Re: country in africa

2009-01-31 Thread mouss
RobertH a écrit :
  
 
 No. Scoring based on single-words is pretty much the 
 opposite of the SA approach. That's all I was saying.

 
 karsten,
 
 i get the SA approach
 
 and to the no answer, baloney
 
 this word should get a *HIT* no matter how small it is scored.
 


if you add a rule for every possible word, the cost/benefit ratio will
approach infinity.

bottom line: if you think you need a rule for Nigeria, just add it to
your local.cf.

if you use the RelayCountry plugin, you can add rules for a few countries:

ifplugin Mail::SpamAssassin::Plugin::RelayCountry

header COUNTRY_NG X-Relay-Countries=~/\bNG\b/
describe COUNTRY_NG Relayed via Nigeria
score COUNTRY_NG 1

header COUNTRY_GH X-Relay-Countries=~/\bGH\b/
describe COUNTRY_GH Relayed via Ghana
score COUNTRY_GH 1

# ISO 3166-1 code for Burkina Faso is BF (BO is Bolivia)
header COUNTRY_BF X-Relay-Countries=~/\bBF\b/
describe COUNTRY_BF Relayed via Burkina Faso
score COUNTRY_BF 1

header COUNTRY_TZ X-Relay-Countries=~/\bTZ\b/
describe COUNTRY_TZ Relayed via Tanzania
score COUNTRY_TZ 1

header COUNTRY_CI X-Relay-Countries=~/\bCI\b/
describe COUNTRY_CI Relayed via Cote-d-Ivoire
score COUNTRY_CI 1

#...
#...
# etc
endif


The above assumes you don't get (much) mail from these countries. adjust
the score as you see fit. and of course, use at your own rix.



Re: country in africa

2009-01-31 Thread Michael Scheidell
funny story:  we just got an inquiry from  a large ISP in 'that country' 
to implement a hosted anti-spam solution for them.


Seems we were the only company that they looked at that didn't block 
email to/from or mentioning 'that country'.

(other providers they emailed blocked their email!)

They want to pay up front for 3 years.

Trouble is, now they want to send money directly to our bank account, so 
they want our bank account number, routing number, my date of birth, 
social security number, etc :-)


and the money will come from what was left over from a failed coup attempt.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 *| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * King of Spam Filters, SC Magazine 2008
   * Information Security Award 2008, Info Security Products Guide
   * CRN Magazine Top 40 Emerging Security Vendors
   * Finalist 2009 Network Products Guide Hot Companies


_
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/

_

Re: country in africa

2009-01-31 Thread Benny Pedersen

On Sat, January 31, 2009 12:40, mouss wrote:
 The above assumes you don't get (much) mail from these countries.
 adjust the score as you see fit. and of course, use at your own rix.

i see more spam from outside this countrys, eg 419 spams not sent
from there anyway, botnet sooks :)

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: country in africa

2009-01-31 Thread mouss
Benny Pedersen a écrit :
 On Sat, January 31, 2009 12:40, mouss wrote:
 The above assumes you don't get (much) mail from these countries.
 adjust the score as you see fit. and of course, use at your own rix.
 
 i see more spam from outside this countrys, eg 419 spams not sent
 from there anyway, botnet sooks :)
 

yes, and from some ISPs as well.




Re: country in africa

2009-01-31 Thread Henrik K
On Sat, Jan 31, 2009 at 12:40:24PM +0100, mouss wrote:
 
 if you use the RelayCountry plugin, you can add rules for a few countries:

If you are lazy, here is about all of africa..

header RELAYED_419 X-Relay-Countries =~ /\b(?:AO|B[IJW]|C[DFGIMV]|DJ|E[RT]|G[AHMNQW]|K[EM]|L[RS]|M[WZ]|N[AEG]|RW|S[LNOTZ]|T[DGNZ]|UG|Z[AMW])\b/

Works fine for me. YMMV. ;)



RE: country in africa

2009-01-31 Thread SM

At 22:39 30-01-2009, RobertH wrote:

when an email comes in with the word nigeria in it, it should get scored
something.


You could score the content if it mentions a country in Africa.  We 
then have to obfuscate the words so that we can mention them on this 
mailing list.  It's better to use Bayes to deal with that type of email.


Regards,
-sm 



RE: country in africa

2009-01-31 Thread RobertH
 

 
 You could score the content if it mentions a country in 
 Africa.  We then have to obfuscate the words so that we can 
 mention them on this mailing list.  It's better to use Bayes 
 to deal with that type of email.
 
 Regards,
 -sm 
 
 

actually, one does not have to obfuscate a word on this list and of course
we know we should *NOT* send spam email content to the list, it should be
posted elsewhere.

it is my understanding that in your local config you could use something
like whitelisting by spf aka 

[r...@rs1 ~]# dig spamassassin.apache.org txt

spamassassin.apache.org. 1323   IN  TXT v=spf1 a:mail.apache.org -all

aka

whitelist_from_spf *...@spamassassin.apache.org

and if i understand correctly, you can tell the SA config not to 

bayes_ignore_from *...@spamassassin.apache.org

bayes_ignore_to users@spamassassin.apache.org

right?

 - rh



RE: country in africa

2009-01-31 Thread RobertH
thanks mouss

u the reason i made the subject, country in africa was that i didnt
want to use the exact word

i can see my mistake in that now.

as always, i sincerely appreciate the vast programming and SA application
wisdom  knowledge on this list.

thank you all for your help.

and again, this is like probably the only word that in small quantities
regularly slips through untouched.

may i ask, in writing this non standard rule for a single word, and you
wanted to capture the most possibilities of that single word coming through
so that you could flag it with very small score / hit

how should that be written?

something like this two word one?

body   LOCAL_JASONHART   /\bJason Hart\b/
score LOCAL_JASONHART 10.1

 - rh



RE: country in africa

2009-01-31 Thread SM

At 08:18 31-01-2009, RobertH wrote:

and if i understand correctly, you can tell the SA config not to

bayes_ignore_from *...@spamassassin.apache.org

bayes_ignore_to users@spamassassin.apache.org


Right.  There are still some subscribers who don't realize that some 
of the messages from this mailing list will trigger their antispam 
filters as the discussion is generally about spam.


Regards,
-sm 



RE: country in africa

2009-01-31 Thread John Hardin

On Sat, 31 Jan 2009, SM wrote:

We then have to obfuscate the words so that we can mention them on this 
mailing list.


If you're running SA mailing list messages through SA you get what you 
deserve.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance is no excuse for a law.
---
 Tomorrow: the 6th anniversary of the loss of STS-107 Columbia


RE: country in africa

2009-01-31 Thread RobertH

is this good enough for a basic rule to flag that word

or should it be different or raw or what?

something better?

body LOCAL_NIGERIA   /\bnigeria\b/i
score LOCAL_NIGERIA 0.1
describe LOCAL_NIGERIA   This is a simple test rule for nigeria

i know that single word rules in general are a bad idea, i just want to
continue to learn and be able to contrib more over time

thanks

 - rh



Spamd crash - redhat startup script problem?

2009-01-31 Thread John Horne
Hello,

Using: spamassassin 3.2.5 on a CentOS 5.2 system.

Unfortunately the spamd process on one of our mail servers crashed early
this morning. The system mail log showed:

==
Jan 31 06:52:00 tracy spamd[23255]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45028
Jan 31 06:52:13 tracy spamd[2347]: spamd: server killed by SIGTERM, shutting down
Jan 31 06:52:24 tracy spamd[26043]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jan 31 06:52:25 tracy spamd[23255]: spamd: checking message 200901310651.n0v6pxad026...@isg-prod-loader.informa.com for sauser:10001
Jan 31 06:52:25 tracy spamd[26043]: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jan 31 06:52:26 tracy spamd[26043]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jan 31 06:52:31 tracy spamd[23255]: spamd: clean message (-6.6/8.0) for sauser:10001 in 30.9 seconds, 5194 bytes.
Jan 31 06:52:31 tracy spamd[23255]: spamd: result: . -6 - BAYES_00,RCVD_IN_DNSWL_MED scantime=30.9,size=5194,user=sauser,uid=10001,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45028,mid=200901310651.n0v6pxad026...@isg-prod-loader.informa.com,bayes=0.00,autolearn=ham
Jan 31 06:52:31 tracy spamd[23255]: syswrite() to parent failed: Broken pipe at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/SpamdForkScaling.pm line 576.
==


My first thought was a bug in the SpamdForkScaling.pm module, but I'm
not so sure.

At 06:52 spamd was fine, but we have an sa-update/sa-compile job that
runs at around that time. The files in /var/lib/spamassassin/compiled
indicate that the job was running (or finishing) at 06:52. The job (if
successful) then restarts spamassassin (using 'service spamassassin
restart').

Now, the above log shows that at 06:52:13 SA received a shutdown signal
- which is correct when restarting. But at 06:52:24 it seems to be
trying to startup but cannot because SA is still running (the port is in
use). Then at 06:52:31 it seems that some SA scan now finishes, and
because SA was trying to restart, the parent process was gone and,
hence, the syswrite error.

Okay, so looking at the SA startup script it shows (this is within a
shell 'case' statement):

==
  stop)
        # Stop daemons.
        echo -n $"Stopping $prog: "
        killproc spamd
        RETVAL=$?
        echo
        if [ $RETVAL = 0 ]; then
                rm -f /var/lock/subsys/spamassassin
                rm -f $SPAMD_PID
        fi
        ;;
  restart)
        $0 stop
        sleep 3
        $0 start
        ;;


I suspect the problem is that the 'stop' actually failed (RETVAL != 0).
But since the 'restart' doesn't check this, it then just went on and
tried to 'start' SA. This failed because SA still had a process/child
running. Ultimately it meant that our mail server ended up with SA not
running.

Perhaps the RedHat (and hence Fedora (I assume)/CentOS) startup script
should be a bit more aggressive in its checking that SA has actually
stopped before trying to start it again? I think I would rather that
more time was spent on ensuring that SA was stopped, so that it could
then start, rather than it completely failing and the server being left
without SA running.




John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk   Fax: +44 (0)1752 587001
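
The restart race described in the message above, as an added example that is not part of the original post or of the Red Hat script: instead of a fixed `sleep 3`, wait until the old parent and all of its children are gone before starting again. The function names are hypothetical, and the sketch watches process IDs only; it does not probe port 783.

```shell
#!/bin/sh
# Added example; not the Red Hat init script. Function names are hypothetical.

# any_alive PID...: succeeds while at least one of the PIDs still exists.
# Signal 0 delivers nothing; it only probes for the process.
any_alive() {
    for p in "$@"; do
        kill -0 "$p" 2>/dev/null && return 0
    done
    return 1
}

# wait_for_exit TIMEOUT PID...: poll once per second until every PID is gone.
# Returns 0 when all have exited, 1 if any is still alive after TIMEOUT seconds.
wait_for_exit() {
    timeout=$1
    shift
    waited=0
    while any_alive "$@"; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# safe_restart TIMEOUT START_FN PID...
# Sends SIGTERM to every PID (parent and children), waits for all of them,
# and calls START_FN only when none is left; otherwise it returns 1 so the
# caller can alert instead of hitting "Address already in use".
# Assumed use inside an init script: safe_restart 30 start $(pidof spamd)
safe_restart() {
    timeout=$1
    start_fn=$2
    shift 2
    if [ "$#" -gt 0 ]; then
        kill -TERM "$@" 2>/dev/null || true
    fi
    if wait_for_exit "$timeout" "$@"; then
        "$start_fn"
    else
        echo "old processes still running after ${timeout}s, not starting" >&2
        return 1
    fi
}
```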


Re: SA rules stats (Was: SARE false positives on MY_CID_* rules)

2009-01-31 Thread Stefan Jakobs
On Freitag, 30. Januar 2009 06:33:49 Rajkumar S wrote:
  After activating the rule I haven't seen any more FP. But that doesn't
  mean much. Here are my stats from yesterday:
 
   Rank Hits% Msgs   % Spam% Ham  Score Rule
    --   ---  - 
   3472 0.01%0.06%0.22%   1.46 MY_CID_AND_ARIAL2
   3711 0.01%0.03%0.02%   1.54 MY_CID_AND_STYLE
  0 0.01%0.00%0.02%   1.58 MY_CID_ARIAL_STYLE

 Hi,

 How did you generate this stats ?

I use amavisd-new with spamassassin. So I used amavisd-logwatch to generate 
these stats. See: http://www.mikecappella.com/logwatch/

 raj

Greetings
Stefan





Re: html experts: empty style tags.

2009-01-31 Thread Kai Schaetzl
Matus UHLAR - fantomas wrote on Fri, 30 Jan 2009 16:41:51 +0100:

 Aren't there any MUAs that try to autodetect the right content type?
 Even from microsoft?

No. If they would then you couldn't send any plain text messages that 
*discuss* HTML code with examples.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: html experts: empty style tags.

2009-01-31 Thread Kenneth Porter
--On Saturday, January 31, 2009 10:31 PM +0100 Kai Schaetzl 
mailli...@conactive.com wrote:



Aren't there any MUAs that try to autodetect the right content type?
Even from microsoft?


No. If they would then you couldn't send any plain text messages that
*discuss* HTML code with examples.


A simple-minded autodetect system would just look at the first tokens to 
spot HTML tags, like html, body, div, or p. An initial paragraph of 
plain text would be enough to prevent it from interpreting later HTML 
examples as making the whole message part HTML.




Re: country in africa

2009-01-31 Thread Michael Scheidell



RobertH wrote:


it should get a hit.

how many legitimate emails a day do you people get with the word Nigeria in
it?

  
several now that we are sending the 'n word' back and forth on this list 
now!


--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 *| *SECNAP Network Security Corporation


Re: country in africa

2009-01-31 Thread Matt Kettler
RobertH wrote:


 how many legitimate emails a day do you people get with the word Nigeria in
 it?
   
Daily, not really.

But often enough in email news feeds.

 i.e.  I got one within the last 24 hours.. Remember the rebels
threatening oil supplies in Nigeria 4 months ago? Yeah, they called off
their ceasefire and it's hit the news wires. google news for nigeria
and see what has been popping up over there lately.

There's also the occasional mention of hacker activity in that region on
a network security list. Not incredibly common, but it comes up.

And of course, spam related discussions, although those don't entirely
count.
 yeah, that is what i thought.   :-)
   
I doubt that's what you expected. But I bet your email feed looks
nothing like mine. It's very hard to look at your own inbox and be able
to forecast what other people tend to be getting, that's why we've got
mass-checks in SA :)

 when i get an nigerian email scam email that hits squat, well you get the
 idea.
   
Yeah, but there are a lot better things to hit on than a single word.
I'm sorry, but such over simplified rules are contrary to the entire
design of SpamAssassin.

If you want to do it on your own server, knock your socks off. But I'll
vote -1 on any proposal to put such a rule in the mainstream ruleset.
(And I am on the PMC).







RE: country in africa

2009-01-31 Thread RobertH
matt

i hear ya.

ill be using it and scoring low (or whatever i desire) and using meta's it
appears.

i wasnt asking for it to be some major contention in SA core scoring...

i just honestly cannot believe that there are still people out there sending
these emails pretending to be someone from that country

wouldnt it be a joke in those circles by now?

 - rh



Re: SA rules stats (Was: SARE false positives on MY_CID_* rules)

2009-01-31 Thread Chris
On Thursday 29 January 2009 23:33:49 Rajkumar S wrote:
 2009/1/30 Stefan Jakobs stefan.jak...@rus.uni-stuttgart.de

  After activating the rule I haven't seen any more FP. But that doesn't
  mean much. Here are my stats from yesterday:
 
   Rank Hits% Msgs   % Spam% Ham  Score Rule
    --   ---  - 
   3472 0.01%0.06%0.22%   1.46 MY_CID_AND_ARIAL2
   3711 0.01%0.03%0.02%   1.54 MY_CID_AND_STYLE
  0 0.01%0.00%0.02%   1.58 MY_CID_ARIAL_STYLE

 Hi,

 How did you generate this stats ?

 raj
There are two scripts I run, one being sastats and the other being sa-addon 
stats:

Email:       34  Autolearn:     0  AvgScore:   3.88  AvgScanTime:  9.85 sec
Spam:        13  Autolearn:     0  AvgScore:  18.15  AvgScanTime:  7.89 sec
Ham:         21  Autolearn:     0  AvgScore:  -4.95  AvgScanTime: 11.06 sec

Time Spent Running SA:         0.09 hours
Time Spent Processing Spam:    0.03 hours
Time Spent Processing Ham:     0.06 hours

TOP SPAM RULES FIRED
--
RANK  RULE NAME               COUNT  %OFMAIL %OFSPAM  %OFHAM
--
   1  SAGREY                     12    35.29   92.31    0.00
   2  HTML_MESSAGE               10    64.71   76.92   57.14
   3  DCC_CHECK_NEGATIVE          9    58.82   69.23   52.38

That was the sastats output, the sa-addon output is below:

Total: 247
Ham:   182
Spam:  65

FreeMail.cf:
  Rule Name                     Score     Ham   Spam   %of Ham   %of Spam
  ---
  FREEMAIL_REPLYTO               2.00      0     16     0.00%     24.62%
  FREEMAIL_FROM                  1.00      5     23     2.75%     35.38%
  ---
  OVERALL                                  5     23     2.75%     35.38%

clamav.cf:
  Rule Name                     Score     Ham   Spam   %of Ham   %of Spam
  ---
  CLAMAV                        10.00      2       19      1.10%    29.23%
  ---
  OVERALL                                  2     19     1.10%     29.23%

And so on

-- 
KeyID 0xE372A7DA98E6705C


