Re: forward mails as spam

[Benny Pedersen]

On Wed, July 15, 2009 05:09, neroxyr wrote:

> http://pastebin.ca/1495392

newer ever use blacklist_from or whitelist_from

use something that have auth eg spf / dkim

if unsure what sender uses use whitelist_from_auth fri...@gmal.com or something 
:)

spammers uses random senders from freemail so only weapon you have against it 
is to whitelist only you known good senders, with
must spammers dont know

sorry if you have a sick cpanel with that fail

-- 
xpoint

Re: forward mails as spam

[Benny Pedersen]

On Wed, July 15, 2009 00:33, neroxyr wrote:
> Here's the text in pastebin:  http://pastebin.ca/1495217 Blocked by
> SpamAssassin

USER_IN_BLACKLIST

grep blacklist_from *

-- 
xpoint

Re: forward mails as spam

[Benny Pedersen]

On Tue, July 14, 2009 23:07, neroxyr wrote:
> the email are forward from a user account in particular.
> for example, the emails i receive to b...@address.com are forwarded to gmail,
> but is in this point where the SA treats the message as a spam because of
> the high score points

stop forwarding emails, resolve all your above problems

case closed from my side


-- 
xpoint

Spam gets through via Envelope

[HerbEppel]

No doubt this has been discussed before and apologies for any repetition, but
I can't find the answer in the archive.

I have set SA to reject all mail that isn't addressed to specific addresses,
but quite a lot of spam gets through by using arbitrary addresses in the To
field and a 'good' address in the Envelope-to field.

How can I rectify this?


-- 
View this message in context: 
http://www.nabble.com/Spam-gets-through-via-Envelope-tp24492488p24492488.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: forward mails as spam

[John Hardin]

On Tue, 2009-07-14 at 20:09 -0700, neroxyr wrote:
> 
> John Hardin wrote:
> > 
> > Would you be willing to post the output from this:
> > 
> >egrep 'white|black' /etc/mail/spamassassin/*.cf
>
> here's the output:
> 
> http://pastebin.ca/1495392

  blacklist_from *...@*.*

...why are you surprised that almost all mail is being rejected with a
huge score? SA is doing exactly what you (or somebody) told it to do.

Is there a specific reason that's there?

Oh, and for small blocks of text like that, pasting them into the
message body is perfectly acceptable. Sample email messages or other
large texts, where retaining the exact format is important, do need to
go via pastebin.

-- 
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79

Re: forward mails as spam

[neroxyr]

here's the output:

http://pastebin.ca/1495392


John Hardin wrote:
> 
> 
> Would you be willing to post the output from this:
> 
>egrep 'white|black' /etc/mail/spamassassin/*.cf
> 
> 

-- 
View this message in context: 
http://www.nabble.com/forward-mails-as-spam-tp24470970p24491203.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: forward mails as spam

[John Hardin]

On Tue, 14 Jul 2009, neroxyr wrote:


Here's the text in pastebin:  http://pastebin.ca/1495217 Blocked by
SpamAssassin


It looks to me like gmail is a red herring, and you're blacklisting 
brennero_pa...@yahoo.es somehow.


Would you be willing to post the output from this:

  egrep 'white|black' /etc/mail/spamassassin/*.cf

(substitute /etc/mail/spamassassin as needed for where your config files 
live)


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People seem to have this obsession with objects and tools as being
  dangerous in and of themselves, as though a weapon will act of its
  own accord to cause harm. A weapon is just a force multiplier. It's
  *humans* that are (or are not) dangerous.
---
 2 days until the 64th anniversary of the dawn of the Atomic Age

Re: forward mails as spam

[John Hardin]

On Tue, 14 Jul 2009, McDonald, Dan wrote:


I suggest whitelist_from_spf with your specific email addresses. (gmail
does SPF, right?)


It might, but whitelist_from_dkim would probably be better.


Or whitelist_from_auth. D'oH!

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People seem to have this obsession with objects and tools as being
  dangerous in and of themselves, as though a weapon will act of its
  own accord to cause harm. A weapon is just a force multiplier. It's
  *humans* that are (or are not) dangerous.
---
 2 days until the 64th anniversary of the dawn of the Atomic Age

Re: Header Layout

[Karsten Bräckelmann]

On Tue, 2009-07-14 at 12:33 -0500, McDonald, Dan wrote:
> On Tue, 2009-07-14 at 16:13 +0100, Steve wrote:
> > This is very pretty;
> > 
> > X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.3379
> > Rule breakdown below
> >  pts rule name  description
> >  -- 
> > --
> > 0.00 NO_REAL_NAME   From: does not include a real name
> > 1.58 MISSING_HEADERSMissing To: header
> > 0.00 TO_CC_NONE No To: or Cc: header

Heh, that actually looks like the _SUMMARY_ template [1], meant for
*body* reports, injected with add_header into the headers, where's it's
actually not meant to be...

