Re: Almost no score

2009-05-01 Thread Craig
I could be asking the same thing as Charles, if I am I apologize.
 
I installed the rules below, ran the headers.txt file- thru SA and the rules 
did not trigger.  Do I need to configure something else?
 
Thanks
Craig

>>> Charles Gregory  5/1/2009 9:48 AM >>>

Uh, what do these 'ratware' rules trigger on? 
How effective are they, and what are the chances of false positives?

- Charles

On Thu, 30 Apr 2009, LuKreme wrote:
> (single lines)
> header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="=_NextPart_000__\1\.\2/msi
> # "
>
> header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="=_NextPart_000__\1\.\2/msi
> # "
>
> header  KB_RATWARE_BOUNDARY  ALL =~ /^Message-Id: <([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="=_NextPart_000__\1\./msi
> # "
>
> score KB_RATWARE_BOUNDARY 2.0
> score KB_RATWARE_OUTLOOK_16 0.1
>
>
> -- 
> Exit, pursued by a bear.
>


Re: New spam-to me-and how do I stop. THANK YOU!

2009-01-09 Thread Craig
Your ideas and suggestions worked!
 
I just wanted to say thanks for everyone who replied, I hope I am incorrect in 
the following statement but I am going to say it anyway-I am guessing many 
users on this thread are like me-we post questions ( I have posted 2 over the 
last 5 years) , but rarely if ever feel we are expert enough to help answer 
any, or more sadly, take the time to. I do appreciate those of you who help 
people like me out!
 
Cheers-
Craig
 
>>> Sergey Kovalev  1/9/2009 3:52 AM >>>
Craig wrote:
> 
> Here are the links to 3 sample messages-
>  
> http://pastebin.com/d59f95b6d 
> http://pastebin.com/d17f12f4 
> http://pastebin.com/m46ce2877 

I can only see the last message now.

Probably you may try to detect blank lines in the body or blank spaces
in html.
In Mail::SpamAssassin::Plugin::BodyEval there is a function
check_blank_line_ratio(...) which can be modified for using  just N head
lines or rule like

body BLANK_LINES_30_80  eval:check_blank_line_ratio('30','80','40')
describe BLANK_LINES_30_80  Message body has 30-80% blank lines

may be created. But you should supply your own parameters to the
function. Because I don't know how many legitimate e-mails with many
blank lines you receive.



Re: New spam-to me-and how do I stop.

2009-01-08 Thread Craig


>>> Randy  1/8/2009 8:09 AM >>>
Matus UHLAR - fantomas wrote:
> On 07.01.09 11:46, Craig wrote:
>   
>> X-Mailer: Novell GroupWise Internet Agent 7.0.2 HP
>> 
>
>   
>>>>> Randy  1/6/2009 2:42 PM >>>
>>>>>   
>> Post 3 similar messages on pastbin so that we can determine a common 
>> factor between them. Use pastbin, not this list to post the message.
>> 
>
>   
>> I have 3 messages posted at pastebin.com under the user craig.
>>  
>> Thanks.
>> 
>
> Please, quote content you are replying to, so we can differ between text
> written by you and others.
>
>   
I briefly looked for this and can't find the 3 messages. I think 
posting a link may help.
 
Here are the links to 3 sample messages-
 
http://pastebin.com/d59f95b6d 
http://pastebin.com/d17f12f4 
http://pastebin.com/m46ce2877 
 
Thanks.


Re: New spam-to me-and how do I stop.

2009-01-07 Thread Craig
Links would help-
http://pastebin.com/d59f95b6d 
http://pastebin.com/d17f12f4 
http://pastebin.com/m46ce2877 
>>> "Craig"  1/7/2009 11:46 AM >>>


>>> Randy  1/6/2009 2:42 PM >>>
Craig wrote:
>
>
> >>> Randy  1/6/2009 2:18 PM >>>
> Craig wrote:
> > Hello All-
> > 
> > I have recently been getting MANY spam slipping through Spamassassin
> > and I am looking for help on how to stop.  I have used Spamassassin
> > with Bayes successfully for many years now and once I train the system
> > on new spam, the system does an excellent job of stopping. These
> > messages are very short and include a link.  The subject is usually
> > regarding watches, or are thinly disguised viagra ads. Many are sent
> > from aim.com Below is header info and below that is the Spamassassin
> > output of an email that has slipped through.
> >
> >
> >  0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
> > [score: 0.5000]
> Content analysis details:   (3.3 points, 5.0 required)
>
> Train the messages as spam with sa-learn which should add 3.5 to the 
> score.
>
> 3.5+3.3=6.8
> 6.8 > 5.0 = spam
>  
> thanks for your quick reply-
>  
> You are correct if I teach the system this email it will score as 
> spam.  But, I have trained a lot of spam over the last 2 weeks that 
> are very similar to this one and unfortunately the new messages are 
> getting through.
>
Post 3 similar messages on pastbin so that we can determine a common 
factor between them. Use pastbin, not this list to post the message.
 
I have 3 messages posted at pastebin.com under the user craig.
 
Thanks.


Re: New spam-to me-and how do I stop.

2009-01-07 Thread Craig


>>> Randy  1/6/2009 2:42 PM >>>
Craig wrote:
>
>
> >>> Randy  1/6/2009 2:18 PM >>>
> Craig wrote:
> > Hello All-
> > 
> > I have recently been getting MANY spam slipping through Spamassassin
> > and I am looking for help on how to stop.  I have used Spamassassin
> > with Bayes successfully for many years now and once I train the system
> > on new spam, the system does an excellent job of stopping. These
> > messages are very short and include a link.  The subject is usually
> > regarding watches, or are thinly disguised viagra ads. Many are sent
> > from aim.com Below is header info and below that is the Spamassassin
> > output of an email that has slipped through.
> >
> >
> >  0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
> > [score: 0.5000]
> Content analysis details:   (3.3 points, 5.0 required)
>
> Train the messages as spam with sa-learn which should add 3.5 to the 
> score.
>
> 3.5+3.3=6.8
> 6.8 > 5.0 = spam
>  
> thanks for your quick reply-
>  
> You are correct if I teach the system this email it will score as 
> spam.  But, I have trained a lot of spam over the last 2 weeks that 
> are very similar to this one and unfortunately the new messages are 
> getting through.
>
Post 3 similar messages on pastbin so that we can determine a common 
factor between them. Use pastbin, not this list to post the message.
 
I have 3 messages posted at pastebin.com under the user craig.
 
Thanks.


Re: New spam-to me-and how do I stop.

2009-01-07 Thread Craig


>>> Randy  1/6/2009 2:42 PM >>>
Craig wrote:
>
>
> >>> Randy  1/6/2009 2:18 PM >>>
> Craig wrote:
> > Hello All-
> > 
> > I have recently been getting MANY spam slipping through Spamassassin
> > and I am looking for help on how to stop.  I have used Spamassassin
> > with Bayes successfully for many years now and once I train the system
> > on new spam, the system does an excellent job of stopping. These
> > messages are very short and include a link.  The subject is usually
> > regarding watches, or are thinly disguised viagra ads. Many are sent
> > from aim.com Below is header info and below that is the Spamassassin
> > output of an email that has slipped through.
> >
> >
> >  0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
> > [score: 0.5000]
> Content analysis details:   (3.3 points, 5.0 required)
>
> Train the messages as spam with sa-learn which should add 3.5 to the 
> score.
>
> 3.5+3.3=6.8
> 6.8 > 5.0 = spam
>  
> thanks for your quick reply-
>  
> You are correct if I teach the system this email it will score as 
> spam.  But, I have trained a lot of spam over the last 2 weeks that 
> are very similar to this one and unfortunately the new messages are 
> getting through.
>
Post 3 similar messages on pastbin so that we can determine a common 
factor between them. Use pastbin, not this list to post the message.
 
Pastbin-I am not familiar with this-what is the url?


Re: New spam-to me-and how do I stop.

2009-01-06 Thread Craig


>>> Randy  1/6/2009 2:18 PM >>>
Craig wrote:
> Hello All-
>  
> I have recently been getting MANY spam slipping through Spamassassin 
> and I am looking for help on how to stop.  I have used Spamassassin 
> with Bayes successfully for many years now and once I train the system 
> on new spam, the system does an excellent job of stopping. These 
> messages are very short and include a link.  The subject is usually 
> regarding watches, or are thinly disguised viagra ads. Many are sent 
> from aim.com Below is header info and below that is the Spamassassin 
> output of an email that has slipped through. 
>
>
>  0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
> [score: 0.5000]
Content analysis details:   (3.3 points, 5.0 required)

Train the messages as spam with sa-learn which should add 3.5 to the score.

3.5+3.3=6.8
6.8 > 5.0 = spam
 
thanks for your quick reply-
 
You are correct if I teach the system this email it will score as spam.  But, I 
have trained a lot of spam over the last 2 weeks that are very similar to this 
one and unfortunately the new messages are getting through.



Listing all rules and all scores

2008-04-09 Thread Craig Cocca

Spamassassin Users,

Is there an easy way to get spamassassin to list out all of the rules  
and all of the rule scores it's currently using?  The debug output  
only tells you what modules and configuration files are loaded, but  
we're looking for a comprehensive accounting of all of the rule names/ 
scores.


Thanks,

Craig D. Cocca
Lead Developer
ULTIMATE Internet Access
[EMAIL PROTECTED]






Re: not scoring correctly

2007-07-18 Thread Craig Carriere




I use 256K, but I have a small volume (about a thousand emails a day)
server load.  We are also experimenting with the SaneSecurity
definitions for clam which catch a lot of this rodent mail as well and
should lower the SA load.

Glad it helped.


Robert Fitzpatrick wrote:
> On Wed, 2007-07-18 at 09:57 -0500, Administrator wrote:
>> A rough guess and probably wrong as usual, but could the message size be
>> larger than what you have set in amavisd-new?  If so then SA would be
>> bypassed but not when you manually test the message.
>
> Ding! Thanks! It is set at 64*1024 falling short of all these 70K+ PDF
> messages. What is recommended bypass these days considering the types of
> spam out there? I raised it to 128*1024, but I don't want to choke these
> heavily used gateways.

  



begin:vcard
fn:Dr. Craig Carriere
n:Carriere;Craig
org:Cobatco Inc.;Technology Development
adr:;;1215 NE Adams Street;Peoria;IL;61550;USA
email;internet:[EMAIL PROTECTED]
tel;work:309.676.2663
tel;fax:309.676.2667
url:http://www.cobatco.com
version:2.1
end:vcard



Re: pdf tools clarification?

2007-07-16 Thread Craig Carriere




Not really SA specific, but to add to your list are the SaneSecurity
virus definitions for ClamAV which also apparently catches a lot of
this type of rodent-mail if you are willing to use third party virus
definitions.

I have also enabled additional RBL look-ups for our site for some of
the quicker responding, but more aggressive RBLs and the additional
modest scores from some of these has helped us to catch nearly all of
the pdf-type scams.

YMMV


JT DeLys wrote:
> Hi Jerry,
>
>> I noticed that sa-update last night pulled in something new, but I
>> don't know which of the files changed since they all have today's
>> date on them.  Maybe that was it.
>
> i don't know if  it's the  /only/ place that it's available, but,
> you're correct -- a manual sa-update pulled the 80_additioanl.cf file.
> Thanks.
>
> Still hoping to get some clarification about/among the others.
>
> -- 
> Thanks,
>
> JTDeLys




Re: Returned mail: see transcript for details

2007-07-03 Thread Craig Carriere
Jonathan:

No need to apologize at all; you did me a favor by letting me know we
were still having these issues with our ISP's "anti-spam" methods.  Will
get this sorted out one way or the other.  Trying to keep your users'
mailboxes free of spam is work enough, but having to battle with your
ISP over services you are supposed to be opted out of is another issue.

Thanks again and another apology to any on the list who were offended by
my ISP's response.

Jonathan Allen wrote:
> List and [EMAIL PROTECTED],
>
>   
>> First off sorry for the problem and to any from the country of Poland
>> that were offended by this.
>> 
>
> I need to apologise to the nice chap at cobatco - I really didn't mean
> to cause you any embarrassment on the public list, but I didn't think
> I could reach you any other way since your ISP is blocking my emails.
> Someone else suggested that I should have used the [EMAIL PROTECTED]
> address since by the RFC that isn't supposed to be filtered, but I had
> already posted by then.
>
>   
>> Gives me something to address this afternoon since I thought I had this
>> solved ...
>> 
>
> Hope you get it fixed ...
>
> Jonathan
>
>   


SaneSecurity

2007-06-27 Thread Craig Carriere
Perhaps more a clamav question, but does anyone use the additional
definitions for clam from SaneSecurity and are they helpful in the Spam
Wars?

Thanks




Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam

2007-06-21 Thread Craig Carriere


Matt wrote:
>> First - use dummy MX records. Real mail retries. Botnet and most
>> spammers don't. It's easier for them to try to spam someone else than to
>> fight your filter. MX config is as follows:
>>
>> dummy - 10
>> real - 20
>> real-backups - 30
>> dummy - 40
>> dummy - 50
>> dummy - 60
>
> Currently I have mail.mydomain.com as 10.  Can I just change that to
> 20 and add mail5.mydomain.com as 10 but not have an IP associated with
> mail5.mydomain.com or will that cause trouble?
>
> Matt
>

Are you sure about this approach?  Most of what hits our backup server,
listed at a higher MX record, is spam.  I was, and am, under the
impression that many spambots are set to fire at higher MXs under the
assumption that admins might not spend as much time on the anti-spam
set-up of these servers.


Re: Bayes Misidentification

2007-06-04 Thread Craig Carriere
Just a guess and probably wrong, but if you encrypt your data in mySQL
are you sure your system can read the key file and de-crypt the data? 
If not bayes will be fed encrypted mail and will soon become
corrupted.  Also have you tried to simply delete all from your mySQL
bayes bases and retrain it? 

Ben Lentz wrote:
> Greetings list!
>
> Starting Friday, June 1st, every email that passes through my
> site-wide SpamAssassin system has been coming through with BAYES_99.
> I've been running with Bayes for months without any accuracy problems,
> and I can't figure out what has changed.
>
> I am storing the Bayes data in a MySQL database. I tried truncating
> the database on Friday when I first detected this issue, but sure
> enough, all my external messages are now coming through with BAYES_99
> again.
>
> I don't trust the Bayes system any more and after many user
> complaints, I've opted to turn it off. However, setting use_bayes 0
> doesn't seem to do anything; messages are still coming through with
> BAYES_99.
>
> Is anyone else having this issue? Is my database just being poisoned
> over and over again?
>
> Thanks for any input anyone can provide.
>



Re: SA 3.2 , AWL and auto_whitelist_factor

2007-06-04 Thread Craig Carriere




For how AWL computes its scores see

http://wiki.apache.org/spamassassin/AutoWhitelist.

For doing manual whitelisting see

http://wiki.apache.org/spamassassin/ManualWhitelist.

How do you call spamassassin?  If from amavis you can also whitelist in
its config files.


.rp wrote:
> I'm very confused now.
> How does it determine which message to use for the 'old score' ?
> if I wanted to assign a negative number to those addresses that are 
> whitelisted in order to let more of them through, what am I supposed to use 
> if not AWL ?
> thanks,
>
> On 31 May 2007 at 11:56, Craig Carriere wrote:
>
>> Perhaps I am misinterpreting what you are asking, but AWL is not a
>> whitelist that you can assign a set score to; it is a weighting
>> function. By assigning a factor of 0.7 to AWL you asked it to bias its
>> setting to basically 70% of the difference between the old score for
>> that message and the new score for mail of this type.
>>
>> At its default setting of 0.5 if you receive a mail message that is
>> scored at 2 and another comes in at 4, AWL will assign a score of -1
>> to the message to bring it to a total of 3. This will vary with each
>> message and I see no way or value in having this function defined at a
>> set number.
>>
>> I wish they would change the name of this thing to something more
>> descriptive.
>>
>> .rp wrote: 
>>> in the /etc/mail/spamassassin/local.cf there is an entry
>>> auto_whitelist_factor 0.7
>>>
>>> Yet in the scoring , the listing is:
>>> *header * -0.1 AWL AWL: From: address is in the auto white-list
>>>
>>> where did the -0.1 come from? how can i change it to -1.0 ?
>>>
>>> thanks.






Re: SA 3.2 , AWL and auto_whitelist_factor

2007-05-31 Thread Craig Carriere




Perhaps I am misinterpreting what you are asking, but AWL is not a
whitelist that you can assign a set score to; it is a weighting
function.  By assigning a factor of 0.7 to AWL you asked it to bias its
setting to basically 70% of the difference between the old score for
that message and the new score for mail of this type.

At its default setting of 0.5 if you receive a mail message that is
scored at 2 and another comes in at 4, AWL will assign a score of -1 to
the message to bring it to a total of 3.  This will vary with each
message and I see no way or value in having this function defined at a
set number.

I wish they would change the name of this thing to something more
descriptive.

.rp wrote:
> in the /etc/mail/spamassassin/local.cf there is an entry
> auto_whitelist_factor 0.7
>
> Yet in the scoring , the listing is:
> *header * -0.1 AWL AWL: From: address is in the auto white-list
>
> where did the -0.1 come from? how can i change it to -1.0 ?
>
> thanks.



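The weighting described in the two auto_whitelist_factor posts above, as an added example (not code from the posts or from the SpamAssassin project): a simplified Python model in which AWL pulls each message's score toward the sender's historical mean by `factor`, so the AWL line in a report is different for every message. The names `AwlModel` and `replay`, the sender address and the score sequences are constructed for illustration, and history is keyed by sender address only, which is a simplification.

```python
from dataclasses import dataclass, field


@dataclass
class SenderHistory:
    count: int = 0      # messages already seen from this sender
    total: float = 0.0  # sum of their scores before any AWL adjustment


@dataclass
class AwlModel:
    factor: float = 0.5                          # auto_whitelist_factor
    senders: dict = field(default_factory=dict)  # sender -> SenderHistory

    def score(self, sender, points):
        """Return (awl_delta, final_score) for one message.

        points is the message's score from all other rules. The delta
        moves it toward the sender's mean so far; the unadjusted score
        is then added to the history for the next message.
        """
        hist = self.senders.setdefault(sender, SenderHistory())
        delta = 0.0
        if hist.count:  # no history yet means no adjustment
            mean = hist.total / hist.count
            delta = (mean - points) * self.factor
        hist.count += 1
        hist.total += points
        return round(delta, 3), round(points + delta, 3)


def replay(factor, points_seq, sender="sender@example.test"):
    """Feed a constructed sequence of scores from one sender through the model."""
    awl = AwlModel(factor=factor)
    return [awl.score(sender, p) for p in points_seq]


if __name__ == "__main__":
    # The case from the post: factor 0.5, a message at 2, then one at 4.
    print("factor 0.5:", replay(0.5, [2.0, 4.0]))

    # Same history, factor 0.7: a larger share of the gap is removed.
    print("factor 0.7:", replay(0.7, [2.0, 4.0]))

    # A sender with a low-scoring history sends one message scoring 6.0.
    # AWL subtracts enough to drop it under a 5.0 threshold.
    print("ham history, then spam:", replay(0.5, [0.5, 0.3, 0.4, 6.0])[-1])

    # The reverse: a sender with a high-scoring history sends a clean message.
    print("spam history, then ham:", replay(0.5, [8.0, 9.0, 7.0, 1.0])[-1])
```
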



Re: Lint results question

2007-05-17 Thread Craig Carriere




In my humble opinion, no.  What you are seeing is a warning from SA
that the author of that rule has been too verbose in their description
section.  SA has gotten more strict with many aspects of rules format
over the past several releases.  The warning is not an indication that
the rule will not be called.

Clay Davis wrote:
> Should I be concerned with the following as a result of "--lint -D"?
>
> config: SpamAssassin failed to parse line, skipping: check_mx_delay  5
> warning: description for FS_START_DOYOU2 is over 50 chars
>
> Thanks,
> Clay






Re: BAYES_99 triggered on every message

2007-05-16 Thread Craig Carriere
Perhaps a dumb comment on my part, but have you tried to delete the
table entries from the mySQL database and are you sure you are using the
SA user?  Doesn't sa-learn --clean only clear the Berkeley dbs and you
appear to state that you are using mySQL.

Best


Jari Fredriksson wrote:
>
> SpamAssassin version 3.1.8 assembled via cpan
>
> Every message gets BAYES_99, even when
>
> a) the message has no body
>
> b) I have cleaned the database with sa-learn --clean (Still BAYES_99
> while the bayes should be off!)
>
> The bayes database is in  a MySQL instance, and the connection works
> (-D --lint sees it).
>
> I tried to google and found one similar question out there, but no
> answers. So it is not a systematic error in some version but something
> more rare.
>
> I have used SA for years, and this thing appeared when I installed SA
> once more again via cpan, while earlier versions installed with Debian
> Sarge worked ok. Also earlier versions installed via cpan on top of
> Red Hat 7.3 worked ok.
>
>
>



Re: Problem installing SA 3.2.0 via CPAN on OPenSuSE 10.2 or SLES 10

2007-05-08 Thread Craig Carriere
Stephen:

A follow up to my own message.  I have been able to successfully install
3.2 on my backup SLES 10 mail server from the download source code. 
CPAN still fails with the error you mentioned.   When I installed 3.18 I
used CPAN without problems.

Best


Craig Carriere wrote:
> Stephen:
>
> Cannot help you out, but I also receive the same errors on both of my
> SLES10 boxes.  Install on Opensuse 10.1 from either source or cpan works
> fine which is strange since SLES10 is based on 10.1.
>
> Best,
>
> Stephen Carter wrote:
>   
>> Hi guys,
>>
>> I've tried to install SA 3.2.0 on both an unpatched and fully patched 
>> versions of OpenSuSE 10.2 and SLES 10 via CPAN but on all attempts I receive 
>> the following errors during one of the test phases. It would be great if 
>> someone could help me out.
>>
>> t/spamc_z...Not found: firstline =  Return-Path: [EMAIL 
>> PROTECTED]
>> # Failed test 2 in t/SATest.pm at line 633
>> Not found: subj =  Subject: There yours for FREE!
>> # Failed test 3 in t/SATest.pm at line 633 fail #2
>> Not found: endsinnums =  TEST_ENDSNUMS
>> # Failed test 4 in t/SATest.pm at line 633 fail #3
>> Not found: noreal =  TEST_NOREALNAME
>> # Failed test 5 in t/SATest.pm at line 633 fail #4
>> Not found: lastline =  This must be the very last line
>> # Failed test 6 in t/SATest.pm at line 633 fail #5
>> Not found: flag =  X-Spam-Flag: YES
>> # Failed test 7 in t/SATest.pm at line 633 fail #6
>> Not found: stars =  X-Spam-Level: **
>> # Failed test 8 in t/SATest.pm at line 633 fail #7
>> Not found: status =  X-Spam-Status: Yes, score=
>> # Failed test 9 in t/SATest.pm at line 633 fail #8
>> Output can be examined in: log/d.spamc_z/out.1
>> t/spamc_z...FAILED tests 2-9
>> Failed 8/9 tests, 11.11% okay
>>
>> Thanks,
>>
>>   
>> 



Re: Problem installing SA 3.2.0 via CPAN on OPenSuSE 10.2 or SLES 10

2007-05-08 Thread Craig Carriere
Stephen:

Cannot help you out, but I also receive the same errors on both of my
SLES10 boxes.  Install on Opensuse 10.1 from either source or cpan works
fine which is strange since SLES10 is based on 10.1.

Best,

Stephen Carter wrote:
> Hi guys,
>
> I've tried to install SA 3.2.0 on both an unpatched and fully patched 
> versions of OpenSuSE 10.2 and SLES 10 via CPAN but on all attempts I receive 
> the following errors during one of the test phases. It would be great if 
> someone could help me out.
>
> t/spamc_z...Not found: firstline =  Return-Path: [EMAIL 
> PROTECTED]
> # Failed test 2 in t/SATest.pm at line 633
> Not found: subj =  Subject: There yours for FREE!
> # Failed test 3 in t/SATest.pm at line 633 fail #2
> Not found: endsinnums =  TEST_ENDSNUMS
> # Failed test 4 in t/SATest.pm at line 633 fail #3
> Not found: noreal =  TEST_NOREALNAME
> # Failed test 5 in t/SATest.pm at line 633 fail #4
> Not found: lastline =  This must be the very last line
> # Failed test 6 in t/SATest.pm at line 633 fail #5
> Not found: flag =  X-Spam-Flag: YES
> # Failed test 7 in t/SATest.pm at line 633 fail #6
> Not found: stars =  X-Spam-Level: **
> # Failed test 8 in t/SATest.pm at line 633 fail #7
> Not found: status =  X-Spam-Status: Yes, score=
> # Failed test 9 in t/SATest.pm at line 633 fail #8
> Output can be examined in: log/d.spamc_z/out.1
> t/spamc_z...FAILED tests 2-9
> Failed 8/9 tests, 11.11% okay
>
> Thanks,
>
>   



Re: AWL Troubles

2007-05-07 Thread Craig Carriere




AWL is not a whitelist as I think you are referring to it as.  AWL is a
weighting that applies a +/- score to mail  that it sees as spam or
ham  from repeated learning of similar mail types.  If AWL is routinely
assigning the wrong weight to your mail then I would delete the table
in your database and let the system relearn; however if this is the
case I would suspect that your bayes database must also be askew.

Best

Clay Davis wrote:
> I need a quickie on the AWL.  It looks like some spam is getting
> assigned a negative score because of an AWL rule(?).  The messages are
> text and not too spammy otherwise, but from a layman's perspective,
> definitely not something that should be on a whitelist.  I know how to
> remove from the whitelist, but how did they get there in the first
> place?
>
> Thanks, gang.
>
> Clay






Re: ANNOUNCE: Apache SpamAssassin 3.2.0 available

2007-05-03 Thread Craig Carriere




I receive the exact same error on SLES10 FWIW.

Michael Scheidell wrote:
>> -Original Message-
>> From: Justin Mason [mailto:[EMAIL PROTECTED]] 
>> Sent: Wednesday, May 02, 2007 8:43 AM
>> To: users@SpamAssassin.apache.org; 
>> [EMAIL PROTECTED]; [EMAIL PROTECTED]
>> Subject: ANNOUNCE: Apache SpamAssassin 3.2.0 available
>>
>> Apache SpamAssassin 3.2.0 is now available!  This is the 
>> official release, and contains a significant number of 
>> changes and major enhancements -- please use it!
>>
>> Downloads are available from:
>>   http://spamassassin.apache.org/downloads.cgi?update=200705021400
>
> Still get this on Freebsd, sa-compile SEEMS to run fine, but this
> happens
>
> [97520] dbg: rules: compiled one_line_body tests
> [97520] dbg: zoom: run_body_fast_scan for body_0 start
> /libexec/ld-elf.so.1: /var/db/spamassassin/compiled/3.002000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so: Undefined symbol "Mail_SpamAssassin_CompiledRegexps_body_0_scan1"


  






Re: RBL tests on MTA vs. RBL rules on SA

2007-04-25 Thread Craig Carriere




Bret:

You do not mean you run the same RBLs at the MTA and SA level do you? 
If the MTA rejects on an RBL there should be nothing for SA to score on
as that message is rejected already.  I currently score in SA on a
number of RBLs but would be interested to know what you regard as safe
to use at the MTA level.  Although our mail volume is small we need to
receive mail from customers who I have found can be listed on several
of the more aggressive RBLs, thus I have given up trying to reject at
the MTA level.

Thanks

Bret Miller wrote:
>> Hi, list, I know this is one of those "egg and chicken" kind 
>> of questions, but having now the possibility of checking the 
>> impact of various setups, I was wondering if it is more 
>> convenient to let the MTA perform the RBL checks, or disable 
>> them and let SA do this job. 
>> Currently I am using zen.spamhaus.org as my primary (and 
>> only) RBL tester on Postfix, and I am kinda surprised. The 
>> daily statistics show that my server is rejecting almost 
>> 22000 connections a day, and accepting only 2500-3000 emails. 
>> The major drawback is bayes. It seems to lack the necessary 
>> amount of data to catch up as the spam evolves, so I'm 
>> continuously getting new kinds of spam (meaning that I can't 
>> figure out a tendency to draw a rule from). So I'm asking if 
>> anyone has a solution for this, or how do you deal with this 
>> (to me) delicate balance.
>
> For me, it's not an either-or choice. The RBLs I can use on the MTA are
> very limited because the consequences of a false-positive are very
> severe (i.e., the message doesn't even get received). Dropping the same
> from SA reduces its effectiveness. So, I just run them in both places.
> Repeating a DNS lookup shouldn't be too expensive if your DNS server
> caches the result.
>
> Bret




  






Bayes Question

2007-04-23 Thread Craig
Hello All-
 
My bayes database seems to have problems and I would like suggestion on
how to correct.  Here is my issue-
I take any spam email from my users and run the following commands
a. spamassassin -R name of spam file to check
b. spamassassin -r name of spam file to check
c. sa-learn --forget name of spam file to check
d. sa-learn --spam name of spam file to check
 
I re-run an email (spamassassin -D -t  name of spam file to check.txt)
to check all is well-that bayes learned the email as spam.  Today
after running the above I still have several messages with the following
output info:
 
Content analysis details:   (-0.1 points, 5.0 required)
 
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.2729]
Thoughts?
 
Thanks
Craig
 


Re: Rules report

2007-04-19 Thread Craig Carriere




I utilize amavisd-maia (Maia Mailguard) which provides updated rules
stats.  The program also provides an easy method to constantly train
your bayes filters.  You might want to take a look at it.

Best

Robert Fitzpatrick wrote:
> On Thu, 2007-04-19 at 15:03 +0100, Chris Lear wrote:
>> * Matt Kettler wrote (19/04/07 14:49):
>>> If you want to know how accurate a particular rule is, by comparing the
>>> spam vs nonspam hit rates, those stats are useless, because of the bias.
>>> You need a manually sorted corpus to get this kind of information.
>>>
>>> If you want to see which rules are getting used a lot, vs those that are
>>> rarely getting used, these stats are quite useful.
>>>
>>> If you want a "top x rules" list, sa-stats can do that for you:
>>>
>>> http://www.rulesemporium.com/programs/sa-stats.txt
>>
>> http://www.rulesemporium.com/programs/sa-stats-1.0.txt is probably a bit 
>> better in this case.
>>
>>> It will parse a spamd logfile and report the most-frequently used spam
>>> and nonspam rules (and you can configure how many it will list for each)
>>
>> The 1.0 version can do per-domain and per-user info, given a 3.1 log.
>
> Yes, this is all I'm after, but we use Amavisd-new to pass off to SA,
> not spamd. The amavisd logs don't seem to show that information. Will it
> work? Or is there a way to do this with amavisd?

  





Re: Fighting ham

2007-04-19 Thread Craig Carriere
Does this really mean that auto-learn is "out of balance"?  My first
guess is that this site probably relies only on SA to combat spam and
does little at the MTA level to reject UBE mail.  They may even run a
catch-all account which would markedly increase his spam count if he is
not rejecting for non-existent users.  At my small mail server even with
MTA restrictions, conservative ones, in place our spam hits outnumber
ham by probably 4-5 to 1.  It is just the nature of the beast.  I do
agree that he needs to manually train his bayes bases and probably keep
feeding ham into the bayes engine after it starts to fire.

As an aside do you use any MTA restrictions and/or greylisting?

Best

Duane Hill wrote:
> On Wed, 18 Apr 2007, Faisal N Jawdat wrote:
>
>> On Apr 18, 2007, at 4:26 PM, Robert Fitzpatrick wrote:
>>> Thanks, we are rebuilding bayes and now have in SQL with auto learn
>>> on, is that good? Now has over 25K spam, but just 180 ham.
>>
>> You *really* want to train with more ham than spam.
>
> I have a hard time believing auto learn could be so off-balance. I had
> auto learn turned on here once and the two were usually within 200-300
> messages. Before I turned auto learn off, the bayes_token table had
> over 85 million records in just over three weeks. We ended up letting
> our customers choose whether they wanted to use auto learn or not
> through using the sasql plugin for SquirrelMail.
>


Re: Fighting ham

2007-04-18 Thread Craig Carriere
Robert:

It sounds like your problem rests with your bayes database.  Some SA
rules will fire on almost all mail, but a properly trained bayes filter
should be able to reduce your scores to under your spam threshold.  None
of these scores rate out very aggressively so I am surprised that these
are pushing you over your spam threshold.  How have you trained bayes
with your spam and ham mail?  Also I think that the default SA setting of
200 spam and 200 ham is a little low and do not regard bayes as truly
effective until about 1000 messages of each kind are learned.  That being
said I would, and have, reduced the default score for Botnet from 5.0 to
3.0.  Also, if you run the 00_ version of Fred's rules note that many
of them are very aggressively scored.  I personally do not let any rule
score at over 3.0, except some network tests, to allow bayes to recover
the mail from listing as a FP.

Best

Robert Fitzpatrick wrote:
> Our bayes was apparently giving negative scores incorrectly and I
> re-built it since it was not effective and letting through a lot of
> spam. I didn't realize, but it seems those negative scores were keeping
> SA from applying other tests? Since fixing bayes, we are blocking so
> much ham it is not funny. These are the rules that I have basically had
> to disable them below. We run Rules Du Jour, but only zero level rules,
> those are the only updates besides bayes, plus KAM.cf and Botnet.cf.
> Given Botnet.cf blocks quite a few, but I understand why. I don't know
> if any of these rules are part of RDJ, but why so much ham is being hit
> with only these rules. Does SA with updates and these rules hit so much
> ham for others? We are constantly getting complaints of our over
> aggressive spam filters.
>
> score PART_CID_STOCK 0
> score PART_CID_STOCK_LESS 0
> score TVD_FW_GRAPHIC_ID1 0
> score TVD_FW_GRAPHIC_ID3 0
> score TVD_FW_GRAPHIC_ID3_2 0
> score MY_CID_AND_STYLE 0
>
>   


Response

2007-04-13 Thread Craig Carriere





Mário Gamito wrote:
> Hi,
>
> How can i know how many messages did already sa-learn processed ?

You mean the total number of messages learned in the bayes database
(includes sa-learn and autolearn)?

sa-learn --dump magic

Make sure you run as SA user to query the right database.









sa-update too quiet

2007-03-29 Thread Craig M

Could future versions of sa-update please be a little more vocal?  

Like maybe "no new updates found | loaded xxx new updates | error xxx"

Exit codes are not evident when simply typing sa-update on the command
line...




SA 3.1.8 with Guinevere and Groupwise integration

2007-02-28 Thread Craig
Hello All-
I currently run Groupwise 7 as my mailserver and use Guinevere with SA enabled 
to scan messages.  My current version of SA is 3.1.7.
I tested upgrading to SA 3.1.8 and I receive the following score on ALL emails-
 2.5 MISSING_HB_SEP
In SA 3.1.7 and earlier there was a fix written by Michael Bell (I am guessing 
it was him-I want to give credit where credit is due, because I never would have 
figured it out by myself) the link is http://64.142.36.76/fixguin310.html 
 
Yes I realize this is more of a question for the GroupWise/Guinevere people, 
but this board seems to have a lot of correct answers.
Are there some changes I can do to SA to allow me to continue upgrading to the 
latest versions of SA, or am I going to top out at 3.1.7?
 
Obviously I could give Missing_HB_SEP a score of 0, but I would prefer to keep 
all tests.
 
Thanks
Craig Canfield


Retry of inquiry about single-GIF leaks

2007-02-27 Thread craig

Yesterday I wrote to express surprise that our SA tends to leak
spam into our Inbox that contains one GIF image, and that none
of the built-in tests involving images triggers on such emails.

Looking more at such spam, it looks like they avoid the built-in
tests by the following means:

1. They provide enough (visible but meaningless) text to exceed
HTML_IMAGE_ONLY_32 and __HTML_LENGTH_1536_2048.

2. The text has enough relative area to exceed
HTML_IMAGE_RATIO_08.

3. The text size is large enough to exceed the small font size tests.

For myself, I would be happy to have one or more new tests that
detect something like "one GIF image, the length or area of
which exceeds a gadget like a signature, button, or icon".  By
scoring such a thing with maybe 2 points, I could consign this
last major category of spam leaks to the Junk folder.

Have such test(s) been written, and if so can I get them, and
if so, how?

If not, can anyone suggest resources that might help me write
my own test(s)?  Particularly of interest are routines that
measure the source length or decoded area of an image.

Thanks,
Craig MacKenna
www.animalhead.com

P.S.: those of you interested in DNSBLs might like
http://www.animalhead.com/false_pos.html



spam with image/gif doesn't show a rule for "image"

2007-02-26 Thread craig

Hi SA users,

We're receiving leaked spam that has one gif image in each.  In such emails,
the SA status line doesn't show a rule match for an image.  Here's a sample:


No, score=3.0 required=5.0 tests=EXTRA_MPART_TYPE,HTML_MESSAGE   
autolearn=no version=3.1.7


Looking at the source for the email with that status line, it contains a MIME
header like this:

--=_NextPart_751_0238_74D66A10.EB28167E
Content-Type: image/gif;
name="aedvi.gif"
Content-Transfer-Encoding: base64

Shouldn't SA notice this image and show an image item in its status line?

If so, is this a known problem and is there a fix available?

Thanks for your consideration,
Craig MacKenna
www.animalhead.com
Los Gatos, CA



Re: Training Bayesian Filter

2007-01-04 Thread Craig
Do you have a size limit set?  I.E. only messages less than xxx size
will be scanned-and are these spam greater than xxx.

>>> <[EMAIL PROTECTED]> 1/4/2007 4:14 AM >>>
>[EMAIL PROTECTED] wrote:
> Running spamassassin 3.0 and I'm invoking it through amavisd. When I
> train the spamassassin using sa-learn for ham and spam respectively,
> it seems to only work for the ham not the spam. The command runs fine,
> but spam e-mail that I trained spamassassin with still show up
> untagged as spam. The ham e-mail that I trained spamassassin with work
> fine and they don't get tagged as spam anymore.
>
> Running spamassassin under Mandriva
> 2006 Linux.
>
> Your help would be appreciated.
>This depends on how your server is set up.  Are you using mbox style in-boxes?
>If so, make sure that you're using the --mbox switch along with the --spam or --ham switches.
>-=Aubrey=-

I'm not using mbox style in-boxes, therefore I don't use that switch.
Like I mentioned before. The commands sa-learn --ham and sa-learn --spam
run successfully and spamassassin reports that it learns from x amount
of messages from both. The issue is that in practice, only the ham seem
to take effect and the spam still come through as untagged.



Re: SA not firing on every email

2006-12-07 Thread Craig
Thanks for your reply
 
It's not that the server is too busy-I can put any one of those emails in the 
receive directory when no other emails are in the queue-and being scanned and it 
still gets passed through.
 
Size is not an issue, the emails are 26k.
 
More details-
I have spamassassin integrated with Guinevere, and Groupwise is my mail 
application.
 
Any and all suggestions are welcome!

>>> Rick Macdougall <[EMAIL PROTECTED]> 12/06/2006 5:01 PM >>>
Craig wrote:
> Yes I have asked this question previously, but  with not as much detail.
>  
> MY ENVIRONMENT
> SA 3.1.7
> running on Windows 2000
> Using Bayes
>  
> In the past 2 days my email server has received 14,973 email messages, 
> Spamassassin has scanned 10,951 of those messages, and my users have 
> received @ 250 spam messages.
>  
> Most of those spam messages have Subjects like;
> - All love enhancers on one portal!
> - Full of health? Then don't click!
> - Need medicine? All here!
>   and my favorite
> - She wants a better sex? All you need's here!
>  
> Why does SA fire on some emails (10,951) and not others (4,022)
> If I run any of these captured emails through manually, they score 50+ 
> points.
>  

Hi,

Perhaps SA was too busy and those messages timed out and weren't scanned 
?  Maybe those messages were greater than 250K (default max scan size) ?

I'd personally go with option 1 but I don't know your server setup, how 
many children you allow with spamd and how busy your server is.

Regards,

Rick



SA not firing on every email

2006-12-06 Thread Craig
Yes I have asked this question previously, but  with not as much detail.
 
MY ENVIRONMENT
SA 3.1.7
running on Windows 2000
Using Bayes
 
In the past 2 days my email server has received 14,973 email messages, 
Spamassassin has scanned 10,951 of those messages, and my users have received @ 
250 spam messages.
 
Most of those spam messages have Subjects like;
- All love enhancers on one portal!
- Full of health? Then don't click!
- Need medicine? All here!
  and my favorite
- She wants a better sex? All you need's here!
 
Why does SA fire on some emails (10,951) and not others (4,022)
If I run any of these captured emails through manually, they score 50+ points.
 
Below is the header info from one such email.
 
MAIL FROM:<[EMAIL PROTECTED]>
RCPT TO:<[EMAIL PROTECTED]>
Received: from friend (pool-68-239-67-125.res.east.verizon.net [68.239.67.125])
 by United_Way.unitedwayqc.org with ESMTP; Tue, 05 Dec 2006 12:27:42 -0600
Message-ID: <[EMAIL PROTECTED]>
From: "Peter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: She wants a better sex? All you need's here!


Re: Best Choice for Bayes filtering on SpamAssassin

2006-12-02 Thread Craig Morrison

Michael Scheidell wrote:

-Original Message-
From: Nigel Frankcom [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 02, 2006 2:24 PM

To: SpamAssassin
Subject: Re: Best Choice for Bayes filtering on SpamAssassin

My MTA has a list of SA servers it will use in series; if 1 
is unavailable it will go to 2 and so on.


Biggest issue with that, is that box #2 will see less 'real email' than
box #1, and have a very jaded view of the world... Almost EVERYTHING
would be a spam token..


What you seem to have missed in the conversation is that there is a 
*single* bayes backend..


--
Craig




Re: forged spam emails from my own domain

2006-12-01 Thread Craig Morrison

vertito wrote:


config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid 
for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]


i tried your advice but i had a line of error from my maillog, which is 
shown above.

[EMAIL PROTECTED] is just for a test.


whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net

  Use this to supplement the whitelist_from addresses with a check 
against the Received headers. The first parameter is the address to 
whitelist, and the second is a string to match the relay’s rDNS.


--
Craig
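
An added example, not part of the thread and not SpamAssassin's own code: a simplified Python model of why a plain address whitelist lets forged mail from your own domain through, while the two-argument `whitelist_from_rcvd` form quoted above also ties the address to the relay's rDNS. The function names, `example.com` and the sample messages are constructed for illustration, and the model assumes the relay rDNS is the one recorded at the hand-over to your own mail exchanger.

```python
import re


def parse_whitelist_from_rcvd(line):
    """Parse 'whitelist_from_rcvd ADDRESS RDNS'; a line with only an address is rejected."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "whitelist_from_rcvd":
        raise ValueError("whitelist_from_rcvd needs an address and a relay rDNS: %r" % line)
    return parts[1], parts[2].lower().rstrip(".")


def address_matches(pattern, from_addr):
    """Case-insensitive glob match on the sender address ('*' and '?' only)."""
    body = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.compile(body, re.IGNORECASE).fullmatch(from_addr) is not None


def rdns_matches(wanted, relay_rdns):
    """True if the relay's rDNS is the wanted host or lies inside the wanted domain."""
    if not relay_rdns:
        return False  # no reverse DNS, nothing to tie the address to
    relay = relay_rdns.lower().rstrip(".")
    return relay == wanted or relay.endswith("." + wanted)


def whitelist_from_hit(pattern, msg):
    """Model of an address-only whitelist: trusts the From address alone."""
    return address_matches(pattern, msg["from"])


def whitelist_from_rcvd_hit(entry, msg):
    """Model of whitelist_from_rcvd: address and relay rDNS must both match."""
    pattern, wanted = entry
    return address_matches(pattern, msg["from"]) and rdns_matches(wanted, msg["relay_rdns"])


# Constructed messages: only the sender address and the rDNS of the delivering relay.
LEGIT = {"from": "alice@example.com", "relay_rdns": "mail.example.com"}
FORGED = {"from": "no-such-user@example.com", "relay_rdns": "pool-203-0-113-7.dsl.example.net"}
LOOKALIKE = {"from": "alice@example.com", "relay_rdns": "mail.notexample.com"}
NO_RDNS = {"from": "alice@example.com", "relay_rdns": None}

ENTRY = parse_whitelist_from_rcvd("whitelist_from_rcvd *@example.com example.com")


def verdicts():
    """(address-only hit, address+rDNS hit) for each constructed message."""
    samples = {"legit": LEGIT, "forged": FORGED, "lookalike": LOOKALIKE, "no_rdns": NO_RDNS}
    return {
        name: (whitelist_from_hit("*@example.com", m), whitelist_from_rcvd_hit(ENTRY, m))
        for name, m in samples.items()
    }


if __name__ == "__main__":
    for name, (addr_only, addr_and_rdns) in verdicts().items():
        print("%-10s address-only=%s address+rDNS=%s" % (name, addr_only, addr_and_rdns))
```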




Re: How does some spam pass through?

2006-12-01 Thread Craig
Thanks for your quick reply
 
Ok, I am new to this-and I am sure it's a "no brainer" but "non-spam
tagging" -I do not understand. If you could explain-or if it's documented
feel free to scold me-I would appreciate it.
 
Craig


>>> "Loren Wilton" <[EMAIL PROTECTED]> 12/1/2006 11:05 AM >>>
Typical case is that you were one of the lucky early recipients before
the spam made it into all the blocklists, so it got a low score.
 
You should have got a pretty hefty score from the local tests, but
there is another 10+ points in net tests there too.
 
It looks like bayes should have caught it with your 4.0 limit.  This
makes me suspect bayes didn't run.  Look at the original mail tagging
and see, if you have a setup where you have non-spam tagging.  (and if
not, fix things so you do, it makes this easier to debug.)
 
Loren


- Original Message - 
From: Craig  ( mailto:[EMAIL PROTECTED] )
To: users@spamassassin.apache.org 
Sent: Friday, December 01, 2006 8:47 AM
Subject: How does some spam pass through?

Below are the results from a Spamassassin -D test of a message that was
previously delivered this morning.  How does something like this pass
through- when I run the checks on the email after it is delivered the
system clearly knows its spam.
 
Thanks
Craig
 
 
 
X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
 BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
 RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
X-Spam-Report: 
 *  0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
 *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
words
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *  [score: 1.]
 *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
 *  [80.171.36.179 listed in dnsbl.sorbs.net]
 *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *  [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *  [80.171.36.179 listed in combined.njabl.org]
 *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline
image
 *  0.0 BOTNET_CLIENT Hostname looks like a client hostname
 *  5.0 BOTNET Any Botnet rule hit


How does some spam pass through?

2006-12-01 Thread Craig
Below are the results from a Spamassassin -D test of a message that was
previously delivered this morning.  How does something like this pass
through- when I run the checks on the email after it is delivered the
system clearly knows its spam.
 
Thanks
Craig
 
 
 
X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
 BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
 RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
X-Spam-Report: 
 *  0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
 *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
words
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *  [score: 1.]
 *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
 *  [80.171.36.179 listed in dnsbl.sorbs.net]
 *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *  [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *  [80.171.36.179 listed in combined.njabl.org]
 *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline
image
 *  0.0 BOTNET_CLIENT Hostname looks like a client hostname
 *  5.0 BOTNET Any Botnet rule hit


Re: Easyjet e-mail scoring very high

2006-12-01 Thread Craig Morrison

Chris Lear wrote:

* Loren Wilton wrote (01/12/06 14:54):

The html contains this sort of thing:
http://www.easyjet.com/EN/Members/

Which looks like the culprit. In fact, every full stop in the html is
represented as . for some reason.

Still wondering though... how do you solve a problem like EasyJet?


Sure looks like spam to me.  ;-)

Which also looks like just about every airline message I've seen from any 
airline.  :-(  Apparently they hired spammers to design their marketing 
campaign mail.


You could try sending to postmaster or whatever at whichever marketing 
company is really sending that mail and see if you can get any attention 
from them.  Probably not, but it might be worth trying.


The trouble is, it's not marketing. It's a confirmation of a flight
booking, which I paid for. The airline doesn't issue tickets. So it's
something I genuinely want in my inbox. It looks like it's generated
directly by the easyjet.com web server.



If it's just a one time thing, there's probably nothing you'll want to 
spend the time doing about it.


If it's going to be recurring, it might be worth the effort to dust off 
your PCRE and write a rule or two to offset the score.


--
Craig




Re: Prevent scanning internal mail

2006-11-30 Thread Craig Morrison

Gary V wrote:
Exactly. How you prevent sending the message through SA is not a 
function of SA itself, but of the implementation, and because of the 
large number of implementations and configurations I question whether it 
would be practical (or even related) to provide examples of the various 
procedures.


Point well taken Gary.



I didn't see much of anything on this subject in the Wiki.


Neither did I.

I've been googling a bit and the cornucopia of hits for 
+spamassassin is a mess. :-)


--
Craig




Re: whitelisted where?

2006-11-30 Thread Craig Morrison

Scott Kopel wrote:
I'm noticing a bunch of obviously spam that is getting thru because it 
is "whitelisted"

where is this whitelist? it's not something I created.
it's not the auto_whitelist is it? wouldn't that say AWL
is it the phishing whitelist? when I start MailScanner I see "Read 755 
hostnames from the phishing whitelist"


As a follow-up: http://wiki.mailscanner.info/doku.php?id=maq:index

#
For whitelist: edit the spam.whitelist.rules from the rules directory 
following the format shown in the file.

#

--
Craig




Re: whitelisted where?

2006-11-30 Thread Craig Morrison

Scott Kopel wrote:
I'm noticing a bunch of obviously spam that is getting thru because it 
is "whitelisted"

where is this whitelist? it's not something I created.
it's not the auto_whitelist is it? wouldn't that say AWL
is it the phishing whitelist? when I start MailScanner I see "Read 755 
hostnames from the phishing whitelist"

thanks for any help


[snippage]


X-English-FSU-MailScanner-SpamCheck: not spam (whitelisted),


I think you answered your own question here..

'not spam (whitelisted)' is not something SA adds.

Might wanna tug the chain for the MailScanner folks.

--
Craig




Re: webg bug

2006-11-30 Thread Craig Morrison

Jean-Paul Natola wrote:



I was wondering if there is a way to either strip away,  or totally block
messages that have "web bugs"  that report back to servers like 
www.readnotify.com



http://www.impsec.org/email-tools/procmail-security.html



Can someone help a newbie find some info on installing  procmail ?

 



http://www.google.com/search?q=installing+procmail

--
Craig




Re: Prevent scanning internal mail

2006-11-30 Thread Craig Morrison

Theo Van Dinter wrote:

On Thu, Nov 30, 2006 at 01:02:29PM -0800, leemansvg wrote:

This might be a simple question for most of you. How would I prevent
spamassassin from scanning my internal mail, e.g from a particular server,
or originating from my internal network.


Don't pass those to SpamAssassin.  Once SA gets a mail, it'll be scanned.



Is there a FAQ entry for this somewhere on the wiki?

If not, there should be.. This is the 3rd or 5th time in the past couple 
days something similar has been asked..


--
Craig




Re: forged spam emails from my own domain

2006-11-30 Thread Craig Morrison

vertito wrote:

i am receiving spam emails coming from my own domain.com
but that email address does not existing from my own domain.com.

say my domain is mydomain.com and that spam email had FROM header that shows

[EMAIL PROTECTED]

which is currently whitelisted from spamassassin global rules and 
currently does not exist from my users list.

that is why i am receiving it from my INBOX and not from SPAM folder,

anyone has idea or a script to move this to SPAM folder?
tnx


Have your MTA reject addresses that aren't present in your user list.

You'll have to look to your MTA's documentation to find the recipe though.

--
Craig




Re: This is so obvious...

2006-11-30 Thread Craig Morrison

Jon D. Slater wrote:
To me, they look like Perl regular expressions (which I **have** 
written).  Do I add my new rule to my local.cf or directly to 
70_sare_specific.cf?




local.cf is the best place. Placing them in any of the stock SA rule 
files or in the RDJ files will cause you to lose them if you upgrade 
them by any automatic means.


 


Are there any guides to writing rules?



http://wiki.apache.org/spamassassin/WritingRules

 

Also the area code below is written with an ‘L’ instead of a 1, so I’m 
assuming I should I test for ‘314’, ‘3l4’ and ‘3|4’




That looks to be the case, yes.

--
Craig




Re: tagging based on score level

2006-11-29 Thread Craig Morrison

beast wrote:
Is it possible to make different tag for a different score/classes, for 
example:


high: [SPAM!!!]  if score > 50
medium: [SPAM!!]  if score between 20 - 50
low: [SPAM]  if score between threshold - 20

The reason is client filter or other redirection program (for example to 
be redirected/ quarantined for further inspection) can not parse the 
score directly.


perldoc Mail::SpamAssassin::Conf

Look for the TEMPLATE TAGS section, in particular the _STARS(*)_ tag.

--
Craig
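
An added example, not part of the thread: a downstream filter that cannot parse the numeric score can count the characters written by `_STARS(*)_` instead, here assumed to be in an `X-Spam-Level` header, and map the count to the three tags asked for above. The tier boundaries come from the question, the base threshold of 5 and the function names are assumptions, and because the Mail::SpamAssassin::Conf documentation limits `_STARS(*)_` to 50 characters the top tier means "50 or more" rather than "more than 50".

```python
import re
from email import message_from_string

STAR_CAP = 50  # documented upper limit on the number of characters _STARS(*)_ emits

# Stars count whole score points, so the boundaries must be whole numbers.
REQUIRED, MEDIUM, HIGH = 5, 20, 50  # REQUIRED is an assumed site threshold

TAGS = {"high": "[SPAM!!!]", "medium": "[SPAM!!]", "low": "[SPAM]"}


def sample(stars, subject="constructed subject"):
    """Build a constructed message carrying `stars` asterisks in X-Spam-Level."""
    return "X-Spam-Level: %s\nSubject: %s\n\nbody\n" % ("*" * stars, subject)


def tier(raw_message):
    """Classify a message as unscanned, ham, low, medium or high from X-Spam-Level."""
    levels = message_from_string(raw_message).get_all("X-Spam-Level") or []
    if len(levels) != 1:
        # Absent, or duplicated so that we cannot tell which one the scanner wrote.
        return "unscanned"
    stars = levels[0].strip()
    if not re.fullmatch(r"\**", stars):
        return "unscanned"  # not the star string the scanner writes
    count = len(stars)  # an empty header means a score below 1
    if count >= min(HIGH, STAR_CAP):
        return "high"
    if count >= MEDIUM:
        return "medium"
    if count >= REQUIRED:
        return "low"
    return "ham"


def tag_subject(raw_message):
    """Return the message with the tier's tag prefixed to Subject (idempotent)."""
    msg = message_from_string(raw_message)
    tag = TAGS.get(tier(raw_message))
    if tag:
        subject = msg.get("Subject", "")
        if not subject.startswith(tag):
            del msg["Subject"]
            msg["Subject"] = ("%s %s" % (tag, subject)).rstrip()
    return msg.as_string()


if __name__ == "__main__":
    for stars in (0, 5, 19, 20, 49, 50):
        print(stars, tier(sample(stars)))
```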




Re: Loads of 'xxx wrote:' Spam

2006-11-27 Thread Craig Morrison

Theo Van Dinter wrote:

On Mon, Nov 27, 2006 at 09:48:03PM +, Justin Mason wrote:

As has been the suggestion for the past X months, run sa-update. :)

we've got to make this a more prominent FAQ somehow...


Yeah, I keep coming across people on IRC and such that don't know about
sa-update, even though it's been out for months.  I suggest we add a
section to the next release announcements about it.



Since it's right off the home page and there is a tab for it labeled 
'Docs', this would be an excellent place:


http://spamassassin.apache.org/doc.html

--
Craig




Re: Why won't imageinfo.pm work with SA 3.17? - access

2006-11-26 Thread Craig Morrison

Michael W Cocke wrote:

I can't get the imageinfo plugin to load with SA 3.17?

I put this in v310.pre

loadplugin Mail::SpamAssassin::Plugin::ImageInfo


Try this:

loadplugin Mail::SpamAssassin::Plugin::ImageInfo ImageInfo.pm

--
Craig




Re: How to use --allow-tell?

2006-11-26 Thread Craig Morrison

Craig Morrison wrote:

Todd A. Jacobs wrote:

I was perusing the man pages for spamd in spamassassin 3.1.7, and came
across something that seems to imply that I can use spamc to tell spamd
to update a sitewide bayesian database:

-l, --allow-tell
Allow learning and forgetting (to a local Bayes database),
reporting and revoking (to a remote database) by spamd. The
client issues a TELL command to tell what type of message is
being processed and whether local (learn/forget) or remote
(report/revoke) databases should be updated.

However, I can't find any explanation of how to actually *do* this. What
am I missing here?



Look at the source code for spamc.. It's in there.

If you are writing your own `spamc' client, the header set up is:

TELL SPAMC/1.3
Message-class: spam|ham
Set: local|remote
*or*
Remove: local|remote

Followed by the usual 'user' and 'content-length' spamd headers.

For spamc:

spamc ... -L spam|ham|forget -C report|revoke ...



Okay, my interpretation of the code was a bit off, but I did find this
(after scratching my head for a while):

http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_current_release_3.1.x/spamd/PROTOCOL

--
Craig




Re: How to use --allow-tell?

2006-11-26 Thread Craig Morrison

Todd A. Jacobs wrote:

I was perusing the man pages for spamd in spamassassin 3.1.7, and came
across something that seems to imply that I can use spamc to tell spamd
to update a sitewide bayesian database:

-l, --allow-tell
Allow learning and forgetting (to a local Bayes database),
reporting and revoking (to a remote database) by spamd. The
client issues a TELL command to tell what type of message is
being processed and whether local (learn/forget) or remote
(report/revoke) databases should be updated.

However, I can't find any explanation of how to actually *do* this. What
am I missing here?



Look at the source code for spamc.. It's in there.

If you are writing your own `spamc' client, the header set up is:

TELL SPAMC/1.3
Message-class: spam|ham
Set: local|remote
*or*
Remove: local|remote

Followed by the usual 'user' and 'content-length' spamd headers.

For spamc:

spamc ... -L spam|ham|forget -C report|revoke ...

--
Craig


Not sure what to do about this...

2006-11-25 Thread Craig Zeigler


it seems over the past couple of weeks, I'm getting 50-80 of these per 
day into my inbox. From what I can tell, it isn't hitting the bayes 
filters when other messages do. Anyone have any idea? I have sorted 
these and trained the bayes filters, but if it isn't hitting them I 
don't know what more to do. Sometimes the same message ends up in my 
junk filter, and the bayes score is in the header. I'm at a loss. 
Thanks, Craig


The message got sent back to me, so i'm going to have to just paste what 
I can from the headers...


To:
<[EMAIL PROTECTED]>
Return-Path:
<[EMAIL PROTECTED]>
X-Spam-Checker-Version:
SpamAssassin 3.1.3-gr0 (2006-06-01) on charlotte.ctrust.com
X-Spam-Level:

X-Spam-Status:
No, score=4.5 required=5.0 tests=DNS_FROM_RFC_ABUSE, 
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100, 
RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK autolearn=no version=3.1.3-gr0





Re: Who wants my spam - seriously!

2006-11-25 Thread Craig Morrison

Marc Perkel wrote:
As you all know I'm in the spam blocking business and looking to share 
my information with others to help them block spam for everyone. I'm 
currently feeding my spam to several people now.




You asked


Feedback welcome.




Given the rants on your website and just your general nature, I wouldn't 
trust anything you published for consumption.


--
Craig


Re: saupdate

2006-11-23 Thread Craig Morrison

Jack Gostl wrote:


- Original Message - From: "Craig Morrison" <[EMAIL PROTECTED]>
To: "Jack Gostl" <[EMAIL PROTECTED]>
Cc: "spamassassin" 
Sent: Thursday, November 23, 2006 2:40 PM
Subject: Re: saupdate




Please keep replies on the list for the benefit of others.. Comments 
inline..


Jack Gostl wrote:



 Question 2:
 After running saupdate, I assume that all I have to do is to 
restart spamd. How can I force spamd to restart and reload its 
rules? Can I do a simple kill -1? Or do I need an actual kill and 
restart?


That is highly dependent upon how spamd is invoked.

--
Craig



Thanks for the response.

It was invoked through /etc/inittab with the command:

spam:2:once:/usr/opt/perl5/bin/spamd -m20 -d -A 10.165.1.3,127.0.0.1 -i

Which means no automatic respawning. So does spamd respond to a 
SIGHUP by restarting?




`man spamd':

"DESCRIPTION
   The purpose of this program is to provide a daemonized version 
of the spamassassin executable.  The goal is improving throughput 
performance for automated mail checking.


   This is intended to be used alongside "spamc", a fast, 
low-overhead C client program.


   See the README file in the "spamd" directory of the 
SpamAssassin distribution for more details.


   Note: Although "spamd" will check per-user config files for 
every message, any changes to the system wide config files will 
require either restarting spamd or forcing it to reload itself via 
SIGHUP for the changes to take effect.


   Note: If "spamd" receives a SIGHUP, it internally reloads 
itself, which means that it will change its pid and might not restart 
at all if its environment changed  (ie. if it can’t change back into 
its own directory).  If you plan to use SIGHUP, you should always 
start "spamd" with the -r switch to know its current pid."


I'm usually not a RTFM prude, however, SpamAssassin is VERY well 
documented in its manual pages.


--
Craig



I understand about RTFM, but there is so much new stuff introduced in 
this release, I'm trying to catch up. What is funny is that I read all 
the documentation, and this stuff just flew by me. Anyway, one final 
thing, and I'm pretty sure this one isn't in the manual.


When I run sa-update, I get this message:

Use of uninitialized value in concatenation (.) or string at 
/usr/opt/perl5/lib/5.8.2/Scalar/Util.pm line 30.


Not sure what to do about that one. Or if it even matters.

Jack





I can't comment on if it matters, but I am fairly certain from 
experience the answer is most likely going to be upgrading Perl to at 
least 5.8.8..


--
Craig


Re: A false positive...

2006-11-23 Thread Craig Morrison

Michael Scheidell wrote:

-Original Message-
From: Craig Morrison [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 23, 2006 12:53 PM

To: users@spamassassin.apache.org
Subject: Re: A false positive...
TZ format you should consider sa-learn'ing the messages as 
ham. On your 
SA setup these messages are hitting BAYES_95 which is adding 
3 points to 
their score.


I don't think learning one message as spam will drop the _95 rating.

However, maybe this will help (put in local.cf)

score SARE_LEGIT_EBAY  -3.5




If learning them as ham doesn't affect the score then what is the point 
of the learning system at all?


What am I missing?

--
Craig


Re: saupdate

2006-11-23 Thread Craig Morrison


Please keep replies on the list for the benefit of others.. Comments 
inline..


Jack Gostl wrote:



 Question 2:
 After running saupdate, I assume that all I have to do is to restart 
spamd. How can I force spamd to restart and reload its rules? Can I 
do a simple kill -1? Or do I need an actual kill and restart?


That is highly dependent upon how spamd is invoked.

--
Craig



Thanks for the response.

It was invoked through /etc/inittab with the command:

spam:2:once:/usr/opt/perl5/bin/spamd -m20 -d -A 10.165.1.3,127.0.0.1 -i

Which means no automatic respawning. So does spamd respond to a SIGHUP 
by restarting?




`man spamd':

"DESCRIPTION
   The purpose of this program is to provide a daemonized version 
of the spamassassin executable.  The goal is improving throughput 
performance for automated mail checking.


   This is intended to be used alongside "spamc", a fast, 
low-overhead C client program.


   See the README file in the "spamd" directory of the SpamAssassin 
distribution for more details.


   Note: Although "spamd" will check per-user config files for 
every message, any changes to the system wide config files will require 
either restarting spamd or forcing it to reload itself via SIGHUP for 
the changes to take effect.


   Note: If "spamd" receives a SIGHUP, it internally reloads 
itself, which means that it will change its pid and might not restart at 
all if its environment changed  (ie. if it can’t change back into its 
own directory).  If you plan to use SIGHUP, you should always start 
"spamd" with the -r switch to know its current pid."


I'm usually not a RTFM prude, however, SpamAssassin is VERY well 
documented in its manual pages.


--
Craig


Re: saupdate

2006-11-23 Thread Craig Morrison

Jack Gostl wrote:
I'm trying to understand saupdate and how to use it. I have two 
questions. I'm running AIX 5.3.
 
Question 1:
 
 I run the following command:
 
/usr/opt/perl5/bin/sa-update --nogpg -D --updatedir /tmp/update
 
It finishes with a return code of 1. It sounds to me like something 
failed. I can't find any documentation on the return codes, so I'm not 
sure where to take this. Here is the debug output:
 
Use of uninitialized value in concatenation (.) or string at 
/usr/opt/perl5/lib/5.8.2/Scalar/Util.pm line 30.

[27694] dbg: logger: adding facilities: all
[27694] dbg: logger: logging level is DBG
[27694] dbg: generic: SpamAssassin version 3.1.7
[27694] dbg: config: score set 0 chosen.
[27694] dbg: message:  MIME PARSER START 
[27694] dbg: message: main message type: text/plain
[27694] dbg: message: parsing normal part
[27694] dbg: message: added part, type: text/plain
[27694] dbg: message:  MIME PARSER END 
[27694] dbg: dns: is Net::DNS::Resolver available? yes
[27694] dbg: dns: Net::DNS version: 0.59
[27694] dbg: generic: sa-update version svn454083
[27694] dbg: generic: using update directory: /tmp/update
[27694] dbg: diag: perl platform: 5.008002 aix
[27694] dbg: diag: module installed: Digest::SHA1, version 2.11
[27694] dbg: diag: module installed: Net::SMTP, version 2.29
[27694] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[27694] dbg: diag: module installed: IP::Country::Fast, version 604.001
[27694] dbg: diag: module not installed: Razor2::Client::Agent 
('require' failed)

[27694] dbg: diag: module installed: Net::Ident, version 1.20
[27694] dbg: diag: module not installed: IO::Socket::INET6 ('require' 
failed)

[27694] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
[27694] dbg: diag: module installed: Time::HiRes, version 1.52
[27694] dbg: diag: module installed: DBI, version 1.53
[27694] dbg: diag: module installed: Getopt::Long, version 2.34
[27694] dbg: diag: module installed: LWP::UserAgent, version 2.003
[27694] dbg: diag: module installed: HTTP::Date, version 1.44
[27694] dbg: diag: module installed: Archive::Tar, version 1.30
[27694] dbg: diag: module installed: IO::Zlib, version 1.04
[27694] dbg: diag: module installed: DB_File, version 1.814
[27694] dbg: diag: module installed: HTML::Parser, version 3.35
[27694] dbg: diag: module installed: MIME::Base64, version 2.21
[27694] dbg: diag: module installed: Net::DNS, version 0.59
[27694] dbg: channel: attempting channel updates.spamassassin.org
[27694] dbg: channel: update directory /tmp/update/updates_spamassassin_org
[27694] dbg: channel: channel cf file 
/tmp/update/updates_spamassassin_org.cf
[27694] dbg: channel: channel pre file 
/tmp/update/updates_spamassassin_org.pre

[27694] dbg: channel: metadata version = 477972
[27694] dbg: dns: 7.1.3.updates.spamassassin.org => 477972, parsed as 477972
[27694] dbg: channel: current version is 477972, new version is 477972, 
skipping channel

[27694] dbg: diag: updates complete, exiting with code 1


man sa-update:

EXIT CODES
   An exit code of 0 means an update was available, and was 
downloaded and installed successfully.


   An exit code of 1 means no fresh updates were available.

   An exit code of 4 or higher, indicates that errors occurred 
while attempting to download and extract updates.


 
Question 2:
 
After running saupdate, I assume that all I have to do is to restart 
spamd. How can I force spamd to restart and reload its rules? Can I do a 
simple kill -1? Or do I need an actual kill and restart?


That is highly dependent upon how spamd is invoked.

--
Craig
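Added example, not part of either saupdate post: a small wrapper that applies the EXIT CODES text quoted above and the SIGHUP note from `man spamd`. The binary path and pid file location are assumptions, and spamd is assumed to have been started with -r so the pid file exists.

```python
import os
import signal
import subprocess

# Assumed paths for illustration; neither is taken from the thread.
SA_UPDATE = "/usr/bin/sa-update"
SPAMD_PIDFILE = "/var/run/spamd.pid"   # written by spamd when started with -r


def classify_exit(code):
    """Map an sa-update exit code to an action, per the quoted EXIT CODES text."""
    if code == 0:
        return "reload"      # an update was downloaded and installed
    if code == 1:
        return "nothing"     # no fresh updates: not a failure
    if code >= 4:
        return "error"       # download or extraction failed
    return "unknown"         # value not covered by the quoted text


def read_pid(pidfile):
    """Return the pid stored in pidfile, or None if it is missing or malformed."""
    try:
        with open(pidfile) as fh:
            text = fh.read().strip()
    except OSError:
        return None
    if text.isdigit() and int(text) > 1:
        return int(text)
    return None


def reload_spamd(pidfile=SPAMD_PIDFILE, kill=os.kill):
    """Send SIGHUP to the pid currently recorded in pidfile.

    The pid is re-read on every call because spamd changes its pid when it
    reloads itself. Returns the pid signalled, or None if nothing was sent.
    """
    pid = read_pid(pidfile)
    if pid is None:
        return None
    try:
        kill(pid, 0)                 # probe only: is the process still there?
        kill(pid, signal.SIGHUP)
    except ProcessLookupError:
        return None                  # stale pid file, nothing to reload
    return pid


def update_and_reload(run=subprocess.call, pidfile=SPAMD_PIDFILE):
    """Run sa-update and reload spamd only when new rules were installed."""
    action = classify_exit(run([SA_UPDATE]))
    if action == "reload":
        return action, reload_spamd(pidfile)
    return action, None


if __name__ == "__main__":
    action, pid = update_and_reload()
    print("sa-update: %s, spamd pid signalled: %s" % (action, pid))
    # Exit 0 for both "updated" and "nothing new" so cron does not mail on code 1.
    raise SystemExit(0 if action in ("reload", "nothing") else 1)
```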


Re: A false positive...

2006-11-23 Thread Craig Morrison

Justin Mason wrote:

Steve [Spamassasin] writes:

An ebay "watched item" email has been wrongly tagged as spam... with the
following rules:

--
 2.2 INVALID_DATE       Invalid Date: header (not RFC 2822)
 0.8 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
 0.1 TW_SJ              BODY: Odd Letter Triples with SJ
 0.0 HTML_MESSAGE       BODY: HTML included in message
 3.0 BAYES_95           BODY: Bayesian spam probability is 95 to 99%
                        [score: 0.9887]
 0.2 HTML_TITLE_EMPTY   BODY: HTML title contains no text
-0.0 SARE_LEGIT_EBAY    Has signs it's from ebay, from, headers, uri
-1.1 AWL                AWL: From: address is in the auto white-list
--


The (sanitised) headers read:


--
Subject:...
From:eBay <[EMAIL PROTECTED]>
Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00

While I understand why this email may have triggered the Bayesian rule (where 
spammers have copied ebay's email style...) I am bemused by INVALID_DATE and 
DATE_IN_PAST_06_12.

The dates I see in the header look valid to me - and (if we allow for 
international time differences) the message was sent two seconds before it was 
received.

Am I overlooking something here?  Why doesn't SpamAssassin like these dates?


they're malformed, missing spaces.  this is what an RFC-compliant
date looks like:

  Date: Wed, 22 Nov 2006 16:20:29 +

this is what the ebay.co.uk date looks like, according to yr mail:

  Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00

note: missing spaces; extra ":" in the TZ offset; and the TZ name.  all
are non-rfc-compliant.

--j.



Technically the only thing wrong with the date is the TZ. Section 2.2 of 
RFC2822 states:


   Header fields are lines composed of a field name, followed by a colon
   (":"), followed by a field body, and terminated by CRLF.

No reference to a mandatory SP character starting the field body.

To the OP, since I highly doubt that you will get eBay to change their 
TZ format you should consider sa-learn'ing the messages as ham. On your 
SA setup these messages are hitting BAYES_95 which is adding 3 points to 
their score.


--
Craig
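Added example, not from the thread: a checker for the body of a Date: field that reports which part fails the RFC 2822 date-time syntax. The zone names accepted as obsolete forms and the sample date ending in +0000 are assumptions made for illustration, and leading whitespace after the colon is treated as optional.

```python
import re

DAYS = "Mon|Tue|Wed|Thu|Fri|Sat|Sun"
MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"

# Everything before the zone: [day-of-week ","] day month year hh:mm[:ss]
PREFIX = re.compile(
    r"^\s*(?:(?:%s)\s*,\s*)?"            # optional day of week
    r"(\d{1,2})\s+(?:%s)\s+\d{4,}\s+"    # day, month name, year
    r"(\d{2}):(\d{2})(?::(\d{2}))?"      # time of day, seconds optional
    r"(\s*)(.*)$" % (DAYS, MONTHS),      # gap before the zone, then the zone
    re.IGNORECASE,
)
NUMERIC_ZONE = re.compile(r"^[+-]\d{4}$")
# Alphabetic zones that the obsolete syntax still allows a parser to accept
# (single-letter military zones are left out of this example).
OBS_ZONES = {"UT", "GMT", "EST", "EDT", "CST", "CDT", "MST", "MDT", "PST", "PDT"}


def check_date(value):
    """Return (verdict, problems); verdict is 'ok', 'obsolete' or 'invalid'."""
    m = PREFIX.match(value)
    if not m:
        return "invalid", ["date/time part is not 'day month year hh:mm[:ss]'"]
    day, hh, mm, ss, gap, zone = m.groups()
    zone = zone.strip()
    problems, obsolete = [], False
    if not 1 <= int(day) <= 31:
        problems.append("day of month out of range")
    if int(hh) > 23 or int(mm) > 59 or int(ss or 0) > 60:
        problems.append("time of day out of range")
    if not zone:
        problems.append("zone is missing")
    elif not gap:
        problems.append("no whitespace between time and zone")
    if NUMERIC_ZONE.match(zone):
        if int(zone[3:]) > 59:
            problems.append("zone minutes out of range")
    elif zone.upper() in OBS_ZONES:
        obsolete = True
    elif zone:
        problems.append("zone %r is neither +hhmm/-hhmm nor a known zone name" % zone)
        if re.match(r"^[A-Za-z]+[+-]", zone):
            problems.append("zone name and numeric offset are combined")
        if ":" in zone:
            problems.append("':' inside the zone offset")
    if problems:
        return "invalid", problems
    return ("obsolete" if obsolete else "ok"), []


def check_header(line):
    """Check a complete 'Date:' header line; the space after ':' is optional."""
    name, sep, body = line.rstrip("\r\n").partition(":")
    if not sep or name.strip().lower() != "date":
        raise ValueError("not a Date: header line")
    return check_date(body)


if __name__ == "__main__":
    samples = [
        "Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00",   # the header from the thread
        "Date: Wed, 22 Nov 2006 16:20:29 +0000",      # constructed sample
    ]
    for line in samples:
        print(line, "->", check_header(line))
```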


Re: ****Re: blarsbl

2006-11-21 Thread Craig White
On Tue, 2006-11-21 at 12:07 -0500, DAve wrote:
> Thomas Lindell wrote:
> > At&t mail servers use his service. 
> > 
> > Which means I can't send to mediacom which is an at&t partner
> > 
> > I couldn't believe at&t used his service.  
> > 
> > What's odd is that my company uses at&t backhaul bandwidth in the form of 4
> > t1's
> > 
> > Grr the whole thing is frustrating
> > 
> > Tom
> > 
> > -Original Message-
> > From: DAve [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, November 21, 2006 10:37 AM
> > To: spamassassin
> > Subject: Re: blarsbl
> > 
> > Thomas Lindell wrote:
> >> Has anyone had any dealings with this guy.
> >>
> >> I take my mail server very seriously.  Further I take spamming very 
> >> seriously in general.
> >>
> >> Even when I detect one of my customers sending spam I disable their 
> >> internet until the problem is resolved
> >>
> >> The guy that runs the blarsbl list wants to charge my company 1500$ to 
> >> remove our mail server from his list.
> >>
> >> When it was listed there for no good reason.
> >>
> >> I checked my mail logs going back 6 months there wasn't a single email 
> >> sent nor received from this guys domain and or ip block.
> >>
> >> It would seem to me he's nothing more than a petty extortionist.
> >>
> >> Anyone else had to deal with this?
> >>
> >> This is the guy's www site
> >>
> >>
> >> http://www.blars.org/errors/block.html
> > 
> > Any admin blocking based on Blars has no mail we would miss, and we have
> > very liberal limits for mail we accept due to our clients' business models.
> > He falls in the same category as SpamBag.
> > 
> > DAve
> > 
> > --
> > Three years now I've asked Google why they don't have a logo change for
> > Memorial Day. Why do they choose to do logos for other non-international
> > holidays, but nothing for Veterans?
> > 
> > Maybe they forgot who made that choice possible.
> 
> I would think a phone call to your account manager with an appropriate 
> link to the guy's website would be enough to get the problem solved.
> 
> http://www.blars.org/blars06c.jpg
> 
> A copy of your past quarter bill from ATT would help to put the point 
> into perspective.

by appearances, he doesn't seem much like that AT&T type - that picture
pretty much sums it up.

;-)

Craig



Re: Are other people seeing higher Load Averages after moving to 3.1.7?

2006-10-18 Thread Craig Baird

I think spam is *way* up the last week or two.  My server started hovering at
a load average of around 55 a week or so ago.  I started doing some
investigating when I realized that the load was not coming down.  I found
that my server has been taking between 400,000 and 500,000 messages per 
day. A few months ago, it was more like 150,000 to 200,000 per day.  
Unfortunately,
I moved logging over to a new syslog server recently, so I can't say whether
the increase was sudden or gradual.  I think some of it has been gradual, but
it sure feels like it's only been the past few weeks that we've been getting
hit *really* hard.  After deciding that the load average was likely due to
actual spam load, I implemented a couple of RBLs at the MTA level.  My load
is now back down between 1 and 3, and messages making it through to SA are
now back to around 200,000 per day.

Craig


Quoting ccrowley <[EMAIL PROTECTED]>:



I reverted to 3.1.3, and I still see the very high LA.  So it does not appear
to be a function of the upgrade.  Probably just a lot of traffic.



ccrowley wrote:


All -

Just a quick inquiry.  I updated from 3.1.3 to 3.1.7 yesterday. I'm seeing
substantially higher LA on the system.  The system used to run at a range
of 2.x - 8.x LA.  With 3.1.7 I'm seeing 10.x  - 50.x.

I'm in the process of reverting to see if the behavior persists or is
eliminated.  But, I thought to check to see if anyone else has experienced
similar behavior?



--
View this message in context: 
http://www.nabble.com/Are-other-people-seeing-higher-Load-Averages-after-moving-to-3.1.7--tf2468623.html#a6883136

Sent from the SpamAssassin - Users mailing list archive at Nabble.com.








Re: Mail server performance problems. Possible SA slow down?

2006-10-09 Thread Craig Baird

I have an old Redhat box that started doing this a while back.  After a lot of
hair pulling, I finally figured out that the problem was related to spam
floods, but seemed to be caused by the syslog daemon.  I shut down syslogd
for a few days, and the problem went away completely.  After those few days,
I turned syslogd back on, but configured it to log to a separate syslog
server (thinking that perhaps the problem was disk I/O related).  However,
the problem began happening again.  I finally downgraded my syslogd to the
previous version, and haven't seen any problems since.

Note that this is very likely not what is causing your problem.  But it
sometimes pays to consider the non-obvious.  Your problem may be caused by
something relatively unrelated to (but affected by) mail.

Craig

Quoting Matias Lopez Bergero <[EMAIL PROTECTED]>:


Hello!

I was very happy using SpamAssassin at my email server (Xeon 2.8GHz, 1.5
GB memory, Dual Ultra SCSI HD 73.4GB in RAID 1, Linux 2.4.33)

The last few weeks I have noted (angry users calling me by phone) that
the server is really slow. The loadav goes from 1.5 to 12.5; normally is
about 3.00.

There are only 2500 email boxes at the server. The server is running:
Sendmail, SpamAssassin 3.1.5 (using milter-spamc), ClamAV (using
clamav-milter), Apache 1.3.x, SquirrelMail, pop3, etc.

I have been seeing some kind of bursts of incoming emails (spam mostly), that
are producing a DoS effect.

The server shows a table of ~1700 processes and about ~800 tcp sessions
(sendmail and milter-spamc mostly) during these bursts. This seems to
prevent other users from connecting to the server in order to use pop3
or smtp services.

I have increased the child processes of spamd, but I was unsuccessful
in reducing this effect (I have seen in the logs a message about the need
to increase the spamd children). Also I tweaked the sendmail.cf to ease the
connection, but the problem persists.

Looks to me that SpamAssassin is taking too long to process the incoming
emails, and as a result, it is slowing down the server, and finally
causing the DoS.

Can anyone help me with some ideas to solve this? Or to see where exactly
the problem is? Do I need to improve my hardware?

Thanks.

BR,
Matias.








Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-29 Thread Donald Craig




Well I think the FAQ note is a good idea, since a hyperactive
DNS server wasn't the first thing I thought of when I saw
this problem.  However, turning off the OpenDNS hyperactivity
does require a fixed IP address to originate the queries - I
found it easier to use OpenDNS for my desktops, and switch
to something else for the SpamAssassin server.

cheers,
Don Craig

Jeff Chan wrote:

  On Wednesday, September 27, 2006, 11:17:59 PM, Donald Craig wrote:
  
  
And Theo Van Dinter pointed out:
You're not by chance using the opendns.{com,org} folks for DNS, are you?

  
  Of course.  I'm an idiot.  I switched to OpenDNS a couple of weeks back.
Time to return from whence I came.  Thank you,
Don Craig
 
I'm getting matches whenever I have an embedded URL
on URIBL_AB_SURBL and URIBL_PH_SURBL -
unless the URL is actually in URIBL_SBL, in which case the
logic for all the flavors of URIBL_XX_SURBL seems
to work correctly.  I have verified the
absence of the incorrectly matching URLs from SURBL
with lookups in http://www.rulesemporium.com/cgi-bin/uribl.c
  This is SpamAssassin 3.1.5, all was fine in 3.1.2.
  
  For now I have set both those tests to 0.00.
  
  Don Craig

  



  
Thanks for the reminder guys.  I've added the following note
about OpenDNS compatibility to the SURBL FAQ:
__

  http://www.surbl.org/faq.html#opendns

"I'm using OpenDNS and getting wrong answers to SURBL DNS queries

OpenDNS is a service that changes the responses to some DNS
queries in order to prevent users from visiting spam, phishing,
etc., sites. It also has a "typo correction" feature that directs
mistyped domain names to custom sites controlled by OpenDNS
instead of sites controlled by typosquatters, phishers, etc.

When using SURBLs with an OpenDNS nameserver it's important to
disable the typo correction feature, or the responses to
non-matching SURBL queries will be incorrect to a SURBL
application. The reason is that the OpenDNS nameservers return an
IP address of their own web site in those cases, and that
modified IP address will have an incorrect effect on SURBL list
identification that depends on where the bit patterns happen to
be in the modified response.

SURBLs will work with OpenDNS if their typo correction feature is
disabled on servers or clients doing SURBL queries."

__

Does that look about right?

Jeff C.
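Added example, not part of the thread or the SURBL FAQ: how a rewritten DNS answer turns into false list hits, next to a decoder that refuses it and a probe for a resolver that rewrites non-matching queries. The bit-to-list table is an assumption (the thread does not state it), and 192.0.2.40 is a constructed answer whose last octet happens to set the PH and AB bits.

```python
import ipaddress
import socket
import uuid

# Assumed bit assignments for multi.surbl.org (not stated in the thread).
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}
KNOWN_MASK = sum(SURBL_BITS)          # 126


def naive_lists(answer):
    """Decode list membership from the low bits only, trusting any A record."""
    last = int(answer.split(".")[-1])
    return sorted(name for bit, name in SURBL_BITS.items() if last & bit)


def strict_lists(answer):
    """Decode only answers shaped like a SURBL response (127.0.0.x, known bits)."""
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/24"):
        raise ValueError("%s is not a SURBL answer; was the response rewritten?" % answer)
    last = int(addr) & 0xFF
    if last == 0 or last & ~KNOWN_MASK:
        raise ValueError("%s carries bits outside the known list mask" % answer)
    return sorted(name for bit, name in SURBL_BITS.items() if last & bit)


def system_resolve(name):
    """Return the A records for name via the system resolver, [] on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def resolver_rewrites(resolve=system_resolve, zone="multi.surbl.org"):
    """True if a name that cannot be listed still gets an A record back.

    A random label under the reserved .invalid TLD is never a listed domain,
    so any answer means the resolver is substituting its own address.
    """
    probe = "%s.invalid.%s" % (uuid.uuid4().hex, zone)
    return bool(resolve(probe))


if __name__ == "__main__":
    rewritten = "192.0.2.40"          # constructed stand-in for a rewritten answer
    print("naive decode :", naive_lists(rewritten))
    try:
        strict_lists(rewritten)
    except ValueError as exc:
        print("strict decode:", exc)
    print("genuine hit  :", strict_lists("127.0.0.40"))
```

Calling `resolver_rewrites()` with no arguments performs one live lookup through the system resolver, so run it on the host that does the SURBL queries.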

  





Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-28 Thread Donald Craig
And Theo Van Dinter pointed out:
You're not by chance using the opendns.{com,org} folks for DNS, are you?

Of course.  I'm an idiot.  I switched to OpenDNS a couple of weeks back.
Time to return from whence I came.  Thank you,
Don Craig
 
I'm getting matches whenever I have an embedded URL
on URIBL_AB_SURBL and URIBL_PH_SURBL -
unless the URL is actually in URIBL_SBL, in which case the
logic for all the flavors of URIBL_XX_SURBL seems
to work correctly.  I have verified the
absence of the incorrectly matching URLs from SURBL
with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi

This is SpamAssassin 3.1.5, all was fine in 3.1.2.

For now I have set both those tests to 0.00.

Don Craig








Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-27 Thread Donald Craig
I'm getting matches whenever I have an embedded URL
on URIBL_AB_SURBL and URIBL_PH_SURBL -
unless the URL is actually in URIBL_SBL, in which case the
logic for all the flavors of URIBL_XX_SURBL seems
to work correctly.  I have verified the
absence of the incorrectly matching URLs from SURBL
with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi

This is SpamAssassin 3.1.5, all was fine in 3.1.2.

For now I have set both those tests to 0.00.

Don Craig







Re: .GIF images without .gif in filename and empty messages

2006-08-15 Thread Craig Baird

Quoting Loren Wilton <[EMAIL PROTECTED]>:


Thanks to the imageinfo plugin, most of my image spam has disappeared except
for one particular type.  I'm still seeing .gif image spams where the
filename for the image does not contain .gif.  Like this:


Are you using the latest version that 'decoder' posted?  I'm pretty 
sure he added code to handle improper file type suffixes.  (Of course 
he might not handle the no suffix case.)




Didn't decoder post the OCR stuff?  I thought imageinfo was posted by 
Dallas. Anyway, regardless, I think I may be running an older version.  
I'll check it and upgrade if necessary.

The other type of spam I'm seeing are empty messages.  They have a 
single word


I haven't noticed any of these on my system, but they should be easy 
enough to catch.  Without seeing one I can't guess why the empty body 
rule would be failing.  Can you post one as a txt message


Sure:

http://pastebin.com/769187

Note that I am aware that I am running an older version of SA (3.0.x). 
Unfortunately, upgrading is not feasible at this time.


Thanks for any help or advice you can give!

Craig




.GIF images without .gif in filename and empty messages

2006-08-15 Thread Craig Baird
I have two types of spam that are slipping through, and I'm wondering if
anyone has rules to help with them.

Thanks to the imageinfo plugin, most of my image spam has disappeared except
for one particular type.  I'm still seeing .gif image spams where the
filename for the image does not contain .gif.  Like this:

Content-Type: image/gif;
 name="glitter"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>


The other type of spam I'm seeing are empty messages.  They have a single word
for a subject, but nothing in the body.  About a year ago, I was getting
flooded with these, and I solved the problem by using the SARE_HTML_NO_BODY
rule from 70_sare_html4.cf.  However, this rule does not seem to hit on this
recent crop of empty messages.  I have no idea why.

Is anyone else seeing these, and more importantly, does anyone have a rule for
them?

Craig



Slow scan time

2006-08-11 Thread Craig Morrison


http://www3.2cah.com/spam/sa_slowhtml.txt

I got inundated with messages similar to this today. The average scan 
time here for these is 25+ seconds when the box is under _low_ load.


My guess is that it has to do with the number of URLs.

Any thoughts on this?

--
Craig


Re: SPF and envelope senders

2006-08-10 Thread Craig Morrison

Daryl C. W. O'Shea wrote:

Logan Shaw wrote:


So I looked in my own personal mailbox to see which messages
have Return-Path headers, and out of the hundreds of messages
in there, basically all messages do have a Return-Path header,
except that not a single one from majorcustomer.com does.

So...  is it safe to assume their servers are configured
incorrectly?  Or should our MTA be somehow adding that
header if it's missing?  Or is there some other way that our
MailScanner+SpamAssassin combo should be getting the envelope
sender information?


Your MDA should be adding it, and whatever is calling SpamAssassin 
(MailScanner) should be at least faking it in the message it hands SA.


Daryl



http://wiki.apache.org/spamassassin/EnvelopeSenderInReceived

Is also useful for the bag of tricks too..

--
Craig


Re: Always add report headers

2006-08-05 Thread Craig Morrison

Arik Raffael Funke wrote:

Nigel Frankcom wrote:

On Sat, 05 Aug 2006 14:08:45 +0200, Arik Raffael Funke
<[EMAIL PROTECTED]> wrote:
how do I get spamd/spamc to always add the spamassassin report 
headers? I.e. also to ham messages...


I have the following in my local.cf and user_pref.cf but to no 
apparent use:


use_auto_whitelist 0
use_bayes 0
add_header all Report _REPORT_
add_header all Status _YESNO_, hits=_HITS_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_


I am using version 3.1.4.


report_safe 1


That wasn't it either. As I understand the documentation this config 
variable is supposed to attach the original message unmodified to a 
spamassassin spam report message. This is not what I was looking for.


For me the usual X-Spam-Status headers suffice, but I also want them in 
ham. As a call with "spamassassin ham.txt" would produce... just I want 
them also with "less ham.txt | spamc".


I attach my local.cf below to avoid any uncertainties.

Thanks for the help.

- Arik




 File: local.cf ---
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###

#   Add *SPAM* to the Subject header of spam e-mails
#
# rewrite_header Subject *SPAM*


#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1


#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.


#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock


#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0


#   Use Bayesian classifier (default: 1)
#
use_bayes 0


#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0


#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status

use_auto_whitelist 0
use_bayes 0
add_header all Report _REPORT_
add_header all Status _YESNO_, hits=_HITS_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_

report_safe 1




The point is, who or what is calling spamassassin..

You have to have something in the mix of things that is screwing with 
your headers. Even with report_safe 0, SA adds the X-Spam* headers..


--
Craig


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-04 Thread Craig Morrison

John Rudd wrote:
I've been re-thinking Marc's "IMAP for sending, instead of SMTP" 
proposal.  And this "block Bcc" part got me thinking even more.


I think he may be on to something.  But let's take it one step further.

Email via fingerd.  That'll throw off the spammers.


Wouldn't identd be more apropos?



And to slow down their spam-bot attacks, I propose we replace the 
internet backbones with the long-proposed-but-never-implemented 
IP-via-carrier-pigeon.  We'll need an authentication scheme to go with 
this.  I'm going to suggest a GSSAPI method for wax envelope seals.  
Perfect for carrier pigeon packets.  And _EACH_ packet is individually 
authenticated.  PERFECT!


RFC 1149, I had forgotten about that! This *could* be the answer.



And we'll send preferred traffic (because we hate net neutrality!) over 
bongo-net.


Or better yet, use mockingbirds instead of pigeons,



I think this new internet architecture will stop the spammers in their 
tracks.  No, really, it will.





Either that or get them shat on, which would be a messy affair. :-D

/me goes back to lurking...

--
Craig


RE: Help for beginner

2006-07-25 Thread Craig White
On Tue, 2006-07-25 at 16:02 -0600, Nels Lindquist wrote:
> On 25 Jul 2006 at 14:17, Craig White wrote:
> 
> 
> 
> > http://www.mailscanner.info/linux.html
> > 
> > This is the information page for installing MailScanner on RPM based
> > Linux system.
> > 
> > If you read this, you will see that even though you are using an rpm
> > based system, you download a tarball package, 'un-tar' the tarball and
> > then start the installation process via 'install.sh' command. This
> > actually ends up installing MailScanner and all requisite perl packages
> > via RPM.
> > 
> > Please read this guide.
> 
> I seem to be missing the part where the original poster mentioned he 
> was using or wanted to use Mailscanner.  Was that in a different 
> thread, perhaps?

I vaguely remember it now, I've deleted the thread now.

Craig



RE: Help for beginner

2006-07-25 Thread Craig White
Hi - let's keep this on list OK?

answer at bottom

On Tue, 2006-07-25 at 13:19 -0700, Cabell, Dale wrote:
> I am confused. Are you recommending that I not use RPM with the tarball
> and instead untar and use the script?
> 
> Please let me know.
> 
> Thanks,
> Dale Cabell
> 
> -----Original Message-
> From: Craig White [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, July 25, 2006 12:00 PM
> To: users@spamassassin.apache.org
> Subject: Re: Help for beginner
> 
> On Tue, 2006-07-25 at 14:16 -0400, Theo Van Dinter wrote:
> > FWIW, Dale's been mailing me privately where I've been answering, but
> just for
> > everyone's info:
> > 
> > On Tue, Jul 25, 2006 at 11:04:18AM -0700, Cabell, Dale wrote:
> > > Where do I put the tar? After I untar it, where do I execute the
> > > rpmbuild from?
> > 
> > "rpmbuild -tb" says to build a binary RPM from a tarball.  So:
> > 
> > rpmbuild -tb Mail-SpamAssassin-3.1.3.tar.gz
> > 
> > will build the RPMs from the named tarball.  Depending on your
> environment,
> > you may need to be root and the packages may appear under
> /usr/src/redhat.
> > 
> > The download page also mentions the '--define "srcext .bz2"' option
> which you
> > need if you download the bz2 tarball instead of the gz one.
> 
> given the methodology that MailScanner uses, I don't think that I would
> do that (compile an rpm from a tarball). Unless you know something that
> I don't know that is.
> 
> The MailScanner download for rpm based system is indeed a tarball which
> you have to extract and then run the 'install.sh' script which is a perl
> program which actually builds a lot of requisite perl packages and
> finally mailscanner itself into rpm files and installs the rpm's (or not
> if you already have newer versions of the rpm's installed already). It's
> a sophisticated, comprehensive approach to installing a whole lot of
> stuff and doing it the way the system is configured (via rpm).

http://www.mailscanner.info/linux.html

This is the information page for installing MailScanner on RPM based
Linux system.

If you read this, you will see that even though you are using an rpm
based system, you download a tarball package, 'un-tar' the tarball and
then start the installation process via 'install.sh' command. This
actually ends up installing MailScanner and all requisite perl packages
via RPM.

Please read this guide.

Craig



Re: Help for beginner

2006-07-25 Thread Craig White
On Tue, 2006-07-25 at 14:16 -0400, Theo Van Dinter wrote:
> FWIW, Dale's been mailing me privately where I've been answering, but just for
> everyone's info:
> 
> On Tue, Jul 25, 2006 at 11:04:18AM -0700, Cabell, Dale wrote:
> > Where do I put the tar? After I untar it, where do I execute the
> > rpmbuild from?
> 
> "rpmbuild -tb" says to build a binary RPM from a tarball.  So:
> 
> rpmbuild -tb Mail-SpamAssassin-3.1.3.tar.gz
> 
> will build the RPMs from the named tarball.  Depending on your environment,
> you may need to be root and the packages may appear under /usr/src/redhat.
> 
> The download page also mentions the '--define "srcext .bz2"' option which you
> need if you download the bz2 tarball instead of the gz one.

given the methodology that MailScanner uses, I don't think that I would
do that (compile an rpm from a tarball). Unless you know something that
I don't know that is.

The MailScanner download for rpm based system is indeed a tarball which
you have to extract and then run the 'install.sh' script which is a perl
program which actually builds a lot of requisite perl packages and
finally mailscanner itself into rpm files and installs the rpm's (or not
if you already have newer versions of the rpm's installed already). It's
a sophisticated, comprehensive approach to installing a whole lot of
stuff and doing it the way the system is configured (via rpm).

Craig



Re: Network tests slowing down spamassassin

2006-07-13 Thread Craig Morrison

Ramprasad wrote:

Hi,
  SA works fine for the quite large setup that we have (we get up to
200k mails an hour at peak times).
  But I notice it is too network dependent. A little problem with the
network and all hell breaks loose. Mailq shoots up and SA starts timing
out.
  Probably because I have enabled all kinds of BL tests and URI checks.
But these checks are indispensable; without these SA would have no teeth
at all.

  So what is the best way to reduce network traffic? We are already
getting the sbl-xbl lists from spamhaus so as to serve those lists
locally. Can I get any other lists locally? Commercial agreements
are also OK.



Are you running a local caching nameserver?

For my group that seems to help a great deal.

--
Craig


RE: sudden deluge of university spams

2006-06-22 Thread Craig Baird

Quoting Chris Santerre <[EMAIL PROTECTED]>:


There's a reason. The amount of permutations is ridiculous. But SARE has
Evilnumbers which catches these.


Except that evilnumbers hasn't been updated in over a year   :-)

I've been writing custom rules to block the phone numbers used in these.  You
could write rules for the wording, but like Chris said, it changes so often
that it's a very fast-moving target.  It's probably much more difficult for
the spammer to change their phone number than to change the text of their
e-mails, so write a rule for the phone number, and then score it through the
roof.

I've noticed that it usually takes a handful of phone number rules to stop
these spams for a while, then the spammer changes numbers, and you have to do
it all over again.  Modifications in the phone number format are also a small
challenge.  For example 555.555., 555-555-, 555 555 , 555-
555-, (555)555., etc etc.  So you have to write your rules to take
that into account.

Craig
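Added example, not from the post: one way to turn a single phone number into a separator-tolerant pattern and a SpamAssassin body rule, so the format variations described above are covered by one rule. The rule name, the score and the number 555-555-0100 are constructed for illustration.

```python
import re

# Up to three separator characters (space, newline, dot, dash, parentheses)
# are allowed between digit groups.
SEP = r"[\s.\-()]{0,3}"


def phone_pattern(digits, groups=(3, 3, 4)):
    """Build a regex source string matching one number in any common layout.

    digits is the bare number, e.g. "5555550100"; groups gives the digit
    grouping. The pattern refuses to match inside a longer run of digits.
    """
    if not digits.isdigit() or len(digits) != sum(groups):
        raise ValueError("digits must be %d decimal digits" % sum(groups))
    parts, pos = [], 0
    for size in groups:
        parts.append(digits[pos:pos + size])
        pos += size
    return r"(?<!\d)\(?" + SEP.join(parts) + r"(?!\d)"


def sa_rule(name, digits, score=10.0):
    """Return local.cf lines for a body rule on this number (hypothetical name)."""
    return "body  %s  /%s/\nscore %s  %.1f" % (name, phone_pattern(digits), name, score)


def matches(digits, text):
    """True if text contains the number in any tolerated layout."""
    return re.search(phone_pattern(digits), text) is not None


if __name__ == "__main__":
    number = "5555550100"                      # constructed sample number
    variants = [                               # constructed sample layouts
        "Call 555.555.0100 today",
        "Call 555-555-0100 today",
        "Call 555 555 0100 today",
        "Call 555-\n555-0100 today",
        "Call (555)555.0100 today",
        "Order ref 15555550100",               # longer digit run: must not match
    ]
    for text in variants:
        print(repr(text), matches(number, text))
    print(sa_rule("LOCAL_PHONE_1", number))
```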




Re: Its nice when spammers declare their intentions...

2006-06-19 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Loren Wilton wrote:
> Subject: PayPal Fraud Intention !!! Verify Account & Billing Information !!!
> From: "PayPal.inc Security Center Department " <[EMAIL PROTECTED]>
> 
> Its nice to know that they intend to defraud me.  Maybe I won't bother
> playing their game.
> 
> Loren

Heh, got this one yesterday:

From: "Lazarus Dennis" 
To: <[EMAIL PROTECTED]>
Subject: bastard

And thought, why's he calling me a bastard? Maybe he knows his crap
isn't going to get through...

C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEloZvMDDagS2VwJ4RAo9+AKD8ukwZr6oFJlcoOa2GcWBShQxFwQCgkczn
EE/t68LA8bfo2eFwLNkjVV8=
=5DqP
-END PGP SIGNATURE-


Re: Loading Rules - Possible Memory Issue

2006-06-14 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Duane Hill wrote:
[snippage]
> I think what it boils down to is just getting carried away.
> 
> Thanks for the response. This is still relatively new with running our
> MTA on FreeBSD. It was migrated away from Windows about three weeks ago.

FWIW I have had real success using FBSD-6.0-RELEASE, SA from CPAN and
spamass-milter and sendmail from the ports collection. Just lately I've
moved away from the milter, towards a procmail-based SA setup for better
configurability. Ping me if you want more details.

C.

- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: For those who are considering a Barracuda Network Device server

2006-06-12 Thread Craig White
On Mon, 2006-06-12 at 19:34 -0700, jdow wrote:
> If I was feeling stinky I'd note that I do not like web administration
> tools as much as I like editing the files myself by hand doing things
> I understand from an overdose of RTFM. And I'm not a Linux guy last
> time I checked myself in front of a mirror.
> 
> {^,-}   But I'm not. (Besides "ix guy" is perhaps more to the point.
> I also "dabble" with FreeBSD; but, I don't use it for anything
> important yet.) (It's been a contentious day on several lists.
> Some humor was needed.)

You mean calling GPL License 'nonsense' wasn't your best effort of the
day? 

You hurled similar bombshells on other lists?

Craig



Re: SA 3.1.3 Binary RPMs for FC4?

2006-06-10 Thread Craig McLean

John D. Hardin wrote:
> All:
> 
> My hosted mail server is Fedora Core 4, and I'd rather not put a
> development environment on it if I can avoid doing so. Is anybody
> hosting binary RPMs for SA 3.1.x (ideally 3.1.3) for FC4?
> 

Don't know about 3.1.3, but Axel hosts 3.1.2 at atrpms.net:
http://atrpms.net/dist/fc4/spamassassin/

instructions on setting up yum to use the atrpms repo can also be found
on the site:
http://atrpms.net/install.html

C.

- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Auto delete if >= X on per user basis

2006-06-05 Thread Craig Mead

Hello all,

I've had a good look around but am unable to find an answer to this 
exact scenario. I've had a bash @ using global settings on the 
user_pref's file, but didn't appear to work, so figured I'd ask. If you 
are aware of a reference to this that I've missed, I apologise.


Pretty much all I'm trying to do is setup on a per-user basis an auto 
delete mechanism for mail if it receives > score XX. I've read all the 
doco about the preferred method being to setup filters and do it client 
side, but a number of clients of mine are getting a large amount of 
spam, and we've been watching what's been flagged as such over a 6 month 
period and there's been only 1 instance of a false positive (which was 
an extremely spam like email anyway, so understandable) and the client's 
more than happy to take that risk. Going to keep his required_score at 5 
but want to auto-delete if it's above 8 or so. Any help would be greatly 
appreciated.


TIA


Re: SPAM: Re: Re[2]: Hiring for Spam Assassin Troubleshooting

2006-06-03 Thread Craig Morrison


I usually don't top quote, but folks, this is a troll..

And we all bit..

So troller, you have been sourced, go away..

WFGB Team wrote:

Spam detection software, running on the system "DEDE143", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
Contact Wayne for details.

Content preview:  Hi Sandy, I tried to and I kept getting an error when
  attempting to join. It kept telling me communication error so I figured
  I would wait until later to see if it was an issue on my end or on their
  end. [...] 


Content analysis details:   (7.3 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 0.1 HTML_TAG_EXIST_TBODY   BODY: HTML has "tbody" tag
 1.0 HTML_IMAGE_ONLY_28     BODY: HTML: images with 2400-2800 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.6 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [68.56.253.77 listed in dnsbl.sorbs.net]
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [68.56.253.77 listed in combined.njabl.org]
-1.0 AWL                    AWL: From: address is in the auto white-list

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.





Subject: Re: Re[2]: Hiring for Spam Assassin Troubleshooting
From: "WFGB Team" <[EMAIL PROTECTED]>
Date: Sat, 3 Jun 2006 23:22:07 -0400 (Eastern Daylight Time)
To: , "Sanford Whiteman" <[EMAIL PROTECTED]>



Hi Sandy,
 
I tried to and I kept getting an error when attempting to join.  It kept 
telling me communication error so I figured I would wait until later to 
see if it was an issue on my end or on their end.
 
Wayne
 
 
---Original Message---

From: Sanford Whiteman <mailto:[EMAIL PROTECTED]>
Date: 06/03/06 20:09:26
To: WFGB Team <mailto:[EMAIL PROTECTED]>; users@spamassassin.apache.org <mailto:users@spamassassin.apache.org>
Subject: Re[2]: Hiring for Spam Assassin Troubleshooting

 > I have talked to the SM tech support and have searched through their
 > forum but they believe this is SA issue.

P.S.  You didn't start *a new thread* on their forum, which is as much
community-supported  as  vendor-supported. This is not being thorough,
for what seems like an urgent issue.
 
--Sandy
 
 



--
Craig


RE: 3.1.2-Windows, exit codes broken?

2006-05-30 Thread Emmitt, Craig
>I mean this:
>
>- bug 3754: if there's a problem opening a file via sa-learn or
>spamassassin, return an error exit value.
>
>It indicates there might have been changes to that area of the code
>which concerns your problem.
>
>Kai

I understand, thanks for the clarification.

I had some time over the weekend to install 3.1.2 on a second Windows
box and had the same result, exit code always zero with -e option and
messages determined by spamassassin to be spam.

Oh well, back to 3.1.1 for me.  The ability to script spamassassin as an
MTA pickup event and process the message according to the result code is
too good to give up :)

Thanks,

Craig


Re: Lots of this kind of spam getting through

2006-05-27 Thread Craig McLean

Craig McLean wrote:
> 
> Razor and multi.uribl.com RBL for the first 3

Oops, and multi.surbl.org...

C.
- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Lots of this kind of spam getting through

2006-05-27 Thread Craig McLean

Philip,
See inline..

Philip Mak wrote:
> I'm getting about 50+ per day of these spams not being caught by
> SpamAssassin (SpamAssassin version 3.1.1 running on Perl version
> 5.8.4). There's two types:
> 
> 1. Lose weight type spam, uses bad English e.g. "yrs" instead of
> "years", "u" instead of "you", "ur" instead of "your", talks about not
> having talked to the recipient in years
> 
> http://www.aaanime.net/pmak/spam/2006-05-27/1.txt

X-Spam-Status: Yes, score=23.0 required=6.0
tests=BAYES_60,DK_POLICY_SIGNSOME,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
  RCVD_IN_XBL,SPF_NEUTRAL,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SBL autolearn=spam version=3.1.2

> http://www.aaanime.net/pmak/spam/2006-05-27/2.txt

X-Spam-Status: Yes, score=21.1 required=6.0 tests=BAYES_99,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
RCVD_IN_XBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL
autolearn=spam version=3.1.2

> http://www.aaanime.net/pmak/spam/2006-05-27/3.txt

X-Spam-Status: Yes, score=15.5 required=6.0 tests=BAYES_95,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
RCVD_IN_NJABL_DUL,RCVD_IN_XBL,URIBL_BLACK,URIBL_WS_SURBL
autolearn=spam version=3.1.2
>
> These spams all have different URLs, but if you visit them they're
> exactly the same site. The first two resolve to the same IP address
> too, though the third doesn't despite having the same content.
>
> 2. Homeowner credit, or something
>
> http://www.aaanime.net/pmak/spam/2006-05-27/a.txt

X-Spam-Status: Yes, score=18.1 required=6.0 tests=BAYES_99,CM_MISC_GEOC,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,WEB_403 autolearn=spam
version=3.1.2

> http://www.aaanime.net/pmak/spam/2006-05-27/b.txt

X-Spam-Status: Yes, score=14.2 required=6.0 tests=BAYES_99,CM_MISC_GEOC,
RCVD_IN_BL_SPAMCOP_NET,WEB_403 autolearn=spam version=3.1.2

> These spams keep slipping through SpamAssassin consistently. Most of
> my false negatives are variants of the messages I posted above. Any
> suggestions on how to block them?

Razor and multi.uribl.com RBL for the first 3, the WebRedirect plugin
and a rule which gives any geocities URL a healthy dose of points (a la
http://fukka.co.uk/sa-rules/local/misc.cf) for the second 2.

XBL and spamcop (no flames please) for all, plus make sure you get your
bayes trained on this type of spam to drive the score up there, too.
Mine doesn't do so well because I haven't seen much of this spam.

C.
- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


RE: 3.1.2-Windows, exit codes broken?

2006-05-26 Thread Emmitt, Craig
>> 3.1.2 is not setting a non-zero exit code when a message is classified
>> as spam (spamassassin.bat -e < mailfilein > mailfileout)  Known
>> issue/bug?

>There is something about exit codes in the changelog.


I had checked the changelog and didn't see anything obviously relevant.


Craig


3.1.2-Windows, exit codes broken?

2006-05-26 Thread Emmitt, Craig
Windows Server 2003 SP1
ActivePerl 5.8.8.817
Upgrade from a working 3.1.1 installation

3.1.2 is not setting a non-zero exit code when a message is classified
as spam (spamassassin.bat -e < mailfilein > mailfileout)  Known
issue/bug?



Craig


Re: sa-learn script

2006-05-25 Thread Craig McLean

Paul Matthews wrote:
> Hi there,
> 
> i'm running RHEL4 with spamassassin-3.0.5-3.el4 and i'm looking for a
> script that will make sa-learn go though everyone's Junk mail folder and
> 'learn' what is Junk.
> 
> i've come up with this
> 
> #!/bin/bash
> 
> for i in $( ls /home/MYDOMAIN); do
>  sa-learn --spam /home/MYDOMAIN/i$/mail/Junk
> done
> 
> If i set it to run as a cron job once a week, Will that do what I want it
> to do?
> 

Almost certainly not, unless you change that "i$" to "$i" ;-)

C.

- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: SA Milter problem

2006-05-22 Thread Craig McLean

Chan, Wilson wrote:
> Any else having this problem with spamass-milter with spamassassin?

Nope.

(ask a vague question...)
C.
- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: AWL whitelist & CGPSA

2006-05-20 Thread Craig McLean

Tracey Gates wrote:
> I apologize if this has already been addressed. I am using CGPro with
> CGPSA.  I have placed an entry  in my local.cf 
> 
[snip]

In addition to other comments in this thread, Given:

> --
>  4.8 FROM_KING_COM From known spammer 'king.com'

and:

> [EMAIL PROTECTED]

I'd say that the FROM_KING_COM rule might be misfiring, and for 4.8
points too!

C.
- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Craig McLean

Dallas L. Engelken wrote:
> 
> Well, the only thread on sa-users I found about this was from Dec 2005.
> http://www.nabble.com/A-thought-about-phone-numbers-and-URIBLs-t716464.html
> 
> We had a thread on uribl staff list about this last July which we
> cross-posted to sare where loren brought up some good points.   After a
> good discussion on it, it dropped off the radar as something that would
> take too much time and have very little impact.
> 
> If anyone plans to move forward with this, I'd be willing to share our
> threads on it.
> 
> Dallas

Actually, after some off-list chat with Rob Skedgell I recently finished
a first attempt at a plugin for a dnsbl for phone numbers[1], having put
together a monstrous, by-country static ruleset based on international
dialing codes[2]. It's met with reasonable success here against 419 and
associated check-fraud spam using harvested data[3], but will need some
serious thought, testing, tweaking and infrastructure before it can be
used in production...

I'd be intrigued to read any other comments and discussion that have
happened...

Thanks,
C.

[1] http://fukka.co.uk/sa-rules/local/PhoneBL.pm
[2] http://fukka.co.uk/sa-rules/local/phone.cf
[3] http://fukka.co.uk/sa-rules/local/evilnumbers.db
- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Delete spam or move to a folder?

2006-05-18 Thread Craig McLean

Will Nordmeyer wrote:

> Craig,
>
> How do you have procmail set up to deliver to the spam vs. likely spam
> folders?

Use the "X-Spam-Level" marker. Anything with < 10 stars and a
"X-Spam-Status" of "Yes" gets put in a 'likely-spam' folder. Anything
else goes to 'spam'.

C.
- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Filtering windows-1252 charset

2006-05-18 Thread Craig McLean

Philip Prindeville wrote:
> Jonathan Armitage wrote:
> 
>> I see some spam with "windows-1252" or other unwanted character sets at 
>> the start of the subject. I reject them via an Exim ACL, so SA doesn't 
>> even have to scan them.
>>  
>>
> 
> Which brings up the subject...  How legitimate is email sent as
> windows-1252?

I have a bunch of stuff from paypal and ebay, and much more, which
include this charset.
I'm not attempting to answer the philosophical question, just the
statistical one.

C.

- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Delete spam or move to a folder?

2006-05-17 Thread Craig McLean

Yusuf Ahmed wrote:
> Hi Guys,
>  
> Couldn't find a thread like this hence this new one. Just wondering what
> strategy people are using when it comes to dealing with email that gets
> enough points to be considered as spam. Eg. being deleted and
> quarantined, or delivered and quarantined etc.
>  
> I'm using store and deliver - is that the general concept out there with
> everyone?
>  
> Regards,
> Yusuf.

Hey Yusuf.
Everything received here gets delivered, and procmail sorts the spam and
likely-spam into different folders.
This means we can quickly see misfires either way, and has the added
benefit over milter-level bounces that bayes gets to see everything too.

C.

- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Comment Crashes

2006-05-15 Thread Craig McLean

David B Funk wrote:
> On Tue, 16 May 2006, Craig McLean wrote:
> 
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> [snipped]
>>
>> I use this style to catch a couple of common text formatting oddities
>> caused by machine-generated input, see:
>> http://fukka.co.uk/sa-rules/local/textstyles.cf
>>
>> Thinking about it, this stuff will nest fairly well, so this should work:
>>
>> rawbody T_30_DODGY_DIVS m'(?:\s{0,}?[\$%\w]\s{0,}?.{1,40}?){30}'i
>>
>> Stick with rawbody, you don't need full. Also, you'll probably want
>> case-insensitive, and \s{0,}? to match zero or more whitespace.
> 
> Only problem with that is "rawbody" processes the original message one
> line at a time,  unlike "full" or "body" which concatenate the whole
> message into one large string. So if you're looking for some
> characteristic of a message which is spread across multiple lines of
> input you cannot use "rawbody".

Bugger, you are correct of course. My thanks to you and Sanford Whiteman
 for reminding me that rawbody doesn't (yet) allow multiline matches.

It's 2 AM, I shouldn't be allowed near email :-(

C.

- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
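Added example (not from the thread): a small Python model of the point quoted above, applying the T_4_DODGY_DIVS pattern once per line (how the post describes rawbody) and once over the whole text. Both sample bodies are constructed, and the two helper functions are a model of the described behaviour, not SpamAssassin code.

```python
import re

# The T_4_DODGY_DIVS pattern from earlier in this thread, joined onto one line.
T_4_DODGY_DIVS = re.compile(
    r"\s+\w.{1,40}?\s+\w.{1,40}?\s+\w.{1,40}?\s+\w", re.IGNORECASE)


def rawbody_hit(rx, body):
    """Model of line-at-a-time matching: the regex sees each line alone."""
    return any(rx.search(line) for line in body.splitlines())


def whole_text_hit(rx, body):
    """Model of matching against the message as one large string."""
    return rx.search(body) is not None


# Constructed sample: four single letters, one per line.
SPREAD_OVER_LINES = " V <br>\n L <br>\n A <br>\n P <br>\n"

# Constructed sample: the same four letters on a single line.
ON_ONE_LINE = "<div> V </div><div> L </div><div> A </div><div> P </div>"


def compare():
    """Return {sample name: (line-at-a-time result, whole-text result)}."""
    samples = {
        "spread over lines": SPREAD_OVER_LINES,
        "on one line": ON_ONE_LINE,
    }
    return {
        name: (rawbody_hit(T_4_DODGY_DIVS, body),
               whole_text_hit(T_4_DODGY_DIVS, body))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, (per_line, whole) in compare().items():
        print("%-18s per-line=%s whole-text=%s" % (name, per_line, whole))
```

In the whole-text case `\s+` is what crosses the line breaks; `.` still stops at a newline because the pattern has no /s modifier.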


Re: Comment Crashes

2006-05-15 Thread Craig McLean

Dan wrote:
>> Hmmm, four DIVs, near each other, each with a single alpha and
>> whitespace. May not be what you are trying to catch, but it's the only
>> real pattern I can see from that snippet.
>>
>> rawbody T_4_DODGY_DIVS
>> m'\s+\w.{1,40}?\s+\w.{1,40}?\s+\w.{1,40}?\s+\w'i
>>
>> describe T_4_DODGY_DIVS Testing...
>> score T_4_DODGY_DIVS 0.01
> 
> Interesting, instead asking for the count, you are actually showing it
> how many.  Scaled up to 30 and adding space variations, it would look like:
> 
> 
[snipped]

I use this style to catch a couple of common text formatting oddities
caused by machine-generated input, see:
http://fukka.co.uk/sa-rules/local/textstyles.cf

Thinking about it, this stuff will nest fairly well, so this should work:

rawbody T_30_DODGY_DIVS m'(?:\s{0,}?[\$%\w]\s{0,}?.{1,40}?){30}'i

Stick with rawbody, you don't need full. Also, you'll probably want
case-insensitive, and \s{0,}? to match zero or more whitespace.

C.
- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Comment Crashes

2006-05-15 Thread Craig McLean

Dan wrote:
>> If you could give us a sample of what you are trying to match, maybe
>> we could suggest an alternate route.
> 
> Stuart,
> 
> Its lines and lines of this kind of thing:
> 
> ">   V  L  A 
>  V  P  X  
> C 
>  
> Dan
> 

Hmmm, four DIVs, near each other, each with a single alpha and
whitespace. May not be what you are trying to catch, but it's the only
real pattern I can see from that snippet.

rawbody T_4_DODGY_DIVS
m'\s+\w.{1,40}?\s+\w.{1,40}?\s+\w.{1,40}?\s+\w'i
describe T_4_DODGY_DIVS Testing...
score T_4_DODGY_DIVS 0.01

(note, the regexp should be on one line with no spaces)

That will catch it. You'd have to see what it FPs on though.
You could also get it to pick on single alphas between html tags with a
little tweaking.

C.

- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: RULE using %

2006-05-15 Thread Craig McLean

Jean-Paul Natola wrote:
> 
> well that is why I would only score it like a total of 1.5 points, that
> combined with the other KAM_GEO rule,  would then take it over the 5.5
> threshold, the 1.5 points on its own would not discard the message

Sure thing, it's your choice what to check for and how to score it, I'm
just offering advice. In this case, my advice is that "more than 3 '%'
symbols in a message is worth 1.5 points" might be a bit drastic. Here's
how I scored a typical loan spam:

 1.5 CM_TXT_LOAN            BODY: Loan at a certain rate.
 2.0 TVD_DEAR_HOMEOWNER     BODY: TVD_DEAR_HOMEOWNER
 1.5 CM_CREDIT_SCORE        BODY: Your score doesn't matter
 1.0 CM_IMMEDIATE_CASH      BODY: Immediate cash
 1.0 CM_DEAR_HOMEOWNER      BODY: Dear Homeowner

Plus BAYES_99 for 4 points, and 4 x URIBL hits for 11.6 in this case.

C.
- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: RULE using %

2006-05-15 Thread Craig McLean

Craig McLean wrote:
> Jean-Paul Natola wrote:
>>> Hi all
>>>
>>> These homeowner spams are still getting through (a lot less though since
>>> adding the KAM_GEO_STRING2 rule).
>>>
>>> I do NOT know how to write rules, but I have an idea that perhaps can reduce
>>> the homeowner / credit spams.
>>>
>>> It would be something along the lines of;
>>>
>>> If message contains the % symbol  score it .2
>>> If message contains the % 2 times score it .5
>>> If Message contains the % 3 or more times score it 1.5
> [snip]
> 
> Just a quick note of caution, It's a bad idea to match on multiple
> occurrences of single characters (like %). Off the top of my head, I can
> think of a half-dozen opt-in newsletters which I get that offer
> discounts ( "10% discount", " saving of 17%",  "get 20% off" etc.) and
> would easily contain a dozen "%" characters.
> If you are going to match, try doing it with patterns, like (off the top
> of my head, and untested!)
> 
> /(?:£\$}\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%/
> 

Heh, need more coffee, should be \$) not \$}, but even so it belongs in
a [], not a (). Right, get the kettle on...

/[£\$]\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%/

C.
- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
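Added example (not from the thread): the tiered "%" count from the original question and the corrected pattern from this message, run side by side in Python. The two loan strings are the ones quoted in the earlier message; the two newsletter sentences are constructed from the discount phrases mentioned there.

```python
import re

# Corrected pattern from the message above; the syntax is valid in Python's re.
LOAN_RE = re.compile(r"[£\$]\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%")


def percent_count_score(text):
    """Tiered scoring proposed in the question: 1 -> .2, 2 -> .5, 3+ -> 1.5."""
    n = text.count("%")
    if n >= 3:
        return 1.5
    if n == 2:
        return 0.5
    if n == 1:
        return 0.2
    return 0.0


def pattern_hits(text):
    """True when the currency-amount-then-rate pattern matches."""
    return LOAN_RE.search(text) is not None


# Constructed opt-in newsletter text built from the quoted discount phrases.
NEWSLETTER = ("Spring sale: 10% discount on shoes, a saving of 17% on coats, "
              "get 20% off everything else.")
# Constructed newsletter line that also carries a price.
PRICED_NEWSLETTER = "Orders over $50: get 20% off"
# The two strings quoted in the earlier message.
LOAN_1 = "$250,000 loan at 6.35%"
LOAN_2 = "£ 1 for you just 6%!"


def report():
    """Return (label, count-based score, pattern hit) for each sample."""
    samples = [
        ("newsletter", NEWSLETTER),
        ("priced newsletter", PRICED_NEWSLETTER),
        ("loan 1", LOAN_1),
        # No hit on loan 2: .{1,10} needs at least one character between
        # the last digit and the "%", and "6%" has none.
        ("loan 2", LOAN_2),
    ]
    return [(label, percent_count_score(t), pattern_hits(t))
            for label, t in samples]


if __name__ == "__main__":
    for label, score, hit in report():
        print("%-18s count-score=%.1f pattern-hit=%s" % (label, score, hit))
```

The priced newsletter line still matches the pattern, so a rule built on it needs the same false-positive testing and a modest score.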


Re: RULE using %

2006-05-15 Thread Craig McLean

Jean-Paul Natola wrote:
> Hi all
> 
> These homeowner spams are still getting through (a lot less though since
> adding the KAM_GEO_STRING2 rule).
> 
> I do NOT know how to write rules, but I have an idea that perhaps can reduce
> the homeowner / credit spams.
> 
> It would be something along the lines of;
> 
> If message contains the % symbol  score it .2
> If message contains the % 2 times score it .5
> If Message contains the % 3 or more times score it 1.5
[snip]

Just a quick note of caution, It's a bad idea to match on multiple
occurrences of single characters (like %). Off the top of my head, I can
think of a half-dozen opt-in newsletters which I get that offer
discounts ( "10% discount", " saving of 17%",  "get 20% off" etc.) and
would easily contain a dozen "%" characters.
If you are going to match, try doing it with patterns, like (off the top
of my head, and untested!)

/(?:£\$}\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%/

might attempt to match:

"$250,000 loan at 6.35%"
"£ 1 for you just 6%!"


C.

- --
Craig McLeanhttp://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!

