Re: how can i finetune to spamassassin to handle spams (not latest 72_active.cf)

[Eddy Beliveau]

 Message original 
Sujet : Re: how can i finetune to spamassassin to handle spams (not 
latest 72_active.cf)

De : Bowie Bailey 
Pour : users@spamassassin.apache.org
Date : 2010-01-29 11:30

Eddy Beliveau wrote:
  

Hi!

Interesting subject... which make me checked my 3.3.0 installation

I did update spamassassin to version 3.3.0
Then I erased /var/lib/spamassassin/*
did a "sa-update --verbose"
/Update available for channel updates.spamassassin.org
Update was available, and was downloaded and installed successfully/

cd /var/lib/spamassassin/3.003000/updates_spamassassin_org
grep FH_DATE_PAST_20XX 72_active.cf

and the grep command display nothing !!

Did I missed something ?



Well, if you don't have the rule, then you don't have to worry about it
misfiring!  :)
  

Hi!

Many thanks for your reply.

Maybe this rule got replaced with something else in 3.3.0.  I haven't
updated my systems yet, so I'm not sure.
  

Yes, it make sense  ;-)

Anyway, I just add this to my local.cf file

header   DATE_ONE_YEAR_FUTURE  
eval:check_for_shifted_date('8760', 'undef')
describe DATE_ONE_YEAR_FUTURE  Date: is more than a year in 
future after Received: date
lang fr describe DATE_ONE_YEAR_FUTURE  Date: est au moins un an après la 
date de l'en-tête Received:

scoreDATE_ONE_YEAR_FUTURE  2.0
scoreFH_DATE_PAST_20XX 0.0

this way, I won't have to change it every 10 years

Cheers,
Eddy

--
Eddy Beliveau
HEC Montreal
Montreal (Quebec)
Canada

Re: how can i finetune to spamassassin to handle spams (not latest 72_active.cf)

[Eddy Beliveau]

 Message original 
Sujet : Re: how can i finetune to spamassassin to handle spams
De : Bowie Bailey 
Pour : users@spamassassin.apache.org
Date : 2010-01-29 09:28

ram wrote:
  
 


The rules in /usr/share/spamassassin are the original rules from the
install.  If /var/lib/spamassassin/3.002.005 exists, those rules
will be
used instead.  You can verify which rules are being used by
running this
command:

   $ spamassassin --lint -D 2>&1 | grep "read file"

 
 spamassassin --lint -D 2>&1 | grep "read file"

[26114] dbg: config: read file /etc/mail/spamassassin/init.pre
[26114] dbg: config: read file /etc/mail/spamassassin/v310.pre
[26114] dbg: config: read file /etc/mail/spamassassin/v312.pre
[26114] dbg: config: read file /etc/mail/spamassassin/v320.pre
[26114] dbg: config: read file
/var/lib/spamassassin/3.002005/updates_spamassassin_org.cf

[26114] dbg: config: read file /etc/mail/spamassassin/local.cf

[26114] dbg: config: read file
/var/lib/spamassassin/3.002005/updates_spamassassin_org/10_default_prefs.cf

[26114] dbg: config: read file
/var/lib/spamassassin/3.002005/updates_spamassassin_org/20_advance_fee.cf



[snip]
  

[26114] dbg: config: read file
/var/lib/spamassassin/3.002005/updates_spamassassin_org/72_scores.cf

[26114] dbg: config: read file
/var/lib/spamassassin/3.002005/updates_spamassassin_org/80_additional.cf




So you are running from the updated rules...

  

To see if you have the latest rule, cd to
/var/lib/spamassassin/3.002005/updates_spamassassin_org and do this:

   $ grep FH_DATE_PAST_20XX 72_active.cf 

 
grep FH_DATE_PAST_20XX 72_active.cf 

##{ FH_DATE_PAST_20XX
header   FH_DATE_PAST_20XX  Date =~ /20[2-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX  The date is grossly in the future.
##} FH_DATE_PAST_20XX




Hi!

Interesting subject... which make me checked my 3.3.0 installation

I did update spamassassin to version 3.3.0
Then I erased /var/lib/spamassassin/*
did a "sa-update --verbose"
/Update available for channel updates.spamassassin.org
Update was available, and was downloaded and installed successfully/

cd /var/lib/spamassassin/3.003000/updates_spamassassin_org
grep FH_DATE_PAST_20XX 72_active.cf

and the grep command display nothing !!

Did I missed something ?

Thanks,
Eddy

Re: URI-DNSBL problem with spamassassin 3.2.5

[Eddy Beliveau]

 Message original 
Sujet : Re: URI-DNSBL problem with spamassassin 3.2.5
De : Dan Schaefer 

Dan Schaefer wrote:
Please, can someone feed http://pastebin.ca/1495707 into 
spamassassin 3.3.0 and see how it works ?

