Re: SURBL Usage Policy change

2008-11-12 Thread Dave Koontz
Jeff Chan wrote ... (11/11/2008 7:33 PM):
> Hi Micah,
> Thanks very much for the feedback.  Does anyone know how many
> non-profits have more than 1,000 users (i.e., users with
> mailboxes)?  The non-profit pricing is below ISPs and half that
> of regular end users.
>   
There are many non-profits out there that will hit your limits... I
don't think anyone knows how many there are.  1,000 users is fairly
trivial, and most non profits won't even be able to fill in your forms
second "required" field of how many messages on "Average" they send a day.

I can tell you that most all small 'private' not for profit schools and
colleges will get hit hard by your new fees.  In fact, your new fees are
more than we spend on our email server per year, and as a result will
never happen.

Given this change in SURBL in policy and pricing, I would strongly
suggest removing their rules from the SA rule base.  Otherwise, you will
likely get lots of complaints from users of systems that have embedded
SA installs, or others who do not monitor this list.  I can see many
Barracuda users not having a clue why they are now being blocked and
their systems are processing messages slower as a result.

Sorry Jeff, but this is much too expensive for us and many others I suspect.



Re: Question training the Bayse filter

2008-11-12 Thread Thomas Zastrow

Dear Karsten.

Karsten Bräckelmann wrote:
> On Tue, 2008-11-11 at 21:55 +0100, Thomas Zastrow wrote:
>
>> I'm still not happy with my Spamassassin ... it doesn't recognize a lot
>> of Spam mails, even my Thunderbird with default properties recognizes
>> more than SA.
>>
>> Every day, I train the Bayes filter with all the spam which were not
>> already recognized as spam. My question is now: makes it sense to use
>> also the already as spam marked mails as input for sa-learn?
>
> Yes, but... (you know, there just has to be a but. ;)
>
> I'm taking a guess here only, however your description sounds like you
> may not have trained Bayes on *ham* properly. It is important to train
> both, spam and ham -- otherwise, everything would start to look spammy.

I trained it also on ham.

> Moreover, Bayes doesn't even return a score, if it hasn't been trained
> sufficiently, to avoid mis-fire. You'll need to train it at least 200
> spam and ham each, for Bayes to kick in. Preferably much more, taken
> from your recent and possibly archived ham. Similar for spam, though the
> older spam gets, the less useful it is for training. Spam changes much
> more rapidly than the average users ham.

I trained it with more than 1000 spam and ham mails :-)

> If this might be the case, you will not have seen BAYES rules in any of
> your messages SA headers. To know for sure about your training so far,
> see nham and nspam in this command:
>
>   sa-learn --dump magic

There are Bayes rules, but often the value is very small so that it does
not change the status of the mail. Here is the output of the sa-learn
--dump magic command:

0.000  0  3  0  non-token data: bayes db version
0.000  0713  0  non-token data: nspam
0.000  0788  0  non-token data: nham
0.000  0  88333  0  non-token data: ntokens
0.000  0 1224748855  0  non-token data: oldest atime
0.000  0 1226489058  0  non-token data: newest atime
0.000  0 1226484876  0  non-token data: last journal sync atime
0.000  0  0  0  non-token data: last expiry atime
0.000  0  0  0  non-token data: last expire atime delta
0.000  0  0  0  non-token data: last expire reduction count

> Another common pitfall is training as the wrong user. You did train
> Bayes running as the same user SA is being called on behalf in your mail
> processing chain?  HTH

It does run definitely as the same user.

Thanks for your mail,

Tom

  




Re: SURBL Usage Policy change

2008-11-12 Thread Peter Nitschke
On 12/11/2008 at 1:15 PM Henrik K wrote:

>On Tue, Nov 11, 2008 at 04:33:50PM -0800, Jeff Chan wrote:
>> 
>> Hi Micah,
>> Thanks very much for the feedback.  Does anyone know how many
>> non-profits have more than 1,000 users (i.e., users with
>> mailboxes)?  The non-profit pricing is below ISPs and half that
>> of regular end users.
>
>Sometimes the requirements make no sense. A server with 1 user can receive
>more spam than a server with 1000 users. Both may be non-profit and receive
>no money from users. There is a huge difference also whether you use
>greylisting and other rules _before_ blacklist checks.
>
>So which is it, 25 messages (queries) or 1000 users?
>
>1000 users and 1 messages costs 500 USD.
>1000 users and 25 messages costs 500 USD.
>
>Which affects DNS servers more?
>
>Of course people can pretty easily lie about numbers. Setting up rsync
>access does require some effort and resources. You could just write that
>either pay the minimum 500 USD or don't bother us.
>
>If a large ISP pays 2000 USD for 1000 messages, I'm not going to pay 500
>USD for 5 non-profit messages (I am over the 1000 user limit and use
>aggressive filtering before rbls).
>
>I would be happy to pay a nominal fee for "rsync-access" though, since it
>does make things more secure and faster, also allows to use the data for
>other purposes. Before that's reality, I guess someone needs to come up with
>a better public distribution method than rsync. P2P?
>
>By the way, do DNS mirrors get paid anything? It's my non-educated
>impression that most big blacklists consist largely of donated DNS servers
>from big ISPs etc. Respect to those that dare to face DoSes. :)

Read the entire sentence.

"Please note that free public DNS queries for organizations smaller
than 1,000 users or processing fewer than 250,000 messages per
day is unchanged.  "

So you could have 1,000,000 users but less than 250,000 messages per day,
or get 3 gazillion messages per day but for less than 1000 users.

The key word is "or".

If you satisfy either requirement ( <1,000 users OR <250,000 mails) then
you still get free access.

Or am I the one reading it wrong?

Peter




Re: Funds / Award release scams poor scoring

2008-11-12 Thread John Hardin

On Wed, 12 Nov 2008, Justin Mason wrote:

> John Hardin writes:
>
>> Check out the sought-fraud ruleset.
>>
>> http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
>>
>> (I don't know if it's in sa-update yet - Justin?)
>
> That's in sa-update since last night; it's now bundled in the main
> "sought" ruleset channel, as well.

Thanks!

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 Today: Veterans Day


Re: SURBL Usage Policy change

2008-11-12 Thread SM

At 16:58 11-11-2008, Dave Koontz wrote:
> Given this change in SURBL in policy and pricing, I would strongly
> suggest removing their rules from the SA rule base.  Otherwise, you will
> likely get lots of complaints from users of systems that have embedded
> SA installs, or others who do not monitor this list.  I can see many
> Barracuda users not having a clue why they are now being blocked and
> their systems are processing messages slower as a result.


Most blacklists have a usage policy where you are charged if your 
site generates more than X queries.  As the SpamAssassin rule base 
contains several blacklists which are pay-ware, those rules would 
have to be removed as well.  Barracuda users being blocked is not a 
SpamAssassin issue.


Do you want SpamAssassin to include a warning about "external charges 
may apply if the blacklists included in the rule base are used to 
process more than X messages or if your site has more than Y users"?


Regards,
-sm 



Major spam source, McColo, knocked offline

2008-11-12 Thread Bill Landry
Found this posted on another list, thought others here might find this
of interest, as well.

Major Source of Online Scams and Spams Knocked Offline:
http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html

SpamCop.net - Total spam report volume:
http://www.spamcop.net/spamgraph.shtml?spamweek

Bill


Re: Spamassassin+amavis

2008-11-12 Thread Luis Croker

Hi, this mail is just to say thanks to all the people who kindly sent me a
mail trying to figure out the low performance in my server.

Right now the server is working well and filtering like I wish.  The
changes I did were to decrease the number of amavisd processes to 5,
turn off DCC and the network tests, and install the DNS service
locally.

Thanks all.  Regards.



On Thu, 2008-11-06 at 01:07 +0100, Mark Martinec wrote:

> Luis,
> 
> >  I was doing some tests with all the recommendations you sent me...
> > and I can make to work the server correctly... I was filtering spam with
> > no problems and my performance troubles disappeared...
> >
> >  I just configured 5 procs for amavis and postfix content filter and
> > I turn off the network tests...  the server can filter a lot of spam and
> > deliver quickly... but now appears another problem :(
> 
> With your 4 CPU 4 GB mem box you should be able to run more than 4
> amavisd(+SA) processes. As a rule of a thumb, I'd say your box should
> not have trouble running 20..30 processes.
> 
> >  Until today morning... I was filtering and delivering fine, but
> > suddenly I received these  messages and the delivery is sooo slow and
> > the mail queue just is growing and growing
> >
> > Nov  5 12:51:23 mailgw postfix/qmgr[14251]: warning: mail for
> > [127.0.0.1]:10024 is using up 4001 of 4004 active queue entries
> 
> This is just a consequence of your amavisd+SpamAssassin not being able
> to keep up with the incoming mail flow. No fine tuning on the Postfix
> side will be able to compensate for the fact that your mail inflow rate
> is larger than the mail processing throughput of SpamAssassin filtering.
> 
> What is your message rate on a normal day? Is the current mail flow
> significantly larger? Perhaps you are under a bounce storm, which can
> easily increase the mail flow rate by an order of magnitude. Examine
> what kind of messages are most typical in your mail queue (mailq, postcat),
> try to determine if these are just normal spam flow, or bounces, or
> something else (e.g. mailer abused as an open relay, perhaps by one of
> your client PCs which might have been zombiized).
> 
> What is the message throughput through the filter - see what amavisd-agent
> has to report, the more interesting figures are for example:
> 
> CacheAttempts        15216   3217/h   100.0 % (CacheAttempts)
> CacheHits             1750    370/h    11.5 % (CacheAttempts)
> ...
> InMsgs               15216   3217/h   100.0 % (InMsgs)
> InMsgsBounce          4176    883/h    27.4 % (InMsgs)
> InMsgsBounceKilled    3904    825/h    93.5 % (InMsgsBounce)
> ...
> TimeElapsedDecoding  ...
> TimeElapsedPenPals
> TimeElapsedReceiving
> TimeElapsedSending
> TimeElapsedSpamCheck
> TimeElapsedVirusCheck
> TimeElapsedTotal
> 
> How does the display of amavisd-nanny look like? Are all processes
> about evenly busy? Are processing times significantly longer than a
> couple of seconds? Set $nanny_details_level=2; (in amavisd.conf) for
> more detailed timing breakdown by amavisd-nanny.
> 
> Check timing log (at log level 2), you may want to (re)confirm that
> SpamAssassin is really taking most of the time, just in case.
> 
> > -I turned off DCC, Razor and Pyzor. 
> > -I set the bayes use to 0.
> 
> These were pretty drastic measures, significantly affecting quality
> of SA results. Once you get over the current crisis, at least put back
> the DCC and Bayes on MySQL, which are relatively low resource consumers
> compared to regexp-based rules and to Pyzor (razor is somewhere in between).
> 
>   Mark
> 
> 


Luis Croker
SCSA - SCNA 
Administrador de Sistemas 
Megacable Comunicaciones 
GPG Key1024D/48C1764B 
Key fingerprint = E8B6 E84F ECE4 661E 30C7 7208 042D BD09 48C1 764B


Re: Major spam source, McColo, knocked offline

2008-11-12 Thread Matthias Leisi

> SpamCop.net - Total spam report volume:
> http://www.spamcop.net/spamgraph.shtml?spamweek

I first thought my stats are broken, but it seems they are still working
as they did before - note the share-price-like drop beginning sometime
after 22:00 UTC yesterday.

(These mrtg charts are not mail volume, but dnswl.org-query volume
numbers, which is a rough proxy for overall mail volume trends.)

-- Matthias




Re: SURBL Usage Policy change

2008-11-12 Thread Peter Nitschke

On 11/11/2008 at 7:58 PM Dave Koontz wrote:

>There are many non-profits out there that will hit your limits... I
>don't think anyone knows how many there are.  1,000 users is fairly
>trivial, and most non profits won't even be able to fill in your forms
>second "required" field of how many messages on "Average" they send a day.
>
>I can tell you that most all small 'private' not for profit schools and
>colleges will get hit hard by your new fees.  In fact, your new fees are
>more than we spend on our email server per year, and as a result will
>never happen.
>
>Given this change in SURBL in policy and pricing, I would strongly
>suggest removing their rules from the SA rule base.  Otherwise, you will
>likely get lots of complaints from users of systems that have embedded
>SA installs, or others who do not monitor this list.  I can see many
>Barracuda users not having a clue why they are now being blocked and
>their systems are processing messages slower as a result.
>
>Sorry Jeff, but this is much too expensive for us and many others I
>suspect.


"or processing fewer than 250,000 messages per day"

Wouldn't that cover most not for profit organisations?

Peter




Re: sa-update fails suddenly

2008-11-12 Thread Justin Mason

What about "spamassassin -D --lint"? 

btw I suspect this is from having 2 versions of SpamAssassin installed, 
and/or 2 versions of perl, colliding with each other.

--j.

Michael Monnerie writes:
> On Mittwoch, 12. November 2008 Justin Mason wrote:
> > Are you using the sought ruleset?  I updated that last night to
> > bundle the new anti-fraud component.   However it all looks fine and
> > I can't see a bug that would cause those errors...
> 
> Oh, my first mail to the list arrived, so I seem to not get any mails 
> since 2nd November. I'll look into that.
> 
> Meanwhile, my apologies for double posting.
> 
> And yes Justin, I'm using 2 channels, one is your sought rules. But even 
> just calling sa-update gives errors:
> 
> ***
>  # sa-update
> Subroutine check_for_from_dns redefined at 
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/EvalTests.pm line 
> 1429.
> plugin: failed to parse plugin (from @INC): Bareword 
> "Mail::SpamAssassin::Constants::CHARSETS_LIKELY_TO_FP_AS_CAPS" not 
> allowed while "strict subs" in use at 
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm 
> line 968.
> Compilation failed in require at (eval 101) line 1.
> 
> plugin: failed to parse plugin (from @INC): 
> "CHARSETS_LIKELY_TO_FP_AS_CAPS" is not exported by the 
> Mail::SpamAssassin::Constants module
> Can't continue after import errors at 
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 
> 22
> BEGIN failed--compilation aborted at 
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 
> 22.
> Compilation failed in require at (eval 102) line 1.
> 
> Use of uninitialized value in concatenation (.) or string at 
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
> 2669.
> Use of uninitialized value in concatenation (.) or string at 
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
> 2669.
> Use of uninitialized value in concatenation (.) or string at 
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
> 2669.
> Number found where operator expected at (eval 143) line 10, near "}
> (and much more lines follow)
> ***
> 
> mfg zmi
> -- 
> // Michael Monnerie, Ing.BSc-  http://it-management.at
> // Tel: 0660 / 415 65 31  .network.your.ideas.
> // PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
> // Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
> // Keyserver: www.keyserver.net   Key-ID: 1C1209B4
> 
> exit 255
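
A check for the collision suspected in this reply, as an added example (not code from the thread or from SpamAssassin): it groups the Mail::SpamAssassin module paths named in the error output by library root and flags output that mixes roots. The function names are illustrative, and the sample is abridged from the output quoted above.

```python
import os
import re
from collections import defaultdict

# Abridged from the sa-update output quoted in this thread (line wraps kept).
SAMPLE_OUTPUT = """\
Subroutine check_for_from_dns redefined at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/EvalTests.pm line
1429.
plugin: failed to parse plugin (from @INC): Bareword
"Mail::SpamAssassin::Constants::CHARSETS_LIKELY_TO_FP_AS_CAPS" not
allowed while "strict subs" in use at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm
line 968.
Can't continue after import errors at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line
22
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
"""

# A path ending in Mail/SpamAssassin.pm or Mail/SpamAssassin/<...>.pm.
# Group 1 is the library root, group 2 the module file relative to it.
MODULE_PATH = re.compile(r"(/\S*?)/(Mail/SpamAssassin(?:/\S+?)?\.pm)\b")


def module_roots(output):
    """Map each library root seen in the output to the modules loaded from it."""
    roots = defaultdict(set)
    for root, module in MODULE_PATH.findall(output):
        roots[root].add(module)
    return dict(roots)


def mixed_install(output):
    """True when SpamAssassin modules were loaded from more than one root."""
    return len(module_roots(output)) > 1


def find_installs(lib_dirs):
    """Return the directories in lib_dirs that hold Mail/SpamAssassin.pm.

    lib_dirs would normally be perl's @INC, for example the lines printed
    by: perl -e 'print join("\\n", @INC)'
    """
    return [d for d in lib_dirs
            if os.path.isfile(os.path.join(d, "Mail", "SpamAssassin.pm"))]


def summarize(output):
    """One line per root, listing the modules loaded from it."""
    return [f"{root}: {', '.join(sorted(mods))}"
            for root, mods in sorted(module_roots(output).items())]


if __name__ == "__main__":
    for line in summarize(SAMPLE_OUTPUT):
        print(line)
    if mixed_install(SAMPLE_OUTPUT):
        print("modules come from more than one library root")
```
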


Re: SURBL Usage Policy change

2008-11-12 Thread Matus UHLAR - fantomas
On 12.11.08 21:56, Peter Nitschke wrote:
> Read the entire sentence.
> 
> "Please note that free public DNS queries for organizations smaller
> than 1,000 users or processing fewer than 250,000 messages per
> day is unchanged.  "
> 
> So you could have 1,000,000 users but less than 250,000 messages per day,
> or get 3 gazillion messages per day but for less than 1000 users.
> 
> The key word is "or".
> 
> If you satisfy either requirement ( <1,000 users OR <250,000 mails) then
> you still get free access.
> 
> Or am I the one reading it wrong?

In another mail to surbl list it was mentioned that any organization who has
more than >1000 users or processes >25 messages per day, the feed must
be set up and charge paid. 

That meant you need to have <=1000 users AND process <=25 messages daily
(average) to have free access.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: Funds / Award release scams poor scoring

2008-11-12 Thread Micah Anderson
* Justin Mason <[EMAIL PROTECTED]> [2008-11-12 05:20-0500]:
> 
> John Hardin writes:
> > On Sun, 9 Nov 2008, Micah Anderson wrote:
> > 
> > > Does anyone have any rules to catch these, or suggestions of scores to
> > > tweak to make these hit better?  I am running clamav-milter with the
> > > sanesecurity add-ons, but these are still making it through.
> > 
> > Check out the sought-fraud ruleset.
> > 
> > http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
> > 
> > (I don't know if it's in sa-update yet - Justin?)
> 
> That's in sa-update since last night; it's now bundled in the main
> "sought" ruleset channel, as well.

Which channels specifically? Do you mean to say that it is in both:

updates.spamassassin.org
sought.rules.yerp.org

now?

Thanks!
Micah




Re: SURBL Usage Policy change

2008-11-12 Thread Henrik K
On Tue, Nov 11, 2008 at 07:58:01PM -0500, Dave Koontz wrote:
>
> Given this change in SURBL in policy and pricing, I would strongly
> suggest removing their rules from the SA rule base.  Otherwise, you will
> likely get lots of complaints from users of systems that have embedded
> SA installs, or others who do not monitor this list.  I can see many
> Barracuda users not having a clue why they are now being blocked and
> their systems are processing messages slower as a result.

By your reasoning, spamhaus should also be removed from default rules.



Re: Overriding user prefs in local.cf

2008-11-12 Thread Micah Anderson
Matt Kettler <[EMAIL PROTECTED]> writes:

> Micah Anderson wrote:
>> I set some 'add_header' options in my global local.cf and could not
>> figure out why they were not being applied. It turns out that because I
>> am using SQL user_prefs, any add_header lines I put in local.cf are just
>> ignored (even though I have no global or individual add_header lines
>> configured in my sql table).
>>   
> That's strange. They should only be ignored if the user prefs contains a
> clear_headers, or if it has an add_header for the exact same header.
>
> Does your user_prefs or global contain a clear_headers command?

No, that's why I was confused as well. My global prefs don't exist in SQL
at all, and my user prefs do not contain either an add_headers or
clear_headers command. 

>> Is there any documentation that details which options that I might
>> configure in local.cf that are overridden by user prefs simply existing?
>>   
> There are none that are cleared simply by the merits of user_prefs
> existing. An empty prefs is the same as no prefs.

Ok, that's how I expected things to work, clearly something else is going
on then.

thanks,
micah



Re: SURBL Usage Policy change

2008-11-12 Thread Matus UHLAR - fantomas
On 12.11.08 13:00, Matus UHLAR - fantomas wrote:
> In another mail to surbl list it was mentioned that any organization who has
> more than >1000 users or processes >25 messages per day, the feed must
> be set up and charge paid. 
> 
> That meant you need to have <=1000 users AND process <=25 messages daily
> (average) to have free access.

Oops, it's <1000 u AND <25 m/d for free access or >=1000u or >=25 m/d
for non-free access
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...


Re: SURBL Usage Policy change

2008-11-12 Thread Jeff Chan
On Wednesday, November 12, 2008, 2:33:53 AM, Peter Nitschke wrote:

> On 11/11/2008 at 7:58 PM Dave Koontz wrote:

>>There are many non-profits out there that will hit your limits... I
>>don't think anyone knows how many there are.  1,000 users is fairly
>>trivial, and most non profits won't even be able to fill in your forms
>>second "required" field of how many messages on "Average" they send a day.
>>
>>I can tell you that most all small 'private' not for profit schools and
>>colleges will get hit hard by your new fees.  In fact, your new fees are
>>more than we spend on our email server per year, and as a result will
>>never happen.
>>
>>Given this change in SURBL in policy and pricing, I would strongly
>>suggest removing their rules from the SA rule base.  Otherwise, you will
>>likely get lots of complaints from users of systems that have embedded
>>SA installs, or others who do not monitor this list.  I can see many
>>Barracuda users not having a clue why they are now being blocked and
>>their systems are processing messages slower as a result.
>>
>>Sorry Jeff, but this is much too expensive for us and many others I
>>suspect.


> "or processing fewer than 250,000 messages per day"

> Wouldn't that cover most not for profit organisations?

> Peter

We deliberately chose 1,000 users and 250,000 messages to be high
limits.  Most small to medium sized organizations would not hit
them and could therefore keep using the free DNS queries.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



sa-update fails suddenly

2008-11-12 Thread Michael Monnerie
Without changing anything my sa-update suddenly fails badly. Can someone 
give me a hint?


Subroutine check_for_from_dns redefined at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/EvalTests.pm line 
1429.
plugin: failed to parse plugin (from @INC): Bareword 
"Mail::SpamAssassin::Constants::CHARSETS_LIKELY_TO_FP_AS_CAPS" not 
allowed while "strict subs" in use at 
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm 
line 968.
Compilation failed in require at (eval 101) line 1.

plugin: failed to parse plugin (from @INC): 
"CHARSETS_LIKELY_TO_FP_AS_CAPS" is not exported by the 
Mail::SpamAssassin::Constants module
Can't continue after import errors at 
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 
22
BEGIN failed--compilation aborted at 
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 
22.
Compilation failed in require at (eval 102) line 1.

Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Number found where operator expected at (eval 143) line 10, near "}

1"
(Missing operator before 

1?)
rules: failed to run header tests, skipping some: syntax error at (eval 
143) line 6, at EOF
Global symbol "$plugin" requires explicit package name at (eval 143) 
line 7.
syntax error at (eval 143) line 11, near ";
}"

Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Number found where operator expected at (eval 144) line 10, near "}

1"
(Missing operator before 

1?)
rules: failed to run header tests, skipping some: syntax error at (eval 
144) line 6, at EOF
Global symbol "$plugin" requires explicit package name at (eval 144) 
line 7.
syntax error at (eval 144) line 11, near ";
}"

Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Number found where operator expected at (eval 145) line 10, near "}

1"
(Missing operator before 

1?)
rules: failed to run header tests, skipping some: syntax error at (eval 
145) line 6, at EOF
Global symbol "$plugin" requires explicit package name at (eval 145) 
line 7.
syntax error at (eval 145) line 11, near ";
}"

Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Number found where operator expected at (eval 146) line 10, near "}

1"
(Missing operator before 

1?)
rules: failed to run header tests, skipping some: syntax error at (eval 
146) line 6, at EOF
Global symbol "$plugin" requires explicit package name at (eval 146) 
line 7.
syntax error at (eval 146) line 11, near ";
}"

Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Number found where operator expected at (eval 147) line 10, near "}

1"
(Missing operator before 

1?)
rules: failed to run header tests, skipping some: syntax error at (eval 
147) line 6, at EOF
Global symbol "$plugin" requires explicit package name at (eval 147) 
line 7.
syntax error at (eval 147) line 11, near ";
}"

Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor

Re: Funds / Award release scams poor scoring

2008-11-12 Thread Justin Mason

Micah Anderson writes:
> * Justin Mason <[EMAIL PROTECTED]> [2008-11-12 05:20-0500]:
> > 
> > John Hardin writes:
> > > On Sun, 9 Nov 2008, Micah Anderson wrote:
> > > 
> > > > Does anyone have any rules to catch these, or suggestions of scores to
> > > > tweak to make these hit better?  I am running clamav-milter with the
> > > > sanesecurity add-ons, but these are still making it through.
> > > 
> > > Check out the sought-fraud ruleset.
> > > 
> > > http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
> > > 
> > > (I don't know if it's in sa-update yet - Justin?)
> > 
> > That's in sa-update since last night; it's now bundled in the main
> > "sought" ruleset channel, as well.
> 
> Which channels specifically? Do you mean to say that it is in both:
> 
> updates.spamassassin.org
> sought.rules.yerp.org

just the latter.


Re: Question training the Bayse filter

2008-11-12 Thread Karsten Bräckelmann
On Wed, 2008-11-12 at 12:24 +0100, Thomas Zastrow wrote:
> Karsten Bräckelmann schrieb:
> > On Tue, 2008-11-11 at 21:55 +0100, Thomas Zastrow wrote:
> >   
> >> I'm still not happy with my Spamassassin ... it doesn't recognize a lot
> >> of Spam mails, even my Thunderbird with default properties recognizes
> >> more than SA.

Coincidentally, I just migrated a few home users from the TB internal
Bayes filter to a full featured SA install. So far, they are more than
happy. (Even the one who didn't have sufficient spam on the first run,
so Bayes started working later only.)

Are you sure it's Bayes you're having trouble with? Any chance it's
actually something else, like disabled network tests? Do you see rules
hitting like URIBL_* or RCVD_IN_*?


> >> Every day, I train the Bayes filter with all the spam which were not
> >> already recognized as spam. My question is now: makes it sense to use
> >> also the already as spam marked mails as input for sa-learn?
> >
> > Yes, but... (you know, there just has to be a but. ;)

Getting back to this with more detail -- Yes, it does make sense. In
particular while there are either  (a) low scoring spams with a Bayes
score lower than 0.9 (non BAYES_9x hits) or  (b) you recently started
training and there might still be a lot of different spam that hasn't been
learned yet.

Even if auto-learn is enabled, SA will not automatically learn messages
that score below a couple different thresholds for safety reasons. These
should be learned manually, if you suspect a problem.

SA will not learn a message twice, so it is safe to simply feed it the
entire (recent) spam folder.


> > If this might be the case, you will not have seen BAYES rules in any of
> > your messages SA headers. To know for sure about your training so far,
> > see nham and nspam in this command:
> >
> >   sa-learn --dump magic
> 
> There are Bayes rules, but often the value is very small so that it does 
> not change the status of the mail. Here is the output of the sa-learn 
> --dump magic command:
> 
> 0.000  0  3  0  non-token data: bayes db version
> 0.000  0713  0  non-token data: nspam
> 0.000  0788  0  non-token data: nham
> 0.000  0  88333  0  non-token data: ntokens

Can you elaborate, please -- what exactly do you mean by "small values"?
If you check the headers, what are common BAYES_XX rules triggered for
both, your recent spam and ham?

Also, maybe it would be good to see some common samples of mail that
isn't being detected as expected. Please upload it somewhere (like a
pastebin or your webspace) and provide the link, do not post it to the
list directly.


Another thing that comes to mind:  How *exactly* are you learning?

I guess you're running sa-learn on some mail folders. Which exactly are
they? Thunderbird local mail storage, or maybe IMAP? Are you running
sa-learn on the raw mbox files? Any chance there have been a bunch of
mis-classified mail in there, which you moved or deleted?

Like, say, spam in your Inbox, which you move to a train-this folder,
then run sa-learn --spam (any other switches?) on it, and do the same
with --ham for the Inbox. If you didn't expunge (compress or something
in TB lingo), these spams are *still* in your Inbox, marked as deleted.
They won't be physically removed unless compressing the folder.

In short: More details and evidence, please. :)

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
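
The training check discussed in this thread, as an added example (not code from the thread or from SpamAssassin): it parses `sa-learn --dump magic` output, reads nspam and nham, and tests them against the minimum of 200 each mentioned earlier in the thread. The sample dump is constructed and the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the column layout of `sa-learn --dump magic`.
SAMPLE_DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0        150          0  non-token data: nspam
0.000          0        788          0  non-token data: nham
0.000          0      88333          0  non-token data: ntokens
0.000          0 1224748855          0  non-token data: oldest atime
0.000          0 1226489058          0  non-token data: newest atime
"""

# For "non-token data" lines the value sits in the third column.
MAGIC_LINE = re.compile(
    r"^\s*\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data:\s*(.+?)\s*$"
)


def parse_magic(dump):
    """Return {name: value} for every 'non-token data' line in the dump."""
    values = {}
    for line in dump.splitlines():
        match = MAGIC_LINE.match(line)
        if match:  # lines that do not fit the layout are skipped
            values[match.group(2)] = int(match.group(1))
    return values


def bayes_status(dump, minimum=200):
    """Summarise training state against the per-class minimum."""
    values = parse_magic(dump)
    nspam = values.get("nspam", 0)
    nham = values.get("nham", 0)
    short = [name for name, count in (("nspam", nspam), ("nham", nham))
             if count < minimum]
    status = {"nspam": nspam, "nham": nham,
              "active": not short, "short": short}
    # atime values are Unix timestamps; show them as UTC dates so stale
    # training data is easy to spot.
    for key in ("oldest atime", "newest atime"):
        if values.get(key):
            stamp = datetime.fromtimestamp(values[key], tz=timezone.utc)
            status[key] = stamp.date().isoformat()
    return status


if __name__ == "__main__":
    status = bayes_status(SAMPLE_DUMP)
    print(status)
    if not status["active"]:
        print("below the minimum for:", ", ".join(status["short"]))
```
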



Re: SURBL Usage Policy change

2008-11-12 Thread Joseph Brennan


Jeff Chan <[EMAIL PROTECTED]> wrote:


> Does anyone know how many non-profits have more than 1,000 users
> (i.e., users with mailboxes)?



Most universities and colleges have many more than that.  An
undergrad-only school that admits only about 200 a year would
pass that number, counting faculty and staff and the summer
overlap of graduated and admitted student accounts.

Requiring large organizations to use rsync and charging for it
makes a lot of sense.  How much, though... and we didn't budget
this in when we estimated last spring, for the July-June fiscal
year schools use...

Joseph Brennan
Columbia University Information Technology




Re: SURBL Usage Policy change

2008-11-12 Thread Henrik K
On Tue, Nov 11, 2008 at 04:33:50PM -0800, Jeff Chan wrote:
> 
> Hi Micah,
> Thanks very much for the feedback.  Does anyone know how many
> non-profits have more than 1,000 users (i.e., users with
> mailboxes)?  The non-profit pricing is below ISPs and half that
> of regular end users.

Sometimes the requirements make no sense. A server with 1 user can receive
more spam than a server with 1000 users. Both may be non-profit and receive
no money from users. There is a huge difference also whether you use
greylisting and other rules _before_ blacklist checks.

So which is it, 25 messages (queries) or 1000 users?

1000 users and 1 messages costs 500 USD.
1000 users and 25 messages costs 500 USD.

Which affects DNS servers more?

Of course people can pretty easily lie about numbers. Setting up rsync
access does require some effort and resources. You could just write that
either pay the minimum 500 USD or don't bother us.

If a large ISP pays 2000 USD for 1000 messages, I'm not going to pay 500
USD for 5 non-profit messages (I am over the 1000 user limit and use
aggressive filtering before rbls).

I would be happy to pay a nominal fee for "rsync-access" though, since it
does make things more secure and faster, also allows to use the data for
other purposes. Before that's reality, I guess someone needs to come up with
a better public distribution method than rsync. P2P?

By the way, do DNS mirrors get paid anything? It's my non-educated
impression that most big blacklists consist largely of donated DNS servers
from big ISPs etc. Respect to those that dare to face DoSes. :)



Re: SURBL Usage Policy change

2008-11-12 Thread Raymond Dijkxhoorn

Hi!


> Given this change in SURBL in policy and pricing, I would strongly
> suggest removing their rules from the SA rule base.  Otherwise, you will
> likely get lots of complaints from users of systems that have embedded
> SA installs, or others who do not monitor this list.  I can see many
> Barracuda users not having a clue why they are now being blocked and
> their systems are processing messages slower as a result.



By your reasoning, spamhaus should also be removed from default rules.


Many others have a high volume policy also. You end up with a minimal 
list. This is ok, but surprisingly operating infrastructure does cost time 
and money ;)


Bye,
Raymond.


Re: sa-update fails suddenly

2008-11-12 Thread Michael Monnerie
On Mittwoch, 12. November 2008 Justin Mason wrote:
> Are you using the sought ruleset?  I updated that last night to
> bundle the new anti-fraud component.   However it all looks fine and
> I can't see a bug that would cause those errors...

Oh, my first mail to the list arrived, so I seem to not get any mails 
since 2nd November. I'll look into that.

Meanwhile, my apologies for double posting.

And yes Justin, I'm using 2 channels, one is your sought rules. But even 
just calling sa-update gives errors:

***
 # sa-update
Subroutine check_for_from_dns redefined at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/EvalTests.pm line 
1429.
plugin: failed to parse plugin (from @INC): Bareword 
"Mail::SpamAssassin::Constants::CHARSETS_LIKELY_TO_FP_AS_CAPS" not 
allowed while "strict subs" in use at 
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm 
line 968.
Compilation failed in require at (eval 101) line 1.

plugin: failed to parse plugin (from @INC): 
"CHARSETS_LIKELY_TO_FP_AS_CAPS" is not exported by the 
Mail::SpamAssassin::Constants module
Can't continue after import errors at 
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 
22
BEGIN failed--compilation aborted at 
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 
22.
Compilation failed in require at (eval 102) line 1.

Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Number found where operator expected at (eval 143) line 10, near "}
(and many more lines follow)
***

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net   Key-ID: 1C1209B4





Re: Barracuda RBL

2008-11-12 Thread mouss

Sujit Acharyya-Choudhury wrote:

> I would like to use the "free" barracuda RBL with SpamAssassin.  Is
> there any rule for that yet?



I've been using this:


ifplugin Mail::SpamAssassin::Plugin::DNSEval

header   RCVD_IN_BRBL  eval:check_rbl('brbl-lastexternal', 'bb.barracudacentral.org.')
describe RCVD_IN_BRBL  Received via a relay in Barracuda BRBL
tflags   RCVD_IN_BRBL  net
score    RCVD_IN_BRBL  3.0

endif #ifplugin Mail::SpamAssassin::Plugin::DNSEval


I started with a score of 2 then increased it. check for yourself if 
this is ok.


Re: Funds / Award release scams poor scoring

2008-11-12 Thread Justin Mason

John Hardin writes:
> On Sun, 9 Nov 2008, Micah Anderson wrote:
> 
> > Does anyone have any rules to catch these, or suggestions of scores to
> > tweak to make these hit better?  I am running clamav-milter with the
> > sanesecurity add-ons, but these are still making it through.
> 
> Check out the sought-fraud ruleset.
> 
> http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
> 
> (I don't know if it's in sa-update yet - Justin?)

That's in sa-update since last night; it's now bundled in the main
"sought" ruleset channel, as well.

--j.


Re: SURBL Usage Policy change

2008-11-12 Thread Karsten Bräckelmann
On Wed, 2008-11-12 at 13:00 +0100, Matus UHLAR - fantomas wrote:
> On 12.11.08 21:56, Peter Nitschke wrote:
> > Read the entire sentence.
> > 
> > "Please note that free public DNS queries for organizations smaller
> > than 1,000 users or processing fewer than 250,000 messages per
> > day is unchanged.  "

> > If you satisfy either requirement ( <1,000 users OR <250,000 mails) then
> > you still get free access.

> In another mail to surbl list it was mentioned that any organization who has
> more than >1000 users or processes >25 messages per day, the feed must
> be set up and charge paid. 
> 
> That meant you need to have <=1000 users AND process <=25 messages daily
> (average) to have free access.

Hmm, that's not what http://www.surbl.org/usage-policy.html says about
the FQS. It states OR there, so Peter's understanding seems to be
correct.

On the other hand though, that same page states 1k users as the sole
limit to require SDS...


That's kind of fuzzy and mind boggling. ;)  Anyway, I guess all this
should be taken with a grain of salt. In particular "posts to lists"
that accidentally might have changed the logic by not applying proper
boolean logic when talking about the subject.

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



RE: SURBL Usage Policy change

2008-11-12 Thread Rosenbaum, Larry M.
Where is the price list?  I haven't been able to find it.

> -Original Message-
> From: Joseph Brennan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 12, 2008 12:25 PM
> To: users@spamassassin.apache.org
> Subject: Re: SURBL Usage Policy change
>
>
> Jeff Chan <[EMAIL PROTECTED]> wrote:
>
> >  Does anyone know how many non-profits have more than 1,000 users
> > (i.e., users with mailboxes)?
>
>
> Most universities and colleges have many more than that.  An
> undergrad-only school that admits only about 200 a year would
> pass that number, counting faculty and staff and the summer
> overlap of graduated and admitted student accounts.
>
> Requiring large organizations to use rsync and charging for it
> makes a lot of sense.  How much, though... and we didn't budget
> this in when we estimated last spring, for the July-June fiscal
> year schools use...
>
> Joseph Brennan
> Columbia University Information Technology
>



Re: sa-update fails suddenly

2008-11-12 Thread Justin Mason

Michael Monnerie writes:
> Without changing anything my sa-update suddenly fails badly. Can someone give 
> me a hint?

Are you using the sought ruleset?  I updated that last night to bundle
the new anti-fraud component.   However it all looks fine and I can't
see a bug that would cause those errors...

--j.


> Subroutine check_for_from_dns redefined at 
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/EvalTests.pm line 1429.
> plugin: failed to parse plugin (from @INC): Bareword 
> "Mail::SpamAssassin::Constants::CHARSETS_LIKELY_TO_FP_AS_CAPS" not allowed 
> while "strict subs" in use at 
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm line 
> 968.
> Compilation failed in require at (eval 101) line 1.
> 
> plugin: failed to parse plugin (from @INC): "CHARSETS_LIKELY_TO_FP_AS_CAPS" 
> is not exported by the Mail::SpamAssassin::Constants module
> Can't continue after import errors at 
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 22
> BEGIN failed--compilation aborted at 
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 22.
> Compilation failed in require at (eval 102) line 1.
> 
> Use of uninitialized value in concatenation (.) or string at 
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2669.
> Use of uninitialized value in concatenation (.) or string at 
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2669.
> Use of uninitialized value in concatenation (.) or string at 
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2669.
> Number found where operator expected at (eval 143) line 10, near "}
> 
>   1"
>   (Missing operator before 
> 
>   1?)
> rules: failed to run header tests, skipping some: syntax error at (eval 143) 
> line 6, at EOF
> Global symbol "$plugin" requires explicit package name at (eval 143) line 7.
> syntax error at (eval 143) line 11, near ";
> }"
> 

Re: sa-update fails suddenly

2008-11-12 Thread Matus UHLAR - fantomas
On 12.11.08 11:24, Michael Monnerie wrote:
> Without changing anything my sa-update suddenly fails badly. Can someone 
> give me a hint?

Haven't you changed or upgraded perl or any of its libraries?

> Subroutine check_for_from_dns redefined at 
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/EvalTests.pm line 
> 1429.
> plugin: failed to parse plugin (from @INC): Bareword 
> "Mail::SpamAssassin::Constants::CHARSETS_LIKELY_TO_FP_AS_CAPS" not 
> allowed while "strict subs" in use at 
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm 
> line 968.
> Compilation failed in require at (eval 101) line 1.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: SURBL Usage Policy change

2008-11-12 Thread Henrik K
On Wed, Nov 12, 2008 at 09:56:46PM +1030, Peter Nitschke wrote:
> 
> Read the entire sentence.
> 
> "Please note that free public DNS queries for organizations smaller
> than 1,000 users or processing fewer than 250,000 messages per
> day is unchanged.  "
> 
> So you could have 1,000,000 users but less than 250,000 messages per day,
> or get 3 gazillion messages per day but for less than 1000 users.
> 
> The key word is "or".
> 
> If you satisfy either requirement ( <1,000 users OR <250,000 mails) then
> you still get free access.
> 
> Or am I the one reading it wrong?

I don't understand what users have to do in this context. It's the queries
that affect DNS servers.

It's hard to judge an organization's wealth from user count also. I guess there
should be some methods for deciding what to pay, but the current ones don't
make sense to me. It should be up to the queries or free donations.



Re: SURBL Usage Policy change

2008-11-12 Thread Jeff Chan
On Wednesday, November 12, 2008, 10:55:52 AM, Larry Rosenbaum wrote:
> Where is the price list?  I haven't been able to find it.

Hi Larry,
The pricing calculator is the first step of the data feed form:

  http://www.surbl.org/datafeed/

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: SURBL Usage Policy change

2008-11-12 Thread Jeff Chan
On Wednesday, November 12, 2008, 3:15:26 AM, Henrik K wrote:
> On Tue, Nov 11, 2008 at 04:33:50PM -0800, Jeff Chan wrote:
>> 
>> Hi Micah,
>> Thanks very much for the feedback.  Does anyone know how many
>> non-profits have more than 1,000 users (i.e., users with
>> mailboxes)?  The non-profit pricing is below ISPs and half that
>> of regular end users.

> Sometimes the requirements make no sense. A server with 1 user can receive
> more spam than a server with 1000 users. Both may be non-profit and receive
> no money from users. There is a huge difference also whether you use
> greylisting and other rules _before_ blacklist checks.

> So which is it, 25 messages (queries) or 1000 users?

> 1000 users and 1 messages costs 500 USD.
> 1000 users and 25 messages costs 500 USD.

> Which affects DNS servers more?

It's not directly about the DNS service since DNS service is
entirely unpaid on both the server and client sides.  (Please see
below).  It's more about trying to find some way to measure for
the rsync service. 

> By the way, do DNS mirrors get paid anything? It's my non-educated
> impression that most big blacklists consist largely of donated DNS servers
> from big ISPs etc. Respect to those that dare to face DoSes. :)

The DNS mirrors are voluntarily provided and the DNS queries are
freely used.  Therefore there is no money to or from the free DNS
service.  It's only the rsync access for large organizations that
we're asking sponsorship fees for.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



SA Score

2008-11-12 Thread Josie Walls
Hello All,

Can anyone provide insight into what this means and how to rectify it?:

2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO

Thanks so much for your help.

Kindest Regards,

Josie

 

Josie Walls

Senior Email Deliverability Manager

WhatCounts, Inc.

Business Email, RSS, Mobile, and Blog Marketing
206-709-8250 X143 (office)
917-361-4155 (cell) 
206-709-9210 (fax)
800-440-7005 (support)

 

"Those who occupy their minds with petty matters, generally become incapable
of greatness."

 



Re: SA Score

2008-11-12 Thread mouss

Josie Walls wrote:

> Hello All,
>
> Can anyone provide insight into what this means and how to rectify it?:
>
> 2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO



http://wiki.apache.org/spamassassin/Rules/TVD_SPACE_RATIO

http://svn.apache.org/viewvc/spamassassin/trunk/rules/20_body_tests.cf?view=markup&pathrev=378252

to "rectify" it, show a sample message that triggers the rule (post it 
on pastebin or on your web server, and send us the URL).




Re: SURBL Usage Policy change

2008-11-12 Thread Kenneth Porter
On Wednesday, November 12, 2008 1:28 PM +0100 Matthias Leisi 
<[EMAIL PROTECTED]> wrote:



> Number of users or number of messages is a good approximation of the
> number of actual DNS queries, and sufficiently simple to determine.
>
> At dnswl.org, we consider any source (being loosely defined as a /24) doing
> more than 100'000 queries / 24 hours as a "large" user, and ask them to
> switch to rsync access (however this is not strongly enforced at present,
> and does not involve money).


Does it help to configure one's DNS server to direct queries for this zone 
to one's ISP's servers, to let the ISP provide some additional caching and 
consolidation? I don't generally forward/stub to my ISP but I'd be willing 
to do that for services like this to reduce load on the source.





RE: Barracuda RBL

2008-11-12 Thread Sujit Acharyya-Choudhury
A bit confused after reading all the mail.  Would the following rule
score 2.0 points and reduce FP?

ifplugin Mail::SpamAssassin::Plugin::DNSEval

header __RCVD_IN_BRBL   eval:check_rbl('brbl','bb.barracudacentral.org')
tflags __RCVD_IN_BRBL   net

header RCVD_IN_BRBL eval:check_rbl_sub('brbl','127.0.0.2')
describe RCVD_IN_BRBL   Received via a relay in Barracuda BRBL
tflags RCVD_RCVD_IN_BRBL net
score RCVD_RCVD_IN_BRBL 2.0 
endif

Regards



Sujit Choudhury


-Original Message-
From: Henrik K [mailto:[EMAIL PROTECTED] 
Sent: 11 November 2008 15:38
To: users@spamassassin.apache.org
Subject: Re: Barracuda RBL

On Tue, Nov 11, 2008 at 05:34:28PM +0200, Henrik K wrote:
> On Tue, Nov 11, 2008 at 08:30:26AM -0700, Chris wrote:
> > On Tuesday 11 November 2008 8:15:26 am Sujit Acharyya-Choudhury wrote:
> > > I would like to use the "free" barracuda RBL with SpamAssassin.  Is
> > > there any rule for that yet?
> > 
> > Easy enough to create one. I created /etc/mail/spamassassin/brbl.cf with the
> > content:
> > 
> > # BarracudaCentral.org RBL
> > header BARRACUDA_BRBL rbleval:check_rbl('b-rbl','b.barracudacentral.org.')
> > describe BARRACUDA_BRBL Listed: Barracuda Reputation Block List (BRBL)
> > score BARRACUDA_BRBL 1.35
> 
> It's been in SA rules long time if you use sa-update.
> 
> I advise not to use it without '-lastexternal'. Or score them separately
> like current SA.
> 
> RCVD_IN_BRBL
> RCVD_IN_BRBL_LASTEXT

Oh correction, only if you use SVN (3.3). I thought it's already active.

Here are the rules in 72_active.cf:

header RCVD_IN_BRBL eval:check_rbl_sub('brbl','127.0.0.2')
describe RCVD_IN_BRBL   Received via a relay in Barracuda BRBL
tflags RCVD_IN_BRBL net

header RCVD_IN_BRBL_LASTEXT eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
tflags RCVD_IN_BRBL_LASTEXT   net


--
The University of Westminster is a charity and a company limited by
guarantee.  Registration number: 977818 England.  Registered Office:
309 Regent Street, London W1B 2UW, UK.
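
The rule snippets posted in this thread differ in small ways that are easy to miss by eye, so a mechanical cross-check of rule names helps before deploying one. The following Python sketch is an added example, not code from any poster or from the SpamAssassin project; the function name lint_rules and its problem codes are invented here, and it treats each snippet as the whole configuration, so rules that are defined or scored in other .cf files would be reported as well.

```python
import re

# Directives that define a rule: the first argument is the new rule's name.
DEFINING = {"header", "body", "rawbody", "full", "uri", "meta"}
# Directives that attach metadata to a rule defined elsewhere.
REFERRING = {"describe", "tflags", "score"}


def lint_rules(text):
    """Lint one SpamAssassin .cf snippet; return sorted (line, code, rule) tuples."""
    defined = {}      # rule name -> (line number, definition text)
    references = []   # (line number, rule name) from describe/tflags/score
    flags = {}        # rule name -> set of tflags values
    scored = set()    # rule names that have a score line
    open_blocks = []  # line numbers of if/ifplugin blocks not yet closed
    problems = []

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(?<!\\)#.*", "", raw).strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 2)
        directive = parts[0]
        if directive in ("if", "ifplugin"):
            open_blocks.append(lineno)
        elif directive == "endif":
            if open_blocks:
                open_blocks.pop()
            else:
                problems.append((lineno, "endif-without-if", ""))
        elif directive in DEFINING | REFERRING:
            if len(parts) < 3:
                problems.append((lineno, "missing-argument", directive))
                continue
            name, rest = parts[1], parts[2]
            if directive in DEFINING:
                defined[name] = (lineno, rest)
            else:
                references.append((lineno, name))
                if directive == "tflags":
                    flags.setdefault(name, set()).update(rest.split())
                elif directive == "score":
                    scored.add(name)

    problems += [(n, "unclosed-if", "") for n in open_blocks]
    # describe/tflags/score lines that name a rule this snippet never defines
    problems += [(n, "undefined-rule", name)
                 for n, name in references if name not in defined]
    for name, (lineno, rest) in defined.items():
        # DNSBL lookups on this page all carry "tflags ... net"
        if "eval:check_rbl" in rest and "net" not in flags.get(name, ()):
            problems.append((lineno, "rbl-without-net", name))
        # "__" sub-rules carry no score of their own
        if not name.startswith("__") and name not in scored:
            problems.append((lineno, "no-score", name))
    return sorted(problems)


# The two-rule snippet from the message above, copied as posted.
TWO_RULE_SNIPPET = """\
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header __RCVD_IN_BRBL   eval:check_rbl('brbl','bb.barracudacentral.org')
tflags __RCVD_IN_BRBL   net

header RCVD_IN_BRBL eval:check_rbl_sub('brbl','127.0.0.2')
describe RCVD_IN_BRBL   Received via a relay in Barracuda BRBL
tflags RCVD_RCVD_IN_BRBL net
score RCVD_RCVD_IN_BRBL 2.0
endif
"""

# The single-rule snippet posted earlier in the thread (header on one line).
SINGLE_RULE_SNIPPET = """\
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header   RCVD_IN_BRBL  eval:check_rbl('brbl-lastexternal', 'bb.barracudacentral.org.')
describe RCVD_IN_BRBL  Received via a relay in Barracuda BRBL
tflags   RCVD_IN_BRBL  net
score    RCVD_IN_BRBL  3.0
endif #ifplugin Mail::SpamAssassin::Plugin::DNSEval
"""

if __name__ == "__main__":
    for label, snippet in (("two-rule", TWO_RULE_SNIPPET),
                           ("single-rule", SINGLE_RULE_SNIPPET)):
        for lineno, code, rule in lint_rules(snippet):
            print(f"{label}: line {lineno}: {code} {rule}")
```

On the two-rule snippet the check reports that the tflags and score lines name RCVD_RCVD_IN_BRBL, which the snippet never defines, so RCVD_IN_BRBL itself is left without a score or tflags line.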


Re: SURBL Usage Policy change

2008-11-12 Thread Jeff Chan
On Tuesday, November 11, 2008, 4:58:01 PM, Dave Koontz wrote:
> Jeff Chan wrote ... (11/11/2008 7:33 PM):
>> Hi Micah,
>> Thanks very much for the feedback.  Does anyone know how many
>> non-profits have more than 1,000 users (i.e., users with
>> mailboxes)?  The non-profit pricing is below ISPs and half that
>> of regular end users.
>>   
> There are many non-profits out there that will hit your limits... I
> don't think anyone knows how many there are.  1,000 users is fairly
> trivial, and most non profits won't even be able to fill in your forms
> second "required" field of how many messages on "Average" they send a day.

To be clear, the field asks for an average number of inbound not
outbound messages. 

> I can tell you that most all small 'private' not for profit schools and
> colleges will get hit hard by your new fees.  In fact, your new fees are
> more than we spend on our email server per year, and as a result will
> never happen.

That's useful feedback, but perhaps not a useful measurement.
Servers and reputation data are different things.  One is
hardware and the other is data service.

Without data, the server probably is not very effective at
filtering.  (Conversely without the hardware the data can't be
used, so one needs both.)  So I suppose the question is: "how
valuable are the data?", as opposed to "how valuable is the
hardware?"

> Given this change in SURBL in policy and pricing, I would strongly
> suggest removing their rules from the SA rule base.  Otherwise, you will
> likely get lots of complaints from users of systems that have embedded
> SA installs, or others who do not monitor this list.

By default, network tests are disabled in SA.  And any large
users should be using rsync.  Any small to medium sized users can
continue to use the DNS queries for free.

> I can see many
> Barracuda users not having a clue why they are now being blocked and
> their systems are processing messages slower as a result.

Barracuda would pay for the data as a mail filter vendor.  Their
customers would not pay directly.

> Sorry Jeff, but this is much too expensive for us and many others I suspect.

What pricing would you recommend?

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: SURBL Usage Policy change

2008-11-12 Thread Matthias Leisi

Kenneth Porter schrieb:

>> At dnswl.org, we consider any source (being loosely defined as a /24) doing
>> more than 100'000 queries / 24 hours as a "large" user, and ask them to
>> switch to rsync access (however this is not strongly enforced at present,
>> and does not involve money).
> 
> Does it help to configure one's DNS server to direct queries for this
> zone to one's ISP's servers, to let the ISP provide some additional
> caching and consolidation? I don't generally forward/stub to my ISP but
> I'd be willing to do that for services like this to reduce load on the
> source.

As always: It depends :)

If multiple users with roughly equal traffic patterns use the same ISPs
nameserver, caching should be efficient enough to noticeably reduce the
WAN load. In that case it may even make sense if the ISP would set up a
local mirror of our data (even if only for its own users and not as a
public mirror).

OpenDNS may have a big enough user base in order to make the caching
truly effective (but they started using a local copy of our data some
time ago, so I can't even guess the order of magnitude of their "cache
factor").

But, if you are willing to configure your nameserver specifically for
such lists, you may even use a local copy of the data yourself - we
provide a BIND-formatted file.

[I just noticed that we don't have setup hints on
http://www.dnswl.org/tech - I just opened an internal ticket to fix
that :) ]

-- Matthias


USER_IN_WHITELIST triggered but whitelist_from* not in my config

2008-11-12 Thread robanna

Lately, we've been getting a bunch of spam with negative scores because it
has triggered USER_IN_WHITELIST but we don't use whitelist_from*. About 2
weeks ago I removed whitelist_from_rcvd. Could it still be triggering it?
Maybe the spam was sent a few weeks ago and is just now being delivered to the
users?

Any ideas why?

Email head:
From:   user
Subject: RE: Get your mind cleared from additional problems. 
Date: November 12, 2008 11:25:03 AM MST
To:   user
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on server
X-Spam-Level: 
X-Spam-Status: No, score=-70.5 required=5.5 tests=BAYES_50,HTML_50_60,
HTML_EXTRA_CLOSE,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,
MIME_HTML_ONLY,MSGID_FROM_MTA_ID,NO_REAL_NAME,PYZOR_CHECK,URIBL_AB_SURBL,
URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL,
USER_IN_WHITELIST autolearn=no version=3.1.9
Received: from Jolanta (host-81-190-116-29.gdynia.mm.pl [81.190.116.29]) by
server with SMTP id mACIP34L021551 for ; Wed, 12 Nov 2008 11:25:04
-0700
Mime-Version: 1.0
Content-Type: text/html

/local.cf
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf 
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5.5
report_safe 0
rewrite_header Subject [SPAM]
use_auto_whitelist 0
# Enable the Bayes system
use_bayes   1
# Enable Bayes auto-learning
bayes_auto_learn  1
use_razor2  1
use_pyzor   1
skip_rbl_checks 1

internal_networks   192.168.1/24
internal_networks   192.168.2/24
internal_networks   192.168.3/24
internal_networks   192.168.4/24
internal_networks   192.168.5/24
trusted_networks   192.168.1/24
trusted_networks   192.168.2/24
trusted_networks   192.168.3/24
trusted_networks   192.168.4/24
trusted_networks   192.168.5/24

-- 
View this message in context: 
http://www.nabble.com/USER_IN_WHITELIST-triggered-but-whitelist_from*-not-in-my-config-tp20470780p20470780.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: sa-update fails suddenly

2008-11-12 Thread Michael Monnerie
On Mittwoch, 12. November 2008 Justin Mason wrote:
> Are you using the sought ruleset?  I updated that last night to
> bundle the new anti-fraud component.   However it all looks fine and
> I can't see a bug that would cause those errors...

I've got confirmation that I have been re-subscribed now. Don't know 
what happened. Have this problem sometimes, but only with this SA list.

Meanwhile, my apologies for double posting.

And yes Justin, I'm using 2 channels, one is your sought rules. But even 
just calling sa-update gives errors:

***
 # sa-update
Subroutine check_for_from_dns redefined at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/EvalTests.pm line 
1429.
plugin: failed to parse plugin (from @INC): Bareword 
"Mail::SpamAssassin::Constants::CHARSETS_LIKELY_TO_FP_AS_CAPS" not 
allowed while "strict subs" in use at 
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm 
line 968.
Compilation failed in require at (eval 101) line 1.

plugin: failed to parse plugin (from @INC): 
"CHARSETS_LIKELY_TO_FP_AS_CAPS" is not exported by the 
Mail::SpamAssassin::Constants module
Can't continue after import errors at 
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 
22
BEGIN failed--compilation aborted at 
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm line 
22.
Compilation failed in require at (eval 102) line 1.

Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Use of uninitialized value in concatenation (.) or string at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 
2669.
Number found where operator expected at (eval 143) line 10, near "}
(and many more lines follow)
***

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net   Key-ID: 1C1209B4






Re: SURBL Usage Policy change

2008-11-12 Thread Matthias Leisi

> I don't understand what users have to do in this context. It's the queries
> that affect DNS servers.

It's obviously true that the number of queries is the cause for
introducing any limitation/pricing scheme. But it's pretty hard for a
receiving site to actually know how many DNS queries they're doing towards
a particular nameserver or a particular zone (it would require extensive
logging and log-parsing).

Number of users or number of messages is a good approximation of the
number of actual DNS queries, and sufficiently simple to determine.

At dnswl.org, we consider any source (being loosely defined as a /24) doing
more than 100'000 queries / 24 hours as a "large" user, and ask them to
switch to rsync access (however this is not strongly enforced at present,
and does not involve money).

-- Matthias



Re: USER_IN_WHITELIST triggered but whitelist_from* not in my config

2008-11-12 Thread robanna

Nevermind. Someone has whitelisted our url in user-prefs.



robanna wrote:
> 
> Lately, we've been getting a bunch of spam with negative scores because it
> has triggered USER_IN_WHITELIST but we don't use whitelist_from*. About 2
> weeks ago I removed whitelist_from_rcvd. Could it still be triggering it?
> Maybe the spam was sent a few weeks ago and is just now being delivered to the
> users?
> 
> Any ideas why?
> 
> Email head:
> From:   user
> Subject: RE: Get your mind cleared from additional problems. 
> Date: November 12, 2008 11:25:03 AM MST
> To:   user
> Return-Path: <[EMAIL PROTECTED]>
> X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on server
> X-Spam-Level: 
> X-Spam-Status: No, score=-70.5 required=5.5 tests=BAYES_50,HTML_50_60,
> HTML_EXTRA_CLOSE,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,
> MIME_HTML_ONLY,MSGID_FROM_MTA_ID,NO_REAL_NAME,PYZOR_CHECK,URIBL_AB_SURBL,
> URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL,
> USER_IN_WHITELIST autolearn=no version=3.1.9
> Received: from Jolanta (host-81-190-116-29.gdynia.mm.pl [81.190.116.29])
> by server with SMTP id mACIP34L021551 for ; Wed, 12 Nov 2008
> 11:25:04 -0700
> Mime-Version: 1.0
> Content-Type: text/html
> 
> /local.cf
> # These values can be overridden by editing ~/.spamassassin/user_prefs.cf 
> # (see spamassassin(1) for details)
> 
> # These should be safe assumptions and allow for simple visual sifting
> # without risking lost emails.
> 
> required_hits 5.5
> report_safe 0
> rewrite_header Subject [SPAM]
> use_auto_whitelist 0
> # Enable the Bayes system
> use_bayes   1
> # Enable Bayes auto-learning
> bayes_auto_learn  1
> use_razor2  1
> use_pyzor   1
> skip_rbl_checks 1
> 
> internal_networks   192.168.1/24
> internal_networks   192.168.2/24
> internal_networks   192.168.3/24
> internal_networks   192.168.4/24
> internal_networks   192.168.5/24
> trusted_networks   192.168.1/24
> trusted_networks   192.168.2/24
> trusted_networks   192.168.3/24
> trusted_networks   192.168.4/24
> trusted_networks   192.168.5/24
> 
> 

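
The situation in this thread (a whitelist entry in user_prefs outweighing several URIBL hits), as an added Python example that is not part of the original posts: it parses a folded X-Spam-Status header and recomputes the score without the whitelist rules. The -100 and -15 values are SpamAssassin's stock scores for these rules and are an assumption about the local configuration; `audit`, `SAMPLE` and the other names are made up for this example.

```python
import re
from email import message_from_string

# Stock scores of the whitelist rules; an assumption, since a local "score"
# line can override them.
WHITELIST_SCORES = {"USER_IN_WHITELIST": -100.0, "USER_IN_DEF_WHITELIST": -15.0}
# Rules counted as independent spam evidence (URI blocklists, checksum networks).
EVIDENCE = re.compile(r"^(URIBL_\w+|PYZOR_CHECK|RAZOR2_CHECK|DCC_CHECK)$")
STATUS = re.compile(r"score=(-?[\d.]+) required=(-?[\d.]+) tests=(.*?)(?= \w+=|$)")

# Constructed sample built from the X-Spam-Status header quoted in the post.
SAMPLE = (
    "X-Spam-Status: No, score=-70.5 required=5.5 tests=BAYES_50,HTML_50_60,\n"
    "\tHTML_EXTRA_CLOSE,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,\n"
    "\tMIME_HTML_ONLY,MSGID_FROM_MTA_ID,NO_REAL_NAME,PYZOR_CHECK,URIBL_AB_SURBL,\n"
    "\tURIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL,\n"
    "\tUSER_IN_WHITELIST autolearn=no version=3.1.9\n"
    "Subject: RE: Get your mind cleared from additional problems.\n"
    "\n"
    "body\n"
)

def audit(raw_message):
    """Return a verdict dict, or None if the message has no parsable status."""
    header = message_from_string(raw_message).get("X-Spam-Status", "")
    match = STATUS.search(re.sub(r"\s+", " ", header))  # unfold the header first
    if not match:
        return None
    score, required = float(match.group(1)), float(match.group(2))
    tests = [t for t in re.split(r"[,\s]+", match.group(3)) if t]
    hits = [t for t in tests if t in WHITELIST_SCORES]
    unmasked = score - sum(WHITELIST_SCORES[t] for t in hits)
    return {
        "score": score,
        "whitelist_hits": hits,
        "evidence": [t for t in tests if EVIDENCE.match(t)],
        "score_without_whitelist": unmasked,
        # Spam on its own merits, passed only because of the whitelist.
        "masked": bool(hits) and score < required <= unmasked,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run over a mailbox, messages reported as `masked` point at whitelist entries (site-wide or in a user's user_prefs) that are worth reviewing.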



Spamassassin Restart and E-Mail being scanned at time of restart.

2008-11-12 Thread Michael Hutchinson
Hello Everyone,

 

I am wondering, what happens to E-Mail that is being scanned when the
root user on the mail system restarts Spamassassin? I see lots of Spamd
children before it is restarted and they suddenly all drop off on a
restart (as expected) - do the E-Mail's being scanned at that time
actually get re-scanned or do they only get partially scanned, and then
delivered? It would appear that the number of child processes does not
increase quickly back to what it was before - suggesting the E-Mails
that were being scanned at restart time do not get fully scanned...

Does anyone know what the score is here?

 

Cheers,

Michael Hutchinson

Manux Solutions Ltd

| Phone: 0800 328 324

| Email: [EMAIL PROTECTED]

| Web:   http://www.manux.co.nz/ 

 



Re: Razor2 and Windoze

2008-11-12 Thread Bret Miller
No... I'd say if it's working for you, then no worries. I'll have to try 
installing it again when I have a chance. Perhaps it matters what kind 
of compiler you use for installing too...


Bret

On 11/10/2008 6:04 AM, Dan Barker wrote:

I read it on the internet (so it has to be true) that razor2 does not
work with Windows. ("Note that Razor support does not seem to work on
Windows systems. Win32 users should disable the Razor tests using "score
RAZOR2_CHECK 0".)

My research was poorly done before my install, and I didn't find this tidbit
of wisdom until afterwards. I did the download, untar, nmake, nmake install,
-create, -discover, -register, loadplugin, test and roll out to production,
and THEN found the Wiki article. I'm wondering if I should be concerned.

Razor2 seems to work very effectively and really makes a difference in my
installation. 6,000 spams hit RAZOR2 in only 10K emails since install. This
is a wonderful result. I've yet to find a false positive.

Does anybody know what problems I was supposed to have running razor2 under
windows? I'd really hate to find I must stop using it, but I'd certainly
like to know in advance.

Dan Barker

Environment:
  Wintel box, Celeron 3.2GHz/1G ram, IDE 
  W2K Server, SP4

  IMail 8.15.hf2
  ActiveState perl: 5.8.8.822
  Spamassassin: 3.2.5
  razor-agents-sdk-2.07.tar.bz
  razor-agents-2.85.tar.bz (but it reports as 2.84 anyway)
  SpamAssassin Caller for Windows: 1.6 (www.visioncomm.net/sac)

REF: http://wiki.apache.org/spamassassin/InstallingRazor

  


Re: Major spam source, McColo, knocked offline

2008-11-12 Thread fchan
I've seen similar statistics on my mail server. I saw a drop of spam 
since this morning which I normally see the daily spike of spam. I 
wish this lull in spam will last awhile since my mail server needs a 
break :-)


Frank

> > SpamCop.net - Total spam report volume:
> >  http://www.spamcop.net/spamgraph.shtml?spamweek
>
> I first thought my stats are broken, but it seems they are still working
> as they did before - note the share-price-like drop beginning sometime
> after 22:00 UTC yesterday.
>
> (These mrtg charts are not mail volume, but dnswl.org-query volume
> numbers, which is a rough proxy for overall mail volume trends.)
>
> -- Matthias




Re: Major spam source, McColo, knocked offline

2008-11-12 Thread Arvid Ephraim Picciani

> >  > SpamCop.net - Total spam report volume:
> >>  http://www.spamcop.net/spamgraph.shtml?spamweek
> >I first thought my stats are broken, but it seems they are still working
> >as they did before - note the share-price-like drop beginning sometime
> >after 22:00 UTC yesterday.

can't see any drop here. in fact a huge increase the last 2 weeks. why would 
all spam come from a single network anyway?  we get most from botnets and 
various dialups in eastern europe.
maybe i got my stats wrong (counting incoming mails on our spam mailbox). 
does SA keep log of how often which rule triggered? or are there any neat 
scripts for it?

-- 
best regards
Arvid Ephraim Picciani
Lead Software Engineer
IB C SOLUTIONS LTD



Re: Spamassassin+amavis

2008-11-12 Thread John Hardin

On Wed, 12 Nov 2008, Luis Croker wrote:


> turned off DCC, the network tests and install the DNS service
> locally.


Turning off the network tests will obscure any benefit from installing a 
local caching DNS server. Try turning the network tests on for a while and 
see whether your performance is still poor even with the local caching DNS 
server.


(...don't forget to update your /etc/resolv.conf to point at the local DNS 
server so that you actually *use* it...)


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---


Re: Major spam source, McColo, knocked offline

2008-11-12 Thread Martin Gregorie
On Thu, 2008-11-13 at 01:16 +0100, Arvid Ephraim Picciani wrote:

> why would all spam come from a single network anyway?
>
Turning off that one network would stop spam from a bot net if the
bot-herder's command server(s) are there.


Martin




Re: Major spam source, McColo, knocked offline

2008-11-12 Thread Ned Slider

Martin Gregorie wrote:
> On Thu, 2008-11-13 at 01:16 +0100, Arvid Ephraim Picciani wrote:
>
>> why would all spam come from a single network anyway?
>
> Turning off that one network would stop spam from a bot net if the
> bot-herder's command server(s) are there.
>
> Martin





SpamCop's weekly graph shows the sudden drop off at around 16:30 EST on 
Tuesday:


http://www.spamcop.net/spamgraph.shtml?spamweek

I'm seeing a drop compared to the previous couple of days but not quite 
to the extent depicted above. How much of a drop will depend on your 
spam make up but I'd be surprised if you don't see something.


I bet it doesn't last more than a week though :(




Re: Major spam source, McColo, knocked offline

2008-11-12 Thread Robert Schetterer
fchan wrote:
> I've seen similar statistics on my mail server. I saw a drop of spam
> since this morning which I normally see the daily spike of spam. I wish
> this lull in spam will last awhile since my mail server needs a break :-)
> 
> Frank
>>  > SpamCop.net - Total spam report volume:
>>>  http://www.spamcop.net/spamgraph.shtml?spamweek
>>
>> I first thought my stats are broken, but it seems they are still working
>> as they did before - note the share-price-like drop beginning sometime
>> after 22:00 UTC yesterday.
>>
>> (These mrtg charts are not mail volume, but dnswl.org-query volume
>> numbers, which is a rough proxy for overall mail volume trends.)
>>
>> -- Matthias
> 

lucky people, at my three letter domain spam rate didn't slow down
very much
this might happen one day if someone takes down all windoze bots *g

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: sa-update fails suddenly

2008-11-12 Thread Michael Monnerie
On Thursday, 13 November 2008 Michael Monnerie wrote:
> Without changing anything

Bah, found the bug, it was a PEBKAC. Some stupid installed SA 3.1.8 from 
the openSUSE DVD, while we were at 3.2.5.

Reverted to 3.2.5, runs smooth as it should. Sorry for the fuzz.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: www.keyserver.net   Key-ID: 1C1209B4





Re: SURBL Usage Policy change

2008-11-12 Thread Peter Nitschke
On 12/11/2008 at 12:45 PM Jeff Chan wrote:

>On Wednesday, November 12, 2008, 3:15:26 AM, Henrik K wrote:
>> On Tue, Nov 11, 2008 at 04:33:50PM -0800, Jeff Chan wrote:
>>> 
>>> Hi Micah,
>>> Thanks very much for the feedback.  Does anyone know how many
>>> non-profits have more than 1,000 users (i.e., users with
>>> mailboxes)?  The non-profit pricing is below ISPs and half that
>>> of regular end users.
>
>> Sometimes the requirements make no sense. A server with 1 user can receive
>> more spam than a server with 1000 users. Both may be non-profit and receive
>> no money from users. There is a huge difference also whether you use
>> greylisting and other rules _before_ blacklist checks.
>
>> So which is it, 25 messages (queries) or 1000 users?
>
>> 1000 users and 1 messages costs 500 USD.
>> 1000 users and 25 messages costs 500 USD.
>
>> Which affects DNS servers more?
>
>It's not directly about the DNS service since DNS service is
>entirely unpaid on both the server and client sides.  (Please see
>below).  It's more about trying to find some way to measure for
>the rsync service. 
>
>> By the way, do DNS mirrors get paid anything? It's my non-educated
>> impression that most big blacklists consist largely of donated DNS servers
>> from big ISPs etc. Respect to those that dare to face DoSes. :)
>
>The DNS mirrors are voluntarily provided and the DNS queries are
>freely used.  Therefore there is no money to or from the free DNS
>service.  It's only the rsync access for large organizations that
>we're asking sponsorship fees for.

The web site has conflicting information regarding "and/or" 1,000
users/250,000 mails.

Does the number of users really matter?

I would suggest simplifying it so that you require rsync access for 250,000 mails
scanned and leave it at that, then charge whatever you see as appropriate.

If this means more people use MTA techniques to reduce the number of
messages being scanned, then it's to their own and your advantage.

Yesterday, I handled 88,500 messages, but only 3,500 were scanned as the
other 85,000 were stopped by the use of RBL's, greylisting etc.

Peter




419 cheapskates

2008-11-12 Thread John Hardin

On Thu, 13 Nov 2008, cyrilla johnson wrote:

> Dearest One, I'm Ms Cyrilla Johnson, Pls I'm seeking for your attention 
> to assist me in transfering sum of (US$10.5) to you. It's Deposited in a 
> security company here in Cote d'ivoire by My late father but my uncle is 
> a total trait to my life. More details later. Thanks and God bless you


Ten bucks? Can I have it in Green Stamps?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  One death is a tragedy; thirty is a media sensation;
  a million is a statistic.  -- Joseph Stalin, modernized
---


Re: Spamassassin Restart and E-Mail being scanned at time of restart.

2008-11-12 Thread SM

Hi Michael,
At 14:45 12-11-2008, Michael Hutchinson wrote:
> I am wondering, what happens to E-Mail that is 
> being scanned when the root user on the mail 
> system restarts Spamassassin? I see lots of 
> Spamd children before it is restarted and they 
> suddenly all drop off on a restart (as expected) 
> – do the E-Mail’s being scanned at that time 
> actually get re-scanned or do they only get 
> partially scanned, and then delivered? It would 
> appear that the number of child processes does 
> not increase quickly back to what it was before 
> – suggesting the E-Mails that were being scanned 
> at restart time do not get fully scanned…
>
> Does anyone know what the score is here?


SpamAssassin does content filtering only.  The 
software interacting with SpamAssassin determines 
the action to take, i.e. whether to block or drop the email, etc.


If spamd is restarted while an email is being 
scanned, the software interacting with 
SpamAssassin will not get a negative or positive 
response.  The software might defer mail delivery 
and retry later, hence causing a rescan.


Regards,
-sm