Re: use of * with available spamassassin tools
In an older episode (Wednesday, 6. June 2007 07:47), bbxrider wrote:

i'm getting my domain spoofed and trying to stop the returns from the spoofed targets coming to my domain and then getting fwded to my default email account. the only thing that's constant and identifiable in the returned header is a variation of the spoofed name like [EMAIL PROTECTED] in the header it's the 'to:' data

Have you considered blocking invalid recipient addresses at the MTA level, before even passing them to SA? Why accept mails and create spamassassin rules for them if the recipient does not exist?

Cheers, wolfgang
Re: Botnet Plugin
Claude Frantz wrote:

The Botnet Plugin is not able to recognize the following sequence:

Another case:

Received: from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1]) by localhost (OrangeSrv.rz.unibw-muenchen.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 12512-05 for [EMAIL PROTECTED]; Tue, 5 Jun 2007 20:24:21 +0200 (CEST)
Received: from akx100.internetdsl.tpnet.pl (school-0.bts.net.pl [81.210.26.53]) by OrangeSrv.rz.unibw-muenchen.de (8.13.7/8.13.7) with ESMTP id l55IOHYs013110 for [EMAIL PROTECTED]; Tue, 5 Jun 2007 20:24:18 +0200
Received: from marcina-komp by qlwc.com with ASMTP id 8CE3E668 for [EMAIL PROTECTED]; Tue, 5 Jun 2007 20:24:58 -
Received: from marcina-komp ([199.123.58.110]) by qlwc.com with ESMTP id 82A06E0E6EC7 for [EMAIL PROTECTED]; Tue, 5 Jun 2007 20:24:58 -

And here the debugging output from SA:

[29806] dbg: Botnet: checking baddns
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: 'school-0.bts.net.pl' resolves
[29806] dbg: Botnet: 'school-0.bts.net.pl' matches '81.210.26.53'
[29806] dbg: Botnet: checking client words
[29806] dbg: Botnet: client words regexp is(((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))|((\b|\d)dhcp(\b|\d))|((\b|\d)dial-?up(\b|\d))|((\b|\d)dip(\b|\d))|((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|((\b|\d)dynamic(\b|\d))|((\b|\d)modem(\b|\d))|((\b|\d)ppp(\b|\d))|((\b|\d)res(net|ident(ial)?)?(\b|\d))|((\b|\d)client(\b|\d))|((\b|\d)fixed(\b|\d))|((\b|\d)pool(\b|\d))|((\b|\d)static(\b|\d))|((\b|\d)user(\b|\d)))\S*\.\S+\.\S+$
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking server words
[29806] dbg: Botnet: server words regexp is(((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))|((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d)))\S*\.\S+\.\S+$
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking ip in hostname
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking nordns
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'

-- You will find the CA certificate and the CRL here: http://www.unibw.de/certs
Re: USER_IN_WHITELIST and autolearn
[EMAIL PROTECTED] says...

Alexis Manning wrote:

It seems that if USER_IN_WHITELIST is triggered then the message won't be auto-learned.

That is incorrect, however USER_IN_WHITELIST does not count toward any autolearning decisions.

[...]

As far as the autolearner is concerned, this message scored 0.001. (BAYES_50 doesn't count either, to avoid bayes self-feeding.).

Matt, thanks very much for the comprehensive reply. Off to read about AutoLearnThreshold now :)

Cheers,
-- A.
sa-update
Hi!

Below the debug output of my sa-update - what about these ('require' failed) lines - do I have to install Perl modules to get these Spamassassin modules?

Regards, Martin

3694] dbg: logger: adding facilities: all
[3694] dbg: logger: logging level is DBG
[3694] dbg: generic: SpamAssassin version 3.2.0
[3694] dbg: config: score set 0 chosen.
[3694] dbg: dns: no ipv6
[3694] dbg: dns: is Net::DNS::Resolver available? yes
[3694] dbg: dns: Net::DNS version: 0.55
[3694] dbg: generic: sa-update version svn523403
[3694] dbg: generic: using update directory: /var/lib/spamassassin/3.002000
[3694] dbg: diag: perl platform: 5.008008 linux
[3694] dbg: diag: module installed: Digest::SHA1, version 2.10
[3694] dbg: diag: module installed: HTML::Parser, version 3.48
[3694] dbg: diag: module installed: Net::DNS, version 0.55
[3694] dbg: diag: module installed: MIME::Base64, version 3.07
[3694] dbg: diag: module installed: DB_File, version 1.814
[3694] dbg: diag: module installed: Net::SMTP, version 2.29
[3694] dbg: diag: module not installed: Mail::SPF ('require' failed)
[3694] dbg: diag: module installed: Mail::SPF::Query, version 1.997
[3694] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[3694] dbg: diag: module installed: Razor2::Client::Agent, version 2.82
[3694] dbg: diag: module not installed: Net::Ident ('require' failed)
[3694] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[3694] dbg: diag: module installed: IO::Socket::SSL, version 0.97
[3694] dbg: diag: module installed: Compress::Zlib, version 1.35
[3694] dbg: diag: module installed: Time::HiRes, version 1.86
[3694] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)
[3694] dbg: diag: module not installed: Mail::DKIM ('require' failed)
[3694] dbg: diag: module installed: DBI, version 1.50
[3694] dbg: diag: module installed: Getopt::Long, version 2.35
[3694] dbg: diag: module installed: LWP::UserAgent, version 2.033
[3694] dbg: diag: module installed: HTTP::Date, version 1.47
[3694] dbg: diag: module installed: Archive::Tar, version 1.24
[3694] dbg: diag: module installed: IO::Zlib, version 1.04
[3694] dbg: diag: module not installed: Encode::Detect ('require' failed)
[3694] dbg: gpg: Searching for 'gpg'
[3694] dbg: util: current PATH is: /usr/bin:/bin
[3694] dbg: util: executable for gpg was found at /usr/bin/gpg
[3694] dbg: gpg: found /usr/bin/gpg
[3694] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
[3694] dbg: channel: attempting channel updates.spamassassin.org
[3694] dbg: channel: update directory /var/lib/spamassassin/3.002000/updates_spamassassin_org
[3694] dbg: channel: channel cf file /var/lib/spamassassin/3.002000/updates_spamassassin_org.cf
[3694] dbg: channel: channel pre file /var/lib/spamassassin/3.002000/updates_spamassassin_org.pre
[3694] dbg: channel: metadata version = 543064
[3694] dbg: dns: 0.2.3.updates.spamassassin.org = 543064, parsed as 543064
[3694] dbg: channel: current version is 543064, new version is 543064, skipping channel
[3694] dbg: diag: updates complete, exiting with code 1
Re: Problem with sa-update and ImageInfo
Hi,

Luis Hernán Otegui wrote:

That's ok, just threw my two cents... Same thing happened to me, and I tracked it down to the loading twice issue, but I never said I had the truth... Maybe some extra cf file getting loaded from the updates dir? Remember, as updates are present, almost everything gets loaded from there, ruling apart the /usr/share/spamassassin dir and some other cf files as well...

That is what I was thinking might be happening. I put my question to the list in the hope that someone might say whoops! We included a 3.2.0 (which includes ImageInfo by default) in the 3.1.8 channels by mistake... But I guess if that was happening more people would have piped up by now :-)

Luix

2007/6/5, Anthony Peacock [EMAIL PROTECTED]:

Anthony Peacock wrote:

Hi,

Luis Hernán Otegui wrote:

You're probably loading the plugin twice, one from your local.cf or a v3**.pre file, and the other from the ImageInfo.cf. Take out one of the LoadPlugin directives (preferably the one from local.cf or the *.pre files), and everything will go fine.

This isn't a new installation of ImageInfo. That has been working without problem for ages now. As has sa-update. Just recently sa-update has occasionally given this error. Spamassassin on its own does not, and in fact sa-update does not give this error every time.

By the way, I am not disputing your diagnosis, that is undoubtably what is happening. I just don't understand what it is about sa-update that makes it do this only when an update happens.

Luix

2007/6/5, CHIME System Admin [EMAIL PROTECTED]:

Hi,

# spamassassin --version
SpamAssassin version 3.1.8 running on Perl version 5.8.8

# sa-update --version
sa-update version svn507100 running on Perl version 5.8.8

Sa-update command line run via cron

/usr/local/bin/sa-update --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt

Channel file:

updates.spamassassin.org
70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net

Every now and then I get the following errors from the cron job:

Subroutine new redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 98.
Subroutine _get_images redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 223.
Subroutine image_named redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 260.
Subroutine image_count redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 276.
Subroutine pixel_coverage redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 292.
Subroutine image_to_text_ratio redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 308.
Subroutine image_size_exact redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 330.
Subroutine image_size_range redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 346.
Subroutine result_check redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 374.

I haven't been able to repeat these errors when running from the command line, and they don't appear every time the cron job is run. Because of this I suspect that they only appear when there is an update available.

I understand about 3.2.0 including ImageInfo and possible conflicts, but I didn't think this affected 3.1.8. Any thoughts?

-- System Admin CHIME, Royal Free University College Medical School E-Mail: [EMAIL PROTECTED]

-- Anthony Peacock CHIME, Royal Free University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ I'm in shape. - ROUND is a shape

-- Anthony Peacock CHIME, Royal Free University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ A CAT scan should take less time than a PET scan. For a CAT scan, they're only looking for one thing, whereas a PET scan could result in a lot of things.- Carl Princi, 2002/07/19
sa-update gives error
Hi

While running sa-update, I am getting this error :

Use of uninitialized value in eval string at /usr/local/bin/sa-update line 91.
Use of uninitialized value in eval string at /usr/local/bin/sa-update line 92.
Use of uninitialized value in eval string at /usr/local/bin/sa-update line 93.
Use of uninitialized value in eval string at /usr/local/bin/sa-update line 94.
Use of uninitialized value in eval string at /usr/local/bin/sa-update line 95.

and the command terminates. Any help is appreciated ..

Regards
Yadwendra Verma
Re: Problem with sa-update and ImageInfo
Daryl C. W. O'Shea wrote:

Anthony Peacock wrote:

And as I noted above, by the time I see the error from the cron output, running sa-update by hand does not show the problem. It is almost as if it only happens if there really is an update to download.

rm -f /var/lib/spamassassin/3.001008 or wherever and run sa-update manually with debug enabled.

OK, some feedback after a lot of testing.

My original config had placed the ImageInfo plugin in a directory within my SA config dir (/etc/mail/spamassassin/plugins), and used this loadplugin line in v312.pre.

loadplugin Mail::SpamAssassin::Plugin::ImageInfo /etc/mail/spamassassin/plugins/ImageInfo.pm

Using this setup sa-update correctly lints the config prior to updating

[10524] dbg: generic: lint checking site pre files once before attempting channel updates
...
[10832] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from /etc/mail/spamassassin/plugins/ImageInfo.pm
[10832] dbg: plugin: registered Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x95dea6c)

But then gives the following error when checking after downloading an update:

[10832] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from /etc/mail/spamassassin/plugins/ImageInfo.pm
Subroutine new redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 109.
Subroutine _get_images redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 235.
Subroutine image_named redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 272.
Subroutine image_name_regex redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 288.
Subroutine image_count redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 316.
Subroutine pixel_coverage redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 332.
Subroutine image_to_text_ratio redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 348.
Subroutine image_size_exact redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 370.
Subroutine image_size_range redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 386.
Subroutine result_check redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm line 414.
[10832] dbg: plugin: registered Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x9790824)

But, if I move the ImageInfo.pm file into the site plugin directory, the errors go away.

Interestingly, the VBounce and Botnet plugins don't get loaded by sa-update for testing. I think this is because the LoadPlugin lines are actually in the plugin's .cf files and not in a .pre file (that is how they came).

So I seem to have fixed the problem. What I don't understand is why it suddenly started playing up like this. I have been using sa-update and ImageInfo in this way for a long time now, and it is only recently that sa-update started to give these errors. The only major thing that has changed is a Perl upgrade from 5.8.2 to 5.8.8, so it might be that this is what caused the change in behaviour although I can't pin down the start of the problem with the time of the upgrade.

-- Anthony Peacock CHIME, Royal Free University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ A CAT scan should take less time than a PET scan. For a CAT scan, they're only looking for one thing, whereas a PET scan could result in a lot of things.- Carl Princi, 2002/07/19
Building a new mail server with SA - should I use apt-get or cpan?
Hi,

I'm soon to be building two new mailservers which will be running Debian Etch, Qmail, Sophie and SpamAssassin, all plumbed together using Qmail-Scanner.

In the past, we've just installed SpamAssassin via apt-get, however when we need to upgrade it means looking for a backport. I'm thinking of just installing from cpan instead on these new boxes, as the latest version should always be easily available, making upgrades slightly easier.

My only worry is that a cpan upgrade may go horribly wrong, when in the past upgrading to a newer debian package has always been faultless.

Has anyone got any experience with the pros and cons? Or am I worrying too much about nothing?

Cheers, Wilb.

-- Adam Wilbraham - Assistant Systems Administrator TechnoPhobia Limited The Workstation 15 Paternoster Row SHEFFIELD England S1 2BX t: +44 (0)114 2212123 f: +44 (0)114 2212124 e: [EMAIL PROTECTED] w: http://www.technophobia.com/

Registered in England and Wales Company No. 3063669 VAT registration No. 598 7858 42 ISO 9001:2000 Accredited Company No. 21227 ISO 14001:2004 Accredited Company No. E997 ISO 27001:2005 (BS7799) Accredited Company No. IS 508906 Investor in People Certified No. 101507

The contents of this email are confidential to the addressee and are intended solely for the recipients use. If you are not the addressee, you have received this email in error. Any disclosure, copying, distribution or action taken in reliance on it is prohibited and may be unlawful. Any opinions expressed in this email are those of the author personally and not TechnoPhobia Limited who do not accept responsibility for the contents of the message. All email communications, in and out of TechnoPhobia, are recorded for monitoring purposes.
Re: Building a new mail server with SA - should I use apt-get or cpan?
Adam Wilbraham wrote:

Hi,

Hi!

I'm soon to be building two new mailservers which will be running Debian Etch, Qmail, Sophie and SpamAssassin, all plumbed together using Qmail-Scanner. In the past, we've just installed SpamAssassin via apt-get, however

apt-get - aptitude

when we need to upgrade it means looking for a backport. I'm thinking of just installing from cpan instead on these new boxes, as the latest version should always be easily available, making upgrades slightly easier. My only worry is that a cpan upgrade may go horribly wrong, when in the past upgrading to a newer debian package has always been faultless. Has anyone got any experience with the pros and cons? Or am I worrying too much about nothing?

Personally i would prefer the Debian Way if need be with backports. Reason: It works ... ;-).

Cheers, Wilb.

-- Grüsse/Greetings MH Don't send mail to: [EMAIL PROTECTED] --
RE: sa-update
Hi! Below the debug output of my sa-update - what about this ('require' failed) lines - do I have to install Perl modules to get this Spamassassin modules?

I don't see anything in the debug output that indicates that it failed. The missing requires are all optional modules AFAIK, so it all looks like it's working to me. No update was done because the version of the update matched the version already installed.

Bret
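Bret's reading of the debug output can be reproduced mechanically. The following Python script is an added example, not part of any message in this thread and not SpamAssassin code: it parses sa-update debug lines (the sample lines are copied from the output posted in the thread) and reports the modules that failed to load, the per-channel version comparison and the exit code. The function names are hypothetical, and the exit-code meanings are those given in the sa-update documentation.

```python
import re

# Sample lines copied from the sa-update debug output posted in this thread
# (the first line lacks its opening bracket there as well).
SAMPLE_LOG = """\
3694] dbg: logger: adding facilities: all
[3694] dbg: generic: SpamAssassin version 3.2.0
[3694] dbg: diag: module installed: Net::DNS, version 0.55
[3694] dbg: diag: module not installed: Mail::SPF ('require' failed)
[3694] dbg: diag: module installed: Mail::SPF::Query, version 1.997
[3694] dbg: diag: module not installed: Mail::DKIM ('require' failed)
[3694] dbg: channel: attempting channel updates.spamassassin.org
[3694] dbg: channel: metadata version = 543064
[3694] dbg: channel: current version is 543064, new version is 543064, skipping channel
[3694] dbg: diag: updates complete, exiting with code 1
"""

# "[pid] dbg: facility: message"; the opening bracket is optional on purpose.
ENTRY = re.compile(r"^\[?\d+\] dbg: ([\w-]+): (.*)$")
MISSING = re.compile(r"^module not installed: (\S+)")
INSTALLED = re.compile(r"^module installed: (\S+), version (\S+)")
ATTEMPT = re.compile(r"^attempting channel (\S+)")
VERSIONS = re.compile(
    r"^current version is (\d+), new version is (\d+)(, skipping channel)?")
EXIT = re.compile(r"exiting with code (\d+)")

# Exit-code meanings as given in the sa-update documentation.
EXIT_MEANING = {
    0: "an update was downloaded and installed",
    1: "no fresh updates were available",
}


def summarize(log_text):
    """Collect module status, channel versions and exit code from a debug log."""
    summary = {"installed": {}, "missing": [], "channels": [], "exit_code": None}
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        facility, msg = entry.groups()
        if facility == "diag":
            hit = MISSING.match(msg)
            if hit:
                summary["missing"].append(hit.group(1))
                continue
            hit = INSTALLED.match(msg)
            if hit:
                summary["installed"][hit.group(1)] = hit.group(2)
                continue
            hit = EXIT.search(msg)
            if hit:
                summary["exit_code"] = int(hit.group(1))
        elif facility == "channel":
            hit = ATTEMPT.match(msg)
            if hit:
                summary["channels"].append(
                    {"name": hit.group(1), "current": None,
                     "new": None, "skipped": False})
                continue
            hit = VERSIONS.match(msg)
            if hit and summary["channels"]:
                channel = summary["channels"][-1]
                channel["current"] = int(hit.group(1))
                channel["new"] = int(hit.group(2))
                channel["skipped"] = hit.group(3) is not None
    return summary


def explain(summary):
    """Turn a summary into one human-readable line per finding."""
    lines = []
    if summary["missing"]:
        lines.append("modules not installed: " + ", ".join(summary["missing"]))
    for ch in summary["channels"]:
        if ch["current"] is None:
            lines.append(f"{ch['name']}: no version comparison logged")
        elif ch["current"] == ch["new"]:
            lines.append(f"{ch['name']}: installed version {ch['current']} "
                         "matches the published one, nothing to fetch")
        else:
            lines.append(f"{ch['name']}: installed {ch['current']}, "
                         f"published {ch['new']}")
    code = summary["exit_code"]
    if code is not None:
        fallback = "errors occurred" if code >= 4 else "not covered here"
        lines.append(f"exit code {code}: {EXIT_MEANING.get(code, fallback)}")
    return lines


if __name__ == "__main__":
    print("\n".join(explain(summarize(SAMPLE_LOG))))
```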
Re: Problem with sa-update and ImageInfo
Anthony Peacock wrote:

But, if I move the ImageInfo.pm file into the site plugin directory, the errors go away.

Interestingly, the VBounce and Botnet plugins don't get loaded by sa-update for testing. I think this is because the LoadPlugin lines are actually in the plugin's .cf files and not in a .pre file (that is how they came).

So I seem to have fixed the problem. What I don't understand is why it suddenly started playing up like this. I have been using sa-update and ImageInfo in this way for a long time now, and it is only recently that sa-update started to give these errors. The only major thing that has changed is a Perl upgrade from 5.8.2 to 5.8.8, so it might be that this is what caused the change in behaviour although I can't pin down the start of the problem with the time of the upgrade.

Prior to 3.1.7 sa-update didn't try to load any plugins that you configured yourself. 3.1.8 and later will use any .pre files found in your site config directory when attempting to lint updates. 3.1.7 used both the .pre and .cf files with less than optimal results.

Moving the plugin shouldn't have an effect on this. Can you please provide a complete debug output from sa-update demonstrating this?

Thanks,
Daryl
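An audit of loadplugin directives along the lines discussed in this thread, as an added example (not code from the posters or from SpamAssassin): it lists every plugin declared in a site config directory and flags the three conditions raised in the posts, namely a plugin declared more than once, a plugin loaded from an explicit file path in a .pre file, and whether the plugin is declared in a .pre file at all, which per the posts decides whether sa-update's lint loads it. The sample file contents are constructed, the function names are hypothetical, and the flags encode what the posters reported rather than documented SpamAssassin behaviour.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample of a site config directory (file name -> contents).
# The ImageInfo path is the one quoted in the thread; the rest is made up.
SAMPLE_SITE_CONFIG = {
    "v312.pre": (
        "# locally installed plugins\n"
        "loadplugin Mail::SpamAssassin::Plugin::ImageInfo "
        "/etc/mail/spamassassin/plugins/ImageInfo.pm\n"
    ),
    "ImageInfo.cf": (
        "loadplugin Mail::SpamAssassin::Plugin::ImageInfo\n"
        "describe EXAMPLE_RULE constructed placeholder\n"
    ),
    "Botnet.cf": "LoadPlugin Mail::SpamAssassin::Plugin::Botnet Botnet.pm\n",
    "local.cf": "required_score 5.0\n",
}

# Assumption: the directive name is matched case-insensitively, because the
# posts write both "loadplugin" and "LoadPlugin".
LOADPLUGIN = re.compile(r"^\s*loadplugin\s+(\S+)(?:\s+(\S+))?\s*$",
                        re.IGNORECASE)


def read_site_config(directory):
    """Read every .pre and .cf file of a directory into {name: contents}."""
    files = {}
    for path in sorted(Path(directory).iterdir()):
        if path.suffix in (".pre", ".cf") and path.is_file():
            files[path.name] = path.read_text(errors="replace")
    return files


def find_loadplugins(files):
    """Yield (module, plugin_path_or_None, file_name, line_number)."""
    for name in sorted(files):
        for lineno, line in enumerate(files[name].splitlines(), start=1):
            match = LOADPLUGIN.match(line.split("#", 1)[0])  # drop comments
            if match:
                yield match.group(1), match.group(2), name, lineno


def audit(files):
    """Return {module: findings} for all loadplugin directives in files."""
    declared = defaultdict(list)
    for module, plugin_path, name, lineno in find_loadplugins(files):
        declared[module].append((name, lineno, plugin_path))
    report = {}
    for module, entries in declared.items():
        in_pre = [e for e in entries if e[0].endswith(".pre")]
        report[module] = {
            "declared_in": [(name, lineno) for name, lineno, _ in entries],
            # Luis's diagnosis: the same plugin declared in two places.
            "duplicate": len(entries) > 1,
            # Anthony's setup: an explicit .pm path given in a .pre file.
            "explicit_path_in_pre": any(
                bool(p) and "/" in p for _, _, p in in_pre),
            # Daryl: 3.1.8 and later lint updates with the site .pre files.
            "seen_by_update_lint": bool(in_pre),
        }
    return report


if __name__ == "__main__":
    # To audit a real directory: audit(read_site_config("/path/to/site/config"))
    for module, findings in sorted(audit(SAMPLE_SITE_CONFIG).items()):
        print(module, findings)
```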
www.uribl.com
Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-( -- Ken Anderson Pacific.Net
RE: www.uribl.com
Ken

Web site may be having trouble but the BL's are still responding

-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300

-Original Message-
From: Ken A [mailto:[EMAIL PROTECTED]
Sent: 06 June 2007 17:38
To: users@spamassassin.apache.org
Subject: www.uribl.com

Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(

-- Ken Anderson Pacific.Net

** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom **
Re: www.uribl.com
Martin.Hepworth wrote:

Ken

Web site may be having trouble but the BL's are still responding

Only one of three US rsync mirrors is. Good to know the public BLs are.

Ken

-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300

-Original Message-
From: Ken A [mailto:[EMAIL PROTECTED]
Sent: 06 June 2007 17:38
To: users@spamassassin.apache.org
Subject: www.uribl.com

Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(

-- Ken Anderson Pacific.Net

-- Ken Anderson Pacific.Net
Re: use of * with available spamassassin tools
i would very much like to be able to do that, but my mail service, sitelutions.com, evidently doesn't have that functionality, which doesn't make any sense to me at all, so i'm forced to try and deal with it with sa

i would have thought that pop3 services would easily include an option to just drop any message for a non-existent account (or bounce it back like what is causing my problem), ideally this would be at the option of the pop3 user, so they could decide if messages coming in were just spam or a legitimate typo, etc

so my question remains trying to see if i can get spam assassin to get the job done, thanks for your reply

bbxrider

Wolfgang-7 wrote:

In an older episode (Wednesday, 6. June 2007 07:47), bbxrider wrote:

i'm getting my domain spoofed and trying to stop the returns from the spoofed targets coming to my domain and then getting fwded to my default email account. the only thing that's constant and identifiable in the returned header is a variation of the spoofed name like [EMAIL PROTECTED] in the header it's the 'to:' data

Have you considered to block invalid recipient addresses at the MTA level, before even passing them to SA? Why accept mails and create spamassassin rules for them if the recipient does not exist?

Cheers, wolfgang

-- View this message in context: http://www.nabble.com/use-of-*-and---in-blacklist_from-tf3874156.html#a10992512 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: www.uribl.com
Hi!

Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(

There are some botnets having fun with both URIBL and SURBL.

Bye, Raymond.
Re: POPAuth plugin 3.20?
Daryl C. W. O'Shea wrote:

Daryl C. W. O'Shea wrote:

The POPAuth plugin for 3.1 works with 3.2 as long as you configure at least one trusted_network manually. http://wiki.apache.org/spamassassin/POPAuthPlugin

Hi Daryl,

Good to know. I only had internal_networks set and not trusted_networks. I'll add it to local.cf and try it out later when I'm outside of our network. Thanks for looking into this.
Re: www.uribl.com
Raymond Dijkxhoorn wrote:

Hi!

Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(

There are some botnets having fun with both URIBL and SURBL.

Bye, Raymond.

Ah, yes www.surbl.org has gone missing too.

Forget national id cards. How about a license to operate a computer? Everyone running unpatched, unfirewalled windows, please shutdown now.

Thanks,
-- Ken Anderson Pacific.Net
Re: use of * with available spamassassin tools
bbxrider wrote:

i would very much like to be able to do that, but my mail service, sitelutions.com, evidently doesn't have that functionality, which doesn't make any sense to me at all, so i'm forced to try and deal with it with sa

i would have thought that pop3 services would easily include an option to just drop any message for a non-existent account (or bounce it back like what is causing my problem), ideally this would be at the option of the pop3 user, so they could decide if messages coming in were just spam or a legitimate typo, etc

so my question remains trying to see if i can get spam assassin to get the job done, thanks for your reply

bbxrider

pop3-accounts normally drop mail sent to invalid addresses, meaning that each pop-box only gets the messages for that one pop address.

Seems there is some kind of catch-all arrangement, and you have an own domain, so that [EMAIL PROTECTED] gets into that mailbox.

I have similar, and I like it;) It's great as a spamtrap.
RE: www.uribl.com
Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(

I unplugged the server so I could play Forza 2 on the 360 at work. I'll plug it back in after this endurance race. :)

I'm kidding... I'll prbly keep playing after this race. ;)

--Chris (seriously, I'm kidding. If I could figure out a way to play at work... that would be so sweeet!)
RE: www.uribl.com
Hi!

Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(

I unplugged the server so I could play Forza 2 on the 360 at work. I'll plug it back in after this endurance race. :) I'm kidding... I'll prbly keep playing after this race. ;)

Ok. Plug in surbl also while it seems to race along ;)

Bye, Raymond.
Re: www.uribl.com
Ken A wrote:

Raymond Dijkxhoorn wrote:

Hi!

Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(

There are some botnets having fun with both URIBL and SURBL.

Bye, Raymond.

Ah, yes www.surbl.org has gone missing too.

Forget national id cards. How about a license to operate a computer? Everyone running unpatched, unfirewalled windows, please shutdown now.

Thanks,

I said that five years ago on a list and got personal hate mail in my inbox for days. Apparently I didn't appreciate the free expansive space of the true Internet for exercising our world citizen freedoms, or something like that. I remember they wanted me to do things that even yoga can't teach.

Seems I see it mentioned more often now.

DAve

-- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
RE: www.uribl.com
FWIW, I'm showing uribl.com resolving to 127.0.0.1 at the moment (A tactic to deal with DOS???)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]

-Original message-
From: Chris Santerre [EMAIL PROTECTED]
Date: Wed, 06 Jun 2007 15:11:17 -0400
To: 'Ken A' [EMAIL PROTECTED], users@spamassassin.apache.org
Subject: RE: www.uribl.com

Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(

I unplugged the server so I could play Forza 2 on the 360 at work. I'll plug it back in after this endurance race. :)

I'm kidding... I'll prbly keep playing after this race. ;)

--Chris (seriously, I'm kidding. If I could figure out a way to play at work... that would be so sweeet!)
Re: www.uribl.com
On Wed, 6 Jun 2007 20:07:20 +0200 (CEST), Raymond Dijkxhoorn [EMAIL PROTECTED] wrote: Hi! Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-( I unplugged the server so I could play Forza 2 on the 360 at work. I'll plug it back in after this endurance race. :) I'm kidding... I'll prbly keep playing after this race. ;) Ok. Plug in surbl also while it seems to race along ;) A couple of my locally hosted domains have been hammered the last couple of days in the region of 500+% increase in what appears to be a dictionary attack. Since my servers only accept incoming for valid users it's been annoying rather than crippling. I'd strongly suggest that anyone fool enough to have catch-all accounts disable them. I had one domain with that enabled (an oversight) and it logged 14k+ hits in 5 hours. URIBL was running very slow so I assume I wasn't the only one getting hit. On an odd note my local.cf has a timeout of 10 seconds, but I saw many scans hitting 40+ seconds Anyway, point being - watch those catch-alls. Hope that helps somebody Kind regards Nigel
Question Rule
Dear Users, I didn't find it on Google or in the FAQ. Today I got mails marked as spam because of these 2 rules: CTYPE_001C_A and FH_HAS_XID. It was a normal t-online user e-mail. Can you tell me what the danger is in these headers / rules (if found)? thx regards richard
Re: use of * with available spamassassin tools
yes, but.. i have a spam filter on my client, spambayes, and it works fine to sort out spam sent to a 'real' account the problem here is numbers, the spammer is spoofing my domain with a constantly changing name (but with a constant piece of it) with dozens if not hundreds a day, are coming back to my domain pop3 with invalid address messages, i don't want to deal with those and besides it's further clogging the pipes with messages being sent to me that are unnecessary, so my hunt continues to determine a way to have spam assassin handle it at my pop3, sitelutions.com, since they don't seem to have another way to handle it. thanks bbxrider Jari Fredriksson wrote: bbxrider wrote: i would very much like to be able to do that, but my mail service, sitelutions.com, evidently doesn't have that functionality, which doesn't make any sense to me at all, so i'm forced to try and deal with it with sa i would have thought that pop3 services would easily include an option to just drop any message for a non-existent account (or bounce it back like what is causing my problem), ideally this would be at the option of the pop3 user, so they could decide if messages coming in were just spam or a legitimate typo, etc so my question remains trying to see if i can get spam assassin to get the job done, thanks for your reply bbxrider pop3-accounts normally drop mail sent to invalid addresses, meaning that each pop-box only get the messages for that one pop address. Seems there is some kind of catch-all arrangement, and you have an own domain, so that [EMAIL PROTECTED] gets into that mailbox. I have similar, and I like it;) It's great as a spamtrap. -- View this message in context: http://www.nabble.com/use-of-*-and---in-blacklist_from-tf3874156.html#a10998014 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Question Rule
[EMAIL PROTECTED] wrote: Dear Users, I didn't find it on Google or in the FAQ. Today I got mails marked as spam because of these 2 rules: CTYPE_001C_A and FH_HAS_XID. It was a normal t-online user e-mail. Can you tell me what the danger is in these headers / rules (if found)? Danger? SpamAssassin doesn't detect dangers, merely patterns that match what spammers have been known to do. CTYPE_001C_A is looking for a particular MIME boundary commonly seen in spam, but rarely in nonspam. (99.7% of emails in the corpus that matched were spam) However FH_HAS_XID is more troubling, it's got a strong score, and a poor S/O. (78.6% spam). That's pretty poor performance for a spam rule with a score of approximately 2.4. All it's looking for is any message with an X-Id: header. I've opened a bug to get the devs to discuss modifying or dropping that one.
SMTP AUTH problem/question
I have read the documentation over and over again and must be missing something. It seems to me that the default behavior is to give everything that has been through SMTP AUTH a high negative score, and that I shouldn't have to configure anything. It isn't working, though. My users don't connect from trusted networks, which is why they have to SMTP AUTH to relay mail through my system. Am I missing something? Will that high negative score only be applied to SMTP AUTH from trusted nets? Brian
Re: SMTP AUTH problem/question
Brian C. Hill wrote: I have read the documentation over and over again and must be missing something. It seems to me that the default behavior is to give everything that has been through SMTP AUTH a high negative score, and that I shouldn't have to configure anything. It isn't working, though. My users don't connect from trusted networks, which is why they have to SMTP AUTH to relay mail through my system. Am I missing something? Will that high negative score only be applied to SMTP AUTH from trusted nets?

A few things:
- there must be an indication of auth taking place in the Received header for that relay in order to have trust extended to that relay
- any relays after/above that relay must also be trusted
- if you want ALL_TRUSTED to fire, all relays before/below the auth'd relay (if any are present) must either be (i) trusted, (ii) RFC 1918 addresses, or (iii) also auth'd

Daryl
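The three conditions in the reply above can be walked through as a small model. This is an added example, not SpamAssassin's own code and not part of the original post: the `Relay` tuple, the function names and the sample addresses (documentation ranges) are assumptions, and the `auth` flag stands for whatever auth indication the Received header carries.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 ranges, which the reply accepts below the auth'd relay.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ip: client address recorded in a Received header (hypothetical parsed form)
# auth: True when that header carries an indication of authentication
Relay = namedtuple("Relay", ["ip", "auth"], defaults=[False])

def _in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def authed_relay_index(relays, trusted_nets):
    """Index of the auth'd relay that trust is extended to, else None.

    relays[0] is the newest (topmost) Received header. Trust is extended
    only if every relay above the auth'd one is in trusted_nets.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for i, relay in enumerate(relays):
        if relay.auth:
            return i
        if not _in(relay.ip, nets):
            return None  # untrusted relay reached before any auth'd one
    return None

def all_trusted_via_auth(relays, trusted_nets):
    """True when all three conditions from the reply hold for this path."""
    i = authed_relay_index(relays, trusted_nets)
    if i is None:
        return False
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return all(r.auth or _in(r.ip, nets) or _in(r.ip, RFC1918)
               for r in relays[i + 1:])

# Constructed sample paths, newest relay first.
TRUSTED = ["198.51.100.0/24"]
ROAMING_AUTH = [Relay("203.0.113.25", auth=True), Relay("192.168.1.20")]
ROAMING_NO_AUTH = [Relay("203.0.113.25"), Relay("192.168.1.20")]
UNTRUSTED_ABOVE = [Relay("192.0.2.10"), Relay("203.0.113.25", auth=True)]
PUBLIC_BELOW = [Relay("198.51.100.7"), Relay("203.0.113.25", auth=True),
                Relay("192.0.2.99")]
```

`ROAMING_NO_AUTH` is the case from the question: the same roaming client, but with no auth indication recorded for the relay, so the model extends no trust.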
Re: Botnet Plugin
In what way is botnet not properly processing the headers in question? Claude Frantz wrote: Claude Frantz wrote: The Botnet Plugin is not able to recognize the following sequence: Another case: Received: from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1]) by localhost (OrangeSrv.rz.unibw-muenchen.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 12512-05 for [EMAIL PROTECTED]; Tue, 5 Jun 2007 20:24:21 +0200 (CEST) Received: from akx100.internetdsl.tpnet.pl (school-0.bts.net.pl [81.210.26.53]) by OrangeSrv.rz.unibw-muenchen.de (8.13.7/8.13.7) with ESMTP id l55IOHYs013110 for [EMAIL PROTECTED]; Tue, 5 Jun 2007 20:24:18 +0200 Received: from marcina-komp by qlwc.com with ASMTP id 8CE3E668 for [EMAIL PROTECTED]; Tue, 5 Jun 2007 20:24:58 - Received: from marcina-komp ([199.123.58.110]) by qlwc.com with ESMTP id 82A06E0E6EC7 for [EMAIL PROTECTED]; Tue, 5 Jun 2007 20:24:58 - And here the debugging output from SA: [29806] dbg: Botnet: checking baddns [29806] dbg: Botnet: get_relay good RDNS [29806] dbg: Botnet: IP is '81.210.26.53' [29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl' [29806] dbg: Botnet: 'school-0.bts.net.pl' resolves [29806] dbg: Botnet: 'school-0.bts.net.pl' matches '81.210.26.53' [29806] dbg: Botnet: checking client words [29806] dbg: Botnet: client words regexp is(((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))|((\b|\d)dhcp(\b|\d))|((\b|\d)dial-?up(\b|\d))|((\b|\d)dip(\b|\d))|((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|((\b|\d)dynamic(\b|\d))|((\b|\d)modem(\b|\d))|((\b|\d)ppp(\b|\d))|((\b|\d)res(net|ident(ial)?)?(\b|\d))|((\b|\d)client(\b|\d))|((\b|\d)fixed(\b|\d))|((\b|\d)pool(\b|\d))|((\b|\d)static(\b|\d))|((\b|\d)user(\b|\d)))\S*\.\S+\.\S+$ [29806] dbg: Botnet: get_relay good RDNS [29806] dbg: Botnet: IP is '81.210.26.53' [29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl' [29806] dbg: Botnet: checking server words [29806] dbg: Botnet: server words regexp 
is(((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))|((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d)))\S*\.\S+\.\S+$ [29806] dbg: Botnet: get_relay good RDNS [29806] dbg: Botnet: IP is '81.210.26.53' [29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl' [29806] dbg: Botnet: checking ip in hostname [29806] dbg: Botnet: get_relay good RDNS [29806] dbg: Botnet: IP is '81.210.26.53' [29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl' [29806] dbg: Botnet: checking nordns [29806] dbg: Botnet: get_relay good RDNS [29806] dbg: Botnet: IP is '81.210.26.53' [29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
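To see what the two word regexps in the debug output accept, the sketch below rebuilds them from their word lists and runs them over the hostnames quoted in this thread. It is an added example using Python's `re` rather than the plugin's Perl, not code from the Botnet plugin; `build`, `classify` and the `example.net` names are assumptions made for illustration.

```python
import re

# Word lists copied from the "client words" and "server words" regexps
# shown in the debug output; the delimiters are rebuilt around them.
CLIENT_WORDS = ["cable", "catv", "ddns", "dhcp", "dial-?up", "dip",
                "(a|s|d(yn)?)?dsl", "dynamic", "modem", "ppp",
                "res(net|ident(ial)?)?", "client", "fixed", "pool",
                "static", "user"]
SERVER_WORDS = ["mail", "mta", "mx", "relay", "smtp"]

def build(words):
    """Each word must sit between word boundaries or digits and be
    followed by at least two more dot-separated labels."""
    alts = "|".join(r"((\b|\d)%s(\b|\d))" % w for w in words)
    return "(" + alts + r")\S*\.\S+\.\S+$"

CLIENT_RE = re.compile(build(CLIENT_WORDS))
SERVER_RE = re.compile(build(SERVER_WORDS))

def classify(hostname):
    """Return (client_words_match, server_words_match) for a hostname."""
    return (bool(CLIENT_RE.search(hostname)),
            bool(SERVER_RE.search(hostname)))

SAMPLES = [
    "school-0.bts.net.pl",          # rDNS from the thread
    "akx100.internetdsl.tpnet.pl",  # HELO from the thread: "dsl" follows a letter
    "host1dsl.example.net",         # constructed: "dsl" follows a digit
    "adsl-12.pool.example.net",     # constructed: "adsl" at a word boundary
    "mail.example.net",             # constructed: server word
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```

The `internetdsl` label does not match because the pattern requires a word boundary or a digit immediately before `dsl` (or before its optional `a`, `s`, `d`, `dyn` prefix), and here it is preceded by the letter `t`.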
Re: Botnet Plugin
The diagnostic output for that message would have been useful. However, one thing to recognize is that botnet does not parse the Received headers themselves. SpamAssassin does, and puts them into pseudoheaders. Those pseudoheaders are what botnet processes. Claude Frantz wrote: The Botnet Plugin is not able to recognize the following sequence: Received: from ludwik.warynski.net (ludwik.warynski.net [195.82.166.1]) by BlueSrv.rz.unibw-muenchen.de (8.12.11.20060308/8.12.11) with ESMTP id l55L66tA013532 for [EMAIL PROTECTED]; Tue, 5 Jun 2007 23:06:07 +0200 Received: by 10.48.206.66 with SMTP id ZFdyrphavZIbn; Tue, 5 Jun 2007 23:06:12 +0200 (GMT) Received: by 192.168.193.149 with SMTP id iofMJgjleKxfwH.3044561993659; Tue, 5 Jun 2007 23:06:10 +0200 (GMT) Why ? Thanks a lot ! Claude
Can anyone explain this Milter add:... spike in my logs by spamd!
Hello fellow anti-spam advocates. After getting a rather large logwatch report, I went hunting in my logs to get to the root of the problem. I noticed a very big spike in the number of occurrences of the following line in the /var/log/maillog file: Milter add: header: Content-Type: multipart/mixed; boundary=... I collated data off of the log files (I keep 3 years worth) and below is what I uncovered in the last few days:

Day       Occurrences
======    ===========
27-May    12
28-May    6
29-May    9
30-May    6
31-May    5
1-Jun     724
2-Jun     609
3-Jun     31
4-Jun     576
5-Jun     706
6-Jun     515
7-Jun     17

Number of similar occurrences in the last quarter:

Week ending         Occurrences
================    ===========
Week ending 3/18    1
Week ending 3/25    27
Week ending 4/1     70
Week ending 4/8     67
Week ending 4/15    59
Week ending 4/22    47
Week ending 4/29    33
Week ending 5/6     31
Week ending 5/13    40
Week ending 5/20    61
Week ending 5/27    1402
Week ending 6/3     1931

Prior to June 1, the highest occurrence was 70 back in May. What the heck is going on? Cheers, Anthony.
Re: Can anyone explain this Milter add:... spike in my logs by spamd!
At 20:19 06-06-2007, Anthony Kamau wrote: After getting a rather large logwatch report, I went hunting in my logs to get to the root of the problem. I noticed a very big spike in the number of occurrences of the following line in the /var/log/maillog file: Milter add: header: Content-Type: multipart/mixed; boundary=... spamd is not doing that. It's your milter which is adding that header. Regards, -sm
RE: Can anyone explain this Milter add:... spike in my logs by spamd!
Thanks sm. It is indeed sendmail that is responsible - I totally ignored that part in the logs! I guess it is time to hunt down the sendmail list. Cheers, Anthony. -Original Message- From: SM [mailto:[EMAIL PROTECTED] Sent: Thursday, 7 June 2007 1:59 PM To: users@spamassassin.apache.org Subject: Re: Can anyone explain this Milter add:... spike in my logs by spamd! At 20:19 06-06-2007, Anthony Kamau wrote: After getting a rather large logwatch report, I went hunting in my logs to get to the root of the problem. I noticed a very big spike in the number of occurrences of the following line in the /var/log/maillog file: Milter add: header: Content-Type: multipart/mixed; boundary=... spamd is not doing that. It's your milter which is adding that header. Regards, -sm