Re: Discord used to share malware

2021-07-26 Thread Gary Smith
I received one today as well.  First time I have seen this type.

It was a pretty well drawn thread overall, they are stepping it up

From: Alan 
Sent: Monday, July 26, 2021 10:56:29 AM
To: users@spamassassin.apache.org
Subject: Discord used to share malware

Not sure if this is news or not but it's the first time I've seen this.
I got a fake "here's the invoice" message with a link to an Excel Macro
file from

https://cdn.discordapp.com/attachments/{redacted}.xlsm

This thing slipped in with a score of 0.4, KAM_NUMSUBJECT being the only
trigger of significance. Reported the link to Discord.

--
For SpamAssassin Users List



Re: Thanks to Guardian Digital & LinuxSecurity for the nice post about SpamAssassin's upcoming change

2020-07-22 Thread Gary Smith
Maybelist?
Neutrallist?
Pcbalancedlist?







-------- Original message --------
From: Olivier 
Date: 7/22/20 7:38 PM (GMT-08:00)
To: users@spamassassin.apache.org
Subject: Re: Thanks to Guardian Digital & LinuxSecurity for the nice post about 
SpamAssassin's upcoming change

I am wondering what grey list should be renamed...
--


RE: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-14 Thread Gary Smith
The technical merit is simple, it's not broken, don't fix it.

There is no technical merit to be achieved here.  I feel that a lot of the 
argument here is just that.
 
There is merely a moral merit.

I think these types of changes should be used for new projects, but for 
existing projects like SA the risk versus reward might be too high.  Will SA 
live long if the implementation fails and takes down a couple systems for notable 
companies?  If email fails because of a small change you risk hurting the 
project more than promoting it.  
I think this moral merit change is splitting this community at this point, and 
that is how we kill projects.  

Now I'm not weighing in on whether this change is right or wrong from a 
geopolitical point of view and that's just a rabbit hole for absolute 
interpretation by the observers (what offends one does not offend the other, 
vice versa).  You will never please 100% of the people 100% of the time, you 
will only ever please the loudest or the ones that would cause the most trouble 
(these are just general observations of life).

Hopefully this is not the hill SA dies on.


-Original Message-
From: jdow  
Sent: Tuesday, July 14, 2020 3:07 AM
To: users@spamassassin.apache.org; Marc Roos ; 
kmcgrail 
Subject: Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve 
language around whitelist/blacklist and master/slave

Please Marc, stick to technical merit for your argument. Getting nasty does not 
solve technical problems, which we have here. Attacks are not going to solve 
anything. Rational arguments may not. But, they should be made just the same. 
Then the open source developers will go off and do what they (think they) want. 
The job is to lead them to thinking they want something different for what they 
see as good reasons. Personally I believe the change is a technical failure and 
will not provide the social results they seem to desire. They should think 
about it.

{o.o}

On 20200714 02:57:19, Marc Roos wrote:
>   
> 
> 
> 
>> To you and others spouting off, be reminded that this is a publicly
> archived mailing list and you
>> will be on the wrong side of history.  Consider that when you post.
> 
> You must be feeling like a king in your little PMC? Who are you to 
> judge whom is on the wrong side of history. No wonder people raise 
> questions here, with someone like you deciding things. I think the PMC 
> should disqualify your vote.
> 


Off-Topic, any spamhaus people here?

2017-12-06 Thread Gary Smith
I know this is way off topic, but I'm trying to get ahold of any spamhaus.org 
support members.

Re: How to view bayesian database in legible text

2017-11-09 Thread Gary Smith
I could be absolutely wrong but isn't bayes a hash of the string parts which is 
part of the performance of bayes?



From: Emanuel 
Sent: Thursday, November 9, 2017 8:15 AM
To: users@spamassassin.apache.org
Subject: How to view bayesian database in legible text


Hello,

I am working on a server with spamassassin 3.4.1, and I need to see the bayes 
in legible text.

The command sa-learn --dump all shows this info:

0.987  1  0 1491158923  936e45469a
0.987  1  0 1490742234  996c4b779f
0.997  5  0 1510240620  99bbb1343d
0.005  0  3 1510242056  9a19089c49
0.016  0  1 1509728119  a14e640e1d
0.987  1  0 1492521796  a3b7843c4a
0.987  1  0 1491153511  a4b1ec7417
0.995  3  0 1510164226  aac1930026
0.033245   2686 1510242162  abee185aa7
0.993  2  0 1510241704  aec056d3b9
0.987  1  0 1490534092  af315bd372
0.005  0  3 1510237626  af79a72241
0.995  3  0 1510230300  b036d8c25c
0.987  1  0 1507076906  b2c21ed6b8


I am interested in seeing the bayes info in the database, because it was 
created years ago

Regards,

Emanuel.

--
[envialosimple.com]
Emanuel Gonzalez
Deliverability Specialist
emanuel.gonza...@donweb.com
www.envialosimple.com
[by donweb]





RE: Looking for assist on a rule

2017-11-01 Thread Gary Smith
Bowie (and the rest that answered), 

Thanks for the follow up.  I went with your suggestion of adding the additional 
addr field and fixed the ^ and it’s catching now.  The multiple values on the 
same line were intentional.  I actually have different scores for bayes 
inclusion and network test (just tweaking them a little).

Final is:

header HS_BAD_DOMAIN From:addr =~ /\.(top|study|click|party|link|stream|info|trade|bid|xxx)$/i

Thanks again, 

Gary-

-Original Message-
From: Bowie Bailey [mailto:bowie_bai...@buc.com] 
Sent: Wednesday, November 1, 2017 12:03 PM
To: users@spamassassin.apache.org
Subject: Re: Looking for assist on a rule

On 11/1/2017 2:39 PM, Gary Smith wrote:
> We have recently seen a huge uptick in spam from a bunch of different TLD's.  
> Bayes has been a little whacky with them as well.  Our install is 3.3.1 
> (we're going to be replacing it soon).
>
> I'm looking to implement a rule that will assign a higher score to specific 
> TLD's.  I tried the rule below based upon the guidelines from 
> https://wiki.apache.org/spamassassin/WritingRules.  Nothing seems to hit it 
> though.
>
> header HS_BAD_DOMAIN From =~ /^\.(top|study|click|party|link|stream|info|trade|bid|xxx)/i
> describe HS_BAD_DOMAIN Contains one of the bad domains that commonly spams
> score HS_BAD_DOMAIN 0.1 0.1 0.1 0.1

The problem is the caret (^).  That says that the match must START with a 
period.  For example:

From: .top

What you probably want is to anchor the expression on the other end:

header HS_BAD_DOMAIN From:addr =~ /\.(top|study|click|party|link|stream|info|trade|bid|xxx)$/i

The ':addr:' part makes sure the match only hits on the first email address in 
the header to prevent false positives.

Also, you don't need to specify multiple scores unless they are different.

score HS_BAD_DOMAIN 0.1

This works exactly the same and is a bit easier to read.

--
Bowie
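
Added example (not part of the original thread, and not SpamAssassin's own code): the two patterns from the messages above, run in Python against constructed From values to show where each anchor can and cannot match. `first_addr` is a hypothetical helper that only approximates what `From:addr` selects.

```python
import re

# The alternation is copied from the rule in the thread; the regex syntax
# used here behaves the same in Python as in Perl.
TLDS = r"(top|study|click|party|link|stream|info|trade|bid|xxx)"
ORIGINAL = re.compile(r"^\." + TLDS, re.I)      # first attempt: anchored at the start
FIXED = re.compile(r"\." + TLDS + r"$", re.I)   # corrected rule: anchored at the end

QUOTED = re.compile(r'"[^"]*"')                  # quoted display names
ADDRESS = re.compile(r"[^\s<>,;]+@[^\s<>,;]+")   # first address-looking token


def first_addr(header_value):
    """Hypothetical stand-in for From:addr: the first address in the header.

    Quoted display names are dropped first so that an address-like display
    name is not mistaken for the sender address.
    """
    match = ADDRESS.search(QUOTED.sub("", header_value))
    return match.group(0).lower() if match else ""


def evaluate(header_value):
    """Return which pattern/target combinations hit for one From value."""
    addr = first_addr(header_value)
    return {
        "original_on_header": bool(ORIGINAL.search(header_value)),
        "fixed_on_header": bool(FIXED.search(header_value)),
        "fixed_on_addr": bool(FIXED.search(addr)),
    }


# Constructed From values (not taken from real mail).
SAMPLES = [
    '"Weekend Deals" <promo@cheap-offers.top>',   # usual display-name form
    "promo@cheap-offers.click",                   # bare address
    "alice@example.com, promo@cheap-offers.bid",  # listed TLD only on the 2nd address
    '"sales@partner.info" <alice@example.com>',   # listed TLD only in display name
    "bob@mail.infotech.example",                  # ".info" in the middle of a host name
    ".top",                                       # the only shape the ^ version matches
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:48} {evaluate(value)}")
```

With the usual `"Name" <user@domain>` form, the end-anchored pattern misses on the whole header because the value ends in `>`, which is why matching on the extracted address is what makes the rule fire.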


Looking for assist on a rule

2017-11-01 Thread Gary Smith
We have recently seen a huge uptick in spam from a bunch of different TLD's.  
Bayes has been a little whacky with them as well.  Our install is 3.3.1 (we're 
going to be replacing it soon).

I'm looking to implement a rule that will assign a higher score to specific 
TLD's.  I tried the rule below based upon the guidelines from 
https://wiki.apache.org/spamassassin/WritingRules.  Nothing seems to hit it 
though.

header HS_BAD_DOMAIN From =~ /^\.(top|study|click|party|link|stream|info|trade|bid|xxx)/i
describe HS_BAD_DOMAIN Contains one of the bad domains that commonly spams
score HS_BAD_DOMAIN 0.1 0.1 0.1 0.1



RE: Spamassasin not as effective anymore

2014-09-29 Thread Gary Smith


From: Mark London [mailto:m...@psfc.mit.edu]
Sent: Monday, September 29, 2014 2:59 PM
To: users@spamassassin.apache.org
Subject: Re: Spamassasin not as effective anymore

On 9/29/2014 12:58 PM, Mark London wrote:
On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:
From: Lorenzo Thurman lore...@thethurmans.com
Date: 9/26/2014 10:59 PM

I've been using spamassassin for a number of years with excellent results. But, 
now over the last month or so, it has been scoring spam very low. It still 
catches most spam, but whereas only about a dozen or so might get through to my 
inbox in a week, I'm suddenly getting a dozen or so a day. I run sa-update via 
cron every day and I have a special mail folder where I place missed spam and 
run sa-learn against it weekly. I know it's an arms race out there fighting 
spam, but here are some sample subject lines with SA's scores that I think should 
be caught. I know spamassassin looks at a lot more than subject lines, but does 
anyone know what I can do to increase spamassassin's ability to detect spam? My 
threshold is set to 4.6.



Complete Our Survey, qualify for free-samples 4.1

Re: Your Score-Changes on: 09/26/2014* 2.9

Weird 30 second trick cURES Diabetes.. 4.1

Quality Window Replacement Deals 4.4

Find a PhD degree online in the specialty field 2.8

Your background check is Available online 2.4

Perfect vision with one weird trick 0.0

What are the From: addresses in those spam emails?  We have been recently 
inundated from spam using domains such as .eu and .co.  The IP names that the 
spammers are using, are constantly changing, so that the URIBLs are not able to 
keep up with them. you've had to add customized rules that increases the spam 
scores, for emails from these and other domains, that are now popular with 
spammers.

I meant to say I've had to add..., not you've had to add...

- Mark

We have also seen an increase in unmarked spam (from 95% to maybe 20%).  Last 
night I did a dump of my bayes DB, which was 10 months since we reset it and 
started the training process again with 3k known spams and 1k known hams and 
we're hitting 95% again.
It seems that enough hammy looking ones got trained automagically and the 
snowball effect happened.
YMMV

Gary


RE: Should Emails Have An Expiration Date

2011-02-28 Thread Gary Smith
 
 I think this would be a great idea.  Many end users never bother to
 delete old emails and on some, such as sales etc, there is no valid
 reason for them to continue to waste disk and server space.
 
 http://www.zdnet.com/news/should-emails-have-an-expiration-date/6197888

No, since emails are now a large part of business processes and those business 
processes become your basis for legal protected, allowing the sender to say 
x-delete: 24 hours and then sues you for something for which you no longer 
have any proof would cause significant global catastrophe.

The result of a scenario would consist of both Jesus crying and cats falling 
dead randomly all over the world. For the love of anything, if you want to 
delete your email, you do it. Don't let others decide for you!

End of debate.


RE: preventing authenticated smtp users from triggering PBL

2010-12-17 Thread Gary Smith
 I've got an issue where users off-campus who are doing authenticated
 SMTP/TLS from home networks are having their mail hit by the PBL.  I
 have trusted_networks set to include the incoming relay,  but still the
 PBL hits it as follows:
 

I mentioned in a direct email (as my blackberry won't make it to the list).

Use submission port (587 rfc) and only allow authentication over this port.  
Set your MTA not to do any type of checks with mail coming in from this one.  
On postfix, it's a simple config in the master.cf file.

This is secure enough and will accomplish what you want with very little 
headache.  In fact, it's better because now you don't have to worry about any 
SA overhead for outgoing email.  Everyone authenticates against this, and no 
worries about zombie machines, etc, because it will require a password either 
way.




RE: TMPDIR as a tmpfs

2010-06-22 Thread Gary Smith
 It is safe to use spamassassin tmpdir on a tmpfs mounted system ?
 And if its safe it would have a better performance ?
 Here where i work we have big problems with the hard drives, because we 
 basically are sharing virtual machines disk over nfs. and spamassasin is a 
 virtual machine.
 Any other tips for better performance ?

Ram, lots of it.  This seems to have the biggest impact on my systems.  The only 
time I see disk thrashing on our SA and ClamAV VM's is when they are starved 
for ram.


RE: TMPDIR as a tmpfs

2010-06-22 Thread Gary Smith


My ram does not get full, i do not have so many process, i limit it in postfix.

It reduces the chances of losing emails if i do not have many process of 
spamassassin running.

So is safe or not to use tmpfs for tempdir in spamassassin. ?

This way, everything that spamassassin have to do with the message it does on 
tmpfs.

---

Outside smtp - postfix - postfix after queue - spamassassin - postfix - 
destination

Even if SA is going slow, no email will be lost.  If it is, something else is 
broken.  If postfix and SA are on the same VM, it's the postfix queue that 
could be slowing things down.  In this case there isn't much you can do as you 
need postfix to be on persistent media.

Also, my understanding is that SA only uses temp files for Razor and DCC 
checks.  Otherwise it should be in ram anyway.  Are you doing Razor or DCC?


RE: TMPDIR as a tmpfs

2010-06-22 Thread Gary Smith
 I don't know if it is safe.  I suspect it will function normally, but I
 think you'd be in danger of losing a few messages on an unexpected
 reboot.
 
 I had a very dramatic performance improvement by switching bayes and
 awl
 databases to MySQL instead of the default BerkeleyDB.  It costs more
 RAM, CPU, and disk space, but scan times reduced dramatically.  I'm
 certain we were I/O bound before this change because we had plenty of
 RAM and CPU available.
 

I agree to the bayes DB being MySQL.  When we switched to that years ago it was 
night and day.  We have a central MySQL cluster feeding multiple SA instances 
without any problem.  Generally we are running VM's for SA as we can randomly 
spin them up when we need them on machines with idle CPU's.

Gary


RE: Bayes MySQL and innoDB settings question

2010-05-12 Thread Gary Smith
 We've found that our MyISAM tables being used with Bayes in MySQL have
 caused some bottlenecks on our busier mail servers. We're
 contemplating using innoDB just for the Bayes database. If MySQL will
 only be using innoDB, does anyone have any recommendations for innoDB
 settings in my.cnf to optimize this setup? Things such as:
 

I think a lot of that really depends on the size of the database.  If it's 
under 1GB in size, I'd say that stock setting will work fine.  There are some 
guides out there on capacity planning innodb that you can search on.  
Generally, if it's a dedicated mysql server, then you can tweak them.  If it's 
shared, I wouldn't change much (except maybe the maximum connections to the 
server).

This is what we run on a 4gb ram server.  The innodb_buffer_pool_size is larger 
than the entire dataset, so I think ours could even be lower than that.

innodb_file_per_table
innodb_flush_log_at_trx_commit  = 1
innodb_autoextend_increment = 2M
innodb_buffer_pool_size = 256M
innodb_additional_mem_pool_size = 48M




RE: user_pref override options

2010-05-06 Thread Gary Smith
 the Mail::SpamAssassin::Conf doc/man page shows which settings are
 privileged and which are not.

That's what I was looking for.  Thanks.


user_pref override options

2010-05-05 Thread Gary Smith
What options can't be overridden in user prefs?  I would like to disable RBL 
checks and possibly use a separate mysql bayes database for one user.  But it 
would be generally nice to know if there are options that are global that can't 
be overridden.


RE: SORBS

2010-04-20 Thread Gary Smith
 if your isp give you dul ip, then you must use isp smtp servers as relay

This isn't necessarily true.  I've had to deal with this every time I've changed 
hosts (to include Level 3 static IP assignments).  Some ISP's just don't 
publish their ranges as all static.

 not a fault of sorbs some isp is badly informing users on howto
 
 if you really want to use your ip as server make sure it really is
 allowed from your isp, the report from sorbs says me its not a static ip
 
 ps: if you need to have mail sent from home server make it use smtp
 auth to gmail, and the problem is totally gone, if that is not possible
 change isp !

Probably not good advice to tell people to relay everything through google.  I'm 
sure he's using a google email because his current email is blocked.

 --
 xpoint http://www.unicom.com/pw/reply-to-harmful.html



multiple instances

2010-04-16 Thread Gary Smith
I have a need to run several different instances of SA on a single box (in 
development).  In production, we have 3  different SA environments (with 2+ 
servers each) that have different rule sets and specific routing rules 
determine which instance it gets sent to.   We need to mimic this in 
development.  

Ideally I would like to create all 3 instances (*2 mimicking load balancing) on 
a single development box.  We're not worried about the performance or memory 
aspect.

Is this possible, and if so, is there an easy way to do this.   I was thinking 
that I could create separate chroot environments for each one if necessary and 
either bind each instance to an IP (which I'm not sure if that's possible) or 
at least a different port.

Any advice (or some sample scripts on doing this) would be greatly appreciated.

Gary Smith


RE: multiple instances

2010-04-16 Thread Gary Smith
 
 I'm sure it's possible, but rather than going through all the work of
 trying to script and setup chroot environments, why not use VMs?  You
 can then quite literally match the production setup.
 
 Since you are not worried about performance or memory you could give
 each VM 128 MB of RAM and only be using 1 GB or so total...
 

Dennis, 

I had thought about that, but the target is a mobile laptop.  Our in house 
development we do use VM's for almost everything just for this purpose.

Looking into spamd, I think I will just copy the config folder for each 
instance type and then run the daemon via a bash script to create it against 9 
local IP's.

I know for things like MySql some people already have some multi-instance 
scripts laying around.  Anyway, I think this will suffice for now.

Gary 


multiple instances, simplification

2010-04-16 Thread Gary Smith
Background:

I've been using SA for a long time, and for a variety of reasons, we run 
different servers to support some minor changes in different rules.  While 
trying to setup a multi instance version on my laptop, I copied these rules 
over into different directories, setup the startup/shutdown script and ran my 
tests and everything worked fine until I found that I didn't create the user 
filter that I run everything as (for SA).  So, I created filter1, filter2, 
etc., for each instance that I want to run.  I noticed that the log still 
complained that filter didn't exist.  Looking into it, it appears that filter 
is the value being passed in via the spamc call.  Now, because SA always works, 
I generally don't touch some of these little things, so I tend to forget things 
like that calling user spamc must exist on the remote spamd server, etc, as I 
never really need to change anything.

Question:

Instead of running multiple SA servers, it is possible to run a single 
consolidated SA server where only the userpref's are different for each spamc 
caller (given that the local config will override the global config) AND still 
use a single bayes DB?  We use a clustered MySql instance for bayes, and I 
don't want to have to worry about a bayes DB per user.

This big difference between the instances are mostly the required_score 
threshold, few score overrides and a few custom rules.

Any recommendations on how to handle this?  It would be really nice to use a 
single config for all SA instances, whereas the only difference being the user 
config.

Gary




RE: multiple instances, simplification

2010-04-16 Thread Gary Smith
 Why don't you just run 3 instances of spamd, each listening on different
 ports/sockets and each with their own configuration:
 
 spamd --siteconfigpath=/etc/spam1 --socketpath=/tmp/spam1.sock --port=783
 spamd --siteconfigpath=/etc/spam2 --socketpath=/tmp/spam2.sock --port=784
 spamd --siteconfigpath=/etc/spam3 --socketpath=/tmp/spam3.sock --port=785
 
 This way you can enable/disable different plugins for each config as
 well as having totally different configurations in each instance.
 Afterwards it's just a matter of calling the right instance from your
 MDA by choosing the proper socket or tcp-port.
 
 Since you use MySql for Bayes, you can configure each instance with the
 same configuration so that they all access the same database. And
 because its just for testing, don't forget to add --min-children=1
 --max-children=1 so that each instance only runs one scanner instance,
 thus conserving RAM.

Jorge,

This is all just a thought, based upon me trying to create a development 
environment on a laptop, which spawned off possible configuration changes to a 
production environment.

We currently have 6+ servers running these.  3 sets of load balanced SA servers. 
 These servers are roughly 70% idle most of the time.  Running them with user 
preferences, instead of different instances, would allow us to remove 50% of 
the hardware.  Running them as multiple instances on the same box, means we 
will still need to balance across the same number of servers.

I think the virtual user angle might work, I just was thinking of a way to 
use a single consolidated mysql instance, where it doesn't care about 
user_name.  If I can't elegantly resolve this, I could always just patch the 
source to use a hard coded user name in the sql statement to ensure that bayes 
stays consistent.

Bayes is the only real concern here, as I know I can run multiple copies (and 
had forgot that I could run a single copy with user_prefs).  So I think this 
will work either way.  I just needed to put a little thought into it and 
bounce off of people who might have already done something like this.  

Gary Smith


RE: multiple instances, simplification

2010-04-16 Thread Gary Smith
 If you're just trying to keep your Bayes table from exploding due to
 multiple users, use the bayes_sql_override_username option.

I'm not worried about it exploding as we don't allow user_prefs.  The machines 
are processed via relays.  I believe the bayes_sql_override_username will solve 
the last piece of the puzzle.  I think I will test this out this weekend on the 
laptop, then our test environment.  

Thanks for all of the information.

Gary Smith



RE: Pathological messages causing long scan times

2010-03-18 Thread Gary Smith
 Here's one pretty much guaranteed to peg a CPU core for ~130 seconds (or
 more):
 
 http://pastebin.com/2ssy2YEk
 

I'm not seeing your 130 sec CPU issue on my end.  As mentioned by Matt, are 
you running into some DNS issue?  These are stock rule + other house rules in 
place.  I'm not getting any type of DNS hit, this might be because you modified 
the headers.  Either way, 5 seconds for me.

[r...@hsoakmsa01 ~]# time cat bad.msg | spamc -R -p  -u filter 
10.8/0.0
Spam detection software, running on the system hsoakmsa01.holdstead.local, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Attention Freind, How are you today? I pray this mail gets
   to you in a perfect health condition. My Name is Mrs Laura Pedro General
  Secretary Compensation Award House inconjunction with the online lottery 
organization.I
   have been waiting for you to contact me for your Confirmable Bank Draft worth
   $14.6,000.00 million United States Dollars which is still valid for payment,
   but I have not hear from you. [...] 

Content analysis details:   (10.8 points, 0.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.1 SUBJ_ALL_CAPS          Subject is all capitals
 1.5 MILLION_USD            BODY: Talks about millions of dollars
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.2 ADVANCE_FEE_2          Appears to be advance fee fraud (Nigerian 419)
 1.4 ADVANCE_FEE_3          Appears to be advance fee fraud (Nigerian 419)
 0.8 MSOE_MID_WRONG_CASE    MSOE_MID_WRONG_CASE
 0.6 ADVANCE_FEE_4          Appears to be advance fee fraud (Nigerian 419)
 3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook


real    0m5.038s
user    0m0.017s
sys     0m0.061s


RE: Off Topic - SPF - What a Disaster

2010-02-24 Thread Gary Smith
  SPF works great as a selective whitelist in SpamAssassin. (And I don't
  mean whitelisting all SPF passes. That would be stupid. I mean
  whitelisting mail coming from domain X, but only when it passes SPF
  and demonstrates that yes, it really came from domain X.)
 
  I'd say that what you found is *not* that SPF itself is a disaster,
  but that enforcing SPF by rejecting failures is a disaster.
 
 +1

+1.  I implement SPF records on all my hosted domains, it's trivial, but to 
this date I haven't found any real use for it filtering on it.  I think the 
only reason that I put it in place to begin with is to be in compliance with 
yahoo (or some other provider) some years ago after they bounced some mail.  

I feel that if it were enforced by several of the larger email companies then 
it would cause everyone to implement it and then it might have value at 
limiting zombies, but that's about it.  Since they haven't enforced it, there 
isn't much more that can be done.  If we enforce it, it makes us look like 
idiots when our clients can't get email, and then we look like idiots and they 
turn to the larger (or should I say more popular) companies.




RE: Speeding up even further - Can I make this work?

2009-12-28 Thread Gary Smith
Dan, 

Run two separate SA daemons and two separate MTA daemons.  We do this with a 
postfix/SA install.  You can then tweak additional settings for your MTA to 
also ignore these types of checks as well.  We run Postfix on port 25 for 
incoming and on 587 (submission) for outgoing.  We also have an alternate port 
for outgoing as well (which only responds to local network (of 2525).  Each 
port/IP combo in postfix can pass things to its own filter (thus two separate 
instances of SA).

Hope that helps.

Gary Smith

From: Dan Gambiera [mailto:anu...@gmail.com] 
Sent: Monday, December 28, 2009 2:07 PM
To: users@spamassassin.apache.org
Subject: Speeding up even further - Can I make this work?

I'm trying to get spamassassin to work more quickly on outgoing email. Since I 
know where the email is coming from et cetera there is no need to do any of the 
DNSeval, SPF, DKIM, RBL and similar tests. I don't want to just set the scores 
for a bunch of the standard tests to zero. I want to keep them from getting run 
at all. Does anyone have any insight on what I will need to modify in the code 
to do this?

The FAQ and Wiki aren't terribly helpful.

Regards,
Dan Gambiera


RE: OT bad news

2009-10-06 Thread Gary Smith
 (Standing ovation on both emails)
 
 --
 Dan Schaefer
 Web Developer/Systems Analyst
 Performance Administration Corp.

I feel beat down now :( 

j/k




RE: OT bad news

2009-10-05 Thread Gary Smith
 and the problem is?
 
 if they want exchange, give them exchange. don't fight (directly),
 watch
 instead. take pleasure of the situation, get fun as you can. I
 personally took fun all day long in windows-only (and believe it or
 not,
 in linux-only) environments.
 
 
 that said, you can still try to explain that exchange should not be
 exposed to the internet. you still need a relay (such as
 freebsd/postfix).


Many of our clients run Exchange but solely use Postfix/SA/ClamAV on the wall.  
There is no direct access to SMTP on the Exchange box for incoming.  We use 
Postfix w/LDAP with SSL for SMTP clients (such as iphones, etc).  In most cases 
we also use IMAP proxy to Exchange (when we can).

Our biggest problems, as mentioned, is the admin side of it.  If it's a Windows 
mentality shop, no *nix, if it's a *nix shop, no Windows.  I would still argue 
the case that all incoming email still be passed through a relay and filtered.  
Let them have as much Windows stuff as they want.  Just plead the case to 
supplement.  Start by allowing all of their email to flow unfiltered, let them 
lose emails because of the overly paranoid Exchange settings, then, after they 
tweak the settings, let them get swamped by the under tagging.  Make sure to 
remind them to keep AV updated on their Exchange, then just offer to put the 
relay back into place.


RE: unsubscribe

2009-09-29 Thread Gary Smith
Didn't we already have this discussion today.  You need to use the link in the 
headers!

Try 
users-unsubscr...@spamassassin.apache.org

From: Danny [mailto:d...@eastcogroup.com.hk]
Sent: Tuesday, September 29, 2009 8:34 PM
To: users@spamassassin.apache.org
Subject: unsubscribe




RE: AWL q?

2009-08-27 Thread Gary Smith
 memcache is nice, but how do you use memcache data in postfix ?

There is a patch for memcached and postfix.  The problem is, which is what I'm 
working on, is how to populate it.  They only give you the mechanism for using 
memcached.   (http://www.aurore.net/projects/postfix_memcached/)
 

So, my intent, when I have time over the couple weeks is to work on an app that 
will populate it (add/update) from a key pair stream (thus I can populate it 
with whatever data call I want) and just crontab it out.  The problem is my C 
is pretty rusty and the data formats for the script languages use a different 
format for memcached than the C api.  

But the theory is sound and for something like having AWL integrated into 
postfix, this would be an ideal way to handle it as it's fast and can be 
modified externally.

With that said, I spent some time last night thinking of a better 
implementation of what Len had mentioned.  I don't want to block singleton 
email addresses as most of the emails are coming from random IP's so it defeats 
the purpose.  I was thinking that, instead of that, create a table that will 
house the domain and IP, with an aggregate score (based upon some algorithm yet 
to be defined) and use that for the quick lookup for postfix.  If a domain has 
passed in a couple spams from a single IP, this could be a fluke, but if they 
are passing hundreds, it's obviously not.

Anyway, if you have any ideas on populating the memcached and have C 
experience, and some time, you might want to run with the idea as well and 
share some code.


AWL q?

2009-08-26 Thread Gary Smith
I've been finding a lot of singletons in the AWL db for domains that are all 
spam.  Is there a way put an entire domain into AWL or set it up to give an 
average score for that domain?

Obviously I can put this directly into the config file but I'm looking for a 
less intrusive way to do this.  What might be useful is an awl_domain table 
that it manages the average for the domain/ip as well as just the single email.

Anyway, is there a way to do this currently?

Example of the database (I think I have like 500 for these guys now from this 
week).

+----------+----------------------------------+-------+-------+----------+
| username | email                            | ip    | count | totscore |
+----------+----------------------------------+-------+-------+----------+
| filter   | ajdiohxo...@weekendhotdeals.info | 76.73 |     1 |    6.519 |
| filter   | ajuxorpc...@weekendhotdeals.info | 76.73 |     1 |    6.519 |
| filter   | aqxkopmj...@weekendhotdeals.info | 76.73 |     2 |   10.872 |
| filter   | atjwoxps...@weekendhotdeals.info | 76.73 |     1 |   11.918 |
| filter   | bckxiypg...@weekendhotdeals.info | 76.73 |     1 |    6.519 |
| filter   | beqrikuo...@weekendhotdeals.info | 76.73 |     2 |   10.872 |
| filter   | bkqrasni...@weekendhotdeals.info | 76.73 |     2 |   13.038 |
| filter   | blyhovks...@weekendhotdeals.info | 76.73 |     1 |    6.519 |
| filter   | bsfmogqa...@weekendhotdeals.info | 76.73 |     2 |   10.872 |
| filter   | bsgjuulc...@weekendhotdeals.info | 76.73 |     2 |   10.872 |
+----------+----------------------------------+-------+-------+----------+
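
The per-domain/IP aggregate asked about in the two AWL messages above, sketched as an added example (not SpamAssassin's or the poster's code). The rows are constructed in the shape of the table above, and the function names and the three thresholds are assumptions, since the thread leaves the scoring algorithm undefined.

```python
"""Roll AWL rows up to (sender domain, ip) and pick out throwaway-address domains."""
from collections import defaultdict
from typing import NamedTuple

# Constructed sample rows: (username, email, ip, count, totscore).
# totscore is the running sum of scores, so the mean per message is totscore/count.
AWL_ROWS = [
    ("filter", "aaqx01@deals.example", "198.51", 1, 6.5),
    ("filter", "bbrk02@deals.example", "198.51", 1, 6.5),
    ("filter", "cczm03@deals.example", "198.51", 2, 11.0),
    ("filter", "ddlp04@deals.example", "198.51", 1, 12.0),
    ("filter", "eewq05@deals.example", "198.51", 2, 13.0),
    ("filter", "ffty06@deals.example", "198.51", 2, 11.0),
    ("filter", "ggha07@deals.example", "203.0", 1, 6.5),     # same domain, other IP
    ("filter", "someone@one-off.example", "203.0", 1, 9.2),  # a single hit: a fluke
    ("filter", "alice@partner.example", "192.0", 12, -14.4),
    ("filter", "bob@partner.example", "192.0", 3, -2.1),
    ("filter", "carol@partner.example", "192.0", 8, -9.6),
    ("filter", "dave@partner.example", "192.0", 5, 1.0),
    ("filter", "erin@partner.example", "192.0", 2, -1.0),
    ("filter", "frank@partner.example", "192.0", 4, -3.0),
    ("filter", "no-at-sign", "192.0", 1, 3.0),               # malformed, skipped
]


class DomainStat(NamedTuple):
    domain: str
    ip: str
    addresses: int     # distinct sender addresses seen for this domain/ip
    messages: int      # sum of the per-address counts
    mean_score: float  # sum(totscore) / sum(count)


def aggregate_awl(rows):
    """Collapse per-address AWL rows into one record per (domain, ip)."""
    acc = defaultdict(lambda: {"emails": set(), "messages": 0, "total": 0.0})
    for _username, email, ip, count, totscore in rows:
        _local, sep, domain = email.rpartition("@")
        if not sep or not domain or count <= 0:
            continue  # cannot attribute the row to a domain
        slot = acc[(domain.lower(), ip)]
        slot["emails"].add(email.lower())
        slot["messages"] += count
        slot["total"] += totscore
    return sorted(
        DomainStat(domain, ip, len(s["emails"]), s["messages"],
                   s["total"] / s["messages"])
        for (domain, ip), s in acc.items()
    )


def spam_domain_candidates(stats, min_addresses=5, min_messages=8, min_mean=5.0):
    """Domains that spread a high mean score over many short-lived addresses.

    The thresholds are assumptions for this example: a couple of hits from one
    IP may be a fluke, so a pair needs both volume and address spread to qualify.
    """
    return [s for s in stats
            if s.addresses >= min_addresses
            and s.messages >= min_messages
            and s.mean_score >= min_mean]


if __name__ == "__main__":
    for stat in aggregate_awl(AWL_ROWS):
        print(stat)
    print("candidates:", spam_domain_candidates(aggregate_awl(AWL_ROWS)))
```
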


RE: AWL q?

2009-08-26 Thread Gary Smith
 I don't let that junk get past envelope stage:
 
 postmap -q weekendhotdeals.info mysql:/usr/local/etc/postfix/mysql-
 from_senders_rhsbl.cf
 554 RHSBL_DOMAIN
 

I assume you are running some type of background process that generates the 
list of senders based upon some criteria.  Can you share more.  

I also use mysql lookups for postfix (though I'm in the process of converting 
them to memcache for some of the larger ones (with a preloader) so I can hit 
memcached first (then lookup to the database after if necessary).  I'm also 
looking for better ways to deal with spam. 



RE: using external spamassassin server with postfix

2009-08-25 Thread Gary Smith
 We have a cluster of postfix servers through a load balancer.  I would
 like to set up an external set of spamassassin servers where these
 postfix servers simply query the spamassassin servers over the network
 for spam decisions then drop or relay accordingly.   This is for
 outbound email only.  I would prefer that spamassassin live outside of
 these relay servers.  Is this possible?
 
 Thanks!

Terry,

Are you saying you want the spam processing to be on another computer or do you 
want to hand the entire email to another cluster to process it.

My recommendation is to setup a set of spamassassin servers and then run them 
through the normal spamc pipe on the postfix server but just specify the remote 
server to connect to (in our case a load balancer of spamassassin instances).  
In essence, make the SA processing a remote call.  It's easy to do.

This leads to a small problem though if you are using bayes.  You will 
probably want to use bayes via MySql and then use a shared MySql server, 
otherwise they will quickly get out of sync.

Our environment

Postfix (A) -- HANDOFF ClamAV (B) -- HANDBACK Postfix (A) -- PIPE to spamc 
-- Postfix - DEST

WHERE:
spamc -u filter -d ip address of remote sa cluster/lb

This will take all of the load off the postfix server.

Gary




RE: using external spamassassin server with postfix

2009-08-25 Thread Gary Smith
 
 Very cool.  I think that's exactly what we want.  How is the handoff
 to clamav handled?  I would probably want that to be on the external
 server too.

Here you go.  Smtp, well, that should be obvious.  Anyway, it hands it off to 
[IP]:PORT (clamsmtpd) which will then call back on 9993.  9993 will then hand 
it off to the spamassassin PIPE, which will then call the 
/etc/postfix/spamassassin-filter.sh script.  From there it's injected back into 
postfix to continue on its way.  You do need to make sure you start 
spamassassin the array with -i 0.0.0.0 -A 0.0.0.0/0 where 0.0.0.0 and 
0.0.0.0/0 are your network settings, so as not to allow random access to your 
SA server.  Make sure you have the clamsmtpd to make this work properly.

If you are going to go through all of this trouble, I should probably ask are 
you also running some type of greylisting as well? 

/etc/postfix/spamassassin-filter.sh: (tweak the command options to fit your 
needs).
# "$@" is quoted so sender/recipient arguments are passed through unsplit
spamc -u filter -d IP | sendmail -i "$@"

/etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=scan:[IP]:PORT
  -o myhostname=yada
9993      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin:dummy
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
spamassassin unix  -    n       n       -       32      pipe
  flags=Rq user=filter argv=/etc/postfix/spamassassin-filter.sh -f ${sender} -- ${recipient}


That's all I can think of right now.  There's probably more.


RE: your mail

2009-08-21 Thread Gary Smith

 Because as I said numerous times I'm not talking about ISPs. I'm not
 sure precisely which part of I'm not talking about ISPs you don't
 understand.
 
 Are you not aware that there are companies that provide email services
 without being ISPs: Google, Fastmail, Tuffmail etc.
 

Just because they don't provide your connection to the internet doesn't mean 
they aren't an ISP.  The definition of ISP has changed, or evolved over time.  
Clearly, freemail providers fall into that category nowadays.

As mentioned, there are clear reasons for what ISP's, and mail server admins, 
do what they do.  

I remember when yahoo was an open relay and no ISP or mail server blocked ports 
from their service.  The result was the invention of spam.  This group is 
against spam.  You don't have to use the product, but others do, and if you 
don't like that, complain to them.

Just my $0.02


RE: your mail

2009-08-21 Thread Gary Smith
 Again, I've no idea what relevance that has to anything I've written.
 
 All I ever said in his thread was that I don't in general rate ISP mail
 very highly, and that if an ISP blocks outgoing connections to port 25
 you can still connect to a third-party server through either the
 submission port or the SMTPS port.
 
 Despite the fact that I repeated ad nauseam that I'm not talking about
 connecting to ISP mail servers, Res kept repeating over and over again
 that it's not supported by all ISPs.
 
 And then you chimed-in with your contribution - which I think is
 overpriced.
 
  Just my $0.02

My apologies.  You are right that I should have read more into the thread.  
People can indeed send email in a variety of ways to get around the ISP 
limitations put in place to block spam.  I myself do that from my ISP to get it 
through to my company mail, by using, as you said, another port (in my case, 
SMTPS with SSL) as do several of my clients (as their providers don't allow 
them to send email if the email address isn't that of their ISP -- another very 
stupid rule).



RE: your mail

2009-08-21 Thread Gary Smith
 I agree.  We're an ISP and I don't want us to be associated with
 companies like Google.  I don't want Google operating in my market and
 I'm sure as heck that Google doesn't want me operating in the search
 engine market, either.
 
 I don't agree with this everyone's an ISP mentality that's become
 so prevalent, recently.
 
 Ted

Ted, 

So you think google is just in the search engine market...  RW is even using 
google mail. (I'm just heckling you :) )



RE: mail slipping through

2009-08-20 Thread Gary Smith
  Aug 19 15:03:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 -
 
 BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RH
 S_DOB
 
 scantime=0.2,size=4543,user=filter,uid=124,required_score=0.0,rhost=10.
 80.65.9,raddr=10.80.65.9,rport=53097,mid=509800d.5...@biblegame.info,
 bayes=0.498828,autolearn=no
 
 All BAYES_50? Silly question, but are you sure you're properly
 training?
 Running sa-learn as the right user, and all that?
 
 All but one have subsecond scan times. Did you score an old Cray or
 something? :) That might indicate a problem, not sure.
 
 So you have any SMTP-time DNSBL checks in place on the public MTA?


I will look into the bayes issue.  It is possible that I'm not training as the 
proper user.  Normally we always use the user filter.  Everything else seems 
to be working right.  Not sure why the scan time is sub second on those emails. 
 As for the MTA, yes, we do use RBL's (listed below)

   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client rhsbl.ahbl.org,
   reject_rbl_client dnsbl-1.uceprotect.net,

Scan time on the ones below, that were marked as spam, still had very low scan 
times.  

Aug 18 04:25:47 hsoakmsa03l02 spamd[21306]: spamd: result: Y 10 - BAYES_95,DATE_IN_PAST_03_06,URIBL_BLACK,URIBL_JP_SURBL scantime=0.2,size=3331,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=39455,mid=oetds6-oo6bsfb8...@mx2.tiresled.com,bayes=0.971262,autolearn=no
 

Aug 18 04:29:34 hsoakmsa03l02 spamd[21306]: spamd: result: Y 29 - BAYES_99,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MPART_ALT_DIFF_COUNT,SUBJECT_NEEDS_ENCODING,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RED,URIBL_WS_SURBL scantime=0.4,size=3376,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=41968,mid=0.0.18.6fd.1ca1fdc484bc7b4.13a...@mail.provisionmoo.com,bayes=1.00,autolearn=spam


Anyway, I will look into the bayes as to why these are being seen as bayes_50 
and also look into the bayes training scripts.

One quick question.  On our old SA boxes I believe we had several SARE rules in 
place.  This box doesn't.  It's been a while since I've kept up with the 
recommended rules for general SA machines.  Is it recommended to put SARE rules 
in place anymore?

Gary


RE: mail slipping through

2009-08-20 Thread Gary Smith
 All BAYES_50? Silly question, but are you sure you're properly
 training?
 Running sa-learn as the right user, and all that?
 

I must have been tired.  I thought I had run sa-learn --dump earlier, but I 
guess I didn't.  It looks like the new server has a very high ham rate and a 
low spam rate.  I'm thinking that maybe in our divine wisdom of script writing 
that someone loaded a bunch of spams using the ham script.  That's the best I 
can figure.  I checked the scripts and they are indeed using the correct user 
id.  So, I will dump the database and retrain today.  That will probably fix it.

OLD SERVER

0.000  0           3  0  non-token data: bayes db version
0.000  0     1179630  0  non-token data: nspam
0.000  0      830497  0  non-token data: nham
0.000  0      128519  0  non-token data: ntokens
0.000  0  1250654065  0  non-token data: oldest atime
0.000  0  1250780279  0  non-token data: newest atime
0.000  0           0  0  non-token data: last journal sync atime
0.000  0  1250708192  0  non-token data: last expiry atime
0.000  0       54835  0  non-token data: last expire atime delta
0.000  0       34281  0  non-token data: last expire reduction count

NEW SERVER

0.000  0           3  0  non-token data: bayes db version
0.000  0        5490  0  non-token data: nspam
0.000  0       10678  0  non-token data: nham
0.000  0      141755  0  non-token data: ntokens
0.000  0  1240965283  0  non-token data: oldest atime
0.000  0  1250779298  0  non-token data: newest atime
0.000  0           0  0  non-token data: last journal sync atime
0.000  0  1250735397  0  non-token data: last expiry atime
0.000  0       86400  0  non-token data: last expire atime delta
0.000  0       56262  0  non-token data: last expire reduction count

 All but one have subsecond scan times. Did you score an old Cray or
 something? :) That might indicate a problem, not sure.
 
 So you have any SMTP-time DNSBL checks in place on the public MTA?
 
 --
   John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
   jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
W-w-w-w-w-where did he learn to n-n-negotiate like that?
 ---
   5 days until the 1930th anniversary of the destruction of Pompeii


RE: sare channels

2009-08-20 Thread Gary Smith
 Read the top of the rulesemporium site:
 
 http://www.rulesemporium.com/
 
 SARE rules aren't being updated. Hence, sa-updating them is pointless.

Is it still recommended to run the SARE rules?


RE: sare channels

2009-08-20 Thread Gary Smith
 
 There's nothing wrong with running them if you want.. but using
 sa-update on them regularly is utterly pointless..

Matt, 

Thanks.  I used them years ago back before rulesemporium actually existed, and 
I know they had value at the time.  I just didn't know if the rules were 
migrated into the mainline or something like that.  It's been years since I 
really had to configure an SA box.  

Anyway, I put a couple of them in there and I can already see some of the rules 
being hit as expected.

Gary


mail slipping through

2009-08-19 Thread Gary Smith
I've been having a pretty good hit rate on spam until recently (about two 
weeks).  Two types of email have been coming through at a good rate.  I'm 
receiving at least four per hour from the domains included below.  I've also 
been training bayes with them as well, to no avail.

*...@chocolatebearbear .INFO
*...@biblegame .info
*...@clickbetterthere .info

To make matters worse, they seem to be using normal SMTP process of some type 
as they are getting through sqlgrey, without any problem.  I blew away the all 
entries from sqlgrey for awl and the connection log, yet they came right back.

+-------------+-------------------+---------------+---------------------+---------------------+
| sender_name | sender_domain     | src           | first_seen          | last_seen           |
+-------------+-------------------+---------------+---------------------+---------------------+
| evcoieytabo | apostlesblog.info | 208.110.94    | 2009-08-19 14:22:51 | 2009-08-19 14:35:15 |
| edfluzvpbio | apostlesblog.info | 208.110.94.34 | 2009-08-19 14:26:23 | 2009-08-19 14:46:51 |
| flnkaxscfue | parishstore.info  | 76.73.123     | 2009-08-19 14:27:34 | 2009-08-19 14:39:46 |
| qmfeypysuno | parishstore.info  | 76.73.123     | 2009-08-19 14:36:40 | 2009-08-19 14:48:53 |
| xomdaygtyqi | parishstore.info  | 76.73.2       | 2009-08-19 14:45:04 | 2009-08-19 14:58:41 |
| hnmuelcljhu | biblegame.info    | 76.73.85      | 2009-08-19 14:33:29 | 2009-08-19 14:45:18 |
| cfkgytorpxe | biblegame.info    | 76.73.85.250  | 2009-08-19 14:41:28 | 2009-08-19 14:56:16 |
| obzfyowgbse | biblegame.info    | 76.73.85.250  | 2009-08-19 14:40:57 | 2009-08-19 14:55:38 |
...
+-------------+-------------------+---------------+---------------------+---------------------+

Anyway, I'm using sorbs and spamhaus in postfix, but these guys aren't listed 
on either of the two.  I know some time ago SA had a list of fresh top X 
daily/weekly spammers.  Does that still exist?  Anyone have any recommended 
action to take on this.

My SA config is pretty basic and is hitting lots of other spams, just not these 
guys.


RE: mail slipping through

2009-08-19 Thread Gary Smith
 Is it pretty much the same body, just different senders?

Yes and no.  They are all the same body layout, some with different items in 
it.  You can take a look at the body content here (screen captures of the 
content):

http://www.localassociates.com/?page_id=7

Wares range from auto warrantee's to shoes.

Anyway, 
Header: http://pastebin.com/m51fd9344
body: http://pastebin.com/m7fe4c798

Please note, I use a perl script for doing the SA check.  If the score is lower 
than a specific user threshold then the original email is attached.  In the 
cases of all of these emails, they are to my personal account (or our testing 
accounts).  So, no headers doesn't equal bad.  Each message is indeed checked.  
I'm going to turn on debugging on one of the SA servers and see what the logs 
report for these actual requests (which will have to wait for 4 hours or so -- 
when most of the clients aren't using email).

 
 If it's just the senders you could easily blacklist the domains, none
 of these domains look all that legit.

I was thinking that would be the easy way to fix these couple domains, but I'm 
sure they have more bogus ones as well.

 Can you copy a message or two (with full headers) to pastebin so we
 can have a look?
 
 --Dennis


RE: mail slipping through

2009-08-19 Thread Gary Smith
 
 I'd think that disclaimer code would be good bayes fodder, if the spams
 are as consistent as you say.

That was in the comment right after the pastebin attachment.  I will enable 
debugging on the SA server so I can save it there tonight and see what it says.



RE: mail slipping through

2009-08-19 Thread Gary Smith
  That was in the comment right after the pastebin attachment.  I will
  enable debugging on the SA server so I can save it there tonight and
 see
  what it says.
 
 Huh? You've lost me.
 
 And I meant to say disclaimer text, the Any such information we
 gather
 shall never be shared with blah blah. Multitasking error, sorry. :)
 

Sorry for the confusion.  I had meant that there are no SA headers because the 
script that processes the message will only return the marked up email message 
(from SA) if it's higher than the users threshold.  By default, the score 
threshold in our system is 0.0, which marks most things as spam, but we have a 
lookup where each user sets their own score, and if it's higher than the score, 
they get the marked up email.

So in order for me to show the marked up headers I need to turn the logging up 
on the SA servers, wait for the message to come in, and then get the details 
from the log.


RE: SA and mail from backup mx?

2009-08-19 Thread Gary Smith
 
 Hello,
   Mail from my backup mx is not being scanned for spam as it's
 coming
 in. Is this something i'd have to turn on at the MTA level, content
 filter,
 or SA? A majority of stuff my backup mx sends me is spam and i'd like
 to get
 it tagged as such.

Is the backup on the same network as the primary?  Do you have it listed as a 
trusted machine in the local.cf file?

One of our backup MX's is external and it forwards the mail direct to the 
primary when it goes back online.  Best way to find out is to look into the 
headers and see how the message is being relayed around.



RE: SA and mail from backup mx?

2009-08-19 Thread Gary Smith
 Is the backup on the same network as the primary?  Do you have it
 listed as
 a trusted machine in the local.cf file?
 
   The backup is not on the same network as the primary and it is
 not
 listed as a trusted machine in local.cf. My setup is like yours, if the
 primary goes down for maintence or whatever the backup holds messages
 then
 relays when the primary is back.

I'd look into the headers then and look at the flow to make sure you are seeing 
flow that you expect.  We do a lot of bouncing of mail on odd ports internally 
to different servers (as each server provides a different service) and each 
port has different rules setup.

What MTA are you using?


RE: mail slipping through

2009-08-19 Thread Gary Smith
 
 Ah. Okay. You might also be able to look up the Message-ID in
 /var/log/maillog, if you're using spamd.
 

Didn't think of that.  Here is the corresponding spam result for the pastebin 
entry (http://pastebin.com/m51fd9344)

503bb52.5...@biblegame.info

Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: processing message 
503bb52.5...@biblegame.info for filter:124 
Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB
 
scantime=0.1,size=4525,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58357,mid=503bb52.5...@biblegame.info,bayes=0.499430,autolearn=no
 

+----------------+
| spam_threshold |
+----------------+
|              7 |
+----------------+

Here are some more from the same set/type of senders.
Aug 19 14:39:46 hsoakmsa03l02 spamd[28319]: spamd: result: Y 2 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_RHS_DOB 
scantime=0.2,size=4584,user=filter,uid=124,
required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=37185,mid=1359ae2.5...@parishstore.info,bayes=0.490932,autolearn=no
 

Aug 19 14:45:18 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB 
scantime=0.2,size=4516,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=33643,mid=509800d.5...@biblegame.info,bayes=0.498825,autolearn=no
 

Aug 19 14:46:52 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB
 
scantime=0.1,size=4511,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=33664,mid=2b19fe.5...@apostlesblog.info,bayes=0.499484,autolearn=no
 

Aug 19 14:48:58 hsoakmsa03l02 spamd[29369]: spamd: result: Y 4 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB 
scantime=4.0,size=4610,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=54478,mid=1359ae2.5...@parishstore.info,bayes=0.490647,autolearn=no
 

Aug 19 14:50:54 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB 
scantime=0.1,size=4554,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=54515,mid=5b96444.5...@parishstore.info,bayes=0.446187,autolearn=no
 

Aug 19 14:53:10 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB
 
scantime=0.1,size=4525,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58357,mid=503bb52.5...@biblegame.info,bayes=0.499430,autolearn=no
 

Aug 19 14:53:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB
 
scantime=0.1,size=5905,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58363,mid=503bb52.5...@biblegame.info,bayes=0.496882,autolearn=no
 

Aug 19 14:53:43 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB 
scantime=0.1,size=4579,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58369,mid=5b96444.5...@parishstore.info,bayes=0.446202,autolearn=no
 

Aug 19 14:55:38 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB
 
scantime=0.2,size=4508,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58422,mid=2b19fe.5...@biblegame.info,bayes=0.499487,autolearn=no
 

Aug 19 14:56:17 hsoakmsa03l02 spamd[28319]: spamd: result: Y 5 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_NONE,SPF_HELO_SOFTFAIL,URIBL_BLACK,URIBL_RHS_DOB
 
scantime=0.2,size=4545,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=58442,mid=1a25f92.5...@biblegame.info,bayes=0.498743,autolearn=no
 

Aug 19 14:58:42 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB 
scantime=0.2,size=4594,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=52316,mid=1a25f92.5...@parishstore.info,bayes=0.487605,autolearn=no
 

Aug 19 15:03:11 hsoakmsa03l02 spamd[28319]: spamd: result: Y 4 - 
BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK,URIBL_RHS_DOB 
scantime=0.2,size=4543,user=filter,uid=124,required_score=0.0,rhost=10.80.65.9,raddr=10.80.65.9,rport=53097,mid=509800d.5...@biblegame.info,bayes=0.498828,autolearn=no


This server's average scores (not too many domains going through this one right 
now).
  Count Score
  3 -1
267 -10
 47 -11
 26 -12
 22 -13
 53 -14
  7 -15
  9 -16
  8 -17
  6 -18
 10 -19
  2 -2
  4 -20
  2 -21
  2 -23
  5 -3
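
A way to triage spamd "result:" lines like the ones posted above, as an added example (not the poster's or SpamAssassin's code). It groups results by the domain in the Message-ID and reports domains where every message sat in BAYES_50 with no autolearn while a URIBL list already flagged it, the pattern that pointed to a Bayes training problem in this thread. The log lines are constructed, and the function names and `min_msgs` are assumptions.

```python
"""Find sender domains that spamd's Bayes never makes up its mind about."""
import re
from collections import defaultdict

RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+(?:\.\d+)?) - (?P<tail>.*)$")
BAYES_RE = re.compile(r"(?:^|,)bayes=(?P<v>\d+(?:\.\d+)?)")
LEARN_RE = re.compile(r"(?:^|,)autolearn=(?P<v>[a-z]+)")
MID_RE = re.compile(r"(?:^|,)mid=<?(?P<v>[^,>]+)>?")


def _line(ts, flag, score, rules, mid, bayes, learn):
    """Build one constructed log line in spamd's result format."""
    return (f"Aug 19 {ts} mx1 spamd[28319]: spamd: result: {flag} {score} - {rules} "
            f"scantime=0.2,size=4500,user=filter,uid=124,required_score=0.0,"
            f"rhost=10.0.0.9,raddr=10.0.0.9,rport=37185,"
            f"mid=<{mid}>,bayes={bayes},autolearn={learn}")


# Constructed sample log (placeholder host, domains and Message-IDs).
SAMPLE_LOG = [
    "Aug 19 14:39:40 mx1 spamd[28319]: spamd: processing message <1@shop.example> for filter:124",
    _line("14:39:46", "Y", 2, "BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,URIBL_RHS_DOB",
          "1@shop.example", "0.490932", "no"),
    _line("14:45:18", "Y", 4, "BAYES_50,HTML_MESSAGE,URIBL_BLACK,URIBL_RHS_DOB",
          "2@shop.example", "0.498825", "no"),
    _line("14:46:52", "Y", 5, "BAYES_50,RDNS_NONE,URIBL_BLACK",
          "3@shop.example", "0.499484", "no"),
    _line("14:50:01", "Y", 10, "BAYES_95,DATE_IN_PAST_03_06,URIBL_BLACK",
          "4@tires.example", "0.971262", "no"),
    _line("14:51:30", "Y", 29, "BAYES_99,HTML_MESSAGE,URIBL_BLACK",
          "5@debt.example", "1.00", "spam"),
    _line("14:52:12", ".", -2, "BAYES_00,SPF_PASS",
          "6@corp.example", "0.000012", "ham"),
]


def parse_result(line):
    """Return the fields of one 'result:' line, or None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    parts = m.group("tail").split()
    kv = parts[-1] if parts else ""                # key=value list is the last token
    rules = parts[0] if len(parts) > 1 else ""     # rule names precede it, if any hit
    bayes, learn, mid = BAYES_RE.search(kv), LEARN_RE.search(kv), MID_RE.search(kv)
    mid_val = mid.group("v") if mid else ""
    # Assumption: the Message-ID domain stands in for the sender domain, as it
    # did in the results posted above; spamd does not log the envelope sender here.
    domain = mid_val.rpartition("@")[2].lower() if "@" in mid_val else "(unknown)"
    return {
        "spam": m.group("flag") == "Y",
        "score": float(m.group("score")),
        "rules": [r for r in rules.split(",") if r],
        "bayes": float(bayes.group("v")) if bayes else None,
        "autolearn": learn.group("v") if learn else None,
        "domain": domain,
    }


def undecided_domains(lines, min_msgs=3):
    """Per-domain summary plus the domains Bayes stays neutral on."""
    by_domain = defaultdict(list)
    for line in lines:
        rec = parse_result(line)
        if rec:
            by_domain[rec["domain"]].append(rec)
    report = {}
    for domain, recs in by_domain.items():
        report[domain] = {
            "messages": len(recs),
            "bayes_50": sum("BAYES_50" in r["rules"] for r in recs),
            "uribl": sum(any(x.startswith("URIBL_") for x in r["rules"]) for r in recs),
            "autolearned": sum(r["autolearn"] in ("spam", "ham") for r in recs),
        }
    flagged = sorted(
        d for d, s in report.items()
        if s["messages"] >= min_msgs and s["bayes_50"] == s["messages"]
        and s["uribl"] > 0 and s["autolearned"] == 0)
    return report, flagged


if __name__ == "__main__":
    summary, flagged = undecided_domains(SAMPLE_LOG)
    for name, stats in sorted(summary.items()):
        print(name, stats)
    print("Bayes undecided despite URIBL hits:", flagged)
```
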

Spamcheck and how it affects bayes question

2009-07-21 Thread Gary Smith
We have a process in place using the perl CPAN module for invoking SA.  This is 
outside of the scope of the normal mail system.  Basically we use this to see 
what scores emails would generate for some statistical stuff.  The spam engine 
this calls is set to use -100 as the score so that everything is considered 
spam.  Our production spam engine is set to 7.  We are looking at the score 
that the perl modules returns and logging it (rather than the isspam flag).  To 
complicate things a little more, we are using MySql for the bayes store.  This 
store is also used by our production boxes.  This isn't the problem, just what 
we are doing.

The CPAN module has this as the description:
public instance (\%) process (String $msg, Boolean $is_check_p)
Description:
This method makes a call to the spamd server and depending on the value of
C<$is_check_p> either calls PROCESS or CHECK.

Given that the perl call has a boolean option for PROCESS and CHECK, I would 
assume that they make some difference, but it really doesn't say what the 
difference is.  Currently in our code we are calling it with a false value, which 
executes the PROCESS command.

What I'm wondering is will this throw off bayes if we keep doing this as 
everything that SA is returning is considered spam?  I'm just worried that 
these continued tests will cause bayes to get wacky.  Also, should we be using 
PROCESS or CHECK when doing this type of checks?

Gary

RE: Spamcheck and how it affects bayes question

2009-07-21 Thread Gary Smith
 The bayes auto-learning system does not care what your required_score
 is set to, and does not care if messages are tagged as spam or not. It
 uses its own thresholds, and its own additional criteria for learning.
 
 So, feeding it lots of mail with the threshold set to -100 shouldn't
 matter at all.

I can live with that answer.  That's what I was looking for.

Thanks, 

Gary


RE: SORBS bites the dust

2009-06-22 Thread Gary Smith
If you follow the unlisting procedure and meet all of the requirements, then 
you get unlisted.  As with all things, it just takes a little patience.  After 
converting my IP's over from my ISP to my DNS servers, I was listed (because 
the ISP no longer listed us as static).  We were able to resolve it in a fairly 
reasonable amount of time.  I don't recall even paying a dime.


From: Jeremy Morton [ad...@game-point.net]
Sent: Monday, June 22, 2009 3:01 PM
To: rich...@buzzhost.co.uk
Cc: users@spamassassin.apache.org
Subject: Re: SORBS bites the dust

rich...@buzzhost.co.uk wrote:

You really can't?

SORBS accidentally blacklist your domain.  You then have to pay their
tithe money to get people to start receiving your e-mail again.  I say
that sucks.  BTW, it happened to my domain, I tried to contact them, and
got one automated response e-mail.  Nothing more.  Good riddance to them.

Best regards,
Jeremy Morton (Jez)

RE: Is email becoming unusable due to spam and antispam?

2009-05-15 Thread Gary Smith
Igor, 

I'd say you're paranoid, but I had a crazy problem recently with my outgoing 
email.

This is my $0.02.  

About middle March emails sent from our domain to craigslist started bouncing 
back saying that they would not accept email from hosts with the words dyn or 
static in their RDNS zones.  Well, I've been under the impression that static 
was the way to go for years.  So, I called my ISP and forwarded them the email 
and they said, okay, we'll transfer your IP's to you (we have two 1/2 C's and 1 
C').  Well, the 1/2 C's can't be transferred but the full C was.

So, like any good administrator, I changed them to be hostxxx.domain.tld.  
Setup and tested DNS/RDNS and everything was happy go lucky.  My clients and I 
were able to send to ebay and craigslist again without any problem.

Well, that was until we were listed as dynamic by spamhaus and sorbs.  
Apparently after the ARIN transfer, the setting of static through my parent ISP 
was now lost and we had one very fun time fixing that.  Fixing spamhaus seemed 
trivial, took a little patience and some tweaking.

Problem was SORBS.  Apparently SORBS will list you as a dynamic block if your 
hostnames are incremental and do not contain the word static in the RDNS.  So, 
I tweaked all of the entries again, with the exception of a specific single 
outgoing relay (which only accepts email from specific internal IP's).  I 
managed to get that one unlisted after almost 30 days of bounces (and finally 
getting someone at SORBS who in the end was very helpful to guiding me to 
fixing the problem to suit their rules).

Now, with all that being said, my email (from m...@domain.tld to 
m...@yahoo.com) is being sometimes identified as spam since this entire change.

Also, the domain in question, which isn't the one I'm sending from, also has an 
SPF record properly configured, before and after the problem.  

I think sometimes people make an overly zealous attempt at stopping spam that 
they cause the type of problems you are seeing.  I think that larger companies 
are even worse at this as they want to satisfy every Tom, Dick, and Mary.

Here is an odd, and possibly funny reason why we are seeing this problem.  I 
received an email about a year ago from a client saying they were receiving 
spam from kp.org (not Kaiser, I'm substituting a domain here).  For whatever 
reason, they asked me to block the emails because they were spam and forwarded 
to me.  Indeed it was kp.org, I checked all of the headers, and it stated that 
they had an update to their lab work for a recent medical visit and that the 
results were online.  I called the client to explain what this email was and 
they were still confused.  Now, what would bigger companies do?  Probably after 
enough attempts, block.  

This is why we left our hosting company 10+ years ago and started doing email 
hosting...

Many people on this list were doing effective spam filtering long before the 
big players did and they are still doing it effectively.  These big players still, to 
this date, haven't figured out 10+ year old technology and how to use it 
properly.

Gary


From: Igor Chudov [i...@chudov.com]
Sent: Friday, May 15, 2009 1:53 PM
To: Spamassassin Mailing List
Subject: Is email becoming unusable due to spam and antispam?

Just today a buyer reported that my reply to him ended up in his spam
folder. Concerned by this, I sent an email to my Yahoo! account and
that one disappeared somewhere. The one I sent to gmail, however, got
there quickly. I may be overreacting and, perhaps, it is a coincidence
that Yahoo just happens to be slow at the moment. But I am concerned.

I have a general feeling that spammers became so good at making their
messages look legitimate, that [poor] spam filters flag even
completely innocent stuff as spam.

This sending email by regular people who own their mailservers (as
opposed to gmail and such) becomes more and more risky and impossible,
in other words, email is quickly being undermined by spammers and
filters to being unreliable and flaky.

That is, now the damage from spam is not only in unwanted messages,
but also in email lost due to sloppy filtering.

I looked up my PC (75.146.106.188 on static IP from Comcast) and my
mailserver (65.182.171.162 hosted in a datacenter) and did not find
any RBL records to match.

Any thoughts?

i

RE: [OT] Email Servers

2004-10-21 Thread Gary Smith
The target environment (software and hardware) would help as well.
Under RedHat 9, RHEL3 and Fedora we use postfix, SA, Vexira A/V
(commercial but works well) and uw-imap.  Configuration was fairly
simple.

Gary Wayne Smith


-Original Message-
From: Jeffrey Lee [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 21, 2004 11:59 AM
To: users@spamassassin.apache.org
Subject: [OT] Email Servers

The email server I am using now has some unwelcomed price changes 
happening soon and I would like to switch to another server. I would 
like something that works well with SA and possibly ClamAV. The server 
would require pop, imap, and webmail. If someone could suggest other 
solutions please do.

Thanks,
Jeffrey Lee




RE: scan times up!

2004-10-05 Thread Gary Smith
Chris, 
 
Your priorities are wrong...  Give the wife and kids the old hardware. :)
 
It seems that AWL could also be to blame.  Looking at some of the threads on 
performance and memory issues everyone seems to have AWL configured.  When we 
ran 3.0.0 rc4 in development it seemed to work fine even with a load.  These 
used bayes and SURBL but AWL.  I didn't see any performance or real memory 
problems.
 
Just my $0.02.
 
Gary



From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Tue 10/5/2004 1:48 PM
To: 'scohen'
Cc: Spamassassin-Talk (E-mail)
Subject: RE: scan times up!





-Original Message-
From: scohen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 4:35 PM
To: Chris Santerre
Cc: Spamassassin-Talk (E-mail)
Subject: RE: scan times up!




On Tue, 5 Oct 2004, Chris Santerre wrote:

 If anyone remembers this thread, I have more feedback.

 After disabling Bayes, AWL, and reducing the system to 4 children, I now am
 running average scan times of 3.5 seconds. Much better!

 You devs are some seriously sexy coders!

 --Chris (Bayes?..poppycock!)

I haven't been reading this list for a couple of weeks. Are you
seriously saying that in order to get good performance out of SA3.0 you
have to disable bayes and only run 4 children? With the complaints of poor
performance and increased memory usage is there any reason to put this on
a production system?


Good grief NO! You read this wrong. I'm running it on a system that
archeologists are interested in! I think the Boston Computer museum left me
a message wanting to take the system away! Hell I'm running on a system that
couldn't run a PC game from 2 years ago!!  3.0 caused my old iron to hit
swap a lot at busy times. It's not SA's fault, but my budget of $10.99 that
causes it :)

--Chris (Seriously, my 4 yr old has a computer twice as powerful!)




RE: SA 3.0 is eating up all my memory!!!

2004-10-02 Thread Gary Smith
Hence my comments on the OT thread earlier today about the BigEvil
author going mad one day...  :)



 -Original Message-
 From: snowjack [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 01, 2004 4:20 PM
 To: users@spamassassin.apache.org
 Subject: Re: SA 3.0 is eating up all my memory!!!
 
 Loren Wilton wrote:
  80M doesn't strike me as unusual for spamd if you have any of the
addon
  rulesets.
 
 [EMAIL PROTECTED]@#sputter...! Yes, that is too unusual unless you're using
 ALL the addon rulesets, including BigEvil, which, I hear, eats pets
and
 small children when nobody's looking, and should be avoided. And also
 probably several non-SARE rulesets too.


[OT] The list is quiet...

2004-10-02 Thread Gary Smith






Almost too quiet!

Echo... 

Echo.. 

Echo.

I guess no one's home today.





RE: scan times up!

2004-10-01 Thread Gary Smith
Chris, 

You wouldn't by chance be running the old bigevil ruleset would you?  We
heard that the author went mad and the final product started ripping the
souls out of their systems...

Just a thought :)

Gary

 -Original Message-
 From: Chris Santerre [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 01, 2004 7:26 AM
 To: 'Nick Leverton'; Spamassassin-Talk (E-mail)
 Subject: RE: scan times up!
 
 
 
 -Original Message-
 From: Nick Leverton [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 01, 2004 6:49 AM
 To: Spamassassin-Talk (E-mail)
 Subject: Re: scan times up!
 
 
 On Thu, Sep 30, 2004 at 05:10:27PM -0400, Chris Santerre wrote:
  Well...
 
  ver    avg scan time
  2.4x   2.7 seconds
  3.0    30.4 seconds
 
  OH MY! Network test :)
 
  Any longer and I might just be doing greylisting by accident. ;)
 
 Have you got a local (on-site, preferably on-machine) DNS cache ?
 This makes a lot of difference to the DNS-based network tests (which
 is to say, most of them).  One mail probably won't see much
difference,
 but when the next one comes in, many of its lookups are
 already cached :)
 
 
 This is also on my list of TTD. I'm running on some very old iron as
well.
 The 5 children might be bothering the system a little. I may reduce
that.
 
 I'll post some feedback if my users ever let me get back to it :)
 
 --Chris


RE: Bayes not working

2004-09-29 Thread Gary Smith
BTW, something else to keep in mind.  There is a gotcha for sa-learn.
If you happened to be logged in as root when training then the journal
file is owned by root and SA can no longer write entries in bayes.  Check the
ownership of the file.  If it's not owned by the same user.group as SA
needs then change it.

Gary

 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, September 29, 2004 11:02 AM
 To: Robert Leonard; users@spamassassin.apache.org
 Subject: Re: Bayes not working
 
 At 01:49 PM 9/29/2004, Robert Leonard wrote:
   I've deleted all my bayes databases and am trying to start the
database
  from scratch.. I auto-learn..
 
 For some reason SA sees 8 spams in the database but won't learn any
 more...
 
 What files does bayes need?  I have the bayes_toks and bayes_seen
files,
 but nothing more..
 
 That's all it needs. Sometimes it makes a journal file, but that
 eventually
 gets re-synched into the toks file and deleted.
 
 
 Below is the part of the lint that seems to imply it is attaching...
But
 I have received numerous spams scoring above my 20 point threshold
since
 starting up SA this morning..
 
 Just because the email scored 20 points doesn't mean it's above a
learning
 threshold of 20 points.
 
 Bear in mind that autolearning isn't based on the final email score,
it's
 based on a recomputed score that's calculated with bayes disabled,
 including scoreset change, and with any userconf rules disabled. It
also
 won't autolearn anything as spam unless it has 3.0 worth of header AND
3.0
 of body, regardless of total score. It also tries not to learn
anything
 that strongly contradicts existing learning.
 
 Really, I'd shy away from auto-learn only if possible. Even if you
only
 manually train a small amount of mail at the start and let it
autolearn
 from then forward you're likely to get a much better bayes database.
 



RE: Spammers using my server

2004-09-27 Thread Gary Smith
You can alternatively tell the SMTP proxy to deny anything from your
internal network except from individual machines (such as your RH 3 mail
server). 

We also limit who can hit the DMZ perimeter SMTP servers at the firewall
level.  Therefore only the Exchange servers (in our case) or our client
postfix servers can forward out through our SMTP proxies.  

Gary

-Original Message-
From: jdow [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 24, 2004 9:21 AM
To: users@spamassassin.apache.org
Subject: Re: Spammers using my server

Some system on your internal network is owned by a hacker network. It
is time to clean all your windows machines COMPLETELY of viruses.

{^_^}
- Original Message - 
From: Jay Ehrhart [EMAIL PROTECTED]


 This morning I had over 7000 emails in my Linux server's outbound
queue
 which I deleted.  My firewall log shows over 20,000 emails went out
with a
 SunTrust bank announce saying to login and enter your username and
password.
 I do not see the emails coming in like I would in a relay.  How can I
stop
 this or how are they doing this?

 My firewall uses an SMTP proxy and only allows my domain in.  I run
 MailScanner on my Red Hat 3.0 mail server with Sendmail.  The box has
the
 latest patches from Red Hat.  I have Sendmail set up to accept only my
 domain email.

 The non-deliverable reports are coming from my Linux apache user.
 Non-deliverables usually come from root.  I am running apache on the
server
 with forms.  The forms software is the latest version and patches.

 Can anybody help on this?

 Thanks,
 Jay






RE: What the Hell? Fw: Mail delivery failed: returning message to sender

2004-09-21 Thread Gary Smith
Which is where the conversation originally started :).  I have a PDA phone that 
I used but I cannot send out email through earthlink in the matter discussed.  
So I send it through my own service (which is on a leased line from Earthlink). 
 I use pop-before-smtp which has been working reliably.  I could use SMTP auth 
but it's just simpler this way.  
 
 



From: snowjack [mailto:[EMAIL PROTECTED]
Sent: Tue 9/21/2004 1:13 PM
To: users@spamassassin.apache.org
Subject: Re: What the Hell? Fw: Mail delivery failed: returning message to 
sender



It is more likely that some clueless Earthlink customer screwed up,
misconfigured some DSBL software setup, and accidentally got their own
mail relay listed.




RE: EIP in 3.0 rc5 on FC2

2004-09-17 Thread Gary Smith
I had similar problems, not related to SA though, and found that the mm 
application was trying to allocate randomly high memory locations.  Turned out 
to be a bad memory chip.  Using the Fedora core 2 boot disk I did a 
memtest86...  Might be worth the extra hour...



From: jeff jones [mailto:[EMAIL PROTECTED]
Sent: Fri 9/17/2004 8:04 AM
To: users@spamassassin.apache.org
Subject: EIP in 3.0 rc5 on FC2



Hello all, I was wondering if someone can help me out? 3.0 RC1 was real
stable for me. Should I downgrade or do I need to update additional
software. This machine is RH FC2 with all security updates, and patches.

Thanks,
Jeff


Sep 16 15:23:21 mail1 kernel: [ cut here ]
Sep 16 15:23:21 mail1 kernel: kernel BUG at mm/rmap.c:410!
Sep 16 15:23:21 mail1 kernel: invalid operand:  [#1]
Sep 16 15:23:21 mail1 kernel: Modules linked in: wcfxo(U) wcfxs(U)
zaptel(U) crc_ccitt ip_conntrack_irc ip_nat_ftp ip_conntrack_ftp
ipt_state ipt_multiport ipt_esp ipt_ah ipt_TOS ipt_tcpmss ipt_mark
ipt_REJECT ipt_owner ipt_MASQUERADE ipt_limit ipt_LOG iptable_nat
iptable_mangle iptable_filter ip_tables ip_conntrack md5 ipv6 e1000
dm_mod uhci_hcd ehci_hcd button battery asus_acpi ac ext3 jbd ata_piix
sata_promise libata sd_mod scsi_mod
Sep 16 15:23:21 mail1 kernel: CPU:0
Sep 16 15:23:21 mail1 kernel: EIP:0060:[0215464a]Not tainted
Sep 16 15:23:21 mail1 kernel: EFLAGS: 00010246   (2.6.8-1.521)
Sep 16 15:23:21 mail1 kernel: EIP is at page_remove_rmap+0x17/0x8f
Sep 16 15:23:21 mail1 kernel: eax: 2002006c   ebx: 03971d60   ecx:
03f71d40   edx: 03971d60
Sep 16 15:23:21 mail1 kernel: esi:    edi: 2000   ebp:
3a0f415c   esp: 2182dbfc
Sep 16 15:23:21 mail1 kernel: ds: 007b   es: 007b   ss: 0068
Sep 16 15:23:21 mail1 kernel: Process spamd (pid: 8465,
threadinfo=2182d000 task=754e60b0)
Sep 16 15:23:21 mail1 kernel: Stack: 0214d1c2 4b8eb005 3000 00855000
023c9cf4 00855000 00858000 3513f00c
Sep 16 15:23:21 mail1 kernel:023c9cf4 0214d25f 3000 
00855000 3513f00c 00858000 023c9cf4
Sep 16 15:23:21 mail1 kernel:0214d2b6 3000  2182dca4
00855000 36f6da50 00858000 0214d3c1






RE: [SARE] Some SARE spam.

2004-09-16 Thread Gary Smith
BTW, if your open source project happened to have an NPO license from the
state for which it holds a license to conduct business (yes, I know it's
an oxymoron) which isn't hard to get then yes, donations would be a tax
write off...

Gary

 -Original Message-
 From: Chris Santerre [mailto:[EMAIL PROTECTED]
 Sent: Thursday, September 16, 2004 6:37 AM
 To: Spamassassin-Talk (E-mail)
 Subject: [SARE] Some SARE spam.
 
 Greetings Spamfighters.
 
 This is the only time I'll mention this. I, yes I, requested a paypal
 donate button for SARE. I put it up on the homepage of SARE. I wanted
this
 just because our host has been very good to us, and put up with quite
a
 lot
 of traffic :) They Never asked for anything. Not even a mention, which
I
 will do.
 
 Nxtek, for all your hosting needs! www.nxtek.net/
 NO I don't know the cute girl's name on their page. They won't tell
me! :)
 
 
 So anywho, this doesn't go to my Nvidia 6800 or Dodge viper slush
funds. I
 spent that on an ice coffee yesterday. Anything you donate goes to our
 host.
 And NO, you don't have to donate anything to use SARE.
 
 If you do donate, make it odd amounts. Like they all end in 37 cents.
Just
 to drive them silly ;)
 
 Does anyone else seriously think that donating to a open source
project
 should be a tax write off? Or am I the only one??? Would a project
have to
 become a non profit? I just see sooo many people donating things to
open
 source, they should at least get a tax break. I mean, I can work in a
soup
 kitchen and get a write off for my time, but spending hours fighting
spam
 for the world? The SA devs shouldn't have to ever pay taxes ;)
 
 Chris Santerre
 System Admin and SARE Ninja
 http://www.rulesemporium.com
 http://www.surbl.org
 'It is not the strongest of the species that survives,
 not the most intelligent, but the one most responsive to change.'
 Charles Darwin


RE: [SARE] Some SARE spam.

2004-09-16 Thread Gary Smith
She looks like the girl from CSI except blonde.  Then again, her eyebrows 
aren't!



From: Jim Maul [mailto:[EMAIL PROTECTED]
Sent: Thu 9/16/2004 8:32 AM
To: users@spamassassin.apache.org
Subject: Re: [SARE] Some SARE spam.



Quoting Chris Santerre [EMAIL PROTECTED]:

 Greetings Spamfighters.

 This is the only time I'll mention this. I, yes I, requested a paypal
 donate button for SARE. I put it up on the homepage of SARE. I wanted this
 just because our host has been very good to us, and put up with quite a lot
 of traffic :) They Never asked for anything. Not even a mention, which I
 will do.

 Nxtek, for all your hosting needs! www.nxtek.net/
 NO I don't know the cute girl's name on their page. They won't tell me! :)


Personally i like her better

http://www.relaycom.com/rcanswer.html

But i just got a thing for blondes...

-Jim




RE: [TopPost] RE: [SA-LIST] RE: Subject line

2004-09-15 Thread Gary Smith
Who said necrophilia is dead?  You wouldn't have to worry about her complaining 
about all of the time that you spend on computers or the amount of spam she 
gets when you don't (gotta love that double edged blade).
 



From: Jim Maul [mailto:[EMAIL PROTECTED]
Sent: Tue 9/14/2004 5:02 PM
To: users@spamassassin.apache.org
Subject: Re: [TopPost] RE: [SA-LIST] RE: Subject line

Like dirt nap gone?  In that case nevermind.




RE: Unreasonable penalty for AOL addresses ending in numbers?

2004-09-09 Thread Gary Smith
Write a custom rule to reduce it when it's from AOL.  As for the recommendation 
that you use numbers in your name so it's unique...  That's stupid.  
 
[EMAIL PROTECTED] sounds like a spammer to me!  
Subject of RE: Equipment...  No spam sounding there.  The combination together 
probably didn't help the bayes scoring much.   
 
Gary Smith
[EMAIL PROTECTED]



From: Pierre Thomson [mailto:[EMAIL PROTECTED]
Sent: Wed 9/8/2004 5:38 AM
To: users@spamassassin.apache.org
Subject: Unreasonable penalty for AOL addresses ending in numbers?



I have had a couple of FP's recently from valid AOL users.  AOL recommends 
appending digits to your screen name to make it unique, and many users do that. 
 The result (sender using AOL 9.0 client, SA 2.63) is a penalty of 6.39 points 
right off the bat.  Isn't that a bit extreme?

Pierre Thomson
BIC


Received: from imo-m15.mx.aol.com (imo-m15.mx.aol.com [64.12.138.205])
by mail1.domain.com (8.11.6/8.11.6) with ESMTP id i882gcu10544
for [EMAIL PROTECTED]; Tue, 7 Sep 2004 22:42:38 -0400
Received: from [EMAIL PROTECTED]
by imo-m15.mx.aol.com (mail_out_v37_r3.4.) id 4.13c.83038c (3972)
 for [EMAIL PROTECTED]; Tue, 7 Sep 2004 22:42:29 -0400 (EDT)
From: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Date: Tue, 7 Sep 2004 22:42:29 EDT
Subject: Re: Equipment
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary=-1094611349
X-Mailer: 9.0 for Windows sub 5112
X-Local-MailScanner-Information: See www.mailscanner.info for information
X-Local-MailScanner: Found to be clean
X-Local-MailScanner-SpamCheck: spam, SpamAssassin (score=6.651, required 6,
ADDR_NUMS_AT_BIGSITE 2.70, BAYES_40 -0.00, FROM_ENDS_IN_NUMS 0.99,
FROM_WEBMAIL_END_NUMS6 2.70, HTML_MESSAGE 0.10, NO_REAL_NAME 0.16)
X-MailScanner-From: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 08 Sep 2004 02:42:45.0517 (UTC) 
FILETIME=[8554E3D0:01C4954D]
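
An added example (not part of the original posts): a parser for the `X-Local-MailScanner-SpamCheck` header value quoted above, used to check the 6.39-point figure and to see what the message would have scored without the digit-related rules. The header text is copied from the message; the function names and the "rule name contains NUMS" selector are assumptions made for this example.

```python
import re

# Header value exactly as it appears in the quoted message (folded lines kept).
HEADER = """spam, SpamAssassin (score=6.651, required 6,
 ADDR_NUMS_AT_BIGSITE 2.70, BAYES_40 -0.00, FROM_ENDS_IN_NUMS 0.99,
 FROM_WEBMAIL_END_NUMS6 2.70, HTML_MESSAGE 0.10, NO_REAL_NAME 0.16)"""

_OUTER = re.compile(
    r"\(score=(-?[\d.]+),\s*required\s+(-?[\d.]+),\s*(.*)\)", re.S)
_RULE = re.compile(r"([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)")

def parse_spamcheck(value):
    """Return (score, required, {rule: points}) from a SpamCheck header value."""
    m = _OUTER.search(value)
    if m is None:
        raise ValueError("not a MailScanner SpamCheck value with a score list")
    rules = {name: float(points) for name, points in _RULE.findall(m.group(3))}
    return float(m.group(1)), float(m.group(2)), rules

def what_if(value, drop=lambda name: "NUMS" in name):
    """Recompute the verdict with the rules selected by `drop` removed."""
    score, required, rules = parse_spamcheck(value)
    penalty = sum(p for n, p in rules.items() if drop(n))
    remaining = sum(p for n, p in rules.items() if not drop(n))
    return {
        "dropped": sorted(n for n in rules if drop(n)),
        "penalty": round(penalty, 2),
        "remaining": round(remaining, 2),
        "was_spam": score >= required,
        "would_be_spam": remaining >= required,
    }

if __name__ == "__main__":
    score, required, rules = parse_spamcheck(HEADER)
    # The listed points are rounded to two decimals, so their sum (6.65)
    # differs slightly from the reported score (6.651).
    print("reported", score, "sum of listed rules", round(sum(rules.values()), 2))
    print(what_if(HEADER))
```

The three digit-related rules account for 6.39 of the 6.651 points, which on their own exceed the required score of 6; the remaining rules add up to 0.26.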




RE: ANNOUNCE: ApacheCon US 2004 (SpamAssassin Sessions!)

2004-09-08 Thread Gary Smith
Since no one else is offering I guess I'll go with you...  Do you know if they 
allow air horns?
 
BTW, I got a free hat at Linux world that says Linux Rocks by the guy at the 
door because the hat I was wearing had a penguin with his head blown off...  He 
said it was Inpropriate (not a misspelling, he just couldn't talk).  Though 
they were giving away hats everywhere I thought it was funny because everyone 
else had to buy the Linux Rocks.
 
You buy the tickets, I'll get the hotel room.
 
Gary



From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Wed 9/8/2004 7:35 AM
To: users@spamassassin.apache.org
Subject: RE: ANNOUNCE: ApacheCon US 2004 (SpamAssassin Sessions!)





-Original Message-
From: Daniel Quinlan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 07, 2004 4:05 PM
To: users@spamassassin.apache.org
Subject: ANNOUNCE: ApacheCon US 2004 (SpamAssassin Sessions!)


ApacheCon US 2004

  Alexis Park Resort
  Las Vegas, Nevada, USA
  13-17 November 2004

  The Apache Software Foundation invites you to ApacheCon U.S. 2004.

  The only sure thing in Las Vegas


OOohh! Who wants to go with me and heckle the speakers?! ;)

--Chris (I joke because I love)




RE: ANNOUNCE: ApacheCon US 2004 (SpamAssassin Sessions!)

2004-09-08 Thread Gary Smith
Correction, Rooms...  My wife might get a little confused if she reads that 
one! :)
 
Gary



From: Gary Smith [mailto:[EMAIL PROTECTED]
Sent: Wed 9/8/2004 2:16 PM
To: Chris Santerre; users@spamassassin.apache.org
Subject: RE: ANNOUNCE: ApacheCon US 2004 (SpamAssassin Sessions!)



Since no one else is offering I guess I'll go with you...  Do you know if they 
allow air horns?

BTW, I got a free hat at Linux world that says Linux Rocks by the guy at the 
door because the hat I was wearing had a penguin with his head blown off...  He 
said it was Inpropriate (not a misspelling, he just couldn't talk).  Though 
they were giving away hats everywhere I thought it was funny because everyone 
else had to buy the Linux Rocks.

You buy the tickets, I'll get the hotel room.

Gary



From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Wed 9/8/2004 7:35 AM
To: users@spamassassin.apache.org
Subject: RE: ANNOUNCE: ApacheCon US 2004 (SpamAssassin Sessions!)





-Original Message-
From: Daniel Quinlan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 07, 2004 4:05 PM
To: users@spamassassin.apache.org
Subject: ANNOUNCE: ApacheCon US 2004 (SpamAssassin Sessions!)


ApacheCon US 2004

  Alexis Park Resort
  Las Vegas, Nevada, USA
  13-17 November 2004

  The Apache Software Foundation invites you to ApacheCon U.S. 2004.

  The only sure thing in Las Vegas


OOohh! Who wants to go with me and heckle the speakers?! ;)

--Chris (I joke because I love)