Re: the opposit of "ok_locales" ??

2007-12-06 Thread Dave Pooser
> The jidanni theme: open up life to a rainbow of possibilities.

Y'know, at the risk of being rude, does the rainbow of possibilities include
the possibility of READING the expletive-deleted CONF FILE? Just asking.

> But the basic user is not in the business of understanding things.

Then he shouldn't be tweaking SpamAssassin conf files, or most other server
settings. The world has enough Mouse Clicking System Engineers.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna




Re: whitelist

2007-12-06 Thread Daryl C. W. O'Shea

Matt Kettler wrote:
> Matt Kettler wrote:
>> Jack Gostl wrote:
>>> I have an odd problem. I have a user receiving spam from something like
>>> [EMAIL PROTECTED] Since he does business with verybigcompany.com,
>>> he had them in his white list, and as expected, the spam slipped through.
>>>
>>> Based on the advice I got in this newsgroup, I changed him from a
>>> straight:
>>>
>>>  whitelist_from [EMAIL PROTECTED]
>>>
>>> to
>>>
>>>    whitelist_from_rcvd [EMAIL PROTECTED] verybigcompany.com
>>>
>>> I think I did that right. So now the odd thing is that spam from
>>> verybigcompany.com is coming through on my PERSONAL account even
>>> though it's
>>> not in my whitelist. The headers show that this is a "user in whitelist"
>>> situation. It may be happening to others, I haven't checked, but it's weird
>>> enough that it's happening to me.
>>>
>>> Now if I haven't confused everyone, I'm open to ideas.
>>
>> Have you checked *all* the "from like" headers to see if any of them
>> match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)
>>
>> Have you tried running the same message through spamassassin -D to see
>> which exact address SA matched against?
>
> One other thing to check.. if you use spamd you're probably subject to
> this bug:
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179


No, it's not that bug.  That bug is about user rules getting compiled 
into methods at runtime and then not disposed of when the username gets 
changed.


The whitelist (and blacklist) config structures are copied in and out of 
existence by copy_config fine AFAIK.


Jack -- are you using spamd?  Are usernames being passed along somehow 
(via spamc -u, some other client?)?  How are user preferences stored?


Daryl





Re: whitelist

2007-12-06 Thread Matt Kettler
Jack Gostl wrote:
>
> - Original Message - From: "Matt Kettler"
> <[EMAIL PROTECTED]>
> To: "Jack Gostl" <[EMAIL PROTECTED]>
> Cc: "spam" 
> Sent: Thursday, December 06, 2007 8:19 PM
> Subject: Re: whitelist
>
>
>> Matt Kettler wrote:
>>> Jack Gostl wrote:
>>>
>>>> I have an odd problem. I have a user receiving spam from something
>>>> like
>>>> [EMAIL PROTECTED] Since he does business with
>>>> verybigcompany.com,
>>>> he had them in his white list, and as expected, the spam slipped
>>>> through.
>>>>
>>>> Based on the advice I got in this newsgroup, I changed him from a
>>>> straight:
>>>>
>>>>  whitelist_from [EMAIL PROTECTED]
>>>>
>>>> to
>>>>
>>>>    whitelist_from_rcvd [EMAIL PROTECTED] verybigcompany.com
>>>>
>>>> I think I did that right. So now the odd thing is that spam from
>>>> verybigcompany.com is coming through on my PERSONAL account even
>>>> though it's
>>>> not in my whitelist. The headers show that this is a "user in
>>>> whitelist"
>>>> situation. It may be happening to others, I haven't checked, but
>>>> it's weird
>>>> enough that it's happening to me.
>>>>
>>>> Now if I haven't confused everyone, I'm open to ideas.

>>> Have you checked *all* the "from like" headers to see if any of them
>>> match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)
>>>
>>> Have you tried running the same message through spamassassin -D to see
>>> which exact address SA matched against?
>>>
>>>
>>>
>>
>> One other thing to check.. if you use spamd you're probably subject to
>> this bug:
>>
>> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179
>
> This looks close enough to worry. I'm not used to reading those
> bugzilla reports. Is there a fix? Would I have to upgrade to the
> current release?
>
>
>
No, there's no published fix yet, but there's a patch targeted to go
into the next 3.2.x release if it gets enough votes from the PMC.


Re: the opposit of "ok_locales" ??

2007-12-06 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
> MK> I'll be happy to change my assumptions, but can you name any good reason
> MK> why they would want to do so?
>
> The Matt theme: restrict oneself from getting mail from any but a few
> safe people, languages, or whatever. Life goes on in its familiar grey
> days. But alas, the software knows best.
>   
Erm.. No. The Matt theme is to only add options if they have a use. I
have yet to see a sensible argument for this..

> The jidanni theme: open up life to a rainbow of possibilities. New
> styles, new friends, new colors. Don't let the minor fact that we
> filter out a tiny part of the spectrum cause us to miss out on new
> contacts from who knows where.
>   
At that point, set ok_locales to all because you might miss out on new
contacts from that tiny spectrum too.

Also, how will you benefit from contact with this broader spectrum if
they're emailing you in a character set you can't read?

Now really. Can you make a serious argument why this configuration
option would be useful. I'm being serious here. I honestly don't see a
valid need for the option.

And those who really want this effect can just list every locale except
the one they dislike, if that's really what they want.

> Anyway, currently it's not even like one could just use "--" to obtain
> "+". And even if it was, our basic user is still looking for his
> blacklist_locales.
>   
Is he really? Or does he think ok_locales = whitelist_locales?





Re: whitelist

2007-12-06 Thread Jack Gostl


- Original Message - 
From: "Matt Kettler" <[EMAIL PROTECTED]>

To: "Jack Gostl" <[EMAIL PROTECTED]>
Cc: "spam" 
Sent: Thursday, December 06, 2007 8:19 PM
Subject: Re: whitelist



> Matt Kettler wrote:
>> Jack Gostl wrote:
>>> I have an odd problem. I have a user receiving spam from something like
>>> [EMAIL PROTECTED] Since he does business with verybigcompany.com,
>>> he had them in his white list, and as expected, the spam slipped through.
>>>
>>> Based on the advice I got in this newsgroup, I changed him from a
>>> straight:
>>>
>>>  whitelist_from [EMAIL PROTECTED]
>>>
>>> to
>>>
>>>    whitelist_from_rcvd [EMAIL PROTECTED] verybigcompany.com
>>>
>>> I think I did that right. So now the odd thing is that spam from
>>> verybigcompany.com is coming through on my PERSONAL account even
>>> though it's
>>> not in my whitelist. The headers show that this is a "user in whitelist"
>>> situation. It may be happening to others, I haven't checked, but it's weird
>>> enough that it's happening to me.
>>>
>>> Now if I haven't confused everyone, I'm open to ideas.
>>
>> Have you checked *all* the "from like" headers to see if any of them
>> match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)
>>
>> Have you tried running the same message through spamassassin -D to see
>> which exact address SA matched against?
>
> One other thing to check.. if you use spamd you're probably subject to
> this bug:
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179


This looks close enough to worry. I'm not used to reading those bugzilla 
reports. Is there a fix? Would I have to upgrade to the current release?





Re: the opposit of "ok_locales" ??

2007-12-06 Thread jidanni
MK> I'll be happy to change my assumptions, but can you name any good reason
MK> why they would want to do so?

The Matt theme: restrict oneself from getting mail from any but a few
safe people, languages, or whatever. Life goes on in its familiar grey
days. But alas, the software knows best.

The jidanni theme: open up life to a rainbow of possibilities. New
styles, new friends, new colors. Don't let the minor fact that we
filter out a tiny part of the spectrum cause us to miss out on new
contacts from who knows where.

Anyway, currently it's not even like one could just use "--" to obtain
"+". And even if it was, our basic user is still looking for his
blacklist_locales.


Re: the opposit of "ok_locales" ??

2007-12-06 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
>
> MK> Let's say you speak English and Chinese, and hate Russian because you
> MK> get lots of spam in that text format and don't speak it.
>
> That's me, English and Chinese, and hate Russian.
>
> MK> In this situation, why would you want "not_ok_localles ru" instead of
> MK> "ok_locales en zh"? Is there a reason you'd want to allow character sets
> MK> like Thai, Korean, etc, even though you don't understand them any better
> MK> than Russian?  No.
>
> You make assumptions about peoples lifestyles.
>
> And what if they did?
>   
I'll be happy to change my assumptions, but can you name any good reason
why they would want to do so?




Re: the opposit of "ok_locales" ??

2007-12-06 Thread jidanni
The basic user understands whitelist_from and blacklist_from. But when
he encounters the locales, he wonders why cannot there be
whitelist_locales and blacklist_locales. He does not want to learn the
superior logic of why his wish is not smart. He just wants to find the
commands for whitelist_locales and blacklist_locales, and can only
find half.

MK> The answer is to read the Conf manpage and understand it. It
MK> doesn't mention it in the exact wording you want, but there is an
MK> answer and ok_locales is exactly the answer you want.

But the basic user is not in the business of understanding things. He
is just looking for the pair whitelist_locales and blacklist_locales,
or whatever devious name they are called, and can only find half of
the pair.

Perhaps deep down some macro could be made so the user can finally
find such a pair, without having to understand anything.

MK> Quite frankly, a "not_ok_locales" option doesn't make any useful sense
MK> anyway. If you want to restrict the locales, restrict it to the ones you
MK> speak. Don't bother singling out just ones you dislike...

...just because the software can't do it yet.

MK> Let's say you speak English and Chinese, and hate Russian because you
MK> get lots of spam in that text format and don't speak it.

That's me, English and Chinese, and hate Russian.

MK> In this situation, why would you want "not_ok_localles ru" instead of
MK> "ok_locales en zh"? Is there a reason you'd want to allow character sets
MK> like Thai, Korean, etc, even though you don't understand them any better
MK> than Russian?  No.

You make assumptions about peoples lifestyles.

And what if they did?


Re: whitelist

2007-12-06 Thread Matt Kettler
Matt Kettler wrote:
> Jack Gostl wrote:
>   
>> I have an odd problem. I have a user receiving spam from something like
>> [EMAIL PROTECTED] Since he does business with verybigcompany.com,
>> he had them in his white list, and as expected, the spam slipped through.
>>
>> Based on the advice I got in this newsgroup, I changed him from a
>> straight:
>>
>>  whitelist_from [EMAIL PROTECTED]
>>
>> to
>>
>>    whitelist_from_rcvd [EMAIL PROTECTED] verybigcompany.com
>>
>> I think I did that right. So now the odd thing is that spam from
>> verybigcompany.com is coming through on my PERSONAL account even
>> though it's
>> not in my whitelist. The headers show that this is a "user in whitelist"
>> situation. It may be happening to others, I haven't checked, but it's weird
>> enough that it's happening to me.
>>
>> Now if I haven't confused everyone, I'm open to ideas.
>> 
> Have you checked *all* the "from like" headers to see if any of them
> match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)
>
> Have you tried running the same message through spamassassin -D to see
> which exact address SA matched against?
>
>
>   

One other thing to check.. if you use spamd you're probably subject to
this bug:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179




Re: the opposit of "ok_locales" ??

2007-12-06 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
> Anyway, Mail::SpamAssassin::Conf should admit that it doesn't mention
> "What if I hate a specific language, people, culture. Is there e.g., a
> not_ok_locales?"
>
> Don't put the answer here, put it on Mail::SpamAssassin::Conf, even if
> the answer is that there is no answer. Thank you.
>   
Well, at the risk of sounding more rude than I intend, the answer is to
read the Conf manpage and understand it. It doesn't mention it in the
exact wording you want, but there is an answer and ok_locales is exactly
the answer you want.

Quite frankly, a "not_ok_locales" option doesn't make any useful sense
anyway. If you want to restrict the locales, restrict it to the ones you
speak. Don't bother singling out just ones you dislike.

Let's say you speak English and Chinese, and hate Russian because you
get lots of spam in that text format and don't speak it.

In this situation, why would you want "not_ok_localles ru" instead of
"ok_locales en zh"? Is there a reason you'd want to allow character sets
like Thai, Korean, etc, even though you don't understand them any better
than Russian?  No.












Re: whitelist

2007-12-06 Thread Matt Kettler
Jack Gostl wrote:
> I have an odd problem. I have a user receiving spam from something like
> [EMAIL PROTECTED] Since he does business with verybigcompany.com,
> he had them in his white list, and as expected, the spam slipped through.
>
> Based on the advice I got in this newsgroup, I changed him from a
> straight:
>
>  whitelist_from [EMAIL PROTECTED]
>
> to
>
>    whitelist_from_rcvd [EMAIL PROTECTED] verybigcompany.com
>
> I think I did that right. So now the odd thing is that spam from
> verybigcompany.com is coming through on my PERSONAL account even
> though it's
> not in my whitelist. The headers show that this is a "user in whitelist"
> situation. It may be happening to others, I haven't checked, but it's weird
> enough that it's happening to me.
>
> Now if I haven't confused everyone, I'm open to ideas.
Have you checked *all* the "from like" headers to see if any of them
match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)

Have you tried running the same message through spamassassin -D to see
which exact address SA matched against?


>
>
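The header check suggested in the reply above, as an added example that is not part of the original post or of SpamAssassin: it collects every address found in the from-like headers of a message and reports which whitelist glob each one matches. The header list, the sample message, the `verybigcompany.example` address and the function names are assumptions made for this example; `spamassassin -D` remains the way to see what SA itself matched.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed set of "from like" headers for this example; it includes the ones
# named in the thread (return-path, envelope-sender) but is not claimed to be
# SpamAssassin's exact list.
FROM_LIKE_HEADERS = ["From", "Sender", "Return-Path", "Envelope-Sender",
                     "X-Envelope-From", "Resent-From", "Resent-Sender"]

# Constructed sample message: the visible From: and the envelope/bulk-sender
# addresses belong to different domains.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-4471@mailer.example.net>
From: "Very Big Company" <offers@verybigcompany.example>
Sender: campaigns@mailer.example.net
To: jack@example.org
Subject: constructed test message

Constructed body.
"""


def glob_to_regex(pattern):
    """Translate a whitelist glob (only * and ? are special) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def from_like_addresses(raw_message):
    """Return (header, address) pairs for every from-like header present."""
    msg = message_from_string(raw_message)
    found = []
    for header in FROM_LIKE_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.append((header, addr.lower()))
    return found


def whitelist_hits(raw_message, patterns):
    """Return (header, address, pattern) for each address a pattern matches."""
    compiled = [(p, glob_to_regex(p)) for p in patterns]
    return [(header, addr, pattern)
            for header, addr in from_like_addresses(raw_message)
            for pattern, rx in compiled
            if rx.fullmatch(addr)]


if __name__ == "__main__":
    # A whitelist entry for the bulk mailer matches even though the visible
    # From: address is in a different domain.
    for header, addr, pattern in whitelist_hits(
            SAMPLE_MESSAGE, ["*@mailer.example.net"]):
        print(f"{header}: {addr} matches whitelist entry {pattern}")
```

Because any one of these headers can satisfy an entry, a message can show a whitelist hit although the address the user sees in From: is not listed.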



Re: Turning off rules

2007-12-06 Thread Daryl C. W. O'Shea

John Rudd wrote:
> Theo Van Dinter wrote:
>> On Thu, Dec 06, 2007 at 09:30:34AM +, Justin Mason wrote:
>>> if that doesn't work, it's a bug; please report it at the Bugzilla.
>>
>> ... assuming that the local.cf file is actually being read and doesn't have an
>> error causing the parsing of the file to fail.   :)
>
> That wouldn't cause the score to actually be 0 though.  The score is 
> correctly being set to 0, but the rule is still showing up in the list 
> of triggered rules.


What version of SA are you using?  There was a bug, apparently fixed in 
3.2.3, that had eval rules being executed regardless of their score.


http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5519

Daryl



Re: the opposit of "ok_locales" ??

2007-12-06 Thread jidanni
Anyway, Mail::SpamAssassin::Conf should admit that it doesn't mention
"What if I hate a specific language, people, culture. Is there e.g., a
not_ok_locales?"

Don't put the answer here, put it on Mail::SpamAssassin::Conf, even if
the answer is that there is no answer. Thank you.


Re: Antwort: Re: sa-update error

2007-12-06 Thread Philipp Snizek


try this:

perl -MCPAN -e 'notest force install Archive::Tar'

no warranty that this will not cause any problems with Archive::Tar at
some point later. I remember your spamassassin --lint -D saying that it
found Archive::Tar, so I guess there is an install of this module on your
box. However this command should install Archive::Tar on your box by
force.

Nevertheless I think the better way is finding out why it fails to install
and resolve that.





> It won't install:
>
> Test Summary Report
> ---
> t/02_methods.t(Wstat: 65280 Tests: 252 Failed: 65)
>   Failed test number(s):  18-25, 71-72, 74-75, 77-80, 82-83, 92-97
> 105, 110-117, 123-125, 151-154, 162, 167-168
> 186-189, 195-197, 214-217, 225, 230-231
> 240-243, 249-252
>   Non-zero exit status: 255
> t/04_resolved_issues.t (Wstat: 65280 Tests: 7 Failed: 2)
>   Failed test number(s):  6-7
>   Non-zero exit status: 255
> Files=5, Tests=482,  1 wallclock secs ( 0.07 usr  0.00 sys +  0.54 cusr
> 0.05 csys =  0.66 CPU)
> Result: FAIL
> Failed 2/5 test programs. 67/482 subtests failed.
> make: *** [test_dynamic] Fehler 11
>   /usr/bin/make test -- NOT OK
> Running make install
>   make test had returned bad status, won't install without force
>
>
>
>
>
> "Philipp Snizek" <[EMAIL PROTECTED]>
> 06.12.2007 14:07
>
> To
> [EMAIL PROTECTED]
> Cc
> users@spamassassin.apache.org
> Subject
> Re: sa-update error
>
>
>
>
>
>
>> Hi
>>
>> can anyone help me with this?
>> I think its the archive::tar which makes problems,
>> so i installed a newer version, but the error remains...
>>
>> [23086] dbg: channel: populating temp content file
>> [23086] dbg: channel: file verification passed, testing update
>> [23086] dbg: channel: extracting archive
>> No data could be read from file at /usr/bin/sa-update line 961
>> fatal: couldn't create Archive::Tar object!
>
> what does
>
> perl -MCPAN -e 'install Archive::Tar'
>
> say?
>
> - Philipp
>
>
>
>
>




Re: zip spams

2007-12-06 Thread Theo Van Dinter
On Sat, Dec 01, 2007 at 10:30:11PM +0800, [EMAIL PROTECTED] wrote:
> Many spam messages with a .zip attachment in them.
> How do you stop it in SA rules?

Block mails w/ zip attachments at your MTA.

Otherwise you could write a mimeheader rule to look for those filenames.




Re: Turning off rules

2007-12-06 Thread Theo Van Dinter
On Thu, Dec 06, 2007 at 09:12:44AM -0800, John Rudd wrote:
> That wouldn't cause the score to actually be 0 though.  The score is 
> correctly being set to 0, but the rule is still showing up in the list 
> of triggered rules.

Are you sure it's 0 and not 0.001 or something else small and non-zero?

-- 
Randomly Selected Tagline:
Stewie: Ah!  Damn it!  I want pancakes.  God!  You people understand
 every language except English.  Yo quiero pancakes.  Dali mua pancakes.
 Clik clik bloody clik pancakes!
 - Family Guy, "Love Thy Trophy"




Re: Mismatched URLs revisited

2007-12-06 Thread Theo Van Dinter
On Thu, Dec 06, 2007 at 11:52:30AM -0500, Rosenbaum, Larry M. wrote:
> Some time ago (and more than once) there have been discussions on this list 
> about email containing hyperlinks where the link text is a URL that doesn't 
> match the URL in the link HREF, and the pros and cons of testing for and 
> scoring these mismatched links.  My management has raised this issue.  My 
> memory is hazy on what the final opinions were - it seems like this was 
> initially discouraged, but later discussions may have been less discouraging. 
>  Could somebody point me to the threads where this is discussed?  Also, does 
> SpamAssassin currently contain any rules for this kind of testing, or are 
> there third-party rules that do this?

http://wiki.apache.org/spamassassin/AntiPhishFakeUrlRule

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4255#c24 has a good
amount of info.

It all resulted in a single rule:

  0.021   0.0247   0.0017   0.935   0.53   0.00  HTTPS_IP_MISMATCH

which obviously isn't very helpful and still has false positives.

-- 
Randomly Selected Tagline:
"I protect home plate like a mormon girl on prom night."
 - Mimi on the Drew Carey show




Re: Turning off rules

2007-12-06 Thread Theo Van Dinter
On Thu, Dec 06, 2007 at 07:56:30PM +0100, Jonas Eckerman wrote:
> What happens when a zero score rule (not named __.*) is used in a 
> meta rule?

There's no difference between those two things.

-- 
Randomly Selected Tagline:
Accident, n.:
A condition in which presence of mind is good, but absence of
body is better.
-- Foolish Dictionary




great opportunity to help stop spam

2007-12-06 Thread antispam

FYI-Cloudmark the anti-spam solutions provider that protects over 300 million
mail boxes worldwide has a position open for a Sales Engineer that will be
focused on supporting Apache customers running the Cloudmark Authority
plugin for SpamAssassin. This is a great opportunity to help rid the world
of annoying spam and spam borne viruses.  Please feel free to contact me at
[EMAIL PROTECTED]
-- 
View this message in context: 
http://www.nabble.com/great-opportunity-to-help-stop-spam-tf4958322.html#a14200134
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Mismatched URLs revisited

2007-12-06 Thread Joseph Brennan


The URL mismatch that seemed like a sure thing to us was showing the
reader "https" but really linking to "http"!

Believe it or not major financial institutions send mail with these
fraudulent (I would say) links.  Very sad.

OK, well, then say as long as the https and http links go to the
same *domain* maybe it's just an ill-advised redirect.  Surely if
they go to totally different domains something must be wrong.

No.  We log them.  Here are some samples from yesterday, below.
"..." for long identifier strings.

I handpicked these for variety.  There are actually many phishing
messages especially for paypal.com and some banks.

Says https://email.citicards.com
Links to http://info.citibank.com/...  #real bank

Says https://web.da-us.citibank.com/...
Links to http://www.makrasrealestate.com/...  #phishing

Says https://newsletters.1105pubs.com/...
Links to http://www.1105newsletters.com/...  #legit?

Says https://www.gotomeeting.com/...
Links to http://www.itmpi-journal.com/...  #legit?

Says https://www.hsbcdirect.com/...
Links to http://ebusiness.hsbcusa.com/...  #real bank

Says https://online.lloydstsb.co.uk/...
Links to http://dundonaldbluebell.com/...  #phishing

Says https://www.paypal.com/...
Links to http://0x94f57182/www.paypal.com/...  #phishing!

Says https://www.wellsfargo.com/...
Links to http://teplomer.spb.ru/...  #phishing

Says https://www.downeysavings.com/...
Links to http://smtp.faith-sol-tech.com/...  #phishing

Says https://www.regonline.com/...
Links to http://www.maildogmanager.com/...  #legit?

Says https://www.moviemaker.com/...
Links to http://rs6.net/...  #legit



Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
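The "Says / Links to" comparison logged in the post above, as an added example that is not part of the original post or of any SpamAssassin or MailScanner code: it extracts each link whose visible text is itself a URL and labels how the text and the HREF differ. The sample HTML, the finding names and the simplified base-domain rule (last two labels, or three under a short list of second-level names) are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (not taken from the post); hosts are reserved
# example names and 0xc0000201 is the hex form of 192.0.2.1 (TEST-NET-1).
SAMPLE_HTML = """
<p><a href="http://info.example.com/offer">https://email.example.com</a></p>
<p><a href="http://mailer.example.net/r/123">https://www.example.org/news</a></p>
<p><a href="http://0xc0000201/www.example.com/login">https://www.example.com/login</a></p>
<p><a href="https://www.example.com/help">https://www.example.com/help</a></p>
<p><a href="http://track.example.net/c/9">Click here</a></p>
"""

# Hosts written as a hex, decimal or dotted number instead of a name.
NUMERIC_HOST = re.compile(r"0x[0-9a-f]+|\d+(?:\.\d+){0,3}", re.IGNORECASE)
# Assumed shortcut instead of a full public-suffix list.
SECOND_LEVEL = {"ac", "co", "com", "gov", "net", "org"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Approximate the registered domain of a host name."""
    if NUMERIC_HOST.fullmatch(host):
        return host
    labels = host.split(".")
    country_style = (len(labels) >= 3 and len(labels[-1]) == 2
                     and labels[-2] in SECOND_LEVEL)
    return ".".join(labels[-3:] if country_style else labels[-2:])


def check_link(href, text):
    """Return a list of findings, or None when the text is not a URL."""
    if not re.match(r"https?://", text, re.IGNORECASE):
        return None  # nothing displayed to compare against
    shown, target = urlsplit(text.split()[0]), urlsplit(href)
    shown_host, target_host = shown.hostname or "", target.hostname or ""
    if not shown_host or not target_host:
        return None
    findings = []
    if shown.scheme == "https" and target.scheme == "http":
        findings.append("scheme-downgrade")
    if NUMERIC_HOST.fullmatch(target_host):
        findings.append("numeric-host")
    if base_domain(shown_host) != base_domain(target_host):
        findings.append("different-domain")
    elif shown_host != target_host:
        findings.append("different-host")
    return findings


def scan_html(html):
    """Return (text, href, findings) for every link that displays a URL."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    results = []
    for href, text in parser.links:
        findings = check_link(href, text)
        if findings is not None:
            results.append((text, href, findings))
    return results


if __name__ == "__main__":
    for text, href, findings in scan_html(SAMPLE_HTML):
        print(f"Says     {text}")
        print(f"Links to {href}   # {', '.join(findings) or 'match'}\n")
```

The findings only describe the mismatch; as the logged samples in the post show, a different domain by itself does not separate phishing from legitimate redirects.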
















Re: Turning off rules

2007-12-06 Thread Jonas Eckerman

John Rudd wrote:
> The score is 
> correctly being set to 0, but the rule is still showing up in the list 
> of triggered rules.


What happens when a zero score rule (not named __.*) is used in a 
meta rule?


Regards
/Jonas

--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: Mondo bayes_toks - millions of entries

2007-12-06 Thread John D. Hardin
On Thu, 6 Dec 2007, Wes wrote:

> We're going to switch to all-manual learning and hopefully
> convince enough users to send in spam and false positives to train
> it well.  Sufficient participation is a big question, but appears
> to be the only viable option at this point.

That could be automated somewhat. Hook into your delivery process for
selected users and bcc messages that fall outside your desired
thresholds to spam and ham boxes, then train from the boxes in bulk at
night and clear them. Sort of a middle ground between regular
autolearn and totally manual training. Batched autolearn?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Perfect Security is unattainable; beware those who would try to sell
  it to you, regardless of the cost, for they are trying to sell you
  your own slavery.
---
 9 days until Bill of Rights day



Re: Mondo bayes_toks - millions of entries

2007-12-06 Thread Wes
On 12/3/07 11:14 AM, "Justin Mason" <[EMAIL PROTECTED]> wrote:

> Have you considered turning off autolearn to reduce the number of writes?

That is where I am at now.  Whether with a database or DBM, I have scaling
and concurrency problems.  I am also having problems with expire failing in
both - deadlock detected for the DB, or failure to acquire lock in DBM.  It
doesn't appear auto-learn is really buying us anything anyway, especially
considering the short token retention period necessary without adding very
serious disk hardware.

We're going to switch to all-manual learning and hopefully convince enough
users to send in spam and false positives to train it well.  Sufficient
participation is a big question, but appears to be the only viable option at
this point.

Wes




Re: Mismatched URLs revisited

2007-12-06 Thread Richard Frovarp

Randal, Phil wrote:
> Unfortunately, people who should know better (e.g. McAfee) do this all 
> the time.
>
> There'd have to be a huge whitelist of safe URLs to make this workable.
>
> We use MailScanner, which has this sort of phishing detection built 
> in, flagging suspicious links.
>
> Cheers,
>
> Phil


Note as Phil said, MailScanner doesn't determine if a message is spam or 
not using the Phishing Detection. It merely modifies that part of the 
message inserting a warning that something odd is going on, but adds 
nothing to the score. It has a whitelist of over 800 exceptions to this 
rule. This is to try to reduce the number of rewrites for legit URLs.


A few examples in the whitelist are: americanexpress.com, apple.com, 
bell.ca, capitalone.com, mcafee.com


Re: Mismatched URLs revisited

2007-12-06 Thread John D. Hardin
On Thu, 6 Dec 2007, DAve wrote:

> I would think if you scored based on mismatched URLs you would tag
> the same messages incorrectly.

You could mitigate that by using it in a meta along with rules that
hit on phishing-like text, and leave the score for a single mismatched
URL low, like 0.1 or so.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 9 days until Bill of Rights day



RE: Mismatched URLs revisited

2007-12-06 Thread Randal, Phil
Unfortunately, people who should know better (e.g. McAfee) do this all
the time.
 
There'd have to be a huge whitelist of safe URLs to make this workable.
 
We use MailScanner, which has this sort of phishing detection built in,
flagging suspicious links.
 
Cheers,
 
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 
 




From: Rosenbaum, Larry M. [mailto:[EMAIL PROTECTED] 
Sent: 06 December 2007 16:53
To: users@spamassassin.apache.org
Subject: Mismatched URLs revisited



Some time ago (and more than once) there have been discussions
on this list about email containing hyperlinks where the link text is a
URL that doesn't match the URL in the link HREF, and the pros and cons
of testing for and scoring these mismatched links.  My management has
raised this issue.  My memory is hazy on what the final opinions were -
it seems like this was initially discouraged, but later discussions may
have been less discouraging.  Could somebody point me to the threads
where this is discussed?  Also, does SpamAssassin currently contain any
rules for this kind of testing, or are there third-party rules that do
this?

 

Thanks, Larry



Re: Mismatched URLs revisited

2007-12-06 Thread DAve
Rosenbaum, Larry M. wrote:
> Some time ago (and more than once) there have been discussions on this
> list about email containing hyperlinks where the link text is a URL that
> doesn’t match the URL in the link HREF, and the pros and cons of testing
> for and scoring these mismatched links.  My management has raised this
> issue.  My memory is hazy on what the final opinions were – it seems
> like this was initially discouraged, but later discussions may have been
> less discouraging.  Could somebody point me to the threads where this is
> discussed?  Also, does SpamAssassin currently contain any rules for this
> kind of testing, or are there third-party rules that do this?
> 

MailScanner does that under the concept of "Phishing Detection". We used
it very successfully for several months to catch phishing attempts.
Unfortunately we had to turn it off because it also catches multitudes
of legit (so I am told) opt in mailings. Several large mass mailing
providers (their names escape me now) use redirects in every URL.
Rewriting them made the beautifully designed html messages less
beautiful and clients objected.

I would think if you scored based on mismatched URLs you would tag the
same messages incorrectly.

Just my experience.

DAve


-- 
I've been asking Google for a Veteran's Day logo since 2000,
maybe 1999. I was told they finally did a Veteran's Day logo,
but none of the links I was given return anything but a
normal Google logo.

Sad, very sad. Maybe the Chinese Government didn't like it?



Mismatched URLs revisited

2007-12-06 Thread Rosenbaum, Larry M.
Some time ago (and more than once) there have been discussions on this list 
about email containing hyperlinks where the link text is a URL that doesn't 
match the URL in the link HREF, and the pros and cons of testing for and 
scoring these mismatched links.  My management has raised this issue.  My 
memory is hazy on what the final opinions were - it seems like this was 
initially discouraged, but later discussions may have been less discouraging.  
Could somebody point me to the threads where this is discussed?  Also, does 
SpamAssassin currently contain any rules for this kind of testing, or are there 
third-party rules that do this?

Thanks, Larry


Re: Turning off rules

2007-12-06 Thread John Rudd

Theo Van Dinter wrote:
> On Thu, Dec 06, 2007 at 09:30:34AM +, Justin Mason wrote:
>> if that doesn't work, it's a bug; please report it at the Bugzilla.
>
> ... assuming that the local.cf file is actually being read and doesn't have an
> error causing the parsing of the file to fail.   :)



That wouldn't cause the score to actually be 0 though.  The score is 
correctly being set to 0, but the rule is still showing up in the list 
of triggered rules.




Re: Turning off rules

2007-12-06 Thread Theo Van Dinter
On Thu, Dec 06, 2007 at 09:30:34AM +, Justin Mason wrote:
> if that doesn't work, it's a bug; please report it at the Bugzilla.

... assuming that the local.cf file is actually being read and doesn't have an
error causing the parsing of the file to fail.   :)

-- 
Randomly Selected Tagline:
"Now let's say I like sheep...  And now let's say I take the sheep to a 
 Christmas party..."   - Bob Golub




Re: SpamAssassin and LaTeX

2007-12-06 Thread Paul Griffith

On Wed, 05 Dec 2007 21:33:49 -0500, Olivier Nicole <[EMAIL PROTECTED]> wrote:

> Hi
>
>> I guess I could write rules that verify a valid .tex and .bib document and
>> then assign a minus score,
>
> Except trying to run the document through LaTeX, I cannot see how you
> can really verify the validity.

Let me rephrase that, I could write some rules that look for common
markups that I expect to find in LaTeX files. I could for example look for
an attachment signature and look for the LaTeX filename (.tex, .bib,
.sty, etc..) and assign negative scores. Not what I call fun, but it might
be able to help someone else.

---i.e-
Content-Type: application/x-tex; name="color-package-demo.tex"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="color-package-demo.tex"

Oh the joy.

>> it would be better if e-mail clients actually send attachments as
>> true attachments.
>
> That is really a matter of taste, when it is pure ascii, I prefer it
> inline myself :)
>
> Best regards,
>
> Olivier

Thanks Paul



--
Paul Griffith |Dept. of Computer Science and Engineering - York University
CSE Technical Team |4700 Keele Street, Toronto, ON, Canada M3J-1P3
[EMAIL PROTECTED] |CSE1003A|Tel: 416-736-2100 x70258|Fax: 416-736-5872


RES: Does not rewrite the Subject with SPAM tag

2007-12-06 Thread Douglas Marcel dos Santos
It works now. Qmail-scanner uses fast-spamassassin as the default configuration
and this does not rewrite the subject header. I regenerated the
qmail-scanner.pl file with the --scanners verbose-spamassassin and it started
to tag messages immediately.

 


Douglas Marcel dos Santos
Fortymil Ind. de Plásticos Ltda.
Tel. (11) 4894-8950
[EMAIL PROTECTED]

-----Original Message-----
From: Evan Platt [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 5 December 2007 18:16
To: users@spamassassin.apache.org
Subject: Re: Does not rewrite the Subject with SPAM tag 

http://wiki.apache.org/spamassassin/SubjectRewrite

Warning: if you are running SA through amavisd or qmail-scanner, those apps
do their own message rewriting and SpamAssassin cannot perform these rewrites.
Here is the FAQ entry for how to rewrite the subject in qmail-scanner.

See http://qmail-scanner.sourceforge.net/FAQ.php#cs .

Evan

At 12:08 PM 12/5/2007, Douglas Marcel dos Santos wrote:


>I've a little problem here in my QMail + qmail-scanner + spamassassin 3.2.3
>The sa is working, it's adding X-Spam headers, it identifies the spam,
>but it does not rewrite the Subject header with the Spam*** tag.
>
>Some clues:
>
>The SpamAssassin is working. I could confirm this by reading /var/log/maillog.
>I could not see any errors in that file.
>
>Reading the message header I could see the added headers
>X-Spam-Status: Yes, score=4.6 required=4.3
>X-Spam-Level: 
>
>My /etc/mail/spamassassin/local.cf file is:
>required_score   4.3
>rewrite_header Subject SPAM
>report_safe 0
>use_bayes   1
>bayes_auto_learn  1
>skip_rbl_checks 1
>use_razor2  0
>use_pyzor   0
>
>
>I can't see any error and I could not find any misconfiguration.
>Has someone a new tip to solve this behavior ?
>
>
>
>Douglas Marcel dos Santos
>Fortymil Ind. de Plásticos Ltda.
>Tel. (11) 4894-8950
>[EMAIL PROTECTED]




Re: SpamAssassin and LaTeX

2007-12-06 Thread Paul Griffith
On Wed, 05 Dec 2007 20:36:22 -0500, John D. Hardin <[EMAIL PROTECTED]> wrote:

> On Wed, 5 Dec 2007, Paul Griffith wrote:
>
>> I guess I could write rules that verify a valid .tex and .bib
>> document and then assign a minus score, it would be better if
>> e-mail clients actually send attachments as true attachments.
>
> Not too hard to do...
>
> \title{\LaTeX}
> \date{}
> \begin{document}
> \end{document}
>
> Take off some points for having all of those in the body.
>
> --
>  John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---

I figure I would end up writing some rules to handle this issue,
LaTeX is used widely in our environment. I was just hoping ;-) someone had
something out there already.


Thanks
Paul

--
Paul Griffith |Dept. of Computer Science and Engineering - York University
CSE Technical Team |4700 Keele Street, Toronto, ON, Canada M3J-1P3
[EMAIL PROTECTED] |CSE1003A|Tel: 416-736-2100 x70258|Fax: 416-736-5872
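
The approach discussed in this thread (John Hardin's four body markers, plus the attachment headers Paul Griffith quotes in his other message), written out as local SpamAssassin rules. This is an added example, not rules posted by anyone on the list; the LOCAL_* / __LOCAL_* rule names and the scores are assumptions.

```conf
# Added example for local.cf -- not from the thread.
# All LOCAL_* / __LOCAL_* names and the scores are assumptions.
# Check syntax after editing with: spamassassin --lint

# 1) LaTeX pasted inline: the four markers John Hardin lists.
#    rawbody matches text parts without HTML stripping; each marker
#    fits on a single line, so line-by-line matching is enough.
rawbody    __LOCAL_TEX_TITLE   /\\title\{/
rawbody    __LOCAL_TEX_DATE    /\\date\{/
rawbody    __LOCAL_TEX_BEGIN   /\\begin\{document\}/
rawbody    __LOCAL_TEX_END     /\\end\{document\}/

# Fire only when all four markers are present ("all of those in the body").
meta       LOCAL_LATEX_INLINE  (__LOCAL_TEX_TITLE && __LOCAL_TEX_DATE && __LOCAL_TEX_BEGIN && __LOCAL_TEX_END)
describe   LOCAL_LATEX_INLINE  Body contains a LaTeX document skeleton
tflags     LOCAL_LATEX_INLINE  nice
score      LOCAL_LATEX_INLINE  -0.5

# 2) LaTeX sent as a real attachment: match the per-part MIME headers.
#    mimeheader is provided by the MIMEHeader plugin.
mimeheader __LOCAL_TEX_CTYPE   Content-Type =~ /^application\/x-tex\b/i
mimeheader __LOCAL_TEX_FNAME   Content-Disposition =~ /\bfilename="?[^";]+\.(?:tex|bib|sty)"?\s*(?:;|$)/i

meta       LOCAL_LATEX_ATTACH  (__LOCAL_TEX_CTYPE || __LOCAL_TEX_FNAME)
describe   LOCAL_LATEX_ATTACH  Has a .tex/.bib/.sty attachment
tflags     LOCAL_LATEX_ATTACH  nice
score      LOCAL_LATEX_ATTACH  -0.5
```

Both markers and attachment names are trivially copied by a sender, so the negative scores are kept small relative to required_score: enough to offset a body-rule false positive on legitimate LaTeX, not enough to act as a whitelist.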


whitelist

2007-12-06 Thread Jack Gostl


I have an odd problem. I have a user receiving spam from something like
[EMAIL PROTECTED] Since he does business with verybigcompany.com,
he had them in his white list, and as expected, the spam slipped through.

Based on the advice I got in this newsgroup, I changed him from a straight:

 whitelist_from [EMAIL PROTECTED]

to

   whitelist_from_rcvd [EMAIL PROTECTED] verybigcompany.com

I think I did that right. So now the odd thing is that spam from
verybigcompany.com is coming through on my PERSONAL account even though it's
not in my whitelist. The headers show that this is a "user in whitelist"
situation. It may be happening to others, I haven't checked, but it's weird
enough that it's happening to me.

Now if I haven't confused everyone, I'm open to ideas.

I am on SpamAssassin version 3.1.8 running on Perl version 5.8.2 under AIX 5.3






Antwort: Re: sa-update error

2007-12-06 Thread Juergen . Boehm
It won't install:

Test Summary Report
---
t/02_methods.t(Wstat: 65280 Tests: 252 Failed: 65)
  Failed test number(s):  18-25, 71-72, 74-75, 77-80, 82-83, 92-97
105, 110-117, 123-125, 151-154, 162, 167-168
186-189, 195-197, 214-217, 225, 230-231
240-243, 249-252
  Non-zero exit status: 255
t/04_resolved_issues.t (Wstat: 65280 Tests: 7 Failed: 2)
  Failed test number(s):  6-7
  Non-zero exit status: 255
Files=5, Tests=482,  1 wallclock secs ( 0.07 usr  0.00 sys +  0.54 cusr 
0.05 csys =  0.66 CPU)
Result: FAIL
Failed 2/5 test programs. 67/482 subtests failed.
make: *** [test_dynamic] Fehler 11
  /usr/bin/make test -- NOT OK
Running make install
  make test had returned bad status, won't install without force





"Philipp Snizek" <[EMAIL PROTECTED]> 
06.12.2007 14:07

To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Subject: Re: sa-update error






> Hi
>
> can anyone help me with this?
> I think it's the archive::tar which makes problems,
> so I installed a newer version, but the error remains...
>
> [23086] dbg: channel: populating temp content file
> [23086] dbg: channel: file verification passed, testing update
> [23086] dbg: channel: extracting archive
> No data could be read from file at /usr/bin/sa-update line 961
> fatal: couldn't create Archive::Tar object!

what does

perl -MCPAN -e 'install Archive::Tar'

say?

- Philipp






Re: sa-update error

2007-12-06 Thread Philipp Snizek
> Hi
>
> can anyone help me with this?
> I think it's the archive::tar which makes problems,
> so I installed a newer version, but the error remains...
>
> [23086] dbg: channel: populating temp content file
> [23086] dbg: channel: file verification passed, testing update
> [23086] dbg: channel: extracting archive
> No data could be read from file at /usr/bin/sa-update line 961
> fatal: couldn't create Archive::Tar object!

what does

perl -MCPAN -e 'install Archive::Tar'

say?

- Philipp





Re: the opposit of "ok_locales" ??

2007-12-06 Thread Per Jessen
Jonathan Armitage wrote:

> Provided it is possible with your MTA, you could consider rejecting
> such email at that level, thus relieving SA of the burden of having to
> scan it at all.
> 
> This is easy in Exim, but I don't know if other mailers can do the
> same thing.

In postfix, a header or a body check would do it. 


/Per Jessen, Zürich



Re: Best Practice to "whitelist" logcheck mailings?

2007-12-06 Thread Per Jessen
Matthias Haegele wrote:

> Hi all!
> What would you suggest as the best method to "whitelist" logcheck mails?:
> 
[snip]
> I considered putting [EMAIL PROTECTED] in whitelist but i am not sure if it
> is the only possible (and really good) solution?

How about:

whitelist_from_rcvd  [EMAIL PROTECTED] myserver.dyndns.org


/Per Jessen, Zürich



Best Practice to "whitelist" logcheck mailings?

2007-12-06 Thread Matthias Haegele

Hi all!
What would you suggest as the best method to "whitelist" logcheck mails?:

A snippet of a quarantined message:


Return-Path: <[EMAIL PROTECTED]>
Delivered-To: spam-quarantine
X-Envelope-From: <[EMAIL PROTECTED]>
X-Envelope-To: <[EMAIL PROTECTED]>
X-Quarantine-ID: <1JtIvtWCm2i6>
X-Spam-Flag: YES
X-Spam-Score: 4.032
X-Spam-Level: 
X-Spam-Status: Yes, score=4.032 tag=x tag2=3.5 kill=3.5 tests=[AWL=-2.927,
BAYES_99=4.5, J_CHICKENPOX_64=0.6, NO_RELAYS=-0.001,
URIBL_AB_SURBL=1.86]
Received: from myserver.dyndns.org ([127.0.0.1])
by localhost (myserver.dyndns.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 1JtIvtWCm2i6 for <[EMAIL PROTECTED]>;
Sun,  2 Dec 2007 04:02:02 +0100 (CET)


I considered putting [EMAIL PROTECTED] in whitelist but i am not sure if it is 
the only possible (and really good) solution?

Thx for any tips.

I know the 3.5 kill level is low but i want it there ... ;-).

--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Turning off rules

2007-12-06 Thread Justin Mason

John Rudd writes:
> 
> 
> In the past, turning off a rule was supposed to be as simple as setting 
> its score to zero.  Is that no longer the case?  I set a rule to zero, 
> and it's still showing up in my logs (but it looks like the value is 
> correctly being recorded as zero, so it's not affecting my scores; I'm 
> just concerned that it might be affecting performance, even if slightly).
> 
> What's the current proper way to disable a rule?
> 
> (the rule in question is BASE64_LENGTH_79_INF ; in my local.cf I gave it 
> a score of 0 but not 0.00)

if that doesn't work, it's a bug; please report it at the Bugzilla.

--j.


Re: Turning off rules

2007-12-06 Thread Matthias Haegele

John Rudd wrote:

> In the past, turning off a rule was supposed to be as simple as setting
> its score to zero.  Is that no longer the case?  I set a rule to zero,
> and it's still showing up in my logs (but it looks like the value is
> correctly being recorded as zero, so it's not affecting my scores; I'm
> just concerned that it might be affecting performance, even if slightly).
>
> What's the current proper way to disable a rule?
>
> (the rule in question is BASE64_LENGTH_79_INF ; in my local.cf I gave it
> a score of 0 but not 0.00)

http://svn.apache.org/repos/asf/spamassassin/branches/3.2/README

Disabled code
-------------
To turn on tests disabled in 50_scores.cf, simply assign them a non-zero
score

Seems it didn't change.

http://svn.apache.org/repos/asf/spamassassin/branches/3.2/UPGRADE

btw: (I had a little difficulty finding the files, I searched for a
changelog ...)


hth






--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



sa-update error

2007-12-06 Thread Juergen . Boehm
Hi

can anyone help me with this?
I think it's the archive::tar which makes problems, 
so I installed a newer version, but the error remains...

[23086] dbg: channel: populating temp content file
[23086] dbg: channel: file verification passed, testing update
[23086] dbg: channel: extracting archive
No data could be read from file at /usr/bin/sa-update line 961
fatal: couldn't create Archive::Tar object!