AW: Pyzor problem

2010-09-29 Thread Hans-Werner Friedemann
It´s obfuscating!
Today it works fine..

Thanks anyway... 

-Original Message-
From: Gerald Turner [mailto:gtur...@unzane.com] 
Sent: Thursday, 30 September 2010 06:57
To: Hans-Werner Friedemann
Cc: spamassassin
Subject: Re: Pyzor problem

"Hans-Werner Friedemann"  writes:

> Hi @ all
>
> what´s the matter with pyzor if I get the following hint by starting 
> spamd?
>
> Wed Sep 29 11:23:29 2010 [5176] info: urlredirect: No redirectors!
> Wed Sep 29 11:23:29 2010 [5176] info: zoom: able to use 675/1223 'body_0'
> compiled rules (55.192%)
> Wed Sep 29 11:23:39 2010 [5176] info: pyzor: [5182] error: TERMINATED, signal
> 15 (000f)
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server started on port 783/tcp
> (running version 3.3.1)
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server pid: 5176
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned
> child process, pid 5184
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned
> child process, pid 5185
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned
> child process, pid 5186
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned
> child process, pid 5187
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned
> child process, pid 5189
>
> Thanks for your help!

I've been investigating this problem as well, I believe it is a timeout error.  
People have been discussing the timeout issue on the pyzor mailing list for 
months, with no resolution:

http://sourceforge.net/mailarchive/forum.php?thread_name=4C07B30A.8080300%40spamexperts.com&forum_name=pyzor-users

-- 
Gerald Turner   Email: gtur...@unzane.com   JID: gtur...@unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D  4D0C 3FA0 810F FA8C D6D5





Re: Pyzor problem

2010-09-29 Thread Gerald Turner
"Hans-Werner Friedemann"  writes:

> Hi @ all
>
> what´s the matter with pyzor if I get the following hint by starting
> spamd?
>
> Wed Sep 29 11:23:29 2010 [5176] info: urlredirect: No redirectors!
> Wed Sep 29 11:23:29 2010 [5176] info: zoom: able to use 675/1223 'body_0' 
> compiled rules (55.192%)
> Wed Sep 29 11:23:39 2010 [5176] info: pyzor: [5182] error: TERMINATED, signal 
> 15 (000f)
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server started on port 783/tcp 
> (running version 3.3.1)
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server pid: 5176
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned 
> child process, pid 5184
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned 
> child process, pid 5185
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned 
> child process, pid 5186
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned 
> child process, pid 5187
> Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned 
> child process, pid 5189
>
> Thanks for your help!

I've been investigating this problem as well, I believe it is a timeout
error.  People have been discussing the timeout issue on the pyzor
mailing list for months, with no resolution:

http://sourceforge.net/mailarchive/forum.php?thread_name=4C07B30A.8080300%40spamexperts.com&forum_name=pyzor-users

-- 
Gerald Turner   Email: gtur...@unzane.com   JID: gtur...@unzane.com
GPG: 0xFA8CD6D5  21D9 B2E8 7FE7 F19E 5F7D  4D0C 3FA0 810F FA8C D6D5




using SA as a tool

2010-09-29 Thread Diffenderfer, Randy
I was under the impression that there was a clear-cut way to use SA as a 
factory within a custom perl wrapper (I have looked at the Mail::SpamAssassin 
doco).  My objective is to do various things to the parsed message, such as 
distill out URLs for example.

Is there indeed a clear way to do this?

Thanks,
rnd



what in the world is this phish? what is outbind?

2010-09-29 Thread Michael Scheidell

 

what in the world is outbind?



(I guess if I click on it on my mac, nothing will happen)
looks like it's a MS thing:



--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best in Email Security,2010: Network Products Guide
   * King of Spam Filters, SC Magazine 2008



Re: DOS_OE_TO_MX

2010-09-29 Thread Karsten Bräckelmann
On Wed, 2010-09-29 at 08:32 -0700, njjrdell wrote:
> Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0) for
> (unknown):500 in 1.0 seconds, 142218 bytes.\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
> AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
> scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0, [...]

I'd suspect your AWL database got corrupt. To remove just her address,
see 'man spamassassin-run' for the --remove-addr-from-whitelist=addr
option.

Alternatively, burn the entire auto-whitelist file and let it start from
scratch.

> I never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
> that is consistent, so I was hoping to find out where it is to make sure
> nothing is scored wrong

The reason for scores about 200, and now even 4000 is not a single rule,
unless you manually set it. Even GTUBE can not do *this*. Hence, I
suspect AWL database corruption. From memory, last time I saw scores in
such a range, this was the issue.


Anyway, serious question. Why does she trip on DOS_OE_TO_MX at all? It
implies she directly submits the message from her MUA to your MX. Does
that very same box run her (outgoing) SMTP and the MX for the
destination domain?

If so, make her use authentication (preferred over Submission port
rather than SMTP), and that hit should stop.

If the above is not the case, you got your trusted and internal networks
broken.


> by AWL do you mean manual whitelist in my local.cf. I'm not aware of auto
> white listing a user

As Larry already said, it's an (admittedly badly named) automatic score
averager, keeping track of previous scores per sender and net block.


On a related note, there's some more strangeness with the samples you
showed. She's hitting DATE_IN_FUTURE_12_24, which most likely means
either her machine's time, or your server's time is broken. Well,
intermittently, it seems -- the first sample did not hit it.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
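
Added example (not part of any message in this thread): a Python triage pass over spamd `result:` lines that flags the three conditions raised in the reply above, namely an AWL hit on a score far beyond the threshold, a DATE_IN_FUTURE hit, and a DOS_OE_TO_MX hit. The log lines are constructed in the format quoted in the thread; the host name, message-ids, flag names, the `factor` threshold and the 5.0 fallback are assumptions.

```python
import re

# Constructed spamd lines in the "result:" format quoted in this thread;
# host name and message-ids are placeholders, not values from the thread.
SAMPLE_LOG = """\
Sep 28 12:49:29 mx spamd[268]: spamd: result: Y 288 - AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C scantime=1.2,size=2345,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,mid=<constructed-1@example.invalid>,bayes=0.297864,autolearn=no
Sep 28 08:35:55 mx spamd[287]: spamd: result: Y 4006 - AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50098,mid=<constructed-2@example.invalid>,bayes=0.483846,autolearn=no
Sep 28 09:10:02 mx spamd[301]: spamd: result: . 1 - BAYES_40 scantime=0.8,size=5120,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50301,mid=<constructed-3@example.invalid>,bayes=0.31,autolearn=no
"""

# verdict, integer score, comma-separated rule names, then key=value fields
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - "
    r"(?P<tests>[\w,]*)\s*(?P<fields>scantime=\S+)"
)


def triage(log_text, factor=10.0):
    """Return the result lines worth a look.

    factor is an assumed cut-off: an AWL hit on a score at least this many
    times required_score is treated as a sign of a bad AWL entry.
    """
    findings = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a result line, or wrapped/truncated by the logger
        score = int(m["score"])
        tests = [t for t in m["tests"].split(",") if t]
        req = re.search(r"required_score=(-?[\d.]+)", m["fields"])
        mid = re.search(r"mid=(<[^>]*>)", m["fields"])
        required = float(req.group(1)) if req else 5.0  # assumed fallback
        flags = []
        if "AWL" in tests and abs(score) >= factor * required:
            flags.append("AWL_SUSPECT")    # inspect or reset the AWL entry
        if any(t.startswith("DATE_IN_FUTURE") for t in tests):
            flags.append("CLOCK_SKEW")     # check sender and server clocks
        if "DOS_OE_TO_MX" in tests:
            flags.append("DIRECT_TO_MX")   # check submission path / trusted networks
        if flags:
            findings.append({"mid": mid.group(1) if mid else None,
                             "score": score, "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
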



RE: DOS_OE_TO_MX

2010-09-29 Thread Rosenbaum, Larry M.
> From: njjrdell [mailto:nruggi...@dellmagazines.net]
> Sent: Wednesday, September 29, 2010 12:05 PM
> To: users@spamassassin.apache.org
> Subject: RE: DOS_OE_TO_MX
> 
> 
> also, won't whitelisting her address open her up for spoofing?

AWL has nothing to do with whitelist_from and other similar options.  It's more 
of a score averager.
http://wiki.apache.org/spamassassin/AutoWhitelist

> thanks for the scores. Now would that just go into
> /usr/local/share/spamassassin/50_scores.cf?
> and why would that score be missing.

It's not missing.  It is in
/var/lib/spamassassin/3.003001/updates_spamassassin_org/50_scores.cf
or some similar directory. To find your config directory path, try this:

spamassassin -D config --lint


> 
> Rosenbaum, Larry M. wrote:
> >
> >
> >
> >> -Original Message-
> >> From: njjrdell [mailto:nruggi...@dellmagazines.net]
> >> Sent: Wednesday, September 29, 2010 11:32 AM
> >> To: users@spamassassin.apache.org
> >> Subject: Re: DOS_OE_TO_MX
> >>
> >>
> >> I'm pretty sure she would not send a GTUBE. Here is another from her
> >>
> >> Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
> >> Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
> >> [127.0.0.1] at port 50098\n
> >> Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
> >> <000b01cb5f6e$b1bbfe80$6629a...@traci> for (unknown):500\n
> >> Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0)
> >> for (unknown):500 in 1.0 seconds, 142218 bytes.\n
> >> Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
> >> AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
> >> scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50098,mid=<000b01cb5f6e$b1bbfe80$6629a...@traci>,bayes=0.483846,autolearn=no\n
> >>
> >>
> >> I never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
> >> that is consistent, so I was hoping to find out where it is to make sure
> >> nothing is scored wrong
> >
> > score DOS_OE_TO_MX 2.602 3.086 2.265 2.523
> >
> >
> >
> 
> --
> View this message in context: http://old.nabble.com/DOS_OE_TO_MX-
> tp29839497p29840133.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



RE: DOS_OE_TO_MX

2010-09-29 Thread njjrdell

also, won't whitelisting her address open her up for spoofing?

thanks for the scores. Now would that just go into
/usr/local/share/spamassassin/50_scores.cf?
and why would that score be missing.



Rosenbaum, Larry M. wrote:
> 
> 
> 
>> -Original Message-
>> From: njjrdell [mailto:nruggi...@dellmagazines.net]
>> Sent: Wednesday, September 29, 2010 11:32 AM
>> To: users@spamassassin.apache.org
>> Subject: Re: DOS_OE_TO_MX
>> 
>> 
>> I'm pretty sure she would not send a GTUBE. Here is another from her
>> 
>> Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
>> Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
>> [127.0.0.1] at port 50098\n
>> Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
>> <000b01cb5f6e$b1bbfe80$6629a...@traci> for (unknown):500\n
>> Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0)
>> for (unknown):500 in 1.0 seconds, 142218 bytes.\n
>> Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
>> AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
>> scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50098,mid=<000b01cb5f6e$b1bbfe80$6629a...@traci>,bayes=0.483846,autolearn=no\n
>> 
>> 
>> I never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
>> that is consistent, so I was hoping to find out where it is to make sure
>> nothing is scored wrong
> 
> score DOS_OE_TO_MX 2.602 3.086 2.265 2.523
> 
> 
> 




RE: DOS_OE_TO_MX

2010-09-29 Thread Rosenbaum, Larry M.


> -Original Message-
> From: njjrdell [mailto:nruggi...@dellmagazines.net]
> Sent: Wednesday, September 29, 2010 11:32 AM
> To: users@spamassassin.apache.org
> Subject: Re: DOS_OE_TO_MX
> 
> 
> I'm pretty sure she would not send a GTUBE. Here is another from her
> 
> Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
> [127.0.0.1] at port 50098\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
> <000b01cb5f6e$b1bbfe80$6629a...@traci> for (unknown):500\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0) for
> (unknown):500 in 1.0 seconds, 142218 bytes.\n
> Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
> AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
> scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50098,mid=<000b01cb5f6e$b1bbfe80$6629a...@traci>,bayes=0.483846,autolearn=no\n
> 
> 
> I never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
> that is consistent, so I was hoping to find out where it is to make sure
> nothing is scored wrong

score DOS_OE_TO_MX 2.602 3.086 2.265 2.523



Re: DOS_OE_TO_MX

2010-09-29 Thread njjrdell

I'm pretty sure she would not send a GTUBE. Here is another from her

Sep 28 08:35:26 nsmail spamd[207]: prefork: child states: II\n
Sep 28 08:35:55 nsmail spamd[287]: spamd: connection from localhost
[127.0.0.1] at port 50098\n
Sep 28 08:35:55 nsmail spamd[287]: spamd: checking message
<000b01cb5f6e$b1bbfe80$6629a...@traci> for (unknown):500\n
Sep 28 08:35:55 nsmail spamd[287]: spamd: identified spam (4006.3/5.0) for
(unknown):500 in 1.0 seconds, 142218 bytes.\n
Sep 28 08:35:55 nsmail spamd[287]: spamd: result: Y 4006 -
AWL,BAYES_50,DATE_IN_FUTURE_12_24,DOS_OE_TO_MX
scantime=1.0,size=142218,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50098,mid=<000b01cb5f6e$b1bbfe80$6629a...@traci>,bayes=0.483846,autolearn=no\n


I've never seen anything with such a score of 4006. DOS_OE_TO_MX is the rule
that is consistent, so I was hoping to find out where it is to make sure
nothing is scored wrong

By AWL do you mean manual whitelist in my local.cf? I'm not aware of auto
white listing a user

Regards



John Hardin wrote:
> 
> On Wed, 29 Sep 2010, njjrdell wrote:
> 
>> Hello,
>>
>> one of our users at a remote location is having her mail trashed by
>> spamassassin.
>>
>> Sep 28 12:48:43 nsmail spamd[199]: prefork: child states: II\n
>> Sep 28 12:49:28 nsmail spamd[268]: spamd: connection from localhost
>> [127.0.0.1] at port 50226\n
>> Sep 28 12:49:28 nsmail spamd[268]: spamd: checking message
>> <001101cb5f2d$1c3937b0$6629a...@traci> for (unknown):500\n
>> Sep 28 12:49:29 nsmail spamd[268]: spamd: identified spam (288.2/5.0) for
>> (unknown):500 in 1.2 seconds, 2345 bytes.\n
>> Sep 28 12:49:29 nsmail spamd[268]: spamd: result: Y 288 -
>> AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C
>> scantime=1.2,size=2345,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,mid=<001101cb5f2d$1c3937b0$6629a...@traci>,bayes=0.297864,autolearn=no\n
>>
>> I'm trying to track down why this message is getting such a high score. I
>> have been trying to find were the DOS_OE_TO_MX rule is and what it's
>> score
>> is set to, but can't find it anywhere.
> 
> 288 points? I'd look to AWL rather than any of the other rules. Did she 
> perhaps send a GTUBE at some point?
> 
> -- 
>   John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
>   jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>The yardstick you should use when considering whether to support a
>given piece of legislation is "what if my worst enemy is chosen to
>administer this law?"
> ---
>   79 days until TRON Legacy
> 
> 




Re: DOS_OE_TO_MX

2010-09-29 Thread John Hardin

On Wed, 29 Sep 2010, njjrdell wrote:


> Hello,
>
> one of our users at a remote location is having her mail trashed by
> spamassassin.
>
> Sep 28 12:48:43 nsmail spamd[199]: prefork: child states: II\n
> Sep 28 12:49:28 nsmail spamd[268]: spamd: connection from localhost
> [127.0.0.1] at port 50226\n
> Sep 28 12:49:28 nsmail spamd[268]: spamd: checking message
> <001101cb5f2d$1c3937b0$6629a...@traci> for (unknown):500\n
> Sep 28 12:49:29 nsmail spamd[268]: spamd: identified spam (288.2/5.0) for
> (unknown):500 in 1.2 seconds, 2345 bytes.\n
> Sep 28 12:49:29 nsmail spamd[268]: spamd: result: Y 288 -
> AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C
> scantime=1.2,size=2345,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,mid=<001101cb5f2d$1c3937b0$6629a...@traci>,bayes=0.297864,autolearn=no\n
>
> I'm trying to track down why this message is getting such a high score. I
> have been trying to find were the DOS_OE_TO_MX rule is and what it's score
> is set to, but can't find it anywhere.


288 points? I'd look to AWL rather than any of the other rules. Did she 
perhaps send a GTUBE at some point?


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The yardstick you should use when considering whether to support a
  given piece of legislation is "what if my worst enemy is chosen to
  administer this law?"
---
 79 days until TRON Legacy


DOS_OE_TO_MX

2010-09-29 Thread njjrdell

Hello,

one of our users at a remote location is having her mail trashed by
spamassassin. 

Sep 28 12:48:43 nsmail spamd[199]: prefork: child states: II\n
Sep 28 12:49:28 nsmail spamd[268]: spamd: connection from localhost
[127.0.0.1] at port 50226\n
Sep 28 12:49:28 nsmail spamd[268]: spamd: checking message
<001101cb5f2d$1c3937b0$6629a...@traci> for (unknown):500\n
Sep 28 12:49:29 nsmail spamd[268]: spamd: identified spam (288.2/5.0) for
(unknown):500 in 1.2 seconds, 2345 bytes.\n
Sep 28 12:49:29 nsmail spamd[268]: spamd: result: Y 288 -
AWL,BAYES_40,DOS_OE_TO_MX,FAKE_REPLY_C
scantime=1.2,size=2345,user=(unknown),uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50226,mid=<001101cb5f2d$1c3937b0$6629a...@traci>,bayes=0.297864,autolearn=no\n

I'm trying to track down why this message is getting such a high score. I
have been trying to find where the DOS_OE_TO_MX rule is and what its score
is set to, but can't find it anywhere.







Pyzor problem

2010-09-29 Thread Hans-Werner Friedemann
Hi @ all
 
what´s the matter with pyzor if I get the following hint by starting spamd?
 
Wed Sep 29 11:23:29 2010 [5176] info: urlredirect: No redirectors!
Wed Sep 29 11:23:29 2010 [5176] info: zoom: able to use 675/1223 'body_0' 
compiled rules (55.192%)
Wed Sep 29 11:23:39 2010 [5176] info: pyzor: [5182] error: TERMINATED, signal 
15 (000f)
Wed Sep 29 11:23:39 2010 [5176] info: spamd: server started on port 783/tcp 
(running version 3.3.1)
Wed Sep 29 11:23:39 2010 [5176] info: spamd: server pid: 5176
Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned child 
process, pid 5184
Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned child 
process, pid 5185
Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned child 
process, pid 5186
Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned child 
process, pid 5187
Wed Sep 29 11:23:39 2010 [5176] info: spamd: server successfully spawned child 
process, pid 5189
 
Thanks for your help!



[SOLVED] Re: (no report template found) - no 10_misc.cf but sa-update shows correct paths

2010-09-29 Thread Edward Prendergast

On 28/09/2010 12:45, Karsten Bräckelmann wrote:
> On Tue, 2010-09-28 at 10:36 +0100, Edward Prendergast wrote:
>> clear_report_template - I don't have this set in any of my configs
>
> It's part of 10_default_prefs.cf of the stock rule-set.
>
>> To get the no template found error I'm running:
>> spamassassin -C /etc/opt/mail/spamassassin/ -t < /path/to/message
>               ^^
> Why are you using that option? The given path looks like your site
> config dir, not the default rule-set dir. The latter, which is what -C
> sets, also is the dir where sa-update puts the rules.
>
> See 'man spamassassin-run'. Also see 'man spamassassin' for the dirs
> used by default on your site, as set during configure.
>
>> Not sure if it's OK to paste debug output here (20k) - if so (and it's
>> wanted) please let me know and I'll include it/
>
> It is OK -- or use a pastebin, if you prefer.

Right you are - thanks! I should have been using the --siteconfigpath=
switch for a more accurate test.


Thanks

