SA with no score/no tests

2007-05-17 Thread Jerry Durand
Someone had asked about a no tests/no score result; one just popped  
up in my logs, and it even explains why there are no tests.  This  
could be a reason for that sort of result.


May 17 21:26:11 interstellar.com /usr/bin/amavisd[15704]: (15704-02)  
spam_scan: not wasting time on SA, message longer than 409600 bytes:  
1036+1380195
May 17 21:26:11 interstellar.com /usr/bin/amavisd[15704]: (15704-02)  
SPAM-TAG, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, No, score=x  
tagged_above=0 required=2 tests=[]



---
Jerry Durand, Durand Interstellar, Inc.
Los Gatos, California, USA
tel:  +1-408-356-3886, USA Toll Free:  866-356-3886
www.interstellar.com, skype:  jerrydurand
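The two log lines above share the amavisd task id (15704-02), which is what lets you tie the "not wasting time on SA" decision to the score=x / tests=[] tag line. The following is an added example, not code from this thread or from amavisd: it groups constructed log lines (modelled on the excerpt above, with placeholder addresses, each record on one line) by task id and reports why a message carries no score.

```python
import re

# Constructed sample lines modelled on the amavisd excerpt quoted above
# (task id, size limit, sizes and score fields follow the excerpt; addresses are placeholders).
SAMPLE_LOG = """\
May 17 21:26:11 interstellar.com /usr/bin/amavisd[15704]: (15704-02) spam_scan: not wasting time on SA, message longer than 409600 bytes: 1036+1380195
May 17 21:26:11 interstellar.com /usr/bin/amavisd[15704]: (15704-02) SPAM-TAG, <sender@example.invalid> -> <rcpt@example.invalid>, No, score=x tagged_above=0 required=2 tests=[]
May 17 21:27:03 interstellar.com /usr/bin/amavisd[15704]: (15704-03) SPAM-TAG, <other@example.invalid> -> <rcpt@example.invalid>, Yes, score=7.1 tagged_above=0 required=2 tests=[BAYES_99=3.5,URIBL_BLACK=3.6]
"""

# "(pid-seq)" task id followed by the rest of the record
TASK_RE = re.compile(r'amavisd\[\d+\]: \((?P<task>\d+-\d+)\) (?P<msg>.*)$')
# the size-skip decision: limit, header size + body size
SKIP_RE = re.compile(r'not wasting time on SA, message longer than (?P<limit>\d+) bytes: '
                     r'(?P<hdr>\d+)\+(?P<body>\d+)')
# the SPAM-TAG verdict line; score is "x" when SA never ran
TAG_RE = re.compile(r'SPAM-TAG, (?P<from>\S+) -> (?P<to>\S+), (?P<verdict>Yes|No), '
                    r'score=(?P<score>\S+) .*tests=\[(?P<tests>[^\]]*)\]')


def parse_amavis_log(text):
    """Group records by amavisd task id, keeping the size-skip and SPAM-TAG facts."""
    tasks = {}
    for line in text.splitlines():
        m = TASK_RE.search(line)
        if not m:
            continue
        task = tasks.setdefault(m.group("task"), {})
        s = SKIP_RE.search(m.group("msg"))
        if s:
            task["skipped"] = {"limit": int(s.group("limit")),
                               "size": int(s.group("hdr")) + int(s.group("body"))}
        t = TAG_RE.search(m.group("msg"))
        if t:
            task["tag"] = t.groupdict()
    return tasks


def explain_unscored(tasks):
    """Return {task_id: reason} for every SPAM-TAG line whose score is 'x'."""
    reasons = {}
    for task_id, info in tasks.items():
        tag = info.get("tag")
        if not tag or tag["score"] != "x":
            continue
        skip = info.get("skipped")
        if skip:
            reasons[task_id] = "SA skipped: %d bytes > size limit %d" % (skip["size"], skip["limit"])
        else:
            reasons[task_id] = "no score and no size-skip line; check for an SA/amavisd error"
    return reasons


if __name__ == "__main__":
    for task_id, reason in explain_unscored(parse_amavis_log(SAMPLE_LOG)).items():
        print(task_id, reason)
```

Run it over a real log with `parse_amavis_log(open("/var/log/maillog").read())`; every task that was tagged without a score and without a size-skip record is worth a closer look, since that combination is not explained by the size limit.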






Re: Determing source of spam on NAT network

2007-05-17 Thread Matt Kettler
Robert Fitzpatrick wrote:
> We have a mail server that got listed on Outblaze, below is their
> evidence. The IP and reverse DNS points to our NAT firewall. Since that
> is the only received header, is there any way for me to track where this
> came from?
What IPs do you NAT against that IP? All of them? Check your
workstations for backdoors or trojans. Odds are this was directly
generated by a Trojan on a workstation. This is very much the most
popular way to distribute spam, and conventional network layer-3/4
firewalling of inbound traffic is not a useful defense against this
stuff. These backdoors infect through email, downloaded files or
exploits in malicious websites that your workstation downloaded or
tricked you into downloading. Once on the machine, they act like
clients. They use HTTP to download their spam target lists from their
master site, then proceed to start generating SMTP connections out to
the victim sites. It's the same in your network as it is in a cable
modem or DSL home network.

If you can, configure your NAT firewall to only allow your mailserver to
connect to port 25 on outside sites. On most decent firewalls you can do
this with an ACL or rule list at the ingress to your inside interface.
Make your deny rule log the denied packets, and you'll quickly track
down the infected workstation based on the logs. If you need help, post
back to the list mentioning what kind of firewall you have and one of us
might be able to whip up some cookbook examples for you. (I do Cisco
IOS/PIX/ASA, Linux Ipfwadm/chains/tables, OpenBSD PF, and Juniper
Netscreens myself)
>  I check the mail logs on the only mail server on the network
> (postfix) and found nothing...is this spoofing our IP?
>   
*HIGHLY* unlikely. Blind spoofing an IP address for a TCP connection
across the internet is not easy and generally unlikely to succeed. It's
one thing to blind-spoof IPs for connectionless traffic, pings, UDP
packets, etc. However, blind spoofing TCP connections involves guessing
the sequence number generated by the server you're faking a connection to.
It also would rely on your firewall not generating a RST packet upon
getting the SYN-ACK packet before they can advance the sequence number.

Most IP spoofing of TCP connections involves being able to sniff the
packets going both ways. Across the Internet that's highly impractical.
In the "bad old days" of hubbed LANs, you saw lots of IP spoofing inside
the LAN because it was easy. The passive hubs would forward all the
traffic in the network to every computer. Knowing the ISN was easy;
you'd get a copy of the SYN-ACK, even if it wasn't addressed to you.


Re: Determing source of spam on NAT network

2007-05-17 Thread SM

At 09:19 17-05-2007, Robert Fitzpatrick wrote:

We have a mail server that got listed on Outblaze, below is their
evidence. The IP and reverse DNS points to our NAT firewall. Since that
is the only received header, is there any way for me to track where this
came from? I check the mail logs on the only mail server on the network
(postfix) and found nothing...is this spoofing our IP?

Return-Path: <[EMAIL PROTECTED]>
Received: from 66-240-121-10.tpa.fdn.com (66-240-121-10.tpa.fdn.com [66.240.121.10])
by spf3.us4.outblaze.com (Postfix) with SMTP id 3447B1E2CFE


If that IP address is from your network, then the email came from 
it.  It's unlikely that the IP address is spoofed.


There are no log entries as the email bypassed your mail server and 
was sent directly to Outblaze.


If you log outgoing connections, you may be able to track down from 
where the email originated.  It may be from a computer infected with malware.


Regards,
-sm 



RE: Sendmail SMTP auth'd message strange behavior with Botnet and SPF

2007-05-17 Thread Matthew Dickinson
Hi,

A milter is being used:
Spamass-milter-0.3.1

Matthew

-Original Message-
From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]>
To: users@spamassassin.apache.org
Sent: 5/17/07 5:49 PM
Subject: Re: Sendmail SMTP auth'd message strange behavior with Botnet and   SPF

René Berber wrote:

> Looks more like MailScanner to me, not a milter, notice the virus 
> scan... and MS does include the full received headers.  But your point 
> is valid, that could be the cause of the problem in some cases.

The virus scan looks like it's compliments of clamav-milter to me. :)

Daryl



Re: Sendmail SMTP auth'd message strange behavior with Botnet and SPF

2007-05-17 Thread Daryl C. W. O'Shea

René Berber wrote:

Looks more like MailScanner to me, not a milter, notice the virus 
scan... and MS does include the full received headers.  But your point 
is valid, that could be the cause of the problem in some cases.


The virus scan looks like it's compliments of clamav-milter to me. :)

Daryl


Re: Sendmail SMTP auth'd message strange behavior with Botnet and SPF

2007-05-17 Thread René Berber

Daryl C. W. O'Shea wrote:


René Berber wrote:

Matthew Dickinson wrote:

When sending messages from clients using SMTP Auth to a server 
running sendmail, I'm seeing issues with SPF and Botnet thinking 
these messages are spam-like - I'm not sure if this issue lays with 
SA or with sendmail itself.


The issue is with SA, sendmail is an innocent bystander.


There's no evidence of that.  In fact there's evidence of the contrary. 
 Since the X-Spam header fields were appended to the bottom of the 
header they were added by a milter and not SA.  It's quite likely that 
they were added by a milter like spamass-milter that isn't providing SA 
with the auth info it needs to extend trust accordingly.


Looks more like MailScanner to me, not a milter, notice the virus scan... and MS 
does include the full received headers.  But your point is valid, that could be 
the cause of the problem in some cases.



SA: do you have trusted_networks set correctly?


In the case of auth'd connections from unknown in advance IPs it's up to 
whatever passes the message to SpamAssassin to provide the appropriate 
auth info.  trusted_networks only needs to be configured to include the 
server that the auth'd user/device/whatever connects to.


Correct, my observation was ambiguous, I meant that the server should be 
included in the trusted_networks, not the client.

--
René Berber



Re: Sendmail SMTP auth'd message strange behavior with Botnet and SPF

2007-05-17 Thread Daryl C. W. O'Shea

René Berber wrote:

Matthew Dickinson wrote:

When sending messages from clients using SMTP Auth to a server running 
sendmail, I'm seeing issues with SPF and Botnet thinking these 
messages are spam-like - I'm not sure if this issue lays with SA or 
with sendmail itself.


The issue is with SA, sendmail is an innocent bystander.


There's no evidence of that.  In fact there's evidence of the contrary. 
 Since the X-Spam header fields were appended to the bottom of the 
header they were added by a milter and not SA.  It's quite likely that 
they were added by a milter like spamass-milter that isn't providing SA 
with the auth info it needs to extend trust accordingly.




SA: do you have trusted_networks set correctly?


In the case of auth'd connections from unknown in advance IPs it's up to 
whatever passes the message to SpamAssassin to provide the appropriate 
auth info.  trusted_networks only needs to be configured to include the 
server that the auth'd user/device/whatever connects to.



Daryl


RE: Sendmail SMTP auth'd message strange behavior with Botnet and SPF

2007-05-17 Thread Matthew Dickinson
Hi,

I believe I have things set:

(yes, this many are trusted)
trusted_networks 128.206/16 

botnet_pass_auth 1

Will run through debug,

Matthew

> -Original Message-
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of René Berber
> Sent: Thursday, May 17, 2007 17:00
> To: users@spamassassin.apache.org
> Subject: Re: Sendmail SMTP auth'd message strange behavior with Botnet and SPF
> 
> Matthew Dickinson wrote:
> 
> > When sending messages from clients using SMTP Auth to a server running
> > sendmail, I'm seeing issues with SPF and Botnet thinking these messages are
> > spam-like - I'm not sure if this issue lays with SA or with sendmail itself.
> 
> The issue is with SA, sendmail is an innocent bystander.
> 
> SA: do you have trusted_networks set correctly?
> 
> Botnet: do you have "botnet_pass_auth  1" set?
> 
> SPF shouldn't have triggered, looks like a problem with trusted_networks.
> 
> The best way to figure this out is by running `spamassassin -x -D -t < test.eml`
> and look for the trusted pseudo-headers (X-Spam-Relays-Untrusted,
> X-Spam-Relays-Internal, X-Spam-Relays-External) and lines like:
> 
> [824] dbg: received-header: relay 200.52.129.137 trusted? yes internal? yes
> 
> 
> > The below message is sent from a (broken) Cingular 8125 phone, hence the no
> > RDNS.
> >
> > Matthew
> >
> > Received: from Inbox ([166.216.69.130]) (authenticated bits=0) by
> > server.domain.org (8.12.11.20060308/8.12.11) with ESMTP id l4HJRKUm015411
> > (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for
> > <[EMAIL PROTECTED]>; Thu, 17 May 2007 14:27:29 -0500
> > Message-Id: <[EMAIL PROTECTED]>
> > MIME-Version: 1.0
> > From: Matthew Dickinson <[EMAIL PROTECTED]>
> > Subject: Test message
> > Date: Thu, 17 May 2007 14:28:00 -0500
> > Importance: normal
> > X-Priority: 3
> > To: <[EMAIL PROTECTED]>
> > Content-Type: text/plain; charset="iso-8859-1"
> > X-Virus-Scanned: ClamAV version 0.88.7, clamav-milter version 0.88.7 on server.domain.org
> > X-Virus-Status: Clean
> > X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,BAYES_50,BOTNET,
> >  BOTNET_NORDNS,DKIM_POLICY_SIGNSOME,DK_POLICY_SIGNSOME,MISSING_MID,RDNS_NONE,
> >  SPF_FAIL shortcircuit=no autolearn=no version=3.2.0
> > X-Spam-Level: **
> > X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on server.domain.org
> > Content-Transfer-Encoding: 8bit
> > X-MIME-Autoconverted: from quoted-printable to 8bit by server.domain.org id l4HJRKUm015411
> --
> René Berber



Re: Sendmail SMTP auth'd message strange behavior with Botnet and SPF

2007-05-17 Thread René Berber

Matthew Dickinson wrote:

When sending messages from clients using SMTP Auth to a server running 
sendmail, I'm seeing issues with SPF and Botnet thinking these messages are 
spam-like - I'm not sure if this issue lays with SA or with sendmail itself.


The issue is with SA, sendmail is an innocent bystander.

SA: do you have trusted_networks set correctly?

Botnet: do you have "botnet_pass_auth  1" set?

SPF shouldn't have triggered, looks like a problem with trusted_networks.

The best way to figure this out is by running `spamassassin -x -D -t < test.eml`
and look for the trusted pseudo-headers (X-Spam-Relays-Untrusted, 
X-Spam-Relays-Internal, X-Spam-Relays-External) and lines like:


[824] dbg: received-header: relay 200.52.129.137 trusted? yes internal? yes


The below message is sent from a (broken) Cingular 8125 phone, hence the no 
RDNS.


Matthew

Received: from Inbox ([166.216.69.130]) (authenticated bits=0) by
server.domain.org (8.12.11.20060308/8.12.11) with ESMTP id l4HJRKUm015411
(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for
<[EMAIL PROTECTED]>; Thu, 17 May 2007 14:27:29 -0500
Message-Id: <[EMAIL PROTECTED]>
MIME-Version: 1.0
From: Matthew Dickinson <[EMAIL PROTECTED]>
Subject: Test message
Date: Thu, 17 May 2007 14:28:00 -0500
Importance: normal
X-Priority: 3
To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"
X-Virus-Scanned: ClamAV version 0.88.7, clamav-milter version 0.88.7 on server.domain.org
X-Virus-Status: Clean
X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,BAYES_50,BOTNET,
 BOTNET_NORDNS,DKIM_POLICY_SIGNSOME,DK_POLICY_SIGNSOME,MISSING_MID,RDNS_NONE,
 SPF_FAIL shortcircuit=no autolearn=no version=3.2.0
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on server.domain.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by server.domain.org id l4HJRKUm015411

--
René Berber



Re: Sendmail SMTP auth'd message strange behavior with Botnet and SPF

2007-05-17 Thread Dan Schwartz
Matthew Dickinson wrote:
> Hi,
> 
> When sending messages from clients using SMTP Auth to a server running
> sendmail, I'm seeing issues with SPF and Botnet thinking these messages are
> spam-like - I'm not sure if this issue lays with SA or with sendmail itself.
> 
> 
> The below message is sent from a (broken) Cingular 8125 phone, hence the no
> RDNS.
> 
> Matthew
> 
> Received: from Inbox ([166.216.69.130])
> (authenticated bits=0)
> by server.domain.org (8.12.11.20060308/8.12.11) with ESMTP id
> l4HJRKUm015411
> (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO)
> for <[EMAIL PROTECTED]>; Thu, 17 May 2007 14:27:29 -0500
> Message-Id: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> From: Matthew Dickinson <[EMAIL PROTECTED]>
> Subject: Test message
> Date: Thu, 17 May 2007 14:28:00 -0500
> Importance: normal
> X-Priority: 3
> To: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
> X-Virus-Scanned: ClamAV version 0.88.7, clamav-milter version 0.88.7 on
> server.domain.org
> X-Virus-Status: Clean
> X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,BAYES_50,BOTNET,
>  
> BOTNET_NORDNS,DKIM_POLICY_SIGNSOME,DK_POLICY_SIGNSOME,MISSING_MID,RDNS_NONE,
> SPF_FAIL shortcircuit=no autolearn=no version=3.2.0
> X-Spam-Level: **
> X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on server.domain.org
> Content-Transfer-Encoding: 8bit
> X-MIME-Autoconverted: from quoted-printable to 8bit by server.domain.org id
> l4HJRKUm015411
> 

Hi Matthew -

I just fixed my copy of spamass-milter to bypass spamassassin for
authenticated messages, and I'm wondering if you are running into the
same problem.  There was a bypass patch posted for it in 2004 on the
spamass-milt-list mailing list.  See -
http://lists.nongnu.org/archive/html/spamass-milt-list/2004-03/msg8.html

One problem is that spamass-milter doesn't pass the whole received line
to spamassassin, so it never sees the part of the line with
(authenticated bits=0).

Dan Schwartz
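René's debug advice (look at what SA reports for each relay: trusted? internal?) and Dan's observation (spamass-milter hands SA a Received line without the "(authenticated bits=0)" part) are two views of the same decision. The block below is an added example, not code from this thread, from SpamAssassin or from spamass-milter: it parses the Received header quoted in this thread both with and without the auth clause and applies a deliberately simplified model of the trust decision (a relay is trusted if its IP is in trusted_networks, or if a trusted server reports the connection as authenticated). The trusted_networks value is the one Matthew posted; the address assumed for server.domain.org is constructed.

```python
import re
import ipaddress

# Received header as posted in this thread (client IP, server name and sendmail id as quoted).
RECEIVED_FULL = ("from Inbox ([166.216.69.130]) (authenticated bits=0) by server.domain.org "
                 "(8.12.11.20060308/8.12.11) with ESMTP id l4HJRKUm015411 "
                 "(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO)")
# The same header with the "(authenticated bits=0)" clause dropped: what a glue layer
# that truncates the Received line would hand to SpamAssassin (constructed).
RECEIVED_TRUNCATED = ("from Inbox ([166.216.69.130]) by server.domain.org "
                      "(8.12.11.20060308/8.12.11) with ESMTP id l4HJRKUm015411")

# trusted_networks as posted in the thread: the server side only, never the roaming client.
TRUSTED_NETWORKS = [ipaddress.ip_network("128.206.0.0/16")]
# Hypothetical address for server.domain.org (constructed; in SA this comes from the
# next Received header up the chain, not from DNS).
SERVER_ADDR = {"server.domain.org": ipaddress.ip_address("128.206.1.25")}

# from <helo> ([<ip>]) [(authenticated ...)] by <host>
RELAY_RE = re.compile(
    r'from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s*'
    r'(?P<auth>\(authenticated[^)]*\))?\s*by\s+(?P<by>\S+)')


def parse_relay(received):
    """Extract helo, connecting IP, receiving host and the sendmail auth marker."""
    m = RELAY_RE.search(received)
    if not m:
        raise ValueError("unparsable Received header")
    return {"helo": m.group("helo"), "ip": ipaddress.ip_address(m.group("ip")),
            "by": m.group("by"), "auth": bool(m.group("auth"))}


def classify_relay(relay):
    """Simplified model of the trust decision (not SpamAssassin's own code):
    trusted if the IP is in trusted_networks, or if a trusted host reports the
    connection as authenticated, which extends trust to the client."""
    ip_trusted = any(relay["ip"] in net for net in TRUSTED_NETWORKS)
    by_addr = SERVER_ADDR.get(relay["by"])
    by_trusted = by_addr is not None and any(by_addr in net for net in TRUSTED_NETWORKS)
    trusted = ip_trusted or (relay["auth"] and by_trusted)
    return {"ip": str(relay["ip"]), "auth_seen": relay["auth"], "trusted": trusted,
            # client-origin checks (SPF on the connecting IP, rDNS/Botnet style tests)
            # only apply to relays that end up untrusted
            "client_origin_checks_apply": not trusted}


if __name__ == "__main__":
    for label, hdr in (("full", RECEIVED_FULL), ("truncated", RECEIVED_TRUNCATED)):
        r = classify_relay(parse_relay(hdr))
        print("%-9s relay %s trusted? %s  SPF/rDNS checks apply? %s"
              % (label, r["ip"], "yes" if r["trusted"] else "no",
                 "yes" if r["client_origin_checks_apply"] else "no"))
```

The truncated header is classified untrusted, so SPF and rDNS-based tests run against the phone's IP, which matches the SPF_FAIL, BOTNET and RDNS_NONE hits in the posted X-Spam-Status line; the full header is classified trusted. Whatever calls SpamAssassin has to pass the complete Received line (or the auth information some other way) for the second outcome.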



Re: Lint results question

2007-05-17 Thread Loren Wilton
The first line is either invalid or requires a plugin that isn't enabled.  You 
should probably check on that to see what is going on.

The second one is only complaining about a long description for what appears to 
be a local rule, and is no particular concern.

Loren
  - Original Message - 
  From: Clay Davis 
  To: users@spamassassin.apache.org 
  Sent: Thursday, May 17, 2007 12:31 PM
  Subject: Lint results question


  Should I be concerned with the following as a result of "--lint -D"?

  config: SpamAssassin failed to parse line, skipping: check_mx_delay  5
  warning: description for FS_START_DOYOU2 is over 50 chars

  Thanks,
  Clay

Re: Lint results question

2007-05-17 Thread Craig Carriere

In my humble opinion, no.  What you are seeing is a warning from SA
that the author of that rule has been too verbose in their description
section.  SA has gotten more strict with many aspects of rules format
over the past several releases.  The warning is not an indication that
the rule will not be called.

Clay Davis wrote:

> Should I be concerned with the following as a result of "--lint -D"?
>
> config: SpamAssassin failed to parse line, skipping: check_mx_delay  5
> warning: description for FS_START_DOYOU2 is over 50 chars
>
> Thanks,
> Clay






Sendmail SMTP auth'd message strange behavior with Botnet and SPF

2007-05-17 Thread Matthew Dickinson

Hi,

When sending messages from clients using SMTP Auth to a server running
sendmail, I'm seeing issues with SPF and Botnet thinking these messages are
spam-like - I'm not sure if this issue lays with SA or with sendmail itself.


The below message is sent from a (broken) Cingular 8125 phone, hence the no
RDNS.

Matthew

Received: from Inbox ([166.216.69.130])
(authenticated bits=0)
by server.domain.org (8.12.11.20060308/8.12.11) with ESMTP id
l4HJRKUm015411
(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO)
for <[EMAIL PROTECTED]>; Thu, 17 May 2007 14:27:29 -0500
Message-Id: <[EMAIL PROTECTED]>
MIME-Version: 1.0
From: Matthew Dickinson <[EMAIL PROTECTED]>
Subject: Test message
Date: Thu, 17 May 2007 14:28:00 -0500
Importance: normal
X-Priority: 3
To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"
X-Virus-Scanned: ClamAV version 0.88.7, clamav-milter version 0.88.7 on
server.domain.org
X-Virus-Status: Clean
X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,BAYES_50,BOTNET,
 
BOTNET_NORDNS,DKIM_POLICY_SIGNSOME,DK_POLICY_SIGNSOME,MISSING_MID,RDNS_NONE,
SPF_FAIL shortcircuit=no autolearn=no version=3.2.0
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on server.domain.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by server.domain.org id
l4HJRKUm015411




Lint results question

2007-05-17 Thread Clay Davis
Should I be concerned with the following as a result of "--lint -D"?
 
config: SpamAssassin failed to parse line, skipping: check_mx_delay  5
warning: description for FS_START_DOYOU2 is over 50 chars
 
Thanks,
Clay


Re: Can you use spamassassian as an access control list?

2007-05-17 Thread Daniel Aquino

I would think that should be done by the MTA, but if you have non-local
users and would like to check an LDAP database or something
external, you could use a filter, something like a milter in Sendmail...


Re: AWL File Locking - Permission Denied

2007-05-17 Thread Luis Hernán Otegui

You should probably start by checking file permissions on the dir the awl
sits in, and its parent...



Luix

2007/5/17, Daniel Aquino <[EMAIL PROTECTED]>:

I seem to see this message a lot...

warn: auto-whitelist: open of auto-whitelist file failed: locker:
safe_lock: cannot create lockfile
/var/spool/MD-Databases/auto-whitelist.mutex: Permission denied

If I delete my databases altogether it creates it fine...
But once it's created then it keeps giving the above error...

Only relevant option that may affect this in my local.cf is:

lock_method flock

Any idea about this warning or how I can get rid of it ?




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Re: Determing source of spam on NAT network

2007-05-17 Thread Theo Van Dinter
On Thu, May 17, 2007 at 12:19:39PM -0400, Robert Fitzpatrick wrote:
> We have a mail server that got listed on Outblaze, below is their
> evidence. The IP and reverse DNS points to our NAT firewall. Since that
> is the only received header, is there any way for me to track where this
> came from? I check the mail logs on the only mail server on the network
> (postfix) and found nothing...is this spoofing our IP?

If you use NAT, and allow client machines to directly go out to port 25, then
it's probably one of your clients.  How to track backwards to figure out which
client is likely difficult, unless you have something in place specifically to
track Internet usage from client machines (firewall logs, etc.)

IMO, if you're a company (and not an ISP type of company), unless there's
a reason to allow it, deny traffic outbound to port 25, at least from
non-server machines.  (optionally, track down the systems which then
try to connect out and find out why.)

-- 
Randomly Selected Tagline:
Monogamous and monotonous are synonymous.
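Both Matt Kettler's and Theo Van Dinter's replies on this thread come down to the same control: let only the mail server out on tcp/25, log what the deny rule drops, and read the inside source addresses off those logs. The block below is an added example, not code from this thread: the constructed log lines imitate a Linux netfilter LOG target with a hypothetical "EGRESS-SMTP-DENY: " prefix, the addresses are documentation ranges, and the mail server address is made up. It counts denied outbound port-25 attempts per inside host and flags hosts fanning out to many distinct destinations, which is the bot pattern rather than a client pointed at a single relay.

```python
import re
from collections import Counter

# Rules of the kind the thread describes, for reference (iptables syntax; run on the
# firewall, not part of this script):
#   iptables -A FORWARD -s 192.168.10.5 -p tcp --dport 25 -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "EGRESS-SMTP-DENY: "
#   iptables -A FORWARD -p tcp --dport 25 -j DROP

# Constructed log lines in netfilter LOG style; only SRC, DST, PROTO and DPT are used.
SAMPLE_FIREWALL_LOG = """\
May 17 21:26:11 fw kernel: EGRESS-SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=198.51.100.20 PROTO=TCP SPT=3412 DPT=25 SYN
May 17 21:26:12 fw kernel: EGRESS-SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=198.51.100.21 PROTO=TCP SPT=3413 DPT=25 SYN
May 17 21:26:12 fw kernel: EGRESS-SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=203.0.113.9 PROTO=TCP SPT=3414 DPT=25 SYN
May 17 21:26:15 fw kernel: EGRESS-SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=203.0.113.40 PROTO=TCP SPT=51022 DPT=25 SYN
May 17 21:26:20 fw kernel: EGRESS-SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=198.51.100.77 PROTO=TCP SPT=3415 DPT=25 SYN
"""

MAILSERVER = "192.168.10.5"  # the one inside host allowed out on tcp/25 (constructed)

LOG_RE = re.compile(r'SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) '
                    r'PROTO=TCP .*DPT=25\b')


def denied_smtp_by_host(text):
    """Per inside host: number of denied outbound tcp/25 attempts and distinct destinations."""
    attempts = Counter()
    destinations = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("src") == MAILSERVER:
            continue
        attempts[m.group("src")] += 1
        destinations.setdefault(m.group("src"), set()).add(m.group("dst"))
    return {src: {"attempts": n, "distinct_dst": len(destinations[src])}
            for src, n in attempts.items()}


def suspects(text, min_distinct_dst=3):
    """Hosts connecting to many different MX addresses look like spam bots; a
    misconfigured mail client usually talks to one relay."""
    stats = denied_smtp_by_host(text)
    return sorted(src for src, s in stats.items() if s["distinct_dst"] >= min_distinct_dst)


if __name__ == "__main__":
    for src, s in sorted(denied_smtp_by_host(SAMPLE_FIREWALL_LOG).items()):
        print("%-16s attempts=%d distinct_dst=%d" % (src, s["attempts"], s["distinct_dst"]))
    print("suspects:", suspects(SAMPLE_FIREWALL_LOG))
```

The one-attempt host (192.168.10.12 in the sample) is worth a look too, but it is the fan-out host that matches the behaviour Matt describes: a client pulling target lists and opening SMTP connections to many victim sites.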




Re: Can you use spamassassian as an access control list?

2007-05-17 Thread Evan Platt

At 09:41 AM 5/17/2007, Duane Hill wrote:
That sounds like it would be better suited for your MUA or for 
something like procmail.


I believe the MTA is where the decision making would be done.


Yeahh.. That's the ticket.

Didn't get much sleep last night. Maybe I should just go home. 



Re: Can you use spamassassian as an access control list?

2007-05-17 Thread Duane Hill

On Thu, 17 May 2007, Evan Platt wrote:


At 09:15 AM 5/17/2007, jmp242 wrote:


Is it possible to have spamassassian only parse a small ruleset that is
basically a whitelist for allowing e-mails?
Specifically, can you specify a to address and say only allow e-mail from
these addresses?
And if the e-mail isn't addressed to one of the specified to addresses, do
no filtering?


Unless I'm mistaken, you cannot. You can whitelist addresses, but if you pass 
them to SpamAssassin, they will be scanned.


You are not mistaken.

That sounds like it would be better suited for your MUA or for something like 
procmail.


I believe the MTA is where the decision making would be done.


Re: Can you use spamassassian as an access control list?

2007-05-17 Thread Evan Platt

At 09:15 AM 5/17/2007, jmp242 wrote:


Is it possible to have spamassassian only parse a small ruleset that is
basically a whitelist for allowing e-mails?
Specifically, can you specify a to address and say only allow e-mail from
these addresses?
And if the e-mail isn't addressed to one of the specified to addresses, do
no filtering?


Unless I'm mistaken, you cannot. You can whitelist addresses, but if 
you pass them to SpamAssassin, they will be scanned.


That sounds like it would be better suited for your MUA or for 
something like procmail. 



Can you use spamassassian as an access control list?

2007-05-17 Thread jmp242

Is it possible to have spamassassian only parse a small ruleset that is
basically a whitelist for allowing e-mails?
Specifically, can you specify a to address and say only allow e-mail from
these addresses?
And if the e-mail isn't addressed to one of the specified to addresses, do
no filtering?



AWL File Locking - Permission Denied

2007-05-17 Thread Daniel Aquino

I seem to see this message a lot...

warn: auto-whitelist: open of auto-whitelist file failed: locker:
safe_lock: cannot create lockfile
/var/spool/MD-Databases/auto-whitelist.mutex: Permission denied

If I delete my databases altogether it creates it fine...
But once it's created then it keeps giving the above error...

Only relevant option that may affect this in my local.cf is:

lock_method flock

Any idea about this warning or how I can get rid of it ?


Re: Bayes Auto Learn

2007-05-17 Thread Matt Kettler
Daniel Aquino wrote:
> Is spam assassin smart enough to not auto-learn (bayesian) spam if the
> default tests "allready" detect it as spam... ?  
No, in fact, that's exactly what you DO NOT want to do.

Bayes training is not applicable to just one message. Bits learned from
one spam get applied to other spams.

> What I'm wondering is
> if the other tests have allready deemed it to be spam, then why would
> you want to increase the size of your bayesian db...
You won't increase the size of the bayes DB.. SA automatically prunes
tokens that haven't been used recently in order to keep the token count
below a specified limit. (see the conf docs)
> Bayesian I
> believe would be better applied to messages that appear to be slipping
> past the other tests...
That is purely misguided. It is certainly more important to get to
training messages that are missed, but at the same time it is also
important to train fresh spam that is caught.

You have to consider that spam is a mutating thing. Even if a spam is
caught, and even if it already hits BAYES_99, it can still contain new
tokens caused by these mutations.

So, if you avoid training the new mutations, and wait until there are
enough mutations that that family of spam starts getting missed, you'll
have to play catch-up.

On the other hand, if you consistently train spam, as they mutate they
will continue to have high bayes scores, and likely never get missed at all.


Re: spam acl condition: cannot parse spamd output

2007-05-17 Thread Matt Kettler
Ronan McGlue wrote:
> Since upgrading to 3.2 I have been getting regular messages in
> exim's panic log.
>
>
> 2007-05-17 02:16:03 1HoVX0-0002df-PP spam acl condition: cannot parse
> spamd output
>
> anyone else seen this or know any reasons why it happens?

Looks like exim is directly parsing spamd's output and doesn't
understand it. This is apparently a recurring problem:

http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20060821/msg00079.html



spam acl condition: cannot parse spamd output

2007-05-17 Thread Ronan McGlue
Since upgrading to 3.2 I have been getting regular messages in 
exim's panic log.



2007-05-17 02:16:03 1HoVX0-0002df-PP spam acl condition: cannot parse 
spamd output


anyone else seen this or know any reasons why it happens?
R

Regards

Ronan McGlue

===
Analyst / Programmer
Queens University Belfast


Re: FH_HOST_EQ_D_D_D_D

2007-05-17 Thread Duncan Hill
On Thu, May 17, 2007 09:00, fRANz wrote:

>> From the FVGT ruleset (Fred):
>> header   FH_HOST_EQ_D_D_D_D X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /
>> describe FH_HOST_EQ_D_D_D_D Host starts with d-d-d-d
>> score    FH_HOST_EQ_D_D_D_D 0.665
>
> Yep, 'Host starts with d-d-d-d' is also in the wiki description, I see
> it...
>
> Below is a session header that tested positive for FH_HOST_EQ_D_D_D_D.
> Which host in these headers is the FH_HOST_EQ_D_D_D_D one?

X-Spam-Relays-Untrusted is a SA internal variable.  Run the message
through in debug mode and you can see what it thinks.



Re: FH_HOST_EQ_D_D_D_D

2007-05-17 Thread fRANz

On 5/17/07, Duncan Hill <[EMAIL PROTECTED]> wrote:

Hi Duncan,
thank you for your reply.

> Hint: grep is your friend when searching your rule files.
>
> From the FVGT ruleset (Fred):
> header   FH_HOST_EQ_D_D_D_D X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /
> describe FH_HOST_EQ_D_D_D_D Host starts with d-d-d-d
> score    FH_HOST_EQ_D_D_D_D 0.665

Yep, 'Host starts with d-d-d-d' is also in the wiki description, I see it...

Below is a session header that tested positive for FH_HOST_EQ_D_D_D_D.
Which host in these headers is the FH_HOST_EQ_D_D_D_D one?


Delivered-To: [EMAIL PROTECTED]
Received: by 10.114.47.13 with SMTP id u13cs67834wau;
   Tue, 15 May 2007 16:05:56 -0700 (PDT)
Received: by 10.90.25.3 with SMTP id 3mr7096331agy.1179270355960;
   Tue, 15 May 2007 16:05:55 -0700 (PDT)
Return-Path: <[EMAIL PROTECTED]>
Received: from mail.foo.bar (adsl-144-8.38-151.net24.it [151.38.8.144])
   by mx.google.com with ESMTP id 13si1739896wrl.2007.05.15.16.05.52;
   Tue, 15 May 2007 16:05:55 -0700 (PDT)
Received-SPF: neutral (google.com: 151.38.8.144 is neither permitted
nor denied by best guess record for domain of [EMAIL PROTECTED])
Received: by mail.foo.bar (Postfix, from userid 30)
   id 62815178C9; Wed, 16 May 2007 01:05:50 +0200 (CEST)
Date: Wed, 16 May 2007 01:05:50 +0200
To: [EMAIL PROTECTED]
From: info <[EMAIL PROTECTED]>
Subject: xxx
X-Priority: 3
X-Mailer: PHPMailer
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <[EMAIL PROTECTED]>


Thank you,
-f
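The rule quoted in this exchange does not look at the raw Received headers at all; it matches the X-Spam-Relays-Untrusted pseudo-header, where each untrusted relay appears as a bracketed group of key=value fields and the rdns= field holds the reverse DNS name of the connecting host. The block below is an added example, not code from this thread or from the FVGT ruleset: it applies the quoted regex to a pseudo-header string built from the relay in the headers above, assuming (as the regex itself assumes) that the net24.it ADSL host is the first untrusted relay; the exact field layout of the pseudo-header is assumed from SpamAssassin's debug output, and the control relay is constructed.

```python
import re

# The FH_HOST_EQ_D_D_D_D pattern as quoted from the FVGT ruleset in this thread:
# four 1-3 digit groups separated by non-digits somewhere inside the rdns= value
# of the first (outermost) untrusted relay.
FH_HOST_EQ_D_D_D_D = re.compile(
    r'^[^\]]+ rdns=[^ ]+\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ ')


def relays_pseudo_header(relays):
    """Build an X-Spam-Relays-Untrusted style string: one "[ k=v k=v ... ]" group per
    relay, first untrusted relay first (layout assumed from SA debug output)."""
    return " ".join("[ " + " ".join("%s=%s" % (k, v) for k, v in r.items()) + " ]"
                    for r in relays)


def hits_fh_host_eq_d_d_d_d(relays):
    """Return the rdns of the relay the rule matched on, or None if it would not fire."""
    if not relays:
        return None
    if FH_HOST_EQ_D_D_D_D.match(relays_pseudo_header(relays)):
        return relays[0].get("rdns")
    return None


# Constructed from the Received header quoted above: the ADSL host is taken to be the
# first untrusted relay (mx.google.com and the fetching hosts being on the trusted side).
SAMPLE_RELAYS = [{"ip": "151.38.8.144", "rdns": "adsl-144-8.38-151.net24.it",
                  "helo": "mail.foo.bar", "by": "mx.google.com", "ident": "",
                  "envfrom": "", "intl": "0", "id": "13si1739896wrl", "auth": "", "msa": "0"}]

# Control case (constructed): an rdns name without four digit groups.
CONTROL_RELAYS = [{"ip": "192.0.2.10", "rdns": "mail.example.invalid",
                   "helo": "mail.example.invalid", "by": "mx.example.invalid", "intl": "0"}]


if __name__ == "__main__":
    print(relays_pseudo_header(SAMPLE_RELAYS))
    print("matched rdns:", hits_fh_host_eq_d_d_d_d(SAMPLE_RELAYS))
    print("control:", hits_fh_host_eq_d_d_d_d(CONTROL_RELAYS))
```

So the host the rule fired on is adsl-144-8.38-151.net24.it, the reverse name of 151.38.8.144: the "d-d-d-d" is the 144-8.38-151 embedded in the name, which is typical of consumer DSL pools. Running the message through `spamassassin -D` shows the pseudo-header SA actually built, which is the authoritative way to confirm which relay it tested.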


Re: FH_HOST_EQ_D_D_D_D

2007-05-17 Thread Duncan Hill
On Thu, May 17, 2007 08:21, fRANz wrote:
> Hi.
>
>
> Some mails are positive for this test.
> In the wiki section, I can't find any information about it.
> Could someone explain to me what it means?!
>
>
> Regards,
> -f
>
>
Hint: grep is your friend when searching your rule files.

From the FVGT ruleset (Fred):
header   FH_HOST_EQ_D_D_D_D X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]+\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^0-9]\d{1,3}[^ ]+ /
describe FH_HOST_EQ_D_D_D_D Host starts with d-d-d-d
score    FH_HOST_EQ_D_D_D_D 0.665




FH_HOST_EQ_D_D_D_D

2007-05-17 Thread fRANz

Hi.

Some mails are positive for this test.
In the wiki section, I can't find any information about it.
Could someone explain to me what it means?!

Regards,
-f