Re: URI-DNSBL problem with spamassassin 3.2.5
Hi! Please, can someone feed http://pastebin.ca/1495707 into spamassassin 3.3.0 and see how it works ? Many thanks for your help Eddy pts rule name description -- -- 0.0 HTML_MESSAGE BODY: HTML included in message -4.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1% -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: URI-DNSBL problem with spamassassin 3.2.5
Dan Schaefer wrote: Hi! Please, can someone feed http://pastebin.ca/1495707 into spamassassin 3.3.0 and see how it works ? Many thanks for your help Eddy pts rule name description -- -- 0.0 HTML_MESSAGE BODY: HTML included in message -4.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1% Sorry that's 3.2.5 -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: {Spam?} RE: The www[variations]continue....
The rules should also proactively cover (dot) and {dot} as well as [dot]
I agree.
--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
copy spam mail to separate mailbox
I have a postfix/SA setup and I was wondering if anyone knew how to COPY an email marked as spam instead of redirecting. Not this: /^X-Spam-Flag: YES/ REDIRECT spam...@example.com -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: copy spam mail to separate mailbox
As that's really a postfix question, not a SpamAssassin question, if you don't get an answer here you may want to try on a postfix mailing list. I know. Since everybody here is so great at answering my questions so far, I thought I'd try this list first. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
auto learn threshold
Clip of /etc/mail/spamassassin/local.cf __ required_score 7 ifplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold bayes_auto_learn_threshold_nonspam 0.1 bayes_auto_learn_threshold_spam 10.0 endif __ Some messages with a SA score of 10 or higher are auto-learned as spam and some are not. Any suggestions? What is the default? Perhaps my bayes_auto_learn_threshold_spam isn't being used. The results seem to be random. Is there a certain rule that is ignored when determining the score SA uses for autolearn? Examples: score: 11.6 autolearn=no score: 12.7 autolearn=no score: 33.9 autolearn=spam score: 15.9 autolearn=no score: 19.0 autolearn=no score: 19.6 autolearn=spam score: 18.4 autolearn=spam Thanks, Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: auto learn threshold
Is there a certain rule that is ignored when determining the score SA uses for autolearn? Maybe this? perldoc Mail::SpamAssassin::Plugin::AutoLearnThreshold " Note: SpamAssassin requires at least 3 points from the header, and 3 points from the body to auto-learn as spam. Therefore, the minimum working value for this option is 6." This is very possible. I checked a few of my examples and this turned out to be true. Thanks to both Nuno and Bowie for the answer. This is another one of my questions that could have been answered with RTFMP. I am, however, a semi-rookie System Admin and I'm still learning the tricks. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: [NEW SPAM FLOOD] www.shopXX.net
For those of you that manage these rules, URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as spam http://pastebin.com/m40f7cff4 -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: [NEW SPAM FLOOD] www.shopXX.net
Benny Pedersen wrote: On Wed, July 22, 2009 21:39, Dan Schaefer wrote: For those of you that manage these rules, URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as spam http://pastebin.com/m40f7cff4 reject it with rbl testing in mta, and its found in blacklist, reason it not found in obfu is that its not obfu :) Does this mean that if I have a custom rule to search for exactly the "via" site, my rule will be overlooked because the site is in a blacklist? -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
rule counter
I don't have a test server to try this, so maybe someone could test it for me or maybe someone has tried this before... I want to create a rule that counts the number of rules that have a score and add my score. I don't want to count the total score. Can I use !! instead of the rule name. I may not have explained it well, so here's an example. I want at least 3 out of 5 rules to pass before adding my 5 points. #(!!1.25) = true = 1? in SA meta MY_RULE (!!RULE_ONE + !!RULE_TWO + !!RULE_THREE + !!RULE_FOUR + !!RULE_FIVE >= 3) score MY_RULE 5 instead of the following, because the total score would be counted meta MY_RULE (RULE_ONE + RULE_TWO + RULE_THREE + RULE_FOUR + RULE_FIVE >= 3) Thanks in advance, Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: [NEW SPAM FLOOD] www.shopXX.net
