Re: Header Analysis Problem
On 17.06.08 18:15, Carlos Velasco wrote: > I am getting these hits with the email below: > > AWL, > FH_HELO_ALMOST_IP, > HELO_DYNAMIC_SPLIT_IP, > RCVD_IN_PBL > > Problem is in this "Received": > Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by > owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959); > Tue, 17 Jun 2008 17:18:10 +0200 > > Client in IP address 88.31.96.80 is sending mail using SMPT-Auth to > "owa1.cnio.es", so this header is right. However the headers do not contain any information about using SMTP auth, so the SA does not know about it. adding the IP of your msa_networks would help, but you must not do it if the server also acts as MX... -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: are you doing sender address verification?
At 19:10 17-06-2008, Sahil Tandon wrote: Just conjecture at this point, but it seems as though whenever I send an email to the SA mailing list, I receive sender address verification requests from: chlothar.bnv-bamberg.de sam.metaphysis.net I see connections from these two hosts. If they are doing sender address verification, it is incorrectly done as the domain of the sender is spamassassin.apache.org and not the one in the From: header. Regards, -sm
Re: blocking country domains.
> >> Is there a way to just block email coming from .de domains? > >> I have been individually adding those to my blacklist but I was wondering > >> if > >> there was a catchall for just anything coming from .de On 18.06.08 04:43, [EMAIL PROTECTED] wrote: > as someone who sends abuse reports from .de, I often get rejections based > on the kind of policy you want. Now, what is my next step? This already happened to me too. My next step was blocking the IDIOT who allowed its users to spam me, but refused to take complaints. > submit the non-functional abuse@ address to rfci.org? I am not sure if RFCi will take such submissions, but it's quite possible. I already use RFCI blacklists to block mail from companies I can't later complain to. Too bad that SA rules don't use abuse.rfc-ignorant.org anymore. I'd use such rule just because of policy reasons (not onto sender's domain, onto sending hosts RDNS). > Blocking entire countries is a very bad idea I think many people agree with that. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. M$ Win's are shit, do not use it !
Re: blocking country domains.
On Wed, June 18, 2008 06:43, [EMAIL PROTECTED] wrote: > Blocking entire countries is a very bad idea all this thread forget one single thing, tlds have nothing to do with countries even if i was in us i could still post to maillist with a email that ends in .de wake up all :-) Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: Lint failed...how to fix?
On Wed, June 18, 2008 02:25, James Lay wrote: > So here's what I have with rulesdujour: > Very confusing...just those 2 rulesets...anything I can do to fix them? > Thanks. time to change to sa-update, the above is apache error logs you try to lint :) Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: SA experts needed here - SPAM examples
On Tue, June 17, 2008 19:30, Ralf Hildebrandt wrote: >> May I know how I can allow pop3/smtp authenticated connections from > What does POP3 have to do with SMTP? might be pop before smtp (problem in its own, in that it does not handle NAT very well) ? >> internet at large while keeping this line "-r zen.spamhaus.org" in the >> /var/qmail/control/blacklists ? > I have no idea, I stopped using qmail 10 years ago. I use Postfix and > with it I'm able to order my restrictions accordingly: lets now not have that mta wars one more time, but i bet sendmail can do this to :-) Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098
RE: SA experts needed here - SPAM examples
Hi, I got my sa ruleset updated with exactly what you have, the "ninja" works well and scores well !!! But only after a bit of troubleshooting as a few plugins did not updated my configuration correctly . First of all I didn't know they mantle with those (qmail) control files. For most of the spams I easily got score above 10 now. Now I changing my focus to false positive , trying to send emails from the external server or free email accounts such as hotmail and yahoo. Hopefully does not give me much problem before I can move to next step by taking in greyd. Thanks for all your helps. Appreciated. From: Jari Fredriksson [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2008 12:56 PM To: NGSS; users@spamassassin.apache.org Cc: [EMAIL PROTECTED] Subject: Re: SA experts needed here - SPAM examples > Hi Jari, > This is impressive! I am impressed by the high score it > got from your machine's analysis. I think this is what I > am looking for. > The lowest score among the rule is 0.9, it is well way of > my 0.1 total score. I think I really missed out quite a > few things. May I know where I can alter the ruleset? Do > I require additional plugins ? I am using the defaults > plugins set from Qmail-toaster cnt50 . > Well... I use the following rulesets in my sa-update channelfile: -(/etc/spamassassin/channels.txt)--- updates.spamassassin.org sought.rules.yerp.org saupdates.openprotect.com 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net 70_sare_evilnum0.cf.sare.sa-update.dostech.net 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net 70_sare_html0.cf.sare.sa-update.dostech.net 70_sare_html_eng.cf.sare.sa-update.dostech.net 70_sare_header0.cf.sare.sa-update.dostech.net 70_sare_header_eng.cf.sare.sa-update.dostech.net 70_sare_specific.cf.sare.sa-update.dostech.net 70_sare_adult.cf.sare.sa-update.dostech.net 72_sare_bml_post25x.cf.sare.sa-update.dostech.net 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net 70_sare_spoof.cf.sare.sa-update.dostech.net 70_sare_random.cf.sare.sa-update.dostech.net 70_sare_oem.cf.sare.sa-update.dostech.net 70_sare_genlsubj0.cf.sare.sa-update.dostech.net 70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net 70_sare_unsub.cf.sare.sa-update.dostech.net 70_sare_uri0.cf.sare.sa-update.dostech.net 70_sare_obfu0.cf.sare.sa-update.dostech.net 70_sare_stocks.cf.sare.sa-update.dostech.net --- -(/etc/cron.hourly/sa-update)-- #!/bin/sh /usr/local/bin/sa-update --allowplugins --channelfile /etc/spamassassin/channels.txt --nogpg && \ /usr/local/bin/sa-compile && \ /etc/init.d/spamassassin reload exit 0 --- In addition to those, I use Botnet -plugin. I don't remember url to get it, but surely someone knows, maybe even google;) Cheers jarif
Re: [Rule Set proposal] French Rules
Hi, I was able to access the URL you mentioned, but not all of the files below it. I received: "Forbidden You don't have permission to access /spam/FR_PAYLESSTAXES.txt on this server." Sorry guys, only the ruleset file (the one I tried, of course) was readable, all the non empty spam samples had bad rights. This is fixed. I still miss samples for two rules, even if I did had hits according to /var/spool/maillog I did not save them. John
Re: blocking country domains.
>> >> >> Is there a way to just block email coming from .de domains? >> I have been individually adding those to my blacklist but I was wondering if >> there was a catchall for just anything coming from .de >> Hi, as someone who sends abuse reports from .de, I often get rejections based on the kind of policy you want. Now, what is my next step? submit the non-functional abuse@ address to rfci.org? send the abuse message by snail mail and put some explosives in the letter? Blocking entire countries is a very bad idea Wolfgang
Mail-SpamAssassin-3.2.5 installation went OK
The following are my (happy) Mail-SpamAssassin-3.2.5 installation observations. Seen at untarring: Please make files dates reflect when they were last changed. Not all just 2008-06-10. We see checking module dependencies and their versions... NOTE: the optional Mail::SPF module is not installed... Please say if these are Perl modules or SpamAssassin modules or Cpan Perl modules, etc., even if you say so in README, etc. After the first of perl Makefile.PL PREFIX=$HOME && make && make install we expect cheery messages, "Good boy, looks good", well, at least the latter two don't bomb out :-) (Anyway, still accruing debris of older versions and older sa-updates in the file tree.)
Re: SARE fraud rulesets rotted?
On Tue, 2008-06-17 at 21:28 -0500, Chris wrote: > On Tuesday 17 June 2008 10:29 am, John Hardin wrote: > > On Tue, 17 Jun 2008, ram wrote: > > >> 2.8 L_NOTVALID_GMAIL L_NOTVALID_GMAIL > > > > > > What are these rules L_NOTVALID_GMAIL , L_UNVERIFIED_GMAIL etc ? > > > > They're related to DKIM. Google them and you'll find their definitions. > > Could you possibly be talking about this ruleset: {snip} > I forgot where I got it but I've got it placed in my local.cf and get quite a > few hits on it. Yep. Mark Martinec posted them to the SA list in Feb 2007. http://mail-archives.apache.org/mod_mbox/spamassassin-users/200702.mbox/[EMAIL PROTECTED] That's what I was referring to. I don't know if Mark originated them or not... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- W-w-w-w-w-where did he learn to n-n-negotiate like that? --- Tomorrow: SWMBO's Birthday
Re: SARE fraud rulesets rotted?
