Re: spamassassin can't rewrite subject in cpanel 11?
not007 wrote:
> I am using cpanel 11 and being told that I can't get spamassassin to rewrite the subject of emails that are spam. Spam assassin IS adding info in the header like:
>
> X-Spam-Subject: [SPAM] test message
> X-Spam-Status: Yes, score=1002.4
> X-Spam-Score: 10024
> X-Spam-Bar: ++ +
>
> but I don't know how to write a mail rule in outlook express or outlook to read the header items and act on them. (the subject above has [spam] added, but the regular / displayed subject does NOT include the [spam] so it doesn't get put in the spam folder).

menu Tools
rules wizard
...
option with specific words in the message header
...
X-Spam-Status: Yes

untested!
Another low scoring obvious spam message
What can I do to increase my chances on spammies like this one: http://pastebin.com/m5f5d11e0

--
Get my PGP Public key here: http://pelorus.org/[EMAIL PROTECTED]
user_prefs brilliant indenting mode invented by me
Gentlemen, I save wads of space in my user_prefs with header J_YAHOO_CAL X-Yahoo-Newman-Property=~/calendar-invite/ score J_YAHOO_CAL 11 header J_MEDIAWIKI_MAILER X-Mailer=~/MediaWiki mailer/ score J_MEDIAWIKI_MAILER -10 instead of the traditional header J_YAHOO_CAL X-Yahoo-Newman-Property=~/calendar-invite/ score J_YAHOO_CAL 11 header J_MEDIAWIKI_MAILER X-Mailer=~/MediaWiki mailer/ score J_MEDIAWIKI_MAILER -10 (and as nobody is reading the spam except me, I have disposed of describe entries.)
Re: user_prefs brilliant indenting mode invented by me
Oh no oh no, man Mail::SpamAssassin::Conf says

    Whitespace in the files is not significant, but please note that starting a line with whitespace is deprecated, as we reserve its use for multi-line rule definitions, at some point in the future.

OK, sorry. I regret my previous message.

Wait. Wouldn't it be unfortunate if SpamAssassin goes the python route where whitespace counts in syntax, vs. perl where one can use the trusty semicolon and {}, especially as SpamAssassin is perl based...

(Anyway, I hate python as it doesn't fit into wrapped one-liners in Makefiles, etc. They expect everybody is editing on a terminal with TABs, etc.)
Re: Another low scoring obvious spam message
Skip wrote:
> What can I do to increase my chances on spammies like this one: http://pastebin.com/m5f5d11e0

maybe

header _CTYPE_PLAIN Content-Type =~ m|text/plain|
header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|
...
Re: user_prefs brilliant indenting mode invented by me
[EMAIL PROTECTED] wrote:
> Oh no oh no, man Mail::SpamAssassin::Conf says
>
>     Whitespace in the files is not significant, but please note that starting a line with whitespace is deprecated, as we reserve its use for multi-line rule definitions, at some point in the future.
>
> OK, sorry. I regret my previous message.
>
> Wait. Wouldn't it be unfortunate if SpamAssassin goes the python route where whitespace counts in syntax, vs. perl where one can use the trusty semicolon and {}, especially as SpamAssassin is perl based...

don't fight against the system. don't fight against syntax. If you don't like it, write a script to generate it from your own.

> (Anyway, I hate python as it doesn't fit into wrapped one-liners in Makefiles, etc. They expect everybody is editing on a terminal with TABs, etc.)
Re: How to integrate spamassassin in a web app?
Hi,

yep, I'm sorry about the 3 posts. It wasn't because of an edit, but because the Nabble site timed out :(

BTW, I tried your solution and it works, thanks :)
RE: spamassassin can't rewrite subject in cpanel 11?
mouss wrote:
> not007 wrote:
>> I am using cpanel 11 and being told that I can't get spamassassin to rewrite the subject of emails that are spam. Spam assassin IS adding info in the header like:
>>
>> X-Spam-Subject: [SPAM] test message
>> X-Spam-Status: Yes, score=1002.4
>> X-Spam-Score: 10024
>> X-Spam-Bar: ++ +
>>
>> but I don't know how to write a mail rule in outlook express or outlook to read the header items and act on them. (the subject above has [spam] added, but the regular / displayed subject does NOT include the [spam] so it doesn't get put in the spam folder).
>
> menu Tools
> rules wizard
> ...
> option with specific words in the message header
> ...
> X-Spam-Status: Yes
>
> untested!

This works on Outlook, but header tests were not available in Outlook Express the last time I checked.

--
Bowie
RE: user_prefs brilliant indenting mode invented by me
[EMAIL PROTECTED] wrote:
> Oh no oh no, man Mail::SpamAssassin::Conf says
>
>     Whitespace in the files is not significant, but please note that starting a line with whitespace is deprecated, as we reserve its use for multi-line rule definitions, at some point in the future.
>
> OK, sorry. I regret my previous message.

Then just do it the other way:

header BLAH score BLAH ...

> Wait. Wouldn't it be unfortunate if SpamAssassin goes the python route where whitespace counts in syntax, vs. perl where one can use the trusty semicolon and {}, especially as SpamAssassin is perl based...
>
> (Anyway, I hate python as it doesn't fit into wrapped one-liners in Makefiles, etc. They expect everybody is editing on a terminal with TABs, etc.)

Since SA is written in Perl, I doubt that is going to happen.

--
Bowie
Re: Another low scoring obvious spam message
On Thu, 18 Sep 2008, Skip wrote:
> What can I do to increase my chances on spammies like this one: http://pastebin.com/m5f5d11e0

(1) train your bayes with it

(2) try the sought fraud ruleset that Justin is generating
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
An AR-15 in civilian hands used to defend a home or business: a High Velocity Assault Weapon with High Capacity Magazines
An AR-15 in Law Enforcement Officer hands used to murder six kids: a Police-Style Patrol Rifle
---
Tomorrow: Talk Like a Pirate day
RE: spamassassin can't rewrite subject in cpanel 11?
> header tests were not available in Outlook Express

That's what I am seeing also. That seems like a big deal - cpanel is used in lots of web hosting and spam assassin is needed these days. Not everyone uses outlook and OE is a free app that comes with windows (yeah, I guess you get what you pay for : )...

But this WAS usable with OE before. Taking away a critical feature for the sake of new and improved is hard to push on clients, right?

Bowie Bailey wrote:
> mouss wrote:
>> not007 wrote:
>>> I am using cpanel 11 and being told that I can't get spamassassin to rewrite the subject of emails that are spam. Spam assassin IS adding info in the header like:
>>>
>>> X-Spam-Subject: [SPAM] test message
>>> X-Spam-Status: Yes, score=1002.4
>>> X-Spam-Score: 10024
>>> X-Spam-Bar: ++ +
>>>
>>> but I don't know how to write a mail rule in outlook express or outlook to read the header items and act on them. (the subject above has [spam] added, but the regular / displayed subject does NOT include the [spam] so it doesn't get put in the spam folder).
>>
>> menu Tools
>> rules wizard
>> ...
>> option with specific words in the message header
>> ...
>> X-Spam-Status: Yes
>>
>> untested!
>
> This works on Outlook, but header tests were not available in Outlook Express the last time I checked.
>
> --
> Bowie
Re: spamassassin can't rewrite subject in cpanel 11?
a rule based on the header text is doable in outlook, but not outlook express.

mouss-2 wrote:
> not007 wrote:
>> I am using cpanel 11 and being told that I can't get spamassassin to rewrite the subject of emails that are spam. Spam assassin IS adding info in the header like:
>>
>> X-Spam-Subject: [SPAM] test message
>> X-Spam-Status: Yes, score=1002.4
>> X-Spam-Score: 10024
>> X-Spam-Bar: ++ +
>>
>> but I don't know how to write a mail rule in outlook express or outlook to read the header items and act on them. (the subject above has [spam] added, but the regular / displayed subject does NOT include the [spam] so it doesn't get put in the spam folder).
>
> menu Tools
> rules wizard
> ...
> option with specific words in the message header
> ...
> X-Spam-Status: Yes
>
> untested!
RE: spamassassin can't rewrite subject in cpanel 11?
On Thu, 2008-09-18 at 06:36 -0700, not007 wrote:
> But this WAS usable with OE before. Taking away a critical feature for the sake of new and improved is hard to push on clients, right?

See .sig

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Think Microsoft cares about your needs at all? A company wanted to hold off on upgrading Microsoft Office for a year in order to do other projects. So Microsoft gave a 'free' copy of the new Office to the CEO -- a copy that of course generated errors for anyone else in the firm reading his documents. The CEO got tired of getting the 'please re-send in XX format' so he ordered other projects put on hold and the Office upgrade to be top priority. -- Cringely, 4/8/2004
---
Tomorrow: Talk Like a Pirate day
RE: spamassassin can't rewrite subject in cpanel 11?
At 06:19 18-09-2008, Bowie Bailey wrote:
> This works on Outlook, but header tests were not available in Outlook Express the last time I checked.

In Outlook Express, you can have a rule for the Subject line.

Regards,
-sm
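For mail clients that can only filter on the Subject line, one option is a delivery-time filter that copies the tag into the visible Subject whenever X-Spam-Status says Yes. The Python below is an added example, not code from any poster or from cPanel/SpamAssassin; it assumes you can run a filter at delivery (for instance from procmail), the sample message is constructed from the header values quoted in the thread, and `promote_spam_subject` and `fallback_tag` are hypothetical names.

```python
import re
from email import message_from_string

# Constructed sample message using the header values quoted in the thread.
SAMPLE = (
    "From: sender@example.com\n"
    "To: user@example.com\n"
    "Subject: test message\n"
    "X-Spam-Subject: [SPAM] test message\n"
    "X-Spam-Status: Yes, score=1002.4\n"
    "X-Spam-Score: 10024\n"
    "\n"
    "body text\n"
)

# "Yes"/"No" verdict, optionally followed somewhere later by score=<number>.
STATUS_RE = re.compile(
    r"\s*(yes|no)\b(?:.*?\bscore=(-?\d+(?:\.\d+)?))?",
    re.IGNORECASE | re.DOTALL,
)


def parse_status(value):
    """Return (is_spam, score) from an X-Spam-Status value, or None if unparsable."""
    m = STATUS_RE.match(value or "")
    if m is None:
        return None
    score = float(m.group(2)) if m.group(2) is not None else None
    return m.group(1).lower() == "yes", score


def promote_spam_subject(raw, fallback_tag="[SPAM] "):
    """Make the visible Subject carry the spam tag when the filter said Yes.

    Returns (message_text, is_spam). A message without a parsable
    X-Spam-Status header is returned unchanged and treated as not spam.
    """
    msg = message_from_string(raw)
    # msg[...] returns the first (topmost) header of that name, or None.
    status = parse_status(msg["X-Spam-Status"])
    if status is None or not status[0]:
        return raw, False

    current = msg["Subject"] or ""
    tagged = msg["X-Spam-Subject"]
    if tagged is None:
        # No pre-tagged subject was supplied: build one, without double-tagging.
        tagged = current if current.startswith(fallback_tag) else fallback_tag + current

    if "Subject" in msg:
        msg.replace_header("Subject", tagged)  # keeps the header's position
    else:
        msg["Subject"] = tagged
    return msg.as_string(), True


if __name__ == "__main__":
    text, is_spam = promote_spam_subject(SAMPLE)
    print(is_spam)
    print(text)
```

Only act on X-Spam-* headers that your own filter added; the same header names arriving from outside carry no authority.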
Re: Another low scoring obvious spam message
On Thu, September 18, 2008 8:55 am, mouss wrote:
> Skip wrote:
>> What can I do to increase my chances on spammies like this one: http://pastebin.com/m5f5d11e0
>
> maybe
>
> header _CTYPE_PLAIN Content-Type =~ m|text/plain|
> header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|

I wonder if that would have too many false positives. It got me thinking though. I looked in the 20_body_tests.cf rules and see the following rules:

rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count')
describe __MIME_BASE64 Includes a base64 attachment
rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding
rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text')
describe MIME_BASE64_TEXT Message text disguised using base64 encoding

and from the 20_head_tests.cf

meta FROM_EXCESS_BASE64 __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME
describe FROM_EXCESS_BASE64 From: base64 encoded unnecessarily

Interestingly, I have had exactly three spams fire the MIME_BASE64_TEXT rule in the past six months, but I have had ten hams fire the rule. Too many FPs for me. Same with the FROM_EXCESS_BASE64 rule: I have had zero spams fire that rule, but have had two hams fire it (they were newsletters from Red Hat). Sadly, these both sound like they would be good rules, but they don't seem to live up to their potential. (Btw, I am working with about 6,000 spams and 3,500 hams)

Quick aside: Does SA decode the message body before running the body tests? I was really surprised that the decoded content on this message didn't trigger any of the get rich quick rules, or my bayes.
Re: Another low scoring obvious spam message
On Thu, September 18, 2008 9:33 am, John Hardin wrote:
> On Thu, 18 Sep 2008, Skip wrote:
>> What can I do to increase my chances on spammies like this one: http://pastebin.com/m5f5d11e0
>
> (1) train your bayes with it

I am using bayes, but it didn't catch it. I was quite surprised at that.

> (2) try the sought fraud ruleset that Justin is generating
> http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf

I'm using that too, and again no joy there. It may be time for an sa-update though.

Thanks for the ideas though :)

Skip
Re: Another low scoring obvious spam message
Skip Morrow wrote:
> On Thu, September 18, 2008 9:33 am, John Hardin wrote:
>> On Thu, 18 Sep 2008, Skip wrote:
>>> What can I do to increase my chances on spammies like this one: http://pastebin.com/m5f5d11e0
>>
>> (1) train your bayes with it
>
> I am using bayes, but it didn't catch it. I was quite surprised at that.

Doesn't look to me like you are using bayes. There is no bayes score in the headers.

X-Spam-Report:
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 *  1.3 MISSING_HEADERS Missing To: header
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 MIME_BASE64_BLANKS RAW: Extra blank lines in base64 encoding

Regards,
Rick
Re: Another low scoring obvious spam message
>> I am using bayes, but it didn't catch it. I was quite surprised at that.
>
> Doesn't look to me like you are using bayes. There is no bayes score in the headers.

Oh. I thought I was. I do get reports in some messages. Here's the debug from this particular message:

[12541] dbg: config: read file /home/peloruso/.spamassassin/23_bayes.cf
[12541] dbg: config: read file /home/peloruso/.spamassassin/70_sare_bayes_poison_nxm.cf
[12541] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
[12541] dbg: config: fixed relative path: /home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using /home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf for included file
[12541] dbg: config: read file /home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: fixed relative path: /home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using /home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf for included file
[12541] dbg: bayes: tie-ing to DB file R/O /home/peloruso/.spamassassin/skip/bayes/bayes_toks
[12541] dbg: bayes: tie-ing to DB file R/O /home/peloruso/.spamassassin/skip/bayes/bayes_seen
[12541] dbg: bayes: found bayes db version 3
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: corpus size: nspam = 4748, nham = 1680
[12541] dbg: bayes: score = 2.02454774056449e-08
[12541] dbg: bayes: DB expiry: tokens in DB: 136363, Expiry max size: 15, Oldest atime: 1216674739, Newest atime: 1221711862, Last expire: 1220940612, Current time: 1221712855
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: untie-ing

Anything look funny in there? I see a very low score: 2.02e-08, but isn't it still working?
Re: Another low scoring obvious spam message
Sorry about the double post--operator error.
RE: spamassassin can't rewrite subject in cpanel 11?
> header tests were not available in Outlook Express

This might be the wrong question in the wrong place yet in this day and age, why in the world is anyone using outlook express?

Stop do it! ;-

There are many other good choices.

- rh
force Bayes DB to expire
Hello list,

first I'm wondering why I got the following error, because in my local.cf I set 'bayes_auto_expire 1' to prevent SpamAssassin from expire the bayes-db (or did amavis the expire?):

Sep 18 13:15:48 server amavis[19655]: (19655-04) (!)SA TIMED OUT, backtrace: at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 630\n\teval {...} called at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 630\n\tMail::SpamAssassin::BayesStore::DBM::calculate_expire_delta('Mail::SpamAssassin::BayesStore::DBM=HASH(0xa61ea14)',1221736346,43200,512) called at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm line 322\n\tMail::SpamAssassin::BayesStore::expire_old_tokens_trapped('Mail::SpamAssassin::BayesStore::DBM=HASH(0xa61ea14)','undef') called at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm line 215\n\teval {...} called at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm line 212\n\tMail::SpamAssassin::BayesStore::expire_old_tokens('Mail::SpamAssassin::BayesStore::DBM=HASH(0xa61ea14)','undef') called at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Bayes[...]

Second, if I run

# sa-learn --debug --force-expire --dbpath ./ -p ./user_prefs -u vscan

I get the following:

[4069] dbg: bayes: expiry check keep size, 0.75 * max: 225
[4069] dbg: bayes: token count: 3425687, final goal reduction size: 1175687
[4069] dbg: bayes: first pass? current: 1221753006, Last: 1221752575, atime: 691200, count: 101725, newdelta: 59805, ratio: 11.5575030720079, period: 43200
[4069] dbg: bayes: can't use estimation method for expiry, unexpected result, calculating optimal atime delta (first pass)
[4069] dbg: bayes: expiry max exponent: 9
[4069] dbg: bayes: atime token reduction
[4069] dbg: bayes: ===
[4069] dbg: bayes: 43200 2897558
[4069] dbg: bayes: 86400 2668468
[4069] dbg: bayes: 172800 2125446
[4069] dbg: bayes: 345600 1241167
[4069] dbg: bayes: 691200 4482
[4069] dbg: bayes: 1382400 0
[4069] dbg: bayes: 2764800 0
[4069] dbg: bayes: 5529600 0
[4069] dbg: bayes: 11059200 0
[4069] dbg: bayes: 22118400 0
[4069] dbg: bayes: first pass decided on 691200 for atime delta
bayes: synced databases from journal in 8 seconds: 11174 unique entries (20637 total entries)

And it takes approx. 10 minutes to finish with a 220 MB Bayes-DB. Is that OK?

Greetings
Stefan
Re: Another low scoring obvious spam message
On Thu, 18 Sep 2008, Skip Morrow wrote:
>> Doesn't look to me like you are using bayes. There is no bayes score in the headers.
>
> Oh. I thought I was. I do get reports in some messages. Here's the debug from this particular message:
>
> [12541] dbg: config: read file /home/peloruso/.spamassassin/23_bayes.cf

Silly question, but is peloruso the user that spamd is running as? user/database mismatch is a common problem.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
What nuts do with guns is terrible, certainly. But what evil or crazy people do with *anything* is not a valid argument for banning that item. -- John C. Randolph [EMAIL PROTECTED]
---
Tomorrow: Talk Like a Pirate day
Re: Another low scoring obvious spam message
> Silly question, but is peloruso the user that spamd is running as? user/database mismatch is a common problem.

I'm not using spamd, I call spamassassin from procmail. I'm on a shared host that doesn't allow users to run their own daemons (although they are running their own spamd, but not with the options I want/need)

But, yes, all processes under my account are run as peloruso.
Re: Another low scoring obvious spam message
Skip Morrow wrote:
> On Thu, September 18, 2008 8:55 am, mouss wrote:
>> Skip wrote:
>>> What can I do to increase my chances on spammies like this one: http://pastebin.com/m5f5d11e0
>>
>> maybe
>>
>> header _CTYPE_PLAIN Content-Type =~ m|text/plain|
>> header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|
>
> I wonder if that would have too many false positives.

it will trigger on ham, which means you shouldn't score it too much. If you check the list mail, it'll trigger for mail sent by Larry Rosenbaum.

> It got me thinking though. I looked in the 20_body_tests.cf rules and see the following rules:
>
> rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count')
> describe __MIME_BASE64 Includes a base64 attachment
> rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
> describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding
> rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text')
> describe MIME_BASE64_TEXT Message text disguised using base64 encoding
>
> and from the 20_head_tests.cf
>
> meta FROM_EXCESS_BASE64 __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME
> describe FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
>
> Interestingly, I have had exactly three spams fire the MIME_BASE64_TEXT rule in the past six months, but I have had ten hams fire the rule. Too many FPs for me. Same with the FROM_EXCESS_BASE64 rule: I have had zero spams fire that rule, but have had two hams fire it (they were newsletters from Red Hat). Sadly, these both sound like they would be good rules, but they don't seem to live up to their potential. (Btw, I am working with about 6,000 spams and 3,500 hams)
>
> Quick aside: Does SA decode the message body before running the body tests? I was really surprised that the decoded content on this message didn't trigger any of the get rich quick rules, or my bayes.
Re: Another low scoring obvious spam message
Skip Morrow wrote:
> On Thu, September 18, 2008 9:33 am, John Hardin wrote:
>> On Thu, 18 Sep 2008, Skip wrote:
>>> What can I do to increase my chances on spammies like this one: http://pastebin.com/m5f5d11e0
>>
>> (1) train your bayes with it
>
> I am using bayes, but it didn't catch it. I was quite surprised at that.

h...

Content analysis details: (6.3 points, 5.0 required)

 pts rule name            description
---- -------------------- --------------------------------------------------
 3.5 BAYES_99             BODY: Bayesian spam probability is 99 to 100% [score: 1.]
-0.0 SPF_HELO_PASS        SPF: HELO matches SPF record
-0.0 SPF_PASS             SPF: sender matches SPF record
 1.3 MISSING_HEADERS      Missing To: header
 1.5 BASE64_LENGTH_79_INF BODY: BASE64_LENGTH_79_INF
 0.0 MIME_BASE64_BLANKS   RAW: Extra blank lines in base64 encoding

>> (2) try the sought fraud ruleset that Justin is generating
>> http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
>
> I'm using that too, and again no joy there. It may be time for an sa-update though.

sa-update and jm sought here. without Bayes, it's missed.
Re: Another low scoring obvious spam message
Skip Morrow wrote:
> Sorry about the double post--operator error.

fire operator :)
Re: force Bayes DB to expire
> Hello list,
>
> first I'm wondering why I got the following error, because in my local.cf I set 'bayes_auto_expire 1' to prevent SpamAssassin from expire the bayes-db (or did amavis the expire?):

Ah? Bayes will auto expire if you set it for 'true' (1).

Amavis doesn't do anything, with bayes_auto_expire true, spamassassin does the auto-expire (amavis calls spamassassin, which is why you get the amavis logs)

so: #1, you want to set bayes_auto_expire 0 in local.cf if you want to run a nightly cronjob to run bayes expire (recommended)

Yes, I guess it could take 10 mins. Best practices says either move to sql based bayes, or use db4 with enough ram to cache things better.

> And it takes approx. 10 minutes to finish with a 220 MB Bayes-DB. Is that OK?
>
> Greetings
> Stefan
sa-learn
Is it possible to forward spam sent to me to another user, e.g. spam, and run sa-learn on that mailbox? I will then be sender.

--
Regards
Lars Ebeling
http://leopg9.no-ip.org
Hobbithobbyist
I am not young enough to know everything. -- Oscar Wilde
RE: spamassassin can't rewrite subject in cpanel 11?
RobertH wrote:
>> header tests were not available in Outlook Express
>
> This might be the wrong question in the wrong place yet in this day and age, why in the world is anyone using outlook express?

Because it comes installed with every Windows computer. Quite a few (most?) people will simply use it rather than spending the time and energy to find and install an alternative (if they are even aware that there ARE alternatives).

> There are many other good choices.

Agreed. I use Thunderbird at home.

--
Bowie
Re: Another low scoring obvious spam message
>> I am using bayes, but it didn't catch it. I was quite surprised at that.
>
> h...
>
> Content analysis details: (6.3 points, 5.0 required)
>
>  pts rule name            description
> ---- -------------------- --------------------------------------------------
>  3.5 BAYES_99             BODY: Bayesian spam probability is 99 to 100% [score: 1.]
> -0.0 SPF_HELO_PASS        SPF: HELO matches SPF record
> -0.0 SPF_PASS             SPF: sender matches SPF record
>  1.3 MISSING_HEADERS      Missing To: header
>  1.5 BASE64_LENGTH_79_INF BODY: BASE64_LENGTH_79_INF
>  0.0 MIME_BASE64_BLANKS   RAW: Extra blank lines in base64 encoding

How interesting that you are hitting the BASE64_LENGTH_79_INF rule and I'm not. I just looked and I have never triggered that rule in any spams, but I have triggered it in a couple of hams. Now why would it work for you and not for me hm. I am using SA 3.2.4. By the way, that mime block is only 76 characters wide.

> sa-update and jm sought here. without Bayes, it's missed.

I ran sa-update just a few minutes ago and it didn't make a difference. I habitually run most of my spam through sa-learn and most of my ham too. I know it's working b/c I do have a lot of spam trigger the BAYES_99 rule (and others too). I am still surprised that I had such a low score on this one. Bayes would have been my only saving grace here too.
More spam after disabling local BIND ?
Configuration (maybe more than you care to see, sorry)
--
1) platform: kubuntu 8.04
2) SA version: 3.2.4
3) options:
   add_header spam BB score=_SCORE_
   report_safe 0
   lock_method flock
4) using qmail - procmail - spamc - spamd

ps ea | grep spam shows ...

/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --username spamd -s /usr/local/bb/spamassassin/spamd.log -d --pidfile=/usr/local/bb/spamassassin/spamd.pid

this snippet is from /etc/procmailrc

:0fw: spamassassin.lock
* < 256000
| spamc -F /usr/local/bb/spamassassin/bb.spamc.conf

cat bb.spamc.conf shows

-u spamd -s 100 --headers

SA has been working great! Very few spam messages get through.

Then, we made ONE change to the machine. We turned off BIND, and just resolve to the ISP name servers. After that, lots and lots of spam gets through? Not everything, just a lot more than when BIND was running locally.

So, instead of having BIND running locally, and forwarding to the name servers provided by our ISP, we turned off running BIND, and placed the ISP name servers addresses in /etc/resolv.conf.

Just for clarity, here is what we did to /etc/resolv.conf

# nameserver 192.168.1.17 comment out our localhost, since bind is no longer running
domain angels.bookus-boulet.com
nameserver 66.189.0.29
nameserver 66.189.0.30

So, really that is all we did. After that, lots of spam gets through.

Just to check, we turned our nameserver back on (and adjusted /etc/resolv.conf accordingly), and once again SA works great!

So, please tell me what I am doing wrong here

Thanks in advance ... jules
Re: Another low scoring obvious spam message
On Thu, 18 Sep 2008, mouss wrote:
>>> (2) try the sought fraud ruleset that Justin is generating
>>> http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
>>
>> I'm using that too, and again no joy there. It may be time for an sa-update though.
>
> sa-update and jm sought here. without Bayes, it's missed.

sought != sought_fraud.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Your mouse has moved. Your Windows Operating System must be relicensed due to this hardware change. Please contact Microsoft to obtain a new activation key. If this hardware change results in added functionality you may be subject to additional license fees. Your system will now shut down. Thank you for choosing Microsoft.
---
Tomorrow: Talk Like a Pirate day
Re: More spam after disabling local BIND ?
Ok - that explains it - thank you very much. Really, many thanks!

But, is there a way to still not run BIND locally, and continue to benefit from the RBL filters? Perhaps there is a timeout associated with the RBL filters that can be increased? I understand that if such a timeout option existed and was increased, performance would suffer. I'm just fishing here ...

Turning off BIND was needed for other reasons. It's not mandatory that we not run BIND, just one less service that we would have to maintain. (we meaning ME!)

Many thanks for your help, Kevin

Kevin Parris wrote:
> You're wasting time and network resources by sending all the RBL query traffic upstream to your ISP. The ISP servers may, or may not, be caching the results. Your spam detection rate may be suffering from delayed (or absent) responses to the queries, thus missing score values that would mark more of your traffic as spam.
>
> Keep the local caching DNS running - you've already figured out by observation that it is a valuable tool.
>
> Jules Yasuna [EMAIL PROTECTED] 09/18/08 1:23 PM
>> Just to check, we turned our nameserver back on (and adjusted /etc/resolv.conf accordingly), and once again SA works great!
>>
>> So, please tell me what I am doing wrong here
>>
>> Thanks in advance ... jules
Re: More spam after disabling local BIND ?
Jules Yasuna wrote:
> Configuration (maybe more than you care to see, sorry)
> --
> 1) platform: kubuntu 8.04
> 2) SA version: 3.2.4
> 3) options:
>    add_header spam BB score=_SCORE_
>    report_safe 0
>    lock_method flock
> 4) using qmail - procmail - spamc - spamd
>
> ps ea | grep spam shows ...
>
> /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --username spamd -s /usr/local/bb/spamassassin/spamd.log -d --pidfile=/usr/local/bb/spamassassin/spamd.pid
>
> this snippet is from /etc/procmailrc
>
> :0fw: spamassassin.lock
> * < 256000
> | spamc -F /usr/local/bb/spamassassin/bb.spamc.conf
>
> cat bb.spamc.conf shows
>
> -u spamd -s 100 --headers
>
> SA has been working great! Very few spam messages get through.
>
> Then, we made ONE change to the machine. We turned off BIND, and just resolve to the ISP name servers. After that, lots and lots of spam gets through? Not everything, just a lot more than when BIND was running locally.
>
> So, instead of having BIND running locally, and forwarding to the name servers provided by our ISP, we turned off running BIND, and placed the ISP name servers addresses in /etc/resolv.conf.
>
> Just for clarity, here is what we did to /etc/resolv.conf
>
> # nameserver 192.168.1.17 comment out our localhost, since bind is no longer running
> domain angels.bookus-boulet.com
> nameserver 66.189.0.29
> nameserver 66.189.0.30
>
> So, really that is all we did. After that, lots of spam gets through.
>
> Just to check, we turned our nameserver back on (and adjusted /etc/resolv.conf accordingly), and once again SA works great!
>
> So, please tell me what I am doing wrong here
>
> Thanks in advance ... jules

I'm wondering if your DNS servers are running slow or timing out. Have you tried running SA in debug mode and looking for DNS related delays or issues?

--Blaine
Re: sa-learn
On Thu, 18 Sep 2008, Lars Ebeling wrote:
Is it possible to forward spam sent to me to another user, e.g. spam, and run sa-learn on that mailbox? I will then be sender.
Possible, yes. Recommended, no, for the reason you note: forwarding alters the message. Probably the best way is to set up an IMAP mail folder that the SA system can learn from, then just move the message to train from your inbox folder to that folder; this will leave the message in its original form. There are examples of this in the archives, searching on learn imap will probably find them.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Your mouse has moved. Your Windows Operating System must be relicensed due to this hardware change. Please contact Microsoft to obtain a new activation key. If this hardware change results in added functionality you may be subject to additional license fees. Your system will now shut down. Thank you for choosing Microsoft.
---
Tomorrow: Talk Like a Pirate day
Re: Another low scoring obvious spam message
Skip Morrow wrote:
I am using bayes, but it didn't catch it. I was quite surprised at that.
h...
Content analysis details: (6.3 points, 5.0 required)
 pts  rule name             description
 --   --
 3.5  BAYES_99              BODY: Bayesian spam probability is 99 to 100% [score: 1.]
-0.0  SPF_HELO_PASS         SPF: HELO matches SPF record
-0.0  SPF_PASS              SPF: sender matches SPF record
 1.3  MISSING_HEADERS       Missing To: header
 1.5  BASE64_LENGTH_79_INF  BODY: BASE64_LENGTH_79_INF
 0.0  MIME_BASE64_BLANKS    RAW: Extra blank lines in base64 encoding
How interesting that you are hitting the BASE64_LENGTH_79_INF rule and I'm not. I just looked and I have never triggered that rule in any spams, but I have triggered it in a couple of hams. Now why would it work for you and not for me hm. I am using SA 3.2.4. By the way, that mime block is only 76 characters wide.
well, I did a cut-paste from the pastebin page, so maybe there's a mismatch between what I passed to sa and your message?
sa-update and jm sought here. without Bayes, it's missed.
I ran sa-update just a few minutes ago and it didn't make a difference. I habitually run most of my spam through sa-learn and most of my ham too. I know it's work b/c I do have a lot of spam trigger the BAYES_99 rule (and others too). I am still surprised that I had such a low score on this one. Bayes would have been my only saving grace here too.
I have spam that goes to pseudo-traps. maybe this helps Bayes. anyway, if your SA only misses few spam, there's no need to try to improve that with new rules.
Re: More spam after disabling local BIND ?
On Thu, 18 Sep 2008, Jules Yasuna wrote:
[snip..]
SA has been working great! Very few spam messages get through. Then, we made ONE change to the machine. We turned off BIND, and just resolve to the ISP name servers. After that, lots and lots of spam gets through? Not everything, just a lot more than when BIND was running locally
[snip..]
So, really that is all we did. After that, lots of spam gets through. Just to check, we turned our nameserver back on (and adjusted /etc/resolv.conf accordingly), and once again SA works great! So, please tell me what I am doing wrong here
Thanks in advance ... jules
To paraphrase an old joke:
Patient: Doctor Doctor, it hurts when I poke a stick into my eye. What should I do to stop the pain?
Doctor: Don't poke a stick into your eye.
It's considered generally good advice for spamassassin sites to run a local DNS server to reduce network traffic and timeouts. Is there a compelling reason not to follow this advice? Probably your ISP's DNS servers are busy and prone to delays, causing timeouts and loss of DNS based rules (RBLS, etc). Either run a local DNS server, find a better off-site server that doesn't suffer from delays (ask for permission to use them tho), or increase your network test timeout settings and expect delays in processing mail.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.edu College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
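The resolver delays discussed in this thread can be measured directly. The script below is an added example, not part of any poster's message: it sends one DNSBL-style lookup to each resolver with a hard timeout and reports whether an answer arrived in time. The zone dnsbl.example, the 5-second timeout and the function names are assumptions; the resolver addresses are the ones quoted in the thread.

```python
import socket
import struct
import time

def dnsbl_qname(ip, zone):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def build_query(qname, txid=0x1234):
    """Minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify(reply, txid=0x1234):
    """Map a raw DNS reply (or None) to what a DNSBL rule would see."""
    if reply is None:
        return "timeout"        # no answer in time: the rule cannot score
    if len(reply) < 12:
        return "other"
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if rid != txid:
        return "other"          # reply does not belong to our query
    if rcode == 0 and ancount > 0:
        return "listed"
    if rcode == 3:
        return "not-listed"     # NXDOMAIN
    return "other"              # SERVFAIL, REFUSED, empty answer

def probe(ip, zone, nameserver, timeout=5.0, port=53):
    """Send one lookup to nameserver; return (verdict, elapsed seconds)."""
    query = build_query(dnsbl_qname(ip, zone))
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (nameserver, port))
            reply, _ = s.recvfrom(512)
        except OSError:         # includes socket.timeout
            reply = None
    return classify(reply), time.monotonic() - start

if __name__ == "__main__":
    # Resolver addresses are the ones quoted in the thread; the zone is a
    # placeholder, and 127.0.0.2 is the conventional DNSBL test entry.
    for ns in ("192.168.1.17", "66.189.0.29", "66.189.0.30"):
        verdict, secs = probe("127.0.0.2", "dnsbl.example", ns)
        print(f"{ns:15} {verdict:10} {secs:.3f}s")
```

A resolver that regularly returns "timeout" or answers only after several seconds is one whose DNS-based rules will often contribute no score.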
Re: More spam after disabling local BIND ?
Jules Yasuna wrote:
Ok - that explains it - thank you very much. Really, many thanks! But, is there a way to still not run BIND locally, and continue to benefit from the RBL filters?
Take a look at djbdns. We run dnscache on all servers that require the ability to do a DNS lookup and have for several years. It also uses a minuscule amount of resources, if you cannot run dnscache you have bigger problems to deal with.
http://cr.yp.to/djbdns.html
dnscache setup, http://cr.yp.to/djbdns/run-cache.html
It makes a noticeable difference in RBL performance on your end, and provides a great reduction in traffic for the RBL provider.
DAve
Perhaps there is a timeout associated with the RBL filters that can be increased? I understand that if such a timeout option existed and was increased, performance would suffer. I'm just fishing here ... Turning off BIND was needed for other reasons. It's not mandatory that we not run BIND, just one less service that we would have to maintain. (we meaning ME!)
Many thanks for your help, Kevin
Kevin Parris wrote:
You're wasting time and network resources by sending all the RBL query traffic upstream to your ISP. The ISP servers may, or may not, be caching the results. Your spam detection rate may be suffering from delayed (or absent) responses to the queries, thus missing score values that would mark more of your traffic as spam. Keep the local caching DNS running - you've already figured out by observation that it is a valuable tool.
Jules Yasuna [EMAIL PROTECTED] 09/18/08 1:23 PM
Just to check, we turned our nameserver back on (and adjusted /etc/resolv.conf accordingly), and once again SA works great! So, please tell me what I am doing wrong here
Thanks in advance ... jules
--
Don't tell me I'm driving the cart!
Re: Another low scoring obvious spam message
John Hardin wrote:
On Thu, 18 Sep 2008, mouss wrote:
(2) try the sought fraud ruleset that Justin is generating
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
I'm using that too, and again no joy there. It may be time for an sa-update though.
sa-update and jm sought here. without Bayes, it's missed.
sought != sought_fraud.
ah. missed that. just tried it, but I get the same results.
Re: How to integrate spamassassin in a web app?
Bob Proulx wrote: Nabble! Bad Nabble! Let me be yet another voice complaining about how terrible Nabble is for mailing lists. AFAIK Nabble allows the user to modify sent messages. Every time they modify the message it sends the message again using the same Message-Id: as before. Grr... Nabble is very annoying to me. Nabble is to e-mail as Google groups is to Usenet. And yes, I killfile all posts from Google Groups. Pretty close to doing it for Nabble too.
Re: Another low scoring obvious spam message
sought != sought_fraud.
Whoops! Thanks! Got it now, but still no hits in that rule set either.
Re: More spam after disabling local BIND ?
Jules Yasuna wrote:
Ok - that explains it - thank you very much. Really, many thanks! But, is there a way to still not run BIND locally, and continue to benefit from the RBL filters? Perhaps there is a timeout associated with the RBL filters that can be increased? I understand that if such a timeout option existed and was increased, performance would suffer. I'm just fishing here ... Turning off BIND was needed for other reasons. It's not mandatory that we not run BIND, just one less service that we would have to maintain. (we meaning ME!)
running BIND in cache only mode doesn't really require a lot of maintenance. you can firewall it as much as your security policy requires. and if you don't want bind, try one of the available alternatives. but a local DNS is recommended on a mail server or spam filter that uses DNS.
Re: Another low scoring obvious spam message
anyway, if your SA only misses few spam, there's no need to try to improve that with new rules.
Yeah, this is the first spam I've gotten in about a month or maybe two. Still, I let it bug me too much. That, and it's slow at work today. I guess I'll just let it go.
Re: Another low scoring obvious spam message
On Thu, 18 Sep 2008, mouss wrote:
John Hardin wrote:
sought != sought_fraud.
ah. missed that. just tried it, but I get the same results.
That's not *too* surprising. At the moment the corpus for it is manually-collected fraud spams sent to me personally, and I don't necessarily see all possible forms.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Tomorrow: Talk Like a Pirate day
Re: How to integrate spamassassin in a web app?
xdmx wrote:
Hi, yep, I'm sorry about the 3 posts, it wasn't because of an edit, but because the nabble site went timeout :(
All the more reason to not use a web interface to an e-mail group.
btw, I tried your solution and it works, thanks :)
Whose solution? Who are you replying to?
Re: How to integrate spamassassin in a web app?
Evan Platt wrote:
Bob Proulx wrote:
Nabble! Bad Nabble! Let me be yet another voice complaining about how terrible Nabble is for mailing lists. AFAIK Nabble allows the user to modify sent messages. Every time they modify the message it sends the message again using the same Message-Id: as before. Grr... Nabble is very annoying to me.
Nabble is to e-mail as Google groups is to Usenet. And yes, I killfile all posts from Google Groups. Pretty close to doing it for Nabble too.
and in these days of SPF and DKIM, posting from nabble will cause more and more problems. unless of course they get the private key of every site ;-p
testing spam gives warn config error
Hi all,
I have a new install of MailScanner / Postfix / Spamassassin. When I run
   sudo -u postfix spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf -t message.MAI
I get the following error:
   warn config path /root/ .spamassassin is inaccessible permission denied
How can I resolve this error?
Thanks
Kate
Re: testing spam gives warn config error
Kate Kleinschafer wrote:
Hi all, I have a new install of MailScanner / Postfix / Spamassassin. When I run
   sudo -u postfix spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf -t message.MAI
I get the following error:
   warn config path /root/ .spamassassin is inaccessible permission denied
How can I resolve this error?
by running the command as root or by using another directory.
Re: testing spam gives warn config error
I don't think I want to run it as root do I? (MailScanner is set to use user postfix) Which config file sets it to use /root/ directory?
Thanks
Kate
mouss wrote:
Kate Kleinschafer wrote:
Hi all, I have a new install of MailScanner / Postfix / Spamassassin. When I run
   sudo -u postfix spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf -t message.MAI
I get the following error:
   warn config path /root/ .spamassassin is inaccessible permission denied
How can I resolve this error?
by running the command as root or by using another directory.
Re: testing spam gives warn config error
Kate Kleinschafer wrote:
I don't think I want to run it as root do I?
run the test command as root, not mailscanner. you have the error while running the test command. you don't have an error while running mailscanner.
(MailScanner is set to use user postfix)
I don't use MS so I have no idea about its configuration. I use amavisd-new.
Which config file sets it to use /root/ directory?
when you run SA from mailscanner, I'm sure the /root directory won't be used. so run it and see.
Re: testing spam gives warn config error
I am almost 100% certain that I need to be able to run this command as postfix.
Kate
mouss wrote:
Kate Kleinschafer wrote:
I don't think I want to run it as root do I?
run the test command as root, not mailscanner. you have the error while running the test command. you don't have an error while running mailscanner.
(MailScanner is set to use user postfix)
I don't use MS so I have no idea about its configuration. I use amavisd-new.
Which config file sets it to use /root/ directory?
when you run SA from mailscanner, I'm sure the /root directory won't be used. so run it and see.
what's the trick with sa-compile?
FreeBSD 6.2
re2c-0.13.5
SpamAssassin version 3.2.5 running on Perl version 5.8.8
Wdeclaration-after-statement -I/usr/local/include -O2 -fno-strict-aliasing -pipe-DVERSION=\1.0\ -DXS_VERSION=\1.0\ -DPIC -fPIC -I/usr/local/lib/perl5/5.8.8/mach/CORE body_0.c
cc -c-DAPPLLIB_EXP=/usr/local/lib/perl5/5.8.8/BSDPAN -DHAS_FPSETMASK - DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -O2 -fno-strict-aliasing -pipe-DVERSION=\1.0\ -DXS_VERSION=\1.0\ -DPIC -fPIC -I/usr/local/lib/perl5/5.8.8/mach/CORE scanner1.c
cc: Internal error: Killed: 9 (program cc1)
Please submit a full bug report.
See URL:http://gcc.gnu.org/bugs.html for instructions.
*** Error code 1
Stop in /tmp/.spamassassin395970Egncetmp/Mail-SpamAssassin-CompiledRegexps-body_0.
command failed! at /usr/local/bin/sa-compile line 285.
which is:
281 sub run {
282   my @cmd = @_;
283   print join(' ',@cmd)."\n";
284   system(@cmd);
285   ($?>>8 != 0) and die "command failed!";
286 }
thanks
Len
__
IMGate OpenSource Mail Firewall www.IMGate.net
Re: More spam after disabling local BIND ?
mouss [EMAIL PROTECTED] wrote: and if you don't want bind, try one of the available alternatives. but a local DNS is recommended on a mail server or spam filter that uses DNS. Regarding alternatives, we use djbdns here; highly recommended. -- Sahil Tandon [EMAIL PROTECTED]