Re: Trouble with VBounce
Anyone? Do you get the same analysis with the attached message that I got? Is my VBounce setup wrong then?

Erik

(did my message get ignored because of the text attachment?)

On May 12, 2008, at 11:32 AM, Erik Dasque wrote:

> Hi all,
>
> I am having trouble with VBounce. I think I followed the FAQ to the letter yet most of the backscatter still ends up in my mailbox. For example, if I analyze the attached sample email (which I received this morning), I get the following:
>
> [ ]
> Spam detection software, running on the system li9-234.members.linode.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see root for details.
>
> Content preview: Your message did not reach some or all of the intended recipients. The e-mail account does not exist. Check the e-mail address or contact the recipient directly to confirm the address. Devon Roy [EMAIL PROTECTED] [...]
>
> Content analysis details: (-2.0 points, 3.0 required)
>
>  pts rule name  description
> ---- ---------- -----------
> -2.3 BAYES_00   BODY: Bayesian spam probability is 0 to 1% [score: 0.]
>  0.3 AWL        AWL: From: address is in the auto white-list
>
> As you see, no bounce related analysis. However some messages get filtered out as bounce (just not the one attached and quite a few of its brethren) which tells me it's at least working a bit:
>
> X-Spam-Report:
>  * 1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
>  *     [URIs: bambinidimanina.org]
>  * 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
>  *     [URIs: bambinidimanina.org]
>  * 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>  *     [URIs: bambinidimanina.org]
>  * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
>  *     [score: 0.5000]
>  * 0.1 CRBOUNCE_MESSAGE Challenge-response bounce message
>  * 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
>
> Any idea for me?
>
> Erik
>
> sample-vbounce.txt
Re: Trouble with VBounce
I checked the debug result of my a --lint and got:

[EMAIL PROTECTED]:~$ spamassassin 2>&1 -D --lint | grep ounce
[13492] dbg: plugin: loading Mail::SpamAssassin::Plugin::VBounce from @INC
[13492] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf
[13492] dbg: config: using /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf for included file
[13492] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf

This seems right, yes?

Erik

On May 13, 2008, at 8:14 AM, Erik Dasque wrote:

> Anyone? Do you get the same analysis with the attached message that I got? Is my VBounce setup wrong then?
>
> Erik
>
> (did my message get ignored because of the text attachment?)
>
> On May 12, 2008, at 11:32 AM, Erik Dasque wrote:
>
>> Hi all,
>>
>> I am having trouble with VBounce. I think I followed the FAQ to the letter yet most of the backscatter still ends up in my mailbox. For example, if I analyze the attached sample email (which I received this morning), I get the following:
>>
>> [ ]
>> Spam detection software, running on the system li9-234.members.linode.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see root for details.
>>
>> Content preview: Your message did not reach some or all of the intended recipients. The e-mail account does not exist. Check the e-mail address or contact the recipient directly to confirm the address. Devon Roy [EMAIL PROTECTED] [...]
>>
>> Content analysis details: (-2.0 points, 3.0 required)
>>
>>  pts rule name  description
>> ---- ---------- -----------
>> -2.3 BAYES_00   BODY: Bayesian spam probability is 0 to 1% [score: 0.]
>>  0.3 AWL        AWL: From: address is in the auto white-list
>>
>> As you see, no bounce related analysis. However some messages get filtered out as bounce (just not the one attached and quite a few of its brethren) which tells me it's at least working a bit:
>>
>> X-Spam-Report:
>>  * 1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
>>  *     [URIs: bambinidimanina.org]
>>  * 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
>>  *     [URIs: bambinidimanina.org]
>>  * 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>  *     [URIs: bambinidimanina.org]
>>  * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
>>  *     [score: 0.5000]
>>  * 0.1 CRBOUNCE_MESSAGE Challenge-response bounce message
>>  * 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
>>
>> Any idea for me?
>>
>> Erik
>>
>> sample-vbounce.txt
Re: Trouble with VBounce
Hi, Eric

2008/5/13 Erik Dasque [EMAIL PROTECTED]:

> I checked the debug result of my a --lint and got:
>
> [EMAIL PROTECTED]:~$ spamassassin 2>&1 -D --lint | grep ounce
> [13492] dbg: plugin: loading Mail::SpamAssassin::Plugin::VBounce from @INC
> [13492] dbg: config: fixed relative path: /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf
> [13492] dbg: config: using /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf for included file
> [13492] dbg: config: read file /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf
>
> This seems right, yes?
>
> Erik
>
> On May 13, 2008, at 8:14 AM, Erik Dasque wrote:
>
>> Anyone? Do you get the same analysis with the attached message that I got? Is my VBounce setup wrong then?
>>
>> Erik
>>
>> (did my message get ignored because of the text attachment?)
>>
>> On May 12, 2008, at 11:32 AM, Erik Dasque wrote:
>>
>>> Hi all,
>>>
>>> I am having trouble with VBounce. I think I followed the FAQ to the letter yet most of the backscatter still ends up in my mailbox. For example, if I analyze the attached sample email (which I received this morning), I get the following:
>>>
>>> [ ]
>>> Spam detection software, running on the system li9-234.members.linode.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see root for details.
>>>
>>> Content preview: Your message did not reach some or all of the intended recipients. The e-mail account does not exist. Check the e-mail address or contact the recipient directly to confirm the address. Devon Roy [EMAIL PROTECTED] [...]
>>>
>>> Content analysis details: (-2.0 points, 3.0 required)
>>>
>>>  pts rule name  description
>>> ---- ---------- -----------
>>> -2.3 BAYES_00   BODY: Bayesian spam probability is 0 to 1% [score: 0.]
>>>  0.3 AWL        AWL: From: address is in the auto white-list
>>>
>>> As you see, no bounce related analysis. However some messages get filtered out as bounce (just not the one attached and quite a few of its brethren) which tells me it's at least working a bit:
>>>
>>> X-Spam-Report:
>>>  * 1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
>>>  *     [URIs: bambinidimanina.org]
>>>  * 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
>>>  *     [URIs: bambinidimanina.org]
>>>  * 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>>  *     [URIs: bambinidimanina.org]
>>>  * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
>>>  *     [score: 0.5000]
>>>  * 0.1 CRBOUNCE_MESSAGE Challenge-response bounce message
>>>  * 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
>>>
>>> Any idea for me?

Yup. Did you whitelist your servers? If you don't do it, SA doesn't know how to tell a legit bounce from UBE-generated bounces. You should have something like

whitelist_bounce_relays my.server.name other.server.name

in your local.cf. Then you'll start to notice how bounce notifications start to get tagged as spam.

>>> Erik
>>>
>>> sample-vbounce.txt

Regards,

Luis

--
_
GNU/GPL: May The Source Be With You...
Linux Registered User #448382.
_
Re: faked bouncebacks. what the?
On 12.05.08 21:49, Arvid Ephraim Picciani wrote:

> http://rafb.net/p/q3eZwd93.html
>
> anyone can see any sense in it? it uses my hostname to fake a bounceback that claims i sent a message to another faked address, while all doing that from a dialup. what's the point of that? testing spambots?

from the SA FAQ (http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions):

# I'm getting a lot of backscatter / bounce messages / undeliverable email notices / etc. regarding mail I didn't send. How can I block them?

http://wiki.apache.org/spamassassin/VBounceRuleset

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
Re: trusted mailing list subscriber spam
>> On Sun, May 11, 2008 22:39, mouss wrote:
>>> a +all and you are annoying us about forwarding and SPF?

On 12.05.08 23:07, Benny Pedersen wrote:

> he, i have +all and forward nothing :)

it's not about what do you forward, it's about others forwarding your e-mail (without rewriting mail from: which is a bad thing).

> stop annoying me that spf cant be used

Don't wonder if anyone will reject or flag your e-mail because having +all in SPF

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One OS to rule them all, One OS to find them, One OS to bring them all and into darkness bind them
Re: faked bouncebacks. what the?
On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:

> On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
>> http://rafb.net/p/q3eZwd93.html
>>
>> anyone can see any sense in it? it uses my hostname to fake a bounceback that claims i sent a message to another faked address, while all doing that from a dialup. what's the point of that? testing spambots?
>
> from the SA FAQ (http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions):
>
> # I'm getting a lot of backscatter / bounce messages / undeliverable email notices / etc. regarding mail I didn't send. How can I block them?
>
> http://wiki.apache.org/spamassassin/VBounceRuleset

It's not backscatter. Please read the message again, you'll see that it actually _pretends_ to be backscatter. I'm just asking here because i wondered why someone would do that.

--
best regards
Arvid Ephraim Picciani
Re: Trouble with VBounce
actually, the message simply isn't in a format known to the ruleset.

The problem is that it doesn't contain a bounced message at all... just the bounce, and no copy of the original message. Since there's no copy of the original, there's no way to tell what message it was in reply to, and whether it was in response to a fake or real mail. So vbounce won't fire on it.

--j.

Erik Dasque writes:

> Anyone? Do you get the same analysis with the attached message that I got? Is my VBounce setup wrong then?
>
> Erik
>
> (did my message get ignored because of the text attachment?)
>
> On May 12, 2008, at 11:32 AM, Erik Dasque wrote:
>
>> Hi all,
>>
>> I am having trouble with VBounce. I think I followed the FAQ to the letter yet most of the backscatter still ends up in my mailbox. For example, if I analyze the attached sample email (which I received this morning), I get the following:
>>
>> [ ]
>> Spam detection software, running on the system li9-234.members.linode.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see root for details.
>>
>> Content preview: Your message did not reach some or all of the intended recipients. The e-mail account does not exist. Check the e-mail address or contact the recipient directly to confirm the address. Devon Roy [EMAIL PROTECTED] [...]
>>
>> Content analysis details: (-2.0 points, 3.0 required)
>>
>>  pts rule name  description
>> ---- ---------- -----------
>> -2.3 BAYES_00   BODY: Bayesian spam probability is 0 to 1% [score: 0.]
>>  0.3 AWL        AWL: From: address is in the auto white-list
>>
>> As you see, no bounce related analysis. However some messages get filtered out as bounce (just not the one attached and quite a few of its brethren) which tells me it's at least working a bit:
>>
>> X-Spam-Report:
>>  * 1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
>>  *     [URIs: bambinidimanina.org]
>>  * 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
>>  *     [URIs: bambinidimanina.org]
>>  * 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>  *     [URIs: bambinidimanina.org]
>>  * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
>>  *     [score: 0.5000]
>>  * 0.1 CRBOUNCE_MESSAGE Challenge-response bounce message
>>  * 0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
>>
>> Any idea for me?
>>
>> Erik
>>
>> sample-vbounce.txt
Re: German Spam
On Wednesday, 30 May 2007 Sebastian Wiesinger wrote:

> It's a nice ruleset but we had a major problem with it. RDJ pulled in an update which contained these lines:

Sorry for that problem, and sorry for only answering now. I'd been busy on some private problems, and hope to get into this list more often again.

In case of problems with the ZMI_GERMAN rulesets, please contact the e-mail address listed in that file - I read that more often than this list.

I wish more people would use the ZMI_GERMAN ruleset, and contribute to it. Our servers are very heavily Anti-SPAM now, and I didn't get german some for quite some time that would have passed our filters, so inclusion of new spam is slow now. So, please report spam to me directly.

mfg zmi

--
// Michael Monnerie, Ing.BSc - http://it-management.at
// Tel: 0676/846 914 666 .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net Key-ID: 1C1209B4

signature.asc
Description: This is a digitally signed message part.
Re: Trouble with VBounce
> Yup. Did you whitelist your servers? If you don't do it, SA doesn't know how to tell a legit bounce from UBE-generated bounces. You should have something like
>
> whitelist_bounce_relays my.server.name other.server.name
>
> in your local.cf.

True, and the OP did. He included another header snippet, showing ANY_BOUNCE_MESSAGE hitting.

> Then you'll start to notice how bounce notifications start to get tagged as spam.

This is not true, however. VBounce will add a mere 0.1 or 0.2 to the score, which hardly can be seen as tagging as spam. The purpose of VBounce is to *identify* backscatter. Not to treat it as spam.

Please, let me re-iterate what I have posted in here a bunch of times already... :)

$ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf
# If you use this, set up procmail or your mail app to spot the
# ANY_BOUNCE_MESSAGE rule hits in the X-Spam-Status line, and move
# messages that match that to a 'vbounce' folder.

guenther

--
char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
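The routing that the quoted 20_vbounce.cf comment describes, sketched in Python rather than procmail as an added example (it is not code from the thread or from SpamAssassin). The sample messages, their addresses and the folder names other than 'vbounce' are constructed for illustration.

```python
import re
from collections import namedtuple
from email import message_from_string

SpamStatus = namedtuple("SpamStatus", "is_spam score required tests")

# Rule named in the 20_vbounce.cf comment quoted above.
BOUNCE_RULE = "ANY_BOUNCE_MESSAGE"


def parse_spam_status(raw_message):
    """Parse X-Spam-Status; return None if the header is absent or malformed."""
    value = message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        return None
    # The header is normally folded in the middle of the tests= list.
    value = re.sub(r"\r?\n[ \t]+", " ", value).strip()
    verdict = re.match(r"(Yes|No)\b", value, re.I)
    score = re.search(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)", value)
    required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", value)
    # tests= runs until the next key=value pair or the end of the header.
    tests = re.search(r"\btests=(.*?)(?=\s+\w+=|$)", value)
    if not (verdict and score and required and tests):
        return None
    names = {t.strip() for t in tests.group(1).split(",") if t.strip()}
    names.discard("none")
    return SpamStatus(verdict.group(1).lower() == "yes",
                      float(score.group(1)), float(required.group(1)), names)


def choose_folder(raw_message):
    """Route on the rule name, not the score: a bounce hit adds only ~0.1."""
    status = parse_spam_status(raw_message)
    if status is None:
        return "inbox"
    if BOUNCE_RULE in status.tests:
        return "vbounce"
    return "spam" if status.is_spam else "inbox"


# Constructed sample: a bounce that scores well below the spam threshold.
SAMPLE_BOUNCE = (
    "From: MAILER-DAEMON@mail.example.net\n"
    "To: user@example.org\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    "X-Spam-Status: No, score=-2.1 required=3.0 tests=ANY_BOUNCE_MESSAGE,BAYES_00,\n"
    "\tCRBOUNCE_MESSAGE autolearn=no version=3.2.4\n"
    "\n"
    "Your message could not be delivered.\n"
)

# Constructed sample: ordinary spam with no bounce rule hit.
SAMPLE_SPAM = (
    "From: sender@example.com\n"
    "Subject: offer\n"
    "X-Spam-Status: Yes, score=5.4 required=3.0 tests=BAYES_50,URIBL_BLACK\n"
    "\tautolearn=no version=3.2.4\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("bounce", SAMPLE_BOUNCE), ("spam", SAMPLE_SPAM)):
        print(name, "->", choose_folder(raw), parse_spam_status(raw))
```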
Re: faked bouncebacks. what the?
> On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
>> On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
>>> http://rafb.net/p/q3eZwd93.html
>>>
>>> anyone can see any sense in it? it uses my hostname to fake a bounceback that claims i sent a message to another faked address, while all doing that from a dialup. what's the point of that? testing spambots?
>>
>> from the SA FAQ (http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions):
>>
>> # I'm getting a lot of backscatter / bounce messages / undeliverable email notices / etc. regarding mail I didn't send. How can I block them?
>>
>> http://wiki.apache.org/spamassassin/VBounceRuleset

On 13.05.08 15:17, Arvid Ephraim Picciani wrote:

> It's not backscatter. Please read the message again, you'll see that it actually _pretends_ to be backscatter. I'm just asking here because i wondered why someone would do that.

I've looked at it and I've (probably) missed it (again). Why do you think that it pretends to look like backscatter, and why do you think it is not?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: Trouble with VBounce
My problem is that despite the fact that VBounce is enabled very few of the backscatter gets trapped (5%?). Even messages that include the headers of the original message such as the following don't get trapped (I thought VBounce was able to analyze included headers to look for the SMTP white listing).

So VBounce cannot do anything if the headers from the joe-jobbing message are not included. What of the message that I just included, while it doesn't contain the body of the message, it includes headers from the original message that should tell VBounce it wasn't sent from one of my SMTP servers, right?:

Final-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=02133-01-112
Last-Attempt-Date: Tue, 13 May 2008 09:56:07 -0400 (EDT)

Received: from 79.131.82.115 (localhost [127.0.0.1]) by relay.u-s-c-co.com (Spam Firewall) with ESMTP id 83CEB15F4FE for [EMAIL PROTECTED]; Tue, 13 May 2008 09:56:05 -0400 (EDT)
Received: from 79.131.82.115 ([79.131.82.115]) by relay.u-s-c-co.com with ESMTP id K81IVHFwdqDLBFGh for [EMAIL PROTECTED]; Tue, 13 May 2008 09:56:05 -0400 (EDT)
Message-ID: [EMAIL PROTECTED]
From: hussein anil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: million selections
Date: Tue, 13 May 2008 12:09:15 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01C8B501.0491D065
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

On May 13, 2008, at 10:26 AM, Karsten Bräckelmann wrote:

>> Yup. Did you whitelist your servers? If you don't do it, SA doesn't know how to tell a legit bounce from UBE-generated bounces. You should have something like
>>
>> whitelist_bounce_relays my.server.name other.server.name
>>
>> in your local.cf.
>
> True, and the OP did. He included another header snippet, showing ANY_BOUNCE_MESSAGE hitting.
>
>> Then you'll start to notice how bounce notifications start to get tagged as spam.
>
> This is not true, however. VBounce will add a mere 0.1 or 0.2 to the score, which hardly can be seen as tagging as spam. The purpose of VBounce is to *identify* backscatter. Not to treat it as spam.
>
> Please, let me re-iterate what I have posted in here a bunch of times already... :)
>
> $ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf
> # If you use this, set up procmail or your mail app to spot the
> # ANY_BOUNCE_MESSAGE rule hits in the X-Spam-Status line, and move
> # messages that match that to a 'vbounce' folder.
>
> guenther
>
> --
> char *t=[EMAIL PROTECTED] \x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i %8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]) { putchar(t[s]);h=m;s=0; }}}
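A simplified model of the decision discussed in the messages above (jm's point that a bounce without a copy of the original cannot be judged, and Erik's question about embedded Received: headers), added here as an example; it is not the VBounce plugin's code, and whether the ruleset recognises a given bounce format at all is a separate matter. The relay names are the placeholders from the whitelist_bounce_relays line, and the three bounce bodies and their hosts are constructed.

```python
import re

# Assumption: placeholder hostnames, as in the whitelist_bounce_relays line
# quoted in this thread.
WHITELIST_BOUNCE_RELAYS = {"my.server.name", "other.server.name"}

HOST_TOKEN = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def embedded_received_hosts(bounce_body):
    """Return host-like tokens from Received: lines quoted inside a bounce
    body, or None when the body contains no Received: line at all."""
    # Drop reply-style quote prefixes, then unfold continuation lines.
    lines = [re.sub(r"^(?:>\s?)+", "", ln) for ln in bounce_body.splitlines()]
    unfolded = re.sub(r"\n[ \t]+", " ", "\n".join(lines))
    hosts, saw_received = set(), False
    for line in unfolded.split("\n"):
        if not line.lower().startswith("received:"):
            continue
        saw_received = True
        hosts.update(tok.lower() for tok in HOST_TOKEN.findall(line))
    return hosts if saw_received else None


def classify_bounce(bounce_body, relays=WHITELIST_BOUNCE_RELAYS):
    """'own-mail'     : the returned headers name one of our relays
       'backscatter'  : returned headers exist but none names our relays
       'undetermined' : nothing of the original message was returned"""
    hosts = embedded_received_hosts(bounce_body)
    if hosts is None:
        return "undetermined"
    return "own-mail" if hosts & {r.lower() for r in relays} else "backscatter"


# Constructed: bounce of mail that really left through our relay (folded header).
BOUNCE_OF_OWN_MAIL = """\
This is the mail system. Your message could not be delivered.

Received: from workstation.example.org ([192.0.2.10])
\tby my.server.name with ESMTP id 4F2A1; Tue, 13 May 2008 09:56:05 -0400
From: user@example.org
Subject: quarterly report
"""

# Constructed: returned headers show the mail entered elsewhere.
BOUNCE_OF_FORGED_MAIL = """\
Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.7.1

Received: from 198.51.100.23 ([198.51.100.23]) by relay.example.net
 with ESMTP id ABC123; Tue, 13 May 2008 09:56:05 -0400
From: user@example.org
Subject: constructed subject
"""

# Constructed: notice text only, no copy of the original message or headers.
BOUNCE_WITHOUT_ORIGINAL = """\
Your message did not reach some or all of the intended recipients.
The e-mail account does not exist.
"""

if __name__ == "__main__":
    for name, body in (("own", BOUNCE_OF_OWN_MAIL),
                       ("forged", BOUNCE_OF_FORGED_MAIL),
                       ("bare", BOUNCE_WITHOUT_ORIGINAL)):
        print(name, "->", classify_bounce(body))
```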
Re: Trouble with VBounce
Karsten:

2008/5/13 Karsten Bräckelmann [EMAIL PROTECTED]:

>> Yup. Did you whitelist your servers? If you don't do it, SA doesn't know how to tell a legit bounce from UBE-generated bounces. You should have something like
>>
>> whitelist_bounce_relays my.server.name other.server.name
>>
>> in your local.cf.
>
> True, and the OP did. He included another header snippet, showing ANY_BOUNCE_MESSAGE hitting.
>
>> Then you'll start to notice how bounce notifications start to get tagged as spam.
>
> This is not true, however. VBounce will add a mere 0.1 or 0.2 to the score, which hardly can be seen as tagging as spam. The purpose of VBounce is to *identify* backscatter. Not to treat it as spam.
>
> Please, let me re-iterate what I have posted in here a bunch of times already... :)

Well, you're right. I didn't express myself clearly. However, I have a heavily modified vbounce2.cf in the /etc/spamassassin/ folder, which assigns a default score of 7 to many bounce messages, since we don't accept foreign bounces here.

> $ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf
> # If you use this, set up procmail or your mail app to spot the
> # ANY_BOUNCE_MESSAGE rule hits in the X-Spam-Status line, and move
> # messages that match that to a 'vbounce' folder.
>
> guenther
>
> --
> char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Anyway, thanks for pointing out the real aim of VBounce. I lost it completely, and now you've got me thinking if what I'm doing is wrong.

Regards,

Luis

--
_
GNU/GPL: May The Source Be With You...
Linux Registered User #448382.
_
Re: faked bouncebacks. what the?
On Tue, 13 May 2008, Matus UHLAR - fantomas wrote:

>> On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
>>> On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
>>>> http://rafb.net/p/q3eZwd93.html
>>>>
>>>> anyone can see any sense in it? it uses my hostname to fake a bounceback that claims i sent a message to another faked address, while all doing that from a dialup. what's the point of that? testing spambots?
>>>
>>> from the SA FAQ (http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions):
>>>
>>> # I'm getting a lot of backscatter / bounce messages / undeliverable email notices / etc. regarding mail I didn't send. How can I block them?
>>>
>>> http://wiki.apache.org/spamassassin/VBounceRuleset
>
> On 13.05.08 15:17, Arvid Ephraim Picciani wrote:
>> It's not backscatter. Please read the message again, you'll see that it actually _pretends_ to be backscatter. I'm just asking here because i wondered why someone would do that.
>
> I've looked at it and I've (probably) missed it (again). Why do you think that it pretends to look like backscatter, and why do you think it is not?

Not to put words in anyone else's mouth, but I think what sets the recent incidents apart from backscatter is one of intention.

Backscatter is the unintended blowback of spams sent out with forged From addresses where the intention is to deliver spam directly to a victim.

This new phenomenon, which I've been referring to as bounce spam (or maybe bounced spam) reverses the intentionality. That is, bounce spam is intentionally sent to misconfigured servers that are known to bounce rather than reject, in which the forged From address is the intended victim. The fact that it's a bounce is just another way of eluding spam filters.

In other words, backscatter is a by-product of spamming, while bounced spam is the product itself.

--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
Re: faked bouncebacks. what the?
On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:

> I've looked at it and I've (probably) missed it (again). Why do you think that it pretends to look like backscatter, and why do you think it is not?

backscatter is what happens if mail systems automatically reply to forged From: headers. In this case the mail was never sent over any third party. It claims to be bounceback from my own MTA, while in fact it never went through any MTA (directly sent from dialup).

I'm worried that this might be a new form of joe jobbing. Ie someone sends out mails that look like bounceback from your machines.

--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
bayes learning not on using cPanel
I am using the spamassassin that is installed when you install cPanel. I have been attempting to get the automatic bayes learning to work. I have set use_bayes to 1 in my properties file but it doesn't seem to be working. I say this because it appears that the only time the bayes_toks file gets updated is when I use sa-learn. Is there another way to verify that this is working? Thanks, Angie
spamd
Spamd is not using whitelist_from_rcvd or whitelist_from_spf in local.cf, but when i run a test msg

spamassassin --test-mode 113.msg

or

spamassassin -D 113.msg

The whitelist_from_rcvd and whitelist_from_spf are working. I've even tried setting the path. Here is how I'm launching spamd:

/opt/csw/bin/spamd -dl -u spamassassin --allowed-ips=192.168.0.0/16 --listen-ip=192.168.1.36 --port=783 -C /opt/csw/etc/spamassassin
Re: Spanish Content
Diego Pomatta wrote:

> For more info on usage, etc -- http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_TextCat.html

Make that http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_TextCat.html for the 3.2.x version.
Re: Spanish Content
Diego Pomatta wrote:

> Try adding
>
> loadplugin Mail::SpamAssassin::Plugin::TextCat
>
> to your /etc/mail/spamassassin/init.pre, to enable the TextCat plugin

Or better yet, edit your /etc/mail/spamassassin/v310.pre file and uncomment

#loadplugin Mail::SpamAssassin::Plugin::TextCat

It's already there :$ but disabled by default.
Re: trusted mailing list subscriber spam
Matus UHLAR - fantomas wrote:

>>> On Sun, May 11, 2008 22:39, mouss wrote:
>>>> a +all and you are annoying us about forwarding and SPF?
>
> On 12.05.08 23:07, Benny Pedersen wrote:
>> he, i have +all and forward nothing :)
>
> it's not about what do you forward, it's about others forwarding your e-mail (without rewriting mail from: which is a bad thing).

and more importantly: about others being able to reject mail claiming to be from his domain but coming out of faraway clients.

>> stop annoying me that spf cant be used
>
> Don't wonder if anyone will reject or flag your e-mail because having +all in SPF

exactly.
Re: trusted mailing list subscriber spam
On Tue, May 13, 2008 15:19, Matus UHLAR - fantomas wrote:

> Don't wonder if anyone will reject or flag your e-mail because having +all in SPF

yes i need to implement srs to fix it better ?

come on, srs and +all it imho the same seen to the recipient

diff is that i dont use srs installed anywhere

fact:

v=spf1 +all

this is bad !

v=spf1 mx +all

this is not

if admins see them as equal, blame them

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
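How a receiving server evaluates the SPF records discussed in this thread, as an added example (not code from any poster). It implements only the all, ip4, ip6 and mx mechanisms, and the MX table, domain and addresses are constructed stand-ins for DNS.

```python
import ipaddress

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS: addresses of each domain's MX hosts.
MX_ADDRESSES = {"example.org": ["192.0.2.25", "2001:db8::25"]}


def parse_term(term):
    """Split one SPF term into (qualifier, mechanism name, argument)."""
    qualifier = "+"                      # a bare mechanism means '+'
    if term[0] in RESULT_BY_QUALIFIER:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def evaluate_spf(record, sender_ip, domain, mx_addresses=MX_ADDRESSES):
    """Evaluate mechanisms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            raise ValueError("modifiers are outside this example: " + term)
        qualifier, name, arg = parse_term(term)
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = mx_addresses.get((arg or domain).lower(), [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        else:
            raise ValueError("mechanism outside this example: " + name)
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched, no 'all' present


def permits_any_sender(record):
    """True when the first 'all' is pass-qualified: every address that no
    earlier term stopped ends up with 'pass'."""
    for term in record.split()[1:]:
        if "=" in term:
            continue
        qualifier, name, _ = parse_term(term)
        if name == "all":
            return qualifier == "+"
    return False


if __name__ == "__main__":
    unrelated = "203.0.113.7"            # constructed: not an MX of example.org
    for rec in ("v=spf1 +all", "v=spf1 mx +all", "v=spf1 mx ~all", "v=spf1 mx -all"):
        print(f"{rec:18} unrelated={evaluate_spf(rec, unrelated, 'example.org'):9}"
              f" mx={evaluate_spf(rec, '192.0.2.25', 'example.org'):5}"
              f" open={permits_any_sender(rec)}")
```

For a host that is not one of the domain's MX addresses, both records ending in +all return pass, which is why receivers may treat them alike.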
Re: faked bouncebacks. what the?
Arvid Ephraim Picciani wrote:

> On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:
>> I've looked at it and I've (probably) missed it (again). Why do you think that it pretends to look like backscatter, and why do you think it is not?
>
> backscatter is what happens if mail systems automatically reply to forged From: headers. In this case the mail was never sent over any third party. It claims to be bounceback from my own MTA, while in fact it never went through any MTA (directly sent from dialup).
>
> I'm worried that this might be a new form of joe jobbing. Ie someone sends out mails that look like bounceback from your machines.

Fake NDRs have been discussed few years ago. for example, sophos spam and the non-delivery report.. dates back to March 2004.

That said, one possibility is this: Some soho have an MSA on a dsl line. a ratwared box inside (or a web service running on the MSA box) sends mail to an invalid recipient. the MSA gets rejected and then sends you an NDR. the MSA is borked enough to helo with the recipient domain, and generates an incomplete NDR.

anyway, you can safely reject mail from systems that helo with your own domain... (or is this mail to a trap?).

PS. The link you posted is no more valid... (I mean http://rafb.net/p/q3eZwd93.html)
Re: faked bouncebacks. what the?
>> On 13.05.08 15:17, Arvid Ephraim Picciani wrote:
>>> It's not backscatter. Please read the message again, you'll see that it actually _pretends_ to be backscatter. I'm just asking here because i wondered why someone would do that.
>>
>> I've looked at it and I've (probably) missed it (again). Why do you think that it pretends to look like backscatter, and why do you think it is not?

On 13.05.08 12:01, Shane Williams wrote:

> Not to put words in anyone else's mouth, but I think what sets the recent incidents apart from backscatter is one of intention.

Intentional or not, the VBounce ruleset is specially designed to catch all bounces that were sent in reply to mail that the user did not send. It's imho completely useless to speculate why did the spammer forge user's address and if he wanted to spam the invalid address, or the bounce recipient.

> Backscatter is the unintended blowback of spams sent out with forged From addresses where the intention is to deliver spam directly to a victim.

I don't see any reason why we should not call those bounces a backscatter, even if this was true.

> This new phenomenon, which I've been referring to as bounce spam (or maybe bounced spam) reverses the intentionality. That is, bounce spam is intentionally sent to misconfigured servers that are known to bounce rather than reject, in which the forged From address is the intended victim. The fact that it's a bounce is just another way of eluding spam filters.
>
> In other words, backscatter is a by-product of spamming, while bounced spam is the product itself.

I don't think it's intended. I will better guess that spammers are wanting either one side to get it.

Since two addresses I receive mail for got joe-jobbed in the past, I don't think the reason was to deliver mail to us - what's the point of delivering tons of spam to _one_ forged address, when someone wants to spam? Spammers want (not being a spammer I'm just guessing) their spam to be received by as much people as possible. Can you explain to me, why would spammer want all of his spam to be received by the same user?

If we would even differ between getting random spam bounces and intended bounces, there's no need for different reaction - we do not want them. We want to block them all.

To summarize, the original message was a bounce, and it was a backscatter. I really see no point of speculating who did the spammer want to spam, it would change nothing.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
Re: Spanish Content
>> I have a client that uses Spanish content and is getting filtered due to some of the symbols used. Is there anything in SpamAssassin that takes that into account?
>
> Try adding
>
> loadplugin Mail::SpamAssassin::Plugin::TextCat
>
> to your /etc/mail/spamassassin/init.pre, to enable the TextCat plugin then add
>
> ok_locales en
> ok_languages en es

Enabling these will NOT help. The default for both is all. Moreover, enabling these will just trigger additional rules for charsets and languages respectively, that are not in the list.

ok_locales [1] en will only change anything in this case of Spanish content, if it is currently set to a list that neither contains all nor en. In which case English text would suffer from the same.

Adding ok_languages es will only change anything, if it is missing from the list and the plugin already is enabled, plus the messages in question hitting UNWANTED_LANGUAGE_BODY.

In general, both these settings are to tighten the default setup, and add *additional* rules for charsets or languages not in the list. They are not useful for lowering the score.

guenther

[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#language_options

--
char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
question about MISSING_SUBJECT
Hello Guys,

i got a message that was flagged with MISSING_SUBJECT rule. The message has, among other headers:

From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:
Date: Tue, 13 May 2008 17:12:47 -0300
MIME-Version: 1.0

and rules are:

header   __HAS_SUBJECT    exists:Subject
meta     MISSING_SUBJECT  !__HAS_SUBJECT
describe MISSING_SUBJECT  Missing Subject: header

MISSING_SUBJECT is, at least in my opinion, incorrect. The Subject header is there, it does EXIST. It's empty, OK, but it's not MISSING.

should this empty subject really trigger MISSING_SUBJECT rule??

I do sa-update once a day, so yes i'm running with the latest rules.

--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email [EMAIL PROTECTED]
My SPAMTRAP, do not email it

smime.p7s
Description: S/MIME Cryptographic Signature
Re: faked bouncebacks. what the?
On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote: I've looked at it and I've (probably) missed it (again). Why do you think that it pretends to look like backscatter, and why do you think it is not? On 13.05.08 19:09, Arvid Ephraim Picciani wrote: backscatter is what happens if mail systems automaticly reply to forged From: headers. In this case the mail was never sent over any third party. It claims to be bounceback from my own MTA, while in fact it never went through any MTA (directly sent from dialup). since the message expired, I only can guess from what I remember: your mailserver re-wrote the from: and mail from address, but the mail was sent by remote mailserver... I'm worried that this might be a new form of joe jobbing. Ie somone sends out mails that look like bounceback from your machines. I didn't have the feeling when looking at the message. Maybe you could put it somewhere it won't expire that fast? -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. We are but packets in the Internet of life (userfriendly.org)
Re: Spanish Content
On 13.05.08 10:59, Josie Walls wrote:
> I have a client that uses Spanish content and is getting filtered due to some of the symbols used.

what rules do those hit? Maybe you use some rules that have false positives for non-english languages (chickenpox or so)

> Is there anything in SpamAssassin that takes that into account? Should they use English content and use a web link for the Spanish content?

It's more you should fix your rules :)

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
Re: trusted mailing list subscriber spam
On Tue, May 13, 2008 15:19, Matus UHLAR - fantomas wrote: Don't wonder if anyone will reject or flag your e-mail because having +all in SPF On 13.05.08 21:29, Benny Pedersen wrote: yes i need to implement srs to fix it better ? no, forwarders need to. come on, srs and +all it imho the same seen to the recipient it's not, they are much different. diff is that i dont use srs installed anywhere fact: v=spf1 +all this is bad ! v=spf1 mx +all this is not if admins see them as equal, blame them spammers will use whatever they'll see people don't catch. you just told all spammers to use mx +all in SPF records for their domains to be able to use them for world-wide spamming -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux is like a teepee: no Windows, no Gates and an apache inside...
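An added example, not part of any post in this thread: a small offline evaluator showing how a receiver walks an SPF record left to right, so the two records compared above ("v=spf1 +all" and "v=spf1 mx +all") can be run against a host the domain never listed. The client and MX addresses are constructed, and mx_addresses is an assumed stand-in for the DNS lookup behind the mx mechanism.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_terms(record):
    """Return the mechanisms of an SPF record as (result, name, argument)."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for part in parts[1:]:
        qualifier = "+"  # a mechanism written without a qualifier means "+"
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        match = re.match(r"([A-Za-z][A-Za-z0-9_.-]*)([:=/]?)(.*)$", part)
        if not match:
            raise ValueError("malformed term: %r" % part)
        name, separator, argument = match.groups()
        if separator == "=":
            continue  # modifier such as redirect= or exp=, not a mechanism
        terms.append((QUALIFIERS[qualifier], name.lower(), argument))
    return terms


def check_host(record, client_ip, mx_addresses=()):
    """Evaluate the record for client_ip, left to right; the first match wins.

    mx_addresses stands in for the DNS lookup behind "mx" (constructed input).
    Mechanisms that need other lookups (a, include, exists, ptr) are treated
    as not matching, because this example runs offline.
    """
    client = ipaddress.ip_address(client_ip)
    mx_set = {ipaddress.ip_address(a) for a in mx_addresses}
    for result, name, argument in parse_terms(record):
        if name == "all":
            return result  # "all" matches every client; later terms never run
        if name in ("ip4", "ip6"):
            if client in ipaddress.ip_network(argument, strict=False):
                return result
        elif name == "mx" and client in mx_set:
            return result
    return "neutral"  # nothing matched; redirect= is not followed here


def passes_unlisted_hosts(record):
    """True if a client matched by no earlier mechanism still gets "pass"."""
    for result, name, _ in parse_terms(record):
        if name == "all":
            return result == "pass"
    return False


if __name__ == "__main__":
    stranger = "203.0.113.9"   # constructed: a host the domain never listed
    mx = ["192.0.2.25"]        # constructed: the domain's only MX address
    for record in ("v=spf1 +all", "v=spf1 mx +all", "v=spf1 mx -all"):
        print(record, "->", check_host(record, stranger, mx))
```

For the unlisted host the first two records both return pass; only the -all variant returns fail.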
AWL putting spam in my inbox
I'm using SpamAssassin 3.2.3 w/ Perl 5.8.8 on Linux. I'm not the sysadmin of the machine, but a user. I invoke it through a procmail recipe that says, in part,

:0fw
| /usr/bin/spamc

My user_prefs file is as follows.

report_safe 0
required_score 4.0
score BAYES_50 0.1
score BAYES_80 3.0
score BAYES_95 4.0
score BAYES_99 5.0
bayes_journal_max_size 102400
bayes_expiry_max_db_size 45

I am getting an immense amount of backscatter spam, and have trained SA on it until SA gives it a reliable Bayes score of 99%. However, I'm still ending up getting tons of it passed through into my mailbox. When I check the headers of some of the spams that end up in my mailbox, I see something like the following:

From MAILER-DAEMON Tue May 13 13:46:20 2008
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on haven.eyrie.org
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=4.0 tests=AWL,BAYES_99 autolearn=no version=3.2.3

So, SA is giving it a BAYES_99, which should result in it hitting 5.0 right off the bat. However, apparently the Auto-Whitelist is knocking it back down to where it still ends up in my mailbox.

Can someone please tell me how to make it stop? I'm getting a LOT of these messages that should by all rights be safely filtered into spammyland.

--
Chris Meadows aka | WWW: http://www.terrania.us | Somebody help,
Robotech_Master | ICQ: 5477383 AIM: RoboMastr | I'm trapped in
[EMAIL PROTECTED] | Skype, Gizmo: Robotech_Master | a sig file!
[EMAIL PROTECTED] | Yahoo: robotech_master_2000 |
VBounceRuleset for non-sysadmin?
I'm not the sysadmin but a user on someone else's machine. This other machine has SpamAssassin set up, and the VBounceRuleset module loaded, but does not have the whitelist_bounce_relays line in local.cf that is needed to make the rule function. Would it function if I added that line to my user_prefs instead?

Also, I send a lot of my outbound mail via GMail, even though I use my email on the linux box as my return address so I can pipe all my mail through spamassassin. If my sysadmin adds a whitelist_bounce_relays line to local.cf, can I add another with my GMail outgoing server to my user_prefs and have it work?

--
Chris Meadows aka | WWW: http://www.terrania.us | Somebody help,
Robotech_Master | ICQ: 5477383 AIM: RoboMastr | I'm trapped in
[EMAIL PROTECTED] | Skype, Gizmo: Robotech_Master | a sig file!
[EMAIL PROTECTED] | Yahoo: robotech_master_2000 |
Re: trusted mailing list subscriber spam
On Tue, May 13, 2008 23:09, Matus UHLAR - fantomas wrote:
> spammers will use whatever they'll see people don't catch. you just told all spammers to use mx +all in SPF records for their domains to be able to use them for world-wide spamming

basic score in spf is also very low per default, one still has to whitelist_from_spf if recipient agrees this domain does not send spam

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: question about MISSING_SUBJECT
Leonardo Rodrigues Magalhães wrote:
> Hello Guys,
>
> i got a message that was flagged with MISSING_SUBJECT rule. The message has, among other headers:
>
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject:
> Date: Tue, 13 May 2008 17:12:47 -0300
> MIME-Version: 1.0
>
> and rules are:
>
> header __HAS_SUBJECT exists:Subject
> meta MISSING_SUBJECT !__HAS_SUBJECT
> describe MISSING_SUBJECT Missing Subject: header
>
> MISSING_SUBJECT is, at least in my opinion, incorrect. The Subject header is there, it does EXIST. It's empty, OK but it's not MISSING. should this empty subject really trigger MISSING_SUBJECT rule ??

yes. An empty subject is a missing one ;-p

I mean that's not better than omitting the subject header at once... while ham sometimes has no subject (or has an empty subject), it doesn't usually trigger other rules. so a 1.3 score isn't a problem (at least in my experience).

> I do sa-update once a day, so yes i'm running with the latest rules.
Re: faked bouncebacks. what the?
On Tuesday 13 May 2008 22:45:43 mouss wrote: That said, one possibility is this: Some soho have an MSA on a dsl line. a ratwared box inside (or a web service running on the MSA box) sends mail to an invalid recipient. the MSA gets rejected and then sends you an NDR. the MSA is borked enough to helo with the recipient domain, and generates an incomplet NDR. interesting. and broken enough to use my hostname as From, in the body, helo and message id? double backscatter? kindof weird, but if that works it would at least just be some coincidence rather then intention. PS. The link you posted is no more valid... (I mean http://rafb.net/p/q3eZwd93.html) sorry. i replaced the hostname with example.com and will keep it permanently here. http://exys.org/stuff/fakebounce.txt On Tuesday 13 May 2008 22:58:52 Matus UHLAR - fantomas wrote: To summarize, the original message was a bounce, and it was a backscatter. are you saying that the definition of bounceback is: everything that contains the subject line Undelivered mail, or are you claming that my server actually does backscatter. If you read closely again you will see that the message body claims to be generated from me: Reporting-MTA: dns; mx1.example.com and the from is forged: From: [EMAIL PROTECTED] (Mail Delivery Subsystem) and the helo: Received: from pool-151-204-219-7.pskn.east.verizon.net ([151.204.219.7] helo=example.com) it's not a bounceback. It's 100% fake. Not containing any extra content. The entire purpose of the message is to look like backscatter. I really see no point of speculating who did the spammer want to spam, it would change nothing. oh i do, becouse of exactly my above point. people WILL start claming that this is real backscatter and block or score the IP or hostname. -- best regards/Mit freundlichen Grüßen Arvid Ephraim Picciani
Re: VBounceRuleset for non-sysadmin?
On Tue, 2008-05-13 at 16:20 -0500, Robotech_Master wrote:
> I'm not the sysadmin but a user on someone else's machine. This other machine has SpamAssassin set up, and the VBounceRuleset module loaded, but does not have the whitelist_bounce_relays line in local.cf that is needed to make the rule function. Would it function if I added that line to my user_prefs instead?

Yes.

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_VBounce.html

  The following options can be used in both site-wide (local.cf) and user-specific (user_prefs) configuration files to customize how SpamAssassin handles incoming email messages.

> Also, I send a lot of my outbound mail via GMail, even though I use my email on the linux box as my return address so I can pipe all my mail through spamassassin. If my sysadmin adds a whitelist_bounce_relays line to local.cf, can I add another with my GMail outgoing server to my user_prefs and have it work?

Yes. You can have as many whitelist_bounce_relays entries. Just be sure to add all of those you really do use.

guenther

--
char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: faked bouncebacks. what the?
Arvid Ephraim Picciani wrote: On Tuesday 13 May 2008 22:45:43 mouss wrote: That said, one possibility is this: Some soho have an MSA on a dsl line. a ratwared box inside (or a web service running on the MSA box) sends mail to an invalid recipient. the MSA gets rejected and then sends you an NDR. the MSA is borked enough to helo with the recipient domain, and generates an incomplet NDR. interesting. and broken enough to use my hostname as From, in the body, helo and message id? double backscatter? kindof weird, but if that works it would at least just be some coincidence rather then intention. - message-id was most probably generated by your own MTA because remote ratware didn't include one - the domain part of the From: header may also have been added by your MTA because remote system uses a non fqdn address. so that leaves us with helo and Reporting-MTA. considering that old mozilla stuff used to use the recipient domain in its helo, it is no surprise that many ratware does so. I would say the same for the Reporting-MTA. at least, this is the most logical explanation I can see. As you, I don't think a spammer intentionally wanted to send you a mostly empty NDR... PS. The link you posted is no more valid... (I mean http://rafb.net/p/q3eZwd93.html) sorry. i replaced the hostname with example.com and will keep it permanently here. http://exys.org/stuff/fakebounce.txt On Tuesday 13 May 2008 22:58:52 Matus UHLAR - fantomas wrote: To summarize, the original message was a bounce, and it was a backscatter. are you saying that the definition of bounceback is: everything that contains the subject line Undelivered mail, no. it's any DSN sent to a forged sender. in general, sender is empty, but this is not always true. not sure if bounceback is better than bounce out. because there is no back here... so outscatter is probably a better name. or are you claming that my server actually does backscatter. 
if pool-151-204-219-7.pskn.east.verizon.net is one of your machines, then the problem is in your system. but this IP is in the US and your server in .de, so this doesn't look probable... If you read closely again you will see that the message body claims to be generated from me: Reporting-MTA: dns; mx1.example.com and the from is forged: From: [EMAIL PROTECTED] (Mail Delivery Subsystem) as said above, this proves nothing as it may have been fixed by your MTA. you can test this by sending a message with a non fqdn From: address and see if your MTA will append your domain. and the helo: Received: from pool-151-204-219-7.pskn.east.verizon.net ([151.204.219.7] helo=example.com) the helo is obviously fake. now, something weired here: $ host pool-151-204-219-7.pskn.east.verizon.net Host pool-151-204-219-7.pskn.east.verizon.net not found: 3(NXDOMAIN) so your exim is logging an unverified rDNS. (no, I won't debate received header formats...). it's not a bounceback. It's 100% fake. you can't tell. as I said, it may be a bounce from ratware. you can't argue in a fictitious world... Not containing any extra content. The entire purpose of the message is to look like backscatter. I think it is backscatter. I have many of these without forgery (I mean with the right helo and reporting-mta). so I am tempted to believe that a silly developper wrote a bogus mailer and couldn't get a domain name (oh, that's hard, isn't it?) so used the final recipient domain... I really see no point of speculating who did the spammer want to spam, it would change nothing. oh i do, becouse of exactly my above point. people WILL start claming that this is real backscatter and block or score the IP or hostname. I don't know what you want to do with that IP. it gets blocked here: $ host 151.204.219.7 7.219.204.151.in-addr.arpa domain name pointer pool-151-204-219-7.pskn.east.verizon.net. 
$ host pool-151-204-219-7.pskn.east.verizon.net Host pool-151-204-219-7.pskn.east.verizon.net not found: 3(NXDOMAIN) that's generic rDNS + doesn't resolve back. gets a 450 4.7.1 Client host rejected: cannot find your hostname here because of (postfix) reject_unknown_client applied in case of generic rDNS. but for this particular transaction, a forged helo gets rejected with no mercy...
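An added example, not part of the post above and not Postfix's own logic: the three client checks that message walks through (PTR name that does not resolve back, generic rDNS, HELO claiming the recipient's own domain), run over lookup tables built from the host output and Received line quoted in the thread. The local address 192.0.2.25 and the second, well-behaved client are constructed, and the generic-rDNS test is an assumed heuristic.

```python
import re


def forward_confirmed(ip, ptr_lookup, a_lookup):
    """Return the PTR names of ip whose own address records contain ip."""
    return [name for name in ptr_lookup(ip) if ip in a_lookup(name)]


def is_generic_rdns(name, ip):
    """Heuristic: the name embeds all four octets of the IPv4 address,
    in order or reversed (pool-151-204-219-7..., 7-219-204-151.dsl...)."""
    octets = ip.split(".")
    numbers = [str(int(n)) for n in re.findall(r"\d+", name)]
    for wanted in (octets, octets[::-1]):
        for start in range(len(numbers) - 3):
            if numbers[start:start + 4] == wanted:
                return True
    return False


def assess_client(ip, helo, ptr_lookup, a_lookup, local_domains, local_ips):
    """Return the list of findings for one SMTP client connection."""
    findings = []
    names = ptr_lookup(ip)
    if not names:
        findings.append("no-rdns")
    elif not forward_confirmed(ip, ptr_lookup, a_lookup):
        findings.append("rdns-not-forward-confirmed")
    if any(is_generic_rdns(name, ip) for name in names):
        findings.append("generic-rdns")
    # A remote client has no business greeting us with our own domain name.
    if helo.lower().rstrip(".") in local_domains and ip not in local_ips:
        findings.append("helo-claims-local-domain")
    return findings


# Lookup tables standing in for DNS. The first PTR entry and the missing
# forward record (NXDOMAIN) come from the `host` output quoted in the thread;
# the second client is constructed.
PTR = {
    "151.204.219.7": ["pool-151-204-219-7.pskn.east.verizon.net"],
    "198.51.100.10": ["mail.example.net"],
}
A = {"mail.example.net": ["198.51.100.10"]}


def ptr_lookup(ip):
    return PTR.get(ip, [])


def a_lookup(name):
    return A.get(name.rstrip(".").lower(), [])


LOCAL_DOMAINS = {"example.com"}   # the recipient's domain, as in the thread
LOCAL_IPS = {"192.0.2.25"}        # constructed: the recipient's own MTA

if __name__ == "__main__":
    print(assess_client("151.204.219.7", "example.com",
                        ptr_lookup, a_lookup, LOCAL_DOMAINS, LOCAL_IPS))
    print(assess_client("198.51.100.10", "mail.example.net",
                        ptr_lookup, a_lookup, LOCAL_DOMAINS, LOCAL_IPS))
```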
backscatter and (was: Re: AWL putting spam in my inbox)
On Tue, 2008-05-13 at 16:16 -0500, Robotech_Master wrote: I'm using SpamAssassin 3.2.3 w/ Perl 5.8.8 on Linux. I'm not the sysadmin of the machine, but a user. I invoke it through a procmail recipe that says, in part, :0fw | /usr/bin/spamc I am getting an immense amount of backscatter spam, and have trained SA on it until SA gives it a reliable Bayes score of 99%. Please do note, that Bayes will be biased, if you train a LOT more ham than spam. Even though 50 times as much has been reported to work, one should at least expect to see spammy looking ham due to excessive, unbalanced training way earlier. This pretty much depends on your own ham and its variety in topic, too. Also, I'm not convinced that Bayes is the correct tool to fight backscatter at all... See your other post for a better way, where you ask about VBounce. :) Since you are using procmail anyway, let me stress a point HOW to handle bounces. Filter them. Into a different folder, for possible later review. Do not just treat them as spam -- keep in mind, the default VBounce scores are LOW, and set to merely have the rules not be disabled (which would be the case with a score of 0). Now, here goes my favorite quote these days: $ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf # If you use this, set up procmail or your mail app to spot the # ANY_BOUNCE_MESSAGE rule hits in the X-Spam-Status line, and move # messages that match that to a 'vbounce' folder. However, I'm still ending up getting tons of it passed through into my mailbox. When I check the headers of some of the spams that end up in my mailbox, I see something like the following: From MAILER-DAEMON Tue May 13 13:46:20 2008 Return-Path: ... X-Spam-Status: No, score=1.2 required=4.0 tests=AWL,BAYES_99 autolearn=no version=3.2.3 Just a guess, but most likely due to an empty Return-Path. AWL is based on email address and the originating network block. 
Thus, you might see totally different results for mail sent by the same $address (well, the empty string here) from different net blocks. AWL is not related to Bayes, but all about the average score of mail previously seen by a specific sender (and origin). See also these and probably other articles in the wiki: http://wiki.apache.org/spamassassin/AutoWhitelist http://wiki.apache.org/spamassassin/AwlWrongWay So, SA is giving it a BAYES_99, which should result in it hitting 5.0 right off the bat. However, apparently the Auto-Whitelist is knocking it back down to where it still ends up in my mailbox. Can someone please tell me how to make it stop? I'm getting a LOT of these messages that should by all rights be safely filtered into spammyland. Use VBounce. Filter them (using procmail) into bouncy-land. :) guenther -- char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: backscatter and (was: Re: AWL putting spam in my inbox)
Please keep list posts on list, by either Replying To List or All.

On Tue, 2008-05-13 at 17:43 -0500, Robotech_Master wrote:
> On Tue, May 13, 2008 at 5:05 PM, Karsten Bräckelmann [EMAIL PROTECTED] wrote:
> > Now, here goes my favorite quote these days:
> >
> > $ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf
> > # If you use this, set up procmail or your mail app to spot the
> > # ANY_BOUNCE_MESSAGE rule hits in the X-Spam-Status line, and move
> > # messages that match that to a 'vbounce' folder.
>
> Thanks for your advice. I would like to do that. I'd also like to tell it to search the body of the bounce for a Sender: [my gmail address] line, which gmail sticks in when I send as [EMAIL PROTECTED], and pass those on, since I don't think I can inclusively list every GMail mail server (since I don't know them).

The one you are using as SMTP as configured in your MUA should be sufficient, I guess. If not, you can simply omit the leading hostname or use file-glob-style patterns. See the docs [1].

  The hostnames can be file-glob-style patterns, so relay*.isp.com will work. Specifically, * and ? are allowed, but all other metacharacters are not. Regular expressions are not used for security reasons.

> The thing is, I'm not real good with coming up with my own recipes. :P Can you help me out?

Procmail receipts? Sure.

  :0 :
  * ^X-Spam-Status: .*ANY_BOUNCE_MESSAGE
  spam/bounces

Put that AFTER your SA/spamc filtering receipt, and BEFORE any receipt to dump classified spam into their own folders. Also, of course, do adjust the delivery actions target.

Not taking on the body grep for Sender (or are you about a SA rule here?), since I don't know the exact details. Anyway I'd recommend to just start with the above, and later re-evaluate if you actually see any need for that.

However, I am rather positive, that VBounce generally does not result in FP at all -- you can check by sending a test mail to a known-to-fail address. Testing for any marker like the above seems to aim at rescuing FPs.
Which is the very purpose of whitelist_bounce_relays. I don't think any additional body grep would be useful.

> Also, what's the difference between ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE?

BOUNCE_MESSAGE is a general MTA bounce message, not including Challenge-Response or Virus-Scanner bounces. ANY_BOUNCE_MESSAGE is a meta rule that aggregates all of these. (Not including legit bounces of course, which originated at your whitelisted relays.)

See /usr/share/spamassassin/20_vbounce.cf :)

guenther

[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_VBounce.html

--
char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
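An added example, not part of the post above: the same delivery decision the procmail recipe makes, written as a parser for the X-Spam-Status header so the ordering (bounce folder before spam folder) and the handling of a folded tests= list can be checked offline. It goes one step beyond the recipe by matching ANY_BOUNCE_MESSAGE as a whole rule name rather than a substring; the folder names, all sample headers except the status line quoted in this thread, and the rule name LOCAL_NOT_ANY_BOUNCE_MESSAGE are constructed.

```python
import re
from email import message_from_string

BOUNCE_RULE = "ANY_BOUNCE_MESSAGE"
# Rule names separated by commas; a long list may be folded after a comma.
_TESTS_RE = re.compile(r"\btests=((?:[A-Za-z0-9_]+,\s*)*[A-Za-z0-9_]+)")


def spam_status(raw_message):
    """Return (is_spam, rule_names) from X-Spam-Status, or None if absent."""
    value = message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        return None
    value = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    is_spam = value.lower().startswith("yes")
    rules = set()
    match = _TESTS_RE.search(value)
    if match:
        rules = {name.strip() for name in match.group(1).split(",")}
        rules.discard("none")  # "tests=none" means no rule hit
    return is_spam, rules


def choose_folder(raw_message):
    """Bounces are filed first, then classified spam, then everything else."""
    status = spam_status(raw_message)
    if status is None:
        return "inbox"  # message was never scanned
    is_spam, rules = status
    if BOUNCE_RULE in rules:  # exact rule name, not a substring match
        return "bounces"
    return "spam" if is_spam else "inbox"


def _message(status):
    """Build a constructed test message carrying the given status header."""
    headers = ["From: MAILER-DAEMON@mail.example.net",
               "Subject: Undelivered Mail Returned to Sender"]
    if status is not None:
        headers.append("X-Spam-Status: " + status)
    return "\n".join(headers) + "\n\nconstructed body\n"


# Status line quoted earlier in this thread (AWL pulled the score down).
FROM_THREAD = _message("No, score=1.2 required=4.0 tests=AWL,BAYES_99 "
                       "autolearn=no version=3.2.3")
# Constructed: low score, tests list folded onto a continuation line.
FOLDED_BOUNCE = _message("No, score=0.2 required=4.0 "
                         "tests=ANY_BOUNCE_MESSAGE,BAYES_50,\n\tBOUNCE_MESSAGE "
                         "autolearn=no version=3.2.3")
# Constructed: scored as spam and also recognised as a bounce.
SPAMMY_BOUNCE = _message("Yes, score=5.2 required=4.0 tests=BAYES_99,\n\t"
                         "CRBOUNCE_MESSAGE,ANY_BOUNCE_MESSAGE "
                         "autolearn=no version=3.2.3")
# Constructed: hypothetical local rule whose name merely contains the string.
LOOKALIKE = _message("Yes, score=6.0 required=4.0 "
                     "tests=BAYES_99,LOCAL_NOT_ANY_BOUNCE_MESSAGE "
                     "autolearn=no version=3.2.3")

if __name__ == "__main__":
    for label, raw in (("thread", FROM_THREAD), ("folded", FOLDED_BOUNCE),
                       ("spammy", SPAMMY_BOUNCE), ("lookalike", LOOKALIKE)):
        print(label, "->", choose_folder(raw))
```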
Re: spamd
Mark Walmsley wrote:
> Spamd is not using whitelist_from_rcvd or whitelist_from_spf in local.cf but when i run a test msg
>
> spamassassin --test-mode 113.msg
> or
> spamassassin -D 113.msg
>
> The whitelist_from_rcvd and whitelist_from_spf are working
>
> I've even tried setting the path. Here is how I'm launching spamd
>
> /opt/csw/bin/spamd -dl -u spamassassin --allowed-ips=192.168.0.0/16 --listen-ip=192.168.1.36 --port=783 -C /opt/csw/etc/spamassassin

Ditch the -C parameter from your spamd commandline. DO NOT use this parameter unless you really understand what it does.

If you wish to specify a site rules directory (where local.cf and other local rulefiles exist) to other than the default, use the --siteconfigpath parameter instead.

-C does not over-ride the site rules directory, it over-rides the *default* rules directory. i.e.: the location of the base ruleset.

So, by specifying -C, you've removed all of the default rules from SA, including USER_IN_WHITELIST, etc, etc, etc.
User Folder problem with sa_learn
Hello all,

since some longer time I have a little problem with the spam learning method, which is used in a script on my box. The script runs as user _amavisd, but it always tries to access the root folder. This of course produces an error:

config: path /var/root/.spamassassin is inaccessible: Permission denied
config: path /var/root/.spamassassin/user_prefs is inaccessible: Permission denied

the error appears here:

sudo -u $spamav_user sa-learn --dbpath /var/amavis/.spamassassin --sync /dev/null

as well as here:

sudo -u $spamav_user -H sa-learn --dbpath /var/amavis/.spamassassin --dump magic

and here

sudo -u $spamav_user sa-learn --dbpath /var/amavis/.spamassassin --sync /dev/null

the database gets trained, but it looks like sa_learn can't access the user prefs. What could possibly twist here the path var? It must be something specific to my installation, because it works fine on other boxes with the same OS (Mac OS 10.5).

Thanks and all the best
Matthias
_HAMMYTOKENS_/_SPAMMYTOKENS_ templates
In my local.cf I have:

add_header all Spammy _SPAMMYTOKENS(2,long)_
add_header all Hammy _HAMMYTOKENS(2,long)_

which according to Mail::SpamAssassin::Conf should result in:

X-Spam-Spammy: 0.989-6--0h-4s--4d--remove.php, 0.988-33--2h-25s--1d--UD:jpg

however when running spamassassin -t testspam.txt I see only this:

X-Spam-Hammy: Tokens 40
X-Spam-Spammy: Tokens 111

I 'think' I've got the setup correct in my local.cf, maybe I've missed something?

Chris

--
Chris
KeyID 0xE372A7DA98E6705C
Re: _HAMMYTOKENS_/_SPAMMYTOKENS_ templates
On Tuesday 13 May 2008 9:30 pm, Chris wrote:
> In my local.cf I have:
>
> add_header all Spammy _SPAMMYTOKENS(2,long)_
> add_header all Hammy _HAMMYTOKENS(2,long)_
>
> which according to Mail::SpamAssassin::Conf should result in:
>
> X-Spam-Spammy: 0.989-6--0h-4s--4d--remove.php, 0.988-33--2h-25s--1d--UD:jpg
>
> however when running spamassassin -t testspam.txt I see only this:
>
> X-Spam-Hammy: Tokens 40
> X-Spam-Spammy: Tokens 111
>
> I 'think' I've got the setup correct in my local.cf, maybe I've missed something?
>
> Chris

Please disregard, though I stopped and started SA several times, and there were no lint errors, this didn't start working correctly until I logged out and back in again to my box:

X-Spam-Spammy: 1.000-3--0h-74s--0d--omega, 0.999-1--0h-18s--0d--tun
X-Spam-Hammy: 0.000-37--38h-0s--2d--relay, 0.001-14--14h-0s--14d--19

--
Chris
KeyID 0xE372A7DA98E6705C
How to output Debugged Lint to file
Hi all, My installation of spamassassin seems to have stopped using all the rules I have added when checking email. They now reside in /var/lib/spamassassin/3.002002 I'm trying to run spamassassin -D --lint and output it to say test.txt so that I can see it all later and try and trouble shoot why its not using the rules. Can anyone tell me how I can do this or if there is a better way to check why they are not working. I think they are not working because I am testing a piece of spam that came through that usually would have been stopped. It is only hitting on bayes (low) and a couple of other rules which I think are spamassassin default rules. I would expect it to hit on at least the sought_rules Any help would be greatly appreciated. Regards, Kate
Re: How to output Debugged Lint to file
Kathryn Kleinschafer wrote:
> Hi all,
>
> My installation of spamassassin seems to have stopped using all the rules I have added when checking email. They now reside in /var/lib/spamassassin/3.002002
>
> I'm trying to run spamassassin -D --lint and output it to say test.txt so that I can see it all later and try and trouble shoot why its not using the rules.
>
> Can anyone tell me how I can do this or if there is a better way to check why they are not working.

The debug output goes to stderr. you need to redirect it with 2> instead of > ie:

spamassassin -D --lint 2> output.txt
Re: How to output Debugged Lint to file
Awesome thanks. the output showed

[3887] dbg: config: using /etc/mail/spamassassin for site rules pre files
[3887] dbg: config: read file /etc/mail/spamassassin/init.pre
[3887] dbg: config: read file /etc/mail/spamassassin/v310.pre
[3887] dbg: config: read file /etc/mail/spamassassin/v312.pre
[3887] dbg: config: read file /etc/mail/spamassassin/v320.pre
[3887] dbg: config: using /var/lib/spamassassin/3.002002 for sys rules pre files
[3887] dbg: config: read file /var/lib/spamassassin/3.002002/saupdates_openprotect_com.pre
[3887] dbg: config: using /var/lib/spamassassin/3.002002 for default rules dir
[3887] dbg: config: read file /var/lib/spamassassin/3.002002/saupdates_openprotect_com.cf
[3887] dbg: config: read file /var/lib/spamassassin/3.002002/sought_rules_yerp_org.cf
[3887] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org.cf

which seems to me that it is actually loading up the correct files - yet when i do a test on a piece of mail which should hit heaps of rules especially the sought_rules it is not hitting at all.

Are there any other tests I can do?

Kate

Matt Kettler wrote:
> Kathryn Kleinschafer wrote:
> > Hi all,
> >
> > My installation of spamassassin seems to have stopped using all the rules I have added when checking email. They now reside in /var/lib/spamassassin/3.002002
> >
> > I'm trying to run spamassassin -D --lint and output it to say test.txt so that I can see it all later and try and trouble shoot why its not using the rules.
> >
> > Can anyone tell me how I can do this or if there is a better way to check why they are not working.
>
> The debug output goes to stderr. you need to redirect it with 2> instead of > ie:
>
> spamassassin -D --lint 2> output.txt
Re: How to output Debugged Lint to file
Kathryn Kleinschafer wrote:
> Awesome thanks. the output showed
>
> [3887] dbg: config: using /etc/mail/spamassassin for site rules pre files
> [3887] dbg: config: read file /etc/mail/spamassassin/init.pre
> [3887] dbg: config: read file /etc/mail/spamassassin/v310.pre
> [3887] dbg: config: read file /etc/mail/spamassassin/v312.pre
> [3887] dbg: config: read file /etc/mail/spamassassin/v320.pre
> [3887] dbg: config: using /var/lib/spamassassin/3.002002 for sys rules pre files
> [3887] dbg: config: read file /var/lib/spamassassin/3.002002/saupdates_openprotect_com.pre
> [3887] dbg: config: using /var/lib/spamassassin/3.002002 for default rules dir
> [3887] dbg: config: read file /var/lib/spamassassin/3.002002/saupdates_openprotect_com.cf
> [3887] dbg: config: read file /var/lib/spamassassin/3.002002/sought_rules_yerp_org.cf
> [3887] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org.cf
>
> which seems to me that it is actually loading up the correct files - yet when i do a test on a piece of mail which should hit heaps of rules especially the sought_rules it is not hitting at all.
>
> Are there any other tests I can do?

Hmm, how are you running your test?

spamassassin -t somemessage.txt ?

Or are you passing other parameters, or using spamc for the test?
Re: How to output Debugged Lint to file
I am running it by going:

sudo -u postfix spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf -t messagename.mai

Matt Kettler wrote:
> Kathryn Kleinschafer wrote:
> > Awesome thanks. the output showed
> >
> > [3887] dbg: config: using /etc/mail/spamassassin for site rules pre files
> > [3887] dbg: config: read file /etc/mail/spamassassin/init.pre
> > [3887] dbg: config: read file /etc/mail/spamassassin/v310.pre
> > [3887] dbg: config: read file /etc/mail/spamassassin/v312.pre
> > [3887] dbg: config: read file /etc/mail/spamassassin/v320.pre
> > [3887] dbg: config: using /var/lib/spamassassin/3.002002 for sys rules pre files
> > [3887] dbg: config: read file /var/lib/spamassassin/3.002002/saupdates_openprotect_com.pre
> > [3887] dbg: config: using /var/lib/spamassassin/3.002002 for default rules dir
> > [3887] dbg: config: read file /var/lib/spamassassin/3.002002/saupdates_openprotect_com.cf
> > [3887] dbg: config: read file /var/lib/spamassassin/3.002002/sought_rules_yerp_org.cf
> > [3887] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org.cf
> >
> > which seems to me that it is actually loading up the correct files - yet when i do a test on a piece of mail which should hit heaps of rules especially the sought_rules it is not hitting at all.
> >
> > Are there any other tests I can do?
>
> Hmm, how are you running your test?
>
> spamassassin -t somemessage.txt ?
>
> Or are you passing other parameters, or using spamc for the test?