On Tuesday 17 June 2008 10:29 am, John Hardin wrote: > On Tue, 17 Jun 2008, ram wrote: > >> 2.8 L_NOTVALID_GMAIL L_NOTVALID_GMAIL > > > > What are these rules L_NOTVALID_GMAIL , L_UNVERIFIED_GMAIL etc ? > > They're related to DKIM. Google them and you'll find their definitions. Could you possibly be talking about this ruleset: header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i header __L_ML2 exists:List-Id header __L_ML3 exists:List-Post header __L_ML4 exists:Mailing-List header __L_HAS_SNDR exists:Sender meta __L_VIA_ML__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR header __L_FROM_Y1 From:addr =~ [EMAIL PROTECTED] header __L_FROM_Y2 From:addr =~ [EMAIL PROTECTED](ar|br|cn|hk|my|sg)$}i header __L_FROM_Y3 From:addr =~ [EMAIL PROTECTED](id|in|jp|nz|uk)$}i header __L_FROM_Y4 From:addr =~ [EMAIL PROTECTED](ca|de|dk|es|fr|gr|ie|it|pl| se)$}i meta __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4 header __L_FROM_GMAIL From:addr =~ [EMAIL PROTECTED] meta L_UNVERIFIED_YAHOO !DKIM_VERIFIED && __L_FROM_YAHOO && !__L_VIA_ML priority L_UNVERIFIED_YAHOO 500 scoreL_UNVERIFIED_YAHOO 2.5 meta L_UNVERIFIED_GMAIL !DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML priority L_UNVERIFIED_GMAIL 500 scoreL_UNVERIFIED_GMAIL 2.5 I forgot where I got it but I've got it placed in my local.cf and get quite a few hits on it. -- Chris KeyID 0xE372A7DA98E6705C pgpYiEXPVhZeM.pgp Description: PGP signature
RE: SA experts needed here - SPAM examples
HI David, The server is running on latest qmail-toaster's bundle. It is a smtp-auth. -Original Message- From: David B Funk [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 18, 2008 5:55 AM To: users@spamassassin.apache.org Cc: NGSS Subject: Re: SA experts needed here - SPAM examples On Tue, 17 Jun 2008, Ralf Hildebrandt wrote: > * NGSS <[EMAIL PROTECTED]>: > > Hi Ralf, > > Thanks for the response. > > > May I know how I can allow pop3/smtp authenticated connections from > > What does POP3 have to do with SMTP? At a guess, he's using the old POP before SMTP kluge rather than real SMTP-AUTH, so no auth tokens in the "Received" headers and thus all kinds of additional pain. To NGSS: either set up a SMTP server with real SMTP-AUTH or set up a seperate SMTP server to act just as a MSA and configure it to skip SA mail filtering. As it sounds like you're using qmail you will have better luck getting these questions answered on a qmail specific list. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
are you doing sender address verification?
Just conjecture at this point, but it seems as though whenever I send an email to the SA mailing list, I receive sender address verification requests from: chlothar.bnv-bamberg.de sam.metaphysis.net Over the course of a few days, I see these requests soon after my messages are accepted by an apache.org MX. Is there a link? Just a coincidence? Is anyone else experiencing similar behavior? Thanks. -- Sahil Tandon <[EMAIL PROTECTED]>
Re: Lint failed...how to fix?
James Lay <[EMAIL PROTECTED]> wrote: > Ah..that explains it then..thanks. Where does one go to get updated > rulesets then? man sa-update(1) -- Sahil Tandon <[EMAIL PROTECTED]>
Re: Lint failed...how to fix?
On 6/17/08 6:49 PM, "SM" <[EMAIL PROTECTED]> wrote: > At 17:25 17-06-2008, James Lay wrote: >> So here's what I have with rulesdujour: >> >>> Lint output: [5993] warn: config: failed to parse line, skipping, in >>> "/etc/mail/spamassassin/70_sare_random.cf": >> HTTP-EQUIV="Refresh" CONTENT="0.1"> > > You got a web page instead of the actual rules. Remove that file as > it does not contain any SpamAssassin rules. > >> Very confusing...just those 2 rulesets...anything I can do to fix them? > > Don't use rulesdujour. There hasn't been any updates to those > rulesets since a long time. > > Regards, > -sm > Ah..that explains it then..thanks. Where does one go to get updated rulesets then? James
Re: Lint failed...how to fix?
At 17:25 17-06-2008, James Lay wrote: So here's what I have with rulesdujour: > Lint output: [5993] warn: config: failed to parse line, skipping, in > "/etc/mail/spamassassin/70_sare_random.cf": HTTP-EQUIV="Refresh" CONTENT="0.1"> You got a web page instead of the actual rules. Remove that file as it does not contain any SpamAssassin rules. Very confusing...just those 2 rulesets...anything I can do to fix them? Don't use rulesdujour. There hasn't been any updates to those rulesets since a long time. Regards, -sm
Lint failed...how to fix?
So here's what I have with rulesdujour: > Lint output: [5993] warn: config: failed to parse line, skipping, in > "/etc/mail/spamassassin/70_sare_random.cf": HTTP-EQUIV="Refresh" CONTENT="0.1"> > [5993] warn: config: failed to parse line, skipping, in > "/etc/mail/spamassassin/70_sare_random.cf": CONTENT="no-cache"> > [5993] warn: config: failed to parse line, skipping, in > "/etc/mail/spamassassin/70_sare_random.cf": CONTENT="-1"> > [5993] warn: config: failed to parse line, skipping, in > "/etc/mail/spamassassin/70_sare_random.cf": > [5993] warn: config: failed to parse line, skipping, in > "/etc/mail/spamassassin/bogus-virus-warnings.cf": HTTP-EQUIV="Refresh" CONTENT="0.1"> > [5993] warn: config: failed to parse line, skipping, in > "/etc/mail/spamassassin/bogus-virus-warnings.cf": CONTENT="no-cache"> > [5993] warn: config: failed to parse line, skipping, in > "/etc/mail/spamassassin/bogus-virus-warnings.cf": CONTENT="-1"> > [5993] warn: config: failed to parse line, skipping, in > "/etc/mail/spamassassin/bogus-virus-warnings.cf": > [5993] warn: lint: 8 issues detected, please rerun with debug enabled for more > information > Very confusing...just those 2 rulesets...anything I can do to fix them? Thanks. James
Re: blocking country domains.
raulbe <[EMAIL PROTECTED]> wrote: > Is there a way to just block email coming from .de domains? > I have been individually adding those to my blacklist but I was wondering if > there was a catchall for just anything coming from .de This is better accomplished with your MTA before mail is processed by SA. Your question expectedly triggered a flood of passionate responses and encouragement against rejecting all mail from any country. That is generally good advice; unless, for example, you are a postmaster for a client who has asked for this feature. At the very least, try accepting email to abuse@ and postmaster@ even from .de addresses and educate your client about the perils (read: stupidity) of rejecting email from an entire country. -- Sahil Tandon <[EMAIL PROTECTED]>
Re: blocking country domains.
