Rule FH_RANDOM_SURE causing FPs

2014-01-16 Thread Brian Bebeau
We're having a problem with the FH_RANDOM_SURE rule causing false positives.
It has a subrule __ALL_RANDOM, which is:

header   __ALL_RANDOM   ALL =~ /(?:[%\#\[\$]R?A?NDO?M?|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))/i

We have a user ndrier, so legitimate email sometimes has a header that starts 
like:

References: CEFAE1FA.101C2%ndrier@

which matches the rule, since it contains %nd. It looks like it's trying to
find %random, but only nd is required to be there.  Could the score be
way lowered or the rule made more restrictive?


Brian Bebeau
Email Security Researcher, Spiderlabs
t: +1.513.885.7074

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com




This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.
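To see exactly why the subrule fires on a harmless Message-ID, here is a small added example (not SpamAssassin's code and not part of the post) that runs the quoted __ALL_RANDOM regex over two constructed header lines and, beside it, a hypothetical tightened variant that simply insists on the leading "R" of RANDOM/RND. The tightened pattern and the sample headers are this example's own assumptions.

```python
import re

# The __ALL_RANDOM subrule body quoted in the post above; SpamAssassin's /i flag
# becomes re.IGNORECASE.  In R?A?NDO?M? only the letters "ND" are required after
# the sigil, which is why "%nd" inside "...%ndrier@" is a hit.
ALL_RANDOM = re.compile(
    r"(?:[%\#\[\$]R?A?NDO?M?|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))",
    re.IGNORECASE,
)

# Hypothetical tightened variant (an assumption of this example, not a change
# shipped by SpamAssassin): require the leading "R", so the sigil must be followed
# by at least "RND".  Unexpanded mail-merge macros such as %RANDOM, %RAND, %RND and
# %RNDM still match; a bare "%nd" no longer does.
TIGHTER_RANDOM = re.compile(
    r"(?:[%\#\[\$]RA?NDO?M?|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))",
    re.IGNORECASE,
)

# Constructed sample headers (not real mail): a ham References header of the shape
# described in the post, and a spam-style Subject with unexpanded macros.
SAMPLES = {
    "ham_references": "References: <CEFAE1FA.101C2%ndrier@example.com>",
    "spam_macros": "Subject: Hello %RANDOM, your account %RND needs attention",
}


def hits(pattern, header):
    """Every substring of `header` on which the rule regex fires, in order."""
    return [m.group(0) for m in pattern.finditer(header)]


def compare(header):
    """(hits of the shipped regex, hits of the tightened regex) for one header line."""
    return hits(ALL_RANDOM, header), hits(TIGHTER_RANDOM, header)


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        shipped, tightened = compare(header)
        print("%s: shipped=%r tightened=%r" % (name, shipped, tightened))
```

Until the rule is changed upstream, the local workaround is the usual one: set `score FH_RANDOM_SURE 0` (or a small value) in local.cf.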


Ham hitting too generic rule

2012-02-07 Thread Brian Bebeau
We have a customer who is a legitimate non-spamming investment advisor. Their 
outbound disclaimer has the phrase investment advice which hits the rule 
INVESTMENT_ADVICE in 20_phrases.cf. We can certainly zero out the score in 
local.cf, but it seems to me this is a pretty generic phrase, and it has an 
awfully high score (2.199). I can well imagine people getting mail from their 
stock broker or the like with this phrase in it somewhere. Any chance the score 
can at least be reduced?

--
Brian Bebeau
Security Researcher - Spiderlabs Research
Trustwave
bbeb...@trustwave.com
www.trustwave.com





RE: Adding a blacklist via sa-update - would you mind?

2011-12-05 Thread Brian Bebeau

 On Thu, 2011-12-01 at 12:58 -0500, dar...@chaosreigns.com wrote:
 Since you keep stressing the one, 1, single DNS query per message, I
 cannot help but nit-pick -- please do have a look at the rules you're
 talking about. Or maybe, just re-read your own comment 1 on bug 6400.
 It's not a single query.

 Yup, sorry.  I made the mistake of assuming the mailspike instructions would 
 include everything, but turns out it's just the blacklist:
 http://mailspike.org/usage.html
 Only part I care about is the blacklist.

I would object to automatically including this. We process over a million 
emails a day. The usage page is not too clear if they would mind this load for 
just the blacklist, but I suspect not. In order to turn it off, I'd have to 
edit local.cf, make a new package, and get IT to schedule a deployment for it 
to a large number of scanners. If this went through, we'd need a good amount 
of notice to put that in place.

--
Brian Bebeau
Security Researcher
Spiderlabs Research
Trustwave
bbeb...@trustwave.com







RE: FuzzyOCR

2011-07-06 Thread Brian Bebeau
 after an apt-get upgrade FuzzyOCR has stopped working. I get the
 following error in the log:

 FuzzyOCR: 2011-06-22 17:00:38 [3057] /usr/bin/jpegtopnm: Returned
 [2048], skipping...

I had this problem too, after upgrading SA to 3.3.x and FuzzyOCR to 3.6.0.
Upgrading netpbm fixed it for me.

 System is a Debian Squeeze Running Spamassassin 3.3.1 and FuzzyOCR
 3.6.0

 Any idea?






RE: Writing an MTA

2010-07-27 Thread Brian Bebeau
Look in the source directory for spamc. Use the libspamc API. That’s what I do. 
It’s pretty simple.

From: Christopher Dobbs [mailto:crdo...@lybredyne.net]
Sent: Sunday, July 25, 2010 12:39 PM
To: users@spamassassin.apache.org
Subject: Writing an MTA

I am writing an MTA that uses mysql as a backend for storage.
I want to integrate spamassassin into my mta.

Is there some C code that I can look at to understand how to do this?




RE: which SA database to use

2010-01-08 Thread Brian Bebeau
 

 I have qmail running with the
 
  :allow,QMAILQUEUE=/usr/bin/qmail-spamc
 
 in /etc/tcp.smtp
 
 I have some hams/spams that I want to run sa-learn against, but I
 can't figure out which database it is qmail filters through. Is it the
 db of the user spamd, root or some qmail user account?
 Anyone running qmail with SA that could provide me with some insight
 that would be great.

If you're using the QMAILQUEUE env var, you're generally overriding the 
qmail-queue program, which usually is owned by user qmailq. You can check
who owns /var/qmail/bin/qmail-queue (or wherever qmail-queue is) to see.



Telling spamd to give up

2007-11-29 Thread Brian Bebeau

We're using SpamAssassin in our own filter. We call spamd
via the libspamc calls (specifically message_filter() to
do the real work). Everything works fine. Now I need to
figure out how to do large messages (> 1M). I set the
timeout in the struct message struct and it times out
just fine and I can go on and do other things. However,
the spamd process keeps on processing the message, chewing
up CPU and, especially, memory. I can see the timeout happen,
as the log file gets:

Nov 29 16:10:34 developer spamd[1803]: (child processing timeout at /usr/bin/spamd line 1246, <GEN5> line 154408.

10 minutes after it's started, but it still is processing the
message since it continues printing out rules that hit. Is
there some way I can tell spamd that I'm going away now and
it should stop processing the message? If I let it go, it
will eventually lock up my entire computer, not letting me
even move the mouse. Needless to say, that won't fly for
production use. So I could really use some way to tell it
to give up. If the only way is to not scan messages over a
certain size, I guess I'll have to live with that, but I
need to be able to tell TPTB that that's how it has to be.

--
Brian Bebeau
Trustwave
http://www.trustwave.com
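The two posts above (the "Writing an MTA" answer pointing at libspamc, and the large-message timeout problem) are both about the same exchange: libspamc frames the message in spamd's line-oriented protocol, sends it over a socket, and applies two client-side guards, a size cap (max_len) and a timeout. The following added example (written for this page, not libspamc's code or anything from the original posts) does the same from Python with a pluggable transport, so the framing and the guards can be exercised offline against constructed replies. The sample message, the canned replies and the `canned_transport` helper are this example's own constructions; the default port 783 is spamd's.

```python
import re
import socket

SPAMC_PROTOCOL = "1.5"
COMMANDS = ("CHECK", "SYMBOLS", "REPORT", "PROCESS", "HEADERS")

_STATUS_LINE = re.compile(rb"^SPAMD/(\d+\.\d+) (\d+) (\S+)$")
_SPAM_LINE = re.compile(
    rb"^Spam: (True|False|Yes|No) ; (-?\d+(?:\.\d+)?) / (-?\d+(?:\.\d+)?)$",
    re.IGNORECASE,
)


def build_request(command, message, user=None):
    """Frame one spamd request: request line, Content-length (and optional User)
    headers, a blank line, then the raw message bytes."""
    if command not in COMMANDS:
        raise ValueError("unsupported spamd command: %s" % command)
    head = "%s SPAMC/%s\r\nContent-length: %d\r\n" % (command, SPAMC_PROTOCOL, len(message))
    if user:
        head += "User: %s\r\n" % user
    return head.encode("ascii") + b"\r\n" + message


def parse_response(data):
    """Parse spamd's reply: exit code, status word, verdict line, and any body
    (the rewritten message for PROCESS, the symbol list for SYMBOLS, ...)."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated spamd response: no end of headers")
    lines = head.split(b"\r\n")
    m = _STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("bad spamd status line: %r" % lines[0])
    result = {"code": int(m.group(2)), "status": m.group(3).decode("ascii"),
              "is_spam": None, "score": None, "threshold": None, "body": body}
    for line in lines[1:]:
        s = _SPAM_LINE.match(line)
        if s:
            result["is_spam"] = s.group(1).lower() in (b"true", b"yes")
            result["score"] = float(s.group(2))
            result["threshold"] = float(s.group(3))
    return result


def scan(message, transport, command="CHECK", user=None, max_len=500 * 1024, timeout=30.0):
    """Submit one message with the two guards libspamc's struct message exposes as
    max_len and timeout: an oversized message is passed through unscanned, and a
    reply that does not arrive in time means 'give up', not 'spam'."""
    if len(message) > max_len:
        return {"skipped": True, "reason": "message larger than max_len=%d" % max_len}
    try:
        raw = transport(build_request(command, message, user), timeout)
    except (socket.timeout, TimeoutError):
        return {"skipped": True, "reason": "no reply from spamd within %.0fs" % timeout}
    result = parse_response(raw)
    result["skipped"] = False
    return result


def tcp_transport(host="127.0.0.1", port=783):
    """Real transport: one TCP connection per message, every socket call bounded by
    the timeout passed in from scan()."""
    def send_and_receive(request, timeout):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            sock.shutdown(socket.SHUT_WR)  # half-close once the request is out, as libspamc does
            chunks = []
            while True:
                chunk = sock.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks)
    return send_and_receive


def canned_transport(reply):
    """Offline stand-in for tcp_transport that returns a fixed, constructed reply."""
    def send_and_receive(request, timeout):
        return reply
    return send_and_receive


# Constructed sample message and replies (not captured from a real spamd).
SAMPLE_MESSAGE = b"From: a@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
SPAM_REPLY = b"SPAMD/1.1 0 EX_OK\r\nSpam: True ; 15.2 / 5.0\r\n\r\n"
HAM_REPLY = b"SPAMD/1.1 0 EX_OK\r\nSpam: False ; 0.3 / 5.0\r\n\r\n"

if __name__ == "__main__":
    for reply in (SPAM_REPLY, HAM_REPLY):
        print(scan(SAMPLE_MESSAGE, canned_transport(reply), user="ndrier"))
    # A message over the cap is never sent, which is the only client-side way to
    # keep spamd from chewing on it after the caller has given up.
    print(scan(b"x" * (2 * 1024 * 1024), canned_transport(SPAM_REPLY), max_len=1024 * 1024))
```

Note what the timeout guard does and does not do: it bounds how long the caller waits, exactly like the timeout field in libspamc's struct message, but it cannot make spamd abandon a scan it has already started. The size cap applied before sending is the guard that actually prevents the runaway scan.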