date:20080918


not007 wrote:

I am using cpanel 11 and being told that I can't get spamassassin to rewrite
the subject of emails that are spam. Spam assassin IS adding info in the
header like:

X-Spam-Subject: [SPAM] test message
X-Spam-Status: Yes, score=1002.4
X-Spam-Score: 10024
X-Spam-Bar: ++ +

but I don't know how to write a mail rule in outlook express or outlook to
read the header items and act on them. (the subject above has [spam] added,
but the regular / displayed subject does NOT include the [spam] so it
doesn't get put in the spam folder).



menu Tools  rules wizard ...
 option with specific words in the message header
 ...
   X-Spam-Status: Yes

untested!

Another low scoring obvious spam message

2008-09-18 Thread Skip


What can I do to increase my chances on spammies like this one:
http://pastebin.com/m5f5d11e0

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]

user_prefs brilliant indenting mode invented by me

2008-09-18 Thread jidanni

Gentlemen, I save wads of space in my user_prefs with

header J_YAHOO_CAL X-Yahoo-Newman-Property=~/calendar-invite/
 score J_YAHOO_CAL 11
header J_MEDIAWIKI_MAILER X-Mailer=~/MediaWiki mailer/
 score J_MEDIAWIKI_MAILER -10

instead of the traditional

header J_YAHOO_CAL X-Yahoo-Newman-Property=~/calendar-invite/
score J_YAHOO_CAL 11

header J_MEDIAWIKI_MAILER X-Mailer=~/MediaWiki mailer/
score J_MEDIAWIKI_MAILER -10

(and as nobody is reading the spam except me, I have disposed of
describe entries.)

Re: user_prefs brilliant indenting mode invented by me

2008-09-18 Thread jidanni

Oh no oh no, man Mail::SpamAssassin::Conf says
 Whitespace in the files is not significant, but please note that
 starting a line with whitespace is deprecated, as we reserve its use
 for multi-line rule definitions, at some point in the future.
OK, sorry. I regret my previous message.
Wait. Wouldn't it be unfortunate if SpamAssassin goes the python route
where whitespace counts in syntax, vs. perl where one can use the
trusty semicolon and {}, especially as SpamAssassin is perl based...
(Anyway, I hate python as it doesn't fit into wrapped one-liners in
Makefiles, etc. They expect everybody is editing on a terminal with TABs, etc.)

Re: Another low scoring obvious spam message


Skip wrote:

What can I do to increase my chances on spammies like this one:
http://pastebin.com/m5f5d11e0



maybe

header _CTYPE_PLAIN Content-Type =~ m|text/plain|
header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|


...

Re: user_prefs brilliant indenting mode invented by me


[EMAIL PROTECTED] wrote:

Oh no oh no, man Mail::SpamAssassin::Conf says
 Whitespace in the files is not significant, but please note that
 starting a line with whitespace is deprecated, as we reserve its use
 for multi-line rule definitions, at some point in the future.
OK, sorry. I regret my previous message.
Wait. Wouldn't it be unfortunate if SpamAssassin goes the python route
where whitespace counts in syntax, vs. perl where one can use the
trusty semicolon and {}, especially as SpamAssassin is perl based...


don't fight against the system. don't fight against syntax. If you don't 
like it, write a script to generate it from your own.



(Anyway, I hate python as it doesn't fit into wrapped one-liners in
Makefiles, etc. They expect everybody is editing on a terminal with TABs, etc.)

Re: How to integrate spamassassin in a web app?

2008-09-18 Thread xdmx


Hi, yep, i'm sorry about the 3 posts, wasn't because an edit, but because the
nabble site which went timeout :(
btw, i tried your solution and it works, thanks :)

-- 
View this message in context: 
http://www.nabble.com/How-to-integrate-spamassassin-in-a-web-app--tp19542249p19552374.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

RE: spamassassin can't rewrite subject in cpanel 11?

2008-09-18 Thread Bowie Bailey

mouss wrote:
 not007 wrote:
  I am using cpanel 11 and being told that I can't get spamassassin
  to rewrite the subject of emails that are spam. Spam assassin IS
  adding info in the header like: 
  
  X-Spam-Subject: [SPAM] test message
  X-Spam-Status: Yes, score=1002.4
  X-Spam-Score: 10024
  X-Spam-Bar: ++ +
  
  but I don't know how to write a mail rule in outlook express or
  outlook to read the header items and act on them. (the subject
  above has [spam] added, but the regular / displayed subject does
  NOT include the [spam] so it doesn't get put in the spam folder).
  
 
 menu Tools  rules wizard ...
   option with specific words in the message header
   ...
 X-Spam-Status: Yes
 
 untested!

This works on Outlook, but header tests were not available in Outlook
Express the last time I checked.

-- 
Bowie

RE: user_prefs brilliant indenting mode invented by me

2008-09-18 Thread Bowie Bailey

[EMAIL PROTECTED] wrote:
 Oh no oh no, man Mail::SpamAssassin::Conf says
  Whitespace in the files is not significant, but please note that
  starting a line with whitespace is deprecated, as we reserve its use
  for multi-line rule definitions, at some point in the future.
 OK, sorry. I regret my previous message.

Then just do it the other way:

header BLAH 
score  BLAH ...

