spamassassin and amavisd
If this topic is deemed inappropriate for this list please disregard and I will join and post on the amavisd-new list. I currently have a postfix/amavisd-new setup which I am very happy with (including postgrey which has been amazing). For any emails that score a tag or are quarantined, amavis inserts a header that gives the failed test name and the score. Is it possible to get the description of the failed test added into the header too? I realize this will add some overhead, but it would make support much easier for those that are false positives. Any help is greatly appreciated. Dylan
RE: Should I use greylisting
I am using postgrey which allows for whitelisting of address ranges, specific IPs, etc. I implemented it on the Thanksgiving weekend so it could build up its triplet database before hitting the work week email and I've not had a single person complain. On the flip side, I very rarely see spam come through that isn't sent to postmaster@ which is whitelisted. Until the spammers build in retry into their bots, I'm a firm believer of greylisting.

Dylan

-Original Message-
From: Matthew Bickerton [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 25, 2007 7:33 AM
To: users@spamassassin.apache.org
Subject: Should I use greylisting

Hi, I am setting up a new server, so have a chance to make big changes to my email server. I have been thinking about implementing Greylisting. However, I am worried about blocking/long delays with e-mails from mail farms (gmail, yahoo etc.) I would very much appreciate other people's recommendations on Greylisting or other approaches to reducing the load on my server by rejecting spam early.

Matthew
RE: RelayChecker 0.3 (more overhead?)
-Original Message-
From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 2:21 PM
To: John Rudd
Cc: Dylan Bouterse; users@spamassassin.apache.org
Subject: Re: RelayChecker 0.3 (more overhead?)

John Rudd wrote:

Dylan Bouterse wrote:

-Original Message-
From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 12, 2006 8:26 PM
To: SpamAssassin Users
Subject: RelayChecker 0.3

New version of RelayChecker.

http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar

Changes:

- It's now in a single tar file. Put the tar file into your plugin directory, expand it, and all should be good. The tar file includes:

COPYING - the GPL
RelayChecker.txt - explanations of each rule and option
RelayChecker.pm - the plugin, now with copyright info
RelayChecker.cf - example cf file (you should check the file)

- There is now an option, relaychecker_reduced_dns, which eliminates all extra DNS checks. Instead of the PTR check, it uses the rdns= part of the Untrusted Relays pseudo-header, and the RELAY_CHECKER_BADDNS test always returns 0.

Is there anything about v 0.3 that would require more overhead than the initial version? I just implemented the new version and sa passed --lint with no errors but within 5-10 min of reloading amavis-new my smtp response time went to multiple seconds and the load on the box went to over 6. Renamed the RelayChecker.cf so it isn't read by sa and reloaded amavisd and back to normal. Any suggestions?

Dylan

There shouldn't be anything that makes it _more_ intensive than the previous versions. Have you tried the relaychecker_reduced_dns option? It might be that you're just doing a lot of DNS calls today.

Oh.. wait, there IS something that could make it more intensive. Each test is going to do the PTR lookup on its own. So, instead of 1 or 2 DNS checks, it's going to do 5 (PTR in NORDNS, PTR in BADDNS, A in BADDNS, PTR in IPHOSNAME, PTR in KEYWORDS). That's per message. But, like I said, you can reduce that with the reduced_dns option. Then it should do 0 DNS checks.

Even after setting the reduced_dns option to 1 the load on the server stays high. I re-enabled AWL and my load stays low as long as I don't enable the RelayChecker. I get the following in the log:::

Nov 13 15:51:23 p1-lk-mxfilter.power1.com /usr/sbin/amavisd[30169]: (30169-01) SMTP: NOTICE: client broke the connection without a QUIT ()
Nov 13 15:51:23 p1-lk-mxfilter.power1.com /usr/sbin/amavisd[30169]: (30169-01) extra modules loaded: /etc/mail/spamassassin/RelayChecker.pm
Nov 13 15:51:23 p1-lk-mxfilter.power1.com /usr/sbin/amavisd[30169]: (30169-01) load: 100 %, total idle 0.000 s, busy 0.144 s
Nov 13 15:51:23 p1-lk-mxfilter.power1.com /usr/sbin/amavisd[30169]: (30169-01) process_request: fileno sock=13, STDIN=0, STDOUT=1
RE: IncrediMail?
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 08, 2006 9:27 AM
To: '[EMAIL PROTECTED]'; users@spamassassin.apache.org
Subject: RE: IncrediMail?

has anyone got a good corpus of mail from this mail tool? I hear many anti-image-spam rules have a tendency to FP on its output and I'd like to try to avoid this (where possible). --j.

Yes they do FP. I hate that nasty hunk of bloated junk. I do not have a corpus of it, but I'll try to save any new ones that come in. I'll double check, but I think I wrote my own rules to counter these FPs. Which may be why I don't have any in my traps.

HTH,
Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com

Would it be a bad idea to write a rule to give a negative score when the string, META content=IncrediMail is found in the body?

Dylan
how accurate are rfc-ignorant.org? tests
I have a FP that hit both DNS_FROM_RFC_POST and DNS_FROM_RFC_ABUSE but when I go to http://www.rfc-ignorant.org/ and look up the sending mail server IP it says not found. Am I right in assuming if an email fails these tests the IP should be listed in the above site?

Dylan
RE: Relay Checker Plugin (code review please?)
-Original Message- From: John D. Hardin [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 01, 2006 5:05 PM To: Dylan Bouterse Cc: users@spamassassin.apache.org Subject: RE: Relay Checker Plugin (code review please?) On Wed, 1 Nov 2006, Dylan Bouterse wrote: # headerRELAY_CHECKER eval:relay_checker() # describe RELAY_CHECKER Check relay for DNS/Hostname issues. to: if ($nordns) { and when I run --lint I get the following errors: /etc/mail/spamassassin/RelayChecker.pm line 44, near 27 @@ ...how exactly did you apply the patch? From the contents of that error message it looks like you just inserted the patch text into the source file... Take a look at man patch. (Sorry if you did do that, but that error message is really suggestive of improper procedure.) I have never used the patch command and was not aware of it. Thank you for pointing me in the right direction. I was able to patch my RelayChecker.cf file using the patch command and the provided patch for that file but I am getting errors when trying to patch the RelayChecker.pm file. [EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch RelayChecker.pm missing header for unified diff at line 3 of patch patching file RelayChecker.pm Hunk #3 succeeded at 102 with fuzz 1. missing header for unified diff at line 77 of patch can't find file to patch at input line 77 Perhaps you should have used the -p or --strip option? The text leading up to this was: -- | if (! defined($name)) { | # the PTR record leads to a host that doesn't resolve in DNS | Mail::SpamAssassin::Plugin::dbg(RelayChecker: badrdns); |- $badrdns = 1; |+ $badrdns = $badrdns_score; | } | else { | Mail::SpamAssassin::Plugin::dbg(RelayChecker: name is $name); 
@@ -96,7 +123,7 @@ | # the hostname in the PTR record does resolve, but that hostname | # doesn't have $ip as one of its IP addresses | Mail::SpamAssassin::Plugin::dbg(RelayChecker: baddns); |-$baddns = 1; |+$baddns = $baddns_score; | } | else { | ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets @@ -124,7 +151,7 @@ |# in hex or decimal form ... or the entire thing in decimal |# probably a spambot since this is an untrusted relay |Mail::SpamAssassin::Plugin::dbg(RelayChecker: ipinhostname); |- $ipinhostname = 1; |+ $ipinhostname = $ipinhostname_score; |} | if ($hostname =~ | /(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+ $/ --
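Review bot: In all three hunks the hit flags ($badrdns, $baddns, $ipinhostname) stop being set to 1 and take their value from $badrdns_score, $baddns_score and $ipinhostname_score, yet none of the visible lines declares or defaults those variables. If one of them is undefined or configured as 0, any truth test on the flag (the thread quotes "if ($nordns) {") treats the check as not failed, with no warning. Suggest giving each *_score a default of 1 where the option is parsed and keeping the boolean hit separate from its weight, and documenting the new options next to the RELAY_CHECKER rule in RelayChecker.cf. The "missing header for unified diff" messages at patch lines 3 and 77 also show that the patch file lacks ---/+++ file headers for some of its sections, so it should be regenerated with diff -u against a clean RelayChecker.pm and sent as an attachment.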
RE: Relay Checker Plugin (code review please?)
I did a couple of times. :(

-Original Message-
From: Billy Huddleston [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 01, 2006 9:20 PM
To: Dylan Bouterse; users@spamassassin.apache.org
Subject: Re: Relay Checker Plugin (code review please?)

You may want to download new RelayChecker.pm file... you may have messed it up previously.. If you still have problems let me know..

- Original Message -
From: Dylan Bouterse [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, November 01, 2006 6:39 PM
Subject: RE: Relay Checker Plugin (code review please?)

-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 01, 2006 5:05 PM To: Dylan Bouterse Cc: users@spamassassin.apache.org Subject: RE: Relay Checker Plugin (code review please?) On Wed, 1 Nov 2006, Dylan Bouterse wrote: # headerRELAY_CHECKER eval:relay_checker() # describe RELAY_CHECKER Check relay for DNS/Hostname issues. to: if ($nordns) { and when I run --lint I get the following errors: /etc/mail/spamassassin/RelayChecker.pm line 44, near 27 @@ ...how exactly did you apply the patch? From the contents of that error message it looks like you just inserted the patch text into the source file... Take a look at man patch. (Sorry if you did do that, but that error message is really suggestive of improper procedure.) I have never used the patch command and was not aware of it. Thank you for pointing me in the right direction. I was able to patch my RelayChecker.cf file using the patch command and the provided patch for that file but I am getting errors when trying to patch the RelayChecker.pm file. [EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch RelayChecker.pm missing header for unified diff at line 3 of patch patching file RelayChecker.pm Hunk #3 succeeded at 102 with fuzz 1. missing header for unified diff at line 77 of patch can't find file to patch at input line 77 Perhaps you should have used the -p or --strip option? The text leading up to this was: -- | if (! defined($name)) { | # the PTR record leads to a host that doesn't resolve in DNS | Mail::SpamAssassin::Plugin::dbg(RelayChecker: badrdns); |- $badrdns = 1; |+ $badrdns = $badrdns_score; | } | else { | Mail::SpamAssassin::Plugin::dbg(RelayChecker: name is $name); @@ -96,7 +123,7 @@ | # the hostname in the PTR record does resolve, but that hostname | # doesn't have $ip as one of its IP addresses | Mail::SpamAssassin::Plugin::dbg(RelayChecker: baddns); |-$baddns = 1; |+$baddns = $baddns_score; | } | else { | ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets 
@@ -124,7 +151,7 @@ |# in hex or decimal form ... or the entire thing in decimal |# probably a spambot since this is an untrusted relay |Mail::SpamAssassin::Plugin::dbg(RelayChecker: ipinhostname); |- $ipinhostname = 1; |+ $ipinhostname = $ipinhostname_score; |} | if ($hostname =~ | /(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+ $/ --
TVD tests?
In the 80_additional.cf file I have a list of TVD* rules that are not explained on the http://spamassassin.apache.org/tests_3_1_x.html page (I'm running SA 3.1.7 and up to date with sa-update). Are these new rules added to SA? Most of the scores rank pretty high and I'm seeing them pop up in FPs more and more. Dylan
RE: Relay Checker Plugin (code review please?)
-Original Message-
From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Monday, October 30, 2006 6:23 PM
To: SpamAssassin Users
Subject: Relay Checker Plugin (code review please?)

I've written a plugin for Spam Assassin that does the relay checks I used to do in MimeDefang. The purpose of these checks is to try to identify those messages that are likely to be coming directly (with no intermediary mail server) from a zombie-bot, and are thus likely to be spam (or maybe virus) content. It does this by looking at characteristics of how ISPs and large networks tend to lay out the hostnames of their dynamic hosts and end clients. This includes:

1) no RDNS for the machines that aren't intended to talk to the outside world
2) RDNS that doesn't lead back to a valid A record
3) RDNS that is forged (leads to an A record which doesn't resolve back to the IP you started with)
4) Contains the host's IP address within the hostname
5) Contains standard key words within the hostname (but not in the TLD nor registered domain name), such as dhcp, dialup, dial-up, dsl, etc.

From this, a score of 5 or 6 is generated (it's really 4+ number of checks failed, but several of the checks are mutually exclusive). This should be enough to flag the message for review/quarantine, but not enough to automatically delete or reject the message (because none of you are doing that at a score of 5 or 6, right? right.). Thus, a false positive will merely result in a quarantine situation.

In my own results, I have seen this to be HIGHLY accurate. I have yet to get a false positive ... but it has caught several types of spam that other methods simply haven't been able to catch (or require significant processing, such as OCR, to catch).

The two files you need (put them in /etc/mail/spamassassin ... or wherever you want to put your plugins) are:

http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.cf
http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.pm

some notes:

1) I don't use Net::DNS for my checks, I use the built in perl get* calls. Mostly because I haven't looked at Net::DNS yet. If someone wanted to submit that code change to me, I'd gladly look at it. I'll get to it eventually on my own, though (might as well; SA already uses Net::DNS, right?).

2) This sort of replaces the other set of rules I created, that did this with metarules instead of a plugin. This made some of the checks less useful. You probably don't need to use both methods.

3) for those who object to SA checks that aren't purely about message content, you won't like this plugin. It's about trying to remove a class of sender (spambots, and mis-configured clients that aren't using their own domain's mail server for outbound traffic), where that class of sender is OVERWHELMINGLY likely to be generating spam. Just like open relays are overwhelmingly likely to be generating spam. My hope is that it may eliminate, or severely reduce, the spambot problem: this is a feature of the sending machine that the spammer and bot-master have _NO_ control over, so they can't adjust their content nor behaviors to adapt to it. They would simply have to give up using systems whose DNS configuration match these tests.

So, if people could take a look at it, test it, see if it does what it advertises, and see if it's as accurate as my experience indicates, I would appreciate getting feedback. If it pans out, I'll see about putting it in a tar ball, and submitting it to the wiki's list of plugins.

John

How would one adjust the score down for testing purposes?

Dylan
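
The five relay checks listed in the post above, combined with the remedy for the per-test lookup overhead discussed in the RelayChecker 0.3 thread (one PTR and at most one A lookup per relay, shared by every test), as an added Perl example; it is not the plugin's own code. The DNS tables, addresses and hostnames are constructed, the sub names (ptr_lookup, a_lookup, relay_dns, ip_in_hostname, check_relay) are hypothetical, and the IP-in-hostname forms are one reading of the description.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed DNS data: documentation address ranges and invented hostnames.
my %PTR = (
    '192.0.2.10'    => 'mail.example.org',
    '198.51.100.77' => 'dsl-198-51-100-77.pool.example.net',
    '203.0.113.5'   => 'mx.forged.example',
    '203.0.113.9'   => 'gone.example.com',
);
my %A = (
    'mail.example.org'                   => ['192.0.2.10'],
    'dsl-198-51-100-77.pool.example.net' => ['198.51.100.77'],
    'mx.forged.example'                  => ['192.0.2.200'],
);

# Stand-ins for real resolver calls; they count how often DNS is consulted.
my %lookups = (ptr => 0, a => 0);
sub ptr_lookup { my ($ip)   = @_; $lookups{ptr}++; return $PTR{$ip} }
sub a_lookup   { my ($name) = @_; $lookups{a}++;   return @{ $A{$name} || [] } }

# One PTR and at most one A lookup per relay IP, shared by every test.
# (A real plugin would scope this cache to the message being scanned.)
my %dns_cache;
sub relay_dns {
    my ($ip) = @_;
    unless (exists $dns_cache{$ip}) {
        my $name  = ptr_lookup($ip);
        my @addrs = defined $name ? a_lookup($name) : ();
        $dns_cache{$ip} = { name => $name, addrs => \@addrs };
    }
    return $dns_cache{$ip};
}

# Check 4: the relay's IP embedded in its own hostname. The forms tried here
# (octets in either order, 8 hex digits, one decimal integer) are an assumption.
sub ip_in_hostname {
    my ($ip, $host) = @_;
    my @o   = split /\./, $ip;
    my $fwd = join '\D', @o;
    my $rev = join '\D', reverse @o;
    my $hex = sprintf '%02x%02x%02x%02x', @o;
    my $int = unpack('N', pack('C4', @o));
    return 1 if $host =~ /(?<!\d)(?:$fwd|$rev)(?!\d)/;
    return 1 if $host =~ /$hex/ || $host =~ /(?<!\d)$int(?!\d)/;
    return 0;
}

# Check 5: keyword pattern as quoted in the thread; the keyword must be
# followed by at least two more labels, so the registered domain is ignored.
my $KEYWORDS =
    qr/(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+$/;

sub check_relay {
    my ($ip) = @_;
    my $dns = relay_dns($ip);
    my @hits;
    if (!defined $dns->{name}) {
        push @hits, 'NORDNS';                                          # check 1
    }
    else {
        my $host  = lc $dns->{name};
        my @addrs = @{ $dns->{addrs} };
        if    (!@addrs)                    { push @hits, 'BADRDNS' }  # check 2
        elsif (!grep { $_ eq $ip } @addrs)  { push @hits, 'BADDNS' }   # check 3
        push @hits, 'IPINHOSTNAME' if ip_in_hostname($ip, $host);
        push @hits, 'KEYWORDS'     if $host =~ $KEYWORDS;
    }
    # Scoring as described in the post: 4 plus the number of failed checks.
    my $score = @hits ? 4 + @hits : 0;
    return ($score, @hits);
}

# The last address repeats an earlier relay to show the cache being reused.
for my $ip (qw(192.0.2.10 198.51.100.77 203.0.113.5 203.0.113.9
               203.0.113.50 198.51.100.77)) {
    my ($score, @hits) = check_relay($ip);
    printf "%-14s score=%d %s\n", $ip, $score, @hits ? join(',', @hits) : 'clean';
}
printf "PTR lookups: %d, A lookups: %d\n", $lookups{ptr}, $lookups{a};
```

The lookup counters printed at the end show the difference from five independent lookups per message: the resolver is consulted once per distinct relay, however many tests read the result.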
RE: Re: spamassassin --lint fails with rules in local.cf
-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Alain Wolf
Sent: Friday, October 27, 2006 8:39 PM
To: users@spamassassin.apache.org
Subject: Re: spamassassin --lint fails with rules in local.cf

On 26.10.2006 14:35, * Dylan Bouterse wrote:

I have added some rules in my local.cf file (for adding scores for some SARE rules) but when I run spamassassin -lint (or when I run rules_du_jour which does the same) it says the rules in my local.cf file are non-existent, but spamassassin ultimately runs fine. What am I doing wrong?

Dylan

Oops, just stumbled upon the release announcement of SpamAssassin 3.1.7

http://www.nabble.com/ANNOUNCE%3A-Apache-SpamAssassin-3.1.7-available%21-tf2415849.html

3.1.7 is a quick-fix release; it contains only a fix for one bug, introduced accidentally in 3.1.6:

- bug 5119: if admins had set rule scores in the site configuration in /etc, sa-update would fail. Back out this change

Don't know if Dylan is already using 3.1.7. We are on 3.1.6 because there is no updated FreeBSD-Port out yet. So I wait.

Greetings
Alain

I was actually on 3.1.3 but upgraded to 3.1.7 to get rid of the errors I had when I tried to --lint. I also moved my spamassassin .cf files into the /etc/mail/spamassassin folder and the errors I had with the rules in the local.cf went away. Amavisd was still running fine because it was reading in all the .cf files in /etc/mail/spamassassin and /usr/share/spamassassin. It all looks good now. Thanks everybody!

Dylan
RE: spamassassin --lint fails with rules in local.cf (now perl plugin error for TextCat)
-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Friday, October 27, 2006 9:13 AM
To: Dylan Bouterse
Cc: users@spamassassin.apache.org
Subject: Re: spamassassin --lint fails with rules in local.cf

Dylan Bouterse wrote:

[EMAIL PROTECTED] spamassassin]# pwd
/usr/share/spamassassin
[EMAIL PROTECTED] spamassassin]# grep SARE_GIF_ATTACH *
70_sare_stocks.cf:full SARE_GIF_ATTACH /name=\?[0-9a-z._\-]{3,18}\.gif\?/i
70_sare_stocks.cf:describe SARE_GIF_ATTACH Email has a inline gif
70_sare_stocks.cf:scoreSARE_GIF_ATTACH 0.75
[EMAIL PROTECTED] spamassassin]# grep SARE_GIF_STOX *
70_sare_stocks.cf:describe SARE_GIF_STOX Inline Gif with little HTML
70_sare_stocks.cf:scoreSARE_GIF_STOX 1.66
[EMAIL PROTECTED] spamassassin]# grep SARE_SPEC_XXGEOCITIES2 *
70_sare_specific.cf:meta SARE_SPEC_XXGEOCITIES2 !__SARE_SPEC_XXGEOCITIE __SARE_SPEC_XX2GEOCIT
70_sare_specific.cf:describe SARE_SPEC_XXGEOCITIES2 spamsign pointing to free webhost spam site
70_sare_specific.cf:score SARE_SPEC_XXGEOCITIES2 1.666
[EMAIL PROTECTED] spamassassin]# grep SARE_SPEC_XXGEOCITIES3 *
70_sare_specific.cf:meta SARE_SPEC_XXGEOCITIES3 __SARE_SPEC_XXGEOCITIE__SARE_SPEC_XX2GEOCIT
70_sare_specific.cf:describe SARE_SPEC_XXGEOCITIES3 spamsign pointing to free webhost spam site
70_sare_specific.cf:score SARE_SPEC_XXGEOCITIES3 1.666

My guess is that the lint check is reading the local.cf file before the additional SARE rule sets. My --list reads:

[16109] dbg: config: using /etc/mail/spamassassin for site rules pre files
[16109] dbg: config: read file /etc/mail/spamassassin/init.pre
[16109] dbg: config: read file /etc/mail/spamassassin/v310.pre
[16109] dbg: config: read file /etc/mail/spamassassin/v312.pre
[16109] dbg: config: using /var/lib/spamassassin/3.001003 for sys rules pre files
[16109] dbg: config: using /var/lib/spamassassin/3.001003 for default rules dir
[16109] dbg: config: read file /var/lib/spamassassin/3.001003/updates_spamassassin_org.cf
[16109] dbg: config: using /etc/mail/spamassassin for site rules dir
[16109] dbg: config: read file /etc/mail/spamassassin/local.cf

And the SARE ruleset configs come after that. My SARE rulesets are in /usr/share/spamassassin. Should I put my local.cf file there as well or am I going down the wrong path?

You're using the wrong path. Move your SARE rules to /etc/mail/spamassassin/ where they belong. The SARE rulesets must be parsed BEFORE your local.cf.

Also, are you sure the ones in /usr/share/spamassassin are even being parsed? According to the above, your system is using /var/lib/spamassassin/3.001003 instead of /usr/share/spamassassin.

That said, in general, don't monkey with anything but the site rules dir. Any other rule directories, such as the default rules dir, are for SA's own rules, and the SA installer feels perfectly free to rm -f * on those directories.

Amavisd read the /usr/share/spamassassin dir which is probably why --lint didn't work but reloading amavisd would work. Either way. I moved my /usr/share/spamassassin dir contents to /etc/mail/spamassassin. I get the following errors when trying to --lint.

[3246] dbg: plugin: loading Mail::SpamAssassin::Plugin::TextCat from @INC
[3246] warn: textcat: languages filename not defined
[3246] dbg: plugin: registered Mail::SpamAssassin::Plugin::TextCat=HASH(0x9760db8)
[3246] warn: config: invalid regexp for rule SUBJ_SOMEONE_WROTE: Subject =~ /\bwrote:$/i: missing or invalid delimiters
[3246] warn: config: warning: description exists for non-existent rule SUBJ_SOMEONE_WROTE
[3246] warn: config: warning: score set for non-existent rule SUBJ_SOMEONE_WROTE
[3246] warn: Use of uninitialized value in hash element at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/TextCat.pm line 380.
[3246] warn: Use of uninitialized value in join or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/TextCat.pm line 391.
[3246] dbg: textcat: language possibly:
[3246] warn: Use of uninitialized value in join or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/TextCat.pm line 469.

The SUBJ_SOMEONE_WROTE rule that was posted a week ago or so on the list isn't passing.

20_phrases.cf:body SUBJ_SOMEONE_WROTE Subject =~ /\bwrote:$/i
20_phrases.cf:describe SUBJ_SOMEONE_WROTE Search for Subject lines ending in wrote:
50_scores.cf:score SUBJ_SOMEONE_WROTE 3.000

I still get the TextCat errors even if I comment out the SUBJ_SOMEONE_WROTE rule.

Dylan
spamassassin --lint fails with rules in local.cf
I have added some rules in my local.cf file (for adding scores for some SARE rules) but when I run spamassassin -lint (or when I run rules_du_jour which does the same) it says the rules in my local.cf file are non-existent, but spamassassin ultimately runs fine. What am I doing wrong? Dylan
RE: spamassassin --lint fails with rules in local.cf
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:31 AM
To: Dylan Bouterse; users@spamassassin.apache.org
Subject: RE: spamassassin --lint fails with rules in local.cf

-Original Message-
From: Dylan Bouterse [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 26, 2006 8:35 AM
To: users@spamassassin.apache.org
Subject: spamassassin --lint fails with rules in local.cf

I have added some rules in my local.cf file (for adding scores for some SARE rules) but when I run spamassassin -lint (or when I run rules_du_jour which does the same) it says the rules in my local.cf file are non-existent, but spamassassin ultimately runs fine. What am I doing wrong?

A copy of your added lines to your local.cf sure would help us help you. Otherwise I can't use telepathy anymore. Not since that incident at the zoo. Things got a bit... messy.

--Chris

Below are my uncommented entries in the local.cf file. The only error comes from the additional SARE lines at the bottom.

report_safe 0
use_bayes 1
bayes_path /var/amavis/.spamassassin/bayes
razor_config /var/amavis/.razor/razor-agent.conf
lock_method flock
skip_rbl_checks 0
use_razor2 1
use_dcc 0
use_pyzor 0
dns_available yes
header LOCAL_RCVD Received =~ /.*\(\S+\.domain\.com\s+\[.*\]\)/
describe LOCAL_RCVD Received from local machine
score LOCAL_RCVD -50
## Optional Score Increases
score DCC_CHECK 4.000
score SPF_FAIL 4.000
score SPF_HELO_FAIL 5.000
score RAZOR2_CHECK 2.500
score BAYES_99 4.300
score BAYES_95 3.500
score BAYES_80 3.000
score SARE_GIF_ATTACH 1.75
score SARE_GIF_STOX 2.50
score SARE_SPEC_XXGEOCITIES2 3.000
score SARE_SPEC_XXGEOCITIES3 3.000
RE: Per Domain Whitelisting
-Original Message-
From: jasonegli [mailto:[EMAIL PROTECTED]
Sent: Monday, October 23, 2006 5:36 PM
To: users@spamassassin.apache.org
Subject: Per Domain Whitelisting

I'm running multiple domains on one SPAM cleaning server. I'm wondering if there's a way in spamassassin to build a separate whitelist for each domain. If not, can you build a whitelist based on BOTH To and From addresses. For example let's say that domain xyz.com wants to allow all messages from yahoo.com, but domain 123.com does not. Is there a way to allow FROM [EMAIL PROTECTED] TO [EMAIL PROTECTED]?

Thanks

--
View this message in context: http://www.nabble.com/Per-Domain-Whitelisting-tf2497743.html#a6962693
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

I've not implemented or tested it, but I ran across Maia Mailguard a few weeks back. It looks like you can do per user/domain sa settings.

http://www.renaissoft.com/maia/

Dylan
RE: sare suggestions.
Thank you.

-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 3:59 PM
To: Dylan Bouterse; list_spamassassin
Subject: sare suggestions.

Dylan Bouterse wrote:

What SARE channels are you subscribing to? I just got the rules_du_jour script running and added several SARE channels and I'm seeing SARE in my amavisd log a LOT. Just wondering if there are certain highly recommended rule sets to use and those to stay away from that are too strict and produce false positives. Thanks for your feedback.

Please don't ask for offlist help. Either everyone cares about the topic, or perhaps you shouldn't be mailing me anyway?

I don't use rulesdujour because it seems like too much hackery. sa-update (included with spamassassin) does it all very cleanly, and is supported by the team. (sa-update is newer than rdj, so it's not really rdj's fault)

Frankly, I subscribed to almost every single ruleset on the rulesemporium page. If I skipped any that weren't do not use then I don't know what they were.

--
Jo Rhett
Network/Software Engineer
Net Consonance
RE: Having issue with a type of spam I havn't seen before
I'm trying to write a rule to score src="" but I can't seem to get it right. Can somebody shed some light on what I'd use for the 20_phrases.cf file so I can start scoring this? Thanks.

Dylan

From: Thomas Lindell [mailto:[EMAIL PROTECTED]
Sent: Friday, October 13, 2006 10:41 AM
To: users@spamassassin.apache.org
Subject: Having issue with a type of spam I havn't seen before

!DOCTYPE html PUBLIC -//W3C//DTD HTML 4.01 Transitional//EN HTMLHEADTITLEJoin the thousands of people who got slim/TITLE /HEAD BODY IMG alt= hspace=0 src="" align=baseline border=0 p /p

Note the img tag. It's using src=""> I haven't seen this before. Can anyone shed some light on this for me?

Thomas Lindell
Stock spam in images
I'm a newbie to the list and have been scanning recent posts to see if what I'm about to ask about has been covered but I haven't seen anything yet. Lately I have been getting more and more of the stock alert spam but now all the good info is in an image and typically following the image is random text to fool the Bayesian filter. I think the random text thing has been covered here recently. It's frustrating when sa is giving a -1.6 (or so) score to these emails right off the bat. Quite a few of these aren't even getting spam headers because they aren't scoring high enough. Is there some magical trick to help score these messages higher? Maybe a future version of sa will incorporate an OCR module? :) Dylan
RE: Stock spam in images
-Original Message-
From: Bowie Bailey [mailto:[EMAIL PROTECTED]
Sent: Monday, October 02, 2006 9:46 AM
To: users@spamassassin.apache.org
Subject: RE: Stock spam in images

Dylan Bouterse wrote:

I'm a newbie to the list and have been scanning recent posts to see if what I'm about to ask about has been covered but I haven't seen anything yet. Lately I have been getting more and more of the stock alert spam but now all the good info is in an image and typically following the image is random text to fool the Bayesian filter. I think the random text thing has been covered here recently. It's frustrating when sa is giving a -1.6 (or so) score to these emails right off the bat. Quite a few of these aren't even getting spam headers because they aren't scoring high enough. Is there some magical trick to help score these messages higher? Maybe a future version of sa will incorporate an OCR module? :)

Dylan

How about the FuzzyOCR plugin? That has been discussed quite a bit here recently.

http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

--
Bowie

Thank you everyone for your responses! I will try the FuzzyOCR module.

Dylan