Re: SPF custom rule
Bret Miller wrote: I need to look at setting up a custom rule based on a SPF result. If mail is sent from domain xyz.com and the SPF record matches, let it pass as per normal. If on the other hand the SPF record fails for xyz.com, add +5 to the score. This has to happen ONLY for domain xyz.com. All others will be handled by Spamassassin the normal way. I can't specify the syntax directly for you, but a good method of doing this would be to create a rule to detect the message is from that domain then use a meta rule to score if the message hits both from that domain and SPF_FAIL. Bret Thanks for the info Bret. What I've come up with is this: header _FROM_DOMAIN From ~= /example\.com/i header _SPF_TRUE /\bSPF_FAIL\b/ meta DOMAIN_SPF_TRUE (_FROM_DOMAIN_SPF_TRUE) score DOMAIN_SPF_TRUE 10.0 Will this work? Regards JvdW
check mx and compare sender ip address ??
is there any way check mx record as from ip adress and compare it sender ip address ? so spamassassin can decide its spam ?? - Ahhh...imagining that irresistible new car smell? Check outnew cars at Yahoo! Autos.
Re: Any anti-spam solution against outgoing mail?
We should have an out going spam filter functional by July 2007 www.think-antispam.com hamann.w wrote: Ian Eiloart wrote --On 26 December 2006 05:53:12 + Monty Ree [EMAIL PROTECTED] wrote: Hello, list. I have used well SA with procmail well against incoming mail. But there are lots of outgoing spam-mails using web programs or using sendmail at my server. (There are several domains are hosted at the server.) So is there any program like spamassassin which can filter against outgoing spam mail? or any program which can limit sending spam-mail? Please recommend any for me.. my system is linux and sendmail. Don't use spamassassin for this. That's intended for use when you can't police the sender. First, use a firewall to force web applications to use your mail server, and not connect directly to remote mail servers. Otherwise, you can't know that you're even seeing all the email. while I basically agree with you - and this measure will stop misconfigured web applications - there may be a need for direct connect. I am running an email verifier on a shopping website that tries to verify email addresses before customers submit their orders. Before that, I had almost 1% failed email addresses (which would not receive order confirmation, shipping confirmation, ...) Then, require that web applications use a username and password to connect to your host. The PHP class PHPMailer, for example, can do this. That way you can trace offenders by checking the sender address. The average hosting client will not like to rewrite somebody else's mail script from mail() to something else. With qmail, defining QMAILHOST as the domain name in the apache config ensures that scripts calling mail() use a valid sender I have seen abuse where a mail sending php script was placed into /tmp area and executed. Mails generated from such script would originate from an admin or role account, so checking that such mails only go to specific recipients (and only mails from a valid customer domain are allowed outside) would create an additional line of defense Require that sender addresses are not spoofed. That way the real sender (well, the web application owner) can be held to account for misdemeanours. Arrange that copies of emails are sent to you (and maybe the application owner), perhaps stripped of the body, or at least notifications. That way, you can get early alerts of abuse. You might want to rate-limit the sending of email. -- Ian Eiloart IT Services, University of Sussex One additional suggestion: do not offer your hosting clients any preconfigured script that allows to specify the recipient via the web form. Rather provide a template where they will hardcode the recipient in the script Wolfgang Hamann -- View this message in context: http://www.nabble.com/Any-anti-spam-solution-against-outgoing-mail--tf2881453.html#a10388989 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: check mx and compare sender ip address ??
Gokhan ALKAN wrote: is there any way check mx record as from ip adress and compare it sender ip address ? so spamassassin can decide its spam ?? Why would you want SpamAssassin to consider mail that didn't come from a server listed in a domain's MX record as spam? Daryl
Re: SPF custom rule
Thanks for the info Bret. What I've come up with is this: header _FROM_DOMAIN From ~= /example\.com/i header _SPF_TRUE /\bSPF_FAIL\b/ meta DOMAIN_SPF_TRUE (_FROM_DOMAIN_SPF_TRUE) score DOMAIN_SPF_TRUE 10.0 Will this work? Kinda, with few changes: header __FROM_DOMAIN From ~= /\bexample\.com\b/i header __SPF_TRUE ALL ~= /\bSPF_FAIL\b/ This will make sure you get example.com and not myexample.communists. However, the From header is *really* easy to spoof, so this isn't much of a check. You would probaly be better off looking for the host name in one of the received headers. You also need to give a target to the second header test. I used ALL to search all of the headers for the string you want. However, if you know the name of the header you are looking for, you could better do something like header __SPF_CHECKSPF_FAIL:Exists Assuming the header was named SPF_FAIL Note also you want two leading underscores, not one, on those meta parts, so the final line becomes: meta DOMAIN_SPF_TRUE (__FROM_DOMAIN __SPF_TRUE) Loren
Re: check mx and compare sender ip address ??
I have received some mails that from domain and return-path domain is different and from domain is in whitelist nowadays. So spamassassin decide mail that is ham . because of user_in_whilist rule. can i block this spam that check mx records as from domain and compare sender ip address ? Thanks - Ahhh...imagining that irresistible new car smell? Check outnew cars at Yahoo! Autos.
Re: SPF custom rule
Loren Wilton wrote: Thanks for the info Bret. What I've come up with is this: header _FROM_DOMAIN From ~= /example\.com/i header _SPF_TRUE /\bSPF_FAIL\b/ meta DOMAIN_SPF_TRUE (_FROM_DOMAIN_SPF_TRUE) score DOMAIN_SPF_TRUE 10.0 Will this work? Kinda, with few changes: header __FROM_DOMAIN From ~= /\bexample\.com\b/i header __SPF_TRUE ALL ~= /\bSPF_FAIL\b/ This will make sure you get example.com and not myexample.communists. However, the From header is *really* easy to spoof, so this isn't much of a check. You would probaly be better off looking for the host name in one of the received headers. You also need to give a target to the second header test. I used ALL to search all of the headers for the string you want. However, if you know the name of the header you are looking for, you could better do something like header __SPF_CHECKSPF_FAIL:Exists Assuming the header was named SPF_FAIL Note also you want two leading underscores, not one, on those meta parts, so the final line becomes: meta DOMAIN_SPF_TRUE (__FROM_DOMAIN __SPF_TRUE) Loren Hi Loren Thank you very much. I'll give it a try. The final filter will then look like this? header __FROM_DOMAIN From ~= /\bexample\.com\b/i header __SPF_TRUE ALL ~= /\bSPF_FAIL\b/ meta DOMAIN_SPF_TRUE (__FROM_DOMAIN__SPF_TRUE) score DOMAIN_SPF_TRUE 10.0 Just a question though.. This whole process happens in Spamassassin... Will there be a SPF_FAIL in the header already at the time of this check?? I get the feeling there won't.. Regards JvdW
Can SpamAssassin delete mails just from certain countries ?
Hi all, Anyone know if you can get Spamassassin to block and/or delete emails from certain countries if you are on shared hosting please ? Any help very much appreciated. Chris.
Re: How to use SpamAssassin from PHP?
On 4/17/07, Derek Harding [EMAIL PROTECTED] wrote: On Tue, 2007-04-17 at 16:52 +0530, BG Mahesh wrote: hi I want to pass the comments/text entered by users on a form to SpamAssassin for approval. If it approves it only then I want to accept the text, else I want to inform the user that the text is Spam and reject the user's comments. We use PHP and want to know how to implement this. Someone asked about SA from PHP on this list back in March. Here is what I wrote then: #!/usr/bin/php -q ? $fname = tempnam(/tmp, sa); file_put_contents($fname, $message); exec(/usr/bin/spamc -c $fname, $score, $res); if ($res == 1) echo It's spam.\n; unlink($fname); ? TBH I'm not sure SA is really going to help you here since you'll have zero headers for it to work on meaning you're pretty much down to content URIBL checks. Derek We have tested this on http://cause.greynium.com/spamtest.php We have constructed a Mail header, concatenating $message to $header and passing the contents of $header to the code given above. We have installed the script from rulesemporium to update the cf files. What could we be missing? -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds
Re: Can SpamAssassin delete mails just from certain countries ?
