Catch all addresses and failure/undeliverable notification messages
Hello all,

I am looking for some advice regarding the following issue: I have some domains which are using a catch-all address. On these addresses I get a lot of undeliverable/failure notices which are theoretically legit, though they originate from spam spoofing the domains, which makes those messages spam in practice. I am hoping any of you would know a solution to filter these messages while retaining the legit ones. So far the only solution I can come up with is to stop using the catch-all address, which in some cases is not feasible.

Thank you for your time :)

Gerard.

--
View this message in context: http://www.nabble.com/Catch-all-addresses-and-failure-undeliverable-notification-messages-tf4101428.html#a11663462
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Why my SA sending report to all users?
It does not seem like it is being sent by SpamAssassin to me. SA does not send messages or reports, it just filters them. It has added the X-Spam* headers, but everything else comes from elsewhere.

  X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on mail2.singapore-daiichi.com.sg
  X-Spam-Level:
  X-Spam-Status: No, score=-1.3 required=5.0 tests=ALL_TRUSTED,AWL autolearn=disabled version=3.1.8

----- Original Message -----
From: Eny Wu
To: users@spamassassin.apache.org
Sent: Wednesday, July 18, 2007 5:22 AM
Subject: Why my SA sending report to all users?

I have just updated my SpamAssassin from 2.4 to 3.1.8. It works great; however, all my users have been receiving some emails without any headers with the following info (sample below):

--
  From [EMAIL PROTECTED] Mon Jul 16 20:09:26 2007
  Return-Path: [EMAIL PROTECTED]
  X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on mail2.singapore-daiichi.com.sg
  X-Spam-Level:
  X-Spam-Status: No, score=-1.3 required=5.0 tests=ALL_TRUSTED,AWL autolearn=disabled version=3.1.8
  Received: from mail.singapore-daiichi.com.sg (mail3.singapore-daiichi.com.sg [192.168.12.29])
      by mail2.singapore-daiichi.com.sg (8.13.6/8.13.6) with ESMTP id l6GC9FdZ014308
      for [EMAIL PROTECTED]; Mon, 16 Jul 2007 20:09:25 +0800
  Received: from localhost (localhost)
      by mail.singapore-daiichi.com.sg id l6GCEbhs027137; Mon, 16 Jul 2007 20:14:46 +0800
  Date: Mon, 16 Jul 2007 20:14:46 +0800
  From: Mail Delivery Subsystem [EMAIL PROTECTED]
  Message-Id: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  MIME-Version: 1.0
  Content-Type: multipart/report; report-type=delivery-status;
      boundary=l6GCEbhs027137.1184588086/mail.singapore-daiichi.com.sg
  Subject: Postmaster notify: see transcript for details
  Auto-Submitted: auto-generated (postmaster-notification)

  This is a MIME-encapsulated message

  --l6GCEbhs027137.1184588086/mail.singapore-daiichi.com.sg

  The original message was received at Mon, 16 Jul 2007 20:14:46 +0800
  from localhost with id l6GCEbhr027137
--

Is there any way that I can disable SpamAssassin from sending the above report? I don't want my users to receive this message. Some of my users are also receiving empty/blank emails.

My OS is Linux Redhat 9. The SpamAssassin version is 3.1.8 and I am using procmail. I updated SpamAssassin through CPAN.

Thanks in advance for your help.

Eny
is there a whitelist rhswl available
There are quite a few domains you can trust not to send spam. For example the airlines, the banks, and a lot of others like spamassassin.apache.org :-)

If mails from these domains get an SPF/DK pass we can simply pass the mails. Today I manually maintain a list of whitelist_from_auth. Is there a global DNS WL available somewhere, so that I don't have to keep tracking myself which new bank has put up SPF records?

Thanks
Ram
Re: [AMaViS-user] Potential DOS in spamassassin/perl-Net-DNS FW: rPSA-2007-0142-1 perl-Net-DNS
Michael Scheidell wrote:
> Don't know if anyone has mentioned this, if so, I missed it.
>
> Potential DOS in spamassassin if perl-Net-DNS < .60. (previously recommended version was .58)

FreeBSD ports has .60, for the last two weeks.

Thanks for the FYI.

MrC

-----Original Message-----
From: rPath Update Announcements [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 17, 2007 8:12 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: rPSA-2007-0142-1 perl-Net-DNS

rPath Security Advisory: 2007-0142-1
Published: 2007-07-17
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
  Indirect User Deterministic Denial of Service
Updated Versions:
  perl-Net-DNS=/[EMAIL PROTECTED]:devel//1/0.60-1-0.1

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3377
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3409
  https://issues.rpath.com/browse/RPL-1537

Description:
  Previous versions of the perl-Net-DNS package contained multiple vulnerabilities: one can lead to DNS cache poisoning, and the other can result in a Denial of Service triggered by an infinite loop.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
Re: too much spam getting through, scores too low
On Wed, 18 Jul 2007 00:31:44 -0400, Debbie D [EMAIL PROTECTED] wrote:
> I am so frustrated.. updated cpanel the other day to WHM 11.2.0 cPanel 11.6.0-C15032 FEDORA 4 i686 - WHM X v3.1.0, Exim 4.66 on a Linux box
>
> But I am still getting way too many spams.. more than I did before the update -- cialis, viagra, all kinds of meds, all scoring between 0.6 and 3.5
>
> How can these mails score that low? I used to be able to see the rules it hit on, but can no longer see this..
>
> Also I see that since the upgrade local delivered mails are not being scanned at all.. not that those really matter IMHO.. they come from my forums or forms..
>
> The SA version header is also gone from the headers..

I am in the same boat as you. I am running Exim 4.67 with SA v3.2.1 and I am seeing spam that I should not.

Try to run the spam e-mail through spamassassin from the command line, i.e.:

  spamassassin -t spam-email-that-got-pass-exim.txt

Let me know what you find; something is wrong with the exim connection. I am not an Exim expert, but maybe we can solve this problem.

Paul
Re: too much spam getting through, scores too low
On Wed, 18 Jul 2007 05:30:38 -0400, SM [EMAIL PROTECTED] wrote:
> At 21:31 17-07-2007, Debbie D wrote:
>> But I am still getting way too many spams.. more than I did before the update -- cialis, viagra, all kinds of meds, all scoring between 0.6 and 3.5
>
> Post a link to some of these emails including full headers. That should show the rules they hit.

See this link: http://www.cse.yorku.ca/~paulg/missed-spam.html

Debbie, are these the kind of e-mails that are bypassing Exim/SA?

Here are some snippets from our Exim configure file.

---
  # Content-Filtering
  av_scanner = clamd:/tmp/clamd.sock
  spamd_address = /tmp/spamd.sock
---
  # Reject spam messages with score >= 5
  deny message = This message scored $spam_score spam points.
       spam = exim:true/defer_ok
       condition = ${if >={$spam_score_int}{50}{1}{0}}

  # finally accept all the rest

  local_delivery:
    driver = appendfile
    transport_filter = /xsys/bin/spamc -U /tmp/spamd.sock
    file = /var/mail/$local_part
    delivery_date_add
    envelope_to_add
    return_path_add
  #  group = mail
  #  mode = 0660

  address_pipe:
    driver = pipe
    transport_filter = /xsys/bin/spamc -U /tmp/spamd.sock
    return_fail_output

I can send snippets from our Exim and spamd log files.

Thanks
Paul
RE: Catch all addresses and failure/undeliverable notification messages
What you create by having a catch-all address domain is an EXCELLENT resource for spammers. They will use your domain as a FROM in their spoofing spew. Any [misguided but popular] email software doing the [DDoS enabling] sender address verification will pass the sender as legit, when indeed it is not.

There are many ways to program around a catchall policy, and I encourage you to find one. Maybe someone on the list can even help. Tell us, why do you think you need a catchall?

hth
Dan

-----Original Message-----
From: smeevil [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 18, 2007 2:52 AM
To: users@spamassassin.apache.org
Subject: Catch all addresses and failure/undeliverable notification messages

Hello all,

I am looking for some advice regarding the following issue: I have some domains which are using a catch-all address. On these addresses I get a lot of undeliverable/failure notices which are theoretically legit, though they originate from spam spoofing the domains, which makes those messages spam in practice. I am hoping any of you would know a solution to filter these messages while retaining the legit ones. So far the only solution I can come up with is to stop using the catch-all address, which in some cases is not feasible.

Thank you for your time :)

Gerard.
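One defensive way to separate the legit bounces Gerard wants to keep from the backscatter Dan describes is to look inside the DSN: a real bounce returns a copy (or at least the headers) of the original message, and that original will carry a Received: line from one of your own outbound relays, whereas a bounce for a forged-sender spam will not. The example below is added here and is not code from the thread; the relay hostnames and the two sample bounces are constructed.

```python
"""Classify delivery-status notifications arriving at a catch-all address:
a bounce is only treated as legitimate when the returned original message
actually passed through one of our own outbound relays.  Added example;
relay names and sample messages are constructed."""
import email
import re
from email import policy

# Hosts that hand off our outbound mail (constructed names, adjust to taste).
OUR_RELAYS = {"mail.example.net", "mx1.example.net"}

# The receiving host named in a Received: header ("... by host ...").
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def is_bounce(msg):
    """Recognise a DSN by its MIME report type or by a MAILER-DAEMON/postmaster sender."""
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        return True
    sender = (msg.get("From") or "").lower()
    return "mailer-daemon" in sender or "postmaster@" in sender


def extract_original(msg):
    """Return the returned original (full copy or headers-only part), or None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def relays_in_received(original):
    """Collect the 'by' host of every Received: header on the original message."""
    hosts = set()
    for hdr in original.get_all("Received", []):
        for host in RECEIVED_BY.findall(str(hdr)):
            hosts.add(host.lower().rstrip("."))
    return hosts


def classify_bounce(raw, our_relays=OUR_RELAYS):
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    original = extract_original(msg)
    if original is None:
        # Nothing to verify against: being a DSN alone earns no trust.
        return "bounce-unverifiable"
    if relays_in_received(original) & {h.lower() for h in our_relays}:
        return "bounce-legitimate"
    return "backscatter"


# Constructed DSN skeleton; the original's Received: lines are filled in below.
BOUNCE_HEAD = """From: Mail Delivery Subsystem <MAILER-DAEMON@other.example.org>
To: bob@example.net
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; other.example.org

Final-Recipient: rfc822; nobody@other.example.org
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

"""
ORIGINAL_TAIL = """From: bob@example.net
To: nobody@other.example.org
Subject: hello

body
--B1--
"""


def build_sample_bounce(original_received):
    return (BOUNCE_HEAD + original_received + ORIGINAL_TAIL).encode()


# Original that really left through our relay: a legitimate bounce.
LEGIT = build_sample_bounce(
    "Received: from mail.example.net (mail.example.net [198.51.100.5])\n"
    "\tby other.example.org with ESMTP id 7; Wed, 18 Jul 2007 10:00:00 +0000\n"
    "Received: from bob-pc (bob-pc.example.net [198.51.100.20])\n"
    "\tby mail.example.net with ESMTP id 6; Wed, 18 Jul 2007 09:59:50 +0000\n")

# Original injected directly by a remote host with a forged From: backscatter.
FORGED = build_sample_bounce(
    "Received: from [203.0.113.77] (unknown [203.0.113.77])\n"
    "\tby other.example.org with SMTP id 8; Wed, 18 Jul 2007 10:01:00 +0000\n")

if __name__ == "__main__":
    print("legit sample  :", classify_bounce(LEGIT))
    print("forged sample :", classify_bounce(FORGED))
```

A bounce that returns no copy of the original cannot be verified this way, so the function reports it separately rather than accepting it.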
Re: is there a whitelist rhswl available
http://www.dnswl.org/
http://wiki.ctyme.com/index.php/Spam_DNS_Lists

Both work well IMHO

Ramprasad wrote:
> There are quite a few domains you can trust not to send spam. For example the airlines, the banks, and a lot of others like spamassassin.apache.org :-)
>
> If mails from these domains get an SPF/DK pass we can simply pass the mails. Today I manually maintain a list of whitelist_from_auth. Is there a global DNS WL available somewhere, so that I don't have to keep tracking myself which new bank has put up SPF records?
>
> Thanks
> Ram
spam scoring -2.6
Hi all,

I'm getting creamed with these spams but they are getting through due to:

  -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0005]

Why is this happening?

Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone: 212-941-5300 xt 36
Fax: 212-941-5563
Mailto: [EMAIL PROTECTED]
Catching .pdf Spam
Like many of you, we have been receiving a lot of spam with .pdf attachments. Perhaps I am missing a rule set, but almost none seemed to be getting a high enough score to be marked spam. (We mark a score of 3.00 or more as spam). Can anyone tell me if there is already a ruleset that I should be using?

I have noticed that 98% of the spam with pdf attachments is being sent from Thunderbird. I wrote a few rules and added them to my local.cf. Here is the main one that is working. I am catching most of the spam with this. Does anyone see anything negative about a rule like this?

  header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i
  full   __LOCAL_HAS_PDF /\b\S*\.pdf\b/i
  meta   LOCAL_PDF_VIA_THUNDERBIRD (__LOCAL_HEADER_THUNDERBIRD && __LOCAL_HAS_PDF)
  score  LOCAL_PDF_VIA_THUNDERBIRD 6.0

Thanks All !

MW
RE: spam scoring -2.6
Jean-Paul Natola wrote:
> Hi all, I'm getting creamed with these spams but they are getting through due to:
>
>   -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0005]
>
> Why is this happening?

This only says that Bayes doesn't think the email looks like spam so points are subtracted. What other information can you give about the spam that you receive? (Like the full email headers?)

  Content analysis details:   (4.3 points, 5.0 required)

   pts rule name              description
  ---- ---------------------- --------------------------------------------------
  -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                              [score: 0.0005]
   0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
   1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                              [Blocked - see http://www.spamcop.net/bl.shtml?208.180.135.80]
   1.8 MISSING_SUBJECT        Missing Subject: header
   2.3 EMPTY_MESSAGE          Message appears to have no textual parts and no Subject: text
   1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint

  Return-Path: [EMAIL PROTECTED]
  X-OriginalArrivalTime: 18 Jul 2007 13:36:07.0980 (UTC) FILETIME=[98AB46C0:01C7C940]

  --000102010208070406000602
  Content-Type: text/plain; charset=iso-8859-1; format=flowed
  Content-Transfer-Encoding: 7bit

  --000102010208070406000602
  Content-Type: application/pdf; name=log.pdf
  Content-Transfer-Encoding: base64
  Content-Disposition: inline; filename=log.pdf

  --000102010208070406000602--
Re: spam scoring -2.6
On Wed, 2007-07-18 at 09:41 -0400, Jean-Paul Natola wrote:
> Hi all, I'm getting creamed with these spams but they are getting through due to:
>
>   -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0005]
>
> Why is this happening?

I think that is more than obvious. The bayes DB has gone crazy. This happens to me too. I would suggest you nuke your DB and run sa-learn again. You could try expiring tokens regularly.

Thanks
Ram
Re: Catching .pdf Spam
On Wed, Jul 18, 2007 at 06:52:40AM -0700, nws.charlie wrote:
> more as spam). Can anyone tell me if there is already a ruleset that I should be using?

Run sa-update, there's a rule already in there.

--
Randomly Selected Tagline:
Human female: All in all. This is one day that mitten the kitten will not soon forget.
Morbo: Kittens give Morbo gas. In later news the city of New New York is doomed. Blame rests with known human professor Hubert Farnsworth and his tiny inferior brain.
Re: spam scoring -2.6
On Wed, 18 Jul 2007, Jean-Paul Natola wrote:
> I'm getting creamed with these spams but they are getting through due to:
>
>   -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0005]
>
> Why is this happening?

Well, most likely two causes: (1) your bayes is mistrained, or (2) the spams contain sufficient text that looks like your legitimate message traffic.

I'll repost the questions I posted here a bit ago in response to a similar question:

(0) Does the text in the low-scoring spam, apart from the commercial pitch, look like legitimate message traffic that you would expect at your site? (e.g. if you're in the medical profession, it contains a lot of text about medical topics.)
(1) How often does this happen?
(2) How big is your bayes database? (use sa-learn --dump magic)
(3) How are you training your bayes database? Autolearn? Or manual?
(4) If manual, do you keep your corpus around after you've trained it?
(5) If manual, do you let nontechnical users train it without review?

Finally, have you installed any of the SARE rules from www.rulesemporium.com? While not fixing a low bayes score, they may counteract it when bayes gets fooled.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Where We Want You To Go Today 07/05/07: Microsoft patents in-OS adware architecture incorporating spyware, profiling, competitor suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
 6 days until The 38th anniversary of Apollo 11 landing on the Moon
RE: spam scoring -2.6
On Wed, 18 Jul 2007, Jean-Paul Natola wrote:
>   -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>    1.8 MISSING_SUBJECT        Missing Subject: header
>    2.3 EMPTY_MESSAGE          Message appears to have no textual parts and no Subject: text
>    1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint

Yeah. PDF spams. You'll have to train some PDF spams into bayes for it to work against them. Most of the headers on them (the only content Bayes has to work with given the lack of a body or subject) do look legit. Basically, training on them lets bayes learn about things like the suspicious user-agent header and the .pdf attachment MIME header bits. You should only need to do a handful of the smaller ones.

--
 John Hardin KA7OHZ
Re: Catching .pdf Spam
On Wed, 18 Jul 2007, nws.charlie wrote:
> I have noticed that 98% of the spam with pdf attachments is being sent from Thunderbird. I wrote a few rules and added them to my local.cf. Here is the main one that is working. I am catching most of the spam with this. Does anyone see anything negative about a rule like this?
>
>   header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i
>   full   __LOCAL_HAS_PDF /\b\S*\.pdf\b/i
>   meta   LOCAL_PDF_VIA_THUNDERBIRD (__LOCAL_HEADER_THUNDERBIRD && __LOCAL_HAS_PDF)
>   score  LOCAL_PDF_VIA_THUNDERBIRD 6.0

A real person using Thunderbird cannot send you a pdf, or possibly even talk about a .pdf file with you...

It has been observed that the user-agent header in these spams consistently claims to be a specific version of thunderbird. I have also noticed the same behavior in the past. You might want to add that to your rule to make it a little more focused.

Also, having one poison pill rule is generally a bad idea. There are subject line patterns in the PDF spams that are fairly consistent and not similar to what most human correspondents would use.

--
 John Hardin KA7OHZ
Re: is there a whitelist rhswl available
On Wed, 2007-07-18 at 06:24 -0700, OliverScott wrote:
> http://www.dnswl.org/
> http://wiki.ctyme.com/index.php/Spam_DNS_Lists
>
> Both work well IMHO

These are IP lists. I think there would be some spamassassin rule already (RCVD_IN_DNSWL ???). Need to google again :-)

On the other hand, can I get domain lists? Because that would be a far smaller number than IPs and much easier to whitelist with confidence. E.g. mail from citibank.co.in with SPF_PASS can be whitelisted, but from its IP I will still have to make sure the list is well maintained.

Thanks
Ram
quantitative pdf-tool comparisons?
Given the numerous, ongoing discussions about the various anti-pdf-spam tools, /does/ a quantitative comparison of their relative efficacies (I suppose, measured by SA scores?) exist somewhere?

If not (yet), /is/ there a reference collection (in parlance, corpus?) of pdf spam that could be used/shared by those testing?

E.g., I'm currently using

  80_additional.cf
  FuzzyOcr-dev
  PDFText2

They do score, but with different weights on various messages. Difficult to measure relative performance when the volume of pdf-spam is still relatively low. Ironically, that's, of course, a good thing.

--
Thanks,
JTDeLys
OT: digest version of mailing list
Hi,

sorry if I missed something but is there also a digest version of the mailing list? I searched http://wiki.apache.org/spamassassin/MailingLists but only found subscribe and unsubscribe.

Thanks, Helmut
not scoring correctly
We use SA 3.1.7 with Postfix and amavisd-new 2.4.4 and clamav. I received several PDF's this morning even though we have updated protection. They all came from one server, so I did a lookup in the mail logs to find 'Hits: -', that's it. After some more searching on different servers, I see this frequently; what does it mean as far as score? Logged in as the amavisd user 'vscan' and running an sa test, it clearly scores well above the 5.0 threshold. Any ideas why these types of messages would have gotten through SA?

  esmtp# bzcat /var/log/maillog.0.bz2 | grep ysHkeL+S2PmL
  Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] [108.83.93.165] [EMAIL PROTECTED] - [EMAIL PROTECTED], quarantine: clean-ysHkeL+S2PmL.gz, Message-ID: [EMAIL PROTECTED], mail_id: ysHkeL+S2PmL, Hits: -, queued_as: 0787037B4FA, 821 ms

  esmtp# su vscan
  $ spamassassin -t /var/virusmails/clean-ysHkeL+S2PmL
  <snip>
  Content analysis details:   (11.7 points, 5.0 required)

   pts rule name              description
  ---- ---------------------- --------------------------------------------------
   2.4 MIME_BOUND_DIGITS_15   Spam tool pattern in MIME boundary
   4.5 BOTNET_NORDNS          Relay's IP address has no PTR record
                              [botnet_nordns,ip=89.214.60.100]
   2.0 GMD_PDF_FUZZY2_T3      BODY: Fuzzy MD5 Match 3D4E25DE4A05695681D694716D579474
   1.8 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                              [108.83.93.165 listed in combined-HIB.dnsiplists.completewhois.com]
   1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint

Thanks for any help!

--
Robert
Re: not scoring correctly
A rough guess and probably wrong as usual, but could the message size be larger than what you have set in amavisd-new? If so then SA would be bypassed but not when you manually test the message.

Robert Fitzpatrick wrote:
> We use SA 3.1.7 with Postfix and amavisd-new 2.4.4 and clamav. I received several PDF's this morning even though we have updated protection. They all came from one server, so I did a lookup in the mail logs to find 'Hits: -', that's it. After some more searching on different servers, I see this frequently; what does it mean as far as score? Logged in as the amavisd user 'vscan' and running an sa test, it clearly scores well above the 5.0 threshold. Any ideas why these types of messages would have gotten through SA?
>
>   esmtp# bzcat /var/log/maillog.0.bz2 | grep ysHkeL+S2PmL
>   Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] [108.83.93.165] [EMAIL PROTECTED] - [EMAIL PROTECTED], quarantine: clean-ysHkeL+S2PmL.gz, Message-ID: [EMAIL PROTECTED], mail_id: ysHkeL+S2PmL, Hits: -, queued_as: 0787037B4FA, 821 ms
>
>   esmtp# su vscan
>   $ spamassassin -t /var/virusmails/clean-ysHkeL+S2PmL
>   <snip>
>   Content analysis details:   (11.7 points, 5.0 required)
>
>    pts rule name              description
>   ---- ---------------------- --------------------------------------------------
>    2.4 MIME_BOUND_DIGITS_15   Spam tool pattern in MIME boundary
>    4.5 BOTNET_NORDNS          Relay's IP address has no PTR record
>                               [botnet_nordns,ip=89.214.60.100]
>    2.0 GMD_PDF_FUZZY2_T3      BODY: Fuzzy MD5 Match 3D4E25DE4A05695681D694716D579474
>    1.8 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
>                               [108.83.93.165 listed in combined-HIB.dnsiplists.completewhois.com]
>    1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint
>
> Thanks for any help!
Re: FuzzyOcr output
On 07/18/07 01:21, René Berber wrote:
> Wolfgang Zeikat wrote:
>> In an older episode (Tuesday, 17. July 2007 21:43), René Berber wrote:
>>> Wolfgang Zeikat wrote:
>>>
>>> You can add a line to FuzzyOcr.pm:
>>>
>>>   use POSIX;
>>
>> That line is already there.
>
> Sorry, I should have said:
>
>   use POSIX qw(SIGTERM);

yes, that fixed it (or does at least suppress the output), thanks.

wolfgang
RE: not scoring correctly
> We use SA 3.1.7 with Postfix and amavisd-new 2.4.4 and clamav. I received several PDF's this morning even though we have updated protection. They all came from one server, so I did a lookup in the mail logs to find 'Hits: -', that's it. After some more searching on different servers, I see this frequently; what does it mean as far as score? Logged in as the amavisd user 'vscan' and running an sa test, it clearly scores well above the 5.0 threshold. Any ideas why these types of messages would have gotten through SA?
>
>   Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] [108.83.93.165] [EMAIL PROTECTED] - [EMAIL PROTECTED], quarantine: clean-ysHkeL+S2PmL.gz, Message-ID: [EMAIL PROTECTED], mail_id: ysHkeL+S2PmL, Hits: -, queued_as: 0787037B4FA, 821 ms

Hits: - indicates SA scanning was skipped. Possibly because the message was larger than:

  $sa_mail_body_size_limit

Probably not a good idea to have this over 400k however:

  $sa_mail_body_size_limit = 400*1024;

>    4.5 BOTNET_NORDNS          Relay's IP address has no PTR record
>                               [botnet_nordns,ip=89.214.60.100]

I would be careful using large Botnet scores. There have been a number of posts talking about false positives.

> Thanks for any help!
> Robert

Gary V
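Since "Hits: -" means the message was passed without a SpamAssassin verdict, a quick way to see how often that happens on a gateway, and from which relays, is to parse the amavisd-new log for it. This is an added example, not code from the thread or from amavisd-new; the first log line is the one Robert quoted and the other three are constructed in the same format.

```python
"""Find amavisd-new deliveries that skipped SpamAssassin ('Hits: -') and
group them by the originating relay IP.  Added example; log lines other
than the first are constructed to match the format quoted in the thread."""
import re
from collections import Counter

# Fields of an amavis verdict line: task id, verdict, category, first relay IP,
# mail_id and the SA score (or '-' when SA did not run).
AMAVIS_LINE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<verdict>Passed|Blocked) (?P<category>\S+), "
    r"\[(?P<relay_ip>[\d.]+)\].*?mail_id: (?P<mail_id>\S+), Hits: (?P<hits>-|[-\d.]+)")


def parse_amavis_line(line):
    """Return the parsed fields as a dict, or None for non-verdict lines."""
    m = AMAVIS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sa_skipped"] = rec["hits"] == "-"          # the thread's 'Hits: -' case
    rec["hits"] = None if rec["sa_skipped"] else float(rec["hits"])
    return rec


def skipped_by_relay(lines):
    """Count messages passed without an SA verdict, per relay IP."""
    counts = Counter()
    for line in lines:
        rec = parse_amavis_line(line)
        if rec and rec["verdict"] == "Passed" and rec["sa_skipped"]:
            counts[rec["relay_ip"]] += 1
    return counts


SAMPLE_LOG = [
    # Line quoted in the thread.
    "Jul 17 19:03:43 esmtp amavis[51729]: (51729-14) Passed CLEAN, [89.214.60.100] "
    "[108.83.93.165] [EMAIL PROTECTED] - [EMAIL PROTECTED], quarantine: clean-ysHkeL+S2PmL.gz, "
    "Message-ID: [EMAIL PROTECTED], mail_id: ysHkeL+S2PmL, Hits: -, queued_as: 0787037B4FA, 821 ms",
    # Constructed: another skip from the same relay.
    "Jul 17 19:05:10 esmtp amavis[51730]: (51730-02) Passed CLEAN, [89.214.60.100] "
    "[108.83.93.165] <a@example.org> -> <b@example.net>, quarantine: clean-XXXXXXXXXXXX.gz, "
    "Message-ID: <x@example.org>, mail_id: XXXXXXXXXXXX, Hits: -, queued_as: 0000000000A, 700 ms",
    # Constructed: a normally scanned message from a different relay.
    "Jul 17 19:06:00 esmtp amavis[51731]: (51731-03) Passed CLEAN, [198.51.100.9] "
    "[198.51.100.9] <c@example.org> -> <b@example.net>, Message-ID: <y@example.org>, "
    "mail_id: YYYYYYYYYYYY, Hits: 2.105, queued_as: 0000000000B, 1200 ms",
    # Constructed: a blocked spam that SA did score.
    "Jul 17 19:07:30 esmtp amavis[51732]: (51732-04) Blocked SPAM, [89.214.60.100] "
    "[108.83.93.165] <d@example.org> -> <b@example.net>, quarantine: spam-ZZZZZZZZZZZZ.gz, "
    "Message-ID: <z@example.org>, mail_id: ZZZZZZZZZZZZ, Hits: 11.7, 900 ms",
]

if __name__ == "__main__":
    for ip, n in skipped_by_relay(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} message(s) passed without an SA verdict")
```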
Re: not scoring correctly
On Wed, 2007-07-18 at 09:57 -0500, Administrator wrote:
> A rough guess and probably wrong as usual, but could the message size be larger than what you have set in amavisd-new? If so then SA would be bypassed but not when you manually test the message.

Ding! Thanks! It is set at 64*1024, falling short of all these 70K+ PDF messages. What is the recommended bypass these days considering the types of spam out there? I raised it to 128*1024, but I don't want to choke these heavily used gateways.

--
Robert
Re: not scoring correctly
I use 256K, but I have a small volume (about a thousand emails a day) server load. We are also experimenting with the SaneSecurity definitions for clam which catch a lot of this rodent mail as well and should lower the SA load.

Glad it helped.

Robert Fitzpatrick wrote:
> On Wed, 2007-07-18 at 09:57 -0500, Administrator wrote:
>> A rough guess and probably wrong as usual, but could the message size be larger than what you have set in amavisd-new? If so then SA would be bypassed but not when you manually test the message.
>
> Ding! Thanks! It is set at 64*1024, falling short of all these 70K+ PDF messages. What is the recommended bypass these days considering the types of spam out there? I raised it to 128*1024, but I don't want to choke these heavily used gateways.

--
Dr. Craig Carriere, Cobatco Inc.
Re: too much spam getting through, scores too low
At 05:39 18-07-2007, Paul Griffith wrote:
> See this link: http://www.cse.yorku.ca/~paulg/missed-spam.html

Both messages scored 13.9 and hit FH_FROMEML_NOTLD, RDNS_NONE, URIBL_BLACK, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL, URIBL_WS_SURBL. This was tested on a system without any additional rules and without Bayes.

Your SpamAssassin setup gave the first message a score of 4.5 and the second one a score of 4.6. They may not have been in all the URI blacklists at the time your mail server received the message. Both messages hit RCVD_IN_PBL and RDNS_NONE. If you add 0.5 to the score for either of these two rules, the scores of these messages would reach your threshold.

Are you using Bayes? See http://wiki.apache.org/spamassassin/BayesInSpamAssassin

Regards,
-sm
How to disable Bayes for PDF emails
I would like to disable Bayes analysis entirely if an email has a PDF attachment. How can I do it?

i
Re: OT: digest version of mailing list
At 07:41 18-07-2007, Helmut Schneider wrote:
> sorry if I missed something but is there also a digest version of the mailing list? I searched http://wiki.apache.org/spamassassin/MailingLists but only found subscribe and unsubscribe.

Send an email to [EMAIL PROTECTED]

Regards,
-sm
Re: OT Alert: Forward low scoring SPAM to sa-learn.
On 17.07.07 10:40, Anthony Kamau wrote:
> I'm faced with a dilemma on how to use sa-learn with mail forwarded from a user's inbox on Exchange to the sendmail server. Since we just recently started using sendmail as a front end server, our bayes system is still in its infancy and spam is getting through to user inboxes with scores lower than our threshold of 10 and thus not being clearly identified as spam on the subject line. My intention is to have a user forward spam back to the sendmail server and use sa-learn to help the scoring system get better fast.

my experience tells me that Exchange rewrites mails very often in such a horrible way that mail from Exchange should never be used for SA training.

Try to send all copies of received e-mail to a special mailbox on your front-end server and whenever your user reports a false positive/negative, run sa-learn (or spamassassin -r/-k) over the copy.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: Anyone getting 'OOO e-mails from Charles Mount?
On Jul 17, 2007, at 10:30 AM, Evan Platt wrote:
> Just posted to the list, and got a bounce from Charles Mount. Not 100% sure it's from this list though.

On 17.07.07 11:27, Vivek Khera wrote:
> there are gazillions of b0rked autoresponders in the world. you just stumbled upon one of them. they are as not nearly as vile as spambots, but still annoying.

I think in this case it was really an autoresponder sending e-mails from the list.. I received a reply a few minutes after posting here...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Re: How to get Spam report in header?
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 17, 2007 5:32 PM
> To: users@spamassassin.apache.org; [EMAIL PROTECTED]
> Subject: How to get Spam report in header?
>
> We use MailScanner and Spamassassin. Our email has a header line as follows:
>
>   X-BakerBotts-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (not cached, score=-4.4, required 5, autolearn=not spam, BAYES_00 -0.40, RCVD_IN_DNSWL_MED -4.00)
>
> Is it possible to include the 'Spam-Report' as in the example below?

On 17.07.07 17:35, Koopmann, Jan-Peter wrote:
> AFAIK: No there is no way.

time for wishlist/enhancement bugreport I'd say. Donald, will you submit one?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Re: Catching .pdf Spam
nws.charlie wrote:
> I am catching most of the spam with this. Does anyone see anything negative about a rule like this?
>
>   header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i
>   full   __LOCAL_HAS_PDF /\b\S*\.pdf\b/i
>   meta   LOCAL_PDF_VIA_THUNDERBIRD (__LOCAL_HEADER_THUNDERBIRD && __LOCAL_HAS_PDF)
>   score  LOCAL_PDF_VIA_THUNDERBIRD 6.0

Well, this message will probably go into your spam folder, since I'm using Thunderbird and the phrase .pdf appears in the message.

--
Kelson Vibber
SpeedGate Communications www.speed.net
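To make the false positive Kelson describes concrete, and John Hardin's point that one 6.0 poison pill is worse than several small signals, here is an added example (not code from the thread or from SpamAssassin) that runs the posted rule's two regexes and a narrower set of checks over two constructed messages: a human Thunderbird user mentioning a PDF, and a subject-less, text-less PDF attachment of the kind shown in the "spam scoring -2.6" report. The scores assigned to the narrower checks are assumptions.

```python
"""Why the thread's LOCAL_PDF_VIA_THUNDERBIRD rule misfires, and a narrower
alternative, run over constructed messages.  Added example; the scores below
are assumptions, not SpamAssassin's own."""
import email
import re
from email import policy

THUNDERBIRD = re.compile(r"\bthunderbird\b", re.IGNORECASE)
ANY_PDF_TOKEN = re.compile(r"\b\S*\.pdf\b", re.IGNORECASE)   # the posted `full` regex


def broad_rule_hits(raw):
    """The posted meta rule: User-Agent says Thunderbird AND '.pdf' occurs anywhere."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return (bool(THUNDERBIRD.search(msg.get("User-Agent", "")))
            and bool(ANY_PDF_TOKEN.search(raw.decode("latin-1"))))


def pdf_attachments(msg):
    """Parts that really are PDF attachments, by MIME type or by filename."""
    return [p for p in msg.walk()
            if p.get_content_type() == "application/pdf"
            or (p.get_filename() or "").lower().endswith(".pdf")]


def has_text_body(msg):
    """True if any text/plain part carries non-blank text."""
    return any(p.get_content_type() == "text/plain" and p.get_content().strip()
               for p in msg.walk())


def narrow_score(raw):
    """Several small, independently meaningful checks instead of one 6.0 pill."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    pdfs = pdf_attachments(msg)
    if pdfs and not has_text_body(msg):
        hits["PDF_ONLY_NO_TEXT"] = 2.0        # assumed score
    if not (msg.get("Subject") or "").strip():
        hits["MISSING_SUBJECT"] = 1.8         # value from the report quoted in the thread
    if pdfs and THUNDERBIRD.search(msg.get("User-Agent", "")):
        hits["PDF_VIA_THUNDERBIRD"] = 0.5     # weak on its own (assumed)
    return hits


# Constructed: a human Thunderbird user merely mentioning a PDF in plain text.
HUMAN_MENTION = b"""From: alice@example.com
To: bob@example.net
Subject: Re: last week's report
User-Agent: Thunderbird (constructed sample)
Content-Type: text/plain

I attached report.pdf to last week's mail, did it arrive?
"""

# Constructed: no Subject, empty text part, PDF attachment, Thunderbird User-Agent.
PDF_SPAM = b"""From: nobody@example.org
To: bob@example.net
User-Agent: Thunderbird (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="X1"

--X1
Content-Type: text/plain; charset=iso-8859-1

--X1
Content-Type: application/pdf; name=log.pdf
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename=log.pdf

JVBERi0xLjQK
--X1--
"""

if __name__ == "__main__":
    for name, raw in (("human mention", HUMAN_MENTION), ("pdf spam", PDF_SPAM)):
        print(f"{name}: broad rule={broad_rule_hits(raw)} narrow={narrow_score(raw)}")
```

The broad rule fires on both messages; the narrower checks leave the human message at zero and still put the PDF-only message at 4.3 from three independent signals.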
Re: OT: digest version of mailing list
From: SM [EMAIL PROTECTED]
> At 07:41 18-07-2007, Helmut Schneider wrote:
>> sorry if I missed something but is there also a digest version of the mailing list? I searched http://wiki.apache.org/spamassassin/MailingLists but only found subscribe and unsubscribe.
>
> Send an email to [EMAIL PROTECTED]

Thanks a lot.
Re: too much spam getting through, scores too low
On Wed, 18 Jul 2007 11:17:16 -0400, SM [EMAIL PROTECTED] wrote:
> At 05:39 18-07-2007, Paul Griffith wrote:
>> See this link: http://www.cse.yorku.ca/~paulg/missed-spam.html
>
> Both messages scored 13.9 and hit FH_FROMEML_NOTLD, RDNS_NONE, URIBL_BLACK, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL, URIBL_WS_SURBL. This was tested on a system without any additional rules and without Bayes.
>
> Your SpamAssassin setup gave the first message a score of 4.5 and the second one a score of 4.6. They may not have been in all the URI blacklists at the time your mail server received the message. Both messages hit RCVD_IN_PBL and RDNS_NONE. If you add 0.5 to the score for either of these two rules, the scores of these messages would reach your threshold.
>
> Are you using Bayes? See http://wiki.apache.org/spamassassin/BayesInSpamAssassin
>
> Regards,
> -sm

We have bayes turned off. I will take a look at the URL listed above and keep digging!

Thanks
Paul
Plugin Location
I'm trying to add a new plugin to Spamassassin. I located my plugin directory on my server, /usr/local/lib/perl5/site_perl/5.8.4/Mail/SpamAssassin/Plugin/, by searching on my server for URIDNSBL.pm. When I put my new plugin into that directory, call it from init.pre, and run a --lint, I get the following:

[11359] warn: plugin: failed to parse plugin (from @INC): Can't locate MAIL/SpamAssassin/Plugin/PDFInfo.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.8.4/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.4 /usr/local/lib/perl5/5.8.4/i386-freebsd /usr/local/lib/perl5/5.8.4 /usr/local/lib/perl5/site_perl/5.8.3/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl/5.8.1/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.1 /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl/5.005 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/vendor_perl/5.8.4/i386-freebsd /usr/local/lib/perl5/vendor_perl/5.8.4 /usr/local/lib/perl5/vendor_perl/5.8.3/i386-freebsd /usr/local/lib/perl5/vendor_perl/5.8.3 /usr/local/lib/perl5/vendor_perl /usr/local/lib/perl5/5.00503 /usr/local/lib/site_perl) at (eval 52) line 1.
[11359] warn: plugin: failed to create instance of plugin MAIL::SpamAssassin::Plugin::PDFInfo: Can't locate object method new via package MAIL::SpamAssassin::Plugin::PDFInfo at (eval 53) line 1.

What am I doing wrong? Kevin Plested Warpzone Web Services
Re: Plugin Location
On Wed, 2007-07-18 at 12:25 -0400, Kevin Plested wrote: I'm trying to add a new plugin to Spamassassin, I located my plugin directory on my server: /usr/local/lib/perl5/site_perl/5.8.4/Mail/SpamAssassin/Plugin/ by searching on my server for URIDNSBL.pm. When I put my new plugin into that directory, and call it from init.pre, and run a --lint, I get the following: [11359] warn: plugin: failed to parse plugin (from @INC): Can't locate MAIL/SpamAssassin/Plugin/PDFInfo.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.8.4/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.4 /usr/local/lib/perl5/5.8.4/i386-freebsd /usr/local/lib/perl5/5.8.4 /usr/local/lib/perl5/site_perl/5.8.3/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl/5.8.1/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.1 /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl/5.005 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/vendor_perl/5.8.4/i386-freebsd /usr/local/lib/perl5/vendor_perl/5.8.4 /usr/local/lib/perl5/vendor_perl/5.8.3/i386-freebsd /usr/local/lib/perl5/vendor_perl/5.8.3 /usr/local/lib/perl5/vendor_perl /usr/local/lib/perl5/5.00503 /usr/local/lib/site_perl) at (eval 52) line 1. [11359] warn: plugin: failed to create instance of plugin MAIL::SpamAssassin::Plugin::PDFInfo: Can't locate object method new via package MAIL::SpamAssassin::Plugin::PDFInfo at (eval 53) line 1. What am I doing wrong? Kevin Plested Warpzone Web Services It looks as if you are not defining a method named 'new' in your plugin. SA plugins are perl objects, they must define a constructor named 'new'. Look at some of the other plugins to see what needs to happen in the 'new' method.
Re: How to disable Bayes for PDF emails
On Wed, Jul 18, 2007 at 10:22:49AM -0500, Igor Chudov wrote: I would like to disable Bayes analysis entirely if an email has a PDF attachment. How can I do it? You could theoretically write a plugin that looks for an attachment and changes the config and score set if it finds one. Otherwise, you don't. Why would you want to? -- Randomly Selected Tagline: Logic is very, very straight-forward. - Instructor Dean
Re: is there a whitelist rhswl available
[Disclosure: I'm involved with dnswl.org] ram wrote: http://www.dnswl.org/ http://wiki.ctyme.com/index.php/Spam_DNS_Lists Both work well IMHO These are IP lists. I think there would be some spamassassin rule already ( RCVD_IN_DNSWL ???) . Need to google again :-)

It depends on the version of SpamAssassin you're using. If you are on 3.2.0 and using sa-update, you have the full ruleset. The original 3.2.0 was missing one rule (add it to local.cf or some similar file, wrap on one line):

header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')

The whole bunch of rules (usable for any version of SA that can do RBL lookups) can be found here: http://www.dnswl.org/tech#spamassassin

On the other hand Can I get domain lists because that would be a far smaller number than IPs and much easier to whitelist with confidence for eg mail from citibank.co.in with SPF_PASS can be whitelisted , but from its IP I will still have to make sure the list is well maintained

We are currently evaluating options to combine our current IP-based with domain-name-based listings. Stay tuned ;) -- Matthias
Re: is there a whitelist rhswl available
i'm working on the rules you described, and will upload working versions soon. i posted about this a few days ago, with a prototype ruleset. http://www.gossamer-threads.com/lists/spf/discuss/32160 they will be integrated with SPF and DKIM in the appropriate manner. the following RHSWL is alpha only and not ready for production. in production the name will change. % dig +short prudential.com.mengwong.manywl-v1.dnswl.karmasphere.com @query.karmasphere.com 127.0.0.2 i am going to add all the SA 60_* whitelisted domains to that feedset. On Jul 18, 2007, at 10:22 PM, ram wrote: On Wed, 2007-07-18 at 06:24 -0700, OliverScott wrote: http://www.dnswl.org/ http://wiki.ctyme.com/index.php/Spam_DNS_Lists Both work well IMHO These are ip lists. I think there would be some spamassassin rule already ( RCVD_IN_DNSWL ???) . Need to google again :-) On the other hand Can I get domain lists because that would be a far smaller number than IP's and much easier to whitelist with confidence for eg mail from citibank.co.in with SPF_PASS can be whitelisted , but from its IP I will still have to make sure the list is well maintained Thanks Ram
Re: Question about v3.2.1 and SARE rules..
Billy Huddleston wrote: I upgraded from 3.1.7 to 3.2.1 and started getting errors from 70_sare_obfu.cf rules set.. any one got any ideas on this? Thanks, Billy ** What are the errors? -- -Doc Penguins: Do it on the ice. 8:44am up 4 days, 16:55, 17 users, load average: 0.18, 0.30, 0.37 SARE HQ http://www.rulesemporium.com/
Re: is there a whitelist rhswl available
On Jul 19, 2007, at 1:33 AM, Meng Weng Wong wrote: the following RHSWL is alpha only and not ready for production. in production the name will change. % dig +short prudential.com.mengwong.manywl-v1.dnswl.karmasphere.com @query.karmasphere.com 127.0.0.2

oops, I forgot the url that describes that RHSWL in more detail. https://my.karmasphere.com/app/store/composite/composite_view_feeds?composite_id=mengwong.manywl-v1

I want to offer a big thank-you to Matthias Leisi for DNSWL. Because Karmasphere tries to avoid generating original data, it is data providers like him who make it all possible. If you have RHSWL data to contribute, please 1. publish a feed of domain names to KS 2. join the karmasphere-users mailing list 3. tell me about it and I will add your feed to the feedset. I'm working on a comparison document that shows how Karmasphere can be used to complement the stuff that's already in SA 3.2.1.
Re: Question about v3.2.1 and SARE rules..
Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xd5) in pattern match (m//) at /etc/mail/spamassassin/70_sare_obfu1.cf, rule __SARE_OBFU_VISIT1, line 1, GEN42 line 64.
Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xcf) in pattern match (m//) at /etc/mail/spamassassin/70_sare_obfu0.cf, rule SARE_OBFU_XANAX, line 1, GEN42 line 64.

Doc Schneider wrote: Billy Huddleston wrote: I upgraded from 3.1.7 to 3.2.1 and started getting errors from 70_sare_obfu.cf rules set.. any one got any ideas on this? Thanks, Billy ** What are the errors? -- -Doc Penguins: Do it on the ice. 8:44am up 4 days, 16:55, 17 users, load average: 0.18, 0.30, 0.37 SARE HQ http://www.rulesemporium.com/
Re: How to disable Bayes for PDF emails
On Wed, Jul 18, 2007 at 01:17:45PM -0400, Theo Van Dinter wrote: On Wed, Jul 18, 2007 at 10:22:49AM -0500, Igor Chudov wrote: I would like to disable Bayes analysis entirely if an email has a PDF attachment. How can I do it? You could theoretically write a plugin that looks for an attachment and changes the config and score set if it finds one. Otherwise, you don't. Why would you want to? Bayes, applied to pdf spams, always classifies the message as ham and increases the score. It is not reliable for PDF messages where the content is in PDF. i
Re: Question about v3.2.1 and SARE rules..
Billy Huddleston wrote: Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xd5) in pattern match (m//) at /etc/mail/spamassassin/70_sare_obfu1.cf, rule __SARE_OBFU_VISIT1, line 1, GEN42 line 64. Malformed UTF-8 character (unexpected non-continuation byte 0x00, immediately after start byte 0xcf) in pattern match (m//) at /etc/mail/spamassassin/70_sare_obfu0.cf, rule SARE_OBFU_XANAX, line 1, GEN42 line 64.

You need to update that rule... this was fixed over a month ago. Check what version you're running, you need 01.00.14. And yes, I'm the one who fixed it! 8*) -- -Doc Penguins: Do it on the ice. 8:44am up 4 days, 16:55, 17 users, load average: 0.18, 0.30, 0.37 SARE HQ http://www.rulesemporium.com/
Really Stupid Question: Plugins
I haven't yet had to implement any pdf plugins, but I am looking to do so. I am running SA 3.1.9 and perl 5.8.8. From what I can see, my plugins are here: /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/ And there is no related folder for 5.8.8 Is that the location where I want to install the plugin? - Skip
Re: How to disable Bayes for PDF emails
Igor Chudov wrote: Bayes, applied to pdf spams, always classifies the message as ham and increases the score. It is not reliable for PDF messages where the content is in PDF. Sounds like you need to train Bayes on those messages. Over here, Bayes is misclassifying less than 15% of PDF spams, and only a handful of those are getting through. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Catching .pdf Spam
I took over this project (dealing w/spam) with very little instruction or experience, so My Apologies if my questions are ignorant... I had previously run sa-update manually, and we also have it scheduled automatically twice a day. The updates are happening as scheduled, and being placed in var/lib/spamassassin/3.001001/..., however, spamassassin seems to be ignoring the rules there. I manually copied 80_additional.cf to etc/mail/spamassassin, and now I am getting new rule hits, including the TVD_PDF_FINGER01 rule. According to what I have read, rules should work when they are in var/lib/spamassassin/.. Do I misunderstand, or do we have something configured wrong? Thanks for your replies! MW Theo Van Dinter-2 wrote: Run sa-update, there's a rule already in there. -- View this message in context: http://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11674168 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Catching .pdf Spam
On Wed, Jul 18, 2007 at 11:17:03AM -0700, nws.charlie wrote: automatically twice a day. The updates are happening as scheduled, and being placed in var/lib/spamassassin/3.001001/..., however, spamassassin seems to be ignoring the rules there. Why do you say that? Does spamassassin --lint -D show the files being used? Also, if you're really using 3.1.1 you should think about upgrading. 3.1.9 has been out for a while, and 3.1.10 should be in the next week or so. -- Randomly Selected Tagline: I decry the current tendency to seek patents on algorithms. There are better ways to earn a living than to prevent other people from making use of one's contributions to computer science. - Donald E. Knuth
Re: Really Stupid Question: Plugins
Skip Brott wrote: I haven't yet had to implement any pdf plugins, but I am looking to do so. I am running SA 3.1.9 and perl 5.8.8. From what I can see, my plugins are here: /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/ And there is no related folder for 5.8.8 Is that the location where I want to install the plugin?

I usually recommend that people place third-party plugins into their site or local rules directory (i.e. /etc/mail/spamassassin) and then specify that path in the loadplugin line. For instance, if you download MyPlugin.pm from the wiki, copy it to /etc/mail/spamassassin. Create a myplugin.pre file and put the following in it:

loadplugin MyPlugin /etc/mail/spamassassin/MyPlugin.pm

In the above config line the name of the plugin is actually the Perl package name, so if it's Mail::SpamAssassin::Plugin::MyPlugin then the config line will look like:

loadplugin Mail::SpamAssassin::Plugin::MyPlugin /etc/mail/spamassassin/MyPlugin.pm

Mucking around with the site_perl lib directories by hand is asking for trouble. Michael
Re: not scoring correctly
On Wed, 2007-07-18 at 10:12 -0500, Craig Carriere wrote: I use 256K, but I have a small volume (about a thousand emails a day) server load. We are also experimenting with the SaneSecurity definitions for clam which catch a lot of this rodent mail as well and should lower the SA load. Glad it helped.

I'm sure it did tremendously, thanks again. But WOW! Look at this one where the logs indicate it was scored at 4.441 as I received the message, but if I login as the vscan user, I get a score of 5.8...

Content analysis details: (5.8 points, 5.0 required)

 pts rule name          description
---- ------------------ ----------------------------------------------------------
 0.6 GMD_PDF_ENCRYPTED  BODY: Attached PDF is encrypted
 1.4 DCC_CHECK          Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.3 MISSING_SUBJECT    Missing Subject: header
 1.5 EMPTY_MESSAGE      Message appears to have no textual parts and no Subject: text
 1.0 TVD_PDF_FINGER01   Mail matches standard pdf spam fingerprint

$ exit
esmtp# grep Hpqf4RZBgPd0 /var/log/maillog
Jul 18 14:12:54 esmtp amavis[26504]: (26504-09) Passed CLEAN, [63.139.123.10] [166.149.97.103] [EMAIL PROTECTED] - [EMAIL PROTECTED], quarantine: clean-Hpqf4RZBgPd0.gz, Message-ID: [EMAIL PROTECTED], mail_id: Hpqf4RZBgPd0, Hits: 4.441, queued_as: 9663137B50F, 2405 ms

What other things can contribute to this type of scenario? -- Robert
Re: Who can tell me where the latest sa-stats can be found.
On Monday 16 July 2007 9:47 pm, Dallas Engelken wrote: I havent touched them for a while and havent checked if v1.03 even works with SA 3.2. If something needs to be done, let me know. 1.03 is working just fine here Dallas w/SA3.2.1 -- Chris KeyID 0xE372A7DA98E6705C pgpcaCcsXAAu1.pgp Description: PGP signature
Re: Really Stupid Question: Plugins
On Wed, Jul 18, 2007 at 01:15:16PM -0500, Skip Brott wrote: I haven't yet had to implement any pdf plugins, but I am looking to do so. I am running SA 3.1.9 and perl 5.8.8. From what I can see, my plugins are here: /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/ Is that the location where I want to install the plugin? No, and you probably don't have your plugins directly there either. The default plugins are in .../Mail/SpamAssassin/Plugins. You could put your own plugins there, but it's not a requirement. It also, imo, makes it annoying in certain situations. Upgrading a plugin, for instance -- I can't remember that path, and I'm tired of having to look it up when I need it. YMMV. I'd probably shove my own plugins in /etc/mail/spamassassin/plugins so that they're in the same place as the configs I would edit to enable them. Then you just set the loadplugin line to aim at the path and you're done. (see perldoc Mail::SpamAssassin::Conf's loadplugin area to see what I mean.) -- Randomly Selected Tagline: The weaknesses and the strengths of computer networking derive from the same feature: it is easy to send messages to anyone who has access to the network. - Donald A. Norman, The Trouble with Networks (Datamation 1/1982)
Re: not scoring correctly
It is not all that unusual to see differences in SA when run from the command line. Have you looked at what scores are being hit on the actual incoming message (amavisd-new log level to 2)?

Robert Fitzpatrick wrote: On Wed, 2007-07-18 at 10:12 -0500, Craig Carriere wrote: I use 256K, but I have a small volume (about a thousand emails a day) server load. We are also experimenting with the SaneSecurity definitions for clam which catch a lot of this rodent mail as well and should lower the SA load. Glad it helped. I'm sure it did tremendously, thanks again. But WOW! Look at this one where the logs indicate it was scored at 4.441 as I received the message, but if I login as the vscan user, I get a score of 5.8...

Content analysis details: (5.8 points, 5.0 required)

 pts rule name          description
---- ------------------ ----------------------------------------------------------
 0.6 GMD_PDF_ENCRYPTED  BODY: Attached PDF is encrypted
 1.4 DCC_CHECK          Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.3 MISSING_SUBJECT    Missing Subject: header
 1.5 EMPTY_MESSAGE      Message appears to have no textual parts and no Subject: text
 1.0 TVD_PDF_FINGER01   Mail matches standard pdf spam fingerprint

$ exit
esmtp# grep Hpqf4RZBgPd0 /var/log/maillog
Jul 18 14:12:54 esmtp amavis[26504]: (26504-09) Passed CLEAN, [63.139.123.10] [166.149.97.103] [EMAIL PROTECTED] - [EMAIL PROTECTED], quarantine: clean-Hpqf4RZBgPd0.gz, Message-ID: [EMAIL PROTECTED], mail_id: Hpqf4RZBgPd0, Hits: 4.441, queued_as: 9663137B50F, 2405 ms

What other things can contribute to this type of scenario?
Re: Catching .pdf Spam
Theo Van Dinter-2 wrote: On Wed, Jul 18, 2007 at 11:17:03AM -0700, nws.charlie wrote: automatically twice a day. The updates are happening as scheduled, and being placed in var/lib/spamassassin/3.001001/..., however, spamassassin seems to be ignoring the rules there. Why do you say that? Does spamassassin --lint -D show the files being used? I say spamassassin is ignoring the rules simply because I was not getting rule hits on any of the rules in 80_additional.cf when it was only in var/lib/spamassassin. As soon as I placed a copy in etc/mail/spamassassin the rules started triggering. I verified this several ways. Most specifically, when I placed a copy in etc/mail/spamassassin, the rule TVD_PDF_FINGER01 began triggering for the same messages as my custom rule. When I remove 80_additional.cf from etc/mail/spamassassin, that rule no longer triggers, while my custom rule does. 80_additional.cf is still in var/lib/spamassassin. Also, if you're really using 3.1.1 you should think about upgrading. Yes, we are... I'm looking into that too. Meanwhile, that shouldn't prevent these rules from working, right? Thanks again. -- View this message in context: http://www.nabble.com/Catching-.pdf-Spam-tf4103383.html#a11675276 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Whats wrong with dateformat?
X-Spam-Status: No, score=-1.19 tagged_above=-999 required=5 tests=[AWL=0.164, BAYES_00=-2.599, DKIM_POLICY_SIGNSOME=0, DK_POLICY_SIGNSOME=0, INVALID_DATE=1.245]
Date: 18 Jul 07 11:01:52 -0700

I THINK day is optional. From the RFC (http://www.ietf.org/rfc/rfc2822.txt):

3.6.1. The origination date field: The origination date field consists of the field name "Date" followed by a date-time specification.
  orig-date = "Date:" date-time CRLF
That is, the day-of-the-week (if included) MUST be the day implied by the date.

3.3:
  date-time = [ day-of-week "," ] date FWS time [CFWS]
  date      = day month year
  year      = 4*DIGIT / obs-year
where obs-year is (4.3):
  obs-year  = [CFWS] 2*DIGIT [CFWS]
Where a two or three digit year occurs in a date, the year is to be interpreted as follows: If a two digit year is encountered whose value is between 00 and 49, the year is interpreted by adding 2000, ending up with a value between 2000 and 2049. If a two digit year is encountered with a value between 50 and 99, or any three digit year is encountered, the year is interpreted by adding 1900.

_ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _
Re: Whats wrong with dateformat?
On Wed, Jul 18, 2007 at 03:30:29PM -0400, Michael Scheidell wrote: INVALID_DATE=1.245] Date: 18 Jul 07 11:01:52 -0700 I THINK day is optional:

Ok ... ? It's optional in the rule too. The rule does, however, want a 4-digit year. Rules such as this one, fwiw, aren't meant to be strictly checking for RFC compliance. RFC (in)compliance isn't necessarily useful for ham versus spam determination. The rule also has a pretty good hit rate:

  2.760   3.2762   0.0488   0.985   0.89   0.00   INVALID_DATE

None of my FPs, anyway, have a 2-digit year; they're pretty much all strangely corrupt timezones. -- Randomly Selected Tagline: We should declare war on North Vietnam. We could pave the whole country and put parking strips on it, and still be home by Christmas. - Ronald Reagan
RE: Whats wrong with dateformat?
-----Original Message----- From: Theo Van Dinter [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 18, 2007 4:22 PM To: users@spamassassin.apache.org Subject: Re: Whats wrong with dateformat? On Wed, Jul 18, 2007 at 03:30:29PM -0400, Michael Scheidell wrote: INVALID_DATE=1.245] Date: 18 Jul 07 11:01:52 -0700 I THINK day is optional: Ok ... ? It's optional in the rule too. The rule does, however, want a 4-digit year. Rules such as this one, fwiw, aren't meant to be strictly checking for RFC compliance. RFC (in)compliance isn't necessarily useful for ham versus spam determination.

And I believe in the rule of thumb that NO rule (well, maybe if it comes from topica) is a strict 'spam/no spam' rule, and yes, I can adjust the score myself; that is one great thing about SA. But aren't the scores a little high for a valid date? (rfc compliant) Ps, I berated the program manager, letting him know that y2k issues should have been solved 8 years ago ;-)

INVALID_DATE 2.303 1.651 1.329 1.245

The rule also has a pretty good hit rate: 2.760 3.2762 0.0488 0.985 0.89 0.00 INVALID_DATE None of my FPs, anyway, have a 2-digit year, they're pretty much all strangely corrupt timezones.

I just happened to look, I haven't run any comparisons. So, easy to change? Should I do a bugzilla? (right after I reformat the multiple meta rule thing and send to bugzilla ;-) My brain can't wrap itself around that regex, maybe changing

\s+(?:19[7-9]\d|2\d{3})\s+

to

\s+(?:19[7-9]\d|2\d{3}|[7-9]\d)\s+

Let's not forget 3 digit years: "or any three digit year is encountered, the year is interpreted by adding 1900." So, 079 is 1979, 100 is 2000, etc?

\s+(?:19[7-9]\d|2\d{3}|[7-9]\d|0[7-9]\d|1\d{2})\s+
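The year forms discussed in this thread, as an added example (editor-supplied Python, not code from the thread or from SpamAssassin's INVALID_DATE rule): a small parser that applies the RFC 2822 section 4.3 interpretation of two- and three-digit years, plus a check of which `Date:` values the 4-digit alternation quoted above and the widened alternation proposed above would accept. The header values are constructed; the zone handling (numeric offsets only, alphabetic zones folded to UTC) is a simplification of this example, not part of the rule. Run as written, the check also shows that the `[7-9]\d` branch accepts years 70 to 99 but not the `07` of the header that started the thread, while `0[7-9]\d` covers three-digit years such as `079`.

```python
import re
from datetime import datetime, timedelta, timezone

# Year alternations as quoted in the thread: the 4-digit form the rule was said
# to require, and the widened form proposed in the reply.
YEAR_4DIGIT = r"(?:19[7-9]\d|2\d{3})"
YEAR_WIDENED = r"(?:19[7-9]\d|2\d{3}|[7-9]\d|0[7-9]\d|1\d{2})"

MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}

# Loose tokenizer for the RFC 2822 date-time production (section 3.3) that also
# admits the obsolete two- and three-digit years of section 4.3.
DATE_TIME = re.compile(
    r"^\s*(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s*,\s*)?"          # optional day-of-week
    r"(?P<day>\d{1,2})\s+(?P<mon>[A-Za-z]{3})\s+(?P<year>\d{2,4})\s+"
    r"(?P<hh>\d{2}):(?P<mm>\d{2})(?::(?P<ss>\d{2}))?"
    r"(?:\s+(?P<zone>[+-]\d{4}|[A-Za-z]{1,4}))?\s*$",
    re.IGNORECASE,
)


def normalize_year(text):
    """RFC 2822 section 4.3: two digits 00-49 -> 2000s, 50-99 -> 1900s; three digits -> +1900."""
    n = int(text)
    if len(text) == 4:
        return n
    if len(text) == 2:
        return 2000 + n if n <= 49 else 1900 + n
    return 1900 + n


def parse_date(value):
    """Parse a Date: header value into an aware datetime, or None if it does not parse."""
    m = DATE_TIME.match(value)
    if not m:
        return None
    mon = MONTHS.get(m["mon"].lower())
    if mon is None:
        return None
    zone = m["zone"] or "+0000"
    if zone[0] in "+-":
        sign = -1 if zone[0] == "-" else 1
        offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5])) * sign
    else:
        offset = timedelta(0)  # UT/GMT and obsolete alphabetic zones: simplified to UTC here
    try:
        return datetime(normalize_year(m["year"]), mon, int(m["day"]),
                        int(m["hh"]), int(m["mm"]), int(m["ss"] or 0),
                        tzinfo=timezone(offset))
    except ValueError:  # e.g. 31 Feb
        return None


def year_accepted(value, alternation):
    """Does a whitespace-delimited token of this Date: value match the year alternation?"""
    return re.search(r"\s+" + alternation + r"\s+", value) is not None


if __name__ == "__main__":
    # Constructed header values, the first being the one from the thread.
    for value in ("18 Jul 07 11:01:52 -0700", "18 Jul 79 11:01:52 -0700",
                  "18 Jul 079 11:01:52 -0700", "Wed, 18 Jul 2007 11:01:52 -0700"):
        print(f"{value:32s} -> {parse_date(value)}  4digit={year_accepted(value, YEAR_4DIGIT)!s:5s} "
              f"widened={year_accepted(value, YEAR_WIDENED)}")
```

The point of the check is not that the rule should accept obsolete years; as the reply below explains, the rule is a statistical test and keeps its hit rate by not accepting them. It is that a proposed regex change should be run against the header it is meant to fix before it goes into a bug report.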
Re: Plugin Location
Kevin Plested wrote: I'm trying to add a new plugin to Spamassassin, I located my plugin directory on my server: /usr/local/lib/perl5/site_perl/5.8.4/Mail/SpamAssassin/Plugin/ by searching on my server for URIDNSBL.pm. When I put my new plugin into that directory, and call it from init.pre, and run a --lint, I get the following: [11359] warn: plugin: failed to parse plugin (from @INC): Can't locate MAIL/SpamAssassin/Plugin/PDFInfo.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.8.4/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.4 /usr/local/lib/perl5/5.8.4/i386-freebsd /usr/local/lib/perl5/5.8.4 /usr/local/lib/perl5/site_perl/5.8.3/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl/5.8.1/i386-freebsd /usr/local/lib/perl5/site_perl/5.8.1 /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl/5.005 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/vendor_perl/5.8.4/i386-freebsd /usr/local/lib/perl5/vendor_perl/5.8.4 /usr/local/lib/perl5/vendor_perl/5.8.3/i386-freebsd /usr/local/lib/perl5/vendor_perl/5.8.3 /usr/local/lib/perl5/vendor_perl /usr/local/lib/perl5/5.00503 /usr/local/lib/site_perl) at (eval 52) line 1. [11359] warn: plugin: failed to create instance of plugin MAIL::SpamAssassin::Plugin::PDFInfo: Can't locate object method new via package MAIL::SpamAssassin::Plugin::PDFInfo at (eval 53) line 1. What am I doing wrong?

Using a loadplugin line that has MAIL:: rather than Mail::. I wouldn't put third-party/custom plugins in the perl lib directories either (I'd put them in or under your site config directory), but that isn't the cause of your problem. Daryl
Re: Whats wrong with dateformat?
On Wed, Jul 18, 2007 at 04:34:02PM -0400, Michael Scheidell wrote: But, aren't the scores a little high for a valid date? (rfc compliant) Ps, I berated the program manager, letting him know that y2k issues should have been solved 8 years ago ;-) INVALID_DATE 2.303 1.651 1.329 1.245

Not really. Valid versus invalid is kind of irrelevant. If a statistically small (for me: 0) number of ham senders do something, but a statistically high number of spam senders do something, that's a good spam rule. The scores aren't high anyway IMO.

So, easy to change? Should I do a bugzilla? (right after I reformat the multiple meta rule thing and send to bugzilla ;-)

Yes, it's pretty easy to change. You can file a ticket if you want to, but I'll pretty much guarantee it'll be closed as a wontfix. The rule works really well based on the nightly corpus runs, and changing the rule to allow 2 (or 3) digit years is likely going to drive the spam hit rate down precipitously (based on a quick grep of my corpus). With an already relatively small ham hit rate, there's no win there. -- Randomly Selected Tagline: There ought to be limits to freedom. - George W. Bush (Gov. of Texas)
huge auto-whitelist file etc
Hello. Our Linux server is running SpamAssassin version 3.1.5. Backups started dying with 'inactivity timeout'. Dug around and found the following:

drwx------   3 vscan vscan           512 Jul 18 16:28 .
-rw-------   1 vscan vscan 1099983372288 Jul 18 16:28 auto-whitelist
-rw-------   1 vscan vscan    1205862400 Jul 18 16:28 bayes_seen
-rw-------   1 vscan vscan      10846208 Jul 18 16:28 bayes_toks
-rw-------   1 vscan vscan         18240 Jul 18 16:28 bayes_journal
drwxr-x---  12 vscan vscan          1024 Jul 18 12:12 ..
-rw-------   1 vscan vscan       2654208 Jan 26  2005 bayes_toks.expire42066
-rw-------   1 vscan vscan        606208 Mar 30  2004 bayes_toks.expire93303
drwxr-xr-x   2 vscan vscan           512 Jan 28  2004 old
-rw-r--r--   1 vscan vscan          1165 Jan 27  2004 user_prefs

A du -k shows auto-whitelist as being 1747968. Surprisingly, we aren't experiencing any problems other than the backups. Our site handles A LOT of email. After I send this email, I'm going to look into check_whitelist and trim_whitelist (and probably sa-learn re: the bayes files), however, any suggestions would be most appreciated! Our sys admin is on vacation and he's our expert. Thanks in advance for any advice.
Re: huge auto-whitelist file etc
On Wed, Jul 18, 2007 at 09:30:25PM -0300, Tammy George wrote: -rw------- 1 vscan vscan 1099983372288 Jul 18 16:28 auto-whitelist A du -k shows auto-whitelist as being 1747968. Ah, the magic of sparse files. :) After I send this email, I'm going to look into check_whitelist and trim_whitelist (and probably sa-learn re: the bayes files), however, any suggestions would be most appreciated! Our sys admin is on vacation and he's our expert. Removing entries from the DB will likely not decrease the size of the file, it would likely require a remove entries, db_dump, db_load type thing. -- Randomly Selected Tagline: I'll kick your butt up so high you'll look like a hunchback. - Delores Claiborne
Re: huge auto-whitelist file etc
Tammy George wrote: Hello. Our Linux server is running SpamAssassin version 3.1.5. Backups started dying with 'inactivity timeout'. Dug around found the following:

drwx------   3 vscan vscan           512 Jul 18 16:28 .
-rw-------   1 vscan vscan 1099983372288 Jul 18 16:28 auto-whitelist
-rw-------   1 vscan vscan    1205862400 Jul 18 16:28 bayes_seen
-rw-------   1 vscan vscan      10846208 Jul 18 16:28 bayes_toks
-rw-------   1 vscan vscan         18240 Jul 18 16:28 bayes_journal
drwxr-x---  12 vscan vscan          1024 Jul 18 12:12 ..
-rw-------   1 vscan vscan       2654208 Jan 26  2005 bayes_toks.expire42066
-rw-------   1 vscan vscan        606208 Mar 30  2004 bayes_toks.expire93303
drwxr-xr-x   2 vscan vscan           512 Jan 28  2004 old
-rw-r--r--   1 vscan vscan          1165 Jan 27  2004 user_prefs

A du -k shows auto-whitelist as being 1747968. Surprisingly, we aren't experiencing any problems other than the backups. Our site handles A LOT of email. After I send this email, I'm going to look into check_whitelist and trim_whitelist (and probably sa-learn re: the bayes files), however, any suggestions would be most appreciated! Our sys admin is on vacation and he's our expert.

For the auto-whitelist file you need to run this command:

check_whitelist --clean /path/to/auto-whitelist

That said, IMHO, the AWL isn't really ready for production use on large systems unless you're going to run it on SQL and use your own scripts to do expiry.

The bayes_toks and bayes_journal files auto-expire, so you don't need to do anything to them. The bayes_seen file doesn't have any kind of date information, so it can't auto-expire. However, you can remove the file reasonably safely. This file is just a list of all the files that have already been run through sa-learn. The only drawback to deleting it is that it will allow you to re-train a message that you've already learned. So if you maintain a massive directory of files to be relearned but don't clean it out, you might have a minor amount of over-learning (no big deal).

Thanks in advance for any advice.
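The ls versus du discrepancy in the listing above, as an added example (editor-supplied Python, not from the thread): a check that reports apparent versus allocated size for every file in a SpamAssassin per-user directory and flags sparse files, run here against a constructed directory holding a 64 MiB sparse `auto-whitelist` with 4 KiB of real data beside a dense `bayes_toks`. Which files expire on their own is taken from the reply above; the threshold used to call a file sparse is this example's own assumption. A backup tool that does not understand holes reads every byte of the apparent length, zeros included, which is the kind of thing that turns a 1.7 GB file into a multi-hour job.

```python
import os
import tempfile

BLOCK = 512  # st_blocks is always counted in 512-byte units, whatever the filesystem block size


def sizes(path):
    """(apparent, allocated) in bytes: what ls -l reports versus what du reports."""
    st = os.stat(path)
    allocated = getattr(st, "st_blocks", st.st_size // BLOCK) * BLOCK  # st_blocks is Unix-only
    return st.st_size, allocated


def is_sparse(path):
    """Assumed threshold: the filesystem has allocated less than half of the claimed
    length, and the gap is larger than a few blocks of metadata slack."""
    apparent, allocated = sizes(path)
    return apparent > 2 * allocated and apparent - allocated > 64 * 1024


def make_sparse_file(path, apparent_size, payload):
    """Write a little real data, then seek far past it and write one byte.
    The gap becomes a hole: it reads back as zeros but occupies no disk blocks."""
    with open(path, "wb") as fh:
        fh.write(payload)
        fh.seek(apparent_size - 1)
        fh.write(b"\0")


# Per the reply above: bayes_toks and bayes_journal expire on their own,
# bayes_seen and a DB_File auto-whitelist do not.
SELF_EXPIRING = {"bayes_toks", "bayes_journal"}


def audit(directory):
    """Map each regular file to its apparent/allocated sizes, sparse flag and expiry class."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        apparent, allocated = sizes(path)
        report[name] = {
            "apparent": apparent,
            "allocated": allocated,
            "sparse": is_sparse(path),
            "self_expiring": name in SELF_EXPIRING,
        }
    return report


def build_demo_dir():
    """Constructed stand-in for the listing in the post: a sparse auto-whitelist whose
    length is 64 MiB but which holds 4 KiB of data, next to a dense 64 KiB bayes_toks."""
    d = tempfile.mkdtemp(prefix="sa-awl-demo-")
    make_sparse_file(os.path.join(d, "auto-whitelist"), 64 * 1024 * 1024, os.urandom(4096))
    with open(os.path.join(d, "bayes_toks"), "wb") as fh:
        fh.write(os.urandom(64 * 1024))
    return d


if __name__ == "__main__":
    for name, info in audit(build_demo_dir()).items():
        print(f"{name:15s} apparent={info['apparent']:>10d} allocated={info['allocated']:>8d} "
              f"sparse={info['sparse']!s:5s} self_expiring={info['self_expiring']}")
```

Pointed at a real `~vscan/.spamassassin`, the same `audit()` tells you which file the backup is actually choking on and whether shrinking it is a matter of waiting for expiry or of the dump-and-reload the replies describe; the apparent size of a Berkeley DB file does not shrink when records are deleted from it.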
Re: Why my SA sending report to all users?
Hi Jari, Thanks for your response. The scenario is like this: when my user receives email A, at the same time another copy of email A is received by the user. The only difference between these emails is that the 1st email is the original email and the 2nd email is the 1st email (jumbled up/encrypted) plus the X-Spam* headers below, with blank sender and subject. Another problem is my users also receiving emails with blank header, blank sender, blank body. Everything is blank. Any idea on how to solve this? Thanks a lot. Eny

On 7/18/07, Jari Fredriksson [EMAIL PROTECTED] wrote: It does not seem like being sent by SpamAssassin to me. SA does not send messages or reports, it just filters them. It has added the X-Spam* headers, but everything else comes from elsewhere. X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on mail2.singapore-daiichi.com.sg X-Spam-Level: X-Spam-Status: No, score=-1.3 required=5.0 tests=ALL_TRUSTED,AWL autolearn=disabled version=3.1.8

----- Original Message ----- From: Eny Wu [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Wednesday, July 18, 2007 5:22 AM Subject: Why my SA sending report to all users? I have just updated my Spamassassin from 2.4 to 3.1.8. It works great, however all my users have been receiving some emails without any headers with the following info (sample below):

From [EMAIL PROTECTED] [EMAIL PROTECTED] Mon Jul 16 20:09:26 2007
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on mail2.singapore-daiichi.com.sg
X-Spam-Level:
X-Spam-Status: No, score=-1.3 required=5.0 tests=ALL_TRUSTED,AWL autolearn=disabled version=3.1.8
Received: from mail.singapore-daiichi.com.sg (mail3.singapore-daiichi.com.sg [192.168.12.29]) by mail2.singapore-daiichi.com.sg (8.13.6/8.13.6) with ESMTP id l6GC9FdZ014308 for [EMAIL PROTECTED]; Mon, 16 Jul 2007 20:09:25 +0800
Received: from localhost (localhost) by mail.singapore-daiichi.com.sg id l6GCEbhs027137; Mon, 16 Jul 2007 20:14:46 +0800
Date: Mon, 16 Jul 2007 20:14:46 +0800
From: Mail Delivery Subsystem [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary=l6GCEbhs027137.1184588086/mail.singapore-daiichi.com.sg
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--l6GCEbhs027137.1184588086/mail.singapore-daiichi.com.sg

The original message was received at Mon, 16 Jul 2007 20:14:46 +0800 from localhost with id l6GCEbhr027137

Is there any way that I can stop spamassassin sending the above report? I don't want my users to receive this message. Some of my users are also receiving empty/blank emails. My OS is Linux Redhat 9. The Spamassassin version is 3.1.8 and I am using procmail. I updated spamassassin through CPAN. Thanks in advance for your help. Eny -- Thanks and regards, Eny