Re: score 0 autolearn=ham

2012-11-04 Thread Joseph Acquisto
 On 11/3/2012 at 9:15 PM, Joseph Acquisto j...@j4computers.com wrote:
 Why do these score 0 ?
 
 http://pastebin.com/U4zFu8wk 
 http://pastebin.com/MV9KbnbU 

Two more this AM.  I did not bother posting these; they're virtually identical. 
Pastebin will expire them this evening.

Obvious SPAM/malware.   I had once asked about a rule that could specify a 
domain (to ban) in an HTML link in the message body.
I don't recall this being entirely successful.

I recall doing some early work which hit via command-line operation (perlish 
regex checks) but never seemed to work when put in local.cf.

joe a.



Re: score 0 autolearn=ham

2012-11-04 Thread Martin Gregorie
On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote:
  On 11/3/2012 at 9:15 PM, Joseph Acquisto j...@j4computers.com wrote:
  Why do these score 0 ?
  
  http://pastebin.com/U4zFu8wk 
  http://pastebin.com/MV9KbnbU 
 
I ran the second one through my testing SA system: it got hits from
several blacklists together with hits on RDNS_NONE and
UNPARSEABLE_RELAY:

RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,
RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL,
URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL

though from the looks of it there's little else in its contents that
should trigger body rules. 

Have you considered greylisting? When my ISP turned it on my mail stream
immediately changed from 80% spam to 95%+ ham.

 I had once asked about a rule that could specify a domain (to ban) in an HTML 
 link in the message body.
 I don't recall this being entirely successful.
 
You can try using the setup I developed to deal with a spam-ridden
mailing list that linked to a forum - the forum is trivially easy for
spammers to dump junk into, so they do. However, building this type of
SA rule can be like playing whack-a-mole until you start to recognise
patterns in the URLs/domain names/product names/phrases used and begin
to use a combination of broadly-matching regexes and meta-rules to get
an acceptable FP rate. 

This rule maintenance tool may help you to build and extend them: 
http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz


Martin
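
As an added illustration of the kind of rule Martin describes (this is not
code from the thread or from the portmanteau tool), here is a local.cf
fragment that scores a body link to a specific domain, then combines a
broader host-name pattern with a second signal through a meta rule so the
broad regex alone does not push a message over the threshold. The domain
names, rule names and scores are placeholders chosen for the example.

```conf
# --- Added example, not from the thread. Names and scores are placeholders. ---

# 'uri' rules are matched against every URI SpamAssassin extracts from the
# message, including href= targets in HTML parts, so this sees the link
# destination. A 'body' rule only sees the rendered text (tags stripped);
# use 'rawbody' if you need to match the raw HTML itself.
uri      LOCAL_URI_BAD_DOMAIN   /^https?:\/\/(?:[^\/]+\.)?bad-domain\.example\b/i
describe LOCAL_URI_BAD_DOMAIN   Body link points at bad-domain.example
score    LOCAL_URI_BAD_DOMAIN   3.0

# Broad pattern for a family of rotating host names. On its own this would
# be a false-positive risk, so it gets a low score...
uri      LOCAL_URI_LOOKALIKE    /^https?:\/\/[a-z0-9-]*(?:pharm|pills|casino)[a-z0-9-]*\.(?:ru|info|biz)\b/i
describe LOCAL_URI_LOOKALIKE    Link host matches rotating spam naming pattern
score    LOCAL_URI_LOOKALIKE    1.0

# ...and a sub-rule (double underscore prefix: never scored on its own,
# exists only to feed meta rules).
uri      __LOCAL_URI_SHORTENER  /^https?:\/\/(?:bit\.ly|tinyurl\.com|goo\.gl)\//i

# Meta rule: the broad pattern together with a shortener link or an
# unparseable relay header is worth a lot more than either alone.
meta     LOCAL_BAD_LINK_COMBO   (LOCAL_URI_LOOKALIKE && (__LOCAL_URI_SHORTENER || UNPARSEABLE_RELAY))
describe LOCAL_BAD_LINK_COMBO   Suspicious link pattern plus a second suspicious signal
score    LOCAL_BAD_LINK_COMBO   2.5
```

After editing local.cf, run `spamassassin --lint` to catch syntax errors
(keep rule names to letters, digits and underscores), restart spamd so the
daemon re-reads the file, and then feed a saved sample through
`spamassassin -t < message.eml` and look for the rule names in the report
at the bottom. A rule that matches on the command line but "never fires"
in production is very often one that the running spamd has not loaded yet,
or one that was written as a `body` rule and therefore never sees the
href target.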




Re: score 0 autolearn=ham

2012-11-04 Thread Joseph Acquisto
 On 11/4/2012 at 8:34 AM, Martin Gregorie mar...@gregorie.org wrote:
 On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote:
  On 11/3/2012 at 9:15 PM, Joseph Acquisto j...@j4computers.com wrote:
  Why do these score 0 ?
  
  http://pastebin.com/U4zFu8wk 
  http://pastebin.com/MV9KbnbU 
 
 I ran the second one through my testing SA system: it got hits from
 several blacklists together with hits on RDNS_NONE and
 UNPARSEABLE_RELAY:

I have RDNS_NONE 0, and UNPARSEABLE_RELAY 2.  I understand 0 to mean don't 
test, but don't get why it did not flag UNPARSEABLE_RELAY.

 
 RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,
 RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL,
 URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL

I'd love to use RBL but understand I can't, as the last IP is always the 
same, as I fetch all mail from a single POP. Perhaps I am missing something?

 though from the looks of it there's little else in its contents that
 should trigger body rules. 
 
 Have you considered greylisting? When my ISP turned it on my mail stream
 immediately changed from 80% spam to 95%+ ham.
 
 I had once asked about a rule that could specify a domain (to ban) in an 
 HTML link in the message body.
 I don't recall this being entirely successful.
 
 You can try using the setup I developed to deal with a spam-ridden
 mailing list that linked to a forum - the forum is trivially easy for
 spammers to dump junk into, so they do. However, building this type of
 SA rule can be like playing whack-a-mole until you start to recognise
 patterns in the URLs/domain names/product names/phrases used and begin
 to use a combination of broadly-matching regexes and meta-rules to get
 an acceptable FP rate. 
 
 This rule maintenance tool may help you to build and extend them: 
 http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz 
 

I'll give it a look.

 Martin

joe a.



Re: score 0 autolearn=ham

2012-11-04 Thread Jari Fredriksson
On 04.11.2012 22:33, Joseph Acquisto wrote:
 I'd love to use RBL but understand I can't, as the last IP is always the 
 same, as I fetch all mail from a single POP. Perhaps I am missing something?
Yes. You put that single POP ESP address into your trusted networks.
Then it works as designed.

-- 

Is that really YOU that is reading this?






Re: score 0 autolearn=ham

2012-11-04 Thread Martin Gregorie
On Sun, 2012-11-04 at 15:33 -0500, Joseph Acquisto wrote:
  On 11/4/2012 at 8:34 AM, Martin Gregorie mar...@gregorie.org wrote:
  On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote:
   On 11/3/2012 at 9:15 PM, Joseph Acquisto j...@j4computers.com 
   wrote:
   Why do these score 0 ?
   
   http://pastebin.com/U4zFu8wk 
   http://pastebin.com/MV9KbnbU 
  
  I ran the second one through my testing SA system: it got hits from
  several blacklists together with hits on RDNS_NONE and
  UNPARSEABLE_RELAY:
 
 I have RDNS_NONE 0, and UNPARSEABLE_RELAY 2.  I understand 0 to mean don't 
 test, but don't get why it did not flag UNPARSEABLE_RELAY.
 
Pass. Not enough information for me to understand the problem, and anyway
it's not something I fully understand.

  
  RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,
  RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL,
  URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL
 
 I'd love to use RBL but understand I can't, as the last IP is always the 
 same, as I fetch all mail from a single POP. Perhaps I am missing something?
 
My set-up is very similar to yours. I use getmail[1] to read mail from
my POP3 mailbox on my ISP's mailserver and pass it on to my MTA, Postfix
running on my house server, which hands incoming mail to Dovecot for
delivery to my mailreader. In SA's local.cf I've set:

internal_networks 192.168.7/24

trusted_networks 192.168.7/24
trusted_networks 77.75.108.10   # my ISP's mailserver

and with this set-up the various RBLs and URIBLs work just fine.

[1] I started by using fetchmail, but it is buggy (network transients
can cause it to leave mail it has read in the ISP mailbox forever) and
various forums report that its author has marked these as won't fix. 
So, I now use getmail instead. No problems to report so far! getmail
even uses the same MDA script you may have written for fetchmail. The
only significant difference is that fetchmail is a daemon that controls
its own fetch frequency while getmail is a program that crond runs every
'n' minutes to look for and fetch mail.


Martin
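
To make concrete why Martin's trusted_networks lines fix the "last IP is
always the same" problem, here is an added example (not code from
SpamAssassin or from anyone in the thread) that models the trust-path walk
SpamAssassin performs over the Received: headers. The headers and addresses
are constructed for the example (192.0.2.0/24 and 203.0.113.0/24 are
documentation ranges), and the model is deliberately simplified: a hop is
trusted only when its sending IP is explicitly listed, and a header with
no bracketed IP is skipped rather than reproducing UNPARSEABLE_RELAY.

```python
"""
Model of SpamAssassin's trust-path walk over Received: headers.

Added example for this thread, not code from SpamAssassin or from the
posters.  It shows why RBL checks on POP-fetched mail only ever look at
the ISP's server until that server is listed in trusted_networks.  The
headers and addresses are constructed (documentation ranges), and the walk
is simplified: it trusts a hop only when its sending IP is explicitly
listed, and skips headers that carry no bracketed IP literal.
"""
import ipaddress
import re

# Constructed headers, newest first, as they might look after getmail hands
# a POP-fetched message to the local Postfix.  Hop 1: the ISP's POP/MX host
# delivered to us.  Hop 2: the real sender delivered to the ISP.
SAMPLE_HEADERS = (
    "Received: from pop.isp.example (pop.isp.example [192.0.2.10])\n"
    "\tby house.lan (Postfix) with ESMTP id 7F2A1C3\n"
    "\tfor <joe@house.lan>; Sun,  4 Nov 2012 08:00:00 -0500\n"
    "Received: from unknown (HELO mail.spammer.example) ([203.0.113.45])\n"
    "\tby pop.isp.example with SMTP; Sun,  4 Nov 2012 07:58:00 -0500\n"
)

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sa_network(spec):
    """Turn the trusted_networks shorthand used in the thread into an
    ip_network: '192.168.7/24' pads the missing octet, and a bare address
    such as '77.75.108.10' is a single host (/32)."""
    addr, _, prefix = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # '192.168.7' -> '192.168.7.0'
    return ipaddress.ip_network(".".join(octets) + "/" + (prefix or "32"),
                                strict=False)


def parse_received(headers):
    """Unfold the header block and return the sending IP of each Received:
    header, newest first.  The first bracketed IPv4 literal belongs to the
    'from' clause, i.e. the host that handed the message over.  A header
    without such a literal yields None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            match = BRACKETED_IPV4.search(line)
            ips.append(match.group(1) if match else None)
    return ips


def last_external_ip(headers, trusted_networks):
    """Walk the hops newest-first.  While the sending IP lies inside
    trusted_networks the hop is ours (or our ISP's) and we keep going back;
    the first hop that is not trusted is the 'last external' relay, and its
    IP is what the RCVD_IN_* rules submit to the DNS blocklists."""
    trusted = [sa_network(spec) for spec in trusted_networks]
    for ip in parse_received(headers):
        if ip is None:
            continue                              # no IP literal: skipped in this model
        if any(ipaddress.ip_address(ip) in net for net in trusted):
            continue                              # trusted hop: keep walking back
        return ip
    return None                                   # every hop trusted: nothing to look up


def demo():
    """Same message, without and with the ISP's server in trusted_networks."""
    home_only = ["192.168.7/24"]
    home_and_isp = ["192.168.7/24", "192.0.2.10"]
    return (last_external_ip(SAMPLE_HEADERS, home_only),
            last_external_ip(SAMPLE_HEADERS, home_and_isp))


if __name__ == "__main__":
    without_isp, with_isp = demo()
    print("ISP host not trusted -> RBLs would look up", without_isp)  # 192.0.2.10 (the ISP)
    print("ISP host trusted     -> RBLs would look up", with_isp)     # 203.0.113.45 (the sender)
```

With only the home LAN trusted, the walk stops at the very first hop and
every RBL lookup is made against the ISP's own server, which will never be
listed; once that server's address is in trusted_networks the walk
continues one hop further and lands on the spammer's IP. On a real
installation the same walk can be watched with
`spamassassin -D received-header < message.eml 2>&1 | grep received-header`,
which prints each relay with its trusted/internal verdict. Note that a
`--lint` run does not perform DNS lookups at all (that is what the "local
tests only" line in the debug output quoted later in the thread is saying),
so it cannot show whether the RBL rules are being consulted.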




Re: score 0 autolearn=ham

2012-11-04 Thread Joseph Acquisto
 On 11/4/2012 at 4:09 PM, Jari Fredriksson ja...@iki.fi wrote:
 On 04.11.2012 22:33, Joseph Acquisto wrote:
 I'd love to use RBL but understand I can't, as the last IP is always the 
 same, as I fetch all mail from a single POP. Perhaps I am missing something?
 Yes. You put that single POP ESP address into your trusted networks.
 Then it works as designed.
 

It is there, and has been, but RBLs are not being used at all, it appears.

Using lint I see:
. . .
Nov  4 20:58:40.611 [21327] dbg: config: read file 
/etc/mail/spamassassin/local.cf
Nov  4 20:58:40.611 [21327] dbg: config: using /root/.spamassassin/user_prefs 
for user prefs file
. . . 
Nov  4 20:58:40.434 [21327] dbg: dns: is Net::DNS::Resolver available? yes
. . .
Nov  4 20:58:40.625 [21327] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::SpamCop from @INC
Nov  4 20:58:40.627 [21327] dbg: reporter: local tests only, disabling SpamCop
. . . .

I see no mention of SpamHaus, or others, which I understood to be enabled by 
default.  I have not disabled any of them, as far as I can tell.

joe a.



Re: score 0 autolearn=ham

2012-11-04 Thread Joseph Acquisto
 On 11/4/2012 at 7:10 PM, Martin Gregorie mar...@gregorie.org wrote:
 On Sun, 2012-11-04 at 15:33 -0500, Joseph Acquisto wrote:
  On 11/4/2012 at 8:34 AM, Martin Gregorie mar...@gregorie.org wrote:
  On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote:
   On 11/3/2012 at 9:15 PM, Joseph Acquisto j...@j4computers.com 
   wrote:
   Why do these score 0 ?
   
   http://pastebin.com/U4zFu8wk 
   http://pastebin.com/MV9KbnbU 
  
  I ran the second one through my testing SA system: it got hits from
  several blacklists together with hits on RDNS_NONE and
  UNPARSEABLE_RELAY:
 
 I have RDNS_NONE 0, and UNPARSEABLE_RELAY 2.  I understand 0 to mean don't 
 test, but don't get why it did not flag UNPARSEABLE_RELAY.
 
 Pass. Not enough information for me to understand the problem, and anyway
 it's not something I fully understand.
 
  
  RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,
  RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL,
  URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL
 
 I'd love to use RBL but understand I can't, as the last IP is always the 
 same, as I fetch all mail from a single POP. Perhaps I am missing something?
 
 My set-up is very similar to yours. I use getmail[1] to read mail from
 my POP3 mailbox on my ISP's mailserver and pass it on to my MTA, Postfix
 running on my house server, which hands incoming mail to Dovecot for
 delivery to my mailreader. In SA's local.cf I've set:
 
 internal_networks 192.168.7/24
 
 trusted_networks 192.168.7/24
 trusted_networks 77.75.108.10   # my ISP's mailserver
 
 and with this set-up the various RBLs and URIBLs work just fine.
 
 [1] I started by using fetchmail, but it is buggy (network transients
 can cause it to leave mail it has read in the ISP mailbox forever) and
 various forums report that its author has marked these as won't fix. 
 So, I now use getmail instead. No problems to report so far! getmail
 even uses the same MDA script you may have written for fetchmail. The
 only significant difference is that fetchmail is a daemon that controls
 its own fetch frequency while getmail is a program that crond runs every
 'n' minutes to look for and fetch mail.
 
 
 Martin

It was simple to set up getmail to get a test message, but it did not deliver it
as expected.  I expected it to be handed off to postfix/spamassassin, but it
did not seem to do that.   But that is not a discussion for this list, I guess.

joe a.