 Wait. Wouldn't it be unfortunate if SpamAssassin goes the python route
 where whitespace counts in syntax, vs. perl where one can use the
 trusty semicolon and {}, especially as SpamAssassin is perl based...
 (Anyway, I hate python as it doesn't fit into wrapped one-liners in
 Makefiles, etc. They expect everybody is editing on a terminal with
 TABs, etc.) 

Since SA is written in Perl, I doubt that is going to happen.

-- 
Bowie

Re: Another low scoring obvious spam message


On Thu, 18 Sep 2008, Skip wrote:


What can I do to increase my chances on spammies like this one:
http://pastebin.com/m5f5d11e0


(1) train your bayes with it

(2) try the sought fraud ruleset that Justin is generating

http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  An AR-15 in civilian hands used to defend a home or business:
a High Velocity Assault Weapon with High Capacity Magazines
  An AR-15 in Law Enforcement Officer hands used to murder six kids:
a Police-Style Patrol Rifle
---
 Tomorrow: Talk Like a Pirate day

RE: spamassassin can't rewrite subject in cpanel 11?

2008-09-18 Thread not007

header tests were not available in Outlook
Express

That's what I am seeing also that seems like a big deal - cpanel is used
in lots of web hosting and spam assassin is needed these days. Not
everyone uses outlook and OE is a free app that comes with windows (yeah, I
guess you get what you pay for : )...

But this WAS usable with OE before. Taking away a critical feature for the
sake of new and improved is hard to push on clients, right?

Bowie Bailey wrote:

mouss wrote:
not007 wrote:
I am using cpanel 11 and being told that I can't get spamassassin
to rewrite the subject of emails that are spam. Spam assassin IS
adding info in the header like:

X-Spam-Subject: [SPAM] test message
X-Spam-Status: Yes, score=1002.4
X-Spam-Score: 10024
X-Spam-Bar: ++ +

but I don't know how to write a mail rule in outlook express or
outlook to read the header items and act on them. (the subject
above has [spam] added, but the regular / displayed subject does
NOT include the [spam] so it doesn't get put in the spam folder).

menu Tools rules wizard ...
option with specific words in the message header
...
X-Spam-Status: Yes

untested!

This works on Outlook, but header tests were not available in Outlook
Express the last time I checked.

--
Bowie

--
View this message in context:
http://www.nabble.com/spamassassin-can%27t-rewrite-subject-in-cpanel-11--tp19545283p19553082.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: spamassassin can't rewrite subject in cpanel 11?

2008-09-18 Thread not007


a rule based on the header text is doable in outlook, but not outlook
express.




mouss-2 wrote:
 
 not007 wrote:
 I am using cpanel 11 and being told that I can't get spamassassin to
 rewrite
 the subject of emails that are spam. Spam assassin IS adding info in the
 header like:
 
 X-Spam-Subject: [SPAM] test message
 X-Spam-Status: Yes, score=1002.4
 X-Spam-Score: 10024
 X-Spam-Bar: ++ +
 
 but I don't know how to write a mail rule in outlook express or outlook
 to
 read the header items and act on them. (the subject above has [spam]
 added,
 but the regular / displayed subject does NOT include the [spam] so it
 doesn't get put in the spam folder).
 
 
 menu Tools  rules wizard ...
   option with specific words in the message header
   ...
 X-Spam-Status: Yes
 
 untested!
 
 
 

-- 
View this message in context: 
http://www.nabble.com/spamassassin-can%27t-rewrite-subject-in-cpanel-11--tp19545283p19553110.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

RE: spamassassin can't rewrite subject in cpanel 11?

On Thu, 2008-09-18 at 06:36 -0700, not007 wrote:

 But this WAS usable with OE before.  Taking away a critical feature for the
 sake of new and improved is hard to push on clients, right?

See .sig


-- 
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority.-- Cringely, 4/8/2004
---
 Tomorrow: Talk Like a Pirate day

RE: spamassassin can't rewrite subject in cpanel 11?

2008-09-18 Thread SM


At 06:19 18-09-2008, Bowie Bailey wrote:

This works on Outlook, but header tests were not available in Outlook
Express the last time I checked.


In Outlook Express, you can have a rule for the Subject line.

Regards,
-sm

Re: Another low scoring obvious spam message

On Thu, September 18, 2008 8:55 am, mouss wrote:
 Skip wrote:

 What can I do to increase my chances on spammies like this one:
 http://pastebin.com/m5f5d11e0



 maybe

 header _CTYPE_PLAIN Content-Type =~ m|text/plain| header _CTRANSFER_B64
 Content-Transfer-Encoding =~ m|base64|


I wonder if that would have too many false positives.
It got me thinking though.  I looked in the 20_body_tests.cf rules and see
the following rules:

rawbody __MIME_BASE64  eval:check_for_mime('mime_base64_count')
describe __MIME_BASE64 Includes a base64 attachment
rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
describe MIME_BASE64_BLANKSExtra blank lines in base64 encoding
rawbody MIME_BASE64_TEXT  
eval:check_for_mime('mime_base64_encoded_text')
describe MIME_BASE64_TEXT  Message text disguised using base64 encoding

and from the 20_head_tests.cf
meta FROM_EXCESS_BASE64__FROM_ENCODED_B64 
!__FROM_NEEDS_MIME
describe FROM_EXCESS_BASE64From: base64 encoded unnecessarily

Interestingly, I have had exactly three spams fire the MIME_BASE64_TEXT
rule in the past six months, but I have had ten hams fire the rule.  Too
many FPs for me.