>For those of you that manage these rules, >URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as spam I'm up to AE_MED45, so I wouldn't expect AE_MEDS38 and 39 to be hitting anything currently. >http://pastebin.com/m40f7cff4 This is not an obfuscated domain. You can see that it hit two URIBLs - JP and WS. I would have expected it to be in URIBL_BLACK (or at least GOLD) as well as Invaluement's URIBL. There are plenty of mechanisms to catch valid URIs - that's not the purpose of the obfuscation rules. And, you still got 15 points - so, what's the problem? Relax. I don't have a problem. I was just pointing out a potential flaw. I was just trying to help out. I just misunderstood the whole blacklist thing, that's all. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: [NEW SPAM FLOOD] www.shopXX.net
It means that if you were using BL at MTA level your SA might never have seen the message at all. No your rule would not be "overlooked" 'because the site is in a blacklist' *unless* you were using the BL in your MTA and rejected the transaction from a blacklisted IP address and, thus, never submitted it to SA at all. If this is the case, then why does my email have the X-* headers in it? I have nothing in my postfix header_checks to discard the BL rules. Does anyone have a detailed flow chart of SA/postfix setup and describes blacklisting? Or even a webpage describing the process? -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: copy spam mail to separate mailbox
I have a postfix/SA setup and I was wondering if anyone knew how to COPY an email marked as spam instead of redirecting. Not this: /^X-Spam-Flag: YES/ REDIRECT spam...@example.com This should work, right? http://onetforum.com/fourm/viewtopic.php?f=2&t=34 -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: [NEW SPAM FLOOD] www.shopXX.net
Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a sender site that scans for outgoing spam, hasn't already added X-* headers to the message? Martin No. Is that even possible to track down? -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: [NEW SPAM FLOOD] www.shopXX.net
Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a sender site that scans for outgoing spam, hasn't already added X-* headers to the message? No. Is that even possible to track down? There would probably be an X-Spam-Checker-Version header in your inbound mail stream. X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on pony.performanceadmin.com That is my server. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Low Scoring Lotto Spam
Jari Fredriksson wrote: Content analysis details: (6.2 points, 5.0 required) pts rule name description -- -- 1.0 HTML_MESSAGE BODY: HTML included in message 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% [score: 0.4920] 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) 3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns I get roughly the same... Content analysis details: (0.4 points, 7.0 required) pts rule name description -- -- 0.0 HTML_MESSAGE BODY: HTML included in message -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.] 3.0 JM_SOUGHT_FRAUD_3 Body contains frequently-spammed text patterns -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Parallelizing Spam Assassin
This whole time I thought the subject line was "Paralyzing Spam Assassin" and the original poster was having trouble with SA locking up. Oops. ;-) -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: [NEW SPAM FLOOD] www.shopXX.net
I'm glad to see this SPAM traffic has come to a halt. At least on my mail server... -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: DB structure information
Luis Daniel Lucio Quiroz wrote: Hi SAs, I wonder to know if there is a document that explains how is relation-entity database schema designed. TIA LD Is this even a SA question? -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Mailbox for auto learning
Stefan wrote: Am Sonntag, 9. August 2009 07:36:54 schrieb Luis Daniel Lucio Quiroz: Hi SAs, Well, after reading this link http://spamassassin.apache.org/full/3.2.x/doc/sa-learn.html I'm still looking for an easy-way to let my mortal users to train our antispam. I was thinking a mailbox such as h...@antispamserver and s...@antispamserver to let users to forward their false positivos or their false netgatives. In isde each box (ham or spam), of course a procmail with sa-learn input will be forwarded. My doubts are nexts: 1. Will forwarded mails be usefull for training, I mean if spam was: From: spa...@example.netTo: u...@mydomain, when forwarding it will be From: mu...@mydomain To: s...@antispamserver. Change of this and forwarding (getting rid of headers because mail-clients) wont change learning? You have to forward the message as an attachment un unpack it after receiving. Have a look at: https://po2.uni-stuttgart.de/~rusjako/sal-wrappe 2. If technique in question 1 is usless, what other way would be nice to let user to report a false positive/negative for training. This may not be ideal, but in Thunderbird, you can drag messages between mailboxes. You could setup each user to have access to their own account and the two learning mailboxes. You can then have your users drag the false positives/negatives to the appropriate box. I have not testing this 100%, so I don't know if any headers get re-written or not. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Image Spam
