Re: Whitelist question
Hi,

For clarity: assuming your MTA inserts a Return-Path: header, or adds a clause to the Received header about the envelope sender, whitelist_from_rcvd will match against it, in addition to the From: header, and several other from-like headers. (however Resent-From should take priority if present..)

I ran a different message (don't have the original any longer), and it showed only loopback as the trusted network:

[18656] dbg: received-header: parsed as [ ip=127.0.0.1 rdns=localhost.localdomain helo=localhost by=localhost ident= envfrom= intl=0 id=5161B42 auth= msa=0 ]
[18656] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no
[18656] dbg: received-header: parsed as [ ip=127.0.0.1 rdns= helo=smtp01.example.com by=localhost ident= envfrom= intl=0 id=09005-449 auth= msa=0 ]
[18656] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no

What am I missing? Shouldn't there be an ip= entry for smtp01.example.com? I have trusted_networks defined in local.cf, and it includes the smtp01.example.com server.

Thanks,
Alex
Re: SPF soft fail problem
Matus UHLAR - fantomas uh...@fantomas.sk wrote on 08/23/2010 04:50:39 PM:

Looking at it more deeply, nawilliams.com has three nameservers (but only 2 delegations from .com), where two return -all and one returns ~all:

% dig spf nawilliams.com @beulah.zootsplace.com.
nawilliams.com. 30 IN SPF v=spf1 mx -all

On 24.08.10 00:30, Emin Akbulut wrote:

To everybody; one of the best online diagnostic tool http://www.intodns.com/nawilliams.com

1. this tool didn't find the error mentioned, and while it's very hard to detect this problem, posting this address here just wouldn't help.

2. the tool incorrectly reports Missing nameservers reported by parent as FAIL, since this is not a problem by itself. it should cause warning.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
The only substitute for good manners is fast reflexes.
Re: SPF soft fail problem
To everybody; one of the best online diagnostic tool http://www.intodns.com/nawilliams.com

1. this tool didn't find the error mentioned, and while it's very hard to detect this problem, posting this address here just wouldn't help.

FWIW, to find DNS inconsistencies you need a full-traversal DNS checker like:

http://www.squish.net/dnscheck

Anthony
--
www.fonant.com - Quality web sites
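An added example, not written by any poster in this thread: the per-nameserver comparison that catches the inconsistency described above (two servers answering `-all`, one `~all`). The answers would be collected with one `dig spf <domain> @<nameserver>` per authoritative server; here they are embedded, and the `ns2`/`ns3` names and their records are constructed placeholders.

```python
from collections import defaultdict

# Constructed per-nameserver answers. Only the first entry is quoted in the
# thread; ns2/ns3 are placeholder names standing in for the other two servers.
ANSWERS = {
    "beulah.zootsplace.com.": ["v=spf1 mx -all"],
    "ns2.example.net.": ["v=spf1 mx -all"],
    "ns3.example.net.": ["v=spf1 mx ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(txt_strings):
    """Return the SPF record if the server served exactly one, else None."""
    found = [s.strip('"') for s in txt_strings
             if s.strip('"').lower().split(" ")[0] == "v=spf1"]
    return found[0] if len(found) == 1 else None


def all_result(record):
    """Result of the record's 'all' mechanism; neutral when it has none."""
    for term in record.split()[1:]:
        # A mechanism without an explicit qualifier defaults to "+".
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def compare_nameservers(answers):
    """Group nameservers by the SPF policy they serve and flag disagreement."""
    groups = defaultdict(list)
    for ns, strings in sorted(answers.items()):
        record = spf_record(strings)
        verdict = all_result(record) if record else "no-record"
        groups[(record, verdict)].append(ns)
    return {"consistent": len(groups) == 1, "groups": dict(groups)}


if __name__ == "__main__":
    report = compare_nameservers(ANSWERS)
    print("consistent:", report["consistent"])
    for (record, verdict), servers in report["groups"].items():
        print(f"{verdict:9} {record!r} <- {', '.join(servers)}")
```

A checker that asks only one nameserver sees a single group and reports nothing wrong, which is why the single-resolver tool in the thread missed it.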
Re: SPF soft fail problem
On Tue, 2010-08-24 at 19:03 +0100, Anthony Cartmell wrote:

To everybody; one of the best online diagnostic tool http://www.intodns.com/nawilliams.com

1. this tool didn't find the error mentioned, and while it's very hard to detect this problem, posting this address here just wouldn't help.

FWIW, to find DNS inconsistencies you need a full-traversal DNS checker like:

http://www.squish.net/dnscheck

Thanks for that. Bookmarked.

Martin
russian spam with only two lines in the body
Hi,

Recently, I am getting Russian spam like at http://pastebin.com/Yf3AusJ4

All of their characteristic is that there are two lines in the body. First is a sentence, second is url ending with .ru/

How can I write a rule for this type of spam? Or can spamassassin team write a rule to distribute via sa-learn update?

Thanks.
RE: How the hell barracuda behaves?
Agreed. Seems to me that any discussion related to blocking spam is relevant.

no Perkel, everything posted is not necessarily acceptable, helpful and/or relevant. especially when spamming the list for your tarbaby stuff, free or not.

it appears to me that you used to be a lot more involved with brainstorming, and other ideas, programming, and asking for help programming your ideas. many ideas are/were excellent and some have borne fruit. some have not.

if you would invest even more of your monies time and pursue some of what has been suggested on and by the knowledgeable list participants, you will eventually bring forth a lot more fruit.

- rh
Re: russian spam with only two lines in the body
On 08/25/2010 10:06 AM, Ibrahim Harrani wrote:

Hi, Recently, I am getting russian spam like at http://pastebin.com/Yf3AusJ4 All of their characteristic is that there are two line in the body. First is a sentence, second is url ending with .ru/

This is an example of what I reported a couple of weeks ago, Subject: short pharma spam shoots straight through

The content changes per message, along with the link. The From and Subject lines intent scream I am spam - but are changed every time making blocking on string matches time consuming and a losing battle

It's nasty :-(

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
RE: After upgrade the SA to 3.3.1, Mail scanning stop working partially
Below is my full local.cf. I already run 'spamassassin --lint'

No other rules are conflicting with test.cf.

[r...@spd spamassassin]# cat local.cf
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#

# Add *SPAM* to the Subject header of spam e-mails
#
rewrite_header Subject SPAM-123

# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
report_safe 1

# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.

# Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock

# Set the threshold at which a message is considered spam (default: 5.0)
#
required_score 5.0

# Use Bayesian classifier (default: 1)
#
use_bayes 1

# Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 1

# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status

# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
# shortcircuit SUBJECT_IN_WHITELIST on

# the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST on
# shortcircuit USER_IN_BLACKLIST_TO on
# shortcircuit SUBJECT_IN_BLACKLIST on

# if you have taken the time to correctly specify your trusted_networks,
# this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED on

# and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit

below is the spamd logfile entries..

Aug 25 08:07:01 spd spamd[3776]: spamd: connection from spd [127.0.0.1] at port 59296
Aug 25 08:07:01 spd spamd[3776]: spamd: setuid to clamav succeeded
Aug 25 08:07:01 spd spamd[3776]: spamd: processing message 00fb01cb43fe$5e706710$1b5135...@com for clamav:46
Aug 25 08:07:12 spd spamd[3776]: spamd: clean message (4.0/5.0) for clamav:46 in 10.7 seconds, 2792 bytes.
Aug 25 08:07:12 spd spamd[3776]: spamd: result: . 4 - ALL_TRUSTED,HTML_MESSAGE,LOCAL_DEMONSTRATION_RULE,MIME_HTML_MOSTLY,TVD_SPACE_RATIO scantime=10.7,size=2792,user=clamav,uid=46,required_score=5.0,rhost=spd,raddr=127.0.0.1,rport=59296,mid=00fb01cb43fe$5e706710$1b5135...@com,autolearn=no
Aug 25 08:07:12 spd spamd[3775]: prefork: child states: II

It seems that it consider test.cf file (LOCAL_DEMONSTRATION_RULE) while processing the mail..but still not consider it as a mail...

-Original Message-
From: Karsten Bräckelmann [mailto:guent...@rudersport.de]
Sent: Monday, August 23, 2010 7:40 PM
To: users@spamassassin.apache.org
Subject: Re: After upgrade the SA to 3.3.1, Mail scanning stop working partially

On Mon, 2010-08-23 at 08:16 +0530, Suhag Desai wrote:

After upgrade the SpamAssassin Server version to 3.3.1, my mail scanning stop working partially.

Below is the setting for local.cf

rewrite_header Subject SPAM
report_safe 1
required_score 5.0
use_bayes 1
bayes_auto_learn 1
endif # Mail::SpamAssassin::Plugin::Shortcircuit

Is that the exact content of your local.cf? That doesn't even pass lint testing. Did you do 'spamassassin --lint'?

Let me explain in details. When I set the required score to 5.0, mail scanning is not working properly. When I send the mail with “test123” with required score 5, SA not consider it spam but when I set the required score to 4, SA consider it spam the same mail. I have check the same with many other test.

What do the X-Spam headers read SA generates?

You are using a test rule with a score of 5.0, which is the same as the required_score threshold. Odds are, there are other rules firing on the message as well. If the sum of these other rules is less than 0, but greater than -1, you'd get exactly what you just described.

Below is the log

@40004c71e02d1471a28c simscan:[4698]:CLEAN (-1.00/12.00):5.3640s:test123:192.168.10.70:s...@test.com:d...@test.com
@40004c71e02f35bee364 tcpserver: end 4698 status 0
@40004c71e02f35bf0e5c tcpserver: status: 0/100

There is no SA logs in there.

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
Re: russian spam with only two lines in the body
On ons 25 aug 2010 04:29:02 CEST, Jason Haar wrote

It's nasty :-(

rules can be nasty too :)

#
# save into local_russian_domains.cf
#
uri __RU_TLD /\.ru\b/i
uri __RU_TLD_WHITE /\bexample\.ru\b/i
meta __URI_LISTED (URIBL_AB_SURBL || URIBL_WS_SURBL || URIBL_JP_SURBL || URIBL_BLACK || URIBL_DBL_SPAM || URIBL_SBL || GREY_LISTED_LOCAL || SPAM_LISTED_LOCAL)
meta MATCH_RU_TLD (__RU_TLD && !__URI_LISTED)
describe MATCH_RU_TLD Meta: ru tld matched (properly new spam domain)
score MATCH_RU_TLD 10
# meta MATCH_RU_TLD_WHITE (__RU_TLD_WHITE)
# describe MATCH_RU_TLD_WHITE Meta: ru tld matched (but verified not a spam domain)
# score MATCH_RU_TLD_WHITE -10
# that's my first version
# meta 2ND_MATCH_RU_TLD_WHITE (__RU_TLD && !__RU_TLD_WHITE)
# this version does not need the -10 score
# last version if it does not work make it better

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Whitelist question
On 8/24/2010 1:13 PM, Alex wrote:

Hi,

For clarity: assuming your MTA inserts a Return-Path: header, or adds a clause to the Received header about the envelope sender, whitelist_from_rcvd will match against it, in addition to the From: header, and several other from-like headers. (however Resent-From should take priority if present..)

I ran a different message (don't have the original any longer), and it showed only loopback as the trusted network:

[18656] dbg: received-header: parsed as [ ip=127.0.0.1 rdns=localhost.localdomain helo=localhost by=localhost ident= envfrom= intl=0 id=5161B42 auth= msa=0 ]
[18656] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no
[18656] dbg: received-header: parsed as [ ip=127.0.0.1 rdns= helo=smtp01.example.com by=localhost ident= envfrom= intl=0 id=09005-449 auth= msa=0 ]
[18656] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no

What am I missing? Shouldn't there be an ip= entry for smtp01.example.com? I have trusted_networks defined in local.cf, and it includes the smtp01.example.com server.

Thanks,
Alex

Um, no. smtp01.example.com is your own box. Or at least some process running ON YOUR SERVER is connecting over the loopback (127.0.0.1) and delivering mail with a HELO string of smtp01.example.com. Do you have some kind of system that queues and re-delivers mail locally over a SMTP loopback?

Regardless, it does look like your DNS server isn't answering reverse lookups for 127.0.0.1. That should be fixed by adding a reverse zone for 0.0.127.in-addr.arpa. Most OS distros come with a sample zone file for this as part of their stock config.
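An added example, not part of either poster's message: a small parser for the `received-header` debug lines quoted above that pairs each hop's fields with its trust verdict and surfaces the two points the reply makes (a non-local HELO string arriving over loopback, and the empty `rdns=` field). The function names are hypothetical; the log text is copied from the thread.

```python
import ipaddress
import re

# The four debug lines quoted in the thread, embedded so the block runs offline.
DEBUG_LOG = """\
[18656] dbg: received-header: parsed as [ ip=127.0.0.1 rdns=localhost.localdomain helo=localhost by=localhost ident= envfrom= intl=0 id=5161B42 auth= msa=0 ]
[18656] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no
[18656] dbg: received-header: parsed as [ ip=127.0.0.1 rdns= helo=smtp01.example.com by=localhost ident= envfrom= intl=0 id=09005-449 auth= msa=0 ]
[18656] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no
"""

PARSED = re.compile(r"received-header: parsed as \[ (.*?) \]")
RELAY = re.compile(r"received-header: relay (\S+) trusted\? (\w+) internal\? (\w+)")


def parse_relays(log):
    """Pair each 'parsed as' record with the trust verdict that follows it."""
    relays, current = [], None
    for line in log.splitlines():
        m = PARSED.search(line)
        if m:
            # Fields are space-separated key=value; a value may be empty (rdns=).
            current = dict(tok.partition("=")[::2] for tok in m.group(1).split())
            relays.append(current)
            continue
        m = RELAY.search(line)
        if m and current is not None and m.group(1) == current.get("ip"):
            current["trusted"] = m.group(2) == "yes"
            current["internal"] = m.group(3) == "yes"
    return relays


def review(relays):
    """Per-hop notes on what the debug output actually shows."""
    notes = []
    for n, r in enumerate(relays, 1):
        loopback = ipaddress.ip_address(r["ip"]).is_loopback
        if loopback and r["helo"] not in ("localhost", "localhost.localdomain"):
            notes.append(f"hop {n}: HELO {r['helo']} arrived over loopback {r['ip']}; "
                         "the relay line reports trust for ip=, not for the HELO name")
        if not r["rdns"]:
            notes.append(f"hop {n}: no reverse DNS for {r['ip']}")
    return notes


if __name__ == "__main__":
    for note in review(parse_relays(DEBUG_LOG)):
        print(note)
```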