Re: New Spam Mails plz suggest
Can I do this in sendmail: SMTP auth session without RBL, rest with RBL? Can you plz give me some hint for both the solutions of SMTP auth without RBL not scanning mails with spamassassin with SMTP auth

Warm Regards,
Anshul Chauhan
Dream is not what you see while sleep, it's the thing that does not let you sleep.

On Mon, Jun 8, 2009 at 11:05 AM, ram r...@netcore.co.in wrote:
> On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
>> Below is the link for one of the spam mail in which to from address is same.
>> http://pastebin.com/f20358d76
>> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.
>
> You can still use RBL's. Allow users with SMTP auth only without rbl checks rest you check rbls and reject if listed. I think you use postfix you could do something like this
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     reject_rbl_client zen.spamhaus.org,
>     ...(other rules)
>
> And for the smtp-auth mails do not scan for spam at all. Not only will you avoid FP's .. you will also save a lot of processing on your server
>
> Thanks
> Ram
>
> PS: Why are you hiding the spammail in the pastebin. The contents of spam mail are usually not very important
Re: New Spam Mails plz suggest
On Mon, June 8, 2009 08:41, Anshul Chauhan wrote:
> can i do this in sendmail SMTP auth session without RBL rest with RBL.

http://www.sendmail.org/~ca/email/auth.html

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: New Spam Mails plz suggest
On 7-Jun-2009, at 22:44, Anshul Chauhan wrote:
> Below is the link for one of the spam mail in which to from address is same.
> http://pastebin.com/f20358d76
> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.

And why does this mean you can't use RBLs? Use RBLs in your SMTP transaction phase to reject unauthorized/unauthenticated senders.

--
The most perfidious way of harming a cause consists of defending it deliberately with faulty arguments.
Re: ZMI-GERMAN: question to the users
On Wednesday 03 June 2009 Michael Monnerie wrote:
> But maybe, if response and urge is high, I will include them. What do you think? Is it spam for you?

OK, there were only +1 to include that, without any single objection. Updates will follow. Thanks for your opinions and votes.

Regards, zmi
--
// Michael Monnerie, Ing.BSc - http://it-management.at
// Tel: 0660 / 415 65 31 .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net Key-ID: 1C1209B4
Training SA
Hi,

I'm new to SA. I run an Exim/Dovecot CentOS 5.0 mailserver (VPS), on which I have recently installed SA. I have configured 'Autolearn = yes' but I have no way to know whether this is working.

Please can someone explain to me how this works, since my understanding of this is as follows, and makes no sense! SpamAssassin identifies a mail as spam and stores the details of it so that it is easier to identify future emails which are similar. However, I fail to understand how this will help, since it's already successfully identifying those emails?

Furthermore, can I train SpamAssassin to recognize emails that it is currently giving only a very low score to, as spam? I'm getting many emails each day about Acai Berries but from SA they are only getting a score of around 3.3! How can I train it to recognize these, server wide?

Thanks.
pete
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.

As has been suggested by various others, just do not scan outgoing mail from authenticated users.

> These are the RBL settings which I've used earlier but bcoz of these my genuine mails send from datacards are also spammed, can i use this but my datacard users mail not marked as SPAM
>
> score RCVD_IN_PBL 3
> score RCVD_IN_XBL 5
> score RDNS_NONE 5
> score RCVD_IN_SORBS_DUL 3
> score SPF_FAIL 10
> score SPF_SOFTFAIL 5
> score SPF_NEUTRAL 2
> score RDNS_DYNAMIC 3

These are all *severely* and arbitrarily raised by you. So you adjust scores inappropriately, and get false positives due to that. And your conclusion is, you can't use RBLs at all? Yeah, right... Your scores, your problem. Instead, try the defaults and enable RBL checks again.

Hint: From and To being the same is valid, seen in real legit mail and not the solution to your problem.
Re: New Spam Mails plz suggest
>> On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
>>> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.

On 08.06.09 11:56, Karsten Bräckelmann wrote:
> As has been suggested by various others, just do not scan outgoing mail from authenticated users.

Actually, such mail _should_ be scanned, for cases when they start spreading spam.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows found: (R)emove, (E)rase, (D)elete
Re: New Spam Mails plz suggest
On Mon, June 8, 2009 11:56, Karsten Bräckelmann wrote:
> On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
>> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.
> As has been suggested by various others, just do not scan outgoing mail from authenticated users.

at the risk one user sends spam from mta ip, this is desired to be blocked outside as well, and clearly all your users will be even more happy with this then scan outgoing mails for spam as well, it also helps learning ham in bayes

just my 2

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 11:59 +0200, Matus UHLAR - fantomas wrote:
>>> On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
>>>> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.
>> On 08.06.09 11:56, Karsten Bräckelmann wrote:
>>> As has been suggested by various others, just do not scan outgoing mail from authenticated users.
> Actually, such mail _should_ be scanned, for cases when they start spreading spam.

By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... In that case I'd prefer a sucker rod [1] over scanning messages anytime.

Anyway, IMHO -- you can not scan outgoing mail sent by authenticated users submitted directly from dial-up lines. They are almost guaranteed to be listed by PBL and DUL style lists.

[1] From the syslogd manpage: Use step 4 and if the problem persists and is not secondary to a rogue program/daemon get a 3.5 ft (approx. 1 meter) length of sucker rod* and have a chat with the user in question.
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
> I can't use RBL because most of my users use datacards their ip addresses
> are listed in RBL in SBL XBL SPAMCOP.
                       ^^^
Just noticed this -- I kind of hope this is just a typo. SBL listing of your users would be bad indeed. After all, it lists verified IPs where the spammers actually live on. No dial-up style or something.
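Added example, not part of any list member's post: a Python model of the policy discussed in this thread (authenticated submissions are permitted before any DNSBL lookup, everyone else is checked against zen.spamhaus.org), which goes beyond the posts by decoding the return codes into SBL, XBL and PBL. The code-to-list table follows Spamhaus's published zen return codes; the function names, the sample zone data and the documentation-range IP addresses are constructed for illustration.

```python
"""DNSBL check ordered like: permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org."""
import ipaddress
import socket

ZEN = "zen.spamhaus.org"
LISTING_NET = ipaddress.IPv4Network("127.0.0.0/24")


def dnsbl_query_name(client_ip, zone=ZEN):
    """Build the lookup name: the client's IPv4 octets reversed, then the zone."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def classify_zen(answers):
    """Map the A records returned by zen to the component lists they stand for.

    Answers outside 127.0.0.0/24 (for example 127.255.255.x) are resolver or
    quota error codes, not listings, and are ignored so that an error at the
    DNSBL never turns into a reject.
    """
    lists = set()
    for answer in answers:
        addr = ipaddress.IPv4Address(answer)
        if addr not in LISTING_NET:
            continue
        code = int(addr) & 0xFF
        if code in (2, 3, 9):
            lists.add("SBL")   # verified spam sources
        elif 4 <= code <= 7:
            lists.add("XBL")   # exploited or infected hosts
        elif code in (10, 11):
            lists.add("PBL")   # dynamic / end-user address space
    return lists


def smtp_decision(client_ip, sasl_authenticated, resolve):
    """First match wins, in the order of the restriction list quoted in the thread.

    `resolve` is any callable taking a DNS name and returning a list of A-record
    strings (an empty list for NXDOMAIN). Returns (action, lists).
    """
    if sasl_authenticated:
        # Permitted before the DNSBL rule is reached: no lookup happens, so a
        # datacard user on a PBL/XBL-listed dynamic address is not rejected.
        return ("permit", set())
    lists = classify_zen(resolve(dnsbl_query_name(client_ip)))
    if lists:
        return ("reject", lists)
    return ("continue", set())  # falls through to the remaining rules


def dns_resolve(name):
    """Live resolver for real use; needs network access and is not used below."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed sample zone data (documentation-range addresses, not real listings).
SAMPLE_ZONE = {
    "99.2.0.192.zen.spamhaus.org": ["127.0.0.11", "127.0.0.4"],  # PBL + XBL
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.2"],               # SBL
    "8.100.51.198.zen.spamhaus.org": ["127.255.255.254"],        # error code
}


def sample_resolve(name):
    """Offline stand-in for a DNS lookup against SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip, authed in [("192.0.2.99", True), ("192.0.2.99", False),
                       ("203.0.113.5", False), ("198.51.100.8", False)]:
        print(ip, "auth" if authed else "anon", smtp_decision(ip, authed, sample_resolve))
```
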
sa-update error
I've just heard about sa-update and tried to run it. I was thinking of setting up a cron to do it daily, however, I got the following error message when I ran it manually:

[r...@s1 spamassassin]# sa-update service spamassassin restart
Can't locate Archive/Tar.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/bin/sa-update line 81.
BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.

Any ideas please?

pete
Re: sa-update error
On Mon, 2009-06-08 at 03:30 -0700, an anonymous Nabble user wrote:
> I've just heard about sa-update and tried to run it. I was thinking of setting up a cron to do it daily, however, I got the following error message when I ran it manually:
>
> [r...@s1 spamassassin]# sa-update service spamassassin restart
> Can't locate Archive/Tar.pm in @INC (@INC contains:
> BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.
>
> Any ideas please?

Install the missing Perl module...?
Re: sa-update error
On Mon, 8 Jun 2009 03:30:59 -0700 (PDT), snowweb pe...@snowweb.co.uk wrote:
> I've just heard about sa-update and tried to run it. I was thinking of setting up a cron to do it daily, however, I got the following error message when I ran it manually:
>
> [r...@s1 spamassassin]# sa-update service spamassassin restart
> Can't locate Archive/Tar.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/bin/sa-update line 81.
> BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.
>
> Any ideas please?
>
> pete

I think the Tar package is available via yum if you want an easy way to keep it current. If not Install it via CPAN. You may need to restart SA after, not sure.

It may also be worth running spamassassin --lint -D to see if you are missing any other packages.

HTH
Nigel
Re: sa-update error
On Mon, June 8, 2009 12:55, Nigel Frankcom wrote:
> It may also be worth running spamassassin --lint -D to see if you are missing any other packages.

you have currently 2 perl versions installed this is the problem, if not all modules exists in 5.8.8, but some only does in 5.8.6

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: spamd dies - please help - SOLVED
Back on-list, just FYI.

On Sun, 2009-06-07 at 22:41 -0300, Soporte Técnico elbolson.com wrote:
> Thanks for your answer. It is solved now - I removed a plugin that a friend created to call KAV antivirus, based on Clamav plugin. It had worked before on i386, it doesn't work on x86_64. We will investigate why. Clamav plugin works all right.
>
> Greetings
> Claudia Burman
> El Bolson - Patagonia Argentina

Useless full-quote snipped.
Re: New Spam Mails plz suggest
Below is mail headers for one more mail http://pastebin.com/d3da8daa6

I'm new to SA so please suggest/give some hint for how to use RBL for non smtp authenticated session for smtp authenticated mails not spam scanning.

Warm Regards,
Anshul Chauhan
Dream is not what you see while sleep, it's the thing that does not let you sleep.

On Mon, Jun 8, 2009 at 11:05 AM, ram r...@netcore.co.in wrote:
> On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
>> Below is the link for one of the spam mail in which to from address is same.
>> http://pastebin.com/f20358d76
>> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.
>
> You can still use RBL's. Allow users with SMTP auth only without rbl checks rest you check rbls and reject if listed. I think you use postfix you could do something like this
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     reject_rbl_client zen.spamhaus.org,
>     ...(other rules)
>
> And for the smtp-auth mails do not scan for spam at all. Not only will you avoid FP's .. you will also save a lot of processing on your server
>
> Thanks
> Ram
>
> PS: Why are you hiding the spammail in the pastebin. The contents of spam mail are usually not very important
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 17:05 +0530, Anshul Chauhan wrote:
> I'm new to SA so please suggest/give some hint for how to use RBL for non smtp authenticated session for smtp authenticated mails not spam scanning.

Not scanning outbound messages from your users is entirely the duty of your SMTP and outside the scope of SA. It all depends on your SMTP server, configuration and how you integrate SA.
Re: New Spam Mails plz suggest
>> On Mon, 2009-06-08 at 11:59 +0200, Matus UHLAR - fantomas wrote:
>>>>> On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
>>>>>> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.
>>>> On 08.06.09 11:56, Karsten Bräckelmann wrote:
>>>>> As has been suggested by various others, just do not scan outgoing mail from authenticated users.
>>> Actually, such mail _should_ be scanned, for cases when they start spreading spam.

On 08.06.09 12:21, Karsten Bräckelmann wrote:
> By authenticated users? So that's no bot spam, and the user spams deliberately and consciously...

says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info.

Not even talking about customers' mail proxies that accept mail from intranet w/o authentication (although we recommend users not to do that) and submit them with authentication to ISP's relays.

Both are especially nice if any other machine on customers' intranet is owned by a bot or even an open relay.

> Anyway, IMHO -- you can not scan outgoing mail sent by authenticated users submitted directly from dial-up lines. They are almost guaranteed to be listed by PBL and DUL style lists.

I think that SA skips RBL checks for authenticated clients, which should avoid this problem.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Christian Science Programming: Let God Debug It!.
Re: sa-update error
Sorry for my ignorance. I'm very new to Linux. Which missing perl module is that please?

pete

Karsten Bräckelmann-2 wrote:
> On Mon, 2009-06-08 at 03:30 -0700, an anonymous Nabble user wrote:
>> I've just heard about sa-update and tried to run it. I was thinking of setting up a cron to do it daily, however, I got the following error message when I ran it manually:
>>
>> [r...@s1 spamassassin]# sa-update service spamassassin restart
>> Can't locate Archive/Tar.pm in @INC (@INC contains:
>> BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.
>>
>> Any ideas please?
>
> Install the missing Perl module...?
Re: sa-update error
When I do which perl it only returns, /usr/bin/perl

doesn't this mean that I only have one installed? (I'm not arguing.. just trying to understand, since I'm new to Linux).

pete

Benny Pedersen wrote:
> On Mon, June 8, 2009 12:55, Nigel Frankcom wrote:
>> It may also be worth running spamassassin --lint -D to see if you are missing any other packages.
>
> you have currently 2 perl versions installed this is the problem, if not all modules exists in 5.8.8, but some only does in 5.8.6
>
> --
> http://localhost/ 100% uptime and 100% mirrored :)
Re: sa-update error
>>> On Mon, 2009-06-08 at 03:30 -0700, an anonymous Nabble user wrote:
>>>> I've just heard about sa-update and tried to run it. I was thinking of setting up a cron to do it daily, however, I got the following error message when I ran it manually:
>>>>
>>>> [r...@s1 spamassassin]# sa-update service spamassassin restart
>>>> Can't locate Archive/Tar.pm in @INC (@INC contains:
>>>> BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.
>>>>
>>>> Any ideas please?

>> Karsten Bräckelmann-2 wrote:
>>> Install the missing Perl module...?

On 08.06.09 05:27, snowweb wrote:
> Sorry for my ignorance. I'm very new to Linux. Which missing perl module is that please?

IIRC another answer said you probably have two perl versions installed separately. Check for that first. Then, check these:

- which software (linux) distribution do you have?
- do you have spamassassin installed from the distribution?
- do you have perl installed from the distribution?
- don't you have incorrectly set environment variable PERL5LIB set somewhere in startup/config files?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(R)etry, (A)bort, (C)ancer
tests= SIZE_LIMIT_EXCEEDED ??
Hi,

I just had a closer look at the header of an email which should have been recognized by spamassassin as spam. What I found was this:

X-SpamScore: 0 tests= SIZE_LIMIT_EXCEEDED

I have checked /usr/share/spamassassin/ for a rule which might contain a size limit, but didn't find any. A search with Google didn't help either.

So, any suggestions from the list members where I can define the size that has been exceeded?

Thanks,
Stefan
Re: sa-update error
I just ran yum upgrade spamassassin and this was the result:

[r...@s1 spamassassin]# yum upgrade spamassassin
Loading installonlyn plugin
Setting up Upgrade Process
Setting up repositories
dag 100% |=| 1.1 kB 00:00
openwebmail 100% |=| 951 B 00:00
base 100% |=| 1.1 kB 00:00
updates 100% |=| 951 B 00:00
addons 100% |=| 951 B 00:00
extras 100% |=| 1.1 kB 00:00
Reading repository metadata in from local files
primary.xml.gz 100% |=| 3.1 MB 00:10
## 8680/8680
Excluding Packages in global exclude list
Finished
Could not find update match for spamassassin
No Packages marked for Update/Obsoletion

Then I tried again with sa-update and got the following:

[r...@s1 spamassassin]# sa-update
Can't locate Archive/Tar.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/bin/sa-update l

pete

Nigel Frankcom-2 wrote:
> On Mon, 8 Jun 2009 03:30:59 -0700 (PDT), snowweb pe...@snowweb.co.uk wrote:
>> I've just heard about sa-update and tried to run it. I was thinking of setting up a cron to do it daily, however, I got the following error message when I ran it manually:
>>
>> [r...@s1 spamassassin]# sa-update service spamassassin restart
>> Can't locate Archive/Tar.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/bin/sa-update line 81.
>> BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.
>>
>> Any ideas please?
>>
>> pete
>
> I think the Tar package is available via yum if you want an easy way to keep it current. If not Install it via CPAN. You may need to restart SA after, not sure.
>
> It may also be worth running spamassassin --lint -D to see if you are missing any other packages.
>
> HTH
> Nigel
Re: tests= SIZE_LIMIT_EXCEEDED ??
Stefan-Michael Guenther wrote:
> Hi,
>
> I just had a closer look at the header of an email which should have been recognized by spamassassin as spam. What I found was this:
>
> X-SpamScore: 0 tests= SIZE_LIMIT_EXCEEDED
>
> I have checked /usr/share/spamassassin/ for a rule which might contain a size limit, but didn't find any. A search with Google didn't help either.
>
> So, any suggestions from the list members where I can define the size that has been exceeded?
>
> Thanks,
> Stefan

Interesting, are you just using spamc/spamd, or a different integration tool?

In general it sounds like something decided not to feed the message to the main SpamAssassin instance at all. Spamc can do this, but I didn't know it added a test when doing so.

Also, X-SpamScore is not a default header, and one that SA couldn't add itself (it must add headers beginning with X-Spam-, so you'd get X-Spam-Score at the closest), so I'm suspecting this was done by your integration tools.
Re: sa-update error
I tested for two versions of perl using which perl and it only returned one location.

I'm using CentOS 5.0 and I'm running DirectAdmin hosting software. The SA was installed by the script which installed the DirectAdmin. I don't understand how or where it got the SA from. Again, I don't know where the perl came from either. Is there a way I can find out?

How will I check whether I have an incorrectly set environment variable PERL5LIB set somewhere in startup/config files?

I should also mention that apart from the sa-update not working (and FuzzyOcr SA plugin which I'm also working on), SA is working ok.

Thanks for your help Matus,
pete

Matus UHLAR - fantomas wrote:
> IIRC another answer said you probably have two perl versions installed separately. Check for that first. Then, check these:
>
> - which software (linux) distribution do you have?
> - do you have spamassassin installed from the distribution?
> - do you have perl installed from the distribution?
> - don't you have incorrectly set environment variable PERL5LIB set somewhere in startup/config files?
Re: sa-update error
Using the command which perl will only turn up the first instance of perl in your path. Try this: cd to the root directory, then type find . -name perl -print and hit return. The find command will recursively search through all the directories on the machine and locate all files named perl.

Mark

At 08:50 AM 6/8/2009, snowweb wrote:
> I tested for two versions of perl using which perl and it only returned one location.
>
> I'm using CentOS 5.0 and I'm running DirectAdmin hosting software. The SA was installed by the script which installed the DirectAdmin. I don't understand how or where it got the SA from. Again, I don't know where the perl came from either. Is there a way I can find out?
>
> How will I check whether I have an incorrectly set environment variable PERL5LIB set somewhere in startup/config files?
>
> I should also mention that apart from the sa-update not working (and FuzzyOcr SA plugin which I'm also working on), SA is working ok.
>
> Thanks for your help Matus,
> pete
>
> Matus UHLAR - fantomas wrote:
>> IIRC another answer said you probably have two perl versions installed separately. Check for that first. Then, check these:
>>
>> - which software (linux) distribution do you have?
>> - do you have spamassassin installed from the distribution?
>> - do you have perl installed from the distribution?
>> - don't you have incorrectly set environment variable PERL5LIB set somewhere in startup/config files?
Re: sa-update error
Guys, thanks to you all. You're all the most helpful people I've come across online!

I think Stefan-Michael Guenther fixed it when he emailed me and told me to run this:

perl -MCPAN -e shell
install Archive::Tar

Now when I type sa-update, although I don't get any feedback, I don't get any errors either, so I guess it's fixed.

regards and many thanks
pete

snowweb wrote:
> I've just heard about sa-update and tried to run it. I was thinking of setting up a cron to do it daily, however, I got the following error message when I ran it manually:
>
> [r...@s1 spamassassin]# sa-update service spamassassin restart
> Can't locate Archive/Tar.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/bin/sa-update line 81.
> BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.
>
> Any ideas please?
>
> pete
Re: sa-update error
On Mon, Jun 08, 2009 at 03:30:59AM -0700, snowweb wrote:
> I've just heard about sa-update and tried to run it. I was thinking of setting up a cron to do it daily, however, I got the following error message when I ran it manually:
>
> [r...@s1 spamassassin]# sa-update service spamassassin restart
> Can't locate Archive/Tar.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/bin/sa-update line 81.
> BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.
>
> Any ideas please?

You need to install Archive-Tar. You can either use cpan or http://search.cpan.org .

> pete

--
Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Beware Anti-Christ rising! Never Satan President Republic!
Rudeness is the weak man's imitation of strength. -Eric Hoffer
Re: Next Rule Causing False Positives: BOTNET
On Sat, 6 Jun 2009, John Rudd wrote:
> Probably a good approach for your situation. Let me know how the lower score works out for you (when you said 80% in the other message, do you mean you're lowering it to a score of 1.0, or to a score of 4.0?)

John,

It seems to be working better with the SPAMBOT score lowered to 2.0, and scores of 0.4 for the individual components.

Now that my mail has settled back to normal I'll again thank everyone and leave the list.

Rich

--
Richard B. Shepard, Ph.D. | Integrity Credibility
Applied Ecosystem Services, Inc. | Innovation
http://www.appl-ecosys.com Voice: 503-667-4517 Fax: 503-667-8863
Re: sa-update error
On 08.06.09 06:04, snowweb wrote:
> Guys, thanks to you all. You're all the most helpful people I've come across online!
>
> I think Stefan-Michael Guenther fixed it when he emailed me and told me to run this:
>
> perl -MCPAN -e shell
> install Archive::Tar
>
> Now when I type sa-update, although I don't get any feedback, I don't get any errors either, so I guess it's fixed.

I don't think this is a good solution - all possible packages should be installed through your package system, which is apparently yum/RPM. Otherwise, you may cause even more problems in the future.

So, make sure you have only one perl installed, that it's installed using yum and if you can install Archive::Tar through yum (maybe archive-tar or perl-archive-tar package), do that.

Proper packaging system should take care of dependencies, from SA to perl and its packages, so your problem should not even happen!

And, of course, such questions belong more to your packaging systems' mailing list, not here...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901
backscatter from dnswl
Hi, i'm getting _massive_ amounts of backscatter and some of the offenders are listed in dnswl.org. is there anything i can do about that? thanks
Re: backscatter from dnswl
On 08.06.09 15:41, Arvid Picciani wrote: i'm getting _massive_ amounts of backscatter and some of the offenders are listed in dnswl.org. is there anything i can do about that? ask for DNSWL delisting, if the backscatters are generated by dnswl hosts (if the hosts in the dnswl are the sources, not victims). -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. One World. One Web. One Program. - Microsoft promotional advertisement Ein Volk, ein Reich, ein Fuhrer! - Adolf Hitler
Re: backscatter from dnswl
Matus UHLAR - fantomas wrote: On 08.06.09 15:41, Arvid Picciani wrote: i'm getting _massive_ amounts of backscatter and some of the offenders are listed in dnswl.org. is there anything i can do about that? ask for DNSWL delisting, if the backscatters are generated by dnswl hosts (if the hosts in the dnswl are the sources, not victims). Depends on interpretation of victim. I personally don't think misconfigured hosts belong in a whitelist, no matter if the admins are well meaning.
Re: tests= SIZE_LIMIT_EXCEEDED ??
On Mon, 2009-06-08 at 08:48 -0400, Matt Kettler wrote: Stefan-Michael Guenther wrote: I just had a closer look at the header of an email which should have been recognized by spamassassin as spam. What I found was this: X-SpamScore: 0 tests= SIZE_LIMIT_EXCEEDED Interesting, are you just using spamc/spamd, or a different integration tool? Looking at the OP's headers, it's a setting in his Amavisd-new. In general it sounds like something decided not to feed the message to the main SpamAssassin instance at all. Spamc can do this, but I didn't know it added a test when doing so. It doesn't. :) Neither tests, nor headers. spamc will return the message unprocessed, if the size limit is exceeded. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: backscatter from dnswl
On Mon, 2009-06-08 at 15:41 +0200, Arvid Picciani wrote: Hi, i'm getting _massive_ amounts of backscatter and some of the offenders are listed in dnswl.org. is there anything i can do about that? thanks Has your domain got an SPF record? If not, setting one up may well help. Some time back I started getting a lot of backscatter due to some spammer forging my address as a spam sender. I set up an SPF record and back scatter tailed off rather quickly. Maybe I was lucky, but it certainly worked for me. However, it must be set up right: I used the wizard at http://www.openspf.org/ to create it and the testing tools at http://www.kitterman.com/spf/validate.html to validate the result, which was initially wrong. SPF had no impact on backscatter until the Kitterman validation tools passed my setup as correct. Martin
Re: backscatter from dnswl
On 08.06.09 15:41, Arvid Picciani wrote: i'm getting _massive_ amounts of backscatter and some of the offenders are listed in dnswl.org. is there anything i can do about that? Matus UHLAR - fantomas wrote: ask for DNSWL delisting, if the backscatters are generated by dnswl hosts (if the hosts in the dnswl are the sources, not victims). On 08.06.09 15:50, Arvid Picciani wrote: Depends on interpretation of victim. I personally don't think misconfigured hosts belong in a whitelist, no matter if the admins are well meaning. an organization whose customer(s) started spreading delivery notices even if the organization required not to do so... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: [sa] New slew of spams
I am also starting to get a lot of these .rtf attachment only with no email body text spams. Unfortunately, we use hostmonster.com for our email so my ability to customize SA is greatly limited (i.e. I cannot use custom rules). So if I understand correctly: currently there is no standard rule in SA (we use 3.2.4) for filtering out mail with attachments but no text. Charles Gregory wrote: On Fri, 5 Jun 2009, Jeremy Morton wrote: I've suddenly started getting a new slew of spams that are making their way through my SpamAssassin filter. These are examples of the new variant on 'image only' spams, having only a rtf file attachment, instead of an image. Check the archives and you will find rules to tag messages with 'octet-stream mime part but no text part'. Quite effective.
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote: On 08.06.09 12:21, Karsten Bräckelmann wrote: By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info. Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direct-to-MX submission?
Re: [sa] New slew of spams
On Mon, 8 Jun 2009, ktn wrote: I am also starting to get a lot of these .rtf attachment only with no email body text spams. Unfortunately, we use hostmonster.com for our email so my ability to customize SA is greatly limited (i.e. I cannot use custom rules). Bummer. Does hostmonster run sa-update at all? So if I understand correctly: currently there is no standard rule in SA (we use 3.2.4) for filtering out mail with attachments but no text. That is correct. I hope (when I get write access to the repo) to add them to the 3.2.5 rules so they will go out via sa-update. Is there any way you can upgrade to 3.2.5? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Our government wants to do everything it can for the children, except sparing them crushing tax burdens. --- 49 days since 9th Circuit incorporated 2nd Amdt - MSM still silent
Re: [sa] New slew of spams
We haven't been with hostmonster long, but considering that they're running 3.2.4 right now, I would assume at some point that they will update to 3.2.5. Until then, I can be patient. I'm just glad to hear that a standard rule for this kind of spam will be added to SA! Many thanks. John Hardin wrote: Does hostmonster run sa-update at all? So if I understand correctly: currently there is no standard rule in SA (we use 3.2.4) for filtering out mail with attachments but no text. That is correct. I hope (when I get write access to the repo) to add them to the 3.2.5 rules so they will go out via sa-update. Is there any way you can upgrade to 3.2.5?
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote: On 08.06.09 12:21, Karsten Bräckelmann wrote: By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info. On 08.06.09 16:52, Karsten Bräckelmann wrote: Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direct-to-MX submission? Why should I have any? Any spamming client can get us to blacklist, so it's important that they would not spread spam... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. A day without sunshine is like, night.
Re: [sa] New slew of spams
On Mon, 8 Jun 2009, ktn wrote: We haven't been with hostmonster long, but considering that they're running 3.2.4 right now, I would assume at some point that they will update to 3.2.5. Until then, I can be patient. I'm just glad to hear that a standard rule for this kind of spam will be added to SA! Many thanks. Don't hold your breath. I'm still new to this, there may be a lot of delay that I'm not aware of before those new rules get added to the 3.2.5 base. John Hardin wrote: Does hostmonster run sa-update at all? So if I understand correctly: currently there is no standard rule in SA (we use 3.2.4) for filtering out mail with attachments but no text. That is correct. I hope (when I get write access to the repo) to add them to the 3.2.5 rules so they will go out via sa-update. Is there any way you can upgrade to 3.2.5? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If guards and searches and metal detectors can't keep a gun out of a maximum-security solitary confinement prisoner's cell, how will a disciplinary policy and some signs keep guns out of a university? --- 49 days since 9th Circuit incorporated 2nd Amdt - MSM still silent
Re: [sa] New slew of spams
On Mon, 2009-06-08 at 07:17 -0700, ktn wrote: I am also starting to get a lot of these .rtf attachment only with no email body text spams. Unfortunately, we use hostmonster.com for our email so my ability to customize SA is greatly limited (i.e. I cannot use custom rules). You can, of course, run your own copy of SA 3.2.5 if you have a house or office server that's running a private MTA to service a private LAN. Martin
Re: New slew of spams
On Mon, 8 Jun 2009, ktn wrote: I am also starting to get a lot of these .rtf attachment only with no email body text spams. Unfortunately, we use hostmonster.com for our email so my ability to customize SA is greatly limited (i.e. I cannot use custom rules). Do you mean that they won't allow 'local.cf' or that they won't allow 'user_prefs'? I'd be a bit surprised if the latter were not available - Charles
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 17:42 +0200, Matus UHLAR - fantomas wrote: On 08.06.09 16:52, Karsten Bräckelmann wrote: Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direct-to-MX submission? Why should I have any? Any spamming client can get us to blacklist, so it's important that they would not spread spam... Oh, I thought you could back up your claim... Never mind.
Re: [sa] Re: New Spam Mails plz suggest
On 08.06.09 12:21, Karsten Bräckelmann wrote: By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote: says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info. On 08.06.09 16:52, Karsten Bräckelmann wrote: Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direct-to-MX submission? On Mon, 8 Jun 2009, Matus UHLAR - fantomas wrote: Why should I have any? Any spamming client can get us to blacklist, so it's important that they would not spread spam... I believe his request for stats is a polite way of disagreeing with your statement that bots 'often' use Outlook SMTP Auth. Personally, I have always thought that bots avoided ISP mail servers in order to minimize detection and maximize the amount of time they can spew before being blocked/deleted. This is actually the premise that makes RBL checks for 'direct to MX' so successful. So your statement was quite surprising. Rather than just challenge its accuracy, we politely ask for more info. :) - Charles
BOTNET plugin download
The BOTNET plugin isn't covered in the CustomPlugins wiki page. When I Googled it I found this: http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar but it's a bit old. Is there a later version?
Re: BOTNET plugin download
The BOTNET plugin isn't covered in the CustomPlugins wiki page. When I Googled it I found this: http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar but it's a bit old. Is there a later version? That's 0.8 which is AFAIK the latest.
Re: Question on add-to-blacklist
Just wanted to pass along a thank you to those who helped out here and provide a few notes, on my experience, that may help anyone else that is looking at this. By the way, converting to MySQL did alleviate the problems that I was seeing when attempting to apply updates to AWL ... processes that were taking hours are now taking seconds!

Along the way I discovered a few things:

1) We have been running SA for several years and the AWL was far too large for any of the scripts, that I downloaded for conversion.
2) The time to load the MySQL database, with per-row insert logic was daunting.

Note: I made a few passes at this before hitting on a working solution. I found it, much, faster, to unload the existing DB to a delimited file, and use mysql load to load the AWL from that file. What I wound up with was a script to:

. Unload the DB (formatting a flat delimited file): This was created from the convert_awl_dbm_to_sql script downloaded from the spamassassin/tools. Substituting output, to stdout, for the mysql insert statement, and modifying the loop to use each rather than attempting to build an array of @k as well as adding some trim functionality:

    # my @k = grep(!/totscore$/,keys(%h));
    # for my $key (@k) {
    our $rowsread;
    our $rowsinsert;
    print stderr "Processing: $db \n";
    while(my ($key, $v) = each %h) {
        next if $key =~ /totscore$/;   # Skip totscore entries
        $rowsread++;
        next if ($v < 2);              # skip one off entries.
        . . .
        $rowsinsert++;
        print '"',$opt{'username'},'",','"',$email,'",','"',$ip,'",', $count,',',$totscore,"\n";
        . . .

. Drop and create the AWL table (the drop because of earlier experiments).

    drop table awl;
    CREATE TABLE awl (
      username varchar(100) NOT NULL default '',
      email varchar(200) NOT NULL default '',
      ip varchar(10) NOT NULL default '',
      count int(11) default '0',
      totscore float default '0',
      lastupdate timestamp(14) NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
      PRIMARY KEY (username,email,ip)
    ) TYPE=MyISAM;

. load the MySQL database:

    LOAD DATA INFILE '/home/larrys/sa_tools/awl.load'
      REPLACE INTO TABLE awl
      FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"'
      (username, email, ip, count, totscore)
      SET lastupdate = CURRENT_TIMESTAMP;

Following this it was a simple matter of sliding the new local.cf into place and restarting processes. So far everything seems to be running well. Thanks again

-- Larry G. Starr - lar...@fullcompass.com or sta...@globaldialog.com Software Engineer: Full Compass Systems LTD. Phone: 608-831-7330 x 1347 FAX: 608-831-6330 === There are only three sports: bullfighting, mountaineering and motor racing, all the rest are merely games! - Ernest Hemmingway
Re: New slew of spams
I can edit 'user_prefs' and customize scores for existing tests, but when I tried to add custom rules to 'user_prefs' they somehow got ignored. Weird. Here's the details from a hostmonster http://www.hostmonsterforum.com/showthread.php?t=2364 forum post : First off, hostmonster does not use the spamassassin command to run SA, they use the server/client spamd/spamc method. Therefore if you want to duplicate what is happening when your email arrives, you will need to do this in a shell: % spamc < mail_message If you try to use spamassassin from the shell, then things don't quite work right, namely it won't find the site configuration file AND it will process your $HOME/.spamassassin/user_prefs file differently than if you had run spamc By default, the spamd daemon does not allow user defined rules. Hostmonster needs to set allow_user_rules to 1 in the system configuration file. I asked about this and that's something that they will not do. Charles Gregory wrote: On Mon, 8 Jun 2009, ktn wrote: I am also starting to get a lot of these .rtf attachment only with no email body text spams. Unfortunately, we use hostmonster.com for our email so my ability to customize SA is greatly limited (i.e. I cannot use custom rules). Do you mean that they won't allow 'local.cf' or that they won't allow 'user_prefs'? I'd be a bit surprised if the latter were not available
Re: New slew of spams
On Mon, 8 Jun 2009, ktn wrote: By default, the spamd daemon does not allow user defined rules. Hostmonster needs to set allow_user_rules to 1 in the system configuration file. I asked about this and that's something that they will not do. ...which is completely reasonable in a shared-hosting environment. You don't want to risk someone malicious adding a denial-of-service rule. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Any time law enforcement becomes a revenue center, the system becomes corrupt. --- 49 days since 9th Circuit incorporated 2nd Amdt - MSM still silent
Re: New Spam Mails plz suggest
On 8-Jun-2009, at 09:42, Matus UHLAR - fantomas wrote: On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote: On 08.06.09 12:21, Karsten Bräckelmann wrote: By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info. On 08.06.09 16:52, Karsten Bräckelmann wrote: Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direct-to-MX submission? Why should I have any? Because you are asserting something we know is not true. Your choices are 1) prove it 2) be dismissed. -- Boy, it sure would be nice if we had some grenades, don'tcha think?
Private whitelisting
qq: How would I get spamassassin to reference an internal list of IPs? (This would be all of our client IPs in either suspended or active states on our whitelists to avoid denying access to our ticketing system from those clients with dnsbl listings) I know how to aggregate the data, just want a clue offered as to how to call them from SA. TIA -- Neil Schwartzman Director, Accreditation Security Standards Certified | Safelist Return Path Inc. 0142002038
Re: Private whitelisting
On Mon, 8 Jun 2009, Neil Schwartzman wrote: qq: How would I get spamassassin to reference an internal list of IPs? (This would be all of our client IPs in either suspended or active states on our whitelists to avoid denying access to our ticketing system from those clients with dnsbl listings) I know how to aggregate the data, just want a clue offered as to how to call them from SA. Two ways: (1) Set up an internal DNS zone and do a negative-scoring DNSBL lookup, or (2) Do it at the MTA level and bypass SA for those IPs completely. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Individual liberties are always loopholes to absolute authority. --- 49 days since 9th Circuit incorporated 2nd Amdt - MSM still silent
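Option (1) from the reply above, sketched as an added example that is not code from the thread: it turns an aggregated client list into DNSBL-style records for an internal zone and shows the name a lookup for a relay IP would query. The zone name, the 127.0.0.x return codes for the active and suspended states, the /24 expansion limit and the client addresses are all assumptions constructed for the example.

```python
import ipaddress

ZONE = "clients.wl.example.internal"   # hypothetical internal zone name
# Assumed return codes: one A-record value per client state.
CODES = {"active": "127.0.0.2", "suspended": "127.0.0.3"}
MAX_HOSTS = 256                        # refuse to expand anything wider than a /24


def dnsbl_name(ip, zone=ZONE):
    """Name a DNSBL-style lookup queries: reversed IPv4 octets, then the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."


def build_zone(clients, zone=ZONE):
    """Map query name -> A-record value for every listed client address.

    clients is an iterable of (ip_or_cidr, state). A later entry for the same
    address overrides an earlier one, so a single suspended host can be carved
    out of an otherwise active block.
    """
    records = {}
    for spec, state in clients:
        if state not in CODES:
            raise ValueError("unknown state %r for %s" % (state, spec))
        net = ipaddress.ip_network(spec, strict=True)   # rejects stray host bits
        if net.version != 4:
            raise ValueError("IPv4 only in this example: %s" % spec)
        if net.num_addresses > MAX_HOSTS:
            raise ValueError("%s is too wide to expand into records" % spec)
        for addr in net:
            records[dnsbl_name(str(addr), zone)] = CODES[state]
    return records


def zone_lines(records, ttl=300):
    """Render the records as zone-file lines, sorted so diffs stay stable."""
    return ["%s %d IN A %s" % (name, ttl, value)
            for name, value in sorted(records.items())]


def lookup(ip, records, zone=ZONE):
    """State the zone would report for this relay IP, or None (NXDOMAIN)."""
    value = records.get(dnsbl_name(ip, zone))
    for state, code in CODES.items():
        if code == value:
            return state
    return None


# Constructed sample data (documentation address ranges).
SAMPLE_CLIENTS = [
    ("203.0.113.45", "active"),
    ("198.51.100.8/30", "active"),
    ("198.51.100.10", "suspended"),   # overrides the /30 entry for this host
]

if __name__ == "__main__":
    zone = build_zone(SAMPLE_CLIENTS)
    print("\n".join(zone_lines(zone)))
    for ip in ("198.51.100.9", "198.51.100.10", "192.0.2.1"):
        print(ip, "->", lookup(ip, zone))
```

Distinct return codes let the scoring side treat active and suspended clients differently, or ignore suspended ones, without maintaining two zones.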
Re: sa-update error
On Mon, June 8, 2009 14:27, snowweb wrote: Sorry for my ignorance. I'm very new to Linux. Which missing perl module is that please? there is none missing, you just have another perl version that misses it, how to resolve the problem with 2 versions of perl with yum I don't know, but solve this and the remaining problem with missing perl modules will vanish at the same time, if not ask distro maintainers for help on that issue, it's not a spamassassin problem -- http://localhost/ 100% uptime and 100% mirrored :)
Re: sa-update error
On Mon, June 8, 2009 14:30, snowweb wrote: When I do which perl it only returns, /usr/bin/perl unsure if that's related doesn't this mean that I only have one installed? (I'm not arguing.. just trying to understand, since I'm new to Linux). spamassassin 2>&1 -D --lint grep 5.8 on it if you see 5.8.6 and 5.8.8 there we go try remove the old perl version, but make sure all modules in 5.8.8 are installed first does there exist a perl-cleanup in your distro ? -- http://localhost/ 100% uptime and 100% mirrored :)
Re: sa-update error
On Mon, June 8, 2009 14:41, snowweb wrote: Then I tried again with sa-update and got the following: [r...@s1 spamassassin]# sa-update Can't locate Archive/Tar.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/per l5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thr ead-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_per l/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-mult i /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /us r/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386 -linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/bin/sa-update l 5.8.5 5.8.6 5.8.7 5.8.8 4 perl versions, is your distro out of their mind ? :) -- http://localhost/ 100% uptime and 100% mirrored :)
Re: sa-update error
On Mon, June 8, 2009 15:04, snowweb wrote: so I guess it's fixed. until next time there is a new perl version yes :/ never mix CPAN with a RPM system ! -- http://localhost/ 100% uptime and 100% mirrored :)
Re: sa-update error
On Mon, June 8, 2009 15:26, The Doctor wrote: You can either use cpan or http://search.cpan.org . bad advise ! -- http://localhost/ 100% uptime and 100% mirrored :)
Re: backscatter from dnswl
On Mon, June 8, 2009 15:41, Arvid Picciani wrote: is there anything i can do about that? report to dnswl at their site ? http://www.dnswl.org/ -- http://localhost/ 100% uptime and 100% mirrored :)
Re: sa-update error
On Tue, 2009-06-09 at 00:39 +0200, Benny Pedersen wrote: does there exist a perl-cleanup in your distro ?

There's not a general one. On the assumption (true for Fedora) that both Perl and SA are distro supported packages, if I was tackling this I'd do the following:

- make safety copies of SA customisation.
- yum remove perl spamassassin
- updatedb
- use 'locate perl' to see if there are any other copies of perl - there is in this case. At a guess it is a CPAN install.
- remove it using 'rm -rf' as it is unlikely to be an RPM package
- check that Perl is definitely gone. (updatedb; locate perl)
- get the latest distro versions: yum install perl spamassassin
- replace SA customisation if it got overwritten.
- check that the default PATH doesn't point to anything that was removed. It is set up in /etc/profile plus extras from /etc/profile.d

Martin
Re: sa-update error
On Tue, June 9, 2009 00:59, Martin Gregorie wrote: On Tue, 2009-06-09 at 00:39 +0200, Benny Pedersen wrote: does there exist a perl-cleanup in your distro ? There's not a general one. On the assumption (true for Fedora) that both Perl and SA are distro supported packages, if I was tackling this I'd do the following: - make safety copies of SA customisation. - yum remove perl spamassassin - updatedb - use 'locate perl' to see if there are any other copies of perl - there is in this case. At a guess it is a CPAN install. - remove it using 'rm -rf' as it is unlikely to be an RPM package - check that Perl is definitely gone. (updatedb; locate perl) - get the latest distro versions: yum install perl spamassassin - replace SA customisation if it got overwritten. - check that the default PATH doesn't point to anything that was removed. It is set up in /etc/profile plus extras from /etc/profile.d yes, when no perl is installed you can yum install spamassassin as it was meant to from distros, if still problem with spamassassin 2>&1 -D --lint after this then report it to your distro as a dependency problem i remember perl problems from my old freebsd 4.9 :=) never happened on gentoo here -- http://localhost/ 100% uptime and 100% mirrored :)
Re: tests= SIZE_LIMIT_EXCEEDED ??
Stefan, I just had a closer look at the header of an email which should have been recognized by spamassassin as spam. What I found was this: X-SpamScore: 0 tests= SIZE_LIMIT_EXCEEDED I have checked /usr/share/spamassassin/ for a rule which might contain a size limit, but didn't find any. A search with Google didn't help either. So, any suggestions from the list members where I can define the size that has been exceeded? Some sw components to be ruled out: - this isn't amavisd-new doing it, at least none of the official versions; - this isn't Maia Mailguard; - this isn't old versions of amavis; - this isn't SpamAssassin (neither spamc/spamd, nor the library). Although the most recent version of amavisd-new (2.6.3) does provide ability to pass partial message to SpamAssassin and to insert rule hits into the final result, this isn't the case here, and there is no SIZE_LIMIT_EXCEEDED message generated anywhere. Look for another culprit in your mail path, such as a webmail component or a content filter at some ISP. My guess at pointing fingers is Nemesis. Mark
Re: BOTNET plugin download
On Mon, Jun 8, 2009 at 09:55, Jari Fredriksson ja...@iki.fi wrote: The BOTNET plugin isn't covered in the CustomPlugins wiki page. When I Googled it I found this: http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar but it's a bit old. Is there a later version? That's 0.8 which is AFAIK the latest. Yes, 0.8 is the latest, and it's ... 2 years old now? or just 1.5? somewhere around there. I haven't really needed to do an update, though there are some things I want to re-work once I get some spare time (mostly, how it does DNS lookups, to use SA internals more).
Re: BOTNET plugin download
what's botnet plugin? On Mon, Jun 8, 2009 at 7:23 PM, John Rudd jr...@ucsc.edu wrote: On Mon, Jun 8, 2009 at 09:55, Jari Fredriksson ja...@iki.fi wrote: The BOTNET plugin isn't covered in the CustomPlugins wiki page. When I Googled it I found this: http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar but it's a bit old. Is there a later version? That's 0.8 which is AFAIK the latest. Yes, 0.8 is the latest, and it's ... 2 years old now? or just 1.5? somewhere around there. I haven't really needed to do an update, though there are some things I want to re-work once I get some spare time (mostly, how it does DNS lookups, to use SA internals more). -- http://alexus.org/
Re: BOTNET plugin download
On Mon, Jun 8, 2009 at 16:31, alexus ale...@gmail.com wrote: what's botnet plugin? It's a SpamAssassin plugin that looks at DNS configurations and attempts to identify hosts that are probably actually clients that are sending email directly to your server, instead of through their own mail server. There's a high likelihood that those senders are actually botnets and not legitimate senders. Thus the name of the plugin. But, botnets aren't its only purpose. It's also an encouragement for email admins to follow best practices in how they set up the DNS of their mail servers. On Mon, Jun 8, 2009 at 7:23 PM, John Rudd jr...@ucsc.edu wrote: On Mon, Jun 8, 2009 at 09:55, Jari Fredriksson ja...@iki.fi wrote: The BOTNET plugin isn't covered in the CustomPlugins wiki page. When I Googled it I found this: http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar but it's a bit old. Is there a later version? That's 0.8 which is AFAIK the latest. Yes, 0.8 is the latest, and it's ... 2 years old now? or just 1.5? somewhere around there. I haven't really needed to do an update, though there are some things I want to re-work once I get some spare time (mostly, how it does DNS lookups, to use SA internals more). -- http://alexus.org/
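A simplified illustration of the kind of DNS checks described in the message above, added here as an example; it is not the Botnet plugin's code. The hit labels, word lists, the "last two labels are the domain" shortcut and the sample relays are assumptions constructed for the example, and the forward-lookup results are passed in so it runs offline.

```python
import ipaddress
import re

# Word lists are assumptions for this example; real deployments tune them.
CLIENT_WORDS = {"adsl", "dsl", "dhcp", "dyn", "dynamic", "dial", "dialup",
                "cable", "ppp", "pool", "cust", "customer", "client"}
SERVER_WORDS = {"mail", "smtp", "mx", "mta", "relay"}


def host_tokens(hostname):
    """Alphabetic tokens of the host part (labels left of the last two)."""
    labels = hostname.lower().rstrip(".").split(".")
    tokens = set()
    for label in labels[:-2]:
        tokens.update(t for t in re.split(r"[^a-z]+", label) if t)
    return tokens


def ip_in_hostname(ip, hostname):
    """True if the hostname embeds the relay's IPv4 address.

    Matches the two host-specific octets as adjacent number groups, in
    forward or reversed order, or the whole address written as 8 hex digits.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    octets = str(addr).split(".")
    nums = [str(int(n)) for n in re.findall(r"\d+", hostname)]  # "010" -> "10"

    def contains(seq):
        n = len(seq)
        return any(nums[i:i + n] == seq for i in range(len(nums) - n + 1))

    tail = octets[2:]
    if contains(tail) or contains(tail[::-1]):
        return True
    hexform = "".join("%02x" % int(o) for o in octets)
    return hexform in hostname.lower()


def check_relay(ip, rdns, forward_ips):
    """Return (hits, looks_like_client) for one connecting relay.

    rdns is the PTR name (None if there is none); forward_ips is what that
    name resolves back to.
    """
    if not rdns:
        return ["NO_RDNS"], True
    hits = []
    addr = ipaddress.ip_address(ip)
    if addr not in {ipaddress.ip_address(f) for f in forward_ips}:
        hits.append("BAD_DNS")              # PTR name does not point back
    if ip_in_hostname(ip, rdns):
        hits.append("IP_IN_HOSTNAME")
    tokens = host_tokens(rdns)
    if tokens & CLIENT_WORDS:
        hits.append("CLIENT_WORDS")
    server_named = bool(tokens & SERVER_WORDS)
    client_named = "IP_IN_HOSTNAME" in hits or "CLIENT_WORDS" in hits
    # A name that says "mail server" excuses a client-looking name,
    # but nothing excuses DNS that does not round-trip.
    looks_like_client = "BAD_DNS" in hits or (client_named and not server_named)
    return hits, looks_like_client


# Constructed sample relays: (ip, PTR name, addresses the PTR name resolves to).
SAMPLES = [
    ("203.0.113.45", "45-113-0-203.dsl.dynamic.example.net", ["203.0.113.45"]),
    ("198.51.100.10", "mail.example.org", ["198.51.100.10"]),
    ("192.0.2.77", None, []),
    ("192.0.2.80", "smtp.example.com", ["192.0.2.81"]),
    ("198.51.100.25", "mail-198-51-100-25.example.com", ["198.51.100.25"]),
]

if __name__ == "__main__":
    for ip, rdns, fwd in SAMPLES:
        print(ip, rdns, check_relay(ip, rdns, fwd))
```

The last sample shows why such checks can produce false positives and why a server-word exemption exists: a legitimate mail host whose name embeds its address still trips the hostname check.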
Re: tests= SIZE_LIMIT_EXCEEDED ??
On Tue, 2009-06-09 at 01:18 +0200, Mark Martinec wrote: X-SpamScore: 0 tests= SIZE_LIMIT_EXCEEDED Some sw components to be ruled out: - this isn't amavisd-new doing it, at least none of the official versions; Sorry, Mark. :) I was entirely going by the OP's outgoing headers, which clearly shows an amavisd-new header in the chain. Though at a second look, I realize that's about a hop after SA processing... - this isn't Maia Mailguard; - this isn't old versions of amavis; - this isn't SpamAssassin (neither spamc/spamd, nor the library). Although the most recent version of amavisd-new (2.6.3) does provide ability to pass partial message to SpamAssassin and to insert rule hits into the final result, this isn't the case here, and there is no SIZE_LIMIT_EXCEEDED message generated anywhere. Look for another culprit in your mail path, such as a webmail component or a content filter at some ISP. My guess at pointing fingers is Nemesis. Right, that's definitely something else adding the headers, as has been pointed out before. Not SA. Anything, even a trivial filter foo calling formail easily can inject such a header (though the order in the chain may vary, which is not obvious from the OP).
Re: New slew of spams
On 8-Jun-2009, at 11:19, ktn wrote: By default, the spamd daemon does not allow user defined rules. Hostmonster needs to set allow_user_rules to 1 in the system configuration file. I asked about this and that's something that they will not do. It's a good thing there are other hosting companies that are not willfully retarded, isn't it? -- The person on the other side was a young woman. Very obviously a young woman. There was no possible way that she could have been mistaken for a young man in any language, especially Braille.
Re: sa-update error
On 8-Jun-2009, at 16:50, Benny Pedersen wrote: On Mon, June 8, 2009 15:26, The Doctor wrote: You can either use cpan or http://search.cpan.org . bad advise ! First off, it's 'advice' (the noun) in this case, not 'advise' (the verb). Second off, there is absolutely nothing wrong with using CPAN. -- Well, I've wrestled with reality for 35 years, Doctor, and I'm happy to state I finally won out over it.
Re: sa-update error
On Tue, June 9, 2009 03:48, LuKreme wrote: Second off, there is absolutely nothing wrong with using CPAN. OP problem is mix of CPAN and RPM, he doesn't need both to solve it CPAN is useful if one makes RPM with it, but most believe it's better just to follow guides and use CPAN shells, when distro is RPM based -- http://localhost/ 100% uptime and 100% mirrored :)