Re: sender name same as recipient name
RE: training. I don't know. My experience w/ SA is that it just works and I haven't dealt with it at this level yet. What is strange is that SA appeared to be working fine for my client, then all of a sudden this spike in spam occurred... and as I said, 99% of the spams have the sender name same as recipient name (see original post).

Below is the result of sa-learn -D --dump magic. I see that "bayes: no dbs present" ... that looks bad. Maybe this SA was not installed properly.

Thanks for your help.

[24475] dbg: logger: adding facilities: all
[24475] dbg: logger: logging level is DBG
[24475] dbg: generic: SpamAssassin version 3.1.9
[24475] dbg: config: score set 0 chosen.
[24475] dbg: util: running in taint mode? yes
[24475] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[24475] dbg: util: PATH included '/sbin', keeping
[24475] dbg: util: PATH included '/bin', keeping
[24475] dbg: util: PATH included '/usr/local/sbin', keeping
[24475] dbg: util: PATH included '/usr/local/bin', keeping
[24475] dbg: util: PATH included '/sbin', keeping
[24475] dbg: util: PATH included '/bin', keeping
[24475] dbg: util: PATH included '/usr/sbin', keeping
[24475] dbg: util: PATH included '/usr/bin', keeping
[24475] dbg: util: PATH included '/usr/X11R6/bin', keeping
[24475] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[24475] dbg: util: final PATH set to: /sbin:/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
[24475] dbg: message: MIME PARSER START
[24475] dbg: message: main message type: text/plain
[24475] dbg: message: parsing normal part
[24475] dbg: message: added part, type: text/plain
[24475] dbg: message: MIME PARSER END
[24475] dbg: dns: is Net::DNS::Resolver available? yes
[24475] dbg: dns: Net::DNS version: 0.48
[24475] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[24475] dbg: config: read file /etc/mail/spamassassin/init.pre
[24475] dbg: config: read file /etc/mail/spamassassin/v310.pre
[24475] dbg: config: read file /etc/mail/spamassassin/v312.pre
[24475] dbg: config: using "/var/lib/spamassassin/3.001009" for sys rules pre files
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org.pre
[24475] dbg: config: using "/var/lib/spamassassin/3.001009" for default rules dir
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org.cf
[24475] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[24475] dbg: config: read file /etc/mail/spamassassin/local.cf
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8bc694c)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8b86890)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8c060b4)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[24475] dbg: pyzor: network tests on, attempting Pyzor
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x8c1fed0)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[24475] dbg: razor2: razor2 is not available
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x8c3db44)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[24475] dbg: reporter: network tests on, attempting SpamCop
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x8cbbc20)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0x8cde6ec)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x8ce8e2c)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x8cec704)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x8cff50c)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x8cf5c58)
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/empty.pre
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/empty.pre" for included file
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/10_misc.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/10_misc.cf" for included file
[24475] dbg: confi
Re: is this a bug? trying to avoid beeing marked as spam
> one thing though... the html part of the email contains only one image,
> and that image is -as i mentioned- only around 1300 bytes and it's also
> just 250px of width so this can't be right or is it?
>
> 1.5 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words

All this rule says is that there is an HTML image and the message body is between 2400 and 2800 bytes long. It doesn't say how big the image is or even if there is only one image.

This is a relatively short message, and from the score on that rule (and personal experience) this falls into a range that is rather commonly ham. You could avoid that rule by having a larger message body of text. However, I don't know that there is any need for that, unless the 1.5 points really bothers you.

Loren
Re: is this a bug? trying to avoid beeing marked as spam
thank you for the info

one thing though... the html part of the email contains only one image, and that image is -as i mentioned- only around 1300 bytes and it's also just 250px of width so this can't be right or is it?

Regards
Ludwig

Loren Wilton wrote:
>
>> My mail still gets hit with Spam-scores and i don't know what to do at
>> this point, maybe you do.
>
> Getting a few points from SA on most any message is typical, not an
> exception. SA doesn't declare something to be spam until the total score
> exceeds the spam threshold. While this is configurable, the default value
> is 5 points.
>
>> Old-X-HE-Spam-Report: Content analysis details: (2.4 points)
>
> You only have 2.4 points. Unless someone grossly mis-configured an SA
> setup, that isn't a spam.
>
>> 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
>
> This means what it says. Unless this is a result of the path the mail took
> in testing that is not a normal delivery path, you should see if you can fix
> the rDNS.
>
>> 1.5 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
>
> This is basically saying that the body is largely image. That is a very
> typical spam sign, so is worth a point or two, or in this case 1.5 points.
> However, as I mentioned above, 1.5 is a lot less than 5, so this should
> generally not be noticed.
>
> Loren

--
View this message in context: http://www.nabble.com/is-this-a-bug--trying-to-avoid-beeing-marked-as-spam-tf4511579.html#a12871259
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: TIMEOUT
Jean-Paul Natola wrote:
> Hi all
>
> I was just checking headers on messages that were flagged ( by my own rules
> in outlook) and I'm curious as to what exactly it means

I dunno, what do your outlook rules do?

> _cbl.abuseat.org_TIMEOUT ,
> __dnsbl.njabl.org_TIMEOUT , __sbl.spamhaus.org_TIMEOUT '

Is that spamassassin output? or from something else?

I don't recognize those lines, but it suggests that something tested the above RBLs and timed out (ie: got no answer back either way).

I know spamhaus has a policy of blocking high-volume sites that are using their RBL without a subscription. abuseat and njabl might be doing the same, as they are essentially feed providers for spamhaus's xbl.

(note it's extraordinarily wasteful DNS-wise to use those 3 separately. One query to zen.spamhaus.org would effectively cover all three).

My question is, why would your outlook rules block something on just a timeout event?

> Now these emails are by no means spam- they are from the university
> labmanagers listserve-
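As an added illustration of the two points above (example code, not from this post and not SpamAssassin's own DNSBL plugin), the script below does the single zen.spamhaus.org lookup and decodes the answer into the SBL / XBL / PBL components using Spamhaus's documented return codes, and it treats a resolver timeout, a temporary failure or one of the 127.255.255.x refusal codes (typo in zone name, open resolver, query limit exceeded) as "unknown" rather than as a listing, which is the distinction that blocking on a TIMEOUT event gets wrong. The resolver is injectable so the logic can be exercised offline; 192.0.2.1 and 127.0.0.2 are documentation and DNSBL test addresses, not real listings.

```python
import ipaddress
import socket

# Spamhaus Zen answer codes (as documented by Spamhaus): which component list
# produced the hit.  127.255.255.x answers are error signals, not listings.
ZEN_ANSWERS = {
    2: "SBL", 3: "SBL",                       # 127.0.0.3 is the SBL CSS sub-list
    4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",   # XBL carries the CBL data
    10: "PBL", 11: "PBL",
}
ZEN_ERRORS = {
    "127.255.255.252": "typo in the DNSBL zone name",
    "127.255.255.254": "query sent via a public/open resolver",
    "127.255.255.255": "query limit exceeded (free use blocked)",
}


def zen_query_name(ip):
    """Build the reversed-octet query name for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("Zen lists IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + ".zen.spamhaus.org"


def decode_zen(answers):
    """Map the A records returned for a Zen query to component lists.
    Returns (sorted list names, error reasons)."""
    lists, errors = set(), []
    for a in answers:
        if a in ZEN_ERRORS:
            errors.append(ZEN_ERRORS[a])
        elif a.startswith("127.0.0."):
            name = ZEN_ANSWERS.get(int(a.rsplit(".", 1)[1]))
            if name:
                lists.add(name)
        else:
            errors.append("unexpected answer %s" % a)
    return sorted(lists), errors


def default_resolve(name):
    """Real lookup (needs network): all A records for name, or raises."""
    return socket.gethostbyname_ex(name)[2]


def lookup(ip, resolve=default_resolve):
    """One Zen query instead of separate SBL/XBL/PBL lookups.
    Returns ('listed', [lists]) | ('clean', []) | ('unknown', [reasons]).
    A timeout, a temporary resolver failure or a Spamhaus error code is
    'unknown' and must never be scored as a hit."""
    name = zen_query_name(ip)
    try:
        answers = resolve(name)
    except socket.gaierror as e:
        if e.errno == getattr(socket, "EAI_NONAME", -2):
            return ("clean", [])                         # NXDOMAIN: not listed
        return ("unknown", ["resolver error: %s" % e])   # EAI_AGAIN and friends
    except OSError as e:                                 # socket.timeout is an OSError
        return ("unknown", ["timeout: %s" % e])
    lists, errors = decode_zen(answers)
    if errors:
        return ("unknown", errors)
    return ("listed", lists) if lists else ("unknown", ["no recognised answer"])


if __name__ == "__main__":
    import sys
    # 127.0.0.2 is the conventional DNSBL test address (RFC 5782) and should be listed.
    for ip in sys.argv[1:] or ["127.0.0.2"]:
        print(ip, lookup(ip))
```

Whatever is consuming these results (SpamAssassin's RCVD_IN_* rules, or a client-side rule) should score only the "listed" case; "unknown" deserves a log line at most, since a site that has hit Spamhaus's free-use limit will otherwise start blocking everything that times out.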
Re: sender name same as recipient name
On Mon, 24 Sep 2007, feral wrote:

> Here are the headers & bodies of 3 of the spams that got through
> (and are continuing to come through at a high rate):
>
> tests=BAYES_00,HELO_DYNAMIC_IPADDR2
> autolearn=no version=3.1.9
>
> tests=BAYES_00,HELO_DYNAMIC_IPADDR2,
> HELO_DYNAMIC_SPLIT_IP autolearn=no version=3.1.9
>
> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
> autolearn=no version=3.1.9

Observations:

(1) Hardly any rules are hitting.
(2) Everything is getting BAYES_00.

The very first thing to look at is your Bayes database. How are you training it, and how has it gotten so badly mistrained? Are you using a Bayes database that is global to all your clients, or per-user Bayes databases? How are you training? Is the user actually responsible for training, and the problem is basically their own fault?

Can you run "sa-learn --dump magic" and send us the output?

As Dave said, do you have network tests disabled?

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Pelley: Will you pledge not to test a nuclear weapon?
Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
-- Teflon Mahmoud in a 60 Minutes interview (9/20/2007)
---
244 days until the Mars Phoenix lander arrives at Mars
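An added example, not part of John's post: a script that applies his two observations across a batch of headers instead of to three messages by eye. It parses folded X-Spam-Status headers (SpamAssassin wraps a long tests= list after a comma, so the continuation line has to be glued back on), tallies which rules hit on the messages that got through, and reports when BAYES_00 is on nearly all of them or when no network-only rule fired on any message at all. The three headers are the ones quoted in this thread; the fourth, caught message and the list of prefixes used to recognise network rules (URIBL_*, RCVD_IN_*, RAZOR2_*, PYZOR_*, DCC_*) are assumptions for the example.

```python
import re
from collections import Counter

# Constructed from the three X-Spam-Status headers quoted in this thread,
# folded the way SpamAssassin 3.1 writes them.
MISSED_SPAM_HEADERS = [
    "X-Spam-Status: No, score=1.2 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2\n"
    "\tautolearn=no version=3.1.9",
    "X-Spam-Status: No, score=3.4 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2,\n"
    "\tHELO_DYNAMIC_SPLIT_IP autolearn=no version=3.1.9",
    "X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16\n"
    "\tautolearn=no version=3.1.9",
]
# Hypothetical header for a message the network tests did catch, for contrast.
CAUGHT_SPAM_HEADER = (
    "X-Spam-Status: Yes, score=9.1 required=4.0 tests=BAYES_99,URIBL_BLACK,\n"
    "\tURIBL_JP_SURBL autolearn=spam version=3.1.9"
)

# Rule-name prefixes that only fire when network tests are on (an approximation).
NETWORK_RULE_PREFIXES = ("URIBL_", "RCVD_IN_", "RAZOR2_", "PYZOR_", "DCC_")


def parse_spam_status(header):
    """Parse one, possibly folded, X-Spam-Status header into a dict with
    verdict, score, required, tests (a list) and any other key=value fields."""
    text = " ".join(header.split())                # unfold continuation lines
    if text.lower().startswith("x-spam-status:"):
        text = text.split(":", 1)[1].strip()
    verdict, _, rest = text.partition(",")
    fields = {"verdict": verdict.strip()}
    tokens = rest.split()
    i = 0
    while i < len(tokens):
        key, eq, value = tokens[i].partition("=")
        if eq:
            # SA folds a long tests= list after a comma; glue the pieces back.
            while value.endswith(",") and i + 1 < len(tokens) and "=" not in tokens[i + 1]:
                i += 1
                value += tokens[i]
            fields[key] = value
        i += 1
    fields["score"] = float(fields.get("score", "nan"))
    fields["required"] = float(fields.get("required", "nan"))
    fields["tests"] = [t for t in fields.get("tests", "").split(",") if t]
    return fields


def triage(headers):
    """Summarise a batch of headers: which rules hit on the messages that got
    through, how often BAYES_00 is among them, and whether any network-only
    rule fired on any message."""
    parsed = [parse_spam_status(h) for h in headers]
    missed = [p for p in parsed if p["verdict"] == "No"]
    rule_hits = Counter(t for p in missed for t in p["tests"])
    bayes_00 = sum(1 for p in missed if "BAYES_00" in p["tests"])
    network_hits = sum(
        1 for p in parsed if any(t.startswith(NETWORK_RULE_PREFIXES) for t in p["tests"])
    )
    findings = []
    if missed and bayes_00 / len(missed) >= 0.8:
        findings.append(
            "BAYES_00 on %d of %d missed messages: the Bayes db is mistrained or "
            "unusable; check 'sa-learn --dump magic' and how it is being trained"
            % (bayes_00, len(missed))
        )
    if network_hits == 0:
        findings.append(
            "no URIBL/RBL/Razor/Pyzor/DCC rule hit on any message: "
            "network tests are probably disabled"
        )
    return {
        "missed": len(missed),
        "bayes_00_on_missed": bayes_00,
        "network_hits": network_hits,
        "rule_hits": rule_hits,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(MISSED_SPAM_HEADERS)
    for rule, n in report["rule_hits"].most_common():
        print("%3d  %s" % (n, rule))
    for finding in report["findings"]:
        print("->", finding)
```

Feed it every X-Spam-Status header from the user's inbox over a day or two rather than a hand-picked handful; the rule frequency table is what tells you whether the problem is one mistrained database or a scanner that never runs the network rules.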
RE: Marc: use SPF to prevent backscatter? Was RE: [AMaViS-user] Q about mail proxy servers and setups
> > If whoever's responsible for the proxy is not able to
> implement normal recipient validation, I think this makes a
> good case that they aren't able to keep it running adequately.

It's worse, we have to feed it to 'yap' (yet another proxy) and THAT proxy also does no recipient validation, so I can send it ANYTHING.

Sure is a mess, and yes, you guessed it, I can't touch anything. It's: fix our fubar, but you can't touch anything, and we expect miracles with the box you put in, even if we have crappy policies, have a messed up proxy sending you email, (but, hey, our first proxy will drop emails that have host only (not FQDN) helo lines).

Oh, one more thing. They want us to out of the DMZ to the final proxy which is behind yet another router, but we won't put a route in the router to do it.

Not much I can do, all that had good suggestions, I will write this up, and thanks also to everyone who has been in this situation before and understood.

(I remember years ago in the nama-email group in the mid 90's, all the morons who kept yelling at the uninitiated 'get an anti-spam isp', and telling them they don't care if there is only one isp in the state.) It's now pretty much people who don't know anything yelling at people who know less.

_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_
Re: Marc: use SPF to prevent backscatter? Was RE: [AMaViS-user] Q about mail proxy servers and setups
On Sun, Sep 23, 2007 at 08:31:04PM -0400, Michael Scheidell wrote:
> One thing I would like to see (and this is a different subject:
> Marc: take note: I'd like to NOT BOUNCE an email back to the victim of
> backscatter if they bothered to publish SPF or SENDER ID records that
> don't match the incoming.
>
> (and, yes, this would NOT work behind a proxy)

As I said, it *could* if the proxy in question at least puts in a proper received header, and you can fish the info out of there. (If it doesn't, I believe it's in serious violation of RFC 821/2821 and 822/2822; a mailserver MUST insert a Received header for itself.)

> I would like the proxy to at LEAST have a copy of the valid userlist,
> NOT muck with the headers.

Do I understand from this that 1) it's store-and-forward, not transparently proxying, and 2) it doesn't currently validate the recipients before accepting the mail? If so, that's a pretty strong argument for either replacing or fixing it. Validating recipients at the edge has been BCP for email for many years now.

Once the mail is accepted into the network, I think the onus is on you collectively to either deliver or drop it, not bounce - not in the current email regime. Not only does bouncing cause misery to others whose addresses have been forged, not only does it make your company a backscatter spam source - which could get you on DNSBLs - it also means that you're doubtless wasting resources on having to accept and then generate bounces for an absurd amount of mail for users who don't exist except in the minds of some spambot.

If whoever's responsible for the proxy is not able to implement normal recipient validation, I think this makes a good case that they aren't able to keep it running adequately. I realize I'm preaching to the choir, but perhaps this offers some ammunition you can use to make your case.

> MAYBE do its load balancing via bridging rather than store forward.

If you can instead reengineer it to *shed* some of the existing load, by introducing more up-to-date antispam measures, that might be better than just balancing the load.

> That might fix a lot. But then again, it would be easier to replace the
> proxy than fix it.

It is starting to sound like it. But if you can do neither, I think you're better off trying to never bounce any spam - configure the MTA under your control to discard all undeliverable messages.

If company policy forbids that and says you *must* bounce mail to undeliverable addresses, perhaps you can at least get it agreed to bounce only *after* running the incoming stream through a spam/virus filter set to discard, so that you would generate NDNs only for mail which does not appear to be spam or a virus. This is the opposite of what would normally be considered the desirable sequence, but if the proxy is accepting the mail in the first place, and that's out of your hands, you can at least reduce the volume of spurious bounces.

All IMHO, naturally
-- Clifton

--
Clifton Royston -- [EMAIL PROTECTED] / [EMAIL PROTECTED]
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
Re: is this a bug? trying to avoid beeing marked as spam
> My mail still gets hit with Spam-scores and i don't know what to do at this
> point, maybe you do.

Getting a few points from SA on most any message is typical, not an exception. SA doesn't declare something to be spam until the total score exceeds the spam threshold. While this is configurable, the default value is 5 points.

> Old-X-HE-Spam-Report: Content analysis details: (2.4 points)

You only have 2.4 points. Unless someone grossly mis-configured an SA setup, that isn't a spam.

> 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS

This means what it says. Unless this is a result of the path the mail took in testing that is not a normal delivery path, you should see if you can fix the rDNS.

> 1.5 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words

This is basically saying that the body is largely image. That is a very typical spam sign, so is worth a point or two, or in this case 1.5 points. However, as I mentioned above, 1.5 is a lot less than 5, so this should generally not be noticed.

Loren
Re: sender name same as recipient name
Dave Pooser wrote:
>
>> plus any address @blah.com
>
> This is an extremely ill-advised practice; spammers have tried using
> @example.com addresses to send to example.com users for years. Hopefully
> you're using whitelist_from_rcvd or checking authentication or similar
> techniques.
>
> Also, are you using network tests? Assuming your timestamps are accurate
> all of these should have hit on one or more URIBL rules.
> --
> Dave Pooser
>

I am a newbie when it comes to SA settings. I am using a Plesk interface and it doesn't go into this level of detail. But I am shell savvy and can edit config files.

BUT... how could that 2nd spam example possibly get through with that subject line!!

How do I go about checking/setting: whitelist_from_rcvd, network tests ?

thanks

--
View this message in context: http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12869963
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: sender name same as recipient name
> plus any address @blah.com

This is an extremely ill-advised practice; spammers have tried using @example.com addresses to send to example.com users for years. Hopefully you're using whitelist_from_rcvd or checking authentication or similar techniques.

Also, are you using network tests? Assuming your timestamps are accurate all of these should have hit on one or more URIBL rules.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving safely in one pretty and well-preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!!" -- Bill McKenna
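To make the difference concrete, an added example (not Dave's code and not SpamAssassin's own implementation): two constructed messages modelled on the samples in this thread are run through a whitelist_from-style check, which looks only at the From: address and therefore passes the spoofed mail, and a whitelist_from_rcvd-style check, which additionally requires that the relay that handed the message to our MX has reverse DNS under the whitelisted domain. The MX name mx.blah.com, the relay names and the IPs are made up, and the example assumes the local MX is the only trusted relay, so the first Received: header marks the trust boundary; the real rule walks the Received: chain using trusted_networks to find that boundary.

```python
import email
import fnmatch
import re
from email import policy
from email.utils import parseaddr

# Constructed messages modelled on the samples posted in this thread.  Hosts,
# addresses and IPs are made up.  mx.blah.com is assumed to be the only trusted
# relay, so the Received: header it wrote (the first one) is the trust boundary.
SPOOFED = """\
Return-Path: <mark@blah.com>
Received: from 79-117-3-45.dynamic.example.net (79-117-3-45.dynamic.example.net [79.117.3.45])
\tby mx.blah.com (Postfix) with ESMTP id 1A2B3C
\tfor <mark@blah.com>; Mon, 24 Sep 2007 20:07:47 +0000
From: "mark" <mark@blah.com>
To: "mark" <mark@blah.com>
Subject: Anything goes down at these illegal.

Here ONLY! Hot content!
"""

GENUINE = """\
Return-Path: <alice@blah.com>
Received: from mail.blah.com (mail.blah.com [198.51.100.25])
\tby mx.blah.com (Postfix) with ESMTP id 4D5E6F
\tfor <mark@blah.com>; Mon, 24 Sep 2007 10:00:00 +0000
From: "alice" <alice@blah.com>
To: "mark" <mark@blah.com>
Subject: lunch?

Same time as usual?
"""

# 'from HELO (RDNS [IP])' as written by Postfix/Sendmail style MTAs.
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[0-9.]+)\]\)"
)


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def from_address(msg):
    return parseaddr(str(msg.get("From", "")))[1].lower()


def last_external_relay(msg):
    """The relay that handed the mail to our MX, taken from the Received:
    header the MX wrote.  Only the rDNS the MX looked up is used; the HELO
    name is whatever the client chose to say."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.match(" ".join(str(received[0]).split()))
    return m.groupdict() if m else None


def whitelist_from(msg, pattern):
    """whitelist_from semantics: the From: address alone decides.  Anyone can
    put any address in From:, so a spoofed sender passes."""
    return fnmatch.fnmatch(from_address(msg), pattern.lower())


def whitelist_from_rcvd(msg, pattern, rdns_domain):
    """whitelist_from_rcvd semantics: From: must match AND the delivering
    relay's reverse DNS must be rdns_domain or a host under it."""
    if not fnmatch.fnmatch(from_address(msg), pattern.lower()):
        return False
    relay = last_external_relay(msg)
    if relay is None:
        return False
    rdns = relay["rdns"].lower().rstrip(".")
    rdns_domain = rdns_domain.lower()
    return rdns == rdns_domain or rdns.endswith("." + rdns_domain)


def classify(raw, pattern="*@blah.com", rdns_domain="blah.com"):
    msg = parse_message(raw)
    return {
        "whitelist_from": whitelist_from(msg, pattern),
        "whitelist_from_rcvd": whitelist_from_rcvd(msg, pattern, rdns_domain),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        relay = last_external_relay(parse_message(raw))
        print(label, relay["rdns"], classify(raw))
```

In local.cf the corresponding change is `whitelist_from_rcvd *@blah.com blah.com` in place of `whitelist_from *@blah.com`, with the MX itself listed in trusted_networks so SpamAssassin knows whose Received: header to believe. The host name it compares against is the reverse DNS that the trusted MX recorded, never the HELO the client announced, and a spammer on a dynamic address cannot make that point back into blah.com.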
Re: sender name same as recipient name
The only whitelist addresses I have defined for him are my own email addresses, plus any address @blah.com.

Here are the headers & bodies of 3 of the spams that got through (and are continuing to come through at a high rate):

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on localhost.localdomain
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2
	autolearn=no version=3.1.9
...
From: "mark" <[EMAIL PROTECTED]>
To: "mark" <[EMAIL PROTECTED]>
Subject: Anything goes down at these illegal.
Date: Mon, 24 Sep 2007 20:07:47 -
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="us-ascii"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

Here ONLY! Hot content! Galleries with HQ-photos and HD-DVD movies. Hurry up!
http://himhz.com/fa
Join Now!

===

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on localhost.localdomain
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2,
	HELO_DYNAMIC_SPLIT_IP autolearn=no version=3.1.9
...
From: "mark" <[EMAIL PROTECTED]>
To: "mark" <[EMAIL PROTECTED]>
Subject: Gorgeous young hottie getting banged in her asshole
Date: Mon, 24 Sep 2007 18:23:29 -0100
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="us-ascii"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Antivirus: avast! (VPS 000776-0, 24/09/2007), Outbound message
X-Antivirus-Status: Clean

You have never seen this. Get inside and enjoy our models!
http://jokhome.com/hp
Get Unlimited access now

===

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on localhost.localdomain
X-Spam-Level:
X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
	autolearn=no version=3.1.9
...
From: "mark" <[EMAIL PROTECTED]>
To: "mark" <[EMAIL PROTECTED]>
Subject: Hot teen sluts double fuck of highest quality site...
Date: Mon, 24 Sep 2007 23:25:19 +0400
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="us-ascii"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

24 Hours a Day, 7 Days a Week, 365 Days a Year -We offer all our Porn content for you.
Check it: http://jokhome.com/sb1 and get it today..

--
View this message in context: http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12869685
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: [AMaViS-user] Marc: use SPF to prevent backscatter? Was RE: Q about mail proxy servers and setups
Marc, you shouldn't be bouncing e-mails back at all. Use D_REJECT and make sure you're doing it at the SMTP layer. SPF or DKIM is irrelevant in this situation.

On Sep 23, 2007, at 5:31 PM, Michael Scheidell wrote:
> One thing I would like to see (and this is a different subject:
> Marc: take note: I'd like to NOT BOUNCE an email back to the victim of
> backscatter if they bothered to publish SPF or SENDER ID records that
> don't match the incoming.
>
> (and, yes, this would NOT work behind a proxy)
>
> I would like the proxy to at LEAST have a copy of the valid userlist,
> NOT muck with the headers.
>
> MAYBE do its load balancing via bridging rather than store forward.
>
> That might fix a lot. But then again, it would be easier to replace the
> proxy than fix it.
>
> --
> Michael Scheidell, CTO
> Office: 561-999-5000 x 1259
> Direct: 561-939-7259
> Real time security alerts: http://www.secnap.com/news

___
AMaViS-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: [AMaViS-user] Q about mail proxy servers and setups
On Sep 23, 2007, at 5:17 PM, Michael Scheidell wrote:
> Anyone have an answer that isn't obvious? I already said I can't put it on the proxy.

No, you didn't. You mentioned that as an option.

And stop being rude to people who answer the question you asked.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: sender name same as recipient name
Hi, feral

2007/9/24, feral <[EMAIL PROTECTED]>:
>
> Sorry if this is a well-known issue... first I have encountered it.
>
> I am using SA 3.1.9 installed on a CentOS Linux system.
>
> One of my clients just noticed a huge spike in spam getting
> through, even though SA is turned on for his email account at
> sensitivity level 4.
>
> For the sake of anonymity, let's say my client's domain is blah.com.
>
> His address is [EMAIL PROTECTED] 99% of the spam emails
> he received during this spike were from [EMAIL PROTECTED]
> (where "something" represents various domains.)
>
> Question: is SA not filtering out these obvious spams because
> the name "mark" is the same as the name on my client's
> account?
>
> thanks,
> Feral
> --
> View this message in context:
> http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12868410
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>

Do you have a sample of these spams? Have you whitelisted something like "marc@"?

Show us a sample of the spammy messages, with all the headers, and more could be told.

Luis
--
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
Re: sender name same as recipient name
On Mon, 24 Sep 2007, feral wrote:

> Question: is SA not filtering out these obvious spams because the
> name "mark" is the same as the name on my client's account?

That depends on the rules in use. If a rule like From ~= /mark\@/ with a high negative score was defined, sure!

Would it be possible for you to post all of the headers from one of his false negatives, so we can see what rules are hitting?

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Pelley: Will you pledge not to test a nuclear weapon?
Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
-- Teflon Mahmoud in a 60 Minutes interview (9/20/2007)
---
244 days until the Mars Phoenix lander arrives at Mars
sender name same as recipient name
Sorry if this is a well-known issue... first I have encountered it.

I am using SA 3.1.9 installed on a CentOS Linux system.

One of my clients just noticed a huge spike in spam getting through, even though SA is turned on for his email account at sensitivity level 4.

For the sake of anonymity, let's say my client's domain is blah.com.

His address is [EMAIL PROTECTED] 99% of the spam emails he received during this spike were from [EMAIL PROTECTED] (where "something" represents various domains.)

Question: is SA not filtering out these obvious spams because the name "mark" is the same as the name on my client's account?

thanks,
Feral

--
View this message in context: http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12868410
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Converting to MySQL
Raquel,

2007/9/24, Raquel <[EMAIL PROTECTED]>:
> On a new server I'm running Debian Etch, Sendmail and SpamA ssassin,
> hosting email for a few accounts. I'm contemplating converting my
> SpamAssassin to using MySQL. Is there a "HOWTO" somewhere which
> would be good to follow?
>
> --
> Raquel
>
> Racism is a learned affliction and anything that is learned can be
> unlearned.
> --Jane Elliott
>

You could try MrC's Howto: http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html

Peace,
Luis
--
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
Re: Converting to MySQL
At 12:44 PM Monday, 9/24/2007, you wrote -=>
> On a new server I'm running Debian Etch, Sendmail and SpamAssassin,
> hosting email for a few accounts. I'm contemplating converting my
> SpamAssassin to using MySQL. Is there a "HOWTO" somewhere which
> would be good to follow?

To set up the MySQL db:
http://svn.apache.org/repos/asf/spamassassin/branches/3.2/sql/README

and then from
http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeBayes?highlight=%28mysql%29

Converting Bayes Data From a DBM Database
-

Converting your bayes database data from Berkeley (DBM) based storage to SQL based storage is as simple as a backup and then restore.

If you are upgrading from a previous version of SpamAssassin you should first follow any recommended upgrade instructions for that release, in most cases this will be as simple as running an sa-learn --sync

Once you have performed this upgrade, for each bayes database follow this procedure:

o Run 'sa-learn --backup > backup.txt' which will backup your bayes data into a text file.
o Optionally you can run 'sa-learn --clear' to remove the DBM based bayes files.
o Modify your local.cf file according to the directions above.
o Run 'sa-learn --spam ' to initialize the database.
o Run 'sa-learn --restore backup.txt' to restore your bayes data to the SQL database.

NOTE: sa-learn must be run as the user whose data you are loading, or you must make use of the bayes_sql_override_username config option.

NOTE: failure to use 'sa-learn --spam ' on an initial spam message will result in the error message "bayes: unable to initialize database for user, aborting!"

I suggest you read all the docs before proceeding. I did the same upgrade a while back and had no problems...

Ed Kasky

~
Randomly Generated Quote (446 of 568):
Our task must be to free ourselves...by widening our circle of compassion to embrace all living creatures and the whole of nature and its beauty.
- Albert Einstein
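An added example, not part of Ed's post or of the SpamAssassin documentation he quotes: a small wrapper around the procedure above that refuses to run sa-learn --clear until the backup has passed a sanity check, since the backup is the only copy of the training data once the DBM files are gone. check_backup validates the text sa-learn --backup writes (a "v" record carrying db_version on the first line, "v" records for num_spam and num_nonspam, then "t" token and "s" seen-message records; anything else is reported as a warning rather than an error) and warns when either count is below the 200 that Bayes needs before it scores anything (the bayes_min_spam_num / bayes_min_ham_num defaults). The two phases are split because local.cf has to be switched to the SQL store between them. The backup path, the seed spam file, the sa-learn location and the sample backup text are assumptions for the example.

```python
import subprocess
import sys
from pathlib import Path

# SpamAssassin defaults for bayes_min_spam_num / bayes_min_ham_num: below this
# Bayes has not learned enough to act on.
BAYES_MIN_NUM = 200

# Constructed sample of `sa-learn --backup` output: 'v' variable records first,
# db_version on line one, then 't' token and 's' seen-message records.
SAMPLE_BACKUP = (
    "v\t3\tdb_version # this must be the first line!!!\n"
    "v\t512\tnum_spam\n"
    "v\t640\tnum_nonspam\n"
    "t\t3\t0\t1190650000\t49e3ab0c12\n"
    "t\t0\t7\t1190650100\t7a11be09dd\n"
    "s\ts\t<constructed-msgid-1@example.net>\n"
)


def check_backup(text):
    """Validate sa-learn --backup output before anything is cleared.
    Returns (ok, info); info carries counts, fatal problems and warnings."""
    problems, warnings, counts = [], [], {}
    ntokens = nseen = 0
    lines = text.splitlines()
    if not lines or not (lines[0].startswith("v\t") and "db_version" in lines[0]):
        problems.append("first line is not the 'v <n> db_version' record")
    for n, line in enumerate(lines, 1):
        parts = line.split("\t")
        kind = parts[0]
        if kind == "v" and len(parts) >= 3:
            key = parts[2].split()[0]          # drop the '# ...' comment on db_version
            try:
                counts[key] = int(parts[1])
            except ValueError:
                problems.append("line %d: non-integer value for %s" % (n, key))
        elif kind == "t" and len(parts) == 5:
            ntokens += 1
        elif kind == "s" and len(parts) == 3:
            nseen += 1
        elif line.strip():
            warnings.append("line %d: unrecognised record %r" % (n, line[:40]))
    for key in ("num_spam", "num_nonspam"):
        if key not in counts:
            problems.append("missing %s record" % key)
        elif counts[key] < BAYES_MIN_NUM:
            warnings.append("%s=%d is below %d; Bayes will not score until trained further"
                            % (key, counts[key], BAYES_MIN_NUM))
    if ntokens == 0:
        problems.append("no token records: restoring this would give an empty database")
    info = {"counts": counts, "tokens": ntokens, "seen": nseen,
            "problems": problems, "warnings": warnings}
    return (not problems, info)


def sa_learn(*args, binary="sa-learn"):
    """Run sa-learn as the current user (the user whose Bayes data is migrated)."""
    return subprocess.run([binary, *args], check=True, text=True,
                          capture_output=True).stdout


def phase_backup(backup_path, clear_dbm=False):
    """Phase 1: run while local.cf still points at the DBM store."""
    sa_learn("--sync")
    text = sa_learn("--backup")
    Path(backup_path).write_text(text)
    ok, info = check_backup(text)
    for w in info["warnings"]:
        print("warning:", w)
    if not ok:
        for p in info["problems"]:
            print("problem:", p)
        raise SystemExit("backup failed its sanity check; DBM files left in place")
    print("backup ok:", info["counts"], "tokens:", info["tokens"])
    if clear_dbm:
        sa_learn("--clear")


def phase_restore(backup_path, seed_spam):
    """Phase 2: run after local.cf has been switched to the SQL store
    (bayes_store_module Mail::SpamAssassin::BayesStore::SQL plus bayes_sql_dsn
    and credentials, per the README linked above)."""
    sa_learn("--spam", seed_spam)          # creates the SQL rows for this user
    sa_learn("--restore", backup_path)
    print(sa_learn("--dump", "magic"))     # confirm the counts came across


if __name__ == "__main__":
    if len(sys.argv) >= 3 and sys.argv[1] == "backup":
        phase_backup(sys.argv[2], clear_dbm="--clear" in sys.argv[3:])
    elif len(sys.argv) == 4 and sys.argv[1] == "restore":
        phase_restore(sys.argv[2], sys.argv[3])
    else:
        sys.exit("usage: %s backup BACKUP.txt [--clear] | restore BACKUP.txt SEED.eml"
                 % sys.argv[0])
```

Run phase 1 as each user whose database is being moved (or with bayes_sql_override_username set, as the note above says), keep the backup file until the dump magic after phase 2 shows the same spam and ham counts, and only then clear the DBM files.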
RE: is this a bug? trying to avoid beeing marked as spam
> 0.8 ZMIvirSobY_SUB33 SPAM from Sober-Y-Virus

This score has nothing to do with detecting or not detecting a virus in the message. It is detecting specific text: "Ihr Passwort" and it is likely specific to the test message you are using.

I can't speak to why the other rule is getting hit.

- Skip
is this a bug? trying to avoid beeing marked as spam
Hi there,

i'm programming a website backend and it is sending emails to confirm registrations, password-recovs and other functions (no spam of course). My mail still gets hit with Spam-scores and i don't know what to do at this point, maybe you do.

Old-X-HE-Spam-Report: Content analysis details: (2.4 points)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 0.8 ZMIvirSobY_SUB33       SPAM from Sober-Y-Virus
 1.5 HTML_IMAGE_ONLY_28     BODY: HTML: images with 2400-2800 bytes of words

first of all: it is absolutely impossible that the email contains a virus. it is sent via php from a 1&1 shared webhosting server.

because the image scores most with its 1.5 points i reduced the image size to 1358 bytes but it still says it is too big (if that's what the rule means).

so what can i do? i'd really prefer the company's mail not be marked as spam. most users won't check their spam-folders and then chaos will be perfect.

i already changed from base64 to quoted printable encoding, also the html-text matches exactly the plain text part. the image contained in the email shows the company's logo, nothing else. it is embedded remotely via https.

The Complete Email: (sensitive data = *)

>From - Mon Sep 24 21:52:30 2007
X-Account-Key: account2
X-UIDL: 1168351184.21790
X-Mozilla-Status:
X-Mozilla-Status2:
X-Mozilla-Keys:
Return-path: <*>
Delivery-date: Mon, 24 Sep 2007 21:51:02 +0200
Received: from mi021.mc1.hosteurope.de ([80.237.138.234])
	by wp100.webpack.hosteurope.de running ExIM using esmtp
	id 1IZtxO-0006BU-3x; Mon, 24 Sep 2007 21:51:02 +0200
Received: from murphysplan.de ([87.106.22.114])
	by mx0.webpack.hosteurope.de (mi021.mc1.hosteurope.de) using esmtp
	id 1IZtx2-0008KT-UN for *; Mon, 24 Sep 2007 21:50:47 +0200
Received: from [127.0.0.1] (helo=infongd9879.rtr.kundenserver.de)
	by murphysplan.de with esmtp (Exim 3.35 #1)
	id 1IZtx1-0004d4-00 for *; Mon, 24 Sep 2007 21:50:39 +0200
Received: from 85.179.232.76 (IP may be forged by CGI script)
	by infongd9879.rtr.kundenserver.de with HTTP
	id 0XgogL-1IZtx13oio-0004d0; Mon, 24 Sep 2007 21:50:39 +0200
X-Sender-Info: <[EMAIL PROTECTED]>
Date: Mon, 24 Sep 2007 21:50:39 +0200
Message-Id: <[EMAIL PROTECTED]>
Precedence: bulk
To: *
Subject: Ihr Passwort, *.com
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary = SJSDHD9348934--KJSFKJ398453897348---7834SJFS--DJNS
X-HE-Virus-Scanned: yes
Old-X-HE-Spam-Level: ++
Old-X-HE-Spam-Score: 2.4
Old-X-HE-Spam-Report: Content analysis details: (2.4 points)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 0.8 ZMIvirSobY_SUB33       SPAM from Sober-Y-Virus
 1.5 HTML_IMAGE_ONLY_28     BODY: HTML: images with 2400-2800 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
Envelope-to: *
X-HE-Spam-Score: 0.0
X-HE-Spam-Report: Customer whitelisted
X-HE-Spam-Level: /

This is a MIME encoded message.

--SJSDHD9348934--KJSFKJ398453897348---7834SJFS--DJNS
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

... the plain text part

--SJSDHD9348934--KJSFKJ398453897348---7834SJFS--DJNS
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

... the html part ...

--
View this message in context: http://www.nabble.com/is-this-a-bug--trying-to-avoid-beeing-marked-as-spam-tf4511579.html#a12867609
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Problem logging from SA when running Amavisd
> Jeff,
>> What I was hoping to do was write stuff to the log file for a week or
>> two using the info() method. Then I could grep out my lines, get
>> the data analyzed, and then finish the plugin.
>>
>> I am a fairly experienced programmer but I have not used object oriented
>> Perl before. Thankfully it doesn't seem that different from other OO
>> languages. Anyway I don't mind hacking up a temporary version of
>> Amavisd if you could tell me how to get SA to quit logging to STDERR.
>
> Ok, here is a patch to amavisd-new 2.5.2 (works with SA 3.2.3), which
> achieves what you need, or at least should get you going. It hooks
> its own logging module into SpamAssassin, so it receives all logging
> from SA. It maps SpamAssassin log levels into amavisd log levels
> (which in turn are mapped into syslog priorities), so you should
> be seeing for example SA 'info:' at amavisd log level 1, and 'dbg:'
> at log level 5 (so you must have $log_level=5 in order to see dbg:).
> Change the mapping to taste if you like.

---snip snip snip--

Thanks for the patch Mark. I'll put it in production tomorrow.

Could you please take a minute to explain the underlying issue to me. I don't understand why SA does not log without the patch. Is SA intentionally logging to STDERR, or is Amavisd's connection to syslog causing SA to lose its connection?

Jeff Moss
Re: Confusing issue regarding SPF_FAIL and local delivery
On Sun, 23 Sep 2007, Magnus Holmgren wrote:
> On Sunday 23 September 2007 18:50, John D. Hardin wrote:
> > On Sun, 23 Sep 2007, Jari Fredriksson wrote:
> > > > SpamAssassin's trusted_network configuration caught my
> > > > eye. What exactly does this do, and should I put my box's
> > > > ip address in there?
> > >
> > > Absolutely. You put all your internal servers and possible ISP
> > > servers there too. Trusted networks are networks and hosts that
> > > you trust are not generating spam.
> >
> > Incorrect! "trust" means the Received: headers they generate are
> > trusted to be accurate (i.e. not forged), **not** that those hosts are
> > not originating spam!
>
> No, Jari is correct. He also wrote "And mostly, they will not
> tamper with email headers, that's what the trust is about.", but
> you left that out. And hosts in trusted_networks *are* (mildly)
> trusted not to originate spam. That's what ALL_TRUSTED is about.

That's fair. I focused too quickly on the "not generate spam" part. Apologies.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174
pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #7: In ten years nobody will remember the details of caliber, stance, or tactics. They will only remember who lived.
---
244 days until the Mars Phoenix lander arrives at Mars
Converting to MySQL
On a new server I'm running Debian Etch, Sendmail and SpamAssassin, hosting email for a few accounts. I'm contemplating converting my SpamAssassin to using MySQL. Is there a "HOWTO" somewhere which would be good to follow? -- Raquel Racism is a learned affliction and anything that is learned can be unlearned. --Jane Elliott
Re: Every e-mail is now getting a new score, creating a lot of false positives.
Just in case, make sure the --lint passes with no complaints, e.g:

  # su vscan -c 'spamassassin --lint'

David B Funk writes,
> Cannot tell for sure (I don't use amavisd) but that looks like something
> is broken in the way that messages are being passed into the SA engine so
> that it no longer 'sees' headers vs body part of the message.
> The RFC message format is headers first, then a blank line then body.
> So if something is feeding a blank line to SA -first- then the message,
> SA will think that the message has no headers and -all- of it is "body".

So it seems. I'm not aware of any such compatibility problems between amavisd and SpamAssassin, it is more likely it is a mail submission problem, or there was really such a broken mail that arrived to MTA 'from the wild'.

> Is there some way to collect telemetry on what is actually being fed into
> the SA engine? Some amavisd option that is equivalent to running spamd
> with the '-D' option?

The

  # amavisd debug-sa

turns on SpamAssassin logging. If a mail gathered enough spam points it was already captured in a quarantine and can be examined there. An alternative is to specify a 'test sender address', e.g.:

  @debug_sender_maps = ( ['[EMAIL PROTECTED]'] );

When a mail is seen whose envelope sender address matches the configured one, a temporary file with a message is preserved and can be examined. The log reports the fact, and tells the directory, e.g.:

  (42432-01) DEBUG_ONESHOT CAUSES EVIDENCE TO BE PRESERVED
  (42432-01) (!)PRESERVING EVIDENCE in /var/amavis/tmp-am/amavis-20070924T195255-42432

Mark
Re: Every e-mail is now getting a new score, creating a lot of false positives.
On Mon, 24 Sep 2007, cpayne wrote:
> Guys,
>
> I am not sure when this started but now every e-mail that comes on to my
> box has this score...
>
> 2.0 MISSING_SUBJECT Missing Subject: header
> -0.0 NO_RECEIVED Informational: message has no Received headers
> 0.1 TO_CC_NONE No To: or Cc: header
>
> I use amavisd, spamassassin, and postfix. What rule set this? Why would
> every email be getting this.
>
> Chuck

Cannot tell for sure (I don't use amavisd) but that looks like something is broken in the way that messages are being passed into the SA engine so that it no longer 'sees' headers vs body part of the message. The RFC message format is headers first, then a blank line then body. So if something is feeding a blank line to SA -first- then the message, SA will think that the message has no headers and -all- of it is "body".

Is there some way to collect telemetry on what is actually being fed into the SA engine? Some amavisd option that is equivalent to running spamd with the '-D' option?

--
Dave Funk University of Iowa
College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include Better is not better, 'standard' is better. B{
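The header/body split Dave describes (and Mark confirms in his reply), as an added example that is not code from this thread, from SpamAssassin or from amavisd: a small Python script parses two constructed messages the way an RFC 5322 reader does and shows that a single stray empty line in front of the header block makes every header vanish into the body, so the three rules Chuck sees would fire on every message. The three rule checks at the end are my approximation of what those rules test (absence of the header), not SpamAssassin's rule code; the sample message and its hosts are constructed.

```python
"""Added example, not code from the thread: why a leading blank line makes
SpamAssassin (or any RFC 5322 parser) see a message with no headers."""
from email import message_from_bytes
from email.policy import compat32

# Constructed sample message (documentation names and addresses only).
GOOD_MESSAGE = (
    b"Received: from mx.example.net ([192.0.2.10]) by mail.example.org\r\n"
    b"\twith esmtp id 1IZtx1-0004d4-00; Mon, 24 Sep 2007 21:50:39 +0200\r\n"
    b"From: sender@example.net\r\n"
    b"To: recipient@example.org\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"Hello.\r\n"
)

# The same bytes with one empty line in front: what a broken hand-off
# between the MTA, the glue and the scanner would feed to the engine.
BROKEN_MESSAGE = b"\r\n" + GOOD_MESSAGE


def starts_with_blank_line(raw: bytes) -> bool:
    """Cheap pre-check for the failure mode discussed in the thread."""
    return raw.startswith(b"\r\n") or raw.startswith(b"\n")


def header_view(raw: bytes) -> dict:
    """Parse like an RFC 5322 reader: the first empty line ends the header
    block, so an empty first line means an empty header block."""
    msg = message_from_bytes(raw, policy=compat32)
    return {
        "header_count": len(msg.keys()),
        "has_subject": msg.get("Subject") is not None,
        "received_count": len(msg.get_all("Received", [])),
        "has_to_or_cc": msg.get("To") is not None or msg.get("Cc") is not None,
        # With the blank line in front, the Received: line is the *body*.
        "body_starts_with": msg.get_payload()[:9],
    }


def rules_that_fire(raw: bytes) -> set:
    """Approximation of the three header-absence rules from the report
    (MISSING_SUBJECT, NO_RECEIVED, TO_CC_NONE); not SpamAssassin's code."""
    v = header_view(raw)
    fired = set()
    if not v["has_subject"]:
        fired.add("MISSING_SUBJECT")
    if v["received_count"] == 0:
        fired.add("NO_RECEIVED")
    if not v["has_to_or_cc"]:
        fired.add("TO_CC_NONE")
    return fired


if __name__ == "__main__":
    for name, raw in (("good", GOOD_MESSAGE), ("broken", BROKEN_MESSAGE)):
        print(name, header_view(raw), sorted(rules_that_fire(raw)))
```

Run against a message preserved with Mark's `@debug_sender_maps` trick (or pulled from the quarantine), `starts_with_blank_line()` on the raw file is the one-line test for this particular breakage; if it is false and the rules still fire, the problem is somewhere other than a leading separator.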
too high score with similar rules: DATE_IN_FUTURE_96_XX and FH_DATE_PAST_20XX
Hello,

is it correct and by a reason, when two similar rules, like FH_DATE_PAST_20XX and DATE_IN_FUTURE_96_XX both match, causing the same problem to score 7.3 ?

X-Spam-Report:
 * 3.4 FH_DATE_PAST_20XX The date is grossly in the future.
 * 3.9 DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date

Yes, I know user should fix his/hers system date:

Date: Sun, 22 Sep 2024 20:35:27 +0200

But why to have two rules to catch the same problem?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends?
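The overlap Matus asks about, as an added example that is not code from this thread or from SpamAssassin: both checks are re-implemented in Python and run on the Date: header he quotes. The two functions are my illustrative models, not the SpamAssassin rule definitions: FH_DATE_PAST_20XX is modelled as "the year in Date: is 2010 or later" (the regex is an assumption about the rule's shape), DATE_IN_FUTURE_96_XX as "Date: is at least 96 hours after the newest Received: timestamp". The Received: timestamp and the second, sane Date: header are constructed; the scores are the ones in his X-Spam-Report.

```python
"""Added example, not code from the thread or SpamAssassin: a fixed-year
check and a relative 96-hour check evaluated on the same Date: header."""
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Assumed shape of the "20XX" check (an assumption, not the rule's regex):
# any four-digit year from 2010 to 2099 anywhere in the header value.
YEAR_20XX_RE = re.compile(r"\b20[1-9]\d\b")

# Scores copied from the X-Spam-Report in the post.
SCORES = {"FH_DATE_PAST_20XX": 3.4, "DATE_IN_FUTURE_96_XX": 3.9}

DATE_FROM_POST = "Sun, 22 Sep 2024 20:35:27 +0200"
RECEIVED_DATE = "Mon, 24 Sep 2007 12:00:00 +0200"   # constructed "now"


def fh_date_past_20xx(date_header: str) -> bool:
    """Fires on a Date: year in 2010..2099, whatever the real date is."""
    return YEAR_20XX_RE.search(date_header) is not None


def date_in_future_96(date_header: str, received_date: str) -> bool:
    """Fires when Date: is 96 h or more after the Received: timestamp."""
    sent = parsedate_to_datetime(date_header)          # tz-aware
    received = parsedate_to_datetime(received_date)    # tz-aware
    return sent - received >= timedelta(hours=96)


def date_rules(date_header: str, received_date: str) -> dict:
    """Which of the two rules hit for this header pair."""
    return {
        "FH_DATE_PAST_20XX": fh_date_past_20xx(date_header),
        "DATE_IN_FUTURE_96_XX": date_in_future_96(date_header, received_date),
    }


def added_score(hits: dict) -> float:
    """Points the two rules add together; 7.3 for the post's message."""
    return round(sum(SCORES[r] for r, hit in hits.items() if hit), 1)


if __name__ == "__main__":
    hits = date_rules(DATE_FROM_POST, RECEIVED_DATE)
    print(hits, added_score(hits))
```

The two checks only coincide for a far-future year. A year-literal rule has no notion of the real date, so it also scores every message correctly dated in those years once the calendar gets there; the relative check against the Received: timestamp stays meaningful regardless of the year, which is a reason to prefer it where only one of the two should carry weight.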
FH_HOST_ALMOST_IP for static addresses?
Hello,

our customers match FH_HOST_ALMOST_IP even when their DNS contains word 'static':

X-Spam-Report:
 * 3.8 FH_HOST_ALMOST_IP The host almost looks like an IP addr.

Received: from ksd (static-081-024-203.dsl.nextra.sk [212.81.24.203]) by mailhub2.nextra.sk with esmtp; Tue, 18 Sep 2007 10:12:32 +0200 id 0024947F.46EF8870.A622

Afaik similar problem with RDNS_DYNAMIC was solved in 3.2.2 by adding the __RDNS_STATIC meta, which made RDNS_DYNAMIC not match. Shouldn't FH_HOST_ALMOST_IP contain the same check for __RDNS_STATIC ?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.
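The gating Matus suggests, as an added example that is not code from this thread or from SpamAssassin: parse the Received: header he quotes, apply an "almost looks like an IP" heuristic to the reverse-DNS name, and compare the verdict with and without a "static" exemption of the kind __RDNS_STATIC provides for RDNS_DYNAMIC. Both patterns (the almost-IP test and the static test) and the Received: layout regex are illustrative approximations I wrote for this example, not SpamAssassin's rule regexes; the second hostname in the test is constructed.

```python
"""Added example, not code from the thread or SpamAssassin: an almost-IP
rDNS heuristic with and without a 'static' exemption."""
import re

# Received: header from the post.
RECEIVED_FROM_POST = (
    "from ksd (static-081-024-203.dsl.nextra.sk [212.81.24.203]) "
    "by mailhub2.nextra.sk with esmtp; Tue, 18 Sep 2007 10:12:32 +0200 "
    "id 0024947F.46EF8870.A622"
)

# "from HELO (rdns [ip])" as the common MTAs write it (assumed layout).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)
# Illustrative: three or more 1-3 digit groups joined by . _ or - look
# like an address folded into a hostname.
ALMOST_IP_RE = re.compile(r"(?:^|[^0-9a-z])\d{1,3}(?:[-._]\d{1,3}){2,}", re.I)
# Illustrative stand-in for the __RDNS_STATIC idea.
STATIC_RE = re.compile(r"static", re.I)


def parse_received(header: str) -> dict:
    """Extract HELO name, reverse-DNS name and IP from one Received: line."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received: layout")
    return m.groupdict()


def host_almost_ip(rdns: str) -> bool:
    return ALMOST_IP_RE.search(rdns) is not None


def rdns_static(rdns: str) -> bool:
    return STATIC_RE.search(rdns) is not None


def fh_host_almost_ip(rdns: str, gate_on_static: bool) -> bool:
    """Ungated: fires on any almost-IP name (the behaviour in the post).
    Gated: an explicit 'static' label suppresses it, the way __RDNS_STATIC
    already suppresses RDNS_DYNAMIC."""
    hit = host_almost_ip(rdns)
    if gate_on_static and rdns_static(rdns):
        return False
    return hit


if __name__ == "__main__":
    r = parse_received(RECEIVED_FROM_POST)
    for gated in (False, True):
        print(r["rdns"], "gated" if gated else "ungated",
              fh_host_almost_ip(r["rdns"], gate_on_static=gated))
```

The gate only changes the verdict for names that carry the static marker; a pool-style name with the same digit pattern and no such label still fires either way, which is the behaviour the rule is meant to keep.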
TIMEOUT
Hi all

I was just checking headers on messages that were flagged (by my own rules in outlook) and I'm curious as to what exactly it means:

_cbl.abuseat.org_TIMEOUT, __dnsbl.njabl.org_TIMEOUT, __sbl.spamhaus.org_TIMEOUT

Now these emails are by no means spam- they are from the university labmanagers listserve-

Jean-Paul
Re: Some clarification on debug message
Asif Iqbal wrote:
> I am running spamassassin 3.2.3 and I get the following messages during debug
>
> [28083] dbg: config: fixed relative path: /var/lib/spamassassin/3.002003/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf
> [28083] dbg: config: using "/var/lib/spamassassin/3.002003/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf" for included file
> [28083] dbg: config: read file /var/lib/spamassassin/3.002003/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf
> [28083] dbg: config: fixed relative path: /var/lib/spamassassin/3.002003/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/20050602.cf
> [28083] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E
> [28083] dbg: rules: PREVENT_NONDELIVERY merged duplicates: SARE_HEAD_HDR_PREVNDR
>
> Is there some thing I need to fix to avoid fixed relative path message?

No, just ignore it.

> How do I find out duplicate rules? I am assuming I keep the one in /usr/local/share/spamassassin in that case?

SA tells you there are duplicates. Then SA merges them for you. Unless you're doing rule development you can ignore these messages too.

Daryl
Some clarification on debug message
I am running spamassassin 3.2.3 and I get the following messages during debug

[28083] dbg: config: fixed relative path: /var/lib/spamassassin/3.002003/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf
[28083] dbg: config: using "/var/lib/spamassassin/3.002003/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf" for included file
[28083] dbg: config: read file /var/lib/spamassassin/3.002003/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf
[28083] dbg: config: fixed relative path: /var/lib/spamassassin/3.002003/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/20050602.cf
[28083] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E
[28083] dbg: rules: PREVENT_NONDELIVERY merged duplicates: SARE_HEAD_HDR_PREVNDR

Is there some thing I need to fix to avoid fixed relative path message?

How do I find out duplicate rules? I am assuming I keep the one in /usr/local/share/spamassassin in that case?

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
Re: Q about mail proxy servers and setups
Michael,

> I tried. That was my first suggestion. That would fix graylisting
> (which I don't do), fix SPF and SPF HELO, and SENDER ID, blacklisting,
> tarpitting, etc.

SPF, sid, blacklisting etc. work just fine on an internal host as long as the proxy is preserving the information about the client connection in a Received header field, and (trusted/internal/msa)_networks is configured correctly.

> MIGHT fix p0f, but don't know.

The p0f itself MUST see the original raw TCP session in order to be able to analyze it. This means that p0f needs to be on the first-contact machine where TCP session is terminated (e.g. on a mail proxy). As a clumsy workaround, the mail proxy could capture a tcpdump of the start of a session (first few packets) and pass it to a remote p0f for analysis, but this is even more cumbersome. Or perhaps a L2 port mirroring could be used as another clumsy workaround.

As long as the p0f daemon itself can be located on a mail proxy host, the actual mail content filtering (e.g. MTA+amavisd+SpamAssassin) may be running on a different host, it just needs to be able to obtain information from the p0f daemon from the external host. Either through a p0f-analyzer.pl running along with p0f on an external host (this is simplest), or perhaps by feeding the streaming output of 'p0f -l' to the internal host.

Mark
Re: Marc: use SPF to prevent backscatter? Was RE: [AMaViS-user] Q about mail proxy servers and setups
Michael Scheidell wrote:
> One thing I would like to see (and this is a different subject: Marc: take note: I'd like to NOT BOUNCE an email back to the victim of backscatter if they bothered to publish SPF or SENDER ID records that don't match the incoming.

It's the other way around. you should only bounce if you can be sure the sender was not forged. So, if there is no SPF record, or if the SPF record allows the whole universe (or a significant part of it:), then you must not bounce. anyway, SPF penetration is too low to change anything to the problem here. same for DKIM for now. (and, yes, this would NOT work behind a proxy)

> I would like the proxy to at LEAST have a copy of the valid userlist,

This would be a good start.

> NOT muck with the headers. MAYBE do its load balancing via bridging rather than store forward.

this is not easy to do:
- most IP stacks do not allow you to bind to an external IP. so you would need adding dynamic NAT routes (and even this is not that simple, because you need different NAT rules for different connections, so the proxy needs to bind to a port before adding the NAT rule and before doing a connect()).
- in any case, the proxy needs to be modified (in a modified stack, it would just bind to the client IP. in a standard stack, it should do the above).
- the final server must route back packets through the proxy machine, probably with a default route. but then you must ensure no host that is not routed this way will not connect to the proxy (there's no "conference" in TCP).
- any intermediary routers/gateways/... should keep this traffic going between the proxy and the final server.

it would certainly be easier to modify the proxy to fix the real problem than try to convert it into a "bridging proxy" (I don't like "transparent proxy" term: there are many levels of transparency).

> That might fix a lot. But then again, it would be easier to replace the proxy than fix it.

yes. fixing problems introduced by legacy applications is often harder than solving the real problems (and getting rid of the legacy apps)... Unfortunately, there's much "feeling" and "confidence" issues when trying to convince the customer to take another road (and sometimes, the customer representative will resist the change because he did not suggest it, or because he can no more justify a lost budget).
Re: Q about mail proxy servers and setups
Michael Scheidell wrote:
> -----Original Message-----
> From: David B Funk [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 24, 2007 12:07 AM
> To: Michael Scheidell
> Cc: users@spamassassin.apache.org; Amavis-Users
> Subject: RE: Q about mail proxy servers and setups
>
> > On Sun, 23 Sep 2007, Michael Scheidell wrote:
> > > For the purposes of this discussion, the biggest reason I can't be on
> > > the edge where I'd like to be is that there is a massive proxy/load
> > > balancer/failover device that does more than email.
> > >
> > > Many firewalls 'proxy' the email also, so its not like you can take it
> > > out.
> >
> > Is there any chance you can talk them into running a -transparent- SMTP
> > proxy rather than a SMTP relay? It acts more like an ISO layer 2 bridge
> > (but specific to SMTP traffic) so not to disturb the contents.
>
> As you might suspect, one of the IT people at this company who has been there 20 years wrote the thing. I tried. That was my first suggestion. That would fix graylisting (which I don't do),

not important. but see below.

> fix SPF and SPF HELO, and SENDER ID,

if the proxy adds the right Received headers (the same way postfix and sendmail would do), there should be no problem if you configure trusted_networks and internal_networks (thanks to matus for the reminder).

> blacklisting, tarpitting, etc. MIGHT fix p0f, but don't know. I am going to write up a whitepaper on why NOT to put an anti-spam/MTA behind a proxy, cite all relevant, good suggestions and send it to them.

it really depends on whether you can add a box before the proxy to implement blacklisting and other things. (but if the proxy needs the client IP, some work is needed. so it's a budget question).
Re: Every e-mail is now getting a new score, creating a lot of false positives.
Daryl C. W. O'Shea wrote:
> Matthias Haegele wrote:
> > cpayne wrote:
> > > 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 0.9974]
> >
> > btw: 0.99 for Bayes_99 seems really low for me, but that depends on your policy ...
>
> 99.74% seems reasonable for BAYES_99 to me.

Oops i exchanged the "Score of 3.5" with the Probability of 0.9974 -> 99,74xx%. Many thanks for your correction ;-).

> Daryl

--
Greetings MH
Don't send mail to: [EMAIL PROTECTED]
--
RE: Q about mail proxy servers and setups
> -----Original Message-----
> From: David B Funk [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 24, 2007 12:07 AM
> To: Michael Scheidell
> Cc: users@spamassassin.apache.org; Amavis-Users
> Subject: RE: Q about mail proxy servers and setups
>
> On Sun, 23 Sep 2007, Michael Scheidell wrote:
> > For the purposes of this discussion, the biggest reason I can't be on
> > the edge where I'd like to be is that there is a massive proxy/load
> > balancer/failover device that does more than email.
> >
> > Many firewalls 'proxy' the email also, so its not like you can take it
> > out.
>
> Is there any chance you can talk them into running a -transparent- SMTP
> proxy rather than a SMTP relay? It acts more like an ISO layer 2 bridge
> (but specific to SMTP traffic) so not to disturb the contents.

As you might suspect, one of the IT people at this company who has been there 20 years wrote the thing.

I tried. That was my first suggestion. That would fix graylisting (which I don't do), fix SPF and SPF HELO, and SENDER ID, blacklisting, tarpitting, etc. MIGHT fix p0f, but don't know.

I am going to write up a whitepaper on why NOT to put an anti-spam/MTA behind a proxy, cite all relevant, good suggestions and send it to them.
Re: Every e-mail is now getting a new score, creating a lot of false positives.
Matthias Haegele wrote:
> cpayne wrote:
> > 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 0.9974]
>
> btw: 0.99 for Bayes_99 seems really low for me, but that depends on your policy ...

99.74% seems reasonable for BAYES_99 to me.

Daryl
Re: Every e-mail is now getting a new score, creating a lot of false positives.
cpayne wrote:
> Matthias Haegele wrote:
> > cpayne wrote:
> > > Guys,
> > > I am not sure when this started but now every e-mail that comes on to my box has this score...
> > >
> > > 2.0 MISSING_SUBJECT Missing Subject: header
> > > -0.0 NO_RECEIVED Informational: message has no Received headers
> > > 0.1 TO_CC_NONE No To: or Cc: header
> > >
> > > I use amavisd, spamassassin, and postfix. What rule set this? Why would every email be getting this.
> >
> > Perhaps you could show a complete message? Maybe config errors (removed headers ...)? Without further details it is hard to guess ... Which versions you use ...
> >
> > > Chuck
>
> Ok, this message is spam, but I think this what you are looking for, if not please let me know. But those lines are showing up in every email.

Perhaps the complete message would help more ... (Your MUA should have a button or opportunity to show "Source Code"; with Thunderbird it's CTRL-U, here)

> [Anatrim spam]
>
> Content analysis details: (6.9 points, 1.5 required)
>
>  pts rule name description
> ---- ---------------------- --------------------------------------------------
>  1.1 HTML_20_30 BODY: Message is 20% to 30% HTML
>  0.2 HTML_SHOUTING3 BODY: HTML has very strong "shouting" markup
>  0.0 HTML_MESSAGE BODY: HTML included in message
>  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 0.9974]

btw: 0.99 for Bayes_99 seems really low for me, but that depends on your policy ...

>  2.0 MISSING_SUBJECT Missing Subject: header
> -0.0 NO_RECEIVED Informational: message has no Received headers
>  0.1 TO_CC_NONE No To: or Cc: header
> [...]

--
Greetings MH
Don't send mail to: [EMAIL PROTECTED]
--
Re: Every e-mail is now getting a new score, creating a lot of false positives.
cpayne wrote:
> Guys,
>
> I am not sure when this started but now every e-mail that comes on to my box has this score...
>
> 2.0 MISSING_SUBJECT Missing Subject: header
> -0.0 NO_RECEIVED Informational: message has no Received headers
> 0.1 TO_CC_NONE No To: or Cc: header
>
> I use amavisd, spamassassin, and postfix. What rule set this? Why would every email be getting this.

Is there an old version of SpamAssassin or an old version of amavisd installed? I can't remember specific version combos that will cause this at 6am, but there are some non-current versions that will cause this.

Daryl
Re: SpamAssassin 3.1.9 not catching any emails
Hi Tom,

> From: Tom Ray <[EMAIL PROTECTED]>
> Date: Fri, 21 Sep 2007 13:05:02 -0400
> To: Dave Addey <[EMAIL PROTECTED]>
> Cc:
> Subject: Re: SpamAssassin 3.1.9 not catching any emails
>
> Dave Addey wrote:
>> Hi all,
>>
>> As part of an "Ensim" (Linux control panel) installation, I'm running
>> the Ensim-provided install of SpamAssassin 3.1.9. Unfortunately, I'm
>> finding that no emails are being caught as spam. Whilst I'm sure that
>> Ensim is doing some non-standard stuff around SpamAssassin, I'm
>> wondering if anyone can help me (as a relative newbie to SpamAssassin)
>> to debug what may be causing the problem.
>>
>> I'm pretty sure that SpamAssassin is set up correctly. However, every
>> single spam message seems to be getting through (assuming it is even
>> being checked). All emails have a header of "X-Spam-Status: No, No" -
>> which I assume means that SpamAssassin is checking the messages, and
>> passing them all regardless of their spam-ness?
>>
>> I really don't know where to start in debugging this. spamd is
>> definitely running. I've run sa-update. I've sent myself an email with
>> the GTUBE string in it, as described in
>> http://wiki.apache.org/spamassassin/TestingInstallation , and it also
>> came through with the same header as above. I have "Enable tests that
>> connect to remote servers" enabled in Ensim's "Spam Filter
>> Configuration" settings, but disabling it doesn't seem to make a
>> difference.
>>
>> Can anyone suggest some things I could investigate to find out where
>> the problem may lie?
>>
>> Many thanks in advance,
>>
>> - maurj.
>
> First thing you need to know about running Ensim, is not to run Ensim. I
> had nothing but problems on the ensim server that I had. I thought it
> was going to be the low cost answer to my problems and it just was a
> high cost problem. Their support was horrid also.

I'm finding the same thing. Also, Ensim Pro has just been sold to a competitor, so I can't imagine it's going to get any better any time soon. Unfortunately, the hassle of moving my hosting elsewhere is also high-cost, time-wise at least :( So, if I can get SpamAssassin working on this existing server alongside Ensim, then at least it gives me some time to consider my hosting options whilst not receiving thousands of spam messages a day.

> Do you have access to logs to see if the mail is actually being scanned?
> It doesn't sound like it at all. Is this your box or someone else's?

I do. It's my own dedicated box, and I've got root access to look around. I'm not a server admin genius (hence the Ensim control panel), but I can find my way around a Linux command line reasonably well with a bit of prompting. I guess the question is, what should I be looking for (or looking for the absence of), and where? Does the presence of the "X-Spam-Status" header indicate that SA is being called, or does it suggest that MailScanner is trying to call it but failing every time? I'm a bit stumped as to where to look to start debugging this, so any help is much appreciated :)

All the best,
Dave.
Re: Every e-mail is now getting a new score, creating a lot of false positives.
Matthias Haegele wrote:
> cpayne wrote:
> > Guys,
> > I am not sure when this started but now every e-mail that comes on to my box has this score...
> >
> > 2.0 MISSING_SUBJECT Missing Subject: header
> > -0.0 NO_RECEIVED Informational: message has no Received headers
> > 0.1 TO_CC_NONE No To: or Cc: header
> >
> > I use amavisd, spamassassin, and postfix. What rule set this? Why would every email be getting this.
>
> Perhaps you could show a complete message? Maybe config errors (removed headers ...)? Without further details it is hard to guess ... Which versions you use ...
>
> > Chuck

Ok, this message is spam, but I think this what you are looking for, if not please let me know. But those lines are showing up in every email.

Spam detection software, running on the system "magi.magidesign.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see postmaster for details.

Content preview: Do not waste your opportunity! - Anatrim - The latest and most delighting product for over-weight people is made available now - As you could see on Oprah Can you hold in your memory all the situations when you appeal to yourself to do anything to get rid of this frightful pounds of fat? Fortunately, now no major offering is required. Thanks to Anatrim, the ground-breaking, you can achieve healthier lifestyle and become really slimmer. [...]

Content analysis details: (6.9 points, 1.5 required)

 pts rule name description
---- ---------------------- --------------------------------------------------
 1.1 HTML_20_30 BODY: Message is 20% to 30% HTML
 0.2 HTML_SHOUTING3 BODY: HTML has very strong "shouting" markup
 0.0 HTML_MESSAGE BODY: HTML included in message
 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 0.9974]
 2.0 MISSING_SUBJECT Missing Subject: header
-0.0 NO_RECEIVED Informational: message has no Received headers
 0.1 TO_CC_NONE No To: or Cc: header

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.
Re: Every e-mail is now getting a new score, creating a lot of false positives.
cpayne wrote:
> Guys,
>
> I am not sure when this started but now every e-mail that comes on to my box has this score...
>
> 2.0 MISSING_SUBJECT Missing Subject: header
> -0.0 NO_RECEIVED Informational: message has no Received headers
> 0.1 TO_CC_NONE No To: or Cc: header
>
> I use amavisd, spamassassin, and postfix. What rule set this? Why would every email be getting this.

Perhaps you could show a complete message? Maybe config errors (removed headers ...)? Without further details it is hard to guess ... Which versions you use ...

> Chuck

--
Greetings MH
Don't send mail to: [EMAIL PROTECTED]
--
Re: Q about mail proxy servers and setups
> Michael Scheidell wrote:
> > Sometimes a large company will have a proxy server set up in the DMZ and
> > then send it to their internal mail server. I understand that ideally,
> > the proxy server would be replaced with a SpamAssassin/MTA setup.
> >
> > However, sometimes, client, security and company policy needs outweigh
> > logic. I can think of several things this might break, depending on if
> > you count that proxy server as an internal/trusted server.
> >
> > #1, SPF. SPF helo, SENDERID
> > The proxy will be adding a received header, and announcing 'HELO/EHLO'
> > using its own name, not the senders.
> > (please no bitching about SPF)
> > #2, many blacklists that depend on the last received header (the proxy
> > will normally put one in)

On 23.09.07 22:24, mouss wrote:
> These are easily solved by correctly configuring trusted_networks.

and internal_networks - the proxy has to be in both of them. In such case SA will behave correctly, unless the proxy does any bad in modifying headers etc (and for SA-3.2.x, the proxy has to do reverse DNS check and put it into Received: headers)

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe.
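What trusted_networks actually buys you, as an added example that serves both the "what does trust mean" exchange in the SPF_FAIL thread above and Matus's point here that the DMZ proxy must be listed. This is not code from SpamAssassin or from the thread: it is a simplified Python model of the relay walk (Received: headers read newest to oldest, relays inside trusted_networks skipped, the first relay outside that set is the "last external" one whose IP and HELO name the DNSBL, SPF and SPF-HELO checks are evaluated against). The model covers trusted_networks only; internal_networks, which Matus also requires the proxy to be in, is not modelled. The header chain, hostnames and addresses are constructed (RFC 5737 documentation ranges), as is the Received: layout regex.

```python
"""Added example, not code from SpamAssassin or the thread: where the
"last external relay" lands with and without the DMZ proxy listed in
trusted_networks."""
import ipaddress
import re

# "from <helo> (<rdns> [<ip>]) by <host>" as the common MTAs write it
# (assumed layout).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\[\]]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

# Constructed chain, newest first: DMZ proxy -> internal MTA running the
# filter.  The real sender is the last (oldest) hop.
CHAIN_VIA_PROXY = [
    "from proxy.dmz.example.org (proxy.dmz.example.org [192.0.2.5]) "
    "by mta.internal.example.org with esmtp; Mon, 24 Sep 2007 12:00:01 +0200",
    "from mail.sender.example.net (mail.sender.example.net [198.51.100.20]) "
    "by proxy.dmz.example.org with esmtp; Mon, 24 Sep 2007 12:00:00 +0200",
]

# 10.0.0.0/8 stands in for the internal network; the proxy is 192.0.2.5.
CORRECT_TRUSTED = ["10.0.0.0/8", "192.0.2.5/32"]   # proxy listed
BROKEN_TRUSTED = ["10.0.0.0/8"]                    # proxy forgotten


def parse_chain(headers):
    """Turn Received: lines into relay records, newest first."""
    relays = []
    for h in headers:
        m = RECEIVED_RE.search(h)
        if m:
            d = m.groupdict()
            d["ip"] = ipaddress.ip_address(d["ip"])
            relays.append(d)
    return relays


def _in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def classify(headers, trusted_networks):
    """Return the IP and HELO name the network checks would use, or None
    when every relay is trusted (the ALL_TRUSTED situation)."""
    for relay in parse_chain(headers):
        if _in_any(relay["ip"], trusted_networks):
            continue   # our own box or a trusted upstream: keep walking
        return {"last_external_ip": str(relay["ip"]), "helo": relay["helo"]}
    return None


def all_trusted(headers, trusted_networks):
    return classify(headers, trusted_networks) is None


if __name__ == "__main__":
    print("proxy listed:   ", classify(CHAIN_VIA_PROXY, CORRECT_TRUSTED))
    print("proxy forgotten:", classify(CHAIN_VIA_PROXY, BROKEN_TRUSTED))
```

With the proxy forgotten, every DNSBL lookup is made against the proxy's own address and SPF-HELO sees the proxy's name, which is exactly the breakage Michael lists as #1 and #2; with it listed, the walk continues one hop and lands on the real sender. The reverse is the more dangerous misconfiguration: trusting too wide a range (say the sender's network) makes the chain fully trusted and the checks never run at all.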
Every e-mail is now getting a new score, creating a lot of false positives.
Guys,

I am not sure when this started but now every e-mail that comes on to my box has this score...

2.0 MISSING_SUBJECT Missing Subject: header
-0.0 NO_RECEIVED Informational: message has no Received headers
0.1 TO_CC_NONE No To: or Cc: header

I use amavisd, spamassassin, and postfix. What rule set this? Why would every email be getting this.

Chuck