Hi!
pts rule name  description
 -- 
--

0.0 HTML_MESSAGE   BODY: HTML included in message
-4.0 BAYES_00   BODY: Bayesian spam probability is 0 to 1%

Sorry that's 3.2.5

Hi! Dan,

Many thanks for your reply.

I'm also having 3.2.5 but spamassassin freeze when processing this email,
it just freeze during 20 minutes and then give the same rule as you 
mentionned.


I also try to use the plugin HitFreqsRuleTiming (see this thread) 
without any success with 3.2.5


I'm trying to find which rule is the culprit one !

Any hint ?

Thanks,
Eddy

Re: URI-DNSBL problem with spamassassin 3.2.5

[Eddy Beliveau]

 Message original 
Sujet : Re: URI-DNSBL problem with spamassassin 3.2.5
Date : 2009-07-14 11:07
but Ido not find any timing.log file on my current directory or 
anywhere on my system!!

Did I missed something ?
I doubt all the necessary hooks are in place for that plugin to work 
in 3.2.5, you'd need to run 3.3 to make use of that plugin.

Michael

On Jul 9, 2009, at 1:40 PM, Eddy Beliveau wrote:
Hi! Michael,

Many thanks for the hint.

The current devel version is 3.3.0-alpha1 (dated 2 weeks ago)

Do you know when the production release will be available ?

I do not want to put non-production version on my academic server.

Maybe I can send you the culprit email if you have 3.3 installed and 
see how it reacts on your location !


Is there a web page where I can inject the email to have it analysed 
by some SA version ?
I tried my 250KB message with http://flashmarketing.com/spam-check.htm 
but it said that my message is too big


Thanks,
Eddy


Hi!

Please, can someone feed http://pastebin.ca/1495707 into spamassassin 
3.3.0 and see how it works ?


Many thanks for your help
Eddy

--
Eddy Beliveau
HEC Montreal
Montreal (Quebec)
Canada

Re: URI-DNSBL problem with spamassassin 3.2.5

[Eddy Beliveau]

 Message original 
Sujet : Re: URI-DNSBL problem with spamassassin 3.2.5
De : Michael Parker 
Pour : Eddy Beliveau 
Copie à : users@spamassassin.apache.org, Mark Martinec 


Date : 2009-07-09 19:37


On Jul 9, 2009, at 1:40 PM, Eddy Beliveau wrote:


but Ido not find any timing.log file on my current directory or 
anywhere on my system!!


Did I missed something ?



I doubt all the necessary hooks are in place for that plugin to work 
in 3.2.5, you'd need to run 3.3 to make use of that plugin.


Michael



Hi! Michael,

Many thanks for the hint.

The current devel version is 3.3.0-alpha1 (dated 2 weeks ago)

Do you know when the production release will be available ?

I do not want to put non-production version on my academic server.

Maybe I can send you the culprit email if you have 3.3 installed and see 
how it reacts on your location !


Is there a web page where I can inject the email to have it analysed by 
some SA version ?
I tried my 250KB message with http://flashmarketing.com/spam-check.htm 
but it said that my message is too big


Thanks,
Eddy

Re: URI-DNSBL problem with spamassassin 3.2.5

[Eddy Beliveau]

Is there some way to find the culprit rule ?
other that removing all rules and adding them one at the time.



Perhaps the best timing tool for rules is the HitFreqsRuleTiming
plugin, which can be found in masses/plugins/HitFreqsRuleTiming.pm
in the distribution. Should work with 3.2.5 and with 3.3.0.
It is quite primitive in that it does not have any configurables,
but just dumps its results to a file 'timing.log' in the current
working directory (make sure it is writable for the UID under
which SA is running, no error is issued if it can not write there).

To activate it, copy it to some place, then add a loadplugin
command to one of your .pre files, such as a local.pre, providing
the path to the .pm file, e.g.:

loadplugin HitFreqsRuleTiming /etc/mail/spamassassin/HitFreqsRuleTiming.pm

Then run a command line spamassassin giving it a sample message, e.g.:

$ spamassassin -t   

Hi! Mark,

Many thanks for your reply.

