Re: URIWhois plugin

2007-09-25 Thread Jeff Chan
Quoting Giampaolo Tomassoni <[EMAIL PROTECTED]>:

> Dears,
>
> well, I just did version 0.01 of the URIWhois plugin.
>
> Its purpose is mainly to detect some spam containing URIs to sites in
> brand-new domains, or having some conflict in whois and dns records, or
> being driven by specific dns servers.
>
> So, it is meant to do something I believe someone else is already doing in
> their SA, but this plugin is completely asynchronous in order to minimize
> any performance impact.
>
> Also, it caches whois results. But the best thing is that, if you run more
> SA copies on the same computer (for example, if you use amavis), when one is
> asked to issue a whois query for a domain which another copy is already
> querying, the first SA copy waits for the results obtained by the latter!
>
> Finally, it is easily configurable to adapt to your own mileage: you may
> even avoid whois queries by not using some of the rules. More details by
> perldoc.
>
> Please note this is not stable stuff. It is... well, what's before alpha?
>
> The URIWhois plugin needs SA v.3.002003 (or above?) and would surely
> appreciate a quite recent copy of BerkeleyDB (I'm using 0.31 with v.4.5 of
> the berkeleydb libraries).
>
> You can download it from here:
> http://www.tomassoni.biz/download/URIWhois-0.01.tar.bz2 (come on, it is 17
> KB...).
>
> Untar it on the /etc/spamassassin directory and you are (almost) done.
> Review settings from the /etc/spamassassin/URIWhois.cf file.
>
> I would like to have this code reviewed by you, since I'm not that much used
> to the async thingeries in SA.
>
> Enjoy!
>
> Giampaolo



In principle, this is a good concept; using domain whois data to spot bad
domains can be useful.

In practice, it's a really, really, really bad idea since the public whois
infrastructure is not designed for this kind of high volume use.  If many
people did it, it would result in an effective DDOS against whois service, even
with caching and delays.  Please don't do it.

It's much better to let URI blacklist operators such as SURBL handle these
domains in a centralized way and publish the domain data via our four dozen DNS
servers, etc.

Jeff C.



URIWhois plugin

2007-09-25 Thread Giampaolo Tomassoni
Dears,

well, I just did version 0.01 of the URIWhois plugin.

Its purpose is mainly to detect some spam containing URIs to sites in
brand-new domains, or having some conflict in whois and dns records, or
being driven by specific dns servers.

So, it is meant to do something I believe someone else is already doing in
their SA, but this plugin is completely asynchronous in order to minimize
any performance impact.

Also, it caches whois results. But the best thing is that, if you run more
SA copies on the same computer (for example, if you use amavis), when one is
asked to issue a whois query for a domain which another copy is already
querying, the first SA copy waits for the results obtained by the latter!

Finally, it is easily configurable to adapt to your own mileage: you may
even avoid whois queries by not using some of the rules. More details by
perldoc.

Please note this is not stable stuff. It is... well, what's before alpha?

The URIWhois plugin needs SA v.3.002003 (or above?) and would surely
appreciate a quite recent copy of BerkeleyDB (I'm using 0.31 with v.4.5 of
the berkeleydb libraries).

You can download it from here:
http://www.tomassoni.biz/download/URIWhois-0.01.tar.bz2 (come on, it is 17
KB...).

Untar it on the /etc/spamassassin directory and you are (almost) done.
Review settings from the /etc/spamassassin/URIWhois.cf file.

I would like to have this code reviewed by you, since I'm not that much used
to the async thingeries in SA.

Enjoy!

Giampaolo


Re: looking into spamassassin mail proxy solution

2007-09-25 Thread Matt Kettler
tuxbeagle wrote:
> I am trying to find a mail proxy/spamassassin solution for 2 situations.  
> Situation 1 is 
>   Mail Server --> Mail Proxy --> Internet
>
> Situation 2 is 
>   Mail Client --> Mail Proxy --> Mail Server 
>
> Mail Proxy is on a separate server.
>
> I think MailScanner will work but after reading through part of the
> documentation still am not sure.
MailScanner isn't a proxy.

However, you could still use it for Situation 1 depending on exactly
what "Mail Server" is, and what kind of stuff you are willing to set up.

>   Pop3Proxy might work but there doesn't
> appear to have been much work on it, in some time.
>   
That might work for situation 2, but not situation 1.

Quite frankly, doing anything of this sort using proxies is asking for
trouble.

The normal way of integrating SA is to run it directly on your
mailserver, or insert another upstream mailserver to run SA on, and
forward all mail through that machine.

i.e.:

1) MailServer with SA --> internet
2) Mail Client ---> Mail Server with SA

or

1) Mail Server (existing) --> New Mail Server with SA --> internet
2) Mail Client --> Mail Server (existing) --> New Mail Server with SA




looking into spamassassin mail proxy solution

2007-09-25 Thread tuxbeagle

I am trying to find a mail proxy/spamassassin solution for 2 situations.  
Situation 1 is 
  Mail Server --> Mail Proxy --> Internet

Situation 2 is 
  Mail Client --> Mail Proxy --> Mail Server 

Mail Proxy is on a separate server.

I think MailScanner will work but after reading through part of the
documentation still am not sure.  Pop3Proxy might work but there doesn't
appear to have been much work on it, in some time.

I could have sworn that I saw a document on how to do this in the not too
distant past, but now I can't seem to locate it.

-- 
View this message in context: 
http://www.nabble.com/looking-into-spamassassin-mail-proxy-solution-tf4519055.html#a12890917
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: 'spamc/spamassassin' crashing with overlong blank line spams?

2007-09-25 Thread Karsten Bräckelmann
On Wed, 2007-09-19 at 18:49 +0200, Karsten Bräckelmann wrote:
> On Wed, 2007-09-19 at 00:54 -0400, Matt Kettler wrote:
> > Chr. v. Stuckrad wrote:
> 
> > > Seemingly our spamc (3.1.9, not yet 3.2.*) can not
> > > transfer a special kind of current spam to a remote
> > > spamd.  Those Mails always produce '0/0' instead
> > > of usable reports.
> > >
> > > You can see something like the Mail I analyzed
> > > at http://page.mi.fu-berlin.de/stucki/mail.txt
> > > (I had changed the offending line for the browser too,
> > > so at the end you see a descriptive line only)
> 
> Seen a few of these, too.

Nailed the issue in a particular custom plugin. Patch sent to the
author.

I prefer to not publicly disclose the details at this point of space
time, to first get a chance of at least rolling an updated plugin. Also,
this doesn't seem to affect all Perl / Architecture combinations, but is
quite limited to some particular environment.

This is not a bug in the SpamAssassin code itself.

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Converting to MySQL

2007-09-25 Thread Raquel
On Mon, 24 Sep 2007 12:44:47 -0700
Raquel <[EMAIL PROTECTED]> wrote:

> On a new server I'm running Debian Etch, Sendmail and
> SpamAssassin, hosting email for a few accounts.  I'm contemplating
> converting my SpamAssassin to using MySQL.  Is there a "HOWTO"
> somewhere which would be good to follow?
> 
> -- 
> Raquel
> 

Thank you to Ed Kasky and to Luis Hernán Otegui for your responses
to my question.  I have it all converted over to using MySQL now and
it seems to be working quite well in a site-wide configuration.

-- 
Raquel

Teach me to feel another's woe, To hide the fault I see, That mercy
I to others show, That mercy show to me.
  --Alexander Pope (The Universal Prayer)



Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, feral wrote:

> Hmmm... deepest thread here w/ John Hardin somehow got
> broken... nabble hiccup?

My pruning stuff.
 
> Where is this configuration file?

Probably under /etc/mail/spamassassin

> John Hardin wrote:
> 
> > Look for the command line that starts SA. If "-L" or "--local"  
> > appears, network tests have been disabled. 
> > 
> > You may be able to check this using "ps -fax" to see what the
> > currently-running SA instance has for its command line.
> 
> /usr/bin/spamd --username=popuser --daemonize --nouser-config
> --helper-home-dir=/var/qmail --max-children 1 --create-prefs
> --virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin
> --pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock

Odd, it looks like network tests *should* be running...

Also: your bayes database files will probably be under popuser's home 
directory. See anything there?
 
> Evan Platt wrote:
> 
> > Edit your spamd start-up script, or start-up options file (depending on
> > which OS you're running, these may be different). There should be a -L or
> > --local switch in that file. Remove it to enable network tests. "
> 
> What are the file names?

CentOS is RHEL-based, right? Likely /etc/rc.d/init.d/spamassassin

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
   -- Mahmoud Ahmadeinejad clumsily dodges a question
(60 minutes interview, 9/20/2007)
---
 243 days until the Mars Phoenix lander arrives at Mars




Re: sender name same as recipient name

2007-09-25 Thread John Calvert


I am stopping using Nabble and just emailing my
posting and responses.

Evan Platt wrote:

I'm pretty close to killfiling Nabble posters.

Nabble is to spamassassin as Google Groups is to usenet.

Seriously.


At 12:15 PM 9/25/2007, feral wrote:

Hmmm... deepest thread here w/ John Hardin somehow got
broken... nabble hiccup?

So I am posting response here:


deprecated rules

2007-09-25 Thread Joe Zitnik
I thought I read in an earlier post that some of the SARE rules,
specifically the rules targeting the nigerian 419 spam, had not been
updated in some time because they had been rolled in to version 3.2.x. 
Is that correct, and if so, are there any other SARE rules that should
be gotten rid of after a move from 3.1.x (in my case 3.1.5) to 3.2.1
because of redundancy?  Is this documented anywhere?  If not, shouldn't
it be?  I know the SARE site used to list after the rules that if you
were at SA x.x.x, then this rule is no longer necessary, but that only
seems to happens when the rules are being actively updated.  As always,
TIA.


Re: sender name same as recipient name

2007-09-25 Thread Evan Platt

I'm pretty close to killfiling Nabble posters.

Nabble is to spamassassin as Google Groups is to usenet.

Seriously.


At 12:15 PM 9/25/2007, feral wrote:

Hmmm... deepest thread here w/ John Hardin somehow got
broken... nabble hiccup?

So I am posting response here:




Re: sender name same as recipient name

2007-09-25 Thread Daniel J McDonald
On Tue, 2007-09-25 at 12:15 -0700, feral wrote:
> 
> Hmmm... deepest thread here w/ John Hardin somehow got
> broken... nabble hiccup?
> 
> So I am posting response here:
> 
> Daniel McDonald wrote:
> 
> 
> > basically, ensure it can resolve DNS.  You can force it with 
> > 
> > dns_available yes
[...]
> Where is this configuration file?

On my box, /etc/mail/spamassassin/local.cf

but if /etc/resolv.conf doesn't have any dns servers, it won't work anyway...



Re: sender name same as recipient name

2007-09-25 Thread feral


Hmmm... deepest thread here w/ John Hardin somehow got
broken... nabble hiccup?

So I am posting response here:

Daniel McDonald wrote:


> basically, ensure it can resolve DNS.  You can force it with 
> 
> dns_available yes
> use_bayes_rules
> If you want to turn bayes off:
> 
> use_bayes 0
> or maybe:
> use_bayes_rules 0 (if you want it to attempt to continue to update the
> bayes database)
> 

Where is this configuration file?

John Hardin wrote:


>  
>> > How do I enable network tests?
> 
> They should be enabled by default, you explicitly DISable them.
> 
> Look for the command line that starts SA. If "-L" or "--local"  
> appears, network tests have been disabled. 
> 
> You may be able to check this using "ps -fax" to see what the
> currently-running SA instance has for its command line.
> 

/usr/bin/spamd --username=popuser --daemonize --nouser-config
--helper-home-dir=/var/qmail --max-children 1 --create-prefs
--virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin
--pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock

Evan Platt wrote:


> Edit your spamd start-up script, or start-up options file (depending on
> which OS you're running, these may be different). There should be a -L or
> --local switch in that file. Remove it to enable network tests. "
> 

What are the file names?

thanks

-- 
View this message in context: 
http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12885692
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, feral wrote:

> How do I enable network tests?

...and make sure your DNS on that box is configured and working, and 
you will probably want to install a local caching DNS server as well.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
   -- Mahmoud Ahmadeinejad clumsily dodges a question
(60 minutes interview, 9/20/2007)
---
 243 days until the Mars Phoenix lander arrives at Mars



Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, feral wrote:

> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
> autolearn=no version=3.1.9
> 
> So BAYES_00 brought the score down to negative .6 ?

Probably.

> Methinks the BAYES is not even functional (database absent).

It wouldn't give you BAYES_00 (high confidence ham) if that were the 
case. You'd either see BAYES_50 or no BAYES_* hits at all.
 
> How do I enable network tests?

They should be enabled by default, you explicitly DISable them.

Look for the command line that starts SA. If "-L" or "--local"  
appears, network tests have been disabled. 

You may be able to check this using "ps -fax" to see what the
currently-running SA instance has for its command line.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
   -- Mahmoud Ahmadeinejad clumsily dodges a question
(60 minutes interview, 9/20/2007)
---
 243 days until the Mars Phoenix lander arrives at Mars
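As an added illustration of the two checks John Hardin describes in this thread (look at the running spamd command line for `-L`/`--local`, and read the BAYES_* and rule hits out of X-Spam-Status), here is a small Python diagnostic. It is example code written for this page, not code from SpamAssassin or from any poster. The command line and header it parses are the ones feral posted; the list of rule-name prefixes treated as "network only" (RCVD_IN_, URIBL_, RAZOR2_, DCC_, PYZOR_) is an illustrative assumption and is not exhaustive.

```python
import re
import shlex

# Rule-name prefixes that only fire when network tests run (DNSBL, URIBL,
# Razor, DCC, Pyzor). Assumption: an illustrative, non-exhaustive list chosen
# for this example; it is not taken from the thread.
NETWORK_RULE_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "DCC_", "PYZOR_")

# The spamd command line feral posted in this thread.
SPAMD_CMDLINE = (
    "/usr/bin/spamd --username=popuser --daemonize --nouser-config "
    "--helper-home-dir=/var/qmail --max-children 1 --create-prefs "
    "--virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin "
    "--pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock"
)

# The X-Spam-Status header feral posted in this thread.
FERAL_HEADER = ("X-Spam-Status: No, score=-0.6 required=4.0 "
                "tests=BAYES_00,HOT_NASTY,PORN_16 autolearn=no version=3.1.9")

STATUS_RE = re.compile(
    r"score=(?P<score>-?[\d.]+)\s+required=(?P<required>-?[\d.]+)"
    r"\s+tests=(?P<tests>[A-Za-z0-9_,]*)")


def network_tests_disabled(cmdline):
    """True when the spamd command line carries -L or --local, the switch
    that turns network tests off (the check described in the thread)."""
    return any(arg in ("-L", "--local") for arg in shlex.split(cmdline))


def parse_spam_status(header):
    """Pull score, threshold and the list of rules that hit out of an
    X-Spam-Status header value."""
    m = STATUS_RE.search(header)
    if m is None:
        raise ValueError("not an X-Spam-Status header: %r" % header)
    tests = [t for t in m.group("tests").split(",") if t]
    return {"score": float(m.group("score")),
            "required": float(m.group("required")),
            "tests": tests}


def diagnose(header):
    """Return the symptoms this thread discusses, in a fixed order:
    BAYES_00 pulling a message with other hits back under the threshold,
    no BAYES_* hit at all (Bayes not running), and no rule that could only
    have come from a network test."""
    status = parse_spam_status(header)
    tests = status["tests"]
    findings = []
    others = [t for t in tests if not t.startswith("BAYES_")]
    if "BAYES_00" in tests and others and status["score"] < status["required"]:
        findings.append("bayes_00_offsets_content_rules")
    if not any(t.startswith("BAYES_") for t in tests):
        findings.append("no_bayes_hit")
    if not any(t.startswith(NETWORK_RULE_PREFIXES) for t in tests):
        # Only suggestive for a single message; confirm with the command line.
        findings.append("no_network_rule_hits")
    return findings


if __name__ == "__main__":
    print("network tests disabled:", network_tests_disabled(SPAMD_CMDLINE))
    print("status:", parse_spam_status(FERAL_HEADER))
    print("findings:", diagnose(FERAL_HEADER))
```

Run against the posted command line it reports that `-L`/`--local` is absent, and against the posted header it reports both symptoms Hardin names: BAYES_00 offsetting HOT_NASTY and PORN_16, and no hit from any network-only rule. A single clean message with no network hits proves nothing by itself, which is why the command-line check comes first.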



Re: sender name same as recipient name

2007-09-25 Thread Daniel J McDonald
On Tue, 2007-09-25 at 11:38 -0700, feral wrote:
> 
> 
> John D. Hardin wrote:
> > 
> > On Tue, 25 Sep 2007, feral wrote:
> > 
> >> Whatever the case, global bayes or not, or even bayes or not, how
> >> could an email with the obvious porn words in the subject (as in
> >> my examples) NOT get flagged?
> > 
> > If bayes was mistrained to consider such words hammy, then BAYES_00
> > could drag the score back down below the threshold, cancelling out the
> > points added by HOT_NASTY and PORN_16.
> > 
> 
> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
> autolearn=no version=3.1.9
> 
> So BAYES_00 brought the score down to negative .6 ?  Methinks the BAYES is
> not
> even functional (database absent).
> 
> How do I enable network tests?

basically, ensure it can resolve DNS.  You can force it with 

dns_available yes
use_bayes_rules
If you want to turn bayes off:

use_bayes 0
or maybe:
use_bayes_rules 0 (if you want it to attempt to continue to update the
bayes database)



> 
> thanks 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: sender name same as recipient name

2007-09-25 Thread Evan Platt

At 11:45 AM 9/25/2007, feral wrote:


X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
autolearn=no version=3.1.9

So BAYES_00 brought the score down to negative .6 ?  Methinks the BAYES is
not
even functional (database absent).

How do I enable network tests?


http://wiki.apache.org/spamassassin/UsingNetworkTests

"How to turn on network tests:

Edit your spamd start-up script, or start-up options file (depending 
on which OS you're running, these may be different). There should be 
a -L or --local switch in that file. Remove it to enable network tests. " 



Re: sender name same as recipient name

2007-09-25 Thread feral



John D. Hardin wrote:
> 
> On Tue, 25 Sep 2007, feral wrote:
> 
>> Whatever the case, global bayes or not, or even bayes or not, how
>> could an email with the obvious porn words in the subject (as in
>> my examples) NOT get flagged?
> 
> If bayes was mistrained to consider such words hammy, then BAYES_00
> could drag the score back down below the threshold, cancelling out the
> points added by HOT_NASTY and PORN_16.
> 
> One response would be to make the HOT_NASTY and PORN_16 rules "poison
> pills" by raising their scores well above the threshold (i.e. to 20 or
> 30 or even 100) - but you would have to *really trust* those rules to
> do that.
> 
> And I note that those rules didn't even hit on your first two 
> examples.
> 
> Both of the domains in those spams are listed in SURBL (but may not 
> have been at the time you received them). URIBL network tests probably 
> would have hit.
> 
> So it looks to me like two major problems are present:
> 
> 1) mistrained bayes
> 
> 2) no network tests occurring (DNS RBLs, URI BLs, razor, etc.)
> 
> And possibly:
> 
> 3) not enough rules - add some from SARE? 
> http://www.rulesemporium.com
> 
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> 

X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
autolearn=no version=3.1.9

So BAYES_00 brought the score down to negative .6 ?  Methinks the BAYES is
not
even functional (database absent).

How do I enable network tests?

thanks 
-- 
View this message in context: 
http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12885647
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.




Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, feral wrote:

> Whatever the case, global bayes or not, or even bayes or not, how
> could an email with the obvious porn words in the subject (as in
> my examples) NOT get flagged?

If bayes was mistrained to consider such words hammy, then BAYES_00
could drag the score back down below the threshold, cancelling out the
points added by HOT_NASTY and PORN_16.

One response would be to make the HOT_NASTY and PORN_16 rules "poison
pills" by raising their scores well above the threshold (i.e. to 20 or
30 or even 100) - but you would have to *really trust* those rules to
do that.

And I note that those rules didn't even hit on your first two 
examples.

Both of the domains in those spams are listed in SURBL (but may not 
have been at the time you received them). URIBL network tests probably 
would have hit.

So it looks to me like two major problems are present:

1) mistrained bayes

2) no network tests occurring (DNS RBLs, URI BLs, razor, etc.)

And possibly:

3) not enough rules - add some from SARE? 
http://www.rulesemporium.com

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
   -- Mahmoud Ahmadeinejad clumsily dodges a question
(60 minutes interview, 9/20/2007)
---
 243 days until the Mars Phoenix lander arrives at Mars






Re: sender name same as recipient name

2007-09-25 Thread feral



John D. Hardin wrote:
> 
> On Mon, 24 Sep 2007, feral wrote:
> 
>> RE: training.  I don't know.  My experience w/ SA is that
>> it just works and I haven't dealt with it at this level yet.
>> What is strange is that SA appeared to be working fine
>> for my client, then all of the sudden this spike in spam
>> occurred... and as I said, 99% of the spams have the
>> sender name same as recipient name (see original post).
>> 
>> Below is the result of sa-learn -D --dump magic.  I see
>> that "bayes: no dbs present" ... that looks bad.  Maybe
>> this SA was not installed properly.  Thanks for your help.
> 
>> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
>> /root/.spamassassin/bayes_toks
>> [24475] dbg: config: score set 1 chosen.
>> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
>> /root/.spamassassin/bayes_toks
> 
> This doesn't look like global bayes, and I don't use per-user so my 
> advice may be a little inaccurate...
> 
> Is there a .spamassassin subdirectory in that user's home directory? 
> Does it have bayes_* files?
> 
> If so, log in as that user (e.g. "su - mark") and run "sa_learn --dump
> magic" and see what the ham/spam token balance looks like.
> 
> You should try to find out how bayes is being trained. I still think 
> your problem stems (at least partly) from badly mistrained bayes.
> 
> As others have suggested, make sure you are *not* using
> "whitelist_from". That particular option is a last-resort fallback
> option because it's so easy to bypass through forgery. However, as the
> header samples you posted did not say a whitelist rule was hitting,
> and the scores were not large and negative, that's probably not a
> cause of this particular problem.
> 
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> 

There is a .spamassassin subdirectory, but it doesn't have anything in it.
I suspect that SA was not installed properly on this server.  I am using
a VPS with Plesk and per-user preferences is selected, so I should be 
able to configure SA on a per-user basis.  I'm going to bug my server
provider for help on this... it's their responsibility to properly install
SA.

Whatever the case, global bayes or not, or even bayes or not, how could
an email with the obvious porn words in the subject (as in my examples)
NOT get flagged?

thanks
JC
-- 
View this message in context: 
http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12884935
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: OT: How to report a known spammer company?

2007-09-25 Thread Luis Hernán Otegui
2007/9/25, John D. Hardin <[EMAIL PROTECTED]>:
> On Tue, 25 Sep 2007, Luis Hernán Otegui wrote:
>
> > I want to know how to report them to a RBL server (currently I report
> > them via SpamCop, Razor and DCC, besides I'm blacklisting them at
> > local.cf), but I think it would be good for the rest of us here in
> > Argentina to blacklist these guys.
>
> Do they have URLs in the message bodies?
>
>   http://www.rulesemporium.com/cgi-bin/uribl.cgi
>

No, they mostly have telephone contact numbers.

I'll look better to find and report the unsubscribe mailto: addresses
they sport.


Thanks


Luis


> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   Pelley: Will you pledge not to test a nuclear weapon?
>   Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
>-- Mahmoud Ahmadeinejad clumsily dodges a question
> (60 minutes interview, 9/20/2007)
> ---
>  243 days until the Mars Phoenix lander arrives at Mars
>
>


-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


SA config questions.

2007-09-25 Thread Gomes, Rich
Hello, I am new to SA and to this list so handle with care : )

I am building a new Sendmail server to replace our internal gateway. In 
addition to providing internal application delivery, I want this box to be the 
second hop in from the internet. As such, I want to have an additional layer of 
both AV and anti-spam running on the box. ClamAV is working like a champ but I 
have found SA to be more of a challenge. I have SA running as a milter (Spam 
Assassin 3.1.7-4 along with Spamass-milter 0.3.1-1 on RHEL5) but I am 
struggling with a few configurations. I am hoping you all can help!

1 - First, I want a simple way to run SA as a non-root user (on a RH box). I 
receive a ton of these errors in my maillog (currently set to level 12):

Sep 25 12:42:18 newserver spamd[707]: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 46005 
Sep 25 12:42:18 newserver spamd[707]: spamd: setuid to root succeeded 
Sep 25 12:42:18 newserver spamd[707]: spamd: still running as root: user not 
specified with -u, not found, or set to root, falling back to nobody at 
/usr/bin/spamd line 1147,  line 4. 
Sep 25 12:42:18 newserver spamd[707]: spamd: processing message <[EMAIL 
PROTECTED]> for root:99 
Sep 25 12:42:21 newserver spamd[707]: mkdir /root/.spamassassin: Permission 
denied at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1530 
Sep 25 12:42:21 newserver spamd[707]: locker: safe_lock: cannot create tmp 
lockfile 
/root/.spamassassin/auto-whitelist.lock.newserver.wearguard-crest.com.707 for 
/root/.spamassassin/auto-whitelist.lock: Permission denied 
Sep 25 12:42:21 newserver spamd[707]: auto-whitelist: open of auto-whitelist 
file failed: locker: safe_lock: cannot create tmp lockfile 
/root/.spamassassin/auto-whitelist.lock.newserver.example.com.707 for 
/root/.spamassassin/auto-whitelist.lock: Permission denied 
Sep 25 12:42:21 newserver spamd[707]: spamd: clean message (0.6/5.0) for 
root:99 in 3.3 seconds, 2213 bytes. 
Sep 25 12:42:21 newserver spamd[707]: spamd: result: . 0 - NO_REAL_NAME 
scantime=3.3,size=2213,user=root,uid=99,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=46005,mid=<[EMAIL
 PROTECTED]>,autolearn=no 



2 - How do I get SA to use a "global" ruleset since this will just be a gateway 
and will have no local users on it? 



Thanks in advance!

Rich
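As an added example (not from this post, and not SpamAssassin's own tooling), here is a Python triage over spamd log lines of the shape quoted above. It parses the syslog prefix, counts the privilege symptoms the excerpt shows (spamd still running as root after the `-u` fallback to nobody, "Permission denied" under /root, messages scanned in root's user context) and collects the paths spamd could not write. The sample lines are constructed from the excerpt; the hostname "newserver" and pid 707 are placeholders taken from it, not live data.

```python
import re
from collections import Counter

# Constructed sample modelled on the maillog excerpt above; "newserver" and
# pid 707 are placeholders copied from that excerpt, not live data.
SAMPLE_LOG = """\
Sep 25 12:42:18 newserver spamd[707]: spamd: setuid to root succeeded
Sep 25 12:42:18 newserver spamd[707]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody at /usr/bin/spamd line 1147,  line 4.
Sep 25 12:42:21 newserver spamd[707]: mkdir /root/.spamassassin: Permission denied at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1530
Sep 25 12:42:21 newserver spamd[707]: locker: safe_lock: cannot create tmp lockfile /root/.spamassassin/auto-whitelist.lock.newserver.example.com.707 for /root/.spamassassin/auto-whitelist.lock: Permission denied
Sep 25 12:42:21 newserver spamd[707]: spamd: clean message (0.6/5.0) for root:99 in 3.3 seconds, 2213 bytes.
"""

# Syslog prefix: timestamp, host, then the spamd tag with its pid.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"spamd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Symptom name -> pattern over the message part of a spamd log line.
CHECKS = (
    ("running_as_root", re.compile(r"still running as root")),
    ("permission_denied", re.compile(r"Permission denied")),
    ("scanned_for_root", re.compile(r"\bfor root:\d+\b")),
)
DENIED_PATH_RE = re.compile(r"(/\S+?): Permission denied")


def parse_line(line):
    """Split one syslog line into its fields, or None if it is not spamd's."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Count how often each privilege symptom appears in spamd log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a spamd line
        for name, pat in CHECKS:
            if pat.search(rec["msg"]):
                counts[name] += 1
    return dict(counts)


def denied_paths(log_text):
    """Paths spamd could not create or lock; after the fallback to nobody
    these sit under a home directory the fallback user cannot write."""
    paths = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = DENIED_PATH_RE.search(rec["msg"])
        if m:
            paths.add(m.group(1))
    return paths


def privilege_drop_failed(log_text):
    """True when spamd reports it never dropped to the intended user."""
    return triage(log_text).get("running_as_root", 0) > 0


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(sorted(denied_paths(SAMPLE_LOG)))
    print("privilege drop failed:", privilege_drop_failed(SAMPLE_LOG))
```

The point of separating `running_as_root` from `permission_denied` is that the second is a consequence of the first: once spamd falls back to nobody while still looking for its per-user state under /root, every mkdir and lock attempt there fails, so fixing the user spamd is started as clears both counters together.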


Re: OT: How to report a known spammer company?

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, Luis Hernán Otegui wrote:

> I want to know how to report them to a RBL server (currently I report
> them via SpamCop, Razor and DCC, besides I'm blacklisting them at
> local.cf), but I think it would be good for the rest of us here in
> Argentina to blacklist these guys.

Do they have URLs in the message bodies?

  http://www.rulesemporium.com/cgi-bin/uribl.cgi

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
   -- Mahmoud Ahmadeinejad clumsily dodges a question
(60 minutes interview, 9/20/2007)
---
 243 days until the Mars Phoenix lander arrives at Mars



RE: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Tue, 25 Sep 2007, Leon Kolchinsky wrote:

> As Dave said it seems that your problem in whitelist
> configuration. Please use whitelist_from_rcvd instead of whatever
> you are using.

How so? The samples he posted did not say that whitelist rules were 
hitting.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
   -- Mahmoud Ahmadeinejad clumsily dodges a question
(60 minutes interview, 9/20/2007)
---
 243 days until the Mars Phoenix lander arrives at Mars



Re: sender name same as recipient name

2007-09-25 Thread John D. Hardin
On Mon, 24 Sep 2007, feral wrote:

> RE: training.  I don't know.  My experience w/ SA is that
> it just works and I haven't dealt with it at this level yet.
> What is strange is that SA appeared to be working fine
> for my client, then all of the sudden this spike in spam
> occurred... and as I said, 99% of the spams have the
> sender name same as recipient name (see original post).
> 
> Below is the result of sa-learn -D --dump magic.  I see
> that "bayes: no dbs present" ... that looks bad.  Maybe
> this SA was not installed properly.  Thanks for your help.

> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
> /root/.spamassassin/bayes_toks
> [24475] dbg: config: score set 1 chosen.
> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
> /root/.spamassassin/bayes_toks

This doesn't look like global bayes, and I don't use per-user so my 
advice may be a little inaccurate...

Is there a .spamassassin subdirectory in that user's home directory? 
Does it have bayes_* files?

If so, log in as that user (e.g. "su - mark") and run "sa_learn --dump
magic" and see what the ham/spam token balance looks like.

You should try to find out how bayes is being trained. I still think 
your problem stems (at least partly) from badly mistrained bayes.

As others have suggested, make sure you are *not* using
"whitelist_from". That particular option is a last-resort fallback
option because it's so easy to bypass through forgery. However, as the
header samples you posted did not say a whitelist rule was hitting,
and the scores were not large and negative, that's probably not a
cause of this particular problem.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
   -- Mahmoud Ahmadeinejad clumsily dodges a question
(60 minutes interview, 9/20/2007)
---
 243 days until the Mars Phoenix lander arrives at Mars



network tests

2007-09-25 Thread Miguel
Hello all, is there a detailed explanation of SpamAssassin's 
network tests?
I have only found http://wiki.apache.org/spamassassin/UsingNetworkTests, 
which says something like "URIDNSBL: These perform a high number of DNS 
lookups" but without detail about which tests are performed.

Right now I'm doing several network tests using Postfix, e.g.:
- Sender's domain has an MX
- Sender's MTA has a PTR
- Sender's FQDN has an A record,
etc.

Does SA perform the same tests, or are the network tests related to other 
info?

Thanks


OT: How to report a known spammer company?

2007-09-25 Thread Luis Hernán Otegui
Hi, list. In the past few months, I've seen an increasing rate of
mails coming from many servers hosted here in Argentina, with valid
domains, and Linux architecture (at least, that's what p0f is
reporting), thus they get -1'ed at scoring.
Digging around, I've found that many of these companies offering "email
marketing" come from the same IP block, or are registered domains of
the same advertised "email marketing" company. The range of products
varies from CD-packed DIY courses to several TV-infomercial advertised
products.
They don't even offer an opt-out method; their excuse is that "this is
a one-time contact".
I want to know how to report them to a RBL server (currently I report
them via SpamCop, Razor and DCC, besides I'm blacklisting them at
local.cf), but I think it would be good for the rest of us here in
Argentina to blacklist these guys.

Thanks in advance,


Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Discarding RBL-Mails, forwarding others

2007-09-25 Thread Daniel J McDonald
On Tue, 2007-09-25 at 12:39 +0200, Dietmar Braun wrote:
> Hi,
> 
> I am working with Postfix and I am searching for a solution for the
> following issue:
> 
> - all mails coming from hosts on a RBL should be /dev/nulled

http://www.postfix.org/uce.html#smtpd_client_restrictions

> - all other mails should be forwarded to another email address not on
> the same server
http://www.postfix.org/postconf.5.html#always_bcc

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: SpamAssassin 3.1.9 not catching any emails

2007-09-25 Thread Dave Addey
Anyone able to help me out here?

> I guess the question is, what should I be looking for (or looking for the
> absence of), and where?  Does the presence of the "X-Spam-Status" header
> indicate that SA is being called, or does it suggest that MailScanner is
> trying to call it but failing every time?

Dave.

> From: Dave Addey <[EMAIL PROTECTED]>
> Date: Mon, 24 Sep 2007 11:03:44 +0100
> To: 
> Conversation: SpamAssassin 3.1.9 not catching any emails
> Subject: Re: SpamAssassin 3.1.9 not catching any emails
> 
> Hi Tom,
> 
>> From: Tom Ray <[EMAIL PROTECTED]>
>> Date: Fri, 21 Sep 2007 13:05:02 -0400
>> To: Dave Addey <[EMAIL PROTECTED]>
>> Cc: 
>> Subject: Re: SpamAssassin 3.1.9 not catching any emails
>> 
>> Dave Addey wrote:
>>> Hi all,
>>> 
>>> As part of an "Ensim" (Linux control panel) installation, I'm running
>>> the Ensim-provided install of SpamAssassin 3.1.9. Unfortunately, I'm
>>> finding that no emails are being caught as spam. Whilst I'm sure that
>>> Ensim is doing some non-standard stuff around SpamAssassin, I'm
>>> wondering if anyone can help me (as a relative newbie to SpamAssassin)
>>> to debug what may be causing the problem.
>>> 
>>> I'm pretty sure that SpamAssassin is set up correctly. However, every
>>> single spam message seems to be getting through (assuming it is even
>>> being checked). All emails have a header of "X-Spam-Status: No, No" -
>>> which I assume means that SpamAssassin is checking the messages, and
>>> passing them all regardless of their spam-ness?
>>> 
>>> I really don't know where to start in debugging this. spamd is
>>> definitely running. I've run sa-update. I've sent myself an email with
>>> the GTUBE string in it, as described in
>>> http://wiki.apache.org/spamassassin/TestingInstallation , and it also
>>> came through with the same header as above. I have "Enable tests that
>>> connect to remote servers" enabled in Ensim's "Spam Filter
>>> Configuration" settings, but disabling it doesn't seem to make a
>>> difference.
>>> 
>>> Can anyone suggest some things I could investigate to find out where
>>> the problem may lie?
>>> 
>>> Many thanks in advance,
>>> 
>>> - maurj. 
>> First thing you need to know about running Ensim, is not to run Ensim. I
>> had nothing but problems on the ensim server that I had. I thought it
>> was going to be the low cost answer to my problems and it just was a
>> high cost problem. Their support was horrid also.
> 
> I'm finding the same thing.  Also, Ensim Pro has just been sold to a
> competitor, so I can't imagine it's going to get any better any time soon.
> Unfortunately, the hassle of moving my hosting elsewhere is also high-cost,
> time-wise at least :(  So, if I can get SpamAssassin working on this
> existing server alongside Ensim, then at least it gives me some time to
> consider my hosting options whilst not receiving thousands of spam messages
> a day.
> 
>> Do you have access to logs to see if the mail is actually being scanned?
>> It doesn't sound like it at all. Is this your box or someone else's?
> 
> I do.  It's my own dedicated box, and I've got root access to look around.
> I'm not a server admin genius (hence the Ensim control panel), but I can
> find my way around a Linux command line reasonably well with a bit of
> prompting.
> 
> I guess the question is, what should I be looking for (or looking for the
> absence of), and where?  Does the presence of the "X-Spam-Status" header
> indicate that SA is being called, or does it suggest that MailScanner is
> trying to call it but failing every time?
> 
> I'm a bit stumped as to where to look to start debugging this, so any help
> is much appreciated :)
> 
> All the best,
> 
> Dave.
> 
> 




Re: Problem logging from SA when running Amavisd

2007-09-25 Thread Mark Martinec
Jeff,

> Thanks for the patch Mark.  I'll put it in production tomorrow.

For your purpose, you want to run it with option '-d info', e.g.:
  # amavisd -d info
which will give you the 'info'-level debug at amavisd log level 1
or above (set: $log_level=1);

With the next version I'll make the '-d info' a default, as in spamd.
If you want a pre-release please drop me a line.

> Could you please take a minute to explain the underlying issue to me.
> I don't understand why SA does not log without the patch.
> Is SA intentionally logging to STDERR, or is Amavisd's connection
> to syslog causing SA to lose its connection?

SpamAssassin _library_ provides two methods of logging (stderr and syslog),
and hooks in the stderr logging by default. It is up to a calling program
(e.g. spamd or amavisd) to substitute this default setting with something
else if it chooses so, either by a provided syslog module, or by supplying
its own module. I chose the latter because it would be ugly to use two different 
access mechanisms simultaneously to send log entries to syslogd, and this way
all the usual amavisd logging settings still apply, along with its mapping
of log levels to syslog priorities.

  Mark


Discarding RBL-Mails, forwarding others

2007-09-25 Thread Dietmar Braun
Hi,

I am working with Postfix and I am searching for a solution for the
following issue:

- all mails coming from hosts on a RBL should be /dev/nulled
- all other mails should be forwarded to another email address not on
the same server

Can you give me some hints how to do that?

Regards,
Dietmar




RE: sender name same as recipient name

2007-09-25 Thread Leon Kolchinsky
> RE: training.  I don't know.  My experience w/ SA is that
> it just works and I haven't dealt with it at this level yet.
> What is strange is that SA appeared to be working fine
> for my client, then all of the sudden this spike in spam
> occurred... and as I said, 99% of the spams have the
> sender name same as recipient name (see original post).
> 


As Dave said, it seems that your problem is in the whitelist configuration. Please use 
whitelist_from_rcvd instead of whatever you are using.


Leon Kolchinsky


RE: SPAM FILTERING RATE

2007-09-25 Thread Thomas Raef
We get a small percentage of SPAM being tagged by SA as well due to most
of it being caught by the rblsmtpd option in tcpserver.

What does your qmail config file look like?

I say not to look at just your spamd logs but also your smtp(d) logs.
You might see more of what's being tagged/blocked there.

Thomas J. Raef
e-Based Security, LLC
www.ebasedsecurity.com
1-866-838-6108
"You're either hardened, or you're hacked!"

> -Original Message-
> From: Tarak Ranjan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 25, 2007 4:43 AM
> To: Spamassassin
> Subject: SPAM FILTERING RATE
> 
> hi,
> as I have installed qmrtg, it's giving me the details of
> everything: QUEUE, SMTP, POP3, SPAM.
> Here I'm getting the graph that out of 100, 57.8% is spam and
> only 8.6% is cleaned by SPAMASSASSIN.
> Can anyone assist me to increase the effectiveness of
> SPAMASSASSIN in my Qmail server?
> here is my local.cf
> required_hits 4
> report_safe 0
> rewrite_header Subject [***SPAM***]
> skip_rbl_checks 0
> use_razor2  1
> use_dcc 1
> use_pyzor   1
> use_bayes   1
> bayes_auto_learn 1
> body  NO_VIAGRA   /viagra/i
> score NO_VIAGRA   10
> 
> rawbody BECAUSE_OPTIN   /saveup to/i
> score   BECAUSE_OPTIN   5.0
> 
> rawbody BECAUSE_OPTIN   /Low Price Guarantee/i
> score   BECAUSE_OPTIN   10
> 
> rawbody DEALSMINUTE   /dealsbytheminute/i
> score   DEALSMINUTE   10
> 
> score   SUBJ_FREE_CAP   4
> 
> 
> log for spamd:
> Sep 25 14:59:03 mail spamd[4892]: spamd: connection from
> localhost.localdomain [127.0.0.1] at port 36274
> Sep 25 14:59:03 mail spamd[4892]: spamd: checking message
> <[EMAIL PROTECTED]> for qscand:513
> Sep 25 14:59:04 mail spamd[4892]: spamd: clean message (-2.6/4.0) for
> qscand:513 in 1.3 seconds, 17439 bytes.
> Sep 25 14:59:04 mail spamd[4892]: spamd: result: . -2 -
> BAYES_00,HTML_MESSAGE,RCVD_IN_IADB_LISTED,RCVD_IN_IADB_OPTIN,RCVD_IN_IADB_RDNS,RCVD_IN_IADB_SPF,URI_REDIRECTOR
> scantime=1.3,size=17439,user=qscand,uid=513,required_score=4.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=36274,mid=<1101822893466.1101460251[EMAIL PROTECTED]>,bayes=1.11022302462516e-16,autolearn=ham
> 
> Sep 25 14:59:04 mail spamd[29446]: prefork: child states: II
> Sep 25 14:59:06 mail spamd[4892]: spamd: connection from
> localhost.localdomain [127.0.0.1] at port 36275
> Sep 25 14:59:06 mail spamd[4892]: spamd: checking message
> <[EMAIL PROTECTED]> for qscand:513
> Sep 25 14:59:09 mail spamd[4892]: spamd: clean message (3.1/4.0) for
> qscand:513 in 2.4 seconds, 1441 bytes.
> Sep 25 14:59:09 mail spamd[4892]: spamd: result: . 3 -
> BAYES_50,DATE_IN_PAST_12_24,TVD_STOCK1
> scantime=2.4,size=1441,user=qscand,uid=513,required_score=4.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=36275,mid=<001001c7fea7$66cc5850$0b5[EMAIL PROTECTED]>,bayes=0.499983898885655,autolearn=no
> 
> Sep 25 14:59:09 mail spamd[29446]: prefork: child states: II
> Sep 25 14:59:34 mail spamd[4892]: spamd: connection from
> localhost.localdomain [127.0.0.1] at port 36279
> Sep 25 14:59:34 mail spamd[4892]: spamd: checking message
> <[EMAIL PROTECTED]> for qscand:513
> Sep 25 14:59:38 mail spamd[4892]: spamd: identified spam (21.3/4.0) for
> qscand:513 in 4.4 seconds, 829 bytes.
> Sep 25 14:59:38 mail spamd[4892]: spamd: result: Y 21 -
> BAYES_99,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
> scantime=4.4,size=829,user=qscand,uid=513,required_score=4.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=36279,mid=<388127736388.188067718913@autoshopholland.nl>,bayes=0.999826777960067,autolearn=no
> 
> Sep 25 14:59:38 mail spamd[29446]: prefork: child states: II
> 
> 
> --
> 
> 
> Thanks & Regards,
> Tarak
> __
> Tarak Ranjan Mukherjee
> 
> 
> www.liqwidkrystal.com
> 
> "It is possible to fail in many ways...
> while to succeed is possible only in one way."