Re: Blacklist for spam-words
OK, i updated it with cpan after uninstalling. But i had to change something in amavis-new, according to: http://o-o-s.de/?p=2735 And now my sa-config is in /etc/mail/spamassassin. Before, it was one level higher, which is really not important. -- View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29744006.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: injected headers are triggering dns whitelists
On fre 17 sep 2010 16:55:11 CEST, Lawren Quigley-Jones wrote I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2 is this a joke ? :) -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: injected headers are triggering dns whitelists
στις 17/09/2010 09:21 μμ, O/H Neil Lazarow έγραψε: Sergey Tsabolov ( aka linuxman ) wrote: στις 17/09/2010 05:55 μμ, O/H Lawren Quigley-Jones έγραψε: I've been repeatedly running into problems where dns white-lists have been causing false negatives in spam. Valid looking headers are being injected at the beginning of emails which are tripping dns whitelists (see below). As a result I've been slowly disabling dns whitelist rules: score HABEAS_ACCREDITED_COI 0 score HABEAS_ACCREDITED_SOI 0 score RCVD_IN_DNSWL_MED 0 score RCVD_IN_BSP_TRUSTED 0 score RCVD_IN_DNSWL_HI 0 I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2 You mast to upgrade it with this way http://mail-archives.apache.org/mod_mbox/spamassassin-users/201009.mbox/browser And after you can change configuration . First step is upgrade . Has anyone else been seeing this? Is this a mis-configuration on my part? Is there anything I can do to get SpamAssassin to check only the last header and ignore anything below that? === Return-Path: Received: from murder ([unix socket]) (authenticated user=postmaster bits=0) by myservername (Cyrus v2.2.13-Debian-2.2.13-13ubuntu3) with LMTPA; Fri, 17 Sep 2010 10:15:14 -0400 X-Sieve: CMU Sieve 2.2 Received: from X98.bbn07-081.lipetsk.ru (unknown [178.234.81.98]) by myservername.athenium.com (Postfix) with ESMTP id D53E41D40B0 for ; Fri, 17 Sep 2010 10:15:12 -0400 (EDT) Received: from svtmail04.prod.sabre.com (svtmail00.prod.sabre.com [151.193.64.1]) by server42.appriver.com with esmtp id 3651BD-000812-22 for ab...@athenium.com; Fri, 17 Sep 2010 18:15:01 +0300 Received: from microsof56e61a (10.208.60.9:76737) by svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id <9.649bf...@svtmail08.prod.sabre.com>; Fri, 17 Sep 2010 18:15:01 +0300 Date: Fri, 17 Sep 2010 18:15:01 +0300 From: "Jerry Burton" To: ab...@athenium.com Message-ID: <94685159.45679744792947233404.javamail@microsof56e61a> Subject: Re: Vacation MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=_Part_7403571_82314638.3159918817094" X-Virus-Scanned: clamav-milter 0.95.3 at myservername X-Virus-Status: Clean X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_99,HTML_MESSAGE, RCVD_IN_DNSWL_HI,SPF_SOFTFAIL,UNPARSEABLE_RELAY autolearn=no version=3.2.4 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on myservername.xxx.athenium.com I have been getting some of those as well. I tried adjusting the RCVD_IN_DNSWL rules to half of their default values to reduce their effect on the spam score, but am not sure how much of an effect that will have yet. Why , you found some not normal ? -- -- Don't send me documents in .doc , .docx, .xls, .ppt . , .pptx Send it with ODF format : .odt , .odp , .ods or .pdf . Try to use Open Document Format : http://www.openoffice.org/ Save you money& use GNU/Linux Distro http://distrowatch.com/ -
Re: Yahoo HTML Base64 Attachments
