Re: 3.3.0 and sa-compile
to...@starbridge.org wrote: to...@starbridge.org wrote: Benny Pedersen wrote: On fre 25 sep 2009 13:38:19 CEST, to...@starbridge.org wrote I've tested with SA 3.2.5 and it's working fine with Rule2XSBody active. I've tried to delete compiled rules and compile again: same result. forget to sa-compile in 3.3 ? sa-compile has been run correctly with no errors (even in debug) has anyone encountered the same problem ? nobody ? i really need help on this one thx Regards Tonio
Re: Hostkarma Blacklist Climbing the Charts
Hi!

No one has actually implemented the rules for my blacklists correctly. My lists support both IP and hostname lookups. The hostname assumes that you have forward confirmed the RDNS so that you eliminate those who might spoof.

Most people copy/paste from your wiki, so if this is true ... I am not sure where the real problem lies ;)

Yellow means that the IP or hostname contains no useful information as to spam or no spam. On my system once I determine a host is yellow I skip all blacklists and whitelists tests. Yellow is for Yahoo, Hotmail, Gmail, etc where the IP has no information and all host tests are meaningless. My NoBL list is similar to yellow except that you can skip black list lookup but maybe might be whitelisted somewhere.

Please don't combine black and whitelists together in one BL. This will trouble you. Many tools cannot look at the return values. I think it's a bad idea. You can say hey not my problem but it will give a BL a bad karma ;)

If you just want to score points then Black, White, and Brown can be assigned points. Yellow should be zero points regardless of how it tests.

Why would it be added to SA if the score is zero?

I think the real power of my lists is in the host name lookups. It would be worthwhile to implement that. I think my white listing is very accurate at this point. The thing about white servers is that they aren't evasive like spammers. There should be some short circuiting options to reduce system load on SA for white lookups.

Ouch, from your point of view it might be fine, but we see strange stuff with DNSWL already, I certainly would not use this to shortcircuit things. A question from the operational side, how many people are working on the BL? Just you I assume? Not telling this is bad, but it's a risk when adding this into SA I feel personally. Same for the infra the BL is running on. I might sound harsh, but I am rather careful, then again, we have SA update. So it might not hurt that much. But during outages or DDoS it will hurt for hours till it's gone again.

Bye, Raymond.
Re: Hostkarma Blacklist Climbing the Charts
Hi!

If that's so, then we probably want that in the spamassassin rule name. Your wiki page suggests JMF is the name. A number of people probably already configured their spamassassin using your suggested JMF rule names and they would need to be educated to remove it. How about these for rule names, so the rule names are not too long?

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown

I would use the names that are advertised for months on the WIKI now, so you can override them and not duplicate lookups on installs that have it in their local.cf (or any place else). Why did you invent (Marc) completely new names out of the blue? The JMF_ stuff is there for months, please stick to it. We didn't invent those, you did.

Bye, Raymond.
Re: About reporting
spamassassin -r and spamassassin -k do other things - report to network services like razor/pyzor/dcc and SpamCop. On 22.09.09 22:11, João Eiras wrote: Hum, then how do the default spam filters that come with a clean spam assassin installation know what's spam and what's not ? Is there service we can report spam to ? SA contains many rules that score the mail. BAYES is something you can use for better scoring if any of those rules misfire -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. The only substitute for good manners is fast reflexes.
Re: Hostkarma Blacklist Climbing the Charts
On Tue, Sep 29, 2009 at 09:29:16AM +0200, Raymond Dijkxhoorn wrote: Ouch, from your point of view it might be fine, but we see strange stuff with DNSWL already, I certainly would not use this to shortcircuit things.

What exactly is the strange stuff you see with DNSWL? Granted, I'm not processing millions of messages, only tens of thousands, but I'm not seeing anything fuzzy. I basically shortcircuit on DNSWL_MED and DNSWL_HI, when there aren't any suspicious rules hit (ClamAV/Sanesecurity, relay from Africa, bayes over 60 etc). The FP rate is abysmally low.
Re: Hostkarma Blacklist Climbing the Charts
Hi!

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5

Hopefully my comment isn't out of place with the current discussion of JMF/Hostkarma. I think this is not only a really bad default score, but it should be reduced to -0.5 or perhaps not used at all. I have a money/fraud email that hit RCVD_IN_JMF_W that passed through these servers:

Received: from 41.220.75.3
Received: from webmail.stu.qmul.ac.uk (138.37.100.37) by mercury.stu.qmul.ac.uk
Received: from qmwmail2.stu.qmul.ac.uk ([138.37.100.210]
Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6])

It also hit these other rules:

X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1 tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470, LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W, RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL

Unless I'm really missing something, which server has JMF/Hostkarma whitelisted that shouldn't be?

You are not missing anything. It's my point also.

Bye, Raymond.
Re: Hostkarma Blacklist Climbing the Charts
Hi!

Ouch, from your point of view it might be fine, but we see strange stuff with DNSWL already, I certainly would not use this to shortcircuit things.

What exactly is the strange stuff you see with DNSWL? Granted, I'm not processing millions of messages, only tens of thousands, but I'm not seeing anything fuzzy. I basically shortcircuit on DNSWL_MED and DNSWL_HI, when there aren't any suspicious rules hit (ClamAV/Sanesecurity, relay from Africa, bayes over 60 etc). The FP rate is abysmally low.

The regular things, whitelisted servers sending spams. So shortcircuiting isn't an option for those and it's also not what DNSWL is about. They WL sender mailservers, those could be an ISP also. You don't want to shortcircuit them and say hey, someone put it on his whitelist, feel free to spam me.

Bye, Raymond.
Re: Hostkarma Blacklist Climbing the Charts
Marc Perkel wrote: My NoBL list is similar to yellow except that you can skip black list lookup but maybe might be whitelisted somewhere. I keep seeing IPs that are on both the NoBL *and* the blacklist. An example of this 89.206.179.213. That IP currently returns 127.0.0.2 (blacklisted) and 127.0.0.5 (NoBL listed). Can you make sense of this entry? --Blaine
Re: Hostkarma Blacklist Climbing the Charts
On Tue, Sep 29, 2009 at 10:05:57AM +0200, Raymond Dijkxhoorn wrote: Hi! Ouch, from your point of view it might be fine, but we see strange stuff with DNSWL already, I certainly would not use this to shortcircuit things.

What exactly is the strange stuff you see with DNSWL? Granted, I'm not processing millions of messages, only tens of thousands, but I'm not seeing anything fuzzy. I basically shortcircuit on DNSWL_MED and DNSWL_HI, when there aren't any suspicious rules hit (ClamAV/Sanesecurity, relay from Africa, bayes over 60 etc). The FP rate is abysmally low.

The regular things, whitelisted servers sending spams. So shortcircuiting isn't an option for those and it's also not what DNSWL is about. They WL sender mailservers, those could be an ISP also. You don't want to shortcircuit them and say hey, someone put it on his whitelist, feel free to spam me.

Bad big mailservers sending mixed stuff are not supposed to be on MED/HI lists. If they are, you are supposed to report it. So I kind of disagree with you. I would imagine most people see 0.5% FP rates, even without any further meta checks.
Re: rbldns help OT
On Mon, 2009-09-28 at 15:50 -0700, Marc Perkel wrote: This should be easy but I'm missing something. I have a RBL list (dnset) for host testbl.junkemailfilter.com

:2:Test
.xx.host.example.com :4:
.host.example.com :3:
.example.com :9:
.com :6:

Works fine. But - I want to create an A record for testbl.junkemailfilter.com of 65.49.42.100. How do I do that?

Isn't it just

testbl.junkemailfilter.com:65.49.42.100:

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com
Re: 3.3.0 and sa-compile
On Tue, 2009-09-29 at 08:19 +0200, to...@starbridge.org wrote: to...@starbridge.org wrote: to...@starbridge.org wrote: Benny Pedersen wrote: On fre 25 sep 2009 13:38:19 CEST, to...@starbridge.org wrote I've tested with SA 3.2.5 and it's working fine with Rule2XSBody active. I've tried to delete compiled rules and compile again: same result. forget to sa-compile in 3.3 ? sa-compile has been run correctly with no errors (even in debug) has anyone encountered the same problem ?

Someone posted a problem with perl 5.6. What version of perl are you running?

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com
Re: 3.3.0 and sa-compile
McDonald, Dan wrote: On Tue, 2009-09-29 at 08:19 +0200, to...@starbridge.org wrote: to...@starbridge.org wrote: to...@starbridge.org wrote: Benny Pedersen wrote: On fre 25 sep 2009 13:38:19 CEST, to...@starbridge.org wrote I've tested with SA 3.2.5 and it's working fine with Rule2XSBody active. I've tried to delete compiled rules and compile again: same result. forget to sa-compile in 3.3 ? sa-compile has been run correctly with no errors (even in debug) has anyone encountered the same problem ? Someone posted a problem with perl 5.6. What version of perl are you running?

thx for your answer perl v5.10.0
Re: Hostkarma Blacklist Climbing the Charts
On 29/09/2009 05:27, MySQL Student wrote:

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5

Hopefully my comment isn't out of place with the current discussion of JMF/Hostkarma. I think this is not only a really bad default score, but it should be reduced to -0.5 or perhaps not used at all. I have a money/fraud email that hit RCVD_IN_JMF_W that passed through these servers:

Received: from 41.220.75.3
Received: from webmail.stu.qmul.ac.uk (138.37.100.37) by mercury.stu.qmul.ac.uk
Received: from qmwmail2.stu.qmul.ac.uk ([138.37.100.210]
Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6])

It also hit these other rules:

X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1 tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470, LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W, RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL

Unless I'm really missing something, which server has JMF/Hostkarma whitelisted that shouldn't be?

This happens time after time. I receive spam every single day from hosts listed on the HostKarma whitelist. In comparison, it's very rare that I see any spam from hosts listed on dnswl.org. I chose a score of -0.2 here.

-- Mike Cardwell - IT Consultant and LAMP developer Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Understanding the hostKarma Lists
Responding to a lot of questions here. The lists contain both host names and IP addresses. IP addresses everyone understands. So I'll talk about host names. Wells Fargo Bank - for example - (wellsfargo.com) - is in the white list as are all of Wells Fargo's hosts. This bank sends nothing but 100% good email. But to avoid spoofing of pointer records you have to use Forward Confirmed RDNS (FcRDNS).

1.2.3.4 PTR -- mail.example.com
mail.example.com A -- 1.2.3.4

This is nearly impossible to spoof. Same is true for yellow lists. If the FcRDNS resolves to hotmail.com, yahoo.com, gmail.com then you can skip all other IP testing because the IP address tells you nothing about if it is or isn't spam.

Warren Togami wrote: On 09/28/2009 10:07 PM, Marc Perkel wrote: I'd like to keep the name HOSTKARMA as standard. If that's so, then we probably want that in the spamassassin rule name. Your wiki page suggests JMF is the name. A number of people probably already configured their spamassassin using your suggested JMF rule names and they would need to be educated to remove it. How about these for rule names, so the rule names are not too long?

RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown

I'm willing to go with whatever name works better for the community. I will change my wiki to be consistent.

Hi Marc, I appreciate your desire for everyone to wholly benefit from your work, but please let us implement this for spamassassin in stages starting from the lowest hanging fruit. First please confirm that you approve of the above new rule names, if you don't want it to be known as JMF.

Yes - or whatever works best. I can change my wiki to reflect consensus.

Hi Warren, No one has actually implemented the rules for my blacklists correctly. My lists support both IP and hostname lookups. The hostname assumes that you have forward confirmed the RDNS so that you eliminate those who might spoof.

Please explain in greater detail?
Can this be determined wholly from the Headers and message body after the MTA had passed the mail to the MDA? Yes - it does require 2 DNS calls to do this for FcRDNS. You need a PTR call to get the RDNS and an A record call to confirm it. Yellow means that the IP or hostname contains no useful information as to spam or no spam. On my system once I determine a host is yellow I skip all blacklists and whitelists tests. Yellow is for Yahoo, Hotmail, Gmail, etc where the IP has no information and all host tests are meaningless. My NoBL list is similar to yellow except that you can skip black list lookup but maybe might be whitelisted somewhere. Please help me better understand, what are examples of a sequence of events that would land an IP address on the NoBL? NoBL is determined a number of ways. NoBL is what most RBLs call white listing in that it means don't include it in any black list. To me white list means a spam free source. People who remove their IP manually using my form will be on the NoBL list. Or it might be what I have determined that there is some good email coming from the IP and they may be a candidate for white listing but I have yet to determine that. Yellow listing is where I know they should not be black listed but I also know they should not be white listed. (yahoo, gmail, hotmail). NoBL is where I know they should not be black listed but might be white listed. An important point to understand here is that I don't use my own lists in Spam Assassin. I do most of my filtering with Exim rules. I use my lists to avoid using SA to reduce system load. SA sees mostly yellow listed hosts. If you just want to score points then Black, White, and Brown can be assigned points. Yellow should be zero points regardless of how it tests. I am aware that Yellow isn't useful for scores. It is however useful for statistical analysis in masschecks, and it doesn't cost spamassassin any more to print if it hits. 
In particular I'm looking to see if there are any reliable trends of overlap between Yellow and other spamassassin rules. Fair enough. I just didn't want you assigning points to a yellow listing because the results would be false. I think the real power of my lists is in the host name lookups. It would be worthwhile to implement that. Please describe how this is more effective than IP lookups? I don't have a list of IP addresses that Yahoo uses. However, if the FcRDNS resolves to yahoo then I can skip all other RBL testing because I know it's a yahoo source. Same is true of white and black listed host names. On my system if a host name lookup returns yellow, then I add the sending IP to my yellow lists for those using IP lookups. Same with the other colors. I think my white listing is very accurate at this point. The thing about white servers is that they aren't evasive like spammers. There should be some short circuiting options to reduce system load on SA for white
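
The FcRDNS-gated hostname lookup described in the message above, as an added Python example that is not part of the original post and is not Hostkarma's or SpamAssassin's own code. The DNS records, the `HOST_LIST` entries and every function name are constructed for illustration; the three return codes are the ones quoted in the thread, and letting a confirmed hostname colour take precedence over IP answers is an assumption.

```python
import ipaddress

# Constructed DNS data (documentation address ranges). In production the two
# lookup functions below would call a real resolver instead.
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.com."],
    "192.0.2.66": ["mail.example.com."],   # PTR claims a listed name; A record disagrees
    "198.51.100.7": ["mta7.freemail.example."],
}
A_RECORDS = {
    "mail.example.com": ["192.0.2.10"],
    "mta7.freemail.example": ["198.51.100.7"],
}
# Hypothetical hostname list: domain suffix -> colour.
HOST_LIST = {"example.com": "white", "freemail.example": "yellow"}
# IP-lookup return codes quoted in the thread.
IP_CODES = {"127.0.0.1": "white", "127.0.0.2": "black", "127.0.0.5": "nobl"}


def ptr_lookup(ip):
    """DNS call 1: reverse (PTR) lookup. Stubbed with constructed data."""
    return PTR_RECORDS.get(ip, [])


def a_lookup(name):
    """DNS call 2: forward (A) lookup. Stubbed with constructed data."""
    return A_RECORDS.get(name, [])


def normalise(name):
    return name.rstrip(".").lower()


def fcrdns(ip, ptr=ptr_lookup, a=a_lookup):
    """Return the first PTR name whose A records contain ip, else None.

    A PTR record alone is set by whoever runs the reverse zone, so it is
    only trusted once the forward lookup points back at the same address.
    """
    ip = str(ipaddress.ip_address(ip))     # raises ValueError on malformed input
    for raw in ptr(ip):
        name = normalise(raw)
        if ip in a(name):
            return name
    return None


def host_colour(name, host_list=HOST_LIST):
    """Match the name or any parent domain, most specific suffix first."""
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        colour = host_list.get(".".join(labels[i:]))
        if colour:
            return colour
    return None


def ip_colours(answers):
    """Decode IP-lookup answers and flag a black + NoBL double listing."""
    colours = {IP_CODES[a] for a in answers if a in IP_CODES}
    return colours, {"black", "nobl"} <= colours


def classify(ip, ip_answers=()):
    """Hostname list first (only if FcRDNS confirms), then IP answers."""
    host = fcrdns(ip)
    colour = host_colour(host) if host else None
    if colour:
        # Yellow in particular means the IP carries no information, so the
        # IP black/white answers are ignored entirely.
        return {"host": host, "verdict": colour, "ip_lists_used": False}
    colours, conflict = ip_colours(ip_answers)
    if conflict:
        verdict = "inconsistent"           # listed black and NoBL at once
    elif "black" in colours:
        verdict = "black"
    elif "white" in colours:
        verdict = "white"
    else:
        verdict = "unlisted"
    return {"host": host, "verdict": verdict, "ip_lists_used": True}


if __name__ == "__main__":
    for addr, answers in [("192.0.2.10", []), ("192.0.2.66", ["127.0.0.2"]),
                          ("198.51.100.7", ["127.0.0.2"]),
                          ("203.0.113.5", ["127.0.0.2", "127.0.0.5"])]:
        print(addr, classify(addr, answers))
```

The second sample address shows why the forward confirmation matters: its PTR record names a white-listed host, but the verdict comes from the IP answer because the A record does not point back.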
Re: Hostkarma Blacklist Climbing the Charts
MySQL Student wrote: Hi, Hopefully my comment isn't out of place with the current discussion of JMF/Hostkarma. I think this is not only a really bad default score, but it should be reduced to -0.5 or perhaps not used at all. I have a money/fraud email that hit RCVD_IN_JMF_W that passed through these servers:

Received: from 41.220.75.3
Received: from webmail.stu.qmul.ac.uk (138.37.100.37) by mercury.stu.qmul.ac.uk
Received: from qmwmail2.stu.qmul.ac.uk ([138.37.100.210]
Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6])

It also hit these other rules:

X-Spam-Status: No, hits=1.3 tagged_above=-300.0 required=5.0 use_bayes=1 tests=AE_GBP, BAYES_50, LOTS_OF_MONEY, LOTTERY_PH_004470, LOTTO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W, RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL

Unless I'm really missing something, which server has JMF/Hostkarma whitelisted that shouldn't be? This happens time after time.

Yep - this isn't a perfect list. However if I got some good feedback on this I could weed out the white lists and get it more accurate. There are also a lot of hosts I could include with more data.
Re: Hostkarma Blacklist Climbing the Charts
Blaine Fleming wrote: Marc Perkel wrote: My NoBL list is similar to yellow except that you can skip black list lookup but maybe might be whitelisted somewhere. I keep seeing IPs that are on both the NoBL *and* the blacklist. An example of this 89.206.179.213. That IP currently returns 127.0.0.2 (blacklisted) and 127.0.0.5 (NoBL listed). Can you make sense of this entry? --Blaine That would be a bug in my system. I'll need to look into that.
Hostkarma white list
For those of you getting spam from IPs/Hostnames on my hostkarma white list, if you could email me a list of false hits (IP or host name) I could probably clean out the bad entries in the white list pretty quick.
Re: Hostkarma Blacklist Climbing the Charts
On 09/29/2009 12:27 AM, MySQL Student wrote: Hi,

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_W net nice
score RCVD_IN_JMF_W -5

Hopefully my comment isn't out of place with the current discussion of JMF/Hostkarma. I think this is not only a really bad default score, but it should be reduced to -0.5 or perhaps not used at all.

I believe spamassassin does not assign any negative score to any whitelist by default precisely for good reason. USER_IN_DEF_DKIM_WL has the score -7.50 because it is a lot more certain than a mere whitelist, having done cryptographic checking on the DKIM signature to verify that the domain is both known non-spammer and it is not spoofed.

Warren Togami wtog...@redhat.com
RE: Problems with high spam
Dear Sirs, First of all thank them for their help I was out of the office for some days that is why I am taking up this issue recently. I made the changes I recommended such as: Add RBL Add SARE rules and SOUGTH Reducing the amount of SPAM processes from 20 to 5 Set spamc -x not-safe-fallback In Qmail add rbl zen.spamhaus.org And the result for yesterday is as follows: Total messages:Ham: Spam: % Spam: -- 7505 5218 2287 30.47% Compared with the statistics before making changes: Total messages:Ham: Spam: % Spam: -- 11451 5153 6298 55.00% It shows is that the total amount of emails has decreased considerably and this has been for add zen.spamhaus.org to qmail. But I have reports that users are receiving SPAM emails I have some questions: - How to calculate the amount of memory and CPU used by each process Spamd? - Approximately 85% of spam are in Spanish, this can be a problem for SpamAssassin? - Which tool can I use to get statistics of SpamAssassin, I am currently using the script sa-stats.pl. Thanks Jose Luis Date: Wed, 23 Sep 2009 13:33:26 -0700 From: jhar...@impsec.org To: users@spamassassin.apache.org Subject: Re: Problems with high spam On Wed, 23 Sep 2009, Jari Fredriksson wrote: - the high load is because of high number of spamd children running. - the missing scores of some emails are because you need more of spamd children running, connections are refused so any spamc client just passes messages as they are. And this is where spamc option -x helps. Failed ones will be put back yo queue. I believe the OP put the -x in the spamd command line, not the spamc command line... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- We are hell-bent and determined to allocate the talent, the resources, the money, the innovation to absolutely become a powerhouse in the ad business. 
-- Microsoft CEO Steve Ballmer ...because allocating talent to securing Windows isn't profitable? --- Approximately 8793360 firearms legally purchased in the U.S. this year _ Discover the new Windows Vista http://search.msn.com/results.aspx?q=windows+vistamkt=en-USform=QBRE
Re: Hostkarma Blacklist Climbing the Charts
On tir 29 sep 2009 17:37:20 CEST, Warren Togami wrote On 09/29/2009 12:27 AM, MySQL Student wrote:

header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')

this one could be changed to some trusted variant for testing on local trusted_networks so change lastexternal to firsttrusted and if one wants do please add it to masscheck, if it's not possible to test it, drop it :) -- xpoint
Re: Understanding the hostKarma Lists
On 09/29/2009 10:23 AM, Marc Perkel wrote: RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown I'm willing to go with whatever name works better for the community. I will change my wiki to be consistent. Hi Marc, I appreciate your desire for everyone to wholly benefit from your work, but please let us implement this for spamassassin in stages starting from the lowest hanging fruit. First please confirm that you approve of the above new rule names, if you don't want it to be known as JMF. Yes - or whatever works best. I can change my wiki to reflect consensus. It seems that people have already been using the rules copied from your site. It will be confusing to them if we change the official name. Some will accidentally have your lists twice. RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown OTOH, I really like these new names. My brain thinks less hard to recognize them. How do other people feel? Should we stick to his old names with JMF in the Wiki or these new names? Warren
Re: Understanding the hostKarma Lists
On 09/29/2009 12:45 PM, Henrik K wrote: It seems that people have already been using the rules copied from your site. It will be confusing to them if we change the official name. Some will accidentally have your lists twice. RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown OTOH, I really like these new names. My brain thinks less hard to recognize them. Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would this drop the use then? We're bikeshedding here, but I believe these names are better because it is absolutely clear what it means without _IN. Shorter name is better and easier to read I think. Warren
Re: Understanding the hostKarma Lists
On Tue, Sep 29, 2009 at 12:50:13PM -0400, Warren Togami wrote: On 09/29/2009 12:45 PM, Henrik K wrote: It seems that people have already been using the rules copied from your site. It will be confusing to them if we change the official name. Some will accidentally have your lists twice. RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown OTOH, I really like these new names. My brain thinks less hard to recognize them. Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would this drop the use then? We're bikeshedding here, but I believe these names are better because it is absolutely clear what it means without _IN. Shorter name is better and easier to read I think. Sorry but it doesn't make any sense. Also I think everyone that has got to know Marc/JMF/hostkarma will find JMF the most familiar name. At least I do.
Re: Hostkarma white list
Hi, For those of you getting spam from IPs/Hostnames on my hostkarma white list, if you could email me a list of false hits (IP or host name) I could probably clean out the bad entries in the white list pretty quick. I'm not sure this is the best approach. I have a procmail recipe that filters specifically the JMF_W and I go through it every day before training the folder as ham. I'd say around a quarter of the messages are spam. How many entries on the whitelist? How were they added? I'd almost rather start from scratch (or from a more proven list) with a percentage known to be valid and build from there. At the least, wouldn't it be best to move the default score closer to zero on your wiki page for the time being? Maybe another method for submitting FPs rather than emailing them to you could be created? Wouldn't the veracity of the list be better assured if you built the list from a pile of known ham? Mail originating from priorityoneemail.com [69.10.237.52] would be one prime suspect for removal consideration. On a somewhat related topic, how do people classify topica.com? That is one for sure sends junk, but looks like people may actually request it, heh. Thanks, Alex
Re: Understanding the hostKarma Lists
Warren Togami wrote: On 09/29/2009 12:45 PM, Henrik K wrote: It seems that people have already been using the rules copied from your site. It will be confusing to them if we change the official name. Some will accidentally have your lists twice. RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown OTOH, I really like these new names. My brain thinks less hard to recognize them. Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would this drop the use then? We're bikeshedding here, but I believe these names are better because it is absolutely clear what it means without _IN. Shorter name is better and easier to read I think. Warren What about scripts looking for occurrences of 'RCVD_IN' in log files etc? I agree it's clear without, but I'd also rather be consistent :)
Re: Hostkarma white list
Oops! Sorry, I didn't intend to send my previous message to the list. Nedry On 9/29/09 at 12:51 PM -0500 Larry Nedry wrote: On 9/29/09 at 7:41 AM -0700 Marc Perkel wrote: For those of you getting spam from IPs/Hostnames on my hostkarma white list, if you could email me a list of false hits (IP or host name) I could probably clean out the bad entries in the white list pretty quick. Here are my hostkarma white FPs for the month of September. I can go back further if you like. Nedry --- snipped --
DNSWL and JMF White false positives, what to do exactly?
I scanned my spam folders and found a few false positives that hit on either DNSWL or JMF (HOSTKARMA? See how confusing it is not knowing what to call it?) Is there an easy automated way we can forward FP's to DNSWL and JMF so their maintainers can decide what to do about the offending senders? I'd attach it to mail but it might get caught in the spam filter... Warren Togami wtog...@redhat.com
SQL Bayes behavior
Hi, I have a few questions about the behavior of Bayes and SQL. Before the questions, I've followed this tutorial http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html that should be the same thing of this: http://spamassassin.apache.org/full/3.0.x/dist/sql/README.bayes, my db are updated constantly, so it should work.

1- In the bayes_vars table I've only a row for amavis user. Theoretically is it a good choice to use only one db for all users of my domain? (if I've understood well, spamassassin uses this single db to store Bayes for all users of my domain)

2- How can I use single Bayes db for each users? Should I use bayes_sql_override_username ? I don't know where to get the right username.

3- Every 10-15 seconds, the counts of ham_count or spam_count in bayes_vars table increase without that any users send or receive mails. So, the behavior of spamassassin is to analyze all mails present in all my users' Maildirs?

Thanks :) Marco
Problem with SA
Dear Sirs, I have a problem with the SA, I have added the option Spam-x since that time the SA is no return emails, no subject or message body, what could be the problem. greetings
Re: Problem with SA
That doesn't look much like a SpamAssassin option there, to me. Perhaps you may get more useful responses if you give us more detail about your system configuration. What mailserver are you running? How does it invoke SpamAssassin? Do you have a virus scanner installed? What operating system do you use? Luis campo lcr_2...@hotmail.com 09/29/09 2:44 PM Dear Sirs, I have a problem with the SA, I have added the option Spam-x since that time the SA is no return emails, no subject or message body, what could be the problem. greetings
unsubscribe
Re: unsubscribe
Paul Andrews wrote: Try users-unsubscr...@spamassassin.apache.org -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: unsubscribe
At 12:31 PM 9/29/2009, you wrote: Nothing As the headers for every message state... list-unsubscribe: mailto:users-unsubscr...@spamassassin.apache.org
Re: Understanding the hostKarma Lists
It seems that people have already been using the rules copied from your site. It will be confusing to them if we change the official name. Some will accidentally have your lists twice. RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown OTOH, I really like these new names. My brain thinks less hard to recognize them. How do other people feel. Should we stick to his old names with JMF in the Wiki or these new names? Warren I prefer new names. Whatever the names will be, will they be stock in 3.3? I have not installed these (old or new) in my local.cf
Re: Problem with SA
On Tue, 29 Sep 2009, Luis campo wrote: I have a problem with the SA, I have added the option Spam-x since that time the SA is no return emails, no subject or message body, Whatever is calling spamc is not responding properly to an error code from spamc. Since this is causing lost messages, remove -x from the spamc command line. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/
Re: [sa] Re: Is there an echo in here?
On Mon, 28 Sep 2009, John Hardin wrote: At 04:10 PM 9/28/2009, you wrote: Is it just me, or are others getting multiple copies of list posts the last hour or so? Not I Only see a few posts in the last day, and only one of each. Huh. I guess the ASF MTA doesn't like me, then. The only time I ever get duplicates is when my (receiving) mail server gets overloaded and fails to process the message within the 5 minute 'timeout' value imposed by the sending server. The sender 'gives up' to retry, and the receiver finishes delivering the mail before noticing the connection has dropped. - Charles
Re: Understanding the hostKarma Lists
On 09/29/2009 12:50 PM, Warren Togami wrote: On 09/29/2009 12:45 PM, Henrik K wrote: It seems that people have already been using the rules copied from your site. It will be confusing to them if we change the official name. Some will accidentally have your lists twice. RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown OTOH, I really like these new names. My brain thinks less hard to recognize them. Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would this drop the use then? We're bikeshedding here, but I believe these names are better because it is absolutely clear what it means without _IN. Shorter name is better and easier to read I think. Warren Marc, Could you please decide between the existing JMF rule names or the above proposed HOSTKARMA names? It seems opinions are split here. Warren
Re: Understanding the hostKarma Lists
Hi! We're bikeshedding here, but I believe these names are better because it is absolutely clear what it means without _IN. Shorter name is better and easier to read I think. Could you please decide between the existing JMF rule names or the above proposed HOSTKARMA names? It seems opinions are split here. Please stick to JMF, its called like that for a long long time now. And there is installed base. Dont confuse people if its not needed. Thanks, Raymond.
Re: SQL Bayes behavior
pm...@email.it wrote: Hi, I've few question about the behavior of Bayes and SQL. Before the questions, i've followed this tutorial http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html that should be the same thing of this: http://spamassassin.apache.org/full/3.0.x/dist/sql/README.bayes, my db are updated constantly, so it should works. 1- In the bayes_vars http://192.168.1.36/phpmyadmin/sql.php?db=spamassassintoken=eea7fc1ed22ce035cad972e37fa36534table=bayes_varspos=0 table i've only a row for amavis user. seems you are using amavisd-new, you might want to check out the amavis list (I have set replies. join the list). 2- How can i use single Bayes db for each users? Should i use bayes_sql_override_username ? I don't know where to get the right username. won't help on amavis, just mess things up. 3- Every 10-15 seconds, the counts of ham_count or spam_count in bayes_vars http://192.168.1.36/phpmyadmin/sql.php?db=spamassassintoken=eea7fc1ed22ce035cad972e37fa36534table=bayes_varspos=0 table increase without that any users send or receive mails. So, the behavior of spamassassin is to analyze all mails presents in all my users' Maildirs? ?eh, if ham_count and spam_count increase, then you are receiving emails. Thanks :) Marco
Re: Understanding the hostKarma Lists
On tir 29 sep 2009 23:30:15 CEST, Warren Togami wrote Could you please decide between the existing JMF rule names or the above proposed HOSTKARMA names? It seems opinions are split here. let it be the long names that lose ? ironical you wanted to be short names but created a longer one ? -- xpoint
Re: [sa] Re: Is there an echo in here?
On Tue, 29 Sep 2009, Charles Gregory wrote: On Mon, 28 Sep 2009, John Hardin wrote: At 04:10 PM 9/28/2009, you wrote: Is it just me, or are others getting multiple copies of list posts the last hour or so? Not I Only see a few posts in the last day, and only one of each. Huh. I guess the ASF MTA doesn't like me, then. The only time I ever get duplicates is when my (receiving) mail server gets overloaded and fails to process the message within the 5 minute 'timeout' value imposed by the sending server. The sender 'gives up' to retry, and the receiver finishes delivering the mail before noticing the connection has dropped. That's exactly what was happening to me yesterday. It took me a little while to track down what was happening, and why, and fix it. Sometimes 256MB just ain't enough. :) -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- An AR-15 in civilian hands used to defend a home or business: a High Velocity Assault Weapon with High Capacity Magazines An AR-15 in Law Enforcement Officer hands used to murder six kids: a Police-Style Patrol Rifle --- Approximately 8993460 firearms legally purchased in the U.S. this year
Re: Understanding the hostKarma Lists
On tir 29 sep 2009 23:30:15 CEST, Warren Togami wrote Could you please decide between the existing JMF rule names or the above proposed HOSTKARMA names? It seems opinions are split here. let it be the long names that lose ? ironical you wanted to be short names but created a longer one ? JMF may have been a project name, but HOSTKARMA is and will be a brand. I still vote for HOSTKARMA.
Re: Hostkarma white list
On Tue, 29 Sep 2009, Larry Nedry wrote: On 9/29/09 at 7:41 AM -0700 Marc Perkel wrote: For those of you getting spam from IPs/Hostnames on my hostkarma white list, if you could email me a list of false hits (IP or host name) I could probably clean out the bad entries in the white list pretty quick. Here are my hostkarma white FPs for the month of September. I can go back further if you like. Nedry 12.51.239.149 {circa 80k snipped} Please don't send stuff like that to the list. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Gun Control laws cannot reduce violent crime, because gun control laws assume a violent criminal will obey the law. --- Approximately 8994840 firearms legally purchased in the U.S. this year
Re: Hostkarma white list
On ons 30 sep 2009 00:10:05 CEST, John Hardin wrote Please don't send stuff like that to the list. the list is still useful in email, it can now be tested with uri rules, but yes never send big samples in public, this is what pastebins are for but we are all humans, and humans make error, only computers would make their time calc pi :) -- xpoint
Re: SQL Bayes behavior
pm...@email.it wrote: Hi, I've few question about the behavior of Bayes and SQL. Before the questions, i've followed this tutorial http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html that should be the same thing of this: http://spamassassin.apache.org/full/3.0.x/dist/sql/README.bayes, my db are updated constantly, so it should works. 1- In the bayes_vars http://192.168.1.36/phpmyadmin/sql.php?db=spamassassintoken=eea7fc1ed22ce035cad972e37fa36534table=bayes_varspos=0 table i've only a row for amavis user. Theoretically is it a good choice to use only one db for all users of my domain? (if i've understood well, spamassassin use this single db to store Bayes for all users of my domain) In theory, per-user is slightly more accurate than systemwide. However, training is more important than granularity. So when it comes down to it, unless you're ready to set up something where users can individually report spam and nonspam (can be a bit tricky) you're probably better off going with a single system-wide bayes database. At least this way if you need to do some manual training, it's only one DB to train on and everyone benefits. 2- How can i use single Bayes db for each users? Should i use bayes_sql_override_username ? I don't know where to get the right username. You'd need to get amavis to pass this to spamassassin. I don't know enough about amavis to know if this is supported or not. Generally most MTA layer integrations don't, and most MDA integrations do, but there's lots of exceptions. Amavis is a MTA integration, but it might be one of the exceptions. 3- Every 10-15 seconds, the counts of ham_count or spam_count in bayes_vars http://192.168.1.36/phpmyadmin/sql.php?db=spamassassintoken=eea7fc1ed22ce035cad972e37fa36534table=bayes_varspos=0 table increase without that any users send or receive mails. So, the behavior of spamassassin is to analyze all mails presents in all my users' Maildirs? No. 
SpamAssassin has no concept that your user's maildirs even exist, it will not scan them. There are only 2 ways training occurs: 1) a message passes through SA during delivery, and gets auto-learned due to the scoring criteria 2) someone (or some cronjob) calls sa-learn and explicitly feeds it mail. And the only other way that the counts could update would be during a journal sync, which occurs only during message processing or calls to sa-learn. (the exact triggers are slightly different, but from a high-level view they're more-or-less the same.). It seems strange you're seeing the counts increase without any incoming mail... Are you *positive* nothing is arriving, or recently arrived and is just finishing up being processed by SA? Thanks :) Marco
Rule name for hostKarma Lists
I will go along with the consensus of the group. Jari Fredriksson wrote: It seems that people have already been using the rules copied from your site. It will be confusing to them if we change the official name. Some will accidentally have your lists twice. RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown OTOH, I really like these new names. My brain thinks less hard to recognize them. How do other people feel. Should we stick to his old names with JMF in the Wiki or these new names? Warren I prefer new names. Whatever the names will be, will they be stock in 3.3? I have not installed these (old or new) in my local.cf
Re: Understanding the hostKarma Lists
Warren Togami wrote: On 09/29/2009 12:50 PM, Warren Togami wrote: On 09/29/2009 12:45 PM, Henrik K wrote: It seems that people have already been using the rules copied from your site. It will be confusing to them if we change the official name. Some will accidentally have your lists twice. RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown OTOH, I really like these new names. My brain thinks less hard to recognize them. Probably every single dnsbl in SA rules has the prefix RCVD_IN. Why would this drop the use then? We're bikeshedding here, but I believe these names are better because it is absolutely clear what it means without _IN. Shorter name is better and easier to read I think. Warren Marc, Could you please decide between the existing JMF rule names or the above proposed HOSTKARMA names? It seems opinions are split here. Warren If there is a lack of consensus then I appoint you Warren to make the final call. I personally have no strong preference. I do prefer something with HOSTKARMA in it rather to JEF or JMF.
Re: Understanding the hostKarma Lists
On 09/29/2009 08:56 PM, Marc Perkel wrote: Could you please decide between the existing JMF rule names or the above proposed HOSTKARMA names? It seems opinions are split here. Warren If there is a lack of consensus then I appoint you Warren to make the final call. I personally have no strong preference. I do prefer something with HOSTKARMA in it rather to JEF or JMF. To me RCVD_IN_JMF_BL is difficult for my brain to instantly recognize. It isn't the length in characters but rather the short name JMF wrapped between underscores. I was leaning towards names like RCVD_HOSTKARMA_BL or RCVD_HOSTKARMA_WL. But then some people commented about the consistency of RCVD_IN_*. RCVD_IN_HOSTKARMA_BL RCVD_IN_HOSTKARMA_WL RCVD_IN_HOSTKARMA_YL RCVD_IN_HOSTKARMA_BR These look good to me. But then we have the transition confusion problem for those who manually configured to use your old JMF rules. I will decide later after we hear more opinions. http://hostkarma.junkemailfilter.com/ Will this be a working redirector in the near future? There is no point in naming it HOSTKARMA if none of the URL's have hostkarma in their name. Warren Togami wtog...@redhat.com
unsubscribe
RE: unsubscribe
Didn't we already have this discussion today? You need to use the link in the headers! Try users-unsubscr...@spamassassin.apache.org From: Danny [mailto:d...@eastcogroup.com.hk] Sent: Tuesday, September 29, 2009 8:34 PM To: users@spamassassin.apache.org Subject: unsubscribe
Re: unsubscribe
At 08:33 PM 9/29/2009, Danny wrote: Nothing As the headers of every message say... list-unsubscribe: mailto:users-unsubscr...@spamassassin.apache.org
RE: Understanding the hostKarma Lists
RCVD_HOSTKARMA_BL Black RCVD_HOSTKARMA_WL White RCVD_HOSTKARMA_YL Yellow RCVD_HOSTKARMA_BR Brown OTOH, I really like these new names. My brain thinks less hard to recognize them. How do other people feel. Should we stick to his old names with JMF in the Wiki or these new names? Warren please keep the original names using JMF since Perkel chose them and it is more descriptive of his domain and nobody has to change anything from what they have now (generally) - rh
RE: Understanding the hostKarma Lists
Marc, Could you please decide between the existing JMF rule names or the above proposed HOSTKARMA names? It seems opinions are split here. Warren warren, marc already decided once, please dont give more choices... you should have thought that out before putting the list in a minor tiz on it. - rh
Re: Hostkarma white list
On Tue, Sep 29, 2009 at 03:10:05PM -0700, John Hardin wrote: On Tue, 29 Sep 2009, Larry Nedry wrote: On 9/29/09 at 7:41 AM -0700 Marc Perkel wrote: For those of you getting spam from IPs/Hostnames on my hostkarma white list, if you could email me a list of false hits (IP or host name) I could probably clean out the bad entries in the white list pretty quick. Here are my hostkarma white FPs for the month of September. I can go back further if you like. Nedry 12.51.239.149 {circa 80k snipped} Please don't send stuff like that to the list. It's not like he intended to.. anyways, for some reason I thought it was pretty funny, maybe for the wrong reasons. ;-)
Hostkarma: to be or not to be in SA defaults
been following Warren Togami's aggressive lobbying for adding RBLs to SA's defaults, and I have some questions:
- is it wise to add yet even more lookups to BLs and slow down SA's already huge amount of DNS lookups.
- is the BL in question (which ever it may be) prepared for sustaining the global traffic load of millions of default SA setups.
- does the BL have a track record, wide acceptance, safety and reliability to become a standard in SA?
- shouldn't SA be conservative and deliver *safe* default setups allowing the end user/admin/whatever decide how far he/she wants to hog his setup with by querying yet more BLs.
- With all respect for Mark and his efforts: there is a track of one man operated BLs being DDOS'd to oblivion, operators disappearing, etc. Should this be weighted as well?
I believe these points should have more weight than arguing about trivial naming or BL colours
comments?
have a good day...