Re: list of netblocks which bounceback spam about web forms?

2012-12-13 Thread David F. Skoll
On Thu, 13 Dec 2012 13:03:55 -0800
Jo Rhett  wrote:

> I am wondering if someone has already created a list of netblocks
> which shift the cost of their customer's abuse to us by sending
> bounceback spam informing us to use their web forms.

I believe the now-defunct rfc-ignorant.org kept a list of domains
that didn't handle mail to abuse@... properly, but not netblocks.

> If not, I'm going to create one so that I can add scores for their
> netblocks. In a recent review I've found that we persistently get
> more spam from their netblocks, because they are actively avoiding
> dealing with it.

Sounds like a good idea for a DNSBL...

Regards,

David.



Re: bayes score no showing up in the header

2012-12-13 Thread John Hardin

On Thu, 13 Dec 2012, motty cruz wrote:


Thank you very much John,
I tried this
chown  -R  vscan:vscan  /var/spool/amavis/.spamassassin
and now bayes scores are showing up in the headers. Also, I tried the right
sa- database.

Thanks a bunch.


Happy to help!

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Tea Party wants to remove the Crony from Crony Capitalism.
  OWS wants to remove Capitalism from Crony Capitalism.
-- Astaghfirullah
---
 2 days until Bill of Rights day


Re: bayes score no showing up in the header

2012-12-13 Thread motty cruz
Thank you very much John,
I tried this
chown  -R  vscan:vscan  /var/spool/amavis/.spamassassin
and now bayes scores are showing up in the headers. Also, I tried the right
sa- database.

Thanks a bunch.

On Wed, Dec 12, 2012 at 3:12 PM, John Hardin  wrote:

> On Wed, 12 Dec 2012, motty cruz wrote:
>
>  Thanks again for your prompt reply, the command I ran as root user
>> when I did su vscan user was unable to open spam messages from directory
>>
>> I'm not sure how to fix this problem but you pointed me in the right
>> direction.
>>
>
> Where are the database files?
>
>
> You wrote:
>
>> I copied the database from a healthy system
>>
>
> If you have the default per-user Bayes config, you will probably want to
> move the files to the vscan user's home directory and set permissions such
> that the vscan user can read and write them.
>
> Then, future training will need to be done as the vscan user.
>
> If it's a global Bayes config, just set the file permissions such that the
> vscan user can get to them and read them. If you're doing autolearn, then
> the vscan user will also need to be able to write to them. With a global
> config, you *can* run sa-learn as root and it will update the correct
> files, but the permissions have to be open enough for SA to read them at
> scan time.
>
>
>  Thanks
>>
>> On Wed, Dec 12, 2012 at 2:24 PM, John Hardin  wrote:
>>
>>  On Wed, 12 Dec 2012, motty cruz wrote:
>>>
>>>  Thanks John,
>>>
>>>  It does not show up in any message at all!
>>>  here is the sa-learn --dump magic command:
>>>  # sa-learn --dump magic
>>>  0.000  0   4680  0  non-token data: nspam
>>>  0.000  0  88357  0  non-token data: nham
>>>
>>> Ok, so that database has 4k spam and 88k ham tokens, it should be active.
>>>
>>>  any idea?
>>>
>>> Apart from "too few tokens" the most common problem is "training to a
>>> database that SA is not using". In the default SA configuration you have to
>>> train the database as the same user that SA is running under, so that the
>>> files get created in the correct place.
>>>
>>> What user is SA running as?
>>>
>>> What user did you run the sa-learn --dump command as?
>>>
>>> Have you overridden the default per-user Bayes database config to a
>>> systemwide shared Bayes database config?
>>>
>>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   Mine eyes have seen the horror of the voting of the horde;
>   They've looted the fromagerie where guv'ment cheese is stored;
>   If war's not won before the break they grow so quickly bored;
>   Their vote counts as much as yours.  -- Tam
>
> ---
>  3 days until Bill of Rights day
>


list of netblocks which bounceback spam about web forms?

2012-12-13 Thread Jo Rhett
I am wondering if someone has already created a list of netblocks which shift 
the cost of their customer's abuse to us by sending bounceback spam informing 
us to use their web forms.

If not, I'm going to create one so that I can add scores for their netblocks. 
In a recent review I've found that we persistently get more spam from their 
netblocks, because they are actively avoiding dealing with it.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: sa-update... perhaps not working

2012-12-13 Thread Mark Martinec
> Dec 13 12:29:40.402 [22852]
>   dbg: *dns: 2.3.3.updates.spamassassin.org => 3.3, parsed as 3*

See the other thread of today: "sa-update don't update".

  Mark


Re: Suddenly a lot of low scores

2012-12-13 Thread Bowie Bailey

Please keep this on the list.

On 12/12/2012 8:09 PM, Joseph Acquisto wrote:

It doesn't matter how many messages SA has processed.  What matters is
how many messages Bayes has learned via autolearn or manual sa-learn runs.

You can log in as the user SA runs as and check the bayes database:

$ sa-learn --dump magic

You want to look at the nham and nspam numbers.  You MUST do this as the
same user SA is using or the results will not be useful.  Also, if you
do manual learning via sa-learn, you must do it as the same user as SA.


This is my result:

0.000          0          3          0  non-token data: bayes db version
0.000          0        878          0  non-token data: nspam
0.000          0       1064          0  non-token data: nham
0.000          0     114391          0  non-token data: ntokens
0.000          0 1352511853          0  non-token data: oldest atime
0.000          0 1355310610          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1355278210          0  non-token data: last expiry atime
0.000          0    2764800          0  non-token data: last expire atime delta
0.000          0      38573          0  non-token data: last expire reduction coun

I run sa-learn via script, as root.   spamd runs as root.  spamassassin, in  
/etc/postfix/main.cf has the user defined as spamfilter.
I don't know if that is an issue.


It might be.  Take a look at spamfilter's database.

If spamd is running as root, it may be doing per-user filtering 
depending on your setup.  If this is the case, the spamd will switch 
users each time it receives a message to scan the message using that 
user's settings.  This means that each user's bayes db must be above the 
threshold before that user will see bayes scoring.



What should I see in headers if bayes is active?


If bayes is active, you should see a BAYES_XX rule hit on every email.


Tangent - I noticed this in /var/log/messages (probably unrelated)

Dec 12 02:13:55 open-122 echo[665]: Starting spamd:
Dec 12 02:13:58 open-122 echo[645]: Starting the SpamAssassin Proxy Daemon:
Dec 12 06:14:09 open-122 spampd[682]: defined(@array) is deprecated at /usr/lib/perl5/vendor_perl/5.16.0/Net/Server.pm line 211.
Dec 12 06:14:11 open-122 spampd[682]: (Maybe you should just omit the defined()?)
Dec 12 06:14:50 open-122 systemd[1]: spampd.service: main process exited, code=exited, status=1
Dec 12 06:14:50 open-122 systemd[1]: Unit spampd.service entered failed state.

Seen a few times, over month or so.


No idea about this.

--
Bowie
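
The two checks discussed in this thread (the nspam/nham counts from `sa-learn --dump magic`, and whether the scanning user can reach the Bayes files) can be scripted; the following is an added example, not code from any poster or from SpamAssassin. It assumes the default minimum of 200 learned spam and 200 learned ham messages and DB_File-style files named `bayes_*`; the function names and the sample dump (built from the counts quoted above) are constructed for illustration.

```python
import os
import re

MIN_MSGS = 200  # SpamAssassin default for bayes_min_spam_num / bayes_min_ham_num

# Constructed sample in the `sa-learn --dump magic` layout, using the counts
# quoted in the thread (878 spam, 1064 ham).
SAMPLE_DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0        878          0  non-token data: nspam
0.000          0       1064          0  non-token data: nham
0.000          0     114391          0  non-token data: ntokens
"""

MAGIC_RE = re.compile(r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+?)\s*$")

def parse_magic(dump_text):
    """Map each 'non-token data' label to its integer value (third column)."""
    out = {}
    for line in dump_text.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            out[m.group(2)] = int(m.group(1))
    return out

def bayes_problems(dump_text, db_dir, scan_uid):
    """Reasons why the scanning user (scan_uid) would get no BAYES_XX hits."""
    problems = []
    magic = parse_magic(dump_text)
    for key in ("nspam", "nham"):
        if magic.get(key, 0) < MIN_MSGS:
            problems.append(f"{key}={magic.get(key, 0)} is below {MIN_MSGS}")
    names = [n for n in os.listdir(db_dir) if n.startswith("bayes_")]
    if not names:
        problems.append(f"no bayes_* files in {db_dir}")
    for name in sorted(names):
        st = os.stat(os.path.join(db_dir, name))
        if st.st_uid == scan_uid:
            usable = (st.st_mode & 0o600) == 0o600   # owner read+write
        else:
            usable = (st.st_mode & 0o006) == 0o006   # simplification: group access is ignored
        if not usable:
            problems.append(f"{name}: uid {scan_uid} cannot read and write it")
    return problems
```

The dump must come from a run as the user SpamAssassin scans as, and `scan_uid` must be that user's numeric id; a dump taken as another user describes a different database in the default per-user setup.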


sa-update... perhaps not working

2012-12-13 Thread Giles Coochey

If I run sa-update -D I get the following output at the bottom:

Dec 13 12:29:40.190 [22852] dbg: channel: attempting channel updates.spamassassin.org
Dec 13 12:29:40.190 [22852] dbg: channel: update directory /var/lib/spamassassin/3.003002/updates_spamassassin_org
Dec 13 12:29:40.190 [22852] dbg: channel: channel cf file /var/lib/spamassassin/3.003002/updates_spamassassin_org.cf
Dec 13 12:29:40.192 [22852] dbg: channel: channel pre file /var/lib/spamassassin/3.003002/updates_spamassassin_org.pre

Dec 13 12:29:40.192 [22852] dbg: channel: metadata version = 1417778
Dec 13 12:29:40.402 [22852] dbg: *dns: 2.3.3.updates.spamassassin.org => 3.3, parsed as 3*
Dec 13 12:29:40.403 [22852] dbg: channel: current version is *1417778*, new version is 3, skipping channel

Dec 13 12:29:40.406 [22852] dbg: diag: updates complete, exiting with code 1


But if I do an nslookup it looks like the available version is later 
than my current version:


$ nslookup
> set type=txt
> 2.3.3.updates.spamassassin.org
Server:         172.21.0.66
Address:        172.21.0.66#53

Non-authoritative answer:
*2.3.3.updates.spamassassin.org  text = "1418219"*

Any ideas?

--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net



smime.p7s
Description: S/MIME Cryptographic Signature
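
The manual comparison above (debug output against the TXT record) can be automated; this is an added example, not part of the original post or of sa-update. It assumes the `dns: ... parsed as` and `current version is` line formats shown in the quoted log and that the TXT answer is a bare revision number as in the nslookup result; the function name and the healthy sample are constructed.

```python
import re

# Constructed sample: three lines from the `sa-update -D` output quoted in the
# thread, unwrapped and with the emphasis asterisks removed.
BROKEN_RUN = """\
Dec 13 12:29:40.192 [22852] dbg: channel: metadata version = 1417778
Dec 13 12:29:40.402 [22852] dbg: dns: 2.3.3.updates.spamassassin.org => 3.3, parsed as 3
Dec 13 12:29:40.403 [22852] dbg: channel: current version is 1417778, new version is 3, skipping channel
"""

# Constructed sample: what the dns line would look like if the TXT value that
# nslookup returned ("1418219") had been logged and parsed intact.
HEALTHY_RUN = """\
Dec 13 12:29:40.192 [22852] dbg: channel: metadata version = 1417778
Dec 13 12:29:40.402 [22852] dbg: dns: 2.3.3.updates.spamassassin.org => 1418219, parsed as 1418219
"""

DNS_RE = re.compile(r"dbg: dns: (\S+) => (.*), parsed as (\S+)\s*$")
VER_RE = re.compile(r"current version is (\d+), new version is (\d+)")

def check_sa_update_debug(log_text):
    """Return findings that indicate a mis-parsed channel version in one run."""
    findings = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m:
            name, raw, parsed = m.groups()
            # Assumption: the channel's TXT answer is a bare revision number,
            # so the logged answer and the parsed value should be identical.
            if not raw.isdigit() or raw != parsed:
                findings.append(f"{name}: TXT answer logged as {raw!r} but parsed as {parsed!r}")
        m = VER_RE.search(line)
        if m:
            current, new = int(m.group(1)), int(m.group(2))
            # A channel never legitimately moves to a lower revision.
            if new < current:
                findings.append(f"advertised version {new} is older than installed {current}")
    return findings
```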


Re: sa-update don't update - FreeBSD ports patch

2012-12-13 Thread Виктор Белоус

Thanks, Mark

with this patch file after vi patch-bug6872, make clean, make, make 
deinstall, make install my sa-update works good


Dec 13 15:43:03.235 [83049] dbg: generic: unlinking user_prefs.template
Dec 13 15:43:03.236 [83049] dbg: diag: updates complete, exiting with code 0

Victor.

13.12.12 15:36, Mark Martinec wrote:

Michael, could you please fold-in the above (or similar)
patch to FreeBSD port mail/p5-Mail-SpamAssassin

Here is the 'patch-bug6872' patch file, suitable for inclusion
in the /usr/ports/mail/p5-Mail-SpamAssassin/files/
directory of FreeBSD ports:


--- sa-update.raw   (revision 1421187)
+++ sa-update.raw   (working copy)
@@ -1136,9 +1136,11 @@
if ($RR) {
  foreach my $rr ($RR->answer) {
my $text = $rr->rdatastr;
-  local($1);
-  $text =~ /^"(.*)"$/;
-  push @result, $1;
+  if (defined $text&&  $text ne '') {
+local($1);
+$text =~ s/^"(.*)"\z/$1/s;
+push(@result,$text);
+  }
  }
}
else {
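
Review bot: The new `if (defined $text && $text ne '')` guard drops an undefined or empty answer without any trace, so at the caller an empty TXT record looks the same as no record at all. Consider an `else` branch that emits a debug message naming the skipped record, so that a failed lookup is visible in the `-D` output.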



Mark





Re: sa-update don't update - FreeBSD ports patch

2012-12-13 Thread Mark Martinec
> Michael, could you please fold-in the above (or similar)
> patch to FreeBSD port mail/p5-Mail-SpamAssassin

Here is the 'patch-bug6872' patch file, suitable for inclusion
in the /usr/ports/mail/p5-Mail-SpamAssassin/files/
directory of FreeBSD ports:


--- sa-update.raw   (revision 1421187)
+++ sa-update.raw   (working copy)
@@ -1136,9 +1136,11 @@
   if ($RR) {
 foreach my $rr ($RR->answer) {
   my $text = $rr->rdatastr;
-  local($1);
-  $text =~ /^"(.*)"$/;
-  push @result, $1;
+  if (defined $text && $text ne '') {
+local($1);
+$text =~ s/^"(.*)"\z/$1/s;
+push(@result,$text);
+  }
 }
   }
   else {
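
Review bot: `local($1);` inside the new block looks like a carry-over from the removed lines: the value pushed is now `$text`, and `$1` is only read inside the replacement part of `s/^"(.*)"\z/$1/s`. Either drop it or add a one-line comment saying why it is still needed, together with a comment that text without surrounding quotes is now pushed unchanged, where the removed lines pushed `$1` whether or not the match had succeeded.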



Mark


Re: sa-update don't update

2012-12-13 Thread Mark Martinec
Victor,

> I just installed spamassassin on FreeBSD
> FreeBSD Kratos.strelna 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3

> Dec 13 12:14:49.560 [78833] dbg: generic: SpamAssassin version 3.3.2
> Dec 13 12:14:49.560 [78833] dbg: generic: Perl 5.014002,
> Dec 13 12:14:49.579 [78833] dbg: dns: Net::DNS version: 0.70

Indeed there is a bug in sa-update of SpamAssassin 3.3
which doesn't play well with the change brought by Net::DNS 0.69
and later.

See
  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6872
for the full explanation.

Please apply the following patch to sa-update:

--- sa-update.orig  2012-12-13 11:30:16.0 +0100
+++ sa-update   2012-12-13 11:31:24.116150393 +0100
@@ -1139,7 +1139,9 @@
 foreach my $rr ($RR->answer) {
   my $text = $rr->rdatastr;
-  local($1);
-  $text =~ /^"(.*)"$/;
-  push @result, $1;
+  if (defined $text && $text ne '') {
+local($1);
+$text =~ s/^"(.*)"\z/$1/s;
+push(@result,$text);
+  }
 }
   }
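
Review bot: In `s/^"(.*)"\z/$1/s` the `(.*)` is greedy and `/s` lets it cross newlines, so an answer rendered as several quoted strings (`"a" "b"`) would be pushed as `a" "b` with the inner quotes left in. If only a single string is expected here, say so in a comment; otherwise unquote each string separately before pushing.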

(or install the version of SpamAssassin from SVN trunk,
which has this issue fixed)


Michael, could you please fold-in the above (or similar)
patch to FreeBSD port mail/p5-Mail-SpamAssassin

  Mark


sa-update don't update

2012-12-13 Thread Виктор Белоус

Hi!

I just installed spamassassin on FreeBSD

Kratos/root12:14:50~#uname -a
FreeBSD Kratos.strelna 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 01:47:53 UTC 2012 r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386


from /usr/ports/mail/p5-Mail-SpamAssassin

with options

Kratos/root12:23:24/usr/ports/mail/p5-Mail-SpamAssassin#cat /var/db/ports/p5-Mail-SpamAssassin/options

# This file is auto-generated by 'make config'.
# Options for p5-Mail-SpamAssassin-3.3.2_6
_OPTIONS_READ=p5-Mail-SpamAssassin-3.3.2_6
_FILE_COMPLETE_OPTIONS_LIST= AS_ROOT SPAMC SACOMPILE DKIM SSL GNUPG MYSQL PGSQL RAZOR SPF_QUERY RELAY_COUNTRY DCC

OPTIONS_FILE_SET+=AS_ROOT
OPTIONS_FILE_UNSET+=SPAMC
OPTIONS_FILE_SET+=SACOMPILE
OPTIONS_FILE_SET+=DKIM
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_SET+=GNUPG
OPTIONS_FILE_SET+=MYSQL
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_SET+=RAZOR
OPTIONS_FILE_SET+=SPF_QUERY
OPTIONS_FILE_SET+=RELAY_COUNTRY
OPTIONS_FILE_SET+=DCC


and sa-update runs with error

Kratos/root13:13:06~#sa-update -D
Dec 13 12:14:49.559 [78833] dbg: logger: adding facilities: all
Dec 13 12:14:49.560 [78833] dbg: logger: logging level is DBG
Dec 13 12:14:49.560 [78833] dbg: generic: SpamAssassin version 3.3.2
Dec 13 12:14:49.560 [78833] dbg: generic: Perl 5.014002, PREFIX=/usr/local, DEF_RULES_DIR=/usr/local/share/spamassassin, LOCAL_RULES_DIR=/usr/local/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/db/spamassassin

Dec 13 12:14:49.561 [78833] dbg: config: timing enabled
Dec 13 12:14:49.563 [78833] dbg: config: score set 0 chosen.
Dec 13 12:14:49.579 [78833] dbg: dns: is Net::DNS::Resolver available? yes
Dec 13 12:14:49.579 [78833] dbg: dns: Net::DNS version: 0.70
Dec 13 12:14:49.580 [78833] dbg: generic: sa-update version svn917659
Dec 13 12:14:49.580 [78833] dbg: generic: using update directory: /var/db/spamassassin/3.003002

Dec 13 12:14:49.989 [78833] dbg: diag: perl platform: 5.014002 freebsd
Dec 13 12:14:49.989 [78833] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
Dec 13 12:14:49.989 [78833] dbg: diag: [...] module installed: HTML::Parser, version 3.69
Dec 13 12:14:49.990 [78833] dbg: diag: [...] module installed: Net::DNS, version 0.70
Dec 13 12:14:49.990 [78833] dbg: diag: [...] module installed: NetAddr::IP, version 4.066
Dec 13 12:14:49.990 [78833] dbg: diag: [...] module installed: Time::HiRes, version 1.9725
Dec 13 12:14:49.990 [78833] dbg: diag: [...] module installed: Archive::Tar, version 1.90
Dec 13 12:14:49.991 [78833] dbg: diag: [...] module installed: IO::Zlib, version 1.10
Dec 13 12:14:49.991 [78833] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
Dec 13 12:14:49.991 [78833] dbg: diag: [...] module installed: MIME::Base64, version 3.13
Dec 13 12:14:49.991 [78833] dbg: diag: [...] module installed: DB_File, version 1.821
Dec 13 12:14:49.992 [78833] dbg: diag: [...] module installed: Net::SMTP, version 2.31
Dec 13 12:14:49.992 [78833] dbg: diag: [...] module installed: Mail::SPF, version v2.008
Dec 13 12:14:49.992 [78833] dbg: diag: [...] module installed: IP::Country::Fast, version 604.001
Dec 13 12:14:49.992 [78833] dbg: diag: [...] module installed: Razor2::Client::Agent, version 2.84
Dec 13 12:14:49.993 [78833] dbg: diag: [...] module installed: Net::Ident, version 1.23
Dec 13 12:14:49.993 [78833] dbg: diag: [...] module installed: IO::Socket::INET6, version 2.69
Dec 13 12:14:49.993 [78833] dbg: diag: [...] module installed: IO::Socket::SSL, version 1.81
Dec 13 12:14:49.993 [78833] dbg: diag: [...] module installed: Compress::Zlib, version 2.058
Dec 13 12:14:49.994 [78833] dbg: diag: [...] module installed: Mail::DKIM, version 0.39
Dec 13 12:14:49.994 [78833] dbg: diag: [...] module installed: DBI, version 1.622
Dec 13 12:14:49.994 [78833] dbg: diag: [...] module installed: Getopt::Long, version 2.38
Dec 13 12:14:49.994 [78833] dbg: diag: [...] module installed: LWP::UserAgent, version 6.04
Dec 13 12:14:49.995 [78833] dbg: diag: [...] module installed: HTTP::Date, version 6.02
Dec 13 12:14:49.995 [78833] dbg: diag: [...] module installed: Encode::Detect, version 1.01

Dec 13 12:14:49.997 [78833] dbg: gpg: Searching for 'gpg'
Dec 13 12:14:49.997 [78833] dbg: util: current PATH is: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
Dec 13 12:14:49.998 [78833] dbg: util: executable for gpg was found at /usr/local/bin/gpg

Dec 13 12:14:49.999 [78833] dbg: gpg: found /usr/local/bin/gpg
Dec 13 12:14:49.999 [78833] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
Dec 13 12:14:50.114 [78833] dbg: channel: attempting channel updates.spamassassin.org
Dec 13 12:14:50.115 [78833] dbg: channel: update directory /var/db/spamassassin/3.003002/updates_spamassassin_org
Dec 13 12:14:50.115 [78833] dbg: channel: channel cf file /var/db/spamassassin/3.003002/updates_spamassassin_org.cf
Dec 13 12:14:50.116 [7883