Re: Tricky University spam
That is just sad.

Ronan McGlue wrote:

Chris Santerre wrote:

> Hey all!
>
> So I can't seem to stop this spam. All it is are a bunch of random
> words then a gif file. Below is an example of the words:
>
> cocky may spice a drove not omit it silas or allegheny not
> arcadia try obstinacy it heft but essay may lamb and dignify
> a nudge and vine or anna ! jiffy but robe on dependent or
> captious it's escheat it cloak try expert a coda , albatross
> , on adventurous be chauncey some
> some emitting try keystone it's
>
> Then a gif with the spam. Anyone know how to even begin to stop this?
> The only thing that is constant with any of them is the size
> of the gif
> at 18.3K. Thanks all!

James, that info is about as useful as Lawrence Welk being a hockey coach.

Who's Lawrence Welk? :)

These types of spams have to be looked at from the headers. Why not just post the whole spam with headers, and obfuscate the email address in it?

--Chris

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
Re: Rejecting emails in procmailrc?
You could of course pipe the mail to a script like perl or awk etc. and do the real work there.

    # procmail regexps have no {n} repeat operator, so the 20 stars are written out
    :0fh
    * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*
    | /home/myname/mycoolprogram.pl

Another alternative is to use mimedefang and write a rule in mimedefang_filter filter_end() to do the job.

Greg Allen wrote:

If you are using Postfix you can do something like this in header_checks:

    /^X-Spam-Level: \*{20}.*/ REJECT Spam content rejected.

(Test the syntax, but I think the above is correct or very very close.)

header_checks is run as a Postfix process AFTER SA is done with the message, so you can use it to detect SA spam headers and take an action.

Rather than send a message back (which could make you a spammer) it would be better to just send it to an admin account for further review or just delete it.

    /^X-Spam-Level: \*{20}.*/ REDIRECT [EMAIL PROTECTED]

-Original Message-
From: Alex Jalali [mailto:[EMAIL PROTECTED]
Sent: Monday, February 27, 2006 2:49 AM
To: users@spamassassin.apache.org
Subject: Rejecting emails in procmailrc?

Hello,

How can I reject mails that have a high score along with a reason message instead of moving them to a folder?

I am using this in procmailrc to send spams to junk mail folder which works fine.

    :0:
    * ^X-Spam-Status: Yes
    /${HOME}/'Junk E-mail'

Now I need something like this to reject mails with score 16 or more

    :0:
    * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
    ?? "550 Your email is in our spam list. To be removed, write to us at xxx"

I have setup spamassassin 3 with sendmail and procmail on redhat 9

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
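An example of a script that the `:0fh` recipe in the message above could pipe to, added here and not code from any of the posters: with the `f` and `h` flags procmail feeds the script the header and replaces the header with the script's output, so the script tags the message instead of bouncing it. The header name `X-Local-Action`, its `review`/`deliver` values, the rule that the highest star count wins, and the sample header are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: header filter for a procmail ":0fh" recipe. procmail feeds it
# the header on STDIN and replaces the header with whatever it prints.
use strict;
use warnings;

my $THRESHOLD = 20;                # star count used in the recipes above
my $TAG       = 'X-Local-Action';  # hypothetical header name (assumption)

# Constructed sample header, used when the script is run from a terminal.
my $SAMPLE = "From: sender\@example.org\nX-Spam-Level: " . ('*' x 21)
           . "\nSubject: constructed sample\n\n";

# Highest star count found in any X-Spam-Level header (0 if there is none).
sub spam_level {
    my ($header) = @_;
    (my $unfolded = $header) =~ s/\r?\n[ \t]+/ /g;   # join folded lines
    my $stars = 0;
    for my $line (split /\r?\n/, $unfolded) {
        last if $line eq '';                         # blank line: header ends
        next unless $line =~ /^X-Spam-Level:[ \t]*(\**)/i;
        $stars = length($1) if length($1) > $stars;
    }
    return $stars;
}

# Return the header with our tag inserted before the terminating blank line.
sub tag_header {
    my ($header) = @_;
    my $stars  = spam_level($header);
    my $action = $stars >= $THRESHOLD ? 'review' : 'deliver';
    $header .= "\n" unless $header =~ /\n\z/;
    # Remove any copy of the tag that arrived with the message itself.
    $header =~ s/^\Q$TAG\E:.*\n(?:[ \t].*\n)*//mgi;
    my $line = "$TAG: $action (level $stars)\n";
    $header =~ s/^(\r?\n)/$line$1/m or $header .= $line;
    return $header;
}

# Filter STDIN when piped from procmail; show the sample when run by hand.
unless (caller) {
    my $in = -t STDIN ? $SAMPLE : do { local $/; <STDIN> };
    print tag_header($in // '');
}
```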
Re: SPF Error: cannot get HELO, cannot use SPF
Yes I am sure I see the -100 score effect, here is an example from this message posted to the list:

    X-Spam-Status: No, hits=-107.0 required=5.0 tests=1.6:AWL; version=3.1.0
    X-Scanned-By: MIMEDefang 2.53 on 68.122.243.210

Note that it is mimedefang and not spamassassin that is writing the X-Spam-Status from the filter_end() function which I have modified.

I added my whitelist_from commands to my local.cf file which is in /etc/mail/spamassassin. I am sure that these rules are being read as I have watched the startup with

    spamassassin -D --lint

And I have run --lint with no errors.

I know I have muddied the water a bit with mimedefang but what I do in filter_end() is pretty straightforward.

    my($hits, $req, $names, $report) = spam_assassin_check();

    # look at $report and take the n.n tag part out
    my $myrpt = '';
    for my $ln (split '\n', $report) {
        next unless $ln =~ /^ *(\d+\.\d+) +(\w+) /;
        $myrpt .= "$1:$2;";
    }

    # Regardless of hit or miss generate the X-Spam-Status
    action_change_header("X-Spam-Status", &build_status_line($hits, $req, $names, $myrpt));

The build_status_line() mimics SA's output pretty much to create multiple wrapped lines of 'score:rule;...' I write this in both ham and spam emails. The $myrpt is also written to the log file.

I have never seen the USER_IN_WHITELIST rule.

Here is what I see if I run spamassassin from the command line on this message after first doing a spamassassin -d to strip off the headers and then doing a spamassassin

    X-Spam-Level:
    X-Spam-Status: No, score=-107.0 required=5.0 tests=AWL,BAYES_00,SPF_PASS,
        USER_IN_WHITELIST,USER_IN_WHITELIST_TO autolearn=unavailable version=3.1.0

But note that the score=-107.0 is the same score I get via SA run by mimedefang.

If no one here has an idea I will ask on the mimedefang list.

Thanks

Matt Kettler wrote:

Barton L. Phillips wrote:

This is a little off this post, but why don't I ever see USER_IN_WHITELIST in my emails. I see the -100's effect in my X-Spam-Status but I don't see the rule.

I am running SpamAssassin via mimedefang. Could that have something to do with it, or is there a configuration option I have missed?

Hmm that seems rather odd. Are you *sure* you're seeing the -100 score effect? What exactly are you seeing in your X-Spam-Status?

Where did you add your whitelist commands (what file)?

Have you run "spamassassin --lint" lately?

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
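The filter_end() loop in the message above keeps only report lines that match `/^ *(\d+\.\d+) +(\w+) /`. The following added example (not code from the thread) runs that pattern and a sign-tolerant variant over a constructed report laid out like the `-100 USER_IN_WHITELIST` lines quoted elsewhere on this page, and checks whether the collected scores add up to the reported total; the variant pattern, the sample scores and the sum check are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example: which report lines survive the pattern used in filter_end()?
use strict;
use warnings;

# Constructed report in the "pts rule description" layout quoted on this page.
# Rule names are the ones the thread mentions; the scores are sample values.
my $REPORT = <<'END';
 pts rule name              description
---- ---------------------- -------------------------------------------
-100 USER_IN_WHITELIST      From: address is in the user's white-list
-6.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
-2.6 BAYES_00               Bayesian spam probability is 0 to 1%
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.6 AWL                    AWL: From: address is in the auto white-list
END
my $REPORTED = -107.0;   # total the sample scores add up to

my $AS_POSTED = qr/^ *(\d+\.\d+) +(\w+) /;          # pattern from the thread
my $SIGNED    = qr/^ *(-?\d+(?:\.\d+)?) +(\w+) /;   # assumption: also "-100", "-0.0"

# Build the "score:rule;" string the same way the posted loop does.
sub collect {
    my ($pattern, $report) = @_;
    my $out = '';
    for my $ln (split /\n/, $report) {
        next unless $ln =~ $pattern;
        $out .= "$1:$2;";
    }
    return $out;
}

# Sum the scores in a "score:rule;" string, to compare with the reported total.
sub total {
    my ($pairs) = @_;
    my $sum = 0;
    $sum += (split /:/, $_)[0] for split /;/, $pairs;
    return $sum;
}

for my $case ([ 'as posted', $AS_POSTED ], [ 'signed', $SIGNED ]) {
    my ($name, $re) = @$case;
    my $pairs = collect($re, $REPORT);
    my $state = abs(total($pairs) - $REPORTED) > 0.05 ? 'rules missing' : 'complete';
    printf "%-10s tests=%s => %s\n", $name, $pairs, $state;
}
```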
Re: SPF Error: cannot get HELO, cannot use SPF
This is a little off this post, but why don't I ever see USER_IN_WHITELIST in my emails. I see the -100's effect in my X-Spam-Status but I don't see the rule.

I am running SpamAssassin via mimedefang. Could that have something to do with it, or is there a configuration option I have missed?

Chris Purves wrote:

Chris Purves wrote:

I am not getting SPF_ hits for most messages that I expect should pass SPF. On one message when I run through spamassassin with debug I see:

    [5959] dbg: spf: checking HELO (helo=, ip=66.111.4.28)
    [5959] dbg: spf: cannot get HELO, cannot use SPF
    [5959] dbg: spf: checking EnvelopeFrom (helo=, ip=66.111.4.28, [EMAIL PROTECTED])
    [5959] dbg: spf: cannot get HELO, cannot use SPF

The received header looks like:

    Received: from out4.smtp.messagingengine.com ([66.111.4.28])
        by aurora.northfolk.ca with esmtp (Exim 4.50) id 1FCneI-0001Q8-Hs
        for [EMAIL PROTECTED]; Sat, 25 Feb 2006 08:51:09 +0800

I found another clue... In one of my e-mails sent to this list, the header shows:

    X-Spam-Report:
        *  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
        * -1.3 AWL AWL: From: address is in the auto white-list

But if I run the same message from a user account with spamassassin -t < ... I get:

    -100 USER_IN_WHITELIST From: address is in the user's white-list
     0.1 FORGED_RCVD_HELO Received: contains a forged HELO
    -0.0 SPF_PASS SPF: sender matches SPF record

It looks like SPF and whitelisting (I have spamassassin set in whitelist_from_rcvd) are not being run when SA is called from exim, but it works when calling spamassassin manually.

Any suggestions?

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
Re: attachment policy?
Of course under Windows a .pl may well be linked to perl and therefore be executable without having to do a chmod (which of course Windows doesn't understand). However, in general I have no problem with either in-lining or attaching script code.

Executables, on the other hand, are a different story. For one, I and, I expect, others have software running (like mimedefang) that will reject attached executables. If one really needs to post an executable it would, IMHO, be better to do so via a web page.

As I use Linux I don't have much of a problem with attached .exe or .com files etc. I NEVER read my mail on any of my Windows machines, and I restrict my web browsing to only very well trusted sites and then only when I can't use Linux or Firefox because the sites are so Windows only designed.

Christopher X. Candreva wrote:

On Fri, 24 Feb 2006, Theo Van Dinter wrote:

On Thu, Feb 23, 2006 at 04:14:05PM -0800, OpenMacNews wrote:

i'm noticing, e.g., *.pl scripts as attachments ... rather than links to posts at code-paste sites.

I don't think we have a policy about it specifically. Generally speaking though, it's good netiquette to do as you said: put your large attachments

Sorry. I was thinking of it as a code example, not a program. The script in question was 29 lines totaling 376 bytes. I was going to in-line it into the e-mail, to show how short it was, and made an attachment at the last minute, probably thinking it would be easier to look at.

I tend to think of text attachments as just sections of an e-mail, and don't think of perl files as executables, since they aren't until you chmod them.

Now, please don't tell me there is some mail program that will automatically run a file because it ends in .pl, or begins with #! line!

-Chris

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
Re: spamd & mysql redux
To specify the socket in a perl DBI connect do the following:

    use DBI;

    # mysql_socket in the DSN names the Unix socket to connect through
    my $DBH = DBI->connect('dbi:mysql:databaseName;mysql_socket=/tmp/mysql.sock',
                           'user', 'password', {ShowErrorStatement => 1})
        or die "Can't open database";

Steve Thomas wrote:

    Feb 22 11:45:42 ronin spamd[3322]: bayes: unable to connect to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)

Is that where mysql.sock is located? I don't know where the MySQL RPMs might stick it, but source installs stick it at /tmp/mysql.sock by default.

Yep, that's where it's at. I've also tried specifying the port in the dsn options in the cf file, i.e. "user_scores_dsn DBI:mysql:spamassassin:localhost:3306"

I'm most curious about the error number given - (13). In mysql speak, that's a 'permission denied', but according to the logs, there's no connection attempt even being made. I don't know if that number is coming from spamd, the perl db api or mysql. I doubt it's coming from mysql, since I'm not seeing any connection attempt whatsoever.

Thanks,
St-

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
Re: X-Spam-Report
It is quite simple if you are using MIMEDefang, I do it and have even added a bit more information. I think you can use the 'add_header' configuration option if you are not using MIMEDefang. See Mail::SpamAssassin::Conf and look at the 'add_header' option; it looks like it could do the job if you use the 'all' argument.

Here is how I do it in MIMEDefang:

Add your logic to filter_end. After the if($Features... I like to see the rules and scores so I collect them in $myrpt and then for all mail I do the

    action_change_header("X-Spam-Status", &build_status_line($hits, $req, $names, $myrpt));

The build_status_line() function makes the information look more like SA's normal report.

    if ($Features{"SpamAssassin"}) {
        if ((-s "./INPUTMSG") < 300*1024) {
            # Only scan messages smaller than 300kB. Larger messages
            # are extremely unlikely to be spam, and SpamAssassin is
            # dreadfully slow on very large messages.
            my($hits, $req, $names, $report) = spam_assassin_check();

            # look at $report and take the n.n tag part out; the leading
            # minus and the fraction are optional so that lines such as
            # "-100 USER_IN_WHITELIST" and "-0.0 SPF_PASS" are kept too
            my $myrpt = '';
            for my $ln (split '\n', $report) {
                next unless $ln =~ /^ *(-?\d+(?:\.\d+)?) +(\w+) /;
                $myrpt .= "$1:$2;";
            }

            # Regardless of hit or miss generate the X-Spam-Status
            action_change_header("X-Spam-Status", &build_status_line($hits, $req, $names, $myrpt));

            if ($hits >= $req) {
                # ... (the post stops here)

This is build_status_line.

    use Text::Wrap ();   # provides Text::Wrap::wrap() used below

    sub build_status_line {
        # Still problems with the autolearn information. The code is here
        # in case we get it working later.
        my ($hits, $req, $names, $myrpt, $autolearn) = @_;
        my $line;
        $line = (($hits >= $req) ? "Yes, " : "No, ");
        $line .= sprintf("hits=%2.1f required=%2.1f\n", $hits, $req);
        if($_ = $myrpt) {
            $Text::Wrap::columns = 74;
            $Text::Wrap::huge = 'overflow';
            $Text::Wrap::break = ';';
            $line .= Text::Wrap::wrap("\ttests=", "\t ", $_) . "\n";
        } else {
            $line .= "\t0.0:NOTESTS\n";
        }
        $line .= "\tversion=" . Mail::SpamAssassin::Version();
        return $line;
    }

Jonn R Taylor wrote:

Hi all,

Is it possible to have X-Spam-Report added to all email headers (spam and non-spam) and if so how.

Jonn

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
Some mail seems to get stuck
I get a number of these every day. All from 63.86.185.xx. They seem to hang sendmail for a long time. If I do a 'ps ax' these things are sleeping

    22298 ?S 0:00 sendmail: k1FL11sL022298 mm.highercashflownetworknow.info [63.86.185.88]: DATA

and sometimes sit around for 20 to 30 minutes (maybe longer).

I am running 'mimedefang' with Spam Assassin and see the entries in the /var/spool/MIMEDefang/xxx sub-directory with a COMMAND and HEADER file there. The sub-directories don't ever seem to get cleaned up automatically.

Anyone have any ideas? I have added a DROP rule to my iptables for this subnet 63.86.185.0/24 but I would like to understand the situation a little better.

If you think this is a mimedefang issue I can post there instead. Thanks.

    Feb 15 12:29:56 bartonphillips sendmail[20778]: k1FJTtsK020778: timeout waiting for input from mm.dreamdeals-networknow.info during message collect
    Feb 15 12:29:56 bartonphillips sendmail[20778]: k1FJTtsK020778: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=mm.dreamdeals-networknow.info [63.86.185.82]
    Feb 15 12:29:56 bartonphillips sendmail[20778]: k1FJTtsK020778: to=<[EMAIL PROTECTED]>, delay=01:00:00, pri=3, stat=timeout waiting for input during message collect

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
What do these messages with -D mean?
I ran spamassassin -D and got the following in the debug output. Is this a problem? If so what should I do?

    [27299] dbg: bayes: no dbs present, cannot tie DB R/O: /var/spool/MIMEDefang/mimedefang-bayes_toks
    [27299] dbg: bayes: not scoring message, returning undef
    [27299] dbg: bayes: opportunistic call attempt failed, DB not readable

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
combined distribution of email list
Is there a combined list distribution? Many other email lists distribute one combined email per day instead of dozens of separate emails. The volume of emails makes it hard to keep up.

--
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com