I'm using SpamAssassin version 3.2.5 running on Perl version 5.8.5

I did extract HitFreqsRuleTiming.pm from spamassassin_20090708151200.tar.gz,
move it to /etc/mail/spamassassin
then create the /etc/mail/spamassassin/local.pre file with the following 
line

loadplugin HitFreqsRuleTiming /etc/mail/spamassassin/HitFreqsRuleTiming.pm

Now, on /tmp directory,  I execute "spamassassin --lint -t -D" which 
correctly said:

...cut...
[24936] dbg: plugin: loading HitFreqsRuleTiming from 
/etc/mail/spamassassin/HitFreqsRuleTiming.pm

...cut...
[27955] dbg: plugin: HitFreqsRuleTiming=HASH(0x114a8588) implements 
'start_rules', priority 0

[27955] dbg: rules: compiled one_line_body tests
[27955] dbg: plugin: 
Mail::SpamAssassin::Plugin::Rule2XSBody=HASH(0x1197b19c) implements 
'run_body_fast_scan', priority 0

[27955] dbg: rules: running head tests; score so far=0
[27955] dbg: rules: compiled head tests
[27955] dbg: plugin: HitFreqsRuleTiming=HASH(0x114a8588) implements 
'ran_rule', priority 0

...cut...
[27955] dbg: check: is spam? score=4.205 required=5
[27955] dbg: check: 
tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
[27955] dbg: check: 
subtests=__BOTNET_NOTRUST,__HAS_MSGID,__HAVE_BOUNCE_RELAYS,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID


but Ido not find any timing.log file on my current directory or anywhere 
on my system!!


Did I missed something ?

Thanks,
Eddy

Re: URI-DNSBL problem with spamassassin 3.2.5

[Eddy Beliveau]

 Message original 
Sujet : Re: URI-DNSBL problem with spamassassin 3.2.5
De : John Hardin 
Pour : Eddy Beliveau 
Copie à : SpamAssassin Users List 
Date : 2009-07-07 16:49

On Tue, 7 Jul 2009, Mark Martinec wrote:


It is not the DNS query that is a problem here.


Eddy:

What happens when you run the test using -L (no network tests)? Does 
it still take as long?



Hi!

Mark & John, many thanks for your replies

So I spin it again with "-L -D"

...cut...
09:24:09.030 14.943 0.217 [20476] dbg: rules: running uri tests; score 
so far=0

09:24:09.058 14.971 0.028 [20476] dbg: rules: compiled uri tests
09:24:09.078 14.991 0.020 [20476] dbg: rules: ran uri rule 
__DOS_HAS_ANY_URI ==> got hit: "h"
09:24:09.099 15.012 0.020 [20476] dbg: rules: ran uri rule 
__LOCAL_PP_NONPPURL ==> got hit: "http://www.davekeller.com";
09:24:09.220 15.133 0.121 [20476] dbg: pdfinfo: Identified 0 possible 
mime parts that need checked for PDF content
09:24:09.220 15.133 0.000 [20476] dbg: pdfinfo: set_tag called for 
PDFCOUNT 0
09:24:09.220 15.133 0.000 [20476] dbg: pdfinfo: set_tag called for 
PDFIMGCOUNT 0

09:24:09.378 15.291 0.158 [20476] dbg: eval: stock info total: 0
09:24:09.379 15.293 0.002 [20476] dbg: rules: ran eval rule 
__SARE_BODY_BLANKS_5_100 ==> got hit (1)
09:24:09.380 15.294 0.001 [20476] dbg: rules: ran eval rule 
__TAG_EXISTS_BODY ==> got hit (1)
09:24:09.431 15.344 0.051 [20476] dbg: eval: text words: 2280, html 
words: 2257
09:24:09.438 15.351 0.007 [20476] dbg: eval: madiff: left: 22, orig: 
2257, max-difference: 0.97%
09:24:09.446 15.359 0.008 [20476] dbg: rules: ran eval rule __MIME_HTML 
==> got hit (1)
09:24:09.529 15.443 0.084 [20476] dbg: rules: ran eval rule HTML_MESSAGE 
==> got hit (1)
09:24:09.532 15.445 0.002 [20476] dbg: rules: ran eval rule 
__TAG_EXISTS_HTML ==> got hit (1)
09:24:09.546 15.460 0.015 [20476] dbg: rules: ran eval rule 
__TVD_MIME_ATT_TP ==> got hit (1)
09:24:09.561 15.474 0.014 [20476] dbg: rules: ran eval rule 
__HAVE_BOUNCE_RELAYS ==> got hit (1)
09:24:09.563 15.476 0.002 [20476] dbg: rules: running rawbody tests; 
score so far=0.001