Probably with some custom clear_report_template and report settings. See
10_default_prefs.cf. Also, probably with report_safe 0 set.

> > Can we change the header layout with SA to format it similar to this?

You can, I guess -- even without code changes.


> You don't like the default?:
> X-Spam-Report: 
>   *  2.0 AE_GBP BODY: Mentions hundreds of thousands (or millions) of 
> British
>   *   pounds

The _REPORT_ template, used with report_safe 0. I believe I posted more
details on always using the Report header, even with report_safe != 0
just a few weeks ago...

> You could tweak it a bit on line 2166 of PerMsgstatus.pm


[1] 
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#template_tags

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: forward mails as spam

[neroxyr]

Here's the text in pastebin:  http://pastebin.ca/1495217 Blocked by
SpamAssassin 
-- 
View this message in context: 
http://www.nabble.com/forward-mails-as-spam-tp24470970p24488978.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

spamassassin bayes postgresql schema

[Tomas.Srna]

Hello.

I'd like to set up bayes storage to postgresql database, but the problem is
that it is not in the 'public' schema. In fact, the database is 'hosting',
schema 'spamassassin' and the tables would be created under this.

Is there a possibility to specify schema for pgsql?

Thanks.
-- 
View this message in context: 
http://www.nabble.com/spamassassin-bayes-postgresql-schema-tp24488695p24488695.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: forward mails as spam

[neroxyr]

the email are forward from a user account in particular.
for example, the emails i receive to b...@address.com are forwarded to gmail,
but is in this point where the SA treats the message as a spam because of
the high score points


Benny Pedersen wrote:
> 
> 
> add the forwarded from ip as trusted_networks, this disable spf from that
> ip
> 
> you know where the mails are forwarded from (ip wize) ?
> 
> -- 
> xpoint
> 
> 

-- 
View this message in context: 
http://www.nabble.com/forward-mails-as-spam-tp24470970p24487844.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: How to attach spam messages as HTML instead of TXT

[Spiro Harvey]

Did you know...? 

Emails like yours are what we're trying to block on a daily basis. 


signature.asc
Description: PGP signature

Re: [NEW SPAM FLOOD] www.shopXX.net

[Hrothgar]

>Which of course means we've long since passed the point where any of  
>these are going to do the spammers any good.  That's the frustrating  
>part.

I thought that the point was that since it cost a spammer the same to send
out a million emails as to send out one, he was happy if only one of the
recipients responded. 

I live in the UK. The chances of anyone here buying prescription drugs from
a web site are non-existent: they are paid for either by the health service
or (for those who have medical insurance) by insurers. And the, er, "get it
up" medicines are now available over the counter. Yet all co.uk addresses
get mountains of this type of spam which presumably sell nothing.

I find it quicker to delete them manually rather than spending time altering
a regex and restarting SA.

Roger
-- 
View this message in context: 
http://www.nabble.com/-NEW-SPAM-FLOOD--www.shopXX.net-tp24139422p24486959.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: forward mails as spam

[Benny Pedersen]

On Tue, July 14, 2009 22:05, neroxyr wrote:
>
> the whitelist_from_spf doesn't seem to work in the spamassassin local.cf file
> puting this line, now i don't receive the mailer-daemon in my account
>
> is there a way that the forward emails not to be considered as spam by SA?

add the forwarded from ip as trusted_networks, this disable spf from that ip

you know where the mails are forwarded from (ip wize) ?

-- 
xpoint

Re: forward mails as spam

[neroxyr]

The milter i'm using is spamass-milter and the spamc is already running


Cedric Knight, GreenNet wrote:
> 
> 
> I use postfix rather than sendmail, but suspect your sendmail milter is
>  wrongly configured, or just plain buggy.  What is the name of the
> milter you are using?  I understand www.mimedefang.org is more standard
> and shouldn't produce backscatter if correctly configured.  And Gmail's
> own milter is supposedly quite good, so you might just want to run spamc
> from procmail.
> 
> CK
> 

-- 
View this message in context: 
http://www.nabble.com/forward-mails-as-spam-tp24470970p24486950.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: custom rule no work (as expected) and log score

[Kevin Parris]

The most obvious problem is that you are re-using the rule name.  While the 
configuration is parsed the 2nd line replaces the first then the 3rd line 
replaces the 2nd line.  If you want three rules give them three different 
names, for example: whitelist_from_luser1 whitelist_from_luser2 
whitelist_from_luser3

Alternatively, consider writing a single expression to detect the 3 domains 
with OR logical conditions.  This is left as an exercise for the reader.

>>> Bazooka Joe  07/14/09 3:54 PM >>>
any idea why this rule never works for domain1 or domain2 but only domain3

header whitelist_from_luser From =~ /domain1\.com/i
header whitelist_from_luser From =~ /domain2\.com/i
header whitelist_from_luser From =~ /domain3\.com/i

score whitelist_from_luser -2.5


How do I log the score for each rule that is triggered?