On Tue, 2008-06-17 at 18:32 +0200, Ralf Hildebrandt wrote: > * raulbe <[EMAIL PROTECTED]>: > > > > Is there a way to just block email coming from .de domains? > > Oh come on :) Do that in your MTA. Right. And don't get either of these replies. ;-) [1] Anyway, what you just requested is WAY too broad and intrusive. You will get FPs. I hope no one will just tell you, how to write a SA rule as easy as matching on a ccTLD in the From: header. If you can't come up with such a rule yourself, clearly, you don't understand the impact this might have either. [2] Oh, and just for the record: SpamAssassin does NOT block. *sigh* It merely scores mail. Any action whatsoever is the duty of other tools in your mail processing chain. guenther [1] No, wait. The OP is using Nabble. So he wants us to reply and help him, but he doesn't want out mail. Smart move [2] to use a forum thingy so blocking entire countries doesn't block answers... [2] Sarcasm intended. -- char *t="[EMAIL PROTECTED]"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Header Analysis Problem
mouss escribió: Carlos Velasco wrote: mouss escribió: Carlos Velasco wrote: Hello, I am getting these hits with the email below: AWL, FH_HELO_ALMOST_IP, HELO_DYNAMIC_SPLIT_IP, RCVD_IN_PBL Problem is in this "Received": Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Jun 2008 17:18:10 +0200 Client in IP address 88.31.96.80 is sending mail using SMPT-Auth to "owa1.cnio.es", so this header is right. Problem is that SA is analyzing this "Received" and complaining about it as it is a dynamic IP address or so. Any way to solve this problem? set internal_networks. Well, the problem is that users can send from any Internet IP address as they do SMTP-Auth, so I can't use internal_networks or trusted_networks or msa_networks. put the IP of owa1.cnio.es in internal_networks. It doesn't work. I think internal_networks matches the "from" IP address, not the "by". In debug relay 192.168.10.7 is matched as internal, but relay 88.31.96.80 not. [30937] dbg: received-header: parsed as [ ip=192.168.10.7 rdns=owa1.cnio.es helo=owa1.cnio.es by=flash2.cnio.es ident= envfrom= intl=0 id= auth= msa=0 ] [30937] dbg: received-header: relay 192.168.10.7 trusted? yes internal? yes msa? no [30937] dbg: received-header: parsed as [ ip=88.31.96.80 rdns= helo=80.Red-88-31-96.staticIP.rima-tde.net by=owa1.cnio.es ident= envfrom= intl=0 id= auth= msa=0 ] [30937] dbg: received-header: relay 88.31.96.80 trusted? no internal? no msa? no [30937] dbg: metadata: X-Spam-Relays-Trusted: [ ip=192.168.10.7 rdns=owa1.cnio.es helo=owa1.cnio.es by=flash2.cnio.es ident= envfrom= intl=1 id= auth= msa=0 ] [30937] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=88.31.96.80 rdns= helo=80.Red-88-31-96.staticIP.rima-tde.net by=owa1.cnio.es ident= envfrom= intl=0 id= auth= msa=0 ] [30937] dbg: metadata: X-Spam-Relays-Internal: [ ip=192.168.10.7 rdns=owa1.cnio.es helo=owa1.cnio.es by=flash2.cnio.es ident= envfrom= intl=1 id= auth= msa=0 ] [30937] dbg: metadata: X-Spam-Relays-External: [ ip=88.31.96.80 rdns= helo=80.Red-88-31-96.staticIP.rima-tde.net by=owa1.cnio.es ident= envfrom= intl=0 id= auth= msa=0 ]
Re: SpamAssassin 3.2.5 committed to FreeBSD ports
> From: Len Conrad <[EMAIL PROTECTED]> > Date: Tue, 17 Jun 2008 16:09:49 -0500 > To: > Subject: Re: SpamAssassin 3.2.5 committed to FreeBSD ports > > >> cd /usr/src/kerberos5/lib/libkrb5 && make && make install && make clean > > this worked, thanks. sshd loads now. > > Is there any good reason for spamassassin on a fairly standard MX > relay box to bother with kerberos at all? There is nothing in the ports Makefile that should do that. Sometimes, if your system was a 4.x, upgraded to a 5.x and upgraded to a 6.x and upgraded to a 7.x and sometime inbetween you enabled, or disabled kerbros, the system could get into a confused state. Nothing in the SA port that I know of that would do that. -- Michael Scheidell, CTO >|SECNAP Network Security Winner 2008 Network Products Guide Hot Companies FreeBSD SpamAssassin Ports maintainer _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com _
Re: SA experts needed here - SPAM examples
On Tue, 17 Jun 2008, Ralf Hildebrandt wrote: > * NGSS <[EMAIL PROTECTED]>: > > Hi Ralf, > > Thanks for the response. > > > May I know how I can allow pop3/smtp authenticated connections from > > What does POP3 have to do with SMTP? At a guess, he's using the old POP before SMTP kluge rather than real SMTP-AUTH, so no auth tokens in the "Received" headers and thus all kinds of additional pain. To NGSS: either set up a SMTP server with real SMTP-AUTH or set up a seperate SMTP server to act just as a MSA and configure it to skip SA mail filtering. As it sounds like you're using qmail you will have better luck getting these questions answered on a qmail specific list. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: [Rule Set proposal] French Rules
On Tue, Jun 17, 2008 at 12:11 PM, John GALLET <[EMAIL PROTECTED]> wrote: > Hi, > > This is my first post on this list and first ruleset, so please point me to > the right place/documents if I am doing anything wrong. > > According to a search of this list on markmail.org, there have been few > subjects about spam in French and (no disrespect meant) I would agree with > the comments I read about the current French Ruleset being inadequate (tried > it, did not keep any of it). > > So I would like to propose a set for French Rules and get your feedback. > > You can find both the rules and some sample spam email messages (two of them > missing, I have hits in my log files, but deleted them) at the following > URL: http://www.saphirtech.fr/spam/ > > I have been running these for about a month sitewise on three domains, I > have not seen any false positives (yet). > > Sincerely, > JG I was able to access the URL you mentioned, but not all of the files below it. I received: "Forbidden You don't have permission to access /spam/FR_PAYLESSTAXES.txt on this server." Dave
SA 3.2.5 RPM Build Error
I tried to build the new SA release via command: rpmbuild -tb Mail-SpamAssassin-3.2.5.tar.gz and this is the error I recieved. RPM build errors: Bad exit status from /var/tmp/rpm-tmp.9369 (%doc) File not found: /var/tmp/spamassassin-root/usr/share/spamassassin Any help will be greatly appreciated. Jeremy Davila Systems Administrator Direct: 646-205-2136 The LanguageWorks, Inc. 1123 Broadway, Suite 201 New York, NY 10010 The LanguageWorks, Inc. is an ISO 9001:2000 certified company which: "Facilitates global communication by providing foreign language translation, editing, proofreading, and cultural analysis. Additional services include on-site interpreting and document review, foreign language page layout, conversion of web sites into multiple languages, and multilingual voice-overs for radio spots and video productions." CONFIDENTIALITY NOTICE: The information in this E-Mail may be confidential and may be legally privileged. It is intended solely for the addressee(s). If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on this E-Mail, is prohibited and may be unlawful. If you have received this E-Mail message in error, notify the sender by reply E-Mail and delete the message.<><><>
Re: SpamAssassin 3.2.5 committed to FreeBSD ports
Does libkrb5.so.8 exist (usually in /usr/lib/)?! no. installed heimdal then krb5 from ports, no problem. re-booted. same msgs as before in sshd logs. sshd won't allow any logins. and complains same as before. Did you install security/krb5 or security/heimdal from ports? yes, after your first msg. Check your make.conf. If there are no entries about kerberos, remove security/heimdal and then: cd /usr/src/kerberos5/lib/libkrb5 && make && make install && make clean this worked, thanks. sshd loads now. Is there any good reason for spamassassin on a fairly standard MX relay box to bother with kerberos at all? Len
Re: The rules has more weigh than bayesian-learn ?
On Tue, Jun 17, 2008 at 04:32:00PM -0300, Thiago Henrique Rodrigues wrote: > I am a novice in the use of SpamAssassin and I need your help. Who has > more weigh in the classification of a message, the rules or the > bayesian-learn ? Your question doesn't really make sense. The results of the Bayes examination are rules based on the 0-100 spam probability. If I understand what you're asking though, the Bayes system results in 1 rule hit, whereas there are hundreds of other rules that can all hit, so generally rules would outweigh Bayes, unless you change the weighting (score) of the Bayes rule in relation to the other rules. -- Randomly Selected Tagline: "I am NOT a computer geek! ... I just spend too much time in front of the computer." - Theo pgpBerDu77NYx.pgp Description: PGP signature
Re: The rules has more weigh than bayesian-learn ?
