Supposed bounces

2022-07-13 Thread @lbutlr
On 2022 Jul 12, at 13:08, users-h...@spamassassin.apache.org wrote:
> Hi! This is the ezmlm program. I'm managing the
> users@spamassassin.apache.org mailing list.
> 
> 
> Messages to you from the users mailing list seem to
> have been bouncing. I've attached a copy of the first bounce
> message I received.

... 

> --- Enclosed is a copy of the bounce message I received.
> 
> Return-Path: <>
> Received: (qmail 78834 invoked for bounce); 7 Oct 2019 19:56:32 -
> Date: 7 Oct 2019 19:56:32 -
> From: mailer-dae...@apache.org
> To: users-return-1212...@spamassassin.apache.org
> Subject: failure notice

So, a supposed bounce from also three years ago. And that bounce did not come 
from my mail server as I have never run qmail. No IP addresses, no Received 
headers, nothing that could possibly be used to figure out what is going on 
here.

-- 
Lady Astor: "If you were my husband I'd give you poison."
Churchill: "If you were my wife, I'd drink it."




Re: Another evil number

2022-05-05 Thread @lbutlr
On 2022 May 02, at 22:40, Kevin A. McGrail  wrote:
> Fascinating thread I just stumbled on. Yes, in early parts of the phone 
> system, the letters were geographic and referenced the street for where the 
> central office was located switching those calls.  For example, in Arlington 
> VA, my grandfather's number was 533-9389 which was referred to as JE3-9389 and 
> the CO was on Jefferson St.  I'm pretty sure this fell apart rapidly as the 
> system grew.

At least here a lot of the time the names for the exchanges were neighborhood names, 
or the name of a prominent street in the area, but not necessarily the one the 
CO was on.

For example, the CO near where I lived when I was about 8yo was located on 
Pennsylvania Street, but the exchange was named Pearl, because Pearl was the 
street that had a small commercial district on it and, I think, had once had a 
streetcar line (before my time).

The University exchange was 871 (UniverSity, I guess?), and most of Denver 
University's numbers were still in 871- in the 1990s.

The whole history of telephone exchanges is filled with odd little stories, but 
most of the information about why and where and when has been lost, and quite 
a lot of exchanges forgotten.

I tried to do some research on the Denver exchanges around 20-25 years ago, but 
there really wasn't much there. Phone books would generally list the letters, 
but not the names, and sometimes the phone books were even divided by exchange 
first, and then names.

I never had to deal with exchanges myself, but I did have to deal with a party 
line.

Do. Not. Recommend.

Especially not when you're 14 and trying to talk to this girl about serious 
topics over the course of several hours...

-- 
Overhead, without any fuss, the stars were going out.



Re: Getting right GPG key for KAM

2022-03-21 Thread @lbutlr
On 2022 Mar 21, at 04:37, Henrik K  wrote:
> Right, it does seem you haven't imported the key..

Thanks! That's what was missing. Odd, considering there were KAM files present, 
just not recent ones. Anyway, not my system, but all sorted now.

-- 
(on emojis) Remember when they added Groucho and no Harpo?



Re: Getting right GPG key for KAM

2022-03-21 Thread @lbutlr
On 2022 Mar 21, at 03:54, Henrik K  wrote:
> On Mon, Mar 21, 2022 at 03:48:51AM -0600, @lbutlr wrote:
>> When running sa-update on an old system (not updated in at least a year) I 
>> am getting:
>> 
>> # sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com
>> gpg: process '/usr/local/bin/gpg' finished: exit 2
>> error: GPG validation failed!
> 
> Sounds like the gpg command failed, not relating to keys.  sa-update -D
> could give clues.

Thanks, I did run sa-update (non KAM) and it worked. Running it again with -D 
on KAM gives:

Mar 21 04:13:56.804 [89542] dbg: gpg: calling gpg
Mar 21 04:13:56.811 [89542] dbg: gpg: [GNUPG:] NEWSIG
Mar 21 04:13:56.811 [89542] dbg: gpg: gpg: Signature made Fri Mar 18 10:25:02 
2022 MDT
Mar 21 04:13:56.812 [89542] dbg: gpg: gpg: using RSA key 
21D97142272C9066FCAA792B4A156DA524C063D8
Mar 21 04:13:56.812 [89542] dbg: gpg: [GNUPG:] ERRSIG 4A156DA524C063D8 1 8 00 
1647620702 9 21D97142272C9066FCAA792B4A156DA524C063D8
Mar 21 04:13:56.812 [89542] dbg: gpg: [GNUPG:] NO_PUBKEY 4A156DA524C063D8
Mar 21 04:13:56.812 [89542] dbg: gpg: gpg: Can't check signature: No public key
gpg: process '/usr/local/bin/gpg' finished: exit 2

That doesn't look like a configuration issue on my side?

-- 
There are strange things done in the midnight sun/By the men who moil
for gold; The Arctic trails have their secret tales/That would
make your blood run cold; The Northern Lights have seen queer
sights,/But the queerest they ever did see Was the night on the
marge of Lake Lebarge/ When I cremated Sam McGee



Getting right GPG key for KAM

2022-03-21 Thread @lbutlr
When running sa-update on an old system (not updated in at least a year) I am 
getting:

# sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com
gpg: process '/usr/local/bin/gpg' finished: exit 2
error: GPG validation failed!
The update downloaded successfully, but it was not signed with a trusted GPG
key.  Instead, it was signed with the following keys:

24C063D8

Perhaps you need to import the channel's GPG key?  For example:

wget https://spamassassin.apache.org/updates/GPG.KEY
sa-update --import GPG.KEY

channel 'kam.sa-channels.mcgrail.com': GPG validation failed, channel failed


I went ahead and ran the commands, but that didn't change the behavior (not 
that I expected it would). I assume there is a different path for the KAM GPG 
key.

-- 
“What’s a little boy like you doing with big boy smut like this?”



Re: Process of domain submission for inclusion in 60_whitelist_auth.cf

2021-07-01 Thread @lbutlr
On 01 Jul 2021, at 16:43, Reindl Harald  wrote:
> Am 02.07.21 um 00:32 schrieb @lbutlr:
>>> I also manually maintain a private blacklist, which contains the 'From'
>>> addresses of advertising e-mails from companies that I've dealt with in
>>> the past. This works because many (most?) companies use different
>>> subdomains for advertising messages than they use for order
>>> confirmations etc. This makes blacklisting the advertising 'From'
>>> addresses very simple to do and is a manual process.
>> If a company insists on sending me advertising mail I do not want, I don't 
>> want to do any business with that company
> 
> not everyone's mailserver is just for him and his family
> in your case you may reject the world except whitelists
> fine for a child setup

On my mail server any domain admin can blacklist any email address, either for 
the domain itself or for specific addresses.

-- 
"We take off our Republican hats and put on our American hats" --
Many Republicans in Sep 2008



Re: Process of domain submission for inclusion in 60_whitelist_auth.cf

2021-07-01 Thread @lbutlr
On 29 Jun 2021, at 04:50, Martin Gregorie  wrote:
> On Tue, 2021-06-29 at 00:52 -0400, Bill Cole wrote:
>> On 2021-06-28 at 17:04:05 UTC-0400 (Mon, 28 Jun 2021 23:04:05 +0200)
>> Robert Harnischmacher 
>> is rumored to have said:

>>> In which form can one submit the subdomain of a mail sender for the 
>>> integration in 60_whitelist_auth.cf. Which information is required
>>> for 
>>> consideration?

> There's nothing preventing you from maintaining your own whitelist (and
> blacklist).
> 
> I wrote my own automatic whitelister, which whitelists mail from anybody
> I've sent mail to. It works by scanning my outgoing mail stream: almost
> no maintenance needed and it would be quite difficult to spoof.

Sending spam, viruses, ransom demands, and/or spearphishing from "known" 
addresses is extremely common, so how effective that is depends a lot on the 
sort of mail and the amount of mail you receive.

It is very common for me to get spam mail that appears to be from known 
addresses, mostly clients and the less sophisticated family members (computer 
sophisticated, at least) who have the bad habit of sharing their contacts with 
whatever random app they download.

> I also manually maintain a private blacklist, which contains the 'From'
> addresses of advertising e-mails from companies that I've dealt with in
> the past. This works because many (most?) companies use different
> subdomains for advertising messages than they use for order
> confirmations etc. This makes blacklisting the advertising 'From'
> addresses very simple to do and is a manual process.

If a company insists on sending me advertising mail I do not want, I don't want 
to do any business with that company.

-- 
'You're your own worst enemy, Rincewind,' said the sword. Rincewind
looked up at the grinning men. 'Bet?' --Colour of Magic



Re: Another evil number

2021-06-26 Thread @lbutlr
On 25 Jun 2021, at 12:24, RW  wrote:
> On Fri, 25 Jun 2021 05:51:24 -0700
> Loren Wilton wrote:
> 
>> From a fake "subscription" spam:
>> 
>> You can reach out
>>   to our Customer Support Team+1 (800) 781 - 2511.
> 
> 
> Is it common in the US to put 800 in brackets like that?

Yes.

> In my
> experience brackets normally go around either country codes or area
> codes, digits that may be optional.

800 is an area code, it's just a special area code that is not tied to an 
actual area.

The normal format for phone number in the US is

(AAA) XXX-

Where AAA is the three-digit area code, XXX is the three-digit local exchange 
(a largely historical feature) and  is the number.

Sometimes a "1 " precedes the area code and sometimes in calling areas that do 
not require ten digit dialing, the area code will be omitted. "+1" is correct, 
but is rarely used in the US.

The oddest thing in that is the space surrounding the - and the lack of space 
before +1

-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but pants with horizontal stripes make me look
chubby."



Re: Scan Attachment Content Using Spamassassin

2021-06-03 Thread @lbutlr



> On 03 Jun 2021, at 01:32, Matus UHLAR - fantomas  wrote:
> 
>> On Thu, Jun 03, 2021 at 01:15:03AM -0500, Dave Funk wrote:
>>> Even more limiting, spamassassin is designed for small to medium size
>>> messages, scanning anything over 500KB or so is going to be a resource hog.
> 
> 500KB is default max size for spamc, not for spamassassin itself.
> You can raise it.
> 
> On 03.06.21 09:23, Henrik K wrote:
>> That's just outdated information.  It's fine to scan even 20MB+ messages, it
>> just requires some memory.
> 
> and CPU and time...

If you have the RAM you will be hard pressed to notice any spike in CPU. Not 
sure about the amount of time to process, but it's not going to take much 
processing on anything but a very very low-end and old CPU. (Think pre 
Pentium, not anything from the last decade or so).

-- 
If puns are outlawed, only outlaws will have puns.



Re: More fake order spam

2021-04-27 Thread @lbutlr
On 27 Apr 2021, at 11:57, Steve Dondley  wrote:
> On 2021-04-27 01:19 PM, Dave Wreski wrote:
>> Invalid List-ID. You can then use that with other weirdness in a meta.
>> header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
>> meta   LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
>> score  LIST_ID_IMPROPER_FORMAT 0.001
>> describe LIST_ID_IMPROPER_FORMAT List-id has improper format
> 
> You lost me here. The spam has this:
> 
> List-Id: MzY3NDAxMi01Nzg2LTU= 
> 
> That's not legit? It's in brackets.

That was my question as well, AFAIK that conforms to the requirements of a 
List-ID header.

Looks legit to me.

This is the spec.

> list-id-header = "List-ID:" [phrase] "<" list-id ">" CRLF


And

>list-id = list-label "." list-id-namespace
>list-label = dot-atom-text
>list-id-namespace = domain-name / unmanaged-list-id-namespace

And here are the RFC 2919 examples for valid List-ID headers:

> List-Id: List Header Mailing List 
> List-Id: 
> List-Id: "Lena's Personal Joke List"
>  
> List-Id: "An internal CMU List" <0Jks9449.list-id.cmu.edu>
> List-Id: 

And dot-atom-text includes every character in the above:

> atext   =   ALPHA / DIGIT / ; Any character except controls,
> "!" / "#" / ;  SP, and specials.
> "$" / "%" / ;  Used for atoms
> "&" / "'" /
> "*" / "+" /
> "-" / "/" /
> "=" / "?" /
> "^" / "_" /
> "`" / "{" /
> "|" / "}" /
> "~"

> dot-atom-text   =   1*atext *("." 1*atext)

Starts with one of atext? Yep. No consecutive periods? Yep.

What's the problem?

-- 
I noticed that but was still trying to work out a way of drawing it
to everyone's attention that would be sufficiently satisfying,
combining maximum entertainment value for readers with maximum
humiliation for you. -- Laura
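
The grammar quoted in the post above can be checked mechanically and compared with the `__LIST_ID_DOMAIN_IN_BRACKETS` regex from the quoted rule. This is an added example, not code from the thread or from SpamAssassin; the function names are hypothetical, all sample headers except the CMU one are constructed, and the namespace check is simplified to "the final atom looks like a hostname label".

```python
import re

# atext as quoted from the spec in the post: ALPHA / DIGIT plus the listed
# printable characters (no controls, SP or specials).
ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
# dot-atom-text = 1*atext *("." 1*atext)
DOT_ATOM_TEXT = re.compile(rf"{ATEXT}+(?:\.{ATEXT}+)*")
# Simplification (assumption): the namespace must end in a hostname-style label.
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
# The regex from the quoted rule; re.ASCII keeps \w at [A-Za-z0-9_].
THREAD_RULE = re.compile(r"<([\w-]+)(\.[\w-]+)+>", re.ASCII)


def extract_list_id(value):
    """Return the text inside the trailing <...>, or None if there is none."""
    m = re.search(r"<([^<>]*)>\s*$", value)
    return m.group(1) if m else None


def check_list_id(value):
    """Check a List-Id header value against the quoted grammar.

    Returns (valid, reason).
    """
    list_id = extract_list_id(value)
    if list_id is None:
        return False, "no <list-id> in angle brackets"
    if not DOT_ATOM_TEXT.fullmatch(list_id):
        return False, "not dot-atom-text"
    atoms = list_id.split(".")
    if len(atoms) < 2:
        # list-id = list-label "." list-id-namespace needs at least one dot
        return False, "missing '.' list-id-namespace"
    if not HOST_LABEL.fullmatch(atoms[-1]):
        return False, "namespace does not end in a hostname label"
    return True, "ok"


def thread_rule_matches(value):
    """True when the regex from the quoted rule finds a bracketed domain."""
    return THREAD_RULE.search(value) is not None


# Sample header values: the first is one of the examples on the page,
# the rest are constructed for this illustration.
SAMPLES = [
    '"An internal CMU List" <0Jks9449.list-id.cmu.edu>',
    "Promo <deals+eu=2021.lists.example.com>",   # atext beyond [\w-]
    "Newsletter <a..b.example.com>",             # consecutive periods
    "Shop <nodots>",                             # no namespace
]


def compare(samples=SAMPLES):
    """Return (value, valid_per_grammar, matched_by_thread_rule) rows."""
    return [(s, check_list_id(s)[0], thread_rule_matches(s)) for s in samples]


if __name__ == "__main__":
    for value, valid, rule_hit in compare():
        print(f"grammar={valid!s:5} rule={rule_hit!s:5} {value}")
```

The second sample is the interesting row: it satisfies the quoted grammar, yet the regex does not match it because `[\w-]` is narrower than `atext`.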



Re: How do you set nomail for the List?

2021-04-20 Thread @lbutlr
On 20 Apr 2021, at 18:29, Bob Proulx  wrote:
> Hmm...  No.  I disagree.  It's not if-one-then-the-other.  All that is
> needed to disprove it is one example.  And as it happens I can list
> two immediately.

Which does nothing to disprove "most mailing lists require subscription" which 
is absolutely true.

-- 
The omnipotent eyesight of various supernatural entities is often
remarked upon. It is said that they can see the fall of every
sparrow. And this may be true. But there is only one who is
always there when it hits the ground. --Hogfather



Re: Spoofed amazon order email

2021-04-16 Thread @lbutlr
On 16 Apr 2021, at 16:16, RW  wrote:
> On Fri, 16 Apr 2021 11:25:19 -0400 Greg Troxel wrote:
> 
>>  Probably not for normals, score up MPART_ALT_DIFF because nobody
>>  should be sending mail with a text/plain part that is not
>>  semantically equivalent to the html.
> 
> Unfortunately it's quite common. 

Yep. Often the plain text part is just a URL to the page containing the html 
version of the attachment, and this is not a particularly good spam indicator, 
sadly. In fact, it might be a counter indicator.

-- 
I can't die, I haven't seen The Jolson Story



Re: Spoofed amazon order email

2021-04-16 Thread @lbutlr
On 16 Apr 2021, at 16:03, John Hardin  wrote:
>   header __FROM_NAME_AMAZONCOM From:name =~ /\bamazon\.com\b/i
>   meta   POSSIBLE_AMAZON_PHISH_01  (__FROM_NAME_AMAZONCOM && NAME_EMAIL_DIFF)
>   meta   POSSIBLE_AMAZON_PHISH_02  (__FROM_NAME_AMAZONCOM && !__HDR_RCVD_AMAZON)

It seems something like this should be built in for sites like amazon.com 
PayPal.com google.com apple.com citi.com, etc etc.

Not gmail. Of course, it would fail spectacularly if used for that, but for 
stores and banks and such, it seems like this is bloody obvious. Probably a 
score 0.01 for POSSIBLE_AMAZON_PHISH_01, but I don't see anything wrong with a 
killshot 5.0 for POSSIBLE_AMAZON_PHISH_02. (Not that I am testing it with a 5.0 
score, but I sure expect to see a score around there).

-- 
Hamburgers. The cornerstone of any nutritious breakfast.



Re: google.com spam

2021-04-04 Thread @lbutlr
On 04 Apr 2021, at 05:21, Matus UHLAR - fantomas  wrote:
> On 04.04.21 13:09, Benny Pedersen wrote:
>> change score to 7.5
>> change score to -3.5
> 
> I prefer to solve problems instead of playing with scores.

The way that SA solves problems is by changing score values.

The entire foundation of SA is "playing with scores".

-- 
It was not, it could not be real. But in the roaring air he knew that
it was, for all who needed to believe, and in a belief so strong
that truth was not the same as fact... he knew that for now, and
yesterday, and tomorrow, both the thing, and the whole of the
thing.



Re: No rule for fake payPal messages?

2021-03-20 Thread @lbutlr
On 19 Mar 2021, at 17:11, Loren Wilton  wrote:
> I just got this little wonder, and was surprised that it got thru as ham.
> 
>   From: "PayPal Billing" 
> 
> I've fixed that locally, but I'd think SA ought to have a rule for "PayPal" 
> that doesn't come from paypal.

It does, but it looks at the from email address.


-- 
When this kiss is over it will start again But not be any different
could be exactly the same It's hard to imagine that nothing at
all Could be so exciting, could be this much fun



Re: Trouble with XM_RANDOM rule

2021-02-24 Thread lbutlr

On 24 Feb 2021, at 7:10, Alessio Cecchi wrote:

> Hi,
> 
> I noticed that email sent from our webmail are catched always by 
> XM_RANDOM rule.

And what is the score of that rule?

> that match "X-Mailer =~ /q(?!q?mail|\d|[-\w]*=+;)[^u]/i"
> 
> Is "Qboxmail" the problem?

Yes.

> Since this is the name of our company are there any chances to keep it 
> without catching the rule?

Score the rule down, or create a specific rule that counters that score 
to match your own header.

(Also, “are caught” and “hitting the rule” or “triggering the 
rule” or “being caught by the rule” would be grammatical, if you 
care.)





Re: Scoring Based on IP Address

2020-12-18 Thread @lbutlr
On 17 Dec 2020, at 16:19, Dave Wreski  wrote:
> On 12/17/20 6:05 PM, Matt wrote:
>> Is there a way with spamassassin local.conf to add a higher score
>> based on source ip address or subnet?  Basically the last IP in
>> "Received:" header.
>> bad_subnet_add_20_points: 192.168.240.0/24
>> Raising the score if that IP appeared anywhere in headers or body
>> might work too.

> Yes, but if you're effectively going to create a "poison pill" rule where any 
> mail from a particular network is quarantined, you might be better off doing 
> this at the firewall or in postfix directly and just rejecting it outright.
> 
> header __BAD_IP_RCVD  Received  =~ /192\.168\.240\.\d{1,3}/
> body   __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
> rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
> meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
> score MY_BAD_SENDER 20
> describe MY_BAD_SENDER Contains bad IP

Won't this match for that IP in ANY Received: header?

-- 
"How good bad music and bad reasons sound when we march against an
enemy." -  Friedrich Nietzsche
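
The question in the post above can be tested on sample messages. This is an added example, not code from the thread: it compares the regex from the quoted rule, applied to every Received header, with a check limited to the client address in the topmost Received header. It assumes Postfix-style `(name [ip])` formatting, that the receiving server's own header is the topmost one, and IPv4 only; all messages and function names are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

BAD_NET = ipaddress.ip_network("192.168.240.0/24")
# Regex taken from the quoted rule; it is unanchored and header-agnostic.
THREAD_REGEX = re.compile(r"192\.168\.240\.\d{1,3}")
# Client address as the receiving MTA records it: "(rdns-or-unknown [a.b.c.d])".
# The HELO name before the parenthesis is sender-supplied and is skipped.
CLIENT_IP = re.compile(r"\(\S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def regex_hits_any_received(msg):
    """What the quoted header rule does: match in ANY Received header."""
    return any(THREAD_REGEX.search(str(h)) for h in msg.get_all("Received", []))


def connecting_ip(msg):
    """Client IP from the topmost Received header, or None if unparseable."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = CLIENT_IP.search(str(received[0]))
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:          # e.g. an octet above 255
        return None


def from_bad_subnet(msg):
    """True only when the host that connected to us is inside BAD_NET."""
    ip = connecting_ip(msg)
    return ip is not None and ip in BAD_NET


def build(received_headers, subject):
    """Assemble a constructed test message from a list of Received values."""
    lines = [f"Received: {r}" for r in received_headers]
    lines += ["From: sender@example.net", f"Subject: {subject}", "", "body", ""]
    return parse("\n".join(lines))


OUR_HOP = "by mx.example.org (Postfix) with ESMTP id 4AAAA1; Thu, 17 Dec 2020 16:00:00 -0700"

# 1. Delivered to us directly from the unwanted subnet.
DIRECT = build([f"from mail.example.net (unknown [192.168.240.17]) {OUR_HOP}"], "direct")

# 2. Delivered by an unrelated relay; the subnet only appears in an older
#    header that was written upstream and is not under our control.
RELAYED = build([
    f"from relay.example.com (relay.example.com [203.0.113.7]) {OUR_HOP}",
    "from laptop (unknown [192.168.240.5]) by relay.example.com with ESMTP id 9ZZZ",
], "relayed")

# 3. The subnet appears only as a HELO address literal chosen by the client.
HELO_LITERAL = build([f"from [192.168.240.5] (unknown [203.0.113.7]) {OUR_HOP}"], "helo")


if __name__ == "__main__":
    for name, msg in [("direct", DIRECT), ("relayed", RELAYED), ("helo", HELO_LITERAL)]:
        print(name, regex_hits_any_received(msg), connecting_ip(msg), from_bad_subnet(msg))
```

In the second and third samples the regex fires although the connecting host is outside the /24, which is the case the question points at.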



Re: More undetected hidden test spam signs

2020-12-18 Thread @lbutlr
On 17 Dec 2020, at 09:58, John Hardin  wrote:
> Such rules are there. Unfortunately, for whatever reason, lots of ham uses 
> "invisible" text so it's not useful as a spam sign by itself and it's hard to 
> come up with any useful combination rules.

In the "Archive" folder on my work email there are 76,200 emails and 113,566 
incidents of the string "display:\s*none". Who knew?

One archived email I noticed had 24 occurrences of the string, about a third of 
them followed by "!important".

I used to have a dehtmlizer tool that stripped the HTML down to bare text and 
links by piping the html mime part of the messages through lynx --dump, but 
that proved to be problematic in its own way and I haven't gotten pipes working 
with sieve anyway.


-- 
I AM ZOMBOR! (kelly) ZOMBOR!



Re: More undetected hidden test spam signs

2020-12-17 Thread @lbutlr
On 16 Dec 2020, at 23:21, Loren Wilton  wrote:
> I just got a batch of spams containing
> 
> 

Interesting. I remember in the early days of html spam there were various rules 
to tag messages as spam when they had content that did not display. (Possibly 
pre-SpamAssassin or at least pre my use of SpamAssassin).

-- 
>You are forgetting something: the Nazgul are immune to non-magical
>weapons.
>
"Any sufficiently advanced technology is indistinguishable from magic."



Re: per-user bayes

2020-12-09 Thread @lbutlr
On 08 Dec 2020, at 13:54, micah anderson  wrote:
> Kris Deugau  writes:

>> There will only be one database and set of tables, but one of the fields 
>> in each table is the user identifier.  Fair warning - if you go full 
>> per-user on a large system, this will MASSIVELY balloon the size of your 
>> Bayes database, and most users will idle below the learning thresholds 
>> for quite a long time.

> Can you give an idea of the size calculation? I'm wanting to do this,
> but I need to figure out how much space I need to allocate per user!

That would be pretty hard to predict as it would vary a lot based on the users 
and the mail.

I don't think Bayes is really that big (a few MB max?)

-- 
Varium et mutabile semper Femina.



Re: per-user bayes

2020-12-08 Thread @lbutlr
On 08 Dec 2020, at 08:36, Benoit Panizzon  wrote:
> Adding the list back to CC as I believe this is an interesting topic
> many have pondered over.

Forgot to fix the reply to on this list for some reason. Fixed now.

> Yes, I see that it states 'per user' but I still don't see, how that
> 'bayes user' is being set on a per recipient base.
> 
> On the email platform there is ONE config file for spamassassin. So if I
> set the user with: 
> 
> bayes_sql_override_username  someusername
> 
> That is the username under which the bayes data is being stored for all
> recipients (thousands of mailboxes on a big ISP mailserver)


It can be. It can also be, for example, %u (It may be more complicated than 
that). Or perhaps sa_username_maps?

> How do I tell SpamAssassin to pass the recipient to the bayes
> filter while scanning an email?

Through the SQL query, IIRC. 

-- 
Nothing like grilling a kosher dog over human hair to bring out the
subtle flavors.



Re: per-user bayes

2020-12-08 Thread @lbutlr
On 07 Dec 2020, at 13:56, micah anderson  wrote:
> A per-user setup would let each user do their own thing, but I don't see
> how I can do that because our system doesn't have individual system
> users and I don't see that there are options in the bayes sql
> configuration or per-user tables possible.

This may help



-- 
"Dignity intact! Dignity intact!" -- Aisling Bee, dancing on a pier in her 
pants.



KAM info messages

2020-12-06 Thread @lbutlr
When I run my cron task to update SA. I am getting a LOT of lines in the cron 
output along the lines of

info: rules: meta test KAM_REALLY_FAKE_DELIVER has dependency 'KAM_RPTR_PASSED' 
with a zero score

And a lot of compile lines like:

cc -c-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -DUSE_THREAD_SAFE_LOCALE 
-fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include 
-D_FORTIFY_SOURCE=2 -O2 -pipe -fstack-protector-strong -fno-strict-aliasing   
-DVERSION=\"1.0\"  -DXS_VERSION=\"1.0\" -DPIC -fPIC "-

Basically, I get about 200 lines each day. I am assuming something is wrong in 
my setup?

Crontab:
19 1  *  *  *  sa-update ; sa-update --gpgkey 24C063D8 --channel kam.sa-channels.mcgrail.com ; sa-compile && service sa-spamd restart

I could redirect sa-compile to null, of course, but having spamd restart only 
when the compile succeeds seems like a good idea?

Also, I don't remember SA being this noisy? OTOH, I don't keep these cron logs 
more than a day or two, so maybe they were always this noisy and I didn't 
notice.

Is this something I need to worry about or just expected behavior? (I generally 
only look at this log file when there is a problem, and there hasn't been a 
problem in a while.)

-- 
We’re despairing in style, as befits two former High Kings of Fillory.



Re: Are these valid email headers?

2020-12-05 Thread @lbutlr
On 05 Dec 2020, at 13:03, John Capo  wrote:
> On Sat, December 5, 2020 14:30, Loren Wilton wrote:
>> I don't have a Faceboox account and don't know anyone on Facebook that would
>> send me mail (and don't want to!), so I have absolutely no idea if these 
>> headers from recent spams
>> are completely made up out of the air (and thus spam signs) or are valid 
>> headers.
>> 
>> Can anyone tell me if this stuff is valid or obviously fake?
>> 
>> 
>> X-Facebook: from 2401:db00:1050:208b:face:0:4f:0 ([MTI3LjAuMC4x])
>> by www.facebook.com with HTTPS (ZuckMail); X-Priority: 3
>> X-Mailer: ZuckMail [version 1.00]
>> X-Facebook-Notify: skipped_password_change;
>> mailid=5ac39662d1c08G5af32c89e396G5ac39afc31edaG569 Feedback-ID:
>> 509:skipped_password_change:Facebook
>> X-FACEBOOK-PRIORITY: 0
>> X-Auto-Response-Suppress: All
>> Require-Recipient-Valid-Since: gouldi...@earthlink.net; Sunday, 29 Nov 2009
>> 00:17:08 +
> 
> Except for mailid: I see those headers in mail from Facebook.

Yeah, I use X-Facebook to auto-junk mail to me. For me it is 100% spam sign, 
but then again I refuse to use Facebook.


-- 
You have severe reading comprehension problems that I can not be held
responsible for.



Re: Happy Thanksgiving and Announcing the Apache SpamAssassin Channel for the KAM Rule Set

2020-11-28 Thread @lbutlr
On 26 Nov 2020, at 09:22, Kevin A. McGrail  wrote:
> Announcing the Apache SpamAssassin Channel for the KAM Rule Set

Excellent and most welcome news!

-- 
They looked at the drinks.
They drank the drinks.


Re: Apache SpamAssassin and Spammers 1st Amendment Rights

2020-11-21 Thread @lbutlr
On 20 Nov 2020, at 07:59, AJ Weber  wrote:
> On 11/20/2020 9:28 AM, @lbutlr wrote:
>> A whole lot of people have decided their right to free speech means an 
>> obligation from others to listen to them. It's not just spammers, it's also 
>> racists, fascists, republicans, and god-botherers.
> I think you should keep politics out of this.  If I want to hear opinions 
> from the liberal-left, I'll be sure to circle back with you.  That's not what 
> this is about.

Since that is the argument spammers are making, it is EXACTLY what this is 
about.

-- 
"Are you pondering what I'm pondering?"
"I think so, Mr. Brain, but if the sun'll come out tomorrow, what's
it doing right now?"



Re: Apache SpamAssassin and Spammers 1st Amendment Rights

2020-11-20 Thread @lbutlr
On 19 Nov 2020, at 14:25, Kevin A. McGrail  wrote:
> So over the years, I have gotten a lot of complaints from spammers about how 
> I'm breaking their 1st amendment rights by blocking their spam as free 
> speech.  I've had to explain that I'm not the government and hence there are 
> no 1st amendment rights involved.

A whole lot of people have decided their right to free speech means an 
obligation from others to listen to them. It's not just spammers, it's also 
racists, fascists, republicans, and god-botherers.

Just because a spammer has the right to speak does not mean I have to listen. I 
am within my rights to drown them out with a loudspeaker while I stand next to 
them so I can't hear them, because that is MY rights to free speech.

And, of course, their rights to free speech do not apply to anything but 
government interference. It does not apply to mailing lists, Twitter, web 
comments, and it does not give them the right to access my server and deliver 
crap to my users/accounts.

> However, my friend, Steve Effros, just wrote a far more eloquent article 
> about it and I thought others on this list might appreciate it:
> 
> 

It's a good summary.

-- 
IT WOULD BE A MILLION TO ONE CHANCE, said Death. EXACTLY A MILLION TO
ONE CHANCE. 'Oh,' said the Bursar, intensely relieved. 'Oh dear.
What a shame.' --Eric



Re: check doman against uri bl of spamassassin

2020-10-21 Thread @lbutlr
On 21 Oct 2020, at 13:35, Marc Roos  wrote:
> What is the best way to check an url against the default active 
> spamassassin uribl, on a linux server that does not have spamassassin 
> installed? 

This is clearly in the "how do I do a thing while imposing conditions that make 
 impossible to do" class of question.

"How do I dive 300 meters under water without an oxygen supply or pressure 
suit?"

"How can I get from New York City to Los Angeles in less than 10 hours without 
flying?"

If you want to test something against spamassassin you need one thing for sure, 
access to spamassassin.

-- 
'I really should talk to him, sir. He's had a near-death experience!'
'We all do. It's called living.'



Tagging outbound messages

2020-10-20 Thread @lbutlr
I seem to recall, but cannot find, a recent message where someone had their 
outbound messages being tagged as spam.

I sent an email to a friend today and it arrived with SA tagging because SA 
tagged my home IP address, but the message was sent through my mail server, and 
so my home IP address shouldn’t be getting flagged for being in SORB/PBL.

As far as I know, this has not generally been a problem and I send many mails a 
day, so I don't know why this one seems different.

This is what it looked like in my logs.

Oct 20 13:08:35 mail spamd[21962]: spamd: processing message 
<3450f6a4-85d8-432f-bb11-72accc356...@kreme.com> for mun...@munged.com:58
Oct 20 13:08:35 mail.covisp.net postfix/smtps/smtpd[49972] 4CG37R2S7Gz36hw3: 
permit: RCPT from c-my.ho.me.ip.hsd1.co.comcast.net[my.ho.me.ip]: 
action=permit_sasl_authenticated for Client 
host=c-my.ho.me.ip.hsd1.co.comcast.net[my.ho.me.ip] ; from= 
to= proto=ESMTP helo=<[10.0.0.11]>
Oct 20 13:08:35 mail.covisp.net postfix/smtps/smtpd[49972] 4CG37R2S7Gz36hw3: 
permit: RCPT from c-my.ho.me.ip.hsd1.co.comcast.net[my.ho.me.ip]: 
action=permit_sasl_authenticated for Client 
host=c-my.ho.me.ip.hsd1.co.comcast.net[my.ho.me.ip] ; from= 
to= proto=ESMTP helo=<[10.0.0.11]>
Oct 20 13:08:35 mail.covisp.net postfix/smtps/smtpd[49972] 4CG37R2S7Gz36hw3: 
permit: RCPT from c-my.ho.me.ip.hsd1.co.comcast.net[my.ho.me.ip]: 
action=permit_sasl_authenticated for Client 
host=c-my.ho.me.ip.hsd1.co.comcast.net[my.ho.me.ip] ; from= 
to= proto=ESMTP helo=<[10.0.0.11]>
Oct 20 13:08:37 mail spamd[21962]: spamd: identified spam (5.2/5.0) for 
mun...@munged.com:58 in 1.3 seconds, 187457 bytes.
Oct 20 13:08:38 mail.covisp.net postfix/smtp[49976] 4CG37R2S7Gz36hw3: 
to=, relay=mx-caprica.easydns.com[64.68.200.41]:25, 
delay=2.9, delays=1.7/0.01/0.61/0.58, dsn=2.0.0, status=sent (250 2.0.0 Ok: 
queued as E0F0853019)

The issue is not that SA is wrong about my home IP being in SORBS. But that the 
email was tagged as if it was an external delivery to a local address, so I 
need to change settings in my config (postfix $current).

smtpd_milters = unix:/var/run/spamass-milter.sock,
milter_connect_macros = j {daemon_name} v {if_name} _

-- 
"Everyone has a photographic Memory, some just don't have film."
~Steven Wright



Re: 1.6 FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla

2020-09-23 Thread @lbutlr
On 23 Sep 2020, at 13:22, Jerry Malcolm  wrote:
> the MTAs that had the courtesy of bouncing with a reason said the IP address 
> was blacklisted but didn't say where

This may indicate that the IP address was added to permanent block lists 
before you got it, or based on your provider, or your country. For example, 
there are IPs that I finally manually added to my block list years ago and I 
have never checked if it might be safe to remove them. Also, if your IP is in 
China or Russia, my mail server will reject your connection as I get no 
legitimate mail from these countries and much spam.

There are tools to see what the state of your IP address is, but the bounces 
that you get that say your IP is blacklisted should show the IP that is being 
checked. I suspect that IP is not your Malcolms.com IP address, as that one is 
quite clean. I think you will find the issue is elsewhere.




-- 
I WILL NOT ENCOURAGE OTHERS TO FLY Bart chalkboard Ep. 7F03



Re: Catching Phishing messages

2020-09-23 Thread @lbutlr
On 21 Sep 2020, at 08:21, Daryl Rose  wrote:
> I don't have the email server, it's hosted by a provider.  This provider does 
> a crappy job at filtering spam and phishing, so I am running ISBG and 
> Spamassassin to block the spam and phishing.

This isn't really a workable solution as there are many tests that 
your SA can't do that a mail server can do. The better solutions include:

1) Never use ISP email, they are pretty much universally garbage.
2) Get your own domain and pay for someone to run email service 
   for you, pick a company that does a good job at managing spam 
   and if you are unhappy with them, move to another provider.
4) Gmail
5) a service like SaneBox or others that acts as an intermediary 
   to filter spam (and often for other services as well).
6) Get an email from a provider that takes email and spam seriously.
7) Run your own server (I don't recommend this)

Probably several others I am not thinking of.



-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but couldn't the constant use of a henna rinse
lead to premature baldness?"



Re: Catching Phishing messages

2020-09-20 Thread @lbutlr
On 20 Sep 2020, at 08:35, Daryl Rose  wrote:
> I can blacklist the email address, but I know that won't help.  Is there a 
> rule that I can set up to catch more phishing attempts?

SPF and DMARC seem to be the only ways to deal with spams from large senders 
that are faked, but what is considered ‘faked’ may not always match expectations.

As an example, with many GUI mail clients the client shows the “nice” part of 
the from, and does not show the actual address. So some scammer can send an 
email from

From: “supportad...@paypal.com” 

And the recipient will only see a fake PayPal address.


-- 
"...and Digby considered how much he liked salt..."
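
The display-name trick described in the post above can be checked mechanically. This is an added example, not part of the original post or of SpamAssassin: it flags a From header whose display name shows an address from a different organisation than the real address. The sample headers are constructed, and `org_domain` is a naive two-label assumption.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# "display name <addr-spec>": the real address is whatever sits in the last <...>.
ANGLE = re.compile(r"^(?P<display>.*)<(?P<addr>[^<>]*)>\s*$", re.S)
# Anything inside the display name that looks like an e-mail address.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def decode_words(raw):
    """Decode RFC 2047 encoded-words so an encoded display name is inspected too."""
    if "=?" not in raw:
        return raw
    try:
        return str(make_header(decode_header(raw)))
    except (HeaderParseError, LookupError, UnicodeError):
        return raw  # undecodable: fall back to the literal text


def org_domain(domain):
    """Naive organisational domain: the last two labels (assumption; production
    code should consult the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def inspect_from(raw):
    """Split a From value into what the client shows and what the address is."""
    value = decode_words(raw).strip()
    m = ANGLE.match(value)
    if m:
        display = m.group("display").strip().strip("\"'\u201c\u201d").strip()
        address = m.group("addr").strip()
    else:
        display, address = "", value  # bare address, nothing to disguise
    real = address.rpartition("@")[2].lower()
    shown = sorted({d.lower() for d in ADDR_IN_TEXT.findall(display)})
    foreign = [d for d in shown if org_domain(d) != org_domain(real)]
    return {
        "display": display,
        "address": address,
        "shown_domains": shown,
        "mismatch": bool(foreign),
    }


# Constructed sample headers (example domains only).
SAMPLES = [
    '"support@bank.example" <x1@mailer.example.net>',            # address in name
    '"Bank Support" <support@bank.example>',                     # ordinary name
    '"support@bank.example" <support@mail.bank.example>',        # same organisation
    '=?utf-8?q?support=40bank=2Eexample?= <x1@mailer.example.net>',  # encoded name
    '\u201csupport@bank.example\u201d <x1@mailer.example.net>',  # curly quotes
    'alice@example.org',                                         # no display name
]


def flagged(headers):
    """Return the headers whose displayed address does not match the real one."""
    return [h for h in headers if inspect_from(h)["mismatch"]]


if __name__ == "__main__":
    for header in SAMPLES:
        result = inspect_from(header)
        verdict = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{verdict:8} shown={result['shown_domains']} real={result['address']}")
```
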

Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread @lbutlr
On 21 Aug 2020, at 14:15, Benny Pedersen  wrote:
> blacklist_from *+14927644-*

I think adding 5.0 to all sendgrid mail is the best idea I've heard.

Sendgrid makes me long for the days of the SPEWS RBL.


-- 
These are the thoughts that kept me out of the really good schools.
-- George Carlin



Re: Freshdesk (again)

2020-08-17 Thread @lbutlr
On 17 Aug 2020, at 11:25, Philip Prindeville 
 wrote:
> I’ve been calling out phishing from the same (IP) address for 10 days without 
> any apparent (observable) action from Sendgrid.

Not a shock; they simply do not care.

> At this point I’m wondering if they have compromised relays.

It seems to me like everything is working by design.

-- 
According to the philosopher Ly Tin Weedle, chaos is found in
greatest abundance wherever order is being sought. It always
defeats order, because it is better organized.



Re: Blacklisting a stubborn sender

2020-08-02 Thread @lbutlr
On 02 Aug 2020, at 07:54, Kevin A. McGrail  wrote:
> If they aren't sending spam, why care about their MID or Helo format
> unless there is a delivery issue.

If they are sending mail with an invalid helo then it is perfectly valid to 
drop the connections. This may be a problem when you want to use this as an 
obvious spam fighting measure, but clueless gits misconfigure their mail 
servers and you then have to punch a hole through your perfectly reasonable 
anti-spam policy just to serve their cluelessness so that people get mail they 
want to get.

Every time you make your front-line defense weaker you increase the amount of 
spam you have to deal with to a great degree. Having to do this for someone who 
is just incompetent is aggravating and expensive.

But, as always, you have to balance your aggravation against receiving the mail 
that the accounts on your server want to receive, and no one can measure that 
but the receiving mail server.

-- 
I gotta call my glitter guy




Re: Constructive solution to the blacklist thread

2020-07-25 Thread @lbutlr
On 25 Jul 2020, at 13:25, Thom van der Boon  wrote:
> Dear everybody,
> 
> Could we please "cut the crap" and stop with all the politics. 

Yes, but starting a new thread that is attracting the same BS again is not 
going to help.

I already have a half-dozen threads muted and a few persistent posters actually 
killfiled, and now I will have a half-dozen and one as it has already attracted 
the same old crap.

I am very much looking forward to all the people claiming they are leaving 
spamassassin actually leaving.




-- 
"I can't see the point in the theatre. All that sex and violence. I
get enough of that at home. Apart from the sex, of course." -
Baldrick



Re: IMPORTANT NOTICE: Rules referencing WHITELIST or BLACKLIST in process of being Renamed

2020-07-20 Thread @lbutlr
On 19 Jul 2020, at 21:23, Olivier  wrote:
> Please consider adding an easy way to turn the backward compatibility on
> and off.

I would suggest two settings, one that warns the definition has changed and one 
that errors on the old term rather than just a "turn on compatibility" which 
will mean that some people just turn it on and then never update.



-- 
'Never build a dungeon you wouldn't be happy to spend the night in
yourself,' said the Patrician (...). 'The world would be a
happier place if more people remembered that.' --Guards! Guards!



Re: Thanks to Guardian Digital & LinuxSecurity for the nice post about SpamAssassin's upcoming change

2020-07-16 Thread @lbutlr
On 15 Jul 2020, at 20:34, Noel Butler  wrote:
> December 27 (our quietest time of year generally) this year has been slated 
> for our changeover to remove spamassassin from our network.

Nose. Spite. Face.

Can you stop posting about this topic now?

-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but won't it go straight to my hips?!"

Re: Stop this before it goes any further (was Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave)

2020-07-15 Thread @lbutlr
On 14 Jul 2020, at 12:59, Kurt Fitzner  wrote:
> This is truly unfortunate. 

Thanks for changing the topic to evade filters killing this idiotic thread. How 
supremely selfish and self-centered of you.




Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-14 Thread @lbutlr
On 14 Jul 2020, at 01:22, jdow  wrote:
> How does this move improve the technical quality of the product from the end 
> users' perspective?

You've been told repeatedly that the decision has been made, and you have 
ignored everyone and attacked anyone who has posted on this any opinion that 
deviated from your WRONG opinion. No one cares.

Stop it.



-- 
The cat turned and tried to find a place of safety in the suit's
breastplate. He was beginning to doubt he'd make it through the
knight.



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-11 Thread @lbutlr
On 11 Jul 2020, at 16:38, Reindl Harald  wrote:
> yeah - by quoting your own idiocy - wow

I did not want to call out any particular posting or poster.

> nobody right in his mind thinks about black people in chains when read
> something like this in a technical context: slave, master, blacklist,
> whitelist, blackhat, whitehat

Do you notice how your words are nothing more than an attack on anyone whose 
opinion differs from yours?

For the record, I know *many* people who are perfectly sane who find using the 
terms master and slave in a technical context to be deeply offensive.

But you denigrate anyone who doesn't agree with you.

And you whine that nothing should be changed for other people because it's fine 
with you and those people are lesser than you and therefore their feelings are 
unimportant.

This is exactly what I meant by, "it betrays at the very least a real lack of 
empathy;" rather than make an effort to understand why people have a difference 
of opinion it is simpler to attack them and diminish them as having mental 
issues for daring to not toe to your line.

The decision has been made. Anyone who doesn't like it is free to fork their 
own version of Spamassassin, bind, and other packages for whatever reason they 
want, even the most trivially selfish of reasons.


-- 
I'm from a predominately black family --Eddie Murphy



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-11 Thread @lbutlr
On 11 Jul 2020, at 16:04, @lbutlr  wrote:
> It is astonishing, but not surprising, how angry people are over these 
> changes though; it betrays at the very least a real lack of empathy.

If there is anyone paying attention to the mailing list, can you please just 
kill this thread? It's not providing any useful content at this point and is 
just churning the same people posting about how terrible it is that they might, 
possibly but almost certainly really not, suffer the mildest of inconveniences 
in a small change to the package.

There's literally nothing to see here anymore, if there ever was past the 
initial post.

And some of you in this thread… wow.




-- 
I WILL NOT PLEDGE ALLEGIANCE TO BART Bart chalkboard Ep. 7F09



Re: spamhaus enabled by default

2020-07-11 Thread @lbutlr
On 11 Jul 2020, at 04:33, Riccardo Alfieri  wrote:
> And I don't know where you got a quote of "hundreds of dollars per month" for 
> 1000 mailboxes, but it's not really the case if you use DQS.

Maybe they thought the yearly cost was monthly?

(Last I checked, DQS starts at $250/yr)



-- 
The other cats just think he's a tosser. --Neil Gaiman



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-11 Thread @lbutlr
On 11 Jul 2020, at 00:51, Bill Cole  
wrote:
> On 10 Jul 2020, at 20:02, Luis E. Muñoz wrote:
> 
>> On 10 Jul 2020, at 12:29, @lbutlr wrote:
>> 
>>> If people are so fragile that they have to hold on to terms that are 
>>> extremely offensive to some of their peers, they will get more spam. Oh 
>>> noes.
>> 
>> I keep hearing about this mythical people that get terribly offended by the 
>> use of these words. I've been working in IT since the 90s, and I've never 
>> actually seen one in real life. Do they really exist?
> 
> "Terribly offended" is not what I've heard from anyone but the issue has been 
> raised by Black colleagues a few times in multiple contexts, as Yet Another 
> Minor Annoyance in a world stuffed full of such little things.

Exactly. Although in other packages and usages the one that *has* caused 
terrible offense is master/slave. Many projects have been changing this over 
the last several years.

It is astonishing, but not surprising, how angry people are over these changes 
though; it betrays at the very least a real lack of empathy.


-- 
When the least they could do to you was everything, then the most
they could do to you suddenly held no terror. --Small Gods



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread @lbutlr
On 10 Jul 2020, at 02:06, Matus UHLAR - fantomas  wrote:
>  thought guys can also mean women, at least I've seen it being used that
> way…

Yes, guy/s is gender neutral, but many women do not agree.




-- 
Train Station: where the train stops. Work Station: …



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread @lbutlr
On 10 Jul 2020, at 02:02, jdow  wrote:
> The problem is that at least one woman (me) reading this list doesn't give a 
> tinker's damn. The intent is communicated and that's sufficient to satisfy my 
> sensibilities. Seems I grew up and became an adult when I wasn't looking. 
> Things like this just wash by me as I dive in for the meat of the 
> communications.

Do you realize that your statement is saying that people who are offended by 
terms they find hurtful are immature insensible and lesser than you? In 
addition you are saying that since YOU do not care, no one else's feelings are 
valid.



-- 
This zone of tranquility is compromised



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread @lbutlr
On 10 Jul 2020, at 01:38, Olivier  wrote:
> Axb  writes:
> 
>> the US problems won't be fixed with renaming B lists.
>> Seriously.. you have more important issues...
> 
> While that change in names will not fix any societal issue, for a
> product like SpamAssassin that relies heavily on plugins (including some
> plugins that may have been developed locally, long time ago, by someone
> who is not working there anymore) and that is
> also embedded (like in amavis) these sort of changes may break a lot of
> implementations, to the point that people will be reluctant to upgrade.

If people are so fragile that they have to hold on to terms that are extremely 
offensive to some of their peers, they will get more spam. Oh noes.

> And if SA is not upgraded, the user base will shrink and it may lead to
> the death of SA.

If it cannot function without being offensive to many people, then so be it.

Allow/deny I think are better than welcome/block, but I don't care.

Allow/block might be better too.



-- 
"He is of Asgard, and he is my brother"
> He killed 80 people in 2 days.
"He's adopted."



Re: Multiple regex on same URL

2020-07-07 Thread @lbutlr
On 07 Jul 2020, at 07:16, Henrik K  wrote:
> On Tue, Jul 07, 2020 at 11:41:01AM +, Pedro David Marco wrote:
>> 
>>> On Tuesday, July 7, 2020, 01:05:36 PM GMT+2, Henrik K  wrote:
>> 
>> 
>>> What exactly do you mean by checking multiple regex on the "same" URL?  Give
>> an example.  Most likely it's already possible without any changes.
>> 
>> 
>> for example..  checking if an URL matches Regex1  BUT does NOT match 
>> Regex2 
>> can be done  with lookahead/behind but is cpu-expensive and may be too 
>> complex
>> to maintain... 
> 
> Why would lookahead be expensive?  It's normal regex.  It's probably more
> expensive to run two separate regexes.

Is the ReDos Attack relevant here?


"The Regular expression Denial of Service (ReDoS) is a Denial of Service 
attack, that exploits the fact that most Regular Expression implementations may 
reach extreme situations that cause them to work very slowly (exponentially 
related to input size). An attacker can then cause a program using a Regular 
Expression to enter these extreme situations and then hang for a very long 
time."



-- 
Once upon a time, a woman was picking up firewood. She came upon a
poisonous snake frozen in the snow. She took the snake home and
nurse it back to health. One day the snake bit her on the cheek.
As she lay dying, she asked the snake, "Why have you done this to
me?" And the snake answered, "Look, bitch, you knew I was a
snake."



Re: Rule HK_SCAM is triggered by standard business email

2020-07-02 Thread @lbutlr
On 01 Jul 2020, at 14:20, Aner Perez  wrote:
> we have the spam threshold set very low (2.4)

This is a terrible idea and exposes a fundamental misunderstanding of how SA 
works.

If SA scores an email as 3.3 then the message is not considered spam by SA. If 
you ignore this and mark it as spam anyway, you have no one to blame but 
yourself. Reducing the threshold increases the number of non-spam messages that 
are marked as spam. It will also have very little effect on actual spam 
messages. The only exception to this is if you have a badly trained Bayes, as 
that can swing the scoring quite a lot.

Set your threshold back to 5.0 and train your Bayes with actual spam you 
receive and actual ham you receive. The best Spam to train is spam that is not 
tagged by SA as spam (ignoring the bayes portion of a score). So, a message 
marked at 5.5 with BAYES_50 is a prime candidate for training as it would be 
marked 4.7 without the BAYES_50.

It would have been better, I think, had SA designed the system to score 
anything over 0 as spam and anything under 0 as ham as I suspect very few 
people would make this mistake, but it's a bit late for that now.

Just think of it this way, when you set the threshold below 5, you are saying 
to SA "please mark legitimate mail that I want to receive as spam."



-- 
'Oh, them as makes the endings don't get them,' said Granny.
--Maskerade
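
The training advice in the post above (train on spam that the non-Bayes rules alone would not have tagged) can be turned into a selection script. This is an added example, not part of the original post or of SpamAssassin: it reads `X-Spam-Status` values, removes the Bayes contribution, and ranks human-confirmed spam whose remaining score is under the threshold. The headers are constructed, and the score table is an assumption apart from BAYES_50 = 0.8, which follows from the post's 5.5 versus 4.7.

```python
import re

# Assumed Bayes rule scores. BAYES_50 = 0.8 follows from the post's own numbers
# (5.5 with the rule, 4.7 without); the other two are assumed values. Replace
# the table with the scores from your own configuration.
BAYES_SCORES = {"BAYES_00": -1.9, "BAYES_50": 0.8, "BAYES_99": 3.5}

STATUS = re.compile(
    r"(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>[A-Za-z0-9_,\s]*?)(?:\s+\w+=|\s*$)"
)


def parse_status(header):
    """Parse an X-Spam-Status value, including a folded tests= list."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    m = STATUS.search(flat)
    if m is None:
        raise ValueError("not an X-Spam-Status value: %r" % header)
    tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
    return {
        "spam": m.group("verdict") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def score_without_bayes(status, bayes_scores=BAYES_SCORES):
    """Score the message would have had if no BAYES_* rule had fired."""
    total = status["score"]
    for rule in status["tests"]:
        if rule.startswith("BAYES_"):
            if rule not in bayes_scores:
                raise ValueError("no score known for %s" % rule)
            total -= bayes_scores[rule]
    return round(total, 3)


def training_candidates(confirmed_spam, required=5.0):
    """Given (id, X-Spam-Status) pairs a human has confirmed as spam, return
    the ids the static rules alone would have missed, weakest rule score first."""
    ranked = []
    for msg_id, header in confirmed_spam:
        rules_only = score_without_bayes(parse_status(header))
        if rules_only < required:
            ranked.append((rules_only, msg_id))
    return [msg_id for _, msg_id in sorted(ranked)]


# Constructed X-Spam-Status values for three messages confirmed as spam.
CONFIRMED_SPAM = [
    ("m1", "Yes, score=5.5 required=5.0 tests=BAYES_50,HTML_MESSAGE,\n"
           "\tMIME_HTML_ONLY,RDNS_NONE autolearn=no\n"
           "\tautolearn_force=no version=3.4.4"),
    ("m2", "Yes, score=12.3 required=5.0 tests=BAYES_99,RCVD_IN_XBL,"
           "URIBL_BLACK autolearn=spam version=3.4.4"),
    ("m3", "No, score=2.2 required=5.0 tests=BAYES_00,HTML_MESSAGE,"
           "RDNS_NONE autolearn=no version=3.4.4"),
]

if __name__ == "__main__":
    for msg_id, header in CONFIRMED_SPAM:
        status = parse_status(header)
        print(msg_id, status["score"], "->", score_without_bayes(status))
    print("train on:", training_candidates(CONFIRMED_SPAM))
```

Here m2 is left out because the static rules already catch it, while m3 (missed entirely, with Bayes leaning towards ham) ranks ahead of m1.
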



Re: Frequency of SUSP_NTLD updates

2020-07-01 Thread @lbutlr
On 30 Jun 2020, at 09:31, RW  wrote:
> On Tue, 30 Jun 2020 11:30:17 +
> Roald Stolte wrote:
> 
> 
>> These mails were all using TLDs such as .site and .online and were
>> getting marked because of it.

Are others seeing a decrease in spam from .site and .online? All I see from 
these TLD is 100% spam. They are not at the volume that .top was when this 
free-for all on TLDs started, but they are not generating any legitimate mail 
on my servers. I've loosened some restrictions on .fm, .tv and .info, since there 
are legitimate senders there, but even those are still mostly spam.

I see connections from domains like server.creativecabin.online, 
mail.mobile-advertising.site, mail.freebitcoins.site, and 
fame.servetxt.online, and most of it is coming in to spam-trap email addresses.

> You could just drop the score for FROM_SUSPICIOUS_NTLD &
> FROM_SUSPICIOUS_NTLD_FP.

This is probably the best way, but I'd be wary of dropping it too much.



-- 
Good old Dame Fortune. You can _depend_ on her.



Re: Freshdesk (again)

2020-06-27 Thread @lbutlr
On 26 Jun 2020, at 19:01, Bill Cole  
wrote:
> it might help to add your complaint via ab...@sendgrid.com.

I very much doubt it. Sendgrid's business is sending mail and they do not care 
if that mail is spam or not. If enough servers block them they will go away.




-- 
Don't be too sure I'm as crooked as I'm supposed to be. ~ Sam Spade



Re: How to write a rule to block phishing?

2020-06-18 Thread @lbutlr
On 15 Jun 2020, at 17:18, Daryl Rose  wrote:
> I analyzed the headers, the message comes from a server here in the United 
> States, the spam score is 5, and Spamassassian says "No Spam".

SpamAssassin thinks the mail is spam if it scored 5. Someone (you?) has changed 
the default spam score from 5.0 to some other number.

Doing this will result in spam being marked as not spam.




-- 
The whole thing that makes a mathematician's life worthwhile is that
he gets the grudging admiration of three or four colleagues




Re: UTF-7 emails

2020-06-12 Thread @lbutlr
On 12 Jun 2020, at 08:01, Nix  wrote:
> On 5 May 2020, Bill Cole outgrape:
>> Apparently Evolution supports UTF-7 and can be set to use it with the user 
>> being unaware of it.
> 
> Probably user error -- UTF-7 is right below UTF-8 in the list of encodings 
> supported by the composer, so it's easy to aim for UTF-8, hit UTF-7 and 
> whoops…

I don’t use Evolution, but I have heard complaints of it “falling back” to 
UTF-7 instead of UTF-8 in some cases.

The solution seems to be to make sure it is set specifically to UTF-8 and not 
to something like LATIN-1.





Re: Technically not spam

2020-05-31 Thread @lbutlr
On 31 May 2020, at 06:53, micah anderson  wrote:
> "@lbutlr"  writes:
> 
>> Squirrelmail is not supported and I would definitely not recommend
>> anyone run it, especially since you have to run a version of PHP that
>> hasn’t been supported in 4 years and has known exploits that will
>> never be fixed.
> 
> I don't want to disagree with you, because I agree... except to point
> out that the statement about old PHP being required is not true, you can
> run squirrelmail with php7.3.

Good to know (I guess?) the last update note I saw for Squirrelmail was to make 
it work with PHP 5.5 back in 2013. Is there a fork somewhere or does it just 
work with PHP 7.3? And does that include 7.2?


-- 
"Are you pondering what I'm pondering?"
"Well, I think so, Brain, but snort no, no, it's too stupid!"




Re: Technically not spam

2020-05-29 Thread @lbutlr
On 29 May 2020, at 11:11, Benny Pedersen  wrote:
> On 2020-05-29 17:40, @lbutlr wrote:
> 
>> I can't just blacklist the IPs because some people want these emails.
> 
> http://squirrelmail.org/ have support for list-* headers

They generally do not have list headers, of course. At least not 
List-unsubscribe. Most of them pretend they are not mailing lists at all, as is 
the case with nearly all marketing email.

> round-cube and others web-mail missing it,

Roundcube has plugins that support list headers (Roundcube has plugins for most 
things). I believe Horde does as well, but I am less sure there.

> oh dear is software from 2011 still stable ?

Squirrelmail is not supported and I would definitely not recommend anyone run 
it, especially since you have to run a version of PHP that hasn’t been 
supported in 4 years and has known exploits that will never be fixed.



-- 
'I think, if you want thousands, you've got to fight for one.'




Re: Technically not spam

2020-05-29 Thread @lbutlr
On 29 May 2020, at 10:57, Anne P. Mitchell, Esq.  wrote:
> "an e-mail recipient cannot be required to pay a fee, provide information 
> other than his or her e-mail address and opt-out preferences, or take any 
> steps other than sending a reply e-mail message or visiting a single Internet 
> Web page to opt out of receiving future e-mail from a sender."
> 
> It's this:
> 
> "or take any steps other than sending a reply e-mail message or visiting a 
> single Internet Web page to opt out of receiving future e-mail from a sender"

Thank you!


-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but don't you need a swimming pool to play Marco
Polo?"




Re: Technically not spam

2020-05-29 Thread @lbutlr
On 29 May 2020, at 10:16, Anne P. Mitchell, Esq.  wrote:
>> Probably not, but the user doesn't care, just wants the mail gone and to 
>> stop showing up. Telling them to go to the site, jump through password 
>> recovery hoop and then unsubscribe (which on some sites is quite difficult, 
>> as you will be signed up for 5 or 6 different mailings, each of which you 
>> have to seek out individually) is … well, not going to work with many users, 
>> especially the less technical.
> 
> Not to mention that it is a violation of Federal law.  Federal law requires a 
> "one-step" unsubscribe method.

Really? Does it specify that the user doesn’t have to be logged in to the 
site?

Do you have the law handy, I'd like to add it to some boilerplate.



-- 
"The person, be it gentleman or lady, who has not pleasure in a good
novel, must be intolerably stupid".




Re: Technically not spam

2020-05-29 Thread @lbutlr
On 29 May 2020, at 09:51, Antony Stone 
 wrote:
> On Friday 29 May 2020 at 17:40:42, @lbutlr wrote:
>> How do people deal with lists that a user subscribed to that require
>> logging in to an account to unsubscribe?
> 
> Well, as you say in your Subject, this isn't spam; it's just email that the 
> user asked for but has decided they no longer want.

"Asked for" may be a bit strong. 

>> Most legitimate mails have a simple unsubscribes list, but many online
>> stores seem to "forget" to do this.
> 
> Surely they do not forget to have a "forgot my password" option, though?

Probably not, but the user doesn't care, just wants the mail gone and to stop 
showing up. Telling them to go to the site, jump through password recovery hoop 
and then unsubscribe (which on some sites is quite difficult, as you will be 
signed up for 5 or 6 different mailings, each of which you have to seek out 
individually) is … well, not going to work with many users, especially the less 
technical.

>> I can't just blacklist the IPs because some people want these emails.
> 
> My opinion is: it's not your (as email admin) problem - it's the user's 
> problem.  They signed up for it; they can sign out of it.  If they no longer 
> know their password, they can use the "forgot password" mechanism to get back 
> in again, and turn off the emails they no longer want.

That may work in a corporate environment where the users can't really get mad 
at you for not fixing it.

> Basically, I don't think this is a problem you need to try to solve, because 
> it's something the users did themselves - it's not like some miscreant has 
> discovered their email address and is sending stuff they *really* don't want 
> to 
> see (and is probably sending to several other of your users too) - that you 
> can block, but this is genuine email which the user signed up for, and is 
> responsible for signing out of.

Well, "genuine" and "signed up" are *technically* correct, but in many cases 
only technically. "We will send you emails about your order and future orders" 
seems like something you want, until you get 4 or 5 emails a day every day from 
them, exactly one of which was about your order.



-- 
'Can't argue with the truth, sir.' 'In my experience, Vimes, you can
argue with anything.'




Technically not spam

2020-05-29 Thread @lbutlr
How do people deal with lists that a user subscribed to that require logging in 
to an account to unsubscribe? I seem to be seeing a lot more complaints from 
users who cannot get off lists (probably because they didn't realize they were 
creating an account for getting multiple-mails per day).

Most legitimate mails have a simple unsubscribes list, but many online stores 
seem to "forget" to do this.

I can't just blacklist the IPs because some people want these emails.


-- 
Stomach in! Chest out! on your marks! get set! GO! Now, now that
you're free, what are you gonna be? Who are you gonna see? And
where, where will you go, and how will you know you didn't get it
all wrong?




Re: Spamass milter question

2020-05-27 Thread @lbutlr
On 27 May 2020, at 18:27, RW  wrote:
> I should have added that if  whitelist_from_rcvd *@* server.example.com
> (without the colon) is only failing occasionally on mail from
> server.example.com, it's probably just an rDNS lookup failure of some
> sort. 

Well, I do not get anything that I consider spam from that server, so how often 
is this happening? Is it every time spamass-milter thinks the message is spam 
or is it some odd rdns issue? And how could I possibly try? The name and IP of 
the server show up in postfix logs.




-- 
Patty > Melt > Foundry > Terminator > SCSI > Voodoo > Economics >
Discworld > Ringworld > Niven > Pink Panther > Black Panther >
Avengers > Assemble > LEGO > Builder > Bob (word association with
geeks)




Re: Spamass milter question

2020-05-27 Thread @lbutlr
On 27 May 2020, at 10:44, Robert Schetterer  wrote:
> Am 27.05.20 um 18:35 schrieb @lbutlr:
>> # Allow all mailing list posts from example.com

>> whitelist_from_rcvd: *@* server.example.com

Actual file has "whitelist_from_rcvd *@* server.example.com" without the ':'. 
Was hopeful that was the issue.

>> This seems to be in accordance with the docs.

> i think it was
> 
> *@example.com
> 
> but perhaps my memory is out of date

The docs for whitelist_from_rcvd show the following examples:

  whitelist_from_rcvd j...@example.com  example.com
  whitelist_from_rcvd *@*  mail.example.org
  whitelist_from_rcvd *@axkit.org  [192.0.2.123]
  whitelist_from_rcvd *@axkit.org  [192.0.2.0/24]
  whitelist_from_rcvd *@axkit.org  [192.0.2.0]/24
  whitelist_from_rcvd *@axkit.org  [2001:db8:1234::/48]
  whitelist_from_rcvd *@axkit.org  [2001:db8:1234::]/48

<https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html>



-- 
Instant karma's going to get you!




Spamass milter question

2020-05-27 Thread @lbutlr
What, if any, local SpamAssassin settings does spamass-milter use when processing 
incoming mail?

For example, if I wanted to white list a sender or blacklist a domain, would 
the general settings in /usr/local/etc/spamassasin/local.cf be the place?

I am wondering because I have a server whitelisted in that file (or do I?), but 
I am seeing occasional logs like:

postfix/cleanup[7771] 49MN7m64m8z2rPFW: milter-reject: END-OF-MESSAGE from 
server.example.com[n.n.n.n]: 5.7.1 Blocked by SpamAssassin;

# Allow all mailing list posts from example.com
whitelist_from_rcvd: *@* server.example.com

This seems to be in accordance with the docs.


-- 
The true prize was control. Lord Vetinari knew that. When heavy
weights were balanced on the scales, the trick was to know where
to place your thumb. --The Fifth Elephant




Re: whitelist_auth and outlook.com

2020-05-24 Thread @lbutlr
On 22 May 2020, at 14:25, Benny Pedersen  wrote:
> too many ip4 in there spf makes it untrusted here, sorry

Why would the number of IPv4 addresses matter?



-- 
But of course there were the rules. Everyone knew there were rules.
They just had to hope like Hell that the gods knew the rules,
too.




Re: spamc learning/reporting

2020-05-17 Thread @lbutlr



> On 17 May 2020, at 10:07, Grant Taylor  wrote:
> 
> On 5/16/20 8:16 AM, micah anderson wrote:
>> 1. I cannot pass a full email address to -u, if I pass 'user' it works, but 
>> if I pass 'u...@example.com' it fails. How do people handle this with 
>> multiple domains?
> 
> It's been about 15 years, but I'd swear that I had full email address working 
> like that.  Though I was pulling the entries from an SQL database.

It does work, but you have to tell spamc/spamd about the database, otherwise 
-u/--username is looking for a local user with a normal home folder.



-- 
'There's a kind of magic in masks. Masks conceal one face, but reveal
another. The one that only comes out in darkness. I bet you could
do just what you liked, behind a mask...?' —Maskerade




Re: base64 encoded sextorsion

2020-04-29 Thread @lbutlr
On 29 Apr 2020, at 07:42, Joseph Brennan  wrote:
> FYI part of the sender list below. I don't perceive a pattern to how
> they are generated. (This is from sort -u, not the order of arrival.)

Pattern is to take a name or common word and pad it with garbage characters 
before and after.

“Hey, if common matches on their friend Anne or Kristine in the user, we’re IN!”

(I have no idea how matching works on outlook.com, perhaps it is this stupid?)



-- 
Q is for QUENTIN who sank in the mire R is for RHODA consumed by a
fire




Re: Occasional rejections.

2020-04-28 Thread @lbutlr



> On 28 Apr 2020, at 12:06, Reindl Harald  wrote:
> 
> 
> 
> Am 28.04.20 um 20:01 schrieb @lbutlr:
>> On 28 Apr 2020, at 02:58, Reindl Harald  wrote:
>>> Am 28.04.20 um 10:38 schrieb @lbutlr:
>>>> I get occasional mails like this:
>>>> 
>>>>> On 24 Apr 2020, at 18:33, users-h...@spamassassin.apache.org wrote:
>>>>> 
>>>>> Hi! This is the ezmlm program. I'm managing the
>>>>> users@spamassassin.apache.org mailing list.
>>>> 
>>>> Etc.
>>> 
>>> cool that you strip the relevant content with
>> 
>> The only thing I stripped was the remaining boilerplate of the bounce. 
>> Nothing relevant at all, but here it is.
>> 
>>>>> Messages to you from the users mailing list seem to
>>>>> have been bouncing. I've attached a copy of the first bounce
>>>>> message I received.
>>>>> 
>>>>> If this message bounces too, I will send you a probe. If the probe 
>>>>> bounces,
>>>>> I will remove your address from the users mailing list,
>>>>> without further notice.
>>>>> 
>>>>> 
>>>>> I've kept a list of which messages from the users mailing list have 
>>>>> bounced from your address.
>>>>> 
>>>>> Copies of these messages may be in the archive.
>>>>> To retrieve a set of messages 123-145 (a maximum of 100 per request),
>>>>> send a short message to:
>>>>>  
>>>>> 
>>>>> To receive a subject and author list for the last 100 or so messages,
>>>>> send a short message to:
>>>>>  
>>>>> 
>>>>> Here are the message numbers:
>>>>> 
>>>>>  121942
>>>>> 
>>>>> --- Enclosed is a copy of the bounce message I received.
>> 
>>>>> Return-Path: <>
>>>>> Received: (qmail 34298 invoked for bounce); 14 Apr 2020 19:22:46 -
>>>>> Date: 14 Apr 2020 19:22:46 -
>>>>> From: mailer-dae...@apache.org
>>>>> To: users-return-1219...@spamassassin.apache.org
>>>>> Subject: failure notice
>>>> 
>>>> So, this is weird because I do not use qmail and when I check my mail logs 
>>>> for 14 Apr 13:22:46 (I am -0600) there is nothing there at all.
>>>> 
>>>> So I assume the bounce is being caused by apache.org and not my server
>>> 
>>> what else when it's coming from users-h...@spamassassin.apache.org?
>>> 
>>> messages of you were rejected, most likely because quoting high score
>>> spam, it's that easy
>> 
>> 
>> That is exactly the opposite of what the message claims as it says message 
>> TO me are bouncing and I can retrieve the bounced ones. I take it you’ve 
>> never gotten one of these?
> 
> i have and i can read and understand
> 
> what it says is that *your server rejected* list messages for whatever
> reason

And my server did not. That is the issue.

> and yes, "bounce" is a wrong wording
> 
>> So message TO me are bouncing without involving my mail server
> 
> no, *your* server rejects list messages, most likely ones with quoted or
> attached spam stuff

There is no such rejection in my logs. That is the entire point of my original 
post:

> when I check my mail logs for 14 Apr 13:22:46 (I am -0600) there is nothing 
> there at all.

And later:

> In fact, there is no “apache.org” at all in the mail logs between 09:56 and 
> 22:12 for the date in question. Nor for 207.244.88.153 (the IP for Hermes, 
> which actually sends the mail).




-- 
I said pretend you've got no money, she just laughed and said, 'Eh
you're so funny.' I said, 'Yeah? Well I can't see anyone else
smiling in here.’




Occasional rejections.

2020-04-28 Thread @lbutlr
I get occasional mails like this:

> On 24 Apr 2020, at 18:33, users-h...@spamassassin.apache.org wrote:
> 
> Hi! This is the ezmlm program. I'm managing the
> users@spamassassin.apache.org mailing list.

Etc.

> Return-Path: <>
> Received: (qmail 34298 invoked for bounce); 14 Apr 2020 19:22:46 -
> Date: 14 Apr 2020 19:22:46 -
> From: mailer-dae...@apache.org
> To: users-return-1219...@spamassassin.apache.org
> Subject: failure notice

So, this is weird because I do not use qmail and when I check my mail logs for 
14 Apr 13:22:46 (I am -0600) there is nothing there at all.

So I assume the bounce is being caused by apache.org and not my server.

Since I cannot track this down at all on my end, what am I supposed to 
do about these bounces?

(I haven’t in this case, but in previous cases when I have requested the missing 
post, I get duplicates).

The 10 day delay is great, as it makes searching the logs much more difficult.






-- 
"Are you pondering what I'm pondering?"
"We think so, Brain! But dressing like twins is so tacky.”




Re: URI is counted two times

2020-03-29 Thread @lbutlr
On 28 Mar 2020, at 01:09, Cecil Westerhof  wrote:
> Should not one of those two be removed, because it is now penalised
> two times.

It is penalized for being in SURBL and then penalized for being in the DBL; 
seems perfectly reasonable to me.



-- 
"You're just impressed by any pretty girl who can walk and talk."
"She doesn't have to talk.”




Re: SpamAssassin Milter – Milter for spam filtering with SpamAssassin

2020-03-09 Thread @lbutlr
On 09 Mar 2020, at 10:43, David Bürgin  wrote:
> I used to be a user of an alternative milter, spamass-milt,

Do you mean spamass-milter or is this another filter for SA I don’t know?


-- 
"Alas, earwax.”




Re: Question on early detection for relay spam

2020-03-04 Thread @lbutlr
On 04 Mar 2020, at 16:27, Rupert Gallagher  wrote:
> Fails with travelling clients.

Depends. I block several countries from accessing my mail server. If someone 
travels to one of those countries, they can use webmail to access their mail.

There are always options.

However, most people simply use a VPN.



Re: From Spoofed

2020-03-02 Thread @lbutlr
On 02 Mar 2020, at 09:32, Robert A. Ober  wrote:
> On 2/26/20 9:54 AM, Bill Cole wrote:
>> 
>> Which puts you in the top 99.999th percentile of email server skills 
>> worldwide!

> Ha,  I hope that's wrong:-)

I’m sure it is, it’s more like 99.999%

Do we think there are 80,000 people in the world with decent email server 
skills? I don’t.

-- 
"Great art is as irrational as great music. It is mad with its own
loveliness." -  George Jean Nathan




Re: SQL preferences: where does the _DOMAIN_ in the query come from

2020-02-19 Thread @lbutlr
On 18 Feb 2020, at 14:48, RW  wrote:
> It seems perfectly clear to me, if read carefully.

The definition is clear, but the original post specifically addressed the lack 
of _DOMAIN_ being defined:


On 18 Feb 2020, at 00:36, Guido Goluke, Majorlabel  wrote:
> In my setup, the domain variable is empty. How do I get the _DOMAIN_ variable 
> to be filled so that I can make a flexible SQL setup?



-- 
"We take off our Republican hats and put on our American hats" --
Many Republicans in Sep 2008




Re: SQL preferences: where does the _DOMAIN_ in the query come from

2020-02-18 Thread @lbutlr
On 18 Feb 2020, at 07:25, RW  wrote:
> On Tue, 18 Feb 2020 06:54:22 -0700 @lbutlr wrote:
> 
>> On 18 Feb 2020, at 05:30, RW  wrote:
>>> On Tue, 18 Feb 2020 08:36:11 +0100 Guido Goluke, Majorlabel wrote:  
>>>> I'm in the process of setting up my preferences through SQL. Now
>>>> spamc is invoked through a Postfix milter, but that's besides the
>>>> point, since whatever way spamc is called, it can only specify one
>>>> -u param as the username. However, the WIKI and Docs version of the
>>>> proposed query use both a _USERNAME_ and _DOMAIN_ variable. In my
>>>> setup, the domain variable is empty. How do I get the _DOMAIN_
>>>> variable to be filled so that I can make a flexible SQL setup?  
>>> 
>>> 
>>> Open the docs for Mail::SpamAssassin::Conf and search for _DOMAIN_  
>> 
>> I don’t think that answers the question?
> 
> Have you actually read the definition of _DOMAIN_?

Yes, but did you read the OP's question?

> It's the first match on  _DOMAIN_, it stands out as being a definition, and 
> it says in simple unambiguous language where the value comes from.

If the OP could look up the domain in the sql query they would already KNOW the 
domain to pass to spamc via the postfix milter.



-- 
"Are you pondering what I'm pondering?"
"I think so, Brainwulf, but if we're Danish, where's the cream
cheese? Narf!”




Re: SQL preferences: where does the _DOMAIN_ in the query come from

2020-02-18 Thread @lbutlr
On 18 Feb 2020, at 05:30, RW  wrote:
> On Tue, 18 Feb 2020 08:36:11 +0100 Guido Goluke, Majorlabel wrote:
>> I'm in the process of setting up my preferences through SQL. Now
>> spamc is invoked through a Postfix milter, but that's besides the
>> point, since whatever way spamc is called, it can only specify one -u
>> param as the username. However, the WIKI and Docs version of the
>> proposed query use both a _USERNAME_ and _DOMAIN_ variable. In my
>> setup, the domain variable is empty. How do I get the _DOMAIN_
>> variable to be filled so that I can make a flexible SQL setup?
> 
> 
> Open the docs for Mail::SpamAssassin::Conf and search for _DOMAIN_

I don’t think that answers the question?


-- 
Battlemage? That's not a profession. It barely qualifies as a hobby.
'Battlemage' is about impressive a title as 'Lord of the Dance'.
 I'm adding Lord of the Dance to my titles.




Re: 3.4.3 fails to start

2019-12-15 Thread @lbutlr
On 15 Dec 2019, at 00:42, Henrik K  wrote:
> On Sat, Dec 14, 2019 at 06:49:17PM -0700, @lbutlr wrote:
>> # sa-update 
>> plugin: failed to parse plugin (from @INC): Can't locate BSD/Resource.pm in 
>> @INC (you may need to install the BSD::Resource module) (@INC contains: 
>> /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/site_perl/mach/5.28 
>> /usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at 
>> /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/ResourceLimits.pm line 79.
>> BEGIN failed--compilation aborted at 
>> /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/ResourceLimits.pm line 79.
>> Compilation failed in require at (eval 435) line 1.
>> plugin: failed to parse plugin (from @INC): Attempt to reload 
>> Mail/SpamAssassin/Plugin/ResourceLimits.pm aborted.
>> Compilation failed in require at (eval 502) line 1.
> 
> Install the perl BSD::Resource module as suggested or disable ResourceLimits
> plugin in your *.pre.  It is not enabled by default in SA, so either you or
> ports did it.

Oddly, the errors have gone away entirely since I ran sa-compile.

-- 
I WILL NOT PLEDGE ALLEGIANCE TO BART Bart chalkboard Ep. 7F09

Re: 3.4.3 fails to start

2019-12-14 Thread @lbutlr
On 14 Dec 2019, at 18:49, @lbutlr  wrote:
> child process [51792] exited or timed out without signaling production of a 
> PID file: exit 255 at /usr/local/bin/spamd line 3034.
> /usr/local/etc/rc.d/sa-spamd: WARNING: failed to start spamd

On a lark I ran sa-compile which threw some perl errors, but did compile the 
rules at which point sa-spamd was able to start.

plugin: failed to parse plugin (from @INC): Can't locate BSD/Resource.pm in 
@INC (you may need to install the BSD::Resource module) (@INC contains: 
/usr/local/lib/perl5/site_perl /usr/local/lib/perl5/site_perl/mach/5.28 
/usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at 
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/ResourceLimits.pm line 
79.
BEGIN failed--compilation aborted at 
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/ResourceLimits.pm line 
79.
Compilation failed in require at (eval 119) line 1.

Dec 14 18:51:24.743 [42670] info: generic: base extraction starting. this can 
take a while...
Dec 14 18:51:24.743 [42670] info: generic: extracting from rules of type body_0
100% [===]  90.59 rules/sec 00m08s DONE
100% [===] 813.19 bases/sec 00m03s DONE
… etc



-- 
'Nothing works against magic. Except stronger magic. And then the
only thing that beats stronger magic is even stronger magic. And
the next thing you know...' 'Phooey?' —Sourcery



3.4.3 fails to start

2019-12-14 Thread @lbutlr
Existing 3.4.2 install. After using ports to update to 3.4.3 I tried to restart 
sa-spamd as I usually do after an update:

# service sa-spamd restart
Stopping spamd.
Waiting for PIDS: 11957.
Starting spamd.
child process [51792] exited or timed out without signaling production of a PID 
file: exit 255 at /usr/local/bin/spamd line 3034.
/usr/local/etc/rc.d/sa-spamd: WARNING: failed to start spamd

A little bit of googling tells me that I need to run sa-update, so I do that:

# sa-update 
plugin: failed to parse plugin (from @INC): Can't locate BSD/Resource.pm in 
@INC (you may need to install the BSD::Resource module) (@INC contains: 
/usr/local/lib/perl5/site_perl /usr/local/lib/perl5/site_perl/mach/5.28 
/usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at 
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/ResourceLimits.pm line 
79.
BEGIN failed--compilation aborted at 
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/ResourceLimits.pm line 
79.
Compilation failed in require at (eval 435) line 1.

plugin: failed to parse plugin (from @INC): Attempt to reload 
Mail/SpamAssassin/Plugin/ResourceLimits.pm aborted.
Compilation failed in require at (eval 502) line 1.

# pkg provides sa-update 
Name: spamassassin-3.4.2_3
Desc: Highly efficient mail filter for identifying spam
Repo: FreeBSD
Filename: usr/local/share/spamassassin/sa-update-pubkey.txt
  usr/local/lib/perl5/site_perl/man/man1/sa-update.1.gz
  usr/local/bin/sa-update

So… now what?



-- 
HILLBILLIES ARE PEOPLE TOO Bart chalkboard Ep. AABF11



Re: Spamassassin reporting

2019-12-06 Thread @lbutlr
On 04 Dec 2019, at 17:07, Chris Pollock  wrote:
> Here's what I use for my home system

That’s nifty, though it would be nice if it could handle compressed files.



-- 
Train Station: where the train stops. Work Station: …



Re: Can someone explain how to read Bayes stats?

2019-11-27 Thread @lbutlr
On 27 Nov 2019, at 06:52, Anders Gustafsson  wrote:
> 0.000  0   3184  0  non-token data: nspam
> 0.000  0  17298  0  non-token data: nham

Plenty of spam and ham learned

> 0.000  0 1553643652  0  non-token data: oldest atime

Oldest data is from March

> 0.000  0 1574862537  0  non-token data: newest atime

Newest date from today

> I had SA running before, but had to take a break because of upgrades. I have 
> not had the chance yet to collect over 200 SPAM/HAM messages for training.

You have, but chances are most of it is old. Still, that doesn’t mean useless.

You should see Bayes scores in incoming mail.


-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but Zero Mostel times anything will still give
you Zero Mostel.”
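
The reading of the dump given in the reply above, done mechanically. This is an added example, not part of the original post or of SpamAssassin; the sample lines are the four quoted in the thread, and the 200-message minimum is the figure mentioned there.

```python
"""Summarise the 'non-token data' lines printed by `sa-learn --dump magic`."""
import re
from datetime import datetime, timezone

# Minimum learned messages per class before Bayes is used for scanning.
# 200 is the figure quoted in this thread; treat it as an assumption if
# your configuration overrides it.
MIN_LEARNED = 200

# The four lines quoted in the post above.
SAMPLE = """\
0.000  0   3184  0  non-token data: nspam
0.000  0  17298  0  non-token data: nham
0.000  0 1553643652  0  non-token data: oldest atime
0.000  0 1574862537  0  non-token data: newest atime
"""

# Columns: probability, spam count, value, atime, then the label.
# For non-token lines the interesting number is the third column.
LINE = re.compile(r"^\s*\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data:\s+(.+?)\s*$")


def parse_magic(text):
    """Return {label: integer value} for every non-token line found."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields[m.group(2)] = int(m.group(1))
    return fields


def summarise(text, min_learned=MIN_LEARNED):
    """Turn the raw counters into the facts an admin actually wants."""
    f = parse_magic(text)

    def utc(key):
        ts = f.get(key, 0)
        # An atime of 0 means "never"; report it as missing, not as 1970.
        return datetime.fromtimestamp(ts, tz=timezone.utc) if ts else None

    oldest, newest = utc("oldest atime"), utc("newest atime")
    nspam, nham = f.get("nspam", 0), f.get("nham", 0)
    return {
        "nspam": nspam,
        "nham": nham,
        # Both classes must reach the minimum or Bayes rules stay silent.
        "scanning_enabled": nspam >= min_learned and nham >= min_learned,
        "oldest": oldest,
        "newest": newest,
        "span_days": (newest - oldest).days if oldest and newest else None,
    }


if __name__ == "__main__":
    s = summarise(SAMPLE)
    print(f"spam learned: {s['nspam']}, ham learned: {s['nham']}")
    print(f"Bayes used for scanning: {s['scanning_enabled']}")
    print(f"token access times: {s['oldest']:%Y-%m-%d} to {s['newest']:%Y-%m-%d}"
          f" ({s['span_days']} days)")
```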



Re: shortcircuit on alread x-spam-flag: yes

2019-11-26 Thread @lbutlr
Oops. Sorry about that.

> On 26 Nov 2019, at 13:22, @lbutlr  wrote:
> 
> You know a thorn can main / But a lover does the same / A gem will
>   reflect light / And a Fool will marvel at the sight / A fool such
>   as me,
> /Who sees not the gold, but the beauty of the shine
> /%
> 'You know me,' said Rincewind. 'Just when I'm getting a grip on
>   something Fate comes along and jumps on my fingers.'
>   --Interesting Times

-- 
"Are you pondering what I'm pondering?"
"Wuh, I think so, Brain, but wouldn't anything lose its flavor on the
bedpost overnight?"


Re: shortcircuit on alread x-spam-flag: yes

2019-11-26 Thread @lbutlr
On 26 Nov 2019, at 08:11, Philipp Ewald  wrote:
> we have "old customer" (with historical terms) there have forwarding rules 
> for any mail and we are not allowed to set SPAM Filter rule or to change the 
> forwarding rules.

Forwarding spam is a good way to be blacklisted as a spam source. This is why I 
have disabled all forwarding rules.

If users want their mail to arrive at another account, they have to pull the 
mail themselves. (Obviously, most people automate this.) Gmail users have to 
use POP3 to get the mail, and I only allow POP3 access for specific users and 
only from google servers (I would gladly allow some other server that can only 
pull from POP, but no one has asked).


-- 
You know a thorn can main / But a lover does the same / A gem will
reflect light / And a Fool will marvel at the sight / A fool such
as me,
/Who sees not the gold, but the beauty of the shine
/%
'You know me,' said Rincewind. 'Just when I'm getting a grip on
something Fate comes along and jumps on my fingers.'
--Interesting Times



Re: Getting spamass-milter to work with postfix

2019-11-24 Thread @lbutlr
On 24 Nov 2019, at 11:23, Bill Cole  
wrote:
> setting "smtpd_delay_open_until_valid_rcpt = no" should make it available. By 
> default, postfix does not commit a file descriptor and queue ID to a message 
> until it has an accepted recipient. Setting that option to "no" causes it to 
> open the file and assign a queue ID at connect time, which also enhances the 
> logging by postfix itself, since every entry for a particular SMTP session has 
> a common queue ID in it.

Well, that’s nifty!



-- 
Suddenly the animals look shiny and new



Re: List Of Available Spamassassin Rule

2019-10-25 Thread @lbutlr
On 24 Oct 2019, at 07:24, Savvas Karagiannidis  wrote:
> you use a perl script like this:

That’s useful enough it should be part of the SA install.




-- 
No matter how fast light travels it finds the darkness has always got
there first, and is waiting for it.



Re: Facebook notifications sent from dynamic address

2019-10-08 Thread @lbutlr
On Oct 7, 2019, at 11:35 AM, Kris Deugau  wrote:
> So tempting to let my inner BOFH out and just convert those to blacklist_from 
> entries instead though…

So, so tempting!




-- 
"A synonym is a word you use when you can't spell the word you first
thought of." - Burt Bacharach



Re: Migrating from sendmail to Postfix

2019-09-30 Thread @lbutlr
On Sep 30, 2019, at 7:28 PM, Ramon F Herrera  wrote:
> On 9/29/2019 3:10 PM, Bill Cole wrote:
>> Beyond translating  configuration, there's one important part of Postfix 
>> that has no Sendmail equivalent: the postscreen front-line SMTP screener 
>> program. Postscreen implements a greeting pause, weighted parallel DNSBL 
>> checking, and optionally a few other spambot-detection tactics. Because it 
>> is a unique tool, some distributions do not enable it by default. Make sure 
>> you have it set up, because it is an extremely effective and lightweight 
>> tool.
> 
> Bill: Can you please explain that tool?

There’s good documentation.



-- 
No, YOU’RE drunk!

Re: Spam child

2019-09-15 Thread @lbutlr
On Sep 15, 2019, at 3:03 PM, RW  wrote:
> On Sun, 15 Sep 2019 13:36:13 -0600
> @lbutlr wrote:
>> On Sep 15, 2019, at 6:53 AM, RW  wrote:
>>> When  child processes are running as root they switch to the unix
>>> user running spamc  (or specified with spamc -u) for processing the
>>> scan. If that would still result in root being used the child
>>> process switches to nobody instead.  
>> 
>> OK, should I set rc.conf to pass -u spamd then?
> 
> Probably, unless you need spamd to use per user files in
> ~/.spamassassin. Running spamc as a single unprivileged user has a
> similar effect, but it's more error prone.

This did not exactly solve the problem, as I still had a stuck process, only it 
was not using 100% of a core and it wasn’t owned by nobody. This led me to 
move aside the existing Bayes DB files.

File type and version of the DB is the same, but the old ones were causing an 
error “cannot open bayes databases /var/spool/spamd/.spamassassin/bayes_* R/W: 
lock failed: Interrupted system call” which was lost in the noise of the error 
about spamd child still running.

 # file .spamassassin*/bayes_seen
.spamassassin_old/bayes_seen: Berkeley DB 1.85 (Hash, version 2, native byte-order)
.spamassassin/bayes_seen: Berkeley DB 1.85 (Hash, version 2, native byte-order)
 # ls -ls .spamassassin*/bayes_seen
256 -rw-rw-rw-  1 spamd  spamd  131072 Sep 15 15:46 .spamassassin/bayes_seen
31360 -rw-rw-rw-  1 spamd  spamd  20250624 Aug 20 07:28 .spamassassin_old/bayes_seen

Now I just need to feed some spam and ham to the database.



-- 
'I don't see why everyone depends on me. I'm not dependable. Even I
don't depend on me, and I'm me.’



Re: Spam child

2019-09-15 Thread @lbutlr
On Sep 15, 2019, at 6:53 AM, RW  wrote:
> When  child processes are running as root they switch to the unix user
> running spamc  (or specified with spamc -u) for processing the scan. If
> that would still result in root being used the child process switches
> to nobody instead.

OK, should I set rc.conf to pass -u spamd then?

And if this is an issue, why is “run as root” marked as “recommended” when 
setting up spamassassin in FreeBSD ports?


-- 
++?++ Out of Cheese Error. Redo From Start.



Re: Spam child

2019-09-15 Thread @lbutlr
On Sep 15, 2019, at 1:09 AM, Axb  wrote:
> On 9/14/19 9:30 PM, @lbutlr wrote:
>> I am still getting spamd processes that last for hours or days. When I 
>> kill them, `kill -9` they come back after the load drops. The processes use 
>> 100% of the processor.
>> nobody   72041 100.0  2.2  87264  76940  -  R10:36  35:28.97 spamd 
>> child (perl)
>> root 52954   0.0  1.9  76992  67124  -  I13:41   0:01.60 spamd 
>> child (perl)
>> root 55342   0.0  0.2  24904   7828  -  Ss   Sun15   0:06.06 
>> /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd 
>> -r 10 -i 65.121.55.40/29 -i 127.0.0.1 -e covisp.net
>> root 73409   0.0  2.1  84860  75240  -  IWed20   0:59.01 spamd 
>> child (perl)
>> root 84607   0.0  1.8  73880  63700  -  Ss   Tue01   0:20.77 
>> /usr/local/bin/perl -T -w /usr/local/bin/spamd -c -H /var/spool/spamd -d -r 
>> /var/run/spamd/spamd.pid
>> The only way to get rid of it is to stop spamd and restart it.
>> Running SA 3.4.2 on FreeBSD 11.3 with no updates pending. I tried updating 
>> perl, but that did not work at all, it appears SA can’t use perl 5.30.
>> I’ve just setup cron to stop/start sa-spamd periodically until I figure out 
>> why this is happening.
>> What is starting spamd as nobody instead of root like the other processes?
> 
> 
> Is this what you're looking for?

I don’t think so, the issue is spamd child processes that keep running for days 
and peg one of the cores.

> https://spamassassin.apache.org/full/3.4.x/doc/spamd.txt
> -m num, --max-children=num        Allow maximum num children
> 
> --min-children=num                Allow minimum num children
> 
> --min-spare=num                   Lower limit for number of spare children
> 
> --max-spare=num                   Upper limit for number of spare children
> 
> --max-conn-per-child=num          Maximum connections accepted by child 
>                                   before it is respawned



-- 

Re: Scoring TLS.

2019-09-06 Thread @lbutlr
On 6 Sep 2019, at 14:37, @lbutlr  wrote:
> I do need to go through the logs again at some point and see how things are 
> shaping up. It would be interesting to see what the server-to-server 
> encryption looks like now for valid mail. I suspect that 1.1 has dropped to 
> near 0 and 1.0 is more spam than it was, but that’s just a guess.

I ran a quick check and less than 1% of my secure connections (700 out of 
74,000) are using TLSv1 instead of TLSv1.2, and more than half of those are 
from list servers. The rest are mostly unknown with a few named like 
blackboard,bet, shoran.io, and admiral.net.

I’m not blocking TLSv1 servers at this, but I am certainly considering adding a 
point or so in SA. That will not affect the mailing lists at all, but it might 
catch some of the other garbage.





-- 
LOOSE TEETH DON'T NEED MY HELP Bart chalkboard Ep. AABF16
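
One way to get the breakdown described in the post above: count inbound TLS protocol versions and see which hosts still negotiate TLSv1 or TLSv1.1 before deciding to score them. This is an added example, not the poster's script; the log lines are constructed in the format Postfix smtpd writes at `smtpd_tls_loglevel = 1`, and the `postfix/submission/smtpd` service name for client submission is an assumption about master.cf.

```python
"""Tally TLS protocol versions of inbound server-to-server SMTP sessions."""
import re
from collections import Counter, defaultdict

# Protocol versions treated as legacy for this report.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample log (hosts and addresses use documentation ranges).
SAMPLE_LOG = """\
Sep  6 14:01:02 mx postfix/smtpd[1201]: connect from mail.example.org[192.0.2.10]
Sep  6 14:01:02 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep  6 14:03:40 mx postfix/smtpd[1207]: Anonymous TLS connection established from lists.example.net[198.51.100.20]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep  6 14:09:11 mx postfix/smtpd[1210]: Anonymous TLS connection established from lists.example.net[198.51.100.20]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep  6 14:12:55 mx postfix/smtpd[1215]: Anonymous TLS connection established from unknown[203.0.113.77]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep  6 14:15:03 mx postfix/smtpd[1219]: Anonymous TLS connection established from mx.example.com[2001:db8::25]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep  6 14:20:47 mx postfix/smtpd[1224]: Untrusted TLS connection established from relay.example.org[192.0.2.44]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep  6 14:22:10 mx postfix/submission/smtpd[1230]: Anonymous TLS connection established from client.example.com[198.51.100.99]: TLSv1 with cipher AES256-SHA (256/256 bits)
Sep  6 14:30:00 mx postfix/smtpd[1241]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Only the port-25 smtpd service is matched, so authenticated client
# submission (logged under a different service name) is not counted.
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: \w+ TLS connection established from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>TLSv1(?:\.\d)?|SSLv3) with cipher"
)


def tally(log_text):
    """Return (versions, legacy_clients).

    versions:        Counter of protocol -> sessions
    legacy_clients:  protocol -> Counter of 'host[ip]' -> sessions
    """
    versions = Counter()
    legacy_clients = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue
        proto = m.group("proto")
        versions[proto] += 1
        if proto in LEGACY:
            legacy_clients[proto][f"{m.group('host')}[{m.group('ip')}]"] += 1
    return versions, legacy_clients


def legacy_share(versions):
    """Fraction of TLS sessions that used a legacy protocol."""
    total = sum(versions.values())
    legacy = sum(n for proto, n in versions.items() if proto in LEGACY)
    return legacy / total if total else 0.0


if __name__ == "__main__":
    versions, legacy_clients = tally(SAMPLE_LOG)
    for proto, n in sorted(versions.items()):
        print(f"{n:6d} {proto}")
    print(f"legacy share: {legacy_share(versions):.1%}")
    for proto, clients in legacy_clients.items():
        for client, n in clients.most_common():
            print(f"  {proto:8s} {n:4d} {client}")
```

Sessions that never negotiated TLS do not appear in these lines at all, so the share is of encrypted sessions only, as in the post.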



Re: Scoring TLS.

2019-09-06 Thread @lbutlr
On 6 Sep 2019, at 14:14, Matus UHLAR - fantomas  wrote:
>>>> TLSv1.0 is EOLed and should not be used nor supported.
> 
>> On 6 Sep 2019, at 01:57, Matus UHLAR - fantomas  wrote:
>>> well, if your clients (some old server installations) only support tls1.0, 
>>> it's better to allow it than forcing it to go plaintext or reject the mail 
>>> at all.
> 
>>> On 06.09.19 00:57, @lbutlr wrote:
>> I don’t agree. It is thinking like this that leads to people still wanting 
>> to use RC4-SHA or HTTP AUTH.
> 
> the alternative on server-server connection is no encryption at all.

Which is still going to be the case for a still significant percentage of 
connections. Using deprecated end-of-life security shouldn’t be encouraged.

>>> http://postfix.1071664.n5.nabble.com/Update-to-recommended-TLS-settings-td78583.html
> 
> On 06.09.19 11:50, @lbutlr wrote:
>> That is four years ago and largely covers maintaining support for the 16 
>> year-old Exchange 2003.
> 
> did you intentionally skip the link that was an update to this one and only 
> one year old to blame me for the older one?

Of course not, the second one was a followup to the first one, which again was 
largely about Exchange 2003, so I didn’t think it really added anything and it 
was also still before the EOL for TLSv1.0.

>> The difference right now is that TLSv1.0 is end-of-life and has known flaws. 
>>  It should no more be used than MD5 or RC2.
>> 
>> However, I think here we were talking about TLS connections from sending 
>> servers; there TLSv1.0 is already basically unused.  You are more likely to 
>> not get an opportunistic encryption at all than TLSv1.
> 
> I'd be happy to see any statistics about this. Possibly in postfix list, if
> you can…

Your logs will be different than mine, I am sure. When last I checked for 
successfully submitted mails, unencrypted was more common than TLSv1.0, and 
that was … spring?

>51 version=TLSv1,
> 8 version=TLSv1.1,
>   539 version=TLSv1.2,
>92 version=TLSv1.3,

Most of my TLSv1 were connections that were rejected for high degrees of 
spammishness.

I do need to go through the logs again at some point and see how things are 
shaping up. It would be interesting to see what the server-to-server encryption 
looks like now for valid mail. I suspect that 1.1 has dropped to near 0 and 1.0 
is more spam than it was, but that’s just a guess.



-- 
'We get that in here some nights, when someone's had a few. Cosmic
speculation about whether the gods exist. Next thing, there's a bolt of
lightning through the door with a note wrapped round it saying, "Yes, we
do" and a pair of sandals with smoke coming out.' (Small Gods)



Re: Score in subject differs from score in headers

2019-09-06 Thread @lbutlr
On 6 Sep 2019, at 10:35, Riccardo Alfieri  wrote:
> On 06/09/19 17:45, David Galloway wrote:
> 
>> For example, I'm looking at an e-mail now with "* SPAM 5.4 *" in
>> the subject but "X-Spam-Status: No, score=3.2 required=5.0"
> 
> since when does SpamAssassin also write the scores in the subject? It's a 
> cool feature that I probably missed completely 

Since forever? Nearly forever?

I used to use (Spam? _SCORE_) when I tagged subjects. I no longer do that. I do 
not recommend that anyone do that, it causes more trouble than it’s worth.

(I am pretty sure that is the syntax, it’s been a number of years).

As for your issue, I suspect you are double processing mail (been there, done 
that, have the t-shirt) and that one process is applying the higher score to 
the subject.



-- 
You've never heard of the Millennium Falcon?



Re: Scoring TLS.

2019-09-06 Thread @lbutlr
On 6 Sep 2019, at 01:57, Matus UHLAR - fantomas  wrote:
> On 06.09.19 00:57, @lbutlr wrote:
>> TLSv1.0 is EOLed and should not be used nor supported.
> 
> well, if your clients (some old server installations) only support tls1.0, 
> it's better to allow it than forcing it to go plaintext or reject the mail at 
> all.

I don’t agree. It is thinking like this that leads to people still wanting to 
use RC4-SHA or HTTP AUTH.

> http://postfix.1071664.n5.nabble.com/Update-to-recommended-TLS-settings-td78583.html

That is four years ago and largely covers maintaining support for the 16 
year-old Exchange 2003.

The difference right now is that TLSv1.0 is end-of-life and has known flaws. It 
should no more be used than MD5 or RC2.

However, I think here we were talking about TLS connections from sending 
servers; there TLSv1.0 is already basically unused. You are more likely to not 
get an opportunistic encryption at all than TLSv1.

On 6 Sep 2019, at 00:51, Reio Remma  wrote:
> I recently did an experiment where I stopped accepting incoming e-mail 
> without TLS. This seemingly cut off about 95-99% of spam. Unfortunately there 
> still seem to be a small percentage of servers sending without TLS, so that 
> was a no go.


I took that to mean the OP was not talking about submission from clients, but 
incoming mail from other servers.



-- 
The trouble with being a god is that you've got no one to pray to.



Re: Scoring TLS.

2019-09-06 Thread @lbutlr
On 6 Sep 2019, at 00:51, Reio Remma  wrote:
> Even though I recall QMail having TLSv1 back when we were still using it.

TLSv1.0 is EOLed and should not be used nor supported.

But yes, mailing lists are the main reason I have not gone 100% TLS myself 
(it’s not just this one, sadly).

There is very little desired email that does not come from lists that is not 
using TLS 1.1 or better (TLS 1.1 shouldn’t be used either, but I see a fair 
amount of 1.1 still, or did last I looked a few months ago).



-- 
The easiest way to find something lost around the house is to buy a
replacement.



Re: Many sa-learn processes getting stuck

2019-08-30 Thread @lbutlr
On 30 Aug 2019, at 12:32, @lbutlr  wrote:
> That is probably my error then. I removed the -Q flag manually and didn’t 
> check -u since there is a scan user on the system.

Found the problem, it wasn’t spam assassin at all, it was an old crontab script 
that somehow was re-enabled. Removed it from the crontab (instead of 
commenting it out) and killed all the processes and things seem to be running 
OK now.




Re: Many sa-learn processes getting stuck

2019-08-30 Thread @lbutlr
On 30 Aug 2019, at 11:49, RW  wrote:
> On Fri, 30 Aug 2019 10:58:30 -0600
> @lbutlr wrote:
> 
>> I have a lot of processes that look like this:
>> 
>> root 48359 100.0  1.4  55984  47680  -  R17:53  989:39.50
>> /usr/local/bin/perl -T -w /usr/local/bin/sa-learn --spam -u vscan
> ...
>> /var/spool/spamd/.spamassassin/bayes_toks Aug 30 10:44:37.624 [19164]
>> dbg: bayes: tie-ing to DB file R/O
> 
> This looks a bit strange. The -u argument to sa-learn is supposed to be
> for SQL virtual users, but spamd is using a single Berkeley database.

That is probably my error then. I removed the -Q flag manually and didn’t check 
-u since there is a scan user on the system.

> bayes_toks is in the default location for the spamd user, do you have
> that location in  bayes_path, otherwise sa-learn is probably looking
> under ~root.

It looks to be looking in /var/spool/spamd/.spamassassin according to the output 
of -D I posted above.

> IIWY I'd run sa-learn as the user spamd using su.

All the sa-learn processes are running as root currently, so I don’t think it’s 
a permission issue. I will remove the -u flag though.

> Also disable bayes_auto_expire, if you haven't already.

Will do.

-- 
Nobody puts one over on Fred C. Dobbs.

Many sa-learn processes getting stuck

2019-08-30 Thread @lbutlr
I have a lot of processes that look like this:

root 48359 100.0  1.4  55984  47680  -  R17:53  989:39.50 
/usr/local/bin/perl -T -w /usr/local/bin/sa-learn --spam -u vscan 
/usr/local/virtual/kr...@kreme.com/Maildir/.Junk/cur/15670…  
/usr/local/virtual/kr...@kreme.com/Maildir/.Junk/cur/15670201…  
[ 15 lines ]
/usr/local/virtual/kr...@kreme.com/Maildir/.Junk/cur/15670

I have a script in dovecot that feeds mails to sa-learn --spam when they are 
moved to the junk folder, but it is a script that is used by a lot of people, 
so I doubt the problem is there.

I also have other processes that hit a similar script that marks messages as 
ham when they are moved to the archives mailbox.

FreeBSD is up to date, SA is up to date, postfix and dovecot are up to date, 
perl is up to date (5.28 branch).

When I run the command manually with -D, (I've recently reset everything, thus 
the Bayes DB being light on content) I get the following:

Aug 30 10:44:37.624 [19164] dbg: bayes: learner_new: got 
store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x8fe2c84)
Aug 30 10:44:37.624 [19164] dbg: plugin: 
Mail::SpamAssassin::Plugin::Bayes=HASH(0x88969a8) implements 
'learner_is_scan_available', priority 0
Aug 30 10:44:37.624 [19164] dbg: bayes: tie-ing to DB file R/O 
/var/spool/spamd/.spamassassin/bayes_toks
Aug 30 10:44:37.624 [19164] dbg: bayes: tie-ing to DB file R/O 
/var/spool/spamd/.spamassassin/bayes_seen
Aug 30 10:44:37.625 [19164] dbg: bayes: found bayes db version 3
Aug 30 10:44:37.625 [19164] dbg: bayes: DB journal sync: last sync: 0
Aug 30 10:44:37.625 [19164] dbg: bayes: not available for scanning, only 97 
ham(s) in bayes DB < 200
Aug 30 10:44:37.625 [19164] dbg: bayes: untie-ing
Aug 30 10:44:37.625 [19164] dbg: config: score set 1 chosen.
Aug 30 10:44:37.626 [19164] dbg: dns: EDNS, UDP payload size 4096
Aug 30 10:44:37.626 [19164] dbg: dns: servers obtained from Net::DNS : 
[127.0.0.1]:53, [9.9.9.9]:53
Aug 30 10:44:37.626 [19164] dbg: dns: nameservers set to 127.0.0.1, 9.9.9.9
Aug 30 10:44:37.626 [19164] dbg: dns: using socket module: IO::Socket::IP 
version 0.39
Aug 30 10:44:37.626 [19164] dbg: dns: is Net::DNS::Resolver available? yes
Aug 30 10:44:37.626 [19164] dbg: dns: Net::DNS version: 1.2
Aug 30 10:44:37.627 [19164] dbg: sa-learn: spamtest initialized
Aug 30 10:44:37.627 [19164] dbg: learn: initializing learner
Aug 30 10:44:37.627 [19164] dbg: plugin: 
Mail::SpamAssassin::Plugin::Bayes=HASH(0x88969a8) implements 'learner_sync', 
priority 0
Aug 30 10:44:37.627 [19164] dbg: bayes: bayes journal sync starting
Aug 30 10:44:37.627 [19164] dbg: bayes: bayes journal sync completed
Aug 30 10:44:37.627 [19164] dbg: plugin: 
Mail::SpamAssassin::Plugin::Bayes=HASH(0x88969a8) implements 
'learner_expire_old_training', priority 0
Aug 30 10:44:37.627 [19164] dbg: bayes: expiry starting
Aug 30 10:44:37.627 [19164] dbg: locker: mode is 438
Aug 30 10:44:37.627 [19164] dbg: locker: safe_lock: created 
/var/spool/spamd/.spamassassin/bayes.mutex
Aug 30 10:44:37.627 [19164] dbg: locker: safe_lock: trying to get lock on 
/var/spool/spamd/.spamassassin/bayes with 300 timeout

(does this again, then)

Aug 30 10:54:37.675 [19164] dbg: locker: safe_lock: timed out after 300 seconds
bayes: cannot open bayes databases /var/spool/spamd/.spamassassin/bayes_* R/W: 
lock failed: 
Learned tokens from 0 message(s) (1 message(s) examined)
Aug 30 10:54:37.676 [19164] dbg: plugin: 
Mail::SpamAssassin::Plugin::Bayes=HASH(0x88969a8) implements 'learner_close', 
priority 0
ERROR: the Bayes learn function returned an error, please re-run with -D for 
more information at /usr/local/bin/sa-learn line 500.
Aug 30 10:54:37.678 [19164] dbg: netset: cache trusted_networks hits/attempts: 
0/1, 0.0 %

The running process never gives up (as you can see, it's been chugging along for 
a long time).

How can I see what is preventing the lock on the site-wide?





-- 
They say whisky'll kill you, but I don't think it will I'm ridin' with
you to the top of the hill
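
An added example, not part of the original post: a small parser that pairs each `safe_lock: trying to get lock` record in the `-D` output above with its `timed out` record and reports how long each attempt blocked, rejoining the lines the mail client wrapped. The middle two timestamps in the sample are constructed (the post elides the repeat), and the `year` argument is a placeholder because the stamps carry no year.

```python
import re
from datetime import datetime

# Constructed sample: first and last stamped records follow the post; the two
# in between (the repeat the post elides) use made-up timestamps.
SAMPLE = """\
Aug 30 10:44:37.627 [19164] dbg: locker: safe_lock: trying to get lock on
/var/spool/spamd/.spamassassin/bayes with 300 timeout
Aug 30 10:49:37.650 [19164] dbg: locker: safe_lock: timed out after 300 seconds
Aug 30 10:49:37.651 [19164] dbg: locker: safe_lock: trying to get lock on
/var/spool/spamd/.spamassassin/bayes with 300 timeout
Aug 30 10:54:37.675 [19164] dbg: locker: safe_lock: timed out after 300 seconds
bayes: cannot open bayes databases /var/spool/spamd/.spamassassin/bayes_* R/W:
lock failed:
"""

STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \[(\d+)\] dbg: (.*)$")
TRY = re.compile(r"safe_lock: trying to get lock on (\S+) with (\d+) timeout")
TIMED_OUT = re.compile(r"safe_lock: timed out after (\d+) seconds")

def unwrap(text):
    """Join mail-wrapped continuation lines onto the stamped line before them."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def lock_waits(text, year=2000):
    """Pair each lock attempt with its timeout, keyed by pid."""
    pending, waits = {}, []
    for rec in unwrap(text):
        m = STAMP.match(rec)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        pid, msg = m.group(2), m.group(3)
        if (t := TRY.search(msg)):
            pending[pid] = (when, t.group(1), int(t.group(2)))
        elif TIMED_OUT.search(msg) and pid in pending:
            start, path, limit = pending.pop(pid)
            waits.append({"pid": pid, "path": path, "limit": limit,
                          "waited": (when - start).total_seconds()})
    return waits
```

Every attempt whose `waited` value reaches its `limit` means the lock holder never released during that window, which narrows the search to processes that were alive for the whole span.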



Re: SIGCHLD died

2019-08-16 Thread @lbutlr
On 15 Aug 19, at 23:06 , Bill Cole  
wrote:
> On 15 Aug 2019, at 18:41, @lbutlr wrote:
> 
>> I am getting many many of these errors:
>> 
>> spamd: handled cleanup of child pid [89330] due to SIGCHLD: DIED, signal 11 
>> (000b)
> 
> How fun... A segfault: something in a worker spamd process (a child of the 
> master spamd process reporting the error) tried to access a completely bogus 
> memory address.
> 
> IMHO spamd shouldn't segfault in anything like normal circumstances. It's a 
> Perl script, so most of the easy ways to segfault are blocked by how Perl 
> interprets and precompiles the script.
> 
>> It doesn’t appear to be affecting mail delivery, but still, I’d like to 
>> avoid them.
> 
> Is any scoring being done?

Yes, Spamassassin-milter is checking incoming mail and some few messages are 
getting encapsulated into safe-report mails (though I don’t have any of those 
in the last 24 hours, I never have very many since I am aggressive about 
deleting a lot of spam before it even gets to the Junk folder).

It is possible this is hitting on specific mails (ones too large, perhaps?) or 
that it is a new problem since I updated some packages earlier this week.

>>  /usr/local/bin/perl -T -w /usr/local/bin/spamd -c -Q -u spamd -H 
>> /var/spool/spamd -d -r /var/run/spamd/spamd.pid
>> 
>> Though I don’t recall how those options are set (they are not in rc.conf 
>> like spamass-milter)
> 
> That's the normal place on FreeBSD, but you might have set options in 
> /usr/local/etc/rc.d/sa-spamd

Evidently these are the default flags:

/usr/local/etc/rc.d/sa-spamd:
# Set defaults
: ${spamd_enable:="NO"}
: ${spamd_flags="-c -Q -u spamd -H /var/spool/spamd"}

Seems like a strange set of defaults to me.

(bayes files in /var/spool/spamd/.spamassassin/ are getting at least touched)



-- 
One of the universal rules of happiness is: always be wary of any
helpful item that weighs less than its operating manual. —Jingo
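
An added example, not part of the thread: a parser for the `SIGCHLD: DIED, signal 11 (000b)` records discussed above that names the signal and checks whether the child should have left a core file to debug. It assumes the parenthesised hex field is the raw Unix wait status (consistent with `000b` = 11 on the quoted line); the `008b` record and the last line of the sample are constructed.

```python
import re
import signal
from collections import Counter

# Constructed sample: the first record is the line quoted in the thread (mail
# wrapping kept); the 008b record and the last line are invented for contrast.
SAMPLE = """\
spamd: handled cleanup of child pid [89330] due to SIGCHLD: DIED, signal 11
(000b)
spamd: handled cleanup of child pid [89341] due to SIGCHLD: DIED, signal 11 (008b)
spamd: some unrelated line
"""

DEATH = re.compile(
    r"child pid \[(\d+)\] due to SIGCHLD: \w+, signal (\d+) \(([0-9a-fA-F]{4})\)")

def decode_status(raw):
    """Assumed layout (conventional wait status): bits 0-6 signal, bit 7 core flag."""
    return raw & 0x7F, bool(raw & 0x80)

def child_deaths(text):
    """Return one dict per child death found in the log text."""
    flat = re.sub(r"\s+", " ", text)  # undo mail wrapping before matching
    deaths = []
    for pid, logged, raw in DEATH.findall(flat):
        sig, core = decode_status(int(raw, 16))
        try:
            name = signal.Signals(sig).name
        except ValueError:
            name = f"signal {sig}"
        deaths.append({"pid": int(pid), "signal": name, "core_dumped": core,
                       "matches_log": sig == int(logged)})
    return deaths

def summary(text):
    """Count deaths per signal and list pids whose status has the core flag set."""
    deaths = child_deaths(text)
    return (Counter(d["signal"] for d in deaths),
            [d["pid"] for d in deaths if d["core_dumped"]])
```

A status with the core flag clear, as on the quoted line, means no core file was written for that child, so a backtrace needs core dumps enabled for the spamd user first.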



SIGCHLD died

2019-08-15 Thread @lbutlr
I am getting many many of these errors:

spamd: handled cleanup of child pid [89330] due to SIGCHLD: DIED, signal 11 
(000b)

It doesn’t appear to be affecting mail delivery, but still, I’d like to avoid 
them.

I have spamass-milter running:

  /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -r 
10 -i 65.121.55.40/29 -i 127.0.0.1 -e covisp.net

And spamd:

  /usr/local/bin/perl -T -w /usr/local/bin/spamd -c -Q -u spamd -H 
/var/spool/spamd -d -r /var/run/spamd/spamd.pid

Though I don’t recall how those options are set (they are not in rc.conf like 
spamass-milter) and I’m not sure why it is passing -Q since I currently do 
not have an SQL database setup for Spamassassin. Anyway, the -Q flag says it 
needs -x which is not there, so I suspect this config is wrong, even if it is 
not the cause of the above issue.


 # spamassassin -D 

  [16:40] [~] 
Aug 15 16:40:29.889 [31757] dbg: logger: adding facilities: all
Aug 15 16:40:29.890 [31757] dbg: logger: logging level is DBG
Aug 15 16:40:29.890 [31757] dbg: generic: SpamAssassin version 3.4.2
Aug 15 16:40:29.890 [31757] dbg: generic: Perl 5.028002, PREFIX=/usr/local, 
DEF_RULES_DIR=/usr/local/share/spamassassin, 
LOCAL_RULES_DIR=/usr/local/etc/mail/spamassassin, 
LOCAL_STATE_DIR=/var/db/spamassassin
Aug 15 16:40:29.890 [31757] dbg: config: timing enabled
Aug 15 16:40:29.891 [31757] dbg: config: score set 0 chosen.
Aug 15 16:40:29.894 [31757] dbg: util: running in taint mode? yes
Aug 15 16:40:29.894 [31757] dbg: util: taint mode: deleting unsafe environment 
variables, resetting PATH
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/usr/local/bin', keeping
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/root/bin', keeping
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/usr/local/bin', keeping
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/usr/local/bin', keeping
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/sbin', keeping
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/bin', keeping
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/usr/sbin', keeping
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/usr/bin', keeping
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/usr/local/sbin', keeping
Aug 15 16:40:29.894 [31757] dbg: util: PATH included '/usr/local/bin', keeping
Aug 15 16:40:29.895 [31757] dbg: util: final PATH set to: 
/usr/local/bin:/root/bin:/usr/local/bin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
Aug 15 16:40:29.897 [31757] dbg: util: secure_tmpfile created a temporary file 
/tmp/.spamassassin31757VFYz2Vtmp



-- 
If a pig loses its voice, is it disgruntled?

  Current Song: Pearl by Chapterhouse from Pearl - EP (5:16)



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-04 Thread @lbutlr
On 3 Jul 2019, at 05:08, Stephan Seitz  
wrote:
> By the way is this plugin necessary if you are using postfix/postscreen with 
> your DQS key?

That was my question as well.


