Re: SUBJECT_ENCODED_TWICE really wrong?
On 4/25/07 11:15 PM, John Wilcock wrote:

Andy Spiegl wrote:

But the score for SUBJECT_ENCODED_TWICE is pretty high: 1.723 How does that justify?

No doubt it is justified by the fact that the corpora used to determine SpamAssassin scores don't contain enough non-English-language content. You'll almost certainly find that you want to lower the score for this rule (and other rules such as SUBJ_ILLEGAL_CHARS which tend to cause FPs on genuine non-English mail).

John.

I've had to reduce the SUBJ_ENCODED_TWICE score (to .001 so i know it hits but so it doesn't have any impact) because it's basically required to handle long 2-byte subject encoding. I've left SUBJ_ILLEGAL_CHARS as is because the subject really shouldn't contain raw non-ascii characters, it should be encoded.

So far I haven't had any problems with this combination.

just my 2 yen worth.

Alan
Re: spam
Coffey, Neal wrote:

Rosenbaum, Larry M. wrote:

This matches the spam message, but it also matches messages where the number is followed by a blank line and more text, which is a false positive. In all cases I got the same results. What am I missing?

Try a compound rule. Look for the number, and then anything that's not a number. (Mind the line wrapping, of course.)

body ORNL_B0RKEN1_SHORTNUM /^\d{3,5}\n{1,3}$/s
body ORNL_B0RKEN1_BODYTEXT /[a-zA-Z]/
meta ORNL_B0RKEN1 (ORNL_B0RKEN1_SHORTNUM && ORNL_B0RKEN1_BODYTEXT)
describe ORNL_B0RKEN1 B0rken spamware, message just contains a short number
score ORNL_B0RKEN1 1.0

That'll prevent the rule from matching if there's so much as a single letter in the body.

Actually, that'll only hit if there's a 3-5 digit number followed by 1 to 3 \n characters *AND* there *ARE* alphabetical characters in the body. I'm guessing this isn't what you want.

your meta should probably look like

(!ORNL_B0RKEN1_BODYTEXT && ORNL_B0RKEN1_SHORTNUM)

(this is untested, but should work as expected)

Alan
Re: How to examine a system and determine the mail delivery agent.
Don Saklad wrote:

How would, where would a mail transfer agent tell you the mail delivery agent for the system at hand?...

Developing instructive information without acronyms, without industry jargon that complete novices, neophytes can use easily is the heart of the matter.

Don, to my knowledge, there is no way to determine the MDA (mail delivery agent) without having access to the mail server's configuration files.

Alan
Re: Problem with spam from non-existent users of my domain.
Steven W. Orr wrote:

On Tuesday, Nov 28th 2006 at 08:09 -0800, quoth John D. Hardin:

=On Tue, 28 Nov 2006, Steven W. Orr wrote:
=
= Spam comes in to steveo from [EMAIL PROTECTED] and I want to
= reject it because it's coming from an address that doesn't exist.
= Sendmail does not support this; i.e., it can only reject mail *to*
= an address that doesn't exist.
=
= Is there a way to do this?
=
=First off, what exactly do you mean by does not exist? The domain
=is not registered? Or the username is not valid within the domain?

Sorry, I was afraid this might not be clear. I want to find a way to reject/tag all messages that come From the syslang.net domain (I am that domain) which are From a user which does not exist. I'm not talking about messages coming in that have a From address that is not syslang.net.

One more example to be clearerer. This message came in from someplace in Russia (maybe), to syslang.net and claims to come from bs at syslang.net. I don't have a bs on my machine. If it helps, I'd even be willing to create a file with a list of all of my valid account names.

...snip...

So this idea is to reject all mail from invalid accounts that claim to be coming from my own domain.

...snip...

Steven, you should be able to do this pretty easily within MIMEDefang. you could put a routine in the filter_sender() subroutine that does something like a getpwent on the user portion of the sender address if the domain portion is in your domain. (there are probably plenty of ways to do this)

on top of that, if you have any control over your DNS settings (and your DNS provider supports TXT records) you may want to consider configuring SPF. SPF is designed (in part) to reduce this type of scenario.

so, with SPF what will happen is, some machine in RU connects to you and sends a MAIL FROM: [EMAIL PROTECTED] ... the SPF checks will lookup the SPF information from your DNS records and determine if that host in RU is allowed to send mail for your domain. if not, it gets a score boost. (or with something like MIMEDefang you could just reject on failed SPF if you chose to)

hope this helps,

Alan
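The sender check suggested in the reply above (look up the user part of the envelope sender when the domain part is one of your own), written out as an added example; it is not code from the thread or from the MIMEDefang distribution. The domain `example.org`, the alias list and the `$account_exists` hook are assumptions made for the illustration, and the senders in the demonstration are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: domains this server is authoritative for (placeholder value).
my %local_domain = map { lc($_) => 1 } qw(example.org);

# Assumption: addresses that exist only as aliases and have no passwd entry.
my %alias = map { $_ => 1 } qw(postmaster abuse mailer-daemon);

# Account lookup, kept behind a code ref so it can be replaced by a file of
# valid account names. The default asks the system password database.
our $account_exists = sub { defined getpwnam($_[0]) };

# MIMEDefang calls filter_sender() at MAIL FROM and expects (code, message).
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;

    # The envelope sender arrives as "<user@domain>"; strip the brackets.
    (my $addr = $sender) =~ s/^<(.*)>$/$1/;

    # The null sender "<>" is used by bounces and must not be rejected.
    return ('CONTINUE', 'ok') if $addr eq '';

    # Split on the last "@"; leave malformed senders to other checks.
    my ($user, $domain) = $addr =~ /^(.+)\@([^\@]+)$/;
    return ('CONTINUE', 'ok') unless defined $domain;

    # Only senders claiming one of our own domains are looked up.
    return ('CONTINUE', 'ok') unless $local_domain{ lc $domain };

    # Drop a "+detail" suffix and compare case-insensitively.
    ($user = lc $user) =~ s/\+.*$//;

    return ('CONTINUE', 'ok') if $alias{$user} || $account_exists->($user);
    return ('REJECT', "Sender <$addr> is not a valid user in $domain");
}

# Demonstration with constructed senders and a fixed account list, so the
# output does not depend on the accounts of the machine it runs on.
unless (caller) {
    my %valid = map { $_ => 1 } qw(steveo alice);
    local $account_exists = sub { $valid{ $_[0] } };

    for my $sender ('<bs@example.org>', '<steveo@example.org>',
                    '<Alice+lists@Example.ORG>', '<postmaster@example.org>',
                    '<someone@elsewhere.example>', '<>') {
        my ($code, $msg) = filter_sender($sender, '192.0.2.10',
                                         'host.invalid', 'helo.invalid');
        printf "%-30s %-8s %s\n", $sender, $code, $msg;
    }
}
```

MIMEDefang only calls filter_sender when mimedefang is started with the -s option. The check catches senders that do not exist; a forged sender that names a real account passes it, which is the case the SPF check in the same reply covers.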
Re: netset: cannot include w.x.y.z as it has already been included
Matt Kettler wrote:

Gilles Hamel wrote:

Hello,

We are running v3.1.5 with mimedefang. Here is our setup :

our own MTA with spamassassin ---/-- MTA at our ISP, our MX is HERE w.x.y.z / INTERNET

In the local.cf file we have :

trusted_networks w.x.y.z # Our MX

Every time mimedefang spawns a child, we get this warning in log file. If we remove the trusted_networks parameter, the warning vanishes. Can you explain the reason of this warning ?

Thank you

Is there a duplicate setting in some other config file, ie: sa-mimedfang.cf?

I've just done a new install of mimedefang 2.58 with spamassassin 3.17 and have confirmed that there are no duplicate settings in any of the config files in /etc/mail/spamassassin. also /etc/mail/sa-mimedefang.cf is a symbolic link to /etc/mail/spamassassin/sa-mimedefang.cf for forwards compatibility.

the error happens once each for every network included in either trusted_networks or internal_networks.

as an example in sa-mimedefang.cf:

trusted_networks 1.1.1.1/32 2.2.2.2/32
internal_networks 127.0.0.1/32 3.3.3.0/24

the error in my log files are:

mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 1.1.1.1/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 2.2.2.2/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 127.0.0.1/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 3.3.3.0/24 as it has already been included

This doesn't appear to be causing any problems, however.

cross-posting to mimedefang list as well.

Alan
Re: How do i catch this
Suhas (QualiSpace) wrote:

Hi,

How do I catch these types of mails?

Received: from wk-2022 [125.92.211.28] by ourdomain.com (SMTPD-8.22) id AF800E44; Wed, 01 Nov 2006 01:32:32 -0500
Received: (qmail 1474 invoked by uid 0); Wed, 1 Nov 2006 14:30:22 -)
Received: from unknown (HELO evmneyumjf) (192.168.1.7) by 192.168.1.21 with SMTP; Wed, 1 Nov 2006 14:30:22 -
Date: Wed, 1 Nov 2006 14:25:22 +0800
From: adam [EMAIL PROTECTED] http://mail.mirackle.com:8383/Xb8439bcf99989399cf9e911fc4cb/newmsg.cgi?mbx=Main[EMAIL PROTECTED]
Mime-Version: 1.0
To: [EMAIL PROTECTED]
Subject: This is not shown on TV.
Content-Type: multipart/mixed; boundary=---D502AA0C7D660BFD
Message-Id: [EMAIL PROTECTED] http://mail.mirackle.com:8383/Xb8439bcf99989399cf9e911fc4cb/newmsg.cgi?mbx=Main[EMAIL PROTECTED]
X-Envelope-From:[EMAIL PROTECTED] http://mail.mirackle.com:8383/Xb8439bcf99989399cf9e911fc4cb/newmsg.cgi?mbx=Main[EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on server1
X-Spam-Level:
X-Spam-Status: No, score=4.0 required=4.5 tests=BAYES_80,RCVD_BY_IP, SARE_GIF_ATTACH autolearn=no version=3.0.1

You're getting really close, I bet if you turned on network tests you'd be fine. You may also want to look into setting up DCC and/or Razor as well.

HTH

Alan
Re: why this spam has a negative score?
[EMAIL PROTECTED] wrote:

I edit my setting to:

whitelist_from_rcvd * fw.muvalmez.cz

the spam with negative score is coming through spamassassin again

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on fw.muvalmez.cz
X-Spam-Status: No, score=-80.5 required=5.0 tests=BAYES_50,DC_GIF_UNO_LARGO, DC_IMAGE_SPAM_HTML,DC_IMAGE_SPAM_TEXT,DC_IMG_HTML_RATIO, DC_IMG_TEXT_RATIO,EXTRA_MPART_TYPE,HTML_90_100,HTML_IMAGE_ONLY_08, HTML_MESSAGE,MIME_HTML_MOSTLY,MY_CID_AND_CLOSING,MY_CID_AND_STYLE, SARE_GIF_ATTACH,SARE_GIF_STOX,UNPARSEABLE_RELAY,USER_IN_WHITELIST
^^

You don't happen to have [EMAIL PROTECTED] in your whitelist do you?

Alan
Re: Calling Regex Experts
D.J. wrote:

OK, I'm stumped. I need to create a regex that will match if anything other than two terms I've specified exist. So for example, I have two terms I like, say cat and dog. I want the rule to match if a string contains anything other than cat or dog. I tried ...

$value !~ /cat|dog/

...but this had the unintended consequence of still matching a string like cat dog bird or cat bird since the string does contain one of my two terms. So what do I need to do? Thanks in advance!

- D.J.

D.J., you're probably best off using META rules for this. So you could have something like (completely untested and off the top of my head in the middle of the night):

body __CAT /cat/
body __DOG /dog/
meta NOT_CAT_AND_DOG (!__CAT && !__DOG)

you should definitely check the man pages and/or wiki about writing rules to do this properly, but that should get you started.

Alan
Re: HUMOR: Gap needs to fire Marketing people.
snip...

And the first thing in the Ham was about adding their address to your contacts to make sure you get their email. If they were so worried, they would write better marketing emails.

--Chris

Maybe you should send them an email to tell them that. Help educate the masses!
Re: How to detect current images-only messages?
jdow wrote:

From: Chris Santerre [EMAIL PROTECTED]

From: Yves Goergen [mailto:[EMAIL PROTECTED]

Hello,

I keep receiving messages that consist of nothing but composed images. They're HTML messages with only img/ tags in them. There seems to be a rule that checks if the message has *any* image and compares it to its length. That gave my spam some scores recently but not so today. I received a message that looks just like the others but has no score at all due to the fact that it only consists of images.

Is there any way to detect this type of message with SpamAssassin? I cannot think of a regular expression that would do it, and even if I could, SA offered no way to match it reliably. (See the line-by-line problem with 'rawbody' and encoding problems with 'full'.)

I keep hearing this is a problem, but I'm not seeing it on my end. Most are being caught: I'll have to adjust for those 2. :)

In case he means no score and no SA markup there is still a way this can happen. If an email comes in during a very tiny window when spamd is reloading its configuration (-HUP) the email can sneak through.

{^_^}

Of course this can also happen if the message size is greater than the upper size limit set (default 250k) ... being that it's an image only, I'd say it's definitely a possibility. (I've seen that happen on my system in the past)

Alan
Re: FP's on BAD_ENC_HEADER in bounces from Microsoft SMTPSVC
Nick Leverton wrote:

[snip]

We don't have an M$ mail server (and I for one don't want one). We're a Unix shop, as qmail and qpsmtpd in our own headers shows :)

I'm quite prepared to believe this is a MS bug, it certainly looks like it. But it seems to be a long term one - seen in emails from SMTPSVC versions 5.0.2195.6713 and 6.0.3790.1830. Remote MS servers, configured for foreign languages, sending genuine non-spam bounces to non-spam mails cause SA to FP on this rule.

Nick

Nick,

As much as I'd like to say yeah, it's yet another bad MS program ... i'm not entirely convinced of that. We used to run Exchange 2000 with Japanese DSN messages and I'm certain that we didn't have this problem. As such, I suspect that the organizations that are using these particular Exchange servers have probably just mis-configured them.

Of course I find it curious that they would use utf-7 encoding instead of utf-8 (which seems more widely accepted).

Alan
Re: FP's on BAD_ENC_HEADER in bounces from Microsoft SMTPSVC
Nick Leverton wrote:

[snip]

Subject: =3D?unicode-1-1-utf-7?Q?+kU1P4XK2YUuQGnfl- =20 (+MKgw6TD8-)?=3D

Aside from the QP scatter, this subject doesn't look like it's properly encoded. if memory serves, if the encoded subject needs to be broken across multiple lines, each line needs to have its own encoding start/end tags. so it should look something like:

Subject: =?unicode-1-1-utf-7?Q?encoded_part?=
 =?unicode-1-1-utf-7?Q?more_encoded_part?=

(someone correct me if i'm wrong)

Of course it's hard to tell because of the QuotedPrintable encoding artifacts, but it looks like your MS mail server is in some way misconfigured. Either that or something else is wrapping the headers and breaking the encoding.

HTH

alan
Re: RCVD_IN_WHOIS_BOGONS mis-firing since 3.13 upgrade
Rolf wrote:

I have just noticed the same thing. Increase in false positives due to that rule telling me the upstream mail server addresses (which I don't control) have been listed in combined-HIB.dnsiplists.completewhois.com. Which is not right for any reason - they ought not be there. Looking around at www.completewhois.com I cannot find those addresses at all. I've had to change the score of the rule to zero as it's hitting every piece of mail as they all pass through those upstream servers. Any suggestions would be appreciated.

thanks

[snip]

I've filed a bug report on this issue, if you'd care to contribute any details or useful information.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4951

Alan
Re: TextCat and ok_languages
Ben Wylie wrote:

With --lint, I am getting the following error:

[2900] warn: config: failed to parse, now a plugin, skipping: ok_languages en fr es

I have looked up the docs here:

http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_TextCat.html

and it seems to say that a setting of:

ok_languages en fr es

is acceptable. I have it in my local.cf

Why am I getting this error message?

Thanks

Ben

Ben, make sure that you have the textcat plugin loaded in either your init.pre or v3xx.pre files. you don't want to load the plugin in your local.cf file as it'll load after any of the rules that call it do and will therefore not be usable.

of course, after making those changes be sure to restart spamd if you're using it.

HTH

Alan
RCVD_IN_WHOIS_BOGONS mis-firing since 3.13 upgrade
I was using 3.1.0 until today on my mail server at work and after the upgrade suddenly I'm seeing a lot of RCVD_IN_WHOIS_BOGONS misfiring.

one example of a sender domain that triggered is d.dena.ne.jp which doesn't directly resolve, but ns.dena.ne.jp resolves to 64.56.174.130 which shows as a network that appears in the allocated-netrange-arin_after1995.txt on completewhois.com [1]

I've checked my trusted_networks and that seems to be OK... if i let the trusted_network be auto-determined (i.e. not set manually) or if i set it manually I get the same results. The machine is on a global network with a separate interface on an internal network.

DISGUISE_PORN_MUNDANE appears to be hitting on Japanese text as well. I'm only seeing the tests in the mail logs so I don't have any actual headers at the moment.

can anyone offer any ideas as to where I should look or what might be happening?

here's some debug info that might be useful:

[4392] dbg: dns: is Net::DNS::Resolver available? yes
[4392] dbg: dns: Net::DNS version: 0.57
[4392] dbg: diag: perl platform: 5.008005 linux
[4392] dbg: diag: module installed: Digest::SHA1, version 2.11
[4392] dbg: diag: module installed: Net::SMTP, version 2.29
[4392] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[4392] dbg: diag: module installed: IP::Country::Fast, version 604.001
[4392] dbg: diag: module installed: Razor2::Client::Agent, version 2.67
[4392] dbg: diag: module not installed: Net::Ident ('require' failed)
[4392] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[4392] dbg: diag: module installed: IO::Socket::SSL, version 0.97
[4392] dbg: diag: module installed: Time::HiRes, version 1.87
[4392] dbg: diag: module installed: DBI, version 1.45
[4392] dbg: diag: module installed: Getopt::Long, version 2.34
[4392] dbg: diag: module installed: LWP::UserAgent, version 2.032
[4392] dbg: diag: module installed: HTTP::Date, version 1.46
[4392] dbg: diag: module installed: Archive::Tar, version 1.29
[4392] dbg: diag: module installed: IO::Zlib, version 1.04
[4392] dbg: diag: module installed: MIME::Base64, version 3.07
[4392] dbg: diag: module installed: HTML::Parser, version 3.54
[4392] dbg: diag: module installed: DB_File, version 1.810
[4392] dbg: diag: module installed: Net::DNS, version 0.57

Thanks,

Alan
Re:
Dan Massey wrote:

Hi All

I hope somebody on the list can help me here. Our set-up is as follows:

Internet -- Spam Gateway -- pop server/exchange server

we are using:

FreeBSD 6.1
Sendmail 8.13 forwards mail via smtp from mailertable
spamass-milter
spamassassin 3.1.3

Our problem is that we want to send everything marked as spam to a separate smtp server to create customer spam traps but allow the rest of the mail to be forwarded by smtp to the original popserver or smtp server.

Is this possible with sendmail?

Thanks in advance for your time

Dan

Dan, you could use a MILTER such as MIMEDefang as an alternative to spamass-milter to give you the ability to do that fairly easily. (assuming you're familiar with Perl programming to a certain degree)

HTH

alan
Re: LOCAL_RCVD
Justin Mason wrote:

Shelley Waltz writes:

Spamassassin 2.63-1/amavisd-new-20030616-p8

I am trying to configure spamassassin such that any email originating from my domain is not spam tagged. I have tried in local.cf both these syntaxes.

header LOCAL_RCVD Received =~ /.*\(\S+\.myhost\.mydom\.edu\s+\[.*\]\)/
header LOCAL_RCVD Received =~ /\S+\.myhost\.mydom\.edu\s+\(.*\[.*\]\)/

In each case only one rule will work for one particular received from header. I have these two styles (one from mozilla, and one from webmail)

Received: from [192.168.1.10] (myhost.mydom.edu [192.168.1.10])
Received: from webmail.mydom.edu (localhost.localdomain [127.0.0.1])

Is there a rule which will work for both, or is there a simpler way to achieve this result, ie, to not filter locally originating mail?

use trusted_networks; this is what ALL_TRUSTED is for.

--j.

Justin,

The OP is using SA version 2.63 which, if not mistaken, doesn't have the trusted_networks settings in it. (I could be wrong)

That being said, You should definitely look into upgrading to at the very least 2.64 as 2.63 is vulnerable to DoS attacks in certain situations. (if memory serves)

now, with regards to the rules, you could use meta rules to test for either the first or the second pattern. something like this (untested):

[beware of line wraps]

header __LOCAL_RCVD1 Received =~ /(?:\S+\.myhost\.mydom\.edu\s+\[.{0,20}\])/
header __LOCAL_RCVD2 Received =~ /\S+\.myhost\.mydom\.edu\s+\(.{0,20}\[.{1,15}\]\)/
meta LOCAL_RCVD (__LOCAL_RCVD1 || __LOCAL_RCVD2)
score LOCAL_RCVD 0.01

(score as appropriate)

HTH

alan
Re: Spam and the Internet [Was: xxxl spam]
Matt Kettler wrote:

...snip...

Here's one, if you want to see it:

http://mywebpages.comcast.net/mkettler/spam.jpg

There's pretty close to zero chance that anyone in the US is going to hop on a plane and fly to Guatemala to buy ordinary lawn care products from a small store. But that's the kind of ads I'm getting.

but they've got heart-shaped pancake molds... you wouldn't fly to Guatemala for that? and at Q.29?! what a bargain!

(heh, i couldn't resist)
Re: Non-English languages
Kenneth Porter wrote:

...snip...

To those of you who've successfully learned 2nd and 3rd languages as an adult, what do you recommend for accomplishing that?

Kenneth,

I started learning Japanese when I was 30. (I feel so old saying it like that) ... anyways, I started with a teach yourself Japanese book and a computer program to help. after that I took courses after work at my local community college. *THEN* I moved to Japan and really started to learn :p

Anyways, I've learned a number of programming languages since I was young. I applied the same techniques to learning Japanese (specifically with reading/writing (or typing as the case may be)) and made sure I had good reference materials handy.

also, I got involved with the Japanese communities on iVisit which helped a lot too.

alan
Re: 1.72 SUBJECT_ENCODED_TWICE Subject: MIME encoded twice
Kai Schaetzl wrote:

I just saw that a normal Ebay outbid notice hit two high-score rules. One is from sare-spoof and I already contacted the maintainer. But one is in the default 3.1.1 ruleset and I think this rule should get completely removed or get a score of 0. It's

1.72 SUBJECT_ENCODED_TWICE Subject: MIME encoded twice

From grepping the rules it does what it says: it checks if there are two B/Q encoding identifiers in the subject. Why is this scoring with 1.72 or at all? This is absolutely valid Q/B encoding and actually *required* by RFC if your subject line is longer than 80 (or was it 72?) characters (minus the encoding, so it's actually more like a 60 raw character limit). This rule will hit on *lots* of non-ASCII mail and on almost all mail coming from Ebay Germany.

There are also the rules SUBJECT_EXCESS_QP and SUBJECT_EXCESS_BASE64 which are similar. QP scores 0 and BASE64 scores 0.449. This is much more reasonable.

Kai

This utterly wreaks havoc on just about all Japanese email, so I dropped the score to nearly nothing.

alan
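The point made in this message, and in the earlier SUBJECT_ENCODED_TWICE and BAD_ENC_HEADER replies on this page, is that a long non-ASCII Subject has to be split into several RFC 2047 encoded-words, one per folded line. The following added example shows that mechanism; it is not code from the thread or from SpamAssassin. `count_encoded_words` is a stand-in for "two B/Q encoding identifiers in the subject" as the rule is described above, not SpamAssassin's actual pattern, and the sample subjects are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                            # the sample subjects are UTF-8 literals
use Encode qw(encode decode);
use MIME::Base64 qw(encode_base64);

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
my $ENCODED_WORD = qr/=\?[^?\s]+\?[BbQq]\?[^?\s]*\?=/;

# Build one encoded-word (UTF-8, base64) from a run of characters.
sub encoded_word {
    my ($chars) = @_;
    return '=?UTF-8?B?' . encode_base64(encode('UTF-8', $chars), '') . '?=';
}

# Encode a Subject value. An encoded-word may be at most 75 characters and a
# header line containing one at most 76, so the text is cut on character
# boundaries and each piece becomes its own encoded-word on a folded line.
sub encode_subject {
    my ($text) = @_;
    return $text unless $text =~ /[^\x20-\x7e]/;   # printable ASCII: no encoding

    my $limit = 76 - length('Subject: ');          # room left on the first line
    my ($chunk, @words) = ('');
    for my $ch (split //, $text) {
        if (length(encoded_word($chunk . $ch)) > $limit) {
            push @words, encoded_word($chunk);
            ($chunk, $limit) = ('', 75);           # continuation: 1 space + 75
        }
        $chunk .= $ch;
    }
    push @words, encoded_word($chunk) if length $chunk;
    return join("\n ", @words);
}

# Stand-in for the rule as described in the thread: how many encoded-words
# does the raw Subject value contain?
sub count_encoded_words {
    my ($raw) = @_;
    my $n = () = $raw =~ /$ENCODED_WORD/g;
    return $n;
}

# Demonstration on constructed subjects: plain ASCII, short and long Japanese.
unless (caller) {
    my @samples = (
        [ 'ascii'         => 'Meeting notice' ],
        [ 'short non-ascii' => '会議のお知らせ' ],
        [ 'long non-ascii'  =>
          '【重要】来週の定例会議の日程変更と会議室の予約についてのお知らせ（総務部より）' ],
    );
    for my $sample (@samples) {
        my ($label, $text) = @$sample;
        my $raw  = encode_subject($text);
        my $back = decode('MIME-Header', $raw);    # unfolds and joins the words
        printf "%s (%d characters): %d encoded-word(s), round-trip %s\n",
            $label, length($text), count_encoded_words($raw),
            ($back eq $text ? 'ok' : 'FAILED');
        print "Subject: $raw\n\n";
    }
}
```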
Re: 2nd mail server problem
Joshua, C.S. Chen wrote:

Looks like I have to enable SA in the 2nd server. It might be a spam hole if the spam sent to 2nd first, then forcibly relayed to the primary.

Sorry for the late response, I'm just catching up on some backlog.

Here's my personal opinion: your secondary mail server should have stronger restrictions on it than your primary mail server. The reason I say this is because for some time now it has been a common spammer practice to hit your secondary, tertiary, etc. MX servers first with the assumption that they are typically configured with fewer restrictions or merely, as yours is, as a store-and-forward.

For specific reasons I'm unable to implement greylisting on my primary MX server however, it's perfectly acceptable for me to enable it on my secondary MX server. On top of that, I have value user checks, antivirus checks and share the bayes database (using MySQL) with the primary MX server for spamassassin checks.

Because your secondary MX is in place for in case the primary mail server fails you should have to have the same kind of horsepower. my secondary server is significantly lower powered than my primary MX server. in the case that the primary server is still running, the secondary will most likely only be dealing with SPAM anyways, and it won't matter if it takes awhile to process those messages. in the case that the primary server is down, well, your users aren't going to be getting their email anytime soon anyways so it shouldn't matter if it takes a bit more time to process those incoming mails.

if the mail coming into the 2nd MX server is SPAM, it should reject it (not bounce) properly either way, if it's not SPAM, it should accept it and then pass it off to the primary MX server once it's back up and running.

this scenario has been working well for us here for the past 2 years or so.

Alan
Re: Couple of newbie questions... (repost)
Philip Prindeville wrote:

Matt Kettler wrote:

Philip Prindeville wrote:

I.e. any provider or country that doesn't have an institutional policy of prosecuting spam senders...

Erm, so you're going to block all of the US, correct?

No. We have laws against spam that hopefully most legitimate ISP's attempt to conform to.

Interestingly enough, Japan also has laws against spam that most legitimate ISPs attempt to conform to. You probably weren't aware of that.
Re: OKAY I'am the black man !!!
Matt Kettler wrote:

At 02:35 PM 12/3/2005, you wrote:

:) ... shoot me! [this was 1 (one) line]greetings Chris :))

I can't speak for others on the list, but it's not my intention to shoot, attack, or insult you. I've asked some pointed questions, and made some pointed suggestions about problems in your script, but I'm not doing so to insult you.

I asked how it differed from RDJ because I seriously wanted to know.

I pointed out you should remove antidrug.cf because everyone should unless they're using really old versions of SA. Regardless, antidrug.cf by that name will never be upgraded again, except to replace it with a warning message pointing out the new filenames. Hence, it's pointless to have an auto-update script checking it now, even for users of SA 2.64.

That's not an attack, but an honest suggestion to fix an error in your script and improve it.

I think he was responding to Kai Schaetzl's Re: lint only on rule file HURRAAAYY its WORKING response in which he suggested Chris not send 1800 lines of text to the SA mailing list.

alan
Re: any extra language effort for SA? (esp. Asian SPAM)
Jason Haar wrote:

Hi there

I just did a stat-run on email I received 31st Oct, and found that of the mail SA scored lower than 5/5 (i.e. SA classified as ham), a large amount was SPAM. In fact it only caught 80% of the SPAM I received that day (this is with SA 3.1.0)

Of that I was able to tell that the vast majority of missed SPAM was actually Asian SPAM - the Subject: lines alone were 100% non-ASCII - bit of a give-away as I am ignorant and can't speak anything but Kiwi-English ;-)

If I removed that Asian SPAM from the figures, the effectiveness of SA shot up to 98% - pretty darn good!

Now personally I can run SA on my workstation with ok_locales en and bang extra points onto non-English mail - but I certainly can't do that for our company as a whole - which has customers from every country/nationality, etc.

So the only thing I can think of is that there appears to be a need for more non-English rulesets to add points for different language usages of viagra/porn/whatever.

Am I correct in my thinking, and if so is the SA group getting help from non-English developers to make this happen? I see a couple of body_test rules that appear to be for Spanish and Polish - but no others?

Jason, I know that I have personally contributed some rules to catch certain phrases in Japanese, however this seems like a really scenario for manual bayes training. While the auto-learning is convenient and often good enough, I think the general consensus is that you should do at least a certain bit of manual training so that your bayes databases better represent your mail traffic patterns.

hope this helps,

alan
Re: Would like to rewrite arbitrary headers
[EMAIL PROTECTED] wrote:
> Greetings, battlers.
>
> I would like to rewrite headers on incoming spam without having SA prepend X-Spam- to them. Two reasons:
>
> First, I want to get rid of Disposition-Notification-To because many of my users configure their Outlook to automatically honour delivery notifications. That creates an outgoing email when they read or delete a spam message.
>
> Second, I have a set of GroupWise users. They cannot write rules on arbitrary headers, such as X-Spam-Flag. Instead, they can only write rules based on a list of headers that Novell have chosen, none of which begins with X-Spam-.
>
> Sadly both of these reasons sound lame: daft Outlook users and a daft Novell application. However there's nothing I can do about that so I'm going to hack SA instead.
>
> Does anyone else have similar needs? Is such a feature already in the works?
>
> Thanks in advance.

If you're using Sendmail as your MTA, you could use MIMEDefang (a milter) to do that very easily.

alan

Re: Using spam tools for viruses
Thomas Cameron wrote:
> Howdy -
>
> I recently responded to a thread on a local LUG mailing list where a guy wanted to report a virus as spam. I have always thought that using a spam tool to fight viruses was wrong, and I said so. He asked why, and basically my response was use the right tool for the job, as in use a virus tool for viruses, and use a spam tool for spam.
>
> What is the conventional wisdom on this list? Should viruses be reported as spam? If so, why? If not, why not?
>
> Thanks!
> Thomas

Thomas,

here's my 2 cents worth.

It seems like you have two separate scenarios you're talking about here. actual virus protection and separate, reporting.

I personally think it's important (also) to use the right tools for the right job, therefore I use both anti-virus software *AND* anti-spam software. It's also important to understand what these products do and what their individual limitations are and how to get them to complement each other in your installation.

with regards to reporting a virus as spam, If the virus is sending an email that is spammy, I think it doesn't hurt to record and report those emails as spam. It will help to train your bayesian database and also help community services (i.e. DCC, Spamcop, Razor, etc) to provide information about the characteristics of that mail. HOWEVER; reporting the virus signature is a different story. I don't think the actual virus signature should be reported as spam.

lastly, there's the general logic of do you want one product that does a whole bunch of things but in a mediocre way? or do you want a bunch of products that do one thing really really well?

alan

Re: Special rules ...
Garry Glendown wrote:
> I've run into kind of a problem at a customer installation, someone suggested part of my problem could be solved w/ SpamAssassin, though at the moment it might still miss some features required ...
>
> Here we go ...
>
> This customer before had (and is still in the process of changing over from) Novell w/ Tobit David. While the whole system might be a POS considering a decent Unix system :) it had some features that come in handy - specifically the customer had been able to define what happened with certain mails. Before, he was able to:
>
> - quarantine large files for admin approval
> - quarantine certain file types for admin approval
> - limit number of recipients, mails exceeding the number would be quarantined again
>
> plus a couple of other minor things that I could implement easily w/MailScanner or similar tools.
>
> Now, I could limit the recipients, but it's an all or nothing situation at the moment (running sendmail, which I would rather not change if possible). From browsing the docs, I found config options for the .cf files that might allow me to change the recipient header to somebody else if certain rules are met. What I did not find, either overlooked, by not knowing what to look for, or because it's simply not there, are the points listed above. In that combination (I can block files types w/ Mailscanner, but again, they would not be brought to the admin's attention).
>
> So, is there any chance of implementing the above features with SpamAssassin, or does anybody happen to know a tool that might be able to? I'd be willing to go through the sources to tweak them a bit for added features, too, if someone could point me towards the general direction ... (not really much of a Perl hacker, though, rather do C...)
>
> Tnx, -garry

Garry,

from what it sounds like, you should be able to accomplish all that (and more) with Can-IT Pro ... it's a commercial product based on the MIMEDefang engine.

You can probably do it all with MIMEDefang, but since you said you're not much of a Perl hacker, it'd be easier for you to go with the already-feature-rich commercial product. (at least look at it)

you can check out http://www.mimedefang.org/ or http://www.roaringpenguin.com/ for references for both respectively.

HTH

alan

TextCat usage and language dependent rules
I've looked thru the documentation and the wiki, etc. and haven't found any clear information on how to use the TextCat plugin.

previously I used the config file switch ok_languages en ja ko ...

after upgrading to 3.10 and uncommenting the textcat plugin spamassassin -D --lint isn't returning any parsing errors on that line, but i'm not sure if it's actually taking effect.

Also, tests like PLING_QUERY and GAPPY_SUBJECT which were properly skipped for ISO-2022-JP encoded mail are starting to hit again.

additionally, SUBJECT_ENCODED_TWICE is hitting quite a lot, but double-encoding is normal for Japanese mail. often the mail client used to send mail will take a long subject and break it into multiple lines, each with the iso-2022-jp encoding. This is more than likely due to the 2-byte characters and line length limitations. (do i need to file a bug report on this?)

can someone give me some insight into how the textcat plugin stuff works and what I should be expecting to see as a result of enabling it and leaving the ok_languages directive set?

Thanks,

alan

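The subject folding described in the post above can be reproduced with a standards-following encoder. This is an added example, not part of the original post: it uses Python's `email.header` to encode a long Japanese subject as ISO-2022-JP and counts the resulting RFC 2047 encoded-words. The sample subject and all function names are constructed for illustration.

```python
import re
from email.header import Header, decode_header, make_header

# Constructed sample: a long Japanese subject of the kind an ordinary client sends.
SAMPLE_SUBJECT = (
    "スパムアサシンの設定について質問があります。"
    "長い件名は複数の行に分割されて送信されます。"
)

# One RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def encode_subject(text, charset="iso-2022-jp", maxlinelen=76):
    """Return the raw Subject value a compliant client would put on the wire."""
    header = Header(text, charset=charset, maxlinelen=maxlinelen,
                    header_name="Subject")
    # Long values come back folded: one encoded-word per line, joined by "\n ".
    return header.encode()


def encoded_words(raw_value):
    """List every encoded-word in a raw (still folded) header value."""
    return [m.group(0) for m in ENCODED_WORD.finditer(raw_value)]


def decode_subject(raw_value):
    """Decode a raw header value, joining adjacent encoded-words as a reader would."""
    return str(make_header(decode_header(raw_value)))


def describe(raw_value):
    """Summarise what a header-inspecting rule would see in the raw value."""
    words = encoded_words(raw_value)
    return {
        "encoded_words": len(words),
        "longest_word": max((len(w) for w in words), default=0),
        "charsets": sorted({ENCODED_WORD.match(w).group(1).lower() for w in words}),
        "decoded": decode_subject(raw_value),
    }


if __name__ == "__main__":
    raw = encode_subject(SAMPLE_SUBJECT)
    print("Subject: " + raw)
    print(describe(raw))
```

Each encoded-word has to stay within 75 characters, so a legitimate long subject in a 2-byte charset arrives as several encoded-words, and any check that counts encoded-words in the raw Subject will see more than one.
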
Re: trusted_networks use
NFN Smith wrote:
> Thanks for the ongoing feedback
>
> Bowie Bailey wrote:
> Now that you've made those changes, post the headers from another example email so we can see if anything changed.
>
> See below.
>
> Also, you may want to save your email into a file and manually run it through SA to see what happens. Just add '-t -D' to the option list
>
> I did that, and found a couple of things. I'm closer, but not there yet.
>
> In reading the debugging output, I realized that I was putting my work in /etc/mail/sa-mimedefang.cf, and all my other local config settings are in /etc/mail/spamassassin/local.cf. When I moved this work to local.cf, debug showed me getting further.
>
> I also found that Net::DNS wasn't installed -- up until now, I haven't needed it, because I haven't been doing stuff that requires DNS queries. I installed that, and am making further progress.
>
> With the two changes, I'm getting correct designation of which hosts are trusted or not (which I wasn't getting before), but still not getting the ALL_TRUSTED rule.
>
> By the way, I've also made sure that the $HOME/.spamassassin/user_prefs doesn't have any user-specific settings that may be interfering.
>
> Debug output shows:
>
> debug: using /usr/share/spamassassin for default rules dir
> debug: using /etc/mail/spamassassin for site rules dir
> debug: using /home/test-user/.spamassassin for user state dir
> debug: using /home/test-user/.spamassassin/user_prefs for user prefs file
> debug: Failed to parse line in SpamAssassin configuration, skipping: internal_networks 64.65.180.91
> debug: Failed to parse line in SpamAssassin configuration, skipping: internal_networks 10.10.10.141
> debug: Score set 1 chosen.
> debug: Initialising learner
> debug: received-header: parsed as [ ip=68.99.120.79 rdns=lakecmmtao05.coxmail.com helo=lakecmmtao05.coxmail.com by=pulsar.lfa.com ident= ]
> debug: received-header: parsed as [ ip=24.249.175.20 rdns=really helo=!192.168.1.100! by=lakecmmtao05.coxmail.com ident= ]
> debug: received-header: relay 68.99.120.79 trusted? yes
> debug: received-header: relay 24.249.175.20 trusted? no
> debug: running header regexp tests; score so far=0
> debug: running body-text per-line regexp tests; score so far=0
> debug: running raw-body-text per-line regexp tests; score so far=5.733
> debug: running uri tests; score so far=6.536
> debug: uri tests: Done uriRE
> debug: running full-text regexp tests; score so far=6.573
> debug: Current PATH is: /usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin
> debug: all '*From' addrs: [EMAIL PROTECTED]
> debug: all '*To' addrs: [EMAIL PROTECTED] [EMAIL PROTECTED]
> debug: is Net::DNS::Resolver available? yes
> debug: trying (3) kernel.org...
> debug: looking up MX for 'kernel.org'
> debug: MX for 'kernel.org' exists? 1
> debug: MX lookup of kernel.org succeeded = Dns available (set dns_available to hardcode)
> debug: is DNS available? 1
> debug: DNS MX records found: 1
> debug: forged-HELO: from=really helo=!192.168.1.100! by=coxmail.com
> debug: running meta tests; score so far=6.573
> debug: is spam? score=7.673 required=4 tests=CLICK_BELOW,EXCUSE_3,FREE_CONSULTATION,MAILTO_TO_REMOVE,MIME_MISSING_BOUNDARY,NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE
>
> From [EMAIL PROTECTED] Tue Sep 27 15:22:19 2005
> Received: from localhost by pulsar.lfa.com with SpamAssassin (2.64 2004-01-11); Tue, 27 Sep 2005 15:24:16 -0700
> From: NFN Smith [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: *SPAM* Sequential test #12a
> Date: Tue, 27 Sep 2005 15:21:15 -0700
> Message-Id: [EMAIL PROTECTED]
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on pulsar.lfa.com
> X-Spam-Level: ***
> X-Spam-Status: Yes, hits=7.7 required=4.0 tests=CLICK_BELOW,EXCUSE_3,
>  FREE_CONSULTATION,MAILTO_TO_REMOVE,MIME_MISSING_BOUNDARY,
>  NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE
>  autolearn=no version=2.64
> MIME-Version: 1.0
>
> Anything else obvious that I might be missing? I think I'm close
>
> Smith

If I'm not mistaken (and I could be, it's been awhile since I've used the 2.6x series), the ALL_TRUSTED rule wasn't introduced until the 3.0x series.

your headers show you're using 2.64. also your debug output shows that spamassassin wasn't able to parse the internal_network settings (which also weren't introduced until the 3.0x series).

So, you either have some misconceptions about 2.64's capabilities, or you have 2 copies of spamassassin running in 2 different locations on your machine and the one in your path is 2.64, and causing you headaches.

HTH

alan

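The two signals the reply above points to (configuration lines the running SpamAssassin refused to parse, and the version stamped into the X-Spam headers) can be pulled out of debug output mechanically. This is an added example, not code from the thread: the sample text is constructed from the lines quoted above, and the function name, the `expected_major` parameter and the wording of the findings are assumptions.

```python
import re

# Constructed sample, condensed from the debug output and headers quoted above.
SAMPLE = """\
debug: using /etc/mail/spamassassin for site rules dir
debug: Failed to parse line in SpamAssassin configuration, skipping: internal_networks 64.65.180.91
debug: Failed to parse line in SpamAssassin configuration, skipping: internal_networks 10.10.10.141
debug: received-header: relay 68.99.120.79 trusted? yes
debug: received-header: relay 24.249.175.20 trusted? no
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on pulsar.lfa.com
X-Spam-Status: Yes, hits=7.7 required=4.0 tests=CLICK_BELOW,EXCUSE_3,
 FREE_CONSULTATION autolearn=no version=2.64
"""

SKIPPED = re.compile(
    r"Failed to parse line in SpamAssassin configuration, skipping:\s*(\S+)\s*(.*)")
RELAY = re.compile(r"received-header: relay (\S+) trusted\? (yes|no)")
VERSION = re.compile(r"^X-Spam-Checker-Version: SpamAssassin (\d+)\.(\d+)", re.M)

# Directives that define the trust boundary. When they are silently skipped,
# Received headers are evaluated against a boundary the admin did not intend,
# so these are reported first.
TRUST_DIRECTIVES = {"trusted_networks", "internal_networks"}


def triage(text, expected_major=3):
    """Summarise ignored config lines, relay trust decisions and scanner version."""
    skipped, relays = {}, {}
    for line in text.splitlines():
        m = SKIPPED.search(line)
        if m:
            skipped.setdefault(m.group(1), []).append(m.group(2).strip())
            continue
        m = RELAY.search(line)
        if m:
            relays[m.group(1)] = m.group(2) == "yes"

    m = VERSION.search(text)
    version = (int(m.group(1)), int(m.group(2))) if m else None

    findings = []
    # Trust-related directives sort ahead of everything else.
    for directive in sorted(skipped, key=lambda d: (d not in TRUST_DIRECTIVES, d)):
        kind = "trust setting" if directive in TRUST_DIRECTIVES else "setting"
        findings.append("%s '%s' ignored for: %s"
                        % (kind, directive, ", ".join(skipped[directive])))
    if version is None:
        findings.append("no X-Spam-Checker-Version header found")
    elif version[0] < expected_major:
        findings.append("message was scanned by SpamAssassin %d.%d, expected %d.x; "
                        "check for a second installation earlier in PATH"
                        % (version[0], version[1], expected_major))
    return {"version": version, "skipped": skipped,
            "relays": relays, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```
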
Re: trusted_networks use
NFN Smith wrote:
> Following up on my own post. I'm still thrashing, and not getting any difference in results.

...snip...

Sorry, I just have to ask. Since you're using MIMEDefang... you are remembering to restart (or reload) mimedefang after making your changes, right? and you're making changes to the sa-mimedefang.cf file, right?

alan

Re: User Blacklist Spamassassin Behavior
Paul R. Ganci wrote:
> This is somewhat a philosophical question, but I will ask it anyways. Recent discussions have occurred on this list regarding what Spamassassin should do with Spam. The recent consensus seems to be that it is only Spamassassin's job to tag Spam and that some other program should decide what to do about it. I can accept this argument especially in regard to the old spam_action config option especially when set to delete.
>
> However, I have a user who raises a good point. He has a blacklist in his user_prefs. Spamassassin processes his Email message and indeed finds this blacklisted message as USER_IN_BLACKLIST shows up in the header. In addition lots of other processing occurs before the final score of 99 is tallied. His question is simply this: Why does this message show up in his box at all? His point being the message was blacklisted.
>
> Why is it not a good idea for Spamassassin to immediately send to /dev/null a message flagged in somebody's blacklist ASAP ... i.e. no further processing? Is the only way to handle this via a procmail recipe? Similar what about a whitelist ... shouldn't it be sent on as Ham ASAP ... i.e. a minimal of processing? How do others handle these cases?

Paul,

here's my take on it. keep in mind i'm in no way affiliated with the developers, it's just my opinion as a mail system administrator and SpamAssassin user.

for one thing, SA has been designed for specific reasons *not* to process the mail, but only to add headers as necessary. One of these reasons is that SA can remain extremely versatile in this configuration. for instance, I use SpamAssassin via a call from MIMEDefang which runs as a Sendmail Milter. Others may call spamassassin/spamc from procmail, others may integrate with qmail-scanner or amavis-new (neither of which am I familiar with, but they get quite a bit of mention on this and other lists)

For SpamAssassin to be able to do SMTP level rejections, it would have to *always* be integrated into the MTA. Granted there are tools to allow the integration of SA into the MTA, but they are designed and supported by third parties (and in my opinion, rightfully so).

Philosophically, it makes more sense for SpamAssassin to focus on identifying SPAM, and let another application (MTA, procmail, etc) focus on what it was primarily designed for: processing (delivery,rejection,etc) of said email.

It's certainly no more of a hassle to add a procmail rule to dump a blacklist hit to /dev/null than it is to add a procmail rule for other delivery options. There may be cases where it would be very inappropriate for *any* mail, blacklisted or not, to be dumped to /dev/null. having SA have to account for all possible handlings of blacklisted mail would add more bloat and logic requirements to the code which, in my opinion, aren't necessary.

When you're dealing with mail delivery, you have to account for local delivery inconsistencies, whether the mail will be delivered to a remote machine anyways, etc. again, these types of situations make it more appropriate for applications written specifically to handle them than to try to add them to SA and pull the focus away from identifying SPAM to delivering mail.

just my $.02 worth.

Alan

Re: User Blacklist Spamassassin Behavior
Paul R. Ganci wrote:
> Alan Premselaar wrote:
> Philosophically, it makes more sense for SpamAssassin to focus on identifying SPAM, and let another application (MTA, procmail, etc) focus on what it was primarily designed for: processing (delivery,rejection,etc) of said email. It's certainly no more of a hassle to add a procmail rule to dump a blacklist hit to /dev/null than it is to add a procmail rule for other delivery options. There may be cases where it would be very inappropriate for *any* mail, blacklisted or not, to be dumped to /dev/null.
>
> I don't disagree with most of what you said. However, I don't necessarily agree with the above because while I can add a procmail rule to handle a specific user's blacklist I can't get back the wasted CPU cycles which spamassassin expended ... perhaps all I am really asking is if there is a way to allow spamassassin to just stop processing a message that is in a blacklist to save the cycles? I am not asking for spamassassin to become an MTA/MDA.

In that case it would be ultimately more efficient to add a rejection rule to your MTA (i.e. sendmail's access db) than to even rely on SA's blacklisting (even if it did stop processing after determining the blacklist hit)

> Privately Ed Kasky raised the good point about spoofing. I believe whitelists have to have the full weight of a spamassassin scan to catch messages with spoofed addresses. But blacklists ... I don't believe suffer this problem. Yes I might receive a spam message from somebody spoofing an arbitrary Email address. If that address happens to have @ebay.com then I am highly unlikely to blacklist it. If it is from @anybody.com then unless I have some reason to believe that I should expect legitimate Email from that address, I argue that blacklisting it does no harm and that any message found to be on a blacklist could be processed with the minimal of effort by spamassassin. But then what do I know? :)

My (not so clear) point is that there may be situations such as Corporate Policy, for right or for wrong, disallowing the discarding of *any* mail prior to delivery. We certainly don't have that policy here, but I've seen it come up in discussion before.

I'm certainly not saying it's a bad Idea, I'm merely expressing some of the points that have come up in conversation on the list previously.

On the flipside, I handle all my "don't need to waste processing time by calling SA" type transactions from within MIMEDefang and have been quite happy with my configuration. I personally wouldn't benefit from this type of feature, but neither would I suffer.

anyways, just my opinion.

alan

Re: connect(AF_INET) to spamd at 127.0.0.1 failed
Chris wrote:
> I've seen this a couple of times the last few days in my syslog. Tonight, I saw it after updating to 3.0.4:
>
> Jun 11 19:38:21 cpollock spamd[7668]: server killed by SIGTERM, shutting down
> Jun 11 19:38:22 cpollock spamassassin: spamd shutdown succeeded
> Jun 11 19:53:32 cpollock spamc[26370]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
> Jun 11 19:53:33 cpollock spamc[26370]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused

is it possible that you had some incoming mail that was trying to connect to spamd even after you shut it down for upgrading?

> Prior to upgrading from .0.3 to .0.4 I ran #service spamassassin stop, and also shut down fetchmail so that nothing was processed, when the update was finished I started spamassassin and fetchmail. The below is 'not' when I started SA
>
> Jun 11 19:55:10 cpollock spamd[26754]: spamd starting
> Jun 11 19:55:11 cpollock spamd[26754]: server started on port 48373/tcp (running version 3.0.4)
> Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child process, pid 26760
> Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child process, pid 26761
> Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child process, pid 26762
> Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child process, pid 26763
> Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child process, pid 26764

Did these appear during the installation process? if so, if you ran 'make test' these are probably the results of that.

> This is where I started SA and fetchmail
>
> Jun 11 19:57:21 cpollock spamd[27144]: spamd starting
> Jun 11 19:57:21 cpollock spamassassin: spamd startup succeeded
> Jun 11 19:57:30 cpollock fetchmail[27167]: starting fetchmail 6.2.5 daemon
> Jun 11 19:57:33 cpollock spamd[27146]: server started on port 783/tcp (running version 3.0.4)
>
> But between 19:55 and 19:57 there is this:
>
> Jun 11 19:55:12 cpollock spamd[26760]: processing message 9PS291LhupY for root:0.
> Jun 11 19:55:12 cpollock spamd[26760]: identified spam (15.6/5.0) for root:0 in 0.4 seconds, 3131 bytes.
> Jun 11 19:55:12 cpollock spamd[26760]: result: Y 15 - ALL_NATURAL,DATE_IN_FUTURE_03_06,DIET_1,DRUGS_ERECTILE,DRUGS_PAIN,EXCUSE_12, EXCUSE_4,FORGED_YAHOO_RCVD,FROM_ENDS_IN_NUMS,FROM_HAS_MIXED_NUMS, INVALID_DATE,INVALID_MSGID,NORMAL_HTTP_TO_IP,NO_REAL_NAME,SELECTED_YOU, SUBJ_FREE_CAP,UNDISC_RECIPS scantime=0.4,size=3131,mid=9PS291LhupY,autolearn=spam

again, this is probably the results of the 'make test' and actually running tests against spamd. I use spamassassin in such a way that I do not use spamd (nor need it) yet during the 'make test' part of my CPAN install, i see spamd messages in my maillog (as a result).

> I do 'not' have autolearn enabled. Any ideas what may have happened? Googling the error in the first lines seems to mention something about spamassassin as a server and spamd not running. Spamd is most certainly running as shown in running processes. Sorry for the long msg with log cuts but not sure what, if anything is amiss.
>
> Thanks
> Chris

alan

Re: Question about SPF checks
Ronny Nussbaum wrote:
> Hello,
>
> I've tried to find an answer to this, but couldn't. I'm using SA 3.0.3, invoked by Amavisd-New (latest version), on Fedora Core 3. I've installed the Mail::SPF::Query module, and it works fine. My question is, how can I disable it from being used by SA? I'm looking for another way besides giving the value of zero to all SPF tests in my local.cf. In a way, I want to uninstall it, so that SA is not even aware of it.
>
> Thanks
> -RoNNY

Ronny,

you should be able to comment out the loadplugin line for SPF in the init.pre file (in /etc/mail/spamassassin on my installation)

Alan

Re: Bombarded by German political spam
Matias Lopez Bergero wrote:
> David B Funk wrote:
> Tonight our site is being bombarded by German political spam or Joe-jobbed bounce fall-out. So far it appears to all be coming from trojaned PCs. Other than the specific URLs in the messages haven't found any easily identified parts to create rules for. anybody else seeing this?
>
> I'm being bombarded too!
>
> Matías.

I'm mostly just getting the bogus MAILER-DAEMON bounces from being joe-jobbed. I've literally had 100's of these compared to the 2 or 3 actual spams. (usually 50+ at a time)

alan

Re: Problem with mail being rejected by friends!
Rick Macdougall wrote:
> Neil Watson wrote:
> On Fri, Apr 15, 2005 at 10:24:47AM -0400, Steven W. Orr wrote:
> their mail rejected by sa. I have been adding whitelist entries like crazy but I really loathe having to disable spam rejection by spamass-milter.
>
> Rejecting spam is not a good idea. Most of the time you end up spamming some poor sod who has been joe-jobbed. Discard spam. Don't add to the problem.
>
> Hi,
>
> While this has been discussed before, I don't think rejecting spam at the smtp level is a bad idea, ie 551 - We think this is spam. However, bouncing spam after the smtp acceptance is a bad idea.
>
> Since most spam is coming either from infected PC's or spammers dsl connections, rejecting at the smtp level is usually not a bad idea. It also allows for legitimate email that is marked as spam to be returned to the owner, if you just make spam vanish to /dev/null you may find you have some very unhappy clients further down the road who are wondering where that letter from the Legal department is.
>
> Regards,
> Rick

Not only that, but if Steve had been discarding spam, neither he nor his friends would have been aware of this problem.

Re: SQL install with mSQL driver
Gary W. Smith wrote:
> Hello,
>
> I'm using 3.0.x on RHEL 3 right now in our production environment and was looking at setting up a new test environment. We use MySQL for the common bayes DB which is working well for us in production.
>
> Today I tried installing the same packages for Perl that I did for our production installs which require DBD::mSQL. When I do an install of this package it fails miserably. Googling around it appears that this package is, or is being, deprecated or unsupported.
>
> Is there an alternate package that I should be using? Some of the articles I have read recommend that we use DBD::mysql instead of DBD::mSQL. Does anyone know if this will work in place of the other package?
>
> Gary Wayne Smith

Gary,

I'm not a database expert by any means, but I've done a bit with the DBI and MySQL. My understanding is that DBD::mSQL is an interface to a different SQL server than MySQL, although I don't remember which one off the top of my head.

If you're using MySQL, you want to use the DBD::mysql module. I'd be surprised if DBD::mSQL worked at all with MySQL.

hope this helps.

Alan

Re: SQL install with mSQL driver
Gary W. Smith wrote:
> Alan,
>
> I have installed DBD::mysql and it still doesn't work. The install file says that DBD::mSQL is required and the options that I specified when we installed it was for mysql (as the mSQL driver covers it as well). It's funny though that AWL is logging to the DB.
>
> Also, something to note, is that in production we are running 3.0.1 and this is 3.0.2. Maybe it's not required and the code is just broken. Unfortunately my older dev environment is down otherwise I would try upgrading the 3.0.2 to see if it has the same problems.
>
> Here is the specific error:
>
> Apr 12 17:22:44 pxtoakdev04 spamd[3378]: Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/SQL.pm line 157, GEN2 line 2.
> Apr 12 17:22:44 pxtoakdev04 spamd[3378]: Use of uninitialized value in numeric ne (!=) at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/SQL.pm line 159, GEN2 line 2.
> Apr 12 17:22:44 pxtoakdev04 spamd[3378]: Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/SQL.pm line 160, GEN2 line 2.
> Apr 12 17:22:44 pxtoakdev04 spamd[3378]: bayes: Database version is different than we understand (3), aborting! at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/SQL.pm line 160, GEN2 line 2.
>
> Local.cf
>
> auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
> user_awl_dsn DBI:mysql:spamassassin:10.0.0.41
> user_awl_sql_username spamassassinuser
> user_awl_sql_password spamassassinpass
> bayes_store_module Mail::SpamAssassin::BayesStore::SQL
> bayes_sql_dsn DBI:mysql:spamassassin:10.0.0.41
> bayes_sql_username spamassassinuser
> bayes_sql_password spamassassinpass

Gary,

these calls (DBI:mysql:spamassassin) are definitely telling the system to use DBD::mysql (not DBD::mSQL)

based on this line:

Apr 12 17:22:44 pxtoakdev04 spamd[3378]: bayes: Database version is different than we understand (3), aborting! at

it looks like the database either isn't configured properly or it's corrupted.

try running sa-learn --dump magic to see what it reports, and assuming it fails you may then want to try sa-learn -D --lint

are both your production (3.0.1) and this new (3.0.2) machine pointing to the same database?

alan

Re: question about greylisting
Rob McEwen wrote:
> I have a question about greylisting.
>
> Does greylisting **always** involve blocking upon receipt of the SMTP envelope and not accepting the rest of the message?
>
> Or, can greylisting alternatively work where it **does** accept the **entire** message (for auditing purposes, for example) and THEN returns the temporary rejection code?
>
> Thanks,
> Rob McEwen
> PowerView Systems

Rob,

That depends on how you implement it. Certainly if you're running Sendmail, a tool like MIMEDefang would allow you to implement greylisting in any manner you saw fit for your installation.

however, temporarily rejecting the message after fully receiving it and processing it kind of defeats the purpose of greylisting. (or at least one major purpose of it)

hth

alan

interesting problem with SQL backend
Today I had an interesting situation. This is more of an FYI in case anyone else has run into similar problems. (cross-posted to MIMEDefang list as well)

I use SpamAssassin with MIMEDefang. I got notified by one of my users that they were unable to send mail suddenly. after checking the logs I determined that MIMEDefang was timing out and returning errors. the cause for this was very unclear (which is why i'm sharing my findings with all of you)...

After digging around (and some assistance from David Skoll on the MIMEDefang list) I was able to determine that the problem was caused by SpamAssassin not being able to connect to the database server where the bayes database is stored. (using MySQL on a remote host) this caused all sorts of weirdness for no apparently good reason and was initially very confusing to diagnose.

The symptoms were:

* mimedefang started to return busy timeout errors.
* when restarting MIMEDefang (with embedded perl enabled) the multiplexor wouldn't complete loading and mimedefang wouldn't create the socket, causing sendmail to spit out file /path/to/mimedefang/socket/file unsafe errors.
* turning off embedded perl would allow mimedefang to start and create the socket, but then would spawn multiple instances of mimedefang.pl which just hung.
* mimedefang.pl -test and/or mimedefang.pl -features would hang indefinitely with no output.

the workaround:

after determining the problem to be the connection to the SQL server, simply setting use_bayes 0 in sa-mimedefang.cf and restarting mimedefang resolved the problem. however, this obviously didn't utilize the bayes facilities.

the questions:

I understand that the SQL code for SA is still 'experimental'. is there any way currently to set a forced timeout to connect to the SQL server? is this something I should open a BZ ticket about?

being that I'm definitely not an SQL guru, does anyone have any suggestions for configuring a high-availability MySQL server configuration that could failover to a backup server should the primary one become incapacitated by a low-level hard drive failure?

Currently I have 1 MySQL database server with the bayes databases on it (among other databases) and my primary and secondary mail servers both make connections to it to check the bayes database.

This may be somewhat specific to the MIMEDefang implementation, but I suspect that there is a possibility that this type of behavior could have negative impact in other types of SA implementations as well.

again, this is mostly an FYI, but any suggestions are welcome.

Thanks,

Alan

Re: back where I was: why is this rule misfiring?
Vicki Brown wrote:
> What is going on here?
>
> The rule
>
> header CF_NOT_FOR_ME ToCc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])\.com/i
> score CF_NOT_FOR_ME 0.01
> describe CF_NOT_FOR_ME Neither To nor Cc me

Vicki,

You're using a negated OR test, you want to use a negated AND test.

so, you're saying if the mail isn't for vlb[at]cfcl OR the mail isn't for vicki.vlb[at]gmail then it's not for me

in this situation, if one of the tests is true, the other one is false and thus the entire test is true. because one of the criteria passes the !~ test. This is why you're not seeing the expected results.

[...snip...]

hope this helps,

alan

Re: re-read the config file iff it has changed
Vicki Brown wrote:
> At 17:40 -0800 03/19/2005, jdow wrote:
> There is a substantial hit, Vicki, on the order of a factor of two on my machines.
>
> We are talking about Only when the Config File has Changed_. OK, so you get a factor of two, what, once a week? Sendmail does this (you run newaliases or make to trigger it).

For clarity's sake, sendmail has real-time access to certain db files (like aliases.db which is generated by 'newaliases'). since sendmail has real-time access to these files, re-creating the .db file from the text version is all that is necessary. However; if you make changes to the sendmail.mc file and the run make to create the sendmail.cf file, you still need to restart sendmail for it to read those changes.

SpamAssassin reads in all its config files into memory and has no real-time file access for configuration files.

> I simply do not believe there can be a substantial hit if spamd re-reads the config file Only When The Config File Has Changed

in order to read the config file in only when it has been changed you need to store state information somewhere (in memory or a real-time accessed db file, etc) for each config file. Since SA will read in /path/to/configfiles/*.cf there could be any number of files that state needs to be stored for. Also, to be prudent, state would also need to be stored for /usr/share/spamassassin/*.cf since some people will change those config files even against recommendations.

when fine-tuning for performance, even a call to stat() on a file or group of files can introduce performance hits. This is because it effectively still has to open and close the file-handle.

Then there's the matter of; in what way, and how often do you poll the .cf files to check for changes? that in itself could add a lot of overhead to the program that is unnecessary.

[..snip..]

alan

Re: Spammers Target Secondary MX hosts?
[EMAIL PROTECTED] wrote:
> Kelson wrote:
> Larry Starr wrote:
> On Friday 18 March 2005 08:17, Alexander Bochmann wrote:
> there are many setups where the ISP or someone else runs a backup MX for his customer's domains as a service. With this configuration, the secondary MX will usually not know about valid users in the destination domain.
>
> That, in fact, is the setup that I am operating and, yes, most of what comes through my secondary MX, at my ISP, is SPAM. Some time ago I implemented a rule that adds a (small) spam score for mail received via my secondary MX.
>
> I'm on the flip side of that: we provide secondary MX services for some of our customers, and I've started adding a small bonus score for mail being sent *to* them through our server. I've also added meta-rules to treat certain rules more harshly.
>
> The really annoying thing, from our standpoint, is the backscatter we have to process:
>
> 1. Spammer sends to secondary MX (us).
> 2. We filter out some of the more obvious spam (for the most part using our regular criteria).
> 3. We relay what's left to the primary MX.
> 4. Primary MX rejects mail to nonexistent users and mail that trips their own spam filters.
> 5. We generate DSNs that go to third parties or nonexistent hosts, contributing to backscatter and cluttering up our outbound queue.
>
> The backscatter becomes a real problem in the legitimate relay situation, because it's basically unavoidable. If the spam is sent directly to you, you can accept it, discard it, or reject it, and it stops. But if you're relaying to someone, and *they* reject it, now you have to decide whether to generate a DSN or not.
>
> We've actually set up a separate queue for bounces that aren't delivered immediately, so that it won't bog down normal mail.
>
> Two solutions occur to me:
>
> 1) Allow a way for the secondary MX to tell whether the primary MX is up - if it is, don't accept any connections
> 2) Allow a way for the secondary MX to tell what email addresses on the primary MX are valid (LDAP occurs to me)
>
> Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com
> Software Engineer
> perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,

MIMEDefang can do both of these...

I use it on my secondary MX server to check for valid users on the primary server. as a safety, if the primary MX server is down, it'll accept and queue the mail. if it can't validate the user on the primary server, yet the server is up, it'll fail with user unknown.

alan

Re: URI Tests and Japanese Chars (solved)
List Mail User wrote:

...
To: "Daryl C. W. O'Shea" [EMAIL PROTECTED]
Cc: List Mail User [EMAIL PROTECTED], [EMAIL PROTECTED], users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)
In-Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Justin Mason)

Justin,

Daryl C. W. O'Shea writes:

List Mail User wrote:

Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google).

I could be convinced either way from a bare address (as it stands now, maybe someone else has something to add). But a "mailto:" "mail:" or "cid:" clause should (in my opinion) be looked up by the URI rules - they are URI, not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses are URIs.

Paul Shupak
[EMAIL PROTECTED]

I'd agree with Paul, what's the difference between doing the lookup of the domain listed in a mailto: link and a http: link -- both of which are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email us at [EMAIL PROTECTED] for all the junk you don't really want".

However, it's an impedance mismatch between what's going into the backends (the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation (of mail relays) will blocklist mail that *mentions* that domain!

That's not true in general. Since the SBL is an IP based list, a mail server escalation would have no effect on any other domain, only on messages relayed through the servers.

The more common case where a SBL escalation will affect other domains is (the typical kind I've noticed) when they list all corporate servers and some otherwise innocent domains use name servers within that space (this was the Russian government/Rostelecom earlier this week).

Still, you are correct, there is a big difference between the SURBL policy of zero FPs and the SBL policy, which I can best state as "kill the spammers". SURBLs rarely have `collateral' damage and their default scores reflect that; The URIBL_SBL is only assigned scores of "0 0.629 0 0.996" in 3.0.2 - Only URIBL_AB_SURBL with set 3 and URIBL_WS_SURBL with set 1 are ever assigned lower scores than the URIBL_SBL. All the other SURBL have significantly higher scores - URIBL_SC_SURBL is many times what URIBL_SBL is. (You may not know, but I even proposed adding back the SPEWS lists, though with low scores, and I do use all the rfci lists with relatively low scores except for bogusmx, which may be the best single indicator I have ever found, and I still assign it fewer points than URIBL_SC_SURBL).

- --j.
{snipped PGP SIGNATURE]

Paul Shupak
[EMAIL PROTECTED]

P.S. I understand the political problems with the particular FPs that SPEWS generates, but I do hope the rfci lists make it to the URIBL rulesets.

Since you mentioned the scores, please note that Bobby Rose, the original poster of this issue, had modified the score for URIBL_SBL from its defaults to 10 ...

I had suggested that he reduce the score (possibly setting it back to the defaults)

While it doesn't negate the issues surrounding the way the URI lookups work (or should possibly work) ... it's obvious that there is enough FP potential to warrant not scoring it so high.

alan
Re: rule didn't fire
Vicki Brown wrote: At 17:57 -0800 03/16/2005, Loren Wilton wrote: Ok. What totally mindless dumb thing did I do that I just can't see? How are you running SA? spamd -d -c at system startup then, from procmailrc, I push each message through | /usr/local/bin/spamc -s 256000 -t 60 Did you restart spamd? N. I don't use spamd, but if memory serves, you'll need to at least HUP spamd to re-read the config file... a restart of spamd would guarantee it. check the man pages for specifics. alan
Re: Blacklisting embedded URLs
Vicki Brown wrote: Did the message you tested with have a URI? If so what was it? Sigh. :-( No. I naively thought it would list something anyway. Back to circle 1. OK, so I ran it again against a message with lots of URIs (specifically one of my previous messages which got pummeled by dailyhills :-) and spamassassin -D had a grand old time telling me which URLs were listed at which BL sites. Yippee. It works with spamassassin -D. :-( This still doesn't explain why it doesn't work with my standard setup, i.e. spamd -d -c in the background and /usr/local/bin/spamc -s 256000 -t 60 via procmail :-( For proof, here's the spam report on a (different) message I received tonight. First, as it arrived in my inbox earlier this evening having passed through spamd/spamc): X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com X-Spam-Level: *** X-Spam-Status: Yes, score=3.6 required=0.5 tests=BIZ_TLD,MSGID_DOLLARS autolearn=no version=3.0.2 X-Spam-Report: * 0.5 BIZ_TLD URI: Contains an URL in the BIZ top-level domain * 3.1 MSGID_DOLLARS Message-Id has pattern used in spam And here's the spam report for the identical message after I pushed it manually through spamassassin -D (cool, my URI rules are firing now; many thanks to Loren Wilton and Matt Kettler ;-) X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com X-Spam-Level: X-Spam-Status: Yes, score=16.8 required=0.5 tests=ALL_TRUSTED,BIZ_TLD, CF_BAD_URL1,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL, URIBL_WS_SURBL autolearn=no version=3.0.2 X-Spam-Report: * -2.8 ALL_TRUSTED Did not pass through any untrusted hosts * 10 CF_BAD_URL1 URI: XXX site * 0.5 BIZ_TLD URI: Contains an URL in the BIZ top-level domain * 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist * [URIs: a123s.biz] * 2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist * [URIs: a123s.biz] * 0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist * [URIs: 
a123s.biz] * 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist * [URIs: a123s.biz] * 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist * [URIs: a123s.biz] Have you restarted or HUP'd spamd yet? spamd will read the config files once on initial execution and retain it in memory until it's HUP'd or restarted. Even if you make changes to the config file, the changes won't be loaded until HUP or restart. spamc relies on spamd, and the config that spamd has in memory. spamassassin will load the config files each time it's executed and does not rely on spamd to be running. based on your results, I would say it's highly likely that restarting or HUPing spamd will solve your problems. alan
Re: URI Tests and Japanese Chars
Rose, Bobby wrote: I have a user that is of Japanese origin and who converses with other individuals in Japan in his same field of study. The messages they send are in Japanese and trip the URI_SBL rule. These people are in different .jp domains and I really don't want to get into the administrative overhead of whitelisting. I don't see anything in the message bodies that even looks like a URI. Has anyone else ran into this? Bobby Rose Wayne State University School of Medicine Bobby, That seems a little strange, especially if there are no URIs in the mail. I live in Japan and have mail servers local and state-side that process Japanese email without this problem. Can you provide more details about your setup/configuration and possibly provide a sample email that triggers the rule? alan
Re: MRTG SPAM SYSLOG ?
ip.guy wrote: hi all is anyone using a tool that can parse /var/log/messages to find identified SPAM and is able to then build MRTG graphs ? i was using a tool that could do this a while ago but have totally forgotten the name of the project any help appreciated I've used graphdefang in conjunction with MIMEDefang... although I think you can run it independently of MIMEDefang. alan
Re: X-Spam-Status/content analysis details inconsistencies.
jeffrey.arnold wrote:

Hi users, I have a weird problem here that i know i am not the only one to encounter, and have yet to see (in much searching) a solution for. I am running spamassassin for all mail via spamd/spamc, and filtering on the X-Spam-Status: Yes header. The majority of my spam is getting caught, but quite a bit is getting through. The vast majority of the spam that gets through is tagged as spam in the subject line (i enable rewrite_header), but not tagged as spam in the X-Spam-Status header line. In an example spam, i get the following spamass header:

X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on phase.nyc.analogue.net
X-Spam-Level:
X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_50,HTML_10_20, HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_SBL autolearn=no version=3.0.2

The subject/body, on the other hand, contains:

Subject: SPAM(10.9) Become the man that women desire
Content analysis details: (10.9 points, 5.0 required)
...snip...

So it appears that spamassassin tagged this as spam with 10.9 points, but left out some of the rules when writing the X-Spam-Status header, claiming the email only received 4.8 points. Spamassassin is installed directly out of freebsd ports on a fbsd4.11 box with perl 5.8.5. My local.cf is included below. Why would spamassassin be dropping rules like this? Thanks much, -jba

Jeffrey, This type of symptom seems to be common to mail being scanned twice (or more) by spamassassin. how do you have the call to spamd/spamc implemented? alan
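A check for the symptom in this thread, a Subject tag whose score disagrees with X-Spam-Status, written as an added example that is not part of either post. The sample messages are constructed from the headers quoted above; the SPAM(score) subject format is taken from jeffrey.arnold's example, and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse the header block of a raw message into [lowercased-name, value]
# pairs, unfolding continuation lines first.
sub parse_headers {
    my ($raw) = @_;
    my ($head) = split /\r?\n\r?\n/, $raw, 2;
    $head = '' unless defined $head;
    $head =~ s/\r?\n[ \t]+/ /g;
    my @headers;
    for my $line (split /\r?\n/, $head) {
        push @headers, [ lc($1), $2 ] if $line =~ /^([^\s:]+):[ \t]*(.*)$/;
    }
    return @headers;
}

# Compare what the rewritten Subject claims with what X-Spam-Status claims.
sub audit_message {
    my ($raw) = @_;
    my @headers  = parse_headers($raw);
    my @status   = map { $_->[1] } grep { $_->[0] eq 'x-spam-status' } @headers;
    my @subjects = map { $_->[1] } grep { $_->[0] eq 'subject' } @headers;
    my @findings;

    push @findings, scalar(@status) . ' X-Spam-Status headers present'
        if @status > 1;

    # Score embedded in the rewritten Subject, e.g. "SPAM(10.9) ...".
    my $tag_score;
    for my $subject (@subjects) {
        ($tag_score) = $subject =~ /SPAM\((-?\d+(?:\.\d+)?)\)/ and last;
    }

    for my $value (@status) {
        my ($verdict, $score) =
            $value =~ /^(Yes|No),\s*score=(-?\d+(?:\.\d+)?)/ or next;
        next unless defined $tag_score;
        push @findings, 'Subject is tagged as spam but X-Spam-Status says No'
            if $verdict eq 'No';
        push @findings, "Subject score $tag_score differs from header score $score"
            if abs($tag_score - $score) > 0.05;
    }
    return @findings;
}

# Constructed sample built from the headers quoted in the post.
my $mismatch = <<'EOT';
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on phase.nyc.analogue.net
X-Spam-Level:
X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_50,HTML_10_20,
 HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_SBL autolearn=no
 version=3.0.2
Subject: SPAM(10.9) Become the man that women desire

(body omitted)
EOT

# Constructed sample where the tag and the header agree.
my $consistent = <<'EOT';
X-Spam-Status: Yes, score=10.9 required=5.0 tests=BAYES_99,URIBL_SBL
 autolearn=no version=3.0.2
Subject: SPAM(10.9) Become the man that women desire

(body omitted)
EOT

for my $case ( [ 'mismatch', $mismatch ], [ 'consistent', $consistent ] ) {
    my ($name, $raw) = @$case;
    my @findings = audit_message($raw);
    print "$name: ", (@findings ? join('; ', @findings) : 'no findings'), "\n";
}
```

Run over delivered mail, any finding means the Subject and the status header were written by different scoring passes, which is the place to start looking at how spamc is invoked.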
Re: SA 3.01 eventually stops noticing DNSBLs
Jay Levitt wrote:

[SNIP] I tried to create a test harness to see if I can replicate this outside of SA, but for some reason, even though I double-checked the code I copied from Dns.pm, I'm getting weird results - it's always giving me the root nameservers, instead of the name servers for each of the domains. This is true with recurse = 0, recurse = 1, or recurse left out entirely as it is in Dns.pm. I'm no Perl whiz; can anyone see my mistake? Code follows:

    #!/usr/bin/perl
    no strict; no warnings;
    require Net::DNS;
    require Net::DNS::Resolver;
    use strict; use warnings;

    my @EXISTING_DOMAINS = qw{
        adelphia.net akamai.com apache.org cingular.com colorado.edu
        comcast.net doubleclick.com ebay.com gmx.net google.com
        intel.com kernel.org linux.org mit.edu motorola.com
        msn.com sourceforge.net sun.com w3.org yahoo.com
    };

    my $res = Net::DNS::Resolver->new (
        recurse => 0, retry => 1, retrans => 0, dnsrch => 0, defnames => 0,
        tcp_timeout => 3, udp_timeout => 3,
        persistent_tcp => 1, persistent_udp => 1
    );
    die unless defined $res;

    for(;;) {
        my @domains = @EXISTING_DOMAINS;
        my $domain = splice(@domains, rand(@domains), 1);
        print "trying '$domain'...\n";
        lookup_ns($domain);
    }

    sub lookup_ns {
        my ($self, $dom) = @_;

Since you're not using this as a Perl Module (OOP) my guess is that $self contains the value you expect to be in $dom and $dom is NULL. Try removing $self from your argument list and make it look like: my ($dom) = @_; and see if that works for you. debug statements are your friend. :) hope this helps alan
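The calling-convention mistake alan describes, as an added example (not Jay Levitt's script and not code from Dns.pm). A constructed table stands in for the resolver so it runs offline; the sub names, the sample domains and the '' entry are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $DEBUG = 1;

# Constructed data standing in for DNS answers so the script runs offline.
# The '' key stands for whatever comes back when no name is supplied.
my %NS = (
    'example.org' => [qw(ns1.example.org ns2.example.org)],
    'example.net' => [qw(ns1.example.net)],
    ''            => [qw(a.root.invalid b.root.invalid)],
);

# Render an argument list so undef values are visible in debug output.
sub show_args {
    return join ', ', map { defined($_) ? "'$_'" : 'undef' } @_;
}

# Signature as copied from a module: the first argument is the object.
sub lookup_ns_method {
    warn 'lookup_ns_method(' . show_args(@_) . ")\n" if $DEBUG;
    my ($self, $dom) = @_;
    # $dom is undef here when the sub was called as a plain function.
    $dom = '' unless defined $dom;
    return @{ $NS{$dom} || [] };
}

# Signature for a plain script: the domain is the only argument.
sub lookup_ns_plain {
    warn 'lookup_ns_plain(' . show_args(@_) . ")\n" if $DEBUG;
    my ($dom) = @_;
    die "lookup_ns_plain: no domain given\n"
        unless defined $dom && length $dom;
    return @{ $NS{$dom} || [] };
}

for my $domain (qw(example.org example.net)) {
    # 1. Plain call into the method-style sub: the domain lands in $self,
    #    $dom stays undef, and every domain gets the same answer.
    my @wrong = lookup_ns_method($domain);
    print "plain call, method signature ($domain): @wrong\n";

    # 2. The same sub called as a class method: 'main' fills $self.
    my @as_method = main->lookup_ns_method($domain);
    print "method call, method signature ($domain): @as_method\n";

    # 3. Plain call into the sub written for plain calls.
    my @plain = lookup_ns_plain($domain);
    print "plain call, plain signature ($domain): @plain\n";
}
```

The warn lines print the contents of @_ on every call, which is the kind of debug statement that makes the shifted argument obvious.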
Re: Bayes for VoIP anyone?
Richard Ozer wrote: I can't wait to tell my customers that they need to get SpitAssassin. RO That just makes me think of 'Alumn' (referenced from the old Bugs Bunny / Daffy Duck cartoons) alan
Re: Bayes for VoIP anyone?
Jim Maul wrote: Chris Santerre wrote: Autodialing for commercial solicitation to a residence without prior consent by a for-profit group that you're not already doing business with is automatically subject to a $500 minimum damage per-call. I don't know of many residences with VoIP ;) Also: LOL @ LoogieLauncher! --Chris (On top of Mt. Wannahuckaloogie and the ring of fire!) While there aren't many homes with voip yet, there are more and more every day. With vonage and optimum pushing their voip products hard, it's only a matter of time. Especially with optimum and their voip + cable tv + cable modem for $100/month deal. I've had VOIP at home for over a year now. (included with my ADSL service) alan
more ALL_TRUSTED issues?
Today I got an email thru which hit ALL_TRUSTED. My mail server isn't NAT'd. I haven't specifically setup trusted_networks or internal_networks but this is the first I've had a problem with it.

I'm running RH 9 with Sendmail 8.13.3, MIMEDefang 2.49, SpamAssassin 3.02.

the Received headers look a little funky but I haven't really checked them against any RFCs. is this a problem with SA? or my setup?

any help is appreciated.

thanks,

alan

here are the unaltered headers of the email in question:

Return-Path: [EMAIL PROTECTED]
Received: from sndr199.beta-ca.mxsvrbsminc.net
    (sndr199.beta-ca.mxsvrbsminc.net [72.5.1.199])
    by mojo.12inch.com (8.13.3/8.13.0) with ESMTP id j1A1JvBx029323
    for [EMAIL PROTECTED]; Thu, 10 Feb 2005 10:19:57 +0900
Received: by sndr199.beta-ca.mxsvrbsminc.net id h1apo006574r; Wed, 9 Feb
    2005 16:55:49 -0800 (envelope-from [EMAIL PROTECTED])
Received: from localhost by BSMgateway.
    ()
    with ESMTP id mid98433179.msg
    for [EMAIL PROTECTED]; Wed, 9 Feb 2005 16:55:49 -0800
Date: Wed, 9 Feb 2005 16:55:49 -0800
From: "Little-Blue Pill." [EMAIL PROTECTED]
To: "Online Consumer" [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Is this what your life is like alien?
Message-ID: [EMAIL PROTECTED]
X-envid: 98433179
X-Mailer: MOM Agent (v.9.8.433179)
X-CRC32ID: 38112EE1;AEF06669;D9F55A5F
x-MOMID1: VFdZVl1FQlQJAQAHVFRYUlwA
x-MOMID2: XF5dUFVHW14cCQcA
x-MOMID3: XV1CVVdbRVgSAQYPWFpXUVpPICNjHQIGXVtaXVleQ10LBAQbWloA
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--98433179_abFeb1029"
X-Spam-Scanner: SpamAssassin 3.02 (http://www.spamassassin.org/) on
    mojo.12inch.com
X-Spam-Score: 1.857 / 4.000: 26.857%
X-Spam-Tests:
    DCC_CHECK(2.169),BAYES_99(1.886),URIBL_SBL(0.996),HTML_IMAGE_RATIO_04(0.105),HTML_MESSAGE(0.001),ALL_TRUSTED(-3.300)
X-SPF-Header: mojo.12inch.com: domain of
    [EMAIL PROTECTED] designates 72.5.1.199 as permitted sender
X-Scanned-By: MIMEDefang 2.49 on 64.7.201.48
Re: How do I disable spews?
Brenda Bell wrote: I upgraded from 3.0.1 to 3.0.2 this morning and all of a sudden, I can't send myself email from work because spews blacklisted an entire block of uunet addresses and my company is in the middle of the block. (side note: we do not spam and we fight it with every bit of technology we have). I've searched both local.cf and all of the rules files for spews and for the life of me, I can't figure out why my SA is checking spews. Could someone please point me in the right direction? Brenda, how are you calling SpamAssassin? SA only tags mail that scores as spam, it doesn't (in and of itself) do any rejection or movement of mail . Another piece of the puzzle has to do those sort of things. Chances are if your mail is being rejected (5xx errors), then there's something in your MTA configuration that's checking SPEWS and rejecting based on its results. (which I personally feel isn't such a great tactic for just THIS reason) you should check that out, but considering the lack of any useful information, we can't offer you any further assistance. alan
Re: MIT Spam conference
Daniel Quinlan wrote: William Stearns [EMAIL PROTECTED] writes: ...snip... If you're ever in the SF Bay Area and would like to get together, drop me a line. I've met with Jeff a few times. if any of you are ever in tokyo, i'd be down for meeting up for drinks or something. alan
trying to install 3.0.2 via CPAN
for some reason i'm getting SPF failures during the 'make test' phase: t/spf...Not found: helo_pass = SPF_HELO_PASS # Failed test 1 in t/SATest.pm at line 530 Not found: pass = SPF_PASS # Failed test 2 in t/SATest.pm at line 530 fail #2 t/spf...FAILED tests 1-2 Failed 2/2 tests, 0.00% okay t/sql_based_whitelist...ok SpamAssassin 3.0.1 is currently running on the systems (it's happening on 2 RedHat systems, one 7.2 and one 9.0). Mail::SPF::Query is installed and the latest version. the 7.2 system is running perl 5.6.1 and the 9.0 system is running perl 5.8.0 I didn't find any information on bugzilla regarding this. any ideas? thanks, alan
Re: trying to install 3.0.2 via CPAN
Loren Wilton wrote: for some reason i'm getting SPF failures during the 'make test' phase: t/spf...Not found: helo_pass = SPF_HELO_PASS # Failed test 1 in t/SATest.pm at line 530 Not found: pass = SPF_PASS # Failed test 2 in t/SATest.pm at line 530 fail #2 t/spf...FAILED tests 1-2 Failed 2/2 tests, 0.00% okay t/sql_based_whitelist...ok I didn't find any information on bugzilla regarding this. There were some comments on the dev list just last night or earlier today about this problem, or one very much like it. I didn't quite follow where the comments led, since I'm not very interested in SPF myself. But I think this is something the devs have seen. Loren Loren, thanks for the response. So, it's probably best if i just wait to upgrade to 3.0.2 until something about this is resolved? I didn't see anything on bugzilla about it. obviously I could force install, but i really prefer not doing that if I can avoid it. alan
Re: spamd vs spamass-milter
[EMAIL PROTECTED] wrote: currently i'm using procmailrc to start spamd since i have a couple users who don't want their mails checked by SA, now i'm looking into spamass-milter. Is there an option within the milter api to exclude certain users from SA or is there another workaround to do so ? many thanks matt Matt, I'm not all that familiar with spamass-milter, however I can say that you can do what you want to do with MIMEDefang (another milter) alan
low scoring SPAM
I've recently (about a month ago) installed a new mail server and upgraded to SA 3.01. I've been training the bayes database by hand (most of our mail is japanese and the autolearning wasn't a good way to start the bayes learning) anyways, I'm not using any custom or 3rd party rules. I'm a little baffled why the following email scored so low. i'm also a little puzzled why the BAYES_99 has such a low score. i'm tempted to crank it up a bit, but concerned about how that will effect the system in general and also concerned about false positives. can anyone give me some insight? thanks alan P.S. in the past i've refrained from sending the why didn't this mail score higher types of messages to the list, but I've been seeing a pattern of hitting BAYES_99 and not many other rules. Original Message Return-Path: [EMAIL PROTECTED] Received: from mail-3.tiscali.it (mail-3.tiscali.it [213.205.33.23]) by mail.mydomain.tld (8.13.1/8.13.1) with ESMTP id iB3HsScd004906 for [EMAIL PROTECTED]; Sat, 4 Dec 2004 02:54:29 +0900 Received: from [80.179.190.4] by mail-3.tiscali.it with HTTP; Fri, 3 Dec 2004 18:49:21 +0100 Date: Fri, 3 Dec 2004 09:49:21 -0800 Message-ID: [EMAIL PROTECTED] From: [EMAIL PROTECTED] Subject: DEAR lick, PLEASE I WANT YOU TO ACT AS THE NEXT OF KIN OF MR, WINSTON lick. To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 X-Spam-Scanner: SpamAssassin 3.01 (http://www.spamassassin.org/) on mail.mydomain.tld X-Spam-Score: 3.339 / 5.000: 23.339% X-Spam-Tests: BAYES_99(1.886),RCVD_IN_BL_SPAMCOP_NET(1.216),RISK_FREE(0.230),NO_REAL_NAME(0.007) X-Spam-Level: *** X-Spam-Disposition: Suspected X-Scanned-By: MIMEDefang 2.49 on 127.0.0.1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.valueclick.jp id iB3HsScd004906 FROM: THE DESK OF BARR, KEN MARK. MARKLAWCHAMBERS NO, 56 WARF ROAD APAPA LAGOS NIGERIA. Email; [EMAIL PROTECTED] TO: lick, I am Barrister Mark Ken green, a solicitor. 
I am the private Attorney to Mr. Winston lick, a National of your country, who used to work with Strabag Construction Company in Nigeria. On the 21st of April were involved in a car accident along Sagbama Express Road. All occupants of the vehicle unfortunately lost their lives. Since then I have made several enquiries to your Embassy to locate any of my client's relatives, this has also proved unsuccessful. After these several unsuccessful attempts, I decided to trace his last name over the Internet, to locate any member of his family hence I contacted you. I have contacted you to assist in repatriating the money and property left behind by my client before they get confiscated or declared unserviceable by the Finance Company where this huge deposits were lodged where the deceased had an account valued at about 10 Million Dollars has issued me a notice! To provide the next of kin or have the account confiscated. Since I have been unsuccessful in locating the relatives for over 2 years now I seek your consent to present you as the next of kin of the deceased since you have the same last name so that the proceeds of this account valued at 10 Million Dollars can be paid to you and then you and me can share the money. 50% for me and 40% for you and 10% will be used for any expenses that this might cost on the process of this transaction. I have all necessary legal documents that can be used to back up any claim we may make. All I required is your honest co-operation to enable us see this deal through. I guarantee that this transaction will be executed under a legitimate arrangement that will protect you from any breach of the law. It is 100% risk-free. Please get in touch with me by my private email address, [EMAIL PROTECTED] to enable us discuss further Awaiting to hear from you soon. Thanks and God bless you, Mark Ken green (Esq. __ Tiscali Adsl 2 Mega Free: l'adsl piu' veloce e' gratis! 
Naviga libero dai costi fissi con Tiscali Adsl 2 Mega Free, l'adsl Free piu' veloce in Italia. In piu', se ti abboni entro il 13 dicembre 2004, navighi gratis fino al 31 marzo 2005 e non paghi il costo di adesione. http://abbonati.tiscali.it/adsl/
Re: spamd does not start
xoops$B
Re: spamd does not start
jdow wrote: (B From: "alan premselaar" [EMAIL PROTECTED] (B To: "xoops$B<B83<<4IM}?M(B" [EMAIL PROTECTED] (B Cc: users@spamassassin.apache.org (B Sent: 2004 December, 02, Thursday 23:27 (B Subject: Re: spamd does not start (B (B (B (Bxoops$B<B83<<4IM}?M(B wrote: (B (BHi, (B (BI have newly installed spamassassin-3.0.1 into linux box 2.4.18-22 (B (B running qmail with qmail-queue patch. (B (BHaving a trouble to start spamd with SPAMDOPTIONS="-x -u spamd -H (B (B /home/spamd -d": (B (B "Starting spamd: Bareword "SO_REUSEPORT" not allowed while "strict (B (B subs" in use at /usr/lib/perl5/5.6.1/IO/Socket/INET.pm line 160. (B (BCompilation failed in require at (B (B /usr/lib/perl5/5.6.1/i386-linux-thread-multi/IO/Socket.pm line 21. (B (BCompilation failed in require at /usr/bin/spamd line 38. (BBEGIN failed--compilation aborted at /usr/bin/spamd line 38. (B (BI installed prerequisited modules, HTML::Parser, DB_File Net::DNS, (B (B BerkeleyDB, Net::SMTP, Mail::SPF::Query, IP::Country::Fast. (B (BAnd it's wonder another linux box with the same configuration is (B (B running allright. (B (BThanks for any help. (B (BHodaka (B (B (BHodaka-san, (B (B what version of IO::Socket do you have installed? you may need to (Bupdate it. I haven't personally experienced this problem, but i've got (Bthe latest IO::Socket installed from CPAN. (B (Bhope this helps (B (Balan (B (B (B Please, could you use a smaller font. This one spreads the message all over (B my screen and I can't read it. It's like (B one word per line. (B (B {O.O}(And that's sarcasm if you don't get it.) (B (B (Bdon't know what you're talking about. I only use plain text email so (Bthere shouldn't be any font size control. The only thing I can think of (Bis that in replying to the original message, the charset (ISO-2022-JP) (Bwas retained and perhaps you have really small fonts settings for (BISO-2022-JP type mail in your mail client :p (B (Balan
Re: Test and Keep spam
Kenneth Porter wrote: Been getting a bunch of these lately, and they're falling on either side of the 5.0 margin. Two that came in under 5.0 today have unusual characteristics: The Bayes score on one is 60% and scores higher than one with an 80% Bayes score. You can see my current uncaught corpus here: http://home.sewingwitch.com:8000/Stuff/UncaughtSpam.mbox Kenneth, I've noticed with my corpus that BAYES_95 and BAYES_99 score less than say BAYES_80 ... which has been a little discouraging for me since most of the mail i'm filtering is japanese and other tests don't hit often so I have to rely heavily on my (manually trained) Bayes database... having items that hit BAYES_99 only scoring 1.8 and change compared to the 2 and change that BAYES_80 scores has been a little frustrating. I'm tempted to change the scores for BAYES_95 and BAYES_99, but i'm concerned about what other effects that might have ... not sure if this information will be helpful or not, but thought i'd share anyways. alan p.s. I'm using SA 3.01 with MIMEDefang 2.49 on this machine. no 3rd party rulesets installed.
Re: Japanese False Postives with Spam Assassin 3.01 and RH WS 3.0
Johnson, Robert F wrote: Hi, I have been having a high occurrence of Japanese false positives since upgrading from Spam Assassin 2.64 on RedHat 7.3 with MimeDefang 2.31 to Spam Assassin 3.01 on RedHat Workstation 3.0 installed site wide via MimeDefang 2.44. I am wondering if this is due to the problem with Red Hat 9.0 Unicode UTF-8. I had no issues with Japanese false positives in the RH 7.3 based environment. I've a few articles regarding this issue, but need some help understanding correct LANG configurations for Spam Assassin 3.01 on RedHat Workstation 3.0 installed site wide via MimeDefang 2.44. I currently have the following set in /etc/sysconfig/ i18n: ( we are US based) LANG=en_US SUPPORTED=en_US I compiled Spam Assassin from tar ball with LANG set to en_US (export LANG=en_US). Are these settings correct? Could this be causing the Japanese false positives? Are there any other known issues that can cause Japanese false positives using Spam Assassin 3.01? Thanks for any help! Rob Rob, just a couple obvious questions. what are your ok_locales and ok_languages settings in your sa-mimedefang.cf file set to? what rules are the japanese emails hitting when they're tagged as false positives? I'm based in Japan, just recently upgraded to SA 3.01 with MD 2.49 and using a MySQL based bayes database and I've been noticing some quirkiness with Japanese email as well, but haven't really pinned it down yet. alan
Re: Japanese False Postives with Spam Assassin 3.01 and RH WS 3.0
Daniel Quinlan wrote: Johnson, Robert F [EMAIL PROTECTED] writes: Based on spt checking of a couple of dozen examples, I didn't see any significant pattern of out of the box rules being involved, mostly SARE or WIKI rules. The most heavily implicated were the following: (MANGLED and SARE_SUB_CASH_CHAR probably had the biggest impact. SARE Rules SARE_SUB_CASH_CHAR SARE_RAND_2 WIKI Rules MANGLED_LIST MANGLED_LIPS J_CHICKENPOX_12 J_CHICKENPOX_22 HTML_BACKHAIR_4 The last of those is a default rule, but it has almost a zero score. Out of the Box: GAPPY_SUBJECT FREE_SAMPLE OBSCURED_EMAIL The problem doesn't sound like it's SpamAssassin despite the subject line of this email, rather it's third-party rulesets. Daniel I hit GAPPY_SUBJECT and OBSCURED_EMAIL *A LOT* ... i don't have any 3rd party rulesets installed. as a side note, i've been recently trying to update the JAPAN_UCE_SUBJECT rule as there's another phrase that's being used recently, and for some reason it hasn't been triggering. I think part of the problem is that I have to enter it in ISO-2022-JP charset and it contains at least 2 escape(d) characters so the regex might not be accurate. (still working on that) alan
Re: sa-learn problem
Bob Mortimer wrote: *snip* #!/usr/bin/perl5.8.3 -T -w which is clearly where the problem lies. Correcting that to #!/usr/bin/perl5.8.5 -T -w solves the problem but still leaves me wondering how it happened in the first place. Thanks for the help! Bob, I'd suggest changing it to /usr/bin/perl -T -w (instead of /usr/bin/perl5.8.5) to prevent the same kind of confusion should you ever upgrade perl again. alan
Re: sa-learn problem
Bob Mortimer wrote:

I've run into a problem with sa-learn. I'm running SA 3.0.1, and since the RPMs always seem to lag behind the binaries it's compiled. I call spamassassin using amavsd. I think the problem has arisen since upgrading my Mandrake system from 10.0 to 10.1, it looks like 10.1 uses Perl 5.8.5, I think 10.0 was on 5.8.3 when I try to sa-learn my ham/spam I get the following:

/usr/bin/sa-learn: /usr/bin/perl5.8.3: bad interpreter: No such file or directory

I've tried recompiling spamassassin but it seems to have made no difference. ISTR I ran into a similar problem when the SURBL stuff came out and it involved moving some files around somewhere in the /usr/lib/perl5/vendor_perl/5.8.* tree but I seem to have run out of talent in trying to figure it out ;-) Any help appreciated. Regards, Bob

Bob, what is the actual sa-learn command you're using? I ran into this using Maildir format by specifying

sa-learn -D --spam /path/to/maildir/cur/*

and received

/usr/bin/sa-learn: /usr/bin/perl: bad interpreter: too many arguments

as an error. I found that doing

find /path/to/maildir/cur/ -name * -exec sa-learn --spam {} \;

mostly worked but had some unexpected results that make me think I didn't need to specify the * after my path. (although perl choked if i didn't) this is on a system that I am running Perl 5.8.0 on (although it seems to be working now). I had maybe 1300+ mail files in the directory. anyways, it seems to me like either the file you're telling it to read is either not there, or it's been moved while it was open. hope this helps alan
Re: Configuring bayes lock file locations?
brian wrote: After upgrading to 3.0.1 I've been having problems with bayes. This may be a question for the mimedefang guys, but I'll start here. I have upgraded the databases, and its now reading correctly, as I get bayes scoring now. However autoupdates are failing because of lock files... In my config I have: bayes_path /var/spool/MIMEDefang Maillog is reporting: Nov 17 12:54:02 lithium mimedefang-multiplexor[35151]: Slave 0 stderr: bayes: lock: 35570 cannot create tmp lockfile /var/spool/MIMEDefang.lock.host.domain.com.35570 for /var/spool/MIMEDefang.lock: Permission denied This seems to me a spamassassin error message. It appears that I need to be able to configure where the lock file is written. /var/spool is not an option since its not a very good idea to loosen permissions here for obvious security reasons (not to mention mimedefang will tell you to sod off until you fix it). Brian, This has been discussed on the MIMEDefang list in the past. It appears to be a timing issue between MIMEDefang and the SA locking mechanisms. adding 'bayes_learn_to_journal 1' to your sa-mimedefang.cf file should resolve your problems. (at least it resolved the problem for me) hope this helps. alan
[Fwd: problems with CHARSET_FARAWAY_HEADER rule being triggered]
[resending]

Hi,

It's been a while since I've participated on the list. I've just attempted to scour the entire net trying to find some information on this, but I haven't found anything.

I've just installed SpamAssassin 3.01 in conjunction with MIMEDefang 2.48 on a Red Hat Enterprise Server 3.0 machine. The problem I'm encountering is that even with ok_languages en ja and ok_locales en ja in my config file, mails that arrive with a Japanese (iso-2022-jp) subject are triggering the CHARSET_FARAWAY_HEADERS rule. I'm running the same setup on a Red Hat 9 machine with version 3.0 of SpamAssassin and 2.45 of MIMEDefang with the same configuration options and I'm not experiencing this problem. Is it possible that something broke in the 3.01 update?

For the time being, I've set the CHARSET_FARAWAY_HEADER score to really low (so I can see if it's being triggered, but so it won't push the score up), but I'd like to be able to set it back since we occasionally get UCE with Chinese or other foreign charsets in the subject or header.

The bayes database doesn't currently have enough emails trained to be active. The system I'm not having the problem with has an active bayes database.

Any assistance will of course be greatly appreciated.

Thanks,
alan