Re: DELETE SPAM

2007-07-05 Thread Evan Platt

At 10:10 PM 7/5/2007, Tarak Ranjan wrote:

hi all,
 I am facing a serious problem regarding spam. Now a few mails are
going to users' inboxes and others are going to postmaster, but I want to
drop/delete those mails on the server side.

How can I do that? I'm using SpamAssassin version 3.1.4 +
qmail

Please help me out



That's a qmail question. SpamAssassin cannot delete spam. If you 
don't get an answer here, you may want to try a qmail list.




Re: DELETE SPAM

2007-07-05 Thread Jeff Chan
Quoting Tarak Ranjan <[EMAIL PROTECTED]>:

> hi all,
>  I am facing a serious problem regarding spam. Now a few mails are
> going to users' inboxes and others are going to postmaster, but I want to
> drop/delete those mails on the server side.
>
> How can I do that? I'm using SpamAssassin version 3.1.4 +
> qmail
>
> Please help me out
>
> /tarak
>


Please see:

http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions

particularly:

http://wiki.apache.org/spamassassin/DeletingAllMailsMarkedSpam

Jeff C.
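The FAQ page Jeff links to covers discarding mail that SpamAssassin has already marked; the discard itself is done by whatever delivers the mail, not by SA. As an added example (not code from that FAQ, from SpamAssassin or from qmail), here is a filter a .qmail file can pipe the message through before its delivery line. The drop threshold, the hostname SA writes into X-Spam-Checker-Version, and the sample messages are assumptions; the exit codes are the ones qmail-command(8) defines.

```python
#!/usr/bin/env python3
"""Decide, from SpamAssassin's own headers, whether to discard a message.

Added example (not from the FAQ page above, SpamAssassin, or qmail). It is
meant to sit in a .qmail file before the Maildir delivery line; the
threshold, the local hostname and the sample messages are assumptions.
"""
import re
import sys
from email import message_from_bytes

LOCAL_HOST = "mail.example.org"   # assumed: the _HOSTNAME_ your own SA writes
DROP_THRESHOLD = 10.0             # assumed site policy: discard only high scores
QMAIL_CONTINUE, QMAIL_DROP, QMAIL_TEMPFAIL = 0, 99, 111   # qmail-command(8)

SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")


def spam_verdict(msg):
    """Read SA's headers: (scanned on this host?, flagged?, numeric score or None)."""
    checker = msg.get("X-Spam-Checker-Version", "")
    scanned_here = checker.strip().endswith(" on " + LOCAL_HOST)
    flagged = msg.get("X-Spam-Flag", "").strip().upper() == "YES"
    m = SCORE_RE.search(msg.get("X-Spam-Status", ""))
    score = float(m.group(1)) if m else None
    return scanned_here, flagged, score


def decide(raw, threshold=DROP_THRESHOLD):
    """Map a raw message to the exit status qmail expects from a | command.

    0   continue with the next line of the .qmail file (deliver normally)
    99  stop here: with no earlier delivery line the message is discarded
    111 temporary failure: qmail keeps the message queued and retries
    """
    try:
        msg = message_from_bytes(raw)
    except Exception:
        return QMAIL_TEMPFAIL            # never lose mail on a parser error
    scanned_here, flagged, score = spam_verdict(msg)
    # The sender can write X-Spam-* headers too. SA removes pre-existing
    # X-Spam-* headers when it rewrites a message, so as long as every
    # message passes through the local SA before this filter, the headers
    # seen here are ours; the hostname check is only a sanity check.
    if not scanned_here:
        return QMAIL_CONTINUE
    if flagged and score is not None and score >= threshold:
        return QMAIL_DROP
    return QMAIL_CONTINUE


# Constructed sample messages (not real mail).
SAMPLES = {
    "high": b"From: a@example.invalid\n"
            b"X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on mail.example.org\n"
            b"X-Spam-Status: Yes, score=14.3 required=5.0 tests=GTUBE autolearn=no\n"
            b"X-Spam-Flag: YES\n\nbody\n",
    "low": b"From: a@example.invalid\n"
           b"X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on mail.example.org\n"
           b"X-Spam-Status: Yes, score=6.1 required=5.0 tests=FOO autolearn=no\n"
           b"X-Spam-Flag: YES\n\nbody\n",
    "forged": b"From: a@example.invalid\n"
              b"X-Spam-Status: Yes, score=50.0 required=5.0\n"
              b"X-Spam-Flag: YES\n\nbody\n",
    "ham": b"From: a@example.invalid\nSubject: hi\n\nbody\n",
}

if __name__ == "__main__":
    sys.exit(decide(sys.stdin.buffer.read()))
```

In a .qmail file this is the line `|/usr/local/bin/spamdrop.py` (assumed install path) placed before the usual `./Maildir/` line: exit 99 stops processing so nothing is delivered, exit 0 falls through to the Maildir line. Deleting is irreversible, so a safer variant of the same script delivers high scorers to a spam folder instead of exiting 99, and only the deliberate, high threshold above is used for outright discard.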


DELETE SPAM

2007-07-05 Thread Tarak Ranjan
hi all,
 I am facing a serious problem regarding spam. Now a few mails are
going to users' inboxes and others are going to postmaster, but I want to
drop/delete those mails on the server side.

How can I do that? I'm using SpamAssassin version 3.1.4 +
qmail

Please help me out

/tarak



how to do sa-update on windows 2003

2007-07-05 Thread Sg

Hi

How to update SA on Exchange 2003 on Windows 2003 server. SA version is
3.1.7.

--
Geetha. S


Re: Spoofed URI's or fake websites ?

2007-07-05 Thread Jeff Chan
Quoting Samuel Krieg <[EMAIL PROTECTED]>:

> I wrote this because of Jeff's phrase.
>
> > If they are windows do an fdisk, format, etc.
>
> I think it's important to work on the OS that you know how to configure,
> secure and manage. Whatever system it is. I did not want to praise any
> system.
>
> I remain paranoid and monitor system logs, smtp queries and network
> activities as good as I can.

Windows machines are notoriously difficult to fully clean.  That's why many
people end up reformatting the hard disk on them.

As Matt pointed out, at least two of the compromised machines are Linux, so it's
certainly good to have strict security policies, keep programs fully patched,
etc., regardless of what OS one runs.

Jeff C.


RE: 10_default_prefs.cf file in 3.2.x branch

2007-07-05 Thread Robert - eLists
> No, it doesn't... Your local.cf gets parsed *AFTER* this file, so your
> local.cf overrides 10_default_prefs.cf.
> 
> Note: for this to work 10_default_prefs.cf MUST NOT be in your
> /etc/mail/spamassassin. It belongs in /usr/share/spamassassin, as do ALL
> the rulefiles that come with SA. Only your site-specific customizations
> should be in /etc/mail/spamassassin.
snip
> My bigger question is, why not just let the SA installer install all
> this stuff? Why are you mucking about hand-installing the rules in the
> first place?

Matt,

I haven't moved anything, now or ever.

U I am just dealing with having the hit report in my headers and I don't
want it there. I want it off.

I turned it on at one time and then I turned it off in local.cf

I've upgraded from 3.1.7 to 3.1.8 to 3.2.1 and in 3.2.1 I am seeing the rules
hit report in my headers and I haven't figured out why when it is not on by
default (near as I can tell) and I have the configs for that commented out
since 3.1.8

Dunno

 - rh




RE: 10_default_prefs.cf file in 3.2.x branch

2007-07-05 Thread Robert - eLists
> 
> Other way around.  These are the defaults, and anything you put in 
> local.cf will override the corresponding setting in this file.
> 
> SA processes all the files in the general SA directory -- 
> /usr/(local)/share/spamassassin, or 
> /var/lib/spamassassin/path/to/updated/rules -- then processes the 
> files in your local folder (usually /etc/mail/spamassassin)
> 
> As long as you leave 10_default_prefs.cf in its normal location, you 
> shouldn't have any problems.
> 
> --
> Kelson Vibber

Kelson,

Understood, thank you.

Umm thing is, I will have to review all the contents of that file and
what it is doing as I should not be getting any hit scoring reports in my
headers for ham or spam yet, unfortunately, I am...

And so far, my search has led me here...

 - rh



Re: sa-update

2007-07-05 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
> We want to be able to use sa-update. This is a "vanilla" install of SA
> 3.2.1 using spamd with hula server. when i run sa-update from the CLI, i
> get this:
> Can't locate LWP/UserAgent.pm in @INC (@INC contains:
> /usr/lib/perl5/site_perl/5.8.3/i586-linux-thread-multi
> /usr/lib/perl5/site_perl/5.8.3
> /usr/lib/perl5/5.8.3/i586-linux-thread-multi /usr/lib/perl5/5.8.3
> /usr/lib/perl5/site_perl
> /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi
> /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl) at
> /usr/bin/sa-update line 79.
> BEGIN failed--compilation aborted at /usr/bin/sa-update line 79.
>
> How do i fix this so we can use sa-update?
>   
Looks like you're missing the LWP (aka libwww-perl) perl module. Install it.

This is not a part of SA, but a required standard perl module.

See also - the INSTALL file:

http://svn.apache.org/repos/asf/spamassassin/branches/3.2/INSTALL





Re: Bayes not able to be used

2007-07-05 Thread carnold5
>Hmm, what parameters are you passing to spamd? Are you passing a -u?
Not passing anything to spamd. Spamd runs as "nobody"

>What's sa-learn --dump magic report?
0.000          0          3          0  non-token data: bayes db version
0.000          0       2044          0  non-token data: nspam
0.000          0       1888          0  non-token data: nham
0.000          0     168321          0  non-token data: ntokens
0.000          0 1161452996          0  non-token data: oldest atime
0.000          0 1183669409          0  non-token data: newest atime
0.000          0 1183682517          0  non-token data: last journal sync atime
0.000          0 1183665883          0  non-token data: last expiry atime
0.000          0   22118400          0  non-token data: last expire atime delta
0.000          0       4823          0  non-token data: last expire reduction count

Thanks for the help.

Chris
begin:vcard
n:Arnold;Chris
fn:Arnold, Chris
url:http://www.mytimewithgod.net
version:2.1
email;internet:[EMAIL PROTECTED]
end:vcard



Re: Bayes not able to be used

2007-07-05 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
> Upon starting spamd on SA 3.2.1, we see this,
> [18662] warn: bayes: bayes db version 0 is not able to be used, aborting! at
> /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm
> line 196, line 3.
>   
Hmm, what parameters are you passing to spamd? Are you passing a -u?
> The local.cf has use_bayes   1
> I also ran sa-learn --sync -D. This says it found bayes DB version 3 but
> i only keep seeing the above error. A ls -l
> /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm
> shows:
> -r--r--r--  1 root root 22758 Jun  8 08:55
> /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm
> Shouldn't one of those "r's" be "rw"?
>   
No. Why would you want something to write to the BayesStore.pm? That's
the CODE not the database.

> Can someone help get this working?
>   
What's sa-learn --dump magic report?

(note: if passing -u to spamd, su to that user first)


>  
>   



Bayes not able to be used

2007-07-05 Thread carnold5
Upon starting spamd on SA 3.2.1, we see this,
[18662] warn: bayes: bayes db version 0 is not able to be used, aborting! at
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm
line 196, line 3.
The local.cf has use_bayes   1
I also ran sa-learn --sync -D. This says it found bayes DB version 3 but
i only keep seeing the above error. A ls -l
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm
shows:
-r--r--r--  1 root root 22758 Jun  8 08:55
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm
Shouldn't one of those "r's" be "rw"?

Can someone help get this working?
 
begin:vcard
n:Arnold;Chris
fn:Arnold, Chris
url:http://www.mytimewithgod.net
version:2.1
email;internet:[EMAIL PROTECTED]
end:vcard



Re: 10_default_prefs.cf file in 3.2.x branch

2007-07-05 Thread Matt Kettler
Robert - eLists wrote:
> I have been trying to do a good deal of reading on the newer 3.2.x branch
> etc.
>
> 10_default_prefs.cf
>
> I came across this file in the docs and I am wondering how important it is
> to the big picture on some of our ISP type installs
>
> U I guess I spaced and just didn't see it if it was in the 3.1.x
> branch...
>
> I am investigating yet, it *appears* to override what I have in my local.cf
>   
No, it doesn't... Your local.cf gets parsed *AFTER* this file, so your
local.cf overrides 10_default_prefs.cf.

Note: for this to work 10_default_prefs.cf MUST NOT be in your
/etc/mail/spamassassin. It belongs in /usr/share/spamassassin, as do ALL
the rulefiles that come with SA. Only your site-specific customizations
should be in /etc/mail/spamassassin.
> Would someone kindly point me to other *recommended* reading on the
> importance of this file other than what I have found at this link
>
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

My bigger question is, why not just let the SA installer install all
this stuff? Why are you mucking about hand-installing the rules in the
first place?



Re: A few 3.2.1 questions

2007-07-05 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
> OK, i am not sure who has been following the "upgrade to 3.2" thread but
> i think i have it installed and working? At least spamassassin --lint
> and a spamassassin -D < gtube.txt identifies the GTUBE as spam. But a
> few things that i don't understand: 

> 1)there is no "spamd" anymore? I do
> not have a spamd in my "services". Also a /etc/init.d/spamd stop/start
> produces a "command not found".
The source installer does not install a startup script for spamd, as the
structures of these scripts are platform specific. In the past, I assume
you've used distribution packages, and those would naturally
know what platform you're running, thus what init script to use.

You can copy one of the ones that is included in the spamd directory to
/etc/init.d/spamd. There are example ones for redhat, slackware,
old-style suse, netbsd and solaris.

>  2)The ok_locales is not in the local.cf,
> Can i put ok_locales in the local.cf file and it work? 
Yes, but you need to make sure the textcat plugin is loaded in your
v310.pre. This works *exactly* the same as 3.1.x.


> and 3) We had
> 3.1.0 installed and working before this craziness of upgrading. With
> 3.1.0 on SLES9, if i remember right, we had to install
> perl-mail-spamassassin. This time, to get 3.2.1 installed, i installed
> from source and did not install any perl-mail-spamassassin. Is this correct?
>   
Yes. Some distros split SA up into multiple packages, but the source
tarball installs the perl modules, utilities, rules, etc all in one blow.




RE: FORGED_AOL_TAGS hitting on real AOL mail

2007-07-05 Thread Michael Scheidell


> -Original Message-
> From: Bret Miller [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 05, 2007 7:14 PM
> To: users@spamassassin.apache.org
> Subject: FORGED_AOL_TAGS hitting on real AOL mail
> 
> 
> I'm starting to see a lot of AOL mail getting pushed into the 
> review folder (above 4.0 score) with the FORGED_AOL_TAGS rule 
> hitting, and apparently on real AOL e-mail. At least the 
> e-mails were SPF_PASS and received from an AOL server...

Add this to local.cf, all fixed:

score FORGED_AOL_TAGS 0

(ps, to fix a rule, or report a bug, best to go to
bugzilla.spamassassin.org)


Re: 10_default_prefs.cf file in 3.2.x branch

2007-07-05 Thread Kelson

Robert - eLists wrote:

10_default_prefs.cf

I came across this file in the docs and I am wondering how important it is
to the big picture on some of our ISP type installs

U I guess I spaced and just didn't see it if it was in the 3.1.x
branch...

I am investigating yet, it *appears* to override what I have in my local.cf


Other way around.  These are the defaults, and anything you put in 
local.cf will override the corresponding setting in this file.


SA processes all the files in the general SA directory -- 
/usr/(local)/share/spamassassin, or 
/var/lib/spamassassin/path/to/updated/rules -- then processes the files 
in your local folder (usually /etc/mail/spamassassin)


As long as you leave 10_default_prefs.cf in its normal location, you 
shouldn't have any problems.


--
Kelson Vibber
SpeedGate Communications 
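The read order Kelson and Matt describe (the site-wide rules directory, then the site configuration directory, files in name order within each, last definition wins) is also the quickest way to find out which file is responsible for a setting you did not expect, such as the rules report Robert is seeing in his headers. The script below is an added example, not SpamAssassin's own parser: it emulates that order for *.cf files and lists every place a directive is set. The directory names in DIRS, the handling of the sa-update directory and the sample files that build_demo() creates are assumptions.

```python
"""Find which SpamAssassin config file last sets a directive.

Added example (not SA's parser). It emulates the read order described
above: the site-wide rules directory first, then the site configuration
directory, *.cf files in name order within each, last definition wins.
The directory layout and the sample files built by build_demo() are
assumptions; point DIRS at your own directories for a real check.
"""
import os
import re
import tempfile

# Order SA reads them in (assumed layout; when sa-update has populated
# /var/lib/spamassassin, that directory is assumed to replace the first entry).
DIRS = ["/usr/share/spamassassin", "/etc/mail/spamassassin"]

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?)\s*$")


def cf_files(directory):
    """*.cf files in the directory, in the sorted order SA reads them."""
    if not os.path.isdir(directory):
        return []
    return sorted(os.path.join(directory, f)
                  for f in os.listdir(directory) if f.endswith(".cf"))


def directive_history(dirs, directive):
    """All settings of `directive`, in parse order: [(path, lineno, value), ...]."""
    hits = []
    for d in dirs:
        for path in cf_files(d):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for n, line in enumerate(fh, 1):
                    # '#' starts a comment; good enough here, although a rule
                    # body regex may legitimately contain one.
                    m = DIRECTIVE_RE.match(line.split("#", 1)[0])
                    if m and m.group(1) == directive:
                        hits.append((path, n, m.group(2)))
    return hits


def effective(dirs, directive):
    """The (path, lineno, value) that wins, or None if the directive is never set."""
    hist = directive_history(dirs, directive)
    return hist[-1] if hist else None


def build_demo():
    """Constructed two-directory layout mirroring the situation in the thread."""
    sysdir = tempfile.mkdtemp(prefix="sa-rules-")
    sitedir = tempfile.mkdtemp(prefix="sa-site-")
    files = {
        os.path.join(sysdir, "10_default_prefs.cf"):
            "required_score 5.0\n"
            "add_header all Status \"Yes, score=_SCORE_ required=_REQD_\"\n",
        os.path.join(sitedir, "local.cf"):
            "required_score 4.0\n"
            "# add_header all Report _REPORT_   <- commented out, so not counted\n",
        os.path.join(sitedir, "zz_site_reports.cf"):
            "add_header all Report _REPORT_\n",
    }
    for path, text in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return [sysdir, sitedir]


if __name__ == "__main__":
    dirs = build_demo()
    for directive in ("required_score", "add_header"):
        for path, n, value in directive_history(dirs, directive):
            print(f"{directive:14} {os.path.basename(path)}:{n}: {value}")
```

For a real system, call directive_history(DIRS, "add_header") and directive_history(DIRS, "remove_header"): because directives are applied in parse order, a remove_header in local.cf only cancels an add_header that was parsed before it, not one in a site file that sorts after local.cf. The order SA actually used is also printed in the config debug output of `spamassassin -D config --lint`.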


10_default_prefs.cf file in 3.2.x branch

2007-07-05 Thread Robert - eLists
I have been trying to do a good deal of reading on the newer 3.2.x branch
etc.

10_default_prefs.cf

I came across this file in the docs and I am wondering how important it is
to the big picture on some of our ISP type installs

U I guess I spaced and just didn't see it if it was in the 3.1.x
branch...

I am investigating yet, it *appears* to override what I have in my local.cf

Would someone kindly point me to other *recommended* reading on the
importance of this file other than what I have found at this link

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

thanks and kind regards

 - rh




Re:sa-update

2007-07-05 Thread carnold5
On Thu, Jul 05, 2007 at 05:01:47PM -0400, 
>Install the required modules.  They're listed in the INSTALL doc.
Thanks Theo!
I installed all but IO::Zlib via cpan and on IO::Zlib, it gives this error:
t/tied..ok
t/uncomp1...FAILED test 5
Failed 1/10 tests, 90.00% okay
t/uncomp2...FAILED test 5
Failed 1/10 tests, 90.00% okay
Failed Test   Stat Wstat Total Fail  Failed  List of Failed
-------------------------------------------------------------------------------
t/uncomp1.t                 10    1  10.00%  5
t/uncomp2.t                 10    1  10.00%  5
1 subtest skipped.
Failed 2/10 test scripts, 80.00% okay. 2/123 subtests failed, 98.37% okay.
make: *** [test_dynamic] Error 255
  /usr/bin/make test -- NOT OK
Running make install
  make test had returned bad status, won't install without force

Chris
begin:vcard
n:Arnold;Chris
fn:Arnold, Chris
url:http://www.mytimewithgod.net
version:2.1
email;internet:[EMAIL PROTECTED]
end:vcard



Error feeding spam

2007-07-05 Thread Randall Perry

Am getting this perl error trying to feed SA 3.2.1 spam:

Command:
sudo sa-learn --spam -C /etc/mail/spamassassin --showdots --dir /spam

Error:
Can't use string ("Mail::SpamAssassin") as a HASH ref while "strict 
refs" in use at 
/usr/local/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin.pm line 1385.


relevant config directives:
bayes_auto_learn 1
bayes_store_module   Mail::SpamAssassin::BayesStore::PgSQL
bayes_sql_dsn  DBI:Pg:dbname=dbname;host=localhost


Anyone else seen this?

--
Randall Perry
sysTame

Xserve Web Hosting/Co-location/Leasing
QuickTime Streaming
Mac Consulting/Sales

http://www.systame.com/




Re: Spamassassin -t

2007-07-05 Thread Matt Kettler
Matt wrote:
> When going back and doing a test on a message manually like this how
> do I get it to use the bayes files at say:
> "/home/user3/.spamassassin/"?
>
> Matt
>
AFAIK, there's no way to change bayes DB's via the command line.

However, you could do something like this:

su user3 -c 'spamassassin -t' < /path/to/message   # -c runs the command as user3; the message is read from stdin

FORGED_AOL_TAGS hitting on real AOL mail

2007-07-05 Thread Bret Miller
I'm starting to see a lot of AOL mail getting pushed into the review
folder (above 4.0 score) with the FORGED_AOL_TAGS rule hitting, and
apparently on real AOL e-mail. At least the e-mails were SPF_PASS and
received from an AOL server...

Here are two examples:

http://webmail.wcg.org/~support/spam/20070705-01.txt
http://webmail.wcg.org/~support/spam/20070705-02.txt

This rule seems to score awfully high for the ham hit rate...

I'll probably take the time tomorrow to track down where it's coming
from and perhaps adjust the score down so I don't have to keep adding
AOL users to my whitelist. I just don't like doing that because those
scoring adjustments then have to be evaluated regularly. It'd be nicer
if someone fixed the rule.

Bret





Re: New version of iXhash plugin available

2007-07-05 Thread guenther
On Thu, 2007-07-05 at 23:04 +0200, Dirk Bonengel wrote:
> Maybe just a few words to close that discussion here:

Dirk, I don't think this really puts an end to this discussion, and I
believe what Per actually was wondering about are some precise
statements about each of the iXhash lists sources. At the very least,
that is what I am wondering about. ;)

Unfortunately, the example iXhash.cf of (current) version 1.0 is rather
scarce when it comes to the definitions. I'd wish for these to become as
informative again as they used to be. FWIW, these verbose descriptions
and comments have been the reason for me to pick 2 out of 3 lists in the
first place, long ago. (Which doesn't mean I am not re-evaluating this
decision. In fact, the third one seems to be highly accurate, too --
granted, based on some brief, non-exhaustive tests...)


Revision 23 of your plugins old home claims this:
  http://wiki.apache.org/spamassassin/iXhash?action=diff

* ix.dnsbl.manitu.net:  Uses iX Magazine's spam as datasource.

* nospam.login-solutions.de:  *Manually* verified stuff, fed by
  spamtraps run by LogIn & Solutions AG.

* nospam.login-solutions.ag:  Lots of stuff, but *automatically*
  categorized and contributed.


So, the most important question is:  Does this still hold true?

Also, am I correct in understanding, that all you mentioned in your
previous post about the various sources applies to the last list only?


I do love your plugin and these lists, using them personally for a long
time -- and I find them to not only match a huge part of my spam, but to
also be highly accurate. However, Per is right in that trust is an
important piece of the puzzle whether to use a list or not.

I'd really love to see this info probably being mentioned on the (new)
project home, and definitely back in place in the example cf file...

  guenther





Re: sample of new style PDF spam (containing embedded link, no image)

2007-07-05 Thread hamann . w

I receive quite a few legitimate pdf attachments - half of them are pdf type,
the other half is octet-stream
(but they are usually A4 paper size)

Wolfgang Hamann


>> >Here's a new style of PDF spam (recipient email address is munged):
>> 
>> [snip]
>> 
>> >  - uses "application/octet-stream" instead of "application/pdf"
>> >as the Content-Type
>> 
>>  From your sample:
>> 
>>   Content-Type: application/octet-stream; name="Message.pdf"
>> 
>> You could match on the "application/octet-stream" and the file 
>> extension being ".pdf".
>> 
>> Regards,
>> -sm 
>> 
>> 






Re: sample of new style PDF spam (containing embedded link, no image)

2007-07-05 Thread Chip M.
At 01:09 PM 7/5/2007 -0700, you wrote:
>You could match on the "application/octet-stream" and the file 
>extension being ".pdf".

Good idea, but sorry, I should have been clearer (my BIM):
I meant use that in COMBINATION with OTHER signs, mainly to detect the
difference between the two styles.

To clear this up, I did some MassChecks on all 2007 data for my two
most diverse (Muggle) domains, and using your (suggested) rule above,
had these results (percent FPs, total FPs, total ham PDFs):
34.66%, 96, 277
26.98%, 92, 341
The first is a business, the 2nd an extended family.  Some quick eyeball
checks of just small PDFs indicate this content type is valid, and in
common use.

That content type is only of interest in the context of differentiating 
between the two very distinct styles, which I suspect are produced by
two separate pieces of software.  Sorry if I confused anybody.

I also did a much smaller masscheck of just this month's data for the
domain which received the new style, and, using the content type as a
branch point for my own rules, had zero FPs, and 100% spam killrate
(for PDFs).

Again, my PDF specific rules "cocktail" consists of a combination of
message size, Realname, and internal "tags" (using a post processing
filter that I suspect uses a similar approach to Dallas' SA plugin).
On top of those, I'm getting plenty of hits using nation of
origin/route.
- "Chip"
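SM's suggestion and Chip's masscheck numbers fit together as features rather than as a rule: the octet-stream content type with a .pdf name is a branch point, not a verdict, since it hits a quarter to a third of legitimate PDFs. Below is an added example, not Chip's rule set, SM's rule or SpamAssassin code, that walks a message's MIME parts and returns that feature together with two others worth combining it with: whether the bytes really start with the PDF magic, and how much text body the message carries. The three sample messages are constructed with the Python standard library and are not real spam.

```python
"""Features for PDF attachments sent as application/octet-stream.

Added example, not Chip's rules, SM's suggested rule or SA code. It walks
the MIME parts of a message and returns a few features for a rule
'cocktail': an octet-stream part with a .pdf name, its size, whether the
bytes actually start with the PDF magic, and how much text body there
is. None of these is a verdict by itself. The sample messages are
constructed with the stdlib, not real spam.
"""
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def pdf_features(raw):
    """Return a dict of features for rules to combine (see module docstring)."""
    msg = message_from_string(raw)
    feats = {"octet_pdf": False, "octet_pdf_bytes": None,
             "pdf_magic_mismatch": False, "text_body_chars": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        if ctype == "text/plain":
            feats["text_body_chars"] += len(data.strip())
            continue
        name = (part.get_filename() or "").lower()
        if ctype == "application/octet-stream" and name.endswith(".pdf"):
            feats["octet_pdf"] = True
            feats["octet_pdf_bytes"] = len(data)
            # A ".pdf" that is not a PDF is a stronger signal than the
            # content type: every real PDF starts with "%PDF-".
            feats["pdf_magic_mismatch"] = not data.startswith(b"%PDF-")
    return feats


def build_sample(body_text, attach_name, subtype, payload):
    """Constructed multipart message with one text part and one attachment."""
    m = MIMEMultipart()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "constructed sample"
    m.attach(MIMEText(body_text, "plain"))
    m.attach(MIMEApplication(payload, subtype, name=attach_name))
    return m.as_string()


# Three constructed samples: the style reported in the thread, an ordinary
# ham PDF, and a .pdf that is not PDF data at all.
SPAM_STYLE = build_sample("", "Message.pdf", "octet-stream",
                          b"%PDF-1.4\n" + b"\x00" * 3000)
HAM_STYLE = build_sample("Hi, the signed contract is attached.",
                         "contract-2007-07.pdf", "pdf",
                         b"%PDF-1.4\n" + b"\x00" * 60000)
FAKE_PDF = build_sample("", "report.pdf", "octet-stream",
                        b"MZ\x90\x00" + b"\x00" * 200)

if __name__ == "__main__":
    for label, raw in (("spam-style", SPAM_STYLE), ("ham-style", HAM_STYLE),
                       ("fake-pdf", FAKE_PDF)):
        print(label, pdf_features(raw))
```

Run against a masscheck corpus, the per-feature hit counts on ham and spam are what tell you which combinations are safe to score; on their own, octet_pdf is the 27 to 35 percent FP feature from Chip's numbers, while pdf_magic_mismatch should almost never hit ham.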




Re: sa-update

2007-07-05 Thread Theo Van Dinter
On Thu, Jul 05, 2007 at 05:01:47PM -0400, [EMAIL PROTECTED] wrote:
> We want to be able to use sa-update. This is a "vanilla" install of SA
> 3.2.1 using spamd with hula server. when i run sa-update from the CLI, i
> get this:
> Can't locate LWP/UserAgent.pm in @INC (@INC contains:
> 
> How do i fix this so we can use sa-update?

Install the required modules.  They're listed in the INSTALL doc.

-- 
Randomly Selected Tagline:
"Matt to Lower Intestine ... Matt to Lower Intestine ...  Please pick up
 white courtesy phone."   - Theo to Matt




Re: New version of iXhash plugin available

2007-07-05 Thread Dirk Bonengel

Per Jessen schrieb:

> Marc Perkel wrote:
>
>> I do most of the filtering using Exim rules and I only use
>> Spamassassin on less that 1% of incoming email. What I do is focus on
>> the behavior of the spammer rather than the content of the message. I
>> have too many tricks to describe here but my filtering is extremely
>> accurate.
>
> OK, that's fair enough.  But it also virtually rules out my using
> anything from login-solutions (courtesy of Dirk).  I can't trust
> somebody else's hashes very much, not unless they are from guaranteed
> spamtraps or manually verified.
>
>> I'm sending Dirk only hashes. We set up a special server to process
>> them at high speeds. I'm probably sending about 100k hashes a day.
>
> Very impressive.
>
> /Per Jessen, Zürich

Maybe just a few words to close that discussion here:
Marc has sent me hashes generated from his spamtraps for quite some time 
now, and he's a valuable source of input for me. He's definitely 'up 
there', as he puts it, and I'm really grateful he's investing time and 
resources as he did.
There's another volume contributor who's probably busy fixing broken 
hardware, else he'd maybe come forward - he's a regular here.
I know of one other contributor who explicitly wants to keep his 
involvement a secret. And that's why I've chosen to mention no-one in the 
first place. If you don't like that - don't use my lists.


Another thing: You mention http://www.nixspam.org a.k.a 
http://www.heise.de/ix/nixspam/. Just to be clear - that's a different 
story and a different project. NiXspam is a procmail-based spam filter 
that produces lists (i.e. text files) of IPs and fuzzy checksums to help 
identify and block known spam sources or mails. Years ago manitu.net, a 
German ISP, volunteered to publish this data via DNS. This data was the 
initial impulse for me to write up this plugin (so I can use the hashes 
from within SA), but otherwise the two projects are separate. I'm not 
affiliated with Heise, and I don't provide input for their list.


Dirk


sa-update

2007-07-05 Thread carnold5
We want to be able to use sa-update. This is a "vanilla" install of SA
3.2.1 using spamd with hula server. when i run sa-update from the CLI, i
get this:
Can't locate LWP/UserAgent.pm in @INC (@INC contains:
/usr/lib/perl5/site_perl/5.8.3/i586-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.3
/usr/lib/perl5/5.8.3/i586-linux-thread-multi /usr/lib/perl5/5.8.3
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl) at
/usr/bin/sa-update line 79.
BEGIN failed--compilation aborted at /usr/bin/sa-update line 79.

How do i fix this so we can use sa-update?
begin:vcard
n:Arnold;Chris
fn:Arnold, Chris
url:http://www.mytimewithgod.net
version:2.1
email;internet:[EMAIL PROTECTED]
end:vcard



Re: A different approach to scoring spamassassin hits, Re: A different approach to scoring spamassassin hits

2007-07-05 Thread Nix
On 5 Jul 2007, [EMAIL PROTECTED] stated:

> On 7/2/2007, "Nix" <[EMAIL PROTECTED]> wrote:
> 
> 
>>If you wanted to replace all other scoring mechanisms with the Bayes DB,
>>you'd need a second Bayes DB for this, anyway, or you'd need the tokens
>>corresponding to typically negative-scoring rules to have values which
>>cannot appear in the body of an email. Anything else would enable spammers
>>to force both FPs and FNs by customizing spam appropriately to include
>>suitable NO_FOO/YES_FOO values.
> 
> That's why the data is being passed in as a second reference, nothing to
> do with the message.  Seems to be working well, but there's some
> optimization to include.

It doesn't just need to be a second reference. The tokens need to be
independent of the message-derived tokens in the Bayes database itself
as well: i.e., it needs to be impossible for spammers to generate tokens
in the message body which can be used to influence the scores of the
tokens in the Bayes DB which correspond to the Bayes-scored rule hits.


(btw, Tom, what's wrong with your mailer? ^M characters --- CRCRLF line
terminators on the wire, perhaps? --- a doubled-up Subject line, and two
To: lines, one with fullnames, one without... I cleaned up the ^Ms in
this response.)

-- 
`... in the sense that dragons logically follow evolution so they would
 be able to wield metal.' --- Kenneth Eng's colourless green ideas sleep
 furiously


A few 3.2.1 questions

2007-07-05 Thread carnold5
OK, i am not sure who has been following the "upgrade to 3.2" thread but
i think i have it installed and working? At least spamassassin --lint
and a spamassassin -D < gtube.txt identifies the GTUBE as spam. But a
few things that i don't understand: 1)there is no "spamd" anymore? I do
not have a spamd in my "services". Also a /etc/init.d/spamd stop/start
produces a "command not found". 2)The ok_locales is not in the local.cf,
Can i put ok_locales in the local.cf file and it work? and 3) We had
3.1.0 installed and working before this craziness of upgrading. With
3.1.0 on SLES9, if i remember right, we had to install
perl-mail-spamassassin. This time, to get 3.2.1 installed, i installed
from source and did not install any perl-mail-spamassassin. Is this correct?
begin:vcard
n:Arnold;Chris
fn:Arnold, Chris
url:http://www.mytimewithgod.net
version:2.1
email;internet:[EMAIL PROTECTED]
end:vcard



Re: New version of iXhash plugin available

2007-07-05 Thread Dirk Bonengel

Per Jessen schrieb:

> [EMAIL PROTECTED] wrote:
>
>> The difference is that the .de domain is fed by input that's either
>> visually checked or stems from dedicated spamtraps, so I'm quite
>> confident the hashes contained really mark spam.
>>
>> The .ag domain contains hashes either from feedback loops (ie. end
>> users) or from mails marked as spam by other systems. Thus there's a
>> higher risk of getting FPs from that list - hence the lower score.
>
> Any chance of making one or both available for download/rsync?
>
> /Per Jessen, Zürich

I have rsyncd available, so why not. Contact me per PM and I'll see to it.

Dirk


Re: New version of iXhash plugin available

2007-07-05 Thread Per Jessen
Marc Perkel wrote:

> I do most of the filtering using Exim rules and I only use
> Spamassassin on less that 1% of incoming email. What I do is focus on
> the behavior of the spammer rather than the content of the message. I
> have too many tricks to describe here but my filtering is extremely
> accurate.

OK, that's fair enough.  But it also virtually rules out my using
anything from login-solutions (courtesy of Dirk).  I can't trust
somebody else's hashes very much, not unless they are from guaranteed
spamtraps or manually verified. 

> I'm sending Dirk only hashes. We set up a special server to process
> them at high speeds. I'm probably sending about 100k hashes a day.

Very impressive. 



/Per Jessen, Zürich



RE: isolated W

2007-07-05 Thread donald.dawson
Martin,

How did you run the test below and get the rules grid?  Did you somehow
test the email contents below?

I'm concerned my implementation did not return these hits.

Thanks,
Donald

-Original Message-
From: Martin.Hepworth [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 05, 2007 10:55 AM
To: Dawson, Donald; users@spamassassin.apache.org
Subject: RE: isolated W


Donald

My analysis (SA 3.1.8)


Content analysis details:   (10.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.3 SARE_WEOFFER           BODY: Offers Something
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.8 MISSING_SUBJECT        Missing Subject: header
 0.5 FM_NO_TO               FM_NO_TO
 0.6 HELO_MISMATCH_NET      HELO_MISMATCH_NET
 0.1 TO_CC_NONE             No To: or Cc: header
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2

Putting in a "spam list" in mailscanner.conf will make anything that
hits that RBL be marked as spam... nothing to do with SA!

Also the URIBL black and grey are already in SA, so no need to add them in.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
> Sent: 05 July 2007 16:48
> To: users@spamassassin.apache.org
> Subject: FW: isolated W
>
> This may have already been addressed, but is there a released rule set
> or add-on that would help in identifying these type of stock spam
> emails?
>
> We use MailScanner 4.59.4 (MailScanner-v: 3.002000
Mail::SpamAssassin),
> SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor.  We run
> sa-update and RulesDuJour for automatic updates.
>
> We turned off Razor since it was causing delays in processing mail.
>
> In MailScanner, we turned off SpamHaus since we process too much email -
> it appears it was just raising the score of high spam:  'Spam List =
> SBL+XBL'
>
> We also use milter-greylist during the hours of 10 PM and 5 AM.  We use
> milter-null (snert) to reduce bounce backs.
>
> We receive about 300k emails a day with about 70% identified as spam.
> We deliver about 5% of the suspected spam (score below 5).
>
> We added URIBL checks to our mailscanner.cf file:
>
> urirhssub   URIBL_BLACK  multi.uribl.com.    A   2
> body        URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
> describe    URIBL_BLACK  Contains an URL listed in the URIBL blacklist
> tflags      URIBL_BLACK  net
> score       URIBL_BLACK  3.0
>
> urirhssub   URIBL_GREY   multi.uribl.com.    A   4
> body        URIBL_GREY   eval:check_uridnsbl('URIBL_GREY')
> describe    URIBL_GREY   Contains an URL listed in the URIBL greylist
> tflags      URIBL_GREY   net
> score       URIBL_GREY   0.25
>
> I am considering adding the botnet plugin from:
> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and possibly
> adding fake MX entries.
>
> We use BAYES, but we don't feed spam or ham so it may have little help.
>
> Here are the cf files we use in /etc/mail/spamassassin:
>
> 00_FVGT_File001.cf
> 70_sare_adult.cf
> 70_sare_bayes_poison_nxm.cf
> 70_sare_evilnum0.cf
> 70_sare_genlsubj0.cf
> 70_sare_genlsubj_eng.cf
> 70_sare_header0.cf
> 70_sare_header_eng.cf
> 70_sare_highrisk.cf
> 70_sare_html0.cf
> 70_sare_html_eng.cf
> 70_sare_obfu0.cf
> 70_sare_oem.cf
> 70_sare_random.cf
> 70_sare_specific.cf
> 70_sare_spoof.cf
> 70_sare_stocks.cf
> 70_sare_unsub.cf
> 70_sare_uri0.cf
> 70_sare_uri_eng.cf
> 70_sare_whitelist.cf
> 70_sare_whitelist_rcvd.cf
> 70_sare_whitelist_spf.cf
> 70_zmi_german.cf
> 72_sare_bml_post25x.cf
> 72_sare_redirect_post3.0.0.cf
> 88_FVGT_body.cf
> 88_FVGT_rawbody.cf
> 88_FVGT_subject.cf
> 88_FVGT_uri.cf
> 99_sare_fraud_post25x.cf
> bakerbotts.cf
> bogus-virus-warnings.cf
> chickenpox.cf
> init.pre
> local.cf
> mailscanner.cf
> mangled.cf
> pdfinfo.cf
> popcorn_new.cf
> random.cf
> sa-update-keys
> tripwire.cf
> v310.pre
> v312.pre
> v320.pre
> weeds.cf
>
> Any input on our configuration would be appreciated - this is a great
> forum!
>
> Donald
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> 713-229-2183
>
>


Re: sample of new style PDF spam (containing embedded link, no image)

2007-07-05 Thread SM

At 12:49 05-07-2007, Chip M. wrote:

> Here's a new style of PDF spam (recipient email address is munged):
>
> [snip]
>
>  - uses "application/octet-stream" instead of "application/pdf"
>    as the Content-Type

From your sample:

 Content-Type: application/octet-stream; name="Message.pdf"

You could match on the "application/octet-stream" and the file
extension being ".pdf".


Regards,
-sm 



Postfix Authenticated Header

2007-07-05 Thread Matthew Dickinson
Hi,

Whilst trying to use Botnet on my machine running SA 3.2.1 and postfix -
I've come to the conclusion that SA is unable to pickup authentication
headers provided by postfix (smtpd_sasl_authenticated_header yes).

As far as I  can see...

From Mail/SpamAssassin/Message/Metadata/Received.pm:
  # Postfix 2.3 and later with "smtpd_sasl_authenticated_header yes"
  elsif (/\) \(Authenticated sender: \S+\) by \S+ \(Postfix\) with /) {
$auth = 'Postfix';
  }

However, the headers I'm getting from postfix look like:
Received: from MYPC (unknown [77.xxx.xx.xx])
(Authenticated sender: [EMAIL PROTECTED])

And the source (postfix/src/smtpd/smtpd.c) seems to back this up:
out_fprintf(out_stream, REC_TYPE_NORM,
"\t(Authenticated sender: %s)", STR(username));

Is this something that needs changed in SA - or something in postfix?

Thanks!

Matthew
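An added illustration, not part of the post and not SpamAssassin's own code: the pattern quoted above, applied to a constructed Postfix Received header laid out the way the post shows it (the "(Authenticated sender: ...)" clause on its own tab-indented line), and then to the same header with the folding whitespace collapsed. Hostnames, IP and addresses are placeholders.

```python
import re

# The pattern quoted from Mail/SpamAssassin/Message/Metadata/Received.pm in the
# post above (Perl syntax there; the same expression in Python syntax here).
POSTFIX_AUTH_RE = re.compile(
    r"\) \(Authenticated sender: \S+\) by \S+ \(Postfix\) with "
)

# Constructed Received header value (without the "Received:" field name),
# folded the way the post shows Postfix emitting it.  Hosts, IP and
# addresses are placeholders, not taken from any real message.
FOLDED_HEADER = (
    "from MYPC (unknown [192.0.2.10])\n"
    "\t(Authenticated sender: user@example.com)\n"
    "\tby mail.example.com (Postfix) with ESMTPSA id 0123456789AB\n"
    "\tfor <rcpt@example.org>; Thu,  5 Jul 2007 12:00:00 +0100"
)


def unfold(header: str) -> str:
    """Undo RFC 5322 header folding: collapse every run of whitespace
    (including the newline-plus-tab continuation) into one space."""
    return re.sub(r"\s+", " ", header).strip()


def matches_postfix_auth(header: str) -> bool:
    """True when the SpamAssassin pattern quoted in the post hits this text."""
    return POSTFIX_AUTH_RE.search(header) is not None


def authenticated_sender(header: str):
    """Return the SASL login name Postfix recorded, or None if absent.
    Unfolds first, so it works on the header as Postfix writes it."""
    m = re.search(r"\(Authenticated sender: (\S+)\)", unfold(header))
    return m.group(1) if m else None


if __name__ == "__main__":
    print("folded header matches:  ", matches_postfix_auth(FOLDED_HEADER))
    print("unfolded header matches:", matches_postfix_auth(unfold(FOLDED_HEADER)))
    print("authenticated sender:   ", authenticated_sender(FOLDED_HEADER))
```

The pattern needs the closing parenthesis, the clause and "by" on one line with single spaces between them, so it only hits after the folded whitespace has been collapsed; whether a given SpamAssassin version collapses it before running this pattern is not something the post settles.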




Re: New version of iXhash plugin available

2007-07-05 Thread Rob McEwen
Why not just let the quality (or lack of quality) of the plugin speak for 
itself. If anyone starts spotting FPs (even a tiny bit) and these trace 
back to Marc, THEN perhaps this would be a useful discussion. Otherwise, 
I'm going to assume that Marc's data is pretty good. For one, with his 
feeding iXhash for the past year, then we'd probably be hearing 
about FPs from iXhash if Marc was feeding bad data!!... but, instead, 
the opposite is true.

(recently, someone testing one of my DNSBLs asked the same kind of 
questions... I told the guy... spot me ONE single FP first and THEN I'll 
tell you more about how it works!)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: New version of iXhash plugin available

2007-07-05 Thread Marc Perkel



Per Jessen wrote:
> Marc Perkel wrote:
>
>> I think I'm the highest volume source for Dirk. If not the highest I'm
>> up there. I'm feeding his public servers. i have been for about a
>> year.
>
> Hi Marc,
>
> a feed that size is very interesting to be perfectly honest.  I have a
> couple of questions -
>
> how do you determine what to feed?  spamtraps, honeypots?
> if so, how are these set?
> are you feeding Dirk only the hashes or are you feeding him the raw
> email?  i.e. who is computing the fuzzy hash?
>
> /Per Jessen, Zürich


I do most of the filtering using Exim rules and I only use Spamassassin 
on less than 1% of incoming email. What I do is focus on the behavior of 
the spammer rather than the content of the message. I have too many 
tricks to describe here but my filtering is extremely accurate.


I'm sending Dirk only hashes. We set up a special server to process them 
at high speeds. I'm probably sending about 100k hashes a day.




sample of new style PDF spam (containing embedded link, no image)

2007-07-05 Thread Chip M.
Here's a new style of PDF spam (recipient email address is munged):
http://Puffin.net/software/spam/samples/0004_pdf_gen3.eml

This time, it (apparently) is plain text with a link to an ED site, with
rather explicit language.  I've only found two of these so far.

From a technical point of view, it's interesting (aka annoying), because
it's a LOT smarter than the 2nd wave stock fuzzy images.

Most notable are:
 - no longer has an empty text part (that was a dead giveaway)
 - instead of an empty RealName, uses the account name
   (ok, that's a bit dumb)
 - does not put the attachment filename in the Subject
   (still has "PDF" somewhere)
 - uses different (less obvious) PDF generator software
   (none of my old (albeit cautious) tags hit)
 - uses "application/octet-stream" instead of "application/pdf"
   as the Content-Type
 - has a bogus anti-viral text part as the final part of the message

I've updated my own rules to look for that content type, and some
obvious new tags.

Dallas, based on what you've posted, I'm pretty sure I know some of the
tags you were keying on, and suspect this new style breaks those.
This sample does have several good candidates for new tags (possibly
even more distinctive than the previous style - I haven't done a mass
check yet).

My gut instinct is that these are different gangs, and almost all of the
PDFs I'm seeing are still the previous style, so existing solutions
should still be usable for some time.

On my system, these have all been stopped by a combination of
"small PDF", Nation of origin/route, and bogus Realname tests.

There is one other potentially interesting pattern, but with only two
data points to extrapolate from, I will resist the temptation to draw a
straight line. :)

Does anyone have a sample of the very FIRST wave?  The ones that looked
like a prospectus?  I've seen a screen dump, but that's useless for
analysis.
- "Chip"
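As an added example, not code from Chip or SM and not SpamAssassin's own rules: two of the traits listed above (the octet-stream/.pdf mismatch SM's reply suggests matching on, and the bogus text part trailing the attachment) as checks over a constructed message that mimics the sample's structure. The sample, the control message and the tag names are made up here.

```python
import email
from email import policy

# Constructed message (not the poster's 0004_pdf_gen3.eml) reproducing the
# traits from the post: a non-empty text part, a PDF attachment declared as
# application/octet-stream, and a final "anti-virus" text part.
SAMPLE = b"""From: Alice Example <alice@example.com>
To: bob@example.org
Subject: Your PDF statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please see the attached document.
--b1
Content-Type: application/octet-stream; name="Message.pdf"
Content-Disposition: attachment; filename="Message.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: text/plain; charset=us-ascii

No virus found in this outgoing message.
--b1--
"""

# Constructed control: the same attachment declared as application/pdf and
# no trailing text part, so neither check should fire.
CONTROL = b"""From: Alice Example <alice@example.com>
To: bob@example.org
Subject: Your PDF statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset=us-ascii

Please see the attached document.
--b2
Content-Type: application/pdf; name="Statement.pdf"
Content-Disposition: attachment; filename="Statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def parse(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage tree."""
    return email.message_from_bytes(raw, policy=policy.default)


def leaf_parts(msg):
    """All non-multipart parts, in message order."""
    return [p for p in msg.walk() if not p.is_multipart()]


def octet_stream_pdfs(msg):
    """Names of attachments whose filename ends in .pdf but whose declared
    Content-Type is application/octet-stream instead of application/pdf."""
    hits = []
    for part in leaf_parts(msg):
        name = part.get_filename() or part.get_param("name") or ""
        if (part.get_content_type() == "application/octet-stream"
                and name.lower().endswith(".pdf")):
            hits.append(name)
    return hits


def has_text_trailer(msg):
    """True when the last part is text/plain and an attachment precedes it,
    i.e. the 'bogus anti-viral text part' layout described in the post."""
    leaves = leaf_parts(msg)
    if len(leaves) < 2:
        return False
    earlier_attachment = any(
        p.get_content_disposition() == "attachment" for p in leaves[:-1])
    return earlier_attachment and leaves[-1].get_content_type() == "text/plain"


def fired_tags(raw):
    """Tag names (invented here) that fire on a raw message."""
    msg = parse(raw)
    tags = []
    if octet_stream_pdfs(msg):
        tags.append("OCTET_STREAM_PDF_NAME")
    if has_text_trailer(msg):
        tags.append("TEXT_TRAILER_AFTER_ATTACH")
    return tags


if __name__ == "__main__":
    print("sample: ", fired_tags(SAMPLE))
    print("control:", fired_tags(CONTROL))
```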




Re: New version of iXhash plugin available

2007-07-05 Thread Per Jessen
Marc Perkel wrote:

> I think I'm the highest volume source for Dirk. If not the highest I'm
> up there. I'm feeding his public servers. i have been for about a
> year. 

Hi Marc,

a feed that size is very interesting to be perfectly honest.  I have a
couple of questions - 

how do you determine what to feed?  spamtraps, honeypots? 
if so, how are these set? 
are you feeding Dirk only the hashes or are you feeding him the raw
email?  i.e. who is computing the fuzzy hash?


/Per Jessen, Zürich



actual paypal fraud breakout rule

2007-07-05 Thread c. r.
begin 644 99_paypal.cf


Re: Bayes suddenly scoring everything at 0

2007-07-05 Thread Alex Woick

> I have a site-wide Bayesian database that I trained some time ago with a few
> hundred hams, and then since then I've trained spam into it anytime I
> received a false negative.
>
> [...]
>
> I noticed something interesting - all the spam I've gotten in at least the
> last few days has scored 0 on Bayes.


I am continuously learning everything for Bayes. I have autolearn on 
(it's the default) and am explicitly learning all unlearned ham and spam 
accordingly, including FPs. But that's only my account. The other users 
don't let their mail be learned, so for them only autolearn applies.


Almost all spams that are half "content" and half random text score 
BAYES_99, so I think that's the way to do it. Whenever I look at the 
spam scores, I see BAYES_99 in spam and BAYES_50 or lower on ham.
It's important to continuously learn everything so the system 
accommodates to new mail characteristics. No mail is more "important" to 
learn than others. Every mail is equally important.


To help Bayes distinguish between spam and ham, I have subscribed to a 
few technical medium-traffic spam free mailing lists, even if I don't 
read them regularly. Otherwise, the ham count is a bit too low in my 
opinion.


Re: spam with a pdf

2007-07-05 Thread Egor A. Fisher
Andrew Xiang wrote:
> I am not clear on your suggestion. Do you recommend using fuzzyocr
> plugin for SA?
>  
> -Andrew
>  
Yes, the latest version from svn has mechanisms for PDF recognition,
but I've some problems with the netpbm components.

(And this solution is right if you don't want to just give higher scores to all
PDF files.)






Re: New version of iXhash plugin available

2007-07-05 Thread Per Jessen
Marc Perkel wrote:

>> To stay on-topic, are you providing ixHash checksums from some of the
>> spams for others to use?
>>
>> /Per Jessen, Zürich
>>   
> 
> Yes - I thought that was what I said. I think I'm the highest volume
> source for Dirk. If not the highest I'm up there. I'm feeding his
> public servers. i have been for about a year.

Hmmm - no, that's not quite how I read your posting, but I obviously got
it wrong.
Dirk - what have you got to add here?  I don't think I've seen this
mentioned anywhere at www.nixspam.org.  Or are Marc's hashes only going
into the lists at login-solutions?  

My opinion - it might be overall a Good Thing(R), but when it comes to
spam-filtering Trust Is More Desirable(R) IMHO. I don't use the
login-solutions data because I don't have any feel for how trustworthy
it is, but when Marc's feed isn't even mentioned, I don't like it at
all.


/Per Jessen, Zürich



Re: A different approach to scoring spamassassin hits

2007-07-05 Thread tom

On 7/2/2007, "Nix" <[EMAIL PROTECTED]> wrote:


>If you wanted to replace all other scoring mechanisms with the Bayes DB,
>you'd need a second Bayes DB for this, anyway, or you'd need the tokens
>corresponding to typically negative-scoring rules to have values which
>cannot appear in the body of an email. Anything else would enable spammers
>to force both FPs and FNs by customizing spam appropriately to include
>suitable NO_FOO/YES_FOO values.

That's why the data is being passed in as a second reference, nothing to
do with the message.  Seems to be working well, but there's some
optimization to include.


Re: Bayes suddenly scoring everything at 0

2007-07-05 Thread omehegan

I should note that autolearn is turned on, and is apparently learning about
half of my legit messages as ham, so that's cool. Furthermore, the spams
that are getting through are showing as autolearn=no, so that's good as
well. Seems less likely, then, that a stale database of ham messages is
causing my problem.



Re: New version of iXhash plugin available

2007-07-05 Thread Marc Perkel



Per Jessen wrote:
> [EMAIL PROTECTED] wrote:
>
>> The difference is that the .de domain is fed by input that's either
>> visually checked or stems from dedicated spamtraps, so I'm quite
>> confident the hashes contained really mark spam.
>>
>> The .ag domain contains hashes either from feedback loops (ie. end
>> users) or from mails marked as spam by other systems. Thus there's a
>> higher risk of getting FPs from that list - hence the lower score.


One thing to note about how the iXhash works is that if it were fed a 
false positive that wasn't some mass mailing then that false hash would 
probably never be hit again. That's why I think this method is highly 
false positive resistant.


Re: New version of iXhash plugin available

2007-07-05 Thread Marc Perkel



Per Jessen wrote:
> Marc Perkel wrote:
>
>> I'm feeding in spam from 1600 domains through my junkemailfilter.com
>> service and I think that I'm helping out a very good service. I
>> encourage others to do the same.
>
> At a price of course.  Thanks for the advertising Marc.
>
> To stay on-topic, are you providing ixHash checksums from some of the
> spams for others to use?
>
> /Per Jessen, Zürich


Yes - I thought that was what I said. I think I'm the highest volume 
source for Dirk. If not the highest I'm up there. I'm feeding his public 
servers. i have been for about a year.




Bayes suddenly scoring everything at 0

2007-07-05 Thread omehegan

I'm running SA 3.2.1 with Postfix, routing mail to it through spamd/spamc. I
have a site-wide Bayesian database that I trained some time ago with a few
hundred hams, and then since then I've trained spam into it anytime I
received a false negative. With the recent influx of PDF and stock spam,
I've been updating rules and tweaking settings to get SA to catch them. I
noticed something interesting - all the spam I've gotten in at least the
last few days has scored 0 on Bayes. That's causing SA to drop the message's
score by 2.6 points, throwing other filters off-balance, so to speak. I'm
wondering if this is happening because I've been dutifully teaching these
stock spam messages into the database. They're full of nonsense words, and
although I think I've been told on this list that it's ok to submit them, it
seems like that could reduce the Bayes reliability. Or, maybe I just need to
refresh the database with a slew of new ham messages. 

Attached is a spam I got today, which got good hits in other tests but 0
probability in Bayes. Any suggestions on how to remedy this would be
appreciated. Thanks!

http://www.nabble.com/file/p11451717/spam.txt spam.txt 



Re: MD5 Hash of URL's

2007-07-05 Thread John D. Hardin
On Thu, 5 Jul 2007, Kelson wrote:

> > On Tue, 3 Jul 2007, Matt wrote:
> > 
> >> Why can't Spamassassin do like a MD5 hash of any URL's in a
> >> message and check them against a database?  I just think it would
> >> help catch things like: geocities.com/spamer123/ or
> >> spamer123.tripod.com and etc.
> 
> The concept might still be useful for specific known "grey" hosts
> with a mix of legit sites and spam sites -- geocities, tripod,
> blogspot, etc.  --where the URL patterns are known.  If you know
> the pattern is account.example.com, or example.com/account, then
> throw away the rest of the URL and list/lookup the base pattern.

True. The plugin doing the analysis would have a list of domains and 
slice points (how much of the URL to discard before hashing). I 
presume the MD5 sum would be checked via a DNS lookup? That would be 
the only way to get a reasonable response time for new URLs to block.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If someone has a gun and is trying to kill you, it would be
  reasonable to shoot back with your own gun.
  -- the Dalai Lama, May 15, 2001
---
 2 days until Robert Heinlein's 100th birthday



In place upgrade/update

2007-07-05 Thread Skip Brott
Treat me kindly as I am brand new here.

I am currently running SA 3.1.0 on RHEL3  with sendmail 8.13 and am
interested in upgrading SA to a newer version.  I have not been able to find
any documentation as to what I need to back up from my current installation.
I assume I need to keep all of my *.cf files located in
/etc/mail/spamassassin, but what else should I be concerned about?  I had
planned to upgrade to 3.2.1 but it was kicking out the dependency problems
which I am concerned about.  I opted for 3.1.9 and I just completed the
rpmbuild so the installation is ready but I don't want to lose any of my
existing configuration.

Thanks for any and all insight!

- Skip


Re: Training the Bayesian learner

2007-07-05 Thread Theo Van Dinter
On Thu, Jul 05, 2007 at 09:13:06AM -0700, Unga wrote:
> I have noted sa-learn updates the files in
> /root/.spamassassin/ irrespective of the username for
> its -u option.

sa-learn -u is only useful for SQL.  For non-SQL, you'd want to run
sa-learn as the appropriate user.

> I prefer to run spamd as mailuser (-u mailuser ), is
> it possible to use one central location for bayes_*
> files for SpamAssassin and sa-learn?

Sure, that is called a "site-wide" Bayes DB.  See the docs for bayes_path.

-- 
Randomly Selected Tagline:
"In the game of chess, you can never let your opponent see your pieces."
 - Zapp Branigan, Futurama, "Love's Labour Lost In Space"




Re: MD5 Hash of URL's

2007-07-05 Thread Kelson

John D. Hardin wrote:

On Tue, 3 Jul 2007, Matt wrote:


Why can't Spamassassin do like a MD5 hash of any URL's in a
message and check them against a database?  I just think it would
help catch things like: geocities.com/spamer123/ or
spamer123.tripod.com and etc.


Too easy to defeat using a URI with random parameters pointing to a
PHP et. al. page that ignores parameters (assuming you include
parameters in the hash) or via wildcard DNS using random third- or
fourth-level hostnames.


Even the path could be made random if they use mod_rewrite or 
equivalent.  If http://example.com/random/path/gets/ignored always 
serves up the contents of salespitch.html, they can generate as many 
URLs as they want.


The concept might still be useful for specific known "grey" hosts with a 
mix of legit sites and spam sites -- geocities, tripod, blogspot, etc. 
--where the URL patterns are known.  If you know the pattern is 
account.example.com, or example.com/account, then throw away the rest of 
the URL and list/lookup the base pattern.


--
Kelson Vibber
SpeedGate Communications 
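An added sketch, not code from either poster and not a SpamAssassin plugin, of the slice-and-hash idea in John Hardin's reply and Kelson's post above: known "grey" hosts get a slice rule, the rest of the URL is thrown away, and the MD5 of the remaining base pattern becomes the label a DNS-based lookup would query. The rule table, the zone name and the sample URLs are assumptions; no DNS query is performed.

```python
import hashlib
from urllib.parse import urlsplit

# Assumed slice rules for the grey hosts named in the thread.
#   "path": the account is the first path segment      (example.com/account)
#   "sub":  the account is the label just below the host (account.example.com)
SLICE_RULES = {
    "geocities.com": "path",
    "tripod.com": "sub",
    "blogspot.com": "sub",
}

# Assumed zone such a plugin would query; a real deployment would use its own.
HASH_ZONE = "urihash.example.invalid"


def base_pattern(url):
    """Reduce a URL on a known grey host to its per-account base pattern,
    discarding random paths, query strings and extra hostname labels.
    Returns None for hosts not in the table."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for grey, mode in SLICE_RULES.items():
        if mode == "path" and host in (grey, "www." + grey):
            segment = parts.path.strip("/").split("/")[0]
            return f"{grey}/{segment}" if segment else None
        if mode == "sub" and host.endswith("." + grey):
            # keep only the label directly under the grey host, so that
            # random.extra.account.tripod.com still maps to account.tripod.com
            account = host[: -len(grey) - 1].split(".")[-1]
            return f"{account}.{grey}"
    return None


def dns_query_name(pattern, zone=HASH_ZONE):
    """MD5 of the base pattern as the hex label a DNS-based list would key on."""
    return hashlib.md5(pattern.encode("utf-8")).hexdigest() + "." + zone


def lookup_name_for(url):
    """Full pipeline: the name to look up, or None when the URL is not on a
    grey host (those would go to ordinary URIBL-style domain checks)."""
    pattern = base_pattern(url)
    return dns_query_name(pattern) if pattern else None


if __name__ == "__main__":
    for u in ("geocities.com/spamer123/", "http://zz91.spamer123.tripod.com/x",
              "http://example.com/anything"):
        print(u, "->", base_pattern(u), "->", lookup_name_for(u))
```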


Re: New version of iXhash plugin available

2007-07-05 Thread Per Jessen
[EMAIL PROTECTED] wrote:

> The difference is that the .de domain is fed by input that's either
> visually checked or stems from dedicated spamtraps, so I'm quite
> confident the hashes contained really mark spam.
> 
> The .ag domain contains hashes either from feedback loops (ie. end
> users) or from mails marked as spam by other systems. Thus there's a
> higher risk of getting FPs from that list - hence the lower score.

Any chance of making one or both available for download/rsync?  


/Per Jessen, Zürich



Re: New version of iXhash plugin available

2007-07-05 Thread Per Jessen
Marc Perkel wrote:

> I'm feeding in spam from 1600 domains through my junkemailfilter.com
> service and I think that I'm helping out a very good service. I
> encourage others to do the same.

At a price of course.  Thanks for the advertising Marc.

To stay on-topic, are you providing ixHash checksums from some of the
spams for others to use? 


/Per Jessen, Zürich



Spamassassin -t

2007-07-05 Thread Matt

When going back and doing a test on a message manually like this how
do I get it to use the bayes files at say:
"/home/user3/.spamassassin/"?

Matt


Training the Bayesian learner

2007-07-05 Thread Unga
Hi all

I have noted that sa-learn updates the files in
/root/.spamassassin/ irrespective of the username given to
its -u option.

spamd runs as root and spamc runs as mailuser.
Therefore, the child processes of spamd run as
mailuser, and they also create bayes_* files under the
.spamassassin directory of the mailuser's home
directory.

Since the child processes of spamd run under mailuser
and mailuser has no permission to read files under
/root/.spamassassin/, can SpamAssassin effectively
use what sa-learn has learned without restarting
SpamAssassin after sa-learn completes the
learning?

I prefer to run spamd as mailuser (-u mailuser); is
it possible to use one central location for bayes_*
files for SpamAssassin and sa-learn?

Best Regards
Unga


 



RE: isolated W

2007-07-05 Thread Martin.Hepworth
Donald

Just got in something very similar and it scored thus..

X-Solid-State-Logic-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
score=6.311, required 5, BAYES_50 0.00, BOTNET 5.00,
FH_HOST_EQ_D_D_D_D 0.67, HOST_MISMATCH_COM 0.31, IP_NOT_FRIENDLY 0.33)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


RE: isolated W

2007-07-05 Thread Martin.Hepworth
Donald

My analysis (SA 3.1.8)


Content analysis details:   (10.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.3 SARE_WEOFFER           BODY: Offers Something
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.8 MISSING_SUBJECT        Missing Subject: header
 0.5 FM_NO_TO               FM_NO_TO
 0.6 HELO_MISMATCH_NET      HELO_MISMATCH_NET
 0.1 TO_CC_NONE             No To: or Cc: header
 2.5 FM_NO_FROM_OR_TO       FM_NO_FROM_OR_TO
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2

Putting in a "spam list" in mailscanner.conf will make anything that
hits that RBL be marked as spam - nothing to do with SA!

Also the URIBL black and grey lists are already in SA, so no need to add them in.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Re: New version of iXhash plugin available

2007-07-05 Thread Marc Perkel



Per Jessen wrote:
> Dirk Bonengel wrote:
>
>> For those that don't know what this plugin does: It uses an algorithm
>> developed by Bert Ungerer of the German IT magazine iX (Heise Verlag)
>> to compute fuzzy checksums from (spam) emails and checks them against
>> those hashes I and Heise computed from our spam ( and serve via DNS).
>> In short, this puts it in the league of Pyzor, Razor and DCC. It's
>> certainly no 'German Wunderwaffe' against spam but I think it has its
>> merits.
>
> Since 1 July, we have had about 10K matches on checksums, and about 16K
> hits on the IP-list.  I think it's quite a useful tool.
>
>> If you happen to have some significant spamtrap feed you might also be
>> interested to set up your own hash database to check your production
>> mails against.
>
> Yes, that's what we've done too - do you know of anybody else doing
> this?  It might be interesting to share databases/experiences.
>
> /Per Jessen, Zürich


I'm feeding in spam from 1600 domains through my junkemailfilter.com 
service and I think that I'm helping out a very good service. I 
encourage others to do the same.




FW: isolated W

2007-07-05 Thread donald.dawson
This may have already been addressed, but is there a released rule set
or add-on that would help in identifying these type of stock spam
emails?

We use MailScanner 4.59.4 (MailScanner-v: 3.002000 Mail::SpamAssassin),
SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor.  We run
sa-update and RulesDuJour for automatic updates.

We turned off Razor since it was causing delays in processing mail.

In MailScanner, we turned off SpamHaus since we process too much email -
it appears it was just raising the score of high spam:  'Spam List =
SBL+XBL'

We also use milter-greylist during the hours of 10 PM and 5 AM.  We use
milter-null (snert) to reduce bounce backs.

We receive about 300k emails a day with about 70% identified as spam.
We deliver about 5% of the suspected spam (score below 5).

We added URIBL checks to our mailscanner.cf file:

urirhssub   URIBL_BLACK  multi.uribl.com.    A   2
body        URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe    URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags      URIBL_BLACK  net
score       URIBL_BLACK  3.0

urirhssub   URIBL_GREY   multi.uribl.com.    A   4
body        URIBL_GREY   eval:check_uridnsbl('URIBL_GREY')
describe    URIBL_GREY   Contains an URL listed in the URIBL greylist
tflags      URIBL_GREY   net
score       URIBL_GREY   0.25

I am considering adding the botnet plugin from:
http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and possibly
adding fake MX entries.

We use BAYES, but we don't feed spam or ham so it may have little help.

Here are the cf files we use in /etc/mail/spamassassin:

00_FVGT_File001.cf             70_sare_highrisk.cf        70_sare_stocks.cf
72_sare_bml_post25x.cf         bogus-virus-warnings.cf    random.cf
70_sare_adult.cf               70_sare_html0.cf           70_sare_unsub.cf
72_sare_redirect_post3.0.0.cf  chickenpox.cf              sa-update-keys
70_sare_bayes_poison_nxm.cf    70_sare_html_eng.cf        70_sare_uri0.cf
88_FVGT_body.cf                init.pre                   tripwire.cf
70_sare_evilnum0.cf            70_sare_obfu0.cf           70_sare_uri_eng.cf
88_FVGT_rawbody.cf             local.cf                   v310.pre
70_sare_genlsubj0.cf           70_sare_oem.cf             70_sare_whitelist.cf
88_FVGT_subject.cf             mailscanner.cf             v312.pre
70_sare_genlsubj_eng.cf        70_sare_random.cf          70_sare_whitelist_rcvd.cf
88_FVGT_uri.cf                 mangled.cf                 v320.pre
70_sare_header0.cf             70_sare_specific.cf        70_sare_whitelist_spf.cf
99_sare_fraud_post25x.cf       pdfinfo.cf                 weeds.cf
70_sare_header_eng.cf          70_sare_spoof.cf           70_zmi_german.cf
bakerbotts.cf                  popcorn_new.cf

Any input on our configuration would be appreciated - this is a great
forum!

Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183


--

Microsoft Mail Internet Headers Version 2.0
Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by
HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
 Thu, 5 Jul 2007 10:09:09 -0500
Received: from housweep03.bakerbotts.net ([10.20.254.246]) by
houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211);
 Thu, 5 Jul 2007 10:09:09 -0500
Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net
[10.20.254.236]) by housweep03.bakerbotts.net
 (Content Technologies SMTPRS 4.3.20) with ESMTP id
<[EMAIL PROTECTED]> for
<[EMAIL PROTECTED]>;
 Thu, 5 Jul 2007 10:09:08 -0500
Received: from houmx05.bakerbotts.com (houmx05-inside.bakerbotts.net) by
housweep01.bakerbotts.net
 (Content Technologies SMTPRS 4.3.20) with ESMTP id
<[EMAIL PROTECTED]> for
<[EMAIL PROTECTED]>;
 Thu, 5 Jul 2007 10:09:08 -0500
X-Envelope-From: [EMAIL PROTECTED]
Received: from stryker-coruna.easynet.es (stryker-coruna.easynet.es
[84.20.18.243])
by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id
l65F8mIB022832
for <[EMAIL PROTECTED]>; Thu, 5 Jul 2007 10:08:55
-0500
Received: (qmail 17255 invoked from network); Thu, 5 Jul 2007 17:08:48
+0200
Received: from unknown (HELO tjz) (196.128.111.164)
by stryker-coruna.easynet.es with SMTP; Thu, 5 Jul 2007 17:08:48
+0200
Message-ID: <[EMAIL PROTECTED]>
Date: Thu, 5 Jul 2007 17:08:48 +0200
From: Curry <[EMAIL PROTECTED]>
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: isolated W
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Null-Tag: 1bc6951047be6b09f152db58e9a5f883
X-Greylist: Delayed for 00:10:08 by milter-greylist-3.0rc3
(houmx05.bakerbotts.com [204.194.98.17]); Thu, 05 Jul 2007 10:08:56
-0500 (CDT)
X-BakerBotts-MailScanner-Information: Please contact the ISP for more
information
X-BakerBotts-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=0.3, required 5, SARE_WEOFFER 0.30)
X-BakerBotts-MailScanner-From: [EMAIL 

Re: New version of iXhash plugin available

2007-07-05 Thread dirk
 Original Message 
Subject: Re: New version of iXhash plugin available
From:"Jeremy Fairbrass" <[EMAIL PROTECTED]>
Date:Thu, July 5, 2007 10:49 am
To:  users@spamassassin.apache.org
--

Thanks Dirk!
I have a question: two of the RBL zones have very similar names -
nospam.login-solutions.de and nospam.login-solutions.ag. Do they belong
to the same company, and what are the differences between them? E.g. do
they both contain exactly the same data (hashes) as each other, or are
there some differences between them, such that it's advisable to use them
both? (I also noted that in your latest .cf file, you score each one
differently - 4.5 vs. 2.5).

Cheers,
Jeremy



"Dirk Bonengel" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Folks,
>
> I've finally come around to releasing a new version of the iXhash
plugin. If you happen to use that plugin, just get the code (now 
located at http://ixhash.sf.net) and upgrade.
> Normally simply replacing the iXhash.pm file should do. Just make sure
you have the version corresponding to your  SA version. The new version
now uses Net::DNS::Resolver's query method (as opposed to search in the
earlier code) and stops computing hashes  once it's got a hit.
>
> For those that don't know what this plugin does: It uses an algorithm
developed by Bert Ungerer of the German IT magazine iX (Heise Verlag) to
compute fuzzy checksums from (spam) emails and checks them against those
hashes I and Heise computed from our spam (  and serve via DNS). In
short, this puts it in the league of Pyzor, Razor and DCC. It's
certainly no 'German Wunderwaffe' against  spam but I think it has its
merits.
>
> If you happen to have some significant spamtrap feed you might also be
interested to set up your own hash database to check your  production
mails against. I added a server program that computes the necessary
hashes and stores them in a MySQL table as well as  another plugin that
sources that table. If you do let me know - I'd be interested in any
results.
>
> Dirk
>

Yepp, there's a difference.
First of all, both domains belong to the company I work for, Login &
Solutions AG. I was allowed to use them for this project, and they provide
some hosting for me as well, so I simply have to say 'Thank you' here.

The difference is that the .de domain is fed by input that's either
visually checked or stems from dedicated spamtraps, so I'm quite confident
the hashes contained really mark spam.

The .ag domain contains hashes either from feedback loops (i.e. end users)
or from mails marked as spam by other systems. Thus there's a higher risk
of getting FPs from that list - hence the lower score.

My advice is to score the .de domain a bit higher, but YMMV. Mass-check
results are welcome.

Dirk






Re: Botnet over aggressive?

2007-07-05 Thread Cliff Stanford
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Rudd wrote:

> The number of messages that get flagged by Botnet but aren't spam is, in 
> my observation across a few sites, less than one tenth of one percent.

Funnily enough, the reason this came up is that Botnet was flagging
messages at 5.1 from two British Telcos, Orange and Magrathea.

Both companies have mis-configured reverse DNS.

Regards,
Cliff.

- --
Cliff Stanford
Might Limited   +44 845 0045 666 (Office)
Suite 67, Dorset House  +44 7973 616 666 (Mobile)
Duke Street, Chelmsford, CM1 1TB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGjRAlfNTx9pWyKfwRAlzNAKDJRs31f7eXPysO8bK6lldYvYl3NACfd4cI
KclowUqK7XmbHUU51YtgFaY=
=SW0C
-----END PGP SIGNATURE-----



Re: Several messages a day are not getting scanned (no X-Spam-Status)

2007-07-05 Thread esposj


arni wrote:
> 
> you might be using the To: field to determine who the mail is to and 
> scan according to that - that's not a safe way because it can be forged; 
> use headers such as Envelope-To or Delivered-To as added by your MTA to 
> find out where a mail is really going
> 
> arni
> 
> 
Hi Arni:

I'm not using the to field as far as I know.

Here's the relevant part of the procmail script.
--
:0fw
* < 256000
| /home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin \
  --prefs-file=/data/ispcpnfig/web1/user/fakename/.user_prefs
--

All the spams getting through are < 10k.


-- 
View this message in context: 
http://www.nabble.com/Several-messages-a-day-are-not-getting-scanned-%28no-X-Spam-Status%29-tf4030196.html#a11448213
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Several messages a day are not getting scanned (no X-Spam-Status)

2007-07-05 Thread arni

esposj schrieb:

I have recently upgraded to SA3.2 (via ISPConfig) and have several users
seeing messages come through without any SA processing.  On my personal
account, I see 2-5 messages a day which don't have a X-Spam-Status and are
very obviously spam.

SA is called through PROCMAIL and I have confirmed that the messages getting
through aren't too big to get blocked by the PROCMAIL script.

My thoughts are to write another procmail rule at the end to check for the
X-Spam-Status header and if missing feed back into the SA rule.  This seems
like an unneeded hack, and I hope someone could point me at some other
troubleshooting ideas.

Thanks,
Joe Esposito
The Seagroatt Companies
Albany, NY
  
you might be using the To: field to determine who the mail is to and 
scan according to that - that's not a safe way because it can be forged; 
use headers such as Envelope-To or Delivered-To as added by your MTA to 
find out where a mail is really going


arni


Several messages a day are not getting scanned (no X-Spam-Status)

2007-07-05 Thread esposj

I have recently upgraded to SA3.2 (via ISPConfig) and have several users
seeing messages come through without any SA processing.  On my personal
account, I see 2-5 messages a day which don't have a X-Spam-Status and are
very obviously spam.

SA is called through PROCMAIL and I have confirmed that the messages getting
through aren't too big to get blocked by the PROCMAIL script.

My thoughts are to write another procmail rule at the end to check for the
X-Spam-Status header and if missing feed back into the SA rule.  This seems
like an unneeded hack, and I hope someone could point me at some other
troubleshooting ideas.

Thanks,
Joe Esposito
The Seagroatt Companies
Albany, NY
-- 
View this message in context: 
http://www.nabble.com/Several-messages-a-day-are-not-getting-scanned-%28no-X-Spam-Status%29-tf4030196.html#a11447911
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Spoofed URI's or fake websites ?

2007-07-05 Thread Samuel Krieg

I wrote this because of Jeff's phrase.


If they are windows do an fdisk, format, etc.


I think it's important to work on the OS that you know how to configure, secure 
and manage. Whatever system it is. I did not want to praise any system.

I remain paranoid and monitor system logs, smtp queries and network activities 
as good as I can.

Regards.
--
Sam



Botnet config Botnet.cf

2007-07-05 Thread Claude Frantz

According to the docs...:

Option:   botnet_clientwords
   Space delimited list of regexps that indicate an end client or
dynamic host which should not directly connect to other mail servers
besides its own provider's.  Multiple entries are ORed together.  Multiple
entries may be space delimited or made with multiple lines.  Defaults
to empty (no client word check will be done).  The example cf file comes
with a basic entry, however.  The expressions will not match against the
top two domains (the TLD and usually the registered domain).  All word
expressions have (\b|\d) added to the beginning and end, to ensure they
are not sub-words of larger words.

#

I do not understand very well. Please allow me an example:

   AAnnecy-256-1-92-172.w90-10.abo.wanadoo.fr

What is the term against which the regex will be tested?
Is it "AAnnecy-256-1-92-172.w90-10.abo." or perhaps 
"AAnnecy-256-1-92-172.w90-10.abo"?


If I write 
"\w+-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.w\d{1,3}-\d{1,3}\.abo\."
will this really be prefixed and suffixed with "(\b|\d)" before the test 
is applied? I do not understand why. Please explain!


Thanks a lot !
Claude
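An added Python illustration of the two documented rules quoted above (this is not part of Claude's post and not the Botnet plugin's own code): the last two DNS labels are dropped before the client-word expressions are tried, and each expression is wrapped in (\b|\d). The label stripping is my reading of the documentation rather than the plugin's source, the hostnames other than the wanadoo.fr one are constructed, and the two `\w+-...` patterns are the two readings of Claude's expression, with and without the trailing `\.`:

```python
import re

# Hostnames used below: the first is the one quoted in the post, the other two
# are constructed for this example.
HOST_WANADOO = "AAnnecy-256-1-92-172.w90-10.abo.wanadoo.fr"
HOST_ADSL = "adsl-1-2-3-4.example.net"
HOST_DSL_DIGITS = "dsl1234.example.net"

# The expression from the post, with and without its trailing "\.".
CLAUDE_WITH_DOT = r"\w+-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.w\d{1,3}-\d{1,3}\.abo\."
CLAUDE_NO_DOT = r"\w+-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.w\d{1,3}-\d{1,3}\.abo"


def strip_top_two_labels(hostname):
    """Return the hostname minus its last two DNS labels (TLD + registered domain).

    This is an assumption drawn from the documentation quoted above, not from
    the plugin's source: the expressions are tried against what is left.
    """
    labels = hostname.rstrip(".").split(".")
    if len(labels) <= 2:
        return ""
    return ".".join(labels[:-2])


def wrap_clientword(word):
    r"""Add the documented (\b|\d) guard to both ends of a client-word regexp."""
    return re.compile(r"(\b|\d)" + word + r"(\b|\d)")


def matching_clientwords(hostname, words):
    """Return the client words that match the hostname under the rules above."""
    subject = strip_top_two_labels(hostname)
    return [w for w in words if wrap_clientword(w).search(subject)]


if __name__ == "__main__":
    print(strip_top_two_labels(HOST_WANADOO))
    print(matching_clientwords(HOST_WANADOO, ["abo", "dyn"]))
    print(matching_clientwords(HOST_WANADOO, [CLAUDE_WITH_DOT]))
    print(matching_clientwords(HOST_WANADOO, [CLAUDE_NO_DOT]))
    print(matching_clientwords(HOST_ADSL, ["dsl"]))
    print(matching_clientwords(HOST_DSL_DIGITS, ["dsl"]))
```

Under these assumptions the string tested ends in "abo" with no trailing dot, so the expression ending in `\.abo` matches and the one ending in `\.abo\.` does not. The (\b|\d) guard is what keeps a word like "dsl" from matching inside "adsl" while still letting it match "dsl1234", where a digit rather than a word boundary follows it.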


Re: Choosing score set in amavisd-new

2007-07-05 Thread Matt Kettler
Leigh Sharpe wrote:
> Hi all,
> I've just installed a virgin debian 4.0 with spamassassin and
> amavisd-new. I have
>  
>  $sa_local_tests_only=0; in /etc/amavis/conf.d/20-debian_defaults
> and
> skip_rbl_checks 0 in  /etc/mail/spamassassin/local.cf
>  
> Yet for some reason, when I run spamassassin -D --lint, I get these lines:
--lint implies local-only. Network tests will never be enabled when you
do this, as lint is intended to check your config files for syntax
errors. Enabling network tests just wastes time.

Try again using spamassassin -D   
> [12337] dbg: pyzor: local tests only, disabling Pyzor
> [12337] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::Pyzor=HASH(0x9597ba0)
> [12337] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
> [12337] dbg: razor2: local tests only, skipping Razor
> [12337] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::Razor2=HASH(0x955f27c)
> [12337] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
> [12337] dbg: reporter: local tests only, disabling SpamCop
> [12337] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::SpamCop=HASH(0x9561b44)
> As well as "Score set 0 chosen".
> Can anybody tell me where I might have missed a config to use a
> different score set? I want to use all the network tests.




Re: how to quarantine spam mail

2007-07-05 Thread LEVEAU Stanislas

Hi,

I run SA on a linux server using Spamassassin and amavisd-new, and amavisd-new 
uses a quarantine with Mailzu or Mailguard with a MySQL database

Mailzu :
http://www.mailzu.net/

Mailguard :
http://www.maiamailguard.com/maia/wiki

regards
Stan


Matt Kettler a écrit :

Sg wrote:
  

Hi

We have MS Exchange Server 2003 on windows 2003 server. We have
installed Mail-spamassassin-3.1.7, Active Perl, GUI tool for SA, ESA.

We have mail ids with 30 users. Here spam mail has been detected. How to
quarantine this mail?   Please help me



Fundamentally, quarantining mail must be a function of your mail server
tools. Spamassassin has no power other than to modify the contents of
the message.

Unfortunately, I know almost nothing at all about exchange, nor do I use
any kind of quarantine. However, I sincerely doubt that Exchange comes
with any kind of quarantine management tool, given my limited experience
with its general lack of useful server-side mail handling features. (as
far as I can tell about the only thing it does do well server-side is
distributed storage.)

Personally, I run SA on a linux server using MailScanner and Sendmail. I
then forward back to an exchange server, and let the individual users
set of filters to move the messages into their Junk folders.




  


--
LEVEAU Stanislas
Rectorat de Caen
SIAC
168, rue Caponière
B.P. 6184
14061 CAEN Cedex

Service Informatique de l'académie de Caen
Département Systèmes & Réseaux

Tel : 02.31.30.17.86





Re: Spoofed URI's or fake websites ?

2007-07-05 Thread Matt Kettler
Samuel Krieg wrote:
> Jeff Chan a écrit :
>>
>>
>> The web sites are apparently cracked.  The servers need to be cleaned
>> and
>> secured.  If they are windows do an fdisk, format, etc.
>>
>> Jeff C.
>>
>
> Hi,
>
> Thanks for your answer. You confirm my thoughts.
>
> By the way I contacted ThePlanet sometimes ago for such websites. The
> redirection has been cleaned up and the websites are still online.
>
> PS: I'm not talking about my servers. They are healthy and running
> Linux :-)

Both of the cracked servers you mentioned are Apache/Unix based.

tvoftheabsurd: Apache/1.3.36 (Unix) PHP/4.4.2 mod_ssl/2.8.27 OpenSSL/0.9.7e
apnalounge: Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.7e PHP/4.4.2
FrontPage/5.0.2.2510


It doesn't matter what platform you run on, if you run exploitable code
on your server, it is exploitable. tvoftheabsurd is running an
exploitable version of wordpress (2.2), and apnalounge is probably
running some other exploitable PHP code.





Re: how do I block this stock promotion spam?

2007-07-05 Thread arni
Hi,

i'd block it like this:

X-Spam-Report:
* 5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 0.9997]
* 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
* 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see ]
* 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* [63.147.147.222 listed in zen.spamhaus.org]
* 3.0 BOTNET Relay might be a spambot or virusbot
* [botnet0.7,ip=63.147.147.222,maildomain=southwest.com.au,nordns]
* 0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
* signs some mails
* 0.0 BOTNET_NORDNS Relay's IP address has no PTR record
* [botnet_nordns,ip=63.147.147.222]

Generally that means:

either install Botnet and hope to be a "late receiver" (SpamCop), or
train your Bayes on it (also together with the Botnet plugin)

arni

Andrew Xiang schrieb:
> how do I block this stock promotion spam?
> thanks
> Andrew


Re: how do I block this stock promotion spam?

2007-07-05 Thread Evan Platt


At 06:14 AM 7/5/2007, Andrew Xiang wrote:

how do I block this stock promotion spam?


You are running 3.1.7. I'm on 3.1.8, and I'm not up to date. I 
believe 3.2.1 is the most current.


On my system, the first spam scored an 11.0:

X-Spam-Status: Yes, score=11.9 required=5.0 tests=BOTNET,MISSING_HB_SEP,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL autolearn=no version=3.1.8

I'd suggest running sa-update. 
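As an added example (not from arni's or Evan's posts, and not SpamAssassin's own code), here is a small Python parser for the two header formats quoted in these two messages, the per-rule X-Spam-Report and the one-line X-Spam-Status, so the hits can be checked against the threshold or pulled into logging. The sample texts are transcribed from the two posts; the fold in the status line, the function names and the "RBL:" classification are my own construction:

```python
import re

# Constructed samples: the report is transcribed from arni's message above, the
# status line from Evan Platt's; the fold (newline + tab) in the status line is
# added to show header unfolding.
SAMPLE_REPORT = """\
* 5.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 0.9997]
* 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
* 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see ]
* 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* [63.147.147.222 listed in zen.spamhaus.org]
* 3.0 BOTNET Relay might be a spambot or virusbot
* [botnet0.7,ip=63.147.147.222,maildomain=southwest.com.au,nordns]
* 0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
* signs some mails
* 0.0 BOTNET_NORDNS Relay's IP address has no PTR record
* [botnet_nordns,ip=63.147.147.222]
"""

SAMPLE_STATUS = ("Yes, score=11.9 required=5.0 tests=BOTNET,MISSING_HB_SEP,\n"
                 "\tRCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL autolearn=no version=3.1.8")

# A report line that starts a rule hit looks like "* <score> <RULE_NAME> <desc>".
# Continuation lines ("* [score: ...]", "* signs some mails") do not match.
_RULE_LINE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s*(.*)$")
_KEY_VALUE = re.compile(r"(\w+)=(\S*)")


def parse_spam_report(report):
    """Return a list of (rule, score, description) for each hit in an X-Spam-Report."""
    hits = []
    for line in report.splitlines():
        m = _RULE_LINE.match(line.strip())
        if m:
            hits.append((m.group(2), float(m.group(1)), m.group(3).strip()))
    return hits


def total_score(hits):
    """Sum of the per-rule scores, rounded to one decimal as SA prints it."""
    return round(sum(score for _, score, _ in hits), 1)


def network_rules(hits):
    """Rules whose description is tagged 'RBL:', i.e. hits that needed DNS lookups."""
    return [rule for rule, _, desc in hits if desc.startswith("RBL:")]


def parse_spam_status(status):
    """Parse an X-Spam-Status value (possibly folded) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", status)   # join folded header lines
    unfolded = re.sub(r",\s+", ",", unfolded)         # re-join the tests list
    verdict, _, rest = unfolded.partition(",")
    fields = dict(_KEY_VALUE.findall(rest))
    tests = fields.get("tests", "")
    return {
        "is_spam": verdict.strip().lower() == "yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": tests.split(",") if tests else [],
        "autolearn": fields.get("autolearn"),
        "version": fields.get("version"),
    }


if __name__ == "__main__":
    hits = parse_spam_report(SAMPLE_REPORT)
    for rule, score, desc in hits:
        print(f"{score:5.1f}  {rule:24s}  {desc}")
    print("total", total_score(hits), "network rules", network_rules(hits))
    print(parse_spam_status(SAMPLE_STATUS))
```

The report parser keys on the "* score RULE" shape of a hit line, so the bracketed detail lines and wrapped descriptions are skipped rather than mis-read as rules; the status parser unfolds the header first because a long tests list is routinely wrapped across lines, as it is in Evan's quote.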



Re: Spoofed URI's or fake websites ?

2007-07-05 Thread Matt Kettler
Samuel Krieg wrote:
> Hi
>
> I'm receiving some spam with links like
> http://www.somewebsite.tld/image.htm ( filename may differ like
> join.htm  or shop.htm ). The uri redirects to another viagra website.
>
> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>
> Some examples :
> http://www.apnalounge.com/shop.htm
>
> http://www.tvoftheabsurd.com/join.htm
>
> I need to understand how it works.. Is the hosting server being
> abused ? Any ideas/solutions ?

Odds are good they are being abused. Looking at tvoftheabsurd's main page 
they've got a PHP wordpress 2.2 login page. Wordpress has been known to have 
exploits in the past.

Ahh, yes. Here's one for WP 2.2: 
http://www.securityfocus.com/bid/24344
Oh, and another that allows arbitrary file upload:
http://www.securityfocus.com/bid/24642

That latter one is probably how the redirect page got uploaded.



apnalounge.com also makes extensive use of PHP and seems to have a lot of 
"cobbled together" code. Nothing jumps out at me, but I'd again not be 
surprised to find out some part is exploitable.

>
> Thank you.
>



Re: how to quarantine spam mail

2007-07-05 Thread Matt Kettler
Sg wrote:
>
> Hi
>
> We have MS Exchange Server 2003 on windows 2003 server. We have
> installed Mail-spamassassin-3.1.7, Active Perl, GUI tool for SA, ESA.
>
> We have mail ids with 30 users. Here spam mail has been detected. How to
> quarantine this mail?   Please help me
>
Fundamentally, quarantining mail must be a function of your mail server
tools. Spamassassin has no power other than to modify the contents of
the message.

Unfortunately, I know almost nothing at all about exchange, nor do I use
any kind of quarantine. However, I sincerely doubt that Exchange comes
with any kind of quarantine management tool, given my limited experience
with its general lack of useful server-side mail handling features. (as
far as I can tell about the only thing it does do well server-side is
distributed storage.)

Personally, I run SA on a linux server using MailScanner and Sendmail. I
then forward back to an exchange server, and let the individual users
set of filters to move the messages into their Junk folders.





Re: Spoofed URI's or fake websites ?

2007-07-05 Thread Phil Barnett
On Thursday 05 July 2007 06:47, Samuel Krieg wrote:

> Thanks for your answer. You confirm my thoughts.
>
> By the way I contacted ThePlanet sometimes ago for such websites. The
> redirection has been cleaned up and the websites are still online.
>
> PS: I'm not talking about my servers. They are healthy and running Linux
> :-)

Don't think that this can't happen to a Linux based server.

I've had both Coppermine and Geeklog compromised in the last month with phish 
sites. Fortunately, it was simple to see and secure the path on the 
Coppermine, which was letting new users have picture posting rights, but I 
never did figure out how they got in on Geeklog, so it's now banned from my 
server.

-- 
Phil Barnett
AI4OF
SKCC #600


how to quarantine spam mail

2007-07-05 Thread Sg

Hi

We have MS Exchange Server 2003 on windows 2003 server. We have installed
Mail-spamassassin-3.1.7, Active Perl, GUI tool for SA, ESA.

We have mail ids with 30 users. Here spam mail has been detected. How to
quarantine this mail?   Please help me
Spam detection software, running on the system
"ganesha-usa.Treselle.com",
has identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see [EMAIL PROTECTED] for
details.

Content preview:  Hi Geetha, Hi Geetha, [...]

Content analysis details:   (6.4 points, 5.0 required)

 pts rule name  description

 --
--

0.1 HTML_90_100    BODY: Message is 90% to 100% HTML

-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%

   [score: 0.]

1.1 MIME_HTML_MOSTLY   BODY: Multipart message mostly text/html MIME

0.0 HTML_MESSAGE   BODY: HTML included in message

2.0 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP
address

   [59.93.22.119 listed in dnsbl.sorbs.net]

1.9 RCVD_IN_NJABL_DUL  RBL: NJABL: dialup sender did non-local SMTP

   [59.93.22.119 listed in combined.njabl.org]

3.8 AWL    AWL: From: address is in the auto white-list


--
Geetha. S


Re: Question about missing rules for 3.2.1 upgrade

2007-07-05 Thread Matt Kettler
Albert E. Whale wrote:
> I recently upgraded to 3.2.1
>
> In doing so, I find that the following rules which were previously used
> are no longer in service.
>
> Can someone explain why?
>   
Um, because it's an upgrade?

Rules get removed frequently. They get removed for lots of different
reasons. The most common are:

1) They become ineffective due to changes in spam or nonspam, which
causes their S/O ratio to drop below 0.80
2) A better-performing rule gets added, making them irrelevant.

I suspect ADVANCE_FEE_1 fell victim to cause #1. Even in 3.1.0's
mass-checks the S/O of this rule was questionable (0.828 in set0, and
all 4 sets under 0.85). This was, in essence, a rule with a history of
poor performance.

NO_REAL_NAME shouldn't have even been in 3.1.0. Its S/O was 0.511,
meaning it matched almost as much spam as nonspam. Good riddance to bad
rubbish.

The same applies to NO_OBLIGATION. It was at 0.883 in 3.1.0's set 0.

Not sure about FORGED_RCVD_HELO and DNS_FROM_RFC_POST.



Re: spam with a pdf

2007-07-05 Thread LEVEAU Stanislas

Hi

First, update SpamAssassin to version 3.2.1.

Second, I created a rule for SpamAssassin because the name of the 
pdf attachment is always in the Subject


SpamAssassin rule:
header FR_PDF_TAG   Subject =~ /\.pdf/
describe FR_PDF_TAG Extension PDF in the Subject
score FR_PDF_TAG    2


and third, I modified the score of a rule in user_prefs

score TVD_SPACE_RATIO 4


Regards
Stan

Andrew Xiang a écrit :

Hi, All,
 
Spammers are getting very smart and hateful.

How can I filter this spam with only a pdf attached?
 
thanks

Andrew
 
 
 
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on xphotonics.com

X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00
 autolearn=unavailable version=3.1.7
X-Spam-Pyzor:
X-Spam-Report:
 * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
 *  [score: 0.]
Received: from impkfl ([88.251.61.194])
 by xphotonics.com (8.13.8/8.13.6) with SMTP id l64KFtLi000250
 for <[EMAIL PROTECTED] >; Wed, 4 
Jul 2007 16:15:56 -0400 (EDT)

 (envelope-from [EMAIL PROTECTED] )
Received: from [81.178.204.196] (helo=yun)
 by impkfl with smtp (Exim 4.66 (FreeBSD))
 id 1I6BH?0003NG-Ay; Wed, 4 Jul 2007 23:16:07 +0300
Message-ID: <[EMAIL PROTECTED] 
>

Date: Wed, 4 Jul 2007 23:15:32 +0300
From: "Emmanuel W. Dickerson" <[EMAIL PROTECTED] 
>

User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: [EMAIL PROTECTED] 
Subject: Fwd: Journal-jzisnyavquxas.pdf
Content-Type: multipart/mixed;
 boundary="020807010003020808050700"
X-Antivirus: avast! (VPS 000754-0, 04.07.2007), Outbound message
X-Antivirus-Status: Clean
X-Virus-Scanned: ClamAV 0.88.5/3598/Wed Jul  4 04:35:02 2007 on 
xphotonics.com

X-Virus-Status: Clean
 
--020807010003020808050700

Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
 
 
 
--020807010003020808050700

Content-Type: application/pdf;
 name="Journal-jzisnyavquxas.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="Journal-jzisnyavquxas.pdf"
 
JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmoKPDwKL1R5cGUgL0NhdGFsb2cK
Re: Spoofed URI's or fake websites ?

2007-07-05 Thread Samuel Krieg

Jeff Chan a écrit :

Quoting Samuel Krieg <[EMAIL PROTECTED]>:


Hi

I'm receiving some spam with links like
http://www.somewebsite.tld/image.htm ( filename may differ like
join.htm  or shop.htm ). The uri redirects to another viagra website.

But the somewebsite.tld looks like a normal site (I'm pretty sure it is).

Some examples :
http://www.apnalounge.com/shop.htm

http://www.tvoftheabsurd.com/join.htm

I need to understand how it works.. Is the hosting server being abused ? Any
ideas/solutions ?



The web sites are apparently cracked.  The servers need to be cleaned and
secured.  If they are windows do an fdisk, format, etc.

Jeff C.



Hi,

Thanks for your answer. You confirm my thoughts.

By the way I contacted ThePlanet sometimes ago for such websites. The redirection has been cleaned 
up and the websites are still online.


PS: I'm not talking about my servers. They are healthy and running Linux :-)

--
Samuel Krieg



Re: Spoofed URI's or fake websites ?

2007-07-05 Thread Jeff Chan
Quoting Samuel Krieg <[EMAIL PROTECTED]>:

> Hi
>
> I'm receiving some spam with links like
> http://www.somewebsite.tld/image.htm ( filename may differ like
> join.htm  or shop.htm ). The uri redirects to another viagra website.
>
> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>
> Some examples :
> http://www.apnalounge.com/shop.htm
>
> http://www.tvoftheabsurd.com/join.htm
>
> I need to understand how it works.. Is the hosting server being abused ? Any
> ideas/solutions ?


The web sites are apparently cracked.  The servers need to be cleaned and
secured.  If they are windows do an fdisk, format, etc.

Jeff C.


Spoofed URI's or fake websites ?

2007-07-05 Thread Samuel Krieg

Hi

I'm receiving some spam with links like 
http://www.somewebsite.tld/image.htm ( filename may differ like 
join.htm  or shop.htm ). The uri redirects to another viagra website.


But the somewebsite.tld looks like a normal site (I'm pretty sure it is).

Some examples :
http://www.apnalounge.com/shop.htm

http://www.tvoftheabsurd.com/join.htm

I need to understand how it works.. Is the hosting server being abused ? Any 
ideas/solutions ?

Thank you.

--
Samuel Krieg




Re: New version of iXhash plugin available

2007-07-05 Thread Jeremy Fairbrass
Thanks Dirk!
I have a question: two of the RBL zones have very similar names - 
nospam.login-solutions.de and nospam.login-solutions.ag. Do they 
belong to the same company, and what are the differences between them? E.g. do 
they both contain exactly the same data (hashes) as 
each other, or are there some differences between them, such that it's 
advisable to use them both? (I also noted that in your 
latest .cf file, you score each one differently - 4.5 vs. 2.5).

Cheers,
Jeremy



"Dirk Bonengel" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Folks,
>
> I've finally come around to releasing a new version of the iXhash plugin. If 
> you happen to use that plugin, just get the code (now 
> located at http://ixhash.sf.net) and upgrade.
> Normally simply replacing the iXhash.pm file should do. Just make sure you 
> have the version corresponding to your  SA version.
> The new version now uses Net::DNS::Resolver's query method (as opposed to 
> search in the earlier code) and stops computing hashes 
> once it's got a hit.
>
> For those that don't know what this plugin does: It uses an algorithm 
> developed by Bert Ungerer of the German IT magazine iX (Heise 
> Verlag) to compute fuzzy checksums from (spam) emails and checks them against 
> those hashes I and Heise computed from our spam ( 
> and serve via DNS). In short, this puts it in the league of Pyzor, Razor and 
> DCC. It's certainly no 'German Wunderwaffe' against 
> spam but I think it has its merits.
>
> If you happen to have some significant spamtrap feed you might also be 
> interested to set up your own hash database to check your 
> production mails against. I added a server program that computes the 
> necessary hashes and stores them in a MySQL table as well as 
> another plugin that sources that table. If you do let me know - I'd be 
> interested in any results.
>
> Dirk
> 





Re: New version of iXhash plugin available

2007-07-05 Thread Per Jessen
Dirk Bonengel wrote:

> So you're using the procmail NiXspam code, I guess?  

Yes, we used that as a base, but rewrote it in C. (the "need for
speed" :-)

> You might somehow translate your hash and IP lists into zonefiles and
> feed them into an DNS server. 

We build rbldnsd-style zonefiles and use those in our local rbldnsd. 
Just as we do with your nixspam cachematches and blackmatches files.

> If you plan to offer such a service get in contact with me per PM (and
> in German I guess)

I'll let you know if/when we make it available externally. 


/Per Jessen, Zürich



Re: New version of iXhash plugin available

2007-07-05 Thread Dirk Bonengel

Per Jessen schrieb:

Dirk Bonengel wrote:

  

For those that don't know what this plugin does: It uses an algorithm
developed by Bert Ungerer of the German IT magazin iX (Heise Verlag)
to compute fuzzy checksums from (spam) emails and checks them against
those hashes I and Heise computed from our spam ( and serve via DNS).
In short, this puts it in the league of Pyzor, Razor and DCC. It's
certainly no 'German Wunderwaffe' against spam but I think it has its
merits.



Since 1 July, we have had about 10K matches on checksums, and about 16K
hits on the IP-list.  I think it's quite a useful tool.

  

If you happen to have some significant spamtrap feed you might also be
interested to set up your own hash database to check your production
mails against. 



Yes, that's what we've done too - do you know of anybody else doing
this?  It might be interesting to share databases/experiences.


/Per Jessen, Zürich

  
So you're using the procmail NiXspam code, I guess? You might somehow 
translate your hash and IP lists into zonefiles and feed them into a 
DNS server. Alternatively use the hashhackserver to get those hashes 
(only those) into a MySQL database. Building zone files from that data 
is easy.
Apart from me and Heise I don't know of anyone doing that (i.e. 
publishing spam hashes) - which I think is a pity, but I'm probably 
partial here.
If you plan to offer such a service get in contact with me per PM (and 
in German I guess)


Dirk


Re: Choosing score set in amavisd-new

2007-07-05 Thread LEVEAU Stanislas

Hi

If you want to use Razor, DCC and Pyzor with SpamAssassin you are obliged to have 
$sa_local_tests_only=0; in amavisd.conf


# SpamAssassin settings

# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, SA tests are restricted to local tests only, i.e. no tests
# that require internet access will be performed.
#
$sa_local_tests_only = 0;   # (default: false)



And in local.cf in spamassassin,
to activate the modules

use_razor2 1
use_dcc 1
use_pyzor 1

and change the score

score RAZOR2_CHECK 6
score DCC_CHECK 6

Regards
Stan


Leigh Sharpe a écrit :

Hi all,
I've just installed a virgin debian 4.0 with spamassassin and 
amavisd-new. I have
 
 $sa_local_tests_only=0; in /etc/amavis/conf.d/20-debian_defaults

and
skip_rbl_checks 0 in  /etc/mail/spamassassin/local.cf
 
Yet for some reason, when I run spamassassin -D --lint, I get these 
lines:
 
[12337] dbg: pyzor: local tests only, disabling Pyzor
[12337] dbg: plugin: registered 
Mail::SpamAssassin::Plugin::Pyzor=HASH(0x9597ba0)

[12337] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[12337] dbg: razor2: local tests only, skipping Razor
[12337] dbg: plugin: registered 
Mail::SpamAssassin::Plugin::Razor2=HASH(0x955f27c)

[12337] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[12337] dbg: reporter: local tests only, disabling SpamCop
[12337] dbg: plugin: registered 
Mail::SpamAssassin::Plugin::SpamCop=HASH(0x9561b44)

As well as "Score set 0 chosen".
Can anybody tell me where I might have missed a config to use a 
different score set? I want to use all the network tests.
 
Regards,

 Leigh
 
Leigh Sharpe

Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
Helpdesk 1300 300 616
email [EMAIL PROTECTED]
web www.pacificwireless.com.au
 


--
LEVEAU Stanislas
Rectorat de Caen
SIAC
168, rue Caponière
B.P. 6184
14061 CAEN Cedex

Service Informatique de l'académie de Caen
Département Systèmes & Réseaux

Tel : 02.31.30.17.86



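A small checker for the situation in this thread, added here as an example and not code from the list or from amavisd-new: it reads the effective $sa_local_tests_only from the amavisd config (Debian loads /etc/amavis/conf.d/* in name order, so the files are assumed to be concatenated in that order, and a later file can override 20-debian_defaults), reads the plugin switches from local.cf, and predicts which score set SpamAssassin will choose and which network plugins amavisd will silence. The config fragments are constructed samples.

```python
import re

# Constructed sample fragments, not the poster's real files. The commented
# example line is not in effect; the last live assignment wins in Perl.
AMAVISD_CONF = """\
# $sa_local_tests_only = 0;   # (default: false)
$sa_local_tests_only = 0;     # from 20-debian_defaults
$sa_local_tests_only = 1;     # from a later conf.d file
"""

LOCAL_CF = """\
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
use_bayes 1
"""

def amavis_local_tests_only(conf_text):
    """Effective $sa_local_tests_only: amavisd.conf is Perl, so drop '#'
    comments and keep the last assignment seen (amavisd default: 0)."""
    value = 0
    for line in conf_text.splitlines():
        code = line.split("#", 1)[0]
        m = re.search(r"\$sa_local_tests_only\s*=\s*(\d+)\s*;", code)
        if m:
            value = int(m.group(1))
    return value

def sa_option(cf_text, name, default):
    """Last value of a 'name value' directive in local.cf (later lines win)."""
    value = default
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == name:
            value = int(parts[1])
    return value

def diagnose(conf_text, cf_text):
    """Predict the score set and the network plugins that will be disabled.
    SA score sets: 0 = no Bayes/no net, 1 = net only, 2 = Bayes only, 3 = both."""
    net = amavis_local_tests_only(conf_text) == 0
    bayes = sa_option(cf_text, "use_bayes", 1) == 1
    score_set = (2 if bayes else 0) + (1 if net else 0)
    disabled = []
    if not net:  # enabled in local.cf, but local-tests-only switches them off
        for opt, plugin in (("use_razor2", "Razor2"), ("use_dcc", "DCC"),
                            ("use_pyzor", "Pyzor")):
            if sa_option(cf_text, opt, 1) == 1:
                disabled.append(plugin)
    return {"score_set": score_set, "disabled": disabled}

if __name__ == "__main__":
    print(diagnose(AMAVISD_CONF, LOCAL_CF))
```

With the sample above the checker reports score set 2 and Razor2/DCC/Pyzor disabled, which matches the "local tests only" debug lines even though 20-debian_defaults looks correct in isolation.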


Choosing score set in amavisd-new

2007-07-05 Thread Leigh Sharpe
Hi all,
I've just installed a virgin debian 4.0 with spamassassin and
amavisd-new. I have 
 
 $sa_local_tests_only=0; in /etc/amavis/conf.d/20-debian_defaults
and
skip_rbl_checks 0 in  /etc/mail/spamassassin/local.cf 
 
Yet for some reason, when I run spamassassin -D --lint, I get these
lines:
 
[12337] dbg: pyzor: local tests only, disabling Pyzor
[12337] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Pyzor=HASH(0x9597ba0)
[12337] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from
@INC
[12337] dbg: razor2: local tests only, skipping Razor
[12337] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Razor2=HASH(0x955f27c)
[12337] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from
@INC
[12337] dbg: reporter: local tests only, disabling SpamCop
[12337] dbg: plugin: registered
Mail::SpamAssassin::Plugin::SpamCop=HASH(0x9561b44)

As well as "Score set 0 chosen".
Can anybody tell me where I might have missed a config to use a
different score set? I want to use all the network tests.
 
Regards,
 Leigh
 
Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
Helpdesk 1300 300 616
email [EMAIL PROTECTED]
web www.pacificwireless.com.au
