Re: Objective site to run spamcheck against?
Jerry Durand wrote: At 05:35 PM 9/13/2007, Tuc at T-B-O-H.NET wrote: Hi, An inordinate amount of people are telling me I'm ending up in spam folders, so I wondered if there was some objective site where I might be able to run a message through and have it score an email. I realize this could also be used by spammers to check about getting past the filters, so I'm thinking maybe there isn't. I can't run it against my own systems since they like me too much. :) Thanks, Tuc/TBOH You could send it directly to most any of us on this list and have us give you the results. Feel free to send one to me. Yeah, same here - send me an email to [EMAIL PROTECTED] /Per Jessen, Zürich
SA only seeing certain mails
I own a couple of domains that are hosted on a shared hosting setup, for which I don't have shell access but do have cPanel access. For quite a while SA was working nicely, but recently it appears to have stopped filtering many mails. The reason I am saying this is that mails are arriving in my mailbox (on the server) for which a few have X-Spam headers written, but most of them don't.

The hosting is running SA 3.2.3. My user_prefs file contains:-

    required_score 4
    required_hits 4
    rewrite_header subject MATTSPAM
    bayes_expiry_max_db_size 15

I've had problems with toks files not expiring properly and the bayes_toks file growing to 40MB, as well as file locks sometimes not being removed, so daily I have two cronjobs running:-

    ls -l .spamassassin/

to give me a file listing so I can delete any locked files (get a lock about once every 5 days or so)

    sa-learn --force-expire -D

to keep bayes_toks under control

Both of these seem to work fine, and may be overkill. What I'm looking for is a way (behind cPanel) to debug what is or isn't happening with SA to cause some mails to be seen by SA and some not to be seen. I get about 5 ham mails per day, and about 1,000 spam mails, so it's starting to irritate me!!

Any help gratefully received! (I don't pay anything for the shared hosting as I get it free from a mate who is a re-seller, so I'm not really in a position to hassle their help desk!)

TIA! Matt
hardware accelerated regexps
Hi, my co-worker has come across some interesting articles (links below) about hardware accelerated regexp matching (using specialised hardware or even popular PCI Express GPU cards). Has anyone thought about using this in SA? The benchmarks done using Kaspersky AV are very promising... SA can use compiled regexps, maybe one could use the very same API to run regexp tests via the GPU?

http://www.theinquirer.net/?article=42299
http://www.tarari.com/news_pr_details.asp?ID=53
http://www.tarari.com/regexEAP/index.html
http://www.kaspersky.nl/news/kaspersky-and-tarari-enhance-hardware-protection.html

-- Pawel Sasin WIRTUALNA POLSKA SA, ul. Traugutta 115c, 80-226 Gdansk; NIP: 957-07-51-216; Sad Rejonowy Gdansk-Polnoc KRS 068548, kapital zakladowy 62.880.024 zlotych (w calosci wplacony)
Re: hardware accelerated regexps
Pawel Sasin writes:

Hi, my co-worker has come across some interesting articles (links below) about hardware accelerated regexp matching (using specialised hardware or even popular PCI Express GPU cards). Has anyone thought about using this in SA? The benchmarks done using Kaspersky AV are very promising... SA can use compiled regexps, maybe one could use the very same API to run regexp tests via the GPU?

http://www.theinquirer.net/?article=42299
http://www.tarari.com/news_pr_details.asp?ID=53
http://www.tarari.com/regexEAP/index.html
http://www.kaspersky.nl/news/kaspersky-and-tarari-enhance-hardware-protection.html

Interesting! www.sensorynetworks.com do a hardware accelerator that works with SpamAssassin: http://sensorynetworks.com/pressreleases/PR0060_2006_05_02_NCASA-formatted.pdf but this company, and their GPGPU approach is new to me.

--j.
Re: hardware accelerated regexps
Justin Mason wrote:

Pawel Sasin writes:

Hi, my co-worker has come across some interesting articles (links below) about hardware accelerated regexp matching (using specialised hardware or even popular PCI Express GPU cards). Has anyone thought about using this in SA? The benchmarks done using Kaspersky AV are very promising... SA can use compiled regexps, maybe one could use the very same API to run regexp tests via the GPU?

http://www.theinquirer.net/?article=42299
http://www.tarari.com/news_pr_details.asp?ID=53
http://www.tarari.com/regexEAP/index.html
http://www.kaspersky.nl/news/kaspersky-and-tarari-enhance-hardware-protection.html

Interesting! www.sensorynetworks.com do a hardware accelerator that works with SpamAssassin: http://sensorynetworks.com/pressreleases/PR0060_2006_05_02_NCASA-formatted.pdf but this company, and their GPGPU approach is new to me.

--j.

I remember coming across this about 2 years ago now (I think they've released two new versions of the processor since)... the dev kit was something like $5k but I never got around to contacting them to find out the important price... cost per PCI(-X) card for end-user use.

Daryl
Re: Suggestion to developers
Matt Kettler-3 wrote:

Sure, some messages will bail out faster, but most messages will take much longer to scan. How is that better? I don't debate that the basic idea of having SA do this automagically would be a great thing. However, the reality of doing it efficiently is much trickier than you think. At one point, one idea was to run all the negative scoring rules, and then run the positive scoring ones, and bail out if the score went over the spam threshold during the positive phase. The end result of that test was abysmally slow, due to having to scan the message in two passes (negative header, negative body, positive header, positive body).

I trust you. And, probably, any reordering may impact performance (original ruleset is carefully tuned). Unfortunately, I don't know rules order in processing (equal to load order established by first numbers in configs filename?) But, I see that shortcircuit does reordering (bayes, whitelists and some others) and nothing dramatic happens. Even more, this plug-in is recommended for use (in properly set up installations).

Of course, if we will consider an abstract case where negative rules may happen in body as well as in header in unpredictable quantity and order, and reordering is impossible, this idea has no right to live. But, in reality, we see that almost all negative rules are about the header with the only exception - bayes. And this test (bayes) is moved to the top by shortcircuit (before all header tests), and this does not harm performance. I think, this situation (all negatives are from the header) will be preserved in future version of SA, because of nature of email messages.

So, I think, it is possible to turn on collected points check after [prioritized rules + header rules] (and inside body rules), without any sorting if this is undesirable.
RE: Objective site to run spamcheck against?
Tuc at T-B-O-H.NET wrote: Hi, An inordinate amount of people are telling me I'm ending up in spam folders, so I wondered if there was some objective site where I might be able to run a message through and have it score an email. I realize this could also be used by spammers to check about getting past the filters, so I'm thinking maybe there isn't. I can't run it against my own systems since they like me too much. :) Thanks, Tuc/TBOH A good first step would be checking to see if your mail servers are on any blacklists. There are two or three sites that will check multiple lists for you. I don't know of one offhand, but a Google search should be able to come up with one for you. -- Bowie
spam and virus
Is there a configuration for spamassassin to catch virus attachments? Or, does any one know of one to run on a server with sendmail? thanks Dean
Re: Objective site to run spamcheck against?
If you don't want to search: http://www.robtex.com/rbl.html and http://www.dnsstuff.com/ .

2007/9/14, Bowie Bailey [EMAIL PROTECTED]:

Tuc at T-B-O-H.NET wrote:

Hi, An inordinate amount of people are telling me I'm ending up in spam folders, so I wondered if there was some objective site where I might be able to run a message through and have it score an email. I realize this could also be used by spammers to check about getting past the filters, so I'm thinking maybe there isn't. I can't run it against my own systems since they like me too much. :) Thanks, Tuc/TBOH

A good first step would be checking to see if your mail servers are on any blacklists. There are two or three sites that will check multiple lists for you. I don't know of one offhand, but a Google search should be able to come up with one for you.

-- Bowie
RE: spam and virus
Dean, Check out MailScanner - http://www.mailscanner.info Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK -Original Message- From: Dean Clapper [mailto:[EMAIL PROTECTED] Sent: 14 September 2007 14:39 To: users@spamassassin.apache.org Subject: spam and virus Is there a configuration for spamassassin to catch virus attachments? Or, does any one know of one to run on a server with sendmail? thanks Dean
Re: spam and virus
I use ClamAv plugin for SpamAssassin and I have add a rules in my milter to discard every infected email. For the plugin part: http://wiki.apache.org/spamassassin/ClamAVPlugin François Rousseau 2007/9/14, Randal, Phil [EMAIL PROTECTED]: Dean, Check out MailScanner - http://www.mailscanner.info Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK -Original Message- From: Dean Clapper [mailto:[EMAIL PROTECTED] Sent: 14 September 2007 14:39 To: users@spamassassin.apache.org Subject: spam and virus Is there a configuration for spamassassin to catch virus attachments? Or, does any one know of one to run on a server with sendmail? thanks Dean
Re: spam and virus
On 9/14/07 7:38 AM, Dean Clapper [EMAIL PROTECTED] wrote: Is there a configuration for spamassassin to catch virus attachments? Or, does any one know of one to run on a server with sendmail? thanks Dean This has worked well for me. We have our spam emails tagged in the subject line, so people normally just delete it out. http://wiki.apache.org/spamassassin/ClamAVPlugin James
FW: Objective site to run spamcheck against?
Here are some sites:

www.dnsstuff.com
http://www.mxtoolbox.com/blacklists.aspx

Josie~

-Original Message-
From: François Rousseau [mailto:[EMAIL PROTECTED]
Sent: Friday, September 14, 2007 9:41 AM
To: users@spamassassin.apache.org
Subject: Re: Objective site to run spamcheck against?

If you don't want to search: http://www.robtex.com/rbl.html and http://www.dnsstuff.com/ .

2007/9/14, Bowie Bailey [EMAIL PROTECTED]:

Tuc at T-B-O-H.NET wrote:

Hi, An inordinate amount of people are telling me I'm ending up in spam folders, so I wondered if there was some objective site where I might be able to run a message through and have it score an email. I realize this could also be used by spammers to check about getting past the filters, so I'm thinking maybe there isn't. I can't run it against my own systems since they like me too much. :) Thanks, Tuc/TBOH

A good first step would be checking to see if your mail servers are on any blacklists. There are two or three sites that will check multiple lists for you. I don't know of one offhand, but a Google search should be able to come up with one for you.

-- Bowie
Re: FW: List of 700,000 IP addresses of virus infected computers
My my - I criticize one of the noise makers by pointing out the meta-troll's silliness so Marc responds by blacklisting me. This is getting interesting in a psychological sense. {^_-}I'm still giggling over it. He he, at the rate he's going, he'll have the whole list blacklisted on his end. -Jeff
Re: FW: List of 700,000 IP addresses of virus infected computers
On Fri, 14 Sep 2007 09:07:32 -0700, Jeff Shepherd [EMAIL PROTECTED] wrote: My my - I criticize one of the noise makers by pointing out the meta-troll's silliness so Marc responds by blacklisting me. This is getting interesting in a psychological sense. {^_-}I'm still giggling over it. He he, at the rate he's going, he'll have the whole list blacklisted on his end. -Jeff We can live in hope :-D
Mail log errors about PerMsgStatus.pm
I've been seeing these errors in my mail log. This is SpamAssassin version 3.2.3 running on Perl version 5.8.8. Installed via apt on debian/stable. I've tried to `apt-get install --reinstall spamassassin spamc`, but that did not work. Is this likely the result of a misconfiguration on my part or is it more likely a bug in spamassassin that I should report to -dev?

    Sep 14 12:51:28 moose spamd[29477]: Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/Mail/SpamAssassin/PerMsgStatus.pm line 2669.
    Sep 14 12:51:28 moose spamd[29477]: Number found where operator expected at (eval 303) line 10, near }
    Sep 14 12:51:28 moose spamd[29477]:
    Sep 14 12:51:28 moose spamd[29477]: 1
    Sep 14 12:51:28 moose spamd[29477]: (Missing operator before
    Sep 14 12:51:28 moose spamd[29477]:
    Sep 14 12:51:28 moose spamd[29477]: 1?)
    Sep 14 12:51:28 moose spamd[29477]: rules: failed to run header tests, skipping some: syntax error at (eval 303) line 11, near ;
    Sep 14 12:51:28 moose spamd[29477]: }

For reference, here is the function in PerMsgStatus.pm that it is complaining about, with line numbers:

    2666 sub register_plugin_eval_glue {
    2667   my ($self, $pluginobj, $function) = @_;
    2668
    2669   my $evalstr = <<"ENDOFEVAL";
    2670 {
    2671     package Mail::SpamAssassin::PerMsgStatus;
    2672
    2673     sub $function {
    2674       my (\$self) = shift;
    2675       my \$plugin = \$self->{conf}->{eval_plugins}->{$function};
    2676       return \$plugin->$function (\$self, [EMAIL PROTECTED]);
    2677     }
    2678
    2679     1;
    2680 }
    2681 ENDOFEVAL
    2682   eval $evalstr;
    2683
    2684   if ($@) {
    2685     warn "rules: failed to run header tests, skipping some: [EMAIL PROTECTED]";
    2686     $self->{rule_errors}++;
    2687   }
    2688 }
Re: spam and virus
From: Dean Clapper [EMAIL PROTECTED] Sent: Friday, September 14, 2007 9:38 AM Is there a configuration for spamassassin to catch virus attachments? Or, does any one know of one to run on a server with sendmail? I use mimedefang http://www.mimedefang.org/ with sendmail,clamav and SA. Great flexibility. Lots of mimedefang recipes on the wiki page. Ken
Re: FW: List of 700,000 IP addresses of virus infected computers
On Wed, 12 Sep 2007, Luis Hernán Otegui wrote: 2007/9/12, Jon Trulson [EMAIL PROTECTED]: On Wed, 12 Sep 2007, Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little to complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information. Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. FWIW, +1 -- Jon Trulson mailto:[EMAIL PROTECTED] #include std/disclaimer.h No Kill I -Horta OK, count me in... Be careful if you agree with others and I :) I too received the lovely 'I've added you to my blacklist' email from our buddy Marc. So be warned, you might be added too! :) If he's actually talking about this magical blacklist he's trying to sell, that should give some people pause about actually using it in real life :) -- Jon Trulson mailto:[EMAIL PROTECTED] #include std/disclaimer.h No Kill I -Horta
Compiling Rules
sa-compile appears to examine rules downloaded via sa-update, including custom channels like dostech. However, it does not appear to pick up custom rules, or anything else, from files in /etc/mail/spamassassin. Is this a bug or a feature? Jason A. Bertoch Network Administrator [EMAIL PROTECTED] ElectroNet Intermedia Consulting 3411 Capital Medical Blvd. Tallahassee, FL 32308 (V) 850.222.0229 (F) 850.222.8771
Re: Compiling Rules
Me thinks it does body rules only. I'm at 3.2.3 and it (sa-compile) definitely picks up my rules. FWIW, Jared Hall General Telecom, LLC. On Friday 14 September 2007 15:54, Jason Bertoch wrote: sa-compile appears to examine rules downloaded via sa-update, including custom channels like dostech. However, it does not appear to pick up custom rules, or anything else, from files in /etc/mail/spamassassin. Is this a bug or a feature? Jason A. Bertoch Network Administrator [EMAIL PROTECTED] ElectroNet Intermedia Consulting 3411 Capital Medical Blvd. Tallahassee, FL 32308 (V) 850.222.0229 (F) 850.222.8771
Re: Compiling Rules
On Fri, Sep 14, 2007 at 03:54:28PM -0400, Jason Bertoch wrote:

sa-compile appears to examine rules downloaded via sa-update, including custom channels like dostech. However, it does not appear to pick up custom rules, or anything else, from files in /etc/mail/spamassassin. Is this a bug or a feature?

I know for a fact that it picks up my custom rules, as sa-compile couldn't parse a couple of them correctly. :) Try running this:

    sa-compile -D --list 2>&1 | grep "rules dir"

You should see:

    [17010] dbg: config: using /var/lib/spamassassin/3.002003 for default rules dir
    [17010] dbg: config: using /etc/mail/spamassassin for site rules dir

You can also pick a custom body rule that you made and grep that:

    sa-compile -D --list 2>&1 | grep TEST

And get results like:

    orig TEST_0001 /test01010101/i
    r test01010101:TEST_0001

-- Gus
Display DCC results in headers
I dunno if anybody else will find this useful, but I made a modification to DCC.pm that will make it display the same DCC results via the SpamAssassin report that dcc would normally add in its header.

http://www.disco-zombie.net/tmp/dcc_header_plugin.tar.gz

Normally, dccproc/ifd/whatever adds a header that looks like this:

    X-DCC--Metrics: lum 1049; Body=17 Fuz1=17 Fuz2=17

Done through SA, you just either trip the DCC_CHECK rule or you don't. My organization is going to be adding dcc to our mail system fairly soon, and we want people to be able to see the actual results, yet due to our mail system's current configuration, SpamAssassin is by far the best way to perform the DCC checks, so I just made SpamAssassin add the info...

The results look like this:

    *2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    * [lum 1049; Body=1 Fuz1=1 Fuz2=many]

or this:

    * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
    * [lum 1049; Body=16 Fuz1=16 Fuz2=16]

If you only have the report header on when something is scored as spam, just apply the patch and you're set. Otherwise, just add the following scoring to one of your config files:

    score DCC_CHECK 0 1.37 0 2.17
    full DCC_CHECK eval:check_dcc(0)
    describe DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    tflags DCC_CHECK net
    full DCC_CHECK_NEGATIVE eval:check_dcc(1)
    describe DCC_CHECK_NEGATIVE Not listed in DCC
    tflags DCC_CHECK_NEGATIVE net
    score DCC_CHECK_NEGATIVE 0 -0.0001 0 -0.0001

And since I'm not a fan of directly modifying my SA installation, I keep the modified DCC.pm in with my SA config and just specify the path.

Anyway, like I said, dunno if anybody'll find it useful, but since I did it I figured I might as well share it just in case. I'm sure now that I've gone to the trouble somebody's going to point me to some dcc_add_header 1 config variable that I overlooked. ;^)

-- Gus
Re: Compiling Rules
Sorry for the dupes. Had a wrong setting in mutt and thought these two didn't get sent properly. :-/ (my solution to this problem being to send a third message... Hmmm...) -- Gus
Re: Display DCC results in headers
I dunno if anybody else will find this useful, but I made a modification to DCC.pm that will make it display the same DCC results via the SpamAssassin report that dcc would normally add in its header.

You probably ought to open a Bugzilla enhancement ticket for this and attach the patch. It sounds like something that others might want, and in a bug there will be a record of it.

Loren
Re: Mail log errors about PerMsgStatus.pm
dvogel wrote:

I've been seeing these errors in my mail log. This is SpamAssassin version 3.2.3 running on Perl version 5.8.8. Installed via apt on debian/stable. I've tried to `apt-get install --reinstall spamassassin spamc`, but that did not work. Is this likely the result of a misconfiguration on my part or is it more likely a bug in spamassassin that I should report to -dev?

    Sep 14 12:51:28 moose spamd[29477]: Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/Mail/SpamAssassin/PerMsgStatus.pm line 2669.

Something is corrupted about your SA install.. The PerMsgStatus.pm that comes with 3.2.3 is only 2604 lines long. Did you have a borked upgrade that wound up leaving two PerMsgStatus.pm's on your system in different directories?

For reference, here is the function in PerMsgStatus.pm that it is complaining about, with line numbers:

    2666 sub register_plugin_eval_glue {
    2667   my ($self, $pluginobj, $function) = @_;
    2668
    2669   my $evalstr = <<"ENDOFEVAL";
    2670 {
    2671     package Mail::SpamAssassin::PerMsgStatus;
    2672

That is not the correct code for register_plugin_eval_glue for SA 3.2.3. It looks like the one from a 3.1.x version of SpamAssassin, as it matches the one found in 3.1.8. It should start off as such:

    sub register_plugin_eval_glue {
      my ($self, $function) = @_;

      if (!$function) {
        warn "rules: empty function name";
        return;
      }

      # only need to call this once per fn (globally)
      return if exists $TEMPORARY_EVAL_GLUE_METHODS{$function};
      $TEMPORARY_EVAL_GLUE_METHODS{$function} = undef;

And that much is the same for both 3.2.3 and 3.2.0.
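The two signatures quoted in this thread are enough to reproduce the failure outside SpamAssassin. The Perl sketch below is an added example, not code from the SpamAssassin project or from either poster; it assumes the mixed install suspected in the reply, where a caller written for the 3.2.3 signature ($function) reaches the 3.1.x-style sub that expects ($pluginobj, $function). Demo::Plugin, Demo::Status, glue_31x and glue_guarded are constructed names.

```perl
#!/usr/bin/perl
# Added illustration. Demo::Plugin and Demo::Status are constructed stand-ins,
# not SpamAssassin classes.
use strict;
use warnings;

package Demo::Plugin;
sub new        { return bless {}, shift }
sub check_demo { return 'plugin ran' }

package Demo::Status;
sub new { return bless { conf => { eval_plugins => {} } }, shift }

# Glue generator with the 3.1.x-style signature quoted in the thread.
# Returns (ok, messages), where messages are the warnings and compile
# errors produced while building and evaluating the generated code.
sub glue_31x {
  my ($self, $pluginobj, $function) = @_;
  my @seen;
  local $SIG{__WARN__} = sub { push @seen, $_[0] };
  $self->{conf}->{eval_plugins}->{$function} = $pluginobj if defined $function;

  # An undefined $function interpolates as an empty string here, so the
  # generated text contains "sub  {" and "->{}" instead of a named method.
  my $evalstr = <<"ENDOFEVAL";
{
  package Demo::Status;

  sub $function {
    my (\$self) = shift;
    my \$plugin = \$self->{conf}->{eval_plugins}->{$function};
    return \$plugin->$function (\$self, \@_);
  }

  1;
}
ENDOFEVAL
  eval $evalstr;
  push @seen, $@ if $@;
  return ($@ ? 0 : 1, @seen);
}

# The same generator behind the empty-name guard quoted in the reply.
sub glue_guarded {
  my ($self, $pluginobj, $function) = @_;
  return (0, "rules: empty function name\n") if !$function;
  return $self->glue_31x($pluginobj, $function);
}

package main;

my $st     = Demo::Status->new;
my $plugin = Demo::Plugin->new;

# Assumed mixed install: the caller passes only the function name, as the
# 3.2.3 signature expects, so $pluginobj gets the name and $function is undef.
my ($ok, @seen) = $st->glue_31x('check_demo');
print "one-argument call, no guard: ok=$ok\n";
print "  $_" for @seen;

($ok, @seen) = $st->glue_guarded('check_demo');
print "one-argument call, guarded: ok=$ok\n";
print "  $_" for @seen;

# Caller and sub agree on the argument list: the glue compiles and the
# generated method dispatches to the plugin.
($ok, @seen) = $st->glue_31x($plugin, 'check_demo');
print "matching call: ok=$ok, result=", $st->check_demo, "\n";
```

Run with perl, the unguarded one-argument call reports an uninitialized-value warning followed by a compile error from the string eval, the same pattern as the spamd log lines above.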