Re: prefork error

2008-06-20 Thread Matus UHLAR - fantomas
On 19.06.08 13:54, raulbe wrote:
 where do I find these lines?

 confQUEUE_LA
 confREFUSE_LA
 confDELAY_LA 

 I looked in both the sendmail.cf file and the sendmail.mc file and didn't
 see them?

you'll see them in cf.README(.gz) and you can add them to sendmail.mc
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread mouss

John Hardin wrote:

On Thu, 2008-06-19 at 20:54 -0700, John Hardin wrote:

  

header  XX Received =~ /from \S+\.svcolo\.com \(\S+ \[10\.\d\.\d\.\d\]\) by arran\.svcolo\.com \(/
score  XX  -5



Oops. Need some plusses in there...

/from \S+\.svcolo\.com \(\S+ \[10\.\d+\.\d+\.\d+\]\) by arran\.svcolo\.com \(/

  


What happens if such header was forged?


Re: points for for user in Awl

2008-06-20 Thread Robert Schetterer

Benny Pedersen wrote:

On Thu, June 19, 2008 10:48, Robert Schetterer wrote:


http://wiki.apache.org/spamassassin/AutoWhitelist
http://wiki.apache.org/spamassassin/AwlWrongWay

thanks i already found and fixed it


fix is ?


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


fix means
deleted emailaddress
in the whitelist and understood design of autowhitelist described in the 
wiki

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Spamassassin doesn't learn / debug outputs

2008-06-20 Thread heinztomato



sa-learn --dump magic
if both nham, nspam is over 200 then show me

spamassassin 2>&1 -D -t </tmp/msg >/tmp/log
and maybe also
spamassassin 2>&1 -D --lint >/tmp/lint

post log and lint file somewhere
 
 

First: The dump-data:

0.000          0          3          0  non-token data: bayes db version
0.000          0        555          0  non-token data: nspam
0.000          0       7466          0  non-token data: nham
0.000          0     136237          0  non-token data: ntokens
0.000          0 1208412003          0  non-token data: oldest atime
0.000          0 1213945203          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1213942542          0  non-token data: last expiry atime
0.000          0    5529600          0  non-token data: last expire atime delta
0.000          0      16661          0  non-token data: last expire reduction count

now with the lint parameter:

[1679] dbg: logger: adding facilities: all
 [1679] dbg: logger: logging level is DBG
 [1679] dbg: generic: SpamAssassin version 3.1.7-deb
 [1679] dbg: config: score set 0 chosen.
 [1679] dbg: util: running in taint mode? yes
 [1679] dbg: util: taint mode: deleting unsafe environment variables,
 resetting PATH
 [1679] dbg: util: PATH included '/home/ole/bin', which doesn't exist,
 dropping
 [1679] dbg: util: PATH included '/home/ole/perl5/bin', which doesn't
 exist, dropping
 [1679] dbg: util: PATH included '/usr/local/bin', keeping
 [1679] dbg: util: PATH included '/usr/bin', keeping
 [1679] dbg: util: PATH included '/bin', keeping
 [1679] dbg: util: PATH included '/usr/bin/X11', keeping
 [1679] dbg: util: PATH included '/usr/games', keeping
 [1679] dbg: util: final PATH set to:
 /usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
 [1679] dbg: message:  MIME PARSER START 
 [1679] dbg: message: main message type: text/plain
 [1679] dbg: message: parsing normal part
 [1679] dbg: message: added part, type: text/plain
 [1679] dbg: message:  MIME PARSER END 
 [1679] dbg: dns: is Net::DNS::Resolver available? yes
 [1679] dbg: dns: Net::DNS version: 0.59
 [1679] dbg: diag: perl platform: 5.008008 linux
 [1679] dbg: diag: module installed: Digest::SHA1, version 2.11
 [1679] dbg: diag: module installed: Razor2::Client::Agent, version 2.81
 [1679] dbg: diag: module not installed: Net::Ident ('require' failed)
 [1679] dbg: diag: module not installed: IO::Socket::INET6 ('require'
 failed)
 [1679] dbg: diag: module installed: IO::Socket::SSL, version 1.01
 [1679] dbg: diag: module installed: Time::HiRes, version 1.86
 [1679] dbg: diag: module installed: DBI, version 1.53
 [1679] dbg: diag: module installed: Getopt::Long, version 2.35
 [1679] dbg: diag: module installed: LWP::UserAgent, version 2.033
 [1679] dbg: diag: module installed: HTML::Parser, version 3.55
 [1679] dbg: diag: module installed: MIME::Base64, version 3.07
 [1679] dbg: diag: module installed: DB_File, version 1.814
 [1679] dbg: diag: module installed: Net::DNS, version 0.59
 [1679] dbg: diag: module installed: Net::SMTP, version 2.29
 [1679] dbg: diag: module not installed: Mail::SPF::Query ('require'
 failed)
 [1679] dbg: diag: module not installed: IP::Country::Fast ('require'
 failed)
 [1679] dbg: diag: module installed: HTTP::Date, version 1.47
 [1679] dbg: diag: module installed: Archive::Tar, version 1.30
 [1679] dbg: diag: module installed: IO::Zlib, version 1.04
 [1679] dbg: ignore: using a test message to lint rules
 [1679] dbg: config: using /etc/spamassassin for site rules pre files
 [1679] dbg: config: read file /etc/spamassassin/init.pre
 [1679] dbg: config: read file /etc/spamassassin/v310.pre
 [1679] dbg: config: read file /etc/spamassassin/v312.pre
 [1679] dbg: config: using /usr/share/spamassassin for sys rules pre
 files
 [1679] dbg: config: using /usr/share/spamassassin for default rules dir
 [1679] dbg: config: read file /usr/share/spamassassin/10_misc.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_advance_fee.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_anti_ratware.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_body_tests.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_compensate.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_drugs.cf
 [1679] dbg: config: read file
 /usr/share/spamassassin/20_fake_helo_tests.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_head_tests.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_html_tests.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_meta_tests.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_net_tests.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_phrases.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_porn.cf
 [1679] dbg: config: read file /usr/share/spamassassin/20_ratware.cf
 [1679] dbg: 

Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Henrik K
On Fri, Jun 20, 2008 at 12:12:45AM -0400, Matt Kettler wrote:

 That is correct, SPF checks are applied to the first untrusted host.

Matt, you should know better. ;) It's first _external_ host.



Re: yahoo.com adds new domains.

2008-06-20 Thread mouss

Michael Scheidell wrote:

[snip]



sharpen up your SA rules, justin: time to watch those rules, including 
the 'forged from yahoo' rules.


no spf records. wonder if they will dkim sign them:

$ host -t txt ymail.com
ymail.com has no TXT record
$ host -t txt rocketmail.com
rocketmail.com has no TXT record



just tested the first (ymail.com), and they sign it. I guess they do the 
same for the other domain.


X-Spam-Status: No, score=-0.288 required=5 tests=[
DKIM_VERIFIED=-0.3, DK_POLICY_TESTING=0.001, DK_SIGNED=0.001,
DK_VERIFIED=-0.001, HTML_MESSAGE=0.001]
...
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
 s=s1024; d=ymail.com;
 h=Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type:Message-ID;
 ...




Re: [AMaViS-user] yahoo.com adds new domains.

2008-06-20 Thread Michael Scheidell

Quanah Gibson-Mount wrote:

Rocketmail isn't new.  I've had a rocketmail account since the 1990's.



yes, and now you belong to yahoo
read the story.



--
Michael Scheidell, President
Main: 561-999-5000, Office: 561-939-7259
 *| *SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
www.technosium.com/hotcompanies/ http://www.technosium.com/hotcompanies/


_
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com

_


Re: Spamassassin doesn't learn / debug outputs

2008-06-20 Thread heinztomato

Well. Three senders of that bad domain made it into the users'
(auto)whitelist. 

I'm not quite sure why. But now I just remove those hoping they won't appear
there again.

Thanks for helping!
-- 
View this message in context: 
http://www.nabble.com/Spamassassin-doesn%27t-learn---debug-outputs-tp18011818p18026483.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: [AMaViS-user] yahoo.com adds new domains.

2008-06-20 Thread Quanah Gibson-Mount

Rocketmail isn't new.  I've had a rocketmail account since the 1990's.

--Quanah

--On Thursday, June 19, 2008 6:40 PM -0400 Michael Scheidell 
[EMAIL PROTECTED] wrote:



As if email from freebie @yahoo.com addresses isn't enough, Yahoo has
now announced two new domains that the freebie spammers can spam from:

ymail.com and rocketmail.com

*SAN FRANCISCO — Yahoo Inc. is offering free e-mail accounts under two
new designations in an effort to attract Web surfers unhappy with their
current addresses.*

The Sunnyvale-based company expects to begin registering new addresses
under the domains of ymail and rocketmail around noon PDT Thursday
at http://mail.yahoo.com.

It will be the first time that Yahoo has offered e-mail accounts under
umbrellas other than its own company name since it became a
correspondence conduit in 1997.

Yahoo began offering free e-mail shortly after its $80 million
acquisition of Four11 Corp., which included the rocketmail domain.
Rocketmail users at the time of the acquisition were allowed to keep
their existing accounts, but Yahoo hadn't accepted any new addresses
under that name until now.

The diversification into new e-mail designations is being driven by the
difficulty that people are having as they try to find an appealing
e-mail handle under the Yahoo domain.

Read full story at:

http://www.foxnews.com/printer_friendly_wires/2008Jun19/0,4675,TECYahooMa
il,00.html



sharpen up your SA rules, justin: time to watch those rules, including
the 'forged from yahoo' rules.

no spf records. wonder if they will dkim sign them:

$ host -t txt ymail.com
ymail.com has no TXT record
$ host -t txt rocketmail.com
rocketmail.com has no TXT record

--
Michael Scheidell, President
Main: 561-999-5000, Office: 561-939-7259
  *| *SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
www.technosium.com/hotcompanies/ http://www.technosium.com/hotcompanies/





--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Matt Kettler

Matt Kettler wrote:
Why do neither of those options make sense? I do both in my network, 
albeit that version SPF is only in my internal view, and I actually 
use 10.xx.0.0/16 not 10/8. (I only use a /16, not the whole /8)


Is there some detail that's missing here? ie: do you have a compelling 
reason to not trust your internal hosts using 10/8? 


Side note:

There is no risk of trusting everyone's email when you add 10/8 to 
your trusted_networks. This is because trust in spamassassin is a chain 
that must be unbroken to work. Once a message has been handled by an 
untrusted host, you can't trust any earlier Received: headers.


Take an example where email comes from the outside (headers simplified, 
it's an example...):


Received from trusted_host.jrhett.com [64.13.143.10] by 
sa_box.jrett.com; 12:02:00 +
Received from example.somoutsidedomain.com[1.1.1.1] by 
trusted_host.jrhett.com; 12:01:00 +
Received from insideclient.someoutsidedomain [10.1.1.1] by 
example.somoutsidedomain.com; 12:00:00 +


Here, spamassassin will trust trusted_host.jrhett.com [64.13.143.10], 
because it's been configured to do so. However, it does not trust 
example.somoutsidedomain.com[1.1.1.1].
Because example.somoutsidedomain.com[1.1.1.1] is untrusted,  
insideclient.someoutsidedomain [10.1.1.1] is also untrusted, even though 
10/8 is in trusted_networks.
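
The chain-of-trust walk described in the message above, as an added Python example (not SpamAssassin's code and not part of the original post). It assumes the simplified `from HOST [IP] by HOST` header shape used in the post; the function names are hypothetical and the second header set is constructed.

```python
import ipaddress
import re

# Simplified "from HOST [IP] by HOST" shape used in the example headers above;
# real Received headers carry more fields than this pattern looks at.
RELAY_RE = re.compile(
    r"from\s+(?P<host>[^\s\[]+)\s*\[(?P<ip>[0-9.]+)\]\s+by\s+(?P<by>[^\s;]+)"
)


def classify_relays(received, trusted_networks):
    """Walk Received headers newest-first and return one dict per hop.

    A hop is trusted only if its IP is listed in trusted_networks AND every
    hop between it and the scanning host was trusted as well.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    chain_intact = True
    hops = []
    for header in received:
        match = RELAY_RE.search(header)
        try:
            ip = ipaddress.ip_address(match.group("ip")) if match else None
        except ValueError:
            ip = None
        if ip is None:
            # Unparseable hop: we cannot tell who relayed it, so the chain ends.
            chain_intact = False
            hops.append({"host": None, "ip": None, "listed": False, "trusted": False})
            continue
        listed = any(ip in net for net in nets)
        trusted = chain_intact and listed
        chain_intact = trusted
        hops.append({"host": match.group("host"), "ip": str(ip),
                     "listed": listed, "trusted": trusted})
    return hops


def first_untrusted(hops):
    """Return the newest hop that is not trusted, or None if all are trusted."""
    for hop in hops:
        if not hop["trusted"]:
            return hop
    return None


# Headers from the post above, newest first (timestamps dropped).
OUTSIDE_MAIL = [
    "Received: from trusted_host.jrhett.com [64.13.143.10] by sa_box.jrett.com;",
    "Received: from example.somoutsidedomain.com[1.1.1.1] by trusted_host.jrhett.com;",
    "Received: from insideclient.someoutsidedomain [10.1.1.1] by example.somoutsidedomain.com;",
]

# Constructed: mail that never left the internal network.
INSIDE_MAIL = [
    "Received: from mx.internal.example [10.0.0.5] by sa_box.internal.example;",
    "Received: from desktop.internal.example [10.0.0.9] by mx.internal.example;",
]

# 10/8 written out in full, plus the one external relay configured as trusted.
TRUSTED_NETWORKS = ["64.13.143.10/32", "10.0.0.0/8"]

if __name__ == "__main__":
    for name, headers in (("outside", OUTSIDE_MAIL), ("inside", INSIDE_MAIL)):
        print(name)
        for hop in classify_relays(headers, TRUSTED_NETWORKS):
            print("  %-35s %-13s listed=%-5s trusted=%s"
                  % (hop["host"], hop["ip"], hop["listed"], hop["trusted"]))
```

The 10.1.1.1 hop in the outside mail is listed in 10/8 but still comes out untrusted, because the header naming it was written by a relay that is not trusted.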


need a regular expression to create

2008-06-20 Thread vodamailshiva
Hi,
One of spammers is killing our SMTP servers.
in the content of e-mail, he is mentioning 2 e-mails addresses.
i need to create a rule to black the spammer.
he is using [EMAIL PROTECTED],  [EMAIL PROTECTED] ,i need to black
the spam e-mails using content of e-mail.
please help me..


Re: need a regular expression to create

2008-06-20 Thread Leonardo Rodrigues Magalhães


vodamailshiva wrote:

Hi,
One of spammers is killing our SMTP servers.
in the content of e-mail, he is mentioning 2 e-mails addresses.
i need to create a rule to black the spammer.
he is using [EMAIL PROTECTED] mailto:[EMAIL PROTECTED],  
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] ,i need to 
black the spam e-mails using content of e-mail.





   if you identified which email addresses the spammer is using as the 
sender of the message, block them at the MTA !!


   it could be done in SA ??? Of course  but you'll waste far 
more resources than blocking at MTA level.




--


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
[EMAIL PROTECTED]
My SPAMTRAP, do not email it





Re: need a regular expression to create

2008-06-20 Thread McDonald, Dan
On Fri, 2008-06-20 at 10:29 -0300, Leonardo Rodrigues Magalhães wrote:
 
 vodamailshiva wrote: 
  Hi, 
  One of spammers is killing our SMTP servers. 
  in the content of e-mail, he is mentioning 2 e-mails addresses. 
  i need to create a rule to black the spammer. 
  he is using [EMAIL PROTECTED],  [EMAIL PROTECTED] ,i need
  to black the spam e-mails using content of e-mail. 
  
 
 
 if you identified which email addresses the spammer is using as
 the sender of the message, block them at the MTA !!


I think he said it was in the content, not the envelope.

Something like:
body        _L_GMAIL_SPAMMER1   [EMAIL PROTECTED]
describe    _L_GMAIL_SPAMMER1   refers to a known spammer

body        _L_GMAIL_SPAMMER2   [EMAIL PROTECTED]
describe    _L_GMAIL_SPAMMER2   refers to a known spammer

meta        L_GMAIL_SPAMMERS    _L_GMAIL_SPAMMER1 | _L_GMAIL_SPAMMER2
describe    L_GMAIL_SPAMMERS    has at least one spammer e-mail address in the body
score       L_GMAIL_SPAMMERS    3.0


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



signature.asc
Description: This is a digitally signed message part


EuroPharmacie

2008-06-20 Thread phil89

Hi

We receive some mails with EuroPharmacie
How could I avoid these
SCORE is only 5.9

Regards
Philippe

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: by mail.x.fr (Postfix, from userid 513)
 id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
X-Spam-Level: *
X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
 MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
 URIBL_SBL autolearn=no version=3.x.x
Received: from host121-166-dynamic.21-79-r.retail.telecomitalia.it
(host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
 by mail.infodev.fr (Postfix) with ESMTP
 id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)
Received: from [79.21.166.121] by gateway10.tnb.com; Fri, 20 Jun 2008
13:37:14 +0100
From: Les pilules ici [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Ne vous inquietez pas, EuroPharmacie fait tout pour vous
Date: Fri, 20 Jun 2008 13:37:14 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary==_NextPart_000_0006_01C8D2DA.BFA4A100
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: Aca6QD7U3RN590OEV2WE4I10P15S8U==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: [EMAIL PROTECTED]
Status:   
 
This is a multi-part message in MIME format.
 
--=_NextPart_000_0006_01C8D2DA.BFA4A100
Content-Type: text/plain;
 charset=us-ascii
Content-Transfer-Encoding: 7bit
 
Le EuroPharmacie boutique en ligne vous propose de passer a une veritable
securite, tout en achetant des medicaments. Nous obtenons nos pilules
directement chez le fabricant de l'usine afin qu'ils ne passent pas par les
mains de toute intermediaires.
 
Rendez-vous sur notre pharmacie et acheter un
 
http://wroteprove.com
 
 
 

--=_NextPart_000_0006_01C8D2DA.BFA4A100
Content-Type: text/html;
 charset=us-ascii
Content-Transfer-Encoding: quoted-printable
 
html xmlns:o=3Durn:schemas-microsoft-com:office:office xmlns:w=3Durn:=
schemas-microsoft-com:office:word xmlns=3Dhttp://www.w3.org/TR/REC-html=
40
 
head
META HTTP-EQUIV=3DContent-Type CONTENT=3Dtext/html; charset=3Dus-asci=
i
meta name=3DGenerator content=3DMicrosoft Word 11 (filtered medium)
/head
body
html
body bgcolor=3D#FF link=3Dgreen
Le EuroPharmacie boutique en ligne vous=
 propose de passer a une veritable securite, tout en achetant des medicam=
ents. Nous obtenons nos pilules directement chez le fabricant de l'usine =
afin qu'ils ne passent pas par les mains de toute intermediaires.=
brbr
3Dhttp://wrote= Rendez-vous sur notre pharmacie et acheter un
brbrhttp://wroteprove.com brbr
/body
/html
/body
/html
 
--=_NextPart_000_0006_01C8D2DA.BFA4A100--




Re: EuroPharmacie

2008-06-20 Thread Evan Platt
5.0 is generally considered a level you can consider something Spam at. 
This scored a 5.9.


What's your Spam level set at?

phil89 wrote:

Hi

We receive some mails with EuroPharmacie
How could I avoid these
SCORE is only 5.9

Regards
Philippe
  




Re: EuroPharmacie

2008-06-20 Thread Jeff Chan
On Friday, June 20, 2008, 6:51:44 AM, phil89 phil89 wrote:

 Hi

 We receive some mails with EuroPharmacie
 How could I avoid these
 SCORE is only 5.9

 Regards
 Philippe

 Return-Path: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: by mail.x.fr (Postfix, from userid 513)
  id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
 X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
 X-Spam-Level: *
 X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
 
 MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
  URIBL_SBL autolearn=no version=3.x.x
 Received: from
 host121-166-dynamic.21-79-r.retail.telecomitalia.it
 (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
  by mail.infodev.fr (Postfix) with ESMTP
  id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)
[...]

 http://wroteprove.com


Use SURBLs.  Enable network tests:

  http://www.surbl.org/faq.html#nettest

jp.surbl.org blacklisted that domain at 14:33 CEST

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: +++Spam+++: EuroPharmacie

2008-06-20 Thread McDonald, Dan
On Fri, 2008-06-20 at 06:51 -0700, phil89 wrote:
 Hi
 
 We receive some mails with EuroPharmacie
 How could I avoid these
 SCORE is only 5.9

The botnet plugin probably would have given this a little boost.  I use
a botnet/p0f combination under amavisd-new that is reasonably accurate
at assigning scores.

grey-listing would have delayed it enough to have hit uribl-black


 

 Received: from host121-166-dynamic.21-79-r.retail.telecomitalia.it
 (host121-166-dynamic.21-79-r.retail.telecomitalia.it [79.21.166.121])
  by mail.infodev.fr (Postfix) with ESMTP
  id DBDF6E8CE; Fri, 20 Jun 2008 14:30:33 +0200 (CEST)

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





, stretch test for SA

2008-06-20 Thread NGSS
Is there a way or tool to test and measure/analyse how well the SA is being
setup to guard against spam? 




RE: , stretch test for SA

2008-06-20 Thread Martin.Hepworth
Yeah the way you get a phone call once a month to the help desk when a single 
piece of spam ends up in users inbox ;-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

 -Original Message-
 From: NGSS [mailto:[EMAIL PROTECTED]
 Sent: 20 June 2008 15:05
 To: users@spamassassin.apache.org
 Cc: [EMAIL PROTECTED]
 Subject: , stretch test for SA

 Is there a way or tool to test and measure/analyse how well
 the SA is being setup to guard against spam?







**
Confidentiality : This e-mail and any attachments are intended for the 
addressee only and may be confidential. If they come to you in error 
you must take no action based on them, nor must you copy or show them 
to anyone. Please advise the sender by replying to this e-mail 
immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of 
the author and unless specifically stated to the contrary, are not 
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure 
communications medium and can be subject to data corruption. We advise 
that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any 
attachments are free from known viruses but in keeping with good 
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales 
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
United Kingdom
**



Re: EuroPharmacie

2008-06-20 Thread Matus UHLAR - fantomas
On 20.06.08 06:51, phil89 wrote:
 We receive some mails with EuroPharmacie
 How could I avoid these
 SCORE is only 5.9

upgrade your spamassassin and/or rules (sa-update). turn on network rules
you can (razor, pyzor, DCC, uribl's)

 Return-Path: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: by mail.x.fr (Postfix, from userid 513)
  id E1BD5E8D3; Fri, 20 Jun 2008 14:30:39 +0200 (CEST)
 X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr
 X-Spam-Level: *
 X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
  MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
  URIBL_SBL autolearn=no version=3.x.x

RCVD_IN_DYNABLOCK does not exist for some time. Your rules are old and
possibly not as effective as newer are.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 


Re: EuroPharmacie

2008-06-20 Thread Duane Hill

On Fri, 20 Jun 2008, phil89 wrote:



Hi

We receive some mails with EuroPharmacie
How could I avoid these
SCORE is only 5.9


Only 5.9? 5.0 is the SA default score. You must have changed that.


Rules in local.cf are not read?

2008-06-20 Thread Simone Morandini

Hi all,

I'm using MailScanner with SpamAssassin, and I'm using the Cache
SpamAssassin Results = yes option.
Since I've enabled this option, I'm seeing that some spam messages pass
through, although the subject or body match one or more own-written rules in
my local.cf file.
If I look at the header of these messages, they have:

X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, timed out)

If I save the message and try spamassassin -D < mymessage it is correctly
detected as spam, also against the rules in local.cf file.
I know that SpamAssassin sometimes times out on network checks, but aren't
the rules in the local.cf file read anyway?

Thanks in advance for your help.

Simone.



RATWARE_MSGID (was: Re: EuroPharmacie)

2008-06-20 Thread Karsten Bräckelmann

 X-Spam-Checker-Version: SpamAssassin 3.x.x (2007-02-13) on mail.infodev.fr

Why is your SA version a state secret? Taking a guess -- based on the
build date, it is 3.1.8 (released exactly that day) or earlier. *shrug*

 X-Spam-Level: *
 X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
  MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
  URIBL_SBL autolearn=no version=3.x.x

As Duane and Evan already pointed out, a required_score 5.0 threshold is
the default, and would have classified this message as spam. (Dudes,
hint, he included the full headers. ;)

There's nothing wrong with being paranoid and raising this slightly if
you prefer. However, more spam sneaking through is to be expected, and
you either will have to write your own rules to counter it, or live with
more FNs. You raised that value deliberately.


 From: Les pilules ici [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Ne vous inquietez pas, EuroPharmacie fait tout pour vous
 Date: Fri, 20 Jun 2008 13:37:14 +0100
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
  boundary==_NextPart_000_0006_01C8D2DA.BFA4A100
 X-Mailer: Microsoft Office Outlook, Build 11.0.6353
 Thread-Index: Aca6QD7U3RN590OEV2WE4I10P15S8U==
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
 Message-ID: [EMAIL PROTECTED]
   
This is a spam alright. :)  This line alone tells me. See bug 5830. [1]

Here's an easy rule that triggers on about 10% spam with no FPs in
nightly mass-checks [2].  (The 2 ham hits are already verified to be a
dirty corpus and being removed from the ham corpus.)

Enjoy

  guenther


# Ratware generated 8$8$8 style Message-Ids, broken Microsoft Outlook forgery.
# The first hex is some time token, but the leading 4 chars are missing.  See
# HeaderEval.pm::check_outlook_message_id().

header __KB_MSGID_OUTLOOK_888  Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
header __KB_OUTLOOK_MUA        X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/

meta KB_RATWARE_MSGID  __KB_MSGID_OUTLOOK_888 && __KB_OUTLOOK_MUA

describe KB_RATWARE_MSGID  Ratware Message-Id
score    KB_RATWARE_MSGID  3.0


[1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5830
[2] http://ruleqa.spamassassin.org/20080620-r669824-n/KB_RATWARE_MSGID/detail

-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
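
An added Python example, not part of the message above and not SpamAssassin code: it evaluates the two sub-rules and the meta rule over a small constructed corpus, the way a mass-check counts spam and ham hits. It reads the Message-Id pattern as anchored on the opening `<` of the header value and the meta as the AND of both sub-rules; the sample messages and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Python translations of the two sub-rules (matched case-sensitively, as written).
MSGID_888 = re.compile(r"^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}@")
OUTLOOK_MUA = re.compile(r"^Microsoft (?:Office )?Outlook\b")
# Per the rule comment, the ratware ID lacks four leading hex characters, so
# the complete first token would be 12 hex characters long.
MSGID_12_8_8 = re.compile(r"^<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}@")


def _header(msg, name):
    """Return a header value with folding whitespace collapsed ('' if absent)."""
    return " ".join((msg.get(name) or "").split())


def evaluate(raw_message):
    """Return the hit status of both sub-rules and of the meta rule."""
    msg = message_from_string(raw_message)
    hits = {
        "__KB_MSGID_OUTLOOK_888": bool(MSGID_888.search(_header(msg, "Message-Id"))),
        "__KB_OUTLOOK_MUA": bool(OUTLOOK_MUA.search(_header(msg, "X-Mailer"))),
    }
    hits["KB_RATWARE_MSGID"] = all(hits.values())
    return hits


def mass_check(corpus):
    """Count KB_RATWARE_MSGID hits per label over (label, raw_message) pairs."""
    counts = {"spam": 0, "ham": 0}
    for label, raw in corpus:
        if evaluate(raw)["KB_RATWARE_MSGID"]:
            counts[label] += 1
    return counts


def _mail(msgid, mailer=None):
    """Build a minimal constructed message with the given headers."""
    lines = ["Message-ID: " + msgid]
    if mailer:
        lines.append("X-Mailer: " + mailer)
    return "\n".join(lines + ["Subject: constructed sample", "", "body", ""])


OUTLOOK = "Microsoft Office Outlook, Build 11.0.6353"

# Constructed samples; none is a real message.
RATWARE = _mail("<c8d2dabf$a4a10000$79a61579@example.invalid>", OUTLOOK)
FULL_LENGTH_ID = _mail("<000601c8d2da$bfa4a100$0a01a8c0@example.invalid>", OUTLOOK)
OTHER_MUA = _mail("<c8d2dabf$a4a10000$79a61579@example.invalid>", "ExampleMailer 1.0")
OTHER_SPAM = _mail("<20080620123714.12345@example.invalid>")

CORPUS = [
    ("spam", RATWARE),
    ("spam", OTHER_SPAM),      # spam the rule is not meant to catch
    ("ham", FULL_LENGTH_ID),   # 12$8$8 ID with an Outlook X-Mailer
    ("ham", OTHER_MUA),        # 8$8$8 ID, but no Outlook X-Mailer
]

if __name__ == "__main__":
    for label, raw in CORPUS:
        print(label, evaluate(raw))
    print(mass_check(CORPUS))
```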



RE: Rules in local.cf are not read?

2008-06-20 Thread Martin.Hepworth
Simone

This is more a mailscanner issue - try asking there..

The spamassassin is timing out. What RBL's are you running in spamassassin?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

 -Original Message-
 From: Simone Morandini [mailto:[EMAIL PROTECTED]
 Sent: 20 June 2008 15:37
 To: users@spamassassin.apache.org
 Subject: Rules in local.cf are not read?


 Hi all,

 I'm using MailScanner with SpamAssassin, and I'm using the
 Cache SpamAssassin Results = yes option.
 Since I've enabled this option, I'm seeing that some spam
 messages pass through, although the subject or body match one
 or more own-written rules in my local.cf file.
 If I look at the header of these messages, they have:

 X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
 timed out)

 If I save the message and try spamassassin -D < mymessage
 it is correctly detected as spam, also against the rules in
 local.cf file.
 I know that SpamAssassin sometimes times out on network
 checks, but aren't the rules in the local.cf file read anyway?

 Thanks in advance for your help.

 Simone.
 --
 View this message in context:
 http://www.nabble.com/Rules-in-local.cf-are-not-read--tp180309
 07p18030907.html
 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.









Re: Rules in local.cf are not read?

2008-06-20 Thread McDonald, Dan
On Fri, 2008-06-20 at 07:36 -0700, Simone Morandini wrote:

 X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, timed out)
 
 If I save the message and try spamassassin -D < mymessage it is correctly
 detected as spam, also against the rules in local.cf file.
 I know that SpamAssassin sometimes times out on network checks, but aren't
 the rules in the local.cf file read anyway?

Don't forget to restart mailscanner each time you change rules or run
sa-update.


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: prefork error

2008-06-20 Thread raulbe

So should the entry look like this?


confQUEUE_LA=1
confREFUSE_LA=1
confDELAY_LA =1





Matus UHLAR - fantomas wrote:
 
 On 19.06.08 13:54, raulbe wrote:
 where do I find these lines?
 
 confQUEUE_LA
 confREFUSE_LA
 confDELAY_LA 
 
 I looked in both the sendmail.cf file and the sendmail.mc file and didn't
 see them?
 
 you'll see them in cf.README(.gz) and you can add them to sendmail.mc
 -- 
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Saving Private Ryan...
 Private Ryan exists. Overwrite? (Y/N)
 
 




Re: prefork error

2008-06-20 Thread Matus UHLAR - fantomas
On 20.06.08 07:55, raulbe wrote:
 So should the entry look like this?
 
 
 confQUEUE_LA=1
 confREFUSE_LA=1
 confDELAY_LA =1

as you wish, I have those higher. My machine can handle load of 1.0 very
well and so I expect yours. I have those set to (3,5,unset).

instead of DELAY_LA I use 

FEATURE(`greet_pause', `1')dnl 10 seconds

which delays connections for 10 seconds (can be whitelisted in access DB).
I also use ident which delays them more for some firewalls on user machines
:)


 Matus UHLAR - fantomas wrote:
  
  On 19.06.08 13:54, raulbe wrote:
  where do I find these lines?
  
  confQUEUE_LA
  confREFUSE_LA
  confDELAY_LA 
  
  I looked in both the sendmail.cf file and the sendmail.mc file and didn't
  see them?
  
  you'll see them in cf.README(.gz) and you can add them to sendmail.mc

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: EMERGENCY RULE: porntube redirect

2008-06-20 Thread Karsten Bräckelmann

 I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran 
 spamassassin --lint and got:

That's the wrong way round, seriously. Do not restart SA after changes,
unless --lint comes out clean.

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: prefork error

2008-06-20 Thread raulbe

Thanks so much for the help


Now if I can figure out why I keep getting the bayes.lock error any clues?


 bayes: cannot open bayes databases /home/nuonce/spamassassin/bayes_* R/W:
lock failed: File exists
Jun 20 11:02:41 ws096 spamd[20261]: bayes: cannot open bayes databases
/home/nuonce/spamassassin/bayes_* R/W: lock failed: File exists
Jun 20 11:02:42 ws096 spamd[20262]: bayes: cannot open bayes databases
/home/nuonce/spamassassin/bayes_* R/W: lock failed: File exists
Jun 20 11:02:42 ws096 spamd[20260]: bayes: cannot open bayes databases
/home/nuonce/spamassassin/bayes_* R/W: lock failed: File exists
Jun 20 11:02:42 ws096 spamd[20259]: bayes: cannot open bayes databases
/home/nuonce/spamassassin/bayes_* R/W: lock failed: File exists




Matus UHLAR - fantomas wrote:
 
 On 20.06.08 07:55, raulbe wrote:
 So should the entry look like this?
 
 
 confQUEUE_LA=1
 confREFUSE_LA=1
 confDELAY_LA =1
 
 as you wish, I have those higher. My machine can handle load of 1.0 very
 well and so I expect yours. I have those set to (3,5,unset).
 
 instead of DELAY_LA I use 
 
 FEATURE(`greet_pause', `1')dnl 10 seconds
 
 which delays connections for 10 seconds (can be whitelisted in access DB).
 I also use ident which delays them more for some firewalls on user
 machines
 :)
 
 
 Matus UHLAR - fantomas wrote:
  
  On 19.06.08 13:54, raulbe wrote:
  where do I find these lines?
  
  confQUEUE_LA
  confREFUSE_LA
  confDELAY_LA 
  
  I looked in both the sendmail.cf file and the sendmail.mc file and didn't
  see them?
  
  you'll see them in cf.README(.gz) and you can add them to sendmail.mc
 
 -- 
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Eagles may soar, but weasels don't get sucked into jet engines. 
 
 

-- 
View this message in context: 
http://www.nabble.com/prefork-error-tp17989187p18031812.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: prefork error

2008-06-20 Thread Matus UHLAR - fantomas
On 20.06.08 08:18, raulbe wrote:
 Now if I can figure out why I keep getting the bayes.lock error any clues?

 Jun 20 11:02:41 ws096 spamd[20261]: bayes: cannot open bayes databases
 /home/nuonce/spamassassin/bayes_* R/W: lock failed: File exists

do you have autolearning turned on? what about journal?
(settings bayes_auto_learn and bayes_learn_to_journal).
the default settings (1 and 0) can cause such problems. Try turning on the
latter or off the former
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol. 


Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread John Hardin

On Fri, 20 Jun 2008, mouss wrote:


John Hardin wrote:

 On Thu, 2008-06-19 at 20:54 -0700, John Hardin wrote:

  header  XX Received =~ /from \S+\.svcolo\.com (\S+ \[10\.\d\.\d\.\d\]) 
  by arran\.svcolo\.com (/

  score  XX  -5

 Oops. Need some plusses in there...

 /from \S+\.svcolo\.com (\S+ \[10\.\d+\.\d+\.\d+\]) by arran\.svcolo\.com (/


What happens if such header was forged?


Then the message gets -5 points added to its score.

How likely is a header forged with that particular data going to be sent 
in a message to that particular SA host?


If that's a concern then add a rule to verify that the SA host received 
the message from the relay, use a meta to AND them, and score the meta 
rule at -5.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Efficiency can magnify good, but it magnifies evil just as well.
  So, we should not be surprised to find that modern electronic
  communication magnifies stupidity as *efficiently* as it magnifies
  intelligence.   -- Robert A. Matern
---
 14 days until the 232nd anniversary of the Declaration of Independence
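
The forged-header concern and the meta-rule fix discussed in this message, modelled in Python as an added example (not code from the thread or from SpamAssassin). The inner-hop pattern is the rule quoted above with its literal parentheses escaped; the outer-hop pattern, the choice to test it only against the topmost Received header, the function names and both sample messages are assumptions constructed here.

```python
import re
from email import message_from_string

# Rule quoted in the thread, with the literal parentheses escaped.
INNER_HOP = re.compile(
    r"from \S+\.svcolo\.com \(\S+ \[10\.\d+\.\d+\.\d+\]\) by arran\.svcolo\.com \(")
# Assumed second rule: the hop recorded by the SA host itself (relay -> SA host).
OUTER_HOP = re.compile(
    r"from arran\.svcolo\.com \(\S+ \[64\.13\.143\.17\]\) "
    r"by kininvie\.sv\.svcolo\.com \(")

def received_headers(raw):
    """Received headers, newest first, with folding whitespace collapsed."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def inner_hop_hit(raw):
    """The single rule from the thread: matches any Received header."""
    return any(INNER_HOP.search(h) for h in received_headers(raw))

def outer_hop_anywhere(raw):
    """Naive second rule: also matches any Received header, so it can be forged."""
    return any(OUTER_HOP.search(h) for h in received_headers(raw))

def outer_hop_hit(raw):
    """Second rule restricted to the topmost header, the only one our own MTA wrote."""
    hops = received_headers(raw)
    return bool(hops) and bool(OUTER_HOP.search(hops[0]))

def meta_score(raw, bonus=-5.0):
    """Meta rule: both hops must match before the -5 is applied."""
    return bonus if inner_hop_hit(raw) and outer_hop_hit(raw) else 0.0

# Constructed sample: mail from the private network, relayed through arran.
LEGIT = (
    "Received: from arran.svcolo.com (arran.sc.svcolo.com [64.13.143.17])\n"
    "\tby kininvie.sv.svcolo.com (8.14.1/8.14.1) with ESMTP id CONSTRUCTED1;\n"
    "\tThu, 19 Jun 2008 19:50:03 -0700 (PDT)\n"
    "Received: from probe1.svcolo.com (probe1.sc.svcolo.com [10.1.2.3])\n"
    "\tby arran.svcolo.com (8.14.1/8.14.1) with ESMTP id CONSTRUCTED0;\n"
    "\tThu, 19 Jun 2008 19:50:01 -0700 (PDT)\n"
    "Subject: constructed monitoring alert\n\nbody\n"
)

# Constructed sample: delivered directly by an outside host (192.0.2.55 is a
# documentation address); the two lower Received headers were supplied by the sender.
FORGED = (
    "Received: from mail.example.net (mail.example.net [192.0.2.55])\n"
    "\tby kininvie.sv.svcolo.com (8.14.1/8.14.1) with ESMTP id CONSTRUCTED2;\n"
    "\tThu, 19 Jun 2008 20:10:00 -0700 (PDT)\n"
    "Received: from arran.svcolo.com (arran.sc.svcolo.com [64.13.143.17])\n"
    "\tby kininvie.sv.svcolo.com (8.14.1/8.14.1) with ESMTP id CONSTRUCTED3;\n"
    "\tThu, 19 Jun 2008 20:09:58 -0700 (PDT)\n"
    "Received: from probe1.svcolo.com (probe1.sc.svcolo.com [10.1.2.3])\n"
    "\tby arran.svcolo.com (8.14.1/8.14.1) with ESMTP id CONSTRUCTED4;\n"
    "\tThu, 19 Jun 2008 20:09:55 -0700 (PDT)\n"
    "Subject: constructed message with copied headers\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED)):
        print(name, inner_hop_hit(raw), outer_hop_anywhere(raw),
              outer_hop_hit(raw), meta_score(raw))
```
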


Re: EuroPharmacie

2008-06-20 Thread John Hardin

On Fri, 20 Jun 2008, phil89 wrote:


We receive some mails with EuroPharmacie
How could I avoid these
SCORE is only 5.9

X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50


Train them as spam. That should get a BAYES_99 if it's very common.

Why have you changed your required from 5.0 to 6.2? All of the stock rules 
are tuned for 5.0, increasing the required score will increase your FN 
rate.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Efficiency can magnify good, but it magnifies evil just as well.
  So, we should not be surprised to find that modern electronic
  communication magnifies stupidity as *efficiently* as it magnifies
  intelligence.   -- Robert A. Matern
---
 14 days until the 232nd anniversary of the Declaration of Independence


Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Jo Rhett

On Jun 19, 2008, at 9:12 PM, Matt Kettler wrote:
That is correct, SPF checks are applied to the first untrusted host.  
The question here would be if 10.x.x.x is in fact an internal, and  
presumably trusted, network, why isn't it trusted?


The mail server I'm receiving this on is in the outside world.  If a  
10.x address connects to it, I don't want that address to be trusted  
for any reason.  Only 10.x addresses that came via a trusted host ;-)


Also, presuming we're talking about your own domain, why aren't you  
using split DNS and declaring 10.x.x.x as a valid source in your  
internal SPF record (but not the one you expose to the outside world)


Split DNS only applies if the mail is on the inside which it isn't.

There actually isn't an inside network at all, except for this one  
non-routed private network used for monitoring physical gear.  It does  
not route to the outside world, with the exception of mail relay.


Obviously, putting 10/8 into the published SPF record makes no  
sense at all, nor does adding 10/8 to the trusted_networks.


Why do neither of those options make sense? I do both in my network,  
albeit that version SPF is only in my internal view, and I actually  
use 10.xx.0.0/16 not 10/8. (I only use a /16, not the whole /8)


No internal view, no internal DNS.  Putting 10/8 into external DNS is  
nonsense ;-)


Is there some detail that's missing here? ie: do you have a  
compelling reason to not trust your internal hosts using 10/8?


Those internal hosts cannot connect to the mail server directly.  Any  
10.x address that does connect to the mailserver is guaranteed to be a  
spammer.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Jo Rhett

On Fri, Jun 20, 2008 at 12:12:45AM -0400, Matt Kettler wrote:

That is correct, SPF checks are applied to the first untrusted host





Henrik K wrote:

Matt, you should know better. ;) It's first _external_ host.


On Jun 20, 2008, at 3:54 AM, Matt Kettler wrote:

Doh.. my bad.



Huh?  How are you defining external in this context?  What prevents
me from trusting an external host?


I don't actually have any internal hosts -- no NAT, no firewall,  
it's all outside.  There's hosts I trust, but none that aren't external.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 05:37, Jo Rhett wrote:
 I'm trying to figure out how to stop SPF_FAIL on messages generated on
 an internal rfc1918 network and routed through a trusted host.

netconsonance.com. IN TXT v=spf1 ip4:64.13.134.178 ip4:64.13.143.17
ip4:209.157.140.144 mx ~all

not you ?

 Received:from arran.svcolo.com (arran.sc.svcolo.com
 [64.13.143.17]) by kininvie.sv.svcolo.com (8.14.1/8.14.1) with ESMTP
 id m5K2o3it016795 for [EMAIL PROTECTED]; Thu, 19 Jun 2008
 19:50:03 -0700 (PDT) (envelope-from [EMAIL PROTECTED])



Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Henrik K
On Fri, Jun 20, 2008 at 10:28:25AM -0700, Jo Rhett wrote:
 On Fri, Jun 20, 2008 at 12:12:45AM -0400, Matt Kettler wrote:
 That is correct, SPF checks are applied to the first untrusted host


 Henrik K wrote:
 Matt, you should know better. ;) It's first _external_ host.

 On Jun 20, 2008, at 3:54 AM, Matt Kettler wrote:
 Doh.. my bad.


 Huh?  How are you defining external in this context?  What prevents me
 from trusting an external host?

Nothing prevents you from trusting external hosts, you should do it as
necessary.

Here we go again..

internal_networks = internal/external
trusted_networks = trusted/untrusted

Both define borders which things are checked against. Internal is your
MX-border, against which SPF and RBL checks are made (all internal must be
in trusted also). Trusted can expand further to prevent RBL checks against
trusted hosts and allows kind of whitelisting with ALL_TRUSTED rule.

http://wiki.apache.org/spamassassin/TrustPath

PS. https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856



Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Jo Rhett

On Fredag, 20/6 2008, 05:37, Jo Rhett wrote:
I'm trying to figure out how to stop SPF_FAIL on messages generated on
an internal rfc1918 network and routed through a trusted host.



On Jun 20, 2008, at 10:37 AM, Benny Pedersen wrote:

netconsonance.com. IN TXT v=spf1 ip4:64.13.134.178 ip4:64.13.143.17
ip4:209.157.140.144 mx ~all

not you ?



Nope ;-)

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Spamassassin doesn't learn / debug outputs

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 09:58, heinztomato wrote:

 First: The dump-data:

that's ok

 now with the link-parameter:
[1679] dbg: util: PATH included '/home/ole/bin', which doesn't exist,
 dropping
 [1679] dbg: util: PATH included '/home/ole/perl5/bin', which doesn't
 exist, dropping

problems above

 [1679] dbg: diag: module not installed: Net::Ident ('require' failed)
 [1679] dbg: diag: module not installed: IO::Socket::INET6 ('require'
 failed)

install

 [1679] dbg: diag: module not installed: Mail::SPF::Query ('require'
 failed)
 [1679] dbg: diag: module not installed: IP::Country::Fast ('require'
 failed)

install

 [1679] dbg: config: read file /home/ole/.spamassassin/user_prefs

spamassassin runs entirely in your shell ?

 [1679] warn: config: failed to parse line, skipping: SpamAssassin config
 file for version 3.x

old config somewhere

 [1679] warn: config: failed to parse line, skipping: use_dcc 1

search for use_dcc in your config

and see perldoc Mail::SpamAssassin::Plugin::DCC on how to make config for dcc

if you want to test for dcc make sure its configured

else remove use_dcc, it's a plugin now

 [1679] warn: config: failed to parse, now a plugin, skipping: ok_languages
 all

that is a missing plugin in a pre file

 the first command did not work. /tmp/msg is non-existing.

that was intended you to put testing msg there


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Jo Rhett

On Jun 20, 2008, at 10:44 AM, Henrik K wrote:

On Fri, Jun 20, 2008 at 10:28:25AM -0700, Jo Rhett wrote:

On Fri, Jun 20, 2008 at 12:12:45AM -0400, Matt Kettler wrote:
That is correct, SPF checks are applied to the first untrusted host



Henrik K wrote:

Matt, you should know better. ;) It's first _external_ host.


On Jun 20, 2008, at 3:54 AM, Matt Kettler wrote:

Doh.. my bad.



Huh?  How are you defining external in this context?  What prevents me
from trusting an external host?


Nothing prevents you from trusting external hosts, you should do it as
necessary.

Here we go again..

internal_networks = internal/external
trusted_networks = trusted/untrusted

Both define borders which things are checked against. Internal is your
MX-border, against which SPF and RBL checks are made (all internal must be
in trusted also). Trusted can expand further to prevent RBL checks against
trusted hosts and allows kind of whitelisting with ALL_TRUSTED rule.



Okay, so my understanding is correct.  So why did you correct Matt?   
He said first untrusted host.  You said first external host.  If  
internal hosts must all be trusted, and some external hosts may be  
trusted, then the SPF check would be applied to the first untrusted  
host, not the first external host.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 10:04, Henrik K wrote:
 On Fri, Jun 20, 2008 at 12:12:45AM -0400, Matt Kettler wrote:
 That is correct, SPF checks are applied to the first untrusted host.
 Matt, you should know better. ;) It's first _external_ host.

and is most of the time also first untrusted ? :)

both is imho correct


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



trusted_host breaks pretty much every form of whitelist

2008-06-20 Thread Jo Rhett

I just realized something re: the previous message about SPF failure.

trusted_hosts is also apparently blocking whitelist_from_rcvd from  
working.


This is getting out of control.  I understand the original intent  
here, but basically what is happening is that by making a host  
trusted you are basically saying to ignore


SPF
whitelist_from_*
etc...

Everything that says any message from this host is good is  
compromised/broken.


Honestly, I think we need two separate forms here:

trusted_relays should be what trusted_hosts is today.  We trust that  
this host won't add false headers to the e-mail.  If you read the  
description of trusted hosts, that's clearly what the rule is meant to  
do.


trusted_hosts should mean no, we really truly trust this host and  
want everything it gives us


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Jo Rhett

On Jun 19, 2008, at 9:21 PM, John Hardin wrote:
/from \S+\.svcolo\.com (\S+ \[10\.\d+\.\d+\.\d+\]) by arran\.svcolo\.com (/



You actually need some backslashes too, but I figured it out.  Thanks.

See my other note about trusted_hosts breaking all forms of  
whitelisting, FYI.  This kind of hackery (although appreciate the  
help) is kind of nonsense :-(


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Spamassassin doesn't learn / debug outputs

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 12:09, heinztomato wrote:

 Well. Three senders of that bad domain made it into the users'
 (auto)whitelist.

well awl is for scoring forged emails to positive

and non forged senders to negative

and in all that try to compensate it all to not being that will scores based
on awl_factor in the plugin

awl_factor 0 gives sender none benefit on forges
awl_factor 1 gives sender full benefit on forges

default is 0.5

 I'm not quite sure why. But now I just remove those hoping they won't appear
 there again.

i can assure your work in this area is waste :-)


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: need a regular expression to create

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 15:26, vodamailshiva wrote:

 please help me..

just don't whitelist gmail mails at all

need more help ?, post the spammail on pastebin and give a link here


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: need a regular expression to create

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 15:39, McDonald, Dan wrote:

 I think he said it was in the content, not the envelope.

nice rules, but try freemail plugin :-)


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: EuroPharmacie

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 15:51, phil89 wrote:

 X-Spam-Status: No, score=5.9 required=6.2 tests=BAYES_50,HTML_MESSAGE,
 MR_NOT_ATTRIBUTED_IP,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,RCVD_IN_SORBS_DUL,
 URIBL_SBL autolearn=no version=3.x.x

i would set scores required to 5.8

and begin train bayes


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: EuroPharmacie

2008-06-20 Thread Evan Platt

Benny Pedersen wrote:

i would set scores required to 5.8
and begin train bayes
  


What's wrong with the default of 5?


Re: prefork error

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 16:55, raulbe wrote:
 So should the entry look like this?
 confQUEUE_LA=1
 confREFUSE_LA=1

this is based on load average

 confDELAY_LA =1

this is based on delay seconds (keep this little more than your scan time per
mail)

with 1 you scan every email/spam in just one sec, and sendmail accept new spam
in that time


see the page i linked to in the first place :/


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: prefork error

2008-06-20 Thread raulbe

What I did was turn off auto_learn and that cleared up the error. So would
doing this would it affect how bayes works or?

Also doing the editing in 

confQUEUE_LA
confREFUSE_LA
confDELAY_LA 

totally cleared up the prefork: server reached --max-children setting,
consider raising it  error I was getting.

So all that's left is this error 

spamd[29330]: prefork: child states: BIBI


any ideas to clear that one up?

Thanks for the help.



Matus UHLAR - fantomas wrote:
 
 On 20.06.08 08:18, raulbe wrote:
 Now if I can figure out why I keep getting the bayes.lock error any
 clues?
 
 Jun 20 11:02:41 ws096 spamd[20261]: bayes: cannot open bayes databases
 /home/nuonce/spamassassin/bayes_* R/W: lock failed: File exists
 
 do you have autolearning turned on? what about journal?
 (settings bayes_auto_learn and bayes_learn_to_journal).
 the default settings (1 and 0) can cause such problems. Try turning on the
 latter or off the former
 -- 
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 I drive way too fast to worry about cholesterol. 
 
 

-- 
View this message in context: 
http://www.nabble.com/prefork-error-tp17989187p18035422.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread John Hardin

On Fri, 20 Jun 2008, Jo Rhett wrote:


On Jun 19, 2008, at 9:21 PM, John Hardin wrote:

/from \S+\.svcolo\.com (\S+ \[10\.\d+\.\d+\.\d+\]) by arran\.svcolo\.com (/


You actually need some backslashes too, but I figured it out.  Thanks.


D'oh!

See my other note about trusted_hosts breaking all forms of 
whitelisting, FYI.  This kind of hackery (although appreciate the help) 
is kind of nonsense :-(


Yeah. Trust and Internal properly set up and working is, of course, the 
optimal solution. Just wanted to point out it's not the _only_ solution.


Also:


On Jun 19, 2008, at 9:12 PM, Matt Kettler wrote:

That is correct, SPF checks are applied to the first untrusted host. The
question here would be if 10.x.x.x is in fact an internal, and presumably
trusted, network, why isn't it trusted?


The mail server I'm receiving this on is in the outside world. If a 10.x 
address connects to it, I don't want that address to be trusted for any 
reason.  Only 10.x addresses that came via a trusted host ;-)


10.x is (supposedly) not routable on the public internet. If you see 10.x 
(or other RFC-1918) traffic coming in from the world, your ISP is broken.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Perfect Security is unattainable; beware those who would try to sell
  it to you, regardless of the cost, for they are trying to sell you
  your own slavery.
---
 14 days until the 232nd anniversary of the Declaration of Independence


Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Jo Rhett

On Jun 20, 2008, at 11:49 AM, John Hardin wrote:
10.x is (supposedly) not routable on the public internet. If you see  
10.x (or other RFC-1918) traffic coming in from the world, your ISP  
is broken.



You don't run packet sniffers on your hosts much, do you? ;-)

Does your ISP filter egress packets on your interface?  No, neither  
does mine ;-)  (and in this case I control the border routing so I  
know it for sure)


Most competent ISPs will filter customer interfaces to prevent bogons,  
and some will filter public peering ports for bogons, but even with  
both of those a surprising number of 10.x packets make their way to  
our hosts.


belt-and-suspenders: Even if it's unlikely for a 10.x packet to reach  
the host, why should I trust it?


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 19:59, Jo Rhett wrote:

 netconsonance.com. IN TXT v=spf1 ip4:64.13.134.178 ip4:64.13.143.17
 ip4:209.157.140.144 mx ~all
 not you ?
 Nope ;-)

added .17 to the domain you are sending from, but its not you so not your
problem :)


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Henrik K
On Fri, Jun 20, 2008 at 11:01:40AM -0700, Jo Rhett wrote:
 On Jun 20, 2008, at 10:44 AM, Henrik K wrote:
 On Fri, Jun 20, 2008 at 10:28:25AM -0700, Jo Rhett wrote:
 On Fri, Jun 20, 2008 at 12:12:45AM -0400, Matt Kettler wrote:
 That is correct, SPF checks are applied to the first untrusted  
 host

 Henrik K wrote:
 Matt, you should know better. ;) It's first _external_ host.

 On Jun 20, 2008, at 3:54 AM, Matt Kettler wrote:
 Doh.. my bad.


 Huh?  How are you defining external in this context?  What prevents me
 from trusting an external host?

 Nothing prevents you from trusting external hosts, you should do it as
 necessary.

 Here we go again..

 internal_networks = internal/external
 trusted_networks = trusted/untrusted

 Both define borders which things are checked against. Internal is your
 MX-border, against which SPF and RBL checks are made (all internal  
 must be
 in trusted also). Trusted can expand further to prevent RBL checks  
 against
 trusted hosts and allows kind of whitelisting with ALL_TRUSTED rule.


 Okay, so my understanding is correct.  So why did you correct Matt?  He 
 said first untrusted host.  You said first external host.  If internal 
 hosts must all be trusted, and some external hosts may be trusted, then 
 the SPF check would be applied to the first untrusted host, not the first 
 external host.

I corrected Matt because when newbies read such claims, they don't learn to
separate the meanings. Also your comment makes no sense given what I said
already.

As the code says:

  # dos: first external relay, not first untrusted
  return $scanner->{relays_external}->[0];

SPF will be checked for first external (non internal_networks) host. Period.

This doesn't have anything to do with your case specifically, I'm just
explaining how things work.
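
A simplified model of the boundary logic described in this message, added here as an illustration and not SpamAssassin's own code. It assumes a relay stays internal or trusted only while every newer hop was too, ignores authenticated relays and the defaults used when an option is unset, and uses hypothetical function names and a constructed relay list.

```python
import ipaddress

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def _member(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def split_relays(relays, internal_networks, trusted_networks):
    """Split relays (newest first) at the internal and trusted borders.

    relays: list of (name, ip) for the hosts that handed the message on,
    starting with the one that connected to the scanning host.
    """
    internal, trusted = _nets(internal_networks), _nets(trusted_networks)
    # "all internal must be in trusted also"
    for n in internal:
        if not any(n.subnet_of(t) for t in trusted):
            raise ValueError(f"{n} is internal but not trusted")
    out = {"internal": [], "external": [], "trusted": [], "untrusted": []}
    still_internal = still_trusted = True
    for name, ip in relays:
        # Once a border has been crossed, everything older is outside it.
        still_trusted = still_trusted and _member(ip, trusted)
        still_internal = still_internal and _member(ip, internal)
        out["trusted" if still_trusted else "untrusted"].append((name, ip))
        out["internal" if still_internal else "external"].append((name, ip))
    return out

def spf_relay(relays, internal_networks, trusted_networks):
    """Relay whose address SPF is evaluated against: the first external one."""
    external = split_relays(relays, internal_networks, trusted_networks)["external"]
    return external[0] if external else None

# Constructed path: a private-network host relays through arran to the MX.
RELAYS = [("arran.svcolo.com", "64.13.143.17"),
          ("probe1.svcolo.com", "10.1.2.3")]
ARRAN = ["64.13.143.17"]
ARRAN_AND_10 = ["64.13.143.17", "10.0.0.0/8"]

if __name__ == "__main__":
    # Relay is internal: SPF lands on the 10.x origin.
    print(spf_relay(RELAYS, ARRAN, ARRAN))
    # Relay is trusted but not internal: first external differs from first untrusted.
    print(spf_relay(RELAYS, [], ARRAN), split_relays(RELAYS, [], ARRAN)["untrusted"][0])
    # Everything internal: no external relay, so no SPF lookup.
    print(spf_relay(RELAYS, ARRAN_AND_10, ARRAN_AND_10))
    # Same setting, but a 10.x address connecting directly is also treated as internal.
    print(spf_relay([("unknown", "10.9.9.9")], ARRAN_AND_10, ARRAN_AND_10))
```
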



Re: trusted_host breaks pretty much every form of whitelist

2008-06-20 Thread Henrik K
On Fri, Jun 20, 2008 at 11:08:01AM -0700, Jo Rhett wrote:
 I just realized something re: the previous message about SPF failure.

 trusted_hosts is also apparently blocking whitelist_from_rcvd from  
 working.

 This is getting out of control.  I understand the original intent here, 
 but basically what is happening is that by making a host trusted you 
 are basically saying to ignore

 SPF
 whitelist_from_*
 etc...

 Everything that says any message from this host is good is  
 compromised/broken.

 Honestly, I think we need two separate forms here:

 trusted_relays should be what trusted_hosts is today.  We trust that  
 this host won't add false headers to the e-mail.  If you read the  
 description of trusted hosts, that's clearly what the rule is meant to  
 do.

 trusted_hosts should mean no, we really truly trust this host and want 
 everything it gives us

And here we go again..

whitelist_from_rcvd is checked on external (internal_networks) border.

If you set up internal and trusted right, there are no problems.



Re: EuroPharmacie

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 20:49, Evan Platt wrote:

 What's wrong with the default of 5?

nothing :)

if bayes was better trained


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: Moving ham/spam from Exchange folders to sa-learn?

2008-06-20 Thread Henry Kwan
James Wilkinson sa-user at aprilcottage.co.uk writes:

 Henry Kwan wrote:
 
  Thanks for the script but I don't think I can use it as Exchange2K7
  has dropped IMAP support for public folders.  Or least this blog post
  from MSFT seems to indicate:
 
  http://msexchangeteam.com/archive/2006/02/20/419994.aspx
 
 I don't have any Exchange 2007 experience, but at least on 2003 public
 folder and normal mailbox into which everyone can copy e-mail and to
 which no-one can send e-mail are two separate concepts. And you can use
 IMAP to read the contents of the latter.

I still can't figure out if public folders under Exchange2K7 can be IMAP-enabled
but in the meanwhile, I have been fiddling with the script that Martin posted.

I ended up creating a mailbox where I could move all the spam/ham into from the
public folders.  Then I would run the script from the SA machine to grab the
spam/ham.  The script dies on me after it grabs the spam (but not the ham):

system /usr/local/bin/sa-learn --spam --showdots --dir /root/spam/ > /dev/null
2>&1 failed: 32512 at ./grabmail.pl line 180.

I then manually run sa-learn and it seem to succeed:

[boxen]# sa-learn --spam --progress --dir /root/spam/
100%
[===]
 12.58 msgs/sec 00m07s DONE
Learned tokens from 96 message(s) (97 message(s) examined)

Not quite automated but I could live with this since I probably will only run it
once a week.

Thanks.




Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Benny Pedersen

On Fredag, 20/6 2008, 20:49, John Hardin wrote:

 10.x is (supposedly) not routable on the public internet. If you see 10.x
 (or other RFC-1918) traffic coming in from the world, your ISP is broken.

pppoe, but firewall it to be sure, rule is never accept connections from non
routable ips from outside, that also explains confusing for spamassassin

lets have ipv6 :)


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Henrik K
On Fri, Jun 20, 2008 at 11:57:38AM -0700, Jo Rhett wrote:
 On Jun 20, 2008, at 11:49 AM, John Hardin wrote:
 10.x is (supposedly) not routable on the public internet. If you see  
 10.x (or other RFC-1918) traffic coming in from the world, your ISP is 
 broken.


 You don't run packet sniffers on your hosts much, do you? ;-)

 Does your ISP filter egress packets on your interface?  No, neither does 
 mine ;-)  (and in this case I control the border routing so I know it for 
 sure)

 Most competent ISPs will filter customer interfaces to prevent bogons,  
 and some will filter public peering ports for bogons, but even with both 
 of those a surprising number of 10.x packets make their way to our hosts.

 belt-and-suspenders: Even if it's unlikely for a 10.x packet to reach  
 the host, why should I trust it?

Jo, you are unbelievable in a funny way.

You always come up with dozens of posts seemingly with the attitude I must
be right. You don't configure things like they should be, and then complain
that things don't work. Just set up the friggin networks right and let's
continue normal life. If you need help, post your detailed setup so we don't
need to guess.

:-) etc



Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Jo Rhett

On Jun 20, 2008, at 12:23 PM, Henrik K wrote:

Jo, you are unbelievable in a funny way.

You always come up with dozens of posts seemingly with the attitude I must
be right. You don't configure things like they should be, and then complain
that things don't work. Just set up the friggin networks right and let's
continue normal life. If you need help, post your detailed setup so we don't
need to guess.

:-) etc


I'm really not sure what you are saying here, and it's very hard not  
to read this offensively.  I certainly have never said I must be  
right in any form whatsoever, and I certainly don't think it.


I also don't have the vaguest clue what you mean by suggesting that I  
don't configure things like they should be -- most of my  
configurations are very plain and generic.  And exactly as they should  
be, per the documentation.


The only things I can think you might have a problem with:

1. Not trusting that 10.x packets can't reach my host
   * I always do belt-suspenders, and assume that an outside layer of  
protection might fail


2. Not routing internal networks that don't need internet access  
directly to an outside host

   * Um... why should I?  Minimal requirement, minimal risk...

How exactly are these things not the way they should be?

If you mean something else, please explain.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Henrik K
On Fri, Jun 20, 2008 at 12:31:06PM -0700, Jo Rhett wrote:
 On Jun 20, 2008, at 12:23 PM, Henrik K wrote:
 Jo, you are unbelievable in a funny way.

 You always come up with dozens of posts seemingly with the attitude I 
 must
 be right. You don't configure things like they should be, and then  
 complain
 that things don't work. Just set up the friggin networks right and  
 let's
 continue normal life. If you need help, post your detailed setup so we 
 don't
 need to guess.

 :-) etc

 I'm really not sure what you are saying here, and it's very hard not to 
 read this offensively.  I certainly have never said I must be right in 
 any form whatsoever, and I certainly don't think it.

Don't take it personally. I just have the impression that threads started by
you tend to get very long.. it might just be because we don't come through
clear enough for you. Do notice the smiley.

 I also don't have the vaguest clue what you mean by suggesting that I  
 don't configure things like they should be -- most of my  
 configurations are very plain and generic.  And exactly as they should  
 be, per the documentation.

 The only things I can think you might have a problem with:

 1. Not trusting that 10.x packets can't reach my host
* I always do belt-suspenders, and assume that an outside layer of  
 protection might fail

 2. Not routing internal networks that don't need internet access  
 directly to an outside host
* Um... why should I?  Minimal requirement, minimal risk...

 How exactly are these things not the way they should be?

What comes to your first post info, it would seem to me that you need:

internal_networks hostA hostB hostC

You _need_ to have everything internal, so there will be no SPF lookups.
Your fear of IP spoofers makes no sense to me, how do you think someone
could accomplish that? Just put the 10.something there.



Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Jo Rhett

On Jun 20, 2008, at 12:44 PM, Henrik K wrote:
You _need_ to have everything internal, so there will be no SPF  
lookups.
Your fear of IP spoofers makes no sense to me, how do you think  
someone

could accomplish that? Just put the 10.something there.


You could have said that a lot easier ;-)

Unfortunately our hosts are public in a big datacenter, and on the  
honeypot machines in the same network I see lots of packets and even  
well designed (blind) TCP sessions from 10.x hosts.  It just doesn't  
make sense to trust anything received from a 10.x host.


Especially because my 10.x hosts can't talk to this machine.  It would  
be one thing if I could say trust 10.x hosts that relay via  
these-other-hosts but I can't :-(   Since the trust list is single layer,  
adding 10.x means trusting random-source packets.


I'd rather use the meta rule I created looking for the relay hosts.   
10.x blind TCP streams are uncommon, but someone guessing the exact IP  
ranges and hosts involved much less so.  (I modified the rule quite  
extensively to limit only the hosts which send mail)


So I can understand why you might feel that I'm being overly cautious,  
but I'm not sure how you would think I'm doing it wrong?


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: trusted_host breaks pretty much every form of whitelist

2008-06-20 Thread Jo Rhett

On Jun 20, 2008, at 12:10 PM, Henrik K wrote:

whitelist_from_rcvd is checked on external (internal_networks) border.
If you set up internal and trusted right, there are no problems.



Why not allow me to say I trust everything from this host no matter  
what?


I could possibly set internal_networks to be less than trusted  
hosts... that would likely fix it.  But before I go configure it all  
wrong tell me why this would be bad.


(no MX relays in our environment at all)

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Channel ordering?

2008-06-20 Thread Kris Deugau
Is it possible to determine the order channel-originated rulesets will 
be loaded in?  Or *cause* a specific channel's rules to be loaded after 
another?


I'm looking at creating several local channels for distributing local 
rules across the collection of mismatched servers doing spam filtering 
in several different ways (a general channel suitable for all systems; 
several per-system or per-cluster channels with a few specific settings 
peculiar to that system/cluster).


One component of the general rules are score adjustments to some stock 
rules and a few channel rulesets - thus the problem;  my local channel 
must be loaded *after* pretty much everything else (eg, treated as if it 
were in the site config dir).


-kgd


Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread Henrik K
On Fri, Jun 20, 2008 at 12:58:55PM -0700, Jo Rhett wrote:
 On Jun 20, 2008, at 12:44 PM, Henrik K wrote:
 You _need_ to have everything internal, so there will be no SPF  
 lookups.
 Your fear of IP spoofers makes no sense to me, how do you think  
 someone
 could accomplish that? Just put the 10.something there.

 You could have said that a lot easier ;-)

I try not to spoon-feed people, I get to the point and give facts that
should be enough to solve things.

There has been a lot of talk already about internal/trusted/borders, and it
should be quite clear what you need to do to accomplish what you asked.

 Unfortunately our hosts are public in a big datacenter, and on the  
 honeypot machines in the same network I see lots of packets and even  
 well designed (blind) TCP sessions from 10.x hosts.  It just doesn't  
 make sense to trust anything received from a 10.x host.

 Especially because my 10.x hosts can't talk to this machine.  It would  
 be one thing if I could say trust 10.x hosts that relay via these- 
 other-hosts but I can't :-(   Since the trust list is single layer,  
 adding 10.x means trusting random-source packets.

 I'd rather use the meta rule I created looking for the relay hosts.   
 10.x blind TCP streams are uncommon, but someone guessing the exact IP  
 ranges and hosts involved much less so.  (I modified the rule quite  
 extensively to limit only the hosts which send mail)

 So I can understand why you might feel that I'm being overly cautious,  
 but I'm not sure how you would think I'm doing it wrong?

Well, even if you are doing things right, unfortunately it won't work
with SA. You know the documented and supported way, which works fine for 99%
of people.

It should be no problem to limit hostB to accept mail only from hostA in
10.x. If you want to be sure, use TLS certificates to identify your servers
or something similar. This doesn't have anything to do with SA anymore.
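
Added example (not from any poster in this thread, and not SpamAssassin's own code): a simplified Python model of the trust walk being argued about above, showing which relay a sender check such as SPF would be applied to under three trust lists. Host names, addresses and the single combined trust list are assumptions, and the sample Received headers are constructed.

```python
import ipaddress
import re

# "from <helo> (<rdns> [<ip>]) by <host>": the usual Received header shape.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)"
)
UNPARSED = "unparseable"


def first_untrusted_relay(received_headers, trusted_networks):
    """Walk Received headers newest-first; return the first relay IP outside the trust list.

    Headers below that relay were written by a host we do not trust, so they
    are never consulted. None means every hop was trusted: the message is
    treated as internal and no sender check is run against any relay.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for header in received_headers:
        m = RECEIVED_RE.search(header)
        if m is None:
            return UNPARSED  # cannot identify this hop, so stop trusting here
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            return UNPARSED
        if not any(ip in net for net in nets):
            return str(ip)
    return None


# Constructed sample data. Assumed layout: 10.x senders submit to
# relay.example.net (192.0.2.10), which hands mail to the scanner mx.example.net.
LEGIT = [
    "from relay.example.net (relay.example.net [192.0.2.10]) by mx.example.net with ESMTP id A1",
    "from app1.example.net (app1.example.net [10.1.2.3]) by relay.example.net with ESMTP id B2",
]
# Outside sender whose message carries a made-up internal hop below the real one.
FORGED_HEADER = [
    "from mail.example.org (unknown [198.51.100.7]) by mx.example.net with ESMTP id C3",
    "from app1.example.net (app1.example.net [10.1.2.3]) by relay.example.net with ESMTP id D4",
]
# What the scanner itself records when a connection shows a 10.x source address.
DIRECT_10X = [
    "from app9.example.net (unknown [10.9.9.9]) by mx.example.net with ESMTP id E5",
]

CONFIGS = {
    "relay only": ["192.0.2.10"],
    "relay + all of 10/8": ["192.0.2.10", "10.0.0.0/8"],
    "relay + known senders": ["192.0.2.10", "10.1.2.3"],
}


def evaluate():
    """Return {(config, message): first untrusted relay or None} for every pairing."""
    msgs = {"legit": LEGIT, "forged_header": FORGED_HEADER, "direct_10x": DIRECT_10X}
    return {
        (cfg, name): first_untrusted_relay(headers, nets)
        for cfg, nets in CONFIGS.items()
        for name, headers in msgs.items()
    }


if __name__ == "__main__":
    for (cfg, name), border in evaluate().items():
        print(f"{cfg:22} {name:14} -> {border or 'all trusted (no SPF lookup)'}")
```

Listing the known senders keeps the legitimate chain internal without trusting every 10.x source, but a connection that shows 10.1.2.3 itself would still be trusted, which is why the reply above points to restricting who may connect at the MTA or with TLS certificates.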



Re: trusted_host breaks pretty much every form of whitelist

2008-06-20 Thread Henrik K
On Fri, Jun 20, 2008 at 01:01:53PM -0700, Jo Rhett wrote:
 On Jun 20, 2008, at 12:10 PM, Henrik K wrote:
 whitelist_from_rcvd is checked on external (internal_networks) border.
 If you set up internal and trusted right, there are no problems.


 Why not allow me to say I trust everything from this host no matter  
 what?

 I could possibly set internal_networks to be less than trusted hosts... 
 that would likely fix it.  But before I go configure it all wrong tell 
 me why this would be bad.

 (no MX relays in our environment at all)

I don't really have a vision of your setup, so it's hard to answer.

There are many ways to trust everything from a host. Beginning with not
calling SA at all for such hosts.

You should know by now what SA network settings do. I don't know how complex
your setup really is for them not to work.



Re: prefork error

2008-06-20 Thread raulbe

Couple new errors now :(

 config: cannot write to /var/spool/uucp/.spamassassin/user_prefs: No such
file or directory


 spamd[19476]: spamd: processing message [EMAIL PROTECTED]
for uucp:10







Matus UHLAR - fantomas wrote:
 
 On 20.06.08 08:18, raulbe wrote:
 Now if I can figure out why I keep getting the bayes.lock error any
 clues?
 
 Jun 20 11:02:41 ws096 spamd[20261]: bayes: cannot open bayes databases
 /home/nuonce/spamassassin/bayes_* R/W: lock failed: File exists
 
 do you have autolearning turned on? what about journal?
 (settings bayes_auto_learn and bayes_learn_to_journal).
 the default settings (1 and 0) can cause such problems. Try turning on the
 latter or off the former
 -- 
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 I drive way too fast to worry about cholesterol. 
 
 

-- 
View this message in context: 
http://www.nabble.com/prefork-error-tp17989187p18036734.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: prefork error

2008-06-20 Thread Kris Deugau

raulbe wrote:

What I did was turn off auto_learn and that cleared up the error. So would
doing this would it affect how bayes works or?


Well, yes.  All Bayes training will now have to be done manually.

What's usually a slightly better idea for a global Bayes database is to 
set these Bayes options:


bayes_learn_to_journal  1
bayes_auto_expire   0

and make sure to set up a cron job to run sa-learn --sync 
--force-expire periodically (I've been finding daily is a good idea; YMMV).


So all thats left is this error 


spamd[29330]: prefork: child states: BIBI


This isn't an error, it's an informational message telling you what 
spamd's children are doing.


If you really want to get rid of it, you'll either have to shift the 
logging threshold for the mail facility in syslog until it goes away 
(thus likely losing a great deal of valuable log data from both SA and 
other sources) or fiddle the SA source so that those messages get sent 
with a debug priority, and set syslog to not log debug-priority messages.


Unless you're *really* horribly short on disk (I can recall a few 
systems I might have considered that on), it's not worth worrying about.


-kgd


Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread John Hardin

On Fri, 20 Jun 2008, Jo Rhett wrote:


On Jun 20, 2008, at 11:49 AM, John Hardin wrote:
10.x is (supposedly) not routable on the public internet. If you see 10.x 
(or other RFC-1918) traffic coming in from the world, your ISP is broken.


You don't run packet sniffers on your hosts much, do you? ;-)


I did say supposedly. :)

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 14 days until the 232nd anniversary of the Declaration of Independence


Re: EuroPharmacie

2008-06-20 Thread Evan Platt

Benny Pedersen wrote:

On Fredag, 20/6 2008, 20:49, Evan Platt wrote:

  

What's wrong with the default of 5?



nothing :)

if bayes was better trained
  


I guess you missed my point.. If the default of 5 was used, the message 
would have been marked as spam. :)


Re: prefork error

2008-06-20 Thread raulbe

Where can I find these settings?

would it be in spamassassin.bayes_rules or
23_bayes.cf


Thanks




Kris Deugau wrote:
 
 raulbe wrote:
 What I did was turn off auto_learn and that cleared up the error. So
 would
 doing this would it affect how bayes works or?
 
 Well, yes.  All Bayes training will now have to be done manually.
 
 What's usually a slightly better idea for a global Bayes database is to 
 set these Bayes options:
 
 bayes_learn_to_journal  1
 bayes_auto_expire   0
 
 and make sure to set up a cron job to run sa-learn --sync 
 --force-expire periodically (I've been finding daily is a good idea;
 YMMV).
 
 So all thats left is this error 
 
 spamd[29330]: prefork: child states: BIBI
 
 This isn't an error, it's an informational message telling you what 
 spamd's children are doing.
 
 If you really want to get rid of it, you'll either have to shift the 
 logging threshold for the mail facility in syslog until it goes away 
 (thus likely losing a great deal of valuable log data from both SA and 
 other sources) or fiddle the SA source so that those messages get sent 
 with a debug priority, and set syslog to not log debug-priority
 messages.
 
 Unless you're *really* horribly short on disk (I can recall a few 
 systems I might have considered that on), it's not worth worrying about.
 
 -kgd
 
 

-- 
View this message in context: 
http://www.nabble.com/prefork-error-tp17989187p18037020.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: how to stop SPF checks from going past trusted host?

2008-06-20 Thread mouss

Jo Rhett wrote:

On Jun 20, 2008, at 11:49 AM, John Hardin wrote:
10.x is (supposedly) not routable on the public internet. If you see 
10.x (or other RFC-1918) traffic coming in from the world, your ISP 
is broken.



You don't run packet sniffers on your hosts much, do you? ;-)

Does your ISP filter egress packets on your interface?  No, neither 
does mine ;-)  (and in this case I control the border routing so I 
know it for sure)


Most competent ISPs will filter customer interfaces to prevent bogons, 
and some will filter public peering ports for bogons, but even with 
both of those a surprising number of 10.x packets make their way to 
our hosts.


belt-and-suspenders: Even if it's unlikely for a 10.x packet to reach 
the host, why should I trust it?




I've never had an ISP/hoster block bogons, but I've never let them in. 
it's part of the first rules in ipf/pf/iptables/router/$FW (and in both 
directions. so my networks never send packets with bogon IPs to the 
internet). if you don't partition the network correctly, you'll have a 
lot of problems trying to deal with such annoyances.





Re: prefork error

2008-06-20 Thread Kris Deugau

raulbe wrote:

Where can I find these settings?

would it be in spamassassin.bayes_rules or
23_bayes.cf


As with all site-local settings, the Bayes options should go in a .cf 
file in your site config dir - typically either /etc/mail/spamassassin/ 
or /etc/spamassassin/.  local.cf is usually convenient.


I'm not sure what you're referring to with spamassassin.bayes_rules.

-kgd


Re: Channel ordering?

2008-06-20 Thread Benny Pedersen

On Fri, June 20, 2008 22:11, Kris Deugau wrote:

 must be loaded *after* pretty much everything else (eg, treated as if it
 were in the site config dir).

one could name the cf files like

priottet_channel_rulename.cf

then it will be loaded in right order i hope


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: EuroPharmacie

2008-06-20 Thread Benny Pedersen

On Fri, June 20, 2008 22:34, Evan Platt wrote:

 I guess you missed my point.. If the default of 5 was used, the message
 would have been marked as spam. :)

and this have nothing to do with bayes was or is bad trained


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: prefork error

2008-06-20 Thread Benny Pedersen

On Fri, June 20, 2008 22:38, raulbe wrote:

 Where can I find these settings?

perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::Bayes

plenty of info there :)

 would it be in spamassassin.bayes_rules or
 23_bayes.cf

no in local.cf or user_prefs


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: EMERGENCY RULE: porntube redirect

2008-06-20 Thread Chris
On Friday 20 June 2008 10:14 am, Karsten Bräckelmann wrote:
  I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran
  spamassassin --lint and got:

 That's the wrong way round, seriously. Do not restart SA after changes,
 unless --lint comes out clean.

   guenther
Hmm, I've always understood that SA needs to be restarted to get any new rules 
added read, though you may be right, sa-update runs a --lint before stopping 
and starting SA.

-- 
Chris
KeyID 0xE372A7DA98E6705C




Re: EMERGENCY RULE: porntube redirect

2008-06-20 Thread Karsten Bräckelmann
On Fri, 2008-06-20 at 17:53 -0500, Chris wrote:
 On Friday 20 June 2008 10:14 am, Karsten Bräckelmann wrote:

  That's the wrong way round, seriously. Do not restart SA after changes,
  unless --lint comes out clean.
 
 Hmm, I've always understood that SA needs to be restarted to get any new 
 rules 
 added read, though you may be right, sa-update runs a --lint before stopping 
 and starting SA.

Yes, this is true when using spamd, or any other daemonized third party
tool using the SA API directly, like amavis.

This is *not* true, when calling 'spamassassin' directly, which you do
for linting. In this case a new SA process is being started, reading all
config files from disk, entirely unrelated to a possibly running spamd.
So, while your daemonized spamd is running, you can edit the cf files
without harming the precious, busy spamd, lint your changes, and even
test them using 'spamassassin'. Only when you're happy with your
changes, restart the daemon to make it pick up the freshly changed (and
hopefully linted ;) rules.

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: EuroPharmacie

2008-06-20 Thread Karsten Bräckelmann
On Fri, 2008-06-20 at 23:15 +0200, Benny Pedersen wrote:
 On Fri, June 20, 2008 22:34, Evan Platt wrote:
 
  I guess you missed my point.. If the default of 5 was used, the message
  would have been marked as spam. :)
 
 and this have nothing to do with bayes was or is bad trained

Yeah, just like your recommendation to arbitrarily lower the
required_score threshold, from an arbitrary value. Or maybe I just don't
see how this is related to Bayes...

There have been more than sufficient tweaks and hints given in this
thread, to bomb that easy to catch spam into oblivion.

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



trusted_networks set in local.cf, but not according to sa-update

2008-06-20 Thread Sahil Tandon
I see the following when running sa-update with debug flags:

[20528] dbg: conf: trusted_networks are not configured; it is recommended 
that you configure trusted_networks manually

However:

# grep trusted /usr/local/etc/mail/spamassassin/local.cf
trusted_networks 69.55.228.210

--lint does not complain, and I know that local.cf is being otherwise 
interpreted by SA because custom rules contained therein are scoring.

-- 
Sahil Tandon [EMAIL PROTECTED]


spamd problem - some tests appear to stop working after running for a while?

2008-06-20 Thread Mikhail Kruk
I have Spamassassin 3.1.9 running on RedHat 4 and 5 and it seems to
exhibit the following weird problem.
The setup is as follows: mail servers are dedicated for spam
filtering.  All incoming messages are fed to SpamAssassin via
spamass-milter and then spamd.  Then the messages are handed off to
Microsoft IIS server for further processing.  I set them up, tested
and forgot about them for a while.  When I checked today it turned out
that most of the spam is getting through again.  Investigation showed
that things like spamcop and XBL no longer work and they appeared to
be the most effective part of the filtering.  I tried to turn on debug
logging and restarted spamd.  Everything started working properly.  I
then just restarted spamd without enabling logging on the second
server -- and it did the trick!  Everything is working again.  To
demonstrate I'm attaching 2 files: 2.txt and 3.txt.  First one is the
result of processing before restart (when spamd was in bad state).
3.txt is the result of feeding 2.txt to spamc after spamd was
restarted.
spamd is running as a dedicated user.
I don't see anything suspicious in the /var/log/maillog but I don't
really know what to look for.
Real hostnames were changed to mydomain.com.

Thanks!
x-sender: [EMAIL PROTECTED]
x-receiver: [EMAIL PROTECTED]
Received: from mx1.mydomain.com ([10.61.1.9]) by hesiodFax01.mydomain.com with 
Microsoft SMTPSVC(6.0.3790.3959);
 Fri, 20 Jun 2008 18:27:57 -0400
Received: from 72.70.225.47 (pool-72-70-225-47.spfdma.east.verizon.net 
[72.70.225.47])
by mx1.mydomain.com (8.13.1/8.13.1) with ESMTP id m5KMRqDF024446
for [EMAIL PROTECTED]; Fri, 20 Jun 2008 18:27:53 -0400
Message-ID: [EMAIL PROTECTED]
From: gibby david [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Fw: Receive our grant to feel well!
Date: Fri, 20 Jun 2008 22:38:05 +
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary==_NextPart_000_0005_01C8D335.03243FD5
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Spam-Status: No, score=4.6 required=7.0 tests=BAYES_40,EXTRA_MPART_TYPE,
HTML_30_40,HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_NUMERIC_HELO 
autolearn=no
version=3.1.9
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on
hesiodmail01.mydomain.com
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 20 Jun 2008 22:27:57.0250 (UTC) 
FILETIME=[E3B2FA20:01C8D324]

--=_NextPart_000_0005_01C8D335.03243FD5
Content-Type: image/gif;
name=img0.gif
Content-Transfer-Encoding: base64
Content-ID: [EMAIL PROTECTED]