Re: KAM_Back rule

2018-10-26 Thread RW
On Fri, 26 Oct 2018 17:29:24 -0400
Bill Cole wrote:

> On 26 Oct 2018, at 15:13, John wrote:
> 
> > I just got an email from a mailing list of which i am a member (UK
> > academic geophysics) which was scored at 5, mainly from a 5.5
> > contribution from KAM_BACK, described as background check SPAM.  I have
> > not managed to work out what that rule is trying to do, but it is
> > the first detected oh-nasty from using the KAM rules.
> >
> > Clearly I can reduce the score but I am struggling to see what was
> > wrong with the message, attached.  
> 
> There's nothing wrong with the message, the rule is too aggressive.
> 
> It consists of 5 sub-rules, 3 body and 2 header for From and Subject. 
> Hitting any three satisfies the meta-rule.

And 'criminal' in the Subject implies a second hit on 'criminal' in the
body.


Re: KAM_Back rule

2018-10-26 Thread Bill Cole

On 26 Oct 2018, at 15:13, John wrote:


> I just got an email from a mailing list of which i am a member (UK
> academic geophysics) which was scored at 5, mainly from a 5.5
> contribution from KAM_BACK, described as background check SPAM.  I have
> not managed to work out what that rule is trying to do, but it is the
> first detected oh-nasty from using the KAM rules.
>
> Clearly I can reduce the score but I am struggling to see what was
> wrong with the message, attached.


There's nothing wrong with the message, the rule is too aggressive.

It consists of 5 sub-rules, 3 body and 2 header for From and Subject. 
Hitting any three satisfies the meta-rule. It seems to be targeted at 
spam selling criminal and/or financial background reports (which is a 
real market here in the US, where we have no serious privacy laws...) 
Unfortunately, it does not seem to be constructed with an appreciation 
for the fact that people discuss criminality in non-spam.


Personally, I just zeroed the score for that on my personal system. 
Thanks for bringing it to light.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
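
A small model of the rule shape described in this thread, added here as an illustration and not taken from KAM.cf or from any poster: five sub-rules (three body, two header), with the meta firing on any three. The sub-rule names and patterns are hypothetical, and the sample message is constructed. It relies on the documented SpamAssassin behaviour that body rules see the Subject as the first paragraph of the body.

```python
import re

# Hypothetical sub-rules: the real KAM_BACK patterns are not shown in this thread.
# Shape follows the description: 3 body tests, 2 header tests, meta fires on any 3.
SUBRULES = {
    "__X_BODY_CRIMINAL":   ("body",    re.compile(r"\bcriminal\b", re.I)),
    "__X_BODY_BACKGROUND": ("body",    re.compile(r"\bbackground\b", re.I)),
    "__X_BODY_RECORDS":    ("body",    re.compile(r"\brecords?\b", re.I)),
    "__X_FROM_BACKGROUND": ("from",    re.compile(r"background", re.I)),
    "__X_SUBJ_CRIMINAL":   ("subject", re.compile(r"\bcriminal\b", re.I)),
}
THRESHOLD = 3


def hits(msg, subject_in_body=True):
    """Return the sorted names of the sub-rules that match msg.

    SpamAssassin body rules see the Subject as the first paragraph of the
    body; subject_in_body=False shows the count without that behaviour.
    """
    body = msg["body"]
    if subject_in_body:
        body = msg["subject"] + "\n\n" + body
    text = {"body": body, "from": msg["from"], "subject": msg["subject"]}
    return sorted(n for n, (field, rx) in SUBRULES.items() if rx.search(text[field]))


def meta_fires(msg, subject_in_body=True):
    """True when at least THRESHOLD sub-rules hit."""
    return len(hits(msg, subject_in_body)) >= THRESHOLD


# Constructed sample: a conference announcement, not the message from the thread.
LIST_MAIL = {
    "from": "Conference Organiser <organiser@example.org>",
    "subject": "Environmental & Criminal Forensics Conference: Meeting Programme",
    "body": "The provisional programme is available for download. "
            "One session covers historic environment records.",
}

if __name__ == "__main__":
    print(hits(LIST_MAIL), meta_fires(LIST_MAIL))
    print(hits(LIST_MAIL, subject_in_body=False), meta_fires(LIST_MAIL, False))
```

One word in the Subject accounts for two of the three hits needed, so a single further incidental match in the body is enough to fire the meta.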


Re: Version 3.4.2, Debian Stretch

2018-10-26 Thread Matus UHLAR - fantomas

On 26.10.18 10:04, Jan Münnich wrote:

> The Debian package is not well maintained anymore unfortunately.

who told you that? 3.4.2 is in unstable since Oct 01, testing since Oct 03.

> But it's very easy to compile SpamAssassin yourself on Debian Stretch:

this leads to problems, you must be prepared to do builds for yourself always.
Simply do NOT do this, not on debian.

If you really want it built, download source package from sid and try building
on stretch/jessie.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
LSD will make your ECS screen display 16.7 million colors


KAM_Back rule

2018-10-26 Thread John

I just got an email from a mailing list of which i am a member (UK
academic geophysics) which was scored at 5, mainly from a 5.5
contribution from KAM_BACK, described as background check SPAM.  I have
not managed to work out what that rule is trying to do, but it is the
first detected oh-nasty from using the KAM rules.

Clearly I can reduce the score but I am struggling to see what was
wrong with the message, attached.
==John ffitch

From paul.linf...@historicengland.org.uk Fri Oct 26 17:53:17 2018
Return-path: 
Envelope-to: j...@codemist.co.uk
Delivery-date: Fri, 26 Oct 2018 17:53:17 +0100
Received: from air.cs.bath.ac.uk ([138.38.108.3])
by codemist.co.uk with esmtp (Exim 4.91)
(envelope-from )
id 1gG5MH-0004AA-8m
for j...@codemist.co.uk; Fri, 26 Oct 2018 17:53:17 +0100
Received: from deneb.ease.lsoft.se ([212.247.25.116])
by air.cs.bath.ac.uk with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from )
id 1gG5Lh-0004bf-DA
for j...@cs.bath.ac.uk; Fri, 26 Oct 2018 17:52:38 +0100
Received: from JISC (JISC.ease.lsoft.se [212.247.25.31])
by deneb.ease.lsoft.se (Postfix) with ESMTP id D66B479D9;
Fri, 26 Oct 2018 18:52:19 +0200 (CEST)
Received: by JISCMAIL.AC.UK (LISTSERV-TCP/IP release 16.0) with spool id
  417637025 for geophys...@jiscmail.ac.uk; Fri, 26 Oct 2018 17:52:19
  +0100
Received: from cluster-d.mailcontrol.com (cluster-d.mailcontrol.com
  [85.115.60.190]) by JISCMAIL.AC.UK (SMTPL release 1.1d)
  (envelope-from ) for
  geophys...@jiscmail.ac.uk with TCP; Fri, 26 Oct 2018 17:52:08 +0100
Received: from SVMEX01.english-heritage.org.uk ([194.62.32.10]) by
  rly51d.srv.mailcontrol.com (MailControl) with ESMTP id
  w9QGq1dO042668; Fri, 26 Oct 2018 17:52:04 +0100
Received: from SVMEX01.english-heritage.org.uk (172.24.17.50) by
  SVMEX01.english-heritage.org.uk (172.24.17.50) with Microsoft SMTP
  Server (TLS) id 15.0.1263.5; Fri, 26 Oct 2018 17:52:04 +0100
Received: from SVMEX01.english-heritage.org.uk ([fe80::55db:1744:1ca5:526]) by
  SVMEX01.english-heritage.org.uk ([fe80::55db:1744:1ca5:526%12]) with
  mapi id 15.00.1263.000; Fri, 26 Oct 2018 17:52:04 +0100
Thread-Topic: Archaeological Geophysics Environmental & Criminal Forensics
  Conference, 4th-5th December 2018: Meeting Programme
Thread-Index: AdRtPcWN3qIuTW5NRK6noSFVdxNH7g==
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.24.49.67]
x-exclaimer-md-config: 02890ccf-f504-4c9a-81c5-5e8444a502b6
Content-Type: multipart/related; 
boundary="_004_f43a9f519a994266b5b8a03e93167729SVMEX01englishheritageo_"; 
type="multipart/alternative"
MIME-Version: 1.0
X-Scanned-By: MailControl 44278.2057 (www.mailcontrol.com) on 10.68.0.161
Message-ID:  
Date: Fri, 26 Oct 2018 16:52:04 +
Reply-To: "Linford, Paul" 
Sender:   The British Geophysical Association's Open Email Discussion List 

From: "Linford, Paul" 
Comments: To: "isap-...@archprospection.org" 
To:   geophys...@jiscmail.ac.uk
Precedence: list
List-Help: ,
   
List-Unsubscribe: 
List-Subscribe: 
List-Owner: 
List-Archive: 
X-Spam-Score: -0.5 (/)
X-Spam-Score: 5.0 (+)
X-Spam-Report: This mail is probably spam.  The original message has been attached
 along with this report, so you can recognize or block similar unwanted
 mail in future.  If you have any questions, mail
 postmas...@codemist.co.uk
 ==
 Content preview:  Further to my previous message, I’m pleased to say we now
have the provisional programme for the joint NSGG Archaeological Geophysics
and FGG Environmental & Criminal Forensics meetings available for download
on the NSGG website meetings page (http://www.nsgg.org.uk/meetings/) and
   the direct link to the PDF is: 
http://www.nsgg.org.uk/meetings/NSGG-FGG-2018_programme_v4.pdf.
[...] 
 
 Content analysis details:   (5.0 points, 4.0 required)

  pts rule name                     description
 ---- ----------------------------- ---------------------------------------
 -0.0 SPF_PASS                      SPF: sender matches SPF record
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                                    domains are different
 -0.5 BAYES_05                      BODY: Bayes spam probability is 1 to 5%
                                    [score: 0.0238]
  5.5 KAM_BACK                      Background Check SPAM
Subject: +++SPAM+++: Archaeological Geophysics 

Re: Error running sa-update - cannot refresh mirrors file

2018-10-26 Thread Rodney Baker
On Friday, 26 October 2018 23:46:18 ACDT RW wrote:
> On Fri, 26 Oct 2018 22:40:54 +1030
> 
> Rodney Baker wrote:
> > Should I be concerned about the error updating the mirrors file?
> 
> No. sa-update tries to update it after a week so you pick-up new
> servers and spread the load, but the old one will probably still be
> usable for years.
> 
> The only time it matters is after a SpamAssassin version change when
> a new versioned directory is created to hold the rules. Even then you
> could just copy over the old MIRRORED.BY file if the server is down.

Ok, thanks - that's good to know.

Regards,
Rodney.

-- 
==
Rodney Baker
rod...@jeremiah31-10.net
CCNA #CSCO12880208
==




Re: Cannot install SpamAssassin on Ubuntu 18.04.1 (gpg not found?)

2018-10-26 Thread Chris Pollock
On Thu, 2018-10-25 at 15:23 +0100, Dominic Raferd wrote:
> 
> 
> On Thu, 25 Oct 2018 at 15:16, RW  wrote:
> > On Thu, 25 Oct 2018 16:07:02 +0200
> > Matus UHLAR - fantomas wrote:
> > 
> > > > >On Thu, 25 Oct 2018 08:37:45 -0400 Alexander Lieflander wrote:
> > > > >> As a side-note, it seems like the error message returned by dpkg
> > > > >> (and thus SpamAssassin, I guess) is incorrect. Where it mentions
> > > > >> “sa-compile”, it should really be mentioning “sa-update”, as the
> > > > >> man page for sa-update contains the “--nogpg” option, and the man
> > > > >> page for sa-compile does not.
> > > >
> > > > where did it say sa-compile?
> > >
> > > It failed when sa-compile was being installed
> > >
> > > > nothing with sa-compile.
> > > >
> > > > On 25.10.18 14:37, RW wrote:
> > > > >This is a consequence of Ubuntu (or Debian) splitting off sa-compile
> > > > >into a separate  package. The error occurred  while checking
> > > > >sa-compile's dependency, the spamassassin package.
> > > >
> > > > this should not happen at all. when sa-compile is installed,
> > > > spamassassin (and sa-update) should be installed and configured.
> > >
> > > I would guess that there was no problem when spamassassin was installed
> > > and sa-compile was installed later.
> 
> I am using SA on Ubuntu 18.04 without any such problems. Looking at
> the package changelogs for SA 3.4.1-8 under Debian/Ubuntu they are
> identical except that, for Ubuntu 18.04, SA was rebuilt
> against openssl1.1. The only sadness is that Ubuntu 18.04 is
> currently stuck with 3.4.1 (3.4.2 is available on 18.10).

FWIW back on 9 Oct I submitted a bug report regarding 3.4.2 for 18.04

https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1796863

I'm hoping that it will be available soon.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:23:12 up 3 days, 16:37, 1 user, load average: 1.08, 0.96, 0.75
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-38-generic




Re: Error running sa-update - cannot refresh mirrors file

2018-10-26 Thread RW
On Fri, 26 Oct 2018 22:40:54 +1030
Rodney Baker wrote:


> Should I be concerned about the error updating the mirrors file?

No. sa-update tries to update it after a week so you pick-up new
servers and spread the load, but the old one will probably still be
usable for years. 

The only time it matters is after a SpamAssassin version change when
a new versioned directory is created to hold the rules. Even then you
could just copy over the old MIRRORED.BY file if the server is down. 
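
A log check that encodes the distinction made in this reply, added here as an example and not part of sa-update or of anyone's post: a failed MIRRORED.BY refresh or a dead mirror is informational as long as some mirror delivered the update. The sample is the output from the original post in this thread with its wrapped lines rejoined; requiring the tarball, its .sha1 and its .asc from the same mirror is this example's own policy.

```python
import re

# Output from the original post in this thread (wrapped lines rejoined).
SAMPLE = """\
Update available for channel updates.spamassassin.org: 1844624 -> 1844740
http: (curl) GET http://spamassassin.apache.org/updates/MIRRORED.BY, FAILED, status: 1792
error: unable to refresh mirrors file for channel updates.spamassassin.org, using old file
http: (curl) GET http://sa-update.bitwell.fi/1844740.tar.gz, FAILED, status: 1792
http: (curl) GET http://sa-update.razx.cloud/1844740.tar.gz, success
http: (curl) GET http://sa-update.razx.cloud/1844740.tar.gz.sha1, success
http: (curl) GET http://sa-update.razx.cloud/1844740.tar.gz.asc, success
Update was available, and was downloaded and installed successfully
"""

GET = re.compile(r"^http: \(\w+\) GET (\S+), (success|FAILED)")


def summarize(output):
    """Split an sa-update --verbose run into harmless noise and real failures."""
    ok, failed = set(), set()
    for line in output.splitlines():
        m = GET.match(line)
        if m:
            (ok if m.group(2) == "success" else failed).add(m.group(1))
    installed = "installed successfully" in output
    # Example policy: tarball, checksum and signature must come from one mirror.
    complete = sorted(u for u in ok if u.endswith(".tar.gz")
                      and u + ".sha1" in ok and u + ".asc" in ok)
    return {
        "installed": installed,
        "complete_from": complete,
        # Informational only: sa-update keeps using the old mirror list.
        "stale_mirror_list": any(u.endswith("/MIRRORED.BY") for u in failed),
        "failed_mirrors": sorted(u for u in failed if not u.endswith("/MIRRORED.BY")),
        "needs_attention": not (installed and complete),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```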


Error running sa-update - cannot refresh mirrors file

2018-10-26 Thread Rodney Baker
Hi all,

I'm getting the following error when running sa-update on my Raspberry Pi 
(running spamc/spamd with compiled rulesets); 

root@mailpi ~ # sa-update --verbose
Update available for channel updates.spamassassin.org: 1844624 -> 1844740
http: (curl) GET http://spamassassin.apache.org/updates/MIRRORED.BY, FAILED, status: 1792
error: unable to refresh mirrors file for channel updates.spamassassin.org, using old file
http: (curl) GET http://sa-update.bitwell.fi/1844740.tar.gz, FAILED, status: 1792
http: (curl) GET http://sa-update.razx.cloud/1844740.tar.gz, success
http: (curl) GET http://sa-update.razx.cloud/1844740.tar.gz.sha1, success
http: (curl) GET http://sa-update.razx.cloud/1844740.tar.gz.asc, success
Update was available, and was downloaded and installed successfully

Should I be concerned about the error updating the mirrors file?

Thanks in advance,
Rodney.

-- 
==
Rodney Baker VK5ZTV
rod...@jeremiah31-10.net
CCNA #CSCO12880208
==




Re: Version 3.4.2, Debian Stretch

2018-10-26 Thread Jan Münnich
The Debian package is not well maintained anymore unfortunately. But 
it's very easy to compile SpamAssassin yourself on Debian Stretch:


1. Remove old package but leave configuration:

    apt remove spamassassin

2. Install dependencies:

    apt install libpcre3-dev libdigest-sha-perl libhtml-parser-perl \
        libnet-dns-perl libnet-ident-perl libio-socket-ssl-perl libio-zlib-perl \
        libarchive-tar-perl libgdbm-dev libhtml-tree-perl libwww-perl \
        libnetaddr-ip-perl libio-socket-inet6-perl libmail-dkim-perl \
        libdigest-sha-perl libmail-spf-perl libdbi-perl libencode-detect-perl \
        re2c libgeo-ip-perl libio-socket-ip-perl libnet-patricia-perl make \
        libdbd-mysql-perl

3. Download 3.4.2 package and unpack in /usr/local/src or somewhere else:


4. Compile and install:

    perl Makefile.PL
    make
    make install
    sa-update


Best,
Jan


Re: KAM_RAPTOR and other dependencies...

2018-10-26 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 22:44, Kevin A. McGrail  wrote:

> On 10/25/2018 1:07 AM, Dominic Raferd wrote:
>
> On Tue, 23 Oct 2018 at 14:22, Kevin A. McGrail 
> wrote:
>
>> It means I forgot to encapsulate that rule in a plugin check.  Download
>> the latest KAM.cf and you'll be good.
>>
>> On Mon, Oct 22, 2018 at 4:40 PM Peter L. Berghold 
>> wrote:
>>
>>> I've seen the following message and others similar:
>>> spamd[20463]: rules: meta test KAM_VERY_MALWARE has dependency
>>> 'KAM_RAPTOR' with a zero score
>>>
>>> what is spamassassin trying to tell me?
>>>
>>
> I am seeing 19 of these messages every day when
> /etc/cron.daily/spamassassin runs under anacron (Ubuntu 18.04.1,
> SpamAssassin 3.4.1, Perl 5.26.1). I am using the latest KAM.cf from
> http://www.mcgrail.com/downloads/KAM.cf which I added to
> /etc/spamassassin. The dependencies with zero score are:
> CBJ_GiveMeABreak
> KAM_IFRAME
> KAM_RAPTOR
> KAM_RPTR_PASSED
> KAM_RPTR_SUSPECT
>
> Should I ignore these messages (by modifying /etc/cron.daily/spamassassin)?
>
> Suggest you look at the KAM.cf and get the nonKAMrules.cf file mentioned; it
> will get rid of a warning or two.  The other warnings on the daily update
> are fine.  It has to do with the fact that I maintain KAM.cf as a single
> source for both internal usage and for the world at large.  So those using
> it externally get some warnings that we don't see internally.
>

Thanks I will do that now and I have edited /etc/cron.daily/spamassassin so
I don't see those specific info messages.


Re: Version 3.4.2, Debian Stretch

2018-10-26 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 21:16, Vitali Quiering  wrote:

> Is it not compatible with debian stretch or just not available as a package?
> Is it tested and considered stable?
>
> Regards,
> Vitali
>
> On 25.10.2018 at 16:26, Dominic Raferd wrote:
>
> On Thu, 25 Oct 2018 at 15:12, Vitali Quiering  wrote:
>
>> sorry if this has been asked before. I am new to this list and couldn’t
>> find a solution I liked. :-)
>> Is there a spamassassin 3.4.2 package available for Debian Stretch? I
>> need the RelayCountryPlugin with GeoIP2.
>
>
> Only in sid and buster at the moment. Ubuntu 18.04 is similarly affected.
>
>
I am confident it will be compatible, just the package for these platforms
has not been built yet.