Re: senderbase rating - how to appeal?

2008-09-05 Thread Aaron Wolfe
On Fri, Sep 5, 2008 at 5:45 PM, Greg Troxel <[EMAIL PROTECTED]> wrote:
>
> "Michele Neylon :: Blacknight" <[EMAIL PROTECTED]> writes:
>
>> Does anyone know how you can appeal or query a senderbase rating?
>
> I resisted answering at first, because I'm perhaps a bit too cynical:
>
>  The way to appeal is to file a bug with spamassassin saying that
>  senderbase is bogus and ask that any senderbase rules in SA be
>  dropped.
>
> I don't know that spamassassin pays attention to senderbase; if not this
> probably won't work.  I say this, mostly joking, from my experience
> with habeas.  I have gotten spam on multiple occasions from senders that
> are HABEAS_ACCREDITED_SOI, and complained to habeas - with absolutely
> zero useful response.  I filed a bug:
>
>  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5902
>
> and soon heard from habeas, who claimed that they revoked the listing of
> that sender.
>
> I then got more spam from a different habeas-accredited spammer, and
> complained privately to [EMAIL PROTECTED], and heard nothing back.
>
> So the only rational conclusion seems to be that habeas accreditation is
> bogus, and they only respond to public pressure.  Perhaps that's not
> true and I've been unlucky, but that's how it feels from my end.
>

After seeing similar spam from "accredited" senders, we disabled any
score from the habeas rules long ago and have yet to notice any
increase in FP (we have ~5000 fairly sensitive users who definitely
let us know when things don't work as they want them to).  I know
of other sites that have disabled the habeas rules/score as well with
similar results.   IMHO, they are not worth scoring on since they
obviously do accredit sites that send UCE.  Does anyone see any
benefit from using habeas?  Does it outweigh the spam that gets
through because of them?


Re: 1000 times easier to just do sa-update --nogpg

2008-09-05 Thread Kelson

SM wrote:
> There is a reason the updates are signed.  You can either try and figure
> out the right way or you can wait for someone to compromise one of the
> endpoints to deliver illegitimate updates.


Pardon me for putting words in someone's mouth, but I got the impression 
that the original poster's point was not to advocate disabling signature 
checking, but to suggest that the error message should be more useful.


--
Kelson Vibber
SpeedGate Communications 


Re: 1000 times easier to just do sa-update --nogpg

2008-09-05 Thread SM

At 14:10 05-09-2008, [EMAIL PROTECTED] wrote:
> You know, it is a 1000 times easier to just do
> $ sa-update --nogpg

As it's 1000 times easier to disable the firewall to solve user issues.

> than to try to figure out the right way from the messages that
> surround "channel: GPG validation failed, channel failed", or the

There is a reason the updates are signed.  You can either try and 
figure out the right way or you can wait for someone to compromise 
one of the endpoints to deliver illegitimate updates.


Regards,
-sm 



Re: senderbase rating - how to appeal?

2008-09-05 Thread Greg Troxel

"Michele Neylon :: Blacknight" <[EMAIL PROTECTED]> writes:

> Does anyone know how you can appeal or query a senderbase rating?

I resisted answering at first, because I'm perhaps a bit too cynical:

  The way to appeal is to file a bug with spamassassin saying that
  senderbase is bogus and ask that any senderbase rules in SA be
  dropped.

I don't know that spamassassin pays attention to senderbase; if not this
probably won't work.  I say this, mostly joking, from my experience
with habeas.  I have gotten spam on multiple occasions from senders that
are HABEAS_ACCREDITED_SOI, and complained to habeas - with absolutely
zero useful response.  I filed a bug:

  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5902

and soon heard from habeas, who claimed that they revoked the listing of
that sender.

I then got more spam from a different habeas-accredited spammer, and
complained privately to [EMAIL PROTECTED], and heard nothing back.

So the only rational conclusion seems to be that habeas accreditation is
bogus, and they only respond to public pressure.  Perhaps that's not
true and I've been unlucky, but that's how it feels from my end.

Here's my previously private complaint.  I predict that perhaps now it
will be paid attention to.

(If anyone thinks streamsend are other than spammers, please email me
privately and let me know)


Return-Path: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on fnord.ir.bbn.com
X-Spam-Level: *
X-Spam-Status: Yes, score=1.7 required=1.0 tests=BAYES_50,HASHCASH_20,
HTML_IMAGE_ONLY_24,HTML_IMAGE_RATIO_02,HTML_MESSAGE,NO_RELAYS,
PRICES_ARE_AFFORDABLE,URIBL_GREY autolearn=no version=3.2.5
X-Spam-Report: 
* -0.5 HASHCASH_20 Contains valid Hashcash token (20 bits)
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
*  0.0 PRICES_ARE_AFFORDABLE BODY: Message says that prices aren't too
*  expensive
*  0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
*  1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*  [score: 0.5008]
*  0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
*  [URIs: streamsend.com]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: by fnord.ir.bbn.com (Postfix, from userid 10853)
id 79F8152A5; Sun, 29 Jun 2008 07:58:52 -0400 (EDT)
X-Hashcash: 1:20:080629:[EMAIL PROTECTED]::nCSVyDXiQZdSlr1V:1jsn
X-Hashcash: 1:20:080629:[EMAIL PROTECTED]::QLD2PaPUAPhTusXX:7z3
From: Greg Troxel <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Greg Troxel <[EMAIL PROTECTED]>
Subject: [Italian Pages] Uncover more of Italy for less than you would expect
Date: Sun, 29 Jun 2008 07:58:52 -0400
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.1 (berkeley-unix)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=

I received the following spam which SA tagged as HABEAS_ACCREDITED_SOI.
Please investigate and de-accredit streamsend.




--=-=-=
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on fnord.ir.bbn.com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=1.0 tests=AWL,BAYES_99,
HABEAS_ACCREDITED_SOI,HTML_IMAGE_ONLY_24,HTML_IMAGE_RATIO_02,HTML_MESSAGE,
PRICES_ARE_AFFORDABLE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
RAZOR2_CHECK,URIBL_GREY autolearn=no version=3.2.5
X-Spam-Report: 
* -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
*  [72.19.240.167 listed in sa-accredit.habeas.com]
*  0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
*  [URIs: streamsend.com]
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.0 PRICES_ARE_AFFORDABLE BODY: Message says that prices aren't too
*  expensive
*  0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
*  1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  2.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
*  above 50%
*  [cf:  76]
*  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
*  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
*  [cf:  76]
*  0.4 AWL AWL: From: address is in the auto white-list
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from mailengine.streamsend.com (mailengine.streamsend.com 
[72.19.240.167])
 

Re: OT: Ongoing phishing mail flood

2008-09-05 Thread Greg Troxel
  We are currently receiving lots of password phishing mails with
  envelope sender and From: header
  [EMAIL PROTECTED] and Reply-To:
  [EMAIL PROTECTED]

  The connecting mail servers
  que41.charter.net[209.225.8.24]
  que51.charter.net[209.225.8.25]

  do apparently *not* stop re-connecting after receiving REJECT (554)
  errors, but keep coming back with the same sender-recipient pairs.

That's interesting.  I am seeing mailgw1.lmco.com sending repeated mails
From <> to [EMAIL PROTECTED], where [EMAIL PROTECTED] is valid but the 551 is
spurious (yes, that's a username with a number prepended).  I am sending
554 each time.  period is 1h20m to 1h30m or so.






Re: 1000 times easier to just do sa-update --nogpg

2008-09-05 Thread mouss

[EMAIL PROTECTED] wrote:

> You know, it is a 1000 times easier to just do
> $ sa-update --nogpg
> than to try to figure out the right way from the messages that
> surround "channel: GPG validation failed, channel failed", or the
> sa-update man page, or writing this group and asking what to do. So
> there, the result is gpg is defeated.
>
> The cure is to have the error message to say
> "Do sa-update --import bbblllaaa", with the exact name it wants.
>
> I challenge you to figure it out just from the failure message to
> sa-update -D. One ends up lost reading
> http://www.gnupg.org/faq/subkey-cross-certify.html.
>
> It is 1000 times easier to just do
> $ sa-update --nogpg.



curl -o sa.gpg http://spamassassin.apache.org/updates/GPG.KEY
echo "24F434CE" >> gpg.keys
sa-update --import sa.gpg
echo "updates.spamassassin.org" >> channel.list

curl -o jm.gpg http://yerp.org/rules/GPG.KEY
echo "6C6191E3" >> gpg.keys
sa-update --import jm.gpg
echo "sought.rules.yerp.org" >> channel.list

curl -o sare.gpg http://daryl.dostech.ca/sa-update/sare/GPG.KEY
echo "856AA88A" >> gpg.keys
sa-update --import sare.gpg
#echo "" >> channel.list



sa-update --gpgkeyfile gpg.keys --channelfile channel.list

I see no gpg failure...
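
A check that can sit in front of each `sa-update --import` step in the message above (an added example, not part of the original post): it compares the downloaded key's full fingerprint with one obtained out of band and confirms that the short ID written to gpg.keys belongs to that key. The fingerprint, key ID and function names are constructed placeholders, and `gpg --show-keys` assumes GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example. All fingerprints and key IDs here are constructed
# placeholders, not the real values of any sa-update channel key.

# Constructed "gpg --with-colons" listing of a key file (one primary key,
# one subkey), used for the stand-alone demo at the bottom.
SAMPLE_LISTING='pub:-:1024:17:0000111122223333:1199145600:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1199145600::::Example Updates Signing Key <keys@example.invalid>:
sub:-:2048:16:4444555566667777:1199145600::::::e:
fpr:::::::::9999888877776666555544443333222211110000:'

# primary_fpr: read a colon-format key listing on stdin and print the
# fingerprint of the first primary key (the fpr record following pub).
primary_fpr() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "fpr" && want { print toupper($10); exit }
    '
}

# norm_hex: strip blanks and a leading 0x, upper-case the hex digits.
norm_hex() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# check_key_pin KEYID EXPECTED_FPR   (colon listing on stdin)
#   0  key matches the pinned fingerprint and KEYID is its tail
#   1  listing contains no primary key
#   2  fingerprint differs from the pin
#   3  KEYID is too short or does not belong to the pinned key
check_key_pin() {
    keyid=$(norm_hex "$1")
    pin=$(norm_hex "$2")
    got=$(primary_fpr)
    [ -n "$got" ] || return 1
    [ "$got" = "$pin" ] || return 2
    [ "${#keyid}" -ge 8 ] || return 3
    case "$got" in
        *"$keyid") return 0 ;;
        *)         return 3 ;;
    esac
}

# import_pinned KEYFILE KEYID EXPECTED_FPR
# Imports the key and records its ID in gpg.keys only when the pin check
# passes; otherwise nothing is added to sa-update's keyring.
import_pinned() {
    gpg --show-keys --with-colons "$1" | check_key_pin "$2" "$3" || {
        echo "refusing to import $1: fingerprint pin check failed" >&2
        return 1
    }
    sa-update --import "$1" && echo "$2" >> gpg.keys
}

# Stand-alone demo on the constructed listing.
if printf '%s\n' "$SAMPLE_LISTING" |
        check_key_pin 22223333 "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"
then
    echo "pin check passed for constructed sample key"
fi
```

With the pin in place, a key file that was altered in transit fails before it reaches the keyring, and the update run keeps GPG validation switched on.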






Re: 1000 times easier to just do sa-update --nogpg

2008-09-05 Thread Duane Hill

On Sat, 6 Sep 2008, [EMAIL PROTECTED] wrote:

> You know, it is a 1000 times easier to just do
> $ sa-update --nogpg
> than to try to figure out the right way from the messages that
> surround "channel: GPG validation failed, channel failed", or the
> sa-update man page, or writing this group and asking what to do. So
> there, the result is gpg is defeated.
>
> The cure is to have the error message to say
> "Do sa-update --import bbblllaaa", with the exact name it wants.
>
> I challenge you to figure it out just from the failure message to
> sa-update -D. One ends up lost reading
> http://www.gnupg.org/faq/subkey-cross-certify.html.
>
> It is 1000 times easier to just do
> $ sa-update --nogpg.


I don't have any issues using GPG. Instructions have ALWAYS been clear and 
when followed to the letter, have no issues.


-d


1000 times easier to just do sa-update --nogpg

2008-09-05 Thread jidanni
You know, it is a 1000 times easier to just do
$ sa-update --nogpg
than to try to figure out the right way from the messages that
surround "channel: GPG validation failed, channel failed", or the
sa-update man page, or writing this group and asking what to do. So
there, the result is gpg is defeated.

The cure is to have the error message to say
"Do sa-update --import bbblllaaa", with the exact name it wants.

I challenge you to figure it out just from the failure message to
sa-update -D. One ends up lost reading
http://www.gnupg.org/faq/subkey-cross-certify.html.

It is 1000 times easier to just do
$ sa-update --nogpg.


Re: senderbase rating - how to appeal?

2008-09-05 Thread SM

Hi Michele,
At 03:27 05-09-2008, Michele Neylon :: Blacknight wrote:
> Our main issue wasn't with the listing but with the total lack of
> appeals procedure or delisting, as several large corporates seem to
> trust Senderbase and block based on its score


The "industry's most accurate reputation system" cannot be wrong. 
:-)  Most people trust DNSBLs because it's the magical solution to 
their problems.


A reputation system does not work as a DNSBL and won't have a 
delisting procedure.  As for appeals, you'll have to convince them 
that their data is not accurate.  See whether you can get a 
resolution through SpamCop.


Regards,
-sm 



RE: OT: Ongoing phishing mail flood

2008-09-05 Thread RobertH

> 
> Yup.  That's why I send a 250 - SPAM - discarded.  That way, the
> spammers think they have delivered the mail, and go on to the next
> victim
> --
> Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
> Austin Energy

Dan

Using which server software?

Are you /dev/null or reject while sending an accept message?

 - rh



Re: OT: Ongoing phishing mail flood

2008-09-05 Thread McDonald, Dan
On Fri, 2008-09-05 at 18:56 +0200, Wolfgang Zeikat wrote:
> We are currently receiving lots of password phishing mails with envelope 
> sender and From: header
> [EMAIL PROTECTED] and Reply-To:
> [EMAIL PROTECTED]
> 
> The connecting mail servers
> que41.charter.net[209.225.8.24]
> que51.charter.net[209.225.8.25]
> 
> do apparently *not* stop re-connecting after receiving REJECT (554) 
> errors, but keep coming back with the same sender-recipient pairs.
> 

Yup.  That's why I send a 250 - SPAM - discarded.  That way, the
spammers think they have delivered the mail, and go on to the next
victim




-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





OT: Ongoing phishing mail flood

2008-09-05 Thread Wolfgang Zeikat
We are currently receiving lots of password phishing mails with envelope 
sender and From: header

[EMAIL PROTECTED] and Reply-To:
[EMAIL PROTECTED]

The connecting mail servers
que41.charter.net[209.225.8.24]
que51.charter.net[209.225.8.25]

do apparently *not* stop re-connecting after receiving REJECT (554) 
errors, but keep coming back with the same sender-recipient pairs.


Regards,

wolfgang





Re: How can I see all rules applied?

2008-09-05 Thread mouss

patrickbaer wrote:

> Dear Lord, I am going nuts! I promised my colleagues a new filter three days
> ago. Now they are drowning in spam and I have no idea about what's going on!
>
> I have this test-machine with a fresh installation of postfix, spamassassin
> and amavisd and it works like a charm. I have a catch rate of no less than
> 99.6% on this machine and not a single false negative!
>
> Now on the crappy live box, absolutely NOTHING works as it should. I just
> tried, in my despair, to apply a custom rule, but no way it will accept
> them! Added it to local.cf, no work. Added a new file to
> /var/lib/spamassassin.../20_test.cf, no work. Spamassassin parses the rule,
> yes, but it doesn't apply the score!
>
> Please, what the hell is going on there and how can I find out how
> to solve it? I have no idea where to go from here any more...
 


the first thing is to calm down. then try to explain in a way that _we_ 
understand what problem you have. saying "nothing works" is meaningless.


if a spam message is missed, then save it to a file. Please save an 
unaltered message (if your mailer or an internal exchange modifies the 
message, it is useless). then post a copy somewhere so that we can test 
it on our systems (try pastebin, or use your own web server). also run 
'spamassassin -t < message.file' on both servers (please use the same 
message file) and see the results. once again, use an unmodified message 
(it's ok if few headers are added by amavisd-new or your MTA/MDA after 
filtering).


if AWL is causing you problems, disable it and _restart_ amavisd-new.

when you train SA, make sure you train it as the same user that 
amavisd-new uses. if using mysql for Bayes, force a single user:

bayes_sql_override_username spamassassin
(do this in your local.cf).

when you modify a rule, a .cf or a .pre file, you need to reload 
amavisd-new. if you use sa-compile, run it before reloading amavisd-new 
or testing.









Re: How can I see all rules applied?

2008-09-05 Thread patrickbaer



McDonald, Dan wrote:
> 
> On Fri, 2008-09-05 at 06:18 -0700, patrickbaer wrote:
> 
>> Now on the crappy live box, absolutely NOTHING works as it should. I just
>> tried, in my despair, to apply a custom rule, but no way it will accept
>> them! Added it to local.cf, no work. Added a new file to
>> /var/lib/spamassassin.../20_test.cf, no work. Spamassassin parses the
>> rule,
>> yes, but it doesn't apply the score!
> 
>>Did you run sa-compile?  then you will need to run sa-compile each time
>>you change a body rule.
> 
> I just tried, just to make sure. But it failed with an error with e2c (?)
> 
> 
>>Are you re-starting amavisd when you make the changes?  Amavisd-new
>>daemonizes the spamassassin libraries.  Only when it is restarted will
>>it load any new rules.
> 
> Yes, but it also fails when I sent the email from the command line (see
> above)
> 
> 
> And finally, have you checked that the amavisd user is able to read the
> files you are modifying?
> 
> Of course :)
> 
> As I am now pi for various reasons, I'll put my desktop machine (the
> testbox) in the DMZ and enable it in the other mailserver, then report
> back. 
> 
> I'll just add it to the current config: localhost:25 => localhost:10024 =>
> external:10024 => localhost:10025
> 
> 
> -- 
> Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
> Austin Energy
> http://www.austinenergy.com
> 
> 
>  
> 

-- 
View this message in context: 
http://www.nabble.com/How-can-I-see-all-rules-applied--tp19312076p19331798.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: How can I see all rules applied?

2008-09-05 Thread Anthony Peacock

Hi,

The obvious answer is to look at what is different between the two boxes.

You then need to work out which bit of the email pathway is not working. 
 It might be that spamassassin is working like a charm, but some other 
part of the chain is not doing its job.


You should understand that spamassassin only scans and scores a message, 
it does not do anything about removing, archiving etc.  In your case 
that should be done by amavisd.


If it is a problem with amavisd or postfix you will be better served 
asking in mailing lists related to those pieces of software.


But to test spamassassin, run the following command from a command line:

spamassassin --lint --debug

and look for errors.

Then, get an example email with full headers in a text file and feed it 
in to spamassassin manually, like:


spamassassin --test < test-email.eml

If you get any errors from either of these, people here will probably be 
able to help you out.


patrickbaer wrote:

> Dear Lord, I am going nuts! I promised my colleagues a new filter three days
> ago. Now they are drowning in spam and I have no idea about what's going on!
>
> I have this test-machine with a fresh installation of postfix, spamassassin
> and amavisd and it works like a charm. I have a catch rate of no less than
> 99.6% on this machine and not a single false negative!
>
> Now on the crappy live box, absolutely NOTHING works as it should. I just
> tried, in my despair, to apply a custom rule, but no way it will accept
> them! Added it to local.cf, no work. Added a new file to
> /var/lib/spamassassin.../20_test.cf, no work. Spamassassin parses the rule,
> yes, but it doesn't apply the score!
>
> Please, what the hell is going on there and how can I find out how
> to solve it? I have no idea where to go from here any more...
 



--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/


Re: How can I see all rules applied?

2008-09-05 Thread McDonald, Dan
On Fri, 2008-09-05 at 06:18 -0700, patrickbaer wrote:

> Now on the crappy live box, absolutely NOTHING works as it should. I just
> tried, in my despair, to apply a custom rule, but no way it will accept
> them! Added it to local.cf, no work. Added a new file to
> /var/lib/spamassassin.../20_test.cf, no work. Spamassassin parses the rule,
> yes, but it doesn't apply the score!

Did you run sa-compile?  then you will need to run sa-compile each time
you change a body rule.

Are you re-starting amavisd when you make the changes?  Amavisd-new
daemonizes the spamassassin libraries.  Only when it is restarted will
it load any new rules.

And finally, have you checked that the amavisd user is able to read the
files you are modifying?


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: How can I see all rules applied?

2008-09-05 Thread patrickbaer

Dear Lord, I am going nuts! I promised my colleagues a new filter three days
ago. Now they are drowning in spam and I have no idea about what's going on! 

I have this test-machine with a fresh installation of postfix, spamassassin
and amavisd and it works like a charm. I have a catch rate of no less than
99.6% on this machine and not a single false negative!

Now on the crappy live box, absolutely NOTHING works as it should. I just
tried, in my despair, to apply a custom rule, but no way it will accept
them! Added it to local.cf, no work. Added a new file to
/var/lib/spamassassin.../20_test.cf, no work. Spamassassin parses the rule,
yes, but it doesn't apply the score!

Please, what the hell is going on there and how can I find out how
to solve it? I have no idea where to go from here any more...
 
-- 
View this message in context: 
http://www.nabble.com/How-can-I-see-all-rules-applied--tp19312076p19331058.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



RE: SpamAssassin for windows

2008-09-05 Thread Harald Binkle
No.
If I do not embed it in an exe file I would need to install ActiveState-Perl and 
SpamAssassin together with my application.
And I don't like to install a complete runtime environment (16mb setup) if it 
can be done with one exe file (4mb).

So it is better for us to create a new exe file, say twice a year (depending on 
the changes in SpamAssassin).

Harry

> -----Original Message-----
> From: Giampaolo Tomassoni [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 05, 2008 2:39 PM
> To: Harald Binkle; [EMAIL PROTECTED];
> users@spamassassin.apache.org
> Subject: RE: SpamAssassin for windows
>
> > From: Harald Binkle [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 05, 2008 1:10 PM
> > To: '[EMAIL PROTECTED]'; users@spamassassin.apache.org
> > Subject: SpamAssassin for windows
> >
> > Hi @all,
> >
> > we are searching for someone who will continue part of the work from the
> > sourceforge project http://sourceforge.net/projects/sawin32/ .
> > We are willing to pay or donate if someone will continue developing
> > (improving windows integration and keeping up to date with current
> > SpamAssassin releases) that windows version of spamd.
> > Is there someone who is interested in this?
>
> Wouldn't it be better to avoid embedding a .exe version of spamassassin in
> the project? This way there would be no need to update this package at every
> and each SA release.
>
> I'm not running SA in a windows environment, so I may be missing some
> important point. Do I?
>
> Giampaolo
>
>
> > Greetings
> >
> > Harry
> >
> > Harald Binkle
> > JAM-Software
> >
> >
> >
> >
> >
> > 
> > JAM Software GmbH
> > Managing Director: Joachim Marder
> > Max-Planck-Str. 22 * 54296 Trier * Germany
> > Tel: 0700-70707050 * Fax: 0700-70707059
> > (max. 12.4 ct/min, prices from mobile networks may differ)
> > Commercial Register No. HRB 4920 (Wittlich District Court) http://www.jam-software.de



RE: SpamAssassin for windows

2008-09-05 Thread Giampaolo Tomassoni
> From: Harald Binkle [mailto:[EMAIL PROTECTED] 
> Sent: Friday, September 05, 2008 1:10 PM
> To: '[EMAIL PROTECTED]'; users@spamassassin.apache.org
> Subject: SpamAssassin for windows
>
> Hi @all,
>
> we are searching for someone who will continue part of the work from the
> sourceforge project http://sourceforge.net/projects/sawin32/ .
> We are willing to pay or donate if someone will continue developing
> (improving windows integration and keeping up to date with current
> SpamAssassin releases) that windows version of spamd.
> Is there someone who is interested in this?

Wouldn't it be better to avoid embedding a .exe version of spamassassin in
the project? This way there would be no need to update this package at every
and each SA release.

I'm not running SA in a windows environment, so I may be missing some
important point. Do I?

Giampaolo


> Greetings
>
> Harry
>
> Harald Binkle 
> JAM-Software
>
>
>
>
>
> 
> JAM Software GmbH
> Managing Director: Joachim Marder
> Max-Planck-Str. 22 * 54296 Trier * Germany
> Tel: 0700-70707050 * Fax: 0700-70707059
> (max. 12.4 ct/min, prices from mobile networks may differ)
> Commercial Register No. HRB 4920 (Wittlich District Court) http://www.jam-software.de



Re: How can I see all rules applied?

2008-09-05 Thread Anthony Peacock

Hi,

Do you want to disable the AWL or just delete the entries?

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_AWL.html

To disable the autowhitelist completely put the following line in your 
local.cf file (usually in /etc/mail/spamassassin)


use_auto_whitelist 0

Then restart spamd or whatever system you have to call spamassassin.

To delete individual entries you can use the following command:

spamassassin --remove-addr-from-whitelist [EMAIL PROTECTED]

http://spamassassin.apache.org/full/3.2.x/doc/spamassassin-run.html

patrickbaer wrote:

Hi Anthony,

I agree. But how can I delete this auto-whitelist? I found two of them in
/root/.spamassassin/auto-whitelist and
/var/amavis/.spamassassin/auto-whitelist.

I even disabled it in /etc/mail/spamassassin/v310.pre

No avail. :(


Anthony Peacock wrote:

Hi,

I am not sure what you think the problem is.  If you are referring to the 
different scores then that is to be expected as the two systems are 
using different auto-whitelist databases and will probably have 
different data in them.


patrickbaer wrote:

I have now come down to a problem with the auto whitelist:

See the test machine:

[4998] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in
/root/.spamassassin/auto-whitelist
[4998] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173
scores 5/61.821
[4998] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn
score:
2.602, mean: 12.3642, IP: 190.173.128.77
[4998] dbg: auto-whitelist: add_score: new count: 6, new totscore: 64.423
[4998] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
[4998] dbg: auto-whitelist: DB addr list: file locked, breaking lock
[4998] dbg: locker: safe_unlock: unlink
/root/.spamassassin/auto-whitelist.lock
[4998] dbg: auto-whitelist: post auto-whitelist score: 7.4831

Compared to the live-system:

[18824] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in
/root/.spamassassin/auto-whitelist
[18824] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173
scores 6/13.112
[18824] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn
score:
2.602, mean: 2.185333, IP: 190.173.128.77
[18824] dbg: auto-whitelist: add_score: new count: 7, new totscore:
15.714
[18824] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
[18824] dbg: auto-whitelist: DB addr list: file locked, breaking lock
[18824] dbg: locker: safe_unlock: unlink
/root/.spamassassin/auto-whitelist.lock
[18824] dbg: auto-whitelist: post auto-whitelist score: 2.393667



--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/







--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/


Re: How can I see all rules applied?

2008-09-05 Thread patrickbaer

Hi Anthony,

I agree. But how can I delete this auto-whitelist? I found two of them in
/root/.spamassassin/auto-whitelist and
/var/amavis/.spamassassin/auto-whitelist.

I even disabled it in /etc/mail/spamassassin/v310.pre

No avail. :(


Anthony Peacock wrote:
> 
> Hi,
> 
> I am not sure what you think the problem is.  If you are referring to the 
> different scores then that is to be expected as the two systems are 
> using different auto-whitelist databases and will probably have 
> different data in them.
> 
> patrickbaer wrote:
>> I have now come down to a problem with the auto whitelist:
>> 
>> See the test machine:
>> 
>> [4998] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in
>> /root/.spamassassin/auto-whitelist
>> [4998] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173
>> scores 5/61.821
>> [4998] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn
>> score:
>> 2.602, mean: 12.3642, IP: 190.173.128.77
>> [4998] dbg: auto-whitelist: add_score: new count: 6, new totscore: 64.423
>> [4998] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
>> [4998] dbg: auto-whitelist: DB addr list: file locked, breaking lock
>> [4998] dbg: locker: safe_unlock: unlink
>> /root/.spamassassin/auto-whitelist.lock
>> [4998] dbg: auto-whitelist: post auto-whitelist score: 7.4831
>> 
>> Compared to the live-system:
>> 
>> [18824] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in
>> /root/.spamassassin/auto-whitelist
>> [18824] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173
>> scores 6/13.112
>> [18824] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn
>> score:
>> 2.602, mean: 2.185333, IP: 190.173.128.77
>> [18824] dbg: auto-whitelist: add_score: new count: 7, new totscore:
>> 15.714
>> [18824] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
>> [18824] dbg: auto-whitelist: DB addr list: file locked, breaking lock
>> [18824] dbg: locker: safe_unlock: unlink
>> /root/.spamassassin/auto-whitelist.lock
>> [18824] dbg: auto-whitelist: post auto-whitelist score: 2.393667
>> 
> 
> 
> -- 
> Anthony Peacock
> CHIME, Royal Free & University College Medical School
> WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
> Study Health Informatics - Modular Postgraduate Degree
> http://www.chime.ucl.ac.uk/study-health-informatics/
> 
> 

-- 
View this message in context: 
http://www.nabble.com/How-can-I-see-all-rules-applied--tp19312076p19329287.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: How can I see all rules applied?

2008-09-05 Thread Anthony Peacock

Hi,

I am not sure what you think the problem is.  If you are referring to the 
different scores then that is to be expected as the two systems are 
using different auto-whitelist databases and will probably have 
different data in them.


patrickbaer wrote:

I have now come down to a problem with the auto whitelist:

See the test machine:

[4998] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in
/root/.spamassassin/auto-whitelist
[4998] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173
scores 5/61.821
[4998] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn score:
2.602, mean: 12.3642, IP: 190.173.128.77
[4998] dbg: auto-whitelist: add_score: new count: 6, new totscore: 64.423
[4998] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
[4998] dbg: auto-whitelist: DB addr list: file locked, breaking lock
[4998] dbg: locker: safe_unlock: unlink
/root/.spamassassin/auto-whitelist.lock
[4998] dbg: auto-whitelist: post auto-whitelist score: 7.4831

Compared to the live-system:

[18824] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in
/root/.spamassassin/auto-whitelist
[18824] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173
scores 6/13.112
[18824] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn score:
2.602, mean: 2.185333, IP: 190.173.128.77
[18824] dbg: auto-whitelist: add_score: new count: 7, new totscore: 15.714
[18824] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
[18824] dbg: auto-whitelist: DB addr list: file locked, breaking lock
[18824] dbg: locker: safe_unlock: unlink
/root/.spamassassin/auto-whitelist.lock
[18824] dbg: auto-whitelist: post auto-whitelist score: 2.393667




--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/
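
The two post-AWL scores in the debug output can be reproduced from the numbers in the log itself. The following is an added example, not code from any poster or from SpamAssassin; it assumes both hosts use the default `auto_whitelist_factor` of 0.5, and the function name `explain_awl` is hypothetical.

```python
import re

# Constructed input: the AWL debug lines quoted in the thread, unwrapped.
TEST_BOX = """\
[4998] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173 scores 5/61.821
[4998] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn score: 2.602, mean: 12.3642, IP: 190.173.128.77
[4998] dbg: auto-whitelist: post auto-whitelist score: 7.4831
"""
LIVE_BOX = """\
[18824] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173 scores 6/13.112
[18824] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn score: 2.602, mean: 2.185333, IP: 190.173.128.77
[18824] dbg: auto-whitelist: post auto-whitelist score: 2.393667
"""

AWL_FACTOR = 0.5  # assumption: both hosts use the stock auto_whitelist_factor

HISTORY = re.compile(r"\bscores (\d+)/(-?[\d.]+)")  # "<count>/<total score>"
PRE = re.compile(r"pre-score: (-?[\d.]+)")
POST = re.compile(r"post auto-whitelist score: (-?[\d.]+)")


def explain_awl(log, factor=AWL_FACTOR):
    """Recompute the AWL adjustment from one host's debug output."""
    hist, pre, post = HISTORY.search(log), PRE.search(log), POST.search(log)
    if not (hist and pre and post):
        raise ValueError("log lacks the auto-whitelist lines needed")
    count, total = int(hist.group(1)), float(hist.group(2))
    if count == 0:
        raise ValueError("no history for this sender, so there is no mean")
    pre_score = float(pre.group(1))
    mean = total / count                   # sender's historical average
    delta = (mean - pre_score) * factor    # pull the score toward that mean
    return {
        "mean": mean,
        "delta": delta,
        "post": pre_score + delta,
        "logged_post": float(post.group(1)),
    }


if __name__ == "__main__":
    for name, log in (("test", TEST_BOX), ("live", LIVE_BOX)):
        r = explain_awl(log)
        print(f"{name}: mean={r['mean']:.4f} delta={r['delta']:+.4f} "
              f"post={r['post']:.4f} (logged {r['logged_post']})")
```

The same pre-score of 2.602 is raised on the test box and lowered on the live system purely because each database holds a different history for this sender and IP prefix.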


Re: How can I see all rules applied?

2008-09-05 Thread patrickbaer

I have now come down to a problem with the auto whitelist:

See the test machine:

[4998] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in /root/.spamassassin/auto-whitelist
[4998] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173 scores 5/61.821
[4998] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn score: 2.602, mean: 12.3642, IP: 190.173.128.77
[4998] dbg: auto-whitelist: add_score: new count: 6, new totscore: 64.423
[4998] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
[4998] dbg: auto-whitelist: DB addr list: file locked, breaking lock
[4998] dbg: locker: safe_unlock: unlink /root/.spamassassin/auto-whitelist.lock
[4998] dbg: auto-whitelist: post auto-whitelist score: 7.4831

Compared to the live-system:

[18824] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in /root/.spamassassin/auto-whitelist
[18824] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=190.173 scores 6/13.112
[18824] dbg: auto-whitelist: AWL active, pre-score: 2.602, autolearn score: 2.602, mean: 2.185333, IP: 190.173.128.77
[18824] dbg: auto-whitelist: add_score: new count: 7, new totscore: 15.714
[18824] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
[18824] dbg: auto-whitelist: DB addr list: file locked, breaking lock
[18824] dbg: locker: safe_unlock: unlink /root/.spamassassin/auto-whitelist.lock
[18824] dbg: auto-whitelist: post auto-whitelist score: 2.393667

-- 
View this message in context: 
http://www.nabble.com/How-can-I-see-all-rules-applied--tp19312076p19329022.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Results from test machine, was: Re: How can I see all rules applied?

2008-09-05 Thread Jonas Eckerman

patrickbaer wrote:

> And this is the output from the very same command, ran on the test box:

The command might be the same, but the message was not. There are 
important differences in the headers (see below).

Only one of the messages had any "Received:" headers, which can 
make a big difference for the score. In this case the rules 
RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_XBL RBL and RCVD_IN_PBL RBL hit 
the message with complete headers, which is a score difference of 5.6.

Another difference between the scores is that one of the messages 
hit more URIBL rules than the other. This could simply be because 
some time has passed between your two tests, but it could also be 
due to DNS problems.



The headers for the first message were:
---8<---
From: "Ayomide Acton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: The best offer!
Date: Thu, 4 Sep 2008 08:14:46 -0500
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_000_0012_01C90E66.4AEF7570"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Status:
---8<---

The headers for the message on the test box were:
---8<---
Return-Path: <[EMAIL PROTECTED]>
Received: from medusa.tvwerk.de ([unix socket])
 by medusa2 (Cyrus v2.2.13-Debian-2.2.13-10.cb1.1) with LMTPA;
 Thu, 04 Sep 2008 15:15:10 +0200
X-Sieve: CMU Sieve 2.2
Received: from proxy.tvwerk.de (proxy1 [10.10.10.2])
 by medusa.tvwerk.de (Postfix) with ESMTP id 2AAD81BD7F22
 for <[EMAIL PROTECTED]>; Thu, 4 Sep 2008 15:15:10 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by proxy.tvwerk.de (Postfix) with ESMTP id 208B43040D6
 for <[EMAIL PROTECTED]>; Thu, 4 Sep 2008 15:15:10 +0200 (CEST)
X-Virus-Scanned: amavisd-new at tvwerk.de
X-Spam-Flag: NO
X-Spam-Score: 1.491
X-Spam-Level: *
X-Spam-Status: No, score=1.491 tagged_above=0 required=5
 tests=[BAYES_05=-1.11, HTML_MESSAGE=0.001,
 RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.5,
 RAZOR2_CHECK=0.5, RDNS_NONE=0.1]
Received: from proxy.tvwerk.de ([127.0.0.1])
 by localhost (proxy1.tvwerk.de [127.0.0.1])
 (amavisd-new, port 10024)
 with ESMTP id 4N+6qeb1DG4o for <[EMAIL PROTECTED]>;
 Thu, 4 Sep 2008 15:14:54 +0200 (CEST)
Received: from abenalaptop (unknown [190.173.128.77])
 by proxy.tvwerk.de (Postfix) with ESMTP id 7E8E03040CB
 for <[EMAIL PROTECTED]>; Thu, 4 Sep 2008 15:14:50 +0200 (CEST)
From: "Ayomide Acton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: The best offer!
Date: Thu, 4 Sep 2008 08:14:46 -0500
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_000_0012_01C90E66.4AEF7570"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Status:
---8<---

Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
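
A quick way to check whether two copies of a message give relay-based rules the same material is to list the relay addresses each copy exposes in its "Received:" headers. The following is an added example, not part of any post; the samples are constructed from header lines quoted above (redacted addresses replaced by `example.invalid`, the `for <...>` clauses dropped), and `relay_ips` is a hypothetical helper.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample: the copy that carried no Received headers.
STRIPPED = """\
From: "Ayomide Acton" <sender@example.invalid>
To: <rcpt@example.invalid>
Subject: The best offer!
Date: Thu, 4 Sep 2008 08:14:46 -0500
"""

# Constructed sample: the same message with three of the quoted hops.
FULL = """\
Received: from proxy.tvwerk.de (proxy1 [10.10.10.2])
 by medusa.tvwerk.de (Postfix) with ESMTP id 2AAD81BD7F22;
 Thu, 4 Sep 2008 15:15:10 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by proxy.tvwerk.de (Postfix) with ESMTP id 208B43040D6;
 Thu, 4 Sep 2008 15:15:10 +0200 (CEST)
Received: from abenalaptop (unknown [190.173.128.77])
 by proxy.tvwerk.de (Postfix) with ESMTP id 7E8E03040CB;
 Thu, 4 Sep 2008 15:14:50 +0200 (CEST)
""" + STRIPPED

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_headers):
    """Return (all_ips, public_ips) from Received headers, top to bottom."""
    msg = HeaderParser().parsestr(raw_headers)
    seen, public = [], []
    for hop in msg.get_all("Received", []):
        for text in BRACKETED_IP.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not a valid IPv4 address
            seen.append(text)
            if ip.is_global:  # private and loopback hops cannot be on a DNSBL
                public.append(text)
    return seen, public


if __name__ == "__main__":
    for name, raw in (("stripped", STRIPPED), ("full", FULL)):
        print(name, relay_ips(raw))
```

A copy that returns an empty list has nothing for the RCVD_IN_* rules to look up, so its score is not comparable with a copy that still shows the external hop.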



Re: senderbase rating - how to appeal?

2008-09-05 Thread Michele Neylon :: Blacknight




Joseph

Thanks :)

Our main issue wasn't with the listing but with the total lack of 
appeals procedure or delisting, as several large corporates seem to 
trust Senderbase and block based on its score.


Thanks again

Michele


Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845



Re: senderbase rating - how to appeal?

2008-09-05 Thread Michele Neylon :: Blacknight


On 4 Sep 2008, at 15:49, Michael Scheidell wrote:

>> Does anyone know how you can appeal or query a senderbase rating?
>
> I think senderbase is automatic.. You start spamming, you get on the list.
> You stop spamming, (eventually) you get off the list.
> You must be new to the 'net', so you get one free clue:

You must be new to the net as well or maybe you think you're "clever"?



Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845



Re: final authority on forwarded email and spamassassin

2008-09-05 Thread mouss

RobertH wrote:

> Ok mouss lets try this
>
> I forward some email accounts of other domains I do not own with .forward
> files on those *nix boxen
>
> I have them forward to an email address I have in the abbacomm.net domain
> and of course we run spamassassin.

That's what I understood. I have similar accounts and I put the 
forwarding servers in my trusted_networks. You don't want to break SPF 
checking, AWL, ... etc. and you get the benefit of not checking them in 
dnsbl and the like.

> They run spamassassin on their boxes too yet it does a poor admin job.
>
> Should I forward to my box or not and train those spammy emails or what?

you want to filter these messages, so you need to run SA on them. and 
for better results, you need to train it.

> Or should I just pop3 from them and be done with it or?

It's up to you. I prefer forwarding.

> That is what I am talking about...