Re: Performance problem after upgrading from SA 3.2.1 to 3.2.2

2007-08-10 Thread Daryl C. W. O'Shea

[EMAIL PROTECTED] wrote:
I had posted before, but we couldn't figure out what was adding 3+ 
seconds processing time after I upgraded from SA 3.2.1 to 3.2.2.


It's the following plugin.  I have tested loading and commenting out the 
plugin - it's the culprit.  SA 3.2.2 automatically adds several plugins.


3.2.2 adds no new plugins that weren't in 3.2.1 or 3.2.0 for that 
matter.  3.2.0 is the last version to have plugins added to the release.


Daryl


how to upgrade 3.1.7 to higher version

2007-08-10 Thread Sg
Hi

Now I am using SA 3.1.7. How do I update to a higher version? Please help me.

-- 
Sg


RE: how to upgrade 3.1.7 to higher version

2007-08-10 Thread Robert - eLists


Now I am using SA 3.1.7. How do I update to a higher version? Please help me.
-- 
Sg 

 

 

Hi Sg,

 

Um, if you are using CentOS just do this.

Back up your /etc/mail/spamassassin directory and all of its file contents,
mainly for safety and good admin work protection.

Then, if you have not set up your rpm workspace in your main non-root account,
do this:

cd
mkdir -m 755 rpm
cd rpm
mkdir -m 755 BUILD RPMS SOURCES SPECS SRPMS

Then go back to your home directory and create a file called .rpmmacros.
Mine looks something like this for the rtst shell account:

%_topdir /home/rtst/rpm
%packager RTst [EMAIL PROTECTED]

Then go to your rpm directory and get the sources:

cd
cd rpm
wget http://apache.oregonstate.edu/spamassassin/source/Mail-SpamAssassin-3.2.3.tar.gz

then

rpmbuild -tb Mail-SpamAssassin-3.2.3.tar.gz

then (as the super user) go to the RPMS/i386 directory and install:

rpm -Uvh perl-Mail-SpamAssassin-3.2.3-1.i386.rpm spamassassin-3.2.3-1.i386.rpm

and when done make sure to update with

sa-update -D

or if another distro or need other hints check out this page for other info:

http://spamassassin.apache.org/downloads.cgi?update=200708092033

have a good night

 - rh

 



Re: ANNOUNCE: Apache SpamAssassin 3.2.3 available

2007-08-10 Thread Kai Schaetzl
Justin Mason wrote on Thu, 09 Aug 2007 23:45:29 +0100:

 will load an updated, nearby mirror.

Indeed, worked just fine, maybe an hour after your announcement.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Detecting short-TTL domains?

2007-08-10 Thread Jared Hall
Upon examining various URI messages that trolls 
have sent here the last two days (of those that still 
have DNS resolution):

(A) TTL is less than 300 on all but  two 
(2560 and 3600).  
(B) Even 2g00d.mobi is running a TTL of 181.

Would a spamvertized URI from a legit company
be running a TTL that low?  I think not.  Seems like 
a good way to combat Fast-Flux DNS system spam.
Drawbacks include DNS SOA timeouts for bad 
domains.

Where's our prophet John the Botnet when you 
need him?

Ever Pondering,

Jared Hall
General Telecom, LLC.




On Friday 10 August 2007 10:34, clsgis wrote:
 We're seeing URIs in spam whose domains have between
 a dozen and three dozen Address records, with time-to-live TTLs less than
 ten minutes.
 Is there a test for too many Address records?  What's its name?
 Is there a test for too-short TTLs?


Re: required score vs refuse score

2007-08-10 Thread Theo Van Dinter
On Fri, Aug 10, 2007 at 05:05:49PM +0200, Michael Worobcuk wrote:
 So what is the refuse score in the userprefs tables for ?

No idea, there is no such thing in standard SA.

-- 
Randomly Selected Tagline:
do {nothing} while (HearFromMe==0)




Re: Detecting short-TTL domains?

2007-08-10 Thread Dave Mifsud
Amazon and Yahoo use a TTL of 60 sec
Google uses a TTL of 300 sec
CNN had 8 A records and a TTL of 600

dave

On 10/08/07 19:42, clsgis wrote:
 
 Jim Maul wrote:
 Stream Service || Mark Scholten wrote:
 As far as I know it isn't possible to have a TTL that is too low (if I 
 may believe the RFCs). It is also impossible to have too many 
 A records. With both facts in mind I would suggest that you find 
 another method of detecting spam.

 Most SA rules look for spam signs, not RFC violations.  Now whether or 
 not these are good spam signs I do not know...

 -Jim


 
 It seems to me there are two legitimate reasons for short TTL.
 You're running a hobby server on consumer broadband, and using
 something like DynDNS.org for its name service.
 You're planning on moving soon.
 
 In both of those cases, it would be pretty strange to have more than
 two or three A records.
 So one or the other of short-TTL and many-As is legit,
 but together they're good enough spam-sign that a lot of folks
 might use the rule.  I sure would.
 
 Cameron
 

-- 
Dave Mifsud
Systems Engineer
Computing Services Centre
University of Malta

CSC Tel: (+356) 2340 3004  CSC Fax: (+356) 21 343 397



Re: Detecting short-TTL domains?

2007-08-10 Thread Mark Martinec
John,

 Hm.  So, I'm sure I can figure this out eventually, but does anyone know
 the right Net::DNS way to extract the TTL?

I don't think it is possible to obtain the original TTL from DNS responses.

The information received in a reply only indicates the remaining time
this information has before it needs to be refreshed from a source.
If responses come from the cache of a local name server, the resulting
TTL will get smaller with every call answered from the cache. Try and see!

On a first call:
  $ host -v -t a 2g00d.mobi

one gets 1800 seconds:

;; ANSWER SECTION:
2g00d.mobi.   1800   IN   A   220.112.46.131


half an hour later only a few seconds remain:

;; ANSWER SECTION:
2g00d.mobi.   36     IN   A   220.112.46.131

and after expiry, you are up to 1800 s again.

  Mark


Re: Detecting short-TTL domains?

2007-08-10 Thread Ken A

Jim Maul wrote:

Stream Service || Mark Scholten wrote:
As far as I know it isn't possible to have a TTL that is too low (if I 
may believe the RFCs). It is also impossible to have too many 
A records. With both facts in mind I would suggest that you find 
another method of detecting spam.




Most SA rules look for spam signs, not RFC violations.  Now whether or 
not these are good spam signs I do not know...


-Jim



They are good spam signs. Not always spam though, because sometimes a 
domain that is changing IP addresses has turned down a TTL temporarily, 
so you'd want to combine such a test with other factors, but SA is good 
at that! I've noticed some ISPs ignore small TTLs, presumably with an 
intended (or unintended) side-effect that they actually fail to resolve 
a lot of these fast-flux spam domains. For some interesting reading on 
this, see: http://www.honeynet.org/papers/ff/index.html


Ken


--
Ken Anderson
Pacific.Net


Re: Detecting short-TTL domains?

2007-08-10 Thread clsgis


Jim Maul wrote:
 
 Stream Service || Mark Scholten wrote:
 As far as I know it isn't possible to have a TTL that is too low (if I 
 may believe the RFCs). It is also impossible to have too many 
 A records. With both facts in mind I would suggest that you find 
 another method of detecting spam.
 
 
 Most SA rules look for spam signs, not RFC violations.  Now whether or 
 not these are good spam signs I do not know...
 
 -Jim
 
 

It seems to me there are two legitimate reasons for short TTL.
You're running a hobby server on consumer broadband, and using
something like DynDNS.org for its name service.
You're planning on moving soon.

In both of those cases, it would be pretty strange to have more than
two or three A records.
So one or the other of short-TTL and many-As is legit,
but together they're good enough spam-sign that a lot of folks
might use the rule.  I sure would.

Cameron

-- 
View this message in context: 
http://www.nabble.com/Detecting-short-TTL-domains--tf4249063.html#a12095972
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: FW: Performance problem after upgrading from SA 3.2.1 to 3.2.2

2007-08-10 Thread Mark Martinec
Donald,

 I had posted before, but we couldn't figure out what was adding 3+
 seconds processing time after I upgraded from SA 3.2.1 to 3.2.2.

One reason for slowness is a missing call to {async}->set_response_packet
in Plugin::ASN, which leads SpamAssassin to think the request never arrived,
so it waits until timeout, even though the response does arrive (quite fast
usually).

See
  http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5589

If you care to try out the fix (which is rather extensive), you may
apply to 3.2.3 (or 3.2.2) the patch attached to that bug entry.

  Mark


Re: required score vs refuse score

2007-08-10 Thread SM

At 08:05 10-08-2007, Michael Worobcuk wrote:

So what is the refuse score in the userprefs tables for ?


There is no refuse score in the userpref table.  See 
http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadme


Regards,
-sm 



Re: Performance problem after upgrading from SA 3.2.1 to 3.2.2

2007-08-10 Thread Kai Schaetzl
Daryl C. W. O'Shea wrote on Fri, 10 Aug 2007 02:20:23 -0400:

 3.2.2 adds no new plugins that weren't in 3.2.1 or 3.2.0 for that 
 matter.  3.2.0 is the last version to have plugins added to the release.

Looking at the documentation I wonder if it was a good idea at all to add 
this plugin to the official distribution. Reading between the lines it's 
clear that the services of routeview.org might be overwhelmed by 
widespread use of it (although John Heasley says otherwise, I think he 
doesn't know how much this could be in the end ...).
At least the concern that is mentioned in the documentation should have 
been expressed in the loadplugin comment as well, like "use this plugin 
only if you are a small site!" or something like this. As we all know 
documentation is often only read once a problem occurs and uncommenting is 
so easy ...

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





fdf spam

2007-08-10 Thread Mike Cisar
Has anyone else been seeing the empty-body PDF spam, but with a .fdf file
extension.  Had a whole pile in my inbox here this morning.  

Cheers,
 Mike 



Detecting short-TTL domains?

2007-08-10 Thread clsgis

We're seeing URIs in spam whose domains have between
a dozen and three dozen Address records, with time-to-live TTLs less than
ten minutes.
Is there a test for too many Address records?  What's its name?
Is there a test for too-short TTLs?

-- 
View this message in context: 
http://www.nabble.com/Detecting-short-TTL-domains--tf4249063.html#a12092425
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Detecting short-TTL domains?

2007-08-10 Thread Dallas Engelken

John Rudd wrote:


I'm a prophet now!?

:-)

Hm.  So, I'm sure I can figure this out eventually, but does anyone 
know the right Net::DNS way to extract the TTL?




Net::DNS::RR has a ttl() function.

# perl ttl_test
Lookup: A www.uribl.com
www.uribl.com 591 IN A 209.200.135.149



use strict;
use warnings;
use Net::DNS;

my $res = Net::DNS::Resolver->new;
lookup('www.uribl.com', 'A');
exit;

sub lookup {
  my ($host, $rr) = @_;
  print "Lookup: $rr $host\n";

  my $packet = $res->send($host, $rr);
  return unless $packet;

  my $header = $packet->header;
  return if ($header->rcode =~ m/NXDOMAIN|SERVFAIL|REFUSED/i);

  my @answer = $packet->answer;
  foreach $a (@answer) {
    my $type = $a->type;
    my $ttl  = $a->ttl;   # ttl as seen in this answer (a cached remainder if answered from cache)
    if ($type eq 'A') {
      print "$host $ttl IN $type ", $a->address, "\n";
    }
    # support other rr types below...
  }
}


Note that Net::DNS returns the ttl from the answer record, which means 
if you have a caching nameserver, your ttl may be lower than the value 
returned from the authoritative nameservers.  Pulling a ttl from an SOA 
wont work either, as ttl can be set per RR.   The only proper way to do 
this is to perform a lookup, set the $res-nameservers() to those from 
the $packet-authority and re-run the query.  That will give you 
authoritative results, and the ttl will be the proper one. 


Something like this...

my @authority = $packet->authority;

if (scalar @authority) {
  my @ns = ();  # reset nameservers...
  foreach my $auth (@authority) {
    my $type = $auth->type;
    my $s = $auth->rdatastr;
    if ($type =~ m/ns/i) {
      $s =~ s/\.$//;        # strip the trailing dot from the NS name
      push(@ns, $s);
    }
  }
  $res->nameservers(@ns);  # re-run the query against these for the authoritative ttl
}

Pulling authoritative results can be quite slow, so you may want to 
alarm it to prevent timeouts from hanging you up.


--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com
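The two points made in this thread (Cameron's "short TTL and many A records together" rule, and Mark Martinec's and Dallas's caveat that a TTL read through a caching resolver is only the remaining lifetime) can be checked offline against dig-style output. The following is an added example of my own, not code from the thread or from SpamAssassin or Botnet.cf: it parses the ANSWER SECTION layout shown above, applies the heuristic with Cameron's thresholds (TTL under ten minutes, more than three A records), and models the cache countdown Mark observed. The names, addresses and observations are constructed (reserved example zones, documentation address ranges); the thresholds are assumptions taken from the posts.

```python
import re

# Constructed samples in the "name TTL class type rdata" layout that dig/host print.
# Names use reserved example zones and documentation address ranges (not real domains).
ANSWER_HEADER = ";; ANSWER SECTION:\n"
SAMPLE_FLUX = ANSWER_HEADER + "".join(
    f"flux.example.\t181\tIN\tA\t192.0.2.{i}\n" for i in range(10, 22)   # 12 A records, TTL 181
)
SAMPLE_DYNDNS = ANSWER_HEADER + "home.example.\t60\tIN\tA\t198.51.100.7\n"  # 1 A record, TTL 60
SAMPLE_CDN = ANSWER_HEADER + "".join(
    f"www.example.\t600\tIN\tA\t203.0.113.{i}\n" for i in range(1, 9)     # 8 A records, TTL 600
)

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+([A-Z]+)\s+(\S.*?)\s*$")


def parse_answer_section(text):
    """Return (name, ttl, class, type, rdata) tuples from a dig-style ANSWER SECTION."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False          # another section header, or the blank line ending one
            continue
        if in_answer:
            m = RR_LINE.match(line)
            if m:
                name, ttl, rclass, rtype, rdata = m.groups()
                records.append((name, int(ttl), rclass, rtype, rdata))
    return records


def flux_signals(records, max_ttl=600, max_a=3):
    """Cameron's rule: a short TTL or many A records is legitimate on its own
    (DynDNS hobby hosts, pending moves, CDNs); the two together are the spam sign.
    Thresholds are assumptions taken from the thread (ten minutes, two or three A records)."""
    a_records = [r for r in records if r[3] == "A"]
    if not a_records:
        return {"a_count": 0, "min_ttl": None, "short_ttl": False, "many_a": False, "suspect": False}
    min_ttl = min(r[1] for r in a_records)
    short_ttl = min_ttl < max_ttl
    many_a = len(a_records) > max_a
    return {"a_count": len(a_records), "min_ttl": min_ttl,
            "short_ttl": short_ttl, "many_a": many_a, "suspect": short_ttl and many_a}


def ttl_profile(observations, tolerance=1):
    """Mark's caveat: through a caching resolver the TTL is the *remaining* lifetime,
    so it counts down between queries and jumps back when the cache refetches.
    Given (seconds_since_first_query, ttl) pairs, return (lower bound on the zone
    TTL, whether a cache countdown was seen). The largest value seen is only a
    lower bound, because remaining <= original; an authoritative query (Dallas's
    approach of asking the NS records from the authority section) removes the doubt."""
    countdown = False
    for (t0, ttl0), (t1, ttl1) in zip(observations, observations[1:]):
        if ttl1 < ttl0 and abs((ttl0 - ttl1) - (t1 - t0)) <= tolerance:
            countdown = True
    return max(ttl for _, ttl in observations), countdown


def evaluate(text):
    """Parse one answer section and apply the heuristic."""
    return flux_signals(parse_answer_section(text))


if __name__ == "__main__":
    for label, sample in (("flux", SAMPLE_FLUX), ("dyndns", SAMPLE_DYNDNS), ("cdn", SAMPLE_CDN)):
        print(label, evaluate(sample))
    # Mark's 2g00d.mobi observations: 1800 s, then 36 s half an hour later, then 1800 s again.
    print("ttl profile", ttl_profile([(0, 1800), (1764, 36), (1800, 1800)]))
```

Only the flux sample trips the combined rule; the DynDNS and CDN samples each trigger one signal but not both, which is the point of combining them. The countdown check shows why a single cached answer cannot be used as the zone's TTL: a rule that scored on the 36-second reading would fire on a domain whose real TTL is 1800.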



Re: Detecting short-TTL domains?

2007-08-10 Thread Jared Hall
Great overview on DNS and Net::DNS.   While there is a 
difference between RR and zone TTL times, my 
observation was based upon Zone SOA TTL records of 
recent spamvertized URIs in Emails.  

There is nothing wrong with using URI BLs.  But most
URI BLs are simply triggered from  a problem that 
somebody else already had.  It still seems to me that
the problems presented by Fast-Flux systems can be
mitigated by some coding relevant to current statistical 
norms.

While I have no doubt that Dallas is technically accurate,
I'm wondering if there is a Net::DNS function that can be 
used to extract zone SOA TTL: values (at least until 
Joe Spammer starts tweaking individual RRs)?


Jared Hall
General Telecom, LLC.





On Friday 10 August 2007 13:59, Dallas Engelken wrote:
 John Rudd wrote:
  I'm a prophet now!?
 
  :-)
 
  Hm.  So, I'm sure I can figure this out eventually, but does anyone
  know the right Net::DNS way to extract the TTL?

 Net::DNS::RR has a ttl() function.

 # perl ttl_test
 Lookup: A www.uribl.com
 www.uribl.com 591 IN A 209.200.135.149

 

 use strict;
 use warnings;
 use Net::DNS;

 my $res = Net::DNS::Resolver->new;
 lookup('www.uribl.com', 'A');
 exit;

 sub lookup {
   my ($host, $rr) = @_;
   print "Lookup: $rr $host\n";

   my $packet = $res->send($host, $rr);
   return unless $packet;

   my $header = $packet->header;
   return if ($header->rcode =~ m/NXDOMAIN|SERVFAIL|REFUSED/i);

   my @answer = $packet->answer;
   foreach $a (@answer) {
     my $type = $a->type;
     my $ttl  = $a->ttl;   # ttl as seen in this answer (a cached remainder if answered from cache)
     if ($type eq 'A') {
       print "$host $ttl IN $type ", $a->address, "\n";
     }
     # support other rr types below...
   }
 }


 Note that Net::DNS returns the ttl from the answer record, which means
 if you have a caching nameserver, your ttl may be lower than the value
 returned from the authoritative nameservers.  Pulling a ttl from an SOA
 wont work either, as ttl can be set per RR.   The only proper way to do
 this is to perform a lookup, set the $res-nameservers() to those from
 the $packet-authority and re-run the query.  That will give you
 authoritative results, and the ttl will be the proper one.

 Something like this...

  my @authority = $packet->authority;

  if (scalar @authority) {
    my @ns = ();  # reset nameservers...
    foreach my $auth (@authority) {
      my $type = $auth->type;
      my $s = $auth->rdatastr;
      if ($type =~ m/ns/i) {
        $s =~ s/\.$//;        # strip the trailing dot from the NS name
        push(@ns, $s);
      }
    }
    $res->nameservers(@ns);  # re-run the query against these for the authoritative ttl
  }

 Pulling authoritative results can be quite slow, so you may want to
 alarm it to prevent timeouts from hanging you up.


Re: sa-update / sa-compile

2007-08-10 Thread jp
It's been discussed somewhat. Here is a simple implementation.

install re2c

cat /etc/sa-update.channels 
updates.spamassassin.org

in /etc/mail/spamassassin/v320.pre uncomment 
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody

then have a script for starting spamd:
#!/bin/bash
sa-update --nogpg --channelfile /etc/sa-update.channels
sa-compile
stop and start spamd with your normal options

On Thu, Aug 09, 2007 at 12:03:48PM -0600, Reg Clemens wrote:
 Is there a complete discussion of using sa-update and sa-compile
 (and whatever else is necessary) somewhere.  This looks like the
 way to go, but I would need either
 (a) a working script to do the dirty work
 (b) a description of HOW do do it.
 
 
 -- 
 Reg.Clemens
 [EMAIL PROTECTED]
 

-- 
/*
Jason Philbrook   |   Midcoast Internet Solutions - Wireless and DSL
KB1IOJ|   Broadband Internet Access, Dialup, and Hosting 
 http://f64.nu/   |   for Midcoast Mainehttp://www.midcoast.com/
*/


Re: Detecting short-TTL domains?

2007-08-10 Thread Leonardo Rodrigues Magalhães



Stream Service || Mark Scholten wrote:
As far as I know it isn't possible to have a TTL that is too low (if I 
may believe the RFCs). It is also impossible to have too many 
A records. With both facts in mind I would suggest that you find 
another method of detecting spam.


   Never heard of a minimum TTL specified by RFCs.

   Anyway, checking TTL would require that you always check the domain's NSs 
and not your DNS cache server. That would throw away all the traffic savings 
from DNS caching, so it is not a good idea.


   The fact that real domains use low TTLs also makes this check a bad 
idea. Some applications, like dynamic DNS stuff, HAVE to use low TTLs.


--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email
[EMAIL PROTECTED]
My SPAMTRAP, do not email it








Re: Detecting short-TTL domains?

2007-08-10 Thread John Rudd


I'm a prophet now!?

:-)

Hm.  So, I'm sure I can figure this out eventually, but does anyone know 
the right Net::DNS way to extract the TTL?


I could probably set it up as a value in Botnet.cf, where the default is 
0 (disabled), but other values will trigger some rule's score if its 
less than the number that was set.


And, it shouldn't be too hard for me to write a test for number of A 
records returned by a domain.


I probably wont make them part of the BOTNET rule, but make them 
separate BOTNET_* rules (BOTNET_TTL and BOTNET_NUM_ARECS ?).




Jared Hall wrote:
Upon examining various URI messages that trolls 
have sent here the last two days (of those that still 
have DNS resolution):


(A) TTL is less than 300 on all but  two 
(2560 and 3600).  
(B) Even 2g00d.mobi is running a TTL of 181.


Would a spamvertized URI from a legit company
be running a TTL that low?  I think not.  Seems like 
a good way to combat Fast-Flux DNS system spam.
Drawbacks include DNS SOA timeouts for bad 
domains.


Where's our prophet John the Botnet when you 
need him?


Ever Pondering,

Jared Hall
General Telecom, LLC.




On Friday 10 August 2007 10:34, clsgis wrote:

We're seeing URIs in spam whose domains have between
a dozen and three dozen Address records, with time-to-live TTLs less than
ten minutes.
Is there a test for too many Address records?  What's its name?
Is there a test for too-short TTLs?


Re: Gocr gives an error while it is trying to read a pic sometimes

2007-08-10 Thread Nix
On 8 Aug 2007, Halid Faith said:

 I use spamassassin3.1.7, fuzzyocr, gocr0.44 ( Before I used gocr 0.41 and
 0.43 )

 Gocr gives an error while it is trying to read a picture sometimes as below;

 1 - gocr -l 180 -d 2 -i italic.gif
 giftopnm: Reading Image Sequence 0
 giftopnm: EOF or error reading data portion of 59 byte DataBlock from file
 (null): Error reading magic number from Netpbm image stream.  Most often,
 this means your input file is empty.


 2 - On another picture,
 giftopnm: Reading Image Sequence 0
 # Warning: non-positive median line gap of 0


 How can I fix above errors ?

This error probably means the picture is corrupted. That's OK: fuzzyocr
penalizes corrupt images. :)


Re: SPAMD Mysql non standard Port

2007-08-10 Thread Erik Wasser
On Friday 10 August 2007 14:44, Per Jessen wrote:

 When you specify host=localhost to a mysql client, it will always try
 to use the socket interface instead.  I think that is probably what
 is happening.

Specifying '127.0.0.1' instead of 'localhost' will prevent this. 
With '127.0.0.1' a TCP/IP connection will be used.

-- 
So long... Fuzz


RE: Performance problem after upgrading from SA 3.2.1 to 3.2.2

2007-08-10 Thread donald.dawson
I'm posting a correction to my earlier post:

When I installed SA 3.2.2 from the package from spamassassin.org, it did
not add any plugins or uncomment any plugins.

On this one MX box I used the tarball from the mailscanner.info site
that had clamav and spamassassin 3.2.2 - I'm wondering if that process
may have added the plugin. That process may have appended these plugins.

loadplugin Mail::SpamAssassin::Plugin::RelayCountry

loadplugin Mail::SpamAssassin::Plugin::SPF

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

loadplugin Mail::SpamAssassin::Plugin::ASN

Each added plugin should be reviewed and tested to see if processing
time is affected (logging options in MailScanner that show time per
message when processing new batches).

It's sometimes difficult to determine if a plugin is necessary and all
of the ramifications of adding it.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 09, 2007 7:10 PM
To: users@spamassassin.apache.org
Subject: FW: Performance problem after upgrading from SA 3.2.1
to 3.2.2



I had posted before, but we couldn't figure out what was adding
3+ seconds processing time after I upgraded from SA 3.2.1 to 3.2.2.

It's the following plugin.  I have tested loading and commenting
out the plugin - it's the culprit.  SA 3.2.2 automatically adds several
plugins.

# ASN - Look up the Autonomous System Number of the connecting IP
# and create a header containing ASN data for bayes tokenization.
# See plugin's POD docs for usage info.
#
#loadplugin Mail::SpamAssassin::Plugin::ASN

more info. here:
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_ASN.html

Donald 

Donald Dawson 
Security Administrator 
Baker Botts L.L.P. 
713-229-2183 



Re: SPAMD Mysql non standard Port

2007-08-10 Thread Per Jessen
Jordi wrote:

 Aug 10 10:30:54  spamd[25901]: config: failed to load user (jordi)
 scores from SQL database: config: SQL error: Can't connect to local
 MySQL server through socket '/tmp/mysql.sock' (2)
 Aug 10 10:30:54  spamd[25901]: spamd: service unavailable: Error
 fetching user preferences via SQL at /usr/bin/spamd line 1995, GEN23
 line 2.
 
 Mysql is running on port 3308 and using /tmp/mysql2.sock and NOT the
 /tmp/mysql.sock

When you specify host=localhost to a mysql client, it will always try to
use the socket interface instead.  I think that is probably what is
happening.


/Per Jessen, Zürich



Re: SPAMD Mysql non standard Port

2007-08-10 Thread Jordi


alexw wrote:
 
 Jordi wrote on 10.08.2007 11:01:
 
 I try to use the 3308 because I have another mysql in 3306 and the
 SPAMD
 don't take the information of the local.cf file
 
 user_scores_dsn   DBI:mysql:spamassassin:localhost:3308
 
 
 Mysql is running on port 3308 and using /tmp/mysql2.sock and NOT the
 /tmp/mysql.sock
 
 You might want to try a different dsn string:
 - for port 3308:
 DBI:mysql:spamassassin;host=localhost:3308
 or
 DBI:mysql:spamassassin;host=localhost;port=3308
 
 (beware : and ; difference)
 
 or for the socket:
 DBI:mysql:spamassassin;mysql_socket=/tmp/mysql2.sock
 

  YES!!! It's working only by changing the : for ; and in my case I use the
mysql_socket specification.


Thanks,
Jordi

-- 
View this message in context: 
http://www.nabble.com/SPAMD---Mysql---non-standard-Port-tf4247476.html#a12088564
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: SPAMD Mysql non standard Port

2007-08-10 Thread Alex Woick

Jordi wrote on 10.08.2007 11:01:


I try to use the 3308 because I have another mysql in 3306 and the SPAMD
don't take the information of the local.cf file

user_scores_dsn   DBI:mysql:spamassassin:localhost:3308


Mysql is running on port 3308 and using /tmp/mysql2.sock and NOT the
/tmp/mysql.sock


You might want to try a different dsn string:
- for port 3308:
DBI:mysql:spamassassin;host=localhost:3308
or
DBI:mysql:spamassassin;host=localhost;port=3308

(beware : and ; difference)

or for the socket:
DBI:mysql:spamassassin;mysql_socket=/tmp/mysql2.sock

Keep in mind that either the port or the socket is used by a mysql 
client, but not both.


As a last resort, if all that is not working, modify the .my.cnf file 
for the user spamassassin or spamd is running under and make these entries:


[client]
host=localhost
port=3308

or
[client]
socket=/tmp/mysql2.sock

or if you don't want to use the default .my.cnf file, give an explicit 
filename in the dsn string:


DBI:mysql:spamassassin;mysql_read_default_file=/etc/mail/spamassassin/.my.cnf
and put the options into /etc/mail/spamassassin/.my.cnf.


RE: a small explanation on rule FORGED_RCVD_HELO

2007-08-10 Thread Sasori_no_Suna

Ah ok, thank you for your answer :handshake:

Klas Nyström wrote:
 
 My guess is that it's when your mailserver receives a mail via SMTP and the
 sender identifies itself as the receiving mailserver, or perhaps if it
 identifies as a host without reverse lookup. I haven't really looked into
 it but can anyone confirm this?
 
 /KN 
 
 -Original Message-
 From: Sasori_no_Suna [mailto:[EMAIL PROTECTED] 
 Sent: den 10 augusti 2007 10:10
 To: users@spamassassin.apache.org
 Subject: a small explanation on rule FORGED_RCVD_HELO
 
 
 Hello all, I just want to know about this rule FORGED_RCVD_HELO: what does
 it mean? And why do I always have it in the SpamAssassin result? I just
 need an explanation. Thanks.
 
 ps:excuse me for my bad english:-/
 --
 View this message in context:
 http://www.nabble.com/a-small-explanation-on-rule-FORGED_RCVD_HELO-tf4247254.html#a12087088
 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
 
 
 

-- 
View this message in context: 
http://www.nabble.com/a-small-explanation-on-rule-FORGED_RCVD_HELO-tf4247254.html#a12087639
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



RE: Detecting short-TTL domains?

2007-08-10 Thread Thomas Raef
 



From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Fri 8/10/2007 12:27 PM
To: Jared Hall
Cc: users@spamassassin.apache.org
Subject: Re: Detecting short-TTL domains?




I'm a prophet now!?

:-)

Hm.  So, I'm sure I can figure this out eventually, but does anyone know
the right Net::DNS way to extract the TTL?

I could probably set it up as a value in Botnet.cf, where the default is
0 (disabled), but other values will trigger some rule's score if its
less than the number that was set.

And, it shouldn't be too hard for me to write a test for number of A
records returned by a domain.

I probably wont make them part of the BOTNET rule, but make them
separate BOTNET_* rules (BOTNET_TTL and BOTNET_NUM_ARECS ?).



Jared Hall wrote:
 Upon examining various URI messages that trolls
 have sent here the last two days (of those that still
 have DNS resolution):

 (A) TTL is less than 300 on all but  two
 (2560 and 3600). 
 (B) Even 2g00d.mobi is running a TTL of 181.

 Would a spamvertized URI from a legit company
 be running a TTL that low?  I think not.  Seems like
 a good way to combat Fast-Flux DNS system spam.
 Drawbacks include DNS SOA timeouts for bad
 domains.

 Where's our prophet John the Botnet when you
 need him?

 Ever Pondering,

 Jared Hall
 General Telecom, LLC.




 On Friday 10 August 2007 10:34, clsgis wrote:
 We're seeing URIs in spam whose domains have between
 a dozen and three dozen Address records, with time-to-live TTLs less than
 ten minutes.
 Is there a test for too many Address records?  What's its name?
 Is there a test for too-short TTLs?


Oh mighty one (sorry I don't have an emoticon that bows) :)

I don't know how effective these tests will be, as part of the fast-flux scheme is 
constantly changing DNS records. There's no test for that. How many A records 
will be too many? I guess with careful scoring it could be another tool to use 
to increase the score of these emails.

I've been working on a program that starts checking all the new domains on a 
constant basis to see if they're changing. This will produce a blacklist, and 
that might be the way to check this as a dnsbl.

Any ideas are welcome. (like, forget about computers and go to the beach, go 
play hockey, go fishing...)

 



Re: Detecting short-TTL domains?

2007-08-10 Thread Stream Service || Mark Scholten
As far as I know it isn't possible to have a TTL that is too low (if I may 
believe the RFCs). It is also impossible to have too many A records. 
With both facts in mind I would suggest that you find another method of 
detecting spam.


With kind regards,

Mark Scholten
Stream Service
Web: http://www.streamservice.nl/
E-mail: [EMAIL PROTECTED]
NOC: http://www.mynoc.eu/
NOC e-mail: [EMAIL PROTECTED]
Tel.: +31 (0)642 40 86 02
Fax: +31 (0)20 20 101 57
KVK: 08141074
BTW: NL104278274B01
- Original Message - 
From: clsgis [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Friday, August 10, 2007 4:34 PM
Subject: Detecting short-TTL domains?




We're seeing URIs in spam whose domains have between
a dozen and three dozen Address records, with time-to-live TTLs less than
ten minutes.
Is there a test for too many Address records?  What's its name?
Is there a test for too-short TTLs?

--
View this message in context: 
http://www.nabble.com/Detecting-short-TTL-domains--tf4249063.html#a12092425

Sent from the SpamAssassin - Users mailing list archive at Nabble.com.






Re: Detecting short-TTL domains?

2007-08-10 Thread Dallas Engelken

Jared Hall wrote:
Great overview on DNS and Net::DNS.   While there is a 
difference between RR and zone TTL times, my 
observation was based upon Zone SOA TTL records of 
recent spamvertized URIs in Emails.  

  


Well then that is even simpler...  using the same code below..

lookup('uribl.com', 'SOA');

and add support for SOA type in the lookup() sub.


    # support other rr types below...
    if ($type eq 'SOA') {
      print "$host $ttl IN $type ", $a->minimum, "\n";
    }

above, the $ttl would still be the ttl on the SOA answer record (possibly cached), 
and $a->minimum would be the ttl found in the SOA.

from the docs,
minimum() Returns the minimum (default) TTL for records in this zone.






There is nothing wrong with using URI BLs.  But most
URI BLs are simply triggered from  a problem that 
somebody else already had.  It still seems to me that

the problems presented by Fast-Flux systems can be
mitigated by some coding relevant to current statistical 
norms.


While I have no doubt that Dallas is technically accurate,
I'm wondering if there is a Net::DNS function that can be 
used to extract zone SOA TTL: values (at least until 
Joe Spammer starts tweaking individual RRs)?



Jared Hall
General Telecom, LLC.





On Friday 10 August 2007 13:59, Dallas Engelken wrote:
  

John Rudd wrote:


I'm a prophet now!?

:-)

Hm.  So, I'm sure I can figure this out eventually, but does anyone
know the right Net::DNS way to extract the TTL?
  

Net::DNS::RR has a ttl() function.

# perl ttl_test
Lookup: A www.uribl.com
www.uribl.com 591 IN A 209.200.135.149



use strict;
use warnings;
use Net::DNS;

my $res = Net::DNS::Resolver->new;
lookup('www.uribl.com', 'A');
exit;

sub lookup {
  my ($host, $rr) = @_;
  print "Lookup: $rr $host\n";

  my $packet = $res->send($host, $rr);
  return unless $packet;

  my $header = $packet->header;
  return if ($header->rcode =~ m/NXDOMAIN|SERVFAIL|REFUSED/i);

  my @answer = $packet->answer;
  foreach $a (@answer) {
    my $type = $a->type;
    my $ttl  = $a->ttl;   # ttl as seen in this answer (a cached remainder if answered from cache)
    if ($type eq 'A') {
      print "$host $ttl IN $type ", $a->address, "\n";
    }
    # support other rr types below...
  }
}


Note that Net::DNS returns the ttl from the answer record, which means
if you have a caching nameserver, your ttl may be lower than the value
returned from the authoritative nameservers.  Pulling a ttl from an SOA
wont work either, as ttl can be set per RR.   The only proper way to do
this is to perform a lookup, set the $res-nameservers() to those from
the $packet-authority and re-run the query.  That will give you
authoritative results, and the ttl will be the proper one.

Something like this...

 my @authority = $packet->authority;

 if (scalar @authority) {
   my @ns = ();  # reset nameservers...
   foreach my $auth (@authority) {
     my $type = $auth->type;
     my $s = $auth->rdatastr;
     if ($type =~ m/ns/i) {
       $s =~ s/\.$//;        # strip the trailing dot from the NS name
       push(@ns, $s);
     }
   }
   $res->nameservers(@ns);  # re-run the query against these for the authoritative ttl
 }

Pulling authoritative results can be quite slow, so you may want to
alarm it to prevent timeouts from hanging you up.




--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



a small explanation on rule FORGED_RCVD_HELO

2007-08-10 Thread Sasori_no_Suna

hello all, I just want to know about this rule FORGED_RCVD_HELO: what does it
mean? And on the result of spamassassin, why do I always have it? I just
need an explanation, thanks
-- 
View this message in context: 
http://www.nabble.com/a-small-explanation-on-rule-FORGED_RCVD_HELO-tf4247254.html#a12087088
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



how to upgrade 3.1.7 to 3.2.x

2007-08-10 Thread Sg
Hi

 How to upgrade 3.1.7 to 3.2.x. Please help me.
-- 
Sg


RE: a small explanation on rule FORGED_RCVD_HELO

2007-08-10 Thread Klas Nyström
My guess is that it's when your mailserver receives a mail via SMTP and the 
sender identifies itself as the receiving mailserver, or perhaps if it 
identifies as a host without reverse lookup. I haven't really looked into it, but 
can anyone confirm this?

/KN 

-Original Message-
From: Sasori_no_Suna [mailto:[EMAIL PROTECTED] 
Sent: 10 August 2007 10:10
To: users@spamassassin.apache.org
Subject: a small explanation on rule FORGED_RCVD_HELO


hello all, I just want to know about this rule FORGED_RCVD_HELO: what does it 
mean? And on the result of spamassassin, why do I always have it? I just 
need an explanation, thanks

PS: excuse me for my bad English :-/
--



MS outlook can't read parsed email... HELP!!

2007-08-10 Thread lynk

I'm totally confused re this spamassassin thingy... I can't seem to get MS
Outlook to read the email I received (spam/ham) after spamassassin (3.1.9)
scanned the message. 
It seems that I had set everything up correctly because I managed to run the
assassin test (spamassassin -D -t sample-spam.txt >out.eml) correctly using
the text file that comes with spamassassin. When I tried it on Exchange
however (after installing ESA Sink), I could not get the scanned email to
be read by MS Outlook/OE. Somehow the email header tags could not be
recognized; I get blank sender, receiver and subjects. Is it my
configuration of the SpamAssassin local.cf or is it something else? 

Any sort of help on this matter will be greatly appreciated. Thank you so
much...
 
best regards,
 
SpamAssassin Newbie
-- 



SPAMD Mysql non standard Port

2007-08-10 Thread Jordi

Hi, 

Is anybody using SPAMASSASSIN with MYSQL to store scores, AWL or Bayes
information on a different port than the standard one, 3306?

I am trying to use 3308 because I have another mysql on 3306, and SPAMD
doesn't take the information from the local.cf file

user_scores_dsn   DBI:mysql:spamassassin:localhost:3308

  That is the message:

Aug 10 10:30:54  spamd[25901]: config: failed to load user (jordi)
scores from SQL database: config: SQL error: Can't connect to local MySQL
server through socket '/tmp/mysql.sock' (2) 
Aug 10 10:30:54  spamd[25901]: spamd: service unavailable: Error
fetching user preferences via SQL at /usr/bin/spamd line 1995, GEN23 line
2.

Mysql is running on port 3308 and using /tmp/mysql2.sock and NOT
/tmp/mysql.sock

I tried with spamassassin 3.2.0, 3.2.1 and now with 3.2.3

Thanks,
-- 



RE: a small explanation on rule FORGED_RCVD_HELO

2007-08-10 Thread Sasori_no_Suna

more explanation please
:confused:

Sasori_no_Suna wrote:
 
 ah ok thank you for your answer :handshake:
 
 Klas Nyström wrote:
 
 My guess is that it's when your mailserver receives a mail via SMTP and
 the sender identifies itself as the receiving mailserver, or perhaps if it
 identifies as a host without reverse lookup. I haven't really looked into
 it, but can anyone confirm this?
 
 /KN 
 
 -Original Message-
 From: Sasori_no_Suna [mailto:[EMAIL PROTECTED] 
 Sent: 10 August 2007 10:10
 To: users@spamassassin.apache.org
 Subject: a small explanation on rule FORGED_RCVD_HELO
 
 
 hello all, I just want to know about this rule FORGED_RCVD_HELO: what
 does it mean? And on the result of spamassassin, why do I always have it?
 I just need an explanation, thanks 
 
 PS: excuse me for my bad English :-/
 --
 
 
 
 
 

-- 



Mail server hosted by Comcast

2007-08-10 Thread Igor Chudov
I am considering a local deal related to hosting by Comcast cable
(8 Mbps down, 1 Mbps up).

I am concerned, however, with me sending email and being on a Comcast IP
range, due to the bad rap that Comcast has due to spamming by Comcast
hosted zombies. 

Do you think that my mailserver will have issues if I host it on
the Comcast network?

That would be a static IP and, hopefully, I can get Comcast to reverse
resolve it to a hostname on one of my domains.

i


Re: Mail server hosted by Comcast

2007-08-10 Thread Jerry Durand

At 01:28 PM 8/10/2007, Igor Chudov wrote:

I am considering a local deal related to hosting by Comcast cable
(8 Mbps down, 1 Mbps up).

I am concerned, however, with me sending email and being on a Comcast IP
range, due to the bad rap that Comcast has due to spamming by Comcast
hosted zombies.

Do you think that my mailserver will have issues if I host it on
the Comcast network?

That would be a static IP and, hopefully, I can get Comcast to reverse
resolve it to a hostname on one of my domains.

i


We're on a dynamic Verizon business DSL and use the Verizon server 
(with AUTH) and haven't had much trouble.  The main thing is, SEND 
THROUGH A FIXED SERVER.  In your case, you might want to use the 
server from whoever hosts your DDNS.



--
Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
tel: +1 408 356-3886, USA toll free: 1 866 356-3886
Skype:  jerrydurand



Re: Detecting short-TTL domains?

2007-08-10 Thread Leonardo Rodrigues Magalhães


John D. Hardin wrote:

On Fri, 10 Aug 2007, Leonardo Rodrigues Magalhães wrote:

  

Anyway, checking TTL would require that you always check
domain NSs and not your DNS cache server. That would trash all the
DNS cache traffic save, thus not making it a good idea.



_always_? Not necessarily. That data could be maintained in a local
cache after querying the authoritative server directly. Of course,
that assumes the same short-TTL domain will be sending a lot of spams
to you...
  


   Well, at least that would probably require some coding in the 
DNS cache server code. As far as I know, the original TTL is never kept, 
so that information would need to be stored and some new query would 
have to be created to allow you to check the original TTL, not the 
'remaining' one.


   Seems not trivial, although it could be done for sure.

--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email
[EMAIL PROTECTED]
My SPAMTRAP, do not email it








Re: Detecting short-TTL domains?

2007-08-10 Thread Jim Maul

Stream Service || Mark Scholten wrote:
As far as I know it isn't possible to have a TTL that is too low (if I 
may believe the RFC files). It is also impossible to have too many 
A-records. With both facts in mind I would suggest that you find 
another method of detecting SPAM.




Most SA rules look for spam signs, not RFC violations.  Now whether or 
not these are good spam signs I do not know...


-Jim


Re: required score vs refuse score

2007-08-10 Thread Kai Schaetzl
Michael Worobcuk wrote on Fri, 10 Aug 2007 17:05:49 +0200:

 So what is the refuse score in the userprefs tables for ?

As Theo said: ask the Vexim people. It's not used by SA.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: required score vs refuse score

2007-08-10 Thread Michael Worobcuk


On 10.08.2007 at 01:08, Theo Van Dinter wrote:


On Thu, Aug 09, 2007 at 12:57:11PM +0200, Michael Worobcuk wrote:

I am using Spamassassin and Vexim.
In the Vexim Interface I can adjust the values :

- SpamAssassin tag score
- SpamAssassin refuse score

What is the difference between the values refuse score and the
required score ?


SA has no such concept (it just marks up mails), so you'll want to ask
the Vexim folks.  My guess is that it's the score at which the mail
is refused.


So what is the refuse score in the userprefs tables for ?



Re: a small explanation on rule FORGED_RCVD_HELO

2007-08-10 Thread Matt Kettler
Sasori_no_Suna wrote:
 hello all, I just want to know about this rule FORGED_RCVD_HELO: what does it
 mean? And on the result of spamassassin, why do I always have it? I just
 need an explanation, thanks 
   
It looks for a HELO that doesn't match against the reverse DNS for the IP
address.

However, it should also be noted that this rule is dead. 3.2.0 and
higher no longer include it.

Even in 3.1.x the score of this rule is very small and negligible due to
its high false-positive rate.


Re: how to upgrade 3.1.7 to higer version

2007-08-10 Thread Matt Kettler
Robert - eLists wrote:



 Now I using SA 3.1.7. How to update the higher versions. Please
 help me.
 -- 
 Sg

  

  

 Hi Sg,

  

 Um if you are using CentOS just do this


Sg uses SA on windows, not CentOS, or any other Linux.

In any event, if you're installing from the source (.zip or tarball),
you can just download the new one and go through the install process. SA
will very nicely install over top of itself.

As Robert suggested, it's always a good idea to back up your
/etc/mail/spamassassin, or whatever the equivalent is for your system,
but the install process shouldn't change anything here, other than to
add v320.pre for the new plugins.

It is also a good idea to read the UPGRADE file, as this is where the
developers leave notes about significant changes between versions. In
3.2.x there's not a whole lot changed from a general configuration
perspective, but it is still a good idea to read the relevant parts
UPGRADE file before upgrading.

UPGRADE will come with the source, but you can also read it at:

http://svn.apache.org/repos/asf/spamassassin/branches/3.2/UPGRADE




Re: Detecting short-TTL domains?

2007-08-10 Thread John D. Hardin
On Fri, 10 Aug 2007, Leonardo Rodrigues Magalhães wrote:

 Anyway, checking TTL would require that you always check
 domain NSs and not your DNS cache server. That would trash all the
 DNS cache traffic save, thus not making it a good idea.

_always_? Not necessarily. That data could be maintained in a local
cache after querying the authoritative server directly. Of course,
that assumes the same short-TTL domain will be sending a lot of spams
to you...

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The real opiate of the masses isn't religion; it's the belief that
  somewhere there is a benefit that can be delivered without a
  corresponding cost.   -- Tom of Radio Free NJ
---
 5 days until The 62nd anniversary of the end of World War II



Re: Detecting short-TTL domains?

2007-08-10 Thread Kai Schaetzl
 wrote on Fri, 10 Aug 2007 16:28:11 -0300:

 Never heard of a minimum TTL specified by RFCs 

Some domain registries force a minimum TTL on you when you register, not 
afterwards. But I haven't heard of any limit by RFC either.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: how to upgrade 3.1.7 to 3.2.x

2007-08-10 Thread Luis Hernán Otegui
It could be good if you provide us with some details about your
installation (OS, method of installation at least).
If you want to go the old compile way, backup your /etc/spamassassin
(or /etc/mail/spamassassin/), and then:

#wget last-version-of-spamassassin.tar.gz

#tar xzvf last-version-of-spamassassin.tar.gz

#cd last-version-of-spamassassin

#perl Makefile.PL

#make

#make test

#sudo make install

But it varies depending on your OS, Perl version, and update method
(RPMs, Debian packages, FreeBSD port system, etc)


Bring us more info, and you'll get more help.


Luix
2007/8/10, Sg [EMAIL PROTECTED]:

 Hi

   How to upgrade 3.1.7 to 3.2.x. Please help me.
 --
 Sg


-- 
-
GNU-GPL: May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Mail server hosted by Comcast

2007-08-10 Thread SM

At 13:28 10-08-2007, Igor Chudov wrote:

I am considering a local deal related to hosting by Comcast cable
(8 Mbps down, 1 Mbps up).

I am concerned, however, with me sending email and being on a Comcast IP
range, due to the bad rap that Comcast has due to spamming by Comcast
hosted zombies.

Do you think that my mailserver will have issues if I host it on
the Comcast network?

That would be a static IP and, hopefully, I can get Comcast to reverse
resolve it to a hostname on one of my domains.


It shouldn't be an issue if you have the reverse DNS resolving to 
your hostname.


Regards,
-sm 



Re: Mail server hosted by Comcast

2007-08-10 Thread Jonn R Taylor

Jerry Durand wrote:

At 01:28 PM 8/10/2007, Igor Chudov wrote:

I am considering a local deal related to hosting by Comcast cable
(8 Mbps down, 1 Mbps up).

I am concerned, however, with me sending email and being on a Comcast IP
range, due to the bad rap that Comcast has due to spamming by Comcast
hosted zombies.

Do you think that my mailserver will have issues if I host it on
the Comcast network?

That would be a static IP and, hopefully, I can get Comcast to reverse
resolve it to a hostname on one of my domains.

i


We're on a dynamic Verizon business DSL and use the Verizon server (with 
AUTH) and haven't had much trouble.  The main thing is, SEND THROUGH A 
FIXED SERVER.  In your case, you might want to use the server from 
whoever hosts your DDNS.





We use Comcast's WorkPlace Enhanced and it has been working very well
with a 99.999% uptime. You should get static IP's from them, this way
they can set your rDNS to your domain. This is what we do and we have no
problem sending to any provider, including AOL and Yahoo.

Jonn



some of you have bad meta rules...

2007-08-10 Thread Eric A. Hall

noticed this in the debug output while upgrading

[10637] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency
'DCC_CHECK'
[10637] info: rules: meta test FM__TIMES_2 has dependency
'FH_HOST_EQ_D_D_D_D' with a zero score
[10637] info: rules: meta test FM_SEX_HOST has dependency
'FH_HOST_EQ_D_D_D_D' with a zero score
[10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_MKSHRT'
[10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_GT'
[10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_TINY'
[10637] info: rules: meta test HS_PHARMA_1 has dependency
'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
[10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency
'SARE_XMAIL_SUSP2'
[10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency
'SARE_HEAD_XAUTH_WARN'
[10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency
'X_AUTH_WARN_FAKED'

don't feel bad, I had some broken ones myself :)

--lint probably ought to be extended to catch meta rules btw

-- 
Eric A. Hall                                  http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/


Re: fdf spam

2007-08-10 Thread wolfgang
In an older episode (Friday, 10. August 2007), Mike Cisar wrote:
 Has anyone else been seeing the empty-body PDF spam, but with a
 .fdf file extension.  Had a whole pile in my inbox here this morning.

Thousands of them went through our mail gateways at work. A typo in some 
bot?

Regards,

wolfgang

--
Bad typists of the world, UNTIE!


Re: Detecting short-TTL domains?

2007-08-10 Thread John D. Hardin
On Fri, 10 Aug 2007, Leonardo Rodrigues Magalhães wrote:

 John D. Hardin wrote:
  On Fri, 10 Aug 2007, Leonardo Rodrigues Magalhães wrote:

  Anyway, checking TTL would require that you always check
  domain NSs and not your DNS cache server. That would trash all the
  DNS cache traffic save, thus not making it a good idea.
 
  _always_? Not necessarily. That data could be maintained in a local
  cache after querying the authoritative server directly. Of course,
  that assumes the same short-TTL domain will be sending a lot of spams
  to you...
 
 Well  at least that would probably require some coding on the 
 DNS Cache server code.

What I had in mind was a custom DNS client code, or playing with the 
options to Net::DNS to query the authoritative server directly.

Regardless, obtaining that information will be rather ugly.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The big news on the streets today is that the people of Baqubah
  are generally ecstatic, although many hold in reserve a serious
  concern that we will abandon them again. For many Iraqis, we have
  morphed from being invaders to occupiers to members of a tribe.
 -- Michael Yon, 05 July 2007
---
 5 days until The 62nd anniversary of the end of World War II



Re: Single letters in punctuation

2007-08-10 Thread Jari Fredriksson
 OK you regex guys, write a decent rule for this -
 
 Have been getting bombarded (it's a weekend!  Yay!) with
 these for the past hour 
 or so.
 

I got one of those too. Bayes_95!

Content analysis details:   (9.3 points, 5.0 required)

 pts rule name  description
 -- --
 5.0 BOTNET Relay might be a spambot or virusbot
 [botnet0.7,ip=59.7.41.128,maildomain=camillesellscaliforniadesert.com,nordns]
 0.0 HTML_MESSAGE   BODY: HTML included in message
 3.0 BAYES_95   BODY: Bayesian spam probability is 95 to 99%
[score: 0.9741]
 0.0 HTML_SHOUTING5 BODY: HTML has very strong shouting markup
 0.0 MIME_QP_LONG_LINE  RAW: Quoted-printable line longer than 76 chars
 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 [Blocked - see http://www.spamcop.net/bl.shtml?59.7.41.128]




Disabling a shipped rule in SpamAssassin

2007-08-10 Thread Kelly Jones
How do I disable a rule in /usr/local/share/spamassassin/*.cf?

I'm tempted to comment it out, but the headers say to not do that.

If I put something in /etc/mail/spamassassin/local.cfg, I can override
the definition of an existing rule (right?), but that doesn't let me
delete a rule.

If I wanted to disable the RCVD_IN_NJABL_DUL rule (for example), could I do:

header RCVD_IN_NJABL_DUL NULL_TEST
describe RCVD_IN_NJABL_DUL overriding and nulling out NJABL test
score RCVD_IN_NJABL_DUL 0

or something? Or is setting the score to 0 sufficient?

I don't want SA to run the rule at all if I'm not going to use it, so
I wasn't sure if setting the score to 0 was the best way to go.

-- 
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.


Re: rule for empty text + GIF or PDF ?

2007-08-10 Thread Jo Rhett

Theo Van Dinter wrote:

Sure, one for PDF has been available via sa-update for weeks.


Where?  I'm using sa-update and almost all of the sare rulesets, and I'm 
getting a metric ton of these.  Searching rulesemporium for empty or 
pdf gets nothing.


--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness


Re: fdf spam

2007-08-10 Thread David B Funk
On Sat, 11 Aug 2007, wolfgang wrote:

 In an older episode (Friday, 10. August 2007), Mike Cisar wrote:
  Has anyone else been seeing the empty-body PDF spam, but with a
  .fdf file extension.  Had a whole pile in my inbox here this morning.

 Thousands of them went through our mail gateways at work. A typo in some
 bot?

No, merely the next episode in the never-ending spam-wars saga.

A .fdf file is yet another Adobe file type and double-clicking on one
(in a Windows box) will launch Acrobat-reader and display its contents.
However anti-spam weapons such as PDFinfo are explicitly coded to look
for .pdf files, thus .fdf is given a pass.
This shows the cleverness behind (at least some of) the spammers.

A quick edit will update PDFinfo to check .fdf files too.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


Re: some of you have bad meta rules...

2007-08-10 Thread Loren Wilton

[10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_MKSHRT'
[10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_GT'
[10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_TINY'
[10637] info: rules: meta test HS_PHARMA_1 has dependency
'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
[10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency
'SARE_XMAIL_SUSP2'
[10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency
'SARE_HEAD_XAUTH_WARN'
[10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency
'X_AUTH_WARN_FAKED'


Unless all of those SARE rules chain back to standard SA rules that have 
been removed, it may indicate that you have a higher-numbered part of one of 
the multi-part rule sets, and don't have the lower-numbered parts.  In many 
cases there are base rules in the .0 or .1 files that are used by 
higher-numbered files in the same set.


   Loren




Re: rule for empty text + GIF or PDF ?

2007-08-10 Thread Jo Rhett

SM wrote:

At 19:39 10-08-2007, Jo Rhett wrote:
Where?  I'm using sa-update and almost all of the sare rulesets, and 
I'm getting a metric ton of these.  Searching rulesemporium for 
empty or pdf gets nothing.


TVD_PDF_FINGER01  Mail matches standard pdf spam fingerprint

http://wiki.apache.org/spamassassin/RuleUpdates


Thank you for the very useless reference to sa-update.  As my original 
e-mail said, I'm running sa-update (and it works) and I'm also using 
sa-update to get about 40 SARE channels, and those work.


I don't see any sare channels that deal with PDF empty text spam.

--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness


Re: Detecting short-TTL domains?

2007-08-10 Thread Loren Wilton

_always_? Not necessarily. That data could be maintained in a local
cache after querying the authoritative server directly. Of course,
that assumes the same short-TTL domain will be sending a lot of spams
to you...


Query the cache first.  If it returns 1800 seconds it isn't a short-time 
domain, so there is no point in querying the authority.  If it returns 2, 
then look elsewhere.


   Loren
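
The two ideas in this thread, Dallas's re-query of the nameservers from the authority section and Loren's shortcut of consulting the cache first, put together in one script. This is an added example, not code from either poster or from SpamAssassin; the $SHORT_TTL threshold and the helper names (timed_send, min_a_ttl, authority_nameservers, check_ttl) are my own choices, and the script needs network access to run.

```perl
#!/usr/bin/perl
# Added example (not Dallas's or Loren's code). Look at the cached TTL first;
# only when it looks short, ask the authority-section nameservers for the real
# TTL, with an alarm() so a slow authority cannot hang the check.
use strict;
use warnings;
use Net::DNS;

# Assumed threshold: anything at or below this is treated as "short". Tune it.
my $SHORT_TTL = 300;

# Send one query with a hard timeout; returns the packet or undef.
sub timed_send {
    my ($res, $name, $type, $seconds) = @_;
    my $packet;
    eval {
        local $SIG{ALRM} = sub { die "dns timeout\n" };
        alarm $seconds;
        $packet = $res->send($name, $type);
        alarm 0;
    };
    alarm 0;   # make sure no alarm is left pending after an exception
    return undef if $@ || !$packet;
    return undef if $packet->header->rcode =~ /^(?:NXDOMAIN|SERVFAIL|REFUSED)$/;
    return $packet;
}

# Smallest TTL among the A records of a packet's answer section, or undef.
sub min_a_ttl {
    my ($packet) = @_;
    my $min;
    for my $rr ($packet->answer) {
        next unless $rr->type eq 'A';
        $min = $rr->ttl if !defined $min || $rr->ttl < $min;
    }
    return $min;
}

# Hostnames of the NS records in the authority section (trailing dot removed).
sub authority_nameservers {
    my ($packet) = @_;
    my @ns;
    for my $rr ($packet->authority) {
        next unless $rr->type eq 'NS';
        (my $name = $rr->nsdname) =~ s/\.$//;
        push @ns, $name;
    }
    return @ns;
}

# Returns (cached_ttl, authoritative_ttl); either may be undef.
sub check_ttl {
    my ($host) = @_;
    my $res = Net::DNS::Resolver->new;             # system resolver / cache
    my $cached = timed_send($res, $host, 'A', 5) or return (undef, undef);
    my $cached_ttl = min_a_ttl($cached);

    # Loren's shortcut: the cached value is the remaining TTL, so a long one
    # cannot hide a short authoritative TTL; stop here and skip the slow query.
    return ($cached_ttl, undef)
        if !defined $cached_ttl || $cached_ttl > $SHORT_TTL;

    # Dallas's step: point the resolver at the authority and ask again.
    my @ns = authority_nameservers($cached) or return ($cached_ttl, undef);
    $res->nameservers(@ns);
    $res->recurse(0);                               # we want their own data
    my $auth = timed_send($res, $host, 'A', 10) or return ($cached_ttl, undef);
    return ($cached_ttl, min_a_ttl($auth));
}

my $host = shift @ARGV || 'www.uribl.com';
my ($cached, $auth) = check_ttl($host);
printf "%s: cached ttl=%s authoritative ttl=%s\n", $host,
    (defined $cached ? $cached : 'n/a'), (defined $auth ? $auth : 'n/a');
```

Many recursive resolvers send a minimal response with an empty authority section, in which case the script reports only the cached TTL; a production version would look up the NS records for the domain itself before giving up.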




Re: fdf spam

2007-08-10 Thread Dallas Engelken

David B Funk wrote:

On Sat, 11 Aug 2007, wolfgang wrote:

  

In an older episode (Friday, 10. August 2007), Mike Cisar wrote:


Has anyone else been seeing the empty-body PDF spam, but with a
.fdf file extension.  Had a whole pile in my inbox here this morning.
  

Thousands of them went through our mail gateways at work. A typo in some
bot?



No, merely the next episode in the never-ending spam-wars saga.

A .fdf file is yet another Adobe file type and double-clicking on one
(in a Windows box) will launch Acrobat-reader and display its contents.
However anti-spam weapons such as PDFinfo are explicitly coded to look
for .pdf files, thus .fdf is given a pass.
This shows the cleverness behind (at least some of) the spammers.

A quick edit will update PDFinfo to check .fdf files too.

  


that was done this morning if you want to grab a new version...
http://www.rulesemporium.com/plugins/PDFInfo.pm

--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com