whitelist_from not working

2008-10-29 Thread Nelson Serafica
I'm using spamassassin 3.2.5. Now, I must a whitelist_from containing
*@foo.com in my local.cf.

However, there is still 1 email that has been tagged as spam. In my
understanding, if a domain was in whitelist_from, even if it was tagged as
spam, it will be delivered to the recipient. I restarted spamd after I edited
local.cf so it must take effect.

Is this the right way to whitelist? As I check, when using 3.2.5, this is
the right way of whitelisting a domain.


Re: whitelist_from not working

2008-10-29 Thread Matus UHLAR - fantomas
On 29.10.08 17:18, Nelson Serafica wrote:
> I'm using spamassassin 3.2.5. Now, I must a whitelist_from containing
> *@foo.com in my local.cf.
> 
> However, there are still 1 email that has been tagged as spam. 

Only one? show the headers or upload it somewhere..

> In my understanding, if a domain was in whitelist_from, even if it was
> tagged as spam, it will delivered to the recipient.

No, it will have -100 points added, so it should get classified as not spam
(ham). It seems it does not work.

> I restart the spamd after I edit
> local.cf so it must take effect.
> 
> Is this the right way to whitelist? As I check, when using 3.2.5, this is
> the right way of whitelisting a domain.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have. 


Re: whitelist_from not working

2008-10-29 Thread Benny Pedersen

On Wed, October 29, 2008 10:18, Nelson Serafica wrote:

> Is this the right way to whitelist? As I check, when using 3.2.5, this is
> the right way of whitelisting a domain.

the more i hear about whitelist_from the more i want to make a bug on it,
whitelist_from should imho never have been implemented

use whitelist_auth, whitelist_from_spf, whitelist_from_dkim, whitelist_from_rcvd

see perldocs how to make this

-- 
Benny Pedersen



Re: whitelist_from not working

2008-10-29 Thread Matt Kettler
Nelson Serafica wrote:
> I'm using spamassassin 3.2.5.  Now, I must a
> whitelist_from containing [EMAIL PROTECTED]  in my local.cf
> .
>
> However, there are still 1 email that has been tagged as spam. In my
> understanding, if a domain was in whitelist_from, even if it was
> tagged as spam, it will delivered to the recipient.
First, be aware that SpamAssassin itself does not directly cause
messages to be deleted, rejected, or otherwise alter delivery.
SpamAssassin itself *ONLY* tags. The way it inserts itself into the mail
chain is very flexible, but gives SA no direct power over message
delivery, so tagging is the only thing it can possibly do. If it were to
try to delete the message, most mail tools would assume SA had crashed
and recover the original, unscanned message and deliver that.

Therefore, there is nothing in the SpamAssassin configuration that can
cause a message to be delivered "even if it is tagged as spam". SA can
only tag, or not tag. whitelist_from causes messages to be hit with a
-100 point rule named USER_IN_WHITELIST. This large negative score makes
it more-or-less impossible for the message to be tagged as spam. Pretty
much the only way to get SA to tag it when matching a whitelist would be
to put a GTUBE test signature into the message.

Your previously posted example was working perfectly, in that the
whitelist configuration caused SA to match USER_IN_WHITELIST, which
generated a hugely negative score, and therefore was not tagged as spam.
That's exactly what it should do.

If you've got something else that deletes mail when SA tags messages,
then that is the tool you'd need to configure if you want the message to
get tagged as spam, but still be delivered. Reconfiguring SA can't
change this, because SA doesn't (and in fact can't) delete the messages.

> I restart the spamd after I edit local.cf  so it must
> take effect.
>
> Is this the right way to whitelist? As I check, when using 3.2.5, this
> is the right way of whitelisting a domain.
whitelist_from is never the "right" way to do anything. It is horribly
easy to forge. Use whitelist_from_rcvd, or preferably, whitelist in your
tools that call SA, bypassing it entirely and saving CPU time.
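
An added example, not part of the original thread: a small audit that finds messages where the -100 USER_IN_WHITELIST credit described above is the only thing keeping an otherwise spammy message under the threshold, which is what a forged sender matching whitelist_from looks like in the logs. It assumes the amavisd-style `X-Spam-Status` header with per-test scores, as in the headers quoted elsewhere on this page; the two whitelisted sample messages and their scores are constructed.

```python
import re
from email import message_from_string

# amavisd-style status value, e.g.
#   Yes, score=6.469 required=5 tests=[DNS_FROM_RFC_ABUSE=0.479, URIBL_BLACK=3]
STATUS_RE = re.compile(
    r"(?P<flag>Yes|No),\s*score=(?P<score>-?[\d.]+)\s+"
    r"required=(?P<required>-?[\d.]+)\s+tests=\[(?P<tests>[^\]]*)\]",
    re.IGNORECASE,
)

# Rule name taken from the thread.
WHITELIST_RULES = {"USER_IN_WHITELIST"}


def parse_spam_status(raw_message):
    """Return flag, score, threshold and per-test scores, or None if absent."""
    header = message_from_string(raw_message).get("X-Spam-Status")
    if header is None:
        return None
    # The header is usually folded over several lines; unfold it first.
    match = STATUS_RE.match(" ".join(header.split()))
    if match is None:
        return None
    tests = {}
    for item in match.group("tests").split(","):
        name, sep, value = item.strip().partition("=")
        if sep:
            tests[name] = float(value)
    return {
        "flagged": match.group("flag").lower() == "yes",
        "score": float(match.group("score")),
        "required": float(match.group("required")),
        "tests": tests,
    }


def audit_whitelist(raw_message):
    """Report whether a whitelist hit is masking a score above the threshold."""
    status = parse_spam_status(raw_message)
    if status is None:
        return None
    hits = [name for name in status["tests"] if name in WHITELIST_RULES]
    credit = sum(status["tests"][name] for name in hits)
    without = round(status["score"] - credit, 3)
    return {
        "whitelisted": bool(hits),
        "score": status["score"],
        "score_without_whitelist": without,
        "masked_spam": bool(hits)
        and not status["flagged"]
        and without >= status["required"],
    }


# Constructed sample: spammy content, From: matches a whitelist_from entry.
FORGED_SENDER = (
    "From: billing@foo.com\n"
    "Subject: constructed sample 1\n"
    "X-Spam-Status: No, score=-93.5 required=5 tests=[BAYES_99=3.5,\n"
    " URIBL_BLACK=3, USER_IN_WHITELIST=-100]\n"
    "\n"
    "body\n"
)

# Constructed sample: ordinary mail from a whitelisted sender.
GENUINE_SENDER = (
    "From: colleague@foo.com\n"
    "Subject: constructed sample 2\n"
    "X-Spam-Status: No, score=-99.45 required=5 tests=[NO_REAL_NAME=0.55,\n"
    " USER_IN_WHITELIST=-100]\n"
    "\n"
    "body\n"
)

# Status header as quoted on this page: tagged, no whitelist hit.
TAGGED_NO_WHITELIST = (
    "Subject: sample 3\n"
    "X-Spam-Status: Yes, score=6.469 required=5 tests=[DNS_FROM_RFC_ABUSE=0.479,\n"
    " DNS_FROM_RFC_POST=1.44, EXCLAMACION_ES=1, NO_REAL_NAME=0.55, URIBL_BLACK=3]\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, raw in (("forged", FORGED_SENDER),
                       ("genuine", GENUINE_SENDER),
                       ("tagged", TAGGED_NO_WHITELIST)):
        print(label, audit_whitelist(raw))
```

Messages reported with `masked_spam` set are the ones to review before keeping a plain whitelist_from entry for that sender.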





Re: whitelist_from not working

2008-10-29 Thread Matt Kettler
Benny Pedersen wrote:
> On Wed, October 29, 2008 10:18, Nelson Serafica wrote:
>
>   
>> Is this the right way to whitelist? As I check, when using 3.2.5, this is
>> the right way of whitelisting a domain.
>> 
>
> the more i hear about whitelist_from the more i want to make a bug on it,
> whitelist_from should imho newer have being implemented
>   
Agreed. whitelist_from sucks. However, it's there as a method of
last-resort. There are some messages you can't whitelist in SA using any
other method. (ie: when the sender's server doesn't have reverse DNS).


> use whitelist_auth, whitelist_from_spf, whitelist_from_dkim, 
> whitelist_from_rcvd
>
> see perldocs how to make this
>
>   
Agreed, and the man Mail::SpamAssassin::Conf section on whitelist_from
(which should have been read in the first place) will tell you the same.




had it with spaces spam and idiots at hotmail

2008-10-29 Thread Michael Scheidell
I have had it with spaces live random url spam.  we get thousands of 
them, most from zombots, and idiots at hotmail want a valid live account 
to process the complaint"


"Thank you for reporting spam to the Windows Live Hotmail Support Team. This is an auto-generated response to inform you that we have received your submission. Please note that you will not receive a reply if you respond directly to this message. 


Unfortunately, in order to process your request, Hotmail Support needs a valid 
Windows Live Hotmail hosted account."



this looks for it, assigns some reasonable scores, and if (add your 
favorite shortcut) bumps it up another 5.


uri ST_SPACES   /\.spaces\.live\.com/$
score   ST_SPACES 5 3 4 2

meta ST_SPACES_BUMP (ST_SPACES && (RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_XBL 
|| RCVD_IN_BL_SPAMCOP_NET || DCC_CHECK))

tflags ST_SPACES_BUMP net
score ST_SPACES_BUMP 5

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
> *| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * King of Spam Filters, SC Magazine 2008
   * Information Security Award 2008, Info Security Products Guide
   * CRN Magazine Top 40 Emerging Security Vendors



Re: whitelist_from not working

2008-10-29 Thread Henrik K
On Wed, Oct 29, 2008 at 08:24:25AM -0400, Matt Kettler wrote:
>
> There are some messages you can't whitelist in SA using any other method.
> (ie: when the sender's server doesn't have reverse DNS).

You can use trusted_networks + ALL_TRUSTED to whitelist. Given of course
that there aren't any dynamic IPs in the path.



Re: had it with spaces spam and idiots at hotmail

2008-10-29 Thread Bob McClure Jr
On Wed, Oct 29, 2008 at 08:13:34AM -0400, Michael Scheidell wrote:
> I have had it with spaces live random url spam.  we get thousands of them, 
> most from zombots, and idiots at hotmail want a valid live account to 
> process the complaint"
>
> "Thank you for reporting spam to the Windows Live Hotmail Support Team. 
> This is an auto-generated response to inform you that we have received your 
> submission. Please note that you will not receive a reply if you respond 
> directly to this message. 
> Unfortunately, in order to process your request, Hotmail Support needs a 
> valid Windows Live Hotmail hosted account."

Me, too.  There's a good reason they are listed on rfc-ignorant.org.

However, after some digging, I found a place to report the stuff.  Go
to

https://support.live.com/eform.aspx?productKey=wlspacesabuse&ct=eformts

Fill in your name and email.  For the offender's email, which I don't
know, I put "[EMAIL PROTECTED]".  Then fill in the URL of the spamsite.
For the two selection boxes, I put "other" since none of the other
things fit.  In the "Please provide as much detail ..." textarea box,
I put "Spamvertised web site:" and follow that with a cut-and-paste of
the entire spam with full headers.

Have at it.

> this looks for it, assigns some reasonable scores, and if (add your 
> favorite shortcut) bumps it up another 5.
>
> uri ST_SPACES   /\.spaces\.live\.com/$
> score   ST_SPACES 5 3 4 2
>
> meta ST_SPACES_BUMP (ST_SPACES && (RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_XBL || 
> RCVD_IN_BL_SPAMCOP_NET || DCC_CHECK))
> tflags ST_SPACES_BUMP net
> score ST_SPACES_BUMP 5
>
> -- 
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> > *| *SECNAP Network Security Corporation
>
>* Certified SNORT Integrator
>* King of Spam Filters, SC Magazine 2008
>* Information Security Award 2008, Info Security Products Guide
>* CRN Magazine Top 40 Emerging Security Vendors

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
The Lord says: "These people come near to me with their mouth and
honor me with their lips, but their hearts are far from me. Their
worship of me is made up only of rules taught by men. Therefore once
more I will astound these people with wonder upon wonder; the wisdom
of the wise will perish, the intelligence of the intelligent will
vanish."  Isaiah 29:13-14 (NIV)


Re: whitelist_from not working

2008-10-29 Thread Jeff Mincy
   From: Matt Kettler <[EMAIL PROTECTED]>
   Date: Wed, 29 Oct 2008 08:24:25 -0400
   
   Benny Pedersen wrote:
   > On Wed, October 29, 2008 10:18, Nelson Serafica wrote:
   >
   >   
   >> Is this the right way to whitelist? As I check, when using 3.2.5, this is
   >> the right way of whitelisting a domain.
   >> 
   >
   > the more i hear about whitelist_from the more i want to make a bug on it,
   > whitelist_from should imho newer have being implemented
   >   
   Agreed. whitelist_from sucks. However, it's there as a method of
   last-resort. There are some messages you can't whitelist in SA using any
   other method. (ie: when the sender's server doesn't have reverse DNS).
   
Since whitelist_from is spoofable wouldn't it make sense to have
different scores assigned to whitelist_from and whitelist_from_rcvd?
Right now if an email is in either you get a hit on USER_IN_WHITELIST,
which is scored at a -100 by default.  So split out
USER_IN_RCVD_WHITELIST hits from USER_IN_WHITELIST.

-jeff


Re: whitelist_from not working

2008-10-29 Thread Greg Troxel

Jeff Mincy <[EMAIL PROTECTED]> writes:

>Agreed. whitelist_from sucks. However, it's there as a method of
>last-resort. There are some messages you can't whitelist in SA using any
>other method. (ie: when the sender's server doesn't have reverse DNS).
>
> Since whitelist_from is spoofable wouldn't it make sense to have
> different scores assigned to whitelist_from and whitelist_from_rcvd?
> Right now if an email is in either you get a hit on USER_IN_WHITELIST,
> which is scored at a -100 by default.  So split out
> USER_IN_RCVD_WHITELIST hits from USER_IN_WHITELIST.

I use whitelist_from to be sure I whitelist mail from some people (not
part of my organization).  For those addresses, it's better to get FN on
spam than a single FP.  I don't know what IP addresses they use, and
they keep changing.  So the 'better' whitelist rules won't work.

I have sometimes wanted a way to give a per-rule score for whitelist
entries, instead of a fixed -100.  But not enough to implement it :-)






Re: Spamassassin+amavis

2008-10-29 Thread Luis Croker

  How can I turn off the Network tests (RBLs) ???  Just to probe if it
can make the delivery faster. 

  


On Wed, 2008-10-29 at 04:05 +, Ned Slider wrote:

> Gary V wrote:
> > 
> > 6 seconds seems somewhat typical. Mostly due to network tests. Some
> > RBLs are no longer and you could turn the non functional RBL rules off
> > by setting to 0. I'm not sure which ones though. Maybe someone else
> > knows.
> > 
> 
>  From my own stats of hits against DNSBLs and URIBLs for the last ~1000 
> spam (these results are typical for me):
> 
> ## DNSBL Statistics ##
> 1223 RCVD_IN_ZEN (Spamhaus PBL, SBL or XBL)
> 1067 RCVD_IN_UCE_COMBINED (UCEPROTECT level 1, 2 or 3)
> 1052 RCVD_IN_PBL
>  900 RCVD_IN_UCEPROTECT3
>  834 RCVD_IN_UCEPROTECT2
>  678 RCVD_IN_SBLXBL
>  427 RCVD_IN_UCEPROTECT1
>  163 RCVD_IN_PSBL
>  105 RCVD_IN_BL_SPAMCOP_NET
>   15 RCVD_IN_SORBS_WEB
>   14 RCVD_IN_NJABL_PROXY
>    1 RCVD_IN_SORBS_DUL
>  1329 Total Spam
> 
> ## URIBL Statistics ##
> 1060 URIBL_BLACK
>  829 URIBL_JP_SURBL
>  695 URIBL_OB_SURBL
>  611 URIBL_SC_SURBL
>  444 URIBL_SBLXBL
>  440 URIBL_WS_SURBL
>  427 URIBL_AB_SURBL
>  163 URIBL_RHS_DOB
>   42 URIBL_PH_SURBL
>  1329 Total Spam
> 
> Spamhaus Zen is highly effective for me and hits on >90% of spam when 
> used as -lastexternal, and is the only DNSRBL I'd trust to use at the 
> smtp level. I've also added custom rules for UCE Protect levels 1-3 and 
> PSBL blacklists. I wouldn't use either at the smtp level as they do 
> generate the occasional FP, but UCE Protect is useful in a scoring 
> environment such as SA. For me NJABL, SORBS and pretty much anything 
> else are a waste of space relative to the effectiveness of Spamhaus. If 
> you can implement Spamhaus Zen at the smtp level then blocking ~90% of 
> spam before it ever reaches SA is hugely beneficial to system load and 
> the rest could probably be dropped from SA with minimal impact.
> 
> I also find the URIBLs to be very effective, especially URIBL_BLACK. 
> Between Bayes and my top DNSRBLs and URIBLs, nothing gets through - 
> everything else is just bumping the score further past the spam threshold.
> 
> I'd recommend taking a look at your own stats to see which are effective 
> for you and maybe drop those that are ineffective or, better still, look 
> at ways to pre-filter spam at the smtp level before it ever reaches 
> amavisd/SA so as to reduce the load (for example, 
> http://wiki.centos.org/HowTos/postfix_restrictions). A good setup like 
> this can easily block the vast majority of spam at the smtp level 
> meaning that your server/SA now primarily only has to deal with the ham 
> and an insignificantly small proportion of spam.
> 
> BTW, checking my logs I note typical delays of 4-6secs on a 3.0GHz quad 
> core server with 4GB RAM running 4 amavisd child processes that handles 
> a very light load.
> 
> -Ned
> 


Luis Croker
SCSA - SCNA 
Administrador de Sistemas 
Megacable Comunicaciones 
GPG Key1024D/48C1764B 
Key fingerprint = E8B6 E84F ECE4 661E 30C7 7208 042D BD09 48C1 764B




Re: whitelist_from not working

2008-10-29 Thread John Hardin

On Wed, 29 Oct 2008, Matt Kettler wrote:

> Benny Pedersen wrote:
>
>> the more i hear about whitelist_from the more i want to make a bug on it,
>> whitelist_from should imho never have been implemented
>
> Agreed. whitelist_from sucks. However, it's there as a method of 
> last-resort. There are some messages you can't whitelist in SA using any 
> other method. (ie: when the sender's server doesn't have reverse DNS).


I'm going to suggest again that, given how much pain it causes noobs, 
perhaps the use of whitelist_from should generate a lint _warning_ that it 
should only be used if no other whitelist method will work...


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 2 days until Halloween


Re: Spamassassin+amavis

2008-10-29 Thread Ned Slider

Luis Croker wrote:

>   How can I turn off the Network tests (RBLs) ???  Just to probe if it
> can make the delivery faster. 

In /etc/amavisd.conf, find the following line:

$sa_local_tests_only = 0;    # only tests which do not require internet access?


and change the setting to = 1

then restart amavisd



Re: had it with spaces spam and idiots at hotmail

2008-10-29 Thread Randy

Michael Scheidell wrote:
> I have had it with spaces live random url spam.  we get thousands of 
> them, most from zombots, and idiots at hotmail want a valid live 
> account to process the complaint"
>
> "Thank you for reporting spam to the Windows Live Hotmail Support 
> Team. This is an auto-generated response to inform you that we have 
> received your submission. Please note that you will not receive a 
> reply if you respond directly to this message.
> Unfortunately, in order to process your request, Hotmail Support needs 
> a valid Windows Live Hotmail hosted account."
>
> this looks for it, assigns some reasonable scores, and if (add your 
> favorite shortcut) bumps it up another 5.
>
> uri ST_SPACES   /\.spaces\.live\.com/$
> score   ST_SPACES 5 3 4 2
>
> meta ST_SPACES_BUMP (ST_SPACES && (RCVD_IN_BL_SPAMCOP_NET || 
> RCVD_IN_XBL || RCVD_IN_BL_SPAMCOP_NET || DCC_CHECK))
>
> tflags ST_SPACES_BUMP net
> score ST_SPACES_BUMP 5



We are receiving lots of this. Also look out for the university degree 
spam which seems new and using botnet.


Randy Ramsdell


Re: why is this message hitting URIBL_BLACK ...

2008-10-29 Thread Richard Frovarp

Claudia Burman wrote:

> ...if the URI is not listed in www.uribl.com ?
>
> Another message from the same domain doesn't hit the rule

uribl.com checks embedded URIs in the message, not the from domain. The 
content of the two messages was obviously different. One contained a 
listed URI, the other did not.


Re: why is this message hitting URIBL_BLACK ...

2008-10-29 Thread Randy

Claudia Burman wrote:

> ...if the URI is not listed in www.uribl.com ?
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from [...] (sending to my server)
> Received: from pikachu.nic.ar (unknown [140.191.48.11])
> by maderna.nic.ar (Postfix) with ESMTP id 83E07D7049;
> Wed, 29 Oct 2008 12:23:19 -0200 (ARST)
> Received: by pikachu.nic.ar (Postfix, from userid 2)
> id 0C59B17873; Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
> Subject: Solicitud de Modificacion de Datos de .com.ar Recibida
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Errors-To: [EMAIL PROTECTED]
> Message-Id: <[EMAIL PROTECTED]>
> Date: Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
> X-Virus-Scanned: amavisd-new at x.com
> X-Spam-Status: Yes, score=6.469 required=5 tests=[DNS_FROM_RFC_ABUSE=0.479,
> DNS_FROM_RFC_POST=1.44, EXCLAMACION_ES=1, NO_REAL_NAME=0.55, URIBL_BLACK=3]
> X-Spam-Score: 6.469
> X-Spam-Level: **
> X-Spam-Flag: YES
>
> Another message from the same domain doesn't hit the rule
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from [...] (sending to my server, same route)
> Received: from pikachu.nic.ar (unknown [140.191.48.11])
> by maderna.nic.ar (Postfix) with ESMTP id 4DDD3D70A4;
> Wed, 29 Oct 2008 13:22:41 -0200 (ARST)
> Received: by pikachu.nic.ar (Postfix, from userid 2)
> id 1E9C917873; Wed, 29 Oct 2008 13:22:41 -0200 (ARST)
> Subject: Solicitud de Renovacion de .net.ar Recibida
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Errors-To: [EMAIL PROTECTED]
> Message-Id: <[EMAIL PROTECTED]>
> Date: Wed, 29 Oct 2008 13:22:41 -0200 (ARST)
> X-Virus-Scanned: amavisd-new at .com
> X-Spam-Status: No, score=3.469 required=5 tests=[DNS_FROM_RFC_ABUSE=0.479,
> DNS_FROM_RFC_POST=1.44, EXCLAMACION_ES=1, NO_REAL_NAME=0.55]
> X-Spam-Score: 3.469
> X-Spam-Level: ***
>
> I am using spamassassin through amavis and rules were updated last week.
> And no, it was not delisted in the last hour, the same happened a 
> couple of hours ago with two messages from the same place
>
> Thanks
> Claudia Burman
> Argentina

Could it have been listed then removed?


why is this message hitting URIBL_BLACK ...

2008-10-29 Thread Claudia Burman

...if the URI is not listed in www.uribl.com ?

Return-Path: <[EMAIL PROTECTED]>
Received: from [...] (sending to my server)
Received: from pikachu.nic.ar (unknown [140.191.48.11])
by maderna.nic.ar (Postfix) with ESMTP id 83E07D7049;
Wed, 29 Oct 2008 12:23:19 -0200 (ARST)
Received: by pikachu.nic.ar (Postfix, from userid 2)
id 0C59B17873; Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
Subject: Solicitud de Modificacion de Datos de .com.ar Recibida
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Date: Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
X-Virus-Scanned: amavisd-new at x.com
X-Spam-Status: Yes, score=6.469 required=5 tests=[DNS_FROM_RFC_ABUSE=0.479,
DNS_FROM_RFC_POST=1.44, EXCLAMACION_ES=1, NO_REAL_NAME=0.55, URIBL_BLACK=3]
X-Spam-Score: 6.469
X-Spam-Level: **
X-Spam-Flag: YES



Another message from the same domain doesn't hit the rule

Return-Path: <[EMAIL PROTECTED]>
Received: from [...] (sending to my server, same route)
Received: from pikachu.nic.ar (unknown [140.191.48.11])
by maderna.nic.ar (Postfix) with ESMTP id 4DDD3D70A4;
Wed, 29 Oct 2008 13:22:41 -0200 (ARST)
Received: by pikachu.nic.ar (Postfix, from userid 2)
id 1E9C917873; Wed, 29 Oct 2008 13:22:41 -0200 (ARST)
Subject: Solicitud de Renovacion de .net.ar Recibida
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Date: Wed, 29 Oct 2008 13:22:41 -0200 (ARST)
X-Virus-Scanned: amavisd-new at .com
X-Spam-Status: No, score=3.469 required=5 tests=[DNS_FROM_RFC_ABUSE=0.479,
DNS_FROM_RFC_POST=1.44, EXCLAMACION_ES=1, NO_REAL_NAME=0.55]
X-Spam-Score: 3.469
X-Spam-Level: ***


I am using spamassassin through amavis and rules were updated last week.
And no, it was not delisted in the last hour, the same happened a couple 
of hours ago with two messages from the same place


Thanks
Claudia Burman
Argentina


Re: why is this message hitting URIBL_BLACK ...

2008-10-29 Thread John Hardin

On Wed, 29 Oct 2008, Claudia Burman wrote:

> ...if the URI is not listed in www.uribl.com ?
>
> Return-Path: <[EMAIL PROTECTED]>
> Received:  from [...] (sending to my server)
> Received:  from pikachu.nic.ar (unknown [140.191.48.11])
>  by maderna.nic.ar (Postfix) with ESMTP id 83E07D7049;
>  Wed, 29 Oct 2008 12:23:19 -0200 (ARST)
> Received: by pikachu.nic.ar (Postfix, from userid 2)
> id 0C59B17873; Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
> Subject: Solicitud de Modificacion de Datos de .com.ar Recibida
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Errors-To: [EMAIL PROTECTED]
> Message-Id: <[EMAIL PROTECTED]>
> Date: Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
> X-Virus-Scanned: amavisd-new at x.com
> X-Spam-Status: Yes, score=6.469 required=5 tests=[DNS_FROM_RFC_ABUSE=0.479,
> DNS_FROM_RFC_POST=1.44, EXCLAMACION_ES=1, NO_REAL_NAME=0.55, URIBL_BLACK=3]
> X-Spam-Score: 6.469
> X-Spam-Level: **
> X-Spam-Flag: YES

Where's a URI in that?

Look in the message body for URIs and/or domain names and check those 
against www.uribl.com.

> Another message from the same domain doesn't hit the rule


URIBL != DNSBL

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 2 days until Halloween
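
An added example, not part of the original thread, of the "URIBL != DNSBL" distinction: it builds the DNS names each kind of list would be asked about for two constructed messages that share the same Received path but differ in body content. The zone names are the public Spamhaus Zen and URIBL zones; the messages, addresses and the short two-level suffix table are constructed, and the registered-domain reduction is a simplification of what SpamAssassin does.

```python
import re
from email import message_from_string

DNSBL_ZONE = "zen.spamhaus.org"   # list behind RCVD_IN_ZEN
URIBL_ZONE = "multi.uribl.com"    # list behind URIBL_BLACK

# Simplified, constructed stand-in for a real public-suffix table.
TWO_LEVEL_SUFFIXES = {"com.ar", "net.ar", "co.uk"}

RELAY_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URI_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def dnsbl_queries(raw_message):
    """DNSBL: keyed on relay IPs from Received headers, octets reversed."""
    msg = message_from_string(raw_message)
    names = set()
    for received in msg.get_all("Received", []):
        for ip in RELAY_IP_RE.findall(received):
            names.add(".".join(reversed(ip.split("."))) + "." + DNSBL_ZONE)
    return sorted(names)


def registered_domain(host):
    """Reduce a hostname to its registered domain (simplified rule)."""
    labels = host.lower().strip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def uribl_queries(raw_message):
    """URIBL: keyed on domains of URIs found in the body, not the sender."""
    body = message_from_string(raw_message).get_payload()
    names = set()
    for host in URI_HOST_RE.findall(body):
        if re.fullmatch(r"[\d.]+", host):
            continue  # bare IP hosts are handled differently; skipped here
        names.add(registered_domain(host) + "." + URIBL_ZONE)
    return sorted(names)


# Constructed headers shared by both samples (documentation address range).
HEADERS = (
    "Received: from relay.example.net (unknown [192.0.2.25])\n"
    "\tby mx.example.org (Postfix) with ESMTP id CONSTRUCTED1;\n"
    "\tWed, 29 Oct 2008 12:23:19 -0200\n"
    "From: notices@registry.example\n"
    "Subject: constructed sample\n"
    "\n"
)

# Same sender and route, different body content.
WITH_LINK = HEADERS + (
    "Your request was received. Details: "
    "http://www.oferta.example.com.ar/status?id=1\n"
)
WITHOUT_LINK = HEADERS + "Your request was received.\n"

if __name__ == "__main__":
    for label, raw in (("with link", WITH_LINK), ("without link", WITHOUT_LINK)):
        print(label)
        print("  DNSBL:", dnsbl_queries(raw))
        print("  URIBL:", uribl_queries(raw))
```

Both messages produce the same DNSBL query, but only the one with a link produces a URIBL query, which is why two messages from the same sender can differ on URIBL_BLACK.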


Re: why is this message hitting URIBL_BLACK ...

2008-10-29 Thread Claudia Burman

Oh, I see now, I thought it was only testing the sender.

Yes, one of the domains mentioned in the message body was listed.

Thanks!

Claudia

John Hardin wrote:

> On Wed, 29 Oct 2008, Claudia Burman wrote:
>
>> ...if the URI is not listed in www.uribl.com ?
>>
>> Return-Path: <[EMAIL PROTECTED]>
>> Received:  from [...] (sending to my server)
>> Received:  from pikachu.nic.ar (unknown [140.191.48.11])
>>  by maderna.nic.ar (Postfix) with ESMTP id 83E07D7049;
>>  Wed, 29 Oct 2008 12:23:19 -0200 (ARST)
>> Received: by pikachu.nic.ar (Postfix, from userid 2)
>> id 0C59B17873; Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
>> Subject: Solicitud de Modificacion de Datos de .com.ar Recibida
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Reply-To: [EMAIL PROTECTED]
>> Errors-To: [EMAIL PROTECTED]
>> Message-Id: <[EMAIL PROTECTED]>
>> Date: Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
>> X-Virus-Scanned: amavisd-new at x.com
>> X-Spam-Status: Yes, score=6.469 required=5 tests=[DNS_FROM_RFC_ABUSE=0.479,
>> DNS_FROM_RFC_POST=1.44, EXCLAMACION_ES=1, NO_REAL_NAME=0.55, URIBL_BLACK=3]
>> X-Spam-Score: 6.469
>> X-Spam-Level: **
>> X-Spam-Flag: YES
>
> Where's a URI in that?
>
> Look in the message body for URIs and/or domain names and check those 
> against www.uribl.com.
>
>> Another message from the same domain doesn't hit the rule
>
> URIBL != DNSBL





Re: whitelist_from not working

2008-10-29 Thread Karsten Bräckelmann
On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
> I'm going to suggest again that, given how much pain it causes noobs, 
> perhaps the use of whitelist_from should generate a lint _warning_ that it 
> should only be used if no other whitelist method will work...

The thing with noobs and whitelist_from (according to my experience on
this list) appears to be a lack of reading. I got the impression most of
them just blindly whitelist_from their own domain to be on the safe
side, without any prior investigation and usually without any need.

I believe some of the recent threads like this clearly showed that SA
has been set up right before that, for the first time, and this is kind
of the very first customization...

  guenther





RE: had it with spaces spam and idiots at hotmail

2008-10-29 Thread RobertH

> 
>  this looks for it, assigns some reasonable scores, and if (add your 
> favorite shortcut) bumps it up another 5.
> 
> uri ST_SPACES   /\.spaces\.live\.com/$
> score   ST_SPACES 5 3 4 2
> 
> meta ST_SPACES_BUMP (ST_SPACES && (RCVD_IN_BL_SPAMCOP_NET || 
> RCVD_IN_XBL 
> || RCVD_IN_BL_SPAMCOP_NET || DCC_CHECK))
> tflags ST_SPACES_BUMP net
> score ST_SPACES_BUMP 5
> 
> -- 
> Michael Scheidell, CTO

is it just me?

:-)

[EMAIL PROTECTED] ~]$ spamassassin --lint
[27054] warn: config: invalid regexp for rule ST_SPACES:
/\.spaces\.live\.com/$: missing or invalid delimiters
[27054] warn: lint: 1 issues detected, please rerun with debug enabled for
more information

 - rh



Re: whitelist_from not working

2008-10-29 Thread John Hardin

On Wed, 29 Oct 2008, Karsten Bräckelmann wrote:

> On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
>
>> I'm going to suggest again that, given how much pain it causes noobs,
>> perhaps the use of whitelist_from should generate a lint _warning_ that it
>> should only be used if no other whitelist method will work...
>
> The thing with noobs and whitelist_from (according to my experience on 
> this list) appears to be a lack of reading. I got the impression most of 
> them just blindly whitelist_from their own domain to be on the safe 
> side, without any prior investigation and usually without any need.


Agreed, and if they aren't reading the documentation carefully enough to 
see the warnings about using whitelist_from, then they probably aren't 
running a lint either...


However, if emitting a warning in lint saves having some "why are spams 
hitting USER_IN_WHITELIST??" messages sent to the list, it's probably 
worth doing.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 2 days until Halloween

Re: undefined symbol:Mail_SpamAssassin_CompiledRegexps_body_0_scan1

2008-10-29 Thread Karsten Bräckelmann
On Mon, 2008-10-27 at 18:40 +0200, Jari Fredriksson wrote:
> > 
> > Which third-party rule-sets do you use? Can you perhaps
> > identify one that triggers this?

*sigh*  I wished you would actually answer this and some other questions
I have been repeating...

A bug report that is not reproducible, doesn't give any hint about the
issue (specifically including moving target rule-sets here) and doesn't
provide the information asked for eventually will be just closed.


> Well, I went and activated compilation. I had earlier removed
> /var/lib/spamsassassin/compiled folder, and 
> 
> now it works! No errors!
> 
> I guess the compiled folder was somehow damaged, and compiling a fresh
> one fixed it. Possible?

Sorry, dunno -- but AFAIK, the previous compiled set, no matter how
broken it is, should not have any effect on a new compilation run.

  guenther





Re: whitelist_from not working

2008-10-29 Thread Karsten Bräckelmann
On Wed, 2008-10-29 at 11:15 -0700, John Hardin wrote:
> On Wed, 29 Oct 2008, Karsten Bräckelmann wrote:

> > The thing with noobs and whitelist_from (according to my experience on 
> > this list) appears to be a lack of reading. I got the impression most of 
> > them just blindly whitelist_from their own domain to be on the safe 
> > side, without any prior investigation and usually without any need.
> 
> Agreed, and if they aren't reading the documentation carefully enough to 
> see the warnings about using whitelist_from, then they probably aren't 
> running a lint either...
> 
> However, if emitting a warning in lint saves having some "why are spams 
> hitting USER_IN_WHITELIST??" messages sent to the list, it's probably 
> worth doing.

I'm not convinced this would help much, for the reason you mention in
your first paragraph. ;)  Also, this would be rather annoying for those
who use it legitimately [1] and know what they are doing.

What I am really wondering about is, *why* they set it in the first
place, and where they found out about this, without actually reading
much documentation.


The funny thing is, that quite a lot of the recent threads regarding
whitelist_from are not asking about spam slipping through, but the
opposite -- they are claiming that whitelisting does *not* work, despite
the setting.

  guenther


[1] Meh, this one was exceptionally hard to spell correctly. ;)




RE: had it with spaces spam and idiots at hotmail

2008-10-29 Thread Bowie Bailey
RobertH wrote:
> >  this looks for it, assigns some reasonable scores, and if (add your
> > favorite shortcut) bumps it up another 5.
> > 
> > uri ST_SPACES   /\.spaces\.live\.com/$
> > score   ST_SPACES 5 3 4 2
> > 
> > meta ST_SPACES_BUMP (ST_SPACES && (RCVD_IN_BL_SPAMCOP_NET ||
> > RCVD_IN_XBL
> > || RCVD_IN_BL_SPAMCOP_NET || DCC_CHECK))
> > tflags ST_SPACES_BUMP net
> > score ST_SPACES_BUMP 5
> > 
> > --
> > Michael Scheidell, CTO
> 
> is it just me?
> 
> :-)
> 
> [EMAIL PROTECTED] ~]$ spamassassin --lint
> [27054] warn: config: invalid regexp for rule ST_SPACES:
> /\.spaces\.live\.com/$: missing or invalid delimiters
> [27054] warn: lint: 1 issues detected, please rerun with debug
> enabled for more information

Looks like that should be:

uri  ST_SPACES  /\.spaces\.live\.com$/

-- 
Bowie


Re: whitelist_from not working

2008-10-29 Thread Matus UHLAR - fantomas
> >On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
> >>I'm going to suggest again that, given how much pain it causes noobs,
> >>perhaps the use of whitelist_from should generate a lint _warning_ that it
> >>should only be used if no other whitelist method will work...

> On Wed, 29 Oct 2008, Karsten Bräckelmann wrote:
> >The thing with noobs and whitelist_from (according to my experience on 
> >this list) appears to be a lack of reading. I got the impression most of 
> >them just blindly whitelist_from their own domain to be on the safe 
> >side, without any prior investigation and usually without any need.

On 29.10.08 11:15, John Hardin wrote:
> Agreed, and if they aren't reading the documentation carefully enough to 
> see the warnings about using whitelist_from, then they probably aren't 
> running a lint either...
> 
> However, if emitting a warning in lint saves having some "why are spams 
> hitting USER_IN_WHITELIST??" messages sent to the list, it's probably 
> worth doing.

Actually, it's completely safe to whitelist some domains, if your MTA does
the SPF check for you, and you expect no fails to pass for those domains...

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


FP case for FM_DOESNT_SAY_STOCK

2008-10-29 Thread Matt Kettler
Not sure who owns this rule, but I just got a note about a FP case in
this rule.

The message was a legitimate email from a stock broker, which contained
symbol quotes. However, the email used the word "securities" instead of
"stock".

It's certainly quite valid to talk about stocks as securities, and it's
something a real stock broker is likely to do, so it might be worth
adding this.




Re: undefined symbol:Mail_SpamAssassin_CompiledRegexps_body_0_scan1

2008-10-29 Thread Jari Fredriksson

If you or anyone wants to see the damaged folder, it is zipped and can be 
downloaded: http://www.localnet.fi/jarif/sa-compiled-bad.zip