Re: Mail Marked Spam For VPN Users

2010-04-12 Thread John Hardin

On Mon, 12 Apr 2010, Carlos Mennens wrote:


> When users are on the LAN, their client IP is in range of
> 'mynetworks' parameter via Postfix. When they're home and VPN into my
> network, they fire up Outlook / Thunderbird & send email as they would
> if they were sitting in the office. However their client IP is now
> their ISP connected IP and their reverse DNS is not correct so SA
> thinks this is a spammer without a proper RDNS entry per RFC
> guidelines. Is there a way to fix this mix up?


When they connect to your mail server via your VPN, are they connecting to 
the _private_ IP address of the mail server? If they are connecting to the 
_public_ IP address then the fact that they are using a VPN is probably 
irrelevant as traffic isn't traversing the VPN.


I suspect this is a VPN configuration issue, not a SA issue.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The world has enough Mouse Clicking System Engineers.
   -- Dave Pooser
---
 Tomorrow: Thomas Jefferson's 267th Birthday


Re: FROM_STARTS_WITH_NUMS matches on text-to-email

2010-04-12 Thread Kelson

On 4/12/2010 4:26 PM, Bob O'Brien wrote:

> Other media references, too: 90210, 4100, I'm sure there are
> more which have been chosen by fans of one theme or another.


Back in the late 1990s, I remember hearing that some site (maybe 
Hotmail?) was restricted to US residents, but didn't check very 
thoroughly. They just made sure that the city, state and zip code 
matched. Strangely, they had a lot of users living in Beverly Hills, 90210.


--
Kelson Vibber
SpeedGate Communications 


Re: FROM_STARTS_WITH_NUMS matches on text-to-email

2010-04-12 Thread Jason Bertoch

On 4/12/2010 4:58 PM, Martin Gregorie wrote:

> I had quite a bit to do with phone numbers en masse a while back. My
> initial reaction is that it's not easy: not only do phone numbers vary in
> length between locales, but even such things as the 'international
> dialing' and non-local-call prefix vary from country to country.

That is certainly true with all phone numbers, but I suspect it's not
for cell phone numbers using text-to-email.  I don't have any non-US 
examples to verify against, but it really wouldn't make sense for 
providers to use international dialing codes in this case...at least not 
a huge variety at any rate.  I'm hoping that those in the non-US 
community can contribute opinions.  Maybe this problem isn't as complex 
as it initially sounds.


On 4/12/2010 5:57 PM, Ted Mittelstaedt wrote:

> The fundamental flaw
> here is in the assumption that an all-number mailbox user ID is
> virtually certain to be spam.  It is not.  Clearly, the default score
> assignment to that rule is too high.


That could certainly be true and it may prove that doing the proposed 
tests just isn't worth the CPU cycles.  Only a test against the corpus 
will say with any degree of certainty.  Sadly, I don't have the perl 
skills to make that judgment, hence my appeal to the community for 
ideas, opinions, and possible code to test the theory.


/Jason


Re: FROM_STARTS_WITH_NUMS matches on text-to-email

2010-04-12 Thread Bob O'Brien

Martin Gregorie wrote:

> However, there is one fairly straightforward question that can be
> easily answered: has anybody ever seen an all-number mailbox/user id in
> circumstances where it *isn't* a phone number?
  



Yes.  I have seen personal addresses with all-digit LHS.
It's almost always been "42" or "6" or "1" but it happens.

Other media references, too: 90210, 4100, I'm sure there are
more which have been chosen by fans of one theme or another.





   Bob
--


Re: New log errors on upgrading

2010-04-12 Thread Mark Martinec
Micah,

> More new errors that I am getting from an upgrade to spamassassin 3.3:

3.3.0 ?

> Use of uninitialized value $start_time in addition (+) at
> /usr/sbin/spamd line 1382, 

That was fixed in 3.3.1 .

> and also the following:
> 
> spf: lookup failed: Can't locate object method "new_from_string" via
> package "Mail::SPF::Mech::All" at /usr/share/perl5/Mail/SPF/Record.pm
> line 227.
> 
> I'm using libmail-spf-perl version: 2.005-1
> 
> Might this be fixed in a newer perl version?

No idea. Try Mail-SPF-v2.007, the 2.005 is three years old.

  Mark


Re: Country Relay Filter on SA 3.3.1

2010-04-12 Thread RW
On Mon, 12 Apr 2010 21:05:25 +0100
RW  wrote:

> On Mon, 12 Apr 2010 14:25:36 -0400
> Kaleb Hosie  wrote:
> 
> > Hey Everyone,
> > I'm having an issue with the Country Relay filter. I've realized
> > that it hasn't been affecting the score rating at all since I've
> > upgraded from version 2.6.5.
> > 
> >..
> > decrease or increase the score. I also have made sure that the
> > RelayCountry plug-in has been uncommented in the init.pre file. 
> 
> The plugin requires an additional perl module, IP::Country. Perhaps it
> fell off during the SA upgrade, or needs to be updated.

Sorry, I missed the bit about the header being present.


Re: FROM_STARTS_WITH_NUMS matches on text-to-email

2010-04-12 Thread Ted Mittelstaedt



On 4/12/2010 1:58 PM, Martin Gregorie wrote:
> On Mon, 2010-04-12 at 16:29 -0400, Jason Bertoch wrote:
>> I just received a FP report on a message sent from a phone via their
>> text-to-email gateway.  FROM_STARTS_WITH_NUMS matched because the
>> sender's address is [10-digit phone numb...@somecarrier.com.
>>
>> My initial instinct was to file a bug suggesting there be a check in the
>> rule to see if there are 10 and only 10 numbers.  However, I quickly
>> remembered SA is international software with phone numbers being various
>> lengths around the globe.  I wonder how difficult it would be to make
>> location specific exceptions based on RelayCountry?
>>
>> Thoughts or suggestions?
>
> I had quite a bit to do with phone numbers en masse a while back. My
> initial reaction is that it's not easy: not only do phone numbers vary in
> length between locales, but even such things as the 'international
> dialing' and non-local-call prefix vary from country to country. My
> guess is that determining by inspection whether the number is a phone
> number probably involves a plugin and a (large) set of numbering scheme
> templates. However, the domain name might help: obviously so for small,
> single country telcos, but while the globotelcos will certainly have to
> use national number structures in each country, do they also use
> different domains for each country they operate in? My guess is that
> some do and some don't.
>
> However, there is one fairly straightforward question that can be
> easily answered: has anybody ever seen an all-number mailbox/user id in
> circumstances where it *isn't* a phone number?



No, but I could set one up just to piss off someone...

Seriously, you shouldn't be asking that question.  The fundamental flaw
here is in the assumption that an all-number mailbox user ID is 
virtually certain to be spam.  It is not.  Clearly, the default score 
assignment to that rule is too high.


Ted



Martin




New log errors on upgrading

2010-04-12 Thread Micah Anderson

More new errors that I am getting from an upgrade to spamassassin 3.3:

Use of uninitialized value $start_time in addition (+) at
/usr/sbin/spamd line 1382, 

and also the following:

spf: lookup failed: Can't locate object method "new_from_string" via
package "Mail::SPF::Mech::All" at /usr/share/perl5/Mail/SPF/Record.pm
line 227.

I'm using libmail-spf-perl version: 2.005-1

Might this be fixed in a newer perl version?

Micah




Re: FROM_STARTS_WITH_NUMS matches on text-to-email

2010-04-12 Thread Martin Gregorie
On Mon, 2010-04-12 at 16:29 -0400, Jason Bertoch wrote:
> I just received a FP report on a message sent from a phone via their 
> text-to-email gateway.  FROM_STARTS_WITH_NUMS matched because the 
> sender's address is [10-digit phone numb...@somecarrier.com.
> 
> My initial instinct was to file a bug suggesting there be a check in the 
> rule to see if there are 10 and only 10 numbers.  However, I quickly 
> remembered SA is international software with phone numbers being various 
> lengths around the globe.  I wonder how difficult it would be to make 
> location specific exceptions based on RelayCountry?
> 
> Thoughts or suggestions?
> 
I had quite a bit to do with phone numbers en masse a while back. My
initial reaction is that it's not easy: not only do phone numbers vary in
length between locales, but even such things as the 'international
dialing' and non-local-call prefix vary from country to country. My
guess is that determining by inspection whether the number is a phone
number probably involves a plugin and a (large) set of numbering scheme
templates. However, the domain name might help: obviously so for small,
single country telcos, but while the globotelcos will certainly have to
use national number structures in each country, do they also use
different domains for each country they operate in? My guess is that
some do and some don't.

However, there is one fairly straightforward question that can be
easily answered: has anybody ever seen an all-number mailbox/user id in
circumstances where it *isn't* a phone number?


Martin




dcc: [26896] terminated: exit 241

2010-04-12 Thread Micah Anderson

I'm getting a lot of these log entries ever since I've upgraded:

Apr  9 22:31:14 spamd2 spamd[2774]: dcc: [26896] terminated: exit 241

Obviously this is related to dcc, but I am not finding anything about
what 'exit 241' is, and how I can adjust things so I no longer get them
(or maybe they are normal and I need to start ignoring them?)

Does anyone have a clue about these? thanks!
micah


-- 
"It is no measure of health to be well adjusted to a profoundly sick society." 
- J Krishnamurti 



FROM_STARTS_WITH_NUMS matches on text-to-email

2010-04-12 Thread Jason Bertoch


I just received a FP report on a message sent from a phone via their 
text-to-email gateway.  FROM_STARTS_WITH_NUMS matched because the 
sender's address is [10-digit phone numb...@somecarrier.com.


My initial instinct was to file a bug suggesting there be a check in the 
rule to see if there are 10 and only 10 numbers.  However, I quickly 
remembered SA is international software with phone numbers being various 
lengths around the globe.  I wonder how difficult it would be to make 
location specific exceptions based on RelayCountry?


Thoughts or suggestions?

--
/Jason





Re: skipping dynamic tests for ISP's own dynamic networks?

2010-04-12 Thread Kris Deugau

Royce Williams wrote:

> From the documentation, msa_networks designates those servers that
> accept only authenticated messages, regardless of type.  I'm the new
> guy on the list, and have some catching up to do with learning how the
> *_networks directives work, but the evidence is mounting that if MSAs
> listed in msa_networks can't tell that they're in msa_networks, then
> msa_networks does not work as documented.


Can you provide a more detailed explanation of the system(s) that are 
misbehaving?  I've got three different sets of servers with three 
different SA integration methods for outbound mail, and all three Do The 
Right Thing(TM) with the same *_networks settings.


It sounds like you've got some factor interfering, but aside from DTDW 
("Damn Thing Doesn't Work") errors telling us that *something* is 
broken, it's hard to see where the trust path is breaking down.


I think from your 10/8 example you've got your head pretty much wrapped 
around the semantics of the configuration options (the only thing I 
would set differently would be to add services like Postini to 
internal_networks, because you want eg Spamhaus rules to trigger on the 
IP that relayed to Postini, not the Postini filter server IP).


-kgd


Re: Country Relay Filter on SA 3.3.1

2010-04-12 Thread RW
On Mon, 12 Apr 2010 14:25:36 -0400
Kaleb Hosie  wrote:

> Hey Everyone,
> I'm having an issue with the Country Relay filter. I've realized that
> it hasn't been affecting the score rating at all since I've upgraded
> from version 2.6.5.
> 
>..
> decrease or increase the score. I also have made sure that the
> RelayCountry plug-in has been uncommented in the init.pre file. 

The plugin requires an additional perl module, IP::Country. Perhaps it
fell off during the SA upgrade, or needs to be updated.


Country Relay Filter on SA 3.3.1

2010-04-12 Thread Kaleb Hosie
Hey Everyone,
I'm having an issue with the Country Relay filter. I've realized that it hasn't 
been affecting the score rating at all since I've upgraded from version 2.6.5.

Here is a sample of what I have in the local.cf file:
header RELAYCOUNTRY_CA X-relay-countries =~ /CA/
describe RELAYCOUNTRY_CA Relayed through Canada
score RELAYCOUNTRY_CA -1

add_header all Relay-Country _RELAYCOUNTRY_

Each email that comes in adds the "Relay-country" headers properly with the 
country that it was sent from, however it doesn't actually decrease or increase 
the score. I also have made sure that the RelayCountry plug-in has been 
uncommented in the init.pre file. Does anyone have experience on this?

Thanks,
Kaleb


Re: Mail Marked Spam For VPN Users

2010-04-12 Thread David Morton

On 4/12/10 12:11 PM, Carlos Mennens wrote:
> On Mon, Apr 12, 2010 at 1:02 PM, Michael Scheidell  
> wrote:
>> then read this part if I somehow confused you.
>>
>> On 4/12/10 12:55 PM, Carlos Mennens wrote:

>  other option is set up submit port that only available via vpn, or use
> smtp
>  auth and give anyone coming in via that -100 points.
>  (amavisd-new can add credit for smtp-auth users)
> 
> How would I credit -100 points for someone who is using smtp auth?
> Users should be using TLS and SASL authentication so that should be
> fine. I just need to know how I would configure something of the
> such...

One option is to use amavisd-new to do it as others have mentioned - or
as a more generic method, you can have Postfix add a header and look for
that:

/etc/postfix/helo_add_auth_header.regexp :
/.*/ PREPEND X-SMTP-Auth: not_on_myhost

/etc/mail/spamassassin/local.cf:
header __NO_SMTP_AUTH X-SMTP-Auth =~ /not_on_myhost/
meta SMTP_AUTH ( __NO_SMTP_AUTH < 1 )
describe SMTP_AUTH Message sent using SMTP Authentication
tflags SMTP_AUTH nice
score SMTP_AUTH -5

and then on the end of your smtpd_recipient_restrictions in main.cf:
 check_client_access pcre:/etc/postfix/helo_add_auth_header.regexp

SMTP Auth connections get ok'd before the regexp file is matched, and
they never get the header, and then spamassassin sees that and gives a
-5 credit.

-- 
David Morton 

Morton Software & Design  http://www.dgrmm.net - Ruby on Rails
 PHP Applications
Maia Mailguard http://www.maiamailguard.com- Spam management
 for mail servers
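Added example, not part of David Morton's message: a small Python model of the flow he describes, showing which SMTP sessions end up carrying the X-SMTP-Auth header and therefore which ones receive the SMTP_AUTH credit. The network ranges, the domain and the restrictions placed ahead of check_client_access are assumptions; the message only says the check goes at the end of smtpd_recipient_restrictions.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed site values, not taken from the thread.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.10.0/24")]
LOCAL_DOMAINS = {"mydomain.tld"}


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    rcpt_domain: str
    headers: list = field(default_factory=list)  # headers sent by the client


def permit_mynetworks(s):
    ip = ip_address(s.client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(s):
    return "PERMIT" if s.sasl_authenticated else "DUNNO"


def reject_unauth_destination(s):
    return "DUNNO" if s.rcpt_domain in LOCAL_DOMAINS else "REJECT"


def check_client_access_prepend(s):
    # helo_add_auth_header.regexp: /.*/ PREPEND X-SMTP-Auth: not_on_myhost
    # PREPEND is not a final verdict: the header is added and evaluation goes on.
    s.headers.insert(0, ("X-SMTP-Auth", "not_on_myhost"))
    return "DUNNO"


# Only the last entry comes from the message; the first three are an assumed,
# commonly used ordering.
RESTRICTIONS = [
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access_prepend,
]


def run_restrictions(s):
    """First restriction returning PERMIT or REJECT ends the evaluation."""
    for restriction in RESTRICTIONS:
        verdict = restriction(s)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"  # end of list reached without an objection


def smtp_auth_score(headers):
    """header __NO_SMTP_AUTH X-SMTP-Auth =~ /not_on_myhost/
    meta SMTP_AUTH ( __NO_SMTP_AUTH < 1 ); score SMTP_AUTH -5"""
    no_auth = any(
        name.lower() == "x-smtp-auth" and re.search(r"not_on_myhost", value)
        for name, value in headers
    )
    return 0.0 if no_auth else -5.0


def classify(s):
    """Return (Postfix verdict, SMTP_AUTH contribution or None if rejected)."""
    verdict = run_restrictions(s)
    score = smtp_auth_score(s.headers) if verdict == "PERMIT" else None
    return verdict, score


if __name__ == "__main__":
    cases = {
        "home user, SMTP AUTH": Session("68.200.252.165", True, "mydomain.tld"),
        "outside sender, no auth": Session("203.0.113.7", False, "mydomain.tld"),
        "LAN client, no auth": Session("192.168.10.20", False, "example.net"),
        "outside relay attempt": Session("203.0.113.7", False, "example.net"),
        # A sender-supplied X-SMTP-Auth header cannot cancel the prepended one.
        "outside sender, own header": Session(
            "203.0.113.7", False, "mydomain.tld", [("X-SMTP-Auth", "yes")]
        ),
    }
    for label, session in cases.items():
        print(f"{label:28} {classify(session)}")
```

With this ordering, clients inside mynetworks are permitted before the header is added as well, so they receive the same credit as authenticated users.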


Re: Mail Marked Spam For VPN Users

2010-04-12 Thread Michael Scheidell

On 4/12/10 1:11 PM, Carlos Mennens wrote:



>> (amavisd-new can add credit for smtp-auth users)
>
> How would I credit -100 points for someone who is using smtp auth?
> Users should be using TLS and SASL authentication so that should be
> fine. I just need to know how I would configure something of the
> such...

since you are using amavisd-new, you should look at the amavisd-new 
mailing list.  look for smtp-auth and policy banks.


several examples, depending on what you are doing.


--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008

__
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
__  


Re: Mail Marked Spam For VPN Users

2010-04-12 Thread Carlos Mennens
On Mon, Apr 12, 2010 at 1:02 PM, Michael Scheidell  wrote:
> then read this part if I somehow confused you.
>
> On 4/12/10 12:55 PM, Carlos Mennens wrote:
>>>
>>> >  other option is set up submit port that only available via vpn, or use
>>> > smtp
>>> >  auth and give anyone coming in via that -100 points.
>>> >  (amavisd-new can add credit for smtp-auth users)

How would I credit -100 points for someone who is using smtp auth?
Users should be using TLS and SASL authentication so that should be
fine. I just need to know how I would configure something of the
such...


Re: Mail Marked Spam For VPN Users

2010-04-12 Thread Michael Scheidell

then read this part if I somehow confused you.

On 4/12/10 12:55 PM, Carlos Mennens wrote:

>  other option is set up submit port that only available via vpn, or use smtp
>  auth and give anyone coming in via that -100 points.
>  (amavisd-new can add credit for smtp-auth users)
 




Re: Mail Marked Spam For VPN Users

2010-04-12 Thread Carlos Mennens
On Mon, Apr 12, 2010 at 12:43 PM, Michael Scheidell
 wrote:
> are they not authenticating through, and sending out via (forgive me) an
> exchange server?
> if outlook is authenticating direct to  the exchange server, then the
> exchange server would be the source ip, and you would eliminate lots of
> this.
>
> other option is set up submit port that only available via vpn, or use smtp
> auth and give anyone coming in via that -100 points.
> (amavisd-new can add credit for smtp-auth users)

I am totally lost. Who has an Exchange server? I have a Postfix mail
server. When users are on the LAN, their client IP is in range of
'mynetworks' parameter via Postfix. When they're home and VPN into my
network, they fire up Outlook / Thunderbird & send email as they would
if they were sitting in the office. However their client IP is now
their ISP connected IP and their reverse DNS is not correct so SA
thinks this is a spammer without a proper RDNS entry per RFC
guidelines. Is there a way to fix this mix up?

Nobody is authenticating through any Exchange servers or anything like that...


file locking errors and general fyi

2010-04-12 Thread R-Elists

greetings,  :-)

coupla days ago upgraded from 3.2.5 to 3.3.1 on a production centos4 machine

all 3.2.5 old files and dirs and all conflicting/duplicate rules removed
from machine.

it appears that overall things went quite well

2 days later doing some normal log parsing i noticed this

spamd[2489]: bayes: cannot open bayes databases
/home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call
spamd[2489]: bayes: cannot open bayes databases
/home/spamd/.spamassassin/bayes_* R/W: lock failed: Interrupted system call

changed from flock to default in /etc/mail/spamassassin/local.cf

then this error  ;-)

spamd[19334]: bayes: cannot open bayes databases
/home/spamd/.spamassassin/bayes_* R/W: lock failed: File exists
spamd[19337]: bayes: cannot open bayes databases
/home/spamd/.spamassassin/bayes_* R/W: lock failed: File exists

hmm

so i did some chmod'ing and changed back to flock

we currently do a force expire every 2 days off peak

then, started to do some research...

the only thing that jumped out at me was the "default" tokens of 15 in
bayes

is that for any bayes db type or SQL related only?

 - rh



Re: Mail Marked Spam For VPN Users

2010-04-12 Thread Michael Scheidell

On 4/12/10 12:38 PM, Carlos Mennens wrote:

> On my Postfix server, when my co-workers VPN from their laptops from
> home, they then send mail via Outlook and their ISP IP address. When
> the message gets to its recipient, it's marked ***SPAM*** by SA.

are they not authenticating through, and sending out via (forgive me) an
exchange server?
if outlook is authenticating direct to  the exchange server, then the 
exchange server would be the source ip, and you would eliminate lots of 
this.


other option is set up submit port that only available via vpn, or use 
smtp auth and give anyone coming in via that -100 points.

(amavisd-new can add credit for smtp-auth users)




Mail Marked Spam For VPN Users

2010-04-12 Thread Carlos Mennens
On my Postfix server, when my co-workers VPN from their laptops from
home, they then send mail via Outlook and their ISP IP address. When
the message gets to its recipient, it's marked ***SPAM*** by SA.
Users are complaining that email from internal users is being marked
as 'spam' and they don't know why. When I check the message source, I
can see that the user is connected to their personal ISP
(tampabay.res.rr.com in this case) to tunnel / VPN in and send mail
from their work account. My question is what can I fix to eliminate
this confusion for my co-workers w/o compromising actual spam to get
through? If this is good normal behavior from SA / Postfix, then I
will leave it alone based on your expert recommendations however if
you think I can tune Postfix / SA to handle mail better, I would
greatly appreciate any suggestions. I see below in the headers that
the message is being tagged as spam due to parameters that are typical
of big ISPs. The message source is below:

Return-Path: 
X-Original-To: slacha...@mydomain.tld
Delivered-To: slacha...@mydomain.tld
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.mydomain.tld (Postfix) with ESMTP id CD2D7778382;
Mon, 12 Apr 2010 09:08:57 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mydomain.tld
X-Spam-Flag: YES
X-Spam-Score: 5.266
X-Spam-Level: *
X-Spam-Status: Yes, score=5.266 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845,
FSL_HELO_NON_FQDN_1=0.001, HELO_NO_DOMAIN=0.001,
RCVD_IN_PBL=3.335,
RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982,
O_EQ_FM_DIRECT_MX=0.001]
autolearn=no
Received: from mail.mydomain.tld ([127.0.0.1])
by localhost (mydomain.tld [127.0.0.1]) (amavisd-new, port
10024)
with LMTP id qDSvk1vgoHls; Mon, 12 Apr 2010 09:08:57 -0400
(EDT)
Received: from elugo2 (165-252.200-68.tampabay.res.rr.com [68.200.252.165])
by mail.mydomain.tld (Postfix) with ESMTP id ABF3477838C;
Mon, 12 Apr 2010 09:08:56 -0400 (EDT)
From: "Esteban Lugo" 
To: "'Esteban Lugo'" ,
"'Richard'" ,
"'Scott'" ,
"'David'" ,
"'Hassan'" ,
"'Travis'" 
References: <000a01caa428$249ebb70$6ddc32...@org>
<75e1fe1c6e1c924a8f27e609cbe62c3d47e1394...@hvxmsp1.us.somedomain.tld>
In-Reply-To:
Subject: ***SPAM*** RE: WHL Request 4/12-4/16
Date: Mon, 12 Apr 2010 09:08:54 -0400
Message-ID: <000901cada41$4f7bc000$ee7340...@org>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_000A_01CADA1F.C86A2000"
X-Mailer: Microsoft Office Outlook 12.0
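
Added example, not part of the original message: a Python parser for the X-Spam-Status header quoted above that totals the rule scores and separates the rules keyed on the connecting client (DNSBL, reverse DNS, HELO, direct-to-MX) from the rest. The header is copied from the message with its continuation lines indented, and the grouping of rules by name pattern is an assumption made for illustration.

```python
import re
from decimal import Decimal

# X-Spam-Status header from the message above, continuation lines indented.
RAW_HEADER = """X-Spam-Status: Yes, score=5.266 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845,
 FSL_HELO_NON_FQDN_1=0.001, HELO_NO_DOMAIN=0.001,
 RCVD_IN_PBL=3.335,
 RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.982,
 O_EQ_FM_DIRECT_MX=0.001]
 autolearn=no"""

# Assumption: rule names shaped like these depend on the connecting client's
# IP address, reverse DNS or HELO rather than on the message content.
CLIENT_KEYED = re.compile(
    r"^(RCVD_IN_|RDNS_|HELO_|FSL_HELO_)|(_TO_MX|_DIRECT_MX)$"
)

NUMBER = r"(-?\d+(?:\.\d+)?)"


def parse_spam_status(raw):
    """Return (score, required, {rule: points}) from an X-Spam-Status header."""
    # Unfold: a line break followed by whitespace continues the header.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    name, _, value = unfolded.partition(":")
    if name.strip().lower() != "x-spam-status":
        raise ValueError("not an X-Spam-Status header")
    score = re.search(r"\bscore=" + NUMBER, value)
    required = re.search(r"\brequired=" + NUMBER, value)
    if not score or not required:
        raise ValueError("score= or required= missing")
    tests = {}
    blob = re.search(r"\btests=\[([^\]]*)\]", value)
    if blob:  # absent or empty list: no rules hit
        for item in blob.group(1).split(","):
            rule, sep, points = item.strip().partition("=")
            if sep:
                tests[rule] = Decimal(points)
    return Decimal(score.group(1)), Decimal(required.group(1)), tests


def analyse(raw):
    """Split the score into client-keyed rules and everything else."""
    score, required, tests = parse_spam_status(raw)
    client = {r: p for r, p in tests.items() if CLIENT_KEYED.search(r)}
    other = {r: p for r, p in tests.items() if r not in client}
    remainder = sum(other.values(), Decimal(0))
    return {
        "reported": score,
        "summed": sum(tests.values(), Decimal(0)),
        "client_keyed": sum(client.values(), Decimal(0)),
        "remainder": remainder,
        "ranked": sorted(tests.items(), key=lambda kv: kv[1], reverse=True),
        "spam_without_client_rules": remainder >= required,
    }


if __name__ == "__main__":
    report = analyse(RAW_HEADER)
    for rule, points in report["ranked"]:
        group = "client" if CLIENT_KEYED.search(rule) else "other"
        print(f"{str(points):>7}  {rule:<22} {group}")
    print("reported score:     ", report["reported"])
    print("sum of rule scores: ", report["summed"])
    print("client-keyed rules: ", report["client_keyed"])
    print("everything else:    ", report["remainder"])
```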


Re: How to configure spamassassin

2010-04-12 Thread Kai Schaetzl
HateSpam wrote on Mon, 12 Apr 2010 07:12:36 -0700 (PDT):

> I wanted to ask that forum but there was not any contact or registration
> option, so I wonder if anyone else has done the same configuration.

You should not use it if you don't know how it works and it is not 
supported anymore.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com





Re: How to filter emails in a text file

2010-04-12 Thread yongke

Ok thanks, I will give this a try.


Daniel Lemke wrote:
> 
> 
> yongke wrote:
>> 
>> Hi guys
>> 
>> Is it possible to just run spamassassin on a text file?  I don't have a
>> mail server or anything.  Is it possible to have like a totally standalone
>> spamassassin to just check emails I generate but haven't sent out yet?
>> 
> 
> 
> Uhm, not sure what you mean with "totally standalone" but have you tried
> something like this?
> 
> spamassassin < yourtextfile
> 

-- 
View this message in context: 
http://old.nabble.com/How-to-filter-emails-in-a-text-file-tp28218339p28219140.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: How to filter emails in a text file

2010-04-12 Thread Per Jessen
yongke wrote:

> 
> Hi guys
> 
> Is it possible to just run spamassassin on a text file?  I don't have
> a mail server or anything.  Is it possible to have like a totally
> standalone spamassassin to just check emails I generate but haven't
> sent out yet?

Yep, just run 'spamassassin  

Re: How to filter emails in a text file

2010-04-12 Thread Daniel Lemke


yongke wrote:
> 
> Hi guys
> 
> Is it possible to just run spamassassin on a text file?  I don't have a
> mail server or anything.  Is it possible to have like a totally standalone
> spamassassin to just check emails I generate but haven't sent out yet?
> 


Uhm, not sure what you mean with "totally standalone" but have you tried
something like this?

spamassassin < yourtextfile



How to filter emails in a text file

2010-04-12 Thread yongke

Hi guys

Is it possible to just run spamassassin on a text file?  I don't have a
mail server or anything.  Is it possible to have like a totally standalone
spamassassin to just check emails I generate but haven't sent out yet?



Re: How to configure spamassassin

2010-04-12 Thread hateSpam

I wanted to ask that forum but there was not any contact or registration
option, so I wonder if anyone else has done the same configuration. 



Matus UHLAR - fantomas wrote:
> 
> On 12.04.10 06:16, hateSpam wrote:
>> I used instruction for http://onetforum.com/fourm/viewtopic.php?f=2&t=34
> 
> Why don't you ask on that forum for help then?
> 
>> and reloaded the postfix now when I receive any email I have [SPAM] added
>> on subject
> 
> turn subject rewriting off.
> 
>> all emails even it is not a spam.
> 
> You should read another page 
> http://wiki.apache.org/spamassassin/FalsePositives
> 
>> hateSpam wrote:
>> > I have Spamassassin on my Centos 5.4. For send and receive email I use
>> > postfix and Dovecot and Sendmail version 8.13.8. Since I have installed
>> > the spamassassin I have not configured it. We are getting about 20
>> spams
>> > per day. I want to configure it and get it working. I did google it
>> there
>> > are some information but all in different server, some I tried did not
>> > work. 
>> > 
>> > I will appreciate if anyone know how to configure it from scratch after
>> > installing it.
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> A day without sunshine is like, night.
> 
> 




Re: Enable autolearn for certain shortcircuits

2010-04-12 Thread Daniel Lemke


RW-15 wrote:
> 
> On Mon, 12 Apr 2010 04:25:13 -0700 (PDT)
> Daniel Lemke  wrote:
> 
>> 
>> 
>> RW-15 wrote:
>> > 
>> > 
>> > The default is learn, not noautolearn - either prevents autolearning.
>> > 
>> > 
>> 
>> Hmm, so it's not possible to use a tflag for telling bayes to learn
>> the message? What else can I do?
> 
> I'm not familiar with how scores work under short-circuiting, but I
> would imagine that auto-learning would work if you simply define
> neither flag, i.e. 
> 
> tflags BAYES_00 nice
> 
> 

Already tried that, no effect on autolearn ("autolearn=disabled").



Re: How to configure spamassassin

2010-04-12 Thread Matus UHLAR - fantomas
On 12.04.10 06:16, hateSpam wrote:
> I used instruction for http://onetforum.com/fourm/viewtopic.php?f=2&t=34

Why don't you ask on that forum for help then?

> and reloaded the postfix now when I receive any email I have [SPAM] added
> on subject

turn subject rewriting off.

> all emails even it is not a spam.

You should read another page 
http://wiki.apache.org/spamassassin/FalsePositives

> hateSpam wrote:
> > I have Spamassassin on my Centos 5.4. For send and receive email I use
> > postfix and Dovecot and Sendmail version 8.13.8. Since I have installed
> > the spamassassin I have not configured it. We are getting about 20 spams
> > per day. I want to configure it and get it working. I did google it there
> > are some information but all in different server, some I tried did not
> > work. 
> > 
> > I will appreciate if anyone know how to configure it from scratch after
> > installing it.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.


Re: How to configure spamassassin

2010-04-12 Thread hateSpam

I used instruction for http://onetforum.com/fourm/viewtopic.php?f=2&t=34 and
reloaded the postfix now when I receive any email I have [SPAM] added on
subject all emails even it is not a spam.



hateSpam wrote:
> 
> Dear All,
> I have Spamassassin on my Centos 5.4. For send and receive email I use
> postfix and Dovecot and Sendmail version 8.13.8. Since I have installed
> the spamassassin I have not configured it. We are getting about 20 spams
> per day. I want to configure it and get it working. I did google it there
> are some information but all in different server, some I tried did not
> work. 
> 
> I will appreciate if anyone know how to configure it from scratch after
> installing it.
> 
> Thanks in advance
> Hatspam 
> 




Re: Increase in image/zip spam?

2010-04-12 Thread Per Jessen
Alex wrote:

> Hi,
> 
> Just wondering if others are also seeing an increase in image spam in
> the last week or so, some of which contain zip attachments? The body
> contains random "bayes killer?" text with an image or zip attachment.

Yep, been seeing quite a few of those.  Usually one image as a zip-file.
Most are filtered out based on origin, but quite a few make it through.


/Per Jessen, Zürich



Re: Increase in image/zip spam?

2010-04-12 Thread --[ UxBoD ]--
- Original Message -
> Hi,
> 
> Just wondering if others are also seeing an increase in image spam in
> the last week or so, some of which contain zip attachments? The body
> contains random "bayes killer?" text with an image or zip attachment.
> I can't otherwise find something to trigger on to block them reliably
> and bayes doesn't seem to be doing it for me...
> 
> http://pastebin.com/fSarnJQy
> 
> Any ideas greatly appreciated!
> Thanks, Alex

Appears to hit a few RBLs:

Content analysis details:   (7.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- -----------
 0.4 RCVD_IN_XBL
 0.5 RCVD_IN_NIX_SPAM
 3.0 RCVD_IN_BRBL
 1.4 RCVD_IN_BRBL_LASTEXT
-0.0 BAYES_20
 1.1 DCC_CHECK
 0.8 RDNS_NONE

-- 
Thanks, Phil


Re: Enable autolearn for certain shortcircuits

2010-04-12 Thread RW
On Mon, 12 Apr 2010 04:25:13 -0700 (PDT)
Daniel Lemke wrote:

> 
> 
> RW-15 wrote:
> > 
> > 
> > The default is learn, not noautolearn - either prevents autolearning.
> > 
> > 
> 
> Hmm, so it's not possible to use a tflag for telling bayes to learn
> the message? What else can I do?

I'm not familiar with how scores work under short-circuiting, but I
would imagine that auto-learning would work if you simply define
neither flag, i.e. 

tflags BAYES_00 nice


Re: Enable autolearn for certain shortcircuits

2010-04-12 Thread Daniel Lemke


RW-15 wrote:
> 
> 
> The default is learn, not noautolearn - either prevents autolearning.
> 
> 

Hmm, so it's not possible to use a tflag for telling bayes to learn the
message? What else can I do?



Re: Enable autolearn for certain shortcircuits

2010-04-12 Thread RW
On Mon, 12 Apr 2010 00:30:18 -0700 (PDT)
Daniel Lemke wrote:

> 
> Hi,
> 
> I'd like to enable bayes auto learn for a specific shortcircuit rule.
> This is what I've got:
> 
> shortcircuit BAYES_00 on
> score BAYES_00 -50
> tflags BAYES_00 learn
> 
> It's declared in site wide local.cf. A test showed that SA does
> consider changes to the score but ignores removing the "noautolearn"
> flag. I added the "learn" tflag instead, same result:

The default is learn, not noautolearn - either prevents autolearning.


Re: AWL

2010-04-12 Thread Matt Kettler
On 4/9/2010 4:33 PM, Dennis B. Hopp wrote:
> I have AWL enabled and it seems to be ok with helping out legitimate
> senders that occasionally send a "spammy" type message, but lately I
> have seen an increase where AWL is adding a negative score to a very
> blatant spam.  
>   
As long as it's not crossing your required_score, this is normal and
not a problem.

See the wiki:
http://wiki.apache.org/spamassassin/AwlWrongWay


Remember, a negative AWL score is *NOT* indicative that the AWL thinks
the message is not spam. It might indicate that it thinks it's just spam
with a lower positive score.

Positive AWL scores on spam are only possible if the sender keeps
sending messages that are going down in original score. That's *BAD*,
because it means they're starting to bypass other rules and are getting
better at evading SA.

> So my questions are, do people feel AWL is worth having enabled?  
>
> Is there a way to have the AWL rule only triggered if there is a minimum
> number of messages seen by that sender?
>   
No, but you'd still see the same effects. Being a score averager, some
messages are going to "look wrong" unless you start crunching the numbers.

> --Dennis
>
>
>   
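
The score averaging described in this reply, as an added example (not part of the original message and not SpamAssassin's own code). It assumes a simplified model: the adjustment is (sender mean - current score) * factor with the factor set to 0.5, history is kept per sender only, and all score sequences are constructed.

```python
FACTOR = 0.5     # assumed value of auto_whitelist_factor
REQUIRED = 5.0   # required_score


class AwlEntry:
    """Per-sender history: message count and running total of pre-AWL scores."""

    def __init__(self):
        self.count = 0
        self.total = 0.0

    def adjust(self, score, factor=FACTOR):
        """Return the AWL delta for `score`, then fold `score` into the history."""
        delta = 0.0  # no history yet: nothing to regress towards
        if self.count:
            delta = (self.total / self.count - score) * factor
        self.count += 1
        self.total += score
        return delta


def replay(scores, required=REQUIRED):
    """Replay one sender's pre-AWL scores as (score, awl, final, is_spam) rows."""
    entry = AwlEntry()
    rows = []
    for score in scores:
        awl = entry.adjust(score)
        final = score + awl
        rows.append((score, round(awl, 2), round(final, 2), final >= required))
    return rows


def crossings(rows, required=REQUIRED):
    """Rows where AWL alone pulled a spam-level score under required_score."""
    return [r for r in rows if r[0] >= required and not r[3]]


# Constructed score sequences, one list per hypothetical sender.
BLATANT = [12.0, 14.0, 30.0]       # always spammy, last message worst
EVADING = [20.0, 16.0, 10.0, 6.0]  # scores falling as the sender evades rules
MIXED = [0.0, 0.0, 8.0]            # ham history, then one spammy message

if __name__ == "__main__":
    for name, seq in (("blatant", BLATANT), ("evading", EVADING), ("mixed", MIXED)):
        rows = replay(seq)
        print(name, rows, "crossings:", crossings(rows))
```

Only the MIXED sender shows a crossing, which is the case worth auditing in logs; the negative AWL on the BLATANT sender leaves the message well above required_score.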



Re: Quarantine Management

2010-04-12 Thread Lucio Chiappetti

On Sat, 10 Apr 2010, Dennis B. Hopp wrote:


What are people using for quarantine management with spamassassin?


We use a homegrown arrangement. I've forgotten the details since it has 
been running without problems for ages, but in a nutshell we have this:


 - spam is quarantined system-wide (not by user) in a daily folder
   (actually two, one on each MX)

 - a crontab rotates the quarantine folder. We keep one week of old
   folders.

 - the same crontab sends a report to each user who has received some
   spam. A complex awk arrangement which also expands mail aliases so it
   also signals spam sent to internal mailing lists.

   The list is essentially in a form of lists of from/to/subject.
   So each user receives 2 to 2n reports (2 one per MX, 2n if there
   was also spam for n-1 mailing lists he is member of).

   The user can look at the report and ask for occasional false positives
   to the sys adm. We get, I guess, only a few of them per month for all
   our users. See note (*)

 - the same crontab prepares material for statistics (run later by another
   crontab of mine)

 - another crontab (on both MX), using the result of the previous one
   stored on a shared disk, runs sa-learn, so that both servers learn
   the same spam.

   The same crontab also learns additional spam stored by willing users,
   and exceptionally some ham (false positives retrieved from quarantine
   by the sys adm)

(*) I tend to trust what spamassassin does, and not look at the reports.
Instead I have a personal procmail script which takes all the
reports sent to me in one day, and makes a super-summary ... if
there is a message repeated with the same subject for instance it
is definitely spam, so the super-summary just says "n messages".
If it is alone, it is listed.

I do keep the reports in a folder for a week, and I have also
additional procmail-based personal spam filtering.

--

Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)

Citizens entrusted of public functions have the duty to accomplish them
with discipline and honour
  [Art. 54 Constitution of the Italian Republic]

For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html
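
A sketch of the per-user report step described in the message above, as an added example (not the poster's awk or procmail code). It assumes the daily quarantine is an mbox file, recipients are read from the To header rather than the envelope, and the alias map and messages are constructed; repeated subjects collapse to "n messages" as in the super-summary.

```python
import mailbox
import os
import tempfile
from collections import defaultdict
from email.utils import getaddresses

# Constructed sample data: a hypothetical alias map and one day's quarantine.
ALIASES = {"staff@example.org": ["anna@example.org", "bob@example.org"]}
SAMPLE_MBOX = "".join(
    "From MAILER-DAEMON Mon Apr 12 00:00:00 2010\n"
    f"From: {sender}\nTo: {rcpt}\nSubject: {subject}\n\nbody\n\n"
    for sender, rcpt, subject in [
        ("a@spam.example", "anna@example.org", "Cheap pills"),
        ("b@spam.example", "Anna@example.org", "Cheap pills"),
        ("c@spam.example", "staff@example.org", "Win a prize"),
    ]
)

def collect(mbox_path, aliases):
    """Return {recipient: {subject: [senders]}} with list aliases expanded."""
    per_user = defaultdict(lambda: defaultdict(list))
    box = mailbox.mbox(mbox_path, create=False)
    for msg in box:
        for _, addr in getaddresses(msg.get_all("To", [])):
            addr = addr.lower()
            for user in aliases.get(addr, [addr]):  # a list maps to its members
                per_user[user][msg.get("Subject", "")].append(msg.get("From", "?"))
    box.close()
    return per_user

def report(subjects):
    """One line per subject; repeated subjects collapse to 'n messages'."""
    lines = []
    for subject in sorted(subjects):
        senders = subjects[subject]
        head = f"{len(senders)} messages" if len(senders) > 1 else senders[0]
        lines.append(f"{head} | {subject}")
    return lines

def sample_reports():
    """Build the per-user reports for the constructed quarantine above."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_MBOX)
        return {u: report(s) for u, s in collect(path, ALIASES).items()}
    finally:
        os.remove(path)
```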



Enable autolearn for certain shortcircuits

2010-04-12 Thread Daniel Lemke

Hi,

I'd like to enable bayes auto learn for a specific shortcircuit rule. This
is what I've got:

shortcircuit BAYES_00 on
score BAYES_00 -50
tflags BAYES_00 learn

It's declared in site wide local.cf. A test showed that SA does consider
changes to the score but ignores removing the "noautolearn" flag. I added the
"learn" tflag instead, same result:

X-Spam-Status: No, hits=-50.0, required=5.0, autolearn=disabled,
shortcircuit=BAYES_00 (ham)
X-Spam-Report: 
* -0.0 SHORTCIRCUIT SHORTCIRCUIT
*  [score: 0.]
*  -50 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*  0.0 HTML_MESSAGE BODY: HTML included in message


Any hints?

Thanks in advance
Daniel