Spamassassin 3.3.2 for Ubuntu LTS

2012-02-07 Thread Alessio Cecchi

Hi,

does anyone know where I can find spamassassin 3.3.2 in deb format for 
Ubuntu 10.04?


Thanks
--
Alessio Cecchi is:
@ ILS - http://www.linux.it/~alessice/
on LinkedIn - http://www.linkedin.com/in/alessice
GNU/Linux Systems Support - http://www.cecchi.biz/
@ PLUG - former President, now senator for life, http://www.prato.linux.it
@ LOLUG - Member http://www.lolug.net


Re: Spamassassin 3.3.2 for Ubuntu LTS

2012-02-07 Thread Robert Schetterer
On 07.02.2012 10:58, Alessio Cecchi wrote:
> Hi,
>
> does anyone know where I can find spamassassin 3.3.2 in deb format for
> Ubuntu 10.04?
>
> Thanks

http://packages.ubuntu.com/search?keywords=spamassassin&searchon=names&suite=oneiric&section=all

Package spamassassin

oneiric (mail): Perl-based spam filter using text analysis
3.3.2-1: all

simply recompile the Debian way

or look in a ppa
https://launchpad.net/~patrickdk/+archive/general-lucid/+packages


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


User Preferences on SQL with Amavis, in Multi-Server Environment

2012-02-07 Thread Mozafar Roshany
Hi all

Spamassassin version: 3.3.0
OS: Debian Lenny
SA called by Amavis through its command, so NOT using spamc/spamd.

I've two separate servers: One contains SMTP/IMAP/POP3 servers and
(virtual) user maildirs. And another has Amavisd-new along with
SpamAssassin and anti-virus installed. As you know, Amavis gets mail from
MTA and scans it by calling SA and anti-virus, then returning the result
(mail, response, tagged mail...) to MTA.

The question is:
Can I use Spamassassin user preferences stored on SQL database with this
configuration?

Thanks for any help.


Re: User Preferences on SQL with Amavis, in Multi-Server Environment

2012-02-07 Thread Mark Martinec
Mozafar,

> Spamassassin version: 3.3.0
> OS: Debian Lenny
> SA called by Amavis through its command, so NOT using spamc/spamd.
>
> I've two separate servers: One contains SMTP/IMAP/POP3 servers and
> (virtual) user maildirs. And another has Amavisd-new along with
> SpamAssassin and anti-virus installed. As you know, Amavis gets mail from
> MTA and scans it by calling SA and anti-virus, then returning the result
> (mail, response, tagged mail...) to MTA.
>
> The question is:
> Can I use Spamassassin user preferences stored on SQL database with this
> configuration?

Yes, since 2.7.0 :
- per-recipient (or per- policy bank) SpamAssassin configuration files or
  SQL configuration sets are supported (@sa_userconf_maps), and per-recipient
  SQL Bayes database usernames (@sa_username_maps);

For details search release notes for:

- per-recipient (or per- policy bank, or global) SpamAssassin configuration
[...]
- added a global configuration setting $sa_num_instances with a default
[...]
- per-recipient (or per- policy bank) SpamAssassin SQL database usernames
[...]

There are some caveats: configuration switching overhead,
global scope of SpamAssassin rules set (not scoped to a
SpamAssassin instance object).

  Mark


Re: Lots of comment in mail, how to score

2012-02-07 Thread Joseph Brennan




> body  __SR1  /<html>\s{0,2}<!--/
> body  __SR2  /-->\s{0,2}<body/
>
> does not work since body rules strip html comments
>
> with rawbody it ignores limits but hits on both



And don't score too high.

Example: Confirmations from Travelocity contain a 28 KB comment.

Joseph Brennan
Columbia University Information Technology




Re: Lots of comment in mail, how to score

2012-02-07 Thread Kris Deugau

Joseph Brennan wrote:

> body __SR1 /<html>\s{0,2}<!--/
> body __SR2 /-->\s{0,2}<body/
>
> does not work since body rules strip html comments
>
> with rawbody it ignores limits but hits on both
>
> And don't score too high.
>
> Example: Confirmations from Travelocity contain a 28 KB comment.


Eugh.

Any idea what's in that comment?

-kgd


Re: Lots of comment in mail, how to score

2012-02-07 Thread Martin Gregorie
On Tue, 2012-02-07 at 11:04 -0500, Kris Deugau wrote:
> Joseph Brennan wrote:
>
> > body __SR1 /<html>\s{0,2}<!--/
> > body __SR2 /-->\s{0,2}<body/
> >
> > does not work since body rules strip html comments
> >
> > with rawbody it ignores limits but hits on both
> >
> > And don't score too high.
> >
> > Example: Confirmations from Travelocity contain a 28 KB comment.
>
BUT is that comment between <html> and <body> tags in a Travelocity
confirmation? It is in the example mail and, since I've never seen a
comment there in mail or on a web page this seemed like a fairly
safe thing to trigger on.

> Eugh.
>
Kindly note that my suggestion has been misquoted, probably by Joe
Brennan. As he quoted it, it's missing the meta which is somewhat
important in this case. With correction to doing a rawbody scan it
should be:

rawbody __SR1 /<html>\s{0,2}<!--/
rawbody __SR2 /-->\s{0,2}<body/
meta    RULE  (__SR1 && __SR2)

which is actually quite specific since it won't fire unless the comment
is between just those tags and separated from them by at most two
whitespace characters. 

> Any idea what's in that comment?
>
a huge amount of garbage consisting of English words grouped by matched
parens, something like this: axe (elsewhere) zoo this (whenever
numeric) ... with nothing showing an obvious pattern except the
paired parens with text between them. I suppose you could use something
like:

body   RULE2 /\([\s\w]{1,30}\)/
tflags RULE2 multiple

which would be specific from this garbage, but would you really want to
run that across more than 80kb of comment? I suggested the approach of
matching each end of the comment and using a meta to ensure both are
present because that should run a lot faster than anything I could dream
up that matched against the guts of the comment.

Martin




Re: Lots of comment in mail, how to score

2012-02-07 Thread Kris Deugau

Martin Gregorie wrote:

> BUT is that comment between <html> and <body> tags in a Travelocity
> confirmation? It is in the example mail and, since I've never seen a
> comment there in mail or on a web page this seemed like a fairly
> safe thing to trigger on.


*nod*  I should have just trimmed the quote down;  I wasn't referring 
specifically to those potential rules.



> Kindly note that my suggestion has been misquoted, probably by Joe
> Brennan. As he quoted it, it's missing the meta which is somewhat
> important in this case. With correction to doing a rawbody scan it
> should be:
>
> rawbody __SR1 /<html>\s{0,2}<!--/
> rawbody __SR2 /-->\s{0,2}<body/
> meta    RULE  (__SR1 && __SR2)


*nod*  I can't say I recall if I've seen comments arranged like that; 
I've paid more attention to the length and lack of useful content in the 
spamples I've come across.



> > Any idea what's in that comment?
>
> a huge amount of garbage consisting of English words grouped by matched
> parens, something like this: axe (elsewhere) zoo this (whenever
> numeric) ... with nothing showing an obvious pattern except the
> paired parens with text between them.


*nod*  Yeah, I've been seeing those.

I've got a number of rules targeting strange things in HTML comments 
generally:


rawbody LONG_COMMENT        m|<!--[^{};]{200,}-->|
rawbody DUMB_COMMENT_1      m|<!--\n?\s*\d+\s*\n?-->|
rawbody DUMB_COMMENT_2      m|<!--\n?\s*(?:-{72}\n){2,}-+\n?\s*-->|
rawbody BACK2BACK_COMMENT   m|--!!--[\n\s\w]{,200}--!!--|
rawbody FILLER_COMMENT      m|<!--\n?\s*(?:\(?[\w.]{2,14}\)?\s{0,2}/\s{0,2}){8}|

Note the first one started at ~60 chars, then I kept having to bump it 
up due to Outlook's bizarre HTML generation.


The other oddity I've tripped over are excessively long <style></style> 
tags;  legit email seems to use as much as ~3K, but I've seen spams put 
all kinds of non-CSS garbage in there up to 20-30K in length.


-kgd
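
The rawbody sub-rules with a meta from Martin Gregorie's post and the LONG_COMMENT rule from Kris Deugau's, emulated in Python over constructed samples (an added example, not part of either post). It assumes the "<", ">" and "&&" that the archive dropped from the patterns, and treats rawbody as a single undecoded string.

```python
import re

# Patterns from the thread with "<", ">" and "&&" written back in (assumed;
# the archive dropped them). rawbody is modelled as one undecoded string,
# which is a simplification of how SpamAssassin feeds rawbody rules.
SR1 = re.compile(r"<html>\s{0,2}<!--")      # comment opens right after <html>
SR2 = re.compile(r"-->\s{0,2}<body")        # comment closes right before <body
LONG_COMMENT = re.compile(r"<!--[^{};]{200,}-->")

def evaluate(raw_html):
    """Return the names of the rules that hit on one raw HTML body."""
    hits = set()
    # meta RULE (__SR1 && __SR2): both cheap anchors must be present.
    if SR1.search(raw_html) and SR2.search(raw_html):
        hits.add("RULE")
    if LONG_COMMENT.search(raw_html):
        hits.add("LONG_COMMENT")
    return hits

# Constructed samples, not real mail.
FILLER = " ".join(["axe (elsewhere) zoo this (whenever numeric)"] * 20)
SAMPLES = {
    # Filler comment sitting between <html> and <body>, as in the spample.
    "spam_like": "<html>\n<!-- " + FILLER + " -->\n<body><p>Offer</p></body></html>",
    # Long comment inside <body>, like the confirmation mail in the thread.
    "ham_long_comment": "<html><head></head><body>\n<!-- "
                        + "reservation detail " * 40
                        + "-->\n<p>Confirmed.</p></body></html>",
    # Short comment in the same position as the spam: the meta ignores length.
    "short_comment_before_body": "<html>\n<!-- generated -->\n<body><p>Hi</p></body></html>",
    "ham_plain": "<html><head></head><body><p>Hello</p></body></html>",
}

def run_samples():
    """Evaluate every constructed sample and map its name to the rules hit."""
    return {name: evaluate(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:28s} {sorted(hits)}")
```

The long comment inside the body trips LONG_COMMENT but not the meta, while any comment placed directly between the two tags trips the meta regardless of its length.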


T_FROM_MISSPACED score

2012-02-07 Thread David F. Skoll
Hi,

Is there a reason T_FROM_MISSPACED is still only a testing rule?  It
seems to trigger on quite a few spams and phishing attacks and hardly
any ham on my systems.

Regards,

David.


Re: T_FROM_MISSPACED score

2012-02-07 Thread David F. Skoll
On Tue, 7 Feb 2012 14:31:17 -0500
David F. Skoll <d...@roaringpenguin.com> wrote:

> Is there a reason T_FROM_MISSPACED is still only a testing rule?

Never mind... I wasn't looking at an up-to-date ruleset.

Regards,

David.


Ham hitting too generic rule

2012-02-07 Thread Brian Bebeau
We have a customer who is a legitimate non-spamming investment advisor. Their 
outbound disclaimer has the phrase "investment advice" which hits the rule 
INVESTMENT_ADVICE in 20_phrases.cf. We can certainly zero out the score in 
local.cf, but it seems to me this is a pretty generic phrase, and it has an 
awfully high score (2.199). I can well imagine people getting mail from their 
stock broker or the like with this phrase in it somewhere. Any chance the score 
can at least be reduced?

--
Brian Bebeau
Security Researcher - Spiderlabs Research
Trustwave
bbeb...@trustwave.com
www.trustwave.com





Re: Ham hitting too generic rule

2012-02-07 Thread John Hardin

On Tue, 7 Feb 2012, Brian Bebeau wrote:


> We have a customer who is a legitimate non-spamming investment advisor. Their outbound
> disclaimer has the phrase "investment advice" which hits the rule
> INVESTMENT_ADVICE in 20_phrases.cf. We can certainly zero out the score in local.cf, but
> it seems to me this is a pretty generic phrase, and it has an awfully high score (2.199).
> I can well imagine people getting mail from their stock broker or the like with this
> phrase in it somewhere. Any chance the score can at least be reduced?


Can you provide samples for the masscheck corpus? I'd be willing to 
include them in my corpora if he subscribes me, and I promise to not 
follow any of his advice... :)


My corpora are semi-public, though (any SA dev can read them) so if the 
information is proprietary you might need to run local masschecks 
yourself, or make arrangements with someone who is doing local masschecks.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Users mistake widespread adoption of Microsoft Office for the
  development of a document format standard.
---
 5 days until Abraham Lincoln's and Charles Darwin's 203rd Birthdays


Re: Lots of comment in mail, how to score

2012-02-07 Thread Joseph Brennan

Martin Gregorie <mar...@gregorie.org> wrote:

> > Example: Confirmations from Travelocity contain a 28 KB comment.
>
> BUT is that comment between <html> and <body> tags in a Travelocity
> confirmation? It is in the example mail and, since I've never seen a
> comment there in mail or on a web page this seemed like a fairly
> safe thing to trigger on.


No, it was inside <body> .. </body> at least.  We noticed it a couple
of years ago, and I have only a note on file about it being 28 KB,
without an example.  I don't remember exactly what was in it, but it
was some kind of content that seemed to be about the reservation.

Most likely comment before <body> begins is unique to spam, but... you
never know.  It sounds like valid html so some web programmer might
find a reason to put it in mail output.


Now <style> ... </style> with garbage in it is interesting.  That
would never be in real mail.  Or so you'd think!


Joseph Brennan
Columbia University Information Technology





Re: Lots of comment in mail, how to score

2012-02-07 Thread John Hardin

On Tue, 7 Feb 2012, Joseph Brennan wrote:

> Now <style> ... </style> with garbage in it is interesting.  That would
> never be in real mail.  Or so you'd think!


I do have a rule for garbage styles that is doing fairly well in 
masschecks:


  http://ruleqa.spamassassin.org/rule=STYLE_GIBBERISH

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Your mouse has moved. Your Windows Operating System must be
  relicensed due to this hardware change. Please contact Microsoft
  to obtain a new activation key. If this hardware change results in
  added functionality you may be subject to additional license fees.
  Your system will now shut down. Thank you for choosing Microsoft.
---
 5 days until Abraham Lincoln's and Charles Darwin's 203rd Birthdays


Re: Lots of comment in mail, how to score

2012-02-07 Thread Martin Gregorie
On Tue, 2012-02-07 at 20:13 -0500, Joseph Brennan wrote:
> Now <style> ... </style> with garbage in it is interesting.  That
> would never be in real mail.  Or so you'd think!

Maybe, maybe not. I think spammers have found that you can put any old
junk between <style></style> tags. I base this on screwing up styles
when I was learning to use them and noticing that anything the browser
can't parse in there is silently ignored.

For fun I kicked this together:
=
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">

<html>
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 25 March 2009), see www.w3.org">

  <title>Big red test</title>
  <style type="text/css">
Maybe, maybe not. As a pure guess, I think spammers may have found that
  you can put any old junk between [style] and [/style] tags. I base
this on
  screwing up styles when I was learning to use them and noticing that
  anything the browser can't parse in there is silently ignored.
  </style>
  <style type="text/css">
p.c1 {color: red; font-size: xx-large; font-weight: bold}
  </style>
  <style type="text/css">
Maybe, maybe not. As a pure guess, I think spammers may have found that
  you can put any old junk between [style] and [/style] tags. I base
this on
  screwing up styles when I was learning to use them and noticing that
  anything the browser can't parse in there is silently ignored.
  p.c1 {color: red; font-size: xx-large; font-weight: bold}
  </style>
</head>

<body>
  <p class="c1">Big red test</p>

  <p>Heading should be red</p>
</body>
</html>
=

I used three style sections because, when I put the junk text into one
style section in front of the actual style definition, that got ignored.

If you cut and paste this example as a file and feed it to your browser,
you should see the first body line in bold red letters. I've tested this
with Firefox and Lynx, which work as I expected. As you can see, the
file has been passed through HTML by HTML-tidy, which says it is valid
HTML.


Martin




Re: Spamassassin 3.3.2 for Ubuntu LTS

2012-02-07 Thread Alessio Cecchi

On 07/02/2012 11:17, Robert Schetterer wrote:

> On 07.02.2012 10:58, Alessio Cecchi wrote:
>
> > Hi,
> >
> > does anyone know where I can find spamassassin 3.3.2 in deb format for
> > Ubuntu 10.04?
> >
> > Thanks
>
> http://packages.ubuntu.com/search?keywords=spamassassin&searchon=names&suite=oneiric&section=all
>
> Package spamassassin
>
>  oneiric (mail): Perl-based spam filter using text analysis
>  3.3.2-1: all
>
> simply recompile the Debian way
>
> or look in a ppa
> https://launchpad.net/~patrickdk/+archive/general-lucid/+packages




Thanks, ppa is fine for me :-)

--
Alessio Cecchi is:
@ ILS - http://www.linux.it/~alessice/
on LinkedIn - http://www.linkedin.com/in/alessice
GNU/Linux Systems Support - http://www.cecchi.biz/
@ PLUG - former President, now senator for life, http://www.prato.linux.it
@ LOLUG - Member http://www.lolug.net


Re: Spamassassin 3.3.2 for Ubuntu LTS

2012-02-07 Thread Alessio Cecchi

On 07/02/2012 11:17, Robert Schetterer wrote:

> On 07.02.2012 10:58, Alessio Cecchi wrote:
>
> > Hi,
> >
> > does anyone know where I can find spamassassin 3.3.2 in deb format for
> > Ubuntu 10.04?
> >
> > Thanks
>
> [...]
>
> or look in a ppa
> https://launchpad.net/~patrickdk/+archive/general-lucid/+packages




Spamassassin update from PPA for Ubuntu 10.04:

aptitude install python-software-properties
add-apt-repository ppa:patrickdk/general-lucid
aptitude update
aptitude install spamassassin spamc
sa-update
sa-compile
/etc/init.d/spamassassin restart

Bye
--
Alessio Cecchi is:
@ ILS - http://www.linux.it/~alessice/
on LinkedIn - http://www.linkedin.com/in/alessice
GNU/Linux Systems Support - http://www.cecchi.biz/
@ PLUG - former President, now senator for life, http://www.prato.linux.it
@ LOLUG - Member http://www.lolug.net