09:24:09.602 15.515 0.039 [20476] dbg: rules: compiled rawbody tests
09:24:09.778 15.691 0.175 [20476] dbg: rules: ran rawbody rule 
__SARE_HTML_SINGLET2 ==> got hit: ">o<"
09:24:09.817 15.730 0.040 [20476] dbg: rules: ran rawbody rule 
__SARE_BLACK_FG_COLOR ==> got hit: ""color: black"
09:24:10.073 15.986 0.256 [20476] dbg: rules: ran rawbody rule 
__TVD_BODY ==> got hit: "vers"
09:24:10.109 16.022 0.036 [20476] dbg: rules: ran rawbody rule 
__SARE_HAS_FG_COLOR ==> got hit: ""color:"
09:45:09.826 1275.740 1259.717 [20476] dbg: rules: ran eval rule 
__SARE_HTML_HAS_BR ==> got hit (1)
09:45:09.827 1275.741 0.001 [20476] dbg: rules: ran eval rule 
__SARE_HTML_HAS_DIV ==> got hit (1)
09:45:09.828 1275.741 0.000 [20476] dbg: rules: ran eval rule __MIME_QP 
==> got hit (2)
09:45:09.828 1275.741 0.000 [20476] dbg: rules: ran eval rule 
__SARE_HTML_HAS_P ==> got hit (1)
09:45:09.829 1275.742 0.000 [20476] dbg: rules: ran eval rule 
__SARE_HTML_HAS_A ==> got hit (1)
09:45:09.829 1275.742 0.001 [20476] dbg: rules: running full tests; 
score so far=0.001

09:45:09.838 1275.751 0.009 [20476] dbg: rules: compiled full tests
09:45:10.002 1275.915 0.164 [20476] dbg: rules: running meta tests; 
score so far=0.001

09:45:10.003 1275.916 0.001 [20476] dbg: rules: compiled meta tests
09:45:10.003 1275.916 0.000 [20476] dbg: check: running tests for 
priority: 500

09:45:10.003 1275.916 0.000 [20476] dbg: dns: harvest_dnsbl_queries
...cut...

So, after the 20 minutes delay, it says:
09:45:09.826 1275.740 1259.717 [20476] dbg: rules: ran eval rule 
__SARE_HTML_HAS_BR ==> got hit (1)


Can I assume that the 20 minutes delay is caused by the 
__SARE_HTML_HAS_BR rule ?


If so, it is used by one of those 2 rules:
/var/lib/spamassassin/3.002005/70_sare_html0_cf_sare_sa-update_dostech_net/200606040500.cf:
rawbody   __SARE_HTML_HAS_BR   eval:html_tag_exists('br')
/var/lib/spamassassin/3.002005/70_sare_html1_cf_sare_sa-update_dostech_net/200606040500.cf:
rawbody   __SARE_HTML_HAS_BR   eval:html_tag_exists('br')

I then just add the following line to my local.cf file
score   __SARE_HTML_HAS_BR   0

and re-test it with "-L -D" but I'm having the same result !!

Is there some way to find the culprit rule ?
other that removing all rules and adding them one at the time.

For testing purposes, can I reduce the 20 minutes delay variable to 1 
minute ?


Any help will be appreciated.

Many thanks,
Eddy







--
Eddy Beliveau
HEC Montreal
Montreal (Quebec)
Canada

URI-DNSBL problem with spamassassin 3.2.5

[Eddy Beliveau]

 sbl.spamhaus.org

I do not understand how it can take 1220 seconds to complete when it 
said timeout=15s


Can someone help ?

Thanks,
Eddy








--
Eddy Beliveau
HEC Montreal
Montreal (Quebec)
Canada

Re: Malformed UTF-8 character with SA 3.2.5

[Eddy Beliveau]

Hi! Mark,

Many thanks for your reply.

I also have similar WARN error
Jan  9 09:20:02 smtpext2 amavis[20636]: (20636-16) _WARN: Malformed 
UTF-8 character (unexpected continuation byte 0xba, with no preceding 
start byte) in pattern match (m//) at 
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/BodyEval.pm line 
243,  line 10082.


As suggested, I created my first spamassassin bug report (6042) and 
include a sample


Thanks,
Eddy

 Message original 
Sujet : Re: Malformed UTF-8 character with SA 3.2.5
De : Mark Martinec 
Pour : users@spamassassin.apache.org
Date : 2009-01-08 18:55


Eddy,


I sent this email to the amavisd-new group but didn't received any replies
I give it a spin on this group
Maybe someone can help


Yes, this is probably a more suitable place for this question.


We are using Postfix 2.5.5 on our RHEL AS release 4 (Nahant Update 6)
academic server.

amavisd-new-2.6.2 (20081215), Unicode aware, LANG="fr"
with spamassassin 3.2.5

Our log file contains many:
 amavis[19738]: (19738-05) _WARN: Malformed UTF-8 character (unexpected
continuation byte 0x8e, with no preceding start byte) in pattern match
(m//) at
/var/lib/spamassassin/3.002005/70_sare_specific_cf_sare_sa-update_dostech_n
et/200605280300.cf, rule SARE_SPEC_REPL_OBFU2, line 1,  line 3620.