Same with the FROM_EXCESS_BASE64 rule:  I have had zero spams fire that
rule, but have had two hams fire it (they were newsletters from Red Hat).

Sadly, these both sound like they would be good rules, but they don't seem
to live up to their potential. (Btw, I am working with about 6,000 spams
and 3,500 hams)

Quick aside:  Does SA decode the message body before running the body
tests?  I was really surprised that the decoded content on this message
didn't trigger any of the get rich quick rules, or my bayes.

Re: Another low scoring obvious spam message

On Thu, September 18, 2008 9:33 am, John Hardin wrote:
 On Thu, 18 Sep 2008, Skip wrote:


 What can I do to increase my chances on spammies like this one:
 http://pastebin.com/m5f5d11e0


 (1) train your bayes with it

I am using bayes, but it didn't catch it.  I was quite surprised at that.

 (2) try the sought fraud ruleset that Justin is generating


 http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sough
 t_fraud.cf

I'm using that too, and again no joy there.  It may be time for an
sa-update though.

Thanks for the ideas though :)

Skip

Re: Another low scoring obvious spam message

2008-09-18 Thread Rick Macdougall


Skip Morrow wrote:

On Thu, September 18, 2008 9:33 am, John Hardin wrote:

On Thu, 18 Sep 2008, Skip wrote:



What can I do to increase my chances on spammies like this one:
http://pastebin.com/m5f5d11e0


(1) train your bayes with it


I am using bayes, but it didn't catch it.  I was quite surprised at that.


Doesn't look to me like you are using bayes.  There is no bayes score in 
the headers.



X-Spam-Report:
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 *  1.3 MISSING_HEADERS Missing To: header
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 MIME_BASE64_BLANKS RAW: Extra blank lines in base64 encoding

Regards,

Rick

Re: Another low scoring obvious spam message

 I am using bayes, but it didn't catch it.  I was quite surprised at
 that.

 Doesn't look to me like you are using bayes.  There is no bayes score in
 the headers.

Oh.  I thought I was.  I do get reports in some messages.  Here's the
debug from this particular message:
[12541] dbg: config: read file /home/peloruso/.spamassassin/23_bayes.cf
[12541] dbg: config: read file
/home/peloruso/.spamassassin/70_sare_bayes_poison_nxm.cf
[12541] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
[12541] dbg: config: fixed relative path:
/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using
/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf for
included file
[12541] dbg: config: read file
/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: fixed relative path:
/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using
/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf
for included file
[12541] dbg: bayes: tie-ing to DB file R/O
/home/peloruso/.spamassassin/skip/bayes/bayes_toks
[12541] dbg: bayes: tie-ing to DB file R/O
/home/peloruso/.spamassassin/skip/bayes/bayes_seen
[12541] dbg: bayes: found bayes db version 3
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: corpus size: nspam = 4748, nham = 1680
[12541] dbg: bayes: score = 2.02454774056449e-08
[12541] dbg: bayes: DB expiry: tokens in DB: 136363, Expiry max size:
15, Oldest atime: 1216674739, Newest atime: 1221711862, Last expire:
1220940612, Current time: 1221712855
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: untie-ing

Anything look funny in there?  I see a very low score: 2.02e-08, but isn't
it still working?

Re: Another low scoring obvious spam message

 I am using bayes, but it didn't catch it.  I was quite surprised at
 that.

 Doesn't look to me like you are using bayes.  There is no bayes score in
 the headers.

Oh.  I thought I was.  I do get reports in some messages.  Here's the
debug from this particular message:
[12541] dbg: config: read file /home/peloruso/.spamassassin/23_bayes.cf
[12541] dbg: config: read file
/home/peloruso/.spamassassin/70_sare_bayes_poison_nxm.cf
[12541] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
[12541] dbg: config: fixed relative path:
/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using
/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf for
included file
[12541] dbg: config: read file
/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: fixed relative path:
/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using
/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf
for included file
[12541] dbg: bayes: tie-ing to DB file R/O
/home/peloruso/.spamassassin/skip/bayes/bayes_toks
[12541] dbg: bayes: tie-ing to DB file R/O
/home/peloruso/.spamassassin/skip/bayes/bayes_seen
[12541] dbg: bayes: found bayes db version 3
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: corpus size: nspam = 4748, nham = 1680
[12541] dbg: bayes: score = 2.02454774056449e-08
[12541] dbg: bayes: DB expiry: tokens in DB: 136363, Expiry max size:
15, Oldest atime: 1216674739, Newest atime: 1221711862, Last expire:
1220940612, Current time: 1221712855
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: untie-ing

Anything look funny in there?  I see a very low score: 2.02e-08, but isn't
it still working?

Re: Another low scoring obvious spam message

Sorry about the double post--operator error.

RE: spamassassin can't rewrite subject in cpanel 11?

2008-09-18 Thread RobertH


 
 header tests were not available in Outlook
 Express 
 

This might be the wrong question in the wrong place yet in this day and age,
why in the world is anyone using outlook express?

Stop do it!

