Re: SpamAssassin not hitting well on obvious spam

2007-10-16 Thread Jeff Chan
Quoting Chris 'Xenon' Hanson [EMAIL PROTECTED]:
[...]
> X-Spam-Status: Yes, hits=4.4 required=4.0
> X-Spam-Level:
> X-Spam-Report: SA TESTS
>   0.1 FORGED_RCVD_HELO        Received: contains a forged HELO
>   0.1 HTML_40_50              BODY: Message is 40% to 50% HTML
>   0.0 HTML_MESSAGE            BODY: HTML included in message
>   1.5 RAZOR2_CF_RANGE_51_100  BODY: Razor2 gives confidence level above 50%
>                               [cf: 100]
>   0.1 RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)
>   0.1 RCVD_IN_SORBS_DUL       RBL: SORBS: sent directly from dynamic IP address
>                               [201.240.244.254 listed in dnsbl.sorbs.net]
>   1.8 RCVD_IN_BL_SPAMCOP_NET  RBL: Received via a relay in bl.spamcop.net
>                               [Blocked - see http://www.spamcop.net/bl.shtml?201.240.244.254]
>   0.6 URIBL_SBL               Contains an URL listed in the SBL blocklist
>                               [URIs: ecamn.com]


Turn on SURBL tests.  ecamn.com is blacklisted on SURBL.

Jeff C.


Re: SpamAssassin not hitting well on obvious spam

2007-10-16 Thread Theo Van Dinter
On Mon, Oct 15, 2007 at 11:53:09PM -0600, Chris 'Xenon' Hanson wrote:
> And yet, sometimes the spam that makes it through is startlingly obvious.
> Lots of expletives about male anatomy and the like, in plaintext mails. I
> turned on the X-Spam-Report header to see how things were going. A typical
> flagged anatomical enlargement spam might show:

Having words like fucking, viagra, huge or penis in a mail does
not necessarily mean that the message is spam.

Bayes does a great job with this kind of thing though -- if those words mean
spam for you, then Bayes will learn that and act accordingly.

If you're not using Bayes for some reason, you could write your own
single-word/phrase rules that simulate the action.

Generally speaking, those types of rules either have a low hit-rate or a not
acceptable high FP rate, which is why they don't normally exist in
the standard ruleset.

> Are the rulesets here:
> http://www.koders.com/noncode/fidBB2367C919EFE21595CF39216741049B8CF03958.aspx
> http://www.koders.com/noncode/fid2FDA2298EF0A572237595868731E4FA234A59A55.aspx
> production rulesets? If so, how would one subscribe to them. They
> seemed to have some good ideas in them.

You'd really have to ask the people who wrote them.  (I've never heard of that
site, fwiw.)

Ideally, people who come up with ideas/rules would submit them to the
SA project for general testing and (possible) inclusion in the standard
ruleset.  But that doesn't usually happen, unfortunately. :(

-- 
Randomly Selected Tagline:
Cut the [network] line to your bathroom ... life will be good again.
 - Hal Stern




Re: SpamAssassin not hitting well on obvious spam

2007-10-16 Thread Chris 'Xenon' Hanson

Jeff Chan wrote:

> Turn on SURBL tests.  ecamn.com is blacklisted on SURBL.


  Ok. According to
http://wiki.apache.org/spamassassin/SURBL
http://www.surbl.org/faq.html#nettest

  SA 3.x have SURBL by default and it should be enabled if I'm not starting spamd with 
the -L/--local option. My /etc/default/spamassassin doesn't show the local option, so I 
think I should have SURBL on already. Any suggestions for where to look to determine why 
it might not be firing?


  In a broader sense, are there any available local rulesets that are going to key off of 
the phrasing in the message body for these types of spams?



> Jeff C.


--
Chris 'Xenon' Hanson, omo sanza lettere  Xenon AlphaPixel.com
PixelSense Landsat processing now available! http://www.alphapixel.com/demos/
There is no Truth. There is only Perception. To Perceive is to Exist. - Xen


way to change the header

2007-10-16 Thread cpayne

Is there a way I can take this

X-Spam-Status: No, score=(1.1), required=1.5, tests=BAYES_50,Magi_Body_Chuck,
NO_RECEIVED,TO_CC_NONE, autolearn=no, bayes score = 0.5000, 
version=3.1.8
date scan = Mon, 15 Oct 2007 15:38:39 -0400

and make it look like this...

X-Spam-Status: No, score=(1.1), 
	   required=1.5, 
  tests=BAYES_50,

  Magi_Body_Chuck,
   NO_RECEIVED,TO_CC_NONE,
  autolearn=no, 
	   bayes score = 0.5000, 
  version=3.1.8

   date scan = Mon, 15 Oct 2007 15:38:39 -0400


Thanks,

Payne


Re: SpamAssassin not hitting well on obvious spam

2007-10-16 Thread Justin Mason

Henrik Krohns writes:
> http://taint.org/2007/08/15/004348a.html

Ah, my auto-generated ruleset!  Yes, please try it out -- it works very
well indeed ;)

(If anyone gets any FPs from it, I'd appreciate if you could package them
up as an mbox, zip it, and mail it to me to avoid them in future.  But
it's extremely low on FPs in recent testing.)

--j.


Re: way to change the header

2007-10-16 Thread Banyan He

I remember it follows RFC specification. So, no blank lines in the headers.

cpayne wrote:

Is there a way I can take this

X-Spam-Status: No, score=(1.1), required=1.5, 
tests=BAYES_50,Magi_Body_Chuck,
NO_RECEIVED,TO_CC_NONE, autolearn=no, bayes score = 0.5000, 
version=3.1.8

date scan = Mon, 15 Oct 2007 15:38:39 -0400

and make it look like this...

X-Spam-Status: No, score=(1.1),required=1.5,   
tests=BAYES_50,

  Magi_Body_Chuck,
   NO_RECEIVED,TO_CC_NONE,
  autolearn=no,bayes score = 0.5000, 
  version=3.1.8

   date scan = Mon, 15 Oct 2007 15:38:39 -0400


Thanks,

Payne




--
Banyan He
MailWeb Security
Mobile: +86 13641777622
MSN: [EMAIL PROTECTED]
Skype: banyan.he
Email: [EMAIL PROTECTED]
AntiSpam Test: [EMAIL PROTECTED]
AntiVirus Test: [EMAIL PROTECTED]
Wemaster Mail: [EMAIL PROTECTED]
Website: http://www.rootong.com
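
Added example (not part of any post in this thread): the layout question above comes down to the header folding rule in RFC 5322 section 2.2.3, where a continuation line must start with a space or tab and the first empty line ends the header section. The sketch uses Python's standard `email` parser on constructed messages to show the blank-line layout losing the rest of X-Spam-Status to the body, next to a valid one-item-per-line fold of the same value; the Subject line, body text and function names are assumptions made for the example.

```python
import email
import re

# Header value from the question, as one logical (unfolded) line.
STATUS = ("No, score=(1.1), required=1.5, tests=BAYES_50,Magi_Body_Chuck,"
          "NO_RECEIVED,TO_CC_NONE, autolearn=no, bayes score = 0.5000, "
          "version=3.1.8")


def fold_items(name, value, indent=" "):
    """Fold a header so each ', '-separated item sits on its own line.

    Every continuation line starts with whitespace and no line is empty,
    which is what keeps the result a single header field. With a one-space
    indent, unfolding gives back the original value byte for byte; a wider
    indent is legal too but stays in the value as extra whitespace.
    """
    return f"{name}: " + (",\n" + indent).join(value.split(", ")) + "\n"


def unfold(value):
    """Undo folding: drop each line break that is followed by space or tab."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)


def parse(raw, name="X-Spam-Status"):
    """Return (unfolded header value, body) as a mail parser sees them."""
    msg = email.message_from_string(raw)
    value = msg[name]
    return (unfold(value) if value is not None else None, msg.get_payload())


def folded_message():
    # Constructed message using the valid fold (LF used here; CRLF on the wire).
    return ("Subject: test\n"
            + fold_items("X-Spam-Status", STATUS)
            + "\n"
            + "body text\n")


def blank_line_message():
    # Constructed message using the layout asked for, blank line included.
    return ("Subject: test\n"
            "X-Spam-Status: No, score=(1.1),\n"
            "\t   required=1.5,\n"
            "  tests=BAYES_50,\n"
            "\n"                      # header section ends here
            "  Magi_Body_Chuck,\n"
            "   NO_RECEIVED,TO_CC_NONE,\n"
            "  autolearn=no,\n"
            "\n"
            "body text\n")


if __name__ == "__main__":
    for label, raw in (("folded", folded_message()),
                       ("blank line", blank_line_message())):
        value, body = parse(raw)
        print(f"[{label}] header: {value!r}")
        print(f"[{label}] body:   {body!r}")
```

With the blank-line layout, any filter or MUA rule that keys on the test names in X-Spam-Status no longer sees them, because they are now body text.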



Re: SpamAssassin not hitting well on obvious spam

2007-10-16 Thread Loren Wilton
> I believe SA uses Bayes out of the box, but what I don't get is how will
> Bayes know it's spam (to train on, versus ham)


You tell it.

Bayes won't kick in on a new installation until you have manually fed it AT 
LEAST 200 each hams and spams.  You do this by deciding yourself if a 
message is ham or spam and training appropriately.


Once it has at least the minimal training amount it will start classifying. 
And if you have auto-learning on, it will start learning from what it 
classifies.  Of course, there is no guarantee that it will learn 
*correctly*.  Again, it is up to you to monitor it (at least occasionally) 
and if necessary re-learn a message as the correct type.


If you get messages that are bayes_50 or near that it means Bayes doesn't 
have a clue about the message.  You should give it one, especially if it is 
spam, by again training it appropriately.


Bayes will work quite well on the type of spam you are getting.  *once you 
train it*.


   Loren




Re: Headers not being updated

2007-10-16 Thread MartyG

Thank you both for your posts I'll go off and find out about these issues.

I'll report back if and when I find a solution. 

Martin


Matt Kettler-3 wrote:
 
> MartyG wrote:
>> I have recently moved to a new VPS, everything has been setup for me and is
>> working well except Spamassassin. (I've never had problems with it on my
>> previous host and I'm a newbie to working with it, so please excuse my
>> ignorance.).
>>
>> Hopefully this might help.
>>
>> Server: Apache/1.3.37
>> Spamassassin Version 3.2.3  running on perl 5.8.8
>>
>> I have tested the install by using spamassassin -D   sample-spam.txt and
>> it seems to work fine.
>>
>> Now the problem, all incoming emails on all accounts have following headers :-
>>
>> X-Spam-Status: No, score=
>> X-Spam-Score:
>> X-Spam-Bar:
>> X-Spam-Flag: NO
>
> At casual glance, it looks like you're trying to use spamc, but spamd
> isn't running.
 
 
 




DNSWL question

2007-10-16 Thread Mark Wendt (Contractor)
I've started seeing some spam come through that gets labeled with 
RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, 
which imparts a negative score if the relay is listed in their 
db.  Here at the Lab, we have an email gateway at the front, which is 
the single point of entry for email to the Lab, and then forwards the 
emails to the respective servers.  Can't get around that issue, it's 
mandated by the Lab.


Been looking through the doccy's and I've either glossed over it, or 
there is no section dealing specifically with this rule set that 
would allow me to turn off this rule.  Can someone point me in the 
right direction as to how and where I can turn off this rule if it 
can be turned off?


Thanks,
Mark





Re: DNSWL question

2007-10-16 Thread Jeff Chan
Quoting Mark Wendt (Contractor) [EMAIL PROTECTED]:

> I've started seeing some spam come through that gets labeled with
> RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
> which imparts a negative score if the relay is listed in their
> db.  Here at the Lab, we have an email gateway at the front, which is
> the single point of entry for email to the Lab, and then forwards the
> emails to the respective servers.  Can't get around that issue, it's
> mandated by the Lab.
>
> Been looking through the doccy's and I've either glossed over it, or
> there is no section dealing specifically with this rule set that
> would allow me to turn off this rule.  Can someone point me in the
> right direction as to how and where I can turn off this rule if it
> can be turned off?
>
> Thanks,
> Mark

Just set the score to 0 (zero).  Any rule can be disabled by setting the score
to zero.

Cheers,

Jeff C.


Re: DNSWL question

2007-10-16 Thread Jonathan Armitage

Mark Wendt (Contractor) wrote:
> I've started seeing some spam come through that gets labeled with
> RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/
>
> Can someone point me in the right
> direction as to how and where I can turn off this rule if it can be
> turned off?



In local.cf: score RCVD_IN_DNSWL_MED 0.00

Jon


Re: DNSWL question

2007-10-16 Thread Justin Mason

Mark Wendt (Contractor) writes:
> I've started seeing some spam come through that gets labeled with
> RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
> which imparts a negative score if the relay is listed in their
> db.  Here at the Lab, we have an email gateway at the front, which is
> the single point of entry for email to the Lab, and then forwards the
> emails to the respective servers.  Can't get around that issue, it's
> mandated by the Lab.

You may also find trusted_networks and internal_networks to
be helpful; specify the gateway's IP in those lists.

--j.


AWL: what would happen if...

2007-10-16 Thread Mike Jackson
I work for a large managed hosting company. One of my fellow techs saw a 
customer put the following in their /etc/mail/local.cf:


score AWL -100

He asked me (I have a reputation as the local SA expert) what would 
happen, and I couldn't figure it out. I figure it would either override 
the dynamic score and always apply -100 if there's a match in the AWL 
database, or that the forced score would be ignored. So, which is it, or 
an answer C that I couldn't think of?


Re: Mailman cooler [Was Re: unsubscribed]

2007-10-16 Thread SM

At 15:52 15-10-2007, Mark Martinec wrote:

> Also, not to forget that mailman in its current version invalidates and
> removes DKIM signatures, while this mailing lists stays faithful and keeps
> messages intact and retains original signatures. (there is supposedly some
> mailman patch floating around to fix that, but I don't know where).


Adding footers to the message or tagging the subject line invalidates 
the DKIM signature.  You can turn off these features in 
mailman.  There is a configuration option to retain the original DKIM 
signature.


Regards,
-sm 



RE: uribl.com implementing ACLs

2007-10-16 Thread Chris Santerre
Since the last DDOS it would have been nice if the big guys ran local
mirrors instead of making the problem worse. No donations and hammering away
at the server I wonder why small RBLs drop off the planet. 

I salute every one who has donated time, machines, bandwidth, and love to
URIBL. The rest of you leechers need to run a local mirror. 

Damn this seems like a bitchy reply. I'm having a good morning too. Hmmm...
I blame the Red Sox losing! 

--Chris
(The views expressed in this email do not reflect the official position of
URIBL. They are the delusional rantings of someone playing too much xbox 360
at night.)

> -----Original Message-----
> From: Rick Macdougall [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 16, 2007 10:36 AM
> Cc: users@spamassassin.apache.org
> Subject: Re: uribl.com implementing ACLs
>
> Oli Schacher wrote:
> > I've just heard that uribl.com is implementing ACLs for heavy hitters.
> > For those running ISP/ASPs doing millions of queries you may want to
> > watch your logs.
> > They not blocking queries (yet?) but return a REFUSED
>
> I believe we are already blocking some major heavy hitters.
>
> REFUSED is a block.
>
> Regards,
>
> Rick
> uribl public mirror owner
 


Re: uribl.com implementing ACLs

2007-10-16 Thread John Rudd


IMO, one of the best and _easiest_ things any site can do to show love 
to any blacklist service is: run a local mirror.  Even better is to run 
a publicly accessible mirror ... but a local mirror lessens your impact 
on the service you're consuming.  Ask them when and often you can pull 
the mirror over, and be as accommodating to them as possible.


Offering donations is always good too ... but, like I said, it's easy to 
do the local mirror, and it can really help reduce the impact on the 
blacklist service.   PLUS it will probably have a noticeable impact on 
the network lookup latency on your own servers.



Chris Santerre wrote:

Since the last DDOS it would have been nice if the big guys ran local
mirrors instead of making the problem worse. No donations and hammering away
at the server I wonder why small RBLs drop off the planet. 


I salute every one who has donated time, machines, bandwidth, and love to
URIBL. The rest of you leechers need to run a local mirror. 


Damn this seems like a bitchy reply. I'm having a good morning too. Hmmm...
I blame the Red Sox losing! 


--Chris
(The views expressed in this email do not reflect the official position of
URIBL. They are the delusional rantings of someone playing too much xbox 360
at night.)


-Original Message-
From: Rick Macdougall [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 16, 2007 10:36 AM
Cc: users@spamassassin.apache.org
Subject: Re: uribl.com implementing ACLs


Oli Schacher wrote:
I've just heard that uribl.com is implementing ACLs for 

heavy hitters.
For those running ISP/ASPs doing millions of queries you 
may want to 

watch your logs.
They not blocking queries (yet?) but return a REFUSED



I believe we are already blocking some major heavy hitters.

REFUSED is a block.

Regards,

Rick
uribl public mirror owner
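
Added example (not from any poster in this thread): the "REFUSED is a block" remark matters operationally because a resolver that only checks for an answer treats REFUSED the same as "not listed", so the URI rules silently stop firing. The sketch builds a URI blocklist query name and classifies DNS responses by RCODE; the zone name `multi.uribl.com`, the domain `example.com`, the `127.0.0.2` answer and all response packets are constructed sample data.

```python
import struct
from collections import Counter

QR, RD, RA = 0x8000, 0x0100, 0x0080          # DNS header flag bits
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5


def encode_qname(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(domain, zone, txid):
    """A-record query for <domain>.<zone>, the usual URI blocklist lookup."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_qname(f"{domain}.{zone}") + struct.pack("!HH", 1, 1)


def constructed_response(query, rcode, answer_ip=None):
    """Build a sample response to `query` (constructed test data only)."""
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, QR | RD | RA | rcode, 1, ancount, 0, 0)
    body = query[12:]                          # echo the question section
    if answer_ip:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        # Name pointer to offset 12, type A, class IN, TTL 300, 4-byte RDATA.
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + body


def classify(query, response):
    """Map a response to listed / not-listed / refused / error."""
    if len(response) < 12:
        return "error"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "error"
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"                       # ACL block, not a verdict
    if rcode == NXDOMAIN:
        return "not-listed"
    if rcode == NOERROR:
        return "listed" if ancount else "not-listed"
    return "error"


def summarize(pairs):
    """Count outcomes; the flag is True when any lookup was refused."""
    counts = Counter(classify(q, r) for q, r in pairs)
    return dict(counts), counts["refused"] > 0


if __name__ == "__main__":
    q = build_query("example.com", "multi.uribl.com", 0x1234)
    sample = [(q, constructed_response(q, NXDOMAIN)),
              (q, constructed_response(q, NOERROR, "127.0.0.2")),
              (q, constructed_response(q, REFUSED))]
    print(summarize(sample))
```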







Re: AWL: what would happen if...

2007-10-16 Thread Theo Van Dinter
On Tue, Oct 16, 2007 at 10:44:45AM -0500, Mike Jackson wrote:
> happen, and I couldn't figure it out. I figure it would either override
> the dynamic score and always apply -100 if there's a match in the AWL
> database, or that the forced score would be ignored. So, which is it, or
> an answer C that I couldn't think of?

The forced score is ignored.  More specifically, it's overwritten w/ the
dynamic score via the plugin:

  # current AWL score changes with each hit
  for my $set (0..3) {
    $pms->{conf}->{scoreset}->[$set]->{AWL} = sprintf("%0.3f", $delta);
  }

-- 
Randomly Selected Tagline:
He who fears the unknown may one day flee from his own backside.
-- Sinbad




refefine/extend a existing rule in 20_ratware.cf possible ??

2007-10-16 Thread Paul Griffith

Hi,

I want to add a patch to 20_ratware.cf so I can extend FORGED_MUA_OUTLOOK  
to handle the new Outlook Message-ID format. Can I just redefine the  
supporting meta rule __FORGED_OE and let SA take care of the rest ?



see patch here:
http://issues.apache.org/SpamAssassin/attachment.cgi?id=4162&action=view

Thanks
Paul


--
Paul Griffith |Dept. of Computer Science and Engineering
CSE Technical Team |4700 Keele Street, Toronto, ON, Canada, M3J-1P3
[EMAIL PROTECTED] |CSE1003A|Tel: 416-736-2100 x70258|Fax: 416-736-5872


Re: Question about total effective of spamassassin

2007-10-16 Thread Alex Woick

> I am also running an old version (3.1.7 on Ubuntu 7.04).  Between SA and
> Thunderbird's own spam features, I am detecting something between 75%
> and 80% of spam.  How much better is 3.2.x?

On my small system (5 users) spam detection is above 99% accuracy for my 
own mail account. Less than 1 spam per week coming through and no false 
positives for a year or two (and I check all found spam manually). My 
account gets 100 spam and 20 ham per day; perhaps more ham with the 
mailing lists.


I have installed and activated all external network-tests in SA (dcc, 
razor, pyzor), AWL, feed all my messages to Bayes manually in addition 
to the automatic bayes learning, raised the BAYES_99 score to 4.5 
points, and pull a few selected rules from SARE. I also did a few rules 
myself, but the corresponding spam isn't coming any more.


I also use greylisting on my mailserver (with the exception of servers 
in the dnswl) and use the Spamhaus zen and dsbl blocklists at the 
mailserver. I also did the usual mailserver hardening for postfix 
(reject invalid hostnames/senders/recipients, non-fqdn helo etc). 
Additionally, a local caching-nameserver is in use.


From my point of view, it couldn't get any better. And don't forget: SA 
alone isn't enough. The correct mailserver configuration is as 
important. My system is certainly over-administrated for 5 users, but 
hey, it's my hobby and I hate-hate-hate spam :)


Tschau
Alex


Sa-compile error

2007-10-16 Thread Luis Hernán Otegui
Hi, everybody, sa-compile was running all right in my systems, and on
Saturday it began to spit out this output (from sa-compile -D):

cd /tmp/.spamassassin28680clJUyOtmp
cd Mail-SpamAssassin-CompiledRegexps-body_0
Wide character in print at /usr/local/bin/sa-compile line 379, $fh line 4428.
re2c -i -b -o scanner1.c scanner1.re
re2c -i -b -o scanner2.c scanner2.re
re2c -i -b -o scanner3.c scanner3.re
re2c -i -b -o scanner4.c scanner4.re
re2c -i -b -o scanner5.c scanner5.re
re2c -i -b -o scanner6.c scanner6.re
re2c: error: line 103, column 8: can't find symbol
command failed! at /usr/local/bin/sa-compile line 282, $fh line 4586.

the relevant line of scanner6.re is this:

e\/[EMAIL PROTECTED], [EMAIL PROTECTED] = and many many more ) - free 
shipping 
{RET(__SEEK_F3UZNS);}

On Saturday I enabled Justin Mason's rules via sa-update, I don't
know if this has something to do with it...

Any other info you need to debug this, please ask.

Thanks in advance,


Luis

-- 
-
GNU-GPL: May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Sa-compile error

2007-10-16 Thread Justin Mason

Luis Hernán Otegui writes:
> Hi, everybody, sa-compile was running all right in my systems, and on
> Saturday it began to spit out this output (from sa-compile -D):

there are a number of bugs in sa-compile that are fixed in SVN
trunk-- please apply the patches from
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5493
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5556
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5594
and that should go away.

Hopefully we can get a 3.2.4 release out eventually to fix these...

--j.


RE: uribl.com implementing ACLs

2007-10-16 Thread Joseph Brennan



> No donations


IT departments managed by folks with corporate backgrounds don't even
have a procedure for sending off checks in arbitrary amounts solely
because somebody thinks it would be a nice thing to do.

Just say that large sites have to pay for rsync and put a price on it.
That turns it into a routine bill for service and it goes right through,
and you get much-deserved income.  I'm afraid that's how it works.

Joseph Brennan
Columbia University IT




Re: refefine/extend a existing rule in 20_ratware.cf possible ??

2007-10-16 Thread Joseph Brennan



--On Tuesday, October 16, 2007 12:59 -0400 Paul Griffith 
[EMAIL PROTECTED] wrote:



> Hi,
>
> I want to add a patch to 20_ratware.cf so I can extend FORGED_MUA_OUTLOOK
> to handle the new Outlook Message-ID format. Can I just redefine the
> supporting meta rule __FORGED_OE and let SA take care of the rest ?
>
> see patch here:
> http://issues.apache.org/SpamAssassin/attachment.cgi?id=4162&action=view




You've got part of it described...
 MESSAGEID =~ /^[EMAIL PROTECTED]$/m

... but in the past few days we saw also these two types:

[EMAIL PROTECTED]
mailed using Outlook, by an MSN customer

[EMAIL PROTECTED]
mailed using Outlook Express

These anomalies are all coming from a group of hosts with names ending
bay0.hotmail.com.  That group of hosts are also responsible for passing
along spam from botnet PCs.  No scanning of outgoing mail?

Joseph Brennan
Columbia University IT




Re: unsubscribed

2007-10-16 Thread Clay Davis
Bob,

I agree and have for a long time.  I am always a little taken aback
when an unsubscriber gets hammered with sarcasm on this list...

Plus, I have always assembled first and read the directions later...
especially on Christmas Eve, when the pressure is on!  It's human
nature... but, then, so is sarcasm, I guess... at least in my case it
is.

I can't understand why anyone would want to unsubscribe anyway!  Maybe
that's where we should poke fun; with a hearty laugh YOU WANT TO DO
WHAT?

re,
Clay


 Bob Proulx [EMAIL PROTECTED] 10/12/2007 12:46 PM 
Nigel Frankcom wrote:
> I am amazed at the number of list users that unsubscribe from an anti
> spam list and yet they fail to look at the headers of the mails they
> receive

Yes and no.  It is a technical list for an anti-spam tool and so you
would think would be comprised of people who know how email works.

But on the other hand people all over the world are overwhelmed with
spam and turn to anti-spam tools and their discussion lists to help.
Those are the ones who do not know how email works and are also
attracted to the same lists out of the misunderstanding.

Bob


Re: refefine/extend a existing rule in 20_ratware.cf possible ??

2007-10-16 Thread Paul Griffith
On Tue, 16 Oct 2007 14:57:00 -0400, Joseph Brennan [EMAIL PROTECTED]  
wrote:


> --On Tuesday, October 16, 2007 12:59 -0400 Paul Griffith
> [EMAIL PROTECTED] wrote:
>
>> Hi,
>>
>> I want to add a patch to 20_ratware.cf so I can extend FORGED_MUA_OUTLOOK
>> to handle the new Outlook Message-ID format. Can I just redefine the
>> supporting meta rule __FORGED_OE and let SA take care of the rest ?
>>
>> see patch here:
>> http://issues.apache.org/SpamAssassin/attachment.cgi?id=4162&action=view
>
> You've got part of it described...
>   MESSAGEID =~ /^[EMAIL PROTECTED]$/m
>
> ... but in the past few days we saw also these two types:
>
> [EMAIL PROTECTED]
> mailed using Outlook, by an MSN customer
>
> [EMAIL PROTECTED]
> mailed using Outlook Express
>
> These anomalies are all coming from a group of hosts with names ending
> bay0.hotmail.com.  That group of hosts are also responsible for passing
> along spam from botnet PCs.  No scanning of outgoing mail?
>
> Joseph Brennan
> Columbia University IT





In Canada one of the largest ISPs is Sympatico.ca and they offer a service  
[EMAIL PROTECTED] (http://sympatico.msn.ca/). They use hotmail to handle their  
e-mail backend. Their outgoing mail server is smtphm.sympatico.ca which is  
an alias for smtp.bc.hotmail.com. From my logs all the sympatico.ca  
e-mails we are getting are coming from the servers are in the  
bay0.hotmail.com range.


I will patch FORGED_MUA_OUTLOOK in our own custom rules and wait until  
SA officially updates 20_ratware.cf


Thanks for the heads up on the BLU message id.

--
Paul Griffith


RE: unsubscribed

2007-10-16 Thread Steve Ingraham


> -----Original Message-----
> From: Clay Davis [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 16, 2007 2:16 PM
> To: Bob Proulx; users@spamassassin.apache.org
> Subject: Re: unsubscribed
>
> Bob,
>
> I agree and have for a long time.  I am always a little taken
> aback when an unsubscriber gets hammered with sarcasm on this list...
>
> Plus, I have always assembled first and read the directions
> later... especially on Christmas Eve, when the pressure is
> on!  It's human nature... but, then, so is sarcasm, I
> guess... at least in my case it is.
>
> I can't understand why anyone would want to unsubscribe
> anyway!  Maybe that's where we should poke fun; with a
> hearty laugh YOU WANT TO DO WHAT?
>
> re,
> Clay
>
> Bob Proulx [EMAIL PROTECTED] 10/12/2007 12:46 PM
> Nigel Frankcom wrote:
> > I am amazed at the number of list users that unsubscribe from an anti
> > spam list and yet they fail to look at the headers of the mails they
> > receive
>
> Yes and no.  It is a technical list for an anti-spam tool and
> so you would think would be comprised of people who know how
> email works.
>
> But on the other hand people all over the world are
> overwhelmed with spam and turn to anti-spam tools and their
> discussion lists to help. Those are the ones who do not know
> how email works and are also attracted to the same lists out
> of the misunderstanding.
>
> Bob

I cannot help but comment on this post.  I am one of those ignorant
people that is subscribed to this list (along with several others) for
the purpose of asking questions of you experts out there because I do
not fully understand how it is working.  By all accounts everyone of you
out there would label me as a novice.  The truth of the matter is I am a
novice.  As the saying goes; I know enough about this stuff to be
dangerous.

What I would like to say by posting this is; why don't all you experts
out there relax a bit?  I, for one, acknowledge your superiority over me
in this spam stuff.  I will never consider myself at the level of
understanding you are.  Therefore, I need you guys to keep me straight
and show me the errors of my ways when I run into problems.  However, I
would greatly appreciate it if you would not whip me up the side of the
head with my stupidity.  Instead work with me with the notion that you
are talking with one of the uneducated masses and direct me to the
correct conclusion to my problem without being so dad blamed vague about
what needs to happen.  Many times I flat don't understand what you are
saying when you might say just run xyz.123 and it will work.  How many
steps are involved in running xyz.123.  There may be an awful lot of
steps involved that you already know about but I don't.  If you truly
are interested in helping us bozos who don't already know this stuff why
not talk to us about what we need to do as if we really don't understand
it instead of talking to us as if we should already know about it and
you're flabbergasted because we don't?

Ok, enough ranting.  My apologies for taking up everyone's time.  I
seldom post here because I do not even remotely pretend to know enough
to help anyone.  I felt compelled to post this because I do not think I
am alone when I mention that it really does get old when I post to this
list (and others) only to get a condescending or vague response that I
cannot use to help in my situation.

Please be kind to us spamassassin administrators who want to keep things
functional but have a tub load of other tasks to perform.  Many of us
out here are tasked with many many responsibilities of which managing
spamassassin is only a small part.  That forces us to not spend as much
time as we should learning everything there is to know about
spamassassin because we have a dozen other responsibilities to take care
of.

Ok time to stop now, forgive me for my rant.

Live Long and Prosper,
Steve



Re: refefine/extend a existing rule in 20_ratware.cf possible ??

2007-10-16 Thread Daryl C. W. O'Shea

Paul Griffith wrote:

Hi,

I want to add a patch to 20_ratware.cf so I can extend 
FORGED_MUA_OUTLOOK to handle the new Outlook Message-ID format. Can I 
just redefine the supporting meta rule __FORGED_OE and let SA take care 
of the rest ?


Redefining the rule in your site config (often located in 
/etc/mail/spamassassin) will redefine the rule as you are looking to do.


Daryl



RE: unsubscribed

2007-10-16 Thread Clay Davis
Steve, I hope you didn't misunderstand me... I AGREE with you!
Clay





RE: unsubscribed

2007-10-16 Thread Steve Ingraham

 -Original Message-
 From: Clay Davis [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, October 16, 2007 3:33 PM
 To: users@spamassassin.apache.org
 Subject: RE: unsubscribed
 
 
 Steve, I hope you didn't misunderstand me... I AGREE with you! Clay
 
No!  My apologies for the misunderstanding.  My bad.  I understand what
you are saying.  I just wanted to add my agreement to your statements
and to ask that some posters try to treat all of us asking these
supposedly stupid questions to understand that we really do struggle
with understanding how all of these systems function.

Steve


Re: Question about total effective of spamassassin

2007-10-16 Thread cpayne

Matt Kettler wrote:

Michael Scheidell wrote:
  

3.18 is unsupported.
please update to latest versions.
 
 


Well, it's as supported or unsupported as any other version of
SpamAssassin is. No version of SpamAssassin is supported by the SA
team beyond the advice given on this list. (sure, some third parties
offer supported services, but that's another ball of wax and not
relevant here.)

However, more to the point, it is getting a bit old. sa-update can only
do so much, and at some point, you need updated code to keep abreast of
the current trends in spam. If accuracy is your problem, updating to a
current release should be your first step. Beyond that, look for common
mistakes like ALL_TRUSTED firing off on spam (a sure sign of a broken
trust path, see http://wiki.apache.org/spamassassin/TrustPath)

As for the error messages, it looks like for some reason your stock
ruleset is getting parsed twice. You didn't happen to copy some or all
of the stock ruleset into /etc/mail/spamassassin by mistake, did you?

  

Thanks, guys. The problem is that for SuSE 10.0, 3.1.8 is the max, and the
last time I updated a 10.0 to the latest everything broke. And the major
thing for me is that perl is still at 5.8.7; don't you have to be 5.8.8 or
higher for the latest stuff?

I am looking into the stuff you recommend, and no I haven't updated
another into /etc/mail/spamassassin, but I have found out that
sa-update places the latest greatest updates in /var/lib/spamassassin
and SuSE by default places the test files into /usr/share/spamassassin. I
think that is the problem. So now I have to figure out how to kill one
of them without screwing up things.

Again thanks.

Payne



Re: Question about total effective of spamassassin

2007-10-16 Thread Theo Van Dinter
On Tue, Oct 16, 2007 at 04:52:41PM -0400, cpayne wrote:
 but I have found out that
 sa-update places the latest greatest updates in /var/lib/spamassassin
 and SuSE by default places the test files into /usr/share/spamassassin. I
 think that is the problem. So now I have to figure out how to kill one
 of them without screwing up things.

You don't.  They're different dirs because they're different data. :)

-- 
Randomly Selected Tagline:
A book is like a mirror.  If an ass peers in, you can't exactly expect
 an apostle to peer out.- Unknown




Re: Question about total effective of spamassassin

2007-10-16 Thread Justin Mason

cpayne writes:
 Matt Kettler wrote:
 Thanks, guys. The problem is that for SuSE 10.0, 3.1.8 is the max, and the
 last time I updated a 10.0 to the latest everything broke. And the major
 thing for me is that perl is still at 5.8.7; don't you have to be 5.8.8 or
 higher for the latest stuff?

nope.

--j.


RCVD_IN_DNSWL_LOW

2007-10-16 Thread Dan Mahoney, System Admin

dnswl.org is either full of it, or not well maintained.

I've gotten at least 20 spams which I see are listed in dnswl.org as low 
trust (which still merits -1.0).


Could we maybe please add a feature to spamassassin -r (or some other hook 
to the generic whitelisting code) which reports this to the appropriate 
whitelist owner?


-Dan Mahoney

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



40comcast.net detected as URI

2007-10-16 Thread Jim Hermann - UUN Hostmaster
The UUism Networks MailScanner believes that the attachment to this message 
sent to you
   
From: [EMAIL PROTECTED]
 Subject: 40comcast.net detected as URI

may be Unsolicited Commercial Email (spam). Unless you are sure that this 
message is incorrectly thought to be spam, please delete this message 
without opening it. Opening spam messages might allow the spammer to verify 
your email address.

If you believe that this message has been incorrectly marked as spam, please
forward this email to Jim Hermann at [EMAIL PROTECTED]

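 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
-0.0 SPF_PASS               SPF: sender matches SPF record
-3.4 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: 40comcast.net]

-----------------------------------------------------------------------------
Total Score = -0.401
-----------------------------------------------------------------------------
End of MailScanner report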
---BeginMessage---
Why is my Spamassassin reporting xxx%40comcast.net as URI
40comcast.com?

Thanks.

Jim
-
Jim Hermann [EMAIL PROTECTED]
UUism Networks http://www.UUism.net
Ministering to the Needs of Online UUs
Web Hosting, Email Services, Mailing Lists
-

---End Message---


Re: unsubscribed

2007-10-16 Thread Bob Proulx
Steve Ingraham wrote:
 I just wanted to add my agreement to your statements and to ask that
 some posters try to treat all of us asking these supposedly stupid
 questions to understand that we really do struggle with
 understanding how all of these systems function.

I see a lot of silly questions asked about SpamAssassin and I think
for the most part people are kind and helpful answering them.  I think
most people are excited to see SpamAssassin adopted and used in
interesting ways and are willing to help out.

I think the friction between people starts when discussion turns to
things not-SpamAssassin.  These are often concerning the basic
infrastructure things such as email and mailing lists.  Since email is
a basic structure that enables people to work together on the Internet
there is some expectation that people will use it at least somewhat
effectively.  Think of how disruptive it would be to a university
level calculus lecture if it were frequently interrupted with basic
math questions about 2+2 or with off-topic questions about chemistry.

In this case it is surprising to me that people subscribe successfully
to a mailing list but then can't unsubscribe from it.  Why wouldn't
they simply unsubscribe the same way that they subscribed?  I don't
know.  But we have all seen this happen repeatedly.  It is very
distracting.

I think with all of the off-topic discussions lately the mailing list
would gladly welcome silly SpamAssassin questions!  Please bring them
on! :-)

Bob


Re: Question about total effective of spamassassin

2007-10-16 Thread cpayne

Justin Mason wrote:

cpayne writes:
  

Matt Kettler wrote:
Thanks, guys. The problem is that for SuSE 10.0, 3.1.8 is the max, and the
last time I updated a 10.0 to the latest everything broke. And the major
thing for me is that perl is still at 5.8.7; don't you have to be 5.8.8 or
higher for the latest stuff?



nope.

--j.
  
Cool, I just found a source rpm and I am building 3.2.3.10 so hopefully 
this will help my issue. Thanks guys.


By the way, I noticed no one answered the part about the script.

Payne


Re: test my auto-generated ruleset

2007-10-16 Thread Larry Nedry
On 8/13/07 at 4:01 PM +0100 Justin Mason wrote:
I've been working on a new way to auto-generate body rules recently...

Are these rules restricted to Spamassassin 3.2 or newer?

The following is what I get when I dig 8.1.3.sought.rules.yerp.org.  Notice
the NXDOMAIN.

Thanks for the great work!

Nedry


; <<>> DiG 9.3.1 <<>> 8.1.3.sought.rules.yerp.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46528
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;8.1.3.sought.rules.yerp.org.   IN  A

;; AUTHORITY SECTION:
yerp.org.   3272    IN  SOA ns1.fdntech.com. jm.jmason.org. 2007101601 3600 3600 604800 3600

;; Query time: 2 msec
;; SERVER: 208.109.96.1#53(208.109.96.1)
;; WHEN: Tue Oct 16 22:33:25 2007
;; MSG SIZE  rcvd: 106


Re: Question about total effective of spamassassin

2007-10-16 Thread Matt Kettler
cpayne wrote:
  
 Cool, I just found a source rpm and I am building 3.2.3.10 so hopefully
 this will help my issue. Thanks guys.

 By the way, I noticed no one answered the part about the script.
You mean this one:
--
If questions, anyone know of script that works with postfix logs that
looks at the total message of day, then look as the spamassassin scores
so that I can see where my avg score is?
--

I noticed it, but I'm not a postfix kinda guy.

Are you just using spamd's logging? Or is there some special
postfix-generated logging going on here?

If it's just spamd's logs, then there's lots of analyzers at:

http://wiki.apache.org/spamassassin/StatsAndAnalyzers
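
As an added example (not code from this thread or from the SpamAssassin project), the script below averages the scores found in spamd's syslog lines and counts spam results on which ALL_TRUSTED fired, the broken-trust-path sign mentioned earlier in the thread. The log line wording, the sample lines and the name `summarize` are assumptions made for illustration; adjust the two patterns to what your own log contains.

```python
import re
from statistics import mean

# Constructed sample lines; the spamd syslog wording below is an assumption.
SAMPLE_LOG = """\
Oct 16 09:01:12 mx spamd[2301]: spamd: clean message (1.1/5.0) for nobody:99 in 0.4 seconds, 2041 bytes.
Oct 16 09:01:12 mx spamd[2301]: spamd: result: . 1 - BAYES_50,NO_RECEIVED,TO_CC_NONE scantime=0.4,size=2041
Oct 16 09:07:40 mx spamd[2301]: spamd: identified spam (9.4/5.0) for nobody:99 in 1.9 seconds, 5120 bytes.
Oct 16 09:07:40 mx spamd[2301]: spamd: result: Y 9 - BAYES_99,RCVD_IN_BL_SPAMCOP_NET,URIBL_BLACK scantime=1.9
Oct 16 09:15:03 mx spamd[2302]: spamd: identified spam (5.3/5.0) for nobody:99 in 1.1 seconds, 3300 bytes.
Oct 16 09:15:03 mx spamd[2302]: spamd: result: Y 5 - ALL_TRUSTED,BAYES_99,URIBL_BLACK scantime=1.1,size=3300
Oct 16 09:20:00 mx postfix/smtpd[811]: connect from unknown[192.0.2.7]
"""

# "clean message (score/required)" or "identified spam (score/required)"
VERDICT = re.compile(r"spamd: (clean message|identified spam) \((-?[\d.]+)/(-?[\d.]+)\)")
# "result: Y|. <int score> - RULE1,RULE2,..."
RESULT = re.compile(r"spamd: result: ([Y.]) (-?\d+) - (\S*)")


def summarize(lines):
    """Average spamd scores and count spam on which ALL_TRUSTED fired."""
    ham, spam, trusted_spam = [], [], 0
    for line in lines:
        verdict = VERDICT.search(line)
        if verdict:
            bucket = spam if verdict.group(1) == "identified spam" else ham
            bucket.append(float(verdict.group(2)))
            continue
        result = RESULT.search(line)
        # ALL_TRUSTED on a message scored as spam suggests a broken trust path.
        if result and result.group(1) == "Y" and "ALL_TRUSTED" in result.group(3).split(","):
            trusted_spam += 1
    scores = ham + spam
    avg = lambda xs: round(mean(xs), 2) if xs else None
    return {"messages": len(scores), "avg_score": avg(scores), "avg_ham": avg(ham),
            "avg_spam": avg(spam), "all_trusted_on_spam": trusted_spam}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

To cover a single day, feed it only that day's lines, for example the output of a grep on the date prefix.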




Re: DNSWL question

2007-10-16 Thread Matt Kettler
Justin Mason wrote:
 Mark Wendt (Contractor) writes:
   
 I've started seeing some spam come through that gets labeled with 
 "RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/", 
 which imparts a negative score if the relay is listed in their 
 db.  Here at the Lab, we have an email gateway at the front, which is 
 the single point of entry for email to the Lab, and then forwards the 
 emails to the respective servers.  Can't get around that issue, it's 
 mandated by the Lab.
 

 You may also find trusted_networks and internal_networks to
 be helpful; specify the gateway's IP in those lists.
   
Agreed. I would *STRONGLY* suggest fixing the problem, rather than
trying to treat the symptoms by disabling rules.

Right now SA appears to be confused about where your network borders
are. Fix that, and it will fix a lot of other problems (ie:
whitelist_from_rcvd won't work for you correctly)

See also:
http://wiki.apache.org/spamassassin/TrustPath



Re: way to change the header

2007-10-16 Thread Matt Kettler
cpayne wrote:
 Is there a way I can take this

 X-Spam-Status: No, score=(1.1), required=1.5,
 tests=BAYES_50,Magi_Body_Chuck,
 NO_RECEIVED,TO_CC_NONE, autolearn=no, bayes score = 0.5000,
 version=3.1.8
 date scan = Mon, 15 Oct 2007 15:38:39 -0400

Have you already customized your add_headers? If so, can you post what
you're using?

If not, the first example isn't a normal default for SA 3.1.8. Check
around for add_headers commands in your config files.

 and make it look like this...

 X-Spam-Status: No, score=(1.1),required=1.5,  
 tests=BAYES_50,
   Magi_Body_Chuck,
NO_RECEIVED,TO_CC_NONE,
   autolearn=no,bayes score = 0.5000,
   version=3.1.8
date scan = Mon, 15 Oct 2007 15:38:39 -0400

I don't know if that format is legal in an email message
header...There's very particular rules about using whitespace to ensure
that the header block can be parsed reliably...

However, the place to do it would be to tweak your add_headers commands.
(note: do this by COPYING that block of
/usr/share/spamassassin/10_default_prefs.cf into your
/etc/mail/spamassassin/local.cf and edit. Not copying to local.cf could
cause your changes to be obliterated by sa-update or upgrading SA itself)
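
The whitespace question raised above can be checked with a header parser. This added example (not from the thread or from SpamAssassin) uses Python's standard `email` package on two constructed messages: one whose X-Spam-Status continuation lines all start with whitespace, and one where a continuation line starts in column 0. The header values and the name `inspect` are assumptions for illustration.

```python
import re
from email import message_from_string
from email.errors import MissingHeaderBodySeparatorDefect

# Constructed message: every continuation line starts with whitespace,
# which is how RFC 2822 folds a long header across lines.
FOLDED = (
    "X-Spam-Status: No, score=1.1 required=1.5\n"
    "\ttests=BAYES_50,Magi_Body_Chuck,\n"
    "\tNO_RECEIVED,TO_CC_NONE\n"
    "\tautolearn=no version=3.1.8\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Same message, but one continuation line starts in column 0.
UNINDENTED = FOLDED.replace("\tNO_RECEIVED", "NO_RECEIVED")


def inspect(raw):
    """Parse a raw message and report what survived as header and as body."""
    msg = message_from_string(raw)
    status = msg["X-Spam-Status"] or ""
    return {
        # Unfold: a line break followed by whitespace collapses to one space.
        "status": re.sub(r"\r?\n[ \t]+", " ", status),
        "subject": msg["Subject"],
        "header_block_broken": any(
            isinstance(d, MissingHeaderBodySeparatorDefect) for d in msg.defects
        ),
        "body": msg.get_payload(),
    }


if __name__ == "__main__":
    for name, raw in (("folded", FOLDED), ("unindented", UNINDENTED)):
        print(name, inspect(raw))
```

With this parser, the unindented line ends the header block early, so the rest of X-Spam-Status and the Subject header land in the body.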