Why haven't spammers think about this approach before? I can image it is very difficult for Fuzzy OCR to tag this with a high score. http://pastebin.com/m247b74c8 -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Image Spam
Dan Schaefer wrote: Why haven't spammers think about this approach before? I can image it is very difficult for Fuzzy OCR to tag this with a high score. http://pastebin.com/m247b74c8 Oops. Why haven't spammers *thought about this approach before? Spamassasin did a nice job of catching it though. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Image Spam
On ons 19 aug 2009 14:26:31 CEST, Dan Schaefer wrote Why haven't spammers think about this approach before? I can image it is very difficult for Fuzzy OCR to tag this with a high score. you belive fuzzyocr is buggy ? http://pastebin.com/m247b74c8 already detected as spam, what more do you want from spamassassin ? I'm not complaining!! First of all, I don't have FuzzyOCR installed and I'm not using it. Therefore, I couldn't even determine if this email was marked as spam by FuzzyOCR. And second of all, I didn't mention anything about spamassassin. I'm just speculating on difficulty of image scanning. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: your mail
Res wrote: On Sun, 9 Aug 2009, Matus UHLAR - fantomas wrote: Bullshit. Bullshit to what? Didn't we have an email a couple weeks ago talking about inappropriate language on a public list and that it won't be tolerated?
i need your indulgence
Any ideas about this one, besides adding a score to match the subject? I have 4 in my inbox this morning with scores no more than 5. http://pastebin.com/m561b461b -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: i need your indulgence
Any ideas about this one, besides adding a score to match the subject? I have 4 in my inbox this morning with scores no more than 5. http://pastebin.com/m561b461b freemail plugin http://sa.hege.li/ It looks as if the FREEMAIL_BODY is the only rule that works with this email. The From address is not in the freemail domain list, but the Reply-To is. Do both fields have to be in the freemail domain list in order for the Reply-To check to pass? -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: i need your indulgence
Scored pretty high here. DCC and JMF-BLACK account for quite a bit, but it would have scored 5.0 and been marked as spam even without them. My required_score is 7. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: i need your indulgence
Karsten Bräckelmann wrote: On Fri, 2009-08-21 at 08:06 -0400, Dan Schaefer wrote: Any ideas about this one, besides adding a score to match the subject? Probably not a smart idea, since you insist on re-using that very subject for your list post... That is incorrect. I put double spaces in the subject, because I knew someone would bring that up. :-) -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: i need your indulgence
LuKreme wrote: On 21-Aug-2009, at 07:45, Dan Schaefer wrote: Scored pretty high here. DCC and JMF-BLACK account for quite a bit, but it would have scored 5.0 and been marked as spam even without them. My required_score is 7. Then you have absolutely no cause for complaint. When the score is a 4.9, then yes I do have a cause... -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Best way to restart SA without undelivered mail?
I occasionally make changes to the local.cf for custom scores and rules and I would obviously need to restart SA. A few times in the past, spam messages have sneaked through just as SA was stopped. If I were to prevent this from happening in the future, would I first stop my MTA, restart SA, and start my MTA again? Will this cause anyone other problems with undelivered mail, especially outgoing? Note, I usually restart during the day after adding rules/scores. Something like this? /etc/init.d/postfix stop && /etc/init.d/spamassassin restart && /etc/init.d/postfix start -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Best way to restart SA without undelivered mail?