;-

There are many other good choices.

 - rh

force Bayes DB to expire

2008-09-18 Thread Stefan Jakobs

Hello list,

first I'm wondering why I got the following error, because in my local.cf I 
set 'bayes_auto_expire 1' to prevent SpamAssassin from expire the bayes-db (or 
did amavis the expire?):

Sep 18 13:15:48 server amavis[19655]: (19655-04) (!)SA TIMED OUT, backtrace: 
at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 
630\n\teval {...} called at /usr/lib/perl5/site_perl/5.8
.3/Mail/SpamAssassin/BayesStore/DBM.pm 
line630\n\tMail::SpamAssassin::BayesStore::DBM::calculate_expire_
delta('Mail::SpamAssassin::BayesStore::DBM=HASH(0xa61ea14)',1221736346,43200,512)
 
called at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm line 
322\n\tMail::SpamAssassin::BayesStore::expire_old_tokens_trapped('Mail::SpamAssassin::BayesStore::DBM=HASH(0xa61ea14)','undef')
 
called at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm line 
215\n\teval {...} called at 
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore.pm line 
212\n\tMail::SpamAssassin::BayesStore::expire_old_tokens('Mail::SpamAssassin::BayesStore::DBM=HASH(0xa61ea14)','undef')
 
called at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Bayes[...]

Second, if I run 
# sa-learn --debug --force-expire --dbpath ./ -p ./user_prefs -u vscan 
I get the following:
[4069] dbg: bayes: expiry check keep size, 0.75 * max: 225
[4069] dbg: bayes: token count: 3425687, final goal reduction size: 1175687
[4069] dbg: bayes: first pass? current: 1221753006, Last: 1221752575, atime: 
691200, count: 101725, newdelta: 59805, ratio: 11.5575030720079, period: 43200  
 
[4069] dbg: bayes: can't use estimation method for expiry, unexpected result, 
calculating optimal atime delta (first pass)

[4069] dbg: bayes: expiry max exponent: 9   
 
[4069] dbg: bayes: atime token reduction
 
[4069] dbg: bayes:  === 
 
[4069] dbg: bayes: 43200 2897558
 
[4069] dbg: bayes: 86400 2668468
 
[4069] dbg: bayes: 172800 2125446   
 
[4069] dbg: bayes: 345600 1241167   
 
[4069] dbg: bayes: 691200 4482  
 
[4069] dbg: bayes: 1382400 0
 
[4069] dbg: bayes: 2764800 0
 
[4069] dbg: bayes: 5529600 0
 
[4069] dbg: bayes: 11059200 0   
 
[4069] dbg: bayes: 22118400 0   
 
[4069] dbg: bayes: first pass decided on 691200 for atime delta 
 
bayes: synced databases from journal in 8 seconds: 11174 unique entries (20637 
total entries)

And it takes approx. 10 minutes to finish with a 220 MB Bayes-DB. Is that OK?

Greetings Stefan




signature.asc
Description: This is a digitally signed message part.

Re: Another low scoring obvious spam message


On Thu, 18 Sep 2008, Skip Morrow wrote:


Doesn't look to me like you are using bayes.  There is no bayes score in
the headers.


Oh.  I thought I was.  I do get reports in some messages.  Here's the
debug from this particular message:
[12541] dbg: config: read file /home/peloruso/.spamassassin/23_bayes.cf


Silly question, but is peloruso the user that spamd is running as? 
user/database mismatch is a common problem.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 What nuts do with guns is terrible, certainly. But what evil or crazy
 people do with *anything* is not a valid argument for banning that
 item.-- John C. Randolph [EMAIL PROTECTED]
---
 Tomorrow: Talk Like a Pirate day

Re: Another low scoring obvious spam message


 Silly question, but is peloruso the user that spamd is running as?
 user/database mismatch is a common problem.

I'm not using spamd, I call spamassassin from procmail.  I'm on a shared
host that doesn't allow users to run their own daemons (although they are
running their own spamd, but not with the options I want/need)

But, yes, all processes under my account are run as peloruso.

Re: Another low scoring obvious spam message


Skip Morrow wrote:

On Thu, September 18, 2008 8:55 am, mouss wrote:

Skip wrote:


What can I do to increase my chances on spammies like this one:
http://pastebin.com/m5f5d11e0



maybe

header _CTYPE_PLAIN Content-Type =~ m|text/plain| header _CTRANSFER_B64
Content-Transfer-Encoding =~ m|base64|



I wonder if that would have too many false positives.


it will trigger on ham, which means you shouldn't score it too much.

If you check the list mail, it'll trigger for mail sent by Larry Rosenbaum.


It got me thinking though.  I looked in the 20_body_tests.cf rules and see
the following rules:

rawbody __MIME_BASE64  eval:check_for_mime('mime_base64_count')
describe __MIME_BASE64 Includes a base64 attachment
rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
describe MIME_BASE64_BLANKSExtra blank lines in base64 encoding
rawbody MIME_BASE64_TEXT  
eval:check_for_mime('mime_base64_encoded_text')

describe MIME_BASE64_TEXT  Message text disguised using base64 encoding

and from the 20_head_tests.cf
meta FROM_EXCESS_BASE64__FROM_ENCODED_B64 
!__FROM_NEEDS_MIME
describe FROM_EXCESS_BASE64From: base64 encoded unnecessarily

Interestingly, I have had exactly three spams fire the MIME_BASE64_TEXT
rule in the past six months, but I have had ten hams fire the rule.  Too
many FPs for me.

