Re: How to get rid of this spam? Spam assassin does not catch it
On Fri, 2015-10-30 at 12:53 -0500, j...@lexoncom.com wrote:
> I did configure local recursive server and set both spam local.cf and
> resolved.conf to point to 127.0.0.1 and I still get the blocks.
>
Double check that there are no 'forward' options in /etc/names.conf or
in files in /etc/named

Kindly show us the listen-on{...} option(s) in /etc/named.conf as well
as exactly what is in /etc/resolv.conf. The number and order of
'nameserver' directives is important because they, in conjunction with
the DNS listen-on options affect what DNS server(s) SA will try to use.

Martin

PS: apologies if this seems to be failing to keep up with the rest of
the discussion, but currently something in my ISP's smarthost seems to
be taking 24 hours to pass on the mail it receives.
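Added example, not part of any message in this thread: a Python check for the two things Martin asks about above, the order of 'nameserver' lines in resolv.conf and any 'forward'/'forwarders' or listen-on settings in named.conf. The sample file contents and all function names are constructed for illustration.

```python
import re

# Constructed sample files, not taken from the thread.
SAMPLE_RESOLV = "nameserver 8.8.8.8\nnameserver 127.0.0.1\n"
SAMPLE_NAMED = """options {
    listen-on { 127.0.0.1; };
    // forwarders { 192.0.2.1; };   (commented out, must be ignored)
    forwarders { 192.0.2.53; };
    forward only;
};
"""
LOCAL = {"127.0.0.1", "::1"}

def strip_comments(conf):
    """Drop /* */, // and # comments, the three styles named.conf accepts."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def nameservers(resolv_text):
    """Addresses from 'nameserver' lines, in the order they are tried."""
    return re.findall(r"^[ \t]*nameserver[ \t]+(\S+)", resolv_text, flags=re.M)

def check_dns_setup(resolv_text, named_text):
    """Return findings as strings; an empty list means nothing to fix."""
    findings = []
    servers = nameservers(resolv_text)
    if not servers or servers[0] not in LOCAL:
        findings.append("resolv.conf: first nameserver is not local")
    elif any(s not in LOCAL for s in servers[1:]):
        findings.append("resolv.conf: non-local fallback nameserver")
    conf = strip_comments(named_text)
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", conf)
    if fwd and fwd.group(1).strip():
        findings.append("named.conf: forwarders " + " ".join(fwd.group(1).split()))
    mode = re.search(r"\bforward\s+(only|first)\s*;", conf)
    if mode:
        findings.append("named.conf: forward " + mode.group(1))
    listen = re.findall(r"\blisten-on(?!-v6)[^{;]*\{([^}]*)\}", conf)
    if listen and not re.search(r"127\.0\.0\.1|\bany\b|\blocalhost\b", " ".join(listen)):
        findings.append("named.conf: listen-on omits 127.0.0.1")
    return findings

if __name__ == "__main__":
    for finding in check_dns_setup(SAMPLE_RESOLV, SAMPLE_NAMED):
        print(finding)
```

To check a real host, pass the contents of /etc/resolv.conf and /etc/named.conf instead of the samples.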
Re: How to get rid of this spam? Spam assassin does not catch it
> On 31.10.2015 at 16:06, j...@lexoncom.com wrote:
>> So after initial learning it looks better now. (BAYES_50)
>
> BAYES_50 is not really good for clear spam
>
yep i thought that bayes was used but it seems like it was all useless

>> When sendmail sends email to procmail and procmail passes it to spam
>> assassin, does spam assassin runs as root user or as the user the email
>> is destined to?
>
> depends on how SA is called in detail, normally it should switch to that
> unix-user and hence training as root makes no sense, *nothing* should
> proceed potentially dangerous input as root at all - inbound mailcontent
> is by definition that sort of "don't do that" input
>
>> I run the sa-learn as root user
>
> oh my god...

i run it through the crontab
yes i can create new user and force sa-learn to use that user

>
>> and it seems like this is the database
>> that is being used so it would be global data base used for all mail
>> users?
>
> https://wiki.apache.org/spamassassin/SiteWideBayesSetup

i switched to global setup now
all users should use same db and i will use the manual learning process

>
>> X-Spam-Flag: YES
>> X-Spam-Level:
>> X-Spam-Status: Yes, score=12.9 required=5.0
>> tests=BAYES_50,FROM_12LTRDOM,
>>
>> HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BRBL_LASTEXT,RCVD_IN_MSPIKE_BL,
>>
>> RCVD_IN_MSPIKE_L5,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_DBL_SPAM,
>> URIBL_JP_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.4.0
>
> well, the quota of your sa-headers was enough to reject my response on
> the submission spamass-milter
>
> result: Y 16 - URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL
>

not sure what this means?
Re: How to get rid of this spam? Spam assassin does not catch it
On 31.10.2015 at 16:06, j...@lexoncom.com wrote:
> So after initial learning it looks better now. (BAYES_50)

BAYES_50 is not really good for clear spam

> When sendmail sends email to procmail and procmail passes it to spam
> assassin, does spam assassin runs as root user or as the user the email
> is destined to?

depends on how SA is called in detail, normally it should switch to that
unix-user and hence training as root makes no sense, *nothing* should
proceed potentially dangerous input as root at all - inbound mailcontent
is by definition that sort of "don't do that" input

> I run the sa-learn as root user

oh my god...

> and it seems like this is the database
> that is being used so it would be global data base used for all mail
> users?

https://wiki.apache.org/spamassassin/SiteWideBayesSetup

> X-Spam-Flag: YES
> X-Spam-Level:
> X-Spam-Status: Yes, score=12.9 required=5.0
> tests=BAYES_50,FROM_12LTRDOM,
> HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BRBL_LASTEXT,RCVD_IN_MSPIKE_BL,
> RCVD_IN_MSPIKE_L5,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_DBL_SPAM,
> URIBL_JP_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.4.0

well, the quota of your sa-headers was enough to reject my response on
the submission spamass-milter

result: Y 16 - URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL
Re: How to get rid of this spam? Spam assassin does not catch it
So after initial learning it looks better now. (BAYES_50)

When sendmail sends email to procmail and procmail passes it to spam
assassin, does spam assassin runs as root user or as the user the email
is destined to?

I run the sa-learn as root user and it seems like this is the database
that is being used so it would be global data base used for all mail
users?

X-Spam-Flag: YES
X-Spam-Level:
X-Spam-Status: Yes, score=12.9 required=5.0 tests=BAYES_50,FROM_12LTRDOM,
 HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BRBL_LASTEXT,RCVD_IN_MSPIKE_BL,
 RCVD_IN_MSPIKE_L5,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_DBL_SPAM,
 URIBL_JP_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.4.0
X-Spam-Report:
 * 1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 * [URIs: curingaidtrade.com]
 * 1.2 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
 * [URIs: curingaidtrade.com]
 * 1.4 RCVD_IN_BRBL_LASTEXT RBL: No description available.
 * [95.128.19.6 listed in bb.barracudacentral.org]
 * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
 * [URIs: curingaidtrade.com]
 * 0.4 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 * [95.128.19.6 listed in zen.spamhaus.org]
 * 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 * [URIs: curingaidtrade.com]
 * 2.4 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)
 * [95.128.19.6 listed in bl.mailspike.net]
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 * [score: 0.5000]
 * 0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
 * 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
 * 0.1 FROM_12LTRDOM From a 12-letter domain

> On Fri, 30 Oct 2015, j...@lexoncom.com wrote:
>
>> thx, that explains the issue.
>> I setup a dns server outside the amazon server.
>> Now, i can finally do the lookup:
>> root@aws:~# host -tTXT 2.0.0.127.multi.uribl.com
>> 2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
>>
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=7.0 required=5.0 tests=BAYES_00,
>>  HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,
>>  RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BRBL_LASTEXT,SPF_HELO_PASS,
>>  SPF_PASS,URIBL_BLACK,URIBL_DBL_SPAM autolearn=disabled version=3.4.0
>> X-Spam-Report:
>> * 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>> * [URIs: yokooo.com]
>> * 1.4 RCVD_IN_BRBL_LASTEXT RBL: No description available.
>> * [208.80.12.43 listed in bb.barracudacentral.org]
>> * -0.0 SPF_PASS SPF: sender matches SPF record
>> * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
>> * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>> * [score: 0.]
>> * 0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>> * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
>> * background
>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>> * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>> * [cf: 100]
>> * 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
>> * above 50%
>> * [cf: 100]
>> * 0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
>> * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
>> * [URIs: yokooo.com]
>
> Bravo! Now all you need to do is wipe and retrain your Bayes database with
> known-good corpora to get rid of that BAYES_00.
>
> --
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
>   ...the Fates notice those who buy chainsaws...
>                                         -- www.darwinawards.com
> ---
> Tomorrow: Halloween
>