Chris wrote: Hi all, Anyone know if you can get Spamassassin to block and/or delete emails from certain countries if you are on shared hosting please ? Any help very much appreciated. Chris. Just add a custom rule for matching the desired countries and use procmail to deliver it to /dev/null. Ruben
Re: How to use SpamAssassin from PHP?
On Wed, May 9, 2007 09:36, BG Mahesh wrote: We have tested this on http://cause.greynium.com/spamtest.php We have constructed a Mail header, concatenating $message to $header and passing the contents of $header to the code given above. We have installed the script from rulesemporium to update the cf files. What could we be missing? Are you saying something isn't working?
Re: Can SpamAssassin delete mails just from certain countries ?
On Wed, May 9, 2007 09:57, Ruben Cardenal wrote: Chris wrote: Hi all, Anyone know if you can get Spamassassin to block and/or delete emails from certain countries if you are on shared hosting please ? Any help very much appreciated. Chris. Just add a custom rule for matching the desired countries and use procmail to deliver it to /dev/null. http://wiki.apache.org/spamassassin/URICountryPlugin http://wiki.apache.org/spamassassin/RelayCountryPlugin
Re: How to use SpamAssassin from PHP?
On 5/9/07, Duncan Hill [EMAIL PROTECTED] wrote: On Wed, May 9, 2007 09:36, BG Mahesh wrote: We have tested this on http://cause.greynium.com/spamtest.php We have constructed a Mail header, concatenating $message to $header and passing the contents of $header to the code given above. We have installed the script from rulesemporium to update the cf files. What could we be missing? Are you saying something isn't working? The content should be reported as Spam. The score (when I run from command line is just about 1.0 and required is 5.0). The text in $message have very hardcore words. Shouldn't it be marked as spam? Are we formating the header correctly (i.e. each line is ending with \n)? regards, -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds
Re: check mx and compare sender ip address ??
I have received some mails that from domain and return-path domain is different and from domain is in whitelist nowadays. So spamassassin decide mail that is ham . because of user_in_whilist rule. Instead of whitelist_from you should use whitelist_from_rcvd, eg to whitelist mails from me, you would use whitelist_from_rcvd [EMAIL PROTECTED] astrum.ch Ie, mails from my address that came from a host with an rDNS in the astrum.ch domain will be whitelisted (will not apply to this mail, as it will be distributed by the mailing list). -- Matthias
Re: How to use SpamAssassin from PHP?
To ensure all is working okay, why not take a existing SPAM message and construct the $message from that and test ? On Wed, 9 May 2007 14:40:52 +0530, BG Mahesh [EMAIL PROTECTED] wrote: On 5/9/07, Duncan Hill [EMAIL PROTECTED] wrote: On Wed, May 9, 2007 09:36, BG Mahesh wrote: We have tested this on http://cause.greynium.com/spamtest.php We have constructed a Mail header, concatenating $message to $header and passing the contents of $header to the code given above. We have installed the script from rulesemporium to update the cf files. What could we be missing? Are you saying something isn't working? The content should be reported as Spam. The score (when I run from command line is just about 1.0 and required is 5.0). The text in $message have very hardcore words. Shouldn't it be marked as spam? Are we formating the header correctly (i.e. each line is ending with \n)? regards, -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- --[ UxBoD ]-- // PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: [EMAIL PROTECTED] -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: How to use SpamAssassin from PHP?
I ran your first sample through SA here and got the following score :- X-Spam-Status: Yes, score=6.5 required=5.0 tests=BAYES_50,FRT_PENIS1, HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_DATE,MISSING_HB_SEP, MISSING_MID,NO_RECEIVED,NO_RELAYS autolearn=no version=3.2.0 Regards, On Wed, 9 May 2007 10:22:55 +0100, --[ UxBoD ]-- [EMAIL PROTECTED] wrote: To ensure all is working okay, why not take a existing SPAM message and construct the $message from that and test ? On Wed, 9 May 2007 14:40:52 +0530, BG Mahesh [EMAIL PROTECTED] wrote: On 5/9/07, Duncan Hill [EMAIL PROTECTED] wrote: On Wed, May 9, 2007 09:36, BG Mahesh wrote: We have tested this on http://cause.greynium.com/spamtest.php We have constructed a Mail header, concatenating $message to $header and passing the contents of $header to the code given above. We have installed the script from rulesemporium to update the cf files. What could we be missing? Are you saying something isn't working? The content should be reported as Spam. The score (when I run from command line is just about 1.0 and required is 5.0). The text in $message have very hardcore words. Shouldn't it be marked as spam? Are we formating the header correctly (i.e. each line is ending with \n)? regards, -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- --[ UxBoD ]-- // PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: [EMAIL PROTECTED] -- --[ UxBoD ]-- // PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: [EMAIL PROTECTED] -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
RE: Can SpamAssassin delete mails just from certain countries ?
-Original Message- From: Duncan Hill [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 09, 2007 11:00 AM To: users@spamassassin.apache.org Subject: Re: Can SpamAssassin delete mails just from certain countries ? On Wed, May 9, 2007 09:57, Ruben Cardenal wrote: Chris wrote: Hi all, Anyone know if you can get Spamassassin to block and/or delete emails from certain countries if you are on shared hosting please ? Any help very much appreciated. Chris. Just add a custom rule for matching the desired countries and use procmail to deliver it to /dev/null. http://wiki.apache.org/spamassassin/URICountryPlugin http://wiki.apache.org/spamassassin/RelayCountryPlugin Many thanks Ruben, Gabriel and Duncan for the help - it's appreciated. One thing, my hosts say that I'm not able to do this if I'm on shared hosting - are you saying that there's a way to do this on shared hosting please ? Out of the ways that have been kindly recommended here, which one would be the easiest for a comparative newbie to do and for it to still be effective please ? Chris.
RE: Can SpamAssassin delete mails just from certain countries ?
On Wed, May 9, 2007 10:37, Chris wrote: One thing, my hosts say that I'm not able to do this if I'm on shared hosting - are you saying that there's a way to do this on shared hosting please ? Out of the ways that have been kindly recommended here, which one would be the easiest for a comparative newbie to do and for it to still be effective please ? It all depends on the shared hosting. SA never, ever deletes mail, it only assigns scores to it. Talk to the hosting provider, ask if they can enable either of the linked plug-ins. IIRC, the relayclient one adds headers to say where the mail went through, so you can then use header rules in procmail or your mail client to handle that.
Re: How to use SpamAssassin from PHP?
On Wed, May 9, 2007 10:10, BG Mahesh wrote: On 5/9/07, Duncan Hill [EMAIL PROTECTED] wrote: On Wed, May 9, 2007 09:36, BG Mahesh wrote: We have tested this on http://cause.greynium.com/spamtest.php We have constructed a Mail header, concatenating $message to $header and passing the contents of $header to the code given above. We have installed the script from rulesemporium to update the cf files. What could we be missing? Are you saying something isn't working? The content should be reported as Spam. The score (when I run from command line is just about 1.0 and required is 5.0). The text in $message have very hardcore words. Shouldn't it be marked as spam? Are we formating the header correctly (i.e. each line is ending with \n)? 'hardcore' words are not necessarily enough to determine that an item is spam. I suggest you start your testing with a real spam mail (and you can find quite a lot of those in places like news.admin.net-abuse.sightings), using the SpamAssassin command line interface. Once you're happy that it scores mail properly, feed the body plus your custom headers to the command line interface. Bear in mind that a good chunk of the SA rules check headers for things like invalid timestamps, spam signs etc, so your effectiveness may be crippled.
RE: Can SpamAssassin delete mails just from certain countries ?
