Re: Unsubscribe
On 4/5/2017 11:53 AM, Reindl Harald wrote:

> * when you subscribe you get a welcome message
> * that message explains it and says "keep me stored"
> * HOW did you subscribe? the same way you unsubscribe

And if I subscribed 2 years ago, do you honestly think I remember how I subscribed?

> * every mailing list on this planet works the same way

Actually, they don't. Most mailing lists I subscribe to contain an unsubscribe link at the bottom of the message.

> common sense: how and why do you imagine that 1000, 2000 or how many subscribers a list has handle your request?

I don't. I'm just playing the other side here. Techies like us tend to be unfriendly about the way we communicate. We also expect people to just know stuff. But for people who are doing multiple jobs, and who isn't these days, the people who "just know" stuff are fewer. I would never send an unsubscribe to a list because I know it's bad etiquette, just like I know that typing in all caps is "shouting". But people do it all the time without meaning to offend anyone.

The technology world has changed. Many people are used to graphical interfaces and haven't the slightest idea how to run anything from the command line. Many of them have never seen a message header, let alone could read it.

I know there should be a higher expectation on this list. But would it be so bad to add a footer that says how to unsubscribe? It would be more friendly. And it would help people not offend others.

Just saying...
RE: Unsubscribe
True that, but it's not entirely obvious how to view the message headers in many of today's mail clients. Of course, if you're on this list, you'd think you'd understand where to find them...

-----Original Message-----
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Tuesday, April 4, 2017 4:29 PM
To: users@spamassassin.apache.org
Subject: Re: Unsubscribe

On Tue, 4 Apr 2017, j...@lexoncom.com wrote:

> {nothing}

This is a self-service list. To unsubscribe, send an email to "users-unsubscr...@spamassassin.apache.org" from the address you wish to unsubscribe. This is noted in the headers of *every* list message.
Re: Ignore forwarding headers from specific sender
Why not just add the blocked email address to the blocked sender list for your Hotmail account?

On 7/30/2015 12:28 PM, RW wrote:

> On Thu, 30 Jul 2015 13:21:35 -0500 Al B wrote:
>
>> I have 2 accounts: myaccount@gmail.com and myacco...@hotmail.com
>>
>> I've been using SpamAssassin with both accounts and all has been well. Recently I decided to have Hotmail forward email to my Gmail account, so that I only have to check one account. Is there any way to tell SpamAssassin to ignore any headers added by myacco...@hotmail.com?
>>
>> blacklist_from s...@spam.com
>>
>> An email I receive from s...@spam.com using the Hotmail account is correctly identified as being from a blacklisted sender. However, the same email after being forwarded to Gmail is seen as coming from myacco...@hotmail.com and is not blacklisted. Is there any way around this?
>
> Not if there is a Resent-From header. However, that header is usually only added on manual forwarding, not when mail is being redirected automatically.
Re: dns*.registrar-servers.com as a rogue registrar?
I use NameCheap for my own domain registrations and recommend it to others, so I can guarantee that at least my family's email isn't spam...

Bret Miller
Manager, Information Technology
Grace Communion International
Email: bret.mil...@gci.org
Phone: (626) 650-2343

On 5/7/2013 12:26 PM, Chris Santerre wrote:

> The owner is NameCheap, Inc. A quick google will bring up historical problems with NameCheap and its owner and its DBAs. I dare not say anything bad about them and let you judge for yourself on their history. Richard Kirkendall has a tendency to yell Slander! when someone even mentions their name.
>
> --Chris (I top post because I care.)
>
> -----Original Message-----
> From: lcon...@go2france.com [mailto:lcon...@go2france.com]
> Sent: 2013-05-07 14:15
> To: users@spamassassin.apache.org
> Subject: dns*.registrar-servers.com as a rogue registrar?
>
> Nearly all of the .pw domains have their authoritative NS at dns*.registrar-servers.com. That registrar and a few others are always at the top of my reports for NSs of sender domains of spam we reject. Does anybody score a msg if its sender domain is DNS hosted by registrar-servers.com or other? What would that rule look like?
>
> Len
Re: How to get spam score by Windows command-line
On 11/14/2011 12:23 PM, Bowie Bailey wrote:

> On 11/14/2011 3:07 PM, Mike Koleszar wrote:
>
>> Hi all, I would like to put together a script that will show me the spam score of emails that come in. I was hoping that someone could help push me in the right direction to do this. I'm hoping there is a simple way to do this, using one of the SpamAssassin exe files over command-line. I appreciate any advice or suggestions. Thank you.
>
> There are a couple of ways to do this.
>
> First off, SpamAssassin will not block anything by itself, so one way is to set it up in your mail server so that it scans all of the incoming email. Each email will have a header added showing the SA score. Emails determined to be spam will have a more detailed report in the header. Unless you configure your mailserver to check the scores, the mail will still be delivered normally. This is the most accurate way to do it.
>
> If you want a more manual way, you can check each email with a command. First, you need to get the email in a text file. If your mailserver uses the maildir storage format, then you can just pull the messages from there. Otherwise, you will need to save the messages in some manner that preserves all of the message headers. If the headers are changed in any way, the scoring may be affected. Once you have the message, you can test it like this:
>
> spamassassin -t messagefile.txt
>
> This will output the original message plus a report at the bottom. It will *always* claim the message is spam, so ignore that and just look at the scores.
>
> NOTE: The above command line is in linux format. The windows command may be slightly different.

Just remove the space between > and the output file. I'd also suggest that it might be more helpful to pipe the output to a file so you can review it more easily.

spamassassin -t <messagefile.txt >messagefile-report.txt
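As an added example (not code from the thread), this is what a script of the kind Mike asked for does once the mail server adds SA's headers: unfold the headers and pull the score, the threshold and the test list out of X-Spam-Status. The headers are constructed; the second sample uses the TEST=score form seen in the X-Spam-Tests header further down this page.

```python
import re

# Constructed sample headers of the kind SpamAssassin adds when the mail
# server runs it over every incoming message. Long values are folded across
# lines (continuation lines start with whitespace), as in real mail.
SAMPLE_HEADERS = (
    "Return-Path: <sender@example.invalid>\n"
    "X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mx.example.invalid\n"
    "X-Spam-Level: *******\n"
    "X-Spam-Status: Yes, score=7.4 required=5.0 tests=BAYES_99,HTML_MESSAGE,\n"
    "\tRCVD_IN_ZEN,URIBL_DBL_SPAM autolearn=no version=3.3.1\n"
    "Subject: constructed test message\n"
)

# Some glue writes each test with its score instead (constructed, in the
# shape of the X-Spam-Tests header quoted later on this page).
SAMPLE_TESTS_HEADER = (
    "X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1,\n"
    " RCVD_IN_JMF_BL=1,RDNS_NONE=0.1;autolearn=no\n"
)


def unfold_headers(raw):
    """Join folded header lines and return {name: value} (first value wins)."""
    headers = {}
    name = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            # Continuation line. SA folds its tests list right after a comma,
            # so joining with a space there would split the list.
            sep = "" if headers[name].endswith(",") else " "
            headers[name] += sep + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            name = name.strip()
            headers.setdefault(name, value.strip())
    return headers


# The tests list runs until whitespace or the ';' some glue uses as separator.
TESTS_RE = re.compile(r"tests=([^\s;]*)")


def parse_tests(value):
    """Return {TEST_NAME: score or None} from a 'tests=...' list.

    Handles both 'tests=A,B,C' and 'tests=A=1.0,B=-2.5' forms."""
    m = TESTS_RE.search(value)
    if not m:
        return {}
    tests = {}
    for item in m.group(1).split(","):
        if not item:
            continue
        name, _, score = item.partition("=")
        tests[name] = float(score) if score else None
    return tests


def parse_spam_status(value):
    """Parse 'Yes, score=7.4 required=5.0 tests=... autolearn=no ...'."""
    m = re.match(r"(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(\d+(?:\.\d+)?)", value)
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % value)
    return {
        "spam": m.group(1) == "Yes",
        "score": float(m.group(2)),
        "required": float(m.group(3)),
        "tests": parse_tests(value),
    }


def spam_score(raw_headers):
    """Headers text in, parsed X-Spam-Status out; None if never scanned."""
    headers = unfold_headers(raw_headers)
    if "X-Spam-Status" not in headers:
        return None
    return parse_spam_status(headers["X-Spam-Status"])


if __name__ == "__main__":
    result = spam_score(SAMPLE_HEADERS)
    print("score %.1f / required %.1f, spam=%s" % (result["score"], result["required"], result["spam"]))
    print("tests:", sorted(result["tests"]))
    print("per-test scores:", parse_tests(unfold_headers(SAMPLE_TESTS_HEADER)["X-Spam-Tests"]))
```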
Re: proper rule writing for N
You could say

header __LOCAL_MAILENGINE ALL =~ /mailengine.+\.com/i

to match anything between mailengine and .com.

Bret Miller
Manager, Information Technology
Grace Communion International

On 10/21/2011 9:13 AM, R - elists wrote:

>> There are a couple of ways to do it. If you know that the numbers are 1-9, you could do this:
>>
>> header __LOCAL_MAILENGINE ALL =~ /mailengine[1-9]\.com/i
>>
>> (this is matching a single character. You could NOT do [1-12])
>>
>> If you just want to allow for a number, you could do this:
>>
>> header __LOCAL_MAILENGINE ALL =~ /mailengine\d+\.com/i
>>
>> This one matches a number of any length. For more information, do a search for Perl regular expressions.
>>
>> --
>> Bowie
>
> Bowie, thank you
>
> what about the case of non numeric WHATEVERLEGALCHARS, ie any legal character in a domain name replacing the number series?
>
> i.e.
>
> header __LOCAL_MAILENGINE ALL =~ /mailengineWHATEVERLEGALCHARS\.com/i
>
> i do understand that it would be similar to a catchall, yet still interested in knowing in cases of funkiness ;-)
>
> - rh
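Added example (not from the thread): the three rule bodies above checked against constructed header values, alongside a fourth pattern that limits the variable part to the characters a DNS label may contain, which is one answer to the follow-up question. The last sample shows the case the `.+` form also matches, where the name actually belongs to a different domain.

```python
import re

# The rule bodies discussed above, as the regexes SpamAssassin compiles for
# `header __LOCAL_MAILENGINE ALL =~ /.../i`, plus a label-charset variant.
PATTERNS = {
    "[1-9]":      r"mailengine[1-9]\.com",       # a single digit 1-9
    r"\d+":       r"mailengine\d+\.com",         # a number of any length
    ".+":         r"mailengine.+\.com",          # anything at all
    "[a-z0-9-]+": r"mailengine[a-z0-9-]+\.com",  # DNS label characters only
}

# Constructed header bodies to run the rules over.
SAMPLES = [
    "from mailengine1.com (mailengine1.com [192.0.2.10])",          # the simple case
    "from mailengine12.com (mailengine12.com [192.0.2.12])",        # two digits
    "from mailengine-eu2.com (mailengine-eu2.com [192.0.2.20])",    # letters and a hyphen
    "from mailengine.com (mailengine.com [192.0.2.1])",             # nothing in between
    "from mailengine1.otherdomain.com (unknown [198.51.100.7])",    # a different domain
]


def rule_matches(pattern, header_body):
    """True if the header body matches, case-insensitively like /.../i."""
    return re.search(pattern, header_body, re.IGNORECASE) is not None


def match_matrix(patterns=PATTERNS, samples=SAMPLES):
    """{pattern label: [hit for each sample]} so the variants can be compared.

    `.+` hits every sample: with nothing between the two parts it spans the
    text up to the next '.com', and it happily crosses the dot into
    otherdomain.com. The label-charset form stays inside one host label."""
    return {label: [rule_matches(p, s) for s in samples] for label, p in patterns.items()}


if __name__ == "__main__":
    for label, hits in match_matrix().items():
        print("%-12s %s" % (label, " ".join("hit " if h else "miss" for h in hits)))
```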
Re: broken emails from techtarget/crn mag? omeda communications?
Well, I don't actually subscribe to any active techtarget lists, but I do still get marketing garbage from them. Got one on the 19th that looked fine here.

Bret

On 7/22/2011 8:50 AM, Michael Scheidell wrote:

> any of you subscribed to techtarget or crm emails? seems on june 16th or 17th, something broke, and I am trying to determine if it's something we did or something they did.
>
> headers come in, received, received, then a BIG BLANK LINE, then DATA DKIM (it's almost like they shoved an extra DATA\r\n in there. or SA did.. or amavisd-new did). sometimes they are totally blank.
>
> headers (yes, it looks like spam, this one does) but we do have people who subscribed to it. notice the blank line after the received header? if you grep for 205.162.4[0-7]\.* you might see some like this. (and, no, this is not after microsoft mangles it.. maybe amavisd/sa/dkim version 38 does, but I don't know)
>
> Received: from crnnetwork.com (crnnetwork.com [205.162.47.163])
>     by mx2.slpowers.com.ionspam.net (Postfix) with ESMTP id 115F06FE15B
>     for u...@domain.com; Fri, 22 Jul 2011 10:08:50 -0400 (EDT)
>
> DATA
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1311343699; d=crnnetwork.com; s=dkim;
>     h=date:message-id:from:to:subject:mime-version:content-type:list-unsubscribe;
>     bh=WveFEzHxhYkhwXaVxeYtjjm8Q34bjdVex+sTxWOdwXg=;
>     b=lL4+c3ymOfW+NTTsa1liqJrB4TPeV5ANFPiFeTkow8XWD796wMJdsCUVh8iNyuThGzngShLI0AByxbZk5g6MmWMNbujzSKf2Tnpm59BcISmOxOsVvUpNSfYO07K2rrqvDlRyiu0SZ6LZz85XAcVJGFHYXYXr1Z+GG6QwByltY4M=;
> Date: Fri, 22 Jul 2011 09:08:19 -0500 (CDT)
> Message-ID: 4oz1ccmcedmcbfmlekdnsxjec.md.1311343694...@oms05.crnnetwork.com
> From: CRN crnmagaz...@crnnetwork.com
> Sender: CRN crnmagaz...@crnnetwork.com
> Reply-To: CRN crnmagaz...@crnnetwork.com
> To: u...@domain.com
> Subject: Confirm Your Free Subscription to CRN Magazine Now
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary=4Oz1ccmceDmcBfmLekDNsxjec.mD
> X-MailSessionID: 4Oz1ccmceDmcBfmLekDNsxjec.mD.1311343694695
> Referer: http://crnnetwork.com/portal/
>
> --4Oz1ccmceDmcBfmLekDNsxjec.mD
>
> common factors seem to be their ESP:
>
> NetRange: 205.162.40.0 - 205.162.47.255
> CIDR: 205.162.40.0/21
> OriginAS:
> NetName: SPRINTLINK
> NetHandle: NET-205-162-40-0-1
> Parent: NET-205-160-0-0-1
> NetType: Reassigned
> RegDate: 2003-11-12
> Updated: 2003-11-12
> Ref: http://whois.arin.net/rest/net/NET-205-162-40-0-1
> OrgName: Omeda Communications
Re: Should Spamhaus default to disabled?
(Sorry about the top post...)

One of the big issues with RBL services like this is the rules that use them change over time. We quite nicely fit into free use, but I realize that there are many others who do not. It might be a good enhancement to SA to be able to make a way to disable all queries to any service so that it could easily be disabled by those admins without having to constantly check to make sure sa-update hasn't included a new rule that hits the service. Something like

use_dnsbl spamhaus 0

(defaults to 1). That way, if I decide I don't trust a certain service that SA defaults to use, I can disable the whole service and know that new rules will still be disabled because the service is. It would seriously simplify the configuration for these cases.

Bret

On 6/11/2010 7:42 AM, Andy Dills wrote:

> After recently upgrading to a new mail cluster with SA 3.3.1, we were contacted (at every imaginable POC address) with a solicitation to purchase access to utilize the Spamhaus blacklists, or they'll stop answering our queries.
>
> We felt the amount of money being asked for was unreasonable, as we felt we likely wouldn't see an increase in spam if we turned them off. So, local.cf got:
>
> score URIBL_DBL_SPAM 0
> score URIBL_DBL_ERROR 0
> score RCVD_IN_ZEN 0
>
> I think those are the only queries that generate lookups against Spamhaus, but I'm not positive. Regardless, we noticed no increase in spam after disabling these tests. I imagine there's lots of overlap on the blacklists.
>
> I think the maintainers of SA should strongly consider defaulting Spamhaus to "off". At the very least, it should be better documented how to entirely disable Spamhaus queries. They have the right to charge for their data, but I question whether it's appropriate for an open-source project to generate sales leads in this manner.
>
> Andy
>
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---
Re: SORBS
On 4/20/2010 8:10 AM, John Rudd wrote:

> Are you the ISP for the IP address, or the client/user? According to SORBS, requests for removal from the DUHL should come from the ISP that owns the IP space, not the end user that rents it. See:
>
> http://www.au.sorbs.net/faq/dul.shtml
>
> "End users (non ISP staff): SORBS support staff may ask you to ask your ISP to request the change as you are not authoritative information about the network ranges in question. The SORBS support staff may need to request you change the rDNS naming scheme, so to save time and trouble, ask your ISP to log a ticket and do not log a ticket yourselves."
>
> My guess is: you're submitting the IP for removal, the SORBS staff sees that you're not the actual IP owner, and thus they ignore the ticket (aside from the automated reply). You need to get your ISP to send in the request.

Having had to deal with this issue in our last two ISP changes, I can echo this. Your ISP needs to submit the request to SORBS or it'll never get delisted. And from experience, it's not always easy to get them to understand that it needs to happen. Just make sure they understand that their not doing it is lowering your satisfaction with them as an organization. You need your email to be delivered reliably to everyone on the internet and that's the only way it's going to happen.

Bret

> On Tue, Apr 20, 2010 at 06:04, Nigel Frankcom <n.frank...@gmail.com> wrote:
>
>> Hi All,
>>
>> Am I the only one incapable of figuring out the SORBS interface? I'm told by various mailservers that SORBS is blocking me (including this list, hence mailing from my gmail account). When I log on to SORBS, give my details I get a nice email back saying:
>>
>> $Id: Act.pm,v 1.16 2006/11/27 03:36:09 lem Exp $
>>
>> I'm a robot writing you on behalf of the SORBS' admins. The reason you're getting this automated response, is our desire to provide you with consistent and fast responses. I'm prepared to correctly analyze most of the cases appearing in the DUHL queue.
>>
>> You might want to keep your responses as short as possible (and to trim my own responses) to help humans better serve you should the need arise.
>>
>> I'm glad to report that the IP space will be submitted for delisting from the DUHL.
>>
>> Best regards. SORBS
>>
>> It's now Day 6 and I'm still listed. If anyone has any ideas - please let me know?
>>
>> Kind regards
>> Nigel
Re: SORBS
On 4/20/2010 9:05 AM, Benny Pedersen wrote:

> On tir 20 apr 2010 18:00:23 CEST, Bret Miller wrote
>
>> them as an organization. You need your email to be delivered reliably to everyone on the internet and that's the only way it's going to happen.
>
> not correct, hotmail gmail yahoo works without isp dependence, why care ?

It doesn't affect all destinations, but it affects thousands of companies who use SpamAssassin to filter their email. And it affects some who use SORBS DUL to reject email outright. To me that's outright crazy, but I support a small non-profit company and my opinion is worthless when it comes to convincing people that rejecting email solely based on how your ISP reports or does not report your IP address is stupid. And on top of that, there are some less-known DNSBLs that include the SORBS DUL and get used to block email.

My users just want their email to be delivered reliably both incoming and outgoing. If I don't care, then legitimate email gets rejected because of others' stupidity. The only part of SORBS DUL I can control is pressuring my ISP to tell SORBS that my IP range is static. So far, that has worked.

There are plenty of other ineffective methods for reducing spam that I cooperate with only because we need email to be delivered reliably-- not because I think those methods are worth anything overall. I'm too small to take a stand on principle. That takes much larger organizations with some clout to effect change.

Bret
Re: How to use the Spamhaus DBL
On 4/20/2010 3:09 PM, Jack Knowlton wrote:

> Hi all. I noticed Spamhaus made available a new URIBL. I updated my SA package (debian testing) to the latest version and I wanted to implement a check on the DBL list too. How do I configure spamassassin to do that?
>
> Thanks,
> -JK

Get SA 3.3.1. Run sa-update.

Bret
Re: Installation error on Windows Server 2008 / 64-bit
I didn't try to make spamc with mine. If you're doing that, it is possible that there could be a configuration situation that prevents it. I'm not sure why else it would fail. For the few items I had to manually compile and install I used Visual Studio 2008 Express.

Bret

On 3/22/2010 10:40 AM, weirdbeardmt wrote:

> Actually, I was using the x64 bit version of AP, hence the need to use the CPAN route for NetAddr-IP as I couldn't find a repo that included it for x64. Have tried your suggestions below using x86 AP, and, still not working. Nmake fails with the same error.
>
> Error:
>
> optional module missing: Razor2
> optional module missing: Net::Ident
> optional module missing: IO::Socket::SSL
> optional module missing: Encode::Detect
>
> warning: some functionality may not be available, please read the above report before continuing!
>
> Checking if your kit is complete...
> Looks good
> Writing Makefile for Mail::SpamAssassin
> Makefile written by ExtUtils::MakeMaker 6.55
>
> C:\Program Files (x86)\Neolane\Neolane v5\bin\SpamAssassin>nmake
>
> Microsoft (R) Program Maintenance Utility Version 1.50
> Copyright (c) Microsoft Corp 1988-94. All rights reserved.
>
> syntax error at -e line 1, next char )
> Missing right curly or square bracket at -e line 1, at end of line
> Execution of -e aborted due to compilation errors.
> NMAKE : fatal error U1077: 'C:\Windows\system32\cmd.exe' : return code '0xff'
> Stop.
>
> Dmake (installed via PPM) also fails. The only thing that's slightly weird is the makefile complaining about a lack of nmake on my path, despite C:\perl\bin; being set in PATH, PERLLIB and PERL5LIB. What else can I try?
>
> C:\Program Files (x86)\Neolane\Neolane v5\bin\SpamAssassin>perl makefile.pl
> Set up gcc environment - 3.4.5 (mingw-vista special r3)
> It looks like you don't have either nmake.exe or dmake.exe on your PATH, so you will not be able to execute the commands from a Makefile.
>
>> Is there a reason why you use CPAN? If adding the right repositories there is no need for that.
>>
>> 3.3.1 has just been released, so first download this from the official site. Then try the following:
>>
>> 1. Stop the "Windows Installer" service. This can be accomplished from the command prompt using the following command:
>>    c:\> net stop "Windows Installer"
>> 2. Temporarily remove or rename PERLLIB and PERL5LIB environment variables in the system environment.
>> 3. Temporarily remove or rename the following registry values:
>>    [\\HKEY_LOCAL_MACHINE\Software\Perl] lib = directory (REG_SV)
>>    [\\HKEY_LOCAL_MACHINE\Software\Perl] sitelib = directory (REG_SV)
>>    [\\HKEY_LOCAL_MACHINE\Software\Perl] lib-PerlVersion = directory (REG_SV)
>>    [\\HKEY_LOCAL_MACHINE\Software\Perl] sitelib-PerlVersion = directory (REG_SV)
>> 4. Install ActivePerl 5.10 (x86)
>> 5. Open Dos Box, type the following
>>    ppm remove --area perl DB_File
>>    ppm repo add bribes
>>    ppm repo add trouchelle
>>    ppm install Prompt-Timeout
>>    ppm install Net-DNS
>>    ppm install NetAddr-IP
>>    ppm install DB_File
>>    ppm install Mail-SPF
>>    ppm install IP-Country
>>    ppm install IO-Socket-INET6
>>    ppm install Mail-DKIM
>> 6. go to SA Source and type
>>    perl makefile.pl
>>    nmake
>>    nmake install
>>
>> If this fails again, it has definitely nothing to do with your perl installation or some modules.
Re: Installation error on Windows Server 2008 / 64-bit
On 3/19/2010 5:25 AM, weirdbeardmt wrote:

> I'm trying to install SA 3.30 on W2k8 64-bit. I have ActivePerl 5.10.1 with dmake 4.12 (since nmake won't run on 64-bit). I am quite new to this so sorry if I'm asking something stupidly obvious. I've installed Net-DNS, IP-Country, Mail-SPF, Error, XML::Writer and NetAddr-IP. Creating the makefile seems to go OK. Dmake seems to work OK. However, when I issue dmake install, it gets so far through the process, says Installing <module> but then exits with an error:
>
> <snip>

I worked on it for a while on Windows Server 2008R2, and concluded that I was not going to get it running in 64-bit ActivePerl. There were just too many dependencies that would not compile or were missing features in x64 mode. So I cleared it all off, reinstalled ActivePerl 32-bit and proceeded to install spamassassin without incident on my 64-bit server running in 32-bit mode.

I am having occasional issues with spamassassin just dying. Not sure what that's about since restarting it always allows it to scan whatever message caused it to crash in the first place. Other things have been priority, so haven't gotten back to trying to track down the cause of the crash.

Bret
Re: Installing under windows
You might try running ppm interactively. Perhaps Win32-Registry-File is already installed, or ppm is unable to load the package database from ActiveState? I know both those packages exist because I have them installed on ActivePerl 5.8.8.820.

Bret

On 2/15/2009 5:42 AM, Jim wrote:

> I'm trying to install Spam Assassin on Windows Server 2003. Active Perl 5.8.8.820 is installed. In section 1 of the instructions http://wiki.apache.org/spamassassin/InstallingOnWindows the following commands fail:
>
> ppm install Win32-Registry-File
> ppm install failed: Can't find any package that provide Win32-Registry-File
>
> ppm install DB_File
> ppm install failed: Can't find any package that provide DB_File
>
> Anyone any ideas what's wrong?
>
> Jim
Re: Temporary 'Replacements' for SaneSecurity
On 1/15/2009 1:36 AM, Rasmus Haslund wrote:

> SM wrote:
>
>> "Botnet Plugin" sounds like a plugin that detects botnets ... If Rasmus is finding that many false positives, then he's using the wrong tools.
>
> Well I am not using the botnet plugin because i am not sure how to implement it with the SA engine running in Icewarp Merak. Anyway we do have a lot of problems with FP when we try out new things and I just have to say some things just do not work well on a large scale where you have to deal with all kinds of languages from all over the world.

OK, so thanks to Rob you all know what I concluded about the botnet plugin. It didn't work for us because of the very reasons Rasmus cites (too many hits on legitimate mail). However, implementing it in Merak vs any other mail server isn't the issue. You just drop the plugin .pm file and the rules .cf file into your local configuration folder and restart it. No big deal to implement.

If you choose to implement it, considering my own experience, I'd score it low and monitor what it hits on for a while, creating the exceptions (whitelist entries) you need before increasing the score. It's a bit of work to make sure it won't filter out a bunch of stuff you really need. Botnet will hit stuff that other rules won't, so it has real advantages. You just have to take the time to make sure you won't be losing stuff first.

Bret
Re: Razor2 and Windoze
No... I'd say if it's working for you, then no worries. I'll have to try installing it again when I have a chance. Perhaps it matters what kind of compiler you use for installing too...

Bret

On 11/10/2008 6:04 AM, Dan Barker wrote:

> I read it on the internet (so it has to be true <g>) that razor2 does not work with Windows.
>
> (Note that Razor support does not seem to work on Windows systems. Win32 users should disable the Razor tests using score RAZOR2_CHECK 0.)
>
> My research was poorly done before my install, and I didn't find this tidbit of wisdom until afterwards. I did the download, untar, nmake, nmake install, -create, -discover, -register, loadplugin, test and roll out to production, and THEN found the Wiki article.
>
> I'm wondering if I should be concerned. Razor2 seems to work very effectively and really makes a difference in my installation. 6,000 spams hit RAZOR2 in only 10K emails since install. This is a wonderful result. I've yet to find a false positive.
>
> Does anybody know what problems I was supposed to have running razor2 under windows? I'd really hate to find I must stop using it, but I'd certainly like to know in advance.
>
> Dan Barker
>
> Environment:
> Wintel box, Celeron 3.2GHz/1G ram, IDE
> W2K Server, SP4
> IMail 8.15.hf2
> ActiveState perl: 5.8.8.822
> Spamassassin: 3.2.5
> razor-agents-sdk-2.07.tar.bz
> razor-agents-2.85.tar.bz (but it reports as 2.84 anyway)
> SpamAssassin Caller for Windows: 1.6 (www.visioncomm.net/sac)
>
> REF: http://wiki.apache.org/spamassassin/InstallingRazor
RE: SA Windows Version stable?
> What are your experiences with SA on Windows Platform, since i am not using it for now. Would you recommend it or are there too many caveats?

I have run SA on Windows for several years. Most built-in stuff works just fine. With a couple small modifications, you can even store your bayes and awl stuff in MSSQL. DCC/Razor/Pyzor don't work. It's difficult to get stuff that needs to compile to actually compile-- for example, DomainKeys support is not a straightforward install though it can be done. I'm not sure sa-compile works. I started working on the compatibility issues at one point, but our stated direction for email is now outsourcing, so I'm not spending time debugging SA but getting stuff integrated with the new email solution.

I find SA to be rather CPU-intensive, and have had many days this year where email got backlogged by a couple hours and was unable to catch up during business hours. Of course, the CPU load can be lessened by running fewer rules, but doing so makes SA less effective as well. We've had to opt for less effective so that we don't get overloaded as often. I'm not sure these are entirely Windows issues, though.

I don't see SA crashing like it used to on Windows. It's been very stable that way. However, some email messages take a long time to process, so make sure your timeout value is set really high. I'm thankful that we've gotten the multithreading issues resolved to the point where one message doesn't hold up the rest any longer.

I would recommend it if you've got the power to spare.

Bret
RE: Apache SpamAssassin 3.2.4
> New upgrade is running GREAT here :)

Running fine here on Windows Server 2003 with CommuniGate Pro. :)
Timeout issues with recent updates
Yesterday (at least that's when it was noticed), we started having timeout issues with SpamAssassin again. My average scan time went from 8.5 seconds last week and the week before to 20.5 seconds yesterday with many messages (primarily ham) running near the 120 second range. What happened in updates.spamassassin.org to cause this?? I'll see if I can run some tests to track down more specifically where things get stuck for so long, but I thought the issue should at least be raised. (Maybe someone else has already seen and tracked it down?)

Bret
RE: Parsing Received Headers
>> I'm trying to get received headers to parse correctly because the ones from CommuniGate Pro don't always. And, since I'm already modifying the headers in my connector due to the MTA not being able to do RDNS without rejecting based on it, I'm not aware that certain types of headers don't parse correctly. My current problem is this one:
>> ...
>> My RDNS lookup was modifying the header to read:
>
> Since you are already fixing broken Received header fields, I suggest you do it by the book. The syntax is prescribed by RFC 2821 (4.4 Trace Information):
>
> ...
> This line MUST be structured as follows:
> - The FROM field, which MUST be supplied in an SMTP environment, SHOULD contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.
> ...
> From-domain = "FROM" FWS Extended-Domain CFWS
> Extended-Domain = Domain / ( Domain FWS "(" TCP-info ")" ) / ( Address-literal FWS "(" TCP-info ")" )
> TCP-info = Address-literal / ( Domain FWS Address-literal )
>     ; Information derived by server from TCP connection
>     ; not client EHLO.
> Domain = (sub-domain 1*("." sub-domain)) / address-literal

As for reporting this to the CommuniGate people, I doubt they have any interest in fixing it. After all, they still use the domain name instead of the machine name for their own EHLO/HELO command and provide no way of overriding it for RFC compliance. We got around it by (against their recommendation) licensing our copy to the machine instead of the domain.

Anyway, the above doesn't make any more sense to me than reading examples in the mail I receive. So far, I haven't come up with a format that works for SA. So, please correct:

HELO bretspc, IP 192.168.1.125, RDNS bretspc.example.com
Received: from bretspc (bretspc.example.com 192.168.1.125)...

HELO [192.168.1.125], IP 192.168.1.125, RDNS none
Received: from [192.168.1.125] (unknown 192.168.1.125)...

HELO 192.168.1.125, IP 192.168.1.125, RDNS 192.168.1.125 (yeah, I've seen ones like this)
Received: from 192.168.1.125 (192.168.1.125 192.168.1.125)...

And then there's the matter of adding whether the sender was authenticated, and what was supplied as mail from.

Perhaps the better way to do this would be to fix SA to read the CGPro headers, do its own RDNS lookup if necessary. The problem is that not all the information is available to SA at that point, so I have to supply some of it, and I suppose there would be concerns as to whether SA should be doing the RDNS lookup itself too. Maybe a plugin? But can a plugin get control early enough to re-write the received header info so that it's correct for all the other places in SA it gets used?

So I guess my choices are three-- rewrite the received header to make it readable, patch SA to read the information correctly (this doesn't solve my missing RDNS info problem unless I add the lookup to SA too), or add a plugin if it's possible to do what needs to be done with it. Honestly, rewriting the header is probably the easiest, which is why I chose to do that. Now it's just a matter of rewriting it so that SA can actually read it properly.

I guess another problem is that I might have to say I'm NOT running CommuniGate Pro so that SA doesn't try its custom code on it...

Bret
Parsing Received Headers
I'm trying to get received headers to parse correctly because the ones from CommuniGate Pro don't always. And, since I'm already modifying the headers in my connector due to the MTA not being able to do RDNS without rejecting based on it, I'm not aware that certain types of headers don't parse correctly. My current problem is this one:

Received: from [206.74.184.2] (HELO [206.74.184.2]) by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTP id 22363646 for [EMAIL PROTECTED]; Fri, 31 Aug 2007 10:32:08 -0700

Which is unmodified except for the obscuring of the email address. My RDNS lookup was modifying the header to read:

Received: from [206.74.184.2] (HELO [206.74.184.2]) (206.74.184.2) by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTP id 22363646 for [EMAIL PROTECTED]; Fri, 31 Aug 2007 10:32:08 -0700

Meaning that there was no RDNS for 206.74.184.2 and when it said helo, it said HELO [206.74.184.2]. However, SA is not parsing it that way. So, can anyone tell me how to write the received header so SA understands it?

How do I know it's not parsing correctly? Debug log:

[-2240] dbg: received-header: parsed as [ ip=206.74.184.2 rdns=HELO helo=!206.74.184.2! by=mail.wcg.org ident= envfrom= intl=0 id=22363646 auth= msa=0 ]
[-2240] dbg: received-header: relay 206.74.184.2 trusted? no internal? no msa? no
[-2240] dbg: metadata: X-Spam-Relays-Trusted:
[-2240] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=206.74.184.2 rdns=HELO helo=!206.74.184.2! by=mail.wcg.org ident= envfrom= intl=0 id=22363646 auth= msa=0 ]
[-2240] dbg: metadata: X-Spam-Relays-Internal:
[-2240] dbg: metadata: X-Spam-Relays-External: [ ip=206.74.184.2 rdns=HELO helo=!206.74.184.2! by=mail.wcg.org ident= envfrom= intl=0 id=22363646 auth= msa=0 ]
[-2240] dbg: metadata: X-Relay-Countries: US

Obviously, the RDNS wasn't HELO. Or perhaps I should just open a bug ticket to fix SA's not understanding problem...

Bret
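An added illustration for this post and for the RFC 2821 grammar quoted in the reply thread above (it is neither SA's received-header parser nor the connector code): the From-domain grammar written as a formatter for the three cases listed there and a matching parser. Read by that grammar, the CommuniGate line's parenthesised `HELO [206.74.184.2]` is a Domain followed by an Address-literal, which is exactly the rdns=HELO the debug log shows, and the appended `(206.74.184.2)` is outside the grammar altogether. IPv6 literals and the by/for clauses are left out.

```python
import re

# Added example, not SpamAssassin's parser: the RFC 2821 section 4.4 grammar
# for the FROM part of a Received line, as a formatter and a matching parser.
# Simplifications: IPv4 address literals only, plain host names for Domain.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = LABEL + r"(?:\." + LABEL + r")*"


def format_from_clause(helo, ip, rdns=None):
    """Build 'from <Extended-Domain>' per RFC 2821:

       Extended-Domain = Domain / (Domain FWS "(" TCP-info ")")
                                / (Address-literal FWS "(" TCP-info ")")
       TCP-info        = Address-literal / (Domain FWS Address-literal)

    helo is the name the client gave in EHLO/HELO (possibly an address
    literal in brackets), ip the TCP peer address, rdns the server's reverse
    lookup or None. An rdns that merely repeats the IP (the third case in the
    thread) carries no information and is treated as absent."""
    if rdns is None or rdns.strip("[]") == ip:
        tcp_info = "[%s]" % ip
    else:
        tcp_info = "%s [%s]" % (rdns, ip)
    return "from %s (%s)" % (helo, tcp_info)


FROM_RE = re.compile(
    # Domain / Address-literal, then an optional "(" TCP-info ")"
    r"\bfrom\s+(?P<helo>\[" + IPV4 + r"\]|" + DOMAIN + r")"
    r"(?:\s+\((?:(?P<rdns>" + DOMAIN + r")\s+)?\[(?P<ip>" + IPV4 + r")\]\))?"
)


def parse_from_clause(received):
    """Parse the FROM part back into helo / rdns / ip (None when absent).

    The helo keeps its brackets when it was an address literal, so the two
    cases stay distinguishable."""
    m = FROM_RE.search(received)
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


if __name__ == "__main__":
    for helo, ip, rdns in [("bretspc", "192.168.1.125", "bretspc.example.com"),
                           ("[192.168.1.125]", "192.168.1.125", None),
                           ("192.168.1.125", "192.168.1.125", "192.168.1.125")]:
        line = format_from_clause(helo, ip, rdns)
        print(line, "->", parse_from_clause(line))
    cgp = "Received: from [206.74.184.2] (HELO [206.74.184.2]) (206.74.184.2) by mail.wcg.org"
    print(cgp, "->", parse_from_clause(cgp))
```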
RE: Need a plugin written relating to black/white/yellow lists
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Bret Miller wrote:
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Bret Miller wrote:
Bret Miller wrote:

  * 127.0.0.1 - whitelist - trusted nonspam
  * 127.0.0.2 - blacklist - block spam
  * 127.0.0.3 - yellowlist - mix of spam and nonspam
  * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist

And hotmail.com warrants being blacklisted?? Ouch. I do like the idea of white and yellow lists. If I could just get CommuniGate to add the ability to use it...

Hotmail would be yellow listed.

My headers say RCVD_IN_JMF_BL, the rule says:

  header   RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2')
  describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
  tflags   RCVD_IN_JMF_BL net
  score    RCVD_IN_JMF_BL 1.0

And here are the headers:

  X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1,
    FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL=1,
    RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no
  X-Spam-Score: 1.4
  X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org
  X-Spam-Level: +
  X-TFF-CGPSA-Version: 1.6a5
  X-WCG-CGPSA-Filter: Scanned
  Return-Path: [EMAIL PROTECTED]
  Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com)
    by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTP id 22324864
    for [EMAIL PROTECTED]; Mon, 27 Aug 2007 11:29:31 -0700
  Received: from hotmail.com ([65.55.130.13]) by bay0-omc3-s39.bay0.hotmail.com
    with Microsoft SMTPSVC(6.0.3790.2668); Mon, 27 Aug 2007 11:29:16 -0700
  Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Mon, 27 Aug 2007 11:29:15 -0700
  Message-ID: [EMAIL PROTECTED]
  Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV;
    Mon, 27 Aug 2007 18:29:10 +0000
  X-Originating-IP: [71.110.94.199]
  X-Originating-Email: [EMAIL PROTECTED]
  X-Sender: [EMAIL PROTECTED]
  From: Common Ground [EMAIL PROTECTED]
  To:
  Subject: Back to School Blessings
  Date: Mon, 27 Aug 2007 11:29:09 -0700
  MIME-Version: 1.0
  Content-Type: multipart/related; boundary==_NextPart_000_0023_01C7E89D.7C72B430; type=multipart/alternative
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-Mailer: Microsoft Outlook Express 6.00.2900.3138
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
  X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC) FILETIME=[2C450810:01C7E8D8]
  Return-Path: [EMAIL PROTECTED]

To me, this equals hotmail is on the black list.

Bret

Something is odd. That IP isn't in any of my lists.

Indeed. The problem is the rule, not the list. The check looks back at all IPs in the path, including the X-Originating-IP headers. So,

  [2860] dbg: dns: hit dns:199.94.110.71.hostkarma.junkemailfilter.com 127.0.0.2

is what SA says is the problem. I guess I need to look at fixing it so it scans only the last external...

Bret

I did some experimenting a while back looking at all the received IP addresses and got too many false positives. I had to give up on the idea because it didn't work.

OK... but the rules you supplied for SpamAssassin did exactly that-- they looked back at all the received headers and X-Original-IP and tested them against the lists. Add a -lastexternal to the set name to get only the last IP outside your network.

Bret

Not familiar with -lastexternal - can you give an example?

I think, as I read in the configuration docs, that you'd do it like this:

  header   __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
  describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
  tflags   __RCVD_IN_JMF net

  header   RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
  describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
  tflags   RCVD_IN_JMF_W net nice
  score    RCVD_IN_JMF_W -5

  header   RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
  describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
  tflags   RCVD_IN_JMF_BL net
  score    RCVD_IN_JMF_BL 1.0

  header   RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
  describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
  tflags   RCVD_IN_JMF_BR net
  score    RCVD_IN_JMF_BR 0.5

smime.p7s Description: S/MIME cryptographic signature
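What the 'JMF' and 'JMF-lastexternal' rule sets above do differently, as an added example that is not code from the thread or from the list operator: the DNSBL query is the reversed IP under the zone, the A record that comes back is mapped onto the four codes, and the only thing that changes is which addresses get queried. The headers are the ones quoted above plus one assumed internal hop from 192.0.2.10 (a documentation address standing in for the scanner's own network, so there is a trusted network to skip). DNS is replaced by a constructed table in which only 71.110.94.199 is listed, which is the hit the dbg line shows; the real list may answer differently for the other addresses.

```python
"""Last-external relay selection versus querying every relay in the path,
with a DNSBL's A-record answers mapped onto white/black/yellow/brown.
Added example; DNS is a constructed in-memory table so it runs offline."""
import ipaddress
import re

ZONE = "hostkarma.junkemailfilter.com"

# Return codes of the list as described in the thread.
JMF_CODES = {
    "127.0.0.1": "white",
    "127.0.0.2": "black",
    "127.0.0.3": "yellow",
    "127.0.0.4": "brown",
}

# Constructed stand-in for the DNSBL zone: reversed-IP query name -> A record.
# Only the dial-up submitter 71.110.94.199 is listed (the dbg line's hit);
# everything else is treated as unlisted.
FAKE_DNS = {
    "199.94.110.71." + ZONE: "127.0.0.2",
}

# Constructed headers, newest first: the thread's Received lines plus one
# assumed internal hop (192.0.2.10) written by the scanner's own network.
HEADERS = [
    "Received: from [192.0.2.10] (HELO mail.wcg.org) by mail.hq.wcg.org with ESMTP; Mon, 27 Aug 2007 11:29:32 -0700",
    "Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com) by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTP id 22324864 for user@example.org; Mon, 27 Aug 2007 11:29:31 -0700",
    "Received: from hotmail.com ([65.55.130.13]) by bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 27 Aug 2007 11:29:16 -0700",
    "Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 27 Aug 2007 11:29:15 -0700",
    "Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV; Mon, 27 Aug 2007 18:29:10 +0000",
    "X-Originating-IP: [71.110.94.199]",
]

# Assumed trusted network: the hosts whose Received lines we wrote ourselves.
TRUSTED = ["192.0.2.0/24"]

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def reverse_ip(ip):
    """Octets reversed, as a DNSBL query label ('71.110.94.199' -> '199.94.110.71')."""
    return ".".join(reversed(ip.split(".")))


def rbl_lookup(ip, zone=ZONE, resolver=FAKE_DNS):
    """A-record answer for <reversed-ip>.<zone>, or None when unlisted."""
    return resolver.get(reverse_ip(ip) + "." + zone)


def extract_ips(headers):
    """Every relay address in the path, top-down, in the order the all-relays
    rule would query them. Only the 'from' clause of a Received line is used;
    loopback addresses and duplicates are dropped."""
    ips = []
    for line in headers:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "received":
            value = value.split(" by ", 1)[0]
        elif name != "x-originating-ip":
            continue
        m = IPV4.search(value)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if addr.is_loopback or str(addr) in ips:
            continue
        ips.append(str(addr))
    return ips


def last_external(ips, trusted_networks):
    """First address, walking down from our own MX, that lies outside the
    trusted networks: the relay that actually connected to us."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in ips:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None


def score_all_relays(headers):
    """What the original 'JMF' set did: query every address in the path, so a
    listed home address deep in the chain taints the whole message."""
    return {ip: JMF_CODES.get(rbl_lookup(ip)) for ip in extract_ips(headers)}


def score_lastexternal(headers, trusted_networks=TRUSTED):
    """What 'JMF-lastexternal' does: query only the last external relay."""
    ip = last_external(extract_ips(headers), trusted_networks)
    if ip is None:
        return None, None
    return ip, JMF_CODES.get(rbl_lookup(ip))


if __name__ == "__main__":
    print("all relays:   ", score_all_relays(HEADERS))
    print("last external:", score_lastexternal(HEADERS))
```

Querying every relay turns the submitter's DSL address into a black hit on a message that Hotmail's outbound server handed over; querying only the last external relay asks about 65.54.246.239 and nothing else. In SpamAssassin itself the boundary comes from the trusted_networks and internal_networks settings, which this stub reduces to a single list.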
RE: SA Updating
Is there a way of updating spamassassin automatically to adapt to new ways of spamming. For instance, when picture spam came I had to install fuzzOCR, now with PDF and RTF, new modules are required. I also heard about rules-du-jour or something, do I always have to manually compile, add and install these things to spamassassin or is there a 3rd-party tool that can keep track of my SA install and update it every day or week?

There is a tool (sa-update) that will keep the base product updated with the latest definitions for that version, but adding new modules and 3rd-party rule sets has to be done manually. Once they're added, many can be updated with sa-update and/or rules-du-jour. However, when new versions of SpamAssassin come out, you have to basically reinstall it.

Bret

smime.p7s Description: S/MIME cryptographic signature
RE: YAGI: Yet Another Great Idea
I'm going to propose you another great idea which will probably radically change the spam-detection techniques. No, come on: I'm just kidding. :) I think this idea could eventually help in better detecting the kind of spam in which some words are garbled in order to deceive their detection.

Some of you probably already know that there exist algorithms devoted to detecting the language in which a text is written. I just discovered the paper at http://www.sfs.uni-tuebingen.de/iscl/Theses/kranig.pdf , which by the way says that such detectors are already available as Perl modules in CPAN (see chapter 7).

The idea is that, applying these algorithms to the text in a message, one could eventually obtain the probability that the given text is written in a given language. Let's say that a text is written in English; then these Perl routines should yield a high probability that the given text is English. Now, say that some of the words in that text are somehow scrambled. The language detectors would probably decrease the probability that the text is in English but, assuming the words are randomly scrambled, the probability that the text is in another language wouldn't increase either. Now, we could apply some thresholding to language scores such that, when the score of the probable language is below a given threshold above the mean of the language scores, then we could say that the message contains some scrambled words and apply a penalty score to it.

I know there are scores for scrambled versions of words like cialis, but this method would be more solid with respect to non-English languages: I'm from Italy, and I'm used to seeing some FPs on Italian words like "via galileo" as being a scrambled version of viagra. Also, attempting to collect all the good versions of spam words is expensive in terms of effort.

Please note that:
- language decoding doesn't (actually) work for ideographic languages (Chinese, Japanese, Korean and such);
- I didn't even have a run of the language decoding modules;
- a message written in many ( 3, 4?) languages may probably trigger the penalty score.

I'm just trying to see if such an idea seems definitely broken to you, as well as if anybody did already try to run into this.

What happens with computer lingo and things like URLs that aren't really language? I guess the idea would be to write it and see what such a rule would hit.

Bret

smime.p7s Description: S/MIME cryptographic signature
RE: Need a plugin written relating to black/white/yellow lists
From: Marc Perkel [mailto:[EMAIL PROTECTED] Bret Miller wrote: Bret Miller wrote: * 127.0.0.1 - whilelist - trusted nonspam * 127.0.0.2 - blacklist - block spam * 127.0.0.3 - yellowlist - mix of spam and nonspam * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist And hotmail.com warrants being blacklisted?? Ouch. I do like the idea of white and yellow lists. If I could just get CommuniGate to add the ability to use it... Hotmail would be yellow listed. My headers say RCVD_IN_JMF_BL, the rule says: header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2') describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK tflags RCVD_IN_JMF_BL net score RCVD_IN_JMF_BL 1.0 And here are the headers: X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1, FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_B L= 1, RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no X-Spam-Score: 1.4 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org X-Spam-Level: + X-TFF-CGPSA-Version: 1.6a5 X-WCG-CGPSA-Filter: Scanned Return-Path: mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com) by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTP id 22324864 for [EMAIL PROTECTED]; Mon, 27 Aug 2007 11:29:31 -0700 Received: from hotmail.com ([65.55.130.13]) by bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 27 Aug 2007 11:29:16 -0700 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 27 Aug 2007 11:29:15 -0700 Message-ID: mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV; Mon, 27 Aug 2007 18:29:10 + X-Originating-IP: [71.110.94.199] X-Originating-Email: [EMAIL PROTECTED] X-Sender: [EMAIL PROTECTED] From: Common Ground mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] To: Subject: Back to School Blessings Date: Mon, 27 Aug 2007 11:29:09 -0700 MIME-Version: 
1.0 Content-Type: multipart/related; boundary==_NextPart_000_0023_01C7E89D.7C72B430; type=multipart/alternative X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138 X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC) FILETIME=[2C450810:01C7E8D8] Return-Path: [EMAIL PROTECTED] To me, this equals hotmail is on the black list. Bret Something is odd. That IP isn't in any of my lists. Indeed. The problem is the rule, not the list. The check looks back at all IPs in the path, including the X-Originating-IP headers. So, [2860] dbg: dns: hit dns:199.94.110.71.hostkarma.junkemailfilter.com 127.0.0.2 is what SA says is the problem. I guess I need to look at fixing it so it scans only the last external... Bret I did some experimenting a while back looking at all the received IP addresses and got too many false positives. I had to give up on the idea because it didn't work. OK... but the rules you supplied for SpamAssassin did exactly that-- they looked back at all the received headers and X-Original-IP and tested them against the lists. Add a -lastexternal to the set name to get only the last IP outside your network. Bret smime.p7s Description: S/MIME cryptographic signature
RE: Need a plugin written relating to black/white/yellow lists
Before you look at this as just another blacklist - the real power is in the white and yellow lists. First - an overview. My list returns these codes: * 127.0.0.1 - whilelist - trusted nonspam * 127.0.0.2 - blacklist - block spam * 127.0.0.3 - yellowlist - mix of spam and nonspam * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist And hotmail.com warrants being blacklisted?? Ouch. I do like the idea of white and yellow lists. If I could just get CommuniGate to add the ability to use it... Bret smime.p7s Description: S/MIME cryptographic signature
RE: Need a plugin written relating to black/white/yellow lists
* 127.0.0.1 - whilelist - trusted nonspam * 127.0.0.2 - blacklist - block spam * 127.0.0.3 - yellowlist - mix of spam and nonspam * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist And hotmail.com warrants being blacklisted?? Ouch. I do like the idea of white and yellow lists. If I could just get CommuniGate to add the ability to use it... Hotmail would be yellow listed. My headers say RCVD_IN_JMF_BL, the rule says: header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2') describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK tflags RCVD_IN_JMF_BL net score RCVD_IN_JMF_BL 1.0 And here are the headers: X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1, FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL= 1, RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no X-Spam-Score: 1.4 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org X-Spam-Level: + X-TFF-CGPSA-Version: 1.6a5 X-WCG-CGPSA-Filter: Scanned Return-Path: [EMAIL PROTECTED] Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com) by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTP id 22324864 for [EMAIL PROTECTED]; Mon, 27 Aug 2007 11:29:31 -0700 Received: from hotmail.com ([65.55.130.13]) by bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 27 Aug 2007 11:29:16 -0700 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 27 Aug 2007 11:29:15 -0700 Message-ID: [EMAIL PROTECTED] Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV; Mon, 27 Aug 2007 18:29:10 + X-Originating-IP: [71.110.94.199] X-Originating-Email: [EMAIL PROTECTED] X-Sender: [EMAIL PROTECTED] From: Common Ground [EMAIL PROTECTED] To: Subject: Back to School Blessings Date: Mon, 27 Aug 2007 11:29:09 -0700 MIME-Version: 1.0 Content-Type: multipart/related; boundary==_NextPart_000_0023_01C7E89D.7C72B430; type=multipart/alternative X-Priority: 3 X-MSMail-Priority: Normal 
X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138 X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC) FILETIME=[2C450810:01C7E8D8] Return-Path: [EMAIL PROTECTED] To me, this equals hotmail is on the black list. Bret smime.p7s Description: S/MIME cryptographic signature
RE: Need a plugin written relating to black/white/yellow lists
Bret Miller wrote: * 127.0.0.1 - whilelist - trusted nonspam * 127.0.0.2 - blacklist - block spam * 127.0.0.3 - yellowlist - mix of spam and nonspam * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist And hotmail.com warrants being blacklisted?? Ouch. I do like the idea of white and yellow lists. If I could just get CommuniGate to add the ability to use it... Hotmail would be yellow listed. My headers say RCVD_IN_JMF_BL, the rule says: header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF', '127.0.0.2') describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK tflags RCVD_IN_JMF_BL net score RCVD_IN_JMF_BL 1.0 And here are the headers: X-Spam-Tests: tests=AWL=0.782,BAYES_00=-2.599,EXTRA_MPART_TYPE=1, FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,PART_CID_STOCK=1.635,RCVD_IN_JMF_BL= 1, RCVD_IN_MXRATE_WL=-2,RDNS_NONE=0.1,T_TVD_FW_GRAPHIC_ID1=0.01;autolearn=no X-Spam-Score: 1.4 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.hq.wcg.org X-Spam-Level: + X-TFF-CGPSA-Version: 1.6a5 X-WCG-CGPSA-Filter: Scanned Return-Path: mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] Received: from [65.54.246.239] (HELO bay0-omc3-s39.bay0.hotmail.com) by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTP id 22324864 for [EMAIL PROTECTED]; Mon, 27 Aug 2007 11:29:31 -0700 Received: from hotmail.com ([65.55.130.13]) by bay0-omc3-s39.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 27 Aug 2007 11:29:16 -0700 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 27 Aug 2007 11:29:15 -0700 Message-ID: mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] Received: from 71.110.94.199 by BAY125-DAV3.phx.gbl with DAV; Mon, 27 Aug 2007 18:29:10 + X-Originating-IP: [71.110.94.199] X-Originating-Email: [EMAIL PROTECTED] X-Sender: [EMAIL PROTECTED] From: Common Ground mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] To: Subject: Back to School Blessings Date: Mon, 27 Aug 2007 11:29:09 -0700 MIME-Version: 1.0 Content-Type: multipart/related; 
boundary==_NextPart_000_0023_01C7E89D.7C72B430; type=multipart/alternative X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138 X-OriginalArrivalTime: 27 Aug 2007 18:29:15.0665 (UTC) FILETIME=[2C450810:01C7E8D8] Return-Path: [EMAIL PROTECTED] To me, this equals hotmail is on the black list. Bret Something is odd. That IP isn't in any of my lists. Indeed. The problem is the rule, not the list. The check looks back at all IPs in the path, including the X-Originating-IP headers. So, [2860] dbg: dns: hit dns:199.94.110.71.hostkarma.junkemailfilter.com 127.0.0.2 is what SA says is the problem. I guess I need to look at fixing it so it scans only the last external... Bret smime.p7s Description: S/MIME cryptographic signature
BOTNET Exceptions for Today
I keep saying that I have false positives with botnet, but haven't substantiated that to date. So, today I'm spending a little time making exceptions since I would like this to work. Here are today's:

Americanpayroll.org, sent from IP 67.106.104.135, resolves to 67.106.106.135.ptr.us.xo.net
  #OK, that's just stupid.

Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com
  #not sure why this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93, 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com.

meridiencancun.com.mx, sent from IP , resolves to customer-148-233-9-212.uninet-ide.com.mx
  #more stupidity

Wordreference.com (WordReference Forums), sent from IP 75.126.51.99, resolves to www2mail.wordreference.com, again no idea why it gets flagged.

Cityofpasadena.net (City of Pasadena, California), sent from IP 204.89.9.11, resolves to 204-89-9-11-cityofpasadena.net, ns3.pasadenapubliclibrary.com, and ns3.cityofpasadena.net. What's with all this putting of IP addresses in the host name...

AltoEdge Hardware, sent from IP 69.94.122.246, resolves to server.nch.com.au, another no idea why BOTNET=1, but it does.

Just out of curiosity, I ran this through again with debug enabled so I could get more details. Here's what it says:

  [2472] dbg: Botnet: starting
  [2472] dbg: Botnet: no trusted relays
  [2472] dbg: Botnet: get_relay didn't find RDNS
  [2472] dbg: Botnet: IP is '69.94.122.246'
  [2472] dbg: Botnet: RDNS is 'server.nch.com.au'
  [2472] dbg: Botnet: HELO is 'server.nch.com.au'
  [2472] dbg: Botnet: sender '[EMAIL PROTECTED]'
  [2472] dbg: Botnet: hit (baddns)
  [2472] dbg: rules: ran eval rule BOTNET ==> got hit (1)

I'm not sure what it means. The IP resolves to server.nch.com.au and it resolves to the IP. Not sure what is bad about dns here. I'm also not sure what headers botnet looks at. The top Received header is ours and the others are all internal to the sender.

  Return-Path: [EMAIL PROTECTED]
  Received: from [69.94.122.246] (HELO server.nch.com.au)
    by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTPS id 22264274
    for [EMAIL PROTECTED]; Tue, 21 Aug 2007 09:58:14 -0700
  Received: from server.nch.com.au (localhost.localdomain [127.0.0.1])
    by server.nch.com.au (8.12.11/8.12.11) with ESMTP id l7LHRYOp002918
    for [EMAIL PROTECTED]; Tue, 21 Aug 2007 13:27:34 -0400
  Received: (from [EMAIL PROTECTED])
    by server.nch.com.au (8.12.11/8.12.11/Submit) id l7LHRXY5001737;
    Tue, 21 Aug 2007 13:27:33 -0400
  Date: Tue, 21 Aug 2007 13:27:33 -0400
  Message-Id: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  From: AltoEdge Hardware Orders [EMAIL PROTECTED]
  Subject: Online Hardware Order (ref: HW13315)

Enough time spent today... More at a later date. I've had actual complaints about 2 of the exceptions listed above, and as you might surmise from above, I only run with the score set to 1. I'd like it higher, but there are tons more of these that I have to make exceptions for before I can do that. It's a good idea-- too bad there isn't a way to make it somewhat more accurate.

Bret

smime.p7s Description: S/MIME cryptographic signature
RE: BOTNET Exceptions for Today
Bret Miller wrote:

Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com
  #not sure why this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93, 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com.

baddns. baddns means lack of full circle DNS. In this case, the name returned by the PTR record (smtp22.enews.webbuyersguide.com) does not resolve at all ... let alone not resolving back to the sending IP address.

meridiencancun.com.mx, sent from IP , resolves to customer-148-233-9-212.uninet-ide.com.mx
  #more stupidity

Wordreference.com (WordReference Forums), sent from IP 75.126.51.99, resolves to www2mail.wordreference.com, again no idea why it gets flagged.

  # nslookup www2mail.wordreference.com
  Non-authoritative answer:
  Name:    www2mail.wordreference.com
  Address: 75.126.29.11

baddns.

AltoEdge Hardware, sent from IP 69.94.122.246, resolves to server.nch.com.au, another no idea why BOTNET=1, but it does.

Just out of curiosity, I ran this through again with debug enabled so I could get more details. Here's what it says:

  [2472] dbg: Botnet: starting
  [2472] dbg: Botnet: no trusted relays
  [2472] dbg: Botnet: get_relay didn't find RDNS
  [2472] dbg: Botnet: IP is '69.94.122.246'
  [2472] dbg: Botnet: RDNS is 'server.nch.com.au'
  [2472] dbg: Botnet: HELO is 'server.nch.com.au'
  [2472] dbg: Botnet: sender '[EMAIL PROTECTED]'
  [2472] dbg: Botnet: hit (baddns)
  [2472] dbg: rules: ran eval rule BOTNET ==> got hit (1)

I'm not sure what it means. The IP resolves to server.nch.com.au and it resolves to the IP. Not sure what is bad about dns here. I'm also not sure what headers botnet looks at. The top Received header is ours and the others are all internal to the sender.

  # nslookup server.nch.com.au
  Non-authoritative answer:
  Name:    server.nch.com.au
  Address: 69.94.122.247

So, server.nch.com.au's name does not resolve back to the sending IP address, thus baddns.

OK...
I guess I didn't check closely enough. But the point is still that users expect these emails and complain if they don't receive them. Today's list were mostly just top offenders, and it's going to take me time to make exceptions for all the servers we receive email from that are badly configured dns-wise. Maybe these aren't false positives because botnet is identifying them for what they are-- badly configured. But to give a rule like botnet a default score that's high enough to consider the messages spam all on its own causes users to think we have a bad spam filtering program. When I see on the list that many people run botnet with ZERO false positives, I have to ask myself, how? And why is our setup here so different? Perhaps they already block email with invalid rdns at the MTA level, so none of this ever gets looked at. Perhaps their users just give up when they don't get email that they expect and use a free email account instead for that email. I don't know, but botnet hits a significant amount of legitimate email here, regardless of how badly configured the sending servers are. I just don't have the option of telling our president's assistant that we can't accept email from your husband because the IT department at the City of Pasadena won't fix their DNS issues for their email server. That's just not acceptable in a corporate environment, even if she had a clue what the statement meant besides that I was refusing to do what she wants. The majority of these badly configured servers won't ever get fixed unless someone that matters to them stands up and tells them they need to fix it. I do that when I can, but most of the time I just don't matter enough to get it done. Bret smime.p7s Description: S/MIME cryptographic signature
RE: BOTNET Exceptions for Today
At 12:36 21-08-2007, John Rudd wrote:

  # nslookup www2mail.wordreference.com
  Non-authoritative answer:
  Name:    www2mail.wordreference.com
  Address: 75.126.29.11

baddns.

There's an authoritative answer for www2mail.wordreference.com.

  # nslookup server.nch.com.au
  Non-authoritative answer:
  Name:    server.nch.com.au
  Address: 69.94.122.247

And one for server.nch.com.au as well.

The point isn't authoritative or not. The point is that the email was sent (in the last case) from 69.94.122.246, which resolves back to server.nch.com.au, which resolves to 69.94.122.247, a DIFFERENT IP address. The sending IP needs RDNS and that RDNS name needs to resolve back to the same IP, otherwise, it's broken.

Bret

smime.p7s Description: S/MIME cryptographic signature
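The full-circle rule Bret states, as an added example (not the Botnet plugin's code) run against a constructed stub of the lookups quoted in this thread: the PTR name of the sending IP must itself resolve to that IP. The stub also assumes that 204-89-9-11-cityofpasadena.net and 67.106.106.135.ptr.us.xo.net resolve to the addresses they spell out, invents mx.example.net on 192.0.2.25 as a correctly configured host for contrast, and adds a crude version of the "IP inside the hostname" pattern plus an exception list of the kind Bret is maintaining by hand.

```python
"""Full-circle reverse DNS (FCrDNS) check of the kind behind Botnet's
'baddns' hit, with an IP-in-hostname heuristic and an exception list.
Added example; DNS answers come from constructed tables so it runs offline."""
import re

# Constructed stub resolver. The first three PTR entries reproduce lookups
# quoted in the thread; the cityofpasadena and xo.net forward records are
# assumed; 192.0.2.25 / mx.example.net is invented as a well-configured host.
PTR = {
    "69.94.122.246": "server.nch.com.au",
    "204.92.135.90": "smtp22.enews.webbuyersguide.com",
    "75.126.51.99": "www2mail.wordreference.com",
    "204.89.9.11": "204-89-9-11-cityofpasadena.net",
    "67.106.104.135": "67.106.106.135.ptr.us.xo.net",
    "192.0.2.25": "mx.example.net",
}
A = {
    "server.nch.com.au": ["69.94.122.247"],
    "www2mail.wordreference.com": ["75.126.29.11"],
    "204-89-9-11-cityofpasadena.net": ["204.89.9.11"],
    "67.106.106.135.ptr.us.xo.net": ["67.106.106.135"],
    "mx.example.net": ["192.0.2.25"],
    # smtp22.enews.webbuyersguide.com deliberately has no A record
}


def lookup_ptr(ip, table=PTR):
    """Reverse lookup: the PTR name for ip, or None when there is none."""
    return table.get(ip)


def lookup_a(name, table=A):
    """Forward lookup: A records for name (empty when it does not resolve)."""
    return table.get(name, [])


def fcrdns(ip):
    """Full-circle check. Returns (status, ptr_name) with status one of
    'ok'     - the PTR name resolves back to ip,
    'nordns' - ip has no PTR record at all,
    'baddns' - the PTR name has no A record, or none of them equals ip."""
    name = lookup_ptr(ip)
    if name is None:
        return "nordns", None
    if ip in lookup_a(name):
        return "ok", name
    return "baddns", name


def ip_in_hostname(ip, name):
    """True when all four octets of ip appear in name, in order, separated by
    non-digits (204.89.9.11 inside 204-89-9-11-cityofpasadena.net).
    An approximation of the idea, not the plugin's own matching rules."""
    pattern = r"(?<!\d)" + r"\D+?".join(re.escape(o) for o in ip.split(".")) + r"(?!\d)"
    return re.search(pattern, name) is not None


def evaluate(ip, exceptions=frozenset()):
    """Hits for ip. IPs or PTR names in 'exceptions' produce no hits, which is
    how a site keeps accepting a badly configured but wanted sender."""
    status, name = fcrdns(ip)
    if ip in exceptions or (name is not None and name in exceptions):
        return []
    hits = []
    if status != "ok":
        hits.append(status)
    if name is not None and ip_in_hostname(ip, name):
        hits.append("ipinhostname")
    return hits


if __name__ == "__main__":
    for sender in PTR:
        print(sender, fcrdns(sender), evaluate(sender))
```

Note that the PTR name resolving somewhere is not enough: server.nch.com.au does resolve, just to the wrong address, and that is still baddns. The exception list is matched on both the IP and the PTR name, so a sender whose address changes but whose broken name stays the same keeps its exception.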
FW: Question - How many of you run ALL your email through SA?
Apparently I must be a spammer since I can't send e-mail to perkel.com... At least this response has been delayed since 9:16 a.m. pacific time yesterday. Oh well... Here's the response. Bret -Original Message- From: Bret Miller [mailto:[EMAIL PROTECTED] Sent: Thursday, August 16, 2007 9:14 AM To: Marc Perkel Subject: RE: Question - How many of you run ALL your email through SA? As opposed to preprocessing before using SA to reduce the load. (ie. using blacklist and whitelist before SA) We use blacklists (spamhaus, dsbl), do not scan mail submitted by our users with SA, and pre-process with ClamAV McAfee. Bret smime.p7s Description: S/MIME cryptographic signature
RE: how to stop the spam assassin
I am running SA 3.1.7. I need to upgrade it. I have to stop the current running SA. how to stop the service? That really depends on how you are calling SA. I know you run it on Windows, but what mail server, and how is it called. I use CommuniGate Pro with CGPSA. To stop SA, I have to kill the cgpsa.pl process by using a command-line tool or Task Manager (right click, end process tree). Doing this with CommuniGate Pro stops inbound email until I get it back running again, so spam doesn't get through. I also have the option of disabling the helper, which allows email to continue flowing, but obviously without being filtered. HTH, Bret smime.p7s Description: S/MIME cryptographic signature
RE: Plugin Install
Hi, I have tried to install plugin in this mode:
- I have put .cf file in /etc/mail/spamassassin
- I have put .pm file in /usr/lib/perl5/5.8.8

Put it in /etc/mail/spamassassin.

- I have edited v310.pre and I have added the line:
  loadplugin Mail::SpamAssassin::Plugin::PDFInfo

Then try:
  loadplugin Mail::SpamAssassin::Plugin::PDFInfo /etc/mail/spamassassin/PDFInfo.pm

..but in log file I have:

  [23220] dbg: plugin: loading Mail::SpamAssassin::Plugin::PDFInfo from @INC
  [23220] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/PDFInfo.pm in @INC (@INC contains: lib /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at (eval 73) line 1.
  [23220] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::PDFInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::PDFInfo" at (eval 74) line 1.
I have read another post but this says about 'MAIL' and not 'Mail'. Thanks. Bret
RE: Parsing attachments
I ran across the script (pasted below, and watch wrapping) on this list about a year ago or so. I use it to parse attachments forwarded as attachments from MS Outlook. It worked very well until I upgraded to SpamAssassin 3.2.1. I imagine they changed something in the way that the find_parts works, but for the life of me I can't figure out why the script doesn't work anymore. Essentially what happens is it returns a 0 byte message after it parses the message. Any pointers or suggestions would be much appreciated.

I'll take a stab at this since I had to fix my script recently too. I'm not sure I know exactly what I'm doing, but I'll point out the differences below:

  #!/usr/bin/perl
  use strict;
  use warnings;
  use Mail::SpamAssassin::Message;
  use Data::UUID;

  # Whole forwarded message on stdin; each extracted part goes to $path.
  my @message = <STDIN>;
  my $path    = "/tmp/spam/";

  my $msg = Mail::SpamAssassin::Message->new({ 'message' => \@message, })
      || die "Message error?";

Mine says:

  my $msg = Mail::SpamAssassin::Message->new({
      message  => \@message,
      parsenow => 1,
      subparse => 1,
  }) || die "Message error?";

  # Walk the MIME tree for message/* parts (the forwarded-as-attachment mails).
  foreach my $p ($msg->find_parts(qr/^message\b/i, 0)) {

Mine says:

  foreach my $p ($msg->find_parts(qr/^message\b/i, 0, 0)) {

I don't have an eval statement. I don't use $p->{'type'} though I suspect it would still work. And the rest looks fine to me. I'd post my script, but it uses IMAP to re-store the forwarded messages in the mail server, not in the file system.

      eval {
          no warnings;
          my $type = $p->{'type'};
          my $ug   = new Data::UUID;
          my $uuid1 = $ug->create_str();
          my $attachname = $path . $uuid1 . ".eml";
          # "or die" rather than "|| die": "||" binds to $attachname, so a
          # failed open would never be reported.
          open OUT, ">", $attachname or die "Can't write file $attachname: $!";
          binmode OUT;
          print OUT $p->decode();
          close OUT;
      };
  }

HTH, Bret
RE: FORGED_AOL_TAGS hitting on real AOL mail
I'm starting to see a lot of AOL mail getting pushed into the review folder (above 4.0 score) with the FORGED_AOL_TAGS rule hitting, and apparently on real AOL e-mail. At least the e-mails were SPF_PASS and received from an AOL server... Add this to local.cf, all fixed: score FORGED_AOL_TAGS 0 (ps, to fix a rule, or report a bug, best to go to bugzilla.spamassassin.org) Thanks, Michael. I just hadn't tracked down which rule set it was in yet. If it hadn't been an official SA rule, then this is still probably the best place to report it. And, it appears there is already a bug ticket submitted by you on 6/4. It just hasn't been corrected in over a month... So, I'll just reduce the score for now as it doesn't seem to hit with a high frequency on spam anyway. The notice here might point out to other admins that it could be causing FPs on their servers too. Bret
FORGED_AOL_TAGS hitting on real AOL mail
I'm starting to see a lot of AOL mail getting pushed into the review folder (above 4.0 score) with the FORGED_AOL_TAGS rule hitting, and apparently on real AOL e-mail. At least the e-mails were SPF_PASS and received from an AOL server... Here are two examples: http://webmail.wcg.org/~support/spam/20070705-01.txt http://webmail.wcg.org/~support/spam/20070705-02.txt This rule seems to score awfully high for the ham hit rate... I'll probably take the time tomorrow to track down where it's coming from and perhaps adjust the score down so I don't have to keep adding AOL users to my whitelist. I just don't like doing that because those scoring adjustments then have to be evaluated regularly. It'd be nicer if someone fixed the rule. Bret
RE: SaneSecurity
Perhaps more a clamav question, but does anyone use the additional definitions for clam from SaneSecurity and are they helpful in the Spam Wars? You're in luck! I just installed them yesterday. Had been meaning to for a while, but things have been too busy to get the script written to update them. So, in less than 24 hours, hit over 1800 spam messages here-- about 1/3 of our spam volume. So, yeah, they are helping here. Bret
RE: SaneSecurity
Bret Miller wrote: Perhaps more a clamav question, but does anyone use the additional definitions for clam from SaneSecurity and are they helpful in the Spam Wars? You're in luck! I just installed them yesterday. Had been meaning to for a while, but things have been too busy to get the script written to update them. So, in less than 24 hours, hit over 1800 spam messages here-- about 1/3 of our spam volume. I've been told that 3rd party clamav signatures can make clamav unstable, because they seem to not be as well tested as the clamav signatures. You end up with more than a few cases of error in 3rd party signature file causes clamav to choke and not run. Which is all to say: watch the results of your updates closely. Warning noted. ClamAV has been crashing often enough, at least on the Windows platform, due to ClamAV's own very well tested signatures. Still, the benefit here is worth the risk. I've seen paid-for antivirus have similar issues with crashing and false positives too, so it's not just the free software community that has these problems. As always, YMMV. Please test thoroughly before you throw something at your live server. Bret
RE: Setup SA to use mysql DB
OK, I don't use MySQL, but I do use SQL for Bayes and AWL. Here are my settings (which are working currently in 3.2.1):

  # auto_whitelist settings
  auto_whitelist_factory         Mail::SpamAssassin::SQLBasedAddrList
  user_awl_dsn                   DBI:ODBC:Driver={SQL Server};Server=MAIL;Database=sql-database
  user_awl_sql_username          sql-user-name
  user_awl_sql_password          sql-password
  user_awl_sql_override_username global

  # Bayes settings
  bayes_store_module             Mail::SpamAssassin::BayesStore::SQL
  bayes_sql_dsn                  DBI:ODBC:Driver={SQL Server};Server=MAIL;Database=sql-database
  bayes_sql_username             sql-user-name
  bayes_sql_password             sql-password
  bayes_sql_override_username    global

HTH, Bret

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 21, 2007 2:23 PM
To: users@spamassassin.apache.org
Subject: Setup SA to use mysql DB

OK, i have gotten a little further after searching some other email. This is what i get when i run spamassassin --lint

  [3069] warn: config: failed to parse line, skipping: bayes_store_dsn DBI:mysql:sadb:Spamassassin
  Can't locate Mail/Spamassassin/BayesStore/MySQL.pm in @INC (@INC contains: lib /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/5.8.3/i586-linux-thread-multi /usr/lib/perl5/5.8.3 /usr/lib/perl5/site_perl/5.8.3/i586-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl) at (eval 2266) line 2.

This is what my local.cf looks like:

  bayes_store_dsn DBI:mysql:sadb:Spamassassin   *what does this signify? Can someone break this line down?
  bayes_sql_username name                       is this the user of the mysql DB?
  bayes_sql_password password                   is this the password for the user of the mysql DB?
  bayes_sql_override_username vscan             *is this supposed to be here?
  bayes_store_module Mail::Spamassassin::BayesStore::MySQL
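The lint output quoted in that question already names both problems in the local.cf, and the following fragment is added here (it is neither Bret's settings nor the questioner's) to show the shape that parses: Perl package names are case-sensitive, so Mail::Spamassassin::BayesStore::MySQL has to be Mail::SpamAssassin::BayesStore::MySQL, and the Bayes DSN directive is bayes_sql_dsn, not bayes_store_dsn. The database name sadb is taken from the question; the host localhost and the credentials are placeholders, and the DSN's third field is the host, which is why "Spamassassin" in that position would not connect anywhere.

```text
# Bayes in MySQL. Module name is case-sensitive (SpamAssassin, not
# Spamassassin); the DSN directive is bayes_sql_dsn; the DSN fields are
# DBI:mysql:<database>:<host>.
bayes_store_module          Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn               DBI:mysql:sadb:localhost
bayes_sql_username          sa_user
bayes_sql_password          sa_password

# Optional: share one Bayes database between all users instead of keeping
# one per user. Leave it out if every user is meant to train separately.
bayes_sql_override_username vscan
```

After the change, spamassassin --lint should no longer warn about the skipped line or the missing module, and sa-learn --dump magic will show whether the database is being written to.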
RE: Update directory
On Tue, 2007-06-19 at 18:03 +, Duane Hill wrote: On Tue, 19 Jun 2007, Robert Fitzpatrick wrote: Can someone tell me for sure which way this needs to be and how to get sa-update to look at /usr/local/share/spamassassin again if that is what I need to do? I'm using FreeBSD here and as of SA 3.2.0, /var/db/spamassassin/the_version is where rules should show up after sa-update is run without the --updatedir parameter. Prior, it placed the rules in /var/lib/spamassassin/the_version. Thanks, yes, actually, the first time it happened, it was /var/lib now that you mention it. /usr/local/share/spamassassin has the potential for getting overwritten on future updates. Therefore it would be advisable not to make changes within. So, I should move my core rules to /var/db/spamassassin/the_version after setting up SA from the ports system? The issue is debug does not seem to find my core rules under /usr/share, there is no mention of them in the debug output. Depends on what you mean by core rules. Assuming the ones that came with SpamAssassin, you don't do anything with those. SA just picks them up automatically from the update directory. If you're talking about rules you added, then those should be in /etc/mail/spamassassin. Bret
SA 3.2.1 Running Fine on Windows
The subject says it. I installed 3.2.1 on Windows Server 2003 with ActivePerl 5.8.8.820 yesterday. No problems since installing. Good job as usual. Bret
RE: Status of Spamassassin
On Wed, Jun 13, 2007 at 07:30:10AM -0500, Dallas Engelken wrote: The Doctor wrote: Cans rules_du_jour work? Still getting a no update state. SARE is back up (knock on wood). Delete your .cf files and re-run RDJ... -- Dallas Engelken [EMAIL PROTECTED] http://uribl.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. I got:

  Script started on Wed Jun 13 06:38:41 2007
  doctor.nl2k.ab.ca//etc/mail/spamassassin$ rules_du_jour
  exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 2>&1
  curl_output: 304

304 is the HTTP return code for "you already have the latest version".

  Performing preliminary lint (sanity check; does the CURRENT config lint?).
  No files updated; No restart required.
  [snip]

And thus, I'd expect no files updated since you have the latest versions. Bret
RE: how to configure spamassassin in MS Exchange 2003 server
sg wrote: hi We are using MS Exchange 2003 server on windows 2003 server. We have registered with domain service and using 50 mail users. We are getting lot of spam mails. I want to know the configuring details of Mail-spamassassin-3.1.7 and how to control the spam mails.. I'd offer to help, but I have no familiarity with doing this. My own approach is to use a Linux mailserver as my Internet connected MTA, run spamassassin on that, and have it forward mail to Exchange. SpamAssassin can be made to run directly on win32, but AFAIK this isn't entirely trivial. If you're comfortable with ActivePerl you shouldn't have trouble, but be aware that perl and SpamAssassin are aliens on the Windows platform. They're both designed around the *nix way of doing things. Perhaps not trivial, but if you're starting from scratch it's not too bad. See: http://wiki.apache.org/spamassassin/InstallingOnWindows You start running into problems when you already have perl applications running and can't install the latest ActivePerl release, or install the latest required modules. There are a few "if you want to" areas in the install instructions that you should skip if you're not familiar with building applications on Windows. If you really do want those things, come back and do them after you have SpamAssassin working. I run SpamAssassin on Windows Server 2003 with ActivePerl 5.8.8.820. I have not had significant problems building or using it for a couple years. That said, it looks like a fellow named Chris Lewis has written an Exchange event sink and has links to several tips, but I've got no experience using his tools. http://www.christopherlewis.com/ESA/default.htm And I, also, have no experience using his tools. But I've heard good reports from others about them. Bret
RE: DKIM / Domainkey feature ins spamassassin
I got a question. DomainKeys is now unsupported, DKIM is supported, and DomainKeys compat. When I use these plugins with SpamAssassin, what are the main differences between using this plugin for checking signatures on incoming mails, and checking it via an MTA (and DomainKeys)? Normally the MTA then rejects the messages or accepts them depending on settings, but with SpamAssassin it gets a score if signed or not signed (false signature), or didn't I understand it? Sorry for my poor English. Using DKIM in SpamAssassin not only scores a minor adjustment on the message, but allows you to whitelist certain people or domains more safely using whitelist_auth. If a message comes in from example.com and is signed, using whitelist_auth [EMAIL PROTECTED] would whitelist the message. If a message comes from example.com and is not signed, the whitelist score isn't applied. That way if a spammer spoofs a domain to send spam, they aren't whitelisted just because you want to receive other real mail from example.com. The same logic applies to using SPF in SpamAssassin. HTH, Bret
RE: sa-update
Hi! Below is the debug output of my sa-update - what about these ('require' failed) lines - do I have to install Perl modules to get these SpamAssassin modules? I don't see anything in the debug output that indicates that it failed. The missing requires are all optional modules AFAIK, so it all looks like it's working to me. No update was done because the version of the update matched the version already installed. Bret

  [3694] dbg: logger: adding facilities: all
  [3694] dbg: logger: logging level is DBG
  [3694] dbg: generic: SpamAssassin version 3.2.0
  [3694] dbg: config: score set 0 chosen.
  [3694] dbg: dns: no ipv6
  [3694] dbg: dns: is Net::DNS::Resolver available? yes
  [3694] dbg: dns: Net::DNS version: 0.55
  [3694] dbg: generic: sa-update version svn523403
  [3694] dbg: generic: using update directory: /var/lib/spamassassin/3.002000
  [3694] dbg: diag: perl platform: 5.008008 linux
  [3694] dbg: diag: module installed: Digest::SHA1, version 2.10
  [3694] dbg: diag: module installed: HTML::Parser, version 3.48
  [3694] dbg: diag: module installed: Net::DNS, version 0.55
  [3694] dbg: diag: module installed: MIME::Base64, version 3.07
  [3694] dbg: diag: module installed: DB_File, version 1.814
  [3694] dbg: diag: module installed: Net::SMTP, version 2.29
  [3694] dbg: diag: module not installed: Mail::SPF ('require' failed)
  [3694] dbg: diag: module installed: Mail::SPF::Query, version 1.997
  [3694] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
  [3694] dbg: diag: module installed: Razor2::Client::Agent, version 2.82
  [3694] dbg: diag: module not installed: Net::Ident ('require' failed)
  [3694] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
  [3694] dbg: diag: module installed: IO::Socket::SSL, version 0.97
  [3694] dbg: diag: module installed: Compress::Zlib, version 1.35
  [3694] dbg: diag: module installed: Time::HiRes, version 1.86
  [3694] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)
  [3694] dbg: diag: module not installed: Mail::DKIM ('require' failed)
  [3694] dbg: diag: module installed: DBI, version 1.50
  [3694] dbg: diag: module installed: Getopt::Long, version 2.35
  [3694] dbg: diag: module installed: LWP::UserAgent, version 2.033
  [3694] dbg: diag: module installed: HTTP::Date, version 1.47
  [3694] dbg: diag: module installed: Archive::Tar, version 1.24
  [3694] dbg: diag: module installed: IO::Zlib, version 1.04
  [3694] dbg: diag: module not installed: Encode::Detect ('require' failed)
  [3694] dbg: gpg: Searching for 'gpg'
  [3694] dbg: util: current PATH is: /usr/bin:/bin
  [3694] dbg: util: executable for gpg was found at /usr/bin/gpg
  [3694] dbg: gpg: found /usr/bin/gpg
  [3694] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
  [3694] dbg: channel: attempting channel updates.spamassassin.org
  [3694] dbg: channel: update directory /var/lib/spamassassin/3.002000/updates_spamassassin_org
  [3694] dbg: channel: channel cf file /var/lib/spamassassin/3.002000/updates_spamassassin_org.cf
  [3694] dbg: channel: channel pre file /var/lib/spamassassin/3.002000/updates_spamassassin_org.pre
  [3694] dbg: channel: metadata version = 543064
  [3694] dbg: dns: 0.2.3.updates.spamassassin.org = 543064, parsed as 543064
  [3694] dbg: channel: current version is 543064, new version is 543064, skipping channel
  [3694] dbg: diag: updates complete, exiting with code 1
RE: sa-compile and SARE
Does this fix the performance problems I was having, or does it just fix the UTF errors showing in the logs with Perl 5.8.8 ? You might try it and see if it helps with the performance. Since it does fix the UTF-8 issue it won't be doing as much logging and grinding. let us know if it helps. The sare obfu1 set is still crashing when calling the sa perl object on Windows. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5425 I expect there's nothing that the SA devs are going to be able to do to catch it, but in case there's a way to rework the rule so it doesn't crash, I thought I'd let someone know. It would be good for Windows users to remove the obfu set (obfu0 is ok, but obfu and obfu1 are not) if they're upgrading to SA 3.2.0. Bret
RE: perl version
Is there a standard perl version that the SA team aspires to and uses as a baseline or some sort? If so, is it the 5.8.8 or newer or ??? For running on Windows, 5.8.8 is highly recommended. 5.6.1 can work, but it is rather unstable. Can't really comment on what runs best for other environments. Bret
RE: /etc/mail/spamassassin files
Someone mentioned issues with config files in /etc/mail/spamassassin in regards to the newer 3.2.0 I understand what you mentioned about what should be in .pre files and .cf files Did you find any other issues with just general alternatively named .cf files or problems with them? It's just a way to order the loading as I understand. .pre files are all read and processed before any .cf files. It ensures that any plugins can be loaded and initialized prior to any rules that use the plugins. Bret
RE: SPF custom rule
Thanks for the info Bret. What I've come up with is this:

  header _FROM_DOMAIN From =~ /example\.com/i
  header _SPF_TRUE /\bSPF_FAIL\b/
  meta DOMAIN_SPF_TRUE (_FROM_DOMAIN && _SPF_TRUE)
  score DOMAIN_SPF_TRUE 10.0

Will this work? Kinda, with a few changes:

  header __FROM_DOMAIN From =~ /\bexample\.com\b/i
  header __SPF_TRUE ALL =~ /\bSPF_FAIL\b/

This will make sure you get example.com and not myexample.communists. However, the From header is *really* easy to spoof, so this isn't much of a check. You would probably be better off looking for the host name in one of the received headers. You also need to give a target to the second header test. I used ALL to search all of the headers for the string you want. However, if you know the name of the header you are looking for, you could better do something like

  header __SPF_CHECK exists:SPF_FAIL

assuming the header was named SPF_FAIL. Note also you want two leading underscores, not one, on those meta parts, so the final line becomes:

  meta DOMAIN_SPF_TRUE (__FROM_DOMAIN && __SPF_TRUE)

Loren

Hi Loren, Thank you very much. I'll give it a try. The final filter will then look like this?

  header __FROM_DOMAIN From =~ /\bexample\.com\b/i
  header __SPF_TRUE ALL =~ /\bSPF_FAIL\b/
  meta DOMAIN_SPF_TRUE (__FROM_DOMAIN && __SPF_TRUE)
  score DOMAIN_SPF_TRUE 10.0

Just a question though.. This whole process happens in Spamassassin... Will there be a SPF_FAIL in the header already at the time of this check?? I get the feeling there won't.. If the SPF test is happening in SA anyway, then you can reduce this to two rules:

  header __FROM_DOMAIN From =~ /\bexample\.com\b/i
  meta DOMAIN_SPF_TRUE (__FROM_DOMAIN && SPF_FAIL)
  score DOMAIN_SPF_TRUE 10.0

SPF_FAIL is part of the standard rule set in 25_spf.cf. No sense in checking the condition twice. Bret
RE: SPF custom rule
I need to look at setting up a custom rule based on a SPF result. If mail is sent from domain xyz.com and the SPF record matches, let it pass as per normal. If on the other hand the SPF record fails for xyz.com, add +5 to the score. This has to happen ONLY for domain xyz.com. All others will be handled by Spamassassin the normal way. I can't specify the syntax directly for you, but a good method of doing this would be to create a rule to detect the message is from that domain then use a meta rule to score if the message hits both from that domain and SPF_FAIL. Bret
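The two SPF custom-rule threads above describe a From-domain sub-rule combined with SPF_FAIL in a meta rule. This added example (not code from the list or from SpamAssassin) is a small evaluator for exactly those header/meta/score rule shapes, run over constructed messages; it shows why the \b anchors matter (example.com vs. myexample.communists) and why the __ sub-rule never scores on its own. SPF_FAIL is assumed to be set by SA's own 25_spf.cf check and is passed in as an already-hit rule.

```python
import re

# Added example, not code from the list thread or SpamAssassin itself.
# Final two-rule version from the thread; SPF_FAIL comes from 25_spf.cf,
# so it is passed in as a pre-hit rule rather than evaluated here.
RULES = r"""
header __FROM_DOMAIN From =~ /\bexample\.com\b/i
meta DOMAIN_SPF_TRUE (__FROM_DOMAIN && SPF_FAIL)
score DOMAIN_SPF_TRUE 10.0
"""

# The first attempt from the thread, without the \b anchors, for comparison.
LOOSE_RULES = r"""
header __FROM_DOMAIN From =~ /example\.com/i
meta DOMAIN_SPF_TRUE (__FROM_DOMAIN && SPF_FAIL)
score DOMAIN_SPF_TRUE 10.0
"""

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")
META_RE = re.compile(r"^meta\s+(\S+)\s+\((\S+)\s+&&\s+(\S+)\)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+([-\d.]+)$")


def parse_rules(text):
    """Parse the header/meta/score lines used in the thread (a subset of SA syntax)."""
    headers, metas, scores = {}, {}, {}
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, target, pattern, flags = m.groups()
            reflags = re.IGNORECASE if "i" in flags else 0
            headers[name] = (target, re.compile(pattern, reflags))
            continue
        m = META_RE.match(line)
        if m:
            name, left, right = m.groups()
            metas[name] = (left, right)
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
            continue
        raise ValueError("unsupported rule line: " + line)
    return headers, metas, scores


def evaluate(rules_text, msg_headers, prehit):
    """Return (hit rule names, total score from these rules) for one message.

    msg_headers: dict of header name -> value (constructed sample input).
    prehit: rule names already hit by SA's own rules, e.g. {"SPF_FAIL"}.
    """
    headers, metas, scores = parse_rules(rules_text)
    hits = set(prehit)
    for name, (target, rx) in headers.items():
        if target == "ALL":  # ALL searches every header, as in the thread
            haystack = "\n".join(f"{k}: {v}" for k, v in msg_headers.items())
        else:
            haystack = msg_headers.get(target, "")
        if rx.search(haystack):
            hits.add(name)
    for name, (left, right) in metas.items():
        if left in hits and right in hits:
            hits.add(name)
    # As in SA, names starting with __ are sub-rules and never score by themselves.
    score = sum(scores.get(h, 0.0) for h in hits if not h.startswith("__"))
    return hits, score
```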
RE: notice diff between using 3.1.8 and 3.2.0 ?
Is anyone noticing small, medium, or large improvements in how well 3.2.0 does it's job compared to 3.1.8 ??? I'm seeing less spam slipping through in 3.2.0 rc3 than with 3.1.8. Of course, that could be coincidental, but I'd rather attribute it to the SA upgrade. Bret
RE: Catching and stopping 419 spam
On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote: OK - I did this with Exim rules but the same trick could be used in SA. I figured out a trick that catches 419 spam with amazing accuracy. ... So - who uses one freemail address with a reply-to of another? 419 spammers. So if you make a list of domains that are popular freemail vendors used by spammers and if both the from and reply-to addresses are in this list and they are different, it's a 419 spammer. ... Anyhow - I figure this trick would be easy to code up for SA and someone should try it. Good idea. I made a simple plugin for testing.. http://sa.hege.li/FreeMail.pm So far, it's only hitting on some better deal insurance messages that use tripod-mail.com. To me, it looks like Tripod uses different from and reply-to addresses with the reply-to being a sequential number, perhaps for threading the messages. Both the reply-to and from addresses are tripod-mail.com. The reply-to and return-path addresses are different, but use the same sequential number in them, and the errors-to and from are different and do not use the number. That is, 4 from/reply addresses on each message. Of course, it's spam anyway, but not really the type we're trying to catch with this technique. Bret
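The freemail trick above, as an added example (not the FreeMail.pm plugin linked in the thread): the check hits only when From and Reply-To are in two different freemail domains, so a Tripod-style message whose From and Reply-To differ but share one domain does not hit. The freemail domain list and the sample messages are constructed.

```python
import re

# Added example, not the FreeMail.pm plugin from the thread.
# Constructed sample of "freemail" domains; a real list would be much longer.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "tripod-mail.com"}

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


def domain_of(header_value):
    """Return the lowercase domain of the first address in a header value, or None."""
    m = ADDR_RE.search(header_value or "")
    return m.group(1).lower() if m else None


def freemail_mismatch(headers):
    """True when From and Reply-To use two *different* freemail domains.

    headers: dict of header name -> value (case-insensitive lookup).
    No Reply-To, or both addresses in the same domain (the Tripod case
    Bret describes), means no hit.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    from_dom = domain_of(lower.get("from"))
    reply_dom = domain_of(lower.get("reply-to"))
    if not from_dom or not reply_dom or from_dom == reply_dom:
        return False
    return from_dom in FREEMAIL_DOMAINS and reply_dom in FREEMAIL_DOMAINS


# Constructed sample messages (headers only).
SAMPLES = {
    "419_style": {"From": "Mr. Mark <mark1234@yahoo.com>",
                  "Reply-To": "markbarrister@gmail.com"},
    "tripod_like": {"From": "offers@tripod-mail.com",
                    "Reply-To": "reply-1001@tripod-mail.com",
                    "Return-Path": "bounce-1001@tripod-mail.com"},
    "no_reply_to": {"From": "alice@gmail.com"},
    "corporate": {"From": "sales@example.com", "Reply-To": "bob@gmail.com"},
}


def classify(samples=SAMPLES):
    """Map each sample name to whether the heuristic fires."""
    return {name: freemail_mismatch(h) for name, h in samples.items()}
```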
whitelist_from_rcvd problem
One of my users is supposed to get messages from this person, but they often get marked as spam. So I want to whitelist, and I can use whitelist_from, but I want to use whitelist_from_rcvd. BUT, it doesn't work for me. I said:

  whitelist_from_rcvd [EMAIL PROTECTED] sbc.com

Which I think means that as long as his e-mail comes from any host in any subdomain of sbc.com, it should be whitelisted. But the message didn't hit the whitelist. (Headers below.) Before I opened a bug ticket, I just wanted to make sure my reasoning was sound in thinking that this should have been whitelisted by the above configuration entry. (I've had to report bugs previously with whitelist_spf not parsing the received headers from CommuniGate Pro, so perhaps this is related. I wonder if the header-parsing code is a central routine or if each plugin has its own way of doing it...) Thanks, Bret

  X-Spam-Tests: tests=AWL=4.115,BAYES_50=0.001,DKIM_POLICY_SIGNSOME=0.001,
      FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,RCVD_IN_MXRATE_WL=-1,
      RDNS_NONE=0.1;autolearn=no
  X-Spam-Score: 4.7
  X-Spam-Checker-Version: SpamAssassin 3.2.0-rc2 (2007-04-13) on mail.hq.wcg.org
  X-Spam-Level:
  X-TFF-CGPSA-Version: 1.6a5
  X-WCG-CGPSA-Filter: Scanned
  X-SPAM-FLAG: Yes
  Return-Path: [EMAIL PROTECTED]
  Received: from nlpi029.sbcis.sbc.com ([207.115.36.58] verified) by mail.wcg.org (CommuniGate Pro SMTP 5.1.8) with ESMTP id 21043544 for [EMAIL PROTECTED]; Thu, 26 Apr 2007 11:37:26 -0700
  Received-SPF: none receiver=mail.wcg.org; client-ip=207.115.36.58; [EMAIL PROTECTED]
  X-ORBL: [63.198.171.170]
  Received: from JBROD (adsl-63-198-171-170.dsl.lsan03.pacbell.net [63.198.171.170]) by nlpi029.sbcis.sbc.com (8.13.8 out.dk.spool/8.13.8) with ESMTP id l3QIUgM5027947 for [EMAIL PROTECTED]; Thu, 26 Apr 2007 13:31:11 -0500
  From: Jon Brod [EMAIL PROTECTED]
  To: 'Bernie Schnippert' [EMAIL PROTECTED]
  Subject: RE: California/Ontario Estate Matter
  Date: Thu, 26 Apr 2007 11:30:09 -0700
  Message-ID: [EMAIL PROTECTED]
  MIME-Version: 1.0
  Content-Type: multipart/alternative; boundary==_NextPart_000_0010_01C787F6.4582C0D0
  X-Priority: 3 (Normal)
  X-MSMail-Priority: Normal
  X-Mailer: Microsoft Outlook, Build 10.0.6626
  Importance: Normal
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
  In-Reply-To: [EMAIL PROTECTED]
RE: whitelist_from_rcvd problem
One of my users is supposed to get messages from this person, but they often get marked as spam. So I want to whitelist, and I can use whitelist_from, but I want to use whitelist_from_rcvd. BUT, it doesn't work for me. I said:

  whitelist_from_rcvd [EMAIL PROTECTED] sbc.com

Which I think means that as long as his e-mail comes from any host in any subdomain of sbc.com, it should be whitelisted. But the message didn't hit the whitelist. (Headers below.)

OK, never mind. Upgrading to rc3 (or something in the update process) fixed this. Bret

Before I opened a bug ticket, I just wanted to make sure my reasoning was sound in thinking that this should have been whitelisted by the above configuration entry. (I've had to report bugs previously with whitelist_spf not parsing the received headers from CommuniGate Pro, so perhaps this is related. I wonder if the header-parsing code is a central routine or if each plugin has its own way of doing it...) Thanks, Bret

  X-Spam-Tests: tests=AWL=4.115,BAYES_50=0.001,DKIM_POLICY_SIGNSOME=0.001,
      FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,RCVD_IN_MXRATE_WL=-1,
      RDNS_NONE=0.1;autolearn=no
  X-Spam-Score: 4.7
  X-Spam-Checker-Version: SpamAssassin 3.2.0-rc2 (2007-04-13) on mail.hq.wcg.org
  X-Spam-Level:
  X-TFF-CGPSA-Version: 1.6a5
  X-WCG-CGPSA-Filter: Scanned
  X-SPAM-FLAG: Yes
  Return-Path: [EMAIL PROTECTED]
  Received: from nlpi029.sbcis.sbc.com ([207.115.36.58] verified) by mail.wcg.org (CommuniGate Pro SMTP 5.1.8) with ESMTP id 21043544 for [EMAIL PROTECTED]; Thu, 26 Apr 2007 11:37:26 -0700
  Received-SPF: none receiver=mail.wcg.org; client-ip=207.115.36.58; [EMAIL PROTECTED]
  X-ORBL: [63.198.171.170]
  Received: from JBROD (adsl-63-198-171-170.dsl.lsan03.pacbell.net [63.198.171.170]) by nlpi029.sbcis.sbc.com (8.13.8 out.dk.spool/8.13.8) with ESMTP id l3QIUgM5027947 for [EMAIL PROTECTED]; Thu, 26 Apr 2007 13:31:11 -0500
  From: Jon Brod [EMAIL PROTECTED]
  To: 'Bernie Schnippert' [EMAIL PROTECTED]
  Subject: RE: California/Ontario Estate Matter
  Date: Thu, 26 Apr 2007 11:30:09 -0700
  Message-ID: [EMAIL PROTECTED]
  MIME-Version: 1.0
  Content-Type: multipart/alternative; boundary==_NextPart_000_0010_01C787F6.4582C0D0
  X-Priority: 3 (Normal)
  X-MSMail-Priority: Normal
  X-Mailer: Microsoft Outlook, Build 10.0.6626
  Importance: Normal
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
  In-Reply-To: [EMAIL PROTECTED]
RE: RBL tests on MTA vs. RBL rules on SA
Hi, list, I know this is one of those egg and chicken kind of questions, but having now the possibility of checking the impact of various setups, I was wondering if it is more convenient to let the MTA perform the RBL checks, or disable them and let SA do this job. Currently I am using zen.spamhaus.org as my primary (and only) RBL tester on Postfix, and I am kinda surprised. The daily statistics show that my server is rejecting almost 22000 connections a day, and accepting only 2500-3000 emails. The major drawback is bayes. It seems to lack the necessary amount of data to catch up as the spam evolves, so I'm continuously getting new kinds of spam (meaning that I can't figure out a tendency to draw a rule from). So I'm asking if anyone has a solution for this, or how do you deal with this (to me) delicate balance. For me, it's not an either-or choice. The RBLs I can use on the MTA are very limited because the consequences of a false-positive are very severe (i.e., the message doesn't even get received). Dropping the same from SA reduces its effectiveness. So, I just run them in both places. Repeating a DNS lookup shouldn't be too expensive if your DNS server caches the result. Bret
RE: RBL tests on MTA vs. RBL rules on SA
You do not mean you run the same RBLs at the MTA and SA level do you? If the MTA rejects on an RBL there should be nothing for SA to score on as that message is rejected already. I currently score in SA on a number of RBLs but would be interested to know what you regard as safe to use at the MTA level. Although our mail volume is small we need to receive mail from customers who I have found can be listed on several of the more aggressive RBLs, thus I have given up trying to reject at the MTA level. I do actually run some of the same RBLs in both places. The MTA only checks the actual server it's receiving from. SA, in many cases, checks farther back, so you may hit RBLs in SA that you wouldn't on your MTA. I use zen.spamhaus.org and list.dsbl.org on the MTA. Bret Thanks Bret Miller wrote: Hi, list, I know this is one of those egg and chicken kind of questions, but having now the possibility of checking the impact of various setups, I was wondering if it is more convenient to let the MTA perform the RBL checks, or disable them and let SA do this job. Currently I am using zen.spamhaus.org as my primary (and only) RBL tester on Postfix, and I am kinda surprised. The daily statistics show that my server is rejecting almost 22000 connections a day, and accepting only 2500-3000 emails. The major drawback is bayes. It seems to lack the necessary amount of data to catch up as the spam evolves, so I'm continuously getting new kinds of spam (meaning that I can't figure out a tendency to draw a rule from). So I'm asking if anyone has a solution for this, or how do you deal with this (to me) delicate balance. For me, it's not an either-or choice. The RBLs I can use on the MTA are very limited because the consequences of a false-positive are very severe (i.e., the message doesn't even get received). Dropping the same from SA reduces its effectiveness. So, I just run them in both places. Repeating a DNS lookup shouldn't be too expensive if your DNS server caches the result. Bret
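Bret's point that the MTA only sees the connecting server while SA checks farther back, as an added example (not from the thread): it parses a constructed Received: chain, builds the reversed-octet lookup name an IPv4 DNSBL query uses, and shows the same zone hitting for SA but not for the MTA. DNS is replaced by a constructed answer table so it runs offline; the trusted-network skip is a simplification of SA's relay handling.

```python
import re
import ipaddress

# Added example, not code from the thread or from SpamAssassin.
RBL_ZONE = "zen.spamhaus.org"

# Constructed stand-in for DNS: query name -> answer. Only the deeper relay
# (203.0.113.45, a documentation-range address) is "listed".
FAKE_DNS = {"45.113.0.203.zen.spamhaus.org": "127.0.0.4"}

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def rbl_query_name(ip, zone=RBL_ZONE):
    """Build the reversed-octet name an IPv4 DNSBL lookup queries."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, resolver=FAKE_DNS):
    return rbl_query_name(ip) in resolver


def relay_ips(received_headers):
    """Extract the bracketed client IP from each Received: header, newest first."""
    ips = []
    for h in received_headers:
        m = RECEIVED_IP_RE.search(h)
        if m:
            ips.append(m.group(1))
    return ips


def mta_check(received_headers):
    """The MTA only knows the client that connected to it: the newest Received: line."""
    ips = relay_ips(received_headers)
    return [ip for ip in ips[:1] if is_listed(ip)]


def sa_check(received_headers, trusted=()):
    """SA walks every relay in the chain, skipping those inside trusted networks."""
    hits = []
    for ip in relay_ips(received_headers):
        addr = ipaddress.IPv4Address(ip)
        if any(addr in ipaddress.ip_network(n) for n in trusted):
            continue
        if is_listed(ip):
            hits.append(ip)
    return hits


# Constructed Received: chain, newest first, like the headers quoted earlier.
SAMPLE_RECEIVED = [
    "from relay.isp.example ([198.51.100.7]) by mail.example.org with ESMTP id 1",
    "from userpc ([203.0.113.45]) by relay.isp.example with ESMTP id 2",
]
```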
RE: which sa-update channels (was RBL tests on MTA vs. RBL rules on SA)
[snip] Regarding sa-update, which channels are you using? I'm currently running on saupdates.openproect.com. Any suggestions on this subject? I use:

  updates.spamassassin.org
  00_FVGT_File001.cf.sare.sa-update.dostech.net
  99_FVGT_meta.cf.sare.sa-update.dostech.net
  99_FVGT_Tripwire.cf.sare.sa-update.dostech.net
  70_sare_adult.cf.sare.sa-update.dostech.net
  70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
  70_sare_evilnum0.cf.sare.sa-update.dostech.net
  70_sare_evilnum1.cf.sare.sa-update.dostech.net
  70_sare_evilnum2.cf.sare.sa-update.dostech.net
  70_sare_genlsubj.cf.sare.sa-update.dostech.net
  70_sare_header.cf.sare.sa-update.dostech.net
  70_sare_highrisk.cf.sare.sa-update.dostech.net
  70_sare_html.cf.sare.sa-update.dostech.net
  70_sare_obfu0.cf.sare.sa-update.dostech.net
  70_sare_oem.cf.sare.sa-update.dostech.net
  70_sare_random.cf.sare.sa-update.dostech.net
  70_sare_specific.cf.sare.sa-update.dostech.net
  70_sare_spoof.cf.sare.sa-update.dostech.net
  70_sare_stocks.cf.sare.sa-update.dostech.net
  70_sare_unsub.cf.sare.sa-update.dostech.net
  70_sare_uri.cf.sare.sa-update.dostech.net
  70_sare_uri_eng.cf.sare.sa-update.dostech.net
  70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net
  70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
  72_sare_bml_post25x.cf.sare.sa-update.dostech.net
  72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
  99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
  70_zmi_german.cf.zmi.sa-update.dostech.net

Some of these are rather aggressive, but we have very, very few false positives here. And when we do, we simply whitelist the sender so it doesn't happen again. Bret
RE: 3.2.0-rc2?
How's this working out? Any good/bad reports? Just installed, tested and deployed this today on CommuniGate Pro on Windows 2003. So far, seems to be running well. Only time will tell if it's better or worse than 3.1.8. I actually managed to get DKIM support installed on Windows this time around too. So we'll see if that helps anything... Bret
RE: sa-update too quiet
Could future versions of sa-update please be a little more vocal? Like maybe no new updates found | loaded xxx new updates | error xxx Exit codes are not evident when simply typing sa-update on the command line... I created my own simple batch file for windows. It runs sa-update. Checks the return code. Creates a message (some/no updates). GREP's some basic info from the debug output so you can tell what got updated. And using a perl script, sends the message, report, and debug output to me in e-mail every morning. All this would be easy to do on any OS, I presume since I didn't use any windows-specific tools except for the batch language itself. Here's what the batch file looks like (watch the line wrapping):

  call sa-update --channelfile sa-update-channels.txt --gpgkey 856AA88A -D 1>sa-update-out.txt 2>sa-update-dbg.txt
  if errorlevel 1 goto noupd
  echo Some rules updated.>sa-update-msg.txt
  goto makelog
  :noupd
  echo No updates available.>sa-update-msg.txt
  :makelog
  echo.>>sa-update-msg.txt
  echo Log files attached.>>sa-update-msg.txt
  c:\bat\grep -F -f sa-update-grep.txt sa-update-dbg.txt >sa-update-log.txt
  perl sa-update-send.pl <sa-update-msg.txt

And here's the perl script to send the e-mail:

  # E-mail notification settings. The download/version log is sent plus
  # if auto updating, the SA lint stdout and stderr are sent.
  # E-mail is only sent if there is a newer version of at least one rule file.
  # Set $mail_host to '' for no notification.
  use strict;
  use warnings;
  use MIME::Lite;
  use Net::SMTP;

  my $from_address = '[EMAIL PROTECTED]';
  my $to_address   = '[EMAIL PROTECTED]';
  my $mail_host    = 'mail.wcg.org';
  my $subject      = 'SpamAssassin Rule Updates';

  # The message text (sa-update-msg.txt) is piped in on stdin by the batch file.
  my $message_body = '';
  while (<STDIN>) { $message_body .= $_ }

  if ($mail_host) {
      # Notify admins
      my $msg = MIME::Lite->new(
          From    => $from_address,
          To      => $to_address,
          Subject => $subject,
          Type    => 'multipart/mixed',
      ) or die "Error creating message: $!\n";
      $msg->attach(
          Type => 'TEXT',
          Data => $message_body,
      ) or die "Error adding the text message part: $!\n";
      $msg->attach(
          Type        => 'text/plain',
          Path        => 'sa-update-log.txt',
          Filename    => 'sa-update-log.txt',
          Disposition => 'attachment',
      ) or die "Error adding sa-update-log.txt: $!\n";
      $msg->attach(
          Type        => 'text/plain',
          Path        => 'sa-update-dbg.txt',
          Filename    => 'sa-update-dbg.txt',
          Disposition => 'attachment',
      ) or die "Error adding sa-update-dbg.txt: $!\n";
      $msg->attach(
          Type        => 'text/plain',
          Path        => 'sa-update-out.txt',
          Filename    => 'sa-update-out.txt',
          Disposition => 'attachment',
      ) or die "Error adding sa-update-out.txt: $!\n";
      # Send through the SMTP host rather than a local sendmail binary.
      MIME::Lite->send('smtp', $mail_host, Timeout => 60);
      $msg->send;
  }

HTH, Bret
Why doesn't whitelist_from_rcvd work on this?
I'm having trouble figuring out why my whitelist_from_rcvd statement doesn't work on this message.

  whitelist_from_rcvd [EMAIL PROTECTED] *.cems.wamu.com   #Washington Mutual Statements

Message Headers:

  X-Spam-Tests: tests=AWL=0.427,BAYES_00=-2.599,DBL_12_LETTER_PGIMG=0.2,
      HEADER_SPAM=3.789,HTML_MESSAGE=0.001,HTML_TAG_BALANCE_BODY=0.228,
      MSGID_FROM_MTA_ID=1.393,NORMAL_HTTP_TO_IP=0.175,
      SARE_HTML_MANY_BR05=0.5;autolearn=no
  X-Spam-Score: 4.1
  X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.hq.wcg.org
  X-Spam-Level:
  X-TFF-CGPSA-Version: 1.6a5
  X-WCG-CGPSA-Filter: Scanned
  X-SPAM-FLAG: Yes
  X-Deliver-To: [EMAIL PROTECTED]
  Return-Path: [EMAIL PROTECTED]
  Received: from mtaw014.cems.wamu.com ([167.88.194.145] verified) by mail.wcg.org (CommuniGate Pro SMTP 5.1.5) with ESMTP id 20140775 for [EMAIL PROTECTED]; Thu, 01 Feb 2007 03:58:33 -0800
  Received-SPF: none receiver=mail.wcg.org; client-ip=167.88.194.145; [EMAIL PROTECTED]
  Content-Type: multipart/alternative; boundary==_NEXT_28374530
  Date: Thu, 01 Feb 2007 03:56:59 -0800
  Mime-Version: 1.0
  Reply-To: [EMAIL PROTECTED]
  Mime-Subversion: 30c687-27c6f0
  From: Washington Mutual [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: A New Statement is Ready
  Content-Transfer-Encoding: binary
  Message-ID: [EMAIL PROTECTED]

In my debug output, I get:

  [3260] dbg: received-header: parsed as [ ip=167.88.194.145 rdns=mtaw014.cems.wamu.com helo=mtaw014.cems.wamu.com by=mail.wcg.org ident= envfrom= intl=0 id=20140775 auth= ]
  [3260] dbg: received-header: relay 167.88.194.145 trusted? no internal? no

So, to me, it looks like it parsed the received header just fine. The from address matches, and the received mtaw013.cems.wamu.com should match *.cems.wamu.com should it not? What am I missing here? Bret
RE: SA on SBS
Any issues installing SA on a Microsoft Small Business Server with their Exchange version? I can't think of any. Any recommendations pros/cons will be appreciated. Get the latest ActivePerl (5.8.8.820) and perl modules. See http://wiki.apache.org/spamassassin/InstallingOnWindows See http://www.christopherlewis.com/ESA/ExchangeSpamAssassin.htm HTH, Bret
RE: MTA for Windows
Kenneth Porter wrote: I'm looking for an MTA I can install in an all-Windows SOHO. Open source and free preferable. Ideally with hooks for SpamAssassin. (At home I have a Linux box with sendmail, but a friend has no Linux on his LAN.) Free for a small number of user accounts (5 I think?), multi-platform (in case you want to run it on Linux, FreeBSD, Solaris, MacOSX, etc. in addition to Windows), has free plugins for SpamAssassin and some anti-virus engines, but is not itself open source: CommuniGate Pro Funny thing, I was just going to say that too. CommuniGate Pro is not open source, but offers a free community edition license (i.e., no key required) for 5 or less users. It runs fine on Windows (I use it at the office), has free 3rd-party add-ons for SpamAssassin (http://www.tffenterprises.com/cgpsa/) and ClamAV (http://webmail.wcg.org/~support/cgFilterMessages/history.html). HTH, Bret
RE: MTA for Windows
Bret Miller wrote: [snip] CommuniGate Pro is not open source, but offers a free community edition license (i.e., no key required) for 5 or less users. It runs fine on Windows (I use it at the office), has free 3rd-party add-ons for SpamAssassin (http://www.tffenterprises.com/cgpsa/) and ClamAV (http://webmail.wcg.org/~support/cgFilterMessages/history.html). A better option for using ClamAV (w/o having to install it): http://www.niversoft.com/products/cgscripts/cgpclamav It's better, but it's not free. Bret
RE: Odd mail makes SA fall over
I received an odd email that makes spamd fall over. I'm using the SAWin32 port, and was wondering whether other users could also see the same problem with this message or whether the problem is peculiar to the Windows port. The glaring weirdness with this email is obviously the RSET in the To field - I don't know whether that was originally in the email or inserted by Mercury when it downloaded it from my POP account. I've lightly edited the To email addresses but have confirmed that the edited mail still kills spamd on my system. The X-Spam header was present in the original email. SA 3.1.8 on Windows XP handles it just fine:

  X-Spam-Tests: tests=BAYES_50=0.001,J_CHICKENPOX_66=0.6,MISSING_HB_SEP=2.5,
      MISSING_SUBJECT=1.816,NO_REAL_NAME=0.961,RCVD_IN_BL_SPAMCOP_NET=1.558,
      RCVD_IN_SORBS_WEB=1.456,SARE_ADULT2=0.987,UNPARSEABLE_RELAY=0.001,
      URIBL_AB_SURBL=3.812,URIBL_BLACK=3,URIBL_CNKR=2.5,URIBL_JP_SURBL=4.087,
      URIBL_OB_SURBL=3.008,URIBL_SC_SURBL=4.498,URIBL_WS_SURBL=2.14;autolearn=spam
  X-Spam-Score: 32.9
  X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13)

Bret
RE: updating 3.1.1 to 3.1.7
using the DAG site and rpm -U, I updated spamassassin and spamassissin-tools to 3.1.7-1 Things don't look so good. Here is what happened when I restarted spamd

  spamd[26917]: spamd: server killed by SIGTERM, shutting down
  spamd[27082]: persistent_udp: no such method at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/DnsResolver.pm line 99
  spamd[27082]: logger: removing stderr method
  spamd[27084]: config: failed to parse line, skipping: rewrite_subject 1
  spamd[27084]: config: failed to parse line, skipping: subject_tag [:]
  spamd[27084]: config: failed to parse line, skipping: check_mx_delay 3
  spamd[27084]: config: failed to parse line, skipping: report_header 1
  spamd[27084]: config: failed to parse line, skipping: use_terse_report 1
  spamd[27084]: config: failed to parse line, skipping: detailed_phrase_score 0
  spamd[27084]: config: failed to parse line, skipping: spam_level_stars 0
  spamd[27084]: config: failed to parse line, skipping: defang_mime 0
  spamd[27084]: config: score: the non-numeric score (-.3) is not valid, a numeric score is required
  spamd[27084]: config: SpamAssassin failed to parse line, FROM_POSTOFFICE - .3 is not valid for score, skipping: score FROM_POSTOFFICE -.3
  spamd[27084]: config: failed to parse line, skipping: razor_timeout 1
  spamd[27084]: config: failed to parse line, skipping: dcc_timeout 1
  spamd[27084]: config: failed to parse line, skipping: pyzor_add_header 0
  spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'RAZOR2_CHECK'
  spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
  spamd[27084]: rules: meta test DRUGS_ERECTILE has undefined dependency '__DRUGS_ERECTILE7'
  spamd[27084]: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
  spamd[27084]: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
  spamd[27084]: spamd: server started on port 783/tcp (running version 3.1.7)
  spamd[27084]: spamd: server pid: 27084
  spamd[27084]: spamd: server successfully spawned child process, pid 27091
  spamd[27084]: spamd: server successfully spawned child process, pid 27092
  spamd[27084]: prefork: child states: IS
  spamd[27084]: prefork: child states: II

I don't see anything mentioned about this in /usr/share/doc/spamassassin-3.1.7/UPGRADE The failed to parse line warnings are all deprecated settings IIRC. Check the documentation for current equivalents. I would be surprised if 3.1.1 didn't note those as well. The score from FROM_POSTOFFICE should be -0.3 instead of -.3. Is that in your local.cf? The undefined dependency info messages are new in a recent version (sorry-- don't remember which). However, the end result is the same as before as far as processing goes. It's just the undefined dependencies are actually noted somewhere now where they weren't before. If you develop your own meta rules, having this is very helpful. For standard or other 3rd-party rules, it's just annoying. Is your Net::DNS up-to-date per the release notes? HTH, Bret
RE: To create a cf file: notepad and youfile.cf enough?
Is it enough to create a cf file using notepad and save the file like "yourfile.cf" (with quotes)? Yes. I notice that files that I make that way have the wordpad icon, but the original cf files I have in my ftp have no icon. I generally have to use Wordpad with cf files supplied by others because they use unix line feeds instead of dos/windows ones. Notepad reads the entire file as one line when the line feeds aren't right. Wordpad splits the lines properly. Bret
RE: Newbie upgrade
Please give me some simple advice - I've upgraded 3.0.3 to 3.1.7 from backports.org for my Debian Sarge (stable) installation. I'm still using my former local.cf. I've noticed that my ham is no longer being tagged with X-Spam headers, but the spam is getting these headers - at the top of the headers now, in contrast to at the bottom like they used to be. What's changed about inserting the header info? All the spam that's getting trapped has huge scores (~30), and I can't see what the scores for the ham (some really spam) are because the headers aren't there. Any specific help with these 2 issues would be greatly appreciated.

According to the doc, these are the defaults; note that Checker-Version can not be changed or removed:

add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

So, the score should be added to all messages. It would, of course, depend on what you've done in your local.cf configuration. So, what do you have in local.cf for report/header options? Bret
RE: White Listing
I am looking for an easy way for my spamassassin to relearn messages marked as spam that users would like to get. Would it be safe and avoid bayesian poisoning if I were to set up an email box such as [EMAIL PROTECTED] and have users forward non-spam emails to this email address and then learn it as ham?

There was a script posted a while back as an example of how you could detach "forward as attachment" messages into a folder for learning. I don't remember the author, but I'm reposting the script since it could be useful here. WARNING: lines may wrap.

#!/usr/bin/perl
use strict;
use warnings;
use Mail::SpamAssassin::Message;
use Data::UUID;

my @message = <STDIN>;        # the wrapper mail, with the originals forwarded as attachments
my $path    = "/tmp/spam/";   # directory the detached originals are written to

my $msg = Mail::SpamAssassin::Message->new({ 'message' => \@message })
    || die "Message error?";

# Each message/rfc822 part is a forwarded original with its headers intact;
# write it to its own .eml file so sa-learn can be pointed at the directory.
foreach my $p ($msg->find_parts(qr/^message\b/i, 0)) {
    eval {
        no warnings;
        my $type       = $p->{'type'};
        my $ug         = Data::UUID->new;
        my $uuid1      = $ug->create_str();
        my $attachname = $path . $uuid1 . ".eml";
        open OUT, '>', $attachname or die "Can't write file $attachname: $!";
        binmode OUT;
        print OUT $p->decode();
        close OUT;
    };
}
__END__
RE: White Listing
Forwarding is not a good idea; it adds and/or changes the headers in the mail. Forward as attachment(s) could be a solution, since the original mail headers are kept intact. I've asked a similar question on this list some days ago, but nobody could say if there's a common practice for how to feed such messages into spamassassin on the server.

There have been several systems discussed in the last few months using IMAP; it may be worth digging through the archives for them.

Sounds like misusing IMAP ;-)

Not really. It's actually a fairly good system if you have an IMAP server. You create IMAP folders for spam and ham. These can be shared or individual for each user. The users then copy any mis-categorized mail to these folders. A program on the SpamAssassin server connects to the IMAP server, copies the messages from these folders, and runs sa-learn on them. This way, it is simple for the users and the headers do not get mangled. I don't use this method myself, so I can't give you any configuration details. Search the list, this has been discussed multiple times.

I do use the IMAP method here. We run in site-wide mode for both bayes and awl, so we create a couple of shared IMAP folders that users can drop messages into when they want to mark something as spam or not spam. Then we run an IMAP-to-SA learner script that learns the messages. (Actually, we have a manual review in between the user dragging the message and learning, because users will do the darndest things.) That script was posted on the list a while back as well. I could be persuaded to clean up mine and send it if you can't find the original. Bret
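The IMAP-folder learner described in the replies above, as an added Python sketch. It is not the script that was posted to the list and not part of any message here. It assumes two shared folders (the names are assumptions), an sa-learn on the PATH that is run as the owner of the site-wide Bayes database, and it flags learned messages \Seen so a second run does not learn them twice; the manual-review step is left out. FakeIMAP, recording_run and SAMPLE_MESSAGES are constructed stand-ins so the logic runs offline without a server or a real sa-learn.

```python
import imaplib
import subprocess
import tempfile
from typing import Callable, List, Tuple

# Shared folder names and the sa-learn mode for each are assumptions for this example.
FOLDERS = {"Shared/Spam": "--spam", "Shared/Ham": "--ham"}


def fetch_unseen(conn, folder: str) -> List[Tuple[bytes, bytes]]:
    """Return (uid, raw RFC822 bytes) for every UNSEEN message in folder.
    BODY.PEEK[] does not set \\Seen, so a run that dies half way is safely repeated."""
    typ, _ = conn.select(folder)
    if typ != "OK":
        raise RuntimeError(f"cannot select {folder}")
    typ, data = conn.uid("search", None, "UNSEEN")
    if typ != "OK":
        raise RuntimeError(f"search failed in {folder}")
    found = []
    for uid in data[0].split():
        typ, parts = conn.uid("fetch", uid, "(BODY.PEEK[])")
        if typ != "OK":
            continue
        raw = b"".join(p[1] for p in parts if isinstance(p, tuple))  # literal payloads only
        if raw:
            found.append((uid, raw))
    return found


def learn_one(raw: bytes, mode: str, run: Callable = subprocess.run) -> bool:
    """Hand one message to sa-learn via a temp file; --no-sync defers the
    journal merge so a whole batch pays for a single sync at the end."""
    with tempfile.NamedTemporaryFile(suffix=".eml") as tmp:
        tmp.write(raw)
        tmp.flush()
        result = run(["sa-learn", mode, "--no-sync", tmp.name], capture_output=True)
    return result.returncode == 0


def learn_folder(conn, folder: str, mode: str, run: Callable = subprocess.run) -> int:
    """Learn every unseen message in folder and flag the ones that succeeded."""
    learned = 0
    for uid, raw in fetch_unseen(conn, folder):
        if learn_one(raw, mode, run):
            conn.uid("store", uid, "+FLAGS", "(\\Seen)")  # never learn the same message twice
            learned += 1
    return learned


def run_site_wide(host: str, user: str, password: str) -> dict:
    """Real run: TLS to the IMAP server, learn each folder, sync Bayes once.
    Run it as the user that owns the site-wide Bayes database."""
    conn = imaplib.IMAP4_SSL(host)
    conn.login(user, password)
    try:
        return {f: learn_folder(conn, f, m) for f, m in FOLDERS.items()}
    finally:
        conn.logout()
        subprocess.run(["sa-learn", "--sync"], check=True)


# --- Offline stand-ins: constructed data, not a real server and not a real sa-learn ---
SAMPLE_MESSAGES = {
    b"101": b"From: a@example.invalid\r\nSubject: one\r\n\r\nbuy now\r\n",
    b"102": b"From: b@example.invalid\r\nSubject: two\r\n\r\nhello\r\n",
}


class FakeIMAP:
    """Returns the same response shapes imaplib.IMAP4 does for the calls used above."""
    def __init__(self, msgs):
        self.msgs, self.flagged = dict(msgs), []

    def select(self, folder):
        return ("OK", [str(len(self.msgs)).encode()])

    def uid(self, cmd, *args):
        if cmd == "search":
            return ("OK", [b" ".join(self.msgs)])
        if cmd == "fetch":
            raw = self.msgs[args[0]]
            return ("OK", [(b"1 (UID " + args[0] + b" BODY[] {%d}" % len(raw), raw), b")"])
        if cmd == "store":
            self.flagged.append(args[0])
            return ("OK", [None])
        raise ValueError(cmd)


def recording_run(returncode: int, calls: list) -> Callable:
    """Stand-in for subprocess.run: records the sa-learn argv, executes nothing."""
    def run(cmd, **_):
        calls.append(cmd[:3])
        return subprocess.CompletedProcess(cmd, returncode)
    return run


def demo():
    calls = []
    conn = FakeIMAP(SAMPLE_MESSAGES)
    learned = learn_folder(conn, "Shared/Spam", "--spam", run=recording_run(0, calls))
    return learned, conn.flagged, calls


if __name__ == "__main__":
    print(demo())
```

The \Seen flag doubles as the "already learned" marker, which is why the fetch uses BODY.PEEK[] rather than RFC822: a crash between fetch and sa-learn leaves the message unseen and it is picked up on the next run. If users are allowed to drop mail into the Ham folder unreviewed, anything they misfile is learned as ham; that is the reason for the manual review step the reply above mentions.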
RE: errors with spamassain in windows
Answer n when it asks about building spamc. Or try this port: http://physics.ucsd.edu/~epivovar/anti-spam.htm Bret

I'm trying to install SpamAssassin under Windows. I installed perl and nmake. But I'm getting these errors:

---
C:\Perl\bin\perl.exe version.h.pl
version.h.pl: creating version.h
copy config.h.win config.h
copy spamc.h.win spamc.h
C:\Perl\bin\perl.exe ..\build\preprocessor -Mvars -iMakefile.win -oMakefile
cd ..
NMAKE -f spamc/Makefile spamc/spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cd spamc
NMAKE spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cl /DWIN32 /W4 spamc.c replace\getopt.c libspamc.c utils.c ws2_32.lib
'cl' is not recognized as an internal or external command, operable program or batch file.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>
C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>spamassassin -D sample-spam.txt
'spamassassin' is not recognized as an internal or external command, operable program or batch file.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>NMAKE

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

NMAKE -f spamc/Makefile spamc/spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cd spamc
NMAKE spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cl /DWIN32 /W4 spamc.c replace\getopt.c libspamc.c utils.c ws2_32.lib
'cl' is not recognized as an internal or external command, operable program or batch file.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>NMAKE -f spamc/Makefile spamc/spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cd spamc
NMAKE spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cl /DWIN32 /W4 spamc.c replace\getopt.c libspamc.c utils.c ws2_32.lib
'cl' is not recognized as an internal or external command, operable program or batch file.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>cd spamc

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7\spamc>NMAKE spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cl /DWIN32 /W4 spamc.c replace\getopt.c libspamc.c utils.c ws2_32.lib
'cl' is not recognized as an internal or external command, operable program or batch file.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x1'
Stop.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7\spamc>

Do you know how I can fix it, or how I can make it work? Yours sincerely, Guido
RE: SPF detection making mistakes
I'm getting some problems with the SpamAssassin SPF module (Mail::SpamAssassin::Plugin::SPF); maybe I can resolve this problem by asking the list. Please take a look at this header:

--- start cut ---
Return-path: [EMAIL PROTECTED]
Delivery-date: Sun, 17 Dec 2006 10:45:20 +0100
Received: by wp030.webpack.hosteurope.de running Exim 4.43 using esmtp from mi012.mc1.hosteurope.de ([80.237.138.243]); id 1Gvsa8-0007VG-JW; Sun, 17 Dec 2006 10:45:20 +0100
Received: by mx0.webpack.hosteurope.de (80.237.138.5, mi012.mc1.hosteurope.de) running EXperimental Internet Mailer (even more power) using smtp from mail.gmx.net ([213.165.64.20]) id 1Gvsa6-0005C2-As for [EMAIL PROTECTED]; Sun, 17 Dec 2006 10:45:20 +0100
Received: (qmail invoked by alias); 17 Dec 2006 09:45:18 -
Received: from pD9E05917.dip.t-dialin.net (EHLO [223.1.1.128]) [217.224.89.23] by mail.gmx.net (mp034) with SMTP; 17 Dec 2006 10:45:18 +0100
X-Authenticated: #202980
From: just a name [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Sun, 17 Dec 2006 10:45:33 +0100
MIME-Version: 1.0
Subject: test
Reply-to: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Priority: normal
X-mailer: Pegasus Mail for Windows (4.41)
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: Quoted-printable
Content-description: Mail message body
X-Y-GMX-Trusted: 0
X-HE-Virus-Scanned: yes
X-HE-Spam-Level: ++
X-HE-Spam-Score: 2.5
X-HE-Spam-Report: Content analysis details: (2.5 points)
 pts rule name description
 --- -- --
 2.1 HELO_DYNAMIC_DIALIN Relay HELO'd using suspicious hostname (T-Dialin)
 0.2 SPF_FAIL SPF: sender does not match SPF record (fail) [SPF failed: Please see http://spf.pobox.com/why.html?sender=xxx%40gmx.deip=223.1.1.12 8receiver=mi012.mc1.hosteurope.de]

Huh?? 223.1.1.12? Is 213.165.64.20 part of your trusted networks? Actually the doc for the SPF module says trusted_networks, but shouldn't it be checking internal_networks instead?

Anyway, it fails because it's checking the wrong IP, because it thinks you received it at one stage earlier than you did. That's likely because either or both of trusted_networks and internal_networks are not correctly set. HTH, Bret

 0.2 RCVD_ILLEGAL_IP Received: contains illegal IP address
Envelope-to: [EMAIL PROTECTED]
--- end cut ---

As you can see, the SPF check fails, but in my understanding it should pass without a failure. This mail was sent via dial-in and smtp-auth ... how can I modify the SPF module so that it will check this kind of header correctly? Thanks for help. \jd
RE: Botnet 0.6 plugin for Spam Assassin availabile
Chris Lear wrote: * Oliver Schulze L. wrote (18/12/06 15:42): Nice stats! How do you generate them in SA 3.1.7? I use this: http://www.rulesemporium.com/programs/sa-stats-1.0.txt Chris

Does this require using spamd instead of invoking spamassassin?

It requires spamd-style logging. That may or may not require spamd. I recently wrote my own mod to CGPSA to write this style of log so that I could use sa-stats. Whether you can do this with other tools I don't know. Bret
RE: MSRBL
On Wednesday 13 December 2006 11:35 am, Bret Miller wrote: Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it in trial now, but thought I'd ask to see if anyone here had an opinion before doing anything serious with it. TIA, Bret Bret, on my home system I use the MSRBL-Images.hdb and MSRBL-Spam.ndb in conjunction with Clamav. I have some stats if you're interested. I'd like to see some stats, please. I'd also like to hear some opinions on FP numbers, effectiveness etc. I installed the MSRBL ClamAV signatures yesterday for a trial run, not actually doing anything with the results. It hit less spam than I hoped and had a few FPs. The FPs were all advertising e-mail, but very clearly from my standpoint were opt-in lists that were very easy to opt-out of, and could have been valuable to someone. My guess here is that MSRBL works a lot like SpamCop.net and relies on user submission to determine what is and isn't spam. That approach can't be relied upon for mail rejection. I didn't see anything that it hit on that SA wasn't already catching, so I'm really not convinced it's worth the effort to do. Bret
RE: Newbie needs help with Spam/Spam Assassin
- why doesn't SpamAssassin recognize all these with the same subject/body as spam?

Did you train your bayes database on one or more of these messages to tell it they were spam? It scored BAYES_00, meaning it thinks it's not spam.

- any suggestions/advice?

www.rulesemporium.com. Get the 70_sare_stocks.cf rule set and update it regularly. Bret

- is there anywhere else to seek help? Thanks very much. Brooks

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Fri, 15 Dec 2006 08:44:29 -0500
Received: from rimesrv by server38.tchmachines.com with local-bsmtp (Exim 4.52) id 1GvDMN-0003Is-Pk for [EMAIL PROTECTED]; Fri, 15 Dec 2006 08:44:29 -0500
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on server38.tchmachines.com
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=5.0 tests=BAYES_00,RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL autolearn=no version=3.1.7
Received: from alyon-252-1-24-3.w82-122.abo.wanadoo.fr ([82.122.55.3]) by server38.tchmachines.com with esmtp (Exim 4.52) id 1GvDM6-00031f-5u for [EMAIL PROTECTED]; Fri, 15 Dec 2006 08:44:20 -0500
Received: from 207.188.202.98 (HELO mail.aacr.org) by rimesrv.net with esmtp (2T7,0=-B52 +6)3(N) id 0(,N:Y--5,/4Y-(A for [EMAIL PROTECTED]; Fri, 15 Dec 2006 13:44:16 -0060
From: Jesse Colvin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE:Report
Date: Fri, 15 Dec 2006 13:44:16 -0060
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Thread-Index: Aca6Q7,8A'8X7H6,38/P140)+-,(1==
RE: How to tell why BAYES_00 is hit
I have a bayes question I am hoping someone may be able to answer for me. Since implementing bayes it has been doing a very good job except for one thing. One particular spam email is not getting tagged as spam. My rules are scoring the email high enough to be tagged as spam, but it is also hitting the BAYES_00 rule, which is deducting 4.9 points, thus causing the email to not be tagged as spam. I am very new to bayes so some of my terms may be incorrect. But it would appear that bayes has learned something incorrectly. I am not sure if something got autolearned as ham, etc. But, my question is how do I go about finding out exactly what within bayes is causing this email to be scored as BAYES_00? And more importantly, how do I undo it?

Bayes tokenizes the e-mail, so it's hard to point at exactly what might make it think it's spam. The best way to combat this is to sa-learn --spam the message when it comes in. That way, if it was autolearned as ham, it's reversed. If tokens appeared in several ham messages, then you might have to repeat this a few times before the scores get reversed enough that it hits BAYES_99 instead. Bret
MSRBL
Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it in trial now, but thought I'd ask to see if anyone here had an opinion before doing anything serious with it. TIA, Bret
RE: MSRBL
Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it in trial now, but thought I'd ask to see if anyone here had an opinion before doing anything serious with it.

I ran it here for a few hours with rblsmtpd and it got 0 hits, which also means 0 FPs on a very busy mail server. Didn't do anything for us, but I did add it last in the loop for outright blocking. It's removed now as I don't need the extra lookup.

I'm beginning to think that myself. It's been running all day without a single hit. If it doesn't ever hit anything, why use it? Bret
RE: Breaking up the Bot army - we need a plan
In my above example, SPF did nothing useful. And, my example shows exactly why SPF does not help at all with the spambot problem. If I'm a spambot wrangler, I create a group of throw-away domains, put in SPF records for them that say +all, and then send out my storm of spam. Then I abandon those domains, and create a new batch of them for the next go-round. IMO, SPF is a liability when fighting spambots.

So perhaps SPF should consider removing +all as an option. Realistically, anyone that has to say "my e-mail might come from anywhere" is contributing to the problem and probably deserves to have e-mail bounced. OTOH, I can see where a spammer could easily register a bunch of domains, and then update the SPF records to include the specific spambots that are delivering e-mail from each domain. I'm not sure there IS a solution that works for fighting this. ISPs contribute to the problem by dinging businesses for everything from number of messages relayed, bytes relayed, reverse DNS setup, ... It took me almost 2 months to get all the issues straightened out after we moved and changed ISPs. Everything's an extra cost option. But I have a nice list now, so next time they all get negotiated as included before we sign the contract. Either that, or we find someone else. Then there's the wonderful ISPs that assign static IPs in the middle of dynamic IP blocks. I really hate confirmation-based antispam systems, but I don't really have a better solution to stopping this. If I have to manually approve every person/list I want to send to me, then at least I have control over it. Right now, our server's having trouble keeping up with the load. I honestly don't know how long before I decide it isn't worth the effort to host our own e-mail. Bret
DomainKeys and DKIM for Windows?
Has anyone managed to build DomainKeys or DKIM modules for Windows? I managed to build the OpenSSL libraries OK, but can't get Crypt::OpenSSL::RSA to install, so DomainKeys won't either... Any ideas? Bret
SPF not working with these headers, why?
I should probably submit this to bz, but I thought I'd ask here first in case it's obvious... Why is SPF_PASS not firing on this?

X-Spam-Tests: tests=AWL=-1.710,BAYES_50=0.001,BOTNET=0.5,BOTNET_BADDNS=0.01, BOTNET_NOSPF=3.5,DNS_FROM_RFC_ABUSE=0.2,DNS_FROM_RFC_POST=1.708, FM_WHITEONWHITE=0.45,HTML_50_60=0.134,HTML_MESSAGE=0.001, MIME_HEADER_CTYPE_ONLY=0,MIME_HTML_ONLY=0.001,MSGID_FROM_MTA_ID=1.393, SARE_UNA=1.231;autolearn=no
X-Spam-Score: 7.4
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.hq.wcg.org
X-Spam-Level: +++
X-TFF-CGPSA-Version: 1.6a5
X-WCG-CGPSA-Filter: Scanned
X-SPAM-FLAG: Yes
Return-Path: [EMAIL PROTECTED]
Received: from [65.17.198.50] (HELO 123greetings.info) by mail.wcg.org (CommuniGate Pro SMTP 5.1.3) with SMTP id 19467966 for [EMAIL PROTECTED]; Fri, 08 Dec 2006 08:40:46 -0800
Received-SPF: pass receiver=mail.wcg.org; client-ip=65.17.198.50; [EMAIL PROTECTED]
Content-Type: text/html; charset=US-ASCII
Date: Fri, 8 Dec 2006 11:40:25 -0500
To: [EMAIL PROTECTED]
From: Editor Bob [EMAIL PROTECTED]
X-Mailer: Version 5.0
Subject: Celebrate the Holiday Season
Organization: 123Greetings.info
Message-ID: [EMAIL PROTECTED]
RE: SPF not working with these headers, why?
Bret Miller wrote: I should probably submit this to bz, but I thought I'd ask here first in case it's obvious... Why is SPF_PASS not firing on this?

Run the message through spamassassin -Dspf and find out. Daryl

OK. It says:

[2840] dbg: spf: checking HELO (helo=, ip=65.17.198.50)
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: checking EnvelopeFrom (helo=, ip=65.17.198.50, [EMAIL PROTECTED])
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: def_whitelist_from_spf: [EMAIL PROTECTED] is not in DEF_WHITELIST_FROM_SPF
[2840] dbg: spf: whitelist_from_spf: [EMAIL PROTECTED] is not in user's WHITELIST_FROM_SPF

Which would indicate it's not parsing the Received header correctly, so I guess a bz ticket is in order. Bret
RE: SPF not working with these headers, why?
Bret Miller wrote: I should probably submit this to bz, but I thought I'd ask here first in case it's obvious... Why is SPF_PASS not firing on this?

Run the message through spamassassin -Dspf and find out. Daryl

OK. It says:

[2840] dbg: spf: checking HELO (helo=, ip=65.17.198.50)
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: checking EnvelopeFrom (helo=, ip=65.17.198.50, [EMAIL PROTECTED])
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: def_whitelist_from_spf: [EMAIL PROTECTED] is not in DEF_WHITELIST_FROM_SPF
[2840] dbg: spf: whitelist_from_spf: [EMAIL PROTECTED] is not in user's WHITELIST_FROM_SPF

Which would indicate it's not parsing the Received header correctly, so I guess a bz ticket is in order.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5234
RE: new Botnet plugin version soon
Question 2: someone asked why my module is Botnet instead of Mail::SpamAssassin::Plugin::Botnet. The answer is: when I first started this (and this is/was my first SA plugin authoring attempt), I tried that and it didn't work. If someone wants to look at it, and figure out how to make that work (but still have the files located in /etc/mail/spamassassin) I would happily incorporate it.

Use the loadplugin line to specify the location. For example, I do the following:

loadplugin Mail::SpamAssassin::Plugin::ImageInfo c:/perl/site/etc/mail/spamassassin/ImageInfo.pm

That way you can put the module anywhere and still have it called Mail::SpamAssassin::Plugin::___ Bret
RE: HTML Source Rule
Hello, I was wondering if there is a way to write a rule for HTML source code contained in an email. I am getting many of these Buy This Stock emails and I am finding that the pictures contained in them all have a portion of a line of source that says... src=cid: Thanks in advance for any help anyone may be able to provide. So does every message sent from Outlook that includes an image. I'd suspect that you'd end up rejecting a lot of legitimate e-mail, unless no one that sends you e-mail uses Outlook or Outlook Express... Bret
RE: How to extract the Reverse DNS hostname by script means?
My mailserver is mail.edu.haifa.ac.il. As you can see, there are mail relay servers which are not my responsibility: mr[1-3].haifa.ac.il. I want to make a script that parses the mail headers of FP mails and adds this line to local.cf:

whitelist_from_rcvd [EMAIL PROTECTED] i_mtaout3.012.net.il

My questions are: 1) When I add whitelist_from_rcvd, what should I put into rDNS? Is it i_mtaout3.012.net.il, or maybe it is enough to put 012.net.il or net.il?

It depends on how general you want to be. If i_mtaout3.012.net.il is the only server that sends messages from [EMAIL PROTECTED], then specify that. If other servers in 012.net.il send mail from that address, then use that. It's designed so you can be as specific or general as you need to be.

2) Should I use the first Received: header from the end of the headers, or should rDNS be from the last (upper) header? rDNS always comes after "by", right?

SpamAssassin will be testing the whitelist_from_rcvd against the topmost (final) received header when SA runs, so that's the one you need to look at. There are some obvious problems with this approach. One is that if all your e-mail goes through a relay before it gets to your server, then you can't reliably use whitelist_from_rcvd because you're never receiving the message from the original source server. Bret

Here is an example of one such header on my server:

Return-Path: [EMAIL PROTECTED]
Received: from mail.edu.haifa.ac.il ([unix socket]) by mail.edu.haifa.ac.il (Cyrus v2.2.3) with LMTP; Mon, 06 Nov 2006 09:36:02 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1]) by mail.edu.haifa.ac.il (Postfix) with ESMTP id D3A401C5D9 for [EMAIL PROTECTED]; Mon, 6 Nov 2006 09:36:01 +0200 (IST)
X-Envelope-To: [EMAIL PROTECTED]
X-Envelope-From: [EMAIL PROTECTED]
X-Quarantine-id: spam-a304f1ee2d727e77958ad41abfea67d7-20061106-093601-17026-04
Received: from mr3.haifa.ac.il (mr3.haifa.ac.il [132.74.1.219]) by mail.edu.haifa.ac.il (Postfix) with ESMTP id 827C11B404 for [EMAIL PROTECTED]; Mon, 6 Nov 2006 09:35:57 +0200 (IST)
Received: from localhost (localhost [127.0.0.1]) by mr3.haifa.ac.il (Postfix) with ESMTP id 9A8C014A3B for [EMAIL PROTECTED]; Mon, 6 Nov 2006 09:19:26 +0200 (IST)
X-Virus-Scanned: by amavisd-new at haifa.ac.il
Received: from mr3.haifa.ac.il ([127.0.0.1]) by localhost (mr3.haifa.ac.il [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id zUchdRb-SZp8 for [EMAIL PROTECTED]; Mon, 6 Nov 2006 09:19:26 +0200 (IST)
Received: from mtaout3.012.net.il (mtaout3.012.net.il [84.95.2.7]) by mr3.haifa.ac.il (Postfix) with ESMTP id F395015E59 for [EMAIL PROTECTED]; Mon, 6 Nov 2006 09:19:23 +0200 (IST)
Received: from gilo ([212.199.66.195]) by i_mtaout3.012.net.il (HyperSendmail v2004.12) with SMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Mon, 06 Nov 2006 09:19:23 +0200 (IST)
Date: Mon, 06 Nov 2006 09:19:07 +0200
From: =?windows-1255?B?4uns5A==?= [EMAIL PROTECTED]
Subject: =?windows-1255?B?9+X48SDw6eTl7CDk7ujkIOT56frl9Okg5eT68OXy5A==?=
To: [EMAIL PROTECTED]
Message-id: [EMAIL PROTECTED]
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Content-type: multipart/alternative; boundary=Boundary_(ID_EDc5PKXnKSc3SqwzzGip3w)
X-Priority: 3
X-MSMail-priority: Normal
X-Spam-Status: Yes, hits=8.6 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_10, HTML_60_70, HTML_FONTCOLOR_BLUE, HTML_MESSAGE, RCVD_IN_DSBL, RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_HTTP, RCVD_IN_XBL
X-Spam-Level:

Best Regards, Leon Kolchinsky

-Original Message-
From: Bret Miller [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 10:04 PM
To: users@spamassassin.apache.org
Subject: RE: How to extract the Reverse DNS hostname by script means?

Is there any automatic way (using a script) to extract the Reverse DNS hostname for the host that delivered the message to my network?

The top Received header should contain the server you received the message from. That's the one that needs to go in the whitelist_from_rcvd line. Bret

Because there may be a mail server serving multiple domains, i.e. somedomain.com is served by mailserver.someotherdomain.com, and the line in local.cf would look like this:

whitelist_from_rcvd [EMAIL PROTECTED] mailserver.someotherdomain.com

In case there are multiple Received headers, how could I extract the rDNS automatically? Here is an example of such headers taken from the net:

Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 31 Oct 2006 23:27:03 -0500
Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15]) by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502 for [EMAIL PROTECTED]; Tue, 31 Oct 2006 23:22
RE: How to extract the Reverse DNS hostname by script means?
Is there any automatic way (using a script) to extract the Reverse DNS hostname for the host that delivered the message to my network?

The top Received header should contain the server you received the message from. That's the one that needs to go in the whitelist_from_rcvd line. Bret

Because there may be a mail server serving multiple domains, i.e. somedomain.com is served by mailserver.someotherdomain.com, and the line in local.cf would look like this:

whitelist_from_rcvd [EMAIL PROTECTED] mailserver.someotherdomain.com

In case there are multiple Received headers, how could I extract the rDNS automatically? Here is an example of such headers taken from the net:

Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 31 Oct 2006 23:27:03 -0500
Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15]) by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502 for [EMAIL PROTECTED]; Tue, 31 Oct 2006 23:22:03 -0500
Received: from localhost (localhost [127.0.0.1]) by harbor.x-cart.com (Postfix) with ESMTP id 32CA4FC2B4 for [EMAIL PROTECTED]; Tue, 31 Oct 2006 20:18:36 -0800 (PST)
Received: from harbor.x-cart.com ([127.0.0.1]) by localhost (harbor.x-cart.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FJP1WignZXnm for [EMAIL PROTECTED]; Tue, 31 Oct 2006 20:18:34 -0800 (PST)
Received: from gw-red.crtdev.local (mail.crtdev.local [192.168.10.1]) by harbor.x-cart.com (Postfix) with ESMTP id 1EE32FC2B2 for [EMAIL PROTECTED]; Tue, 31 Oct 2006 20:18:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by gw-red.crtdev.local (Postfix) with ESMTP id 0C9B8112EC3C; Wed, 1 Nov 2006 07:18:33 +0300 (MSK)
Received: from gw-red.crtdev.local ([127.0.0.1]) by localhost (mail.crtdev.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Iqw-2Ddq46oC; Wed, 1 Nov 2006 07:18:32 +0300 (MSK)
Received: from gw-green.crtdev.local (green-red-fiber.crtdev.local [192.168.99.13]) by gw-red.crtdev.local (Postfix) with ESMTP id DC976112EC2B for [EMAIL PROTECTED]; Wed, 1 Nov 2006 07:18:32 +0300 (MSK)
Received: from sauron.crtdev.local (sauron.crtdev.local [192.168.12.10]) by gw-green.crtdev.local (Postfix) with ESMTP id C1738244C21 for [EMAIL PROTECTED]; Wed, 1 Nov 2006 07:18:32 +0300 (MSK)
Received: from sauron.crtdev.local (localhost [127.0.0.1]) by sauron.crtdev.local (8.13.8/8.13.8) with ESMTP id kA14IFAa080272 for [EMAIL PROTECTED]; Wed, 1 Nov 2006 07:18:15 +0300 (MSK) (envelope-from [EMAIL PROTECTED])
Received: (from [EMAIL PROTECTED]) by sauron.crtdev.local (8.13.8/8.13.8/Submit) id kA14IEv1080271; Wed, 1 Nov 2006 07:18:14 +0300 (MSK) (envelope-from www)
Date: Wed, 1 Nov 2006 07:18:14 +0300 (MSK)
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Valentine Kaverin has posted a new message for you.
From: Qualiteam HelpDesk system [EMAIL PROTECTED]
Content-Type: text/plain;charset=iso-8859-1;
X-Signature-Check-Ignore: Yes
X-Virus-Scanned: ClamAV 0.88.5/2136/Tue Oct 31 22:06:48 2006 on gandalf.ctdx.net
X-Virus-Scanned: amavisd-new at x-cart.com
X-Virus-System: ClamAV 0.88.5/2136/Tue Oct 31 19:06:48 2006
X-Virus-Status: Clean
X-Spam-Status: No, score=3.0 required=5.0 tests=AWL,BAYES_00,BIZ_TLD, SPF_SOFTFAIL,URI_NO_WWW_BIZ_CGI autolearn=no version=3.1.3
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on gandalf.ctdx.net
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 01 Nov 2006 04:27:03.0500 (UTC) FILETIME=[FB3D50C0:01C6FD6D]
RE: BIG increase in spam today
On Thursday, 2 November 2006 16:04, Amos wrote: (...) Actually, it's getting to the extent that some at work are raising questions as to whether our SA setup will be able to maintain adequate protection from this growing onslaught. Amos

Only AFTER adequate initial RBL filtering. Spamhaus does a great job here.

It's not doing as great as it used to here. The amount of spam that SA is processing is about 4X what it was in January. If this keeps up, we'll have to look at other possible options, maybe more RBLs? Bret
RE: CGPSA
I am using CGPro as mail server, and I need some help and advice. I am planning to implement CGPSA on our ingate servers and am not quite sure if it is a good idea. We receive almost 7000 emails per hour and I don't know if SpamAssassin is going to miss anything. Another question: for the amount of emails mentioned above, am I supposed to configure CGPSA in HEADERS or FULL mode? Any help in that regard will be appreciated.

That's a fairly high volume, but assuming you've set it up to handle that load, it shouldn't be a problem either way. If you're using network tests, you'll probably need local copies of any DNSBL and URIBL zones so there isn't a delay in querying external servers for it.

As for headers only vs full mode, there are pros and cons of each. We run in headers-only mode here. Global configuration for everyone, every message gets scanned and tagged. There's a bug in the add-header routine in CGPSA that will try to add more header information to a message than CGPro will allow. I've submitted a code fix for that problem for the next version.

In full mode, each domain and user can have individual settings. This can be helpful if you have users who are interested in changing scores, whitelisting people or whatever. Our users just want us to stop the spam without any effort on their part. Full mode requires PWD/CLI access to the server so it can check recipients. By default, only recipients with local accounts are scanned, not forwarders, lists, groups, or any other non-user account recipient. Even so, I think the majority of installations use this mode. I do believe there are some high-volume installations. You might have better luck with feedback if you posted on the CGPSA discussion list instead.

HTH, Bret
RE: sa-update versus rulesdujour questions
Theo Van Dinter wrote: FWIW, it happens to be the official tool since no one ever submitted RDJ to be the official tool, so we had to write our own.

I would have offered, had I known there was any interest. Chris T.

I'm glad it isn't the official tool since it doesn't run natively on Windows. sa-update does.

Bret
RE: Change rule score
I would like to change the scores on the following. Could you tell me what file they are located in or how to modify the score? Thank you

HOST_EQ_DSL
HOST_EQ_DSL_
HOST_EQ_D_D_D_D
HOST_EQ_PACBELL_DSL
HOST_MISMATCH_NET

I am running Redhat enterprise 4 with SpamAssassin 3.1.4 with the latest MailScanner

Assuming the rules load before your local.cf, you could include score lines for each rule there. If they're additional rules you've added, maybe create a zz_scores.cf and add the score lines there for the rules. The zz_ prefix should get that cf to load last. See the documentation for syntax on setting scores...

Bret
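The reply's advice rests on load order: within one configuration directory SpamAssassin reads the .cf files in sorted (alphabetical) name order, and a later "score RULE n" line for the same rule overrides an earlier one, which is why a zz_scores.cf sorts after everything else and wins. The following is an added example, not code from the list post or from SpamAssassin itself; it resolves which file last set each rule's score, which file defined the rule, and which scored rules were never defined at all (a quick way to spot a typo such as a stray trailing underscore in a rule name). The file contents are constructed.

```python
"""Resolve the effective score of a SpamAssassin rule across several .cf files.

Added example, not code from the list post or from SpamAssassin. Models the
load order the reply relies on: files in a configuration directory are read in
sorted name order, and a later ``score`` line for a rule overrides an earlier
one, so a file named zz_scores.cf sorts last. The file contents are constructed.
"""
import re
from typing import Dict, Set, Tuple

# "score RULE n" with up to four values (for the net-test / bayes on-off combinations)
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)(?:\s+-?\d+(?:\.\d+)?){0,3}\s*$")
# rule definitions: "header RULE ...", "body RULE ...", "meta RULE ...", etc.
DEFINE_RE = re.compile(r"^\s*(?:header|body|rawbody|uri|full|meta)\s+(\S+)")


def parse_cf(text: str) -> Tuple[Dict[str, float], Set[str]]:
    """Return (scores set in this file, rule names defined in this file)."""
    scores: Dict[str, float] = {}
    defined: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))  # first value is the default score
            continue
        m = DEFINE_RE.match(line)
        if m:
            defined.add(m.group(1))
    return scores, defined


def effective_scores(files: Dict[str, str]) -> Tuple[Dict[str, Tuple[float, str]], Dict[str, str]]:
    """Apply the files in sorted (load) order.

    Returns (rule -> (effective score, file that last set it),
             rule -> file that first defined it).
    """
    effective: Dict[str, Tuple[float, str]] = {}
    defined_in: Dict[str, str] = {}
    for name in sorted(files):
        scores, defined = parse_cf(files[name])
        for rule in defined:
            defined_in.setdefault(rule, name)
        for rule, value in scores.items():
            effective[rule] = (value, name)  # later file wins
    return effective, defined_in


def scored_but_undefined(files: Dict[str, str]) -> Set[str]:
    """Rules with a score line but no definition in these files: either a typo in
    the rule name or a rule living in a directory not included here."""
    effective, defined_in = effective_scores(files)
    return {rule for rule in effective if rule not in defined_in}


# Constructed sample: a rule file sorting before local.cf, local.cf itself, and the zz_ file.
SAMPLE_FILES = {
    "20_dsl.cf": "header HOST_EQ_DSL X-Host =~ /dsl/i\nscore HOST_EQ_DSL 2.0\n",
    "local.cf": "# site overrides\nscore HOST_EQ_DSL 1.0\n",
    "zz_scores.cf": "score HOST_EQ_DSL 0.5\nscore HOST_MISMATCH_NET 0.1\n",
}

if __name__ == "__main__":
    eff, defs = effective_scores(SAMPLE_FILES)
    for rule, (value, src) in sorted(eff.items()):
        print(f"{rule:20} {value:5.1f}  set in {src}, defined in {defs.get(rule, '<nowhere>')}")
    print("scored but never defined:", scored_but_undefined(SAMPLE_FILES))
```

Run against a real site directory, the same functions show the failure mode the reply warns about: a score placed in local.cf for a rule whose file sorts after local.cf is silently replaced by that file's own score line.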
RE: double letter porn
I've been getting lots of porn site spam containing words with doubled letters, like this one:

Orrgy pornn parrties! Lotts of sttupid bitchees gangbangged by queue of guyss. annal_nailing and cum__swallowing orgiees. archiive of group_ssex materiall! http://www.teens229mx.com/?lcajuryrpdbejn

Most of these hit razor2, and www.teens???mx.com sooner-or-later show up on the SURBL and URIBL lists, but nothing seems to catch the misspelled words. Can anybody suggest a rule or ruleset to catch these double-letter obfuscations? I'm using Spamassassin 3.1.4.

Network tests... That hit URIBL_Black and the SURBL JP and OB tests. I'm sure a rule *could* be written, but those are common double-letter combinations, so it would be a bit more difficult than it seems.

Bret
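The difficulty the reply points to is that "tt", "rr" and "ss" occur in plenty of legitimate words, so a bare doubled-letter regex would fire on ham. One way round that is to flag a word only when it is not itself a known word but becomes one once a doubled letter is collapsed ("Lotts" to "lots", "sttupid" to "stupid"). The following is an added example of that heuristic, not a rule from the list or from SpamAssassin; KNOWN_WORDS is a tiny constructed stand-in for a real dictionary, and the sample lines are constructed rather than the spam quoted above.

```python
"""Detect doubled-letter obfuscation ("Lotts", "sttupid") without flagging ordinary
doubled letters ("letters", "committee").

Added example, not a rule from the list post. Heuristic: a word is flagged only
if it is NOT a known word, contains a doubled letter, and dropping one letter of
some doubled pair yields a known word. KNOWN_WORDS is a constructed stand-in for
a real dictionary; the sample texts are constructed too.
"""
import re
from typing import Iterator, List, Set

KNOWN_WORDS: Set[str] = {
    "lots", "of", "stupid", "offers", "great", "prices", "on", "pills", "tablets",
    "and", "watches", "parties", "free", "we", "will", "discuss", "the",
    "committee", "letters", "tomorrow", "at", "noon",
}
DOUBLE_RE = re.compile(r"([a-z])\1")  # any doubled letter
WORD_RE = re.compile(r"[a-z]+")


def undoubled_variants(word: str) -> Iterator[str]:
    """Yield the words formed by dropping one letter from each doubled pair."""
    for m in DOUBLE_RE.finditer(word):
        yield word[: m.start()] + word[m.start() + 1 :]


def obfuscated_words(text: str, known: Set[str] = KNOWN_WORDS) -> List[str]:
    """Words that look like a known word with one letter artificially doubled."""
    hits = []
    for word in WORD_RE.findall(text.lower()):
        if word in known or not DOUBLE_RE.search(word):
            continue  # a real word, or nothing doubled to undo
        if any(variant in known for variant in undoubled_variants(word)):
            hits.append(word)
    return hits


def obfuscation_score(text: str, per_word: float = 0.5, cap: float = 2.0) -> float:
    """Score contribution: a small amount per hit, capped so one rule cannot
    push a message over the threshold on its own."""
    return min(cap, per_word * len(obfuscated_words(text)))


# Constructed samples (not the message quoted in the post).
SPAM_SAMPLE = "Lotts of sttupid offerrs! Greatt prices on pillls, tabblets and watcches."
HAM_SAMPLE = "We will discuss the committee letters tomorrow at noon."

if __name__ == "__main__":
    for label, text in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, obfuscation_score(text), obfuscated_words(text))
```

With a real word list the unknown-word check is what keeps false positives down: "happy" or "committee" are never touched, and a word that is simply unknown in both forms is ignored rather than scored.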
RE: Stock spam in images
...omitted...

How about the FuzzyOCR plugin? That has been discussed quite a bit here recently. http://wiki.apache.org/spamassassin/FuzzyOcrPlugin -- Bowie

And, by the way, it seems to work! Actually, the only limit I see is the own-made FuzzyOcr.words (and, maybe, the fact that script text may probably go undetected). Wouldn't it be better to inject the detected text back into SA? There should be enough variants of spam words to let SA fuzzily catch the ones from images. Am I wrong?

Probably not... Just wish there was a compiled version for Windows... ImageInfo also works well for the image spam. Check www.rulesemporium.com for that. ImageInfo is also less CPU overhead...

Bret
RE: update rules
I just installed a new version of SpamAssassin. What do I need to do, so it learns everything?

You may wish to run sa-update:

Or install additional add-on rules: http://wiki.apache.org/spamassassin/CustomRulesets

Or run sa-learn against a recent set of ham (non-spam) and spam messages. The bayes engine, if enabled, requires a minimum of 200 each of ham and spam before it begins to function on incoming e-mail.

Or if you run network tests, you may wish to look at www.uribl.com for additional tests you can add.

I could go on, but this would be a good start. Then it's just a matter of watching to see what's getting through the filter and finding some rules to stop those messages.

Bret
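The 200-ham / 200-spam minimum mentioned in the reply is easy to check on a running system: sa-learn --dump magic prints the database's "non-token data" counters (nspam, nham, ntokens and timestamps), with the value in the third column. The following is an added example, not code from the post or from SpamAssassin, that parses that output and reports how far a database is from the minimum (SpamAssassin's bayes_min_spam_num and bayes_min_ham_num settings, which default to 200 each). The dump text is constructed sample output, not a real database.

```python
"""Check whether a SpamAssassin Bayes database has enough training to be active.

Added example, not code from the post or from SpamAssassin. Parses the
"non-token data" lines printed by ``sa-learn --dump magic`` (the value sits in
the third column) and compares nspam/nham with the 200-each minimum the reply
describes (the bayes_min_spam_num / bayes_min_ham_num defaults). SAMPLE_DUMP is
constructed output, not a real database.
"""
import re
from typing import Dict, Tuple

# e.g. "0.000          0        250          0  non-token data: nspam"
MAGIC_RE = re.compile(r"^\s*\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data:\s*(.+?)\s*$")


def parse_magic(dump: str) -> Dict[str, int]:
    """Map each non-token field name (nspam, nham, ntokens, ...) to its integer value."""
    info: Dict[str, int] = {}
    for line in dump.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            info[m.group(2)] = int(m.group(1))
    return info


def bayes_readiness(dump: str, min_spam: int = 200, min_ham: int = 200) -> Tuple[int, int, Dict[str, int]]:
    """Return (nspam, nham, shortfall).

    shortfall says how many more spam/ham messages must be learned before
    Bayes starts scoring; it is empty when the database is ready.
    """
    info = parse_magic(dump)
    nspam, nham = info.get("nspam", 0), info.get("nham", 0)
    shortfall: Dict[str, int] = {}
    if nspam < min_spam:
        shortfall["spam"] = min_spam - nspam
    if nham < min_ham:
        shortfall["ham"] = min_ham - nham
    return nspam, nham, shortfall


# Constructed sample of `sa-learn --dump magic` output: enough spam, not enough ham.
SAMPLE_DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0        250          0  non-token data: nspam
0.000          0        150          0  non-token data: nham
0.000          0      31872          0  non-token data: ntokens
0.000          0 1162345678          0  non-token data: oldest atime
0.000          0 1162400000          0  non-token data: newest atime
"""

if __name__ == "__main__":
    nspam, nham, short = bayes_readiness(SAMPLE_DUMP)
    print(f"nspam={nspam} nham={nham}")
    if short:
        print("Bayes not active yet; still needed:", short)
    else:
        print("Bayes has enough training to score messages")
```

A database that is "active" by these counts can still be badly skewed (thousands of spam against barely 200 ham), so the two counts are worth reading side by side rather than only against the minimum.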
RE: no tokens ? How can that be ?
I came across a situation that seems non-intuitive. Two emails this a.m. were spam, but hit BAYES_00. So they were (presumably) learned as Ham somewhere along the way.

Not a valid presumption. The tokens may have been learned as ham from other messages, but there is no implication that this particular message was learned as ham.

So far so good... Doing ' sa-learn -forget ./message.txt ' gets me:

Forgot tokens 0 from message(s) (1 message(s) examined)

What kind of situation can cause this? I was under the impression that Bayes_00 meant it was explicitly learned as spam, so there must be related tokens.

So this particular message hadn't been learned at all. How about learning it as spam instead?

Bret
RE: bayes sync is hogging cpu
Me again. Since I'm not getting any responses I'd better keep posting more information, as I've done some more investigating today. Sometimes when I run sa-learn --force-expire I get this response almost immediately:

Bus error (core dumped)

When I run it again the process just hogs until I break it after about 15 minutes.

I used to have problems with bayes locking and journaling. When it finally corrupted the database, I decided it was time to put it into a real SQL database instead of using DB_File. Haven't had a single problem with bayes CPU or locking since. Maybe it's time you consider using MySQL?

Bret
RE: bayes sync is hogging cpu
I used to have problems with bayes locking and journaling. When it finally corrupted the database, I decided it was time to put it into a real SQL database instead of using DB_File. Haven't had a single problem with bayes CPU or locking since. Maybe it's time you consider using MySQL? Bret

Well, if it solves the problem I'm ready to try almost anything. :) The way you put your words tells me that the problem IS a corrupt database. Can we be certain? And is there any way to fix it until I can get MySQL up 'n running?

If the database is corrupted, it should say so. In my case, it wouldn't expire, learn, sync, or use the db_file database because it ended up corrupted somehow. I could have restored it from backup, but chose to simply delete it and start over with SQL.

I don't know for sure that this will solve your problem. Bayes still has to tokenize the message, so there is a certain amount of CPU-intensive operations that must happen. Overall, it just seems a lot more stable using a SQL database. I'm using MSSQL here because I have it and it works. Haven't had a single bayes-related problem since switching to SQL. Used to have them very often, sometimes daily.

Are you sure you have enough RAM to handle the number of threads you are running?

Bret
RE: Installation Errors
I have SA 3.1.5 installed on Windows Server 2003, but I'm running ActivePerl 5.8.8.817. Guess it's time to check for 819... May I have the "perl makefile.pl" output, please?

Bret [EMAIL PROTECTED]

From: Thomas Meier [mailto:[EMAIL PROTECTED]

Having trouble installing Spam Assassin 3.1.5 (and the same error with 3.1.1) on a stock standard Windows Server 2003. It also has build 819 of Perl installed on it. Has anyone else had this error and managed to get around it? I've installed all needed packages via the new PPM GUI and verified all the packages. The path definitely has C:/perl/bin in it and the server was restarted after each attempt to install it again. However, every time, after a successful Perl MAKEFILE.PL command I try and run the NMAKE command it fails. Here is the error message received in the prompt:

C:\Mail-SpamAssassin-3.1.5>NMAKE
Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.
NMAKE : fatal error U1064: MAKEFILE not found and no target specified
Stop.

C:\Mail-SpamAssassin-3.1.5>NMAKE INSTALL
Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.
INSTALL(1) : fatal error U1034: syntax error : separator missing
Stop.

C:\Mail-SpamAssassin-3.1.5>path
PATH=C:\Perl\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\BINN

C:\Mail-SpamAssassin-3.1.5>

Any ideas?? I'm stumped! If you require any further info or the complete Makefile.pl printout also please just ask.
RE: Getting Spamassasin to work.
First, thanks to all that sent me help to get a test message to work. I was able to successfully get SA to trigger. It appears that SA is only currently working on my local mail accounts and not the alias/forward emails. So what I have is a hosting provider which hosts my domain, where I set up alias emails for myself and others which then forward the emails on to their local ISP providers' email accounts. So is SA not going to work for me? Or is there an option that I need to talk to my hosting provider about to get it to work on forwarders?

Whether SpamAssassin runs for a message is probably based on the MTA rules. Some providers screen only local accounts, while others screen everything. The difficulty may come in which MTA and SA integration method. I'll give you an example: If you're running CommuniGate Pro as the MTA and using CGPSA, one of the two main integration apps for CommuniGate Pro, you basically can't scan forwarders if you enable user or domain-based settings. The reason for this is that the destination address is resolved prior to scanning the message. So you'd have to apply global settings to messages that weren't destined for local accounts since they resolve to external domains like AOL, HotMail, Yahoo, or whatever. In addition to that there are probably other customers whose addresses would resolve to those domains, so they can't simply allow you to determine what gets scanned and which rules are applied since it would affect others. I'm sure something could be done to implement per-user settings based on the hosted address, but it would require programming changes to CGPSA.

So, I don't know which MTA or integration app your provider runs. But this would be something that you'd have to discuss with them.

HTH, Bret
RE: gs as a plugin requirement?
A poll for the list: do you consider it reasonable for a plugin to require ghostscript? (Assume for the sake of argument that rendering postscript is necessary to the analysis the plugin is performing.)

I don't see how it's any more of a problem than requiring gocr... Actually, probably better than that because windows executables already exist for ghostscript and they don't for gocr.

Bret