Spam volumes down since last week

2008-06-23 Thread ram
I am seeing a clear downtrend in the number of spams hitting our
servers, and I am not sure why. Since last week spams are at 50% of what
they used to be last month. Is this what you all are seeing?


But the irritant 419s are still coming in (and some get past SA),
in many new variants. I have seen scamsters sending targeted spams
to people in the hotel industry, holiday industry etc.


Thanks
Ram






Re: Clamav Plugin for Spamassassin

2008-06-23 Thread metamorph


Randy Ramsdell wrote:
> 
> metamorph wrote:
>> James Lay wrote:
>>   
>>> On 6/22/08 9:30 PM, "metamorph" <[EMAIL PROTECTED]> wrote:
>>>
>>> 
>>>> Spamassassin/Clamav/Ubuntu/PHP5/Apache2/citadel/
>>>>
>>>> I just installed spamassassin and tested it with gtube and it worked,
>>>> but when I tried to install clamav it still lets the EICAR files through.
>>>> I read through old posts and everything on the spamassassin site and
>>>> still cannot get it to work.
>>>>
>>>> Any suggestions on what I am not doing correctly are greatly
>>>> appreciated.
>>>>
>>>> The steps I took:
>>>> filescanclamav is a Perl module, so I had to use CPAN to install it.
>>>>
>>>> Then, I created the files clamav.cf and clamav.pm with the text from
>>>> http://wiki.apache.org/spamassassin/ClamAVPlugin.
>>>>
>>>> Placed the two files in the /etc/spamassassin directory.
>>>>
>>>> Made the recommended change to clamav.pm: our $CLAMD_SOCK =
>>>> "/var/run/clamav/clamd.ctdl";   # changed
>>>>
>>>> Restarted spamassassin. grep shows spamassassin.
>>>>
>>>> Sent EICAR AV text test and it still doesn't do anything.

   
>>> Got any headers to show that it's actually piping through ClamAV? 
>>> (hint:
>>> look for X-Spam-Virus:)
>>> J~
>>>
>>> Citadel does not support headers, so it just sends the email back or
>>> deletes it.
>>>
>>> 
>> Any other suggestions on how to check if it is piping through clamav and
>> how
>> to set it if it is not are greatly appreciated.  Do I need to post any
>> other
>> info ?
>>   
>>
>>   
> 
> 1. Create test file with the EICAR test included.
> 2. Run spamassassin -D < $testfile
> 3. Read through the output thoroughly
> 
> or
> 1. spamassassin -D --lint : this should show if the plugin loaded.
> 
Thanks for the reply

I think this is the important section from the above command (spamassassin
-D --lint): 
[6680] warn: plugin: failed to parse plugin /etc/spamassassin/clamav.pm:
Can't locate /etc/spamassassin/clamav.pm in @INC (@INC contains:
/usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.8
/usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/lib/perl/5.8
/usr/share/perl/5.8 /usr/local/lib/site_perl) at
/usr/share/perl5/Mail/SpamAssassin/PluginHandler.pm line 107.

PluginHandler.pm line 107:
dbg("plugin: loading $package from $path");
# use require instead of "do", so we get built-in $INC{}
# smarts
$ret = eval { require $path; };
  }

So, I guess the plugin is not getting loaded.  Any suggestions on how to
make it connect together.
I really appreciate your help.  



Re: prevent to set a score for a non existend rule

2008-06-23 Thread Benny Pedersen

On Tue, June 24, 2008 01:10, Stefan Jakobs wrote:

> I'm guessing this doesn't work:

> amavis[31206]: (31206-01) SPAM-TAG, <[EMAIL PROTECTED]> -> [EMAIL 
> PROTECTED]>, Yes,
> score=7.88 tagged_above=-999 required=5 tests=[ALL_TRUSTED=-1.8,
> BAYES_50=0.001, HTML_MESSAGE=0.001, JM_SOUGHT_3=4, JM_SOUGHT_3_ADJ=2.2,
> SARE_SPEC_REPLICA_OBFU=1.812, SARE_SPEC_ROLEX_REP=1.666]

now you added plus and wanted less score ?

2.2 vs -2.2

ALL_TRUSTED is a warning




Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: prevent to set a score for a non existend rule

2008-06-23 Thread John Hardin

On Tue, 24 Jun 2008, Stefan Jakobs wrote:


> On Monday 23 June 2008 18:13, Benny Pedersen wrote:
>> On Mon, June 23, 2008 14:33, Stefan Jakobs wrote:
>>> /etc/mail/spamassassin/sought_rules.cf with this content:
>>> score   JM_SOUGHT_1 2.2
>>
>> meta JM_SOUGHT_1_ADJ (JM_SOUGHT_1)
>> score JM_SOUGHT_1_ADJ -0.1
>>
>>> score   JM_SOUGHT_2 2.2
>>
>> meta JM_SOUGHT_2_ADJ (JM_SOUGHT_2)
>> score JM_SOUGHT_2_ADJ -0.1
>>
>>> score   JM_SOUGHT_3 2.2
>>
>> meta JM_SOUGHT_3_ADJ (JM_SOUGHT_3)
>> score JM_SOUGHT_3_ADJ -0.1
>
> I'm guessing this doesn't work:
>
> amavis[31206]: (31206-01) SPAM-TAG, <[EMAIL PROTECTED]> -> [EMAIL PROTECTED]>, Yes,
> score=7.88 tagged_above=-999 required=5 tests=[ALL_TRUSTED=-1.8,
> BAYES_50=0.001, HTML_MESSAGE=0.001, JM_SOUGHT_3=4, JM_SOUGHT_3_ADJ=2.2,
> SARE_SPEC_REPLICA_OBFU=1.812, SARE_SPEC_ROLEX_REP=1.666]


Benny's _ADJ scores are an adjustment to the basic SOUGHT score, so you 
should set JM_SOUGHT_3_ADJ to -1.8 if you want to get a net score of 2.2
for SOUGHT ruleset #3.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Individual liberties are always "loopholes" to absolute authority.
---
 11 days until the 232nd anniversary of the Declaration of Independence
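The arithmetic behind this thread, as an added example (not code from SpamAssassin, amavis or anyone in the thread): a `meta X_ADJ (X)` rule fires exactly when `X` fires, so on a hit the two scores add up. The helper below parses the `tests=[...]` list that amavis logs (and that the `X-Spam-Status` header carries), reports the net score of every base rule that has an `_ADJ` companion, and computes the `_ADJ` score needed to reach a target net. The sample log line is reconstructed from the one quoted above.

```python
"""Net effect of a SpamAssassin "_ADJ" meta rule on a hit, parsed from the
tests=[...] list that amavis (and the X-Spam-Status header) report.

Added example for this thread, not code from SpamAssassin or amavis.
"""
import re
from typing import Dict, Tuple

# Constructed sample: the tests list from the amavis line quoted in the thread.
SAMPLE_LINE = (
    "amavis[31206]: (31206-01) SPAM-TAG, Yes, score=7.88 tagged_above=-999 "
    "required=5 tests=[ALL_TRUSTED=-1.8, BAYES_50=0.001, HTML_MESSAGE=0.001, "
    "JM_SOUGHT_3=4, JM_SOUGHT_3_ADJ=2.2, SARE_SPEC_REPLICA_OBFU=1.812, "
    "SARE_SPEC_ROLEX_REP=1.666]"
)

TESTS_RE = re.compile(r"tests=\[([^\]]*)\]")


def parse_tests(line: str) -> Dict[str, float]:
    """Return {rule_name: score} for every RULE=score item in tests=[...]."""
    m = TESTS_RE.search(line)
    if m is None:
        raise ValueError("no tests=[...] list found in line")
    scores: Dict[str, float] = {}
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed test item: {item!r}")
        scores[name] = float(value)
    return scores


def net_scores(scores: Dict[str, float], suffix: str = "_ADJ") -> Dict[str, Tuple[float, float, float]]:
    """For each base rule whose <rule>_ADJ meta also fired, return
    (base_score, adj_score, net).  Because `meta X_ADJ (X)` fires exactly
    when X fires, the two scores always add up on a hit."""
    out: Dict[str, Tuple[float, float, float]] = {}
    for name, base in scores.items():
        if name.endswith(suffix):
            continue
        adj = scores.get(name + suffix)
        if adj is not None:
            out[name] = (base, adj, round(base + adj, 3))
    return out


def adj_for_target(base_score: float, target_net: float) -> float:
    """Score to give the _ADJ meta so that base + adj == target_net."""
    return round(target_net - base_score, 3)


def total_score(scores: Dict[str, float]) -> float:
    """Sum of all test scores; should match the line's score= field."""
    return round(sum(scores.values()), 3)


if __name__ == "__main__":
    hits = parse_tests(SAMPLE_LINE)
    print("total:", total_score(hits))
    for rule, (base, adj, net) in net_scores(hits).items():
        print(f"{rule}: {base} + {adj} = {net}; for a net of 2.2 set "
              f"{rule}_ADJ to {adj_for_target(base, 2.2)}")
```

Run against the quoted line it reports JM_SOUGHT_3 as 4 + 2.2 = 6.2 (the summed scores reproduce the logged 7.88), and an `_ADJ` of -1.8 for a net of 2.2.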


Re: prevent to set a score for a non existend rule

2008-06-23 Thread Stefan Jakobs
On Monday 23 June 2008 18:13, Benny Pedersen wrote:
> On Mon, June 23, 2008 14:33, Stefan Jakobs wrote:
> > /etc/mail/spamassassin/sought_rules.cf with this content:
> > score   JM_SOUGHT_1 2.2
>
> meta JM_SOUGHT_1_ADJ (JM_SOUGHT_1)
> score JM_SOUGHT_1_ADJ -0.1
>
> > score   JM_SOUGHT_2 2.2
>
> meta JM_SOUGHT_2_ADJ (JM_SOUGHT_2)
> score JM_SOUGHT_2_ADJ -0.1
>
> > score   JM_SOUGHT_3 2.2
>
> meta JM_SOUGHT_3_ADJ (JM_SOUGHT_3)
> score JM_SOUGHT_3_ADJ -0.1

I'm guessing this doesn't work:

amavis[31206]: (31206-01) SPAM-TAG, <[EMAIL PROTECTED]> -> [EMAIL PROTECTED]>, 
Yes, 
score=7.88 tagged_above=-999 required=5 tests=[ALL_TRUSTED=-1.8, 
BAYES_50=0.001, HTML_MESSAGE=0.001, JM_SOUGHT_3=4, JM_SOUGHT_3_ADJ=2.2, 
SARE_SPEC_REPLICA_OBFU=1.812, SARE_SPEC_ROLEX_REP=1.666]

> > [12533] warn: config: warning: score set for non-existent rule
> > JM_SOUGHT_3
>
> its just a warn, not a error :-)

Yes, that's right. :-S

Thanks for your advices.
Stefan




Re: Fake MX Record(s) Trick

2008-06-23 Thread Benny Pedersen

On Mon, June 23, 2008 21:27, mouss wrote:

> 14400 is 4 hours (4*3660) which is a bit low for an MX 86400 (24
> hours) is probably better.

nice calc for 4 hours :-)


Benny Pedersen



Re: Channel ordering?

2008-06-23 Thread Kris Deugau

Justin Mason wrote:

> The dirs are lexically sorted by the hostname they're downloaded from.
> So if you name your hosts "zz-local-sa-updates.domain.org" for example,
> those rules will be loaded after "updates.SpamAssassin.org".


Butbutbut   that's so *ugly*.  

(I figured I'd have to do that, but I hoped there might be a hack or 
workaround.)


-kgd


Re: Clamav Plugin for Spamassassin

2008-06-23 Thread Randy Ramsdell

metamorph wrote:

> James Lay wrote:
>> On 6/22/08 9:30 PM, "metamorph" <[EMAIL PROTECTED]> wrote:
>>
>>> Spamassassin/Clamav/Ubuntu/PHP5/Apache2/citadel/
>>>
>>> I just installed spamassassin and tested it with gtube and it worked, but
>>> when I tried to install clamav it still lets the EICAR files through.  I
>>> read through old posts and everything on the spamassassin site and still
>>> cannot get it to work.
>>>
>>> Any suggestions on what I am not doing correctly are greatly
>>> appreciated.
>>>
>>> The steps I took:
>>> filescanclamav is a Perl module, so I had to use CPAN to install it.
>>>
>>> Then, I created the files clamav.cf and clamav.pm with the text from
>>> http://wiki.apache.org/spamassassin/ClamAVPlugin.
>>>
>>> Placed the two files in the /etc/spamassassin directory.
>>>
>>> Made the recommended change to clamav.pm: our $CLAMD_SOCK =
>>> "/var/run/clamav/clamd.ctdl";   # changed
>>>
>>> Restarted spamassassin. grep shows spamassassin.
>>>
>>> Sent EICAR AV text test and it still doesn't do anything.
>>
>> Got any headers to show that it's actually piping through ClamAV?  (hint:
>> look for X-Spam-Virus:)
>> J~
>>
>> Citadel does not support headers, so it just sends the email back or
>> deletes it.
>
> Any other suggestions on how to check if it is piping through clamav and how
> to set it if it is not are greatly appreciated.  Do I need to post any other
> info ?


1. Create test file with the EICAR test included.
2. Run spamassassin -D < $testfile
3. Read through the output thoroughly

or
1. spamassassin -D --lint : this should show if the plugin loaded.

rcr



Re: Clamav Plugin for Spamassassin

2008-06-23 Thread metamorph


James Lay wrote:
> 
> 
> On 6/22/08 9:30 PM, "metamorph" <[EMAIL PROTECTED]> wrote:
> 
>> 
>> Spamassassin/Clamav/Ubuntu/PHP5/Apache2/citadel/
>> 
>> I just installed spamassassin and tested it with gtube and it worked, but
>> when I tried to install clamav it still lets the EICAR files through.  I
>> read through old posts and everything on the spamassassin site and still
>> cannot get it to work.
>> 
>> Any suggestions on what I  am not doing correctly are greatly
>> appreciated.
>> 
>> The steps I took:
>> filescanclamav is a Perl module, so I had to use CPAN to install it.
>> 
>> Then, I created the files clamav.cf and clamav.pm with the text from
>> http://wiki.apache.org/spamassassin/ClamAVPlugin.
>> 
>> Placed the two files in the /etc/spamassassin directory.
>> 
>> Made the recommended change to clamav.pm: our $CLAMD_SOCK =
>> "/var/run/clamav/clamd.ctdl";   # changed
>> 
>> Restarted spamassassin. grep shows spamassassin.
>> 
>> Sent EICAR  AV text test and it still doesn't do anything.
>> 
> 
> 
> Got any headers to show that it's actually piping through ClamAV?  (hint:
> look for X-Spam-Virus:)
> J~
> 
> Citadel does not support headers, so it just sends the email back or
> deletes it.
> 
Any other suggestions on how to check if it is piping through clamav and how
to set it if it is not are greatly appreciated.  Do I need to post any other
info ?
  




Re: Fake MX Record(s) Trick

2008-06-23 Thread mouss

Marc Ferguson wrote:

> Hi,
>
> I'm a linux noob and a spam assassin noob so please reply in simplified
> language.  Thanks.
>
> I saw on the wiki a trick to use fake mx records in order to weed out spam (
> http://wiki.apache.org/spamassassin/OtherTricks).  I'm using Evolution at
> home and on my laptop and I have the spamassassin plugin so I'm constantly
> clicking the "junk" icon.  I have access to my shared web hosting account
> and I sure do get TONS of spam.  I'm a bit confused as to how to implement
> it though.  My web host uses WHM so my form looks something like this:
>
> digitalalias.net  14400  IN  MX  0  digitalalias.net
>
> What is 14400, I'm guessing a port of some kind.

nice try :)  it's an (optional) TTL.
   http://www.zytrax.com/books/dns/

14400 is 4 hours (4*3660) which is a bit low for an MX. 86400 (24 
hours) is probably better.

> Besides that the wiki
> suggests that my first fake mx record should be set at 10, then my real mx
> record at 20, and then another fake one at 30. 

at this stage, I would recommend that you forget about MX tricks and 
focus on more "straightforward" measures. tune your SA first. only when 
you're happy and you've learnt enough about MXes should you try such road.

> Why is this since my current
> mx record is set to 0?

only the order counts. (10, 20, 30) is the same as (100, 500, 900).

> fake0.example.com 10
> realmx.example.com 20
> fake1.example.com 30
>
> Marc F.
>
> "..Grace to you and peace from Him who is and who was and who is to come.."

Peace to this world... (once we've exterminated spammers ;-p)

> -Rev1:4




Re: Fake MX Record(s) Trick

2008-06-23 Thread mouss

Marc Perkel wrote:

> Marc Ferguson wrote:
>> Hi,
>>
>> I'm a linux noob and a spam assassin noob so please reply in 
>> simplified language.  Thanks.
>> I saw on the wiki a trick to use fake mx records in order to weed out 
>> spam (http://wiki.apache.org/spamassassin/OtherTricks).  I'm using 
>> Evolution at home and on my laptop and I have the spamassassin plugin 
>> so I'm constantly clicking the "junk" icon.  I have access to my 
>> shared web hosting account and I sure do get TONS of spam.  I'm a bit 
>> confused as to how to implement it though.  My web host uses WHM so 
>> my form looks something like this:
>>
>> digitalalias.net   14400  IN  MX  0  digitalalias.net 
>>
>> What is 14400, I'm guessing a port of some kind.  Besides that the 
>> wiki suggests that my first fake mx record should be set at 10, then 
>> my real mx record at 20, and then another fake one at 30.  Why is 
>> this since my current mx record is set to 0?
>>
>> fake0.example.com  10
>> realmx.example.com  20
>> fake1.example.com  30
>
> Hi Marc,
>
> I'm the guy who invented the trick and yes it does work.

ahuh? do you have references for this claimed "invention"?

> I'm running it with more than 4000 domains and it gets rid of more 
> than half my spam without having to use spamassassin. I use SA too but 
> it's very expensive to run and anything that reduces it will cut your 
> server load.
>
> I'm also providing a public server to harvest fake MX info to help 
> build my blacklist. You can use this host for your fake high numbered 
> MX. (Not a low numbered MX though)
>
> mail.yourdomain.com  10
> tarbaby.junkemailfilter.com 20







Re: hit frequencies (was Re: [Rule Set proposal] French Rules

2008-06-23 Thread John GALLET

Re,

> I excluded the last two rules from my masscheck to avoid FPs as these 
> ESPs/X-Mailers are definitely grey, "import rcpt list and blast" sort of ESPs 
> not black for global use.

If you can point me to some more information on how to do that, on-list or 
off-list, I am interested. I am new to this whole business.

In fact I was forced to look at X-Mailer and other strange headers for 
French spam that was still getting through with no real easy keywords, and 
these guys often had the good idea to have developed their own "software" 
and be proud of it.

> #counts   FR_SPAMISLEGAL       8s/2h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
> #counts   FR_SPAMISLEGAL_2     5s/2h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
> #counts   FR_NOTSPAM           0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
> #counts   FR_PAYLESSTAXES      0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
> #counts   FR_REALESTATE_INVEST 0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
> #counts   FR_ONLINEGAMBLING    0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
> #counts   FR_ONLINEMEDS        0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
> #counts   FR_REASON_SUBSCRIBE  1s/1h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
> #counts   FR_HOWTOUNSUBSCRIBE  7s/16h of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08

> If these are hit rates with a very minimal daily corpus, don't know if the 
> present ruleset is ready for production unless you have 0 tolerance for any 
> bulk, period


I do subscribe to various mailing lists, and none of them seemed compelled 
to remind me how to unsubscribe, even less to state me the law about spam.


Even the official government "conseil des ministres" (sum up of the 
daily/weekly/whatever government meeting) does not state the "loi 
informatique et libertés" anymore (but they do use a company I am getting 
a lot of spam from ).


So basically the question is: what makes a spam in French recognizable.

On the other hand I am also worried about the very low hits of most rules.

If all your 1166 spams are in French, we can throw the whole ruleset to 
/dev/null (well I'll keep it for me anyway).


A++;
JG



seekrules over French spam (was Re: [Rule Set proposal] French Rules

2008-06-23 Thread John GALLET

Hi,


> You run "seek-phrases-in-corpus" over the 2 corpora, and it'll spit out
> the patterns; you can then write rules based on these.


I did so, the results are interesting, though I do not really know where 
to go from there. If I take the first 50 "best" patterns and strip off the 
obvious stand-alone words and sure-to-be-false-positive expressions, here 
is what I get to: (sorry for non French speakers, explanation below)


 RATIO   SPAM%HAM%   DATA
 1.000   9.375   0.000  /Pour ne plus recevoir /
 1.000   6.875   0.000  /6 janvier 1978 relative /
 1.000   6.875   0.000  /affiche pas correctement, vous pouvez le visualiser en/
 1.000   5.625   0.000  /s données nominatives /
 1.000   5.625   0.000  / ce message, cliquez-ici/
 1.000   5.625   0.000  / vous désinscrire de /
 1.000   5.000   0.000  /Conformément à l/
 1.000   5.000   0.000  / plus recevoir d\'informations de notre part/
 1.000   5.000   0.000  /un droit d\'accès/
 1.000   4.375   0.000  /ment Ã|  l\'article 34 de la loi/
 1.000   4.375   0.000  /ment à l\'article 34 de la loi /
 1.000   3.750   0.000  /ous désinscrire de notre /
 1.000   3.750   0.000  /es nominatives vous concernant\. /
 1.000   3.750   0.000  / Libertés du 6 /
 1.000   3.750   0.000  /es vous concernant\. Pour l\'exercer, /

As you can see, charset encoding makes a mess, and many must be regrouped.

Anyway, these are the patterns I tried to code in FR_SPAMISLEGAL and 
FR_HOWTOUNSUBSCRIBE, plus one I considered too generic (if you can't 
read this mail in html, click here).


The whole result is available at 
http://www.saphirtech.fr/spam/seekrules_fr_1.txt



> http://taint.org/x/2008/seekrules_run


I also adapted this one (paths of course, but also forced "mbox" format, 
"detect" spit out zero results), but the result is even less "readable" 
for me. I miss the script seekrules/kill_bad_patterns which I presume 
removes stand alone words and such things.


Whole result at http://www.saphirtech.fr/spam/seekrules_fr_2.txt

John

Re: Fake MX Record(s) Trick

2008-06-23 Thread Marc Perkel

Marc Ferguson wrote:

> Hi,
>
> I'm a linux noob and a spam assassin noob so please reply in 
> simplified language.  Thanks. 
>
> I saw on the wiki a trick to use fake mx records in order to weed out 
> spam (http://wiki.apache.org/spamassassin/OtherTricks).  I'm using 
> Evolution at home and on my laptop and I have the spamassassin plugin 
> so I'm constantly clicking the "junk" icon.  I have access to my 
> shared web hosting account and I sure do get TONS of spam.  I'm a bit 
> confused as to how to implement it though.  My web host uses WHM so my 
> form looks something like this:
>
> digitalalias.net   14400  IN  MX  0  digitalalias.net 
>
> What is 14400, I'm guessing a port of some kind.  Besides that the 
> wiki suggests that my first fake mx record should be set at 10, then 
> my real mx record at 20, and then another fake one at 30.  Why is this 
> since my current mx record is set to 0?
>
> fake0.example.com  10
> realmx.example.com  20
> fake1.example.com  30


Hi Marc,

I'm the guy who invented the trick and yes it does work. I'm running it 
with more that 4000 domains and it gets rid of more than half my spam 
without having to use spamassassin. I use SA too but it's very expensive 
to run and anything that reduces it will cut your server load.


I'm also providing a public server to harvest fake MX info to help build 
my blacklist. You can use this host for your fake high numbered MX. (Not 
a low numbered MX though)


mail.yourdomain.com  10
tarbaby.junkemailfilter.com 20




Re: prevent to set a score for a non existend rule

2008-06-23 Thread Benny Pedersen

On Mon, June 23, 2008 14:33, Stefan Jakobs wrote:

> /etc/mail/spamassassin/sought_rules.cf with this content:
>   score   JM_SOUGHT_1 2.2

meta JM_SOUGHT_1_ADJ (JM_SOUGHT_1)
score JM_SOUGHT_1_ADJ -0.1

>   score   JM_SOUGHT_2 2.2

meta JM_SOUGHT_2_ADJ (JM_SOUGHT_2)
score JM_SOUGHT_2_ADJ -0.1

>   score   JM_SOUGHT_3 2.2

meta JM_SOUGHT_3_ADJ (JM_SOUGHT_3)
score JM_SOUGHT_3_ADJ -0.1

> [12533] warn: config: warning: score set for non-existent rule JM_SOUGHT_3

its just a warn, not a error :-)


Benny Pedersen



Re: hit frequencies (was Re: [Rule Set proposal] French Rules

2008-06-23 Thread Yet Another Ninja

On 6/23/2008 4:36 PM, John GALLET wrote:

> Hi,
>
> First of all, thanks to Justin for patiently helping me to install 
> mass-check and pointing me in the right direction. I will try to run the 
> algorithms tonight to see what they come up with.
>
> In the meantime, you can find a hit-frequencies report at:
> http://www.saphirtech.fr/spam/freqs_2008_06_23.txt
>
> All rules are prefixed with FR_ and are available in the same directory.
>
> I must say I did not double check for stray spam in my mailbox before 
> using it as a ham corpus but it *should* be clean. I'll double check for 
> next run. The spam corpus was 100% French spam, hand-picked over the 
> last week through the "probably-spam" class (default score values 5-15).
>
> Any feedback on the results (not enough in corpus, bad rules, good 
> rules, etc.) appreciated.

I excluded the last two rules from my masscheck to avoid FPs as these 
ESPs/X-Mailers are definitely grey, "import rcpt list and blast" sort of 
ESPs not black for global use.

#counts   FR_SPAMISLEGAL       8s/2h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_SPAMISLEGAL_2     5s/2h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_NOTSPAM           0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_PAYLESSTAXES      0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_REALESTATE_INVEST 0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_ONLINEGAMBLING    0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_ONLINEMEDS        0s/0h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_REASON_SUBSCRIBE  1s/1h  of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_HOWTOUNSUBSCRIBE  7s/16h of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08


If these are hit rates with a very minimal daily corpus, don't know if 
the present ruleset is ready for production unless you have 0 tolerance 
for any bulk, period
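Reading a `#counts` report by hand gets tedious once a ruleset has more than a handful of rules, so here is an added example (not one of SpamAssassin's `masses/` tools, and not code from anyone in the thread) that parses mass-check `#counts` lines like the ones above, turns raw hits into percentages of the spam and ham corpora, and applies the kind of triage Yet Another Ninja is doing: no hits, too few spam hits to judge, or ham-heavy enough to be a false-positive risk. The RATIO is computed as spam% / (spam% + ham%), the same presentation seek-phrases-in-corpus uses for its RATIO column; that formula and the thresholds are this example's assumptions, and the sample report is reconstructed from the lines quoted above.

```python
"""Parse mass-check "#counts" hit-frequency lines and flag rules whose hits
look too thin or too ham-heavy to promote.

Added example for this thread, not part of SpamAssassin's masses/ tools.
RATIO = spam% / (spam% + ham%) is an assumption of this example (it mirrors
the RATIO column seek-phrases-in-corpus prints); the thresholds are too.
"""
import re
from typing import Dict, List, NamedTuple

# "#counts RULE  Ns/Mh of TOTAL corpus (NSs/NHh TAG) DATE".  \s* before the
# hit counts tolerates reports where a long rule name swallowed the gap.
COUNTS_RE = re.compile(
    r"^#counts\s+(?P<rule>\S+)\s*(?P<s>\d+)s/(?P<h>\d+)h\s+of\s+(?P<n>\d+)\s+corpus"
    r"\s+\((?P<ns>\d+)s/(?P<nh>\d+)h\s+(?P<tag>[^)]+)\)\s+(?P<date>\S+)\s*$"
)

# Constructed sample, reconstructed from the report quoted in the thread; the
# FR_ONLINEGAMBLING line deliberately keeps the collapsed column seen there.
SAMPLE_REPORT = """\
#counts   FR_SPAMISLEGAL   8s/2h of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_SPAMISLEGAL_2 5s/2h of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_NOTSPAM   0s/0h of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_ONLINEGAMBLING0s/0h of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_REASON_SUBSCRIBE  1s/1h of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
#counts   FR_HOWTOUNSUBSCRIBE  7s/16h of 3859 corpus (1166s/2693h AXB-MC1) 06/23/08
"""


class RuleStats(NamedTuple):
    rule: str
    spam_hits: int
    ham_hits: int
    spam_pct: float   # percent of the spam corpus the rule hit
    ham_pct: float    # percent of the ham corpus the rule hit
    ratio: float      # spam_pct / (spam_pct + ham_pct); 0.0 when nothing hit


def parse_counts(report: str) -> List[RuleStats]:
    """Parse every #counts line; other lines (rule text, comments) are skipped."""
    rows: List[RuleStats] = []
    for line in report.splitlines():
        if not line.startswith("#counts"):
            continue
        m = COUNTS_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable #counts line: {line!r}")
        s, h = int(m["s"]), int(m["h"])
        spam_pct = 100.0 * s / int(m["ns"])
        ham_pct = 100.0 * h / int(m["nh"])
        ratio = spam_pct / (spam_pct + ham_pct) if (s or h) else 0.0
        rows.append(RuleStats(m["rule"], s, h, spam_pct, ham_pct, ratio))
    return rows


def verdict(r: RuleStats, min_spam_hits: int = 5, min_ratio: float = 0.9) -> str:
    """Triage one rule the way a reviewer would before giving it a real score."""
    if r.spam_hits == 0 and r.ham_hits == 0:
        return "no hits: corpus too small for this rule, or the rule is dead"
    if r.spam_hits < min_spam_hits:
        return "too few spam hits to judge"
    if r.ratio < min_ratio:
        return "ham-heavy: false-positive risk, keep the score low or drop it"
    return "candidate"


def review(report: str, **thresholds) -> Dict[str, str]:
    return {r.rule: verdict(r, **thresholds) for r in parse_counts(report)}


if __name__ == "__main__":
    for r in parse_counts(SAMPLE_REPORT):
        print(f"{r.rule:22} spam {r.spam_pct:5.2f}%  ham {r.ham_pct:5.2f}%  "
              f"ratio {r.ratio:.3f}  -> {verdict(r)}")
```

On the sample, FR_SPAMISLEGAL comes out as the only candidate (ratio about 0.90), FR_HOWTOUNSUBSCRIBE is flagged ham-heavy (16 ham hits against 7 spam hits, ratio about 0.50), the one-hit rule is marked as unjudgeable, and the zero-hit rules are reported as such rather than silently passed.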





Re: hit frequencies (was Re: [Rule Set proposal] French Rules

2008-06-23 Thread John GALLET
> Thanks for taking this burden upon yourself. One other thing you should be 
> prepared to do, if you're willing to devote long-term responsibility to these 
> rules, is to provide sa-update-compatible feeds of your dynamic rules. This 
> is another thing that Justin can probably help you with.


I am happy with trying to do so, but I am honestly not worried about the 
feed part, all it bores down to is putting the right file at the right 
place (be it push or pull, ftp or rsync, whatever).


What I am more worried about is testing regularly the rules, and, even 
before that, checking that they are valid. They are "good" on my system 
with my users, but then they were custom-tailored to be so.


JG



Re: prevent to set a score for a non existend rule

2008-06-23 Thread John Hardin

On Mon, 23 Jun 2008, Stefan Jakobs wrote:


> But now I get a lint warning:
> # spamassassin --lint
> [12533] warn: config: warning: score set for non-existent rule JM_SOUGHT_3
>
> The problem is that the sought ruleset has sometimes three rules and sometimes
> only two rules. But I don't like to change my config file each time the
> number of rules change.


My first response is, it's only a warning - why worry about it?

If there was _never_ going to be a JM_SOUGHT_3 then yeah, you'd want to 
drop that score override, but if it's occasional, and it doesn't keep SA 
from running, and you know why it's happening, why worry?




Re: hit frequencies (was Re: [Rule Set proposal] French Rules

2008-06-23 Thread John GALLET

Re,

> Looking at the rules, I'm worried about false positives on genuine opt-in 
> advertising. I have a number of users who choose to receive all kinds of 
> advertising blurb,

This is one of the reasons why I did not hunt for "click here" and "if you 
can't see this email in html". Now correct me if I am wrong (ouch, no, not 
on the head), but isn't this what whitelist_from is for ? I never was able 
to let the Intel newsletter through (it is in English), it would always be 
caught by SA. Same went for Microsoft Support genuine answers (ok, don't 
laugh).

> so I'll run your rules with very low scores for a while to see what gets 
> hit.


You can have a little more information, and exactly this suggestion, by 
reading http://www.saphirtech.fr/spamassassin.html


JG



Re: hit frequencies (was Re: [Rule Set proposal] French Rules

2008-06-23 Thread John Wilcock

John GALLET wrote:
> Any feedback on the results (not enough in corpus, bad rules, good 
> rules, etc.) appreciated.


Looking at the rules, I'm worried about false positives on genuine 
opt-in advertising. I have a number of users who choose to receive all 
kinds of advertising blurb, so I'll run your rules with very low scores 
for a while to see what gets hit.


John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: hit frequencies (was Re: [Rule Set proposal] French Rules

2008-06-23 Thread John Hardin

On Mon, 23 Jun 2008, John GALLET wrote:

> First of all, thanks to Justin for patiently helping me to install 
> mass-check and pointing me in the right direction.


Applause for Justin! This is the sort of thing we need to see for many 
more specialized spam categories...



> I will try to run the algorithms tonight to see what they come up with.


Thanks for taking this burden upon yourself. One other thing you should be 
prepared to do, if you're willing to devote long-term responsibility to 
these rules, is to provide sa-update-compatible feeds of your dynamic 
rules. This is another thing that Justin can probably help you with.




Re: Fake MX Record(s) Trick

2008-06-23 Thread Diego Pomatta

Marc Ferguson wrote:
> Hi,
>
> I'm a linux noob and a spam assassin noob so please reply in 
> simplified language.  Thanks. 
>
> I saw on the wiki a trick to use fake mx records in order to weed out 
> spam (http://wiki.apache.org/spamassassin/OtherTricks).  I'm using 
> Evolution at home and on my laptop and I have the spamassassin plugin 
> so I'm constantly clicking the "junk" icon.  I have access to my 
> shared web hosting account and I sure do get TONS of spam.  I'm a bit 
> confused as to how to implement it though.  My web host uses WHM so my 
> form looks something like this:
>
> digitalalias.net   14400  IN  MX  0  digitalalias.net 
>
> What is 14400, I'm guessing a port of some kind.  Besides that the 
> wiki suggests that my first fake mx record should be set at 10, then 
> my real mx record at 20, and then another fake one at 30.  Why is this 
> since my current mx record is set to 0?
>
> fake0.example.com  10
> realmx.example.com  20
> fake1.example.com  30

Hey Marc.
That is a variation or extension of a technique known as "nolisting", 
which consists of making your primary MX record point to an IP which 
does not accept SMTP connections (i.e. a fake). In this case, the MX 
with the lowest priority is also made a fake because spammers tend to 
target the lowest priority mail server directly (a spammer breaking the 
rules, imagine that!) to avoid the usually tighter security of the 
primary mail server.



From http://nolisting.org/:
Nolisting requires privileges that are only available to administrators. 
It is not configurable by end users. To configure Nolisting, an 
administrator must have the following:


   * the ability to create MX records for the destination domain
   * a spare /public/ IP address, within the administrator's control,
     that has no listening service running on SMTP port 25
   * cooperation of all staff with administrative control over related
     network resources
   * optionally, a packet filter on the IP address specified as the
     primary MX (recommended)


In my opinion this "trick" sucks for many reasons, two mainly: First, 
legitimate mail senders lose time and sometimes lose mails (for example 
unpatched RFC-compliant qmail servers).
Second, it's pointless, spammers are already adapting. All they have to 
do is try all mx records. So du'h.


Besides, having fake mx records in your DNS makes *you* non 
RFC-compliant. ;)


Regards
/Diego
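To make the two questions in this thread concrete ("what is 14400?" and "why 10/20/30 when my record says 0?"), here is an added example that is not from the SpamAssassin wiki, nolisting.org or anyone in the thread. It parses MX records written the way Marc's WHM form shows them (`owner TTL IN MX preference exchange`), separates the TTL from the preference, groups exchanges in the order a standards-compliant sender works through them (lowest preference first, equal preferences as one group a sender may pick from at random), and generates the three-record layout mouss and Diego describe. It also checks mouss's point that (10, 20, 30) and (100, 500, 900) produce the same order. All host and zone names are placeholders; `fake_mx_zone` and the other function names are this example's own.

```python
"""Parse MX records from zone-file lines, show the order a standards-compliant
MTA tries them in, and generate the three-record "fake MX" layout discussed
in the thread.  Added example; host names are placeholders, function names
are this example's own.
"""
import re
from itertools import groupby
from typing import List, NamedTuple, Optional


class MX(NamedTuple):
    owner: str
    ttl: Optional[int]      # seconds; None when the zone's default $TTL applies
    preference: int         # lower is tried first (RFC 5321 section 5.1)
    exchange: str


# owner [ttl] [IN] MX preference exchange  (TTL and class are optional)
ZONE_MX_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?MX\s+(?P<pref>\d+)\s+(?P<exchange>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mx_line(line: str) -> MX:
    m = ZONE_MX_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an MX record: {line!r}")
    ttl = int(m["ttl"]) if m["ttl"] else None
    # strip any trailing dot so "host." and "host" compare equal
    return MX(m["owner"].rstrip("."), ttl, int(m["pref"]), m["exchange"].rstrip("."))


def parse_zone(text: str) -> List[MX]:
    """Parse every non-blank, non-comment line as an MX record."""
    return [parse_mx_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(";")]


def ttl_hours(ttl_seconds: int) -> float:
    """14400 is a TTL in seconds, not a port: 14400 / 3600 = 4 hours."""
    return ttl_seconds / 3600


def delivery_order(records: List[MX]) -> List[List[str]]:
    """Exchanges grouped by preference, lowest first.  Only the relative
    order matters; the absolute numbers (0, 10, 100 ...) do not."""
    ordered = sorted(records, key=lambda r: r.preference)
    return [[r.exchange for r in grp]
            for _, grp in groupby(ordered, key=lambda r: r.preference)]


def fake_mx_zone(owner: str, real_mx: str, fake_low: str, fake_high: str,
                 prefs=(10, 20, 30), ttl: int = 86400) -> str:
    """Zone text for the fake / real / fake layout: the real MX must sit
    strictly between the two non-listening hosts."""
    lo, real, hi = prefs
    if not lo < real < hi:
        raise ValueError("real MX must sit strictly between the two fakes")
    return "\n".join(f"{owner} {ttl} IN MX {p} {host}"
                     for p, host in ((lo, fake_low), (real, real_mx), (hi, fake_high)))


if __name__ == "__main__":
    rec = parse_mx_line("digitalalias.net  14400  IN  MX  0  digitalalias.net")
    print(f"TTL {rec.ttl}s = {ttl_hours(rec.ttl)} h, preference {rec.preference}")
    zone = fake_mx_zone("example.com", "realmx.example.com",
                        "fake0.example.com", "fake1.example.com")
    print(zone)
    print("tried in order:", delivery_order(parse_zone(zone)))
```

The layout generator refuses a configuration where the real MX is not strictly between the two fakes, which is the one ordering mistake that would take a domain's mail down outright.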






Re: Fake MX Record(s) Trick

2008-06-23 Thread John Hardin

On Mon, 23 Jun 2008, McDonald, Dan wrote:

> But I'm not convinced that twiddling with fake MX records will reduce 
> your spam level any.


Cue Mr. Perkel... :)



hit frequencies (was Re: [Rule Set proposal] French Rules

2008-06-23 Thread John GALLET

Hi,

First of all, thanks to Justin for patiently helping me to install 
mass-check and pointing me in the right direction. I will try to run the 
algorithms tonight to see what they come up with.


In the meantime, you can find a hit-frequencies report at:
http://www.saphirtech.fr/spam/freqs_2008_06_23.txt

All rules are prefixed with FR_ and are available in the same directory.

I must say I did not double check for stray spam in my mailbox before 
using it as a ham corpus but it *should* be clean. I'll double check for 
next run. The spam corpus was 100% French spam, hand-picked over the last 
week through the "probably-spam" class (default score values 5-15).


Any feedback on the results (not enough in corpus, bad rules, good rules, 
etc.) appreciated.


Sincerely,
JG



Re: Channel ordering?

2008-06-23 Thread Justin Mason

Kris Deugau writes:
> Is it possible to determine the order channel-originated rulesets will 
> be loaded in?  Or *cause* a specific channel's rules to be loaded after 
> another?
> 
> I'm looking at creating several local channels for distributing local 
> rules across the collection of mismatched servers doing spam filtering 
> in several different ways (a general channel suitable for all systems; 
> several per-system or per-cluster channels with a few specific settings 
> peculiar to that system/cluster).
> 
> One component of the general rules are score adjustments to some stock 
> rules and a few channel rulesets - thus the problem;  my local channel 
> must be loaded *after* pretty much everything else (eg, treated as if it 
> were in the site config dir).

hi Kris --

That's tricky -- we didn't plan for that :(  Our mistake.

The dirs are lexically sorted by the hostname they're downloaded from.
So if you name your hosts "zz-local-sa-updates.domain.org" for example,
those rules will be loaded after "updates.SpamAssassin.org".

--j.


Re: Fake MX Record(s) Trick

2008-06-23 Thread Alex Woick

Marc Ferguson wrote on 20.06.2008 16:38:

> I saw on the wiki a trick to use fake mx records in order to weed out 
> spam (http://wiki.apache.org/spamassassin/OtherTricks).  I'm using 
> Evolution at home and on my laptop and I have the spamassassin plugin so 
> I'm constantly clicking the "junk" icon.  I have access to my shared web 
> hosting account and I sure do get TONS of spam.  I'm a bit confused as 
> to how to implement it though.


If you don't exactly know what you are doing, don't fiddle with your MX 
entries. Correctly set up, SpamAssassin is 99.9% accurate even without 
such special tweaks. With 99.9% I mean that for every 1000 spam I get, 
at most 1 is not detected.


You might have not understood how SpamAssassin works: it simply marks 
spam as spam, but passes it through into your inbox like any other mail. 
It is an additional task for you to set up in your mail client or in 
your mail delivery agent to move marked spam away to some kind of junk 
folder. SpamAssassin marks found spam with the "X-Spam-Flag: YES" header.


Tschau
Alex
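The delivery-side step Alex describes, as an added example (not code from the thread or from SpamAssassin): SpamAssassin only tags a message, so a delivery agent or a script it calls has to look at `X-Spam-Flag` and file the mail accordingly. The three sample messages are constructed; their headers follow the layout SpamAssassin produces (`X-Spam-Flag` only on mail it judged spam, `X-Spam-Status` with the score on every scanned message).

```python
"""Filing mail by SpamAssassin's X-Spam-Flag header, as a local delivery step.

Added example, not code from the thread.  SpamAssassin only marks the mail;
this is the extra step a mail delivery agent (or a script called from one)
performs to move marked spam into a junk folder.
"""
import re
from email import message_from_bytes
from email.message import Message

# Constructed sample messages (not real mail).
TAGGED_SPAM = b"""From: sender@example.invalid
To: me@example.invalid
Subject: [SPAM] sample
X-Spam-Flag: YES
X-Spam-Status: Yes, score=12.3 required=5.0 tests=SAMPLE_RULE_A,SAMPLE_RULE_B

body
"""

CLEAN_MAIL = b"""From: friend@example.invalid
To: me@example.invalid
Subject: lunch
X-Spam-Status: No, score=-1.2 required=5.0 tests=NONE

body
"""

# Message that never went through SpamAssassin: no X-Spam-* headers at all.
NOT_SCANNED = b"""From: someone@example.invalid
To: me@example.invalid
Subject: no SA headers at all

body
"""


def parse(raw: bytes) -> Message:
    """Parse the raw RFC 2822 message so headers can be read by name."""
    return message_from_bytes(raw)


def is_flagged_spam(raw: bytes) -> bool:
    """True only when SpamAssassin wrote 'X-Spam-Flag: YES' (compared case-insensitively)."""
    return (parse(raw).get("X-Spam-Flag") or "").strip().upper() == "YES"


def spam_score(raw: bytes):
    """Score from X-Spam-Status ('Yes, score=12.3 required=5.0 ...'); None if absent."""
    status = parse(raw).get("X-Spam-Status") or ""
    m = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", status)
    return float(m.group(1)) if m else None


def choose_folder(raw: bytes) -> str:
    """Folder a delivery agent should file the message into.

    A missing X-Spam-Flag header means 'not spam' or 'not scanned', so the
    message stays in the inbox; only an explicit YES diverts it to Junk.
    """
    return "Junk" if is_flagged_spam(raw) else "INBOX"


if __name__ == "__main__":
    for raw in (TAGGED_SPAM, CLEAN_MAIL, NOT_SCANNED):
        subject = parse(raw)["Subject"]
        print(f"{subject!r:36} score={spam_score(raw)!s:6} -> {choose_folder(raw)}")
```

The same test is what a procmail recipe matching `^X-Spam-Flag: YES` performs; the point of the function is that the decision key is the flag SpamAssassin set, not the subject tag, and that mail without the header is left alone.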


Re: Fake MX Record(s) Trick

2008-06-23 Thread McDonald, Dan
On Fri, 2008-06-20 at 10:38 -0400, Marc Ferguson wrote:
> Hi,

> I saw on the wiki a trick to use fake mx records in order to weed out
> spam (http://wiki.apache.org/spamassassin/OtherTricks).  I'm using
> Evolution at home and on my laptop and I have the spamassassin plugin
> so I'm constantly clicking the "junk" icon.  I have access to my
> shared web hosting account and I sure do get TONS of spam.  I'm a bit
> confused as to how to implement it though.  My web host uses WHM so my
> form looks something like this:
> 
> digitalalias.net  14400  IN  MX  0  digitalalias.net
> 
> What is 14400, 

The time-to-live.  It tells the world how often (in seconds) they should
check back to see if this record has changed.  You are telling people to
check once every 4 hours.

> I'm guessing a port of some kind.  Besides that the wiki suggests that
> my first fake mx record should be set at 10, then my real mx record at
> 20, and then another fake one at 30.  Why is this since my current mx
> record is set to 0?

Lowest number wins, so to attempt this "trick" you would need to change
your current MX to be some number larger than zero so that a fake MX
could be inserted lower.

But I'm not convinced that twiddling with fake MX records will reduce
your spam level any.
-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: Fake MX Record(s) Trick

2008-06-23 Thread Matus UHLAR - fantomas
On 20.06.08 10:38, Marc Ferguson wrote:
> I'm a linux noob and a spam assassin noob so please reply in simplified
> language.  Thanks.
> 
> I saw on the wiki a trick to use fake mx records in order to weed out spam (
> http://wiki.apache.org/spamassassin/OtherTricks).  I'm using Evolution at
> home and on my laptop and I have the spamassassin plugin so I'm constantly
> clicking the "junk" icon.  I have access to my shared web hosting account
> and I sure do get TONS of spam.  I'm a bit confused as to how to implement
> it though.  My web host uses WHM so my form looks something like this:
> 
> digitalalias.net  14400  IN  MX  0  digitalalias.net
> 
> What is 14400, I'm guessing a port of some kind.

it's the TTL of the record. ALL MX records should have equal TTL; if others don't
have any explicitly specified (BIND takes it from other info), don't specify
this.

> Besides that the wiki suggests that my first fake mx record should be set
> at 10, then my real mx record at 20, and then another fake one at 30.  Why
> is this since my current mx record is set to 0?

The numbers are irrelevant, only the order is. 0-1-2 will have the same effect
as 10-20-30 or 10-95-100.


-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
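The two points made in Dan's and Matus's replies (lowest preference value is tried first, so a real MX at 0 stays first no matter what fake records are added; the absolute numbers do not matter, only their order; all MX records for a name should carry the same TTL), worked through as an added example that is not code from the thread. The zone lines use the `owner TTL IN MX pref host` layout of the WHM form quoted above; the host names are constructed placeholders.

```python
"""MX preference ordering and TTL consistency (added example, not from the thread)."""
import re
from collections import namedtuple

MX = namedtuple("MX", "owner ttl pref host")

# The wiki's 10/20/30 layout, with constructed host names.
TRICK_ZONE = """
example.invalid. 14400 IN MX 10 fake0.example.invalid.
example.invalid. 14400 IN MX 20 realmx.example.invalid.
example.invalid. 14400 IN MX 30 fake1.example.invalid.
"""

# Marc's situation: the real host at preference 0 with a fake one simply
# added at 10 (and, to show the TTL check, a mismatched TTL on the new record).
NAIVE_ZONE = """
example.invalid. 14400 IN MX 0  realmx.example.invalid.
example.invalid. 3600  IN MX 10 fake0.example.invalid.
"""

# Same order as TRICK_ZONE with different numbers.
RENUMBERED_ZONE = """
example.invalid. 14400 IN MX 0 fake0.example.invalid.
example.invalid. 14400 IN MX 1 realmx.example.invalid.
example.invalid. 14400 IN MX 2 fake1.example.invalid.
"""

_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$", re.I)


def parse_mx(zone: str) -> list:
    """Parse 'owner TTL IN MX pref host' lines; anything else is ignored."""
    records = []
    for line in zone.splitlines():
        m = _LINE.match(line.strip())
        if m:
            owner, ttl, pref, host = m.groups()
            records.append(MX(owner, int(ttl), int(pref), host.rstrip(".")))
    return records


def delivery_order(records) -> list:
    """Hosts in the order a sending MTA tries them: ascending preference value.

    Equal preferences are equally preferred; the sender picks among them.
    """
    return [r.host for r in sorted(records, key=lambda r: r.pref)]


def real_host_is_first(records, real_host: str) -> bool:
    """True when the real MX would still be the first one tried."""
    order = delivery_order(records)
    return bool(order) and order[0] == real_host


def ttl_values(records) -> set:
    """Distinct TTLs in the set; more than one value means the TTLs disagree."""
    return {r.ttl for r in records}


def same_order(zone_a, zone_b) -> bool:
    """True when two record sets produce the same try order (numbers irrelevant)."""
    return delivery_order(zone_a) == delivery_order(zone_b)


if __name__ == "__main__":
    for name, zone in (("trick", TRICK_ZONE), ("naive", NAIVE_ZONE)):
        recs = parse_mx(zone)
        print(name, delivery_order(recs), "TTLs:", sorted(ttl_values(recs)))
```

Running the block shows the naive layout still puts the real host first (preference 0 beats 10), which is why the existing record's preference has to be raised before a lower-numbered fake one can be inserted, and the renumbered zone gives exactly the trick zone's order.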


Fake MX Record(s) Trick

2008-06-23 Thread Marc Ferguson
Hi,

I'm a linux noob and a spam assassin noob so please reply in simplified
language.  Thanks.

I saw on the wiki a trick to use fake mx records in order to weed out spam (
http://wiki.apache.org/spamassassin/OtherTricks).  I'm using Evolution at
home and on my laptop and I have the spamassassin plugin so I'm constantly
clicking the "junk" icon.  I have access to my shared web hosting account
and I sure do get TONS of spam.  I'm a bit confused as to how to implement
it though.  My web host uses WHM so my form looks something like this:

digitalalias.net  14400  IN  MX  0  digitalalias.net

What is 14400, I'm guessing a port of some kind.  Besides that the wiki
suggests that my first fake mx record should be set at 10, then my real mx
record at 20, and then another fake one at 30.  Why is this since my current
mx record is set to 0?

fake0.example.com 10
realmx.example.com 20
fake1.example.com 30


Marc F.

"..Grace to you and peace from Him who is and who was and who is to come.."
-Rev1:4


prevent setting a score for a non-existent rule

2008-06-23 Thread Stefan Jakobs
Hello list,

I'm using JM's sought ruleset, but the default score is in my opinion too high. 
That's why I have the following file: 
/etc/mail/spamassassin/sought_rules.cf
with this content:
score   JM_SOUGHT_1 2.2
score   JM_SOUGHT_2 2.2
score   JM_SOUGHT_3 2.2

But now I get a lint warning:
# spamassassin --lint
[12533] warn: config: warning: score set for non-existent rule JM_SOUGHT_3

The problem is that the sought ruleset has sometimes three rules and sometimes 
only two rules. But I don't like to change my config file each time the 
number of rules changes. Is there a simple way to tell spamassassin that it 
should ignore the score for a nonexistent rule? Or is there a way to set a 
score only when a rule exists?

Thanks for your help.
Stefan


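One way to avoid the lint warning described above, as an added example (not an answer from the thread and not SpamAssassin code): derive the local score file from the rule names that are actually defined in the downloaded ruleset, so a rule that is absent this week simply gets no score line. The ruleset text below is a constructed stand-in in which only two of the three JM_SOUGHT_* rules exist.

```python
"""Emit 'score' lines only for rules that exist in a ruleset (added example)."""
import re

# Constructed stand-in for a downloaded ruleset: JM_SOUGHT_3 is not defined.
RULESET = """
# sought rules, constructed sample
body     JM_SOUGHT_1   /sample pattern one/i
describe JM_SOUGHT_1   Body contains sought phrase 1
score    JM_SOUGHT_1   4.0

body     JM_SOUGHT_2   /sample pattern two/i
score    JM_SOUGHT_2   4.0
"""

# The local overrides the poster wants, keyed by rule name.
WANTED = {"JM_SOUGHT_1": 2.2, "JM_SOUGHT_2": 2.2, "JM_SOUGHT_3": 2.2}

# Lines that define a rule, as opposed to describe/score/tflags metadata.
_RULE_DEF = re.compile(
    r"^\s*(?:body|rawbody|header|uri|full|meta|mimeheader)\s+(\S+)\s"
)


def defined_rules(cf_text: str) -> set:
    """Names of rules defined (not merely scored or described) in the text."""
    names = set()
    for line in cf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _RULE_DEF.match(line)
        if m:
            names.add(m.group(1))
    return names


def score_lines(cf_text: str, wanted: dict) -> list:
    """'score NAME VALUE' lines for wanted rules that exist; the rest are skipped."""
    present = defined_rules(cf_text)
    return [f"score {name} {value}"
            for name, value in sorted(wanted.items()) if name in present]


def skipped_rules(cf_text: str, wanted: dict) -> list:
    """Wanted rules that were left out because the ruleset does not define them."""
    return sorted(set(wanted) - defined_rules(cf_text))


if __name__ == "__main__":
    print("\n".join(score_lines(RULESET, WANTED)))
    print("# skipped (not defined):", ", ".join(skipped_rules(RULESET, WANTED)))
```

Run against the real ruleset file after each update, write the output to the override file named in the post (/etc/mail/spamassassin/sought_rules.cf) and re-run `spamassassin --lint`; the skipped list is worth logging so a renamed rule is noticed rather than silently unscored.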


Re: 60_whitelist.cf

2008-06-23 Thread Matus UHLAR - fantomas
On 23.06.08 02:02, [EMAIL PROTECTED] wrote:
> I am running spamassassin with postfix via amavisd on a FreeBSD Intel box. 
> Email from Nintendo's Wii service is getting flagged as spam, despite me 
> entering it into the whitelist. This seems to be the case with other 
> unrelated entries that I have whitelisted as well.
> 
> I have entered the following into 
> /usr/local/share/spamassassin/60_whitelist.cf:
> 
> whitelist_from_rcvd [EMAIL PROTECTED] bsaa42453.tk.mesh.ad.jp

Received: from bsaa42453.tk.mesh.ad.jp (bsaa42453.wc24.wii.com [133.205.103.194])

the bsaa42453.tk.mesh.ad.jp is the HELO string, while bsaa42453.wc24.wii.com
is the hostname. You should put hostnames on *whitelist_from_rcvd rules.

However, since wii.com has SPF set up, whitelist_auth would be much safer.

The other problem was mentioned already.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.


Re: prefork error

2008-06-23 Thread Matus UHLAR - fantomas
On 20.06.08 13:20, raulbe wrote:
> Couple new errors now :(
> 
>  config: cannot write to /var/spool/uucp/.spamassassin/user_prefs: No such
> file or directory
> 
> 
>  spamd[19476]: spamd: processing message <[EMAIL PROTECTED]>
> for uucp:10

these are independent of those you reported before... Someone is sending
mail to the uucp user, most probably spam, but you can look at its mailbox.
You should alias such system users to someone else...

> Matus UHLAR - fantomas wrote:
> > 
> > On 20.06.08 08:18, raulbe wrote:
> >> Now if I can figure out why I keep getting the bayes.lock error any
> >> clues?
> > 
> >> Jun 20 11:02:41 ws096 spamd[20261]: bayes: cannot open bayes databases
> >> /home/nuonce/spamassassin/bayes_* R/W: lock failed: File exists
> > 
> > do you have autolearning turned on? what about journal?
> > (settings bayes_auto_learn and bayes_learn_to_journal).
> > the default settings (1 and 0) can cause such problems. Try turning on the
> > latter or off the former

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: how to stop SPF checks from going past trusted host?

2008-06-23 Thread Matus UHLAR - fantomas
> On Jun 20, 2008, at 11:49 AM, John Hardin wrote:
> >10.x is (supposedly) not routable on the public internet. If you see  
> >10.x (or other RFC-1918) traffic coming in from the world, your ISP  
> >is broken.

On 20.06.08 11:57, Jo Rhett wrote:
> Does your ISP filter egress packets on your interface?  No, neither  
> does mine ;-)  (and in this case I control the border routing so I  
> know it for sure)
> 
> Most competent ISPs will filter customer interfaces to prevent bogons,  
> and some will filter public peering ports for bogons, but even with  
> both of those a surprising number of 10.x packets make their way to  
> our hosts.

> belt-and-suspenders: Even if it's unlikely for a 10.x packet to reach  
> the host, why should I trust it?

if one packet reaches your host, nothing happens. For the TCP/SMTP
connection to be opened, (at least) three packets must be sent, in both
directions. If you can trace to a 10.x address that is not part of your
network, it's a problem. Solve this problem by configuring your network and
firewalls, and by asking your ISP to do the same. Do not try to solve this problem
at SA level.
 
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have. 


Re: 60_whitelist.cf

2008-06-23 Thread Benny Pedersen

On Mon, June 23, 2008 08:02, [EMAIL PROTECTED] wrote:

> whitelist_from_rcvd [EMAIL PROTECTED] bsaa42453.tk.mesh.ad.jp

def_whitelist_auth [EMAIL PROTECTED]
whitelist_auth [EMAIL PROTECTED]

don't use both since they are 2 different scores, and only use the one that is needed

here is the spf
http://old.openspf.org/wizard.html?mydomain=wii.com&submit=Go%21

perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::SPF

I use whitelist_auth since if Wii later changes to DKIM or other supported
auths in SpamAssassin you don't need to change the whitelist


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098