Reject mail

2010-04-06 Thread Thomas Höhlig

Hi

I'm using SpamAssassin 3.2.5 with exim4 on Ubuntu.
I've configured SpamAssassin with sa-exim and it works quite well.
The only problem is that I don't want to send mails back to the sender
if they are rejected.
Can anyone tell me where I can find the option to deactivate the
"answer-mail"?


Thank you



RE: How to configure domain level whitelist and blacklist filtration?

2010-04-06 Thread Kaleb Hosie
>Dear All,
>
>I have a Mail Filtration Gateway for our company. We have put filtration on 5
>domains and 2 sub domains. So now, the abc.com domain wants mails from @yahoo.com
>and another, xyz.com, does not want them. So is there any facility to do domain level
>blacklist/whitelist filtration via Spamassassin?
>
>I am using CentOS-5.4 32 bit OS, spamassassin-3.3, and latest sendmail MTA.
>
>Thank you,
>
>--
>Kind regards,
>Dhaval Soni
>Red Hat Certified Architect
>RHCE No: 804007900325939
>
>Cell: +91-966 20 29 620
>Wiki: https://fedoraproject.org/wiki/User:Sonidhaval
>
>Registered Linux User: 
>http://counter.li.org/cgi-bin/runscript/display-person.cgi?user=507726

Dhaval,
I'm not too sure if this is what you're looking for, but take a look here:
http://wiki.apache.org/spamassassin/UsingSQL

In the MySQL database, it allows you to select per-domain settings.

Kaleb


Domain specific configuration files??

2010-04-06 Thread martinmcnally

Is it possible to have domain specific configuration files for spamassassin?
I am using spamd and would like to set a different required_score for my
different domains for example.

example1.com required_score 6.0
example2.com required_score 8.0

Anyone know if this is possible with a single instance of spamd and where
those configuration files would go?

If it's not possible, is it possible to launch multiple spamd instances for
the different domains on different ports on the server?

Many thanks for any help you can give.
Martin



Freemail Rule help

2010-04-06 Thread Alex
Hi,

I'm having a problem with emails that are from a freemail domain with
simply a shorturl in them, like this:

http://bit.ly/aqI4o1>http://bit.ly/aqI4o1/Benjaminlovee
ya

rawbody LOC_BITLY /href\=http:\/\/bit\.ly\/.+\w{1,8}>http:\/\/bit\.ly\/.+\w{1,15}\/.+\w{1,15}<\/a>/

Is this the most effective and best way to accomplish this? I believe
it works (reliably?) but am concerned about what seemed to be
excessive memory usage and false positives, obviously. Do you have any
suggestions to improve this?

It also seems that no matter how many times I train these they don't
score higher than BAYES_50, at least the FNs.

Thanks,
Alex


Re: Domain specific configuration files??

2010-04-06 Thread Bowie Bailey
martinmcnally wrote:
> Is it possible to have domain specific configuration files for spamassassin?
> I am using spamd and would like to set a different required_score for my
> different domains for example.
>
> example1.com required_score 6.0
> example2.com required_score 8.0
>
> Anyone know if this is possible with a single instance of spamd and where
> those configuration files would go?
>
> If its not possible is it possible to launch multiple spamd instances for
> the different domains on different ports on the server?
>   

Depends on your configuration.  If you are running a per-user
configuration, you can put the required_score line in the user_prefs
for each user.  If you are running a sitewide configuration, you're out
of luck as far as I know.

I think you could run multiple spamd instances by specifying different
locations for the configpath, but I've never tried it.  The trick would
be convincing the MTA to connect to the proper instance depending on the
domain.

-- 
Bowie


Re: Freemail Rule help

2010-04-06 Thread Ned Slider

Alex wrote:

> Hi,
>
> I'm having a problem with emails that are from a freemail domain with
> simply a shorturl in them, like this:
>
> http://bit.ly/aqI4o1>http://bit.ly/aqI4o1/Benjaminlovee
> ya
>
> rawbody LOC_BITLY /href\=http:\/\/bit\.ly\/.+\w{1,8}>http:\/\/bit\.ly\/.+\w{1,15}\/.+\w{1,15}<\/a>/
>
> Is this the most effective and best way to accomplish this? I believe
> it works (reliably?) but am concerned about what seemed to be
> excessive memory usage and false positives, obviously. Do you have any
> suggestions to improve this?
>
> It also seems that no matter how many times I train these they don't
> score higher than BAYES_50, at least the FNs.
>
> Thanks,
> Alex



I'm seeing these mostly from hotmail accounts so I use a URI rule 
(rather than your rawbody example) and meta it with FROM_HOTMAIL. For 
example,


uri       LOCAL_URI_BITLY         m{https?://bit\.ly/\w{6}}
describe  LOCAL_URI_BITLY         contains bit.ly link

meta      LOCAL_HOTMAIL_SPAM_URI  (__FROM_HOTMAIL_COM && LOCAL_URI_BITLY)
describe  LOCAL_HOTMAIL_SPAM_URI  From hotmail.com and bit.ly

I've been training these hotmail with links spam for months, and they 
all score BAYES_99 for me.




Re: skipping dynamic tests for ISP's own dynamic networks?

2010-04-06 Thread Royce Williams
On Mon, Apr 5, 2010 at 11:10 AM, Kris Deugau wrote:
> Royce Williams wrote:
>>
>> What is the optimal configuration (local.cf or other) for an ISP's
>> MSAs to prevent unauthenticated dynamic-IP customers from triggering
>> dynamic tests, but still benefiting from general filtering?
>>
>> I was hoping for a magical 'mua_networks' option, which let me
>> enumerate the IP space that my users submit from, and automatically
>> exempt them from DOS_OE_TO_MX, etc., but I haven't been able to find
>> anything like that.
>>
>> From my reading of the .conf manpage, the TrustPath page, and the
>> archives (see references below), I've tentatively concluded that I
>> will need to have some local rule overrides on all of my MSAs for any
>> rule or meta-rule that detects dynamic-looking hostnames ... but that
>> seems high-maintenance locally as well as a lot of duplicated work for
>> other SA users.
>
> Read, read, and re-read.  It's a bit tangled and confusing balancing the
> various requirements but you should be able to get it right with a little
> effort.
>
> To summarize what I've applied here:
>
> trusted_networks:  Contains CIDR ranges for our servers.  These systems are
> "trusted" in that we know they will not forge Received: headers. I've added
> a number of third-party systems here for various reasons.
>
> internal_networks:  IPs or CIDR ranges for your inbound mail flow, *within
> your network*.  Usually equivalent to trusted_networks, but not always;
>  must be *entirely contained by* trusted_networks.  I've included one of
> Postini's IP ranges here to catch mail relayed to domains handled by Postini
> that might otherwise have been blocked at the MTA level by Spamhaus' Zen.
>
> msa_networks:  IPs or CIDR ranges for your outbound mail flow, IE systems
> that accept mail from your authorized customer IP ranges.  (and anywhere
> else via SMTP AUTH or similar).  As far as I can tell, these *may* overlap
> internal_networks but if you're big enough that these settings are a
> problem, they probably don't.  Also a subset of trusted_networks.  (FWIW, I
> found overlapping this with internal_networks caused problems.  YMMV.)
>
> We scan all outbound mail with the same SA cluster as our inbound scanning,
> and I haven't seen misbehaviour I could blame on these settings since
> sometime last summer (couple of corner-case oddities IIRC);  before that it
> would have been more than a year since I dug into them in detail and added
> the msa_networks entries along with the upgrade to SA 3.2 (IIRC).

Kris, thanks for the good summary.

Some new information.  In this 2008 thread:

http://old.nabble.com/ALL_TRUSTED-and-DOS_OE_TO_MX-td15659736.html

... Daryl says:

"So if (and I'll admit I don't think this occurred to me before) you're
running SA on outgoing mail on your MSA right after you receive it (it's
not relayed to an intermediate machine) SA can't detect the MSA and the
whole msa_networks thing doesn't work."

That is exactly our setup - our outbound servers are accepting mail
from customers and handing them off to the world, not going through
any other servers.  Could this be the issue?

Also, I think that an example snippet of .cf illustrating and briefly
explaining each of the three _networks options might be in order, and
might make the reading, re-reading, and re-reading of the docs a
little less painful.  Writing one will also demonstrate that I've
correctly grokked what's been going on here. :-)  I'll take a stab at
one.

Royce
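
The three options as Kris summarizes them in the quoted text above, laid out as a local.cf fragment. This is an added example, not a configuration posted by anyone in the thread; every address is a constructed documentation range and the host layout is an assumption.

```conf
# Constructed layout (documentation address ranges, not from the thread):
#   192.0.2.0/24      all of our own mail servers
#   192.0.2.0/28      inbound MX hosts and internal relays
#   192.0.2.128/28    outbound submission hosts (MSAs)
#   198.51.100.25     third-party relay trusted not to forge Received:

# Relays that are trusted not to forge Received: headers.
# Superset of the two settings below.
trusted_networks   192.0.2.0/24 198.51.100.25

# Inbound mail flow within our own network.
# Must be entirely contained by trusted_networks.
internal_networks  192.0.2.0/28

# Systems that accept mail from authorized customer IP ranges or via
# SMTP AUTH. List the MSA hosts themselves here, not the customers'
# dynamic address space. Also a subset of trusted_networks; kept disjoint
# from internal_networks because Kris reports problems when they overlap.
msa_networks       192.0.2.128/28

# Caveat quoted from Daryl in this thread: if SpamAssassin scans the mail
# on the MSA itself, before it is relayed to another machine, it cannot
# detect the MSA and msa_networks has no effect.
```
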


Re: Freemail Rule help

2010-04-06 Thread John Hardin

On Tue, 6 Apr 2010, Ned Slider wrote:


> uri       LOCAL_URI_BITLY  m{https?://bit\.ly/\w{6}}
> describe  LOCAL_URI_BITLY  contains bit.ly link


bit.ly is a legitimate URL-shortening service. Are you sure you want to 
penalize them?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  So Microsoft's invented the ASCII equivalent to ugly ink spots that
  appear on your letter when your pen is malfunctioning.
 -- Greg Andrews, about Microsoft's way to encode apostrophes
---
 7 days until Thomas Jefferson's 267th Birthday


Re: skipping dynamic tests for ISP's own dynamic networks?

2010-04-06 Thread Kris Deugau

Royce Williams wrote:

> Some new information.  In this 2008 thread:
>
> http://old.nabble.com/ALL_TRUSTED-and-DOS_OE_TO_MX-td15659736.html
>
> ... Daryl says:
>
> "So if (and I'll admit I don't think this occurred to me before) you're
> running SA on outgoing mail on your MSA right after you receive it (it's
> not relayed to an intermediate machine) SA can't detect the MSA and the
> whole msa_networks thing doesn't work."
>
> That is exactly our setup - our outbound servers are accepting mail
> from customers and handing them off to the world, not going through
> any other servers.  Could this be the issue?


Hmm.  We have the same general setup, but we may be avoiding trouble 
because our outbound scan is done while the SMTP transaction is in 
progress, and the message SA sees does not have our MSA's Received: 
header yet.  (Of course, we then hit NO_RECEIVED and a collection of 
related tests, but none of them score very high IIRC;  have to check the 
specifics.)


-kgd


Re: Freemail Rule help

2010-04-06 Thread Ned Slider

John Hardin wrote:

> On Tue, 6 Apr 2010, Ned Slider wrote:
>
>> uri       LOCAL_URI_BITLY  m{https?://bit\.ly/\w{6}}
>> describe  LOCAL_URI_BITLY  contains bit.ly link
>
> bit.ly is a legitimate URL-shortening service. Are you sure you want to
> penalize them?

As I said, I use that rule in a meta rule combining with FROM_HOTMAIL.

Anyway, for *me* and with *my* mail flow - yes, I want to penalize 
bit.ly in emails sent from hotmail.com, as they are without exception 
spam. In fact I suspect we all penalize a lot of legitimate domains that 
regularly appear in spam (abused by spammers).


Anyway, the purpose of my response was more to illustrate that Alex 
could use a URI rule to match, rather than the rawbody rule he cited :)




Re: Freemail Rule help

2010-04-06 Thread John Hardin

On Tue, 6 Apr 2010, Ned Slider wrote:


> John Hardin wrote:
>> On Tue, 6 Apr 2010, Ned Slider wrote:
>>
>>> uri       LOCAL_URI_BITLY  m{https?://bit\.ly/\w{6}}
>>> describe  LOCAL_URI_BITLY  contains bit.ly link
>>
>> bit.ly is a legitimate URL-shortening service. Are you sure you want
>> to penalize them?
>
> As I said, I use that rule in a meta rule combining with FROM_HOTMAIL.

You _also_ use it in a meta. The rule quoted above assigns one point (by 
default) to any bit.ly URL, regardless of whether it appears in a message 
received from hotmail.

> Anyway, for *me* and with *my* mail flow - yes, I want to penalize
> bit.ly in emails sent from hotmail.com, as they are without exception
> spam. In fact I suspect we all penalize a lot of legitimate domains that
> regularly appear in spam (abused by spammers).

That's likely true. No big deal, as it's not a poison pill; I was just 
wondering whether you actually did intend to _always_ punish bit.ly URLs 
or whether you omitted the __ by mistake.

> Anyway, the purpose of my response was more to illustrate that Alex
> could use a URI rule to match, rather than the rawbody rule he cited :)

True, and a good example.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/


Re: non-existing rule with sa-update

2010-04-06 Thread Matt Kettler
On 4/4/2010 12:35 PM, Cecil Westerhof wrote:
> When running sa-update with -D I see when there are updates the following 
> lines:
> Apr  4 18:26:15.954 [12630] dbg: config: warning: score set for 
> non-existent rule SHORTCIRCUIT
> Apr  4 18:26:15.957 [12630] dbg: config: warning: score set for 
> non-existent rule SUBJ_RE_NUM
> Apr  4 18:26:15.958 [12630] dbg: config: warning: score set for 
> non-existent rule FM_VIAGRA_SPAM1114
> Apr  4 18:26:15.964 [12630] dbg: config: warning: score set for 
> non-existent rule AXB_HELO_LH_HOME
> Apr  4 18:26:15.968 [12630] dbg: config: warning: score set for 
> non-existent rule ACCESSDB
>
> What is happening here?
>
>   
At a quick glance, it looks like you might have some score over-rides in
your local.cf or user_prefs for rules that no longer exist (i.e.: they
were deleted by the update).





Re: Blacklists Compared 17 October 2009

2010-04-06 Thread Alex
Hi,

Last October Marc posted the following URL that compared the various RBLs:

> http://www.sdsc.edu/~jeff/spam/cbc.html

It seems barracuda is still leading, but is that also everyone's
experience? Can anyone provide details on how Jeff computed this
information and is it as cut-and-dried as this makes it seem? IOW,
barracuda, the free service, is "better" than all the rest...

Thanks,
Alex


Re: Freemail Rule help

2010-04-06 Thread Alex
Hi,

>> uri             LOCAL_URI_BITLY         m{https?://bit\.ly/\w{6}}
>> describe        LOCAL_URI_BITLY         contains bit.ly link
>
> bit.ly is a legitimate URL-shortening service. Are you sure you want to
> penalize them?

Yes, I don't at all like to do this, but it doesn't take too many of
these before people complain, and it's more likely they'd receive one
that's spam than a valid URL.

Nonetheless, I would like to add to that the other HTML tags to
further qualify it, which is why I was using a rawbody over just a
URI. For the time-being, I have Ned's suggestion in place over mine
because mine has problems, along with additional qualifiers (such as
FREEMAIL_FROM) to further reduce the FPs.

Other suggestions welcome...

Thanks,
Alex
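
The "__" sub-rule point John Hardin raises earlier in the thread and the FREEMAIL_FROM qualifier mentioned above, put together as a local .cf fragment. This is an added example, not a rule set posted by anyone in the thread; the names __LOCAL_URI_BITLY and LOCAL_FREEMAIL_BITLY and both score values are made up for illustration.

```conf
# Form quoted in the thread, shown commented out. A rule whose name does
# not start with "__" is scored on its own; with no "score" line it gets
# the default of one point on every message containing a bit.ly link,
# whether or not the mail came from hotmail.
#
#   uri       LOCAL_URI_BITLY         m{https?://bit\.ly/\w{6}}
#   meta      LOCAL_HOTMAIL_SPAM_URI  (__FROM_HOTMAIL_COM && LOCAL_URI_BITLY)

# Sub-rule form: the "__" prefix makes the URI test a building block with
# no score of its own, so only the combinations below are penalized.
uri       __LOCAL_URI_BITLY       m{https?://bit\.ly/\w{6}}

# bit.ly link in mail from hotmail.com (score value is constructed).
meta      LOCAL_HOTMAIL_SPAM_URI  (__FROM_HOTMAIL_COM && __LOCAL_URI_BITLY)
describe  LOCAL_HOTMAIL_SPAM_URI  From hotmail.com and bit.ly
score     LOCAL_HOTMAIL_SPAM_URI  2.0

# Wider variant using FREEMAIL_FROM (score value is constructed).
# If hotmail.com is in your freemail_domains list, hotmail mail hits both
# metas and the two scores add up.
meta      LOCAL_FREEMAIL_BITLY    (FREEMAIL_FROM && __LOCAL_URI_BITLY)
describe  LOCAL_FREEMAIL_BITLY    From a freemail domain and bit.ly
score     LOCAL_FREEMAIL_BITLY    1.5
```

Running `spamassassin --lint` after editing the file reports syntax errors before spamd is reloaded.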


Re: Blacklists Compared 17 October 2009

2010-04-06 Thread Marc Perkel



On 4/6/2010 7:41 PM, Alex wrote:

> Hi,
>
> Last October Marc posted the following URL that compared the various RBLs:
>
>> http://www.sdsc.edu/~jeff/spam/cbc.html
>
> It seems barracuda is still leading, but is that also everyone's
> experience? Can anyone provide details on how Jeff computed this
> information and is it as cut-and-dried as this makes it seem? IOW,
> barracuda, the free service, is "better" than all the rest...
>
> Thanks,
> Alex


I don't know the details but from what I understand it is a raw count of 
who spams him. So the experience of others might vary. There's not a lot 
of comparisons out there so this gives me some clue. But it doesn't say 
anything about the quality of the lists as it has apews listed highly. 
If I created a list that blacklisted everything I would be first.


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



Re: Freemail Rule help

2010-04-06 Thread John Hardin

On Tue, 6 Apr 2010, Alex wrote:


>>> uri       LOCAL_URI_BITLY  m{https?://bit\.ly/\w{6}}
>
> For the time-being, I have Ned's suggestion in place over mine because
> mine has problems, along with additional qualifiers (such as
> FREEMAIL_FROM) to further reduce the FPs.
>
> Other suggestions welcome...


I'll throw it in the sandbox and see what likely combinations present 
themselves. It'll take a couple of days.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/


Re: Blacklists Compared 17 October 2009

2010-04-06 Thread Marc Perkel

Here's another good list that rates quality.

http://www.intra2net.com/en/support/antispam/index.php

On 4/6/2010 7:41 PM, Alex wrote:

> Hi,
>
> Last October Marc posted the following URL that compared the various RBLs:
>
>> http://www.sdsc.edu/~jeff/spam/cbc.html
>
> It seems barracuda is still leading, but is that also everyone's
> experience? Can anyone provide details on how Jeff computed this
> information and is it as cut-and-dried as this makes it seem? IOW,
> barracuda, the free service, is "better" than all the rest...
>
> Thanks,
> Alex


--
Marc Perkel - Sales/Support