-bazooka

Re: custom rule no work (as expected) and log score

[McDonald, Dan]

On Tue, 2009-07-14 at 12:54 -0700, Bazooka Joe wrote:
> any idea why this rule never works for domain1 or domain2 but only domain3
> 
> header whitelist_from_luser From =~ /domain1\.com/i
> header whitelist_from_luser From =~ /domain2\.com/i
> header whitelist_from_luser From =~ /domain3\.com/i

Because you redefined whitelist_from_luser twice?


> score whitelist_from_luser -2.5
> 
> 
> How do I log the score for each rule that is triggered?

header WHITELIST_FROM_LUSER1 From =~ /domain1\.com/i
header WHITELIST_FROM_LUSER2 From =~ /domain2\.com/i
header WHITELIST_FROM_LUSER3 From =~ /domain3\.com/i

score WHITELIST_FROM_LUSER1 -2.5
score WHITELIST_FROM_LUSER2 -2.5
score WHITELIST_FROM_LUSER3 -2.5

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


signature.asc
Description: This is a digitally signed message part

Re: forward mails as spam

[neroxyr]

Ok, i'll try with those, i'll post you later to see how these goes


Benny Pedersen wrote:
> 
> 
> On Tue, July 14, 2009 21:28, neroxyr wrote:
>> tks cheking the local.cf i had a blacklist_from *...@*.*
>> i delete that line and put the whitelist_from *...@gmail.com
> 
> dont use whitelist_from, senders can forge it very easyly, if you want to
> whitelist use
> 
> whitelist_from_dkim
> whitelist_from_spf
> whitelist_from_auth
> 
> all of them can have def_ prepended to get def_whitelist_from_spf and
> friends
> 
> so eg
> 
> whitelist_from_auth f...@gmail.com will check full email and only gives
> negative score if the email is really from gmail
> 
> use
> 
> def_whitelist_* *...@gmail.com if you want to use wildcards
> 
> its a diff score on whitelist_from_* and def_whitelist_from_*
> 
> the last have less weight then the first
> 
> newer use whitelist_from, newer
> 
> -- 
> xpoint
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/forward-mails-as-spam-tp24470970p24486853.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: forward mails as spam

[neroxyr]

the whitelist_from_spf doesn't seem to work in the spamassassin local.cf file
puting this line, now i don't receive the mailer-daemon in my account

is there a way that the forward emails not to be considered as spam by SA?


John Hardin wrote:
> 
> Not if you don't want _every_ _single_ _message_ from gmail to be 
> whitelisted. You really don't want to paint with _that_ broad a brush.
> 
> I suggest whitelist_from_spf with your specific email addresses. (gmail 
> does SPF, right?)
> 

-- 
View this message in context: 
http://www.nabble.com/forward-mails-as-spam-tp24470970p24486830.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: custom rule no work (as expected) and log score

[Daniel Schaefer]

any idea why this rule never works for domain1 or domain2 but only domain3

header whitelist_from_luser From =~ /domain1\.com/i
header whitelist_from_luser From =~ /domain2\.com/i
header whitelist_from_luser From =~ /domain3\.com/i

score whitelist_from_luser -2.5


How do I log the score for each rule that is triggered?

-bazooka
  
Perhaps it's being overwritten by the 3rd rule? Try one of the 
following, depending on what your actual domain names are. I'm still 
learning REs, so please someone correct me if I'm wrong.


header whitelist_from_luser From =~ /(domain[1-3]\.com)/i

header whitelist_from_luser From =~ /(domain1\.com|domain2\.com|domain3\.com)/i



--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.

Re: forward mails as spam

[Benny Pedersen]

On Tue, July 14, 2009 21:28, neroxyr wrote:
> tks cheking the local.cf i had a blacklist_from *...@*.*
> i delete that line and put the whitelist_from *...@gmail.com

dont use whitelist_from, senders can forge it very easyly, if you want to 
whitelist use

whitelist_from_dkim
whitelist_from_spf
whitelist_from_auth

all of them can have def_ prepended to get def_whitelist_from_spf and friends

so eg

whitelist_from_auth f...@gmail.com will check full email and only gives 
negative score if the email is really from gmail

use

def_whitelist_* *...@gmail.com if you want to use wildcards

its a diff score on whitelist_from_* and def_whitelist_from_*

the last have less weight then the first

newer use whitelist_from, newer

-- 
xpoint

custom rule no work (as expected) and log score

[Bazooka Joe]

any idea why this rule never works for domain1 or domain2 but only domain3

header whitelist_from_luser From =~ /domain1\.com/i
header whitelist_from_luser From =~ /domain2\.com/i
header whitelist_from_luser From =~ /domain3\.com/i

score whitelist_from_luser -2.5


How do I log the score for each rule that is triggered?