On Fri, 17 Sep 2010, Joseph Brennan wrote: On fre 17 sep 2010 00:30:27 CEST, Chris Owen wrote > 1) From yahoo.com > 2) Have a HTML attachment > 3) Are base64 encoded The html includes something like this, inside a comment. It's really over a hundred escaped characters: document.write(unescape("%3C%53%43%52%49%50%54%20%4C and I think this matches it: /document\.write\(unescape\(\"(\%..\%){10,}/ This seems to need a RAWBODY check to match. That's as far as I've got. Adding to my sandbox for masscheck: rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- No representation without taxation! --- Today: the 223rd anniversary of the signing of the U.S. Constitution
Re: Yahoo HTML Base64 Attachments
On fre 17 sep 2010 00:30:27 CEST, Chris Owen wrote 1) From yahoo.com 2) Have a HTML attachment 3) Are base64 encoded The html includes something like this, inside a comment. It's really over a hundred escaped characters: document.write(unescape("%3C%53%43%52%49%50%54%20%4C and I think this matches it: /document\.write\(unescape\(\"(\%..\%){10,}/ While unescape is a legitimate function, it's odd that a string would start off with a lengthy series of escaped characters. This seems to need a RAWBODY check to match. That's as far as I've got. Joseph Brennan Columbia University Information Technology
Re: Yahoo HTML Base64 Attachments
On Sep 17, 2010, at 2:27 PM, Joseph Brennan wrote: > They're not really from Yahoo. No DKIM, no Newman property. That's > a fake header. Looks like I missed the real header. All the better I guess though. Makes catching these even easier. Chris -- - Chris Owen - Garden City (620) 275-1900 - Lottery (noun): President - Wichita (316) 858-3000 -A stupidity tax Hubris Communications Inc www.hubris.net -
Re: Yahoo HTML Base64 Attachments
--On Thursday, September 16, 2010 17:30 -0500 Chris Owen wrote: We're seeing a lot of what I assume are exploit files coming from yahoo.com. They are all base64 encoded HTML attachments with a bunch of javascript in them. http://pastebin.com/ZSmW0kwW They're not really from Yahoo. No DKIM, no Newman property. That's a fake header. The javascript is just an incredibly obfuscated way of putting in a url. Base 64, javascript, two layers of redirect and... it's the "Canadian" Pharmacy. Joseph Brennan Lead Email Systems Engineer Columbia University Information Technology
Re: injected headers are triggering dns whitelists
στις 17/09/2010 05:55 μμ, O/H Lawren Quigley-Jones έγραψε: I've been repeatedly running into problems where dns white-lists have been causing false negatives in spam. Valid looking headers are being injected at the beginning of emails which are tripping dns whitelists (see below). As a result I've been slowly disabling dns whitelist rules: score HABEAS_ACCREDITED_COI 0 score HABEAS_ACCREDITED_SOI 0 score RCVD_IN_DNSWL_MED 0 score RCVD_IN_BSP_TRUSTED 0 score RCVD_IN_DNSWL_HI 0 I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2 You mast to upgrade it with this way http://mail-archives.apache.org/mod_mbox/spamassassin-users/201009.mbox/browser And after you can change configuration . First step is upgrade . Has anyone else been seeing this? Is this a mis-configuration on my part? Is there anything I can do to get SpamAssassin to check only the last header and ignore anything below that? === Return-Path: Received: from murder ([unix socket]) (authenticated user=postmaster bits=0) by myservername (Cyrus v2.2.13-Debian-2.2.13-13ubuntu3) with LMTPA; Fri, 17 Sep 2010 10:15:14 -0400 X-Sieve: CMU Sieve 2.2 Received: from X98.bbn07-081.lipetsk.ru (unknown [178.234.81.98]) by myservername.athenium.com (Postfix) with ESMTP id D53E41D40B0 for ; Fri, 17 Sep 2010 10:15:12 -0400 (EDT) Received: from svtmail04.prod.sabre.com (svtmail00.prod.sabre.com [151.193.64.1]) by server42.appriver.com with esmtp id 3651BD-000812-22 for ab...