-Original Message- From: Duncan Hill [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 09, 2007 11:44 AM To: users@spamassassin.apache.org Subject: RE: Can SpamAssassin delete mails just from certain countries ? On Wed, May 9, 2007 10:37, Chris wrote: One thing, my hosts say that I'm not able to do this if I'm on shared hosting - are you saying that there's a way to do this on shared hosting please ? Out of the ways that have been kindly recommended here, which one would be the easiest for a comparative newbie to do and for it to still be effective please ? It all depends on the shared hosting. SA never, ever deletes mail, it only assigns scores to it. Talk to the hosting provider, ask if they can enable either of the linked plug-ins. IIRC, the relayclient one adds headers to say where the mail went through, so you can then use header rules in procmail or your mail client to handle that. Thanks Duncan. I will look into that - I would prefer the emails from some countries to not even reach my pc in the first place - so bearing that in mind, is procmail still recommended in this instance please ? If you have for example, a spam threshold of 5 and an email comes in with a score of 4, what happnes to that email ? I never see it, so I thought they got deleted ? Just been trying to find this thread on the message boards - but can't seem to be able to find it ? Am I looking in the right place please ? : http://www.nabble.com/SpamAssassin-f191.html Chris.
RE: Can SpamAssassin delete mails just from certain countries ?
On Wed, May 9, 2007 11:13, Chris wrote: I will look into that - I would prefer the emails from some countries to not even reach my pc in the first place - so bearing that in mind, is procmail still recommended in this instance please ? If your hosting provider offers procmail, yes. The may offer sieve or another filtering/delivery agent. If you have for example, a spam threshold of 5 and an email comes in with a score of 4, what happnes to that email ? I never see it, so I thought they got deleted ? Nothing should happen. That said, it depends on any customisations made by your hosting provider. Just been trying to find this thread on the message boards - but can't seem to be able to find it ? No idea - I'm using an e-mail client, not a web interface.
Re: check mx and compare sender ip address ??
Gokhan ALKAN wrote: I have received some mails that from domain and return-path domain is different and from domain is in whitelist nowadays. So spamassassin decide mail that is ham . because of user_in_whilist rule. Rule 1: DO NOT use whitelist_from unless you have NO other options. Use whitelist_from_rcvd or whitelist_from_spf instead. Whitelist_from is an evil hack of last resort. Rule 2: this is particularly important for your own domain, as this is an obvious target for spammers to try. These alternate versions require more than just a From: or Return-Path: header match to cause whitelisting. Whitelist_from_rcvd will match a combination of a From: header, and has a second parameter that will check the reverse-dns lookup of the host delivering it to a trusted mailserver. whitelist_from_spf will use SPF records, and will only match if the mail is also sent by a server that passes the SPF records of the domain. can i block this spam that check mx records as from domain and compare sender ip address ? But why would that be effective? Most large domains have separate MTA's for sending and receiving mail, thus none of their mail will come from a MTA that matches the MX record. This feature would only be useful for small-shops, and only if you know for sure the small shop uses the one server does it all setup, and that you know the admin will call you and let you know if he decides to change it. My work domain serves a reasonably small population of users, but for quite a while had a separate sending and receiving MTA. However, I recently folded that back in on one host, but might split it back out at any moment.
RE: Can SpamAssassin delete mails just from certain countries ?
-Original Message- From: Duncan Hill [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 09, 2007 12:20 PM To: users@spamassassin.apache.org Subject: RE: Can SpamAssassin delete mails just from certain countries ? On Wed, May 9, 2007 11:13, Chris wrote: I will look into that - I would prefer the emails from some countries to not even reach my pc in the first place - so bearing that in mind, is procmail still recommended in this instance please ? If your hosting provider offers procmail, yes. The may offer sieve or another filtering/delivery agent. I will check and let you know. If you have for example, a spam threshold of 5 and an email comes in with a score of 4, what happnes to that email ? I never see it, so I thought they got deleted ? Nothing should happen. That said, it depends on any customisations made by your hosting provider. But what happens to the email that fails the threshold of spam filtering ? Just been trying to find this thread on the message boards - but can't seem to be able to find it ? No idea - I'm using an e-mail client, not a web interface. I do as well - but I thought there was also a message board of these threads viewable on the internet ?
RE: Poor performance with v3.2.0
-Original Message- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 10:01 PM To: users@spamassassin.apache.org Subject: Re: Poor performance with v3.2.0 On Tue, May 08, 2007 at 06:45:32PM -0700, Marc Perkel wrote: I have to admit that I'm seeing higher server load levels since upgrading to 3.2.0 from 3.1.8 as well. It was enough to make me wonder if some ne features were slowing things down. Last time I checked, which has been a while, granted, 3.2 has more rules than 3.1. More rules mean more resource usage and slower scans. FWIW. And, God Blues you Theo! sa-compile (we have it working on FREEBSD for the non-sares rules) brings that performance back to 3.18 levels with all the new rules. _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _
RE: ANNOUNCE: Apache SpamAssassin 3.2.0 available
If you want a test, cd /usr/ports/devel/re2c rm -rf get http://www.secnap.com/downloads/re2c.tgz Untar it, make and install it, run sa-compile, and uncomment the RulesX2 line in v320.pre Doesn't seem to do anything for SARES rules (I have ONE compiled rule in rule_500) but it does seem to work. -- Michael Scheidell, CTO Join SECNAP at SecureWorld Philadelphia May 16-17 http://www.secnap.com/events for free and discounted seminar tickets _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _
RE: Can SpamAssassin delete mails just from certain countries ?
On Wed, May 9, 2007 11:29, Chris wrote: But what happens to the email that fails the threshold of spam filtering ? If it's below the threshold, it may get a subject modification, it probably gets a new header or two. If it's above the threshold, it probably gets a new header or two, and then it's up to the hosting provider. Some may quarantine it, some may pass it through, some may bit bucket it. I do as well - but I thought there was also a message board of these threads viewable on the internet ? That might be Nabble, no idea. There are certainly quite a few web archives of the list.
RE: ANNOUNCE: Apache SpamAssassin 3.2.0 available
On Wed, 9 May 2007, Michael Scheidell wrote: If you want a test, cd /usr/ports/devel/re2c rm -rf get http://www.secnap.com/downloads/re2c.tgz Untar it, make and install it, run sa-compile, and uncomment the RulesX2 line in v320.pre Doesn't seem to do anything for SARES rules (I have ONE compiled rule in rule_500) but it does seem to work. It installed here just fine from your previous message. I didn't have to modify anything. Only thing I received were a couple messages about the two patch files: === Patching for re2c-0.12.0 === Applying FreeBSD patches for re2c-0.12.0 I can't seem to find a patch in there anywhere. I can't seem to find a patch in there anywhere. Looking into the directory for the patches I see: %ls -l /usr/ports/devel/re2c/files -rw-r--r-- 1 root wheel 0 May 8 15:33 patch-action.cc -rw-r--r-- 1 root wheel 0 May 8 15:33 patch-substr.h the two files are zero(0) in length. The install still works with the limited testing I've done and does report the correct version: % re2c -V 001200 I'll probably give it a go on our secondary MX late tonight and see what happens. I have the current SpamAssassin install backed up as well as the entire 3.1.8 configuration and ready to roll back within minutes in the event of any issues.
