Re: 3.3.0 and sa-compile

2009-09-29 Thread to...@starbridge.org

to...@starbridge.org wrote:
 to...@starbridge.org wrote:
 Benny Pedersen wrote:
 On fre 25 sep 2009 13:38:19 CEST, to...@starbridge.org wrote
 I've tested with SA 3.2.5 and it's working fine with
 Rule2XSBody active. I've tried to delete compiled rules and
 compile again: same result.
 forget to sa-compile in 3.3 ?
 sa-compile has been run correctly with no errors (even in debug)
 has anyone encountered the same problem ?
nobody ?
i really need help on this one

thx
Regards
Tonio



Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Raymond Dijkxhoorn

Hi!

No one has actually implemented the rules for my blacklists correctly. My 
lists support both IP and hostname lookups. The hostname assumes that you 
have forward confirmed the RDNS so that you eliminate those who might spoof.


Most people copy/paste from your wiki, so if this is true ... I am not 
sure where the real problem lies ;)


Yellow means that the IP or hostname contains no useful information as to 
spam or no spam. On my system once I determine a host is yellow I skip all 
blacklists and whitelists tests. Yellow is for Yahoo, Hotmail, Gmail, etc 
where the IP has no information and all host tests are meaningless.


My NoBL list is similar to yellow except that you can skip black list lookup 
but maybe might be whitelisted somewhere.


Please don't combine black and whitelists together in one BL. This will 
trouble you. Many tools cannot look at the return values. I think it's a 
bad idea. You can say hey not my problem but it will give a BL a bad karma 
;)


If you just want to score points then Black, White, and Brown can be assigned 
points. Yellow should be zero points regardless of how it tests.


Why would it be added to SA if the score is zero?

I think the real power of my lists is in the host name lookups. It would be 
worthwhile to implement that.


I think my white listing is very accurate at this point. The thing about 
white servers is that they aren't evasive like spammers. There should be some 
short circuiting options to reduce system load on SA for white lookups.


Ouch, from your point of view it might be fine, but we see strange stuff 
with DNSWL already, I certainly would not use this to shortcircuit things.


A question from the operational side, how many people are working on the 
BL? Just you I assume? Not telling this is bad, but it's a risk when adding 
this into SA I feel personally. Same for the infra the BL is running on.


I might sound harsh, but I am rather careful, then again, we have SA 
update. So it might not hurt that much. But during outages or DDoS it will 
hurt for hours till it's gone again.


Bye,
Raymond.


Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Raymond Dijkxhoorn

Hi!

If that's so, then we probably want that in the spamassassin rule name.  Your 
wiki page suggests JMF is the name.  A number of people probably already 
configured their spamassassin using your suggested JMF rule names and they 
would need to be educated to remove it.


How about these for rule names, so the rule names are not too long?

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown


I would use the names that are advertised for months on the WIKI now, so 
you can override them and not duplicate lookups on installs that have it 
in their local.cf (or any place else).


Why did you invent (Marc) completely new names out of the blue?
The JMF_ stuff is there for months, please stick to it. We didn't invent 
those, you did.


Bye,
Raymond.




Re: About reporting

2009-09-29 Thread Matus UHLAR - fantomas
 spamassassin -r and spamassassin -k do other things - report to network
 services like razor/pyzor/dcc and SpamCop.

On 22.09.09 22:11, João Eiras wrote:
 Hum, then how do the default spam filters that come with a clean spam
 assassin installation know what's spam and what's not ? Is there service
 we can report spam to ?

SA contains many rules that score the mail. BAYES is something you can use
for better scoring if any of those rules misfire
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes. 


Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Henrik K
On Tue, Sep 29, 2009 at 09:29:16AM +0200, Raymond Dijkxhoorn wrote:

 Ouch, from your point of view it might be fine, but we see strange stuff
 with DNSWL already, I certainly would not use this to shortcircuit
 things.

What exactly is the strange stuff you see with DNSWL?

Granted, I'm not processing millions of messages, only tens of thousands,
but I'm not seeing anything fuzzy. I basically shortcircuit on DNSWL_MED and
DNSWL_HI, when there aren't any suspicious rules hit (ClamAV/Sanesecurity,
relay from africa, bayes over 60 etc). The FP rate is abysmally low.



Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Raymond Dijkxhoorn

Hi!


header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5



Hopefully my comment isn't out of place with the current discussion of
JMF/Hostkarma. I think this is not only a really bad default score,
but it should be reduced to -0.5 or perhaps not used at all.

I have a money/fraud email that hit RCVD_IN_JMF_W that passed through
these servers:

Received: from 41.220.75.3
Received: from webmail.stu.qmul.ac.uk (138.37.100.37) by mercury.stu.qmul.ac.uk
Received: from qmwmail2.stu.qmul.ac.uk ([138.37.100.210]
Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6])

It also hit these other rules:

X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1
tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470,
LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W,
RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL

Unless I'm really missing something, which server has JMF/Hostkarma
whitelisted that shouldn't be?


You are not missing anything. It's my point also.

Bye,
Raymond.


Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Raymond Dijkxhoorn

Hi!


Ouch, from your point of view it might be fine, but we see strange stuff
with DNSWL already, I certainly would not use this to shortcircuit
things.



What exactly is the strange stuff you see with DNSWL?

Granted, I'm not processing millions of messages, only tens of thousands,
but I'm not seeing anything fuzzy. I basically shortcircuit on DNSWL_MED and
DNSWL_HI, when there aren't any suspicious rules hit (ClamAV/Sanesecurity,
relay from africa, bayes over 60 etc). The FP rate is abysmally low.


The regular things, whitelisted servers sending spams. So shortcircuiting 
isn't an option for those and it's also not what DNSWL is about. They WL 
sender mailservers, those could be an ISP also. You don't want to 
shortcircuit them and say hey, someone put it on his whitelist, feel free 
to spam me.


Bye,
Raymond.


Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Blaine Fleming
Marc Perkel wrote:
 My NoBL list is similar to yellow except that you can skip black list
 lookup but maybe might be whitelisted somewhere.

I keep seeing IPs that are on both the NoBL *and* the blacklist.  An
example of this is 89.206.179.213.  That IP currently returns 127.0.0.2
(blacklisted) and 127.0.0.5 (NoBL listed).  Can you make sense of this
entry?

--Blaine
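
Added example, not part of the original post and not Hostkarma or SpamAssassin code: decoding a multi-valued answer from a list that mixes black and white entries in one zone, and flagging the contradictory case reported above. The three return codes are the ones quoted in this thread; the zone name dnsbl.example, the contradiction table and the "neutral" handling are assumptions made for illustration.

```python
import ipaddress
import socket

# Return codes quoted in this thread: 127.0.0.1 (RCVD_IN_JMF_W rule),
# 127.0.0.2 and 127.0.0.5 (the report about 89.206.179.213).
CODES = {"127.0.0.1": "white", "127.0.0.2": "black", "127.0.0.5": "nobl"}

# Assumption: label pairs that should never be returned together.
CONTRADICTIONS = (("black", "white"), ("black", "nobl"))


def query_name(ip, zone):
    """Build the IPv4 DNSBL query name: reversed octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_a(name):
    """All A records for name from the system resolver; empty list if none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def evaluate(answers):
    """Turn the set of A records from one lookup into labels and a verdict."""
    labels = sorted({CODES[a] for a in answers if a in CODES})
    unknown = sorted(set(answers) - set(CODES))
    conflicts = [pair for pair in CONTRADICTIONS if set(pair) <= set(labels)]
    if conflicts:
        # Assumption: a self-contradicting listing carries no signal, so it
        # must neither add score nor trigger any short-circuit.
        verdict = "neutral"
    elif "black" in labels:
        verdict = "black"
    elif "white" in labels:
        verdict = "white"
    elif "nobl" in labels:
        verdict = "skip-blacklists"
    else:
        verdict = "unlisted"
    return {"labels": labels, "unknown": unknown,
            "conflicts": conflicts, "verdict": verdict}


def lookup(ip, zone, resolve=system_a):
    """Query one zone for ip and evaluate every record that comes back."""
    return evaluate(resolve(query_name(ip, zone)))


# Constructed resolver data reproducing the answers described in the post.
SAMPLE_ZONE = {
    "213.179.206.89.dnsbl.example": ["127.0.0.2", "127.0.0.5"],
    "10.2.0.192.dnsbl.example": ["127.0.0.1"],
}


def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("89.206.179.213", "192.0.2.10", "192.0.2.11"):
        print(ip, lookup(ip, "dnsbl.example", sample_resolve))
```

A client that only checks whether the lookup returned anything at all would treat all three labels as the same hit, which is the concern raised earlier in the thread about combining black and white lists in one zone.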



Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Henrik K
On Tue, Sep 29, 2009 at 10:05:57AM +0200, Raymond Dijkxhoorn wrote:
 Hi!

 Ouch, from your point of view it might be fine, but we see strange stuff
 with DNSWL already, I certainly would not use this to shortcircuit
 things.

 What exactly is the strange stuff you see with DNSWL?

 Granted, I'm not processing millions of messages, only tens of thousands,
 but I'm not seeing anything fuzzy. I basically shortcircuit on DNSWL_MED and
 DNSWL_HI, when there aren't any suspicious rules hit (ClamAV/Sanesecurity,
 relay from africa, bayes over 60 etc). The FP rate is abysmally low.

 The regular things, whitelisted servers sending spams. So 
 shortcircuiting isn't an option for those and it's also not what DNSWL is 
 about. They WL sender mailservers, those could be an ISP also. You don't 
 want to shortcircuit them and say hey, someone put it on his whitelist, 
 feel free to spam me.

Bad big mailservers sending mixed stuff are not supposed to be on MED/HI
lists. If they are, you are supposed to report it. So I kind of disagree
with you. I would imagine most people see 0.5% FP rates, even without any
further meta checks.



Re: rbldns help OT

2009-09-29 Thread McDonald, Dan
On Mon, 2009-09-28 at 15:50 -0700, Marc Perkel wrote:
 This should be easy but I'm missing something. I have a RBL list (dnset) 
 for host testbl.junkemailfilter.com
 
 :2:Test
 
 .xx.host.example.com :4:
 .host.example.com :3:
 .example.com :9:
 .com :6:
 
 Works fine. But - I want to create an A record for 
 testbl.junkemailfilter.com of 65.49.42.100. How do I do that?

Isn't it just 

testbl.junkemailfilter.com:65.49.42.100:


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




Re: 3.3.0 and sa-compile

2009-09-29 Thread McDonald, Dan
On Tue, 2009-09-29 at 08:19 +0200, to...@starbridge.org wrote:
 to...@starbridge.org wrote:
  to...@starbridge.org wrote:
  Benny Pedersen wrote:
  On fre 25 sep 2009 13:38:19 CEST, to...@starbridge.org wrote
  I've tested with SA 3.2.5 and it's working fine with
  Rule2XSBody active. I've tried to delete compiled rules and
  compile again: same result.
  forget to sa-compile in 3.3 ?
  sa-compile has been run correctly with no errors (even in debug)
  has anyone encountered the same problem ?

Someone posted a problem with perl 5.6. What version of perl are you
running?

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




Re: 3.3.0 and sa-compile

2009-09-29 Thread to...@starbridge.org
McDonald, Dan wrote:
 On Tue, 2009-09-29 at 08:19 +0200, to...@starbridge.org wrote:

 to...@starbridge.org wrote:
 to...@starbridge.org wrote:
 Benny Pedersen wrote:
 On fre 25 sep 2009 13:38:19 CEST, to...@starbridge.org
 wrote
 I've tested with SA 3.2.5 and it's working fine with
 Rule2XSBody active. I've tried to delete compiled rules
 and compile again: same result.
 forget to sa-compile in 3.3 ?
 sa-compile has been run correctly with no errors (even in
 debug)
 has anyone encountered the same problem ?

 Someone posted a problem with perl 5.6. What version of perl are
 you running?

thx for your answer

perl v5.10.0




Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Mike Cardwell

On 29/09/2009 05:27, MySQL Student wrote:


header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5


Hopefully my comment isn't out of place with the current discussion of
JMF/Hostkarma. I think this is not only a really bad default score,
but it should be reduced to -0.5 or perhaps not used at all.

I have a money/fraud email that hit RCVD_IN_JMF_W that passed through
these servers:

Received: from 41.220.75.3
Received: from webmail.stu.qmul.ac.uk (138.37.100.37) by mercury.stu.qmul.ac.uk
Received: from qmwmail2.stu.qmul.ac.uk ([138.37.100.210]
Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6])

It also hit these other rules:

X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1
  tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470,
LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W,
RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL

Unless I'm really missing something, which server has JMF/Hostkarma
whitelisted that shouldn't be?

This happens time after time.


I receive spam every single day from hosts listed on the HostKarma 
whitelist. In comparison, it's very rare that I see any spam from hosts 
listed on dnswl.org. I chose a score of -0.2 here.


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Understanding the hostKarma Lists

2009-09-29 Thread Marc Perkel
Responding to a lot of questions here. The lists contain both host names 
and IP addresses. IP addresses everyone understands. So I'll talk about 
host names. Wells Fargo Bank - for example - (wellsfargo.com) - is in the 
white list as are all of Wells Fargo's hosts. This bank sends nothing but 
100% good email. But to avoid spoofing of pointer records you have to 
use Forward Confirmed RDNS (FcRDNS).


1.2.3.4 PTR -- mail.example.com
mail.example.com A -- 1.2.3.4

This is nearly impossible to spoof.

Same is true for yellow lists. If the FcRDNS resolves to hotmail.com, 
yahoo.com, gmail.com then you can skip all other IP testing because the 
IP address tells you nothing about if it is or isn't spam.


Warren Togami wrote:

On 09/28/2009 10:07 PM, Marc Perkel wrote:

I'd like to keep the name HOSTKARMA as standard.


If that's so, then we probably want that in the spamassassin rule
name. Your wiki page suggests JMF is the name. A number of people
probably already configured their spamassassin using your suggested
JMF rule names and they would need to be educated to remove it.

How about these for rule names, so the rule names are not too long?

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown


I'm willing to go with whatever name works better for the community. I 
will change my wiki to be consistent.



Hi Marc,

I appreciate your desire for everyone to wholly benefit from your 
work, but please let us implement this for spamassassin in stages 
starting from the lowest hanging fruit.


First please confirm that you approve of the above new rule names, if 
you don't want it to be known as JMF.

Yes - or whatever works best. I can change my wiki to reflect consensus.



Hi Warren,

No one has actually implemented the rules for my blacklists correctly.
My lists support both IP and hostname lookups. The hostname assumes that
you have forward confirmed the RDNS so that you eliminate those who
might spoof.


Please explain in greater detail?  Can this be determined wholly from 
the Headers and message body after the MTA had passed the mail to the 
MDA?
Yes - it does require 2 DNS calls to do this for FcRDNS. You need a PTR 
call to get the RDNS and an A record call to confirm it.




Yellow means that the IP or hostname contains no useful information as
to spam or no spam. On my system once I determine a host is yellow I
skip all blacklists and whitelists tests. Yellow is for Yahoo, Hotmail,
Gmail, etc where the IP has no information and all host tests are
meaningless.

My NoBL list is similar to yellow except that you can skip black list
lookup but maybe might be whitelisted somewhere.


Please help me better understand, what are examples of a sequence of 
events that would land an IP address on the NoBL?
NoBL is determined a number of ways. NoBL is what most RBLs call white 
listing in that it means don't include it in any black list. To me white 
list means a spam free source. People who remove their IP manually using 
my form will be on the NoBL list. Or it might be what I have determined 
that there is some good email coming from the IP and they may be a 
candidate for white listing but I have yet to determine that. Yellow 
listing is where I know they should not be black listed but I also know 
they should not be white listed. (yahoo, gmail, hotmail). NoBL is where 
I know they should not be black listed but might be white listed.


An important point to understand here is that I don't use my own lists 
in Spam Assassin. I do most of my filtering with Exim rules. I use my 
lists to avoid using SA to reduce system load. SA sees mostly yellow 
listed hosts.




If you just want to score points then Black, White, and Brown can be
assigned points. Yellow should be zero points regardless of how it 
tests.


I am aware that Yellow isn't useful for scores.  It is however useful 
for statistical analysis in masschecks, and it doesn't cost 
spamassassin any more to print if it hits.  In particular I'm looking 
to see if there are any reliable trends of overlap between Yellow and 
other spamassassin rules.
Fair enough. I just didn't want you assigning points to a yellow listing 
because the results would be false.




I think the real power of my lists is in the host name lookups. It would
be worthwhile to implement that.


Please describe how this is more effective than IP lookups?
I don't have a list of IP addresses that Yahoo uses. However, if the 
FcRDNS resolves to yahoo then I can skip all other RBL testing because I 
know it's a yahoo source. Same is true of white and black listed host 
names. On my system if a host name lookup returns yellow, then I add the 
sending IP to my yellow lists for those using IP lookups. Same with the 
other colors.




I think my white listing is very accurate at this point. The thing about
white servers is that they aren't evasive like spammers. There should be
some short circuiting options to reduce system load on SA for white
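
Added example, not part of the original message and not Hostkarma or SpamAssassin code: the two-lookup FcRDNS check described above (a PTR lookup, then an A lookup to confirm it), used as a gate so that a hostname list is consulted only for confirmed names. The host list, the PTR and A data, and all function names are constructed for illustration; the addresses come from the documentation ranges.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for ip from the system resolver; empty list if there are none."""
    try:
        name, aliases, _addrs = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_addrs(host):
    """Addresses for host from the system resolver; empty list on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except OSError:
        return []
    # Drop any IPv6 scope id ("%eth0") so ipaddress can parse the result.
    return sorted({info[4][0].split("%")[0] for info in infos})


def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return the PTR names of ip whose forward lookup contains ip."""
    want = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr_lookup(ip):
        host = name.rstrip(".").lower()
        if not host or host in confirmed:
            continue
        forward = {ipaddress.ip_address(a) for a in addr_lookup(host)}
        if want in forward:
            confirmed.append(host)
    return confirmed


def list_colour(host, host_list):
    """Look up host, then each parent domain, stopping before the bare TLD."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in host_list:
            return host_list[suffix]
    return None


def classify_sender(ip, host_list, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """(host, colour) for the first confirmed name on the list, else (None, None)."""
    for host in fcrdns(ip, ptr_lookup, addr_lookup):
        colour = list_colour(host, host_list)
        if colour is not None:
            return host, colour
    return None, None


# Constructed hostname list and DNS data.
HOST_LIST = {"bank.example": "white", "freemail.example": "yellow"}
PTR = {
    "192.0.2.10": ["mail.bank.example."],      # PTR and A agree
    "203.0.113.66": ["mail.bank.example."],    # PTR claims the bank, A does not
    "198.51.100.7": ["mx1.freemail.example"],  # one of several forward addresses
}
A = {
    "mail.bank.example": ["192.0.2.10"],
    "mx1.freemail.example": ["198.51.100.7", "198.51.100.8"],
}


def sample_ptr(ip):
    return PTR.get(ip, [])


def sample_addrs(host):
    return A.get(host, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.66", "198.51.100.7", "198.51.100.99"):
        print(ip, classify_sender(ip, HOST_LIST, sample_ptr, sample_addrs))
```

The owner of a reverse zone can publish any PTR name, so 203.0.113.66 claiming mail.bank.example gets no list result: the forward record for that name does not point back at it.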

Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Marc Perkel



MySQL Student wrote:

Hi,

Hopefully my comment isn't out of place with the current discussion of
JMF/Hostkarma. I think this is not only a really bad default score,
but it should be reduced to -0.5 or perhaps not used at all.

I have a money/fraud email that hit RCVD_IN_JMF_W that passed through
these servers:

Received: from 41.220.75.3
Received: from webmail.stu.qmul.ac.uk (138.37.100.37) by mercury.stu.qmul.ac.uk
Received: from qmwmail2.stu.qmul.ac.uk ([138.37.100.210]
Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6])

It also hit these other rules:

X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1
 tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470,
LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W,
RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL

Unless I'm really missing something, which server has JMF/Hostkarma
whitelisted that shouldn't be?

This happens time after time.

  


Yep - this isn't a perfect list. However if I got some good feedback on 
this I could weed out the white lists and get it more accurate. There 
are also a lot of hosts I could include with more data.




Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Marc Perkel






Blaine Fleming wrote:

  Marc Perkel wrote:
  
  
My NoBL list is similar to yellow except that you can skip black list
lookup but maybe might be whitelisted somewhere.

  
  
I keep seeing IPs that are on both the NoBL *and* the blacklist.  An
example of this is 89.206.179.213.  That IP currently returns 127.0.0.2
(blacklisted) and 127.0.0.5 (NoBL listed).  Can you make sense of this
entry?

--Blaine

  


That would be a bug in my system. I'll need to look into that.





Hostkarma white list

2009-09-29 Thread Marc Perkel
For those of you getting spam from IPs/Hostnames on my hostkarma white 
list, if you could email me a list of false hits (IP or host name) I 
could probably clean out the bad entries in the white list pretty quick.




Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Warren Togami

On 09/29/2009 12:27 AM, MySQL Student wrote:

Hi,


header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5


Hopefully my comment isn't out of place with the current discussion of
JMF/Hostkarma. I think this is not only a really bad default score,
but it should be reduced to -0.5 or perhaps not used at all.


I believe spamassassin does not assign any negative score to any 
whitelist by default precisely for good reason.


USER_IN_DEF_DKIM_WL has the score -7.50 because it is a lot more certain 
than a mere whitelist, having done cryptographic checking on the DKIM 
signature to verify that the domain is both known non-spammer and it is 
not spoofed.


Warren Togami
wtog...@redhat.com


RE: Problems with high spam

2009-09-29 Thread Jose Luis Marin Perez

Dear Sirs, 

 First of all, thank you for your help.

 I was out of the office for some days that is why I am taking up this issue 
recently. 

 I made the changes I recommended such as: 

 Add RBL 
 Add SARE rules and SOUGHT 
 Reducing the amount of SPAM processes from 20 to 5 
 Set spamc -x not-safe-fallback 
 In Qmail add rbl zen.spamhaus.org 

 And the result for yesterday is as follows:

Total messages:  Ham:   Spam:  % Spam:
----------------------------------------
7505             5218   2287   30.47%

 Compared with the statistics before making changes: 

Total messages:  Ham:   Spam:  % Spam:
----------------------------------------
11451            5153   6298   55.00%

It shows that the total amount of emails has decreased
considerably and this is due to adding zen.spamhaus.org to qmail. 

 But I have reports that users are receiving SPAM emails 

 I have some questions: 
 - How to calculate the amount of memory and CPU used by each process Spamd? 
 - Approximately 85% of spam are in Spanish, this can be a problem for 
SpamAssassin? 
 - Which tool can I use to get statistics of SpamAssassin, I am currently using 
the script sa-stats.pl.

Thanks

Jose Luis


 Date: Wed, 23 Sep 2009 13:33:26 -0700
 From: jhar...@impsec.org
 To: users@spamassassin.apache.org
 Subject: Re: Problems with high spam
 
 On Wed, 23 Sep 2009, Jari Fredriksson wrote:
 
 
  - the high load is because of high number of spamd
  children running.
 
  - the missing scores of some emails are because you need
   more of spamd children running, connections are refused
   so any spamc client just passes messages as they are.
 
 
  And this is where spamc option -x helps. Failed ones will be put back to 
  queue.
 
 I believe the OP put the -x in the spamd command line, not the spamc 
 command line...
 
 -- 
   John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
   jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
We are hell-bent and determined to allocate the talent, the
resources, the money, the innovation to absolutely become a
powerhouse in the ad business.   -- Microsoft CEO Steve Ballmer
...because allocating talent to securing Windows isn't profitable?
 ---
   Approximately 8793360 firearms legally purchased in the U.S. this year
  

Re: Hostkarma Blacklist Climbing the Charts

2009-09-29 Thread Benny Pedersen

On tir 29 sep 2009 17:37:20 CEST, Warren Togami wrote

On 09/29/2009 12:27 AM, MySQL Student wrote:

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')


this one could be changed to some trusted variant for testing on local  
trusted_networks


so change lastexternal to firsttrusted and if one want do please add  
it to masscheck, if its not possible to test it, drop it :)


--
xpoint



Re: Understanding the hostKarma Lists

2009-09-29 Thread Warren Togami

On 09/29/2009 10:23 AM, Marc Perkel wrote:

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown



I'm willing to go with whatever name works better for the community. I
will change my wiki to be consistent.


Hi Marc,

I appreciate your desire for everyone to wholly benefit from your
work, but please let us implement this for spamassassin in stages
starting from the lowest hanging fruit.

First please confirm that you approve of the above new rule names, if
you don't want it to be known as JMF.

Yes - or whatever works best. I can change my wiki to reflect consensus.


It seems that people have already been using the rules copied from your 
site.  It will be confusing to them if we change the official name. Some 
will accidentally have your lists twice.


RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown

OTOH, I really like these new names.  My brain thinks less hard to 
recognize them.


How do other people feel?  Should we stick to his old names with JMF in 
the Wiki or these new names?


Warren


Re: Understanding the hostKarma Lists

2009-09-29 Thread Warren Togami

On 09/29/2009 12:45 PM, Henrik K wrote:

It seems that people have already been using the rules copied from your
site.  It will be confusing to them if we change the official name. Some
will accidentally have your lists twice.

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown

OTOH, I really like these new names.  My brain thinks less hard to
recognize them.


Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would
this drop the use then?



We're bikeshedding here, but I believe these names are better because it 
is absolutely clear what it means without _IN.  Shorter name is better 
and easier to read I think.


Warren


Re: Understanding the hostKarma Lists

2009-09-29 Thread Henrik K
On Tue, Sep 29, 2009 at 12:50:13PM -0400, Warren Togami wrote:
 On 09/29/2009 12:45 PM, Henrik K wrote:
 It seems that people have already been using the rules copied from your
 site.  It will be confusing to them if we change the official name. Some
 will accidentally have your lists twice.

 RCVD_HOSTKARMA_BL Black
 RCVD_HOSTKARMA_WL White
 RCVD_HOSTKARMA_YL Yellow
 RCVD_HOSTKARMA_BR Brown

 OTOH, I really like these new names.  My brain thinks less hard to
 recognize them.

 Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would
 this drop the use then?


 We're bikeshedding here, but I believe these names are better because it  
 is absolutely clear what it means without _IN.  Shorter name is better  
 and easier to read I think.

Sorry but it doesn't make any sense. Also I think everyone that has got to
know Marc/JMF/hostkarma will find JMF the most familiar name. At least I do.



Re: Hostkarma white list

2009-09-29 Thread MySQL Student
Hi,

 For those of you getting spam from IPs/Hostnames on my hostkarma
 white list, if you could email me a list of false hits (IP or host name) I
 could probably clean out the bad entries in the white list pretty quick.

I'm not sure this is the best approach. I have a procmail recipe that
filters specifically the JMF_W and I go through it every day before
training the folder as ham. I'd say around a quarter of the messages
are spam.

How many entries on the whitelist? How were they added? I'd almost
rather start from scratch (or from a more proven list) with a
percentage known to be valid and build from there.

At the least, wouldn't it be best to move the default score closer to
zero on your wiki page for the time being?

Maybe another method for submitting FPs rather than emailing them to
you could be created?

Wouldn't the veracity of the list be better assured if you built the
list from a pile of known ham?

Mail originating from priorityoneemail.com [69.10.237.52] would be one
prime suspect for removal consideration.

On a somewhat related topic, how do people classify topica.com? That
is one for sure sends junk, but looks like people may actually request
it, heh.

Thanks,
Alex



Re: Understanding the hostKarma Lists

2009-09-29 Thread Ned Slider

Warren Togami wrote:

On 09/29/2009 12:45 PM, Henrik K wrote:

It seems that people have already been using the rules copied from your
site.  It will be confusing to them if we change the official name. Some
will accidentally have your lists twice.

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown

OTOH, I really like these new names.  My brain thinks less hard to
recognize them.


Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would
this drop the use then?



We're bikeshedding here, but I believe these names are better because it 
is absolutely clear what it means without _IN.  Shorter name is better 
and easier to read I think.


Warren



What about scripts looking for occurrences of 'RCVD_IN' in log files etc?

I agree it's clear without, but I'd also rather be consistent :)




Re: Hostkarma white list

2009-09-29 Thread Larry Nedry
Oops!  Sorry, I didn't intend to send my previous message to the list.

Nedry


On 9/29/09 at 12:51 PM -0500 Larry Nedry wrote:
On 9/29/09 at 7:41 AM -0700 Marc Perkel wrote:
For those of you getting spam from IPs/Hostnames on my hostkarma white
list, if you could email me a list of false hits (IP or host name) I
could probably clean out the bad entries in the white list pretty quick.

Here are my hostkarma white FPs for the month of September.  I can go back
further if you like.

Nedry

--- snipped --



DNSWL and JMF White false positives, what to do exactly?

2009-09-29 Thread Warren Togami
I scanned my spam folders and found a few false positives that hit on 
either DNSWL or JMF (HOSTKARMA?  See how confusing it is not knowing 
what to call it?)


Is there an easy automated way we can forward FP's to DNSWL and JMF so 
their maintainers can decide what to do about the offending senders? 
I'd attach it to mail but it might get caught in the spam filter...


Warren Togami
wtog...@redhat.com


SQL Bayes behavior

2009-09-29 Thread pm...@email.it

Hi,

I have a few questions about the behavior of Bayes and SQL. Before the 
questions, I've followed this tutorial 
http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html that 
should be the same thing as this: 
http://spamassassin.apache.org/full/3.0.x/dist/sql/README.bayes, my db 
is updated constantly, so it should work.


1- In the bayes_vars table I've only a row for the amavis user. 
Theoretically is it a good choice to use only one db for all users of my 
domain? (if I've understood well, spamassassin uses this single db to 
store Bayes for all users of my domain)


2- How can I use a single Bayes db for each user? Should I use 
bayes_sql_override_username? I don't know where to get the right 
username.


3- Every 10-15 seconds, the counts of ham_count or spam_count in the 
bayes_vars table increase without any users sending or receiving mails. 
So, the behavior of spamassassin is to analyze all mails present in all 
my users' Maildirs?



Thanks :)
Marco


Problem with SA

2009-09-29 Thread Luis campo


Dear Sirs, 

I have a problem with the SA, I have added the option Spam-x since that time 
the SA is no return emails, no subject or message body, 

What could the problem be?
 
 
greetings 

Re: Problem with SA

2009-09-29 Thread Kevin Parris
That doesn't look much like a SpamAssassin option there, to me.

Perhaps you may get more useful responses if you give us more detail about your 
system configuration.

What mailserver are you running?

How does it invoke SpamAssassin?

Do you have a virus scanner installed?

What operating system do you use?

 Luis campo lcr_2...@hotmail.com 09/29/09 2:44 PM 


Dear Sirs, 

I have a problem with the SA, I have added the option Spam-x since that time 
the SA is no return emails, no subject or message body, 

What could the problem be?
 
 
greetings 




unsubscribe

2009-09-29 Thread Paul Andrews


Re: unsubscribe

2009-09-29 Thread Dan Schaefer

Paul Andrews wrote:
 

Try users-unsubscr...@spamassassin.apache.org

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: unsubscribe

2009-09-29 Thread Evan Platt

At 12:31 PM 9/29/2009, you wrote:

Nothing



As the headers for every message state...

list-unsubscribe: mailto:users-unsubscr...@spamassassin.apache.org 



Re: Understanding the hostKarma Lists

2009-09-29 Thread Jari Fredriksson
 
 It seems that people have already been using the rules
 copied from your site.  It will be confusing to them if
 we change the official name. Some will accidentally have
 your lists twice. 
 
 RCVD_HOSTKARMA_BL Black
 RCVD_HOSTKARMA_WL White
 RCVD_HOSTKARMA_YL Yellow
 RCVD_HOSTKARMA_BR Brown
 
 OTOH, I really like these new names.  My brain thinks
 less hard to recognize them.
 
 How do other people feel.  Should we stick to his old
 names with JMF in the Wiki or these new names?
 
 Warren

I prefer new names.

Whatever the names will be, will they be stock in 3.3?

I have not installed these (old or new) in my local.cf




Re: Problem with SA

2009-09-29 Thread John Hardin

On Tue, 29 Sep 2009, Luis campo wrote:

I have a problem with the SA, I have added the option Spam-x since that 
time the SA is no return emails, no subject or message body,


Whatever is calling spamc is not responding properly to an error code from 
spamc. Since this is causing lost messages, remove -x from the spamc 
command line.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Efficiency can magnify good, but it magnifies evil just as well.
  So, we should not be surprised to find that modern electronic
  communication magnifies stupidity as *efficiently* as it magnifies
  intelligence.   -- Robert A. Matern
---
 Approximately 8990700 firearms legally purchased in the U.S. this year
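
The failure mode described in the reply above, as an added example that is not code from the thread: a delivery wrapper that calls `spamc -x` and turns any filter error into EX_TEMPFAIL, so the MTA keeps the message queued instead of delivering an empty one. The function name `filter_or_defer` and the `SPAMC_CMD` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): call spamc with -x and handle its
# exit status, so an error defers the message instead of losing it.

EX_TEMPFAIL=75   # sysexits.h "temporary failure": the MTA keeps the mail queued

# Assumption of this example: the filter command is configurable so the
# function can be exercised without a running spamd.
SPAMC_CMD=${SPAMC_CMD:-"spamc -x"}

# filter_or_defer MESSAGE_FILE OUTPUT_FILE
# Writes the filtered message to OUTPUT_FILE and returns 0, or returns
# EX_TEMPFAIL and leaves OUTPUT_FILE untouched.
filter_or_defer() {
    msg=$1
    out=$2
    status=0

    [ -s "$msg" ] || return "$EX_TEMPFAIL"        # nothing to filter
    tmp=$(mktemp "${out}.XXXXXX") || return "$EX_TEMPFAIL"

    # With -x, spamc no longer passes the unaltered message through on
    # error; it exits non-zero and its output must not be trusted.
    $SPAMC_CMD < "$msg" > "$tmp" || status=$?

    if [ "$status" -ne 0 ]; then
        echo "filter failed with status $status, deferring" >&2
        rm -f "$tmp"
        return "$EX_TEMPFAIL"
    fi

    # A run that reports success but produced no output is treated as a
    # failure too, so an empty message is never delivered.
    if [ ! -s "$tmp" ]; then
        echo "filter produced empty output, deferring" >&2
        rm -f "$tmp"
        return "$EX_TEMPFAIL"
    fi

    mv "$tmp" "$out"
}

# Typical use from a delivery script (paths are placeholders):
#   filter_or_defer /path/to/incoming /path/to/filtered || exit $?
```
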


Re: [sa] Re: Is there an echo in here?

2009-09-29 Thread Charles Gregory

On Mon, 28 Sep 2009, John Hardin wrote:

 At 04:10 PM 9/28/2009, you wrote:
  Is it just me, or are others getting multiple copies of list posts the 
  last hour or so?

 Not I Only see a few posts in the last day, and only one of each.

Huh. I guess the ASF MTA doesn't like me, then.


The only time I ever get duplicates is when my (receiving) mail server gets 
overloaded and fails to process the message within the 5 minute 'timeout' 
value imposed by the sending server. The sender 'gives up' to retry, and 
the receiver finishes delivering the mail before noticing the connection 
has dropped.


- Charles


Re: Understanding the hostKarma Lists

2009-09-29 Thread Warren Togami

On 09/29/2009 12:50 PM, Warren Togami wrote:

On 09/29/2009 12:45 PM, Henrik K wrote:

It seems that people have already been using the rules copied from your
site. It will be confusing to them if we change the official name. Some
will accidentally have your lists twice.

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown

OTOH, I really like these new names. My brain thinks less hard to
recognize them.


Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would
this drop the use then?



We're bikeshedding here, but I believe these names are better because it
is absolutely clear what it means without _IN. Shorter name is better
and easier to read I think.

Warren


Marc,

Could you please decide between the existing JMF rule names or the above 
proposed HOSTKARMA names?  It seems opinions are split here.


Warren


Re: Understanding the hostKarma Lists

2009-09-29 Thread Raymond Dijkxhoorn

Hi!


We're bikeshedding here, but I believe these names are better because it
is absolutely clear what it means without _IN. Shorter name is better
and easier to read I think.


Could you please decide between the existing JMF rule names or the above 
proposed HOSTKARMA names?  It seems opinions are split here.


Please stick to JMF, it's been called that for a long, long time now. And 
there is an installed base. Don't confuse people if it's not needed.


Thanks,
Raymond.


Re: SQL Bayes behavior

2009-09-29 Thread Michael Scheidell

pm...@email.it wrote:

Hi,

I have a few questions about the behavior of Bayes and SQL. Before the 
questions: I've followed this tutorial  
http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html that 
should be the same thing as this: 
http://spamassassin.apache.org/full/3.0.x/dist/sql/README.bayes, my db 
is updated constantly, so it should work.


1- In the bayes_vars 
http://192.168.1.36/phpmyadmin/sql.php?db=spamassassintoken=eea7fc1ed22ce035cad972e37fa36534table=bayes_varspos=0 
table I have only a row for the amavis user.


seems you are using amavisd-new, you might want to check out the amavis 
list (I have set replies.  join the list).





2- How can I use a single Bayes db for each user? Should I use 
bayes_sql_override_username? I don't know where to get the right 
username.



won't help on amavis, just mess things up.

3- Every 10-15 seconds, the counts of ham_count or spam_count in the 
bayes_vars 
http://192.168.1.36/phpmyadmin/sql.php?db=spamassassintoken=eea7fc1ed22ce035cad972e37fa36534table=bayes_varspos=0 
table increase without any users sending or receiving mails. So, is the 
behavior of spamassassin to analyze all mails present in all my 
users' Maildirs?



?eh, if ham_count and spam_count increase, then you are receiving emails.



Thanks :)
Marco




Re: Understanding the hostKarma Lists

2009-09-29 Thread Benny Pedersen

On tir 29 sep 2009 23:30:15 CEST, Warren Togami wrote
Could you please decide between the existing JMF rule names or the  
above proposed HOSTKARMA names?  It seems opinions are split here.


let it be the long names that lose ?

ironical you wanted to be short names but created a longer one ?

--
xpoint



Re: [sa] Re: Is there an echo in here?

2009-09-29 Thread John Hardin

On Tue, 29 Sep 2009, Charles Gregory wrote:


On Mon, 28 Sep 2009, John Hardin wrote:

   At 04:10 PM 9/28/2009, you wrote:
Is it just me, or are others getting multiple copies of list posts 
the last hour or so?

   Not I Only see a few posts in the last day, and only one of each.
 Huh. I guess the ASF MTA doesn't like me, then.


The only time I ever get duplicates is when my (receiving) mail server 
gets overloaded and fails to process the message within the 5 minute 
'timeout' value imposed by the sending server. The sender 'gives up' to 
retry, and the receiver finishes delivering the mail before noticing the 
connection has dropped.


That's exactly what was happening to me yesterday. It took me a little 
while to track down what was happening, and why, and fix it.


Sometimes 256MB just ain't enough. :)

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  An AR-15 in civilian hands used to defend a home or business:
a High Velocity Assault Weapon with High Capacity Magazines
  An AR-15 in Law Enforcement Officer hands used to murder six kids:
a Police-Style Patrol Rifle
---
 Approximately 8993460 firearms legally purchased in the U.S. this year


Re: Understanding the hostKarma Lists

2009-09-29 Thread Jari Fredriksson
 On tir 29 sep 2009 23:30:15 CEST, Warren Togami wrote
 Could you please decide between the existing JMF rule
 names or the above proposed HOSTKARMA names?  It seems
 opinions are split here. 
 
 let it be the long names that lose ?
 
 ironical you wanted to be short names but created a
 longer one ? 

JMF may have been a project name, but HOSTKARMA is and will be a brand.

I still vote for HOSTKARMA.




Re: Hostkarma white list

2009-09-29 Thread John Hardin

On Tue, 29 Sep 2009, Larry Nedry wrote:


On 9/29/09 at 7:41 AM -0700 Marc Perkel wrote:

For those of you getting spam from IPs/Hostnames on my hostkarma white
list, if you could email me a list of false hits (IP or host name) I
could probably clean out the bad entries in the white list pretty quick.


Here are my hostkarma white FPs for the month of September.  I can go back
further if you like.

Nedry

12.51.239.149


{circa 80k snipped}

Please don't send stuff like that to the list.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws assume a violent criminal will obey the law.
---
 Approximately 8994840 firearms legally purchased in the U.S. this year


Re: Hostkarma white list

2009-09-29 Thread Benny Pedersen

On ons 30 sep 2009 00:10:05 CEST, John Hardin wrote

Please don't send stuff like that to the list.


the list is still useful in email, it can now be tested with uri  
rules, but yes never send big samples in public, this is what  
pastebins are for


but we are all humans, and humans make errors, only computers would  
make their time calc pi :)


--
xpoint



Re: SQL Bayes behavior

2009-09-29 Thread Matt Kettler
pm...@email.it wrote:
 Hi,

 I have a few questions about the behavior of Bayes and SQL. Before the
 questions: I've followed this tutorial 
 http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html that
 should be the same thing as this:
 http://spamassassin.apache.org/full/3.0.x/dist/sql/README.bayes, my db
 is updated constantly, so it should work.

 1- In the bayes_vars
 http://192.168.1.36/phpmyadmin/sql.php?db=spamassassintoken=eea7fc1ed22ce035cad972e37fa36534table=bayes_varspos=0
 table I have only a row for the amavis user. Theoretically, is it a good
 choice to use only one db for all users of my domain? (If I've
 understood well, spamassassin uses this single db to store Bayes for
 all users of my domain.)
In theory, per-user is slightly more accurate than systemwide. However,
training is more important than granularity. So when it comes down to
it, unless you're ready to set up something where users can individually
report spam and nonspam (can be a bit tricky) you're probably better off
going with a single system-wide bayes database. At least this way if you
need to do some manual training, it's only one DB to train on and
everyone benefits.



 2- How can I use a single Bayes db for each user? Should I use
 bayes_sql_override_username? I don't know where to get the right
 username.
You'd need to get amavis to pass this to spamassassin. I don't know
enough about amavis to know if this is supported or not. Generally most
MTA layer integrations don't, and most MDA integrations do, but there's
lots of exceptions. Amavis is a MTA integration, but it might be one of
the exceptions.


 3- Every 10-15 seconds, the counts of ham_count or spam_count in the
 bayes_vars
 http://192.168.1.36/phpmyadmin/sql.php?db=spamassassintoken=eea7fc1ed22ce035cad972e37fa36534table=bayes_varspos=0
 table increase without any users sending or receiving mails. So, is the
 behavior of spamassassin to analyze all mails present in all my
 users' Maildirs?
No. SpamAssassin has no concept that your users' maildirs even exist, it
will not scan them.

 There are only 2 ways training occurs:

1) a message passes through SA during delivery, and gets auto-learned
due to the scoring criteria
2) someone (or some cronjob) calls sa-learn and explicitly feeds it mail.

And the only other way that the counts could update would be during a
journal sync, which occurs only during message processing or calls to
sa-learn. (the exact triggers are slightly different, but from a
high-level view they're more-or-less the same.).

It seems strange you're seeing the counts increase without any incoming
mail... Are you *positive* nothing is arriving, or recently arrived and
is just finishing up being processed by SA?




 Thanks :)
 Marco





Rule name for hostKarma Lists

2009-09-29 Thread Marc Perkel




I will go along with the consensus of the group.

Jari Fredriksson wrote:

  
It seems that people have already been using the rules
copied from your site.  It will be confusing to them if
we change the official name. Some will accidentally have
your lists twice. 

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown

OTOH, I really like these new names.  My brain thinks
less hard to recognize them.

How do other people feel.  Should we stick to his old
names with JMF in the Wiki or these new names?

Warren

  
  
I prefer new names.

Whatever the names will be, will they be stock in 3.3?

I have not installed these (old or new) in my local.cf



  





Re: Understanding the hostKarma Lists

2009-09-29 Thread Marc Perkel



Warren Togami wrote:

On 09/29/2009 12:50 PM, Warren Togami wrote:

On 09/29/2009 12:45 PM, Henrik K wrote:
It seems that people have already been using the rules copied from your
site. It will be confusing to them if we change the official name. Some
will accidentally have your lists twice.

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown

OTOH, I really like these new names. My brain thinks less hard to
recognize them.


Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would
this drop the use then?



We're bikeshedding here, but I believe these names are better because it
is absolutely clear what it means without _IN. Shorter name is better
and easier to read I think.

Warren


Marc,

Could you please decide between the existing JMF rule names or the 
above proposed HOSTKARMA names?  It seems opinions are split here.


Warren



If there is a lack of consensus then I appoint you Warren to make the 
final call. I personally have no strong preference. I do prefer 
something with HOSTKARMA in it rather than JEF or JMF.


Re: Understanding the hostKarma Lists

2009-09-29 Thread Warren Togami

On 09/29/2009 08:56 PM, Marc Perkel wrote:


Could you please decide between the existing JMF rule names or the
above proposed HOSTKARMA names? It seems opinions are split here.

Warren



If there is a lack of consensus then I appoint you Warren to make the
final call. I personally have no strong preference. I do prefer
something with HOSTKARMA in it rather than JEF or JMF.


To me RCVD_IN_JMF_BL is difficult for my brain to instantly recognize. 
It isn't the length in characters but rather the short name JMF wrapped 
between underscores.  I was leaning towards names like RCVD_HOSTKARMA_BL 
or RCVD_HOSTKARMA_WL.  But then some people commented about the 
consistency of RCVD_IN_*.


RCVD_IN_HOSTKARMA_BL
RCVD_IN_HOSTKARMA_WL
RCVD_IN_HOSTKARMA_YL
RCVD_IN_HOSTKARMA_BR

These look good to me.  But then we have the transition confusion 
problem for those who manually configured to use your old JMF rules.  I 
will decide later after we hear more opinions.


http://hostkarma.junkemailfilter.com/
Will this be a working redirector in the near future?  There is no point 
in naming it HOSTKARMA if none of the URL's have hostkarma in their name.


Warren Togami
wtog...@redhat.com


unsubscribe

2009-09-29 Thread Danny


RE: unsubscribe

2009-09-29 Thread Gary Smith
Didn't we already have this discussion today?  You need to use the link in the 
headers!

Try 
users-unsubscr...@spamassassin.apache.org

From: Danny [mailto:d...@eastcogroup.com.hk]
Sent: Tuesday, September 29, 2009 8:34 PM
To: users@spamassassin.apache.org
Subject: unsubscribe




Re: unsubscribe

2009-09-29 Thread Evan Platt

At 08:33 PM 9/29/2009, Danny wrote:

Nothing



As the headers of every message say...

list-unsubscribe: mailto:users-unsubscr...@spamassassin.apache.org 



RE: Understanding the hostKarma Lists

2009-09-29 Thread R-Elists
 

 
 RCVD_HOSTKARMA_BL Black
 RCVD_HOSTKARMA_WL White
 RCVD_HOSTKARMA_YL Yellow
 RCVD_HOSTKARMA_BR Brown
 
 OTOH, I really like these new names.  My brain thinks less 
 hard to recognize them.
 
 How do other people feel.  Should we stick to his old names 
 with JMF in the Wiki or these new names?
 
 Warren
 
 

please keep the original names using JMF since Perkel chose them and it is
more descriptive of his domain and nobody has to change anything from what
they have now (generally)

 - rh



RE: Understanding the hostKarma Lists

2009-09-29 Thread R-Elists

 
 Marc,
 
 Could you please decide between the existing JMF rule names 
 or the above proposed HOSTKARMA names?  It seems opinions are 
 split here.
 
 Warren
 
 

warren,

marc already decided once, please don't give more choices...

you should have thought that out before putting the list in a minor tiz on
it.

 - rh



Re: Hostkarma white list

2009-09-29 Thread Henrik K
On Tue, Sep 29, 2009 at 03:10:05PM -0700, John Hardin wrote:
 On Tue, 29 Sep 2009, Larry Nedry wrote:

 On 9/29/09 at 7:41 AM -0700 Marc Perkel wrote:
 For those of you getting spam from IPs/Hostnames on my hostkarma white
 list, if you could email me a list of false hits (IP or host name) I
 could probably clean out the bad entries in the white list pretty quick.

 Here are my hostkarma white FPs for the month of September.  I can go back
 further if you like.

 Nedry

 12.51.239.149

 {circa 80k snipped}

 Please don't send stuff like that to the list.

It's not like he intended to.. anyways, for some reason I thought it was
pretty funny, maybe for the wrong reasons. ;-)



Hostkarma: to be or not to be in SA defaults

2009-09-29 Thread Yet Another Ninja
been following Warren Togami's aggressive lobbying for adding RBLs to 
SA's defaults, and I have some questions:


- is it wise to add yet even more lookups to BLs and slow down SA's 
already huge amount of DNS lookups?


- is the BL in question (whichever it may be) prepared for sustaining 
the global traffic load of millions of default SA setups?


- does the BL have a track record, wide acceptance, safety and 
reliability to become a standard in SA?


- shouldn't SA be conservative and deliver *safe* default setups, 
allowing the end user/admin/whatever to decide how far he/she wants to hog 
his setup by querying yet more BLs?


- With all respect for Marc and his efforts: there is a track record of 
one-man-operated BLs being DDoS'd to oblivion, operators disappearing, etc.

Should this be weighted as well?

I believe these points should have more weight than arguing about 
trivial naming or BL colours.


comments?

have a good day...