Re: Razor Problems

2007-12-12 Thread Michael Grant
On Dec 12, 2007 5:05 AM, Matt Kettler [EMAIL PROTECTED] wrote:

 Michael Grant wrote:
  On Dec 12, 2007 1:09 AM, Matt Kettler [EMAIL PROTECTED] wrote:
 
  Marc Perkel wrote:
 
  What causes this?
 
  reporter: razor2 report failed: No such file or directory report
  requires authentication
 
  You didn't run razor-admin --register?
 
 
  Funny, I too just got this same error and yes, I did a razor-agent
  -create and -register.
 
  [88199] warn: reporter: razor2 report failed: No such file or
  directory report requires authentication at
  /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Razor2.pm
  line 178. at 
  /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Razor2.pm
  line 326.
  [88199] info: reporter: could not report spam to Razor
 Interesting.. do you get a similar result from razor-report?

Ahh, I had to do a razor-admin like this:

su - root
# razor-admin -create
# razor-admin -register

Even though I had done this initially as just 'su', it was using my
homedir to create the .razor directory.

Michael Grant


Re: HELO_DYNAMIC_SPLIT_IP

2007-12-12 Thread Andrew Hearn
Giampaolo Tomassoni wrote:
 -Original Message-
 From: Andrew Hearn [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 11, 2007 12:04 PM

 Hi,

 Can anyone explain why this email:
 http://pastebin.ca/811938
 is getting a hit on HELO_DYNAMIC_SPLIT_IP?

 I'm seeing a few ham messages being caught by this.

 (SpamAssassin version 3.2.3, sa-update)
 
 smtp.aaisp.net.uk maps to two IP addresses (81.187.81.51 and 81.187.81.52).

 An outgoing mail server is supposed to announce itself via HELO with its
 own, specific name, not with a service name (like smtp.etc.etc).

 aaisp.net.uk could define the following:

   smtp1   A   81.187.81.51
   smtp2   A   81.187.81.52
   smtp    A   81.187.81.51
           A   81.187.81.52

 where the latter name is only suitable for their customers, in order to
 accept mail to be delivered. Then, when delivery occurs, the SMTP server
 should identify itself with its unique name, for example:

   EHLO smtp1.aaisp.net.uk

 This also allows defining two different entries in aaisp.net.uk's DNS
 reverse mappings:

   51  PTR smtp1.aaisp.net.uk.
   52  PTR smtp2.aaisp.net.uk.

 which may help to better identify the abused host, whenever that happens.
 
 Giampaolo
 


Thanks for the reply and explanation, I'll look into this!


Re: Razor Problems

2007-12-12 Thread Matt Kettler
Michael Grant wrote:
 -report?

 Ahh, I had to do a razor-admin like this:

 su - root
 # razor-admin -create
 # razor-admin -register

 Even though I had done this initially as just 'su', it was using my
 homedir to create the .razor directory.
Yep. Technically you only needed the -, and didn't need to specify root.

Plain su doesn't change the environment or run login scripts, but su
- forces a full login as the target user. Both assume root by default.




Re: Razor Problems

2007-12-12 Thread Marc Perkel
Matt Kettler wrote:
 Michael Grant wrote:
  -report?

  Ahh, I had to do a razor-admin like this:

  su - root
  # razor-admin -create
  # razor-admin -register

  Even though I had done this initially as just 'su', it was using my
  homedir to create the .razor directory.

 Yep. Technically you only needed the -, and didn't need to specify root.

 Plain su doesn't change the environment or run login scripts, but su
 - forces a full login as the target user. Both assume root by default.

In my case I had to do su spamd to get it to work for me.



subscribe

2007-12-12 Thread Joshua D. Sindy

Joshua Sindy
Unix / Windows Systems Administrator
Empower Information Systems
www.empoweris.com
Gtalk: joshuasindy
757-273-9399 (office)
757-715-3534 (cell)
866-477-1544 (toll free)
[EMAIL PROTECTED] (email)



Re: TVD_SPACE_RATIO dependent on subject?

2007-12-12 Thread RandomTroll

Quoth Per Jessen:  'It would perhaps make sense not to scan internal email. 
We certainly
don't.'

We were concerned about scans sent to people outside the organization.

russell bell






AWL: dont understand it

2007-12-12 Thread peter pilsl


Sorry for posting a question on the same topic again, but I think I
found out more in the meantime and can ask a better question.

I've a user [EMAIL PROTECTED] with the following entries in my
autowhitelist:


20.0(40.0/2)  --  [EMAIL PROTECTED]|ip=222.253
24.2(72.7/3)  --  [EMAIL PROTECTED]|ip=85.140
-2.5 (-171.5/69)  --  [EMAIL PROTECTED]|ip=85.126
26.9(26.9/1)  --  [EMAIL PROTECTED]|ip=212.33

Then a mail from this email address from an IP=85.126.x.x gets an
AWL-scoring of +11!!!  This does not make sense to me at all.   How is
this AWL-scoring calculated? It seems almost broken to me.

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on goldfisch.at
X-Spam-Level: **
X-Spam-Status: Yes, score=6.8 required=2.5 tests=ALL_TRUSTED,AWL,BAYES_00
autolearn=no version=3.2.2
X-Spam-Report:
* -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
*  [score: 0.]
*   11 AWL AWL: From: address is in the auto white-list

Received: from mail.vhs-archiv.at (mail.vhs-archiv.at [85.126.129.42])
by goldfisch.at (8.12.10/8.12.1) with ESMTP id lBCD1FmU005410
(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
for [EMAIL PROTECTED]; Wed, 12 Dec 2007 14:01:16 +0100
Received: from [192.168.0.199] ([192.168.0.199])
by mail.vhs-archiv.at (Merak 8.2.4) with ESMTP id IZF38973
for [EMAIL PROTECTED]; Wed, 12 Dec 2007 14:00:52 +0100


Any help appreciated. I need to turn off AWL for now.



thnx a lot for any help, idea, insight, feedback ...

peter


Adjusting SA scores in 50_scores.cf...

2007-12-12 Thread Ken Morley
I'm running SpamAssassin 3.2.3 and have been advised to increase the
score for URIBL_SBL to 5.0.  I see where it is defined in 50_scores.cf,
but I don't completely understand the format.

Mine shows:
score URIBL_SBL 0 2.468 0 1.499 # n=0 n=2

Is the last score (1.499) the one I should increase?  We are using both
Bayes and Network Checks and I do have
Mail::SpamAssassin::Plugin::URIDNSBL installed.

Thanks!




Virus found in this message, probe?

2007-12-12 Thread Kenneth Porter
Anyone seen these? text/plain and HTML parts, seem to have same content, 
saying there's a virus, please delete, and some gibberish. I'm guessing 
it's some kind of probe.


Re: Virus found in this message, probe?

2007-12-12 Thread Steven Stern

Kenneth Porter wrote:
Anyone seen these? text/plain and HTML parts, seem to have same 
content, saying there's a virus, please delete, and some gibberish. 
I'm guessing it's some kind of probe.

There was a web address hidden by a malformed CSS tag.


Re: AWL: dont understand it

2007-12-12 Thread John D. Hardin
On Wed, 12 Dec 2007, peter pilsl wrote:

 How is this AWL-scoring calculated? It seems almost broken to me.

The name is very misleading. If you think of it as a historical score
averaging system instead, with the goal of allowing a typically-hammy
sender to occasionally send a spammy message, and blocking a
typically-spammy sender that occasionally sends a hammy message, it
makes sense.

 I need to turn off AWL by now.

Most people do... :)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  We have to realize that people who run the government can and do
  change. Our society and laws must assume that bad people -
  criminals even - will run the government, at least part of the
  time.   -- John Gilmore
---
 3 days until Bill of Rights day



Re: Adjusting SA scores in 50_scores.cf...

2007-12-12 Thread John D. Hardin
On Wed, 12 Dec 2007, Ken Morley wrote:

 I'm running SpamAssassin 3.2.3 and have been advised to increase
 the score for URIBL_SBL to 5.0.  I see where it is defined in
 50_scores.cf, but I don't completely understand the format.

Don't change the distribution files. Alter scores in a local.cf file 
in your local custom configuration directory, typically 
/etc/mail/spamassassin/

 Mine shows:
 score URIBL_SBL 0 2.468 0 1.499 # n=0 n=2

Just put this into your local config file:

   score URIBL_SBL 5

Discussion of the advisability of a single poison-pill rule is for 
another day, though if you *do* want to spamcan everything that hits 
SBL you'd be better served doing it at the MTA layer as a regular 
DNSBL test.

Also, isn't SBL folded into Zen these days?


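As an added illustration for this thread (not part of the posts, and not SpamAssassin's own parser), the Python below reads `score` lines the way SpamAssassin documents its four score sets: 0 = no Bayes and no network tests, 1 = network tests only, 2 = Bayes only, 3 = Bayes and network tests. With both enabled, as in Ken's setup, the fourth value (1.499) is the one in effect, and John's single-value `score URIBL_SBL 5` in local.cf replaces all four; the two config fragments are constructed from the lines quoted above.

```python
import re

# One line of 50_scores.cf as quoted in the thread, then the single-value
# override John Hardin suggests for local.cf (both constructed input here).
DIST_CF = "score URIBL_SBL 0 2.468 0 1.499 # n=0 n=2\n"
LOCAL_CF = "score URIBL_SBL 5\n"

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.*?)\s*(?:#.*)?$")

def score_set(bayes: bool, net: bool) -> int:
    # SpamAssassin's documented score sets: 0 = neither Bayes nor network
    # tests, 1 = network only, 2 = Bayes only, 3 = Bayes and network
    return (2 if bayes else 0) + (1 if net else 0)

def parse_scores(cf_text: str) -> dict:
    """Map RULE -> [set0, set1, set2, set3] from 'score RULE n [n n n]' lines.
    One value applies to all four sets; a later line replaces an earlier one,
    which is why a local.cf read after 50_scores.cf overrides it."""
    scores = {}
    for line in cf_text.splitlines():
        m = SCORE_RE.match(line)
        if not m:
            continue
        rule, values = m.group(1), m.group(2).split()
        if len(values) == 1:
            values = values * 4
        if len(values) != 4:
            raise ValueError(f"malformed score line: {line!r}")
        scores[rule] = [float(v) for v in values]
    return scores

def effective_score(scores: dict, rule: str, bayes: bool, net: bool) -> float:
    return scores[rule][score_set(bayes, net)]

def demo():
    dist = parse_scores(DIST_CF)
    merged = parse_scores(DIST_CF + LOCAL_CF)  # local.cf is read after the rules
    return {
        # Ken's setup (Bayes + network checks) uses the fourth value, 1.499
        "dist_bayes_net": effective_score(dist, "URIBL_SBL", True, True),
        # network rules carry 0 in the score sets where network tests are off
        "dist_no_net": effective_score(dist, "URIBL_SBL", True, False),
        # after the override every score set is 5.0, whatever the mode
        "local_all_sets": merged["URIBL_SBL"],
    }
```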


Re: AWL: dont understand it

2007-12-12 Thread Bob Proulx
John D. Hardin wrote:
 peter pilsl wrote:
  I need to turn off AWL by now.
 
 Most people do... :)

The problem is that it is based upon the from address.  That is an
unreliable piece of data.  Spammers forge from addresses all of the
time.  Even valid senders will sometimes fabricate from addresses.  If
the input to the equation can't be guaranteed valid then the output of
the equation can't be guaranteed valid either.  GIGO.  The effect as
you see can be a denial of service against a valid from address.

Bob


Re: AWL: dont understand it

2007-12-12 Thread Mark Martinec
On Thursday 13 December 2007 02:07:00 Bob Proulx wrote:
 The problem is that it is based upon the from address.  That is an
 unreliable piece of data.  Spammers forge from addresses all of the
 time.  Even valid senders will sometimes fabricate from addresses.  If
 the input to the equation can't be guaranteed valid then the output of
 the equation can't be guaranteed valid either.  GIGO.  The effect as
 you see can be a denial of service against a valid from address.

Right. And if someone is whitelisting some domains, things quickly get
much worse. Without whitelisting or other extreme scores, AWL behaves
very well.

For about two months I've been running a modified version of SpamAssassin
with one additional field in an AWL SQL database, namely the DKIM
signer id. This effectively separates forged from non-forged authors
from domains such as gmail.com and yahoo.com. The AWL average is then
taken only across senders of the same signed domain as the current
message under investigation (or from unsigned messages in its own
separate group).

An interesting byproduct can be derived from the database: a long-term
score average for each DKIM signing id. It can be considered an
automatically derived signer reputation.

Here are some interesting spam score averages by signer id (just
loosely manually grouped for ease of reading and interpretation):

  ebay.fr                     -11.37
  ebay.ca                      -9.57
  ebay.co.uk                   -9.10
  ebay.com                     -8.24
  ebay.at                      -6.80
  ebay.de                      -3.93
  reply3.ebay.com              -3.24
  reply.ebay.com               -1.90
  paypal.com                   -6.95
  email.paypal.co.uk           -2.37

  gmail.com                    -4.28
  googlegroups.com             -3.94
  googlemail.com               -3.90
  google.com                   -1.98

  yahoo-inc.com                -5.63
  yahoogroups.co.uk            -5.46
  yahoogroupes.fr              -5.05
  yahoogroups.com              -4.29
  yahoo.com.au                 -4.72
  yahoo.se                     -2.19
  yahoo.com                    -2.08
  yahoo.co.uk                  -0.31
  yahoo.es                      0.14
  yahoo.de                      0.20
  yahoo.com.cn                  2.01
  yahoo.fr                      2.06
  yahoo.it                      2.34
  yahoo.ie                      4.23
  yahoo.gr                      4.28
  yahoo.ca                      4.77
  yahoo.co.nz                   5.54
  yahoo.co.in                   5.78
  yahoo.com.vn                  5.87
  yahoo.com.hk                  6.81
  yahoo.co.jp                   7.04
  yahoo.com.sg                  8.64
  yahoo.dk                     10.06
  yahoo.com.br                 10.20
  yahoo.com.mx                 11.13

  dostech.ca                  -10.25
  kitterman.com                -9.80
  porcupine.org                -9.80
  megan.vbhcs.org              -9.40
  charite.de                   -9.68
  state-of-mind.de             -9.36
  resistor.net                 -9.29
  secnap.net                   -8.54
  gmurray.org.uk               -8.10
  messiah.edu                  -6.49

  cisco.com                    -5.63
  cern.ch                      -5.33
  skype.net                    -4.09
  welcome.skype.com            -2.07
  tugraz.at                    -4.91
  tu-graz.ac.at                -5.80
  uu.se                        -3.26
  aitech.ac.jp                 -4.69
  hermes-softlab.com           -5.99
  amis.net                     -4.71
  ijs.si                       -4.62
  rogers.com                   -4.20
  eurescom.eu                  -3.98
  pacbell.net                  -2.58
  newsletters.trendmicro.com   -2.42
  123greetings.com             -1.83
  amazon.com                   -1.10
  youtube.com                  -1.72
  alert.bankofamerica.com      -0.61
  m-w.com                       3.62
  astrology.com                 3.67

  news.coleparmer.com          -1.54
  news.biomedcentral.com        0.22
  medcompare.com                0.40
  biocompare.com                1.01
  dentalcompare.com             1.62

  perfspot.com                -10.60
  hege.li                     -10.30
  prime.gushi.org              -9.86
  incertum.net                 -9.80
  schetterer.org               -9.70
  nexaima.net                  -9.23
  prodigy.net                  -8.93
  unix-scripts.info            -8.92
  inetmsg.com                  -8.79
  suedfactoring.de             -8.53
  izb.knu.ac.kr                -7.51
  arcamax.com                  -6.20
  pd.infn.it                   -5.75
  mtcc.com                     -5.72

  consulintel.es               -5.04
  geni.com                     -4.60
  ybb.ne.jp                    -4.37
  abv.bg                       -4.33
  journalexperts.com           -4.26
  vvm.com                      -4.03
  nagual.pp.ru                 -4.00
  univ-tours.fr                -3.68
  btinternet.com               -3.61

  yousendit.com                -6.24
  springer.delivery.net        -3.55
  starwood.delivery.net        -1.19
  marriott.delivery.net         2.12
  alibris.i.delivery.net        2.29
  gap.delivery.net              2.70
  mail6.subscribermail.com     -2.97
  mail120.subscribermail.com   -5.17
  

Re: AWL: dont understand it

2007-12-12 Thread Matt Kettler
peter pilsl wrote:
 Sorry for posting a question on the same topic again, but I think I
 found out more in the meantime and can ask a better question.

 I've a user [EMAIL PROTECTED] with the following entries in my
 autowhitelist:


 20.0(40.0/2)  --  [EMAIL PROTECTED]|ip=222.253
 24.2(72.7/3)  --  [EMAIL PROTECTED]|ip=85.140
 -2.5 (-171.5/69)  --  [EMAIL PROTECTED]|ip=85.126
 26.9(26.9/1)  --  [EMAIL PROTECTED]|ip=212.33

 Then a mail from this email address from an IP=85.126.x.x gets an
 AWL-scoring of +11!!!  This does not make sense to me at all.   How is
 this AWL-scoring calculated? It seems almost broken to me.

 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on goldfisch.at
 X-Spam-Level: **
 X-Spam-Status: Yes, score=6.8 required=2.5 tests=ALL_TRUSTED,AWL,BAYES_00
 autolearn=no version=3.2.2
 X-Spam-Report:
 * -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
 * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
 *  [score: 0.]
 *   11 AWL AWL: From: address is in the auto white-list

 Received: from mail.vhs-archiv.at (mail.vhs-archiv.at [85.126.129.42])
 by goldfisch.at (8.12.10/8.12.1) with ESMTP id lBCD1FmU005410
 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
 for [EMAIL PROTECTED]; Wed, 12 Dec 2007 14:01:16 +0100
 Received: from [192.168.0.199] ([192.168.0.199])
 by mail.vhs-archiv.at (Merak 8.2.4) with ESMTP id IZF38973
 for [EMAIL PROTECTED]; Wed, 12 Dec 2007 14:00:52 +0100


 Any help appreciated. I need to turn off AWL for now.
   
The first thing that jumps out at me is that ALL_TRUSTED fired off. Is
that really correct?

As far as SA is concerned, this message is not from 85.126.129.42, as it
considers that IP to be a part of your network. (otherwise ALL_TRUSTED
wouldn't have fired off).

SA probably considers this message to be from 192.168.0.199, unless
there are other Received: headers further back that you left out.

You probably need to manually declare a trusted_networks setting due to
NAT. (ie: if your SA box resolves goldfisch.at to a reserved IP address,
you'll have a problem with broken trust path).

See also:

http://wiki.apache.org/spamassassin/TrustPath
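To make the averaging John Hardin describes concrete, and to show the per-signer grouping Mark Martinec added, here is a small Python model written for this page; it is not SpamAssassin's code. It assumes the 3.2 AWL formula as I understand it, delta = (historical mean of pre-AWL scores - this message's pre-AWL score) * auto_whitelist_factor (default 0.5), keyed by From: address plus the first two octets of the originating IP with `ip=none` when every relay is trusted; the `signedby` field, the placeholder address user@example.org and the sample last octets are constructed, and the four rows mirror peter's entries.

```python
from collections import defaultdict
AWL_FACTOR = 0.5  # SpamAssassin's default auto_whitelist_factor (assumed)

def awl_key(addr, origin_ip=None, signer=None):
    # From: address + first two octets of the originating IP ("none" if every
    # relay is trusted, as when ALL_TRUSTED fires) + DKIM signer ("" if unsigned)
    ipk = ".".join(origin_ip.split(".")[:2]) if origin_ip else "none"
    return f"{addr.lower()}|ip={ipk}|signedby={signer or ''}"

class AutoWhitelist:
    def __init__(self, entries=None):
        # key -> [total of pre-AWL scores, message count]
        self.entries = {k: list(v) for k, v in (entries or {}).items()}

    def mean(self, key):
        e = self.entries.get(key)
        return e[0] / e[1] if e and e[1] else None

    def score(self, addr, msgscore, origin_ip=None, signer=None):
        # pull the message toward the sender's historical mean, then record
        # its pre-AWL score so it counts in future averages
        key = awl_key(addr, origin_ip, signer)
        m = self.mean(key)
        delta = 0.0 if m is None else (m - msgscore) * AWL_FACTOR
        tot, cnt = self.entries.get(key, (0.0, 0))
        self.entries[key] = [tot + msgscore, cnt + 1]
        return round(delta, 3)

    def signer_reputation(self):
        # Mark Martinec's byproduct: long-term mean score per DKIM signer id
        tot, cnt = defaultdict(float), defaultdict(int)
        for key, (t, c) in self.entries.items():
            signer = key.rsplit("signedby=", 1)[1]
            if signer:
                tot[signer] += t
                cnt[signer] += c
        return {s: round(tot[s] / cnt[s], 2) for s in tot}

# Constructed rows mirroring peter pilsl's four entries (placeholder address)
ENTRIES = {
    awl_key("user@example.org", "222.253.0.1"): (40.0, 2),
    awl_key("user@example.org", "85.140.0.1"): (72.7, 3),
    awl_key("user@example.org", "85.126.0.1"): (-171.5, 69),
    awl_key("user@example.org", "212.33.0.1"): (26.9, 1),
}
PRE_AWL = -1.8 + -2.6  # ALL_TRUSTED + BAYES_00 from the posted X-Spam-Report

def demo():
    # (a) really from 85.126.x.x: a small nudge toward -2.5, nowhere near +11
    # (b) every relay trusted -> ip=none, no history, so no adjustment at all
    # (c) hammy mail from the spammy 85.140 block is pushed up (Hardin's point)
    awl = AutoWhitelist(ENTRIES)
    return (awl.score("user@example.org", PRE_AWL, "85.126.129.42"),
            awl.score("user@example.org", PRE_AWL),
            awl.score("user@example.org", PRE_AWL, "85.140.9.9"))
```

Run on peter's entries with the posted pre-AWL score of -4.4, the 85.126 row yields about +0.96 and the ip=none key yields nothing, so none of the listed rows can produce +11, which fits Matt's point that the message was filed under some other key.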






Re: Virus found in this message, probe?

2007-12-12 Thread Joseph Brennan
--On Wednesday, December 12, 2007 1:20 PM -0800 Kenneth Porter
[EMAIL PROTECTED] wrote:

 Anyone seen these? text/plain and HTML parts, seem to have same content,
 saying there's a virus, please delete, and some gibberish. I'm guessing
 it's some kind of probe.

Started today (based on reports to us)

Varying senders.  Comes from a botnet.  Varying Subject but always one
lower-case word or wordlike string (ogbomosho).  Subject does repeat
in different messages, but looks like too many to bother matching.

Note the misspelling in the string:
/Virus found in this message, please delete it without futher reading/

The link *follows* </p></body></html>, and additionally there is nothing
between the <a ...> and </a> tags.  How can this ever be clicked on?

The URL has a dot in the path.  We have a local rule watching for
this.  Example (this is a dead link at this time):
 <a href="http://www.crop.co.uk/.hidden/nikpfpdk/ganf.html">

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
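The three traits Joseph lists (a dot-directory in the URL path, an anchor with no clickable text, and a link placed after `</html>`) can be checked mechanically. The Python below is an added example for this page, not Columbia's local rule or SpamAssassin code; it runs over a constructed HTML part in which the real link is replaced by a placeholder under the reserved example.invalid domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorAudit(HTMLParser):
    """Record each <a href>, its visible text, and whether it came after </html>."""
    def __init__(self):
        super().__init__()
        self.html_closed = False
        self.anchors = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = {"href": dict(attrs).get("href") or "",
                         "text": "", "after_html": self.html_closed}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.anchors.append(self._cur)
            self._cur = None
        elif tag == "html":
            self.html_closed = True

def suspicious_links(html_text):
    """(href, reasons) for anchors with a dot-directory path, no text, or after </html>."""
    parser = AnchorAudit()
    parser.feed(html_text)
    parser.close()
    findings = []
    for a in parser.anchors:
        reasons = []
        segments = [s for s in urlparse(a["href"]).path.split("/") if s]
        if any(s.startswith(".") for s in segments):
            reasons.append("dot-directory in path")
        if not a["text"].strip():
            reasons.append("empty anchor text")
        if a["after_html"]:
            reasons.append("anchor after </html>")
        if reasons:
            findings.append((a["href"], reasons))
    return findings

# Constructed HTML part modelled on the description in the thread; the real
# link is replaced by a placeholder under the reserved example.invalid domain.
SAMPLE = """<html><body>
<p>Virus found in this message, please delete it without futher reading</p>
<p>See <a href="http://example.invalid/news/today.html">today's news</a></p>
</body></html>
<a href="http://example.invalid/.hidden/abcdefgh/page.html"></a>
"""
```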



Re: Virus found in this message, probe?

2007-12-12 Thread Loren Wilton
 --On Wednesday, December 12, 2007 1:20 PM -0800 Kenneth Porter
 [EMAIL PROTECTED] wrote:

  Anyone seen these? text/plain and HTML parts, seem to have same content,
  saying there's a virus, please delete, and some gibberish. I'm guessing
  it's some kind of probe.

 Started today (based on reports to us)

 Varying senders.  Comes from a botnet.  Varying Subject but always one
 lower-case word or wordlike string (ogbomosho).  Subject does repeat
 in different messages, but looks like too many to bother matching.

 Note the misspelling in the string:
 /Virus found in this message, please delete it without futher reading/

 The link *follows* </p></body></html>, and additionally there is nothing
 between the <a ...> and </a> tags.  How can this ever be clicked on?

 The URL has a dot in the path.  We have a local rule watching for
 this.  Example (this is a dead link at this time):
  <a href="http://www.crop.co.uk/.hidden/nikpfpdk/ganf.html">

 Joseph Brennan
 Lead Email Systems Engineer
 Columbia University Information Technology


I wonder if that is in fact a broken spam warning message of some sort. 
I've been getting things for weeks with one nonsense word for a subject, 
but they have all been plain-text fake watch spams.


   Loren