Re: whitelist_from_rcvd not working

2008-04-08 Thread SM

Hi Victor,
At 22:02 08-04-2008, Victor Sudakov wrote:

I have the following rule in local.cf:
whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru

Please help me figure out why the rule does not work. Below is a sample
message where I think the rule should work but actually does not.


[snip]


Received: from mail.sibptus.tomsk.ru [212.73.124.5]
by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
for <[EMAIL PROTECTED]> (single-drop); Tue, 08 Apr 2008 
15:08:02 +0700 (OMSST)

Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008 
15:05:54 +0700


That rule does not match the host in the Received: header.  The host 
shows up as an IP address.


You could use:

whitelist_auth [EMAIL PROTECTED]

as the domain has SPF records.  Don't forget to enable the 
Mail::SpamAssassin::Plugins::SPF plugin if you use the above.


Regards,
-sm 
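To show what SM describes above, here is an added example (neither SpamAssassin's own parser nor code from the thread): a simplified model of whitelist_from_rcvd matching, run over the two Received: header shapes quoted on this page. The sender and recipient addresses are constructed placeholders, since the archive redacted the real ones.

```python
import re
from fnmatch import fnmatch

# Added example, not SpamAssassin's parser: a simplified model of how a
# whitelist_from_rcvd entry ("address-glob domain") is matched against the
# Received: header of the last untrusted relay. The domain part is compared
# with the relay's reverse-DNS name, so a header that only carries the IP
# address gives it nothing to match, which is what SM points out above.

# sendmail/Postfix shape: "from HELO (RDNS [IP])"
RCVD_WITH_RDNS = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\(\s*(?P<rdns>[A-Za-z0-9.-]+)\s+\[(?P<ip>[\d.]+)\]\s*\)",
    re.IGNORECASE,
)
# CommuniGate shape seen in this thread: "from HELO ([IP] verified)", no rDNS name
RCVD_IP_ONLY = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\(\s*\[(?P<ip>[\d.]+)\][^)]*\)",
    re.IGNORECASE,
)


def unfold(header):
    """Join folded continuation lines and drop the 'Received:' field name."""
    value = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    return re.sub(r"^Received:\s*", "", value, flags=re.IGNORECASE)


def parse_received(header):
    """Return {'helo', 'rdns', 'ip'}; rdns is None when the header carries none."""
    value = unfold(header)
    m = RCVD_WITH_RDNS.match(value)
    if m:
        return {"helo": m.group("helo"), "rdns": m.group("rdns").lower(),
                "ip": m.group("ip")}
    m = RCVD_IP_ONLY.match(value)
    if m:
        return {"helo": m.group("helo"), "rdns": None, "ip": m.group("ip")}
    return None


def domain_matches(rdns, domain):
    """The rDNS name equals the whitelisted domain or is a host beneath it."""
    if not rdns:
        return False
    domain = domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


def whitelist_from_rcvd_hits(from_addr, received, entry):
    """entry is the local.cf pair (address-glob, domain); both parts must match."""
    addr_glob, domain = entry
    if not fnmatch(from_addr.lower(), addr_glob.lower()):
        return False
    relay = parse_received(received)
    return relay is not None and domain_matches(relay["rdns"], domain)


# Received: headers quoted in this thread; the 'for' address is a placeholder.
COMMUNIGATE_RCVD = (
    "Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)\n"
    "  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)\n"
    "  with ESMTPS id 9838562 for user@example.invalid; Tue, 08 Apr 2008 15:05:54 +0700"
)
SENDMAIL_RCVD = (
    "Received: from da1.hostingplus.nl (da1.hostingplus.nl [213.247.55.91])\n"
    "  by xphotonics.com (8.14.1/8.14.1) with ESMTP id m38IYDjj098834"
)

if __name__ == "__main__":
    # Sender addresses are constructed placeholders (the archive redacted them).
    # The CommuniGate header has no rDNS name, so the rule cannot match ...
    print(whitelist_from_rcvd_hits("root@dtdm.tomsk.ru", COMMUNIGATE_RCVD,
                                   ("*@dtdm.tomsk.ru", "dtdm.tomsk.ru")))    # False
    # ... while the sendmail-style header carries one and does.
    print(whitelist_from_rcvd_hits("mail@hostingplus.nl", SENDMAIL_RCVD,
                                   ("*@hostingplus.nl", "hostingplus.nl")))  # True
```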



whitelist_from_rcvd not working

2008-04-08 Thread Victor Sudakov
Colleagues,

I have the following rule in local.cf:
whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru

Please help me figure out why the rule does not work. Below is a sample
message where I think the rule should work but actually does not.
Perhaps someone with experience could run it through "spamassassin -D".


>From sudakov  Tue Apr  8 15:08:02 2008
X-Virus-Scanned: by clamd daemon 0.91.2 for FreeBSD at relay2.tomsk.ru
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on meow.tomsk.su
X-Spam-Level: 
X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_00,MISSING_HEADERS,
MISSING_SUBJECT,TRACKER_ID,TVD_SPACE_RATIO autolearn=no version=3.2.4
Return-Path: <[EMAIL PROTECTED]>
Received: from mail.sibptus.tomsk.ru [212.73.124.5]
by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
for <[EMAIL PROTECTED]> (single-drop); Tue, 08 Apr 2008 15:08:02 +0700 
(OMSST)
Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008 15:05:54 +0700
Received-SPF: pass
 receiver=relay2.tomsk.ru; client-ip=213.183.100.11; [EMAIL PROTECTED]
Received: from root by gw.dtdm.tomsk.ru with local (Exim 4.67 (FreeBSD))
(envelope-from <[EMAIL PROTECTED]>)
id 1Jj8pm-00033X-KY
for [EMAIL PROTECTED]; Tue, 08 Apr 2008 15:05:38 +0700
Message-Id: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
Date: Tue, 08 Apr 2008 15:05:38 +0700
X-SpamProbe: GOOD 0.0003774 1cae503bd9d0b131eaddef3cb3f12c45
Status: RO
Content-Length: 37
Lines: 1

93202240-0542-11dd-9f2c-00016cd36bbf




Thanks in advance for any input.

I am using SpamAssassin-3.2.4_2 from the FreeBSD ports collection,
perl-5.8.8, FreeBSD 6.2.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Bored girls spams

2008-04-08 Thread Igor Chudov
A while ago I asked what was the scam about those "I am a boored
grrl, pleas write me". 

I have finally found the answer. 

http://ikillspammers.blogspot.com/

The answer is that they get men to talk to them and then start
concocting various stories about how they were beaten up, raped
anally, and so on, and beg for money. That's the business.

i


Re: Returned mail spam

2008-04-08 Thread McDonald, Dan

On Tue, 2008-04-08 at 12:36 -0700, ahgu wrote:
> They forged the header with my email addr as the return address. 
> When it get bounced back by a server, everything is valid. Since the server
> strip off most of the content, it can pass the spamassassin very easily. I
> wonder if anyone got this problem?

Of course, it is very common.

SPF does a reasonable job of stopping it, since it is not worth the
spammer's time to forge when a good portion will be ditched as violating
spf.

the vbounce plugin is also useful for identifying the bad bounces and
discarding them.

Amavisd-new 2.6 has a new pen-pals feature that checks all DSN's
received to see if there is a corresponding outbound e-mail.  That would
virtually eliminate your receipt of spoofed bounces.

The other solution is to convince every computer owner in the world to
replace their infected BOTs with a clean machine and stable OS, and to
maintain it properly.  That one has considerably higher time investments
needed.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: Returned mail spam

2008-04-08 Thread ahgu

They forged the header with my email addr as the return address. 
When it get bounced back by a server, everything is valid. Since the server
strip off most of the content, it can pass the spamassassin very easily. I
wonder if anyone got this problem?




Benny Pedersen wrote:
> 
> 
> On Tue, April 8, 2008 21:10, ahgu wrote:
> 
>> Delivery to the following recipient has been delayed:
>>
>>  [EMAIL PROTECTED]
>>
>> Message will be retried for 2 more day(s)
> 
> what mta have 2 days of notifying  as default ?
> 
> solution is more to stop notifying :-)
> 
> its imho not a spam problem, just a notifying
> 
> 
> Benny Pedersen
> Need more webspace ? http://www.servage.net/?coupon=cust37098
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Returned-mail-spam-tp16570515p16571331.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Returned mail spam

2008-04-08 Thread Benny Pedersen

On Tue, April 8, 2008 21:10, ahgu wrote:

> Delivery to the following recipient has been delayed:
>
>  [EMAIL PROTECTED]
>
> Message will be retried for 2 more day(s)

what mta have 2 days of notifying  as default ?

solution is more to stop notifying :-)

its imho not a spam problem, just a notifying


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: Returned mail spam

2008-04-08 Thread Benny Pedersen

On Tue, April 8, 2008 21:04, Evan Platt wrote:
> SPF is a good start...
> http://spf.pobox.com/

moved to http://openspf.org/


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: Returned mail spam

2008-04-08 Thread ahgu

Another email:

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on xphotonics.com
X-Spam-Level: *
X-Spam-Status: No, score=1.3 required=5.0 tests=URI_HEX autolearn=no
version=3.2.4
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report: 
*  1.3 URI_HEX URI: URI hostname has long hexadecimal sequence
Received: from gv-out-0910.google.com (gv-out-0910.google.com
[216.239.58.189])
by xphotonics.com (8.14.1/8.14.1) with ESMTP id m38J7lLH034356
for <[EMAIL PROTECTED]>; Tue, 8 Apr 2008 15:07:47 -0400 (EDT)
Received: by gv-out-0910.google.com with SMTP id n29so441885gve.40
for <[EMAIL PROTECTED]>; Tue, 08 Apr 2008 12:07:36 -0700 (PDT)
Received: by 10.142.158.17 with SMTP id g17mr3223126wfe.106.1207681655587;
Tue, 08 Apr 2008 12:07:35 -0700 (PDT)
Received: by 10.142.158.17 with SMTP id g17mr4800214wfe.106;
Tue, 08 Apr 2008 12:07:35 -0700 (PDT)
Message-ID: <[EMAIL PROTECTED]>
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Delivery Status Notification (Delay)
Date: Tue, 08 Apr 2008 12:07:35 -0700 (PDT)
X-Virus-Scanned: ClamAV 0.91.1/6671/Tue Apr  8 13:52:06 2008 on
xphotonics.com
X-Virus-Status: Clean

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

 [EMAIL PROTECTED]

Message will be retried for 2 more day(s)

   - Message header follows -

Received: by 10.142.158.17 with SMTP id g17mr2671000wfe.106.1207589565795;
Mon, 07 Apr 2008 10:32:45 -0700 (PDT)
Return-Path: <[EMAIL PROTECTED]>
Received: from toroon12-1177845134.sdsl.bell.ca
(toroon12-1177845134.sdsl.bell.ca [70.52.125.142])
by mx.google.com with ESMTP id
30si18291073wfa.2.2008.04.07.10.32.44;
Mon, 07 Apr 2008 10:32:45 -0700 (PDT)
Received-SPF: neutral (google.com: 70.52.125.142 is neither permitted nor
denied by best guess record for domain of [EMAIL PROTECTED])
client-ip=70.52.125.142;
Authentication-Results: mx.google.com; spf=neutral (google.com:
70.52.125.142 is neither permitted nor denied by best guess record for
domain of [EMAIL PROTECTED]) [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
From: "benedicto hiram" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: We ship worldwide. Don't wanna overpay in your local drugstore? Shy
to buy ED drugs? Buy from us we'll deliver it to your house.
Date: Mon, 07 Apr 2008 15:45:22 +
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

   - Message body suppressed -

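The vbounce check Dan McDonald mentions earlier in this thread, applied to the kind of DSN ahgu pasted above, as an added example (not the VBounce plugin's own code): a bounce is accepted only when the original message it carries was stamped by one of our own relays, in the spirit of whitelist_bounce_relays. Both sample messages are constructed; the first is modelled on the Google DSN in this thread with the redacted addresses replaced by placeholders, and xphotonics.com stands in for the receiving site as on the page.

```python
import re

# Added example, not the VBounce plugin's own code: a heuristic backscatter
# check in the spirit of whitelist_bounce_relays. A bounce is accepted only if
# the original it carries was relayed ("by HOST") through one of our own servers.

# Lines that introduce the copy of the original message in common DSN formats.
ORIGINAL_MARKER = re.compile(
    r"^[ \t-]*(?:Message header follows|This is a copy of the message)[^\n]*\n",
    re.IGNORECASE | re.MULTILINE)
BOUNCE_HINT = re.compile(
    r"delivery status notification|delayed|undeliverable|returned mail", re.IGNORECASE)
RELAY_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed samples: the first is modelled on the Google DSN quoted in this
# thread (redacted addresses replaced by placeholders); the second is an
# invented bounce for a message that really did leave through our relay.
BACKSCATTER_DSN = """\
From: Mail Delivery Subsystem <mailer-daemon@example.invalid>
To: victim@xphotonics.com
Subject: Delivery Status Notification (Delay)

   ----- Message header follows -----

Received: by 10.142.158.17 with SMTP id g17mr2671000wfe.106.1207589565795;
        Mon, 07 Apr 2008 10:32:45 -0700 (PDT)
Received: from toroon12-1177845134.sdsl.bell.ca
        (toroon12-1177845134.sdsl.bell.ca [70.52.125.142])
        by mx.google.com with ESMTP id 30si18291073wfa.2.2008.04.07.10.32.44;
        Mon, 07 Apr 2008 10:32:45 -0700 (PDT)
From: "benedicto hiram" <victim@xphotonics.com>
Subject: We ship worldwide.

   ----- Message body suppressed -----
"""
LEGIT_DSN = """\
From: Mail Delivery System <mailer-daemon@example.invalid>
To: alice@xphotonics.com
Subject: Warning: message 1JiuzE-0004HI-Pi delayed 24 hours

------ This is a copy of the message, including all the headers. ------

Received: from mail.xphotonics.com (mail.xphotonics.com [192.0.2.25])
        by da1.hostingplus.nl with ESMTP id 1JiuzE-0004HI-Pi
Received: from alice-pc ([192.0.2.10]) by mail.xphotonics.com with ESMTPA
        id 1JiuzA-0001AA-XX; Mon, 07 Apr 2008 15:31:15 +0000
From: alice@xphotonics.com
Subject: Quarterly figures
"""


def unfold(block):
    """Join folded continuation lines so each header is one string."""
    lines = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def original_headers(dsn_text):
    """Headers of the bounced original, or None if the DSN carries none."""
    m = ORIGINAL_MARKER.search(dsn_text)
    if not m:
        return None
    block = dsn_text[m.end():].lstrip("\n").split("\n\n", 1)[0]
    return unfold(block)


def relays_of(headers):
    """Hosts that stamped a Received: header ('by HOST') onto the original."""
    relays = set()
    for h in headers:
        if h.lower().startswith("received:"):
            m = RELAY_BY.search(h)
            if m:
                relays.add(m.group(1).lower())
    return relays


def is_our_relay(host, bounce_relays):
    return any(host == r or host.endswith("." + r) for r in bounce_relays)


def classify_bounce(dsn_text, bounce_relays):
    """'not-a-bounce', 'legit-bounce' or 'backscatter'. Policy of this example:
    a bounce carrying no original headers proves nothing, so it is backscatter."""
    top = unfold(dsn_text.split("\n\n", 1)[0])
    subject = next((h for h in top if h.lower().startswith("subject:")), "")
    sender = next((h for h in top if h.lower().startswith("from:")), "")
    if not (BOUNCE_HINT.search(subject) or "mailer-daemon" in sender.lower()):
        return "not-a-bounce"
    headers = original_headers(dsn_text) or []
    if any(is_our_relay(r, bounce_relays) for r in relays_of(headers)):
        return "legit-bounce"
    return "backscatter"


if __name__ == "__main__":
    ours = {"xphotonics.com"}  # as in local.cf: whitelist_bounce_relays xphotonics.com
    print(classify_bounce(BACKSCATTER_DSN, ours))  # backscatter
    print(classify_bounce(LEGIT_DSN, ours))        # legit-bounce
```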



Re: Returned mail spam

2008-04-08 Thread Evan Platt

SPF is a good start...
http://spf.pobox.com/

Do you actually have a [EMAIL PROTECTED] account? If not, don't 
accept mail for invalid e-mail addresses.


ahgu wrote:

somebody is using my email as the bounce-back return email.
How do I avoid the problem?

thanks
Andrew

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on xphotonics.com
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_HELO_PASS
autolearn=failed version=3.2.4
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report:
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
Received: from da1.hostingplus.nl (da1.hostingplus.nl [213.247.55.91])
by xphotonics.com (8.14.1/8.14.1) with ESMTP id m38IYDjj098834
for <[EMAIL PROTECTED]>; Tue, 8 Apr 2008 14:34:13 -0400 (EDT)
Received: from mail by da1.hostingplus.nl with local (Exim 4.67)
id 1JjIda-0004I1-RX
for [EMAIL PROTECTED]; Tue, 08 Apr 2008 20:33:42 +0200
Auto-Submitted: auto-replied
From: Mail Delivery System <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Warning: message 1JiuzE-0004HI-Pi delayed 24 hours
Message-Id: <[EMAIL PROTECTED]>
Date: Tue, 08 Apr 2008 20:33:42 +0200
X-Virus-Scanned: ClamAV 0.91.1/6671/Tue Apr  8 13:52:06 2008 on
xphotonics.com
X-Virus-Status: Clean

This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 24 hours on the queue on da1.hostingplus.nl.

The message identifier is: 1JiuzE-0004HI-Pi
The subject of the message is: *SPAM* Only Prestige
The date of the message is:Mon, 07 Apr 2008 15:31:15 +

The address to which the message has not yet been delivered is:

  [EMAIL PROTECTED]
Delay reason: mailbox is full

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.

  




Returned mail spam

2008-04-08 Thread ahgu

somebody is using my email as the bounce-back return email. 
How do I avoid the problem?

thanks
Andrew

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on xphotonics.com
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_HELO_PASS
autolearn=failed version=3.2.4
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report: 
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
Received: from da1.hostingplus.nl (da1.hostingplus.nl [213.247.55.91])
by xphotonics.com (8.14.1/8.14.1) with ESMTP id m38IYDjj098834
for <[EMAIL PROTECTED]>; Tue, 8 Apr 2008 14:34:13 -0400 (EDT)
Received: from mail by da1.hostingplus.nl with local (Exim 4.67)
id 1JjIda-0004I1-RX
for [EMAIL PROTECTED]; Tue, 08 Apr 2008 20:33:42 +0200
Auto-Submitted: auto-replied
From: Mail Delivery System <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Warning: message 1JiuzE-0004HI-Pi delayed 24 hours
Message-Id: <[EMAIL PROTECTED]>
Date: Tue, 08 Apr 2008 20:33:42 +0200
X-Virus-Scanned: ClamAV 0.91.1/6671/Tue Apr  8 13:52:06 2008 on
xphotonics.com
X-Virus-Status: Clean

This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 24 hours on the queue on da1.hostingplus.nl.

The message identifier is: 1JiuzE-0004HI-Pi
The subject of the message is: *SPAM* Only Prestige
The date of the message is:Mon, 07 Apr 2008 15:31:15 +

The address to which the message has not yet been delivered is:

  [EMAIL PROTECTED]
Delay reason: mailbox is full

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.




Re: SA 3.2.4 speedup

2008-04-08 Thread jp
> >Aha. Well, since network rules are run in parallel, I don't think turning
> >off some of them will help you much. And what I say is still valid, even if
> >it applies only in some cases :)
> 
> I see your point, problem is the new SA is taking a much larger load, 
> and catching less spam. I am getting complaints from clients. So now I 
> am hesitant to remove any rules.
> 
> I wanted to check the Wiki to refresh my SA performance knowledge, but 
> it is down today 8^(

If you need to run more spamds in parallel because of network tests 
delays, increase the amount of RAM you have and the number of spamd 
processes. 

> Dave

> >>Which was why I asked. I read through the rules to see what was doing a 
> >>lookup and where it looked up the URI. I do not want to check sorbs or 
> >>spamhaus, we do that at the MTA. I do not what to lookup anything via 
> >>spamcop, njabl, or bl.whois.
> >
> >I think that should not cause any problems to you. We use blacklist at MTA 
> >level too, and SA still hits some of them (of those
> >same lists!). SA just may check different IPs.

We blacklist some stuff at the MTA too, but figure it's probably cached 
in our nameserver if it has to check it again, so no big penalty. We 
have our own rsync feed to some of those services, so it would 
definitely be a local network check.

-- 
/*
Jason Philbrook   |   Midcoast Internet Solutions - Wireless and DSL
KB1IOJ|   Broadband Internet Access, Dialup, and Hosting 
 http://f64.nu/   |   for Midcoast Mainehttp://www.midcoast.com/
*/


Re: SA 3.2.4 speedup

2008-04-08 Thread DAve

Matus UHLAR - fantomas wrote:

On 08.04.08 10:52, DAve wrote:
We recently upgraded to SA 3.2.4 and are experiencing much slower 
processing. After watching my rule hits for a few days I would like to 
remove some rules (set score to 0) to gain back some speed.


Am I correct in believing that the below rules will not be run and no 
lookup will be made if skip_rbl_checks is set to 1? Looking at my 
dnscache I think this is true.



Matus UHLAR - fantomas wrote:

if you want to turn those off, simply disable network rules. Many rules
have different scores when used with network and without it, and simply
disabling network rules would increase FN (maybe even FP) rate for you.


On 08.04.08 11:34, DAve wrote:
But I want some network rules, some of the URIBL tests are my golden 
bullets, by far the most effective rules we run. Your spam may vary of 
course.


Aha. Well, since network rules are run in parallel, I don't think turning
off some of them will help you much. And what I say is still valid, even if
it applies only in some cases :)


I see your point, problem is the new SA is taking a much larger load, 
and catching less spam. I am getting complaints from clients. So now I 
am hesitant to remove any rules.


I wanted to check the Wiki to refresh my SA performance knowledge, but 
it is down today 8^(


Dave




However, if you can afford it, do run those tests. They are much more effective
than most of the static rules in SA. They don't take much CPU time, just some
network traffic and a few seconds more. And they increase efficiency very
much


... and I still say this ;)

I would also like to not run the following rules, they hit, but in less 
than 1% of my spam do they make any difference. The lookups are not 
worth it, at least not for our mail, not today. That all may change. I 
am assuming I will need to set each one to zero to stop any lookups?



those were network too.


Which was why I asked. I read through the rules to see what was doing a 
lookup and where it looked up the URI. I do not want to check sorbs or 
spamhaus, we do that at the MTA. I do not want to look up anything via 
spamcop, njabl, or bl.whois.


I think that should not cause any problems to you. We use blacklist at MTA 
level too, and SA still hits some of them (of those
same lists!). SA just may check different IPs.




--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


Botnet plugin?

2008-04-08 Thread Yves Goergen

Hi,

what's the current status of the Botnet plugin for SpamAssassin? I used 
it in my old SA 3.1.8 and think it was doing a good job. I heard that it 
should be part of SA now, but I couldn't find it by grepping the default 
rule files. Nor did I find it at SARE or elsewhere on the web. All I see 
is that web folder with the tarballs, latest from Nov 2007 or so.


How can I enable it in SA 3.2.4? Do I still need to get that 3rd party 
file and install it? Is there a status/news website anywhere?


--
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
Visit my web laboratory at http://beta.unclassified.de


Re: SA 3.2.4 speedup

2008-04-08 Thread Matus UHLAR - fantomas
> >On 08.04.08 10:52, DAve wrote:
> >>We recently upgraded to SA 3.2.4 and are experiencing much slower 
> >>processing. After watching my rule hits for a few days I would like to 
> >>remove some rules (set score to 0) to gain back some speed.
> >>
> >>Am I correct in believing that the below rules will not be run and no 
> >>lookup will be made if skip_rbl_checks is set to 1? Looking at my 
> >>dnscache I think this is true.

> Matus UHLAR - fantomas wrote:
> >if you want to turn those off, simply disable network rules. Many rules
> >have different scores when used with network and without it, and simply
> >disabling network rules would increase FN (maybe even FP) rate for you.

On 08.04.08 11:34, DAve wrote:
> But I want some network rules, some of the URIBL tests are my golden 
> bullets, by far the most effective rules we run. Your spam may vary of 
> course.

Aha. Well, since network rules are run in parallel, I don't think turning
off some of them will help you much. And what I say is still valid, even if
it applies only in some cases :)

> >However, if you can afford it, do run those tests. They are much more effective
> >than most of the static rules in SA. They don't take much CPU time, just some
> >network traffic and a few seconds more. And they increase efficiency very
> >much

... and I still say this ;)

> >>I would also like to not run the following rules, they hit, but in less 
> >>than 1% of my spam do they make any difference. The lookups are not 
> >>worth it, at least not for our mail, not today. That all may change. I 
> >>am assuming I will need to set each one to zero to stop any lookups?

> >those were network too.

> Which was why I asked. I read through the rules to see what was doing a 
> lookup and where it looked up the URI. I do not want to check sorbs or 
> spamhaus, we do that at the MTA. I do not want to look up anything via 
> spamcop, njabl, or bl.whois.

I think that should not cause any problems to you. We use blacklist at MTA 
level too, and SA still hits some of them (of those
same lists!). SA just may check different IPs.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: http://www.nk.ca/blog/

2008-04-08 Thread Matus UHLAR - fantomas
> On Tue, Apr 08, 2008 at 04:32:05PM +0200, Matus UHLAR - fantomas wrote:
> > On 08.04.08 07:43, The Doctor wrote:
> > > http://www.nk.ca/blog/ .
> > > 
> > > In that blog, there is a section for Spam and Phish for your research.
> > 
> > whose research?

On 08.04.08 09:50, The Doctor wrote:
> Anyone doing anti-spam research.

please stop thread hijacking then. If you're writing a new post, send it as
new mail and not as a reply to another mail. I am not doing antispam research,
please don't answer my mails as if I were...

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: http://www.nk.ca/blog/

2008-04-08 Thread The Doctor
On Tue, Apr 08, 2008 at 04:32:05PM +0200, Matus UHLAR - fantomas wrote:
> On 08.04.08 07:43, The Doctor wrote:
> > http://www.nk.ca/blog/ .
> > 
> > In that blog, there is a section for Spam and Phish for your research.
> 
> whose research?
>

Anyone doing anti-spam research.
 
> -- 
> Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> We are but packets in the Internet of life (userfriendly.org)
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 

-- 
Member - Liberal International  
This is [EMAIL PROTECTED]   Ici [EMAIL PROTECTED]
God, Queen and country! Beware Anti-Christ rising!  
USA petition for dissolution of your nation!




Re: SA 3.2.4 speedup

2008-04-08 Thread DAve

Matus UHLAR - fantomas wrote:

On 08.04.08 10:52, DAve wrote:
We recently upgraded to SA 3.2.4 and are experiencing much slower 
processing. After watching my rule hits for a few days I would like to 
remove some rules (set score to 0) to gain back some speed.


Am I correct in believing that the below rules will not be run and no 
lookup will be made if skip_rbl_checks is set to 1? Looking at my 
dnscache I think this is true.


if you want to turn those off, simply disable network rules. Many rules have
different scores when used with network and without it, and simply disabling
network rules would increase FN (maybe even FP) rate for you.


But I want some network rules, some of the URIBL tests are my golden 
bullets, by far the most effective rules we run. Your spam may vary of 
course.




However, if you can afford it, do run those tests. They are much more effective
than most of the static rules in SA. They don't take much CPU time, just some
network traffic and a few seconds more. And they increase efficiency very
much

I would also like to not run the following rules, they hit, but in less 
than 1% of my spam do they make any difference. The lookups are not 
worth it, at least not for our mail, not today. That all may change. I 
am assuming I will need to set each one to zero to stop any lookups?


those were network too.



Which was why I asked. I read through the rules to see what was doing a 
lookup and where it looked up the URI. I do not want to check sorbs or 
spamhaus, we do that at the MTA. I do not want to look up anything via 
spamcop, njabl, or bl.whois.


Thanks,

DAve


--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


Help with these errors

2008-04-08 Thread Dimitri Yioulos
All,

I posted a question regarding SpamAssasssin errors which MailScanner --lint 
seemed to detect.  It was suggested to me that this is an SA issue so, with 
your indulgence, I'd like to ask here.

I'm now running mailscanner-4.68.8-1 on a CentOS 3 box, along with 
spamassassin-3.2.4-1.el3.rf from the Dag repository.  When I run MailScanner 
--lint, I get the following:

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory 
is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
Use of uninitialized value in addition (+) 
at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 371.
plugin: eval failed: Can't locate object method "log_lookups_timing" via 
package "Mail::SpamAssassin::AsyncLoop" 
at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 381.
SpamAssassin reported no errors.

spamassassin -D --lint returns no errors.

My mail system seems to work fine, but I'd like to know what these errors mean, 
and to eliminate them if possible.

Thanks.

Dimitri



Re: SA 3.2.4 speedup

2008-04-08 Thread Matus UHLAR - fantomas
On 08.04.08 10:52, DAve wrote:
> We recently upgraded to SA 3.2.4 and are experiencing much slower 
> processing. After watching my rule hits for a few days I would like to 
> remove some rules (set score to 0) to gain back some speed.
> 
> Am I correct in believing that the below rules will not be run and no 
> lookup will be made if skip_rbl_checks is set to 1? Looking at my 
> dnscache I think this is true.

if you want to turn those off, simply disable network rules. Many rules have
different scores when used with network and without it, and simply disabling
network rules would increase FN (maybe even FP) rate for you.

However, if you can afford it, do run those tests. They are much more effective
than most of the static rules in SA. They don't take much CPU time, just some
network traffic and a few seconds more. And they increase efficiency very
much

> I would also like to not run the following rules, they hit, but in less 
> than 1% of my spam do they make any difference. The lookups are not 
> worth it, at least not for our mail, not today. That all may change. I 
> am assuming I will need to set each one to zero to stop any lookups?

those were network too.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


SA 3.2.4 speedup

2008-04-08 Thread DAve

Good morning,

We recently upgraded to SA 3.2.4 and are experiencing much slower 
processing. After watching my rule hits for a few days I would like to 
remove some rules (set score to 0) to gain back some speed.


Am I correct in believing that the below rules will not be run and no 
lookup will be made if skip_rbl_checks is set to 1? Looking at my 
dnscache I think this is true.


 RCVD_IN_NJABL_RELAY
 RCVD_IN_NJABL_SPAM
 RCVD_IN_NJABL_MULTI
 RCVD_IN_NJABL_CGI
 RCVD_IN_NJABL_PROXY
 RCVD_IN_SORBS_HTTP
 RCVD_IN_SORBS_SOCKS
 RCVD_IN_SORBS_MISC
 RCVD_IN_SORBS_SMTP
 RCVD_IN_SORBS_WEB
 RCVD_IN_SORBS_BLOCK
 RCVD_IN_SORBS_ZOMBIE
 RCVD_IN_SORBS_DUL
 RCVD_IN_SBL
 RCVD_IN_XBL
 RCVD_IN_PBL
 DNS_FROM_RFC_DSN
 DNS_FROM_RFC_BOGUSMX
 RCVD_IN_WHOIS_BOGONS
 RCVD_IN_WHOIS_HIJACKED
 RCVD_IN_WHOIS_INVALID
 RCVD_IN_DSBL
 DNS_FROM_AHBL_RHSBL
 DNS_FROM_SECURITYSAGE
 RCVD_IN_BL_SPAMCOP_NET
 RCVD_IN_MAPS_RBL
 RCVD_IN_MAPS_DUL
 RCVD_IN_MAPS_RSS
 RCVD_IN_MAPS_NML
 RCVD_IN_BSP_TRUSTED
 RCVD_IN_BSP_OTHER
 RCVD_IN_IADB_VOUCHED
 HABEAS_ACCREDITED_COI
 HABEAS_ACCREDITED_SOI
 HABEAS_CHECKED
 SPF_PASS
 SPF_NEUTRAL
 SPF_FAIL
 SPF_SOFTFAIL
 SPF_HELO_PASS
 SPF_HELO_NEUTRAL
 SPF_HELO_FAIL
 SPF_HELO_SOFTFAIL
 RCVD_IN_DNSWL_HI
 RCVD_IN_DNSWL_LOW
 RCVD_IN_DNSWL_MED
 RCVD_IN_DOB
 RCVD_IN_IADB_DK
 RCVD_IN_IADB_DOPTIN
 RCVD_IN_IADB_DOPTIN_GT50
 RCVD_IN_IADB_DOPTIN_LT50
 RCVD_IN_IADB_EDDB
 RCVD_IN_IADB_EPIA
 RCVD_IN_IADB_GOODMAIL
 RCVD_IN_IADB_LISTED
 RCVD_IN_IADB_LOOSE
 RCVD_IN_IADB_MI_CPEAR
 RCVD_IN_IADB_MI_CPR_30
 RCVD_IN_IADB_MI_CPR_MAT
 RCVD_IN_IADB_ML_DOPTIN
 RCVD_IN_IADB_NOCONTROL
 RCVD_IN_IADB_OOO
 RCVD_IN_IADB_OPTIN
 RCVD_IN_IADB_OPTIN_GT50
 RCVD_IN_IADB_OPTIN_LT50
 RCVD_IN_IADB_OPTOUTONLY
 RCVD_IN_IADB_RDNS
 RCVD_IN_IADB_SENDERID
 RCVD_IN_IADB_SPF
 RCVD_IN_IADB_UNVERIFIED_1
 RCVD_IN_IADB_UNVERIFIED_2
 RCVD_IN_IADB_UT_CPEAR
 RCVD_IN_IADB_UT_CPR_30
 RCVD_IN_IADB_UT_CPR_MAT

I would also like to not run the following rules, they hit, but in less 
than 1% of my spam do they make any difference. The lookups are not 
worth it, at least not for our mail, not today. That all may change. I 
am assuming I will need to set each one to zero to stop any lookups?


 URIBL_SBL
 URIBL_COMPLETEWHOIS
 URIBL_RHS_ABUSE
 URIBL_RHS_AHBL
 URIBL_RHS_BOGUSMX
 URIBL_RHS_DOB
 URIBL_RHS_DSN
 URIBL_RHS_POST
 URIBL_RHS_TLD_WHOIS
 URIBL_RHS_WHOIS
 WHOIS_1AND1PR
 WHOIS_AITPRIV
 WHOIS_CONTACTPRIV
 WHOIS_DMNBYPROXY
 WHOIS_DOMESCROW
 WHOIS_DOMPRIVCORP
 WHOIS_DREAMPRIV
 WHOIS_DROA
 WHOIS_DYNADOT
 WHOIS_FINEXE
 WHOIS_GKGPROXY
 WHOIS_IDSHIELD
 WHOIS_IDTHEFTPROT
 WHOIS_KATZ
 WHOIS_LISTINGAG
 WHOIS_LNOA
 WHOIS_MAPNAME
 WHOIS_MONIKER_PRIV
 WHOIS_MYPRIVREG
 WHOIS_NAMEKING
 WHOIS_NAMESECURE
 WHOIS_NETID
 WHOIS_NETSOLPR
 WHOIS_NOLDC
 WHOIS_NOMINET
 WHOIS_PRIVACYPOST
 WHOIS_PRIVDOMAIN
 WHOIS_PRIVPROT
 WHOIS_REGISTER4LESS
 WHOIS_REGISTERFLY
 WHOIS_REGTEK
 WHOIS_SAFENAMES
 WHOIS_SECINFOSERV
 WHOIS_SECUREWHOIS
 WHOIS_SPAMFREE
 WHOIS_SRSPLUS
 WHOIS_UNLISTED
 WHOIS_WHOISGUARD
 WHOIS_WHOISPROT

Thanks,

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


Re: http://www.nk.ca/blog/

2008-04-08 Thread Matus UHLAR - fantomas
On 08.04.08 07:43, The Doctor wrote:
> http://www.nk.ca/blog/ .
> 
> In that blog, there is a section for Spam and Phish for your research.

whose research?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)


Re: SA-UPDATE How often new updates?

2008-04-08 Thread Theo Van Dinter
On Tue, Apr 08, 2008 at 11:05:55AM +0200, Benny Pedersen wrote:
> /usr/share/spamassassin < this dir is maintained by some package managers
> /var/lib/spamassassin is entirely done by spamassassin :-)
> 
> I believe it was the real reason not to overwrite files

The slightly longer version:

- originally, sa-update was going to store stuff in /etc/mail/spamassassin (or
  whatever your site rules dir is), in much the same setup as now.  and the
  updates were going to be just that -- updates to the current rule set,
  scores, new rules, etc, but the standard rules would still be used.

- certain folks had issues with something downloading updates to /etc, because
  via the LSB, etc, that kind of stuff goes in /var.

- somewhere in there, it got decided that instead of just updates we should
  allow distribution of the entire rule set.  this allows for people to be
  able to be more flexible with their installations, but also means that
  people need to understand "updates" are really an alternate ruleset (so get
  updates.spamassassin.org if you expect to keep those rules when adding a new
  channel).

So in the end, that's why /usr/share/spamassassin isn't used anymore -- people
have the ability to override the entire standard SA ruleset if they don't want
to use it, and that's why /var is used instead of /usr or /etc.

-- 
Randomly Selected Tagline:
"Fluorescent lights are generating negative ions." - Today's BOFH Excuse




http://www.nk.ca/blog/

2008-04-08 Thread The Doctor
http://www.nk.ca/blog/ .

In that blog, there is a section for Spam and Phish for your research.

-- 
Member - Liberal International  
This is [EMAIL PROTECTED]   Ici [EMAIL PROTECTED]
God, Queen and country! Beware Anti-Christ rising!  
USA petition for dissolution of your nation!




Re: Low Scores on Bounce Backs

2008-04-08 Thread Karsten Bräckelmann
On Tue, 2008-04-08 at 12:33 +0200, Matus UHLAR - fantomas wrote:
> Sorry for previous mail, I accidentally hit send...
> 
> > On Sun, 2008-04-06 at 23:25 -0400, Jeff Koch wrote:
> > > Thanks for the reply.  I thought the purpose of adding the
> > > 
> > > 'whitelist_bounce_relays mailserver_name.com'
> > > 
> > > in local.cf was so that SA could assign a higher score to bounces that 
> > > never originated at your own mailserver. Thereby identifying return 
> > > address 
> > > forgery.
> 
> On 07.04.08 12:17, Karsten Bräckelmann wrote:
> > Actually quite the opposite. :)  Rather than increasing a score, it is
> > used to 'rescue' legitimate bounce messages. See the docs [1].
> 
> I don't think it's "opposite". I think he said the same as you - 
> whitelist_bounce_relays identifies bounces originating on one's own mailserver,
> while the others, matching ANY_BOUNCE_MESSAGE, indicate forgery.

Well, I stand by what I said.  *shrug*

> > Basically, it serves two purposes:  (a) Setting this option enables the
> > VBounce plugin, and  (b) it prevents legit bounces from being marked
> > with the ANY_BOUNCE_MESSAGE and friends rules.
> 
> Does whitelist_bounce_relays really turn on VBounce? Does that mean that
> *BOUNCE* won't match when it's not set up?

Yes -- IIRC, no time to dig through the code again, today.

> > Of course, we can't stop you from assigning a custom, absurdly high
> > score to ANY_BOUNCE_MESSAGE to abuse the existing score based filtering.
> 
> I guess a score of e.g. 1 is not absurdly high. Especially not when he uses
> SPF/DKIM and his users send mail through his servers.

Please read the context again. Neither I nor the OP mentioned setting a
score like 1. Actually, this thread started because the assigned 0.2
"doesn't help much" in crossing the spam threshold. Neither does a score
of 1.

VBounce detects backscatter. And it does so, even without the original
spam attached. It does detect backscatter with a score of 0 or less,
too. (Coincidentally, the backscatter I get just raised dramatically a
few days ago.)

VBounce is not intended to raise the score anyway. It's the sole
triggering of these rules and thus flagging. NOT marking as spam, as I
explained earlier. A score of -1 would do just the same. The only reason
to set a score at all is so that SA does not skip these tests, as it would
do with a neutral score of 0.


> > However, the purpose of this plugin and the low default score is to not
> > weigh in into classifying spam, but to provide a nice handler (see my
> > previous post) to identify bounces and treat them specially.
> 
> However, this plugin can be easily used to detect backscatter and it's
> probably what users will use it for.
 ^^
Exactly. *Detect* backscatter, not mark it as spam.

Moreover, it is an understatement to claim VBounce "can be easily used
to detect backscatter". That's its purpose. That is all it does.


Please see the most important part of the docs again, how VBounce is
intended and documented to be used:

$ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
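The handling Karsten describes (file a message that hit ANY_BOUNCE_MESSAGE into its own folder, independent of the Yes/No spam verdict, instead of treating the rule as a score contribution), as an added Python example; it is not code from this thread or from SpamAssassin. The X-Spam-Status headers are constructed samples, and the folder names are assumptions.

```python
import re
from email import message_from_string

# Constructed sample headers (not real mail). The first is backscatter that
# scored below the spam threshold but hit ANY_BOUNCE_MESSAGE; note the folded
# tests= list, which is how SpamAssassin writes long X-Spam-Status headers.
BACKSCATTER = """\
Return-Path: <>
X-Spam-Status: No, score=1.2 required=5.0 tests=ANY_BOUNCE_MESSAGE,
\tBOUNCE_MESSAGE,MISSING_SUBJECT autolearn=no version=3.2.4
From: MAILER-DAEMON@relay.example.invalid

Your message could not be delivered.
"""
SPAM = """\
X-Spam-Status: Yes, score=12.3 required=5.0 tests=BAYES_99,URIBL_BLACK
From: someone@example.invalid

buy now
"""
HAM = """\
X-Spam-Status: No, score=-2.1 required=5.0 tests=none autolearn=ham
From: friend@example.invalid

hi
"""

def spam_status_tests(msg_text):
    """Return the set of rule names listed in X-Spam-Status, reading across
    the folded continuation line so a wrapped tests= list stays complete."""
    status = message_from_string(msg_text).get("X-Spam-Status", "")
    m = re.search(r"tests=(.*?)(?:\s+(?:autolearn|version)=|\s*$)", status, re.S)
    if not m:
        return set()
    names = {t.strip() for t in m.group(1).split(",")}
    names.discard("")
    names.discard("none")          # SA writes tests=none when no rule hit
    return names

def route(msg_text):
    """Pick a delivery folder (folder names are assumptions). A VBounce hit
    is a flag, not a score, so backscatter is filed first, whatever the spam
    verdict. Bounces rescued by whitelist_bounce_relays never hit
    ANY_BOUNCE_MESSAGE and fall through to the normal inbox/spam decision."""
    if "ANY_BOUNCE_MESSAGE" in spam_status_tests(msg_text):
        return "bounces"
    status = message_from_string(msg_text).get("X-Spam-Status", "")
    return "spam" if status.lstrip().startswith("Yes") else "inbox"

if __name__ == "__main__":
    for name, text in (("backscatter", BACKSCATTER), ("spam", SPAM), ("ham", HAM)):
        print(name, "->", route(text))
```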



Re: Low Scores on Bounce Backs

2008-04-08 Thread Matus UHLAR - fantomas
Sorry for previous mail, I accidentally hit send...

> On Sun, 2008-04-06 at 23:25 -0400, Jeff Koch wrote:
> > Thanks for the reply.  I thought the purpose of adding the
> > 
> > 'whitelist_bounce_relays mailserver_name.com'
> > 
> > in local.cf was so that SA could assign a higher score to bounces that 
> > never originated at your own mailserver. Thereby identifying return address 
> > forgery.

On 07.04.08 12:17, Karsten Bräckelmann wrote:
> Actually quite the opposite. :)  Rather than increasing a score, it is
> used to 'rescue' legitimate bounce messages. See the docs [1].

I don't think it's "opposite". I think he said the same as you - 
whitelist_bounce_relays identifies bounces originating on one's own mailserver,
while the others, matching ANY_BOUNCE_MESSAGE, indicate forgery.

> Basically, it serves two purposes:  (a) Setting this option enables the
> VBounce plugin, and  (b) it prevents legit bounces from being marked
> with the ANY_BOUNCE_MESSAGE and friends rules.

Does whitelist_bounce_relays really turn on VBounce? Does that mean that
*BOUNCE* won't match when it's not set up?

> Of course, we can't stop you from assigning a custom, absurdly high
> score to ANY_BOUNCE_MESSAGE to abuse the existing score based filtering.

I guess a score of e.g. 1 is not absurdly high. Especially not when he uses
SPF/DKIM and his users send mail through his servers.

> However, the purpose of this plugin and the low default score is to not
> weigh in into classifying spam, but to provide a nice handler (see my
> previous post) to identify bounces and treat them specially.

However, this plugin can be easily used to detect backscatter and it's
probably what users will use it for.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.


Re: Low Scores on Bounce Backs

2008-04-08 Thread Matus UHLAR - fantomas
On 07.04.08 12:17, Karsten Bräckelmann wrote:
> From: Karsten Bräckelmann <[EMAIL PROTECTED]>
> Date: Mon, 07 Apr 2008 12:17:36 +0200
> Subject: Re: Low Scores on Bounce Backs
> To: users@spamassassin.apache.org
> 
> On Sun, 2008-04-06 at 23:25 -0400, Jeff Koch wrote:
> > Thanks for the reply.  I thought the purpose of adding the
> > 
> > 'whitelist_bounce_relays mailserver_name.com'
> > 
> > in local.cf was so that SA could assign a higher score to bounces that 
> > never originated at your own mailserver. Thereby identifying return address 
> > forgery.
> 
> Actually quite the opposite. :)  Rather than increasing a score, it is
> used to 'rescue' legitimate bounce messages. See the docs [1].
> 
> Basically, it serves two purposes:  (a) Setting this option enables the
> VBounce plugin, and  (b) it prevents legit bounces from being marked
> with the ANY_BOUNCE_MESSAGE and friends rules.

> Of course, we can't stop you from assigning a custom, absurdly high
> score to ANY_BOUNCE_MESSAGE to abuse the existing score based filtering.

Assigning a score of about 1 doesn't abuse the filtering :)

> However, the purpose of this plugin and the low default score is to not
> weigh in into classifying spam, but to provide a nice handler (see my
> previous post) to identify bounces and treat them specially.

bounces that contain original spam as mime attachment could
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Efficiency of Bayes filter SA vs. Thunderbird

2008-04-08 Thread Alex Woick
Almost all (>95%) of my spam is tagged as BAYES_99 by SA (which is 
great), but only approx. 60% of my spam is classified as spam by my 
Thunderbird 2.0.0.12. Thunderbird also uses a Bayesian filtering 
system. I always learn all of my spam and all of my ham in both systems 
perhaps once a week, not only FP/FN.


I'm just curious: is there any explanation for this big difference? Why 
is the SA implementation that much better? One year ago Thunderbird 
scored much better than nowadays, while SA is still at maximum efficiency.


Tschau
Alex


Re: SA-UPDATE How often new updates?

2008-04-08 Thread Benny Pedersen

On Tue, March 25, 2008 15:27, Patrick Sherrill wrote:
> Is there any reason not to put the updates in /usr/share/spamassassin using
> sa-update with the --updatedir parameter?

/usr/share/spamassassin < this dir is maintained by some package managers
/var/lib/spamassassin is entirely done by spamassassin :-)

I believe it was the real reason not to overwrite files


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098