General question about SA default ruleset

2007-07-11 Thread Fabien GARZIANO
Hi Folks,

I can't get anywhere with the Wiki, FAQ, or mail archive on this. I'm looking
for a kind of dictionary providing an explanation for each rule of
the default ruleset provided with spamassassin... Sorry for my poor
English. Let's take an example:

RCVD_ILLEGAL_IP: In my .cf files, I only have "Received: contains
illegal IP address". I would like to know what exactly an illegal
IP means (it looks like it can sometimes be an undefined IP block or some
other weird thing).

In fact, if you know whether this kind of index/dictionary exists,
and if so, where it can be found, I would really appreciate it. If this
doesn't exist, I would like to try to make one myself. If someone has
any information, that would be nice. To be precise, I'm not looking for
something like
http://systems.cs.uoregon.edu/Solaris/spamassassin.php
Or 
http://www.nesox.com/document/Spamassassin%20Explanation.asp

Those basically just rewrite what can be found in the .cf files...

Thanks.


RE: Spamassassin detailed log entries

2006-10-19 Thread Fabien GARZIANO

 From: Bowie Bailey Sent: Wednesday, October 18, 2006 18:17
 What I do is this:
 
   add_header all Report _REPORT_
 
 This gives me the detailed X-Spam-Report header listing the 
 scores, rule names, and rule descriptions.

Thanks for the answer. I've tried most add_header options (like all or
_TESTSSCORES(,)_), and the mail headers are the way I want them. But I can't get
the same modifications in the maillog file. This is for my qmail/spamassassin
V3.1.6 setup. I also have a MailScanner/postfix/spamassassin V3.0.5 setup, and
its log file (/var/log/maillog) contains TESTS triggered + SCORES.

 From: Theo Van Dinter, October 18, 2006 16:44
 I can't find how to ask spamassassin (spamd in my case) to write 
 detailed scores in my log files.
 There's currently no way to modify the log output from a config 
 file.  You'd have to modify the spamd code to change its 
 log output.

So if I understand correctly, in my MailScanner setup (where the log is exactly
what I need), it's not spamassassin that writes the logs this way but MailScanner?


Spamassassin detailed log entries

2006-10-18 Thread Fabien GARZIANO
Hi All,


I can't find how to ask spamassassin (spamd in my case) to write detailed
scores in my log files. I'm pretty sure it's in my local.cf file (because
it's system wide), but I can't find which command to insert. I've seen
the _TESTSSCORES(,)_ tag on the spamassassin wiki, but I can't find
which option it fits in.

--

F a b i e n   G a r z i a n o


RE: Need help with several things in SA

2006-10-10 Thread Fabien GARZIANO
 
Thanks Matt for this long explanation. I agree with the fact that you
should avoid raising rule scores, or think twice before doing it. A lot
of trouble may appear with a rule with too high a score. I got in trouble
at the beginning with that. I raised some scores very high (more than
20), and I had AWL (see
http://wiki.apache.org/spamassassin/AutoWhitelist) running. When I
realized I had made a mistake with those scores, I lowered them. But AWL
kept on scoring high, logically...

Now I think the only rule scores I change are RBL, URIBL etc. And I
check my bayes scoring regularly...

By the way, does anyone know where I can find an explanation for each rule
of the default sa ruleset? I know, most of the time, the title or desc
is explicit, but sometimes not. I've searched (maybe not enough) the Wiki
but didn't find it...

thanks


 -Original Message-
 2) finding and testing some of the add-on rulesets to expand 
 the diversity of rules in your SA set.  Generally speaking, 
 you'll get fewer FPs from 2 rules that score 2.5 each on a 
 particular spam than you will from 1 rule scoring 5.0.
 
 
 


Low spam score but marqued as spam

2006-10-06 Thread Fabien GARZIANO
Hi folks,
 
I'm having trouble with one particular mail and am facing a strange problem.
I got a mail which my spamassassin scores 1.5 (the score limit before
spam is identified is 5.2) but it tags it as spam anyway
 
X-caliseo-MailScanner: Found to be clean
X-caliseo-MailScanner-SpamCheck: spam, SBL+XBL,
 SpamAssassin (score=1.562, requis 5.8, BAYES_00 -2.60,
 HTML_90_100 0.02, HTML_FONT_BIG 0.14, HTML_MESSAGE 0.00,
 HTML_NONELEMENT_00_10 0.00, HTML_SHOUTING3 0.02, RCVD_IN_XBL 3.98)
X-caliseo-MailScanner-SpamScore: 1
X-caliseo-MailScanner-From: [EMAIL PROTECTED]
X-Spam-Status: Yes

SpamAssassin version 3.0.5
  running on Perl version 5.8.6

I can't find anything in the previous mails in here. And Google gives
nothing.
Anyone got an idea?

--

F a b i e n   G a r z i a n o


RE: Low spam score but marqued as spam

2006-10-06 Thread Fabien GARZIANO

I agree with you. I'll turn this off right now. I didn't know this and I
realize I bothered the spamassassin mailing list for nothing. Sorry guys :-(
Thanks for the answers, Anthony and François.

Note: what's stranger is that when I use online web XBL checks, the result is
negative (no match). And now mails received from my gateway, from the same user,
the same smtp server, are not XBL positive. Strange, huh?

 -Original Message-
 From: Anthony Peacock [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 6, 2006 15:37
 To: users@spamassassin.apache.org
 Subject: Re: Low spam score but marqued as spam
 
 Hi,
 
 François Rousseau wrote:
  I don't know MailScanner but maybe because they have found the address
  in a XBL list?
  
  X-caliseo-MailScanner-SpamCheck: spam, SBL+XBL,
 
 
 Yes, MailScanner can be configured to do the RBL lookups 
 itself and to mark messages on that basis (this is regardless 
 of the SA score).
 
 This can be configured on the MailScanner.conf file:
 
 # If a message appears in at least this number of Spam Lists (as defined
 # above), then the message will be treated as spam and so the Spam
 # Actions will happen, unless the message reaches the levels for High
 # Scoring Spam. By default this is set to 1 to mimic the previous
 # behaviour, which means that appearing in any Spam Lists will cause
 # the message to be treated as spam.
 # This can also be the filename of a ruleset.
 Spam Lists To Be Spam = 1
 
 
 Personally I turn this off and let SA do its scoring.  The 
 MailScanner settings are a little too cut and dried for my 
 taste.  If I was to trust a RBL that much I would use it at 
 SMTP time anyway.
 
 
  
  
  
  2006/10/6, Fabien GARZIANO [EMAIL PROTECTED]:
 
  Hi folks,
 
  I'm in trouble with 1 particular mail and in front of a 
 strange problem.
  I got a mail which my spamassassin score 1.5 (the score 
 limit before 
  spam is identified is 5.2) but it tag it like spam anyway
 
  X-caliseo-MailScanner: Found to be clean
  X-caliseo-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin 
  (score=1.562, requis 5.8, BAYES_00 -2.60, HTML_90_100 0.02, 
  HTML_FONT_BIG 0.14, HTML_MESSAGE 0.00, HTML_NONELEMENT_00_10 0.00, 
  HTML_SHOUTING3 0.02, RCVD_IN_XBL 3.98)
  X-caliseo-MailScanner-SpamScore: 1
  X-caliseo-MailScanner-From: [EMAIL PROTECTED]
  X-Spam-Status: Yes
 
  SpamAssassin version 3.0.5
running on Perl version 5.8.6
 
  I can't find anything in the previous mails in here. And 
 google give 
  nothing.
  Anyone got an idea ?
 
  --
 
  F a b i e n   G a r z i a n o
 
  
 
 
 --
 Anthony Peacock
 CHIME, Royal Free  University College Medical School
 WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
 If you have an apple and I have  an apple and we  exchange 
 apples then you and I will still each have  one apple. But  
 if you have an idea and I have an idea and we exchange these 
 ideas, then each of us will have two ideas. -- George Bernard Shaw
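
The header quoted in this thread can be taken apart to show which check produced the "spam" verdict. This is an added example, not code from the posts or from MailScanner; the function names, and the assumption that every comma-separated field between the verdict and the SpamAssassin section is one spam-list hit, are assumptions of the example.

```python
import re

# Header as posted in the thread (folded; French locale prints "requis").
SAMPLE = (
    "X-caliseo-MailScanner-SpamCheck: spam, SBL+XBL,\n"
    " SpamAssassin (score=1.562, requis 5.8, BAYES_00 -2.60,\n"
    " HTML_90_100 0.02, HTML_FONT_BIG 0.14, HTML_MESSAGE 0.00,\n"
    " HTML_NONELEMENT_00_10 0.00, HTML_SHOUTING3 0.02, RCVD_IN_XBL 3.98)"
)

# score=<n>, <localized "required" word> <n>, then "RULE score" pairs
SA_PART = re.compile(
    r"SpamAssassin\s*\(score=(-?[\d.]+),\s*\w+\s+(-?[\d.]+)(.*?)\)", re.S)
RULE = re.compile(r"([A-Z][A-Z0-9_]+)\s+(-?\d+(?:\.\d+)?)")


def parse_spamcheck(header):
    """Split a SpamCheck header into verdict, list hits and SA details."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    value = unfolded.split(":", 1)[1].strip()
    m = SA_PART.search(value)
    if m is None:
        raise ValueError("no SpamAssassin section found")
    # Assumption: fields before the SA section are the verdict, then list names.
    fields = [f.strip() for f in value[:m.start()].split(",") if f.strip()]
    return {
        "verdict": fields[0] if fields else "",
        "lists": fields[1:],
        "score": float(m.group(1)),
        "required": float(m.group(2)),
        "rules": {n: float(s) for n, s in RULE.findall(m.group(3))},
    }


def explain(parsed, spam_lists_to_be_spam=1):
    """Return (is_spam, cause) for a given 'Spam Lists To Be Spam' value."""
    by_sa = parsed["score"] >= parsed["required"]
    by_lists = len(parsed["lists"]) >= spam_lists_to_be_spam
    if by_sa and by_lists:
        cause = "both"
    elif by_lists:
        cause = "spam lists"
    elif by_sa:
        cause = "SpamAssassin score"
    else:
        cause = "neither"
    return by_sa or by_lists, cause


if __name__ == "__main__":
    p = parse_spamcheck(SAMPLE)
    print(p["lists"], p["score"], p["required"], explain(p), explain(p, 2))
```

With the threshold at 1, the single SBL+XBL hit decides the verdict although 1.562 is below 5.8; the same listing also contributes RCVD_IN_XBL 3.98 inside the SpamAssassin score.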
 


RE: Problem with URIBL rules : false positive and not listed while mannually checking

2006-10-04 Thread Fabien GARZIANO

 What version of SpamAssassin are you running?  Versions before
 3.1 have an infrequent DNS query bug:
 
   http://bugzilla.spamassassin.org/show_bug.cgi?id=3997
 

I'm running SpamAssassin version 3.0.5. (On Perl 5.8.6).
I've checked the bugzilla page about this bug. I don't understand a
damn thing 8-|... I guess that I need to update my spamassassin setup
and I'm scared. I'm gonna check the wiki for advice on spamassassin
updates, but first, get a horseshoe, and recite a hundred mantras!

 Another possibility is that there is a DNS proxy or DNS 
 modification service like OpenDNS changing the DNS results in 
 a way that's not compatible with SURBL applications:
 
   http://www.surbl.org/faq.html#opendns

I don't run any DNS service on this box... It's a clean MailScanner VM
and I don't see any process named 'dns' with ps ax

 In any case, none of the domains mentioned are blacklisted, 
 so there is a problem with your SpamAssassin or DNS.

About the checks, did you use
http://www.rulesemporium.com/cgi-bin/uribl.cgi ?
Do you know a way to see the result for each test (PH, OB, etc.)?

Thank you for this answer, Jeff


RE: Problem with URIBL rules : false positive and not listed while mannually checking

2006-10-04 Thread Fabien GARZIANO
 I did a local DNS query:
 
   dig somedomain.com.multi.surbl.org a
 
 If you get NXDOMAIN then it's not listed.
 
  Do you know a way to see result for each test (PH, OB, etc ... ) ?
 
   dig somedomain.com.multi.surbl.org txt
 
 will show the lists; so will the lookup page, and so will:
 
   spamassassin -D  some_message_in_a_file

Thanks a lot for the tip with dig. That's what I was looking for. 

 There's usually some DNS service on the box or on your local 
 or ISP network.  If you're on a Unix/Linux/BSD box it's 
 usually called 'named'.  As long as DNS isn't doing anything 
 unusual, then it's a non-issue.  Just use normal, default DNS 
 service if your message volume is less than 100k to 250k per day.

And for DNS, I'm sorry, I typed it too fast and when I meant no 'dns' I
also meant no 'named' process.
On this box, I've tried
 :# dig nortel.com.multi.surbl.org a
And it returned NXDOMAIN as you said, so I guess it may not be a DNS
problem on this box.
(the DNS server answering is my ISP's).
I think I'm gonna update Spamassassin anyway, it should be a good reason
to do it.

Thanks for all these good answers!
P.S.: sorry Jeff if you receive this email twice


RE: Stock spam in images

2006-10-02 Thread Fabien GARZIANO
 
This was answered a few threads ago and more... Maybe you didn't scan enough ^^

You can use the FuzzyOCR module (but don't ask me how to use it, I've never tried ^^)

-Original Message-
From: Dylan Bouterse [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 2, 2006 15:38
To: users@spamassassin.apache.org
Subject: Stock spam in images

I'm a newbie to the list and have been scanning recent posts to see if what I'm 
about to ask about has been covered but I haven't seen anything yet.

Lately I have been getting more and more of the stock alert spam but now all 
the good info is in an image and typically following the image is random text 
to fool the Bayesian filter. I think the random text thing has been covered 
here recently. It's frustrating when sa is giving a
-1.6 (or so) score to these emails right off the bat. Quite a few of these 
aren't even getting spam headers because they aren't scoring high enough. Is 
there some magical trick to help score these messages higher?
Maybe a future version of sa will incorporate an OCR module? :)

Dylan


RE: Stock spam in images

2006-10-02 Thread Fabien GARZIANO
 
Too bad, because I agree with Giampaolo, it would be great. What about making a
plugin including OCR components but, instead of using an inner dictionary, passing
it back to spamassassin through the MTA... Yeah, I know, the load will increase
... But that would be nice?

...

... OK, I'll go back to sleep

-Original Message-
From: Randal, Phil [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 2, 2006 16:19
To: users@spamassassin.apache.org
Subject: RE: Stock spam in images

Giampaolo Tomassoni wrote:

 And, by the way, it seems to work!
 
 Actually, the only limit I see is the own-made FuzzyOcr.words (and, 
 maybe, the fact that script text may probably get undetected). 
 Wouldn't it be better to inject the detected text back to SA? There 
 should be enough variants of spam words to let SA fuzzily catch the 
 ones from images.
 
 Am I wrong?

I think so.  Some of the words would be perfectly legitimate in the text of 
emails but rarely found in attached legitimate images.

Quite apart from the fact that Spamassassin isn't designed for reinjection.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


Re: bayes sync is hogging cpu

2006-09-26 Thread Fabien GARZIANO
 
Ok, I may say something dumb, but have you tried to clear the bayes db
with : 
sa-learn --clear --dbpath

-- Fab