-bazooka

Re: trusted_networks and internal_networks

[Benny Pedersen]

On Tue, July 14, 2009 21:26, Jari Fredriksson wrote:
> Duh. Dumb. Arrgh! Hit! Damn.

its rocket science :)

--
xpoint

Re: forward mails as spam

[McDonald, Dan]

On Tue, 2009-07-14 at 12:42 -0700, John Hardin wrote:
> On Tue, 14 Jul 2009, neroxyr wrote:
> 
> > tks cheking the local.cf i had a blacklist_from *...@*.*
> > i delete that line and put the whitelist_from *...@gmail.com
> >
> > I restart spamassassin and sendmail service and it worked!!. But putting
> > whitelist_from *...@gmail.com in the local.rf is not correct, is it?
> 
> Not if you don't want _every_ _single_ _message_ from gmail to be 
> whitelisted. You really don't want to paint with _that_ broad a brush.
> 
> I suggest whitelist_from_spf with your specific email addresses. (gmail 
> does SPF, right?)

It might, but whitelist_from_dkim would probably be better.

> 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


signature.asc
Description: This is a digitally signed message part

Re: trusted_networks and internal_networks

[mouss]

Jari Fredriksson a écrit :
>> [snip]
>> when I put your lines in my config, I only seethe
>> 127.0.0.1/32 warning. 
>>
> 
>>>
>>> It looks like SA itself configured the trusted.
> 
> I removed both the 127.0.0.1 AND 10/8 and this is happy again. It seems to 
> configure the internal networks as trusted automagically. As it should be IMO.
> 

It may be as "it should be" for you. so it's a good default. but here,
internal != trusted (strict subset), because I "trust" relays that are
not under my control and which may accept mail from residential users.

Re: forward mails as spam

[John Hardin]

On Tue, 14 Jul 2009, neroxyr wrote:


tks cheking the local.cf i had a blacklist_from *...@*.*
i delete that line and put the whitelist_from *...@gmail.com

I restart spamassassin and sendmail service and it worked!!. But putting
whitelist_from *...@gmail.com in the local.rf is not correct, is it?


Not if you don't want _every_ _single_ _message_ from gmail to be 
whitelisted. You really don't want to paint with _that_ broad a brush.


I suggest whitelist_from_spf with your specific email addresses. (gmail 
does SPF, right?)


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #4: If your shooting stance is good,
  you're probably not moving fast enough nor using cover correctly.
---
 2 days until the 64th anniversary of the dawn of the Atomic Age

Re: forward mails as spam

[neroxyr]

tks cheking the local.cf i had a blacklist_from *...@*.*
i delete that line and put the whitelist_from *...@gmail.com

I restart spamassassin and sendmail service and it worked!!. But putting
whitelist_from *...@gmail.com in the local.rf is not correct, is it?


Cedric Knight, GreenNet wrote:
> 
> neroxyr wrote:
>> Hope this is the log you wanted
>>
>> http://www.nabble.com/file/p24471425/block.jpg
> 
> It's not possible to see from this whether the first log line that you
> have highlighted is necessarily related to the second and third
> highlights (the message IDs are different), but I'll assume they are.
> 
> What is clear is that USER_IN_BLACKLIST caused 100 of the 103 point
> score.  Do you perhaps have
>blacklist_from brennero..e etc
> in your local.cf; or some blacklist_from with a * wildcard ?
> 
> CK
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/forward-mails-as-spam-tp24470970p24486220.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: trusted_networks and internal_networks

[Jari Fredriksson]

> Jari Fredriksson a écrit :
>> I tried with this:
>> 
>> -(local.cf)---
>> 
>> internal_networks 10.0.0.0/8
>> trusted_networks 10.0.0.0/8 127.0.0.1
>> trusted_networks 212.16.98.0/24 212.16.100.0/24
>> 62.142.0.0/16 195.197.172.98 trusted_networks
>> 195.74.0.0/16 213.192.189.2/24 217.30.188.0/24
>> 65.54.0.0/16 trusted_networks 83.145.211.136
>> 217.30.180.104  
>> trusted_networks 64.233.183.0/24 209.85.199.0/24
>> 72.14.247.27/24 64.233.163.27 trusted_networks
>> 213.157.94.92 
>> 
>> --
>> 
>> Here, internal is a subset of trusted, is that how it
>> should go? 
>> 
>> $ spamassassin -D --lint
>> 
>> [7594] warn: netset: cannot include 127.0.0.1/32 as it
>> has already been included 
> 
> remove 127.0.0.1/32
> 
>> [7594] warn: netset: cannot include 10.0.0.0/8 as it has
>> already been included 
> 
> which version of SA is this? also grep for 10.0 in your
> .cf files. 
> 
> when I put your lines in my config, I only seethe
> 127.0.0.1/32 warning. 
> 

Case resolved. I grepped and found an additional trusted_networks in the 
local.cf

Duh. Dumb. Arrgh! Hit! Damn.