Thiago Henrique Rodrigues wrote: Dear, I am a novice in the use of SpamAssassin and I need your help. Who has more weigh in the classification of a message, the rules or the bayesian-learn ? Best Regards, -- []'s Thiago Henrique Network Administration Digirati Networks K8 Networks Hostnet Hosting It depends on the scores you give each thing. I.E bayesian confidence 90-100% you might give 6 points to and a single rule onlly 1 point. But if the bayesian confidence was only 5% you may give it 0 points. Kate
Re: sa-update and location of rules
On Tue, Jun 17, 2008 at 09:56:49PM +0200, Helmut Schneider wrote: > >FWIW, the directories and their order are well documented in the > >spamassassin > >POD. > > Could you please point me to the exact location? Thanks. (you could also use "man") $ perldoc spamassassin [...] CONFIGURATION FILES The SpamAssassin rule base, text templates, and rule description text are loaded from configuration files. Default configuration data is loaded from the first existing directory in: /var/lib/spamassassin/3.002005 /usr/share/spamassassin [...] -- Randomly Selected Tagline: "Variety is the spice of life: one day ignore people, the next day annoy them." - A cat's guide to life pgpOOUfmi8a3T.pgp Description: PGP signature
Re: sa-update and location of rules
"Theo Van Dinter" <[EMAIL PROTECTED]> wrote: On Tue, Jun 17, 2008 at 10:42:41AM +0200, Helmut Schneider wrote: So /var/db/spamassassin//updates_spamassassin_org has precedence over /usr/local/etc/mail/spamassassin? Some kind of version checking or rather the existence of the rules file? What happens if /usr/local/etc/mail/spamassassin contains obsolete rules? /usr/local/etc/mail/spamassassin sounds like your like site rules dir, so if you have obsolete rules in there you will continue to have them. Typo, I meant /usr/local/share/spamassassin/ FWIW, the directories and their order are well documented in the spamassassin POD. Could you please point me to the exact location? Thanks.
Re: Header Analysis Problem
Carlos Velasco wrote: mouss escribió: Carlos Velasco wrote: Hello, I am getting these hits with the email below: AWL, FH_HELO_ALMOST_IP, HELO_DYNAMIC_SPLIT_IP, RCVD_IN_PBL Problem is in this "Received": Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Jun 2008 17:18:10 +0200 Client in IP address 88.31.96.80 is sending mail using SMPT-Auth to "owa1.cnio.es", so this header is right. Problem is that SA is analyzing this "Received" and complaining about it as it is a dynamic IP address or so. Any way to solve this problem? set internal_networks. Well, the problem is that users can send from any Internet IP address as they do SMTP-Auth, so I can't use internal_networks or trusted_networks or msa_networks. put the IP of owa1.cnio.es in internal_networks.
Re: SpamAssassin 3.2.5 committed to FreeBSD ports
Helmut Schneider <[EMAIL PROTECTED]> wrote: Len Conrad <[EMAIL PROTECTED]> wrote: Does libkrb5.so.8 exist (usually in /usr/lib/)?! no. installed heimdal then krb5 from ports, no problem. re-booted. same msgs as before in sshd logs. sshd won't allow any logins. and complains same as before. Did you install security/krb5 or security/heimdal from ports? yes, after your first msg. Check your make.conf. If there are no entries about kerberos, remove security/heimdal and then: cd /usr/src/kerberos5/lib/libkrb5 && make && make install && make clean I still don't see why a port upgrade should remove base conponents but you should consider rebuilding the system[1]. Alternatively use sysinstall and "fixit". [1] http://www.freebsd.org/doc/en/books/handbook/makeworld.html -- No Swen today, my love has gone away My mailbox stands for lorn, a symbol of the dawn
Re: SpamAssassin 3.2.5 committed to FreeBSD ports
Len Conrad <[EMAIL PROTECTED]> wrote: Does libkrb5.so.8 exist (usually in /usr/lib/)?! no. installed heimdal then krb5 from ports, no problem. re-booted. same msgs as before in sshd logs. sshd won't allow any logins. and complains same as before. Did you install security/krb5 or security/heimdal from ports? yes, after your first msg. Check your make.conf. If there are no entries about kerberos, remove security/heimdal and then: cd /usr/src/kerberos5/lib/libkrb5 && make && make install && make clean I still don't see why a port upgrade should remove base conponents but you should consider rebuilding the system[1]. Alternatively use sysinstall and "fixit". -- No Swen today, my love has gone away My mailbox stands for lorn, a symbol of the dawn
The rules has more weigh than bayesian-learn ?
Dear, I am a novice in the use of SpamAssassin and I need your help. Who has more weigh in the classification of a message, the rules or the bayesian-learn ? Best Regards, -- []'s Thiago Henrique Network Administration Digirati Networks K8 Networks Hostnet Hosting
[Rule Set proposal] French Rules
Hi, This is my first post on this list and first ruleset, so please point me to the right place/documents if I am doing anything wrong. According to a search of this list on markmail.org, there have been few subjects about spam in French and (no disrespect meant) I would agree with the comments I read about the current French Ruleset being inadequate (tried it, did not keep any of it). So I would like to propose a set for French Rules and get your feedback. You can find both the rules and some sample spam email messages (two of them missing, I have hits in my log files, but deleted them) at the following URL: http://www.saphirtech.fr/spam/ I have been running these for about a month sitewise on three domains, I have not seen any false positives (yet). Sincerely, JG # # FRENCH SPECIFIC SPAMASSASSIN RULES. # USE AND REDISTRIBUTE WITH THIS NOTE AT YOUR OWN RISK AND PLEASURE. # AUTHOR: John GALLET # Version: 2008-JUNE-17 # Latest: http://www.saphirtech.fr/ # Status: It Works For Me (tm) # # Spam is legal in France ! body FR_SPAMISLEGAL /\b(Conform.+ment|En vertu).{0,5}(article.{0,4}34.{0,4})?la loi\b/i describe FR_SPAMISLEGAL French: pretends spam is (l)awful. lang fr describe FR_SPAMISLEGAL Invoque la loi informatique et libertes. score FR_SPAMISLEGAL2.5 body FR_SPAMISLEGAL_2 /\bdroit d.acc.+s.{1,3}(de modification)?.{0,5}de rectification\b/i describe FR_SPAMISLEGAL_2 French: pretends spam is (l)awful. lang fr describe FR_SPAMISLEGAL_2 Invoque le droit de rectification cnil. score FR_SPAMISLEGAL_2 2.5 # # yeah, sure. body FR_NOTSPAM /\b(ceci|ce).{1,9} n.est pas.{1,5}spam\b/i describe FR_NOTSPAM French: claims not to be spam. lang fr describe FR_NOTSPAM Affirme ne pas etre du spam. score FR_NOTSPAM4.0 # ## I can pay my taxes body FR_PAYLESSTAXES /\b(paye|calcul|simul|r.+dui|investi).{1,7}(moins|vo|ses).{0,5}imp.+t(s)?\b/i describe FR_PAYLESSTAXESFrench: Pay less taxes lang fr describe FR_PAYLESSTAXESSimulateurs et reductions d'impots. score FR_PAYLESSTAXES 2.0 body FR_REALESTATE_INVEST /\b(loi)? (de.robien|girardin).{1,15}(neuf|recentr.+|ancien|IR|IS|imp.+t(s)?|industriel(le)?)\b/i describe FR_REALESTATE_INVEST French: Invest in real-estate with tax-reductions lang fr describe FR_REALESTATE_INVEST Reduction impots immobilier. score FR_REALESTATE_INVEST 2.5 # # I won at the casino body FR_ONLINEGAMBLING /\b(casino(s)?|jeu(x)?|joueur(s)?) (en ligne|de grattage)\b/i describe FR_ONLINEGAMBLING French: Online gambling lang fr describe FR_ONLINEGAMBLING Jeux en ligne. score FR_ONLINEGAMBLING 2.0 # # I am so lucky to receive spam body FR_YOURELUCKY /\b(tentez)? votre (jour de)? chance\b/i describe FR_YOURELUCKY French: it's your lucky day (sure). lang fr describe FR_YOURELUCKY Jeux de hasard et de chance. score FR_YOURELUCKY 1.0 # # Baby, did you forget to take your meds ? body FR_ONLINEMEDS /\bpharmacie(s)? (en ligne|internet)\b/i describe FR_ONLINEMEDS French: Online meds ordering lang fr describe FR_ONLINEMEDS Achat de medicaments en ligne. score FR_ONLINEMEDS 3.0 ## # Tell me why body FR_REASON_SUBSCRIBE/\bVous recevez ce(t|tte)? (message|mail|m.+l|lettre|news.+) (car|parce que)\b/i describe FR_REASON_SUBSCRIBEFrench: you subscribed to my spam. lang fr describe FR_REASON_SUBSCRIBEIndique pourquoi vous recevez le courrier. score FR_REASON_SUBSCRIBE 1.5 # # How to unsubscribe body FR_HOWTOUNSUBSCRIBE /\b(souhaitez|d.+sirez|pour).{1,10}(plus.{1,}recevoir|d.+sincrire|d.+sinscription).{0,10}(information|email|mail|mailing|newsletter|message|offre|promotion)(s)?\b/i describe FR_HOWTOUNSUBSCRIBEFrench: how to unsubscribe lang fr describe FR_HOWTOUNSUBSCRIBEIndique comment se desabonner. score FR_HOWTOUNSUBSCRIBE 2.0 # Various "CRM" (Could Remove Me) # header FR_MAILER_1 X-Mailer =~ /(delosmail|cabestan|ems|mp6|wamailer|phpmailer|eMailink|Accucast|Benchmail)/i describe FR_MAILER_1French spammy X-Mailer lang fr describe FR_MAILER_1X-Mailer couramment employe pour des spams en francais. score FR_MAILER_1 4.0 header FR_MAILER_2 X-EMV- =~ /.+/ describe FR_MAILER_2French spammy mailer hea
Re: Header Analysis Problem
mouss escribió: Carlos Velasco wrote: Hello, I am getting these hits with the email below: AWL, FH_HELO_ALMOST_IP, HELO_DYNAMIC_SPLIT_IP, RCVD_IN_PBL Problem is in this "Received": Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Jun 2008 17:18:10 +0200 Client in IP address 88.31.96.80 is sending mail using SMPT-Auth to "owa1.cnio.es", so this header is right. Problem is that SA is analyzing this "Received" and complaining about it as it is a dynamic IP address or so. Any way to solve this problem? set internal_networks. Well, the problem is that users can send from any Internet IP address as they do SMTP-Auth, so I can't use internal_networks or trusted_networks or msa_networks.