Same with the FROM_EXCESS_BASE64 rule:  I have had zero spams fire that
rule, but have had two hams fire it (they were newsletters from Red Hat).

Sadly, these both sound like they would be good rules, but they don't seem
to live up to their potential. (Btw, I am working with about 6,000 spams
and 3,500 hams)

Quick aside:  Does SA decode the message body before running the body
tests?  I was really surprised that the decoded content on this message
didn't trigger any of the get rich quick rules, or my bayes.

Re: Another low scoring obvious spam message


Skip Morrow wrote:

On Thu, September 18, 2008 9:33 am, John Hardin wrote:

On Thu, 18 Sep 2008, Skip wrote:



What can I do to increase my chances on spammies like this one:
http://pastebin.com/m5f5d11e0


(1) train your bayes with it


I am using bayes, but it didn't catch it.  I was quite surprised at that.


h...

Content analysis details:   (6.3 points, 5.0 required)

 pts rule name  description
 -- 
--

 3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record
 1.3 MISSING_HEADERSMissing To: header
 1.5 BASE64_LENGTH_79_INF   BODY: BASE64_LENGTH_79_INF
 0.0 MIME_BASE64_BLANKS RAW: Extra blank lines in base64 encoding





(2) try the sought fraud ruleset that Justin is generating


http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sough
t_fraud.cf


I'm using that too, and again no joy there.  It may be time for an
sa-update though.



sa-update and jm sought here. without Bayes, it's missed.

Re: Another low scoring obvious spam message


Skip Morrow wrote:

Sorry about the double post--operator error.



fire operator :)

Re: force Bayes DB to expire

2008-09-18 Thread Michael Scheidell

 Hello list,
 
 first I'm wondering why I got the following error, because in my local.cf I
 set 'bayes_auto_expire 1' to prevent SpamAssassin from expire the bayes-db (or
 did amavis the expire?):

Ah?

Bayes will auto expire if you set it for 'true' (1).  Amavis doesn't do
anything, with bayes_auto_expire true, spamassassin does the auto-expire
(amavis calls spamassassin, which is why you get the amavis logs)

 so:
#1, you want to set bayes_auto_expire 0 in local.cf if you want to run a
nightly cronjob to run bayes expire (recommended)


Yes, I guess it could take 10 mins.  Best practices says either move to sql
based bayes, or use db4 with enough ram to cache things better.

 
 And it takes approx. 10 minutes to finish with a 220 MB Bayes-DB. Is that OK?
 
 Greetings Stefan
 
 

_
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com
_

sa-learn

2008-09-18 Thread Lars Ebeling

Is it possible to forward spam sent to me to an other user eg spam and run 
sa-learn on that mailbox? I will then be sender.

--
Regards
Lars Ebeling

http://leopg9.no-ip.org
Hobbithobbyist

I am not young enough to know everything.
-- Oscar Wilde

RE: spamassassin can't rewrite subject in cpanel 11?

2008-09-18 Thread Bowie Bailey

RobertH wrote:
  header tests were not available in Outlook
  Express 
  
 
 This might be the wrong question in the wrong place yet in this day
 and age, why in the world is anyone using outlook express?

Because it comes installed with every Windows computer.  Quite a few
(most?) people will simply use it rather than spending the time and
energy to find and install an alternative (if they are even aware that
there ARE alternatives).

 There are many other good choices.

Agreed.  I use Thunderbird at home.

-- 
Bowie

Re: Another low scoring obvious spam message



 I am using bayes, but it didn't catch it.  I was quite surprised at
 that.

 h...

 Content analysis details:   (6.3 points, 5.0 required)


 pts rule name  description  --
 --
 3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
 [score: 1.]
 -0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
 -0.0 SPF_PASS   SPF: sender matches SPF record
 1.3 MISSING_HEADERSMissing To: header
 1.5 BASE64_LENGTH_79_INF   BODY: BASE64_LENGTH_79_INF
 0.0 MIME_BASE64_BLANKS RAW: Extra blank lines in base64 encoding


How interesting that you are hitting the BASE64_LENGTH_79_INF rule and I'm
not.  I just looked and I have never triggered that rule in any spams, but
I have triggered it in a couple of hams.  Now why would it work for you
and not for me hm.  I am using SA 3.2.4.  By the way, that
mime block is only 76 characters wide.


 sa-update and jm sought here. without Bayes, it's missed.


I ran sa-update just a few minutes ago and it didn't make a difference.

I habitually run most of my spam through sa-learn and most of my ham too. 
I know it's work b/c I do have a lot of spam trigger the BAYES_99 rule
(and others too).  I am still surprised that I had such a low score on
this one.  Bayes would have been my only saving grace here too.

More spam after disabling local BIND ?