RW wrote:
On Fri, 28 Aug 2009 09:05:06 -0400
Dan Schaefer wrote:
I occasionally make changes to the local.cf for custom scores and
rules and I would obviously need to restart SA. A few times in the
past, spam messages have sneaked through just as SA was stopped. If
I were to prevent this from happening in the future, would I first
stop my MTA, restart SA, and start my MTA again? Will this cause
anyone other problems with undelivered mail, especially outgoing?
Note, I usually restart during the day after adding rules/scores.
Something like this?
/etc/init.d/postfix stop && /etc/init.d/spamassassin restart &&
/etc/init.d/postfix start
Could you not simply set a combination of --connect-retries and
--retry-sleep that's high enough to cover the downtime?
I could try that. These arguments are for spamc, so I would need to put
them in /etc/postfix/master.cf?
[r...@host ~]# cat /etc/postfix/master.cf
--cut--
spamassassin unix - n n - - pipe
user=
argv=/usr/bin/spamc
-e /usr/sbin/sendmail
-oi -f ${sender} ${recipient}
--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
Re: Best way to restart SA without undelivered mail?
Dan Schaefer wrote:
RW wrote:
On Fri, 28 Aug 2009 09:05:06 -0400
Dan Schaefer wrote:
I occasionally make changes to the local.cf for custom scores and
rules and I would obviously need to restart SA. A few times in the
past, spam messages have sneaked through just as SA was stopped. If
I were to prevent this from happening in the future, would I first
stop my MTA, restart SA, and start my MTA again? Will this cause
anyone other problems with undelivered mail, especially outgoing?
Note, I usually restart during the day after adding rules/scores.
Something like this?
/etc/init.d/postfix stop && /etc/init.d/spamassassin restart &&
/etc/init.d/postfix start
Could you not simply set a combination of --connect-retries and
--retry-sleep that's high enough to cover the downtime?
I could try that. These arguments are for spamc, so I would need to
put them in /etc/postfix/master.cf?
[r...@host ~]# cat /etc/postfix/master.cf
--cut--
spamassassin unix - n n - - pipe
user=
argv=/usr/bin/spamc
-e /usr/sbin/sendmail
-oi -f ${sender} ${recipient}
Bump :-)
--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
Re: HTML Image Spam
Casartello, Thomas wrote: Well said :) Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State College Red Hat Certified Technician (RHCT) -Original Message- From: LuKreme [mailto:krem...@kreme.com] Sent: Monday, August 31, 2009 8:27 PM To: users@spamassassin.apache.org Subject: Re: HTML Image Spam On 31-Aug-2009, at 18:19, Casartello, Thomas wrote: Well my client doesn't load images, and I already check against the zen rbl. The guy who got the message is making a big stink about the fact that he got the message. I figured there's really not that much that can be done. If he wants to get absolutely no spam that is very very easy. Disconnect the Ethernet cord. Short of that, he WILL get spam. SA is good, it's not that good. Nothing is. Or...you could turn off spam filtering for this user to show him just how much spam he's NOT getting. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Custom Bayes score
In a general consensus for those who have customized your BAYES scores, what are they? I have been experimenting with them, but I have not been successful with a "perfect" score. What I'm NOT looking for is a lecture on how everybody's systems are different. Thanks, Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Problems with high spam
Jose Luis Marin Perez wrote: * **body ELLE /is this ELLE/ describe is this ELLE Publicidad score ELLE 10.0* It appears that you are missing ELLE after describe. If you have spelling/format issues in your configuration, SA may not work at all. Run "spamassassin --lint" to see if you have any warnings. I'm pretty sure this is your solution... -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Problems with high spam