Re: SpamAssassin 3.2.5 committed to FreeBSD ports
Does libkrb5.so.8 exist (usually in /usr/lib/)?! after installing heimdal and krb5 from ports with no errors: find / -iname "libkrb5.so.*" /usr/local/lib/libkrb5.so.21 /usr/compat/linux/usr/lib/libkrb5.so.3 /usr/compat/linux/usr/lib/libkrb5.so.3.2 /usr/ports/security/heimdal/work/heimdal-0.7.2/lib/krb5/.libs/libkrb5.so.21 /usr/ports/security/heimdal/work/heimdal-0.7.2/lib/krb5/.libs/libkrb5.so.21T /usr/ports/security/krb5/work/krb5-1.5.1/src/lib/krb5/libkrb5.so.3 /usr/ports/security/krb5/work/krb5-1.5.1/src/lib/libkrb5.so.3 I think we'll have to wipe an re-install, quicker than spending hours trying fix a broken Unix. Len
Re: Header Analysis Problem
Carlos Velasco wrote: Hello, I am getting these hits with the email below: AWL, FH_HELO_ALMOST_IP, HELO_DYNAMIC_SPLIT_IP, RCVD_IN_PBL Problem is in this "Received": Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Jun 2008 17:18:10 +0200 Client in IP address 88.31.96.80 is sending mail using SMPT-Auth to "owa1.cnio.es", so this header is right. Problem is that SA is analyzing this "Received" and complaining about it as it is a dynamic IP address or so. Any way to solve this problem? set internal_networks.
Re: SpamAssassin 3.2.5 committed to FreeBSD ports
Both sshd and libkrb5.so.8 are part of the base system so I guess you messed up something else. I claim innocence. portugrade of spamassassin messed it up. Does libkrb5.so.8 exist (usually in /usr/lib/)?! no. installed heimdal then krb5 from ports, no problem. re-booted. same msgs as before in sshd logs. sshd won't allow any logins. and complains same as before. Did you install security/krb5 or security/heimdal from ports? yes, after your first msg. Len
Re: SARE fraud rulesets rotted?
ram wrote: [snip] What are these rules L_NOTVALID_GMAIL , L_UNVERIFIED_GMAIL etc ? See (even if you don't use amavisd-new): http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
Re: SA experts needed here - SPAM examples
* NGSS <[EMAIL PROTECTED]>: > Hi Ralf, > Thanks for the response. > May I know how I can allow pop3/smtp authenticated connections from What does POP3 have to do with SMTP? > internet at large while keeping this line "-r zen.spamhaus.org" in the > /var/qmail/control/blacklists ? I have no idea, I stopped using qmail 10 years ago. I use Postfix and with it I'm able to order my restrictions accordingly: smtpd_recipient_restrictions = permit_mynetworks # permit stuff from my network ranges permit_sasl_authenticated # permit authenticated connections reject_unauth_destination # prevent relaying reject_rbl_client zen.spamhaus.org # reject blacklisted clients -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin BerlinTel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-BerlinFax. +49 (0)30-450 570-962 IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
RE: SA experts needed here - SPAM examples
Hi Ralf, Thanks for the response. May I know how I can allow pop3/smtp authenticated connections from internet at large while keeping this line "-r zen.spamhaus.org" in the /var/qmail/control/blacklists ? -Original Message- From: Ralf Hildebrandt [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2008 4:20 PM To: users@spamassassin.apache.org Subject: Re: SA experts needed here - SPAM examples * NGSS <[EMAIL PROTECTED]>: > Hi John > I afraid I had move the ling "-r zen.spamhaus.org" from the > /var/qmail/control/blacklists . > Because with this line is in, I can't perform send/receive from most of the > external network using my Outlook. Is that what you talking about? That's a clear case of a misconfiguration. The host in that RBL may not send mail to you, but YOU as AUTHORIZED client may of course send. Make sure that the RBL is only applied to non-authorized clients. -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin BerlinTel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-BerlinFax. +49 (0)30-450 570-962 IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
RE: SARE fraud rulesets rotted?
> > > I have made some early progress on this (I don't want to make it > generally avalaible yet until Steve from Sane gets back off vacation). > The biggest problem I have at the moment is the size of the rule set > that it generates - a subset of the rules (i.e. the ones that I have > managed to convert automagically to regexes) - causes a lint time to > increase by over 50 times most of which is account for in the body rules > compile. > > I am trying to come up with an automated QA process to try and select a > subset of the rules that work well. > > Currently my top hitter is > > body SANE_5c5f0a94131e9a4a62a04b9f590d7455 /New players at Euro VIP/ > > > matt > Matt Will this be done somewhat like the sought ruleset so that we can turn it on or off based upon need? - rh
RE: SA experts needed here - SPAM examples
On Wed, 18 Jun 2008, NGSS wrote: It required authentication for external connections so it is not an open-relay. Good. So you meant I am doing the right thing by removing the line from /var/qmail/control/blacklists ? No, I think you *should* have the zen blacklist in use. If using it is interfering with authenticated external connections, then you need to ask the qmail list why that is happening. Authenticated connections should *not* be affected by the blacklists you use. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- We are hell-bent and determined to allocate the talent, the resources, the money, the innovation to absolutely become a powerhouse in the ad business. -- Microsoft CEO Steve Ballmer ...because allocating talent to securing Windows isn't profitable? --- Tomorrow: SWMBO's Birthday
RE: Can't find re2c
Yap. I got the rpm and installed. Thanks. -Original Message- From: Jari Fredriksson [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2008 8:43 PM To: NGSS Cc: users@spamassassin.apache.org; [EMAIL PROTECTED] Subject: Re: Can't find re2c > Hi, > I tried to do a sa-compile the first time after successfully downloaded > the ruleset recommended. But I got this error. > > > re2c -i -b -o scanner1.c scanner1.re > Can't exec "re2c": No such file or directory at /usr/bin/sa-compile line > 287, <$fh> line 974. > > > It seemed that it cannot find re2c . I tried to installed the latest > spamassassin + tools rpm but still no success (in getting this file). > Anyone knows where I can get this file ? is it suppose to come with the > package? > > if you use Linux then if you use Debian or Ubuntu aptitude install re2c else if you use RedHat based yum install re2c else use whatever tool there is to install re2c else use whatever tool there is to install re2c You can also download and install it from source. It is not part of SpamAssassin package.
