SA Timeouts
Hi All,

Having a problem with my SA setup. I'm using amavisd and Postfix. For some reason I get the following occasionally:

    Aug 19 15:37:20.176 ceg.caznet.com.au /usr/sbin/amavisd[5]: (5-01-6) SA dbg: bayes: database connection established
    Aug 19 15:37:20.177 ceg.caznet.com.au /usr/sbin/amavisd[5]: (5-01-6) SA dbg: bayes: found bayes db version 3
    Aug 19 15:37:20.179 ceg.caznet.com.au /usr/sbin/amavisd[5]: (5-01-6) SA dbg: bayes: Using userid: 4
    Aug 19 15:37:20.184 ceg.caznet.com.au /usr/sbin/amavisd[5]: (5-01-6) SA dbg: bayes: corpus size: nspam = 5993, nham = 24505
    Aug 19 15:39:30.977 ceg.caznet.com.au /usr/sbin/amavisd[4]: (4-02-4) (!)SA TIMED OUT, backtrace: at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PerMsgStatus.pm line 1961
        eval {...} called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PerMsgStatus.pm line 1961
        Mail::SpamAssassin::PerMsgStatus::_get_parsed_uri_list('Mail::SpamAssassin::PerMsgStatus=HASH(0xb0945cc)') called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PerMsgStatus.pm line 1852
        Mail::SpamAssassin::PerMsgStatus::get_uri_detail_list('Mail::SpamAssassin::PerMsgStatus=HASH(0xb0945cc)') called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 207
        Mail::SpamAssassin::Plugin::URIDNSBL::parsed_metadata('Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xae5421c)', 'HASH(0xb05f97c)') called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PluginHandler.pm line 202
        eval {...} called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/Plugin[...]

Any ideas?
Re: gpgkey failures with sa-update
>> On Tue, 2009-08-18 at 06:40 -0400, Gene Heskett wrote:
>>> One of the channels I use, yerp, has a failing gpg key despite my
>>> importation of that key. Several times.

On 18.08.09 21:49, Gene Heskett wrote:
> ...
> [25964] dbg: gpg: key id 6C6191E3 is not release trusted
> error: GPG validation failed!
> The update downloaded successfully, but the GPG signature verification failed.
> channel: GPG validation failed, channel failed

can you show us the key update process?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was a Windows 95 beta test site.
Re: HELO_DYNAMIC_IPADDR false positive
> Bob Proulx wrote:
>> The following header line:
>>
>>     Received: from static-96-254-126-11.tampfl.fios.verizon.net [96.254.126.11]
>>       by windows12.uvault.com with SMTP; Wed, 12 Aug 2009 08:26:40 -0400
>>
>> Hits the HELO_DYNAMIC_IPADDR rule. I tested it this way:
>>
>>     $ perl -le 'if ("static-96-254-126-11.tampfl.fios.verizon.net" =~ /[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+/) { print "Yes" } else { print "No" };'
>>     Yes
>>
>> But the address doesn't appear to be in a dynamic block. And it doesn't
>> look like a dynamic address pattern to me.

On 19.08.09 00:48, mouss wrote:
> The name of the rule is wrong, but the result is ok. Instead of dynamic,
> I suggest: UMO for Unidentifiable Mailing Object. Whether static-ip- is
> static or not doesn't matter. A lot of junk comes from such hosts, and we
> can't report/complain to a domain, since the domain is that of the SP
> (and getting SPs to block abuse sources has proven vain).

I'd be glad to see if there's any difference in percentage of spam from dynamic and static (generic) IP addresses.

There's also the __RDNS_STATIC rule which excludes those static hosts from being considered as dynamic. There should be one for HELO rules too. It would make me angry if I got scored more just because my server is properly configured and uses a proper helo which is the same as RDNS (some helo checks have a higher score than RCVD_HELO_IP_MISMATCH).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Enter any 12-digit prime number to continue.
SA-Update - SHA1 Verification failed
Hello all,

I only run sa-update once per day and the last two days it has failed with a SHA1 verification error. Here is the debug output (apologies for the line wrap(s)):

    ...
    [2208] dbg: plugin: Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xb0b2c3c) implements 'finish_tests', priority 0
    [2208] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0xb10c234) implements 'finish_tests', priority 0
    [2208] dbg: generic: lint check of site pre files succeeded, continuing with channel updates
    [2208] dbg: channel: reading MIRRORED.BY file
    [2208] dbg: channel: found mirror http://daryl.dostech.ca/sa-update/sare/90_2tld.cf/
    [2208] dbg: channel: found mirror http://updates.sa-update.com/sare/90_2tld.cf/
    [2208] dbg: channel: selected mirror http://updates.sa-update.com/sare/90_2tld.cf
    [2208] dbg: http: GET request, http://updates.sa-update.com/sare/90_2tld.cf/200908170100.tar.gz
    [2208] dbg: http: GET request, http://updates.sa-update.com/sare/90_2tld.cf/200908170100.tar.gz.sha1
    [2208] dbg: http: GET request, http://updates.sa-update.com/sare/90_2tld.cf/200908170100.tar.gz.asc
    [2208] dbg: http: IMS GET request, http://updates.sa-update.com/sare/90_2tld.cf/MIRRORED.BY, Wed, 12 Aug 2009 16:37:16 GMT
    [2208] dbg: sha1: verification wanted: 200908170100
    [2208] dbg: sha1: verification result: 13a6b42853abe9f5d8a94d56d6c6e294b3783ac5
    channel: SHA1 verification failed, channel failed
    [2208] dbg: generic: cleaning up temporary directory/files
    [2208] dbg: diag: updates complete, exiting with code 4

Is this a temporary mirror problem or something I should investigate further?

Thanks for any help or suggestions

Mark
Re: HELO_DYNAMIC_IPADDR false positive
Matus UHLAR - fantomas wrote:
>> Bob Proulx wrote:
>>> The following header line:
>>>
>>>     Received: from static-96-254-126-11.tampfl.fios.verizon.net [96.254.126.11]
>>>       by windows12.uvault.com with SMTP; Wed, 12 Aug 2009 08:26:40 -0400
>>>
>>> Hits the HELO_DYNAMIC_IPADDR rule. I tested it this way:
>>>
>>>     $ perl -le 'if ("static-96-254-126-11.tampfl.fios.verizon.net" =~ /[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+/) { print "Yes" } else { print "No" };'
>>>     Yes
>>>
>>> But the address doesn't appear to be in a dynamic block. And it doesn't
>>> look like a dynamic address pattern to me.
>
> On 19.08.09 00:48, mouss wrote:
>> The name of the rule is wrong, but the result is ok. Instead of dynamic,
>> I suggest: UMO for Unidentifiable Mailing Object. Whether static-ip- is
>> static or not doesn't matter. A lot of junk comes from such hosts, and we
>> can't report/complain to a domain, since the domain is that of the SP
>> (and getting SPs to block abuse sources has proven vain).
>
> I'd be glad to see if there's any difference in percentage of spam from
> dynamic and static (generic) IP addresses.

http://enemieslist.com/news/archives/2009/07/why_we_suspect.html

> There's also the __RDNS_STATIC rule which excludes those static hosts from
> being considered as dynamic. There should be one for HELO rules too. It
> would make me angry if I got scored more just because my server is properly
> configured and uses a proper helo which is the same as RDNS (some helo
> checks have a higher score than RCVD_HELO_IP_MISMATCH).

If your PTR is generic, then it is better to set the HELO to a non-generic value. Just make it resolve to the same IP. While it is not always possible to set a custom rdns, there is no excuse for not setting a meaningful HELO.
Re: SA-Update - SHA1 Verification failed
Hi,

On Wed, 19.08.2009 at 08:49:22 +0100, Arthur Dent <misc.li...@blueyonder.co.uk> wrote:
> I only run sa-update once per day and the last two days it has failed
> with a SHA1 verification error.

I just discovered a very similar problem:

    # sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A

... lots of stuff, then:

    [26719] dbg: channel: reading MIRRORED.BY file
    [26719] dbg: channel: found mirror http://daryl.dostech.ca/sa-update/zmi/70_zmi_german.cf/
    [26719] dbg: channel: found mirror http://updates.sa-update.com/zmi/70_zmi_german.cf/
    [26719] dbg: channel: selected mirror http://updates.sa-update.com/zmi/70_zmi_german.cf
    [26719] dbg: http: GET request, http://updates.sa-update.com/zmi/70_zmi_german.cf/200906100942.tar.gz
    [26719] dbg: http: GET request, http://updates.sa-update.com/zmi/70_zmi_german.cf/200906100942.tar.gz.sha1
    [26719] dbg: http: GET request, http://updates.sa-update.com/zmi/70_zmi_german.cf/200906100942.tar.gz.asc
    [26719] dbg: http: IMS GET request, http://updates.sa-update.com/zmi/70_zmi_german.cf/MIRRORED.BY, Sun, 15 Mar 2009 22:18:09 GMT
    [26719] dbg: sha1: verification wanted: 200906100942
    [26719] dbg: sha1: verification result: 707c3d6c1c90992e054829938349803790408c60
    channel: SHA1 verification failed, channel failed
    [26719] dbg: generic: cleaning up temporary directory/files
    [26719] dbg: diag: updates complete, exiting with code 4

Kind regards,
--Toni++
Re: gpgkey failures with sa-update
General advice: Post the error messages. Do a debug run. Post the relevant parts of the debug info.

>> Gene -- with your headstrong, infamous around here user setup, you should
>> first check exactly that -- users. Which one runs the cron job? Which one
>> do you sudo to? And which one imported the GPG key?
>
> Thanks for the compliment. I have studied on trying to do it right for
> almost 75 years now.

And yet you're doing it different than anyone else... ;)

> [25964] dbg: gpg: calling gpg
> [25964] dbg: gpg: gpg: Signature made Tue 18 Aug 2009 03:24:59 AM EDT using DSA key ID 6C6191E3
> [25964] dbg: gpg: [GNUPG:] SIG_ID XMBVEC+9EnYV7uMWvdrn/1H/+Hw 2009-08-18 1250580299
> [25964] dbg: gpg: [GNUPG:] GOODSIG DC85341F6C6191E3 Justin Mason Signing Key (Code Signing Only) signing...@jmason.org
> [25964] dbg: gpg: gpg: Good signature from Justin Mason Signing Key (Code Signing Only) signing...@jmason.org
> [25964] dbg: gpg: [GNUPG:] VALIDSIG 8D25B5E91DAF0F715F60B588DC85341F6C6191E3 2009-08-18 1250580299 0 3 0 17 2 00 8D25B5E91DAF0F715F60B588DC85341F6C6191E3
> [25964] dbg: gpg: [GNUPG:] TRUST_UNDEFINED
> [25964] dbg: gpg: gpg: WARNING: This key is not certified with a trusted signature!
> [25964] dbg: gpg: gpg: There is no indication that the signature belongs to the owner.
> [25964] dbg: gpg: Primary key fingerprint: 8D25 B5E9 1DAF 0F71 5F60 B588 DC85 341F 6C61 91E3
> [25964] dbg: gpg: found signature made by key 8D25B5E91DAF0F715F60B588DC85341F6C6191E3
> [25964] dbg: gpg: key id 6C6191E3 is not release trusted

  ^^^ You failed to provide the obligatory --gpgkey 6C6191E3 option.

> channel: GPG validation failed, channel failed
>
> Obviously this is a trust setting, not a gpg failure as I assumed when I
> posted. Which then begs the question of who is untrusted, me, or yerp.org?

Your sa-update run doesn't trust that key to sign releases. Please see man sa-update [1] for general information about that option, and the SOUGHT rule-set usage instructions [2] again, on how to use sa-update with that channel.

[1] http://spamassassin.apache.org/full/3.2.x/doc/sa-update.html
[2] http://taint.org/2007/08/15/004348a.html

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: HELO_DYNAMIC_IPADDR false positive
>> On 19.08.09 00:48, mouss wrote:
>>> The name of the rule is wrong, but the result is ok. Instead of dynamic,
>>> I suggest: UMO for Unidentifiable Mailing Object. Whether static-ip- is
>>> static or not doesn't matter. A lot of junk comes from such hosts, and we
>>> can't report/complain to a domain, since the domain is that of the SP
>>> (and getting SPs to block abuse sources has proven vain).

> Matus UHLAR - fantomas wrote:
>> I'd be glad to see if there's any difference in percentage of spam from
>> dynamic and static (generic) IP addresses.
>
> http://enemieslist.com/news/archives/2009/07/why_we_suspect.html

It says something very close to nothing. From the SA point of view, the ham/spam ratio is important and that is what I am curious about...

>> There's also the __RDNS_STATIC rule which excludes those static hosts from
>> being considered as dynamic. There should be one for HELO rules too. It
>> would make me angry if I got scored more just because my server is properly
>> configured and uses a proper helo which is the same as RDNS (some helo
>> checks have a higher score than RCVD_HELO_IP_MISMATCH).

On 19.08.09 09:55, mouss wrote:
> If your PTR is generic, then it is better to set the HELO to a non-generic
> value. Just make it resolve to the same IP. While it is not always possible
> to set a custom rdns, there is no excuse for not setting a meaningful HELO.

I wouldn't say so. An automatic helo string is much easier to configure and requires less work than a manual one...

Yes, with the current SA setting it may be true. But since we are complaining about this, this ain't an answer...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Due to unexpected conditions Windows 2000 will be released in the first quarter of the year 1901
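The regex test Bob ran, repeated in Python as an added example (not code from the thread, and not SpamAssassin's own rule implementation): the pattern is the one he quoted, copied verbatim, and applied to his real hostname plus a few constructed HELO strings under the reserved example.com/.net/.org domains. It shows the point mouss makes about HELO: a generic name with four numeric components matches whether or not the address is really static, while a meaningful HELO such as mail.example.org does not.

```python
import re

# Pattern Bob Proulx quoted for HELO_DYNAMIC_IPADDR, copied verbatim from his
# perl one-liner (assumption: it behaves the same under Python's re module).
HELO_DYNAMIC_IPADDR = re.compile(
    r"[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+"
)

# Constructed sample HELO names: Bob's real example plus hypothetical ones.
SAMPLES = [
    "static-96-254-126-11.tampfl.fios.verizon.net",  # from the thread
    "dsl-10-0-0-7.pool.example.net",                 # hypothetical generic name
    "mail.example.org",                              # hypothetical meaningful HELO
    "mx1.example.com",                               # one digit only: not four groups
]


def looks_generic(helo: str) -> bool:
    """True when the HELO string matches the pattern, i.e. when a
    HELO_DYNAMIC_IPADDR-style check would fire on it.  Unanchored search,
    like perl's =~ in Bob's test."""
    return HELO_DYNAMIC_IPADDR.search(helo) is not None


def classify(helos):
    """Map each HELO string to whether the pattern treats it as generic."""
    return {h: looks_generic(h) for h in helos}


if __name__ == "__main__":
    for helo, hit in classify(SAMPLES).items():
        print(f"{'HIT' if hit else 'ok '}  {helo}")
```

The two names that hit share the shape the pattern is really keyed on (a label containing four runs of digits, then at least two more dot-separated labels), which is why "static-" in the name makes no difference to the rule; a HELO that is a plain hostname under your own domain, resolving to the sending IP as mouss suggests, falls outside it.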
Re: SA-Update - SHA1 Verification failed
> I only run sa-update once per day and the last two days it has failed
> with a SHA1 verification error.

> [2208] dbg: channel: reading MIRRORED.BY file
> [2208] dbg: channel: found mirror http://daryl.dostech.ca/sa-update/sare/90_2tld.cf/
> [2208] dbg: channel: found mirror http://updates.sa-update.com/sare/90_2tld.cf/
> [2208] dbg: channel: selected mirror http://updates.sa-update.com/sare/90_2tld.cf

It is selecting a bad mirror. The domain expired recently. :-/

> channel: SHA1 verification failed, channel failed

> Is this a temporary mirror problem or something I should investigate further?

As a quick fix, just remove or comment out the bad mirror in all your MIRRORED.BY files. This should do:

    sed -i -e '/^http:\/\/updates.sa-update.com/ s/^/# /' */MIRRORED.BY
Re: SA-Update - SHA1 Verification failed
On Wed, 2009-08-19 at 13:21 +0200, Karsten Bräckelmann wrote:
>> I only run sa-update once per day and the last two days it has failed
>> with a SHA1 verification error.
>
>> [2208] dbg: channel: reading MIRRORED.BY file
>> [2208] dbg: channel: found mirror http://daryl.dostech.ca/sa-update/sare/90_2tld.cf/
>> [2208] dbg: channel: found mirror http://updates.sa-update.com/sare/90_2tld.cf/
>> [2208] dbg: channel: selected mirror http://updates.sa-update.com/sare/90_2tld.cf
>
> It is selecting a bad mirror. The domain expired recently. :-/
>
>> channel: SHA1 verification failed, channel failed
>
>> Is this a temporary mirror problem or something I should investigate further?
>
> As a quick fix, just remove or comment out the bad mirror in all your
> MIRRORED.BY files. This should do:
>
>     sed -i -e '/^http:\/\/updates.sa-update.com/ s/^/# /' */MIRRORED.BY

Thanks Karsten,

That did the trick...

BTW - What is the long fix? Are those MIRRORED.BY files auto-generated somehow or will I have to re-edit them again at some time in the future?...

Thanks again!

Mark
Re: SA-Update - SHA1 Verification failed
On Wed, 2009-08-19 at 12:55 +0100, Arthur Dent wrote:
> On Wed, 2009-08-19 at 13:21 +0200, Karsten Bräckelmann wrote:
>> It is selecting a bad mirror. The domain expired recently. :-/
>
>> As a quick fix, just remove or comment out the bad mirror in all your
>> MIRRORED.BY files. This should do:
>>
>>     sed -i -e '/^http:\/\/updates.sa-update.com/ s/^/# /' */MIRRORED.BY
>
> Thanks Karsten,
>
> That did the trick...
>
> BTW - What is the long fix? Are those MIRRORED.BY files auto-generated
> somehow or will I have to re-edit them again at some time in the future?...

You're welcome.

The long fix would be bug 6083 [1], and of course to fix the MIRRORED.BY files on the servers. Reactivating the expired domain would heal all this, but not fix the underlying issue, FWIW.

You should not need to re-edit them again, unless you update SA or add new channels affected by the same issue.

  guenther -- don't forget about the nick ;)

[1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6083
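Two pieces of what this thread is about, written as an added Python example (not the thread's code and not sa-update's own implementation): a fail-closed SHA-1 check of a downloaded rules tarball that also rejects a .sha1 "file" which is really a parking page rather than a digest, which is the failure mode an expired mirror domain produces, and the MIRRORED.BY edit that Karsten's sed one-liner performs. It assumes the .sha1 file carries the digest as its first whitespace-separated token, as sha1sum writes it; the tarball, digest file and MIRRORED.BY contents are constructed.

```python
import hashlib
import re

HEX_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def verify_sha1(tarball: bytes, sha1_file_text: str):
    """Verify a downloaded tarball against the text of its .sha1 file.

    Returns (ok, detail).  Anything that is not a 40-hex-digit digest
    (empty body, HTML from a parked domain, a redirect page) fails closed,
    so a dead mirror can never be mistaken for a matching hash.
    """
    tokens = sha1_file_text.split()
    wanted = tokens[0].lower() if tokens else ""
    if not HEX_SHA1.match(wanted):
        return False, f"sha1 file does not contain a hex digest: {wanted[:40]!r}"
    got = hashlib.sha1(tarball).hexdigest()
    if got != wanted:
        return False, f"digest mismatch: wanted {wanted}, got {got}"
    return True, got


def disable_mirror(mirrored_by_text: str, bad_host: str) -> str:
    """Comment out every mirror line for bad_host in a MIRRORED.BY file,
    the same edit Karsten's sed one-liner makes (a line may carry
    'weight=' options after the URL, which stay with the commented line)."""
    pattern = re.compile(r"^https?://" + re.escape(bad_host) + r"(/|$)")
    out = []
    for line in mirrored_by_text.splitlines():
        out.append("# " + line if pattern.match(line) else line)
    return "\n".join(out) + "\n"


# Constructed inputs (not real update data).
TARBALL = b"fake rules tarball contents\n"
GOOD_SHA1_FILE = hashlib.sha1(TARBALL).hexdigest() + "  200908170100.tar.gz\n"
PARKED_PAGE = "<html><body>This domain may be for sale</body></html>\n"
MIRRORED_BY = (
    "http://daryl.dostech.ca/sa-update/sare/90_2tld.cf/\n"
    "http://updates.sa-update.com/sare/90_2tld.cf/\n"
)

if __name__ == "__main__":
    print(verify_sha1(TARBALL, GOOD_SHA1_FILE))
    print(verify_sha1(TARBALL, PARKED_PAGE))
    print(disable_mirror(MIRRORED_BY, "updates.sa-update.com"), end="")
```

The commented-out mirror is only a local workaround, as Karsten says; the channel's own MIRRORED.BY is re-fetched when the channel is updated, so the edit has to be repeated if a new copy still lists the dead host.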
Image Spam
Why haven't spammers think about this approach before? I can imagine it is very difficult for Fuzzy OCR to tag this with a high score.

http://pastebin.com/m247b74c8

-- 
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
Re: Image Spam
Dan Schaefer wrote:
> Why haven't spammers think about this approach before? I can imagine it
> is very difficult for Fuzzy OCR to tag this with a high score.
>
> http://pastebin.com/m247b74c8

Oops. Why haven't spammers *thought about this approach before?

SpamAssassin did a nice job of catching it though.
Re: Image Spam
On Wed, 19.08.2009 at 08:28:21 -0400, Dan Schaefer <d...@performanceadmin.com> wrote:
> Dan Schaefer wrote:
>> Why haven't spammers think about this approach before? I can imagine it
>> is very difficult for Fuzzy OCR to tag this with a high score.
>>
>> http://pastebin.com/m247b74c8
>
> Oops. Why haven't spammers *thought about this approach before?
>
> SpamAssassin did a nice job of catching it though.

W/o looking at the image, what exactly do you mean?

Kind regards,
--Toni++
Re: SA Timeouts
Cory Hawkless wrote:
> Hi All,
>
> Having a problem with my SA setup. I'm using amavisd and Postfix. For some
> reason I get the following occasionally:
>
> Aug 19 15:37:20.176 ceg.caznet.com.au /usr/sbin/amavisd[5]: (5-01-6) SA dbg: bayes: database connection established
> Aug 19 15:37:20.177 ceg.caznet.com.au /usr/sbin/amavisd[5]: (5-01-6) SA dbg: bayes: found bayes db version 3
> Aug 19 15:37:20.179 ceg.caznet.com.au /usr/sbin/amavisd[5]: (5-01-6) SA dbg: bayes: Using userid: 4
> Aug 19 15:37:20.184 ceg.caznet.com.au /usr/sbin/amavisd[5]: (5-01-6) SA dbg: bayes: corpus size: nspam = 5993, nham = 24505
> Aug 19 15:39:30.977 ceg.caznet.com.au /usr/sbin/amavisd[4]: (4-02-4) (!)SA TIMED OUT, backtrace: at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PerMsgStatus.pm line 1961
>     eval {...} called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PerMsgStatus.pm line 1961
>     Mail::SpamAssassin::PerMsgStatus::_get_parsed_uri_list('Mail::SpamAssassin::PerMsgStatus=HASH(0xb0945cc)') called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PerMsgStatus.pm line 1852
>     Mail::SpamAssassin::PerMsgStatus::get_uri_detail_list('Mail::SpamAssassin::PerMsgStatus=HASH(0xb0945cc)') called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 207
>     Mail::SpamAssassin::Plugin::URIDNSBL::parsed_metadata('Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xae5421c)', 'HASH(0xb05f97c)') called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PluginHandler.pm line 202
>     eval {...} called at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/Plugin[...]

Roughly twice a day? If so, I'm guessing a bayes expire run makes the SA run just long enough to get killed (expiry does take a while, depending on hardware and DB size; it adds around 1-2 minutes to a run).

Try either:

  1) extend the amavis timeout by 30 seconds
  2) disable SA's bayes_auto_expire, and use a cronjob to run
     sa-learn --force-expire instead.

and see if it goes away.
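The "roughly twice a day?" question is something the amavisd log can answer directly. As an added example (not code from the thread or from amavisd), here is a small Python parser for log lines in the format Cory posted: it pulls out the SA TIMED OUT events, the SpamAssassin plugin named first in the backtrace, and the hours of the day in which timeouts recur across days. A timeout that lands in the same hour every day points at a scheduled job such as bayes auto-expiry, as Mark suggests; a one-off timeout looks more like a single slow message. The log lines are constructed in the amavisd format with the hostname mx.example.com and shortened backtraces.

```python
import re
from collections import Counter

# amavisd logs an SA timeout as one line, with the backtrace joined by literal
# \n\t sequences, e.g.:
#   Aug 19 15:39:30.977 host /usr/sbin/amavisd[4]: (4-02-4) (!)SA TIMED OUT, backtrace: ...
TIMEOUT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)(?:\.\d+)? "
    r"(?P<host>\S+) \S*amavisd\[(?P<pid>\d+)\]: \((?P<task>[\w-]+)\) "
    r"\(!\)SA TIMED OUT, backtrace: (?P<bt>.*)$"
)
# First SpamAssassin plugin mentioned in the backtrace (PluginHandler is not a plugin).
PLUGIN_RE = re.compile(r"Mail::SpamAssassin::Plugin::(\w+)")


def parse_timeouts(lines):
    """One dict per SA TIMED OUT line: day, hour, amavisd task id and the
    plugin that was running when SA was killed (None if none in the trace)."""
    events = []
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue  # ordinary dbg/info lines are skipped
        plugins = PLUGIN_RE.findall(m.group("bt"))
        events.append({
            "day": f"{m.group('mon')} {int(m.group('day'))}",
            "hour": int(m.group("time")[:2]),
            "task": m.group("task"),
            "plugin": plugins[0] if plugins else None,
        })
    return events


def timeouts_per_day(events):
    """Count timeouts per calendar day."""
    return Counter(e["day"] for e in events)


def recurring_hours(events):
    """Hours of the day in which a timeout happened on more than one day."""
    days_by_hour = {}
    for e in events:
        days_by_hour.setdefault(e["hour"], set()).add(e["day"])
    return sorted(h for h, days in days_by_hour.items() if len(days) > 1)


# Constructed sample log: two recurring timeouts per day in URIDNSBL plus one
# unrelated timeout; hostname, paths and addresses are placeholders.
BT_URIDNSBL = (
    "at /usr/lib/perl5/Mail/SpamAssassin/PerMsgStatus.pm line 1961\\n\\t"
    "Mail::SpamAssassin::Plugin::URIDNSBL::parsed_metadata("
    "'Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x1)', 'HASH(0x2)') "
    "called at /usr/lib/perl5/Mail/SpamAssassin/PluginHandler.pm line 202"
)
BT_BAYES = (
    "at /usr/lib/perl5/Mail/SpamAssassin/Plugin/Bayes.pm line 1\\n\\t"
    "Mail::SpamAssassin::Plugin::Bayes::check_bayes("
    "'Mail::SpamAssassin::Plugin::Bayes=HASH(0x3)') "
    "called at /usr/lib/perl5/Mail/SpamAssassin/PluginHandler.pm line 202"
)
SAMPLE_LOG = [
    "Aug 19 03:41:02.110 mx.example.com /usr/sbin/amavisd[7]: (7-01-2) SA dbg: bayes: corpus size: nspam = 5993, nham = 24505",
    "Aug 19 03:41:44.901 mx.example.com /usr/sbin/amavisd[7]: (7-01-2) (!)SA TIMED OUT, backtrace: " + BT_URIDNSBL,
    "Aug 19 15:39:30.977 mx.example.com /usr/sbin/amavisd[4]: (4-02-4) (!)SA TIMED OUT, backtrace: " + BT_URIDNSBL,
    "Aug 19 18:00:01.000 mx.example.com /usr/sbin/amavisd[4]: (4-02-5) Passed CLEAN, <a@example.net> -> <b@example.com>",
    "Aug 20 03:40:12.334 mx.example.com /usr/sbin/amavisd[9]: (9-01-1) (!)SA TIMED OUT, backtrace: " + BT_URIDNSBL,
    "Aug 20 11:02:55.002 mx.example.com /usr/sbin/amavisd[9]: (9-03-8) (!)SA TIMED OUT, backtrace: " + BT_BAYES,
    "Aug 20 15:38:09.777 mx.example.com /usr/sbin/amavisd[5]: (5-02-3) (!)SA TIMED OUT, backtrace: " + BT_URIDNSBL,
]

if __name__ == "__main__":
    ev = parse_timeouts(SAMPLE_LOG)
    print(dict(timeouts_per_day(ev)))
    print("recurring hours:", recurring_hours(ev))   # [3, 15]
    print("by plugin:", dict(Counter(e["plugin"] for e in ev)))
```

Run against a real amavisd log (one line per list entry), the recurring-hours output is what to compare with the time bayes expiry is scheduled; if the two line up, Mark's options 1) and 2) apply, and if the timeouts are scattered the URI-parsing frames in the trace point at slow messages or DNS instead.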
Re: Image Spam
On Wed, 19 Aug 2009 14:45:08 +0200
Toni Mueller <support-spamassas...@oeko.net> wrote:

> On Wed, 19.08.2009 at 08:28:21 -0400, Dan Schaefer <d...@performanceadmin.com> wrote:
>> Dan Schaefer wrote:
>>> Why haven't spammers think about this approach before? I can imagine
>>> it is very difficult for Fuzzy OCR to tag this with a high score.
>>>
>>> http://pastebin.com/m247b74c8
>>
>> Oops. Why haven't spammers *thought about this approach before?
>>
>> SpamAssassin did a nice job of catching it though.
>
> W/o looking at the image, what exactly do you mean?

It's like a traditional anonymous letter, with letters cut from different sources, with different colours, fonts and backgrounds.

To be fair it is in Cyrillic, so FuzzyOCR wouldn't have caught it without an appropriate wordlist anyway, but judging from the last image spam which got through with just a bit of a wave and slightly fuzzy letters, I don't think it's going to be much use in future.
Re: Image Spam
Hi,

On Wed, 19.08.2009 at 14:38:12 +0100, RW <rwmailli...@googlemail.com> wrote:
> It's like a traditional anonymous letter, with letters cut from different
> sources, with different colours, fonts and backgrounds.

thank you.

> To be fair it is in Cyrillic, so FuzzyOCR wouldn't have caught it without
> an appropriate wordlist anyway,

Ok. I usually delete such emails w/o ever looking at them, anyway.

> but judging from the last image spam which got through with just a bit of
> a wave and slightly fuzzy letters,

This sounds like it would be easy to generate this kind of spam, and bypass filters.

> I don't think it's going to be much use in future.

Therefore, I don't understand why spammers don't use it more. When I was at an anti-spam congress two years ago, a guy from Eleven touted their ability to catch sliced and diced image spam, and produced statistics which were intended to prove that the rate of this kind of spam was high, and still increasing.

I have fundamental objections against services of this kind, however, but could use second opinions.

TIA!

Kind regards,
--Toni++
Re: sa-update: stuck at 795855?
Hi,

> The problem is that the spammers test with the SA rulesets as soon as
> they are released, which is why the rulesets become ineffective.

I'm not sure I agree with that. If this were the case, I would have a lot less spam with scores of 50 or more, which obviously aren't even trying to do something as easy as pass it through SA first.

Also, couldn't we then draw conclusions from this that, since vendors like Symantec have rules which never are seen by spammers, that their rules are better?

Incidentally, are there technologies that vendors like Symantec, Proofpoint, Cisco, Google, etc, use that we don't have or don't have access to?

Thanks,
Alex
Assistance needed with spamassassin under RedHat 5.2
I have a default install of Redhat 5.2. I have MailScanner using it and it appears to be creating a large number of false positives. The version of SpamAssassin is version 3.2.4 which is running on Perl version 5.8.8. I am using the latest version of MailScanner. I believe the problem lies with spamassassin.

I have a test message which is genuine. Running this through spamassassin with -t (test) mode as described below gives the output below:

Running: spamassassin -t /tmp/rose2 gives at the bottom the following (edited for privacy) report.

    Spam detection software, running on the system somehost.gold.ac.uk, has
    identified this incoming email as possible spam. The original message has
    been attached to this so you can view it (if it isn't spam) or label
    similar future email. If you have any questions, see the administrator
    of that system for details.

    Content preview: Hi .content deleted for privacy.

    Content analysis details: (0.0 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.0 MISSING_MID            Missing Message-Id: header
     0.0 MISSING_DATE           Missing Date: header

So it seems (and I admit I am no expert here) that despite the low score spamassassin is tagging the message as spam (the subject line gets a {spam?} appended to it on the output). Can anyone help resolve this? The RH box is up to date with all the spamassassin RPMs.

Thanks

Erik
Re: Assistance needed with spamassassin under RedHat 5.2
Erik Bloodaxe wrote:
> I have a default install of Redhat 5.2. I have MailScanner using it and
> it appears to be creating a large number of false positives. The version
> of SpamAssassin is version 3.2.4 which is running on Perl version 5.8.8.
> I am using the latest version of MailScanner. I believe the problem lies
> with spamassassin.
>
> I have a test message which is genuine. Running this through spamassassin
> with -t (test) mode as described below gives the output below:
>
> Running: spamassassin -t /tmp/rose2 gives at the bottom the following
> (edited for privacy) report.
>
>     Spam detection software, running on the system somehost.gold.ac.uk, has
>     identified this incoming email as possible spam. The original message has
>     been attached to this so you can view it (if it isn't spam) or label
>     similar future email. If you have any questions, see the administrator
>     of that system for details.
>
>     Content preview: Hi .content deleted for privacy.
>
>     Content analysis details: (0.0 points, 5.0 required)
>
>      pts rule name              description
>     ---- ---------------------- --------------------------------------------------
>      0.0 MISSING_MID            Missing Message-Id: header
>      0.0 MISSING_DATE           Missing Date: header
>
> So it seems (and I admit I am no expert here) that despite the low score
> spamassassin is tagging the message as spam (the subject line gets a
> {spam?} appended to it on the output). Can anyone help resolve this? The
> RH box is up to date with all the spamassassin RPMs.

This is expected behavior. Read The Fine Manual... :)

    -t, --test-mode
        Test mode. Pipe message through and add extra report. Note that the
        report text assumes that the message is spam, since in normal use it
        is only visible in this case.

Pay attention to the score instead.

-- 
Bowie
Re: gpgkey failures with sa-update
On Wednesday 19 August 2009, Matus UHLAR - fantomas wrote:
>>> On Tue, 2009-08-18 at 06:40 -0400, Gene Heskett wrote:
>>>> One of the channels I use, yerp, has a failing gpg key despite my
>>>> importation of that key. Several times.
>
> On 18.08.09 21:49, Gene Heskett wrote:
>> ...
>> [25964] dbg: gpg: key id 6C6191E3 is not release trusted
>> error: GPG validation failed!
>> The update downloaded successfully, but the GPG signature verification failed.
>> channel: GPG validation failed, channel failed
>
> can you show us the key update process?

Exactly as shown on the web page at the time I added yerp.org to the channel list. No errors reported then, and I've now forgotten the url. www.yerp.org now gets me a webmail login screen, so obviously that wasn't it. Toss that url to me and I'll replay it again.

Thanks.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The NRA is offering FREE Associate memberships to anyone who wants them.
https://www.nrahq.org/nrabonus/accept-membership.asp
zpx
it's amazing how not-broken debian is compared to slack and rh
Re: Assistance needed with spamassassin under RedHat 5.2
Hi,

> spamassassin. I have a test message which is genuine. Running this
> through spamassassin with -t (test) mode as described below gives the
> output below:
>
> Running: spamassassin -t /tmp/rose2 gives at the bottom the following
> (edited for privacy) report.

Try adding some debugging output, and first look for something obviously wrong:

    # spamassassin -D -t /tmp/rose2 2>&1 | less

Go line-by-line looking for something that stands out as obviously wrong. Consider obfuscating your message, replacing your domain with example.com, for instance, and uploading it to pastebin.com. Then post a link here so we can all view the message for further ideas.

Regards,
Alex
Re: Assistance needed with spamassassin under RedHat 5.2
Bowie Bailey wrote:
> Erik Bloodaxe wrote:
>> I have a default install of Redhat 5.2. I have MailScanner using it and
>> it appears to be creating a large number of false positives. The version
>> of SpamAssassin is version 3.2.4 which is running on Perl version 5.8.8.
>> I am using the latest version of MailScanner. I believe the problem lies
>> with spamassassin.
>>
>> I have a test message which is genuine. Running this through spamassassin
>> with -t (test) mode as described below gives the output below:
>>
>> Running: spamassassin -t /tmp/rose2 gives at the bottom the following
>> (edited for privacy) report.
>>
>>     Spam detection software, running on the system somehost.gold.ac.uk, has
>>     identified this incoming email as possible spam. The original message has
>>     been attached to this so you can view it (if it isn't spam) or label
>>     similar future email. If you have any questions, see the administrator
>>     of that system for details.
>>
>>     Content preview: Hi .content deleted for privacy.
>>
>>     Content analysis details: (0.0 points, 5.0 required)
>>
>>      pts rule name              description
>>     ---- ---------------------- --------------------------------------------------
>>      0.0 MISSING_MID            Missing Message-Id: header
>>      0.0 MISSING_DATE           Missing Date: header
>>
>> So it seems (and I admit I am no expert here) that despite the low score
>> spamassassin is tagging the message as spam (the subject line gets a
>> {spam?} appended to it on the output). Can anyone help resolve this? The
>> RH box is up to date with all the spamassassin RPMs.
>
> This is expected behavior. Read The Fine Manual... :)
>
>     -t, --test-mode
>         Test mode. Pipe message through and add extra report. Note that the
>         report text assumes that the message is spam, since in normal use it
>         is only visible in this case.
>
> Pay attention to the score instead.

Ok, thanks and sorry for not spotting this. However, how can I investigate this problem further? The problem either lies with spamassassin, MailScanner or the interaction between them. I can reproduce the problem by sending the message through the system?

Which spamassassin options should I use (I have tried -d but this makes not a lot of sense to me).

Rob
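Bowie's point is that the -t report prose is boilerplate and only the score line and the rule table carry the verdict. As an added example (not code from the thread or from SpamAssassin), here is a Python parser that reads a -t report the way an operator should: it extracts the score and threshold from the "Content analysis details" line, the rule hits from the table, and decides spam-or-not by comparing the two, and it also reads the X-Spam-Status header that SpamAssassin adds in normal (non-test) operation, which is what downstream glue should be looking at. The report text and headers below are constructed after the one Erik posted, with the hostname replaced by mx.example.org.

```python
import re

# "Content analysis details:   (0.0 points, 5.0 required)" from the -t report
SCORE_RE = re.compile(
    r"Content analysis details:\s*\(\s*(-?\d+(?:\.\d+)?) points,\s*(-?\d+(?:\.\d+)?) required\)"
)
# One rule-hit row of the report table: "<pts> <RULE_NAME> <description>"
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(\S.*)$", re.M)
# The header SpamAssassin adds in normal operation (not -t)
STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)",
    re.M | re.I,
)


def parse_report(report):
    """Parse a spamassassin -t report.  The prose at the top always says
    'possible spam'; the verdict is score >= required, nothing else."""
    m = SCORE_RE.search(report)
    if not m:
        raise ValueError("no 'Content analysis details' line in report")
    score, required = float(m.group(1)), float(m.group(2))
    hits = [(float(p), name, desc.strip()) for p, name, desc in RULE_RE.findall(report)]
    return {"score": score, "required": required, "is_spam": score >= required, "hits": hits}


def parse_status_header(message):
    """Read the verdict from the X-Spam-Status header of a scanned message,
    or None when the message carries no such header."""
    m = STATUS_RE.search(message)
    if not m:
        return None
    return {
        "flag": m.group(1).lower() == "yes",
        "score": float(m.group(2)),
        "required": float(m.group(3)),
    }


# Constructed -t report modelled on the one in the thread (not real mail).
REPORT = """\
Spam detection software, running on the system "mx.example.org",
has identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Hi (content removed) [...]

Content analysis details:   (0.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 MISSING_MID            Missing Message-Id: header
 0.0 MISSING_DATE           Missing Date: header
"""

# Constructed headers from a normal (non -t) run on a message that did score high.
SPAMMY_HEADERS = """\
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.3 required=5.0 autolearn=no version=3.2.5
Subject: *****SPAM***** hello
"""

if __name__ == "__main__":
    r = parse_report(REPORT)
    print(f"score {r['score']} / required {r['required']} -> spam={r['is_spam']}")
    for pts, name, desc in r["hits"]:
        print(f"  {pts:5.1f} {name:<22} {desc}")
    print(parse_status_header(SPAMMY_HEADERS))
```

For Erik's case the parser returns is_spam=False for a 0.0-point message, which is the answer the -t prose obscures; the "{spam?}" subject tag he sees is added by the glue in front of SpamAssassin and is what to inspect next, using the score rather than the report text as the reference.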
Re: gpgkey failures with sa-update
Hi, list.

> No errors reported then, and I've now forgotten the url. www.yerp.org now
> gets me a webmail login screen, so obviously that wasn't it. Toss that url
> to me and I'll replay it again.

You should be able to search through your browser history, no? With Firefox v3.5, you can also just type yerp in the location bar, and it will do a more aggressive search through your previous URLs for anything containing those letters.

Regards,
Alex
Re: Image Spam
Toni Mueller wrote:
> Hi,
>
> On Wed, 19.08.2009 at 14:38:12 +0100, RW <rwmailli...@googlemail.com> wrote:
>> It's like a traditional anonymous letter, with letters cut from different
>> sources, with different colours, fonts and backgrounds.
>
> thank you.
>
>> To be fair it is in Cyrillic, so FuzzyOCR wouldn't have caught it without
>> an appropriate wordlist anyway,
>
> Ok. I usually delete such emails w/o ever looking at them, anyway.
>
>> but judging from the last image spam which got through with just a bit of
>> a wave and slightly fuzzy letters,
>
> This sounds like it would be easy to generate this kind of spam, and
> bypass filters.
>
>> I don't think it's going to be much use in future.
>
> Therefore, I don't understand why spammers don't use it more.

Apparently, it isn't especially effective.

Nothing says "Buy my stuff" better than an email done in fuzzy distorted letters. 8-)

Even if it gets past the filters, if it doesn't bring in business, it's not useful for spam.

Terry
Re: Image Spam
On Wed, 19.08.2009 at 11:40:24 -0400, Terry Carmen <te...@cnysupport.com> wrote:
> Nothing says "Buy my stuff" better than an email done in fuzzy distorted
> letters. 8-)

Ok, got it. ;} Although I'm still amazed about how spam does bring in business in the first place.

Sorry for being a bit thick.

Kind regards,
--Toni++
Re: gpgkey failures with sa-update
On Wednesday 19 August 2009, Karsten Bräckelmann wrote: General advice: Post the error messages. Do a debug run. Post the relevant parts of the debug info. Gene -- with your headstrong, infamous around here user setup, you should first check exactly that -- users. Which one runs the cron job? Which one do you sudo to? And which one imported the GPG key? Thanks for the complement. I have studied on trying to do it right for almost 75 years now. And yet you're doing it different than anyone else... ;) Because I run as root, I wanted to remove the possibility of an email root exploit, until I actually read it with kmail, all email is handled by the user gene, aka me. [25964] dbg: gpg: calling gpg [25964] dbg: gpg: gpg: Signature made Tue 18 Aug 2009 03:24:59 AM EDT using DSA key ID 6C6191E3 [25964] dbg: gpg: [GNUPG:] SIG_ID XMBVEC+9EnYV7uMWvdrn/1H/+Hw 2009-08-18 1250580299 [25964] dbg: gpg: [GNUPG:] GOODSIG DC85341F6C6191E3 Justin Mason Signing Key (Code Signing Only) signing...@jmason.org [25964] dbg: gpg: gpg: Good signature from Justin Mason Signing Key (Code Signing Only) signing...@jmason.org [25964] dbg: gpg: [GNUPG:] VALIDSIG 8D25B5E91DAF0F715F60B588DC85341F6C6191E3 2009-08-18 1250580299 0 3 0 17 2 00 8D25B5E91DAF0F715F60B588DC85341F6C6191E3 [25964] dbg: gpg: [GNUPG:] TRUST_UNDEFINED [25964] dbg: gpg: gpg: WARNING: This key is not certified with a trusted signature! [25964] dbg: gpg: gpg: There is no indication that the signature belongs to the owner. [25964] dbg: gpg: Primary key fingerprint: 8D25 B5E9 1DAF 0F71 5F60 B588 DC85 341F 6C61 91E3 [25964] dbg: gpg: found signature made by key 8D25B5E91DAF0F715F60B588DC85341F6C6191E3 [25964] dbg: gpg: key id 6C6191E3 is not release trusted ^^^ You failed to provide the obligatory --gpgkey 6C6191E3 option. 
That key is available at the location given in the invocation:

# su gene -c /usr/bin/sa-update -D --channelfile ~/.spamassassin/channels.txt --gpghomedir /var/lib/spamassassin/keys
channel: GPG validation failed, channel failed

Obviously this is a trust setting, not a gpg failure as I assumed when I posted. Which then begs the question of who is untrusted, me, or yerp.org?

Your sa-update run doesn't trust that key to sign releases. Please see man sa-update [1] for general information about that option, and the SOUGHT rule-set usage instructions [2] again, on how to use sa-update with that channel.

I note that trustdb.gpg is only 1200 bytes long, whereas pubring is nearly 5000 long. Wandering around with gpg's queries, that key is indeed not in my database. WTF...

[1] http://spamassassin.apache.org/full/3.2.x/doc/sa-update.html

That shows a different procedure, what I used started with a wget IIRC.

[2] http://taint.org/2007/08/15/004348a.html

This site has the procedure I used. Several times. Replayed again here, using those instructs:

[r...@coyote keys]# su gene
[g...@coyote keys]$ cd
[g...@coyote ~]$ wget http://yerp.org/rules/GPG.KEY
--2009-08-19 11:50:03-- http://yerp.org/rules/GPG.KEY
Resolving yerp.org... XX.XX.XX.XX
Connecting to yerp.org|XX.XX.XX.XX|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2437 (2.4K) [application/pgp-keys]
Saving to: `GPG.KEY.1'
100%[===] 2,437 --.-K/s in 0.007s
2009-08-19 11:50:03 (338 KB/s) - `GPG.KEY.1' saved [2437/2437]

Then:

[g...@coyote ~]$ sa-update --import GPG.KEY.1

A test run:

[g...@coyote ~]$ sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
[g...@coyote ~]$

No reported error.
But, back as root: running the su gene -c gene's crontab line and get this for yerp:

[6455] dbg: channel: attempting channel sought.rules.yerp.org
[6455] dbg: channel: update directory /var/lib/spamassassin/3.002005/sought_rules_yerp_org
[6455] dbg: channel: channel cf file /var/lib/spamassassin/3.002005/sought_rules_yerp_org.cf
[6455] dbg: channel: channel pre file /var/lib/spamassassin/3.002005/sought_rules_yerp_org.pre
[6455] dbg: channel: metadata version = 320805296
[6455] dbg: dns: 5.2.3.sought.rules.yerp.org = 320805296, parsed as 320805296
[6455] dbg: channel: current version is 320805296, new version is 320805296, skipping channel

I won't post the lengthy full -D output, but it worked with no errors. What is different now than a couple of months ago when I did it the first 3 or 4 times? A head scratcher for sure. And many thanks for the hand holding, it's appreciated. But I hate it when the usual winderz advice of re-installing, actually works. Spooky. The Heisenberg principle at work I guess.

-- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) The NRA is offering FREE Associate memberships to anyone who wants them.
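The distinction Karsten draws above is the one that bites here: gpg reporting GOODSIG and VALIDSIG says the signature is cryptographically valid, but sa-update additionally requires the signing key to be on its --gpgkey allow-list, and it ignores the web-of-trust TRUST_* status entirely. The following added Python example (not sa-update's own code) parses the [GNUPG:] status lines gpg writes on --status-fd, constructed here from the debug output quoted above, and applies exactly that rule. The allow-list contents, the BADSIG sample and the helper names are assumptions for the illustration.

```python
"""Signature check with key pinning, the rule sa-update applies: a good
signature alone is not enough, the signing key must also be on the --gpgkey
allow-list. Added example, not sa-update's own code."""
import re
from typing import List, Optional, Set

# Constructed sample of gpg's --status-fd output, taken from the debug run
# quoted above (user id and SIG_ID as posted there).
STATUS_SAMPLE = """\
[GNUPG:] SIG_ID XMBVEC+9EnYV7uMWvdrn/1H/+Hw 2009-08-18 1250580299
[GNUPG:] GOODSIG DC85341F6C6191E3 Justin Mason Signing Key (Code Signing Only) signing...@jmason.org
[GNUPG:] VALIDSIG 8D25B5E91DAF0F715F60B588DC85341F6C6191E3 2009-08-18 1250580299 0 3 0 17 2 00 8D25B5E91DAF0F715F60B588DC85341F6C6191E3
[GNUPG:] TRUST_UNDEFINED
"""

# Constructed sample: a tampered file, which yields BADSIG and no VALIDSIG.
STATUS_BAD = "[GNUPG:] BADSIG DC85341F6C6191E3 Justin Mason Signing Key (Code Signing Only) signing...@jmason.org\n"

FPR = re.compile(r"^[0-9A-F]{40}$")


class VerifyResult:
    def __init__(self) -> None:
        self.good_signature = False
        self.fingerprint: Optional[str] = None  # primary key fingerprint
        self.trust: Optional[str] = None        # TRUST_* keyword, informational only
        self.errors: List[str] = []


def parse_status(status_text: str) -> VerifyResult:
    """Parse the [GNUPG:] lines gpg writes on --status-fd."""
    r = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            r.good_signature = True
        elif keyword == "VALIDSIG":
            # fields[2] is the signing key fingerprint; recent gpg appends the
            # primary key fingerprint as the last field. Prefer the primary.
            candidates = [f.upper() for f in (fields[-1], fields[2]) if FPR.match(f.upper())]
            if candidates:
                r.fingerprint = candidates[0]
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            r.good_signature = False
            r.errors.append(keyword)
        elif keyword.startswith("TRUST_"):
            r.trust = keyword
    return r


def normalize_key(key: str) -> str:
    """Accept fingerprints with or without the spaces gpg prints."""
    return key.replace(" ", "").upper()


def is_release_trusted(result: VerifyResult, allowed_keys: Set[str]) -> bool:
    """sa-update's rule: GOODSIG plus the signer on the --gpgkey list.
    TRUST_UNDEFINED on its own is not what produces 'is not release trusted'."""
    if not result.good_signature or result.errors or result.fingerprint is None:
        return False
    fpr = result.fingerprint
    for key in map(normalize_key, allowed_keys):
        if len(key) == 40 and key == fpr:
            return True
        # 8-hex short id or 16-hex long id: a suffix of the fingerprint
        if len(key) in (8, 16) and fpr.endswith(key):
            return True
    return False
```

With an empty allow-list the constructed status parses as a good signature that is nevertheless not release-trusted, which is the failure in the debug run; adding 6C6191E3 (or, better, the full fingerprint, since 8-hex short ids are cheap to collide) makes it pass. The key also has to sit in the keyring under the --gpghomedir that the cron invocation actually uses, not in some other user's keyring.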
Re: gpgkey failures with sa-update
Hello,

On Wed, 19.08.2009 at 12:09:43 -0400, Gene Heskett gene.hesk...@verizon.net wrote: On Wednesday 19 August 2009, Karsten Bräckelmann wrote: [2] http://taint.org/2007/08/15/004348a.html This site has the procedure I used. Several times.

I used this procedure just today, with no problem at all.

[g...@coyote ~]$ wget http://yerp.org/rules/GPG.KEY --2009-08-19 11:50:03-- http://yerp.org/rules/GPG.KEY Resolving yerp.org... XX.XX.XX.XX

No need to obfuscate that IP number, imho.

Then: [g...@coyote ~]$ sa-update --import GPG.KEY.1

Although I'm disturbed by your claim that this command doesn't yield an error message, I venture to guess that you added the key to your (gene's) keyring, while writing to the keyring of sa-update at /etc/mail/spamassassin/sa-update-keys/ (on my computer, anyway) should require root access.

Remember, in 2039, MOUSSE PASTA will be available ONLY by prescription!! Which doctor wants to lose their approbation? *eg* Kind regards, --Toni++
Re: gpgkey failures with sa-update
On Wednesday 19 August 2009, Toni Mueller wrote: Hello, On Wed, 19.08.2009 at 12:09:43 -0400, Gene Heskett gene.hesk...@verizon.net wrote: On Wednesday 19 August 2009, Karsten Bräckelmann wrote: [2] http://taint.org/2007/08/15/004348a.html This site has the procedure I used. Several times. I used this procedure just today, with no problem at all. [g...@coyote ~]$ wget http://yerp.org/rules/GPG.KEY --2009-08-19 11:50:03-- http://yerp.org/rules/GPG.KEY Resolving yerp.org... XX.XX.XX.XX No need to obfuscate that ip numer, imho. Then: [g...@coyote ~]$ sa-update --import GPG.KEY.1 Although I'm disturbed by your claim that this command doesn't yield an error message, I venture to guess that you added the key to your (gene's) keyring, while writing to the keyring of sa-update at /etc/mail/spamassassin/sa-update-keys/ (on my computer, anyway) should require root access.

And _that_ is a different set of keys! And they were the ones being updated all along. And no root access was used this time. I don't recall that I did before either, I think I just fixed the perms so gene could do it.

In /var/lib/sa/keys
[r...@coyote keys]# ls -l
total 28
-rw------- 1 gene gene 4505 2009-07-22 20:16 pubring.gpg
-rw------- 1 gene mail 2783 2008-12-19 08:26 pubring.gpg~
-rw------- 1 gene mail    0 2008-12-19 08:26 secring.gpg
-rw------- 1 gene mail 1200 2008-12-19 08:26 trustdb.gpg
[r...@coyote keys]# cd /etc/mail/spamassassin/sa-update-keys/
[r...@coyote sa-update-keys]# ls -l
total 32
-rw------- 1 gene gene 6743 2009-08-19 11:51 pubring.gpg
-rw------- 1 gene mail 5021 2008-09-13 08:44 pubring.gpg~
-rw------- 1 gene mail    0 2008-04-01 04:52 secring.gpg
-rw------- 1 gene mail 1200 2008-04-01 04:52 trustdb.gpg

Should I blow the first set away?, asks he, scratching head again. I'm running out of hair at this rate. Thanks Toni.

Remember, in 2039, MOUSSE PASTA will be available ONLY by prescription!! Which doctor wants to lose their approbation?
*eg* Kind regards, --Toni++ -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) The NRA is offering FREE Associate memberships to anyone who wants them. https://www.nrahq.org/nrabonus/accept-membership.asp Grub first, then ethics. -- Bertolt Brecht
Re: gpgkey failures with sa-update
Hi,

On Wed, 19.08.2009 at 13:33:20 -0400, Gene Heskett gene.hesk...@verizon.net wrote: In /var/lib/sa/keys

I have neither such a directory, nor any keys in either of /var/lib/spamassassin nor /var/db/spamassassin (depending on which of my machines I look at). But

[r...@coyote keys]# cd /etc/mail/spamassassin/sa-update-keys/
[r...@coyote sa-update-keys]# ls -l
total 32
-rw------- 1 gene gene 6743 2009-08-19 11:51 pubring.gpg
-rw------- 1 gene mail 5021 2008-09-13 08:44 pubring.gpg~
-rw------- 1 gene mail    0 2008-04-01 04:52 secring.gpg
-rw------- 1 gene mail 1200 2008-04-01 04:52 trustdb.gpg

I'm a bit hesitant to believe that such permissions will get you usable rule sets, provided they have similar permissions, because I guess that spamd is running under a different UID, right?

Should I blow the first set away?,

It would be interesting to find out where these other keys come from, lest you break something else.

Kind regards, --Toni++
mail slipping through
I've been having a pretty good hit rate on spam until recently (about two weeks). Two types of email have been coming through at a good rate. I'm receiving at least four per hour from the domains included below. I've also been training bayes with them as well, to no avail.

*...@chocolatebearbear .INFO
*...@biblegame .info
*...@clickbetterthere .info

To make matters worse, they seem to be using normal SMTP process of some type as they are getting through sqlgrey, without any problem. I blew away the all entries from sqlgrey for awl and the connection log, yet they came right back.

+-------------+-------------------+---------------+---------------------+---------------------+
| sender_name | sender_domain     | src           | first_seen          | last_seen           |
+-------------+-------------------+---------------+---------------------+---------------------+
| evcoieytabo | apostlesblog.info | 208.110.94    | 2009-08-19 14:22:51 | 2009-08-19 14:35:15 |
| edfluzvpbio | apostlesblog.info | 208.110.94.34 | 2009-08-19 14:26:23 | 2009-08-19 14:46:51 |
| flnkaxscfue | parishstore.info  | 76.73.123     | 2009-08-19 14:27:34 | 2009-08-19 14:39:46 |
| qmfeypysuno | parishstore.info  | 76.73.123     | 2009-08-19 14:36:40 | 2009-08-19 14:48:53 |
| xomdaygtyqi | parishstore.info  | 76.73.2       | 2009-08-19 14:45:04 | 2009-08-19 14:58:41 |
| hnmuelcljhu | biblegame.info    | 76.73.85      | 2009-08-19 14:33:29 | 2009-08-19 14:45:18 |
| cfkgytorpxe | biblegame.info    | 76.73.85.250  | 2009-08-19 14:41:28 | 2009-08-19 14:56:16 |
| obzfyowgbse | biblegame.info    | 76.73.85.250  | 2009-08-19 14:40:57 | 2009-08-19 14:55:38 |
...
+-------------+-------------------+---------------+---------------------+---------------------+

Anyway, I'm using sorbs and spamhaus in postfix, but these guys aren't listed on either of the two. I know some time ago SA had a list of fresh top X daily/weekly spammers. Does that still exist? Anyone have any recommended action to take on this. My SA config is pretty basic and is hitting lots of other spams, just not these guys.
Re: mail slipping through
Quoting Gary Smith gary.sm...@holdstead.com: I've been having a pretty good hit rate on spam until recently (about two weeks). Two types of email have been coming through at a good rate. I'm receiving at least four per hour from the domains included below. I've also been training bayes with them as well, to no avail. Is it pretty much the same body, just different senders? *...@chocolatebearbear .INFO *...@biblegame .info *...@clickbetterthere .info If it's just the senders you could easily blacklist the domains, none of these domains look all that legit. Can you copy a message or two (with full headers) to pastebin so we can have a look? --Dennis
RE: mail slipping through
Is it pretty much the same body, just different senders?

Yes and no. They are all the same body layout, some with different items in it. You can take a look at the body content here (screen captures of the content): http://www.localassociates.com/?page_id=7 Wares range from auto warranties to shoes. Anyway,

Header: http://pastebin.com/m51fd9344
body: http://pastebin.com/m7fe4c798

Please note, I use a perl script for doing the SA check. If the score is lower than a specific user threshold then the original email is attached. In the cases of all of these emails, they are to my personal account (or our testing accounts). So, no headers doesn't equal bad. Each message is indeed checked. I'm going to turn on debugging on one of the SA servers and see what the logs report for these actual requests (which will have to wait for 4 hours or so -- when most of the clients aren't using email).

If it's just the senders you could easily blacklist the domains, none of these domains look all that legit.

I was thinking that would be the easy way to fix these couple domains, but I'm sure they have more bogus ones as well.

Can you copy a message or two (with full headers) to pastebin so we can have a look? --Dennis
RE: mail slipping through
On Wed, 19 Aug 2009, Gary Smith wrote: Anyway, Header: http://pastebin.com/m51fd9344

I don't see any SA markup. What rules hit?

body: http://pastebin.com/m7fe4c798

I'd think that disclaimer code would be good bayes fodder, if the spams are as consistent as you say.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- What nuts do with guns is terrible, certainly. But what evil or crazy people do with *anything* is not a valid argument for banning that item. -- John C. Randolph j...@idiom.com --- 5 days until the 1930th anniversary of the destruction of Pompeii
RE: mail slipping through
I'd think that disclaimer code would be good bayes fodder, if the spams are as consistent as you say. That was in the comment right after the pastebin attachment. I will enable debugging on the SA server so I can save it there tonight and see what it says.
RE: mail slipping through
On Wed, 19 Aug 2009, Gary Smith wrote: I'd think that disclaimer code would be good bayes fodder, if the spams are as consistent as you say. That was in the comment right after the pastebin attachment. I will enable debugging on the SA server so I can save it there tonight and see what it says.

Huh? You've lost me. And I meant to say disclaimer text, the Any such information we gather shall never be shared with blah blah. Multitasking error, sorry. :)

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Warning Labels we'd like to see #1: If you are a stupid idiot while using this product you may hurt yourself. And it won't be our fault. --- 5 days until the 1930th anniversary of the destruction of Pompeii
Re: Image Spam
On ons 19 aug 2009 14:26:31 CEST, Dan Schaefer wrote: Why haven't spammers thought about this approach before? I can imagine it is very difficult for Fuzzy OCR to tag this with a high score.

You believe fuzzyocr is buggy? http://pastebin.com/m247b74c8 already detected as spam, what more do you want from spamassassin? -- xpoint
Re: local mail headers
Karsten Bräckelmann wrote: On Tue, 2009-08-18 at 19:09 -0400, Dave wrote: Hello, I'm a new user of spamassassin. I'm using version 3.2.5 on a CentOS 5.3 machine with postfix 2.3 as the MTA. Spamassassin is being called from amavisd-new version 2.6.4 to scan all messages. I don't want my outgoing emails scanned, I read spamassassin can be configured to not check if it detects specific headers. Here's what I have now for headers:

Nope. If SA detects specific headers, it already *is* scanning the mail. What you should do instead, is to configure your glue to not pass the mail on to SA in the first place -- that's either amavis, or even further down the road of your mail processing chain.

score LOCAL_RCVD -50

To accomplish what I want would this work:

header LOCAL_RCVD Received =~ /.*\(\S+\.example\.com\s+\[.*\]\)/
describe LOCAL_RCVD Received from mail.example.com

That will lower the score, but not prevent SA from scanning the mail.

This implies a full scan. What we do is setup a separate mailserver, on a separate machine, that is outbound-mail only. All users must authenticate SMTP to this system and no other relaying is allowed on it unless auth SMTP. We don't run SA on this. Besides keeping the configuration simple it has the added effect of dividing the mail load between multiple servers. Ted
RE: mail slipping through
That was in the comment right after the pastebin attachment. I will enable debugging on the SA server so I can save it there tonight and see what it says. Huh? You've lost me. And I meant to say disclaimer text, the Any such information we gather shall never be shared with blah blah. Multitasking error, sorry. :) Sorry for the confusion. I had meant that there are no SA headers because the script that processes the message will only return the marked up email message (from SA) if it's higher than the users threshold. By default, the score threshold in our system is 0.0, which marks most things as spam, but we have a lookup where each user sets their own score, and if it's higher than the score, they get the marked up email. So in order for me to show the marked up headers I need to turn the logging up on the SA servers, wait for the message to come in, and then get the details from the log.
RE: SA and mail from backup mx?
Hello, Mail from my backup mx is not being scanned for spam as it's coming in. Is this something i'd have to turn on at the MTA level, content filter, or SA? A majority of stuff my backup mx sends me is spam and i'd like to get it tagged as such. Is the backup on the same network as the primary? Do you have it listed as a trusted machine in the local.cf file? One of our backup MX's is external and it forwards the mail direct to the primary when it goes back online. Best way to find out is to look into the headers and see how the message is being relayed around.
RE: SA and mail from backup mx?
Hello, Thanks for your reply. Is the backup on the same network as the primary? Do you have it listed as a trusted machine in the local.cf file? The backup is not on the same network as the primary and it is not listed as a trusted machine in local.cf. My setup is like yours, if the primary goes down for maintenance or whatever the backup holds messages then relays when the primary is back. Thanks. Dave.
SA and mail from backup mx?
Hello, Mail from my backup mx is not being scanned for spam as it's coming in. Is this something i'd have to turn on at the MTA level, content filter, or SA? A majority of stuff my backup mx sends me is spam and i'd like to get it tagged as such. Thanks. Dave.
RE: SA and mail from backup mx?
Is the backup on the same network as the primary? Do you have it listed as a trusted machine in the local.cf file? The backup is not on the same network as the primary and it is not listed as a trusted machine in local.cf. My setup is like yours, if the primary goes down for maintence or whatever the backup holds messages then relays when the primary is back. I'd look into the headers then and look at the flow to make sure you are seeing flow that you expect. We do a lot of bouncing of mail on odd ports internally to different servers (as each server provides a different service) and each port has different rules setup. What MTA are you using?
Re: SA and mail from backup mx?
On Wed, 19 Aug 2009, Dave wrote: Mail from my backup mx is not being scanned for spam as it's coming in. Is this something i'd have to turn on at the MTA level, content filter, or SA? A majority of stuff my backup mx sends me is spam and i'd like to get it tagged as such.

Cue Marc Perkel... :)

Search the SA archive for high MX, there are some tricks you can use to reduce the message volume.

Are the messages not being scanned at all, or are they being scanned but not scoring properly? Have you set up anything in your MTA or glue to tell it that host is a backup MX? You would have to have done that *somewhere* for SA to not scan those messages.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- W-w-w-w-w-where did he learn to n-n-negotiate like that? --- 5 days until the 1930th anniversary of the destruction of Pompeii
RE: mail slipping through
On Wed, 19 Aug 2009, Gary Smith wrote: That was in the comment right after the pastebin attachment. I will enable debugging on the SA server so I can save it there tonight and see what it says. Huh? You've lost me. Sorry for the confusion. I had meant that there are no SA headers because the script that processes the message will only return the marked up email message (from SA) if it's higher than the users threshold. By default, the score threshold in our system is 0.0, which marks most things as spam, but we have a lookup where each user sets their own score, and if it's higher than the score, they get the marked up email. So in order for me to show the marked up headers I need to turn the logging up on the SA servers, wait for the message to come in, and then get the details from the log.

Ah. Okay. You might also be able to look up the Message-ID in /var/log/maillog, if you're using spamd.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- W-w-w-w-w-where did he learn to n-n-negotiate like that? --- 5 days until the 1930th anniversary of the destruction of Pompeii
Re: SA and mail from backup mx?
On Wed, 19 Aug 2009 17:56:30 -0400 Dave dave.meh...@gmail.com wrote: Hello, Thanks for your reply. Is the backup on the same network as the primary? Do you have it listed as a trusted machine in the local.cf file? The backup is not on the same network as the primary and it is not listed as a trusted machine in local.cf. My setup is like yours, if the primary goes down for maintence or whatever the backup holds messages then relays when the primary is back. It should be listed in your internal network.
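Why listing the backup MX matters is easiest to see by walking the Received headers the way SpamAssassin does: it scans them newest-first and treats the first relay that is not in trusted_networks/internal_networks as the message's origin, so its DNSBL, RDNS and SPF checks look at that relay's IP. If the backup MX is not trusted, the "origin" is your own backup MX, which is on no blocklist, and the real sending host is never examined. The following added Python example (not SpamAssassin's code) illustrates that trust-path rule; the headers, host names and addresses are constructed for the example, using the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.

```python
"""Trust-path walk over Received headers, as SpamAssassin does when it picks
the 'last external' relay to run network tests against. Added example, not
SpamAssassin's own code; message and addresses are constructed."""
import ipaddress
import re
from typing import List, Optional

# The bracketed address a receiving MTA records for the connecting peer.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message: a spambot delivered to the backup MX (the primary was
# down), the backup later relayed it to the primary. Newest header first.
SAMPLE_HEADERS = [
    "Received: from backup-mx.example.net (backup-mx.example.net [198.51.100.20]) "
    "by mx1.example.net (Postfix) with ESMTP id 1A2B3C; Wed, 19 Aug 2009 18:01:02 -0400",
    "Received: from unknown (HELO spambot.invalid) ([192.0.2.77]) "
    "by backup-mx.example.net with SMTP; 19 Aug 2009 17:55:10 -0000",
]


def relay_ips(received_headers: List[str]) -> List[ipaddress.IPv4Address]:
    """Peer addresses in the order SA walks them: most recent hop first."""
    ips = []
    for header in received_headers:
        m = RECEIVED_IP.search(header)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def last_external_relay(received_headers: List[str], trusted_networks: List[str]) -> Optional[str]:
    """First hop outside the trusted networks; None if every hop is trusted
    (i.e. the mail originated inside)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    for ip in relay_ips(received_headers):
        if not any(ip in net for net in nets):
            return str(ip)
    return None


# Only the primary (198.51.100.10) trusted: network tests target our own
# backup MX, 198.51.100.20, and the spambot at 192.0.2.77 is never checked.
# Backup MX added to the trusted set: the spambot becomes the last external relay.
```

In local.cf this corresponds to putting the backup MX's address in trusted_networks and, because it is an MX for your domain, internal_networks as well, which is the "listed in your internal network" advice above. Trusting a host means believing the Received headers it writes, so only do this for machines you administer.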
RE: SA and mail from backup mx?
Hi, Postfix on my server, the backup mx is using qmail. Dave. -Original Message- From: Gary Smith [mailto:gary.sm...@holdstead.com] Sent: Wednesday, August 19, 2009 6:03 PM To: 'dave.meh...@gmail.com'; 'users@spamassassin.apache.org' Subject: RE: SA and mail from backup mx? Is the backup on the same network as the primary? Do you have it listed as a trusted machine in the local.cf file? The backup is not on the same network as the primary and it is not listed as a trusted machine in local.cf. My setup is like yours, if the primary goes down for maintenance or whatever the backup holds messages then relays when the primary is back. I'd look into the headers then and look at the flow to make sure you are seeing flow that you expect. We do a lot of bouncing of mail on odd ports internally to different servers (as each server provides a different service) and each port has different rules setup. What MTA are you using?
RE: mail slipping through
Ah. Okay. You might also be able to look up the Message-ID in /var/log/maillog, if you're using spamd.

Didn't think of that. Here is the corresponding spam result for the pastebin entry (http://pastebin.com/m51fd9344) 503bb52.5...@biblegame.info

Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: processing message 503bb52.5...@biblegame.info for filter:124
Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4525,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58357,mid=503bb52.5...@biblegame.info,bayes=0.499430,autolearn=no

+----------------+
| spam_threshold |
+----------------+
|              7 |
+----------------+

Here are some more from the same set/type of senders.

Aug 19 14:39:46 hsoakmsa03l02 spamd[28319]: spamd: result: Y 2 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_RHS_DOB scantime=0.2,size=4584,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=37185,mid=1359ae2.5...@parishstore.info,bayes=0.490932,autolearn=no
Aug 19 14:45:18 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4516,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=33643,mid=509800d.5...@biblegame.info,bayes=0.498825,autolearn=no
Aug 19 14:46:52 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4511,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=33664,mid=2b19fe.5...@apostlesblog.info,bayes=0.499484,autolearn=no
Aug 19 14:48:58 hsoakmsa03l02 spamd[29369]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=4.0,size=4610,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=54478,mid=1359ae2.5...@parishstore.info,bayes=0.490647,autolearn=no
Aug 19 14:50:54 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4554,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=54515,mid=5b96444.5...@parishstore.info,bayes=0.446187,autolearn=no
Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4525,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58357,mid=503bb52.5...@biblegame.info,bayes=0.499430,autolearn=no
Aug 19 14:53:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=5905,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58363,mid=503bb52.5...@biblegame.info,bayes=0.496882,autolearn=no
Aug 19 14:53:43 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4579,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58369,mid=5b96444.5...@parishstore.info,bayes=0.446202,autolearn=no
Aug 19 14:55:38 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4508,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58422,mid=2b19fe.5...@biblegame.info,bayes=0.499487,autolearn=no
Aug 19 14:56:17 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4545,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58442,mid=1a25f92.5...@biblegame.info,bayes=0.498743,autolearn=no
Aug 19 14:58:42 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4594,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=52316,mid=1a25f92.5...@parishstore.info,bayes=0.487605,autolearn=no
Aug 19 15:03:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4543,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=53097,mid=509800d.5...@biblegame.info,bayes=0.498828,autolearn=no

This server's average scores (not too many domains going through this one right now).

Count  Score
    3     -1
  267    -10
   47    -11
   26    -12
   22    -13
   53    -14
    7    -15
    9    -16
    8    -17
    6    -18
   10    -19
    2     -2
    4    -20
    2    -21
    2    -23
    5     -3
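The log above already contains the answer to "what rules hit": every message scores 2 to 5, below the user's threshold of 7, and because required_score is 0.0 the Y flag says nothing. The following added Python example (not the poster's perl glue) parses spamd "result:" lines, applies a per-user threshold the way that glue is described as doing, counts which rules fire, and checks whether the Bayes probability ever leaves the neutral BAYES_50 band. The sample lines are copied from the log excerpt above (message-ids obfuscated as they appear there); the function names are this example's own.

```python
"""Triage of spamd 'result:' log lines against a per-user threshold. Added
example, not the poster's script. Sample lines copied from the log above."""
import re
from collections import Counter
from typing import Dict, List

RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[YN.]) (?P<score>-?\d+) - (?P<rules>\S+) (?P<kv>.*)$"
)

# Constructed from three of the lines quoted above.
SAMPLE_LOG = """\
Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB scantime=0.1,size=4525,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58357,mid=503bb52.5...@biblegame.info,bayes=0.499430,autolearn=no
Aug 19 14:39:46 hsoakmsa03l02 spamd[28319]: spamd: result: Y 2 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_RHS_DOB scantime=0.2,size=4584,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=37185,mid=1359ae2.5...@parishstore.info,bayes=0.490932,autolearn=no
Aug 19 14:45:18 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB scantime=0.2,size=4516,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=33643,mid=509800d.5...@biblegame.info,bayes=0.498825,autolearn=no
"""


def parse_results(log_text: str) -> List[Dict]:
    """One dict per 'result:' line: flag, integer score, rule list, and the
    key=value tail (mid, required_score, bayes, ...)."""
    results = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        kv = dict(item.split("=", 1) for item in m.group("kv").split(",") if "=" in item)
        results.append({
            "flag": m.group("flag"),
            "score": int(m.group("score")),
            "rules": m.group("rules").split(","),
            "mid": kv.get("mid"),
            "required_score": float(kv["required_score"]) if "required_score" in kv else None,
            "bayes": float(kv["bayes"]) if "bayes" in kv else None,
        })
    return results


def delivered_unmarked(results: List[Dict], user_threshold: float) -> List[str]:
    """Message-ids the glue hands through unmarked: score below the user's threshold."""
    return [r["mid"] for r in results if r["score"] < user_threshold]


def rule_counts(results: List[Dict]) -> Counter:
    """How often each rule fired across the sample; shows what the spam has in common."""
    counts: Counter = Counter()
    for r in results:
        counts.update(r["rules"])
    return counts


def bayes_neutral(results: List[Dict], low: float = 0.4, high: float = 0.6) -> bool:
    """True when every Bayes probability sits in the BAYES_50 band, i.e. the
    classifier contributes nothing to these messages despite the training."""
    return all(r["bayes"] is not None and low <= r["bayes"] <= high for r in results)
```

Run over the excerpt, every message lands below the threshold of 7, URIBL_BLACK and URIBL_RHS_DOB are the only rules with real weight, and bayes stays at 0.44 to 0.50 throughout, so the Bayes training described earlier is not reaching whatever tokens these messages share. Raising the scores of the URIBL rules or adding a rule on the shared disclaimer text would move them past 7; lowering the threshold would also catch legitimate HTML-only mail, so check the ham distribution first.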
Re: sa-update: stuck at 795855?
MySQL Student wrote: Hi, The problem is that the spammers test with the SA rulesets as soon as they are released, which is why the rulesets become ineffective. I'm not sure I agree with that. If this were the case, I would have a lot less spam with scores of 50 or more, which obviously aren't even trying to do something as easy as pass it through SA first.

This isn't applicable if you have Bayes turned on which I'd guess you do.

Also, couldn't we then draw conclusions from this that, since vendors like Symantec have rules which never are seen by spammers, that their rules are better?

Obscurity doesn't equal security. If unseen code was so secure then Microsoft Windows XP wouldn't have something like 250 security updates.

Incidentally, are there technologies that vendors like Symantec, Proofpoint, Cisco, Google, etc, use that we don't have or don't have access to?

Yes, unfortunately. Those vendors have thousands of their products distributed to many different sites. Those products all are passing IP addresses of suspected spam sources to the corporate mothership for RBL checks. If the mothership was written with any logicality, it would be able to use that data to identify spamming sources more quickly than a regular RBL that has no feedback. However, I used to work for Symantec, and I would not believe that they were clever enough to take advantage of this data unless they confirmed it. What they basically do is take the best-of-breed technologies developed in the Open Source world and wrap them in software that a Windows admin wants to run. There's money in that if you're willing to sacrifice your soul. Microsoft does the same thing. The few times when I was there that a more far-sighted product manager tried to introduce Unix-based products to the development staff, the organization proved they didn't have the sticktoitofness to operate in that market.
It's not that they are bad people, understand, it's just that they are driven by the gold - not by the desire to take every spammer and have a public execution, like the rest of us are. Ted
Re: gpgkey failures with sa-update
On Wednesday 19 August 2009, Toni Mueller wrote: Hi, On Wed, 19.08.2009 at 13:33:20 -0400, Gene Heskett gene.hesk...@verizon.net wrote: In /var/lib/sa/keys I have neither such a directory, nor any keys in either of /var/lib/spamassassin nor /var/db/spamassassin (depending on which of my machines I look at). But

[r...@coyote keys]# cd /etc/mail/spamassassin/sa-update-keys/
[r...@coyote sa-update-keys]# ls -l
total 32
-rw------- 1 gene gene 6743 2009-08-19 11:51 pubring.gpg
-rw------- 1 gene mail 5021 2008-09-13 08:44 pubring.gpg~
-rw------- 1 gene mail    0 2008-04-01 04:52 secring.gpg
-rw------- 1 gene mail 1200 2008-04-01 04:52 trustdb.gpg

I'm a bit hesitant to believe that such permissions will get you usable rule sets, provided they have similar permissions, because I guess that spamd is running under a different UID, right?

No, spamd, and all other parts of spamassassin are running as the user gene direct from the . source called in from the spamassassin launcher in /etc/init.d.

Should I blow the first set away?,

It would be interesting to find out where these other keys come from, lest you break something else.

I'll rename the former dir and see what dies. And 15 minutes later, the only thing that died is the mail server at the tv station, not related to this. I think I'll leave it renamed to wrong-keys for a while.

Kind regards, --Toni++

Thanks Toni. -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) The NRA is offering FREE Associate memberships to anyone who wants them. https://www.nrahq.org/nrabonus/accept-membership.asp Operator, please trace this call and tell me where I am.
Re: SA and mail from backup mx?
One of the tricks spammers do is send to the backup servers first because they often have less filtering. If you want I have a free MX backup service that helps me harvest those bots. Here's a couple of solutions: http://wiki.junkemailfilter.com/index.php/Project_tarbaby http://www.free-mx-backup.com Dave wrote: Hello, Mail from my backup mx is not being scanned for spam as it's coming in. Is this something i'd have to turn on at the MTA level, content filter, or SA? A majority of stuff my backup mx sends me is spam and i'd like to get it tagged as such. Thanks. Dave.
sare channels
Hello, I'm trying to add additional sa rules and wanted to use the sare channels referenced by the wiki. I'm using sa 3.2.5 and when I attempted to get updates from saupdates.openprotect.com the channel didn't exist. Has it moved? Thanks. Dave.