Spamassassin - user_prefs and bayes_path for user
Hi all, I want the spamassassin work with files user_prefs and bayes_path for user. Anyone can help me ? thz.
dnswl.org
We are currently running SpamAssassin 3.1.7. Can we run dnswl.org with this version of SpamAssassin? Can I put in lines like this in local.cf? # dnswl.org file header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted,'127.0.\d+.1') header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1') describe RCVD_IN_DNSWL_LOW Sender listed at http://www.dnswl.org/, low trust tflags RCVD_IN_DNSWL_LOW nice net header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '127.0. \d+.2') describe RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust tflags RCVD_IN_DNSWL_MED nice net header RCVD_IN_DNSWL_HI eval:check_rbl_sub('dnswl-firsttrusted', '127.0. \d+.3') describe RCVD_IN_DNSWL_HISender listed at http://www.dnswl.org/, high trust tflags RCVD_IN_DNSWL_HI nice net score RCVD_IN_DNSWL_LOW -1 score RCVD_IN_DNSWL_MEDIUM -10 score RCVD_IN_DNSWL_HI -100 Regards -- Sujit Choudhury ISLS University of Westminster Ext 3851 / 1779
Bayes and tokens
Hi, Recently I had some false positives that also had BAYES_99 triggered. As I saved the original e-mail(s), I'd like to see what tokens actually caused this. Is it possible to do this with Spam Assassin 3.1.8? I vaguely remember that previously I ran spamassassin in debug mode and that it showed tokens matched, but that doesn't seem to be happening any more (or I'm not doing something correctly). To make clear - I'm interested in what tokens caused the BAYES_99 rule to trigger. Thanks all.
older SA 2.7
Hello, I want ask some1 of you about version of SA 2.70. This release was released ever ? or it was just abandoned and replaced with 3.0 ? If it exist , could you please provide me link ? thank you -- Best regards, Peter mailto:[EMAIL PROTECTED]
RE: SPF custom rule
Thanks for the info Bret. What I've come up with is this: header _FROM_DOMAIN From ~= /example\.com/i header _SPF_TRUE /\bSPF_FAIL\b/ meta DOMAIN_SPF_TRUE (_FROM_DOMAIN_SPF_TRUE) score DOMAIN_SPF_TRUE 10.0 Will this work? Kinda, with few changes: header __FROM_DOMAIN From ~= /\bexample\.com\b/i header __SPF_TRUE ALL ~= /\bSPF_FAIL\b/ This will make sure you get example.com and not myexample.communists. However, the From header is *really* easy to spoof, so this isn't much of a check. You would probaly be better off looking for the host name in one of the received headers. You also need to give a target to the second header test. I used ALL to search all of the headers for the string you want. However, if you know the name of the header you are looking for, you could better do something like header __SPF_CHECKSPF_FAIL:Exists Assuming the header was named SPF_FAIL Note also you want two leading underscores, not one, on those meta parts, so the final line becomes: meta DOMAIN_SPF_TRUE (__FROM_DOMAIN __SPF_TRUE) Loren Hi Loren Thank you very much. I'll give it a try. The final filter will then look like this? header __FROM_DOMAIN From ~= /\bexample\.com\b/i header __SPF_TRUE ALL ~= /\bSPF_FAIL\b/ meta DOMAIN_SPF_TRUE (__FROM_DOMAIN__SPF_TRUE) score DOMAIN_SPF_TRUE 10.0 Just a question though.. This whole process happens in Spamassassin... Will there be a SPF_FAIL in the header already at the time of this check?? I get the feeling there won't.. If the SPF test is happening in SA anyway, then you can reduce this to two rules: header __FROM_DOMAIN From ~= /\bexample\.com\b/i meta DOMAIN_SPF_TRUE (__FROM_DOMAINSPF_FAIL) score DOMAIN_SPF_TRUE 10.0 SPF_FAIL is part of the standard rule set in 25_spf.cf. No sense in checking the condition twice. Bret
RE: older SA 2.7
Peter Mikeska (MiKi) wrote: Hello, I want ask some1 of you about version of SA 2.70. This release was released ever ? or it was just abandoned and replaced with 3.0 ? If it exist , could you please provide me link ? thank you http://mail-archives.apache.org/mod_mbox/spamassassin-users/200404.mbox/ [EMAIL PROTECTED] Grts, Rob
Re: How to use SpamAssassin from PHP?
The content should be reported as Spam. The score (when I run from command line is just about 1.0 and required is 5.0). The text in $message have very hardcore words. Shouldn't it be marked as spam? Are we formating the header correctly (i.e. each line is ending with \n)? 'hardcore' words are not necessarily enough to determine that an item is spam. I suggest you start your testing with a real spam mail (and you can find quite a lot of those in places like news.admin.net-abuse.sightings), using the SpamAssassin command line interface. Once you're happy that it scores mail properly, feed the body plus your custom headers to the command line interface. Bear in mind that a good chunk of the SA rules check headers for things like invalid timestamps, spam signs etc, so your effectiveness may be crippled. Thanks..will do that. I agree that the message we are testing against are very short but I think most of the user generated content on our site will be short (feedback, comments etc). So I guess we will have to write a lot more custom rules to achieve what we really want. regards, -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds
Re: How to use SpamAssassin from PHP?
Hi, BG Mahesh wrote: The content should be reported as Spam. The score (when I run from command line is just about 1.0 and required is 5.0). The text in $message have very hardcore words. Shouldn't it be marked as spam? Are we formating the header correctly (i.e. each line is ending with \n)? 'hardcore' words are not necessarily enough to determine that an item is spam. I suggest you start your testing with a real spam mail (and you can find quite a lot of those in places like news.admin.net-abuse.sightings ), using the SpamAssassin command line interface. Once you're happy that it scores mail properly, feed the body plus your custom headers to the command line interface. Bear in mind that a good chunk of the SA rules check headers for things like invalid timestamps, spam signs etc, so your effectiveness may be crippled. Thanks..will do that. I agree that the message we are testing against are very short but I think most of the user generated content on our site will be short (feedback, comments etc). So I guess we will have to write a lot more custom rules to achieve what we really want. Or lower the spam threshold... Or raise the scores of the rules that are hitting... -- Anthony Peacock CHIME, Royal Free University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas. -- George Bernard Shaw
Re: Bayes and tokens
BQ wrote: Hi, Recently I had some false positives that also had BAYES_99 triggered. As I saved the original e-mail(s), I'd like to see what tokens actually caused this. Is it possible to do this with Spam Assassin 3.1.8? spamassassin -D bayes message.eml I vaguely remember that previously I ran spamassassin in debug mode and that it showed tokens matched, but that doesn't seem to be happening any more (or I'm not doing something correctly). Yep, it's gotta be -D bayes, not just -D To make clear - I'm interested in what tokens caused the BAYES_99 rule to trigger. Thanks all.
Re: Spamassassin - user_prefs and bayes_path for user
Bruno Henrique de Oliveira wrote: Hi all, I want the spamassassin work with files user_prefs and bayes_path for user. Anyone can help me ? Can you elaborate a bit more on your setup? SpamAssassin does this by default, but making it work depends on how you call spamassassin.
RE: Poor performance with v3.2.0
Bayes auto expiries (taking to long and getting killed)? I think that's a 600 second timeout. We're not using auto-expiry. Bayes expiry is being done with a batch job. It would be interesting on some system experiencing this slowdown to put 'use bytes' back into SA and see what happens with the performance. This wouldn't be any sort of a solution, but it would be an interesting data point. We have Perl v5.8.8, which doesn't have the UTF8 bug. Would it still be worth trying this experiment? If so, where do I put use bytes? And, God Blues you Theo! sa-compile (we have it working on FREEBSD for the non-sares rules) brings that performance back to 3.18 levels with all the new rules. sa-compile took 3 hours to run. (System is a SunFire v210 with 2 processors and 2 GB ram.)