Re: trusted_networks and internal_networks

[Jari Fredriksson]

> Jari Fredriksson a écrit :
>> I tried with this:
>> 
>> -(local.cf)---
>> 
>> internal_networks 10.0.0.0/8
>> trusted_networks 10.0.0.0/8 127.0.0.1
>> trusted_networks 212.16.98.0/24 212.16.100.0/24
>> 62.142.0.0/16 195.197.172.98 trusted_networks
>> 195.74.0.0/16 213.192.189.2/24 217.30.188.0/24
>> 65.54.0.0/16 trusted_networks 83.145.211.136
>> 217.30.180.104  
>> trusted_networks 64.233.183.0/24 209.85.199.0/24
>> 72.14.247.27/24 64.233.163.27 trusted_networks
>> 213.157.94.92 
>> 
>> --
>> 
>> Here, internal is a subset of trusted, is that how it
>> should go? 
>> 
>> $ spamassassin -D --lint
>> 
>> [7594] warn: netset: cannot include 127.0.0.1/32 as it
>> has already been included 
> 
> remove 127.0.0.1/32
> 
>> [7594] warn: netset: cannot include 10.0.0.0/8 as it has
>> already been included 
> 
> which version of SA is this? also grep for 10.0 in your
> .cf files. 
> 

3.2.5 from cpan.

> when I put your lines in my config, I only seethe
> 127.0.0.1/32 warning. 
> 

>> 
>> 
>> It looks like SA itself configured the trusted.

I removed both the 127.0.0.1 AND 10/8 and this is happy again. It seems to 
configure the internal networks as trusted automagically. As it should be IMO.

Re: Header Layout

[McDonald, Dan]

On Tue, 2009-07-14 at 16:13 +0100, Steve wrote:
> This is very pretty;
> 
> X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.3379
>   Rule breakdown below
>pts rule name  description
>    --
> --
>   0.00 NO_REAL_NAME   From: does not include a real name
>   1.58 MISSING_HEADERSMissing To: header
>   0.00 TO_CC_NONE No To: or Cc: header
> 
> 
> Can we change the header layout with SA to format it similar to this?
> 
You don't like the default?:
X-Spam-Report: 
*  2.0 AE_GBP BODY: Mentions hundreds of thousands (or millions) of 
British
*   pounds
*  0.0 RELAY_US Relayed through United States
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  1.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  3.0 AE_DETAILS_WITH_MONEY Has form and mentions much money
*  2.5 AE_DETAILS_WITH_EMAIL Has form and gives handy email to send it 
back
*   to

You could tweak it a bit on line 2166 of PerMsgstatus.pm
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


signature.asc
Description: This is a digitally signed message part

Re: trusted_networks and internal_networks

[mouss]

Jari Fredriksson a écrit :
> I tried with this:
> 
> -(local.cf)---
> 
> internal_networks 10.0.0.0/8
> trusted_networks 10.0.0.0/8 127.0.0.1
> trusted_networks 212.16.98.0/24 212.16.100.0/24 62.142.0.0/16 195.197.172.98
> trusted_networks 195.74.0.0/16 213.192.189.2/24 217.30.188.0/24 65.54.0.0/16
> trusted_networks 83.145.211.136 217.30.180.104
> trusted_networks 64.233.183.0/24 209.85.199.0/24 72.14.247.27/24 64.233.163.27
> trusted_networks 213.157.94.92
> 
> --
> 
> Here, internal is a subset of trusted, is that how it should go?
> 
> $ spamassassin -D --lint
> 
> [7594] warn: netset: cannot include 127.0.0.1/32 as it has already been 
> included

remove 127.0.0.1/32

> [7594] warn: netset: cannot include 10.0.0.0/8 as it has already been included

which version of SA is this? also grep for 10.0 in your .cf files.

when I put your lines in my config, I only seethe 127.0.0.1/32 warning.

> 
> 
> It looks like SA itself configured the trusted.
> 

Re: How to attach spam messages as HTML instead of TXT

[LuKreme]

On 13-Jul-2009, at 19:42, Fenton, Jason (interVations) wrote:
Is there a way to set SpamAssassin to save and attached the original  
message as HTML instead of TXT which has been caught as spam in-case  
it is a legitimate email?


HTML is text.  The original untouched message is saved as a standard  
compliant email attachment. On a decent mail client, simply opening  
the attachment will have the original message, exactly as it should  
be, ready to be moved to another folder, forwarded, replied to, or  
whatever.


As a hosting provider the main feedback we get is that the users  
cannot read the TXT file.


Then your users are stupid or their MUA is broken.

In the future do not post html email and especially not bullshit  
copyright notices to this list. No one will help you.


--
No one ever thinks of themselves as one of Them. We're always one
of Us. It's Them that do the bad things.

Header Layout

[Steve]

This is very pretty;

X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.3379
Rule breakdown below
 pts rule name  description
 --
--
0.00 NO_REAL_NAME   From: does not include a real name
1.58 MISSING_HEADERSMissing To: header
0.00 TO_CC_NONE No To: or Cc: header


Can we change the header layout with SA to format it similar to this?