Karsten Bräckelmann wrote: On Fri, 2009-09-18 at 16:06 -0400, Dan Schaefer wrote: Jose Luis Marin Perez wrote: body ELLE /is this ELLE/ describe is this ELLE Publicidad score ELLE 10.0 It appears that you are missing ELLE after describe. If you have spelling/format issues in your configuration, SA may not work at all. Run "spamassassin --lint" to see if you have any warnings. I'm pretty sure this is your solution... Nice catch. And the advice of lint checking always is a good one. However, I'm pretty sure he merely describes a rule named "is", which is non-fatal. I added that line to my config and ran spamassassin --lint and received the following error: [3530] warn: config: warning: description exists for non-existent rule is [3530] warn: lint: 1 issues detected, please rerun with debug enabled for more information You are correct, though, in saying that it is non-fatal. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Report in header of SPAM emails
As configure SA to emails that have been submitted to the QUARANTINE directory containing the report SA in the header. Huh? -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: unsubscribe
Paul Andrews wrote: Try users-unsubscr...@spamassassin.apache.org -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: unsubscribe
On 29-Sep-2009, at 21:54, Gary Smith wrote: Didn't we already have this discussion today. You need to use the link in the headers! Yes, but if he could read your message, he could read the headers, right? Think about it, the people that unsubscribe aren't really interested in what you have to say about unsubscribing or the correct place to look for the email address. I think a simple reply from one of us with the correct email address would suffice. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: OT bad news
Thomas Mullins wrote: We have been running Spamassassin for maybe eight years now. But, my coworkers do not like OpenSource. So they have finally complained enough that my boss is going to replace our reliable FreeBSD/Spamassassin boxes. They are planning on purchasing something that runs ON Exchange. What a bummer. Shane We are sorry to see you leave. :-( -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: OT bad news
Ted Mittelstaedt wrote: Gary Smith wrote: Let them have as much Windows stuff as they want. Just plead the case to supplement. I'll have to repeat, for the original poster this isn't a technology vs technology argument. If it was, his coworkers would be listing specific things Exchange does that FreeBSD/SA does not do. This is a political battle. He is essentially in the position of a mechanic that someone brings their car to for repair, then sits there telling the mechanic what tools he should be using to repair their car. If the car gets repaired the owner claims that they knew how to repair the car better than the mechanic and the mechanic was an idiot. If the car repair fails the owner claims the mechanic is incompetent and an idiot. Either way, once your boss starts micromanaging, your going to be screwed whether you do a good job or not. He's tried "rescuing" the situation for 8 years, now your giving advice to help him "rescue" the situation more. If he "helps" them by keeping the BSD server in reserve, and they fall flat on their face and he rescues them, then it just is teaching them what to fix on their Exchange setup. They will try it again - perhaps falling flat again - and this will continue over and over with them putting more powerful hardware and more expensive add-on software on their exchange box until eventually they will figure it out, make him get rid of the BSD box - then they won't fall flat anymore. Then they will claim how much better Exchange works, completely ignoring the fact that he helped them troubleshoot their exchange setup. There is absolutely no fix for these types other than to let them fail and not help them back up - just let them be fired for incompetence. Trust me - even if that happened to these coworkers they will just go to the next employer that's a Windows only shop and will never once believe that the Windows solution is worse. It's just like the people who believe in Apple. They will go spend $1K on an iMac and accessories and get -exactly- the same thing that I can build with FreeBSD and a whitebox clone for a quarter of the cost - but will never believe that they overpaid for what they have. Ted (Standing ovation on both emails) -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