@athenium.com; Fri, 17 Sep 2010 18:15:01 +0300 Received: from microsof56e61a (10.208.60.9:76737) by svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id <9.649bf...@svtmail08.prod.sabre.com>; Fri, 17 Sep 2010 18:15:01 +0300 Date: Fri, 17 Sep 2010 18:15:01 +0300 From: "Jerry Burton" To: ab...@athenium.com Message-ID: <94685159.45679744792947233404.javamail@microsof56e61a> Subject: Re: Vacation MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=_Part_7403571_82314638.3159918817094" X-Virus-Scanned: clamav-milter 0.95.3 at myservername X-Virus-Status: Clean X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_99,HTML_MESSAGE, RCVD_IN_DNSWL_HI,SPF_SOFTFAIL,UNPARSEABLE_RELAY autolearn=no version=3.2.4 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on myservername.xxx.athenium.com -- -- Don't send me documents in .doc , .docx, .xls, .ppt . , .pptx Send it with ODF format : .odt , .odp , .ods or .pdf . Try to use Open Document Format : http://www.openoffice.org/ Save you money& use GNU/Linux Distro http://distrowatch.com/ -
Re: injected headers are triggering dns whitelists
On 9/17/2010 10:55 AM, Lawren Quigley-Jones wrote: > I've been repeatedly running into problems where dns white-lists have > been causing false negatives in spam. Valid looking headers are being > injected at the beginning of emails which are tripping dns whitelists > (see below). As a result I've been slowly disabling dns whitelist rules: > score HABEAS_ACCREDITED_COI 0 > score HABEAS_ACCREDITED_SOI 0 > score RCVD_IN_DNSWL_MED 0 > score RCVD_IN_BSP_TRUSTED 0 > score RCVD_IN_DNSWL_HI 0 > > I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2 > > Has anyone else been seeing this? Is this a mis-configuration on my > part? Is there anything I can do to get SpamAssassin to check only > the last header and ignore anything below that? If you have your trusted_networks and internal_networks set properly, then the whitelists should only fire on trusted headers. If you do not specify these, then SA will take its best guess. Fake headers inserted by the sender should not affect a properly configured SA. -- Bowie
Re: The most amazing spam ...
Giles Coochey wrote: > On Thu, September 16, 2010 15:57, Martin Gregorie wrote: >> On Thu, 2010-09-16 at 13:36 +0200, Giles Coochey wrote: >>> On Thu, September 16, 2010 13:28, Martin Gregorie wrote: >>> > On Thu, 2010-09-16 at 07:28 +0200, Per Jessen wrote: >>> >> http://public.jessen.ch/files/mazeweb-spam.jpeg >>> >> >>> >> >>> > A cynic might wonder whether it also harvests valid e-mail >>> > addresses. >>> > >>> >>> Appears to be a perfectly reputable service to me... what makes you >>> think >>> there is anything untoward? >>> >> An anti-spammer spamming? C'mon! >> > > They must know their stuff if spamassassin didn't catch it. Not much to know really - it was a very ordinary email, scored barely 1.4 points. It was DKIM signed, verified, failed SPF because it was forwarded via ieee.org. /Per Jessen, Zürich
injected headers are triggering dns whitelists
I've been repeatedly running into problems where dns white-lists have been causing false negatives in spam. Valid looking headers are being injected at the beginning of emails which are tripping dns whitelists (see below). As a result I've been slowly disabling dns whitelist rules: score HABEAS_ACCREDITED_COI 0 score HABEAS_ACCREDITED_SOI 0 score RCVD_IN_DNSWL_MED 0 score RCVD_IN_BSP_TRUSTED 0 score RCVD_IN_DNSWL_HI 0 I'm running SpamAssassin on ubuntu hardy: spamassassin 3.2.4-1ubuntu1.2 Has anyone else been seeing this? Is this a mis-configuration on my part? Is there anything I can do to get SpamAssassin to check only the last header and ignore anything below that? === Return-Path: Received: from murder ([unix socket]) (authenticated user=postmaster bits=0) by myservername (Cyrus v2.2.13-Debian-2.2.13-13ubuntu3) with LMTPA; Fri, 17 Sep 2010 10:15:14 -0400 X-Sieve: CMU Sieve 2.2 Received: from X98.bbn07-081.lipetsk.ru (unknown [178.234.81.98]) by myservername.athenium.com (Postfix) with ESMTP id D53E41D40B0 for ; Fri, 17 Sep 2010 10:15:12 -0400 (EDT) Received: from svtmail04.prod.sabre.com (svtmail00.prod.sabre.com [151.193.64.1]) by server42.appriver.com with esmtp id 3651BD-000812-22 for ab...