RE: SA experts needed here - SPAM examples
Hi John, It required authentication for external connections so it is not an open-relay. So you meant I am doing the right thing by removing the line from /var/qmail/control/blacklists ? -Original Message- From: John Hardin [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2008 11:22 PM To: NGSS Cc: 'SpamAssassin Users List'; [EMAIL PROTECTED] Subject: RE: SA experts needed here - SPAM examples On Tue, 17 Jun 2008, NGSS wrote: > I afraid I had move the ling "-r zen.spamhaus.org" from the > /var/qmail/control/blacklists . > Because with this line is in, I can't perform send/receive from most of > the external network using my Outlook. Is that what you talking about? DNSBL tests should not be applied to locally-originated messages. Your local network probably uses an address range that appears on the zen DNSBL. Ask on the qmail list how to apply a DNSBL to external mail but not to internal-network mail clients. Either that, or I am misunderstanding your question. Are you saying you're using roaming outlook mail clients from the internet at large to send email via your MTA? If you are using authentication, then the DNSRBL should not be used (again, that's a question for the qmail list). If you are _not_ using authentication, and are accepting and relaying mail from the internet at large, and zen is interfering with that, then you have bigger problems than your SA scores being low. It sounds like you're what's called an "open relay"... > -Original Message- > From: John Hardin [mailto:[EMAIL PROTECTED] > >>> http://www.keac.com/id3303/spam-egs.txt >> >> 3.0 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL >>[68.243.81.116 listed in zen.spamhaus.org] > > Indeed. > > Suggestion: put zen.spamhaus.org in your MTA's DNSBL list. That's a > reliable BL and should be part of your up-front filtering. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Warning Labels we'd like to see #1: "If you are a stupid idiot while using this product you may hurt yourself. And it won't be our fault." --- Tomorrow: SWMBO's Birthday
RE: sare rule updates ?
> > They are not being updated and they won't in the close future. > Any update would be announced *loudly* all over the place. > > Running any type of updates (sa-update with SARE channel or > rules_du_jour) is a waste of bandwidth and useless load on donated > server resources. > > SARE recommends shutting off all updates and wait for any announcement. > > > Ninja, Good looking out for us! Thank you for all the hard work you have put in for the SA community over a long time :-) - rh
Re: blocking country domains.
raulbe wrote: Is there a way to just block email coming from .de domains? Probably - in your MTA. Maybe a procmail recipe. I have been individually adding those to my blacklist but I was wondering if there was a catchall for just anything coming from .de Your call. Bad idea, IMHO. But Spamassassin doesn't *block*.
Re: blocking country domains.
* raulbe <[EMAIL PROTECTED]>: > > Is there a way to just block email coming from .de domains? Oh come on :) Do that in your MTA. -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin BerlinTel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-BerlinFax. +49 (0)30-450 570-962 IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
Header Analysis Problem
Hello, I am getting these hits with the email below: AWL, FH_HELO_ALMOST_IP, HELO_DYNAMIC_SPLIT_IP, RCVD_IN_PBL Problem is in this "Received": Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Jun 2008 17:18:10 +0200 Client in IP address 88.31.96.80 is sending mail using SMPT-Auth to "owa1.cnio.es", so this header is right. Problem is that SA is analyzing this "Received" and complaining about it as it is a dynamic IP address or so. Any way to solve this problem? # spamassassin < test Received: from localhost by flash2.cnio.es with SpamAssassin (version 3.2.5); Tue, 17 Jun 2008 18:04:15 +0200 From: john doe <[EMAIL PROTECTED]> To: Any One <[EMAIL PROTECTED]> Subject: spam: Re: [Fwd: [Fwd: Delivery Status Notification (Failure)]] Date: Tue, 17 Jun 2008 17:18:02 +0200 Message-Id: <[EMAIL PROTECTED]> X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on flash2.cnio.es X-Spam-Level: X-Spam-Status: Yes, score=8.0 required=5.0 tests=AWL,FH_HELO_ALMOST_IP, HELO_DYNAMIC_SPLIT_IP,RCVD_IN_PBL,RDNS_NONE autolearn=no version=3.2.5 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="--=_4857E07F.6924E393" This is a multi-part message in MIME format. =_4857E07F.6924E393 Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: inline Content-Transfer-Encoding: 8bit This Email has been identified as spam. The original message has been attached to this so you can view it (if it isn't spam). Content analysis details: (8.0 points, 5.0 required) Este Email ha sido identificado como spam. El mensaje original ha sido adjuntado a esta notificacia su visualizaci caso de que no sea spam). Detalles del an?sis de contenido: (8.0 points, 5.0 required) =_4857E07F.6924E393 Content-Type: message/rfc822; x-spam-type=original Content-Description: original message before SpamAssassin Content-Disposition: inline Content-Transfer-Encoding: 8bit Received: from owa1.cnio.es (owa1.cnio.es [192.168.10.7]) by flash2.cnio.es (ESMTP Server) with ESMTP for <[EMAIL PROTECTED]>; Tue, 17 Jun 2008 17:18:15 +0200 (CEST) Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Jun 2008 17:18:10 +0200 Message-ID: <[EMAIL PROTECTED]> Date: Tue, 17 Jun 2008 17:18:02 +0200 From: john doe <[EMAIL PROTECTED]> User-Agent: Thunderbird 2.0.0.14 (Macintosh/20080421) MIME-Version: 1.0 To: Any One <[EMAIL PROTECTED]> Subject: Re: [Fwd: [Fwd: Delivery Status Notification (Failure)]] Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit some text =_4857E07F.6924E393-- Regards, Carlos Velasco
Re: blocking country domains.
On 17.06.08 08:47, raulbe wrote: > Is there a way to just block email coming from .de domains? Why? That may be a very bad idea. There surely are different rules and configurations that may > I have been individually adding those to my blacklist but I was wondering if > there was a catchall for just anything coming from .de -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. We are but packets in the Internet of life (userfriendly.org)
blocking country domains.
Is there a way to just block email coming from .de domains? I have been individually adding those to my blacklist but I was wondering if there was a catchall for just anything coming from .de Thanks -- View this message in context: http://www.nabble.com/blocking-country-domains.-tp17916455p17916455.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
/root/.spamassassin/auto-whitelist.lock: Permission denied in maillog
Hi , I know this message has been posted several time sbut I couldn't get satisfactory answer. I have successfully installed Openprotect 5.0.4 mentioned at http://wiki.apache.org/spamassassin/IntegratedInMta which is complete package including MailScanner for intergration with MTAs, spamassassin, clamav antivirus on RHEL 4 running 2.6.9-67.0.15.ELsmp. When I am trying to test spam mail as mentioned in documentation I get following error in maillog Jun 17 09:39:21 smgtest2 spamd[25646]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody at /usr/bin/spamd line 1150, line 4. Jun 17 09:39:21 smgtest2 spamd[25646]: spamd: processing message <[EMAIL PROTECTED]> for root:99 Jun 17 09:39:29 smgtest2 spamd[25646]: mkdir /root/.spamassassin: Permission denied at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1467 Jun 17 09:39:29 smgtest2 spamd[25646]: locker: safe_lock: cannot create tmp lockfile /root/.spamassassin/auto-whitelist.lock.smgtest2.bu.edu.25646 for /root/.spamassassin/auto-whitelist.lock: Permission denied Jun 17 09:39:29 smgtest2 spamd[25646]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /root/.spamassassin/auto-whitelist.lock.smgtest2.bu.edu.25646 for /root/.spamassassin/auto-whitelist.lock: Permission denied Jun 17 09:39:29 smgtest2 spamd[25646]: Can't call method "finish" on an undefined value at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/AWL.pm line 397. After gooogling I found that error is because I am running spamd as root . I tried adding DROPPRIVS=yes to /etc/procmailrc But that didn’t work. I also created a user called spamd , assign home directory then run /usr/bin/spamd -r /var/run/spamd.pid -d --username=spamd then send test mail again but same error How do I tell spamd to run as different user ? What privileges are required by that user ? Thanks MP -- View this message in context: http://www.nabble.com/-root-.spamassassin-auto-whitelist.lock%3A-Permission-denied-in-maillog-tp17916446p17916446.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: sa-update and location of rules
On Tue, Jun 17, 2008 at 10:42:41AM +0200, Helmut Schneider wrote: > So /var/db/spamassassin//updates_spamassassin_org has precedence > over /usr/local/etc/mail/spamassassin? Some kind of version checking or > rather the existence of the rules file? What happens if > /usr/local/etc/mail/spamassassin contains obsolete rules? /usr/local/etc/mail/spamassassin sounds like your like site rules dir, so if you have obsolete rules in there you will continue to have them. FWIW, the directories and their order are well documented in the spamassassin POD. -- Randomly Selected Tagline: Welcome to Kyoto -- the anagram lover's Tokyo. - Futurama, "Crimes of the Hot" pgpXZ11dNsWlk.pgp Description: PGP signature
RE: SA experts needed here - SPAM examples
On Tue, 17 Jun 2008, John Hardin wrote: There is your problem right there. Bayes will not start classifying messages until you have taught at least 100 each of ham and spam. Make that 200. D'oh! -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Warning Labels we'd like to see #1: "If you are a stupid idiot while using this product you may hurt yourself. And it won't be our fault." --- Tomorrow: SWMBO's Birthday
Re: SARE fraud rulesets rotted?
