Re: Per-user bayes filter DBs not accessible to mail delivered to aliases?
>> I have a mailserver running postfix and spamassassin. I have a user 'user1' and an alias 'alias1', like this in /etc/aliases:

> Two obvious things to check:
>
> 1) did you run 'newaliases' to rebuild the aliases database?

Positive. The mail is delivered to the right place, it just doesn't get the bayes checks done (or check the user's whitelist, or anything that needs access to their home directory).

> 2) As there is more than one way to call SA from Postfix, are you sure that Postfix has rewritten the To: header before passing the message to SA?

I'm not sure, no. I'm using the milter interface (see the main.cf snippet from the previous message), which as I understand it receives events from postfix as they happen (so that it can reject at SMTP-time emails with a very high score). So my guess is that very little has been done by postfix by the time spamassassin sees it.
Re: Per-user bayes filter DBs not accessible to mail delivered to aliases?
On Wed, 16 Mar 2011 12:24:18 -0500 David King dk...@ketralnis.com wrote:

>>> I have a mailserver running postfix and spamassassin. I have a user 'user1' and an alias 'alias1', like this in /etc/aliases:

>> Two obvious things to check:
>>
>> 1) did you run 'newaliases' to rebuild the aliases database?

> Positive. The mail is delivered to the right place, it just doesn't get the bayes checks done (or check the user's whitelist, or anything that needs access to their home directory).

I don't think spamassassin understands aliases. I've never used spamass-milter, but judging by an online copy of its man page, I suspect you may be missing the -x option.

    -x  Pass the recipient address through sendmail -bv, which will perform virtusertable and alias expansion. The resulting username is then passed to spamc. Requires the -u flag.
Re: Very large subjects in all caps with no spaces
Thanks so much for your help. I took a combination of rules approach as well - let's hope this stops them coming through.

-Jamie

Lawrence @ Rogers wrote:

> I use the following rule that, combined with other meta rules, catches the majority of these:
>
>     header LW_SUBJECT_SPAMMY Subject =~ /^[0-9a-zA-Z,.+_\-'!\\\/]{31,}$/
>     describe LW_SUBJECT_SPAMMY Subject appears spammy (31 or more characters without spaces. Only numbers, letters, and formatting)
>     score LW_SUBJECT_SPAMMY 0.2
>
> The key is to score the actual subject rule low, but bump the SA score with meta rules that increase the score as more indicators are hit. I've had moderate success with the rules below:
>
>     # Rule 2: Message is HTML and has a tracking ID, or comes from a free mail address
>     # Therefore, must hit HTML_MESSAGE, and either TRACKER_ID or FREEMAIL_FROM
>     meta LW_SPAMMY_EMAIL1 (LW_SUBJECT_SPAMMY && HTML_MESSAGE && (TRACKER_ID || FREEMAIL_FROM))
>     describe LW_SPAMMY_EMAIL1 Spammy HTML message that has a tracking ID or is freemail
>     score LW_SPAMMY_EMAIL1 1.0
>     #tflags LW_SPAMMY_EMAIL1 noautolearn
>
>     # Rule 3: Message hits LW_SPAMMY_EMAIL1 and MIME_QP_LONG_LINE
>     # It's unusual for non-spam HTML messages to have really long Quoted Printable lines
>     meta LW_SPAMMY_EMAIL2 (LW_SPAMMY_EMAIL1 && (MIME_QP_LONG_LINE || __LW_NET_TESTS))
>     describe LW_SPAMMY_EMAIL2 Spammy HTML message also has a Quoted Printable line > 76 chars, or hits net check
>     score LW_SPAMMY_EMAIL2 1.0
>     #tflags LW_SPAMMY_EMAIL2 noautolearn
>
> Hope this helps!
>
> Regards,
> Lawrence
>
> On 15/03/2011 1:53 AM, jambroo wrote:
>
>> Is there a way of filtering emails with very large one-word subjects. They are also in all caps. I can see rules that set emails to spam if they contain specific wording but nothing like this. Thanks.

--
View this message in context: http://old.nabble.com/Very-large-subjects-in-all-caps-with-no-spaces-tp31151015p31168876.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
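To show how the low-scoring subject rule and the two meta rules in Lawrence's post stack up, here is an added Python model of that scoring (example code, not Lawrence's rules file and not SpamAssassin's own engine); the subject lines and the sets of "other" rule hits are constructed test data, and stock rules such as HTML_MESSAGE are assumed to have been evaluated elsewhere.

```python
import re

# Subject regex taken from the LW_SUBJECT_SPAMMY rule above: 31 or more
# characters with no spaces, made only of digits, letters and a little punctuation.
LW_SUBJECT_SPAMMY_RE = re.compile(r"^[0-9a-zA-Z,.+_\-'!\\/]{31,}$")

# Scores as given in the posted rules.
SCORES = {"LW_SUBJECT_SPAMMY": 0.2, "LW_SPAMMY_EMAIL1": 1.0, "LW_SPAMMY_EMAIL2": 1.0}

# The two meta rules, expressed over the set of rule names that have hit so far.
# Order matters: LW_SPAMMY_EMAIL2 depends on LW_SPAMMY_EMAIL1 having fired.
META_RULES = [
    ("LW_SPAMMY_EMAIL1", lambda h: "LW_SUBJECT_SPAMMY" in h and "HTML_MESSAGE" in h
                                   and ("TRACKER_ID" in h or "FREEMAIL_FROM" in h)),
    ("LW_SPAMMY_EMAIL2", lambda h: "LW_SPAMMY_EMAIL1" in h
                                   and ("MIME_QP_LONG_LINE" in h or "__LW_NET_TESTS" in h)),
]


def evaluate(subject, other_hits):
    """Return (set of all rule names hit, score contributed by the LW_* rules).

    `other_hits` stands in for whatever stock SpamAssassin rules (HTML_MESSAGE,
    FREEMAIL_FROM, ...) matched the message; only the posted subject rule and
    meta rules are layered on top here.
    """
    hits = set(other_hits)
    if LW_SUBJECT_SPAMMY_RE.match(subject):
        hits.add("LW_SUBJECT_SPAMMY")
    for name, condition in META_RULES:
        if condition(hits):
            hits.add(name)
    score = sum(SCORES[name] for name in hits if name in SCORES)
    return hits, round(score, 2)


# Constructed sample subjects (not real mail).
SHOUTY_SUBJECT = "CONGRATULATIONSYOUHAVEWONTHEBIGPRIZETODAY"   # 41 chars, no spaces
NORMAL_SUBJECT = "Re: meeting notes for Thursday"

if __name__ == "__main__":
    for subj, other in [
        (SHOUTY_SUBJECT, {"HTML_MESSAGE", "FREEMAIL_FROM"}),
        (SHOUTY_SUBJECT, {"HTML_MESSAGE", "FREEMAIL_FROM", "MIME_QP_LONG_LINE"}),
        (NORMAL_SUBJECT, {"HTML_MESSAGE", "FREEMAIL_FROM"}),
    ]:
        hits, score = evaluate(subj, other)
        print(f"{subj!r}: +{score} from {sorted(h for h in hits if h.startswith('LW_'))}")
```

Each extra indicator adds a full point while the subject rule alone adds only 0.2, which is the layering the post describes.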
Re: Per-user bayes filter DBs not accessible to mail delivered to aliases?
>>> I have a mailserver running postfix and spamassassin. I have a user 'user1' and an alias 'alias1', like this in /etc/aliases:

>> Two obvious things to check:
>>
>> 1) did you run 'newaliases' to rebuild the aliases database?

>> Positive. The mail is delivered to the right place, it just doesn't get the bayes checks done (or check the user's whitelist, or anything that needs access to their home directory).

> I don't think spamassassin understands aliases. I've never used spamass-milter, but judging by an online copy of its man page, I suspect you may be missing the -x option.
>
>     -x  Pass the recipient address through sendmail -bv, which will perform virtusertable and alias expansion. The resulting username is then passed to spamc. Requires the -u flag.

You are exactly right, this did the trick. Thank you!
Performance on Spear Phishing?
Hi folks -- wondering if anyone has monitored SA's performance against phishing mails.

SA is able to detect 86% of phishing emails my clients get, with 0.5% false positives on all the ham. It seems non-phish SPAM is easier to detect than phish (~99% for non-phish spam). Probably I need to participate in the nightly checks to improve phish detection and lower false positives.

But all the above is about bulk phish, excluding spear phish. I haven't received any spear phishing complaints from my clients, and yet none of the detected phish mails are spear phish -- which is alarming, as it's too good to be true that no one has done spear phishing yet (especially since it works far better than bulk phish)!

What's the scenario in your mail systems, folks? Do you detect spear phishing mail with SA? Do users report it?

-- H
Re: Performance on Spear Phishing?
On Thu, 17 Mar 2011, Hamad Ali wrote:

> Hi folks -- wondering if anyone has monitored SA's performance against phishing mails. SA is able to detect 86% of phishing emails my clients get, with 0.5% false positives on all the ham. It seems non-phish-SPAM is easier to be detected than phish (~99% for non-phish spam).

I think phishing is going to be my next project.

> Probably I need to participate on nightly checks to improve phish and lower false positives.

More masscheck participants are always welcome!

> But all the above stuff is about bulk-phish, excluding spear phish. I haven't received any spear phishing complain from my clients, and yet none of the detected phish mails are spear phish -- which is alarming as it's too good to be true that no one did spear phishing yet (specially that it works far better than bulk-phish)!

Spear-phishing is probably going to be rather difficult to detect, I'm not sure even a well-trained Bayes would help.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Gun Control is nothing more than an attempt to return to feudalism, where the peasants are helpless and must humbly petition their lord and master to protect them from bandits and thieves (when they can get around to it), and where the lords and masters can abuse the peasants whenever they like without fear of effective resistance.
---
 13 days until the M1911 is 100 years old - and still going strong!
Re: Performance on Spear Phishing?
On 3/16/2011 4:08 PM, Hamad Ali wrote:

> Hi folks -- wondering if anyone has monitored SA's performance against phishing mails. SA is able to detect 86% of phishing emails my clients get, with 0.5% false positives on all the ham. It seems non-phish-SPAM is easier to be detected than phish (~99% for non-phish spam). Probably I need to participate on nightly checks to improve phish and lower false positives. But all the above stuff is about bulk-phish, excluding spear phish. I haven't received any spear phishing complain from my clients, and yet none of the detected phish mails are spear phish -- which is alarming as it's too good to be true that no one did spear phishing yet (specially that it works far better than bulk-phish)! What's the scenario in your mail systems folks? Do you detect spear phishing mail by SA? Users report it?
>
> -- H

Are you using spamassassin-3.3.1?

http://www.spamtips.org/p/ultimate-setup-guide.html

Have you tweaked it with the best tested add-ons? Please read this page. In particular, the fuzzy-hash-based plugins like pyzor, Razor and DCC are sometimes effective against phishing.

Warren
Re: Performance on Spear Phishing?
So this actually is a reply to the last post to your previous thread "how to disable network tests". Merely changing the subject and pruning the quote from the body -- surprise -- does NOT make it a new thread.

On the up-side, it appears you at least did read (I mean keep here) the thread. Encouraging.

There has been a lot of help, advice, and questions concerning your previous topic, however. The down-side. You did not care to even get back to a single one of them. Very discouraging.

Do you really expect anyone to care and try to help a single-shot question you vent on the list again? I for one, bloody don't.

On Thu, 2011-03-17 at 06:08 +0400, Hamad Ali wrote:

> Hi folks -- wondering if anyone has monitored SA's performance against phishing mails. SA is able to detect 86% of phishing emails my clients

So you got paying clients. But won't communicate with the community.

> get, with 0.5% false positives on all the ham. It seems non-phish-SPAM is easier to be detected than phish (~99% for non-phish spam). Probably I need to participate on nightly checks to improve phish and lower false positives.

Participating in the mass-checks!? Without any communication (hint, two ways) at all? I don't see that happening.

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Performance on Spear Phishing?
On Wed, 2011-03-16 at 20:30 -0700, John Hardin wrote:

> On Thu, 17 Mar 2011, Hamad Ali wrote:
>
>> Probably I need to participate on nightly checks to improve phish and lower false positives.
>
> More masscheck participants are always welcome!

No. There is this thing called trust. Credibility. And track-record. Which pretty much is the opposite of a freemail address, venting two questions on this list -- without ever getting back even to specific requests for better data, offer for precise help, or a dialog.
Re: Performance on Spear Phishing?
On 3/16/2011 5:45 PM, Karsten Bräckelmann wrote:

> On Wed, 2011-03-16 at 20:30 -0700, John Hardin wrote:
>
>> On Thu, 17 Mar 2011, Hamad Ali wrote:
>>
>>> Probably I need to participate on nightly checks to improve phish and lower false positives.
>>
>> More masscheck participants are always welcome!
>
> No. There is this thing called trust. Credibility. And track-record. Which pretty much is the opposite of a freemail address, venting two questions on this list -- without ever getting back even to specific requests for better data, offer for precise help, or a dialog.

Karsten, thanks for pointing out that this is the same guy. I had missed that.

Warren
Re: Performance on Spear Phishing?
On Wed, 2011-03-16 at 17:50 -1000, Warren Togami Jr. wrote:

> Karsten, thanks for pointing out that this is the same guy. I had missed that.

Heh, you're welcome -- though that would be referring to my other reply to this (sub-) thread. ;)

Sometimes it helps to identify patterns. Sometimes it helps to use threaded list view, especially with mailing lists. And sometimes it helps to get offended, pissed-off, or just annoyed by certain non-communicating free-loader behavior. The latter develops over time.