A flood of new domains ?
Has anyone else noticed this stream of new spamvertized domains : http://files.jessen.ch/list-of-new-domains Typically accompanied by messages/subject lines such as: You should check your status update and see if it changed This method of language learning is super easy. Please confirm that this update is accurate. Teach yourself a new foreign language in 10 days Just being curious. Yesterday I got another 10 different domains. -- Per Jessen, Zürich (5.4°C)
Re: A flood of new domains ?
On 21.03.2012 09:09, Per Jessen wrote: Has anyone else noticed this stream of new spamvertized domains : http://files.jessen.ch/list-of-new-domains Typically accompanied by messages/subject lines such as: You should check your status update and see if it changed This method of language learning is super easy. Please confirm that this update is accurate. Teach yourself a new foreign language in 10 days Just being curious. Yesterday I got another 10 different domains. Hi Per, nothing special like that, was noticed here -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: Re : Sought rules alive?
Axb wrote: SOUGHT rule updates are working again. That is truly wonderful news! The last update I had was from 2011-11-10. Looking forward to the revived goodness! Thanks JM! Yes. Thanks! Bob
Re: Allowing IMAP users to train spam/ham
On Fri, 9 Mar 2012 16:38:49 +0100 Matus UHLAR - fantomas wrote: You can of course configure mailer to train automatically on anything received/delivered. However this would apparently cause much more FP's and FN's rate than letting user train only those that misfire. On 10.03.12 00:07, RW wrote: The use of the word apparently never inspires much confidence. I'm guessing that you don't have any real evidence. No, I don't have evidence from comparing between long-time running autolearn versus manual learning. However cases were mentioned here on the list where people complained about autolearn going well when no manual training was used. If you're going to train on error then train on the right error, not a rarer, correlated error. The only error that really matters is the one that causes misfiring. No, it isn't. Bayes is a statistical filter it needs to learn a lot of diverse spam and ham to reach its optimum accuracy. It's been demonstrated on Bogofilter that train-on-everything outperforms train-on-error on the same corpora. They both end up with similar accuracy, but train-on-everything gets there very much faster. Bogofilter is almost identical to BAYES; they just differ in the details of the tokenizer and the Robinson parameters. Training on SA misclassification is going to be glacially slow. there are two problems when requiring users to manually learn on everything. - it's more work to implement - it's more work for users to do the training. Note that the main goal of spam filters is to save people some work, not to give it to them. The users will want to do the training only on misfires, and the sooner they get there, the better. Maybe relaxing the autolearn rules until number of hams and spams will cross the required values would help us. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.
OT how to bypass public nameservers as bind forwarders?
I get this in SpamAssassin report: 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. I use public DNS services as forwarders in my LAN dns (bind9). I remember that once disabled forwarders for some URIBL but the setting is gone, and I can't find a recipe. Howto? -- Try to get all of your posthumous medals in advance.
Re: Allowing IMAP users to train spam/ham
On 3/21/12 5:06 AM, Matus UHLAR - fantomas wrote: there are two problems when requiring users to manually learn on everything. - it's more work to implement - it's more work for users to do the training. and, if 95% of the users are using microsoft exchange, exchange will horribly mangle the headers, and the body, even changing the actual encoding. so, what would you manually learn? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation * Best Mobile Solutions Product of 2011 * Best Intrusion Prevention Product * Hot Company Finalist 2011 * Best Email Security Product * Certified SNORT Integrator __ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com/ __
Re: OT how to bypass public nameservers as bind forwarders?
On 21.03.12 14:24, Jari Fredriksson wrote: I get this in SpamAssassin report: 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. I use public DNS services as forwarders in my LAN dns (bind9). I remember that once disabled forwarders for some URIBL but the setting is gone, and I can't find a recipe. Howto? the public DNS services you use as forwarders are blacklisted on dnswl, apparently because of high traffic. Are they google DNS servers, or your isp's? Use your own DNS server. If you have BIND9, there's usually no need for using other servers as forwarders. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. How does cat play with mouse? cat /dev/mouse
Re: OT how to bypass public nameservers as bind forwarders?
On 3/21/12 8:24 AM, Jari Fredriksson wrote: I use public DNS services as forwarders in my LAN dns (bind9). I remember that once disabled forwarders for some URIBL but the setting is gone, and I can't find a recipe. Howto? don't use public forwarders. unless you are doing 100K dns queries per day, just use bind and root zones. if you want information on how to fix bind, then you need the bind faq/man page/news group. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation
Re: Allowing IMAP users to train spam/ham
On 3/21/12 5:06 AM, Matus UHLAR - fantomas wrote: there are two problems when requiring users to manually learn on everything. - it's more work to implement - it's more work for users to do the training. On 21.03.12 08:38, Michael Scheidell wrote: and, if 95% of the users are using microsoft exchange, exchange will horribly mangle the headers, and the body, even changing the actual encoding. so, what would you manually learn? Mangling data by exchange is a big problem when trying to filter spam in front of it. I see two ways to avoid this problem: - use spam server for exchange. We use one from GFI, with quite good results. - you can use spam filter in front of exchange, store copies on it and learn from them. However, you will probably be the only one who can train spamfilter in such case. you actually _can_ train from messages that went through exchange, but mangling by exchange will somehow blur the results and lower bayes accuracy. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
Re: OT how to bypass public nameservers as bind forwarders?
On 3/21/2012 8:24 AM, Jari Fredriksson wrote: I get this in SpamAssassin report: 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. I use public DNS services as forwarders in my LAN dns (bind9). I remember that once disabled forwarders for some URIBL but the setting is gone, and I can't find a recipe. Howto?

First, I'm glad you noticed this. We worked hard to implement this procedure to notify admins and not cause purposeful FPs. Second, you should just use your own root hints and not a forwarder if you already have bind9. Third, I think you are looking for something like:

    zone X.dnswl.com IN {
        type forward;
        forward first;
        forwarders { IP Address of a Server; };
    };

That will forward on a per zone basis to a different forwarder. You might also be able to do something like

    type hint;
    file root.servers;

instead. Overall though the second is the right answer. Regards, KAM
Re: OT how to bypass public nameservers as bind forwarders?
On 21.03.2012 13:39, Matus UHLAR - fantomas wrote: On 21.03.12 14:24, Jari Fredriksson wrote: I get this in SpamAssassin report: 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. I use public DNS services as forwarders in my LAN dns (bind9). I remember that once disabled forwarders for some URIBL but the setting is gone, and I can't find a recipe. Howto? the public DNS services you use as forwarders are blacklisted on dnswl, apparently because of high traffic. Are they google DNS servers, or your isp's? Use your own DNS server. If you have BIND9, there's usually no need for using other servers as forwarders. http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html forward A forward zone is a way to configure forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders statement, which will apply to queries within the domain given by the zone name. If no forwarders statement is present or an empty list for forwarders is given, then no forwarding will be done for the domain, canceling the effects of any forwarders in the options statement. Thus if you want to use this type of zone to change the behavior of the global forward option (that is, forward first to, then forward only, or vice versa, but want to use the same servers as set globally) you need to re-specify the global forwarders. so perhaps delete something like forward first; in your config and/or as said cancel forwarders section total -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: OT how to bypass public nameservers as bind forwarders?
On 21.3.2012 14:40, Michael Scheidell wrote: On 3/21/12 8:24 AM, Jari Fredriksson wrote: I use public DNS services as forwarders in my LAN dns (bind9). I remember that once disabled forwarders for some URIBL but the setting is gone, and I can't find a recipe. Howto? don't use public forwarders. unless you are doing 100K dns queries per day, just use bind and root zones. if you want information on how to fix bind, then you need the bind faq/man page/news group. I used public forwarders because app called namebench told me that they are faster. I need bind for my own LAN, but the rest is server as is fastest. One is google, other another public one, not google. zone solutions is how I have it now. Let us see how it goes... -- Bridge ahead. Pay troll.
Re: OT how to bypass public nameservers as bind forwarders?
On 3/21/2012 9:07 AM, Jari Fredriksson wrote: I used public forwarders because app called namebench told me that they are faster. I need bind for my own LAN, but the rest is server as is fastest. One is google, other another public one, not google. zone solutions is how I have it now. Let us see how it goes... A good reason to use public forwarders but one which I would say can cause a variety of issues including problems with DNSRBLs with SA. I would not recommend that you use a public forwarder with an SA installation for a variety of reasons that primarily boil down to predictable results within your control. regards, KAM
Re: Allowing IMAP users to train spam/ham
On Wed, 21 Mar 2012 10:06:58 +0100 Matus UHLAR - fantomas wrote: On Fri, 9 Mar 2012 16:38:49 +0100 Matus UHLAR - fantomas wrote: No, it isn't. Bayes is a statistical filter it needs to learn a lot of diverse spam and ham to reach its optimum accuracy. It's been demonstrated on Bogofilter that train-on-everything outperforms train-on-error on the same corpora. They both end up with similar accuracy, but train-on-everything gets there very much faster. Bogofilter is almost identical to BAYES; they just differ in the details of the tokenizer and the Robinson parameters. Training on SA misclassification is going to be glacially slow. there are two problems when requiring users to manually learn on everything. I'm not advocating that users be forced to do anything, my preference is to allow them to choose what they want to train on. Whether or not your script chooses to learn everything they submit is a different matter. - it's more work to implement In general it's easier to implement explicit learn-spam and learn-ham folders than it is to keep track of what is moved in and out of a spam folder. - it's more work for users to do the training. Not really, if they choose to learn just the spamassassin misclassifications it's the same work, but they have the option to learn more - in particular important ham. Personally, if I saw that important mail was hitting BAYES_50, I'd feel pretty frustrated sitting around waiting for FPs to train Bayes, knowing that those FPs are avoidable. Note that the main goal of spam filters is to save people some work, not to give it to them. The users will want to do the training only on misfires, and the sooner they get there, the better. On Wed, 21 Mar 2012 08:38:24 -0400 Michael Scheidell wrote: On 3/21/12 5:06 AM, Matus UHLAR - fantomas wrote: there are two problems when requiring users to manually learn on everything. - it's more work to implement - it's more work for users to do the training.
and, if 95% of the users are using microsoft exchange, exchange will horribly mangle the headers, and the body, even changing the actual encoding. so, what would you manually learn? That applies to any form of manual user training, so it's a different issue. I don't know the details of what exchange does, but I suspect it matters less than you think because most of the information used by Bayes is in normalized form.
Re: Allowing IMAP users to train spam/ham
On Wed, 21 Mar 2012 13:44:49 +0100 Matus UHLAR - fantomas uh...@fantomas.sk wrote: Mangling data by exchange is a big problem when trying to filter spam in front of it. I see two ways to avoid this problem: - use spam server for exchange. We use one from GFI, with quite good results. - you can use spam filter in front of exchange, store copies on it and learn from them. However, you will probably be the only one who can train spamfilter in such case. Actually, there's a third way and it's what we do (but difficult to set up with pure SpamAssassin.) We tokenize inbound messages and store the tokens on the server. In each message, we add links for doing training. When you click on a training link, the system trains the message based on the tokens stored on the server. In that way, you are training using exactly the tokens that the Bayes code saw. Regards, David.
Re: Allowing IMAP users to train spam/ham
On 3/21/2012 9:30 AM, David F. Skoll wrote: Actually, there's a third way and it's what we do (but difficult to set up with pure SpamAssassin.) We tokenize inbound messages and store the tokens on the server. In each message, we add links for doing training. When you click on a training link, the system trains the message based on the tokens stored on the server. In that way, you are training using exactly the tokens that the Bayes code saw. Regards, David. Very elegant IMO. I'd love to look at moving some of the framework to support this into SA. Any objections? Won't be anything quick but it's a really great idea.
Re: Allowing IMAP users to train spam/ham
On Wed, 21 Mar 2012 09:57:33 -0400 Kevin A. McGrail kmcgr...@pccc.com wrote: [Storing Bayes tokens on the server and retrieving them when training] Very elegant IMO. I'd love to look at moving some of the framework to support this into SA. Any objections? Won't be anything quick but it's a really great idea. Feel free to use the idea. Alas, the code is proprietary and wouldn't fit well into Spamassassin anyway, so I can't contribute that back. Regards, David.
Re: Allowing IMAP users to train spam/ham
On 3/21/2012 10:03 AM, David F. Skoll wrote: On Wed, 21 Mar 2012 09:57:33 -0400 Kevin A. McGrail kmcgr...@pccc.com wrote: [Storing Bayes tokens on the server and retrieving them when training] Very elegant IMO. I'd love to look at moving some of the framework to support this into SA. Any objections? Won't be anything quick but it's a really great idea. Feel free to use the idea. Alas, the code is proprietary and wouldn't fit well into Spamassassin anyway, so I can't contribute that back. The idea alone is good enough, thanks. I figured you had it in Can-IT so I wanted to ask. Regards, KAM
Re: Allowing IMAP users to train spam/ham
On 3/21/12 9:57 AM, Kevin A. McGrail wrote: Very elegant IMO. I'd love to look at moving some of the framework to support this into SA. Any objections? Won't be anything quick but it's a really great idea. We thought about this once. add (ie: modify body of email) with 'report spam', 'blacklist sender' links. If the links are internal (private ip's), or internally resolvable names, or names or ip's that resolve only locally or via vpn, then that might be ok. But, what do you do about an email that was forwarded to someone else? And, that someone else has one of those silly anti-malware plugins that surfs to every url in any inbound email? (or some forwarder recipient decides to click on one of the links) -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 *| *SECNAP Network Security Corporation
Re: OT how to bypass public nameservers as bind forwarders?
Jari Fredriksson wrote: I get this in SpamAssassin report: 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. I use public DNS services as forwarders in my LAN dns (bind9). I remember that once disabled forwarders for some URIBL but the setting is gone, and I can't find a recipe. Hi Jari you set up a zone file for the rbl in question: zone rbl { forward first; forwarders; } -- Per Jessen, Zürich (14.5°C)
Re: Allowing IMAP users to train spam/ham
On 3/21/2012 10:41 AM, Michael Scheidell wrote: On 3/21/12 9:57 AM, Kevin A. McGrail wrote: Very elegant IMO. I'd love to look at moving some of the framework to support this into SA. Any objections? Won't be anything quick but it's a really great idea. We thought about this once. add (ie: modify body of email) with 'report spam', 'blacklist sender' links. If the links are internal (private ip's), or internally resolvable names, or names or ip's that resolve only locally or via vpn, then that might be ok. But, what do you do about an email that was forwarded to someone else? And, that someone else has one of those silly anti-malware plugins that surfs to every url in any inbound email? (or some forwarder recipient decides to click on one of the links) From my perspective, the key point is solely the framework to store the Bayesian tokens from the email before delivery of the email so later, a "this is spam"/"this is ham" mechanism can take advantage of that information without having the entire email. The issues you are pointing to have to deal more with the implementation of the "this is spam"/"this is ham" mechanism. Regards, KAM
Re: Allowing IMAP users to train spam/ham
On Wed, 21 Mar 2012 10:41:31 -0400 Michael Scheidell michael.scheid...@secnap.com wrote: But, what do you do about an email that was forwarded to someone else? And, that someone else has one of those silly anti-malware plugins that surfs to every url in any inbound email? By default, our system won't allow training until the user logs in. So clicking the link takes you to an authentication screen and the voting only happens after you log in. We provide an option to bypass this for those who are willing to risk the things you mention. Also, if you're sending outbound mail through our system, we strip off preexisting voting links which helps reduce the problem, and of course we use the nofollow attribute in the link where possible so that search engines that index mail archives don't cause voting to happen. Regards, David.
Re: OT how to bypass public nameservers as bind forwarders?
On 03/21, Jari Fredriksson wrote: 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. This is plenty on topic. I tried to update the contents of that wiki link with the useful answers from this thread. Everybody should feel free to further improve the wiki, just create an account, and email d...@spamassassin.apache.org to request write access. -- He who dies with the most toys... still dies. - No Fear http://www.ChaosReigns.com
Re: OT how to bypass public nameservers as bind forwarders?
On 21.3.2012 16:45, Per Jessen wrote: Jari Fredriksson wrote: I get this in SpamAssassin report: 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. I use public DNS services as forwarders in my LAN dns (bind9). I remember that once disabled forwarders for some URIBL but the setting is gone, and I can't find a recipe. Hi Jari you set up a zone file for the rbl in question: zone rbl { forward first; forwarders; }

That forwarders needs empty {}

Thanks all, I have now:

    zone combined.njabl.org { type forward; forward first; forwarders {}; };
    zone dnsbl.sorbs.net { type forward; forward first; forwarders {}; };
    zone zen.spamhaus.org { type forward; forward first; forwarders {}; };
    zone activationcode.r.mail-abuse.com { type forward; forward first; forwarders {}; };
    zone nonconfirm.mail-abuse.com { type forward; forward first; forwarders {}; };
    zone iadb.isipp.com { type forward; forward first; forwarders {}; };
    zone bl.mailspike.net { type forward; forward first; forwarders {}; };
    zone wl.mailspike.net { type forward; forward first; forwarders {}; };
    zone bb.barracudacentral.org { type forward; forward first; forwarders {}; };
    zone psbl.surriel.com { type forward; forward first; forwarders {}; };
    zone bl.score.senderscore.com { type forward; forward first; forwarders {}; };
    zone list.dnswl.org { type forward; forward first; forwarders {}; };
    zone multi.uribl.com { type forward; forward first; forwarders {}; };

Hope it works. -- Knucklehead:Knock, knock Pee Wee:Who's there? Knucklehead:Little ol' lady. Pee Wee:Liddle ol' lady who? Knucklehead:I didn't know you could yodel
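An added example, not part of any post in this thread: a small Python audit that reads a named.conf and reports, for each DNSBL zone, whether its lookups still go through the global forwarders or are resolved directly because a forward zone with an empty forwarders list covers it. The sample configuration, its addresses, the status names and the function names are constructed for illustration, and the parser handles only the simple statements shown here.

```python
import re

# DNSBL/DNSWL zone names copied from the configuration posted in the thread.
DNSBL_ZONES = ["zen.spamhaus.org", "list.dnswl.org", "multi.uribl.com",
               "dnsbl.sorbs.net", "bl.mailspike.net"]

# Constructed sample named.conf; the forwarder addresses are documentation IPs.
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    forwarders { 192.0.2.53; 198.51.100.53; };   // public resolvers
};
zone "list.dnswl.org"  { type forward; forward first; forwarders {}; };
zone zen.spamhaus.org  { type forward; forward first; forwarders {}; };
zone "uribl.com"       { type forward; forward first; forwarders { }; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders; };  # needs {}
zone "lan.example"     { type master; file "db.lan"; };
"""

FORWARDERS = re.compile(r"\bforwarders\s*\{([^}]*)\}")
BARE_FORWARDERS = re.compile(r"\bforwarders\s*;")   # the form corrected in the thread


def strip_comments(text):
    """Drop /* */, // and # comments so braces inside them are not parsed."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level 'header { body };' statement."""
    depth, start, header, body_start = 0, 0, "", 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header, body_start = text[start:i].strip(), i + 1
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                yield header, text[body_start:i]
        elif ch == ";" and depth == 0:
            start = i + 1


def forwarder_list(body):
    """Addresses inside forwarders { ... }, or None when the statement is absent."""
    m = FORWARDERS.search(body)
    if m is None:
        return None
    return [a.strip() for a in m.group(1).split(";") if a.strip()]


def parse(conf):
    """Return (global forwarders, {forward zone name: list, None or 'invalid'})."""
    global_fw, zones = [], {}
    for header, body in top_level_blocks(strip_comments(conf)):
        words = header.split()
        if words and words[0] == "options":
            global_fw = forwarder_list(body) or []
        elif len(words) >= 2 and words[0] == "zone":
            if not re.search(r"\btype\s+forward\s*;", body):
                continue  # only forward zones are examined here
            name = words[1].strip('"').rstrip(".").lower()
            zones[name] = ("invalid" if BARE_FORWARDERS.search(body)
                           else forwarder_list(body))
    return global_fw, zones


def audit(conf, dnsbl_zones=DNSBL_ZONES):
    """Map each DNSBL zone to direct, global-forwarders, zone-forwarders or invalid."""
    global_fw, zones = parse(conf)
    report = {}
    for dnsbl in dnsbl_zones:
        # The most specific forward zone at or above the DNSBL name decides.
        covering = [z for z in zones if dnsbl == z or dnsbl.endswith("." + z)]
        if not covering:
            report[dnsbl] = "global-forwarders" if global_fw else "direct"
            continue
        setting = zones[max(covering, key=len)]
        if setting == "invalid":
            report[dnsbl] = "invalid"
        elif setting:
            report[dnsbl] = "zone-forwarders"   # sent to a per-zone forwarder
        else:
            # Per the BIND manual text quoted in the thread, an empty or missing
            # forwarders list in a forward zone cancels the global forwarders.
            report[dnsbl] = "direct"
    return report


if __name__ == "__main__":
    for zone, status in audit(SAMPLE_CONF).items():
        print(f"{zone:20} {status}")
```

Any zone reported as global-forwarders is still queried through the shared resolvers and can hit the DNSWL block described in the thread.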
Conflicting information about bayes database contents in lint debug output
Hello, I'm having problems with bayes database. When I issue spamassassin --lint -D, I see the following phrase: bayes: not available for scanning, only 0 spam(s) in bayes DB 200. However, a bit further I see this: corpus size: nspam = 59870, nham = 185841. What can be the cause of such behavior? Here's a paste of the full output: http://pastebin.com/0sVTs4Rt sa-learn does learn new messages but scanning result is always at BAYES_00 level. Thanks in advance for any feedback. Adrian
Re: Conflicting information about bayes database contents in lint debug output
On 3/21/2012 11:42 AM, Adrian Gruntkowski wrote: Hello, I'm having problems with bayes database. When I issue spamassassin --lint -D, I see a following phrase: bayes: not available for scanning, only 0 spam(s) in bayes DB 200. However, a bit further I see this: corpus size: nspam = 59870, nham = 185841. What can be the cause of such behavior? Here's a paste of the full output: http://pastebin.com/0sVTs4Rt sa-learn does learn new messages but scanning result is always at BAYES_00 level. Thanks in advance for any feedback. Adrian

This has me thinking this is saying you last expired your bayes database in February of 2010 and October 2010 is your newest bayes entry

mar 21 14:49:41.864 [29655] dbg: bayes: DB expiry: tokens in DB: 126913, Expiry max size: 15, Oldest atime: 1265831470, Newest atime: 1288551607, Last expire: 1266211518, Current time: 1332337781

I have a feeling when you run the expire, your DB will be quite empty and I'm *guessing* it won't use entries that old. regards, KAM
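An added example, not part of the original posts: a Python triage of the three Bayes debug lines discussed above, converting the epoch values to UTC dates and flagging the disagreement between the scanner's spam count and the corpus size. The third sample line is the one quoted in the reply; the first two are constructed from the phrases quoted in the question (their timestamp prefix and the optional "<" in the pattern are assumptions), and the function and key names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Line 3 is the debug line quoted in the reply. Lines 1 and 2 are constructed
# from the phrases quoted in the question; their timestamp/pid prefix is made up.
SAMPLE_LINES = [
    "mar 21 14:49:41.700 [29655] dbg: bayes: not available for scanning, "
    "only 0 spam(s) in bayes DB 200",
    "mar 21 14:49:41.800 [29655] dbg: bayes: corpus size: nspam = 59870, nham = 185841",
    "mar 21 14:49:41.864 [29655] dbg: bayes: DB expiry: tokens in DB: 126913, "
    "Expiry max size: 15, Oldest atime: 1265831470, Newest atime: 1288551607, "
    "Last expire: 1266211518, Current time: 1332337781",
]

# The "<" between the two numbers is optional because it is absent on the page.
NOT_AVAILABLE = re.compile(r"only (\d+) spam\(s\) in bayes DB\s*<?\s*(\d+)")
CORPUS = re.compile(r"corpus size: nspam = (\d+), nham = (\d+)")
EXPIRY_FIELD = re.compile(
    r"(Oldest atime|Newest atime|Last expire|Current time): (\d+)")

# Debug field name -> key used in the report.
LABELS = {"Oldest atime": "oldest_atime",
          "Newest atime": "newest_atime",
          "Last expire": "last_expire"}


def utc_date(epoch):
    """Render a Unix timestamp as an ISO date in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).date().isoformat()


def triage(lines):
    """Collect the Bayes counters and token ages from --lint -D debug lines."""
    report = {}
    for line in lines:
        if "dbg: bayes:" not in line:
            continue
        m = NOT_AVAILABLE.search(line)
        if m:
            report["scanner_nspam"], report["nspam_required"] = map(int, m.groups())
        m = CORPUS.search(line)
        if m:
            report["corpus_nspam"], report["corpus_nham"] = map(int, m.groups())
        if "DB expiry:" in line:
            fields = {k: int(v) for k, v in EXPIRY_FIELD.findall(line)}
            if "Current time" not in fields:
                continue  # truncated line: ages cannot be computed
            now = fields["Current time"]
            for name, key in LABELS.items():
                if name in fields:
                    report[key] = utc_date(fields[name])
                    report[key + "_age_days"] = (now - fields[name]) // 86400
    # The symptom from the question: the scanner sees too few spam messages
    # although the corpus counters report far more than the required number.
    needed = {"scanner_nspam", "nspam_required", "corpus_nspam"}
    if needed <= report.keys():
        report["count_mismatch"] = (
            report["scanner_nspam"] < report["nspam_required"]
            <= report["corpus_nspam"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key:24} {value}")
```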
Re: OT how to bypass public nameservers as bind forwarders?
On 2012-03-21 14:07, Jari Fredriksson wrote: don't use public forwarders. unless you are doing 100K dns queries per day, just use bind and root zones. if you want information on how to fix bind, then you need the bind faq/man page/news group. agree I used public forwarders because app called namebench told me that they are faster. I need bind for my own LAN, but the rest is server as is fastest. One is google, other another public one, not google. only use public forwards if there are problems with +trace, if so add forwards per zone, not global zone solutions is how I have it now. Let us see how it goes... namebench needs updating anyway
SPF_FAIL
Hello! I have a question: why doesn't SpamAssassin add the header SPF_FAIL in X-Spam-Status?

s61:~# cat sa.log |grep -i spf
mar 21 22:42:40.285 [20073] dbg: config: read file /usr/share/spamassassin/25_spf.cf
mar 21 22:42:40.287 [20073] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf
mar 21 22:42:40.336 [20073] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
mar 21 22:42:40.921 [20073] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, already registered
mar 21 22:42:42.365 [20073] dbg: spf: checking to see if the message has a Received-SPF header that we can use
mar 21 22:42:42.386 [20073] dbg: spf: using Mail::SPF for SPF checks
mar 21 22:42:42.386 [20073] dbg: spf: checking HELO (helo=discus, ip=82.154.150.174)
mar 21 22:42:42.386 [20073] dbg: spf: cannot check HELO of 'discus', skipping
mar 21 22:42:42.389 [20073] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
mar 21 22:42:42.389 [20073] dbg: spf: found Envelope-From in first external Received header
mar 21 22:42:42.389 [20073] dbg: spf: checking EnvelopeFrom (helo=discus, ip=82.154.150.174, envfrom=picturesqu...@ameriton.com)
mar 21 22:42:42.390 [20073] dbg: dns: providing a callback for id: 10955/ameriton.com/SPF/IN
mar 21 22:42:42.404 [20073] dbg: spf: query for picturesqu...@ameriton.com/82.154.150.174/discus: result: none, comment: , text: No applicable sender policy available
mar 21 22:42:42.411 [20073] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check
mar 21 22:42:42.413 [20073] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
mar 21 22:42:42.895 [20073] dbg: timing: total 2614 ms - init: 1502 (57.4%), parse: 1.58 (0.1%), extract_message_metadata: 82 (3.1%), poll_dns_idle: 21 (0.8%), get_uri_detail_list: 1.03 (0.0%), tests_pri_-1000: 19 (0.7%), compile_gen: 163 (6.2%), compile_eval: 55 (2.1%), tests_pri_-950: 5 (0.2%), tests_pri_-900: 6 (0.2%), tests_pri_-400: 5 (0.2%), tests_pri_0: 857 (32.8%), dkim_load_modules: 56 (2.1%), check_dkim_signature: 0.83 (0.0%), check_dkim_adsp: 150 (5.7%), check_spf: 36 (1.4%), check_pyzor: 0.40 (0.0%), tests_pri_500: 77 (3.0%)
s61:~#

I have in my config

score SPF_FAIL 8
score SPF_SOFTFAIL 6
score SPF_NEUTRAL 4

Regards, Piotr
Re: Allowing IMAP users to train spam/ham
On 2012-03-21 13:38, Michael Scheidell wrote: so, what would you manually learn? using dspam then it's not a problem, it only needs dspam signature internet postfix dspam postfix exchange relay transport now exchange have the dspam signature and can report back if it's spam or ham, howto make that work is out of my scope :=) it's good that there is no exchange smtp problem
Re: SPF_FAIL
The message I have tested is spam and I want to add some score when the SPF failed but my X-Spam-Status looks like

X-Spam-Status: No, score=4.4 required=5.0 tests=DYN_RDNS_SHORT_HELO_HTML,
 FSL_HELO_NON_FQDN_1,HELO_NO_DOMAIN,HTML_MESSAGE,MIME_HTML_ONLY,
 RCVD_IN_BRBL_LASTEXT,RCVD_IN_RP_RNBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,
 TO_EQ_FM_HTML_ONLY,UNPARSEABLE_RELAY autolearn=no version=3.3.2
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06)

after checking it with command spamassassin -D /home/admin/test.eml there is no SPF_FAIL Thank You for any help Piotr
Re: SPF_FAIL
On 3/21/2012 5:48 PM, Piotr Kloc wrote:

> Hello!
>
> I have a question: why doesn't SpamAssassin add the header SPF_FAIL in X-Spam-Status?
>
> s61:~# cat sa.log |grep -i spf
> mar 21 22:42:40.285 [20073] dbg: config: read file /usr/share/spamassassin/25_spf.cf
> mar 21 22:42:40.287 [20073] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf
> mar 21 22:42:40.336 [20073] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
> mar 21 22:42:40.921 [20073] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, already registered
> mar 21 22:42:42.365 [20073] dbg: spf: checking to see if the message has a Received-SPF header that we can use
> mar 21 22:42:42.386 [20073] dbg: spf: using Mail::SPF for SPF checks
> mar 21 22:42:42.386 [20073] dbg: spf: checking HELO (helo=discus, ip=82.154.150.174)
> mar 21 22:42:42.386 [20073] dbg: spf: cannot check HELO of 'discus', skipping
> mar 21 22:42:42.389 [20073] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
> mar 21 22:42:42.389 [20073] dbg: spf: found Envelope-From in first external Received header
> mar 21 22:42:42.389 [20073] dbg: spf: checking EnvelopeFrom (helo=discus, ip=82.154.150.174, envfrom=picturesqu...@ameriton.com)
> mar 21 22:42:42.390 [20073] dbg: dns: providing a callback for id: 10955/ameriton.com/SPF/IN
> mar 21 22:42:42.404 [20073] dbg: spf: query for picturesqu...@ameriton.com/82.154.150.174/discus: result: none, comment: , text: No applicable sender policy available
> mar 21 22:42:42.411 [20073] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check
> mar 21 22:42:42.413 [20073] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
> mar 21 22:42:42.895 [20073] dbg: timing: total 2614 ms - init: 1502 (57.4%), parse: 1.58 (0.1%), extract_message_metadata: 82 (3.1%), poll_dns_idle: 21 (0.8%), get_uri_detail_list: 1.03 (0.0%), tests_pri_-1000: 19 (0.7%), compile_gen: 163 (6.2%), compile_eval: 55 (2.1%), tests_pri_-950: 5 (0.2%), tests_pri_-900: 6 (0.2%), tests_pri_-400: 5 (0.2%), tests_pri_0: 857 (32.8%), dkim_load_modules: 56 (2.1%), check_dkim_signature: 0.83 (0.0%), check_dkim_adsp: 150 (5.7%), check_spf: 36 (1.4%), check_pyzor: 0.40 (0.0%), tests_pri_500: 77 (3.0%)
> s61:~#
>
> I have in my config:
>
> score SPF_FAIL 8
> score SPF_SOFTFAIL 6
> score SPF_NEUTRAL 4
>
> Regards,
> Piotr

The Domain in the From in the envelope, ameriton.com, doesn't publish an SPF Record:

dig -t txt ameriton.com

;; QUESTION SECTION:
;ameriton.com. IN TXT

;; AUTHORITY SECTION:
ameriton.com. 7200 IN SOA NS53.WORLDNIC.com. namehost.WORLDNIC.com. 10914 10800 3600 604800 3600

Regards,
KAM
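The diagnosis in the reply above, as an added example that is not part of the original thread: a small Python parser that reads the `dbg: spf:` lines from `spamassassin -D` output and reports which SPF result each identity produced, and therefore why SPF_FAIL is absent. The sample log is constructed (placeholder address and IP), the function names are hypothetical, and the HELO rule names are assumed to follow the SPF_HELO_PASS naming seen elsewhere in this thread.

```python
import re

# Constructed sample in the `spamassassin -D` debug format quoted in the thread;
# the address and IP are placeholders, not the values from the original log.
SAMPLE_LOG = """\
mar 21 22:42:42.386 [20073] dbg: spf: checking HELO (helo=discus, ip=192.0.2.10)
mar 21 22:42:42.386 [20073] dbg: spf: cannot check HELO of 'discus', skipping
mar 21 22:42:42.389 [20073] dbg: spf: checking EnvelopeFrom (helo=discus, ip=192.0.2.10, envfrom=sender@example.com)
mar 21 22:42:42.404 [20073] dbg: spf: query for sender@example.com/192.0.2.10/discus: result: none, comment: , text: No applicable sender policy available
"""

# SPF result -> envelope-sender rule name, limited to names used in the thread.
RESULT_TO_RULE = {"pass": "SPF_PASS", "neutral": "SPF_NEUTRAL",
                  "softfail": "SPF_SOFTFAIL", "fail": "SPF_FAIL", "none": "SPF_NONE"}

CHECK_RE = re.compile(r"dbg: spf: checking (HELO|EnvelopeFrom) \(")
SKIP_RE = re.compile(r"dbg: spf: cannot check HELO of '([^']*)', skipping")
RESULT_RE = re.compile(r"dbg: spf: query for \S+: result: (\w+), comment: .*?, text: (.*)$")


def spf_outcomes(log_text):
    """Map each identity SpamAssassin checked (HELO, EnvelopeFrom) to its SPF outcome."""
    outcomes, scope = {}, None
    for line in log_text.splitlines():
        if m := CHECK_RE.search(line):
            scope = m.group(1)          # later result lines belong to this identity
        elif m := SKIP_RE.search(line):
            outcomes["HELO"] = {"result": "skipped", "rule": None,
                                "detail": "HELO '%s' is not checkable" % m.group(1)}
        elif (m := RESULT_RE.search(line)) and scope:
            result = m.group(1).lower()
            rule = RESULT_TO_RULE.get(result)   # None for results with no rule listed here
            if rule and scope == "HELO":
                rule = rule.replace("SPF_", "SPF_HELO_", 1)  # assumed HELO naming
            outcomes[scope] = {"result": result, "rule": rule, "detail": m.group(2).strip()}
    return outcomes


def why_rule_missing(log_text, expected="SPF_FAIL"):
    """Explain why `expected` is absent from X-Spam-Status, based on the SPF debug lines."""
    reasons = []
    for scope, o in spf_outcomes(log_text).items():
        if o["rule"] == expected:
            return "%s should have hit (%s result: %s)" % (expected, scope, o["result"])
        reasons.append("%s: result=%s (%s) -> %s" % (scope, o["result"], o["detail"], o["rule"]))
    return "%s not hit; %s" % (expected, "; ".join(reasons))


if __name__ == "__main__":
    print(why_rule_missing(SAMPLE_LOG))
```

A result of `none` means the sender's domain published no policy at all, so there is nothing for SPF_FAIL, SPF_SOFTFAIL or SPF_NEUTRAL to match, whatever scores they carry.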
Re: SPF_FAIL
> The Domain in the From in the envelope, ameriton.com, doesn't publish an SPF Record:

I know that, and I wanted to add some more score when there is no SPF record. Is it possible to do this with SpamAssassin?

Piotr
Re: SPF_FAIL
On 2012-03-21 23:00, Piotr Kloc wrote:

>> The Domain in the From in the envelope, ameriton.com, doesn't publish an SPF Record:
>
> I know that, and I wanted to add some more score when there is no SPF record. Is it possible to do this with SpamAssassin?

meta NO_SPF_ON_SENDER_DOMAIN (!SPF_PASS || !SPF_HELO_PASS)

or make one for other spam conditions as you see fit
Re: SPF_FAIL
> I know that, and I wanted to add some more score when there is no SPF record. Is it possible to do this with SpamAssassin?

I'm not aware of a no spf record rule but the underlying plugin looks to support what you want. I think you might find that to be a poorly performing rule except in meta rules, though.

I'm going to add this to the default rules with a score 0 so you can then just give it a score you want.

header SPF_NONE eval:check_for_spf_none()
describe SPF_NONE SPF sender does not publish an SPF Record
score SPF_NONE 1

regards,
kAM
Re: SPF_FAIL
> I'm going to add this to the default rules with a score 0 so you can then just give it a score you want.

I also added spf_helo_none

svn commit -m 'Added a default rule for SPF_NONE that is disabled with Score 0 for administrators to activate'
Sending        rules/25_spf.cf
Sending        rules/50_scores.cf
Transmitting file data ..
Committed revision 1303613.

Regards,
KAM
Re: SPF_FAIL
On 3/21/12 6:19 PM, Kevin A. McGrail wrote:

>> I know that, and I wanted to add some more score when there is no SPF record. Is it possible to do this with SpamAssassin?
>
> I'm not aware of a no spf record rule but the underlying plugin looks to support what you want. I think you might find that to be a poorly performing rule except in meta rules, though.
>
> I'm going to add this to the default rules with a score 0 so you can then just give it a score you want.
>
> header SPF_NONE eval:check_for_spf_none()
> describe SPF_NONE SPF sender does not publish an SPF Record
> score SPF_NONE 1

score of zero? or 1?

> regards,
> kAM

--
Michael Scheidell, CTO
SECNAP Network Security Corporation