Re: Mail server hosted by Comcast
On 8/10/07, Jonn R Taylor [EMAIL PROTECTED] wrote:
> Jerry Durand wrote:
>> At 01:28 PM 8/10/2007, Igor Chudov wrote:
>>> I am considering a local deal related to hosting by Comcast cable (8mbps down, 1 mbps up). I am concerned, however, with me sending email and being on comcast IP range, due to bad rap that Comcast has due to spamming by Comcast hosted zombies. Do you think that my mailserver will have issues if I host it on comcast network? That would be a static IP and, hopefully, I can get comcast to reverse resolve it to a hostname on one of my domains.
>>> i
>>
>> We're on a dynamic Verizon business DSL and use the Verizon server (with AUTH) and haven't had much trouble. The main thing is, SEND THROUGH A FIXED SERVER. In your case, you might want to use the server from whoever hosts your DDNS.
>
> We use Comcast's WorkPlace Enhanced and it has been working very well with a 99.999% uptime. You should get static IP's from them, this way they can set your rDNS to your domain. This is what we do and we have no problem sending to any provider, including AOL and Yahoo.
>
> Jonn

I will block you just for giving money to such a crooked evil company. But, probably most people will not :) If your DNS is set up OK then I would not worry.
Re: fdf spam
On Friday 10 August 2007, Dallas Engelken wrote:
> David B Funk wrote:
>> On Sat, 11 Aug 2007, wolfgang wrote:
>>> In an older episode (Friday, 10. August 2007), Mike Cisar wrote:
>>>> Has anyone else been seeing the empty-body PDF spam, but with a .fdf file extension. Had a whole pile in my inbox here this morning.
>>>
>>> Thousands of them went through our mail gateways at work. A typo in some bot?
>>
>> No, merely the next episode in the never-ending spam-wars saga. A .fdf file is yet another Adobe file type and double-clicking on one (in a Windows box) will launch Acrobat-reader and display its contents. However anti-spam weapons such as PDFinfo are explicitly coded to look for .pdf files, thus .fdf is given a pass. This shows the cleverness behind (at least some of) the spammers. A quick edit will update PDFinfo to check .fdf files too.
>
> that was done this morning if you want to grab a new version...
> http://www.rulesemporium.com/plugins/PDFInfo.pm

I think what he is asking, and I sure am, is how do you get sa-update to pick up these new modules. I have PDFInfo.pm installed, but an sa-update -D

[EMAIL PROTECTED] Dailys]# sa-update -D
[31662] dbg: logger: adding facilities: all
[31662] dbg: logger: logging level is DBG
[31662] dbg: generic: SpamAssassin version 3.2.3
[31662] dbg: config: score set 0 chosen.
[31662] dbg: dns: is Net::DNS::Resolver available? yes
[31662] dbg: dns: Net::DNS version: 0.60
[31662] dbg: generic: sa-update version svn540384
[31662] dbg: generic: using update directory: /var/lib/spamassassin/3.002003
[31662] dbg: diag: perl platform: 5.008008 linux
[31662] dbg: diag: module installed: Digest::SHA1, version 2.11
[31662] dbg: diag: module installed: HTML::Parser, version 3.55
[31662] dbg: diag: module installed: Net::DNS, version 0.60
[31662] dbg: diag: module installed: MIME::Base64, version 3.07
[31662] dbg: diag: module installed: DB_File, version 1.814
[31662] dbg: diag: module installed: Net::SMTP, version 2.29
[31662] dbg: diag: module installed: Mail::SPF, version v2.004
[31662] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[31662] dbg: diag: module installed: IP::Country::Fast, version 604.001
[31662] dbg: diag: module installed: Razor2::Client::Agent, version 2.82
[31662] dbg: diag: module installed: Net::Ident, version 1.20
[31662] dbg: diag: module installed: IO::Socket::INET6, version 2.51
[31662] dbg: diag: module installed: IO::Socket::SSL, version 1.01
[31662] dbg: diag: module installed: Compress::Zlib, version 1.42
[31662] dbg: diag: module installed: Time::HiRes, version 1.86
[31662] dbg: diag: module installed: Mail::DomainKeys, version 1.0
[31662] dbg: diag: module installed: Mail::DKIM, version 0.26
[31662] dbg: diag: module installed: DBI, version 1.52
[31662] dbg: diag: module installed: Getopt::Long, version 2.35
[31662] dbg: diag: module installed: LWP::UserAgent, version 2.033
[31662] dbg: diag: module installed: HTTP::Date, version 1.47
[31662] dbg: diag: module installed: Archive::Tar, version 1.30
[31662] dbg: diag: module installed: IO::Zlib, version 1.04
[31662] dbg: diag: module installed: Encode::Detect, version 1.00
[31662] dbg: gpg: Searching for 'gpg'
[31662] dbg: util: current PATH is: /usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[31662] dbg: util: executable for gpg was found at /usr/bin/gpg
[31662] dbg: gpg: found /usr/bin/gpg
[31662] dbg: gpg: release trusted key id list: [...]
[31662] dbg: channel: attempting channel updates.spamassassin.org
[31662] dbg: channel: update directory /var/lib/spamassassin/3.002003/updates_spamassassin_org
[31662] dbg: channel: channel cf file /var/lib/spamassassin/3.002003/updates_spamassassin_org.cf
[31662] dbg: channel: channel pre file /var/lib/spamassassin/3.002003/updates_spamassassin_org.pre
[31662] dbg: channel: metadata version = 556472
[31662] dbg: dns: 3.2.3.updates.spamassassin.org = 556472, parsed as 556472
[31662] dbg: channel: current version is 556472, new version is 556472, skipping channel
[31662] dbg: diag: updates complete, exiting with code 1
===

session ignores that fact. A config error someplace? Smart did update some perl stuff today but that wasn't in the list. My pdfinfo.cf, and my PDFInfo.pm are both dated July 19, all 3 copies of each, and I too am beginning to drown in this crap.

So how DO we get sa-update to actually update this stuff?

Thanks.

--
Cheers, Gene
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
A university is what a college becomes when the faculty loses interest in students. -- John Ciardi
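The point of the exchange above is that a detector keyed on the ".pdf" extension alone is bypassed by renaming the file to ".fdf", which Adobe Reader opens just the same. As an added example, not code from the thread and not the PDFInfo plugin, here is a stand-alone Python check that looks at both the declared filename extension and the leading bytes of every attachment, and combines that with the "empty body plus Adobe attachment" pattern the posters describe. The extension set, the magic strings and the sample message are assumptions of this example; the mail is constructed, not a captured spam.

```python
# Added example (not from the thread or the PDFInfo plugin): flag PDF/FDF
# attachments by file magic as well as by extension, so an .fdf rename
# does not slip past.  Standard library only; the sample mail is constructed.
from email import message_from_bytes
from email.message import Message

# Extensions Adobe Reader opens.  Checking ".pdf" alone is what .fdf slipped past.
ADOBE_EXTENSIONS = {".pdf", ".fdf"}
# Both formats begin with a "%PDF-1.x" / "%FDF-1.x" version line.
ADOBE_MAGIC = (b"%PDF-", b"%FDF-")


def classify_part(part: Message) -> dict:
    """Describe one leaf MIME part: filename, extension, and whether the
    extension and/or the leading bytes identify it as PDF/FDF."""
    name = (part.get_filename() or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    payload = part.get_payload(decode=True) or b""
    return {
        "filename": name,
        "ext": ext,
        "content_type": part.get_content_type(),
        "ext_match": ext in ADOBE_EXTENSIONS,
        "magic_match": payload.lstrip().startswith(ADOBE_MAGIC),
    }


def adobe_attachments(raw: bytes, extensions=ADOBE_EXTENSIONS, use_magic=True) -> list:
    """Return the parts that look like PDF/FDF.  The parameters exist to show
    the difference between an extension-only check (the plugin behaviour
    described upthread) and extension-plus-magic."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        info = classify_part(part)
        if info["ext"] in extensions or (use_magic and info["magic_match"]):
            hits.append(info)
    return hits


def is_empty_body_adobe_spam(raw: bytes) -> bool:
    """The pattern the thread describes: no text in the body, plus at least
    one PDF/FDF attachment."""
    msg = message_from_bytes(raw)
    text = b"".join(
        (p.get_payload(decode=True) or b"")
        for p in msg.walk()
        if p.get_content_type() == "text/plain" and not p.get_filename()
    )
    return not text.strip() and bool(adobe_attachments(raw))


# Constructed sample: empty text part, then an FDF file carrying a .fdf name.
SAMPLE_FDF_SPAM = b"""\
From: sender@example.invalid
To: you@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

--b1
Content-Type: application/octet-stream; name="report.fdf"
Content-Disposition: attachment; filename="report.fdf"
Content-Transfer-Encoding: 7bit

%FDF-1.2
1 0 obj << /FDF << /Fields [] >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
--b1--
"""

if __name__ == "__main__":
    print("extension-only (.pdf):", adobe_attachments(SAMPLE_FDF_SPAM, {".pdf"}, False))
    print("extension+magic:      ", adobe_attachments(SAMPLE_FDF_SPAM))
    print("empty-body Adobe spam:", is_empty_body_adobe_spam(SAMPLE_FDF_SPAM))
```

Run as a script it prints an empty list for the extension-only check and one hit for the combined check. Renaming the attachment to ".txt" in the sample still yields a hit through the magic bytes, which is the property an extension list can never give you.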
Re: some of you have bad meta rules...
On Friday 10 August 2007, Loren Wilton wrote:
>> [10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
>> [10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
>> [10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
>> [10637] info: rules: meta test HS_PHARMA_1 has dependency 'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
>> [10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
>> [10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
>> [10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'X_AUTH_WARN_FAKED'
>
> Unless all of those SARE rules chain back to standard SA rules that have been removed, it may indicate that you have a higher-numbered part of one of the multi-part rule sets, and don't have the lower-numbered parts. In many cases there are base rules in the .0 or .1 files that are used by higher-numbered files in the same set.
>
> Loren

I'm getting some of those too Loren, since the 3.2.3 update a couple of days ago, done by smart.

--
Cheers, Gene
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
Meade's Maxim: Always remember that you are absolutely unique, just like everyone else.
Re: Detecting short-TTL domains?
John D. Hardin wrote on Fri, 10 Aug 2007 13:27:21 -0700 (PPT):
> Of course, that assumes the same short-TTL domain will be sending a lot of spams to you...

SA could cache/store this. A spammer domain with low TTL will be a spammer domain the next day and the day after next day ... Maybe cache that for one day before a requery.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Disabling a shipped rule in SpamAssassin
Kelly Jones wrote on Fri, 10 Aug 2007 20:39:09 -0600:
> If I put something in /etc/mail/spamassassin/local.cfg

.cf !

> Or is setting the score to 0 sufficient?

It is. In /etc/mail/spamassassin, not in the original rule!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: SA + Procmail Conundrum - RESOLVED
On Thu, 2007-08-09 at 06:58 -0400, Gene Heskett wrote:
> On Thursday 09 August 2007, Mark Sansome wrote:
>> [Snip]
>> So if the permissions are OK I need to look again at the original problem.
>>
>> On Tue, 2007-08-07 at 12:32 -0400, Kris Deugau wrote:
>>> - Call spamc with the -u option and specify each destination user in a separate recipe. You'll have to call SA for each destination user after splitting off the mail stream for that user (instead of before as you're probably doing now), but you should already have some pieces that do that. This is probably the simplest option.
>>
>> Does this mean that I will have to put a ~/.spamassassin/user_prefs configuration file in each user's account? And will that mean that each will have to have their own bayes learning?
>
> I believe that is how it works, but I can't readily check as there aren't any other users on this machine that actually have external email accounts. I run fetchmail as a 500:500 process, and both .fetchmailrc and .procmailrc live in that user's home directory. As does a .spamassassin subdir that contains:
> [Snip]
>
>> What I was hoping to achieve was that all users' mail would be checked for viruses and spam, offending mails would be put into an IN_Spam folder which is then used each night as the basis for sa-learn. Only clean mail would then be passed on to their respective /var/spool/mail/username folder...
>
> I essentially do that here as all mail and SA related stuff is done by me as a user, but at the end of the chain it's kmail, run as root. Joanne, if she has the time, can tell you how to set that up as it's much more secure to handle your mail as an unprivileged user even if you do run as root 99.44% of the time.
> [Snip]

Thanks to all the people who helped me think about this. I have now resolved the problem to my satisfaction.

For the benefit of others looking at this thread I will briefly describe my solution:

Essentially I still run Procmail as root, I still do the virus / spam checking before splitting the mails off into their respective users' mail directories - but now I run SA with the following command from Procmail:

:0fw
* < 256000
| /usr/bin/spamc --username=mark

(mark is *my* username)

This meant that I had to copy over the bayes files from /etc/mail/spamassassin into /home/mark/.spamassassin and put the spam directory in my user area (in actual fact I just re-ran sa-learn on my spam and ham folders) and now all is well in the land of my humble little home mail server...

Thanks again to all...

Mark
New Image Spam
Hi everyone.

I'm receiving some new image spam and was wondering if anyone had a technique for it. The image is now an actual image of some porn with a URL at the top of it. I'm using Fuzzy OCR to scan but I don't think Fuzzy checks the URL's. Any ideas?

For those that are interested, you can see a sample at: http://www.gcftech.com/spam.jpg

Thanks
Jason
debug returns misleading information (dns/async)
Hi guys,

The following is an excerpt from a spamassassin -D output of an actual spam message:

[15371] dbg: async: select found no socks ready
[15371] dbg: async: queries completed: 24 started: 0
[15371] dbg: async: queries active: at Sat Aug 11 14:17:54 2007
[15371] dbg: dns: success for 0 of 24 queries

Although all DNS queries were answered (the log says so, and the message gets tagged with some RBLs), it still claims that none of the queries were successful. That said, the async part says that it got 24 completed queries without starting any!

any pointers?

Cheers,
Dave

--
Dave Mifsud
Systems Engineer
Computing Services Centre
University of Malta
CSC Tel: (+356) 2340 3004
CSC Fax: (+356) 21 343 397
Re: Detecting short-TTL domains?
On Saturday August 11 2007 02:13:32 John D. Hardin wrote:
> What I had in mind was a custom DNS client code, or playing with the options to Net::DNS to query the authoritative server directly. Regardless, obtaining that information will be rather ugly.

It may also be impractical or impossible for people behind a firewall. It is customary that internal hosts are only allowed to use dedicated internal DNS resolvers, which in turn are the only ones allowed to have DNS traffic with outside.

Mark
Re: Mail server hosted by Comcast
Igor Chudov wrote:
> I am considering a local deal related to hosting by Comcast cable (8mbps down, 1 mbps up). I am concerned, however, with me sending email and being on comcast IP range, due to bad rap that Comcast has due to spamming by Comcast hosted zombies. Do you think that my mailserver will have issues if I host it on comcast network? That would be a static IP and, hopefully, I can get comcast to reverse resolve it to a hostname on one of my domains.
> i

I'm on Comcast and am having no problems. I set the smarthost for sendmail to smtp.comcast.net and, at least so far, have not triggered anything that would block incoming or outgoing mail. All mail from me goes through the official comcast mail server and does not appear to come from a dynamic address.
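The advice across this thread (get a static IP, have the provider set rDNS under your own domain, or send through the provider's fixed server) comes down to what a receiving MTA checks before accepting mail from your address: whether the IP has a PTR record, whether that name resolves back to the same IP (forward-confirmed reverse DNS), and whether the name looks like an ISP's generic dynamic-pool name. As an added example, not code from the thread, here is a Python check that answers those three questions for an IP. The resolver calls are injectable so the logic can be exercised offline; the defaults use the system resolver through the socket module, and the PTR/A tables at the bottom are constructed sample data using documentation address ranges. The "generic name" heuristic (all four octets appear in the PTR name) is an assumption of the example, not a standard.

```python
# Added example (not from the thread): forward-confirmed reverse DNS check of
# the kind receivers apply to a sending IP.  Lookups are injectable; defaults
# use the system resolver.  SAMPLE_PTR / SAMPLE_A are constructed data.
import re
import socket
from typing import List, Optional


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when there is no reverse entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(host: str) -> List[str]:
    """A lookup via the system resolver; empty list when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def looks_generic(ptr_name: str, ip: str) -> bool:
    """Heuristic (assumption of this example): an ISP-assigned PTR usually
    embeds the address, e.g. c-192-0-2-26.hsd1.example.net.  True when every
    octet of the IP occurs as a digit run somewhere in the name."""
    digit_runs = set(re.findall(r"\d+", ptr_name))
    return all(octet in digit_runs for octet in ip.split("."))


def check_fcrdns(ip, my_domains=(), ptr_lookup=system_ptr, a_lookup=system_a) -> dict:
    """ptr: the PTR name (None if absent); forward_ok: that name's A records
    include ip; in_domain: the name sits under one of my_domains; generic:
    the name looks ISP-assigned."""
    result = {"ip": ip, "ptr": None, "forward_ok": False, "in_domain": False, "generic": False}
    ptr = ptr_lookup(ip)
    if not ptr:
        return result
    name = ptr.rstrip(".").lower()
    result["ptr"] = name
    result["forward_ok"] = ip in a_lookup(name)
    domains = [d.lower().rstrip(".") for d in my_domains]
    result["in_domain"] = any(name == d or name.endswith("." + d) for d in domains)
    result["generic"] = looks_generic(name, ip)
    return result


def verdict(check: dict) -> str:
    """One-line summary ordered by what receivers act on first."""
    if check["ptr"] is None:
        return "no PTR: expect rejections"
    if not check["forward_ok"]:
        return "PTR does not resolve back to the IP: FCrDNS fails"
    if check["generic"] and not check["in_domain"]:
        return "FCrDNS ok but PTR is the ISP's generic name: ask for rDNS under your domain"
    return "FCrDNS ok under your own domain"


# Constructed sample data standing in for real DNS (documentation ranges).
SAMPLE_PTR = {
    "192.0.2.25": "mail.example.org.",
    "192.0.2.26": "c-192-0-2-26.hsd1.example.net",
    "192.0.2.28": "spoofed.example.com.",          # PTR claims a name that does not point back
}
SAMPLE_A = {
    "mail.example.org": ["192.0.2.25"],
    "c-192-0-2-26.hsd1.example.net": ["192.0.2.26"],
    "spoofed.example.com": ["203.0.113.99"],
}


def sample_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_a(host: str) -> List[str]:
    return SAMPLE_A.get(host, [])


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.27", "192.0.2.28"):
        print(ip, "->", verdict(check_fcrdns(ip, ["example.org"], sample_ptr, sample_a)))
```

Against live DNS, call check_fcrdns with your server's public IP and your domain and the default lookups; the case Jonn describes (static IP, rDNS under your own domain) is the one that yields "FCrDNS ok under your own domain".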
Use of uninitialized value in scalar chomp
Hi,

I've managed to set up SA to scan via procmail and it works nicely. I run qmail+vpopmail. However, I get this in the logs:

Aug 11 15:25:49 spinea spamd[14258]: Use of uninitialized value in scalar chomp at /usr/sbin/spamd line 1765, <GEN33> line 2.
Aug 11 15:25:49 spinea spamd[14258]: Use of uninitialized value in concatenation (.) or string at /usr/sbin/spamd line 1767, <GEN33> line 2.

As well as

Aug 11 15:25:50 spinea spamd[14258]: pyzor: check failed: internal error

I read that the first is due to vuserinfo not returning correct information or something, but it still annoys me to have the message there. My SA startup flags are:

--max-children 5 --helper-home-dir /var/qmail/spamassassin -v -u vpopmail

I also read that the pyzor message is actually not a real error, but more a notification or similar? I found a couple of patches for it that I couldn't apply to my version.

Oh yeah, I run Debian Etch.

Any idea how I can get rid of these warnings?

Jonathan
Re: debug returns misleading information (dns/async)
Bug 5581 / patch attachment 4081 seems to solve my problem

BTW Mark, very nice DNS timings in debug output :)

cheers,
dave

On 11/08/07 14:25, Dave Mifsud wrote:
> Hi guys,
>
> The following is an excerpt from a spamassassin -D output of an actual spam message:
>
> [15371] dbg: async: select found no socks ready
> [15371] dbg: async: queries completed: 24 started: 0
> [15371] dbg: async: queries active: at Sat Aug 11 14:17:54 2007
> [15371] dbg: dns: success for 0 of 24 queries
>
> Although all DNS queries were answered (the log says so, and the message gets tagged with some RBLs), it still claims that none of the queries were successful. That said, the async part says that it got 24 completed queries without starting any!
>
> any pointers?
>
> Cheers,
> Dave
> --
> Dave Mifsud
> Systems Engineer
> Computing Services Centre
> University of Malta
> CSC Tel: (+356) 2340 3004
> CSC Fax: (+356) 21 343 397
Re: fdf spam
> that was done this morning if you want to grab a new version...
> http://www.rulesemporium.com/plugins/PDFInfo.pm

Could somebody PLEASE make sure that when a new version of PDFInfo is posted the website shows the updated version number? The page still says it's version 0.7 last modified 2007-07-27, and you have to actually read the .pm to see that it's now at 0.8.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
NASCAR is a Yankee conspiracy to keep you all placated so the South won't rise again. --QuestionableContent.net
MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?
Hello All,

I'm going to upgrade SA from spamassassin-3.1.7-3 to spamassassin-3.2.2-1. In my local.cf I've adjusted some optional scores and now I want to check if these scores are still intact in the new version of SA. So I went to
http://spamassassin.apache.org/tests_3_1_x.html and
http://spamassassin.apache.org/tests_3_2_x.html

I've found that:
1) RATWARE_OUTLOOK_NONAME and MISSING_SUBJECT are now missing in both (3.1.x and 3.2.x)

These scores were intact for my 3.1.7 installation when I configured it. (spamassassin --lint gives no error)

What happened? How did these scores disappear? Should I just remove them from my local.cf before upgrade?

Best Regards,
Leon Kolchinsky
Re: Dns Resolver problem
On Fri, 10 Aug 2007, Pawel Sasin wrote:
> I want to be able to make SA rotate DNS servers.

Apparently that is a limitation of Net::DNS. There was some discussion of it on-list a few weeks back; I don't clearly remember the details. You might want to check the current status of Net::DNS w/r/t fallback, rotation, etc., and work with the developers of that package, rather than talking about it here...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It's easy to be noble with other people's money. -- John McKay, _The Welfare State: No Mercy for the Middle Class_
---
4 days until The 62nd anniversary of the end of World War II
Re: Detecting short-TTL domains?
Kai Schaetzl wrote:
> SA could cache/store this. A spammer domain with low TTL will be a spammer domain the next day and the day after next day ... Maybe cache that for one day before a requery.

Yes, but this also means that it takes longer to fix false positive problems. How would one clear this out if the original problem was fixed and you wanted to receive the mail?

--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
Re: rule for empty text + GIF or PDF ?
Kai Schaetzl wrote:
> Jo Rhett wrote on Fri, 10 Aug 2007 20:30:37 -0700:
>> Thank you for the very useless reference to sa-update.
>
> Please, don't do this! You got a nice answer that exactly answered your question.

No, I didn't. I asked where a given rule was. I was given a reference to a page that described how to set up sa-update. This is exactly identical to giving someone a reference to how to program in C when they've asked a very specific question about a function. Perhaps it wasn't intended as an insult, but as an answer it's utterly worthless.

FYI I have seen several other threads with people complaining that sa-update is not providing the PDF updates, so this is apparently a common problem.

--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
Re: some of you have bad meta rules...
> On Friday 10 August 2007, Loren Wilton wrote:
>>> [10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
>>> [10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
>>> [10637] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
>>> [10637] info: rules: meta test HS_PHARMA_1 has dependency 'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
>>> [10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
>>> [10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
>>> [10637] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'X_AUTH_WARN_FAKED'
>
> I'm getting some of those too Loren, since the 3.2.3 update a couple of days ago, done by smart.

Same list here, 3.2.3 via cpan, sa-updated, sa-compiled.
Re: I think we're winning....
jdow wrote:
> This made it past my filters. But it's unreadable gibberish. I wonder why they bother.

Good point. The fact that they have to resort to gibberish, image spam, pdf spam, all of which is far harder than clicking on a link, shows we are winning. Their return in the amount of spam they send has to be rather small.
Re: rule for empty text + GIF or PDF ?
Jo Rhett wrote:
> No, I didn't. I asked where a given rule was. I was given a reference to a page that described how to set up sa-update.

That page not only described how to set up sa-update, it also described where the files were stored. Also SM included the name of the rule that was expected to catch pdf spam. Those two things were the two key pieces of information that answered the question.

> This is exactly identical to giving someone a reference to how to program in c when they've asked a very specific question about a function. Perhaps it wasn't intended as an insult, but as an answer its utterly worthless.

Many people believe that because email is ephemeral (aka the net has no memory) that it is much better to place answers in documentation pages such as on the web rather than to place answers in email. Otherwise the same answers will need to be posted again and again and any incorrect answers will remain in the archives forever possibly misleading those that look them up later. Also most people consider having documentation available to be superior to having an email archive of questions and answers. A common trend these days is to document an answer on a web page and simply refer to the web page when answering questions. This way incorrect answers can be corrected on the web page when in the future other people look up the same information. The answer you were given was following that best practice.

On the documentation page you were pointed to you must have missed this section which answers your question.

  Installed Updates

  When updates are downloaded, they are put into a directory under the local state dir (default /var/lib/spamassassin/<spamassassin version>) similar to:

    /var/lib/spamassassin
    `-- 3.001004
        |-- updates_spamassassin_org
        `-- updates_spamassassin_org.cf

  The files from the update go into updates_spamassassin_org, and the *.cf files are then included by updates_spamassassin_org.cf, which also keeps track of what update version is installed. Therefore, if it is desired to change the update directory, the .cf and the update directory will exist there.

There is the answer to your question. The files are stored in /var/lib/spamassassin under a versioned directory under the subdirectory there.

SM wrote:
> TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint

That is the key piece of information. Using 'grep' to find which file contains that rule is now trivial. On my Debian Stable Etch system running the backports spamassassin with sa-update (justifying the older version number) shows:

  grep -l -r TVD_PDF_FINGER01 /var/lib/spamassassin
  /var/lib/spamassassin/3.001007/updates_spamassassin_org/80_additional.cf

> FYI I have seen several other threads with people complaining that sa-update is not providing the PDF updates, so this is apparently a common problem.

The sa-update rules catch most of the pdf spam here but I do see a few pdf spams slip through the rules because they are not perfect. Rarely are spam rules 100% perfect and seeing some corner cases slip through is not unusual. It is a process of continual improvement.

Bob
Re: plugin to test attachments from unknown senders
On 7/14/2007 3:49 PM, Eric A. Hall wrote:
> Like other folks I've been getting hit with the PDF spam pretty hard. I think the way to solve this and the image spam in general is to do a plugin that does two things:
>
> 1) looks in the message to see if there is a binary attachment
> 2) looks in the AWL to see if the sender tuple is known
> 3) if (1==true) && (2==false) fire a score

I was able to do this with basic rules. Note the low (0.1) scores. It would be nice to use this as a DEFER check in the MTA, since resends will hit the AWL rule and get cleared.

#
# This rule looks for in-line MIME Content-Type headers of various
# types, and then looks to see if the sender tuple is already known
# to the autowhitelist system. If the message contains a binary
# attachment and the sender tuple is unknown, fire a rule that tells
# us that the message is a gift from a stranger.
#
mimeheader __L_C_TYPE_APP    Content-Type =~ /^application/i
mimeheader __L_C_TYPE_IMAGE  Content-Type =~ /^image/i
mimeheader __L_C_TYPE_AUDIO  Content-Type =~ /^audio/i
mimeheader __L_C_TYPE_VIDEO  Content-Type =~ /^video/i
mimeheader __L_C_TYPE_MODEL  Content-Type =~ /^model/i

meta     L_STRANGER_APP    (!AWL && __L_C_TYPE_APP)
score    L_STRANGER_APP    0.1
tflags   L_STRANGER_APP    noautolearn
priority L_STRANGER_APP    1001   # defer till after AWL

meta     L_STRANGER_IMAGE  (!AWL && __L_C_TYPE_IMAGE)
score    L_STRANGER_IMAGE  0.1
tflags   L_STRANGER_IMAGE  noautolearn
priority L_STRANGER_IMAGE  1001   # defer till after AWL

meta     L_STRANGER_AUDIO  (!AWL && __L_C_TYPE_AUDIO)
score    L_STRANGER_AUDIO  0.1
tflags   L_STRANGER_AUDIO  noautolearn
priority L_STRANGER_AUDIO  1001   # defer till after AWL

meta     L_STRANGER_VIDEO  (!AWL && __L_C_TYPE_VIDEO)
score    L_STRANGER_VIDEO  0.1
tflags   L_STRANGER_VIDEO  noautolearn
priority L_STRANGER_VIDEO  1001   # defer till after AWL

meta     L_STRANGER_MODEL  (!AWL && __L_C_TYPE_MODEL)
score    L_STRANGER_MODEL  0.1
tflags   L_STRANGER_MODEL  noautolearn
priority L_STRANGER_MODEL  1001   # defer till after AWL

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: PDF-Spam passing SA
I checked this email against my SA, this is what I've got:

Content analysis details:   (10.1 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
-1.8 ALL_TRUSTED               Passed through trusted hosts only via SMTP
 3.5 BAYES_99                  BODY: Bayesian spam probability is 99 to 100%
                               [score: 0.]
 0.0 DK_POLICY_SIGNSOME        Domain Keys: policy says domain signs some mails
 0.0 MIME_HTML_MOSTLY          BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE              BODY: HTML included in message
 2.2 TVD_SPACE_RATIO           BODY: TVD_SPACE_RATIO
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                               [cf: 100]
 0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]
 3.7 PYZOR_CHECK               Listed in Pyzor (http://pyzor.sf.net/)
 0.0 DIGEST_MULTIPLE           Message hits more than one network digest check

Eugene

Starckjohann, Ove wrote:
> Hi!
>
> The following PDF-Spam is passing through: http://ghds.de/20070808074441242.eml.txt
>
> System is Debian Sarge with SA 3.1.7. I'm already using: PDFInfo 0.7, 80_additional.cf
>
> Anyone scoring over 5? How to get it caught?
>
> Ove Starckjohann
Re: PDF-Spam passing SA
But funny thing, my SA can't filter PDF spam if it was sent in the regular way. I mean it passes it through without scoring it. Yours was triggered as spam when I checked it with:

spamassassin -t -D message.eml

Eugene

Starckjohann, Ove wrote:
> Hi!
>
> The following PDF-Spam is passing through: http://ghds.de/20070808074441242.eml.txt
>
> System is Debian Sarge with SA 3.1.7. I'm already using: PDFInfo 0.7, 80_additional.cf
>
> Anyone scoring over 5? How to get it caught?
>
> Ove Starckjohann
Re: PDF-Spam passing SA
Hey, Ninja, how can I be sure that my PDFInfo plugin works? When I pass it through SA it reports that it is unlikely spam:

Content analysis details:   (-0.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
 1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint
-0.9 AWL                    AWL: From: address is in the auto white-list

Eugene

Yet Another Ninja wrote:
> On 8/8/2007 10:54 AM, Starckjohann, Ove wrote:
>> Hi!
>>
>> The following PDF-Spam is passing through: http://ghds.de/20070808074441242.eml.txt
>>
>> System is Debian Sarge with SA 3.1.7. I'm already using: PDFInfo 0.7, 80_additional.cf
>>
>> Anyone scoring over 5? How to get it caught?
>
> With PDFinfo you can generate your own FUZZY values and create custom rules. See .cf file for instructions.
Re: some of you have bad meta rules...
>> Unless all of those SARE rules chain back to standard SA rules that have been removed, it may indicate that you have a higher-numbered part of one of the multi-part rule sets, and don't have the lower-numbered parts. In many cases there are base rules in the .0 or .1 files that are used by higher-numbered files in the same set.
>
> I'm getting some of those too Loren, since the 3.2.3 update a couple of days ago, done by smart.

Ok. Sounds like they removed some base rules we were depending on. Maybe time to remove those rules based on them, or recreate the base rules as our own.

Loren
Re: plugin to test attachments from unknown senders
Eric A. Hall wrote:

Don't forget the ifplugin conditions:

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __L_C_TYPE_APP Content-Type =~ /^application/i
[..]
endif

--
Matthias
Re: rule for empty text + GIF or PDF ?
Jo Rhett wrote on Sat, 11 Aug 2007 09:31:05 -0700:
> No, I didn't. I asked where a given rule was. I was given a reference to a page that described how to set up sa-update.

You were given the exact name of the rule, that reference to sa-update was an additional courtesy as it is easy to know from reading documentation or this list where the rules are stored, anyway. It would have probably answered all your remaining questions if there were any left. If you had cared to read it. If you know the name of the rule you can easily check if it's available for you or not. That was *exactly* what you wanted to know. Quoting yourself: "Where?".

> Perhaps it wasn't intended as an insult

Are you talking about your own response?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?
Leon Kolchinsky wrote on Sat, 11 Aug 2007 18:32:36 +0300:
> Should I just remove them from my local.cf before upgrade?

Run a spamassassin --lint after upgrade (which you should do always, anyway), this will bark about those scores and you can remove them. No need to check each time if they still exist.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?
Loren Wilton wrote on Sat, 11 Aug 2007 15:09:34 -0700:
> They no longer hit enough spam to be worth keeping, so they were removed. Just remove the scores when you upgrade.

and MISSING_SUBJECT LOL, there was just a whole rush of no subject spam. ;-) I noticed that because the greylist milter on one of my machines hung and all that stuff went thru. Normally, it doesn't make it thru to SA.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Detecting short-TTL domains?
Jo Rhett wrote on Sat, 11 Aug 2007 09:28:05 -0700:
> Yes, but this also means that it takes longer to fix false positive problems. How would one clear this out if the original problem was fixed and you wanted to receive the mail?

By using some whitelist for legit low-ttl domains.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Detecting short-TTL domains?
Kai Schaetzl wrote:
> Jo Rhett wrote:
>> Yes, but this also means that it takes longer to fix false positive problems. How would one clear this out if the original problem was fixed and you wanted to receive the mail?
>
> By using some whitelist for legit low-ttl domains.

I think it is a bad idea to use low-TTL values as more than a minor spamsign. There is nothing overtly improper about it and there are often times when a low TTL dns record is just the right thing to do, such as when planning an IP move for a server. That should not cause mail to be tagged as spam in those cases.

While it may be that there is some correlation to some spammers using low TTL servers it is also true that good spam filtering has always been about reducing false negatives. A false negative is much worse than a false positive. Using low TTL dns records, a perfectly valid configuration, as a strong spam indication will cause false negatives, which creates a cascade failure which is much worse than the original problem.

Trying to create workarounds such as maintaining whitelists for noted servers is going about this the wrong way. It is perfectly valid to do and so this would legitimately need to list all possible servers. In fact a small time operator who is setting up and planning moves would most likely be using low TTL values and would be unlikely to be in random whitelists.

Bob
Re: Detecting short-TTL domains?
Kai Schaetzl wrote:
> Jo Rhett wrote on Sat, 11 Aug 2007 09:28:05 -0700:
>> Yes, but this also means that it takes longer to fix false positive problems. How would one clear this out if the original problem was fixed and you wanted to receive the mail?
>
> By using some whitelist for legit low-ttl domains.

It would all be easier if there was just an open-content version of the various sender reputation databases (like various anti-spam appliances use). You could have things like low TTL, and how long it has been low, etc., all factor in to a given IP address's reputation. Which would be MUCH more useful than the traditional binary RBL type blacklist (reputation systems usually give a range, such as Ironport's -10 (very bad) to +10 (very good), and you pick where in that range you want to block messages).
Re: Detecting short-TTL domains?
On Sat, 11 Aug 2007, Bob Proulx wrote:
> I think it is a bad idea to use low-TTL values as more than a minor spamsign. There is nothing overtly improper about it and there are often times when a low TTL dns record is just the right thing to do, such as when planning an IP move for a server. That should not cause mail to be tagged as spam in those cases.

I think there was some consensus about using that in concert with an excessive number of A records as a spam sign. Check the thread history. I don't think anyone is suggesting by itself it's a useful indicator.

> While it may be that there is some correlation to some spammers using low TTL servers it is also true that good spam filtering has always been about reducing false negatives. A false negative is much worse than a false positive. Using low TTL dns records, a perfectly valid configuration, as a strong spam indication will cause false negatives, which creates a cascade failure which is much worse than the original problem.

er... I think your logic is off 180 degrees there. Isn't a FP much worse than a FN? (not that it invalidates your point.)

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
To prevent conflict and violence from undermining development, effective disarmament programmes are vital... -- the UN, who doesn't want to confiscate guns
---
4 days until The 62nd anniversary of the end of World War II
Re: Detecting short-TTL domains?
Offhand I would suspect a very low (10 minute for example) TTL would be worth a detection and a rule of some sort. It is certainly not a slam dunk. But it is something that is likely to be more common in spam than in ham. Were I working a largish outfit as opposed to a small two person 2 dozen computer setup I'd certainly add it as a scoring tool to reject mail in the MTA.

{^_^}

----- Original Message -----
From: Stream Service || Mark Scholten [EMAIL PROTECTED]

> As far as I know it isn't possible to have a TTL that is too low (if I may believe the RFC files). It is also impossible to have too many A-records. With both facts in mind I would suggest that you find another method of detecting SPAM.
>
> With kind regards, Met vriendelijke groet,
>
> ----- Original Message -----
> From: clsgis [EMAIL PROTECTED]
> To: users@spamassassin.apache.org
> Sent: Friday, August 10, 2007 4:34 PM
> Subject: Detecting short-TTL domains?
>
>> We're seeing URIs in spam whose domains have between a dozen and three dozen Address records, with time-to-live TTLs less than ten minutes. Is there a test for too many Address records? What's its name? Is there a test for too-short TTLs?
>>
>> --
>> View this message in context: http://www.nabble.com/Detecting-short-TTL-domains--tf4249063.html#a12092425
>> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
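The heuristic the thread converges on (many A records *combined* with a TTL under ten minutes, with a whitelist for domains that legitimately use low TTLs, as Kai suggested earlier in the thread) is easy to sketch as scoring logic. The following is an added Python example written for this page; it is not SpamAssassin code and not anything posted by the participants. The DNS answers are constructed in-line (`SAMPLE_ANSWERS`) so it runs offline; a real filter would substitute resolver lookups. The thresholds (`LOW_TTL_SECONDS`, `MANY_A_RECORDS`) follow the numbers in the original question, and the score values (2.0 for the combination, 0.1 for either signal alone) are assumptions chosen to reflect the "minor spamsign by itself" consensus, not official rule scores.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample DNS answers (not live lookups): domain -> [(address, ttl_seconds), ...]
# The shapes mirror the thread: "a dozen to three dozen A records with TTLs under ten minutes".
SAMPLE_ANSWERS: Dict[str, List[Tuple[str, int]]] = {
    # 24 addresses, 5-minute TTL: the pattern the original question describes
    "fastflux.example": [("203.0.113.%d" % i, 300) for i in range(1, 25)],
    # single address with a low TTL, e.g. a server about to be moved
    "moving-soon.example": [("198.51.100.10", 120)],
    # many addresses but a day-long TTL, e.g. a large round-robin pool
    "bigpool.example": [("192.0.2.%d" % i, 86400) for i in range(1, 16)],
    # an ordinary domain
    "ordinary.example": [("198.51.100.20", 3600)],
}

LOW_TTL_SECONDS = 600   # "less than ten minutes" (from the question)
MANY_A_RECORDS = 12     # "between a dozen and three dozen" (from the question)

# Whitelist of domains known to use low TTLs legitimately (assumed entry for the sample).
LOW_TTL_WHITELIST: Set[str] = {"moving-soon.example"}

# Hostname part of http/https URIs found in a message body.
URI_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class DomainVerdict:
    domain: str
    a_count: int
    min_ttl: int        # -1 when the domain returned no A records
    low_ttl: bool
    many_a: bool
    score: float        # contribution to the message score (assumed values)


def analyse_domain(domain: str,
                   answers: Dict[str, List[Tuple[str, int]]] = SAMPLE_ANSWERS,
                   whitelist: Set[str] = LOW_TTL_WHITELIST) -> DomainVerdict:
    """Score one URI domain on its A-record count and lowest TTL.

    Only the combination (many records AND low TTL) counts as a real spam sign;
    either signal alone gets a token score, as the thread recommends.
    """
    name = domain.lower()
    records = answers.get(name, [])
    a_count = len(records)
    min_ttl = min((ttl for _, ttl in records), default=-1)
    low_ttl = 0 <= min_ttl < LOW_TTL_SECONDS and name not in whitelist
    many_a = a_count >= MANY_A_RECORDS
    if low_ttl and many_a:
        score = 2.0
    elif low_ttl or many_a:
        score = 0.1
    else:
        score = 0.0
    return DomainVerdict(name, a_count, min_ttl, low_ttl, many_a, score)


def scan_body(body: str,
              answers: Dict[str, List[Tuple[str, int]]] = SAMPLE_ANSWERS,
              whitelist: Set[str] = LOW_TTL_WHITELIST) -> Tuple[float, List[DomainVerdict]]:
    """Find URI hosts in a message body; return (highest score, per-domain verdicts)."""
    hosts = sorted({m.group(1).lower() for m in URI_HOST_RE.finditer(body)})
    verdicts = [analyse_domain(h, answers, whitelist) for h in hosts]
    return max((v.score for v in verdicts), default=0.0), verdicts


if __name__ == "__main__":
    # Constructed message body containing one suspicious and one ordinary link.
    body = "Click http://fastflux.example/offer or see http://ordinary.example/info"
    total, verdicts = scan_body(body)
    for v in verdicts:
        print(v)
    print("score contribution:", total)
```

Running the block prints one verdict per domain found in the constructed body; `fastflux.example` trips both signals and contributes 2.0, while the whitelisted `moving-soon.example` would contribute nothing despite its 120-second TTL. Taking the maximum rather than the sum across domains keeps a message with many ordinary links from accumulating a score from the token 0.1 alone.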
Re: I think we're winning....
From: Marc Perkel [EMAIL PROTECTED]
> jdow wrote:
>> This made it past my filters. But it's unreadable gibberish. I wonder why they bother.
>
> Good point. The fact that they have to resort to gibberish, image spam, pdf spam all of which is far harder than clicking on a link shows we are winning. Their return in the amount of spam they send has to be rather small.

At least SOMEBODY got my point. I was laughing at the silly thing.

{^_^}
Re: Detecting short-TTL domains?
John D. Hardin wrote:
> Bob Proulx wrote:
>> I think it is a bad idea to use low-TTL values as more than a minor spamsign. There is nothing overtly improper about it and there are often times when a low TTL dns record is just the right thing to do, such as when planning an IP move for a server. That should not cause mail to be tagged as spam in those cases.
>
> I think there was some consensus about using that in concert with an excessive number of A records as a spam sign. Check the thread history. I don't think anyone is suggesting by itself it's a useful indicator.

The thread has wandered around a bit and I admit to have been lost in the discussion. I was not paying it detailed attention because, well, because I think it is going to cause trouble.

>> While it may be that there is some correlation to some spammers using low TTL servers it is also true that good spam filtering has always been about reducing false negatives. A false negative is much worse than a false positive. Using low TTL dns records, a perfectly valid configuration, as a strong spam indication will cause false negatives, which creates a cascade failure which is much worse than the original problem.
>
> er... I think your logic is off 180 degrees there. Isn't a FP much worse than a FN? (not that it invalidates your point.)

You are right. I have my names reversed. Sorry about that. Glad you were able to figure out my meaning anyway. :-)

Bob
Re: rule for empty text + GIF or PDF ?
On Saturday 11 August 2007, Bob Proulx wrote:
> Jo Rhett wrote:
>> No, I didn't. I asked where a given rule was. I was given a reference to a page that described how to set up sa-update.
>
> That page not only described how to set up sa-update it also described where the files were stored. Also SM included the name of the rule that was expected to catch pdf spam. Those two things were the two key pieces of information that answered the question.
>
>> This is exactly identical to giving someone a reference to how to program in c when they've asked a very specific question about a function. Perhaps it wasn't intended as an insult, but as an answer it's utterly worthless.
>
> Many people believe that because email is ephemeral (aka the net has no memory) that it is much better to place answers in documentation pages such as on the web rather than to place answers in email. Otherwise the same answers will need to be posted again and again and any incorrect answers will remain in the archives forever possibly misleading those that look them up later. Also most people consider having documentation available to be superior to having an email archive of questions and answers.
>
> A common trend these days is to document an answer on a web page and simply refer to the web page when answering questions. This way incorrect answers can be corrected on the web page when in the future other people look up the same information. The answer you were given was following that best practice.
>
> On the documentation page you were pointed to you must have missed this section which answers your question.
>
>   Installed Updates
>
>   When updates are downloaded, they are put into a directory under the local state dir (default /var/lib/spamassassin/spamassassin version) similar to:
>
>     /var/lib/spamassassin
>     `-- 3.001004
>         |-- updates_spamassassin_org
>         `-- updates_spamassassin_org.cf
>
>   The files from the update go into updates_spamassassin_org, and the *.cf files are then included by updates_spamassassin_org.cf, which also keeps track of what update version is installed. Therefore, if it is desired to change the update directory, the .cf and the update directory will exist there.
>
> There is the answer to your question. The files are stored in /var/lib/spamassassin under a versioned directory under the subdirectory there.
>
> SM wrote:
>> TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
>
> That is the key piece of information. Using 'grep' to find which file contains that rule is now trivial. On my Debian Stable Etch system running the backports spamassassin with sa-update (justifying the older version number) shows:
>
>   grep -l -r TVD_PDF_FINGER01 /var/lib/spamassassin
>   /var/lib/spamassassin/3.001007/updates_spamassassin_org/80_additional.cf
>
> FYI I have seen several other threads with people complaining that sa-update is not providing the PDF updates, so this is apparently a common problem. The sa-update rules catch most of the pdf spam here but I do see a few pdf spams slip through the rules because they are not perfect. Rarely are spam rules 100% perfect and seeing some corner cases slip through is not unusual. It is a process of continual improvement.
>
> Bob

We're missing the point here Bob, so let me repeat myself, or re-word it:

1: sa-update is NOT pulling new PDFInfo.pm or pdfinfo.cf files even when they are available.

2: spamassassin --lint -D ignores these rules when we install them by hand.

Ergo, we are pretty well convinced it's not working.

Grepping our logs for mentions gets me this, and that log is for the last week:

[EMAIL PROTECTED] ~]# grep PDFInfo /var/log/maillog
Aug 8 11:02:34 coyote spamd[557]: Use of uninitialized value in pattern match (m//) at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/PDFInfo.pm line 329.

The only error all week, and spamassassin --lint -D didn't report it. It looks like a typo to me but then I'm a perl dummy. Or maybe just a dummy.

Now is the question sufficiently illuminated? Thanks for any clues thrown our way, we seem to not have any.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
Make a wish, it might come true.