Re: Spamassassin - user_prefs and bayes_path for user
Bruno Henrique de Oliveira wrote: Hi all, I want the spamassassin work with files user_prefs and bayes_path for user. Anyone can help me ? Can you elaborate a bit more on your setup? SpamAssassin does this by default, but making it work depends on how you call spamassassin. I have spamassassin + vpopmail + maildrop. I execute spamassassin through the line: spamd_enable=YES spamd_flags=-u qscand -c -d -r /var/run/spamd.pid \ --socketpath=/var/run/spamd.socket \ --socketowner=qscand --socketgroup=qscand inside of rc.conf of the server FreeBSD 6.1. The idea is that spamassassin reads user_prefs and the base bayes inside of home of the user. i.e.: /usr/local/vpopmail/domains/domain.com/user/
Authenticated SMTP and SA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'm running sendmail 8.14.1 configured to do authenticated e-mail relaying with port 587 and TLS encryption. When our users authenticate and send a message sendmail changes the received header line to look like this - Received: from dyn041100.cc.lehigh.edu (Dyn041100.CC.Lehigh.EDU [128.180.41.100]) (authenticated bits=0) by rain.CC.Lehigh.EDU (8.14.1/8.14.1) with ESMTP id l49DkUi3019835 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for [EMAIL PROTECTED]; Wed, 9 May 2007 09:46:30 -0400 Anyway, SA 3.2 doesn't appear to recognize this as being a trusted message based on the authenticated portion, and SPF_FAIL gets triggered if the message is coming from a source which wouldn't normally be allowed (but is allowed because the message was sent via an authenticated connection). So my question is, did I miss something in configuring SA so that authenticated e-mail messages are trusted and won't trigger the SPF_FAIL and other rules, or do I need to set up spamass-milter or spamc differently so that authenticated messages simply bypass SA checking altogether? Thanks - Dan Schwartz -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGQdkhhCibbju3xzcRAjqfAJ9CLaa4bgOkmJkvrJt9JWWjDYxjcwCeO814 gUULw1uy/IgS+d/hAQrVtXQ= =Rv1y -END PGP SIGNATURE-
RDNS_NONE - SA 3.2.0
I've been doing some testing with v3.2.0 on my local machine and am seeing a test that is triggering. I'm going to share the IP it is triggering on in hopes someone can point out what I'm missing. [71849] dbg: received-header: parsed as [ ip=162.42.148.100 rdns= helo=smtpgate.ndunet.com by=admin.mwci.net ident= envfrom= intl=0 id=119059853 auth= msa=0 ] ... [71849] dbg: rules: ran header rule RDNS_NONE == got hit: [ip=162.42.148.100 rdns= Doing a lookup of the IP from where I am sitting, I can get the reverse DNS: Non-authoritative answer: 100.148.42.162.in-addr.arpa name = smtpgate.ndunet.com.
Re: RDNS_NONE - SA 3.2.0
Duane Hill writes: I've been doing some testing with v3.2.0 on my local machine and am seeing a test that is triggering. I'm going to share the IP it is triggering on in hopes someone can point out what I'm missing. [71849] dbg: received-header: parsed as [ ip=162.42.148.100 rdns= helo=smtpgate.ndunet.com by=admin.mwci.net ident= envfrom= intl=0 id=119059853 auth= msa=0 ] ... [71849] dbg: rules: ran header rule RDNS_NONE == got hit: [ip=162.42.148.100 rdns= Doing a lookup of the IP from where I am sitting, I can get the reverse DNS: Non-authoritative answer: 100.148.42.162.in-addr.arpa name = smtpgate.ndunet.com. sounds like the MTA in question is not performing rDNS lookups, or else not recording them in a format SpamAssassin can read. --j.
Re: RDNS_NONE - SA 3.2.0
On Wed, 9 May 2007, Justin Mason wrote: Duane Hill writes: I've been doing some testing with v3.2.0 on my local machine and am seeing a test that is triggering. I'm going to share the IP it is triggering on in hopes someone can point out what I'm missing. [71849] dbg: received-header: parsed as [ ip=162.42.148.100 rdns= helo=smtpgate.ndunet.com by=admin.mwci.net ident= envfrom= intl=0 id=119059853 auth= msa=0 ] ... [71849] dbg: rules: ran header rule RDNS_NONE == got hit: [ip=162.42.148.100 rdns= Doing a lookup of the IP from where I am sitting, I can get the reverse DNS: Non-authoritative answer: 100.148.42.162.in-addr.arpa name = smtpgate.ndunet.com. sounds like the MTA in question is not performing rDNS lookups, or else not recording them in a format SpamAssassin can read. You are correct now that I look. The MTA is CommuniGate and the header is: Received: from [162.42.148.100] (HELO smtpgate.ndunet.com) by admin.mwci.net (CommuniGate Pro SMTP 4.1.8) with ESMTP id 119059853 for [EMAIL PROTECTED]; Wed, 09 May 2007 14:11:59 + I can resolve 162.42.148.100 from the CommuniGate server successfully. And, as I reflect back, this has been brought up a very few times in the past about the headers being incorrect with that MTA on this list.
Re: Problem upgrading from 3.1.8 to 3.1.20, check.pm
On Wed, May 09, 2007 at 12:14:24AM -0500, Gabriel Millerd wrote: Beyond the s/3.1.20/v3.2.0/ issue that some people cannot get past. I have the same issue. I had to juggle my cf/pre files entries for quite some time to get past the check_scan problem you describe for spamd to run peachy. I, like you I suspect, loaded up one single file with all my config entries. The v3.2 suite seems to want these in a number of files. Where v3.1.x was forgiving I guess. The config code didn't really change between 3.1 and 3.2. 3.2 doesn't care if you have one pre file or twenty. However, what does matter is that you have all the loadplugin lines that you need to have. In 3.2, the check() function was pluginized, and so you need to load a plugin that implements the function or else you don't have a check() function. Without that function, SA can't scan anything, and so it helpfully alerts you to the fact that you don't have this functionality. So in v3.2 if you remove all your .pre files and just have local.cf with all your rules you cannot sa-update, it will bomb. You need to If you remove all your pre files, you will have broken your SA install, forget sa-update. In short, and I'll say it in caps so people know I mean this very seriously: DON'T PUT LOADPLUGIN LINES IN CF FILES, LEAVE THEM IN PRE FILES I only know of one good reason to put loadplugin lines in a cf file, and it involves testing plugins from a sandbox. I haven't come up with a reason in a normal production install. # mv init.pre local.cf Why would you do that? config: no configuration text or files found! please check your setup check: no loaded plugin implements 'check_main': cannot scan! at /usr/local/share/perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 164. Of course, you've disabled all the plugins. sa-update can't lint anything, and you've broken your install. -- Randomly Selected Tagline: A CAT scan should take less time than a PET scan. For a CAT scan, they're only looking for one thing, whereas a PET scan could result in a lot of things. - Carl Princi, 2002/07/19 pgpAHNzljeiKt.pgp Description: PGP signature
Re: Bayes and tokens
Matt, On 5/10/07, Matt Kettler [EMAIL PROTECTED] wrote: BQ wrote: Hi, Recently I had some false positives that also had BAYES_99 triggered. As I saved the original e-mail(s), I'd like to see what tokens actually caused this. Is it possible to do this with Spam Assassin 3.1.8? spamassassin -D bayes message.eml I vaguely remember that previously I ran spamassassin in debug mode and that it showed tokens matched, but that doesn't seem to be happening any more (or I'm not doing something correctly). Yep, it's gotta be -D bayes, not just -D Thanks - this works great. It would be good if this little thing gets included in the manual pages - it's either not there or I missed it (quite possible :).
Re: Bayes and tokens
On Thu, May 10, 2007 at 03:13:58AM +1200, BQ wrote: Yep, it's gotta be -D bayes, not just -D Thanks - this works great. It would be good if this little thing gets included in the manual pages - it's either not there or I missed it (quite possible :). fyi: http://wiki.apache.org/spamassassin/DebugChannels -- Randomly Selected Tagline: If it wasn't for time everything would happen at once. pgpDFzoRQL83o.pgp Description: PGP signature
required_score not working?