That rule is version 01.03.13
Can someone help ?


I searched our logs for something similar and came up with a possibly related
case, but in a different code section. Here is mine (using SA 3.3):

rules: failed to run TVD_STOCK1 test, skipping:   
(Malformed UTF-8 character (fatal) 
at /usr/local/lib/perl5/site_perl/5.10.0/Mail/SpamAssassin/Plugin/BodyEval.pm 
line 250,  line 499.


This one is  within sub _check_stock_info, evaluating the regexp:
  $rnd_chunk =~ /^\s*([^:\s][^:\n]{2,29})\s*:\s*\S/mg
on a perfectly valid UTF-8 string. It turns out it is a bug in
perl5.8.8, 5.8.9 and in 5.10.0 - the bug goes away if the string
is not tainted.

I filed a Perl bug report yesterday:
  perlbug: [perl #62048]
  Unwarranted "Malformed UTF-8 character" on tainted variable

I don't know if your case of "Malformed UTF-8 character" is due
to the same bug, or is it a SpamAssassin problem.

Can you make one of your mail samples available for examination?
With any luck the problem is reproducible, making it much easier
to resolve or provide a workaround. It's probably best to open
a SpamAssassin bug case and attach a sample.

  Mark



--
Eddy Beliveau
HEC Montreal
Montreal (Quebec)
Canada

Malformed UTF-8 character with SA 3.2.5

[Eddy Beliveau]

Hi!

I sent this email to the amavisd-new group but didn't received any replies

I give it a spin on this group

Maybe someone can help

Thanks in advance 
Eddy


- original email

Hi!

We are using Postfix 2.5.5 on our RHEL AS release 4 (Nahant Update 6)
academic server.

amavisd-new-2.6.2 (20081215), Unicode aware, LANG="fr"
with spamassassin 3.2.5

Our log file contains many:
amavis[19738]: (19738-05) _WARN: Malformed UTF-8 character (unexpected 
continuation byte 0x8e, with no preceding start byte) in pattern match 
(m//) at 
/var/lib/spamassassin/3.002005/70_sare_specific_cf_sare_sa-update_dostech_net/200605280300.cf, 
rule SARE_SPEC_REPL_OBFU2, line 1,  line 3620.


That rule is version 01.03.13

Can someone help ?

Many thanks
Eddy
--

Eddy Beliveau
HEC Montreal
Montreal (Quebec)
Canada

Re: Spam abuse report plugin

[Eddy Beliveau]

- Message d'origine - 
De : "Michael Scheidell" <[EMAIL PROTECTED]>
À : "ram" <[EMAIL PROTECTED]>; "spamassassin-users" 


Envoyé : 27 mars 2008 10:04
Objet : Re: Spam abuse report plugin





From: ram <[EMAIL PROTECTED]>
Date: Thu, 27 Mar 2008 15:36:04 +0530
To: spamassassin-users 
Subject: Spam abuse report plugin

I get a lot of spam on my servers which get detected by SA though are
generated by innocent mail servers.

We see a lot of mail users have insanely simple passwords , spammers are
using these accounts and send spam. By the time the administrator
realizes the server has sent 1000's of spam

So you would spam the abuse@ account '-)



If spamassassin had an option to send abuse report to servers
automatically and send mails to abuse@ the moment the
first sure spam comes in the admin could be warned before much damage
has been done. Obviously we limit to only 1 or 2 reports in an hour to a
particular id


Best is to set up something to use 'spamassassin -r' (report) feature.
Set up a SpamCop account, put that information in local.cf.
SpamCop will scan the emails for uri's add them to uri blacklists, add the
server to spamcop blacklists, track down the responsible isp, and 
pre-format

a complain email.

If you have DCC and RAZOR, it will also submit the information to those
databases.

NOTE: YOU DO NOT WANT TO AUTOMATICALLY SEND REPORTS AS THIS _WILL_ SPAM
INNOCENT, FORGED DOMAINS ADDING TO THE BACKSCATTER PROBLEMS.


Hi!

This subject is very interesting

I received many spams daily and have to manually analyse headers or email 
content to be able to send abuse report


Is there a tool which can do this for me ?

I imagine some web form (unix/windows) in which I can put a cut/paste of 
original email (including headers)

and that tool can prepare abuse complaint automagically.

Does that beast exist ?

Thanks,
Eddy 

Re: script to send mail when error detected in log file

[Eddy Beliveau]

Hi!

