Re: Negative score spamassassin

2011-11-22 Thread ercibrest



need to see the rule hits for the negative scores..

also I don't see any RBL, URIBL, pyzor or razor scores in there, have you
disabled network tests?  these are really valuable - just make sure you
only choose a couple of the RBL's (see
http://wiki.mailscanner.info/doku.php?id=maq:index#getting_the_best_out_of_spamassassin for
some ideas - it's a little outdated but still useful I think)


-- 
Martin Hepworth
Oxford, UK


you can see here example of spam not found :
my server is mailhost.estaim.fr



Received: from ecisnet196.ec-is.net (ecisnet196.ec-is.net [62.62.128.89])
 by mailhost.estaim.fr (Postfix) with ESMTP id A4FBE1DACB3
 for si...@lequar.com; Tue, 22 Nov 2011 09:08:06 +0100 (CET)
X-Spam-Processed: ecisnet196.ec-is.net, Tue, 22 Nov 2011 09:07:25 +0100
X-Spam-Level: 
X-Spam-Status: No, score=-3.9 required=6.0 tests=BAYES_00,FROM_12LTRDOM,
 RDNS_NONE,TVD_SPACE_RATIO,TVD_SPACE_RATIO_MINFP shortcircuit=no
autolearn=ham
 version=3.3.2
X-Spam-Report: 
 * -4.7 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 * [score: 0.]
 * 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
 * 0.0 TVD_SPACE_RATIO TVD_SPACE_RATIO
 * 0.0 TVD_SPACE_RATIO_MINFP TVD_SPACE_RATIO_MINFP
 * 0.0 FROM_12LTRDOM From a 12-letter domain
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06)
Received: from hmxc4jwwtbg1d.52vmcohn.ouicamrsfi ([180.254.164.165])
 by ecisnet196.ec-is.net (ecisnet196.ec-is.net)
 (MDaemon PRO v12.5.1)
 with ESMTP id 34-md5095393.msg
 for si...@lequar.com; Tue, 22 Nov 2011 09:07:24 +0100
X-MDOP-RefID: str=0001.0A0B0207.4ECB583D.00C0,ss=1,fgs=0 (_st=1 _vt=0
_iwf=0)
X-Rcpt-To: si...@lequar.com
X-MDRcpt-To: si...@lequar.com
X-MDRemoteIP: 180.254.164.165
X-Envelope-From: elizash...@archwireless.net
From: HilaryLavone elizash...@archwireless.net
Message-ID: 4ecb65f1.a8731...@archwireless.net
Date: Tue, 22 Nov 2011 10:05:53 +0100
MIME-Version: 1.0
Subject: 4wpa7h
To: si...@lequar.com
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Return-Path: elizash...@archwireless.net
X-MDaemon-Deliver-To: si...@lequar.com 
From: elizash...@archwireless.net [Add to Whitelist | Add to Blacklist] 
 

-- 
View this message in context: 
http://old.nabble.com/Negative-score-spamassassin-tp32870223p32872170.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Negative score spamassassin

2011-11-22 Thread ercibrest



Darxus wrote:
 
 On 11/21, ercibrest wrote:
 Maybe there is a problem of configuration because all of my emails come
 from
 the same IP. From internet, email send to my domain is receive from my
 provider and then, the provider relay mails to my mailscanner 's server.
 
 Add that IP to your trusted_networks setting, documented in the
 spamassassin man page:
 http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html#network_test_options
 Also some info here:  http://wiki.apache.org/spamassassin/TrustPath
 
 -- 
 It's never too late to panic.
 http://www.ChaosReigns.com
 
 

trusted_networks must be put in local.cf ?



Re: In subject how to detect a word in an EVAL string?

2011-11-22 Thread Benny Pedersen

On Mon, 21 Nov 2011 22:32:42 +0100, Karsten Bräckelmann wrote:


=?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=


Not eval, but encoded -- in this case even necessary, rather than an
attempt at obfuscation, because it contains non ASCII letters.


yep, it's a base64-encoded string between the last two ?

?B? is the sign of mime header for base64

?Q? quoted-printable

but use ripmime :-)

and create rules from the output
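
What the replies above describe (`?B?` marks base64, `?Q?` marks quoted-printable, and a rule is written against the decoded text), as an added Python example that is not part of the original thread. It uses the standard library's `email.header` rather than ripmime; the `?Q?` sample and all function names are constructed for illustration.

```python
import re
from email.header import decode_header, make_header

# Subject value quoted in the thread: RFC 2047 encoded-word, base64, iso-8859-1.
RAW_SUBJECT = "=?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?="

# Constructed sample: part of the same text in quoted-printable (?Q?) form.
RAW_SUBJECT_Q = "=?iso-8859-1?Q?Venta_de_CANASTAS_NAVIDE=D1AS?="

ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?[^?\s]*\?=")


def encoding_of(raw):
    """Return 'B', 'Q' or None for the first encoded-word in a header value."""
    m = ENCODED_WORD.search(raw)
    return m.group(2).upper() if m else None


def decode_subject(raw):
    """Decode every encoded-word in the header value to a Unicode string."""
    return str(make_header(decode_header(raw)))


def compare(raw, pattern):
    """Run one case-insensitive regex against the raw and the decoded header."""
    decoded = decode_subject(raw)
    return {
        "encoding": encoding_of(raw),
        "decoded": decoded,
        "raw_hit": re.search(pattern, raw, re.IGNORECASE) is not None,
        "decoded_hit": re.search(pattern, decoded, re.IGNORECASE) is not None,
    }


if __name__ == "__main__":
    for raw in (RAW_SUBJECT, RAW_SUBJECT_Q):
        print(compare(raw, r"canastas\s+navide"))
    # The decoded text also shows an odd spelling of the last word, so a
    # pattern for the plain dictionary word does not hit.
    print(compare(RAW_SUBJECT, r"publicidad"))
```

The word pattern only matches after decoding; against the raw header value it finds nothing.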


Re: Negative score spamassassin

2011-11-22 Thread Bowie Bailey
On 11/22/2011 3:25 AM, ercibrest wrote:
 need to see the rule hits for the negative scores..

 also I don't see any RBL, URIBL, pyzor or razor scores in there, have you
 disabled network tests?  these are really valuable - just make sure you
 only choose a couple of the RBL's (see
 http://wiki.mailscanner.info/doku.php?id=maq:index#getting_the_best_out_of_spamassassin for
 some ideas - it's a little outdated but still useful I think)

 you can see here example of spam not found :
 my server is mailhost.estaim.fr

Then why is the SpamAssassin scanning being done on ecisnet196.ec-is.net?

 Received: from ecisnet196.ec-is.net (ecisnet196.ec-is.net [62.62.128.89])
  by mailhost.estaim.fr (Postfix) with ESMTP id A4FBE1DACB3
  for si...@lequar.com; Tue, 22 Nov 2011 09:08:06 +0100 (CET)
 X-Spam-Processed: ecisnet196.ec-is.net, Tue, 22 Nov 2011 09:07:25 +0100
 X-Spam-Level: 
 X-Spam-Status: No, score=-3.9 required=6.0 tests=BAYES_00,FROM_12LTRDOM,
  RDNS_NONE,TVD_SPACE_RATIO,TVD_SPACE_RATIO_MINFP shortcircuit=no
 autolearn=ham
  version=3.3.2
 X-Spam-Report: 
  * -4.7 BAYES_00 BODY: Bayes spam probability is 0 to 1%
  * [score: 0.]
  * 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
  * 0.0 TVD_SPACE_RATIO TVD_SPACE_RATIO
  * 0.0 TVD_SPACE_RATIO_MINFP TVD_SPACE_RATIO_MINFP
  * 0.0 FROM_12LTRDOM From a 12-letter domain
 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06)
 Received: from hmxc4jwwtbg1d.52vmcohn.ouicamrsfi ([180.254.164.165])
  by ecisnet196.ec-is.net (ecisnet196.ec-is.net)
  (MDaemon PRO v12.5.1)
  with ESMTP id 34-md5095393.msg
  for si...@lequar.com; Tue, 22 Nov 2011 09:07:24 +0100
 X-MDOP-RefID: str=0001.0A0B0207.4ECB583D.00C0,ss=1,fgs=0 (_st=1 _vt=0
 _iwf=0)
 X-Rcpt-To: si...@lequar.com
 X-MDRcpt-To: si...@lequar.com
 X-MDRemoteIP: 180.254.164.165
 X-Envelope-From: elizash...@archwireless.net
 From: HilaryLavone elizash...@archwireless.net
 Message-ID: 4ecb65f1.a8731...@archwireless.net
 Date: Tue, 22 Nov 2011 10:05:53 +0100
 MIME-Version: 1.0
 Subject: 4wpa7h
 To: si...@lequar.com
 Content-Type: text/plain; charset=iso-8859-1
 Content-Transfer-Encoding: 7bit
 X-Return-Path: elizash...@archwireless.net
 X-MDaemon-Deliver-To: si...@lequar.com 
 From: elizash...@archwireless.net [Add to Whitelist | Add to Blacklist] 


The only thing I see here is that your Bayes database appears to be
mistrained.  It is scoring this message as BAYES_00, which means
definitely not spam.  At a minimum, you need to manually learn any
messages that are being scored the wrong way with Bayes.  If this is
happening with all of your spam, you may want to just delete the Bayes
db completely and start over.

In order to give any more useful feedback, we would need to see the
entire message.  Rather than sending it to the list, please put it in
pastebin.com and give us the link.

Also, when a message ends with a signature that starts with two dashes
(like mine below), please delete the signature in your reply rather than
replying below it.  The two dashes indicate the start of a signature and
quite a few mail clients will automatically remove anything below that
when replying.

-- 
Bowie


Sought rules revisited

2011-11-22 Thread Mynabbler

Is it just me, or is the last sought_rules update November 9th? And it is not
like an update is available:

# sa-update --gpgkey 6C6191E3 -D --channel sought.rules.yerp.org
dbg: channel: attempting channel sought.rules.yerp.org
...
dbg: channel: current version is 3301199767, new version is 3301199767,
skipping channel
dbg: diag: updates complete, exiting with code 1
# _





Sought rules revisited

2011-11-22 Thread Mynabbler

Is it just me, or is the last sought_rules update November 9th? And it is not
like an update is available:

$ sa-update --gpgkey 6C6191E3 -D --channel sought.rules.yerp.org
dbg: channel: attempting channel sought.rules.yerp.org
[...]
dbg: channel: current version is 3301199767, new version is 3301199767,
skipping channel
dbg: diag: updates complete, exiting with code 1
$ _

Looks, other than the fact that update is from November 9th,  okay to me.




Re: Negative score spamassassin

2011-11-22 Thread Karsten Bräckelmann
On Tue, 2011-11-22 at 09:26 -0500, Bowie Bailey wrote:
 On 11/22/2011 3:25 AM, ercibrest wrote:

  X-Spam-Status: No, score=-3.9 required=6.0 tests=BAYES_00,FROM_12LTRDOM,
   RDNS_NONE,TVD_SPACE_RATIO,TVD_SPACE_RATIO_MINFP shortcircuit=no
   autolearn=ham version=3.3.2
   ^
And there is the culprit for the Bayes problem.

  X-Spam-Report: 
   * -4.7 BAYES_00 BODY: Bayes spam probability is 0 to 1%
   * [score: 0.]
   * 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
   * 0.0 TVD_SPACE_RATIO TVD_SPACE_RATIO
   * 0.0 TVD_SPACE_RATIO_MINFP TVD_SPACE_RATIO_MINFP
   * 0.0 FROM_12LTRDOM From a 12-letter domain

According to the RDNS_NONE score, this is score-set 3, Bayes and network
tests enabled. For auto-learning, the non-Bayes score-set 1 will be
used, with a score for RDNS_NONE even slightly higher. The other rules
are irrelevant, and Bayes of course is not considered.

The default auto-learn threshold for ham is 0.1. This message should
never have been automatically learned as ham.

Your auto-learn threshold settings are terribly messed up. (Possibly the
scores for score-set 1, but that's much less likely.)


 The only thing I see here is that your Bayes database appears to be
 mistrained.  It is scoring this message as BAYES_00, which means
 definitely not spam.  At a minimum, you need to manually learn any
 messages that are being scored the wrong way with Bayes.  If this is
 happening with all of your spam, you may want to just delete the Bayes
 db completely and start over.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
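
The check described in the message above (leave Bayes out, sum the remaining rule scores, compare with the 0.1 ham threshold), as an added Python example that is not part of the original thread. It assumes the scores printed in X-Spam-Report (score-set 3) can stand in for the score-set 1 values, which the message says are slightly higher for RDNS_NONE; function names are illustrative.

```python
import re

# Headers copied from the message quoted in the thread (folded lines kept).
SAMPLE_HEADERS = """\
X-Spam-Status: No, score=-3.9 required=6.0 tests=BAYES_00,FROM_12LTRDOM,
 RDNS_NONE,TVD_SPACE_RATIO,TVD_SPACE_RATIO_MINFP shortcircuit=no
 autolearn=ham version=3.3.2
X-Spam-Report:
 * -4.7 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 * [score: 0.]
 * 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
 * 0.0 TVD_SPACE_RATIO TVD_SPACE_RATIO
 * 0.0 TVD_SPACE_RATIO_MINFP TVD_SPACE_RATIO_MINFP
 * 0.0 FROM_12LTRDOM From a 12-letter domain
"""

HAM_THRESHOLD = 0.1  # default ham auto-learn threshold stated in the thread

# One report line: " * <score> <RULE_NAME> <description>"
RULE_LINE = re.compile(
    r"^[ \t]*\*[ \t]+(-?\d+(?:\.\d+)?)[ \t]+([A-Z][A-Z0-9_]*)\b", re.M)


def rule_scores(headers):
    """Map rule name -> reported score from the X-Spam-Report lines."""
    return {name: float(score) for score, name in RULE_LINE.findall(headers)}


def autolearn_flag(headers):
    """Return the autolearn= value from X-Spam-Status, or None."""
    m = re.search(r"\bautolearn=([a-z]+)", headers)
    return m.group(1) if m else None


def non_bayes_score(headers):
    """Sum the reported scores with the Bayes rules left out."""
    scores = rule_scores(headers)
    return round(sum(s for n, s in scores.items()
                     if not n.startswith("BAYES_")), 3)


def audit_autolearn(headers, ham_threshold=HAM_THRESHOLD):
    """Flag a message learned as ham although its non-Bayes score is too high."""
    learned, score = autolearn_flag(headers), non_bayes_score(headers)
    return {"autolearn": learned, "non_bayes_score": score,
            "should_learn_ham": score < ham_threshold,
            "inconsistent": learned == "ham" and score >= ham_threshold}
```

Run over a mail store, an `inconsistent` result on many messages points at the auto-learn threshold settings rather than at individual mistrained tokens.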



Re: Sought rules revisited

2011-11-22 Thread Mynabbler


Mynabbler wrote:
 
 Is it just me, or is the last sought_rules update November 9th?
 
Sorry about the double posts... It was posted using Nabble, which returned
500 errors, and yet still posted the message. Oops.



Re: In subject how to detect a word in an EVAL string?

2011-11-22 Thread Sergio
Thank you Benny,
I will use this command next time.

Sergio


By the way your links are very accurate, that are the spammers that sent
the email, with my new rule they are

On Tue, Nov 22, 2011 at 3:42 AM, Benny Pedersen m...@junc.org wrote:

 On Mon, 21 Nov 2011 22:32:42 +0100, Karsten Bräckelmann wrote:


 =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=


 Not eval, but encoded -- in this case even necessary, rather than an
 attempt at obfuscation, because it contains non ASCII letters.


 yep, it's a base64-encoded string between the last two ?

 ?B? is the sign of mime header for base64

 ?Q? quoted-printable

 but use ripmime :-)

 and create rules from the output