Greetings, Am I correct in saying that the proper way to set a default required_score is in the /etc/mail/spamassassin/local.cf file? I'm running SA 3.2.0 and I seem to be unable to change the default required_score. I'm using spamc/spamd for processing via simscan. Per-user rules are enabled and seem to be working fine. If the user does not have any preferences set, however, I thought the default required_score from the local.cf file was used. Is that not the case? spamd is run with the following options : -d -q -x -m25 --min-children 10 --min-spare 5 --max-spare 10 --socketpath=/tmp/spamd.sock --syslog-socket=none I'm attempting to lower the default required_score because I'm seeing a ton of incoming spam that's flying just under the default score of 5.0. Per-user scores are not working because simscan drops to defaults if there is more than one rcpt_to, and most of the incoming spam is BCC spam. Speaking of which, is there any sort of BCC rule that pumps up the score if the mail is BCCed? I can see a problem with mailing lists, though Would it be possible to trigger on the mailing list headers as well? Thanks, -- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED] http://blog.godshell.com
Re: dnswl.org
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sujit Acharyya-Choudhury wrote: We are currently running SpamAssassin 3.1.7. Can we run dnswl.org with this version of SpamAssassin? Sure - it uses regular DNSBL-style lookups. dnswl.org data (and the rules) should work in almost any version of SA. Can I put in lines like this in local.cf? If you took the lines from http://www.dnswl.org/tech#spamassassin (which it seems you did), you should be fine. Note that there are two differeneces to the rules now distributed with SA 3.2.0: 1) The 3.2.0 ruleset misses the actual lookup, which you can add to your local.cf: header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.') 2) The distributed scores are -1, -4 and -8 for low, med and hi; on our webpage, we have -1, -10 and -100. I guess it depends on your philosophy and other (whitelisting/blocking) rules to decide which scores to choose. - -- Matthias PS: I've seen a number of requests for .ac.uk domains to be included in dnswl.org -- I will not get around to handle them today. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFGQfnKxbHw2nyi/okRArE8AJ9Wz6Ux/zx+V+DswEnVrcTuq13WzgCfY3TY JRHIgTnH3zDr0ofw3dDXUYQ= =xlsQ -END PGP SIGNATURE-
Re: Authenticated SMTP and SA
Dan Schwartz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'm running sendmail 8.14.1 configured to do authenticated e-mail relaying with port 587 and TLS encryption. When our users authenticate and send a message sendmail changes the received header line to look like this - Received: from dyn041100.cc.lehigh.edu (Dyn041100.CC.Lehigh.EDU [128.180.41.100]) (authenticated bits=0) by rain.CC.Lehigh.EDU (8.14.1/8.14.1) with ESMTP id l49DkUi3019835 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for [EMAIL PROTECTED]; Wed, 9 May 2007 09:46:30 -0400 Anyway, SA 3.2 doesn't appear to recognize this as being a trusted message based on the authenticated portion, and SPF_FAIL gets triggered if the message is coming from a source which wouldn't normally be allowed (but is allowed because the message was sent via an authenticated connection). Try running a message that exhibits this problem through 'spamassassin' on the command line after first removing any received headers that are added after SA sees the message. I expect that you won't see the problem if there are either no relays (and thus received headers) between the received header quoted above and what SA sees or if there is, you've got your trusted_networks configured correctly. So my question is, did I miss something in configuring SA so that authenticated e-mail messages are trusted and won't trigger the SPF_FAIL and other rules, or do I need to set up spamass-milter or spamc differently so that authenticated messages simply bypass SA checking altogether? If the command line test above doesn't exhibit the problem I would expect that spamass-milter isn't including the auth line when it fakes the received header. A quick look at the spamass-milter code would confirm whether this is the case or not (it should be easy to find, there's not much to the milter). Daryl
sa-compile ends with error
is this a problem? Can't locate object method finish via package Mail::SpamAssassin::Timeout at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PluginHandler.pm line 234.
Re: sa-compile ends with error
Tim Litwiller wrote: is this a problem? Can't locate object method finish via package Mail::SpamAssassin::Timeout at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PluginHandler.pm line 234. Do you have the FuzzyOCR plugin installed? At least one version of it tried to call this non-existent method. Daryl
Re: sa-compile ends with error
Daryl C. W. O'Shea wrote: Tim Litwiller wrote: is this a problem? Can't locate object method finish via package Mail::SpamAssassin::Timeout at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PluginHandler.pm line 234. Do you have the FuzzyOCR plugin installed? At least one version of it tried to call this non-existent method. Daryl I had renamed the .cf to .old since it wasn't working correctly in 3.2.0 now I move the files out of /etc/mail/spamassassin completely. I'm running sa-compile again.
attack, bug, or just misconfig?
Hi there Wasn't there a recent thread on this one? Umm here is the error spamd[705]: Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xd2) in pattern match (m//) at /etc/mail/spamassassin/70_sare_adult.cf, rule SARE_OBFUFCK1, line 1. Can easily fill up a log partition... Now, do I need to disable some **auto compile rules** feature on this 3.2.0 or is this a need to update some perl mods Pretty standard 3.2.0 install upgraded from 3.1.8 I got some hits on this from recent and although I have been following I do not recall the answers other than the obvious temporary removal of the SARE sets. Thanks - rh -- Abba Communications Spokane, WA www.abbacomm.net
spamassassin list
Why does the SA list accept postings from unsubscribed email addresses? - rh -- Abba Communications Spokane, WA www.abbacomm.net
razor_timeout in mailscanner.cf failing lint test
I have 3 mail servers with relatively identical configurations that I just upgraded to MailScanner 4.59.4 and SpamAssassin 3.2.0. Two of them are working fine, however on one of them, sa-compile won't run, due to the spamassassin --lint check failing. spamassassin --lint --debug only turns up this: [17079] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/mailscanner.cf: razor_timeout 10 Looking at my two good boxes, that line seems like it should work just fine... On all 3 boxes Razor 2.82 v3 is installed and running correctly, MailScanner and SpamAssassin are parsing and scoring incoming messages without any errors, and mailscanner.cf is identical on all boxes. I'm at a loss to figure out what's going on... does anyone have any ideas? Thanks in advance! -Geromy -- View this message in context: http://www.nabble.com/razor_timeout-in-mailscanner.cf-failing-lint-test-tf3717236.html#a10399185 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: razor_timeout in mailscanner.cf failing lint test
harp2812 wrote: I have 3 mail servers with relatively identical configurations that I just upgraded to MailScanner 4.59.4 and SpamAssassin 3.2.0. Two of them are working fine, however on one of them, sa-compile won't run, due to the spamassassin --lint check failing. spamassassin --lint --debug only turns up this: [17079] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/mailscanner.cf: razor_timeout 10 Looking at my two good boxes, that line seems like it should work just fine... On all 3 boxes Razor 2.82 v3 is installed and running correctly, MailScanner and SpamAssassin are parsing and scoring incoming messages without any errors, and mailscanner.cf is identical on all boxes. I'm at a loss to figure out what's going on... does anyone have any ideas? Thanks in advance! -Geromy Make sure that the Razor2 plugin is being loaded. The loadplugin line for it is in v310.pre. If enabled (and the .pm file isn't missing, you'll see it being loaded in the debug output). Daryl
Re: razor_timeout in mailscanner.cf failing lint test
That fixed it! Thank you! Daryl C. W. O wrote: Make sure that the Razor2 plugin is being loaded. The loadplugin line for it is in v310.pre. If enabled (and the .pm file isn't missing, you'll see it being loaded in the debug output). Daryl -- View this message in context: http://www.nabble.com/razor_timeout-in-mailscanner.cf-failing-lint-test-tf3717236.html#a10399367 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: sa-compile ends with error
Daryl C. W. O'Shea wrote: Tim Litwiller wrote: is this a problem? Can't locate object method finish via package Mail::SpamAssassin::Timeout at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PluginHandler.pm line 234. Do you have the FuzzyOCR plugin installed? At least one version of it tried to call this non-existent method. Daryl Even with FuzzyOcr removed it still ends that way. I'll try removing all my custom rules next
Re: sa-compile ends with error
Tim Litwiller wrote: Daryl C. W. O'Shea wrote: Tim Litwiller wrote: is this a problem? Can't locate object method finish via package Mail::SpamAssassin::Timeout at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PluginHandler.pm line 234. Do you have the FuzzyOCR plugin installed? At least one version of it tried to call this non-existent method. Even with FuzzyOcr removed it still ends that way. I'll try removing all my custom rules next It's either one of your plugins calling it (try disabling all third-party plugins) or perhaps for some reason you've got a loadplugin line for M::SA::Timeout itself. Daryl
Re: [SPAM] RE: Poor performance with v3.2.0
On Wed, 9 May 2007, Rosenbaum, Larry M. wrote: Bayes auto expiries (taking to long and getting killed)? I think that's a 600 second timeout. We're not using auto-expiry. Bayes expiry is being done with a batch job. It would be interesting on some system experiencing this slowdown to put 'use bytes' back into SA and see what happens with the performance. This wouldn't be any sort of a solution, but it would be an interesting data point. We have Perl v5.8.8, which doesn't have the UTF8 bug. Would it still be worth trying this experiment? If so, where do I put use bytes? Put in Mail::SpamAssassin::Message (Message.pm). It will break normalize_charset though. And, God Blues you Theo! sa-compile (we have it working on FREEBSD for the non-sares rules) brings that performance back to 3.18 levels with all the new rules. sa-compile took 3 hours to run. (System is a SunFire v210 with 2 processors and 2 GB ram.) Vincent Li http://bl0g.blogdns.com
Re: check mx and compare sender ip address ??
