Re: can we make AWL ignore mail from self to self?

2008-03-29 Thread Justin Mason

Jo Rhett writes:
 I send myself a lot of email from my phone.  So AWL properly scores  
 me well.
 
 I just got a piece of SPAM which should have scored 12.something that  
 got a -6 from the AWL.
 
 I think that mail from self to self should be ignored by the AWL.
 (it's harder to forge mail from a regular correspondent, so this  
 makes AWL more useful)

the AWL is keyed on email address and /16 of the sending IP address, so
this may warrant more investigation.  could you post the Received hdrs
from the spam that hit the AWL, and a ham that properly hits the AWL?

--j.
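
A small model of the keying described in the reply above, added here as an illustration; it is not SpamAssassin's code and not from the thread. It assumes `auto_whitelist_factor` is at its default of 0.5, and the address, IPs and scores are constructed. A 12-point message is pulled down by about 6 only when it shares both the sender address and the /16 with the stored ham history.

```python
# Added illustration, not SpamAssassin source code.
from collections import defaultdict

AWL_FACTOR = 0.5  # assumption: auto_whitelist_factor left at its default


def sender_key(addr, ip):
    """History key: sender address plus the /16 (first two octets) of the IP."""
    return (addr.lower(), ".".join(ip.split(".")[:2]))


class AWL:
    def __init__(self):
        self.hist = defaultdict(lambda: [0, 0.0])  # key -> [count, score total]

    def adjust(self, addr, ip, score):
        """Return the AWL delta for a message, then store its pre-AWL score."""
        entry = self.hist[sender_key(addr, ip)]
        count, total = entry
        # Pull the score halfway (factor 0.5) towards the sender's mean.
        delta = (total / count - score) * AWL_FACTOR if count else 0.0
        entry[0] += 1
        entry[1] += score
        return round(delta, 3)


def demo():
    awl = AWL()
    me = "jo@example.org"                       # constructed address
    for ham_score in (0.2, -0.1, 0.0, -0.1):    # constructed ham history
        awl.adjust(me, "198.51.100.7", ham_score)
    return {
        # Forged self-to-self spam arriving from an unrelated /16: no history.
        "other_16": awl.adjust(me, "203.0.113.9", 12.0),
        # Same forged sender, but the sending IP shares the ham's /16.
        "same_16": awl.adjust(me, "198.51.100.200", 12.0),
    }


if __name__ == "__main__":
    print(demo())
```

Comparing the first untrusted Received hop of the spam with that of the ham, as requested above, shows which of the two cases applies.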


Spamassassin, ipv6 and spf check

2008-03-29 Thread pfoo

Hi,
I'm currently on debian etch (stable) and I check spams using
spamassassin via amavisd-new.
Because my mail server supports ipv6, I installed spamassassin 3.2.4
(from debian testing) and amavisd-new-2.5.3 (debian testing) in order to
benefit from ipv6 spf check support (plugin Mail::SPF).
Problem: spamassassin doesn't tag spffail when an ipv6 server sends a
mail. No problem with ipv4.
My SA is using the Mail::SPF plugin and the old Mail::SPF::Query was removed:
[11661] dbg: diag: module installed: Mail::SPF, version v2.5.0
[11661] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
Has anyone experienced the same problem?

Here's the header of a mail sent via my test server using ipv4:
Received: from localhost (localhost.localdomain [127.0.0.1])
by core.csnu.org (Postfix) with ESMTP id 9444130053
for [EMAIL PROTECTED]; Sat, 29 Mar 2008 10:30:45 +0100 (CET)
X-Spam-Flag: NO
X-Spam-Score: 2.791
X-Spam-Level: **
X-Spam-Status: No, score=2.791 tagged_above=2 required=6.31
tests=[AWL=0.604,
SPF_HELO_SOFTFAIL=1.533, SPF_SOFTFAIL=0.654]
Received: from core.csnu.org ([127.0.0.1])
by localhost (core.csnu.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id GKVjcNnKosUS for [EMAIL PROTECTED];
Sat, 29 Mar 2008 10:30:44 +0100 (CET)
Received: from csnu.org (bluebox.equin0xe.org [82.227.48.154])
by core.csnu.org (Postfix) with ESMTP id 5D8A92FFE0
for [EMAIL PROTECTED]; Sat, 29 Mar 2008 10:30:30 +0100 (CET)
Subject: test
Message-Id: [EMAIL PROTECTED]
Date: Sat, 29 Mar 2008 10:30:30 +0100 (CET)
From: [EMAIL PROTECTED]
To: undisclosed-recipients:;
ipv4 !



Here's the header of a mail sent via the same test server using ipv6:
Received: from localhost (localhost.localdomain [127.0.0.1])
by core.csnu.org (Postfix) with ESMTP id D10B630053
for [EMAIL PROTECTED]; Sat, 29 Mar 2008 10:28:41 +0100 (CET)
Received: from core.csnu.org ([127.0.0.1])
by localhost (core.csnu.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id I7IY+kPn6tUz for [EMAIL PROTECTED];
Sat, 29 Mar 2008 10:28:40 +0100 (CET)
Received: from csnu.org (cl-304.bru-01.be.sixxs.net
[IPv6:2001:6f8:202:12f::2])
by core.csnu.org (Postfix) with ESMTP id 387D32FFE0
for [EMAIL PROTECTED]; Sat, 29 Mar 2008 10:28:26 +0100 (CET)
Subject: test ipv6
Message-Id: [EMAIL PROTECTED]
Date: Sat, 29 Mar 2008 10:28:26 +0100 (CET)
From: [EMAIL PROTECTED]
To: undisclosed-recipients:;
ipv6 !



A spfquery check :
core:~# spfquery -V
spfquery version 2.501 (using Mail::SPF)
core:~# spfquery --mfrom [EMAIL PROTECTED] --ip-address 2001:6f8:202:12f::2
softfail
csnu.org: Sender is not authorized by default to use '[EMAIL PROTECTED]' in
'mfrom' identity, however domain is not currently prepared for false
failures (mechanism '~all' matched)
csnu.org: Sender is not authorized by default to use '[EMAIL PROTECTED]' in
'mfrom' identity, however domain is not currently prepared for false
failures (mechanism '~all' matched)
Received-SPF: softfail (csnu.org: Sender is not authorized by default to
use '[EMAIL PROTECTED]' in 'mfrom' identity, however domain is not currently
prepared for false failures (mechanism '~all' matched))
receiver=core.csnu.org; identity=mfrom; envelope-from=[EMAIL PROTECTED];
client-ip=2001:6f8:202:12f::2








Re: SARE stock

2008-03-29 Thread Michael Scheidell
 From: [EMAIL PROTECTED]
 Date: 29 Mar 2008 05:53:21 -
 To: users@spamassassin.apache.org
 Subject: SARE stock

 SARE_PROLOSTOCK_SYM3 traps on ISMN (international standard Music number,
 similar to ISBN)
 I just got an order confirmation from a music book store with a pretty high
 score

Easy fix:  
In local.cf

score SARE_PROLOSTOCK_SYM3 0

Then restart spamd/amavisd/ spamassassin

-- 
Michael Scheidell, CTO
|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium




Re: SARE stock

2008-03-29 Thread Raymond Dijkxhoorn

Hi!


similar to ISBN)
I just got an order confirmation from a music book store with a pretty high
score


Easy fix:
In local.cf

score SARE_PROLOSTOCK_SYM3 0


And we will update the rule also. In my local version of the rule I could 
not even find that string, so it might be a SARE update that was 
missed.


Thanks for reporting.

Bye,
Raymond.


Re: SARE stock

2008-03-29 Thread mouss

Raymond Dijkxhoorn wrote:

Hi!


similar to ISBN)
I just got an order confirmation from a music book store with a 
pretty high

score


Easy fix:
In local.cf

score SARE_PROLOSTOCK_SYM3 0


And we will update the rule also. In my local version of the rule I 
could not even find that string, so it might be a SARE update that 
was missed.


maybe you can replace with IFST?

cite
IFSA Strongman, Inc. will Change its Ticker to IFST from ISMN
11/16/2007

Effective November 19, 2007, IFSA Strongman, Inc. will change its OTCPK 
stock ticker symbol to IFST from ISMN.

/cite





Re: Howto stop SPF_FAIL from internal network?

2008-03-29 Thread Benny Pedersen

On Thu, March 27, 2008 11:28, Enrico Scholz wrote:
 Benny Pedersen [EMAIL PROTECTED] writes:

 spamassassin 2>&1 -D spf -t /tmp/msg > /tmp/msg.spf.debug

 post the debug file

 https://www.cvg.de/people/ensc/spf_fail.txt

info: generic: trusted_networks doesn't contain msa_networks entry
'192.168.0.0/16'

this is fail

and disable plugins that are not installed anyway in the pre files

this line here I don't like

dbg: metadata: X-Spam-Relays-External: [ ip=192.168.3.24
rdns=ensc-virt.intern.sigma-chemnitz.de
helo=ensc-virt.intern.sigma-chemnitz.de by=mail.cvg.de ident= envfrom= intl=0
id=m2RA9lJc010009 auth= msa=0 ]

that ip can't be external :/

is the problem that you have non route ip in the wan ip nic as alias ?

show me netstat -nr or ip addr show and ip route show


 (full debug with configuration of

 | $ sed '/^\(#.*\)\?$/d' ~/.spamassassin/user_prefs
 | internal_networks   62.153.82.30
 | trusted_networks    62.153.82.30
 | trusted_networks    192.168.8.0/23

ups ? (too wide)

 | trusted_networks    !192.168.3.0/24
 | msa_networks        192.168.0.0/16

 result is SPF_NEUTRAL now as I added 192.168.0.0 net to SPF
 entry)

non route ip range makes no sense in spf


Benny Pedersen



Re: Howto stop SPF_FAIL from internal network?

2008-03-29 Thread Enrico Scholz
Benny Pedersen [EMAIL PROTECTED] writes:

 https://www.cvg.de/people/ensc/spf_fail.txt

 info: generic: trusted_networks doesn't contain msa_networks entry 
 '192.168.0.0/16'

 this is fail

You mean, that this is a bug in Spamassassin?


 this line here I don't like

 dbg: metadata: X-Spam-Relays-External: [ ip=192.168.3.24 
 rdns=ensc-virt.intern.sigma-chemnitz.de 
 helo=ensc-virt.intern.sigma-chemnitz.de by=mail.cvg.de ident= envfrom= intl=0 
 id=m2RA9lJc010009 auth= msa=0 ]

 that ip can't be external :/

That's the internal/private host which sends the mail and generates
the SPF_FAIL.  There is no reason/way to make it external.


 result is SPF_NEUTRAL now as I added 192.168.0.0 net to SPF
 entry)

 non route ip range makes no sense in spf

... but seems to be the easiest way to prevent the false
SPF_FAIL...



Enrico
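
The configuration quoted in this thread, checked mechanically. This is an added example, not SpamAssassin code and not written by either poster; the first-match lookup and the helper names are assumptions made for illustration. It reproduces the two findings from the debug output: the `msa_networks` entry is not covered by `trusted_networks`, and the relay 192.168.3.24 matches no included trusted entry, so it is listed as external.

```python
# Added illustration: evaluates the user_prefs values quoted in the thread.
import ipaddress

TRUSTED = ["62.153.82.30", "192.168.8.0/23", "!192.168.3.0/24"]
INTERNAL = ["62.153.82.30"]
MSA = ["192.168.0.0/16"]


def parse(entries):
    """Turn entries into (network, included) pairs; '!' marks an exclusion."""
    pairs = []
    for entry in entries:
        included = not entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        pairs.append((net, included))
    return pairs


def contains(entries, ip):
    """First matching entry decides (assumed lookup order, see lead-in)."""
    addr = ipaddress.ip_address(ip)
    for net, included in parse(entries):
        if addr in net:
            return included
    return False


def uncovered_msa(msa, trusted):
    """msa_networks entries that no included trusted network fully covers."""
    included = [net for net, ok in parse(trusted) if ok]
    return [str(m) for m, _ in parse(msa)
            if not any(m.subnet_of(t) for t in included)]


def classify(ip):
    """Label a relay the way the X-Spam-Relays-* debug lines group them."""
    if contains(INTERNAL, ip):
        return "internal"
    if contains(TRUSTED, ip):
        return "trusted"
    return "external"


if __name__ == "__main__":
    print("uncovered msa_networks:", uncovered_msa(MSA, TRUSTED))
    for relay in ("192.168.3.24", "192.168.8.10", "62.153.82.30"):
        print(relay, "->", classify(relay))
```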


Re: -2.6 bayes_00

2008-03-29 Thread Matus UHLAR - fantomas
On 28.03.08 15:45, Jean-Paul Natola wrote:
 Why does this hit on the most OBVIOUS  messages?

what's obvious? the score may indicate FP, as long as FN

 Its almost an oxymoron
 
 How can all these rules get triggered

quite easy. *chickenpox* often hits non-English.
BAYES must be trained, otherwise it might start hitting _00 because new
spam phrases appear and old ones disappear
 
 0.6 J_CHICKENPOX_34BODY: 3alpha-pock-4alpha
   0.6 J_CHICKENPOX_64BODY: 6alpha-pock-4alpha
   0.6 J_CHICKENPOX_82BODY: 8alpha-pock-2alpha
   -2.6 BAYES_00   BODY: Bayesian spam probability is 0 to
 1%
   [score: 0.]
   1.4 ADVANCE_FEE_2  Appears to be advance fee fraud (Nigerian
 419)
   1.7 SARE_FRAUD_X3  Matches 3+ phrases commonly used in fraud
 spam
   1.7 SARE_FRAUD_X4  Matches 4+ phrases commonly used in fraud
 spam
   0.1 TO_CC_NONE No To: or Cc: header
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody