Re: Failed to check the emails

2008-03-31 Thread Loren Wilton

It sounds like a config issue. It would pay to do a "spamassassin -D
--lint". This will produce a lot of output, but it is worth reading and
understanding all of the information, to be able to parse it for errors.


Actually just 'spamassassin --lint' might be a good thing to do, being sure 
to run under the correct usercode.  This should have no output if things 
are right.


   Loren



Re: Help Help Help, 1 month trying to figure it out and still no luck

2008-03-31 Thread Loren Wilton

The headers are like this


Post a COMPLETE email somewhere like pastebin that we can look at. Don't 
manually separate it into headers and body, let us look at it and see what 
it *really* looks like.


The complaint here is that the header-body separator is missing or 
incorrect, so we need to see what should be there.  The correct separator is 
0A0D0A0D - that is, a cr/lf on the end of the last line of the headers, 
*immediately* followed by a second cr/lf pair.  If there is a tab or a space 
or a whole line of spaces or anything else, it isn't a valid header-body 
separator.  If it is just Unix newline characters of 0A0A then it is 
technically incorrect, but depending on how SA is called it may or may not 
work.  Having things mixed like 0A0D for all the header lines and just 0A 
for the separator probably won't work either.


So we need to see what the mail really looks like as it goes into SA.

   Loren



From [EMAIL PROTECTED] Mon Mar 31 14:51:29 2008

Return-Path: <[EMAIL PROTECTED]>
Authentication-Results: mta223.mail.mud.yahoo.com  from=pousada.com.br;
domainkeys=neutral (no sig)
Received: from 64.202.189.171  (HELO
k2smtpout03-01.prod.mesa1.secureserver.net) (64.202.189.171)
 by mta223.mail.mud.yahoo.com with SMTP; Mon, 31 Mar 2008 14:51:31 -0700
Received: (qmail 22885 invoked from network); 31 Mar 2008 21:51:30 -
Received: from unknown (HELO Pousada.com.br.secureserver.net)
(72.167.52.118)
 by k2smtpout03-01.prod.mesa1.secureserver.net (64.202.189.171) with ESMTP;
31 Mar 2008 21:51:30 -
Received: (qmail 3150 invoked by uid 48); 31 Mar 2008 14:51:29 -0700
Date: 31 Mar 2008 14:51:29 -0700
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject:  Solicitacao de Informacoes ou de Reserva Enviada
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Content-type: text/plain; charset=iso-8859-1
Content-Length: 766

and the body like this

Obrigado por utilizar o Pousada.com.br!

Sua solicitacao de informacoes ou de reserva foi enviada para Pousada do
Anão II

Voce pode entrar em contato direto com esta pousada, ligue para (51)
- ou mande um e-mail para  [EMAIL PROTECTED]

Nos ajude a manter o Pousada.com.br funcionando! Ao entrar em contato
diretamente com a pousada, nao se esqueca de avisa-los que voce encontrou a
pousada atraves do nosso website!

Seguem os detalhes da sua solicitacao:

Nome: test
Endereco: test
Pais: Brazil
Telefone: uu
E-mail: [EMAIL PROTECTED]
Data de Chegada: 31/03/2008
Data de Saída: 01/04/2008
Numero de Hospedes: 2
Mensagem: [EMAIL PROTECTED]

Desejamos a você uma boa estadia,

Atenciosamente,

Equipe do Pousada.com.br

Does anybody know why this is happening, thanks for the help..
--
View this message in context: 
http://www.nabble.com/Help-Help-Help%2C-1-month-trying-to-figure-it-out-and-still-no-luck-tp16399235p16399235.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com. 
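
An added example, not part of the original thread: a Python check of a message's raw bytes for the separator cases described in the reply above, where a CR/LF pair is the bytes 0D 0A on the wire. The sample messages and verdict names are constructed for illustration, and the check does not reproduce SpamAssassin's own MISSING_HB_SEP logic.

```python
import re

# RFC 5322 field name: printable ASCII except colon, followed by a colon.
FIELD = re.compile(rb"^[\x21-\x39\x3b-\x7e]+[ \t]*:")
NAMES = {b"\r\n": "CRLF", b"\n": "LF", b"\r": "CR", b"": "none"}


def inspect_separator(raw: bytes):
    """Return (verdict, line_number, header_line_endings) for a raw message."""
    endings = set()
    for n, line in enumerate(raw.splitlines(keepends=True), 1):
        text = line.rstrip(b"\r\n")
        term = NAMES[line[len(text):]]
        if text == b"":
            # A truly empty line ends the headers; judge its terminator.
            if len(endings | {term}) > 1:
                verdict = "mixed"          # e.g. CRLF headers, bare-LF separator
            elif term == "CRLF":
                verdict = "crlf"           # the correct form
            else:
                verdict = "bare-" + term.lower()
            return verdict, n, sorted(endings)
        if text.strip(b" \t") == b"":
            # Spaces or tabs on the "blank" line: not a separator at all.
            return "whitespace-line", n, sorted(endings)
        if not (text[:1] in b" \t" or FIELD.match(text)):
            # Neither "Name: value" nor a folded continuation, e.g. an
            # mbox "From " line or body text that starts without a blank line.
            return "non-header-line", n, sorted(endings)
        endings.add(term)
    return "missing", None, sorted(endings)


# Constructed sample messages (not taken from the thread).
GOOD = b"From: a@example.com\r\nSubject: test\r\n\r\nbody\r\n"
UNIX = GOOD.replace(b"\r\n", b"\n")
MIXED = b"From: a@example.com\r\nSubject: test\r\n\nbody\n"
SPACES = b"From: a@example.com\r\nSubject: test\r\n \t\r\nbody\r\n"
MBOX = (b"From: a@example.com\r\n"
        b"From sender@example.com Mon Mar 31 14:51:29 2008\r\n"
        b"Subject: test\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("unix", UNIX), ("mixed", MIXED),
                       ("spaces", SPACES), ("mbox", MBOX)]:
        print(label, inspect_separator(msg))
```

Run it on the bytes exactly as they are handed to SA (for example a file written by the delivery script), not on text copied out of a mail client, which normalizes line endings.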



Re: [offtopic] Are 8-bit characters completely illegal in a raw message?

2008-03-31 Thread Derek Harding
On Mon, 2008-03-31 at 16:32 -0700, SM wrote:
> Hi Vitas,
> At 09:27 31-03-2008, [EMAIL PROTECTED] wrote:
> >So, as I've found in RFC's all header fields in message should be 
> >encoded to 7-bit data. In addition my SMTP server does *not* support 
> >8-bit MIME for incoming e-mail.
> 
> The message body should be 7-bit only as well.  See RFC 2822.

Unless, as has already been mentioned, 8BITMIME is negotiated during the
SMTP transaction.

Derek




Re: FP on RCVD_IN_DNSWL_MED

2008-03-31 Thread Matt Kettler

Probably an issue to take up with the DNSWL folks..

Unless of course onored.com is running a mailing list, or mail 
forwarding service for you. At which point, you should add them to your 
trusted_networks so that SA doesn't test them, but the host dropping 
mail off at their network..


However, it does appear onored has been abused recently, and probably 
needs their DNSWL status reviewed:


http://groups.google.com/group/news.admin.net-abuse.sightings/search?group=news.admin.net-abuse.sightings&q=onored.com&qt_g=Search+this+group


Jason Bertoch wrote:

Received: from empmaa01.ono.com (smtp.onored.com [62.42.230.27])
by mail-bsv.electronet.net (8.14.2/8.14.2) with ESMTP id
m2VAmulO029024
for <[EMAIL PROTECTED]>; Mon, 31 Mar 2008 06:49:02 -0400
Received: from empprs01 (62.42.230.186) by empmaa01.ono.com (7.3.118.8)
id 47D9043E00B8800C; Mon, 31 Mar 2008 12:17:02 +0200
Message-ID: <[EMAIL PROTECTED]>
Date: Mon, 31 Mar 2008 12:17:02 +0200 (CEST)
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: I have set aside 30% for you and for your time.
MIME-Version: 1.0
Content-Type: text/plain;charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -1.83 () BAYES_50,DCC_CHECK,RCVD_IN_DNSWL_MED,SPF_PASS
Bcc:
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 31 Mar 2008 10:47:08.0457 (UTC)
FILETIME=[91349990:01C8931C]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2008 6:17 AM

Subject: I have set aside 30% for you and for your time.

I have set aside 30% for you and for your time. 


contact this E-Mail for more details

E-Mail:[EMAIL PROTECTED]
God be with you. 
Yousuf Abdul-Aziz.



  




Re: [offtopic] Are 8-bit characters completely illegal in a raw message?

2008-03-31 Thread SM

Hi Vitas,
At 09:27 31-03-2008, [EMAIL PROTECTED] wrote:
So, as I've found in RFC's all header fields in message should be 
encoded to 7-bit data. In addition my SMTP server does *not* support 
8-bit MIME for incoming e-mail.


The message body should be 7-bit only as well.  See RFC 2822.

Regards,
-sm 



Help Help Help, 1 month trying to figure it out and still no luck

2008-03-31 Thread poohah

Ok I'm desperate, extremely desperate, I have made a good program and I am
having massive troubles with SpamAssassin stopping my emails.

I am getting this

· SpamAssassin Audit
-Missing blank line between message header and body
This typically indicates that a header line has had a newline inserted
incorrectly somehow, or a mailbox "From" line has
been inserted.
Remedy: Make sure your headers comply with RFC-822 and that your mail
software has not inserted an additional line.
-Failure Details
MISSING_HB_SEP


The headers are like this

>From [EMAIL PROTECTED] Mon Mar 31 14:51:29 2008
Return-Path: <[EMAIL PROTECTED]>
Authentication-Results: mta223.mail.mud.yahoo.com  from=pousada.com.br;
domainkeys=neutral (no sig)
Received: from 64.202.189.171  (HELO
k2smtpout03-01.prod.mesa1.secureserver.net) (64.202.189.171)
  by mta223.mail.mud.yahoo.com with SMTP; Mon, 31 Mar 2008 14:51:31 -0700
Received: (qmail 22885 invoked from network); 31 Mar 2008 21:51:30 -
Received: from unknown (HELO Pousada.com.br.secureserver.net)
(72.167.52.118)
  by k2smtpout03-01.prod.mesa1.secureserver.net (64.202.189.171) with ESMTP;
31 Mar 2008 21:51:30 -
Received: (qmail 3150 invoked by uid 48); 31 Mar 2008 14:51:29 -0700
Date: 31 Mar 2008 14:51:29 -0700
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject:  Solicitacao de Informacoes ou de Reserva Enviada
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Content-type: text/plain; charset=iso-8859-1
Content-Length: 766

and the body like this

Obrigado por utilizar o Pousada.com.br!

Sua solicitacao de informacoes ou de reserva foi enviada para Pousada do
Anão II

Voce pode entrar em contato direto com esta pousada, ligue para (51)
- ou mande um e-mail para  [EMAIL PROTECTED]

Nos ajude a manter o Pousada.com.br funcionando! Ao entrar em contato
diretamente com a pousada, nao se esqueca de avisa-los que voce encontrou a
pousada atraves do nosso website!

Seguem os detalhes da sua solicitacao: 

Nome: test
Endereco: test
Pais: Brazil
Telefone: uu
E-mail: [EMAIL PROTECTED]
Data de Chegada: 31/03/2008
Data de Saída: 01/04/2008
Numero de Hospedes: 2
Mensagem: [EMAIL PROTECTED]

Desejamos a você uma boa estadia,

Atenciosamente,

Equipe do Pousada.com.br

Does anybody know why this is happening, thanks for the help..



Re: spam dot com

2008-03-31 Thread John Hardin

On Mon, 31 Mar 2008, [EMAIL PROTECTED] wrote:

We have been getting more and more of the soft porn followed by www somesite 
dot com


If you change the url to www.somesite.com surbl catches it.

Any ideas?


Fairly narrow:

   body  LAME_OBFU_URI  /\bwww\s[a-z]{1,40}\sdot\scom\b/

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Perfect Security is unattainable; beware those who would try to sell
  it to you, regardless of the cost, for they are trying to sell you
  your own slavery.
---
 Tomorrow: April Fools' day


spam dot com

2008-03-31 Thread [EMAIL PROTECTED]
We have been getting more and more of the soft porn followed by www 
somesite dot com


If you change the url to www.somesite.com surbl catches it.

Any ideas?


Re: mail from dialups via ISP MTA

2008-03-31 Thread Arvid Ephraim Picciani
On Monday 31 March 2008 22:53:45 Matus UHLAR - fantomas wrote:
> Such IP's are thus not designed to send mail directly to recipients - users
> have to send mail through mailserver with static IP that can authenticate
> them. 
True. The problem is, that's exactly what happened but SA matched the sender 
anyway because he's in the received headers.  
Someone mentioned trust path but i don't think it's broken. SA matched the 
archlinux server perfectly fine as the first dynhost sending to my trusted 
network.



-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: mail from dialups via ISP MTA

2008-03-31 Thread Matus UHLAR - fantomas
On 31.03.08 18:33, Arvid Ephraim Picciani wrote:
> thanks got it. indeed the archlinux server looks like a dynip, so that match 
> is perfectly fine.

> for the original sender i wonder why NJABL is listing dynips. someone run
> an open proxy on a dynamic host and now everyone getting that ip has to
> suffer?

It's practically impossible to blacklist user/host behind dynamic IP, unless
blacklisting them all. You can never know who really is behind the IP,
because that can change every few minutes.

Actually NJABL does provide 'dynablock' list but it's obsolete and was
passed to spamhaus (included in PBL). SORBS and MAPS have also their own
dynamic IP lists, the one in SORBS comes from the same source
(dynablock.easynet.nl iirc) but contains more IPs and seems to be better
maintained.

Such IP's are thus not designed to send mail directly to recipients - users
have to send mail through mailserver with static IP that can authenticate
them. They can't even receive mail, unless running kind of dyndns service,
but there can be problems with it...

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good. 


Re: mail from dialups via ISP MTA

2008-03-31 Thread Arvid Ephraim Picciani
thanks got it. indeed the archlinux server looks like a dynip, so that match 
is perfectly fine.
for the original sender i wonder why NJABL is listing dynips. someone run an 
open proxy on a dynamic host and now everyone getting that ip has to suffer?
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: [offtopic] Are 8-bit characters completely illegal in a raw message?

2008-03-31 Thread Matus UHLAR - fantomas
On 31.03.08 20:27, [EMAIL PROTECTED] wrote:
> Sorry for a OFFTOPIC but don't know where to ask this question. I need an 
> RFC's guru help :-)
> 
> So, as I've found in RFC's all header fields in message should be encoded 
> to 7-bit data. In addition my SMTP server does *not* support 8-bit MIME 
> for incoming e-mail.
> 
> The question is in subject - or am I missed some *legal* usage of 8-bit 
> characters (maybe some kind of comments, optional fields, etc)?
> 
> Of course, the goal is to write the rule for SA that will trigger on 8-bit 
> symbols in raw ("raw"="what I've seen in tcpdump output for this message") 
> message.

try RFC 1652 

afaik, raw 8-bit in body is allowed, transfer must be supported by both
client&server, 8-bit in header is not allowed, must be encoded.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm. 
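
The header/body distinction drawn in this thread, as an added Python example that is not part of any poster's message: it counts raw 8-bit bytes per header field (following folded continuation lines) and in the body, then flags them according to whether 8BITMIME was negotiated. It assumes CRLF line endings; the sample messages, the problem strings and the `eightbitmime_negotiated` flag (standing for what the SMTP session showed) are constructed for illustration.

```python
def find_8bit(raw: bytes):
    """Return ({field_name: count}, body_count) of bytes above 0x7F."""
    head, _, body = raw.partition(b"\r\n\r\n")
    header_hits = {}
    name = ""
    for line in head.split(b"\r\n"):
        if line[:1] not in (b" ", b"\t"):
            # New field; folded continuation lines keep the previous name.
            name = line.split(b":", 1)[0].decode("ascii", "replace")
        count = sum(b > 0x7F for b in line)
        if count:
            header_hits[name] = header_hits.get(name, 0) + count
    return header_hits, sum(b > 0x7F for b in body)


def violations(raw: bytes, eightbitmime_negotiated: bool):
    """List the problems, in header order, then the body problem if any."""
    header_hits, body_hits = find_8bit(raw)
    # Raw 8-bit in a header is never acceptable; it must be encoded.
    problems = [f"raw 8-bit in header field {name}" for name in header_hits]
    # Raw 8-bit in the body needs 8BITMIME on both client and server.
    if body_hits and not eightbitmime_negotiated:
        problems.append("8-bit body sent without 8BITMIME")
    return problems


# Constructed samples: ISO-8859-1 bytes 0xE3 (a-tilde) and 0xED (i-acute).
RAW_HEADER = (b"From: a@example.com\r\n"
              b"Subject: An\xe3o\r\n"
              b"\tfolded \xe3\xe3\r\n"
              b"\r\n"
              b"Data de Sa\xedda\r\n")
ENCODED_HEADER = (b"From: a@example.com\r\n"
                  b"Subject: =?iso-8859-1?Q?An=E3o?=\r\n"
                  b"\r\n"
                  b"Data de Sa\xedda\r\n")

if __name__ == "__main__":
    for label, msg in [("raw header", RAW_HEADER), ("encoded", ENCODED_HEADER)]:
        for negotiated in (False, True):
            print(label, negotiated, find_8bit(msg), violations(msg, negotiated))
```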


[offtopic] Are 8-bit characters completely illegal in a raw message?

2008-03-31 Thread vitas1
Hi to all. 

Sorry for a OFFTOPIC but don't know where to ask this question. I need an 
RFC's guru help :-)

So, as I've found in RFC's all header fields in message should be encoded 
to 7-bit data. In addition my SMTP server does *not* support 8-bit MIME 
for incoming e-mail.

The question is in subject - or am I missed some *legal* usage of 8-bit 
characters (maybe some kind of comments, optional fields, etc)?

Of course, the goal is to write the rule for SA that will trigger on 8-bit 
symbols in raw ("raw"="what I've seen in tcpdump output for this message") 
message.


Thanks in advance. Vitas.

Re: Applications file for Last Week

2008-03-31 Thread Larry Starr
Yup, 37 years of experience does not make one immune to Monday morning 
stupidity!

I'm answering, off list, in the hope that I won't fan the flames any further!

Have a good day.

On Monday 31 March 2008 09:54, Arthur Dent wrote:
> On Mon, Mar 31, 2008 at 09:42:35AM -0500, Larry Starr wrote:
> > I'm not sure who, at GE, this should be addressed to, however:
> >
> > We normally download an Activations file each Monday morning at 10:00.
> >
> > Occasionally, for whatever reason, the file isn't available when my
> > automatic download runs and I have downloaded it as late as Tuesday
> > afternoon.
> >
> > Last week, Monday March 24, there was no file available, and, as of
> > Friday there was still no file available.
> >
> > Can you tell me why this was true or, if not, can you tell me who this
> > should be addressed to?
> >
> > Thank you,
> > --
> > Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
> > Software Engineer: Full Compass Systems LTD.
> > Phone: 608-831-7330 x 1347  FAX: 608-831-6330
> > ===
> > There are only three sports: bullfighting, mountaineering and motor
> > racing, all the rest are merely games! - Ernest Hemmingway
>
> Boy am I looking forward to the replies to this one!
>
> Sorry Larry, we all press the wrong button from time to time but this is
> a very public way to do it!
>
> Good luck!

-- 
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemmingway


Re: Applications file for Last Week

2008-03-31 Thread Larry Starr
I must apologize.  I sent the earlier message to our contacts at GE.  
Unfortunately I seem to have suffered an address-book malfunction which 
resulted in a list of recipients that should NOT have been sent this 
message.

If you are on that list, and have no idea what I was talking about, please 
accept my apology and ignore the message.

Thank you,
-- 
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemmingway


Re: Applications file for Last Week

2008-03-31 Thread Arthur Dent
On Mon, Mar 31, 2008 at 09:42:35AM -0500, Larry Starr wrote:
> I'm not sure who, at GE, this should be addressed to, however:
> 
> We normally download an Activations file each Monday morning at 10:00.
> 
> Occasionally, for whatever reason, the file isn't available when my automatic 
> download runs and I have downloaded it as late as Tuesday afternoon.
> 
> Last week, Monday March 24, there was no file available, and, as of Friday 
> there was still no file available.
> 
> Can you tell me why this was true or, if not, can you tell me who this should 
> be addressed to?
> 
> Thank you,
> -- 
> Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
> Software Engineer: Full Compass Systems LTD.
> Phone: 608-831-7330 x 1347  FAX: 608-831-6330
> ===
> There are only three sports: bullfighting, mountaineering and motor
> racing, all the rest are merely games! - Ernest Hemmingway

Boy am I looking forward to the replies to this one!

Sorry Larry, we all press the wrong button from time to time but this is
a very public way to do it!

Good luck!




Applications file for Last Week

2008-03-31 Thread Larry Starr
I'm not sure who, at GE, this should be addressed to, however:

We normally download an Activations file each Monday morning at 10:00.

Occasionally, for whatever reason, the file isn't available when my automatic 
download runs and I have downloaded it as late as Tuesday afternoon.

Last week, Monday March 24, there was no file available, and, as of Friday 
there was still no file available.

Can you tell me why this was true or, if not, can you tell me who this should 
be addressed to?

Thank you,
-- 
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemmingway


FP on RCVD_IN_DNSWL_MED

2008-03-31 Thread Jason Bertoch
Received: from empmaa01.ono.com (smtp.onored.com [62.42.230.27])
by mail-bsv.electronet.net (8.14.2/8.14.2) with ESMTP id
m2VAmulO029024
for <[EMAIL PROTECTED]>; Mon, 31 Mar 2008 06:49:02 -0400
Received: from empprs01 (62.42.230.186) by empmaa01.ono.com (7.3.118.8)
id 47D9043E00B8800C; Mon, 31 Mar 2008 12:17:02 +0200
Message-ID: <[EMAIL PROTECTED]>
Date: Mon, 31 Mar 2008 12:17:02 +0200 (CEST)
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: I have set aside 30% for you and for your time.
MIME-Version: 1.0
Content-Type: text/plain;charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -1.83 () BAYES_50,DCC_CHECK,RCVD_IN_DNSWL_MED,SPF_PASS
Bcc:
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 31 Mar 2008 10:47:08.0457 (UTC)
FILETIME=[91349990:01C8931C]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2008 6:17 AM
Subject: I have set aside 30% for you and for your time.

I have set aside 30% for you and for your time. 

contact this E-Mail for more details

E-Mail:[EMAIL PROTECTED]
God be with you. 
Yousuf Abdul-Aziz.



Re: -2.6 bayes_00

2008-03-31 Thread Matt Kettler

Jean-Paul Natola wrote:

i have site-wide config, as I only filter the mail and pass it on to
exchange- no ind users setup 
  

Ok, so you're using a bayes_path and bayes_file_mode in your config?

Or are you always force-running SA as one non-root user, and su'ing to 
that user for your training?


 
 
I run  sa-learn --spam --showdots

Seems reasonable. As long as one of the above is true, and you're 
feeding it real messages ie: not forwarded or otherwise mangled by 
exchange. You need the full, raw message with complete original mail 
headers.


You might want to try running it through spamassassin on the command 
line and make sure it matches BAYES_00 there too. If it matches BAYES_99 
on the command line, but BAYES_00 at delivery time, there's something 
that isn't matching up between your training and the inbound email.






Re: mail from dialups via ISP MTA

2008-03-31 Thread Matt Kettler

Henrik K wrote:

On Sun, Mar 30, 2008 at 07:23:17PM -0400, Matt Kettler wrote:
  




There is nothing wrong.

The overzealous RDNS_DYNAMIC rule hits the first one like it should. 
Well, actually, it's matching the archlinux list server. It is not 
matching the gmail users home IP. This test matches only the first 
untrusted host. ie: the machine dropping mail off at your MX.


The archlinux.org list server appears to reverse DNS as 
66-211-213-17.velocity.net, which is a sure-fire match for RDNS_DYNAMIC, 
and is also the host that dropped mail off at your domain.


You might want to encourage the archlinux guys to get their hosting 
provider to set up a non-generic reverse DNS for the server.


That said, RDNS_DYNAMIC was only 0.1 of the score of this message.


Then
those RCVD_IN rules check all Received-headers, thus matching the IP that
sent to gmail.
  
True. RCVD_IN_NJABL_PROXY will match any header. The sender is emailing 
from an IP that's had a verified open proxy running on it.


Also, the fact that 201.20.219.97 did not have a reverse lookup also 
guarantees that RDNS_DYNAMIC could not possibly match it. There is no 
RDNS in the headers, so there's nothing to match.



TVD_RCVD_IP will also match any header, but it would appear to be 
matching the list server as well. 66-211-213-17.velocity.net should 
match the rule.





Re: all emails are tagged SPAM

2008-03-31 Thread Fakrul Alam

I follow the instructions and it works for me.
Thanks buddy

Fakrul Alam


sm-7 wrote:
> 
> At 23:03 26-03-2008, Umar Murtaza wrote:
>>I have SpamAssassin 3.2.4 running on RedHat. It has been running fine, 
>>until last night when all the emails started getting tagged as SPAMs.
>>
>>Any idea where should i start looking for?
>>
>>I am using:
>>
>>sendmail-cf-8.13.1-3.2.el4
>>sendmail-8.13.1-3.2.el4
>>mailscanner-4.62.9-3
> 
> Mailscanner is using the relays.ordb.org DNSBL.  That DNSBL is 
> returning a positive response for all queries which is why all your 
> emails are being tagged as Spam.  Remove that DNSBL from your 
> Mailscanner configuration.
> 
> Regards,
> -sm 
> 
> 
> 
