Re: rule for empty text + GIF or PDF ?
At 20:33 13-08-2007, Jo Rhett wrote: In specific, the original question referenced SARE rulesets and thus the obvious assumption was that it was a SARE rule, and I had done the search and hadn't found the rule so I needed to know which SARE ruleset that I wasn't currently downloading provided this. The original question was posted by clsgis. In his answer, Theo Van Dinter mentioned that a rule for PDF has been available via sa-update for weeks. Jo Rhett asked where in reply to that message. Had the person included the information that it was not a SARE ruleset but a normal SA ruleset, then I would have understood. I provided the rule name and description together with a link to the RuleUpdates webpage on the SpamAssassin Wiki as it explains how to locate the rules downloaded by sa-update. The webpage also has an example of how to use sa-update and how to debug if there is a problem doing updates. I assumed that the threaded discussion conveyed the fact that I was referring to a rule available from the updates.spamassassin.org channel. Regards, -sm
more than one mx record whitelist_from_rcvd option
hi all ; i have used the whitelist_from_rcvd option for spamassassin and it works successfully if the domain has only one mx record . for instance i have domain.com and it has only one mx record . the line below is used for users who have the email address [EMAIL PROTECTED]:
whitelist_from_rcvd [EMAIL PROTECTED] domain.com
what i wonder is what will happen if domain.com has more than one mx record ? how should i configure local.cf if the domain has more than one mx record ?
how to stop the spam assassin
Hi, I am running SA 3.1.7. I need to upgrade it. I have to stop the current running SA. how to stop the service? -- Sg
Re: how to stop the spam assassin
it depends on which distro you have used . you can use the stop/start script to stop spamassassin , or you can see the spamassassin process with the ps command and kill it . you can see the pid of spamassassin with the command below and then kill spamassassin :
# ps auwx | grep spamd | grep -v grep
# kill -9 spamassassin_pid
Re: more than one mx record whitelist_from_rcvd option
On 8/14/2007 2:23 AM, Gokhan ALKAN wrote: hi all ; i have used the whitelist_from_rcvd option for spamassassin and it works successfully if the domain has only one mx record . for instance i have domain.com and it has only one mx record . the line below is used for users who have the email address [EMAIL PROTECTED]: whitelist_from_rcvd [EMAIL PROTECTED] domain.com what i wonder is what will happen if domain.com has more than one mx record ? how should i configure local.cf if the domain has more than one mx record ?
whitelist_from_rcvd has nothing to do with MX records. It matches an address to a server host name pattern. If an email domain emits mail from multiple hosts with differing domain names you can simply use more than one whitelist_from_rcvd entry...
whitelist_from_rcvd [EMAIL PROTECTED] domain.com
whitelist_from_rcvd [EMAIL PROTECTED] here2.example.com
Daryl
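To make Daryl's point concrete, here is an added illustration (not code from the thread or from SpamAssassin itself) of what whitelist_from_rcvd actually compares: the sender address against a glob, and the reverse DNS name that our own MTA recorded for the connecting relay against the configured domain. No MX lookup happens anywhere, which is why the number of MX records is irrelevant and a second emitting host is handled with a second entry. The whitelist entries, the Received headers and the host names are constructed for the example; real SpamAssassin additionally restricts the check to Received headers written by trusted relays, which is not modelled here.

```python
import fnmatch
import re

# Constructed local.cf entries (not the poster's real configuration):
#   whitelist_from_rcvd <sender address glob> <rDNS domain of the relay we received from>
WHITELIST_FROM_RCVD = [
    ("*@domain.com", "domain.com"),
    ("*@domain.com", "here2.example.com"),   # second emitting host: just one more entry
]

# Picks the "from HELO (rdns [ip])" clause that the receiving MTA wrote into Received:.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[A-Za-z0-9.-]+)\s+\[(?P<ip>[0-9.]+)\]\)"
)


def parse_received(header):
    """Return (helo, rdns, ip) from a Received: header, or None if it cannot be parsed."""
    m = RECEIVED_RE.search(header)
    return (m.group("helo"), m.group("rdns"), m.group("ip")) if m else None


def rdns_in_domain(rdns, domain):
    """The relay's rDNS name must be the configured domain itself or a host underneath it."""
    rdns, domain = rdns.lower().rstrip("."), domain.lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)


def is_whitelisted(from_addr, received_header, entries=WHITELIST_FROM_RCVD):
    """True if some entry's address glob matches the sender AND the relay's rDNS
    lies in that entry's domain. Nothing here consults MX records."""
    parsed = parse_received(received_header)
    if parsed is None:
        return False                      # unverifiable relay: never whitelist
    _helo, rdns, _ip = parsed
    return any(
        fnmatch.fnmatchcase(from_addr.lower(), glob.lower()) and rdns_in_domain(rdns, dom)
        for glob, dom in entries
    )


if __name__ == "__main__":
    # Constructed headers: a genuine relay, a forged sender from an unrelated host,
    # and the second legitimate emitting host covered by the second entry.
    for addr, rcvd in [
        ("alice@domain.com", "from mail.domain.com (mail.domain.com [192.0.2.10]) by mx.example.net"),
        ("alice@domain.com", "from mail.domain.com (dsl-4.isp.example [198.51.100.4]) by mx.example.net"),
        ("alice@domain.com", "from out1.here2.example.com (out1.here2.example.com [203.0.113.5]) by mx.example.net"),
    ]:
        print(addr, "->", is_whitelisted(addr, rcvd))
```

The second case shows why the rDNS half of the entry matters: a sender address alone is trivially forged, while the reverse DNS name was recorded by your own MTA and cannot be set by the sender.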
Re: a small explanation on rule FORGED_RCVD_HELO
Matt Kettler wrote: It looks for a HELO that doesn't match against the reverse DNS for the IP address. Please note the case of clients connected to the network via NAT and using dynamic IP addresses. In the general case, such clients do not know the IP address to which their local address is translated using NAT. Such clients cannot set a correct HELO. Claude
fake MX records
http://wiki.apache.org/spamassassin/OtherTricks This page mentions setting up fake MXes. Is this method relevant today too, with a lot of spam being relayed through proper smtp channels? The page says the primary MX should not be accepting connections at all. Has anyone else tried this, and will this cause a delay in my mail? Thanks Ram
Re: a small explanation on rule FORGED_RCVD_HELO
Claude Frantz wrote on Tue, 14 Aug 2007 11:11:31 +0200: Please note the case of clients connected to the network via NAT and using dynamic IP addresses. In the general case, such clients do not know the IP address to which their local address is translated using NAT. Such clients cannot set a correct HELO. I would guess the rule uses only the last non-trusted received = it compares the HELO *we* got from it with the rDNS. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Re: So lets change it to sa-update doesn't
Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: Ok, is there a quick dirty way to determine which .pre file (or local.cf, there are 3 of those too) is actually running the show? all the files in /etc/mail/spamassassin No, that is something you put yourself there. Sorry Kai, the comment string inserted in front of the loadplugin statements (all of them) specifically said that sa-update had disabled them because the --allowplugins wasn't being passed to sa-update. Hm. Can just say I don't have it here, never seen it and sa-update is run from cron.daily and without any addition to the command line. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
RE: disable spamhaus rbl?
You almost got it right! Try
score __RCVD_IN_ZEN 0.0
score RCVD_IN_SBL 0.0
score RCVD_IN_XBL 0.0
score RCVD_IN_PBL 0.0
score URIBL_SBL 0.0
Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK
-Original Message- From: Fletcher Mattox [mailto:[EMAIL PROTECTED] Sent: 13 August 2007 22:43 To: users@spamassassin.apache.org Subject: Re: disable spamhaus rbl?
Theo Van Dinter writes: Alternately, add a spamhaus.org zone to your name server w/ no entries so that queries return instantly.
Perfect! Thanks, Theo. Fyi, even with
score __RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
I still see lots of queries to sbl.spamhaus.org. (But I no longer care, since the name server hack works). Fletcher
Re: a small explanation on rule FORGED_RCVD_HELO
Claude Frantz wrote: Matt Kettler wrote: It looks for a HELO that doesn't match against the reverse DNS for the IP address. Please note the case of clients connected to the network via NAT and using dynamic IP addresses. In the general case, such clients do not know the IP address to which their local address is translated using NAT. Such clients cannot set a correct HELO. Which is one of the many, many, many reasons this rule had a high false positive rate, thus had a low score in 3.1.x and was removed from 3.2.x. I don't think anyone believes this rule is a good one, and the above facts (mentioned in the very post you replied to) indicate the SA team knows this already.
RE: fake MX records
-Original Message- From: ram [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 14, 2007 6:07 AM To: users@spamassassin.apache.org Subject: fake MX records http://wiki.apache.org/spamassassin/OtherTricks This page mentions setting up fake MXes. Is this method relevant today too, with a lot of spam being relayed through proper smtp channels? The page says the primary MX should not be accepting connections at all. Has anyone else tried this, and will this cause a delay in my mail? Yes, and some systems might not ever send you email (they violate RFCs). Also, many spammers go for the SECONDARY mx first.
Re: fake MX records
On Tue, 14 Aug 2007, ram wrote: The page says the primary MX should not be accepting connections at all. Has anyone else tried this , will this cause delay in my mail It almost doesn't work anymore. Better try adaptive greylisting, with some whitelists so you don't notice too much of delays. K.
Re: fake MX records
Kshatriya wrote: On Tue, 14 Aug 2007, ram wrote: The page says the primary MX should not be accepting connections at all. Has anyone else tried this, and will this cause a delay in my mail? It almost doesn't work anymore. Better try adaptive greylisting, with some whitelists so you don't notice too much of delays. K.
Fake MX do work, but don't expect too much, as most of the bots learned to come again to defeat greylisting; they also learned fake MX. You will have a delay with fake MX but it's very small. In my case I was bombed with connects and fake MX reduced them by about 10 percent; I think these are very old spam bot variants who are still aggressing against my very old three-letter domain. I would say fake MX are nice to have, but not a must have in antispam these days. I included reject_unknown_reverse_client_hostname in my postfix; this, it seems, is very efficient, in my case I noticed it blocks spam mail in the early client stage. Also fail2ban does a good job with dictionary attacks. For sure you should have all other recommended antispam settings like reject_unknown_sender_domain etc., including greylisting, policy_weight, spf, dkim in your mail server. -- Best Regards Robert Schetterer Germany/Bavaria/Munich
Re: a small explanation on rule FORGED_RCVD_HELO
-Original Message- From: Matt Kettler [mailto:[EMAIL PROTECTED] Sent: Tuesday 14 August 2007 13.38 To: Claude Frantz Cc: users@spamassassin.apache.org Subject: Re: a small explanation on rule FORGED_RCVD_HELO Claude Frantz wrote: Matt Kettler wrote: It looks for a HELO that doesn't match against the reverse DNS for the IP address. Please note the case of clients connected to the network via NAT and using dynamic IP addresses. In the general case, such clients do not know the IP address to which their local address is translated using NAT. Such clients cannot set a correct HELO. Which is one of the many, many, many reasons this rule had a high false positive rate, thus had a low score in 3.1.x and was removed from 3.2.x. I don't think anyone believes this rule is a good one, and the above facts (mentioned in the very post you replied to) indicate the SA team knows this already. I agree with you. If I'm correctly recalling, this kind of check was first suggested even in the (in)famous BOTNET plugin and then not implemented even there. The reason was that most people who legitimately run an MX server don't have any access to their rDNS records and they would not like to HELO with something different from the DNS name they assigned to the MX. Actually, the BOTNET plugin implements a less strict HELO to IP and an IP to rDNS to DNS check. Again, if I'm not recalling wrong. Please note I wrote the (in)famous BOTNET plugin just because at the time there was a lot of debate on it, since mail sent from most small and tiny service providers would have probably failed at least one of its checks. Nevertheless, many in this list were endorsing it. Giampaolo
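The false-positive mechanism Claude, Kai and Matt describe is easy to see in code. The following is an added illustration, not code from the thread, from SpamAssassin or from the BOTNET plugin: it mimics a HELO-versus-rDNS check of the FORGED_RCVD_HELO kind, evaluated only on the first untrusted hop as Kai guesses, against a constructed PTR table instead of live DNS. The host names, addresses and PTR entries are all invented for the example.

```python
import ipaddress

# Constructed PTR records standing in for reverse DNS (no network access needed).
PTR_TABLE = {
    "192.0.2.10": "mx1.example.org",                     # properly set up MX
    "198.51.100.77": "77-100-51-198.dyn.isp.example",    # ISP's generic name for a NAT gateway
    "203.0.113.9": None,                                 # no PTR record at all
}


def reverse_dns(ip, table=PTR_TABLE):
    return table.get(ip)


def helo_matches_rdns(helo, ip, table=PTR_TABLE):
    """True when the HELO name agrees with the reverse DNS of the connecting IP."""
    helo = helo.strip().lower().rstrip(".")
    if helo.startswith("[") and helo.endswith("]"):
        # An address literal such as [198.51.100.77] is fine if it is the connecting IP.
        try:
            return ipaddress.ip_address(helo[1:-1]) == ipaddress.ip_address(ip)
        except ValueError:
            return False
    rdns = reverse_dns(ip, table)
    return rdns is not None and helo == rdns.lower().rstrip(".")


def forged_rcvd_helo(hops, table=PTR_TABLE):
    """hops: (helo, ip, trusted) tuples, outermost Received: header first.
    Only the first untrusted hop is judged, i.e. the HELO *we* received;
    our own trusted relays are skipped. Returns True when the rule would fire."""
    for helo, ip, trusted in hops:
        if trusted:
            continue
        return not helo_matches_rdns(helo, ip, table)
    return False   # nothing untrusted to judge


if __name__ == "__main__":
    cases = {
        "real MX, HELO matches PTR": [("mx1.example.org", "192.0.2.10", False)],
        # Legitimate client behind NAT: it can only HELO with its internal name,
        # so the rule fires although nothing is forged. This is the false positive.
        "NAT client, internal HELO": [("workstation.corp.internal", "198.51.100.77", False)],
        "NAT client, address literal": [("[198.51.100.77]", "198.51.100.77", False)],
        "no PTR at all": [("mail.example.net", "203.0.113.9", False)],
    }
    for label, hops in cases.items():
        print(f"{label}: fires={forged_rcvd_helo(hops)}")
```

The NAT case is the one that matters: the client did nothing wrong and has no way to learn its translated address, yet a strict HELO-equals-rDNS test flags it, which is exactly why such a rule can only ever carry a tiny score or be dropped.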
Re: disable spamhaus rbl?
Fletcher Mattox wrote: Spamhaus has determined that my query rate is too high to continue using their servers for free. So they have, apparently, blocked my queries at their router, which incurs a 5 second timeout. How do I tell SpamAssassin to stop using all spamhaus servers, including zen? I tried this in local.cf:
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
But it seems not to work. I still see lots of outgoing queries with tcpdump, and I still get these debug messages:
After reading all the replies I was left wondering.. These kinds of rules are not used when spamd is started with the -L (--local) switch, right? I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to query spamhaus at smtp time. (qmail - tcpserver)
/usr/local/bin/rblsmtpd -b -C -r 'sbl-xbl.spamhaus.org'
I always considered it to be more efficient this way, would this be correct? /Regards
Re: what happened after 3.1.8?
Matt Kettler [EMAIL PROTECTED] wrote on 08/13/2007 08:09:19 PM: Jean-Paul Natola wrote: Since its not in the ports tree yet- ( that's how I usually upgrade) FYI, 3.2.3 is now in the FreeBSD ports tree. Andy
RE: disable spamhaus rbl?
After reading all the replies I was left wondering.. These kind of rules are not used when spamd is started with the -L (--local) switch, right? I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to query spamhaus at smtp time. (qmail - tcpserver) /usr/local/bin/rblsmtpd -b -C -r 'sbl-xbl.spamhaus.org' I always considered it to be more efficient this way, would this be correct? If I am not mistaken, this methodology will simply dump any hits on spamhaus rather than score a hit in combination with other scores. Someone can correct me if I am wrong. - Skip
Rule for PDF and eCard Spam Needed
Can someone recommend a SAR(E) to mitigate the influx of the PDF and eCard spams until I can learn the bayes? (haven't been tuned into the list for a while... sorry.) Thanks, Clay
Re: fake MX records
Kshatriya wrote: On Tue, 14 Aug 2007, ram wrote: The page says the primary MX should not be accepting connections at all. Has anyone else tried this, and will this cause a delay in my mail? It almost doesn't work anymore. Better try adaptive greylisting, with some whitelists so you don't notice too much of delays. K. I'm using it on 1600 domains and it definitely works. I get no bot spam at all. I didn't even know what PDF spam was until I saw it discussed here.
Re: disable spamhaus rbl?
Diego Pomatta wrote on Tue, 14 Aug 2007 10:37:27 -0300: I always considered it to be more efficient this way, would this be correct? It's a matter of trust. If you trust the RBL to produce an insignificant amount of false positives for you then rejecting at MTA level is the best thing you can do. I do it the same way. But there are people/companies who think they cannot even afford a single FP, so they cannot do this. Some also use RBLs as a source of greylisting which is a very good compromise. BTW: you should use zen and not xbl+sbl anymore; visit the spamhaus.org site. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
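Both Diego's rblsmtpd question and Kai's reply turn on what a DNSBL lookup actually is and what you do with the answer. The block below is an added example, not code from the thread, from rblsmtpd or from SpamAssassin: it builds the reversed-octet query name a client resolves, decodes the return codes Spamhaus documents for the combined zen zone (127.0.0.2-3 SBL, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL), and applies Kai's three policies (reject at the MTA, greylist, or accept and let SpamAssassin score the hit). The resolver answers are constructed so the example runs offline; nothing here sends a real query, which is also what Theo's empty local spamhaus.org zone achieves for a site that has been cut off.

```python
import ipaddress

# Return codes Spamhaus documents for the combined zen zone (each answer is one listing).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",        # CSS listings are returned inside the SBL range
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL client resolves,
    e.g. 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org. Raises ValueError for non-IPv4 input."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_zen(answers):
    """Translate A-record answers into the sorted set of lists that hit; empty = not listed."""
    return sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})


# Constructed resolver answers (no real DNS traffic).
FAKE_RESOLVER = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],   # XBL + PBL: looks like a bot
    "9.113.0.203.zen.spamhaus.org": ["127.0.0.2"],                 # SBL only
}


def lookup(ip, zone="zen.spamhaus.org", resolver=FAKE_RESOLVER):
    return classify_zen(resolver.get(dnsbl_query_name(ip, zone), []))


def mta_policy(listings, fp_tolerance):
    """Kai's trade-off. fp_tolerance is 'reject' (FPs acceptable, refuse at SMTP time),
    'greylist' (the compromise), or 'none' (cannot afford one FP: accept and let
    SpamAssassin weigh the listing together with every other rule)."""
    if not listings:
        return "accept"
    return {"reject": "reject", "greylist": "greylist", "none": "accept"}[fp_tolerance]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.9", "203.0.113.50"):
        hits = lookup(ip)
        print(ip, dnsbl_query_name(ip, "zen.spamhaus.org"), hits,
              {p: mta_policy(hits, p) for p in ("reject", "greylist", "none")})
```

The 'none' branch is the SpamAssassin path Skip describes: the listing becomes one weighted input rather than a verdict, at the cost of accepting and scanning the message. Note also that a zone containing several lists can return several A records for one name, so code that keeps only the first answer silently loses information.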
Re: So lets change it to sa-update doesn't
On Tuesday 14 August 2007, Kai Schaetzl wrote: Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: Ok, is there a quick dirty way to determine which .pre file (or local.cf, there are 3 of those too) is actually running the show? all the files in /etc/mail/spamassassin Ok, I'll start there. I should add that spamc doesn't run as root, but as me. No, that is something you put yourself there. Sorry Kai, the comment string inserted in front of the loadplugin statements (all of them) specifically said that sa-update had disabled them because the --allowplugins wasn't being passed to sa-update. Hm. Can just say I don't have it here, never seen it and sa-update is run from cron.daily and without any addition to the command line. I wonder if that's a leftover, from the effects of an older version? I've been running SA here for years. Kai Thanks. -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Modesty is a vastly overrated virtue. -- J.K. Galbraith
Re: fake MX records
Marc Perkel wrote on Tue, 14 Aug 2007 07:13:16 -0700: I'm using it on 1600 domains and it definitely works. I get no bot spam at all. I doubt that this is because you have a fake low MX. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
PDFAssassin
Is anybody using the PDFAssassin module from http://blog.atmail.com/?p=61 I didn't think I saw it talked about on the list yet. I'm looking for a good solution for catching PDF spam. Are there any better suggestions for catching PDF? Thanks again, Bob
warning - score undef for rule 'MISSING_SUBJECT'...
The first time I run sa-update after a v3.2.3 install, I get the following warnings:
rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
... (repeated several times)
The update succeeds anyway. What causes these warnings? Thanks, Larry
Re: Rule for PDF and eCard Spam Needed
PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE rules for the greeting cards, although our experience is they tend to get caught pretty well without help. Apparently though others need more help :-) There have been 3-4 rules in various emails about these things over the last week or two. Scan back in the archives of the list for greeting cards and you will probably find some good rules. Loren
RE: warning - score undef for rule 'MISSING_SUBJECT'...
The first time I run sa-update after a v3.2.3 install, I get the following warnings:
rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
... (repeated several times)
I got these as well for both upgrades to 3.2.2 and 3.2.3... - Skip
Re: Rule for PDF and eCard Spam Needed
Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE rules for the greeting cards, although our experience is they tend to get caught pretty well without help. Apparently though others need more help :-) There have been 3-4 rules in various emails about these things over the last week or two. Scan back in the archives of the list for greeting cards and you will probably find some good rules. Loren I found that ClamAV catches most all those greeting card spamscam viruses. But the PDFInfo from SARE works GREAT! -- -Doc Penguins: Do it on the ice. 8:44am up 4 days, 16:55, 17 users, load average: 0.18, 0.30, 0.37 SARE HQ http://www.rulesemporium.com/
Re: disable spamhaus rbl?
Kai Schaetzl wrote: Diego Pomatta wrote on Tue, 14 Aug 2007 10:37:27 -0300: I always considered it to be more efficient this way, would this be correct? It's a matter of trust. If you trust the RBL to produce an insignificant amount of false positives for you then rejecting at MTA level is the best thing you can do. I do it the same way. But there are people/companies who think they cannot even afford a single FP, so they cannot do this. Some also use RBLs as a source of greylisting which is a very good compromise. BTW: you should use zen and not xbl+sbl, anymore, visit the spamhaus.org site. Kai Will do, thanks.
RE: PDFAssassin
-Original Message- From: Bob Pierce [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 14, 2007 11:00 AM To: users@spamassassin.apache.org Subject: PDFAssassin Is anybody using the PDFAssassin module from http://blog.atmail.com/?p=61 I didn't think I saw it talked about on the list yet. I'm looking for a good solution for catching PDF spam. Are there any better suggestions for catching PDF? Thanks again, Bob PDFInfo plugin http://www.rulesemporium.com/plugins.htm
Re: Rule for PDF and eCard Spam Needed
Doc Schneider wrote: Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. I found that ClamAV catches most all those greeting card spamscam viruses. But the PDFInfo from SARE works GREAT! ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL signatures in addition to the main ClamAV signatures. We went from rejecting a few thousand viruses a day with just the base ClamAV signatures, to rejecting high 10's of thousands of messages a day (mostly due to Sanesecurity). No complaints about false positives yet.
Sample eCard Rules...
Some quick eCard rules:
header JARED_ECARD Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
score JARED_ECARD 2.5
header JARED_ECARD1 Subject =~ /^(School\-mate|Worshipper|Neighbour|Colleague|Admirer|School mate|Mate|Class\-mate|Neighbor|Friend|Partner|Family member|Class mate) sent you (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from ((postcardsfrom|Greeting\-Cards|e\-cards|1LoveCards|postcard|greetingCard|netfuncards|freewebcards|AmericanGreetings|GreetingCards|2000Greetings|FunnyPostcard|mypostcards|egreetings|dgreetings|VintagePostcards|123Greetings|riversongs|Hallmark|greet2k|egreetings|all\-yours|bluemountain|Postcards)\.(com|net|org))\!?/i
score JARED_ECARD1 2.0
header JARED_ECARD2 Subject =~ /^(Animated|Funny|Greeting|Holiday|Thank you|Musical|Love|Birthday|Movie\-quality)[\s](ecard|card|postcard)[\s]$/i
score JARED_ECARD2 2.0
$0.02, Jared Hall General Telecom, LLC.
On Tuesday 14 August 2007 11:33, John Rudd wrote: Doc Schneider wrote: Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. I found that ClamAV catches most all those greeting card spamscam viruses. But the PDFInfo from SARE works GREAT! ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL signatures in addition to the main ClamAV signatures. We went from rejecting a few thousand viruses a day with just the base ClamAV signatures, to rejecting high 10's of thousands of messages a day (mostly due to Sanesecurity). No complaints about false positives yet.
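Rules like Jared's are easiest to judge by running them over sample subjects before they go into local.cf. The following is an added example, not code from the post or from SpamAssassin: a small harness that parses header/score lines of the form SpamAssassin uses (only the `header NAME Subject =~ /re/flags` and `score NAME n` forms, which is all these rules need), applies Jared's three rules to constructed subject lines, and totals the scores of the rules that hit. The rule text is a copy of the rules above with the line wrapping removed; the subjects are constructed. Perl and Python regex syntax agree for everything these patterns use, so the patterns are compiled as-is.

```python
import re

# Copy of the Subject rules from the post, one rule per line (constructed test input).
RULES_CF = r"""
header JARED_ECARD Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
score JARED_ECARD 2.5
header JARED_ECARD1 Subject =~ /^(School\-mate|Worshipper|Neighbour|Colleague|Admirer|School mate|Mate|Class\-mate|Neighbor|Friend|Partner|Family member|Class mate) sent you (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from ((postcardsfrom|Greeting\-Cards|e\-cards|1LoveCards|postcard|greetingCard|netfuncards|freewebcards|AmericanGreetings|GreetingCards|2000Greetings|FunnyPostcard|mypostcards|egreetings|dgreetings|VintagePostcards|123Greetings|riversongs|Hallmark|greet2k|egreetings|all\-yours|bluemountain|Postcards)\.(com|net|org))\!?/i
score JARED_ECARD1 2.0
header JARED_ECARD2 Subject =~ /^(Animated|Funny|Greeting|Holiday|Thank you|Musical|Love|Birthday|Movie\-quality)[\s](ecard|card|postcard)[\s]$/i
score JARED_ECARD2 2.0
"""

HEADER_RULE = re.compile(r"^header\s+(\S+)\s+(\S+)\s*=~\s*/(.*)/([a-z]*)\s*$")
SCORE_LINE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")
PERL_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def load_rules(text):
    """Parse header/score lines into {name: {"header", "regex", "score"}}."""
    rules, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RULE.match(line)
        if m:
            name, hdr, pattern, flags = m.groups()
            bits = 0
            for f in flags:
                bits |= PERL_FLAGS[f]
            rules[name] = {"header": hdr, "regex": re.compile(pattern, bits)}
            continue
        m = SCORE_LINE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    for name, rule in rules.items():
        rule["score"] = scores.get(name, 1.0)   # SpamAssassin's default for an unscored rule
    return rules


def score_headers(headers, rules):
    """Apply each rule to its header; return (total score, sorted names of rules that hit)."""
    hits = [name for name, r in rules.items()
            if r["regex"].search(headers.get(r["header"], ""))]
    return sum(rules[n]["score"] for n in hits), sorted(hits)


ECARD_RULES = load_rules(RULES_CF)

if __name__ == "__main__":
    # Constructed subjects: three that should hit and one ordinary list subject.
    for subject in ("You've received a postcard from a friend!",
                    "Colleague sent you a greeting card from 123Greetings.com!",
                    "Funny ecard ",          # JARED_ECARD2 requires trailing whitespace as written
                    "Re: whitelist_from_rcvd question"):
        print(repr(subject), "->", score_headers({"Subject": subject}, ECARD_RULES))
```

Running the harness over a folder of recent ham subjects is the cheap way to catch an over-broad alternation before it costs a false positive; the same loader accepts any rule file that sticks to these two line forms.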
Public.pm
Hi List, Does anyone encounter this error and how do you fix it? Use of uninitialized value in string eq at /usr/lib/perl5/vendor_perl/5.8.8/Mail/DomainKeys/Key/Public.pm line 67, GEN934 line 319. Thanks
[EMAIL PROTECTED] strikes again
The original message was received at Tue, 14 Aug 2007 11:50:13 -0400 from localhost.localdomain [127.0.0.1] - The following addresses had permanent fatal errors - [EMAIL PROTECTED] (reason: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)) (expanded from: [EMAIL PROTECTED]) - Transcript of session follows - ... while talking to mail.mx05.net.: RCPT To:[EMAIL PROTECTED] 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1) 550 5.1.1 [EMAIL PROTECTED] User unknown Return-Path: [EMAIL PROTECTED] Received: from localhost (localhost.localdomain [127.0.0.1]) by ns.mx04.com (8.11.6/8.11.6) with ESMTP id l7EFoDt31728 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 11:50:13 -0400 Received: from pop.zajil.net [212.24.224.61] by localhost with POP3 (fetchmail-6.2.5) for [EMAIL PROTECTED] (single-drop); Tue, 14 Aug 2007 11:50:13 -0400 (EDT) Received: from bmwebin.zajil.net ([212.24.224.151]) by pop.zajil.net (Merak 8.3.6) with ESMTP id TXN40659 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 18:51:59 +0300 Received: from bmwebin.zajil.net (unknown [127.0.0.1]) by bmwebin.zajil.net (Symantec Mail Security) with ESMTP id C240830429 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 18:01:06 +0300 (AST) X-AuditID: d418e097-af8b2bb00a34-15-46c1c3b1f614 Received: from mail.apache.org (hermes.apache.org [140.211.11.2]) by bmwebin.zajil.net (Symantec Mail Security) with SMTP id B37A130140 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 18:01:05 +0300 (AST) Received: (qmail 27303 invoked by uid 500); 14 Aug 2007 15:47:18 - Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm Precedence: bulk list-help: mailto:[EMAIL PROTECTED] list-unsubscribe: mailto:[EMAIL PROTECTED] List-Post: mailto:users@spamassassin.apache.org List-Id: users.spamassassin.apache.org Delivered-To: mailing list users@spamassassin.apache.org Received: (qmail 27294 invoked by uid 99); 14 Aug 2007 15:47:18 - Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with 
ESMTP; Tue, 14 Aug 2007 08:47:18 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of [EMAIL PROTECTED] designates 209.85.198.190 as permitted sender) Received: from [209.85.198.190] (HELO rv-out-0910.google.com) (209.85.198.190) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 14 Aug 2007 15:47:14 + Received: by rv-out-0910.google.com with SMTP id c24so1461045rvf for users@spamassassin.apache.org; Tue, 14 Aug 2007 08:46:54 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:from:to:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=W8riJXKcP7tjMGodnC54UqKof7JusOySWiJDOkqienhASG+HfcRMm55cD0lU62X6qar4wm6gJu6mwVfETukRx3pUJJSB7uOqSm9hFhfwoBHFqhoJ4/JKIrXQLX6JNpSChFKHHZNrVdlbhfQ7sqfvW5g9qZmcDExxIUDqhPpFDtE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:from:to:subject:date:mime-version:content-type:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer:x-mimeole; b=Kt0Nt44b3Z02LFQL89KgbvbyqZZO5tLzhbJVsw2O5BwQkP61RsL1uAs+y5LtNMwMfK0v5Y53FJtA+MdwpeJC+IGpVdyujeHtlC+k28nhoxcKz5WuwCJSVzvxIipRUUdk4JRS925cE+O9JRyNWf1j9GQmhjUrJAWQW5HkJOn9+n4= Received: by 10.114.27.20 with SMTP id a20mr2782785waa.1187106414523; Tue, 14 Aug 2007 08:46:54 -0700 (PDT) Received: from dw ( [220.255.72.245]) by mx.google.com with ESMTPS id m10sm10662529waf.2007.08.14.08.46.51 (version=SSLv3 cipher=RC4-MD5); Tue, 14 Aug 2007 08:46:53 -0700 (PDT) Message-ID: [EMAIL PROTECTED] From: Spamassassin List [EMAIL PROTECTED] To: users@spamassassin.apache.org Subject: Public.pm Date: Tue, 14 Aug 2007 23:47:12 +0800 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138 X-Virus-Checked: Checked by ClamAV on apache.org X-Brightmail-Tracker: AA== ATT00550.dat Description: Binary data
Re: So lets change it to sa-update doesn't
On 8/14/2007 6:31 AM, Kai Schaetzl wrote: Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: Ok, is there a quick dirty way to determine which .pre file (or local.cf, there are 3 of those too) is actually running the show? all the files in /etc/mail/spamassassin No, that is something you put yourself there. Sorry Kai, the comment string inserted in front of the loadplugin statements (all of them) specifically said that sa-update had disabled them because the --allowplugins wasn't being passed to sa-update. Hm. Can just say I don't have it here, never seen it and sa-update is run from cron.daily and without any addition to the command line. The openprotect SARE rules sa-update channel includes a pre file that loads just about every plugin known to man for some (unknown to me) reason. If you don't use the --allowplugins options with their channel sa-update will comment out the plugins they try to load to protect you from the channel running any code. Daryl
Re: So lets change it to sa-update doesn't
On Tuesday 14 August 2007, Daryl C. W. O'Shea wrote: On 8/14/2007 6:31 AM, Kai Schaetzl wrote: Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: Ok, is there a quick dirty way to determine which .pre file (or local.cf, there are 3 of those too) is actually running the show? all the files in /etc/mail/spamassassin No, that is something you put yourself there. Sorry Kai, the comment string inserted in front of the loadplugin statements (all of them) specifically said that sa-update had disabled them because the --allowplugins wasn't being passed to sa-update. Hm. Can just say I don't have it here, never seen it and sa-update is run from cron.daily and without any addition to the command line. The openprotect SARE rules sa-update channel includes a pre file that loads just about every plugin known to man for some (unknown to me) reason. If you don't use the --allowplugins options with their channel sa-update will comment out the plugins they try to load to protect you from the channel running any code. Daryl Which explains what I found to a Tee, thanks Daryl. BTW, what is the name of their *.pre file? Thanks -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) In 1750 Issac Newton became discouraged when he fell up a flight of stairs.
3.2.3 TIME out
Hi all, I was told that 3.2.3 had the fixes for the timing-out issues. Is there ANYTHING else I'm missing to correct this? Here's my netstat output:

Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 2546 0 localhost.783 localhost.55853 CLOSE_WAIT
tcp4 0 0 localhost.55853 localhost.783 FIN_WAIT_2
tcp4 71680 0 localhost.783 localhost.53026 ESTABLISHED
tcp4 0 43008 localhost.53026 localhost.783 ESTABLISHED
tcp4 36278 0 localhost.783 localhost.50210 CLOSE_WAIT
tcp4 0 0 localhost.50210 localhost.783 FIN_WAIT_2
tcp4 41465 0 localhost.783 localhost.61363 CLOSE_WAIT
tcp4 0 0 localhost.61363 localhost.783 FIN_WAIT_2
tcp4 1453 0 localhost.783 localhost.56325 CLOSE_WAIT
tcp4 0 0 localhost.56325 localhost.783 FIN_WAIT_2
tcp4 0 0 milter.smtp 0x55529182.adsl..19593 TIME_WAIT
tcp4 20605 0 localhost.783 localhost.57041 CLOSE_WAIT
tcp4 0 0 localhost.57041 localhost.783 FIN_WAIT_2
tcp4 1 0 localhost.783 localhost.55441 CLOSE_WAIT
tcp4 0 0 localhost.55441 localhost.783 FIN_WAIT_2
tcp4 71680 0 localhost.783 localhost.54128 ESTABLISHED
tcp4 0 13160 localhost.54128 localhost.783 FIN_WAIT_1
tcp4 2522 0 localhost.783 localhost.55305 CLOSE_WAIT
tcp4 0 0 localhost.55305 localhost.783 FIN_WAIT_2
tcp4 0 0 milter.smtp n19c.bullet.sp1..48428 TIME_WAIT
tcp4 0 0 milter.smtp 0x55529182.adsl..19259 TIME_WAIT
tcp4 10896 0 localhost.783 localhost.60158 CLOSE_WAIT
tcp4 0 0 localhost.60158 localhost.783 FIN_WAIT_2
tcp4 2413 0 localhost.783 localhost.54420 CLOSE_WAIT
tcp4 0 0 localhost.54420 localhost.783 FIN_WAIT_2
tcp4 22951 0 localhost.783 localhost.65442 CLOSE_WAIT
tcp4 0 0 localhost.65442 localhost.783 FIN_WAIT_2
tcp4 0 0 milter.smtp cpe-76-171-198-1.3082 ESTABLISHED
tcp4 12341 0 localhost.783 localhost.50400 CLOSE_WAIT
tcp4 0 0 localhost.50400 localhost.783 FIN_WAIT_2
tcp4 2473 0 localhost.783 localhost.60731 CLOSE_WAIT
tcp4 0 0 localhost.60731 localhost.783 FIN_WAIT_2
tcp4 3483 0 localhost.783 localhost.56846 CLOSE_WAIT
tcp4 0 0 localhost.56846 localhost.783 FIN_WAIT_2
tcp4 36670 0 localhost.783 localhost.61583 CLOSE_WAIT
tcp4 0 0 localhost.61583 localhost.783 FIN_WAIT_2
tcp4 15375 0 localhost.783 localhost.63733 CLOSE_WAIT
tcp4 0 0 localhost.63733 localhost.783 FIN_WAIT_2
tcp4 2182 0 localhost.783 localhost.64677 CLOSE_WAIT
tcp4 0 0 localhost.64677 localhost.783 FIN_WAIT_2
tcp4 3510 0 localhost.783 localhost.56295 CLOSE_WAIT
tcp4 0 0 localhost.56295 localhost.783 FIN_WAIT_2
tcp4 0 0 milter.smtp bay0-omc3-s35.ba.52054 ESTABLISHED
tcp4 2546 0 localhost.783 localhost.49280 CLOSE_WAIT
tcp4 0 0 localhost.49280 localhost.783 FIN_WAIT_2
tcp4 71680 0 localhost.783 localhost.60422 ESTABLISHED
tcp4 0 43008 localhost.60422 localhost.783 FIN_WAIT_1
tcp4 36278 0 localhost.783 localhost.56594 CLOSE_WAIT
tcp4 0 0 localhost.56594 localhost.783 FIN_WAIT_2
tcp4 41465 0 localhost.783 localhost.55585 CLOSE_WAIT
tcp4 0 0 localhost.55585 localhost.783 FIN_WAIT_2
tcp4 1453 0 localhost.783 localhost.57817 CLOSE_WAIT
tcp4 0 0 localhost.57817 localhost.783 FIN_WAIT_2
tcp4 20605 0 localhost.783 localhost.56469 CLOSE_WAIT
tcp4 0 0 localhost.56469 localhost.783 FIN_WAIT_2
tcp4 1 0 localhost.783 localhost.58489 CLOSE_WAIT
tcp4 0 0 localhost.58489 localhost.783 FIN_WAIT_2
tcp4 71680 0 localhost.783 localhost.53661 ESTABLISHED
tcp4 0 13160 localhost.53661 localhost.783 FIN_WAIT_1
tcp4 2522 0 localhost.783 localhost.63506 CLOSE_WAIT
tcp4 0 0 localhost.63506 localhost.783 FIN_WAIT_2
tcp4 0
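Port 783 is spamd's default listening port, so the rows above with Local Address localhost.783 are spamd's side of each spamc connection. The pattern that stands out is CLOSE_WAIT on that side with bytes still in Recv-Q while the peer is already in FIN_WAIT_2: the client finished sending, waited, and closed, but the spamd child never read the rest of the message or closed its own end. The following is an added example (not the poster's script and not part of SpamAssassin) that parses a constructed listing in this BSD netstat layout and flags exactly that pattern; the listening port is a parameter.

```python
import re
from collections import Counter

# Constructed sample in the layout of the BSD netstat listing quoted above
# (a few representative rows, not the poster's full output).
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    2546      0  localhost.783          localhost.55853        CLOSE_WAIT
tcp4       0      0  localhost.55853        localhost.783          FIN_WAIT_2
tcp4   71680      0  localhost.783          localhost.53026        ESTABLISHED
tcp4       0  43008  localhost.53026        localhost.783          ESTABLISHED
tcp4       0      0  milter.smtp            0x55529182.adsl..19593 TIME_WAIT
tcp4       1      0  localhost.783          localhost.55441        CLOSE_WAIT
tcp4       0      0  localhost.55441        localhost.783          FIN_WAIT_2
"""

# proto, Recv-Q, Send-Q, local, foreign, state; header lines do not match.
ROW_RE = re.compile(
    r"^(?P<proto>tcp\d?|udp\d?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>[A-Z_0-9]+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["recvq"] = int(row["recvq"])
            row["sendq"] = int(row["sendq"])
            rows.append(row)
    return rows


def local_port(addr):
    """BSD netstat prints host.port; the port (or service name) is the last field."""
    return addr.rsplit(".", 1)[-1]


def server_state_summary(rows, port="783"):
    """Count TCP states on the server side of the given listening port."""
    counts = Counter(r["state"] for r in rows if local_port(r["local"]) == port)
    return dict(counts)


def stuck_server_sockets(rows, port="783"):
    """Server-side sockets in CLOSE_WAIT that still hold unread bytes in Recv-Q.

    CLOSE_WAIT means the peer has sent FIN and the local application has not
    yet closed its end; unread Recv-Q means it also never consumed the data.
    A daemon child that has wedged looks like this from the outside."""
    return [r for r in rows
            if local_port(r["local"]) == port
            and r["state"] == "CLOSE_WAIT" and r["recvq"] > 0]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("states on :783 ->", server_state_summary(rows))
    for r in stuck_server_sockets(rows):
        print("stuck:", r["foreign"], "unread bytes:", r["recvq"])
```

On a live system feed it the output of netstat itself (`netstat -an | python3 netstat_audit.py` with a small read from stdin added); a non-empty `stuck_server_sockets` list growing over time is a better signal than a one-off count, since a handful of CLOSE_WAIT entries right after a burst of mail is normal.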
Get Magic Statistics From Mail::SpamAssassin
I'm writing a perl script to train SA, and I'm wondering how I can get the statistics that sa-learn --dump magic would give me? Thanks!
R: Get Magic Statistics From Mail::SpamAssassin
From: Daniel Aquino [mailto:[EMAIL PROTECTED]]

I'm writing a perl script to train SA, and I'm wondering how I can get the statistics that sa-learn --dump magic would give me? Thanks!

Which statistics? sa-learn --dump magic only gives some information about the bayes db status. See:

xxx ~ # su -s /bin/sh -c '/usr/bin/sa-learn --dump magic' - amavis
0.000 0 3 0 non-token data: bayes db version
0.000 0 42955 0 non-token data: nspam
0.000 0 24938 0 non-token data: nham
0.000 0 161062 0 non-token data: ntokens
0.000 0 1184337895 0 non-token data: oldest atime
0.000 0 1187116896 0 non-token data: newest atime
0.000 0 1187113117 0 non-token data: last journal sync atime
0.000 0 1187102847 0 non-token data: last expiry atime
0.000 0 2764800 0 non-token data: last expire atime delta
0.000 0 3256 0 non-token data: last expire reduction count

Giampaolo
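The `--dump magic` listing above has a fixed shape: the third column is the value and the text after `non-token data:` is the field name, with the atime fields being Unix timestamps. An added example (not sa-learn's code and not Daniel's script) that parses that output into a dict, checks whether the database has reached the default learning thresholds (bayes_min_spam_num and bayes_min_ham_num are 200 each unless configured otherwise), and converts the atime fields; the sample text reuses the values from Giampaolo's listing.

```python
import re
from datetime import datetime, timezone

# Sample in the format of `sa-learn --dump magic`, values taken from the
# listing quoted above.
SAMPLE_MAGIC = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0      42955          0  non-token data: nspam
0.000          0      24938          0  non-token data: nham
0.000          0     161062          0  non-token data: ntokens
0.000          0 1184337895          0  non-token data: oldest atime
0.000          0 1187116896          0  non-token data: newest atime
0.000          0 1187113117          0  non-token data: last journal sync atime
0.000          0 1187102847          0  non-token data: last expiry atime
0.000          0    2764800          0  non-token data: last expire atime delta
0.000          0       3256          0  non-token data: last expire reduction count
"""

# prob, spam count, <value>, ham count, "non-token data: <name>"
MAGIC_RE = re.compile(r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data:\s+(.+?)\s*$")


def parse_magic(text):
    """Map each non-token field name to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def bayes_ready(stats, min_spam=200, min_ham=200):
    """BAYES_* rules only score once both learning thresholds are met
    (SpamAssassin's defaults for bayes_min_spam_num/bayes_min_ham_num)."""
    return stats.get("nspam", 0) >= min_spam and stats.get("nham", 0) >= min_ham


def atime_to_iso(stats, key):
    """Render one of the atime fields as an ISO-8601 UTC timestamp."""
    return datetime.fromtimestamp(stats[key], tz=timezone.utc).isoformat()


def expiry_window_days(stats):
    """'last expire atime delta' is in seconds; express it in days."""
    return stats["last expire atime delta"] / 86400


if __name__ == "__main__":
    s = parse_magic(SAMPLE_MAGIC)
    print("spam/ham learned:", s["nspam"], s["nham"], "ready:", bayes_ready(s))
    print("newest token seen:", atime_to_iso(s, "newest atime"))
    print("expiry window (days):", expiry_window_days(s))
```

Feed it the text of `sa-learn --dump magic` run as the user that owns the Bayes database (as the su command above does); a training script that runs as a different user, or with a different bayes_path, reads a different database, which is the usual reason two tools disagree about the counts.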
[no subject]
I'm currently using:

my $spam_assassin = Mail::SpamAssassin->new({
    site_rules_filename => '/etc/mail/spamassassin/',
    dont_copy_prefs     => 1,
});

Would this be the correct way to initialize SA? I have been testing back and forth between my script and sa-learn and it appears that they are not using the same database...
PDF rule not matching -- split line content type?
So I've been getting a metric ton of PDF spam. Investigating the rule that is supposed to match this, I see

rawbody __TVD_BODY /\S{4}/
header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i
meta __TVD_MIME_ATT __TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF
meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY
describe TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i

The following message appears to match perfectly with this, except for perhaps that the content type is spread across two lines? I haven't checked the code, but would this matter?

Return-Path: [EMAIL PROTECTED]
Received: from mail.netconsonance.com ([unix socket]) by triceratops.netconsonance.com (Cyrus v2.3.8) with LMTPA; Tue, 14 Aug 2007 06:27:16 -0700
Received: from [84.21.29.58] ([84.21.29.58]) by mail.netconsonance.com (8.14.1/8.14.1) with ESMTP id l7EDR4UU095951 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 06:27:08 -0700 (PDT) (envelope-from [EMAIL PROTECTED])
X-Virus-Scanned: amavisd-new at netconsonance.com
X-Spam-Score: 2.033
X-Spam-Level: **
X-Spam-Status: No, score=2.033 tagged_above=-999 required=4 tests=[DK_POLICY_SIGNSOME=0.001, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.699, RCVD_IN_BL_SPAMCOP_NET=1.332]
Received: from x-6of7ca27m39al ([158.187.61.7]) by [84.21.29.58] with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Aug 2007 15:27:01 +0200
Message-ID: [EMAIL PROTECTED]
From: Yohann michels [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: bill-jrhett
Date: Tue, 14 Aug 2007 15:26:28 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_000E_01C7DE87.7C1E24D0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

--=_NextPart_000_000E_01C7DE87.7C1E24D0
Content-Type: multipart/alternative;
boundary==_NextPart_001_000F_01C7DE87.7C1E24D0

--=_NextPart_001_000F_01C7DE87.7C1E24D0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=windows-1250

--=_NextPart_001_000F_01C7DE87.7C1E24D0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=windows-1250

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ff>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

--=_NextPart_001_000F_01C7DE87.7C1E24D0--

--=_NextPart_000_000E_01C7DE87.7C1E24D0
Content-Transfer-Encoding: base64
Content-Type: application/octet-stream; name=marketing-jrhett.pdf
Content-Disposition: attachment; filename=marketing-jrhett.pdf

JVBERi0xLjUNJeLjz9MNCjIyIDAgb2JqPDwvSFs0MzYgMTQ4XS9MaW5lYXJpemVkIDEvRSAxNjU5
L0wgMTM1NzYvTiAxMC9PIDI2L1QgMTMwNzQ+Pg1lbmRvYmoNICAgICAgICAgICAgICAgICAgICAg
*snip*

-- 
Jo Rhett
Re: Rule for PDF and eCard Spam Needed
On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote:

PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE rules for the greeting cards, although our experience is they tend to get caught pretty well without help. Apparently though others need more help :-)

Just to make it clear what I and others keep saying on this topic: I'm using 4 different systems that have various 3.x versions of spamassassin, all of which use sa-update, and none of which are doing an adequate job of catching gif, pdf or ecard spam. It's upwards of 20 an hour on several systems. I think that rules which did a better job on these messages would be greatly appreciated. See my other post about the PDF not matching, with an example spam included.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
mail in quarantine has different hits from spamc
Hi, it does *not* always happen, but sometimes I get this (*this is a spam in my quarantine folder...*):

snip
*** Qmail-Scanner Quarantine Envelope Details Begin ***
snip
spamassassin: 3.1.7. SPAM Found. Processed in 2.719401 secs)
Quarantine-Description: SPAM content refused by this network (5.8/5.0)
*** Qmail-Scanner Envelope Details End ***

But, if I run spamc -R quarantined_email, spamassassin reports only 2.8 hits for the same message...

Content analysis details: (2.8 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
1.2 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
2.1 TVD_FW_GRAPHIC_ID1 BODY: TVD_FW_GRAPHIC_ID1
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.]
0.0 HTML_MESSAGE BODY: HTML included in message
1.0 PART_CID_STOCK Has a spammy image attachment (by Content-ID)

Why does this happen? How can I use sa-learn in these cases?
Re: So lets change it to sa-update doesn't
On 8/14/2007 2:18 PM, Gene Heskett wrote:

On Tuesday 14 August 2007, Daryl C. W. O'Shea wrote:

On 8/14/2007 6:31 AM, Kai Schaetzl wrote:

Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400:

Ok, is there a quick dirty way to determine which .pre file (or local.cf, there are 3 of those too) is actually running the show?

all the files in /etc/mail/spamassassin

No, that is something you put yourself there.

Sorry Kai, the comment string inserted in front of the loadplugin statements (all of them) specifically said that sa-update had disabled them because the --allowplugins wasn't being passed to sa-update.

Hm. Can just say I don't have it here, never seen it and sa-update is run from cron.daily and without any addition to the command line.

The openprotect SARE rules sa-update channel includes a pre file that loads just about every plugin known to man for some (unknown to me) reason. If you don't use the --allowplugins options with their channel sa-update will comment out the plugins they try to load to protect you from the channel running any code.

Daryl

Which explains what I found to a Tee, thanks Daryl. BTW, what is the name of their *.pre file?

According to one of your emails from yesterday, it's loadplugins.pre. It'll be the pre file in their update directory on your system.

Daryl
Re: So lets change it to sa-update doesn't
On Tuesday 14 August 2007, Daryl C. W. O'Shea wrote:

On 8/14/2007 6:31 AM, Kai Schaetzl wrote:

Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400:

Ok, is there a quick dirty way to determine which .pre file (or local.cf, there are 3 of those too) is actually running the show?

all the files in /etc/mail/spamassassin

No, that is something you put yourself there.

Sorry Kai, the comment string inserted in front of the loadplugin statements (all of them) specifically said that sa-update had disabled them because the --allowplugins wasn't being passed to sa-update.

Hm. Can just say I don't have it here, never seen it and sa-update is run from cron.daily and without any addition to the command line.

The openprotect SARE rules sa-update channel includes a pre file that loads just about every plugin known to man for some (unknown to me) reason. If you don't use the --allowplugins options with their channel sa-update will comment out the plugins they try to load to protect you from the channel running any code.

Daryl

Nother Q here. I went to the site and updated my crontab entry for the 3.20+ specs, then ran that from the cli with a copy-paste, added a -D when it came back in half a second, silently the first time, and got this, stripping the usual preamble:

[...]
[18342] dbg: gpg: adding key id [deleted by me]
[18342] dbg: gpg: Searching for 'gpg'
[18342] dbg: util: current PATH is: /usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[18342] dbg: util: executable for gpg was found at /usr/bin/gpg
[18342] dbg: gpg: found /usr/bin/gpg
[18342] dbg: gpg: release trusted key id list: [deleted by me]
[18342] dbg: channel: attempting channel saupdates.openprotect.com
[18342] dbg: channel: update directory /var/lib/spamassassin/3.002003/saupdates_openprotect_com
[18342] dbg: channel: channel cf file /var/lib/spamassassin/3.002003/saupdates_openprotect_com.cf
[18342] dbg: channel: channel pre file /var/lib/spamassassin/3.002003/saupdates_openprotect_com.pre
[18342] dbg: dns: query failed: 3.2.3.saupdates.openprotect.com = NXDOMAIN
[18342] dbg: channel: no updates available, skipping channel
[18342] dbg: diag: updates complete, exiting with code 1

So, we're back to my subject line, sa-update doesn't [Big Grin]

Whose NXDOMAIN error is this?

Thanks

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
Money is the root of all wealth.
Re: Rule for PDF and eCard Spam Needed
Jo Rhett wrote:

On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote:

PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE rules for the greeting cards, although our experience is they tend to get caught pretty well without help. Apparently though others need more help :-)

Just to make it clear what I and others keep saying on this topic: I'm using 4 different systems that have various 3.x versions of spamassassin, all of which use sa-update, and none of which are doing an adequate job of catching gif, pdf or ecard spam. It's upwards of 20 an hour on several systems. I think that rules which did a better job on these messages would be greatly appreciated. See my other post about the PDF not matching, with an example spam included.

Have you tried BOTNET? Have you tried clamav with sanesecurity?
Re: Rule for PDF and eCard Spam Needed
Jo Rhett wrote:

On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote:

PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE rules for the greeting cards, although our experience is they tend to get caught pretty well without help. Apparently though others need more help :-)

Just to make it clear what I and others keep saying on this topic: I'm using 4 different systems that have various 3.x versions of spamassassin, all of which use sa-update, and none of which are doing an adequate job of catching gif, pdf or ecard spam. It's upwards of 20 an hour on several systems. I think that rules which did a better job on these messages would be greatly appreciated.

I use the PDFinfo plugin from http://rulesemporium.com/plugins.htm and this ruleset for postcards/ecards - http://www.impsec.org/~jhardin/antispam/postcards.cf - which I customised a bit myself, and they are catching like 98% of all pdf and greeting card spam, if not more. Haven't really done the math, but that kind of spam was a real pain in the butt, and now I'd almost forgotten about it. :p

/Regards
Scoring question
Does this score:

0.001 BAYES_50 Bayesian spam probability is 40 to 60%

seem to be rather low for something with a 50% probability of being spam? SA 3.2.1 run within Maia with autolearning on.

Tnx

-- 
Rick Zeman
Manager of Information Technology
Melwood Horticultural Training Center
301.599.4574 - HelpDesk
301.599.4560 - MyDesk
http://www.melwood.org
Re: Rule for PDF and eCard Spam Needed
Interesting Tech Republic article, "Putting a stop to PDF spam", http://blogs.techrepublic.com.com/networking/?p=314&tag=nl.e019 which mentions the pdfinfo plugin for SA.
Re: Scoring question
On 8/14/2007 3:49 PM, Rick Zeman wrote:

Does this score: 0.001 BAYES_50 Bayesian spam probability is 40 to 60% seem to be rather low for something with a 50% probability of being spam?

Anything higher would seem to be a little high for something with a 50% probability of being ham.

Daryl
Using SpamAssassin to parse Received headers
Hey folks,

This is a question about using SpamAssassin's perl interface, not about filtering mail. I'm using 3.2.2 (soon to be 3.2.3) on OpenBSD, built from source.

In addition to using SA to filter my email, I'd also like to take advantage of SA's ability to parse Received headers for my own project. I store the entire spam in a database. What I want to do is to be able to parse out the Received headers' IP addresses from the full text of each email. I only really need the IP that hands off to my own servers, but it would be useful to get an array of all of them.

I am not at all a perl guru - I've written quite a bit of it, but more complex stuff than my simple scratchings makes my brain swell and hurt. If someone could give me a quick leg up in going from a variable containing the entire message to an array of IPs (or just the handoff IP, that's fine), I'd really appreciate it.

Thanks a bunch!

Benny

-- 
This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation
Re: Scoring question
Rick Zeman wrote:

Does this score: 0.001 BAYES_50 Bayesian spam probability is 40 to 60% seem to be rather low for something with a 50% probability of being spam? SA 3.2.1 run within Maia with autolearning on. Tnx

BAYES_50 means that bayes thinks there's a 50% chance it's ham and a 50% chance it's spam - so bayes should stay neutral because it has no opinion on this message.

arni
RE: Rule for PDF and eCard Spam Needed
Just to make it clear what I and others keep saying on this topic: I'm using 4 different systems that have various 3.x versions of spamassassin, all of which use sa-update, and none of which are doing an adequate job of catching gif, pdf or ecard spam. It's upwards of 20 an hour on several systems. I think that rules which did a better job on these messages would be greatly appreciated. See my other post about the PDF not matching, with an example spam included.

-- Jo Rhett

Jo,

Dunno if this is the best option... And food for thought only...

You might consider the clamav integration into SA, as clamav is catching all the ecard ones

- rh
Re: Rule for PDF and eCard Spam Needed
Jo Rhett wrote on Tue, 14 Aug 2007 13:27:20 -0700:

Well first I don't think many of us want to waste CPU cycles trying to analyze the contents of PDF files.

Right, and not only of PDFs. That's why many of us reject this stuff already at the MTA for technical reasons and thus rarely see this stuff. Problem solved. Without complaining. But if you don't want to detect with SA you *have* to analyze the PDF as the spammy content is in the PDF and not elsewhere. You cannot rely on some signs in the mail itself as they may easily change from day to day.

What can be done to get these tested and included in the main ruleset?

What is "these"? I don't see that you offered any rules catching that stuff. So, what do you want the developers or anyone to test?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: So lets change it to sa-update doesn't
Gene Heskett wrote on Tue, 14 Aug 2007 14:46:55 -0400:

[18342] dbg: dns: query failed: 3.2.3.saupdates.openprotect.com = NXDOMAIN
[18342] dbg: channel: no updates available, skipping channel
[18342] dbg: diag: updates complete, exiting with code 1

So, we're back to my subject line, sa-update doesn't [Big Grin]

Wrong, 3.2.3.saupdates.openprotect.com doesn't exist. There is nothing wrong with sa-update, but a lot with openprotect, as already some other people told. Actually, it seems that all your problems started when you started using openprotect.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: fake MX records
Kai Schaetzl wrote:

Marc Perkel wrote on Tue, 14 Aug 2007 07:13:16 -0700:

I'm using it on 1600 domains and it definitely works. I get no bot spam at all.

I doubt that this is because you have a fake low MX.

Kai

So what do you attribute my success in getting rid of all bot spam to?
Re: Using SpamAssassin to parse Received headers
Hey folks,

This is a question about using SpamAssassin's perl interface, not about filtering mail. I'm using 3.2.2 (soon to be 3.2.3) on OpenBSD, built from source. In addition to using SA to filter my email, I'd also like to take advantage of SA's ability to parse Received headers for my own project.

I think looking at the Botnet.pm plugin would give some hints to you. Not a perl guru myself, though..
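Benny's question and the reply above both point at SpamAssassin's own Received-header parsing. As an added example (not Benny's code, not SpamAssassin's parser, and in Python rather than the Perl interface he asked about), here is the same job done standalone: unfold the header block, walk the Received headers top-down, pull the address out of each "from" clause, and pick the handoff IP as the first hop whose "by" host is one of your own MTAs. The message, the host names and the TEST-NET addresses are constructed; the set of "my" hosts is an assumption you would fill in from your own Received headers.

```python
import re

# Constructed message in the shape of the headers quoted elsewhere in this
# thread; hosts and addresses are placeholders (RFC 5737 TEST-NET ranges).
SAMPLE_MSG = (
    "Return-Path: <sender@example.net>\n"
    "Received: from mx.example.org ([unix socket])\n"
    "\tby imap.example.org (Cyrus v2.3.8) with LMTPA;\n"
    "\tTue, 14 Aug 2007 06:27:16 -0700\n"
    "Received: from [198.51.100.7] ([198.51.100.7])\n"
    "\tby mx.example.org (8.14.1/8.14.1) with ESMTP id ABC123\n"
    "\tfor <user@example.org>; Tue, 14 Aug 2007 06:27:08 -0700 (PDT)\n"
    "Received: from x-6of7ca27m39al ([192.0.2.33])\n"
    "\tby [198.51.100.7] with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "\tTue, 14 Aug 2007 15:27:01 +0200\n"
    "From: sender@example.net\n"
    "Subject: test\n"
    "\n"
    "body text\n"
)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfolded_headers(raw):
    """Split the header block from the body and unfold RFC 5322 continuation
    lines (leading space or tab); returns (name, value) pairs in wire order."""
    block = raw.split("\n\n", 1)[0]
    lines = []
    for line in block.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(raw):
    """One dict per Received header, top (newest) to bottom (oldest): the IP
    in the 'from' clause (None when there is none, e.g. a unix socket) and
    the host named in the 'by' clause."""
    hops = []
    for name, value in unfolded_headers(raw):
        if name.lower() != "received":
            continue
        parts = re.split(r"\s+by\s+", value, maxsplit=1)
        from_part = parts[0]
        by_host = parts[1].split()[0] if len(parts) > 1 else None
        m = IPV4_RE.search(from_part)
        hops.append({"from_ip": m.group(1) if m else None, "by": by_host})
    return hops


def handoff_ip(raw, my_hosts):
    """The address that connected to one of *my* MTAs: the first hop, top-down,
    whose 'by' host is mine and whose 'from' clause carries an address. Only
    that header was written by a machine you control; every Received header
    below it arrived with the message and may say anything the sender likes."""
    for hop in received_hops(raw):
        if hop["by"] in my_hosts and hop["from_ip"]:
            return hop["from_ip"]
    return None


if __name__ == "__main__":
    print([h["from_ip"] for h in received_hops(SAMPLE_MSG)])
    print(handoff_ip(SAMPLE_MSG, {"mx.example.org", "imap.example.org"}))
```

The "array of all of them" Benny mentions is the `from_ip` list, but for anything that feeds a blocklist or a score only the handoff address is worth trusting; SpamAssassin reaches the same distinction through its trusted_networks setting, which this standalone version replaces with the explicit `my_hosts` set.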
Re: Rule for PDF and eCard Spam Needed
On Tue, 14 Aug 2007, Diego Pomatta wrote:

and this ruleset for postcards/ecards - http://www.impsec.org/~jhardin/antispam/postcards.cf

We're starting to get into whack-a-mole territory with the postcard spams. There will be another update out tonight.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...every time I sit down in front of a Windows machine I feel as if the computer is just a place for the manufacturers to put their advertising. -- fwadling on Y! SCOX
---
Tomorrow: The 62nd anniversary of the end of World War II
Re: Get Magic Statistics From Mail::SpamAssassin
On Tue, Aug 14, 2007 at 02:46:00PM -0400, Daniel Aquino wrote:

I'm writing a perl script to train SA, and I'm wondering how I can get the statistics that sa-learn --dump magic would give me?

FWIW, if you're writing perl you should feel free to edit sa-learn and see how it's done. :) (hint: there's a M::SA function you can call, though apparently it isn't fully documented in the POD. :()

-- 
Randomly Selected Tagline:
Bush keeps saying the terrorists hate us for our freedom, and he's working damn hard to see that pretty soon, that won't be a problem. - Bill Maher, Real Time with Bill Maher, Episode 87
DCC Troubles
I am getting this continuously in my maillog log file running exim and SA.

dccproc[18723]: open(/var/dcc/map): Permission denied

I have DCC installed.

[EMAIL PROTECTED] ~]# rpm -qa | grep dcc -i
dcc-1.3.57-0.rhel4

Any idea what is wrong?

Matt
Re: So lets change it to sa-update doesn't
On 8/14/2007 2:46 PM, Gene Heskett wrote:

On Tuesday 14 August 2007, Daryl C. W. O'Shea wrote:

On 8/14/2007 6:31 AM, Kai Schaetzl wrote:

Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400:

Ok, is there a quick dirty way to determine which .pre file (or local.cf, there are 3 of those too) is actually running the show?

all the files in /etc/mail/spamassassin

No, that is something you put yourself there.

Sorry Kai, the comment string inserted in front of the loadplugin statements (all of them) specifically said that sa-update had disabled them because the --allowplugins wasn't being passed to sa-update.

Hm. Can just say I don't have it here, never seen it and sa-update is run from cron.daily and without any addition to the command line.

The openprotect SARE rules sa-update channel includes a pre file that loads just about every plugin known to man for some (unknown to me) reason. If you don't use the --allowplugins options with their channel sa-update will comment out the plugins they try to load to protect you from the channel running any code.

Daryl

Nother Q here. I went to the site and updated my crontab entry for the 3.20+ specs, then ran that from the cli with a copy-paste, added a -D when it came back in half a second, silently the first time, and got this, stripping the usual preamble:

[...]
[18342] dbg: gpg: adding key id [deleted by me]
[18342] dbg: gpg: Searching for 'gpg'
[18342] dbg: util: current PATH is: /usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[18342] dbg: util: executable for gpg was found at /usr/bin/gpg
[18342] dbg: gpg: found /usr/bin/gpg
[18342] dbg: gpg: release trusted key id list: [deleted by me]
[18342] dbg: channel: attempting channel saupdates.openprotect.com
[18342] dbg: channel: update directory /var/lib/spamassassin/3.002003/saupdates_openprotect_com
[18342] dbg: channel: channel cf file /var/lib/spamassassin/3.002003/saupdates_openprotect_com.cf
[18342] dbg: channel: channel pre file /var/lib/spamassassin/3.002003/saupdates_openprotect_com.pre
[18342] dbg: dns: query failed: 3.2.3.saupdates.openprotect.com = NXDOMAIN
[18342] dbg: channel: no updates available, skipping channel
[18342] dbg: diag: updates complete, exiting with code 1

So, we're back to my subject line, sa-update doesn't [Big Grin]

Whose NXDOMAIN error is this?

NXDOMAIN isn't an error (at least not a DNS error), the record simply does not exist. For some, again unknown, reason (although I've speculated about why it's this way [1]) openprotect is always way behind in publishing the needed DNS record for each new release of SA. Just use my channels [2] and be done with the hassle once and for all.

Daryl

[1] http://daryl.dostech.ca/blog/2007/02/15/apache-spamassassin-318-released/
[2] http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
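Daryl's point in this thread is that sa-update comments out the loadplugin lines in a channel's .pre file unless --allowplugins is passed, which is why Gene found them disabled and could not tell which .pre file was "running the show". An added example (not sa-update's code; the only assumption is that a disabled line is a `loadplugin` line that now starts with `#`, whatever annotation sa-update appended after it) that audits every .pre file below an update directory and reports, per file, which plugins are active and which were commented out. The sample tree is constructed in a temporary directory with placeholder channel names.

```python
import re
import tempfile
from pathlib import Path

# A loadplugin line, optionally commented out: "#loadplugin X" or "# loadplugin X ...".
LOADPLUGIN_RE = re.compile(r"^(?P<comment>#\s*)?loadplugin\s+(?P<plugin>\S+)(?P<rest>.*)$")


def audit_pre_text(text):
    """Return {'active': [...], 'disabled': [...]} for one .pre file's text."""
    active, disabled = [], []
    for raw in text.splitlines():
        m = LOADPLUGIN_RE.match(raw.strip())
        if not m:
            continue  # blank lines, ordinary comments, other directives
        (disabled if m.group("comment") else active).append(m.group("plugin"))
    return {"active": active, "disabled": disabled}


def audit_tree(root, pattern="*.pre"):
    """Audit every .pre file below `root` (e.g. the sa-update state directory
    quoted in the debug output above); keyed by file name, sorted."""
    return {p.name: audit_pre_text(p.read_text())
            for p in sorted(Path(root).rglob(pattern))}


def build_sample_tree():
    """Construct a throwaway update directory with two sample .pre files
    (placeholder channel names; the commented lines model what a channel's
    pre file looks like after sa-update ran without --allowplugins)."""
    root = Path(tempfile.mkdtemp(prefix="sa-pre-audit-"))
    (root / "saupdates_example_com.pre").write_text(
        "# sample channel pre file (constructed)\n"
        "#loadplugin Mail::SpamAssassin::Plugin::Shortcircuit  # disabled\n"
        "# loadplugin Mail::SpamAssassin::Plugin::AWL\n"
        "loadplugin Mail::SpamAssassin::Plugin::URIDNSBL\n"
    )
    (root / "local_channel_example.pre").write_text(
        "loadplugin Mail::SpamAssassin::Plugin::Check\n"
        "loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch\n"
    )
    return root


if __name__ == "__main__":
    for name, report in audit_tree(build_sample_tree()).items():
        print(name, "active:", report["active"], "disabled:", report["disabled"])
```

Run it against /var/lib/spamassassin/<version> and against /etc/mail/spamassassin to see every loadplugin line that will and will not take effect; to confirm which files the running installation actually reads, `spamassassin -D --lint` logs each configuration file as it loads it.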
Re: Sample eCard Rules...
Jared Hall wrote:

Some quick eCard rules:

header JARED_ECARD Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i

A good start, but that rule could be simplified quite a lot. For starters, don't do (a|an).. it's much faster to do an? instead. Also, in this case the \!? at the end is pointless. Regexes match substrings, so you could just leave that whole part off with zero change in what will match. In general, for regexes that are used to detect matches only (ie: SA rules), if you end in . + * or ? you're doing something wasteful and pointless and should re-examine the regex. Unless you add a $ at the end, you don't have to match the whole text, so don't waste time trying to match optional characters at the end.

Here's a variant I use..

header L_S_SUBJPOSTCARD Subject =~ /\bYou've received an? (?:greeting)?(?:e|post)?card from a .{4,20}!/
describe L_S_SUBJPOSTCARD greeting card virus

Notes: mine won't catch the "You've received a greeting from a" variant yours picks up, but I've never seen that one myself. Every one I've seen of this type has "card" in it somewhere. Mine's also a bit less specific, as it just uses a .{4,20} where yours bothers to list out all the possible texts the virus uses. I feel it's unlikely to match anything nonspam, but greatly reduces the resource usage of the rule. Mine requires the exclamation point at the end, where yours makes it optional (and should just leave it off as above).
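Loren's two general points (`an?` does the job of `(a|an)`, and an optional token at the very end of a match-only regex can never change whether it matches) are easy to check empirically, and so is how the two rules differ. The following is an added example, not code from either poster: Jared's rule, the same rule with just those two simplifications applied, and Loren's variant are run over a handful of constructed subject lines. It shows that the simplified rule has exactly Jared's match set, and that Loren's variant has a different one: it needs the trailing "!", and because nothing in `(?:greeting)?(?:e|post)?card` admits a space before "card", the two-word spelling "greeting card" does not match it.

```python
import re

# Jared's rule as posted (line-wrap spaces inside the alternations removed),
# as a Python regex with the same /i flag.
JARED = re.compile(
    r"You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) "
    r"from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|"
    r"partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|"
    r"buddy|pal)\!?", re.I)

# Same rule with Loren's two simplifications and nothing else changed:
# an? instead of (a|an), and no trailing \!?.
JARED_SIMPLIFIED = re.compile(
    r"You\'ve received an? (greeting|postcard|ecard|greeting ecard|greeting card) "
    r"from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|"
    r"partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|"
    r"buddy|pal)", re.I)

# Loren's variant as posted (no /i flag).
LOREN = re.compile(r"\bYou've received an? (?:greeting)?(?:e|post)?card from a .{4,20}!")

# Constructed subject lines covering the spellings the thread talks about.
SUBJECTS = [
    "You've received a postcard from a friend!",
    "You've received a greeting card from a colleague!",
    "You've received a greeting from a family member",
    "You've received an ecard from a school mate!",
    "You've received a postcard from a friend",
    "Re: postcard from the weekend",
]


def matching(rx, subjects=SUBJECTS):
    """Subjects the rule would hit (SA rules are substring searches, so re.search)."""
    return [s for s in subjects if rx.search(s)]


def same_match_set(rx_a, rx_b, subjects=SUBJECTS):
    """True when two rules hit exactly the same subjects in the sample."""
    return matching(rx_a, subjects) == matching(rx_b, subjects)


if __name__ == "__main__":
    for name, rx in (("JARED", JARED), ("JARED_SIMPLIFIED", JARED_SIMPLIFIED), ("LOREN", LOREN)):
        print(name, "->", matching(rx))
    print("simplification preserves Jared's matches:", same_match_set(JARED, JARED_SIMPLIFIED))
```

Whether the narrower match set is acceptable is a tuning decision (fewer alternations is cheaper, and the "!" requirement buys some precision), but it is a change in what the rule catches, not just in cost, and a sample like this is the cheap way to see that before the rule goes live.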
Re: Scoring question
Rick Zeman wrote:

Does this score: 0.001 BAYES_50 Bayesian spam probability is 40 to 60% seem to be rather low for something with a 50% probability of being spam?

No, as it has a 50% probability of being nonspam too. 50% is the exactly undecided mark.
Re: fake MX records
Marc Perkel wrote on Tue, 14 Aug 2007 14:52:22 -0700: So what do you attribute my success in getting rid of all bot spam to? As I don't know your setup this would be pure speculation. However, as *I* am not using fake MXs, but several other MTA techniques and see not much Botnet spam either I would suspect that it's rather the other techniques that cut it. On the other hand, I wonder how you can collect so much spam or spammer IPs (as you claim and I believe it) if no Botnet spam reaches you. Please, don't use HTML on mailing lists, thanks! Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Re: Rule for PDF and eCard Spam Needed
On Aug 14, 2007, at 2:22 PM, Robert - elists wrote: You might consider the clamav integration into SA, as clamav is catching all the ecard ones Apparently with alternate virus files, which I had not yet tested. Someone mentioned that earlier today and I'm investigating it. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Rule for PDF and eCard Spam Needed
On Aug 14, 2007, at 2:31 PM, Kai Schaetzl wrote: What can be done to get these tested and included in the main ruleset? What is these? I don't see that you offered any rules catching that stuff. So, what do you want the developers or anyone to test? People refer to rulesets they've created. I am not an SA committer, so I can't run these through their test environment and them commit them to the tree. So I'm asking someone who is if they'd be willing to do this. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
RE: Rule for PDF and eCard Spam Needed
Apparently with alternate virus files, which I had not yet tested. Someone mentioned that earlier today and I'm investigating it. -- Jo Rhett Jo I don't use alternative files that I am aware of anyways... just stock clamav And... I hear ya, yet clamav plugin *integration* into SA scores as I understand it, where stock clamav quarantines http://wiki.apache.org/spamassassin/ClamAVPlugin I haven't figured it out yet as there appears to be some good and bad experiences and differing outlooks on this solution Therefore you can score high and smtp reject as opposed to just quarantine and some other email event for admin or rcpt person(s)... Maybe I am wrong... Just food for thought. - rh
Re: Rule for PDF and eCard Spam Needed
Robert - elists wrote:

I don't use alternative files that I am aware of anyways... just stock clamav

the ecard stuff is not the normal clamav virus databases.

And... I hear ya, yet clamav plugin *integration* into SA scores as I understand it, where stock clamav quarantines

We use amavis which integrates them cleanly.

Therefore you can score high and smtp reject as opposed to just quarantine and some other email event for admin or rcpt person(s)...

We never quarantine. Reject or tag and pass through depending on the user's settings. Quarantine requires someone to go clean it up, etc.

-- 
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
Re: So lets change it to sa-update doesn't
Gene Heskett wrote:

So what needs to be used in place of saupdates.openprotect.com? I might add that rulesdujour seems to work, but I've not regularly abused their site since the DDOS started.

Daryl does a good job of providing all the sare rulesets via sa-update. All the details are on this (short and easy to read) page. http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt

-- 
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
Re: PDF rule not matching -- split line content type?
Can someone clue me in on why this rule isn't matching?

Jo Rhett wrote:

So I've been getting a metric ton of PDF spam. Investigating the rule that is supposed to match this, I see

rawbody __TVD_BODY /\S{4}/
header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i
meta __TVD_MIME_ATT __TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF
meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY
describe TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i

The following message appears to match perfectly with this, except for perhaps that the content type is spread across two lines? I haven't checked the code, but would this matter?

Return-Path: [EMAIL PROTECTED]
Received: from mail.netconsonance.com ([unix socket]) by triceratops.netconsonance.com (Cyrus v2.3.8) with LMTPA; Tue, 14 Aug 2007 06:27:16 -0700
Received: from [84.21.29.58] ([84.21.29.58]) by mail.netconsonance.com (8.14.1/8.14.1) with ESMTP id l7EDR4UU095951 for [EMAIL PROTECTED]; Tue, 14 Aug 2007 06:27:08 -0700 (PDT) (envelope-from [EMAIL PROTECTED])
X-Virus-Scanned: amavisd-new at netconsonance.com
X-Spam-Score: 2.033
X-Spam-Level: **
X-Spam-Status: No, score=2.033 tagged_above=-999 required=4 tests=[DK_POLICY_SIGNSOME=0.001, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.699, RCVD_IN_BL_SPAMCOP_NET=1.332]
Received: from x-6of7ca27m39al ([158.187.61.7]) by [84.21.29.58] with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Aug 2007 15:27:01 +0200
Message-ID: [EMAIL PROTECTED]
From: Yohann michels [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: bill-jrhett
Date: Tue, 14 Aug 2007 15:26:28 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_000E_01C7DE87.7C1E24D0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

--=_NextPart_000_000E_01C7DE87.7C1E24D0
Content-Type: multipart/alternative;
boundary==_NextPart_001_000F_01C7DE87.7C1E24D0

--=_NextPart_001_000F_01C7DE87.7C1E24D0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=windows-1250

--=_NextPart_001_000F_01C7DE87.7C1E24D0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=windows-1250

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ff>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

--=_NextPart_001_000F_01C7DE87.7C1E24D0--

--=_NextPart_000_000E_01C7DE87.7C1E24D0
Content-Transfer-Encoding: base64
Content-Type: application/octet-stream; name=marketing-jrhett.pdf
Content-Disposition: attachment; filename=marketing-jrhett.pdf

JVBERi0xLjUNJeLjz9MNCjIyIDAgb2JqPDwvSFs0MzYgMTQ4XS9MaW5lYXJpemVkIDEvRSAxNjU5
L0wgMTM1NzYvTiAxMC9PIDI2L1QgMTMwNzQ+Pg1lbmRvYmoNICAgICAgICAgICAgICAgICAgICAg
*snip*

-- 
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
Re: PDF rule not matching -- split line content type?
rawbody __TVD_BODY /\S{4}/
    true

header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i
    true

mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
    false

mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
    maybe true, maybe not. I would hope newlines were translated to spaces by the mimehdr plugin, but maybe they weren't. Try /is instead of /i and see if it helps.

meta __TVD_MIME_ATT __TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF
    maybe true

meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY
    __TVD_MIME_CT_MM   true
    __TVD_MIME_ATT_TP  undefined here, can't say
    __TVD_MIME_ATT     maybe true
    !__TVD_BODY        true

So, not knowing what is in __TVD_MIME_ATT_TP, I haven't a clue if it will fire, since that is part of an 'and'. If I assume it to be true then I'm still not sure because of the multiline possibility in __TVD_MIME_ATT.

Loren

describe TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint

----- Original Message -----
From: Jo Rhett [EMAIL PROTECTED]
To: SpamAssassin Users users@spamassassin.apache.org
Sent: Tuesday, August 14, 2007 10:16 PM
Subject: Re: PDF rule not matching -- split line content type?

> Can someone clue me in on why this rule isn't matching?
> *snip*
Re: PDF rule not matching -- split line content type?
The rawbody rule finds the text/html part as non-empty, so __TVD_BODY is false, making the TVD_PDF_FINGER01 rule false.

On Tue, Aug 14, 2007 at 10:16:42PM -0700, Jo Rhett wrote:
> Can someone clue me in on why this rule isn't matching?
> *snip*

-- 
Randomly Selected Tagline:
Low probability events do happen, which is why people still play the lottery.
  - Elizabeth Zwicky at LISA '99
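The walk-through Loren gives and Theo's one-line answer can be checked mechanically. What follows is an added example, not code from the thread and not SpamAssassin's own implementation: a Python re-implementation of the sub-rules quoted above, run against a constructed message with the same MIME shape as the posted spam (placeholder addresses, an HTML part holding only Outlook-style boilerplate, and an application/octet-stream attachment whose Content-Type header is folded over two lines). It assumes, as the thread's own reasoning does, that rawbody rules see the transfer-decoded text of each text/* part with the HTML markup still in it, and that mimeheader rules see a part's header with the folding removed. __TVD_MIME_ATT_TP is never defined anywhere in the thread, so the meta rule is evaluated only over the conjuncts that are visible. `aopdf_on_folded_header` exercises Loren's /is suggestion against the raw, still-folded header value.

```python
# Added example (not from the thread, not SpamAssassin code). Assumptions:
# rawbody = transfer-decoded text of every text/* part, markup included;
# mimeheader = each part's header with line folding removed.
import email
import re
from email import policy

# Constructed HTML body in the style of the posted spam's text/html part.
HTML_BOILERPLATE = (b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\n'
                    b'<HTML><HEAD></HEAD><BODY></BODY></HTML>\n')


def build_sample(html_body: bytes) -> bytes:
    """Constructed message (placeholder addresses): multipart/mixed wrapping
    multipart/alternative (empty text/plain + the given text/html) plus a
    base64 attachment whose Content-Type header is folded over two lines."""
    return (b"From: sender@example.invalid\n"
            b"To: user@example.invalid\n"
            b"Subject: bill-user\n"
            b"MIME-Version: 1.0\n"
            b'Content-Type: multipart/mixed; boundary="=_Outer"\n\n'
            b"--=_Outer\n"
            b'Content-Type: multipart/alternative; boundary="=_Inner"\n\n'
            b"--=_Inner\n"
            b"Content-Transfer-Encoding: quoted-printable\n"
            b"Content-Type: text/plain; charset=windows-1250\n\n\n"
            b"--=_Inner\n"
            b"Content-Transfer-Encoding: quoted-printable\n"
            b"Content-Type: text/html; charset=windows-1250\n\n"
            + html_body +
            b"--=_Inner--\n\n"
            b"--=_Outer\n"
            b"Content-Transfer-Encoding: base64\n"
            b"Content-Type: application/octet-stream;\n"
            b'\tname="marketing-user.pdf"\n'
            b'Content-Disposition: attachment; filename="marketing-user.pdf"\n\n'
            b"JVBERi0xLjUNJeLjz9MNCg==\n"  # base64 of a bare '%PDF-1.5' header line
            b"--=_Outer--\n")


def unfold(value) -> str:
    """Collapse header folding (line break plus leading whitespace) into spaces."""
    return re.sub(r"\s+", " ", str(value)).strip()


def rawbody_hit(msg, rx) -> bool:
    """rawbody: true if any text/* leaf part matches after transfer-decoding."""
    return any(rx.search(p.get_content()) for p in msg.walk()
               if not p.is_multipart() and p.get_content_maintype() == "text")


def header_hit(msg, name, rx) -> bool:
    """header: the top-level message header only."""
    v = msg.get(name)
    return v is not None and rx.search(unfold(v)) is not None


def mimeheader_hit(msg, name, rx) -> bool:
    """mimeheader: the named header of every MIME part, root included."""
    return any(rx.search(unfold(v)) for p in msg.walk() for v in p.get_all(name, []))


# The sub-rules exactly as quoted in the thread, minus the undefined __TVD_MIME_ATT_TP.
RULES = {
    "__TVD_BODY":           (rawbody_hit,    None,           re.compile(r"\S{4}")),
    "__TVD_MIME_CT_MM":     (header_hit,     "Content-Type", re.compile(r"^multipart/mixed", re.I)),
    "__TVD_MIME_ATT_AP":    (mimeheader_hit, "Content-Type", re.compile(r"^application/pdf", re.I)),
    "__TVD_MIME_ATT_AOPDF": (mimeheader_hit, "Content-Type",
                             re.compile(r"^application/octet-stream.*\.pdf", re.I)),
}


def evaluate(raw: bytes) -> dict:
    """Return each sub-rule's result plus the visible part of the meta rule."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {name: (fn(msg, rx) if hdr is None else fn(msg, hdr, rx))
            for name, (fn, hdr, rx) in RULES.items()}
    hits["__TVD_MIME_ATT"] = hits["__TVD_MIME_ATT_AP"] or hits["__TVD_MIME_ATT_AOPDF"]
    hits["TVD_PDF_FINGER01_visible"] = (hits["__TVD_MIME_CT_MM"] and hits["__TVD_MIME_ATT"]
                                        and not hits["__TVD_BODY"])
    return hits


def failing_conjuncts(hits: dict) -> list:
    """Names of the visible conjuncts that stop TVD_PDF_FINGER01 firing."""
    checks = [("__TVD_MIME_CT_MM", hits["__TVD_MIME_CT_MM"]),
              ("__TVD_MIME_ATT", hits["__TVD_MIME_ATT"]),
              ("!__TVD_BODY", not hits["__TVD_BODY"])]
    return [name for name, ok in checks if not ok]


def aopdf_on_folded_header(unfold_first: bool, dotall: bool) -> bool:
    """Loren's /is question: run the AOPDF regex on the attachment's folded
    Content-Type value. '.' never crosses a newline unless /s is set, so the
    rule matches only if the header was unfolded first or /s is present."""
    folded = 'application/octet-stream;\r\n\tname="marketing-user.pdf"'
    value = unfold(folded) if unfold_first else folded
    rx = re.compile(r"^application/octet-stream.*\.pdf", re.I | (re.S if dotall else 0))
    return rx.search(value) is not None


if __name__ == "__main__":
    for label, html in (("posted shape", HTML_BOILERPLATE), ("empty html part", b"")):
        hits = evaluate(build_sample(html))
        print(label, hits, "failing:", failing_conjuncts(hits))
    for args in ((False, False), (False, True), (True, False)):
        print("AOPDF unfold=%s dotall=%s -> %s" % (*args, aopdf_on_folded_header(*args)))
```

Run stand-alone, the posted shape leaves `!__TVD_BODY` as the only visible conjunct that fails: the `<!DOCTYPE` token alone satisfies /\S{4}/, so the "empty" HTML part is not empty as far as a rawbody rule is concerned. With the HTML part actually emptied, every visible conjunct holds. The folded-header check shows the distinction Loren's suggestion turns on: /i alone fails on a value that still contains the line break, while /is or unfolding beforehand succeeds. Whether a given SpamAssassin release unfolds before mimeheader matching is not settled by the thread, which is why the example tests both paths rather than assuming one.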