On Tue, 17 Jun 2008, ram wrote: 2.8 L_NOTVALID_GMAIL L_NOTVALID_GMAIL What are these rules L_NOTVALID_GMAIL , L_UNVERIFIED_GMAIL etc ? They're related to DKIM. Google them and you'll find their definitions. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Warning Labels we'd like to see #1: "If you are a stupid idiot while using this product you may hurt yourself. And it won't be our fault." --- Tomorrow: SWMBO's Birthday
Re: controlling spams to mailing lists with procmailrc possible?
On Tue, 17 Jun 2008, kk CHN wrote: Anyone here using procmailrc for blocking spams coming in the mailman mailing lists? I'm not. If you do some google searches you'll find some mailman patches that hook it directly up to SA. Any posting that scores high is held for moderator approval using the existing mailman mechanisms. No need for any external glue. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Warning Labels we'd like to see #1: "If you are a stupid idiot while using this product you may hurt yourself. And it won't be our fault." --- Tomorrow: SWMBO's Birthday
RE: SA experts needed here - SPAM examples
On Tue, 17 Jun 2008, NGSS wrote: I afraid I had move the ling "-r zen.spamhaus.org" from the /var/qmail/control/blacklists . Because with this line is in, I can't perform send/receive from most of the external network using my Outlook. Is that what you talking about? DNSBL tests should not be applied to locally-originated messages. Your local network probably uses an address range that appears on the zen DNSBL. Ask on the qmail list how to apply a DNSBL to external mail but not to internal-network mail clients. Either that, or I am misunderstanding your question. Are you saying you're using roaming outlook mail clients from the internet at large to send email via your MTA? If you are using authentication, then the DNSRBL should not be used (again, that's a question for the qmail list). If you are _not_ using authentication, and are accepting and relaying mail from the internet at large, and zen is interfering with that, then you have bigger problems than your SA scores being low. It sounds like you're what's called an "open relay"... -Original Message- From: John Hardin [mailto:[EMAIL PROTECTED] http://www.keac.com/id3303/spam-egs.txt 3.0 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL [68.243.81.116 listed in zen.spamhaus.org] Indeed. Suggestion: put zen.spamhaus.org in your MTA's DNSBL list. That's a reliable BL and should be part of your up-front filtering. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Warning Labels we'd like to see #1: "If you are a stupid idiot while using this product you may hurt yourself. And it won't be our fault." --- Tomorrow: SWMBO's Birthday
RE: SA experts needed here - SPAM examples
On Tue, 17 Jun 2008, NGSS wrote: I quite sure that the script is running and the variable in $DOMAIN and $SPAM are correct ( I defined it early in the script, which are not shown here) because the I got a copy for each them in $DIRCOLLECTSPAM and nothing in the learning folder, /home/vpopmail/domains/$DOMAIN/$SPAM/Maildir/cur/* Ok, good. I did the The dump from your command and which had given me this 0.000 0 3 0 non-token data: bayes db version 0.000 0 1337 0 non-token data: nspam 0.000 0 6 0 non-token data: nham There is your problem right there. Bayes will not start classifying messages until you have taught at least 100 each of ham and spam. Teach it a few hundred ham messages and you'll be good. If you've been trying to do that, it's not working. The spams are being learned, the hams are not. Take a look at the hams part of your script. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Warning Labels we'd like to see #1: "If you are a stupid idiot while using this product you may hurt yourself. And it won't be our fault." --- Tomorrow: SWMBO's Birthday
Re: SARE fraud rulesets rotted?
On Mon, 2008-06-16 at 22:10 +0200, mouss wrote: > John Hardin wrote: > > [snip] > > They *did not* hit for me. I've published one of the messages here: > > http://www.impsec.org/~jhardin/atm_spam_01.txt > > > > > > > > true, but other rules hit, so there is no point to have specific sare rules. > > without Bayes, a test on the message yields: > > Content analysis details: (8.7 points, 5.0 required) > > pts rule name description > -- > -- > 0.9 FH_HOST_EQ_PACBELL_D Host is pacbell.net dsl > 0.0 COUNTRY_US Relayed via US > 1.8 SUBJ_ALL_CAPS Subject is all capitals > 1.2 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN) > 0.1 RDNS_DYNAMIC Delivered to trusted network by host with > dynamic-looking rDNS > 1.9 UPPERCASE_75_100 message body is 75-100% uppercase > 2.8 L_NOTVALID_GMAIL L_NOTVALID_GMAIL > What are these rules L_NOTVALID_GMAIL , L_UNVERIFIED_GMAIL etc ?
Re: Hotmail and Gmail spam getting through
http://www.nabble.com/file/p17876019/pharmaspam.txt pharmaspam.txt This one is very distinctive, with all those lines of just =0A= (encoded newline). I've seen it many times. But-- how do you count consecutive lines of raw /^=0A=$/ with the tool we are using? Joseph Brennan Columbia University Information Technology
Re: SARE fraud rulesets rotted?
Justin Mason wrote: Robert - elists writes: Yeah, it's easy enough doing that conversion -- let us know if he's happy for that to happen. It'd be a good way to "port" those sigs to SpamAssassin --j. JM, Would that be announced on the list somehow? Many of us use the CLAMAV SA plugin with those sigs already, and I think it would add unnecessary processing to out systems yes. I have made some early progress on this (I don't want to make it generally avalaible yet until Steve from Sane gets back off vacation). The biggest problem I have at the moment is the size of the rule set that it generates - a subset of the rules (i.e. the ones that I have managed to convert automagically to regexes) - causes a lint time to increase by over 50 times most of which is account for in the body rules compile. I am trying to come up with an automated QA process to try and select a subset of the rules that work well. Currently my top hitter is body SANE_5c5f0a94131e9a4a62a04b9f590d7455 /New players at Euro VIP/ matt
Re: sare rule updates ?
On Tue, June 17, 2008 08:10, Yet Another Ninja wrote: > SARE recommends shutting off all updates and wait for any announcement. sa-update uses dns check to see if there is new version, it not even connect to the mirror host, so waste of bandwidth, maybe dns does not work for some ? :-) we should olso shutting of freshclam since this olso uses dns resources same badly way :-) wait for clamav tarball, hehe no i am just funny now :/ Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: Can't find re2c
> Hi, > I tried to do a sa-compile the first time after successfully downloaded > the ruleset recommended. But I got this error. > > > re2c -i -b -o scanner1.c scanner1.re > Can't exec "re2c": No such file or directory at /usr/bin/sa-compile line > 287, <$fh> line 974. > > > It seemed that it cannot find re2c . I tried to installed the latest > spamassassin + tools rpm but still no success (in getting this file). > Anyone knows where I can get this file ? is it suppose to come with the > package? > > if you use Linux then if you use Debian or Ubuntu aptitude install re2c else if you use RedHat based yum install re2c else use whatever tool there is to install re2c else use whatever tool there is to install re2c You can also download and install it from source. It is not part of SpamAssassin package.
controlling spams to mailing lists with procmailrc possible?