Re: URI-DNSBL problem with spamassassin 3.2.5

[Eddy Beliveau]

 Message original 
Sujet : Re: URI-DNSBL problem with spamassassin 3.2.5
De : Michael Parker 
Pour : Eddy Beliveau 
Copie à : users@spamassassin.apache.org, Mark Martinec 


Date : 2009-07-09 19:37


On Jul 9, 2009, at 1:40 PM, Eddy Beliveau wrote:


but Ido not find any timing.log file on my current directory or 
anywhere on my system!!


Did I missed something ?



I doubt all the necessary hooks are in place for that plugin to work 
in 3.2.5, you'd need to run 3.3 to make use of that plugin.


Michael



Hi! Michael,

Many thanks for the hint.

The current devel version is 3.3.0-alpha1 (dated 2 weeks ago)

Do you know when the production release will be available ?

I do not want to put non-production version on my academic server.

Maybe I can send you the culprit email if you have 3.3 installed and see 
how it reacts on your location !


Is there a web page where I can inject the email to have it analysed by 
some SA version ?
I tried my 250KB message with http://flashmarketing.com/spam-check.htm 
but it said that my message is too big


Thanks,
Eddy

Re: trusted_networks and internal_networks

[Benny Pedersen]

On Tue, July 14, 2009 14:48, Jari Fredriksson wrote:
> Yeah. My LAN is using 10/8 for hysterical reasons. Is there something wrong 
> here?

just that your source have now rfc1918 ranges hardcorded into sa, so remove 
your own internal/trsuted/msa for rfc1918 will solve it

ps: i have not seen the cpan source, but the error you get is that problem

-- 
xpoint

Re: trusted_networks and internal_networks

[Bowie Bailey]

Jari Fredriksson wrote:

I tried with this:

-(local.cf)---

internal_networks 10.0.0.0/8
trusted_networks 10.0.0.0/8 127.0.0.1
trusted_networks 212.16.98.0/24 212.16.100.0/24 62.142.0.0/16 195.197.172.98
trusted_networks 195.74.0.0/16 213.192.189.2/24 217.30.188.0/24 65.54.0.0/16
trusted_networks 83.145.211.136 217.30.180.104
trusted_networks 64.233.183.0/24 209.85.199.0/24 72.14.247.27/24 64.233.163.27
trusted_networks 213.157.94.92

--

Here, internal is a subset of trusted, is that how it should go?

$ spamassassin -D --lint

[7594] warn: netset: cannot include 127.0.0.1/32 as it has already been included
[7594] warn: netset: cannot include 10.0.0.0/8 as it has already been included


It looks like SA itself configured the trusted.
  


I know that you should not include 127.0.0.1 since it is always there by 
default (if you can't trust your own server, you have bigger problems 
than the SA config), but I'm not sure where the error for 10.0.0.0/8 
came from.  That one should not be trusted by default as far as I know.


--
Bowie

Re: trusted_networks and internal_networks

[Jari Fredriksson]

> On Tue, July 14, 2009 13:25, Jari Fredriksson wrote:
> 
>> [7594] warn: netset: cannot include 127.0.0.1/32 as it
>> has already been included [7594] warn: netset: cannot
>> include 10.0.0.0/8 as it has already been included It
>> looks like SA itself configured the trusted. 
> 
> rfc1918
> 

Yeah. My LAN is using 10/8 for hysterical reasons. Is there something wrong 
here?


> sa 3.3 ?

3.2.5 from cpan.

Re: use save_pattern_hits to debug Mail::SpamAssassin?

[Daniel Schaefer]

So what I want is to get a list of all performed check and the score of this 
check.

  
If you want to see the scores of the successful checks in all emails, 
put this in your cf file:

add_header all Report _REPORT_

--
Dan Schaefer
Application Developer
Performance Administration Corp.

use save_pattern_hits to debug Mail::SpamAssassin?

[peter pilsl]

I have some serious problems with my Spam-Detection. I use a milter wrapped 
around Mail::SpamAssassin and occassionaly a Mail slips through with a quite 
low spamscore despite the fact that a later check gives it a high score.

So what I want is to get a list of all performed check and the score of this 
check.

According to the manpage the following should help:


save_pattern_hits
   If set to 1, the patterns hit can be retrieved from the 
"Mail::SpamAssassin::PerMsgStatus" object.  Used for debugging.


But when I look at the status-object (of type 
"Mail::SpamAssassin::PerMsgStatus") I dont get the information I'm looking for.

