USER_IN_SPF_WHITELIST missing for some mails

2007-07-01 Thread ram
I find SpamAssassin's SPF checks extremely unreliable. A lot of
times I get SPF Fail or SPF Neutral for the same sender domain and IP
address, while it is supposed to pass.

The same mail shows SPF pass when I run SA on the command line.

Is there something wrong with my configuration ? I use spamassassin
3.1.5 with MailScanner  


Thanks
Ram




Re: Blacklist a mailing list

2007-07-01 Thread dougp23

Jari, I guess I could.  
It's just sometimes I use a web browser and sometimes Thunderbird.  And I am
hoping that none of my other employees are getting spammed by the list!

Thanks.  This might be my best solution.

For the other posters, I will use example.com from now on!  I belong to
several other forums and we always use mydomain.com or mymail.com.  I will
pass the word there as well!

Thanks!


Jari Fredriksson wrote:
> 
> dougp23 wrote:
>> I am a member of a mailing list, and I can't get them to reply to me
>> to remove me from the list.
>> I have tried sending 'unsubscribe' to the list, to no avail.
>> So now I get spam from the mailing list.  I have Sendmail 8.13,
>> SpamAssassin 
>> 3.1.8
>> How do I go about blocking the mailing list?  here are some headers
>> from a recent message:  (It seems everyone on [EMAIL PROTECTED] is
>> getting this junk).
>> (domains and other stuff relevant to my domain are blocked out!)
> 
> SpamAssassin is detecting and marking spam. That mailing list does not
> deliver spam to you, so it might be the wrong tool for your problem.
> 
> Can't you just mark any mail to [EMAIL PROTECTED] for deletion in
> your email application?
> 
>> Return-Path: <[EMAIL PROTECTED]>
>> Received: from mydomain.com (localhost [127.0.0.1])
>>     by mydomain.com (8.13.1/8.13.1) with ESMTP id l5UI78cE007486
>>     for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:07:08 -0400
>> Received: from mail.mydomain.com ([EMAIL PROTECTED])
>>     by mail.mydomain.com (8.13.1/8.13.1/Submit) with ESMTP id l5UI78eC007485
>>     for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:07:08 -0400
>> Received: from mail.rscs.net (mail.rscs.net [204.249.238.4])
>>     by mail.mydomain.com (Scalix SMTP Relay 11.0.2.17)
>>     via ESMTP; Sat, 30 Jun 2007 14:07:08 -0400 (EDT)
>> Received: from [88.238.108.242] (dsl88.238-27890.ttnet.net.tr
>>     [88.238.108.242] (may be forged))
>>     by mail.rscs.net (8.12.9/8.12.9) with ESMTP id l5UIQeBe016250
>>     for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:26:41 -0400 (EDT)
>> Received: from [88.238.108.242] by mx00.1and1.com; Sat, 30 Jun 2007
>>     18:26:42 -0200
>> Date: Sat, 30 Jun 2007 18:26:42 -0200
>> From: "Jaime Tran" <[EMAIL PROTECTED]>
>> Reply-To: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Message-ID: <[EMAIL PROTECTED]>
>> Subject: Re: Photo
>> X-Priority: 3 (Normal)
>> X-Mailer: The Bat! (v2.11) Business
>> X-Spam-Status: No, score=0.8 required=5.0 tests=HTML_MESSAGE,INFO_TLD,
>>     MIME_HTML_ONLY autolearn=no version=3.1.8
>> X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
>> 
>> Thanks for any help anyone!
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Blacklist-a-mailing-list-tf4008161.html#a11387028
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Blacklist a mailing list

2007-07-01 Thread jdow

In procmail it's easy.
===8<---
:0
* ^From:.*absflooring.com
/dev/null

# this may be a problem if you have multiple list memberships at
# mailinglist.org. You obfuscated too much to make this any better.
# you removed useful identifying material.
:0
* ^To:[EMAIL PROTECTED]
/dev/null
===8<---

{^_^}

- Original Message -
From: "dougp23" <[EMAIL PROTECTED]>
To:
Sent: Sunday, 2007, July 01 08:31
Subject: Blacklist a mailing list

I am a member of a mailing list, and I can't get them to reply to me to
remove me from the list.
I have tried sending 'unsubscribe' to the list, to no avail.
So now I get spam from the mailing list.  I have Sendmail 8.13, SpamAssassin
3.1.8
How do I go about blocking the mailing list?  here are some headers from a
recent message:  (It seems everyone on [EMAIL PROTECTED] is getting this
junk).
(domains and other stuff relevant to my domain are blocked out!)

Return-Path: <[EMAIL PROTECTED]>
Received: from mydomain.com (localhost [127.0.0.1])
    by mydomain.com (8.13.1/8.13.1) with ESMTP id l5UI78cE007486
    for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:07:08 -0400
Received: from mail.mydomain.com ([EMAIL PROTECTED])
    by mail.mydomain.com (8.13.1/8.13.1/Submit) with ESMTP id l5UI78eC007485
    for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:07:08 -0400
Received: from mail.rscs.net (mail.rscs.net [204.249.238.4])
    by mail.mydomain.com (Scalix SMTP Relay 11.0.2.17)
    via ESMTP; Sat, 30 Jun 2007 14:07:08 -0400 (EDT)
Received: from [88.238.108.242] (dsl88.238-27890.ttnet.net.tr
    [88.238.108.242] (may be forged))
    by mail.rscs.net (8.12.9/8.12.9) with ESMTP id l5UIQeBe016250
    for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:26:41 -0400 (EDT)
Received: from [88.238.108.242] by mx00.1and1.com; Sat, 30 Jun 2007
    18:26:42 -0200
Date: Sat, 30 Jun 2007 18:26:42 -0200
From: "Jaime Tran" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Subject: Re: Photo
X-Priority: 3 (Normal)
X-Mailer: The Bat! (v2.11) Business
X-Spam-Status: No, score=0.8 required=5.0 tests=HTML_MESSAGE,INFO_TLD,
    MIME_HTML_ONLY autolearn=no version=3.1.8
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on


Thanks for any help anyone!
--
View this message in context: 
http://www.nabble.com/Blacklist-a-mailing-list-tf4008161.html#a11382865
Sent from the SpamAssassin - Users mailing list archive at Nabble.com. 




Re: Blacklist a mailing list

2007-07-01 Thread Bob Proulx
dougp23 wrote:
> I am a member of a mailing list, and I can't get them to reply to me to
> remove me from the list.

Because of what you are saying it is making me think this is matching
a very common error pattern.  Unfortunately it is human error and not
a machine error.

I assume this is a program managed mailing list such as Mailman,
Listserv, SmartList, Majordomo, or other?  Very often I have seen
people claim that they cannot get off of a mailing list when in
reality it was "pilot error" and they were not using the right control
address.

> I have tried sending 'unsubscribe' to the list, to no avail.

Hopefully you did not actually send that to the mailing list itself.
That would be a breach of etiquette.

Remember that for the typical mailing list sending to the
MAILINGLIST-request address is the control robot to handle your
control request automatically.  Sending to the MAILINGLIST-owner
address should go to a real live person who can help you if there is
something not working right.

Did you send an unsubscribe message to the MAILINGLIST-request address?

Did you send a request for help to the MAILINGLIST-owner address?

Those steps should always be done before sending administrative
requests to the mailing list itself.  Users on mailing lists usually
can't affect any changes to it.

Bob


Re: Blacklist a mailing list

2007-07-01 Thread John D. Hardin
On Sun, 1 Jul 2007, Bart Schaefer wrote:

> If for some reason you think it's essential to purge references to
> your domain name, then simply replace them with obvious mark-out
> like --.com or the like.

...or use "example.com", which is specifically intended for that 
application.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
---
 3 days until The 231st anniversary of the Declaration of Independence



Re: Blacklist a mailing list

2007-07-01 Thread Bart Schaefer

On 7/1/07, dougp23 <[EMAIL PROTECTED]> wrote:
> How do I go about blocking the mailing list?  here are some headers from a
> recent message:  (It seems everyone on [EMAIL PROTECTED] is getting this
> junk).

Prompted by Doug but directed to no one in particular:

Please don't use things like "mailinglist.org" and especially
"mydomain.com" as either generic examples or as placeholders for
whatever your domain really is.  There actually *is* a mydomain.com
and unless that really is your domain it just causes needless
confusion.

If for some reason you think it's essential to purge references to your
domain name, then simply replace them with obvious mark-out like
--.com or the like.

Thanks.


Re: Blacklist a mailing list

2007-07-01 Thread Jari Fredriksson
dougp23 wrote:
> I am a member of a mailing list, and I can't get them to reply to me
> to remove me from the list.
> I have tried sending 'unsubscribe' to the list, to no avail.
> So now I get spam from the mailing list.  I have Sendmail 8.13,
> SpamAssassin 
> 3.1.8
> How do I go about blocking the mailing list?  here are some headers
> from a recent message:  (It seems everyone on [EMAIL PROTECTED] is
> getting this junk).
> (domains and other stuff relevant to my domain are blocked out!)

SpamAssassin is detecting and marking spam. That mailing list does not deliver
spam to you, so it might be the wrong tool for your problem.

Can't you just mark any mail to [EMAIL PROTECTED] for deletion in your email
application?

> Return-Path: <[EMAIL PROTECTED]>
> Received: from mydomain.com (localhost [127.0.0.1])
>     by mydomain.com (8.13.1/8.13.1) with ESMTP id l5UI78cE007486
>     for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:07:08 -0400
> Received: from mail.mydomain.com ([EMAIL PROTECTED])
>     by mail.mydomain.com (8.13.1/8.13.1/Submit) with ESMTP id l5UI78eC007485
>     for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:07:08 -0400
> Received: from mail.rscs.net (mail.rscs.net [204.249.238.4])
>     by mail.mydomain.com (Scalix SMTP Relay 11.0.2.17)
>     via ESMTP; Sat, 30 Jun 2007 14:07:08 -0400 (EDT)
> Received: from [88.238.108.242] (dsl88.238-27890.ttnet.net.tr
>     [88.238.108.242] (may be forged))
>     by mail.rscs.net (8.12.9/8.12.9) with ESMTP id l5UIQeBe016250
>     for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:26:41 -0400 (EDT)
> Received: from [88.238.108.242] by mx00.1and1.com; Sat, 30 Jun 2007
>     18:26:42 -0200
> Date: Sat, 30 Jun 2007 18:26:42 -0200
> From: "Jaime Tran" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> Subject: Re: Photo
> X-Priority: 3 (Normal)
> X-Mailer: The Bat! (v2.11) Business
> X-Spam-Status: No, score=0.8 required=5.0 tests=HTML_MESSAGE,INFO_TLD,
>     MIME_HTML_ONLY autolearn=no version=3.1.8
> X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
> 
> 
> Thanks for any help anyone!


Re: URIBL_BLACK matching on messages with no URLs in them...

2007-07-01 Thread Jeff Chan
Quoting SM <[EMAIL PROTECTED]>:

> Hi Jeff,
> At 03:58 01-07-2007, Jeff Chan wrote:
> >http://lookup.uribl.com/?domain=sync.pl
>
> I missed that one. :-)  It's not listed though.

It was listed when I wrote.

Jeff C.


Blacklist a mailing list

2007-07-01 Thread dougp23

I am a member of a mailing list, and I can't get them to reply to me to
remove me from the list.
I have tried sending 'unsubscribe' to the list, to no avail.
So now I get spam from the mailing list.  I have Sendmail 8.13, SpamAssassin
3.1.8
How do I go about blocking the mailing list?  here are some headers from a
recent message:  (It seems everyone on [EMAIL PROTECTED] is getting this
junk).
(domains and other stuff relevant to my domain are blocked out!)



Return-Path: <[EMAIL PROTECTED]>
Received: from mydomain.com (localhost [127.0.0.1])
    by mydomain.com (8.13.1/8.13.1) with ESMTP id l5UI78cE007486
    for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:07:08 -0400
Received: from mail.mydomain.com ([EMAIL PROTECTED])
    by mail.mydomain.com (8.13.1/8.13.1/Submit) with ESMTP id l5UI78eC007485
    for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:07:08 -0400
Received: from mail.rscs.net (mail.rscs.net [204.249.238.4])
    by mail.mydomain.com (Scalix SMTP Relay 11.0.2.17)
    via ESMTP; Sat, 30 Jun 2007 14:07:08 -0400 (EDT)
Received: from [88.238.108.242] (dsl88.238-27890.ttnet.net.tr
    [88.238.108.242] (may be forged))
    by mail.rscs.net (8.12.9/8.12.9) with ESMTP id l5UIQeBe016250
    for <[EMAIL PROTECTED]>; Sat, 30 Jun 2007 14:26:41 -0400 (EDT)
Received: from [88.238.108.242] by mx00.1and1.com; Sat, 30 Jun 2007
    18:26:42 -0200
Date: Sat, 30 Jun 2007 18:26:42 -0200
From: "Jaime Tran" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Subject: Re: Photo
X-Priority: 3 (Normal)
X-Mailer: The Bat! (v2.11) Business
X-Spam-Status: No, score=0.8 required=5.0 tests=HTML_MESSAGE,INFO_TLD,
    MIME_HTML_ONLY autolearn=no version=3.1.8
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on


Thanks for any help anyone!
-- 
View this message in context: 
http://www.nabble.com/Blacklist-a-mailing-list-tf4008161.html#a11382865
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: A different approach to scoring spamassassin hits

2007-07-01 Thread Tom Allison


On Jun 30, 2007, at 11:55 PM, Loren Wilton wrote:

>> Unfortunately I'm not on the SpamAssassin Bayes modules -- I wrote my
>> own Bayes Engine because I wanted to do that and then thought about
>> including the Rules results from SpamAssassin.  I don't know where
>> this might be going, but it seems to be working extremely well for me
>> based on a training set of just a couple hundred emails in total.
>
> Don't see this as a problem.  Someone, I forget who, has a Bayes
> chained to an SA setup, I think the Bayes comes first, but I don't
> recall.  He was claiming good results from chained classifiers using
> slightly different data and methods.  This seems like a reasonably
> possible contention to me.
>
> If you have a pre-existing Bayes mail filter, and it runs as a filter
> in a pipe or the like, then basically what you want to do seems very
> simple to me, at least conceptually.  Just run the mail through SA
> first and then into your classifier.  The rule names hit along with
> their scores will be in the header of the mail you process in your
> classifier, and thus, as long as you don't ignore header data, the
> rule names are there to process.  No need even to modify SA.  In fact
> you can get a header with just the rule names hit without the scores,
> so you don't have the score values being scored as tokens.
>
> The only case where you would have to modify SA in I think either
> Check or PMS is if you really did want to bloat every mail with the
> names of all of the rules in the SA database, rather than just those
> pertinent to the mail at hand.
>
> I think the trick is simply looking at your mail chain and figuring
> out how to insert a call to SA before the call to your own Bayes
> module.


Actually I have this but I don't have it writing the headers into
the email.  It's sending the SA data as attached information so I
can keep track of where it came from (header/body/metadata).  I'm not
sure that the scoring is going to cost me anything or cause any
performance issues compared to getting the hits/misses.  I think
we're debating the cpu involved to determine a number for the score,
not the scoring process itself.

I have a question about the sub rules -- are they themselves adding
up to an overall rule by means of hit/miss?
Is there any conceptual advantage to pulling in rules and sub_rules
to this process?

And the more I think about it, the more I don't need to "bloat every
mail with the names of all the rules".

But sub_rules might be more useful.

---

By not putting in all the SA rules it might make it easier to
establish the contribution of the scoring, but you have to know the
intended target (RULE => spam or RULE => ham) which isn't an issue
with today's rules (but you never know).  Once you know this, the
effectiveness of a rule would be measured by its distance in
probability from 0.500 toward 1.00.  I can track this eventually, but
I think I need to reset my database to be certain of its value.  Not
a problem, I am my own admin.

But the real challenge for me, as has always been the case with SA,
is the proper care and feeding of the application when not using the
standard spamc/spamd and spamassassin scripts.  I suspect this starts
with a lot of RTFM and then I can get to some real questions.  The
difficulty for me is trimming out all the steps in the application
that I won't be benefitting from.  I would like to start with
something that is approximately: local "static" rules only, no user
specific preferences, no learning or bayes or white/black listing.
By local "static" I mean to use the rules based on email content
analysis without network consultation (DNS, RBL, DCC...)
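
The chaining discussed in the message above, as an added example (not code from either poster or from SpamAssassin): it pulls the rule names out of a folded X-Spam-Status header so a separate classifier can use them as tokens, then ranks rules by how far their spam probability sits from 0.5. The sample messages, their spam/ham labels, the helper names and the add-one smoothing are constructed assumptions.

```python
import email
import re
from collections import Counter


def sa_rule_tokens(raw_message):
    """Return the rule names from tests= in X-Spam-Status (names only, no scores)."""
    status = email.message_from_string(raw_message).get("X-Spam-Status", "")
    # The tests= list is usually folded across lines: unfold it, then drop
    # the whitespace that folding leaves after a comma.
    status = re.sub(r"\r?\n[ \t]+", " ", status)
    status = re.sub(r",\s+", ",", status)
    m = re.search(r"(?:^|\s)tests=(\S*)", status)
    if not m or m.group(1) in ("", "none"):  # "none" means no rule hit
        return []
    return [t for t in m.group(1).split(",") if t]


def rule_probabilities(labelled):
    """labelled: iterable of (raw_message, is_spam). Returns {rule: P(spam | hit)}."""
    spam_hits, ham_hits = Counter(), Counter()
    for raw, is_spam in labelled:
        for rule in set(sa_rule_tokens(raw)):
            (spam_hits if is_spam else ham_hits)[rule] += 1
    probs = {}
    for rule in set(spam_hits) | set(ham_hits):
        s, h = spam_hits[rule], ham_hits[rule]
        probs[rule] = (s + 1) / (s + h + 2)  # add-one smoothing (assumption)
    return probs


def rank_by_distance(probs):
    """Most informative rules first: largest distance from 0.5, ties by name."""
    return sorted(probs, key=lambda r: (-abs(probs[r] - 0.5), r))


def _sample(tests):
    # Constructed message; header layout follows the X-Spam-Status lines
    # quoted elsewhere on this page.
    return ("From: sender@example.com\n"
            "X-Spam-Status: No, score=0.8 required=5.0 tests=" + tests + "\n"
            "\tautolearn=no version=3.1.8\n"
            "Subject: sample\n\nbody\n")


# Constructed training set: (message, is_spam)
SAMPLES = [
    (_sample("HTML_MESSAGE,INFO_TLD,\n\tMIME_HTML_ONLY"), True),
    (_sample("HTML_MESSAGE,MIME_HTML_ONLY"), True),
    (_sample("HTML_MESSAGE"), False),
    (_sample("none"), False),
]

if __name__ == "__main__":
    probs = rule_probabilities(SAMPLES)
    for rule in rank_by_distance(probs):
        print(f"{rule:16s} P(spam|hit)={probs[rule]:.3f}")
```

A probability above 0.5 marks a rule as a spam indicator and one below 0.5 as a ham indicator, so the direction of the distance gives the "intended target" without it being supplied by hand.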




Writing a rule to access SA ClamAV Plugin Header

2007-07-01 Thread OliverScott

There is a SpamAssassin plugin which checks messages with ClamAV, which adds
the following header to emails it processes:

X-Spam-Virus: Yes ($VirusName)

http://wiki.apache.org/spamassassin/ClamAVPlugin

By default you can set a score in its clamav.cf file:

score CLAMAV 10

I am currently testing a 3rd party set of ClamAV definitions from a website
called www.sanesecurity.co.uk which look to be very effective against some
phishing and image spam emails. When it fires on an email the headers the
ClamAV plugin adds are as follows:

X-Spam-Virus: Yes ($Name.Sanesecurity)

What I would like to do would be to score the ClamAV detection differently
depending on whether it was detected by the ClamAV default signatures
(virus) or the Sanesecurity signatures (spam). I have tried adding the
following to local.cf but it doesn't seem to be working:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
meta MY_CLAMAV (__MY_CLAMAV && !__MY_CLAMAV_SANE)
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
score MY_CLAMAV 10
score MY_CLAMAV_SANE 5

Any suggestions?
-- 
View this message in context: 
http://www.nabble.com/Writing-a-rule-to-access-SA-ClamAV-Plugin-Header-tf4007944.html#a11382177
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: URIBL_BLACK matching on messages with no URLs in them...

2007-07-01 Thread SM

Hi Jeff,
At 03:58 01-07-2007, Jeff Chan wrote:
> http://lookup.uribl.com/?domain=sync.pl

I missed that one. :-)  It's not listed though.

Regards,
-sm 



Re: URIBL_BLACK matching on messages with no URLs in them...

2007-07-01 Thread Duane Hill

On Sun, 1 Jul 2007 at 05:58 -0500, [EMAIL PROTECTED] confabulated:

> Quoting SM <[EMAIL PROTECTED]>:
>
>> At 12:07 30-06-2007, Jo Rhett wrote:
>>> Note: yes, uribl has their own mailing list.  That server has been
>>> down for quite some time, so I gave up and posted it here in case
>>> someone is dual listed and can fix it.
>>>
>>> There's no URL in this message.  What is it mis-matching against?
>>
>> There was a URL in the message.  It's not listed in URIBL.
>>
>> Regards,
>> -sm
>
> http://lookup.uribl.com/?domain=sync.pl

Thanks for the general reminder that 'pl' is a valid domain tld. I
completely overlooked it myself.


Re: URIBL_BLACK matching on messages with no URLs in them...

2007-07-01 Thread Jeff Chan
Quoting SM <[EMAIL PROTECTED]>:

> At 12:07 30-06-2007, Jo Rhett wrote:
> >Note: yes, uribl has their own mailing list.  That server has been
> >down for quite some time, so I gave up and posted it here in case
> >someone is dual listed and can fix it.
> >
> >There's no URL in this message.  What is it mis-matching against?
>
> There was a URL in the message.  It's not listed in URIBL.
>
> Regards,
> -sm
>


http://lookup.uribl.com/?domain=sync.pl

Jeff C.


Re: DNS list service to detect the registrar barrier

2007-07-01 Thread mouss

Marc Perkel wrote:
> OK - tell me if this is useful. I created a DNS list that you can pass
> a host name to and get information as to where the registrar barrier is.
>
> You can use it as follows:
>
> dig .rb.junkemailfilter.com
>
> Example:
> dig perkel.com.rb.junkemailfilter.com - returns 127.0.0.1
> dig perkel.co.uk.rb.junkemailfilter.com - returns 127.0.0.2
>
> If it's a single level domain it will return 127.0.0.1
> Two level domains return 127.0.0.2
> Three level domains return 127.0.0.3

I'm waiting for the day someone will confuse it with a "normal" DNSBL, and
use it to reject mail ;-p

I personally don't like this "dns can do everything" hype.

> I'm using it for some statistical stuff but I'm wondering if anyone
> else finds this useful. Thinking about using it to forward spam to
> abuse@ to report spam.

sorry?