Re: Latest spammers' trick - email address in body instead of url

2006-03-10 Thread Craig McLean

Randal, Phil wrote:
> Hi folks,
> 
> We're seeing increasing amounts of spam coming in which the email's body
> contains seemingly innocuous (but obviously irrelevant) text plus an
> email address for more information.
> 
[snip]
Phil,
Not seen any of these yet, any chance of some examples?

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: SUBJ_ILLEGAL_CHARS

2006-03-15 Thread Craig McLean

Philip Prindeville wrote:
[snip]
>  I mean it's not X.400, right?  ;-)

Thank the Gods...

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Importance of SMTP gateway reverse lookup domain?

2006-03-16 Thread Craig McLean

Michael Monnerie wrote:
> On Donnerstag, 16. März 2006 17:15 Stewart, John wrote:
>> Aye; thanks. Unfortunately, our current external DNS server doesn't
>> yet support SPF records. =(
> 
> SPF is setup just via TXT records, what DNS software doesn't support 
> that?
> 
> mfg zmi

A better question might be "What DNS hosts don't support TXT records".
That would be quite a few. 1and1.co.uk for instance, hence the fact I'm
moving...

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: 3.1.1 Upgrade Problems

2006-03-18 Thread Craig McLean

Theo Van Dinter wrote:
> On Fri, Mar 17, 2006 at 08:18:35PM -0800, Dan Kohn wrote:
>> Anything else to try?
> 
> Nothing comes to mind.  It looks like a bug in IO::Zlib or perl on
> your platform.
> 
> Anyone else on FreeBSD having similar problems?

FBSD 5.2.1-RELEASE, SA3.1.1 on Perl 5.8.7 with IO::ZLib 1.04, no
problems here.

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Changes to SATest.pm to get SA 3.1.1 "make test" working on FreeBSD jails.

2006-03-18 Thread Craig McLean

Folks,
I've tinkered with t/SATest.pm to help get "make test" working correctly
in jails on FreeBSD. What's the best way to get this to the committers?
bugzilla? the dev list?

Thanks,
C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: INVALID_DATE

2006-03-24 Thread Craig McLean

David Lee wrote:
> On Fri, 24 Mar 2006, mouss wrote:
> 
>> Daryl C. W. O'Shea a écrit :
>>> David Lee wrote:
>>>
>>>> If, conversely, it is not in breach, then SA has a problem: it shouldn't
>>>> be marking it "INVALID_DATE".  Incidentally, it is this aspect (rather
>>>> than any other)  of the date that is triggering this SA rule, isn't it?
>>>
>>> I guess we could fix it by renaming the rule "STUPIDLY_FORMATTED_DATE".

Heh. Never a truer word spoken, than in jest.

>>> Anyone writing their own mail application, such as this mobile
>>> providers, should really stick to formatting as seen in well established
>>> MTAs.
>>>
>> sure, but if we take it the rfc way,
>>  FROM_ENDS_IN_NUMS, NO_REAL_NAME
>> are pure abuse. and they do cause FPs (dunno about FROM_LOCAL_HEX).

That's certainly my opinion.

> 1. INVALID_DATE:  I think we all agree that the ISP (mobile provider O2;
> mmail) are almost certainly in breach of 822/2822.  (Being as generous as
> possible, we would agree (I think) that they are way, way out of step with
> good practice.)

No disagreement here.

> (We now shift discussion from the "Date:" field to the "From:" field.)
> 
> 2. FROM_ENDS_IN_NUMS:  Here, I actually find myself in some sympathy with
> the ISP.  Their service is about email on a cellphone, with a "From:" that
> is, by definition, that cellphone number:
>From: [EMAIL PROTECTED]
> 
> (I have "x"d some of the real number).  It does seem to make sense, for
> their service, in their context.
> 
> 3. NO_REAL_NAME:  It would be nice if the ISP could adjust this to be
> something like (in my own case):
>From: David Lee <[EMAIL PROTECTED]>
> 
> But with a block-booking from a customer (my own number above is part of
> such a thing from my employer) they might not have enough information for
> this.  So again, I find myself in some sympathy with them.
> 
> 4. FROM_LOCAL_HEX: presumably this is because the "local" part is, by
> definition of their service, a cellphone number.  There seems little that
> can be done about this.
> 
> 
> For those final three items (those concerning "From:") this is a judgement
> call, and a reasonable case can be made that we (the receiving customer,
> having this service for our people on the road checking back in) might
> need to adjust our SA scores slightly downwards, and/or have supplementary
> rules that add a small negative score for "@mmail.co.uk".  That's not the
> main issue at discussion on this thread.  (But advice and suggestions
> would be welcome.)

As mentioned, NO_REAL_NAME hits way too much ham to be viable IMNSHO. It
doesn't score here.
In any case, I'm sure the rules could be tweaked to create metas whereby
FROM_LOCAL_HEX or FROM_ENDS_IN_NUMS won't fire if (say) FROM_IS_MOBILE
or FROM_MMAIL is true. You'll need to write those rules, but they are
trivial.

> The real issue is being able to demonstrate to the ISP that their 17-char,
> space-separated (therefore non-alphabetic) "GMT Standard Time" in their
> "Date:" is (or isn't) in clear technical breach of 822/2822.
> 

How big is your contract with the cellphone provider? Do you have the
clout to get them to re-write bits of their MTA?

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: some messages does not seem to get to spamassassin

2006-03-24 Thread Craig McLean

Sipos Gabor wrote:
> Hello everyone,
> 

Hi!

[snip SA not marking some mail]

> Where  to  start looking?
> 
> thanks everyone
> Gabor Sipos
> 

I had a similar problem here, with only a couple of mail accounts and no
real load to speak of.
I added a global procmail rule to check that SA had seen and marked
every message, and pass the mail through spamc again if it didn't. Then
it checks again, and passes the mail through 'spamassassin' proper if
needed. If it still doesn't get the SA headers, it gets an
"X-Everthing-Missed" header which I can grep for.

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Install help for Spamassasian 3.1.1 on Fedora Core 4

2006-04-03 Thread Craig McLean

Abel Jeffcoat wrote:
> Hello,
> 
> I'm trying to install the new version of Spamassasian on a new mail
> server I'm building. I'm using Fedora Core 4, and I have the latest
> updates for Perl, etc.
> 
> When I attempt to install it via cpan. Does anyone of any experience
> getting Spamassasian installed on Fedora Core 4?
> 
> Any help would be appreciated.
> 
> Abel Jeffcoat

[snip]

Hey Abel,
Axel T has already done the business for you:
http://atrpms.net/dist/fc4/spamassassin/

Regards,
Craig.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Stopping recent stock pumping spam

2006-04-04 Thread Craig McLean

[ forgot to copy list - d'oh ]

Tristan Miller wrote:
[snip image-only stock p&d spam comments]

> Does anyone have a filterset or other recommended settings that will block
> this kind of spam?
>
> Regards,
> Tristan

I ran a couple of those messages through SA here (3.1.1), and the main
hits were Bayes, TVD_FW_GRAPHIC_(ID1|NAME_LONG), SARE_GIF_(STOX|ATTACH),
and HTML_IMAGE_ONLY_*.
Bayes I can't help you with, it just needs training. TVD stuff is from
SA 3.1.1's 80_additional.cf, SARE_GIF is from SARE_STOCKS and
HTML_IMAGE_ONLY is, IIRC, standard issue.

Out of interest, simply attaching a GIF to a mail can get you over 4
points here, all the HTML_IMAGE_ONLY rules have had their scores upped
pretty high. This system, however, has a total of 2 users. Me and the
wife. YMMV.

Those mails scored between 10 and 14 here...

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Charity spam - is this a new kind of 419?

2006-04-24 Thread Craig McLean

Peter Campion-Bye wrote:
> Received the message below at the weekend. I could be completely wrong and
> this is a genuine misguided attempt at recruiting charity workers, but it
> looks to me like a new kind of 419 scam - if you show an interest I suspect
> they will want bank account details and/or money up front.
> Suspicious that she can't even decide how to spell her own surname!
> 
[snip headers]
> 
>  Hello,
>I am Helen from Save the Children Charity Work.Save the children is a child
> charity that works in the uk and worldwide. find out
>  how you can do volunteering, fundraising and make a donation.
>We are presently looking for people from United Kingdom,United
> States,Canada,Australia and Ireland who can work online with our Branch in
> Africa.We are willing to make arranging for payment on everyone who is
> ready to part-take under this umbrella of our Charity Work(Save The
> Children).
> We want to make sure that Children are safe and secured from every bad
> diseases occuring around the world now, and this Organization will be
> making payment for everybody working under it but it depends on how many
> people you can bring into this Organization.
> Payment for single/new person who just join this Save the Children Health
> Organization is 400pounds per week and the payment will be made in
> cheque/money order or directly into your account everyweek as a part of
> this Organization.
>  We are pleased to welcome you as a member of this Children Health
> Organization which is made for schools and everybody in the world can
> part-take as member because we need just 20 more people to be member/workers
> of this Organization and this Organization need people who can make
> themselves avaliable at least twice a week for the work because we may need
> any member to reach places where help is needed.
>I hope this is more comprehensive and you are highly welcome to be a
> member/worker under this Children Health Organization.
>  You can contact the Ass. Coordinator for more informations through this
> mailto: [EMAIL PROTECTED]
>  We are very pleased to invite you to part-take as a member/worker in this
> Children Health Organization and you read more from our other branch website
> under united States (www.savethechildren.org)
>  Thanks
>Mrs Helen Cockran
>Ass. Coordinator
>NB: mailto: [EMAIL PROTECTED]

Smells like 419 to me, given (among other things) the level of literacy
displayed.  If you have no objections I'll drop the sender a line and
see what the scam is...

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: OR NOT Logic

2006-05-04 Thread Craig McLean

Peter P. Benac wrote:
[snip]
> 
> And your domain is my Mother's Maiden Name  :)
> 
> Regards,
> Pete

Remind me who you bank with? ;-)

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: home owner

2006-05-04 Thread Craig McLean

Jean-Paul Natola wrote:
I have a couple of homebrew ones which seem to work, although as soon as
I post them here they will become obsolete :-) They are not masschecked,
so use them with care.

http://fukka.co.uk/sa-rules/local/loans_rules.cf

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: home owner/credit

2006-05-08 Thread Craig McLean

Jean-Paul Natola wrote:
> Still getting hammered, 
> 
> Anyone else found a fix,  getting these in DAILY
> 

Not being psychic, I can't help. Perhaps you can put some examples up on
the web somewhere?

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Latest sa-stats from last week

2006-05-08 Thread Craig McLean

Net tests also seem to have a big impact here, but BAYES still rocks on
a small (3-user) install...
I note that URIBL_(?:BLACK|SBL), RCVD_IN_BL_SPAMCOP_NET, HTML_MESSAGE
are hitting some fair ham though. FORGED_RCVD_HELO is an artefact of
bigfoot; L_MISC_LONGSTRING is a throwaway/testing local rule and
NO_REAL_NAME ham is thanks to auto-responder and list-posters mainly.

Regards,
C.

TOP SPAM RULES FIRED
--------------------------------------------------------------
RANK  RULE NAME                COUNT  %OFMAIL  %OFSPAM  %OFHAM
--------------------------------------------------------------
   1  BAYES_99                  4825    13.23    97.36    0.55
   2  HTML_MESSAGE              3337    15.93    67.33    8.18
   3  URIBL_BLACK               2730     7.53    55.08    0.37
   4  URIBL_SC_SURBL            2368     6.27    47.78    0.01
   5  URIBL_JP_SURBL            2333     6.22    47.07    0.07
   6  URIBL_WS_SURBL            2209     5.91    44.57    0.09
   7  URIBL_SBL                 2026     5.59    40.88    0.27
   8  URIBL_OB_SURBL            1987     5.34    40.09    0.10
   9  RCVD_IN_BL_SPAMCOP_NET    1900     6.50    38.34    1.71
  10  FORGED_RCVD_HELO          1810    19.53    36.52   16.97
  11  URIBL_AB_SURBL            1528     4.04    30.83    0.01
  12  ADVANCE_FEE_1             1420     3.82    28.65    0.08
  13  ADVANCE_FEE_2             1265     3.35    25.52    0.01
  14  EXTRA_MPART_TYPE          1196     3.18    24.13    0.02
  15  RCVD_IN_XBL               1176     3.11    23.73    0.00
  16  ADVANCE_FEE_3             1069     2.82    21.57    0.00
  17  HTML_90_100               1017     3.42    20.52    0.84
  18  DNS_FROM_RFC_ABUSE         916     2.76    18.48    0.39
  19  HTML_SHORT_LINK_IMG_1      888     2.35    17.92    0.00
  20  SUBJ_ALL_CAPS              863     2.39    17.41    0.12
--------------------------------------------------------------

TOP HAM RULES FIRED
--------------------------------------------------------------
RANK  RULE NAME                COUNT  %OFMAIL  %OFSPAM  %OFHAM
--------------------------------------------------------------
   1  BAYES_00                 26279    69.44     0.08   79.89
   2  SPF_PASS                 22668    60.11     1.63   68.92
   3  DK_SIGNED                 6063    16.93     6.98   18.43
   4  FORGED_RCVD_HELO          5582    19.53    36.52   16.97
   5  USER_IN_SPF_WHITELIST     4986    13.17     0.00   15.16
   6  RCVD_BY_IP                4674    13.21     6.60   14.21
   7  ALL_TRUSTED               3219     8.51     0.00    9.79
   8  HTML_MESSAGE              2691    15.93    67.33    8.18
   9  NO_REAL_NAME              1355     4.34     5.79    4.12
  10  L_MISC_LONGSTRING          829     2.48     2.24    2.52
  11  BAYES_50                   702     1.98     0.93    2.13
  12  TW_EV                      619     1.64     0.04    1.88
  13  DK_POLICY_SIGNSOME         563     2.64     8.80    1.71
  14  RCVD_IN_BL_SPAMCOP_NET     561     6.50    38.34    1.71
  15  TW_OC                      534     1.41     0.00    1.62
  16  DK_VERIFIED                526     1.60     1.57    1.60
  17  DK_POLICY_TESTING          473     2.38     8.62    1.44
  18  HTML_30_40                 453     1.68     3.71    1.38
  19  AWL                        435     1.17     0.16    1.32
  20  HTML_40_50                 425     1.52     3.01    1.29


--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Suing Spammers

2006-05-13 Thread Craig McLean

Marc Perkel wrote:
> So - has anyone here actually sued a spammer? I'm seriously considering
> it. I hooked up with a lawyer today who specializes in it and I do front
> end spam filtering for about 500 domains. I'm wondering, is there any
> reason why I should not sue spammers if I can do it? I'm wondering if I
> make enough money suing spammers I could give my services away for free
> just to get the spam to sue for.
> 
> Someone tell me if I'm nuts?

No, you're not nuts, at least not in the EU:

http://spamlegalaction.pbwiki.com/

Rules in CA might be a little different, but the principle is likely to
be the same..

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: RULE using %

2006-05-15 Thread Craig McLean

Jean-Paul Natola wrote:
> Hi all
> 
> These homeowner  spasm are still getting through ( a lot less though since
> adding the KAM_GEO_STRING2 rule.
> 
> I do NOT know how to write rules, but I have an idea that perhaps can reduce
> the homeowner / credit spams.
> 
> It would be something along the lines of;
> 
> If message contains the % symbol  score it .2
> If message contains the % 2 times score it .5
> If Message contains the % 3 or more times score it 1.5
[snip]

Just a quick note of caution, It's a bad idea to match on multiple
occurrences of single characters (like %). Off the top of my head, I can
think of a half-dozen opt-in newsletters which I get that offer
discounts ( "10% discount", " saving of 17%",  "get 20% off" etc.) and
would easily contain a dozen "%" characters.
If you are going to match, try doing it with patterns, like (off the top
of my head, and untested!)

/(?:£\$}\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%/

might attempt to match:

"$250,000 loan at 6.35%"
"£ 1 for you just 6%!"


C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: RULE using %

2006-05-15 Thread Craig McLean

Craig McLean wrote:
> Jean-Paul Natola wrote:
>>> Hi all
>>>
>>> These homeowner  spasm are still getting through ( a lot less though since
>>> adding the KAM_GEO_STRING2 rule.
>>>
>>> I do NOT know how to write rules, but I have an idea that perhaps can reduce
>>> the homeowner / credit spams.
>>>
>>> It would be something along the lines of;
>>>
>>> If message contains the % symbol  score it .2
>>> If message contains the % 2 times score it .5
>>> If Message contains the % 3 or more times score it 1.5
> [snip]
> 
> Just a quick note of caution, It's a bad idea to match on multiple
> occurrences of single characters (like %). Off the top of my head, I can
> think of a half-dozen opt-in newsletters which I get that offer
> discounts ( "10% discount", " saving of 17%",  "get 20% off" etc.) and
> would easily contain a dozen "%" characters.
> If you are going to match, try doing it with patterns, like (off the top
> of my head, and untested!)
> 
> /(?:£\$}\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%/
> 

Heh, need more coffee, should be \$) not \$}, but even so it belongs in
a [], not a (). Right, get the kettle on...

/[£\$]\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%/

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
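
Added example, not part of the original posts: the corrected pattern from the message above run against constructed sample text, next to the count-the-% scoring proposed earlier in the thread. The sample strings and function names are assumptions made for illustration; the pattern is copied unchanged and exercised with Python's re module, which treats these constructs the same way Perl does.

```python
import re

# Corrected pattern from the follow-up post, copied unchanged.
LOAN_RATE = re.compile(r"[£\$]\s?\d+(?:[\.,]\d+)?.{1,20}\d.{1,10}%")


def percent_count_score(text):
    """Score under the count-the-% proposal quoted in the thread."""
    n = text.count("%")
    if n >= 3:
        return 1.5
    if n == 2:
        return 0.5
    if n == 1:
        return 0.2
    return 0.0


def loan_rate_hits(text):
    """Return every substring the pattern matches, checked line by line."""
    hits = []
    for line in text.splitlines():
        hits.extend(m.group(0) for m in LOAN_RATE.finditer(line))
    return hits


# Constructed samples. The newsletter reuses the three discount phrases
# quoted in the thread; none of this is real mail.
NEWSLETTER = (
    "Spring offers: 10% discount on all orders.\n"
    "A saving of 17% on delivery.\n"
    "Get 20% off when you renew.\n"
)
LOAN_SPAM = "Dear Homeowner, $250,000 loan at 6.35% fixed, your score doesn't matter."

# The two target strings as they appear on this page.
TARGETS = ["$250,000 loan at 6.35%", "£ 1 for you just 6%!"]


def compare(samples):
    """Map sample name -> (count-based score, list of pattern hits)."""
    return {
        name: (percent_count_score(text), loan_rate_hits(text))
        for name, text in samples.items()
    }


if __name__ == "__main__":
    report = compare({
        "newsletter": NEWSLETTER,
        "loan spam": LOAN_SPAM,
        "target 1": TARGETS[0],
        "target 2": TARGETS[1],
    })
    for name, (score, hits) in report.items():
        print(f"{name:11} count-score={score:<4} pattern-hits={hits}")
    # The newsletter scores 1.5 on the count rule but gives the pattern
    # nothing to hit, since it has no currency amount. The second target is
    # not hit either: the pattern wants a digit, then at least one more
    # character, then "%", and "6%" has nothing between the digit and the "%".
```

Running candidate rules over both known ham and the intended targets before scoring them is what catches this kind of gap.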


Re: RULE using %

2006-05-15 Thread Craig McLean

Jean-Paul Natola wrote:
> 
> well that is why I would only score it like a total of 1.5 points, that
> combined with the other KAM_GEO rule,  would then take it over the 5.5
> threshold, the 1.5 points on its own would not discard the message

Sure thing, it's your choice what to check for and how to score it, I'm
just offering advice. In this case, my advice is that "more than 3 '%'
symbols in a message is worth 1.5 points" might be a bit drastic. Here's
how I scored a typical loan spam:

 1.5 CM_TXT_LOAN         BODY: Loan at a certain rate.
 2.0 TVD_DEAR_HOMEOWNER  BODY: TVD_DEAR_HOMEOWNER
 1.5 CM_CREDIT_SCORE     BODY: Your score doesn't matter
 1.0 CM_IMMEDIATE_CASH   BODY: Immediate cash
 1.0 CM_DEAR_HOMEOWNER   BODY: Dear Homeowner

Plus BAYES_99 for 4 points, and 4 x URIBL hits for 11.6 in this case.

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Comment Crashes

2006-05-15 Thread Craig McLean

Dan wrote:
>> If you could give us a sample of what you are trying to match, maybe
>> we could suggest an alternate route.
> 
> Stuart,
> 
> Its lines and lines of this kind of thing:
> 
> ">   V  L  A 
>  V  P  X  
> C 
>  
> Dan
> 

Hmmm, four DIVs, near each other, each with a single alpha and
whitespace. May not be what you are trying to catch, but it's the only
real pattern I can see from that snippet.

rawbody T_4_DODGY_DIVS
m'\s+\w.{1,40}?\s+\w.{1,40}?\s+\w.{1,40}?\s+\w'i
describe T_4_DODGY_DIVS Testing...
score T_4_DODGY_DIVS 0.01

(note, the regexp should be on one line with no spaces)

That will catch it. You'd have to see what it FPs on though.
You could also get it to pick on single alphas between html tags with a
little tweaking.

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Comment Crashes

2006-05-15 Thread Craig McLean

Dan wrote:
>> Hmmm, four DIVs, near each other, each with a single alpha and
>> whitespace. May not be what you are trying to catch, but it's the only
>> real pattern I can see from that snippet.
>>
>> rawbody T_4_DODGY_DIVS
>> m'\s+\w.{1,40}?\s+\w.{1,40}?\s+\w.{1,40}?\s+\w'i
>>
>> describe T_4_DODGY_DIVS Testing...
>> score T_4_DODGY_DIVS 0.01
> 
> Interesting, instead asking for the count, you are actually showing it
> how many.  Scaled up to 30 and adding space variations, it would look like:
> 
> 
[snipped]

I use this style to catch a couple of common text formatting oddities
caused by machine-generated input, see:
http://fukka.co.uk/sa-rules/local/textstyles.cf

Thinking about it, this stuff will nest fairly well, so this should work:

rawbody T_30_DODGY_DIVS m'(?:\s{0,}?[\$%\w]\s{0,}?.{1,40}?){30}'i

Stick with rawbody, you don't need full. Also, you'll probably want
case-insensitive, and \s{0,}? to match zero or more whitespace.

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Comment Crashes

2006-05-15 Thread Craig McLean

David B Funk wrote:
> On Tue, 16 May 2006, Craig McLean wrote:
> 
>> [snipped]
>>
>> I use this style to catch a couple of common text formatting oddities
>> caused by machine-generated input, see:
>> http://fukka.co.uk/sa-rules/local/textstyles.cf
>>
>> Thinking about it, this stuff will nest fairly well, so this should work:
>>
>> rawbody T_30_DODGY_DIVS m'(?:\s{0,}?[\$%\w]\s{0,}?.{1,40}?){30}'i
>>
>> Stick with rawbody, you don't need full. Also, you'll probably want
>> case-insensitive, and \s{0,}? to match zero or more whitespace.
> 
> Only problem with that is "rawbody" processes the original message one
> line at a time,  unlike "full" or "body" which concatenate the whole
> message into one large string. So if you're looking for some
> characteristic of a message which is spread across multiple lines of
> input you cannot use "rawbody".

Bugger, you are correct of course. My thanks to you and Sanford Whiteman
 for reminding me that rawbody doesn't (yet) allow multiline matches.

It's 2 AM, I shouldn't be allowed near email :-(

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
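
Added example, not part of the original posts: a small model of the difference described in the reply above, trying the T_4_DODGY_DIVS pattern as shown on this page against each line separately and against the whole text. The sample bodies and function names are assumptions; this models the described behaviour in Python and is not SpamAssassin's own code.

```python
import re

# T_4_DODGY_DIVS pattern exactly as it appears on this page; the trailing
# 'i' modifier becomes re.IGNORECASE.
FOUR_SINGLES = re.compile(
    r"\s+\w.{1,40}?\s+\w.{1,40}?\s+\w.{1,40}?\s+\w", re.IGNORECASE
)


def hits_line_at_a_time(body, pattern):
    """Model of the line-at-a-time behaviour the reply describes for rawbody:
    the pattern is tried against each line on its own."""
    return any(pattern.search(line) for line in body.splitlines())


def hits_whole_text(body, pattern):
    """Model of matching against the message as one large string."""
    return pattern.search(body) is not None


def lines_spanned(body, pattern):
    """Number of input lines the first whole-text match covers (0 if none)."""
    m = pattern.search(body)
    return 0 if m is None else m.group(0).count("\n") + 1


# Constructed bodies: single letters padded with whitespace, either one per
# line (the layout the thread is about) or all on one line.
SPREAD = " V \n L \n A \n P \n"
ONE_LINE = " V  L  A  P \n"


def evaluate(bodies, pattern=FOUR_SINGLES):
    """Map body name -> (per-line hit, whole-text hit, lines spanned)."""
    return {
        name: (
            hits_line_at_a_time(body, pattern),
            hits_whole_text(body, pattern),
            lines_spanned(body, pattern),
        )
        for name, body in bodies.items()
    }


if __name__ == "__main__":
    results = evaluate({"spread": SPREAD, "one line": ONE_LINE})
    for name, (per_line, whole, span) in results.items():
        print(f"{name:9} per-line={per_line!s:5} whole={whole!s:5} span={span}")
    # "spread" only matches when the text is searched as a whole, because the
    # four letters sit on four different lines; \s+ can cross the newlines but
    # a single line never holds more than one letter.
```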


Re: Delete spam or move to a folder?

2006-05-17 Thread Craig McLean

Yusuf Ahmed wrote:
> Hi Guys,
>  
> Couldn't find a thread like this hence this new one. Just wondering what
> strategy people are using when it comes to dealing with email that gets
> enough points to be considered as spam. Eg. being deleted and
> quarantined, or delivered and quarantined etc.
>  
> I'm using store and deliver - is that the general concept out there with
> everyone?
>  
> Regards,
> Yusuf.

Hey Yusuf.
Everything received here gets delivered, and procmail sorts the spam and
likely-spam into different folders.
This means we can quickly see misfires either way, and has the added
benefit over milter-level bounces that bayes gets to see everything too.

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Filtering windows-1252 charset

2006-05-18 Thread Craig McLean

Philip Prindeville wrote:
> Jonathan Armitage wrote:
> 
>> I see some spam with "windows-1252" or other unwanted character sets at 
>> the start of the subject. I reject them via an Exim ACL, so SA doesn't 
>> even have to scan them.
>>  
>>
> 
> Which brings up the subject...  How legitimate is email sent as
> windows-1252?

I have a bunch of stuff from paypal and ebay, and much more, which
include this charset.
I'm not attempting to answer the philosophical question, just the
statistical one.

C.

--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Delete spam or move to a folder?

2006-05-18 Thread Craig McLean

Will Nordmeyer wrote:

> Craig,
>
> How do you have procmail set up to deliver to the spam vs. likely spam
> folders?

Use the "X-Spam-Level" marker. Anything with < 10 stars and a
"X-Spam-Status" of "Yes" gets put in a 'likely-spam' folder. Anything
else goes to 'spam'.

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Craig McLean

Dallas L. Engelken wrote:
> 
> Well, the only thread on sa-users I found about this was from Dec 2005.
> http://www.nabble.com/A-thought-about-phone-numbers-and-URIBLs-t716464.html
> 
> We had a thread on uribl staff list about this last July which we
> cross-posted to sare where loren brought up some good points.   After a
> good discussion on it, it dropped off the radar as something that would
> take too much time and have very little impact.
> 
> If anyone plans to move forward with this, I'd be willing to share our
> threads on it.
> 
> Dallas

Actually, after some off-list chat with Rob Skedgell I recently finished
a first attempt at a plugin for a dnsbl for phone numbers[1], having put
together a monstrous, by-country static ruleset based on international
dialing codes[2]. It's met with reasonable success here against 419 and
associated check-fraud spam using harvested data[3], but will need some
serious thought, testing, tweaking and infrastructure before it can be
used in production...

I'd be intrigued to read any other comments and discussion that have
happened...

Thanks,
C.

[1] http://fukka.co.uk/sa-rules/local/PhoneBL.pm
[2] http://fukka.co.uk/sa-rules/local/phone.cf
[3] http://fukka.co.uk/sa-rules/local/evilnumbers.db
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: AWL whitelist & CGPSA

2006-05-20 Thread Craig McLean

Tracey Gates wrote:
> I apologize if this has already been addressed.I am using CGPro with
> CGPSA.  I have placed an entry  in my local.cf 
> 
[snip]

In addition to other comments in this thread, Given:

> --
>  4.8 FROM_KING_COM From known spammer 'king.com'

and:

> [EMAIL PROTECTED]

I'd say that the FROM_KING_COM rule might be misfiring, and for 4.8
points too!

C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: SA Milter problem

2006-05-22 Thread Craig McLean

Chan, Wilson wrote:
> Any else having this problem with spamass-milter with spamassassin?

Nope.

(ask a vague question...)
C.
--
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


Re: sa-learn script

2006-05-25 Thread Craig McLean

Paul Matthews wrote:
> Hi there,
> 
> i'm running RHEL4 with spamassassin-3.0.5-3.el4 and i'm looking for a
> script that will make sa-learn go through everyone's Junk mail folder and
> 'learn' what is Junk.
> 
> i've come up with this
> 
> #!/bin/bash
> 
> for i in $( ls /home/MYDOMAIN); do
>  sa-learn --spam /home/MYDOMAIN/i$/mail/Junk
> done
> 
> If i set it to run as a cron job once a week, Will that do what I want it
> to do?
> 

Almost certainly not, unless you change that "i$" to "$i" ;-)

C.

- --
Craig McLean        http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEdWGSMDDagS2VwJ4RAiRfAJ9/0LsDofegmY1FMQMLgQRL9MnwcACeJOYd
LH64xcCF3cfXHfAo/KTO4zc=
=KOF+
-END PGP SIGNATURE-


Re: Lots of this kind of spam getting through

2006-05-27 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Philip,
See inline..

Philip Mak wrote:
> I'm getting about 50+ per day of these spams not being caught by
> SpamAssassin (SpamAssassin version 3.1.1 running on Perl version
> 5.8.4). There's two types:
> 
> 1. Lose weight type spam, uses bad English e.g. "yrs" instead of
> "years", "u" instead of "you", "ur" instead of "your", talks about not
> having talked to the recipient in years
> 
> http://www.aaanime.net/pmak/spam/2006-05-27/1.txt

X-Spam-Status: Yes, score=23.0 required=6.0
tests=BAYES_60,DK_POLICY_SIGNSOME,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
  RCVD_IN_XBL,SPF_NEUTRAL,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SBL autolearn=spam version=3.1.2

> http://www.aaanime.net/pmak/spam/2006-05-27/2.txt

X-Spam-Status: Yes, score=21.1 required=6.0 tests=BAYES_99,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
RCVD_IN_XBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL
autolearn=spam version=3.1.2

> http://www.aaanime.net/pmak/spam/2006-05-27/3.txt

X-Spam-Status: Yes, score=15.5 required=6.0 tests=BAYES_95,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
RCVD_IN_NJABL_DUL,RCVD_IN_XBL,URIBL_BLACK,URIBL_WS_SURBL
autolearn=spam version=3.1.2
>
> These spams all have different URLs, but if you visit them they're
> exactly the same site. The first two resolve to the same IP address
> too, though the third doesn't despite having the same content.
>
> 2. Homeowner credit, or something
>
> http://www.aaanime.net/pmak/spam/2006-05-27/a.txt

X-Spam-Status: Yes, score=18.1 required=6.0 tests=BAYES_99,CM_MISC_GEOC,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,WEB_403 autolearn=spam
version=3.1.2

> http://www.aaanime.net/pmak/spam/2006-05-27/b.txt

X-Spam-Status: Yes, score=14.2 required=6.0 tests=BAYES_99,CM_MISC_GEOC,
RCVD_IN_BL_SPAMCOP_NET,WEB_403 autolearn=spam version=3.1.2

> These spams keep slipping through SpamAssassin consistently. Most of
> my false negatives are variants of the messages I posted above. Any
> suggestions on how to block them?

Razor and multi.uribl.com RBL for the first 3, the WebRedirect plugin
and a rule which gives any geocities URL a healthy dose of points (a la
http://fukka.co.uk/sa-rules/local/misc.cf) for the second 2.

XBL and spamcop (no flames please) for all, plus make sure you get your
bayes trained on this type of spam to drive the score up there, too.
Mine doesn't do so well because I haven't seen much of this spam.

C.
- --
Craig McLean        http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD4DBQFEeKisMDDagS2VwJ4RAoXKAJ96gIM5e6t2whxcVdkE6E1gDXv5IQCYxvIU
QEzXO9X18bskPa9UhTusMw==
=ZLh6
-END PGP SIGNATURE-


Re: Lots of this kind of spam getting through

2006-05-27 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Craig McLean wrote:
> 
> Razor and multi.uribl.com RBL for the first 3

Oops, and multi.surbl.org...

C.
- --
Craig McLean        http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEeKmvMDDagS2VwJ4RAvKJAKCJQ4LXrMqUiW5l0bDwqE6e2/nRUgCfVCwz
cwYRQTOZKLgw3wV+rVovDXE=
=z6f9
-END PGP SIGNATURE-


Re: SA 3.1.3 Binary RPMs for FC4?

2006-06-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

John D. Hardin wrote:
> All:
> 
> My hosted mail server is Fedora Core 4, and I'd rather not put a
> development environment on it if I can avoid doing so. Is anybody
> hosting binary RPMs for SA 3.1.x (ideally 3.1.3) for FC4?
> 

Don't know about 3.1.3, but Axel hosts 3.1.2 at atrpms.net:
http://atrpms.net/dist/fc4/spamassassin/

instructions on setting up yum to use the atrpms repo can also be found
on the site:
http://atrpms.net/install.html

C.

- --
Craig McLean        http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEiygNMDDagS2VwJ4RAns2AKDrpqtAWZPEMBBHOWH9Wl4Kqf0rAgCeKPf5
rn6LeGs9h/5m4sSCyJr3R2M=
=hsQC
-END PGP SIGNATURE-


Re: Loading Rules - Possible Memory Issue

2006-06-14 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Duane Hill wrote:
[snippage]
> I think what it boils down to is just getting carried away.
> 
> Thanks for the response. This is still relatively new with running our
> MTA on FreeBSD. It was migrated away from Windows about three weeks ago.

FWIW I have had real success using FBSD-6.0-RELEASE, SA from CPAN and
spamass-milter and sendmail from the ports collection. Just lately I've
moved away from the milter, towards a procmail-based SA setup for better
configurability. Ping me if you want more details.

C.

- --
Craig McLean        http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEkCirMDDagS2VwJ4RAgqZAKDz6HIvWmqhLE/VSk1fonA1w7RkswCgzSj+
Clsn7VfuQcWVDkgfYK6x9pw=
=RThC
-END PGP SIGNATURE-


Re: Its nice when spammers declare their intentions...

2006-06-19 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Loren Wilton wrote:
> Subject: PayPal Fraud Intention !!! Verify Account & Billing Information !!!
> From: "PayPal.inc Security Center Department " <[EMAIL PROTECTED]>
> 
> Its nice to know that they intend to defraud me.  Maybe I won't bother
> playing their game.
> 
> Loren

Heh, got this one yesterday:

From: "Lazarus Dennis" 
To: <[EMAIL PROTECTED]>
Subject: bastard

And thought, why's he calling me a bastard? Maybe he knows his crap
isn't going to get through...

C.

- --
Craig McLean        http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEloZvMDDagS2VwJ4RAo9+AKD8ukwZr6oFJlcoOa2GcWBShQxFwQCgkczn
EE/t68LA8bfo2eFwLNkjVV8=
=5DqP
-END PGP SIGNATURE-


Re: [sa-list] Re: spamd children run as root (again)

2005-08-09 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

FWIW I *don't* see this issue on FBSD 5.2.1 running SA 3.0.4 with perl 5.6.1

Craig.

Justin Mason wrote:
>
> ah, good to hear -- although it would have been nice to have had that
> noted on bug 3900, which was still listed as "awaiting confirmation"...
>
> --j.
>
> Charles Sprickman writes:
>
>>>I've seen this problem as well, even in the latest "ports" version.  Still
>>>runs as root.  If I apply the attached patch (obtained from one of the
>>>bugzilla entries), it works properly.  Running FBSD 4.11 w/perl 5.6.2
>>>(5.8.7 had the same problem, I backed out of 5.8 since it chewed up more
>>>memory than I was comfortable with).
>>>Charles
>>>On Mon, 8 Aug 2005, Dan Mahoney, System Admin wrote:
On Tue, 26 Apr 2005, Justin Mason wrote:
>It's specifically a problem with perl on *BSD platforms -- there's a
bug open about it, but it's stalled because we don't have any
developers with BSD machines ;)
Anyone want a test machine where this is occurring?  Where it DIDN'T
occur
before under 3.0.3?  Contact me offlist.
I've had a bugzilla report sitting in "NEW" status for over a month
now, I
think.  I flagged it as "security" because I a) thought maybe there
was some
priority to that and b) actually believe it to be, but nobody has done

anything with it.
http://bugzilla.spamassassin.org/show_bug.cgi?idD98
-Dan
>at least on some platforms (MacOS X) it appears perl's setuid support
substantially does not work.
>--j.
>Brandon Kuczenski writes:
>>I've seen this question posted a couple times in the mailing list
archives
>>(from October 2004) but no resolution.  The question again:
>>I'm running SpamAssassin 3.0.2 on FreeBSD 4.10 in spamc/spamd format
with
>>the '-u spamd' flag.  Problem is, all the child processes are
running as
>>root:
>>$ ps aux | grep spam
>>root  333  0.0 10.1 27636 25932  ??  I    11Apr05   1:03.83 spamd child (perl)
>>root  332  0.0 10.5 29020 27032  ??  I    11Apr05   1:07.96 spamd child (perl)
>>root  331  0.0  9.7 26544 24852  ??  I    11Apr05   0:52.68 spamd child (perl)
>>root  330  0.0  9.9 27152 25524  ??  I    11Apr05   1:04.40 spamd child (perl)
>>root  329  0.0  9.8 26864 25116  ??  I    11Apr05   0:58.08 spamd child (perl)
>>spamd 294  0.0  7.1 22392 18220  ??  Is   11Apr05   0:01.61 /usr/local/bin/spamd -d -c -u spamd -H /home/spamd -r /var/run/spamd.pid (perl)
>>$
>>Is this intended or is it a bug?  The two threads I've seen that
pertain
>>to it (both dating from Oct04) are left unresolved:
>>http://thread.gmane.org/gmane.mail.spam.spamassassin.general/57900
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/58087
The practical consequence of this (aside from the unorthodoxy --
undesired
>>processes owned by root) is that the permissions of my
>>~user/.spamassassin/bayes_journal file get changed to root:spamd
0660.
>>I wanted them to be spamd:user 0660, so that the user can run
sa-learn without asking for root's help.  Is that not the 'right
way' to
>>do things?
>>Has there been a resolution to this question?  If not, .. doesn't
everybody have this problem?  Or is it not a problem?  If not, why
not?
>>-Brandon
> Output from gpg 
298BC7D0
gpg:  There is no indication that the signature belongs to
the
>owner.
298B C7D0
--
"Don't try to out-wierd me.  I get stranger things than you free with
my
breakfast cereal."
-Button seen at I-CON XVII (and subsequently purchased)
Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
>>>--0-343817720-1123532392=:14641
>>>Content-Type: TEXT/PLAIN; charset=US-ASCII; name="spamd-euid.patch"
Content-Transfer-Encoding: BASE64
>>>Content-ID:
<[EMAIL PROTECTED]>
>>>Content-Description:
>>>Content-Disposition: attachment; filename="spamd-euid.patch"
>>>--0-343817720-1123532392=:14

Re: Ham not auto-learning?

2005-08-19 Thread Craig McLean

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Matthew Yette wrote:
| Running the sa-stats.pl version 0.9 that produces a chart with stats on
| what rules are hit for spam and ham most frequently, I notice that of
| all 13,411 autolearns performed, every one of them was for spam. Ham has
| 0 messages autolearned. Wouldn't, for example, a message that comes in
| and has been whitelisted (and therefore scoring ~ -100) be autolearned?
| My bayes thresholds are set for 12.1 (spam) and -12.0(ham).

Matthew,
If I recall correctly, bayes learning thresholds are compared against a
message score *before* whitelist adjustments are made, so unless a
message scores -12 using just the standard rules (unlikely) it will
never be learned as ham. Just set the ham threshold to 0 and you'll see
any message hitting no positive scoring tests being learned as ham.

Regards,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDBiVFMDDagS2VwJ4RAkBVAJ9IHh/KpJ3uZRG+pZYQ7Mo77cPiaQCgvEOw
F4d9wRpAt5ZHl2jHGfSE7RQ=
=cXb8
-END PGP SIGNATURE-


Re: SURBL Redirection Problem

2005-08-27 Thread Craig McLean

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

3.1.0-rc1 nailed it to the wall.

Craig.

Ilan Aisic wrote:
|
|  pts rule name              description
| ---- ---------------------- --------------------------------------------------
|  0.9 RCVD_BY_IP             Received by mail server with no name
| -6.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
| -0.0 DK_VERIFIED            Domain Keys: signature passes verification
|  0.0 DK_SIGNED              Domain Keys: message has an unverified signature
|  3.2 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
|  1.3 INFO_TLD               URI: Contains an URL in the INFO top-level domain
|  1.0 LOCAL_INFO_TLD         URI: Contains an URL in the INFO top-level domain
|  4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
|                             [URIs: moonboard.info]
|  2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
|                             [URIs: moonboard.info]
|  3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
|                             [URIs: moonboard.info]
|  3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
|                             [URIs: moonboard.info]
|  2.0 URIBL_XS_SURBL         Has URI in XS - Testing
|                             [URIs: moonboard.info]
|  4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
|                             [URIs: moonboard.info]
|  3.0 URIBL_SC2_SURBL        Has URI in SC2 at http://www.surbl.org/lists.html
|                             [URIs: moonboard.info]
|  1.7 SARE_OBFU_VISIT2       found apparent obfuscation of word used in spam
|
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEOEtMDDagS2VwJ4RAvTNAJ4j7+6v+Dj/j+JrmE7iwVC5dTLHWwCgtikJ
6x0dpPWA8KhAvFRbH/5yE3k=
=hs1n
-END PGP SIGNATURE-


Re: phish/bayes

2005-08-29 Thread Craig McLean

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

(Note: CC: changed to users@spamassassin.apache.org -
@incubator.apache.org address is deprecated).

Sander Holthaus - Orange XL wrote:
[snip]

| But couldn't some 'simple' rules fix this? One metafilter that looks for
| valid links (images, href's, email-addresses) to ebay, amazon, banks,
| etc. and another meta-rule that looks for links that point to non-ebay,
| non-amazon, non-bank links. A phisher will always need to point the
| users to a site that is under his control and it shouldn't be too hard
| to recognize this site.

I've been using the attached for a while to catch paypal phishing scams,
and am in the process of modifying it to catch ebay account scams too.

Caveat: It's never FPd for me but there is plenty of potential there.

Anyway, feel free to use/adapt/whatever to suit.
Kind Regards,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEvKjMDDagS2VwJ4RArUWAKDU1UZss3lF3joOxT+CZg1o2izfXQCglmt7
9owI38Yw6sPtLuhj9Cw/5Rs=
=W+hS
-END PGP SIGNATURE-
#
# Rules to catch PayPal phishing attempts.
#
# Checks for common paypal "update your account" phrases, or "unauthorised
# access" phrases. Confirms that the mail came from @paypal and contains 
# only paypal.com links, otherwise throws scores.
#
# Craig McLean - 2005/05/22

header __LOCAL_PP_ISFROMPP  From:addr =~ /[EMAIL PROTECTED]/i
header __LOCAL_PP_S_UPD Subject: =~ m'(?:confirm|update) (?:your|the) (?:billing)?(?:records?|information|account)'i
header __LOCAL_PP_S_AUT Subject: =~ m'unauthori[sz]ed access'i
body __LOCAL_PP_B_UPD  m'(?:confirm|updated?|verify|restore) (?:your|the) (?:account|current|billing|personal)? ?(?:records?|information|account|identity|access|data)'i
body __LOCAL_PP_B_ATT  m'one or more attempts'i
body __LOCAL_PP_B_ACT  m'unusual activity'i
uri __LOCAL_PP_PPCGIURL m'https?://www\.paypal\.com/([A-Za-z0-9-_]+/)?cgi-bin/webscr\?'i
uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!(paypal)\.com)(?:[A-Za-z0-9-_\.]+)'i

meta LOCAL_PP_UPD_BADURL (__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) || __LOCAL_PP_PPCGIURL) && __LOCAL_PP_NONPPURL)
meta LOCAL_PP_UPD_BADADDR (!__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) && __LOCAL_PP_PPCGIURL))

describe LOCAL_PP_UPD_BADURL paypal/ebay account update, but has bad URL
describe LOCAL_PP_UPD_BADADDR paypal/ebay account update, but from bad email

score LOCAL_PP_UPD_BADURL 4
score LOCAL_PP_UPD_BADADDR 4
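
To check which links the two `uri` patterns above count as PayPal and which as foreign, the following added example (not part of the posted attachment) runs them in Python over constructed URLs and compares the result with a check on the parsed hostname. The function names, the `foreign` hook and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# The two uri patterns from the rules above, transcribed unchanged.
PPCGIURL = re.compile(
    r"https?://www\.paypal\.com/([A-Za-z0-9-_]+/)?cgi-bin/webscr\?", re.I)
NONPPURL = re.compile(
    r"https?://(?:[A-Za-z0-9-_]+)\.(?!(paypal)\.com)(?:[A-Za-z0-9-_\.]+)", re.I)


def regex_view(url):
    """(matches the PayPal CGI pattern, matches the non-PayPal pattern)."""
    return bool(PPCGIURL.search(url)), bool(NONPPURL.search(url))


def host_is_paypal(url, trusted=("paypal.com",)):
    """Parse the URL and accept only the trusted domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def meta_hits(from_paypal, phrase_hit, urls, foreign=None):
    """Evaluate the two meta rules; `foreign` swaps in another non-PayPal test."""
    foreign = foreign or (lambda u: bool(NONPPURL.search(u)))
    cgi = any(PPCGIURL.search(u) for u in urls)
    non_pp = any(foreign(u) for u in urls)
    hits = []
    if from_paypal and (phrase_hit or cgi) and non_pp:
        hits.append("LOCAL_PP_UPD_BADURL")
    if not from_paypal and phrase_hit and cgi:
        hits.append("LOCAL_PP_UPD_BADADDR")
    return hits


def disagreements(urls):
    """URLs where the NONPPURL pattern and the parsed-host check differ."""
    out = []
    for u in urls:
        regex_foreign = regex_view(u)[1]
        parsed_foreign = not host_is_paypal(u)
        if regex_foreign != parsed_foreign:
            out.append((u, regex_foreign, parsed_foreign))
    return out


# Constructed test URLs (example.net is a reserved documentation domain).
SAMPLES = [
    "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
    "https://paypal.com/",
    "http://example.net/paypal/login",
    "http://www.paypal.com.example.net/cgi-bin/webscr?cmd=_login-run",
]

if __name__ == "__main__":
    for url, by_regex, by_host in disagreements(SAMPLES):
        print(f"{url}\n  pattern: foreign={by_regex}  parsed host: foreign={by_host}")
    claimed = dict(from_paypal=True, phrase_hit=True, urls=[SAMPLES[3]])
    print("as written:", meta_hits(**claimed))
    print("host check:", meta_hits(**claimed, foreign=lambda u: not host_is_paypal(u)))
```

The two disagreements are the cases to cover when adapting the rules: the bare `paypal.com` host counts as foreign (a false-positive source), and a host that only begins with `www.paypal.com` is not counted as foreign because the lookahead is not anchored to the end of the hostname.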


Re: SURBL Redirection Problem

2005-08-29 Thread Craig McLean

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daryl C. W. O'Shea wrote:
| Craig McLean wrote:
|
|> -BEGIN PGP SIGNED MESSAGE-
|> Hash: SHA1
|>
|> 3.1.0-rc1 nailed it to the wall.
|>
|> Craig.
| <...>
|> domain
|> |  4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
|> blocklist
|> | [URIs: moonboard.info]
|
| Did you detect that with a redirector_pattern?  I don't see that
| detected with a stock 3.1.0-rc1 here (no hint of it when SA is run with
| -Duri).

This is stock 3.1.0-rc1 with some of the SARE rulesets. If you let me
have the original message you got (munged headers if necessary) I'll try
running the whole thing through, see what hits.

Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEvQiMDDagS2VwJ4RAjcTAKCkSBWvq48UJFbeUFI91T0ViUPvDwCfSWLT
M3yHQKY/7aLNhTYtIKyjN/M=
=AbUr
-END PGP SIGNATURE-


Re: Help with Spam Assassin/MIMEDefang

2005-09-08 Thread Craig McLean

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Nels Lindquist wrote:

| Looks like you're missing IO-stringy and
| MIME-tools, at a minimum.
|
| If you don't like the CPAN route, I believe all the perl modules
| required by MIMEDefang are available as RPMs from Dag Wieers' yum
| repository.

Out of interest, IO-stringy and MIME-Tools are both in the FC4 extras repo.

Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDIK+dMDDagS2VwJ4RAnB1AJ99vDA9dFpKMFCtgsrzKHFKbQzRrACgnV6S
zeXobO1nxd1u1BCOaSgSpR8=
=2Sto
-END PGP SIGNATURE-


Re: sa-learn

2005-10-17 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

M.Lewis wrote:
>
> Is there a best practices recommendation for how often to run sa-learn ?

In addition to all the good responses you've had I would add that if you
keep the spam after learning, as I do (in case the bayes DB gets killed)
then it can sometimes take a while for sa-learn to finish, even though
it will skip messages it has already seen.
I learn from 5 mailboxes (ham and spam) and recently hit a problem where
one sa-learn had not finished by the time the next one started, and
failed because the DB (using file-based db) was locked.

Long story short, if you want to run multiple sa-learn's from cron,
space them out by an hour or so... D'oh!
Perhaps one day I'll get around to putting a feature request into
bugzilla to ask for sa-learn to check for already running instances and
wait for them to finish. I'd love to write it, but unless you want it in
ksh

C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD4DBQFDU/KVMDDagS2VwJ4RAolZAJif6CSxo/B1BA05aAP87QRjRSRBAJ0YSgpP
XwdE0aELWqspp2elhCdqeg==
=H1VU
-END PGP SIGNATURE-
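
One way to get the "wait for the running instance to finish" behaviour described in the message above is a small cron wrapper that takes an exclusive lock before each sa-learn run. This is an added example, not sa-learn's own behaviour or code from the thread; the lock file location and mailbox paths are assumptions.

```python
import fcntl
import os
import subprocess
import time

# Assumed locations: the lock file path and mailbox names are placeholders.
LOCK_PATH = os.path.expanduser("~/.spamassassin/sa-learn.lock")
JOBS = [("--spam", "~/mail/spam"), ("--ham", "~/mail/ham")]


def run_serialized(cmd, lock_path, wait_seconds=3600, poll=5.0):
    """Run cmd while holding an exclusive lock on lock_path.

    Waits up to wait_seconds for an earlier holder to finish. Returns the
    command's exit status, or None if the lock never became free.
    """
    deadline = time.monotonic() + wait_seconds
    with open(lock_path, "a") as lock_file:
        while True:
            try:
                # Non-blocking attempt so the wait can be bounded by a deadline.
                fcntl.flock(lock_file, fcntl.LOCK_EX | fcntl.LOCK_NB)
                break
            except BlockingIOError:
                if time.monotonic() >= deadline:
                    return None
                time.sleep(poll)
        try:
            return subprocess.run(cmd, check=False).returncode
        finally:
            fcntl.flock(lock_file, fcntl.LOCK_UN)


def learn_all(jobs, lock_path, **lock_opts):
    """Run one sa-learn per (class flag, mbox path); stop if the lock never frees."""
    results = {}
    for flag, mbox in jobs:
        path = os.path.expanduser(mbox)
        status = run_serialized(["sa-learn", flag, "--mbox", path],
                                lock_path, **lock_opts)
        results[path] = status
        if status is None:
            break
    return results


if __name__ == "__main__":
    for path, status in learn_all(JOBS, LOCK_PATH).items():
        print(path, "skipped: lock busy" if status is None else f"exit {status}")
```

The lock only serializes runs started through this wrapper; anything else that writes to the Bayes database is outside it.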


Re: OK guys - why did this one get through.

2005-11-01 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

jdow wrote:

[Headers snipped]

I've been using the rules below to catch the paypal phishing mails I
get. I know they don't counter the header issues you are seeing, but I'd
be interested to know if they hit on the full message. If not, I'd
appreciate a zipped copy of the original with anything sensitive removed...

http://fukka.co.uk/sa-rules/local/paypal_rules.cf

C.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDZ7bKMDDagS2VwJ4RAgmGAKCoROMXRo9QTfyoj/2k7/WlEDtSZwCfXhnc
2fQtJWmYtyJVMYRg8jgmpes=
=8qsY
-END PGP SIGNATURE-


Re: Can't locate object method "check_hostname"

2005-11-06 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Philipp Snizek wrote:
> Hi
> 
> when starting SA 3.1.0 I'm getting this in my logs:
[snip]
> Nov  6 14:46:53 mail spamd[20449]: rules: failed to run
> INVALID_HOSTNAME test, skipping:
> Nov  6 14:46:53 mail spamd[20449]: _(Can't locate object method
> "check_hostname" via package "Mail::SpamAssassin::PerMsgStatus
> " at /usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/PerMsgStatus.pm
> line 2581,  line 45.

I can't find that rule in my SA 3.1.0 setup, perhaps it's left over from
an old install? Check the usual suspects in
/usr[/local]/share/spamassassin, /etc/mail/spamassassin &c.

C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDbnGOMDDagS2VwJ4RAo8EAKDWs/4j9VmdUe1utVWn3h6X94ZESgCgtELr
RatO6P7HgBCk3PaT0qomLl4=
=6QBE
-END PGP SIGNATURE-


Re: Typical settings for bayes_ignore_header?

2005-11-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[EMAIL PROTECTED] wrote:

> I'm pretty sure my Bayes database is muntered

Although I can't help with your problem, I *have* just found my new
"word for the week". And for that, I thank you.

C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDc1YLMDDagS2VwJ4RAhbFAJwOL+lgJzXWqLwIWRbsfA731SUqgACeLOp3
RcG227Si/boF2EZlITD+3Lo=
=q8LL
-END PGP SIGNATURE-


Re: Blocking on tld and/or HELO with own domain

2005-11-13 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Andy Pieters wrote:
> Hi list
> 
> We have been receiving a lot of spam from the .jp tld lately.  What's more is 
> this:
[snip]
[Saw this on the fedora list..]

Andy,

As mentioned on the Fedora list, if you want to block by "fake" HELO at
the MTA level, you can do so using the sendmail m4 hack at
http://www.cs.niu.edu/~rickert/cf/hack/block_bad_helo.m4
You should be aware that anything which refuses "incorrect" HELOs in
this way breaks a few best-practice rules and at least one RFC (2821)
and is, as the name suggests, a hack. See
http://www.cs.niu.edu/~rickert/cf/bad-ehlo.html for caveats!

First make copies of your current sendmail.(cf|mc) and submit.(cf|mc),
just in case.
Drop the m4 file from the link above into /usr/share/sendmail-cf/hack/
and include it into /etc/mail/sendmail.mc (like the cf.m4 file is..). Do
your "make sendmail.cf" and restart sendmail.

You can also do this with MimeDefang, as suggested by Alexander Dalloz
in http://www.redhat.com/archives/fedora-list/2005-November/msg02176.html

Or you can do it with postfix, as suggested by Andy Green in
http://www.redhat.com/archives/fedora-list/2005-November/msg02179.html

Also, assuming you are using Fedora on a box with 24/7 connection, you
might consider commenting out the accept_unresolvable_domains feature,
and changing the confPRIVACY_FLAGS to something more restrictive, like
`goaway,nobodyreturn,needmailhelo'.

C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDd7jTMDDagS2VwJ4RAkxxAJ9giqbqmU+OOmgxjvOoP0YcA2C+OQCfVvbo
Ku6+O9I3IyKJtrH5IQzzcBw=
=x5dS
-END PGP SIGNATURE-


Re: Blocking on tld and/or HELO with own domain

2005-11-13 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Andy Pieters wrote:
> On Sunday 13 November 2005 23:06, Craig McLean wrote:
>> Andy Pieters wrote:
>>> Hi list
>>>
>>> We have been receiving a lot of spam from the .jp tld lately.  What's
>>> more is this:
>> [snip]
>> [Saw this on the fedora list..]
> 
> Correct, and the list also suggested to post on spamassassin...

Yep, that was me ;-)
This is a list for users and admins of SA, about configuring and
rule-writing and so-on.


[snip]

>> http://www.cs.niu.edu/~rickert/cf/bad-ehlo.html for caveats!
> 
> I tried that, I appended the m4 file to the sendmail.mc file and then did a 
> Make -C /etc/mail and service mail restart but after that sendmail doesn't 
> even start.

Ok, well if you read my last message, I've indicated a better way than
appending the whole thing in. Just include it using a line like:

include(`/usr/share/sendmail-cf/hack/block_bad_helo.m4')dnl

to your sendmail.mc, do a "make sendmail.cf" and then "service sendmail
restart".

> 
> The instructions are a bit vague as well, I want to specify that 127.0.0.1 is 
> allowed to forward (duh!) and 81.220.168.250 as well.  Furthermore I want 
> that if someone claims to be vlaamse-kern.com it gets rejected.

Don't worry about that, as long as 81.220.168.250 HELOs as a valid (i.e.
with a "." in it) hostname that's not vlaamse-kern.com then you'll be
fine. Localhost mail is allowed.

> Furthermore I lost the sendmail.mc file because I thought vi made a backup 
> copy but apparently it didn't and I deleted the sendmail.mc.

I'll forward mine to you.

> postfix is a replacement for sendmail?

Yep. http://www.postfix.org/

>> Also, assuming you are using Fedora on a box with 24/7 connection, you
>> might consider commenting out the accept_unresolvable_domains feature,
>> and changing the confPRIVACY_FLAGS to something more restrictive, like
>> `goaway,nobodyreturn,needmailhelo'.
>>
> Could you explain what this means please?

You'll have a line like:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
in sendmail.mc. Consider changing it to
define(`confPRIVACY_FLAGS',`goaway,nobodyreturn,needmailhelo,restrictqrun')dnl

'goaway' means that sendmail will give almost no help to the remote
system when it connects (it shouldn't need *any* help) and is a "catch
all" for a bunch of other rules (at least on bsd). 'nobodyreturn' won't
return the body of a message if it is bounced, 'needmailhelo' requires
that a HELO is received before mail can be sent, and 'restrictqrun' will
only allow root to run the mail queue manually.

If you want to have a chat about this (sendmail, that is) in more
detail, we might want to take it off-list.

C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDd8u5MDDagS2VwJ4RAsP1AKDwqVFPeV/DFZSR/IkNrOBF2tktjwCg5OE7
XeM/Uu6CK4UqTpnZdFHIPVk=
=mBgT
-END PGP SIGNATURE-


Re: Blocking on tld and/or HELO with own domain

2005-11-14 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Kenneth Porter wrote:
> --On Sunday, November 13, 2005 11:26 PM +0000 Craig McLean
> <[EMAIL PROTECTED]> wrote:
> 
>> Ok, well if you read my last message, I've indicated a better way than
>> appending the whole thing in. Just include it using a line like:
>>
>> include(`/usr/share/sendmail-cf/hack/block_bad_helo.m4')dnl
>>
>> to your sendmail.mc, do a "make sendmail.cf" and then "service sendmail
>> restart".
> 
> I think you can replace that with:
> 
> HACK(block_bad_helo)dnl
> 
> See the macro definitions in cfhead.m4. HACK is essentially the same as
> FEATURE, except that it looks in the hack directory and doesn't check
> that a mailer is defined first.
> 

That's what I like about Unix/Linux, you learn something new every day ;-)

C.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDeMDlMDDagS2VwJ4RAswwAKDuxbK1QGGPcbcYI/CyIy8XI7P09wCg2dlU
9+SYWVvtmCN6QjMWlBtfO48=
=rBKv
-END PGP SIGNATURE-


Re: SA Errors on --lint run

2005-11-14 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Tracey Gates wrote:
> I'm trying to run it as user root but I'm still getting these error
> messages:
> 
> 
> [EMAIL PROTECTED] mail]# /usr/local/sbin/rules_du_jour
> mkdir: cannot create directory `/etc/mail/spamassasin/RulesDuJour': No
> such file or directory
[snip]

Do you actually *have* an /etc/mail/spamassassin directory? This error
is commonly seen when creating a directory /a/b/c/d when the directory
/a/b/c does not exist.
If you are storing your local rules somewhere other than
/etc/mail/spamassassin, you should make the relevant change in
/etc/rulesdujour/config

C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDeP4fMDDagS2VwJ4RAhOOAKCeIw28G+6p22+w2CirDKEhShew0wCfZwrO
nuzZr8Ff6TPSG+oeJNCzfvY=
=OpYd
-END PGP SIGNATURE-


Re: [Fwd: Re: uol.com.br]

2005-11-17 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

jdow wrote:
> 
> procmail:
> :0:
> # was from one specific person
> * ^From: AntiSpam UOL <[EMAIL PROTECTED]>
> /dev/null
> 
> ...
> # I just got pissed.
> :0:
> * ^From: .*uol.com.br
> $HOME/mail/uol_crap

Or (assuming you are your own MX) /etc/mail/access:
uol.com.br  550 Fix your POS greylisting

> 
> 
> These bozoids are executing a minor DOS attack of these confirm emails.
> I sent 6. I have received at LEAST 36 challenge/response messages from
> the [EMAIL PROTECTED](((@)(*#$)(& . They are GONE from my Internet 
> universe.

Hear, hear.

C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDfGuVMDDagS2VwJ4RAhnEAKDikHf5lVxnzw/6Vv2LAbCj5X2T1ACfXSiN
yOLZpZ+i3/qHIAkpmQZYn+o=
=nMYa
-END PGP SIGNATURE-


Re: Spam not getting tagged as Spam

2005-11-27 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Theo Van Dinter wrote:
[snip]
> Bayes is good at catching words which are spam/ham for you, make sure to
> learn those mails.  SA will work better for people who tune it to the
> mail they receive though -- add your own rules for words and phrases
> you consider spam, generate your own scoreset from your own corpus, etc.
> 

As if to reinforce Theo's comments..
By coincidence, last night I ran my monthly sa-stats for all the mail
here since May. There are only 2 accounts on this system (me and the
wife), but below is an indicator of just how right Theo is...

Figures from 8231 spam and 29181 ham messages:

Bayes:
BAYES_99 gives me 4.0 (not default) and BAYES_00 gives me -2.599. I
*love* bayes.
RULE NAME                 COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
BAYES_99                   7636      7.17    20.41    92.77    0.40
BAYES_00                  23435     26.79    62.64     0.41   80.31

Local rules for spammy words (not huge hitters, but relevant):
RULE NAME                 COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
LOCAL_419_ACCOUNT          1094      1.03     2.92    13.29    0.09
LOCAL_NEXT_OF_KIN           856      0.80     2.29    10.40    0.01
LOCAL_419_BENEFICIARY       734      0.69     1.96     8.92    0.00
LOCAL_LOT_APPROVED          672      0.63     1.80     8.16    0.00

Tuning your scoreset from real mail:
HTML_MESSAGE scores at 0.001, which is good because it hits 10% of my ham...
HTML_MESSAGE               3094      2.91     8.27    37.59    9.47

FORGED_RCVD_HELO scores at 0.135 in the current mode. Again, lucky it's low:
FORGED_RCVD_HELO           1829      1.72     4.89    22.22    8.62

Next time you see a thread about the spamcop.net blacklist hitting too
much ham (scoring 1.332/1.558):
RCVD_IN_BL_SPAMCOP_NET     4145      3.89    11.08    50.36    1.05

And a justification (perhaps) for having a "proper" name set up in your
mail client (many of the ham hits are from fedora-users and
spamassassin-users):
NO_REAL_NAME               1251      1.43     3.34    15.89    4.29

Anyway, Just some data to back up the rhetoric ;-)

Cheers!
C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDiafhMDDagS2VwJ4RAkHlAKDjqaQb3LwXzxTm9UnmkxkhIay6SACg8ZAZ
5IKFsqgjdOTgHUWUL/I1/OU=
=vE2o
-END PGP SIGNATURE-


A thought about phone numbers and URIBLs

2005-12-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hey folks, I was having a thought about phone numbers in spam messages,
and the old brain pinged an idea at me. I'd really appreciate any feedback!

It occurred to me that I get a fair amount of spam which includes
phone/fax numbers. It also occurred to me that given a string like
"Number:+447031916662" (from real spam), then we could strip out the
phone number and do a lookup thus:

mail# host 447031916662.evilnumbers
447031916662.evilnumbers has address 127.0.0.2

(real dns lookup to a specially created "evilnumbers" zone)
And hey presto, it would work just like a URIBL would.

I'm no perl hacker, so what are the odds the current URIDNSBL code could
be re-used to perform this? Would any of the SURBL guys be interested in
hosting the back-end if it's worth doing?

Comments welcomed. Thanks for your time!

C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDmykyMDDagS2VwJ4RAhHZAJ95zuQwJJwd5CsIovQ68tlSVOTaIQCePaDg
6CdQ749VZ5mmK88c6f9RNMc=
=PjtL
-END PGP SIGNATURE-


Re: A thought about phone numbers and URIBLs

2005-12-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

List Mail User wrote:
>> Hey folks, I was having a thought about phone numbers in spam messages,
>> and the old brain pinged an idea at me. I'd really appreciate any feedback!
>>
>> It occurred to me that I get a fair amount of spam which includes
>> phone/fax numbers. It also occurred to me that given a string like
>> "Number:+447031916662" (from real spam), then we could strip out the
>> phone number and do a lookup thus:
>>
>> mail# host 447031916662.evilnumbers
>> 447031916662.evilnumbers has address 127.0.0.2
>>
>> (real dns lookup to a specially created "evilnumbers" zone)
>> And hey presto, it would work just like a URIBL would.
[snip]
>> Comments welcomed. Thanks for your time!
>>
>> C.
>> ...
> 
>   Often these numbers are as disposable as the domains.  This
> number is a British telephone number possibly "ported" to a cell phone.
> The original allocation was:
[snip]

>   I usually only see telephone/fax numbers in 419s, but everyone
> gets a different set of spam.
> 
>   Paul Shupak
>   [EMAIL PROTECTED]

As you rightly say, these numbers are as disposable as the domains, but
we still track the domains via BLs so it's surely possible to do the
same for phone numbers?
If nothing else, they are fingerprints which can be used to identify
potential spam. The big question is "is it worth the effort?", because I
can't write this code, only suggest it ;-)

I also got a very interesting off-list response with some cool ideas
about using a "reverse lookup" style of approach which would allow for
granularity like:
2.6.6.6.1.9.1.3.0.7.4.4.example.com
A 127.0.0.2
TXT "[used in spam: ]"

but also:
9.1.3.0.7.4.4.example.com
TXT "c=GB/o=Magrathea/mobile,personal,pn2"

down to:
4.4.example.com
TXT "c=GB/IDD"

Thanks for the feedback!
C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDm0igMDDagS2VwJ4RAqX4AJ0fq6/713hD+HPNvBgU2ffmz0csBgCgkLJM
x+lI+BTFNgAvn9hmlhWbgyU=
=8nqK
-END PGP SIGNATURE-
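
The reversed-digit lookup described in the message above, as an added example (not code from the thread or from SpamAssassin): it pulls `+`-prefixed numbers out of a message body and checks each one, and each of its prefixes, against an in-memory stand-in for the zone. The sample body, the second phone number, the function names and the dictionary resolver are constructed for illustration; `example.com` and the three records are the ones sketched in the message.

```python
import re

ZONE = "example.com"  # placeholder zone name, as used in the message above

# Constructed zone contents mirroring the three records sketched in the message.
RECORDS = {
    "2.6.6.6.1.9.1.3.0.7.4.4.example.com": {"A": "127.0.0.2",
                                            "TXT": "[used in spam: ]"},
    "9.1.3.0.7.4.4.example.com": {"TXT": "c=GB/o=Magrathea/mobile,personal,pn2"},
    "4.4.example.com": {"TXT": "c=GB/IDD"},
}

# "+" followed by 7 to 15 digits, allowing spaces, dots, dashes and brackets
# between them. The lookahead rejects digit runs longer than 15.
PHONE_RE = re.compile(r"\+(?:[\s().-]*\d){7,15}(?!\d)")

# Constructed message body; the first number is the one quoted in the thread.
SAMPLE_BODY = (
    "Contact our agent. Number:+447031916662 or fax +44 (1632) 960-123 today.\n"
    "Ref 1234567890123456. Call Number:+447031916662 again if no reply.\n"
)


def extract_numbers(body):
    """Return the distinct international numbers in body as digit strings."""
    seen = []
    for match in PHONE_RE.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if digits not in seen:
            seen.append(digits)
    return seen


def query_names(digits, zone=ZONE):
    """Reversed-digit names: the full number first, then each shorter prefix."""
    return [".".join(reversed(digits[:k])) + "." + zone
            for k in range(len(digits), 0, -1)]


def dict_resolver(name):
    """Offline stand-in for a DNS query against the blocklist zone."""
    return RECORDS.get(name)


def check_number(digits, resolver=dict_resolver, zone=ZONE):
    """Return (listed, annotations) for one number.

    listed is True only when the full number has an A record. TXT records
    found at the number or at any of its prefixes come back as annotations,
    most specific first.
    """
    listed = False
    annotations = []
    for i, name in enumerate(query_names(digits, zone)):
        rec = resolver(name)
        if rec is None:
            continue
        if i == 0 and "A" in rec:
            listed = True
        if "TXT" in rec:
            annotations.append((name, rec["TXT"]))
    return listed, annotations


def scan(body, resolver=dict_resolver):
    """Check every number found in body; returns {digits: (listed, notes)}."""
    return {n: check_number(n, resolver) for n in extract_numbers(body)}


if __name__ == "__main__":
    for number, (listed, notes) in scan(SAMPLE_BODY).items():
        print(number, "LISTED" if listed else "not listed")
        for name, txt in notes:
            print("   ", name, txt)
```

Walking every prefix costs one query per digit; a deployed zone would more likely publish metadata at a few fixed prefix lengths and query only those.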


Re: 3.1 on cpan

2005-12-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

jdow wrote:
>> On Sat, Dec 10, 2005 at 12:07:05PM -0800, JP Kelly wrote:
>>> is SA 3.1 available through cpan yet?
>>> If not will it be?
>>
>> Has been since September:
>>
>> http://cpan.org/modules/by-module/Mail/Mail-SpamAssassin-3.1.0.tar.gz
> 
> Speaking of which is there a way to load a specific version using CPAN
> rather than getting the very latest?
> 
> {^_^}
> 
You need the full path. In the CPAN shell, try:
"i /SpamAssassin/"
check the items listed under "Distribution" at the top, note the full
path in the second column.

then:
"install J/JM/JMASON/Mail-SpamAssassin-3.0.2.tar.gz"
or whatever.

Regards,
C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDm2sKMDDagS2VwJ4RAhxdAJ0Z9VG2Sfxv+wd3T3bmZ7LiSkxDagCfZQRV
6Uegk+BRYECmF82LZcc/8Cw=
=esgW
-END PGP SIGNATURE-


Re: A thought about phone numbers and URIBLs

2005-12-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dallas L. Engelken wrote:
[snip OP]
> We had this discussion at uribl.com - RE: phone number/email address
> contacts zone... for those spams that try and have you contact them
> without using uris.   We just never took any action on it, because it
> would take a lot of manual feeding of the zone file.  

I'm chatting off list with someone who might be able to help there. Let
us have a think.

> If it were a bigger problem, we may take action, but most hardcore
> spammers don't want anything to do with land line. 

Sure, but the phishers, 419ers and cash-handlers often do. 38 of the 257
spams in this month's corpus (to date) here have a phone number in them,
which is about 30%. Being able to track numbers like this will greatly
reduce the lifetime of these numbers, and they are not all free. Think,
pay-as-you-go SIMs, voicemail boxes, and so on.
Anything which makes spammers' lives more complex/expensive/painful can't
be bad.
Also if we could, say, score +5 if a mail has a Nigerian phone number in
it, and +3 for Holland, and +7 for "free" voicemailboxes, -3 for real
landlines and, well, you see where I'm going with this...

> Now email address
> contacts may be another story, where they could then set up an
> autoresponse system to feed their message back to the people who
> actually email the contact address.

Email addresses are far more throwaway than phone numbers, but your
point is well taken. I assume from your comments that email addresses in
the body of messages do not currently get looked at?

Thanks!
C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDm3YTMDDagS2VwJ4RAhfsAJwKw1+GMAeG/rAOze8U3DhUTOp8PwCg/KRF
zzH1Z1tmN9SSc0UOgz266TU=
=r+1e
-END PGP SIGNATURE-


Re: A thought about phone numbers and URIBLs

2005-12-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I was bored, so I knocked together rules for every international dialing
code. They are first-pass, very rough but (with the exception of the USA
and Canada rules hitting some dodgy message-id's) have a 100% accuracy
rate against my corpus. They might make a useful building block for
others...

Note that this means they seem to hit where they should, so LOCAL_P_USA
should hit any USA number formed +1\d{4,10} (so will LOCAL_P_CANADA),
LOCAL_P_DOMINICAN_REPUBLIC should hit anything +1809\d{3,10} and so on...

The rules are a bit big to post to the list, so if anyone wants them,
they're at http://fukka.co.uk/sa-rules/local/phone_rules.cf

C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDm5XQMDDagS2VwJ4RAiZBAKDOaLU8QycgP1QeKERsuO++KHkWdgCfTeXa
UG7A0PqRdl5mVxQOvXnqDeI=
=5SY6
-END PGP SIGNATURE-


Re: I'm afraid I might have to report this list as a spam source

2005-12-23 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Kai Schaetzl wrote:
> You are all speculating. No one knows why or if the original poster can't 
> unsubscribe.

I'll agree with that, to a point.

> And, frankly, it was the first posting of this kind I've ever 
> seen. It's not a problem at all.
> 

I'll disagree with you here, I have had to contact the list-owner to get
a dynamic address unsubscribed because when I tried the normal channels
everything got bounced.
Maybe this guy is just the first to complain out loud?

Anyway, I'll second (third?) Jim Nasby's comments that:

"It's surprising to me that the SA lists aren't just run through SA.
Spam making it past that is a good indication of where SA could be
improved after all."

C.


- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDrB+nMDDagS2VwJ4RAr3EAJ9cvML0MGnq6cYMHYn+TFETxWREowCfUCRL
mmY3RsZCaMJVWmog7WPMot8=
=Xjch
-END PGP SIGNATURE-


Re: I'm afraid I might have to report this list as a spam source

2005-12-23 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Martin Hepworth wrote:
> 
> 
>> -Original Message-----
>> From: Craig McLean [mailto:[EMAIL PROTECTED]
>> Sent: 23 December 2005 16:03
>> To: users@spamassassin.apache.org
>> Subject: Re: I'm afraid I might have to report this list as a spam source
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Kai Schaetzl wrote:
>>> You are all speculating. No one knows why or if the original poster
>> can't
>>> unsubscribe.
>> I'll agree with that, to a point.
>>
>>> And, frankly, it was the first posting of this kind I've ever
>>> seen. It's not a problem at all.
>>>
>> I'll disagree with you here, I have had to contact the list-owner to get
>> a dynamic address unsubscribed because when I tried the normal channels
>> everything got bounced.
>> Maybe this guy is just the first to complain out loud?
>>
>> Anyway, I'll second (third?) Jim Nasby's comments that:
>>
>> "It's surprising to me that the SA lists aren't just run through SA.
>> Spam making it past that is a good indication of where SA could be
>> improved after all."
>>
>> C.
>>
> 
> But of course when people drop examples etc it'll get blocked. I have the SA
> list whitelisted otherwise it's FP all over the place.

As is the oft-repeated mantra of this list:

"SA doesn't block mail, it scores it."

C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDrCVHMDDagS2VwJ4RAsDdAKD0rVshgzsCE1xzBlPpE9eSux7q+QCfbxJ3
XtA0kFwc1ZBBMaxNuEDAxXQ=
=bu5v
-END PGP SIGNATURE-


Re: I'm afraid I might have to report this list as a spam source

2005-12-25 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Kai Schaetzl wrote:
> Craig McLean wrote on Fri, 23 Dec 2005 16:02:47 +:
> 
>> I'll disagree with you here, I have had to contact the list-owner to get 
>> a dynamic address unsubscribed 
> 
> You mean an address for which you sent email from dynamic IP space? 
> Honestly, and not meant to be offensive, but if you do that that's your 
> problem you should know better. I don't accept such mail either. And don't 
> tell me you cannot send mail another way.

You're missing the point. I *subscribed* with a dyndns-style address in
a dynamic space, then couldn't *unsubscribe* it because the list bounced
everything. This was even when using my ISP's SMTP relay smarthost-style.
I'm still posting from the same IP range, but using a "real" domainname,
and never seem to have a problem hitting the list, but the list
management addresses may be a different matter.

C.
- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDrqPxMDDagS2VwJ4RAnS4AKDXkh1Gb86tKs/7/uTaIxwM5uiiXACgoru+
W95JsHh1QSu6ixEVRn07814=
=jCh+
-END PGP SIGNATURE-


Re: I'm afraid I might have to report this list as a spam source

2005-12-27 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Kai Schaetzl wrote:
> Craig McLean wrote on Sun, 25 Dec 2005 13:51:46 +:
> 
>> I *subscribed* with a dyndns-style address in 
>> a dynamic space, then couldn't *unsubscribe* it because the list bounced 
>> everything. This was even when using my ISP's SMTP relay smarthost-style.
> 
> I don't know what a "dyndns-style address" is.

e.g. [EMAIL PROTECTED]
craig.dnsalias.com is a dynamic DNS domain provided by dyndns.com.
It's specifically designed for people who want to have a domain-name,
but have dynamic IP addresses. It generally gives very short leases, and
uses a client daemon to update your entry in the zone.
In my case, my IP is supposedly dynamic, in that it's in a dynamic
range, but in reality hasn't changed in over a year. That's why I got
fukka.co.uk and just pointed it at this year-old IP lease.

> An RBL will include IP numbers not email addresses.

Yep. I was aware of that.

> If your mail is bounced even when sending over 
> a smarthost then something may be broken. What *is* the reason given in the 
> bounced message?

No idea, it was months ago and the mails have been removed. I remember
them not giving any useful information other than something curt about
dialup addresses and being, if I recall, from an unexpected (to me at
least) address in Scandinavia.

C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDsZY7MDDagS2VwJ4RAmOyAKDxahZ1bfsRsu4mmUVOFYPu+yh+hQCfda3N
Nwpp5PhP0ryqicMB5lMa2m4=
=+uzO
-END PGP SIGNATURE-


Re: List of subjects of most common spams?

2005-12-30 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

alex wrote:
> Sometimes simple is good, I've found when the message is
> from x-mailer=thebat or squirrelmail for example it is
> probably spam.
> 

Just FYI, if you tried that here you'd hit 4 spam (from corpus of 1350)
and 8 ham (from 4936) for squirrelmail and 6 spam/51 ham for thebat.

Kind Regards,
C.
- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDtdm+MDDagS2VwJ4RAmwZAJwLSRvzVy0MoPDSl1ImE0V1ICyDWQCdGx6a
iHZ8OOWTAO8BX0Qqs36WLwE=
=Ug/t
-END PGP SIGNATURE-


Re: correct way of whitelisting mailing lists

2006-01-04 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Leonardo Rodrigues Magalhães wrote:
> 
>Hello Guys,
> 
>I had some problems this morning trying to whitelist some mailing
> lists (ML) on my SpamAssassin 3.1.0 installation, including this SA ML:)
> 
[snip]
>I would like to know if there's an easier way to whitelist ML that
> keeps the original sender address as From address of the messages, just
> like this ML ..

Try using whitelist_to instead of whitelist_from(_rcvd)?
Personally I have:

whitelist_to users@spamassassin.apache.org
bayes_ignore_to users@spamassassin.apache.org

in local.cf.

C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDvBHJMDDagS2VwJ4RAl5QAKDF5B/ud0AASnhVqJCX8gBnxc+aOQCePwMC
Q6ZUt5W3jeAkm5Sv4PshGhI=
=mR5g
-END PGP SIGNATURE-


FUZZY_MORTGAGE misfire.

2006-01-06 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dear list,
The attached message was nailed to the tune of 3.7 points by
FUZZY_MORTGAGE. Unfortunately it's a legit opt-in mailing, and appears
to have triggered the rule because a URL containing the word "mortgage"
got split across lines 269/270 (correct me if I'm wrong).

Is this expected behaviour? It seems a little extreme?

I can easily lower the score locally, and with a little better bayes
training we would never have hit the threshold, but thoughts and
comments would be appreciated.

Thanks in advance,
C.
- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDvxS3MDDagS2VwJ4RAj25AKCkXLJYhcov5sJzsHgWlWsLDXdfuQCfRwv0
p+vFUn0JDQEi5mo8nYfTiHU=
=6rLK
-END PGP SIGNATURE-
--- Begin Message ---
Spam detection software, running on the system "mail.vega", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  If you can't read this email or you would like to see
  previous issues go to http://homes-on-line.com/update To stop receiving
  these mailings go to
  http://homes-on-line.com/update/[EMAIL PROTECTED]
  [...] 

Content analysis details:   (8.7 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 ADDRESS_IN_SUBJECT     To: address appears in Subject
 0.1 TW_AQ                  BODY: Odd Letter Triples with AQ
 3.7 FUZZY_MORTGAGE         BODY: Attempt to obfuscate words in spam
 0.3 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
 0.1 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9981]

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

--- Begin Message ---
Title: [EMAIL PROTECTED]

If you can't read this email or you would like to see
previous issues go to http://homes-on-line.com/update
To stop receiving these mailings go to http://homes-on-line.com/update/[EMAIL PROTECTED]

Sponsored by The Money Centre Buy-to-Let mortgages from 3.49%
fixed for one year Click here

Issue 0268, 04 January 2005. 393,273 subscribers

UK Property Search
How much is my house worth ?
Sell my house
Conveyancing
Mortgages, Including CCJ, arrears and self employed specialists
Buy to Let
Removals
Loans
Insurance
Independent financial advice
Local Information
International Property Search
Books
Classifieds
News
Weather


Re: AWL and Auto Learn Bayes

2006-01-12 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Robert Bartlett wrote:
> Since finding out the trusted_network issue I question the rest of my
> local.cf setup. Right now I have AWL turned off and auto learning for bayes
> turned off. My question is does SA benefit from turning those 2 back on? Of
> course I would clear out AWL and bayes and start from scratch if I did. But
> would it make it easier for bayes to be "poisoned" if I turned auto learn
> on? I'm on SA 3.0.1.

Opinions vary. Here's mine:
AWL: I use it, and it has never caused me pain, however it does
sometimes assign positive, i.e. bad, scores to ham senders (esp. on
this list). I'm considering turning it off because it doesn't add
*enough* value to my setup to justify the CPU cycles it burns.

Bayes: Round here, BAYES_99 hit 92.77% of spam and 0.40% of ham in the
last year, BAYES_00 hit 80.31% of ham and 0.41% of spam in the same
period. I'd say a well trained bayes db is *very* worthwhile.
As for "bayes poison", I don't think it exists in the sense it's being
used here. Almost every spam I've got with long, random paragraphs in it
is scored by bayes just fine. My bayes FP rate doesn't get pushed up
either.

Regards,
C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDxqNRMDDagS2VwJ4RAtwgAKDQlxuG1W7kLYQb1e/6v/YGQ+QrLwCg+T7w
I/LF8QnC/kE+CCm0VwarWbo=
=578H
-END PGP SIGNATURE-


Re: AWL and Auto Learn Bayes

2006-01-12 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jim Knuth wrote:
[snip]
> 
> how can I change the defaults of learning threshold? I use SA V
> 3.1.0

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#learning_options

Specifically, bayes_auto_learn_threshold_nonspam and
bayes_auto_learn_threshold_spam

C.
- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDxquHMDDagS2VwJ4RAu7yAJwMerw6z+HTG1EsYJPz0J/0xocxBACeLDMt
gm0hP0p6Zj76V6x98dReqxw=
=bjQa
-END PGP SIGNATURE-


Re: AWL and Auto Learn Bayes

2006-01-12 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

(Please don't top-post, it ruins the formatting and flow of the thread!)

Robert Bartlett wrote:
> Are there any "starter" ham/spam emails I can use? I thought I saw one, but
> it wasn't for a MySQL database. I'm using Bayes, site wide, in mysql. I hate
> to feed it emails I think is ham or spam.
> 

I'd avoid using public spam corpora, the tokens learned will differ from
"real spam" seen at your site, this can cause bayes to be unreliable. In
the beginning, while training bayes, you should be very careful to feed
accurate info into it.
Set up a spamtrap and a "spam" folder for manually identified spam, feed
those into bayes by hand using sa-learn. Do the same for ham.

There are plenty of ways to get a sizeable spam corpus fairly quickly :-)

C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDxtqTMDDagS2VwJ4RArcJAJ404Di75yTk3qfV9zjA+r0ryt2wFQCfTmRo
J/LMaN2h3LPQym3jlD747QM=
=ceaO
-END PGP SIGNATURE-


Re: spam scores low (Sendmail + smtp-vilter + SA )

2006-01-14 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

jdow wrote:
> (And sometimes it is fun to exercise morbid curiosity and look at some of
> the outlandishly large scores and laugh at the poorly defined
> messages. "Die Vile Spam!")
> 
> {^_-}

I'm glad it's not just me :-)

C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDyTvTMDDagS2VwJ4RAqmsAKDlbQqlRAXb6taTF8gop/lk/BJplwCcCllv
+5oOvbw1MgraqmN0kD/TEwk=
=0a0B
-END PGP SIGNATURE-


Re: X-Spam Status

2006-01-22 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Gene Heskett wrote:
> 
> No I'm not, Joanne!  Fetchmail is run from rc.local and delivers the 
> mail from vz and gmail to /var/spool/mail/gene on a 10 minute repeating 
> loop.
> Kmail, then, completely asynchronously but on the same basic 10 
> minute repeat timing, grabs the contents of that file and sorts it into 
> its various folders after piping _some_ of the mail through SA.
[snip]
> 
> Now, it looks as if I should make /etc/procmail/procmailrc be owned by 
> gene:gene, and that I should set kmail to pipe the mail, using 
> 
> procmail -pm /etc/procmail/procmailrc
> 
> from the man pages, but I'm not sure what other arguments might be 
> needed.  I've copied your recipe into /etc/procmail/procmailrc 
> and /etc/procmail/* is owned by gene:gene.

Erm, I think you should use per-user procmail recipes rather than tinker
with the globals. I believe your ~/.procmailrc can sort this out.

> So I think the next step is to add the filtering rule to kmail and fire 
> a message off to the fedora list for effect, which will generate 
> testing mails aplenty.
> 

Gene, I'm a little confused about your setup, why not just get fetchmail
to deliver all mail to procmail as the local MDA (man fetchmail will
help you out), then let procmail sort into folders and spam check as
necessary, and then use KMail as what it essentially is - a mail reader.
Have I missed something obvious?

Kind Regards,
C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD083GMDDagS2VwJ4RAjDuAJ9jPcoSOeJx3mDvtVNEX3oeqnqX5ACfTq9J
r8CxJhkwuN1js79c/ig18a4=
=5ICI
-END PGP SIGNATURE-


Re: RulesDuJour Recommendation

2006-02-08 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Joey wrote:
> Hello everyone,
>  
> As I'm sure you are aware the spam these days seems to be getting worse.
> In an attempt to be more aggressive we started using RulesDuJour.
> What I would like to know is which rules are you using without too much
> headache so that we can implement them into our configuration.
> I didn't want to load them all because I felt that it may be too aggressive
> and cause many client complaints.
>  
> Also if you have found any solutions for the recent barrage of image spam I
> would appreciate you sharing them with me.

I am, and have been for a while, using SARE_REDIRECT_POST300 SARE_HTML
SARE_BAYES_POISON_NXM TRIPWIRE EVILNUMBERS SARE_RANDOM SARE_WHITELIST
SARE_OBFU SARE_STOCKS SARE_SPOOF to good effect (though someone will
probably tell me that at least one of those is no longer advisable).
I also have a bunch of homebrew rules which add weight to the specific
types of spam I see here. They're on the website below if you're interested.

If you are getting a lot of pump-and-dump stock/microcap image spam, I
can heartily recommend SARE_STOCKS. It's a masterpiece.

C.


- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD6fHuMDDagS2VwJ4RAtCtAKDwILYsdZOAu0urBJ7pN2ZlqOHE1wCdGUPd
6vGN6heBBMSEUtKA755v8rE=
=tQw7
-END PGP SIGNATURE-


Re: getmail?

2006-02-11 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Gene Heskett wrote:
[snip fetchmail discussion]

> 
> In further reading tonight, sendmail grew the libmilter feature at 
> 8.12, which is the base version running here, and yum won't update it, 
> says it's current.

What version of the OS are you running, Gene? FC4 has 8.13.4-2 as the
latest, not that it necessarily makes any odds.

> Right now, I'm looking at the <http://www.bmsi.com/python/milter.html> 
> site, trying to see how this is done.
> 
> But, here is the headache:  At no place in the various files sitting 
> in /etc/mail that serve to configure sendmail, is there an example of 
> how to configure sendmail to make use of these feature facilities.

Basic milter information can be found at:
http://www.sendmail.org/~ca/email/doc8.12/cf/m4/adding_mailfilters.html
and more in-depth here:
http://www.milter.org/

An example of how to get sendmail to use spamass-milter (and
clamav-milter, I use both) looks like this, from sendmail.mc:

- -quote-
dnl ** Milter Configurations **
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
dnl define(`confINPUT_MAIL_FILTERS', `spamassassin,clmilter')
- -quote-

Over here I use spamass-milter to pass mail to spamc as it passes
through the MTA, because I *am* my domain's MX.
This means sendmail needs to be configured to accept mail via SMTP which
is fine for me, but might be far more overhead than you need.

> Spamassassin 3.10 contains only very scant references to using it with 
> sendmail, apparently sanctioning only the procmail interface, which in 
> turn then is set to call spamc or spamassassin, adding needless time 
> wasting cpu cycles to what should be a pretty simple job.  I fail to 
> understand why (although it will take smarter people than me what with 
> sendmail's configuration complexity) there is no readily published 
> recipe for incorporating spamc into the sendmail processing chain, 
> either by piping, or when the libmilter feature is there?

libmilter just provides a mechanism for sendmail to pass the email, via
a socket, to a small C program, thence to spamc. Talk about "needless
time wasting CPU cycles"?

In a configuration where you don't readily run sendmail to accept mail,
I would suggest staying the hell away from it and:

a) configuring fetchmail to simply use procmail as the MDA. ("--mda
/usr/bin/procmail" or similar, IIRC)
b) having procmail run everything handed to it through spamc, and filter
accordingly.

Piece of cake (relatively speaking) to set up, no sendmail black magic
and fairly quick to run.

> Or am I simply on the wrong mailing list?  I've sent 3 subscribe 
> messages to the getmail-user list over the last 3 days with no response 
> which is discouraging.  OTOH, now that I know it can't do what I want, 
> who cares.  It might be that if there was a manpage for getmail, it 
> might be possible.  A pox on software that doesn't come with readable 
> manuals.

Or *any* manuals

All the best!
C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD7eXCMDDagS2VwJ4RAklQAKDDkbeOOGGfp7I5RuubaSmAAJCjiwCgjwbM
bVGx27+TfZgUG9QwfK6VJU8=
=QDMd
-END PGP SIGNATURE-


Re: Spammasssin skips rules?

2006-02-11 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Joost Kraaijeveld wrote:
> Hi,
>
> I have two rules in a file "/etc/spamassassin/80_jkr.cf" that seem to be
> skipped by spamassassin:
>
> body      JKR_TEST_BODY_RULE     /e/
> score     JKR_TEST_BODY_RULE     0.0
> describe  JKR_TEST_BODY_RULE     JKR body rule
>
> header    JKR_TEST_HEADER_RULE   Subject =~ /e/
> score     JKR_TEST_HEADER_RULE   0.0
> describe  JKR_TEST_HEADER_RULE   JKR header rule
>
>
[snip]

> Is my regex wrong or are there circumstances that Spamassassin skips any
> rules?
>
>

Rules scored at 0 will be skipped by SA. If you want the rule to fire
but with a very low score (for testing, etc) assign a score like 0.01 to it.

C.

- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD7fO+MDDagS2VwJ4RAnPPAJwLX5SKGxES4WxR61ks+rgTyXTGkgCgk1sN
U3ogYpdyrpGGDiPpQuZFMsA=
=ugT8
-END PGP SIGNATURE-


Re: getmail?

2006-02-11 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Gene Heskett wrote:
[snip sendmail discussion]

> I've about come to that conclusion myself, so I'm now investigating the 
> fetchmail->procmail->dovecot solution right now.  But the dovecot 
> mailing list might be a problem, I've subbed about an hour ago but have 
> rx'd no please confirm message yet.
> 
> Joanne has me about straight on the fetchmail and procmail stuffs, and I 
> may even see if I can turn that part on just for grins, but 
> dovecot's .conf looks like it'll need a philly lawyer to decode it 
> correctly so it works.

Heh, yeah. The dovecot config can be pretty daunting, I'll try and
summarise how I've got it set up here, but many things may not be needed
where you are.
The only uncommented lines in my config are:

- -quote-
protocols = imap imaps                            # We don't use POP
ssl_cert_file = /etc/mail/certs/fukka.co.uk.cert  # SSL stuff
ssl_key_file = /etc/mail/certs/fukka.co.uk.key    # SSL stuff
disable_plaintext_auth = no                       # Nasty Squirrelmail hack
login_user = dovecot                              # Discrete user for processes
login_processes_count = 1                         # Tuning
login_max_processes_count = 12                    # Tuning
login_max_logging_users = 12                      # Tuning
first_valid_uid = 1000                            # Security
first_valid_gid = 0                               # Hack for my GID
mail_extra_groups = mail                          # Permissions tweak
default_mail_env = mbox:/var/mail/%u              # YMMV - check the docs
lock_method = flock                               # Multiple things lock mail here
maildir_copy_with_hardlinks = yes                 # Dunno. Check docs
mbox_read_locks = flock                           # Locking
mbox_write_locks = flock                          # Locking
mbox_lazy_writes = no                             # Tweak
protocol imap {                                   # IMAP settings in {}
  login_greeting_capability = no
  imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}
auth_verbose = yes                                # Just because
auth default {                                    # User auth settings in {}
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
  user = root
}
- -quote-

I've found the docs for dovecot to be fairly good, if a little tech-heavy.

On the other hand, FC also includes both UW-IMAP and Cyrus, more about
UW at http://www.washington.edu/imap/ and Cyrus at
http://asg.web.cmu.edu/cyrus/imapd/

Either of these is likely to be easier to configure than dovecot.

>> In a configuration where you don't readily run sendmail to accept
>> mail, I would suggest staying the hell away from it and:
> 
> Sendmail does run to collect local mail here, like from amanda and 
> cron/logwatch, that sort of stuff.  And I'd like to figure out a way to 
> collect mail from the firewall box so I didn't have to log in via ssh 
> 2-3 times a week and read the chkrootkit reports and such.  It's 
> normally a mounted samba share from here, so maybe I could get kmail to 
> do that now that I think about it.  Humm, off to try it by golly.
> 

You'll be a whizz at installing IMAP servers soon, you could install one
on the firewall box and use fetchmail to pull it onto the main server.
Assuming you felt suitably insane.

Regards,
C.
- --
Craig McLean    http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD7nHaMDDagS2VwJ4RAklCAJ4yFrD5DTEtx6kY6fM/wdr9ocsESwCfZQfB
wnAhZlgEFECvt98TsXiL5GA=
=8ACT
-END PGP SIGNATURE-


Re: Syslog not working

2006-02-12 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Don O'Neil wrote:
> Hi all... I've tried using the FAQ entry to get spamd to log to syslog and
> thus to a file, but it's just not working...
> 
> I launch spamd like this:
> /usr/local/bin/spamd -s local5 & 
> 
> I have "local5.*; /var/log/spamassassin" in my syslogd.conf file. I HUP
> syslog, and relaunch spampd, but the messages still go to the console and
> not to the file.
> Any ideas?

You could try "/usr/local/bin/spamd -s /var/log/spamassassin &"

C.

- --
Craig McLean          http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD74WUMDDagS2VwJ4RAkFxAJ9d1p+Jn7tbQorXxgp8irv25/Bb9QCeKI4E
/EubhEC3DTNLyWfIzo2yjHI=
=tkD9
-END PGP SIGNATURE-


Re: Syslog not working

2006-02-12 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Henry F. Camacho Jr wrote:
> You need the -d.
> 
> HFC
> 
> 
> Craig McLean wrote:
> 
> Don O'Neil wrote:
>  
> 
>>>> Hi all... I've tried using the FAQ entry to get spamd to log to
>>>> syslog and
>>>> thus to a file, but it's just not working...
>>>>
>>>> I launch spamd like this:
>>>> /usr/local/bin/spamd -s local5 &
>>>> I have "local5.*; /var/log/spamassassin" in my syslogd.conf file. I
>>>> HUP
>>>> syslog, and relaunch spampd, but the messages still go to the console
>>>> and
>>>> not to the file.
>>>> Any ideas?
>>>>   
> 
> You could try "/usr/local/bin/spamd -s /var/log/spamassassin &"
> 
> C.
> 
> --
> Craig McLean          http://fukka.co.uk
> [EMAIL PROTECTED]   Where the fun never starts
> Powered by FreeBSD, and GIN!

I kind of assumed there was a good reason the OP was using & rather than -d,
not that I know what it might be...

C.

- --
Craig McLean          http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD4DBQFD74nVMDDagS2VwJ4RAnw8AJY/8qbUYx5BvQIpgIEuNztmH0vxAJ9DDjJC
WW3CLZaiXyKFp7qOuwSvbg==
=uMAg
-END PGP SIGNATURE-


Re: It's nice when they tell you they are sending a spam...

2006-02-16 Thread Craig McLean
Apologies for the top-posting and crappy formatting. I need a better mail 
client for my handheld...

I know that SA strips existing headers these days, but would it be possible to 
add a custom rule which checks for the existence of such headers, added by an 
upstream MTA, and scores accordingly?

Throwing mail away on the back of someone else's opinion of the spammishness of 
a message is undoubtedly bad, but taking their opinion into account may not 
be...

C.

mouss wrote:
Gene Heskett wrote:
> Thinking out loud here, could a procmail rule be written that checked 
> that, and /dev/null'd it so SA doesn't have to waste even more time on 
> it?
> 

That would be a bad idea. intermediary MTAs may filter mail and add
their own headers. they may consider the message spam based on a local
config. this config may not be suitable for you. If that MTA
rejected/bounced the mail, it would have been its problem. once that you
get it, it's yours, and you should use your own rules/policy to decide.




What to do with my spam?

2005-01-24 Thread Craig McLean
All,
I don't have a massive mail system. Just 2 users, of which this is
one ;-) and ~200 messages a day.
In order to train bayes I created a junk user and seeded it to a few
messageboards to get it on the spam lists. The account isn't used for
anything else so every message is spam and gets learned as such, the
whole mailbox gets deleted each night.
The real address (this one) gets sa-learned by hand as ham/spam about
once a week.

The question is: What other use is there for this "guaranteed" spam I am
getting? It's only about 40 messages a day but is it useful to anyone
else, or should I just keep deleting it?

Kind Regards,
Craig.




OT: Bayes for VoIP anyone?

2005-02-17 Thread Craig McLean
A whole new set of challenges heading our way...

http://www.theregister.co.uk/2005/02/17/spam_gets_vocal_with_voip/

Craig.


Re: Update on Autolearn, SA/SA-milter ID problem, etc

2005-04-04 Thread Craig McLean
Don, some thoughts inline..

Don Levey wrote:
> If the definition of insanity is doing the same thing multiple times and
> expecting a different result, what is it when you're doing the same thing
> multiple times, expecting the same result, and you get DIFFERENT results?

Sounds like the definition of computer sciences to me ;-)

[snip]
> Here's what I want to do with them:

Sounds like the setup I have here (with the exception of pyzor) but I
run it on BSD instead of Fedora. Some comments below...

> * The spamd/spamass-milter processes should not run as root (user
>   'spamassassin').

I gather from your previous mail that you already run this as
"spamassassin". Make sure it owns the bayes files defined by bayes_path.
I created a subdirectory owned by the user and let SA get on with it.

> * I want a single set of user preferences/bayes DB.
>   While additional user preferences could in theory be OK,
>   I want only one Bayes DB.

OK, the prefs in /etc/mail/spamassassin/*.cf and the bayes DB in
bayes_path then.

> * As the above may mention, I want to use the Bayes DB for learning and
>   auto-learning.

Should work fine as long as the user running spamd owns the
directory/files used by bayes.

> * I want tagged spam to rewrite the subject.
> * I want to attach the original message to the report.

Looks like that's set up fine, judging by your local.cf

> * I want to use RBLs for things not covered otherwise in sendmail
>   (i.e. for URLs in the messages)

Make sure you have the perl Net::DNS stuff installed. Check with
'spamassassin -D --lint', look for:
debug: is Net::DNS::Resolver available? yes

> * I want to use Razor/Pyzor

OK. Haven't bothered with them yet.

> * Eventually, I may drop egregious spam examples,
>   but I'm not sure I want to do that yet.

Well, it can be done if you choose to.

> What seems to happen is that I can get some subset of these things, but not
> all at once. Additionally, while I often think I've got things working
> correctly, they appear to change randomly from working to non-working.

Can you be more specific? What's not working? Any error messages in
messages/maillog/&c.

> The last point, on dropping spam, seems to be happening anyway. From what I can
> tell, anything with a score greater than 15 is being rejected automatically.
> This is seriously reducing my spam load.

That may well be a function of how SA/sendmail are configured on Fedora?

> As I mentioned last week, I was getting "autolearn=failed" when BAYES_00 was
> the only rule that hit. If I got ANY other rule that also hit, autolearn did
> not fail. At least part of the problem there had to do with creating the
> lock file for the Bayes DB; Even though I thought I was running as root, and
> root owned the directory in question (/etc/mail/spamassassin) I needed to
> open the permissions in order for things to work correctly.

I'd imagine that spamd runs as root only for long enough to create the
priv'd socket it needs, and then drops privs. I have everything in
/var/bayesdb/bayes_* and /var/bayesdb is 755 owned by 'spam' user (which
runs the milter/spamd). /etc/mail/spamassassin is 755 owned by root. No
problems..

> From what I see now, this is because if root is running it then the user
> shifts to 'nobody'. This is damn inconvenient. So, I've tried to shift to
> using user 'spamassassin' by using the "-u spamassassin" switch on both
> spamd and spamass-milter. When I do this, though, I can't actually read the
> user_prefs file for user root. But why am I even trying to open it for root,
> when spamassassin is the UID?

Why not combine the user_prefs and the local.cf, and move the whitelist
somewhere where 'spamassassin' user can read/write to it?

> The biggest problem right now is that for some reason message rewriting has
> stopped for spam messages.  The header is tagged correctly, but the message
> is never rewritten.  From my local.cf file (below), it looks like this
> should be happening.  I don't know of any change I made which could account
> for this, and indeed this seemed to happen overnight, when I didn't do
> anything.

[snip]
The config looks ok to me, but I'm no expert. Any error messages in
/var/log/maillog (or wherever on Fedora), or in the output from
spamassassin -D --lint?

> http://www.eruditer.org:6080/spamassassin/local.cf
> http://www.eruditer.org:6080/spamassassin/root-user_prefs
> http://www.eruditer.org:6080/spamassassin/sysconfig-spamassassin
> http://www.eruditer.org:6080/spamassassin/sysconfig-spamassassin-milter

Can't get to those URL's, timeout...

Cheers!
Craig.


Re: Update on Autolearn, SA/SA-milter ID problem, etc

2005-04-04 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Don Levey wrote:
| Craig McLean wrote:
|
|
|>>   * The spamd/spamass-milter processes should not run as root (user
|>>'spamassassin').
|>
|>I gather from your previous mail that you already run this as
|>"spamassassin". Make sure it owns the bayes files defined by
|>bayes_path. I created a subdirectory owned by the user and let SA get
|>on with it.
|>
|
| I had tried running as 'spamassassin', but ran into difficulties.  In
| particular, it kept giving errors that it couldn't open
| /root/.spamassassin/user_prefs for writing, even when I made the file and
| the directory wide-open (777).  Since I seem to recall seeing somewhere that
| I should make changes to the user_prefs and not the local.cf (as that might
| be updated and overwritten with upgrades), I had been using the user_prefs
| instead.  I even went to the point of setting up a wide-open user_prefs file
| in a wide open directory, and linking to that for all users, but that didn't
| help (it still looked only for the one in the root home dir)
I didn't think local.cf is overwritten during upgrades. I hope it
doesn't, that would be counter-productive. It is true that the
/usr/[local]/share/spamassassin directory may well get overwritten,
which is why local rules should be in local.cf.
Also, I believe SA reads *all* files ending in .cf in
/etc/mail/spamassassin for configuration, so you could just call yours
localconfig.cf or some such.
|
| I'm getting header tags, but I'm not getting message rewriting/attachment,
| or a subject rewrite.
|
Spooky. I don't want to sound like a windows specialist, but have you
tried stopping and starting spamd?
|>>   * I want to use RBLs for things not covered otherwise in sendmail
|>> (i.e. for URLs in the messages)
|>
|>Make sure you have the perl Net::DNS stuff installed. Check with
|>'spamassassin -D --lint', look for:
|>debug: is Net::DNS::Resolver available? yes
|>
|
| I *think* this is set up correctly; I'm not currently getting any errors
| that I can see.  That line is indeed present.
It should be fairly obvious from the spam you get if you see rules like
RCVD_IN_SORBS, RCVD_IN_BL_SPAMCOP_NET or other hits on RBL: rules.
|
|>>   * Eventually, I may drop egregious spam examples,
|>> but I'm not sure I want to do that yet.
|>
|>Well, it can be done if you choose to.
|>
|
| Not only that, but it seems to be happening now!  I vaguely remember seeing
| which config file would control this, but re-Googling for it doesn't turn
| anything up now.  Damn this memory!
Likewise..
|
|>>What seems to happen is that I can get some subset of these things,
|>>but not
|>>all at once. Additionally, while I often think I've got things
|>>working
|>>correctly, they appear to change randomly from working to
|>>non-working.
|>
|>Can you be more specific? What's not working? Any error messages in
|>messages/maillog/&c.
|>
|
| At this particular moment, the big problem is the subject/message rewriting.
| But then I'm still running as root (or, apparently, 'nobody') and I'm not
| sure this is the best thing to do.
Probably not, get a dedicated user for spamd and use that, keeps things
tidy.
|
|>>The last point, on dropping spam, seems to be happening anyway. From
|>>what I can
|>>tell, anything with a score greater than 15 is being rejected
|>>automatically.
|>>This is seriously reducing my spam load.
|>
|>That may well be a function of how SA/sendmail are configured on
|>Fedora?
|>
|
| It could be - but that wasn't happening as of Friday.  I was seeing scores
| into the 20s come through - but tagged/rewritten.
Out of interest, you don't have a conflicting user_prefs laying about in
~ either root's or spamassassin's $HOME/.spamassassin do you? If so, get
them out of the way until you get the basic config up and running. You
never know...
[snip]
|
| I don't think I'm getting errors on the whitelist, just user_prefs.  But I
| *could* combine the user_prefs and local.cf files (I did that briefly, but I
| thought that was a bad idea for some reason or another).
Seeing as you want site-wide config and bayes, a site-wide config file
would make more sense than using a basic config in
/etc/mail/spamassassin and added configuration elsewhere.
|
| I'm not seeing any error in maillog (yes, you've got the location correct)
| nor anything in 'spamassassin -D --lint'.  Running the latest message itself
| through spamassassin -D shows that it is tagged correctly, and indeed it is
| being rewritten properly (subject and body).  I ran that test as root; this
| must have something to do with user IDs but I'm seeing no errors that I can
| find.
We

Re: Update on Autolearn, SA/SA-milter ID problem, etc

2005-04-04 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Don Levey wrote:
[snip]
[Spamassassin rejecting mail above a certain score]
| Not only that, but it seems to be happening now!  I vaguely remember seeing
| which config file would control this, but re-Googling for it doesn't turn
| anything up now.  Damn this memory!
AHA! It came to me, it's the spamass-milter. There is a startup option
(-r <n>) where n is the score to reject at.
Also, check that it's not running with -m/-M, that would screw things up.
In fact, it's probably worth checking the whole milter config against
the man page.
Cheers!
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCUW3oMDDagS2VwJ4RAmjTAJ0YEc5vkmDcfx+GHO2RQ4ocsqtZKACgoOA/
LwJjGjySxEJj7dYgC1RRN5Q=
=2ZAQ
-END PGP SIGNATURE-


Re: Update on Autolearn, SA/SA-milter ID problem, etc

2005-04-06 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Don Levey wrote:
[snip]
| The latest in my quest to get SA to work properly...
|
| I've made sure that the whitelist and Bayes DB can be written to and be read
| by 'spamassassin'.  I've set the '-u spamassassin' flag for both the
| /etc/sysconfig/spamassassin and /etc/sysconfig/spamass-milter startup files.
| I've restarted spamd, spamass-milter, and sendmail.
|
| My ps list shows that 'spamassassin' is running spamd, and 'root' is running
| spamass-milter.  In my maillog file, I am getting errors:
| * for 'named' accounts, spamd can't find the user_prefs file
| * for 'aliased' accounts, spamd can't find the username.
|
| I know that I can solve the latter by putting the '-x' flag on the
| spamass-milter startup line.  Do I need to worry about the former?  That is,
| am I causing any problems by running this way, or am I simply now set up so
| that I can run user-specific rules in addition to the site-wide ones?
No need to worry, SA is looking for per-user user_prefs files, and can't
find them. Which is not a problem. It's a function of the -u option to
spamass-milter. If you don't want individual user_prefs you might turn
it off.
And as you said, -x might be useful as well
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCU8MSMDDagS2VwJ4RAnteAKCg71c8ufHkrHcWOHWBA55Ll28gogCfR9Yq
mcfugS5jgb9417bNibe+LcI=
=4YBD
-END PGP SIGNATURE-


Local 419 mail rule set.

2005-04-13 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dear list,
I've got a few local rules which I use to supplement the basic SA
installation (3.0.2), but I don't really have a sizeable ham/spam corpus
to test them against. Also, I'm aware that there will likely be some
cross-over with the SARE ruleset, which I'm not using at the moment.
So I've attached the .cf for anyone who's interested, please feel free
to use it however you see fit. I'd be grateful for any suggestions to
reduce FP's, masscheck results, or suggestions for better places to
submit these rules :-).
Thanks in advance.
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCXTQkMDDagS2VwJ4RAs5fAJ9Qppbc5uNWptYZ9C9d3joT5QCXqACg8Sd8
pM4pbUDySW1+7cf73hyEzic=
=RvIT
-END PGP SIGNATURE-


Local 419 mail rule set. Take 2.

2005-04-13 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Anyone spot the deliberate mistake? :-(
Craig. - This time with the attachment.
- 
Dear list,
I've got a few local rules which I use to supplement the basic SA
installation (3.0.2), but I don't really have a sizeable ham/spam corpus
to test them against. Also, I'm aware that there will likely be some
cross-over with the SARE ruleset, which I'm not using at the moment.
So I've attached the .cf for anyone who's interested, please feel free
to use it however you see fit. I'd be grateful for any suggestions to
reduce FP's, masscheck results, or suggestions for better places to
submit these rules  :-) .
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCXTWcMDDagS2VwJ4RApzQAJ9vIxtyKXCakRHImwTLEGTQFXb0YQCfdN6O
5sN39DGghqY9X51uv3eCdvo=
=abd4
-END PGP SIGNATURE-
# Local rules for 419-like messages
#
###
#

body     LOCAL_419_DEPOSIT     /\b(?:a|th(?:e|is)) deposit was made\b/i
describe LOCAL_419_DEPOSIT     A deposit was made
body     LOCAL_419_DEPOSIT_2   /\bmade a deposit\b/i
describe LOCAL_419_DEPOSIT_2   A deposit was made
body     LOCAL_419_DOCUMENTS   /\ball (?:relev(?:a|e)nt|nec?ces?s(?:a|e)ry) documents?\b/i
describe LOCAL_419_DOCUMENTS   All relevant or necessary documents
body     LOCAL_419_SURPRISE    /\b(?:e?(?:-|.)mail|message|letter)? (?:(?:may|must|might|will|be)(?: \w+)? com(?:e|ing) to you as|will be) a (?:\w+ )?sur?prise\b/i
describe LOCAL_419_SURPRISE    A surprise mail, how nice!
body     LOCAL_419_INTRODUCE   /\bintroduce myself\b/i
describe LOCAL_419_INTRODUCE   Why would you need to introduce yourself?
body     LOCAL_419_REPS        /\b(?:searching|looking) for (?:a )?representatives?\b/i
describe LOCAL_419_REPS        Looking for representative
body     LOCAL_419_BUSMEN      /\bgroup of businessmen\b/i
describe LOCAL_419_BUSMEN      A group of businessmen
body     LOCAL_419_PAYME       /\b(?:we|that|they) will pay you\b/i
describe LOCAL_419_PAYME       Show me the money!
body     LOCAL_419_LUCKY       /\blucky (?:international) recipients?\b/i
describe LOCAL_419_LUCKY       Lucky recipient
body     LOCAL_419_ACCOUNT     /\bbank account\b/i
describe LOCAL_419_ACCOUNT     Mentions Bank Account
body     LOCAL_419_STERLING    /\bpounds sterling\b/i
describe LOCAL_419_STERLING    Mentions Pounds sterling
body     LOCAL_419_RELIABLE    /\bI (?:am in )?need (?:of )?a (?:(?:trustworthy|reliable) and )?(?:trustworthy|reliable) person\b/i
describe LOCAL_419_RELIABLE    Needs a reliable or trustworthy person
body     LOCAL_419_DONTKNOW    /\b(?:don\'t|dont|(?:did |do )?not) know (?:ourselves|each other|me)\b/i
describe LOCAL_419_DONTKNOW    You don't know me, but...
body     LOCAL_419_TRUNKBOX    /\btrunk box(?:s|es)?\b/i
describe LOCAL_419_TRUNKBOX    Mentions a trunk box.
body     LOCAL_419_PRIV_EMAIL  /\bprivate e?mail ad?dres?s/i
describe LOCAL_419_PRIV_EMAIL  Mentions a private email address.
body     LOCAL_419_TRANSFER    /tran?s?fer (?:of )?(?:th[oei]se? |my |some |said )?funds?/i
describe LOCAL_419_TRANSFER    Mentions a transfer of funds

# Local scores
score LOCAL_419_DEPOSIT  1.5
score LOCAL_419_DEPOSIT_2  1.5
score LOCAL_419_DOCUMENTS  1.5
score LOCAL_419_SURPRISE  1.5
score LOCAL_419_INTRODUCE  2.0
score LOCAL_419_REPS  0.4
score LOCAL_419_BUSMEN  0.3
score LOCAL_419_PAYME  0.5
score LOCAL_419_LUCKY  0.8
score LOCAL_419_ACCOUNT  0.8
score LOCAL_419_STERLING  0.7
score LOCAL_419_RELIABLE  0.9
score LOCAL_419_DONTKNOW  0.9
score LOCAL_419_TRUNKBOX  0.6
score LOCAL_419_PRIV_EMAIL 0.4
score LOCAL_419_TRANSFER  0.5


Re: Need for a new rule?

2005-04-13 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andreas Davour wrote:
[snip]
| Are there any rule for this? Would one be hard to design? I haven't seen
| anything about it in the documentation. OR, I haven't understood what
| I've read...
I just wrote a bunch of obfu-rules with negative lookaheads and made
meta-rules out of them, nails anything like this because there is
generally no need for people to spell dollar with 2 |'s (or "will",
"overall" etc.)
Anyway, the attached might help a bit (with apologies for all the SA
installs which it may trigger)... Pointers, corrections etc. welcome as
always.
Regards,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCXZmkMDDagS2VwJ4RAohYAKDx631Ya2sxgwJ76vLCHFKgYwTLEQCeMkxE
IdzMVRyuNtJb+XR8x27k22Y=
=+tzz
-END PGP SIGNATURE-
# Local rules for stocks and shares scams
#
###
#

body     LOCAL_STOCK_ACT      /The Private Securities Litigation Reform Act/i
describe LOCAL_STOCK_ACT      Mentions the Reform Act
body     LOCAL_STOCK_NOVICE   /is not an investment expert/i
describe LOCAL_STOCK_NOVICE   Not an investment expert
body     LOCAL_STOCK_BULL_1   /bu[1\|l][1\|l] market/i
describe LOCAL_STOCK_BULL_1   Bull market
body     LOCAL_STOP_MAILINGS  /t[0o] st[0o]p future mai[\|l]ings?/i
describe LOCAL_STOP_MAILINGS  Link or mail to stop future mailings

#OBFU Rules

body     __LOCAL_OBF_BULL     /(?!bull)bu[1\|l][1\|l]/i
describe __LOCAL_OBF_BULL     Bull-OBFU
body     __LOCAL_OBF_WILL     /(?!will)wi[1\|l][1\|l]/i
describe __LOCAL_OBF_WILL     Will-OBFU
body     __LOCAL_OBF_DOLLAR   /(?!dollar)do[1\|l][1\|l]ar/i
describe __LOCAL_OBF_DOLLAR   Dollar-OBFU
body     __LOCAL_OBF_ALL      /(?!all)a[1\|l][1\|l]/i
describe __LOCAL_OBF_ALL      All-OBFU
body     __LOCAL_OBF_WELL     /(?!well)we[1\|l][1\|l]/i
describe __LOCAL_OBF_WELL     Well-OBFU
body     __LOCAL_OBF_OVERALL  /(?!overall)[0o]vera[1\|l][1\|l]/i
describe __LOCAL_OBF_OVERALL  Overall-OBFU
body     __LOCAL_OBF_OIL      /(?!oil)[0o]i[1\|l]/i
describe __LOCAL_OBF_OIL      Oil-OBFU

meta LOCAL_OBF_1 (( __LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 0)
describe LOCAL_OBF_1 Found 1 obfuscated word
#meta LOCAL_OBF_2 (( __LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 1)
#describe LOCAL_OBF_2 Found 2 obfuscated words
#meta LOCAL_OBF_3 (( __LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 2)
#describe LOCAL_OBF_3 Found 3 obfuscated words
meta LOCAL_OBF_4 (( __LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 3)
describe LOCAL_OBF_4 Found 4 obfuscated words
#meta LOCAL_OBF_5 (( __LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 4)
#describe LOCAL_OBF_5 Found 5 obfuscated words
#meta LOCAL_OBF_6 (( __LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 5)
#describe LOCAL_OBF_6 Found 6 obfuscated words
meta LOCAL_OBF_7 (( __LOCAL_OBF_BULL + __LOCAL_OBF_WILL + __LOCAL_OBF_DOLLAR + __LOCAL_OBF_ALL + __LOCAL_OBF_WELL + __LOCAL_OBF_OVERALL + __LOCAL_OBF_OIL) > 6)
describe LOCAL_OBF_7 Found 7 obfuscated words


score LOCAL_STOCK_ACT       1.5
score LOCAL_STOCK_NOVICE    0.6
score LOCAL_STOCK_BULL_1    0.6
score LOCAL_STOP_MAILINGS   0.6
score LOCAL_OBF_1 1
#score LOCAL_OBF_2 2
#score LOCAL_OBF_3 2
score LOCAL_OBF_4 3
#score LOCAL_OBF_5 3
#score LOCAL_OBF_6 4
score LOCAL_OBF_7 4


RE: RCVD_IN_SORBS_WEB

2005-04-14 Thread Craig McLean
On Thu, April 14, 2005 12:04 pm, Gray, Richard said:

[snip]
> When we've had to deal with this, I tend to write a short email
> demonstrating the effectiveness of the tool (produce some statistics on
> spam stopped) and point out that there is no way to achieve a 100%
> efficiency.

Or just switch off SA scanning of that customer's mail for a day or so,
that should give them an idea of how effective it is... ;-)

Craig.


OT?: If you need proof that spammers use the same resources as us...

2005-04-28 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Call me paranoid, but a few weeks back I posted a couple of rules on this
list and to the exit0 wiki which were designed to catch a common phrase
seen in many 419 spams. Notably one which catches a common "allow me to
introduce myself" style opening.
It was not particularly clever, simply searching for the 2-word phrase
"introduce myself", but lo and behold this week I get:

"allow me to introduce my humble-self"
"must introduce,myself"
"to introduce my very self"

And various others. It appears to me a timely reminder, as if one were
needed, that some spammers know what measures are being used against them
and learn how to combat at least some of them.

Three cheers for Bayes and the SARE ninjas, then!

Kind Regards,
Craig.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFCcPQLMDDagS2VwJ4RAuUCAJ0eGw/K60vIsldw2fkilb6iKOAzfgCguATZ
bYwcFpv4Gt4BAGgAvL7dZ+M=
=+iBS
-END PGP SIGNATURE-
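
The posted 419 and OBFU rule sets, and the evasion of the "introduce myself" rule described in the message above, can be exercised together. This is an added example, not code from the original posts or from SpamAssassin: a small Python emulation of `body`/`meta`/`score` evaluation run over constructed samples and the three variants quoted in the post. `LOCAL_419_INTRODUCE_GAP` and its score are hypothetical, and treating each sub-rule as 0 or 1 in the meta sum and defaulting unscored rules to 1.0 are assumptions.

```python
import re

# Rules copied from the two posted rule sets, plus LOCAL_419_INTRODUCE_GAP,
# a hypothetical gap-tolerant rule that is NOT part of the original posts.
CF = r"""
body  LOCAL_419_INTRODUCE      /\bintroduce myself\b/i
body  LOCAL_419_INTRODUCE_GAP  /\bintroduce\W+my\W*(?:\w+\W+)?self\b/i
body  __LOCAL_OBF_BULL     /(?!bull)bu[1\|l][1\|l]/i
body  __LOCAL_OBF_WILL     /(?!will)wi[1\|l][1\|l]/i
body  __LOCAL_OBF_DOLLAR   /(?!dollar)do[1\|l][1\|l]ar/i
body  __LOCAL_OBF_ALL      /(?!all)a[1\|l][1\|l]/i
body  __LOCAL_OBF_WELL     /(?!well)we[1\|l][1\|l]/i
body  __LOCAL_OBF_OVERALL  /(?!overall)[0o]vera[1\|l][1\|l]/i
body  __LOCAL_OBF_OIL      /(?!oil)[0o]i[1\|l]/i
score LOCAL_419_INTRODUCE      2.0
score LOCAL_419_INTRODUCE_GAP  2.0
score LOCAL_OBF_1 1
score LOCAL_OBF_4 3
score LOCAL_OBF_7 4
"""
# The three active meta rules from the post: sum of sub-rule hits > 0, > 3, > 6.
_SUM = " + ".join("__LOCAL_OBF_" + w for w in
                  ("BULL", "WILL", "DOLLAR", "ALL", "WELL", "OVERALL", "OIL"))
CF += "".join(f"meta LOCAL_OBF_{n} (( {_SUM} ) > {n - 1})\n" for n in (1, 4, 7))


def parse_cf(text):
    """Parse body/meta/score lines; other directives and comments are skipped."""
    body, meta, score = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "body":
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest)
            if m is None:
                raise ValueError(f"unparsable body rule: {line}")
            body[name] = re.compile(m.group(1), re.I if "i" in m.group(2) else 0)
        elif kind == "meta":
            meta[name] = rest
        elif kind == "score":
            score[name] = float(rest)
    return body, meta, score


def evaluate(message, rules):
    """Return (scored rules that fired, sub-rules that hit, total score)."""
    body, meta, score = rules
    hits = {name: int(bool(rx.search(message))) for name, rx in body.items()}
    for name, expr in meta.items():
        # Substitute 1/0 for every rule name, then allow arithmetic only.
        arith = re.sub(r"[A-Za-z_]\w*", lambda m: str(hits.get(m.group(0), 0)), expr)
        if not re.fullmatch(r"[\d\s()+<>=-]*", arith):
            raise ValueError(f"unsupported meta expression: {expr}")
        hits[name] = int(bool(eval(arith, {"__builtins__": {}})))
    fired = sorted(n for n, v in hits.items() if v and not n.startswith("__"))
    sub = sorted(n for n, v in hits.items() if v and n.startswith("__"))
    # Assumption: a rule with no score line counts 1.0.
    return fired, sub, sum(score.get(n, 1.0) for n in fired)


RULES = parse_cf(CF)
# Variants quoted in the post above.
VARIANTS = ["allow me to introduce my humble-self",
            "must introduce,myself",
            "to introduce my very self"]
# Constructed samples.
CLEAN = "The bull market will do well overall; oil and the dollar are all up."
ALL7 = "The bu11 market wi|l do we1l 0vera|l; 0i1 and the do11ar are a1l up."

if __name__ == "__main__":
    for text in VARIANTS + [CLEAN, ALL7, "0vera11 gains"]:
        print(evaluate(text, RULES), "<-", text)
```

The run shows two things the rule files alone do not: the literal two-word rule misses all three variants, and a single obfuscated word such as "0vera11" trips two sub-rules at once, so the meta thresholds count sub-rule hits rather than words.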


Re: Blacklist Not Working

2005-04-29 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ron Shuck wrote:
| Has anyone ever seen a situation where entries in the black_list are not
| being used or matching?
Yes.
Kind Regards,
Craig.
P.S Perhaps you could be more specific?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCclLyMDDagS2VwJ4RAgUwAKC7UAV2XAAOieKd1TijBxviagGMawCg/cot
bL44Harwe9Bx0cR7XELHVqs=
=0R2x
-END PGP SIGNATURE-


Re: Blacklist Not Working

2005-04-29 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Well that looks fine to me. Would it be possible for you to post
the headers from a message that fails to trigger against the blacklist,
and the real line from local.cf that you expect it to hit? Also how is
SA being called (i.e. spamd, milter, procmail..)?
Cheers,
Craig.
Ron Shuck wrote:
| I am using SpamAssassin 3.0.2. I have entries in
| /etc/mail/spamassassin/local.cf like blacklist_from  [EMAIL PROTECTED] I
| have restarted SpamAssassin, but I have received messages from
| domain.com and USERS_IN_BLACKLIST is not one of the tests notated in the
| header. I have modified the init.d script for SpamAssassin to include
| -D, and there are no errors in the startup.
|
|
|
| Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
| Buchanan Associates - People. Process. Technology.
|
| -Original Message-
| From: Craig McLean [mailto:[EMAIL PROTECTED]
| Sent: Friday, April 29, 2005 10:30 AM
| To: Ron Shuck
| Cc: users@spamassassin.apache.org
| Subject: Re: Blacklist Not Working
|
| *** PGP SIGNATURE VERIFICATION ***
| *** Status:   Good Signature from Invalid Key
| *** Alert:Please verify signer's key before trusting signature.
| *** Signer:   Craig McLean (Local Address) <[EMAIL PROTECTED]>
| (0x2D95C09E)
| *** Signed:   4/29/2005 10:29:54 AM
| *** Verified: 4/29/2005 10:30:51 AM
| *** BEGIN PGP VERIFIED MESSAGE ***
|
| Ron Shuck wrote:
| | Has anyone ever seen a situation where entries in the black_list are
| | not being used or matching?
|
| Yes.
|
| Kind Regards,
| Craig.
| P.S Perhaps you could be more specific?
|
| *** END PGP VERIFIED MESSAGE ***
|
|
|
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCcle0MDDagS2VwJ4RArrVAKC9wZYMaM4hiYDqj+5j1S/TOzkQVACg/TWI
rBdvy/k9UqV4Co8cja89avE=
=WqSX
-END PGP SIGNATURE-


Re: Blacklist Not Working

2005-04-29 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ron Shuck wrote:
| Here is the log. I don't have the message, but as you can see it did not
| match the blacklist.
|
| ---log--
| Apr 24 04:39:43 mail postfix/smtpd[25746]: connect from
| castile.calmra.com[72.11.146.117]
| Apr 24 04:39:44 mail postfix/smtpd[25746]: AE20883C:
| client=castile.calmra.com[72.11.146.117]
| Apr 24 04:39:45 mail postfix/cleanup[26437]: AE20883C:
| message-id=<[EMAIL PROTECTED]>
| Apr 24 04:39:45 mail postfix/qmgr[4304]: AE20883C:
| from=<[EMAIL PROTECTED]>, size=2034, nrcpt=1 (queue active)
| Apr 24 04:39:45 mail spamd[14218]: connection from localhost.localdomain
| [127.0.0.1] at port 48918
| Apr 24 04:39:45 mail spamd[14218]: info: setuid to filter succeeded
| Apr 24 04:39:45 mail spamd[14218]: processing message
| <[EMAIL PROTECTED]> for filter:501.
| Apr 24 04:39:46 mail spamd[14218]: clean message (4.8/5.0) for
| filter:501 in 1.2 seconds, 2000 bytes.
| Apr 24 04:39:46 mail spamd[14218]: result: .  4 -
| ALL_TRUSTED,AWL,BAYES_20,DNS_FROM_AHBL_RHSBL,HTML_50_60,HTML_IMAGE_ONLY_
| 12,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,URIB
| L_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL
| scantime=1.2,size=2000,mid=<[EMAIL PROTECTED]>,bayes=0.0627053670
| 923895,autolearn=no
Ok, but the real key is in the message headers. From the wiki:
The headers checked for whitelist [or blacklist] addresses are as
follows: if Resent-From is set, use that; otherwise check all addresses
taken from the following set of headers:
~Envelope-Sender
~Resent-Sender
~X-Envelope-From
~From
So we really need to see if the envelope sender info made it into the
headers, which is not guaranteed.
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCcmskMDDagS2VwJ4RAk4XAJ0d/n/d+SCCwHSgfocvmZempmSaGgCffYHf
bFSC0IxenyijouyvS2LegpA=
=f++Y
-END PGP SIGNATURE-
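
The header precedence quoted from the wiki in the message above explains how a sender visible in the MTA log can still fail to match a blacklist entry. The following is an added example, not SpamAssassin's own code: it applies that precedence to constructed messages and reports when only the envelope sender would have matched. The addresses, the `*@spam.example` pattern and the use of `fnmatch` to approximate glob matching are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Header precedence as quoted from the wiki in the message above.
FALLBACK_HEADERS = ("Envelope-Sender", "Resent-Sender", "X-Envelope-From", "From")


def candidate_addresses(raw_message):
    """Addresses a blacklist entry can be compared against for this message."""
    msg = message_from_string(raw_message)
    values = msg.get_all("Resent-From")
    if not values:
        # No Resent-From: collect every address from the fallback headers.
        values = [v for name in FALLBACK_HEADERS for v in msg.get_all(name, [])]
    return sorted({addr.lower() for _, addr in getaddresses(values) if addr})


def blacklist_hits(raw_message, patterns):
    """(address, pattern) pairs that match; patterns are glob style (* and ?)."""
    return [(addr, pat) for addr in candidate_addresses(raw_message)
            for pat in patterns if fnmatchcase(addr, pat.lower())]


def diagnose(raw_message, envelope_sender, patterns):
    """'hit', 'envelope-only' (sender matches but is in no checked header), or 'miss'."""
    if blacklist_hits(raw_message, patterns):
        return "hit"
    sender = envelope_sender.lower()
    if any(fnmatchcase(sender, pat.lower()) for pat in patterns):
        return "envelope-only"
    return "miss"


# Constructed samples: the envelope sender is what the MTA logs as from=<...>.
BLACKLIST = ["*@spam.example"]
ENVELOPE_SENDER = "bounce-17@spam.example"
MSG_HEADERS_ONLY = ("From: Weekly Deals <offers@friendly.example>\n"
                    "To: user@mail.example\n"
                    "Subject: constructed sample\n\nbody\n")
MSG_WITH_ENVELOPE = "X-Envelope-From: <bounce-17@spam.example>\n" + MSG_HEADERS_ONLY
MSG_RESENT = ("Resent-From: list@relay.example\n"
              "From: promo@spam.example\n"
              "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("headers only", MSG_HEADERS_ONLY),
                       ("with X-Envelope-From", MSG_WITH_ENVELOPE),
                       ("with Resent-From", MSG_RESENT)):
        print(label, candidate_addresses(raw), diagnose(raw, ENVELOPE_SENDER, BLACKLIST))
```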


Re: INVALID_MSGID hitting improperly?

2005-04-29 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ring, John C wrote:
| I just learned of an issue we're having on a fail positive due to a hit on
| INVALID_MSGID (and that I'd jacked the score on that up to 20, but that's
| another story...).  While I just learned of the issue today, it started a
| bit ago for this sender.  Looking in the logs, I see the last message we
| received from them where the INVALID_MSGID rule was NOT hitting showed:
[snip]
| So, looking at:
|
| "/GUID:QPywoUg6DZ06+yvqCupCVJw*/G=Cam/S=Dowlat/OU=Corporate-Markham/O=Alcatel Cable/PRMD=ACAB/ADMD=ATTMAIL/C=CA/"@MHS
|
| "-GUID:QnGodydG460CKmx35BCOvbw*-G=Cam-S=Dowlat-OU=Corporate-Markham-O=Alcatel Cable-PRMD=ACAB-ADMD=ATTMAIL-C=CA-"@MHS
|
| Side-by-side, it seems[1] that the only substantial difference between them
| is that they've replaced the "/" with "-".  So I'm not certain why, if the
| 1st is valid, why the 2nd one would not be considered valid as well?
They both seem to hit INVALID_MSGID here.
I'm having some problems understanding why, it seems to be the space in
"Alcatel Cable" as mandated by __SANE_MSGID (which I believe is not
against RFC2822, as stated, provided it is in a quoted string). It would
be interesting to see the full headers of the message that hit this rule.
BTW, why have *any* single rule scored at 20? Especially this one.
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCcq7mMDDagS2VwJ4RAt2HAJ90DPerqRK1svv4hRYQmibyqFTxPwCgsXLv
leuuAl6eG9xgM+p7IDFxqcA=
=Tpi5
-END PGP SIGNATURE-


Re: INVALID_MSGID hitting improperly?

2005-04-29 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
In reply to my own earlier post:
Thanks to Matt Kettler for a better understanding of the facts. I should
have RTFRFC again before opening my mouth!
| They both seem to hit INVALID_MSGID here.
As they should, see below.
| I'm having some problems understanding why, it seems to be the space in
| "Alcatel Cable" as mandated by __SANE_MSGID (which I believe is not
| against RFC2822, as stated, provided it is in a quoted string).
Ok, I take the comment in parenthesis back ;-)
|
| BTW, why have *any* single rule scored at 20? Especially this one.
|
This question, however, still stands.
Regards,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCcrGwMDDagS2VwJ4RAqE6AJ9Rf9NwAZAqu0puwwki4ps52j7xogCaAqy2
cZdJXxC16uzfmjXcat8f65I=
=KJL+
-END PGP SIGNATURE-
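
The RFC 2822 point conceded in the post above, as an added example that is not part of the thread and is not SpamAssassin's __SANE_MSGID rule: a checker for the section 3.6.4 msg-id generation grammar, run over the two Message-IDs quoted earlier. The angle brackets, the rejoining of the wrapped lines and the function names are assumptions; the obsolete obs-id-left form, which tolerates whitespace in a quoted string, is deliberately not accepted.

```python
import re

# RFC 2822 section 3.6.4 generation grammar only (obs-id-left / obs-id-right not accepted).
ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
DOT_ATOM_TEXT = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# qtext = NO-WS-CTL / %d33 / %d35-91 / %d93-126: no space, no DQUOTE, no backslash
QTEXT = r"[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]"
# dtext = NO-WS-CTL / %d33-90 / %d94-126
DTEXT = r"[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x5e-\x7f]"
# quoted-pair = "\" text, which is the only way a space may appear in no-fold-quote
QUOTED_PAIR = r"\\[\x01-\x09\x0b\x0c\x0e-\x7f]"
NO_FOLD_QUOTE = rf'"(?:{QTEXT}|{QUOTED_PAIR})*"'
NO_FOLD_LITERAL = rf"\[(?:{DTEXT}|{QUOTED_PAIR})*\]"
MSG_ID = re.compile(
    rf"<(?:{DOT_ATOM_TEXT}|{NO_FOLD_QUOTE})@(?:{DOT_ATOM_TEXT}|{NO_FOLD_LITERAL})>"
)

# The two Message-IDs from the thread; "<" and ">" are assumed, wrapped lines rejoined.
SLASH_FORM = ('<"/GUID:QPywoUg6DZ06+yvqCupCVJw*/G=Cam/S=Dowlat/OU=Corporate-Markham'
              '/O=Alcatel Cable/PRMD=ACAB/ADMD=ATTMAIL/C=CA/"@MHS>')
DASH_FORM = ('<"-GUID:QnGodydG460CKmx35BCOvbw*-G=Cam-S=Dowlat-OU=Corporate-Markham'
             '-O=Alcatel Cable-PRMD=ACAB-ADMD=ATTMAIL-C=CA-"@MHS>')


def is_valid_msgid(value):
    """True if value matches msg-id (without surrounding CFWS) from RFC 2822 3.6.4."""
    return MSG_ID.fullmatch(value) is not None


def illegal_in_quoted_left(value):
    """Characters in a quoted id-left that are neither qtext nor inside a quoted-pair."""
    m = re.fullmatch(r'<"(.*)"@[^@]*>', value, re.S)
    if m is None:
        return []
    unescaped = re.sub(QUOTED_PAIR, "", m.group(1))
    return sorted({ch for ch in unescaped if not re.fullmatch(QTEXT, ch)})


if __name__ == "__main__":
    for label, mid in (("slash form", SLASH_FORM), ("dash form", DASH_FORM)):
        print(label, "valid:", is_valid_msgid(mid),
              "illegal chars:", illegal_in_quoted_left(mid))
    # Escaping the space as a quoted-pair makes the same ID conform.
    print("escaped space valid:", is_valid_msgid(SLASH_FORM.replace(" ", "\\ ")))
```

Both forms fail for the same reason, the bare space in "Alcatel Cable", so swapping "/" for "-" makes no difference to validity under this grammar.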


Re: Letting spam through

2005-04-29 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mike Chambers wrote:
| I finally got spamassassin working (I think), via installed
| spamassassin-milter and it seems to stop the spam, as well as I see the
| headers showing it's checking.
|
| spamass-milter-0.3.0-1.1.fc3.rf
| spamassassin-3.0.3-3.fc4
|
| The problem is that it is just stopping it, and I don't see the spammed
| emails at all.
[snip]
| Any ideas how to allow the spam through and let me decide what is/isn't
| spam?
SpamAssassin won't throw mail away, it just scores it. spamass-milter,
however, can be told to reject mail if it scores above a certain level
using the "-r " option. If this is how it's being called, any message
scoring over  will be rejected by sendmail. Consider setting the
figure higher, or removing the -r option.
Kind Regards,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCcrYWMDDagS2VwJ4RAnwiAKDutg6YnnrCh8Rjwsuu4eU+TPZohwCgoNnw
J9Tu3CUfY2H9URqgV1vOV+8=
=N+9V
-END PGP SIGNATURE-


Re: INVALID_MSGID hitting improperly?

2005-04-29 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Theo Van Dinter wrote:
| On Fri, Apr 29, 2005 at 11:14:10PM +0100, Craig McLean wrote:
|
|>| BTW, why have *any* single rule scored at 20? Especially this one.
|>
|>This question, however, still stands.
|
|
| If a rule doesn't FP for you, then you can set it to 20.
Sure, you *can*, but why would you want to score a single rule at 20?
Especially one like this which, as we've just seen, can produce FP's.
| In general, people tend to be a little more conservative and expect FPs,
| but it's really up to your level of comfort and what type of mail you receive.
I believe it's got to be better to have many low-scoring rules than one
single rule that scores 300% higher than your SA threshold. But, as you
rightly say, to each their own...
Kind Regards,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCcr4HMDDagS2VwJ4RAk19AJ4p2n14A1n4bDn0kPi+ZvsKaQyMqQCg+e89
j+HyUdVEPLqx2TZRKFkutJU=
=OgX/
-END PGP SIGNATURE-


Re: Blank subject gets around filtering rules

2005-05-03 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael Weber wrote:
| This one came in on my 3.0.2 gateway, haven't yet had one try my other
| gateway which is 3.0.3.
|
| -Michael

Without adding anything useful, except perhaps corroborating evidence,
this has also been an issue here on 3.0.2 and still is on 3.0.3, using:

rewrite_header Subject **SPAM (_SCORE_)**

Kind Regards,
Craig.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFCd5s7MDDagS2VwJ4RAsa6AJ9gbK2ZzoPfC7kKKVGc0O3dN8DPIQCbBvHv
mz8HTQ7mFZkGKcdAu/P2OIw=
=2FO0
-END PGP SIGNATURE-


Re: AWL whaaat

2005-05-04 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Matt Kettler wrote:
|
| HSA (Historical Score Averager) might be reasonably accurate, but unless
| you think about the math, its purpose isn't clear. (And in my
| experience, most people don't enjoy thinking about math. )
|
| Got any better suggestions for a name?
Well it's a weighting, added to a message score based on historical
scores given to past messages from that sender, so how about Sender
Historical Weighting? (or just Sender Weighting)
| Perhaps this should be added to bugzilla as a lowish priority
| enhancement request so suggestions, concepts and ideas can be tracked.
I agree. It's an annoyance rather than a bug, but the OP is right that
this FAQ seems to pop up rather a lot.
Kind Regards,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCeQVKMDDagS2VwJ4RAq4SAJ9I+yQaFEXclvRpq1Un7Rb457cohwCfTvDI
5vlwr9hAU76KY8lR0ZgKwrk=
=sF83
-END PGP SIGNATURE-


Re: Subscribing to spam lists

2005-05-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Johnson, S wrote:
| Anyone know the best way to subscribe to receive all the spam I can
| possibly get?
|
|
| Thanks

A foolproof way used by the 419 eaters used to be:

1) search in google for "MUGU GUYMAN"
2) post a message in the resulting guestbooks, with email addy.
3) ???
4) Profit!

MUGU GUYMAN is used predominantly by Nigerian 419 scammers to "mark
their territory", so you may not get too many spams hitting antidrug or
wristwatch rules, but should get plenty of 419 scams. I get between 20
and 50 per day, per address. Many duplicates though.

Another good way is to respond to any spam you get, but from a spam-trap
address (I assume this is why you want the spam). Spammers don't know
whether they sent the mail to that address or not. They don't keep track.
Yet another is to follow the "unsubscribe" links, but only if it links
to a form you can enter any address into (like unsub.html). If it
contains an identifier (like unsub.cgi?something=231jkmd093) avoid it
like the plague, it uniquely identifies which address the spam is sent
to and unless you want legitimate addresses getting more spam, that's
not necessarily what you want.

These last two methods will quickly get you on the highly-prized
"verified address" spam lists.

| 
|
| Disclaimer for the disclaimer:
|
|
|
| I by no means authorized the following disclaimer, but thanks to our
| state government we are required to attach to all outbound emails. J


That's OK, I didn't read it ;-)

Kind Regards,
Craig.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFCgNnuMDDagS2VwJ4RAqiLAKDHx2mYUXfsBozgKgCemZHPhSaiJQCg7Rmq
7PeJrloAEB8HNWcjEq3ieU8=
=1baq
-END PGP SIGNATURE-


Re: Weighing spam with sa-learn

2005-05-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Johnson, S wrote:
>
>
> I'm looking at creating an email address to capture spam and only be
> used for spam.  Since I can be guaranteed that all email I received to
> this address is spam, is there a way to weigh this higher in the sa-learn?
>

Spam is spam, and ham is ham. AFAIUnderstand that's all there is to it.
I have a spam-trap account which I've "advertised" on just about all the
crappy pages I can think of, and simply "sa-learn --spam" the whole inbox
every 3 hours.
I do the ham learning manually on my personal inbox once it's been checked
for suspect meat product, or let SA autolearn it.

Spam-traps are useful for many reasons, one of which is to see what might
be getting through. It's one of the compelling reasons that clamav is now
installed here, and why I have a bundle of local rules...

Kind Regards,
Craig.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFCgN3CMDDagS2VwJ4RAvcvAJ9XfsXztFpqL3mLaBWf4jbJkLOroACfY1Yl
KTkX/C+lNcAZFeOoFBlRtHk=
=PHke
-END PGP SIGNATURE-


Re: Weighing spam with sa-learn

2005-05-10 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
jdow wrote:
| From: "Craig McLean" <[EMAIL PROTECTED]>
|
|>-BEGIN PGP SIGNED MESSAGE-
|>Hash: SHA1
|>
|>Johnson, S wrote:
|>
|>>
|>>I'm looking at creating an email address to capture spam and only be
|>>used for spam.  Since I can be guaranteed that all email I received to
|>>this address is spam, is there a way to weigh this higher in the
|
| sa-learn?
|
|>Spam is spam, and ham is ham. AFAIUnderstand that's all there is to it.
|>I have a spam-trap account which I've "advertised" on just about all the
|>crappy pages I can think of, and simply "sa-learn --spam" the whole inbox
|>every 3 hours.
|>I do the ham learning manually on my personal inbox once it's been checked
|>for suspect meat product, or let SA autolearn it.
|>
|>Spam-traps are useful for many reasons, one of which is to see what might
|>be getting through. It's one of the compelling reasons that clamav is now
|>installed here, and why I have a bundle of local rules...
|>
|>Kind Regards,
|>Craig.
|
|
| One also needs guaranteed ham for proper training. I hope he doesn't
| think all he needs to feed salearn is spam.
|
| {^_^}
|
|
jdow,
See above where I said:
"I do the ham learning manually on my personal inbox once it's been
checked for suspect meat product, or let SA autolearn it."
Kind Regards,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCgQhBMDDagS2VwJ4RAnLIAJ4/swOZmTyijwGIVgi6KCPTMvkwzACfbsYF
ReezH5XhED9pvCcngnVB2GM=
=Y+wX
-END PGP SIGNATURE-


Re: AWL -> SQL

2005-05-13 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Alan Munday wrote:
|
| Is it possible to move the awl data when migrating to SQL?
|
Sounds like a job for convert_awl_dbm_to_sql which, here at least, is in:
/var/cpan/build/Mail-SpamAssassin-3.0.3/tools/
Then again, I might be talking out of my behind. I've never used this tool.
Kind Regards,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFChNcSMDDagS2VwJ4RAp1jAJoDJ/WCiNhdFAO51C/qKLRVnfiq6ACgryh1
YmT+zXXw8VEwl6+qpe2+Cg8=
=zy0U
-END PGP SIGNATURE-


Strange SA report maths.

2005-05-15 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi all,
Using SA 3.0.3 on FreeBSD, I noticed the following interesting maths in
the report from a message received a moment ago:
- -quote-
Content analysis details:   (4.1 points, 4.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_REAL_NAME           From: does not include a real name
 0.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 0.1 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
- -quote-
(Full headers below.)
Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
Kind Regards,
Craig.
- -original headers-
Return-Path: <[EMAIL PROTECTED]>
Received: from mta126.mail.ukl.yahoo.com (mta126.mail.ukl.yahoo.com
[217.12.11.75])
by craig.dnsalias.com (8.12.10/8.12.10) with SMTP id j4FFYBIW010078
for <[EMAIL PROTECTED]>; Sun, 15 May 2005 16:34:14 +0100 (BST)
(envelope-from [EMAIL PROTECTED])
X-Yahoo-Forwarded: from [EMAIL PROTECTED] to [EMAIL PROTECTED]
X-Rocket-Track: 0: 100 ; IPCR=n-w0,n100,g0 ; IP=212.43.206.16 ;
SERVER=217.12.12.165
Authentication-Results: mta126.mail.ukl.yahoo.com
~  from=freesurf.fr; domainkeys=neutral (no sig)
X-Originating-IP: [212.43.206.16]
Received: from 212.43.206.16  (EHLO fidel.freesurf.fr) (212.43.206.16)
~  by mta126.mail.ukl.yahoo.com with SMTP; Sun, 15 May 2005 15:33:43 +
Received: from acps-77b8dgiwqw (du-204-236.nat.dialup.freesurf.fr
[212.43.204.236])
by fidel.freesurf.fr (Postfix) with SMTP id 326832A7CBA;
Sun, 15 May 2005 17:33:36 +0200 (CEST)
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Subject: **SPAM (4.1)** International Cd e-mail adress
Date: Sun, 15 may 2005 16:49:36 +0200
Importance: normal
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_42876BF9.E8A0075B"
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Status: Yes, score=4.1 required=4.0 tests=BAYES_99,
HTML_COMMENT_SAVED_URL,HTML_FONT_BIG,HTML_MESSAGE,INVALID_DATE,
MIME_QP_LONG_LINE,NO_REAL_NAME autolearn=no version=3.0.3
X-Spam-Report:
*  0.0 NO_REAL_NAME From: does not include a real name
*  0.2 INVALID_DATE Invalid Date: header (not RFC 2822)
*  0.1 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
*  0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on mail.vega
X-Virus-Scanned: ClamAV devel-20050513/879/Sun May 15 14:43:45 2005 on
vega-mail.vega
X-Virus-Status: Clean
This is a multi-part message in MIME format.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCh2+MMDDagS2VwJ4RAr6KAJ92D9I4Vh8NHV26dZKCZfwzSe50hQCgzJet
rEGs1JUXc0QMQMn7J2qPQUo=
=p0Bn
-END PGP SIGNATURE-


Re: Strange SA report maths.

2005-05-15 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Loren Wilton wrote:
|>Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
|
|
| Rounding.  See the wiki.
|
Can you be more specific? A search of wiki.apache.org/spamassassin shows
2 pages containing "rounding":
StatusRounding - orphaned.
RoundingIssues - this is not the issue I'm talking about, and in any
case was fixed in 3.0.
Yours in confusion,
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCh3Y9MDDagS2VwJ4RAuRAAKC575Fqcj2bpzp8CzcVE4sTiYghogCfTE0r
4205GfjsZXFuTIismKdcqBg=
=g52E
-END PGP SIGNATURE-


Re: Strange SA report maths.

2005-05-15 Thread Craig McLean
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Theodore Heise wrote:
|
| On Sun, 15 May 2005, Craig McLean wrote:
|
|
|>-BEGIN PGP SIGNED MESSAGE-
|>Hash: SHA1
|>
|>Loren Wilton wrote:
|>|>Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
|>|
|>| Rounding.  See the wiki.
|>
|>Can you be more specific? A search of wiki.apache.org/spamassassin shows
|>2 pages containing "rounding":
|>StatusRounding - orphaned.
|>RoundingIssues - this is not the issue I'm talking about, and in any
|>case was fixed in 3.0.
|
|
| I don't know what the wiki says, but here's my guess.  The scores applied
| are actually three digits after the decimal.  In the header report
| they are rounded off.  Suppose the exact scores in the example you
| gave are 3.544 + 0.231 + 0.142 + 0.145.  These add up to 4.062,
| which rounds to 4.1.
|
Yeah, that could well be it. I'll look at the scores in the .cf files
and see what gives..
Thanks!
Craig.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCh50uMDDagS2VwJ4RAhHbAKCvXU7kmnRC3wjZBqwrvkz4UQQDOQCgsCCw
bP6QuwgSAvQHMzz/BzhWB4w=
=j+cu
-END PGP SIGNATURE-
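
The rounding explanation guessed at in this thread, as an added example that is not part of the original posts and is not SpamAssassin code: it parses the X-Spam-Report and X-Spam-Status lines quoted earlier, sums the displayed per-rule scores, and checks whether the gap to the reported total fits inside the worst-case error of one-decimal rounding. The function names and the half-up rounding mode are assumptions; the three-decimal scores in the self-test are the hypothetical ones from Theodore Heise's post.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

TENTH = Decimal("0.1")
HALF_STEP = Decimal("0.05")  # worst-case error of a single value rounded to 0.1

# Header lines copied from the message quoted in the thread.
HEADERS = """\
X-Spam-Status: Yes, score=4.1 required=4.0 tests=BAYES_99,
X-Spam-Report:
*  0.0 NO_REAL_NAME From: does not include a real name
*  0.2 INVALID_DATE Invalid Date: header (not RFC 2822)
*  0.1 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
*  0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
"""

RULE_LINE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\b", re.M)
STATUS_SCORE = re.compile(r"score=(-?\d+\.\d+)")


def audit(headers):
    """Compare the reported total with the sum of the displayed rule scores."""
    shown = [Decimal(score) for score, _name in RULE_LINE.findall(headers)]
    total = Decimal(STATUS_SCORE.search(headers).group(1))
    gap = abs(total - sum(shown))
    # Each displayed rule score and the displayed total can each be off by 0.05.
    slack = HALF_STEP * (len(shown) + 1)
    return {"rules": len(shown), "shown_sum": sum(shown), "total": total,
            "gap": gap, "slack": slack, "rounding_explains": gap <= slack}


def display(true_scores):
    """Round each score and the true total to one decimal, as a report would."""
    def rnd(d):
        return d.quantize(TENTH, rounding=ROUND_HALF_UP)
    return [rnd(s) for s in true_scores], rnd(sum(true_scores))


if __name__ == "__main__":
    print(audit(HEADERS))
    guess = [Decimal(s) for s in ("3.544", "0.231", "0.142", "0.145")]
    print(display(guess))  # per-rule values add to 3.9, total shows 4.1
```

A gap larger than the slack would point at something other than rounding, for instance a rule missing from the report, so the same check is useful when auditing scores near the threshold.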

