pyzor check failed (can't fork at Util.pm)

2007-10-01 Thread Frank Niedermann

Hi,

on a fresh Debian 4.0 installation with Spamassassin 3.1.7 I get the
following message:

Oct  2 06:01:20 zoidberg spamd[17975]: spamd: connection from localhost [127.0.0.1] at port 58519
Oct  2 06:01:21 zoidberg spamd[17975]: spamd: processing message <[EMAIL PROTECTED]> for [EMAIL PROTECTED]:2000
Oct  2 06:01:25 zoidberg spamd[17975]: pyzor: check failed: Can't fork at /usr/share/perl5/Mail/SpamAssassin/Util.pm line 1308.
Oct  2 06:01:27 zoidberg spamd[17975]: spamd: identified spam (1001.9/6.5) for [EMAIL PROTECTED]:2000 in 6.3 seconds, 1959 bytes.

Spam mail is getting recognized, I've tried with the GTUBE test. But
something seems to be wrong with starting the pyzor checks, does anybody
know why?

Regards,
  Frank
-- 
View this message in context: 
http://www.nabble.com/pyzor-check-failed-%28can%27t-fork-at-Util.pm%29-tf4553028.html#a12993203
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Can't use spamassassin remotely

2007-10-01 Thread Ted To
Thank you all!  That did the trick.

On Mon, 01 Oct 2007 21:40:35 -0700
Evan Platt <[EMAIL PROTECTED]> wrote:

> If you can get to it locally, but not remotely, it obviously isn't a 
> spamassassin issue. You made no mention of your setup. Since you 
> mentioned you can telnet localhost but not by the domain name, I'm 
> guessing you're behind a nat router? If that's the case, the problem 
> is when YOU behind the nat gateway try and telnet to the domain name, 
> it's trying to telnet to your router, not the computer. Try from 
> outside the network.
> 
> It would help to explain your setup.
> 
> 
> At 09:34 PM 10/1/2007, Ted To wrote:
> >My mail client doesn't seem to be able to get to my spamassassin
> >server.  When I "telnet  783" from the client, I get:
> > Trying ...
> > telnet: Unable to connect to remote host: Connection refused
> >I can telnet to localhost 783 from localhost but not if I telnet to
> >the domain name from localhost, it gives me the above error.  I have
> >shorewall turned off.
> >
> >Thanks in advance.
> 


Re: Can't use spamassassin remotely

2007-10-01 Thread Duane Hill

On Tue, 2 Oct 2007 at 00:34 -0400, [EMAIL PROTECTED] confabulated:


> My mail client doesn't seem to be able to get to my spamassassin
> server.  When I "telnet  783" from the client, I get:
> Trying ...
> telnet: Unable to connect to remote host: Connection refused
> I can telnet to localhost 783 from localhost but not if I telnet to the
> domain name from localhost, it gives me the above error.  I have
> shorewall turned off.


By default, spamd(1) only listens on localhost(127.0.0.1). Check your 
spamd(1) startup script to ensure it is listening on an IP accessible 
outside the localhost(127.0.0.1).


  man spamd
  ...
  -i [ipaddress], --listen-ip[=ipaddress], --ip-address[=ipaddress]
  Tells spamd to listen on the specified IP address (defaults to
  127.0.0.1).  If you specify no IP address after the switch, spamd
  will listen on all interfaces.  (This is equal to the address
  0.0.0.0).  You can also use a valid hostname which will make spamd
  listen on the first address that name resolves to.

--
  _|_
 (_| |


Re: Can't use spamassassin remotely

2007-10-01 Thread Evan Platt

Ah. Could be that or / too. :)

Not a lot of information to go on ...

At 09:52 PM 10/1/2007, Daryl C. W. O'Shea wrote:

> Evan Platt wrote:
>> If you can get to it locally, but not remotely, it obviously isn't
>> a spamassassin issue.
>
> Actually, it sounds like he hasn't configured spamd to listen on an
> external interface.  perldoc spamd..
>
> -i [ipaddr], --listen-ip=ipaddr   Listen on the IP ipaddr
>
> Daryl




Re: Can't use spamassassin remotely

2007-10-01 Thread Daryl C. W. O'Shea

Evan Platt wrote:
> If you can get to it locally, but not remotely, it obviously isn't a
> spamassassin issue.


Actually, it sounds like he hasn't configured spamd to listen on an 
external interface.  perldoc spamd..


-i [ipaddr], --listen-ip=ipaddr   Listen on the IP ipaddr

Daryl



Re: Can't use spamassassin remotely

2007-10-01 Thread Evan Platt
If you can get to it locally, but not remotely, it obviously isn't a 
spamassassin issue. You made no mention of your setup. Since you 
mentioned you can telnet localhost but not by the domain name, I'm 
guessing you're behind a nat router? If that's the case, the problem 
is when YOU behind the nat gateway try and telnet to the domain name, 
it's trying to telnet to your router, not the computer. Try from 
outside the network.


It would help to explain your setup.


At 09:34 PM 10/1/2007, Ted To wrote:

> My mail client doesn't seem to be able to get to my spamassassin
> server.  When I "telnet  783" from the client, I get:
> Trying ...
> telnet: Unable to connect to remote host: Connection refused
> I can telnet to localhost 783 from localhost but not if I telnet to the
> domain name from localhost, it gives me the above error.  I have
> shorewall turned off.
>
> Thanks in advance.




Can't use spamassassin remotely

2007-10-01 Thread Ted To
My mail client doesn't seem to be able to get to my spamassassin
server.  When I "telnet  783" from the client, I get:
Trying ...
telnet: Unable to connect to remote host: Connection refused
I can telnet to localhost 783 from localhost but not if I telnet to the
domain name from localhost, it gives me the above error.  I have
shorewall turned off.

Thanks in advance.


spammed by an anti-spam company: FW: Webinar: Ferris Research and Commtouch cordially invite you to a Reputation Services Webinar

2007-10-01 Thread Michael Scheidell
looks like the commercial version of DCC.
 
anyone else from this list spammed? where did they get their victim
list?
 
they want to help protect the internet from the next big spam outbreak.
 
Reputation services can play a significant role in blocking the next big
spam or malware outbreak, including server-side polymorphic malware
  
-Original Message-
From: Stoney Brooks [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 01, 2007 7:26 PM
To: Michael Scheidell
Subject: Webinar: Ferris Research and Commtouch cordially invite you to
a Reputation Services Webinar




Dear Michael,

 

Commtouch and Ferris Research cordially invite you to a Reputation
Services webinar.

 

Reputation services can play a significant role in blocking the next big
spam or malware outbreak, including server-side polymorphic malware. I'd
like to invite you to join us at a Reputation Services Webinar on
October 10 to learn how you can use reputation services to expand your
product offerings, or enter new markets with your current products.

 

Rather than fighting each new type of outbreak as it comes - think back
to Image spam, PDF spam, Excel spam, and so on - reputation services
provide information about good and bad senders, to enable your solution
to offload more traffic at the perimeter.

 

Hear the latest about reputation services from Commtouch CTO Amir Lev
and Ferris Research's Richi Jennings in their first-ever joint webinar. 

 

The webinar will cover subjects such as:

 

*   What types of problems can be solved by reputation services? 
*   What kinds of reputation services are available? 
*   What are the pros and cons of each in terms of ease of
integration, blocking rates, and classification errors? 
*   Should more than one service be used? 
*   How do reputation services complement other security solutions? 
*   How real-time do the services need to be? 
*   How useful are they for enterprise security and overall traffic
management?

 

The one-hour webinar will be held on Wednesday, October 10, 2007 at 8:30
a.m. Pacific, 11:30 a.m. Eastern, 4:30 p.m. U.K., 5:30 p.m. CET. 

 

Click here to Register today.

 

Any questions, please feel free to call or write.

 

Regards,

Stoney

 

___

Stoney Brooks

Director Business Development

[EMAIL PROTECTED]

(650) 864-

www.commtouch.com  


 

 
 






Re: [SPAM] Thanks for your Email Address

2007-10-01 Thread John D. Hardin
On Mon, 1 Oct 2007, Daryl C. W. O'Shea wrote:

> John D. Hardin wrote:
> > On Thu, 27 Sep 2007, Sara wrote:
> > 
> >>  Just Go To The Link Given Below To See How You Can Get Everyone
> >> Begging You To Share Your Little Secret!
> >>
> >> http://cloakedlink.com/jcmyhpwnzp
> > 
> > etc.
> > 
> > Is cloakedlink.com in the default redirectors list?
> 
> SA doesn't have a list of redirectors.  There's a list of
> redirector_patterns to parse visible redirector targets, but
> that's it.

Sorry, yes, that's what I meant.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
   -- Mahmoud Ahmadeinejad clumsily dodges a question
(60 minutes interview, 9/20/2007)
---
 237 days until the Mars Phoenix lander arrives at Mars



Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-10-01 Thread John Rudd

Loren Wilton wrote:

>>> As far as I have understood it Botnet checks the first IP not being in
>>> your "trusted networks".
>>
>> botnet probably does such checks based on trusted_networks and
>> internal_networks settings: doesn't check IP in trusted_networks, but
>> continues on next IP when current one is in internal_networks
>> (where you should put your own mail forwarders and backups, altogether
>> with trusted_networks)
>
> Probably uses first_untrusted.  So indeed, if one does not have
> trusted_networks set up right, then Botnet will probably draw the wrong
> conclusions.



Actually, as currently written, Botnet does a few things of its own to 
figure out which entry is the one to check.  And it has a few config 
options to modify that behavior.


I might change that at some point (to use first_untrusted by default 
might be best).  But, for now, it does its own thing in trying to figure 
it out.




Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-10-01 Thread Daryl C. W. O'Shea

hanz wrote:

> Thanks for the explanation and quick replies from everyone. I was definitely
> wrong in my assumption on how botnet works.
>
> I think I understand the issue now and my problem can easily be fixed by
> skipping the IPs or my internal forwarders.
>
> That is  adding the following to botnet.cf fixed it.
>
> botnet_skip_ip  ^128\.6\.72\.254$
> botnet_skip_ip  ^128\.6\.72\.72$
> botnet_skip_ip  ^128\.6\.31\.85$
> botnet_skip_ip  ^128\.6\.31\.86$


It sounds like you haven't configured SpamAssassin for use on your 
network if the above config is necessary to make the Botnet plugin work 
(assuming the Botnet plugin DTRT in regards to what IPs it checks).


You should have the IPs of your internal forwarders included in your 
trusted and internal network of your SpamAssassin config, along with any 
other appropriate IPs.



Daryl
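
The relay-selection question in this thread, as an added example (not code from the Botnet plugin or from SpamAssassin): a first-untrusted walk over Received headers, showing which hop is examined with and without the internal forwarders listed as trusted. The Received headers, host names and the 198.51.100.x / 203.0.113.x addresses are constructed; the 128.6.x.x addresses are the forwarders from the botnet_skip_ip lines quoted above.

```python
import ipaddress
import re

# The connecting client's address as a Received header records it: "[a.b.c.d]".
_CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed Received headers, newest hop first (the order they appear in a message):
# dynamic host -> ISP mail server -> internal forwarder -> SpamAssassin host.
RECEIVED = [
    "from fwd1.example.edu (fwd1.example.edu [128.6.72.254]) "
    "by sa-host.example.edu with ESMTP; Mon, 01 Oct 2007 12:00:03 -0400",
    "from mail.isp.example (mail.isp.example [198.51.100.10]) "
    "by fwd1.example.edu with ESMTP; Mon, 01 Oct 2007 12:00:02 -0400",
    "from dyn-57.isp.example (dyn-57.isp.example [203.0.113.57]) "
    "by mail.isp.example with ESMTP; Mon, 01 Oct 2007 12:00:01 -0400",
]

# The four forwarders from the thread, written as networks the way a
# trusted_networks / internal_networks setting would list them.
FORWARDERS = ["128.6.72.254/32", "128.6.72.72/32", "128.6.31.85/32", "128.6.31.86/32"]


def relay_ips(received_headers):
    """Return the client IP of every hop, newest first; skip unparsable headers."""
    ips = []
    for header in received_headers:
        match = _CLIENT_IP.search(header)
        if not match:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # e.g. "[999.1.1.1]": not an address, ignore the hop
    return ips


def untrusted_hops(received_headers, trusted_networks):
    """Every hop whose client IP lies outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [str(ip) for ip in relay_ips(received_headers)
            if not any(ip in net for net in nets)]


def first_untrusted(received_headers, trusted_networks):
    """The host that handed the message to your environment, or None."""
    hops = untrusted_hops(received_headers, trusted_networks)
    return hops[0] if hops else None


if __name__ == "__main__":
    # Nothing trusted: the site's own forwarder is the hop that gets checked.
    print("no trusted networks :", first_untrusted(RECEIVED, []))
    # Forwarders trusted: the ISP's mail server is checked instead.
    print("forwarders trusted  :", first_untrusted(RECEIVED, FORWARDERS))
    # Checking every hop would also examine the dynamic host behind the ISP,
    # which is the false-positive case described in the thread.
    print("all untrusted hops  :", untrusted_hops(RECEIVED, FORWARDERS))
```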




Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-10-01 Thread hanz

Thanks for the explanation and quick replies from everyone. I was definitely
wrong in my assumption on how botnet works.

I think I understand the issue now and my problem can easily be fixed by
skipping the IPs or my internal forwarders.

That is  adding the following to botnet.cf fixed it.

botnet_skip_ip  ^128\.6\.72\.254$
botnet_skip_ip  ^128\.6\.72\.72$
botnet_skip_ip  ^128\.6\.31\.85$
botnet_skip_ip  ^128\.6\.31\.86$

Hanz



John Rudd wrote:
> 
> hanz wrote:
> 
>> 
>> I believe if botnet.pm is checking all the path  the mail went thru like
>> how dnsbl is used, botnet will get more accurate.
> 
> No, it would throw a lot more false-positives.  Every end user 
> (corporate, home, etc.) on a dynamic IP address would suddenly get their 
> email flagged by botnet, because the originating host matches the botnet 
> conditions.
> 
> 
> Consider this scenario:
> 
> a) user on dynamic IP sends email to their ISP's mail server
> b) ISP's mail server submits message to your mail server
> 
> In your suggested processing, this would generate a false positive: the 
> message would be marked as a potential botnet even though the message 
> was handled in a legitimate manner (message went out through the ISP's 
> mail server instead of coming _directly_ from the dynamic host).
> 
> Botnet specifically only tries to look at the host that submitted the 
> message to  your environment because of this.
> 
> 
> So you might ask "what about ISPs that aren't policing their network, to 
> keep botnets from relaying through them?"   Those can much more easily 
> be targeted by DSBLs than trying to DSBL every little dynamic host 
> (though, pbl.spamhaus.org seems to be trying to do that).  In one way, 
> Botnet tries to encourage a bottle-neck of mail traffic through each 
> provider's mail server, partially to make it easier to manage all of the 
> end points recipient postmasters have to deal with.
> 
> 
> So, basically, I won't be changing botnet to do what you're asking for. 
> I consider it to be a rather bad idea.  Though, you could fork the code, 
> call it something else, and make your own that behaves however you want.
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Botnet-0.8-Plugin-is-available-%28FINALLY%21%21%21%29-tf4221965.html#a12987885
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: [SPAM] Thanks for your Email Address

2007-10-01 Thread Daryl C. W. O'Shea

John D. Hardin wrote:

> On Thu, 27 Sep 2007, Sara wrote:
>
>>  Just Go To The Link Given Below To See How You Can Get Everyone
>> Begging You To Share Your Little Secret!
>>
>> http://cloakedlink.com/jcmyhpwnzp
>
> etc.
>
> Is cloakedlink.com in the default redirectors list?


SA doesn't have a list of redirectors.  There's a list of 
redirector_patterns to parse visible redirector targets, but that's it.


Daryl



Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-10-01 Thread Daryl C. W. O'Shea

Jerry Durand wrote:

> On Mon, 2007-10-01 at 10:44 +0200, Matus UHLAR - fantomas wrote:
>
>> Does your provider put AUTH information into message headers? If so,
>> those servers are certainly broken. ZEN contains IPs like dynamic that
>> are not supposed to send mail directly, but through their SMTP server.
>> (they are in PBL which is subset of ZEN). The header check should stop
>> at such headers. SA does do that
>
> It should, but check the headers on this message (since you'll get a
> private copy from the reply-to-all).
>
> If I have something set wrong, let me know as I have to move the server
> over to our new Ubuntu system and that would be a good time to fix it.


Your provider does include an auth token... ESMTPA.

Daryl


Received: from smtp.interstellar.com ([71.116.65.33])
 by vms044.mailsrvcs.net (Sun Java System Messaging Server 6.2-6.01
 (built Apr  3 2006)) with ESMTPA id <[EMAIL PROTECTED]> for
 users@spamassassin.apache.org; Mon, 01 Oct 2007 12:23:03 -0500 (CDT)




Re: Spammers who "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"

2007-10-01 Thread Daryl C. W. O'Shea

Igor Chudov wrote:

> [This message has also been posted to comp.mail.sendmail.]
> My mailserver gets a lot of errors reported such as:
>
> Oct  1 11:49:36 ak74 sendmail[31464]: l91Gnatt031464: nat.incompany.ru [83.167.0.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> Oct  1 11:49:37 ak74 sendmail[31460]: l91GnXOc031460: [59.92.187.94] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> Oct  1 11:50:40 ak74 sendmail[31647]: l91Goe5W031647: pool-71-125-52-61.nycmny.fios.verizon.net [71.125.52.61] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> These errors are clearly spammers trying to send me spams. I would
> like to know if there is some extension that would quietly junk all
> these spams with as little CPU spent on them. I do not want to log
> them, save them anywhere etc. Ideally, sendmail would either issue a
> 500 error or just quietly junk these messages.
>
> I would prefer this done before queuing them locally and without invoking spamassassin.
>
> Any extension for this?


There's no mail to discard.  The client connected and disconnected 
without doing anything (to send mail or harvest an address).


Daryl
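
A way to see what these log entries amount to, as an added example (not part of the original messages and not a sendmail feature): a parser that tallies connections that ended without a mail transaction, per source address. The first three log lines are the ones quoted in this thread with their line wraps joined; the last two are constructed, and the function names and threshold are this example's own.

```python
import re
from collections import Counter

# sendmail logs the client as "host [ip]" or, without reverse DNS, just "[ip]".
_NO_TRANSACTION = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): (?:(?P<host>\S+) )?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"
)

LOG = [
    # From the thread (wrapped lines joined).
    "Oct  1 11:49:36 ak74 sendmail[31464]: l91Gnatt031464: nat.incompany.ru "
    "[83.167.0.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Oct  1 11:49:37 ak74 sendmail[31460]: l91GnXOc031460: [59.92.187.94] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Oct  1 11:50:40 ak74 sendmail[31647]: l91Goe5W031647: "
    "pool-71-125-52-61.nycmny.fios.verizon.net [71.125.52.61] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    # Constructed: a second connection from one of the sources above.
    "Oct  1 11:52:10 ak74 sendmail[31710]: l91GqAbC031710: [59.92.187.94] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    # Constructed: an ordinary delivery line, which must not be counted.
    "Oct  1 11:53:02 ak74 sendmail[31722]: l91Gr2xB031722: "
    "from=<sender@example.org>, size=1959, nrcpts=1, "
    "relay=mail.example.org [192.0.2.25]",
]


def parse_line(line):
    """Return {'qid', 'host', 'ip'} for a no-transaction entry, else None."""
    match = _NO_TRANSACTION.search(line)
    return match.groupdict() if match else None


def connections_without_transaction(lines):
    """Count no-transaction connections per source IP."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[entry["ip"]] += 1
    return counts


def repeat_sources(lines, threshold=2):
    """Source IPs seen at least `threshold` times, sorted for stable output."""
    counts = connections_without_transaction(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in connections_without_transaction(LOG).most_common():
        print(f"{ip:15} {n}")
    print("repeat sources:", repeat_sources(LOG))
```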



Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-10-01 Thread Jerry Durand
Well that didn't totally work, I received a 550 from fantomas.sk.  If anyone is 
willing to check my headers off-list, contact me with a private e-mail.

I'd like to make sure I have the new system set up right before I add some more 
domains to it.

Thanks.


On Mon, 2007-10-01 at 10:44 +0200, Matus UHLAR - fantomas wrote:

> Does your provider put AUTH information into message headers? If so,
> those servers are certainly broken. ZEN contains IPs like dynamic that
> are not supposed to send mail directly, but through their SMTP server.
> (they are in PBL which is subset of ZEN). The header check should stop
> at such headers. SA does do that
> 

It should, but check the headers on this message (since you'll get a
private copy from the reply-to-all).

If I have something set wrong, let me know as I have to move the server
over to our new Ubuntu system and that would be a good time to fix it.

-- 
Jerry Durand, Durand Interstellar, Inc.
Los Gatos, California, USA, www.interstellar.com
tel:  408-356-3886, Skype:  jerrydurand



Spammers who "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"

2007-10-01 Thread Igor Chudov
[This message has also been posted to comp.mail.sendmail.]
My mailserver gets a lot of errors reported such as:

Oct  1 11:49:36 ak74 sendmail[31464]: l91Gnatt031464: nat.incompany.ru [83.167.0.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  1 11:49:37 ak74 sendmail[31460]: l91GnXOc031460: [59.92.187.94] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  1 11:50:40 ak74 sendmail[31647]: l91Goe5W031647: pool-71-125-52-61.nycmny.fios.verizon.net [71.125.52.61] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

These errors are clearly spammers trying to send me spams. I would
like to know if there is some extension that would quietly junk all
these spams with as little CPU spent on them. I do not want to log
them, save them anywhere etc. Ideally, sendmail would either issue a
500 error or just quietly junk these messages.

I would prefer this done before queuing them locally and without invoking 
spamassassin. 

Any extension for this?

thanks

i


Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-10-01 Thread Jerry Durand
On Mon, 2007-10-01 at 10:44 +0200, Matus UHLAR - fantomas wrote:

> Does your provider put AUTH information into message headers? If so,
> those servers are certainly broken. ZEN contains IPs like dynamic that
> are not supposed to send mail directly, but through their SMTP server.
> (they are in PBL which is subset of ZEN). The header check should stop
> at such headers. SA does do that
> 

It should, but check the headers on this message (since you'll get a
private copy from the reply-to-all).

If I have something set wrong, let me know as I have to move the server
over to our new Ubuntu system and that would be a good time to fix it.

-- 
Jerry Durand, Durand Interstellar, Inc.
Los Gatos, California, USA, www.interstellar.com
tel:  408-356-3886, Skype:  jerrydurand



Re: is lock needed when using spamd/c combo

2007-10-01 Thread Matthias Häker



John D. Hardin wrote:
> On Mon, 1 Oct 2007, Obantec Support wrote:
>
>> DROPPRIVS=yes
>> :0fw
>> * < 512000
>> | /usr/bin/spamc
>> :0:
>> * ^X-Spam-Status: Yes
>> $HOME/mail/spam





SPAM='spam'

:0fw: $SPAM$LOGNAME.lock

this will scan only one message for one user at a time.


Matthias






Re: is lock needed when using spamd/c combo

2007-10-01 Thread John D. Hardin
On Mon, 1 Oct 2007, Obantec Support wrote:

> DROPPRIVS=yes
> :0fw
> * < 512000
> | /usr/bin/spamc
> :0:
> * ^X-Spam-Status: Yes
> $HOME/mail/spam

That looks okay. There's a more complex example at 
http://www.impsec.org/~jhardin/antispam that you might want to look 
at.

> do i need to use the lock as per the procmail.example which uses
> 
> :0fw: spamassassin.lock
> * < 512000
> | spamassassin

You only need to lock around the spamc call if you explicitly want to
scan only one message at a time. If you don't have low-resource issues
on the SA box, you probably don't need to do that.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
   -- Mahmoud Ahmadeinejad clumsily dodges a question
(60 minutes interview, 9/20/2007)
---
 237 days until the Mars Phoenix lander arrives at Mars



Re: New domains

2007-10-01 Thread mouss

Jonas Eckerman wrote:
> (The idea below is not mine, someone else (I'm sorry, but I forgot
> who) wrote about it here (I think) before.)
>
> Giampaolo Tomassoni wrote:
>
>> brand-new domains,
>
> Something that could work for this without the problems inherent in
> using whois or registry databases is to simply check how long ago a
> domain was first seen being used for sending mail or in URIs in mail.
> (People might already be doing this locally, but doing it centralized
> could work better.)
>
> A specialized DNS server could be done for this. It'd work something
> like this:
>
> 1: It receives a query.
>
> 2: It checks in its database.
>
> 3.a, found in database:
> * Return result indicating how long ago domain was added.
>
> 3.b: not found:
> * Adds the domain to the database.
> * Return result indicating new domain.
>
> (It might be a good idea to also save last queried time for each
> domain (meaning 2.a will need to update the database) in order to be
> able to clean out domains that haven't been seen for a long time.)
>
> In order to be effective, such a DNS list must be used by a lot of
> different systems spread all over the world and used by different types
> of organizations.
>
> It will also take time until it can be used in an effective
> manner, so enough people would have to be using it for some time with
> very low scores just to seed it.

Wouldn't this be reinventing /etc/hosts? I mean, if you list all 
domains, you end up with a huge database...  or am I missing something?

> I could probably throw together a proof-of-concept DNS thingy in perl
> for this, but I don't have the hardware to host it for production use,
> nor the time to do it properly (perl would probably not be the best
> language to do it in).
>
> The best way might be to actually implement this in an existing
> DNS-list server, so it could be seeded through queries for that list.
>
> If, just as an example, SURBL did this, the list would be seeded by
> all systems already using SURBL lists, and the results could be
> included in multi.surbl.org.
>
> (Please note, I have no idea if implementing this in SURBLs DNS system
> is feasible in any way (wr to software, hardware, lunch breaks, or
> whatever), it was just an example.)
>
> Regards
> /Jonas
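
The first-seen lookup outlined in the quoted steps, as an added example (not code from either poster and not an existing DNS list): an in-memory model of the query, insert and last-queried bookkeeping, with the expiry pass that bounds the database size. The 127.0.0.x answer codes, the age buckets, the 90-day expiry and the domain names are assumptions made for this sketch.

```python
DAY = 86400  # seconds


class FirstSeenList:
    """Records when each domain was first queried and when it was last queried."""

    def __init__(self, expire_after=90 * DAY):
        self.expire_after = expire_after
        self._db = {}  # domain -> [first_seen, last_queried], epoch seconds

    @staticmethod
    def _normalize(domain):
        # "Example.COM." and "example.com" must hit the same record.
        return domain.strip().rstrip(".").lower()

    def query(self, domain, now):
        """Steps 1-3: return None for a new domain, else its age in seconds."""
        key = self._normalize(domain)
        entry = self._db.get(key)
        if entry is None:
            self._db[key] = [now, now]   # 3.b: add it, report "new"
            return None
        entry[1] = now                   # remember the last query for expiry
        return now - entry[0]            # 3.a: how long ago it was added

    def expire(self, now):
        """Drop domains nobody has queried for expire_after seconds."""
        stale = sorted(d for d, (_, last) in self._db.items()
                       if now - last > self.expire_after)
        for domain in stale:
            del self._db[domain]
        return stale

    def __len__(self):
        return len(self._db)


def answer_code(age):
    """Hypothetical DNSBL-style answer: a code for young domains, None otherwise."""
    if age is None:
        return "127.0.0.2"   # never seen before
    if age < 7 * DAY:
        return "127.0.0.3"   # first seen less than a week ago
    if age < 30 * DAY:
        return "127.0.0.4"   # first seen less than a month ago
    return None              # old enough: not listed


def demo():
    """Replay a constructed query history and return what the list answered."""
    lst = FirstSeenList(expire_after=90 * DAY)
    answers = [
        answer_code(lst.query("New-Shop.example.", now=0)),
        answer_code(lst.query("new-shop.example", now=3 * DAY)),
        answer_code(lst.query("new-shop.example", now=20 * DAY)),
        answer_code(lst.query("new-shop.example", now=45 * DAY)),
    ]
    lst.query("once-only.example", now=10 * DAY)
    removed = lst.expire(now=120 * DAY)  # last queried on day 10 vs. day 45
    return answers, removed, len(lst)


if __name__ == "__main__":
    print(demo())
```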




Re: RCVD_IN_DNSWL_MED causing FN's

2007-10-01 Thread Rolf Kraeuchi
ram wrote:
> I got this spam mail that was actually in a DNSWL  
> 
> https://ecm.netcore.co.in/tmp/fn.txt
> 
> How can I report this.

Reports go to: [EMAIL PROTECTED]

regards,
rolf





Re: Discarding RBL-Mails, forwarding others

2007-10-01 Thread mouss

Dietmar Braun wrote:

Wednesday, September 26, 2007, 12:12:13 PM, you wrote:
m> then you should say what exactly you want to achieve. we could spend a month
m> at guess games.

I think I said all you have to know - the one missing was just the
"domain dependent" thing.

  

Additionally, this rejects RBL listed mails - but I want to discard
them to /dev/null...
  

m> This is a _bad_ idea. not only will you be wasting resources reading
m> data that you want handle, but you run the risk of discarding legitimate
m> mail.
m> (note that reject != bounce).

I know that. In this case, it's ok because it is a 100% spamtrap domain.
  


I'm not sure I understand your goal. do you really want to not reject 
(421 or other) such mail at smtp time for some reason, or you don't care 
if it's a reject or a discard? do you want to discard so that client 
thinks the message was delivered (so it won't retry)?

m> you can use rbl_reply_maps to set the reply code to 421 so that postfix
m> closes the connection. only use this for those RBL that list zombies 
m> (spamhaus pbl). otherwise, you'll need to watch your logs for retries 
m> from MTAs and explicitly reject them.


m> Please understand that this is not SA related. so followup on the 
m> postfix users list.


Since I know Postfix quite good, I think this cannot be done with
Postfix features - you will need to expand it with SA and perhaps
procmail.
  


postfix has DISCARD action that you can use after SA. you can for 
example let SA add its headers, and in the after-the-filter postfix, use 
header_checks to look for SA headers and discard mail if a match is found.





is lock needed when using spamd/c combo

2007-10-01 Thread Obantec Support

Hi

3.2.3 SA on FC3

just need to ensure i have the master .procmailrc syntax correct for spamc

i am using 


DROPPRIVS=yes
:0fw
* < 512000
| /usr/bin/spamc
:0:
* ^X-Spam-Status: Yes
$HOME/mail/spam

do i need to use the lock as per the procmail.example which uses

:0fw: spamassassin.lock
* < 512000
| spamassassin


Mark


RCVD_IN_DNSWL_MED causing FN's

2007-10-01 Thread ram
I got this spam mail that was actually in a DNSWL  

https://ecm.netcore.co.in/tmp/fn.txt

How can I report this.

Thanks
Ram



Re: would you trust these people :)

2007-10-01 Thread Clay Davis
Hey, anyone willing to add another day to the year gets my vote!

Clay

>>> <[EMAIL PROTECTED]> 9/30/2007 12:45 PM >>>
they did not even learn the calendar at school

Wolfgang

From a stock spam:
+++

5-day price: ~$0.50
Check it at 31.09.2007



RE: Low resource rules

2007-10-01 Thread Martin.Hepworth
Also rejecting non-existent recipients straight away helps a lot - I'm dropping 
over 65% of my traffic this way..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -Original Message-
> From: Adam Wilbraham [mailto:[EMAIL PROTECTED]
> Sent: 01 October 2007 14:26
> To: users@spamassassin.apache.org
> Cc: [EMAIL PROTECTED]
> Subject: Re: Low resource rules
>
> On Sat, 29 Sep 2007 13:43:55 -0500
> "John Schmerold" <[EMAIL PROTECTED]> wrote:
>
> > Problem is SA, I don't have enough computer to do serious content
> > checking. Anyone care to recommend a few rules that will tend to catch
> > a big chunk of the spam without sucking too much brainpower from this
> > VPS box?
>
> ClamAV with the SaneSecurity definitions.
>
> www.sanesecurity.co.uk
>
>
> --
> Adam Wilbraham - Assistant Systems Administrator
> TechnoPhobia Limited
> The Workstation
> 15 Paternoster Row
> SHEFFIELD
> England
> S1 2BX
> t: +44 (0)114 2212123
> f: +44 (0)114 2212124
> e: [EMAIL PROTECTED]
> w: http://www.technophobia.com/
>







Re: New PayPal phish?

2007-10-01 Thread Evan Platt

The message the OP Kenneth Porter sent? No, it wasn't a phish.

At 10:01 AM 9/30/2007, Michelle Konzack wrote:

> Right, but PayPal write the full name in the "From:" header too.
> So, the message from the OP is definitely a phish.




Re: Low resource rules

2007-10-01 Thread Adam Wilbraham
On Sat, 29 Sep 2007 13:43:55 -0500
"John Schmerold" <[EMAIL PROTECTED]> wrote:

> Problem is SA, I don't have enough computer to do serious content
> checking. Anyone care to recommend a few rules that will tend to catch
> a big chunk of the spam without sucking too much brainpower from this
> VPS box?

ClamAV with the SaneSecurity definitions.

www.sanesecurity.co.uk


-- 
Adam Wilbraham - Assistant Systems Administrator
TechnoPhobia Limited
The Workstation
15 Paternoster Row
SHEFFIELD
England
S1 2BX
t: +44 (0)114 2212123
f: +44 (0)114 2212124
e: [EMAIL PROTECTED]
w: http://www.technophobia.com/



Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-10-01 Thread Loren Wilton

>> As far as I have understood it Botnet checks the first IP not being in
>> your "trusted networks".
>
> botnet probably does such checks based on trusted_networks and
> internal_networks settings: doesn't check IP in trusted_networks, but
> continues on next IP when current one is in internal_networks
> (where you should put your own mail forwarders and backups, altogether
> with trusted_networks)


Probably uses first_untrusted.  So indeed, if one does not have 
trusted_networks set up right, then Botnet will probably draw the wrong 
conclusions.


   Loren




Exporting from Exchange for sa-learn?

2007-10-01 Thread Paul Hutchings
I have a Public folder containing spam (dragged not forwarded).  

I want to use sa-learn to teach them as being spam.  So I used
Thunderbird to download the Public Folder via IMAP into MBOX format.

Looking at the MBOX file, A typical header is:

--_=_NextPart_001_01C774F8.2EE0E1BA--
From - Mon Oct 01 11:29:51 2007
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received:  from relay.mira.co.uk ([193.35.217.1]) by mail.mira.co.uk
with Microsoft SMTPSVC(6.0.3790.1830); Mon, 2 Apr 2007 09:54:31 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_=_NextPart_001_01C77504.87157D80"
Received:  from mocha.ocn.ne.jp (unknown [220.205.145.6]) by
relay.mira.co.uk (Postfix) with SMTP id 171261C11D9 for
<[EMAIL PROTECTED]>; Mon,  2 Apr 2007 09:53:46 +0100 (BST)
Content-class: urn:content-classes:message
Subject: Re: snook precipice
Date: Mon, 2 Apr 2007 09:53:34 +0100
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: snook precipice
Thread-Index: Acd1BIe2WZhfEKZgSDKkANlcsHJPfw==
From: "Tyree Hollisq" <[EMAIL PROTECTED]>
To: "Duncan Hill" <[EMAIL PROTECTED]>
Reply-To: "Tyree Hollisq" <[EMAIL PROTECTED]>

This is a multi-part message in MIME format.

--_=_NextPart_001_01C77504.87157D80
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

My question is, how "smart" is Spamassassin with regards to ignoring all
the stuff that happens after it hit the gateway (relay.mira.co.uk)?

Cheers,
Paul

Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378
Fax: 44 (0)24 7635 8378
mailto:[EMAIL PROTECTED]


-- 
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration  GB 114 5409 96





Re: New PayPal phish?

2007-10-01 Thread Michelle Konzack
On 2007-09-28 10:32:47, Skip wrote:
> I saw one of these nearly a month ago, but that was it.  That it comes
> addressed to a personal name is a bit disturbing.
> 
> - Skip
> 
- END OF REPLIED MESSAGE -

Right, but PayPal writes the full name in the "From:" header too.
So, the message from the OP is definitely a phish.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSN LinuxMichi
0033/6/6192519367100 Strasbourg/France   IRC #Debian (irc.icq.com)




Localize Rule

2007-10-01 Thread Paolo De Marco

Hi,
is there any repository of localized rules? I received some spam in 
Italian...

Thanks

--
Paolo De Marco




Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-10-01 Thread Matus UHLAR - fantomas
> > Thanks for confirming how botnet works.  This is exactly
> > the problem! 
> > 
> > Botnet.pm is only checking the LAST IP and not the FIRST
> > in the example email.
> > 
> > The first IP in the list is a definite botnet source but
> > botnet.pm does not detect this as a botnet email.

On 29.09.07 02:31, Jari Fredriksson wrote:
> As far as I have understood it Botnet checks the first IP not being in
> your "trusted networks".

botnet probably does such checks based on trusted_networks and
internal_networks settings: doesn't check IP in trusted_networks, but
continues on next IP when current one is in internal_networks
(where you should put your own mail forwarders and backups, altogether with
trusted_networks)
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
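
An added illustration, not part of any post in this thread and not SpamAssassin's or Botnet's own code: a simplified model of the "first untrusted relay" walk described in the Botnet replies above, run over the Received headers from the Exchange export question. The function names, the regular expression and the handling of unparseable headers are assumptions of this sketch; only `trusted_networks` is modelled.

```python
import ipaddress
import re
from email import message_from_string

# Received headers copied from the Exchange export quoted earlier in this
# thread; the redacted "for <...>" clause is dropped. Newest hop is on top.
SAMPLE = """\
Received: from relay.mira.co.uk ([193.35.217.1]) by mail.mira.co.uk
 with Microsoft SMTPSVC(6.0.3790.1830); Mon, 2 Apr 2007 09:54:31 +0100
Received: from mocha.ocn.ne.jp (unknown [220.205.145.6]) by
 relay.mira.co.uk (Postfix) with SMTP id 171261C11D9;
 Mon,  2 Apr 2007 09:53:46 +0100 (BST)
Subject: Re: snook precipice

body
"""

# "from <name> (<optional rDNS> [<ip>])" as written by Postfix and SMTPSVC above.
RELAY_RE = re.compile(r"from\s+(\S+)\s+\([^\[\)]*\[([0-9a-fA-F.:]+)\]\)")


def relays(raw):
    """Return (name, ip) for each Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RELAY_RE.match(value.strip())
        if m:  # headers without a bracketed IP are skipped in this sketch
            hops.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return hops


def first_untrusted(raw, trusted_networks):
    """Walk down from the newest hop and return the first relay whose IP is
    outside every trusted network; headers below that hop were written by a
    host we do not trust, so the walk stops there."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for name, ip in relays(raw):
        if not any(ip in net for net in nets):
            return name, str(ip)
    return None  # every visible hop is trusted


if __name__ == "__main__":
    # Gateway listed as trusted: the outside sender is the relay examined.
    print(first_untrusted(SAMPLE, ["193.35.217.1"]))
    # Nothing listed: the site's own gateway is examined instead.
    print(first_untrusted(SAMPLE, []))
```

With the gateway listed, the relay handed to later checks is the outside host; with nothing listed, it is the site's own gateway, which is the wrong-conclusion case mentioned in the thread.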


Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-10-01 Thread Matus UHLAR - fantomas
> At 02:31 PM 9/28/2007, John Rudd wrote:
> >Consider this scenario:
> >
> >   a) user on dynamic IP sends email to their ISP's mail server
> >   b) ISP's mail server submits message to your mail server
> >
> >In your suggested processing, this would generate a false positive: 
> >the message would be marked as a potential botnet even though the 
> >message was handled in a legitimate manner (message went out through 
> >the ISP's mail server instead of coming _directly_ from the dynamic host).

On 28.09.07 14:52, Jerry Durand wrote:
> Our mail server is on a dynamic business line, so we send through our 
> ISP's AUTH port (and have this listed in SPF).  We still get bounced 
> mail from some servers that are scanning all the headers against 
> things like the Zen list.  For a while, Internic was bouncing mailing 
> list digests that had posts from anyone with a dynamic address, seems 
> they were scanning the body of the message, too!

Does your provider put AUTH information into message headers? If so, those
servers are certainly broken. ZEN contains IPs like dynamic that are not
supposed to send mail directly, but through their SMTP server. (they are in
PBL which is subset of ZEN). The header check should stop at such headers.
SA does do that.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.