Domain Age
Hello, today we came up with the idea to look at the domain age. It may be a criterion for otherwise perfect messages. Is there something I could ask with a domain name and receive the age as answer? Andreas
Re: SPAM from a registrar
Tom Hendrikx: but postfix has a feature that can check the MX and NS records of the envelope sender or hostname of the connecting ip. I know and use that. If these are all the same, you could block connections based on those. That's interesting, no idea how to compare something in postfix. Could you post an example? Andreas
Re: writing rules howto?
Karsten Bräckelmann: Since SA 3.4, there are template tags which already might be all you need. The template tags _URIHOSTS_ and _URIDOMAINS_ list all extracted (and to be looked up) URIs, including full hostname and domain only respectively. No path information. add_header all UriHosts _URIHOSTS_ will add an X-Spam-UriHosts header. Since this actually is provided by the URIDNSBL plugin, skiplist and max number apply as outlined. Kasten, thanks for these comprehensive answers. I think they are valuable pointers. Andreas
Re: writing rules howto?
Andreas Schulze: Kasten, sorry - Karsten works wonderfully. I now have a list of hostnames SA finds in the message body as a new header! Thanks. Much simpler than I thought... Andreas
writing rules howto?
Hello, I have to get an overview of http links in a specific mail stream. My plan is to use spamassassin as it could parse the message body much better than I do :-) There is a plugin URIDNSBL that could fire dns queries for every url found. That's fine for me, as the url is then in my dnsserver log. But I'd like to combine it with other properties of a message. Is it possible to do something like this:
    if (subject =~ foo) {
        uridnsbl URIBL_FOO foo.myzone. A
        body URIBL_FOO eval:check_uridnsbl('URIBL_FOO')
    }
    if (subject =~ bar) {
        uridnsbl URIBL_BAR bar.myzone. A
        body URIBL_BAR eval:check_uridnsbl('URIBL_BAR')
    }
Thanks for hints Andreas
Re: Availability of 3.4.0 release candidate 5
Quoting Mark Martinec mark.martinec...@ijs.si: Curl uses environment variable http_proxy (lowercase), same as wget and LWP (libwww-perl) and similar tools. Don't know where you got the uppercase variant. Good point. The uppercase version simply did its job. I just tried the lowercase version and sa-update works again (without .curlrc). So I now have two versions to use a proxy :-) Thanks Mark!
Re: Availability of 3.4.0 release candidate 5
Hello, thanks for that great software. The only problem I found is an issue with sa-update: My network requires the use of an http proxy incl. authentication. To load updates I currently (sa-3.3.2) set HTTP_PROXY=... for sa-update. That does not work anymore in 3.4. As I use curl I now have to create a file ~sa/.curlrc:
    proxy = proxy.example.org:3128
    proxy-user = foobar:pass
That solves the issue for me. Andreas
Re: Available of 3.4.0 Release Candidate 3
On 11.10.2013 17:05, Kevin A. McGrail wrote: On behalf of the PMC, the ASF SpamAssassin Project is pleased to announce the availability of our third release candidate for 3.4.0. Hi all! thanks for that great software first! I found two minor issues in perl documentation and attach a patch. There is another documentation issue in Conf.pm (found by debian lintian): --- lintian output: W: spamassassin: manpage-has-errors-from-man usr/share/man/man3/Mail::SpamAssassin::Conf.3pm.gz 1749: warning [p 25, 4.5i, div `an-div', 0.2i]: can't break line N: N:This man page provokes warnings or errors from man. N: N:cannot adjust or can't break are trouble with paragraph filling, N:usually related to long lines. Adjustment can be helped by left N:justifying, breaks can be helped with hyphenation, see Manipulating N:Filling and Adjusting and Manipulating Hyphenation in the manual. N: N:can't find numbered character usually means latin1 etc in the input, N:and this warning indicates characters will be missing from the output. N:You can change to escapes like \[:a] described on the groff_char man N:page. N: N:Other warnings are often formatting typos, like missing quotes around a N:string argument to .IP. These are likely to result in lost or malformed N:output. See the groff_man (or groff_mdoc if using mdoc) man page for N:information on macros. N: N:This test uses man's --warnings option to enable groff warnings that N:catch common mistakes, such as putting . or ' characters at the start of N:a line when they are intended as literal text rather than groff N:commands. This can be fixed either by reformatting the paragraph so that N:these characters are not at the start of a line, or by adding a N:zero-width space (\) immediately before them. N: N:At worst, warning messages can be disabled with the .warn directive, see N:Debugging in the groff manual.
N: N:To test this for yourself you can use the following command: N: LANG=en_US.UTF-8 MANWIDTH=80 man --warnings -E UTF-8 -l file /dev/null N: N:Severity: normal, Certainty: certain Andreas Index: spamassassin-3.4.0.rc3/lib/Mail/SpamAssassin/Conf.pm === --- spamassassin-3.4.0.rc3.orig/lib/Mail/SpamAssassin/Conf.pm 2013-10-12 22:44:34.0 +0200 +++ spamassassin-3.4.0.rc3/lib/Mail/SpamAssassin/Conf.pm 2013-10-12 22:54:35.0 +0200 @@ -2620,11 +2620,11 @@ for example CFrom:addr:raw or CFrom:raw:addr is currently the same as CFrom:addr . -=over 4 - For example, appending C:addr to a header name will result in example@foo in all of the following cases: +=over 4 + =item example@foo =item example@foo (Foo Blah) Index: spamassassin-3.4.0.rc3/lib/Mail/SpamAssassin/Plugin/DNSEval.pm === --- spamassassin-3.4.0.rc3.orig/lib/Mail/SpamAssassin/Plugin/DNSEval.pm 2013-10-12 22:55:30.0 +0200 +++ spamassassin-3.4.0.rc3/lib/Mail/SpamAssassin/Plugin/DNSEval.pm 2013-10-12 22:57:13.0 +0200 @@ -318,6 +318,8 @@ _check_rbl_addresses(@_, $_[1]-all_from_addrs()); } +=over 4 + =item check_rbl_from_domain This checks all the from addrs domain names as an alternate to check_rbl_from_host
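Review bot: In the DNSEval.pm hunk at -318, the added =over 4 opens a list directly before =item check_rbl_from_domain, but no matching =back is visible in the hunk. POD needs every =over closed, so the patch should also add =back after the last =item of this list; otherwise the page stays unbalanced.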
Re: When/How to train bayes from user mail?
Quoting Florian Lindner mailingli...@xgm.de: Since we move our server (and upgrade from oldstable to stable) I want to reconsider how I organize mails serverside. Debian, MTA is postfix, MDA maildrop (like procmail), IMAP was courier, will be dovecot. If you use dovecot, maildrop is obsolete. Deliver your mail via LMTP (or dovecot-lda) to dovecot and let dovecot-sieve do the filtering to subfolders. Also consider using amavisd-new + clamav + spamassassin to REJECT mails (not accept + delete). You may connect amavisd-new as SMTPD_PROXY or using amavisd-milter to your postfix MTA. My biggest open question is how to integrate the SA bayes filter, esp. when and on what folders to do training. I train sa only using the autolearn feature. Andreas
header field without value invalid?
Hello, today I found messages with strange headers: they had an empty value. Example:
    From: ...
    To: ...
    X-MS-TNEF-Correlator:<space><newline>
    Date: ...
Is this against any RFC and could/should [not?] be rejected or used to identify spam? Thanks Andreas
From header required
Hello, every mail MUST have exactly one From header (RFC5322, 3.6). Same RFC, Section 3.6.2 allows a From header to contain a list of senders (Why ???). In this case exactly one Sender header MUST be present and it MUST NOT be a list. Are there SA rules to score a missing or multiple From header? Does anybody score these and is willing to share his SA rules? Thanks Andreas
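Added example, not part of the original posts and not SpamAssassin rules: a small Python check for the header conditions raised in the two questions above, namely the RFC 5322 section 3.6 From/Sender cardinality and header fields with an empty value. The function name, the finding labels and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not taken from the list posts).
SAMPLES = {
    "ok": "From: a@example.org\nTo: b@example.net\nSubject: hi\n\nbody\n",
    "no_from": "To: b@example.net\nSubject: hi\n\nbody\n",
    "two_from": ("From: a@example.org\nFrom: c@example.org\n"
                 "To: b@example.net\n\nbody\n"),
    "list_no_sender": ("From: a@example.org, c@example.org\n"
                       "To: b@example.net\n\nbody\n"),
    "list_with_sender": ("From: a@example.org, c@example.org\n"
                         "Sender: a@example.org\nTo: b@example.net\n\nbody\n"),
    "empty_value": ("From: a@example.org\nTo: b@example.net\n"
                    "X-MS-TNEF-Correlator: \n"
                    "Date: Tue, 20 Nov 2012 19:58:57 +0100\n\nbody\n"),
}


def header_findings(raw):
    """Return a sorted list of finding labels for one raw message."""
    msg = message_from_string(raw)
    findings = set()

    # RFC 5322 3.6: the From field occurs exactly once.
    from_fields = msg.get_all("From", [])
    if not from_fields:
        findings.add("MISSING_FROM")
    elif len(from_fields) > 1:
        findings.add("MULTIPLE_FROM_FIELDS")

    # RFC 5322 3.6: the Sender field occurs at most once.
    sender_fields = msg.get_all("Sender", [])
    if len(sender_fields) > 1:
        findings.add("MULTIPLE_SENDER_FIELDS")

    # RFC 5322 3.6.2: a From field listing several mailboxes requires
    # a Sender field that names a single mailbox.
    authors = [addr for _, addr in getaddresses(from_fields) if addr]
    if len(from_fields) == 1 and len(authors) > 1:
        senders = [addr for _, addr in getaddresses(sender_fields) if addr]
        if not sender_fields:
            findings.add("FROM_LIST_WITHOUT_SENDER")
        elif len(senders) != 1:
            findings.add("SENDER_NOT_SINGLE_MAILBOX")

    # Report fields whose value is empty or whitespace only; whether to
    # score them is a local policy decision.
    for name, value in msg.items():
        if not str(value).strip():
            findings.add("EMPTY_FIELD:" + name)
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, header_findings(raw))
```
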
Re: Interpreting an Authentication-Results: header ?
On 29.03.2013 02:36, Karsten Bräckelmann wrote: On Fri, 2013-03-29 at 00:56 +, John Levine wrote: Is there any way to tell spamassassin to look at the A-R header rather than trying to rerun the SPF and DKIM checks itself? In sa-3.3.2/Plugin/SPF.pm there is still code like this:
    if ($hdr =~ /^received-spf:/) {
        # parse
        return
    } elsif ($hdr =~ /^Authentication-Results:/) {
        # parse
        return
    }
    check_spf
Maybe it's simply not documented ... Andreas
Re: wrong RCVD_IN_PBL?
On Sun, 18.11.2012, 18:48, dar...@chaosreigns.com wrote: are you sure? I will report it to my ISP No, I'm not sure, which is why I said I believe and But I haven't actually looked into those details lately. We need better documentation of this. But I am very confident something along these lines is your problem, and that it's appropriate to complain to your ISP that they're not properly indicating authentication in the received header they're adding. Hi all, I have a similar issue with a web.de (German webmail) user. He uses his iPhone to submit mail via web.de submission service. (TLS + Authentication) The message triggers RCVD_IN_PBL and others. Any hint to make those messages pass sa? Here are the headers:
--- snip
    X-Spam-Status: Yes, score=7.14 tag=-999 tag2=5 kill=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_IMAGE_ONLY_12=2.059, HTML_MESSAGE=0.001, MTX_NONE=0.001, RCVD_IN_PBL=3.335, RCVD_IN_PSBL=2.7, RCVD_IN_RP_RNBL=1.31, RP_MATCHES_RCVD=-0.369, TVD_SPACE_RATIO=0.001] autolearn=no
    X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on idvamavis03.datev.de
    X-Spam-ASN: AS8560 82.165.0.0/16
    Received: from mout-xforward.web.de (mout-xforward.web.de [82.165.159.34]) by idvmailin03.datev.de (Postfix) with ESMTP id 3Y5btV2sQ8z690G; Tue, 20 Nov 2012 20:04:02 +0100 (CET)
    Received: from [192.168.178.43] ([93.205.254.85]) by smtp.web.de (mrweb102) with ESMTPSA (Nemesis) id 0MA5v3-1TPekj36PR-00BSUp; Tue, 20 Nov 2012 19:59:01 +0100
    Subject: test
    References: a0323c6a-fb02-42df-aa94-c97672816...@web.de
    From: foo...@web.de foo...@web.de
    Mime-Version: 1.0 (1.0)
    Content-Type: multipart/alternative; boundary=Apple-Mail-87E5DAF2-18C6-4FCD-BF0D-CD6386E473CE
    X-Mailer: iPhone Mail (10A523)
    Message-Id: e41b88ea-b9cf-4ab1-a033-c2c7c0a13...@web.de
    Date: Tue, 20 Nov 2012 19:58:57 +0100
    Cc: foo...@datev.de
    Content-Transfer-Encoding: 7bit
    To: foo...@datev.de
    X-Provags-ID: V02:K0:EvqK/RN09UfFRommwYltjAXMl2r5JXh5KWYmQ/XvFE7 v78RzfvGZ2i90sbUnAmle0j16h4tGzLgsFuwPaanb1zpyriAC1 wbvb4NZuBy1wZDi2uIhlRUmtyTNNXdYa4InULTNS7wG4t+vqOm ugaM5p60njVb35BTzZd8ONV2nh4sL0Mke/7RawEhWRPZkuXKs8 LiB5mlVf7ikRcHdur53ew==
    --Apple-Mail-87E5DAF2-18C6-4FCD-BF0D-CD6386E473CE
--- snap
Solved: SA without Mail::SPF::Query
On Thu, 6.09.2012, 13:08, Andreas Schulze wrote: Is it possible to use the result of the milter in the same way SA would do with its own SPF implementation? Then the SPF information could have an influence on the spam score. I run smf-spf milter (sf.net/projects/smfs) and applied a number of patches. Among them is a patch to use the milter API function INSERT header instead of ADD header. The intention was not to append new headers at the bottom but to insert them on top (logically: in place). The milter documentation (https://www.milter.org/developers/api/smfi_insheader) mentions idx: 0 makes it the topmost header. Sounds fine. But there is a hidden side effect I learned today: headers added by one milter are visible to the next milter. But that seems not to be true if inserting at position 0. Then the insert is delayed until all milters are finished. Now the header is on top. But the header is hidden from other milters. So my amavisd-milter - amavisd-new - spamassassin chain never saw the Received-SPF header. Simple solution: I modified my patch to insert at position 1. Instantly the Received-SPF header was visible to spamassassin and SA started using the header. No writing rules, no other SA voodoo. spamassassin simply does its job :-) Andreas
SA without Mail::SPF::Query
Hello, for technical reasons I have no Mail::SPF::Query. So my SA has no view of the SPF settings of an incoming mail. But I run an SPF milter in front of SA without Mail::SPF::Query. That filter adds a Received-SPF header to the mails but does not reject. Is it possible to use the result of the milter in the same way SA would do with its own SPF implementation? Then the SPF information could have an influence on the spam score. Thanks Andreas
Re: SA without Mail::SPF::Query
On 06.09.2012 17:08, Ned Slider wrote: If your milter adds the Received-SPF header before the mail is passed to SA then maybe you could simply write a rule to check the Received-SPF header and score as you see appropriate. Yes, the milter adds a Received-SPF header. Could you point me to some sample rules? Thanks Andreas
OT: survey
Hello, I'd like to ask you who knows/uses MTX (http://www.chaosreigns.com/mtx). Thanks for a short response off-list. Andreas
Re: SpamTips.org: Why run your own DNS server?
Warren, Anyone have any better tips of an alternate DNS resolver, or configuration options to improve this suggested configuration? Please distinguish between DNS server and recursive+caching resolver. The HowTo means the second one... http://en.wikipedia.org/wiki/Domain_Name_System#Name_servers Other resolvers installable by users are
- unbound ( http://unbound.net )
- dnscache ( http://cr.yp.to/dnscache.html )
- bind (of course)
- http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
-- Andreas Schulze
day old bread DNSBL
Hi all, yesterday I learned about day old bread, a list of domains registered in the last five days. I found information from 2007: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200704.mbox/4615e4b7.5010...@inetmsg.com Does anybody have current experience? Thanks -- Best regards Andreas Schulze
Re: Testing Needed: spamassassin-3.3.2-rc1
On 14.05.2011 22:34, Warren Togami Jr. wrote: Warren, It would be helpful for folks to test it and provide feedback. the perldoc in some files is minimalistic :-) But sometimes the perldoc produces manpages with errors: - lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm - lib/Mail/SpamAssassin/Util/DependencyInfo.pm - lib/Mail/SpamAssassin/Util/RegistrarBoundaries.pm Attached my patch. Andreas -- # # Andreas Schulze # https://andreasschulze.de # # GnuPG Key-ID: A7DBA67F, https://andreasschulze.de/sca.asc # GnuPG Fingerprint: 14C1 39A8 CE6D 6BE0 28C6 5652 03B5 6793 A7DB A67F # # $Id: .signature,v 1.3 2007-12-27 21:13:36 sca Exp $ Index: spamassassin-3.3.2-rc1/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm === --- spamassassin-3.3.2-rc1.orig/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm 2011-05-14 12:07:52.0 +0200 +++ spamassassin-3.3.2-rc1/lib/Mail/SpamAssassin/Plugin/OneLineBodyRuleType.pm 2011-05-15 22:08:31.0 +0200 @@ -1,6 +1,6 @@ =head1 NAME -Mail::SpamAssassin::Plugin::OneLineBodyRuleType +Mail::SpamAssassin::Plugin::OneLineBodyRuleType - spamassassin body test plugin =cut Index: spamassassin-3.3.2-rc1/lib/Mail/SpamAssassin/Util/DependencyInfo.pm === --- spamassassin-3.3.2-rc1.orig/lib/Mail/SpamAssassin/Util/DependencyInfo.pm 2011-05-14 12:07:52.0 +0200 +++ spamassassin-3.3.2-rc1/lib/Mail/SpamAssassin/Util/DependencyInfo.pm 2011-05-15 22:08:31.0 +0200 @@ -17,6 +17,16 @@ # limitations under the License. # /@LICENSE +=head1 NAME + +Mail:SpamAssassin::Util::DependencyInfo - spamassassin debugging helpers + +=head1 SYNOPSIS + +loadplugin Mail:SpamAssassin::Util::DependencyInfo + +=cut + package Mail::SpamAssassin::Util::DependencyInfo; use strict; 
@@ -220,6 +230,10 @@ =over 4 +=head1 METHODS + +=over 4 + =item $f-debug_diagnostics () Output some diagnostic information, useful for debugging SpamAssassin Index: spamassassin-3.3.2-rc1/lib/Mail/SpamAssassin/Util/RegistrarBoundaries.pm === --- spamassassin-3.3.2-rc1.orig/lib/Mail/SpamAssassin/Util/RegistrarBoundaries.pm 2011-05-14 12:07:52.0 +0200 +++ spamassassin-3.3.2-rc1/lib/Mail/SpamAssassin/Util/RegistrarBoundaries.pm 2011-05-15 22:08:31.0 +0200 @@ -18,6 +18,12 @@ # limitations under the License. # /@LICENSE +=head1 NAME + +Mail::SpamAssassin::Util::RegistrarBoundaries - domain delegation rules + +=cut + package Mail::SpamAssassin::Util::RegistrarBoundaries; use strict; @@ -289,6 +295,10 @@ =over 4 +=head1 METHODS + +=over 4 + =item ($hostname, $domain) = split_domain ($fqdn) Cut a fully-qualified hostname into the hostname part and the domain
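Review bot: In the DependencyInfo.pm hunk at -17, the added NAME and SYNOPSIS lines spell the module as Mail:SpamAssassin::Util::DependencyInfo with a single colon after Mail, while the package line in the same hunk reads Mail::SpamAssassin::Util::DependencyInfo. Use Mail:: in both places. The SYNOPSIS also shows loadplugin for a module under Util/ that the NAME line describes as debugging helpers; a usage line that matches how the module is actually called would be more accurate.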
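Review bot: In the hunks at -220 (DependencyInfo.pm) and -289 (RegistrarBoundaries.pm), the new =head1 METHODS is inserted directly after an existing =over 4 context line and is followed by a second =over 4. That places a heading inside an open list and opens two lists while the visible lines close none. Moving =head1 METHODS above the existing =over 4 and dropping the added one would keep the POD balanced.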
Re: Testing Needed: spamassassin-3.3.2-rc1
On 15.05.2011 22:29, Andreas Schulze wrote: But sometimes the perldoc produces manpages with errors: and some other manpage changes ... Attached my other patch. Andreas -- # # Andreas Schulze # https://andreasschulze.de # # GnuPG Key-ID: A7DBA67F, https://andreasschulze.de/sca.asc # GnuPG Fingerprint: 14C1 39A8 CE6D 6BE0 28C6 5652 03B5 6793 A7DB A67F # # $Id: .signature,v 1.3 2007-12-27 21:13:36 sca Exp $ Index: spamassassin-3.3.2-rc1/lib/Mail/SpamAssassin/Conf.pm === --- spamassassin-3.3.2-rc1.orig/lib/Mail/SpamAssassin/Conf.pm 2011-05-14 12:07:53.0 +0200 +++ spamassassin-3.3.2-rc1/lib/Mail/SpamAssassin/Conf.pm2011-05-15 22:08:41.0 +0200 @@ -279,6 +279,8 @@ =back +=back + =head2 WHITELIST AND BLACKLIST OPTIONS =over 4 @@ -1952,6 +1954,8 @@ =back +=back + =head1 RULE DEFINITIONS AND PRIVILEGED SETTINGS These settings differ from the ones above, in that they are considered @@ -2965,7 +2969,7 @@ sprintf statement with the username as the only parameter, thus is can hold a single __USERNAME__ expression. This will be replaced with the username. -Example: Cldap://localhost:389/dc=koehntopp,dc=de?spamassassinconfig?uid=__USERNAME__ +Example: Cldap://localhost:389/dc=koehntopp,dc=de?saconfig?uid=__USERNAME__ =cut Index: spamassassin-3.3.2-rc1/sa-learn.raw === --- spamassassin-3.3.2-rc1.orig/sa-learn.raw2011-05-14 12:07:56.0 +0200 +++ spamassassin-3.3.2-rc1/sa-learn.raw 2011-05-15 22:08:41.0 +0200 @@ -1326,7 +1326,7 @@ Elthttp://www.paulgraham.com/Egt Paul Graham's A Plan For Spam paper -Elthttp://radio.weblogs.com/0101454/stories/2002/09/16/spamDetection.htmlEgt +Elthttp://www.linuxjournal.com/article/6467Egt Gary Robinson's f(x) and combining algorithms, as used in SpamAssassin Elthttp://www.bgl.nu/~glouis/bogofilter/Egt
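Review bot: The Conf.pm hunk at -2965 changes the documented LDAP example from spamassassinconfig to saconfig, which alters the attribute name a reader would copy rather than only the formatting. If the goal is a shorter line for man, say so in the patch description, or keep the original attribute name and shorten the example another way.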
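Review bot: The sa-learn.raw hunk at -1326 swaps the radio.weblogs.com link for http://www.linuxjournal.com/article/6467 under the unchanged description line "Gary Robinson's f(x) and combining algorithms". The patch gives no reason for the swap; state why the link is replaced and confirm that the new article covers the same material, so the reference can be verified.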
why matches FRT_SOMA and URI_HEX ?
Hello, yesterday I noticed a DSN my mailer sent back was rejected as spam. I found that the SA rules FRT_SOMA and URI_HEX match but I can't find out why. Here is the postfix queuefile I sent and the quarantined file amavisd saved for this investigation: http://andreasschulze.de/tmp/queuefile http://andreasschulze.de/tmp/quarantined What could I change so that my mails no longer match the mentioned rules? Thanks -- Best regards Andreas Schulze
Re: autolearn=ham was wrong, howto retrain ?
Hi, -forget Forget a message I do sa-learn --forget message; sa-learn --spam message, right? -- Best regards Andreas Schulze
using spamhaus droplist with sa ?
Hello, http://www.spamhaus.org/faq/answers.lasso?section=DROP The FAQ mentions as its very last point using the Spamhaus Drop list with SA. Is anybody doing this and can explain it in detail? Thanks Andreas
dkim-reputation.org / SA-Plugin
Hi all, dkim-reputation.org has a spamassassin plugin to query their database. http://www.dkim-reputation.org/spamassassin/ Unfortunately it is outdated. It's only available for SA 3.2.5. Has anybody managed to get the plugin to run with SA 3.3.1? Thanks, Andreas -- # # Andreas Schulze # https://andreasschulze.de # # GnuPG Key-ID: A7DBA67F, https://andreasschulze.de/sca.asc # GnuPG Fingerprint: 14C1 39A8 CE6D 6BE0 28C6 5652 03B5 6793 A7DB A67F # # $Id: .signature,v 1.3 2007-12-27 21:13:36 sca Exp $
abstruse warning in maillog
Hello, I call SA from amavisd-new and found this warning in my logfile.
    Aug 23 11:36:27 taro amavis[32405]: (32405) _WARN: auto-whitelist: open of auto-whitelist file failed: Can't locate auto/NetAddr/IP/full6.al in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/AutoWhitelist.pm line 318
I have debian lenny + libnetaddr-ip-perl 4.007+dfsg-2+b1. sa-3.3.1 is built and installed from the sources. Must I update libnetaddr-ip-perl? Is there a minimum version of NetAddr-IP required? If so, why does the build process not complain about it? -- Andreas
IPv6 problem with sa-update
Hi, on my Debian Lenny /etc/resolv.conf contains options inet6. sa-update failed with return code 4.
    GET http://spamassassin.apache.org/updates/MIRRORED.BY request failed: 500 Can't connect to spamassassin.apache.org:80 (Bad hostname 'spamassassin.apache.org'): 500 Can't connect to spamassassin.apache.org:80 (Bad hostname 'spamassassin.apache.org')
    error: no mirror data available for channel updates.spamassassin.org
    channel: MIRRORED.BY contents were missing, channel failed
If I remove options inet6 from /etc/resolv.conf the update runs as expected. Any suggestions? Andreas -- # # Andreas Schulze # https://andreasschulze.de # # GnuPG Key-ID: A7DBA67F, https://andreasschulze.de/sca.asc # GnuPG Fingerprint: 14C1 39A8 CE6D 6BE0 28C6 5652 03B5 6793 A7DB A67F # # $Id: .signature,v 1.3 2007-12-27 21:13:36 sca Exp $
Re: IPv6 problem with sa-update
On Sun, Aug 08, 2010 at 02:57:29PM -0500, Dave Funk wrote: For some reason when you set that options inet6 your system is not willing to fall back to IPv4 mode (or a bug is preventing it). That's what you need to look into (until such time as spamassassin.apache.org gets v6 connected ;). Hi Dave, in my resolver logs I found that some piece of software (maybe sa-update ?) is asking for spamassassin.apache.org and the resolver responds with nodata:
    [1281297903] unbound[19171:0] info: iterator operate: query spamassassin.apache.org. IN
    [1281297903] unbound[19171:0] info: processQueryTargets: spamassassin.apache.org. IN
    [1281297903] unbound[19171:0] info: reply from apache.org. 204.16.254.6#53
    [1281297903] unbound[19171:0] info: query response was nodata ANSWER
A short time later:
    [1281297903] unbound[19171:0] info: validator operate: query spamassassin.apache.org. A IN
    [1281297903] unbound[19171:0] info: response for spamassassin.apache.org. A IN
    [1281297903] unbound[19171:0] info: reply from apache.org. 2001:610:3:200a:192:87:36:2#53
    [1281297903] unbound[19171:0] info: query response was ANSWER
Unfortunately unbound does not log the answer ;-( So I think some piece of software does not respect the second answer when the first shot gives nodata. Andreas