Re: How to use sa rules?

2016-09-02 Thread RW
On Fri, 2 Sep 2016 08:27:16 -0700 (PDT)
John Hardin wrote:

> On Thu, 1 Sep 2016, David Niklas wrote:
> 
> > I run sa-update but I want to know if any additional configuration
> > is needed to tell sa that I want it to use the rules.  
> 
> You need to check the return status of sa-update to see whether the
> rules were successfully updated, and if so, restart spamd or amavis
> or whatever is using the rules.
> 
> Question for others: if you're using compiled rules does the compiler
> need to be run explicitly, or is that automatic?

It's not automatic, although some packages may install a periodic script
to make it so.

I think the case for running sa-compile after every update is greatly
overstated. It's much more important to update and compile after a
software version update because the rules and compiled rules are in
versioned directories.  If you then stop running sa-compile, all that
happens is that a relatively small number of new and updated rules run
a bit slower in perl. 

Running sa-compile gratuitously doesn't make much difference on most
modern hardware, but it may do on something like a single-core
Raspberry Pi. I remember on a single core Athlon, it was 30 minutes of
100% cpu usage.
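
A cron-style wrapper for the steps discussed in this thread (check sa-update's exit status, optionally run sa-compile, then restart whatever uses the rules), added here as an example and not posted by anyone on the list. The variable names and the default restart command are assumptions; the exit-status meanings are those documented in the sa-update man page.

```shell
#!/bin/sh
# Added example: act on sa-update's exit status, then recompile and reload.
# Assumptions: SA_UPDATE, SA_COMPILE, RELOAD_CMD and USE_COMPILED are
# hypothetical variable names; the reload command depends on your
# distribution and on what consumes the rules (spamd, amavis, ...).

SA_UPDATE=${SA_UPDATE:-sa-update}
SA_COMPILE=${SA_COMPILE:-sa-compile}
RELOAD_CMD=${RELOAD_CMD:-"systemctl restart spamassassin"}  # assumed service name
USE_COMPILED=${USE_COMPILED:-no}  # "yes" if the Rule2XSBody plugin is enabled

# Map a documented sa-update exit status to the action to take.
#   0 = update installed, 1 = no fresh updates, 2 = lint failed (not installed),
#   3 = some channels updated while others failed, 4+ = download/extract error
classify_status() {
    case "$1" in
        0) echo reload ;;
        1) echo noop ;;
        3) echo reload-warn ;;
        *) echo error ;;
    esac
}

# Run one update cycle; returns 0 on success or nothing to do, 1 on failure.
update_cycle() {
    status=0
    $SA_UPDATE || status=$?
    action=$(classify_status "$status")
    case "$action" in
        noop)  return 0 ;;
        error) echo "sa-update failed (exit $status); rules unchanged" >&2
               return 1 ;;
        reload-warn) echo "sa-update: some channels failed (exit 3)" >&2 ;;
    esac
    # Compiled rules are only regenerated when explicitly enabled.
    if [ "$USE_COMPILED" = yes ]; then
        $SA_COMPILE || { echo "sa-compile failed" >&2; return 1; }
    fi
    $RELOAD_CMD
}

# Run only when asked, e.g. from cron: sa-refresh.sh --run
if [ "${1:-}" = "--run" ]; then
    update_cycle
fi
```
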


block attachments via plugin

2016-09-02 Thread Robert Boyl
Hi, guys

Recently I saw this.

http://jrs-s.net/2013/06/14/block-common-trojans-in-spamassassin/

My idea was to create a rule in the way mentioned in this site, such as,
for example, certain attachment file type (such as HTML or ZIP) and a
certain subject, score the message.

The rule works. But I found that it causes false positives for emails that
have HTML in the body and not necessarily attached (internally, I guess it's
the same, right?).

Example

--_000_2C3280CB5B1A584F8E4B3E0E263D843251617ACAMBXTB921Cvcarem_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable



Re: How to use sa rules?

2016-09-02 Thread John Hardin

On Thu, 1 Sep 2016, David Niklas wrote:


> I run sa-update but I want to know if any additional configuration is
> needed to tell sa that I want it to use the rules.


You need to check the return status of sa-update to see whether the rules 
were successfully updated, and if so, restart spamd or amavis or whatever 
is using the rules.


Question for others: if you're using compiled rules does the compiler need 
to be run explicitly, or is that automatic?



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Tea Party wants to remove the Crony from Crony Capitalism.
  OWS wants to remove Capitalism from Crony Capitalism.
-- Astaghfirullah
---
 15 days until the 229th anniversary of the signing of the U.S. Constitution


Re: Image spam - FuzzyOCR?

2016-09-02 Thread RW
On Fri, 02 Sep 2016 10:19:22 +0700
Olivier wrote:

> > Not really, he just said it matches against a word list. My point is
> > that out of the several SA OCR plugins that have been written,
> > FuzzyOCR is the one that's specifically designed for doing fuzzy
> > matching on a finite word list. If you just pass the OCR output to
> > Bayes or add it to the body, it's not "fuzzy OCR" anymore.  
> 
> To my understanding, the fuzzy part referred to the way it does OCR
> (several passes, with different angles, colours, etc.), not
> to the word matching.


From:




The methods mainly are:

-  Optical Character Recognition using different engines and settings
-  Fuzzy word matching algorithm applied to OCR results
...


Re: Relaycountry problem

2016-09-02 Thread RW
On Fri, 2 Sep 2016 09:31:41 +
Nicola Piazzi wrote:

> header RELAYCOUNTRY_IT    X-Relay-Countries =~ /IT/
> header RELAYCOUNTRY_BAD   X-Relay-Countries =~ /^(US|CN|RU|UA|JP|HK|UK|DE|BR|IN)/
> 
> in some cases I have both results in the spam report, I suppose that
> is because plugin evals all ip address and not lastexternal, is it
> correct ? 

No, it's because you didn't have a ^ before IT.

> is there a way to check only lastexternal ? any suggestion ?

For me it's better to score according to the least wanted country in the
list rather than the first, it does depend on your circumstances
though. Usually it's easiest to do this with meta rules.

> then there is a problem adding the header, I never found it in my
> header how is possible that the rule find it ?

SA creates pseudoheaders to hold metadata. The header rules run on
both real headers and pseudoheaders.

Adding a header in the output is not necessary, but it can be added
like other headers are added using the appropriate tag. This is well
documented.


Relaycountry problem

2016-09-02 Thread Nicola Piazzi
header RELAYCOUNTRY_IT    X-Relay-Countries =~ /IT/
header RELAYCOUNTRY_BAD   X-Relay-Countries =~ /^(US|CN|RU|UA|JP|HK|UK|DE|BR|IN)/

in some cases I have both results in the spam report, I suppose that is because 
plugin evals all ip address and not lastexternal, is it correct ?
is there a way to check only lastexternal ? any suggestion ?

then there is a problem adding the header, I never found it in my header how is 
possible that the rule find it ?