You said
"then  i add a crontab to run for ever 10 min 

crontab -e 
10 * * * * /your/location/of/script "

Please note that your syntax said to execute once per hour at the 10th minute 
of the hour

To execute at interval of 10 minutes, you may use the following line:
*/10 * * * * /your/location/of/script 

Cheers,
Eddy
  - Message d'origine - 
  De : Agnello George 
  À : Matt Kettler 
  Cc : Spamassassin 
  Envoyé : 7 mars 2008 07:27
  Objet : Re: script to send mail when error detected in log file


> >
> > Your inputs will be of great help
> >
> Might I suggest swatch? Why create your own script, when someone's
> already created a powerful tool to do this.
>
> http://swatch.sourceforge.net/
>
> There's lots of good articles on using it out there:
>
> http://www.linuxsecurity.com/content/view/117281/50/
> http://www.linuxjournal.com/article/4776

  I finally came up with my own script to do this 

  #!/bin/sh -x

  if [ $(tac  /var/log |grep -e "error: syswrite()"  | wc -l ) = 0 ] ; then
  exit 1
  else
  echo "your mailserver is down" |mail -s " pls check server ip 216.185.xxx.xxx 
" [EMAIL PROTECTED]
  fi
   
  then  i add a crontab to run for ever 10 min 

  crontab -e 
  10 * * * * /your/location/of/script 

   
   if there is an easier way kindly tell me !!!



   
--
Regards
Agnello Dsouza
www.linux-vashi.blogspot.com
www.bible-study-india.blogspot.com




  -- 
  Regards
  Agnello Dsouza
  www.linux-vashi.blogspot.com
  www.bible-study-india.blogspot.com 

query failed: 2.2.3.saupdates.openprotect.com => NXDOMAIN

[Eddy Beliveau]

Hi!

I was using SA 3.2.1 on our academic RH4 server and everything was working 
correctly

Now, I just install SA 3.2.2, everything seems to work but I noticed that 
sa-update returned the following error:

query failed: 2.2.3.saupdates.openprotect.com => NXDOMAIN
I test it with 

# dig +short TXT 0.2.3.saupdates.openprotect.com @ns14.zoneedit.com
"78"
# dig +short TXT 1.2.3.saupdates.openprotect.com @ns14.zoneedit.com
"78"
# dig +short TXT 2.2.3.saupdates.openprotect.com @ns14.zoneedit.com
returns nothing

Is this the normal behaviour ?

Do you know when 3.2.2 version of this channel will be available ?

Thanks,

Eddy 

# ls -l  /var/lib/spamassassin/3.002001

drwxr-xr-x  2 root root 4096 Jul 17 15:20 saupdates_openprotect_com
-rw-r--r--  1 root root 1744 Jul 17 15:20 saupdates_openprotect_com.cf
-rw-r--r--  1 root root   50 Jul 17 15:20 saupdates_openprotect_com.pre
drwxr-xr-x  2 root root 4096 Jul 20 12:34 updates_spamassassin_org
-rw-r--r--  1 root root 2384 Jul 16 04:10 updates_spamassassin_org.cf


# ls -l  /var/lib/spamassassin/3.002002
drwxr-xr-x  2 root root 4096 Jul 26 10:29 updates_spamassassin_org
-rw-r--r--  1 root root 2384 Jul 26 10:29 updates_spamassassin_org.cf


