Re: getting tons of SPAM
On 06/26/2014 04:23 PM, motty cruz wrote:
> as you can see, looks like Amavisd did not scan, spamassassin should have stopped this email.

yes, it really looked in the original mail that amavis did not scan it. The question is why it did not scan it.

check the logs to see the reason - if amavis does not scan e-mail, it's impossible to block it
(if you use amavis there's no apparent reason to use spamassassin separately, since amavis uses spamassassin)

On 26.06.14 08:02, motty cruz wrote:
> I apologize, I did not articulate my questions correctly. Spamassassin is enabled but did not block spam, I know my configuration is wrong. I was wondering if someone can help me figure out.
>
> # languages allow
> ifplugin Mail::SpamAssassin::Plugin::TextCat
> ok_languages en es
> ok_locales en es

you should understand that ok_locales has nothing to do with TextCat plugin. It only detects charset class, now it scores non-latin alphabets like cyrillic, chinese etc.

> whitelist_from mtc-dist.com

it's very unsafe to use whitelist_from, spammers forge sender domains to work around this!

finally, don't play with scores, but check out if you use network checks and have loaded plugins like razor/pyzor/dcc, and also if the razor/pyzor/dcc are installed on your system.

> ## Optional Score Increase last 4.0 increase to 4.5
> score BAYES_50 1.800
> score BAYES_60 2.200
> score BAYES_80 3.200
> score BAYES_95 3.500
> score BAYES_99 4.500
> score BODY_ENHANCEMENT 2.513
> score BODY_ENHANCEMENT2 1.513
> score DRUGS_ERECTILE 3.513
> score DRUG_ED_SILD 2.013
> score HELO_DYNAMIC_DHCP 2.513
> score HS_INDEX_PARAM 1.513
> score ONLINE_PHARMACY 3.013
> score RDNS_DYNAMIC 1.013
> score RDNS_NONE 2.013
> score STOX_REPLY_TYPE 2.013
> score SUBJ_BUY 2.013
> score TVD_VISIT_PHARMA 2.913
> score TVD_SPACE_RATIO 1.913

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
Re: Funky HARP Spam
On Thu, 26 Jun 2014 19:02:42 -0600 Philip Prindeville wrote:
> Since #x042C is outside the US-ASCII character set, this would be an encoding violation.

It's not. In HTML #x042C is an ASCII representation of a unicode character. It represents a character within HTML, but as far as mime is concerned it's 7 characters - that's the whole point of allowing unicode to be represented this way.

Actually the mime section it's in is text/html, not text/plain, but it's legal either way.

As I mentioned before, the real violation is in the previous mime section, which claims 7bit, but contains octets with the high-bit set.
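
The violation described in the message above (a MIME part labelled 7bit that carries high-bit octets) can be checked mechanically. The following is an added example, not code from the thread or from SpamAssassin; the function name and the sample message are constructed for illustration, and the check also covers parts with no Content-Transfer-Encoding header, which RFC 2045 treats as 7bit.

```python
from email import message_from_bytes

# Constructed sample: the first part claims 7bit but holds raw UTF-8 octets;
# the HTML part stays pure ASCII by using a numeric character reference.
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Caf\xc3\xa9 \xd0\xac\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"<p>&#x042C;</p>\r\n"
    b"--b1--\r\n"
)


def seven_bit_violations(raw: bytes) -> list:
    """Return one dict per leaf MIME part that is labelled 7bit (or carries no
    Content-Transfer-Encoding, which RFC 2045 defaults to 7bit) yet contains
    octets with the high bit set."""
    findings = []
    for index, part in enumerate(message_from_bytes(raw).walk()):
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte != "7bit":
            continue  # 8bit, binary, base64 and quoted-printable are out of scope
        # For 7bit parts decode=True hands back the body octets unchanged.
        body = part.get_payload(decode=True) or b""
        high = sum(1 for octet in body if octet >= 0x80)
        if high:
            findings.append({"part": index, "type": part.get_content_type(),
                             "high_octets": high})
    return findings


if __name__ == "__main__":
    for finding in seven_bit_violations(SAMPLE):
        print(finding)
```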
Re: getting tons of SPAM
Thank you, I can't figure out why spammy email get very little score,

X-Quarantine-ID: 4QFxoaNchYOk
X-Virus-Scanned: amavisd-new at fqdn.com
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: unexpected end of header
X-Spam-Flag: NO
X-Spam-Score: 0.102
X-Spam-Level:
X-Spam-Status: No, score=0.102 tagged_above=-999 required=5.3
 tests=[AWL=0.311, DKIM_SIGNED=0.001, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VERIFIED=-0.001, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01]
---
Received: by bell.cuxrrb.com id hllmas0e97ct for mo...@fdqn.com; Fri, 27 Jun 2014 08:58:12 -0400 (envelope-from life-motty+5F=f...@cuxrrb.com)
From: Pimsleur Approach l...@cuxrrb.com
Date: Fri, 27 Jun 2014 08:58:12 -0400
Subject: Want to speak a foreign language but don't have a lot of time?
Reply-To: reply-b89161365ddc621bf5b4340f26597...@cuxrrb.com
Message-ID: b89161365ddc621bf5b4340f2659783e095437-2598-hinbi...@cuxrrb.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=b89161365ddc621bf5b4340f2659783e69.692014062755451

--b89161365ddc621bf5b4340f2659783e69.692014062755451
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

You've received the alternative text version of an HTML email. If you'd like a good view of this email, please open it in your computer.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<TITLE>Language Learning</TITLE>
</head>
<body style=

On Fri, Jun 27, 2014 at 12:06 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On 06/26/2014 04:23 PM, motty cruz wrote:
> > as you can see, looks like Amavisd did not scan, spamassassin should have stopped this email.
>
> yes, it really looked in the original mail that amavis did not scan it. The question is why it did not scan it.
Re: getting tons of SPAM
On 27.06.14 07:50, motty cruz wrote:
> I can't figure out why spammy email get very little score,
>
> X-Quarantine-ID: 4QFxoaNchYOk
> X-Virus-Scanned: amavisd-new at fqdn.com
> X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: unexpected end of header

This might explain much. seems that the mail was broken somehow.
Did you use default configs for spamassassin and amavis?

> X-Spam-Flag: NO
> X-Spam-Score: 0.102
> X-Spam-Level:
> X-Spam-Status: No, score=0.102 tagged_above=-999 required=5.3
>  tests=[AWL=0.311, DKIM_SIGNED=0.001, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>  DKIM_VERIFIED=-0.001, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01]
> ---
> Received: by bell.cuxrrb.com id hllmas0e97ct for mo...@fdqn.com; Fri, 27 Jun 2014 08:58:12 -0400 (envelope-from life-motty+5F=f...@cuxrrb.com)
> From: Pimsleur Approach l...@cuxrrb.com
> Date: Fri, 27 Jun 2014 08:58:12 -0400
> Subject: Want to speak a foreign language but don't have a lot of time?
> Reply-To: reply-b89161365ddc621bf5b4340f26597...@cuxrrb.com
> Message-ID: b89161365ddc621bf5b4340f2659783e095437-2598-hinbi...@cuxrrb.com
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary=b89161365ddc621bf5b4340f2659783e69.692014062755451

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: Funky HARP Spam
On Jun 27, 2014, at 7:30 AM, RW rwmailli...@googlemail.com wrote:
> As I mentioned before, the real violation is in the previous mime section, which claims 7bit, but contains octets with the high-bit set.

Yup. Just submitted a patch for this:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7063
SOLVED: Re: Bayes Filter Not Working
On Jun 25, 2014, at 8:45 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On Tue, 24 Jun 2014 15:42:22 -0700 Bruce Sackett wrote:
> I apologize, I’m sure it’s been covered, but I have not been successful finding results in searches on the web or through the history of the list. I get no BAYES results in the headers, so I don’t see any working.
>
> On Jun 25, 2014, at 5:44 AM, RW rwmailli...@googlemail.com wrote:
> Have you trained it? It requires 200 spam and 200 ham emails before it starts to classify.
>
> On 25.06.14 08:22, Bruce Sackett wrote:
> I have older Ubuntu’s that work, so I kinda know the process, but it’s a big package. Any help is appreciated. The main thing that worries me is the Logger.pm error - is that stopping the Bayes processing
>
> are you sure you have trained into the right database? it seems you are using amavis and that it's using site-wide BAYES database.
>
> I have trained it:
> 0.000 0 3 0 non-token data: bayes db version
> 0.000 0 6664 0 non-token data: nspam
> 0.000 0 473 0 non-token data: nham
> 0.000 0 134908 0 non-token data: ntokens
> 0.000 0 1370728914 0 non-token data: oldest atime
> 0.000 0 1403706445 0 non-token data: newest atime
> 0.000 0 1402120803 0 non-token data: last journal sync atime
> 0.000 0 1400652018 0 non-token data: last expiry atime
> 0.000 0 1382400 0 non-token data: last expire atime delta
> 0.000 0 26988 0 non-token data: last expire reduction c
>
> Jun 25 07:53:29.670 [13397] dbg: bayes: tie-ing to DB file R/W /var/lib/amavis/.spamassassin/bayes_toks
> Jun 25 07:53:29.672 [13397] dbg: bayes: tie-ing to DB file R/W /var/lib/amavis/.spamassassin/bayes_seen
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I'm not interested in your website anymore. If you need cookies, bake them yourself.

I found the rather unusual solution to this problem, and I believe it may be unique to Ubuntu 12.04.

The way I fixed it was one command:

mv /usr/share/perl5/Mail/SpamAssassin/Logger.pm /usr/local/share/perl/5.14.2/Mail/SpamAssassin/

The Bayes filter immediately started working and the Logger.pm message went away.
SA rule to detect prior SA pass?
Looking at my mail streams I see evidence that spammers sometimes add faked SpamAssassin headers to their messages (I assume to try to trick recipients into thinking that the message has already been given a clean bill-of-health).

I wrote a few test rules to look for these pre-existing X-Spam- headers to test to see if it could be used as a spam detector. However I got no hits on these rules even on hand crafted test messages that contained such stuff.

Checking the SA source I found in PerMsgStatus.pm a line of code:

  $self->{msg}->delete_header('X-Spam-.*');

that ran before any tests. So looking for SA headers inside of SA is pointless.

So does anybody have any ideas how to test for evidence of a prior SA pass?

--
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: SA rule to detect prior SA pass?
On 28.06.2014 04:43, David B Funk wrote:
> Looking at my mail streams I see evidence that spammers sometimes add faked SpamAssassin headers to their messages (I assume to try to trick recipients into thinking that the message has already been given a clean bill-of-health).
>
> I wrote a few test rules to look for these pre-existing X-Spam- headers to test to see if it could be used as a spam detector. However I got no hits on these rules even on hand crafted test messages that contained such stuff.
>
> Checking the SA source I found in PerMsgStatus.pm a line of code:
>
>   $self->{msg}->delete_header('X-Spam-.*');
>
> that ran before any tests. So looking for SA headers inside of SA is pointless.
>
> So does anybody have any ideas how to test for evidence of a prior SA pass?

This is my script /etc/maildroprc

# IF ALREADY SCANNED AND FOUND SPAM, DO NOT RE-SCAN
if (/^X-Spam-Status: Yes/:h)
{
    # strip markup, and re-test
    if (/^X-FredSpamComment\: SpamAssassin called at jarif\.iki\.fi\./)
    {
        # Already scanned by us, this is when spam resends mail to users when they are clean.
        SCAN_SPAM=0
    }
    else
    {
        xfilter "/usr/bin/spamassassin --remove-markup --nocreate-prefs"
    }
}

--
jarif.bit
Re: SA rule to detect prior SA pass?
On 28.06.2014 05:47, Jari Fredriksson wrote:
> On 28.06.2014 04:43, David B Funk wrote:
>> Looking at my mail streams I see evidence that spammers sometimes add faked SpamAssassin headers to their messages (I assume to try to trick recipients into thinking that the message has already been given a clean bill-of-health).
>>
>> I wrote a few test rules to look for these pre-existing X-Spam- headers to test to see if it could be used as a spam detector. However I got no hits on these rules even on hand crafted test messages that contained such stuff.
>>
>> Checking the SA source I found in PerMsgStatus.pm a line of code:
>>
>>   $self->{msg}->delete_header('X-Spam-.*');
>>
>> that ran before any tests. So looking for SA headers inside of SA is pointless.
>>
>> So does anybody have any ideas how to test for evidence of a prior SA pass?
>
> This is my script /etc/maildroprc
>
> # IF ALREADY SCANNED AND FOUND SPAM, DO NOT RE-SCAN
> if (/^X-Spam-Status: Yes/:h)
> {
>     # strip markup, and re-test
>     if (/^X-FredSpamComment\: SpamAssassin called at jarif\.iki\.fi\./)
>     {
>         # Already scanned by us, this is when spam resends mail to users when they are clean.
>         SCAN_SPAM=0
>     }
>     else
>     {
>         xfilter "/usr/bin/spamassassin --remove-markup --nocreate-prefs"
>     }
> }

And the glue. Later (lots later!) in the same script:

#
# Here we go! (Death to Spam lol)
#
if ( $SCAN_SPAM == 1 )
{
    xfilter "spamc -H -x --max-size=500 -d spamd -u spam"
    xfilter "reformail -A'X-FredSpamComment: SpamAssassin called at tempest.fredriksson.dy.fi'"
}

If you want to write our own glue, you have the Force. If you rely on SA alone or Amavis it's harder.

--
jarif.bit
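
Because SpamAssassin deletes X-Spam-* headers before its tests run, as noted in this thread, evidence of a prior pass has to be captured by whatever glue runs ahead of it. The following is an added example, not code from any poster or from SpamAssassin: a pre-filter that records what it saw in a header outside the X-Spam- namespace, which a local header rule could then match. The marker name X-Prior-Scan, the trusted host mx1.example.org and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_bytes

TRUSTED_SCANNERS = {"mx1.example.org"}  # assumption: hosts that run our own SA
MARKER = "X-Prior-Scan"                 # hypothetical name, outside X-Spam-*
_ON_HOST = re.compile(r"\bon\s+(\S+)\s*$")


def classify_prior_scan(raw: bytes) -> str:
    """Return 'none', 'trusted' or 'untrusted' for the X-Spam-* headers
    already present when the message arrives."""
    msg = message_from_bytes(raw)
    found = [(name.lower(), str(value)) for name, value in msg.items()
             if name.lower().startswith("x-spam-")]
    if not found:
        return "none"
    # X-Spam-Checker-Version normally ends in "... on <hostname>".
    hosts = set()
    for name, value in found:
        match = _ON_HOST.search(value) if name == "x-spam-checker-version" else None
        if match:
            hosts.add(match.group(1).lower())
    # The host string is sender-controlled, so 'trusted' is only a weak signal.
    return "trusted" if hosts and hosts <= TRUSTED_SCANNERS else "untrusted"


def tag_message(raw: bytes) -> bytes:
    """Record the verdict in MARKER before SpamAssassin sees the message."""
    msg = message_from_bytes(raw)
    del msg[MARKER]  # drop any copy of our marker supplied by the sender
    msg[MARKER] = classify_prior_scan(raw)
    return msg.as_bytes()


# Constructed samples.
FORGED = (b"From: a@example.net\r\nSubject: hi\r\n"
          b"X-Spam-Status: No, score=-2.1\r\n"
          b"X-Spam-Checker-Version: SpamAssassin 3.3.2 on scanner.invalid\r\n"
          b"\r\nbody\r\n")
CLEAN = b"From: a@example.net\r\nSubject: hi\r\n\r\nbody\r\n"
OURS = FORGED.replace(b"scanner.invalid", b"mx1.example.org")

if __name__ == "__main__":
    for label, sample in (("forged", FORGED), ("clean", CLEAN), ("ours", OURS)):
        print(label, classify_prior_scan(sample))
```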