@athenium.com; Fri, 17 Sep 2010 18:15:01 +0300 Received: from microsof56e61a (10.208.60.9:76737) by svtmail09.prod.sabre.com (LSMTP for Windows NT v1.1b) with SMTP id <9.649bf...@svtmail08.prod.sabre.com>; Fri, 17 Sep 2010 18:15:01 +0300 Date: Fri, 17 Sep 2010 18:15:01 +0300 From: "Jerry Burton" To: ab...@athenium.com Message-ID: <94685159.45679744792947233404.javamail@microsof56e61a> Subject: Re: Vacation MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=_Part_7403571_82314638.3159918817094" X-Virus-Scanned: clamav-milter 0.95.3 at myservername X-Virus-Status: Clean X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_99,HTML_MESSAGE, RCVD_IN_DNSWL_HI,SPF_SOFTFAIL,UNPARSEABLE_RELAY autolearn=no version=3.2.4 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on myservername.xxx.athenium.com
RE: Spamassassing not doing DNSBL lookup
On Fri, 17 Sep 2010, Milind Patil wrote: I run spamassassin via MailScanner and in the MailScanner I have enabled the DNSBL check. Ah, okay. I'm not familiar with MailScanner so I can't offer any advice. Perhaps someone else can, or if there's a MailScanner list you might be able to ask there. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Today: the 223rd anniversary of the signing of the U.S. Constitution
Re: New plugin: DecodeShortURLs
On Fri, 17 Sep 2010 14:11:41 +0100 Steve Freegard wrote: > Hi All, > > Recently I've been getting a bit of filter-bleed from a bunch of > spams injected via Hotmail/Yahoo that contain shortened URLs e.g. > bit.ly/foo that upon closer inspection would have been rejected with > a high score if the real URL had been used. > > To that end - it annoyed me enough to write a plug-in that decodes > the shortened URL using an HTTP HEAD request to extract the location > header sent by the shortening service and to put this into the list > of extracted URIs for other plug-ins to find (such as URIDNSBL). > I think it might be better to take the "blocked page" handling out of the perl and turn it into an ordinary uri rule.
Re: New plugin: DecodeShortURLs
On 17/09/10 14:33, Jari Fredriksson wrote: It has a typo. describe URIBL_SHORT... The rule name is wrong, should be SHORT_URIBL Didn't you --lint it? ;) Doh! - fixed. Regards, Steve.
Re: New plugin: DecodeShortURLs
On 17.9.2010 16:11, Steve Freegard wrote: > Hi All, > > Recently I've been getting a bit of filter-bleed from a bunch of spams > injected via Hotmail/Yahoo that contain shortened URLs e.g. bit.ly/foo > that upon closer inspection would have been rejected with a high score > if the real URL had been used. > > To that end - it annoyed me enough to write a plug-in that decodes the > shortened URL using an HTTP HEAD request to extract the location header > sent by the shortening service and to put this into the list of > extracted URIs for other plug-ins to find (such as URIDNSBL). > > On the messages I tested it with - it raised the scores from <5 to >10 > based on URIDNSBL hits which is just what I wanted. > > Hopefully it will be useful to others; you can grab it from: > > http://www.fsl.com/support/DecodeShortURLs.pm > http://www.fsl.com/support/DecodeShortURLs.cf It has a typo. describe URIBL_SHORT... The rule name is wrong, should be SHORT_URIBL Didn't you --lint it? ;) -- You will not be elected to public office this year.
Re: New plugin: DecodeShortURLs
2010/9/17 Steve Freegard > Hi All, > > Recently I've been getting a bit of filter-bleed from a bunch of spams > injected via Hotmail/Yahoo that contain shortened URLs e.g. bit.ly/foothat > upon closer inspection would have been rejected with a high score if > the real URL had been used. > > To that end - it annoyed me enough to write a plug-in that decodes the > shortened URL using an HTTP HEAD request to extract the location header sent > by the shortening service and to put this into the list of extracted URIs > for other plug-ins to find (such as URIDNSBL). > > On the messages I tested it with - it raised the scores from <5 to >10 > based on URIDNSBL hits which is just what I wanted. > > Hopefully it will be useful to others; you can grab it from: > > http://www.fsl.com/support/DecodeShortURLs.pm > http://www.fsl.com/support/DecodeShortURLs.cf > > Kind regards, > Steve. > > Thanks Steve! i will test it later!
New plugin: DecodeShortURLs
Hi All, Recently I've been getting a bit of filter-bleed from a bunch of spams injected via Hotmail/Yahoo that contain shortened URLs e.g. bit.ly/foo that upon closer inspection would have been rejected with a high score if the real URL had been used. To that end - it annoyed me enough to write a plug-in that decodes the shortened URL using an HTTP HEAD request to extract the location header sent by the shortening service and to put this into the list of extracted URIs for other plug-ins to find (such as URIDNSBL). On the messages I tested it with - it raised the scores from <5 to >10 based on URIDNSBL hits which is just what I wanted. Hopefully it will be useful to others; you can grab it from: http://www.fsl.com/support/DecodeShortURLs.pm http://www.fsl.com/support/DecodeShortURLs.cf Kind regards, Steve.
RE: Looking for a "How To" to build Spamassassin+ClamAV mail filter
Brent Kennedy wrote: > My setup looks something like this...I use postfix to strip the > headers in emails. That is helpful. This service will be ahead of Exchange in many instances as well. Brent Kennedy wrote: > I know there are some ISP guys on this list who would know how to > handle a customer interface if you wanted one. To provide a professional service I would need to. Brent Kennedy wrote: > Little google search foo: I didn't use your exact search because I use Exim, but I Googled for this information and didn't come up with anything I could use. After that, I decided to look on forums for SpamAssassin. This one was the best I've found so far, and this sub-forum the most appropriate. I searched this forum before posting. -- View this message in context: http://old.nabble.com/Looking-for-a-%22How-To%22-to-build-Spamassassin%2BClamAV-mail-filter-tp29734002p29738038.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
On 17/09/10 11:21, franc wrote: In that case, uninstalling Spamassassin from Apt (and then doing an apt-get --autoremove to clear out Perl libs installed through apt/dpkg) and re-installing with CPAN should be fine, and you'll be able to keep it up to date. I use aptitude, is this the same then? Will this uninstall all Perl? Because i need this for other things. Aptitude does it by default. It won't uninstall Perl, but it will remove Perl libraries that were brought in as dependencies of SA through apt[itude]. As those libraries would also be installed by CPAN as dependencies (possibly newer versions), you want them out of the way so there is no conflict/confusion between the versions. It's the same reason that it is a bad idea to install one way then upgrade another.
