Re: PORTERS QUESTION: SA 3.3.0 and rules
In this case, I would use the sa-update --install option. On Sun, Jan 31, 2010 at 19:56, Michael Scheidell scheid...@secnap.net wrote: Working on official SA 3.3.0 port for Freebsd, have a Question: if user who installs SA 3.3.0 does NOT install or use sa-update, then I have to install the default ruleset. where should I put it? into the updates directory? ../3.003000/updates_spamassassin_org/ or where it was for 3.2.5? ../share/mail/spamassassin? assuming they will either NEVER update it, or they will (someday) get smart and run sa-update? where is the best place to put it? and, will checksum/location of default ruleset ever change? -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 *| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best Anti-Spam Product 2008, Network Products Guide * King of Spam Filters, SC Magazine 2008 __ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ __ -- --j.
Re: PORTERS QUESTION: SA 3.3.0 and rules
On 2/1/10 5:52 AM, Justin Mason wrote:
> In this case, I would use the sa-update --install option.

thanks, yes, I think during the freebsd fetch, I will fetch both tarballs, install the default rule set so that if they start spamd or run SA, it won't fail. (so that it is consistent with existing installations)

Q: will that 'default' tarball of rules ALWAYS be available? and ALWAYS have the same md5 sig and size? or will it change? if it 'moves' or changes, then ports and rpm maintainers will need a 'static', (release version) that doesn't change.

-- Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: PORTERS QUESTION: SA 3.3.0 and rules
it's a release version -- each release's version of that file and its sigs will never change.

On Mon, Feb 1, 2010 at 10:55, Michael Scheidell scheid...@secnap.net wrote:
> On 2/1/10 5:52 AM, Justin Mason wrote:
>> In this case, I would use the sa-update --install option.
>
> thanks, yes, I think during the freebsd fetch, I will fetch both tarballs, install the default rule set so that if they start spamd or run SA, it won't fail. (so that it is consistent with existing installations)
>
> Q: will that 'default' tarball of rules ALWAYS be available? and ALWAYS have the same md5 sig and size? or will it change? if it 'moves' or changes, then ports and rpm maintainers will need a 'static', (release version) that doesn't change.
>
> -- Michael Scheidell, CTO
> SECNAP Network Security Corporation

-- --j.
Re: warn: reporter: DCC report via dccproc failed
On 1/31/10 9:03 PM, Chris wrote:
> SA 3.3.0, just installed via CPAN this afternoon. When running my spam reporter script I noticed this:
>
> warn: reporter: DCC report via dccproc failed: Can't locate object method close_pipe_fh via package Mail::SpamAssassin::Reporter at /etc/mail/spamassassin/DCC.pm line 803,DCC line 2.
> Jan 31 18:01:05.755 [17665] info: reporter: could not report spam to DCC via dccproc

you did a spamassassin -r? you have a new(ish) version of DCC? the standard version? or the commercial version?

-- Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: warn: reporter: DCC report via dccproc failed
On Mon, 2010-02-01 at 06:38 -0500, Michael Scheidell wrote:
> On 1/31/10 9:03 PM, Chris wrote:
>> SA 3.3.0, just installed via CPAN this afternoon. When running my spam reporter script I noticed this:
>>
>> warn: reporter: DCC report via dccproc failed: Can't locate object method close_pipe_fh via package Mail::SpamAssassin::Reporter at /etc/mail/spamassassin/DCC.pm line 803,DCC line 2.
>> Jan 31 18:01:05.755 [17665] info: reporter: could not report spam to DCC via dccproc
>
> you did a spamassassin -r?

In a way yes, I run a perl script that runs sa-learn and also reports the spam to razor/pyzor/DCC all in one run.

> you have a new(ish) version of DCC? the standard version? or the commercial version?

I have the standard (free) version of DCC. There were no issues when I ran the script a few days previously with 3.2.5.

-- KeyID 0xE372A7DA98E6705C
Re: warn: reporter: DCC report via dccproc failed
On 2/1/10 7:07 AM, Chris wrote:
> I have the standard (free) version of DCC. There were no issues when I ran the script a few days previously with 3.2.5.

cdcc -V exit

what do you get? at least 1.3.111?

-- Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: Summary Tokens
Reading at least a few of the latest messages helps reduce postings about duplicate issues. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com
more troubles with DCC on SA 3.30 : dccifd options? dcc_options sent to wrong place?
was using this on SA 3.2.5 in local.cf

dcc_options -R -x 0
dcc_home /usr/local/dcc
dcc_dccifd_path /usr/local/dcc/dccifd

now, on SA 3.30, I get this (constantly).

Feb 1 07:19:14 mx1 dccifd[10069]: unrecognized option value: -R -x 0

note, that dcc_options are options that are supposed to be sent to the dccproc command, NOT dccifd.

dcc_options options
    Specify additional options to the dccproc(8) command. Please note that only characters in the range [0-9A-Za-z ,._/-] are allowed for security reasons. The default is undef.

from man dccproc:

-R
    says the first Received lines have the standard helo (name [address])... format and the address is that of the SMTP client that would otherwise be provided with -a. The -a option should be used if the local SMTP server adds a Received line with some other format or does not add a Received line. Received headers specifying IP addresses marked MX or MXDCC in the -w whiteclnt file are skipped.

-x exitcode
    specifies the code or status with which dccproc exits if the -c thresholds are reached or the -w whiteclnt file blacklists the message. The default value is EX_NOUSER. EX_NOUSER is 67 on many systems. Use 0 to always exit successfully.

-- Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: more troubles with DCC on SA 3.30 : dccifd options? dcc_options sent to wrong place?
Michael, was using this on SA 3.2.5 in local.cf dcc_options -R -x 0 dcc_home /usr/local/dcc dcc_dccifd_path /usr/local/dcc/dccifd now, on SA 3.30, I get this (constantly). Feb 1 07:19:14 mx1 dccifd[10069]: unrecognized option value: -R -x 0 note, that dcc_options are options that are supposed to be sent to the dccproc command, NOT dccifd. Wrong options. Please open a bug report. I believe this is the fix: --- lib/Mail/SpamAssassin/Plugin/DCC.pm (revision 905273) +++ lib/Mail/SpamAssassin/Plugin/DCC.pm (working copy) @@ -679,7 +679,7 @@ my $left; my $right; my $timeout = $conf-{dcc_timeout}; - my $opts = $conf-{dcc_options}; + my $opts = $conf-{dccifd_options}; my @opts = !defined $opts ? () : split(' ',$opts); $permsgstatus-enter_helper_run_mode(); @@ -906,7 +906,7 @@ my $conf = $self-{main}-{conf}; my $timeout = $conf-{dcc_timeout}; # instead of header use whatever the report option is - my $opts = $conf-{dcc_options}; + my $opts = $conf-{dccifd_options}; my @opts = !defined $opts ? () : split(' ',$opts); $options-{report}-enter_helper_run_mode(); Mark
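Review bot: in the @@ -679 hunk, $opts is now read from the dccifd_options key and split on whitespace into @opts, but nothing in the visible lines shows that key being declared, defaulted or validated. The dcc_options documentation quoted earlier in this thread restricts values to the characters [0-9A-Za-z ,._/-] for security reasons; dccifd_options needs the same check where the configuration is parsed, plus a documentation entry, before this goes into 3.3.1.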
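Review bot: in the @@ -906 hunk, the context lines do not show whether this reporting routine talks to dccifd or spawns dccproc. If it can reach dccproc, reading dccifd_options here would hand dccifd options to dccproc, the mirror image of the bug being fixed, so please confirm which helper this code feeds. The comment "# instead of header use whatever the report option is" sits directly above the changed line and should say which option set is meant.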
Re: more troubles with DCC on SA 3.30 : dccifd options? dcc_options sent to wrong place?
On 2/1/10 8:01 AM, Mark Martinec wrote:
> Wrong options. Please open a bug report. I believe this is the fix:

Thanks, that fixed mine. won't help 'chris's problem, will it?

-- Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: PORTERS QUESTION: SA 3.3.0 and rules
On 31-Jan-2010, at 14:21, Michael Scheidell wrote: maybe I should have read ../INSTALL file :-) Install rules from a compressed tar archive: sa-update --install Mail-SpamAssassin-rules-xxx.tgz Does this mean 3.3.0 should now show up in ports? -- What are you, Ghouls? There are no dead students here. This week.
Re: warn: reporter: DCC report via dccproc failed
Chris, SA 3.3.0, just installed via CPAN this afternoon. When running my spam reporter script I noticed this: warn: reporter: DCC report via dccproc failed: Can't locate object method close_pipe_fh via package Mail::SpamAssassin::Reporter at /etc/mail/spamassassin/DCC.pm line 803,DCC line 2. Jan 31 18:01:05.755 [17665] info: reporter: could not report spam to DCC via dccproc spamd[18248]: rules: failed to run DCC_REPUT_13_19 test, skipping: spamd[30068]: util: failed to spawn a process /usr/local/bin/dccproc, -H, -x, 0, -a, 204.15.81.110: Insecure dependency in exec while running setgid at /usr/lib/perl5/site_perl/5.10.1/Mail/SpamAssassin/Util.pm line 1533. at /usr/lib/perl5/site_perl/5.10.1/Mail/SpamAssassin/Util.pm line 1438. you did a spamassassin -r? In a way yes, I run a perl script that runs sa-learn and also reports the spam to razor/pyzor/DCC all in one run. Can you reproduce the problem with a plain 'spamassassin -r' (possibly setgui'd, like yours)? I wasn't successful. I guess you will have to show your (stripped down) code that calls DCC reporting so that the problem is reproducible. Please open a bug report if you won't be able to locate the problem. One of the arguments/options or a command path itself was tainted. Mark
Re: more troubles with DCC on SA 3.30 : dccifd options? dcc_options sent to wrong place?
> Thanks, that fixed mine.

Thanks for testing. Please open the bug report nevertheless, so that the fix is documented and can be properly rolled into 3.3.1.

> won't help 'chris's problem, will it?

No, it is unrelated.

Mark
Re: more troubles with DCC on SA 3.30 : dccifd options? dcc_options sent to wrong place?
On 2/1/10 8:16 AM, Mark Martinec wrote:
>> Thanks, that fixed mine.
>
> Thanks for testing. Please open the bug report nevertheless, so that the fix is documented and can be properly rolled into 3.3.1.

bug opened, patch documented! thanks for help across the big pond! bet the snow capped mountains are unbelievable there this week!

chris's: wonder if he is using dccproc or dccifd...

-- Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: Magical mystery colon
On Saturday January 30 2010 21:16:01 Philip A. Prindeville wrote: Also, how come the eval block: unless (eval require $thing) {...} doesn't contain a terminating ';', i.e.: eval require $thing; instead? It is not needed. It is an 'eval EXPR', not 'eval BLOCK'. A semicolon in perl is a statement separator, not a statement terminator. Mark
Hostkarma whitelist FP
This was listed in the Hostkarma whitelist: [198.217.64.52 listed in hostkarma.junkemailfilter.com] Can we get this IP removed? (I was going to report this directly, but I lost the email address and wasn't able to find anything on the junkemailfilter website.) -- Bowie
90_sare_freemail.cf.sare.sa-update.dostech.net
Is there still a reason for this update channel? 90_sare_freemail.cf.sare.sa-update.dostech.net Or is it now built in to SA v3.3.0?
Status of Freebsd 3.30 port
I am almost ready to post the pr to upgrade SA 3.2.5 to SA 3.3.0 which is the first step in getting the SA 3.30 port officially on FreeBsd ports system.

Prior to this, please update your dependencies, specifically, upgrade p5-Mail-DKIM to at least 0.37, and if you are using amavisd-new, upgrade to at least 2.6.4

If you are using DCC, upgrade to at least 1.3.111 (if you are using the non-commercial version), or to use the new DCC reputations in the commercial version, use at least 2.3.111

Not having these minimum dependencies will cause the portupgrade program to fail until you upgrade.

Note: new installs will automagically install the minimum dependencies as long as your ports tree is updated.

Once I have the ports patches uploaded to Freebsd, I will port the PR number.

-- Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: Sought Rules Back?
On Mon, 2010-02-01 at 00:10 -0500, Jared Hall wrote: Update returned sought rules 1/31/2010. Actually back since Jan 6. :) Re-viewed about 1k fraud spam the following days, for the Sought Fraud sub-set. Had to pinch myself 2.5 times (1 per month) to be sure. Thanks. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Sought Rules Back?
>> Update returned sought rules 1/31/2010.
>
> Actually back since Jan 6. :) Re-viewed about 1k fraud spam the following days, for the Sought Fraud sub-set.

Btw, the three rules JM_SOUGHT_FRAUD_{1,2,3} have a score of zero as per Justin's request (Bug 6155 c 38, c72, c89, c124). Not sure if people using the channel realize that scores need to be bumped up.

Btw, I prefer to avoid them monopolizing the score when more than one hits:

score JM_SOUGHT_FRAUD_1 0.1
score JM_SOUGHT_FRAUD_2 0.1
score JM_SOUGHT_FRAUD_3 0.1
meta JM_SOUGHT_FRAUD_ANY JM_SOUGHT_FRAUD_1 || JM_SOUGHT_FRAUD_2 || JM_SOUGHT_FRAUD_3
score JM_SOUGHT_FRAUD_ANY 3.0

Mark
Re: Sought Rules Back?
On 2/1/2010 10:30 AM, Mark Martinec wrote:
> Btw, the three rules JM_SOUGHT_FRAUD_{1,2,3} have a score of zero as per Justin's request (Bug 6155 c 38, c72, c89, c124). Not sure if people using the channel realize that scores need to be bumped up.
>
> Btw, I prefer to avoid them monopolizing the score when more than one hits:
>
> score JM_SOUGHT_FRAUD_1 0.1
> score JM_SOUGHT_FRAUD_2 0.1
> score JM_SOUGHT_FRAUD_3 0.1
> meta JM_SOUGHT_FRAUD_ANY JM_SOUGHT_FRAUD_1 || JM_SOUGHT_FRAUD_2 || JM_SOUGHT_FRAUD_3
> score JM_SOUGHT_FRAUD_ANY 3.0

I tried to read all 6 months of the comments on Bug 6155, but I just don't have the time this morning to do so. Since the bug is now closed as fixed, is there a reason why scores haven't been pushed out in an update? If this ruleset is expected to come into and out of service, and timely status updates generally aren't sent to this list, I'd rather not manually add scores in local.cf.
Re: Hostkarma whitelist FP
That's the outgoing email gateway for a hospital. It stays whitelisted. Bowie Bailey wrote: This was listed in the Hostkarma whitelist: [198.217.64.52 listed in hostkarma.junkemailfilter.com] Can we get this IP removed? (I was going to report this directly, but I lost the email address and wasn't able to find anything on the junkemailfilter website.)
Re: Sought Rules Back?
On 2/1/10 9:30 AM, Mark Martinec mark.martinec...@ijs.si wrote:
>>> Update returned sought rules 1/31/2010.
>>
>> Actually back since Jan 6. :) Re-viewed about 1k fraud spam the following days, for the Sought Fraud sub-set.
>
> Btw, the three rules JM_SOUGHT_FRAUD_{1,2,3} have a score of zero as per Justin's request (Bug 6155 c 38, c72, c89, c124).

Doesn't appear to be that way in the 3.2.5 channel:

$ cd /var/lib/spamassassin/3.002005/sought_rules_yerp_org/
$ grep score *
20_sought.cf:score JM_SOUGHT_1 4.0
20_sought.cf:score JM_SOUGHT_2 4.0
20_sought.cf:score JM_SOUGHT_3 4.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_1 3.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_2 3.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_3 3.0
$ ls -l
total 128
-rw-r--r-- 1 root root 44591 Feb 1 07:12 20_sought.cf
-rw-r--r-- 1 root root 80120 Feb 1 07:12 20_sought_fraud.cf
-rw-r--r-- 1 root root 29 Feb 1 07:12 MIRRORED.BY

And in fact, looking at the 3.3.0 channel on a different box, the scores are the same:

$ cd /var/lib/spamassassin/3.003000/sought_rules_yerp_org/
$ grep score *
20_sought.cf:score JM_SOUGHT_1 4.0
20_sought.cf:score JM_SOUGHT_2 4.0
20_sought.cf:score JM_SOUGHT_3 4.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_1 3.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_2 3.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_3 3.0

> Not sure if people using the channel realize that scores need to be bumped up.
>
> Btw, I prefer to avoid them monopolizing the score when more than one hits:
>
> score JM_SOUGHT_FRAUD_1 0.1
> score JM_SOUGHT_FRAUD_2 0.1
> score JM_SOUGHT_FRAUD_3 0.1
> meta JM_SOUGHT_FRAUD_ANY JM_SOUGHT_FRAUD_1 || JM_SOUGHT_FRAUD_2 || JM_SOUGHT_FRAUD_3
> score JM_SOUGHT_FRAUD_ANY 3.0
>
> Mark

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Sought Rules Back?
On Mon, 1 Feb 2010 16:30:04 +0100 Mark Martinec mark.martinec...@ijs.si wrote:
>>> Update returned sought rules 1/31/2010.
>>
>> Actually back since Jan 6. :) Re-viewed about 1k fraud spam the following days, for the Sought Fraud sub-set.
>
> Btw, the three rules JM_SOUGHT_FRAUD_{1,2,3} have a score of zero as per Justin's request (Bug 6155 c 38, c72, c89, c124). Not sure if people using the channel realize that scores need to be bumped up.

That doesn't seem to be correct:

$ grep score 20_sought_fraud.cf
score JM_SOUGHT_FRAUD_1 3.0
score JM_SOUGHT_FRAUD_2 3.0
score JM_SOUGHT_FRAUD_3 3.0
$ ls -l 20_sought_fraud.cf
-rw-r--r-- 1 root wheel 80120 1 Feb 15:38 20_sought_fraud.cf
Re: Sought Rules Back?
On 2/1/2010 10:58 AM, RW wrote:
> On Mon, 1 Feb 2010 16:30:04 +0100 Mark Martinec mark.martinec...@ijs.si wrote:
>>>> Update returned sought rules 1/31/2010.
>>>
>>> Actually back since Jan 6. :) Re-viewed about 1k fraud spam the following days, for the Sought Fraud sub-set.
>>
>> Btw, the three rules JM_SOUGHT_FRAUD_{1,2,3} have a score of zero as per Justin's request (Bug 6155 c 38, c72, c89, c124). Not sure if people using the channel realize that scores need to be bumped up.
>
> That doesn't seem to be correct:
>
> $ grep score 20_sought_fraud.cf
> score JM_SOUGHT_FRAUD_1 3.0
> score JM_SOUGHT_FRAUD_2 3.0
> score JM_SOUGHT_FRAUD_3 3.0
> $ ls -l 20_sought_fraud.cf
> -rw-r--r-- 1 root wheel 80120 1 Feb 15:38 20_sought_fraud.cf

updates_spamassassin_org/50_scores.cf overrides the scores in the sought ruleset.
Re: Sought Rules Back?
On 2/1/10 9:59 AM, Jason Bertoch ja...@i6ix.com wrote:
> On 2/1/2010 10:58 AM, RW wrote:
>> On Mon, 1 Feb 2010 16:30:04 +0100 Mark Martinec mark.martinec...@ijs.si wrote:
>>>>> Update returned sought rules 1/31/2010.
>>>>
>>>> Actually back since Jan 6. :) Re-viewed about 1k fraud spam the following days, for the Sought Fraud sub-set.
>>>
>>> Btw, the three rules JM_SOUGHT_FRAUD_{1,2,3} have a score of zero as per Justin's request (Bug 6155 c 38, c72, c89, c124). Not sure if people using the channel realize that scores need to be bumped up.
>>
>> That doesn't seem to be correct:
>>
>> $ grep score 20_sought_fraud.cf
>> score JM_SOUGHT_FRAUD_1 3.0
>> score JM_SOUGHT_FRAUD_2 3.0
>> score JM_SOUGHT_FRAUD_3 3.0
>> $ ls -l 20_sought_fraud.cf
>> -rw-r--r-- 1 root wheel 80120 1 Feb 15:38 20_sought_fraud.cf
>
> updates_spamassassin_org/50_scores.cf overrides the scores in the sought ruleset.

Ah, I didn't catch that. But it is only in the 3.3.0 channel. Fixing my 3.3.0 test machines now

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
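The override discussed in this exchange, worked through as an added example (not code from the thread or from SpamAssassin): a grep of one channel file shows 3.0, but the last score line read wins, so the effective score depends on every file read after it. The file contents are constructed: the channel scores are those shown by grep above, the 50_scores.cf lines are an assumption based on the "score of zero" statement, local.cf is the override posted in the thread, and the read order passed to effective() is assumed.

```python
import re

# Constructed file contents, listed as (name, text).
CHANNEL = ("sought_rules_yerp_org/20_sought_fraud.cf", """\
score JM_SOUGHT_FRAUD_1 3.0
score JM_SOUGHT_FRAUD_2 3.0
score JM_SOUGHT_FRAUD_3 3.0
""")
# Assumption: what "a score of zero" looks like in the updates channel.
UPDATES = ("updates_spamassassin_org/50_scores.cf", """\
score JM_SOUGHT_FRAUD_1 0
score JM_SOUGHT_FRAUD_2 0
score JM_SOUGHT_FRAUD_3 0
""")
# The local override posted in the thread.
LOCAL = ("local.cf", """\
score JM_SOUGHT_FRAUD_1 0.1
score JM_SOUGHT_FRAUD_2 0.1
score JM_SOUGHT_FRAUD_3 0.1
meta JM_SOUGHT_FRAUD_ANY JM_SOUGHT_FRAUD_1 || JM_SOUGHT_FRAUD_2 || JM_SOUGHT_FRAUD_3
score JM_SOUGHT_FRAUD_ANY 3.0
""")

LINE_RE = re.compile(r"^\s*(score|meta)\s+(\S+)\s+([^#]+)")
DEFAULT_SCORE = 1.0  # SpamAssassin's default for a rule with no score line


def load(files, scoreset=3):
    """Read (name, text) pairs in order; a later score line replaces an earlier one."""
    scores, origin, metas = {}, {}, {}
    for name, text in files:
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            kind, rule, rest = m.group(1), m.group(2), m.group(3).strip()
            if kind == "score":
                vals = rest.split()
                # One value applies to every score set, four values are per set.
                raw = vals[scoreset] if len(vals) == 4 else vals[0]
                if raw.startswith("("):
                    continue  # relative adjustments are out of scope here
                scores[rule] = float(raw)
                origin[rule] = name
            else:
                # Only plain "A || B || C" meta expressions are handled.
                terms = [t.strip() for t in rest.split("||")]
                if all(re.fullmatch(r"\w+", t) for t in terms):
                    metas[rule] = terms
    return scores, origin, metas


def effective(files, hits):
    """Return (message score, file that set each rule's score) for the plain rules in hits."""
    scores, origin, metas = load(files)
    # A rule scored 0 is disabled, so it neither hits nor feeds a meta rule.
    live = {r for r in hits if scores.get(r, DEFAULT_SCORE) != 0}
    live |= {m for m, terms in metas.items()
             if scores.get(m, DEFAULT_SCORE) != 0 and any(t in live for t in terms)}
    total = round(sum(scores.get(r, DEFAULT_SCORE) for r in live), 3)
    return total, origin


if __name__ == "__main__":
    hits = {"JM_SOUGHT_FRAUD_1", "JM_SOUGHT_FRAUD_2"}
    for label, files in [("channel only", [CHANNEL]),
                         ("channel + 50_scores.cf", [CHANNEL, UPDATES]),
                         ("channel + 50_scores.cf + local.cf", [CHANNEL, UPDATES, LOCAL])]:
        total, origin = effective(files, hits)
        print(f"{label}: {total} (JM_SOUGHT_FRAUD_1 set by {origin['JM_SOUGHT_FRAUD_1']})")
```

With the local.cf override two simultaneous hits contribute 3.2 rather than 6.0, and the 0.1 sub-rule scores matter because a sub-rule left at 0 would never fire the meta rule.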
Re: Status of Freebsd 3.30 port
-- Original Message -- From: Michael Scheidell scheid...@secnap.net Date: Mon, 01 Feb 2010 10:11:36 -0500 I am almost ready to post the pr to upgrade SA 3.2.5 to SA 3.3.0 which is the first step in getting the SA 3.30 port officially on FreeBsd ports system. Prior to this, please update your dependencies, specifically, upgrade p5-Mail-DKIM to at least 0.37, and if you are using amavisd-new, upgrade to at least 2.6.4 If you are using DCC, upgrade to at least 1.3.111 (if you are using the non-commercial version), or to use the new DCC reputations in the commercial version, use at least 2.3.111 Not having these minimum dependencies will cause the portupgrade program to fail until you upgrade. Note: new installs will automagicly install the minimum dependencies as long as your ports tree is updated. Once I have the ports patches uploaded to Freebsd, I will port the PR number. Any adjustments required in amavisd-new? thanks for the porting work Len
Re: Sought Rules Back?
Thanks for this info and good idea about this meta rule! Kai
Re: Status of Freebsd 3.30 port
> Any adjustments required in amavisd-new?

No, should be fine with 2.6.4. Some of the new 3.3.0 features are already recognized and used by this version. See also my posting on the amavis list: http://marc.info/?l=amavis-user&m=126452700028360

For other versions the release notes tell:

- versions of amavisd-new between 2.5.2 and 2.6.1 (inclusive) are incompatible with SpamAssassin 3.3; please upgrade amavisd to 2.6.2 or later, or apply a workaround https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6257

Mark
Re: warn: reporter: DCC report via dccproc failed
>> On 1/31/10 9:03 PM, Chris wrote:
>>> SA 3.3.0, just installed via CPAN this afternoon. When running my spam reporter script I noticed this:
>>>
>>> warn: reporter: DCC report via dccproc failed: Can't locate object method close_pipe_fh via package Mail::SpamAssassin::Reporter at /etc/mail/spamassassin/DCC.pm line 803,DCC line 2.
>>> Jan 31 18:01:05.755 [17665] info: reporter: could not report spam to DCC via dccproc
>>
>> you did a spamassassin -r?

On 01.02.10 06:07, Chris wrote:
> In a way yes, I run a perl script that runs sa-learn and also reports the spam to razor/pyzor/DCC all in one run.

now, how does this differ from running spamassassin -r?

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Save the whales. Collect the whole set.
Re: how can i finetune to spamassassin to handle spams
ram wrote: hi what i am looking is iam looking sitewide, not userwide so if the user feel its spam mail, he will send that mail to another email of local account, from there i want to choose the bayes learn and decide what is spam and what is not spam hope i explained well i feel Yes. Makes much more sense this time! :) You can do something similar to that, but if you do a normal forward, you will generally lose the header information. There are two basic ways to do it. 1) Have the user copy the emails to a local spam folder and then have a process that collects the mail from those folders and learns from it on a regular basis. This is easy to do if you are using IMAP or webmail since everything is on the server. If you are using POP3, it gets more complicated since everyone's mail folder is on their own computer. 2) Have the user forward the mail as an attachment. This will usually preserve the headers depending on the mail client. The downside is that you then have to extract the original mail from the attachment before you can learn from it and you have to teach your users how to forward mail as an attachment. -- Bowie
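Option 2 from the message above, as an added example (not code from the thread or from SpamAssassin): pull each message/rfc822 attachment out of a forwarded report so the original message, with its own headers, can be handed to sa-learn, and skip reports that were forwarded inline. The sample messages, addresses, function names and output file names are constructed for illustration.

```python
import email
from email import policy
from pathlib import Path

# Constructed sample: a user forwards a spam "as attachment" to a local report
# mailbox. All addresses and hosts are made up (example.* and 192.0.2.x).
SAMPLE_REPORT = b"""\
From: user@example.com
To: spam-report@example.com
Subject: Fwd: cheap pills
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

this one is spam
--b1
Content-Type: message/rfc822
Content-Disposition: attachment

Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mx.example.com; Mon, 1 Feb 2010 10:00:00 -0500
From: "Cheap Pills" <sender@example.net>
Subject: cheap pills
Message-ID: <constructed-1@example.net>

Buy now.
--b1--
"""

# Constructed sample: a normal (inline) forward. Only the forwarding user's
# headers remain, so there is nothing useful to learn headers from.
SAMPLE_INLINE_FORWARD = b"""\
From: user@example.com
To: spam-report@example.com
Subject: Fwd: cheap pills
Content-Type: text/plain

---------- Forwarded message ----------
From: Cheap Pills
Subject: cheap pills

Buy now.
"""

# Serialise without re-wrapping long header lines of the attached message.
NO_REWRAP = policy.compat32.clone(max_line_length=0)


def _attached_messages(part):
    """Yield each message/rfc822 attachment without descending into it."""
    if part.get_content_type() == "message/rfc822":
        payload = part.get_payload()
        if isinstance(payload, list) and payload:
            yield payload[0]
        return  # anything nested deeper belongs to the original message
    if part.is_multipart():
        for sub in part.get_payload():
            yield from _attached_messages(sub)


def extract_originals(raw_report, require_received=True):
    """Return the raw bytes of every original message attached to a report.

    With require_received set, attachments that carry no Received header are
    skipped, since the mail client did not preserve the original headers.
    """
    report = email.message_from_bytes(raw_report)
    originals = []
    for inner in _attached_messages(report):
        if require_received and not inner.get_all("Received"):
            continue
        originals.append(inner.as_bytes(unixfrom=False, policy=NO_REWRAP))
    return originals


def save_for_learning(originals, outdir):
    """Write one file per original message and return the paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, raw in enumerate(originals, 1):
        path = outdir / f"report-{n:04d}.eml"
        path.write_bytes(raw)
        paths.append(path)
    return paths


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        paths = save_for_learning(extract_originals(SAMPLE_REPORT), d)
        # The learning step itself would then be: sa-learn --spam <directory>
        print(f"{len(paths)} message(s) written to {d}")
        print("inline forward yields:", extract_originals(SAMPLE_INLINE_FORWARD))
```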
Re: Magical mystery colon
On 02/01/2010 05:35 AM, Mark Martinec wrote: On Saturday January 30 2010 21:16:01 Philip A. Prindeville wrote: Also, how come the eval block: unless (eval require $thing) {...} doesn't contain a terminating ';', i.e.: eval require $thing; instead? It is not needed. It is an 'eval EXPR', not 'eval BLOCK'. A semicolon in perl is a statement separator, not a statement terminator. Mark Ok. No one knows why I'm seeing the warnings from the cron job, however?
Re: Hostkarma whitelist FP
Even if they are emailing me regarding the amazingly large sum of money some unknown person apparently left me in his will? :) Marc Perkel wrote: That's the outgoing email gateway for a hospital. It stays whitelisted. Bowie Bailey wrote: This was listed in the Hostkarma whitelist: [198.217.64.52 listed in hostkarma.junkemailfilter.com] Can we get this IP removed? (I was going to report this directly, but I lost the email address and wasn't able to find anything on the junkemailfilter website.)
Re: How should this tricky spam be filtered?
Martin Gregorie wrote: Apparently putting the spam's payload in the personal name part of the From: header is as old a trick as putting it in the Subject: header though I hadn't seen it used until recently. There was a recent suggestion that 'personal name' text from the From: header should be included in the text examined by 'body' rules, which already includes the Subject: text. This sounds like a good thing to do. My tests have been mildly successful on this note, with FROM_WWW already getting promoted out of testing: http://ruleqa.spamassassin.org/?rule=/FROM_Wsrcpath=khop This indicates that we don't actually need to parse any further because there is no sizable mass of legitimate mail that does this (and hopefully by getting this rule out the door, people considering it might decide against it). Developers note: I'm probably going to merge those two rules since while FROM_WEBSITE sometimes flips and has a sub-.500 S/O, its ham% in even those instances is always negligible. This rule is particularly exciting because most of its hits are low-scoring; 21.37% of spam is 5 and under, 68.39% is 8 and under. This reflects a feature that (afaik) the genetic algorithm doesn't specifically breed for and that is somewhat rare. Is it already in the developer's to-do list or should somebody (me?) raise a bug requesting it? It might be nice to have the URI rule check From, Reply-to, and Subject. We'd have to be careful so as to not include /all/ headers as many different mailing lists use various headers for subscription management and PGP systems often use headers for pubkey locations, and I'm sure there's other stuff out there too.
Re: Hostkarma whitelist FP
Yep - sutterhealth.org is a hospital. Making sure good email gets through is more important than a little bit of occasional spam. Bowie Bailey wrote: Even if they are emailing me regarding the amazingly large sum of money some unknown person apparently left me in his will? :) Marc Perkel wrote: That's the outgoing email gateway for a hospital. It stays whitelisted. Bowie Bailey wrote: This was listed in the Hostkarma whitelist: [198.217.64.52 listed in hostkarma.junkemailfilter.com] Can we get this IP removed? (I was going to report this directly, but I lost the email address and wasn't able to find anything on the junkemailfilter website.)
Re: Hostkarma whitelist FP
They are the kind of people I email about these problems because it could signal they've been hacked. And that's a bad thing for hospitals. The sooner they know the sooner they can clean house. {^_^} - Original Message - From: Marc Perkel m...@perkel.com Sent: Monday, 2010/February/01 09:31 Yep - sutterhealth.org is a hospital. Making sure good email gets through is more important than a little bit of occasional spam. Bowie Bailey wrote: Even if they are emailing me regarding the amazingly large sum of money some unknown person apparently left me in his will? :) Marc Perkel wrote: That's the outgoing email gateway for a hospital. It stays whitelisted. Bowie Bailey wrote: This was listed in the Hostkarma whitelist: [198.217.64.52 listed in hostkarma.junkemailfilter.com] Can we get this IP removed? (I was going to report this directly, but I lost the email address and wasn't able to find anything on the junkemailfilter website.)
Re: How should this tricky spam be filtered?
On Mon, 2010-02-01 at 12:09 -0500, Adam Katz wrote: It might be nice to have the URI rule check From, Reply-to, and Subject. We'd have to be careful so as to not include /all/ headers as many different mailing lists use various headers for subscription management and PGP systems often use headers for pubkey locations, and I'm sure there's other stuff out there too. I've raised an enhancement request bug (6317) suggesting that its only necessary to deal with the 'personal name' part of the From: header. Thats 'personal name' as in From: personal name u...@example.com since Subject can already be searched with body rules. It seems to me that subverting headers other than From: and Subject: doesn't really gain a spammer much since you can't guarantee that any other headers with free text in their value string can be seen by the recipient, particularly if their MUA has its default configuration. I'd like to be able to scan From: headers with body rules as well as uri rules because then one medical product rule can deal with the product reference regardless of whether its in the message body, subject or sender name. I've only raised this bug as a reminder, so feel free to cancel it if its doesn't add any value or the implementation and/or run-time costs are too high. Martin
Re: Hostkarma whitelist FP
On 01/02/2010 17:31, Marc Perkel wrote: Yep - sutterhealth.org is a hospital. Making sure good email gets through is more important than a little bit of occasional spam. http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists And if you never send spam we want you to be on our whitelist. Please follow your own listing criteria and remove the host from your whitelist. Alternatively, update your documentation to reflect the real listing criteria. As it stands, I can understand sutterhealth.org being on your NOBL list, but not on a list which you define as hosts which never send spam. -- Mike Cardwell: UK based IT Consultant, Perl developer, Linux admin Cardwell IT Ltd. : UK Company - http://cardwellit.com/ #06920226 Technical Blog : Tech Blog - https://secure.grepular.com/ Spamalyser : Spam Tool - http://spamalyser.com/
Re: Status of Freebsd 3.30 port
Michael Scheidell wrote: I am almost ready to post the pr to upgrade SA 3.2.5 to SA 3.3.0 which is the first step in getting the SA 3.30 port officially on FreeBsd ports system. Prior to this, please update your dependencies, specifically, upgrade p5-Mail-DKIM to at least 0.37, and if you are using amavisd-new, upgrade to at least 2.6.4 If you are using DCC, upgrade to at least 1.3.111 (if you are using the non-commercial version), or to use the new DCC reputations in the commercial version, use at least 2.3.111 Not having these minimum dependencies will cause the portupgrade program to fail until you upgrade. Note: new installs will automagicly install the minimum dependencies as long as your ports tree is updated. Once I have the ports patches uploaded to Freebsd, I will port the PR number. I'm waiting for 7.3-release so this will work out great. Ted
Re: how can i finetune to spamassassin to handle spams
On Mon, Feb 1, 2010 at 10:23 PM, Bowie Bailey bowie_bai...@buc.com wrote:
ram wrote:
hi, what I am looking for is sitewide, not userwide, so if the user feels it's spam mail, he will send that mail to another email of a local account; from there I want to choose the bayes learn and decide what is spam and what is not spam. hope I explained well, I feel

Yes. Makes much more sense this time! :) You can do something similar to that, but if you do a normal forward, you will generally lose the header information. There are two basic ways to do it.

1) Have the user copy the emails to a local spam folder and then have a process that collects the mail from those folders and learns from it on a regular basis. This is easy to do if you are using IMAP or webmail since everything is on the server. If you are using POP3, it gets more complicated since everyone's mail folder is on their own computer.

2) Have the user forward the mail as an attachment. This will usually preserve the headers depending on the mail client. The downside is that you then have to extract the original mail from the attachment before you can learn from it and you have to teach your users how to forward mail as an attachment.

yes, I do have different users; some use webmail and some use Outlook and Outlook Express, different clients using pop3ssl. I am not sure how I can ask users to send spam mail as an attachment to some u...@domain.com. if spammers know we are allowing u...@domain.com everything, they start filling it with spam? is this correct?

ram
Re: Hostkarma whitelist FP
Mike Cardwell wrote:
On 01/02/2010 17:31, Marc Perkel wrote:
Yep - sutterhealth.org is a hospital. Making sure good email gets through is more important than a little bit of occasional spam.

http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
And if you never send spam we want you to be on our whitelist.

Please follow your own listing criteria and remove the host from your whitelist. Alternatively, update your documentation to reflect the real listing criteria. As it stands, I can understand sutterhealth.org being on your NOBL list, but not on a list which you define as hosts which never send spam.

Never is a fuzzy line when it comes to institutions like hospitals. It's a matter of what is important, and to us at Junk Email Filter making sure medical email is delivered is far more important than blocking a few spams.
Re: Hostkarma whitelist FP
Hi, They are the kind of people I email about these problems because it could signal they've been hacked. And that's a bad thing for hospitals. The sooner they know the sooner they can clean house. That's a bad thing for anyone, not just hospitals, but I doubt if the system that sends regular email is in any way connected to the internal patient system. Best, Alex
Re: Hostkarma whitelist FP
Alex wrote: Hi, They are the kind of people I email about these problems because it could signal they've been hacked. And that's a bad thing for hospitals. The sooner they know the sooner they can clean house. That's a bad thing for anyone, not just hospitals, but I doubt if the system that sends regular email is in any way connected to the internal patient system. Best, Alex Not knowing what their system is I have to make sure that email sent from hospitals gets delivered. Passing ham takes precedence over blocking spam.
Re: Hostkarma whitelist FP
That's a bad thing for anyone, not just hospitals, but I doubt if the system that sends regular email is in any way connected to the internal patient system. Not knowing what their system is I have to make sure that email sent from hospitals gets delivered. Passing ham takes precedence over blocking spam. Yes, agreed; I just wanted to point out to jdow that the internal systems are much different than their public systems, so a compromise of their public system doesn't necessarily mean patient records are at risk. Best, Alex
Re: how can i finetune to spamassassin to handle spams
ram wrote:
On Mon, Feb 1, 2010 at 10:23 PM, Bowie Bailey bowie_bai...@buc.com wrote:
ram wrote:
hi, what I am looking for is sitewide, not userwide, so if the user feels it's spam mail, he will send that mail to another email of a local account; from there I want to choose the bayes learn and decide what is spam and what is not spam. hope I explained well, I feel

Yes. Makes much more sense this time! :) You can do something similar to that, but if you do a normal forward, you will generally lose the header information. There are two basic ways to do it.

1) Have the user copy the emails to a local spam folder and then have a process that collects the mail from those folders and learns from it on a regular basis. This is easy to do if you are using IMAP or webmail since everything is on the server. If you are using POP3, it gets more complicated since everyone's mail folder is on their own computer.

2) Have the user forward the mail as an attachment. This will usually preserve the headers depending on the mail client. The downside is that you then have to extract the original mail from the attachment before you can learn from it and you have to teach your users how to forward mail as an attachment.

yes, I do have different users; some use webmail and some use Outlook and Outlook Express, different clients using pop3ssl. I am not sure how I can ask users to send spam mail as an attachment to some u...@domain.com. if spammers know we are allowing u...@domain.com everything, they start filling it with spam? is this correct?

How to send as an attachment depends on the client. If spammers start sending spam directly to that address, then you just get more spam to learn from. That sounds like an added bonus rather than a problem.

-- Bowie
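Option 2 above needs a step that pulls the original mail back out of the forwarded report before it is learned. The following is an added example, not code from this thread or from SpamAssassin; the function names, file naming and both sample messages are constructed for illustration.

```python
"""Added example: recover the original mail from a 'forward as attachment' report."""
from email import message_from_bytes, policy
from pathlib import Path

# Constructed sample: a user report with the spam attached as message/rfc822.
SAMPLE_ATTACHED = b"""\
From: user@example.com
To: spam-report@example.com
Subject: FW: cheap meds
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

this is spam

--b1
Content-Type: message/rfc822
Content-Disposition: attachment

Received: from mail.example.net ([192.0.2.10])
 by mx.example.com; Mon, 1 Feb 2010 10:00:00 +0000
From: "Cheap Meds" <sender@example.net>
To: user@example.com
Subject: cheap meds
Message-ID: <abc123@example.net>

Buy now.

--b1--
"""

# Constructed sample: a normal (inline) forward, where the original headers are gone.
SAMPLE_INLINE = b"""\
From: user@example.com
To: spam-report@example.com
Subject: FW: cheap meds
Content-Type: text/plain

-----Original Message-----
From: Cheap Meds
Subject: cheap meds

Buy now.
"""


def extract_originals(raw):
    """Return every attached message/rfc822 part as bytes, original headers included."""
    report = message_from_bytes(raw, policy=policy.default)
    found = []

    def visit(part):
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            # A well-formed part holds exactly one embedded message object.
            if isinstance(payload, list) and payload:
                found.append(payload[0].as_bytes())
            return  # do not descend: forwards nested inside the spam are not reports
        if part.is_multipart():
            for sub in part.get_payload():
                visit(sub)

    visit(report)
    return found


def spool_for_learning(raw, spool_dir):
    """Write each extracted original to its own file and return the paths.

    An inline forward yields no files, so the wrapper text is never learned as spam.
    """
    spool = Path(spool_dir)
    spool.mkdir(parents=True, exist_ok=True)
    paths = []
    for index, original in enumerate(extract_originals(raw), start=1):
        path = spool / ("report-%04d.eml" % index)
        path.write_bytes(original)
        paths.append(path)
    return paths


if __name__ == "__main__":
    print(len(extract_originals(SAMPLE_ATTACHED)), "original(s) in attached report")
    print(len(extract_originals(SAMPLE_INLINE)), "original(s) in inline forward")
```

The spool directory can then be handed to sa-learn --spam on a schedule; reports that yield no file are the ones where the user forwarded inline and the headers were lost.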
Re: Hostkarma whitelist FP
Alex wrote: That's a bad thing for anyone, not just hospitals, but I doubt if the system that sends regular email is in any way connected to the internal patient system. Not knowing what their system is I have to make sure that email sent from hospitals gets delivered. Passing ham takes precedence over blocking spam. Yes, agreed; I just wanted to point out to jdow that the internal systems are much different than their public systems, so a compromise of their public system doesn't necessarily mean patient records are at risk. Best, Alex I don't have any information about the structure of their email system. They may be emailing patients results of medical test and other important notifications, or doctors in other hospitals. My first job is to make sure the good email gets through and block only the email that I'm sure is not good.
SA 3.30 and 0 scores?
don't know if this is meant to be 0. if 0, and really should be zero, why not make it a meta rule only?

20_drugs.cf:meta DRUGS_ANXIETY_EREC (DRUGS_ERECTILE && DRUGS_ANXIETY)
20_drugs.cf:describe DRUGS_ANXIETY_EREC Refers to both an erectile and an anxiety drug
50_scores.cf:score DRUGS_ANXIETY_EREC 0 # n=0 n=1 n=2 n=3

-- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 *| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best Anti-Spam Product 2008, Network Products Guide * King of Spam Filters, SC Magazine 2008 __ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ __
Re: _TOKENSUMMARY_ not working in 3.3.0?
On Saturday 30 January 2010 23:00:45 Michael Schaap wrote: In other words, _TOKENSUMMARY_ is consistently replaced by Bayes not run.. Bayes *is* running OK. Messages are scored correctly, and the _HAMMYTOKENS(5)_ and _SPAMMYTOKENS(5)_ placeholders are correctly filled in. Please open a bug report. The following patch should fix it: --- lib/Mail/SpamAssassin/Plugin/Bayes.pm (revision 905404) +++ lib/Mail/SpamAssassin/Plugin/Bayes.pm (working copy) @@ -832,7 +832,8 @@ }); $permsgstatus-set_tag ('TOKENSUMMARY', sub { - if( defined $self-{tag_data}{BAYESTC} ) + my $bayestc = $permsgstatus-get_tag('BAYESTC'); + if( defined $bayestc || $bayestc ne '' ) { my $tcount_neutral = $permsgstatus-{tag_data}{BAYESTCLEARNED} - $permsgstatus-{tag_data}{BAYESTCSPAMMY} Mark
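Review bot: the guard on the second added line, "defined $bayestc || $bayestc ne ''", is true for every defined value, the empty string included, and when the tag is undefined it goes on to compare undef with ne. Both tests have to hold for the summary to be built, so they should be joined with && instead of ||.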
Re: _TOKENSUMMARY_ not working in 3.3.0?
Sorry, reposting: the || should have been an , the patch below is ok now: On Saturday 30 January 2010 23:00:45 Michael Schaap wrote: In other words, _TOKENSUMMARY_ is consistently replaced by Bayes not run.. Bayes *is* running OK. Messages are scored correctly, and the _HAMMYTOKENS(5)_ and _SPAMMYTOKENS(5)_ placeholders are correctly filled in. Please open a bug report. The following patch should fix it: --- lib/Mail/SpamAssassin/Plugin/Bayes.pm (revision 905404) +++ lib/Mail/SpamAssassin/Plugin/Bayes.pm (working copy) @@ -832,7 +832,8 @@ }); $permsgstatus-set_tag ('TOKENSUMMARY', sub { - if( defined $self-{tag_data}{BAYESTC} ) + my $bayestc = $permsgstatus-get_tag('BAYESTC'); + if( defined $bayestc $bayestc ne '' ) { my $tcount_neutral = $permsgstatus-{tag_data}{BAYESTCLEARNED} - $permsgstatus-{tag_data}{BAYESTCSPAMMY} Mark
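Review bot: in the reposted hunk the guard on the second added line reads "defined $bayestc $bayestc ne ''" with nothing joining the two tests, which is not valid Perl as shown. The note at the top of the message says the || was the mistake, so the line should be applied as "if( defined $bayestc && $bayestc ne '' )"; check the operator by hand before applying this copy.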
Re: Status of Freebsd 3.30 port
On 2/1/10 11:42 AM, Mark Martinec wrote: Any adjustments required in amavisd-new? No, should be fine with 2.6.4. Some of the new 3.3.0 features are already recognized and used by this version. See also my posting on the amavis list: http://marc.info/?l=amavis-userm=126452700028360 For other versions the release notes tell: - versions of amavisd-new between 2.5.2 and 2.6.1 (inclusive) are incompatible with SpamAssassin 3.3; please upgrade amavisd to 2.6.2 or later, or apply a workaround https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6257 and, just to be anal... I force a dependency to 2.6.4 :-) some more testing today, and I'll post a PR to freebsd.org and send a link here. -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 *| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best Anti-Spam Product 2008, Network Products Guide * King of Spam Filters, SC Magazine 2008 __ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ __
Re: Hostkarma whitelist FP
Mike Cardwell wrote: On 01/02/2010 17:31, Marc Perkel wrote: Yep - sutterhealth.org is a hospital. Making sure good email gets through is more important than a little bit of occasional spam. http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists And if you never send spam we want you to be on our whitelist. Please follow your own listing criteria and remove the host from your whitelist. Alternatively, update your documentation to reflect the real listing criteria. As it stands, I can understand sutterhealth.org being on your NOBL list, but not on a list which you define as hosts which never send spam. I would suggest that never is a very wrong place to draw the whitelisting line. Perfection is a nice goal, but can't be achieved in practice. Even the best run systems may occasionally have a lapse. What matters most is whether they DEAL with it. Bob --
90_2tld.cf / / 90_3tld.cf
For those using SA 3.3.x I've split the tld files : SA 3.3.x ONLY! http://www.rulesemporium.com/rules/90_3tld.cf SA 3.2.4 http://www.rulesemporium.com/rules/90_2tld.cf SA 3.3.x users will require both files. - If someone knows how to put these two rule sets in one file and activate according to SA version, pls let me know... I'm stumped. - If someone thinks this should be added to mainstream SA, collect votes and submit a bug. enjoy
Re: 90_2tld.cf / / 90_3tld.cf
On Mon, 2010-02-01 at 22:33 +0100, Yet Another Ninja wrote:
- If someone knows how to put these two rule sets in one file and activate according to SA version, pls let me know... I'm stumped.

Preprocessing Options [1] in the SA Conf documentation. :)

  if (version >= 3.003000)
    # util_rb_3tld blob goes here
  endif

Hmm, doesn't mention >= specifically. Guess it's supported, though, otherwise you'd need a minor hack like > 3.002999.

guenther

[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#preprocessing_options

enjoy

Thanks!

-- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Hostkarma whitelist FP
On Mon, 2010-02-01 at 10:52 -0800, Marc Perkel wrote:
Mike Cardwell wrote:
On 01/02/2010 17:31, Marc Perkel wrote:
Yep - sutterhealth.org is a hospital. Making sure good email gets through is more important than a little bit of occasional spam.

http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
And if you never send spam we want you to be on our whitelist.

Please follow your own listing criteria and remove the host from your whitelist. Alternatively, update your documentation to reflect the real listing criteria. As it stands, I can understand sutterhealth.org being on your NOBL list, but not on a list which you define as hosts which never send spam.

Never is a fuzzy line when it comes to institutions like hospitals. It's a matter of what is important, and to us at Junk Email Filter making sure medical email is delivered is far more important than blocking a few spams.

Never means exactly that, never, so your public documentation does need modification to reflect that your version of never doesn't equal the dictionary's and most people's understanding of it.

I can see your point though, however, and it seems if you apply it to one, questions remain as to who else you apply it to. It's just as well all white lists in SA are scored 0 on all mail servers I control, so you don't/won't/can't decide white listing policies here.

(No, I'm not totally anal, hospitals here all use the domain name of health.$state.gov.au... they bypass SA and MTA tests altogether.)
permission denied error keeps coming back
ever since I did a bayes learn on 200 spams and 200 hams a couple of days ago I've had the following error appearing in my mail log:

'mimedefang-multiplexor[13951]: Slave 0 stderr: bayes: locker: safe_lock: cannot create tmp lockfile /var/lib/spamassassin/bayes/bayes.lock.home.svr5.13952 for /var/lib/spamassassin/bayes/bayes.lock: Permission denied'

I did a restart of SA and the problem went away for about 24 hours, but now it's back again. I did a search on google about this but many of the 'cures' already exist in my system. I'm also using mimedefang but I don't know if that's connected to this problem. is this an SA issue or a mimedefang issue? what causes this error? and is there a fix for this? thanks for any advice.
Re: Status of Freebsd 3.30 port
On Mon, Feb 1, 2010 at 12:57, Michael Scheidell scheid...@secnap.net wrote: On 2/1/10 11:42 AM, Mark Martinec wrote: Any adjustments required in amavisd-new? No, should be fine with 2.6.4. Some of the new 3.3.0 features are already recognized and used by this version. See also my posting on the amavis list: http://marc.info/?l=amavis-userm=126452700028360 For other versions the release notes tell: - versions of amavisd-new between 2.5.2 and 2.6.1 (inclusive) are incompatible with SpamAssassin 3.3; please upgrade amavisd to 2.6.2 or later, or apply a workaround https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6257 and, just to be anal... I force a dependency to 2.6.4 :-) some more testing today, and I'll post a PR to freebsd.org and send a link here. Any thoughts about interoperability with Maia Mailguard? Wouldn't forcing a dependency on amavisd-new break that? Kurt
Re: Status of Freebsd 3.30 port
Kurt, Any thoughts about interoperability with Maia Mailguard? Wouldn't forcing a dependency on amavisd-new break that? No. Maia split from amavisd-new somewhere around 2.2.1. Any thoughts about interoperability with Maia Mailguard? See also: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6290 and: From: Robert LeBlanc r...@renaissoft.com CC: users@spamassassin.apache.org, ... Subject: Re: Bayes stopped working Date: Sun, 17 Jan 2010 18:11:59 -0800 I believe Thomas is using amavisd-maia (from the Maia Mailguard suite), which has not yet been updated for perl 5.10 and SA 3.3. A new release (Maia 1.03) will address these compatibility issues once the new SA release is finalized.
Re: 90_2tld.cf / / 90_3tld.cf
Karsten Bräckelmann wrote:
On Mon, 2010-02-01 at 22:33 +0100, Yet Another Ninja wrote:
- If someone knows how to put these two rule sets in one file and activate according to SA version, pls let me know... I'm stumped.

Preprocessing Options [1] in the SA Conf documentation. :)

  if (version >= 3.003000)
    # util_rb_3tld blob goes here
  endif

Hmm, doesn't mention >= specifically. Guess it's supported, though, otherwise you'd need a minor hack like > 3.002999.

Yes, please implement that within the same channel so as to limit the need for admins to edit their channel list files. The DNS entries for this channel lack version noting as well:

$ host -t txt 0.0.2.90_2tld.cf.sare.sa-update.dostech.net
0.2.90_2tld.cf.sare.sa-update.dostech.net descriptive text 200912211500

So it's apparently okay to use that channel for SA version 2.0.0... This is easily solved by changing the wildcard entry in BIND (assuming you're using BIND), e.g.

4.2.3.90_2tld.cf.sare.sa-update IN TXT 200912211500
5.2.3.90_2tld.cf.sare.sa-update IN TXT 200912211500
6.2.3.90_2tld.cf.sare.sa-update IN TXT 200912211500
*.3.3.90_2tld.cf.sare.sa-update IN TXT 200912211500
*.4.3.90_2tld.cf.sare.sa-update IN TXT 200912211500

That should cover the future revisions 3.2.6 and 3.4.x in addition to the current (new) 3.3.x branch and the two valid previous releases of 3.2.4 and 3.2.5. (I don't think BIND supports other globs.) Surely this shouldn't be hard to add to your publish script... It also has the added advantage of preventing future use of a horribly stale channel e.g. when 3.5.0 comes out. Just write yourself a note that you'll need to update the publishing script or else suffer the complaints. ;-)
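To see which SpamAssassin versions the proposed entries would answer for, the sketch below builds the reversed-version query name shown in the host command and matches it against a list of owner names. It is an added example, not the channel's publish script; the function names are hypothetical, the catch-all record in CURRENT is an assumption about the existing zone, and the wildcard match is simplified (leftmost * only, no closest-encloser handling).

```python
"""Added example: which SpamAssassin versions resolve under a set of channel TXT owners."""

# Channel name relative to the dostech.net zone, as written in the post.
CHANNEL = "90_2tld.cf.sare.sa-update"

# Owner names proposed in the message above.
PROPOSED = [
    "4.2.3." + CHANNEL,
    "5.2.3." + CHANNEL,
    "6.2.3." + CHANNEL,
    "*.3.3." + CHANNEL,
    "*.4.3." + CHANNEL,
]

# Assumption: the zone currently holds one catch-all wildcard. The post only
# refers to "the wildcard entry" without showing it.
CURRENT = ["*." + CHANNEL]


def query_name(sa_version, channel=CHANNEL):
    """Build the lookup name: version labels reversed, then the channel.

    "2.0.0" gives "0.0.2.<channel>", matching the host command in the post.
    """
    labels = sa_version.split(".")
    if len(labels) != 3 or not all(label.isdigit() for label in labels):
        raise ValueError("expected a version like 3.3.0, got %r" % sa_version)
    return ".".join(reversed(labels)) + "." + channel


def owner_matches(owner, qname):
    """True if a zone owner name answers for qname (simplified wildcard rules)."""
    owner = owner.lower().rstrip(".")
    qname = qname.lower().rstrip(".")
    if not owner.startswith("*."):
        return owner == qname
    suffix = owner[1:]  # keeps the leading dot, e.g. ".3.3.<channel>"
    # The wildcard must stand for at least one whole label in front of the suffix.
    return qname.endswith(suffix) and len(qname) > len(suffix)


def resolves(sa_version, owners):
    """Would a lookup for this version get a TXT answer from these owners?"""
    qname = query_name(sa_version)
    return any(owner_matches(owner, qname) for owner in owners)


def coverage(versions, owners):
    """Map each version string to whether the channel answers for it."""
    return {version: resolves(version, owners) for version in versions}


if __name__ == "__main__":
    versions = ["2.0.0", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.3.0", "3.4.1", "3.5.0"]
    for name, owners in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, coverage(versions, owners))
```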
Re: Status of Freebsd 3.30 port
So, it looks as if I'm misunderstanding the issue. Per a private email, the dependency will only come into play for amavisd-new if it's detected to be in use. Thus, if I'm understanding correctly, if you use amavisd-new, it'll force a dependency of 2.6.4, but if you don't have amavisd-new installed, it won't try to force installation of amavisd-new 2.6.4. If that's the case, then there's no issue. Cool. Kurt On Mon, Feb 1, 2010 at 15:30, Mark Martinec mark.martinec...@ijs.si wrote: Kurt, Any thoughts about interoperability with Maia Mailguard? Wouldn't forcing a dependency on amavisd-new break that? No. Maia split from amavisd-new somewhere around 2.2.1. Any thoughts about interoperability with Maia Mailguard? See also: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6290 and: From: Robert LeBlanc r...@renaissoft.com CC: users@spamassassin.apache.org, ... Subject: Re: Bayes stopped working Date: Sun, 17 Jan 2010 18:11:59 -0800 I believe Thomas is using amavisd-maia (from the Maia Mailguard suite), which has not yet been updated for perl 5.10 and SA 3.3. A new release (Maia 1.03) will address these compatibility issues once the new SA release is finalized.
Re: SA 3.3.0 spamassassin taint issue
Russ,

I have not gotten this into the bugzilla, but ... as it appears a 3.3 release is imminent, I thought I should mention seeing this in my log files: I am getting this:

Jan 20 18:17:40 vm049244181 spamd[14023]: spamd: Insecure dependency in chown while running with -T switch at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1934,

which is:

  if (($< == 0) && ($> == 0) && defined($user)) { # chown it
    my ($uid,$gid) = (getpwnam($user))[2,3];
    unless (chown($uid, $gid, $fname)) {
      warn "config: couldn't chown $fname to $uid:$gid for $user: $!\n";
    }
  }

The issue is now tracked as: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6313 and a patch is available there. Thanks for your report!

Mark
Re: warn: reporter: DCC report via dccproc failed
On Mon, 2010-02-01 at 07:13 -0500, Michael Scheidell wrote: On 2/1/10 7:07 AM, Chris wrote: I have the standard (free) version of DCC. There were no issues when I ran the script a few days previously with 3.2.5. cdcc -V exit what do you get? at least 1.3.111? cdcc -V exit 1.3.116 -- KeyID 0xE372A7DA98E6705C signature.asc Description: This is a digitally signed message part
Re: warn: reporter: DCC report via dccproc failed
On Mon, 2010-02-01 at 14:14 +0100, Mark Martinec wrote: Chris, SA 3.3.0, just installed via CPAN this afternoon. When running my spam reporter script I noticed this: warn: reporter: DCC report via dccproc failed: Can't locate object method close_pipe_fh via package Mail::SpamAssassin::Reporter at /etc/mail/spamassassin/DCC.pm line 803,DCC line 2. Jan 31 18:01:05.755 [17665] info: reporter: could not report spam to DCC via dccproc spamd[18248]: rules: failed to run DCC_REPUT_13_19 test, skipping: spamd[30068]: util: failed to spawn a process /usr/local/bin/dccproc, -H, -x, 0, -a, 204.15.81.110: Insecure dependency in exec while running setgid at /usr/lib/perl5/site_perl/5.10.1/Mail/SpamAssassin/Util.pm line 1533. at /usr/lib/perl5/site_perl/5.10.1/Mail/SpamAssassin/Util.pm line 1438. you did a spamassassin -r? In a way yes, I run a perl script that runs sa-learn and also reports the spam to razor/pyzor/DCC all in one run. Can you reproduce the problem with a plain 'spamassassin -r' (possibly setgui'd, like yours)? I wasn't successful. I guess you will have to show your (stripped down) code that calls DCC reporting so that the problem is reproducible. Please open a bug report if you won't be able to locate the problem. One of the arguments/options or a command path itself was tainted. 
Mark

Mark, running spamassassin -D -r (spam) nets:

Feb 1 19:24:11.481 [16499] dbg: dcc: dccifd is not available: no r/w dccifd socket found
Feb 1 19:24:11.482 [16499] dbg: util: current PATH is: /bin:/usr/bin:/usr/local/bin:/usr/games:/usr/lib/qt4/bin:/home/chris/bin
Feb 1 19:24:11.482 [16499] dbg: util: executable for dccproc was found at /usr/local/bin/dccproc
Feb 1 19:24:11.482 [16499] dbg: dcc: dccproc is available: /usr/local/bin/dccproc
Feb 1 19:24:11.483 [16499] dbg: info: entering helper-app run mode
Feb 1 19:24:11.484 [16499] dbg: report: opening pipe: /usr/local/bin/dccproc -H -t many -x 0 -a 82.102.24.225 /tmp/.spamassassin16499o8XfN7tmp
Feb 1 19:24:11.486 [16536] dbg: util: setuid: ruid=500 euid=500
Feb 1 19:24:11.490 [16499] dbg: info: leaving helper-app run mode
Feb 1 19:24:11.500 [16499] warn: reporter: DCC report via dccproc failed: Can't locate object method close_pipe_fh via package Mail::SpamAssassin::Reporter at /etc/mail/spamassassin/DCC.pm line 803, DCC line 2.
Feb 1 19:24:11.500 [16499] info: reporter: could not report spam to DCC via dccproc

The reporting part of the script is posted here: http://pastebin.com/m18e4e140

-- KeyID 0xE372A7DA98E6705C
Re: more troubles with DCC on SA 3.30 : dccifd options? dcc_options sent to wrong place?
On Mon, 2010-02-01 at 08:19 -0500, Michael Scheidell wrote: On 2/1/10 8:16 AM, Mark Martinec wrote: Thanks, that fixed mine. Thanks for testing. Please open the bug report nevertheless, so that the fix is documented and can be properly rolled into 3.3.1. bug opened, patch documented! thanks for help across the big pond! bet the snow capped mountains are unbelievable there this week! chris's: wonder if he is using dccproc or dccifd... Using dccproc, always have been. -- KeyID 0xE372A7DA98E6705C signature.asc Description: This is a digitally signed message part
Re: warn: reporter: DCC report via dccproc failed
On Mon, 2010-02-01 at 17:49 +0100, Matus UHLAR - fantomas wrote: On 1/31/10 9:03 PM, Chris wrote: SA 3.3.0, just installed via CPAN this afternoon. When running my spam reporter script I noticed this: warn: reporter: DCC report via dccproc failed: Can't locate object method close_pipe_fh via package Mail::SpamAssassin::Reporter at /etc/mail/spamassassin/DCC.pm line 803,DCC line 2. Jan 31 18:01:05.755 [17665] info: reporter: could not report spam to DCC via dccproc you did a spamassassin -r? On 01.02.10 06:07, Chris wrote: In a way yes, I run a perl script that runs sa-learn and also reports the spam to razor/pyzor/DCC all in one run. now, how does this differ from running spamassassin -r? Not much except sa-learn for ham/spam and reporting to razor/pyzor/DCC and SC are all in one script. Just makes it easier for me to run reporter.pl. The script also moves all spam after it's processed to another folder where I can run another script which reports all spam to their various abuse addresses. -- KeyID 0xE372A7DA98E6705C signature.asc Description: This is a digitally signed message part
Re: How should this tricky spam be filtered?
On Mon, 1 Feb 2010, Adam Katz wrote: Martin Gregorie wrote: Apparently putting the spam's payload in the personal name part of the From: header is as old a trick as putting it in the Subject: header though I hadn't seen it used until recently. There was a recent suggestion that 'personal name' text from the From: header should be included in the text examined by 'body' rules, which already includes the Subject: text. This sounds like a good thing to do. My tests have been mildly successful on this note, with FROM_WWW already getting promoted out of testing: http://ruleqa.spamassassin.org/?rule=/FROM_Wsrcpath=khop This indicates that we don't actually need to parse any further because there is no sizable mass of legitimate mail that does this (and hopefully by getting this rule out the door, people considering it might decide against it). Concur. http://ruleqa.spamassassin.org/20100201-r905213-n/T_FROM_URI/detail?srcpath=jhardin -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- I'm seriously considering getting one of those bright-orange prison overalls and stencilling PASSENGER on the back. Along with the paper slippers, I ought to be able to walk right through security. -- Brian Kantor in a.s.r --- Today: the 7th anniversary of the loss of STS-107 Columbia
Re: Hostkarma whitelist FP
Hi, Can we get this IP removed? (I was going to report this directly, but I lost the email address and wasn't able to find anything on the junkemailfilter website.) I hoped I could use this thread to ask about emediausa.com. This is currently blacklisted on HK, but not on URIBL. This isn't a new domain. Shouldn't it also be blacklisted on there? It's not only registered in the UK (ironic, given its name), but they've been around for quite a while and seem to be established. I'd like to also blacklist them (the score is otherwise low here), but would like to see URIBL also include them. I have one from Marketing Bulletin with a score of 3.7: X-Spam-Status: No, hits=3.7 tagged_above=-300.0 required=5.0 use_bayes=1 tests=BAYES_50, DKIM_SIGNED, DKIM_VERIFIED, HTML_MESSAGE, MIME_HTML_ONLY, RCVD_IN_HOSTKARMA_BL, RCVD_IN_NIX_SPAM, RELAYCOUNTRY_US, SPF_HELO_PASS, SPF_PASS It also includes a List-Unsubscribe: link. I guess I just wanted to get the opinion of others on whether I should start training it as spam or just block it outright at the gateway. Thanks, Alex -
Re: _TOKENSUMMARY_ not working in 3.3.0?
On Mon, 2010-02-01 at 21:44 +0100, Mark Martinec wrote: Sorry, reposting: the || should have been an , the patch below is ok now: On Saturday 30 January 2010 23:00:45 Michael Schaap wrote: In other words, _TOKENSUMMARY_ is consistently replaced by Bayes not run.. Bayes *is* running OK. Messages are scored correctly, and the _HAMMYTOKENS(5)_ and _SPAMMYTOKENS(5)_ placeholders are correctly filled in. Please open a bug report. The following patch should fix it: --- lib/Mail/SpamAssassin/Plugin/Bayes.pm (revision 905404) +++ lib/Mail/SpamAssassin/Plugin/Bayes.pm (working copy) 
@@ -832,7 +832,8 @@ }); $permsgstatus-set_tag ('TOKENSUMMARY', sub { - if( defined $self-{tag_data}{BAYESTC} ) + my $bayestc = $permsgstatus-get_tag('BAYESTC'); + if( defined $bayestc $bayestc ne '' ) { my $tcount_neutral = $permsgstatus-{tag_data}{BAYESTCLEARNED} - $permsgstatus-{tag_data}{BAYESTCSPAMMY} Mark Thanks Mark, yes that did fix the problem though only after I changed the order in which my add_header all statements were placed in my local.cf. For instance, with 3.2.5 I had: add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_ _TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_ version=_VERSION_ add_header all Bayes bayes=_BAYES_, N=_BAYESTC_(_BAYESTCLEARNED_-_BAYESTCHAMMY_+_BAYESTCSPAMMY_), ham=(_HAMMYTOKENS(5,short)_), spam=(_SPAMMYTOKENS(5,short)_) at the bottom of my list of add_header statements and it worked correctly. After installing the patch I was still seeing: X-spam-token: Summary Bayes not run. However, as an experiment I placed the above two add_header statements as the very first two in my list and: X-spam-token: Summary Tokens: new, 13; hammy, 67; neutral, 36; spammy, 1. Odd that it appears that now the add_header statements need to be in a certain order or at least the ones above appear to have to be first. Of course I could be wrong and it just worked out that way but at least it's working. Thanks Chris -- KeyID 0xE372A7DA98E6705C signature.asc Description: This is a digitally signed message part
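Review bot: the guard now reads BAYESTC through get_tag, but the subtraction in the trailing context lines still takes BAYESTCLEARNED and BAYESTCSPAMMY straight from $permsgstatus->{tag_data}. set_tag is being handed a sub in this same hunk, so a stored tag value may be a code reference, and a direct hash read would not call it. Fetching the counts with get_tag as well would keep the whole summary on one accessor.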