Re: Almost no score
I could be asking the same thing as Charles; if I am, I apologize. I installed the rules below, ran the headers.txt file through SA, and the rules did not trigger. Do I need to configure something else?

Thanks,
Craig

>>> Charles Gregory 5/1/2009 9:48 AM >>>
Uh, what do these 'ratware' rules trigger on? How effective are they, and what are the chances of false positives?

- Charles

On Thu, 30 Apr 2009, LuKreme wrote:
> (single lines)
> header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="=_NextPart_000__\1\.\2/msi
> # "
>
> header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="=_NextPart_000__\1\.\2/msi
> # "
>
> header KB_RATWARE_BOUNDARY ALL =~ /^Message-Id: <([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="=_NextPart_000__\1\./msi
> # "
>
> score KB_RATWARE_BOUNDARY 2.0
> score KB_RATWARE_OUTLOOK_16 0.1
>
> --
> Exit, pursued by a bear.
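To show what the three rules key on, here is an added example (not part of LuKreme's post or of SpamAssassin) that translates them to Python regexes with the same /msi semantics and runs them over two constructed header blocks: one where the two 8-hex-digit halves of the Message-Id are echoed in the MIME boundary, and one shaped like a genuine Outlook message. The header values are constructed; the 1.0 for KB_RATWARE_OUTLOOK_12 is SpamAssassin's default for a rule with no score line, since the post gives it none.

```python
import re

# The three rules from the post, translated from Perl /msi to Python flags.
# In SpamAssassin the ALL pseudo-header is the whole raw header block, so
# `.{100,400}` (with re.S) spans the headers between the Message-Id and the
# Content-Type boundary parameter.  \1 and \2 are the Message-Id hex halves.
RATWARE_RULES = {
    "KB_RATWARE_OUTLOOK_16": (
        r'^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}'
        r'boundary="=_NextPart_000__\1\.\2',
        0.1,   # score line from the post
    ),
    "KB_RATWARE_OUTLOOK_12": (
        r'^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}'
        r'boundary="=_NextPart_000__\1\.\2',
        1.0,   # no score line in the post; SpamAssassin defaults an unscored rule to 1.0
    ),
    "KB_RATWARE_BOUNDARY": (
        r'^Message-Id: <([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}'
        r'boundary="=_NextPart_000__\1\.',
        2.0,   # score line from the post
    ),
}
FLAGS = re.M | re.S | re.I  # Perl /m /s /i


def ratware_hits(headers: str) -> dict:
    """Return {rule_name: score} for every rule whose regex matches the header block."""
    return {
        name: score
        for name, (pattern, score) in RATWARE_RULES.items()
        if re.search(pattern, headers, FLAGS)
    }


def ratware_score(headers: str) -> float:
    """Total points these rules would add to the message."""
    return sum(ratware_hits(headers).values())


# Constructed header block in the shape the rules look for: the Message-Id is
# <8hex$8hex$...> and the boundary repeats both halves as 8hex.8hex, with
# roughly 230 characters of ordinary headers in between (inside the 100-400 window).
RATWARE_HEADERS = (
    "Message-Id: <1a2b3c4d$5e6f7a8b$0100a8c0@mail.example.invalid>\n"
    'From: "Promo Sender" <promo@example.invalid>\n'
    "To: victim@example.invalid\n"
    "Subject: Constructed sample message\n"
    "Date: Thu, 30 Apr 2009 10:00:00 +0000\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/alternative;\n"
    '\tboundary="=_NextPart_000__1a2b3c4d.5e6f7a8b"\n'
)

# Constructed header block in the style a genuine Outlook client produces:
# the first Message-ID group is 12 hex digits, so `<([0-9a-f]{8})\$` never
# matches, and the boundary carries its own counter rather than the Message-ID.
OUTLOOK_HEADERS = (
    "Message-ID: <000501c9c8d1$3a4b5c6d$0a00a8c0@workstation>\n"
    'From: "Office User" <user@example.invalid>\n'
    "To: colleague@example.invalid\n"
    "Subject: Constructed sample message\n"
    "Date: Thu, 30 Apr 2009 10:00:00 +0000\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/alternative;\n"
    '\tboundary="----=_NextPart_000_0005_01C9C8D1.3A4B5C6D"\n'
)

if __name__ == "__main__":
    for label, hdrs in (("ratware", RATWARE_HEADERS), ("outlook", OUTLOOK_HEADERS)):
        print(label, ratware_hits(hdrs), ratware_score(hdrs))
```

Note that all three rules fire on the same header block (the OUTLOOK_12 backreference is only the first four digits of the second half, so it is a prefix of the OUTLOOK_16 match), which is why the post scores OUTLOOK_16 at only 0.1. A header block that does not match usually fails on the `.{100,400}` distance or on the exact `boundary="=_NextPart_000__` prefix, which is worth checking against a headers.txt file before changing scores.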
Re: New spam-to me-and how do I stop. THANK YOU!
Your ideas and suggestions worked! I just wanted to say thanks to everyone who replied. I hope I am incorrect in the following statement, but I am going to say it anyway: I am guessing many users on this thread are like me. We post questions (I have posted 2 over the last 5 years), but rarely if ever feel we are expert enough to help answer any, or, more sadly, take the time to. I do appreciate those of you who help people like me out!

Cheers,
Craig

>>> Sergey Kovalev 1/9/2009 3:52 AM >>>
Craig wrote:
>
> Here are the links to 3 sample messages:
>
> http://pastebin.com/d59f95b6d
> http://pastebin.com/d17f12f4
> http://pastebin.com/m46ce2877

I can only see the last message now. Probably you may try to detect blank lines in the body or blank spaces in HTML. In Mail::SpamAssassin::Plugin::BodyEval there is a function check_blank_line_ratio(...) which can be modified for using just N head lines, or a rule like

body BLANK_LINES_30_80 eval:check_blank_line_ratio('30','80','40')
describe BLANK_LINES_30_80 Message body has 30-80% blank lines

may be created. But you should supply your own parameters to the function, because I don't know how many legitimate e-mails with many blank lines you receive.
Re: New spam-to me-and how do I stop.
>>> Randy 1/8/2009 8:09 AM >>>
Matus UHLAR - fantomas wrote:
> On 07.01.09 11:46, Craig wrote:
>
>> X-Mailer: Novell GroupWise Internet Agent 7.0.2 HP
>>
>
>>>>> Randy 1/6/2009 2:42 PM >>>
>>>>>
>> Post 3 similar messages on pastebin so that we can determine a common
>> factor between them. Use pastebin, not this list, to post the message.
>>
>
>> I have 3 messages posted at pastebin.com under the user craig.
>>
>> Thanks.
>>
>
> Please, quote content you are replying to, so we can differ between text
> written by you and others.
>

I briefly looked for this and can't find the 3 messages. I'm thinking posting a link may help.

Here are the links to 3 sample messages:
http://pastebin.com/d59f95b6d
http://pastebin.com/d17f12f4
http://pastebin.com/m46ce2877

Thanks.
Re: New spam-to me-and how do I stop.
Links would help:
http://pastebin.com/d59f95b6d
http://pastebin.com/d17f12f4
http://pastebin.com/m46ce2877

>>> "Craig" 1/7/2009 11:46 AM >>>
>>> Randy 1/6/2009 2:42 PM >>>
Craig wrote:
>
>
> >>> Randy 1/6/2009 2:18 PM >>>
> Craig wrote:
> > Hello All,
> >
> > I have recently been getting MANY spam slipping through SpamAssassin
> > and I am looking for help on how to stop it. I have used SpamAssassin
> > with Bayes successfully for many years now and once I train the system
> > on new spam, the system does an excellent job of stopping it. These
> > messages are very short and include a link. The subject is usually
> > regarding watches, or they are thinly disguised viagra ads. Many are sent
> > from aim.com. Below is header info and below that is the SpamAssassin
> > output of an email that has slipped through.
> >
> >
> > 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> > [score: 0.5000]
> Content analysis details: (3.3 points, 5.0 required)
>
> Train the messages as spam with sa-learn which should add 3.5 to the
> score.
>
> 3.5+3.3=6.8
> 6.8 > 5.0 = spam
>
> thanks for your quick reply-
>
> You are correct; if I teach the system this email it will score as
> spam. But I have trained a lot of spam over the last 2 weeks that
> are very similar to this one and unfortunately the new messages are
> getting through.
>
Post 3 similar messages on pastebin so that we can determine a common factor between them. Use pastebin, not this list, to post the message.

I have 3 messages posted at pastebin.com under the user craig.

Thanks.
Re: New spam-to me-and how do I stop.
>>> Randy 1/6/2009 2:42 PM >>>
Craig wrote:
>
>
> >>> Randy 1/6/2009 2:18 PM >>>
> Craig wrote:
> > Hello All,
> >
> > I have recently been getting MANY spam slipping through SpamAssassin
> > and I am looking for help on how to stop it. I have used SpamAssassin
> > with Bayes successfully for many years now and once I train the system
> > on new spam, the system does an excellent job of stopping it. These
> > messages are very short and include a link. The subject is usually
> > regarding watches, or they are thinly disguised viagra ads. Many are sent
> > from aim.com. Below is header info and below that is the SpamAssassin
> > output of an email that has slipped through.
> >
> >
> > 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> > [score: 0.5000]
> Content analysis details: (3.3 points, 5.0 required)
>
> Train the messages as spam with sa-learn which should add 3.5 to the
> score.
>
> 3.5+3.3=6.8
> 6.8 > 5.0 = spam
>
> thanks for your quick reply-
>
> You are correct; if I teach the system this email it will score as
> spam. But I have trained a lot of spam over the last 2 weeks that
> are very similar to this one and unfortunately the new messages are
> getting through.
>
Post 3 similar messages on pastebin so that we can determine a common factor between them. Use pastebin, not this list, to post the message.

I have 3 messages posted at pastebin.com under the user craig.

Thanks.
Re: New spam-to me-and how do I stop.
>>> Randy 1/6/2009 2:42 PM >>>
Craig wrote:
>
>
> >>> Randy 1/6/2009 2:18 PM >>>
> Craig wrote:
> > Hello All,
> >
> > I have recently been getting MANY spam slipping through SpamAssassin
> > and I am looking for help on how to stop it. I have used SpamAssassin
> > with Bayes successfully for many years now and once I train the system
> > on new spam, the system does an excellent job of stopping it. These
> > messages are very short and include a link. The subject is usually
> > regarding watches, or they are thinly disguised viagra ads. Many are sent
> > from aim.com. Below is header info and below that is the SpamAssassin
> > output of an email that has slipped through.
> >
> >
> > 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> > [score: 0.5000]
> Content analysis details: (3.3 points, 5.0 required)
>
> Train the messages as spam with sa-learn which should add 3.5 to the
> score.
>
> 3.5+3.3=6.8
> 6.8 > 5.0 = spam
>
> thanks for your quick reply-
>
> You are correct; if I teach the system this email it will score as
> spam. But I have trained a lot of spam over the last 2 weeks that
> are very similar to this one and unfortunately the new messages are
> getting through.
>
Post 3 similar messages on pastebin so that we can determine a common factor between them. Use pastebin, not this list, to post the message.

Pastebin: I am not familiar with this. What is the URL?
Re: New spam-to me-and how do I stop.
>>> Randy 1/6/2009 2:18 PM >>>
Craig wrote:
> Hello All,
>
> I have recently been getting MANY spam slipping through SpamAssassin
> and I am looking for help on how to stop it. I have used SpamAssassin
> with Bayes successfully for many years now and once I train the system
> on new spam, the system does an excellent job of stopping it. These
> messages are very short and include a link. The subject is usually
> regarding watches, or they are thinly disguised viagra ads. Many are sent
> from aim.com. Below is header info and below that is the SpamAssassin
> output of an email that has slipped through.
>
>
> 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> [score: 0.5000]
Content analysis details: (3.3 points, 5.0 required)

Train the messages as spam with sa-learn which should add 3.5 to the score.

3.5+3.3=6.8
6.8 > 5.0 = spam

thanks for your quick reply-

You are correct; if I teach the system this email it will score as spam. But I have trained a lot of spam over the last 2 weeks that are very similar to this one and unfortunately the new messages are getting through.
Listing all rules and all scores
SpamAssassin Users,

Is there an easy way to get SpamAssassin to list out all of the rules and all of the rule scores it's currently using? The debug output only tells you what modules and configuration files are loaded, but we're looking for a comprehensive accounting of all of the rule names/scores.

Thanks,
Craig D. Cocca
Lead Developer
ULTIMATE Internet Access
[EMAIL PROTECTED]
Re: not scoring correctly
I use 256K, but I have a small volume (about a thousand emails a day) server load. We are also experimenting with the SaneSecurity definitions for clam which catch a lot of this rodent mail as well and should lower the SA load.

Glad it helped.

Robert Fitzpatrick wrote:
On Wed, 2007-07-18 at 09:57 -0500, Administrator wrote:
A rough guess and probably wrong as usual, but could the message size be larger than what you have set in amavisd-new? If so then SA would be bypassed but not when you manually test the message.

Ding! Thanks! It is set at 64*1024 falling short of all these 70K+ PDF messages. What is recommended bypass these days considering the types of spam out there? I raised it to 128*1024, but I don't want to choke these heavily used gateways.

begin:vcard
fn:Dr. Craig Carriere
n:Carriere;Craig
org:Cobatco Inc.;Technology Development
adr:;;1215 NE Adams Street;Peoria;IL;61550;USA
email;internet:[EMAIL PROTECTED]
tel;work:309.676.2663
tel;fax:309.676.2667
url:http://www.cobatco.com
version:2.1
end:vcard
Re: pdf tools clarification?
Not really SA specific, but to add to your list there are the SaneSecurity virus definitions for ClamAV, which also apparently catch a lot of this type of rodent-mail if you are willing to use third party virus definitions. I have also enabled additional RBL look-ups for our site for some of the quicker responding, but more aggressive, RBLs, and the additional modest scores from some of these have helped us to catch nearly all of the pdf-type scams. YMMV

JT DeLys wrote:
Hi Jerry,

I noticed that sa-update last night pulled in something new, but I don't know which of the files changed since they all have today's date on them. Maybe that was it.

I don't know if it's the /only/ place that it's available, but you're correct -- a manual sa-update pulled the 80_additional.cf file. Thanks. Still hoping to get some clarification about/among the others.

--
Thanks,
JTDeLys
Re: Returned mail: see transcript for details
Jonathan:

No need to apologize at all; you did me a favor by letting me know we were still having these issues with our ISP's "anti-spam" methods. Will get this sorted out one way or the other. Trying to keep your users' mailboxes free of spam is work enough, but having to battle with your ISP over services you are supposed to be opted out of is another issue.

Thanks again, and another apology to any on the list who were offended by my ISP's response.

Jonathan Allen wrote:
> List and [EMAIL PROTECTED],
>
>> First off sorry for the problem and to any from the country of Poland
>> that were offended by this.
>
> I need to apologise to the nice chap at cobatco - I really didn't mean
> to cause you any embarrassment on the public list, but I didn't think
> I could reach you any other way since your ISP is blocking my emails.
> Someone else suggested that I should have used the [EMAIL PROTECTED]
> address since by the RFC that isn't supposed to be filtered, but I had
> already posted by then.
>
>> Gives me something to address this afternoon since I thought I had this
>> solved ...
>
> Hope you get it fixed ...
>
> Jonathan
SaneSecurity
Perhaps more a clamav question, but does anyone use the additional definitions for clam from SaneSecurity and are they helpful in the Spam Wars? Thanks
Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam
Matt wrote:
>> First - use dummy MX records. Real mail retries. Botnet and most
>> spammers don't. It's easier for them to try to spam someone else than to
>> fight your filter. MX config is as follows:
>>
>> dummy - 10
>> real - 20
>> real-backups - 30
>> dummy - 40
>> dummy - 50
>> dummy - 60
>
> Currently I have mail.mydomain.com as 10. Can I just change that to
> 20 and add mail5.mydomain.com as 10 but not have an IP associated with
> mail5.mydomain.com or will that cause trouble?
>
> Matt
>

Are you sure about this approach? Most of what hits our backup server, listed at a higher MX record, is spam. I was, and am, under the impression that many spambots are set to fire at higher MXs under the assumption that admins might not spend as much time on the anti-spam set-up of those servers.
Re: Bayes Misidentification
Just a guess and probably wrong, but if you encrypt your data in MySQL are you sure your system can read the key file and decrypt the data? If not, Bayes will be fed encrypted mail and will soon become corrupted. Also, have you tried to simply delete all from your MySQL Bayes bases and retrain it?

Ben Lentz wrote:
> Greetings list!
>
> Starting Friday, June 1st, every email that passes through my
> site-wide SpamAssassin system has been coming through with BAYES_99.
> I've been running with Bayes for months without any accuracy problems,
> and I can't figure out what has changed.
>
> I am storing the Bayes data in a MySQL database. I tried truncating
> the database on Friday when I first detected this issue, but sure
> enough, all my external messages are now coming through with BAYES_99
> again.
>
> I don't trust the Bayes system any more and after many user
> complaints, I've opted to turn it off. However, setting use_bayes 0
> doesn't seem to do anything; messages are still coming through with
> BAYES_99.
>
> Is anyone else having this issue? Is my database just being poisoned
> over and over again?
>
> Thanks for any input anyone can provide.
>
Re: SA 3.2 , AWL and auto_whitelist_factor
For how AWL computes its scores see http://wiki.apache.org/spamassassin/AutoWhitelist. For doing manual whitelisting see http://wiki.apache.org/spamassassin/ManualWhitelist. How do you call SpamAssassin? If from amavis, you can also whitelist in its config files.

.rp wrote:
I'm very confused now. How does it determine which message to use for the 'old score'? If I wanted to assign a negative number to those addresses that are whitelisted in order to let more of them through, what am I supposed to use if not AWL?

thanks,

On 31 May 2007 at 11:56, Craig Carriere wrote:
Perhaps I am misinterpreting what you are asking, but AWL is not a whitelist that you can assign a set score to; it is a weighting function. By assigning a factor of 0.7 to AWL you asked it to bias its setting to basically 70% of the difference between the old score for that message and the new score for mail of this type. At its default setting of 0.5, if you receive a mail message that is scored at 2 and another comes in at 4, AWL will assign a score of -1 to the message to bring it to a total of 3. This will vary with each message and I see no way or value in having this function defined at a set number. I wish they would change the name of this thing to something more descriptive.

.rp wrote:
in the /etc/mail/spamassassin/local.cf there is an entry

auto_whitelist_factor 0.7

Yet in the scoring, the listing is:

* header * -0.1 AWL AWL: From: address is in the auto white-list

where did the -0.1 come from? how can i change it to -1.0?

thanks.
Re: SA 3.2 , AWL and auto_whitelist_factor
Perhaps I am misinterpreting what you are asking, but AWL is not a whitelist that you can assign a set score to; it is a weighting function. By assigning a factor of 0.7 to AWL you asked it to bias its setting to basically 70% of the difference between the old score for that message and the new score for mail of this type. At its default setting of 0.5, if you receive a mail message that is scored at 2 and another comes in at 4, AWL will assign a score of -1 to the message to bring it to a total of 3. This will vary with each message and I see no way or value in having this function defined at a set number. I wish they would change the name of this thing to something more descriptive.

.rp wrote:
in the /etc/mail/spamassassin/local.cf there is an entry

auto_whitelist_factor 0.7

Yet in the scoring, the listing is:

* header * -0.1 AWL AWL: From: address is in the auto white-list

where did the -0.1 come from? how can i change it to -1.0?

thanks.
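An added example (written for this page, not SpamAssassin's own AWL module) that reproduces the weighting Craig describes: the AWL adjustment is (mean of the sender's earlier pre-AWL scores minus this message's pre-AWL score) times auto_whitelist_factor, and the message's own pre-AWL score is then added to that sender's history. The sender key and the score sequences are constructed; in SpamAssassin the key also includes an IP prefix.

```python
class AutoWhitelistSim:
    """Minimal model of the AWL arithmetic. History is keyed by sender;
    SpamAssassin keys it by From: address plus an IP prefix (assumption
    simplified here)."""

    def __init__(self, factor: float = 0.5):
        self.factor = factor           # auto_whitelist_factor (default 0.5)
        self.history = {}              # key -> (total of pre-AWL scores, message count)

    def adjust(self, key: str, score: float) -> float:
        """Return the AWL delta for a message that scored `score` before AWL,
        then record that pre-AWL score in the sender's history."""
        total, count = self.history.get(key, (0.0, 0))
        delta = 0.0
        if count:                      # the first message from a sender gets no adjustment
            mean = total / count       # the "old score" is the running mean, not one message
            delta = round((mean - score) * self.factor, 3)
        self.history[key] = (total + score, count + 1)
        return delta


def awl_sequence(scores, factor=0.5, key="sender@example.invalid"):
    """Run a sequence of pre-AWL scores from one sender through the model.

    Returns (deltas, final_scores): the AWL points added to each message and
    the resulting totals. Craig's case is awl_sequence([2.0, 4.0], 0.5):
    the second message gets -1.0 and lands at 3.0.
    """
    awl = AutoWhitelistSim(factor)
    deltas = [awl.adjust(key, s) for s in scores]
    finals = [round(s + d, 3) for s, d in zip(scores, deltas)]
    return deltas, finals


if __name__ == "__main__":
    # Same two messages at the default factor and at .rp's 0.7: the delta scales
    # with the gap between history and the current score, never a fixed offset.
    print(awl_sequence([2.0, 4.0], 0.5))
    print(awl_sequence([2.0, 4.0], 0.7))
    print(awl_sequence([2.0, 4.0, 3.0], 0.5))   # third message sits at the mean: delta 0
```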
Re: Lint results question
In my humble opinion, no. What you are seeing is a warning from SA that the author of that rule has been too verbose in their description section. SA has gotten more strict with many aspects of rule format over the past several releases. The warning is not an indication that the rule will not be called.

Clay Davis wrote:
Should I be concerned with the following as a result of "--lint -D"?

config: SpamAssassin failed to parse line, skipping: check_mx_delay 5
warning: description for FS_START_DOYOU2 is over 50 chars

Thanks,
Clay
Re: BAYES_99 triggered on every message
Perhaps a dumb comment on my part, but have you tried to delete the table entries from the MySQL database, and are you sure you are using the SA user? Doesn't sa-learn --clean only clear the Berkeley DBs? You appear to state that you are using MySQL.

Best

Jari Fredriksson wrote:
>
> SpamAssassin version 3.1.8 assembled via cpan
>
> Every message gets BAYES_99, even when
>
> a) the message has no body
>
> b) I have cleaned the database with sa-learn --clean (Still BAYES_99
> while the bayes should be off!)
>
> The bayes database is in a MySQL instance, and the connection works
> (-D --lint sees it).
>
> I tried to google and found one similar question out there, but no
> answers. So it is not a systematic error in some version but something
> more rare.
>
> I have used SA for years, and this thing appeared when I installed SA
> once more again via cpan, while earlier versions installed with Debian
> Sarge worked ok. Also earlier versions installed via cpan on top of
> Red Hat 7.3 worked ok.
>
Re: Problem installing SA 3.2.0 via CPAN on OPenSuSE 10.2 or SLES 10
Stephen:

A follow-up to my own message. I have been able to successfully install 3.2 on my backup SLES 10 mail server from the downloaded source code. CPAN still fails with the error you mentioned. When I installed 3.18 I used CPAN without problems.

Best

Craig Carriere wrote:
> Stephen:
>
> Cannot help you out, but I also receive the same errors on both of my
> SLES10 boxes. Install on Opensuse 10.1 from either source or cpan works
> fine, which is strange since SLES10 is based on 10.1.
>
> Best,
>
> Stephen Carter wrote:
>
>> Hi guys,
>>
>> I've tried to install SA 3.2.0 on both unpatched and fully patched
>> versions of OpenSuSE 10.2 and SLES 10 via CPAN but on all attempts I receive
>> the following errors during one of the test phases. It would be great if
>> someone could help me out.
>>
>> t/spamc_z...Not found: firstline = Return-Path: [EMAIL PROTECTED]
>> # Failed test 2 in t/SATest.pm at line 633
>> Not found: subj = Subject: There yours for FREE!
>> # Failed test 3 in t/SATest.pm at line 633 fail #2
>> Not found: endsinnums = TEST_ENDSNUMS
>> # Failed test 4 in t/SATest.pm at line 633 fail #3
>> Not found: noreal = TEST_NOREALNAME
>> # Failed test 5 in t/SATest.pm at line 633 fail #4
>> Not found: lastline = This must be the very last line
>> # Failed test 6 in t/SATest.pm at line 633 fail #5
>> Not found: flag = X-Spam-Flag: YES
>> # Failed test 7 in t/SATest.pm at line 633 fail #6
>> Not found: stars = X-Spam-Level: **
>> # Failed test 8 in t/SATest.pm at line 633 fail #7
>> Not found: status = X-Spam-Status: Yes, score=
>> # Failed test 9 in t/SATest.pm at line 633 fail #8
>> Output can be examined in: log/d.spamc_z/out.1
>> t/spamc_z...FAILED tests 2-9
>> Failed 8/9 tests, 11.11% okay
>>
>> Thanks,
>>
Re: Problem installing SA 3.2.0 via CPAN on OPenSuSE 10.2 or SLES 10
Stephen:

Cannot help you out, but I also receive the same errors on both of my SLES10 boxes. Install on Opensuse 10.1 from either source or cpan works fine, which is strange since SLES10 is based on 10.1.

Best,

Stephen Carter wrote:
> Hi guys,
>
> I've tried to install SA 3.2.0 on both unpatched and fully patched
> versions of OpenSuSE 10.2 and SLES 10 via CPAN but on all attempts I receive
> the following errors during one of the test phases. It would be great if
> someone could help me out.
>
> t/spamc_z...Not found: firstline = Return-Path: [EMAIL PROTECTED]
> # Failed test 2 in t/SATest.pm at line 633
> Not found: subj = Subject: There yours for FREE!
> # Failed test 3 in t/SATest.pm at line 633 fail #2
> Not found: endsinnums = TEST_ENDSNUMS
> # Failed test 4 in t/SATest.pm at line 633 fail #3
> Not found: noreal = TEST_NOREALNAME
> # Failed test 5 in t/SATest.pm at line 633 fail #4
> Not found: lastline = This must be the very last line
> # Failed test 6 in t/SATest.pm at line 633 fail #5
> Not found: flag = X-Spam-Flag: YES
> # Failed test 7 in t/SATest.pm at line 633 fail #6
> Not found: stars = X-Spam-Level: **
> # Failed test 8 in t/SATest.pm at line 633 fail #7
> Not found: status = X-Spam-Status: Yes, score=
> # Failed test 9 in t/SATest.pm at line 633 fail #8
> Output can be examined in: log/d.spamc_z/out.1
> t/spamc_z...FAILED tests 2-9
> Failed 8/9 tests, 11.11% okay
>
> Thanks,
>
Re: AWL Troubles
AWL is not a whitelist in the sense I think you are referring to. AWL is a weighting that applies a +/- score to mail that it sees as spam or ham from repeated learning of similar mail types. If AWL is routinely assigning the wrong weight to your mail then I would delete the table in your database and let the system relearn; however, if this is the case I would suspect that your Bayes database must also be askew.

Best

Clay Davis wrote:
I need a quickie on the AWL. It looks like some spam is getting assigned a negative score because of an AWL rule(?). The messages are text and not too spammy otherwise, but from a layman's perspective, definitely not something that should be on a whitelist. I know how to remove from the whitelist, but how did they get there in the first place?

Thanks, gang.
Clay
Re: ANNOUNCE: Apache SpamAssassin 3.2.0 available
I receive the exact same error on SLES10, FWIW.

Michael Scheidell wrote:
-----Original Message-----
From: Justin Mason [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 02, 2007 8:43 AM
To: users@SpamAssassin.apache.org; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: ANNOUNCE: Apache SpamAssassin 3.2.0 available

Apache SpamAssassin 3.2.0 is now available! This is the official release, and contains a significant number of changes and major enhancements -- please use it!

Downloads are available from:
http://spamassassin.apache.org/downloads.cgi?update=200705021400

Still get this on FreeBSD. sa-compile SEEMS to run fine, but this happens:

[97520] dbg: rules: compiled one_line_body tests
[97520] dbg: zoom: run_body_fast_scan for body_0 start
/libexec/ld-elf.so.1: /var/db/spamassassin/compiled/3.002000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so: Undefined symbol "Mail_SpamAssassin_CompiledRegexps_body_0_scan1"
Re: RBL tests on MTA vs. RBL rules on SA
Bret:

You do not mean you run the same RBLs at the MTA and SA level, do you? If the MTA rejects on an RBL there should be nothing for SA to score on, as that message is rejected already. I currently score in SA on a number of RBLs but would be interested to know what you regard as safe to use at the MTA level. Although our mail volume is small, we need to receive mail from customers who I have found can be listed on several of the more aggressive RBLs, thus I have given up trying to reject at the MTA level.

Thanks

Bret Miller wrote:
Hi, list,

I know this is one of those "egg and chicken" kind of questions, but having now the possibility of checking the impact of various setups, I was wondering if it is more convenient to let the MTA perform the RBL checks, or disable them and let SA do this job.

Currently I am using zen.spamhaus.org as my primary (and only) RBL tester on Postfix, and I am kinda surprised. The daily statistics show that my server is rejecting almost 22000 connections a day, and accepting only 2500-3000 emails.

The major drawback is bayes. It seems to lack the necessary amount of data to catch up as the spam evolves, so I'm continuously getting new kinds of spam (meaning that I can't figure out a tendency to draw a rule from).

So I'm asking if anyone has a solution for this, or how do you deal with this (to me) delicate balance.

For me, it's not an either-or choice. The RBLs I can use on the MTA are very limited because the consequences of a false-positive are very severe (i.e., the message doesn't even get received). Dropping the same from SA reduces its effectiveness. So, I just run them in both places. Repeating a DNS lookup shouldn't be too expensive if your DNS server caches the result.

Bret
Bayes Question
Hello All,

My Bayes database seems to have problems and I would like suggestions on how to correct it. Here is my issue: I take any spam email from my users and run the following commands

a. spamassassin -R name of spam file to check
b. spamassassin -r name of spam file to check
c. sa-learn --forget name of spam file to check
d. sa-learn --spam name of spam file to check

I re-run an email (spamassassin -D -t name of spam file to check.txt) to check all is well, that Bayes learned the email as spam. Today after running the above I still have several messages with the following output info:

Content analysis details: (-0.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.2729]

Thoughts?

Thanks
Craig
Re: Rules report
I utilize amavisd-maia (Maia Mailguard) which provides updated rules stats. The program also provides an easy method to constantly train your Bayes filters. You might want to take a look at it.

Best

Robert Fitzpatrick wrote:
On Thu, 2007-04-19 at 15:03 +0100, Chris Lear wrote:
* Matt Kettler wrote (19/04/07 14:49):
If you want to know how accurate a particular rule is, by comparing the spam vs nonspam hit rates, those stats are useless, because of the bias. You need a manually sorted corpus to get this kind of information.

If you want to see which rules are getting used a lot, vs those that are rarely getting used, these stats are quite useful.

If you want a "top x rules" list, sa-stats can do that for you:
http://www.rulesemporium.com/programs/sa-stats.txt

http://www.rulesemporium.com/programs/sa-stats-1.0.txt is probably a bit better in this case. It will parse a spamd logfile and report the most-frequently used spam and nonspam rules (and you can configure how many it will list for each). The 1.0 version can do per-domain and per-user info, given a 3.1 log.

Yes, this is all I'm after, but we use Amavisd-new to pass off to SA, not spamd. The amavisd logs don't seem to show that information. Will it work? Or is there a way to do this with amavisd?
Re: Fighting ham
Does this really mean that auto-learn is "out of balance"? My first guess is that this site probably relies only on SA to combat spam and does little at the MTA level to reject UBE mail. They may even run a catch-all account, which would markedly increase his spam count if he is not rejecting for non-existent users. At my small mail server, even with conservative MTA restrictions in place, our spam hits outnumber ham by probably 4-5 to 1. It is just the nature of the beast. I do agree that he needs to manually train his Bayes bases and probably keep feeding ham into the Bayes engine after it starts to fire.

As an aside, do you use any MTA restrictions and/or greylisting?

Best

Duane Hill wrote:
> On Wed, 18 Apr 2007, Faisal N Jawdat wrote:
>
>> On Apr 18, 2007, at 4:26 PM, Robert Fitzpatrick wrote:
>>> Thanks, we are rebuilding bayes and now have in SQL with auto learn
>>> on, is that good? Now has over 25K spam, but just 180 ham.
>>
>> You *really* want to train with more ham than spam.
>
> I have a hard time believing auto learn could be so off-balance. I had
> auto learn turned on here once and the two were usually within 200-300
> messages. Before I turned auto learn off, the bayes_token table had
> over 85 million records in just over three weeks. We ended up letting
> our customers choose whether they wanted to use auto learn or not
> through using the sasql plugin for SquirrelMail.
>
Re: Fighting ham
Robert:

It sounds like your problem rests with your Bayes database. Some SA rules will fire on almost all mail, but a properly trained Bayes filter should be able to reduce your scores to under your spam threshold. None of these scores rate out very aggressively, so I am surprised that these are pushing you over your spam threshold. How have you trained Bayes with your spam and ham mail? Also, I think that the default SA setting of 200 spam and 200 ham is a little low, and I do not regard Bayes as truly effective until about 1000 messages of each kind are learned. That being said, I would, and have, reduced the default score for Botnet from 5.0 to 3.0. Also, if you run the 00_ version of Fred's rules, note that many of them are very aggressively scored. I personally do not let any rule score at over 3.0, except some network tests, to allow Bayes to recover the mail from listing as a FP.

Best

Robert Fitzpatrick wrote:
> Our bayes was apparently giving negative scores incorrectly and I
> re-built it since it was not effective and letting through a lot of
> spam. I didn't realize, but it seems those negative scores were keeping
> SA from applying other tests? Since fixing bayes, we are blocking so
> much ham it is not funny. These are the rules that I have basically had
> to disable them below. We run Rules Du Jour, but only zero level rules,
> those are the only updates besides bayes, plus KAM.cf and Botnet.cf.
> Given Botnet.cf blocks quite a few, but I understand why. I don't know
> if any of these rules are part of RDJ, but why so much ham is being hit
> with only these rules. Does SA with updates and these rules hit so much
> ham for others? We are constantly getting complaints of our over
> aggressive spam filters.
>
> score PART_CID_STOCK 0
> score PART_CID_STOCK_LESS 0
> score TVD_FW_GRAPHIC_ID1 0
> score TVD_FW_GRAPHIC_ID3 0
> score TVD_FW_GRAPHIC_ID3_2 0
> score MY_CID_AND_STYLE 0
>
Response
Mário Gamito wrote:
> Hi,
>
> How can i know how many messages did already sa-learn processed ?

You mean the total number of messages learned in the bayes database (includes sa-learn and autolearn)?

sa-learn --dump magic

Make sure you run as SA user to query the right database.
sa-update too quiet
Could future versions of sa-update please be a little more vocal? Like maybe "no new updates found | loaded xxx new updates | error xxx"

Exit codes are not evident when simply typing sa-update on the command line...

--
View this message in context: http://www.nabble.com/sa-update-too-quiet-tf3487700.html#a9738309
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
SA 3.1.8 with Guinevere and Groupwise integration
Hello All-

I currently run Groupwise 7 as my mailserver and use Guinevere with SA enabled to scan messages. My current version of SA is 3.1.7. I tested upgrading to SA 3.1.8 and I receive the following score on ALL emails-

2.5 MISSING_HB_SEP

In SA 3.1.7 and earlier there was a fix written by Michael Bell (I am guessing it was him-I want to give credit where credit is due, because I never would have figured it out by myself); the link is http://64.142.36.76/fixguin310.html

Yes I realize this is more of a question for the GroupWise/Guinevere people, but this board seems to have a lot of correct answers. Are there some changes I can do to SA to allow me to continue upgrading to the latest versions of SA, or am I going to top out at 3.1.7? Obviously I could give Missing_HB_SEP a score of 0, but I would prefer to keep all tests.

Thanks
Craig Canfield
Retry of inquiry about single-GIF leaks
Yesterday I wrote to express surprise that our SA tends to leak spam into our Inbox that contains one GIF image, and that none of the built-in tests involving images triggers on such emails.

Looking more at such spam, it looks like they avoid the built-in tests by the following means:

1. They provide enough (visible but meaningless) text to exceed HTML_IMAGE_ONLY_32 and __HTML_LENGTH_1536_2048.
2. The text has enough relative area to exceed HTML_IMAGE_RATIO_08.
3. The text size is large enough to exceed the small font size tests.

For myself, I would be happy to have one or more new tests that detect something like "one GIF image, the length or area of which exceeds a gadget like a signature, button, or icon". By scoring such a thing with maybe 2 points, I could consign this last major category of spam leaks to the Junk folder.

Have such test(s) been written, and if so can I get them, and if so, how? If not, can anyone suggest resources that might help me write my own test(s)? Particularly of interest are routines that measure the source length or decoded area of an image.

Thanks,
Craig MacKenna
www.animalhead.com

P.S.: those of you interested in DNSBLs might like http://www.animalhead.com/false_pos.html
spam with image/gif doesn't show a rule for "image"
Hi SA users,

We're receiving leaked spam that has one gif image in each. In such emails, the SA status line doesn't show a rule match for an image. Here's a sample:

No, score=3.0 required=5.0 tests=EXTRA_MPART_TYPE,HTML_MESSAGE autolearn=no version=3.1.7

Looking at the source for the email with that status line, it contains a MIME header like this:

--=_NextPart_751_0238_74D66A10.EB28167E
Content-Type: image/gif; name="aedvi.gif"
Content-Transfer-Encoding: base64

Shouldn't SA notice this image and show an image item in its status line? If so, is this a known problem and is there a fix available?

Thanks for your consideration,
Craig MacKenna
www.animalhead.com
Los Gatos, CA
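The check the two single-GIF posts above ask for (one image/gif part whose decoded area exceeds a signature, button or icon), as an added standalone example; it is not SpamAssassin's own code nor its ImageInfo plugin. It reads width and height straight from the GIF header after undoing the base64 transfer encoding; the 40,000-pixel threshold, the message and the minimal GIF are constructed for the demonstration.

```python
import base64
import struct
from email import message_from_bytes

GIF_MAGIC = (b"GIF87a", b"GIF89a")


def gif_dimensions(data):
    """Return (width, height) from a GIF's logical screen descriptor, or None.

    Bytes 0-5 hold the signature and version, bytes 6-9 the little-endian
    width and height; nothing past the header has to be decoded.
    """
    if len(data) < 10 or data[:6] not in GIF_MAGIC:
        return None
    return struct.unpack("<HH", data[6:10])


def gif_parts(raw_message):
    """List every image/gif MIME part with its decoded size and pixel area."""
    msg = message_from_bytes(raw_message)
    parts = []
    for part in msg.walk():
        if part.get_content_type() != "image/gif":
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64
        dims = gif_dimensions(payload)
        parts.append({
            "name": part.get_param("name") or part.get_filename(),
            "decoded_bytes": len(payload),
            "width": dims[0] if dims else None,
            "height": dims[1] if dims else None,
            "area": dims[0] * dims[1] if dims else 0,
        })
    return parts


def single_large_gif(raw_message, min_area=40_000):
    """True when the message carries exactly one GIF whose area is at least
    min_area pixels, i.e. bigger than a signature, button or icon.
    The 40,000-pixel (200x200) default is an assumed threshold, not SA's."""
    parts = gif_parts(raw_message)
    return len(parts) == 1 and parts[0]["area"] >= min_area


def fake_gif(width, height):
    """Constructed minimal GIF89a: header, logical screen descriptor, no
    colour table, no image data, trailer. Enough for the header check."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00" + b";"


def sample_message(width=600, height=400):
    """Constructed multipart message shaped like the leaked spam described
    above: some visible HTML text plus one base64-encoded image/gif part."""
    boundary = "=_NextPart_000_SAMPLE"  # constructed boundary
    b64 = base64.b64encode(fake_gif(width, height)).decode()
    return (
        "From: sender@example.com\r\n"
        "To: user@example.com\r\n"
        "Subject: sample\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/related; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: text/html; charset=us-ascii\r\n"
        "\r\n"
        '<html><body>Some visible but meaningless text <img src="cid:aedvi"></body></html>\r\n'
        f"--{boundary}\r\n"
        'Content-Type: image/gif; name="aedvi.gif"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "Content-ID: <aedvi>\r\n"
        "\r\n"
        f"{b64}\r\n"
        f"--{boundary}--\r\n"
    ).encode()


if __name__ == "__main__":
    for p in gif_parts(sample_message()):
        print(p)
    print("single large gif:", single_large_gif(sample_message()))
```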
Re: Training Bayesian Filter
Do you have a size limit set? I.E. only messages less than xxx size will be scanned-and are these spam greater than xxx.

>>> <[EMAIL PROTECTED]> 1/4/2007 4:14 AM >>>
>[EMAIL PROTECTED] wrote:
> Running spamassassin 3.0 and I'm invoking it through amavisd. When I train the spamassassin using sa-learn for ham and spam respectively, it seems to only work for the ham not the spam. The command runs fine, but spam e-mail that I trained spamassassin with still show up untagged as spam. The ham e-mail that I trained spamassassin with work fine and they don't get tagged as spam anymore.
>
> Running spamassassin under Mandriva 2006 Linux.
>
> Your help would be appreciated.

>This depends on how your server is set up. Are you using mbox style in-boxes?
>If so, make sure that you're using the --mbox switch along with the --spam or --ham switches.
>-=Aubrey=-

I'm not using mbox style in-boxes, therefore I don't use that switch. Like I mentioned before, the commands sa-learn --ham and sa-learn --spam run successfully and spamassassin reports that it learns from x amount of messages from both. The issue is that in practice, only the ham seem to take effect and the spam still come through as untagged.
Re: SA not firing on every email
Thanks for your reply

It's not that the server is too busy-I can put any one of those emails in the receive directory when no other emails are in the queue-and being scanned and it still gets passed through. Size is not an issue, the emails are 26k.

More details- I have spamassassin integrated with Guinevere, and Groupwise is my mail application.

Any and all suggestions are welcome!

>>> Rick Macdougall <[EMAIL PROTECTED]> 12/06/2006 5:01 PM >>>
Craig wrote:
> Yes I have asked this question previously, but with not as much detail.
>
> MY ENVIRONMENT
> SA 3.1.7
> running on Windows 2000
> Using Bayes
>
> In the past 2 days my email server has received 14,973 email messages, Spamassassin has scanned 10,951 of those messages, and my users have received @ 250 spam messages.
>
> Most of those spam messages have Subjects like;
> - All love enhancers on one portal!
> - Full of health? Then don't click!
> - Need medicine? All here!
> and my favorite
> - She wants a better sex? All you need's here!
>
> Why does SA fire on some emails (10,951) and not others (4,022)
> If I run any of these captured emails through manually, they score 50+ points.

Hi,

Perhaps SA was too busy and those messages timed out and weren't scanned ? Maybe those messages were greater than 250K (default max scan size) ?

I'd personally go with option 1 but I don't know your server setup, how many children you allow with spamd and how busy your server is.

Regards,

Rick
SA not firing on every email
Yes I have asked this question previously, but with not as much detail.

MY ENVIRONMENT
SA 3.1.7
running on Windows 2000
Using Bayes

In the past 2 days my email server has received 14,973 email messages, Spamassassin has scanned 10,951 of those messages, and my users have received @ 250 spam messages.

Most of those spam messages have Subjects like;
- All love enhancers on one portal!
- Full of health? Then don't click!
- Need medicine? All here!
and my favorite
- She wants a better sex? All you need's here!

Why does SA fire on some emails (10,951) and not others (4,022)
If I run any of these captured emails through manually, they score 50+ points.

Below is the header info from one such email.

MAIL FROM:<[EMAIL PROTECTED]>
RCPT TO:<[EMAIL PROTECTED]>
Received: from friend (pool-68-239-67-125.res.east.verizon.net [68.239.67.125]) by United_Way.unitedwayqc.org with ESMTP; Tue, 05 Dec 2006 12:27:42 -0600
Message-ID: <[EMAIL PROTECTED]>
From: "Peter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: She wants a better sex? All you need's here!
Re: Best Choice for Bayes filtering on SpamAssassin
Michael Scheidell wrote: -Original Message- From: Nigel Frankcom [mailto:[EMAIL PROTECTED] Sent: Saturday, December 02, 2006 2:24 PM To: SpamAssassin Subject: Re: Best Choice for Bayes filtering on SpamAssassin My MTA has a list of SA servers it will use in series; if 1 is unavailable it will got to 2 and so on. Biggest issue with that, is that box #2 will see less 'real email' then box #1, and have a very jaded view of the world... Almost EVERYTHING would be a spam token.. What you seem to have missed in the conversation is that there is a *single* bayes backend.. -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: forged spam emails from my own domain
vertito wrote:
> config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]
>
> i tried your advise but i had a line of error from my maillog, which is shown above. [EMAIL PROTECTED] is just for a test.

whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net

Use this to supplement the whitelist_from addresses with a check against the Received headers. The first parameter is the address to whitelist, and the second is a string to match the relay's rDNS.

--
Craig
Re: How does some spam pass through?
Thanks for your quick reply

Ok, I am new to this-and I am sure its a "no brainer" but "non-spam tagging" -I do not understand. If you could explain-or if its documented feel free to scold me-I would appreciate it.

Craig

>>> "Loren Wilton" <[EMAIL PROTECTED]> 12/1/2006 11:05 AM >>>
Typical case is that you were one of the lucky early recipients before the spam made it into all the blocklists, so it got a low score. You should have got a pretty hefty score from the local tests, but there is another 10+ points in net tests there too.

It looks like bayes should have caught it with your 4.0 limit. This makes me suspect bayes didn't run. Look at the original mail tagging and see, if you have a setup where you have non-spam tagging. (and if not, fix things so you do, it makes this easier to debug.)

Loren

----- Original Message -----
From: Craig ( mailto:[EMAIL PROTECTED] )
To: users@spamassassin.apache.org
Sent: Friday, December 01, 2006 8:47 AM
Subject: How does some spam pass through?

Below are the results from a Spamassassin -D test of a message that was previously delivered this morning. How does something like this pass through- when I run the checks on the email after it is delivered the system clearly knows its spam.

Thanks
Craig

X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
X-Spam-Report:
 * 0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
 * 0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 * [score: 1.]
 * 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 * [80.171.36.179 listed in dnsbl.sorbs.net]
 * 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 * [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 * 1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 * [80.171.36.179 listed in combined.njabl.org]
 * 1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
 * 0.0 BOTNET_CLIENT Hostname looks like a client hostname
 * 5.0 BOTNET Any Botnet rule hit
How does some spam pass through?
Below are the results from a Spamassassin -D test of a message that was previously delivered this morning. How does something like this pass through- when I run the checks on the email after it is delivered the system clearly knows its spam.

Thanks
Craig

X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
X-Spam-Report:
 * 0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
 * 0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 * [score: 1.]
 * 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 * [80.171.36.179 listed in dnsbl.sorbs.net]
 * 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 * [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 * 1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 * [80.171.36.179 listed in combined.njabl.org]
 * 1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
 * 0.0 BOTNET_CLIENT Hostname looks like a client hostname
 * 5.0 BOTNET Any Botnet rule hit
Re: Easyjet e-mail scoring very high
Chris Lear wrote: * Loren Wilton wrote (01/12/06 14:54): The html contains this sort of thing: http://www.easyjet.com/EN/Members/ Which looks like the culprit. In fact, every full stop in the html is represented as . for some reason. Still wondering though... how do you solve a problem like EasyJet? Sure looks like spam to me. ;-) Which also looks like just about every airline message I've seen from any airline. :-( Apparently they hired spammers to design their marketing campain mail. You could try sending to mostmaster or whatever at whichever marketing company is really sending that mail and see if you can get any attention from them. Probably not, but it might be worth trying. The trouble is, it's not marketing. It's a confirmation of a flight booking, which I paid for. The airline doesn't issue tickets. So it's something I genuinely want in my inbox. It looks like it's generated directly by the easyjet.com web server. If its just a one time thing, there's probably nothing you'll want to spend the time doing about it. If its going to be recurring, it might be worth the effort to dust off your PCRE and write a rule or two to offset the score. -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: Prevent scanning internal mail
Gary V wrote: Exactly. How you prevent sending the message through SA is not a function of SA itself, but of the implementation, and because of the large number of implementations and configurations I question whether it would be practical (or even related) to provide examples of the various procedures. Point well taken Gary. I didn't see much of anything on this subject in the Wiki. Neither did I. I've been googling a bit and the cornucopia of hits for +spamassassin is a mess. :-) -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: whitelisted where?
Scott Kopel wrote: I'm noticing a bunch of obviously spam that is getting thru because it is "whitelisted" where is this whitelist? it's not something I created. it's not the auto_whitelist is it? wouldn't that say AWL is it the phishing whitelist? when I start MailScanner I see "Read 755 hostnames from the phishing whitelist" As a follow-up: http://wiki.mailscanner.info/doku.php?id=maq:index # For whitelist: edit the spam.whitelist.rules from the rules directory following the format shown in the file. # -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: whitelisted where?
Scott Kopel wrote: I'm noticing a bunch of obviously spam that is getting thru because it is "whitelisted" where is this whitelist? it's not something I created. it's not the auto_whitelist is it? wouldn't that say AWL is it the phishing whitelist? when I start MailScanner I see "Read 755 hostnames from the phishing whitelist" thanks for any help [snippage] X-English-FSU-MailScanner-SpamCheck: not spam (whitelisted), I think you answered your own question here.. 'not spam (whitelisted)' is not something SA adds. Might wanna tug the chain for the MailScanner folks. -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: webg bug
Jean-Paul Natola wrote: I was wondering if there is a way to either strip away, or totally block messages that have "web bugs" that report back to servers like www.readnotify.com http://www.impsec.org/email-tools/procmail-security.html Can someone help a newbie find some info on installing procmail ? http://www.google.com/search?q=installing+procmail -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: Prevent scanning internal mail
Theo Van Dinter wrote: On Thu, Nov 30, 2006 at 01:02:29PM -0800, leemansvg wrote: This might be a simple question for most of you. How would I prevent spamassassin from scanning my internal mail, e.g from a particular server, or originating from my internal network. Don't pass those to SpamAssassin. Once SA gets a mail, it'll be scanned. Is there a FAQ entry for this somewhere on the wiki? If not, there should be.. This is the 3rd or 5th time in the past couple days something similar has been asked.. -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: forged spam emails from my own domain
vertito wrote:
> i am receiving spam emails coming from my own domain.com but that email address does not existing from my own domain.com. say my domain is mydomain.com and that spam email had FROM header that shows [EMAIL PROTECTED] which is currently whitelisted from spamassassin global rules and currently does not exist from my users list. that is why i am receiving it from my INBOX and not from SPAM folder, anyone has idea or a script to move this to SPAM folder? tnx

Have your MTA reject addresses that aren't present in your user list. You'll have to look to your MTA's documentation to find the recipe though.

--
Craig
Re: This is so obvious...
Jon D. Slater wrote:
> To me, they look like Perl regular expressions (which I **have** written).
>
> Do I add my new rule to my local.cf or directly to 70_sare_specific.cf?

local.cf is the best place. Placing them in any of the stock SA rule files or in the RDJ files will cause you to lose them if you upgrade them by any automatic means.

> Are there any guides to writing rules?

http://wiki.apache.org/spamassassin/WritingRules

> Also the area code below is written with an 'L' instead of a 1, so I'm assuming I should I test for '314', '3l4' and '3|4'

That looks to be the case, yes.

--
Craig
Re: tagging based on score level
beast wrote:
> Is it possible to make different tag for a different score/classes, for example:
> high: [SPAM!!!] if score > 50
> medium: [SPAM!!] if score between 20 - 50
> low: [SPAM] if score between threshold - 20
>
> The reason is client filter or other redirection program (for example to be redirected/quarantined for further inspection) can not parse the score directly.

perldoc Mail::SpamAssassin::Conf

Look for the TEMPLATE TAGS section, in particular the _STARS(*)_ tag.

--
Craig
Re: Loads of 'xxx wrote:' Spam
Theo Van Dinter wrote: On Mon, Nov 27, 2006 at 09:48:03PM +, Justin Mason wrote: As has been the suggestion for the past X months, run sa-update. :) we've got to make this a more prominent FAQ somehow... Yeah, I keep coming across people on IRC and such that don't know about sa-update, even though it's been out for months. I suggest we add a section to the next release announcements about it. Since its right off the home page and there is a tab for it labeled 'Docs', this would be an excellent place: http://spamassassin.apache.org/doc.html -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: Why won't imageinfo.pm work with SA 3.17? - access
Michael W Cocke wrote:
> I can't get the imageinfo plugin to load with SA 3.17? I put this in v310.pre
>
> loadplugin Mail::SpamAssassin::Plugin::ImageInfo

Try this:

loadplugin Mail::SpamAssassin::Plugin::ImageInfo ImageInfo.pm

--
Craig
Re: How to use --allow-tell?
Craig Morrison wrote:
> Todd A. Jacobs wrote:
>> I was perusing the man pages for spamd in spamassassin 3.1.7, and came across something that seems to imply that I can use spamc to tell spamd to update a sitewide bayesian database:
>>
>> -l, --allow-tell
>> Allow learning and forgetting (to a local Bayes database), reporting and revoking (to a remote database) by spamd. The client issues a TELL command to tell what type of message is being processed and whether local (learn/forget) or remote (report/revoke) databases should be updated.
>>
>> However, I can't find any explanation of how to actually *do* this. What am I missing here?
>
> Look at the source code for spamc.. Its in there.
>
> If you are writing your own `spamc' client, the header set up is:
>
> TELL SPAMC/1.3
> Message-class: spam|ham
> Set: local|remote *or* Remove: local|remote
>
> Followed by the usual 'user' and 'content-length' spamd headers.
>
> For spamc:
>
> spamc ... -L spam|ham|forget -C report|revoke ...

Okay, my interpretation of the code was a bit off, but I did find this (after scratching my head for a while):

http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_current_release_3.1.x/spamd/PROTOCOL

--
Craig
Re: How to use --allow-tell?
Todd A. Jacobs wrote:
> I was perusing the man pages for spamd in spamassassin 3.1.7, and came across something that seems to imply that I can use spamc to tell spamd to update a sitewide bayesian database:
>
> -l, --allow-tell
> Allow learning and forgetting (to a local Bayes database), reporting and revoking (to a remote database) by spamd. The client issues a TELL command to tell what type of message is being processed and whether local (learn/forget) or remote (report/revoke) databases should be updated.
>
> However, I can't find any explanation of how to actually *do* this. What am I missing here?

Look at the source code for spamc.. Its in there.

If you are writing your own `spamc' client, the header set up is:

TELL SPAMC/1.3
Message-class: spam|ham
Set: local|remote *or* Remove: local|remote

Followed by the usual 'user' and 'content-length' spamd headers.

For spamc:

spamc ... -L spam|ham|forget -C report|revoke ...

--
Craig
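The TELL request laid out in the two messages above, as an added example of a minimal client; it is not spamc's code. It assumes spamd was started with --allow-tell on 127.0.0.1:783, CRLF line endings with the message after a blank line, and that spamd answers with DidSet/DidRemove headers as in the PROTOCOL document linked in the follow-up (check that against your version); the message and reply below are constructed.

```python
import socket

CLASSES = ("spam", "ham")
TARGETS = ("local", "remote")


def build_tell(message, message_class, set_targets=(), remove_targets=(),
               user=None, version="1.3"):
    """Build the raw TELL request: request line, headers, blank line, body.

    Content-length is the byte length of the message that follows the
    headers; Set/Remove name the local (Bayes) or remote (report) database.
    """
    if message_class not in CLASSES:
        raise ValueError(f"Message-class must be one of {CLASSES}")
    set_targets, remove_targets = tuple(set_targets), tuple(remove_targets)
    for target in set_targets + remove_targets:
        if target not in TARGETS:
            raise ValueError(f"unknown database {target!r}; use one of {TARGETS}")
    if not set_targets and not remove_targets:
        raise ValueError("TELL needs at least one Set: or Remove: target")
    if set(set_targets) & set(remove_targets):
        raise ValueError("a database cannot be both Set and Remove in one TELL")

    lines = [f"TELL SPAMC/{version}",
             f"Content-length: {len(message)}",
             f"Message-class: {message_class}"]
    if user:
        lines.append(f"User: {user}")
    if set_targets:
        lines.append("Set: " + ",".join(set_targets))
    if remove_targets:
        lines.append("Remove: " + ",".join(remove_targets))
    head = "\r\n".join(lines) + "\r\n\r\n"
    return head.encode("ascii") + message


def parse_tell_response(raw):
    """Parse spamd's status line and its DidSet / DidRemove headers."""
    text = raw.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    status, *headers = head.split("\r\n")
    proto, code, word = status.split(" ", 2)
    if not proto.startswith("SPAMD/"):
        raise ValueError(f"not a spamd response: {status!r}")
    result = {"code": int(code), "status": word, "did_set": [], "did_remove": []}
    for header in headers:
        name, _, value = header.partition(":")
        targets = [v.strip() for v in value.split(",") if v.strip()]
        if name.strip().lower() == "didset":
            result["did_set"] = targets
        elif name.strip().lower() == "didremove":
            result["did_remove"] = targets
    return result


def send_tell(request, host="127.0.0.1", port=783, timeout=30):
    """Deliver a TELL to a running spamd (--allow-tell) and parse the reply.
    Not exercised offline; 783 is spamd's usual listening port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_tell_response(b"".join(chunks))


# Constructed sample message and spamd reply for the offline demonstration.
SAMPLE_MESSAGE = (b"From: someone@example.com\r\nSubject: test\r\n\r\n"
                  b"Body of a message to learn as spam.\r\n")
SAMPLE_REPLY = b"SPAMD/1.1 0 EX_OK\r\nDidSet: local\r\n\r\n"

if __name__ == "__main__":
    print(build_tell(SAMPLE_MESSAGE, "spam", set_targets=("local",), user="craig").decode())
    print(parse_tell_response(SAMPLE_REPLY))
```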
Not sure what to do about this...
it seems over the past couple of weeks, I'm getting 50-80 of these per day into my inbox. From what I can tell, it isn't hitting the bayes filters when other messages do. Anyone have any idea? I have sorted these and trained the bayes filters, but if it isn't hitting them I don't know what more to do. Sometimes the same message ends up in my junk filter, and the bayes score is in the header. I'm at a loss.

Thanks,
Craig

The message got sent back to me, so i'm going to have to just paste what I can from the headers...

To: <[EMAIL PROTECTED]>
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.3-gr0 (2006-06-01) on charlotte.ctrust.com
X-Spam-Level:
X-Spam-Status: No, score=4.5 required=5.0 tests=DNS_FROM_RFC_ABUSE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK autolearn=no version=3.1.3-gr0
Re: Who wants my spam - seriously!
Marc Perkel wrote: As you all know I'm in the spam blocking business and looking to share my information with others to help them block spam for everyone. I'm currently feeding my spam to several people now. You asked Feedback welcome. Given the rants on your website and just your general nature, I wouldn't trust anything you published for consumption. -- Craig
Re: saupdate
Jack Gostl wrote:
> ----- Original Message -----
> From: "Craig Morrison" <[EMAIL PROTECTED]>
> To: "Jack Gostl" <[EMAIL PROTECTED]>
> Cc: "spamassassin"
> Sent: Thursday, November 23, 2006 2:40 PM
> Subject: Re: saupdate
>
> Please keep replies on the list for the benefit of others..
>
> Comments inline..
>
> Jack Gostl wrote:
> Question 2: After running saupdate, I assume that all I have to do is to restart spamd. How can I force spamd to restart and reload its rules? Can I do a simple kill -1? Or do I need an actual kill and restart?
>
> That is highly dependent upon how spamd is invoked.
>
> --
> Craig
>
> Thanks for the response. It was invoked through /etc/inittab with the command:
>
> spam:2:once:/usr/opt/perl5/bin/spamd -m20 -d -A 10.165.1.3,127.0.0.1 -i
>
> Which means no automatic respawning. So does spamd respond to a SIGHUP by restarting?
>
> `man spamd':
>
> "DESCRIPTION
> The purpose of this program is to provide a daemonized version of the spamassassin executable. The goal is improving throughput performance for automated mail checking.
>
> This is intended to be used alongside "spamc", a fast, low-overhead C client program.
>
> See the README file in the "spamd" directory of the SpamAssassin distribution for more details.
>
> Note: Although "spamd" will check per-user config files for every message, any changes to the system wide config files will require either restarting spamd or forcing it to reload itself via SIGHUP for the changes to take effect.
>
> Note: If "spamd" receives a SIGHUP, it internally reloads itself, which means that it will change its pid and might not restart at all if its environment changed (ie. if it can't change back into its own directory). If you plan to use SIGHUP, you should always start "spamd" with the -r switch to know its current pid."
>
> I'm usually not a RTFM prude, however, SpamAssassin is VERY well documented in its manual pages.
>
> --
> Craig
>
> I understand about RTFM, but there is so much new stuff introduced in this release, I'm trying to catch up. What is funny is that I read all the documentation, and this stuff just flew by me.
>
> Anyway, one final thing, and I'm pretty sure this one isn't in the manual. When I run sa-update, I get this message:
>
> Use of uninitialized value in concatenation (.) or string at /usr/opt/perl5/lib/5.8.2/Scalar/Util.pm line 30.
>
> Not sure what to do about that one. Or if it even matters.
>
> Jack

I can't comment on if it matters, but I am fairly certain from experience the answer is most likely going to be upgrading Perl to at least 5.8.8..

--
Craig
Re: A false positive...
Michael Scheidell wrote: -Original Message- From: Craig Morrison [mailto:[EMAIL PROTECTED] Sent: Thursday, November 23, 2006 12:53 PM To: users@spamassassin.apache.org Subject: Re: A false positive... TZ format you should consider sa-learn'ing the messages as ham. On your SA setup these messages are hitting BAYES_95 which is adding 3 points to their score. I odn't think learning one message as spam will drop the _95 rating. Hoever, maybe this will help (put in local.cf) score SARE_LEGIT_EBAY -3.5 If learning them as ham doesn't affect the score then what is the point of the learning system at all? What am I missing? -- Craig
Re: saupdate
Please keep replies on the list for the benefit of others..

Comments inline..

Jack Gostl wrote:
> Question 2: After running saupdate, I assume that all I have to do is to restart spamd. How can I force spamd to restart and reload its rules? Can I do a simple kill -1? Or do I need an actual kill and restart?
>
> That is highly dependent upon how spamd is invoked.
>
> --
> Craig
>
> Thanks for the response. It was invoked through /etc/inittab with the command:
>
> spam:2:once:/usr/opt/perl5/bin/spamd -m20 -d -A 10.165.1.3,127.0.0.1 -i
>
> Which means no automatic respawning. So does spamd respond to a SIGHUP by restarting?

`man spamd':

"DESCRIPTION
The purpose of this program is to provide a daemonized version of the spamassassin executable. The goal is improving throughput performance for automated mail checking.

This is intended to be used alongside "spamc", a fast, low-overhead C client program.

See the README file in the "spamd" directory of the SpamAssassin distribution for more details.

Note: Although "spamd" will check per-user config files for every message, any changes to the system wide config files will require either restarting spamd or forcing it to reload itself via SIGHUP for the changes to take effect.

Note: If "spamd" receives a SIGHUP, it internally reloads itself, which means that it will change its pid and might not restart at all if its environment changed (ie. if it can't change back into its own directory). If you plan to use SIGHUP, you should always start "spamd" with the -r switch to know its current pid."

I'm usually not a RTFM prude, however, SpamAssassin is VERY well documented in its manual pages.

--
Craig
Re: saupdate
Jack Gostl wrote:
> I'm trying to understand saupdate and how to use it. I have two questions. I'm running AIX 5.3.
>
> Question 1: I run the following command:
>
> /usr/opt/perl5/bin/sa-update --nogpg -D --updatedir /tmp/update
>
> It finishes with a return code of 1. It sounds to me like something failed. I can't find any documentation on the return codes, so I'm not sure where to take this. Here is the debug output:
>
> Use of uninitialized value in concatenation (.) or string at /usr/opt/perl5/lib/5.8.2/Scalar/Util.pm line 30.
> [27694] dbg: logger: adding facilities: all
> [27694] dbg: logger: logging level is DBG
> [27694] dbg: generic: SpamAssassin version 3.1.7
> [27694] dbg: config: score set 0 chosen.
> [27694] dbg: message: MIME PARSER START
> [27694] dbg: message: main message type: text/plain
> [27694] dbg: message: parsing normal part
> [27694] dbg: message: added part, type: text/plain
> [27694] dbg: message: MIME PARSER END
> [27694] dbg: dns: is Net::DNS::Resolver available? yes
> [27694] dbg: dns: Net::DNS version: 0.59
> [27694] dbg: generic: sa-update version svn454083
> [27694] dbg: generic: using update directory: /tmp/update
> [27694] dbg: diag: perl platform: 5.008002 aix
> [27694] dbg: diag: module installed: Digest::SHA1, version 2.11
> [27694] dbg: diag: module installed: Net::SMTP, version 2.29
> [27694] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
> [27694] dbg: diag: module installed: IP::Country::Fast, version 604.001
> [27694] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
> [27694] dbg: diag: module installed: Net::Ident, version 1.20
> [27694] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
> [27694] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
> [27694] dbg: diag: module installed: Time::HiRes, version 1.52
> [27694] dbg: diag: module installed: DBI, version 1.53
> [27694] dbg: diag: module installed: Getopt::Long, version 2.34
> [27694] dbg: diag: module installed: LWP::UserAgent, version 2.003
> [27694] dbg: diag: module installed: HTTP::Date, version 1.44
> [27694] dbg: diag: module installed: Archive::Tar, version 1.30
> [27694] dbg: diag: module installed: IO::Zlib, version 1.04
> [27694] dbg: diag: module installed: DB_File, version 1.814
> [27694] dbg: diag: module installed: HTML::Parser, version 3.35
> [27694] dbg: diag: module installed: MIME::Base64, version 2.21
> [27694] dbg: diag: module installed: Net::DNS, version 0.59
> [27694] dbg: channel: attempting channel updates.spamassassin.org
> [27694] dbg: channel: update directory /tmp/update/updates_spamassassin_org
> [27694] dbg: channel: channel cf file /tmp/update/updates_spamassassin_org.cf
> [27694] dbg: channel: channel pre file /tmp/update/updates_spamassassin_org.pre
> [27694] dbg: channel: metadata version = 477972
> [27694] dbg: dns: 7.1.3.updates.spamassassin.org => 477972, parsed as 477972
> [27694] dbg: channel: current version is 477972, new version is 477972, skipping channel
> [27694] dbg: diag: updates complete, exiting with code 1

man sa-update:

EXIT CODES
An exit code of 0 means an update was available, and was downloaded and installed successfully.

An exit code of 1 means no fresh updates were available.

An exit code of 4 or higher, indicates that errors occurred while attempting to download and extract updates.

> Question 2: After running saupdate, I assume that all I have to do is to restart spamd. How can I force spamd to restart and reload its rules? Can I do a simple kill -1? Or do I need an actual kill and restart?

That is highly dependent upon how spamd is invoked.

--
Craig
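An added wrapper (not part of SpamAssassin) that turns the exit codes quoted above into the spoken status the "sa-update too quiet" post asked for, and sends spamd the SIGHUP discussed in the saupdate thread only when new rules were actually installed. It assumes spamd was started with "-r" writing its pid to /var/run/spamd.pid (a constructed path); simulate() stands in a shell exit and a "sleep" child for sa-update and spamd so the logic can be exercised offline.

```python
import os
import signal
import subprocess
import tempfile

# Meaning of sa-update's exit codes, from the EXIT CODES section above.
UPDATED, NO_UPDATE, ERROR_MIN = 0, 1, 4


def describe_exit(rc):
    """Turn sa-update's silent exit code into a one-line status message."""
    if rc == UPDATED:
        return "updated: new rules were downloaded and installed"
    if rc == NO_UPDATE:
        return "no-update: no fresh updates were available"
    if rc >= ERROR_MIN:
        return f"error: sa-update failed while downloading or extracting (exit code {rc})"
    return f"unknown: unexpected exit code {rc}"


def read_pid(pidfile):
    """Read the pid spamd -r wrote; spamd rewrites it after a SIGHUP re-exec."""
    with open(pidfile) as f:
        return int(f.read().strip())


def update_and_reload(cmd=("sa-update",), pidfile="/var/run/spamd.pid"):
    """Run the update command; on exit 0, SIGHUP spamd so it reloads the
    system-wide rules. Nothing is signalled when no update was installed.

    Returns (exit_code, reloaded, message). cmd is a list so a stand-in can
    be substituted; pidfile is the file written by "spamd -r" (assumed path).
    """
    rc = subprocess.run(list(cmd)).returncode
    message = describe_exit(rc)
    reloaded = False
    if rc == UPDATED:
        try:
            os.kill(read_pid(pidfile), signal.SIGHUP)
            reloaded = True
            message += f"; sent SIGHUP to spamd listed in {pidfile}"
        except (OSError, ValueError) as exc:
            message += f"; could not reload spamd via {pidfile} ({exc}), restart it by hand"
    return rc, reloaded, message


def simulate(rc_to_return, with_spamd=True):
    """Offline self-check: a shell exiting with rc_to_return replaces
    sa-update and a 'sleep' child replaces spamd (with_spamd=False writes a
    bogus pidfile). Returns (exit_code, reloaded, child_status) where
    child_status is the sleep's exit status: -1 (SIGHUP) when it was
    reloaded, -9 when this helper had to kill it afterwards."""
    child = subprocess.Popen(["sleep", "30"])
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(str(child.pid) if with_spamd else "not-a-pid")
    try:
        rc, reloaded, _ = update_and_reload(["sh", "-c", f"exit {rc_to_return}"], f.name)
    finally:
        os.unlink(f.name)
    if not reloaded:
        child.kill()
    return rc, reloaded, child.wait()


if __name__ == "__main__":
    rc, reloaded, message = update_and_reload()
    print(message)
    raise SystemExit(0 if rc in (UPDATED, NO_UPDATE) else rc)
```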
Re: A false positive...
Justin Mason wrote:
> Steve [Spamassasin] writes:
>> An ebay "watched item" email has been wrongly tagged as spam... with the following rules:
>> --
>> 2.2 INVALID_DATE Invalid Date: header (not RFC 2822)
>> 0.8 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
>> 0.1 TW_SJ BODY: Odd Letter Triples with SJ
>> 0.0 HTML_MESSAGE BODY: HTML included in message
>> 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99% [score: 0.9887]
>> 0.2 HTML_TITLE_EMPTY BODY: HTML title contains no text
>> -0.0 SARE_LEGIT_EBAY Has signs it's from ebay, from, headers, uri
>> -1.1 AWL AWL: From: address is in the auto white-list
>> --
>>
>> The (sanitised) headers read:
>> --
>> Subject:...
>> From:eBay <[EMAIL PROTECTED]>
>> Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00
>>
>> While I understand why this email may have triggered the Bayesian rule (where spammers have copied ebay's email style...) I am bemused by INVALID_DATE and DATE_IN_PAST_06_12. The dates I see in the header look valid to me - and (if we allow for international time differences) the message was sent two seconds before it was received.
>>
>> Am I overlooking something here? Why doesn't SpamAssassin like these dates?
>
> they're malformed, missing spaces. this is what an RFC-compliant date looks like:
>
> Date: Wed, 22 Nov 2006 16:20:29 +
>
> this is what the ebay.co.uk date looks like, according to yr mail:
>
> Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00
>
> note: missing spaces; extra ":" in the TZ offset; and the TZ name. all are non-rfc-compliant.
>
> --j.

Technically the only thing wrong with the date is the TZ. Section 2.2 of RFC2822 states:

Header fields are lines composed of a field name, followed by a colon (":"), followed by a field body, and terminated by CRLF.

No reference to a mandatory SP character starting the field body.

To the OP, since I highly doubt that you will get eBay to change their TZ format you should consider sa-learn'ing the messages as ham. On your SA setup these messages are hitting BAYES_95 which is adding 3 points to their score.

--
Craig
Re: ****Re: blarsbl
On Tue, 2006-11-21 at 12:07 -0500, DAve wrote:
> Thomas Lindell wrote:
> > At&t mail servers use his service.
> >
> > Which means I can't send to mediacom which is an at&t partner
> >
> > I couldn't believe at&t used his service.
> >
> > What's odd is that my company uses at&t backhaul bandwidth in the form of 4
> > t1's
> >
> > Grr the whole thing is frustrating
> >
> > Tom
> >
> > -----Original Message-----
> > From: DAve [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, November 21, 2006 10:37 AM
> > To: spamassassin
> > Subject: Re: blarsbl
> >
> > Thomas Lindell wrote:
> >> Has anyone had any dealings with this guy.
> >>
> >> I take my mail server very seriously. Further I take spamming very
> >> seriously in general.
> >>
> >> Even when I detect one of my customers sending spam I disable their
> >> internet until the problem is resolved
> >>
> >> The guy that runs the blarsbl list wants to charge my company 1500$ to
> >> remove our mail server from his list.
> >>
> >> When it was listed there for no good reason.
> >>
> >> I checked my mail logs going back 6 months there wasn't a single email
> >> sent nor received from this guy's domain and or ip block.
> >>
> >> It would seem to me he's nothing more than a petty extortionist.
> >>
> >> Anyone else had to deal with this?
> >>
> >> This is the guy's www site
> >>
> >> http://www.blars.org/errors/block.html
> >
> > Any admin blocking based on Blars has no mail we would miss, and we have
> > very liberal limits for mail we accept due to our clients' business models.
> > He falls in the same category as SpamBag.
> >
> > DAve
> >
> > --
> > Three years now I've asked Google why they don't have a logo change for
> > Memorial Day. Why do they choose to do logos for other non-international
> > holidays, but nothing for Veterans?
> >
> > Maybe they forgot who made that choice possible.
>
> I would think a phone call to your account manager with an appropriate
> link to the guy's website would be enough to get the problem solved.
>
> http://www.blars.org/blars06c.jpg
>
> A copy of your past quarter bill from ATT would help to put the point
> into perspective.

by appearances, he doesn't seem much like that AT&T type - that picture pretty much sums it up. ;-)

Craig
Re: Are other people seeing higher Load Averages after moving to 3.1.7?
I think spam is *way* up the last week or two. My server started hovering at a load average of around 55 a week or so ago. I started doing some investigating when I realized that the load was not coming down. I found that my server has been taking between 400,000 and 500,000 messages per day. A few months ago, it was more like 150,000 to 200,000 per day. Unfortunately, I moved logging over to a new syslog server recently, so I can't say whether the increase was sudden or gradual. I think some of it has been gradual, but it sure feels like it's only been the past few weeks that we've been getting hit *really* hard.

After deciding that the load average was likely due to actual spam load, I implemented a couple of RBLs at the MTA level. My load is now back down between 1 and 3, and messages making it through to SA are now back to around 200,000 per day.

Craig

Quoting ccrowley <[EMAIL PROTECTED]>:

> I reverted to 3.1.3, and I still see the very high LA. So it does not appear to be a function of the upgrade. Probably just a lot of traffic.
>
> ccrowley wrote:
> > All - Just a quick inquiry. I updated from 3.1.3 to 3.1.7 yesterday. I'm seeing substantially higher LA on the system. The system used to run at a range of 2.x - 8.x LA. With 3.1.7 I'm seeing 10.x - 50.x. I'm in the process of reverting to see if the behavior persists or is eliminated. But, I thought to check to see if anyone else has experienced similar behavior?
>
> --
> View this message in context: http://www.nabble.com/Are-other-people-seeing-higher-Load-Averages-after-moving-to-3.1.7--tf2468623.html#a6883136
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Mail server performance problems. Possible SA slow down?
I have an old Redhat box that started doing this a while back. After a lot of hair pulling, I finally figured out that the problem was related to spam floods, but seemed to be caused by the syslog daemon. I shut down syslogd for a few days, and the problem went away completely. After those few days, I turned syslogd back on, but configured it to log to a separate syslog server (thinking that perhaps the problem was disk I/O related). However, the problem began happening again. I finally downgraded my syslogd to the previous version, and haven't seen any problems since.

Note that this is very likely not what is causing your problem. But it sometimes pays to consider the non-obvious. Your problem may be caused by something relatively unrelated to (but affected by) mail.

Craig

Quoting Matias Lopez Bergero <[EMAIL PROTECTED]>:

> Hello!
>
> I was very happy using SpamAssassin at my email server (Xeon 2.8GHz, 1.5 GB memory, Dual Ultra SCSI HD 73.4GB in RAID 1, Linux 2.4.33)
>
> The last few weeks I have noted (angry users calling me by phone) that the server is really slow. The loadav goes from 1.5 to 12.5; normally it is about 3.00. There are only 2500 email boxes at the server.
>
> The server is running: Sendmail, SpamAssassin 3.1.5 (using milter-spamc), ClamAV (using clamav-milter), Apache 1.3.x, SquirrelMail, pop3, etc.
>
> I have seen some kind of bursts of incoming emails (spam mostly), that are producing a DoS effect. The server shows a table of ~1700 processes and about ~800 tcp sessions (sendmail and milter-spamc mostly) during these bursts. This seems to prevent other users from connecting to the server in order to use pop3 or smtp services.
>
> I have increased the child processes of spamd, but I was unsuccessful in reducing this effect (I have seen in the logs a message about the need to increase the spamd children). Also I tweaked the sendmail.cf to ease the connection, but the problem persists.
>
> Looks to me that SpamAssassin is taking too long to process the incoming emails, and as a result, it is slowing down the server, and finally causing the DoS.
>
> Can anyone help me with some ideas to solve this? or to see where exactly the problem is? Do I need to improve my hardware?
>
> Thanks.
>
> BR,
> Matias.
Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5
Well I think the FAQ note is a good idea, since a hyperactive DNS server wasn't the first thing I thought of when I saw this problem. However, turning off the OpenDNS hyperactivity does require a fixed IP address to originate the queries - I found it easier to use OpenDNS for my desktops, and switch to something else for the SpamAssassin server.

cheers,
Don Craig

Jeff Chan wrote:
> On Wednesday, September 27, 2006, 11:17:59 PM, Donald Craig wrote:
> > And Theo Van Dinter pointed out:
> > > You're not by chance using the opendns.{com,org} folks for DNS, are you?
> >
> > Of course. I'm an idiot. I switched to OpenDNS a couple of weeks back. Time to return from whence I came.
> >
> > Thank you,
> > Don Craig
> >
> > > I'm getting matches whenever I have an embedded URL on URIBL_AB_SURBL and URIBL_PH_SURBL - unless the URL is actually in URIBL_SBL, in which case the logic for all the flavors of URIBL_XX_SURBL seems to work correctly. I have verified the absence of the incorrectly matching URLs from SURBL with lookups in http://www.rulesemporium.com/cgi-bin/uribl.c
> > >
> > > This is SpamAssassin 3.1.5, all was fine in 3.1.2. For now I have set both those tests to 0.00.
> > >
> > > Don Craig
>
> Thanks for the reminder guys. I've added the following note about OpenDNS compatibility to the SURBL FAQ:
>
> http://www.surbl.org/faq.html#opendns
>
> "I'm using OpenDNS and getting wrong answers to SURBL DNS queries
>
> OpenDNS is a service that changes the responses to some DNS queries in order to prevent users from visiting spam, phishing, etc., sites. It also has a "typo correction" feature that directs mistyped domain names to custom sites controlled by OpenDNS instead of sites controlled by typosquatters, phishers, etc. When using SURBLs with an OpenDNS nameserver it's important to disable the typo correction feature, or the responses to non-matching SURBL queries will be incorrect to a SURBL application.
>
> The reason is that the OpenDNS nameservers return an IP address of their own web site in those cases, and that modified IP address will have an incorrect effect on SURBL list identification that depends on where the bit patterns happen to be in the modified response.
>
> SURBLs will work with OpenDNS if their typo correction feature is disabled on servers or clients doing SURBL queries."
>
> Does that look about right?
>
> Jeff C.
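An added example, not part of the thread and not SURBL's or SpamAssassin's own code, showing the failure mode the FAQ note describes: a bitmask client reads the last octet of whatever A record comes back, so a resolver that answers NXDOMAIN with its own web server's address produces phantom sub-list hits unless the client first checks that the answer lies in 127.0.0.0/8. The sub-list bit values are assumed from memory of SpamAssassin 3.1's 25_uribl.cf, the resolver answers are constructed, and 203.0.113.10 (TEST-NET-3) stands in for the rewritten address.

```python
"""Decode multi.surbl.org answers with and without the 127/8 sanity check."""
import ipaddress
import socket

# Bit values SpamAssassin 3.1 assigned to multi.surbl.org sub-lists.
# Assumption: reproduced from memory of its 25_uribl.cf, not from this thread.
SURBL_BITS = {
    2: "URIBL_SC_SURBL",
    4: "URIBL_WS_SURBL",
    8: "URIBL_PH_SURBL",
    16: "URIBL_OB_SURBL",
    32: "URIBL_AB_SURBL",
    64: "URIBL_JP_SURBL",
}

# DNSBLs answer inside 127.0.0.0/8; anything else is not a list answer.
DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")


def bits_to_rules(code):
    return {rule for bit, rule in SURBL_BITS.items() if code & bit}


def naive_decode(answer):
    """What an unguarded client does: treat the last octet of *any* A answer as list bits."""
    return bits_to_rules(int(ipaddress.ip_address(answer)) & 0xFF)


def decode_surbl_answer(answer):
    """Guarded decode: refuse answers outside 127.0.0.0/8."""
    addr = ipaddress.ip_address(answer)
    if addr not in DNSBL_NET:
        raise ValueError(f"{answer} is outside 127.0.0.0/8: not a SURBL answer; "
                         "the resolver is probably rewriting NXDOMAIN")
    return bits_to_rules(int(addr) & 0xFF)


def surbl_lookup(domain, resolve=socket.gethostbyname, zone="multi.surbl.org"):
    """Return (rules, error): the sub-list rules the domain hits (empty set when
    the name does not exist) and None, or an empty set and why the answer was bogus."""
    try:
        answer = resolve(f"{domain}.{zone}")
    except socket.gaierror:
        return set(), None
    try:
        return decode_surbl_answer(answer), None
    except ValueError as exc:
        return set(), str(exc)


def resolver_rewrites_nxdomain(resolve=socket.gethostbyname):
    """Probe for typo-correction: a name under the reserved .invalid TLD (RFC 2606)
    must fail to resolve. Any answer means the resolver synthesises records."""
    try:
        resolve("surbl-probe.invalid")
    except socket.gaierror:
        return False
    return True


def make_fake_resolver(answers, rewrite_to=None):
    """Offline stand-in for gethostbyname. `answers` maps names to A records;
    with rewrite_to set, unknown names get that address instead of NXDOMAIN,
    which is the behaviour the thread attributes to OpenDNS typo correction."""
    def resolve(name):
        if name in answers:
            return answers[name]
        if rewrite_to is not None:
            return rewrite_to
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    # Constructed: one listed domain (127.0.0.40 = AB + PH) and one clean one.
    listed = {"bad.example.multi.surbl.org": "127.0.0.40"}
    honest = make_fake_resolver(listed)
    typo_fixing = make_fake_resolver(listed, rewrite_to="203.0.113.10")
    print("honest resolver, clean domain:", surbl_lookup("good.example", honest))
    print("rewriting resolver, naive client:", naive_decode("203.0.113.10"))
    print("rewriting resolver, guarded client:", surbl_lookup("good.example", typo_fixing))
    print("rewrite detected:", resolver_rewrites_nxdomain(typo_fixing))
```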
Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5
And Theo Van Dinter pointed out:
> You're not by chance using the opendns.{com,org} folks for DNS, are you?

Of course. I'm an idiot. I switched to OpenDNS a couple of weeks back. Time to return from whence I came.

Thank you,
Don Craig

> I'm getting matches whenever I have an embedded URL on URIBL_AB_SURBL and URIBL_PH_SURBL - unless the URL is actually in URIBL_SBL, in which case the logic for all the flavors of URIBL_XX_SURBL seems to work correctly. I have verified the absence of the incorrectly matching URLs from SURBL with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi
>
> This is SpamAssassin 3.1.5, all was fine in 3.1.2. For now I have set both those tests to 0.00.
>
> Don Craig
Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5
I'm getting matches whenever I have an embedded URL on URIBL_AB_SURBL and URIBL_PH_SURBL - unless the URL is actually in URIBL_SBL, in which case the logic for all the flavors of URIBL_XX_SURBL seems to work correctly. I have verified the absence of the incorrectly matching URLs from SURBL with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi This is SpamAssassin 3.1.5, all was fine in 3.1.2. For now I have set both those tests to 0.00. Don Craig
Re: .GIF images without .gif in filename and empty messages
Quoting Loren Wilton <[EMAIL PROTECTED]>:

> > Thanks to the imageinfo plugin, most of my image spam has disappeared except for one particular type. I'm still seeing .gif image spams where the filename for the image does not contain .gif. Like this:
>
> Are you using the latest version that 'decoder' posted? I'm pretty sure he added code to handle improper file type suffixes. (Of course he might not handle the no suffix case.)

Didn't decoder post the OCR stuff? I thought imageinfo was posted by Dallas. Anyway, regardless, I think I may be running an older version. I'll check it and upgrade if necessary.

> > The other type of spam I'm seeing are empty messages. They have a single word
>
> I haven't noticed any of these on my system, but they should be easy enough to catch. Without seeing one I can't guess why the empty body rule would be failing. Can you post one as a txt message

Sure: http://pastebin.com/769187

Note that I am aware that I am running an older version of SA (3.0.x). Unfortunately, upgrading is not feasible at this time.

Thanks for any help or advice you can give!

Craig
.GIF images without .gif in filename and empty messages
I have two types of spam that are slipping through, and I'm wondering if anyone has rules to help with them.

Thanks to the imageinfo plugin, most of my image spam has disappeared except for one particular type. I'm still seeing .gif image spams where the filename for the image does not contain .gif. Like this:

  Content-Type: image/gif; name="glitter"
  Content-Transfer-Encoding: base64
  Content-ID: <[EMAIL PROTECTED]>

The other type of spam I'm seeing are empty messages. They have a single word for a subject, but nothing in the body. About a year ago, I was getting flooded with these, and I solved the problem by using the SARE_HTML_NO_BODY rule from 70_sare_html4.cf. However, this rule does not seem to hit on this recent crop of empty messages. I have no idea why. Is anyone else seeing these, and more importantly, does anyone have a rule for them?

Craig
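An added example, not from the thread and not the imageinfo plugin's code: walking a MIME message and flagging image parts whose declared name carries no extension for the image type, sniffing the decoded payload's magic bytes so a GIF named "glitter" is caught by what it is rather than what it is called. The sample message is constructed around the header block quoted above, with a 1x1 GIF as the payload.

```python
"""Flag image parts whose declared name hides the image type."""
import email
import os
from email import policy

# Extensions that honestly describe each image type.
IMAGE_EXTENSIONS = {
    "gif": {".gif"},
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
}

# Magic bytes at the start of the decoded part, independent of any header.
MAGIC = [(b"GIF8", "gif"), (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png")]


def sniff_image(data):
    """Return the image type implied by the first bytes, or None."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return None


def image_parts(raw):
    """(content type, declared name, sniffed type) for every image/* part."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        name = part.get_filename() or ""           # Content-Type name= or Content-Disposition filename=
        data = part.get_payload(decode=True) or b""  # base64/QP already undone
        out.append((part.get_content_type(), name, sniff_image(data)))
    return out


def suspicious_images(raw):
    """Image parts whose name lacks an extension matching the sniffed type
    (falling back to the declared subtype when the bytes are not recognised)."""
    out = []
    for ctype, name, sniffed in image_parts(raw):
        kind = sniffed or ctype.split("/", 1)[1]
        ext = os.path.splitext(name)[1].lower()
        if ext not in IMAGE_EXTENSIONS.get(kind, set()):
            out.append((ctype, name, sniffed))
    return out


# Constructed sample: the headers quoted in the post plus a 1x1 transparent GIF.
SAMPLE = """\
From: sender@example.test
To: user@example.test
Subject: glitter
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><img src="cid:glitter@example.test"></body></html>
--b1
Content-Type: image/gif; name="glitter"
Content-Transfer-Encoding: base64
Content-ID: <glitter@example.test>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

if __name__ == "__main__":
    print(suspicious_images(SAMPLE))
```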
Slow scan time
http://www3.2cah.com/spam/sa_slowhtml.txt I got inundated with messages similar to this today. The average scan time here for these is 25+ seconds when the box is under _low_ load. My guess is that it has to do with the number of URLs. Any thoughts on this? -- Craig
Re: SPF and envelope senders
Daryl C. W. O'Shea wrote:
> Logan Shaw wrote:
> > So I looked in my own personal mailbox to see which messages have Return-Path headers, and out of the hundreds of messages in there, basically all messages do have a Return-Path header, except that not a single one from majorcustomer.com does. So... is it safe to assume their servers are configured incorrectly? Or should our MTA be somehow adding that header if it's missing? Or is there some other way that our MailScanner+SpamAssassin combo should be getting the envelope sender information?
>
> Your MDA should be adding it, and whatever is calling SpamAssassin (MailScanner) should be at least faking it in the message it hands SA.
>
> Daryl

http://wiki.apache.org/spamassassin/EnvelopeSenderInReceived

Is also useful for the bag of tricks too..

-- Craig
Re: Always add report headers
Arik Raffael Funke wrote:
> Nigel Frankcom wrote:
> > On Sat, 05 Aug 2006 14:08:45 +0200, Arik Raffael Funke <[EMAIL PROTECTED]> wrote:
> > > how do I get spamd/spamc to always add the spamassassin report headers? I.e. also to ham messages... I have the following in my local.cf and user_pref.cf but to no apparent use:
> > >
> > >   use_auto_whitelist 0
> > >   use_bayes 0
> > >   add_header all Report _REPORT_
> > >   add_header all Status _YESNO_, hits=_HITS_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
> > >
> > > I am using version 3.1.4.
> >
> > report_safe 1
>
> That wasn't it either. As I understand the documentation this config variable is supposed to attach the original message unmodified to a spamassassin spam report message. This is not what I was looking for. For me the usual X-Spam-Status headers suffice, but I also want them in ham. As a call with "spamassassin ham.txt" would produce... just I want them also with "less ham.txt | spamc".
>
> I attach my local.cf below to avoid any uncertainties. Thanks for the help.
>
> - Arik
>
> File: local.cf
> ---
> # This is the right place to customize your installation of SpamAssassin.
> #
> # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
> # tweaked.
> #
> # Only a small subset of options are listed below
> #
> ###
>
> # Add *SPAM* to the Subject header of spam e-mails
> #
> # rewrite_header Subject *SPAM*
>
> # Save spam messages as a message/rfc822 MIME attachment instead of
> # modifying the original message (0: off, 2: use text/plain instead)
> #
> # report_safe 1
>
> # Set which networks or hosts are considered 'trusted' by your mail
> # server (i.e. not spammers)
> #
> # trusted_networks 212.17.35.
>
> # Set file-locking method (flock is not safe over NFS, but is faster)
> #
> # lock_method flock
>
> # Set the threshold at which a message is considered spam (default: 5.0)
> #
> # required_score 5.0
>
> # Use Bayesian classifier (default: 1)
> # use_bayes 0
>
> # Bayesian classifier auto-learning (default: 1)
> # bayes_auto_learn 0
>
> # Set headers which may provide inappropriate cues to the Bayesian
> # classifier
> #
> # bayes_ignore_header X-Bogosity
> # bayes_ignore_header X-Spam-Flag
> # bayes_ignore_header X-Spam-Status
>
> use_auto_whitelist 0
> use_bayes 0
> add_header all Report _REPORT_
> add_header all Status _YESNO_, hits=_HITS_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
> report_safe 1

The point is, who or what is calling spamassassin.. You have to have something in the mix of things that is screwing with your headers. Even with report_safe 0, SA adds the X-Spam* headers..

-- Craig
Re: What changes would you make to stop spam? - United Nations Paper
John Rudd wrote: I've been re-thinking Marc's "IMAP for sending, instead of SMTP" proposal. And this "block Bcc" part got me thinking even more. I think he may be on to something. But lets take it one step further. Email via fingerd. That'll throw off the spammers. Wouldn't identd be more apropos? And to slow down their spam-bot attacks, I propose we replace the internet backbones with the long-proposed-but-never-implemented IP-via-carrier-pigeon. We'll need an authentication scheme to go with this. I'm going to suggest a GSSAPI method for wax envelope seals. Perfect for carrier pigeon packets. And _EACH_ packet is individually authenticated. PERFECT! RFC 1149, I had forgotten about that! This *could* be the answer. And we'll send preferred traffic (because we hate net neutrality!) over bongo-net. Or better yet, use mockingbirds instead of pigeons, I think this new internet architecture will stop the spammers in their tracks. No, really, it will. Either that or get them shat on, which would be a messy affair. :-D /me goes back to lurking... -- Craig
RE: Help for beginner
On Tue, 2006-07-25 at 16:02 -0600, Nels Lindquist wrote: > On 25 Jul 2006 at 14:17, Craig White wrote: > > > > > http://www.mailscanner.info/linux.html > > > > This is the information page for installing MailScanner on RPM based > > Linux system. > > > > If you read this, you will see that even though you are using an rpm > > based system, you download a tarball package, 'un-tar' the tarball and > > then start the installation process via 'install.sh' command. This > > actually ends up installing MailScanner and all requisite perl packages > > via RPM. > > > > Please read this guide. > > I seem to be missing the part where the original poster mentioned he > was using or wanted to use Mailscanner. Was that in a different > thread, perhaps? I vaguely remember it now, I've deleted the thread now. Craig
RE: Help for beginner
Hi - let's keep this on list OK? answer at bottom On Tue, 2006-07-25 at 13:19 -0700, Cabell, Dale wrote: > I am confused. Are you recommending that I not use RPM with the tarball > and instead untar and use the script? > > Please let me know. > > Thanks, > Dale Cabell > > -----Original Message- > From: Craig White [mailto:[EMAIL PROTECTED] > Sent: Tuesday, July 25, 2006 12:00 PM > To: users@spamassassin.apache.org > Subject: Re: Help for beginner > > On Tue, 2006-07-25 at 14:16 -0400, Theo Van Dinter wrote: > > FWIW, Dale's been mailing me privately where I've been answering, but > just for > > everyone's info: > > > > On Tue, Jul 25, 2006 at 11:04:18AM -0700, Cabell, Dale wrote: > > > Where do I put the tar? After I untar it, where do I execute the > > > rpmbuild from? > > > > "rpmbuild -tb" says to build a binary RPM from a tarball. So: > > > > rpmbuild -tb Mail-SpamAssassin-3.1.3.tar.gz > > > > will build the RPMs from the named tarball. Depending on your > environment, > > you may need to be root and the packages may appear under > /usr/src/redhat. > > > > The download page also mentions the '--define "srcext .bz2"' option > which you > > need if you download the bz2 tarball instead of the gz one. > > given the methodology that MailScanner uses, I don't think that I would > do that (compile an rpm from a tarball). Unless you know something that > I don't know that is. > > The MailScanner download for rpm based system is indeed a tarball which > you have to extract and then run the 'install.sh' script which is a perl > program which actually builds a lot of requisite perl packages and > finally mailscanner itself into rpm files and installs the rpm's (or not > if you already have newer versions of the rpm's installed already). It's > a sophisticated, comprehensive approach to installing a whole lot of > stuff and doing it the way the system is configured (via rpm). 
http://www.mailscanner.info/linux.html This is the information page for installing MailScanner on RPM based Linux system. If you read this, you will see that even though you are using an rpm based system, you download a tarball package, 'un-tar' the tarball and then start the installation process via 'install.sh' command. This actually ends up installing MailScanner and all requisite perl packages via RPM. Please read this guide. Craig
Re: Help for beginner
On Tue, 2006-07-25 at 14:16 -0400, Theo Van Dinter wrote: > FWIW, Dale's been mailing me privately where I've been answering, but just for > everyone's info: > > On Tue, Jul 25, 2006 at 11:04:18AM -0700, Cabell, Dale wrote: > > Where do I put the tar? After I untar it, where do I execute the > > rpmbuild from? > > "rpmbuild -tb" says to build a binary RPM from a tarball. So: > > rpmbuild -tb Mail-SpamAssassin-3.1.3.tar.gz > > will build the RPMs from the named tarball. Depending on your environment, > you may need to be root and the packages may appear under /usr/src/redhat. > > The download page also mentions the '--define "srcext .bz2"' option which you > need if you download the bz2 tarball instead of the gz one. given the methodology that MailScanner uses, I don't think that I would do that (compile an rpm from a tarball). Unless you know something that I don't know that is. The MailScanner download for rpm based system is indeed a tarball which you have to extract and then run the 'install.sh' script which is a perl program which actually builds a lot of requisite perl packages and finally mailscanner itself into rpm files and installs the rpm's (or not if you already have newer versions of the rpm's installed already). It's a sophisticated, comprehensive approach to installing a whole lot of stuff and doing it the way the system is configured (via rpm). Craig
Re: Network tests slowing down spamassassin
Ramprasad wrote:
> Hi,
>
> SA works fine, for the quite large setup that we have. (we get up to 200k mails an hour at peak times)
>
> But I notice it is too network dependent. A little problem with the network and all hell breaks loose. Mailq shoots up and SA starts timing out. Probably because I have enabled all kinds of BL tests and uri checks. But these checks are indispensable; without these SA would have no teeth at all.
>
> So what is the best way to reduce network traffic. We are already getting the sbl-xbl lists from spamhaus so as to serve those lists locally, can I get any other lists locally? Commercial agreements also are ok.

Are you running a local caching nameserver? For my group that seems to help a great deal.

-- Craig
RE: sudden deluge of university spams
Quoting Chris Santerre <[EMAIL PROTECTED]>:
> There's a reason. The amount of permutations is ridiculous. But SARE has Evilnumbers which catches these.

Except that evilnumbers hasn't been updated in over a year :-)

I've been writing custom rules to block the phone numbers used in these. You could write rules for the wording, but like Chris said, it changes so often that it's a very fast-moving target. It's probably much more difficult for the spammer to change their phone number than to change the text of their e-mails, so write a rule for the phone number, and then score it through the roof. I've noticed that it usually takes a handful of phone number rules to stop these spams for a while, then the spammer changes numbers, and you have to do it all over again.

Modifications in the phone number format are also a small challenge. For example 555.555., 555-555-, 555 555 , 555- 555-, (555)555., etc etc. So you have to write your rules to take that into account.

Craig
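An added example, not from the thread: one separator-tolerant pattern covering the layouts listed above (dots, dashes, spaces, a dash followed by a space, a parenthesised area code, or no separator at all), emitted as a SpamAssassin body rule and also run over constructed sample lines. The callback number, the rule name and the sample lines are made up; the pattern uses only syntax that Perl and Python share, so the rule file and the Python check behave the same way.

```python
"""Separator-tolerant callback-number rules for the kind of spam described above."""
import re

# Any run of dots, dashes or whitespace between digit groups, or nothing at all.
SEP = r"[\s.\-]*"


def phone_regex(number):
    """Pattern for a 10-digit North American number in any of those layouts.
    The digit look-arounds stop it matching inside a longer digit string
    (order numbers, tracking codes), which is where false positives come from."""
    digits = re.sub(r"\D", "", number)
    if len(digits) != 10:
        raise ValueError(f"expected 10 digits, got {number!r}")
    area, exchange, line = digits[:3], digits[3:6], digits[6:]
    return rf"(?<!\d)\(?{area}\)?{SEP}{exchange}{SEP}{line}(?!\d)"


def sa_rule(name, number, score):
    """The three SpamAssassin lines for one number (body rule, describe, score)."""
    return "\n".join([
        f"body     {name}  /{phone_regex(number)}/",
        f"describe {name}  Callback number {number} seen in known spam",
        f"score    {name}  {score:.1f}",
    ])


def find_blocked_numbers(text, blocked):
    """Canonical 10-digit form of each blocked number that appears in text."""
    hits = []
    for number in blocked:
        if re.search(phone_regex(number), text):
            hits.append(re.sub(r"\D", "", number))
    return hits


# Constructed sample lines (fictional 555 number, not taken from the thread).
SAMPLES = [
    "Call (555)555.0123 for your degree",
    "Call 555- 555-0123 now",
    "ring 555 555 0123 today",
    "dial 555.555.0123",
    "or 5555550123 any time",
    "order ref 15555550123456 shipped",  # same digits inside a longer run: no hit
]

if __name__ == "__main__":
    print(sa_rule("LOCAL_PHONE_5555550123", "555-555-0123", 5.0))
    for line in SAMPLES:
        print(find_blocked_numbers(line, ["555 555 0123"]), "<-", line)
```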
Re: Its nice when spammers declare their intentions...
Loren Wilton wrote:
> Subject: PayPal Fraud Intention !!! Verify Account & Billing Information !!!
> From: "PayPal.inc Security Center Department " <[EMAIL PROTECTED]>
>
> Its nice to know that they intend to defraud me. Maybe I won't bother
> playing their game.
>
> Loren

Heh, got this one yesterday:

From: "Lazarus Dennis"
To: <[EMAIL PROTECTED]>
Subject: bastard

And thought, why's he calling me a bastard? Maybe he knows his crap isn't going to get through...

C.

--
Craig McLean          http://fukka.co.uk
[EMAIL PROTECTED]     Where the fun never starts
Powered by FreeBSD, and GIN!
Re: Loading Rules - Possible Memory Issue
Duane Hill wrote:
[snippage]
> I think what it boils down to is just getting carried away.
>
> Thanks for the response. This is still relatively new with running our
> MTA on FreeBSD. It was migrated away from Windows about three weeks ago.

FWIW I have had real success using FBSD-6.0-RELEASE, SA from CPAN and spamass-milter and sendmail from the ports collection. Just lately I've moved away from the milter, towards a procmail-based SA setup for better configurability. Ping me if you want more details.

C.

--
Craig McLean          http://fukka.co.uk
[EMAIL PROTECTED]     Where the fun never starts
Powered by FreeBSD, and GIN!
Re: For those who are considering a Barracuda Network Device server
On Mon, 2006-06-12 at 19:34 -0700, jdow wrote: > If I was feeling stinky I'd note that I do not like web administration > tools as much as I like editing the files myself by hand doing things > I understand from an overdose of RTFM. And I'm not a Linux guy last > time I checked myself in front of a mirror. > > {^,-} But I'm not. (Besides "ix guy" is perhaps more to the point. > I also "dabble" with FreeBSD; but, I don't use it for anything > important yet.) (It's been a contentious day on several lists. > Some humor was needed.) You mean calling GPL License 'nonsense' wasn't your best effort of the day? You hurled similar bombshells on other lists? Craig
Re: SA 3.1.3 Binary RPMs for FC4?
John D. Hardin wrote:
> All:
>
> My hosted mail server is Fedora Core 4, and I'd rather not put a
> development environment on it if I can avoid doing so. Is anybody
> hosting binary RPMs for SA 3.1.x (ideally 3.1.3) for FC4?
>

Don't know about 3.1.3, but Axel hosts 3.1.2 at atrpms.net:

http://atrpms.net/dist/fc4/spamassassin/

instructions on setting up yum to use the atrpms repo can also be found on the site:

http://atrpms.net/install.html

C.

--
Craig McLean          http://fukka.co.uk
[EMAIL PROTECTED]     Where the fun never starts
Powered by FreeBSD, and GIN!
Auto delete if >= X on per user basis
Hello all,

I've had a good look around but am unable to find an answer to this exact scenario. I've had a bash @ using global settings on the user_pref's file, but didn't appear to work, so figured I'd ask. If you are aware of a reference to this that I've missed, I apologise.

Pretty much all I'm trying to do is setup on a per-user basis an auto delete mechanism for mail if it receives > score XX. I've read all the doco about the preferred method being to setup filters and do it client side, but a number of clients of mine are getting a large amount of spam, and we've been watching what's been flagged as such over a 6 month period and there's been only 1 instance of a false positive (which was an extremely spam like email anyway, so understandable) and the client's more than happy to take that risk. Going to keep his required_score at 5 but want to auto-delete if it's above 8 or so.

Any help would be greatly appreciated.

TIA
Re: SPAM: Re: Re[2]: Hiring for Spam Assassin Troubleshooting
I usually don't top quote, but folks, this is a troll.. And we all bit.. So troller, you have been sourced, go away..

WFGB Team wrote:
> Spam detection software, running on the system "DEDE143", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see Contact Wayne for details.
>
> Content preview: Hi Sandy, I tried to and I kept getting an error when attempting to join. It kept telling me communication error so I figured I would wait until later to see if it was an issue on my end or on their end. [...]
>
> Content analysis details: (7.3 points, 7.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
>  0.1 HTML_TAG_EXIST_TBODY   BODY: HTML has "tbody" tag
>  1.0 HTML_IMAGE_ONLY_28     BODY: HTML: images with 2400-2800 bytes of words
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  2.6 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                             [68.56.253.77 listed in dnsbl.sorbs.net]
>  1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>                             [68.56.253.77 listed in combined.njabl.org]
> -1.0 AWL                    AWL: From: address is in the auto white-list
>
> The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.
>
> Subject: Re: Re[2]: Hiring for Spam Assassin Troubleshooting
> From: "WFGB Team" <[EMAIL PROTECTED]>
> Date: Sat, 3 Jun 2006 23:22:07 -0400 (Eastern Daylight Time)
> To: , "Sanford Whiteman" <[EMAIL PROTECTED]>
>
> Hi Sandy,
>
> I tried to and I kept getting an error when attempting to join. It kept telling me communication error so I figured I would wait until later to see if it was an issue on my end or on their end.
>
> Wayne
>
> -----Original Message-----
> From: Sanford Whiteman <mailto:[EMAIL PROTECTED]>
> Date: 06/03/06 20:09:26
> To: WFGB Team <mailto:[EMAIL PROTECTED]>; users@spamassassin.apache.org <mailto:users@spamassassin.apache.org>
> Subject: Re[2]: Hiring for Spam Assassin Troubleshooting
>
> > I have talked to the SM tech support and have searched through their
> > forum but they believe this is SA issue.
>
> P.S. You didn't start *a new thread* on their forum, which is as much community-supported as vendor-supported. This is not being thorough, for what seems like an urgent issue.
>
> --Sandy
>
> FREE emoticons for your email! click Here! <http://www.incredimail.com/index.asp?id=98432>

-- Craig
RE: 3.1.2-Windows, exit codes broken?
>I mean this: > >- bug 3754: if there's a problem opening a file via sa-learn or spamassassin, return an error exit value. > >It indicates there might have been changes to that area of the code which concerns your problem. > >Kai I understand, thanks for the clarification. I had some time over the weekend to install 3.1.2 on a second Windows box and had the same result, exit code always zero with -e option and messages determined by spamassassin to be spam. Oh well, back to 3.1.1 for me. The ability to script spamassassin as an MTA pickup event and process the message according to the result code is too good to give up :) Thanks, Craig
Re: Lots of this kind of spam getting through
Craig McLean wrote:
>
> Razor and multi.uribl.com RBL for the first 3

Oops, and multi.surbl.org...

C.

--
Craig McLean          http://fukka.co.uk
[EMAIL PROTECTED]     Where the fun never starts
Powered by FreeBSD, and GIN!
Re: Lots of this kind of spam getting through
Philip,

See inline..

Philip Mak wrote:
> I'm getting about 50+ per day of these spams not being caught by
> SpamAssassin (SpamAssassin version 3.1.1 running on Perl version
> 5.8.4). There's two types:
>
> 1. Lose weight type spam, uses bad English e.g. "yrs" instead of
> "years", "u" instead of "you", "ur" instead of "your", talks about not
> having talked to the recipient in years
>
> http://www.aaanime.net/pmak/spam/2006-05-27/1.txt

X-Spam-Status: Yes, score=23.0 required=6.0 tests=BAYES_60,DK_POLICY_SIGNSOME,
  RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
  RCVD_IN_XBL,SPF_NEUTRAL,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,
  URIBL_OB_SURBL,URIBL_SBL autolearn=spam version=3.1.2

> http://www.aaanime.net/pmak/spam/2006-05-27/2.txt

X-Spam-Status: Yes, score=21.1 required=6.0 tests=BAYES_99,
  RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
  RCVD_IN_XBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL
  autolearn=spam version=3.1.2

> http://www.aaanime.net/pmak/spam/2006-05-27/3.txt

X-Spam-Status: Yes, score=15.5 required=6.0 tests=BAYES_95,
  RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
  RCVD_IN_NJABL_DUL,RCVD_IN_XBL,URIBL_BLACK,URIBL_WS_SURBL
  autolearn=spam version=3.1.2

> These spams all have different URLs, but if you visit them they're
> exactly the same site. The first two resolve to the same IP address
> too, though the third doesn't despite having the same content.
>
> 2. Homeowner credit, or something
>
> http://www.aaanime.net/pmak/spam/2006-05-27/a.txt

X-Spam-Status: Yes, score=18.1 required=6.0 tests=BAYES_99,CM_MISC_GEOC,
  RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,WEB_403 autolearn=spam version=3.1.2

> http://www.aaanime.net/pmak/spam/2006-05-27/b.txt

X-Spam-Status: Yes, score=14.2 required=6.0 tests=BAYES_99,CM_MISC_GEOC,
  RCVD_IN_BL_SPAMCOP_NET,WEB_403 autolearn=spam version=3.1.2

> These spams keep slipping through SpamAssassin consistently. Most of
> my false negatives are variants of the messages I posted above. Any
> suggestions on how to block them?

Razor and multi.uribl.com RBL for the first 3, the WebRedirect plugin and a rule which gives any geocities URL a healthy dose of points (a la http://fukka.co.uk/sa-rules/local/misc.cf) for the second 2. XBL and spamcop (no flames please) for all, plus make sure you get your bayes trained on this type of spam to drive the score up there, too. Mine doesn't do so well because I haven't seen much of this spam.

C.

--
Craig McLean          http://fukka.co.uk
[EMAIL PROTECTED]     Where the fun never starts
Powered by FreeBSD, and GIN!
RE: 3.1.2-Windows, exit codes broken?
>> 3.1.2 is not setting a non-zero exit code when a message is classified
>> as spam (spamassassin.bat -e < mailfilein > mailfileout) Known
>> issue/bug?

> There is something about exit codes in the changelog.

I had checked the changelog and didn't see anything obviously relevant.

Craig
3.1.2-Windows, exit codes broken?
Windows Server 2003 SP1
ActivePerl 5.8.8.817
Upgrade from a working 3.1.1 installation

3.1.2 is not setting a non-zero exit code when a message is classified
as spam (spamassassin.bat -e < mailfilein > mailfileout)

Known issue/bug?

Craig
Re: sa-learn script
Paul Matthews wrote:
> Hi there,
>
> I'm running RHEL4 with spamassassin-3.0.5-3.el4 and I'm looking for a
> script that will make sa-learn go through everyone's Junk mail folder and
> 'learn' what is Junk.
>
> I've come up with this
>
> #!/bin/bash
>
> for i in $( ls /home/MYDOMAIN); do
>   sa-learn --spam /home/MYDOMAIN/i$/mail/Junk
> done
>
> If I set it to run as a cron job once a week, will that do what I want it
> to do?
>

Almost certainly not, unless you change that "i$" to "$i" ;-)

C.
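A corrected version of that loop, as an added example rather than the poster's script or anything shipped with SpamAssassin: it expands "$i" the right way round, skips users without a Junk folder, and defers the Bayes journal sync to one pass at the end. MAILROOT and SA_LEARN are assumed variables so the /home/MYDOMAIN layout from the post and the sa-learn binary can be overridden for a dry run.

```shell
#!/bin/sh
# Added example (not the poster's script, not part of SpamAssassin):
# learn every user's Junk folder as spam, as the original loop intended.
# MAILROOT and SA_LEARN are assumptions so the layout from the post
# (/home/MYDOMAIN/<user>/mail/Junk) and the sa-learn binary can be
# overridden, e.g. to point at a stub for a dry run.
MAILROOT="${MAILROOT:-/home/MYDOMAIN}"
SA_LEARN="${SA_LEARN:-sa-learn}"

# Print each existing Junk folder under MAILROOT, one per line.
# Globbing instead of parsing ls copes with odd user names, and users
# who have no Junk folder yet are skipped instead of making sa-learn fail.
list_junk_folders() {
    for home in "$MAILROOT"/*; do
        junk="$home/mail/Junk"
        [ -e "$junk" ] || continue
        printf '%s\n' "$junk"
    done
}

# Feed every folder to sa-learn. --no-sync defers merging the learn
# journal into the Bayes database, so a single --sync at the end replaces
# one database rebuild per mailbox. Writes the number of folders learned
# to stdout so the cron job (or a test) can check that it did something.
learn_all_junk() {
    count=0
    old_ifs=$IFS
    IFS='
'
    # Split the folder list on newlines only, so paths with spaces survive.
    for junk in $(list_junk_folders); do
        "$SA_LEARN" --spam --no-sync "$junk" >/dev/null
        count=$((count + 1))
    done
    IFS=$old_ifs
    if [ "$count" -gt 0 ]; then
        "$SA_LEARN" --sync >/dev/null
    fi
    echo "$count"
}

# Weekly cron entry (assumed path), e.g.:
#   0 3 * * 0 /usr/local/sbin/learn-junk.sh run
[ "${1-}" = "run" ] && learn_all_junk
```

Run it as the user that owns the Bayes database (or with a shared bayes_path) or sa-learn will quietly train a per-user database nobody scans with.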
Re: SA Milter problem
Chan, Wilson wrote:
> Any else having this problem with spamass-milter with spamassassin?

Nope.

(ask a vague question...)

C.
Re: AWL whitelist & CGPSA
Tracey Gates wrote:
> I apologize if this has already been addressed. I am using CGPro with
> CGPSA. I have placed an entry in my local.cf
> [snip]

In addition to other comments in this thread, given:

> --
> 4.8 FROM_KING_COM From known spammer 'king.com'

and:

> [EMAIL PROTECTED]

I'd say that the FROM_KING_COM rule might be misfiring, and for 4.8
points too!

C.
Re: Proposal: First URI black list, how about email address black lists?
Dallas L. Engelken wrote:
>
> Well, the only thread on sa-users I found about this was from Dec 2005.
> http://www.nabble.com/A-thought-about-phone-numbers-and-URIBLs-t716464.html
>
> We had a thread on uribl staff list about this last July which we
> cross-posted to sare where loren brought up some good points. After a
> good discussion on it, it dropped off the radar as something that would
> take too much time and have very little impact.
>
> If anyone plans to move forward with this, I'd be willing to share our
> threads on it.
>
> Dallas

Actually, after some off-list chat with Rob Skedgell I recently finished
a first attempt at a plugin for a dnsbl for phone numbers[1], having put
together a monstrous, by-country static ruleset based on international
dialing codes[2]. It's met with reasonable success here against 419 and
associated check-fraud spam using harvested data[3], but will need some
serious thought, testing, tweaking and infrastructure before it can be
used in production...

I'd be intrigued to read any other comments and discussion that have
happened...

Thanks,
C.

[1] http://fukka.co.uk/sa-rules/local/PhoneBL.pm
[2] http://fukka.co.uk/sa-rules/local/phone.cf
[3] http://fukka.co.uk/sa-rules/local/evilnumbers.db
Re: Delete spam or move to a folder?
Will Nordmeyer wrote:
> Craig,
>
> How do you have procmail set up to deliver to the spam vs. likely spam
> folders?

Use the "X-Spam-Level" marker. Anything with < 10 stars and a
"X-Spam-Status" of "Yes" gets put in a 'likely-spam' folder. Anything
else goes to 'spam'.

C.
Re: Filtering windows-1252 charset
Philip Prindeville wrote:
> Jonathan Armitage wrote:
>
>> I see some spam with "windows-1252" or other unwanted character sets at
>> the start of the subject. I reject them via an Exim ACL, so SA doesn't
>> even have to scan them.
>>
>
> Which brings up the subject... How legitimate is email sent as
> windows-1252?

I have a bunch of stuff from paypal and ebay, and much more, which
include this charset. I'm not attempting to answer the philosophical
question, just the statistical one.

C.
Re: Delete spam or move to a folder?
Yusuf Ahmed wrote:
> Hi Guys,
>
> Couldn't find a thread like this hence this new one. Just wondering what
> strategy people are using when it comes to dealing with email that gets
> enough points to be considered as spam. Eg. being deleted and
> quarantined, or delivered and quarantined etc.
>
> I'm using store and deliver - is that the general concept out there with
> everyone?
>
> Regards,
> Yusuf.

Hey Yusuf.

Everything received here gets delivered, and procmail sorts the spam and
likely-spam into different folders. This means we can quickly see
misfires either way, and has the added benefit over milter-level bounces
that bayes gets to see everything too.

C.
Re: Comment Crashes
David B Funk wrote:
> On Tue, 16 May 2006, Craig McLean wrote:
>
>> [snipped]
>>
>> I use this style to catch a couple of common text formatting oddities
>> caused by machine-generated input, see:
>> http://fukka.co.uk/sa-rules/local/textstyles.cf
>>
>> Thinking about it, this stuff will nest fairly well, so this should work:
>>
>> rawbody T_30_DODGY_DIVS m'(?:\s{0,}?[\$%\w]\s{0,}?.{1,40}?){30}'i
>>
>> Stick with rawbody, you don't need full. Also, you'll probably want
>> case-insensitive, and \s{0,}? to match zero or more whitespace.
>
> Only problem with that is "rawbody" processes the original message one
> line at a time, unlike "full" or "body" which concatenate the whole
> message into one large string. So if you're looking for some
> characteristic of a message which is spread across multiple lines of
> input you cannot use "rawbody".

Bugger, you are correct of course. My thanks to you and Sanford Whiteman
for reminding me that rawbody doesn't (yet) allow multiline matches.

It's 2 AM, I shouldn't be allowed near email :-(

C.
Re: Comment Crashes
Dan wrote:
>> Hmmm, four DIVs, near each other, each with a single alpha and
>> whitespace. May not be what you are trying to catch, but it's the only
>> real pattern I can see from that snippet.
>>
>> rawbody  T_4_DODGY_DIVS  m'\s+\w.{1,40}?\s+\w.{1,40}?\s+\w.{1,40}?\s+\w'i
>> describe T_4_DODGY_DIVS  Testing...
>> score    T_4_DODGY_DIVS  0.01
>
> Interesting, instead of asking for the count, you are actually showing it
> how many. Scaled up to 30 and adding space variations, it would look like:
>
> [snipped]

I use this style to catch a couple of common text formatting oddities
caused by machine-generated input, see:
http://fukka.co.uk/sa-rules/local/textstyles.cf

Thinking about it, this stuff will nest fairly well, so this should work:

rawbody T_30_DODGY_DIVS m'(?:\s{0,}?[\$%\w]\s{0,}?.{1,40}?){30}'i

Stick with rawbody, you don't need full. Also, you'll probably want
case-insensitive, and \s{0,}? to match zero or more whitespace.

C.
Re: Comment Crashes
Dan wrote:
>> If you could give us a sample of what you are trying to match, maybe
>> we could suggest an alternate route.
>
> Stuart,
>
> It's lines and lines of this kind of thing:
>
> "
> V L A
> V P X
> C
>
> Dan
>

Hmmm, four DIVs, near each other, each with a single alpha and
whitespace. May not be what you are trying to catch, but it's the only
real pattern I can see from that snippet.

rawbody  T_4_DODGY_DIVS  m'\s+\w.{1,40}?\s+\w.{1,40}?\s+\w.{1,40}?\s+\w'i
describe T_4_DODGY_DIVS  Testing...
score    T_4_DODGY_DIVS  0.01

(note, the regexp should be on one line with no spaces)

That will catch it. You'd have to see what it FPs on though. You could
also get it to pick on single alphas between html tags with a little
tweaking.

C.
Re: RULE using %
Jean-Paul Natola wrote:
>
> well that is why I would only score it like a total of 1.5 points, that
> combined with the other KAM_GEO rule, would then take it over the 5.5
> threshold, the 1.5 points on its own would not discard the message

Sure thing, it's your choice what to check for and how to score it, I'm
just offering advice. In this case, my advice is that "more than 3 '%'
symbols in a message is worth 1.5 points" might be a bit drastic.

Here's how I scored a typical loan spam:

 1.5 CM_TXT_LOAN          BODY: Loan at a certain rate.
 2.0 TVD_DEAR_HOMEOWNER   BODY: TVD_DEAR_HOMEOWNER
 1.5 CM_CREDIT_SCORE      BODY: Your score doesn't matter
 1.0 CM_IMMEDIATE_CASH    BODY: Immediate cash
 1.0 CM_DEAR_HOMEOWNER    BODY: Dear Homeowner

Plus BAYES_99 for 4 points, and 4 x URIBL hits for 11.6 in this case.

C.
Re: RULE using %
Craig McLean wrote:
> Jean-Paul Natola wrote:
>>> Hi all
>>>
>>> These homeowner spams are still getting through (a lot less though since
>>> adding the KAM_GEO_STRING2 rule).
>>>
>>> I do NOT know how to write rules, but I have an idea that perhaps can reduce
>>> the homeowner / credit spams.
>>>
>>> It would be something along the lines of;
>>>
>>> If message contains the % symbol score it .2
>>> If message contains the % 2 times score it .5
>>> If Message contains the % 3 or more times score it 1.5
> [snip]
>
> Just a quick note of caution, it's a bad idea to match on multiple
> occurrences of single characters (like %). Off the top of my head, I can
> think of a half-dozen opt-in newsletters which I get that offer
> discounts ("10% discount", "saving of 17%", "get 20% off" etc.) and
> would easily contain a dozen "%" characters.
> If you are going to match, try doing it with patterns, like (off the top
> of my head, and untested!)
>
> /(?:£\$}\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%/
>

Heh, need more coffee, should be \$) not \$}, but even so it belongs in a
[], not a (). Right, get the kettle on...

/[£\$]\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%/

C.
Re: RULE using %
Jean-Paul Natola wrote:
> Hi all
>
> These homeowner spams are still getting through (a lot less though since
> adding the KAM_GEO_STRING2 rule).
>
> I do NOT know how to write rules, but I have an idea that perhaps can reduce
> the homeowner / credit spams.
>
> It would be something along the lines of;
>
> If message contains the % symbol score it .2
> If message contains the % 2 times score it .5
> If Message contains the % 3 or more times score it 1.5
[snip]

Just a quick note of caution, it's a bad idea to match on multiple
occurrences of single characters (like %). Off the top of my head, I can
think of a half-dozen opt-in newsletters which I get that offer
discounts ("10% discount", "saving of 17%", "get 20% off" etc.) and
would easily contain a dozen "%" characters.

If you are going to match, try doing it with patterns, like (off the top
of my head, and untested!)

/(?:£\$}\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%/

might attempt to match:

"$250,000 loan at 6.35%"
"£ 1 for you just 6%!"

C.