Re: Help with new rule, and local.cf
On 03.06.10 20:45, cviebrock wrote:
> Thanks for the link. That'll help.
>
> In general, though, can I write a SA rule that looks at the raw message body with trying to decode attachments, etc.? I thought that would be the easiest way to catch these messages (and some other spam that comes in as PNG files).

For images, there is the FuzzyOcr plugin that can catch image spam.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Atheism is a non-prophet organization.
Re: Problems with spamass-milter, postfix, spamassassin
> Bug 6403 comment 19 [1]? [cut]
> You are aware you still will have to add the macros to the postfix conf, as stated in that bug report and [1]? Did you do that?

No, I was not aware of that. Can't understand how I missed it - it's even plainly stated in spamass-milter docs. *bonk*

Just for the reference to others with the same problem, adding this to main.cf will fix UNPARSEABLE_RELAY. And RCVD_* tests will start matching.

    milter_connect_macros = j {daemon_name} v {client_addr} _

Thank you Matus, Kris and especially Karsten.

Frn
Re: Problems with spamass-milter, postfix, spamassassin
On 03.06.2010 16:42, Kris Deugau wrote:
> Tarvo Kurm wrote:
>> Mails coming in thru postfix+spamass-milter+spamassassin have drastically lower scores than those checked manually with spamassassin or spamc. Specifically, mails taking the milter path will not have RCVD_IN rules matched _almost_ never. I'm suspicious of the UNPARSEABLE_RELAY match, but not sure what causes it.
>
> Milters typically see the message before any Received: headers are added by the local MTA. As a result, the milter itself needs to add a synthetic one that SA can use.
>
> Unfortunately, this synthetic header seems to be a lot harder to generate than you might think. I've heard reports now and then for several years now that spamass-milter still hasn't quite got this ironed out. My own preferred milter, MIMEDefang, has also had intermittent problems generating a correct Received: header to pass to SA.
>
> The fact that RBL rules are not firing, and you're getting UNPARSEABLE_RELAY, says to me that *something* is wrong with the generated header you're getting. Check and see if there's a way you can get spamass-milter to keep the message with the generated header somewhere so you can compare what's actually generated with the live header Postfix adds later, and which you see in your mailbox.
>
>> There has been a bug in spamass-milter which might or might not be relevant, but as far as I can see, it's been fixed in the debian package... (See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510665 )
>
> Fixed in the version you're running, or just unstable/testing?
>
> -kgd

Whatever, I have been using spamass-milter for years without any trouble with local files; with MySQL on a test bed, also no errors. Perhaps check all the config of all parts.

--
Best Regards
Robert Schetterer
Germany/Munich/Bavaria
Re: Help with new rule, and local.cf
On Thu, 2010-06-03 at 19:44 -0700, cviebrock wrote:
> I'm trying to write a rule to catch a bunch of spam I'm getting recently that contain only an .RTF file. The filename, subject line, and other details vary, but the raw message body is always the same i.e. the base64 encoded RTF file.
>
> See the headers and first few lines of the email here, plus my attempted rule (which doesn't seem to be firing).

Are you certain that the string you're matching is common to all RTF spam messages without being common to all RTF messages, e.g. a standard RTF header?

I'm trapping all the RTF spam I'm getting by firstly recognising the RTF attachment:

    describe   MG_RTF  RTF text file
    mimeheader MG_RTF  Content-Type =~ /name\=\".{1,20}\.rtf\"/i
    score      MG_RTF  0.75

and using that in meta-rules that combine it with other information (I don't accept RTF attachments from some mailing lists or if they're sent to an address that I don't send mail from or use for subscriptions).

Martin
Re: Clean Mandriva runs SA3.2.5 but not 3.3.1
On Friday June 4 2010 07:09:25 Scot Meyer wrote:
> I am unable to get a clean install using the directions in INSTALL from working. I have a VM of the Mandriva image prior to installing any version of spamassassin. Then I downloaded 3.3.1 and followed the directions including running sa-update (see output below, sorry for the verbosity). spamd fails to start saying did I run sa-update? Then, I downloaded 3.2.5 and did the exact same procedure below without sa-update and it worked correctly: spamd starts and creates a valid PID.
>
> Please help. There must be something missing when the rules are updated from sa-update. I'm not sure why it fails to find the rules that were downloaded. If need be I can supply the spamd --lint -D output as well.
>
> [r...@localhost Mail-SpamAssassin-3.3.1]# make install
> Installing /usr/lib/perl5/site_perl/5.10.1/Mail/SpamAssassin.pm
> [...]
> Installing /usr/local/bin/sa-update
> [r...@localhost Mail-SpamAssassin-3.3.1]# sa-update -D
> [...]
> [13768] dbg: generic: SpamAssassin version 3.2.5

The sa-update you run here is 3.2.5, yet you installed the 3.3.1 sa-update into /usr/local/bin/. Either you are using your old sa-install, or the new one is using old 3.2.5 perl modules.

> [13768] dbg: extracting: /var/lib/spamassassin/3.002005/updates_spamassassin_org/10_default_prefs.c

In any case, the rules it installs are under /var/lib/ and 3.002005 ...

> [r...@localhost Mail-SpamAssassin-3.3.1]# spamd -D
> Jun 3 23:51:38.521 [13891] dbg: config: using /usr/share/spamassassin for sys rules pre files
> Jun 3 23:51:38.522 [13891] dbg: config: using /usr/share/spamassassin for default rules dir

... yet your spamd expects them to be in /usr/share/spamassassin and 3.003001.

Mark
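The mismatch Mark points out can be checked mechanically. The following is an added example, not code from the thread or from the SpamAssassin project: it converts a release number to the versioned rules directory name seen in the debug output and flags debug lines that disagree with the release you meant to install. The function names are hypothetical; the two sample lines are the ones quoted above.

```python
import re

# Debug lines quoted in the message above (sa-update -D on the affected host).
THREAD_LINES = [
    "[13768] dbg: generic: SpamAssassin version 3.2.5",
    "[13768] dbg: extracting: /var/lib/spamassassin/3.002005/"
    "updates_spamassassin_org/10_default_prefs.c",
]

VERSION_RE = re.compile(r"dbg: generic: SpamAssassin version (\d+\.\d+\.\d+)")
RULEDIR_RE = re.compile(r"(/\S*?/spamassassin)/(\d+\.\d{6})/")


def version_to_dir(version: str) -> str:
    """'3.3.1' -> '3.003001', the per-version directory used for updates."""
    major, minor, patch = (int(part) for part in version.split("."))
    return f"{major}.{minor:03d}{patch:03d}"


def dir_to_version(dirname: str) -> str:
    """'3.002005' -> '3.2.5'."""
    major, rest = dirname.split(".")
    return f"{int(major)}.{int(rest[:3])}.{int(rest[3:])}"


def diagnose(installed: str, debug_lines: list[str]) -> list[str]:
    """Return one finding per debug line that contradicts `installed`."""
    wanted_dir = version_to_dir(installed)
    findings = []
    for line in debug_lines:
        m = VERSION_RE.search(line)
        if m and m.group(1) != installed:
            findings.append(
                f"tool reports version {m.group(1)}, expected {installed}: "
                "an older script or older perl modules are being picked up"
            )
        m = RULEDIR_RE.search(line)
        if m and m.group(2) != wanted_dir:
            findings.append(
                f"rules written to {m.group(1)}/{m.group(2)} "
                f"(release {dir_to_version(m.group(2))}), "
                f"but release {installed} reads {wanted_dir}"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose("3.3.1", THREAD_LINES):
        print(finding)
```
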
Re: Clean Mandriva runs SA3.2.5 but not 3.3.1
Whoa, thanks I completely missed that. Apparently Mandriva 2010 free includes perl-Mail-SpamAssassin and spamassassin rpms by default even though I am pretty sure I unselected mail server from the list of install options.

Scot

--- On Fri, 6/4/10, Mark Martinec mark.martinec...@ijs.si wrote:
From: Mark Martinec mark.martinec...@ijs.si
Subject: Re: Clean Mandriva runs SA3.2.5 but not 3.3.1
To: users@spamassassin.apache.org
Date: Friday, June 4, 2010, 5:29 AM
Re: Help with new rule, and local.cf
You're right in that it *could* be a common RTF header, but a bit of decoding of the attachments on my end seems to indicate that it isn't. All these spam RTFs are practically identical except for a different URL link in the document, and a different (probably forged) generator Msftedit #.##.##.### line.

I guess my question is more general: how do I write a rule that looks at the undecoded content of the emails, versus one that looks at the decoded parts?

- Colin

--
View this message in context: http://old.nabble.com/Help-with-new-rule%2C-and-local.cf-tp28775147p28780895.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
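The two points debated in this thread, shown as an added example (not code from any poster): the leading base64 characters of an RTF attachment encode the standard RTF header and are therefore shared by every RTF file, and a string from the decoded document appears in the undecoded text in one of three forms depending on its byte offset. SpamAssassin's `full` rule type is the one that sees the pristine, undecoded message. Both RTF samples, the URL and the generator versions are constructed.

```python
import base64

# Constructed samples: same header, different generator line and content.
SPAM_RTF = (rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
            rb"{\*\generator Msftedit 5.41.15.1515;}"
            rb"\pard Visit http://spam.example/offer now\par}")
HAM_RTF = (rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
           rb"{\*\generator Msftedit 5.41.21.2509;}"
           rb"\pard Minutes of the June meeting\par}")

# encodebytes() wraps at 76 columns, as a MIME base64 part does.
SPAM_B64 = base64.encodebytes(SPAM_RTF).decode("ascii")
HAM_B64 = base64.encodebytes(HAM_RTF).decode("ascii")


def flatten(raw_b64: str) -> str:
    """Remove the line breaks a MIME encoder inserts into base64 text."""
    return "".join(raw_b64.split())


def shared_prefix(a: str, b: str) -> str:
    """Longest common prefix of two undecoded bodies (line breaks ignored)."""
    a, b = flatten(a), flatten(b)
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def b64_alignments(needle: bytes) -> list[str]:
    """Base64 text produced by `needle` at byte offset 0, 1 or 2 (mod 3).

    Characters that also encode bits of neighbouring bytes are dropped,
    so each variant depends on `needle` alone.
    """
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + needle).decode("ascii")
        start = (0, 2, 3)[shift]                     # mixed with bytes before
        cut = (0, 3, 2)[(shift + len(needle)) % 3]   # mixed with bytes after
        variants.append(enc[start:len(enc) - cut])
    return variants


def matches_undecoded(raw_b64: str, needle: bytes) -> bool:
    """True if the undecoded body must contain `needle` once decoded."""
    flat = flatten(raw_b64)
    return any(variant in flat for variant in b64_alignments(needle))


if __name__ == "__main__":
    print("shared by both files:", shared_prefix(SPAM_B64, HAM_B64)[:24], "...")
    print("patterns for the URL:", b64_alignments(b"http://spam.example/"))
```

A pattern taken from the start of the undecoded body (`e1xydGYx...`) matches the legitimate file as well; a pattern for content further in needs all three variants and must tolerate the line breaks that `flatten()` removes here.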
Re: Help with new rule, and local.cf
On Fri 04 Jun 2010 04:44:46 AM CEST, cviebrock wrote
> http://pastebin.com/xFddVaX8

http://sanesecurity.org/

Don't know what clamav rules help for this, but this is another way to stop spam attachments.

Remember to make a good choice of official sigs in clamd if using clamav milter, only reject official sigs, and I believe one can enable it on call to daemon so all is being scored as spam; not tried, but I believe it can be done.

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Will spam-assassin check the mail content?
Hi, I have installed spam assassin in my server and it's working perfectly. I have included the following parameters in the local.cf file:

    rewrite_header Subject [* SPAM _SCORE_ *]
    required_score 2.0
    # to be able to use _SCORE_ we need report_safe set to 0
    # If this option is set to 0, incoming spam is only modified by adding some X-Spam- headers and no changes will be made to the body.
    report_safe 0
    # Enable the Bayes system
    use_bayes 1
    use_bayes_rules 1
    # Enable Bayes auto-learning
    bayes_auto_learn 1
    # Enable or disable network checks
    skip_rbl_checks 0
    use_razor2 0
    use_dcc 0
    use_pyzor 0
    add_header all Report _REPORT_

Besides this all the configurations are in their default values. I checked spam-assassin by sending some mails to the server and when I sent a spam mail from my gmail account, it had a score above 10. But when I checked the spam report it had only rule violation from mail header.

I want to know whether spam-assassin will check the mail content also for finding spam score, in its default settings. If not, what changes should I make in the configurations for the spam-assassin to include the mail content for its spam check?

Please reply
spam score limit advise
Hi, What is the maximum allowed spam score value for a legitimate mail? What value should I set as the spam score limit?
Re: spam score limit advise
On 4.6.2010 18:53, aquero wrote:
> Hi, What is the maximum allowed spam score value for a legitimate mail? What value should i set as the spam score limit?

The default is 5 and that value works best for any installation, as the stock rules are configured using that value.

You have it at 2 in your other post; that is a very dangerous value, false positives will come.

--
http://www.iki.fi/jarif/
I use PGP. If there is an incompatibility problem with your mail client, please contact me.
You may be gone tomorrow, but that doesn't mean that you weren't here today.
Re: Will spam-assassin check the mail content?
On 4.6.2010 18:40, aquero wrote:
> I want to know whether spam-assassin will check the mail content also for finding spam score, in its default settings. If not what changes should I make in the configurations for, the spam-assassin to include the mail content, for its spam check. Please reply

Yes, mail content will be checked, that is bread and butter for SA.

You have disabled razor/pyzor/dcc, I suggest you install at least Razor2 for better results.

--
http://www.iki.fi/jarif/
I use PGP. If there is an incompatibility problem with your mail client, please contact me.
It may or may not be worthwhile, but it still has to be done.
Re: spam score limit advise
Jari Fredriksson wrote:
> On 4.6.2010 18:53, aquero wrote:
>> Hi, What is the maximum allowed spam score value for a legitimate mail? What value should i set as the spam score limit?
>
> The default is 5 and that value works best for any installation, as the stock rules are configured using that value.
>
> You have it at 2 in your another post, that is very dangerous value, false positives will come.

Thank you for your reply...:)
spam assassin custom rule sets
Hi, When I checked the third party software for spam-assassin I found many custom rule sets. Do I have to install these rule sets manually? If I perform sa-update, will it include all these rule sets in my spam-assassin rules list?
Re: spam score limit advise
aquero wrote:
> Hi, What is the maximum allowed spam score value for a legitimate mail? What value should i set as the spam score limit?

On my own servers, I lean towards being a little extra conservative. I don't tag subject lines until the score reaches 6. However, if the score gets to 15 points, then I consider the message to be sufficiently spammy that it's safe to reject.

I don't think I've ever seen a legitimate message score more than about 12 points. The one exception is that occasionally, FuzzyOCR will mis-fire on a low-contrast image, such as a scan of an old newspaper article, or a screen-dump image.

For crafting of local rules (and I make lots of use of metas, where significant scores are added only in very specific combinations of hits on low-scoring or zero-scoring rules), one of the things that I tend to do on scoring is if I'm fairly sure that a rule is going to hit only spam, is that I will score a rule at 5.5 points. The idea is that I'm not positive that the message won't hit any non-spam, but providing only a little bit of space for hitting other rules.

Smith
Re: spam assassin custom rule sets
On 4.6.2010 19:33, aquero wrote:
> Hi, When i checked the third party softwares for spam-assassin i found many custom rule sets. Do I have to install these rule sets manually? If I perform sa-update, will it will include all these rule sets into my spam-assassin rules list?

sa-update can be parameterised with a channelfile. Read this: http://khopesh.com/wiki/Anti-spam

--
http://www.iki.fi/jarif/
I use PGP. If there is an incompatibility problem with your mail client, please contact me.
There is no distinctly native American criminal class except Congress. -- Mark Twain
Extracting text from .rtf and .doc attachments using Extracttext.pm on SA 3.3.1
I am using Extracttext from http://whatever.frukt.org/spamassassin.text.shtml#ExtractText.pm

It extracts text from attached .rtf, .doc and some other formats, then feeds the results to BAYES and normal body testing.

My issue is that it works great with SA 3.2.5. However, on the same server it does not give any results with SA 3.3.1. I downgraded SA back to 3.2.5 and Extracttext works again.

The dbg output looks like this in 3.3.1:

    Jun 3 07:54:17.447 [11937] dbg: extracttext: Part: application/msword spam.doc
    Jun 3 07:54:17.447 [11937] dbg: extracttext: Match: name spam.doc =~ .*\.doc
    Jun 3 07:54:17.534 [11937] dbg: extracttext: External call: antiword /usr/bin/antiword,-t,-w,0,-m,UTF-8.txt,-
    Jun 3 07:54:17.537 [11937] info: extracttext: External extraction command: /usr/bin/antiword,-t,-w,0,-m,UTF-8.txt,-
    Jun 3 07:54:17.537 [11937] info: extracttext: External extraction object: 17 application/msword spam.doc
    Jun 3 07:54:17.538 [11937] info: extracttext: External extraction error: antiword 0 ?
    Jun 3 07:54:17.538 [11937] dbg: extracttext: Match: name spam.doc =~ .*\.doc
    Jun 3 07:54:17.538 [11937] dbg: extracttext: External call: unrtf /usr/local/bin/unrtf,-t,ExtractText.tags,--nopict
    Jun 3 07:54:17.539 [11937] info: extracttext: External extraction command: /usr/local/bin/unrtf,-t,ExtractText.tags,--nopict
    Jun 3 07:54:17.540 [11937] info: extracttext: External extraction object: 17 application/msword spam.doc
    Jun 3 07:54:17.540 [11937] info: extracttext: External extraction error: unrtf 0 ?
    Jun 3 07:54:17.616 [11937] dbg: extracttext: Magic: application/x-ole-storage
    Jun 3 07:54:17.617 [11937] dbg: extracttext: Not extracted
    Jun 3 07:54:17.617 [11937] dbg: extracttext: X-ExtractText-Words: 0
    Jun 3 07:54:17.617 [11937] dbg: extracttext: X-ExtractText-Chars: 0

The dbg output looks like this in 3.2.5:

    [7828] dbg: extracttext: Part: application/msword spam.doc
    [7828] dbg: extracttext: Match: name spam.doc =~ .*\.doc
    [7828] dbg: extracttext: External call: antiword /usr/bin/antiword,-t,-w,0,-m,UTF-8.txt,-
    [7828] info: extracttext: Extracted 40 chars using antiword
    [7828] info: extracttext: Text: Viagra
    [7828] info: extracttext: Text: Free sex
    [7828] info: extracttext: Text: Free porn
    [7828] info: extracttext: Text: Cash Out Now
    [7828] dbg: extracttext: X-ExtractText-Words: 8
    [7828] dbg: extracttext: X-ExtractText-Chars: 40
    [7828] dbg: extracttext: X-ExtractText-Tools: antiword
    [7828] dbg: extracttext: X-ExtractText-Types: application/msword
    [7828] dbg: extracttext: X-ExtractText-Extensions: doc

Any thoughts on how to get it to work with 3.3.1?

Scott Ostrander
Staff System Administrator
Re: spam assassin custom rule sets
aquero wrote:
> Hi, When i checked the third party softwares for spam-assassin i found many custom rule sets. Do I have to install these rule sets manually? If I perform sa-update, will it will include all these rule sets into my spam-assassin rules list?

Before you start adding a bunch of 3rd party rules, I would reactivate the RBL checks. Those will catch much more spam than any of the other rulesets. Also, you definitely want to bump your required_score back to 5 before you start adding more rules.

That being said, these are the rules that I use (in addition to the stock rules and RBL lists):

    razor2
    dcc
    sought
    khop-bl
    khop-blessed
    khop-general
    khop-sc-neighbors
    Botnet
    FreeMail
    iXhash

Sought and the khop rules can be updated via sa-update.

--
Bowie
Re: Updated rules are not regarded
On 05/29/2010 05:03 AM, Yves Goergen wrote:
>> Stepping away from the ZMI issue and heading towards the larger picture, what kind of spam are you trying to nail down with this ruleset? What goals did you hope to meet with the ZMI rules? If it's a specific type of spam, can you pastebin an example so we can help you more directly?
>
> I have submitted a couple of those spam messages to the ruleset maintainer, but I'm not sure if it helps. I can repost it here if you like to see it. (ZIP 48 kB)

If they're evading bayes and other filters, they might be worth a look. I can take a look at them if you post them to pastebin.com or a similar site and then send me links (this is the best way to avoid spam filters on the list, etc).

>> Are you using Bayes? Are you training it?
>
> Yes. Yes. I'm only training it with spam messages though. I assume it autolearns all the rest. But the bayes filter is absolutely useless to me, it most often rates spam 0-1%, even for repeatedly learned spam messages. Maybe I should erase the bayes brain and restart from new?

Bayes won't work unless you have lots of both spam and ham. Autolearn is apparently not doing its job if most of your spams hit 0-1%. Try teaching it everything you have. If you're that out of whack, it might be worthwhile to start from scratch as you suggested.

>> Most people who want to improve their deployment's SA filters aren't properly utilizing the various plugins. Specifically, DNSBLs, URIBLs, and Bayes, but also things like Razor2, DCC (if legal), and Pyzor.
>
> The very most helpful plugin to me is Botnet. It detects most spam and rates 5 points which is often a big step towards rejection.

I've heard good things about Botnet, though most of its dynamic checks appear to already be folded into SA's trunk (I've actually got some detection rules in there that are more sophisticated but are not yet done cooking).

That said, the dynamic detection bits like Botnet should pale in comparison to any one of: DNSBLs, URIBLs, Bayes, Razor2, DCC, and Pyzor. Almost every case I encounter with this sort of "help me make SA filter better" ends up being a misconfiguration of some or all of those things.

> Most other SA rules don't detect anything although I'm running sa-update daily and it reports an update every some weeks. Only the DNSBL rules apply every once in a while - at least to what is passing the filter. I haven't investigated what's been blocked successfully. I think I've still installed the Image Info thing plugin but I don't think it catches anything these days. Image spam seems to be over.

DNSBLs do a good job; you're probably not noticing them because anything they nail gets hit pretty hard by several rules and thus probably hits your block threshold.

Image spam comes and goes. Third party plugins like iXhash can help.

>> Upgrading to SA 3.3.1 would be a big step up if you're not there already (if you can't, you might want to consider a back-port of the better DNSBLs to SA 3.2.x like my khop-bl channel).
>
> I need to upgrade to SA 3.3, true. It's always been a hassle somewhere between CPAN, other dysfunctional Perl junk, source code and Debian packages... It's a very complicated job. I'm also considering setting up the entire machine anew on Ubuntu basis and only use platform packages but that's not something I can do in the near future.

Messing with CPAN will work, but might feel daunting, especially if you've never done it before. It also introduces an additional thing to keep track of.

For Debian, I recommend the volatile and backports repositories. Go to www.backports.org and add lenny-backports, then pin it to a low priority and un-pin spamassassin.

    Package: *
    Pin: release a=lenny-backports
    Pin-Priority: 150

    Package: spamassassin
    Pin: release a=lenny-backports
    Pin-Priority: 500

I've also got testing and unstable pinned even lower at 1 and -1, but that's up to you. 500 is the default pin, 101-500 will upgrade a manually-installed newer package if there is a candidate, 1-100 will install candidates if higher pin versions are missing, and lower pins are never installed. See the man page for apt_preferences for detail.

    # apt-cache policy spamassassin
    spamassassin:
      Installed: 3.2.5-2+lenny1.1~volatile1
      Candidate: 3.3.1-1~bpo50+1
      Package pin: 3.3.1-1~bpo50+1
      Version table:
         3.3.1-1 500
              1 http://debian.lcs.mit.edu/debian/ squeeze/main Packages
             -1 http://debian.lcs.mit.edu/debian/ unstable/main Packages
         3.3.1-1~bpo50+1 500
            150 http://www.backports.org lenny-backports/main Packages
         3.2.5-2+lenny2 500
            500 http://debian.lcs.mit.edu/debian/ lenny/main Packages
         3.2.5-2+lenny1.1~volatile1 500
            500 http://volatile.debian.org lenny/volatile/main Packages
    # aptitude install spamassassin
    ...
What are these errors: DNS_FROM_OPENWHOIS RBL FH_DATE_PAST_20XX??
Hi, I have installed spam-assassin in my mail server and when I send mails from my gmail account I always get these errors:

    * 2.4 DNS_FROM_OPENWHOIS RBL: Envelope sender listed in bl.open-whois.org.
    * 3.4 FH_DATE_PAST_20XX The date is grossly in the future.

Because of these errors my spam score is always greater than 5 and I think a spam score greater than 5 is not good. I googled about these errors, and I read somewhere that if I update spam-assassin, these errors would go. Is it true? Are these errors critical? If not, how can I turn these checks off?