RE: new PDF Launch malware exploit (with sample)
Quoting Rosenbaum, Larry M. rosenbau...@ornl.gov: Please don't send live malware samples to the list. Um... The OP did not send malware to the list. A link was supplied to the original message. You must have a scanner set up to follow links. That isn't a good idea, in my opinion. -Original Message- From: Chip M. [mailto:sa_c...@iowahoneypot.com] Sent: Wednesday, April 28, 2010 2:01 PM To: users@spamassassin.apache.org Subject: new PDF Launch malware exploit (with sample) FILE QUARANTINED Microsoft Forefront Security for Exchange Server removed a file since it was found to be infected. File name: Body of Message Virus name: TrojanDropper:Win32/Pidrop.A
Re: How do I filter out phishing email?
Quoting Jari Fredriksson ja...@iki.fi: Please do not post spammy mail to the list (it poisons our Bayes with spammy tokens with hammy score). Why are you scanning messages to the SA list? I do not for your reasoning.
Re: How do I filter out phishing email?
Quoting Jari Fredriksson ja...@iki.fi: On 14.4.2010 19:57, d.h...@yournetplus.com wrote: Quoting Jari Fredriksson ja...@iki.fi: Please do not post spammy mail to the list (it poisons our Bayes with spammy tokens with hammy score). Why are you scanning messages to the SA list? I do not for your reasoning. Because currently I want to. I have a mechanism to skip mailing lists, any mailing list, and I used to use it earlier. But currently I do scan those, just to get data for AWL and bayes hammy tokens. Understandable. All messages from the SA list should be hammy. I can't rightfully recall when a spam message came through to the SA list. I can't recall when a spam message came through to any list I'm on. There have been a few in the very distant past.
Re: Match returned message headers on any NDR
Quoting Michael Scheidell scheid...@secnap.net: On 4/14/10 12:21 PM, Kris Deugau wrote: Is there a consistent way to match whatever headers might be available in a returned message? use the vbounce rules. google for sa and vbounce. it's already done if you are using a newer version of SA. you need to specifically whitelist the outbound mail servers, and it can catch OOO and vacation messages (anything machine generated) FYI: search from the SA wiki: http://wiki.apache.org/spamassassin/VBounceRuleset
Re: A possibly suspect idea
Quoting Bowie Bailey bowie_bai...@buc.com: Martin Gregorie wrote: On Fri, 2010-03-12 at 08:15 +0200, Henrik K wrote: Why don't you simply maintain your wordlists in some files and use a script to generate portmanteau.cf? You could use Regexp::Assemble module to optimize also. Who cares what the actual rules look like? The more words (simple alternations) there are in a single RE, the better it performs. If you want clarity in the cf, keep the original words listed in a comment block. - does the order of alternations have any effect on performance or is alphabetic order good enough? It would certainly make rule generation simpler. I believe Regexp::Assemble will optimize the RE for you, so it shouldn't matter what order the words are listed. Correct. It does wonders here for other purposes. For a non-optimized RE, you should list shorter or more common options first.
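Added example (not code from the thread or from Regexp::Assemble): a small Python trie assembler that does what Henrik describes, factoring shared prefixes out of a word list into one alternation and rendering a portmanteau.cf-style rule with the readable words kept in a comment block. The rule name, score and word list are constructed.

```python
"""Build one optimised alternation from a word list, the way Regexp::Assemble does.

Added example, not code from the thread or from Regexp::Assemble itself: a
trie-based assembler that factors shared prefixes out of the word list and
renders a portmanteau.cf-style rule with the word list kept in a comment block.
The rule name, score and word list are constructed for illustration.
"""
import re

# Constructed sample word list (stand-in for the lists kept beside portmanteau.cf).
WORDS = ["viagra", "vicodin", "valium", "cialis", "ciallis", "levitra"]


def _build_trie(words):
    """Insert each word into a nested-dict trie; the key "" marks the end of a word."""
    trie = {}
    for word in words:
        node = trie
        for ch in word:
            node = node.setdefault(ch, {})
        node[""] = {}
    return trie


def _emit(node):
    """Render a trie node as a regex fragment, sharing prefixes between words."""
    ends_here = "" in node
    branches = [re.escape(ch) + _emit(node[ch]) for ch in sorted(k for k in node if k)]
    if not branches:
        return ""                       # leaf: nothing left to match
    if len(branches) == 1 and not ends_here:
        return branches[0]              # plain prefix, no group needed
    group = "(?:" + "|".join(branches) + ")"
    # A shorter word ends at this node while longer ones continue: make the
    # tail optional instead of listing both words in full.
    return group + "?" if ends_here else group


def assemble(words):
    """Return a regex source matching any word in `words` (no anchors, no flags)."""
    return _emit(_build_trie(set(words)))


def render_rule(name, words, score):
    """Render a SpamAssassin body rule whose words stay readable in comments."""
    lines = ["# %s is generated from the words below; edit the list, not the regex:" % name]
    lines += ["#   " + w for w in sorted(set(words))]
    lines.append("body %s /\\b%s\\b/i" % (name, assemble(words)))
    lines.append("describe %s Mentions a word from the generated word list" % name)
    lines.append("score %s %.1f" % (name, score))
    return "\n".join(lines)


def matches(words, text):
    """True when `text` contains one of `words` as a whole word, case-insensitively."""
    return re.search(r"\b" + assemble(words) + r"\b", text, re.I) is not None


if __name__ == "__main__":
    print(render_rule("PORTMANTEAU_PHARMA", WORDS, 2.0))
```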
Re: RBLs not run when dns_available=yes?
Quoting Jeff_47 pyt...@finity.org: I have an odd situation - it seems like I must be missing something but I don't know what. In my local.cf, I had the following lines:
dns_available yes
skip_rbl_checks 0
I noticed that no RBL checks were being run. If I change dns_available to test or comment out the line (same function), now the RBL checks are run as expected. In SA v3.3.0: Commenting out the line results in using the default setting. The default setting for 'dns_available' is 'test'. Perhaps there is a DNS issue on your server. 'skip_rbl_checks' is defaulted to '0'. You shouldn't have to include it. Check out: http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html Can someone clue me in on why dns_available yes seems to result in the RBL checks being skipped? I thought this was the recommended setting.
Re: RBLs not run when dns_available=yes?
Quoting Jeff_47 pyt...@finity.org: d.hill wrote: Quoting Jeff_47: I have an odd situation - it seems like I must be missing something but I don't know what. In my local.cf, I had the following lines:
dns_available yes
skip_rbl_checks 0
I noticed that no RBL checks were being run. If I change dns_available to test or comment out the line (same function), now the RBL checks are run as expected. In SA v3.3.0: Commenting out the line results in using the default setting. The default setting for 'dns_available' is 'test'. Perhaps there is a DNS issue on your server. Thanks, I understood the part about commenting it out. But my question is this: since 'dns_available test' results in all the rbls being run, then doesn't that mean that the test is succeeding? In which case, how is that different than my entering 'dns_available yes'. In other words, a successful test run by 'dns_available test' is not producing the same result as 'dns_available yes' - that's where I was surprised. 'skip_rbl_checks' is defaulted to '0'. You shouldn't have to include it. Right. When I was troubleshooting and not getting expected results, I added it to be explicit. Have you attempted doing a local (on your server) lookup of the IP address in question? What DNS servers is your server using for resolution?
Re: SA 3.3.0 depends on Perl 5.10 (FreeBSD Ports)???
Quoting LuKreme krem...@kreme.com: On 04-Mar-10 21:41, James Smallacombe wrote: I tried to upgrade from SA 3.2.5 to 3.3.0 by installing the newer one from FreeBSD Ports. Really? I just did an update of the port tree and yet
$ portversion p5-Mail-SpamAssassin
p5-Mail-SpamAssassin=
$ where SpamAssassin p5-Mail-SpamAssassin-3.2.5_4 is in mail/p5-Mail-SpamAssassin
mail/p5-Mail-SpamAssassin
On my system SA has not updated in ports to 3.3.0 yet
Getting ready to upgrade here. I just now did a portsnap to update the ports tree and:
smtpgate# cat /usr/ports/mail/p5-Mail-SpamAssassin/distinfo
MD5 (Mail-SpamAssassin-3.3.0.tar.gz) = 38078b07396c0ab92b46386bc70ef086
SHA256 (Mail-SpamAssassin-3.3.0.tar.gz) = 51676f4c3af787e3b186aeb8c5ca556330f91a6e213c266480fda3518ed53564
SIZE (Mail-SpamAssassin-3.3.0.tar.gz) = 1322429
smtpgate#
It shows version 3.3.0 here.
Re: Putting your dead domains to use
Quoting Lucio Chiappetti lu...@lambrate.inaf.it: On Mon, 1 Mar 2010, Marc Perkel wrote: For what it's worth - if any of you have domains you don't use you can point them to my virus harvesting server for spam harvesting. Hmm ... how dead is dead ? :-) We had for some time three domains (our institute was moved from one national organization to another, so we had the old domain under the old organization, and the new official domain and an alias to it under the new one). All of them shared the same couple of MX. After several months, when we were sure that (almost) all our legitimate correspondents were using the new domains, and only spam was getting through the old domain, we had it removed altogether from the DNS (no SOA record and no other DNS record of any sort). However for a long time we have been receiving on our MX's spam addressed to the really dead domain (of course this was interpreted as a non-existing domain and caused the appropriate sendmail error). Like the spammers had stored the MX somewhere. dead is dead. nowhere to go.
Re: SpamAssassin, One Baye for a lot of SpamAssassin server
Quoting LuKreme krem...@kreme.com: On 22-Jan-2010, at 02:07, Ralph Bornefeld-Ettmann wrote:
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:mailscanner:servername:3306
bayes_sql_username bayesuser
bayes_sql_password bayespass
bayes_sql_override_username bayesuser
Where do you specify the name of the database to use? In the above, 'mailscanner' would be the database.
Re: newbie: configure SA to reject spam
Quoting Kai Schaetzl mailli...@conactive.com: LuKreme wrote on Thu, 14 Jan 2010 06:31:48 -0700: I've always been hesitant to try running SA during the transaction because I was afraid it would take too long. Indeed, that's why I would not consider it. And I assume if you do it this way that also means you have to scan *every* message and not only the 10% that make it thru normal MTA rejection by policy. Virus and spam scanning get done here in the data phase within Exim. That is well after RBL rejection, greylisting, etc. High scoring spam gets rejected at SMTP time. Average message scan times are between 0.2 and 1.5 seconds.
Re: Spamhaus and paid subscription
Quoting Raymond Dijkxhoorn raym...@prolocation.net: Hi! Can't you do zone transfers? Then you can do away with the subscriber_key thing and have DNS resolve locally for spamhaus.org and not have to query their DNS servers. They sell datafeed and they sell queries, we bought queries. I do not believe they would think kindly on my trying a zone transfer. I'm just happy we got a paid subscription. It's the best support I can provide Spamhaus to keep them in business. I wish you good luck doing a zone transfer on a rbldnsd server, it's not implemented so it's not an available option. Correct. Rsync is used to transfer the actual rbldnsd zones.
Re: Spamhaus and paid subscription
Quoting DAve dave.l...@pixelhammer.com: Good morning all, I recently got my employer to pay for spamhaus queries, finally. I need to use a key to access spamhaus now. Not an issue for my MTA but SA is another problem. When I change the rules to use our key, the key is displayed in the spam report. When I add this to override the URL SA uses,
header RCVD_IN_PBL eval:check_rbl('pbl-lastexternal', 'subscriber_key.zen.dq.spamhaus.net.', '127.0.0.1[01]')
I get this in my spam reporting,
0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL [4.23.231.50 listed in subscriber_key.zen.dq.spamhaus.net]
I can't be printing our key in the emails, what is a sysadmin to do? Can't you do zone transfers? Then you can do away with the subscriber_key thing and have DNS resolve locally for spamhaus.org and not have to query their DNS servers.
Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).
Quoting Per Jessen p...@computer.org: I seem to be having more emails with NO_RELAYS than I normally see, and I'd like to have spamd just refuse to process them. That way they'd get left in the queue, and I'd have something to debug. NO_RELAYS indicates there are no Received headers: http://wiki.apache.org/spamassassin/Rules/NO_RELAYS Have you checked the headers of the messages to see if there are any?
Re: How was your holiday weekend spam traffic?
Quoting Chris Santerre csante...@merchantsoverseas.com: I'm just curious this morning. I see a dip in spam trapped, but a pretty big rise in blocking. I expected a lot worse over the long holiday weekend. Did someone get arrested or something? I'm not fully awake yet but it looks like my blocking numbers from RBLs tripled over weekend. Same here. I've seen an increase in the number of rejections based on greet_pause. Ironically, it was extensively discussed on the SPAM-L list over the holiday weekend.
Re: Is there a way of forcing spamd not to process malformed messages? (NO_RELAYS, NO_RECEIVED etc).
Quoting Per Jessen p...@computer.org: d.h...@yournetplus.com wrote: Quoting Per Jessen p...@computer.org: I seem to be having more emails with NO_RELAYS than I normally see, and I'd like to have spamd just refuse to process them. That way they'd get left in the queue, and I'd have something to debug. NO_RELAYS indicates there are no Received headers: http://wiki.apache.org/spamassassin/Rules/NO_RELAYS Have you checked the headers of the messages to see if there are any? I know for a fact there are some, yes. Post a message somewhere via pastebin or something that everyone can take a look at.
Re: How was your holiday weekend spam traffic?
Quoting d.h...@yournetplus.com: Quoting Chris Santerre csante...@merchantsoverseas.com: I'm just curious this morning. I see a dip in spam trapped, but a pretty big rise in blocking. I expected a lot worse over the long holiday weekend. Did someone get arrested or something? I'm not fully awake yet but it looks like my blocking numbers from RBLs tripled over weekend. Same here. I've seen an increase in the number of rejections based on greet_pause. Ironically, it was extensively discussed on the SPAM-L list over the holiday weekend. Sorry I didn't clarify. The *use* of greet_pause was extensively discussed.
Re: FP on blacklist hostkarma
Quoting Benny Pedersen m...@junc.org: On tir 01 dec 2009 00:51:38 CET, Raymond Dijkxhoorn wrote So if you have a crappy connection towards your mailserver Marc you can get listed, that's rather funny, and annoying. Connections do break also when not running a botnet... pfff maybe I am dumb, but what do you mean by the above? if my internet connection is down for 30 days I get listed for not being in service?, how magical can my ip change when it's static? worst case of admins is ones that accept mail from localhost as not spam I believe Raymond's response was addressing the fact a server connection could possibly be interrupted before it had a chance to issue the SMTP QUIT command. I would think being listed for that alone would be ridiculous.
Re: Crashes running SA as milter in Postfix
Quoting Patrick Ben Koetter p...@state-of-mind.de: We regularly experience SA crashes on a Ubuntu Hardy machine. The setup is as follows: Postfix (2.5.1) - SpamAssassin Milter (0.3.1-6) - SpamAssassin (3.2.4-1ubuntu1.1) The milter is run like this:
/usr/sbin/spamass-milter -P /var/run/spamass/spamass.pid -f \
 -p /var/spool/postfix/spamass/spamass.sock \
 -u spamass-milter -i 127.0.0.1 -r 10
SpamAssassin is run like this:
/usr/bin/perl -T -w /usr/sbin/spamd -s local5 -u spamassassin \
 --nouser-config --max-children 10 --debug=spamd -d \
 --pidfile=/var/run/spamd.pid
It crashed again this weekend. This is what I found in the log:
Oct 29 08:01:51 mail01 spamd[10249]: spamd: fork: Cannot allocate memory at /usr/sbin/spamd line 999.
Oct 29 08:01:53 mail01 spamd[301]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin/auto-whitelist.lock.mail01.example.com.301 for /nonexistent/.spamassassin/auto-whitelist.lock: No such file or directory
Oct 29 08:01:53 mail01 spamd[301]: spamd: clean message (1.1/5.0) for singer-paf:65534 in 2.3 seconds, 28868 bytes.
Oct 29 08:01:53 mail01 spamd[301]: spamd: result: . 1 - EXTRA_MPART_TYPE,HTML_MESSAGE,RDNS_NONE scantime=2.3,size=28868,user=singer-paf,uid=65534,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=42576,mid=542376cea87a0943b958afd2bf4636cd166...@dc01.example.local,autolearn=no
Oct 29 08:01:53 mail01 spamd[301]: syswrite() to parent failed: Broken pipe at /usr/share/perl5/Mail/SpamAssassin/SpamdForkScaling.pm line 576.
Something that annoys me is that it keeps complaining cannot create tmp lockfile /nonexistent/.spamassassin/, while I keep it running as user spamassassin. I am purely speculating: Could this be in relation to my crash problem? The home directory for the username spamassassin is probably set to /nonexistant in the passwd file (or whatever it is in Ubuntu).
Re: Crashes running SA as milter in Postfix
Quoting Patrick Ben Koetter p...@state-of-mind.de: * d.h...@yournetplus.com d.h...@yournetplus.com: The home directory for the username spamassassin is probably set to /nonexistant in the passwd file (or whatever it is in Ubuntu). Thanks for the reply. I wish it was that easy, but it is not. The $HOME is /home/spamassassin. That's the only place I could think where the /nonexistant path would be coming from.
Re: Spamassassin not tagging some emails
Quoting Angus Dunn angus.d...@3idea.com: 2. I am using procmailrc to invoke spamassassin. Here is the /etc/procmailrc:
DROPPRIVS=yes
:0fw
* < 25600
| /usr/bin/spamc
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null
As someone suggested, this may be due to size of the email. It looks like spamassassin will not be invoked if email is larger than 25600 bytes. I changed the above to the following:
DROPPRIVS=yes
:0fw
* < 102400
| /usr/bin/spamc
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null
That seems to fix the problem. I also have a question: Do I really need to check for the size of email? Should I just remove the size check? spamc documentation shows the default scan size is 500Kb. If you have the system resources, you could eliminate the size restriction. I'm calling spamc directly from the MTA and have the size set to 256Kb.
Re: Spamassassin not tagging some emails
Quoting Angus Dunn angus.d...@3idea.com: Thanks everyone for your help! I have changed procmailrc to the following:
DROPPRIVS=yes
:0fw
* < 512000
| /usr/bin/spamc
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null
It is now working fine. Someone mentioned that I can actually invoke spamassassin directly from sendmail. What will be the advantage/disadvantage to do that? Also any docs on how to do that? Seeing as you responded to my message, I don't recall seeing anyone mentioning a particular MTA. I could be wrong as I jumped into the conversation late. I invoke SA directly from Postfix, myself.
Re: sneaky pharma spam shooting past standard rules
Quoting LuKreme krem...@kreme.com: On 15-Oct-2009, at 17:31, MySQL Student wrote: Hi, With this: Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f) (79.163.117.156) my postfix setup would have simply dropped it on the floor at the HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't talk to it. Kurt, can you explain how you're doing it with postfix? I'm not kurt, but how about reject_unknown_sender_domain That's what I use. That will reject unknown sender domains. How about: reject_non_fqdn_helo_hostname An example from the logs:
Oct 16 00:00:05 smtpgate postfix/smtpd[80448]: NOQUEUE: reject: RCPT from 68.115.206-77.rev.gaoland.net[77.206.115.68]:2082: 504 5.5.2 utilisat77cfbd: Helo command rejected: need fully-qualified hostname; from=f...@example.com to=t...@example.com proto=ESMTP helo=utilisat77cfbd
Re: Spamc issues with remote userprefs
Quoting Jari Fredriksson ja...@iki.fi: Hi, We're rebuilding a mail server and are having some issues with SQL-based SA preference lookups. We're running Postfix 2.5.5 and SA 3.2.5 (Debian Lenny version) - here's our Postfix config from master.cf:
spamassassin unix - n n - - pipe
 user=spamd argv=/usr/bin/spamc -u ${user} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
old non-lookup line:
 user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
What's happening is that individual incoming messages get handed off to SA using the spamc command above, but SA is only processing the first message and never handing it back to Postfix, while the other messages never seem to get processed at all (nothing at all about them in the logs). The old non-lookup line works fine. Has anyone here experienced similar issues? Ryan Thoryk
The old non-lookup line works fine
spamc has no option -f. How can that work fine? If the old line works fine, why do you try to replace it with a new line? You are correct. It is a sendmail option. This is what I have:
spamass unix - n n - 6 pipe
 user=spamd argv=/usr/local/bin/spamc -u ${recipient} -s 524288 -e /usr/local/sbin/sendmail -oi -f ${sender} ${recipient}
Sorry for the confusion.
Re: some domains in my local.cf file not being tagged
Quoting Matt Kettler mkettler...@verizon.net: Mark Mahabir wrote: 2009/9/3 Matt Kettler mkettler...@verizon.net: Does the From: header of these messages match *...@domain.com, or are they *...@something.somedomain.com (which wouldn't match)? They're definitely *...@domain.com in the From: header. Does the X-Spam-Status header show that a blacklist matched (USER_IN_BLACKLIST)? No, they don't (the ones that don't get tagged). Thanks, Mark Interesting, then one of the following is the cause:
1) there are errors in your config, and SA isn't parsing local.cf at all. To check for this, run spamassassin --lint. It should run quietly; if it complains, find and fix the offending lines.
2) You're editing a local.cf in the wrong path. Check what the site rules dir is near the top of the debug output when you run spamassassin -D --lint.
3) the offending message has multiple From: headers, and SA is interpreting the other one. You can try looking at the raw message source for this.
4) The configuration being used at delivery time is over-riding the one used at the command line. You can try pumping the message as a file through spamassassin on the command line and see what it comes up with. If it matches USER_IN_BLACKLIST on the command-line, but fails to match at delivery, something is fishy about your integration and how it configures SA.
Or, does the order of comparison matter? From the documentation, blacklist_from states to see whitelist_from. whitelist_from states: The headers checked for whitelist addresses are as follows: if Resent-From is set, use that; otherwise check all addresses taken from the following set of headers:
Envelope-Sender
Resent-Sender
X-Envelope-From
From
If taken in that order, the From header field would be compared last.
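Added example, not SpamAssassin's own code: a Python model of the header order quoted above and of the list-entry globs, showing why *@domain.com misses a subdomain sender and what two From: headers look like to the check. The sample messages are constructed and the glob translation is an approximation of SpamAssassin's.

```python
"""Which addresses does a blacklist_from entry get compared against?

Added example, not SpamAssassin's own code: it models the documented header
order (Resent-From if present, otherwise Envelope-Sender, Resent-Sender,
X-Envelope-From and From) and the glob syntax of list entries. All sample
messages are constructed; glob_to_regex is this example's approximation.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Headers consulted when no Resent-From is present, in documented order.
HEADER_ORDER = ("Envelope-Sender", "Resent-Sender", "X-Envelope-From", "From")


def candidate_addresses(msg):
    """Lower-cased addresses that list entries are compared against."""
    fields = msg.get_all("Resent-From")
    if not fields:
        fields = []
        for name in HEADER_ORDER:
            fields.extend(msg.get_all(name, []))
    return [addr.lower() for _name, addr in getaddresses(fields) if addr]


def glob_to_regex(pattern):
    """List-entry glob: '*' matches any run, '?' one character, all else literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.I)


def blacklist_hits(msg, patterns):
    """(pattern, address) pairs that would make USER_IN_BLACKLIST fire."""
    addrs = candidate_addresses(msg)
    return [(pat, addr) for pat in patterns
            for addr in addrs if glob_to_regex(pat).match(addr)]


BLACKLIST = ["*@domain.com"]   # the entry form discussed in the thread

# Constructed sample messages.
MATCHING = message_from_string(
    "From: Bulk Sender <noreply@DOMAIN.com>\nSubject: sample\n\nbody\n")
SUBDOMAIN = message_from_string(
    "From: Bulk Sender <noreply@news.domain.com>\nSubject: sample\n\nbody\n")
TWO_FROMS = message_from_string(
    "From: innocent@example.org\nFrom: noreply@domain.com\nSubject: sample\n\nbody\n")
RESENT = message_from_string(
    "Resent-From: forwarder@example.org\nFrom: noreply@domain.com\nSubject: sample\n\nbody\n")

if __name__ == "__main__":
    for label, msg in [("exact domain", MATCHING), ("subdomain", SUBDOMAIN),
                       ("two From:", TWO_FROMS), ("Resent-From", RESENT)]:
        print(label, candidate_addresses(msg), blacklist_hits(msg, BLACKLIST))
```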
Re: Barracuda RBL in first place
Quoting Ned Slider n...@unixmail.co.uk: LuKreme wrote: On 16-Aug-2009, at 16:55, MySQL Student wrote: So perhaps instead of adding another RBL, maybe some admins need to consider adding in some HELO checking / rejection. Can you explain a bit more here? What are you checking for, that the host is valid? http://www.mail-archive.com/postfix-us...@postfix.org/msg15167.html That gives me a 46% rejection rate just on HELO/EHLO and a 47% rejection rate on unknown users. I see similar figures and would also recommend using HELO/EHLO restrictions. I see around a third of spam hit HELO/EHLO restrictions, a third hits commonly forged non-existent recipient addresses and a third hits zen.spamhaus.org (checks and rejections performed in that order). Although a dns lookup to zen.spamhaus.org probably isn't that expensive, I'm sure they appreciate reducing the load by two thirds by pre-filtering as much obvious spam as possible. Question - in Postfix do user unknown rejections still incur a dns RBL lookup, or does the rejection occur before reject_rbl_client? That all depends upon how you have Postfix configured. I have a gateway set up here and do the RBL lookups late in the smtpd_recipient_restrictions just before the greylist policy. I.e.:
smtpd_recipient_restrictions =
 permit_mynetworks,
 reject_non_fqdn_recipient,
 reject_unauth_destination,
 reject_unverified_recipient,
 check_recipient_access cdb:/usr/local/etc/postfix/skip_filter,
 reject_rbl_client zen.spamhaus.local=127.0.0.10,
 reject_rbl_client zen.spamhaus.local=127.0.0.11,
 reject_rbl_client zen.spamhaus.local,
 reject_rbl_client bl.spamcop.net,
 check_policy_service unix:private/YnP0licy,
 permit
Overall only a very small proportion of spam ever reaches SA - typically 1% of rejected mail.
Re: Barracuda RBL in first place
Quoting Matus UHLAR - fantomas uh...@fantomas.sk: On 17.08.09 12:07, d.h...@yournetplus.com wrote: That all depends upon how you have Postfix configured. I have a gateway set up here and do the RBL lookups late in the smtpd_recipient_restrictions just before the greylist policy. I.e.:
smtpd_recipient_restrictions =
 [...]
 reject_rbl_client zen.spamhaus.local=127.0.0.10,
 reject_rbl_client zen.spamhaus.local=127.0.0.11,
 reject_rbl_client zen.spamhaus.local,
 [...]
isn't this a bit superfluous? the last line should do all the job Nope. Only one query to the local spamhaus zone is performed: http://www.postfix.org/STRESS_README.html#hangup
Re: Barracuda RBL in first place
Quoting Matus UHLAR - fantomas uh...@fantomas.sk: Quoting Matus UHLAR - fantomas uh...@fantomas.sk: On 17.08.09 12:07, d.h...@yournetplus.com wrote: That all depends upon how you have Postfix configured. I have a gateway set up here and do the RBL lookups late in the smtpd_recipient_restrictions just before the greylist policy. I.e.:
smtpd_recipient_restrictions =
 [...]
 reject_rbl_client zen.spamhaus.local=127.0.0.10,
 reject_rbl_client zen.spamhaus.local=127.0.0.11,
 reject_rbl_client zen.spamhaus.local,
 [...]
isn't this a bit superfluous? the last line should do all the job On 17.08.09 12:38, d.h...@yournetplus.com wrote: Nope. Only one query to the local spamhaus zone is performed: http://www.postfix.org/STRESS_README.html#hangup I am not talking about the number of DNS queries made but about the fact that the last line does all the work for the first two, so the first two lines are useless... This is way off-topic and will be my last response. It is explained in the link.
RE: Barracuda RBL in first place
Quoting Michael Hutchinson mhutchin...@manux.co.nz: Hello All, Considering all of the interesting information that's been going around regarding Barracuda, and its RBLs, I probably wouldn't use it. Not any time soon. But that's based purely on reputation, and has nothing to do with hit ratio. Our Spam gateway seems to do just fine without it. We query 3 RBLs, which get rid of a great deal of Spam:
bl.spamcop.net
zen.spamhaus.org
cbl.abuseat.org
You can remove cbl.abuseat.org as it is incorporated into zen.spamhaus.org. Everything else (Spam) gets stopped by HELO rejections, Virus Scanning, Recipient Rejection and Spamassassin Scanning. Mail Stats since 4th June:
Total Messages Processed: 5281347
RBL Rejected: 60.6 %
HELO Rejected: 27.4 %
Invalid Recipient Rejection: 2.8 %
Viruses (detected by ClamAV, Kaspersky), and other Spam detected by Spamassassin: 1.1 %
Clean Messages: 8.1 %
What really makes a difference is the HELO rejections - we never did this before 4th June, and the amount of Spam that is delivered has dropped so significantly since then is... quite remarkable. (at a loss for other words). So perhaps instead of adding another RBL, maybe some admins need to consider adding in some HELO checking / rejection.
Re: Backscatter.org used as RBL??
Quoting LuKreme krem...@kreme.com: On 5-Aug-2009, at 10:53, d.h...@yournetplus.com wrote: Quoting LuKreme krem...@kreme.com: On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote: Quoting LuKreme krem...@kreme.com: On 3-Aug-2009, at 18:36, Dennis G German wrote: Is Backscatter.org http://www.backscatterer.org/index.php used by any rules? Pretty sure not. The way to use that RBL is as an RBL. Don't accept the backscatter in the first place. If you use the lists as an RBL to reject at SMTP, you will end up rejecting legitimate email. Here, I have the zones rsync to rbldnsd locally and have SA rules test the last external IP. If you do it right, you are very unlikely to lose legitimate bounces. I wasn't referring to legitimate bounces. I was referring to legitimate messages (non bounce). If I started using the backscatterer.org RBLs at SMTP time, I guarantee I will get calls and several email messages asking why a message was rejected. No, not if you do it right. I've posted here before, but you only check backscatter.org's RBL to check bounce messages. I stand corrected. After reviewing my configuration, I am doing it the very same way you are with your latter Postfix example. I just haven't touched the configuration in a while and had forgotten.
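Added example, not from the thread or from backscatterer.org: the bounce-only usage LuKreme describes, in Python with DNS replaced by a constructed lookup table. ips.backscatterer.org is the list's published query zone; the sample IPs are documentation addresses.

```python
"""Check a backscatter list only for bounces, never for ordinary mail.

Added example, not from the thread or from backscatterer.org: it encodes the
usage LuKreme describes, consulting the list only when the message is a
bounce, so a listing of some busy mail server never rejects its users' normal
mail. ips.backscatterer.org is the list's published query zone; the sample
IPs are documentation addresses and DNS is replaced by a constructed table.
"""
import ipaddress

ZONE = "ips.backscatterer.org"


def is_bounce(envelope_sender, headers):
    """Bounces and auto-replies: null return path, MAILER-DAEMON, or Auto-Submitted."""
    sender = (envelope_sender or "").strip("<> ").lower()
    if sender == "" or sender == "mailer-daemon" or sender.startswith("mailer-daemon@"):
        return True
    # Header names are case-insensitive; anything but "no" marks an automatic message.
    auto = next((v for k, v in headers.items() if k.lower() == "auto-submitted"), "no")
    return auto.strip().lower() != "no"


def dnsbl_name(ip, zone=ZONE):
    """Reverse the octets of an IPv4 address into a DNSBL query name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def backscatterer_verdict(envelope_sender, headers, last_external_ip, resolve):
    """Return 'not-checked', 'accept' or 'reject'.

    `resolve` maps a query name to a list of A records ([] for NXDOMAIN), so a
    real resolver can be plugged in. A listing is ignored unless the message
    is a bounce: that is what keeps this list from rejecting normal mail.
    """
    if not is_bounce(envelope_sender, headers):
        return "not-checked"
    answers = resolve(dnsbl_name(last_external_ip))
    return "reject" if any(a.startswith("127.0.0.") for a in answers) else "accept"


# Constructed stand-in for DNS: 192.0.2.10 is listed, everything else is not.
FAKE_DNS = {dnsbl_name("192.0.2.10"): ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(backscatterer_verdict("<>", {}, "192.0.2.10", fake_resolve))
    print(backscatterer_verdict("alice@example.org", {}, "192.0.2.10", fake_resolve))
```

In Postfix the same split is expressed with check_sender_access and a `<>` table key whose action is reject_rbl_client ips.backscatterer.org, so the lookup only runs for the null sender.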
Re: Backscatter.org used as RBL??
Quoting McDonald, Dan dan.mcdon...@austinenergy.com: On Wed, 2009-08-05 at 10:34 -0600, LuKreme wrote: On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote: Quoting LuKreme krem...@kreme.com: On 3-Aug-2009, at 18:36, Dennis G German wrote: If you use the lists as an RBL to reject at SMTP, you will end up rejecting legitimate email. Here, I have the zones rsync to rbldnsd locally and have SA rules test the last external IP. If you do it right, you are very unlikely to lose legitimate bounces. I thought I'd test a few rules on it, but I'm having trouble getting rbldnsd to deal with the zones. Does anyone have a sample config that works? I've gotten other zones to load via rbldnsd, so I'm sure it's something stupid on my part, or maybe it just doesn't like - in zonenames...
service rbldnsd restart
Stopping rbldnsd: invaluement [ OK ]
Starting rbldnsd: invaluement [ OK ]
Stopping rbldnsd: uceprotect [ OK ]
Starting rbldnsd: uceprotect [ OK ]
Starting rbldnsd: dnsbl-2.uceprotect.net:ip4set:uceprotect/dnsbl-2.uceprotect.net rbldnsd: no zone(s) to service specified (-h for help) [FAILED]
Starting rbldnsd: dnsbl-3.uceprotect.net:ip4set:uceprotect/dnsbl-3.uceprotect.net rbldnsd: no zone(s) to service specified (-h for help) [FAILED]
Stopping rbldnsd: uceprotect4 [ OK ]
Starting rbldnsd: uceprotect4 [ OK ]
The relevant stanza is
uceprotect -r/var/lib/rbldnsd -q -b127.0.0.1/5354 \
 dnsbl-1.uceprotect.net:ip4set:uceprotect/dnsbl-1.uceprotect.net \
 dnsbl-2.uceprotect.net:ip4set:uceprotect/dnsbl-2.uceprotect.net \
 dnsbl-3.uceprotect.net:ip4set:uceprotect/dnsbl-3.uceprotect.net \
Once I get that running I'll try to tackle a meta rule for blank from: and It appears you are trying to load the zones from within a directory called uceprotect within the chrooted /var/lib/rbldnsd. Perhaps /var/lib/rbldnsd/uceprotect doesn't contain any zone files.
Re: Backscatter.org used as RBL??
Quoting LuKreme krem...@kreme.com: On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote: Quoting LuKreme krem...@kreme.com: On 3-Aug-2009, at 18:36, Dennis G German wrote: Is Backscatter.org http://www.backscatterer.org/index.php used by any rules? Pretty sure not. The way to use that RBL is as an RBL. Don't accept the backscatter in the first place. If you use the lists as an RBL to reject at SMTP, you will end up rejecting legitimate email. Here, I have the zones rsync to rbldnsd locally and have SA rules test the last external IP. If you do it right, you are very unlikely to lose legitimate bounces. I wasn't referring to legitimate bounces. I was referring to legitimate messages (non bounce). If I started using the backscatterer.org RBLs at SMTP time, I guarantee I will get calls and several email messages asking why a message was rejected.
Re: Backscatter.org used as RBL??
Quoting LuKreme krem...@kreme.com: On 3-Aug-2009, at 18:36, Dennis G German wrote: Is Backscatter.org http://www.backscatterer.org/index.php used by any rules? Pretty sure not. The way to use that RBL is as an RBL. Don't accept the backscatter in the first place. If you use the lists as an RBL to reject at SMTP, you will end up rejecting legitimate email. Here, I have the zones rsync to rbldnsd locally and have SA rules test the last external IP. If you do it right, you are very unlikely to lose legitimate bounces.
Re: two databases
Quoting Micah Anderson mi...@riseup.net: any case I might have had some issues because my MySQL database needed to be optimized, but I was not able to determine how and now I just run one of the spamd's without bayes, which is not too bad because my bayes database seems to be totally worthless at the moment. :P http://dev.mysql.com/doc/refman/5.0/en/optimize-table.html I have a cronjob set up that does an optimize table on all the SA tables every 24 hours to make sure everything is in line.
Re: FW: SpamAssassin error Interrupted system call
Quoting Luis campo lcr_2...@hotmail.com: The service is still active; spamd just does not process the emails, all giving a score of zero, and then I get the error message
ServerA spamc [7277]: connect to spamd on 172.16.0.14 Failed, retrying (# 1 of 3): Interrupted system call
When this problem occurs I restart spamd and it runs approximately 20 minutes and then switches back to the same problem. Correct. When you restart the spamd process, it frees up memory that was used. Once spamd gets running again, it starts taking up memory. If you run out of memory, your server starts to swap. Once your server starts to swap, things slow down dramatically. The amount of memory each spamd process will take depends upon what rules you have loaded and how many. Here, our filter server (16Gb RAM) with spamd startup parameters:
--min-children=9 --max-children=36 --min-spare=9 --max-spare=18
has been running flawlessly with no issues for over a year. Each spamd process on our filter server takes up approximately 100meg.
Re: Hrm, this spam is annoying
Quoting LuKreme krem...@kreme.com: Scores 1.0 for me http://home.kreme.com/spam20090521.txt X-Spam-Report: * 0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server * [93.86.56.82 listed in dnsbl.sorbs.net] * -0.0 SPF_PASS SPF: sender matches SPF record * -3.3 USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list * -1.3 DKIM_VERIFIED Domain Keys Identified Mail: signature passes * verification * -1.0 DKIM_SIGNED Domain Keys Identified Mail: message has a signature * 0.0 HTML_MESSAGE BODY: HTML included in message * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% * [score: 0.4986] * 0.7 MPART_ALT_DIFF BODY: HTML and text parts are different * 2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO * 2.0 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words * 1.7 SARE_HTML_IMG_ONLY FULL: Short HTML msg, IMG and A HREF, maybe * naught else * 0.0 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image * -0.7 ENV_AND_HDR_DKIM_MATCH Env and Hdr From used in default DKIM WL * Match total of -6.3 if ham scores, sigh. Gotten multiples of this spam on multiple accounts, including one that ONLY gets spam. Stock SA v3.2.5, no additional rules: X-Spam-Status: Reqd:5.0 Hits:7.7 Learn:disabled Tests:HTML_IMAGE_ONLY_04=1.462, HTML_MESSAGE=0.001,HTML_SHORT_LINK_IMG_1=1.078,MPART_ALT_DIFF=1.143, RCVD_IN_SORBS_WEB=1.117,SPF_PASS=-0.001,TVD_SPACE_RATIO=2.899
Re: make SA remove X-Spam-Flag
On Thu, 12 Jun 2008 at 10:54 +0200, [EMAIL PROTECTED] confabulated: Hi, just 10 minutes ago I received a false positive. First I was confused, then I figured that my SA setup didn't actually flag it, but the sender's SA did. So, how could I tell SA to remove any X-Spam flags in case the mail has been identified as non-spam? It is evident to me SpamAssassin removes all headers starting with X-Spam-* before processing. I fetch mail from my work email server via fetchmail to my workstation running Postfix and SA. I never see the SA markup from my work email server. If I ever need to do that, I just disable the SA content filter on my workstation.
Re: how to keep updated against german spam?
On Tue, 10 Jun 2008 at 14:35 +0200, [EMAIL PROTECTED] confabulated: Yet Another Ninja wrote: Is there a place where you posted these spams so potential rule writers know which you're talking about? I just uploaded three different examples of recent spamwave to my webpage: http://www.goldfisch.at/goldfisch/temp/spam1 Using the messages as you have posted them, ALL would have been tagged as spam here regardless of language: X-Spam-Level: xx X-Spam-Status: Bayes:0.5 Score:6.5 Reqrd:5.0 AutoLrn:no Tests:NO_DNS_FOR_FROM=1.407,RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_XBL=2.896 X-Spam-Level: X-Spam-Status: Bayes:0.5 Score:8.7 Reqrd:5.0 AutoLrn:no Tests:NO_DNS_FOR_FROM=1.407,RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_PBL=0.509, RCVD_IN_SORBS_DUL=1.615,RCVD_IN_XBL=2.896,RDNS_DYNAMIC=0.1 X-Spam-Level: xxx X-Spam-Status: Bayes:0.5 Score:7.1 Reqrd:5.0 AutoLrn:no Tests:FH_HELO_EQ_D_D_D_D=0.498,NO_DNS_FOR_FROM=1.407, RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_XBL=2.896,RDNS_DYNAMIC=0.1 You probably don't have network tests enabled.
Re: heads up: .13.3 of re2c might be broken
On Tue, 10 Jun 2008 at 15:20 -0400, [EMAIL PROTECTED] confabulated: Heads up: don't upgrade to re2c 13.3!!! I upgraded from re2c 12.1 to 13.3 and now, things that used to compile, don't. re2c -i -b -o scanner17.c scanner17.re re2c: error: line 99, column 2: Token exceeds limit command failed! at /usr/local/bin/sa-compile line 285, $fh line 5271. fl# su - vscan -c spamassassin --lint [11581] warn: netset: cannot include 10.1.1.1/32 as it has already been included (lint is fine) line 99 of scanner17.re: we now offer over 30,000 products for your dollar store or d {RET(__FRAUD_QFY __SARE_OEM_1C __SARE_OEM_2C __SEEK_PUQJ1X);} I noticed that too. 13.3 is the latest version in the FreeBSD ports tree. I see according to http://re2c.sourceforge.net, the latest version is 13.5. I managed to manually update the re2c port to 13.4 and was able to complete a successful compile. I'm not sure about 13.5 yet.
Re: google netblocks records etc
On Tue, 3 Jun 2008 at 15:42 +0300, [EMAIL PROTECTED] confabulated: On Tue, Jun 03, 2008 at 02:02:29PM +0200, Benny Pedersen wrote: http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS i know this fact, but OP question only based on reverse :/ One should always assume reverse means _confirmed_ reverse. I don't know why anyone would assume otherwise by default. :) Especially if we are talking about serious software like postfix etc. In Postfix: reject_unknown_reverse_client_hostname Reject the request when the client IP address has no address-name mapping. reject_unknown_client_hostname Reject the request when 1) the client IP address-name mapping fails, 2) the name-address mapping fails, or 3) the name-address mapping does not match the client IP address. reject_unknown_client_hostname would be what you are calling confirmed reverse. If I were to use that, support would start getting phone calls and customers would start getting upset.
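The two Postfix restrictions quoted above differ only in how far the DNS check goes. The following is an added example, not Postfix code or part of the original post: it evaluates both policies against a constructed in-memory PTR/A table (sample values, RFC 5737 addresses) instead of live DNS, so the three failure cases of confirmed reverse DNS can be seen side by side.

```python
"""Classify an SMTP client the way Postfix's reject_unknown_reverse_client_hostname
and reject_unknown_client_hostname do. Added example (not Postfix's own code);
it resolves against constructed in-memory tables rather than live DNS."""
from typing import Dict, List, Optional

# Constructed zone data (sample values, not real hosts).
PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mx.example.net"],                  # PTR confirmed by forward lookup
    "192.0.2.11": ["mail.example.org"],                # PTR name has no A record
    "192.0.2.12": ["relay.example.com"],               # PTR name resolves elsewhere
    "192.0.2.14": ["a.example.com", "b.example.com"],  # one of two PTR names confirms
    # 192.0.2.13 deliberately has no PTR record at all
}
A: Dict[str, List[str]] = {
    "mx.example.net": ["192.0.2.10"],
    "relay.example.com": ["198.51.100.5"],
    "a.example.com": ["203.0.113.9"],
    "b.example.com": ["192.0.2.14"],
}


def reject_unknown_reverse_client_hostname(ip: str) -> Optional[str]:
    """Return a reject reason, or None to accept.
    Postfix: reject only when the client IP has no address->name mapping."""
    if not PTR.get(ip):
        return "client IP has no PTR record"
    return None


def reject_unknown_client_hostname(ip: str) -> Optional[str]:
    """Return a reject reason, or None to accept.
    Postfix: reject when 1) the address->name mapping fails, 2) the name->address
    mapping fails, or 3) the name->address mapping does not match the client IP.
    This is the 'confirmed reverse' (forward-confirmed rDNS) check from the thread.
    With several PTR names, one confirming name is treated as enough (assumption)."""
    names = PTR.get(ip)
    if not names:
        return "1) address-name mapping fails"
    any_forward = False
    for name in names:
        addrs = A.get(name)
        if not addrs:
            continue
        any_forward = True
        if ip in addrs:
            return None  # at least one PTR name maps back to the client IP
    if not any_forward:
        return "2) name-address mapping fails"
    return "3) name-address mapping does not match the client IP"


def classify(ip: str) -> Dict[str, Optional[str]]:
    """Evaluate both restrictions for one client; None means the client passes."""
    return {
        "reject_unknown_reverse_client_hostname": reject_unknown_reverse_client_hostname(ip),
        "reject_unknown_client_hostname": reject_unknown_client_hostname(ip),
    }


def rejected_by_each(ips: List[str]) -> Dict[str, int]:
    """Count how many clients each restriction rejects. The confirmed check
    always rejects at least as many, which is the support-call risk noted above."""
    counts: Dict[str, int] = {}
    for ip in ips:
        for rule, reason in classify(ip).items():
            counts[rule] = counts.get(rule, 0) + (1 if reason is not None else 0)
    return counts


if __name__ == "__main__":
    sample = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
    for ip in sample:
        print(ip, classify(ip))
    print(rejected_by_each(sample))
```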
Re: google netblocks records etc
On Tue, 3 Jun 2008 at 16:15 +0300, [EMAIL PROTECTED] confabulated: On Tue, Jun 03, 2008 at 01:08:07PM +, D Hill wrote: On Tue, 3 Jun 2008 at 15:42 +0300, [EMAIL PROTECTED] confabulated: On Tue, Jun 03, 2008 at 02:02:29PM +0200, Benny Pedersen wrote: http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS i know this fact, but OP question only based on reverse :/ One should always assume reverse means _confirmed_ reverse. I don't know why anyone would assume otherwise by default. :) Especially if we are talking about serious software like postfix etc. In Postfix: reject_unknown_reverse_client_hostname Reject the request when the client IP address has no address-name mapping. reject_unknown_client_hostname Reject the request when 1) the client IP address-name mapping fails, 2) the name-address mapping fails, or 3) the name-address mapping does not match the client IP address. reject_unknown_client_hostname would be what you are calling confirmed reverse. If I were to use that, support would start getting phone calls and customers would start getting upset. You are talking about rejecting clients with bad DNS. Not only is it guaranteed to reject legitimate mail in both cases, but it's not even in scope of this thread. We are talking about identifying mail coming from google. Sorry. Response retracted.
Re: google netblocks records etc
On Tue, 3 Jun 2008 at 15:30 +0200, [EMAIL PROTECTED] confabulated: D Hill wrote: [snip] In Postfix: reject_unknown_reverse_client_hostname Reject the request when the client IP address has no address-name mapping. reject_unknown_client_hostname Reject the request when 1) the client IP address-name mapping fails, 2) the name-address mapping fails, or 3) the name-address mapping does not match the client IP address. reject_unknown_client_hostname would be what you are calling confirmed reverse. If I were to use that, support would start getting phone calls and customers would start getting upset. He is about check_client_access. recent postfix also have check_reverse_client_hostname_access which acts on PTR (unconfirmed rDNS), but is intended for blocking, not whitelisting. Yes. Don't know where my head was...
Re: Testing DNSRBLs using SA
On Fri, 23 May 2008 at 10:32 -0400, [EMAIL PROTECTED] confabulated: Good morning all, I am trying to use SA to test a DNSBL and I am not having any luck getting the rule to hit. I've looked through 20_dnsbl_tests.cf, and read the appropriate section in the docs. http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings Here is what I have currently, header RCVD_IN_SIP eval:check_rbl('sip', 'sip.invaluement.com.') describe RCVD_IN_SIP sender is known in Invaluement list tflags RCVD_IN_SIP net score RCVD_IN_SIP 0.01 And yes, when I query my rbldnsd server from the server running SA with an IP known to be in the list, I do get the proper response. Anyone see a flaw in this concept? To me that rule looks fine. Perhaps your testing is completely within your trusted path? Feed the message to SpamAssassin with the -D debug switch to see for sure.
Re: dsbl.org dying?
On Wed, 21 May 2008 at 14:26 -0400, [EMAIL PROTECTED] confabulated: On May 21, 2008, at 10:01 AM, mouss wrote: dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily. I asked about this on the spamtools list on the 12th to deafening silence. On that day, if you were to look at their status page, http://dsbl.org/nsstatus, you would have seen half of their DNS primaries listed as broken. Today I see page not found with a generic drupal error message. Not looking promising if you ask me. Time to stop using it, as far as I am concerned. I stopped using the list a few months ago. Rejections based on the list were at ~0.06% of the total number of RBL rejections. The figures were ~3.7 million total RBL rejections to ~2,500 dsbl.org rejections. In my eyes, the list was not worth keeping around when the server(s) are handling over seven (7) million messages per day.
Re: msrbl.com disappeared
On Sun, 11 May 2008 at 22:45 +0200, [EMAIL PROTECTED] confabulated: Frank Bures wrote: Hi, I could not update SANE Security signatures in the last couple of days. It looks like domain msrbl.com disappeared. Could please anyone shed some light on this? $ host msrbl.com msrbl.com has address 64.22.86.210 msrbl.com mail is handled by 20 newton.8086.net. msrbl.com mail is handled by 30 mxuk.camelnetwork.com. msrbl.com mail is handled by 90 mxus.camelnetwork.com. msrbl.com mail is handled by 1000 mx.fakemx.net. It is back up now. The update script I've been using (which is one found off the site) was getting this error: rsync: getaddrinfo: rsync.mirror.msrbl.com 873: hostname nor servname provided, or not known
Re: False positive on forged_mua_outlook
On Sat, 10 May 2008 at 10:13 +0200, [EMAIL PROTECTED] confabulated: Randy Ramsdell wrote: [snip] Scratch that and reverse it. If it does match, then it will score the message header as fake. oops :) sorry. Let me check some more things. Did outlook really generate this message-id: Message-ID: [EMAIL PROTECTED] I just sent myself a test message from Outlook Express 6.00.2900.2180: Message-ID: [EMAIL PROTECTED] The part of the message ID before the '@' is two characters shorter than what you show. 'meme' is the name of my computer. Outlook and Outlook Express use the name of the computer in the message ID after the '@'. I don't have access to Outlook for testing. On a side note, Outlook and Outlook Express also HELO with the computer's name when sending a message through an email server.
Re: fractional scores and syntax
On Fri, 9 May 2008 at 09:42 -0700, [EMAIL PROTECTED] confabulated: I am not sure how to ask this. We have a test URIBL: urirhssub URIBL_TEST uri.test.local.A 2 body URIBL_TEST eval:check_uridnsbl('URIBL_TEST') describe URIBL_TEST Contains an URL listed in the TEST blacklist tflags URIBL_TEST net #reuse URIBL_TEST # score URIBL_TEST 0 1 0 1 this works... :-) what do I need to look or search for regarding syntax so that I can change the score from what you see above to have a lower fractional score like score URIBL_TEST 0 .1 0 .1 and get a good output from spamassassin --lint thanks in advance If you are referring to this: [42778] warn: config: SpamAssassin failed to parse line, test_rule .1 is not valid for score, skipping: score test_rule .1 [42778] warn: lint: 1 issues detected, please rerun with debug enabled for more information You have to prefix all decimal score values with zero (0). So in your case: score URIBL_TEST 0 0.1 0 0.1
Re: can we make AWL ignore mail from self to self?
On Tue, 29 Apr 2008 at 17:53 -0700, [EMAIL PROTECTED] confabulated: Now please stop arguing that AWL is useless. It works for me. If it doesn't work for you, then you have no reason to reply on this thread. (not trying to be rude, but this conversation is pointless) Works for me too. I was going to reply to the thread days weeks ago and didn't have time. Some of my AWL scores on spam have been in the negative. However, bayes_99 quickly brings it back onto the positive side for the rest of the positive scoring rules.
Re: can we make AWL ignore mail from self to self?
On Tue, 29 Apr 2008 at 17:58 -0700, [EMAIL PROTECTED] confabulated: I'm not repeating for the 5th time that there are no trusted mailservers. Only this host. Correct. On our filter server(s) which are strictly inbound only (nothing trusted but itself): # Begin SA Network Settings clear_trusted_networks clear_internal_networks clear_msa_networks trusted_networks 192.168.1.100 # smtpgate.ndunet.com internal_networks 192.168.1.100 # smtpgate.ndunet.com
Re: gpg failure on sa-update due to non-cross-certified key
Re-download a GPG key and import: wget http://spamassassin.apache.org/updates/GPG.KEY sa-update --import GPG.KEY This is in the wiki: http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29 I had the same thing happen and all is well now. -d On Fri, 18 Apr 2008 at 08:24 -0500, [EMAIL PROTECTED] confabulated: I recently installed Mandriva 2008.1 on one of my spamfilters. It includes gpg version 1.4.9. When I try to run sa-update, I get: [EMAIL PROTECTED] ~]$ sudo sa-update Password: gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys' gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys' error: GPG validation failed! The update downloaded successfully, but the GPG signature verification failed. channel: GPG validation failed, channel failed When I ran sa-update in debug mode, I see this message: [1518] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.sha1 [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.asc [1518] dbg: sha1: verification wanted: 129293f2f748a7398442daf97a26e2af387192a6 [1518] dbg: sha1: verification result: 129293f2f748a7398442daf97a26e2af387192a6 [1518] dbg: channel: populating temp content file [1518] dbg: gpg: populating temp signature file [1518] dbg: gpg: calling gpg gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys' [1518] dbg: gpg: gpg: Signature made Wed 16 Apr 2008 04:28:44 AM CDT using RSA key ID 24F434CE [1518] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified [1518] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information [1518] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1 [1518] dbg: gpg: gpg: Can't check signature: general error error: GPG validation failed! The update downloaded successfully, but the GPG signature verification failed. channel: GPG validation failed, channel failed Looking at the gnupg faq, this appears to be a problem with the way the key is created. I was able to run sa-update with the --nogpg option, and sa-compile worked fine after sa-update ran, but I would like to know the best way to fix this long term. Is this a gnupg bug? or a spamassassin bug? Or... ? -- Daniel J McDonald, CCIE #2495, CISSP #78281, CNX Austin Energy http://www.austinenergy.com
Re: gpg failure on sa-update due to non-cross-certified key
On Fri, 18 Apr 2008 at 10:30 -0500, [EMAIL PROTECTED] confabulated: On Fri, 2008-04-18 at 13:51 +, D Hill wrote: Re-download a GPG key and import: wget http://spamassassin.apache.org/updates/GPG.KEY sa-update --import GPG.KEY This is in the wiki: http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29 I had the same thing happen and all is well now. Ah, thank you. I dug around the wiki for an hour last night and didn't find this article... A search for the word 'update' on the Wiki is how I found it.
Re: sa-learn incapable of handling large amounts of messages?
On Tue, 15 Apr 2008 at 21:53 -0400, [EMAIL PROTECTED] confabulated: I'm trying to run sa-learn --spam /spamdir/* on a directory with 2449 spam messages. But it doesn't seem to work. I'm not sure why. What format are the messages in? mdir? mbox? sa-learn --spam [EMAIL PROTECTED] spam/ works from here as an mdir mailbox, and: sa-learn --spam --mbox [EMAIL PROTECTED] spam works from here as an mbox format. I have never had issues with learning messages using SA v3.2.4. -d
Re: FW: Why is this spam passing my SA (counterfeit goods)
On Fri, 11 Apr 2008 at 14:10 -0400, [EMAIL PROTECTED] confabulated: Josie Walls wrote: Hello, Would this group agree that requiring 5 hits in order to classify an email as spam is too conservative a number? I suspect ISPs have their filter settings at 3 or less. Any insight would be appreciated. I'm an ISP and we use 5 to mark and 10 to reject at smtp time (not bounce, smtp reject 551). ISP here, too. I have the score at 5 as well. If I were to drop it any lower, customers would start screaming that too much email was going into their spambox. We also allow the customer to adjust the score individually from a web interface.
Re: foreign spam slipping through
On Thu, 3 Apr 2008 at 16:12 -0400, [EMAIL PROTECTED] confabulated: the attached email is one of the mails that keeps slipping through. I have no idea what it says, or why it continues to slip through my filter (well why it has a lower score than what's required). kmail runs spamassassin -L with filters to check for spam I've also told kmail mails from these people are spam before it uses this. sa-learn -L --spam --no-sync and I periodically run this from the cli. sa-learn --showdots --spam .kde/share/apps/kmail/mail/spam/cur/* these are the relevant settings in ~/.spamassassin user_prefs required_score 4 ok_languages en I can't understand why, with it not being in English and these settings, it still slips through. Most of those are getting caught here. Here is what your message scored: X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) X-Spam-Level: xxx X-Spam-Status: Hits:7.9 Tests:BAD_ENC_HEADER=2.87,EXTRA_MPART_TYPE=1, RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_DNSWL_LOW=-1,UNWANTED_LANGUAGE_BODY=2.8
Re: foreign spam slipping through
On Thu, 3 Apr 2008 at 16:51 -0400, [EMAIL PROTECTED] confabulated: How do I unsubscribe from here? There are no unsubscribe links at the bottom of these messages. As found in the headers of ALL list messages: list-unsubscribe: mailto:[EMAIL PROTECTED]
Re: foreign spam slipping through
On Thu, 3 Apr 2008 at 17:00 -0400, [EMAIL PROTECTED] confabulated: On Thursday 03 April 2008 04:32:40 pm you wrote: Most of those are getting caught here. Here is what your message scored: any way to increase the score that language receives? I have the same: ok_languages en I also have: ok_locales en In your headers, I didn't see UNWANTED_LANGUAGE_BODY. Do you have the TextCat plugin enabled/loaded? In my install, it is found in: /etc/mail/spamassassin/v310.pre This is actually the default config file where it is loaded. Also, do you have RBL checks enabled? By default, this is enabled unless you have set 'skip_rbl_checks'.
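Both this reply and the earlier German-spam thread ("You probably don't have network tests enabled") turn on the same question: how much of an X-Spam-Status verdict comes from RBL-style network rules versus local rules such as UNWANTED_LANGUAGE_BODY. The parser below is an added example, not SpamAssassin code or part of any post: the sample headers are constructed from the ones quoted in the thread, and which rules count as network tests is an assumption approximated by rule-name prefix (the authoritative source is the `tflags ... net` lines in the rule files).

```python
"""Parse X-Spam-Status headers of the shape quoted in the thread
(Score:/Hits:, Reqrd:/Reqd:, Tests:NAME=score,...) and split each verdict
into its network and local components. Added example, not SpamAssassin code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample headers modelled on the thread (line folding collapsed).
SAMPLE_HEADERS: List[str] = [
    "X-Spam-Status: Bayes:0.5 Score:6.5 Reqrd:5.0 AutoLrn:no "
    "Tests:NO_DNS_FOR_FROM=1.407,RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_XBL=2.896",
    "X-Spam-Status: Bayes:0.5 Score:7.1 Reqrd:5.0 AutoLrn:no "
    "Tests:FH_HELO_EQ_D_D_D_D=0.498,NO_DNS_FOR_FROM=1.407, "
    "RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_XBL=2.896,RDNS_DYNAMIC=0.1",
    "X-Spam-Status: Hits:7.9 Tests:BAD_ENC_HEADER=2.87,EXTRA_MPART_TYPE=1, "
    "RCVD_IN_BL_SPAMCOP_NET=2.188,RCVD_IN_DNSWL_LOW=-1,UNWANTED_LANGUAGE_BODY=2.8",
]

# Assumption: rule-name prefixes standing in for rules that carry 'tflags net'.
NET_PREFIXES = ("RCVD_IN_", "URIBL_", "NO_DNS_FOR_FROM", "SPF_", "DKIM_")
DEFAULT_REQUIRED = 5.0  # SpamAssassin's stock required_score

SCORE_RE = re.compile(r"\b(?:Score|Hits):(-?\d+(?:\.\d+)?)")
REQ_RE = re.compile(r"\bReqr?d:(-?\d+(?:\.\d+)?)")      # Reqrd: or Reqd:
TESTS_RE = re.compile(r"\bTests:(.*)$")
TEST_RE = re.compile(r"^([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)$")


def is_net_test(name: str) -> bool:
    return name.startswith(NET_PREFIXES)


@dataclass
class Verdict:
    reported: Optional[float]   # Score:/Hits: value from the header, if present
    required: float             # Reqrd:/Reqd: value, or the stock default
    tests: Dict[str, float]     # rule name -> score contribution

    @property
    def total(self) -> float:
        return round(sum(self.tests.values()), 3)

    @property
    def net_score(self) -> float:
        return round(sum(v for k, v in self.tests.items() if is_net_test(k)), 3)

    @property
    def local_score(self) -> float:
        return round(self.total - self.net_score, 3)

    def consistent(self) -> bool:
        """The reported one-decimal score matches the sum of the listed tests."""
        return self.reported is None or round(self.total, 1) == self.reported

    def spam_without_net(self) -> bool:
        """Would the message still reach required_score with network tests off?"""
        return self.local_score >= self.required


def parse_status(header: str) -> Verdict:
    m = SCORE_RE.search(header)
    reported = float(m.group(1)) if m else None
    m = REQ_RE.search(header)
    required = float(m.group(1)) if m else DEFAULT_REQUIRED
    m = TESTS_RE.search(header)
    if not m:
        raise ValueError("no Tests: field in header")
    tests: Dict[str, float] = {}
    for item in m.group(1).split(","):
        item = item.strip()           # folded continuation lines leave spaces
        if not item:
            continue
        t = TEST_RE.match(item)
        if not t:
            raise ValueError(f"unparseable test entry: {item!r}")
        tests[t.group(1)] = float(t.group(2))
    return Verdict(reported, required, tests)


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        v = parse_status(h)
        print(f"total={v.total} net={v.net_score} local={v.local_score} "
              f"consistent={v.consistent()} spam_without_net={v.spam_without_net()}")
```

For the two German-spam headers every point comes from network rules, so a scanner without network tests sees a score near zero; the foreign-spam header still clears 5.0 on local rules alone because UNWANTED_LANGUAGE_BODY fired.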
Re: SORBS_DUL
On Wed, 26 Mar 2008 at 11:39 +1100, [EMAIL PROTECTED] confabulated: On Wed, 26 Mar 2008 03:31:34 am mouss wrote: James Gray wrote: Why are rules that look up against this list still in the base of SpamAssassin?? The SORBS dynamic list is so poorly maintained that it's practically useless and if you are an unfortunate who ends up incorrectly listed in it, good luck getting off it! Case at hand, the company I work for purchased a /19 address block directly from APNIC before anyone else had it (IOW, we were the first users of that block). We now have both our external mail IP's listed in SORBS_DUL despite the fact the /24 they belong to, and the /24's on either side have NEVER been part of a dynamic pool. SORBS refuse to delist them as our MX records are different to these outgoing mail servers! FFS - we run managed services for a number of ISP's why the hell would we *want* to munge all our inbound and outbound mail through the same IP's?!? Seriously folks, can we make SORBS_DUL optional and not on by default in the general distribution? If you have a complaint, provide _evidence_. otherwise, it goes to /dev/troll0. while you are at it, fix your DNS. your domain has been successfully submitted to rfci (boguxms): http://www.rfc-ignorant.org/tools/lookup.php?domain=gray.net.au I forgot to mention: thanks for getting me listed on rfci too: $ dig -x 82.239.111.75 --8-- snipped --8-- ;; ANSWER SECTION: 75.111.239.82.in-addr.arpa. 85430 IN PTR ouzoud.netoyen.net. MX records are not supposed to contain CNAMEs: %dig @localhost dot.com.au mx ... dot.com.au. 3600 IN MX 10 node.office.dot.net.au. ;; AUTHORITY SECTION: dot.com.au. 3600 IN NS ns1.viperplatform.net.au. dot.com.au. 3600 IN NS ns2.viperplatform.net.au. ;; Query time: 534 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Mar 26 00:45:34 2008 ;; MSG SIZE rcvd: 139 %nslookup smtp.mas.viperplatform.net.au Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: smtp.mas.viperplatform.net.au canonical name = mail.mas.viperplatform.net.au. Name: mail.mas.viperplatform.net.au Address: 202.147.74.50 Your MX contains a CNAME.
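The nslookup above shows the MX target resolving as a canonical name, which is what the reply objects to. The checker below is an added example, not part of the original post: it walks a constructed in-memory record set (RFC 2606 example domains, sample addresses) rather than querying live DNS, and flags MX targets that are CNAME aliases or have no address record at all.

```python
"""Check that a domain's MX targets are plain hostnames with address records,
not CNAME aliases (RFC 2181 section 10.3). Added example, not from the post;
uses a constructed record set instead of live DNS."""
from typing import Dict, List, Tuple

# Constructed records keyed by (owner name, RR type); sample values only.
RECORDS: Dict[Tuple[str, str], List[str]] = {
    # correct: the MX target is a host with an A record
    ("example.com", "MX"): ["10 mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    # broken: the MX target is a CNAME, the same shape as the smtp -> mail alias above
    ("example.net", "MX"): ["10 smtp.example.net"],
    ("smtp.example.net", "CNAME"): ["mail.example.net"],
    ("mail.example.net", "A"): ["198.51.100.7"],
    # broken: the preferred MX target has no address record at all
    ("example.org", "MX"): ["10 ghost.example.org", "20 mail.example.org"],
    ("mail.example.org", "A"): ["203.0.113.3"],
}


def lookup(name: str, rtype: str) -> List[str]:
    """Exact-owner lookup; no CNAME chasing, so an alias is reported as such."""
    return RECORDS.get((name.rstrip(".").lower(), rtype), [])


def mx_targets(domain: str) -> List[Tuple[int, str]]:
    """Return (preference, target) pairs, lowest preference first."""
    pairs: List[Tuple[int, str]] = []
    for rr in lookup(domain, "MX"):
        pref, host = rr.split(None, 1)
        pairs.append((int(pref), host.rstrip(".").lower()))
    return sorted(pairs)


def check_mx(domain: str) -> List[str]:
    """Return a list of problems with the domain's MX set; empty means it is clean."""
    problems: List[str] = []
    for pref, host in mx_targets(domain):
        cname = lookup(host, "CNAME")
        if cname:
            problems.append(f"MX {pref} {host} is a CNAME for {cname[0]}")
        elif not lookup(host, "A") and not lookup(host, "AAAA"):
            problems.append(f"MX {pref} {host} has no address record")
    return problems


if __name__ == "__main__":
    for d in ("example.com", "example.net", "example.org"):
        print(d, check_mx(d) or "OK")
```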
Re: SORBS_DUL
On Wed, 26 Mar 2008 at 00:47 -, [EMAIL PROTECTED] confabulated: On Wed, 26 Mar 2008 at 11:39 +1100, [EMAIL PROTECTED] confabulated: On Wed, 26 Mar 2008 03:31:34 am mouss wrote: James Gray wrote: Why are rules that look up against this list still in the base of SpamAssassin?? The SORBS dynamic list is so poorly maintained that it's practically useless and if you are an unfortunate who ends up incorrectly listed in it, good luck getting off it! Case at hand, the company I work for purchased a /19 address block directly from APNIC before anyone else had it (IOW, we were the first users of that block). We now have both our external mail IP's listed in SORBS_DUL despite the fact the /24 they belong to, and the /24's on either side have NEVER been part of a dynamic pool. SORBS refuse to delist them as our MX records are different to these outgoing mail servers! FFS - we run managed services for a number of ISP's why the hell would we *want* to munge all our inbound and outbound mail through the same IP's?!? Seriously folks, can we make SORBS_DUL optional and not on by default in the general distribution? If you have a complaint, provide _evidence_. otherwise, it goes to /dev/troll0. while you are at it, fix your DNS. your domain has been successfully submitted to rfci (boguxms): http://www.rfc-ignorant.org/tools/lookup.php?domain=gray.net.au I forgot to mention: thanks for getting me listed on rfci too: $ dig -x 82.239.111.75 --8-- snipped --8-- ;; ANSWER SECTION: 75.111.239.82.in-addr.arpa. 85430 IN PTR ouzoud.netoyen.net. MX records are not supposed to contain CNAMEs: %dig @localhost dot.com.au mx ... dot.com.au. 3600 IN MX 10 node.office.dot.net.au. ;; AUTHORITY SECTION: dot.com.au. 3600 IN NS ns1.viperplatform.net.au. dot.com.au. 3600 IN NS ns2.viperplatform.net.au. ;; Query time: 534 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Mar 26 00:45:34 2008 ;; MSG SIZE rcvd: 139 %nslookup smtp.mas.viperplatform.net.au Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: smtp.mas.viperplatform.net.au canonical name = mail.mas.viperplatform.net.au. Name: mail.mas.viperplatform.net.au Address: 202.147.74.50 Your MX contains a CNAME. Actually, closer inspection shows your: ns2.viperplatform.net.au is still reporting back: smtp.mas.viperplatform.net.au as the ONLY MX record.
Re: SORBS_DUL
Now you're confusing the subject. The previous response you made was from: From: James Gray [EMAIL PROTECTED] Now you are using: From: James Gray [EMAIL PROTECTED] BOTH of those domains point to an MX that has a CNAME to: smtp.mas.viperplatform.net.au On Wed, 26 Mar 2008 at 00:51 -, [EMAIL PROTECTED] confabulated: On Wed, 26 Mar 2008 at 00:47 -, [EMAIL PROTECTED] confabulated: On Wed, 26 Mar 2008 at 11:39 +1100, [EMAIL PROTECTED] confabulated: On Wed, 26 Mar 2008 03:31:34 am mouss wrote: James Gray wrote: Why are rules that look up against this list still in the base of SpamAssassin?? The SORBS dynamic list is so poorly maintained that it's practically useless and if you are an unfortunate who ends up incorrectly listed in it, good luck getting off it! Case at hand, the company I work for purchased a /19 address block directly from APNIC before anyone else had it (IOW, we were the first users of that block). We now have both our external mail IP's listed in SORBS_DUL despite the fact the /24 they belong to, and the /24's on either side have NEVER been part of a dynamic pool. SORBS refuse to delist them as our MX records are different to these outgoing mail servers! FFS - we run managed services for a number of ISP's why the hell would we *want* to munge all our inbound and outbound mail through the same IP's?!? Seriously folks, can we make SORBS_DUL optional and not on by default in the general distribution? If you have a complaint, provide _evidence_. otherwise, it goes to /dev/troll0. while you are at it, fix your DNS. your domain has been successfully submitted to rfci (boguxms): http://www.rfc-ignorant.org/tools/lookup.php?domain=gray.net.au I forgot to mention: thanks for getting me listed on rfci too: $ dig -x 82.239.111.75 --8-- snipped --8-- ;; ANSWER SECTION: 75.111.239.82.in-addr.arpa. 85430 IN PTR ouzoud.netoyen.net. MX records are not supposed to contain CNAMEs: %dig @localhost dot.com.au mx ... dot.com.au. 3600 IN MX 10 node.office.dot.net.au. ;; AUTHORITY SECTION: dot.com.au. 3600 IN NS ns1.viperplatform.net.au. dot.com.au. 3600 IN NS ns2.viperplatform.net.au. ;; Query time: 534 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Mar 26 00:45:34 2008 ;; MSG SIZE rcvd: 139 %nslookup smtp.mas.viperplatform.net.au Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: smtp.mas.viperplatform.net.au canonical name = mail.mas.viperplatform.net.au. Name: mail.mas.viperplatform.net.au Address: 202.147.74.50 Your MX contains a CNAME. Actually, closer inspection shows your: ns2.viperplatform.net.au is still reporting back: smtp.mas.viperplatform.net.au as the ONLY MX record.
RE: Why two spam assassins rank the same message so differently?
On Mon, 24 Mar 2008 at 18:14 -0400, [EMAIL PROTECTED] confabulated: by dgw218.neoplus.adsl.tpnet.pl with smtp (Exim 4.62 We've been blocking adsl.tpnet.pl for over a year yet they still barrage our servers daily with bot-infested clients. Some sites block the whole .PL tld, but that's a bit evil IMO. This is just pure speculation. You are rejecting email accounts that do not exist on your server(s) at SMTP time (not bouncing after accepting the message for delivery), correct??? If not, that would be one reason you are on their blacklist based on what you have described. Myself, I have seen several servers from the tld .pl bouncing where they should be rejecting.
Re: Spamassassin not checking a particular Email.
On Mon, 10 Mar 2008 at 18:00 -0400, [EMAIL PROTECTED] confabulated: Michael Hutchinson wrote: Hi all, Another query.. another busy SA day. I have a piece of Spam that is getting through to one of our biggest clients. I have written rules to tag this Spam, but it is as if it isn't even being checked by Spamassassin. [snip] We can see from the headers that it has been looked at by Simscan, but has not been parsed through SA, at least, I don't think it has. We always have X-Spam-Status in our headers. I can attach the actual Email if anyone would like to see it. Any ideas where to start troubleshooting the issue? Could this be a Simscan related problem? Cheers, Mike How big is the email? By default spamd won't scan anything over 255k Is it spamd that has the default? I know for sure spamc has the default set to 500Kb (at least in the latest release): %man spamc ... -s max_size, --max-size=max_size Set the maximum message size which will be sent to spamd -- any bigger than this threshold and the message will be returned unprocessed (default: 500 KB). If spamc gets handed a message bigger than this, it won't be passed to spamd. The maximum message size is 256 MB. I don't recall the OP stating what version of SA was running.
Re: SpamAssassin 3.2.4 and syslog
On Wed, 5 Mar 2008 at 11:41 -0700, [EMAIL PROTECTED] confabulated: Just an observation here. I did my 3.2.3 to 3.2.4 upgrade and suddenly syslogging of spamd stopped. I had to manually add -s mail to my startup to get it to play fair again. Was this change documented anywhere... that syslog was now turned off by default? I just upgraded the port under FreeBSD 7.0 from 3.2.3 to 3.2.4 this morning and everything is logging fine here. Perhaps your issue is package specific on the OS you are running. You didn't indicate if you were installing from the download off the SA site or not.
Re: Headers not being updated
On Mon, 15 Oct 2007 at 15:26 -0700, [EMAIL PROTECTED] confabulated: I have recently moved to a new VPS, everything has been setup for me and is working well except Spamassassin. (I've never had problems with it on my previous host and I'm a newbie to working with it, so please excuse my ignorance.) Hopefully this might help. Server: Apache/1.3.37 Spamassassin Version 3.2.3 running on perl 5.8.8 I have tested the install by using spamassassin -D sample-spam.txt and it seems to work fine. Now the problem: all incoming emails on all accounts have the following headers :- X-Spam-Status: No, score= X-Spam-Score: X-Spam-Bar: X-Spam-Flag: NO Even if I send the Spam test email. My hosting support company has tried to fix it but have suggested I try here. I hope someone can help. Any advice much appreciated. Have you changed the default setting for adding headers in SA? Look for 'X-Spam-Bar' in your SA config file (local.cf). You may have an issue with something outside the realm of SA. Also, the default setting for the header 'X-Spam-Status' doesn't contain the word 'score'. Are you running anything else that calls SA?
Re: Advice on MTA blacklist
On Tue, 9 Oct 2007 at 10:00 -0700, [EMAIL PROTECTED] confabulated: Spamhaus: yes. Use zen.spamhaus.org (you might end up needing to pay for it, and use a local cache, if you're a heavy traffic site, but, frankly, it's worth paying for). We use Spamhaus here with their datafeed service. Our two filter servers reject an average 3.2 million messages every 24 hours using zen.spamhaus.org.