Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Johann Spies
On Thu, Mar 22, 2007 at 09:55:07AM -0700, Marc Perkel wrote:
> Maybe I'm doing something wrong but with the various methods of bayes 
> poisoning going on I've found that bayes is just lowering the score of 
> spam and causing more spam to get through. Where bayes used to be the 
> centerpiece of spam filtering now I have turned it off to increase accuracy.
> 
> Anyone else seeing this or is there some new tricks that I'm missing out on?

We had to lower our bayesian filter's score from 7.2 to something like
6.4 (8.0 threshold) as a result of the image spam but it is still doing a
good job.

My experience with fuzzyocr was not good enough to implement it on all
our mail servers.  Exim had regular problems with the feedback from
Spamassassin when fuzzyocr was active and recently Spamassassin died
because of some problem fuzzyocr had with some mails - so I disabled it
on the one server I was trying it out.

The result is more image spam.  Maybe it is time to rebuild the bayesian
database with "clean" spam excluding image spam and a lot of ham
messages.

Regards
Johann
-- 
Johann Spies  Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

 "Jesus said unto her, I am the resurrection, and the 
  life; he that believeth in me, though he were dead, 
  yet shall he live; And whosoever liveth and believeth 
  in me shall never die."  John 11:25,26 


Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Rajkumar S

On 3/22/07, Kris Deugau <[EMAIL PROTECTED]> wrote:

> Anyone using SA in an ISP environment will run into this problem;

I agree here, I am using SA in an ISP and I have disabled Bayes. There
is no way I can get regular good supply of ham from our customers. No
one wants to forward their good mails to me (or any ISP) regularly to
train Bayes.  And we have a wide spectrum of customers, so Bayes will
cause more damage than good, if I do not get enough volume of mails
for training.

I am interested in hearing from anyone using Bayes in ISP though.

raj


Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Jason Marshall
I was wondering the same thing, idly.  Then one day my Bayes stopped 
working and I went from 30-40 spams getting through in a day to 500-600 
getting through.  Believe me, I think Bayes is doing a decent job of 
adding to the scores of spammy messages...


> Maybe I'm doing something wrong but with the various methods of bayes 
> poisoning going on I've found that bayes is just lowering the score of spam 
> and causing more spam to get through. Where bayes used to be the centerpiece 
> of spam filtering now I have turned it off to increase accuracy.
>
> Anyone else seeing this or is there some new tricks that I'm missing out on?



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Jason Marshall, [EMAIL PROTECTED] Spots InterConnect, Inc. Calgary, AB |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Re: Stock rules match legitimate e-mail

2007-03-22 Thread Matt Kettler
Jason Bertoch [Electronet] wrote:
> A legitimate e-mail passed through my system yesterday that matched three stock
> rules with default scores:
>
> 1.9 RATWARE_OUTLOOK_NONAME
> 1.4 RATWARE_MS_HASH
> 2.2 MSGID_DOLLARS
>
> Because this is a legitimate e-mail from a legitimate server, does that mean
> these particular stock rules need a score adjustment or are they maybe a little
> outdated?  Message headers follow:
>
What version of SA are you on?

RATWARE_MS_HASH:

Dev is currently looking for samples of FPs with this:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4946


MSGID_DOLLARS
They apparently changed a few things in SA 3.1.7 to try to reduce the FPs ..

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4960

They also have removed that rule entirely from 3.2.0 (still in development).


Other possibly related bug-trackers:
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5297
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4798



NOTICE: SpamAssassin 3.2.0-rc1 PRERELEASE available

2007-03-22 Thread Justin Mason
SpamAssassin 3.2.0-rc1 is released!
This is a *prerelease* for SpamAssassin 3.2.0; not the full release.

SpamAssassin is a mail filter which uses advanced statistical and
heuristic tests to identify spam (also known as unsolicited bulk email).

Highlights of the release
-------------------------

(STILL TODO ;)

Downloading
-----------

  http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.2.0-rc1.tar.bz2
  http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.2.0-rc1.tar.gz
  http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.2.0-rc1.zip

md5sum of archive files:

2be09ab4fad7960e739ecf8a0bacc8cb  Mail-SpamAssassin-3.2.0-rc1.tar.bz2
254464ac8ac0584e4fb8664d2fdb49ad  Mail-SpamAssassin-3.2.0-rc1.tar.gz
47dec3411b9cedececa5832d04057686  Mail-SpamAssassin-3.2.0-rc1.zip

sha1sum of archive files:

53dd8a84b7a87bccdb6a4606be66bf010a76a3bf  Mail-SpamAssassin-3.2.0-rc1.tar.bz2
1a2ac68efce3ad89dd32c636268af7e63aedbcfe  Mail-SpamAssassin-3.2.0-rc1.tar.gz
d6a4f35792319cf7260bd76dc7285c092ad0ed30  Mail-SpamAssassin-3.2.0-rc1.zip

The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:

pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key <[EMAIL PROTECTED]>
 Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B

Important installation notes
----------------------------

- see the INSTALL and UPGRADE files in the distribution.

Summary of major changes since 3.1.x
------------------------------------

(STILL TODO ;)





RE: /etc/spamassassin or /var/lib/spamassassin?

2007-03-22 Thread Bowie Bailey
Mark Adams wrote:
> On Fri, Mar 02, 2007 at 10:06:51AM -0500, Bowie Bailey wrote:
> > Is it scoring the whitelist lower or is it just not hitting?
> > 
> > Can you post your whitelist rule and the headers from an example
> > message?
> 
> Hi, Apologies for delay I did not see this message. I am still having
> issues with this so your help would be gratefully received.
> 
> Whitelist file is in /etc/spamassassin/ and is called whitelist.cf
> entry;
> 
> whitelist_from [EMAIL PROTECTED]
> 
> Below is the x-spam scoring headers for an email from this sender;
> 
> X-Spam-Score: 40
> X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7

And why do you think this message should have hit the whitelist?  Show
me the "From" line in the email.

-- 
Bowie


R: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Giampaolo Tomassoni
> -Original Message-
> From: --[ UxBoD ]-- [mailto:[EMAIL PROTECTED]
> 
> Using a combination of numerous SA rules, bayes, FuzzyOCR and BotNet on
> a new server I've just built we are trashing the SPAM.  Attached graph
> is for today :-

What does "received" mean in the graph?

Giampaolo


> Regards,
> 
> UxBoD
> 
> On Thu, 22 Mar 2007 09:55:07 -0700, Marc Perkel <[EMAIL PROTECTED]>
> wrote:
> > Maybe I'm doing something wrong but with the various methods of bayes
> > poisoning going on I've found that bayes is just lowering the score
> of
> > spam and causing more spam to get through. Where bayes used to be the
> > centerpiece of spam filtering now I have turned it off to increase
> > accuracy.
> >
> > Anyone else seeing this or is there some new tricks that I'm missing
> out
> > on?
> >
> >
> > --
> > This message has been scanned for viruses and dangerous content by
> > MailScanner, and is
> > believed to be clean.
> --
> --[ UxBoD ]--
> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
> // SIP Phone: [EMAIL PROTECTED]
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.




Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Theo Van Dinter
On Thu, Mar 22, 2007 at 02:41:03PM -0500, maillist wrote:
> I don't know about that.  I'd say that 95% of all spam filtered in my 
> system has BAYES_99 as a trigger, and of that, probably 75% - 85% would 
> not have been caught if not for that trigger.

Don't confuse filtering methods with rules.

-- 
Randomly Selected Tagline:
Harriet's Dining Observation:
In every restaurant, the hardness of the butter pats
increases in direct proportion to the softness of the bread.




Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Leander Koornneef


On 22-mrt-2007, at 20:02, Theo Van Dinter wrote:


> On Thu, Mar 22, 2007 at 09:55:07AM -0700, Marc Perkel wrote:
>> Where bayes used to be the centerpiece of spam filtering ...
>
> FWIW, I don't think Bayes has really ever been the "centerpiece" of
> spam filtering.  Definitely not within SA anyway.  It's a good tool,
> but it's just another tool in the belt.
>
> /me continues to wait for the spammers to tire of greylisting


Yes, exactly! Greylisting is still working amazingly well here.
Also, most spams that get past the greylisting border are still
hitting BAYES_90 or higher, even on instances where the
bayes system is only being trained by autolearning.

I do feel that greylisting is slowly becoming less effective though.
The amount of spams that get through may have risen by as much
as 50%, although this is extremely relative, because this means
that in my case six spams make it through each day, instead of
four, whereas I used to get >80 spams per day without greylisting.
I noticed that almost all of the spams that get through are GIF image
stock spam. Apparently, I should "GET IN ON THE YOUTUBE OF
CHINA NOW!", because that is all I'm reading about these days ;-)

Leander


Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread maillist

Theo Van Dinter wrote:

> On Thu, Mar 22, 2007 at 09:55:07AM -0700, Marc Perkel wrote:
>> Where bayes used to be the centerpiece of spam filtering ...
>
> FWIW, I don't think Bayes has really ever been the "centerpiece" of
> spam filtering.  Definitely not within SA anyway.  It's a good tool,
> but it's just another tool in the belt.

I don't know about that.  I'd say that 95% of all spam filtered in my 
system has BAYES_99 as a trigger, and of that, probably 75% - 85% would 
not have been caught if not for that trigger.  But I don't autolearn, or 
autowhitelist.  I just don't have enough faith in my own setup to allow 
it to make its own decisions.

-=Aubrey=-

> /me continues to wait for the spammers to tire of greylisting

  




Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-22 Thread Theo Van Dinter
On Thu, Mar 22, 2007 at 05:56:31PM +, Mark Adams wrote:
> Whitelist file is in /etc/spamassassin/ and is called whitelist.cf
> entry;
> 
> whitelist_from [EMAIL PROTECTED]

Is /etc/spamassassin where the rest of your site config is located?  Typically
it's /etc/mail/spamassassin, but "spamassassin -D --lint" would tell you.

-- 
Randomly Selected Tagline:
"It's stupid to slap a table ... "  - Prof. Long




Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Theo Van Dinter
On Thu, Mar 22, 2007 at 09:55:07AM -0700, Marc Perkel wrote:
> Where bayes used to be the centerpiece of spam filtering ...

FWIW, I don't think Bayes has really ever been the "centerpiece" of
spam filtering.  Definitely not within SA anyway.  It's a good tool,
but it's just another tool in the belt.

/me continues to wait for the spammers to tire of greylisting

-- 
Randomly Selected Tagline:
"If you build something that any idiot can use, any idiot will."
   - Patrick St. Jean




Re: ONE_TIME (rule)

2007-03-22 Thread Evan Platt

At 10:39 AM 3/22/2007, Deivid Vilela wrote:
> Dear Friend
>
> I can read the CF Files but I don't understand it.
> I hope that someone can help me trying to explain about what really
> this rule does. :-)
>
> Evan Platt wrote:
>> At 10:22 AM 3/22/2007, Deivid Vilela wrote:
>>> Somebody knows what this rule does?
>>>
>>> ONE_TIME
>>
>> # grep ONE_T *
>> 20_phrases.cf:body ONE_TIME /\bone\W+time (?:charge|investment|offer|promotion)/i
>> 20_phrases.cf:describe ONE_TIME One Time Rip Off


I'm no expert on rules, but near as I can tell, finds
one time charge
one time investment
one time offer
one time promotion.
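
What the rule matches can be checked mechanically. The following is an added example, not part of the thread or of SpamAssassin itself: a small parser for the two rule lines from the grep output, run over constructed sample text. It assumes Python's `re` module treats this particular pattern the same way Perl does; the function names are made up for the illustration.

```python
import re

# Constructed copy of the two rule lines from the grep output
# (the "20_phrases.cf:" file-name prefix added by grep is removed).
RULE_TEXT = r"""
body ONE_TIME /\bone\W+time (?:charge|investment|offer|promotion)/i
describe ONE_TIME One Time Rip Off
"""

LINE_RE = re.compile(r"^(body|describe)\s+(\w+)\s+(.+)$")
PATTERN_RE = re.compile(r"^/(.*)/([a-z]*)$")
FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def parse_rules(text):
    """Parse 'body NAME /regex/flags' and 'describe NAME text' lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # other rule types are outside this example
        kind, name, value = m.groups()
        rule = rules.setdefault(name, {"regex": None, "describe": ""})
        if kind == "describe":
            rule["describe"] = value
            continue
        pm = PATTERN_RE.match(value)
        if not pm:
            raise ValueError("not a /regex/flags pattern: " + value)
        flags = 0
        for ch in pm.group(2):
            if ch not in FLAG_MAP:
                raise ValueError("unsupported flag: " + ch)
            flags |= FLAG_MAP[ch]
        rule["regex"] = re.compile(pm.group(1), flags)
    return rules


def hits(rules, body):
    """Names of the body rules whose regex is found anywhere in the text."""
    return sorted(n for n, r in rules.items() if r["regex"] and r["regex"].search(body))


# Constructed sample bodies with the reason each one does or does not hit.
SAMPLES = [
    "Act now: one time offer for new members",  # plain phrase
    "ONE-TIME CHARGE applies",                  # /i, and \W+ accepts the hyphen
    "a one   time promotion",                   # \W+ accepts several spaces
    "one time offers expire soon",              # no trailing \b, so plurals hit
    "someone time offer",                       # \b stops a match inside "someone"
    "onetime offer",                            # \W+ needs at least one separator
    "one_time offer",                           # "_" is a word character
    "one time payment",                         # noun not in the alternation
]

if __name__ == "__main__":
    rules = parse_rules(RULE_TEXT)
    for text in SAMPLES:
        print("%-45r %s" % (text, hits(rules, text) or "-"))
```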



Re: ONE_TIME (rule)

2007-03-22 Thread Deivid Vilela

Dear Friend

I can read the CF Files but I don't understand it.
I hope that someone can help me trying to explain about what really this 
rule does. :-)

Evan Platt wrote:
> At 10:22 AM 3/22/2007, Deivid Vilela wrote:
>> Somebody knows what this rule does?
>>
>> ONE_TIME
>
> # grep ONE_T *
> 20_phrases.cf:body ONE_TIME /\bone\W+time (?:charge|investment|offer|promotion)/i
> 20_phrases.cf:describe ONE_TIME One Time Rip Off
>
> Evan









Per User Settings?

2007-03-22 Thread Paul Hutchings
I'm looking at rebuilding our mail gateway due to new hardware (and to
learn).

The plan at the moment is probably Redhat/CentOS/Fedora (mostly for rpm
availability) plus Postfix plus Spamassassin.

The box will be an in/out relay server and will accept mail for a few
domains and pass most of it off to our internal server.

With a couple of a domains there are a few local users with pop3
mailboxes.

I currently call Spamassassin (spamc/spamd) from Postfix via a simple
shell script, and we have a single set of whitelists/blacklists and a
single bayes DB etc.

Does anyone have any pointers on how I could setup spamassassin so that
valid users email address could have their own set of
blacklists/whitelists and bayes?

I assume I would need some sort of SQL (currently we use Berkeley DB for
the shared database).

I'm not a *nix admin by trade so I'm looking for kind of an "idiots
guide" on how I could do this.  I'm not too concerned about users being
able to change their own settings.

TIA,
Paul


Re: ONE_TIME (rule)

2007-03-22 Thread Evan Platt

At 10:22 AM 3/22/2007, Deivid Vilela wrote:
> Somebody knows what this rule does?
>
> ONE_TIME

# grep ONE_T *
20_phrases.cf:body ONE_TIME /\bone\W+time (?:charge|investment|offer|promotion)/i
20_phrases.cf:describe ONE_TIME One Time Rip Off

Evan



Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Michel R Vaillancourt

Henrik Krohns wrote:

> On Thu, Mar 22, 2007 at 09:55:07AM -0700, Marc Perkel wrote:
>> Maybe I'm doing something wrong but with the various methods of bayes 
>> poisoning going on I've found that bayes is just lowering the score of 
>> spam and causing more spam to get through.
>
> So is there actually any real proof that Bayes poisoning works? I've yet to
> find any evidence. All the cases have been admins/users messing it up
> themselves.

In point of fact, my own experience is that poisoning attempts make no difference 
at all.  Because the number of poison tokens in an established database is so small, they 
don't change anything.  However the incidence of other spam-positive keys "tips the 
hand".

I use auto-learning.  Always have.  It has NEVER been a problem;  if I 
get an FP or FN, I resubmit those mails for retraining to the DB.

I've even gone so far as to take a Spam mail that was visually more than 80% 
"poison", copy the poison out, put it around another spam mail and mail it to 
myself from a dummy account.  Result?  Bayes_99.  Took the same poison, wrapped it 
around a legitimate mail and sent it to myself.  Result?  Bayes_00.  You can't keep a 
good Bayes down;  auto-learned or not.

And I'm a little guy; 5000 messages a day ... 1 if the lists I host 
are busy.  It's not like I have a massive bayes DB to work against.  The Big 
Boys should be even more accurate just by raw weight of statistical incidence.  
Bayes Poison is fiction;  it's not even good fiction.
--
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca
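
The wrap-the-poison experiment described in this message can be reproduced with a toy classifier. This is an added example, not part of the original post and not SpamAssassin's Bayes code: a simplified Robinson-style smoothed token estimate with chi-square combining, trained on a constructed eight-message corpus. All names, constants and sample messages are assumptions made for the illustration.

```python
import math
from collections import Counter

S_STRENGTH = 1.0  # weight of the prior in the smoothed token estimate
X_PRIOR = 0.5     # probability assumed for a token with little history
MIN_DEV = 0.1     # tokens closer than this to 0.5 carry no usable evidence


def tokenize(text):
    """Lower-cased set of words: each token counts once per message."""
    return set(text.lower().split())


def chi2q(x2, dof):
    """Upper tail of the chi-square distribution for an even number of d.o.f."""
    m = x2 / 2.0
    term = total = math.exp(-m)
    for i in range(1, dof // 2):
        term *= m / i
        total += term
    return min(total, 1.0)


class ToyBayes:
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0

    def learn(self, text, is_spam):
        if is_spam:
            self.spam.update(tokenize(text))
            self.nspam += 1
        else:
            self.ham.update(tokenize(text))
            self.nham += 1

    def token_prob(self, tok):
        s, h = self.spam[tok], self.ham[tok]
        n = s + h
        if n == 0:
            return None  # never seen in training: contributes nothing
        sr, hr = s / self.nspam, h / self.nham
        p = sr / (sr + hr)
        # Pull rarely seen tokens toward the prior.
        return (S_STRENGTH * X_PRIOR + n * p) / (S_STRENGTH + n)

    def score(self, text):
        """Return 0.0 (ham) .. 1.0 (spam) by chi-square combining."""
        probs = sorted(
            p for p in map(self.token_prob, tokenize(text))
            if p is not None and abs(p - 0.5) >= MIN_DEV
        )
        if not probs:
            return 0.5
        dof = 2 * len(probs)
        spamminess = 1.0 - chi2q(-2.0 * sum(math.log(1.0 - p) for p in probs), dof)
        hamminess = 1.0 - chi2q(-2.0 * sum(math.log(p) for p in probs), dof)
        return (1.0 + spamminess - hamminess) / 2.0


# Constructed training corpus and test messages (not real mail).
HAM = [
    "meeting agenda for the budget review tomorrow",
    "please review the attached invoice for server hosting",
    "the project meeting today moved to friday",
    "server backup report attached for review",
]
SPAM = [
    "buy cheap pills online now today",
    "hot stock alert buy now huge profit",
    "cheap watches discount offer buy now",
    "stock pick alert huge profit online now",
]
TEST_SPAM = "buy cheap stock now huge discount"
TEST_HAM = "please review the server report before the meeting"
# Filler words: unseen in training, except "today", which is seen equally
# often in ham and spam and therefore sits at exactly 0.5.
POISON = "harriet dining observation restaurant butter bread softness hardness today"


def run_experiment():
    bayes = ToyBayes()
    for msg in HAM:
        bayes.learn(msg, is_spam=False)
    for msg in SPAM:
        bayes.learn(msg, is_spam=True)
    return {
        "spam": bayes.score(TEST_SPAM),
        "ham": bayes.score(TEST_HAM),
        "poison+spam": bayes.score(POISON + " " + TEST_SPAM + " " + POISON),
        "poison+ham": bayes.score(POISON + " " + TEST_HAM + " " + POISON),
    }


if __name__ == "__main__":
    for label, value in run_experiment().items():
        print("%-12s %.4f" % (label, value))
```

The filler leaves both scores unchanged because unseen tokens are skipped and evenly seen tokens fall inside the `MIN_DEV` band, so only the tokens with a training history decide the result.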


Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread John D. Hardin
On Thu, 22 Mar 2007, Kris Deugau wrote:

> John D. Hardin wrote:
> > I've never trusted automatic learning. Why let your Bayes database be 
> > (even partially) under the control of a third party, particularly 
> > when that third party is the attacker?
> 
> Because there's no other (practical and/or ethical) way of getting 
> enough ham to make it useful?

Fair enough. I've only ever administered a limited-size trusted
environment (small corporate and personal).

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #7: In ten years nobody will remember the
  details of caliber, stance, or tactics. They will only remember who
  lived.
---
 593 days until the Presidential Election



ONE_TIME (rule)

2007-03-22 Thread Deivid Vilela




Somebody knows what this rule does?

ONE_TIME



Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Kris Deugau

John D. Hardin wrote:
> I've never trusted automatic learning. Why let your Bayes database be 
> (even partially) under the control of a third party, particularly 
> when that third party is the attacker?


Because there's no other (practical and/or ethical) way of getting 
enough ham to make it useful?


Anyone using SA in an ISP environment will run into this problem;  about 
the only way I can see to legitimately get any real volume of ham is to 
send customers' outbound mail into a learning queue somewhere.  Even 
that has its limits and issues - for instance, the fact that any ISP 
larger than a few thousand customers will likely have completely 
separate paths for inbound and outbound mail, which *will* affect the 
usefulness of the learning.  :/


I've been running the same Bayes databases on one system and my personal 
email since I upgraded from SA2.44 to 2.54 and started using Bayes;  I'd 
be running the original Bayes DB on another system if I had figured out 
I *could* just continue to use the exact same files upgrading 
2.64->3.1.7 at the time.


Accuracy on the continuous-use databases hasn't suffered for the 
autolearning, so far as I can tell...  but the more out-of-date SA 
itself got the worse it was at tagging spam.


I *do* regularly feed back both my own missed-spams (my account, and 
three role accounts), as well as customer-submitted missed-spam.  Lately 
there have only been four or five (reported) FNs per day, across the 
whole system.


-kgd


Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-22 Thread Mark Adams
On Fri, Mar 02, 2007 at 10:06:51AM -0500, Bowie Bailey wrote:
> Is it scoring the whitelist lower or is it just not hitting?
> 
> Can you post your whitelist rule and the headers from an example
> message?

Hi, Apologies for delay I did not see this message. I am still having
issues with this so your help would be gratefully received.

Whitelist file is in /etc/spamassassin/ and is called whitelist.cf
entry;

whitelist_from [EMAIL PROTECTED]

Below is the x-spam scoring headers for an email from this sender;

X-Spam-Score: 40
X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7


Re: what is RAZOR2_CF_RANGE_51_100 BODY?

2007-03-22 Thread Theo Van Dinter
On Thu, Mar 22, 2007 at 12:40:23PM -0300, David fire wrote:
> but whats that means?
> confidence (cf) rating between 51 and 100.

You should take a look at Razor for information
about how their stuff works.  Things like
http://razor.sourceforge.net/docs/doc.php?type=text&name=README, etc.

-- 
Randomly Selected Tagline:
Call this number for illiteracy: 555-READ




Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Marc Perkel



Henrik Krohns wrote:

> On Thu, Mar 22, 2007 at 09:55:07AM -0700, Marc Perkel wrote:
>> Maybe I'm doing something wrong but with the various methods of bayes 
>> poisoning going on I've found that bayes is just lowering the score of 
>> spam and causing more spam to get through.
>
> So is there actually any real proof that Bayes poisoning works? I've yet to
> find any evidence. All the cases have been admins/users messing it up
> themselves.
  


I'm just relating my experience and perhaps wondering if I'm doing 
something wrong.




Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread John D. Hardin
On Thu, 22 Mar 2007, Marc Perkel wrote:

> Maybe I'm doing something wrong but with the various methods of
> bayes poisoning going on I've found that bayes is just lowering
> the score of spam and causing more spam to get through. Where
> bayes used to be the centerpiece of spam filtering now I have
> turned it off to increase accuracy.

I've never trusted automatic learning. Why let your Bayes database be 
(even partially) under the control of a third party, particularly 
when that third party is the attacker?

If a spam technique that scores low is found or that does not place
the commercial message in the textual parts of the message, and you
have automatic learning turned on, then the bad guys have the ability
to affect to a degree your token balance.

Hand-trained bayes can't be affected by poisoning.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #7: In ten years nobody will remember the
  details of caliber, stance, or tactics. They will only remember who
  lived.
---
 593 days until the Presidential Election



Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread -- [ UxBoD ] --
Using a combination of numerous SA rules, bayes, FuzzyOCR and BotNet on a new 
server I've just built we are trashing the SPAM.  Attached graph is for today :-

Regards,

UxBoD

On Thu, 22 Mar 2007 09:55:07 -0700, Marc Perkel <[EMAIL PROTECTED]> wrote:
> Maybe I'm doing something wrong but with the various methods of bayes
> poisoning going on I've found that bayes is just lowering the score of
> spam and causing more spam to get through. Where bayes used to be the
> centerpiece of spam filtering now I have turned it off to increase
> accuracy.
> 
> Anyone else seeing this or is there some new tricks that I'm missing out
> on?
> 
> 
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.
-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: [EMAIL PROTECTED]
-- 
This message has been scanned for viruses and dangerous content by MailScanner, 
and is
believed to be clean.



smartmail.png
Description: PNG image


Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Anthony Peacock

Hi,

My Bayes is just as accurate as it has always been.

Any false negatives usually all have BAYES_99 in them, they just don't 
have enough other rule hits to raise the overall score above the threshold.


Marc Perkel wrote:
> Maybe I'm doing something wrong but with the various methods of bayes 
> poisoning going on I've found that bayes is just lowering the score of 
> spam and causing more spam to get through. Where bayes used to be the 
> centerpiece of spam filtering now I have turned it off to increase 
> accuracy.
>
> Anyone else seeing this or is there some new tricks that I'm missing out 
> on?






--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw


Is Bayes Dead? Have the spammers won?

2007-03-22 Thread Marc Perkel
Maybe I'm doing something wrong but with the various methods of bayes 
poisoning going on I've found that bayes is just lowering the score of 
spam and causing more spam to get through. Where bayes used to be the 
centerpiece of spam filtering now I have turned it off to increase accuracy.


Anyone else seeing this or is there some new tricks that I'm missing out on?



Stock rules match legitimate e-mail

2007-03-22 Thread Jason Bertoch [Electronet]

A legitimate e-mail passed through my system yesterday that matched three stock
rules with default scores:

1.9 RATWARE_OUTLOOK_NONAME
1.4 RATWARE_MS_HASH
2.2 MSGID_DOLLARS

Because this is a legitimate e-mail from a legitimate server, does that mean
these particular stock rules need a score adjustment or are they maybe a little
outdated?  Message headers follow:





Return-path: <[EMAIL PROTECTED]>
Received: from outbound-smtp.firstam.com (outbound-smtp3.firstam.com
[69.87.54.8])
by mail1.electronet.net (8.14.0/8.14.0) with ESMTP id l2LL3o67001535
for <[EMAIL PROTECTED]>; Wed, 21 Mar 2007 17:03:51 -0400
Received: from 10.48.129.31 by outbound-smtp.firstam.com with ESMTP (
 Hello SMTP Relay); Wed, 21 Mar 2007 14:03:35 -0700
X-Server-Uuid: 6B41F939-E8F2-471D-A9AE-316CEEC949DD
Received: from unknown (HELO fahqsna01smxs12.corp.firstam.com) (
 [172.17.247.12]) by FAEMSNA01SMXS02.FIRSTAM.COM with ESMTP; 21 Mar 2007
 14:03:32 -0700
Received: from TISELRG01SMXS02.corp.firstam.com ([172.27.10.100]) by
 fahqsna01smxs12.corp.firstam.com with Microsoft SMTPSVC(6.0.3790.1830);
 Wed, 21 Mar 2007 14:03:31 -0700
Received: from 172.17.22.206 ([172.17.22.206]) by
 TISELRG01SMXS02.corp.firstam.com ([172.27.10.100]) with Microsoft
 Exchange Server HTTP-DAV ; Wed, 21 Mar 2007 21:03:29 +
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
From: "Escalona, Edith" <[EMAIL PROTECTED]>
Subject: *SPAM* RE: family names
Date: Wed, 21 Mar 2007 17:03:28 -0400
X-Priority: 3
To: "Curt Hunter" <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 21 Mar 2007 21:03:31.0275 (UTC)
 FILETIME=[615CC9B0:01C76BFC]
X-TMWD-Spam-Summary: SEV=1.1; DFV=A2007032108; IFV=2.0.6,4.0-7;
 RPD=4.00.0004;
 
RPDID=303030312E30413031303230372E34363031394441382E303030353A5343464D4135343334
32342D462D2F4E4553574B563534472F71554B6D71577A564237673D3D;
 ENG=IBF; TS=20070321220337; CAT=NONE; CON=NONE;
X-WSS-ID: 6A1F422F4I018575-01-01
Content-Type: multipart/mixed; boundary="--=_1174511032-11972-52"
X-Spam-Score: 5.403 (*) MSGID_DOLLARS,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME





Jason A. Bertoch
Network Administrator
[EMAIL PROTECTED]
ElectroNet Intermedia Consulting
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771



Re: what is RAZOR2_CF_RANGE_51_100 BODY?

2007-03-22 Thread Theo Van Dinter
On Thu, Mar 22, 2007 at 10:50:58AM -0300, David fire wrote:
> i try to configure my spam assassin but i have one question
> what is RAZOR2_CF_RANGE_51_100 BODY ?

It means that Razor2 gave the message a spam confidence (cf) rating
between 51 and 100.

-- 
Randomly Selected Tagline:
There are two things in life one should always remember:
   1. Never tell everything you know.




Re: Reporting spam by forwarded/attached message

2007-03-22 Thread Luis Hernán Otegui

Well, I got it working (started a thread like this one month ago or so)
thanks to some other users' contributions.
What I did (following someone else's instructions) was insert these lines in
local.cf:

bayes_ignore_header ReSent-Date
bayes_ignore_header ReSent-From
bayes_ignore_header ReSent-Message-ID
bayes_ignore_header ReSent-Subject
bayes_ignore_header ReSent-To
all_spam_to [EMAIL PROTECTED]


and after that, set up the spam account, and generate a script to teach
spamassassin the forwarded messages. Maybe the bash programming could be
improved, but it's working for me like this:


#!/bin/bash
# Count the messages waiting in the spam mailbox's new/ directory
result_spam=$(ls /usr/local/virtual/[EMAIL PROTECTED]/new | wc -l)
if [ "$result_spam" -ne 0 ]
   then
   spamassassin -r -d  --progress < /usr/local/virtual/spam@mydomain.tld/new
   # Flag for the other cron scripts that something was learned
   echo 1 > /var/tmp/sa-state
   rm -f /usr/local/virtual/[EMAIL PROTECTED]/new/*
fi


This script runs through cron once an hour along with some others which scan
my users' IMAP folders (some of them only use a webmail, and some use MUAs,
such as Outlook Express), search for spam and ham folders, check if they're
not empty, and learn from their contents (that's why I put that "echo"
sentence). BTW, if anyone knows a better way to check for the existence of
spam in the preceding script, I will gladly accept their tips...

When I finish polishing this, I promise to make a nice package and share it.



Luis
2007/3/21, Wael Shaheen <[EMAIL PROTECTED]>:


> Hello everyone,
> am looking for a mechanism which allows my clients to report spam by
> forwarding a message or attaching it to a single mailbox i.e
> [EMAIL PROTECTED]
>
> How can i do this, forwarded emails will have the sender information cut off
> before being fed to sa-learn
> I would appreciate any hints-information in that direction and if any idea
> would be better than what am thinking of
> or have sa-learn run on the attached messages
>
> Thank you





--
-
GNU-GPL: "May The Source Be With You...
-


RE: reset spam bayes

2007-03-22 Thread Dean Manners
sa-learn --clear

Make sure you have a ham/spam pile ready to re-train your db's after
clearing.

-Original Message-
From: Dean Clapper [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 23, 2007 1:12 AM
To: users@spamassassin.apache.org
Subject: reset spam bayes

I was wondering how to reset bayes for spamassassin.  We have had a lot of
spam start coming through the past few weeks and I want to flush out the
bayes in my directory then try it for the shared bayes.

I'm on spamassassin-3.1.3-1.

thanks
Dean



Pamditherbw gone, but no pamthreshhold

2007-03-22 Thread David Baron
Now getting loads of FuzzyOcr failed to execute pamditherbw.
I have ppmtopgm but no pamtopnm and no pamthreshold.

I have netpbm 2.10.0-11 from Debian Sid. So I commented out the missing stuff 
in FuzzyOcr.scansets,  but in FuzzyOcr.preps, this was an either or 
situation.

I do have a ppmdither. (Also, some other pamto thingies that are in 
FuzzyOcr.preps: Pamtotiff -> ppm2tiff? )

How to fix it? Simply substitute ppmto's? Argument changes as well?


reset spam bayes

2007-03-22 Thread Dean Clapper
I was wondering how to reset bayes for spamassassin.  We have had a lot 
of spam start coming through the past few weeks and I want to flush out the 
bayes in my directory then try it for the shared bayes.

I'm on spamassassin-3.1.3-1.

thanks
Dean


what is RAZOR2_CF_RANGE_51_100 BODY?

2007-03-22 Thread David fire

hi
i try to configure my spam assassin but i have one question
what is RAZOR2_CF_RANGE_51_100 BODY ?
thanks
David


Re: patches for FREEBSD sa-update

2007-03-22 Thread Jonas Eckerman

Michael Scheidell wrote:


> Then /usr/local/etc/mail/spamassassin isn't a good place for .local.cf
> and SARES rules either .),


I'd say SA's "local.cf" and other manually edited configuration 
files are typical for files in "/usr/local/etc".


The SARE rules don't fit that bad in "/usr/local/etc" as long 
as they are not updated automagically.


If you do update the SARE rules automagically, then I agree that 
they should not be in "/usr/local/etc" (and using sa-update for 
the SARE rules, they are of course placed in SA's LOCAL_STATE_DIR).


Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: Need help with a rule

2007-03-22 Thread Chris St. Pierre

Sure.

header __LOCAL_SENDER  From =~ /@example\.com/i
meta   FORGED_LOCAL_SENDER __LOCAL_SENDER && !TRUSTED_NETWORKS
score  FORGED_LOCAL_SENDER 1

This depends on a proper setting of TRUSTED_NETWORKS.

(Note: untested code, YMMV, etc.)

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 22 Mar 2007, Bill Minton wrote:


> I'm looking to have Spamassassin mark messages where the from address is
> forged with a valid local address.
>
> For instance, if a local address is [EMAIL PROTECTED] and a spammer spoofs that,
> then it initially appears as though [EMAIL PROTECTED] is sending an email to
> [EMAIL PROTECTED] (which is ok).
>
> I've found that if the "From:" contains a valid local account, AND the
> "envelope-from" (part of "Received:" doesn't match that account, it is
> spam.  At least that's the case w/the ones I've looked over.
>
> So, is it possible to write a rule to combine the two checks necessary to do
> that?


Re: Need help with a rule

2007-03-22 Thread Matt Kettler
Bill Minton wrote:
> I'm looking to have Spamassassin mark messages where the from address
> is forged with a valid local address.
>
> For instance, if a local address is [EMAIL PROTECTED]
> and a spammer spoofs that, then it initially appears as though
> [EMAIL PROTECTED] is sending an email to [EMAIL PROTECTED]
> (which is ok).
>
> I've found that if the "From:" contains a valid local account, AND the
> "envelope-from" (part of "Received:" doesn't match that account, it is
> spam.  At least that's the case w/the ones I've looked over.
>
> So, is it possible to write a rule to combine the two checks necessary
> to do that?
Yes, but it would be easier to just publish a SPF record for web.com,
install the SPF perl modules, and let the SPF checks in SA pick it up.
>
>



Need help with a rule

2007-03-22 Thread Bill Minton

I'm looking to have Spamassassin mark messages where the from address is
forged with a valid local address.

For instance, if a local address is [EMAIL PROTECTED] and a spammer spoofs that,
then it initially appears as though [EMAIL PROTECTED] is sending an email to
[EMAIL PROTECTED] (which is ok).

I've found that if the "From:" contains a valid local account, AND the
"envelope-from" (part of "Received:" doesn't match that account, it is
spam.  At least that's the case w/the ones I've looked over.

So, is it possible to write a rule to combine the two checks necessary to do
that?