Re: Blacklist for spam-words
στις 17/09/2010 12:55 μμ, O/H Dominic Benson έγραψε: On 17/09/10 10:42, franc wrote: I doubt if this is possible on a VPS. At least the kernel is not changeable because coming from the host and is old enough (2.6.9). I guess an update to Lucid Lynx (10.04) will be if not unpossible but problematic. Not is not be problematic the most of upgrade . When in operation of upgrade ask you to change some files on host say no keep the default not change with new files , just with this way the upgrade not be problematic . An one question , you use Cpanel on Ubuntu ? I know cpanel not compatible with Debian based Distros So if i use CPAN and keep my Hardy Heron, there won't be problems or yes? Yes, you're right, you won't be able to upgrade to Lucid. Sorry, I didn't notice you were using a VPS. In that case, uninstalling Spamassassin from Apt Not need to uninstalling Spamassassin from Apt Just open backpports sources and give one command apt-get update && apt-get upgrade And you upgrade to SpamAssassin to version 3.2.5 (and then doing an apt-get --autoremove to clear out Perl libs installed through apt/dpkg) and re-installing with CPAN should be fine, and you'll be able to keep it up to date. Dominic -- --- Don't send me documents in .doc , .docx, .xls, .ppt , .pptx . Send it with ODF format : .odt , .odp , .ods or .pdf . Try to use Open Document Format : http://el.openoffice.org/ Save you money and use GNU/Linux Distro http://distrowatch.com/ --
Re: Blacklist for spam-words
> In that case, uninstalling Spamassassin from Apt (and then doing an > apt-get --autoremove to clear out Perl libs installed through apt/dpkg) > and re-installing with CPAN should be fine, and you'll be able to keep > it up to date. I use aptitude, is this the same then? Will this uninstall all Perl? Because i need this for other things. -- View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29736988.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
On 17/09/10 10:42, franc wrote: I doubt if this is possible on a VPS. At least the kernel is not changeable because coming from the host and is old enough (2.6.9). I guess an update to Lucid Lynx (10.04) will be if not unpossible but problematic. So if i use CPAN and keep my Hardy Heron, there won't be problems or yes? Yes, you're right, you won't be able to upgrade to Lucid. Sorry, I didn't notice you were using a VPS. In that case, uninstalling Spamassassin from Apt (and then doing an apt-get --autoremove to clear out Perl libs installed through apt/dpkg) and re-installing with CPAN should be fine, and you'll be able to keep it up to date. Dominic
Re: Blacklist for spam-words
> > If you can, upgrade to Lucid. If you can't - and don't ever plan to > upgrade the machine to a later Ubuntu release - then you could uninstall > and then install via CPAN, but I would fairly strongly recommend against > doing that if you have any intention of upgrading it in the future. In > my experience it causes a bit of a mess! I doubt if this is possible on a VPS. At least the kernel is not changeable because coming from the host and is old enough (2.6.9). I guess an update to Lucid Lynx (10.04) will be if not unpossible but problematic. So if i use CPAN and keep my Hardy Heron, there won't be problems or yes? -- View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29736736.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
This is just what i noticed: there is no Ubuntu package update after the 3.2.4-ubu1 related to: http://packages.ubuntu.com/de/hardy/spamassassin But how then to update? Can i use a package for Ubuntu Maverick (10.10) or is this the absolute wrong way? If you add hardy-backports to your apt sources you can upgrade to 3.2.5, but I don't know of a maintained 3.3.x package source for Hardy. If you can, upgrade to Lucid. If you can't - and don't ever plan to upgrade the machine to a later Ubuntu release - then you could uninstall and then install via CPAN, but I would fairly strongly recommend against doing that if you have any intention of upgrading it in the future. In my experience it causes a bit of a mess! Dominic
Re: Blacklist for spam-words
Hi , in you sources.list you have 2 lines #deb http://archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse #deb-src http://archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse Uncomment that lines and try to apt-get update && apt-get upgrade This upgrade install the spamassassin like to me spamassassin -V SpamAssassin version 3.2.5 running on Perl version 5.8.8 Before I use the older version 10 minutes ago I upgraded it to new version . Or if is possible you can upgrade 8.04 LTS to 10.04 LTS but if you not have many accounts . I will update with cpan, leaving this not maintained hardy installation of sa. If i could update ubuntu to 10.04 i would do it, but i hardly think that is possible on my vps without big problems to my customers and me.. -- View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29735980.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.