2008-09-18 Thread Jules Yasuna


Configuration (maybe more than you care to see, sorry)
--
1) platform:   kubuntu 8.04
2) SA version:3.2.4
3) options:
   add_header spam BB score=_SCORE_
   report_safe 0
   lock_method flock
4) using qmail - procmail - spamc - spamd

  ps ea | grep spam shows ...
/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir 
--username spamd -s /usr/local/bb/spamassassin/spamd.log -d 
--pidfile=/usr/local/bb/spamassassin/spamd.pid


   this snippit is from /etc/procmailrc
 :0fw: spamassassin.lock
 *  256000
 | spamc -F /usr/local/bb/spamassassin/bb.spamc.conf

 cat bb.spamc.conf  shows
-u spamd
-s 100
--headers


SA has been working great! Very few spam messages get through. Then, we 
made ONE change
to the machine. We turned off BIND, and just resolve to the ISP name 
servers. After  that, lots
and lots of spam gets through ? Not everything, just a lot more than 
when BIND was running locally


So, instead of having BIND running locally, and forwarding to the name 
servers provided by our ISP,
we turned off running BIND, and placed the ISP name servers addresses in 
/etc/resolv.conf. Just

for clarity, here is what we did to /etc/resolv.conf

 # nameserver 192.168.1.17  comment out our localhost, since bind is no 
longer running

 domain angels.bookus-boulet.com
 nameserver 66.189.0.29
 nameserver 66.189.0.30

So, really that is all we did. After that, lot's of spam gets through.

Just to check, we turned our nameserver back on (and adjusted 
/etc/resolv.conf accordingly), and once

again SAworks great !

So, please tell me what I am doing wrong here

Thanks in advance ... jules

Re: Another low scoring obvious spam message


On Thu, 18 Sep 2008, mouss wrote:


  (2) try the sought fraud ruleset that Justin is generating
 
  http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sough

  t_fraud.cf

 I'm using that too, and again no joy there.  It may be time for an
 sa-update though.


sa-update and jm sought here. without Bayes, it's missed.


sought != sought_fraud.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Your mouse has moved. Your Windows Operating System must be
  relicensed due to this hardware change. Please contact Microsoft
  to obtain a new activation key. If this hardware change results in
  added functionality you may be subject to additional license fees.
  Your system will now shut down. Thank you for choosing Microsoft.
---
 Tomorrow: Talk Like a Pirate day

Re: More spam after disabling local BIND ?

2008-09-18 Thread Jules Yasuna


Ok - that explains it - thank you very much. Really, many thanks !

But, is there a way to still not run BIND locally, and continue to 
benefit from the RBL filters?


Perhaps there is a timeout associated with the RBL filters that can be 
increased? I understand that if
such a timout option existed and was increased, performance would 
suffer.  I'm just fishing here ...


Turning off BIND was needed for other reasons. It's not mandatory that 
we not run BIND, just one less service

that we would have to maintain. (we meaning ME!)

Many thanks for your help, Kevin

Kevin Parris wrote:

You're wasting time and network resources by sending all the RBL query traffic 
upstream to your ISP.  The ISP servers may, or may not, be caching the results. 
 Your spam detection rate may be suffering from delayed (or absent) responses 
to the queries, thus missing score values that would mark more of your traffic 
as spam.  Keep the local caching DNS running - you've already figured out by 
observation that it is a valuable tool.

  

Jules Yasuna [EMAIL PROTECTED] 09/18/08 1:23 PM 



Just to check, we turned our nameserver back on (and adjusted /etc/resolv.conf 
accordingly), and once again SAworks great !

So, please tell me what I am doing wrong here

Thanks in advance ... jules

Re: More spam after disabling local BIND ?

2008-09-18 Thread Blaine Fleming


Jules Yasuna wrote:

Configuration (maybe more than you care to see, sorry)
--
1) platform:   kubuntu 8.04
2) SA version:3.2.4
3) options:
   add_header spam BB score=_SCORE_
   report_safe 0
   lock_method flock
4) using qmail - procmail - spamc - spamd

  ps ea | grep spam shows ...
/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir 
--username spamd -s /usr/local/bb/spamassassin/spamd.log -d 
--pidfile=/usr/local/bb/spamassassin/spamd.pid


   this snippit is from /etc/procmailrc
 :0fw: spamassassin.lock
 *  256000
 | spamc -F /usr/local/bb/spamassassin/bb.spamc.conf

 cat bb.spamc.conf  shows
-u spamd
-s 100
--headers


SA has been working great! Very few spam messages get through. Then, 
we made ONE change
to the machine. We turned off BIND, and just resolve to the ISP name 
servers. After  that, lots
and lots of spam gets through ? Not everything, just a lot more than 
when BIND was running locally


So, instead of having BIND running locally, and forwarding to the name 
servers provided by our ISP,
we turned off running BIND, and placed the ISP name servers addresses 
in /etc/resolv.conf. Just

for clarity, here is what we did to /etc/resolv.conf

 # nameserver 192.168.1.17  comment out our localhost, since bind is 
no longer running

 domain angels.bookus-boulet.com
 nameserver 66.189.0.29
 nameserver 66.189.0.30

So, really that is all we did. After that, lot's of spam gets through.

Just to check, we turned our nameserver back on (and adjusted 
/etc/resolv.conf accordingly), and once

again SAworks great !

So, please tell me what I am doing wrong here

Thanks in advance ... jules
I'm wondering if your DNS servers are running slow or timing out.  Have 
you tried running SA in debug mode and looking for DNS related delays or 
issues?


