Re: Russian and Chinese spam rulesets?

2007-03-06 Thread Kevin Golding
In article [EMAIL PROTECTED], Eray Aslan
[EMAIL PROTECTED] writes
Some Russian and Chinese spam (especially Russian) is making its way to
our users' inboxes.  We do business with those 2 countries.
Consequently, lots of legitimate emails go back and forth so that I
cannot just bump up the score for these 2 locales.  We do use user
submitted spam/ham emails for bayesian training but SA is still not as
good as at catching, say, English spam.

Anyone know of any good rules sets for SA for determining spam for
Russian and Chinese emails?

This has always seemed pretty reliable for Chinese spam: 
http://www.ccert.edu.cn/spam/sa/Chinese_rules_en.htm

They update quite regularly and I've not had any problems from using it.
Although in fairness I don't handle a great deal of Chinese mail so
greater volumes may get different results.

Kevin


Annoying stocks scams

2007-03-06 Thread kshatriyak

Hi List!

I'm getting hit by a bunch of annoying stock scams which aren't found by 
any of my sare lists, they keep on scoring low.


So I decided to write a custom rule, which seem to work pretty well for 
my case:


body  __HILO_STOCKS1  /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ Price|Price)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|High|Sale|Price)/i
body  __HILO_STOCKS2  /(hotlist|r[e3]cord|publicity|n[e3]ws|invest|incr[e3]as[e3]|[e3]xplosion|pric[e3]|high|pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol)/i


meta  HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 )
describe  HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.5

It's my first meta rule, which only gives a score if both conditions are 
true, and I was wondering if there's a possibility to make the score more 
intelligent :


- if __HILO_STOCKS1 fires up, i would like to give the score maybe 0.5
- if __HILO_STOCKS2 matches as well together with __HILO_STOCKS2, make it 
3.5


Any other comments on this rule?

Thanks!



Re: Annoying stocks scams

2007-03-06 Thread Dhawal Doshy

[EMAIL PROTECTED] wrote:

Hi List!

I'm getting hit by a bunch of annoying stock scams which aren't found by 
any of my sare lists, they keep on scoring low.


So I decided to write a custom rule, which seem to work pretty well for 
my case:


body  __HILO_STOCKS1  /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ Price|Price)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|High|Sale|Price)/i
body  __HILO_STOCKS2  /(hotlist|r[e3]cord|publicity|n[e3]ws|invest|incr[e3]as[e3]|[e3]xplosion|pric[e3]|high|pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol)/i



meta  HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 )
describe  HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.5

It's my first meta rule, which only gives a score if both conditions are 
true, and I was wondering if there's a possibility to make the score 
more intelligent :


- if __HILO_STOCKS1 fires up, i would like to give the score maybe 0.5
- if __HILO_STOCKS2 matches as well together with __HILO_STOCKS2, make 
it 3.5


You could define:
body HILO_STOCKS1 ...
describe HILO_STOCKS1 ...
score HILO_STOCKS1 ...

body __HILO_STOCKS2 ...

and create a meta
meta HILO_STOCKS ( HILO_STOCKS1 && __HILO_STOCKS2 )

You could also rename __HILO_STOCKS2 to HILO_STOCKS2 to make it a 
stand-alone rule..


How to whitelist mail lists?

2007-03-06 Thread Luis Hernán Otegui

Hi, several of my users have mail lists (such as Yahoo ones, or some other,
at elsevier.com, or other scientific publications).
I've been searching the web, trying to find a way to whitelist the messages
from these lists. Could anyone point me some directions?


Thanks in advance,


Luis
--
-
GNU-GPL: May The Source Be With You...
-


Re: How to whitelist mail lists?

2007-03-06 Thread David Goldsmith

Luis Hernán Otegui wrote:
 Hi, several of my users have mail lists (such as Yahoo ones, or some
 other, at elsevier.com, or other scientific
 publications).
 I've been searching the web, trying to find a way to whitelist the
 messages from these lists. Could anyone point me some directions?
 
 
 Thanks in advance,
 
 
 Luis
 -- 

Look for the List-Id field such as:

List-Id: Dans_CCCemails.yahoogroups.com

As an example, if you call SA via procmail:

:0fw
* ! ^List-Id: Dans_CCCemails.yahoogroups.com
* ! ^X-Spam-Checker-Version:.*iceman11
| /usr/bin/spamc -d IP ADDRESS -u spamass


If the message does not contain that list id, and it hasn't already been
scanned by our SA, then pass it to SA.

David Goldsmith


RE: Annoying stocks scams

2007-03-06 Thread Rick Cooper
 Sorry to mess up the thread, I lost the original

 -Original Message-
 From: Dhawal Doshy [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, March 06, 2007 9:39 AM
 To: users@spamassassin.apache.org
 Subject: Re: Annoying stocks scams
 
 [EMAIL PROTECTED] wrote:
  Hi List!
  
[ ... ]
  meta  HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 )
  describe  HILO_STOCKS Looks like stocks scam
  score HILO_STOCKS 3.5
  
  It's my first meta rule, which only gives a score if both 
 conditions are 
  true, and I was wondering if there's a possibility to make 
 the score 
  more intelligent :
  
  - if __HILO_STOCKS1 fires up, i would like to give the 
 score maybe 0.5
  - if __HILO_STOCKS2 matches as well together with 
 __HILO_STOCKS2, make 
  it 3.5
[ ... ]

Define two metas: the first one hits only when 1 is true and 2 is false.
The second hits when both are true. You have to use the negation for 2
in meta one or you would double dip whenever both are true.

meta  HILO_STOCKS_1 ( __HILO_STOCKS1 && !__HILO_STOCKS2 )
meta  HILO_STOCKS_2 ( __HILO_STOCKS1 && __HILO_STOCKS2 )

describe  HILO_STOCKS_1 Looks like stocks scam First Hit Only
describe  HILO_STOCKS_2 Looks like stocks scam Both Hit

score HILO_STOCKS_1 0.5
score HILO_STOCKS_2 3.5

If you wanted to score the 0.5 whenever either 1 or 2 is true and the other
is false

meta  HILO_STOCKS_1 ( (__HILO_STOCKS1 && !__HILO_STOCKS2) ||
(!__HILO_STOCKS1 && __HILO_STOCKS2) )

Rick






Re: Annoying stocks scams

2007-03-06 Thread Dhawal Doshy

Rick Cooper wrote:

 Sorry to mess up the thread, I lost the original


-Original Message-
From: Dhawal Doshy [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 06, 2007 9:39 AM

To: users@spamassassin.apache.org
Subject: Re: Annoying stocks scams

[EMAIL PROTECTED] wrote:

Hi List!


[ ... ]

meta  HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 )
describe  HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.5

It's my first meta rule, which only gives a score if both 
conditions are 
true, and I was wondering if there's a possibility to make 
the score 

more intelligent :

- if __HILO_STOCKS1 fires up, i would like to give the 

score maybe 0.5
- if __HILO_STOCKS2 matches as well together with 
__HILO_STOCKS2, make 

it 3.5

[ ... ]

Define two metas, the first one hits only when 1 is true and 2 is false
The second hits when both are true. You have to use the negation for 2
In meta one or you would double dip whenever both are true.

meta  HILO_STOCKS_1 ( __HILO_STOCKS1 && !__HILO_STOCKS2 )
meta  HILO_STOCKS_2 ( __HILO_STOCKS1 && __HILO_STOCKS2 )

describe  HILO_STOCKS_1 Looks like stocks scam First Hit Only
describe  HILO_STOCKS_2 Looks like stocks scam Both Hit

score HILO_STOCKS_1 0.5
score HILO_STOCKS_2 3.5

If you wanted to score the 0.5 whenever either 1 or 2 is true and the other
is false

meta  HILO_STOCKS_1 ( (__HILO_STOCKS1 && !__HILO_STOCKS2) ||
(!__HILO_STOCKS1 && __HILO_STOCKS2) )


Hi Rick,

Though this looks simpler, you are effectively adding an extra meta.. 
you could simply replicate the AND/OR effect by modifying the scores.


body  HILO_STOCKS_1 whatever1
body  __HILO_STOCKS_2   whatever2

meta  HILO_STOCKS ( HILO_STOCKS_1 && __HILO_STOCKS_2 )

score HILO_STOCKS_1 0.5
score HILO_STOCKS 3.0

Only HILO_STOCKS_1 == 0.5
Only __HILO_STOCKS_2 == Nothing
Both == 0.5 + 3.0

Though I'm not sure how much overhead one extra meta will have??


Re: How to whitelist mail lists?

2007-03-06 Thread Luis Hernán Otegui

OK, but the point is that I run SA through AMaViS, so procmail recipes aren't
the answer. Thanks a lot, I suppose I should create some type of whitelist
in AMaViS to avoid SA.


Luis

2007/3/6, David Goldsmith [EMAIL PROTECTED]:



Luis Hernán Otegui wrote:
 Hi, several of my users have mail lists (such as Yahoo ones, or some
 other, at elsevier.com, or other scientific
 publications).
 I've been searching the web, trying to find a way to whitelist the
 messages from these lists. Could anyone point me some directions?


 Thanks in advance,


 Luis
 --

Look for the List-Id field such as:

List-Id: Dans_CCCemails.yahoogroups.com

As an example, if you call SA via procmail:

:0fw
* ! ^List-Id: Dans_CCCemails.yahoogroups.com
* ! ^X-Spam-Checker-Version:.*iceman11
| /usr/bin/spamc -d IP ADDRESS -u spamass


If the message does not contain that list id, and it hasn't already been
scanned by our SA, then pass it to SA.

David Goldsmith





--
-
GNU-GPL: May The Source Be With You...
-


Bayes and Upgrade

2007-03-06 Thread abuse
Like many, I am a Noob to SpamAssassin. I just upgraded to 3.1.8 (first time
performing an upgrade and all went well) and have a simple question I was
unable to find an answer to on the website:

 

Do I need to retrain Bayes after a version Upgrade?

 

Version: Upgraded 3.1.7 to 3.1.8

Platform: Windows 2000 Server (Using Christopher Lewis's AWESOME sink)

 

 

 



Re: Bayes and Upgrade

2007-03-06 Thread Theo Van Dinter
On Tue, Mar 06, 2007 at 09:49:28AM -0600, [EMAIL PROTECTED] wrote:
 Like many, I am a Noob to SpamAssassin. I just upgraded to 3.1.8 (first time
 performing an upgrade and all went well) and have a simple question I was
 unable to find an answer to on the website:
 
 Do I need to retrain Bayes after a version Upgrade?

No.  Especially not for a maintenance release upgrade
(major.minor.maintenance).




Re: Bayes and Upgrade

2007-03-06 Thread Jim Knuth
Today (06.03.2007/16:49) [EMAIL PROTECTED] wrote,

 Like many, I am a Noob to SpamAssassin. I just upgraded to 3.1.8 (first time
 performing an upgrade and all went well) and have a simple question I was
 unable to find an answer to on the website:

  

 Do I need to retrain Bayes after a version Upgrade?

no, not needed

  

 Version: Upgraded 3.1.7 to 3.1.8

-- 
Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867



RE: Bayes and Upgrade

2007-03-06 Thread R Lists06


 F: Theo Van Dinter 
 No.  Especially not for a maintenance release upgrade
 (major.minor.maintenance).

Hm

Will we need to retrain for the upcoming 3.2.0 ?

I'm not sure if that is considered major or not

--
Robert - Abba Communications
http://www.abbacomm.net/



Re: auto-learn learned_points

2007-03-06 Thread Matt Kettler
ram01 wrote:
 auto-learn? no: scored as spam but learner indicated ham
 is given if  if ($learned_points < $learner_said_ham_points) where
 $learner_said_ham_points = -1.0

 what exactly is learned_points
   
It is a recalculation of the message score, based on the following
changes from the normal score calculation:

1) All userconf tests disabled. ie: whitelist/blacklists. This is to
prevent an errant whitelist_from from poisoning the autolearning.
2) All learning subsystems are disabled, ie: bayes and AWL. This is to
prevent self feedback.
3) The score set is changed, because bayes is disabled.






Re: Bayes and Upgrade

2007-03-06 Thread Justin Mason

R Lists06 writes:
  No.  Especially not for a maintenance release upgrade
  (major.minor.maintenance).
 
 Hm
 
 Will we need to retrain for the upcoming 3.2.0 ?
 
 Im not sure if that is considered major or not

it's pretty major, but retraining won't be required.  Don't worry;
if retraining *is* required, it'll be top of the Important Notes
list in the UPGRADE file.

--j.


Spamhaus Tests

2007-03-06 Thread Cliff Stanford

Some questions:

1.  RCVD_IN_XBL

Why is this only applied by default to -lastexternal rather than all the
  Received: lines?  Surely if any forwarding host is a known exploit, it
should score the same 3.897 ?

2.  RCVD_IN_PBL

This is (IMHO) correctly applied to -lastexternal.  Why is the default
score only 0.001 ?

3.  -lastexternal

The docs for this flag say, "You can select only the external host that
connected to your internal network."  Does this mean that
trusted_networks is ignored for this flag and I would need to put the
secondary MXs' IP addresses into internal_networks instead.

4.  Lists

Is this the right place or should I have posted this to the dev list
instead?

Many thanks,
Cliff.

- --
Cliff Stanford
Might Limited   +44 845 0045 666 (Office)
Suite 67, Dorset House  +44 7973 616 666 (Mobile)
Duke Street, Chelmsford, CM1 1TB



Not Enough Points

2007-03-06 Thread David Goldsmith

Here is how this message scored:

X-Spam-DCC: PacNet-SG: iceman11.giac.net 1358; Body=65 Fuz1=65 Fuz2=51
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on iceman11.giac.net
X-Spam-Level: ***
X-Spam-Status: No, score=4.0 required=5.0 tests=BAYES_99,HTML_90_100,
HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,PLING_PLING 
autolearn=no
version=3.1.8
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report:
*  0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  0.0 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME
*  headers
*  0.3 PLING_PLING Subject has lots of exclamation marks


Here is a URL for the message:

http://members.cox.net/dgoldsmi/spam/lowscore02a.eml

Maybe I just got lucky and was an early recipient of it.  None of the
message hash sites have seen it enough yet to assign points.

Does this message break 5.0 points for anyone?

David Goldsmith


Re: [2] auto-learn learned_points

2007-03-06 Thread ram01

Thanks for the reply, but I think that you are referring to autolearn_points.
As computed in PerMsgStatus.pm and is used in AutoLearningThreshold.pm. They
are computed in the same function but they are not the same.  Notice that in
the get_autolearn_points autolearn_points is $score where learned points is 
  $self->{learned_points} +=
$self->{conf}->{scoreset}->[$orig_scoreset]->{$test}; which is inside a loop
and a conditional.  I am not very familiar with perl and was kind of lost in
the syntactics of the for and the if, but I assume that += means the same as
in say c/c++ so this is some kind of cumulative sum of something.  On one
run of sa-learn in debug mode I got the following numbers back:

[28135] dbg: learn: auto-learn: currently using scoreset 3, recomputing
score based on scoreset 1
[28135] dbg: learn: auto-learn: message score: 10.955, computed score for
autolearn: 12.011
[28135] dbg: learn: auto-learn? ham=12, spam=1, body-points=0,
head-points=10.813, learned-points=-2.599

so it is definitely not the same score, but what is it?

here's a snippet of AutoLearnThreshold.pm
sub autolearn_discriminator {
  my ($self, $params) = @_;

  my $scan = $params->{permsgstatus};
  my $conf = $scan->{conf};

  # Figure out min/max for autolearning.
  # Default to specified auto_learn_threshold settings
  my $min = $conf->{bayes_auto_learn_threshold_nonspam};
  my $max = $conf->{bayes_auto_learn_threshold_spam};

  # Find out what score we should consider this message to have ...
  my $score = $scan->get_autolearn_points();
  my $body_only_points = $scan->get_body_only_points();
  my $head_only_points = $scan->get_head_only_points();
  my $learned_points = $scan->get_learned_points();

  dbg("learn: auto-learn? ham=$min, spam=$max, ".
      "body-points=".$body_only_points.", ".
      "head-points=".$head_only_points.", ".
      "learned-points=".$learned_points);

  my $isspam;
  if ($score < $min) {
    $isspam = 0;
  } elsif ($score >= $max) {
    $isspam = 1;
  } else {
    dbg("learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam");
    return;
  }

  my $learner_said_ham_points = -1.0;
  my $learner_said_spam_points = 1.0;

  if ($isspam) {
    my $required_body_points = 3;
    my $required_head_points = 3;

    if ($body_only_points < $required_body_points) {
      dbg("learn: auto-learn? no: scored as spam but too few body points (".
          $body_only_points." < ".$required_body_points.")");
      return;
    }
    if ($head_only_points < $required_head_points) {
      dbg("learn: auto-learn? no: scored as spam but too few head points (".
          $head_only_points." < ".$required_head_points.")");
      return;
    }
    if ($learned_points < $learner_said_ham_points) {
      dbg("learn: auto-learn? no: scored as spam but learner indicated ham (".
          $learned_points." < ".$learner_said_ham_points.")");
      return;
    }

    if (!$scan->is_spam()) {
      dbg("learn: auto-learn? no: scored as ham but autolearn wanted spam");
      return;
    }

  } else {
    if ($learned_points > $learner_said_spam_points) {
      dbg("learn: auto-learn? no: scored as ham but learner indicated spam (".
          $learned_points." > ".$learner_said_spam_points.")");
      return;
    }

    if ($scan->is_spam()) {
      dbg("learn: auto-learn? no: scored as spam but autolearn wanted ham");
      return;
    }
  }

  dbg("learn: auto-learn? yes, ".($isspam?"spam ($score > $max)":"ham ($score < $min)"));
  return $isspam;
}

here's a snippet of PerMsgStatus.pm
sub _get_autolearn_points {
  my ($self) = @_;

  return if (exists $self->{autolearn_points});
  # ensure it only gets computed once, even if we return early
  $self->{autolearn_points} = 0;

  # This function needs to use use sum($score[scoreset % 2]) not just {score}.
  # otherwise we shift what we autolearn on and it gets really wierd.  - tvd
  my $orig_scoreset = $self->{conf}->get_score_set();
  my $new_scoreset = $orig_scoreset;
  my $scores = $self->{conf}->{scores};

  if (($orig_scoreset & 2) == 0) { # we don't need to recompute
    dbg("learn: auto-learn: currently using scoreset $orig_scoreset");
  }
  else {
    $new_scoreset = $orig_scoreset & ~2;
    dbg("learn: auto-learn: currently using scoreset $orig_scoreset, recomputing score based on scoreset $new_scoreset");
    $scores = $self->{conf}->{scoreset}->[$new_scoreset];
  }

  my $tflags = $self->{conf}->{tflags};
  my $points = 0;

  # Just in case this function is called multiple times, clear out the
  # previous calculated values
  $self->{learned_points} = 0;
  $self->{body_only_points} = 0;
  $self->{head_only_points} = 0;

  foreach my $test (@{$self->{test_names_hit}}) {
    # According to the documentation, noautolearn, userconf, and learn
    # rules are ignored for autolearning.
    if (exists $tflags->{$test}) {
      next if $tflags->{$test} =~ /\bnoautolearn\b/;
      next if $tflags->{$test} =~ /\buserconf\b/;

      # Keep track of the learn points for an additional 

Re: Not Enough Points

2007-03-06 Thread Jim Maul

David Goldsmith wrote:


Here is how this message scored:

X-Spam-DCC: PacNet-SG: iceman11.giac.net 1358; Body=65 Fuz1=65 Fuz2=51
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on iceman11.giac.net
X-Spam-Level: ***
X-Spam-Status: No, score=4.0 required=5.0 tests=BAYES_99,HTML_90_100,
HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,PLING_PLING 
autolearn=no
version=3.1.8
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report:
*  0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  0.0 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME
*  headers
*  0.3 PLING_PLING Subject has lots of exclamation marks


Here is a URL for the message:

http://members.cox.net/dgoldsmi/spam/lowscore02a.eml

Maybe I just got lucky and was an early recipient of it.  None of the
message hash sites have seen it enough yet to assign points.

Does this message break 5.0 points for anyone?



Yep -

Content analysis details:   (9.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
 0.1 HTML_MESSAGE           BODY: HTML included in message
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.3 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.2 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
 0.7 PLING_PLING            Subject has lots of exclamation marks



Still rocking SA 2.64 with incredible results ;)

-Jim


Re: Spamassassin filter files? / Oh, i forgot

2007-03-06 Thread night duke
No i don't have qmail-scanner installed...
  I wish to use http://untroubled.org/qmail-qfilter/
  Anyone has any experience with qmail-qfilter?
  
Thanks.
  

Mário Gamito [EMAIL PROTECTED] wrote:
  You have to have qmail-scanner installed.
I suppose you do.

-- Mário Gamito

Mário Gamito wrote:
 night duke wrote:
 Hi i wish to know if it's possible to filter on email files like
 .mp3 .exe .vbs .scr .com .pif etc... with spamassassin?
 Yes, it's possible.
 
 Let's say you want to block .exe files.
 
 Edit file /var/spool/qmailscan/quarantine-attachments.txt
 and insert the line
 .exe 0
 
 You can filter for subject:
 I am.*Bad
 
 Or for RCPT TO and MAIL FROM from the message header:
 [EMAIL PROTECTED] Virus-MAILFROM: You're blocked.
 This prevents messages from [EMAIL PROTECTED] arriving
 
 Hope it helps.
 
 Warm Regards,
 Mário Gamito
 





NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread Justin Mason
SpamAssassin 3.2.0-pre2 is released!
This is a *prerelease* of SpamAssassin 3.2.0; not the full release.

SpamAssassin is a mail filter which uses advanced statistical and
heuristic tests to identify spam (also known as unsolicited bulk email).

Highlights of the release
-

(TODO ;)

Downloading
---

  http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.2.0-pre2.tar.bz2
  http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.2.0-pre2.tar.gz
  http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.2.0-pre2.zip

md5sum of archive files:

  b530e3b3b828cc0fbe8ee738a300dcef  Mail-SpamAssassin-3.2.0-pre2.tar.bz2
  5c84180b188f2dde9bb6ff5e11bf35e6  Mail-SpamAssassin-3.2.0-pre2.tar.gz
  9b5d4a335b18ef49103e81e04df1df4e  Mail-SpamAssassin-3.2.0-pre2.zip

sha1sum of archive files:

  99080918fe4d194923a672443c49a14473310b34  Mail-SpamAssassin-3.2.0-pre2.tar.bz2
  9878e61bd3f9fc90903ac5840b5dd61cffe94400  Mail-SpamAssassin-3.2.0-pre2.tar.gz
  f65c4bf5ea09d5e887bef0ca1d851d1ad8b45698  Mail-SpamAssassin-3.2.0-pre2.zip

The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:

pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key [EMAIL PROTECTED]
 Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B

Important installation notes


- see the INSTALL and UPGRADE files in the distribution.

Summary of major changes since 3.1.x


(TODO ;)




Re: Not Enough Points

2007-03-06 Thread David Goldsmith

Jim Maul wrote:
 David Goldsmith wrote:

 Here is how this message scored:

 X-Spam-DCC: PacNet-SG: iceman11.giac.net 1358; Body=65 Fuz1=65 Fuz2=51
 X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
 iceman11.giac.net
 X-Spam-Level: ***
 X-Spam-Status: No, score=4.0 required=5.0 tests=BAYES_99,HTML_90_100,
 HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,PLING_PLING
 autolearn=no
 version=3.1.8
 X-Spam-Pyzor: Reported 0 times.
 X-Spam-Report:
 *  0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *  [score: 1.]
 *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  0.0 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without
 required MIME
 *  headers
 *  0.3 PLING_PLING Subject has lots of exclamation marks


 Here is a URL for the message:

 http://members.cox.net/dgoldsmi/spam/lowscore02a.eml

 Maybe I just got lucky and was an early recipient of it.  None of the
 message hash sites have seen it enough yet to assign points.

 Does this message break 5.0 points for anyone?

 
 Yep -
 
 Content analysis details:   (9.8 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.1 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
  0.1 HTML_MESSAGE           BODY: HTML included in message
  5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.]
  0.3 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  2.2 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
  0.7 PLING_PLING            Subject has lots of exclamation marks
 
 
 
 Still rocking SA 2.64 with incredible results ;)
 
 -Jim

Ok, so my SA 3.1.8 install with the latest rules via sa-update has:

# grep HTML_IMAGE_RATIO_04 *
20_html_tests.cf:body HTML_IMAGE_RATIO_04
eval:html_image_ratio('0.002','0.004')
20_html_tests.cf:describe HTML_IMAGE_RATIO_04   HTML has a low ratio of
text to image area
50_scores.cf:score HTML_IMAGE_RATIO_04 0.877 0 1.057 0

but it apparently does not trip this.

We both have MIME_HTML_ONLY, MIME_HEADER_CTYPE_ONLY and PLING_PLING but
you have higher scores for all three.

I have HTML_MESSAGE and HTML_90_100 which correlate to your HTML_MESSAGE
rule and score.

You have a higher BAYES_99 score.

Your scores for MIME_HTML_ONLY, MIME_HEADER_CTYPE_ONLY, PLING_PLING and
BAYES_99 -- are they the default values from SA 2.64 or have you
increased them?

I ran the message through spamassassin -D but do not see anything in
the debug output relating to html_image_ratio.

David Goldsmith


Re: Not Enough Points

2007-03-06 Thread Jim Maul

David Goldsmith wrote:


Jim Maul wrote:

David Goldsmith wrote:


Here is how this message scored:

X-Spam-DCC: PacNet-SG: iceman11.giac.net 1358; Body=65 Fuz1=65 Fuz2=51
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
iceman11.giac.net
X-Spam-Level: ***
X-Spam-Status: No, score=4.0 required=5.0 tests=BAYES_99,HTML_90_100,
HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,PLING_PLING
autolearn=no
version=3.1.8
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report:
*  0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  0.0 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without
required MIME
*  headers
*  0.3 PLING_PLING Subject has lots of exclamation marks


Here is a URL for the message:

http://members.cox.net/dgoldsmi/spam/lowscore02a.eml

Maybe I just got lucky and was an early recipient of it.  None of the
message hash sites have seen it enough yet to assign points.

Does this message break 5.0 points for anyone?


Yep -

Content analysis details:   (9.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
 0.1 HTML_MESSAGE           BODY: HTML included in message
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.3 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.2 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
 0.7 PLING_PLING            Subject has lots of exclamation marks



Still rocking SA 2.64 with incredible results ;)

-Jim


Ok, so my SA 3.1.8 install with the latest rules via sa-update has:

# grep HTML_IMAGE_RATIO_04 *
20_html_tests.cf:body HTML_IMAGE_RATIO_04
eval:html_image_ratio('0.002','0.004')
20_html_tests.cf:describe HTML_IMAGE_RATIO_04   HTML has a low ratio of
text to image area
50_scores.cf:score HTML_IMAGE_RATIO_04 0.877 0 1.057 0

but it apparently does not trip this.

We both have MIME_HTML_ONLY, MIME_HEADER_CTYPE_ONLY and PLING_PLING but
you have higher scores for all three.

I have HTML_MESSAGE and HTML_90_100 which correlate to your HTML_MESSAGE
rule and score.

You have a higher BAYES_99 score.

Your scores for MIME_HTML_ONLY, MIME_HEADER_CTYPE_ONLY, PLING_PLING and
BAYES_99 -- are they the default values from SA 2.64 or have you
increased them?



I have increased my bayes scores because of the high accuracy of my 
bayes database.  BAYES_99 alone is enough to push spam over my 5.0 
threshold.  All other scores are stock for 2.64.


-Jim






Re: Annoying stocks scams

2007-03-06 Thread Eric A. Hall

On 3/6/2007 5:30 AM, [EMAIL PROTECTED] wrote:

 It's my first meta rule, which only gives a score if both conditions are 
 true, and I was wondering if there's a possibility to make the score more 
 intelligent :

my local rules use combinations. any message that hits AT LEAST one rule
gets the L_STOCKS_1 match. messages that hit more than one ALSO get a
separate score, in addition to L_STOCKS_1:

meta        L_STOCKS_1  (__L_STOCKS_01 || __L_STOCKS_02 ||
__L_STOCKS_03 || __L_STOCKS_04 || __L_STOCKS_05 || __L_STOCKS_06 ||
__L_STOCKS_07 || __L_STOCKS_08 || __L_STOCKS_09 || __L_STOCKS_10 ||
__L_STOCKS_11 || __L_STOCKS_12 || __L_STOCKS_13 || __L_STOCKS_14 ||
__L_STOCKS_15 || __L_STOCKS_16 || __L_STOCKS_17 || __L_STOCKS_18 ||
__L_STOCKS_19 || __L_STOCKS_20 || __L_STOCKS_21 || __L_STOCKS_22 ||
__L_STOCKS_23 || __L_STOCKS_24 || __L_STOCKS_25 || __L_STOCKS_26 ||
__L_STOCKS_27 )
describe    L_STOCKS_1  One or more stock markers
score       L_STOCKS_1  1.0

meta        L_STOCKS_2  (( __L_STOCKS_01 + __L_STOCKS_02 +
__L_STOCKS_03 + __L_STOCKS_04 + __L_STOCKS_05 + __L_STOCKS_06 +
__L_STOCKS_07 + __L_STOCKS_08 + __L_STOCKS_09 + __L_STOCKS_10 +
__L_STOCKS_11 + __L_STOCKS_12 + __L_STOCKS_13 + __L_STOCKS_14 +
__L_STOCKS_15 + __L_STOCKS_16 + __L_STOCKS_17 + __L_STOCKS_18 +
__L_STOCKS_19 + __L_STOCKS_20 + __L_STOCKS_21 + __L_STOCKS_22 +
__L_STOCKS_23 + __L_STOCKS_24 + __L_STOCKS_25 + __L_STOCKS_26 +
__L_STOCKS_27 ) == 2)
describe    L_STOCKS_2  Two stock markers
score       L_STOCKS_2  4.0

meta        L_STOCKS_3  (( __L_STOCKS_01 + __L_STOCKS_02 +
__L_STOCKS_03 + __L_STOCKS_04 + __L_STOCKS_05 + __L_STOCKS_06 +
__L_STOCKS_07 + __L_STOCKS_08 + __L_STOCKS_09 + __L_STOCKS_10 +
__L_STOCKS_11 + __L_STOCKS_12 + __L_STOCKS_13 + __L_STOCKS_14 +
__L_STOCKS_15 + __L_STOCKS_16 + __L_STOCKS_17 + __L_STOCKS_18 +
__L_STOCKS_19 + __L_STOCKS_20 + __L_STOCKS_21 + __L_STOCKS_22 +
__L_STOCKS_23 + __L_STOCKS_24 + __L_STOCKS_25 + __L_STOCKS_26 +
__L_STOCKS_27 ) == 3)
describe    L_STOCKS_3  Three stock markers
score       L_STOCKS_3  9.0

meta        L_STOCKS_4  (( __L_STOCKS_01 + __L_STOCKS_02 +
__L_STOCKS_03 + __L_STOCKS_04 + __L_STOCKS_05 + __L_STOCKS_06 +
__L_STOCKS_07 + __L_STOCKS_08 + __L_STOCKS_09 + __L_STOCKS_10 +
__L_STOCKS_11 + __L_STOCKS_12 + __L_STOCKS_13 + __L_STOCKS_14 +
__L_STOCKS_15 + __L_STOCKS_16 + __L_STOCKS_17 + __L_STOCKS_18 +
__L_STOCKS_19 + __L_STOCKS_20 + __L_STOCKS_21 + __L_STOCKS_22 +
__L_STOCKS_23 + __L_STOCKS_24 + __L_STOCKS_25 + __L_STOCKS_26 +
__L_STOCKS_27 ) > 3)
describe    L_STOCKS_4  Four or more stock markers
score       L_STOCKS_4  20.0

My scores are high because I have some mail accounts on other networks
that are lightly whitelisted and I need to hit the spams that come from
there. Do not use those scores or else you will fry mailing lists etc.
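
How the tiers in the message above add up, as an added example that is not part of the original post: a small Python evaluator for meta expressions of this shape, run over a constructed rule set cut down to five sub-rules. It shows that L_STOCKS_1 fires alongside the counting tiers, so two markers contribute 1.0 + 4.0 and four or more contribute 1.0 + 20.0.

```python
import ast
import operator
import re

# Constructed rule set following the scheme in the message above, reduced to
# five sub-rules (__L_STOCKS_01..05) so the expressions stay readable.
SUBRULES = [f"__L_STOCKS_{i:02d}" for i in range(1, 6)]
SUM = " + ".join(SUBRULES)
META = {
    "L_STOCKS_1": ("(" + " || ".join(SUBRULES) + ")", 1.0),
    "L_STOCKS_2": (f"(({SUM}) == 2)", 4.0),
    "L_STOCKS_3": (f"(({SUM}) == 3)", 9.0),
    "L_STOCKS_4": (f"(({SUM}) > 3)", 20.0),
}

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMPOPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Gt: operator.gt,
           ast.GtE: operator.ge, ast.Lt: operator.lt, ast.LtE: operator.le}


def eval_meta(expr, hits):
    """Evaluate one meta expression; `hits` is the set of sub-rules that fired."""
    # Map the C-style operators onto Python syntax. "!" becomes "~" because
    # both are tightly binding unary operators; it is evaluated as logical NOT.
    py = expr.replace("||", " or ").replace("&&", " and ")
    py = re.sub(r"!(?!=)", "~", py)
    tree = ast.parse(py, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Name):      # a rule name counts as 1 if it hit
            return 1 if node.id in hits else 0
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BoolOp):
            vals = [bool(walk(v)) for v in node.values]
            return int(all(vals) if isinstance(node.op, ast.And) else any(vals))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Invert):
            return int(not walk(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1:
            op = _CMPOPS[type(node.ops[0])]
            return int(op(walk(node.left), walk(node.comparators[0])))
        raise ValueError(f"unsupported construct in meta rule: {expr!r}")

    return bool(walk(tree))


def score_message(hits, meta=META):
    """Return (meta rules that fired, total score those rules contribute)."""
    fired = [name for name, (expr, _) in meta.items() if eval_meta(expr, hits)]
    return fired, sum(meta[name][1] for name in fired)


if __name__ == "__main__":
    for n in range(6):
        fired, total = score_message(set(SUBRULES[:n]))
        print(f"{n} marker(s): {fired or '-'} -> {total}")
```
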




PNG graphics

2007-03-06 Thread bryan haase
Does anyone have a rule for a message that contains PNG graphics either inline 
or attached?
 
Thanks
Bryan

 



Re: PNG graphics

2007-03-06 Thread Theo Van Dinter
On Tue, Mar 06, 2007 at 12:29:47PM -0600, bryan haase wrote:
 Does anyone have a rule for a message that contains PNG graphics either 
 inline or attached?

How are those different?

-- 
Randomly Selected Tagline:
Meanwhile the US military officials are looking for their next target
 in the war on terrorism.  Today President Bush restated his commitment
 to the war on terror, saying, You're either with us, or against us,
 or, in the case of Saudi Arabia, both.- Bill Maher




[Fwd: Re: *****POSIBLE SPAM***** Re: Annoying stocks scams]

2007-03-06 Thread Eric A. Hall

please suspend this user's mailing list account


---BeginMessage---
 Automatic Message ***
This user is not available; for any matter, please
contact Leandro Gayango [EMAIL PROTECTED]

***

 ehall 03/06/07 19:24 

Spam detection software, running on the system
vm-antispam2.mpsistemas.es, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  On 3/6/2007 5:30 AM, [EMAIL PROTECTED] wrote: 
It's
  my first meta rule, which only gives a score if both conditions are 
  true, and I was wondering if there's a possibility to make the score
  more  intelligent : [...] 

Content analysis details:   (5.1 points, 4.0 required)

 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 1.0 MY_DSL                 I could use a BL for this.
 0.5 NO_RDNS                Sending MTA has no reverse DNS (Postfix variant)
 0.2 MR_NOT_ATTRIBUTED_IP   Beta rule: an non-attributed IPv4 found in headers
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 2.0 RATWR10_MESSID         Message-ID has ratware pattern (HEXHEX.HEXHEX@)
 0.4 UPPERCASE_50_75        message body is 50-75% uppercase
 0.0 NO_RDNS2               Sending MTA has no reverse DNS
 1.0 RCVD_IN_SORBS          RCVD_IN_SORBS

---End Message---


Re: How to whitelist mail lists?

2007-03-06 Thread Vivek Khera


On Mar 6, 2007, at 10:37 AM, Luis Hernán Otegui wrote:

OK, but the point is that I run SA through AMaViS, so procmail  
recipes aren't the answer. Thanks a lot, I suppose I should create  
some type of whitelist in AMaViS to avoid SA.


amavisd-new has several whitelisting options.   first you have to  
identify the common part, such as the sender address or sender  
domain, etc., then use that for creating your whitelist.






[OT] How to deal with SPF_FAIL ?

2007-03-06 Thread Raul Dias
I was thinking about adding spf checking support directly in the MTA.
This would allow messages that fail spf to be instantly blocked.

However, I noticed that many maillists (sourceforge's ones included) set
the MAIL FROM to the original sender address.
If the sender's domain is spf enabled, it will generate an SPF_FAIL
error.

Also, many webservices (like contact forms, php generated messages)
forge the sender address (usually to the recipient's address).

How do you guys deal with this?
 1 - Don't enable spf at mta level (leave it to SA)
 2 - Enable spf at MTA, but keep monitoring and whitelisting broken 
 sender.
 3 - Something else.


-Raul Dias



Re: How to whitelist mail lists?

2007-03-06 Thread Marco Maske
Luis Hernán Otegui wrote:
 OK, but the point is that I run SA through AMaViS, so procmail recipes
 aren't the answer. Thanks a lot, I suppose I should create some type of
 whitelist in AMaViS to avoid SA.

Yes, an example for bypassing THIS list with amavisd;
I posted it here in Feb. 06.
search the archive: http://wiki.apache.org/spamassassin/MailingLists

Subject
Re: Bypass SA Was: DO NOT Filter this list!!!

Ciao Marco!


Re: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread Mark Martinec
 SpamAssassin 3.2.0-pre2 is released!
 This is a *prerelease* of SpamAssassin 3.2.0; not the full release.

Looks fine, runs also under amavisd-new cleanly

(after having to remove some stale rule scores
in my local.cf of course to make a --lint happy).

An updated DKIM plugin patch is now in the bug tracker:
  http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5332

Thanks for your efforts!

  Mark


Re: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread Justin Mason

Mark Martinec writes:
  SpamAssassin 3.2.0-pre2 is released!
  This is a *prerelease* of SpamAssassin 3.2.0; not the full release.
 
 Looks fine, runs also under amavisd-new cleanly
 
 (after having to remove some stale rule scores
 in my local.cf of course to make a --lint happy).
 
 An updated DKIM plugin patch is now in the bug tracker:
   http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5332
 
 Thanks for your efforts!

And thanks for the patch and feedback ;)

--j.


domain has been refused (why?)

2007-03-06 Thread Peter
I have a client who complains that one of their own clients cannot send mail 
to them.  The sender has performed a simple SMTP transmission and receives 
the following error:

SMTP Error 4570:
Illegal response to the sender(550):
550 5.7.1 H:MXBSMTP client IPConnection refused to due abuse

I realize this is a generic MTA question but I figured some may want to 
comment since it may be a spam abuse issue.  I have gone to dnsstuff.com and 
checked the sender IP and all is well.

PM


Re: domain has been refused (why?)

2007-03-06 Thread Michele Neylon :: Blacknight

Peter wrote:
I have a client who complains that one of their own clients cannot send mail 
to them.  The sender has performed a simple SMTP transmission and receives 
the following error:


SMTP Error 4570:
Illegal response to the sender(550):
550 5.7.1 H:MXBSMTP client IPConnection refused to due abuse

I realize this is a generic MTA question but I figured some may want to 
comment since it may be a spam abuse issue.  I have gone to dnsstuff.com and 
checked the sender IP and all is well.


PM


It sounds like someone has set up a rule at the MTA level to block that 
IP or netblock.


If it's a private DNSBL it won't appear in most of your public checks



--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239


Re: domain has been refused (why?)

2007-03-06 Thread John D. Hardin
On Tue, 6 Mar 2007, Peter wrote:

 I have a client who complains that one of their own clients cannot
 send mail to them.  The sender has performed a simple SMTP
 transmission and receives the following error:
 
 SMTP Error 4570:
 Illegal response to the sender(550):
 550 5.7.1 H:MXBSMTP client IPConnection refused to due abuse
 
 I realize this is a generic MTA question but I figured some may want to 
 comment since it may be a spam abuse issue.  I have gone to dnsstuff.com and 
 checked the sender IP and all is well.

What MTA is your client using?

Given the grammar of the error message, it smells like a local config
(e.g. something in /etc/mail/access if they're using sendmail) that's
returning a hard fail with a custom error message.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 5 days until Daylight Saving Time begins in U.S. - Spring Forward



Re: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread Jim Knuth
Yesterday (06.03.2007/15:09), Justin Mason wrote:

 SpamAssassin 3.2.0-pre2 is released!
 This is a *prerelease* of SpamAssassin 3.2.0; not the full release.


Actual there a little bit changed with trusted network?

My local.cf included

# Trusted
clear_trusted_networks
trusted_networks 127/8
# Internal
clear_internal_networks
internal_networks 127/8

and this getting by --lint

[15519] warn: netset: cannot include 127/8 as it has already been included
[15519] warn: netset: cannot include 127/8 as it has already been included




-- 
Best wishes, Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
--
Random quote
--
As a human being, one can think rationally and still act
senselessly.
--
The text has nothing to do with the recipient of the mail
--
Virus free. Checked by NOD32 Version 2099 Build 9215  06.03.2007



RE: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread Randal, Phil
127/8 is now always trusted.

Remove that trusted_networks 127/8 line and all should be well.

Phil

-Original Message-
From: Jim Knuth [mailto:[EMAIL PROTECTED] 
Sent: 07 March 2007 00:12
To: Justin Mason
Cc: dev@spamassassin.apache.org; users@spamassassin.apache.org
Subject: Re: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

Yesterday (06.03.2007/15:09), Justin Mason wrote:

 SpamAssassin 3.2.0-pre2 is released!
 This is a *prerelease* of SpamAssassin 3.2.0; not the full release.


Actual there a little bit changed with trusted network?

My local.cf included

# Trusted
clear_trusted_networks
trusted_networks 127/8
# Internal
clear_internal_networks
internal_networks 127/8

and this getting by --lint

[15519] warn: netset: cannot include 127/8 as it has already been
included
[15519] warn: netset: cannot include 127/8 as it has already been
included




-- 
Best wishes, Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
--
Random quote
--
As a human being, one can think rationally and still act
senselessly.
--
The text has nothing to do with the recipient of the mail
--
Virus free. Checked by NOD32 Version 2099 Build 9215  06.03.2007



User or Admin?

2007-03-06 Thread Don Ireland

Hello all!

I have a shared hosting account.  My host has Exim installed as the mail server and has SA installed.  

I have three domains (1 for personal use and 2 for small businesses--one man operations).  

Should I be looking at the docs written for users or for admins?  


If I use Bayesian filtering (I want to), will other users of my host's system 
affect SA's learning?  Or will it only read MINE?  If I can allow it to include 
other users training but have that carry a lower weight in the decision process 
then that's what I'd like to do.  But I don't want the fact that someone else 
identified something as spam to carry as much weight as MY identifying 
something as spam.

Should I be creating a special directory for SA to learn from me?  Last night I 
got my account set up to learn from ham/spam folders under IMAP (using a PHP 
script and Cron).  Now I just need to make sure it learns properly.

Also when the host updates SA, will I need to re-train SA?  I've read that 
minor or maintenance updates don't need retrained, but what about major 
upgrades?  If so, will SA just stop working?  Or will I just start receiving 
more spam until I get it re-trained again?

Thx!

Don Ireland



Re: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread Jim Knuth
Today (07.03.2007/01:42), Randal, Phil wrote:

 127/8 is now always trusted.

 Remove that trusted_networks 127/8 line and all should be well.

Thank you. I have only asked because I could read nothing in the
Changes.

 Phil

 -Original Message-
 From: Jim Knuth [mailto:[EMAIL PROTECTED] 
 Sent: 07 March 2007 00:12
 To: Justin Mason
 Cc: dev@spamassassin.apache.org; users@spamassassin.apache.org
 Subject: Re: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

 Yesterday (06.03.2007/15:09), Justin Mason wrote:

 SpamAssassin 3.2.0-pre2 is released!
 This is a *prerelease* of SpamAssassin 3.2.0; not the full release.


 Actual there a little bit changed with trusted network?

 My local.cf included

 # Trusted
 clear_trusted_networks
 trusted_networks 127/8
 # Internal
 clear_internal_networks
 internal_networks 127/8

 and this getting by --lint

 [15519] warn: netset: cannot include 127/8 as it has already been
 included
 [15519] warn: netset: cannot include 127/8 as it has already been
 included

-- 
Best wishes, Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
--
Random quote
--
A good saying is the truth of an entire book in
a single sentence. (Theodor Fontane)
--
The text has nothing to do with the recipient of the mail
--
Virus free. Checked by NOD32 Version 2099 Build 9215  06.03.2007



RE: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread R Lists06
 
 127/8 is now always trusted.
 
 Remove that trusted_networks 127/8 line and all should be well.
 
 Phil


Are you saying we should remove the entry 127.0.0.1 from the
trusted_networks ?

What about if in the internal_networks entry ?

Is this for 3.2.0 only or is it in 3.1.8 too?

Isn't this somewhat confusing?

There are cases where it isn't necessary to run SMTP or even the same
MTA/smtp service on 127.0.0.1 etc...

 - rh

--
Robert - Abba Communications
http://www.abbacomm.net/





Re: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread Jim Knuth
Today (07.03.2007/02:26), R Lists06 wrote:

 
 127/8 is now always trusted.
 
 Remove that trusted_networks 127/8 line and all should be well.
 
 Phil


 Are you saying we should remove the entry 127.0.0.1 from the
 trusted_networks ?

 What about if in the internal_networks entry ?

 Is this for 3.2.0 only or is it in 3.1.8 too?

I think it is only for 3.2.0. In 3.1.8 was this ok. But the
maintainers knowing these better. ;)

 Isn't this somewhat confusing?

 There are cases where it isn't necessary to run SMTP or even the same
 MTA/smtp service on 127.0.0.1 etc...

  - rh

 --
 Robert - Abba Communications
 http://www.abbacomm.net/

-- 
Best wishes, Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
--
Random quote
--
Eskimos have hundreds of words for ice, but none
for hello.
--
The text has nothing to do with the recipient of the mail
--
Virus free. Checked by NOD32 Version 2099 Build 9215  06.03.2007



Re: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread Jim Knuth
Today (07.03.2007/01:42), Randal, Phil wrote:

 127/8 is now always trusted.

 Remove that trusted_networks 127/8 line and all should be well.

Are then still other changes, which are not explained in Changes
or INSTALL?

 Phil

 -Original Message-
 From: Jim Knuth [mailto:[EMAIL PROTECTED] 
 Sent: 07 March 2007 00:12
 To: Justin Mason
 Cc: dev@spamassassin.apache.org; users@spamassassin.apache.org
 Subject: Re: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

 Yesterday (06.03.2007/15:09), Justin Mason wrote:

 SpamAssassin 3.2.0-pre2 is released!
 This is a *prerelease* of SpamAssassin 3.2.0; not the full release.


 Actual there a little bit changed with trusted network?

 My local.cf included

 # Trusted
 clear_trusted_networks
 trusted_networks 127/8
 # Internal
 clear_internal_networks
 internal_networks 127/8

 and this getting by --lint

 [15519] warn: netset: cannot include 127/8 as it has already been
 included
 [15519] warn: netset: cannot include 127/8 as it has already been
 included

-- 
Best wishes, Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
--
Random quote
--
Diplomacy is the ability to act as if one were not
acting. (Boleslaw Barlog)
--
The text has nothing to do with the recipient of the mail
--
Virus free. Checked by NOD32 Version 2099 Build 9215  06.03.2007



Re: spamd child processing timeout

2007-03-06 Thread Daryl C. W. O'Shea

On 3/2/2007 2:50 AM, Sandeep Agarwal wrote:


any suggestions how to fix this or the reason for this.


It's probably being caused by bayes expiries.  Disable auto expiry and 
do the expiries via a cron job.


Daryl



Re: Spamhaus Tests

2007-03-06 Thread Matt Kettler
Cliff Stanford wrote:
 Some questions:

 1.  RCVD_IN_XBL

 Why is this only applied by default to -lastexternal rather than all the
   Received: lines?  Surely if any forwarding host is a known exploit, it
 should score the same 3.897 ?

The problem here is that XBL will generally consist of home-user IPs.
Those IPs are of hosts known to have been infected with backdoors that
cause spam relaying.

XBL is highly effective if you use it to pick off hosts directly sending
mail to your network, with near zero false positives. Generally home
users use their relays, and spam tools direct deliver.

However, if you apply it to the originating IP, you'll also pick off all
the legitimate mail sent by infected users (or uninfected users who got
reallocated the same IP!). The false positive rate goes up as a result,
and the score of this test would fall as a result.

 2.  RCVD_IN_PBL

 This is (IMHO) correctly applied to -lastexternal.  Why is the default
 score only 0.001 ?

I suspect it's not been around long enough to have been subjected to a
mass-check to determine its accuracy. It is also not clear to what
degree it will overlap with the NJABL and SORBS DUL lists, which would
also show up in mass-check. With no detailed information on the accuracy
of the list, or how it interacts with other existing lists, they
probably assigned it this score to start.

 3.  -lastexternal

 The docs for this flag say, You can select only the external host that
 connected to your internal network.  Does this mean that
 trusted_networks is ignored for this flag and I would need to put the
 secondary MXs' IP addresses into internal_networks instead.

Yes, although be aware that unless you explicitly specify a
internal_networks, the value is copied from trusted_networks.

Most people only need to set trusted_networks, and let internal_networks
copy it. Only a few sites (for example those that need to accept mail
from dialup users) need to make these two lists differ.

 4.  Lists

 Is this the right place or should I have posted this to the dev list
 instead?

This is the right place for questions about SA. Even though this touches
a bit on the subject of development, it's really only questions about
the hows and whys of SA's rules. As such, I'd say this is the right list.

Personally, I kind of view the dev list as more of a place to make
specific suggestions. This list is a better place to ask questions,
unless you're really getting into questions that arise from attempts to
implement a new feature in SA. (ie: if you were writing a new bayes
store for some new kind of database, and had questions about how bayes
stores are used.. that would probably be good to post to dev)

However, be aware that I'm merely a helpful community member and my
opinions on the list uses are purely non-official.
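
The -lastexternal behaviour discussed in points 1 and 3 above, as an added example that is not part of the original message and not SpamAssassin's own code: a simplified Python model that takes the connecting IPs recorded in a message's Received headers (newest first) and checks either only the last external hop or every external hop. All addresses, the listed set and the function names are constructed for illustration; real trust-path handling parses headers and distinguishes trusted from internal networks.

```python
import ipaddress

# Constructed sample data using documentation address ranges.
PRIMARY_MX = "192.0.2.10"
BACKUP_MX = "192.0.2.20"
INTERNAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", PRIMARY_MX + "/32")]
INTERNAL_WITH_BACKUP = INTERNAL + [ipaddress.ip_network(BACKUP_MX + "/32")]
XBL_LISTED = {"203.0.113.77", "203.0.113.99"}   # stand-in for DNSBL lookups

# Connecting IPs from the Received headers, newest hop first.
MAIL_DIRECT = ["203.0.113.77"]                  # infected PC delivering straight to our MX
MAIL_VIA_ISP = ["198.51.100.5", "203.0.113.99"] # legitimate user on a listed IP, via ISP relay
MAIL_VIA_BACKUP = [BACKUP_MX, "203.0.113.77"]   # infected PC delivering to the secondary MX


def is_internal(ip, internal):
    """True if `ip` falls inside any configured internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal)


def last_external(hops, internal):
    """The host that handed the message to our internal network, if any."""
    for ip in hops:                 # walk from our side outwards
        if not is_internal(ip, internal):
            return ip
    return None


def hits_lastexternal(hops, internal, listed):
    """Model of a DNSBL rule restricted to the last external hop."""
    ip = last_external(hops, internal)
    return ip is not None and ip in listed


def hits_all_hops(hops, internal, listed):
    """Model of the same rule applied to every external Received hop."""
    return any(ip in listed for ip in hops if not is_internal(ip, internal))


if __name__ == "__main__":
    cases = [("direct", MAIL_DIRECT), ("via ISP relay", MAIL_VIA_ISP),
             ("via backup MX", MAIL_VIA_BACKUP)]
    for name, hops in cases:
        print(f"{name:14} lastexternal={hits_lastexternal(hops, INTERNAL, XBL_LISTED)} "
              f"all_hops={hits_all_hops(hops, INTERNAL, XBL_LISTED)} "
              f"lastexternal+backup_internal="
              f"{hits_lastexternal(hops, INTERNAL_WITH_BACKUP, XBL_LISTED)}")
```

The relayed message is flagged only when every hop is checked, and the message that came in through the secondary MX is caught by the last-external check only once that MX is listed as internal.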




Spamassassin 3.1.8

2007-03-06 Thread SAtalk Mail User
Hello All,

I have upgraded spamassassin from 3.1.7 to 3.1.8 and have an easy question.
When I look at the headers it still shows that Spamassassin 3.1.7 is installed 
/ running
Why is that?  I did the following -- downloaded Mail-SpamAssassin-3.1.8.tar.gz 
and installed
by perl Makefile.PL / make / make install
stopped the current spamd and restarted and it shows that 3.1.7 in the header.

TIA


Re: Spamassassin 3.1.8

2007-03-06 Thread Theo Van Dinter
On Tue, Mar 06, 2007 at 09:08:59PM -0600, SAtalk Mail User wrote:
 stopped the current spamd and restarted and it shows that 3.1.7 in the header.

I would guess that your install didn't happen correctly.  Sounds like you have
one version installed and probably installed 3.1.8 to a different location.

-- 
Randomly Selected Tagline:
Remember: while root can do most everything, there are certain privileges
 that only a partner can grant.- Telsa Gwynne




Re: User or Admin?

2007-03-06 Thread Theo Van Dinter
On Tue, Mar 06, 2007 at 07:42:54PM -0500, Don Ireland wrote:
 Should I be looking at the docs written for users or for admins?  

Are you running SA as a user or as an admin?

 If I use Bayesian filtering (I want to), will other users of my host's 
 system affect SA's learning?  Or will it only read MINE?  If I can allow it 

Depends how you set it up.

 to include other users training but have that carry a lower weight in the 
 decision process then that's what I'd like to do.  But I don't want the 
 fact that someone else identified something as spam to carry as much weight 
 as MY identifying something as spam.

There's a single DB, either yours, or a site-wide DB.

 Also when the host updates SA, will I need to re-train SA?  I've read that 
 minor or maintenance updates don't need retrained, but what about major 
 upgrades?  If so, will SA just stop working?  Or will I just start 
 receiving more spam until I get it re-trained again?

So far, there's been no situation where an upgrade requires restarting with
Bayes, SA upgrades the DB formats and such.

It sounds like you're a user on someone else's hosting though -- I'd talk to
them about what their SA setup is and how you're expected to use it.

-- 
Randomly Selected Tagline:
the Audi sounds and feels like a volcano making love to an avalanche
 - http://www.thetruthaboutcars.com/?p=2545




Re: User or Admin?

2007-03-06 Thread Don Ireland

Are you running SA as a user or as an admin?
I THINK user.  But that's what I was looking for confirmation on.  
That's why I posted the details of the fact that I'm using a shared 
hosting account.


Depends how you set it up.
Ok--so it can be configured to use MY bayesian training then.  GOOD.

It sounds like you're a user on someone else's hosting though
Yes I am.

I'd talk to them about what their SA setup is and how you're expected 
to use it.
When I ask them anything about SA configuration, they point me to 
spamassassin.apache.org.  They have told me that I can use my own 
userprefs file and told me where the file is.




Theo Van Dinter wrote:

On Tue, Mar 06, 2007 at 07:42:54PM -0500, Don Ireland wrote:
  
Should I be looking at the docs written for users or for admins?  



Are you running SA as a user or as an admin?

  
If I use Bayesian filtering (I want to), will other users of my host's 
system affect SA's learning?  Or will it only read MINE?  If I can allow it 



Depends how you set it up.

  
to include other users training but have that carry a lower weight in the 
decision process then that's what I'd like to do.  But I don't want the 
fact that someone else identified something as spam to carry as much weight 
as MY identifying something as spam.



There's a single DB, either yours, or a site-wide DB.

  
Also when the host updates SA, will I need to re-train SA?  I've read that 
minor or maintenance updates don't need retrained, but what about major 
upgrades?  If so, will SA just stop working?  Or will I just start 
receiving more spam until I get it re-trained again?



So far, there's been no situation where an upgrade requires restarting with
Bayes, SA upgrades the DB formats and such.

It sounds like you're a user on someone else's hosting though -- I'd talk to
them about what their SA setup is and how you're expected to use it.

  


RE: Spamassassin 3.1.8

2007-03-06 Thread R Lists06


 I have upgraded spamassassin from 3.1.7 to 3.1.8 and have an easy
 question.
 When I look at the headers it still shows that Spamassassin 3.1.7 is
 installed / running
 Why is that?  I did the following -- downloaded
 Mail-SpamAssassin-3.1.8.tar.gz and installed
 by perl Makefile.PL / make / make install
 stopped the current spamd and restarted and it shows that 3.1.7 in the
 header.
 TIA

Greetings back at ya...

What operating system?

It isn't accidentally installed twice in two separate places is it?

Are you using qmail-scanner-queue?

If so, you have to run it (the QMS perl script) a certain way to have it
reinit the new config 

 - rh

--
Robert - Abba Communications
http://www.abbacomm.net/