whitelist and blacklist problem

2007-03-28 Thread lalit

I have configured SpamAssassin with MySQL. Now it fetches whitelist and
blacklist data from the userpref table, but mail is detected as spam in both cases,
whether the user is in the whitelist or in the blacklist, and the spam report shows
the user in the blacklist and the user in the whitelist.
Case 1, when the user is in the whitelist:
X-Spam-Status: No, score=0.5 required=5.0 tests=AWL,HTML_MESSAGE,
 MIME_HTML_MOSTLY,USER_IN_BLACKLIST,USER_IN_WHITELIST autolearn=no
 version=3.1.8

Case 2, when the user is in the blacklist or not in the whitelist, it gives the correct report:

X-Spam-Status: Yes, score=100.8 required=5.0 tests=AWL,HTML_90_100,
 HTML_MESSAGE,NO_DNS_FOR_FROM,USER_IN_BLACKLIST autolearn=no
 version=3.0.5
X-Spam-Report:
 * 100 USER_IN_BLACKLIST From: address is in the user's black-list
 * 0.2 HTML_90_100 BODY: Message is 90% to 100% HTML
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 1.1 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
 * -0.5 AWL AWL: From: address is in the auto white-list

How can I fix it? What is the cause of the problem?

-- 
View this message in context: 
http://www.nabble.com/whitelist-and-blacklist-problem-tf3484900.html#a9728558
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
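
An added example (not part of the original post): a small Python parser for the two X-Spam-Status headers quoted above, which flags a message that hits both list rules and shows how much of the score comes from them. The rule scores are the ones shown in reports on this page (100 and -100); the function names are hypothetical.

```python
import re

# Scores as they appear in reports on this page:
#   "100 USER_IN_BLACKLIST" and "-100 USER_IN_WHITELIST".
LIST_RULES = {"USER_IN_BLACKLIST": 100.0, "USER_IN_WHITELIST": -100.0}

# Sample input: the two headers from the post, folded as in the message.
CASE_1 = (
    "X-Spam-Status: No, score=0.5 required=5.0 tests=AWL,HTML_MESSAGE,\n"
    " MIME_HTML_MOSTLY,USER_IN_BLACKLIST,USER_IN_WHITELIST autolearn=no\n"
    " version=3.1.8\n"
)
CASE_2 = (
    "X-Spam-Status: Yes, score=100.8 required=5.0 tests=AWL,HTML_90_100,\n"
    " HTML_MESSAGE,NO_DNS_FOR_FROM,USER_IN_BLACKLIST autolearn=no\n"
    " version=3.0.5\n"
)


def parse_status(raw):
    """Unfold an X-Spam-Status header and return its fields."""
    # Header continuation lines start with whitespace; join them.
    line = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    verdict = re.match(r"X-Spam-Status:\s*(Yes|No)\b", line, re.IGNORECASE)
    if not verdict:
        raise ValueError("not an X-Spam-Status header")
    # Folding can leave a space after a comma inside tests=...; remove it
    # so the whole test list is one whitespace-free token.
    fields = dict(re.findall(r"(\w+)=(\S*)", re.sub(r",\s+", ",", line)))
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {
        "is_spam": verdict.group(1).lower() == "yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": tests,
        "version": fields.get("version"),
    }


def analyze(raw):
    """Report list-rule hits, whether they conflict, and the remaining score."""
    status = parse_status(raw)
    hits = [t for t in status["tests"] if t in LIST_RULES]
    list_points = sum(LIST_RULES[t] for t in hits)
    status.update(
        list_hits=hits,
        # Both rules firing on one message means the sender matched a
        # whitelist entry and a blacklist entry at the same time.
        conflict=set(hits) == set(LIST_RULES),
        list_points=list_points,
        score_without_lists=round(status["score"] - list_points, 1),
    )
    return status


if __name__ == "__main__":
    for name, raw in (("case 1", CASE_1), ("case 2", CASE_2)):
        r = analyze(raw)
        print(name, "version", r["version"], "spam" if r["is_spam"] else "ham",
              "score", r["score"], "list hits", r["list_hits"],
              "conflict" if r["conflict"] else "no conflict",
              "score without list rules", r["score_without_lists"])
```

In case 1 the two list rules cancel each other, so the 0.5 that remains is the sum of the other tests; the parser also surfaces that the two headers carry different `version` values.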



Re: OT: lost some mail while updating qmail-scanner

2007-03-28 Thread Bill McCormick
Same thing happened to me recently and it eventually showed up. Although 
my setup's a little different, I think qmail keeps trying until it 
finally delivers.


Does qmail-cntl -stat show anything?

Further OT ...
Depending on how you set up your toaster (I used qmailrocks), the group 
permissions need to be worked on. I think there needs to be a qmail 
group that qmail, clamav/whateverav, scanner, spamd and vpopmail all 
belong to so everybody can access the dirs they need to.


Bill


J. wrote:

I had some permissions trouble after updating a few things last night
and as a result mail was coming in but not getting to the place where
it could be "popped" by the user (me). The mail was coming in and being
handled by spamd because I could see action in the log file, but
nothing was showing up in my inbox when I ran pine. I got the trouble
fixed, but the mail that came in during the trouble period seems to be
lost. Does anyone know where I could look to find it? I can't even find
where my current mail gets queued before it's popped. I'm using
qmail/qmail-scanner/spamd/clamd/vpopmail/maildrop. Thanks.


 




OT: lost some mail while updating qmail-scanner

2007-03-28 Thread J.
I had some permissions trouble after updating a few things last night
and as a result mail was coming in but not getting to the place where
it could be "popped" by the user (me). The mail was coming in and being
handled by spamd because I could see action in the log file, but
nothing was showing up in my inbox when I ran pine. I got the trouble
fixed, but the mail that came in during the trouble period seems to be
lost. Does anyone know where I could look to find it? I can't even find
where my current mail gets queued before it's popped. I'm using
qmail/qmail-scanner/spamd/clamd/vpopmail/maildrop. Thanks.


 



sa-learn question

2007-03-28 Thread J.
After about a year of running sa-learn from a user that isn't the user
that spamd is running under, I've changed things to allow login to the
spamd user account (qscand). So, will running this command now work for
helping train my bayes files?

sa-learn --showdots --mbox --spam /home/domainmail/mail/Spam
sa-learn --showdots --mbox --ham /home/domainmail/mail/Ham

All mail for our domain is funneled into one user account and I'll move
false positives and false negs into the right pine folders every few
days.

Thanks.


 



Re: Feature Request

2007-03-28 Thread Loren Wilton

I have been using SA since ~2.60 and because I work for an ISP, I need
to be more tolerant than most with regards to handling email. With this
in mind I have made a few modifications to the STOCK version and have to
manually patch with every upgrade, so here are some of the modifications
I have made (patch included), in hopes they make it into the newer
versions or help others:


Suggest you open one or more Bugzilla enhancement tickets for these patches. 
They will probably get lost in the noise here.  In Bugzilla they will at 
least be in the system.


   Loren




Re: email header question

2007-03-28 Thread Chris
On Saturday 24 March 2007 2:23 pm, vruk wrote:
> Was there ever an answer to this?
> I have every one of my emails from earthlink saying they are suspicious,
> using the earthlink scamblocker analyze.
> What is noehlo.host?
>
I finally got the attention of a few people at corp and here is a reply from 
one of them:

> Ok, I have a little more info on this.  First, my big caveat is that I'm 
> the product manager for email and am largely playing a role of 
> translating here between our engineers.
> 
> The high level thing that is going on is that we are making some changes 
> in our mail delivery.   As new email threats emerge (spam, viruses, 
> etc.) we wanted to re-architect how we deliver our email so that we 
> could do some more things in terms of analyzing the inbound messages.   
> The result of this is an extra hop within our network before the message 
> delivery.   This hop happens within our network and technically the IP 
> address is a local host: 127.0.0.1
> 
> We believe we're doing the right thing by listing this hop and 
> appropriate IP in the mail headers.
> 
> I'm not too familiar with Karsten's anti-spam script.   What IP address 
> is the script trying to find that is getting tripped up by this 
> additional hop?   It seems that the script could account for this by 
> looking for the originating IP instead of other hops.  But maybe I am 
> missing something here.
> 
> We're working through all this right now, so your feedback is definitely 
> welcome.
> 
> -Stephen

If I get any more info I'll forward it along.

-- 
Chris
KeyID 0xE372A7DA98E6705C




Re: Just a general question

2007-03-28 Thread Chris
On Friday 23 March 2007 4:16 pm, Gary V wrote:
> >>>I've been on this mail list only for a few months now, and am wondering
> >>>if I am the smallest guy here.
> >>
> >>No, you're not.
> >
> >Oh me me me!
> >
> >1 domain, 1 user. :)
>
> I think only someone that uses fetchmail could beat that (no domain, 1
> user).
>
> Gary V
>
You mean like this:

Received: from pop05.earthlink.net [209.86.93.206]
by localhost.localdomain with POP3 (fetchmail-6.3.7)
for <[EMAIL PROTECTED]> (single-drop); Fri, 23 Mar 2007 16:17:21 
-0500 (CDT)

Just me, all by my lonesome.

-- 
Chris
KeyID 0xE372A7DA98E6705C




Re: Who is APEWS.ORG

2007-03-28 Thread Ilya Vishnyakov
 
hmm
I got this from Whois.sc

Domain ID:D135922574-LROR
Domain Name:APEWS.ORG
Created On:27-Dec-2006 19:25:43 UTC
Last Updated On:26-Feb-2007 03:47:58 UTC
Expiration Date:27-Dec-2007 19:25:43 UTC
Sponsoring Registrar:PSI-USA, Inc. dba Domain Robot (R68-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:ABM-9494207
Registrant Name:Foda Voce Mesmo
Registrant Street1:Suas queimaduras do burro
Registrant Street2:
Registrant Street3:
Registrant City:Manaus
Registrant State/Province:Regio de Amazon
Registrant Postal Code:69075
Registrant Country:BR
Registrant Phone:+55.923633500
Registrant Phone Ext.:
Registrant FAX:+55.923633501
Registrant FAX Ext.:
Registrant Email:Whois Privacy and Spam Prevention by DomainTools.com

Admin ID:ABM-9494207
Admin Name:Foda Voce Mesmo
Admin Street1:Suas queimaduras do burro
Admin Street2:
Admin Street3:
Admin City:Manaus
Admin State/Province:Regio de Amazon
Admin Postal Code:69075
Admin Country:BR
Admin Phone:+55.923633500
Admin Phone Ext.:
Admin FAX:+55.923633501
Admin FAX Ext.:
Admin Email:Whois Privacy and Spam Prevention by DomainTools.com

Tech ID:ABM-9494207
Tech Name:Foda Voce Mesmo
Tech Street1:Suas queimaduras do burro
Tech Street2:
Tech Street3:
Tech City:Manaus
Tech State/Province:Regio de Amazon
Tech Postal Code:69075
Tech Country:BR
Tech Phone:+55.923633500
Tech Phone Ext.:
Tech FAX:+55.923633501
Tech FAX Ext.:
Tech Email:Whois Privacy and Spam Prevention by DomainTools.com

Name Server:NS9.SCHLUNDTECH.DE
Name Server:NS10.SCHLUNDTECH.DE

Marc Perkel wrote:
> Trying to figure out who these people are. Who is APEWS.ORG? They
> claim to be a blocklist provider to block spam but they are blocking
> spam filtering services. They also seem to be hiding who is behind
> it. Who are they? Is this some fake front for uceprotect?
>
> Here's what they have on the /24 block that I'm part of.
>
> Entry matching your Query: E-149815
> 69.50.231.0/24
> --
> CASE: C-117
> Systems running abusive Spamdefense on other systems expense. (CR,
> SAV or similar crap)
> --
> Special Reason:
> Computer Tyme Hosting
> 754 Glenview Dr. #201
> San Bruno, CA 94066
> US
>
> Administrative Contact:
> Perkel, Marc [EMAIL PROTECTED]
> 754 Glenview Dr. #201
> San Bruno, CA 94066
> US
>
> Technical Contact:
> Perkel, Marc [EMAIL PROTECTED]
> 754 Glenview Dr. #201
> San Bruno, CA 94066
> US
>
>
> for running abusive and selfish SAV from there.
> --
> History:
> Entry created 2007-03-15




Who is APEWS.ORG

2007-03-28 Thread Marc Perkel
Trying to figure out who these people are. Who is APEWS.ORG? They claim 
to be a blocklist provider to block spam but they are blocking spam 
filtering services. They also seem to be hiding who is behind it. Who 
are they? Is this some fake front for uceprotect?


Here's what they have on the /24 block that I'm part of.

Entry matching your Query: E-149815
69.50.231.0/24

CASE: C-117
Systems running abusive Spamdefense on other systems expense. (CR, SAV 
or similar crap)


Special Reason:
Computer Tyme Hosting
754 Glenview Dr. #201
San Bruno, CA 94066
US

Administrative Contact:
Perkel, Marc [EMAIL PROTECTED]
754 Glenview Dr. #201
San Bruno, CA 94066
US

Technical Contact:
Perkel, Marc [EMAIL PROTECTED]
754 Glenview Dr. #201
San Bruno, CA 94066
US


for running abusive and selfish SAV from there.

History:
Entry created 2007-03-15


Re: Feature Request

2007-03-28 Thread Justin Mason

hi -- could you open these as *multiple* *separate* bugs on
http://issues.apache.org/SpamAssassin/ ?  Some of them will be more
likely to get accepted than others. ;)

--j.

Jorge Valdes writes:
> Hi,
> 
> I have been using SA since ~2.60 and because I work for an ISP, I need 
> to be more tolerant than most with regards to handling email. With this 
> in mind I have made a few modifications to the STOCK version and have to 
> manually patch with every upgrade, so here are some of the modifications 
> I have made (patch included), in hopes they make it into the newer 
> versions or help others:
> 
> 1.- Mail::SpamAssassin::Client
> 
> Originally this really useful class only allowed for connection via TCP 
> sockets. I have (borrowing code :)) modified it so that it also handles 
> connection via Unix sockets.
> 
> 2.- Mail::SpamAssassin::Config
> 
> ++ Added Option 'report_score'.
> 
> The reason for this addition is that in order to allow user prefs, with 
> regards to handling of SPAM, in order for SpamAssassin to rewrite the 
> message, instead of doing it by checking the message score versus the 
> 'required_score' it now does it against 'report_score', thus offering 
> more flexibility with the handling of false positives/negatives, as 
> illustrated with these settings:
> 
> rewrite_header Subject [SPAM][_SCORE_]
> report_safe 1 (default)
> required_score 5.0
> report_score 7.0
> 
> Message with score < 5.0 points, message is ham
>  - normal processing
> Message with  5.0 <= score <= 7.0, message is spam:
>  - only subject is modified to indicate this fact
> Message with score >= 7.0, message is spam:
>  - subject is modified to indicate this fact
>  - message is rewritten as specified by report_safe
> 
> 3.- Mail::SpamAssassin::PerMsgStatus
> 
> ++ Added Method is_report().
> 
> This can be used in the same manner as is_spam() method.
> 
> ++ Added Method get_scores_of_tests_hit().
> 
> This can help with debugging by seeing the point score associated with 
> the tests that hit.
> 
> ++ Added Method get_report_score().
> 
> To retrieve the configured report_score setting.
> 
> ++ Modified Precision
> 
> Generally, scores have three digit precision, but when reporting, 
> sometimes the score is rounded to an integer or shown with only one 
> digit precision. This can sometimes lead to confusion and rounding 
> errors, so I modified reports to show three digit precision as the norm 
> and use two digit precision when scores > 10, and integers only when 
> scores > 100 (whitelist or GTUBE).
> 
> 4.- spamd/spamc
> 
> Allowing user preferences in an ISP environment can be troublesome, 
> especially when you have virtual users, there is no place to store each 
> user's preferences, unless you go the SQL route.  One of the most common 
> changes users make is to raise/lower the thresholds for spam detection, 
> so I have modified the source to allow the following additional options 
> to spamc:
> 
> ++  -m value   Use value as required_score instead of default.
> ++  -M value   Use value as report_score instead of default.
> 
> By allowing spamc to pass these values to a modified spamd that can 
> understand and modify these configuration options on a per scan basis, 
> any user (even virtual ones) can get treated differently with regards to 
> required_score and report_score, without the need to read a 
> configuration file. If specified, these values are passed as headers, to 
> spamd, thus extending the current spamd protocol so that it understands 
> these headers, and modifies the child's SpamAssassin object respectively.
> 
> How to modify calls to spamd with the correct spamc arguments is left as 
> an exercise to the user...
> 
> 5.- spamd
> 
> I also noticed that for those OS that allow it, $0 is changed for each 
> child in order to differentiate children from its parent.  In order to 
> better monitor what each child is doing, I have modified spamd to also 
> place the number of scans processed by each child as well as the status 
> in $0 so that when monitored by 'top', we can see what each child is doing:
> 
>   PID PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>  7785 17   0 95932  80m 2844 S   20  8.5   0:43.73 spamd child:  42/75 processing a.b.c.d
>  7787 16   0 86004  71m 2832 S    0  7.5   0:22.65 spamd child:  19/75 done
> 32447 16   0 83832  69m 2832 S    0  7.4   0:19.21 spamd child:  20/75 done
>  8385 16   0 75108  60m 2776 S    0  6.4   0:03.07 spamd child:   5/75 done
>  9100 19   0 74348  58m 2412 S    0  6.2   0:00.91 spamd child:   0/75 initialized
> 
> 
> where a.b.c.d is the IP address from the machine who sent the message we 
> need to "check", and will be 127.0.0.1 when done via Unix Socket.
> 
> -- 
> Jorge Valdes
> [EMAIL PROTECTED]
> 
> 
> diff -rub Mail-SpamAssassin-3.1.8-orig/lib/Mail/SpamAssassin/Client.pm 
> SA-318/lib/Mail/SpamAssassin/Client.pm
> --- Mail-SpamAssassin-3.1.8-orig/lib/Mail/SpamAssassin/Client.pm  
> 2007-02-13 12:17:13.0 -06

Re: Foreign Languages

2007-03-28 Thread John Thompson
On 2007-03-27, Nathan Brink <[EMAIL PROTECTED]> wrote:

> Does SPAM Assassin score what we boarheaded Americans consider to be
> "foreign language" email messages the same as it would English?

Are you looking for something that would score mail differently 
depending on the language used? Some of the SARE rules are designed to 
handle specific languages differently:

  http://www.rulesemporium.com/rules.htm

-- 

John ([EMAIL PROTECTED])



Re: whitelisting yahoogroups.com

2007-03-28 Thread Ilya Vishnyakov
 
Ok thank you.

Dan Barker wrote:
> No, it needs to be:
>
> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
> This covers ALL yahoo groups. You'll need more granularity to
> specify the groupname, as that information is in other headers.
>
> Dan
>
> -Original Message- From: Ilya Vishnyakov
> [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 28, 2007 3:05 PM
> To: James E. Pratt Cc: users@spamassassin.apache.org Subject: Re:
> whitelisting yahoogroups.com
>
>
> Thank you.
>
> James E. Pratt wrote:
>> No as I understand it, whitelist_from_rcvd checks relaying
>> domain, whitelist_from is a "blanket-whitelist" that only checks
>> from header - Only mail that matches: [EMAIL PROTECTED]
>> sent from actual yahoo.com relays will get whitelisted. (Sorry I
>> forgot my "-" before!)
>
>> It appears this may not work anymore anyhow, since I'm seeing
>> stuff like:
>
>>
> from=<[EMAIL PROTECTED]
>
>> ahoo.com>
>
>> in the maillog lately... :\
>
>> Regards, Jamie
>
>
>> -Original Message- From: Ilya Vishnyakov
>> [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 28, 2007 2:42 PM
>>  To: James E. Pratt Cc: users@spamassassin.apache.org Subject:
>> Re: whitelisting yahoogroups.com
>
>> Does this mean
>
>> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
>> That all mail coming from yahoo will be in the whitelist? I
>> certainly don't want this to happen.
>
>
>> James E. Pratt wrote:
>>> But, wouldn't that allow a spammer spoofing using that address
>>> "full-spammer-access"? I use: whitelist_from_rcvd
>>> [EMAIL PROTECTED] yahoo.com regards, jamie -Original
>>> Message- From: maillist [mailto:[EMAIL PROTECTED]
>>> Sent: Wednesday, March 28, 2007 2:34 PM To: Ilya Vishnyakov Cc:
>>> users@spamassassin.apache.org Subject: Re: whitelisting
>>> yahoogroups.com Ilya Vishnyakov wrote: Hmm. Hello Spamassassin
>>> Gurus! I'm having difficulties with yahoogroups.com emails. I
>>> whitelisted them as [EMAIL PROTECTED] , but emails
>>> still get into the spam. Is there any other way that I can
>>> whitelist it? I attach 2 screenshots with the headers for your
>>> convenience. Thank you in advance! Just whitelist like this:
>>> whitelist_from  @yahoogroups.com
>
>>> -=Aubrey=-
>



RE: whitelisting yahoogroups.com

2007-03-28 Thread Dan Barker
No, it needs to be:

whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com

This covers ALL yahoo groups. You'll need more granularity to specify the
groupname, as that information is in other headers.

Dan

-Original Message-
From: Ilya Vishnyakov [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 28, 2007 3:05 PM
To: James E. Pratt
Cc: users@spamassassin.apache.org
Subject: Re: whitelisting yahoogroups.com



Thank you.

James E. Pratt wrote:
> No as I understand it, whitelist_from_rcvd checks relaying domain,
> whitelist_from is a "blanket-whitelist" that only checks from
> header - Only mail that matches: [EMAIL PROTECTED] sent from
> actual yahoo.com relays will get whitelisted. (Sorry I forgot my
> "-" before!)
>
> It appears this may not work anymore anyhow, since I'm seeing stuff
>  like:
>
> from=<[EMAIL PROTECTED]
>  ahoo.com>
>
> in the maillog lately... :\
>
> Regards, Jamie
>
>
> -Original Message- From: Ilya Vishnyakov
> [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 28, 2007 2:42 PM
> To: James E. Pratt Cc: users@spamassassin.apache.org Subject: Re:
> whitelisting yahoogroups.com
>
> Does this mean
>
> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
> That all mail coming from yahoo will be in the whitelist? I
> certainly don't want this to happen.
>
>
> James E. Pratt wrote:
>> But, wouldn't that allow a spammer spoofing using that address
>> "full-spammer-access"?
>
>> I use:
>
>> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
>> regards, jamie
>
>> -Original Message- From: maillist
>> [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 28, 2007
>> 2:34 PM To: Ilya Vishnyakov Cc: users@spamassassin.apache.org
>> Subject: Re: whitelisting yahoogroups.com
>
>> Ilya Vishnyakov wrote: Hmm. Hello Spamassassin Gurus! I'm having
>> difficulties with yahoogroups.com emails. I whitelisted them as
>> [EMAIL PROTECTED] , but emails still get into the spam.
>> Is there any other way that I can whitelist it? I attach 2
>> screenshots with the headers for your convenience. Thank you in
>> advance!
>
>> Just whitelist like this:
>
>> whitelist_from  @yahoogroups.com
>
>
>> -=Aubrey=-
>
>




Re: whitelisting yahoogroups.com

2007-03-28 Thread Ilya Vishnyakov
 
Thank you.

James E. Pratt wrote:
> No as I understand it, whitelist_from_rcvd checks relaying domain,
> whitelist_from is a "blanket-whitelist" that only checks from
> header - Only mail that matches: [EMAIL PROTECTED] sent from
> actual yahoo.com relays will get whitelisted. (Sorry I forgot my
> "-" before!)
>
> It appears this may not work anymore anyhow, since I'm seeing stuff
>  like:
>
> from=<[EMAIL PROTECTED]
>  ahoo.com>
>
> in the maillog lately... :\
>
> Regards, Jamie
>
>
> -Original Message- From: Ilya Vishnyakov
> [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 28, 2007 2:42 PM
> To: James E. Pratt Cc: users@spamassassin.apache.org Subject: Re:
> whitelisting yahoogroups.com
>
> Does this mean
>
> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
> That all mail coming from yahoo will be in the whitelist? I
> certainly don't want this to happen.
>
>
> James E. Pratt wrote:
>> But, wouldn't that allow a spammer spoofing using that address
>> "full-spammer-access"?
>
>> I use:
>
>> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
>> regards, jamie
>
>> -Original Message- From: maillist
>> [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 28, 2007
>> 2:34 PM To: Ilya Vishnyakov Cc: users@spamassassin.apache.org
>> Subject: Re: whitelisting yahoogroups.com
>
>> Ilya Vishnyakov wrote: Hmm. Hello Spamassassin Gurus! I'm having
>> difficulties with yahoogroups.com emails. I whitelisted them as
>> [EMAIL PROTECTED] , but emails still get into the spam.
>> Is there any other way that I can whitelist it? I attach 2
>> screenshots with the headers for your convenience. Thank you in
>> advance!
>
>> Just whitelist like this:
>
>> whitelist_from  @yahoogroups.com
>
>
>> -=Aubrey=-
>
>



RE: whitelisting yahoogroups.com

2007-03-28 Thread James E. Pratt
No as I understand it, whitelist_from_rcvd checks relaying domain,
whitelist_from is a "blanket-whitelist" that only checks from header -
Only mail that matches: [EMAIL PROTECTED] sent from actual
yahoo.com relays will get whitelisted. (Sorry I forgot my "-" before!)

It appears this may not work anymore anyhow, since I'm seeing stuff
like:

from=<[EMAIL PROTECTED]
ahoo.com>

in the maillog lately... :\

Regards,
Jamie


-Original Message-
From: Ilya Vishnyakov [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 28, 2007 2:42 PM
To: James E. Pratt
Cc: users@spamassassin.apache.org
Subject: Re: whitelisting yahoogroups.com

 
Does this mean

whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com

That all mail coming from yahoo will be in the whitelist?
I certainly don't want this to happen.


James E. Pratt wrote:
> But, wouldn't that allow a spammer spoofing using that address
> "full-spammer-access"?
>
> I use:
>
> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
> regards, jamie
>
> -Original Message- From: maillist
> [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 28, 2007 2:34
> PM To: Ilya Vishnyakov Cc: users@spamassassin.apache.org Subject:
> Re: whitelisting yahoogroups.com
>
> Ilya Vishnyakov wrote: Hmm. Hello Spamassassin Gurus! I'm having
> difficulties with yahoogroups.com emails. I whitelisted them as
> [EMAIL PROTECTED] , but emails still get into the spam. Is
> there any other way that I can whitelist it? I attach 2 screenshots
> with the headers for your convenience. Thank you in advance!

> Just whitelist like this:

> whitelist_from  @yahoogroups.com


> -=Aubrey=-





Re: Whitelist scoring question

2007-03-28 Thread Mark Adams
Thanks, I did run exactly that, and got the output that I posted. Do you
have any idea why I might be getting such a limited output?

What do you have set for reporting purposes in your local.cf file?

Regards,
Mark

On Wed, Mar 28, 2007 at 01:31:16PM -0500, maillist wrote:
> Mark Adams wrote:
> >>You could run: "spamassassin --test-mode < message", and see what it is 
> >>scoring.
> >>
> >>
> >
> >Hi There,
> >
> >I have tried this, and get the below result.
> >
> >--_=_NextPart_001_01C7710E.58A560A4--
> >hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7
> >
> >This does not show whitelist hits, should it?
> >
> >Regards,
> >Mark
> >
> >  
> Yes, if you run "spamassassin --test-mode < message", it should show 
> something like this:
> 
> Content analysis details:   (-104.0 points, 7.0 required)
> 
> pts rule name  description
>  -- 
> --
> -1.0 SPF_HELO_PASS  SPF: HELO matches SPF record
> -100 USER_IN_WHITELIST  From: address is in the user's white-list
> -3.0 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
>[score: 0.]
> 
> -=Aubrey=-


Re: whitelisting yahoogroups.com

2007-03-28 Thread Ilya Vishnyakov
 
Does this mean

whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com

That all mail coming from yahoo will be in the whitelist?
I certainly don't want this to happen.


James E. Pratt wrote:
> But, wouldn't that allow a spammer spoofing using that address
> "full-spammer-access"?
>
> I use:
>
> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
> regards, jamie
>
> -Original Message- From: maillist
> [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 28, 2007 2:34
> PM To: Ilya Vishnyakov Cc: users@spamassassin.apache.org Subject:
> Re: whitelisting yahoogroups.com
>
> Ilya Vishnyakov wrote: Hmm. Hello Spamassassin Gurus! I'm having
> difficulties with yahoogroups.com emails. I whitelisted them as
> [EMAIL PROTECTED] , but emails still get into the spam. Is
> there any other way that I can whitelist it? I attach 2 screenshots
> with the headers for your convenience. Thank you in advance!

> Just whitelist like this:

> whitelist_from  @yahoogroups.com


> -=Aubrey=-





RE: whitelisting yahoogroups.com

2007-03-28 Thread James E. Pratt
But, wouldn't that allow a spammer spoofing using that address
"full-spammer-access"?

I use:

whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com

regards,
jamie

-Original Message-
From: maillist [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 28, 2007 2:34 PM
To: Ilya Vishnyakov
Cc: users@spamassassin.apache.org
Subject: Re: whitelisting yahoogroups.com

Ilya Vishnyakov wrote:
>  
> Hmm. Hello Spamassassin Gurus!
> I'm having difficulties with yahoogroups.com emails. I whitelisted
> them as [EMAIL PROTECTED] , but emails still get into the
> spam. Is there any other way that I can whitelist it?
> I attach 2 screenshots with the headers for your convenience.
> Thank you in advance!
>   

Just whitelist like this:

whitelist_from  @yahoogroups.com


-=Aubrey=-
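
An added example (not part of the thread, and not SpamAssassin's own code): a simplified Python model of the spoofing concern raised above, comparing a From-only whitelist_from match with a whitelist_from_rcvd match that also requires the relay's reverse DNS to end in the given domain. The address pattern, relay domain and sample messages are constructed stand-ins, since the real entries on this page are redacted, and the matching rules (anchored `*`/`?` glob, rDNS suffix on a label boundary) are this model's assumptions.

```python
import re


def glob_to_regex(pattern):
    """Turn an address glob ('*' and '?') into an anchored regex (model)."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def from_matches(from_addr, pattern):
    return glob_to_regex(pattern).match(from_addr) is not None


def rdns_matches(relay_rdns, domain):
    """True if the relay's rDNS is the domain or a host below it."""
    if not relay_rdns:
        return False  # no reverse DNS: nothing to compare against
    host = relay_rdns.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def whitelist_from(msg, pattern):
    # Only the From address is checked, and the sender controls that header.
    return from_matches(msg["from"], pattern)


def whitelist_from_rcvd(msg, pattern, domain):
    # The From address AND the rDNS of the relay that handed the message
    # to our own mail server must match; the latter is recorded by our
    # server, not supplied by the sender.
    return from_matches(msg["from"], pattern) and rdns_matches(
        msg["relay_rdns"], domain)


# Constructed stand-ins for the redacted entries on this page.
ADDR_PATTERN = "*@yahoogroups.com"
RELAY_DOMAIN = "yahoo.com"

# Constructed sample messages (hostnames are illustrative only).
MESSAGES = [
    {"label": "genuine list mail", "from": "somegroup@yahoogroups.com",
     "relay_rdns": "relay1.mail.yahoo.com"},
    {"label": "spoofed From", "from": "somegroup@yahoogroups.com",
     "relay_rdns": "host7.example.net"},
    {"label": "look-alike rDNS", "from": "somegroup@yahoogroups.com",
     "relay_rdns": "mail.notyahoo.com"},
    {"label": "no rDNS", "from": "somegroup@yahoogroups.com",
     "relay_rdns": None},
    {"label": "unrelated sender", "from": "someone@example.org",
     "relay_rdns": "relay1.mail.yahoo.com"},
]


def evaluate(messages=MESSAGES):
    """Map each label to (whitelist_from result, whitelist_from_rcvd result)."""
    return {
        m["label"]: (whitelist_from(m, ADDR_PATTERN),
                     whitelist_from_rcvd(m, ADDR_PATTERN, RELAY_DOMAIN))
        for m in messages
    }


if __name__ == "__main__":
    for label, (wf, wfr) in evaluate().items():
        print(f"{label:20s} whitelist_from={wf!s:5s} whitelist_from_rcvd={wfr}")
```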


Re: whitelisting yahoogroups.com

2007-03-28 Thread maillist

Ilya Vishnyakov wrote:

 
Hmm. Hello Spamassassin Gurus!

I'm having difficulties with yahoogroups.com emails. I whitelisted
them as [EMAIL PROTECTED] , but emails still get into the
spam. Is there any other way that I can whitelist it?
I attach 2 screenshots with the headers for your convenience.
Thank you in advance!
  


Just whitelist like this:

whitelist_from  @yahoogroups.com


-=Aubrey=-


Feature Request

2007-03-28 Thread Jorge Valdes

Hi,

I have been using SA since ~2.60 and because I work for an ISP, I need 
to be more tolerant than most with regards to handling email. With this 
in mind I have made a few modifications to the STOCK version and have to 
manually patch with every upgrade, so here are some of the modifications 
I have made (patch included), in hopes they make it into the newer 
versions or help others:


1.- Mail::SpamAssassin::Client

Originally this really useful class only allowed for connection via TCP 
sockets. I have (borrowing code :)) modified it so that it also handles 
connection via Unix sockets.


2.- Mail::SpamAssassin::Config

++ Added Option 'report_score'.

The reason for this addition is that in order to allow user prefs, with 
regards to handling of SPAM, in order for SpamAssassin to rewrite the 
message, instead of doing it by checking the message score versus the 
'required_score' it now does it against 'report_score', thus offering 
more flexibility with the handling of false positives/negatives, as 
illustrated with these settings:


rewrite_header Subject [SPAM][_SCORE_]
report_safe 1 (default)
required_score 5.0
report_score 7.0

Message with score < 5.0 points, message is ham
- normal processing
Message with  5.0 <= score <= 7.0, message is spam:
- only subject is modified to indicate this fact
Message with score >= 7.0, message is spam:
- subject is modified to indicate this fact
- message is rewritten as specified by report_safe

3.- Mail::SpamAssassin::PerMsgStatus

++ Added Method is_report().

This can be used in the same manner as is_spam() method.

++ Added Method get_scores_of_tests_hit().

This can help with debugging by seeing the point score associated with 
the tests that hit.


++ Added Method get_report_score().

To retrieve the configured report_score setting.

++ Modified Precision

Generally, scores have three digit precision, but when reporting, 
sometimes the score is rounded to an integer or shown with only one 
digit precision. This can sometimes lead to confusion and rounding 
errors, so I modified reports to show three digit precision as the norm 
and use two digit precision when scores > 10, and integers only when 
scores > 100 (whitelist or GTUBE).


4.- spamd/spamc

Allowing user preferences in an ISP environment can be troublesome, 
especially when you have virtual users, there is no place to store each 
user's preferences, unless you go the SQL route.  One of the most common 
changes users make is to raise/lower the thresholds for spam detection, 
so I have modified the source to allow the following additional options 
to spamc:


++  -m value   Use value as required_score instead of default.
++  -M value   Use value as report_score instead of default.

By allowing spamc to pass these values to a modified spamd that can 
understand and modify these configuration options on a per scan basis, 
any user (even virtual ones) can get treated differently with regards to 
required_score and report_score, without the need to read a 
configuration file. If specified, these values are passed as headers, to 
spamd, thus extending the current spamd protocol so that it understands 
these headers, and modifies the child's SpamAssassin object respectively.


How to modify calls to spamd with the correct spamc arguments is left as 
an exercise to the user...


5.- spamd

I also noticed that for those OS that allow it, $0 is changed for each 
child in order to differentiate children from its parent.  In order to 
better monitor what each child is doing, I have modified spamd to also 
place the number of scans processed by each child as well as the status 
in $0 so that when monitored by 'top', we can see what each child is doing:


  PID PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7785 17   0 95932  80m 2844 S   20  8.5   0:43.73 spamd child:  42/75 processing a.b.c.d
 7787 16   0 86004  71m 2832 S    0  7.5   0:22.65 spamd child:  19/75 done
32447 16   0 83832  69m 2832 S    0  7.4   0:19.21 spamd child:  20/75 done
 8385 16   0 75108  60m 2776 S    0  6.4   0:03.07 spamd child:   5/75 done
 9100 19   0 74348  58m 2412 S    0  6.2   0:00.91 spamd child:   0/75 initialized



where a.b.c.d is the IP address from the machine who sent the message we 
need to "check", and will be 127.0.0.1 when done via Unix Socket.


--
Jorge Valdes
[EMAIL PROTECTED]


diff -rub Mail-SpamAssassin-3.1.8-orig/lib/Mail/SpamAssassin/Client.pm 
SA-318/lib/Mail/SpamAssassin/Client.pm
--- Mail-SpamAssassin-3.1.8-orig/lib/Mail/SpamAssassin/Client.pm
2007-02-13 12:17:13.0 -0600
+++ SA-318/lib/Mail/SpamAssassin/Client.pm  2007-03-16 03:40:03.0 
-0600
@@ -24,6 +24,9 @@
 
 =head1 SYNOPSIS
 
+  my $client = new Mail::SpamAssassin::Client({socket => '/tmp/spamd',
+   username => 'someuser'});
+or
   my $client = new Mail::SpamAssassin::Client({port => 783,
host => 'localhost',
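
Review bot: the SYNOPSIS example added at the top of this hunk points the client at a socket in /tmp ('/tmp/spamd'), a world-writable directory where any local user could create that path before spamd does, so the documented example would be better with a path inside a directory only the spamd user can write to. The "or" line that joins the two constructor forms should also say what happens when both socket and port/host are passed, since the hunk documents both forms without stating which one takes effect.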

Re: Big trouble

2007-03-28 Thread Justin Mason

Mark Martinec writes:
> > > >   2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois:
> > > >   sender on bogons IP block [102.176.29.76 listed in
> > > > combined-HIB.dnsiplists.completewhois.com]
> > > I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
> > > (unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED...
> >
> > almost non-existent hits. rules/STATISTICS-set3.txt :
> >   0.000   0.0007   0.1.000   0.510.00  RCVD_IN_WHOIS_BOGONS
> > that's like 6 out of nearly a million spams.
> 
> It seems like a waste to actually send out a query against a
> combined-HIB.dnsiplists.completewhois.com, but then ignore
> its result (apparently the score did help with the OP spam).
> 
> The HIJACKED, BOGONS, and INVALID share the same RBL and
> only one query is sent out if any of these three rules is
> nonzero. Setting RCVD_IN_WHOIS_BOGONS to 0 saves no resources.

well, it saves a little -- even running the rule has a tiny overhead.  But
not much, granted.  The more serious issue is that the GA/perceptron
cannot give a rule a reasonable score unless a useful number of hits are
listed in the mass-check run, to base the score estimation on.  In
the case of RCVD_IN_WHOIS_BOGONS, there's just not enough data to
guess what its score should be.

--j.


Re: Sa-update problem ?

2007-03-28 Thread Daryl C. W. O'Shea

Theo Van Dinter wrote:
> On Wed, Mar 28, 2007 at 11:00:37AM -0400, Kevin Plested wrote:
> > I am running SA 3.1.7 on a UNIX box, I haven't received an update since I
> > installed it. Am I doing something wrong ? I have included below the result
> > of "sa-update -D", which shows that 507739 is the latest version, but I'm
> > pretty sure it isn't.
>
> If there are no updates, there are no updates.  3.1 is updated manually, so if
> no one adds in/changes the rules then no new update gets created.
>
> FWIW, in the past, it's usually been me who adds in new rules to the
> 3.1 channel, and I've been overwhelmed by things at work for a while.
> So I haven't worked on SA in a while. :(
>
> > I've been all through the website, and it would appear that running
> > "sa-update" with no parameters should be all I need to do. I run a separate
> > update for SARE updates, and that completes fine.


FWIW, there haven't been too many SARE updates this year either:

[EMAIL PROTECTED] channels]$ find . -name *.gz -ctime -90 -exec ls -l {} \; | cut -d" " -f7-

Jan  2 11:24 ./88_FVGT_headers.cf/200701020900.tar.gz
Jan  2 11:24 ./70_sc_top200.cf/200701020900.tar.gz
Jan  8 10:24 ./70_sc_top200.cf/200701080800.tar.gz
Jan  9 12:24 ./70_sc_top200.cf/200701091000.tar.gz
Jan 12 13:24 ./70_sc_top200.cf/200701121100.tar.gz
Jan 15 12:24 ./70_sc_top200.cf/200701151000.tar.gz
Jan 15 13:24 ./70_sc_top200.cf/200701151100.tar.gz
Jan 17 17:24 ./70_sc_top200.cf/200701171500.tar.gz
Jan 18 17:09 ./70_sc_top200.cf/200701181500.tar.gz
Jan 20 12:09 ./70_sc_top200.cf/200701201000.tar.gz
Jan 25 14:09 ./70_sc_top200.cf/200701251200.tar.gz
Jan 30 11:07 ./70_sc_top200.cf/200701300900.tar.gz
Feb  1 18:07 ./70_sc_top200.cf/200702011600.tar.gz
Feb  8 16:07 ./70_sc_top200.cf/200702081400.tar.gz
Feb 23 12:07 ./70_sc_top200.cf/200702231000.tar.gz
Feb 23 15:07 ./70_sc_top200.cf/200702231300.tar.gz
Feb 27 10:24 ./70_sc_top200.cf/200702270800.tar.gz
Mar  2 13:24 ./70_sc_top200.cf/200703021100.tar.gz
Mar  2 15:24 ./70_sc_top200.cf/200703021300.tar.gz
Mar  2 18:24 ./70_sc_top200.cf/200703021600.tar.gz
Mar  3 12:24 ./70_sc_top200.cf/200703031000.tar.gz
Mar  7 11:24 ./70_sc_top200.cf/200703070900.tar.gz
Mar  9 10:08 ./70_sc_top200.cf/200703090800.tar.gz
Mar  9 11:08 ./70_sc_top200.cf/200703090900.tar.gz
Mar  9 12:08 ./70_sc_top200.cf/200703091000.tar.gz
Mar  9 17:08 ./70_sc_top200.cf/200703091500.tar.gz
Mar 12 11:08 ./70_sc_top200.cf/200703120800.tar.gz
Mar 14 16:08 ./70_sc_top200.cf/200703141300.tar.gz
Mar 15 13:08 ./70_sc_top200.cf/200703151000.tar.gz
Mar 22 13:24 ./70_sc_top200.cf/200703221000.tar.gz
Jan  4 21:24 ./70_sare_stocks.cf/200701041900.tar.gz
Jan 14 23:24 ./70_sare_stocks.cf/200701142100.tar.gz
Jan 21 16:09 ./70_sare_stocks.cf/200701211400.tar.gz
Feb  9 12:07 ./70_sare_stocks.cf/200702091000.tar.gz
Mar  2 10:24 ./70_sare_stocks.cf/200703020800.tar.gz
Jan 15 12:24 ./70_sare_spoof.cf/200701151000.tar.gz
[EMAIL PROTECTED] channels]$


Daryl


Re: Whitelist scoring question

2007-03-28 Thread Mark Adams
> 
> You could run: "spamassassin --test-mode < message", and see what it is 
> scoring.
> 

Hi There,

I have tried this, and get the below result.

--_=_NextPart_001_01C7710E.58A560A4--
hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7

This does not show whitelist hits, should it?

Regards,
Mark


Re: Sa-update problem ?

2007-03-28 Thread Lance Albertson
Theo Van Dinter wrote:

>> I've been all through the website, and it would appear that running
>> "sa-update" with no parameters should be all I need to do. I run a separate
>> update for SARE updates, and that completes fine.
> 
> Yes, to download/install an update, you can just run sa-update.  You'll need
> to restart any daemon to load the new rules if an update has occurred.

That might need to be clearly defined in the man page then. I assumed
this was the case, but the man page made it sound like sa-update
automatically installs the rules and makes them active.

---

An exit code of 0 means an update was available, and was downloaded and
installed successfully if --checkonly was not specified.

---

Anyways, it's nice to know how it works now :)

Thanks-

-- 
Lance Albertson  <[EMAIL PROTECTED]>
Unix System AdministratorKansas State University
Computing & Telecommunications Services / Enterprise Server Technologies
Work: 532-3067   PGP Key: 0x27F4B742
GPG Fingerprint   0423 92F3 544A 1282 5AB1  4D07 416F A15D 27F4 B742





Re: Big trouble

2007-03-28 Thread Mark Martinec
> > >   2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois:
> > >   sender on bogons IP block [102.176.29.76 listed in
> > > combined-HIB.dnsiplists.completewhois.com]
> > I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
> > (unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED...
>
> almost non-existent hits. rules/STATISTICS-set3.txt :
>   0.000   0.0007   0.1.000   0.510.00  RCVD_IN_WHOIS_BOGONS
> that's like 6 out of nearly a million spams.

It seems like a waste to actually send out a query against a
combined-HIB.dnsiplists.completewhois.com, but then ignore
its result (apparently the score did help with the OP spam).

The HIJACKED, BOGONS, and INVALID share the same RBL and
only one query is sent out if any of these three rules is
nonzero. Setting RCVD_IN_WHOIS_BOGONS to 0 saves no resources.

  Mark


Re: Sa-update problem ?

2007-03-28 Thread Theo Van Dinter
On Wed, Mar 28, 2007 at 11:00:37AM -0400, Kevin Plested wrote:
> I am running SA 3.1.7 on a UNIX box, I haven't received an update since I
> installed it. Am I doing something wrong ? I have included below the result
> of "sa-update -D", which shows that 507739 is the latest version, but I'm
> pretty sure it isn't.

If there are no updates, there are no updates.  3.1 is updated manually, so if
no one adds in/changes the rules then no new update gets created.

FWIW, in the past, it's usually been me who adds in new rules to the
3.1 channel, and I've been overwhelmed by things at work for a while.
So I haven't worked on SA in a while. :(

> I've been all through the website, and it would appear that running
> "sa-update" with no parameters should be all I need to do. I run a separate
> update for SARE updates, and that completes fine.

Yes, to download/install an update, you can just run sa-update.  You'll need
to restart any daemon to load the new rules if an update has occurred.

> [43896] dbg: channel: metadata version = 507739
> [43896] dbg: dns: 7.1.3.updates.spamassassin.org => 507739, parsed as 507739
> [43896] dbg: channel: current version is 507739, new version is 507739, 
> skipping channel

There is no update since you're already running the latest version.

-- 
Randomly Selected Tagline:
"Unfortunately, the "Can't write utmp, wtmp" message, or any other
 variation is a symptom with a myriad of possible causes. The causes
 could range from a bad utmp or wtmp entry to the wind blowing slightly
 to the north." - Paul Carver




Re: Big trouble

2007-03-28 Thread Justin Mason

Mark Martinec writes:
> >   2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
> > [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
> 
> I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
> (unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED, which are nonzero)
> 
> rules/50_scores.cf :
>   score RCVD_IN_WHOIS_BOGONS 0 # n=0 n=1 n=2 n=3

almost non-existent hits. rules/STATISTICS-set3.txt :

  0.000   0.0007   0.1.000   0.510.00  RCVD_IN_WHOIS_BOGONS

that's like 6 out of nearly a million spams.

--j.


Sa-update problem ?

2007-03-28 Thread Kevin Plested
I am running SA 3.1.7 on a UNIX box, I haven't received an update since I
installed it. Am I doing something wrong ? I have included below the result
of "sa-update -D", which shows that 507739 is the latest version, but I'm
pretty sure it isn't.

I've been all through the website, and it would appear that running
"sa-update" with no parameters should be all I need to do. I run a separate
update for SARE updates, and that completes fine.

Kevin Plested
Warpzone Web Services





# sa-update -D
[43896] dbg: logger: adding facilities: all
[43896] dbg: logger: logging level is DBG
[43896] dbg: generic: SpamAssassin version 3.1.7
[43896] dbg: config: score set 0 chosen.
[43896] dbg: message:  MIME PARSER START 
[43896] dbg: message: main message type: text/plain
[43896] dbg: message: parsing normal part
[43896] dbg: message: added part, type: text/plain
[43896] dbg: message:  MIME PARSER END 
[43896] dbg: dns: is Net::DNS::Resolver available? yes
[43896] dbg: dns: Net::DNS version: 0.59
[43896] dbg: generic: sa-update version svn454083
[43896] dbg: generic: using update directory: /var/lib/spamassassin/3.001007
[43896] dbg: diag: perl platform: 5.008004 freebsd
[43896] dbg: diag: module installed: Digest::SHA1, version 2.10
[43896] dbg: diag: module installed: MIME::Base64, version 3.07
[43896] dbg: diag: module installed: HTML::Parser, version 3.55
[43896] dbg: diag: module installed: DB_File, version 1.808
[43896] dbg: diag: module installed: Net::DNS, version 0.59
[43896] dbg: diag: module installed: Net::SMTP, version 2.29
[43896] dbg: diag: module installed: Mail::SPF::Query, version 1.997
[43896] dbg: diag: module installed: IP::Country::Fast, version 309.002
[43896] dbg: diag: module not installed: Razor2::Client::Agent ('require'
failed)
[43896] dbg: diag: module not installed: Net::Ident ('require' failed)
[43896] dbg: diag: module installed: IO::Socket::INET6, version 2.51
[43896] dbg: diag: module installed: IO::Socket::SSL, version 0.97
[43896] dbg: diag: module installed: Time::HiRes, version 1.59
[43896] dbg: diag: module installed: DBI, version 1.52
[43896] dbg: diag: module installed: Getopt::Long, version 2.34
[43896] dbg: diag: module installed: LWP::UserAgent, version 2.033
[43896] dbg: diag: module installed: HTTP::Date, version 1.47
[43896] dbg: diag: module installed: Archive::Tar, version 1.30
[43896] dbg: diag: module installed: IO::Zlib, version 1.04
[43896] dbg: gpg: Searching for 'gpg'
[43896] dbg: util: current PATH is:
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr
/X11R6/bin:/www/bin
[43896] dbg: util: executable for gpg was found at /usr/local/bin/gpg
[43896] dbg: gpg: found /usr/local/bin/gpg
[43896] dbg: gpg: release trusted key id list:
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
26C900A46DD40CD5AD24F6D7DEE01987265FA05B
0C2B1D7175B852C64B3CDC716C55397824F434CE
[43896] dbg: channel: attempting channel updates.spamassassin.org
[43896] dbg: channel: update directory
/var/lib/spamassassin/3.001007/updates_spamassassin_org
[43896] dbg: channel: channel cf file
/var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[43896] dbg: channel: channel pre file
/var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[43896] dbg: channel: metadata version = 507739
[43896] dbg: dns: 7.1.3.updates.spamassassin.org => 507739, parsed as 507739
[43896] dbg: channel: current version is 507739, new version is 507739,
skipping channel
[43896] dbg: diag: updates complete, exiting with code 1
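
The exit-code behaviour discussed in this thread (0 when an update was downloaded and installed, the "exiting with code 1" seen above when the channel is already current) can drive a wrapper that restarts the daemon only when the rules actually changed. This is an added example, not code from any poster or from SpamAssassin; the restart command, the handling of every other exit code as a failure, and the sample log (constructed from the lines quoted above) are assumptions.

```python
import re
import subprocess

# Constructed sample: decisive lines of the "sa-update -D" output quoted above,
# including the line wrap the mail archive introduced.
SAMPLE_LOG = """\
[43896] dbg: generic: SpamAssassin version 3.1.7
[43896] dbg: channel: attempting channel updates.spamassassin.org
[43896] dbg: channel: metadata version = 507739
[43896] dbg: dns: 7.1.3.updates.spamassassin.org => 507739, parsed as 507739
[43896] dbg: channel: current version is 507739, new version is 507739,
skipping channel
[43896] dbg: diag: updates complete, exiting with code 1
"""

# Hypothetical restart command; use whatever starts spamd on your system.
RESTART_CMD = ("/etc/init.d/spamassassin", "restart")

DBG_LINE = re.compile(r"^\[\d+\] dbg: (\w+): (.*)$")


def parse_debug_log(text):
    """Return ({channel: (current, new)}, exit_code) from 'sa-update -D' output."""
    records = []
    for raw in text.splitlines():
        m = DBG_LINE.match(raw)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and raw.strip():
            # No "[pid] dbg:" prefix: continuation of a wrapped line.
            records[-1][1] += " " + raw.strip()

    channels, current_channel, exit_code = {}, None, None
    for facility, msg in records:
        if facility == "channel":
            m = re.match(r"attempting channel (\S+)", msg)
            if m:
                current_channel = m.group(1)
            m = re.match(r"current version is (\d+), new version is (\d+)", msg)
            if m and current_channel:
                channels[current_channel] = (int(m.group(1)), int(m.group(2)))
        elif facility == "diag":
            m = re.search(r"exiting with code (\d+)", msg)
            if m:
                exit_code = int(m.group(1))
    return channels, exit_code


def next_action(exit_code):
    """Map an sa-update exit code to what the wrapper should do next."""
    if exit_code == 0:
        return "restart"   # update installed; running daemons still hold old rules
    if exit_code == 1:
        return "nothing"   # channel already current, as in the log above
    return "alert"         # assumption: anything else is treated as a failure


def update_and_reload(run=subprocess.call, restart_cmd=RESTART_CMD):
    """Run sa-update and restart spamd only if new rules were installed."""
    action = next_action(run(["sa-update"]))
    if action == "restart":
        run(list(restart_cmd))
    return action


if __name__ == "__main__":
    channels, code = parse_debug_log(SAMPLE_LOG)
    for name, (current, new) in channels.items():
        print(f"{name}: current={current} new={new}")
    print("exit code", code, "->", next_action(code))
```
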





Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-28 Thread Mark Adams
On Thu, Mar 22, 2007 at 04:40:27PM -0400, Bowie Bailey wrote:
> Mark Adams wrote:
> > On Fri, Mar 02, 2007 at 10:06:51AM -0500, Bowie Bailey wrote:
> > > Is it scoring the whitelist lower or is it just not hitting?
> > > 
> > > Can you post your whitelist rule and the headers from an example
> > > message?
> 
> And why do you think this message should have hit the whitelist?  Show
> me the "From" line in the email.
Hi, Header excerpt below. Once again help appreciated.

From: Guy Graham <[EMAIL PROTECTED]>
X-Spam-Score: 40
X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7
X-Original-Recipient: [EMAIL PROTECTED]



Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-28 Thread Mark Adams
> > Whitelist file is in /etc/spamassassin/ and is called whitelist.cf
> > entry;
> > 
> > whitelist_from [EMAIL PROTECTED]
> 
> Is /etc/spamassassin where the rest of your site config is located?  Typically
> it's /etc/mail/spamassassin, but "spamassassin -D --lint" would tell you.
> 
Hi,

Yes /etc/spamassassin is the location in Debian. the lint does show
this, and all the whitelist files as being read.

Cheers,
Mark


Re: List BlackList

2007-03-28 Thread Pablo Allietti
On Tue, Mar 27, 2007 at 06:52:27PM -0400, Matt Kettler wrote:
> Pablo Allietti wrote:
> > Hi all i need to list all members that i have in blacklist and in
> > whitelist with the scores from anyone.. is that possible?
> 
> Do you mean the AWL? That can be done using the check_whitelist script
> in the tools subdirectory of the tarball..


yep! thanks.

> 
> 
---end quoted text---

-- 


.-
Pablo Allietti
E-mail: [EMAIL PROTECTED] | LACNIC  

  
Phone : +598 2 604   | http://LACNIC.NET


per user scanning

2007-03-28 Thread Ronan McGlue
I am now able to call spamassassin from exim with the users localpart of 
their email address from within exim.


I have tested it and it is calling to spamd with the line user='whatever'

however in both AWL and bayes I don't see the user appearing, now I'm 
aware that the bayes required a certain minimum threshold to begin 
working, however surely the AWL should start working immediately?


thanks
R
--
Regards

Ronan McGlue

===
Analyst / Programmer
Queens University Belfast


Re: Big trouble

2007-03-28 Thread Mark Martinec
>   2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
> [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]

I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
(unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED, which are nonzero)

rules/50_scores.cf :
  score RCVD_IN_WHOIS_BOGONS 0 # n=0 n=1 n=2 n=3

Mark


Re: spamassassin not checking emails correctly.

2007-03-28 Thread Jimmy Stewpot



Loren Wilton wrote:
> Things are basically working, but you don't seem to have network test 
> enabled, and you haven't trained enough ham/spam messages yet for Bayes 
> to kick in.
>
> If you are starting SA using spamd, check for a -L parameter on the 
> command line and remove it.  That should enable network tests for you, 
> and probably will help a lot.

The exact startup configuration is

/usr/sbin/spamd -D -m 20 -v -u vpopmail -d --round-robin -x -d --pidfile=/var/run/spamd.pid

> To get Bayes working, you need to train it with at least 200 each ham 
> and spam messages.  Once it has that many messages it will start to feel 
> confident about adding to the score.
>
>    Loren

I have done an sa-learn --showdots --spam . in a folder full of spam. I 
would have expected it to add entries into the bayes database but it 
still says there are only 5 emails in the bayes.






- Original Message - From: "Jimmy Stewpot" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, March 28, 2007 1:37 AM
Subject: Re: spamassassin not checking emails correctly.



--[ UxBoD ]-- wrote:
First thing first.  Could you run a spamassassin -D --lint as the 
user which is scanning the email, and post the results please. This 
will allow people to diagnose the problem more easily.


Regards,

UxBoD

On Wed, 28 Mar 2007 09:12:20 +0100, Jimmy Stewpot <[EMAIL PROTECTED]> 
wrote:

Hello,

I have recently installed spamassassin on my new ubuntu distribution
from the apt package. I seem to be having issues where emails that are
obviously spam are not being marked.

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no
version=3.1.7-deb

Is in the headers of the email but the content of the email has URLs
which are in the blacklists, If I forward these emails to my ISP 
account

which has its own spam solution they get marked.

Here is the body of the email

=SNIP===

Hello, share

 >> Don't have time for a full time relationship?
Many young career minded people don't but still want a physical
relationship,
many of these need sexual encounters but without the frustrating
attachment of a boyfriend or girlfriend.
This means they have time to concentrate on their profession/career and
not worry about
what is going on at home, as essentially they are single.
This is commonly becoming known as a
[geocities URL HERE]
skittle chesapeake boycott ripple grandchildren anglicanism flora
yaounde lawson, offshore inhere.
ampere terse hoofmark computation nero evildoer cause downcast, wolfish
squirehood
bucharest creamy marin, goa strand bulrush january.
fable ultimatum rate, cerise bluebonnet steiner travesty.

Your Tad.

=SNIP===

I have removed the geocities URL so that it won't potentially be marked
by users of this list's spam protection.

My spamassassin configuration is fairly basic and it looks like this


=SNIP===
cat /etc/spamassassin/local.cf

lock_method flock
required_score 5.0
trusted_networks 127.0.0.1
# clear_headers
# add_header all Flag _YESNOCAPS_
# add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on
_HOSTNAME_

rewrite_header Subject **SPAM**

skip_rbl_checks 0
report_safe 1
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED] users@spamassassin.apache.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
bayes_min_ham_num 50
bayes_min_spam_num 50
bayes_use_hapaxes 1
use_bayes 1
use_auto_whitelist 0
bayes_auto_learn_threshold_spam 1.0
use_razor2 1
use_pyzor 1
ok_locales en


=SNIP===


I had previously been using the rules from saupdates.openprotect.com
but I have stopped using that service while I try and diagnose this
problem. With or without the rules I have exactly the same issues.

One line I am constantly seeing in the mail.log file is the following

Mar 28 09:09:34 poopey spamd[21715]: config: copying current conf from
backup

does that have any reference on the problem?

I also see the following

Mar 28 09:10:23 poopey spamd[21716]: bayes: not available for scanning,
only 5 spam(s) in bayes DB < 50

I find that a little strange as I have done an sa-learn for both ham 
and

spam emails on folders which I have moved all the spam messages to.

Any advice on resolving or how to diagnose these problems would be
greatly appreciated.

Regards,

Jimmy.

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is
believed to be clean.





[EMAIL PROTECTED]:~$ spamassassin -D --lint
[25453] dbg: logger: adding facilities: all
[25453] dbg: logger: logging level is DBG
[25453] dbg: generic: SpamAssassin version 3.1.7-deb
[25453] dbg: config: score set 0 chosen.
[25453] dbg: util: running in taint mode? yes
[25453] dbg: util: taint mode: deleting unsafe en

RE: Big trouble

2007-03-28 Thread Rocco Scappatura
> Before anyone can give you a hint on how to block the 
> messages, we would need to see what the messages are.
> 
> Same form as before, save the message (with full headers) and 
> place it somewhere where we can download it.

http://www.rocsca.it/INBOX

rocsca


Re: Big trouble

2007-03-28 Thread Anthony Peacock

Hi,

Rocco Scappatura wrote:
> > Before anyone can give you a hint on how to block the 
> > messages, we would need to see what the messages are.
> >
> > Same form as before, save the message (with full headers) and 
> > place it somewhere where we can download it.
>
> http://www.rocsca.it/INBOX


There is another discussion on this list about rules that catch these 
sorts of messages.  Check that out for ideas.


For what it is worth these are the rules I get:

Content analysis details:   (10.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.6 J_CHICKENPOX_14        BODY: 1alpha-pock-4alpha
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
 1.0 RCVD_IN_JANET_RBL      RBL: Relay in JANET MAPS RBL+ RBL
                            [102.176.29.76 listed in rbl-plus.mail-abuse.ja.net]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay




--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw


RE: Big trouble

2007-03-28 Thread -- [ UxBoD ] --
If you wish to reject at MTA level then please read 
http://www.postfix.org/uce.html under the section "Client hostname/address 
restrictions" as you are able to specify a list of RBLs.

Regards,

UxBoD

On Wed, 28 Mar 2007 12:20:16 +0200, "Rocco Scappatura" <[EMAIL PROTECTED]> 
wrote:
>> What MTA are you using ?
> 
> Postfix+MySQL+Amavisd-new
> 
> rocsca
> 
>
-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: [EMAIL PROTECTED]





Re: "KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread kshatriyak

On Wed, 28 Mar 2007, Panagiotis Christias wrote:


the last days we get a lot of spam like this:

KAUF-TIPP DER WOCHE


I wrote a few of my own rules especially to catch those stocks scams 
together with bayes. If you don't have any people who should write you in 
German you can also use the X-Languages tag to boost the score if the mail 
is written in German.


Here are my current rules, which should also catch the German stocks. 
Maybe there are some false positives in a real stock environment, but for 
me they work fine:


body  __HILO_STOCKS1  /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|Grow||High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+/i
# SpamAssassin keeps one definition per rule name (a later one replaces the
# earlier), so the "currently" and "expected" patterns get distinct names.
body  __HILO_STOCKS2  /curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
body  __HILO_STOCKS2B /[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
body  __HILO_STOCKS3  /our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]/i
body  __HILO_STOCKS4  /\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
body  __HILO_STOCKS5  /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d/i
body  __HILO_STOCKS9  /(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i

meta  HILO_STOCKS ( ( __HILO_STOCKS1 || __HILO_STOCKS2 || __HILO_STOCKS2B || __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5 ) && __HILO_STOCKS9 )

describe  HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.0
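
A rule set like this can be tried against sample text before it goes into local.cf, which is where the false positives mentioned in the post show up. The following added example (not part of the original post and not SpamAssassin's own code) ports four of the body rules and a reduced meta rule to Python's `re`; matching the whole whitespace-normalised body at once and supporting only `!`, `&&`, `||` and parentheses in meta expressions are simplifying assumptions, and the three sample bodies are constructed.

```python
import re

# Four of the body rules from the post above (wrapped lines rejoined) and the
# meta rule reduced to those four. Perl's /.../i maps to re.IGNORECASE.
RULES = r"""
body  __HILO_STOCKS3  /our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]/i
body  __HILO_STOCKS4  /\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
body  __HILO_STOCKS5  /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d/i
body  __HILO_STOCKS9  /(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i
meta  HILO_STOCKS ( ( __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5 ) && __HILO_STOCKS9 )
score HILO_STOCKS 3.0
"""

# Constructed sample bodies.
SPAM_SAMPLE = ("KAUF-TIPP DER WOCHE! Our pick: ABCD. Price now 5 cent, "
               "prognose 20 cent. Get in before the rush.")
HAM_SAMPLE = ("Please record that the invoice is 3 euro per unit, "
              "as agreed at the market.")
CLEAN_SAMPLE = "See you at lunch on Friday."


def load_rules(text):
    """Parse 'body', 'meta' and 'score' lines into three dicts."""
    body, meta, score = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "body":
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest)
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            body[name] = re.compile(m.group(1), flags)
        elif kind == "meta":
            meta[name] = rest
        elif kind == "score":
            score[name] = float(rest)
    return body, meta, score


def eval_meta(expr, hits):
    """Evaluate a boolean meta expression with a small recursive-descent parser."""
    tokens = re.findall(r"\(|\)|&&|\|\||!|\w+", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def unary():
        tok = take()
        if tok == "!":
            return not unary()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("missing ')' in meta expression")
            return val
        return bool(hits.get(tok, False))   # unknown rule names count as no hit

    def and_expr():
        val = unary()
        while peek() == "&&":
            take()
            rhs = unary()          # always parse the right side, then combine
            val = val and rhs
        return val

    def or_expr():
        val = and_expr()
        while peek() == "||":
            take()
            rhs = and_expr()
            val = val or rhs
        return val

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return result


def check(message_body, rules_text=RULES):
    """Return (body rule hits, meta rules that fired, total score)."""
    body, meta, score = load_rules(rules_text)
    text = " ".join(message_body.split())
    hits = {name: bool(rx.search(text)) for name, rx in body.items()}
    fired = sorted(name for name, expr in meta.items() if eval_meta(expr, hits))
    return hits, fired, sum(score.get(name, 1.0) for name in fired)


if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        hits, fired, total = check(sample)
        print(label, sorted(n for n, h in hits.items() if h), fired, total)
```

The ham sample fires the meta rule through "3 euro" plus "record", which is the kind of ordinary business text the post warns about.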




RE: Big trouble

2007-03-28 Thread Rocco Scappatura
> What MTA are you using ?

Postfix+MySQL+Amavisd-new

rocsca


Re: Big trouble

2007-03-28 Thread Anthony Peacock

Hi Rocco,

Rocco Scappatura wrote:
> Since some day, It's increased the number of spams which SA doesn't
> block.
>
> Every time I'm going to analyse the message:
>
> 1) Save the message in mbox format 'message.mbox'
> 2) su - amavis -c "spamassassin -t < message.mbox"
>
> And I get that the score is greater the 5.0 and often I get:
>
>  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>   [Blocked - see
> ]
>
> That is, if the message is sent just now, the message is rejected (?).
>
> So I feel that every time that I receive a spam, the system spend a
> period of time to 'learn' that that message is spam.
>
> If this is the truth, I would like to figure out how I can block these
> messages in advance..
>
> Could someone give me an hint?

Before anyone can give you a hint on how to block the messages, we 
would need to see what the messages are.

Same form as before, save the message (with full headers) and place it 
somewhere where we can download it.


--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw


Re: Big trouble

2007-03-28 Thread -- [ UxBoD ] --
What MTA are you using ?

On Wed, 28 Mar 2007 12:06:55 +0200, "Rocco Scappatura" <[EMAIL PROTECTED]> 
wrote:
> Since some day, It's increased the number of spams which SA doesn't
> block.
> 
> Every time I'm going to analyse the message:
> 
> 1) Save the message in mbox format 'message.mbox'
> 2) su - amavis -c "spamassassin -t < message.mbox"
> 
> And I get that the score is greater the 5.0 and often I get:
> 
>  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>   [Blocked - see
> ]
> 
> That is, if the message is sent just now, the message is rejected (?).
> 
> So I feel that every time that I receive a spam, the system spend a
> period of time to 'learn' that that message is spam.
> 
> If this is the truth, I would like to figure out how I can block these
> messages in advance..
> 
> Could someone give me an hint?
> 
> TIA,
> 
> rocsca
> 
> 
> 
>
-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: [EMAIL PROTECTED]





Big trouble

2007-03-28 Thread Rocco Scappatura
Since some day, It's increased the number of spams which SA doesn't
block.

Every time I'm going to analyse the message:

1) Save the message in mbox format 'message.mbox'
2) su - amavis -c "spamassassin -t < message.mbox"

And I get that the score is greater the 5.0 and often I get:

 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
  [Blocked - see
]

That is, if the message is sent just now, the message is rejected (?).

So I feel that every time that I receive a spam, the system spend a
period of time to 'learn' that that message is spam.

If this is the truth, I would like to figure out how I can block these
messages in advance..

Could someone give me an hint?

TIA,

rocsca




Re: spamassassin not checking emails correctly.

2007-03-28 Thread Loren Wilton
Things are basically working, but you don't seem to have network test 
enabled, and you haven't trained enough ham/spam messages yet for Bayes to 
kick in.


If you are starting SA using spamd, check for a -L parameter on the command 
line and remove it.  That should enable network tests for you, and probably 
will help a lot.


To get Bayes working, you need to train it with at least 200 each ham and 
spam messages.  Once it has that many messages it will start to feel 
confident about adding to the score.


   Loren

- Original Message - 
From: "Jimmy Stewpot" <[EMAIL PROTECTED]>

To: <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, March 28, 2007 1:37 AM
Subject: Re: spamassassin not checking emails correctly.



--[ UxBoD ]-- wrote:
First thing first.  Could you run a spamassassin -D --lint as the user 
which is scanning the email, and post the results please. This will allow 
people to diagnose the problem more easily.


Regards,

UxBoD

On Wed, 28 Mar 2007 09:12:20 +0100, Jimmy Stewpot <[EMAIL PROTECTED]> 
wrote:

Hello,

I have recently installed spamassassin on my new ubuntu distribution
from the apt package. I seem to be having issues where emails that are
obviously spam are not being marked.

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no
version=3.1.7-deb

Is in the headers of the email but the content of the email has URLs
which are in the blacklists, If I forward these emails to my ISP account
which has its own spam solution they get marked.

Here is the body of the email

=SNIP===

Hello, share

 >> Don't have time for a full time relationship?
Many young career minded people don't but still want a physical
relationship,
many of these need sexual encounters but without the frustrating
attachment of a boyfriend or girlfriend.
This means they have time to concentrate on their profession/career and
not worry about
what is going on at home, as essentially they are single.
This is commonly becoming known as a
[geocities URL HERE]
skittle chesapeake boycott ripple grandchildren anglicanism flora
yaounde lawson, offshore inhere.
ampere terse hoofmark computation nero evildoer cause downcast, wolfish
squirehood
bucharest creamy marin, goa strand bulrush january.
fable ultimatum rate, cerise bluebonnet steiner travesty.

Your Tad.

=SNIP===

I have removed the geocities URL so that it won't potentially be marked
by users of this list's spam protection.

My spamassassin configuration is fairly basic and it looks like this


=SNIP===
cat /etc/spamassassin/local.cf

lock_method flock
required_score 5.0
trusted_networks 127.0.0.1
# clear_headers
# add_header all Flag _YESNOCAPS_
# add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on
_HOSTNAME_

rewrite_header Subject **SPAM**

skip_rbl_checks 0
report_safe 1
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED] users@spamassassin.apache.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
bayes_min_ham_num 50
bayes_min_spam_num 50
bayes_use_hapaxes 1
use_bayes 1
use_auto_whitelist 0
bayes_auto_learn_threshold_spam 1.0
use_razor2 1
use_pyzor 1
ok_locales en


=SNIP===


I had previously been using the rules from saupdates.openprotect.com
but I have stopped using that service while I try and diagnose this
problem. With or without the rules I have exactly the same issues.

One line I am constantly seeing in the mail.log file is the following

Mar 28 09:09:34 poopey spamd[21715]: config: copying current conf from
backup

does that have any reference on the problem?

I also see the following

Mar 28 09:10:23 poopey spamd[21716]: bayes: not available for scanning,
only 5 spam(s) in bayes DB < 50

I find that a little strange as I have done an sa-learn for both ham and
spam emails on folders which I have moved all the spam messages to.

Any advice on resolving or how to diagnose these problems would be
greatly appreciated.

Regards,

Jimmy.

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is
believed to be clean.





[EMAIL PROTECTED]:~$ spamassassin -D --lint
[25453] dbg: logger: adding facilities: all
[25453] dbg: logger: logging level is DBG
[25453] dbg: generic: SpamAssassin version 3.1.7-deb
[25453] dbg: config: score set 0 chosen.
[25453] dbg: util: running in taint mode? yes
[25453] dbg: util: taint mode: deleting unsafe environment variables, 
resetting PATH

[25453] dbg: util: PATH included '/usr/local/sbin', keeping
[25453] dbg: util: PATH included '/usr/local/bin', keeping
[25453] dbg: util: PATH included '/usr/sbin', keeping
[25453] dbg: util: PATH included '/usr/bin', keeping
[25453] dbg: util: PATH included '/sbin', keeping
[25453] dbg: util: PATH included '/bin', keep

Re: "KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread Loren Wilton

My goodness.  They are sending that new format in German too!

Could you send me a few of these AS ATTACHMENTS, WITH FULL HEADERS?  I'm 
going to try to get time to write up some rules for the English-language 
version in the next few days, and if I have some German examples I may be 
able to write some rules for them too.


   Loren


----- Original Message -----
From: "Panagiotis Christias" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, March 28, 2007 1:40 AM
Subject: "KAUF-TIPP DER WOCHE" spam getting through



Hello,

the last days we get a lot of spam like this:

 spam body begins here 
Words disputed interview galli provisions raise, eyebrows dead holders!

KAUF-TIPP DER WOCHE

LESEN SIE DIE NACHRICTEN
STONEBRIDGE RES EXP   Frankfurt:   S3C.F

Name :STONEBRIDGE RES EXP
Kurzel :S3C.F
WKN :A0HHEB
Borsenplatz :Frankfurt
Schluss-Stand 23.03.2007 :Euro 0.10
Prognose bis 02.04.2007 :Euro 0.21

Freedom hampton radical illich ivan, fontana ishiguro kazuo.
Austerlitz natural history semprun. Scrfrk tue am foudy fans.
Newsgroup msdn chappell app? Remote locations talk improving, access
ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
indicate. Required preserve specify references interested.
Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
Example unicode character exact numeric without decimal such numbers.
Cedega natively lowlevel emulators binary gaming opengl.
Investors press privacy, statement mypoints mysite, juno, photosite 
registered.

End, dialogues spiritual renewal thames hudson chorus stones.
Effective auditing procedures handy records kept propertys examined.
Money resources time others, worse than no so why? Setupmore botts
george ou real world wireless lan myths! Red hats expense technology,
announced last year helping.
Guzman writings, osip natasha mandelstam susan, griffin.
 spam body ends here 

We use rbls on our border mail servers, SA 3.1.8, sa-update and
rules_du_jour to update our rule set from spamassassin and
rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
SPF, RelayChecker etc. Still many of those spam messages get low
scores and slip through. Scores as low as -1.2 (!) like the message
above which triggered the following rules:

X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8

Ideas and suggestions are welcome.

Regards,
Panagiotis

ps. I understand that a simple rule matching something /^KAUF-TIPP DER
WOCHE$/ would wipe out all of them but I am interested in a more
generic/efficient way.

ps2. both messages marked as spam or ham are available here:
 http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz 





Re: "KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread Nigel Frankcom
On Wed, 28 Mar 2007 11:40:53 +0300, "Panagiotis Christias"
<[EMAIL PROTECTED]> wrote:

>Hello,
>
>the last days we get a lot of spam like this:
>
> spam body begins here 
>Words disputed interview galli provisions raise, eyebrows dead holders!
>
>KAUF-TIPP DER WOCHE
>
>LESEN SIE DIE NACHRICTEN
>STONEBRIDGE RES EXP   Frankfurt:   S3C.F
>
>Name :STONEBRIDGE RES EXP
>Kurzel :S3C.F
>WKN :A0HHEB
>Borsenplatz :Frankfurt
>Schluss-Stand 23.03.2007 :Euro 0.10
>Prognose bis 02.04.2007 :Euro 0.21
>
>Freedom hampton radical illich ivan, fontana ishiguro kazuo.
>Austerlitz natural history semprun. Scrfrk tue am foudy fans.
>Newsgroup msdn chappell app? Remote locations talk improving, access
>ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
>indicate. Required preserve specify references interested.
>Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
>Example unicode character exact numeric without decimal such numbers.
>Cedega natively lowlevel emulators binary gaming opengl.
>Investors press privacy, statement mypoints mysite, juno, photosite registered.
>End, dialogues spiritual renewal thames hudson chorus stones.
>Effective auditing procedures handy records kept propertys examined.
>Money resources time others, worse than no so why? Setupmore botts
>george ou real world wireless lan myths! Red hats expense technology,
>announced last year helping.
>Guzman writings, osip natasha mandelstam susan, griffin.
> spam body ends here 
>
>We use rbls on our border mail servers, SA 3.1.8, sa-update and
>rules_du_jour to update our rule set from spamassassin and
>rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
>SPF, RelayChecker etc. Still many of those spam messages get low
>scores and slip through. Scores as low as -1.2 (!) like the message
>above which triggered the following rules:
>
>X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
>   MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8
>
>Ideas and suggestions are welcome.
>
>Regards,
>Panagiotis
>
>ps. I understand that a simple rule matching something /^KAUF-TIPP DER
>WOCHE$/ would wipe out all of them but I am interested in a more
>generic/efficient way.
>
>ps2. both messages marked as spam or ham are available here:
>  http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz

I get a few similar ones here, it may be the start of a spam run or
the fact that the stock spams morph so quickly. I haven't seen an
update from RDJ for stock spam in a while; I guess the authors have
real lives too so can't spend every waking hour fine tuning the rules
to catch each new iteration.

If I get persistent spam getting through with common features I write
my own rule and drop it in. It's often redundant within a few days so
gets morphed to catch the next ones that get through.

Perhaps you should go with your own rule and edit it as needed?

Looking at the other post on this thread you might want to check your
network tests.

KR

Nigel
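
One way to prototype the kind of self-written rule discussed in this thread before turning it into a SpamAssassin rule, as an added example that is not part of any poster's message. It keys on the structure of the quote block in the sample (a six-character WKN plus a dated closing price and a higher dated forecast) instead of the literal subject line; the function names and the 1.5 uplift threshold are assumptions.

```python
import re
from datetime import datetime

# Body excerpt copied from the spam sample quoted in this thread.
SPAM_BODY = """\
KAUF-TIPP DER WOCHE

Name :STONEBRIDGE RES EXP
Kurzel :S3C.F
WKN :A0HHEB
Borsenplatz :Frankfurt
Schluss-Stand 23.03.2007 :Euro 0.10
Prognose bis 02.04.2007 :Euro 0.21
"""

# Constructed ham: labelled fields and a price, but no security id or forecast.
HAM_BODY = """\
Name : Panel discussion
Date : 02.04.2007
Fee : Euro 0.00
"""

# "WKN :A0HHEB" -> German securities ids are six alphanumeric characters.
WKN_RE = re.compile(r"^[ \t>]*WKN[ \t]*:[ \t]*([A-Z0-9]{6})[ \t]*$", re.M)

# "<label> [bis] dd.mm.yyyy :Euro <amount>" on a single line.
PRICE_RE = re.compile(
    r"^[ \t>]*(\S[^\n:]*?)[ \t]+(?:bis[ \t]+)?(\d{2}\.\d{2}\.\d{4})"
    r"[ \t]*:[ \t]*(?:Euro|EUR)[ \t]*(\d+(?:[.,]\d+)?)[ \t]*$",
    re.M | re.I,
)


def dated_prices(body):
    """Return (date, label, amount) tuples sorted by date."""
    found = []
    for label, date, amount in PRICE_RE.findall(body):
        try:
            when = datetime.strptime(date, "%d.%m.%Y")
        except ValueError:  # impossible calendar date, ignore the line
            continue
        found.append((when, label.strip(), float(amount.replace(",", "."))))
    return sorted(found)


def stock_tip_features(body, min_uplift=1.5):
    """Extract the structural features and decide whether they look like a stock tip."""
    prices = dated_prices(body)
    uplift = None
    # Earliest dated price is the quote, latest is the promised target.
    if len(prices) >= 2 and prices[0][2] > 0:
        uplift = round(prices[-1][2] / prices[0][2], 2)
    wkn = WKN_RE.search(body)
    return {
        "security_id": wkn.group(1) if wkn else None,
        "uplift": uplift,
        "suspicious": bool(wkn) and uplift is not None and uplift >= min_uplift,
    }


if __name__ == "__main__":
    print(stock_tip_features(SPAM_BODY))
    print(stock_tip_features(HAM_BODY))
```

Run it over a ham corpus as well before scoring on the result, since a legitimate broker mailing could carry the same fields.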


Re: "KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread -- [ UxBoD ] --
I ran them through our server and scored as follows :-

Content analysis details:   (9.9 points, 5.0 required)
 
 pts rule name  description
 -- --
 0.3 SARE_WEOFFER   BODY: Offers Something
 3.2 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
 0.8 SARE_RMML_Stock19  BODY: SARE_RMML_Stock19
 0.1 SPOOF_OURI URI: URI has items in odd places
 0.2 NORMAL_HTTP_TO_IP  URI: Uses a dotted-decimal IP address in URL 
 0.1 SARE_URI_4_BIZ URI: Domain has a "four-you" type domain name
 3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
 1.7 SARE_FRAUD_X3  Matches 3+ phrases commonly used in fraud spam
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay


Content analysis details:   (5.8 points, 5.0 required)

 pts rule name  description
 -- --
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
 0.0 RELAY_CHECKER_BADDNS   Doesn't have full circle DNS
 0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
[score: 0.4319]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
   [122.111.44.35 listed in combined-HIB.dnsiplists.completewhois.com]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit

Content analysis details:   (5.4 points, 5.0 required)

 pts rule name  description
 -- --
 1.4 SPF_SOFTFAIL   SPF: sender does not match SPF record (softfail)
[SPF failed: Please see 
http://www.openspf.org/why.html?sender=myersonkrgg%40ajk-enterprises.com&ip=82.88.48.142&receiver=ajax.noc.ntua.gr]
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
 3.2 FUZZY_PHARMACY BODY: Attempt to obfuscate words in spam
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.0004]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit

Content analysis details:   (6.8 points, 5.0 required)

 pts rule name  description
 -- --
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 2.2 INVALID_DATE   Invalid Date: header (not RFC 2822)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit
 0.0 RCVD_DOUBLE_IP_LOOSE   Received: by and from look like IP addresses

Content analysis details:   (8.6 points, 5.0 required)

 pts rule name  description
 -- --
 3.6 RATWARE_RCVD_PF  Bulk email fingerprint (Received PF) found
 4.2 HELO_DYNAMIC_IPADDR  Relay HELO'd using suspicious hostname (IP addr 1)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.0001]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit

Content analysis details:   (7.5 points, 5.0 required)

 pts rule name  description
 -- --
 3.1 HELO_DYNAMIC_DHCP  Relay HELO'd using suspicious hostname (DHCP)
 3.6 RATWARE_RCVD_PF  Bulk email fingerprint (Received PF) found
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 0.0 RELAY_CHECKER_KEYWORDS Hostname matches keywords
 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.0005]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 2.0 RELAY_CHECKER  Any RelayChecker rule hit

Content analysis details:   (8.3 points, 5.0 required)

 pts rule name  description
 -- --
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr

"KAUF-TIPP DER WOCHE" spam getting through

2007-03-28 Thread Panagiotis Christias

Hello,

the last days we get a lot of spam like this:

 spam body begins here 
Words disputed interview galli provisions raise, eyebrows dead holders!

KAUF-TIPP DER WOCHE

LESEN SIE DIE NACHRICTEN
STONEBRIDGE RES EXP   Frankfurt:   S3C.F

Name :STONEBRIDGE RES EXP
Kurzel :S3C.F
WKN :A0HHEB
Borsenplatz :Frankfurt
Schluss-Stand 23.03.2007 :Euro 0.10
Prognose bis 02.04.2007 :Euro 0.21

Freedom hampton radical illich ivan, fontana ishiguro kazuo.
Austerlitz natural history semprun. Scrfrk tue am foudy fans.
Newsgroup msdn chappell app? Remote locations talk improving, access
ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt
indicate. Required preserve specify references interested.
Brutes granta nadezhda hope, hopehope abandoned collins, harvill.
Example unicode character exact numeric without decimal such numbers.
Cedega natively lowlevel emulators binary gaming opengl.
Investors press privacy, statement mypoints mysite, juno, photosite registered.
End, dialogues spiritual renewal thames hudson chorus stones.
Effective auditing procedures handy records kept propertys examined.
Money resources time others, worse than no so why? Setupmore botts
george ou real world wireless lan myths! Red hats expense technology,
announced last year helping.
Guzman writings, osip natasha mandelstam susan, griffin.
 spam body ends here 

We use rbls on our border mail servers, SA 3.1.8, sa-update and
rules_du_jour to update our rule set from spamassassin and
rulesemporium sites and various plugins like DCC, Razor, URIDNSBL,
SPF, RelayChecker etc. Still many of those spam messages get low
scores and slip through. Scores as low as -1.2 (!) like the message
above which triggered the following rules:

X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,
MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8

Ideas and suggestions are welcome.

Regards,
Panagiotis

ps. I understand that a simple rule matching something /^KAUF-TIPP DER
WOCHE$/ would wipe out all of them but I am interested in a more
generic/efficient way.

ps2. both messages marked as spam or ham are available here:
 http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz


RE: blacklist by default

2007-03-28 Thread Jon Armitage
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED] 
> Sent: 28 March 2007 01:16
> To: Caleb Cushing
> Cc: users@spamassassin.apache.org
> Subject: Re: blacklist by default
> 
> Caleb Cushing wrote:
> > Is it possible to configure spamassassin 3.x to consider 
> all mail spam 
> > unless it has been whitelisted?
> I've never tried it, but you could try setting required_hits to -10.0.
> 
> That said, spamassassin is a *MASSIVE* overkill for such a 
> simple system. A bit like cutting bread with a sawzall.
> 
We find it much more productive to have our MTA (Exim) check whether the
incoming email address is valid and reject invalid ones at the RCPT stage.
Then you don't need to pass them to SpamAssassin at all.

Further details on request---there have been other similar threads as well.

Jon


Re: spamassassin not checking emails correctly.

2007-03-28 Thread Jimmy Stewpot

--[ UxBoD ]-- wrote:

First thing first.  Could you run a spamassassin -D --lint as the user which is 
scanning the email, and post the results please. This will allow people to 
diagnose the problem more easily.

Regards,

UxBoD

On Wed, 28 Mar 2007 09:12:20 +0100, Jimmy Stewpot <[EMAIL PROTECTED]> wrote:

Hello,

I have recently installed spamassassin on my new ubuntu distribution
from the apt package. I seem to be having issues where emails that are
obviously spam are not being marked.

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no
version=3.1.7-deb

Is in the headers of the email but the content of the email has URLs
which are in the blacklists, If I forward these emails to my ISP account
which has its own spam solution they get marked.

Here is the body of the email

=SNIP===

Hello, share

 >> Don't have time for a full time relationship?
Many young career minded people don't but still want a physical
relationship,
many of these need sexual encounters but without the frustrating
attachment of a boyfriend or girlfriend.
This means they have time to concentrate on their profession/career and
not worry about
what is going on at home, as essentially they are single.
This is commonly becoming known as a
[geocities URL HERE]
skittle chesapeake boycott ripple grandchildren anglicanism flora
yaounde lawson, offshore inhere.
ampere terse hoofmark computation nero evildoer cause downcast, wolfish
squirehood
bucharest creamy marin, goa strand bulrush january.
fable ultimatum rate, cerise bluebonnet steiner travesty.

Your Tad.

=SNIP===

I have removed the geocities URL so that it won't potentially be marked
by users of this list's spam protection.

My spamassassin configuration is fairly basic and it looks like this


=SNIP===
cat /etc/spamassassin/local.cf

lock_method flock
required_score 5.0
trusted_networks 127.0.0.1
# clear_headers
# add_header all Flag _YESNOCAPS_
# add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on
_HOSTNAME_

rewrite_header Subject **SPAM**

skip_rbl_checks 0
report_safe 1
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED] users@spamassassin.apache.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
bayes_min_ham_num 50
bayes_min_spam_num 50
bayes_use_hapaxes 1
use_bayes 1
use_auto_whitelist 0
bayes_auto_learn_threshold_spam 1.0
use_razor2 1
use_pyzor 1
ok_locales en


=SNIP===


I had previously been using the rules from saupdates.openprotect.com
but I have stopped using that service while I try and diagnose this
problem. With or without the rules I have exactly the same issues.

One line I am constantly seeing in the mail.log file is the following

Mar 28 09:09:34 poopey spamd[21715]: config: copying current conf from
backup

does that have any reference on the problem?

I also see the following

Mar 28 09:10:23 poopey spamd[21716]: bayes: not available for scanning,
only 5 spam(s) in bayes DB < 50

I find that a little strange as I have done an sa-learn for both ham and
spam emails on folders which I have moved all the spam messages to.

Any advice on resolving or how to diagnose these problems would be
greatly appreciated.

Regards,

Jimmy.






[EMAIL PROTECTED]:~$ spamassassin -D --lint
[25453] dbg: logger: adding facilities: all
[25453] dbg: logger: logging level is DBG
[25453] dbg: generic: SpamAssassin version 3.1.7-deb
[25453] dbg: config: score set 0 chosen.
[25453] dbg: util: running in taint mode? yes
[25453] dbg: util: taint mode: deleting unsafe environment variables, 
resetting PATH

[25453] dbg: util: PATH included '/usr/local/sbin', keeping
[25453] dbg: util: PATH included '/usr/local/bin', keeping
[25453] dbg: util: PATH included '/usr/sbin', keeping
[25453] dbg: util: PATH included '/usr/bin', keeping
[25453] dbg: util: PATH included '/sbin', keeping
[25453] dbg: util: PATH included '/bin', keeping
[25453] dbg: util: PATH included '/usr/bin/X11', keeping
[25453] dbg: util: PATH included '/usr/games', keeping
[25453] dbg: util: final PATH set to: 
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games

[25453] dbg: message:  MIME PARSER START 
[25453] dbg: message: main message type: text/plain
[25453] dbg: message: parsing normal part
[25453] dbg: message: added part, type: text/plain
[25453] dbg: message:  MIME PARSER END 
[25453] dbg: dns: is Net::DNS::Resolver available? yes
[25453] dbg: dns: Net::DNS version: 0.53
[25453] dbg: diag: perl platform: 5.008007 linux
[25453] dbg: diag: module installed: DB_File, version 1.811
[25453] dbg: diag: module installed: HTML:

Re: spamassassin not checking emails correctly.

2007-03-28 Thread Nigel Frankcom
On Wed, 28 Mar 2007 09:12:20 +0100, Jimmy Stewpot <[EMAIL PROTECTED]>
wrote:

>Hello,
>
>I have recently installed spamassassin on my new ubuntu distribution 
>from the apt package. I seem to be having issues where emails that are 
>obviously spam are not being marked.
>
>X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no
>version=3.1.7-deb
>
>Is in the headers of the email but the content of the email has URLs 
>which are in the blacklists, If I forward these emails to my ISP account 
>which has its own spam solution they get marked.
>
>Here is the body of the email
>
>=SNIP===

>=SNIP===
>cat /etc/spamassassin/local.cf
>
>lock_method flock
>required_score 5.0
>trusted_networks 127.0.0.1
># clear_headers
># add_header all Flag _YESNOCAPS_
># add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
>add_header spam Flag _YESNOCAPS_
>add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ 
>tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
>add_header all Level _STARS(*)_
>add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on 
>_HOSTNAME_
>
>rewrite_header Subject **SPAM**
>
>skip_rbl_checks 0
>report_safe 1
>whitelist_from [EMAIL PROTECTED]
>whitelist_from [EMAIL PROTECTED]
>whitelist_from [EMAIL PROTECTED] users@spamassassin.apache.org 
>[EMAIL PROTECTED] [EMAIL PROTECTED]
>bayes_min_ham_num 50
>bayes_min_spam_num 50
>bayes_use_hapaxes 1
>use_bayes 1
>use_auto_whitelist 0
>bayes_auto_learn_threshold_spam 1.0
>use_razor2 1
>use_pyzor 1
>ok_locales en
>
>
>=SNIP===
>
>
>I had previously been using the rules from saupdates.openprotect.com 
>but I have stopped using that service while I try and diagnose this 
>problem. With or without the rules I have exactly the same issues.
>
>One line I am constantly seeing in the mail.log file is the following
>
>Mar 28 09:09:34 poopey spamd[21715]: config: copying current conf from 
>backup
>
>does that have any reference on the problem?
>
>I also see the following
>
>Mar 28 09:10:23 poopey spamd[21716]: bayes: not available for scanning, 
>only 5 spam(s) in bayes DB < 50
>
>I find that a little strange as I have done an sa-learn for both ham and 
>spam emails on folders which I have moved all the spam messages to.
>
>Any advice on resolving or how to diagnose these problems would be 
>greatly appreciated.
>

Hi

A few things seem a bit off in your conf. Before those, you need to
train some ham/spam into your bayes db; 200 of each is the minimum
recommended, if I recall right.

In your conf you have the line:

>whitelist_from [EMAIL PROTECTED] users@spamassassin.apache.org [EMAIL PROTECTED] [EMAIL PROTECTED]

I think each of those should have its own whitelist_from line.

>bayes_auto_learn_threshold_spam 1.0

See
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html
and look at the LEARNING OPTIONS section.

Also run spamassassin --lint -D for a list of just what is working and
what's not.

HTH

Nigel
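
The checks suggested in the replies to this thread (are any rules firing, is Bayes trained) and the BAYES_00 hit reported in the "KAUF-TIPP DER WOCHE" thread can be read straight from the headers and the spamd log. The following is an added example, not code from any poster or from the SpamAssassin project; the finding codes and function names are hypothetical, and the input is assumed to be headers from messages the operator already knows are missed spam.

```python
import re

# Constructed input: two X-Spam-Status headers and one spamd log line taken
# from the messages in this thread, with RFC 5322 header folding restored.
SAMPLE = (
    "X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no\n"
    "\tversion=3.1.7-deb\n"
    "X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,\n"
    "\tMSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8\n"
    "Mar 28 09:10:23 poopey spamd[21716]: bayes: not available for scanning, "
    "only 5 spam(s) in bayes DB < 50\n"
)

KEYS = "score|required|tests|autolearn|version"
STATUS_RE = re.compile(r"^X-Spam-Status:\s*(Yes|No),\s*(.*)$", re.I)
# A value runs until the next "key=" token; the tests list may contain spaces
# where a folded header was joined.
FIELD_RE = re.compile(rf"\b({KEYS})=(.*?)(?=\s+(?:{KEYS})=|\s*$)", re.S)
BAYES_LOG_RE = re.compile(
    r"bayes: not available for scanning, only (\d+) (spam|ham)\(s\) "
    r"in bayes DB < (\d+)"
)
LOW_BAYES = {"BAYES_00", "BAYES_05", "BAYES_20"}  # buckets that lean towards ham


def unfold(text):
    """Join folded header lines: a line starting with space or tab continues the previous one."""
    return re.sub(r"\r?\n[ \t]+", " ", text)


def parse_status(line):
    """Parse one unfolded X-Spam-Status line, or return None for any other line."""
    m = STATUS_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group(2))}
    if "score" not in fields or "required" not in fields:
        return None
    tests = [t.strip() for t in fields.get("tests", "none").split(",") if t.strip()]
    return {
        "spam": m.group(1).lower() == "yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": [] if tests == ["none"] else tests,
        "version": fields.get("version", ""),
    }


def triage(text):
    """Return (code, detail) findings for missed-spam headers and spamd log lines."""
    findings = []
    for line in unfold(text).splitlines():
        status = parse_status(line)
        if status and not status["spam"]:
            bayes = [t for t in status["tests"] if t.startswith("BAYES_")]
            if not status["tests"]:
                findings.append(("NO_RULES_HIT",
                                 "tests=none; run 'spamassassin -D --lint' as the scanning user"))
            elif not bayes:
                findings.append(("BAYES_NOT_SCORING", "no BAYES_* rule in tests"))
            for name in bayes:
                if name in LOW_BAYES:
                    findings.append(("BAYES_SAYS_HAM",
                                     f"{name} hit on a message reported as spam"))
        log = BAYES_LOG_RE.search(line)
        if log:
            have, kind, need = log.groups()
            findings.append(("BAYES_UNDERTRAINED",
                             f"{kind}: {have} learned, {need} required"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE):
        print(f"{code}: {detail}")
```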



Re: spamassassin not checking emails correctly.

2007-03-28 Thread -- [ UxBoD ] --
First thing first.  Could you run a spamassassin -D --lint as the user which is 
scanning the email, and post the results please. This will allow people to 
diagnose the problem more easily.

Regards,

UxBoD

On Wed, 28 Mar 2007 09:12:20 +0100, Jimmy Stewpot <[EMAIL PROTECTED]> wrote:
> Hello,
> 
> I have recently installed spamassassin on my new ubuntu distribution
> from the apt package. I seem to be having issues where emails that are
> obviously spam are not being marked.
> 
> X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no
> version=3.1.7-deb
> 
> Is in the headers of the email but the content of the email has URLs
> which are in the blacklists, If I forward these emails to my ISP account
> which has its own spam solution they get marked.
> 
> Here is the body of the email
> 
> =SNIP===
> 
> Hello, share
> 
>  >> Don't have time for a full time relationship?
> Many young career minded people don't but still want a physical
> relationship,
> many of these need sexual encounters but without the frustrating
> attachment of a boyfriend or girlfriend.
> This means they have time to concentrate on their profession/career and
> not worry about
> what is going on at home, as essentially they are single.
> This is commonly becoming known as a
> [geocities URL HERE]
> skittle chesapeake boycott ripple grandchildren anglicanism flora
> yaounde lawson, offshore inhere.
> ampere terse hoofmark computation nero evildoer cause downcast, wolfish
> squirehood
> bucharest creamy marin, goa strand bulrush january.
> fable ultimatum rate, cerise bluebonnet steiner travesty.
> 
> Your Tad.
> 
> =SNIP===
> 
> I have removed the geocities URL so that it won't potentially be marked
> by users of this list's spam protection.
> 
> My spamassassin configuration is fairly basic and it looks like this
> 
> 
> =SNIP===
> cat /etc/spamassassin/local.cf
> 
> lock_method flock
> required_score 5.0
> trusted_networks 127.0.0.1
> # clear_headers
> # add_header all Flag _YESNOCAPS_
> # add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
> add_header spam Flag _YESNOCAPS_
> add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
> tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
> add_header all Level _STARS(*)_
> add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on
> _HOSTNAME_
> 
> rewrite_header Subject **SPAM**
> 
> skip_rbl_checks 0
> report_safe 1
> whitelist_from [EMAIL PROTECTED]
> whitelist_from [EMAIL PROTECTED]
> whitelist_from [EMAIL PROTECTED] users@spamassassin.apache.org
> [EMAIL PROTECTED] [EMAIL PROTECTED]
> bayes_min_ham_num 50
> bayes_min_spam_num 50
> bayes_use_hapaxes 1
> use_bayes 1
> use_auto_whitelist 0
> bayes_auto_learn_threshold_spam 1.0
> use_razor2 1
> use_pyzor 1
> ok_locales en
> 
> 
> =SNIP===
> 
> 
> I had previously been using the rules from saupdates.openprotect.com
> but I have stopped using that service while I try and diagnose this
> problem. With or without the rules I have exactly the same issues.
> 
> One line I am constantly seeing in the mail.log file is the following
> 
> Mar 28 09:09:34 poopey spamd[21715]: config: copying current conf from
> backup
> 
> does that have any reference on the problem?
> 
> I also see the following
> 
> Mar 28 09:10:23 poopey spamd[21716]: bayes: not available for scanning,
> only 5 spam(s) in bayes DB < 50
> 
> I find that a little strange as I have done an sa-learn for both ham and
> spam emails on folders which I have moved all the spam messages to.
> 
> Any advice on resolving or how to diagnose these problems would be
> greatly appreciated.
> 
> Regards,
> 
> Jimmy.
> 
-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: [EMAIL PROTECTED]





spamassassin not checking emails correctly.

2007-03-28 Thread Jimmy Stewpot

Hello,

I have recently installed spamassassin on my new ubuntu distribution 
from the apt package. I seem to be having issues where emails that are 
obviously spam are not being marked.


X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no
version=3.1.7-deb

Is in the headers of the email but the content of the email has URLs 
which are in the blacklists, If I forward these emails to my ISP account 
which has its own spam solution they get marked.


Here is the body of the email

=SNIP===

Hello, share

>> Don't have time for a full time relationship?
Many young career minded people don't but still want a physical
relationship,
many of these need sexual encounters but without the frustrating
attachment of a boyfriend or girlfriend.
This means they have time to concentrate on their profession/career and
not worry about
what is going on at home, as essentially they are single.
This is commonly becoming known as a
[geocities URL HERE]
skittle chesapeake boycott ripple grandchildren anglicanism flora
yaounde lawson, offshore inhere.
ampere terse hoofmark computation nero evildoer cause downcast, wolfish
squirehood
bucharest creamy marin, goa strand bulrush january.
fable ultimatum rate, cerise bluebonnet steiner travesty.

Your Tad.

=SNIP===

I have removed the geocities URL so that it won't potentially be marked 
by users of this list's spam protection.


My spamassassin configuration is fairly basic and it looks like this


=SNIP===
cat /etc/spamassassin/local.cf

lock_method flock
required_score 5.0
trusted_networks 127.0.0.1
# clear_headers
# add_header all Flag _YESNOCAPS_
# add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_


rewrite_header Subject **SPAM**

skip_rbl_checks 0
report_safe 1
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED] users@spamassassin.apache.org [EMAIL PROTECTED] [EMAIL PROTECTED]

bayes_min_ham_num 50
bayes_min_spam_num 50
bayes_use_hapaxes 1
use_bayes 1
use_auto_whitelist 0
bayes_auto_learn_threshold_spam 1.0
use_razor2 1
use_pyzor 1
ok_locales en


=SNIP===


I had previously been using the rules from saupdates.openprotect.com 
but I have stopped using that service while I try and diagnose this 
problem. With or without the rules I have exactly the same issues.


One line I am constantly seeing in the mail.log file is the following

Mar 28 09:09:34 poopey spamd[21715]: config: copying current conf from 
backup


does that have any reference on the problem?

I also see the following

Mar 28 09:10:23 poopey spamd[21716]: bayes: not available for scanning, 
only 5 spam(s) in bayes DB < 50


I find that a little strange as I have done an sa-learn for both ham and 
spam emails on folders which I have moved all the spam messages to.


Any advice on resolving or how to diagnose these problems would be 
greatly appreciated.


Regards,

Jimmy.