]# sa-update --allowplugins --gpgkey ...cut... --channel 
saupdates.openprotect.com --debug
[18353] dbg: logger: adding facilities: all
[18353] dbg: logger: logging level is DBG
[18353] dbg: generic: SpamAssassin version 3.2.2
[18353] dbg: config: score set 0 chosen.
[18353] dbg: dns: is Net::DNS::Resolver available? yes
[18353] dbg: dns: Net::DNS version: 0.59
[18353] dbg: generic: sa-update version svn540384
[18353] dbg: generic: using update directory: /var/lib/spamassassin/3.002002
[18353] dbg: diag: perl platform: 5.008005 linux
[18353] dbg: diag: module installed: Digest::SHA1, version 2.07
[18353] dbg: diag: module installed: HTML::Parser, version 3.55
[18353] dbg: diag: module installed: Net::DNS, version 0.59
[18353] dbg: diag: module installed: MIME::Base64, version 3.01
[18353] dbg: diag: module installed: DB_File, version 1.809
[18353] dbg: diag: module installed: Net::SMTP, version 2.29
[18353] dbg: diag: module installed: Mail::SPF, version v2.005
[18353] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[18353] dbg: diag: module installed: IP::Country::Fast, version 604.001
[18353] dbg: diag: module installed: Razor2::Client::Agent, version 2.82
[18353] dbg: diag: module installed: Net::Ident, version 1.20
[18353] dbg: diag: module installed: IO::Socket::INET6, version 2.51
[18353] dbg: diag: module installed: IO::Socket::SSL, version 1.07
[18353] dbg: diag: module installed: Compress::Zlib, version 1.42
[18353] dbg: diag: module installed: Time::HiRes, version 1.55
[18353] dbg: diag: module installed: Mail::DomainKeys, version 1.0
[18353] dbg: diag: module installed: Mail::DKIM, version 0.26
[18353] dbg: diag: module installed: DBI, version 1.52
[18353] dbg: diag: module installed: Getopt::Long, version 2.34
[18353] dbg: diag: module installed: LWP::UserAgent, version 2.031
[18353] dbg: diag: module installed: HTTP::Date, version 1.46
[18353] dbg: diag: module installed: Archive::Tar, version 1.32
[18353] dbg: diag: module installed: IO::Zlib, version 1.05
[18353] dbg: diag: module installed: Encode::Detect, version 1.00
[18353] dbg: gpg: adding key id D1C035168C1EBC08464946DA258CDB3ABDE9DC10
[18353] dbg: gpg: Searching for 'gpg'
[18353] dbg: util: current PATH is: 
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
[18353] dbg: util: executable for gpg was found at /usr/bin/gpg
[18353] dbg: gpg: found /usr/bin/gpg
[18353] dbg: gpg: release trusted key id list: 
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 
26C900A46DD40CD5AD24F6D7DEE01987265FA05B 
0C2B1D7175B852C64B3CDC716C55397824F434CE 
D1C035168C1EBC08464946DA258CDB3ABDE9DC10
[18353] dbg: channel: attempting channel saupdates.openprotect.com
[18353] dbg: channel: update directory 
/var/lib/spamassassin/3.002002/saupdates_openprotect_com
[18353] dbg: channel: channel cf file 
/var/lib/spamassassin/3.002002/saupdates_openprotect_com.cf
[18353] dbg: channel: channel pre file 
/var/lib/spamassassin/3.002002/saupdates_openprotect_com.pre
[18353] dbg: dns: query failed: 2.2.3.saupdates.openprotect.com => NXDOMAIN
[18353] dbg: channel: no updates available, skipping channel
[18353] dbg: diag: updates complete, exiting with code 1

rules_du_jour 1.29 syntax error for 70_sare_stocks.cf

[Eddy Beliveau]

Hi!

I'm not sure if this is the place to post rules_du_jour problem
but the http://sandgnat.com/rdj/rules_du_jour version 1.29
contain an invalid url for 70_sare_stocks.cf

 CF_URLS[70]="${RULESEMPORIUM}/rules/70_sare_stocks.cf";
should be
 CF_URLS[70]="${RULESEMPORIUM}/70_sare_stocks.cf";

Cheers,
Eddy

What happened to blackholes.us ?

[Eddy Beliveau]

For the last couple of days my SA wasn't able to use korea.blackholes.us.
I tried to ping it but it seems dead.   Anyone knows the reason and
if/when it's coming back?

Thanks,
Eddy

any rule for med spam

[Eddy Beliveau]

Hi!

I'm receiving spams with the following subject line
Subject: TRAMAD0OL, MER1DllA, \/ALUUM, XANA, L0RAAZEPAM, AMBllEN, ALPRAZZ0LAM, \/llGRA, CAALlS, 
LEVlTRRA


Spamassassin does not give points to this spam.

Any rule to filter this

Thanks,
Eddy 

Is there some spamassassin's rule against FRENCH nigeria scam

[Eddy Beliveau]

Hi!

We just received this nigeria scam and it passed thru our filters.

We are a french speaking university

I'm familiar with spamassassin english rules but is there some repository where I can find french 
rules ?


Thanks in advance
Eddy
---
Votre respect,

Permettez- moi de m'adresser à vous par l'entremise de ce courrier. Vue l'utilité de l'affaire, je 
vous joins pour avoir votre concours, bien qu'il n'existe aucun lien de parenté entre vous et moi.


Moi , c'est Geneviève amondji la fille du chef Gilbert amondji, un homme d'affaire dans le milieu de 
l'exportation du café et du cacao en côte d'ivoire.


En mars 2005, juste rentré d'un voyage d'affaire d'Europe, notre domicile a subit une attaque armée 
où mon père a été mortellement atteint. Admis dans une clinique de la place, il a demandé 
obligatoirement à me parler puisque je suis la seule enfant, et c'est en ce moment qu'il m'a informé 
que l'origine de l'attaque pourrait provenir de ses associés car il avait un désaccord entre eux et 
lui. Ces derniers lui réclamaient de l'argent qu'il a jugé inopportun et c'est à la suite de cela 
qu'il a effectué son voyage concernant cette affaire.
 

Re: Cannot get rid of new online pharmacy spams

[Eddy Beliveau]

Hi!