is there any way check mx record as from ip adress and compare it sender ip address ? so spamassassin can decide its spam ?? Hi, some domains, unfortunately only few, use spf (or domainkeys) to declare the machines allowed to send mail for the domain. Now, If such information exists, and the mail does not match, you can safely drop it Wolfgang Hamann
Re: sa-compile ends with error
Daryl C. W. O'Shea wrote: Tim Litwiller wrote: Daryl C. W. O'Shea wrote: Tim Litwiller wrote: is this a problem? Can't locate object method finish via package Mail::SpamAssassin::Timeout at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PluginHandler.pm line 234. Do you have the FuzzyOCR plugin installed? At least one version of it tried to call this non-existent method. Even with FuzzyOcr removed it still ends that way. I'll try removing all my custom rules next It's either one of your plugins calling it (try disabling all third-party plugins) or perhaps for some reason you've got a loadplugin line for M::SA::Timeout itself. Daryl Thanks, it was a loadplugin line for Mail::SpamAssassin::Timeout . Now, I'll carefully put my cf files and plugins back and see if it still works.
Re: attack, bug, or just misconfig?
- Original Message - From: RobertH [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Wednesday, May 09, 2007 10:25 AM Subject: attack, bug, or just misconfig? Hi there Wasn't there a recent thread on this one? Umm here is the error spamd[705]: Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xd2) in pattern match (m//) at /etc/mail/spamassassin/70_sare_adult.cf, rule SARE_OBFUFCK1, line 1. Can easily fill up a log partition... Now, do I need to disable some **auto compile rules** feature on this 3.2.0 or is this a need to update some perl mods Pretty standard 3.2.0 install upgraded from 3.1.8 I got some hits on this from recent and although I have been following I do not recall the answers other than the obvious temporary removal of the SARE sets. Thanks - rh -- Abba Communications Spokane, WA www.abbacomm.net Bug 3787 addresses this issue. I had the same problem with log files (RHEL 3 with cPanel) and resolved it by upgrading from perl 5.8.7 to perl 5.8.8 via the cPanel perl installer. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3787 Tom Green -- Expertsites, Inc.
RE: Can SpamAssassin delete mails just from certain countries ?
On Wed, May 9, 2007 11:13, Chris wrote: I will look into that - I would prefer the emails from some countries to not even reach my pc in the first place - so bearing that in mind, is procmail still recommended in this instance please ? If your hosting provider offers procmail, yes. The may offer sieve or another filtering/delivery agent. If you have for example, a spam threshold of 5 and an email comes in with a score of 4, what happnes to that email ? I never see it, so I thought they got deleted ? Nothing should happen. That said, it depends on any customisations made by your hosting provider. Just been trying to find this thread on the message boards - but can't seem to be able to find it ? No idea - I'm using an e-mail client, not a web interface.
High FP rate with 3.2 ??
Is anyone else seeing an increased FP rate after upgrading to 3.2? I've got a number of reports coming in like: AXB_XMID_1212, which defaults to 3.899 and was causing a fair amount of legitimate mail to one of our customers to fail Replace 'AXB_XMID_1212' with a handful of other rules with substantial scores and the reports are pretty much all the same. One rule with a high score matching on HAM with a couple of minor low scoring rules pushing the message over the edge. -- Kelsey Cummings - [EMAIL PROTECTED] sonic.net, inc. System Architect 2260 Apollo Way 707.522.1000 Santa Rosa, CA 95407
Re: How to use SpamAssassin from PHP?
On Wed, May 9, 2007 10:10, BG Mahesh wrote: On 5/9/07, Duncan Hill [EMAIL PROTECTED] wrote: On Wed, May 9, 2007 09:36, BG Mahesh wrote: We have tested this on http://cause.greynium.com/spamtest.php We have constructed a Mail header, concatenating $message to $header and passing the contents of $header to the code given above. We have installed the script from rulesemporium to update the cf files. What could we be missing? Are you saying something isn't working? The content should be reported as Spam. The score (when I run from command line is just about 1.0 and required is 5.0). The text in $message have very hardcore words. Shouldn't it be marked as spam? Are we formating the header correctly (i.e. each line is ending with \n)? 'hardcore' words are not necessarily enough to determine that an item is spam. I suggest you start your testing with a real spam mail (and you can find quite a lot of those in places like news.admin.net-abuse.sightings), using the SpamAssassin command line interface. Once you're happy that it scores mail properly, feed the body plus your custom headers to the command line interface. Bear in mind that a good chunk of the SA rules check headers for things like invalid timestamps, spam signs etc, so your effectiveness may be crippled.
RE: Can SpamAssassin delete mails just from certain countries ?
On Wed, May 9, 2007 10:37, Chris wrote: One thing, my hosts say that I'm not able to do this if I'm on shared hosting - are you saying that there's a way to do this on shared hosting please ? Out of the ways that have been kindly recommended here, which one would be the easiest for a comparative newbie to do and for it to still be effective please ? It all depends on the shared hosting. SA never, ever deletes mail, it only assigns scores to it. Talk to the hosting provider, ask if they can enable either of the linked plug-ins. IIRC, the relayclient one adds headers to say where the mail went through, so you can then use header rules in procmail or your mail client to handle that.
3 spamc questions, version 3.2
I just switched from using spamassassin to spamc in our procmail. * is there an equivalent of 'spamassassin -d' for spamc? * spamd is running with '-d -H -s /usr/temp/spamd.log -u esp -r /var/run/spamd.pid' . spamc is running with '-u esp' , which is a normal account. Yet in the log, I am getting the following error/warning messages: Wed May 9 14:12:17 2007 [12597] info: spamd: setuid to esp succeeded Wed May 9 14:22:19 2007 [12597] info: spamd: processing message [EMAIL PROTECTED] for esp:520 Wed May 9 14:12:19 2007 [12597] warn: auto-whitelist: open of auto- whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/esp/.spamassassin/auto-whitelist.lock.nnn.abc.com.12597 for /home/esp/.spamassassin/auto-whitelist.lock: Permission denied * How can I control the verbosity of the logging? thanks,
Re: High FP rate with 3.2 ??
On 5/8/2007 7:18 PM, Kelsey Cummings wrote: Is anyone else seeing an increased FP rate after upgrading to 3.2? I've got a number of reports coming in like: AXB_XMID_1212, which defaults to 3.899 and was causing a fair amount of legitimate mail to one of our customers to fail Replace 'AXB_XMID_1212' with a handful of other rules with substantial scores and the reports are pretty much all the same. One rule with a high score matching on HAM with a couple of minor low scoring rules pushing the message over the edge. #counts AXB_XMID_1212 260s/0h of 19804 corpus (15215s/4589h) 5/10/07 AXB_XMID_1212 -- suggested score: 1.666 (of 5) #counts AXB_XMID_1212 272s/1h of 9297 corpus (4867s/4430h) 05/10/07 AXB_XMID_1212 -- suggested score: 1.311 (of 5) I wonder why it was scored so high... score AXB_XMID_1212 3.899 3.899 3.899 3.496 # n=2 JM?
how to fix this again 'malformed UTF-8 character' please...
