Re: FP on RCVD_IN_DNSWL_MED

2008-04-05 Thread Matthias Leisi

Hi list,

FPs on the DNSWL.org rules can be handled best if sent to admins -at-
dnswl.org.

I took up this one, should be resolved shortly (or the entry disabled,
depending on the actual value of shortly...).

Thanks,
- -- Matthias




Re: auto-whitelist: open of auto-whitelist file failed

2008-04-05 Thread Yves Goergen

On 05.04.2008 01:18 CE(S)T, Matt Kettler wrote:
> Spamd will never be able to access anything in /root/. 3.1.8 shouldn't 
> have been able to do so any more than 3.2.4 could, but that might have 
> been a bug..

Must have been a bug, yes.

> If you're always scanning mail as one user, you can create a 
> non-privileged user account and pass that after the -u parameter to 
> either spamd (ie: in your startup script) or to spamc (ie: in your 
> scan-time calls).

Okay, that works. I've created a new user+group with its own home 
directory, moved the .spamassassin directory from /root into there, 
chown'ed it and then started spamd again.

> Just remember to su to that user when running sa-learn.

This is getting a problem now! My spamd user has no access on the 
mailbox directories from which I am usually learning. What's the 
proposed solution for that?

>> What's the problem? Before the upgrade, I removed all traces from SA 
>> on the system (locate  rm -rf). 
> That was probably unnecessary.. SA will blow itself away if it's already 
> present when you go to install it. The only time you run into trouble is 
> if you change the PREFIX, and end up with one installed in /usr/ and the 
> other in /usr/local.

Switching from CPAN to the tarball, I wasn't sure if this would change.

--
Yves Goergen LonelyPixel [EMAIL PROTECTED]
Visit my web laboratory at http://beta.unclassified.de


Re: dns tests and scoring info for modification

2008-04-05 Thread mouss

Robert - elists wrote:
>> don't modify standard rule files.
>>
>> instead, create a /path/to/site/rules/scores.cf (same directory where 
>> you have local.cf) and override the scores there (use a 0 score to 
>> disable a test). look at 50_scores.cf to get an idea.
>>
>> I hope you have valid reasons to disable network tests. they are 
>> really useful.
>
> Mouss
>
> I wouldn't
>
> I am not concerned with URI tests, I am concerned with dns RBL tests.
>
> We already have them off by default as we have another rbl checking system
> before it hits SA.
>
> Much more effective to reject there.
>
> I just need to know where all the dns RBL tests are and if they are just in
> one file, or many.
>
> It appears just one file.

almost all scores are in  $path/to/share/spamassassin/50_scores.cf.

# egrep "_(SBL|XBL|PBL|SPAMCOP|DSBL|SORBS|NJABL|AHBL|MAPS)" \
    /path/to/share/spamassassin/50_scores.cf | grep -v URIBL | \
    awk '{print "score " $2 " 0"}' > scores.cf

should do (MAPS is already disabled in the default config).

> Once I know that, then I can search out all the scoring issues and zero them
> out in local.cf or something that would not get overwritten on update.
>
> Thanks
>
>  - rh

  




Re: Blank messages

2008-04-05 Thread mouss

Ed Kasky wrote:
> On Fri, 4 Apr 2008, Matt Kettler wrote:
>> SM wrote:
>>> At 04:46 04-04-2008, Matt Kettler wrote:
>>>> However, in this case it looks purely accidental. That appears to 
>>>> be a legitimate HTML document, or at least doesn't appear to be 
>>>> intentionally malformed.
>>>
>>> In this case, the message wasn't formatted correctly as it's going 
>>> to be rendered as a blank message (excluding attachments) by most MUAs.
>>
>> Out of curiosity, did you spot where the error in the formatting is? 
>> I looked at the message and failed to spot it...
>
> Not real sure but could it have something to do with the boundary?
>
> Content-Type: multipart/alternative;
>  boundary=--6622964ADDB6E4
> Received-SPF: none (yoda.wrenkasky.com: domain of 
> [EMAIL PROTECTED] does not designate permitted sender hosts)
> X-Virus-Scanned: ClamAV 0.92.1/6568/Thu Apr  3 09:12:56 2008 on 
> yoda.wrenkasky.com
>
> X-Virus-Status: Clean
> Content-Length: 3009
> Status: RO
> X-Status:
> X-Keywords:
> X-UID: 2
>
> 6622964ADDB6E4
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: quoted-printable
>
> Ahn nyeong,
> ^^ this is where the text started but for me was only visible 
> if I viewed full headers in pine or viewed the raw message...

I see no problem with the boundary. can you configure your mailers to 
show text instead of html and try again?

For info, thunderbird shows the message (not blank). didn't test with 
other MUAs.


Re: somone running spamtraps?

2008-04-05 Thread Arvid Ephraim Picciani
On Friday 04 April 2008 15:05:37 Giampaolo Tomassoni wrote:
> I wouldn't do that: you risk your own inet address to be reported as a spam
> source: most spamtraps are not smart enough to understand you are trying to
> help...

It's ok. we're going to throw that domain away anyway. weird thing is we 
didn't even have anything finished on it.

> Why don't you open a reporting account (free) in spamcop (www.spamcom.net)
> and report those messages there?

good idea. thanks

On Friday 04 April 2008 18:13:59 Benny Pedersen wrote:
> http://www.clamav.org/ submit a file
>
> lets kill that worm now :=)

will do. thanks.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: Blank messages

2008-04-05 Thread Michelle Konzack
Hmmm, maybe you should decrease the score?

On 2008-04-03 12:47:12, Ed Kasky wrote:
> I can't seem to catch these emails with blank bodies.  I upped the 
> BLANK_LINES_80_90 score to 3 but the email below didn't get a hit off the 
> rule.
> 
> Is there another rule that I don't know about that is designed for 
> blank message bodies?
> 
> Thanks in advance on this one.  These things have been plaguing me 
> for some time and no matter how many I run through sa-learn, they 
> never seem to score above a 5...
> 
> Return-Path: [EMAIL PROTECTED]
> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on 
> yoda.wrenkasky.com
> X-Spam-Level: *
> X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
  ^ 
Here, your E-Mail WAS in the spamfolder I am currently checking...

> RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4
snip

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: Blank messages

2008-04-05 Thread SM

At 16:12 04-04-2008, Matt Kettler wrote:
> Out of curiosity, did you spot where the error in the formatting is? 
> I looked at the message and failed to spot it...

My initial reply was incorrect as it's not a MIME related problem.  I 
viewed the message again after your question.

There's an extra double-quote in the META line.  The HTML is 
malformed which is why the message appears empty in Eudora's built-in viewer.

At 16:23 04-04-2008, Ed Kasky wrote:
> Not real sure but could it have something to do with the boundary?

The boundary is correct.

Regards,
-sm 



eudora and password

2008-04-05 Thread dooley2

hello all,

installed current win version on an xp box, using last paid version of
eudora, inserted 127.0.0.1 in place of POP3 mail server as advised in
manual, but eudora wants a password every time one changes a server
name, and I cannot find one that works.

meaning, I am the admin on this machine, tried my log on (in windows
password) and it doesn't work. tried the pop 3 password (which works with
normal settings) for the server and it doesn't work either. in both cases,
eudora never completes the log in via the spam assassin proxy, to get my
mail.

what, please, should I do?

thanks

dooley
-- 
View this message in context: 
http://www.nabble.com/eudora-and-%22password%22-tp16518109p16518109.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Spam abuse report plugin

2008-04-05 Thread Matus UHLAR - fantomas
On 05.04.08 02:04, Benny Pedersen wrote:
> On Fri, April 4, 2008 19:22, decoder wrote:
>
>> first hop, thatone might be forged by spammers. So already determining a
>> sure source address is something that can hardly be automatised.
>
> well amavisd get the origin ip, and relay ip, why cant spamassassin not use
> that aswell ?

the origin IP can be faked and there may be more relays...
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average. 


Re: Spam abuse report plugin

2008-04-05 Thread Matus UHLAR - fantomas
On 04.04.08 12:16, Eddy Beliveau wrote:
> This subject is very interesting
>
> I received many spams daily and have to manually analyse headers or email 
> content to be able to send abuse report
>
> Is there a tool which can do this for me ?
>
> I imagine some web form (unix/windows) in which I can put a cut/paste of 
> original email (including headers)
> and that tool can prepare abuse complaint automagically.
>
> Does that beast exist ?

what about changing the way? First forward the mail to special address and
then confirm it via webform?

That's how SpamCop works now
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains? 


Re: dns tests and scoring info for modification

2008-04-05 Thread Matus UHLAR - fantomas
>> don't modify standard rule files.
>>
>> instead, create a /path/to/site/rules/scores.cf (same directory where 
>> you have local.cf) and override the scores there (use a 0 score to 
>> disable a test). look at 50_scores.cf to get an idea.
>>
>> I hope you have valid reasons to disable network tests. they are 
>> really useful.

On 04.04.08 12:59, Robert - elists wrote:
> I am not concerned with URI tests, I am concerned with dns RBL tests.

Why not using the skip_rbl_checks option then?

> We already have them off by default as we have another rbl checking system
> before it hits SA.
>
> Much more effective to reject there.

SA checks more blacklists and they can change. It also checks IP's in
Received: headers so it can check different things than you are checking.

I think, even if you do RBL checks on different place, you can still use
them in SA
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool. 


Re: auto-whitelist: open of auto-whitelist file failed

2008-04-05 Thread Matt Kettler

Yves Goergen wrote:
>> Just remember to su to that user when running sa-learn.
>
> This is getting a problem now! My spamd user has no access on the 
> mailbox directories from which I am usually learning. What's the 
> proposed solution for that?

Well, there's a couple of ways to deal with that..

The new fangled way would be to use spamc for learning instead of 
sa-learn.

If you start spamd with the --allow-tell parameter, you can then use 
spamc -L ham, spamc -L spam or spamc -L forget on the message, and it 
will pass it to spamd for learning.

This way you guarantee that the learning runs as the same user you scan 
as. It's also very slightly faster as you don't have to load a perl 
interpreter instance.

Other ways would be:

Make use of groups to grant the user spamd runs as rights to the 
mailboxes. If all the mailboxes have the same group ownership, or you 
can create a group and set them all to it, then just add that to spamd 
user as a supplemental group.

You could also make use of a root cronjob to copy/chown the files 
somewhere that your learner can get to them.

Both of those last approaches have some limitations and won't work in 
all situations, hence I'd suggest the spamc -L method.. However, I do 
caveat that it's a somewhat new feature and I personally have never 
tested it, but several others do use it.





Re: eudora and password

2008-04-05 Thread Matt Kettler

dooley2 wrote:
> hello all,
>
> installed current win version on an xp box, using last paid version of
> eudora, inserted 127.0.0.1 in place of POP3 mail server as advised in
> manual, but eudora wants a password every time one changes a server
> name, and I cannot find one that works.
>
> meaning, I am the admin on this machine, tried my log on (in windows
> password) and it doesn't work. tried the pop 3 password (which works with
> normal settings) for the server and it doesn't work either. in both cases,
> eudora never completes the log in via the spam assassin proxy, to get my
> mail.
>
> what, please, should I do?

Could you at least tell us what proxy you're using, or how this relates 
to SpamAssassin ? (SpamAssassin isn't a proxy, but could be hacked into one)







Re: eudora and password

2008-04-05 Thread dooley2

it is a spam assassin proxy 3.2.3.3., for windows.

respectfully, why would I post the question here unless it had something to
do with spam assassin?

http://wiki.apache.org/spamassassin/SaProxy


Matt Kettler-3 wrote:
> dooley2 wrote:
>> hello all,
>>
>> installed current win version on an xp box, using last paid version of
>> eudora, inserted 127.0.0.1 in place of POP3 mail server as advised in
>> manual, but eudora wants a password every time one changes a server
>> name, and I cannot find one that works.
>>
>> meaning, I am the admin on this machine, tried my log on (in windows
>> password) and it doesn't work. tried the pop 3 password (which works
>> with normal settings) for the server and it doesn't work either. in both
>> cases, eudora never completes the log in via the spam assassin proxy,
>> to get my mail.
>>
>> what, please, should I do?
>
> Could you at least tell us what proxy you're using, or how this relates 
> to SpamAssassin ? (SpamAssassin isn't a proxy, but could be hacked into
> one)

-- 
View this message in context: 
http://www.nabble.com/eudora-and-%22password%22-tp16518109p16520112.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: eudora and password

2008-04-05 Thread Matt Kettler

dooley2 wrote:
> it is a spam assassin proxy 3.2.3.3., for windows.
>
> respectfully, why would I post the question here unless it had something to
> do with spam assassin?

Well, true.. however, from your post it wasn't possible to determine 
much about your setup. It also wasn't even clear you were using SA at 
all, but I assumed you were.

(Note: most folks here, unless you specify otherwise, are going to 
assume you're using SpamAssassin on a unix-like platform with a MTA or 
MDA layer integration, because that's what's common. It was clear from 
your post that's not what you're doing, but it also wasn't possible to 
tell what you are using.)

Regardless, without knowing what proxy I don't think anyone could be of 
much help. After all, your problem isn't with the SA code, it's with the 
proxy code. That's very specific to what proxy you're using.

All I could tell you would be a broad generic statement like the pop3 
password should work, dono why it doesn't. That's not very informative.

> http://wiki.apache.org/spamassassin/SaProxy

That said, based on the version number you posted, I *think* you're 
using SAwin32, which is one of the many proxies mentioned above.

Since this is really a feature of the proxy part of the code, not the SA 
part of the code, you might try their forums:

http://sourceforge.net/forum/?group_id=175673

Someone here might be able to help, but there are not many folks on this 
list using proxies.


Really raw body

2008-04-05 Thread Joseph Brennan


How would I match on a URL like the text below?  This does not work:

rawbody CU_0A /www\.[a-z]+\.(com|cn)=0A=/

Rawbody evidently sees it after it has been decoded from quoted-printable.
The needless use of qp is actually a distinctive sign of this spammer.

Joseph Brennan
Columbia University Information Technology

--


Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable


=0A=
Soma - real expert in fighting muscle pains=0A=
=0A=
www.fordiscountpharm.com=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=





Re: Really raw body

2008-04-05 Thread Matt Kettler

Joseph Brennan wrote:
> How would I match on a URL like the text below?  This does not work:
>
> rawbody CU_0A /www\.[a-z]+\.(com|cn)=0A=/
>
> Rawbody evidently sees it after it has been decoded from 
> quoted-printable.
> The needless use of qp is actually a distinctive sign of this spammer. 


Use the full type.. however, beware this brings in the headers and the 
body.
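
Added example, not part of the original posts and not SpamAssassin code: a small Python model of the two views discussed in this thread, the quoted-printable-decoded body that a rawbody rule is given versus the undecoded headers plus body that a full rule is given. Both messages are constructed (www.example.com stands in for the advertised host), and views() and hits() are hypothetical helper names; the second message shows the caveat from the reply above, that a full pattern can also fire on header text.

```python
import email
import re

# Constructed sample modelled on the message quoted in the thread.
SPAM = (
    b"Subject: test\n"
    b"Content-Type: text/plain; charset=iso-8859-1\n"
    b"Content-Transfer-Encoding: quoted-printable\n"
    b"\n"
    b"=0A=\n"
    b"Soma - real expert in fighting muscle pains=0A=\n"
    b"=0A=\n"
    b"www.example.com=0A=\n"
    b"=0A=\n"
)

# Constructed counter-case: the pattern text occurs in a header only.
HEADER_ONLY = (
    b"Subject: why does www.example.com=0A= not match?\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"plain question, no URL in the body\n"
)

# Pattern from the thread, and the form the same text takes once
# quoted-printable is decoded ("=0A" becomes LF, the trailing "=" is a
# soft line break and disappears).
ENCODED = re.compile(rb"www\.[a-z]+\.(com|cn)=0A=")
DECODED = re.compile(rb"www\.[a-z]+\.(com|cn)\n")


def views(raw):
    """Return the text each rule type is modelled as seeing."""
    msg = email.message_from_bytes(raw)
    return {
        "rawbody": msg.get_payload(decode=True),  # transfer encoding undone
        "full": raw,                              # headers + body, undecoded
    }


def hits(pattern, raw):
    """Map each view name to whether the pattern matches in it."""
    return {name: bool(pattern.search(text)) for name, text in views(raw).items()}


if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("header-only", HEADER_ONLY)):
        print(label, "encoded:", hits(ENCODED, raw), "decoded:", hits(DECODED, raw))
```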


Re: eudora and password

2008-04-05 Thread dooley2

ok. thanks for all.

I felt it was worth a shot, even knowing that most would not be using a
windows proxy.

if anything occurs to you...or, certainly, anyone else indulging this
thread...I would appreciate any comments.

thanks.


Matt Kettler-3 wrote:
> dooley2 wrote:
>> it is a spam assassin proxy 3.2.3.3., for windows.
>>
>> respectfully, why would I post the question here unless it had something
>> to do with spam assassin?
>
> Well, true.. however, from your post it wasn't possible to determine 
> much about your setup. It also wasn't even clear you were using SA at 
> all, but I assumed you were.
>
> (Note: most folks here, unless you specify otherwise, are going to 
> assume you're using SpamAssassin on a unix-like platform with a MTA or 
> MDA layer integration, because that's what's common. It was clear from 
> your post that's not what you're doing, but it also wasn't possible to 
> tell what you are using.)
>
> Regardless, without knowing what proxy I don't think anyone could be of 
> much help. After all, your problem isn't with the SA code, it's with the 
> proxy code. That's very specific to what proxy you're using.
>
> All I could tell you would be a broad generic statement like the pop3 
> password should work, dono why it doesn't. That's not very informative.
>
>> http://wiki.apache.org/spamassassin/SaProxy
>
> That said, based on the version number you posted, I *think* you're 
> using SAwin32, which is one of the many proxies mentioned above.
>
> Since this is really a feature of the proxy part of the code, not the SA 
> part of the code, you might try their forums:
>
> http://sourceforge.net/forum/?group_id=175673
>
> Someone here might be able to help, but there are not many folks on this 
> list using proxies.

-- 
View this message in context: 
http://www.nabble.com/eudora-and-%22password%22-tp16518109p16520694.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: eudora and password

2008-04-05 Thread Blaine Fleming



> installed current win version on an xp box, using last paid version of
> eudora, inserted 127.0.0.1 in place of POP3 mail server as advised in
> manual, but eudora wants a password every time one changes a server
> name, and I cannot find one that works.
  
Not really an SA issue but it is probably a config issue.  Most proxies 
need you to set the pop3 username to the full login credentials like 
'[EMAIL PROTECTED]' so they know where to send your request.


As someone that was happy with Eudora for the better part of 10 years I 
can say that Eudora doesn't have a password that is causing you problems.


--Blaine