RE: Testing meta rule

2005-12-20 Thread Casey King
Because I was too narrow-minded to think about doing that...but thanks
for info.  I think that will be much better than the rule I created.

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 20, 2005 11:06 AM
To: 'SpamAssassin Users'
Subject: Re: Testing meta rule


On Tue, Dec 20, 2005 at 11:00:18AM -0600, Casey King wrote:
> have created two rules, and I want to make sure all geocities emails 
> are tagged as spam, while at the same time, allowing SA users messages
> to be allowed without spam tagging.

Why not just whitelist, or even better skip processing for, mails that
come from users@spamassassin.apache.org ?

-- 
Randomly Generated Tagline:
Act now and get a free gift with that tagline!



Testing meta rule

2005-12-20 Thread Casey King
I am requesting someone to please send me an email from the SA users list with a normal geocities conversation in the body of the message.  I have created two rules, and I want to make sure all geocities emails are tagged as spam, while at the same time, allowing SA users messages to be allowed without spam tagging.

Thanks


Casey





Recurring abuser

2005-12-01 Thread Casey King
My MailScanner boxes are still getting drilled with the Sober.Virus and spam (none which have made it through) from a single IP address.  I did a lookup on dnsstuff.com for the address {66.243.13.178} but made no headway on what to do about this.  What steps do I need to do in order to get this to stop?  I haven't seen a degradation in mail processing, but seeing over 150 Sober infected emails, and countless spam each day is a bit annoying.




RE: Blacklist-uri.cf problem

2005-12-01 Thread Casey King
...and I thank you for helping me, b/c I couldn't figure it out...I can
admit that I am not too bright.  I hope you didn't feel I was being
spiteful...no reason for that...maybe all of the other events of the day
here at work are starting to get to me a little.  Sorry if I came off a
bit jaded.

-Original Message-
From: John Narron [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 01, 2005 11:29 AM
To: 'Casey King'; users@spamassassin.apache.org
Subject: RE: Blacklist-uri.cf problem



Dunno, I don't maintain it, just providing a workaround until it can be
properly fixed by the maintainer :)

John Narron| "Sacrifice, they always say
Network Administration |  Is a sign of nobility
CDS/CDSinet, LLC   |  But where does one draw the line
http://www.cdsinet.net |  In the face of injury?"
(660) 886 4045 | - Queensryche  

> -----Original Message-
> From: Casey King [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 01, 2005 11:24 AM
> To: [EMAIL PROTECTED]; users@spamassassin.apache.org
> Subject: RE: Blacklist-uri.cf problem
> 
> I will definitely do this, but what happens when the update comes in 
> tomorrow...will this be fixed by then?
> 




RE: Blacklist-uri.cf problem

2005-12-01 Thread Casey King
I will definitely do this, but what happens when the update comes in
tomorrow...will this be fixed by then?

-Original Message-
From: John Narron [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 01, 2005 11:15 AM
To: 'Casey King'; users@spamassassin.apache.org
Subject: RE: Blacklist-uri.cf problem


 
 
In sa-blacklist.current.uri.cf, edit line 16:
uri  WLS_URI_OPT_0  m/\b//document-records.com\b/i
to look like:
uri  WLS_URI_OPT_0  m/\b\/document-records.com\b/i

If you have any sa-blacklist.current.uri.cf. files, delete those
and re-run RDJ


John Narron| "Sacrifice, they always say
Network Administration |  Is a sign of nobility
CDS/CDSinet, LLC   |  But where does one draw the line
http://www.cdsinet.net |  In the face of injury?"
(660) 886 4045 | - Queensryche 
 




From: Casey King [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 01, 2005 10:42 AM
To: 'SpamAssassin Users'
Subject: Blacklist-uri.cf problem



As of this morning (approximately 6:30am up to now.) all three of
my systems have failed to update RDJ.  This is what I am getting as an
error.

Rules Du Jour Run Summary:RulesDuJour Run Summary on wks-lin9: 

William Stearn's URI blacklist has changed on wks-lin9. 
Version line: #sa-blacklist.uri: 200512010914 

***WARNING***: spamassassin --lint failed. 
Rolling configuration files back, not restarting SpamAssassin. 
Rollback command is:  mv -f
/etc/mail/spamassassin/blacklist-uri.cf
/etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf.2; mv -f
/etc/mail/spamassassin/RulesDuJour/blacklist-uri.cf.20051201-1019
/etc/mail/spamassassin/blacklist-uri.cf;

Lint output: [2514] warn: Backslash found where operator
expected at (eval 3485) line 1, near "com\" 
[2514] warn: config: invalid regexp for rule WLS_URI_OPT_0:
m//document-records.co/i: syntax error 
[2514] warn: config: warning: description exists for
non-existent rule WLS_URI_OPT_0 
[2514] warn: config: warning: score set for non-existent rule
WLS_URI_OPT_0 
[2514] warn: lint: 3 issues detected, please rerun with debug
enabled for more information 
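
The failure in this message comes from an unescaped `/` inside an `m/.../` pattern, so Perl ends the regex early and chokes on the rest. The following is an added example, not part of the original thread or of Rules Du Jour: a small Python pre-check that finds such lines in a downloaded rule file before it is installed. The second rule name, the flag set and the function names are assumptions made for the illustration.

```python
import re

# Assumption: the regex modifiers this sketch accepts after the closing delimiter.
VALID_FLAGS = set("imsxgo")
BRACKET_OPENERS = set("{([<")

# Rule types whose third field is a bare Perl regex (header rules are not covered here).
RULE_LINE = re.compile(r"^\s*(uri|body|rawbody|full)\s+(\S+)\s+(.*\S)\s*$")


def split_perl_regex(expr):
    """Split '/pat/flags' or 'm<d>pat<d>flags' at the first unescaped delimiter.

    Returns (pattern, flags). Raises ValueError when the text after that
    delimiter is not a plain flag list, which is what an unescaped delimiter
    inside the pattern produces.
    """
    if expr[:1] == "m" and len(expr) > 1 and not (expr[1].isalnum() or expr[1].isspace() or expr[1] == "_"):
        delim, start = expr[1], 2
    elif expr[:1] == "/":
        delim, start = "/", 1
    else:
        raise ValueError("no regex delimiter found")
    if delim in BRACKET_OPENERS:
        raise ValueError("bracketing delimiters are not handled by this sketch")

    i = start
    while i < len(expr):
        ch = expr[i]
        if ch == "\\":
            i += 2          # a backslash escapes the next character, delimiter included
            continue
        if ch == delim:
            pattern, flags = expr[start:i], expr[i + 1:]
            if any(c not in VALID_FLAGS for c in flags):
                raise ValueError(
                    "unescaped %r at offset %d ends the pattern early; "
                    "trailing text %r is not a flag list" % (delim, i, flags)
                )
            return pattern, flags
        i += 1
    raise ValueError("unterminated regex")


def lint_rules(text):
    """Return [(line_number, rule_name, problem)] for every rule that fails the split."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_LINE.match(line)
        if not m:
            continue
        try:
            split_perl_regex(m.group(3))
        except ValueError as exc:
            problems.append((lineno, m.group(2), str(exc)))
    return problems


# Line 1 is the broken rule quoted in the message; line 2 is the edited form
# from the reply, given a constructed name so both can sit in one sample.
SAMPLE_RULES = "\n".join([
    r"uri  WLS_URI_OPT_0  m/\b//document-records.com\b/i",
    r"uri  WLS_URI_OPT_0_EDITED  m/\b\/document-records.com\b/i",
])

if __name__ == "__main__":
    for lineno, name, problem in lint_rules(SAMPLE_RULES):
        print("line %d: %s: %s" % (lineno, name, problem))
```

A check like this complements `spamassassin --lint`: it can run on the freshly downloaded file and name the offending line before the file is moved into place.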







Blacklist-uri.cf problem

2005-12-01 Thread Casey King
As of this morning (approximately 6:30am up to now…) all three of my systems have failed to update RDJ.  This is what I am getting as an error.

Rules Du Jour Run Summary:RulesDuJour Run Summary on wks-lin9:


William Stearn's URI blacklist has changed on wks-lin9.

Version line: #sa-blacklist.uri: 200512010914


***WARNING***: spamassassin --lint failed.

Rolling configuration files back, not restarting SpamAssassin.

Rollback command is:  mv -f /etc/mail/spamassassin/blacklist-uri.cf /etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf.2; mv -f /etc/mail/spamassassin/RulesDuJour/blacklist-uri.cf.20051201-1019 /etc/mail/spamassassin/blacklist-uri.cf;

Lint output: [2514] warn: Backslash found where operator expected at (eval 3485) line 1, near "com\"

[2514] warn: config: invalid regexp for rule WLS_URI_OPT_0: m//document-records.co/i: syntax error

[2514] warn: config: warning: description exists for non-existent rule WLS_URI_OPT_0

[2514] warn: config: warning: score set for non-existent rule WLS_URI_OPT_0

[2514] warn: lint: 3 issues detected, please rerun with debug enabled for more information


###


Trying to figure out what the issue is.  I opened the current blacklist-uri.cf, and searched for "document-records"…not too hard to find since it was at the top of the file.  I commented those lines out and ran RDJ from the command line, and came up with the same problem.  Seeing this didn't fix the problem, I ran spamassassin --lint, and it ran without errors.

My current configuration is as follows:


rules_du_jour file is v1.27, and I commented out 

#ANTIDRUG=7;

#  CF_URLS[7]="http://mywebpages.comcast.net/mkettler/sa/antidrug.cf"

# CF_FILES[7]="antidrug.cf";

# CF_NAMES[7]="Matt Kettler's AntiDrug";

#PARSE_NEW_VER_SCRIPTS[7]="${PERL} -ne 'print if /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | ${TAIL}";

/etc/rulesdujour/config


#   changed 2005.12.01 CLK

#   modified: Removed ANTIDRUG

#   Comes as part of SA 3.1

#   TRUSTED_RULESETS="TRIPWIRE ANTIDRUG EVILNUMBERS BLACKLIST_URI RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_RATWARE SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER_ABUSE SARE_SPECIFIC SARE_CODING_HTML SARE_GENLSUBJ SARE_UNSUB SARE_URI SARE_REDIRECT_POST300";

    TRUSTED_RULESETS="TRIPWIRE EVILNUMBERS BLACKLIST_URI RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER_ABUSE SARE_SPECIFIC SARE_CODING_HTML SARE_GENLSUBJ SARE_UNSUB SARE_URI0 SARE_REDIRECT_POST300 SARE_OBFU SARE_SPAMCOP_TOP200";    



SA_DIR="/etc/mail/spamassassin";

SA_RESTART="/etc/init.d/MailScanner restart";


## I started adding to list after SARE_RANDOM 

## Here is a list of the rulesets setup below ##

## TRIPWIRE 

## EVILNUMBERS 

## BLACKLIST_URI 

## RANDOMVAL 

## BOGUSVIRUS 

## SARE_ADULT 

## SARE_FRAUD 

## SARE_BML

## SARE_SPOOF

## SARE_BAYES_POISON_NXM

## SARE_OEM

## SARE_RANDOM 

## SARE_HEADER_ABUSE

## SARE_SPECIFIC

## SARE_CODING_HTML

## SARE_GENLSUBJ

## SARE_UNSUB

## SARE_URI0 

## SARE_REDIRECT_POST300

## SARE_SPAMCOP_TOP200

## SARE_OBFU

##

# NON AUTO-UPDATED RULES #

## 2005.11.21

## BACKHAIR

## CHICKENPOX

## DIVSPELLRULES

## RCDIVOBS

## ANTIDRUG (part of SA 3.1)

##






RE: New Spammer?

2005-11-22 Thread Casey King
Matt,

You are right, these are viruses being sent.  I have been working with
SA for about 6 months now, and I must say...originally I was confused
about the 'features' of SA, but have since learned that SA has nothing
to do with viruses.  I probably alluded to the idea that I was worried SA
wasn't scoring high enough; hence, making everything think that I felt
SA should give a higher score b/c of the virus attached, but that is not
what I was getting at.  You are also right that I need to send an email
out to the users, and let them know about the virus outbreak.  No
message has made it through without being tagged, so the servers are
working as they should.  I mainly sent out the email to see if others
were seeing an influx also.

Thanks for the information.  As always, if it were not for this active
mailing list, I would not be as knowledgeable as I am now...but I would
still be considered a "novice," much like what you and Julian have been
discussing on the MailScanner list.

Casey

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 22, 2005 9:47 AM
To: Casey King; SpamAssassin Users
Subject: Re: New Spammer?


At 09:56 AM 11/22/2005, Casey King wrote:

>This morning we have been getting drilled by spam/virus emails.

Are they spam, or viruses? Not the same thing.

>40 so far.

I should be so lucky to see as few as 40/hour during any kind of
outbreak

>  Been getting a lot of phone calls from across the company about these
> emails.  At least my mailscanner boxes are stripping the files, and 
> tagging it as spam, but what worries me, is the low scores these messages 
> are receiving.

SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not 
care about virus emails. No effort is made to try to catch them, because 
doing so would dilute the scores of the spam ruleset. No effort is made to 
try to avoid tagging them either. They're just removed from the corpus and 
handled by the developers as if they don't exist.

>I start tagging spam, at 3.5 so each message has been tagged, but still
>sent through.  Any one else seeing these emails?

I see plenty of viruses, and never give them a mind. My selective 
greylisting helps, but so far this morning my mailscanner still got 20 of 
them.

There was also a steep burst last Weds, 18 of them, which then leveled off 
through the rest of the day.

*shrug*..  tell your users in a broadcast email that there is a virus 
outbreak, but to not be concerned unless they have a message that looks 
like a virus and isn't tagged. You might also want to include some standard 
educational notes about viruses and their auto-sending, auto-forging habits.



RE: Rule for this

2005-11-22 Thread Casey King
I do understand that the trusted hosts needs to be fixed, but not being fully in
control, I am not allowed to do this.  I have had this discussion with the
Senior Admin.  I am running SA 3.1, and yes I do have an antidrug rule in
place.  I am currently looking for a more up to date antidrug rule b/c the
one I have has not updated since 4/28/04.  So I know I need to get this
changed.  Here is a list of the rules I am currently running.

TRIPWIRE ANTIDRUG EVILNUMBERS BLACKLIST_URI RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD
SARE_BML SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER_ABUSE SARE_SPECIFIC SARE_CODING_HTML SARE_GENLSUBJ SARE_UNSUB SARE_URI0 SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_OBFU

-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Monday, November 21, 2005 4:55 PM
To: users@spamassassin.apache.org
Subject: Re: Rule for this

First, fix your trusted hosts.  You shouldn't be trusting a DSL line
on some other system.

Second, you don't mention what version of SA you are using, nor what
rules files you are using.  It looks like you don't have antidrug rules,
which would imply 2.6x.  In any case some of the SARE rules would
probably have caught this, and probably the built-in antidrug rules in
3.x.

        Loren
   


New Spammer?

2005-11-22 Thread Casey King
This morning we have been getting drilled by spam/virus emails.  40 so far.  Been getting a lot of phone calls from across the company about these emails.  At least my mailscanner boxes are stripping the files, and tagging it as spam, but what worries me, is the low scores these messages are receiving.  I start tagging spam, at 3.5 so each message has been tagged, but still sent through.  Any one else seeing these emails?

Header:


Return-Path: < g>

Received: from bohoqsobp.us (12-219-139-163.client.mchsi.com [12.219.139.163])

 by mail.lovebox.com (8.13.4/8.13.4) with SMTP id jALMiLIS008948;

 Mon, 21 Nov 2005 16:44:22 -0600

From: [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

Date: Mon, 21 Nov 2005 22:41:54 UTC

Subject: Mail delivery failed

Importance: Normal

X-Priority: 3 (Normal)

Message-ID: <[EMAIL PROTECTED]>

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="==5d580c.aff4910fa20fafbb2a"

Content-Transfer-Encoding: 7bit


Subject: Mail delivery failed


Report:


MailScanner: Executable DOS/Windows programs are dangerous in email (File-packed_da.exe)

Inoculate: File ./jALMiLIS008948/mail_body.zip is infected by virus: Win32/Sober.W!Worm Inoculate: File ./jALMiLIS008948/mail_body.zip/File-packed_dataInfo.exe/ is infected by virus: Win32/Sober.W!Worm

ClamAV: mail_body.zip contains Worm.Sober.U


Inoculate: File ./jALMiLIS008948/File-packed_dataInfo.exe is infected by virus: Win32/Sober.W!Worm ClamAV: File-packed_dataInfo.exe contains Worm.Sober.U

MailScanner: Executable DOS/Windows programs are dangerous in email (File-packed_dataInfo.exe)

MailScanner: Executable DOS/Windows programs are dangerous in email (File-packed_da.exe)

Inoculate: File ./jALMiLIS008948/File-packed_dataInfo.exe is infected by virus: Win32/Sober.W!Worm

ClamAV: File-packed_dataInfo.exe contains Worm.Sober.U

MailScanner: Executable DOS/Windows programs are dangerous in email (File-packed_dataInfo.exe)


SpamAssassin Score: 3.85


Spam Report:    

    Score   Matching Rule   Description

-1.80    ALL_TRUSTED Did not pass through any untrusted hosts

2.19    INVALID_DATE    Invalid Date: header (not RFC 2822)

0.96    NO_REAL_NAME    From: does not include a real name

0.50    RAZOR2_CF_RANGE_51_100  Razor2 gives confidence level above 50%

1.50    RAZOR2_CF_RANGE_E4_51_100    

0.50    RAZOR2_CHECK    Listed in Razor2 (http://razor.sf.net/)


/var/log/maillog


Nov 21 16:44:42 wks-lin12 MailScanner[21338]: Saved archive copies of jALMiUOJ008973 jALMiLIS008948
Nov 21 16:44:52 wks-lin12 MailScanner[21338]: Message jALMiLIS008948 from 12.219.139.163 ([EMAIL PROTECTED]) to lovebox.com is spam, SpamAssassin (score=3.854, required 3, ALL_TRUSTED -1.80, INVALID_DATE 2.19, NO_REAL_NAME 0.96, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50)
Nov 21 16:44:53 wks-lin12 MailScanner[21338]: Spam Actions: message jALMiLIS008948 actions are store,deliver,striphtml
Nov 21 16:44:55 wks-lin12 MailScanner[21338]: File /var/spool/MailScanner/incoming/21338/./jALMiLIS008948/File-packed_dataInfo.exe is infected by virus: Win32/Sober.W!Worm
Nov 21 16:44:55 wks-lin12 MailScanner[21338]: File /var/spool/MailScanner/incoming/21338/./jALMiLIS008948/mail_body.zip is infected by virus: Win32/Sober.W!Worm
Nov 21 16:44:55 wks-lin12 MailScanner[21338]: File /var/spool/MailScanner/incoming/21338/./jALMiLIS008948/mail_body.zip is infected by virus: Win32/Sober.W!Worm
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: /var/spool/MailScanner/incoming/21338/./jALMiLIS008948/File-packed_dataInfo.exe: Worm.Sober.U FOUND
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: /var/spool/MailScanner/incoming/21338/./jALMiLIS008948/mail_body.zip: Worm.Sober.U FOUND
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Infected message jALMiLIS008948 came from 12.219.139.163
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Filename Checks: Windows/DOS Executable (jALMiLIS008948 File-packed_dataInfo.exe)
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Filename Checks: Windows/DOS Executable (jALMiLIS008948 File-packed_dataInfo.exe)
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved entire message to /var/spool/MailScanner/quarantine/20051121/jALMiLIS008948
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved infected "File-packed_da.exe" to /var/spool/MailScanner/quarantine/20051121/jALMiLIS008948
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved infected "mail_body.zip" to /var/spool/MailScanner/quarantine/20051121/jALMiLIS008948
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved infected "File-packed_dataInfo.exe" to /var/spool/MailScanner/quarantine/20051121/jALMiLIS008948
Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Logging message jALMiLIS008948 to SQL
Nov 21 16:44:57 wks-lin12 MailScanner[1488]: jALMiLIS008948: Logged to MailWatch SQL
Nov 21 16:44:58 wks-lin12 sendmail[9046]: jALMiLIS008948: to=dfair, ctladdr=<[EMAIL PROTECTED]> (8/0), delay=00:00:36, mailer=local, pri=285904, dsn=5.1.1, stat=U
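
The maillog above records `ALL_TRUSTED -1.80` on a message that arrived from 12.219.139.163, which is the trust-path problem the "fix your trusted hosts" reply elsewhere in this archive refers to. The following is an added example, not part of the original posts: a Python check that scans MailScanner spam log lines for the `ALL_TRUSTED` credit on messages received from outside the site's own networks and shows the score without that credit. The network ranges and the last two sample lines are constructed placeholders.

```python
import ipaddress
import re

# Assumption: placeholder ranges standing in for the networks the site really controls.
SITE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Matches the MailScanner "is spam, SpamAssassin (...)" line format shown in the log above.
SPAM_LINE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<id>\S+) from (?P<ip>\S+) .*?"
    r"SpamAssassin \(score=(?P<score>-?\d+(?:\.\d+)?), "
    r"required (?P<required>-?\d+(?:\.\d+)?), (?P<rules>.*)\)\s*$"
)


def parse_rule_hits(rules):
    """Turn 'NAME 1.23, OTHER -0.50' into {'NAME': 1.23, 'OTHER': -0.5}."""
    hits = {}
    for item in rules.split(", "):
        name, _, points = item.rpartition(" ")
        try:
            hits[name] = float(points)
        except ValueError:
            continue  # not a 'NAME points' pair; ignore it
    return hits


def find_misplaced_trust(lines, site_networks=SITE_NETWORKS):
    """Report messages that got the ALL_TRUSTED credit from an outside address."""
    findings = []
    for line in lines:
        m = SPAM_LINE.search(line)
        if not m:
            continue
        hits = parse_rule_hits(m["rules"])
        if "ALL_TRUSTED" not in hits:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if any(ip in net for net in site_networks):
            continue  # the credit is plausible for an internal sender
        score = float(m["score"])
        findings.append({
            "id": m["id"],
            "ip": str(ip),
            "score": score,
            "score_without_credit": round(score - hits["ALL_TRUSTED"], 3),
        })
    return findings


SAMPLE_LINES = [
    # Copied from the maillog excerpt above.
    "Nov 21 16:44:52 wks-lin12 MailScanner[21338]: Message jALMiLIS008948 from "
    "12.219.139.163 ([EMAIL PROTECTED]) to lovebox.com is spam, SpamAssassin "
    "(score=3.854, required 3, ALL_TRUSTED -1.80, INVALID_DATE 2.19, NO_REAL_NAME 0.96, "
    "RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50)",
    # Constructed: internal sender, so the credit is not reported.
    "Nov 21 16:45:10 wks-lin12 MailScanner[21338]: Message xCONSTRUCTED0001 from "
    "10.1.2.3 (user@example.org) to example.org is spam, SpamAssassin "
    "(score=3.20, required 3, ALL_TRUSTED -1.80, SARE_URI_EQUALS 5.00)",
    # Constructed: outside sender without the credit.
    "Nov 21 16:45:30 wks-lin12 MailScanner[21338]: Message xCONSTRUCTED0002 from "
    "203.0.113.9 (user@example.net) to example.org is spam, SpamAssassin "
    "(score=3.15, required 3, INVALID_DATE 2.19, NO_REAL_NAME 0.96)",
]

if __name__ == "__main__":
    for f in find_misplaced_trust(SAMPLE_LINES):
        print("%(id)s from %(ip)s: %(score)s logged, %(score_without_credit)s without ALL_TRUSTED" % f)
```

Any hit from this check points at the SpamAssassin trust path configuration (the `trusted_networks` setting) rather than at the individual rules.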

RE: Rule for this

2005-11-18 Thread Casey King
I am still receiving spam, that is wrapped in html code.  I am not sure
why this rule I added is not picking it up.  From what I read, it seems
to work for others, but adding it to my local.cf, and running -lint with
no errors, my spam checks still ignore it.  What can I do to stop this?

-Original Message-
From: Jean-Paul Natola [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 14, 2005 2:50 PM
To: Gene Heskett; users@spamassassin.apache.org
Subject: RE: Rule for this ??-LINT



On Monday 14 November 2005 11:22, Casey King wrote:
>Okay,
>
>I have the rule in my local.cf as
>
>body L_DRUGS11 /([CVAXP] ){5}/
>header L_DRUGS12 MESSAGEID =~ 
>/^<[EMAIL PROTECTED]>/
>meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
>score L_DRUGS1 5
>describe L_DRUGS1 Strange Message-ID and Spam signature in body
>
>
>Since it did not seem to get picked up by the rule.  I updated 
>rulesdujour from the command line:
>
>./rules_du_jour
>
This sounds like a great idea.

If it works with 3.0.4, where can I get it?

>No errors were reported.
>
>Doing a spamassassin --lint returned no errors.
>
>To see if I could stop this type of message, I sent from one of my  
>trash accounts, and this is what happens when the message comes  
>through. Still not getting tagged with the new rule.
>
>
>-1.80  ALL_TRUSTED Did not pass through any untrusted hosts
>-2.71  AWL From: address is in the auto white-list
>0.50   HTML_40_50  Message is 40% to 50% HTML
>0.00   HTML_MESSAGE    HTML included in message
>0.64   SARE_MSGID_LONG40   Message ID has suspicious length
>0.69   SARE_SPEC_LEO_LINE06
>5.00   SARE_URI_EQUALS Trying to hide the real URL with IE parsing bug
>0.00   UPPERCASE_25_50 message body is 25-50% uppercase
>
>-Original Message-
>From: Pierre Thomson [mailto:[EMAIL PROTECTED]
>Sent: Monday, November 14, 2005 9:19 AM
>To: Casey King; SpamAssassin Users
>Subject: RE: Rule for this ??
>
>Casey King wrote:
>>> body L_DRUGS11 /([CVAXP] ){5}/
>>> header L_DRUGS12 MESSAGEID =~ 
>>> /^<[EMAIL PROTECTED]>/
>>> meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
>>> score L_DRUGS1 5
>>> describe L_DRUGS1 Strange Message-ID and Spam signature in body.
>>
>> This rule goes in the local.cf file right?  I added this rule, and 
>> restarted MailScanner and it does not seem to be reading the rule.  I
>> am not so good with writing rules, but I was wondering
>>
>> Body L_DRUGS11
>> Score L_DRUGS1
>>
>> Are these supposed to be set this way, or do these both need to be 
>> set to '1' or '11'???
>
>There are two sub-rules (L_DRUGS11 and L_DRUGS12) and one meta rule
>(L_DRUGS1) which gets the score and description.  But you might have a 
>problem with the line wrap; the line starting with "header" should end 
>in "+>/".  Run "spamassassin --lint" to check your configuration.
>
>Pierre



Hi all, I *believe* I have applied the following rule correctly, 

To verify I ran the --lint , it all checked out ok BUT it's giving some
errors with respect to the whitelisted entries I  have in the local.cf
that resides in the SA directory

I know my whitelist works  as I had a previously rejected message resent
, and it came through without a hitch;

Here's the output from lint

And no, I did NOT add the custom rule to the local.cf 



milter# spamassassin --lint
[923] warn: config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]
[923] warn: config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]
[923] warn: config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]
[923] warn: config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]
[923] warn: config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]
[923] warn: config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]
[923] warn: lint: 6 issues detected, please rerun with debug enabled for more information



RE: Rule for this ??

2005-11-14 Thread Casey King
Okay,

I have the rule in my local.cf as

body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~
/^<[EMAIL PROTECTED]>/
meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
score L_DRUGS1 5
describe L_DRUGS1 Strange Message-ID and Spam signature in body


Since it did not seem to get picked up by the rule.  I updated
rulesdujour from the command line:

./rules_du_jour

No errors were reported.

Doing a spamassassin --lint returned no errors.

To see if I could stop this type of message, I sent from one of my trash
accounts, and this is what happens when the message comes through.
Still not getting tagged with the new rule.


-1.80   ALL_TRUSTED Did not pass through any untrusted hosts
-2.71   AWL From: address is in the auto white-list
0.50    HTML_40_50  Message is 40% to 50% HTML
0.00    HTML_MESSAGE    HTML included in message
0.64    SARE_MSGID_LONG40   Message ID has suspicious length
0.69    SARE_SPEC_LEO_LINE06 
5.00    SARE_URI_EQUALS Trying to hide the real URL with IE parsing bug
0.00    UPPERCASE_25_50 message body is 25-50% uppercase

-Original Message-
From: Pierre Thomson [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 14, 2005 9:19 AM
To: Casey King; SpamAssassin Users
Subject: RE: Rule for this ??


Casey King wrote:

>> body L_DRUGS11 /([CVAXP] ){5}/
>> header L_DRUGS12 MESSAGEID =~ 
>> /^<[EMAIL PROTECTED]>/
>> meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
>> score L_DRUGS1 5
>> describe L_DRUGS1 Strange Message-ID and Spam signature in body.
>
> This rule goes in the local.cf file right?  I added this rule, and 
> restarted MailScanner and it does not seem to be reading the rule.  I 
> am not so good with writing rules, but I was wondering
> 
> Body L_DRUGS11
> Score L_DRUGS1
> 
> Are these supposed to be set this way, or do these both need to be set
> to '1' or '11'???
> 

There are two sub-rules (L_DRUGS11 and L_DRUGS12) and one meta rule
(L_DRUGS1) which gets the score and description.  But you might have a
problem with the line wrap; the line starting with "header" should end
in "+>/".  Run "spamassassin --lint" to check your configuration.

Pierre



RE: Rule for this ??

2005-11-14 Thread Casey King
This rule goes in the local.cf file right?  I added this rule, and
restarted MailScanner and it does not seem to be reading the rule.  I am
not so good with writing rules, but I was wondering

Body L_DRUGS11
Score L_DRUGS1

Are these supposed to be set this way, or do these both need to be set
to '1' or '11'???

thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 14, 2005 3:01 AM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: RE: Rule for this ??




This one works like magic .. Also on the new variant which seems to have
been released this weekend.

body L_DRUGS11 /([CVAXP] ){5}/
header L_DRUGS12 MESSAGEID =~
/^<[EMAIL PROTECTED]>/
meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
score L_DRUGS1 5
describe L_DRUGS1 Strange Message-ID and Spam signature in body.

- Ríkharður

-Original Message-
From: Jean-Paul Natola [mailto:[EMAIL PROTECTED] 
Sent: 11 November, 2005 7:59 PM
To: users@spamassassin.apache.org
Subject: Rule for this ??


Here's an intelligent html coder
 
I viewed the source of the code because I was curious as to how these
words flew right through my SA ,
 
You will note that if turned into plain text  , he used a bunch of
tables and cells to produce the following;
 
 



From: Firoz Granger [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 11, 2005 4:49 AM
To: Jean-Paul Natola
Subject: Glen: interesting information
 
Hi,
Qui ing f ications - vis aExpres op 
t overpayor your Meddit our Pharms Sh 

 
P V C X V Ar I I a A mo A A n L bz G L a I ia R I x U ec A S  
M n
 69,95  99,95  
 85,45   

 
 
What rule, if any , can combat this?



RE: Spamd / RDJ

2005-10-06 Thread Casey King
Thanks to everyone who was willing to take the time to respond, and
educate me on this issue.  Michele, thanks for posting the SA_RULE 
for the config file.  This has fixed my problem.   

-Original Message-
From: Michele Neylon :: Blacknight.ie [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 05, 2005 5:21 PM
To: Chris Thielen
Cc: SpamAssassin Users; Casey King
Subject: Re: Spamd / RDJ

Chris Thielen wrote:
>
> Hi Casey,
> 
> Larry and Dhawal are correct, you shouldn't be restarting spamd if you
> don't use it (spamassassin --lint does NOT require spamd). I recommend
> changing SA_RESTART to a command that will restart MailScanner, or cause
> MailScanner to reload its config files.
> 
> Note: I don't know that mailscanner can actually reload SpamAssassin
> config files, I just assume it might have the capability.
> 
> Chris Thielen

If you are using MailScanner you should _never_ run spamd/spamc

Chris - you still need to run --lint on the SA rules.


The way to get MS working with RDJ is to make a minor change to the
script

Change the line starting:
SA_RESTART=

to read:

SA_RESTART="/etc/init.d/MailScanner restart";  # Command used to restart spamd

HTH

Michele

-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239



Spamd / RDJ

2005-10-05 Thread Casey King








Because RDJ --lints SA, I have tried to create a cron
job that would stop Spamd from running.  I do not want it using up so much
memory since MailScanner calls SA on its own.  My crontab looks like this:

-
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * run-parts /etc/cron.hourly
02 4 * * * run-parts /etc/cron.daily
22 4 * * 0 run-parts /etc/cron.weekly
42 4 1 * * run-parts /etc/cron.monthly

# shut down spamassassin after rulesdejour does an update
30 * * * * root /etc/init.d/spamassassin stop
-

From what I “believe” I had set, is for
spamassassin to be shut down every 30 minutes.

In /etc/cron.daily is my update_spamassassin_rules.

---
#!/bin/bash

[ -x /etc/mail/spamassassin/RulesDuJour/rules_du_jour ] ||
exit 0
exec /etc/mail/spamassassin/RulesDuJour/rules_du_jour
/etc/init.d/spamassassin stop
exit 0

Seeing the cron job was not working, I added the
/etc/init.d/spamassassin stop to the file hoping it would stop SA after RDJ
finished.  This has been no help.

Does anyone have another idea of what I can do to shutdown
SA after RDJ lints SA?  I am getting tired of stopping SA from the command
line.

 








RE: RDJ Blacklist

2005-09-29 Thread Casey King








I think I now see the problem.  The url
to retrieve the blacklist-uri has been changed, and this is reflected in
version 1.24.  I also see there is a change form random.cf.  The
interesting thing I am not sure of….is why System B does not reflect the
changes of version 1.24, but was still downloading the current version of
blacklist-uri.cf

 

-Original Message-
From: Casey King
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 29, 2005 9:29 AM
To: SpamAssassin Users
Subject: RDJ Blacklist

 

While checking RDJ on my systems. I
noticed, blacklist-uri last updated on 9.21.2005 on two of my systems, and on
my third system, it is current as of today.  The version of RDJ I am
running on all three systems is 1.21.  I know there is a 1.24, but I would
like to get this working again before I decide to change to another
version.  I ran the update from the command line and piped it to a test
file.  Everything looks the same until reaching the blacklist.uri
part.  For some reason systemA says blacklist does not need updated, and
systemB updates to the most current version.  Below are snips from systemA
and systemB.  As I said before, system A is current to 9.21.2005, and
system B is 9.29.2005

 

 

System A

[snip] (top of piped information)

exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 2>&1
curl_output: 304

[snip]

-- BLACKLIST_URI --
RULESET_NAME=BLACKLIST_URI
INDEX=10
CF_URL=http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
CF_FILE=blacklist-uri.cf
CF_NAME=William Stearn's URI blacklist
PARSE_NEW_VER_SCRIPT=grep -i '^#.*sa-blacklist.uri: 200' | sort | tail -1
CF_MUNGE_SCRIPT=
Old sa-blacklist.current.uri.cf already existed in /etc/mail/spamassassin/RulesDuJour...
Retrieving file from http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf...
exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf 2>&1
curl_output: 302
sa-blacklist.current.uri.cf was up to date [skipped downloading of http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf ] ...

 

 

System B

[snip] (top of piped information)

Curl version is 7.9 (Not 7.10 or greater).  Falling back to wget.
exec: wget -N http://sandgnat.com/rdj/rules_du_jour > /etc/mail/spamassassin/RulesDuJour/wget.log 2>&1
wget_output: --08:36:06--  http://sandgnat.com/rdj/rules_du_jour
           => `rules_du_jour'
Resolving sandgnat.com... done.
Connecting to sandgnat.com[208.42.148.125]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 60,691 [application/octet-stream]
Server file no newer than local file `rules_du_jour' -- not retrieving.

[snip]

-- BLACKLIST_URI --
RULESET_NAME=BLACKLIST_URI
INDEX=10
CF_URL=http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
CF_FILE=blacklist-uri.cf
CF_NAME=William Stearn's URI blacklist
PARSE_NEW_VER_SCRIPT=grep -i '^#.*sa-blacklist.uri: 200' | sort | tail -1
CF_MUNGE_SCRIPT=
Old sa-blacklist.current.uri.cf already existed in /etc/mail/spamassassin/RulesDuJour...
Retrieving file from http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf...
exec: wget -N http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf > /etc/mail/spamassassin/RulesDuJour/wget.log 2>&1
wget_output: --08:36:08--  http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
           => `sa-blacklist.current.uri.cf'
Resolving www.stearns.org... done.
Connecting to www.stearns.org[66.59.111.182]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf [following]
--08:36:09--  http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
           => `sa-blacklist.current.uri.cf'
Resolving www.sa-blacklist.stearns.org... done.
Connecting to www.sa-blacklist.stearns.org[147.102.222.211]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,820,512 [text/plain]
Remote file is newer, retrieving.
--08:36:09--  http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
           => `sa-blacklist.current.uri.cf'
Connecting to www.sa-blacklist.stearns.org[147.102.222.211]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,820,512 [text/plain]

    0K .. .. .. .. ..  1%   60.17 KB/s
   50K .. .. .. .. ..  3%   83.89 KB/s
  100K .. .. .. .. ..  5%   34.41 KB/s
  150K .. .. .. .. ..  7%

RDJ Blacklist

2005-09-29 Thread Casey King
While checking RDJ on my systems, I noticed blacklist-uri was last
updated on 9.21.2005 on two of my systems, and on my third system it is
current as of today.  The version of RDJ I am running on all three systems
is 1.21.  I know there is a 1.24, but I would like to get this working
again before I decide to change to another version.  I ran the update from
the command line and piped it to a test file.  Everything looks the same
until reaching the blacklist.uri part.  For some reason systemA says
blacklist does not need to be updated, and systemB updates to the most
current version.  Below are snips from systemA and systemB.  As I said
before, system A is current to 9.21.2005, and system B is 9.29.2005.

System A

[snip] (top of piped information)

exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 2>&1

curl_output: 304

[snip]

-- BLACKLIST_URI --

RULESET_NAME=BLACKLIST_URI

INDEX=10

CF_URL=http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf

CF_FILE=blacklist-uri.cf

CF_NAME=William Stearn's URI blacklist

PARSE_NEW_VER_SCRIPT=grep -i '^#.*sa-blacklist.uri: 200' | sort | tail -1

CF_MUNGE_SCRIPT=

Old sa-blacklist.current.uri.cf already existed in /etc/mail/spamassassin/RulesDuJour...

Retrieving file from http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf...

exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf 2>&1

curl_output: 302

sa-blacklist.current.uri.cf was up to date [skipped downloading of http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf ] ...

System B

[snip] (top of piped information)

Curl version is 7.9 (Not 7.10 or greater).  Falling back to wget.

exec: wget -N http://sandgnat.com/rdj/rules_du_jour > /etc/mail/spamassassin/RulesDuJour/wget.log 2>&1

wget_output: --08:36:06--  http://sandgnat.com/rdj/rules_du_jour

           => `rules_du_jour'

Resolving sandgnat.com... done.

Connecting to sandgnat.com[208.42.148.125]:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 60,691 [application/octet-stream]

Server file no newer than local file `rules_du_jour' -- not retrieving.

[snip]

-- BLACKLIST_URI --

RULESET_NAME=BLACKLIST_URI

INDEX=10

CF_URL=http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf

CF_FILE=blacklist-uri.cf

CF_NAME=William Stearn's URI blacklist

PARSE_NEW_VER_SCRIPT=grep -i '^#.*sa-blacklist.uri: 200' | sort | tail -1

CF_MUNGE_SCRIPT=

Old sa-blacklist.current.uri.cf already existed in /etc/mail/spamassassin/RulesDuJour...

Retrieving file from http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf...

exec: wget -N http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf > /etc/mail/spamassassin/RulesDuJour/wget.log 2>&1

wget_output: --08:36:08--  http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf

           => `sa-blacklist.current.uri.cf'

Resolving www.stearns.org... done.

Connecting to www.stearns.org[66.59.111.182]:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf [following]

--08:36:09--  http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf

           => `sa-blacklist.current.uri.cf'

Resolving www.sa-blacklist.stearns.org... done.

Connecting to www.sa-blacklist.stearns.org[147.102.222.211]:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 2,820,512 [text/plain]

Remote file is newer, retrieving.

--08:36:09--  http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf

           => `sa-blacklist.current.uri.cf'

Connecting to www.sa-blacklist.stearns.org[147.102.222.211]:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 2,820,512 [text/plain]

    0K .. .. .. .. ..  1%   60.17 KB/s

   50K .. .. .. .. ..  3%   83.89 KB/s

  100K .. .. .. .. ..  5%   34.41 KB/s

  150K .. .. .. .. ..  7%   55.37 KB/s

  200K .. .. .. .. ..  9%   36.28 KB/s

  250K .. .. .. .. .. 10%   24.26 KB/s

  300K .. .. .. .. .. 12%   38.40 KB/s

  350K .. .. .. .. .. 14%   20.12 KB/s

  400K .. .. .. .. .. 16%   24.94 KB/s

  450K .. .. .. .. .. 18%   31.51 KB/s

  500K .. .. .. .. .. 19%   19.47 KB/s

  550K .. .. .. .. .. 21%   27.89 KB/s
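
Added example, not part of the original post or of the rules_du_jour script: in the System A log above, curl printed 302 and the ruleset was then reported as up to date, while wget on System B followed the same redirect and fetched the newer file. curl only follows a redirect when given -L/--location, so the sketch below (function names and the one-line log layout are assumptions) flags any fetch whose status is neither 200 nor 304 rather than treating it as current.

```shell
#!/bin/sh
# Added example: audit an update log for fetches that were silently skipped.
# Function names are hypothetical; the log layout follows the lines in the post.

# Map the code printed by `curl -w %{http_code}` on a conditional (-z) fetch.
classify_http_code() {
    case "$1" in
        200) echo "downloaded" ;;             # newer file was retrieved
        304) echo "up-to-date" ;;             # server confirmed local copy is current
        301|302|303|307|308)
             echo "redirect-not-followed" ;;  # curl without -L stops here: nothing fetched
        *)   echo "error" ;;
    esac
}

# Read a log on stdin; print "CODE URL" for every curl fetch that neither
# downloaded (200) nor was confirmed current (304).
audit_rdj_log() {
    awk '
        /^exec: curl / {
            url = ""
            for (i = 1; i <= NF; i++)
                if (index($i, "http://") == 1 || index($i, "https://") == 1) url = $i
        }
        /^curl_output: / { if ($2 != "200" && $2 != "304") print $2, url }
    '
}

# Constructed sample, assembled from the System A lines in the post.
sample_log() {
    cat <<'EOF'
exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 2>&1
curl_output: 304
exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf 2>&1
curl_output: 302
EOF
}

# Report each suspect fetch with its classification.
sample_log | audit_rdj_log | while read -r code url; do
    echo "STALE? $url -> $code ($(classify_http_code "$code"))"
done
```

Run against a saved update log, a non-empty result means at least one ruleset was skipped without the server ever confirming that the local copy is current.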


RE: AutoWhiteList

2005-08-10 Thread Casey King
Since waiting for a reply concerning my issue, I pulled the src.rpm off the
CD. 3.0.1 and installed it, and still the same problem... why is my
auto-whitelist file(s) not showing up?

-Original Message-
From: Casey King [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 3:15 PM
To: users@spamassassin.apache.org
Subject: AutoWhiteList


I seem to be at a loss.  I have installed SA 3.0.4 on two identical
machines.  Both machines are running CentOS4.1.  Other software loaded would
include:

Sendmail 8-13.4-1 (from src rpm)
Clamav 0-86 (tar file)
MailScanner 4.44.1-1 (tar)
MailWatch 1.0.1 (tar)
phpMyAdmin 2.6.3-pl1 (tar)
Webmin 1.210 (tar)

Both machines run smoothly, but when I was trying to figure out what is
getting AutoWhite listed, I found that "box2" did not have:

/root/.spamassassin/auto-whitelist
/root/.spamassassin/auto-whitelist.mutex

"box1" does have:
/root/.spamassassin/auto-whitelist

"Box1" and "Box2" are being built to replace a MailScanner system already in
use.  Upon review of this system, I can see I will run into issues if I
cannot check what is being auto-whitelisted.  I do find it strange that I
installed SA the same way on both machines and have different results.  I
tried to uninstall SA from "Box 2" by using this command:

rpm -e spamassassin

I am not sure if this is the best way to uninstall SA, but I do not know of
another.  I then reinstalled it two ways:

1. rpmbuild -tb Mail-SpamAssassin-3.0.4.tar.gz
   cd to /usr/src/redhat/RPMS/i386

These three files are in this directory
   perl-Mail-SpamAssassin-3.0.4-1.i386.rpm
   spamassassin-tools-3.0.4-1.i386.rpm
   spamassassin-3.0.4-1.i386.rpm

I installed the files (first by moving the tools rpm to another directory
and then moving it back and installing it separately)

2. Through untar, I cd to the Mail-SpamAssassin-3.0.4 directory and
installed via the INSTALL file instructions.

Both ways to install were successful, but I was still unable to see any of
the files I was looking for.  I would appreciate any feedback on what I am
doing wrong and any other approaches I can take to resolve this problem.

Casey




AutoWhiteList

2005-08-09 Thread Casey King
I seem to be at a loss.  I have installed SA 3.0.4 on two identical
machines.  Both machines are running CentOS4.1.  Other software loaded would
include:

Sendmail 8-13.4-1 (from src rpm)
Clamav 0-86 (tar file)
MailScanner 4.44.1-1 (tar)
MailWatch 1.0.1 (tar)
phpMyAdmin 2.6.3-pl1 (tar)
Webmin 1.210 (tar)

Both machines run smoothly, but when I was trying to figure out what is
getting AutoWhite listed, I found that "box2" did not have:

/root/.spamassassin/auto-whitelist
/root/.spamassassin/auto-whitelist.mutex

"box1" does have:
/root/.spamassassin/auto-whitelist

"Box1" and "Box2" are being built to replace a MailScanner system already in
use.  Upon review of this system, I can see I will run into issues if I
cannot check what is being auto-whitelisted.  I do find it strange that I
installed SA the same way on both machines and have different results.  I
tried to uninstall SA from "Box 2" by using this command:

rpm -e spamassassin

I am not sure if this is the best way to uninstall SA, but I do not know of
another.  I then reinstalled it two ways:

1. rpmbuild -tb Mail-SpamAssassin-3.0.4.tar.gz
   cd to /usr/src/redhat/RPMS/i386

These three files are in this directory
   perl-Mail-SpamAssassin-3.0.4-1.i386.rpm
   spamassassin-tools-3.0.4-1.i386.rpm
   spamassassin-3.0.4-1.i386.rpm

I installed the files (first by moving the tools rpm to another directory
and then moving it back and installing it separately)

2. Through untar, I cd to the Mail-SpamAssassin-3.0.4 directory and
installed via the INSTALL file instructions.

Both ways to install were successful, but I was still unable to see any of
the files I was looking for.  I would appreciate any feedback on what I am
doing wrong and any other approaches I can take to resolve this problem.

Casey