--Blaine

Re: sa-learn


On Thu, 18 Sep 2008, Lars Ebeling wrote:

Is it possible to forward spam sent to me to an other user eg spam and 
run sa-learn on that mailbox? I will then be sender.


Possible, yes. Recommended, no, for the reason you note: forwarding alters 
the message.


Probably the best way is to set up an IMAP mail folder that the SA system 
can learn from, then just move the message to train from your inbox folder 
to that folder; this will leave the message in its original form. There 
are examples of this in the archives, searching on learn imap will 
probably find them.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Your mouse has moved. Your Windows Operating System must be
  relicensed due to this hardware change. Please contact Microsoft
  to obtain a new activation key. If this hardware change results in
  added functionality you may be subject to additional license fees.
  Your system will now shut down. Thank you for choosing Microsoft.
---
 Tomorrow: Talk Like a Pirate day

Re: Another low scoring obvious spam message


Skip Morrow wrote:



I am using bayes, but it didn't catch it.  I was quite surprised at
that.

h...

Content analysis details:   (6.3 points, 5.0 required)


pts rule name  description  --
--
3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record
1.3 MISSING_HEADERSMissing To: header
1.5 BASE64_LENGTH_79_INF   BODY: BASE64_LENGTH_79_INF
0.0 MIME_BASE64_BLANKS RAW: Extra blank lines in base64 encoding



How interesting that you are hitting the BASE64_LENGTH_79_INF rule and I'm
not.  I just looked and I have never triggered that rule in any spams, but
I have triggered it in a couple of hams.  Now why would it work for you
and not for me hm.  I am using SA 3.2.4.  By the way, that
mime block is only 76 characters wide.



well, I did a cut-paste from the pastebin page, so maybe there's a 
mismatch between what I passed to sa and your message?



sa-update and jm sought here. without Bayes, it's missed.



I ran sa-update just a few minutes ago and it didn't make a difference.

I habitually run most of my spam through sa-learn and most of my ham too. 
I know it's work b/c I do have a lot of spam trigger the BAYES_99 rule

(and others too).  I am still surprised that I had such a low score on
this one.  Bayes would have been my only saving grace here too.



I have spam that goes to pseudo-traps. maybe this helps Bayes.

anyway, if your SA only misses few spam, there's no need to try to 
improve that with new rules.

Re: More spam after disabling local BIND ?

2008-09-18 Thread David B Funk

On Thu, 18 Sep 2008, Jules Yasuna wrote:

[snip..]
 SA has been working great! Very few spam messages get through. Then, we
 made ONE change
 to the machine. We turned off BIND, and just resolve to the ISP name
 servers. After  that, lots
 and lots of spam gets through ? Not everything, just a lot more than
 when BIND was running locally

[snip..]
 So, really that is all we did. After that, lot's of spam gets through.

 Just to check, we turned our nameserver back on (and adjusted
 /etc/resolv.conf accordingly), and once
 again SAworks great !

 So, please tell me what I am doing wrong here

 Thanks in advance ... jules

To paraphrase an old joke:
 Patient:  Doctor Doctor, it hurts when I poke a stick into my eye.
What should I do to stop the pain?
 Doctor:   Don't poke a stick into your eye.

It's considered generally good advice for spamassassin sites to run a
local DNS server to reduce network traffic and timeouts. Is there a
compelling reason not to follow this advice?

Probably your ISP's DNS servers are busy and prone to delays, causing
timeouts and loss of DNS based rules (RBLS, etc).

Either run a local DNS server, find a better off-site server that doesn't
suffer from delays (ask for permission to use them tho), or increase your
network test timeout settings and expect delays in processing mail.

-- 
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{

Re: More spam after disabling local BIND ?

2008-09-18 Thread DAve


Jules Yasuna wrote:

Ok - that explains it - thank you very much. Really, many thanks !

But, is there a way to still not run BIND locally, and continue to 
benefit from the RBL filters?


Take a look at djbdns. We run dnscache on all servers that require the 
ability to do a DNS lookup and have for several years. It also uses a 
minuscule amount of resources, if you cannot run dnscache you have 
bigger problems to deal with.


http://cr.yp.to/djbdns.html

dnscache setup,

http://cr.yp.to/djbdns/run-cache.html

It makes a noticeable difference in RBL performance on your end, and 
provides a great reduction in traffic for the RBL provider.


DAve



Perhaps there is a timeout associated with the RBL filters that can
be increased? I understand that if such a timout option existed and
was increased, performance would suffer.  I'm just fishing here ...

Turning off BIND was needed for other reasons. It's not mandatory
that we not run BIND, just one less service that we would have to
maintain. (we meaning ME!)

Many thanks for your help, Kevin

Kevin Parris wrote:

You're wasting time and network resources by sending all the RBL
query traffic upstream to your ISP.  The ISP servers may, or may
not, be caching the results.  Your spam detection rate may be
suffering from delayed (or absent) responses to the queries, thus
missing score values that would mark more of your traffic as spam.
Keep the local caching DNS running - you've already figured out by
observation that it is a valuable tool.



Jules Yasuna [EMAIL PROTECTED] 09/18/08 1:23 PM 



Just to check, we turned our nameserver back on (and adjusted
/etc/resolv.conf accordingly), and once again SAworks great !