Thnx,
peter

Re: How to attach spam messages as HTML instead of TXT

[Benny Pedersen]

On Tue, July 14, 2009 03:42, Fenton, Jason (interVations) wrote:
> Did you know...?
>
> We are the first in the world to offer Web Development Financing.
>
> read more... 

adds

> Is there a way to set SpamAssassin to save and attached the original
> message as HTML instead of TXT which has been caught as spam in-case it
> is a legitimate email?

spamassassin cant save or modify anything not even you stupid html posting, 
that say users have a mua problem understanding how to
use email in the first place

> As a hosting provider the main feedback we get is that the users cannot
> read the TXT file.

find a better hosting provider

> This is obviously because they don't know how to save
> as html to their desktops and open the email from there.

nothing to do with spamassassin

> Any advice would be greatly appreciated.

did you know i deleted 85% of your problem here ?

-- 
xpoint

Re: trusted_networks and internal_networks

[Benny Pedersen]

On Tue, July 14, 2009 13:25, Jari Fredriksson wrote:

> [7594] warn: netset: cannot include 127.0.0.1/32 as it has already been 
> included
> [7594] warn: netset: cannot include 10.0.0.0/8 as it has already been included
> It looks like SA itself configured the trusted.

rfc1918

sa 3.3 ?

-- 
xpoint

Re: sharing the bayes DB?

[Jari Fredriksson]

> google found me nothing authoritative on this, so I
> figured asking is the way to go...
> 
> Is it good/bad/etc to share out a MySQL Bayes DB from a
> central host to multiple machines running spamd?

It is good.

I have shared a bayes database via nfs (w/o SQL) and mysql and those both 
seemed to work. SQL is better though.

Re: deactivate all checks except specific tests

[Justin Mason]

sorry about the double-post -- original message was stuck in moderation queue.

On Fri, Jul 10, 2009 at 18:20,
sebast...@debianfan.de wrote:
> Hello,
>
> i have set up a virtual server for experiments.
>
> I want to disable all the spamassassin tests - except one specific rbl - in
> this topic-  the manitu rbl.
>
> Is there a parameter for disabling all the tests?
>
> Thx
>
> Sebastian
>
>

deactivate all checks except specific tests

[sebast...@debianfan.de]

Hello,

i have set up a virtual server for experiments.

I want to disable all the spamassassin tests - except one specific rbl - 
in this topic-  the manitu rbl.


Is there a parameter for disabling all the tests?

Thx

Sebastian

How to attach spam messages as HTML instead of TXT

[Fenton, Jason (interVations)]

Did you know...?

We are the first in the world to offer Web Development Financing.

read more...  

Hi Everyone

 

Is there a way to set SpamAssassin to save and attached the original
message as HTML instead of TXT which has been caught as spam in-case it
is a legitimate email?

 

As a hosting provider the main feedback we get is that the users cannot
read the TXT file. This is obviously because they don't know how to save
as html to their desktops and open the email from there.

 

Any advice would be greatly appreciated.

 

 

Have a great day!

Regards,

 

 
http://www.intervations.com.au/Email_Stationary/spacer.gif 

http://www.intervations.com.au/Email_Stationary/logo_intervationsR.gif
 
innovative internet + print solutions

 

Jason Fenton
Managing/Creative Director

p: 02 8003 5779
m: 0403 210 405
e: m...@intervations.com.au  

unit 9, 18 woolcott st
waverton nsw 2060

abn: 11 319 701 566

w: www.intervations.com.au  

 
http://www.intervations.com.au/Email_Stationary/spacer.gif 

(c)1997-2008 interVations. abn: 11 319 701 566. All Rights Reserved.
interVations and the stylised logo are the registered(r) trademark(tm)
of the Proprietor trading as interVations.

Disclaimer Notice: This message contains privileged and confidential
information intended only for the use of the addressee named above. If
you are not the intended recipient of this message you are hereby
notified that you must not disseminate, copy or take any action in
reliance on it. If you have received this message in error please notify
interVations immediately on +61 2 8003 5779. Any views expressed in this
message are those of the individual sender, except where the sender has
the authority to issue and specifically states them to be the views of
interVations. interVations advises that this email and any attached
files should be scanned to detect viruses. interVations accept no
liability for loss or damage (whether caused by negligence or not)
resulting from the use of any attached files.
  

 
http://www.intervations.com.au/Email_Stationary/enviro_message.gif 

 

 

sharing the bayes DB?

[Michael 'Moose' Dinn]

google found me nothing authoritative on this, so I figured asking is the way
to go...

Is it good/bad/etc to share out a MySQL Bayes DB from a central host to
multiple machines running spamd?


