Re: White List From RCVD

2008-12-11 Thread Asif Iqbal
On Thu, Dec 11, 2008 at 7:48 PM, Matt Kettler  wrote:
> Asif Iqbal wrote:
>> On Thu, Dec 11, 2008 at 2:09 PM, Jeff Mincy  wrote:
>>
>>>   From: mouss 
>>>   Date: Thu, 11 Dec 2008 19:55:44 +0100
>>>
>>>   Asif Iqbal a écrit :
>>>   > I have this in local.cf in qmail.here.net's /etc/mail/spamassassin dir
>>>   >
>>>   >   whitelist_from_rcvd joe.sm...@here.com  
>>> qtdenexmbm24.AD.HERE.COM
>>>   >
>>>   > But email from that address still tagged as spam. What am I doing wrong?
>>>   >
>>>
>>>   you should run the message through spamassassin -D to see which relays
>>>   are trusted.
>>>
>>>   or you could get lucky with:
>>>
>>>   always_trust_envelope_sender 1
>>>
>>>
>>> If you add a Relay header, e.g.:
>>>  add_header all Relay trusted=_RELAYSTRUSTED_, untrusted=_RELAYSUNTRUSTED_
>>>
>>
>> Added now
>>
>>
>>> Then you want the rdns= from the first untrusted relay.
>>>
>>> In this case it is probably:
>>>  whitelist_from_rcvd joe.sm...@here.com here.com
>>>
>>> The whitelist probably won't work for here.com
>>> because of lack of reverse DNS.
>>>  Received: from NO?REVERSE?DNS (HELO sudnp799.here.com)
>>>
>>> The debug output should confirm this.
>>>
>>
>> The debug showed I have nothing in trusted=
>>
>> I guess I could just add qtdenexmbm24.AD.HERE.COM to the trusted network
>> since it is the first Received header when the mail went out.
>>
> That won't do any good. Trust has to start at the most recent server,
> and continue backward in time, unbroken. You can't have
> (untrusted) -> (trusted) -> (untrusted 2) -> (mailserver running SA)

That was excellent explanation. I also got help from this
http://wiki.apache.org/spamassassin/TrustedRelays

>
> This is because "untrusted 2" isn't trusted, thus could be forging
> headers, so from SA's perspective, although the middle header implies
> "untrusted 2" got the message from a trusted host, SpamAssassin can't
> trust it because it's information from an untrustworthy source. (If a
> stranger tells you a package came from your brother, do you trust him
> completely without any question that he might be lying?)
>
> Quite frankly, this header:
>
> Received: from NO?REVERSE?DNS (HELO sudnp799.here.com) ([55.7.32.99])
> (envelope-sender )
>  by qmail.here.net (qmail-ldap-1.03) with SMTP
>
>
> Implies that your trust is pretty much always going to be broken until
> you fix RDNS on 55.7.32.99.

That is the customer IP/domain. I added the IP to the trusted network and
it shows trusted in spamassassin -D and reduced the spam score to -2.6

So I am good

> (I'm assuming that since everything is noted as "here.com" this is all
> stuff inside your own network, if that's incorrect, please change the
> headers to have different munged names for different domains and
> indicate which one is your network vs outsiders)
>
>
>
>
>
>>
>>
>
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu


Re: White List From RCVD

2008-12-11 Thread Asif Iqbal
On Thu, Dec 11, 2008 at 8:09 PM, LuKreme  wrote:
> On 11-Dec-2008, at 11:51, Asif Iqbal wrote:
>>
>>  whitelist_from_rcvd joe.sm...@here.com  qtdenexmbm24.AD.HERE.COM
>
> Really here.com?  The here.com  that is registered to Network Solutions?  Or
> are you making up domain names?
>
> Use example.com or .tld so we know you are munging the
> domains.  Don't munge domains by sticking in other people's domains.

Advice taken. I did not know `example.tld' is reserved for documentation.

Thanks a lot

>
>
> --
> There's a race of men that don't fit in, A race that can't stay
> still So they break the hearts of kith and kin, And they roam
> the world at will.
>
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu


Re: White List From RCVD

2008-12-11 Thread LuKreme

On 11-Dec-2008, at 11:51, Asif Iqbal wrote:
 whitelist_from_rcvd joe.sm...@here.com   
qtdenexmbm24.AD.HERE.COM


Really here.com?  The here.com  that is registered to Network  
Solutions?  Or are you making up domain names?


Use example.com or .tld so we know you are munging  
the domains.  Don't munge domains by sticking in other people's domains.



--
There's a race of men that don't fit in, A race that can't stay
still So they break the hearts of kith and kin, And they roam
the world at will.



Re: White List From RCVD

2008-12-11 Thread Matt Kettler
Asif Iqbal wrote:
> On Thu, Dec 11, 2008 at 2:09 PM, Jeff Mincy  wrote:
>   
>>   From: mouss 
>>   Date: Thu, 11 Dec 2008 19:55:44 +0100
>>
>>   Asif Iqbal a écrit :
>>   > I have this in local.cf in qmail.here.net's /etc/mail/spamassassin dir
>>   >
>>   >   whitelist_from_rcvd joe.sm...@here.com  
>> qtdenexmbm24.AD.HERE.COM
>>   >
>>   > But email from that address still tagged as spam. What am I doing wrong?
>>   >
>>
>>   you should run the message through spamassassin -D to see which relays
>>   are trusted.
>>
>>   or you could get lucky with:
>>
>>   always_trust_envelope_sender 1
>>
>>
>> If you add a Relay header, e.g.:
>>  add_header all Relay trusted=_RELAYSTRUSTED_, untrusted=_RELAYSUNTRUSTED_
>> 
>
> Added now
>
>   
>> Then you want the rdns= from the first untrusted relay.
>>
>> In this case it is probably:
>>  whitelist_from_rcvd joe.sm...@here.com here.com
>>
>> The whitelist probably won't work for here.com
>> because of lack of reverse DNS.
>>  Received: from NO?REVERSE?DNS (HELO sudnp799.here.com)
>>
>> The debug output should confirm this.
>> 
>
> The debug showed I have nothing in trusted=
>
> I guess I could just add qtdenexmbm24.AD.HERE.COM to the trusted network
> since it is the first Received header when the mail went out.
>   
That won't do any good. Trust has to start at the most recent server,
and continue backward in time, unbroken. You can't have
(untrusted) -> (trusted) -> (untrusted 2) -> (mailserver running SA)

This is because "untrusted 2" isn't trusted, thus could be forging
headers, so from SA's perspective, although the middle header implies
"untrusted 2" got the message from a trusted host, SpamAssassin can't
trust it because it's information from an untrustworthy source. (If a
stranger tells you a package came from your brother, do you trust him
completely without any question that he might be lying?)

Quite frankly, this header:

Received: from NO?REVERSE?DNS (HELO sudnp799.here.com) ([55.7.32.99])
(envelope-sender )
  by qmail.here.net (qmail-ldap-1.03) with SMTP


Implies that your trust is pretty much always going to be broken until
you fix RDNS on 55.7.32.99.
(I'm assuming that since everything is noted as "here.com" this is all
stuff inside your own network, if that's incorrect, please change the
headers to have different munged names for different domains and
indicate which one is your network vs outsiders)





>
>   
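
The trust-path rule Matt describes, as an added example (not SpamAssassin's own code): walk the Received headers from the most recent hop backward, stop trusting at the first IP outside trusted_networks, and then test whitelist_from_rcvd's rDNS argument against that handover relay. It treats trusted_networks and internal_networks as the same set, so "first untrusted relay" and "first external relay" coincide. All hostnames and addresses are constructed placeholders modelled on the munged headers quoted above.

```python
"""Added example (not SpamAssassin's own code): the trust-path walk the
thread describes.  trusted_networks and internal_networks are treated as
the same set here, so the "first untrusted relay" is also the handover
relay that whitelist_from_rcvd is matched against.  Hostnames and
addresses are constructed placeholders modelled on the munged headers."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Handles the two layouts seen in the thread:
#   qmail:    from NO?REVERSE?DNS (HELO host.example.com) ([192.0.2.99])
#   sendmail: from host.example.com (host.example.com [198.51.100.28])
_RELAY_RE = re.compile(
    r"from\s+(?P<first>\S+)\s+"
    r"(?:\(HELO\s+(?P<helo>\S+)\)\s+)?"
    r"\((?:(?P<paren>[^\s\[\]]+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)",
    re.IGNORECASE,
)


@dataclass
class Relay:
    ip: str
    helo: Optional[str]
    rdns: Optional[str]  # None when the receiving MTA found no reverse DNS


def parse_received(header: str) -> Optional[Relay]:
    """Extract (ip, helo, rdns) from one unfolded Received header."""
    m = _RELAY_RE.search(header)
    if m is None:
        return None
    first, helo, paren, ip = m.group("first", "helo", "paren", "ip")
    if helo:
        # qmail writes the rDNS name first and the HELO in parentheses;
        # "NO?REVERSE?DNS" is its marker for a failed reverse lookup.
        rdns = None if first.upper().startswith("NO?REVERSE") else first
        return Relay(ip, helo, rdns)
    # sendmail/postfix write the HELO first and the rDNS in parentheses;
    # postfix writes "unknown" when the lookup failed.
    rdns = None if paren is None or paren.lower() == "unknown" else paren
    return Relay(ip, first, rdns)


def split_trust_path(headers: List[str], trusted_networks: List[str]
                     ) -> Tuple[List[Relay], List[Relay]]:
    """headers are in message order, most recent hop first.  Trust begins
    at the relay that handed the message to the scanner and continues
    backward only while every hop is in trusted_networks; the first hop
    outside them ends it, and nothing after it can be trusted, because
    that untrusted hop wrote (or could have forged) the remaining headers."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    trusted: List[Relay] = []
    untrusted: List[Relay] = []
    for header in headers:
        relay = parse_received(header)
        if relay is None:
            continue
        addr = ipaddress.ip_address(relay.ip)
        if not untrusted and any(addr in n for n in nets):
            trusted.append(relay)
        else:
            untrusted.append(relay)
    return trusted, untrusted


def whitelist_from_rcvd_matches(headers: List[str], trusted_networks: List[str],
                                rdns_suffix: str) -> bool:
    """The relay half of whitelist_from_rcvd: the handover relay's rDNS
    must be rdns_suffix itself or a host under it.  A relay the MTA logged
    without reverse DNS can never match, which is why the quoted
    NO?REVERSE?DNS header defeats the whitelist."""
    _, untrusted = split_trust_path(headers, trusted_networks)
    if not untrusted or untrusted[0].rdns is None:
        return False
    rdns, suffix = untrusted[0].rdns.lower(), rdns_suffix.lower()
    return rdns == suffix or rdns.endswith("." + suffix)


# Constructed sample, modelled on the thread's headers: the scanner sits
# behind mx.example.net, the customer's edge host is 192.0.2.99.
SAMPLE_HEADERS = [
    "from NO?REVERSE?DNS (HELO sudnp799.example.com) ([192.0.2.99]) "
    "by mx.example.net (qmail-ldap-1.03) with SMTP; 11 Dec 2008 17:56:19 -0000",
    "from suomp61i.example.com (suomp61i.example.com [198.51.100.28]) "
    "by sudnp799.example.com (8.14.0/8.14.0) with ESMTP id mBBHuIQh014497",
    "from MAIL1.AD.EXAMPLE.COM (localhost [127.0.0.1]) "
    "by suomp61i.example.com (8.14.0/8.14.0) with ESMTP id mBBHuCrs016219",
]

if __name__ == "__main__":
    for nets in ([], ["198.51.100.28/32"], ["192.0.2.99/32"]):
        t, u = split_trust_path(SAMPLE_HEADERS, nets)
        print(f"trusted_networks={nets}: trusted={[r.ip for r in t]} "
              f"handover={u[0].ip if u else None} rdns={u[0].rdns if u else None} "
              f"whitelist example.com -> "
              f"{whitelist_from_rcvd_matches(SAMPLE_HEADERS, nets, 'example.com')}")
```

Running it shows the three situations from the thread: with no trusted_networks the customer's host is the handover relay and, having no rDNS, can never satisfy whitelist_from_rcvd; trusting only the middle hop changes nothing because the chain is already broken at the top; trusting the customer's edge host moves the handover one hop back to a relay that does have rDNS under example.com.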



Re: sought rules updates

2008-12-11 Thread LuKreme

On 11-Dec-2008, at 14:29, Karsten Bräckelmann wrote:

> ...or read the documentation.



I read a hell of a lot of stuff about all this, and have been running
SA since 2.mumble. If you are a plug-n-play sysadmin, then no
problem.  If you are already well-versed in the vagaries of gpg, then  
fine, you already know this.  If you are coming at this newly, the  
documentation is unclear, incomplete, and in some cases points at  
pages that are several years old.


If you think it's perfectly clear, then fine.  Maybe I'm wrong.  But I
bet you will have people asking the same exact questions in the
future and having the same exact confusion. I know it took asking  
several times before anyone was able to even begin to explain where  
this number comes from other than "the author". Well, it doesn't, in  
fact, come from the author.  Most people don't seem to be aware of  
this, so obviously there is some confusion.  It comes from gpg, which  
has as far as I can tell a very exacting syntax to access this bit of  
info, which again most people don't seem to know, as the wrong syntax  
was posted to this thread.



> IIRC (too lazy to look up the details for you) it accepts key IDs,
> fingerprints, email-addresses, names, and any substring at least of the
> latter two. Did you try it? It's enlightening...


really?

mail# gpg --list-keys sought
gpg: error reading key: No public key
mail# gpg --list-keys sought_rules_yerp_org
gpg: error reading key: No public key
mail# gpg --list-keys sought.rules.yerp.org
gpg: error reading key: No public key
mail# gpg --list-keys updates.spamassassin.org
gpg: error reading key: No public key
mail# gpg --list-keys rele...@spamassasin.org
gpg: error reading key: No public key

the only command that seems to do anything is:

gpg --list-keys --no-default-keyring --keyring sa-update-keys/pubring.gpg


even this command, posted to the list as a way to get the --gpgkey  
value:


gpg --no-default-keyring --keyring /etc/mail/spamassassin/sa-update-keys/pubring.gpg


returns:

gpg: Go ahead and type your message ...

and then accepts input until an EOF, at which point it returns

gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error

# gpg --version
gpg (GnuPG) 2.0.3

On 11-Dec-2008, at 14:56, Karsten Bräckelmann wrote:

> FWIW, here would be a good place to start.
>  http://wiki.apache.org/spamassassin/RuleUpdates


That's a bit late in the thread to be posting that, and it gives a
brand new piece of information which no one else has yet mentioned:
> Generally it's safer to specify the whole key fingerprint, but it
> is more common to see simply the last 8 hex digits used.


So it's not a number that has to be generated by gpg, it's just the  
last 8 digits of the fingerprint.  It's not a hash of the fingerprint,  
as was posted in this thread, it's just the last 8 digits.


And you don't think there's confusion?  As far as I can tell, every
single person who posted in this thread and said anything about gpg
and keys got at least something wrong except for you. And even you  
left out what I consider some fairly crucial information.



> And yes, it does explain what the sa-update --gpgkey option does, and
> what it is used for.


Yes, it does.  It even indirectly explains how to get the value.   
Indirectly. Given that information I could at least have searched for  
'gpg fingerprint' and found out how to get the fingerprint (and the  
last 8 digits of it).  I would not, as it turns out, have gotten any  
further since all the instructions I've found on getting a fingerprint  
assume the key is stored in your own pubring, and not in some other  
file, so the critical flags of


--no-default-keyring --keyring /etc/mail/spamassassin/sa-update-keys/pubring.gpg


are missing from those instructions (and those flags are required for  
both the --list-keys and the --fingerprint to work). So I checked  
google for help, now that I know EXACTLY what to search for:
"sa-update list-keys no-default-keyring"





The only hits are from today.  this tells me there is not a single  
page indexed on Google that gives full and complete instructions on  
how to get the --gpgkey value.  Not until I hit send, at least. :)


--
So now you know the words to our song, pretty soon you'll all be
singing along, when you're sad, when you're lonely and it all
turns out wrong...
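
The relationship LuKreme pins down above (the --gpgkey value is simply the last 8 hex digits of the key's fingerprint), as an added example that is not part of sa-update or GnuPG: derive the short and long key IDs from a fingerprint, check a --gpgkey value somebody hands you against the key you actually imported, and pull fingerprints out of gpg's --fingerprint listing. SAMPLE_LISTING is constructed to resemble GnuPG 1.4/2.0 output; the fingerprint in it is a placeholder, not any real signing key's.

```python
"""Added example, not part of sa-update or GnuPG: turn a key's
fingerprint into the --gpgkey value and check a value somebody hands
you against the key you actually imported.  SAMPLE_LISTING is
constructed; its fingerprint is a placeholder, not a real key's."""
import re
from typing import List, Optional

_HEX = re.compile(r"^[0-9A-F]+$")
# Ten groups of four hex digits, with or without the spaces gpg prints.
_FPR_RE = re.compile(r"(?<![0-9A-F])((?:[0-9A-F]{4}\s*){10})(?![0-9A-F])")


def _clean_hex(text: str) -> str:
    text = re.sub(r"[\s:]", "", text).upper()
    return text[2:] if text.startswith("0X") else text


def normalize_fingerprint(text: str) -> str:
    """Accept gpg's spaced layout or a bare hex string; return the 40
    uppercase hex digits of a v4 fingerprint, or raise ValueError."""
    fpr = _clean_hex(text)
    if len(fpr) != 40 or not _HEX.match(fpr):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {text!r}")
    return fpr


def short_key_id(fingerprint: str) -> str:
    """The 8-digit value the thread is after: the fingerprint's last 8
    hex digits (the low 32 bits of the key ID), not a hash of anything."""
    return normalize_fingerprint(fingerprint)[-8:]


def long_key_id(fingerprint: str) -> str:
    """The 16-digit (64-bit) key ID; also a suffix of the fingerprint."""
    return normalize_fingerprint(fingerprint)[-16:]


def gpgkey_form(gpgkey: str) -> Optional[str]:
    """Classify a --gpgkey value as 'fingerprint', 'long' or 'short';
    None if it is not hex of one of those lengths."""
    key = _clean_hex(gpgkey)
    if not _HEX.match(key):
        return None
    return {40: "fingerprint", 16: "long", 8: "short"}.get(len(key))


def gpgkey_matches(gpgkey: str, fingerprint: str) -> bool:
    """Does this --gpgkey value designate the key with this fingerprint?
    Every accepted form is a suffix of the fingerprint, so one check
    covers all three.  Prefer the full fingerprint in your own config:
    an 8-digit ID is short enough that a second key with the same ID
    can be generated on purpose."""
    if gpgkey_form(gpgkey) is None:
        return False
    return normalize_fingerprint(fingerprint).endswith(_clean_hex(gpgkey))


def fingerprints_in_listing(text: str) -> List[str]:
    """Pull every fingerprint out of `gpg --fingerprint` output, whether
    the version prints 'Key fingerprint = XXXX XXXX ...' or a bare
    40-digit line under the pub entry."""
    return [normalize_fingerprint(m.group(1))
            for m in _FPR_RE.finditer(text.upper())]


# Constructed to resemble the output of
#   gpg --no-default-keyring \
#       --keyring /etc/mail/spamassassin/sa-update-keys/pubring.gpg --fingerprint
SAMPLE_LISTING = """\
pub   1024D/ABCDEF01 2007-08-15
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF ABCD EF01
uid                  Example Rules Signer <rules@example.org>
sub   2048g/12345678 2007-08-15
"""

if __name__ == "__main__":
    for fpr in fingerprints_in_listing(SAMPLE_LISTING):
        print(f"fingerprint {fpr}")
        print(f"  sa-update --gpgkey {short_key_id(fpr)}   # common, weakest form")
        print(f"  sa-update --gpgkey {fpr}   # preferred")
```

Note that the 8-digit ID printed on the pub line (1024D/ABCDEF01 in the constructed listing) is the same value short_key_id() returns, so once the key is in the sa-update keyring, --list-keys against that keyring already shows it; gpgkey_matches() is the check to run before pasting a value from a third-party web page into your sa-update command line.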



Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Kai Schaetzl
Matthias Leisi wrote on Thu, 11 Dec 2008 22:05:34 +0100:

> (and
> are thus likely to be quoted in reply emails)

Correctly working email programs leave the signature out of quoting.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: sought rules updates

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 22:29 +0100, Karsten Bräckelmann wrote:
> On Thu, 2008-12-11 at 13:32 -0700, LuKreme wrote:

> > Not at all, I KNOW where the gpg.key came from, because I downloaded  
> > it.  And it came from the same server as the rules are coming.

> > The KeyID is coming from who knows where.
> 
> No. It is part of the key. We've covered that basic GPG intro already.
> Also, usually, the instructions for third-party rules telling you about
> the entire sa-update command to run are located on the same server as
> you got the key from. Yeah, that's "who knows where" alright...


> > I'm just saying the current state of the documentation on this is  
> > poor, requires a level of implicit trust of the -gpgkey value that  
> > should not be necessary with gpg keys, and it is downright confusing to  
> > anyone looking at it for the first time who is not willing to simply  
> > plug-n-play with someone else's config.
> 
> ...or read the documentation.
> 
> This is Open Source. Patches accepted. Yes, documentation patches
> accepted. Wait, there are lots of docs in a *wiki*... Just do it, no
> patch required.

FWIW, here would be a good place to start.
  http://wiki.apache.org/spamassassin/RuleUpdates

And yes, it does explain what the sa-update --gpgkey option does, and
what it is used for.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: sought rules updates

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 13:32 -0700, LuKreme wrote:

> > It's almost like "Just download this key file and you'll be fine.  Don't
> > worry about where it came from, just put it in your keyring."
> 
> Not at all, I KNOW where the gpg.key came from, because I downloaded  
> it.  And it came from the same server as the rules are coming.
> 
> > The point is that at some point you have to trust the source to give you
> > the correct information.  (Which, in the case of an encryption key or
> > key id, will look like a bunch of random numbers)
> 
> The KeyID is coming from who knows where.

No. It is part of the key. We've covered that basic GPG intro already.
Also, usually, the instructions for third-party rules telling you about
the entire sa-update command to run are located on the same server as
you got the key from. Yeah, that's "who knows where" alright...

[ snipp ]
> Or is it that checking multiple keys is so expensive that you are  
> trying to save the server massive processing by telling it which key  
> to check with?  That at least might make some sense, but I've not  
> noticed key checking taking a lot of processing.

The *client* is verifying the signed update. No additional load on the
server at all.

> On 11-Dec-2008, at 08:31, Kai Schaetzl wrote:
> > Karsten Bräckelmann wrote on Thu, 11 Dec 2008 12:48:34 +0100:
> >
> >> A quick glimpsing of the man page tells me to use this:
> >>  gpg --list-keys --no-default-keyring --keyring sa-update-keys/ 
> >> pubring.gpg
> >
> > For me, too. Either cd to /etc/mail/spamassassin or add it to the  
> > path, though ;-)
> 
> The gpg installed on my FreeBSD does not have a man page (installed by  
> ports for SA3.2.5, IIRC), just a --help which says the syntax is:

Did you ever try googling for "man gpg"? Dude, this is quite a lame
excuse... Anyway, if you got gpg, but no man-pages, I'd complain loudly
to my $vendor.


> It does, further down, say:
>   --list-keys [names]show keys
> 
> but there is no indication of what is meant by [names]

IIRC (too lazy to look up the details for you) it accepts key IDs,
fingerprints, email-addresses, names, and any substring at least of the
latter two. Did you try it? It's enlightening...


> I'm just saying the current state of the documentation on this is  
> poor, requires a level of implicit trust of the -gpgkey value that  
> should not be necessary with gpg keys, and it is downright confusing to  
> anyone looking at it for the first time who is not willing to simply  
> plug-n-play with someone else's config.

...or read the documentation.

This is Open Source. Patches accepted. Yes, documentation patches
accepted. Wait, there are lots of docs in a *wiki*... Just do it, no
patch required.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: White List From RCVD

2008-12-11 Thread Matus UHLAR - fantomas
> >   Asif Iqbal a écrit :
> >   > I have this in local.cf in qmail.here.net's /etc/mail/spamassassin
> >   > dir
> >   >
> >   >   whitelist_from_rcvd joe.sm...@here.com  
> > qtdenexmbm24.AD.HERE.COM
> >   >
> >   > But email from that address still tagged as spam. What am I doing
> >   > wrong?

On 11.12.08 14:26, Asif Iqbal wrote:
> The debug showed I have nothing in trusted=
> 
> I guess I could just add qtdenexmbm24.AD.HERE.COM to the trusted network
> since it is the first Received header when the mail went out.

The *whitelist_from_rcvd does work with the internal_networks setting, so it
checks the first _external_ relay. However, correct settings of
trusted_networks and internal_networks are required for a working SA.

See http://wiki.apache.org/spamassassin/TrustPath

Looking at the header, seems that it's your customer who has sent mail to
you, so all servers/ips in the path should be in internal_networks...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: Bug in iXhash plugin - fixed version available

2008-12-11 Thread Andreas Prieß
Dirk Bonengel wrote:
>>> it hangs my SA 3.2.4 setup on waiting for a reply from
>>> ctyme.ixhash.net .
>>>
>>> The strange thing is that it consumes a lot of CPU while hanging... Some
>>> problem in the ctyme.ixhash.net side? Anybody is experiencing the same?

I see the same problem: SA hanging with CPU to 100% for 300 - 500
seconds with the new iXhash plugin 1.5.2.

>> Same here.  I noticed that some messages would hang for up to 10 minutes
>> on ctyme.  However, when scanning the same message with the older
>> plugin, there would be no delays.

Going back to the old plugin, but with the _new_ configuration works
without the high CPU usage and with correct timeouts.

> Sorry to hear there are still problems. I don't think it has anything
> to do with DNS - rather with Perl itself

Since there are no timeouts with the new config and the old plugin, I
also think that is not a network problem, but maybe something with the
new timer code?

> Maybe those of you having problems can toy around with the new options
> use_ixhash_cache and ixhash_pureperl.

I tried both settings of the new options, but that did not solve the
problem.

Since the timeout of the new plugin is _not_ working here, maybe there
is the problem? (Timeout set to 20 seconds, but SA working on the mails
for over 500 seconds...)

For the records:
mail-filter/spamassassin-3.2.1-r1
dev-lang/perl-5.8.8-r5
on gentoo linux x86 stable.


Andreas



signature.asc
Description: OpenPGP digital signature


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Matthias Leisi

Mark Martinec schrieb:

> or construct custom rules to whitelist (=add negative score points)
> based on some other specific chraracteristic of mail to be passed.

Your own (your company's) street address, phone number, or some hopefully
unique token which you typically add in footers of outgoing emails (and
are thus likely to be quoted in reply emails) are good candidates for
such rules.

-- Matthias



RE: sought rules updates

2008-12-11 Thread Bowie Bailey
LuKreme wrote:
> On 11-Dec-2008, at 07:39, Bowie Bailey wrote:
> > 
> > It's almost like "Just download this key file and you'll be fine.
> > Don't worry about where it came from, just put it in your keyring."
> 
> Not at all, I KNOW where the gpg.key came from, because I downloaded
> it.  And it came from the same server as the rules are coming.
> 
> > The point is that at some point you have to trust the source to
> > give you the correct information.  (Which, in the case of an
> > encryption key or key id, will look like a bunch of random numbers)
> 
> The KeyID is coming from who knows where.

The KeyID came from the original announcement of the ruleset by the
author.  This is currently hosted on his blog.

http://taint.org/2007/08/15/004348a.html


> > > > Because sa-update is designed to provide updates in a secure
> > > > way. If you want the simplest way, you can ignore these steps
> > > > and face the consequences when something goes wrong.
> > > 
> > > Oddly enough, I am able to encrypt emails, sign emails, verify
> > > signed mails,  login to ssh ports on remote servers and do a
> > > whole host of secure things without ever having encountered
> > > anything like this gpgkey.  I've added the key to the keychain as
> > > a trusted key, that is enough to make it secure.  How is this 8
> > > digit hex code making anything any more secure?
> > 
> > Because it specifies WHICH key in your keyring is allowed to sign
> > the updates.
> 
> So the concern is that someone who produces RULES1 for SA would hijack
> RULES2's server and then create a new RULES2 set, sign it with their
> RULES1 key, and wait for people to sync up with it?  Because it would
> require all of that, right?
> 
> Probability seems low.

If you know that the updates will only ever be signed by one key, why
not specify it?  It doesn't cost you anything and gives a slight
increase in the security level even if it is unlikely anyone would
attempt to fake an update.

-- 
Bowie


Re: Problem with faked return-path or something like that...!

2008-12-11 Thread LuKreme

On 10-Dec-2008, at 02:41, hofmae wrote:

> I think the main problem is that there is one of our addresses in the
> return-path. That's wrong, I think, because the spammer sends a spam mail with
> one of our addresses in the return-path. The actual spam mail we don't get
> to see...



I think the main problem is that Communigate is being fooled by that  
received header in some way to generate a bogus bounce.  This is  
almost certainly due to a misconfiguration on your part, so talk to  
stalker and see if you can find out what's wrong.  AIR, stalker staff  
(and the mailing lists) is quite helpful.


--
I draw the line at 7 unreturned phone calls.



Re: Spam slipping through

2008-12-11 Thread LuKreme

On 11-Dec-2008, at 10:48, Kelson wrote:

> LuKreme wrote:
>> On 10-Dec-2008, at 16:01, mouss wrote:
>>> so 5 is a little too high.
>> Ah, gotcha.  I am scoring whitelist at -5 though, so a 5 still puts
>> them at 0.  Without other spam tags, they should still pass, no?
>
> whitelist_from_dkim and related rules (whitelist_from_spf,
> whitelist_from_auth, etc.) only fire if the authentication is valid.
> The idea is to whitelist messages from a domain only when you can
> confirm that they really did come from that domain.
>
> So the whitelist and blacklist rules will never cancel each other
> out, because they'll never fire on the same message.

/facepalm

Got it, thanks!

--
There are strange things done in the midnight sun/By the men who
moil for gold; The Arctic trails have their secret tales/That
would make you bloodrun cold; The Northern Lights have seen
queer sights,/But the queerest they ever did see Was the night
on the marge of Lake Lebarge/ When I cremated Sam McGee



Re: sought rules updates

2008-12-11 Thread LuKreme

On 11-Dec-2008, at 07:39, Bowie Bailey wrote:

LuKreme wrote:

On 10-Dec-2008, at 20:36, SM wrote:


it's a hexadecimal number which identifies the key.


And the source of that number is, evidently, a complete mystery.
That's my point.  I've seen lots of instructions like this:

# wget http://somesite.tld/somepath/GPG.KEY
# sudo sa-update --import GPG.KEY
# sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld

where the '0E28B3DC' has just magically appeared as if created from
the ether.

Do you see that there is a crucial step missing there?  Where did that
gpgkey value come from?  If it wasn't provided in these instructions
(like say you were looking for a ruleset at foo.bar.tld/GPG.KEY but
hadn't yet discovered the page that had the magic hex code), how do
you find it?  Can you generate it?  Is it simply a hash of the gpg
keyfile, or something else?

It's a bit of "hey, now just fill in this number we hopefully have
given you.  Don't worry about what it means, or how it works, or where
it came from. Just copy&paste and you'll be fine."

Strangely enough, that does not fill me with the highest degree of
confidence.  Not much more so than --nogpg.


It's almost like "Just download this key file and you'll be fine.  Don't
worry about where it came from, just put it in your keyring."


Not at all, I KNOW where the gpg.key came from, because I downloaded  
it.  And it came from the same server as the rules are coming.


The point is that at some point you have to trust the source to give you
the correct information.  (Which, in the case of an encryption key or
key id, will look like a bunch of random numbers)


The KeyID is coming from who knows where.






Because sa-update is designed to provide updates in a secure way.
If you want the simplest way, you can ignore these steps and face
the consequences when something goes wrong.


Oddly enough, I am able to encrypt emails, sign emails, verify signed
mails,  login to ssh ports on remote servers and do a whole host of
secure things without ever having encountered anything like this
gpgkey.  I've added the key to the keychain as a trusted key, that is
enough to make it secure.  How is this 8 digit hex code making
anything any more secure?


Because it specifies WHICH key in your keyring is allowed to sign the
updates.


So the concern is that someone who produces RULES1 for SA would hijack  
RULES2's server and then create a new RULES2 set, sign it with their  
RULES1 key, and wait for people to sync up with it?  Because it would  
require all of that, right?


Probability seems low.

Or is it that checking multiple keys is so expensive that you are  
trying to save the server massive processing by telling it which key  
to check with?  That at least might make some sense, but I've not  
noticed key checking taking a lot of processing.


On 11-Dec-2008, at 08:31, Kai Schaetzl wrote:

Karsten Bräckelmann wrote on Thu, 11 Dec 2008 12:48:34 +0100:


A quick glimpsing of the man page tells me to use this:
 gpg --list-keys --no-default-keyring --keyring sa-update-keys/pubring.gpg


For me, too. Either cd to /etc/mail/spamassassin or add it to the  
path, though ;-)


The gpg installed on my FreeBSD does not have a man page (installed by  
ports for SA3.2.5, IIRC), just a --help which says the syntax is:


syntax: gpg [options] [files]
sign, check, encrypt or decrypt

It does, further down, say:

 --list-keys [names]show keys

but there is no indication of what is meant by [names]

I'm just saying the current state of the documentation on this is  
poor, requires a level of implicit trust of the -gpgkey value that  
should not be necessary with gpg keys, and it is downright confusing to  
anyone looking at it for the first time who is not willing to simply  
plug-n-play with someone else's config.


--
How do you feel?  I'm lonely
What do you think?  Cant take it all
Whatcha gonna do?  Gonna live my life



Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 18:36 +0100, Matus UHLAR - fantomas wrote:
> > > Ned Slider wrote:
> > > > Yes, additional DNSBLs such as psbl and uceprotect can be integrated 
> > > > into SA
> 
> > On Thu, 2008-12-11 at 15:19 +0100, Marcin Krol wrote:
> > > Well, isn't it better to use them before SA, provided your MTA does have
> > > this feature (I recommend Exim to everyone)?
> 
> On 11.12.08 17:55, Karsten Bräckelmann wrote:
> > No -- unless you ultimately trust the RBL to produce a *negligible*
> > amount of FPs. Every single RBL does have FPs to a highly variable
> > degree. Instead of outright blocking on a hit, it is a good idea to
> > assign a score for the hit only, and see what the result is after all
> > tests have been performed...
> 
> However, using blacklists before SA saves much of bandwidth and CPU time.
> Our company's servers refuse daily ~3x more clients than mails that are
> daily processed.

That may very well be.  My point is that you had better *carefully* (to
avoid the word "paranoid") verify whether you can trust an RBL for
outright blocking at SMTP level. Hence the "unless" part. The RBLs
mentioned aren't, say, ZEN...

This branch of the thread discusses adding more RBLs, which aren't even
part of stock SA for scoring.


> > Exactly the SA approach. A single (or even a few) rules and RBLs can
> > misfire, without affecting the overall deliverability of a particular
> > mail.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: White List From RCVD

2008-12-11 Thread Asif Iqbal
On Thu, Dec 11, 2008 at 2:09 PM, Jeff Mincy  wrote:
>   From: mouss 
>   Date: Thu, 11 Dec 2008 19:55:44 +0100
>
>   Asif Iqbal a écrit :
>   > I have this in local.cf in qmail.here.net's /etc/mail/spamassassin dir
>   >
>   >   whitelist_from_rcvd joe.sm...@here.com  qtdenexmbm24.AD.HERE.COM
>   >
>   > But email from that address still tagged as spam. What am I doing wrong?
>   >
>
>   you should run the message through spamassassin -D to see which relays
>   are trusted.
>
>   or you could get lucky with:
>
>   always_trust_envelope_sender 1
>
>
> If you add a Relay header, e.g.:
>  add_header all Relay trusted=_RELAYSTRUSTED_, untrusted=_RELAYSUNTRUSTED_

Added now

>
> Then you want the rdns= from the first untrusted relay.
>
> In this case it is probably:
>  whitelist_from_rcvd joe.sm...@here.com here.com
>
> The whitelist probably won't work for here.com
> because of lack of reverse DNS.
>  Received: from NO?REVERSE?DNS (HELO sudnp799.here.com)
>
> The debug output should confirm this.

The debug showed I have nothing in trusted=

I guess I could just add qtdenexmbm24.AD.HERE.COM to the trusted network
since it is the first Received header when the mail went out.

>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu


Re: White List From RCVD

2008-12-11 Thread Jeff Mincy
   From: mouss 
   Date: Thu, 11 Dec 2008 19:55:44 +0100
   
   Asif Iqbal a écrit :
   > I have this in local.cf in qmail.here.net's /etc/mail/spamassassin dir
   > 
   >   whitelist_from_rcvd joe.sm...@here.com  qtdenexmbm24.AD.HERE.COM
   > 
   > But email from that address still tagged as spam. What am I doing wrong?
   > 
   
   you should run the message through spamassassin -D to see which relays
   are trusted.
   
   or you could get lucky with:
   
   always_trust_envelope_sender 1
   
   
If you add a Relay header, e.g.:
  add_header all Relay trusted=_RELAYSTRUSTED_, untrusted=_RELAYSUNTRUSTED_

Then you want the rdns= from the first untrusted relay.

In this case it is probably:
  whitelist_from_rcvd joe.sm...@here.com here.com

The whitelist probably won't work for here.com
because of lack of reverse DNS.
  Received: from NO?REVERSE?DNS (HELO sudnp799.here.com)

The debug output should confirm this.


Re: Problem with spamassassin not finding razor-agent.conf

2008-12-11 Thread mouss
Johan Borch a écrit :
> Hi all,
> 
> I have a problem with getting spamassassin to find the razor-agent.conf
> 
> When running "spamassassin -D < testmail.txt" it says:
> 
> .
> .
> .
> [22640] warn: razor2: razor2 check failed: No such file or directory razor2:
> Can't read conf file: = /etc/razor/razor-agent.conf at
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Razor2.pm line 326.
> .
> .
> .
> 
> The config exists and I have been running -create, register & discover, the
> permissions are correct, I'm running the latest razor2-version. What could 
> cause
> this? The system is running centos 5.2.
> 

Either it's a permission problem; do not forget to check the permissions
of all the parent directories.

# ls -l / |grep /etc
# ls -l /etc |grep razor
# ls -l /etc/razor/razor-agent.conf

Or it's a SELinux issue (check /var/log/messages).
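
Added example (Python, not from the thread) that automates the two checks mouss lists: it walks every parent of the razor config path and reports the first component a given unprivileged uid cannot traverse, computed from mode bits rather than os.access() so the answer is the same whether or not you run it as root, and it extracts SELinux AVC denials for the file from /var/log/messages lines. The AVC line is constructed, and the spamd_t/etc_t context names in it are assumed.

```python
"""Two checks for the 'config exists but cannot be read' symptom: which
path component denies access to the spamd/spamassassin user, derived from
mode bits rather than os.access() so the answer does not change when run as
root, and whether /var/log/messages holds an SELinux AVC denial for the
file.  Added example, not from the thread; the AVC line is constructed."""
import os
import re
import stat

RAZOR_CONF = "/etc/razor/razor-agent.conf"   # path from the thread


def path_entries(path):
    """(component, owner uid, group gid, mode) for every prefix of path."""
    path = os.path.abspath(path)
    entries, current = [], os.sep
    for part in path.split(os.sep)[1:]:
        current = os.path.join(current, part)
        st = os.stat(current)              # follows symlinks, like open() does
        entries.append((current, st.st_uid, st.st_gid, st.st_mode))
    return entries


def first_blocking(entries, uid, gids):
    """First prefix a process with this uid/gids cannot traverse, or the final
    entry if it cannot be read.  Returns (component, reason) or None.
    uid 0 bypasses mode bits, so it can only be blocked by SELinux/ACLs."""
    if uid == 0:
        return None
    for i, (component, owner, group, mode) in enumerate(entries):
        last = i == len(entries) - 1
        need = stat.S_IRUSR if last else stat.S_IXUSR   # read the file / search the dir
        if owner == uid:
            mask = need
        elif group in gids:
            mask = need >> 3                             # the group bits
        else:
            mask = need >> 6                             # the "other" bits
        if not mode & mask:
            return component, ("not readable" if last else "not searchable") + f" by uid {uid}"
    return None


AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perm>[\w ]+) \}.*?comm="(?P<comm>[^"]+)".*?name="(?P<name>[^"]+)"'
)


def selinux_denials(log_lines, filename):
    """(process, permission) pairs from AVC denial lines naming this file."""
    hits = []
    for line in log_lines:
        m = AVC_RE.search(line)
        if m and m.group("name") == filename:
            hits.append((m.group("comm"), m.group("perm").strip()))
    return hits


# Constructed sample, mimicking a CentOS 5 /var/log/messages entry; the
# SELinux context names are assumed.
SAMPLE_MESSAGES = [
    "Dec 11 17:33:36 mx kernel: audit(1229016816.123:45): avc:  denied  { read } for  "
    'pid=22640 comm="spamassassin" name="razor-agent.conf" dev=dm-0 ino=1234 '
    "scontext=user_u:system_r:spamd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file",
]

if __name__ == "__main__":
    try:
        # getuid()+1 stands in for "some other unprivileged uid", e.g. the spamd user
        print(first_blocking(path_entries(RAZOR_CONF), os.getuid() + 1, set()))
    except FileNotFoundError:
        print(f"{RAZOR_CONF} does not exist on this host")
    print(selinux_denials(SAMPLE_MESSAGES, "razor-agent.conf"))
```

If first_blocking returns None for the spamd uid and an AVC denial still shows up, the permission bits are not the problem and SELinux is.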


Re: White List From RCVD

2008-12-11 Thread mouss
Asif Iqbal a écrit :
> I have this in local.cf in qmail.here.net's /etc/mail/spamassassin dir
> 
>   whitelist_from_rcvd joe.sm...@here.com  qtdenexmbm24.AD.HERE.COM
> 
> But email from that address still tagged as spam. What am I doing wrong?
> 

you should run the message through spamassassin -D to see which relays
are trusted.

Or you could get lucky with:

always_trust_envelope_sender 1


> [snip]


White List From RCVD

2008-12-11 Thread Asif Iqbal
I have this in local.cf in qmail.here.net's /etc/mail/spamassassin dir

  whitelist_from_rcvd joe.sm...@here.com  qtdenexmbm24.AD.HERE.COM

But email from that address still tagged as spam. What am I doing wrong?


Return-Path: 
Received: (qmail 10789 invoked by uid 7801); 11 Dec 2008 17:56:34 -
Received: from 55.7.32.99 by qmail (envelope-from
, uid 7791) with qmail-scanner-2.01st
 (clamdscan: 0.93.1/8745. spamassassin: 3.2.3. perlscan: 2.01st.
 Clear:RC:0(55.7.32.99):SA:1(5.7/5.0):.
 Processed in 9.903398 secs); 11 Dec 2008 17:56:34 -
X-Spam-Status: Yes, hits=5.7 required=5.0
X-Spam-Level: +
X-Qmail-Scanner-Mail-From: joe.sm...@here.com via qmail
X-Qmail-Scanner: 2.01st (Clear:RC:0(55.7.32.99):SA:1(5.7/5.0):.
Processed in 9.903398 secs Process 10766)
Received: from NO?REVERSE?DNS (HELO sudnp799.here.com) ([55.7.32.99])
(envelope-sender )
  by qmail.here.net (qmail-ldap-1.03) with SMTP
  for ; 11 Dec 2008 17:56:19 -
Received: from suomp61i.here.com (suomp61i.here.com [51.17.69.28])
by sudnp799.here.com (8.14.0/8.14.0) with ESMTP id mBBHuIQh014497
for ; Thu, 11 Dec 2008 10:56:18 -0700 (MST)
Received: from ITDENE2KSM01.AD.HERE.COM (localhost [127.0.0.1])
by suomp61i.here.com (8.14.0/8.14.0) with ESMTP id mBBHuCrs016219
for ; Thu, 11 Dec 2008 11:56:13 -0600 (CST)
Received: from qtdenexhtm20.AD.HERE.COM ([51.19.91.229]) by
ITDENE2KSM01.AD.HERE.COM with Microsoft SMTPSVC(6.0.3790.1830);
 Thu, 11 Dec 2008 10:56:13 -0700
Received: from qtdenexhtm21.AD.HERE.COM (51.19.91.230) by
 qtdenexhtm20.AD.HERE.COM (51.19.91.229) with Microsoft SMTP Server (TLS)
 id 8.1.291.1; Thu, 11 Dec 2008 10:56:12 -0700
Received: from qtdenexmbm24.AD.HERE.COM ([51.19.91.226]) by
 qtdenexhtm21.AD.HERE.COM ([51.19.91.230]) with mapi; Thu, 11 Dec 2008
 10:56:12 -0700
From: "Smith, Joe" 
To: help 
Importance: high
Sensitivity: company-confidential
Date: Thu, 11 Dec 2008 10:56:10 -0700
Subject: SPAM swat 763 - need response
Thread-Topic: swat 763 - need response
Thread-Index: AclZYPGtXYIc2nIfTFSFP76DMWQ1wACWMFtA
Message-ID: 
<1ce788419e9bac469e6c7e33cb9d37cb033b353...@qtdenexmbm24.ad.here.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/mixed;
boundary="_006_1CE788419E9BAC469E6C7E33CB9D37CB033B35352Cqtdenexmbm24A_"
MIME-Version: 1.0
X-OriginalArrivalTime: 11 Dec 2008 17:56:13.0279 (UTC)
FILETIME=[C1A6EEF0:01C95BB9]

--_006_1CE788419E9BAC469E6C7E33CB9D37CB033B35352Cqtdenexmbm24A_
Content-Type: multipart/related;

boundary="_005_1CE788419E9BAC469E6C7E33CB9D37CB033B35352Cqtdenexmbm24A_";
type="multipart/alternative"

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Henrik K
On Thu, Dec 11, 2008 at 05:57:10PM +, Ned Slider wrote:
>
> Genuine spam traps are great for bayes training as they should contain a  
> representative sample of spam your users will be seeing plus you know  
> they only contain spam so you don't need to check the contents before  
> feeding them to bayes to learn :)
>
> I do the same - whitelist a few *good* spamtraps through all my  
> different levels of filtering specifically to feed bayes. I also use  
> these for statistical analysis to see which types of mail SA scores  
> poorly on and then target custom rules towards those spam to help bump  
> the scores.
>
> I'm sure there's other useful stuff you can do with spamtrap mails too.

Unfortunately it takes a lot of effort to create *good* spamtraps. It's just
too much trouble for a normal admin, I leave it to those who have time on
their hands. You can do the simple grep for "mistyped" non-existent
addresses from logs etc, but it's just silly botnet crud that doesn't
represent the "real" spam coming to real users (that leak their addresses in
all sorts of ways). I don't see any point Bayes-learning simple-to-block
botnet mails either, since it's a completely separate thing from the sneakier
419 and phish stuff..



Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread mouss
Ned Slider a écrit :
> Genuine spam traps are great for bayes training as they should contain a
> representative sample of spam your users will be seeing plus you know
> they only contain spam so you don't need to check the contents before
> feeding them to bayes to learn :)
> 

you must be careful with traps. They can get non spam mail:

- bounces (backscatter). you may consider this spam, but I'm not sure
this won't simply poison your bayes

- spammers can use the trap address in subscription forms. (I mean, if
they can send mail to these addresses, then they can use them otherwise.
if they can't send mail to, then the address is useless!). so you should
at least exclude "confirmation requests".

I do "whitelist" some pseudo-traps from time to time, but I manually
review the messages (quickly of course).

> I do the same - whitelist a few *good* spamtraps through all my
> different levels of filtering specifically to feed bayes. I also use
> these for statistical analysis to see which types of mail SA scores
> poorly on and then target custom rules towards those spam to help bump
> the scores.
> 
> I'm sure there's other useful stuff you can do with spamtrap mails too.


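Added example (Python, not from the thread) of the review step mouss describes: before a spam-trap mailbox is fed to sa-learn --spam, bounces and subscription confirmation requests are held back for a human to look at. The three messages are constructed; the heuristics (null envelope sender, delivery-status report, MAILER-DAEMON/postmaster origin, confirm/verify wording) are assumptions a site would tune to its own traps.

```python
"""Filter a spam-trap mailbox before feeding it to sa-learn --spam: hold
back backscatter bounces and subscription confirmation requests for manual
review and learn the rest.  Added example, not from the thread; the three
messages are constructed."""
import email
import re
from email import policy

CONFIRM_RE = re.compile(
    r"\b(?:confirm|verify|activate)\b[^\n]{0,60}\b(?:subscription|address|e-?mail|account)\b"
    r"|\bopt-?in\b",
    re.IGNORECASE,
)


def _text(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def looks_like_bounce(msg):
    """Null envelope sender, delivery-status report or MAILER-DAEMON origin."""
    return_path = str(msg.get("Return-Path", "")).strip()
    report_type = (msg.get_param("report-type", header="Content-Type") or "").lower()
    sender = str(msg.get("From", "")).lower()
    return (
        return_path == "<>"
        or (msg.get_content_type() == "multipart/report" and report_type == "delivery-status")
        or sender.startswith(("mailer-daemon", "postmaster"))
    )


def looks_like_confirmation(msg):
    """Subscription/opt-in confirmation: a spammer may have typed the trap
    address into a form, and the confirmation itself is not spam."""
    subject = str(msg.get("Subject", ""))
    return bool(CONFIRM_RE.search(subject) or CONFIRM_RE.search(_text(msg)))


def classify_trap_message(raw):
    """'learn' when safe for sa-learn --spam, else the reason to review it."""
    msg = email.message_from_string(raw, policy=policy.default)
    if looks_like_bounce(msg):
        return "review:bounce"
    if looks_like_confirmation(msg):
        return "review:confirmation"
    return "learn"


# Constructed messages, one per case.
CONSTRUCTED = {
    "bounce": (
        "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net\nTo: trap@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nThe mail system could not deliver...\n--b1--\n"
    ),
    "confirmation": (
        "Return-Path: <list-bounces@example.net>\nFrom: list@example.net\nTo: trap@example.org\n"
        "Subject: Please confirm your subscription\n\n"
        "Click the link below to confirm your subscription:\nhttp://example.net/confirm?t=abc\n"
    ),
    "spam": (
        "Return-Path: <x@example.com>\nFrom: x@example.com\nTo: trap@example.org\n"
        "Subject: Big discount at our online pharmacy\n\nBuy now and save 80%!\n"
    ),
}

if __name__ == "__main__":
    for name, raw in CONSTRUCTED.items():
        print(f"{name:13} -> {classify_trap_message(raw)}")
```

Anything that comes back as "review:..." goes to a separate folder; only the "learn" set is piped into sa-learn --spam.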

Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Ned Slider

Marcin Krol wrote:
> Matus UHLAR - fantomas wrote:
>>> - blocking at MTA by RBL or other techniques (such as graylisting)
>>>   is efficient and effective, but deprives SpamAssassin of spam samples,
>>>   so if your resources permit, it is better to let SpamAssassin deal
>>>   with all RBLs.
>>
>> I don't think so. We get "enough" of spam even if using many RBLs at SMTP
>> level.
>
> Plus note that characteristics of spam that got through RBL "sieve" 
> *might* be different than characteristics of the spam that didn't.
>
> If so - I have not done any tests, so I have no idea really - then Bayes 
> would be at least partially mistrained.
>
> Having said that, I do have exceptions to my sender-verify and RBL rules 
> for spam traps. :-) Now, getting something useful done with that stuff 
> is another story.




Genuine spam traps are great for bayes training as they should contain a 
representative sample of spam your users will be seeing plus you know 
they only contain spam so you don't need to check the contents before 
feeding them to bayes to learn :)


I do the same - whitelist a few *good* spamtraps through all my 
different levels of filtering specifically to feed bayes. I also use 
these for statistical analysis to see which types of mail SA scores 
poorly on and then target custom rules towards those spam to help bump 
the scores.


I'm sure there's other useful stuff you can do with spamtrap mails too.






Re: Spam slipping through

2008-12-11 Thread Kelson

LuKreme wrote:
> On 10-Dec-2008, at 16:01, mouss wrote:
>> so 5 is a little too high.
>
> Ah, gotcha.  I am scoring whitelist at -5 though, so a 5 still puts them 
> at 0.  Without other spam tags, they should still pass, no?


whitelist_from_dkim and related rules (whitelist_from_spf, 
whitelist_from_auth, etc.) only fire if the authentication is valid. 
The idea is to whitelist messages from a domain only when you can 
confirm that they really did come from that domain.


So the whitelist and blacklist rules will never cancel each other out, 
because they'll never fire on the same message.


If you want to leave a DKIM failure for that domain as neutral, just 
remove your custom blacklist rule.


--
Kelson Vibber
SpeedGate Communications 


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Ned Slider

Karsten Bräckelmann wrote:
> On Thu, 2008-12-11 at 15:19 +0100, Marcin Krol wrote:
>> Ned Slider wrote:
>>> Yes, additional DNSBLs such as psbl and uceprotect can be integrated 
>>> into SA
>>
>> Well, isn't it better to use them before SA, provided your MTA does have
>> this feature (I recommend Exim to everyone)?
>
> No -- unless you ultimately trust the RBL to produce a *negligible*
> amount of FPs. Every single RBL does have FPs to a highly variable
> degree. Instead of outright blocking on a hit, it is a good idea to
> assign a score for the hit only, and see what the result is after all
> tests have been performed...



I agree. There are very few (well, only one actually) DNSBLs that I 
trust to outright block mail at the smtp level whereas plenty of DNSBLs 
are good enough to be useful in SA with sensible scoring where an 
occasional FP doesn't matter too much. That said, that one DNSBL 
(zen.spamhaus.org) and greylisting do block 90% of spam before it ever 
reaches SA.




>>> Also look at setting up Bayes and train it well. A well trained Bayes 
>>> setup can hit 99% plus spam (for me) and can be highly effective.
>>
>> Except I found that while it often gets positive identification right,
>> it sometimes produces false negatives (BAYES_00 negative scoring gets
>> fired on what it should classify as spam -- I reduced BAYES_00 scoring
>> for that reason).
>
> As mentioned a few times already -- do train Bayes instead. That's a
> mis-fire of Bayes, and needs to be corrected.



Agreed - Bayes does need to be well trained. I find Bayes to be highly 
accurate - over 99% of my spam scores at bayes_80 or above (the vast 
majority at bayes_99) whilst non-spam scores at bayes_00 and 
occasionally bayes_05. Occasionally new spam not seen on my server 
before scores bayes_50 (neutral) but that's what you'd expect. I see 
very little mail that scores between the two extremes.


Bottom line - if bayes isn't working well for you then you've not 
trained it right.




Re: Problem with spamassassin not finding razor-agent.conf

2008-12-11 Thread Theo Van Dinter
On Thu, Dec 11, 2008 at 05:33:36PM +, Johan Borch wrote:
> [22640] warn: razor2: razor2 check failed: No such file or directory razor2:
> Can't read conf file: = /etc/razor/razor-agent.conf at
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Razor2.pm line 326.

Do you have a "razor_config" config line somewhere, perhaps that looks like:

razor_config = /etc/razor/razor-agent.conf

?

-- 
Randomly Selected Tagline:
"I won't be made useless, or be idle with despair." - Jewel, "Hands"




Problem with spamassassin not finding razor-agent.conf

2008-12-11 Thread Johan Borch
Hi all,

I have a problem with getting spamassassin to find the razor-agent.conf

When running "spamassassin -D < testmail.txt" it says:

.
.
.
[22640] warn: razor2: razor2 check failed: No such file or directory razor2:
Can't read conf file: = /etc/razor/razor-agent.conf at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Razor2.pm line 326.
.
.
.

The config exists and I have been running -create, register & discover, the
permissions are correct, I'm running the latest razor2-version. What could cause
this? The system is running centos 5.2.

Best regards
Johan Borch



Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Matus UHLAR - fantomas
> > Ned Slider wrote:
> > > Yes, additional DNSBLs such as psbl and uceprotect can be integrated 
> > > into SA

> On Thu, 2008-12-11 at 15:19 +0100, Marcin Krol wrote:
> > Well, isn't it better to use them before SA, provided your MTA does have
> > this feature (I recommend Exim to everyone)?

On 11.12.08 17:55, Karsten Bräckelmann wrote:
> No -- unless you ultimately trust the RBL to produce a *negligible*
> amount of FPs. Every single RBL does have FPs to a highly variable
> degree. Instead of outright blocking on a hit, it is a good idea to
> assign a score for the hit only, and see what the result is after all
> tests have been performed...

However, using blacklists before SA saves much of bandwidth and CPU time.
Our company's servers refuse daily ~3x more clients than mails that are
daily processed.

Configuring a combination of scoring and rejecting mail without the need of
receiving it as a whole would be nice.

Good that at least postfix supports pre-data filtering...

> Exactly the SA approach. A single (or even a few) rules and RBLs can
> misfire, without affecting the overall deliverability of a particular
> mail.


-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 15:19 +0100, Marcin Krol wrote:
> Ned Slider wrote:
> 
> > Yes, additional DNSBLs such as psbl and uceprotect can be integrated 
> > into SA
> 
> Well, isn't it better to use them before SA, provided your MTA does have
> this feature (I recommend Exim to everyone)?

No -- unless you ultimately trust the RBL to produce a *negligible*
amount of FPs. Every single RBL does have FPs to a highly variable
degree. Instead of outright blocking on a hit, it is a good idea to
assign a score for the hit only, and see what the result is after all
tests have been performed...

Exactly the SA approach. A single (or even a few) rules and RBLs can
misfire, without affecting the overall deliverability of a particular
mail.


> > Also look at setting up Bayes and train it well. A well trained Bayes 
> > setup can hit 99% plus spam (for me) and can be highly effective.
> 
> Except I found that while it often gets positive identification right,
> it sometimes produces false negatives (BAYES_00 negative scoring gets
> fired on what it should classify as spam -- I reduced BAYES_00 scoring
> for that reason).

As mentioned a few times already -- do train Bayes instead. That's a
mis-fire of Bayes, and needs to be corrected.

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
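
Added example of the scoring approach Karsten describes, as a local.cf fragment (not from the thread): a DNSBL hit contributes points instead of causing an SMTP-time reject, so one list's false positive cannot on its own push a message over the threshold. The DNSBL zone, rule names, network range and scores are placeholders.

```conf
# local.cf fragment (added example, not from the thread).  The DNSBL zone,
# rule names and scores are placeholders; substitute the list you use.
#
# Scoring instead of rejecting at SMTP time: a hit only adds points, so a
# listing that is a false positive cannot by itself push a message over
# required_score.  The "-lastexternal" suffix on the check_rbl set name
# queries only the relay that handed the message to your trusted network,
# which is the host the listing is meaningful for; without trusted_networks
# SpamAssassin has to guess where that boundary is.

trusted_networks   192.0.2.0/24        # your own MX/relays (documentation range, placeholder)
required_score     5.0

header   RCVD_IN_EXAMPLE_DNSBL  eval:check_rbl('examplednsbl-lastexternal', 'dnsbl.example.net.')
describe RCVD_IN_EXAMPLE_DNSBL  Handover relay listed in dnsbl.example.net
tflags   RCVD_IN_EXAMPLE_DNSBL  net
score    RCVD_IN_EXAMPLE_DNSBL  2.0

# A list that returns distinct A records per sub-list can be split so each
# component gets its own weight, against the same lookup (no extra query):
header   RCVD_IN_EXAMPLE_DNSBL_PROXY  eval:check_rbl_sub('examplednsbl-lastexternal', '127.0.0.2')
describe RCVD_IN_EXAMPLE_DNSBL_PROXY  Handover relay listed as an open proxy
tflags   RCVD_IN_EXAMPLE_DNSBL_PROXY  net
score    RCVD_IN_EXAMPLE_DNSBL_PROXY  1.5
```

With these weights a message needs more than one list hit, or a list hit plus content rules, to reach 5.0; the same list used as an MTA-level reject would have dropped it outright. Check `spamassassin --lint` after editing and `spamassassin -D dns < message` to see the lookups actually issued.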



Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 08:28 -0800, John Hardin wrote:
> On Thu, 11 Dec 2008, Karsten Bräckelmann wrote:

> >>> I still recommend initial training, to give Bayes a good kick-start.
> >>
> >> Initial _manual_ training.
> >
> > Err... Yes! :)
> 
> The reason I stressed that is it sounds like the OP turned on autolearn 
> and let that do the initial bayes training, and I think we all agree 
> that's a bad idea.

Yeah, exactly my point, I just didn't express it the way I meant to.
Thanks for pointing out the most important part, John.




Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread John Hardin

On Thu, 11 Dec 2008, Karsten Bräckelmann wrote:
> On Thu, 2008-12-11 at 08:18 -0800, John Hardin wrote:
>> On Thu, 11 Dec 2008, Karsten Bräckelmann wrote:
>>> I still recommend initial training, to give Bayes a good kick-start.
>>
>> Initial _manual_ training.
>
> Err... Yes! :)

The reason I stressed that is it sounds like the OP turned on autolearn 
and let that do the initial bayes training, and I think we all agree 
that's a bad idea.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.  -- Lyndon B. Johnson
---
 4 days until Bill of Rights day

Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 08:18 -0800, John Hardin wrote:
> On Thu, 11 Dec 2008, Karsten Bräckelmann wrote:
> 
> > I still recommend initial training, to give Bayes a good kick-start.
> 
> Initial _manual_ training.

Err... Yes! :)




Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 16:28 +0100, Marcin Krol wrote:
> Karsten Bräckelmann wrote:
> > Do train false negatives. It does help Bayes, if you train "FN according
> > to Bayes", that is spam that has been caught, but got a low, ham-ish
> > Bayes score.
> 
> It seems that I need to brush up on specifics of SA Bayes; so far I have 
> used only DSPAM from among statistical filters.

Nah, I guess you just need to adjust your point of view. :)

We've specifically discussed Bayes here. So strip all the rules and
network tests, which still made the message correctly score as spam,
despite Bayes claiming different. The latter is important here.
Considering Bayes only -- if Bayes returned a score less than 0.5 it
looks like ham to it...

With a statical filter *only*, you now would train and re-classify that
mail, no? Do the same with Bayes in SA (regardless of other tests
overruling Bayes) -- at least, for those where SA did not auto-learn
anyway. How is that different from dspam?

  guenther





Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread John Hardin

On Thu, 11 Dec 2008, Karsten Bräckelmann wrote:
> I still recommend initial training, to give Bayes a good kick-start.

Initial _manual_ training.


Re: sought rules updates

2008-12-11 Thread Kai Schaetzl
RobertH wrote on Wed, 10 Dec 2008 17:49:28 -0800:

> what ones did you keep? if you recall, any particular reason why?

Hm, I checked and it seems I was wrong, partly. I still have them in the 
channels.txt for my sa-update. I removed them on some other machines 
partly because of memory constraints and didn't notice ill effects. But I 
didn't remove on the machine for my own mail.
I checked the rule hits on it now and the highest hitting SARE rules (in 
the last 35.000 messages) for me are:
SARE_HEAD_8BIT_SPAM (6% hits on ham!)
SARE_GIF_ATTACH (20% hits on ham!)
SARE_MSGID_LONG40 (almost 100% of the hits are ham)
SARE_ADULT2 (almost no ham)
all the other rules are negligible (none hits on more than 0.02 % of 
spam), so it's probably really time to remove them.

This structure might be much different on systems that accept almost every 
mail for SA processing, though. There the SARE might still be very 
helpful. I block 80% or more of spam at MTA level with RBL, greylisting, 
access.db and tight postfix configuration.

Interestingly, I find that two of my own and very old rules are among the 
top 10 scorers for spam and hit almost no ham (< 1%).

body SPAM_HEALTH_1  /pharmacy/i
score SPAM_HEALTH_1 1.0

body SPAM_BUY_9 /discount/i
score SPAM_BUY_9 1.0

Might create more false positives on systems with more legitimate English 
ham traffic, though ,-)




Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
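
Added example (Python, not from the thread) of the per-rule check Kai describes above: hit rates per rule over a ham corpus and a spam corpus, read from X-Spam-Status headers, followed by the rules that hit ham too often or hardly ever hit spam and are therefore candidates for removal. The header values are constructed, with SARE_GIF_ATTACH and SARE_MSGID_LONG40 hitting ham and SARE_ADULT2 hitting only spam, mirroring Kai's figures.

```python
"""Per-rule hit rates on ham and spam from X-Spam-Status headers, the kind
of check behind 'SARE_GIF_ATTACH (20% hits on ham!)'.  Added example, not
from the thread; the header values are constructed."""
import re
from collections import Counter

TESTS_RE = re.compile(r"\btests=(?P<tests>[\w,]+)")


def rules_hit(x_spam_status):
    """Set of rule names from one X-Spam-Status value; folded continuation
    lines (newline + tab after a comma) are joined first."""
    value = re.sub(r",\s+", ",", " ".join(x_spam_status.split()))
    m = TESTS_RE.search(value)
    return set(m.group("tests").split(",")) if m else set()


def rule_hit_rates(corpus):
    """corpus: iterable of (label, x_spam_status) with label 'ham' or 'spam'.
    Returns {rule: (ham_rate, spam_rate)} as fractions of each class."""
    hits = {"ham": Counter(), "spam": Counter()}
    totals = Counter()
    for label, status in corpus:
        totals[label] += 1
        hits[label].update(rules_hit(status))
    rules = set(hits["ham"]) | set(hits["spam"])
    return {
        r: (hits["ham"][r] / max(totals["ham"], 1), hits["spam"][r] / max(totals["spam"], 1))
        for r in rules
    }


def questionable_rules(rates, prefix="", max_ham_rate=0.05, min_spam_rate=0.01):
    """Rules (optionally limited to a name prefix such as 'SARE_') that hit
    ham more than max_ham_rate or hit spam less than min_spam_rate."""
    return sorted(
        r for r, (ham, spam) in rates.items()
        if r.startswith(prefix) and (ham > max_ham_rate or spam < min_spam_rate)
    )


# Constructed corpus: five ham and five spam X-Spam-Status values.
CONSTRUCTED_CORPUS = [
    ("ham",  "No, score=-2.6 required=5.0 tests=BAYES_00,SARE_GIF_ATTACH autolearn=ham version=3.2.5"),
    ("ham",  "No, score=-1.9 required=5.0 tests=BAYES_00,HTML_MESSAGE autolearn=ham version=3.2.5"),
    ("ham",  "No, score=-0.4 required=5.0 tests=BAYES_05,SARE_MSGID_LONG40 autolearn=no version=3.2.5"),
    ("ham",  "No, score=-2.0 required=5.0 tests=BAYES_00 autolearn=ham version=3.2.5"),
    ("ham",  "No, score=-2.6 required=5.0 tests=BAYES_00,SARE_GIF_ATTACH autolearn=ham version=3.2.5"),
    ("spam", "Yes, score=8.1 required=5.0 tests=BAYES_99,SARE_ADULT2,HTML_MESSAGE autolearn=no version=3.2.5"),
    ("spam", "Yes, score=6.3 required=5.0 tests=BAYES_99,SARE_GIF_ATTACH autolearn=no version=3.2.5"),
    ("spam", "Yes, score=12.4 required=5.0 tests=BAYES_99,SARE_ADULT2,URIBL_BLACK autolearn=spam version=3.2.5"),
    ("spam", "Yes, score=7.0 required=5.0 tests=BAYES_99,URIBL_BLACK autolearn=no version=3.2.5"),
    ("spam", "Yes, score=5.2 required=5.0 tests=BAYES_80,HTML_MESSAGE autolearn=no version=3.2.5"),
]

if __name__ == "__main__":
    rates = rule_hit_rates(CONSTRUCTED_CORPUS)
    for rule, (ham, spam) in sorted(rates.items()):
        print(f"{rule:20} ham {ham:5.1%}  spam {spam:5.1%}")
    print("candidates to drop:", questionable_rules(rates, prefix="SARE_"))
```

On a real system the corpus comes from the X-Spam-Status header of mail already sorted into ham and spam folders; the prefix filter keeps the ham-indicating rules (BAYES_00 and friends) out of the "drop" list, since hitting ham is their job.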





Re: sought rules updates

2008-12-11 Thread Kai Schaetzl
Mouss wrote on Wed, 10 Dec 2008 10:34:21 +0100:

> 90_2tld.cf.sare.sa-update.dostech.net

Thanks, for the tip, I wasn't aware of it. As I understand it helps URIBL 
to score on subdomains that it otherwise wouldn't check at all?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: sought rules updates

2008-12-11 Thread SM

At 22:19 10-12-2008, LuKreme wrote:
> I ssh to the server and then I sudo su (so I am sure I have discarded
> my own login environment, I do not normally do this)
>
> mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
> gpg: error reading key: No public key

gpg --no-default-keyring --keyring /etc/mail/spamassassin/sa-update-keys/pubring.gpg

> At least on my FreeBSD, there's no man page for gpg, and the --help

man gpg works for me.

> Riiight, but the public key I put in the keychain does all that, no?
> I'm still unclear on how the --gpgkey makes it more secure.  If the
> file is signed, the signature is checked against the public key that I
> have in pubring.gpg.  What does the gpgkey do?

There may be several keys in a keyring.  When running an automated 
process to verify a file, you also have to validate who signed the 
file.  That's where the gpgkey comes in.  Simply checking the 
signature is not enough.


Regards,
-sm 
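
Added example (Python, not sa-update's own code) of the distinction SM draws: verification passes only when gpg reports a good signature and the signing key's fingerprint is one chosen in advance, so a second key that happens to sit in the same keyring cannot sign an update. It parses the machine-readable output of `gpg --status-fd 1 --verify` against the dedicated keyring from the thread; the status lines, key ids and fingerprints below are constructed.

```python
"""What --gpgkey adds on top of a signature check: sa-update-style
verification that requires not just a good signature but a good signature
from a key you chose in advance.  Parses the machine-readable output of
'gpg --status-fd 1 --verify'.  Added example, not sa-update's own code; the
status lines and fingerprints below are constructed."""
import re
import subprocess

# Fingerprint(s) of the key(s) a channel may be signed with (assumed
# placeholder; take the real one from 'gpg --fingerprint' on the imported key).
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG (?P<fpr>[0-9A-F]{40}) ", re.MULTILINE)
FAILURE_TOKENS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def valid_signer(status_text):
    """Fingerprint of the signing key if gpg reports exactly one good signature
    and no failure, else None.  GOODSIG carries only the long key id; VALIDSIG
    carries the full fingerprint, so the decision is keyed on VALIDSIG."""
    tokens = [
        line.split()[1]
        for line in status_text.splitlines()
        if line.startswith("[GNUPG:] ") and len(line.split()) > 1
    ]
    if any(t in FAILURE_TOKENS for t in tokens) or tokens.count("GOODSIG") != 1:
        return None
    m = VALIDSIG_RE.search(status_text)
    return m.group("fpr") if m else None


def signature_is_trusted(status_text, trusted=TRUSTED_FINGERPRINTS):
    """The check --gpgkey implies: good signature AND from an allowed key."""
    fpr = valid_signer(status_text)
    return fpr is not None and fpr.upper() in trusted


def verify_with_gpg(sig_path, data_path, keyring, trusted=TRUSTED_FINGERPRINTS):
    """Run gpg against a dedicated keyring (as the thread does for sa-update's
    pubring.gpg) and apply the policy above to its status output."""
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring, "--batch",
         "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return signature_is_trusted(proc.stdout, trusted)


# Constructed gpg status output: a good signature by the allowed key, a good
# signature by another key that also lives in the keyring, and a bad one.
STATUS_TRUSTED = (
    "[GNUPG:] SIG_ID abc123 2008-12-11 1229016816\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Channel <updates@example.net>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-12-11 1229016816 0 4 0 17 2 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
STATUS_OTHER_KEY = (
    "[GNUPG:] SIG_ID def456 2008-12-11 1229016816\n"
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <else@example.org>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2008-12-11 1229016816 0 4 0 17 2 00 "
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
STATUS_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Channel <updates@example.net>\n"

if __name__ == "__main__":
    for name, status in [("allowed key", STATUS_TRUSTED), ("other key", STATUS_OTHER_KEY), ("bad sig", STATUS_BAD)]:
        print(f"{name:12} signer={valid_signer(status)!r:44} trusted={signature_is_trusted(status)}")
```

The second case is the one --gpgkey exists for: gpg is perfectly happy with the signature, because the key is in the keyring, but the channel was never supposed to be signed by it. TRUST_UNDEFINED is irrelevant here since the fingerprint is pinned explicitly rather than through the web of trust.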



Re: Problem with faked return-path or something like that...!

2008-12-11 Thread Kevin Parris

>>> support <[EMAIL PROTECTED]> 12/11/08 2:52 AM >>>
Preempting some responses:
What about external remote workers? 
What about those who email stuff to themselves? 
I hear this kind of thing all the time when people moan about spoofing.

On Wed, 2008-12-10 at 12:19 -0500, Kevin Parris wrote:
> You do not have a SpamAssassin problem, you have a Communigate problem.  
> Present this issue to your support resources for that product.
> 
> The basics of what you want to do are something like this:
> 
> When a message is arriving from the internet, and has your own domain in the 
> Return-path, it should be REJECTED immediately.  The detection of this 
> condition, and the Rejecting of the message, should occur entirely within 
> Communigate so that the item does not survive long enough to be presented to 
> SA for analysis.
> 
>  


I believe the common wisdom is something like: your own remote users will be 
configured for some sort of VPN or other authentication mechanism, therefore 
the mail they send will not be "arriving from the internet" thus the mailserver 
can distinguish their items from those that need to be rejected.

People who email stuff to themselves will either be local in the office, or 
remote and authenticated as above, therefore the items they generate will not 
be "arriving from the internet" thus the mailserver can distinguish them from 
those that need to be rejected.

If you have a mailserver that is not able to make this distinction, or you have 
remote users who do not have a VPN or other authentication mechanism, you 
should consider replacing or reconfiguring some components in your facilities.




Re: sought rules updates

2008-12-11 Thread Kai Schaetzl

Karsten Bräckelmann wrote on Thu, 11 Dec 2008 12:48:34 +0100:

> Hmm, mine doesn't. :) 

My package says gnupg-1.4.5-13.

> Instead that option's desc starts with "List all
> keys from the public keyrings, or just the keys given on the command
> line".

Yeah, and now that I know how to squeeze the keys out, I know what they mean by 
the [names], e.g.

gpg --list-keys --no-default-keyring --keyring sa-update-keys/pubring.gpg 856AA88A

> It definitely doesn't tell me to dump a file-name there...

No, but the basic command syntax tells about it.

> gpg  [--homedir name]  [--options file]

That actually refers to a file to be signed, decrypted etc., though, and not
the keyrings. And there's also a difference between "options" and "commands"
(--list-keys is a command). If you don't know much about gpg it's easy to get
tricked. As I said earlier, it isn't important to know all that if one just
wants to use SA. Otherwise you may want to read the gnupg documentation before
asking, indeed ;-)

> 
> A quick glimpsing of the man page tells me to use this:
>   gpg --list-keys --no-default-keyring --keyring sa-update-keys/pubring.gpg

For me, too. Either cd to /etc/mail/spamassassin or add it to the path, though ;-)



Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Marcin Krol

Karsten Bräckelmann wrote:
> Do train false negatives. It does help Bayes, if you train "FN according
> to Bayes", that is spam that has been caught, but got a low, ham-ish
> Bayes score.

It seems that I need to brush up on specifics of SA Bayes; so far I have 
used only DSPAM from among statistical filters.


Regards,
Marcin Krol



Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Marcin Krol

Matus UHLAR - fantomas wrote:
>> - blocking at MTA by RBL or other techniques (such as graylisting)
>>   is efficient and effective, but deprives SpamAssassin of spam samples,
>>   so if your resources permit, it is better to let SpamAssassin deal
>>   with all RBLs.
>
> I don't think so. We get "enough" of spam even if using many RBLs at SMTP
> level.


Plus note that characteristics of spam that got through RBL "sieve" 
*might* be different than characteristics of the spam that didn't.


If so - I have not done any tests, so I have no idea really - then Bayes 
would be at least partially mistrained.


Having said that, I do have exceptions to my sender-verify and RBL rules 
for spam traps. :-) Now, getting something useful done with that stuff 
is another story.


Regards,
Marcin Krol



Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Matus UHLAR - fantomas
On 11.12.08 15:47, Mark Martinec wrote:
> Quality of bayes auto-learning improves if you let all your mail
> pass through SpamAssassin:
> 
> - outbound mail is often a high-quality source of ham
>   for autolearning;

But when one of your users starts spamming (trojan or wtf), you have a problem
and can drop the BAYES DB immediately...

> - blocking at MTA by RBL or other techniques (such as graylisting)
>   is efficient and effective, but deprives SpamAssassin of spam samples,
>   so if your resources permit, it is better to let SpamAssassin deal
>   with all RBLs.

I don't think so. We get "enough" of spam even if using many RBLs at SMTP
level.
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 16:01 +0100, Karsten Bräckelmann wrote:
> On Thu, 2008-12-11 at 15:13 +0100, Marcin Krol wrote:

Forgot to add...

> > No, I just waited until default 200 hams and 200 spams kicked it in. As 
> > I mentioned elsewhere, I get a weird effect of correct positives, but 
> > relatively many false negatives from Bayes rules.

Do train false negatives. It does help Bayes, if you train "FN according
to Bayes", that is spam that has been caught, but got a low, ham-ish
Bayes score.

> I still recommend initial training, to give Bayes a good kick-start.




Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 15:13 +0100, Marcin Krol wrote:
> Karsten Bräckelmann wrote:

> > Razor is quite good, too. Also Pyzor, though it requires much more
> > resources. 
> 
> See, my friend who works at a hosting company didn't find Razor to be 
> much improvement. Perhaps he misconfigured it or smth?

That's pretty much just another way of saying, what you snipped from my
post. ;)  "Results and effectiveness vary, everyone's spam is
different." Yes, that means it might work much better for you. Did you
try it?

> >I also recommend the iXhash plugin, which is another digest
> > test that kicks some serious butt.
> 
> Now you're talking. :-)


> >Did you manually (initially) train it
> > with your collected ham and recent (not older than 3 months) spam?
> 
> No, I just waited until default 200 hams and 200 spams kicked it in. As 
> I mentioned elsewhere, I get a weird effect of correct positives, but 
> relatively many false negatives from Bayes rules.

I still recommend initial training, to give Bayes a good kick-start.





RE: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Bowie Bailey
Marcin Krol wrote:
> Karsten Bräckelmann wrote:
> > 
> > Did you manually (initially) train it
> > with your collected ham and recent (not older than 3 months) spam?
> 
> No, I just waited until default 200 hams and 200 spams kicked it in.
> As I mentioned elsewhere, I get a weird effect of correct positives,
> but relatively many false negatives from Bayes rules.

Bayes works best when it is manually trained.  At the very least, you
need to monitor it and retrain any messages that are scored incorrectly.
Automatic training is at the mercy of SA's scoring.  If SA gets it
wrong, Bayes will be trained wrong, which will result in an increase in
false positives and false negatives.

-- 
Bowie


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Mark Martinec
Marcin,

> >Did you manually (initially) train it
> > with your collected ham and recent (not older than 3 months) spam?
>
> No, I just waited until default 200 hams and 200 spams kicked it in. As
> I mentioned elsewhere, I get a weird effect of correct positives, but
> relatively many false negatives from Bayes rules.

Quality of bayes auto-learning improves if you let all your mail
pass through SpamAssassin:

- outbound mail is often a high-quality source of ham
  for autolearning;

- blocking at MTA by RBL or other techniques (such as graylisting)
  is efficient and effective, but deprives SpamAssassin of spam samples,
  so if your resources permit, it is better to let SpamAssassin deal
  with all RBLs.


Mark


RE: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Bowie Bailey
Marcin Krol wrote:
> Matthias Leisi wrote:
> 
> > * If circumstances permit, make use of extensive whitelisting, so
> > that you can increase the score of rules (or maybe lower the
> > threshold after which you consider a message to be spam).
> 
> With all due respect, that's risky... My users often get legit mails
> out of blue or e-mail new parties and I could react to that only
> after the fact.

Whitelisting here does not mean "accept only these emails".  It simply
reduces the score to prevent them from being marked as spam.  Unknown
email addresses are treated the same as if you had no whitelist.

-- 
Bowie


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Matus UHLAR - fantomas
> Ned Slider wrote:
> >Also look at setting up Bayes and train it well. A well trained Bayes 
> >setup can hit 99% plus spam (for me) and can be highly effective.

On 11.12.08 15:19, Marcin Krol wrote:
> Except I found that while it often gets positive identification right,
> it sometimes produces false negatives (BAYES_00 negative scoring gets
> fired on what it should classify as spam -- I reduced BAYES_00 scoring
> for that reason).

That's apparently a problem of a badly trained BAYES, not a problem of BAYES
itself. Train more spam.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)


RE: sought rules updates

2008-12-11 Thread Bowie Bailey
LuKreme wrote:
> On 10-Dec-2008, at 20:36, SM wrote:
> >  
> > it's a hexadecimal number which identifies the key.
> 
> And the source of that number is, evidently, a complete mystery.
> That's my point.  I've seen lots of instructions like this:
> 
> # wget http://somesite.tld/somepath/GPG.KEY
> # sudo sa-update --import GPG.KEY
> # sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld
> 
> where the '0E28B3DC' has just magically appeared as if created from
> the ether.
> 
> Do you see that there is a crucial step missing there?  Where did that
> gpgkey value come from?  If it wasn't provided in these instructions
> (like say you were looking for a ruleset at foo.bar.tld/GPG.KEY but
> hadn't yet discovered the page that had the magic hex code), how do
> you find it?  Can you generate it?  Is it simply a hash of the gpg
> keyfile, or something else?
> 
> It's a bit of "hey, now just fill in this number we hopefully have
> given you.  Don't worry about what it means, or how it works, or where
> it came from. Just copy&paste and you'll be fine."
> 
> Strangely enough, that does not fill me with the highest degree of
> confidence.  Not much more so than --nogpg.

It's almost like "Just download this key file and you'll be fine.  Don't
worry about where it came from, just put it in your keyring."

The point is that at some point you have to trust the source to give you
the correct information.  (Which, in the case of an encryption key or
key id, will look like a bunch of random numbers)


> > Because sa-update is designed to provide updates in a secure way.
> > If you want the simplest way, you can ignore these steps and face
> > the consequences when something goes wrong.
> 
> Oddly enough, I am able to encrypt emails, sign emails, verify signed
> mails,  login to ssh ports on remote servers and do a whole host of
> secure things without ever having encountered anything like this
> gpgkey.  I've added the key to the keychain as a trusted key, that is
> enough to make it secure.  How is this 8 digit hex code making
> anything any more secure?

Because it specifies WHICH key in your keyring is allowed to sign the
updates.

-- 
Bowie


Re: sought rules updates

2008-12-11 Thread John Hardin

On Wed, 10 Dec 2008, LuKreme wrote:

> I'm still unclear on how the --gpgkey makes it more secure.  If the file
> is signed, the signature is checked against the public key that I have
> in pubring.gpg.  What does the gpgkey do?

It indicates which key to use to check the signature.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the place of government to make right every tragedy and
  woe that befalls every resident of the nation.
---
 4 days until Bill of Rights day
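The key ID LuKreme asks about is not a hash of the key file: it is the low-order bits of the key's fingerprint, which RFC 4880 section 12.2 defines as a SHA-1 over the public-key packet, and the signature above shows the relationship (0xB8732E79 is the last eight hex digits of the fingerprint 2D8C 34F4 ... B873 2E79). The code below is an added example, not from this thread; its sample key packet is constructed with toy numbers and is not a real key.

```python
import hashlib
import struct

HEX_DIGITS = set("0123456789ABCDEF")


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet length of the public-key packet body, and the body."""
    if not body or body[0] != 4:
        raise ValueError("only version 4 public-key packets are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id_from_fingerprint(fpr: str, long_id: bool = False) -> str:
    """Key ID = low-order 64 bits (long) or 32 bits (short) of the fingerprint; accepts gpg's spaced form."""
    hexfpr = fpr.replace(" ", "").upper()
    if len(hexfpr) != 40 or not set(hexfpr) <= HEX_DIGITS:
        raise ValueError("a v4 fingerprint is 40 hex digits")
    return hexfpr[-16:] if long_id else hexfpr[-8:]


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-octet bit count, then big-endian octets."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_sample_packet() -> bytes:
    """Constructed old-format public-key packet (tag 6) with toy RSA numbers; not a real key."""
    body = (b"\x04"                          # version 4
            + struct.pack(">I", 1228953600)  # creation time, 2008-12-11 00:00 UTC (constructed)
            + b"\x01"                        # public-key algorithm 1 = RSA
            + mpi(0xC3) + mpi(17))           # toy modulus n and exponent e
    # 0x99 is the old-format header for tag 6 with a two-octet length: the same
    # three octets the fingerprint hash is prefixed with.
    return b"\x99" + struct.pack(">H", len(body)) + body


def packet_body(packet: bytes) -> bytes:
    """Strip the old-format tag-6 header (0x99 + 2-octet length) and return the body."""
    if len(packet) < 3 or packet[0] != 0x99:
        raise ValueError("expected an old-format public-key packet with a 2-octet length")
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return body


def key_id_of_packet(packet: bytes, long_id: bool = False) -> str:
    """The value sa-update --gpgkey expects (short form) for this key."""
    return key_id_from_fingerprint(v4_fingerprint(packet_body(packet)), long_id)
```

For a real key, `gpg --fingerprint --no-default-keyring --keyring sa-update-keys/pubring.gpg` prints the fingerprint whose tail `key_id_from_fingerprint` extracts; comparing that full fingerprint against the one the ruleset publisher states out of band is the check that makes the key ID meaningful.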


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Marcin Krol

Ned Slider wrote:

> Yes, additional DNSBLs such as psbl and uceprotect can be integrated
> into SA

Well, isn't it better to use them before SA, provided your MTA does have
this feature (I recommend Exim to everyone)?

> Also look at setting up Bayes and train it well. A well trained Bayes
> setup can hit 99% plus spam (for me) and can be highly effective.

Except I found that while it often gets positive identification right,
it sometimes produces false negatives (BAYES_00 negative scoring gets
fired on what it should classify as spam -- I reduced BAYES_00 scoring
for that reason).

> My most effective rule classes are Bayes, DNSBLs and URIBLs plus my own
> custom rules for stuff SA routinely misses.
>
> Add on 3rd party rules like JM_SOUGHT and SARE can be useful too so
> maybe look at those as well.

That probably is stuff to look at, thanks!

Regards,
Marcin



Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Marcin Krol

Karsten Bräckelmann wrote:

>> - SURBL and URIBL are extremely effective at identifying spam
>
> They are enabled by default -- unless you are running local tests only.
> Did you (or your distro default) disable network tests? If you
> specifically had to enable these, you are likely missing more of them.

No, I have them enabled - I just found them so effective that I
increased their scores.

>> - DCC is able to find at least some spam
>
> Razor is quite good, too. Also Pyzor, though it requires much more
> resources.

See, my friend who works at a hosting company didn't find Razor to be
much improvement. Perhaps he misconfigured it or smth?

> I also recommend the iXhash plugin, which is another digest
> test that kicks some serious butt.

Now you're talking. :-)

>> Is anybody here willing to share other / better techniques and tips?
>
> Watch the list. Every now and then additional rules, tips and even DNS
> BLs are posted and discussed here.
>
> Btw, do you have Bayes enabled?

Yes.

> Did you manually (initially) train it
> with your collected ham and recent (not older than 3 months) spam?

No, I just waited until default 200 hams and 200 spams kicked it in. As
I mentioned elsewhere, I get a weird effect of correct positives, but
relatively many false negatives from Bayes rules.


Regards,
Marcin Krol




Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Marcin Krol

Matthias Leisi wrote:

> * If circumstances permit, make use of extensive whitelisting, so that
> you can increase the score of rules (or maybe lower the threshold after
> which you consider a message to be spam).

With all due respect, that's risky... My users often get legit mails out
of the blue or e-mail new parties and I could react to that only after the
fact.

> * Experiment with additional blacklists (but beware of false positives).
>
> * Consider using some blacklist(s) to actually reject messages before
> they reach SpamAssassin (often, the Spamhaus lists are fine for that
> purpose).

I already do that (among other reasons, it is far cheaper than SA
scanning), just today:

Rejections by:
  RBLs                    2856
  SA permanent rejection   871
  Sender Verify failed    4627

As you can see, sender verify (a feature in Exim) is very effective at
cutting out lots of spam, so there's little left for SA to work on.
Granted, it's controversial, but extremely effective.


Regards,
Marcin Krol


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Mark Martinec
> * If circumstances permit, make use of extensive whitelisting, so that
> you can increase the score of rules (or maybe lower the threshold after
> which you consider a message to be spam).

When whitelisting, never whitelist just based on a plain sender or author
address (such as 'whitelist_from').

Whitelisting should only be based on reliable (or at least: likely to be true)
information, so use:
  whitelist_from_dkim
  whitelist_from_spf
  whitelist_auth
  whitelist_from_rcvd

or construct custom rules to whitelist (=add negative score points)
based on some other specific characteristic of mail to be passed.

See man pages for:
  Mail::SpamAssassin::Conf
  Mail::SpamAssassin::Plugin::DKIM
  Mail::SpamAssassin::Plugin::SPF


Mark
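A local.cf sketch added here to contrast the plain-address whitelist Mark warns against with the authenticated forms he lists; it is not from his message, and partner@partner.example and mail.partner.example are placeholder names:

```conf
# Weak: keyed on the plain From: address alone, which any sender can forge.
whitelist_from        partner@partner.example

# Better: each entry only applies when the message proves who sent it.
# Valid DKIM signature from the author's domain.
whitelist_from_dkim   partner@partner.example
# Envelope sender passes the SPF check for its domain.
whitelist_from_spf    partner@partner.example
# Either a passing DKIM or a passing SPF check.
whitelist_auth        partner@partner.example
# Reverse DNS of the first untrusted relay must end in mail.partner.example
# (depends on trusted_networks being right and on the relay having rDNS).
whitelist_from_rcvd   partner@partner.example  mail.partner.example

# The same idea as a custom rule: negative points only when SPF_PASS fired.
header   __LOCAL_FROM_PARTNER  From:addr =~ /\@partner\.example$/i
meta     LOCAL_PARTNER_OK      (__LOCAL_FROM_PARTNER && SPF_PASS)
describe LOCAL_PARTNER_OK      Author at partner.example with a passing SPF check
score    LOCAL_PARTNER_OK      -5.0
```

Run `spamassassin --lint` after editing local.cf; a typo in a meta rule silently costs you the whitelist entry.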


Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Karsten Bräckelmann
On Thu, 2008-12-11 at 12:52 +0100, Marcin Krol wrote:
> Through experimentation I have found that the following techniques are 
> highly effective:

> - SURBL and URIBL are extremely effective at identifying spam

They are enabled by default -- unless you are running local tests only.
Did you (or your distro default) disable network tests? If you
specifically had to enable these, you are likely missing more of them.

Yes, network tests are highly effective with SA.

> - DCC is able to find at least some spam

Razor is quite good, too. Also Pyzor, though it requires much more
resources. I also recommend the iXhash plugin, which is another digest
test that kicks some serious butt.

Results and effectiveness vary, everyone's spam is different.

> Is anybody here willing to share other / better techniques and tips?

Watch the list. Every now and then additional rules, tips and even DNS
BLs are posted and discussed here.

Btw, do you have Bayes enabled? Did you manually (initially) train it
with your collected ham and recent (not older than 3 months) spam?

  guenther




Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Ned Slider

Matthias Leisi wrote:

> Marcin Krol wrote:
>
>> Is anybody here willing to share other / better techniques and tips?
>
> No silver bullet, only blood, sweat and tears :-)

I agree.

> * Create custom rules to match your uncaught spam (and maybe share
> these rules back on this list).

Yes, custom rules are a great way of supplementing SA's scoring. But
score your custom rules low to start with and ALWAYS run 'spamassassin
--lint' to check your custom rules BEFORE restarting SA as if you're
anything like me you will make typos!

> * If circumstances permit, make use of extensive whitelisting, so that
> you can increase the score of rules (or maybe lower the threshold after
> which you consider a message to be spam).
>
> * Experiment with additional blacklists (but beware of false positives).

Yes, additional DNSBLs such as psbl and uceprotect can be integrated into SA.

Also look at setting up Bayes and train it well. A well trained Bayes
setup can hit 99% plus spam (for me) and can be highly effective.

My most effective rule classes are Bayes, DNSBLs and URIBLs plus my own
custom rules for stuff SA routinely misses.

Add on 3rd party rules like JM_SOUGHT and SARE can be useful too so
maybe look at those as well.




Re: (newbie question) Increasing SA effectiveness

2008-12-11 Thread Matthias Leisi

Marcin Krol wrote:

> Is anybody here willing to share other / better techniques and tips?

No silver bullet, only blood, sweat and tears :-)

* Create custom rules to match your uncaught spam (and maybe share
these rules back on this list).


* If circumstances permit, make use of extensive whitelisting, so that 
you can increase the score of rules (or maybe lower the threshold after 
which you consider a message to be spam).


* Experiment with additional blacklists (but beware of false positives).

* Consider using some blacklist(s) to actually reject messages before 
they reach SpamAssassin (often, the Spamhaus lists are fine for that 
purpose).


-- Matthias


(newbie question) Increasing SA effectiveness

2008-12-11 Thread Marcin Krol

Hello everyone,

I'm (somewhat) new to SA, and it works nicely, except now I would like
to boost its effectiveness at finding spam. I have searched the web and
frankly I'm disappointed with the results - except for basic config there is
not much info there on how to fine-tune SA to get better results at
filtering. Secret science or what? :-)


Through experimentation I have found that the following techniques are 
highly effective:


- Botnet plugin is very effective at finding spammer-like DNS records

- SURBL and URIBL are extremely effective at identifying spam

- DCC is able to find at least some spam

Is anybody here willing to share other / better techniques and tips?

Thanks in advance,
Marcin Krol


Re: sought rules updates

2008-12-11 Thread Karsten Bräckelmann
> > mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
> > gpg: error reading key: No public key

And another doc you didn't read before asking here, LuKreme...

> I get the same, and without the path to a file I get the keys from the 
> global keyring which are non for SA. man gpg says "--list-keys [names]" 
> but it's not clear which name to put there.

Hmm, mine doesn't. :)  Instead that option's desc starts with "List all
keys from the public keyrings, or just the keys given on the command
line". It definitely doesn't tell me to dump a file-name there...

A quick glimpsing of the man page tells me to use this:
  gpg --list-keys --no-default-keyring --keyring sa-update-keys/pubring.gpg

And it works for me. See the description for the --keyring option.





Re: sought rules updates

2008-12-11 Thread Kai Schaetzl

LuKreme wrote on Wed, 10 Dec 2008 23:19:25 -0700:

> mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
> gpg: error reading key: No public key

I get the same, and without the path to a file I get the keys from the
global keyring, which are none for SA. man gpg says "--list-keys [names]"
but it's not clear which name to put there.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com