RE: False Negatives

2008-04-17 Thread Koopmann, Jan-Peter
 http://pastebin.com/m16055c85

Content analysis details:   (9.6 points, 6.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 1.5 URIBL_OB_SURBL            Contains an URL listed in the OB SURBL blocklist
                               [URIs: diroma.us]
 0.5 SPF_HELO_FAIL             SPF: HELO does not match SPF record (fail)
                               [SPF failed: Please see
                               http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
 0.0 NORMAL_HTTP_TO_IP         URI: Uses a dotted-decimal IP address in URL
 2.8 UNWANTED_LANGUAGE_BODY    BODY: Message written in an undesired language
 0.0 HTML_MESSAGE              BODY: HTML included in message
 0.0 BAYES_50                  BODY: Bayesian spam probability is 40 to 60%
                               [score: 0.5000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf: 100]
 2.0 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]
 0.7 SARE_BANK_URI_IP          SARE_BANK_URI_IP
 0.1 CRM114_CHECK              CRM114: message is UNSURE with crm114-score -2.0200


 http://pastebin.com/m52635526

Content analysis details:   (13.0 points, 6.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 2.0 URIBL_BLACK               Contains an URL listed in the URIBL blacklist
                               [URIs: trip-reps6.com]
 1.5 URIBL_JP_SURBL            Contains an URL listed in the JP SURBL blocklist
                               [URIs: trip-reps6.com]
-0.3 BOTNET_SERVERWORDS        Hostname contains server-like substrings
                               [botnet_serverwords,ip=64.187.116.22,rdns=mail.trip-reps6.com]
 0.5 SPF_HELO_FAIL             SPF: HELO does not match SPF record (fail)
                               [SPF failed: Please see
                               http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
 0.1 TW_MF                     BODY: Odd Letter Triples with MF
 0.0 BAYES_50                  BODY: Bayesian spam probability is 40 to 60%
                               [score: 0.5003]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf:  80]
 2.0 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf:  80]
 2.2 DCC_CHECK                 Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.0 DIGEST_MULTIPLE           Message hits more than one network digest check
 0.1 CRM114_CHECK              CRM114: message is UNSURE with crm114-score -1.7700

I did not check the other two. Not sure if DCC/Razor would have seen
them a few hours ago. If they were to cross my server now they would at
least be flagged as spam.

Are you using DCC/RAZOR?


Re: Returned mail spam

2008-04-17 Thread Matus UHLAR - fantomas
 Graham Murray wrote:
 If you publish a suitable SPF record then you will not receive any
 backscatter (which is the subject of this thread) from sites which
 correctly implement SPF checking.

On 16.04.08 18:06, mouss wrote:
 without spf, you will not receive any backscatter from sites which do 
 not accept-then-bounce.

even with SPF ... SPF changes nothing here.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Atheism is a non-prophet organization. 


how to use conditional cf rules

2008-04-17 Thread ram
I have several SA servers; all of them share the same cf files.

There are some particular custom rules I want to run only on some
servers.

One alternative is I put them in a different file and put the cf file
only on the servers that require them. But I don't want to have different
cf files on different servers.
Is there a way I can sync the files to all servers and then put in a
conditional load file?


Thanks
Ram




Re: two versions of spamd running?

2008-04-17 Thread raul benitez

Ok great!
Btw I'm running CentOS 4 so yes redhat

Now if I run these commands how will I know which version of spamd was 
stopped? I want to keep the version of SpamAssassin that's running along 
with MailScanner.
That is where I think the conflict is. MailScanner is running its own 
version and then the older version of SpamAssassin was already installed 
so I want to stop that one.


Thanks!

Jari Fredriksson wrote:

Thanks for the reply!

So if i run that i get

$ ps xafu | grep spamd
root      2146  0.0  0.0  4556   552 pts/1    S+   12:17   0:00  \_ grep spamd
root     16388  0.0  1.8 44492 37708 ?        Ss   10:30   0:04 /usr/bin/spamd -d -c -m8 -H -r /var/run/spamd.pid
nobody     584  0.9  2.6 69180 55884 ?        S    11:05   0:40  \_ spamd child
nobody     588  0.6  1.9 47664 40512 ?        S    12:14   0:01  \_ spamd child
nobody    2117  2.4  1.8 45948 38952 ?        S    12:17   0:00  \_ spamd child
root      2118  0.0  1.7 44492 35640 ?        S    12:17   0:00  \_ spamd child


then doing a

$ /etc/init.d/spamassassin status
spamd (pid 2118 588 584 16388) is running...

So if I was running two versions it would tell me so
right? 
and if I am how do I shut one off?





Yes. You are running a spamd there, so it will be a duplicate if you have 
MailScanner or another thing running it too.

But how to disable spamd? It depends.

If you run a linux, it still depends

1) If it's a debian based linux, you will have a file 
/etc/default/spamassassin. There is a line as ENABLED=1

1.1) First shut down the spamd

/etc/init.d/spamassassin stop

1.2) Edit the default.

Edit the file /etc/default/spamassassin so that it says: ENABLED=0


2) If you have a RedHat/Fedora or SuSE based Linux, command as root

service spamassassin stop
chkconfig spamassassin off

If it's not Linux, and those commands do not work, I have no idea.

You could command

/etc/init.d/spamassassin stop
rm /etc/init.d/spamassassin





  




Re: two versions of spamd running?

2008-04-17 Thread raul benitez

Thanks for the reply!

So if i run that i get

$ ps xafu | grep spamd
root      2146  0.0  0.0  4556   552 pts/1    S+   12:17   0:00  \_ grep spamd
root     16388  0.0  1.8 44492 37708 ?        Ss   10:30   0:04 /usr/bin/spamd -d -c -m8 -H -r /var/run/spamd.pid
nobody     584  0.9  2.6 69180 55884 ?        S    11:05   0:40  \_ spamd child
nobody     588  0.6  1.9 47664 40512 ?        S    12:14   0:01  \_ spamd child
nobody    2117  2.4  1.8 45948 38952 ?        S    12:17   0:00  \_ spamd child
root      2118  0.0  1.7 44492 35640 ?        S    12:17   0:00  \_ spamd child


then doing a

$ /etc/init.d/spamassassin status
spamd (pid 2118 588 584 16388) is running...

So if I was running two versions it would tell me so right?
and if I am how do I shut one off?

Thanks!

Jari Fredriksson wrote:

Any thoughts?

Thanks!



ps xafu | grep spamd

or 


/etc/init.d/spamassassin status





  




Re: Need help with bobax rules

2008-04-17 Thread Michael Scheidell


 From: Justin Mason [EMAIL PROTECTED]
 Date: Wed, 16 Apr 2008 14:16:51 +0100
 To: Jack Pepper [EMAIL PROTECTED]
 Cc: users@spamassassin.apache.org
 Subject: Re: Need help with bobax rules
 
 
 for what it's worth, I just pushed Henry's version of Joe's rules into the
 3.2.x sa-updates.

But did someone sign them right ?

[49696] dbg: gpg: release trusted key id list:
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
26C900A46DD40CD5AD24F6D7DEE01987265FA05B
0C2B1D7175B852C64B3CDC716C55397824F434CE

[49696] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf

[49657] dbg: gpg: gpg: Signature made Wed Apr 16 04:28:44 2008 CDT using RSA
key ID 24F434CE
[49657] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not
cross-certified
[49657] dbg: gpg: gpg: please see
http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[49657] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
[49657] dbg: gpg: gpg: Can't check signature: General error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[49657] dbg: generic: cleaning up temporary directory/files
[49657] dbg: diag: updates complete, exiting with code 4


-- 
Michael Scheidell, CTO
|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

 
 --j.
 
 Jack Pepper writes:
 Quoting Jeremy Fairbrass [EMAIL PROTECTED]:
 
 HI Jack,
 Any chance of sharing your rules for this?!
 
 Cheers,
 Jeremy
 
 Sure:
 
 score BOBAX_GEN_SPAM_2 1.800
 header BOBAX_GEN_SPAM_2   ALL =~
 /^Message-Id:[EMAIL PROTECTED]/m
 describe BOBAX_GEN_SPAM_2   Has Bobax Generated Message-Id, type 2
 
 score BOBAX_GEN_SPAM 1.800
 header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
 describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id
 
 One fellow suggested that it might be more efficient to do this:
 
 score BOBAX_GEN_SPAM 1.800
 header BOBAX_GEN_SPAM   Message-ID =~ /EJXVWDA/m
 describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id
 
 but I wasn't sure if SA would detect that the incorrect case on the
 word message-id and then not realize the test, etc.  Any suggestions?
 
 jp
 
 -- 
 Framework?  I don't need no steenking framework!
 
 
 @fferent Security Labs:  Isolate/Insulate/Innovate
 http://www.afferentsecurity.com
 

_
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com
_
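The `[GNUPG:] ERRSIG ...` line in the log above is GnuPG's machine-readable status output, and it is what sa-update based its refusal on. As an added example (not sa-update's or GnuPG's own code), this Python routine parses such status lines and fails closed the same way: only a GOODSIG whose VALIDSIG fingerprint is in the trusted list is accepted, and an ERRSIG with rc 9 (key not in the keyring) is told apart from the rc 1 general error in the thread. The trusted fingerprints are the three from the log; the "good" and "missing key" status samples are constructed.

```python
import re

# Trusted fingerprints exactly as printed in the thread's "release trusted key
# id list"; the key ID in the thread's ERRSIG line is the last 16 hex digits of
# the third one, so the failure was not a missing key.
TRUSTED_FINGERPRINTS = {
    "5E541DC959CB8BAC7C78DFDC4056A61A5244EC45",
    "26C900A46DD40CD5AD24F6D7DEE01987265FA05B",
    "0C2B1D7175B852C64B3CDC716C55397824F434CE",
}

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# ERRSIG return codes from GnuPG's doc/DETAILS; anything else is a general error.
ERRSIG_REASONS = {"4": "unknown algorithm", "9": "public key not available"}


def parse_status(lines):
    """Yield (keyword, args) for each [GNUPG:] line; plain 'gpg:' text is ignored."""
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if m:
            yield m.group(1), (m.group(2) or "").split()


def trusted_keyids(fingerprints):
    """Long key IDs are the low 64 bits, i.e. the last 16 hex digits, of a fingerprint."""
    return {f[-16:].upper() for f in fingerprints}


def evaluate(lines, trusted=TRUSTED_FINGERPRINTS):
    """Return (accept, reason). Accept only a GOODSIG whose VALIDSIG fingerprint
    (the signing subkey's or its primary key's) is trusted; fail closed otherwise."""
    saw_goodsig = False
    valid_fprs = set()
    trusted_upper = {f.upper() for f in trusted}
    for keyword, args in parse_status(lines):
        if keyword == "GOODSIG":
            saw_goodsig = True
        elif keyword == "VALIDSIG" and args:
            valid_fprs.add(args[0].upper())        # fingerprint of the signing (sub)key
            if len(args) >= 10:
                valid_fprs.add(args[9].upper())    # primary key fingerprint, when given
        elif keyword == "BADSIG":
            return False, "signature does not match the downloaded data"
        elif keyword == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <timestamp> <rc> ...
            keyid = args[0].upper() if args else "?"
            rc = args[5] if len(args) > 5 else "?"
            who = "trusted" if keyid in trusted_keyids(trusted) else "unknown"
            why = ERRSIG_REASONS.get(rc, f"general error (rc={rc})")
            return False, f"cannot check signature by {who} key {keyid}: {why}"
    if not saw_goodsig or not valid_fprs:
        return False, "no GOODSIG/VALIDSIG status seen"
    matched = sorted(valid_fprs & trusted_upper)
    if not matched:
        return False, "good signature, but the key is not in the trusted list"
    return True, "good signature from trusted key " + matched[0]


# Lines taken from the thread's sa-update debug log (the plain gpg: lines are
# kept to show that only the [GNUPG:] status line is interpreted).
THREAD_LOG = [
    "gpg: Signature made Wed Apr 16 04:28:44 2008 CDT using RSA key ID 24F434CE",
    "gpg: WARNING: signing subkey 24F434CE is not cross-certified",
    "[GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1",
    "gpg: Can't check signature: General error",
]

# Constructed status output for a successful verification by the same key.
GOOD_LOG = [
    "[GNUPG:] GOODSIG 6C55397824F434CE Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 0C2B1D7175B852C64B3CDC716C55397824F434CE 2008-04-16 "
    "1208338124 0 3 0 1 2 00 0C2B1D7175B852C64B3CDC716C55397824F434CE",
]

# Constructed: the signing key is simply absent from the keyring (rc 9).
MISSING_KEY_LOG = ["[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1208338124 9"]

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("good", GOOD_LOG), ("missing", MISSING_KEY_LOG)):
        print(name, evaluate(log))
```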


Re: Need help with bobax rules

2008-04-17 Thread Chris
On Thursday 17 April 2008 6:15 am, Michael Scheidell wrote:
  From: Justin Mason [EMAIL PROTECTED]
  Date: Wed, 16 Apr 2008 14:16:51 +0100
  To: Jack Pepper [EMAIL PROTECTED]
  Cc: users@spamassassin.apache.org
  Subject: Re: Need help with bobax rules
 
 
  for what it's worth, I just pushed Henry's version of Joe's rules into
  the 3.2.x sa-updates.

 But did someone sign them right ?

 [49696] dbg: gpg: release trusted key id list:
 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
 26C900A46DD40CD5AD24F6D7DEE01987265FA05B
 0C2B1D7175B852C64B3CDC716C55397824F434CE

 [49696] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf

 [49657] dbg: gpg: gpg: Signature made Wed Apr 16 04:28:44 2008 CDT using
 RSA key ID 24F434CE
 [49657] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not
 cross-certified
 [49657] dbg: gpg: gpg: please see
 http://www.gnupg.org/faq/subkey-cross-certify.html for more information
 [49657] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
 [49657] dbg: gpg: gpg: Can't check signature: General error
 error: GPG validation failed!
 The update downloaded successfully, but the GPG signature verification
 failed.
 channel: GPG validation failed, channel failed
 [49657] dbg: generic: cleaning up temporary directory/files
 [49657] dbg: diag: updates complete, exiting with code 4

FWIW, I saw the same error, however, I re-downloaded the GPG.KEY, and once it 
was installed the update installed correctly.

-- 
Chris
KeyID 0xE372A7DA98E6705C




Re: Need help with bobax rules

2008-04-17 Thread Justin Mason

http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified

--j.

Michael Scheidell writes:
  From: Justin Mason [EMAIL PROTECTED]
  Date: Wed, 16 Apr 2008 14:16:51 +0100
  To: Jack Pepper [EMAIL PROTECTED]
  Cc: users@spamassassin.apache.org
  Subject: Re: Need help with bobax rules
  
  
  for what it's worth, I just pushed Henry's version of Joe's rules into the
  3.2.x sa-updates.
 
 But did someone sign them right ?
 
 [49696] dbg: gpg: release trusted key id list:
 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
 26C900A46DD40CD5AD24F6D7DEE01987265FA05B
 0C2B1D7175B852C64B3CDC716C55397824F434CE
 
 [49696] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
 
 [49657] dbg: gpg: gpg: Signature made Wed Apr 16 04:28:44 2008 CDT using RSA
 key ID 24F434CE
 [49657] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not
 cross-certified
 [49657] dbg: gpg: gpg: please see
 http://www.gnupg.org/faq/subkey-cross-certify.html for more information
 [49657] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
 [49657] dbg: gpg: gpg: Can't check signature: General error
 error: GPG validation failed!
 The update downloaded successfully, but the GPG signature verification
 failed.
 channel: GPG validation failed, channel failed
 [49657] dbg: generic: cleaning up temporary directory/files
 [49657] dbg: diag: updates complete, exiting with code 4
 
 
 -- 
 Michael Scheidell, CTO
 |SECNAP Network Security
 Winner 2008 Network Products Guide Hot Companies
 FreeBSD SpamAssassin Ports maintainer
 
  
  --j.
  
  Jack Pepper writes:
  Quoting Jeremy Fairbrass [EMAIL PROTECTED]:
  
  HI Jack,
  Any chance of sharing your rules for this?!
  
  Cheers,
  Jeremy
  
  Sure:
  
  score BOBAX_GEN_SPAM_2 1.800
  header BOBAX_GEN_SPAM_2   ALL =~
  /^Message-Id:[EMAIL PROTECTED]/m
  describe BOBAX_GEN_SPAM_2   Has Bobax Generated Message-Id, type 2
  
  score BOBAX_GEN_SPAM 1.800
  header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
  describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id
  
  One fellow suggested that it might be more efficient to do this:
  
  score BOBAX_GEN_SPAM 1.800
  header BOBAX_GEN_SPAM   Message-ID =~ /EJXVWDA/m
  describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id
  
  but I wasn't sure if SA would detect that the incorrect case on the
  word message-id and then not realize the test, etc.  Any suggestions?
  
  jp
  
  -- 
  Framework?  I don't need no steenking framework!
  
  
  @fferent Security Labs:  Isolate/Insulate/Innovate
  http://www.afferentsecurity.com
  
 


Re: Need help with bobax rules

2008-04-17 Thread Michael Scheidell

Justin Mason wrote:

http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified
  


bingo! thanks.
(wonder why do a rm on the sa-update-keys dir didn't fix that)


--
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
http://www.technosium.com/hotcompanies/




Bayesian Learning for SpamAssassin

2008-04-17 Thread JasonHirsh

I have SA 3.17 running with amavisd-new, dovecot and Postfix 2.4.3 and
ClamAV on FreeBSD 6.1

I am trying to teach SA using the following

sa-learn /var/mail/vmail/example.com/user/.INBOX.spam/cur/

this is a maildir I have put around 175 spam messages in.

I got the following response

Learned tokens from 0 message(s) (0 message(s) examined)
spam done.archive-iterator: unable to open ~nospam/Maildir/new/: No such
file or directory
Learned tokens from 0 message(s) (0 message(s) examined)
ls: ~nospam/Maildir/new/: No such file or directory
nospam done.The --rebuild option has been deprecated.  Please use --sync
instead.

My novice analysis is that there is a default configuration for the Bayesian
learning that provides a default path for sa-learn.

I have checked amavisd.conf and local.cf and can not find it.  Am I looking
for the wrong file?

Thanks for any help that can be given

Jason 
-- 



Re: Bayesian Learning for SpamAssassin

2008-04-17 Thread Matt Kettler

JasonHirsh wrote:

I have SA 3.17 running with amavisd-new, dovecot and Postfix 2.4.3 and
ClamAV on FreeBSD 6.1

I am trying to teach SA using the following

sa-learn /var/mail/vmail/example.com/user/.INBOX.spam/cur/

this is a maildir I have put around 175 spam messages in.

I got the following response

Learned tokens from 0 message(s) (0 message(s) examined)
spam done.archive-iterator: unable to open ~nospam/Maildir/new/: No such
file or directory
Learned tokens from 0 message(s) (0 message(s) examined)
ls: ~nospam/Maildir/new/: No such file or directory
nospam done.The --rebuild option has been deprecated.  Please use --sync
instead.
  

Are you sure you called exactly this command:

sa-learn /var/mail/vmail/example.com/user/.INBOX.spam/cur/

And not something different? sa-learn seems to think you passed the 
--rebuild option.


Try this instead:

sa-learn --spam /var/mail/vmail/example.com/user/.INBOX.spam/cur/

ie: make sure you're passing the --spam parameter, and no rebuild parameter.



Re: Upgrading

2008-04-17 Thread Jari Fredriksson
 Hi Mike,
 
 Thanks again for the advice. I've just managed to
 misconfigure Postfix by restarting SpamAssassin :((
 Don't know why it is sending spam from my account now, it's
 like bouncing it with my address as From. Probably will
 do the Virtual Machine rehearsal for the upgrade. 
 
 Best regards,
 
 /Hiram
 

Is your Spamassassin started via an entry in /etc/postfix/master.cf?

I had such an installation at first years ago, and it managed to do just as you 
described. It bounced all my email back.

I reconfigured it so that spamc is called by maildrop (could be procmail too, 
of course). I think that is a better solution too, because I have no need to 
send outgoing email to SA. If postfix calls SA via master.cf all mail, 
including outgoing will be scanned.

Best regards,
jarif




 
 Michael Hutchinson-3 wrote:
 
 Hello Hiram,
 
 It's not scary, you have to step up and own it - be
 prepared. The best way might be to replicate the
 situation/scenario in a Virtual environment, and attempt
 upgrading in there first, to see what might go wrong,
 and how you can avoid problems on your live server. 
 
 VMWare is great for this, for me. You might find some
 other Virtualization software suits you, but it is much
 better to use that than to learn Spamassassin on your
 live server(s). 
 
 Doing something on a live server that you haven't done
 before at all, will get you labelled as a loose cannon.
 
 Cheers,
 Mike
 
 
 -Original Message-
 From: hiram [mailto:[EMAIL PROTECTED]
 Sent: 14 April 2008 9:04 p.m.
 To: users@spamassassin.apache.org
 Subject: RE: Upgrading
 
 
 Hi Mike,
 
 That sounds on the limit to scary.
 I will rethink it before upgrading then.
 Thanks for the advice and the information!
 
 Best regards,
 
 /Hiram
 
 
 Michael Hutchinson-3 wrote:
 
 -Original Message-
 
 Sir,
 
 You or someone else, has managed to break apt-get's info about S.A.
 I'm not going into fixing that, that is a Debian question.
 
 You need to download the package manually with 'wget'.
 You can apt-get install wget if you don't have it.
 Use wget to get the package.
 Example: wget http://somefileyouwant.deb
 
 After that use dpkg -i to install the package just as if you'd used apt-get.
 dpkg -i somefileyouwant.deb
 
 That will install your Spamassassin package. Just remember you're opening
 a can of worms by using anything later than S.A. version 3.1.7 on Debian
 Sarge. The newer versions are reported to run fine on Debian Etch.
 
 I botched an upgrade from 3.1.4 - 3.2.3 on Sarge a while ago, and it
 caused a MASSIVE headache with incorrect dependencies, wrong perl modules
 being installed, and config being installed in new/different locations,
 which ended up with an INSANE installation - more than one version
 existing in binaries or config on one singular computer. Not a good look.
 
 It took a long time to fix. (well, it seemed like a very long time)
 
 You'd be better off arranging some downtime. Copying out your current
 S.A config, and completely removing S.A altogether, including manually
 hunting down every config file and binary. Then and only then would I
 consider installing the 3.2.4 package, and restoring the config.
 
 HTH,
 Mike
 
 
 




Re: Error: incomplete data at .../DNS/RR.pm

2008-04-17 Thread Yves Goergen

On 09.04.2008 17:13 CE(S)T, Yves Goergen wrote:

On 09.04.2008 12:41 CE(S)T, Justin Mason wrote:

Yves Goergen writes:
I keep getting this error since I installed SpamAssassin 3.2.4 on my 
Debian 3.1 Linux machine:



Apr  9 11:52:20 mond spamd[2087]: Exception: incomplete data at 
/usr/local/lib/perl/5.8.4/Net/DNS/RR.pm line 513, GEN770 line 275.
Apr  9 11:52:20 mond spamd[2087]:  caught at 
/usr/local/share/perl/5.8.4/Mail/SpamAssassin/DnsResolver.pm line 419
It happens once a day on average. Is this error remotely caused or can I 
do something against it?

it's remotely caused -- it should be safely handled and harmless.


Okay, but why is this written to syslog? I need to add a logcheck rule 
for that - and then it's two lines...


No idea?

--
Yves Goergen LonelyPixel [EMAIL PROTECTED]
Visit my web laboratory at http://beta.unclassified.de


Re: Returned mail spam

2008-04-17 Thread Richard Smits
How safe is it to pump up the score for the ANY_BOUNCE_MESSAGE ?
Is it bug free, so I can give it 5 or 10 points ?

Is anyone doing this ? (Maybe a step too far)

Greetings Richard

Matus UHLAR - fantomas wrote:
 Graham Murray wrote:
 If you publish a suitable SPF record then you will not receive any
 backscatter (which is the subject of this thread) from sites which
 correctly implement SPF checking.
 
 On 16.04.08 18:06, mouss wrote:
 without spf, you will not receive any backscatter from sites which do 
 not accept-then-bounce.
 
 even with SPF ... SPF changes nothing here.
 


Re: False Negatives

2008-04-17 Thread mouss

Koopmann, Jan-Peter wrote:

http://pastebin.com/m16055c85



Content analysis details:   (9.6 points, 6.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 1.5 URIBL_OB_SURBL            Contains an URL listed in the OB SURBL blocklist
                               [URIs: diroma.us]
 0.5 SPF_HELO_FAIL             SPF: HELO does not match SPF record (fail)
                               [SPF failed: Please see
                               http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
 0.0 NORMAL_HTTP_TO_IP         URI: Uses a dotted-decimal IP address in URL
 2.8 UNWANTED_LANGUAGE_BODY    BODY: Message written in an undesired language
 0.0 HTML_MESSAGE              BODY: HTML included in message
 0.0 BAYES_50                  BODY: Bayesian spam probability is 40 to 60%
                               [score: 0.5000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf: 100]
 2.0 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]
 0.7 SARE_BANK_URI_IP          SARE_BANK_URI_IP
 0.1 CRM114_CHECK              CRM114: message is UNSURE with crm114-score -2.0200


It was not on uribl/surbl when OP sent it, and unwanted language isn't 
appropriate for everybody. I ran a test on the first (when OP sent it) 
and it scored a little less than 5 (I don't remember if DCC was hit, but 
razor was).


  

http://pastebin.com/m52635526



Content analysis details:   (13.0 points, 6.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 2.0 URIBL_BLACK               Contains an URL listed in the URIBL blacklist
                               [URIs: trip-reps6.com]
 1.5 URIBL_JP_SURBL            Contains an URL listed in the JP SURBL blocklist
                               [URIs: trip-reps6.com]
-0.3 BOTNET_SERVERWORDS        Hostname contains server-like substrings
                               [botnet_serverwords,ip=64.187.116.22,rdns=mail.trip-reps6.com]
 0.5 SPF_HELO_FAIL             SPF: HELO does not match SPF record (fail)
                               [SPF failed: Please see
                               http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
 0.1 TW_MF                     BODY: Odd Letter Triples with MF
 0.0 BAYES_50                  BODY: Bayesian spam probability is 40 to 60%
                               [score: 0.5003]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf:  80]
 2.0 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf:  80]
 2.2 DCC_CHECK                 Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.0 DIGEST_MULTIPLE           Message hits more than one network digest check
 0.1 CRM114_CHECK              CRM114: message is UNSURE with crm114-score -1.7700

I did not check the other two. Not sure if DCC/Razor would have seen
them a few hours ago. If they were to cross my server now they would at
least be flagged as spam.

Are you using DCC/RAZOR?
  


I guess so, otherwise, he wouldn't get into the 3-4 range as he said.



Re: False Negatives

2008-04-17 Thread Randy Ramsdell

mouss wrote:

Koopmann, Jan-Peter wrote:

http://pastebin.com/m16055c85



Content analysis details:   (9.6 points, 6.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 1.5 URIBL_OB_SURBL            Contains an URL listed in the OB SURBL blocklist
                               [URIs: diroma.us]
 0.5 SPF_HELO_FAIL             SPF: HELO does not match SPF record (fail)
                               [SPF failed: Please see
                               http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
 0.0 NORMAL_HTTP_TO_IP         URI: Uses a dotted-decimal IP address in URL
 2.8 UNWANTED_LANGUAGE_BODY    BODY: Message written in an undesired language
 0.0 HTML_MESSAGE              BODY: HTML included in message
 0.0 BAYES_50                  BODY: Bayesian spam probability is 40 to 60%
                               [score: 0.5000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf: 100]
 2.0 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]
 0.7 SARE_BANK_URI_IP          SARE_BANK_URI_IP
 0.1 CRM114_CHECK              CRM114: message is UNSURE with crm114-score -2.0200

 unwanted language 


It was not on uribl/surbl when OP sent it, and unwanted language 
isn't appropriate for everybody. I ran a test on the first (when OP 
sent it) and it scored a little less than 5 (I don't remember if DCC 
was hit, but razor was).
It really doesn't matter to me whether it was on uribl/surbl when he 
sent it. I provided what our server marked this as, as an example of 
rules that he could look at as to why it was scored low. Other people 
that don't use unwanted language may not need it, but in some cases it 
helps, specifically this case. I ran a test on our log and could not 
find one incident of hitting the unwanted rule, so maybe he should use 
it. I also stated that bayes would help mostly in the cases he provided.


thanks.
rcr


Re: Returned mail spam

2008-04-17 Thread Jason Haar

Richard Smits wrote:

How safe is it to pump up the score for the ANY_BOUNCE_MESSAGE ?
Is it bug free, so I can give it 5 or 10 points ?

  
So you are wanting to mark ANY bounce, out of office, or mailing-list 
related email into your organization as spam? If you want to do that, 
then sure! :-)


My own investigations would show that would not be a good idea. I think 
you meant BOUNCE_MESSAGE instead - but even that is catching stuff 
that isn't backscatter.


...and I don't think the Backscatter FAQ answers this question. IMHO 
VBounce tags *bounces* - not backscatter. Backscatter is a *subset* of 
bounces - so it tags stuff that isn't backscatter.


I'm working on a backscatter.cf to exclusively catch backscatter - but 
it's still tagging incorrect stuff. (all my Sourceforge moderator mail 
for starters). If I get it working reliably, I'll flick it up the food 
chain...



--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



No Blacklist DNS List

2008-04-17 Thread Marc Perkel
I've created a public no blacklist DNS list of host names and IP 
addresses that should never be blacklisted. Some of them are from my 
white list, some from my yellow list, and others are just names and IPs 
that you don't want to be on a blacklist. Here's the link that describes 
how to use it.


http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#No_Blacklist_List

The idea here is if the IP is in this list then you can skip all other 
IP based blacklist tests because if found it would be a false positive. 
It also reduces bandwidth usage and system load by skipping useless tests.
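The policy in this post (an address on the no-blacklist list short-circuits every IP-based blacklist lookup, saving the queries as well as the false positive) can be written down directly. The following is an added example, not code from Marc's list or from SpamAssassin: the zone name is a placeholder (the real one is on the wiki page linked above), the resolver is injected so the code runs offline against constructed zone data, and it also returns the number of lookups made so the saving is visible.

```python
import ipaddress

# Placeholder for the no-blacklist zone; the real zone name is on the linked wiki page.
NOBL_ZONE = "nobl.example.invalid"


def dnsl_name(ip, zone=NOBL_ZONE):
    """Query name for an IPv4 address in a DNS list: octets reversed under the
    zone, the convention DNSBL-style lists use (1.2.3.4 -> 4.3.2.1.<zone>)."""
    addr = ipaddress.ip_address(ip)            # raises ValueError on junk input
    if addr.version != 4:
        raise ValueError("only IPv4 is handled in this example")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def ip_blacklist_verdict(ip, resolve, blacklist_zones):
    """Apply the post's policy and return (verdict, hits, lookups_made).

    resolve(name) must return the A records for name, or [] when unlisted.
    An address on the no-blacklist list yields 'skip' after a single lookup,
    because any blacklist hit for it would be a false positive; otherwise the
    blacklists are queried and the zones that list the address are returned."""
    lookups = 0

    def lookup(name):
        nonlocal lookups
        lookups += 1
        return resolve(name)

    if lookup(dnsl_name(ip)):
        return "skip", [], lookups
    hits = [zone for zone in blacklist_zones if lookup(dnsl_name(ip, zone))]
    return ("listed" if hits else "clean"), hits, lookups


# Constructed, in-memory stand-in for DNS answers so the example runs offline.
FAKE_ZONE_DATA = {
    "4.3.2.1." + NOBL_ZONE: ["127.0.0.2"],          # 1.2.3.4 must never be blacklisted
    "4.3.2.1.bl1.example.invalid": ["127.0.0.2"],   # ...yet a blacklist lists it anyway
    "8.7.6.5.bl1.example.invalid": ["127.0.0.2"],   # 5.6.7.8 is genuinely listed
}


def fake_resolve(name):
    return FAKE_ZONE_DATA.get(name, [])


BLACKLISTS = ["bl1.example.invalid", "bl2.example.invalid"]   # placeholders

if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(ip, ip_blacklist_verdict(ip, fake_resolve, BLACKLISTS))
```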





RE: SPF and Hotmail

2008-04-17 Thread Michael Hutchinson
 -Original Message-
 From: Benny Pedersen [mailto:[EMAIL PROTECTED]
 Sent: 16 April 2008 7:25 p.m.
 To: users@spamassassin.apache.org
 Subject: RE: SPF and Hotmail
 
 
 On Wed, April 16, 2008 00:14, Michael Hutchinson wrote:
 
  domain:
  def_whitelist_auth [EMAIL PROTECTED]
  user:
  whitelist_auth [EMAIL PROTECTED]
 
  Cool, thanks Benny.
 
 np
 
  I can't employ what you've told me as upgrading to 3.2.4 is out of the
  question until I rebuild the mail server (Debian Sarge), but the advice
  is appreciated.
 
 until you have 3.2.4 then
 
 def_whitelist_spf [EMAIL PROTECTED]
 whitelist_spf [EMAIL PROTECTED]
 
 never whitelist a domain, the above is imho better since you still can
 control the scores differently
 
 spamassassin 2>&1 -D spf -t < /tmp/msg | less
 
 to see it works or not
 
 

Thanks for the information Benny. I haven't had time to put things into
operation yet so am unable to report success or not, but I'm sure things
will work out fine. 

Thanks again!
Cheers,
Michael Hutchinson




Re: Need help with bobax rules

2008-04-17 Thread Jeremy Fairbrass
Are Henry's versions of these rules different to what Jack posted below, and if so, where can I find them? I'm still running SA 
3.1.8 (unable to upgrade yet) so I wouldn't receive them if you've pushed them to the 3.2 sa-update.


Cheers,
Jeremy



Justin Mason [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]


for what it's worth, I just pushed Henry's version of Joe's rules into the
3.2.x sa-updates.

--j.

Jack Pepper writes:

Quoting Jeremy Fairbrass [EMAIL PROTECTED]:

 HI Jack,
 Any chance of sharing your rules for this?!

 Cheers,
 Jeremy

Sure:

score BOBAX_GEN_SPAM_2 1.800
header BOBAX_GEN_SPAM_2   ALL =~
/^Message-Id:[EMAIL PROTECTED]/m
describe BOBAX_GEN_SPAM_2   Has Bobax Generated Message-Id, type 2

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

One fellow suggested that it might be more efficient to do this:

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   Message-ID =~ /EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

but I wasn't sure if SA would detect that the incorrect case on the
word message-id and then not realize the test, etc.  Any suggestions?

jp

--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate
http://www.afferentsecurity.com