Re: Tricky University spam

2006-03-03 Thread Barton L. Phillips

That is just sad.

Ronan McGlue wrote:

Chris Santerre wrote:

 > Hey all!
 >
 > So I can't seem to stop this spam.  All it is are a bunch of random
 > words then a gif file.  Below is an example of the words:
 >
 > cocky may spice a drove not omit it silas or allegheny not
 > arcadia try obstinacy it heft but essay may lamb and dignify
 > a nudge and vine or anna ! jiffy but robe on dependent or
 > captious it's escheat it cloak try expert a coda , albatross
 > , on adventurous be chauncey some
 > some emitting try keystone it's
 >
 > Then a gif with the spam.  Anyone know how to even begin to stop this?
 >
 > The only thing that is constant with any of them is the size of the gif
 > at 18.3K.  Thanks all!

James, that info is about as useful as Lawrence Welk being a hockey 
coach.

Who's Lawrence Welk ? :)


These types of spams have to be looked at from the headers. Why not 
just post the whole spam with headers, and obfuscate the email 
address in it?


--Chris






--

Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com



Re: Rejecting emails in procmailrc?

2006-02-27 Thread Barton L. Phillips
You could of course pipe the mail to a script like perl or awk etc. and 
do the real work there.

# procmail's regexps have no {n} operator, so the 20 stars (score of 20
# or more) are spelled out; 'f' runs the pipe as a filter, 'h' hands it
# only the headers
:0fh
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
|  /home/myname/mycoolprogram.pl

Another alternative is use mimedefang and write a rule in 
mimedefang_filter filter_end() to do the job.


Greg Allen wrote:

If you are using Postfix you can do something like this in header_checks :
 
/^X-Spam-Level: \*{20}.*/  REJECT  Spam content rejected. 
 
 
(Test the syntax, but I think the above is correct or very very close.)
 
header_checks is run as a Postfix process AFTER SA is done with the 
message, so you can use it to detect SA spam headers and take an action.
 
Rather than send a message back (which could make you a spammer) it 
would be better to just send it to an admin account for further review 
or just delete it.
 
 
/^X-Spam-Level: \*{20}.*/  REDIRECT [EMAIL PROTECTED]
 
 
 
 
 
 


-----Original Message-----
From: Alex Jalali [mailto:[EMAIL PROTECTED]
Sent: Monday, February 27, 2006 2:49 AM
To: users@spamassassin.apache.org
Subject: Rejecting emails in procmailrc?

Hello,

How can I reject mails that have a high score along with a reason
message instead of moving them to a folder?


I am using this in procmailrc to send spams to junk mail folder
which works fine.

:0:
* ^X-Spam-Status: Yes
/${HOME}/'Junk E-mail'

Now I need something like this to reject mails with score 16 or more

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
?? "550 Your email is in our spam list. To be removed, write
to us at xxx"




I have set up spamassassin 3 with sendmail and procmail on redhat 9




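
A Python stand-in for the script Barton suggests piping the mail into (his /home/myname/mycoolprogram.pl), added here as an example and not taken from the thread. It reads the already-scored message on stdin, counts the stars in X-Spam-Level and returns a disposition rather than a 550, because by the time procmail runs the MTA has accepted the message; the 16-star threshold (Alex's "score 16 or more"), the helper names and make_sample() are assumptions of this example.

```python
#!/usr/bin/env python3
"""Delivery-time spam triage for a message procmail pipes in on stdin.
Added example: procmail runs after the MTA has accepted the mail, so a
550 reject is no longer possible; a very high score is quarantined for an
admin (as Greg suggests) rather than bounced back to a forged sender."""
import email
import sys
from email import policy

QUARANTINE_STARS = 16   # assumed policy: score 16+ (one '*' per point)

def spam_level(msg):
    """Count the '*' characters SpamAssassin wrote into X-Spam-Level."""
    return str(msg.get("X-Spam-Level", "")).count("*")

def disposition(msg, quarantine_stars=QUARANTINE_STARS):
    """Return 'quarantine', 'junk' or 'inbox' for an already-scored message."""
    if spam_level(msg) >= quarantine_stars:
        return "quarantine"
    status = str(msg.get("X-Spam-Status", ""))
    if status.lower().startswith("yes"):
        return "junk"
    return "inbox"

def classify(raw):
    """Parse raw RFC 822 text and return its disposition."""
    return disposition(email.message_from_string(raw, policy=policy.default))

def make_sample(status, stars):
    """Build a constructed test message carrying the given SA headers."""
    return ("From: sender@example.invalid\nSubject: test\n"
            f"X-Spam-Status: {status}\n"
            f"X-Spam-Level: {'*' * stars}\n\nbody\n")

if __name__ == "__main__":
    # invoked from a procmail '|' action: print the decision so a wrapper
    # recipe (or the script itself, extended) can route the message
    print(classify(sys.stdin.read()))
```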



Re: SPF Error: cannot get HELO, cannot use SPF

2006-02-25 Thread Barton L. Phillips
Yes I am sure I see the -100 score effect, here is an example from this 
message posted to the list:


X-Spam-Status: No, hits=-107.0 required=5.0
tests=1.6:AWL;
version=3.1.0
X-Scanned-By: MIMEDefang 2.53 on 68.122.243.210

Note that it is mimedefang and not spamassassin that is writing the X-Spam-Status 
from the filter_end() function which I have modified.


I added my whitelist_from commands to my local.cf file which is in 
/etc/mail/spamassassin. I am sure that these rules are being read as I 
have watched the startup with spamassassin -D --lint.

And I have run --lint with no errors.

I know I have muddied the water a bit with mimedefang but what I do in 
filter_end() is pretty straight forward.

my ($hits, $req, $names, $report) = spam_assassin_check();

# look at $report and take the n.n tag part out; SA prints negative and
# integer scores too ("-100 USER_IN_WHITELIST"), so the pattern must
# accept an optional sign and a missing decimal part
my $myrpt = '';

for my $ln (split /\n/, $report) {
    next unless $ln =~ /^ *(-?\d+(?:\.\d+)?) +(\w+) /;
    $myrpt .= "$1:$2;";
}

# Regardless of hit or miss generate the X-Spam-Status
action_change_header("X-Spam-Status",
    build_status_line($hits, $req, $names, $myrpt));

The build_status_line() mimics SA's output pretty much to create multiple 
wrapped lines of 'score:rule;...'

I write this in both ham and spam emails. The $myrpt is also written to the log file. 

I have never seen the USER_IN_WHITELIST rule. 


Here is what I see if I run spamassassin from the command line on this message 
after first doing a spamassassin -d to strip off the headers and then doing a 
spamassassin:

X-Spam-Level: 
X-Spam-Status: No, score=-107.0 required=5.0 tests=AWL,BAYES_00,SPF_PASS,
	USER_IN_WHITELIST,USER_IN_WHITELIST_TO autolearn=unavailable 
	version=3.1.0


But note that the score=-107.0 is the same score I get via SA run by mimedefang. 


If no one here has an idea I will ask on the mimedefang list.

Thanks

Matt Kettler wrote:

Barton L. Phillips wrote:

This is a little off this post, but why don't I ever see
USER_IN_WHITELIST in my emails. I see the -100's effect in my
X-Spam-Status but I don't see the rule. I am running SpamAssassin via
mimedefang. Could that have something to do with it, or is there a
configuration option I have missed?


Hmm that seems rather odd.

Are you *sure* you're seeing the -100 score effect?

What exactly are you seeing in your X-Spam-Status?

Where did you add your whitelist commands (what file)?

Have you run "spamassassin --lint" lately?





Re: SPF Error: cannot get HELO, cannot use SPF

2006-02-25 Thread Barton L. Phillips
This is a little off this post, but why don't I ever see 
USER_IN_WHITELIST in my emails. I see the -100's effect in my 
X-Spam-Status but I don't see the rule. I am running SpamAssassin via 
mimedefang. Could that have something to do with it, or is there a 
configuration option I have missed?


Chris Purves wrote:

Chris Purves wrote:

I am not getting SPF_ hits for most messages that I expect should pass
SPF.  On one message when I run through spamassassin with debug I see:

[5959] dbg: spf: checking HELO (helo=, ip=66.111.4.28)
[5959] dbg: spf: cannot get HELO, cannot use SPF
[5959] dbg: spf: checking EnvelopeFrom (helo=, ip=66.111.4.28,
[EMAIL PROTECTED])
[5959] dbg: spf: cannot get HELO, cannot use SPF


The received header looks like:

Received: from out4.smtp.messagingengine.com ([66.111.4.28])
 by aurora.northfolk.ca with esmtp (Exim 4.50)
 id 1FCneI-0001Q8-Hs
 for [EMAIL PROTECTED]; Sat, 25 Feb 2006 08:51:09 +0800



I found another clue...

In one of my e-mails sent to this list, the header shows:

X-Spam-Report:
*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
* -1.3 AWL AWL: From: address is in the auto white-list

But if I run the same message from a user account with spamassassin -t 
< ... I get:


-100 USER_IN_WHITELIST  From: address is in the user's white-list
 0.1 FORGED_RCVD_HELO   Received: contains a forged HELO
-0.0 SPF_PASS   SPF: sender matches SPF record


It looks like SPF and whitelisting (I have spamassassin set in 
whitelist_from_rcvd) are not being run when SA is called from exim, 
but it works when calling spamassassin manually.


Any suggestions?









Re: attachment policy?

2006-02-25 Thread Barton L. Phillips
Of course under Windows a .pl may well be linked to perl and therefore 
be executable without having to do a chmod (which of course Windows 
doesn't understand). However, in general I have no problem with either 
in-lining or attaching script code.


Executables, on the other hand, are a different story. For one, I, and I 
expect others, have software running (like mimedefang) that will reject 
attached executables. If one really needs to post an executable it 
would, IMHO, be better to do so via a web page.


As I use Linux I don't have much of a problem with attached .exe or .com 
files etc. I NEVER read my mail on any of my Windows machines, and I 
restrict my web browsing to only very well trusted sites and then only 
when I can't use Linux or Firefox because the sites are so Windows only 
designed.


Christopher X. Candreva wrote:

On Fri, 24 Feb 2006, Theo Van Dinter wrote:

On Thu, Feb 23, 2006 at 04:14:05PM -0800, OpenMacNews wrote:

i'm noticing, e.g., *.pl scripts as attachments ... rather than links to
posts at code-paste sites.

I don't think we have a policy about it specifically.  Generally speaking
though, it's good netiquette to do as you said: put your large attachments

Sorry. I was thinking of it as a code example, not a program.

The script in question was 29 lines totaling 376 bytes. I was going to 
in-line it into the e-mail, to show how short it was, and made an attachment 
at the last minute, probably thinking it would be easier to look at.


I tend to think of text attachments as just sections of an e-mail, and don't 
think of perl files as executables, since they aren't until you chmod them.


Now, please don't tell me there is some mail program that will automatically 
run a file because it ends in .pl, or begins with #! line !


-Chris

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/




Re: spamd & mysql redux

2006-02-22 Thread Barton L. Phillips

To specify the socket in a perl DBI connect do the following:

use DBI;

# the mysql_socket attribute in the DSN overrides the client library's
# default socket path (/tmp/mysql.sock for source builds; the error above
# shows /var/lib/mysql/mysql.sock for the RPM install)
my $DBH = DBI->connect('dbi:mysql:databaseName;mysql_socket=/tmp/mysql.sock',
                       'user', 'password',
                       {ShowErrorStatement => 1})
    or die "Can't open database: $DBI::errstr";

Steve Thomas wrote:

Feb 22 11:45:42 ronin spamd[3322]: bayes: unable to connect to database:
Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (13)

Is that where mysql.sock is located? I don't know where the MySQL RPMs
might
stick it, but source installs stick it at /tmp/mysql.sock by default.



Yep, that's where it's at. I've also tried specifying the port in the dsn
options in the cf file, i.e.
"user_scores_dsn DBI:mysql:spamassassin:localhost:3306"

I'm most curious about the error number given - (13). In mysql speak,
that's a 'permission denied', but according to the logs, there's no
connection attempt even being made. I don't know if that number is coming
from spamd, the perl db api or mysql. I doubt it's coming from mysql,
since I'm not seeing any connection attempt whatsoever.

Thanks,
St-




Re: X-Spam-Report

2006-02-20 Thread Barton L. Phillips
It is quite simple if you are using MIMEDefang; I do it and have even 
added a bit more information.
I think you can use the 'add_header' configuration option if you are not 
using MIMEDefang. See Mail::SpamAssassin::Conf and look at the 
'add_header' option; it looks like it could do the job if you use the 
'all' argument.


Here is how I do it in MIMEDefang:

Add your logic to filter_end, after the if($Features... line.
I like to see the rules and scores, so I collect them in $myrpt and then 
for all mail I do action_change_header("X-Spam-Status", 
&build_status_line($hits, $req, $names, $myrpt));
The build_status_line() function makes the information look more like 
SA's normal report.



if ($Features{"SpamAssassin"}) {
    if ((-s "./INPUTMSG") < 300*1024) {
        # Only scan messages smaller than 300kB.  Larger messages
        # are extremely unlikely to be spam, and SpamAssassin is
        # dreadfully slow on very large messages.

        my ($hits, $req, $names, $report) = spam_assassin_check();

        # look at $report and take the n.n tag part out; SA prints
        # negative and integer scores too ("-100 USER_IN_WHITELIST"),
        # so accept an optional sign and a missing decimal part
        my $myrpt = '';

        for my $ln (split /\n/, $report) {
            next unless $ln =~ /^ *(-?\d+(?:\.\d+)?) +(\w+) /;
            $myrpt .= "$1:$2;";
        }

        # Regardless of hit or miss generate the X-Spam-Status
        action_change_header("X-Spam-Status",
            build_status_line($hits, $req, $names, $myrpt));

        if ($hits >= $req) {
            # ... (remainder of filter_end elided in the original post)

This is build_status_line.

use Text::Wrap ();
use Mail::SpamAssassin;

sub build_status_line {
    # Still problems with the autolearn information.  The code is here in
    # case we get it working later.
    my ($hits, $req, $names, $myrpt, $autolearn) = @_;
    my $line;

    $line  = (($hits >= $req) ? "Yes, " : "No, ");
    $line .= sprintf("hits=%2.1f required=%2.1f\n", $hits, $req);

    if ($myrpt) {
        # wrap the 'score:rule;' list at the semicolons, SA style
        $Text::Wrap::columns = 74;
        $Text::Wrap::huge    = 'overflow';
        $Text::Wrap::break   = ';';
        $line .= Text::Wrap::wrap("\ttests=", "\t  ", $myrpt) . "\n";
    } else {
        $line .= "\t0.0:NOTESTS\n";
    }

    $line .= "\tversion=" . Mail::SpamAssassin::Version();
    return $line;
}

Jonn R Taylor wrote:

Hi all,

Is it possible to have X-Spam-Report added to all email headers (spam 
and non-spam) and if so, how?


Jonn


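
The filter_end() snippet above, and the same one in the SPF thread, keeps only the 'n.n rule' pairs its pattern matches. This added Python rendering (not MIMEDefang's, SA's or Barton's code) runs the pattern as posted and a corrected one over a constructed SA summary modelled on the thread's spamassassin -t output, then lays out the wrapped X-Spam-Status value the way build_status_line() does; REPORT, the regex names and the helper names are constructed for this example.

```python
import re

# Pattern as posted in the thread: only positive decimal scores match, so
# negative-score rules such as "-100 USER_IN_WHITELIST" are silently dropped.
ORIGINAL = re.compile(r"^ *(\d+\.\d+) +(\w+) ")
# Corrected: optional sign, integer or decimal score, as SA prints them.
FIXED = re.compile(r"^ *(-?\d+(?:\.\d+)?) +(\w+) ")

# Constructed summary block in the shape of 'spamassassin -t' output
REPORT = """Content analysis details:   (-107.0 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
-0.0 SPF_PASS               SPF: sender matches SPF record
-1.3 AWL                    AWL: From: address is in the auto white-list
"""

def extract_tests(report, pattern=FIXED):
    """Collect 'score:rule;' pairs from the summary lines, like $myrpt."""
    pairs = []
    for ln in report.splitlines():
        m = pattern.match(ln)
        if m:
            pairs.append(f"{m.group(1)}:{m.group(2)};")
    return "".join(pairs)

def wrap_tests(myrpt, width=74):
    """Break the pair list at semicolons so no line exceeds width (tab = 8)."""
    lines, cur, n = [], "\ttests=", 0
    for item in [t + ";" for t in myrpt.split(";") if t]:
        if n and len(cur.expandtabs()) + len(item) > width:
            lines.append(cur)
            cur, n = "\t  ", 0
        cur += item
        n += 1
    lines.append(cur)
    return "\n".join(lines)

def build_status_line(hits, req, myrpt, version="3.1.0"):
    """Same layout as the thread's build_status_line(): verdict, hits and
    required, wrapped tests list (or 0.0:NOTESTS), then the SA version."""
    line = "Yes, " if hits >= req else "No, "
    line += f"hits={hits:.1f} required={req:.1f}\n"
    line += (wrap_tests(myrpt) + "\n") if myrpt else "\t0.0:NOTESTS\n"
    line += f"\tversion={version}"
    return line
```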



Some mail seems to get stuck

2006-02-15 Thread Barton L. Phillips
I get a number of these every day. All from 63.86.185.xx. They seem to 
hang sendmail for a long time. If I do a 'ps ax' these things are sleeping:
'22298 ?S  0:00 sendmail: k1FL11sL022298 mm.highercashflownetworknow.info [63.86.185.88]: DATA'

and sometimes sit around for 20 to 30 minutes (maybe longer).

I am running 'mimedefang' with Spam Assassin and see the entries in the 
/var/spool/MIMEDefang/xxx sub-directory with a COMMAND and HEADER file 
there. The sub-directories don't ever seem to get cleaned up automatically.


Anyone have any ideas? I have added a DROP rule to my iptables for this 
subnet 63.86.185.0/24, but I would like to understand the situation a 
little better. If you think this is a mimedefang issue I can post there 
instead.

Thanks.

Feb 15 12:29:56 bartonphillips sendmail[20778]: k1FJTtsK020778: timeout waiting for input from mm.dreamdeals-networknow.info during message collect
Feb 15 12:29:56 bartonphillips sendmail[20778]: k1FJTtsK020778: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=mm.dreamdeals-networknow.info [63.86.185.82]
Feb 15 12:29:56 bartonphillips sendmail[20778]: k1FJTtsK020778: to=<[EMAIL PROTECTED]>, delay=01:00:00, pri=3, stat=timeout waiting for input during message collect


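
Added detection logic, not from the thread, that runs over constructed sendmail log lines in the format of the excerpt above and counts DATA-phase "timeout waiting for input during message collect" events per relay IP and per /24, the granularity Barton is blocking at. The two regexes, the LOG sample (which reuses the thread's hostnames and queue ids) and the helper names are assumptions of this example.

```python
import re
from collections import Counter

# Two sendmail log lines share a queue id: the from= line carries relay=,
# the to= line carries the final stat=.  Patterns are constructed here.
RELAY_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\S+): .*relay=\S+ \[(?P<ip>[\d.]+)\]")
TIMEOUT_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): .*stat=timeout waiting for input during message collect")

# Constructed sample in the format of the thread's log excerpt
LOG = """\
Feb 15 12:29:56 host sendmail[20778]: k1FJTtsK020778: timeout waiting for input from mm.dreamdeals-networknow.info during message collect
Feb 15 12:29:56 host sendmail[20778]: k1FJTtsK020778: from=<x@example.invalid>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mm.dreamdeals-networknow.info [63.86.185.82]
Feb 15 12:29:56 host sendmail[20778]: k1FJTtsK020778: to=<me@example.invalid>, delay=01:00:00, pri=3, stat=timeout waiting for input during message collect
Feb 15 13:02:10 host sendmail[22298]: k1FL11sL022298: from=<y@example.invalid>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mm.highercashflownetworknow.info [63.86.185.88]
Feb 15 13:02:10 host sendmail[22298]: k1FL11sL022298: to=<me@example.invalid>, delay=01:00:00, pri=3, stat=timeout waiting for input during message collect
Feb 15 13:05:00 host sendmail[22300]: k1FL12aa022300: from=<z@example.invalid>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.invalid [192.0.2.10]
Feb 15 13:05:01 host sendmail[22300]: k1FL12aa022300: to=<me@example.invalid>, delay=00:00:01, pri=3, stat=Sent
"""

def collect_timeouts(lines):
    """Return {relay ip: count} of message-collect timeouts, joined on queue id."""
    relay_of = {}
    for ln in lines:
        m = RELAY_RE.search(ln)
        if m:
            relay_of[m["qid"]] = m["ip"]
    counts = Counter()
    for ln in lines:
        m = TIMEOUT_RE.search(ln)
        if m and m["qid"] in relay_of:
            counts[relay_of[m["qid"]]] += 1
    return dict(counts)

def by_subnet(ip_counts):
    """Roll the per-IP counts up to /24s, the granularity the thread blocks at."""
    out = Counter()
    for ip, n in ip_counts.items():
        out[".".join(ip.split(".")[:3]) + ".0/24"] += n
    return dict(out)

if __name__ == "__main__":
    print(by_subnet(collect_timeouts(LOG.splitlines())))
```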



What do these messages with -D mean?

2006-02-12 Thread Barton L. Phillips
I ran spamassassin -D and got the following in the debug output. Is this 
a problem? If so what should I do?


[27299] dbg: bayes: no dbs present, cannot tie DB R/O: /var/spool/MIMEDefang/mimedefang-bayes_toks

[27299] dbg: bayes: not scoring message, returning undef
[27299] dbg: bayes: opportunistic call attempt failed, DB not readable




combined distribution of email list

2006-02-12 Thread Barton L. Phillips
Is there a combined list distribution? Many other email lists distribute 
one combined email per day instead of dozens of separate emails. The 
volume of emails makes it hard to keep up.

