RE: MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?

2007-08-12 Thread Leon Kolchinsky
> They no longer hit enough spam to be worth keeping, so they were removed.
> Just remove the scores when you upgrade.
> 
> Loren

Thanks,

I've suspected that :)


Leon
 



Re: MS outlook can't read parsed email... HELP!!

2007-08-12 Thread Nigel Frankcom
On Sun, 12 Aug 2007 21:52:28 -0700, Evan Platt
<[EMAIL PROTECTED]> wrote:

>At 08:19 PM 8/12/2007, lynk wrote:
>
>>I'm totally confused re this spamassassin thingy... i can't seem to get MS
>>outlook to read the email i received (spam/ham) after spamassassin(3.1.9)
>>scanned the message.
>
>You posted this 2 days ago. If no one answers again, I have two suggestions:
>
>First would be ask in a Outlook / Microsoft forum. Perhaps not a lot 
>of people here use OutHouse / Outhouse Distress.
>
>>View this message in context: 
>>http://www.nabble.com/MS-outlook-can%27t-read-parsed-email...-HELP%21%21-tf4247467.html#a12087709
>>Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>Second would be ditch Nabble. Nabble is simply a web based forum 
>that's a link to a e-mail group -
>[EMAIL PROTECTED]
>
>I for one am close to killfiling any posts from them, so I'm sure 
>others perhaps already are. 

For what it's worth a colleague of mine is throwing many curses at the
spamc component for SA. His comments are not repeatable in polite
company. Some of *his* problems stem from the way the spamc connector
is written... Below is an extract of the irc rant he had on the
subject

[20:24]  damn it
[20:25]  the exchange plugin is adding 3 CR's
[20:25]  hmm
[20:52]  sa 3.2.3 is out
[21:13]  Grr.
[21:14]  I think I'm going to replace the exchange spamc
junk with what I know works
[21:14]  mtsmilter code

[20:35]  man, who ever wrote this ExchangeSpamC NEVER use
option explicit, therefore almost all of his vars (that he didn't
copy/paste from) weren't dimensioned
[21:31]  seems to be sorted now :-D
[21:31]  converted my old code to the new code
[21:44]  PITA, cause it was adding CR's to messages, namely
3 mroe
[21:44]  more
[21:44]  but outlook and OWA displayed the messages OK, but
blackberries didn't
[21:45]  I figured out why, he blindly replaced CR's with
CRLF's then replaced LF's with CRLF's
[21:45]  then for good measure
[21:45]  before writing back to exchange, replaced Cr's
again with CrLF's

I have no idea if this is related to your problem, what I can say is
that many of my users use Outlook and they have had no issues (that
said, I don't use Exchange).

It may be worth your while upgrading to a later version of SA (3.2.3)
and seeing if that helps at all. Also take SA back to absolute bare
bones, read all the docs carefully and see how far you get before
problems start to appear/reappear.

As the man says, talk to the OL people, see if they have any helpful
input (I wouldn't hold your breath on that one).

Check your logs, see what info is being posted there for any clues.
Apologies if this is teaching you to suck eggs but I'm of the opinion
it's best to start with the obvious and simple and work up from there.

Just my 2p worth.

KR

Nigel


Re: MS outlook can't read parsed email... HELP!!

2007-08-12 Thread Evan Platt

At 08:19 PM 8/12/2007, lynk wrote:

>I'm totally confused re this spamassassin thingy... i can't seem to get MS
>outlook to read the email i received (spam/ham) after spamassassin(3.1.9)
>scanned the message.

You posted this 2 days ago. If no one answers again, I have two suggestions:

First would be ask in an Outlook / Microsoft forum. Perhaps not a lot 
of people here use OutHouse / Outhouse Distress.

>View this message in context: 
>http://www.nabble.com/MS-outlook-can%27t-read-parsed-email...-HELP%21%21-tf4247467.html#a12087709
>Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Second would be ditch Nabble. Nabble is simply a web based forum 
that's a link to an e-mail group -
[EMAIL PROTECTED]

I for one am close to killfiling any posts from them, so I'm sure 
others perhaps already are. 



rewrite_header To not work for collect spam mail to one account

2007-08-12 Thread tangaish.en
hi, everyone!

I want to use "rewrite_header To" to rewrite the spam mail "rcpt to:" address
to one account named "[EMAIL PROTECTED]". I know there's private problem,
but the mail box is for business use only, the user ask
administrator(me) to pick up normal mail from spam mark mails, I really
hate this work :-(

I add a line in my config file local.cf :

rewrite_header Subject [SPAM]
rewrite_header To [EMAIL PROTECTED]


It does not work.

Or I change it to:
rewrite_header To <[EMAIL PROTECTED]>

It does not work either.

How can I rewrite the "rcpt to:" address to the [EMAIL PROTECTED]?


So lets change it to "sa-update doesn't"

2007-08-12 Thread Gene Heskett
On Sunday 12 August 2007, Kai Schaetzl wrote:
>Gene Heskett wrote on Sat, 11 Aug 2007 23:43:38 -0400:
>> 1: sa-update is NOT pulling new PDFInfo.pm or pdfinfo.cf files even when
>> they are available.
>
>of course not!
>
And why not?  They've been announced as available, so one would assume a 
simple run of sa-update would pull them.

>> 2: spamassassin --lint -D ignores these rules when we install them by
>> hand.
>
>which means you probably haven't installed PDFInfo correctly?
[EMAIL PROTECTED] rulesdujour]# ls -l `locate PDFInfo.pm`
-rw-r--r-- 1 root root 23475 Aug 11 05:38 /etc/mail/spamassassin/RulesDuJour/PDFInfo.pm
-rw-r--r-- 1 root root 23475 Aug 11 05:40 /etc/rulesdujour/PDFInfo.pm
-rw-r--r-- 1 root root 23475 Aug 11 05:41 /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/PDFInfo.pm

[EMAIL PROTECTED] rulesdujour]# ls -l `locate pdfinfo.cf`
-rw-r--r-- 1 root root 19863 Aug 11 05:42 /etc/mail/spamassassin/pdfinfo.cf
-rw-r--r-- 1 root root 19863 Aug 11 05:39 /etc/mail/spamassassin/RulesDuJour/pdfinfo.cf
-rw-r--r-- 1 root root 19863 Aug 11 05:41 /etc/rulesdujour/pdfinfo.cf
-rw-r--r-- 1 root root 19863 Aug 11 05:42 /var/lib/spamassassin/3.002001/saupdates_openprotect_com/pdfinfo.cf

>> Now is the question sufficiently illuminated?
>
>Not at all. This is your first posting in this thread. This thread is about
>"rule for empty text + GIF or PDF". Your posting is about "how do I install
> or make use of PDFInfo". So, please go ahead and post a new thread and
> include all the information that is necessary for others to help you. If
> you did that already elsewhere, then please keep going there. But please
> don't hijack threads with completely different topics and pretend it fits.
>
>Kai

I'm not sure, playing this back in my memory, how it got into this thread, so 
my apologies.  I've made at least 2 other posts about this, both of which 
were ignored except for Loren's ack on one of them when I confirmed the --lint 
errors someone else had reported.

So what file do we add something to, to enable this, and what do we add to it?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
You will be awarded the Nobel Peace Prize... posthumously.


Re: SA rule for userid in subject?

2007-08-12 Thread Loren Wilton

> I was wondering how to modify Loren's rule for the following type of emails
> which I have been getting a lot of:
>
> In the subject I get: "some word[s]-userid" or  "some word[s]-some
> word[s]-userid"


You aren't too specific about the subject form, and you aren't specific 
about the To: form.  That leaves lots of room to guess and get things wrong. 
I'm guessing these aren't the fake forwards that were causing the OP 
problems.


You could try something like the following.  It is UNTESTED and may not 
work.


header RULE_NAME ALL =~ /\nTo:[EMAIL PROTECTED]<]([^\@>\n]+).+\nSubject:\s[^\n]{0,30}\b\1\b/i


   Loren




>
>   Loren answered that a month ago. Is in the archives. You may use:
>
> header RULE_NAME ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw: .{0,30}\s*\1\b/i
>
>   That covers "Fw: userid" and "Fw: (some word[s]) userid".
>



--
View this message in context: 
http://www.nabble.com/SA-rule-for-userid-in-subject--tf1261071.html#a12119080
Sent from the SpamAssassin - Users mailing list archive at Nabble.com. 





userid in subject

2007-08-12 Thread jeffsal

I was wondering how to modify Loren's rule for the following type of emails
which I have been getting a lot of: 

In the subject I get: "some word[s]-userid" or  "some word[s]-some
word[s]-userid" 

> > 
> >   Loren answered that a month ago. Is in the archives. You may use: 
> > 
> > header RULE_NAME ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw: .{0,30}\s*\1\b/i
> > 
> >   That covers "Fw: userid" and "Fw: (some word[s]) userid". 

-- 
View this message in context: 
http://www.nabble.com/userid-in-subject-tf4258508.html#a12119138
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Dns Resolver problem

2007-08-12 Thread Pawel Sasin
> > I want to be able to make SA rotate DNS servers.
>
> Apparently that is a limitation of Net::DNS. There was some
> discussion of it on-list a few weeks back; I don't clearly remember the 
> details.
>
> You might want check the current status of Net::DNS w/r/t fallback,
> rotation, etc., and work with the developers of that package, rather
> than talking about it here...

Isn't SA using its own resolver class (DnsResolver) for performing background 
queries? DnsResolver seems to work like this:
- create a Net::DNS::Resolver instance
- get the Net::DNS::Resolver nameserver list
- use the first entry in the above list, create a socket to the nameserver
- craft some Net::DNS::Packets and flush them through the socket to the 
nameserver
- from time to time poll_responses() on the socket, and when sth comes in use 
the Net::DNS::Resolver bgread() to get the response packet
- trigger a callback function for associated query

If this is true then I think I've asked the right people for help. Correct me 
if I'm wrong.

-- 
Pawel Sasin

WIRTUALNA  POLSKA  SA, ul. Traugutta 115c, 80-226 Gdansk; NIP: 957-07-51-216; 
Sad Rejonowy Gdansk-Polnoc KRS 068548, kapital zakladowy 62.880.024 zlotych 
(w calosci wplacony)


Re: Detecting short-TTL domains?

2007-08-12 Thread Steve Freegard

[ repost: obfuscating domains to avoid the apache.org SMTP filter... ]

Hi John,

John Rudd wrote:


> I'm a prophet now!?
>
> :-)
>
> Hm.  So, I'm sure I can figure this out eventually, but does anyone know 
> the right Net::DNS way to extract the TTL?
>
> I could probably set it up as a value in Botnet.cf, where the default is 
> 0 (disabled), but other values will trigger some rule's score if it's 
> less than the number that was set.
>
> And, it shouldn't be too hard for me to write a test for number of A 
> records returned by a domain.
>
> I probably won't make them part of the BOTNET rule, but make them 
> separate BOTNET_* rules (BOTNET_TTL and BOTNET_NUM_ARECS ?).


A better and more reliable way than simply looking at the TTL is to
count the number of A and NS records returned for the URI.  Based on the
Honeynet paper and my testing you'll always see a number of these
(usually >=4) for example:

[EMAIL PROTECTED] ~]# host khk15tr30ib5tl . afstrikesbut . com
khk15tr30ib5tl . afstrikesbut . com is an alias for afstrikesbut . com .
afstrikesbut . com has address 220 . 84 . 183 . 184
afstrikesbut . com has address 71 . 239 . 64 . 172
afstrikesbut . com has address 74 . 213 . 64. 116
afstrikesbut . com has address 86 . 49 . 102 . 161
afstrikesbut . com has address 89 . 176 . 134 . 27
afstrikesbut . com has address 203 . 81 . 193 . 254
afstrikesbut . com has address 203 . 203 . 118 . 48
afstrikesbut . com has address 217 . 70 . 53 . 126

Then lookup the PTR records and you can check them against the
CLIENTWORDS list:

[EMAIL PROTECTED] ~]# host 203 . 81 . 193 . 254
Host 254 . 193 . 81 . 203 . in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] ~]# host 203 . 203 . 118 . 48
48 . 118 . 203 . 203 . in-addr.arpa domain name pointer
203-203-118-48. cable .dynamic .giga .net .tw.
[EMAIL PROTECTED] ~]# host 217 . 70 . 53 . 126
126 . 53 . 70 . 217 .in-addr.arpa domain name pointer g126 . zicom . pl.
[EMAIL PROTECTED] ~]# host 220 . 84 . 183 . 184
Host 184 . 183 . 84 . 220.in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] ~]# host 71 . 239 . 64 . 172
Host 172 . 64 . 239 . 71.in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] ~]# host 71 . 213 . 64 . 116
116 . 64 . 213 . 71.in-addr.arpa domain name pointer 71-213-64-116 .slkc
. qwest . net.
[EMAIL PROTECTED] ~]# host 89 . 176 . 134 . 27
27 . 134 . 176 . 89.in-addr.arpa domain name pointer rb5g27 .net .upc .cz.

And/or Spamhaus Zen:

[EMAIL PROTECTED] ~]# host 126 . 53 . 70 . 217.zen.spamhaus.org
126 . 53 . 70 . 217.zen.spamhaus.org has address 127.0.0.4

Same with the NS records:

ns1. hardtomakeforliving . com. 13727 IN   A   62 .129.34.86
ns2. hardtomakeforliving . com. 13727 IN   A   89 .103.117.20
ns3. hardtomakeforliving . com. 13727 IN   A   200 .147.164.37
ns4. hardtomakeforliving . com. 13727 IN   A   151 .118.144.136
ns5. hardtomakeforliving . com. 75945 IN   A   89 .229.248.242

[EMAIL PROTECTED] ~]# host 62 .129.34.86
86 .34.129.62.in-addr.arpa domain name pointer 1048650326 .ip2long. net.
[EMAIL PROTECTED] ~]# host 89 .103.117.20
20 .117.103.89.in-addr.arpa domain name pointer ip-89-103-117-20.
karneval.cz.
[EMAIL PROTECTED] ~]# host 200 .147.164.37
Host 37 .164.147.200.in-addr.arpa not found: 3(NXDOMAIN)
[EMAIL PROTECTED] ~]# host 151 .118.144.136
136.144.118.151.in-addr.arpa domain name pointer
VDSL-151-118-144-136. DNVR. QWEST. NET.
[EMAIL PROTECTED] ~]# host 89 .229.248.242
242.248.229.89.in-addr.arpa domain name pointer
host-89-229-248-242. grudziadz .mm. pl.

I've been doing this for a bit in some software that I have been working
on and it seems to work quite well.

Kind regards,
Steve.
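
The checks described in this post, as an added example that is not part of the original message or of the Botnet plugin: a shell script that counts A and NS address records, finds the lowest TTL and matches PTR names against a client-word list. The sample resolver output, the word list standing in for CLIENTWORDS and the 300-second TTL limit are all constructed for this example.

```shell
#!/bin/sh
# Added example: tally the fast-flux signs discussed in this thread from
# captured resolver output. Every name and address below is constructed
# (.test/.example names, RFC 5737 documentation addresses).

MIN_RECORDS=4   # "usually >=4" in the post
TTL_LIMIT=300   # assumption; 0 disables the TTL check, as proposed for Botnet.cf
# Assumption: stand-in for the CLIENTWORDS list, which the post does not show.
CLIENT_WORDS='dynamic|cable|dsl|dhcp|pool|ppp|dial'

# Constructed `host` output for a hostname taken from a URI.
SAMPLE_FORWARD='abc123.flux.example.test is an alias for flux.example.test.
flux.example.test has address 192.0.2.10
flux.example.test has address 198.51.100.23
flux.example.test has address 203.0.113.48
flux.example.test has address 198.51.100.77
flux.example.test has address 192.0.2.200'

# Constructed nameserver address records: name TTL class type rdata.
SAMPLE_NS='ns1.flux.example.test. 180 IN A 192.0.2.33
ns2.flux.example.test. 180 IN A 198.51.100.90
ns3.flux.example.test. 300 IN A 203.0.113.7
ns4.flux.example.test. 180 IN A 198.51.100.141'

# Constructed `host` output for the reverse lookups of the A records.
SAMPLE_REVERSE='10.2.0.192.in-addr.arpa domain name pointer 192-0-2-10.cable.dynamic.isp.example.
Host 23.100.51.198.in-addr.arpa not found: 3(NXDOMAIN)
48.113.0.203.in-addr.arpa domain name pointer host48.dsl.isp.example.
77.100.51.198.in-addr.arpa domain name pointer mail.corp.example.
Host 200.2.0.192.in-addr.arpa not found: 3(NXDOMAIN)'

# Distinct addresses in `host` output.
count_host_addresses() {
    printf '%s\n' "$1" | awk '/ has address /{print $NF}' |
        sort -u | wc -l | tr -d ' '
}

# Distinct addresses in "name TTL IN A addr" lines.
count_dig_addresses() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" {print $5}' |
        sort -u | wc -l | tr -d ' '
}

# Lowest TTL among "name TTL IN A addr" lines, or "none" without any.
min_ttl() {
    printf '%s\n' "$1" | awk '
        $3 == "IN" && $4 == "A" {
            t = $2 + 0
            if (!seen || t < min) { min = t; seen = 1 }
        }
        END { if (seen) print min; else print "none" }'
}

# PTR names that contain a client word delimited by non-letters.
# grep -c exits 1 on a zero count, hence the "|| true".
count_client_ptrs() {
    printf '%s\n' "$1" |
        awk '/ domain name pointer /{print tolower($NF)}' |
        grep -Ec "(^|[^a-z])($CLIENT_WORDS)([^a-z]|\$)" || true
}

# Print one line per sign present; print nothing for a clean result.
# Args: forward `host` output, NS address records, reverse `host` output.
flux_signs() {
    fs_a=$(count_host_addresses "$1")
    fs_ns=$(count_dig_addresses "$2")
    fs_ttl=$(min_ttl "$2")
    fs_ptr=$(count_client_ptrs "$3")
    if [ "$fs_a" -ge "$MIN_RECORDS" ]; then echo "MANY_A($fs_a)"; fi
    if [ "$fs_ns" -ge "$MIN_RECORDS" ]; then echo "MANY_NS($fs_ns)"; fi
    if [ "$TTL_LIMIT" -gt 0 ] && [ "$fs_ttl" != none ] &&
       [ "$fs_ttl" -lt "$TTL_LIMIT" ]; then
        echo "SHORT_TTL($fs_ttl)"
    fi
    if [ "$fs_ptr" -gt 0 ]; then echo "CLIENT_PTR($fs_ptr)"; fi
    return 0
}

flux_signs "$SAMPLE_FORWARD" "$SAMPLE_NS" "$SAMPLE_REVERSE"
```

Each sign is meant to feed a score alongside the others, in line with the thread's point that no single criterion should decide on its own.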


Re: SOLVED: How can I write my own plugins?

2007-08-12 Thread Paul Lenz
"John D. Hardin" <[EMAIL PROTECTED]> wrote:

> > After "chmod 777" the logfile, 
> 
> Bad practice. 

I know. I did this only to make the logfile working
for a short time. Since I know that my plugin works, 
I deleted the logfile.

Paul Lenz




Re: SOLVED: How can I write my own plugins?

2007-08-12 Thread John D. Hardin
On Sun, 12 Aug 2007, Paul Lenz wrote:

> After "chmod 777" the logfile, 

Bad practice. Bad practice. Please don't develop the habit of 
reflexively "chmod 777"ing things. I dealt with that from my firm's 
support department for five years and I still have the twitch.

(1) It completely turns off security.

(2) It marks as executable a file that is not executable.

If you need a specific user to read that file, then change the
ownership of that file to that user and "chmod u+r" it. If you need it
to be readable but not writable by a subset of your users, then change
the group and "chmod g=r" it; or "chmod +r" it if you don't care who 
reads it.

But you will eventually regret developing the habit of hitting files
with "chmod 777" when they don't cooperate.

This hot-button moment brought to you by the letter "Q".

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It's easy to be noble with other people's money.
   -- John McKay, _The Welfare State:
  No Mercy for the Middle Class_
---
 3 days until The 62nd anniversary of the end of World War II
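
The alternative to "chmod 777" described in this message, as an added example that is not part of the original post: reset the log file to owner-only, then grant read access to exactly one class of reader, with a check for the two problems listed above. The scratch file and the function names are constructed for this example; the chown step is only noted in a comment because it needs root and a site-specific account name.

```shell
#!/bin/sh
# Added example: replace a reflexive "chmod 777" on a plugin log file with
# the narrowest grant that works. The scratch file is constructed.

# Print the 10-character mode string of FILE, e.g. -rw-r-----
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print one finding per line for the two problems named in the post;
# print nothing when the file has neither.
audit_mode() {
    if [ -n "$(find "$1" -prune -perm -002)" ]; then
        echo "world-writable"
    fi
    if [ -n "$(find "$1" -prune -type f \
            \( -perm -100 -o -perm -010 -o -perm -001 \))" ]; then
        echo "marked-executable"
    fi
    return 0
}

# Reset FILE to owner read/write only, then open it up for one class of
# reader: owner, group or all.
# As root you would first chown FILE to the account that has to use it;
# that account name is site-specific and not given in the thread.
grant_read() {
    chmod u=rw,go= "$1" || return 1
    case "$2" in
        owner) ;;                  # u+r is already in place
        group) chmod g=r "$1" ;;   # readable but not writable by the group
        all)   chmod a+r "$1" ;;   # a+r: unlike a bare +r, not limited by umask
        *)     echo "usage: grant_read FILE owner|group|all" >&2
               return 2 ;;
    esac
}

# Constructed demonstration: a scratch log file that was hit with 777.
demo() {
    demo_log=$(mktemp) || return 1
    chmod 777 "$demo_log"
    echo "before: $(mode_of "$demo_log") $(audit_mode "$demo_log" | tr '\n' ' ')"
    grant_read "$demo_log" group
    echo "after:  $(mode_of "$demo_log") $(audit_mode "$demo_log" | tr '\n' ' ')"
    rm -f "$demo_log"
}

demo
```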



Re: Detecting short-TTL domains?

2007-08-12 Thread Jeff Chan
Quoting Kai Schaetzl <[EMAIL PROTECTED]>:

> Thomas Raef wrote on Sun, 12 Aug 2007 06:19:43 -0500:
>
> > a dnsbl is the way to go.
>
> On first look I disagree. We already have SURBL and URIBL. I don't see how
> this would add any benefit on top of that. We are talking about URI's in
> mail, not about hostnames of mailservers or email addresses. The only
> occasion where looking at the TTL (and whatever else in conjunction) is of
> benefit is when the URI *is not yet* on an RBL. In that case you can use
> those deviations from the norm as a spam indicator. Nothing more, nothing
> less. That also means that if the URI is found on SURBL/URIBL you don't
> have to do the TTL lookup which helps reducing the query load.

One answer is for URI blacklists to catch more of the fast flux domains sooner. 
SURBL gets some now, and we are looking to get more.  The factors Thomas
mentions are some good ones to look for.

In principle SpamAssassin could also independently look for factors like these,
particularly for URI domains not already blacklisted as Kai suggests, but I'd
argue the overall function of finding these domains is better-suited to a
blacklist.  Anyway, it's something we are working on.

Cheers,

Jeff C.


RE: Detecting short-TTL domains?

2007-08-12 Thread Thomas Raef
Yes you are correct. I got so focused on the improper identification of 
fast-flux that I lost sight of the details.

I stand, maybe not corrected, but at least with a broader understanding of the 
real issue.

There must be some way of better identifying these domains in a URI.

Thank you for pointing out my misconception. I always appreciate being 
corrected - really I do.


-Original Message-
From: Kai Schaetzl [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 12, 2007 7:31 AM
To: users@spamassassin.apache.org
Subject: Re: Detecting short-TTL domains?

Thomas Raef wrote on Sun, 12 Aug 2007 06:19:43 -0500:

> a dnsbl is the way to go.

On first look I disagree. We already have SURBL and URIBL. I don't see how 
this would add any benefit on top of that. We are talking about URI's in 
mail, not about hostnames of mailservers or email addresses. The only 
occasion where looking at the TTL (and whatever else in conjunction) is of 
benefit is when the URI *is not yet* on an RBL. In that case you can use 
those deviations from the norm as a spam indicator. Nothing more, nothing 
less. That also means that if the URI is found on SURBL/URIBL you don't 
have to do the TTL lookup which helps reducing the query load.

> I believe that not checking for everyone of these will lead to erroneous
> domains being blocked.

Why should that be the case? SA is all about storing. So, even if you add 
a score of 1.0 to *each* low-TTL domain any "normal" ham will just bypass 
that. You do not ever *block* by this single criterion!

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Detecting short-TTL domains?

2007-08-12 Thread Kai Schaetzl
Kai Schaetzl wrote on Sun, 12 Aug 2007 14:31:15 +0200:

> SA is all about storing

SA is all about *scoring*

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





I send 5 million spams a day

2007-08-12 Thread Marc Perkel
But I send them to people who are building public blocklists. I've 
expanded my delivery system so I can keep up with the load. If anyone 
out there is running a public black lists and wants a free feed contact 
me privately and I'll set it up.


I have 2 main feeds. One is mostly messages determined to be spam by SA 
and is suitable for URL mining and checking rules and other content 
stuff but not for IP blacking as most of this feed is mixed source spam. 
(Yahoo, Hotmail etc)


The big feed is my spambot class spam and it is suitable for blocklists 
and I have added headers to make it easy to get the original sending IP.


These feeds are free to anyone who provides free lists and are available 
for a small fee if you don't provide public lists. Accuracy is extremely 
good. I'm already feeding several of the major lists that a lot of you use.


Contact me privately if interested.

Marc Perkel
Junk Email Filter
http://www.junkemailfilter.com

If spammers were smart they would blacklist me.



Re: some of you have bad meta rules...

2007-08-12 Thread Justin Mason

Loren Wilton writes:
> Ok.  Sounds like they removed some base rules we were depending on.  Maybe 
> time to remove those rules based on them, or recreate the base rules as our 
> own.

Feel free to recreate them; 3.2.x will efficiently merge duplicates
anyway so it won't have any runtime effect.

--j.


Re: Detecting short-TTL domains?

2007-08-12 Thread Kai Schaetzl
Thomas Raef wrote on Sun, 12 Aug 2007 06:19:43 -0500:

> a dnsbl is the way to go.

On first look I disagree. We already have SURBL and URIBL. I don't see how 
this would add any benefit on top of that. We are talking about URI's in 
mail, not about hostnames of mailservers or email addresses. The only 
occasion where looking at the TTL (and whatever else in conjunction) is of 
benefit is when the URI *is not yet* on an RBL. In that case you can use 
those deviations from the norm as a spam indicator. Nothing more, nothing 
less. That also means that if the URI is found on SURBL/URIBL you don't 
have to do the TTL lookup which helps reducing the query load.

> I believe that not checking for everyone of these will lead to erroneous
> domains being blocked.

Why should that be the case? SA is all about storing. So, even if you add 
a score of 1.0 to *each* low-TTL domain any "normal" ham will just bypass 
that. You do not ever *block* by this single criterion!

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: How can I write my own plugins?

2007-08-12 Thread Kai Schaetzl
Paul Lenz wrote on  Sun, 12 Aug 2007 12:23:52 +0300:

> PS. Sorry for multiple postings, I only saved my message during 
> editing, but it seems to be sent every time

BTW, it looks like you are using an outdated version of your mail client, 
upgrade!

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





SOLVED: How can I write my own plugins?

2007-08-12 Thread Paul Lenz
"Alex Woick" <[EMAIL PROTECTED]> wrote:

> This is already very good. You have it. That text is the text 
> of the internal test message that is processed on every 
> SpamAssassin startup or  --lint.

Ah! It does not come from an email, only from the startup!

Now I got it. I stored the log file into /Plugins and this was
created by root, so it simply did not work for SA when it
received mail. It worked only on startup because I (as 
root) made the startup. After "chmod 777" the logfile, it
suddenly contains the email body as desired.

Thank you very much for this hint!

Paul Lenz






Re: How can I write my own plugins?

2007-08-12 Thread Alex Woick

Paul Lenz wrote on 12.08.2007 11:23:


> Actually I write Perl programs since many years, but I am not
> so familiar with the object oriented programming and I can not
> discover the secrets of Spamassassin. Concretely: I was not able
> to access the body of a mail.


You should consult "man perltoot" first - it's "Tom's Object-Orientated 
Tutorial For Perl" to learn about the basics. Without that, it is very 
difficult for you to decipher the structure and the usage of the 
objects. SpamAssassin uses derived classes, so you might not find 
methods ("functions") in the packages where you are expecting them - 
that may be one of the many mysteries to you.


The absolutely short definition of perl's object orientation is probably 
something like this:
- an "object" is an ordinary reference that gets a package name ("class 
name") tagged to it with the bless() function
- if you call a function like $object->my_function($param), perl 
searches for sub my_function in the package that is tagged to $object, 
and then it calls my_function($object, $param).
- Perl does not only search the tagged package for a function, but also 
recursively each package that is listed in the @ISA array, which can be 
declared in each class package. So you can not only use the sub's in 
your class but also all sub's of the referenced classes ("super classes").
- the most used reference to use as an object is a hash reference, but 
you can use every reference type in bless().



> I looked into some other plugins and ended with this code:
>
>   my ($self, $permsgstatus) = @_;
>   my $array = $permsgstatus->get_decoded_stripped_body_text_array();
>   my $text = join (' ', @$array);
>
> But $text contains only "I need to make this message body somewhat
> long so TextCat preloads I need to make this message body somewhat
> long so TextCat preloads ..". I gave it up.
>
> Would please somebody give me a hint how to access the body of 
> the mail? 


This is already very good. You have it. That text is the text of the 
internal test message that is processed on every SpamAssassin startup or 
--lint.


RE: Detecting short-TTL domains?

2007-08-12 Thread Thomas Raef
I agree. To catch the fast-flux servers you have to check not only low
ttl values but ALSO how frequently the IP addresses assigned to that
domain change.

I think everyone is looking for a fast fast-flux fix. I believe, and
this is just my opinion, that a dnsbl is the way to go. That way if the
people maintaining the dnsbl have their systems constantly checking for
the variables that identify a fast-flux domain:

1. Short TTL
2. Numerous A records
3. IP addresses changing frequently

the dnsbl will avoid false positives and still provide a high-level of
accuracy in identifying the fast-flux domains.

I believe that not checking for everyone of these will lead to erroneous
domains being blocked.

That's just my opinion, I could be wrong. (Dennis Miller)



-Original Message-
From: Bob Proulx [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 11, 2007 7:05 PM
To: users@spamassassin.apache.org
Subject: Re: Detecting short-TTL domains?

Kai Schaetzl wrote:
> Jo Rhett wrote:
> > Yes, but this also means that it takes longer to fix false positive 
> > problems.  How would one clear this out if the original problem was 
> > fixed and you wanted to receive the mail?
> 
> By using some whitelist for legit low-ttl domains.

I think it is a bad idea to use low-TTL values as more than a minor
spamsign.  There is nothing overtly improper about it and there are
often times when a low TTL dns record is just the right thing to do,
such as when planning an IP move for a server.  That should not cause
mail to be tagged as spam in those cases.

While it may be that there is some correlation to some spammers using
low TTL servers it is also true that good spam filtering has always
been about reducing false negatives.  A false negative is much worse
than a false positive.  Using low TTL dns records, a perfectly valid
configuration, as a strong spam indication will cause false negatives,
which creates a cascade failure which is much worse than the
original problem.

Trying to create workarounds such as maintaining whitelists for noted
servers is going about this the wrong way.  It is perfectly valid to
do and so this would legitimately need to list all possible servers.
In fact a small time operator who is setting up and planning moves
would most likely to be using low TTL values and would be unlikely to
be in random whitelists.

Bob


Re: How can I write my own plugin?

2007-08-12 Thread jdow

From: "Paul Lenz" <[EMAIL PROTECTED]>


> Actually I write Perl programs since many years, but I am not
> so familiar with the object oriented programming and I can not
> discover the secrets of Spamassassin. Concretely: I was not able
> to access the body of a mail.
>
> I included Plugin\Test.pm into my configuration:
>
> loadplugin Mail::SpamAssassin::Plugin::Test
> full   MY_TEST1 eval:check_test_plugin()
> score  MY_TEST1 0.1
> describe   MY_TEST1 Test-Plugin
>
> This works, each mail gets this score.
>
> In the sub with the line "hard work goes here..." (how true!!!) there
> are the scalars $self and $permsgstatus. I added some code which
> saves $self into a file. The result was a hash reference. I tried
> keys() and found the key "main". Sounds promising, doesn't it?
> But the result was another hash reference. Its keys didn't look like
> the message body. I gave it up.
>
> I looked into some other plugins and ended with this code:
>
>  my ($self, $permsgstatus) = @_;
>  my $array = $permsgstatus->get_decoded_stripped_body_text_array();
>  my $text = join (' ', @$array);
>
> But $text contains only "I need to make this message body somewhat
> long so TextCat preloads I need to make this message body somewhat
> long so TextCat preloads ..". I gave it up.


What did the body of the email you are testing look like?

I am suspecting it looked something like:

I need to make this message body somewhat long so TextCat preloads
I need to make this message body somewhat long so TextCat preloads

etc.

The newlines are stripped as are some other elements of the message
leaving it as a long line of text for that particular means of getting
the message body.

{^_^}



Re: How can I write my own plugins?

2007-08-12 Thread jdow

From: "Paul Lenz" <[EMAIL PROTECTED]>

> PS. Sorry for multiple postings, I only saved my message during 
> editing, but it seems to be sent every time :(


Control-S save draft.
Alt-S send.
Easy way to make the mistake.

Control-Enter is an instant send, which is annoying when you
fat finger and hit the enter key at the wrong moment.

{^_-}


Re: rule for empty text + GIF or PDF ?

2007-08-12 Thread Kai Schaetzl
Gene Heskett wrote on Sat, 11 Aug 2007 23:43:38 -0400:

> 1: sa-update is NOT pulling new PDFInfo.pm or pdfinfo.cf files even when they 
> are available.

of course not!

> 2: spamassassin --lint -D ignores these rules when we install them by hand.

which means you probably haven't installed PDFInfo correctly?

> Now is the question sufficiently illuminated?

Not at all. This is your first posting in this thread. This thread is about 
"rule for empty text + GIF or PDF". Your posting is about "how do I install or 
make use of PDFInfo". So, please go ahead and post a new thread and include all 
the information that is necessary for others to help you. If you did that 
already elsewhere, then please keep going there. But please don't hijack 
threads with completely different topics and pretend it fits.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Detecting short-TTL domains?

2007-08-12 Thread Kai Schaetzl
John D. Hardin wrote on Sat, 11 Aug 2007 18:21:35 -0700 (PPT):

> I think there was some consensus about using that in concert with an
> excessive number of A records as a spam sign. Check the thread
> history. I don't think anyone is suggesting by itself it's a useful
> indicator.

This is what I had in mind. Otherwise it might indeed fire too often.
I don't know if the combination will turn out to be of any help in spam 
detection. I'm not pro or con, I just wanted to add some comments about 
the query load and storage as this is of concern to me. My main point was 
that you don't have to rely on caching at the nameserver. You can have 
your own storage, as we have with AWL, Bayes etc., and thus minimize the 
query load. And for getting false positives out of it you best use a 
whitelist as just removing it from the database will not help much.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





How can I write my own plugin?

2007-08-12 Thread Paul Lenz
Actually I have been writing Perl programs for many years, but I am not
so familiar with object-oriented programming and I cannot
discover the secrets of SpamAssassin. Concretely: I was not able
to access the body of a mail.

I included Plugin\Test.pm into my configuration:

loadplugin Mail::SpamAssassin::Plugin::Test
full   MY_TEST1 eval:check_test_plugin()
score  MY_TEST1 0.1
describe   MY_TEST1 Test-Plugin

This works, each mail gets this score.

In the sub with the line "hard work goes here..." (how true!!!) there
are the scalars $self and $permsgstatus. I added some code which
saves $self into a file. The result was a hash reference. I tried
keys() and found the key "main". Sounds promising, doesn't it?
But the result was another hash reference. Its keys didn't look like
the message body. I gave it up.

I looked into some other plugins and ended with this code:

  my ($self, $permsgstatus) = @_;
  my $array = $permsgstatus->get_decoded_stripped_body_text_array();
  my $text = join (' ', @$array);

But $text contains only "I need to make this message body somewhat
long so TextCat preloads I need to make this message body somewhat
long so TextCat preloads ..". I gave it up.

Would somebody please give me a hint how to access the body of 
the mail? 

Thanks, Paul Lenz


PS. Sorry for multiple postings, I only saved my message during 
editing, but it seems to be sent every time :(

 



How can I write my own plugins?

2007-08-12 Thread Paul Lenz
Actually I have been writing Perl programs for many years, but I am not
so familiar with object-oriented programming and I cannot
discover the secrets of SpamAssassin. Concretely: I was not able
to access the body of a mail.

I included Plugin\Test.pm into my configuration:

loadplugin Mail::SpamAssassin::Plugin::Test
full   MY_TEST1 eval:check_test_plugin()
score  MY_TEST1 0.1
describe   MY_TEST1 Test-Plugin

This works, each mail gets this score.

In the sub with the line "hard work goes here..." (how true!!!) there
are the scalars $self and $permsgstatus. I added some code which
saves $self into a file. The result was a hash reference. I tried
keys() and found the key "main". Sounds promising, doesn't it?
But the result was another hash reference. Its keys didn't look like
the message body. I gave it up.

I looked into some other plugins and ended with this code:

  my ($self, $permsgstatus) = @_;
  my $array = $permsgstatus->get_decoded_stripped_body_text_array();
  my $text = join (' ', @$array);

But $text contains only "I need to make this message body somewhat
long so TextCat preloads I need to make this message body somewhat
long so TextCat preloads ..". I gave it up.

Would somebody please give me a hint how to access the body of 
the mail? 

Thanks, Paul Lenz


PS. Sorry for multiple postings, I only saved my message during 
editing, but it seems to be sent every time :(



How to write my own plugin

2007-08-12 Thread Paul Lenz
Actually I have been writing Perl programs for many years, but I am not
so familiar with object-oriented programming and I cannot
discover the secrets of SpamAssassin. Concretely: I was not able
to access the body of a mail.

I included Plugin\Test.pm into my configuration and gave it a score
of 0.1. This worked, each mail got this score.

In the sub with the line "hard work goes here..." (how true!!!) there
are the scalars $self and $permsgstatus. I added some code which
saves $self into a file. The result was a hash reference. I tried
keys() and found the key "main". Sounds promising, doesn't it?
But the result was another hash reference. Its keys didn't look like
the message body. I gave it up.

I looked into some other plugins and ended with this code:
  my ($self, $permsgstatus) = @_;
  my $array = $permsgstatus->get_decoded_stripped_body_text_array();
  my $text = join (' ', @$array);

But $text contains only "I need to make this message body somewhat
long so TextCat preloads I need to make this message body somewhat
long so TextCat preloads ..". I gave it up.






How to write my own plugin

2007-08-12 Thread Paul Lenz
Actually I have been writing Perl programs for many years, but I am not
so familiar with object-oriented programming and I cannot
discover the secrets of SpamAssassin. Concretely: I was not able
to access the body of a mail.

I included Plugin\Test.pm into my configuration and gave it a score
of 0.1. This worked, each mail got this score.

In the sub with the line "hard work goes here..." (how true!!!) there
are the scalars $self and $permsgstatus. I added some code which
saves $self into a file. The result was a hash reference. I tried
keys() and found the key "main". Sounds promising, doesn't it?
But the result was another hash reference. Its keys didn't look like
the message body. I gave it up.

I looked into some other plugins and ended with this code:
  my ($self, $permsgstatus) = @_;
  my $array = $permsgstatus->get_decoded_stripped_body_text_array();
  my $text = join (' ', @$array);

But $text contains only "I need to make this message body somewhat
long so TextCat preloads I need to make this message body somewhat
long so TextCat preloads .."