Is there a test on blacklisted nameservers

2007-09-04 Thread ram
I am using SA 3.2.3 and very few spam get thru
But I can still see some spam with urls because the urls are not yet
listed in uribls 

I tried to do some analysis on my quarantine, I found at least some
spammer domains have the same NS records. 

Now in my spamassassin can I do a DNS check (on all domains in body-urls
or mail-from, reply-to etc)  to find their NS records and score them on
bad NS servers. 
What is the risk of FP's because innocent DNS providers may see
themselves getting listed 


Thanks
Ram







Re: autolearn=failed

2007-09-04 Thread Dave Funk

On Tue, 4 Sep 2007, Raquel wrote:

> On Tue, 4 Sep 2007 16:34:49 -0500 (CDT)
> David B Funk <[EMAIL PROTECTED]> wrote:
>
> > On Mon, 3 Sep 2007, Raquel wrote:
> >
> > > On Mon, 3 Sep 2007 18:31:03 -0700
> > > Raquel <[EMAIL PROTECTED]> wrote:
> > >
> > > > I'm setting up a new server.  However, email sent to the
> > > > server keeps getting "autolearn=failed".  I don't seem to be
> > > > able to figure out what is causing that.

[snip..]

> > > My local.cf says:
> > > bayes_auto_learn 1
> > > use_bayes_rules 1
> > > bayes_auto_learn_threshold_nonspam 0.1
> > > bayes_auto_learn_threshold_spam 10
> >
> > As you want a site-wide Bayes, you also need the "bayes_path"
> > parameter. What setting do you have for "bayes_path" (note it
> > isn't a simple directory name).
>
> bayes_path /usr/spamassassin/bayes
> bayes_file_mode 0777


OK, is the directory "/usr/spamassassin" writable by the user-ID that
you are running spamd as? What happens if you do a:
   chmod 1777 /usr/spamassassin

and then retest?

Strong suggestion, do -not- put your bayes stuff into a directory
that contains other SA components. Best to have a directory in your "/var"
partition just for the bayes stuff.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
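
The checks suggested in this reply, collected into one script (an added example, not part of the original message and not SpamAssassin's own code). It reads `bayes_path` and `bayes_file_mode` from a `.cf` file and reports findings; the function names and finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: sanity-check the Bayes settings discussed in this thread.
# Run it as the user spamd runs as, so the -w test reflects that user's access.

# conf_value FILE KEY: print the last value assigned to KEY in a .cf file.
conf_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# audit_bayes FILE: print one finding per line, or "OK" if there are none.
audit_bayes() {
    conf=$1
    findings=""
    add() { findings="${findings}$*
"; }

    path=$(conf_value "$conf" bayes_path)
    mode=$(conf_value "$conf" bayes_file_mode)

    if [ -z "$path" ]; then
        add "MISSING bayes_path (needed for a site-wide database)"
    elif [ -d "$path" ]; then
        # bayes_path is directory + file name prefix, not a directory.
        add "ISDIR $path is a directory; bayes_path must end in a file name prefix"
    else
        dir=$(dirname "$path")
        if [ ! -d "$dir" ]; then
            add "NODIR $dir does not exist"
        else
            [ -w "$dir" ] || add "NOTWRITABLE $dir for user $(id -un)"
            # Mode string from ls, e.g. drwxrwxrwx (0777) or drwxrwxrwt (1777).
            perms=$(ls -ld "$dir" | cut -c1-10)
            case $perms in
                d???????w[!tT])
                    add "NOSTICKY $dir is world-writable without the sticky bit ($perms)" ;;
            esac
            # Rule, plugin or module files next to the database mean the
            # directory is shared with other SpamAssassin components.
            for f in "$dir"/*.cf "$dir"/*.pre "$dir"/*.pm; do
                if [ -e "$f" ]; then
                    add "SHARED $dir also holds ${f##*/}"
                    break
                fi
            done
        fi
    fi

    # A final octal digit of 2, 3, 6 or 7 grants write access to "other".
    case $mode in
        *[2367]) add "WORLDWRITE bayes_file_mode $mode lets any local user modify the database" ;;
    esac

    if [ -n "$findings" ]; then printf '%s' "$findings"; else echo OK; fi
}

# Usage: sh check-bayes.sh /path/to/local.cf
if [ -n "${1:-}" ]; then audit_bayes "$1"; fi
```
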


Re: autolearn=failed

2007-09-04 Thread Raquel
On Tue, 4 Sep 2007 16:34:49 -0500 (CDT)
David B Funk <[EMAIL PROTECTED]> wrote:

> On Mon, 3 Sep 2007, Raquel wrote:
> 
> > On Mon, 3 Sep 2007 18:31:03 -0700
> > Raquel <[EMAIL PROTECTED]> wrote:
> >
> > > I'm setting up a new server.  However, email sent to the
> > > server keeps getting "autolearn=failed".  I don't seem to be
> > > > able to figure out what is causing that.
> > >
> > > --
> > > Raquel
> > >
> >
> > I should say that this server is Debian Etch w/spamassassin
> > version 3.1.7.
> >
> > My local.cf says:
> > bayes_auto_learn 1
> > use_bayes_rules 1
> > bayes_auto_learn_threshold_nonspam 0.1
> > bayes_auto_learn_threshold_spam 10
> 
> As you want a site-wide Bayes, you also need the "bayes_path"
> parameter. What setting do you have for "bayes_path" (note it
> isn't a simple directory name).
> 
> 
> -- 
> Dave Funk
> 

bayes_path /usr/spamassassin/bayes
bayes_file_mode 0777

-- 
Raquel

If we cannot end now our differences, at least we can make the world
safe for diversity.
  --John F. Kennedy



Re: RulesDuJour

2007-09-04 Thread Daryl C. W. O'Shea

[EMAIL PROTECTED] wrote:

> I was thinking of looking into RulesDuJour as an alternative to
> sa-update, as there hasn't been anything to update since July, unless
> one installs yet unreleased versions of SpamAssassin. ("find var -ls"
> to check.)


Why are you so concerned about updates for the sake of updates? 
Generally we only feel compelled to write rules and release them when 
there's a need for them (remember, we're all volunteers).  Personally, 
I've been receiving very, very little spam that isn't caught by SA.


If you'd like to use RDJ go for it.  The SARE rules (which are available 
via sa-update anyway, and from what I've heard only reliably via 
sa-update) haven't been updated much in the last 6 months either:


[EMAIL PROTECTED] channels]$ find . -type f -mtime -180 -name "*.gz" -exec ls -l {} \; | cut -d' ' -f7-

May 28 13:14 ./70_sare_obfu.cf/200705281000.tar.gz
May 28 14:14 ./70_sare_obfu.cf/200705281100.tar.gz
May 29 16:14 ./70_sare_obfu.cf/200705291300.tar.gz
Jun  1 05:14 ./70_sare_obfu.cf/200706010200.tar.gz
Jun  4 21:14 ./70_sare_obfu.cf/200706041800.tar.gz
Jun  5 11:14 ./70_sare_obfu.cf/200706050800.tar.gz
May 21 10:14 ./70_sare_obfu1.cf/200705210700.tar.gz
May 21 11:14 ./70_sare_obfu1.cf/200705210800.tar.gz
May 28 13:14 ./70_sare_obfu1.cf/200705281000.tar.gz
Jun  1 05:14 ./70_sare_obfu1.cf/200706010200.tar.gz
Jun  4 21:14 ./70_sare_obfu1.cf/200706041800.tar.gz
May 21 10:14 ./72_sare_bml_post25x.cf/200705210700.tar.gz
May 28 13:14 ./70_sare_obfu0.cf/200705281000.tar.gz
Jun  1 05:14 ./70_sare_obfu0.cf/200706010200.tar.gz
Jun  4 21:14 ./70_sare_obfu0.cf/200706041800.tar.gz
May 21 10:14 ./70_sare_adult.cf/200705210700.tar.gz
Mar  9 10:08 ./70_sc_top200.cf/200703090800.tar.gz
Mar  9 11:08 ./70_sc_top200.cf/200703090900.tar.gz
Mar  9 12:08 ./70_sc_top200.cf/200703091000.tar.gz
Mar  9 17:08 ./70_sc_top200.cf/200703091500.tar.gz
Mar 12 11:08 ./70_sc_top200.cf/200703120800.tar.gz
Mar 14 16:08 ./70_sc_top200.cf/200703141300.tar.gz
Mar 15 13:08 ./70_sc_top200.cf/200703151000.tar.gz
Mar 22 13:24 ./70_sc_top200.cf/200703221000.tar.gz
Mar 30 12:10 ./70_sc_top200.cf/200703300900.tar.gz
Apr  5 12:10 ./70_sc_top200.cf/200704050900.tar.gz
Apr  6 10:10 ./70_sc_top200.cf/200704060700.tar.gz
Apr  6 17:10 ./70_sc_top200.cf/200704061400.tar.gz
May 23 11:14 ./70_sc_top200.cf/200705230800.tar.gz
May 24 12:14 ./70_sc_top200.cf/200705240900.tar.gz
May  6 23:24 ./70_sare_stocks.cf/200705062000.tar.gz
May  7 00:24 ./70_sare_stocks.cf/200705062100.tar.gz
Aug 18 08:14 ./70_sare_stocks.cf/200708181200.tar.gz
Apr  6 10:10 ./00_FVGT_File001.cf/200704060700.tar.gz
[EMAIL PROTECTED] channels]$

If you like, since you seem to be preoccupied with the raw number of 
updates, you can compare that to the number of updates released by the SA 
project in the last 6 months:


[EMAIL PROTECTED] asf-sa-updates]$ find . -type f -mtime -180 -name "*.gz" -perm 444 -exec ls -l {} \; | cut -d' ' -f7-

Sep  3 23:21 ./572502.tar.gz
May  7 00:31 ./535131.tar.gz
May 11 01:54 ./535132.tar.gz
May 31 01:41 ./543064.tar.gz
Jun  9 04:12 ./545708.tar.gz
Jul  4 17:46 ./548226.tar.gz
Jul 11 00:36 ./555165.tar.gz
Jul 15 18:55 ./556472.tar.gz
[EMAIL PROTECTED] asf-sa-updates]$



> However reading this thread has scared me further.
>
> (Shall I chuck Santa Claus (rms) and the Penguin (linus) and install
> "WIN2000" and enjoy "Norton Daily Updates"?)


That might not be a bad idea.


Daryl




RE: RulesDuJour

2007-09-04 Thread jidanni
I was thinking of looking into RulesDuJour as an alternative to
sa-update, as there hasn't been anything to update since July, unless
one installs yet unreleased versions of SpamAssassin. ("find var -ls"
to check.)

However reading this thread has scared me further.

(Shall I chuck Santa Claus (rms) and the Penguin (linus) and install
"WIN2000" and enjoy "Norton Daily Updates"?)


update problem with PerMsgStatus.pm

2007-09-04 Thread night duke
Hi, I have updated my SpamAssassin to version 3.2.3, but errors appear in the mail log. I updated with:

perl -M CPAN -e shell
perl install Mail::SpamAssassin

Does anyone know a way to fix this?

Thanks

Nightduke

Sep  4 23:54:50 bck00654 spamd[5745]: Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/Mail/SpamAssassin/PerMsgStatus.pm line 2669,  line 37.
Sep  4 23:54:50 bck00654 last message repeated 2 times
Sep  4 23:54:50 bck00654 spamd[5745]: Number found where operator expected at (eval 2497) line 10, near "}
Sep  4 23:54:50 bck00654 spamd[5745]:
Sep  4 23:54:50 bck00654 spamd[5745]:  1"
Sep  4 23:54:50 bck00654 spamd[5745]:  (Missing operator before
Sep  4 23:54:50 bck00654 spamd[5745]:
Sep  4 23:54:50 bck00654 spamd[5745]:  1?)
Sep  4 23:54:50 bck00654 spamd[5745]: rules: failed to run header tests, skipping some: syntax error at (eval 2497) line 11, near ";

   


Re: autolearn=failed

2007-09-04 Thread David B Funk
On Mon, 3 Sep 2007, Raquel wrote:

> On Mon, 3 Sep 2007 18:31:03 -0700
> Raquel <[EMAIL PROTECTED]> wrote:
>
> > I'm setting up a new server.  However, email sent to the server
> > keeps getting "autolearn=failed".  I don't seem to be able to
> > figure out what is causing that.
> >
> > --
> > Raquel
> >
>
> I should say that this server is Debian Etch w/spamassassin version
> 3.1.7.
>
> My local.cf says:
> bayes_auto_learn 1
> use_bayes_rules 1
> bayes_auto_learn_threshold_nonspam 0.1
> bayes_auto_learn_threshold_spam 10

As you want a site-wide Bayes, you also need the "bayes_path" parameter.
What setting do you have for "bayes_path" (note it isn't a simple
directory name).


-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Multiple rules for dynamic-looking IP addresses

2007-09-04 Thread Dan Fulbright
On 2007-08-29 23:16, Dan Fulbright wrote:
> I'm having problems with high scores from messages sent from IP
> addresses that appear to be dynamic, but in fact are static. Here's an
> example:
> 
> *  4.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious
>  hostname (Split
> *  IP)
> *  4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious
>  hostname (IP addr
> *   2)
> *  1.6 TVD_RCVD_IP TVD_RCVD_IP
> *  2.1 RCVD_NUMERIC_HELO Received: contains an IP address used
>  for HELO
> 
> Here are the Received lines, with specific information cleaned:
> 
> Received: from 1.2.3.4.static.vsnl.net.in [1.2.3.4] by mail5.example2.com 
> with SMTP;
>Sat, 25 Aug 2007 04:11:59 -0500
> Received: from gbd07 ([192.168.96.107]) by mail.example1.com with Microsoft 
> SMTPSVC(6.0.3790.1830);
>  Sat, 25 Aug 2007 14:48:07 +0530
> 
> I realize that 1.2.3.4 should have a better reverse DNS, but it seems
> that it causes the SA score to be artificially high. I know I could
> disable some of these tests, but I feel like that would artificially
> lower scores.
> 
> How can I adjust the scores or write/fix rules so that static IP
> addresses are recognized as such?
> 
> I am an admin for example2.com.

Thank you for the replies, however, I think I'll restate my own
question. Why are there so many rules that seem to check for the same
thing? I'm seeing this more and more often. xo.net seems to be a
common domain that uses hostnames like this to send mail. I feel like
the right thing to do would be to tell the sender to get a better
reverse DNS, but that just isn't feasible.

Received: from 1.2.3.4.ptr.us.xo.net [1.2.3.4] by mail4.example2.com with SMTP;
   Tue, 4 Sep 2007 12:10:07 -0500

Is anyone familiar with xo.net? If so, do you know why I am seeing so
many messages from hostnames that look like this? Are these dynamic or
static IP addresses?

Thanks.

--df


Re: Outbound spam filtering for a large ISP

2007-09-04 Thread Ken A

Joe Pranevich wrote:

> Hello,
>
> I maintain a large webmail host (I bet you can figure out which one) for
> free/paid accounts that sends out tens of thousands of emails a day. We're
> not quite Yahoo Mail or Hotmail, but we're pretty big. We're looking to scan
> outbound mail using SpamAssassin and I'm hoping that someone here might have
> some suggestions or feedback on what the best way to configure this would
> be. I've seen a handful of posts about this in the archive, so I know it's
> come up before.
>
> My plan is to scan all outbound mail and drop all mails that match to a log
> file or a separate directory where they can be hand-reviewed by someone in
> our customer service department. We also wouldn't want to actually modify
> the mails on the way out-- so we wouldn't add the spamassassin mail headers.
>
> Does anyone here have practical experience or advice, tweaks, etc. that
> would help us to implement this sort of thing? (I know the volume will be
> fairly high, but a nice farm of machines all running spamd should be able to
> load balance that part fairly well. It's the rules I'm worried about and how
> to make the log/discard work the way I want.)
>
> Thanks in advance for any help you can provide.
>
> Joe



For one more option, see http://mailscanner.info It's perl, works great 
with sendmail, and has a wide variety of options for queuing, 
quarantining, and classifying mail using SA and going beyond what SA 
does by itself. It's not a milter. It has a queue, check, then forward 
approach that nicely levels out the load on SA. There's also some nice 
addon reporting available in MailWatch (sourceforge).


--
Ken Anderson
Pacific.Net


RE: Parsing Received Headers

2007-09-04 Thread Bret Miller
> > I'm trying to get received headers to parse correctly because the ones from
> > CommuniGate Pro don't always. And, since I'm already modifying the headers
> > in my connector due to the MTA not being able to do RDNS without rejecting
> > based on it, I'm not aware that certain types of headers don't parse
> > correctly. My current problem is this one:
> > ...
> > My RDNS lookup was modifying the header to read:
> 
> Since you are already fixing broken Received header fields,
> I suggest you do it by the book. The syntax is prescribed
> by RFC 2821 (4.4 Trace Information):
> 
> ...
>    This line MUST be structured as follows:
>
>    -  The FROM field, which MUST be supplied in an SMTP environment,
>       SHOULD contain both (1) the name of the source host as presented
>       in the EHLO command and (2) an address literal containing the IP
>       address of the source, determined from the TCP connection.
> ...
>
> From-domain = "FROM" FWS Extended-Domain CFWS
>
> Extended-Domain = Domain /
>                   ( Domain FWS "(" TCP-info ")" ) /
>                   ( Address-literal FWS "(" TCP-info ")" )
>
> TCP-info = Address-literal / ( Domain FWS Address-literal )
>            ; Information derived by server from TCP connection
>            ; not client EHLO.
>
> Domain = (sub-domain 1*("." sub-domain)) / address-literal

As for reporting this to the CommuniGate people, I doubt they have any
interest in fixing it. After all, they still use the domain name instead of
the machine name for their own EHLO/HELO command and provide no way of
overriding it for RFC compliance. We got around it by (against their
recommendation) licensing our copy to the machine instead of the domain.

Anyway, the above doesn't make any more sense to me than reading examples in
the mail I receive. So far, I haven't come up with a format that works for
SA. So, please correct:

HELO bretspc, IP 192.168.1.125, RDNS bretspc.example.com
Received: from bretspc (bretspc.example.com 192.168.1.125)...

HELO [192.168.1.125], IP 192.168.1.125, RDNS none
Received: from [192.168.1.125] (unknown 192.168.1.125)...

HELO 192.168.1.125, IP 192.168.1.125, RDNS 192.168.1.125 (yeah, I've seen
ones like this)
Received: from 192.168.1.125 (192.168.1.125 192.168.1.125)...

And then there's the matter of adding whether the sender was authenticated,
and what was supplied as "mail from". 

Perhaps the better way to do this would be to fix SA to read the CGPro
headers, do its own RDNS lookup if necessary. The problem is that not all
the information is available to SA at that point, so I have to supply some
of it, and I suppose there would be concerns as to whether SA should be
doing the RDNS lookup itself too.

Maybe a plugin? But can a plugin get control early enough to re-write the
received header info so that it's correct for all the other places in SA it
gets used? 

So I guess my choices are there-- rewrite the received header to make it
readable, patch SA to read the information correctly (this doesn't solve my
missing RDNS info problem unless I add the lookup to SA too), or add a
plugin if it's possible to do what needs to be done with it.

Honestly, rewriting the header is probably the easiest, which is why I chose
to do that. Now it's just a matter of rewriting it so that SA can actually
read it properly. I guess another problem is that I might have to say I'm
NOT running CommuniGate Pro so that SA doesn't try its custom code on it...

Bret
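
The grammar quoted above applied to the three candidate lines, as an added example that is not part of the original message. `from_clause_ok` tests only the parenthesised TCP-info part and `from_clause` builds a conforming clause; both function names are hypothetical, only IPv4 literals are handled, and the HELO string is treated as untrusted input because the client chooses it.

```shell
#!/bin/sh
# Added example: the "from" clause of a Received line checked against the
# RFC 2821 grammar quoted in the message. Assumption: IPv4 literals only.

LABEL='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
DOMAIN="${LABEL}(\\.${LABEL})+"               # sub-domain 1*("." sub-domain)
IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}'
ADDRLIT="\\[${IPV4}\\]"                       # Address-literal: IP in brackets
TCPINFO="(${DOMAIN}[[:space:]]+)?${ADDRLIT}"  # Address-literal / (Domain FWS Address-literal)
NL='
'

# from_clause_ok LINE: succeed if "(...)" after the HELO token is a valid
# TCP-info. The HELO token itself is accepted as any run of characters
# without whitespace or parentheses.
from_clause_ok() {
    printf '%s\n' "$1" |
        grep -Eq "^Received: from [^[:space:]()]+[[:space:]]+\\(${TCPINFO}\\)"
}

# from_clause HELO IP [RDNS]: print a conforming clause, or fail.
# The rDNS name is included only when it is a syntactically valid Domain,
# so "none", "unknown" or an empty string give the bare address literal.
from_clause() {
    helo=$1 ip=$2 rdns=${3:-}
    # Refuse HELO strings that could forge or break the clause.
    case $helo in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$helo" | grep -Eq '^[^[:space:]()]+$' || return 1
    printf '%s\n' "$ip" | grep -Eq "^${IPV4}\$" || return 1
    if printf '%s\n' "$rdns" | grep -Eq "^${DOMAIN}\$"; then
        printf 'Received: from %s (%s [%s])\n' "$helo" "$rdns" "$ip"
    else
        printf 'Received: from %s ([%s])\n' "$helo" "$ip"
    fi
}

# The three candidate lines from the message, then rewrites of the same cases.
for line in \
    'Received: from bretspc (bretspc.example.com 192.168.1.125)...' \
    'Received: from [192.168.1.125] (unknown 192.168.1.125)...' \
    'Received: from 192.168.1.125 (192.168.1.125 192.168.1.125)...' \
    "$(from_clause bretspc 192.168.1.125 bretspc.example.com)" \
    "$(from_clause '[192.168.1.125]' 192.168.1.125 none)"
do
    if from_clause_ok "$line"; then echo "ok    $line"; else echo "FAIL  $line"; fi
done
```
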




Re: Manual sorting based on score count

2007-09-04 Thread Jari Fredriksson
> Hi
> 
> I admin my personal mail system with SpamAssassin.  I use
> maildrop as my MDA to process mail through SpamAssassin
> and then deliver it to the 
> proper new-spam folder based on the spam's score.
> 

You can also send different spam (based on the score) to different folders.

I have something like this in my maildroprc

if ( /^X-Spam-Flag:.YES/ )
{
    if ( /^X-Spam-Level:.\*\*\*\*\*\*\*\*\*\*/ )
    {
        to "Maildir/.Drafts"
    }
    to "Maildir/.Spam"
}

All score > 10 is put on Drafts folder of my spam account, and lower score spam 
in Spam folder.

The Drafts folder is because they will automatically be sent to SpamCop 
reporting, while Spam folder needs my attention.




Re: autolearn=failed

2007-09-04 Thread Raquel
On Mon, 3 Sep 2007 18:44:35 -0700
Raquel <[EMAIL PROTECTED]> wrote:

> On Mon, 3 Sep 2007 18:39:40 -0700
> Raquel <[EMAIL PROTECTED]> wrote:
> 
> > On Mon, 3 Sep 2007 18:31:03 -0700
> > Raquel <[EMAIL PROTECTED]> wrote:
> > 
> > > I'm setting up a new server.  However, email sent to the
> > > server keeps getting "autolearn=failed".  I don't seem to be
> > > able to figure out what is causing that.
> > > 
> > > -- 
> > > Raquel
> > > 
> > 
> > I should say that this server is Debian Etch w/spamassassin
> > version 3.1.7.
> > 
> > My local.cf says:
> > bayes_auto_learn 1
> > use_bayes_rules 1
> > bayes_auto_learn_threshold_nonspam 0.1
> > bayes_auto_learn_threshold_spam 10
> > 
> > -- 
> > Raquel
> > 
> 
> I should also say that spamassassin is being called by
> spamass-milter on sendmail and that it is a site-wide
> installation.
> 
> -- 
> Raquel
> 

Looking at my mail log, it seems I'm having several permissions
issues.  I'm going to be working on solving those and when I finish
I'll let everyone know the results.  Thanks for all the ideas.

-- 
Raquel

Religion is all bunk.
  --Thomas Edison



Re: Outbound spam filtering for a large ISP

2007-09-04 Thread Kelson

Leon Kolchinsky wrote:

> Try amavisd-new list.
> There you could integrate your SA checks in a very efficient way (policy banks,
> quarantining, releasing etc.)
> MySQL backend is also a good idea on high load servers.


I'd also recommend MIMEDefang for integrating SpamAssassin into 
sendmail.  It's a milter, like amavisd-new.


We've been using it for several years on our servers.  It's very 
customizable -- basically if you can write something in Perl, you can do 
it in MD.


The authors also have a commercial product based on MIMEDefang, Can-It, 
which might be worth looking into.


MIMEDefang - http://www.mimedefang.org/
CanIt -  http://www.roaringpenguin.com/products/antiSpam

--
Kelson Vibber
SpeedGate Communications 


Re: my collegue id received as spam

2007-09-04 Thread Matus UHLAR - fantomas
On 04.09.07 08:54, Martin.Hepworth wrote:

> I mean why does SA think this is spam? What rules are firing within
> spamassassin.

show us the e-mail, its headers, or at least its X-Spam- headers
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: Manual sorting based on score count

2007-09-04 Thread Matus UHLAR - fantomas
On 04.09.07 00:48, Jesse Molina wrote:
> However, I then need to manually go through my new-spam folder from time 
> to time and find the false-positives and train the Bayes system as 
> appropriate.
> 
> I use Seamonkey (Mozilla) and mutt as my MUAs.  I'm usually using 
> Seamonkey when I'm doing my manual sorting and processing of my new-spam 
> folder.
> 
> Today I was thinking about adding a feature to rewrite the Subject field 
> of spam-tagged messages with the numerical value of the score.  For example;

> This would make sorting of my new-spam folder easy, based on the 
> alphabetical/numerical ordering of the subjects.  Lower scored mails are 
> more likely to be false positives, so I can go through them first and 
> then forget about anything with a score over 15 or 20.
> 
> This is pretty easy to do, but I wanted to ask if anyone else is doing 
> this, and if they have any superior methodologies that they have discovered.

mutt supports spam tags, I use this setup:

set imap_headers="X-Spam-Status"
spam "X-Spam-Status: (Yes|No), score=(-?[0-9]+\.[0-9])" "%2"
spam "X-Spam-Status: (Yes|No), hits=(-?[0-9]+\.[0-9])" "%2"
unset spam_separator
set index_format="%4C %Z %D %5c %04H %-15.15L %s"

now mutt shows spam score in index, I can sort using the score and match
against score  (~H ...)

However the '-' character is not understood as minus sign, so mail with
-1.0 < score < 1.0  are mixed when sorted.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: Which rules are used

2007-09-04 Thread Robert Dudley

Hi Claudia,

You should be able to run "spamassassin -D --lint" to see which rules  
and plugins are being loaded system wide.


Regards and good luck

Rob


---

Robert Dudley
[EMAIL PROTECTED]



On 4 Sep 2007, at 15:03, Claudia Burman wrote:


> Hi,
> Is there a way to know if spamassassin is using all the rules?
> I'm getting too much spam, including some which I think should be
> captured...
>
> Thanks
> Claudia Burman
> Argentina




Re: Which rules are used

2007-09-04 Thread Anthony Peacock

Hi Claudia,

The easiest way to see what rules are hitting a particular message is to 
save the message (including _ALL_ headers) into a text file and then to 
pass it to SpamAssassin in test mode:


spamassassin --test-mode < email.txt

This will produce a report of the rules that are hitting the message.

If you want more information use the debug option:

spamassassin --debug --test-mode < email.txt

If you would like people here to let you know which rules these emails 
hit on their systems, place the email text file somewhere on the web, so 
that we can download it and run it through our systems.


PS make sure you are running the above commands as the same user that 
spamassassin usually runs as.


Claudia Burman wrote:

> Hi,
> Is there a way to know if spamassassin is using all the rules?
> I'm getting too much spam, including some which I think should be
> captured...
>
> Thanks
> Claudia Burman
> Argentina





--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
"A CAT scan should take less time than a PET scan.  For a CAT scan,
 they're only looking for one thing, whereas a PET scan could result in
 a lot of things."- Carl Princi, 2002/07/19


Which rules are used

2007-09-04 Thread Claudia Burman

Hi,
Is there a way to know if spamassassin is using all the rules?
I'm getting too much spam, including some which I think should be 
captured...


Thanks
Claudia Burman
Argentina


Re: Manual sorting based on score count

2007-09-04 Thread OliverScott

You already can - try this in your local.cf:

rewrite_header Subject SPAM [_STARS(X)_]

This will give you something which looks like:

SPAM [X] Some Dodgy Subject

You can also put in the actual numeric score (rather than a number of X's
which equals the whole number part of the score) but I find it easier to
create rules in email clients which count whole numbers of X's.

Note: You can use any other character rather than X if you want.

To include the actual score use:

rewrite_header Subject *SPAM* (_SCORE_)

This will give you something which looks like:

*SPAM* (9.7) Some Dodgy Subject

Hope this helps!



Jesse Molina wrote:
> 
> 
> Hi
> 
> I admin my personal mail system with SpamAssassin.  I use maildrop as my 
> MDA to process mail through SpamAssassin and then deliver it to the 
> proper new-spam folder based on the spam's score.
> 
> However, I then need to manually go through my new-spam folder from time 
> to time and find the false-positives and train the Bayes system as 
> appropriate.
> 
> I use Seamonkey (Mozilla) and mutt as my MUAs.  I'm usually using 
> Seamonkey when I'm doing my manual sorting and processing of my new-spam 
> folder.
> 
> Today I was thinking about adding a feature to rewrite the Subject field 
> of spam-tagged messages with the numerical value of the score.  For
> example;
> 
> Subject: *SPAM:Score=24* old-subject-goes-here
> 
> or maybe
> 
> Subject: *SPAM:24* old-subject-goes-here
> 
> This would make sorting of my new-spam folder easy, based on the 
> alphabetical/numerical ordering of the subjects.  Lower scored mails are 
> more likely to be false positives, so I can go through them first and 
> then forget about anything with a score over 15 or 20.
> 
> This is pretty easy to do, but I wanted to ask if anyone else is doing 
> this, and if they have any superior methodologies that they have
> discovered.
> 
> Comments would be appreciated
> 
> 
> 
> -- 
> # Jesse Molina
> # Mail = [EMAIL PROTECTED]
> # Page = [EMAIL PROTECTED]
> # Cell = 1.602.323.7608
> # Web  = http://www.opendreams.net/jesse/
> 
> 
> 
> 

-- 



RE: my collegue id received as spam

2007-09-04 Thread Martin.Hepworth
Hi



--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -Original Message-
> From: Sg [mailto:[EMAIL PROTECTED]
> Sent: 04 September 2007 10:22
> To: Martin.Hepworth
> Subject: Re: my collegue id received as spam
>

Hi

Still not what I meant.

What rules actually scored enough for Spamassassin to think the message is spam?

How do you make Spamassassin analyse the emails? You may need to modify this to 
include full information in the headers so you can see what rules are hitting 
the email that makes spamassassin think the email is spam.

--
Martin




**
Confidentiality : This e-mail and any attachments are intended for the 
addressee only and may be confidential. If they come to you in error 
you must take no action based on them, nor must you copy or show them 
to anyone. Please advise the sender by replying to this e-mail 
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of 
the author and unless specifically stated to the contrary, are not 
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure 
communications medium and can be subject to data corruption. We advise 
that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any 
attachments are free from known viruses but in keeping with good 
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales 
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
United Kingdom
**



RE: RulesDuJour

2007-09-04 Thread Rob Sterenborg
>> The page describes how to select what channels sa-update
>> will update. You'll just have an extra sa-update in your
>> crontab; one for the official SA rules and one for the SARE rules.
>> 
> 
> I have only one sa-update in my crontab

Yes, sorry, it can be done using 1 sa-update line; I actually don't
remember why I have 2 lines for that but it works. Maybe I'll change
that someday. However, I think we agree that the OP should switch from
RDJ to sa-update to let it handle the SARE updates.


Grts,
Rob


Re: RulesDuJour

2007-09-04 Thread Jari Fredriksson
>> What channels sa-update updates?
>> 
>> And if I use the '--channelfile' what happens? Maybe
>> sa-update updates only the channels included in the file
>> specified for the argument '--channelfile' or it adds
>> the file listed to the default list of channels
>> maintained by sa-update? 
> 
> The page describes how to select what channels sa-update
> will update. You'll just have an extra sa-update in your
> crontab; one for the official SA rules and one for the
> SARE rules. 
> 

I have only one sa-update in my crontab

-- channels.txt --

update.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net

--

-- cronjob ---

/usr/local/bin/sa-update --allowplugins --channelfile /etc/spamassassin/channels.txt --nogpg
/usr/local/bin/sa-compile

/etc/init.d/spamassassin reload

--
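
A more defensive variant of this cron job, as an added example that is not part of the original message: it leaves signature checking on (no `--nogpg`), does not pass `--allowplugins`, and reloads spamd only after an update that installed cleanly and passes `spamassassin --lint`. `KEYID_PLACEHOLDER` stands for the key ID the channel publishes, which this page does not give, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): update wrapper that keeps signature
# checking on and reloads spamd only after a successful, lint-clean update.

CHANNELS=/etc/spamassassin/channels.txt   # path from the message above
# Placeholder: the channel's published key ID, imported beforehand
# with `sa-update --import <keyfile>`.
GPGKEY=${GPGKEY:-KEYID_PLACEHOLDER}

# next_step UPDATE_RC LINT_RC: decide what to do from sa-update's exit code
# (0 = updates installed, 1 = nothing new, 4 or higher = error) and from
# the exit code of `spamassassin --lint`.
next_step() {
    case $1 in
        0) if [ "$2" -eq 0 ]; then echo reload; else echo skip-reload; fi ;;
        1) echo nothing-to-do ;;
        *) echo update-failed ;;
    esac
}

run_update() {
    # No --nogpg: every channel must verify against a trusted key.
    # No --allowplugins: loadplugin lines in downloaded rules stay disabled.
    sa-update --channelfile "$CHANNELS" --gpgkey "$GPGKEY"
    rc=$?
    lint=0
    if [ "$rc" -eq 0 ]; then
        spamassassin --lint
        lint=$?
    fi
    case $(next_step "$rc" "$lint") in
        reload)
            sa-compile && /etc/init.d/spamassassin reload ;;
        skip-reload)
            echo "updated rules fail --lint; spamd not reloaded" >&2
            return 2 ;;
        update-failed)
            echo "sa-update exited with status $rc" >&2
            return "$rc" ;;
    esac
}

# Run only when invoked with "run", so sourcing the file has no side effects.
if [ "${1:-}" = run ]; then run_update; fi
```
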






RE: RulesDuJour

2007-09-04 Thread Rob Sterenborg
Rocco Scappatura wrote:
>> But it is.
>> 
>> RulesDuJour delivery is broken, and it gives only HTTP-error page,
>> which causes the error. 
>> 
>> sa-update can deliver the rules without errors.
> 
> However, I already use sa-update other than RulesDuJour, which is
> scheduled as follows:

The webpage at
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt says:
"How to update SARE rulesets via Apache SpamAssassin's sa-update". This
is what RDJ did and apparently RDJ doesn't work anymore.

> What channels sa-update updates?
> 
> And if I use the '--channelfile' what happens? Maybe sa-update updates
> only the channels included in the file specified for the argument
> '--channelfile' or it adds the file listed to the default list of
> channels maintained by sa-update?

The page describes how to select what channels sa-update will update.
You'll just have an extra sa-update in your crontab; one for the
official SA rules and one for the SARE rules.


Grts,
Rob


RE: my collegue id received as spam

2007-09-04 Thread Martin.Hepworth
Hi

I mean why does SA think this is spam? What rules are firing within 
spamassassin.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -Original Message-
> From: Sg [mailto:[EMAIL PROTECTED]
> Sent: 04 September 2007 08:38
> To: Martin.Hepworth
> Subject: Re: my collegue id received as spam
>
>
> whitelist_from_rcvd *.myhome.com  myhome.come
> whitelist_to myhome.com
>
>
>
>
>
> On 9/4/07, Martin.Hepworth <[EMAIL PROTECTED]> wrote:
>
>   Sg
>
>   Can you please show us what rules fired so we can advise.
>
>   --
>   Martin Hepworth
>   Snr Systems Administrator
>   Solid State Logic
>   Tel: +44 (0)1865 842300
>
>   > -Original Message-
>   > From: Sg [mailto: [EMAIL PROTECTED]
>   > Sent: 04 September 2007 07:06
>   > To: users@spamassassin.apache.org
>   > Subject: my collegue id received as spam
>   >
>   > Hi
>   >
>   > My collegue id received as spam. Already i added to them on
>   > whitelist_from_rcvd and whitelist_to. Again it received as spam.
> Any
>   > solution
>   >
>   > --
>   > Sg
>
>
>
>
>
>
>
>
>
>
> --
> Sg




**
Confidentiality : This e-mail and any attachments are intended for the 
addressee only and may be confidential. If they come to you in error 
you must take no action based on them, nor must you copy or show them 
to anyone. Please advise the sender by replying to this e-mail 
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of 
the author and unless specifically stated to the contrary, are not 
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure 
communications medium and can be subject to data corruption. We advise 
that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any 
attachments are free from known viruses but in keeping with good 
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales 
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
United Kingdom
**



RE: RulesDuJour

2007-09-04 Thread Rocco Scappatura
> But it is.
> 
> RulesDuJour delivery is broken, and it gives only HTTP-error 
> page, which causes the error.
> 
> sa-update can deliver the rules without errors.

However, I already use sa-update other than RulesDuJour, which is
scheduled as follows:

22 14 * * 1,2,3,4,5 sa-update && rcamavisd restart

What channels does sa-update update?

And if I use the '--channelfile' what happens? Maybe sa-update updates
only the channels included in the file specified for the argument
'--channelfile' or it adds the file listed to the default list of
channels maintained by sa-update?

Thanks,

rocsca


Manual sorting based on score count

2007-09-04 Thread Jesse Molina


Hi

I admin my personal mail system with SpamAssassin.  I use maildrop as my 
MDA to process mail through SpamAssassin and then deliver it to the 
proper new-spam folder based on the spam's score.


However, I then need to manually go through my new-spam folder from time 
to time and find the false-positives and train the Bayes system as 
appropriate.


I use Seamonkey (Mozilla) and mutt as my MUAs.  I'm usually using 
Seamonkey when I'm doing my manual sorting and processing of my new-spam 
folder.


Today I was thinking about adding a feature to rewrite the Subject field 
of spam-tagged messages with the numerical value of the score.  For example:


Subject: *SPAM:Score=24* old-subject-goes-here

or maybe

Subject: *SPAM:24* old-subject-goes-here

This would make sorting of my new-spam folder easy, based on the 
alphabetical/numerical ordering of the subjects.  Lower scored mails are 
more likely to be false positives, so I can go through them first and 
then forget about anything with a score over 15 or 20.


This is pretty easy to do, but I wanted to ask if anyone else is doing 
this, and if they have any superior methodologies that they have discovered.


Comments would be appreciated



--
# Jesse Molina
# Mail = [EMAIL PROTECTED]
# Page = [EMAIL PROTECTED]
# Cell = 1.602.323.7608
# Web  = http://www.opendreams.net/jesse/
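
An added example (not part of the post above and not SpamAssassin's own code): one way to produce the score-tagged Subject described there so that a subject-sorted folder lists the lowest scores first. It assumes the `X-Spam-Status: Yes, score=N required=M ...` header layout that SpamAssassin 3.x writes, and it pads the score to a fixed width because unpadded values such as 24 and 7.5 do not sort numerically as text; the function names and sample messages are constructed for illustration.

```python
import email
import re

# SpamAssassin 3.x status header: "Yes, score=24.3 required=5.0 tests=..."
STATUS_RE = re.compile(r"^(yes|no),\s*(?:score|hits)=(-?\d+(?:\.\d+)?)", re.I)
TAG_RE = re.compile(r"^\*SPAM:\d{3}\.\d\*\s*")  # a tag this script wrote earlier

def spam_score(msg):
    """Score of a message SpamAssassin tagged as spam, else None."""
    # The header is usually folded over several lines; collapse the folding.
    status = " ".join((msg.get("X-Spam-Status") or "").split())
    m = STATUS_RE.match(status)
    if m is None or m.group(1).lower() != "yes":
        return None
    return float(m.group(2))

def tag_subject(msg):
    """Prefix Subject with a fixed-width score so text order == numeric order."""
    score = spam_score(msg)
    if score is None:
        return msg  # ham or unscanned mail is left untouched
    old = TAG_RE.sub("", msg.get("Subject", ""))  # avoid stacking tags on re-runs
    del msg["Subject"]
    # Zero-pad to the 000.0 form: unpadded, "24" would sort before "7.5".
    msg["Subject"] = "*SPAM:%05.1f* %s" % (min(max(score, 0.0), 999.9), old)
    return msg

def review_order(raw_messages):
    """Tagged subjects in the order a subject-sorted MUA folder would show them."""
    tagged = [tag_subject(email.message_from_string(r)) for r in raw_messages]
    return sorted(m["Subject"] for m in tagged if spam_score(m) is not None)

# Constructed sample messages (not real mail).
SAMPLES = [
    "X-Spam-Status: Yes, score=24.3 required=5.0\n\ttests=BAYES_99,URIBL_BLACK\n"
    "Subject: Cheap watches\n\nbody\n",
    "X-Spam-Status: Yes, score=7.5 required=5.0 tests=HTML_MESSAGE\n"
    "Subject: Meeting notes\n\nbody\n",
    "X-Spam-Status: Yes, score=103.0 required=5.0 tests=BAYES_99,RAZOR2_CHECK\n"
    "Subject: Test\n\nbody\n",
    "X-Spam-Status: No, score=1.2 required=5.0 tests=none\n"
    "Subject: Lunch?\n\nbody\n",
]

if __name__ == "__main__":
    for subject in review_order(SAMPLES):
        print(subject)
```

The low-scored "Meeting notes" message, the likeliest false positive, sorts to the top of the list, and the message marked `No` keeps its original Subject.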




RE: my collegue id received as spam

2007-09-04 Thread Martin.Hepworth
Sg

Can you please show us what rules fired so we can advise.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: Sg [mailto:[EMAIL PROTECTED]
> Sent: 04 September 2007 07:06
> To: users@spamassassin.apache.org
> Subject: my collegue id received as spam
>
> Hi
>
> My colleague id received as spam. Already I added to them on
> whitelist_from_rcvd and whitelist_to. Again it received as spam. Any
> solution
>
> --
> Sg