just enabled DCC
I just enabled DCC yesterday and everything appears to be working (DCC is registered). Just to make sure, can someone post an email to pastebin that has a DCC hit? Thanks. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: just enabled DCC
Jason Bertoch wrote: Dan Schaefer wrote: I just enabled DCC yesterday and everything appears to be working (DCC is registered). Just to make sure, can someone post an email to pastebin that has a DCC hit? Thanks. IIRC, a message with "test" in the subject and body will match, although your logs should tell you what rules are hitting anyway. Is DCC_CHECK the only DCC rule? Because I didn't find that in my logs yesterday. "test" in the subject and "test" in the body only triggered TVD_SPACE_RATIO and BAYES_00 from my personal email address to my work address. Any other suggestions? -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: just enabled DCC
Jeff Mincy wrote: From: Dan Schaefer Date: Tue, 13 Oct 2009 08:54:29 -0400 Jason Bertoch wrote: > Dan Schaefer wrote: >> I just enabled DCC yesterday and everything appears to be working >> (DCC is registered). Just to make sure, can someone post an email to >> pastebin that has a DCC hit? Thanks. >> > IIRC, a message with "test" in the subject and body will match, > although your logs should tell you what rules are hitting anyway. Is DCC_CHECK the only DCC rule? Because I didn't find that in my logs yesterday. "test" in the subject and "test" in the body only triggered TVD_SPACE_RATIO and BAYES_00 from my personal email address to my work address. Any other suggestions? Use spamassassin --test-mode --debug dcc < somespammsg Should print out stuff like: 08:58:51.617 0.375 0.375 [28903] dbg: dcc: network tests on, registering DCC 08:58:54.405 3.164 0.943 [28903] dbg: dcc: dccifd is available: /var/lib/dcc/dccifd 08:58:54.585 3.343 0.179 [28903] dbg: dcc: dccifd got response: X-DCC--Metrics: pinky 1356; bulk Body=3 Fuz1=4384 Fuz2=many 08:58:54.585 3.343 0.000 [28903] dbg: dcc: listed: BODY=3/20 FUZ1=4384/20 FUZ2=99/20 -jeff I followed your instructions and received the following: [1486] dbg: dcc: network tests on, registering DCC [1486] dbg: dcc: dccifd is not available: no r/w dccifd socket found [1486] dbg: dcc: dccproc is not available: no dccproc executable found [1486] dbg: dcc: dccifd and dccproc are not available, disabling DCC After seeing that, I NAT-ed 1023 local to 6277 remote and 6277 remote to 1023 to my mail server in my firewall. I ran the test again and received the same message. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: just enabled DCC
Jeff Mincy wrote: From: Dan Schaefer Date: Tue, 13 Oct 2009 09:18:44 -0400 Jeff Mincy wrote: >From: Dan Schaefer >Date: Tue, 13 Oct 2009 08:54:29 -0400 > >Jason Bertoch wrote: > > Dan Schaefer wrote: >>> I just enabled DCC yesterday and everything appears to be working >>> (DCC is registered). Just to make sure, can someone post an email to >>> pastebin that has a DCC hit? Thanks. >>> >> IIRC, a message with "test" in the subject and body will match, >> although your logs should tell you what rules are hitting anyway. > >Is DCC_CHECK the only DCC rule? Because I didn't find that in my logs >yesterday. "test" in the subject and "test" in the body only triggered >TVD_SPACE_RATIO and BAYES_00 from my personal email address to my work >address. Any other suggestions? > > Use >spamassassin --test-mode --debug dcc < somespammsg > > Should print out stuff like: > >08:58:51.617 0.375 0.375 [28903] dbg: dcc: network tests on, registering DCC >08:58:54.405 3.164 0.943 [28903] dbg: dcc: dccifd is available: /var/lib/dcc/dccifd >08:58:54.585 3.343 0.179 [28903] dbg: dcc: dccifd got response: X-DCC--Metrics: pinky 1356; bulk Body=3 Fuz1=4384 Fuz2=many >08:58:54.585 3.343 0.000 [28903] dbg: dcc: listed: BODY=3/20 FUZ1=4384/20 FUZ2=99/20 > > > -jeff > I followed your instructions and received the following: [1486] dbg: dcc: network tests on, registering DCC [1486] dbg: dcc: dccifd is not available: no r/w dccifd socket found [1486] dbg: dcc: dccproc is not available: no dccproc executable found [1486] dbg: dcc: dccifd and dccproc are not available, disabling DCC After seeing that, I NAT-ed 1023 local to 6277 remote and 6277 remote to 1023 to my mail server in my firewall. I ran the test again and received the same message. Your firewall is not the problem shown here. SpamAssassin can't find the dcc socket and executable. Do you have DCC installed? If so, where is the dccproc executable? Did you start dccifd? Where is the dccifd socket? SpamAssassin needs to know where they are. You can use various configuration options to tell SpamAssassin where to look, for example: ## DCC options (Admin only) dcc_home /var/lib/dcc dcc_dccifd_path /var/lib/dcc/dccifd dcc_path /usr/bin/dccproc -jeff I did just install DCC, but I don't know if it is installed correctly. And of course, DCC's website is down (http://www.rhyolite.com/anti-spam/dcc/). I used the instructions here instead: http://www.freespamfilter.org/FC4.html#_Toc110999211 Now when I run: spamassassin -t -D dcc < spam_message I get: [2955] dbg: dcc: network tests on, registering DCC [2955] dbg: dcc: dccifd is not available: no r/w dccifd socket found [2955] dbg: dcc: dccproc is available: /usr/bin/dccproc [2955] dbg: dcc: opening pipe: /usr/bin/dccproc -H -x 0 -a 74.86.146.6 < /tmp/.spamassassin2955q6p1Yatmp [2955] dbg: dcc: got response: X-DCC-SIHOPE-DCC-3-Metrics: pony.performanceadmin.com 1085; Body=2 Fuz1=2 Fuz2=many and 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) in the report Even though the dccfid socket cannot be found, does this appear to be working correctly? -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: just enabled DCC
Jeff Mincy wrote: From: Dan Schaefer Date: Tue, 13 Oct 2009 10:17:43 -0400 Jeff Mincy wrote: >From: Dan Schaefer >Date: Tue, 13 Oct 2009 09:18:44 -0400 > >Jeff Mincy wrote: > >From: Dan Schaefer >>Date: Tue, 13 Oct 2009 08:54:29 -0400 >> >>Jason Bertoch wrote: >>> Dan Schaefer wrote: >>>> I just enabled DCC yesterday and everything appears to be working >>>> (DCC is registered). Just to make sure, can someone post an email to >>>> pastebin that has a DCC hit? Thanks. >>>> >>> IIRC, a message with "test" in the subject and body will match, >>> although your logs should tell you what rules are hitting anyway. >> >>Is DCC_CHECK the only DCC rule? Because I didn't find that in my logs >>yesterday. "test" in the subject and "test" in the body only triggered >>TVD_SPACE_RATIO and BAYES_00 from my personal email address to my work >>address. Any other suggestions? >> >> Use >>spamassassin --test-mode --debug dcc < somespammsg >> >> Should print out stuff like: >> >>08:58:51.617 0.375 0.375 [28903] dbg: dcc: network tests on, registering DCC >>08:58:54.405 3.164 0.943 [28903] dbg: dcc: dccifd is available: /var/lib/dcc/dccifd >>08:58:54.585 3.343 0.179 [28903] dbg: dcc: dccifd got response: X-DCC--Metrics: pinky 1356; bulk Body=3 Fuz1=4384 Fuz2=many >>08:58:54.585 3.343 0.000 [28903] dbg: dcc: listed: BODY=3/20 FUZ1=4384/20 FUZ2=99/20 >> >> >> -jeff >> >I followed your instructions and received the following: > >[1486] dbg: dcc: network tests on, registering DCC >[1486] dbg: dcc: dccifd is not available: no r/w dccifd socket found >[1486] dbg: dcc: dccproc is not available: no dccproc executable found >[1486] dbg: dcc: dccifd and dccproc are not available, disabling DCC > >After seeing that, I NAT-ed 1023 local to 6277 remote and 6277 remote to >1023 to my mail server in my firewall. I ran the test again and received >the same message. > > Your firewall is not the problem shown here. SpamAssassin can't find > the dcc socket and executable. Do you have DCC installed? If so, > where is the dccproc executable? Did you start dccifd? Where is the > dccifd socket? SpamAssassin needs to know where they are. You can > use various configuration options to tell SpamAssassin where to look, > for example: > ## DCC options (Admin only) > dcc_home /var/lib/dcc > dcc_dccifd_path /var/lib/dcc/dccifd > dcc_path /usr/bin/dccproc > > -jeff > I did just install DCC, but I don't know if it is installed correctly. And of course, DCC's website is down (http://www.rhyolite.com/anti-spam/dcc/). I used the instructions here instead: http://www.freespamfilter.org/FC4.html#_Toc110999211 Now when I run: spamassassin -t -D dcc < spam_message I get: [2955] dbg: dcc: network tests on, registering DCC [2955] dbg: dcc: dccifd is not available: no r/w dccifd socket found [2955] dbg: dcc: dccproc is available: /usr/bin/dccproc [2955] dbg: dcc: opening pipe: /usr/bin/dccproc -H -x 0 -a 74.86.146.6 < /tmp/.spamassassin2955q6p1Yatmp [2955] dbg: dcc: got response: X-DCC-SIHOPE-DCC-3-Metrics: pony.performanceadmin.com 1085; Body=2 Fuz1=2 Fuz2=many and 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) in the report Even though the dccfid socket cannot be found, does this appear to be working correctly? Yes dccproc is working. You got a hit on DCC_CHECK. You should use dccifd if possible. It is faster. -jeff I added the following lines to my local.cf and everything seems to be working now dcc_home/etc/dcc dcc_dccifd_path /etc/dcc/dccifd I now get: [4817] dbg: dcc: network tests on, registering DCC [4817] dbg: dcc: dccifd is available: /etc/dcc/dccifd [4817] dbg: dcc: dccifd got response: X-DCC-SIHOPE-DCC-3-Metrics: pony.performanceadmin.com 1085; Body=4 Fuz1=4 Fuz2=many Thanks for everyone's help. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
OT: Thunderbird filter
The emails being sent to postfix-users-dig...@cloud9.net are messing with my head. I setup a filter to put emails sent to users@spamassassin.apache.org into a SA folder. Whenever an email gets sent to postfix-users-dig...@cloud9.net, I think there's something wrong with TB. I have subsequently added a filter for that address as well. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: OT: Thunderbird filter
Dan Schaefer wrote: The emails being sent to postfix-users-dig...@cloud9.net are messing with my head. I setup a filter to put emails sent to users@spamassassin.apache.org into a SA folder. Whenever an email gets sent to postfix-users-dig...@cloud9.net, I think there's something wrong with TB. I have subsequently added a filter for that address as well. I'm an idiot...wrong user list :-[ -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Is this list working?
Lars Ebeling wrote: Or am I blacklisted? I got it. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Geocities closed
Matus UHLAR - fantomas wrote: On Tue, 2009-10-27 at 05:50 -0700, John Rudd wrote: You're assuming that spammers will perfectly update all existing spam. There might be crud floating around out there for a while to come. On 27.10.09 13:06, rich...@buzzhost.co.uk wrote: I'm not assuming anything John. Spam with no endgame is pointless spam. All spam has a point and purpose - or it would not exist. Most spammers staging or springboarding from such places turn their links around mighty fast - they know they wont be up for long, so whilst I sure there may be the odd 'floater' around, the enemy is formidable and ahead of the game. Are we talking that the spam should not exist or about the spam still exists? The fact is, that if we get old spam, we should detect it, regardless if spammers make money on it or not. I was about to write something to that effect. Not all spam is created to make money. There is the annoyance factor as well. After the geocities rules are not enforced anymore (and I'm sure Spammers are monitoring this list and the the SA rules), the spammers could start up the geocities spam again just to annoy the users and admins, even though they will be broken links. SA is going to have to re-instate the rules at some point. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: Russian spam
On 1-25-2010 8:42 AM, Richard Smits wrote: Does anyone knows any tricks to fight russian spam ? We are getting a lot of this for the last weeks. I have dealt with Russian spam by using on "en" in the ok_languages variable and increasing the score for "UNWANTED_LANGUAGE_BODY" to 10. I also increased the "CHARSET_FARAWAY" and "CHARSET_FARAWAY_HEADER" scores. However, the email addresses on the server I manage are all English speaking people, so be careful with the changes you make. Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