So, please tell me what I am doing wrong here

Thanks in advance ... jules





--
Don't tell me I'm driving the cart!

Re: Another low scoring obvious spam message


John Hardin wrote:

On Thu, 18 Sep 2008, mouss wrote:


  (2) try the sought fraud ruleset that Justin is generating
   
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sough 


  t_fraud.cf

 I'm using that too, and again no joy there.  It may be time for an
 sa-update though.


sa-update and jm sought here. without Bayes, it's missed.


sought != sought_fraud.



ah. missed that. just tried it, but I get the same results.

Re: How to integrate spamassassin in a web app?

2008-09-18 Thread Evan Platt


Bob Proulx wrote:

Nabble! Bad Nabble! Let me be yet another voice complaining about
how terrible Nabble is for mailing lists.  AFAIK Nabble allows the
user to modify sent messages.  Every time they modify the message it
sends the message again using the same Message-Id: as before.  Grr...
Nabble is very annoying to me.
  

Nabble is to e-mail as Google groups is to Usenet.

And yes, I killfile all posts from Google Groups. Pretty close to doing 
it for Nabble too.

Re: Another low scoring obvious spam message


 sought != sought_fraud.

Whoops!  Thanks!  Got it now, but still no hits in that rule set either.

Re: More spam after disabling local BIND ?


Jules Yasuna wrote:

Ok - that explains it - thank you very much. Really, many thanks !

But, is there a way to still not run BIND locally, and continue to 
benefit from the RBL filters?


Perhaps there is a timeout associated with the RBL filters that can be 
increased? I understand that if
such a timout option existed and was increased, performance would 
suffer.  I'm just fishing here ...


Turning off BIND was needed for other reasons. It's not mandatory that 
we not run BIND, just one less service

that we would have to maintain. (we meaning ME!)



running BIND in cache only mode doesn't really require a lot of 
maintenance. you can firewall it as much as your security policy requires.


and if you don't want bind, try one of the available alternatives. but a 
local DNS is recommended on a mail server or spam filter that uses DNS.

Re: Another low scoring obvious spam message



 anyway, if your SA only misses few spam, there's no need to try to improve
 that with new rules.



Yeah, this is the first spam I've gotten in about a month or maybe two. 
Still, I let it bug me too much.  That, and it's slow at work today.  I
guess I'll just let it go.

Re: Another low scoring obvious spam message


On Thu, 18 Sep 2008, mouss wrote:


John Hardin wrote:


 sought != sought_fraud.


ah. missed that. just tried it, but I get the same results.


That's not *too* surprising. At the moment the corpus for it is 
manually-collected fraud spams sent to me personally, and I don't 
necessarily see all possible forms.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Tomorrow: Talk Like a Pirate day

Re: How to integrate spamassassin in a web app?

2008-09-18 Thread Evan Platt


xdmx wrote:

Hi, yep, i'm sorry about the 3 posts, wasn't because an edit, but because the
nabble site which went timeout :(
  

All the more reason to not use a web interface to a e-mail group.

btw, i tried your solution and it works, thanks :)
  

Who's solution? Who are you replying to?

Re: How to integrate spamassassin in a web app?


Evan Platt wrote:

Bob Proulx wrote:

Nabble! Bad Nabble! Let me be yet another voice complaining about
how terrible Nabble is for mailing lists.  AFAIK Nabble allows the
user to modify sent messages.  Every time they modify the message it
sends the message again using the same Message-Id: as before.  Grr...
Nabble is very annoying to me.
  

Nabble is to e-mail as Google groups is to Usenet.

And yes, I killfile all posts from Google Groups. Pretty close to doing 
it for Nabble too.


and in these days of SPF and DKIM, posting from nabble will cause more 
and more problems. unless of course they get the private key of every 
site ;-p

testing spam gives warn config error

2008-09-18 Thread Kate Kleinschafer


Hi all,

I have a new install of MailScanner / Postfix / Spamassassin
when I run sudo -u postfix spamassassin -p 
/etc/MailScanner/spam.assassin.prefs.conf -t  message.MAI

I get the following error:
warn config path /root/ .spamassassin is inaccessible permission denied

How can I resolve this error?

Thanks
Kate

Re: testing spam gives warn config error


Kate Kleinschafer wrote:

Hi all,

I have a new install of MailScanner / Postfix / Spamassassin
when I run sudo -u postfix spamassassin -p 
/etc/MailScanner/spam.assassin.prefs.conf -t  message.MAI

I get the following error:
warn config path /root/ .spamassassin is inaccessible permission denied

How can I resolve this error?



by running the command as root or by using another directory.

Re: testing spam gives warn config error

2008-09-18 Thread Kate Kleinschafer

I don't think I want to run it as root do I? (MailScanner is set to use 
user postfix)


Which config file sets it to use /root/ directory?

Thanks
Kate

mouss wrote:

Kate Kleinschafer wrote:

Hi all,

I have a new install of MailScanner / Postfix / Spamassassin
when I run sudo -u postfix spamassassin -p 
/etc/MailScanner/spam.assassin.prefs.conf -t  message.MAI

I get the following error:
warn config path /root/ .spamassassin is inaccessible permission denied

How can I resolve this error?



by running the command as root or by using another directory.

Re: testing spam gives warn config error