RE: whitelist_from in SQL not applied?
Philippe Ratté skrev den 2013-02-14 15:24:

The mail came from 65.54.190.123 and it passes SPF

don't use whitelist_from, with that setting anyone can use that email as sender to get whitelisted, this is okay if you do spf testing in mta only, so spamassassin follow it as an ok, but not if you are not testing spf in mta

What should I use, then?

1: spamassassin 2>&1 -D --lint | less
2: perldoc Mail::SpamAssassin::Plugin::SPF

SPF is not checked at mta

ok

have you configured Mail::SPF to reuse mta spf (received-spf header) ?

No

could still be relevant problem if it's added remotely and not locally, but this is why I asked

1: on above, can you post it to pastebin and give a link here ?
2: is just informative to you what to configure in local.cf

for the sql whitelist use same preferences as it would be in local.cf, and btw have you multiple sql users preferences or just one ?, is it really checking the right user ?
Sought/Rules.yerp.org problem - Re: [Fwd: Cron <root@zoogz> /usr/share/spamassassin/sa-update.cron -D 2>&1 | tee -a /var/log/sa-update.log]
On 2/14/2013 6:35 PM, Emmett Culley wrote:

Hi KAM, Can you give me a hint on who or what to contact. I don't know how those rules got into my system. It was working flawlessly for many years until a week or so ago. Well, it still works it seems :-) Thanks for the reply.

Emmett, that appears to be JM's Sought Rules. I'll cc Justin to see if he can enlighten anyone. For more information about the rules, see http://taint.org/2007/08/15/004348a.html

Regards, KAM

On 02/14/2013 12:26 PM, Kevin A. McGrail wrote:

Hi Emmett, To me, it appears you have a non-SA project channel being updated. Why you can't update that is something only the rules.yerp.org people can help.

Regards, KAM

On 2/14/2013 12:28 PM, emmett wrote:

I have been seeing this in my log once a day for a few days now. What is the problem and how can I get it resolved. This is the latest log entry, but all were failures with amazonaws:

http: GET http://rules.yerp.org.s3.amazonaws.com/rules/stage/3302013021221.tar.gz request failed: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?> <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>A1A070CD5615A700</RequestId><HostId>rg2byfiwxIKwAsqNLZ7JhD0pm3tiH/Avc59kZgu3fYFNOggFvfAMCrnfasV7FRIq</HostId></Error>
channel: could not find working mirror, channel failed
Re: X-Relay-Countries
On Thu, 14 Feb 2013 13:26:33 +0100, Benny Pedersen wrote:

Steve Freegard skrev den 2013-02-12 21:19:

header RELAY_NOT_US X-Relay-Countries =~ /\b(?!US)[A-Z]{2}\b/

and what date is the database from ?, ip2cc ipv4-addr, to show it when it's built, to update it either use the new relay_country plugin or update ip2cc database, if it's over 6 months it's time for a change

The former option wasn't really available for me, so I followed the notes at http://wiki.apache.org/spamassassin/RelayCountryPlugin as suggested by Jeff Mincy. First I installed IP::Country::Fast, and noted that the database was from July 2009. So I downloaded the two files from http://mailfud.org/ip-country-fast/ as mentioned in the wiki article. Better: June 2012. Finally I built them myself using the RIPE downloads, again as suggested in the wiki article.

$ ip2cc 213.174.72.92
IP::Country modules (v2.27)
Copyright (c) 2002-05 Nigel Wetters Gourlay
Database updated Fri Feb 15 18:04:48 2013
Address: 213.174.72.92
Country: DK (Denmark)
$

So I have up-to-date ip.gif and cc.gif. If anyone wants them, post here and I'll put them on an ftp site somewhere.
DKIM scoring with spamassassin
Does anyone tweak the DKIM scores given by SA? There are plenty of scenarios where DKIM has failed, yet SA does not give the email a particularly high spam mark. 3 example test cases below. I guess I was expecting SA would score DKIM failures more aggressively if there are problems with the signing:

Case 1. Actively modify from field of the message and send in manually via SMTP keeping the same signature.

X-Spam-Status: No, score=-1.379 tagged_above=-10 required=6.6 tests=[ALL_TRUSTED=-1, BAYES_05=-0.5, DKIM_SIGNED=0.1, NO_DNS_FOR_FROM=0.001, T_DKIM_INVALID=0.01, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01, T_NOT_A_PERSON=-0.01, T_UNKNOWN_ORIGIN=0.01] autolearn=no
Authentication-Results: zqa-398.eng.vmware.com (amavisd-new); dkim=fail (1024-bit key) reason=fail (message has been altered) header.d=dkimtest.com

Case 2. Update signature on a domain, but don't update it in DNS.

X-Spam-Status: No, score=-0.057 tagged_above=-10 required=6.6 tests=[ALL_TRUSTED=-1, BAYES_20=-0.001, DKIM_SIGNED=0.1, NO_DNS_FOR_FROM=0.001, RDNS_NONE=0.793, T_BIG_HEADERS_2K=0.01, T_DKIM_INVALID=0.01, T_HELO_NO_DOMAIN=0.01, T_LONG_HEADER_LINE_80=0.01, T_NOT_A_PERSON=-0.01, T_THREAD_INDEX_BAD=0.01, T_UNKNOWN_ORIGIN=0.01] autolearn=no
Authentication-Results: zqa-398.eng.vmware.com (amavisd-new); dkim=fail (1024-bit key) reason=fail (bad RSA signature) header.d=dkimtest.com

Case 3. Don't populate DNS record with DKIM signature at all

X-Spam-Status: No, score=-1.957 tagged_above=-10 required=6.6 tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, DKIM_SIGNED=0.1, RDNS_NONE=0.793, T_BIG_HEADERS_2K=0.01, T_DKIM_INVALID=0.01, T_HELO_NO_DOMAIN=0.01, T_LONG_HEADER_LINE_80=0.01, T_NOT_A_PERSON=-0.01, T_THREAD_INDEX_BAD=0.01, T_UNKNOWN_ORIGIN=0.01] autolearn=no
Authentication-Results: zqa-398.eng.vmware.com (amavisd-new); dkim=neutral reason=invalid (public key: not available) header.d=dkimtest.com

Thanks, Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: DKIM scoring with spamassassin
On Fri, 15 Feb 2013, Quanah Gibson-Mount wrote:

Does anyone tweak the DKIM scores given by SA? There are plenty of scenarios where DKIM has failed, yet SA does not give the email a particularly high spam mark. 3 example test cases below. I guess I was expecting SA would score DKIM failures more aggressively if there are problems with the signing:

DKIM and SPF are anti-forgery tools, not anti-spam tools.

If you take a DKIM-signed email that is whitelisted because of whitelist_auth and make a change that invalidates the signature, does it still get whitelisted? If not, then SA is doing all that it can reasonably be expected to do with the invalid signature.

DKIM or SPF pass or fail *by itself* is not useful as a spam sign. Taken together with other factors (such as DKIM invalid + claims to be from Wells Fargo) it's useful.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Look at the people at the top of both efforts. Linus Torvalds is a university graduate with a CS degree. Bill Gates is a university dropout who bragged about dumpster-diving and using other peoples' garbage code as the basis for his code. Maybe that has something to do with the difference in quality/security between Linux and Windows.
-- anytwofiveelevenis on Y! SCOX
---
7 days until George Washington's 281st Birthday
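The two points made in this thread, that whitelist_from trusts an unauthenticated sender address and that a DKIM failure is only useful combined with another factor, shown as an added local.cf example that is not from any of the posters. The domain example.com, the LOCAL_* rule names and the score are assumptions; T_DKIM_INVALID is the rule name that appears in the X-Spam-Status lines quoted in the thread and may be named differently in other SpamAssassin versions.

```conf
# Constructed local.cf fragment; example.com, rule names and score are illustrative.

# Weak: matches on the sender address alone, so a forged sender
# at this domain is whitelisted as well.
# whitelist_from  *@example.com

# Stronger: the entry only takes effect when the sender address is
# authenticated by SPF or DKIM (requires the SPF and/or DKIM plugin).
whitelist_auth  *@example.com

# A DKIM failure by itself stays near zero. Combine it with a claim
# that matters: mail whose From address is in a domain you know signs
# all of its mail, but whose signature did not verify.
header    __LOCAL_FROM_EXAMPLE  From:addr =~ /\@example\.com$/i
meta      LOCAL_DKIM_BAD_FROM   (__LOCAL_FROM_EXAMPLE && T_DKIM_INVALID)
describe  LOCAL_DKIM_BAD_FROM   From claims example.com, DKIM signature invalid
score     LOCAL_DKIM_BAD_FROM   3.0
```

Check the result with `spamassassin --lint` before reloading; a meta rule that references a rule name not present in the installed rule set will not fire.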
Re: DKIM scoring with spamassassin
--On Friday, February 15, 2013 5:01 PM -0800 John Hardin jhar...@impsec.org wrote:

On Fri, 15 Feb 2013, Quanah Gibson-Mount wrote:

Does anyone tweak the DKIM scores given by SA? There are plenty of scenarios where DKIM has failed, yet SA does not give the email a particularly high spam mark. 3 example test cases below. I guess I was expecting SA would score DKIM failures more aggressively if there are problems with the signing:

DKIM and SPF are anti-forgery tools, not anti-spam tools.

If you take a DKIM-signed email that is whitelisted because of whitelist_auth and make a change that invalidates the signature, does it still get whitelisted? If not, then SA is doing all that it can reasonably be expected to do with the invalid signature.

DKIM or SPF pass or fail *by itself* is not useful as a spam sign. Taken together with other factors (such as DKIM invalid + claims to be from Wells Fargo) it's useful.

Ok, thanks. If any of our users ask, this is a good summary. :)

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration