warn: util: cannot untaint path: ARRAY(0x8819ebc)
Hi spamassassin-users,

I'm trying to make use of Mail::SpamAssassin::Plugin::AccessDB plugin. This is what I have in config:

body GMAIL_IZDANJA eval:check_access_database('/etc/mail/gmail_spam.db')
describe GMAIL_IZDANJA spam from gmail.com
score GMAIL_IZDANJA 35.000

Content of /etc/mail/gmail_spam is in format em...@addr REJECT. File is compiled with postmap and exim_dbmbuild, both didn't work.

When I do spamassassin --lint I get this:

[18199] warn: util: cannot untaint path: ARRAY(0x8819ebc)

I successfully reproduced bug on two systems:

FreeBSD/i386 7.0, Perl 5.8.9 (ports), SpamAssassin-3.2.5_1 (ports)
Debian Lenny, Perl 5.10.0, spamassassin 3.2.5-2

I've checked archives, but nothing. I would be happy with someone's pointer.

Thanks,
Bogdan
Re: warn: util: cannot untaint path: ARRAY(0x8819ebc)
Bogdan,

> I'm trying to make use of Mail::SpamAssassin::Plugin::AccessDB plugin. This is what I have in config:
>
> body GMAIL_IZDANJA eval:check_access_database('/etc/mail/gmail_spam.db')
> describe GMAIL_IZDANJA spam from gmail.com
> score GMAIL_IZDANJA 35.000
>
> Content of /etc/mail/gmail_spam is in format em...@addr REJECT. File is compiled with postmap and exim_dbmbuild, both didn't work.
>
> When I do spamassassin --lint I get this:
>
> [18199] warn: util: cannot untaint path: ARRAY(0x8819ebc)

The test is supposed to receive a header as argument, not a body:

wrong:
body GMAIL_IZDANJA eval:check_access_database('/etc/mail/gmail_spam.db')

right:
header GMAIL_IZDANJA eval:check_access_database('/etc/mail/gmail_spam.db')

Mark
Re: warn: util: cannot untaint path: ARRAY(0x8819ebc)
Mark Martinec wrote:
> Bogdan,
>
>> I'm trying to make use of Mail::SpamAssassin::Plugin::AccessDB plugin. This is what I have in config:
>>
>> body GMAIL_IZDANJA eval:check_access_database('/etc/mail/gmail_spam.db')
>> describe GMAIL_IZDANJA spam from gmail.com
>> score GMAIL_IZDANJA 35.000
>>
>> Content of /etc/mail/gmail_spam is in format em...@addr REJECT. File is compiled with postmap and exim_dbmbuild, both didn't work.
>>
>> When I do spamassassin --lint I get this:
>>
>> [18199] warn: util: cannot untaint path: ARRAY(0x8819ebc)
>
> The test is supposed to receive a header as argument, not a body:
>
> wrong:
> body GMAIL_IZDANJA eval:check_access_database('/etc/mail/gmail_spam.db')
>
> right:
> header GMAIL_IZDANJA eval:check_access_database('/etc/mail/gmail_spam.db')
>
> Mark

Hi Mark,

thanks for the reply. What I am trying to do is actually have access map of blacklisted email addresses or websites that are mentioned in the *body* of email, not in header.

Best,
Bogdan
Re: negative scores for spam
> Hoover Chan wrote:
>> The threshold was set to 6.6 (cf. required=6.6). The message this was attached to was very definitely junk. This kind of situation got me curious about the whole thing where any positive spam score is set as the threshold but seeing junk mail coming in with negative scores.

On 20.03.09 16:14, Jesse Stroik wrote:
> You are getting negative scores for auto white list and for bayes_00. It's a matter of taste and what you believe makes sense, but I don't consider bayes to be all that accurate (since there are methods for defeating bayes, poisoning bayes, etc).

What methods? afaik the bayes poisoning turned out to be not working (and even could help us to detect spam when using hapaxes). And I don't know anything about defeating BAYES, if properly trained. Maybe leaving things on autolearn is not a good idea, when not updating scores (sa-update) and/or not using network checks.

> As such, I don't allow Bayes to assign negative scores or positive scores within a couple of points of the threshold. You can do so by assigning scores like this:
>
> score BAYES_00 0
> score BAYES_05 0
> score BAYES_20 0
> score BAYES_40 0

However, it's better not to do that and solve your problem by properly training the database. I found BAYES to be very effective for some wanted mail sent by lame mailers...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.
Re: Restarting processes after sa-update?
On Sun, 2009-03-22 at 12:30 +0100, mouss wrote:
> McDonald, Dan wrote:
>> On Fri, 2009-03-20 at 14:56 -0400, Bryan Lee wrote:
>>> My Spam assassin is run from /etc/mail/mimedefang-filter via the perl module. When running sa-update, do I need to run anything to make sure new rules get picked up? I.e. Do I need to restart mimedefang or somehow call the spam_assassin_init()->compile_now(1) ?
>>
>> Yes. When I update my rules for amavisd-new, I run sa-update, sa-compile, service amavisd reload, and postfix flush.
>
> why postfix flush? mail may be deferred for reasons unrelated to amavisd-new status. just let postfix do its job as usual.

Everything in the queue tempfails when amavisd-new is restarted, since it can't reach the filter. There is less impact to the customers if I do a flush immediately after reloading amavisd

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: warn: util: cannot untaint path: ARRAY(0x8819ebc)
Bogdan,

>> The test is supposed to receive a header as argument, not a body:
>
> thanks for the reply. What I am trying to do is actually have access map of blacklisted email addresses or websites that are mentioned in the *body* of email, not in header.

I'm afraid you'd need to enhance the plugin to do what you want. The current AccessDB only checks sender/author addresses from the header section. Actually it seems you want a cross between some URI* plugin and AccessDB.

Perhaps a way out is to set up your own local RBL zone in your DNS server, stock it up with the contents of your access database, then let it be used by URI rules.

Mark
Re: warn: util: cannot untaint path: ARRAY(0x8819ebc)
On Mon, Mar 23, 2009 at 3:08 PM, Mark Martinec mark.martinec...@ijs.si wrote:
> Bogdan,
>
>>> The test is supposed to receive a header as argument, not a body:
>>
>> thanks for the reply. What I am trying to do is actually have access map of blacklisted email addresses or websites that are mentioned in the *body* of email, not in header.
>
> I'm afraid you'd need to enhance the plugin to do what you want. The current AccessDB only checks sender/author addresses from the header section. Actually it seems you want a cross between some URI* plugin and AccessDB.
>
> Perhaps a way out is to set up your own local RBL zone in your DNS server, stock it up with the contents of your access database, then let it be used by URI rules.
>
> Mark

The goal is to put the regexes, which are being searched for in the body of the mail, out of the configuration file, to avoid clutter and to allow easy addition of new regexes. Unfortunately, mailto: links cannot be put in a RBL, at least not in their native form.

In other words, what we use currently is:

body __GMAIL_IZDANJA_BODY /ema...@address\.com/i

We combine that rule in a meta with a few other rules and assign a score to it. Is there a way to put all the email addresses we are searching for in the body of the messages in a separate file or a database and not specify them in the configuration file directly?

Thanks,
--
Ivan Savcic
isavcic at gmail . com
Suddenly bouncing emails
I started suddenly getting lots of bounces. I'm using the latest Mandriva. I have traced it down to EVERY email getting points from uribil and surbil. I checked one list on surbil and it isn't listed. I guess I need to know how to fix/disable this module? As far as I can tell EVERY email is getting the exact same score added to it. Thanks.

     URIBL_GREY      Contains an URL listed in the URIBL greylist [URIs: mod_frontpage.so]
 2.0 URIBL_BLACK     Contains an URL listed in the URIBL blacklist [URIs: mod_frontpage.so]
 2.0 URIBL_PH_SURBL  Contains an URL listed in the PH SURBL blocklist [URIs: mod_security2.so]
 1.6 URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist [URIs: mod_security2.so]
 2.1 URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist [URIs: mod_security2.so]
 2.9 URIBL_JP_SURBL  Contains an URL listed in the JP SURBL blocklist [URIs: mod_security2.so]
 2.1 URIBL_OB_SURBL  Contains an URL listed in the OB SURBL blocklist [URIs: mod_security2.so]
 2.5 URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist [URIs: mod_security2.so]
 0.1 RDNS_NONE       Delivered to trusted network by a host with no rDNS
-5.8 AWL             AWL: From: address is in the auto white-list

Ken
Re: Suddenly bouncing emails
> I started suddenly getting lots of bounces. I'm using the latest Mandriva. I have traced it down to EVERY email getting points from uribil and surbil.

That's a typical symptom if your DNS provider has switched to providing a positive response to what should be NXDOMAIN results. Best practice is to run a DNS instance on your mail server for its exclusive use to avoid that sort of problem.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
You know a nice little side benefit of watching women's sports? Sitting in front of the TV for a while without hearing about erectile dysfunction. -- King Kaufman
Re: warn: util: cannot untaint path: ARRAY(0x8819ebc)
On Mon, 2009-03-23 at 15:44 +0100, Ivan Savcic wrote:
> The goal is to put the regexes, which are being searched for in the body of the mail, out of the configuration file, to avoid clutter and to allow easy addition of new regexes.

But have you got a plot for compiling the regexes when they've been retrieved?

OTOH I have a similar plot. The idea is that mail from an exact address that I've previously sent mail to will not be spam. My system consists of two parts:

- the first automatically records every address I've sent mail to. This uses a table in a PostgreSQL database which contains the address and a manually set flag to show whether the address is within one of my domains.
- the second part is an SA plugin and a rule. The plugin checks whether an email's sender address matches the database and is not one of my marked addresses. If this condition is met the email is whitelisted.

The 'my domain' flag is needed to weed out cases where the sender address is forged using a valid address in my domain. I only filter incoming mail: this would not work if I filtered internal mail.

I built the plugin by modifying the SentOutDB.pm plugin from http://whatever.frukt.org/mdf-sentoutdb.text.shtml

Martin
Re: Suddenly bouncing emails
On Mon, 2009-03-23 at 10:46 -0400, klowther wrote: I started suddenly getting lots of bounces. I'm using the latest Mandriva. I have traced it down to EVERY email getting points from uribil and surbil. I checked one list on surbil and it isn't listed. I guess I need to know how to fix/disable this module? As far as I can tell EVERY email is getting the exact same score added to it. Thanks. Add score URIBL_GREY 0 . to your local.cf file to disable every rule in the list. Martin
Re: warn: util: cannot untaint path: ARRAY(0x8819ebc)
On Mon, 2009-03-23 at 15:44 +0100, Ivan Savcic wrote:
> On Mon, Mar 23, 2009 at 3:08 PM, Mark Martinec mark.martinec...@ijs.si wrote:
>> Bogdan,
>>
>>>> The test is supposed to receive a header as argument, not a body:
>>>
>>> thanks for the reply. What I am trying to do is actually have access map of blacklisted email addresses or websites that are mentioned in the *body* of email, not in header.

have you looked at the freemail plugin? It might give you some ideas how to do what you want.

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: negative scores for spam
Jeff Mincy wrote:
> Yow. The negative scoring bayes rules are extremely reliable when well trained. Ham messages are not trying to evade the filter. Defeating bayes with poison is mostly a myth. The random garbage might work the first time but not the second time as long as you are training these messages as spam. If you are getting lots of BAYES_00 hits on spam then the problem is almost certainly incorrect training where spam messages were incorrectly learned as ham.

Fair enough. But the problem remains. A simple glance at this list shows that this happens often enough to be a fairly common problem.

The question is: How does one fix the problem after it occurs? Is there a FAQ page with step-by-step instructions a person could use?

--
Chris Barnes AOL IM: CNBarnes
chris-bar...@tamu.edu Yahoo IM: chrisnbarnes
Computer Systems Manager MSN IM: ch...@txbarnes.com
Department of Physics ph: 979-845-7801
Texas A&M University fax: 979-845-2590
3 rules hit the same header
Hello,

According to report from one of our customers it seems that this header is being hit by multiple rules:

Received: from 217-112-174-194.cust.avonet.cz (217-112-174-194.cust.avonet.cz [217.112.174.194])
  (TLS: TLS1.0,192bits,RSA_3DES_EDE_CBC_SHA1)
  by mailhub3.nextra.sk with esmtp; Wed, 18 Mar 2009 08:10:09 +0100
  id 00112EF1.49C09E51.7522

* 4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
*     2)
* 0.5 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
* 1.6 TVD_RCVD_IP TVD_RCVD_IP

(running pcretest on those rules and this header confirmed that this header causes those hits)

I guess that FH_HELO_EQ_D_D_D_D and TVD_RCVD_IP are superfluous here because they all match the same helo string. I've made a small test:

% grep -F -e HELO_DYNAMIC_IPADDR2 -e FH_HELO_EQ_D_D_D_D -e TVD_RCVD_IP /tmp/spamd > /tmp/spamd.dynip
% wc -l /tmp/spamd.dynip
423 /tmp/spamd.dynip
% grep -c HELO_DYNAMIC_IPADDR2 /tmp/spamd.dynip
232
% grep -c FH_HELO_EQ_D_D_D_D /tmp/spamd.dynip
325
% grep -c TVD_RCVD_IP /tmp/spamd.dynip
160
% grep HELO_DYNAMIC_IPADDR2 /tmp/spamd.dynip | grep FH_HELO_EQ_D_D_D_D | grep TVD_RCVD_IP | wc -l
132
% grep HELO_DYNAMIC_IPADDR2 /tmp/spamd.dynip | grep FH_HELO_EQ_D_D_D_D | wc -l
143
% grep HELO_DYNAMIC_IPADDR2 /tmp/spamd.dynip | grep TVD_RCVD_IP | wc -l
143
% grep FH_HELO_EQ_D_D_D_D /tmp/spamd.dynip | grep TVD_RCVD_IP | wc -l
140

I'd say they are really pretty redundant... Of course, I can make meta rules, but should I fill up a bugreport or can anyone comment this, maybe I missed something here?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.
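The grep pipeline in the message above generalizes to a single pass that counts every pairwise overlap between a set of rules. This is an added example, not part of the original post; it assumes the log contains spamd's syslog "result:" lines with comma-separated rule names, and the sample lines are constructed.

```python
import re
from collections import Counter
from itertools import combinations

# Assumed log shape: spamd's "result:" line, with the rule names
# comma-separated between "- " and " scantime=".
RESULT_RE = re.compile(r"spamd: result: [Y.] -?\d+ - (\S*) scantime=")

WATCHED = ("HELO_DYNAMIC_IPADDR2", "FH_HELO_EQ_D_D_D_D", "TVD_RCVD_IP")

# Constructed sample lines (not taken from the poster's /tmp/spamd).
SAMPLE_LOG = """\
Mar 18 08:10:11 mx spamd[4242]: spamd: connection from localhost [127.0.0.1] at port 40000
Mar 18 08:10:12 mx spamd[4242]: spamd: result: Y 12 - BAYES_99,FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR2,TVD_RCVD_IP scantime=1.2,size=2048,user=nobody
Mar 18 08:11:02 mx spamd[4242]: spamd: result: Y 6 - FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_IPADDR2 scantime=0.9,size=1812,user=nobody
Mar 18 08:12:40 mx spamd[4242]: spamd: result: . 0 - FH_HELO_EQ_D_D_D_D scantime=0.7,size=990,user=nobody
Mar 18 08:13:05 mx spamd[4242]: spamd: result: . -2 - BAYES_00 scantime=0.5,size=700,user=nobody
Mar 18 08:14:31 mx spamd[4242]: spamd: result: Y 7 - HELO_DYNAMIC_IPADDR2,TVD_RCVD_IP scantime=1.0,size=1500,user=nobody
""".splitlines()


def rules_hit(line):
    """Return the set of rule names on a result line, or None for other lines."""
    m = RESULT_RE.search(line)
    if m is None:
        return None
    # Splitting on commas compares whole rule names, so a rule whose name
    # merely contains a watched name is not counted (plain grep would count it).
    return frozenset(r for r in m.group(1).split(",") if r)


def overlap_report(lines, watched=WATCHED):
    """Count single, pairwise and all-together hits for the watched rules."""
    watched = frozenset(watched)
    report = {"messages": 0, "single": Counter(), "pair": Counter(), "all": 0}
    for line in lines:
        hits = rules_hit(line)
        if hits is None:
            continue
        seen = hits & watched
        if not seen:
            continue
        report["messages"] += 1
        report["single"].update(seen)
        report["pair"].update(frozenset(p) for p in combinations(sorted(seen), 2))
        if seen == watched:
            report["all"] += 1
    return report


def containment(report, a, b):
    """Share of the rarer rule's hits on which the other rule also fired."""
    both = report["pair"][frozenset((a, b))]
    smaller = min(report["single"][a], report["single"][b])
    return both / smaller if smaller else 0.0


if __name__ == "__main__":
    rep = overlap_report(SAMPLE_LOG)
    print(rep["messages"], dict(rep["single"]), rep["all"])
    for a, b in combinations(WATCHED, 2):
        print(a, b, containment(rep, a, b))
```

A containment close to 1.0 for a pair means the rarer rule almost never fires without the other, which is the case where a meta rule or a score adjustment avoids counting the same HELO string twice.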
Re: warn: util: cannot untaint path: ARRAY(0x8819ebc)
Martin Gregorie wrote:
> OTOH I have a similar plot. The idea is that mail from an exact address that I've previously sent mail to will not be spam. My system consists of two parts:
>
> - the first automatically records every address I've sent mail to. This uses a table in a PostgreSQL database which contains the address and a manually set flag to show whether the address is within one of my domains.
> - the second part is an SA plugin and a rule. The plugin checks whether an email's sender address matches the database and is not one of my marked addresses. If this condition is met the email is whitelisted.
>
> The 'my domain' flag is needed to weed out cases where the sender address is forged using a valid address in my domain. I only filter incoming mail: this would not work if I filtered internal mail.
>
> I built the plugin by modifying the SentOutDB.pm plugin from http://whatever.frukt.org/mdf-sentoutdb.text.shtml

Yes, this is a useful technique to cut down false positives. It was introduced with amavisd-new-2.4.2 (June 2006), the feature is known as 'pen pals'. Initially it only dealt with envelope sender and recipient address pairs, but was later extended to take into account a Message-ID, References and In-Reply-To header fields, which extended its usefulness to mailing list threads.

From release notes:

- new feature: pen pals soft-whitelisting lowers spam score of received replies (or followup correspondence) to a message previously sent by a local user to this address;

  How it works:

  * SQL logging stores records about all mail messages processed by amavisd, their sender, recipients, delivery status, mail contents type (no changes there, this feature was introduced with amavisd-new-2.3.0); for the purpose of pen pals scheme only records with local-domain senders matter;

  * when a message is received, a SQL lookup against a SQL logging database is performed, looking for previous messages sent in reverse direction, i.e. from a local user (which is now a recipient of the current mail) to the address that is now the sender of the message being processed; A SELECT clause in $sql_clause{'sel_penpals'} is used, which by default only considers records of previous messages that were actually delivered (not rejected, discarded or bounced), and were not infected. SQL lookup returns a timestamp of the most recent such message (if any), the difference (in seconds) between the current time and the timestamp is an 'age' as used in the following formula;

  * an exponential decay formula calculates score points to be deducted from the SA score:

      weight = 1 / 2^(age/penpals_halflife)
      score_boost = -penpals_bonus_score * weight

    i.e. penpals_bonus_score is multiplied by 1, 1/2, 1/4, 1/8, 1/16, ... at age 0, 1*halflife, 2*halflife, 3*halflife, 4*halflife ... weight is a continuous function of age (actually, in steps of one second);

Mark
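The pen pals lookup and decay formula described in the message above, as an added example that is not part of the original post and is not amavisd-new's code. The table schema, the constant values and the example.org / example.net addresses are assumptions, and the refusal to credit a sender that claims a local address follows the 'my domain' point in the quoted description.

```python
import sqlite3

# Constructed settings for this sketch (stand-ins for penpals_bonus_score and
# penpals_halflife from the release notes; the values are assumptions).
PENPALS_BONUS_SCORE = 5.0
PENPALS_HALFLIFE = 7 * 24 * 3600          # seconds
LOCAL_DOMAINS = {"example.org"}           # hypothetical local domain


def open_log():
    """In-memory stand-in for the SQL log of processed mail (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE msglog (time_num INTEGER, sender TEXT, recipient TEXT,"
        " delivered INTEGER, infected INTEGER)"
    )
    return db


def log_message(db, when, sender, recipient, delivered=True, infected=False):
    """Record one processed message, as the SQL logging step would."""
    db.execute(
        "INSERT INTO msglog VALUES (?, ?, ?, ?, ?)",
        (when, sender.lower(), recipient.lower(), int(delivered), int(infected)),
    )


def is_local(address):
    """True when the address's domain is one of the local domains."""
    return address.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def penpals_age(db, now, sender, recipient):
    """Seconds since `recipient` last sent clean, delivered mail to `sender`.

    Returns None when there is no such message or the lookup does not apply.
    """
    # Only mail to a local user from an outside address qualifies: a sender
    # claiming a local address may be forged (the 'my domain' case above).
    if not is_local(recipient) or is_local(sender):
        return None
    # Reverse direction: the current recipient was the earlier sender.
    row = db.execute(
        "SELECT MAX(time_num) FROM msglog"
        " WHERE sender = ? AND recipient = ?"
        " AND delivered = 1 AND infected = 0 AND time_num <= ?",
        (recipient.lower(), sender.lower(), now),
    ).fetchone()
    return None if row[0] is None else now - row[0]


def score_boost(age, bonus=PENPALS_BONUS_SCORE, halflife=PENPALS_HALFLIFE):
    """score_boost = -bonus * 1 / 2^(age/halflife); 0.0 when there is no pen pal."""
    if age is None:
        return 0.0
    weight = 1.0 / 2 ** (age / halflife)
    return -bonus * weight


def penpals_boost(db, now, sender, recipient):
    """Score adjustment for an incoming message from `sender` to `recipient`."""
    return score_boost(penpals_age(db, now, sender, recipient))


if __name__ == "__main__":
    db = open_log()
    t0 = 1_237_800_000  # constructed timestamp
    log_message(db, t0, "alice@example.org", "bob@example.net")
    for halflives in range(4):
        now = t0 + halflives * PENPALS_HALFLIFE
        print(halflives, penpals_boost(db, now, "bob@example.net", "alice@example.org"))
```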
Looking for people for Pilot SA setup
All, I am looking for a few people to test my custom rules. I'm looking for somebody to filter through their own SA installation and then follow up by calling spamc to connect to my spamd setup. The reason I want to be second is so that all the obvious spam gets captured first and following up with a second scan on my setup. Let me know if you're interested and I can open the Firewall ports and give you the necessary information. Brian
Re: Suddenly bouncing emails
At 07:46 23-03-2009, klowther wrote:
> I started suddenly getting lots of bounces. I'm using the latest Mandriva. I have traced it down to EVERY email getting points from uribil and surbil. I checked one list on surbil and it isn't listed. I guess I need to know how to fix/disable this module? As far as I can tell EVERY email is getting the exact same score added to it. Thanks.
>
>      URIBL_GREY      Contains an URL listed in the URIBL greylist [URIs: mod_frontpage.so]
>  2.0 URIBL_BLACK     Contains an URL listed in the URIBL blacklist [URIs: mod_frontpage.so]
>  2.0 URIBL_PH_SURBL  Contains an URL listed in the PH SURBL blocklist

Do a DNS test for a non-existent hostname. If you receive an answer, switch to a name server (you can run one locally) that provides genuine replies.

Regards,
-sm
Re: negative scores for spam
On 23-Mar-2009, at 10:14, Chris Barnes wrote:
> But the problem remains. A simple glance at this list shows that this happens often enough to be a fairly common problem.

Because people don't train bayes properly.

> The question is: How does one fix the problem after it occurs?

Train bayes with a decent spam/ham corpus?

--
In England 100 miles is a long distance. In the US 100 years is a long time
Using SpamAssassin for just the Bayesian filtering?
Having gone over the FAQ and other doc-sections on the wiki, I haven't been able to answer my questions. So here's hoping the user-community can help!

My company is currently using a home-brew solution for applying naive Bayes filtering to data. Currently, what we're doing is basically spam filtering on email messages that pass through our system. However, we have a need to do filtering on other content, filtering that isn't the same as spam-testing. In a nutshell, we currently use the bogofilter application to classify messages, and invoke it with different word-list files to represent different filtering requirements. But this isn't going to scale well for us as written, and I'm the lucky soul tasked with coming up with a better way.

I'd like to adapt SA to this, if I can. I've used it in the past (and my ISP for my personal email is fiercely loyal to it), but only ever for basic email analysis. What I need, in this case, is a scalable Bayesian classifier. I see from the docs that using SA will get me a usable client/server model, which would take care of most of the scaling issues by making it easier for us to move the classifier to a dedicated machine (if needed, or at least a less-loaded one). What I *can't* puzzle out from the docs, is how to set up such a daemon to do *only* the Bayes part, not the rest of the typical spam checking (for one thing, these won't be email messages and thus will not have any SMTP headers at all). Also, I (we) would need to be able to either have the one daemon dynamically choose the database/word-list to use when judging a message, or run multiple instances that each look at a different db/word-list.

Is this do-able with SA? I had hoped that there would be a more general solution around bogofilter, either a client/server application pair or a more API/library-based interface to calling it for training and for evaluation. But there isn't (not that I can find, anyway). And SA is a system with a long history and a solid code-base, so it seemed worthwhile to at least check and see if this was possible.

Thanks in advance for any help, advice, etc.

Randy
--
Randy J. Ray
Oodle, Inc.
http://www.oodle.com
rj...@corp.oodle.com
Re: Looking for people for Pilot SA setup
q...@usermail.com writes:
> I am looking for a few people to test my custom rules. I'm looking for somebody to filter through their own SA installation and then follow up by calling spamc to connect to my spamd setup. The reason I want to be second is so that all the obvious spam gets captured first and following up with a second scan on my setup. Let me know if you're interested and I can open the Firewall ports and give you the necessary information.

Are you really asking people to send all of their mail to you? It's hard to believe that someone would make such an unreasonable request, especially coming from a person with no name. So I'm wondering if I misunderstood and you are really going to publish your rules for people to run a second spamd.
Re: negative scores for spam
From: Chris Barnes ch...@txbarnes.com
Date: Mon, 23 Mar 2009 11:14:37 -0500

> Jeff Mincy wrote:
>> Yow. The negative scoring bayes rules are extremely reliable when well trained. Ham messages are not trying to evade the filter. Defeating bayes with poison is mostly a myth. The random garbage might work the first time but not the second time as long as you are training these messages as spam. If you are getting lots of BAYES_00 hits on spam then the problem is almost certainly incorrect training where spam messages were incorrectly learned as ham.
>
> Fair enough. But the problem remains. A simple glance at this list shows that this happens often enough to be a fairly common problem.
>
> The question is: How does one fix the problem after it occurs?

The way to fix the problem is to relearn any incorrectly learned messages. So any spam message that was incorrectly learned as ham, either automatically or manually, needs to be correctly relearned as spam using sa-learn.

You should also learn as spam any spam messages that hit BAYES_00, or anything less than BAYES_50. You should also do the same thing for HAM messages hitting BAYES_50 - BAYES_99. The more messages that you correctly train the more accurate and definitive bayes will be.

If you don't have the incorrectly learned messages to retrain then you can always start over by removing the bayes database files in your .spamassassin directory.

-jeff
dns: sendto() failed: Connection refused
The whole error(s) read:

Mar 23 18:01:08 localhost spamd[3676]: dns: sendto() failed: Connection refused at /usr/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/DnsResolver.pm line 395, GEN71 line 45.
Mar 23 18:01:08 localhost spamd[3676]: plugin: eval failed: oops, no key at /usr/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/AsyncLoop.pm line 173, GEN71 line 45.
Mar 23 18:01:09 localhost spamd[3676]: dns: sendto() failed: Connection refused at /usr/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/DnsResolver.pm line 395, GEN71 line 45.
Mar 23 18:01:09 localhost spamd[3676]: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping:
Mar 23 18:01:10 localhost spamd[3676]: dns: sendto() failed: Connection refused at /usr/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/DnsResolver.pm line 395, GEN71 line 45.
Mar 23 18:01:10 localhost spamd[3676]: rules: failed to run DNS_FROM_OPENWHOIS RBL test, skipping:
Mar 23 18:04:01 localhost clamd[3996]: cli_engine_set_str(CL_ENGINE_TMPDIR) failed: Invalid argument passed to function

I caused this myself I believe but I'm wondering why. I'm having issues getting named to work correctly in chroot configuration, it will run but when started reports zone files not found even though they are where I have them in the named.conf file. So, I stopped named running and went back to the OpenDNS nameservers in my resolv.conf file. The outcome is above. Can someone enlighten me as to why this happened since I had named stop and was not using 127.0.0.1 as the local caching nameserver.

Also, if anyone could possibly lend me a hand with this running named chrooted I'd appreciate it. Please contact me off list. After starting named again all seems back to normal with SA.

Chris

--
KeyID 0xE372A7DA98E6705C
Re: dns: sendto() failed: Connection refused
Chris wrote:
> I caused this myself I believe but I'm wondering why. I'm having issues getting named to work correctly in chroot configuration, it will run but when started reports zone files not found even though they are where I have them in the named.conf file.

Are they in the path listed in named.conf or are they in /chrootdir/named.conf path. They need to be in the latter.

ie: if named.conf says /var/named/zones/zonefile.zone and you're chrooting to /var/named it will actually try to read /var/named/var/named/zones/zonefile.zone, because / has been replaced by /var/named.

> So, I stopped named running and went back to the OpenDNS nameservers in my resolv.conf file. The outcome is above. Can someone enlighten me as to why this happened since I had named stop and was not using 127.0.0.1 as the local caching nameserver.

Sounds like you have a firewall somewhere (local iptables/ipfw? or perhaps a dedicated firewall device) that's refusing the traffic.

> Also, if anyone could possibly lend me a hand with this running named chrooted I'd appreciate it. Please contact me off list. After starting named again all seems back to normal with SA.
>
> Chris
Re: Using SpamAssassin for just the Bayesian filtering?
Randy J. Ray wrote:
> [snip]

if you want a bayes filter, bogofilter is a good one. if you want a daemon, try dspam. if you want to fight spam, ask open questions. SA is a good filter. Bayes isn't as perfect as you might think.
Re: 3 rules hit the same header
Matus UHLAR - fantomas wrote:
> Hello,
>
> According to report from one of our customers it seems that this header is being hit by multiple rules:
>
> Received: from 217-112-174-194.cust.avonet.cz (217-112-174-194.cust.avonet.cz [217.112.174.194])
>   (TLS: TLS1.0,192bits,RSA_3DES_EDE_CBC_SHA1)
>   by mailhub3.nextra.sk with esmtp; Wed, 18 Mar 2009 08:10:09 +0100
>   id 00112EF1.49C09E51.7522
>
> * 4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
> *     2)
> * 0.5 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
> * 1.6 TVD_RCVD_IP TVD_RCVD_IP
>
> [snip]

many of the helo/rdns checks need a review. I am looking at these rules since I removed some checks from postfix. if anyone is looking at these, I'll be happy to collaborate.
Re: dns: sendto() failed: Connection refused
Chris,

> Mar 23 18:01:08 localhost spamd[3676]: dns: sendto() failed: Connection refused at /usr/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/DnsResolver.pm line 395, GEN71 line 45.

man 2 sendto

[ECONNREFUSED] The socket received an ICMP destination unreachable message from the last message sent. This typically means that the receiver is not listening on the remote port.

Your DNS server is not reachable - either it is not running, or is being blocked by a firewall, or your chroot/etc/resolv.conf is misconfigured.

Mark
Re: Spam Assassin White List
Hello John

Thanks for your reply. I am adding users to the white list and the black list (in the SpamAssassin user preferences file) as follows:

blacklist_from *...@blacklist1.com
blacklist_from *...@blacklist2.com
blacklist_from *...@blacklist3.com
required_score 100
whitelist_from *...@whitelist1.com
whitelist_from *...@whitelist2.com
whitelist_from *...@whitelist3.com

John Hardin wrote:
> On Wed, 18 Mar 2009, dsh979 wrote:
>> I have found that when I add manually a user to the whitelist (in the SpamAssassin user preferences file) I get inconsistent results:
>> ...
>> I have also found that when I manually add a user to the blacklist (in the SpamAssassin user preferences file) I get the following result:
>
> How _exactly_ are you adding users to the whitelist and blacklist? Give us examples of what you're adding to the config file.
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> ...in the 2nd amendment the right to arms clause means you have the right to choose how many arms you want, and the militia clause means that Congress can punish you if the answer is none. -- David Hardy, 2nd Amendment scholar
> ---
> 1327 days until the Presidential Election
Re: Spam Assassin White List
dsh979 wrote:
> Hello John
>
> Thanks for your reply. I am adding users to the white list and the black list (in the SpamAssassin user preferences file) as follows:
>
> blacklist_from *...@blacklist1.com
> blacklist_from *...@blacklist2.com
> blacklist_from *...@blacklist3.com
> required_score 100
> whitelist_from *...@whitelist1.com
> whitelist_from *...@whitelist2.com
> whitelist_from *...@whitelist3.com

Why do you have the required_score 100 in there? That could prevent your blacklists from working 100% of the time.

The blacklist works by adding +100 to the message score, but if the other rules it matches come out negative, the blacklist won't be effective because the total score will be under 100.
Re: Spam Assassin White List
> Thanks for your reply. I am adding users to the white list and the black list (in the SpamAssassin user preferences file) as follows:
> snip
> whitelist_from *...@whitelist1.com

whitelist_from should be used as a last resort; whitelist_from_auth and whitelist_from_rcvd are significantly safer in a world where spammers forge From: addresses constantly.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
You're useless when you're high on catnip, you know that?
Re: Spam Assassin White List
Thank you for your reply Matt. I did not realise that items listed on the white list or the black list would still be subject to the operation/analysis of the SpamAssassin Rules.

You have asked why I have set the required score to 100. Lengthy explanation (sorry). I have done this to prevent SpamAssassin from inserting SpamWarnings into the header/body of the relevant email. In responding to spam I rely on the SpamAssassin Score (in conjunction with other email message indicators), and incorporate these variables into a domain level filter (cPanel). Mail is then bounced (by the filter) without any warning in the bounced email itself that it has been bounced because it has been identified as spam. In fact, the bounced email will have a message inserted to the effect that there is no such user/recipient. In this way, if there is a sender who receives the bounced email, hopefully they take me off their mailing list, instead of looking for a way to 'outsmart' the SpamRules.

Q: How can I list items/users on a white list or a black list without the lists (and items) being the subject of further analysis by the SpamAssassin Rules (and therefore obtaining the same score for each item on the relevant list, irrespective of the operation of the SpamAssassin Rules, that is -100 = white list items, +100 = black list items)?

Matt Kettler-3 wrote:

dsh979 wrote:

Hello John

Thanks for your reply. I am adding users to the white list and the black list (in the SpamAssassin user preferences file) as follows:

blacklist_from *...@blacklist1.com
blacklist_from *...@blacklist2.com
blacklist_from *...@blacklist3.com
required_score 100
whitelist_from *...@whitelist1.com
whitelist_from *...@whitelist2.com
whitelist_from *...@whitelist3.com

Why do you have the required_score 100 in there? That could prevent your blacklists from working 100% of the time. The blacklist works by adding +100 to the message score, but if the other rules it matches come out negative, the blacklist won't be effective because the total score will be under 100.

--
View this message in context: http://www.nabble.com/Spam-Assassin-White-List-tp22589650p22674314.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
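The effect Matt describes, and one way a downstream filter could key on the list rule that fired rather than on the total, as an added example that is not from any poster in this thread. It assumes SpamAssassin's `X-Spam-Status` header is still added to the message and that list entries show up under the stock rule names `USER_IN_BLACKLIST` and `USER_IN_WHITELIST`; the header values below are constructed.

```python
import re

# Constructed X-Spam-Status values (not taken from the thread). required=100.0
# mirrors the poster's "required_score 100"; the totals are illustrative.
SAMPLES = {
    "blacklist_only": "Yes, score=100.0 required=100.0 "
                      "tests=USER_IN_BLACKLIST autolearn=no version=3.2.5",
    "blacklist_plus_negative": "No, score=97.4 required=100.0 tests=BAYES_00,\n"
                               "\tUSER_IN_BLACKLIST autolearn=no version=3.2.5",
    "whitelist_plus_positive": "No, score=-96.5 required=100.0 tests=HTML_MESSAGE,\n"
                               "\tUSER_IN_WHITELIST autolearn=no version=3.2.5",
    "unlisted": "No, score=0.0 required=100.0 tests=none autolearn=no version=3.2.5",
}

STATUS_RE = re.compile(
    r"^(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)"
    r"\s+tests=(.*?)(?:\s+autolearn=|\s+version=|$)", re.S)

def parse_status(value):
    """Parse an X-Spam-Status value into flag, score, threshold and rule hits."""
    # Long rule lists are folded onto continuation lines; unfold them first.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value.strip())
    m = STATUS_RE.match(unfolded)
    if m is None:
        raise ValueError("unrecognised X-Spam-Status value")
    tests = {t for t in re.split(r"[,\s]+", m.group(4)) if t and t != "none"}
    return {"is_spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}

def score_decision(status):
    """Filter on the total only: a negative rule can pull a listed sender under 100."""
    return "reject" if status["score"] >= status["required"] else "accept"

def list_decision(status):
    """Filter on which list rule fired, whatever the other rules contributed."""
    if "USER_IN_WHITELIST" in status["tests"]:  # assumption: whitelist wins a tie
        return "accept"
    if "USER_IN_BLACKLIST" in status["tests"]:
        return "reject"
    return "unlisted"  # neither list matched; fall back to other indicators

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        s = parse_status(raw)
        print(f"{name:26} score={s['score']:7.1f} "
              f"by_score={score_decision(s):7} by_list={list_decision(s)}")
```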
Re: Spam Assassin White List
On Mon, March 23, 2009 10:58 pm, dsh979 wrote:

Thank you for your reply Matt. I did not realise that items listed on the white list or the black list would still be subject to the operation/analysis of the SpamAssassin Rules.

You have asked why I have set the required score to 100. Lengthy explanation (sorry). I have done this to prevent SpamAssassin from inserting SpamWarnings into the header/body of the relevant email. In responding to spam I rely on the SpamAssassin Score (in conjunction with other email message indicators), and incorporate these variables into a domain level filter (cPanel). Mail is then bounced (by the filter) without any warning in the bounced email itself that it has been bounced because it has been identified as spam. In fact, the bounced email will have a message inserted to the effect that there is no such user/recipient. In this way, if there is a sender who receives the bounced email, hopefully they take me off their mailing list, instead of looking for a way to 'outsmart' the SpamRules.

Q: How can I list items/users on a white list or a black list without the lists (and items) being the subject of further analysis by the SpamAssassin Rules (and therefore obtaining the same score for each item on the relevant list, irrespective of the operation of the SpamAssassin Rules, that is -100 = white list items, +100 = black list items)?

A couple thoughts:

1. By returning the emails, you run the risk of false-negatives and thus creating 'email backscatter' (see Wikipedia).

2. If you don't want to receive these things at all, have you considered using your MTA to block the actual IP addresses of known spammers using a couple of rules like (for sendmail):

FEATURE(`dnsbl', `bl.spamcop.net',`Rejected as Spam. See http://bl.spamcop.net?${clientaddr}; for more information')dnl
FEATURE(`dnsbl', `zen.spamhaus.org',`Rejected as Spam. See http://spamhaus.org/query/bl?ip=${clientaddr}; for more information')dnl

which rejects the email long before SA has to be bothered? When I check my logs, the spamcop rule alone blocks as many as 800-1100 emails daily.

Just something to consider.

Karl

Matt Kettler-3 wrote:

dsh979 wrote:

Hello John

Thanks for your reply. I am adding users to the white list and the black list (in the SpamAssassin user preferences file) as follows:

blacklist_from *...@blacklist1.com
blacklist_from *...@blacklist2.com
blacklist_from *...@blacklist3.com
required_score 100
whitelist_from *...@whitelist1.com
whitelist_from *...@whitelist2.com
whitelist_from *...@whitelist3.com

Why do you have the required_score 100 in there? That could prevent your blacklists from working 100% of the time. The blacklist works by adding +100 to the message score, but if the other rules it matches come out negative, the blacklist won't be effective because the total score will be under 100.

--
View this message in context: http://www.nabble.com/Spam-Assassin-White-List-tp22589650p22674314.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

---
Karl Pearson
ka...@ourldsfamily.com
Owner/Administrator of the sites at http://ourldsfamily.com
---
To mess up your Linux PC, you have to really work at it; to mess up a microsoft PC you just have to work on it.
---