-- 
 Michael 'Moose' Dinn, Network Manager
 Airfire Telephone and Data Inc.
 (902) 420-1451 / supp...@airfire.ca

Re: trusted_networks and internal_networks

[Jari Fredriksson]

> Jari Fredriksson a écrit :
>>> MrGibbage a écrit :
 #ps11651.dreamhostps.com and pelorus.org
 internal_networks 75.119.219.171
 trusted_networks 75.119.219.171 #I think this is wrong
>>> no, it is not wrong. the documentation says:
>>> 
>>> Every entry in "internal_networks" must appear in
>>> "trusted_net-
>>> 
>>> works";
>>> 
>>> so whenever you put an internal_network line, you should
>>> add the same line with "trusted" instead of "internal".
>>> 
>> 
>> If that is indeed true,
> 
> As of 3.2.5, Received.pm contains this:
> 
> if (!$relay->{auth} &&
>  !$trusted->contains_ip($relay->{ip})) {
>  $in_trusted = 0; $in_internal = 0; # if it's
> not trusted it's not internal 
> 
> 
>}
> 
> so as soon as an "untrusted" relay is found, it is
> considered as "external".
> 
>> it is a BUG IMO.
>> 
> 
> not really a bug. just a configuration annoyance . I
> mean, since internal_networks is a subset of
> trusted_networks, then any "internal" relay should
> automatically be considered as "trusted", without the
> need to duplicate information. 
> 
> 
>> Brain dead requirement!
> 
> the requirement is "reasonable". an "internal" relay that
> wouldn't be "trusted" is irrelevant. why would you want
> to skip PBL/DUL lookup for an IP that may be forged?

I tried with this:

-(local.cf)---

internal_networks 10.0.0.0/8
trusted_networks 10.0.0.0/8 127.0.0.1
trusted_networks 212.16.98.0/24 212.16.100.0/24 62.142.0.0/16 195.197.172.98
trusted_networks 195.74.0.0/16 213.192.189.2/24 217.30.188.0/24 65.54.0.0/16
trusted_networks 83.145.211.136 217.30.180.104
trusted_networks 64.233.183.0/24 209.85.199.0/24 72.14.247.27/24 64.233.163.27
trusted_networks 213.157.94.92

--

Here, internal is a subset of trusted, is that how it should go?

$ spamassassin -D --lint

[7594] warn: netset: cannot include 127.0.0.1/32 as it has already been included
[7594] warn: netset: cannot include 10.0.0.0/8 as it has already been included


It looks like SA itself configured the trusted.

Re: forward mails as spam

[Cedric Knight]

neroxyr wrote:

> I have configured our domain mail to forward messages to a gmail account.
> I did a test sending an email from my gmail account to my domain mail; I
> receive the message sent from my gmail account, but immediately this message
> has to be sent to gmail.

> Mail Delivery Subsystem   13 de julio de 2009
> 17:08
> Para: t...@gmail.com
> The original message was received at Tue, 14 Jul 2009 03:08:52 +0500 (GMT)
> from avx [192.188.xx.xx]
> 
>   - The following addresses had permanent fatal errors -
> t...@gmail.com
>(reason: 550 5.7.1 Blocked by SpamAssassin)
>(expanded from: )

I observe you are sending backscatter.  If your server were set up
better, it would reject spam during the SMTP session (or discard it
later).  The bounce (NDN) would therefore come from the mailer-daemon at
gmail, not from mydomain.com as is shown above.

I use postfix rather than sendmail, but suspect your sendmail milter is
 wrongly configured, or just plain buggy.  What is the name of the
milter you are using?  I understand www.mimedefang.org is more standard
and shouldn't produce backscatter if correctly configured.  And Gmail's
own milter is supposedly quite good, so you might just want to run spamc
from procmail.

CK

Re: trusted_networks and internal_networks

[Jari Fredriksson]

> 
> where did your squirrelmail go now ?

I use it when I'm not sitting at home. It is up on my server, but I do not use 
it if I have access to my workstation.

I prefer Outlook Express with OE-QuoteFix over any other IMAP client I have 
tested.

Re: forward mails as spam

[Benny Pedersen]

On Tue, July 14, 2009 01:45, neroxyr wrote:

> http://www.nabble.com/file/p24471425/block.jpg

now we need to use gocr for helping you ?

-- 
xpoint

Re: trusted_networks and internal_networks

[Benny Pedersen]

On Tue, July 14, 2009 00:42, mouss wrote:
> the requirement is "reasonable". an "internal" relay that wouldn't be
> "trusted" is irrelevant. why would you want to skip PBL/DUL lookup for
> an IP that may be forged?

if thats the problem the mail wont get delivered in the first place

-- 
xpoint

Re: trusted_networks and internal_networks

[Benny Pedersen]

On Tue, July 14, 2009 00:08, Jari Fredriksson wrote:
>> so whenever you put an internal_network line, you should
>> add the same line with "trusted" instead of "internal".
> If that is indeed true, it is a BUG IMO.
> Brain dead requirement!

at least its open source so one can make a good patch to fix it

i find the hardcodes of 127.0.0.1 more brain dead then the above !

back to perl problem right ?, and more works on ExtractText ? :)

where did your squirrelmail go now ?

-- 
xpoint

Re: trusted_networks and internal_networks

[Benny Pedersen]

On Mon, July 13, 2009 23:55, mouss wrote:
> so whenever you put an internal_network line, you should add the same
> line with "trusted" instead of "internal".

in other words, internal cant be untrusted

so if you see spam with origin as internal networks ip then remove that ip as 
internal

-- 
xpoint