Thanks to all for your replies

I cannot upgrade right now, the current academic semester is not yet completed

In the mean time, I will try Chris Conn's solution:
rawbody __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
full__LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
metaLW_URI_CR__LW_URI_CR1 || __LW_URI_CR2
score   LW_URI_CR(YOUR CHOICE)
describeLW_URI_CRunescaped cr in uri

I'll give you a follow-up very soon.

Thanks and have a nice day
Eddy
- Original Message - 
From: "Alan Munday" <[EMAIL PROTECTED]>

To: "Eddy Beliveau" <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, May 25, 2005 9:53 AM
Subject: Re: Cannot get rid of new online pharmacy spams



Eddy Beliveau wrote the following on 25/05/2005 14:19:


Hi!

I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly.  
Thanks  ;-)



Eddy

Have you tried updating to a newer version?

I suspect it will be many peoples first suggestion.

Alan

Re: Cannot get rid of new online pharmacy spams

[Eddy Beliveau]

Hi! Rishi,

Many thanks for your reply

I'm already using that antidrug.cf rule

My problem is that the drug name does not appear as text in the spam
It is included in the gif picture

So the spam contains a picture and many tiny words in the email's body

Does it sound familiar ?

Thanks,
Eddy

- Original Message - 
From: "Rishi Kantesaria" <[EMAIL PROTECTED]>

Subject: Re: Cannot get rid of new online pharmacy spams


You can either do two thingsif you don't have spamassassin rules
for Drug stuff then get that or if you have the rules and emails are
still coming adjust the score in the rules.
http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

On 5/25/05, Eddy Beliveau <[EMAIL PROTECTED]> wrote:


Hi!

I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly.  Thanks 
 ;-)

My current problem is that I cannot get rid of those online pharmacy spams. (see attached 
picture).

The email contains a picture and many words in font size 1.

Am I the only one to receive this junk.

Can someone help ?

Thanks in advance
Eddy

Cannot get rid of new online pharmacy spams

[Eddy Beliveau]

Hi!

I'm running spamassassin 2.4 with pamCopURI 0.24 and it work perfectly.  Thanks 
 ;-)

My current problem is that I cannot get rid of those online pharmacy spams. (see attached picture). 
The email contains a picture and many words in font size 1.


Am I the only one to receive this junk.

Can someone help ?

Thanks in advance
Eddy
<>

Re: Bombarded by German political spam

[Eddy Beliveau]

Many thanks for this rule (99_sober.cf)
It rocks   :-)
Thanks again
Eddy
- Original Message - 
Subject: Re: Bombarded by German political spam


On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
Hi!
>>http://mailscanner.prolocation.net/german.cf
>You've got a bit of duplication in there (rules 02 and 22 are the
>same, as are 04 and 26).
I'll clean them, thanks! v0.2 there in a few :)
http://www.citecs.de/99_sober.cf
took subject lines from abobe
- score per subj is 1.0 
- put content patterns (3 missing, got no sample) into it with score 8.0
- the often seen "Lese selbst" is scored 4

Re: spammer is using html code for spamming

[Eddy Beliveau]

Many thanks,
I'll give it a try
Thanks again
Eddy
- Original Message - 
From: "martin smith" <[EMAIL PROTECTED]>
To: "Spamassassin" ; "'Eddy Beliveau'" <[EMAIL PROTECTED]>
Sent: Thursday, May 12, 2005 12:30 PM
Subject: RE: spammer is using html code for spamming


Whoops outlook capitalised this wrong with an I instead of i at the end.
This is what it should have been;
body MS_Body_Hide_DRUG /\b(?:R[!a-z]?eta il|P[!a-z]?ri ces|V.?I RA|C[!a-z]?I
S|(?:V|U)L AM|U[!a-z]?LTRAM|S[!a-z]?MA)\b/i

Was there a BAD SA-BLACKLIST rule file published on oct 10 th or 11th

[Eddy Beliveau]

Hi!
I'm using spamassassin 2.63-1, amavisd-new 20030616-p9 on RedHat 9.0
and it worked correctly
But, today I received complaints from my users about unreceived mails on last 
monday Oct-11th.
While looking at my postfix logfile, I noticed that the rule USER_IN_BLACKLIST has been 
triggered 2 times on THAT day!
The daily average is normally 400.

I'm using the rule /etc/mail/spamassassin/65_sa-blacklist.cf with a daily 
(04hAM) update from
URL=http://www.stearns.org/sa-blacklist/sa-blacklist.current
Of course, the entries of this file is NOW correct
I'm assuming that, on October 10th-11th, there was a publication of some bad 
file
Am I the only one who got that problem ?
Is there some archive of that file ?
Thanks,
Eddy