Anyone here using procmailrc for blocking spams coming in the mailman mailing lists? I installed spamassassin in my FreebSD box where I am running postfix with mailman with 10 lists. I edited main.cf & added mailbox_command=/usr/local/bin/procmail -a "$EXTENSION" , and I edited the file /usr/local/etc/procmailrc, content of procmailrd I pasted here http://rafb.net/p/yMHUXh12.html OR I am pasing it here #cat /usr/local/etc/procmailrc PATH=$HOME/bin:/usr/bin:/bin:/usr/local/bin:. MAILDIR=$HOME/Maildir/ DEFAULT=$MAILDIR/ :0fw | /usr/local/bin/spamc -u spamassassin -s 256000 DROPPRIVS=YES :0 * ^X-Spam-Flag.*YES $MAILDIR.Junk/ :0 * ^TO ! [EMAIL PROTECTED],[EMAIL PROTECTED],...,[EMAIL PROTECTED] my question is that , 1 ) is the configuration in procmailrc is okay for controlling spams to my mailing lists ? any errors in it OR I have to add anything more in procmailrc file ? 2) is the procmailrc configuration is the rightway to control spams to mailing lists ? am I wrong ? OR anyother method is there to do it effectively All of you please share with your comments to help me out to achive what I am trying to do Thanks in advance kkchn
Re: SpamAssassin 3.2.5 committed to FreeBSD ports
Please don't post HTML, thanks... for sshd: /libexec/ld-elf.so.1: shared object "libkrb5.so.8" not found required by "sshd" Both sshd and libkrb5.so.8 are part of the base system so I guess you messed up something else. Does libkrb5.so.8 exist (usually in /usr/lib/)?! Did you install security/krb5 or security/heimdal from ports?
Re: Can't find re2c
On 17.06.08 18:52, NGSS wrote: > I tried to do a sa-compile the first time after successfully downloaded > the ruleset recommended. But I got this error. Please, configure your mailer to wrap long lines below 80 characters per line. > > re2c -i -b -o scanner1.c scanner1.re > Can't exec "re2c": No such file or directory at /usr/bin/sa-compile line 287, > <$fh> line 974. > > > It seemed that it cannot find re2c . I tried to installed the latest > spamassassin + tools rpm but still no success (in getting this file). > Anyone knows where I can get this file ? is it suppose to come with the > package? re2c is external package, not part of SA. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
Re: Can't find re2c
* NGSS <[EMAIL PROTECTED]>: > Hi, > I tried to do a sa-compile the first time after successfully downloaded the > ruleset recommended. But I got this error. > > > re2c -i -b -o scanner1.c scanner1.re > Can't exec "re2c": No such file or directory at /usr/bin/sa-compile line 287, > <$fh> line 974. > > > It seemed that it cannot find re2c . I tried to installed the latest > spamassassin + tools rpm but still no success (in getting this file). Anyone > knows where I can get this file ? is it suppose to come with the package? $ apt-cache search re2c re2c - tool for generating fast C-based recognizers It's a sep. package -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin BerlinTel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-BerlinFax. +49 (0)30-450 570-962 IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
Can't find re2c
Hi, I tried to do a sa-compile the first time after successfully downloaded the ruleset recommended. But I got this error. re2c -i -b -o scanner1.c scanner1.re Can't exec "re2c": No such file or directory at /usr/bin/sa-compile line 287, <$fh> line 974. It seemed that it cannot find re2c . I tried to installed the latest spamassassin + tools rpm but still no success (in getting this file). Anyone knows where I can get this file ? is it suppose to come with the package?
Re: sare rule updates ?
> On 6/17/2008 8:01 AM, RobertH wrote: > > Running any type of updates (sa-update with SARE channel or > rules_du_jour) is a waste of bandwidth and useless load on donated > server resources. > > SARE recommends shutting off all updates and wait for any announcement. > So noted. I removed those from my sa-update. cheers, jarif
Re: SARE fraud rulesets rotted?
Robert - elists writes: > > > > Yeah, it's easy enough doing that conversion -- let us know if he's > > happy for that to happen. It'd be a good way to "port" those sigs > > to SpamAssassin > > > > --j. > > JM, > > Would that be announced on the list somehow? > > Many of us use the CLAMAV SA plugin with those sigs already, and I think it > would add unnecessary processing to out systems yes.
Re: sa-update and location of rules
Michael Scheidell <[EMAIL PROTECTED]> wrote: running FreeBSD I have two directories with rules in it: /usr/local/share/spamassassin /var/db/spamassassin/3.002005/updates_spamassassin_org Which is the correct directory, which rules are used? SpamAssassin will use the default, distributed rules in /usr/local/share/spamassassin plus /usr/local/etc/mail/spamassassin UNTIL YOU RUN SA-UPDATE. Then it uses the rules in /var/db/spamassassin//updates_spamassassin_org plus /usr/local/etc/mail/spamassassin. So /var/db/spamassassin//updates_spamassassin_org has precedence over /usr/local/etc/mail/spamassassin? Some kind of version checking or rather the existence of the rules file? What happens if /usr/local/etc/mail/spamassassin contains obsolete rules? I'm running amavisd chroot'ed, 'cp -rp /var/db/spamassassin /var/amavisd/var/db' is all I need to do? -- No Swen today, my love has gone away My mailbox stands for lorn, a symbol of the dawn
Re: sare rule updates ?
On 6/17/2008 8:01 AM, RobertH wrote: Seeing that Jari posted a large channels.txt file with lots of sare rule updates... I am wondering... When was the last time any of the sare rules were updated? I actually do not recall any of the ones we use being updated in many months, and it appears he checks hourly... Anyone? They are not being updated and they won't in the close future. Any update would be announced *loudly* all over the place. Running any type of updates (sa-update with SARE channel or rules_du_jour) is a waste of bandwidth and useless load on donated server resources. SARE recommends shutting off all updates and wait for any announcement.
Re: SA experts needed here - SPAM examples
* NGSS <[EMAIL PROTECTED]>: > Hi John > I afraid I had move the ling "-r zen.spamhaus.org" from the > /var/qmail/control/blacklists . > Because with this line is in, I can't perform send/receive from most of the > external network using my Outlook. Is that what you talking about? That's a clear case of a misconfiguration. The host in that RBL may not send mail to you, but YOU as AUTHORIZED client may of course send. Make sure that the RBL is only applied to non-authorized clients. -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin BerlinTel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-BerlinFax. +49 (0)30-450 570-962 IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
Re: Spam getting scored but not tagged -- redux
> On Mon, 16 Jun 2008, Matus UHLAR - fantomas wrote: > > >I don't think that problem with not tagging your messages is anyhow related > >to pyzor. I guess it's caused by postfix configuration, but I don't use > >postfix so I can not comment that out. On 16.06.08 10:57, Chris St. Pierre wrote: > Baroo? Using pyzor -> suckage; not using pyzor -> no suckage. I'm > not sure it's directly caused by pyzor, either, but I think it's > pretty clearly related in some way. I'd be interested to hear how > a problem like this could be related to _any_ MTA; Postfix doesn't > know or care what pyzor does. Simply - if spamassassin fails, it does neither score nor tag the message. If spammassin scored the message, it did not fail. According to OP, the spamassassin did score the message, so it did not fail. When headers are not found in the resulting message, it's not problem of SA. I guess that checking the message tooks too long time so postfix timed out and continued with original message. Maybe the long time and timeout was caused by pyzor. However as the OP said, the spamassassion DOES score. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Support bacteria - they're the only culture some people have.
RE: sare rule updates ?
> > - rh > > lol.. Maybe I should put them in a separate sare_channels.txt and run it > yearly? > Heheh Ummm, it isn't a knock on the sare rules. We appreciate them a lot. I am truly wondering if maybe we just are updating from the wrong place by going directly to the rulesemporium website manually. - rh
Re: SA experts needed here - SPAM examples
NGSS wrote: Hi John I quite sure that the script is running and the variable in $DOMAIN and $SPAM are correct ( I defined it early in the script, which are not shown here) because the I got a copy for each them in $DIRCOLLECTSPAM and nothing in the learning folder, /home/vpopmail/domains/$DOMAIN/$SPAM/Maildir/cur/* I did the The dump from your command and which had given me this 0.000 0 3 0 non-token data: bayes db version 0.000 0 1337 0 non-token data: nspam 0.000 0 6 0 non-token data: nham You need to learn 200 spam _AND_ 200 HAM messages before Bayes will start scoring. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ Study Health Informatics - Modular Postgraduate Degree http://www.chime.ucl.ac.uk/study-health-informatics/