What do I put in the messages.pm and where do I put it? Thanks. = Kevin W. Gagel Network Administrator Information Technology Services (250) 562-2131 local 448 My Blog: http://mail.cnc.bc.ca/blogs/gagel --- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done on all incoming and outgoing email. Anti-spam information for CNC can be found at http://avas.cnc.bc.ca ---
Re: how to fix this again 'malformed UTF-8 character' please...
What do I put in the messages.pm and where do I put it? Its 'use bytes;' YOu'll have to search back in the archives for a message describing exactly where it goes. Note this isn't a FIX, this is a tempoary WORKAROUND. Loren
Re: how to fix this again 'malformed UTF-8 character' please...
On Wed, May 9, 2007 5:10 pm, Loren Wilton wrote: What do I put in the messages.pm and where do I put it? Its 'use bytes;' YOu'll have to search back in the archives for a message describing exactly where it goes. Note this isn't a FIX, this is a tempoary WORKAROUND. I've been checking all the archives of this list as well as bugzilla and google searches, can't find anything about this. Obviously I'm looking in the wrong place. Also searched my entire hard disk, messages.pm file found (well, I hoped it would be there already). -- Jerry Durand, Durand Interstellar, Inc. Los Gatos, California USA tel: +1 408 356-3886, USA toll free: 1 866 356-3886 web: www.interstellar.com, skype: jerrydurand
Re: how to fix this again 'malformed UTF-8 character' please...
On Wed, May 9, 2007 6:20 pm, Jerry Durand wrote: I've been checking all the archives of this list as well as bugzilla and google searches, can't find anything about this. Obviously I'm looking in the wrong place. Found it, Loren added an s to the file name, that's why I couldn't find it! -- Jerry Durand, Durand Interstellar, Inc. Los Gatos, California USA tel: +1 408 356-3886, USA toll free: 1 866 356-3886 web: www.interstellar.com, skype: jerrydurand
Re: 3 spamc questions, version 3.2
.rp wrote: I just switched from using spamassassin to spamc in our procmail. * is there an equivalent of 'spamassassin -d' for spamc? Do you really mean spamassassin -D? -d does markup stripping, -D does debugging. If so, you can pass -D to spamd, but you'd have to debug everything spamd processes. There is no direct equivalent on spamc, as spamc itself doesn't run any of the rules, it's just a dumb client. * * spamd is running with '-d -H -s /usr/temp/spamd.log -u esp -r /var/run/spamd.pid' . spamc is running with '-u esp' , which is a normal account. Yet in the log, I am getting the following error/warning messages: Wed May 9 14:12:17 2007 [12597] info: spamd: setuid to esp succeeded Wed May 9 14:22:19 2007 [12597] info: spamd: processing message [EMAIL PROTECTED] for esp:520 Wed May 9 14:12:19 2007 [12597] warn: auto-whitelist: open of auto- whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/esp/.spamassassin/auto-whitelist.lock.nnn.abc.com.12597 for /home/esp/.spamassassin/auto-whitelist.lock: Permission denied * How can I control the verbosity of the logging? start spamd with -D * thanks,
Re: Files missing from spamassassin.apache.org
Gary V wrote: I have links to some of the files that used to be in this location: http://spamassassin.apache.org/full/3.1.x/dist/ compare that URL to this one: http://spamassassin.apache.org/full/3.0.x/dist/ Who would know if the files that used to be there will be returned to that location? I can't speak authoritatively on this matter, but really the purpose of that directory is only to provide links to the documentation from the main webpage. It's not intended to provide a browser-interfaced version of the code. If you need to do this, for some reason, the tip of the 3.1 SVN tree can be browsed at: http://svn.apache.org/repos/asf/spamassassin/branches/3.1/ (Note that the svn server is where the README document is linked to from the docs page, but it currently points at the 3.2 branch) However, in general, if you've got questions about what's in your copy of SA, I would refer to the files on your system, not stuff off a website anywhere. Or, at the very least, download the zipfile or tarfile for the same version that you're running and look at that. After all, if you're running 3.1.0, or 3.1.3, or 3.1.anything-but-the-latest-pre-release. that SVN head won't exactly match.
Re: UTF-8/SA WORKAROUND only - NOT - a fix..
Thanks for straightening me out on that Vincent. Folks - for completeness here are some instructions for the WORKAROUND. Locate your Message.pm module and edit the section in the begining as indicated below. I have been running this now for a couple of hours with no adverse affects (that I can see at the moment). PS Thanks [EMAIL PROTECTED] for your help. I'm up and running without any further errors. - Forwarded Message - Vincent, Where in the Message.pm module do I but use bytes? Right here (below) and do I just add it below the warnings line with a ; ending it? Yes, you are right, after use warnings;. I ran SA3.2 on my site with use bytes; added, no problem so far. But it seems SA developers did not mention this, they might have their reasons (break normalize_charset for one reason). ---paste--- package Mail::SpamAssassin::Message; use strict; use warnings; use Mail::SpamAssassin; use Mail::SpamAssassin::Message::Node; use Mail::SpamAssassin::Message::Metadata; use Mail::SpamAssassin::Constants qw(:sa); use Mail::SpamAssassin::Logger; use vars qw(@ISA); ---end paste--- = Vincent Li http://bl0g.blogdns.com = Kevin W. Gagel Network Administrator Information Technology Services (250) 562-2131 local 448 My Blog: http://mail.cnc.bc.ca/blogs/gagel --- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done on all incoming and outgoing email. Anti-spam information for CNC can be found at http://avas.cnc.bc.ca ---
Re: 3 spamc questions, version 3.2
On Wed, 9 May 2007, Matt Kettler wrote: .rp wrote: I just switched from using spamassassin to spamc in our procmail. * is there an equivalent of 'spamassassin -d' for spamc? Do you really mean spamassassin -D? -d does markup stripping, -D does debugging. If so, you can pass -D to spamd, but you'd have to debug everything spamd processes. There is no direct equivalent on spamc, as spamc itself doesn't run any of the rules, it's just a dumb client. * * spamd is running with '-d -H -s /usr/temp/spamd.log -u esp -r /var/run/spamd.pid' . spamc is running with '-u esp' , which is a normal account. Yet in the log, I am getting the following error/warning messages: Wed May 9 14:12:17 2007 [12597] info: spamd: setuid to esp succeeded Wed May 9 14:22:19 2007 [12597] info: spamd: processing message [EMAIL PROTECTED] for esp:520 Wed May 9 14:12:19 2007 [12597] warn: auto-whitelist: open of auto- whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/esp/.spamassassin/auto-whitelist.lock.nnn.abc.com.12597 for /home/esp/.spamassassin/auto-whitelist.lock: Permission denied * How can I control the verbosity of the logging? start spamd with -D You can also control what debugging is to be performed by specifying what channels you want to see: http://wiki.apache.org/spamassassin/DebugChannels?highlight=%28debug%29 * thanks,
RE: Poor performance with v3.2.0
-Original Message- From: Rosenbaum, Larry M. [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 09, 2007 10:10 AM To: users@spamassassin.apache.org Subject: RE: Poor performance with v3.2.0 sa-compile took 3 hours to run. (System is a SunFire v210 with 2 processors and 2 GB ram.) Took 10 mins on my 2.8gh 512mb ram, with a bunch of sares rules. You using .12.0 of re2c? _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _
RE: Poor performance with v3.2.0
On Thu, 10 May 2007, Michael Scheidell wrote: -Original Message- From: Rosenbaum, Larry M. [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 09, 2007 10:10 AM To: users@spamassassin.apache.org Subject: RE: Poor performance with v3.2.0 sa-compile took 3 hours to run. (System is a SunFire v210 with 2 processors and 2 GB ram.) Took 10 mins on my 2.8gh 512mb ram, with a bunch of sares rules. You using .12.0 of re2c? Took about 10 minutes here too on a dual P3 1Ghz with 1 gig of ram using re2c 0.12.0. 27 sare rulesets are used along with the SA updated set and consuming 1.9M.