Re: How to get rid of spam with From spoofed to my own domain

2011-09-12 Thread Jack L. Stone
Date: Sun, 11 Sep 2011 17:02:58 -0700 (PDT)
From: John Hardin jhar...@impsec.org
To: users@spamassassin.apache.org
Subject: Re: How to get rid of spam with From spoofed to my own domain

On Sun, 11 Sep 2011, René Berber wrote:

 On 9/11/2011 3:47 PM, rutra80 wrote:
 
  Hello, lately I receive spam which looks like coming from my domain,
  sometimes it is spoofed like coming from accounts that don't exist, and
  sometimes from the ones that really do. The only SA rule that it triggers is
  Bayesian one, with nearly 100% probability - it assigns 3.5 points, but my
  rejection limit is set to 4.5 and I'm not eager to lower it. What would be
  the most elegant and technically correct way to get rid of the problem?
 
 1. Require authentication.
 
 2. SPF.

 3. If your domain's mail will only ever originate from your MTA, then set
 up your MTA to reject any mail having a From address in your domain
 unless it comes from your trusted network(s).
 John Hardin
-- 

My MTA is Sendmail and I use Milter-Regex which can compare against the
server's proper IP address and reject any that You are not me. Not sure
if this fits your issue, but sounds like it. If not using Sendmail, then
something like milter-regex perhaps.

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american
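
Added example (not part of the original thread, and not milter-regex syntax): a Python version of the policy in point 3 above, rejecting mail whose envelope sender or From header claims a local domain unless the client is authenticated or connects from a trusted network. The domain example.org, the networks, the function names and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this example: the site's own domain and trusted networks.
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Constructed sample messages (not taken from the thread).
SPOOFED = (
    "From: Alice <Alice@EXAMPLE.ORG>\n"
    "To: bob@example.org\n"
    "Subject: invoice\n"
    "\n"
    "hi\n"
)
OUTSIDE = (
    "From: carol@elsewhere.test\n"
    "To: bob@example.org\n"
    "Subject: hello\n"
    "\n"
    "hi\n"
)


def _domain(addr):
    """Lower-cased domain part of an address, or None (e.g. null sender <>)."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def claimed_local_domains(envelope_from, raw_message):
    """Local domains claimed by the envelope sender or any From header."""
    msg = message_from_string(raw_message)
    claimed = {_domain(envelope_from)}
    # get_all() also covers a message carrying more than one From header.
    for _name, addr in getaddresses(msg.get_all("From", [])):
        claimed.add(_domain(addr))
    return sorted(d for d in claimed if d in LOCAL_DOMAINS)


def check_message(client_ip, envelope_from, raw_message, authenticated=False):
    """Return ("accept" | "reject", reason) for one SMTP transaction."""
    ip = ipaddress.ip_address(client_ip)
    # Authenticated submission and trusted networks may use local addresses.
    if authenticated:
        return ("accept", "authenticated submission")
    if any(ip in net for net in TRUSTED_NETS):
        return ("accept", "trusted network")
    spoofed = claimed_local_domains(envelope_from, raw_message)
    if spoofed:
        return ("reject", "untrusted %s claims local domain %s"
                % (client_ip, ", ".join(spoofed)))
    return ("accept", "no local domain claimed")


if __name__ == "__main__":
    for ip, env, raw in [
        ("203.0.113.7", "<x@elsewhere.test>", SPOOFED),
        ("192.0.2.10", "<alice@example.org>", SPOOFED),
        ("203.0.113.7", "<>", OUTSIDE),
    ]:
        print(ip, env, check_message(ip, env, raw))
```

The check only makes sense when no legitimate mail for the domain is relayed in from outside (forwarders, mailing lists, third-party senders); those sources would have to be added to the trusted networks first.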


header issues

2011-01-02 Thread Jack L. Stone
Sorry to have to return to the trough so soon, but still dealing with
issues since recent upgrade of SA. Downgraded but no help there either, so
went back to latest version.

Am using FBSD-7.x with Sendmail and SA-3.3.1_3

Here is the SA headers in an email tagged as spam but got through anyway:
X-Spam-Flag: YES
X-Scanned-By: milter-spamc/1.15.388 (mail.sagedata.net [38.106.15.121]);
Sun, 02 Jan 2011 08:42:43 -0600
X-Spam-Status: YES, hits=11.50 required=4.50
X-Spam-Level: xxx
X-Spam-Report: Content analysis details:   (11.5 points, 4.5 required)

Additionally, in my local.cf file I have tried to manage the X-Spam
headers to exclude the X-Spam_Level, but it's still there contrary to the
config:
X-Spam-Level: xxx

First I tried the remove_header spam Level and didn't change a thing. So,
then went to the extreme and started with the clear_headers config with
add-backs of only those I wanted. Still no joy.

Here's my setup for the headers with an overkill of trying to remove the
Level at the end (by default, SA adds X-Spam-). What have I missed here:

My local.cf
# Remove default headers
clear_headers
add_header all Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
add_header spam Relays-Untrusted _RELAYSUNTRUSTED_
add_header all Relays-Internal _RELAYSINTERNAL_
add_header all Relays-External _RELAYSEXTERNAL_
add_header all Relay-Country _RELAYCOUNTRY_
add_header spam Report _REPORT_
#add_header all Pyzor _PYZOR_
add_header all URICountry _URICountry_
remove_header spam Level

Thanks for any advice for a fix.

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: header issues

2011-01-02 Thread Jack L. Stone
At 04:23 PM 1.2.2011 -0600, Dave Funk wrote:
On Sun, 2 Jan 2011, Jack L. Stone wrote:

 Sorry to have to return to the trough so soon, but still dealing with
 issues since recent upgrade of SA. Downgraded but no help there either, so
 went back to latest version.

 Am using FBSD-7.x with Sendmail and SA-3.3.1_3

 Here is the SA headers in an email tagged as spam but got through anyway:
 X-Spam-Flag: YES
 X-Scanned-By: milter-spamc/1.15.388 (mail.sagedata.net [38.106.15.121]);
 Sun, 02 Jan 2011 08:42:43 -0600
 X-Spam-Status: YES, hits=11.50 required=4.50
 X-Spam-Level: xxx
 X-Spam-Report: Content analysis details:   (11.5 points, 4.5 required)

 Additionally, in my local.cf file I have tried to manage the X-Spam
 headers to exclude the X-Spam_Level, but it's still there contrary to the
 config:
 X-Spam-Level: xxx

 First I tried the remove_header spam Level and didn't change a thing. So,
 then went to the extreme and started with the clear_headers config with
 add-backs of only those I wanted. Still no joy.


The spamassassin header add/remove functionality is all predicated upon
spamassassin being used as a filter element in a mail processing pipeline.
(IE messages are passed to SA (either directly or via spamc) on 
standard-in and the results on std-out are then passed on to the mail 
delivery system. Thus SA can modify the message, adding/removing headers,
wrapping the body etc.)

You are using SA with sendmail & a sendmail-milter (milter-spamc). In that
architecture sendmail hands a -copy- of the message to the milter, the 
milter passes it on to SA, the milter receives the results from SA, and 
the milter then decides what operations it should tell sendmail to perform
on the original message inside sendmail (add/modify/remove headers, accept 
or reject the message, etc).
So the SA header operations (which are written to std-out of SA) do
not have any direct effect on the message as passed thru sendmail.
That is entirely the function of the milter.

You need to look at the documentation (or source code) of the milter
to see what header mods you can make/change.


-- 
Dave Funk  University of Iowa


Hi, Dave.

No, the milter-spamc doesn't change the header in this case. I had
checked on that before. It can tag the subject only and I have that turned
off.

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: header issues

2011-01-02 Thread Jack L. Stone
At 06:29 PM 1.2.2011 -0600, Dave Funk wrote:
On Sun, 2 Jan 2011, Jack L. Stone wrote:

 At 04:23 PM 1.2.2011 -0600, Dave Funk wrote:
 On Sun, 2 Jan 2011, Jack L. Stone wrote:

 Sorry to have to return to the trough so soon, but still dealing with
 issues since recent upgrade of SA. Downgraded but no help there either, so
 went back to latest version.

 Am using FBSD-7.x with Sendmail and SA-3.3.1_3

 Here is the SA headers in an email tagged as spam but got through anyway:
 X-Spam-Flag: YES
 X-Scanned-By: milter-spamc/1.15.388 (mail.sagedata.net [38.106.15.121]);
 Sun, 02 Jan 2011 08:42:43 -0600
 X-Spam-Status: YES, hits=11.50 required=4.50
 X-Spam-Level: xxx
 X-Spam-Report: Content analysis details:   (11.5 points, 4.5 required)

 Additionally, in my local.cf file I have tried to manage the X-Spam
 headers to exclude the X-Spam_Level, but it's still there contrary to the
 config:
 X-Spam-Level: xxx

 First I tried the remove_header spam Level and didn't change a thing. So,
 then went to the extreme and started with the clear_headers config with
 add-backs of only those I wanted. Still no joy.

[snip..]


 Hi, Dave.

 No, the milter-spamc doesn't change the header in this case. I had
 checked on that before. It can tag the subject only and I have that turned
 off.

 Jack

Not sure exactly what header you're referring to when you say 
'milter-spamc doesn't change the header in this case'. I thought you 
were talking about the X-Spam-Level header which milter-spamc -does-
insert. See the first part of the page: 
http://www.snertsoft.com/sendmail/milter-spamc/

Please note that milter-spamc may examine the results stream from SA,
pull out any X-Spam-Level contents, and pass that on to sendmail or it
may choose to fabricate a X-Spam-Level header based upon some criteria
and ignore any X-Spam-Level header that may or may not have been passed
back from SA. In either case the milter must take explicit actions for
a given header to be added to the message.

Having done milter hacking I'm familiar with both of these processes
as well as other fun things that milters can do. ;)

-- 
Dave Funk  University of Iowa

Dave:

Ouch! Right you are about the insertions shown at the top of that page. My
milter-spamc.cf file only contains the options which are managed by a
-option or +option. Since you have hacked it, is there any way to turn
off the X-Spam-Level in milter-spamc?

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american
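
Added example (not from the thread and not milter-spamc's code): a Python model of the milter architecture Dave Funk describes in the two messages above, where SpamAssassin rewrites only a copy of the message and the milter decides which header changes reach the message held by the MTA. The copy list, the rule for fabricating X-Spam-Level and all function names are assumptions; the messages are constructed samples.

```python
import re
from email import message_from_string

# Constructed sample: the message as held by the MTA.
ORIGINAL = (
    "From: a@example.net\n"
    "To: b@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Constructed sample: SA's stdout copy under a local.cf that uses
# clear_headers plus a few add_header lines and emits no Level header.
SA_OUTPUT = (
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=11.5 required=4.5 tests=BAYES_99\n"
    "X-Spam-Report: Content analysis details\n"
    + ORIGINAL
)

SCORE_RE = re.compile(r"(?:score|hits)=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")


def header_list(raw):
    """Return [(name, value), ...] for every header of a raw message."""
    return [(k, str(v)) for k, v in message_from_string(raw).items()]


def sa_added_headers(original, sa_output):
    """Headers present in SA's rewritten copy but not in the original."""
    remaining = header_list(original)
    added = []
    for item in header_list(sa_output):
        if item in remaining:
            remaining.remove(item)
        else:
            added.append(item)
    return added


def milter_actions(original, sa_output, copy_headers, fabricate_level):
    """Header operations a hypothetical milter asks the MTA to perform.

    copy_headers: lower-cased SA header names the milter passes through.
    fabricate_level: if True the milter builds its own X-Spam-Level from
    the score (assumed rule: one 'x' per whole point, capped at 50).
    """
    actions = []
    score = None
    for name, value in sa_added_headers(original, sa_output):
        if name.lower() == "x-spam-status":
            m = SCORE_RE.search(value)
            if m:
                score = float(m.group(1))
        if name.lower() in copy_headers:
            actions.append(("addheader", name, value))
    if fabricate_level and score is not None and score > 0:
        actions.append(("addheader", "X-Spam-Level", "x" * min(int(score), 50)))
    return actions


def deliver(original, actions):
    """Headers of the delivered message after the MTA applies the actions."""
    headers = header_list(original)
    for op, name, value in actions:
        if op == "addheader":
            headers.append((name, value))
    return headers


if __name__ == "__main__":
    acts = milter_actions(ORIGINAL, SA_OUTPUT, {"x-spam-flag"}, True)
    for name, value in deliver(ORIGINAL, acts):
        print("%s: %s" % (name, value))
```

With this policy the delivered message carries an X-Spam-Level that SA never wrote and lacks the X-Spam-Report that SA did write, which is why local.cf header directives alone cannot settle what appears in a milter setup.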


Rules skipped

2010-12-30 Thread Jack L. Stone
I've just caught up with another issue noticed when manually running some
spam through SA.

Perhaps I have an obsolete module - body_500.pm perhaps that's causing this?

Dec 30 08:27:56.192 [10711] dbg: zoom: loading compiled ruleset from /var/db/spamassassin/compiled/5.008/3.003001
Dec 30 08:27:56.228 [10711] dbg: zoom: using compiled ruleset in /var/db/spamassassin/compiled/5.008/3.003001/Mail/SpamAssassin/CompiledRegexps/body_0.pm for Mail::SpamAssassin::CompiledRegexps::body_0
Dec 30 08:27:56.232 [10711] dbg: zoom: skipping rule __BACK_SCRATCH, code differs in compiled ruleset
Dec 30 08:27:56.233 [10711] dbg: zoom: skipping rule __DORMANT_ACCT, code differs in compiled ruleset
Dec 30 08:27:56.235 [10711] dbg: zoom: skipping rule FB_V_SPACE_GRA, code differs in compiled ruleset
Dec 30 08:27:56.235 [10711] dbg: zoom: skipping rule __DECEASED, code differs in compiled ruleset
Dec 30 08:27:56.236 [10711] dbg: zoom: skipping rule __EX_CUSTOMER, code differs in compiled ruleset
Dec 30 08:27:56.237 [10711] dbg: zoom: skipping rule __WILL_LEGAL, code differs in compiled ruleset
Dec 30 08:27:56.241 [10711] dbg: zoom: skipping rule __CONTACT_YOU, code differs in compiled ruleset
Dec 30 08:27:56.242 [10711] dbg: zoom: skipping rule __LUCRATIVE, code differs in compiled ruleset
Dec 30 08:27:56.243 [10711] dbg: zoom: skipping rule __HUSH_HUSH, code differs in compiled ruleset
Dec 30 08:27:56.244 [10711] dbg: zoom: able to use 1181/1310 'body_0' compiled rules (90.152%)
Dec 30 08:27:56.258 [10711] dbg: zoom: using compiled ruleset in /var/db/spamassassin/compiled/5.008/3.003001/Mail/SpamAssassin/CompiledRegexps/body_500.pm for Mail::SpamAssassin::CompiledRegexps::body_500
Dec 30 08:27:56.258 [10711] dbg: zoom: able to use 1/1 'body_500' compiled rules (100%)

Thanks for any guidance on this one.

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Rules skipped

2010-12-30 Thread Jack L. Stone
TOP POST correction

Ooops! that module body_0.pm not body_500.pm

Jack

At 08:33 AM 12.30.2010 -0600, Jack L. Stone wrote:
I've just caught up with another issue noticed when manually running some
spam through SA.

Perhaps I have an obsolete module - body_500.pm perhaps that's causing this?

Dec 30 08:27:56.192 [10711] dbg: zoom: loading compiled ruleset from /var/db/spamassassin/compiled/5.008/3.003001
Dec 30 08:27:56.228 [10711] dbg: zoom: using compiled ruleset in /var/db/spamassassin/compiled/5.008/3.003001/Mail/SpamAssassin/CompiledRegexps/body_0.pm for Mail::SpamAssassin::CompiledRegexps::body_0
Dec 30 08:27:56.232 [10711] dbg: zoom: skipping rule __BACK_SCRATCH, code differs in compiled ruleset
Dec 30 08:27:56.233 [10711] dbg: zoom: skipping rule __DORMANT_ACCT, code differs in compiled ruleset
Dec 30 08:27:56.235 [10711] dbg: zoom: skipping rule FB_V_SPACE_GRA, code differs in compiled ruleset
Dec 30 08:27:56.235 [10711] dbg: zoom: skipping rule __DECEASED, code differs in compiled ruleset
Dec 30 08:27:56.236 [10711] dbg: zoom: skipping rule __EX_CUSTOMER, code differs in compiled ruleset
Dec 30 08:27:56.237 [10711] dbg: zoom: skipping rule __WILL_LEGAL, code differs in compiled ruleset
Dec 30 08:27:56.241 [10711] dbg: zoom: skipping rule __CONTACT_YOU, code differs in compiled ruleset
Dec 30 08:27:56.242 [10711] dbg: zoom: skipping rule __LUCRATIVE, code differs in compiled ruleset
Dec 30 08:27:56.243 [10711] dbg: zoom: skipping rule __HUSH_HUSH, code differs in compiled ruleset
Dec 30 08:27:56.244 [10711] dbg: zoom: able to use 1181/1310 'body_0' compiled rules (90.152%)
Dec 30 08:27:56.258 [10711] dbg: zoom: using compiled ruleset in /var/db/spamassassin/compiled/5.008/3.003001/Mail/SpamAssassin/CompiledRegexps/body_500.pm for Mail::SpamAssassin::CompiledRegexps::body_500
Dec 30 08:27:56.258 [10711] dbg: zoom: able to use 1/1 'body_500' compiled rules (100%)

Thanks for any guidance on this one.

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american



(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Rules skipped

2010-12-30 Thread Jack L. Stone
At 03:53 PM 12.30.2010 +0100, Benny Pedersen wrote:
On Thu 30 Dec 2010 15:45:10 CET, Jack L. Stone wrote

 Ooops! that module body_0.pm not body_500.pm

yes sa-compiles pt priority rules

body foo /foo/
priority foo 500
body bar /bar/
priority bar 100

when no priority 0 is used

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Thanks! All lints out okay now.

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Issuing rollback DBI Mysql

2010-12-27 Thread Jack L. Stone
At 11:43 PM 12.26.2010 +0100, Karsten Bräckelmann wrote:
On Sat, 2010-12-25 at 09:04 -0600, Jack L. Stone wrote:
 At 09:07 AM 12.24.2010 -0600, Jack L. Stone wrote:

 Guess I'm the only one with this issue or was it an ignorant question?

Guess you're a little bit impatient, bumping your question after 24
hours, given the date and it being holiday season for quite a few folks
on this list... ;)



You must be really busy minding everyone's business.

If you don't know an answer, then let things pass. The other members can
take care of themselves I suspect.

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Issuing rollback DBI Mysql

2010-12-27 Thread Jack L. Stone
At 12:19 PM 12.27.2010 -0500, Michael Scheidell wrote:
On 12/27/10 12:14 PM, Jack L. Stone wrote:
 At 11:43 PM 12.26.2010 +0100, Karsten Bräckelmann wrote:

 You must be really busy minding everyone's business.

 If you don't know an answer, then let things pass. The other members can
 take care of themselves I suspect.

 Jack
he is the moderator of this list and was trying to help you.

you will get exactly what you paid for when you installed spamassassin.

or, are you new to opensource software and support?

Michael Scheidell, CTO

I moderate lists as well which are global and very technical in science,
but would never admonish any member for asking a question unless it was
offensive. Don't think mine was.

Been using SA and Unix for many years which has nothing to do with my
question. I figured I should just ignore Karsten's useless reply. I could
see I wasn't going to get an answer. This whole thing is so minor but I
guess entertaining to some.

Forget I asked

Jack


(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Issuing rollback DBI Mysql

2010-12-27 Thread Jack L. Stone
At 12:54 PM 12.27.2010 -0500, David F. Skoll wrote:
On Mon, 27 Dec 2010 12:46:39 -0500
Jason Bertoch ja...@i6ix.com wrote:

 Dec 24 08:54:05 mail spamd[24172]: Issuing rollback() due to DESTROY
 without explicit disconnect() of DBD::mysql::db handle
 bayes:127.0.0.1:3306
 at /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/Bayes.pm
 line 1516, GEN140 line 2.

 Sounds like a timeout with mysql.

I don't think so.  That message typically comes about when a DBI database
handle goes out of scope without disconnect() having been called.

It's probably harmless, but it does indicate carelessness in the Perl
code.

Regards,

David.


David:

That was also one of my thoughts but noticed (as I recall) that the
Bayes.pm module has been the same code on that line for a while. It does
sound like a disconnect flaw, and I may experiment with adding a disconnect
on the offending line.

Thanks for the helpful input!

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Issuing rollback DBI Mysql

2010-12-27 Thread Jack L. Stone
At 01:34 PM 12.27.2010 -0500, David F. Skoll wrote:
On Mon, 27 Dec 2010 12:25:28 -0600
Jack L. Stone ja...@sage-american.com wrote:

 I don't think so.  That message typically comes about when a DBI
 database handle goes out of scope without disconnect() having been
 called.

 That was also one of my thoughts but noticed (as I recall) that the
 Bayes.pm module has been the same code on that line for a while. It
 does sound like a disconnect flaw, and I may experiment with adding a
 disconnect on the offending line.

Well, the line where the error gets reported might not be the real
location of the problem.  That's certainly where $self goes out of
scope, but the caller should be hanging on to a reference to avoid the
DBI handle's destruction.

I tried reading the SpamAssassin code, but I gave up after a while.
It's pretty convoluted.  Makes me pine for the relative simplicity
of the Sendmail source. :) [OUCH]

Regards,

David


David:

We're on the same page as I wondered what other snakes might bite me later
by tampering with that line. Don't think it would be fatal though to do
some tinkering or not.

This is no doubt found in the logs of many others and hoped it would draw
attention to a qualified fix by an expert. OTOH, thought it might just be
my install although I've installed & configured versions going back several
years without the MySQL prob. SA has served me well.

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Anti-Perl rant (was Re: Issuing rollback DBI Mysql)

2010-12-27 Thread Jack L. Stone
At 02:26 PM 12.27.2010 -0500, David F. Skoll wrote:
On Mon, 27 Dec 2010 11:16:23 -0800
Ted Mittelstaedt t...@ipinc.net wrote:

 Larry Wall never envisioned the octopus monstrosity that Perl has
 become.

Um.

Just because you can write overly-complex slow Perl code doesn't mean that
all Perl code is necessarily overly-complex or slow.

 Not that I am unhappy with the existence of SA but anyone who uses it
 must understand that an enormous amount of CPU power is wasted on SA
 merely due to the inefficiency of it being written in Perl.

While Perl is part of the problem, a lot of the problem is SA itself
and some of it is simply the nature of content-based anti-spam
techniques... slinging around regexes, normalizing HTML, extracting
URLs sanely, extracting Bayes tokens, etc. is going to be slow no
matter how you do it.

Regards,

David.


In my case a very small percentage of mail actually reaches SA because of
several filters in front of it. Sendmail, Regex-milter, Greylist-milter,
and other milters catch most of the truly bad stuff, and then hands off
finally to SA. Thus, my server load is not so bad now. It used to be heavy
indeed before adding the front filters.

Jack


(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Issuing rollback DBI Mysql

2010-12-25 Thread Jack L. Stone
At 09:07 AM 12.24.2010 -0600, Jack L. Stone wrote:

Top post:

Guess I'm the only one with this issue or was it an ignorant question?

Jack

Using:
FBSD-7.x
p5-Mail-SpamAssassin-3.3.1_3
perl-5.8.9_3
mysql-server-5.0.90

I'm getting a lot of these error messages from the perl module Bayes.pm.
The SA archives or google shows very little useful  about it. Can anyone
help? AFAIK, only started with upgrade to SA-3.3.

Dec 24 08:54:05 mail spamd[24172]: Issuing rollback() due to DESTROY
without explicit disconnect() of DBD::mysql::db handle bayes:127.0.0.1:3306
at /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/Bayes.pm
line 1516, GEN140 line 2.

Thanks for any suggestions

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american



(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Issuing rollback DBI Mysql

2010-12-24 Thread Jack L. Stone
Using:
FBSD-7.x
p5-Mail-SpamAssassin-3.3.1_3
perl-5.8.9_3
mysql-server-5.0.90

I'm getting a lot of these error messages from the perl module Bayes.pm.
The SA archives or google shows very little useful  about it. Can anyone
help? AFAIK, only started with upgrade to SA-3.3.

Dec 24 08:54:05 mail spamd[24172]: Issuing rollback() due to DESTROY
without explicit disconnect() of DBD::mysql::db handle bayes:127.0.0.1:3306
at /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/Bayes.pm
line 1516, GEN140 line 2.

Thanks for any suggestions

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Capture -D --lint output

2008-09-12 Thread Jack L. Stone
At 03:16 PM 9.11.2008 +0200, Mariusz Kruk wrote:
On Thu, 2008-09-11 at 15:06 +0200, John Wilcock wrote:
 No need for that attitude, we were all newbies once...

Sorry, wasn't meant as an insult or anything like that. Was more like
surprised because I really didn't understand the problem.

 It wouldn't have taken any longer to give the actual solution:
 
 spamassassin -D --lint 2>&1 | grep database

Unless, of course, you're using another shell.
I'd send the original asker to man page of his shell anyway. To read
about input/output redirection. It can be quite useful in many other
cases.

-- 

Sorry to be a bother on this again, it is the shell issue. Is anyone
running the csh (or tcsh) shell and know what the syntax should be to make
this work? It works in the Bourne shell (sh). I've read the man pages on the
shells but no joy with various efforts:

(this is sh) spamassassin -D --lint 2>&1 | grep database
(what for csh?) spamassassin -D --lint ?commands?

Thanks again,
Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Capture -D --lint output

2008-09-11 Thread Jack L. Stone
Folks, I'm trying to capture/grep specific given info from the subject
output, like this:

#spamassassin -D --lint | grep database

I KNOW that doesn't work, but describes my issue at hand. I've spent an
hour+ searching for others with this same question without success. I
remember this being posted on this list apprx 2 years ago and I can't find
it now.

Piping and grepping is easy to grab on other commands, but this one escapes
me.

Appreciate any help.

Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Capture -D --lint output

2008-09-11 Thread Jack L. Stone
At 03:16 PM 9.11.2008 +0200, Mariusz Kruk wrote:
On Thu, 2008-09-11 at 15:06 +0200, John Wilcock wrote:
 No need for that attitude, we were all newbies once...

Sorry, wasn't meant as an insult or anything like that. Was more like
surprised because I really didn't understand the problem.

 It wouldn't have taken any longer to give the actual solution:
 
 spamassassin -D --lint 2>&1 | grep database

Unless, of course, you're using another shell.
I'd send the original asker to man page of his shell anyway. To read
about input/output redirection. It can be quite useful in many other
cases.

-- 
  Kruk@ -\   | Microsoft Office 2000: Your IQ goes up

Yes, it was the shell csh I use. Tried sh and the suggested redirects
work fine.

Thanks
Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Why doesn't Spamassassin bounce spam?

2007-06-17 Thread Jack L. Stone

 I can
tell you reliably that I will crawl through the wires back to the MTA
that bounced back to me and rip the CPU out of the hard drive. And if
the operator is nearby I will rip his heart out through his mouth.

{o.o}   Joanne hates idiots who bounce and thus commit joe jobs.
'Nuf said? 

H, I could be a false-positive idiot. I'd better create another special
filter and call it the ex-wife filter. (:-))

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Freebsd Port of SA 3.2.1

2007-06-13 Thread Jack L. Stone
At 10:47 PM 6.12.2007 -0400, Michael Scheidell wrote:
If anyone wants a 'pre release' of the Freebsd sa 3.2.1 portfile, you
can download it here:

http://www.secnap.com/downloads/sa321.tgz

Instructions: rm everything in /usr/ports/mail/p5-Mail-SpamAssassin,
untar above there, make or portupgrade it.

Some dependencies that have not been committed to freebsd ports are also
needed.

One I just stumbled upon, for anyone using Mail::SPF:  in SA INSTALL
doc:

If using Mail::SPF note that NetAddr::IP (required by Mail::SPF)
versions up to and including version 4.006 include a bug that will
slow down the entire perl interpreter.  NetAddr::IP version 4.007 or
later fixes this.

(freebsd ports still has 4.004, but here are patches against
../ports/net-mgmt/p5-NetAddr-IP)
You need these patches in /usr/ports/net-mgmt/p5-NetAddr-IP
http://www.secnap.com/downloads/netaddrip.patch
See http://www.freebsd.org/cgi/query-pr.cgi?pr=113638

Also, you need patches for re2c =.12.0 (ports has .11.1), Razor 
2.8.2_1 (ports has 2.8.2)
http://www.secnap.com/downloads/re2c.tgz (ports package, clean out
../ports/devel/re2c and untar this)
See: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112501


If you use Razor, you should update it:
http://www.secnap.com/downloads/razor.patch (patches against
../ports/mail/razor-agents)
see http://www.freebsd.org/cgi/query-pr.cgi?pr=112522

Anyone with freebsd and want to see something (universal!, not site
specific), send me an explanation of what it is, what it does, and if
you include that and patches against the current 3.2.0, it will likely
be included in freebsd 3.2.1 port since I am the official ports
maintainer.
(note: thanks jimmy  I have included the libspamc* support as you
requested in 
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/106441


-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts:
http://www.secnap.com/news
 

Michael: Many thanks for your upgrade to the port.

I am using FBSD-6.2 amd64 and ran into this problem when running make:
 bunch of other stuff all okay
stopped here:
Manifying blib/man3/Mail::SpamAssassin::Plugin::RelayCountry.3
make -f spamc/Makefile spamc/libspamc.so
gcc -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c
spamc/utils.c  -o spamc/libspamc.so -shared  -L/usr/local/lib -lz
/usr/bin/ld: /var/tmp//cchaPM1S.o: relocation R_X86_64_32 can not be used
when making a shared object; recompile with -fPIC
/var/tmp//cchaPM1S.o: could not read symbols: Bad value
*** Error code 1

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Body_x.pm errors

2007-05-27 Thread Jack L. Stone
I have just upgraded to SA-3.2 running on FBSD-6.2.

I noticed a while back there was some discussions about errors (not
warnings) about the upgrade to SA-3.2 vis-a-vis several body_x.pm. I'm
still getting the two shown below and I'm wondering what I missed during my
upgrade. It is true that the 2 .pms are not on my system -- and that
these errors do not prevent spamassassin from starting. The errors are
annoying tho.

I note if I leave loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
commented out in v320.pre, I don't get the errors, nor the feature benefit
either though.

What should I do?

[9036] error: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in
@INC (@INC contains: /var/db/spamassassin/compiled/3.002000
/var/db/spamassassin/compiled/3.002000/auto lib
/usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/5.8.8/BSDPAN
/usr/local/lib/perl5/site_perl/5.8.8/mach /usr/local/lib/perl5/site_perl
/usr/local/lib/perl5/5.8.8/mach /usr/local/lib/perl5/5.8.8) at (eval 1598)
line 1.
[9036] error: Can't locate Mail/SpamAssassin/CompiledRegexps/body_500.pm in
@INC (@INC contains: /var/db/spamassassin/compiled/3.002000
/var/db/spamassassin/compiled/3.002000/auto lib
/usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/5.8.8/BSDPAN
/usr/local/lib/perl5/site_perl/5.8.8/mach /usr/local/lib/perl5/site_perl
/usr/local/lib/perl5/5.8.8/mach /usr/local/lib/perl5/5.8.8) at (eval 1599)
line 1.

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: How to use dnswl.org whitelisting with SA 3.2.0 (quick-fix)

2007-05-07 Thread Jack L. Stone
At 01:46 PM 5.7.2007 +0200, Matthias Leisi wrote:
[Disclosure: I'm involved with the dnswl.org project]

SA 3.2.0 misses one rule to get the actual dnswl.org lookup rules working
(reported in http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5450,
targeted for resolution in 3.2.1).

In order to use dnswl.org lookups already today, add the following to your
local.cf or other appropriate location:

header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted',
'list.dnswl.org.')

For additional information on the project, see http://www.dnswl.org/.

-- Matthias


When I run manual test:
[EMAIL PROTECTED] host 2.0.0.127.list.dnswl.org
...I get
2.0.0.127.list.dnswl.org has address 127.0.10.0
Not return of 127.0.0.2???


(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


RE: ANNOUNCE: Apache SpamAssassin 3.2.0 available

2007-05-07 Thread Jack L. Stone
At 06:45 PM 5.7.2007 +, Duane Hill wrote:
On Mon, 7 May 2007, Jack L. Stone wrote:

 At 04:51 PM 5.7.2007 +, you wrote:
 On Sat, 5 May 2007, Michael Scheidell wrote:

 [SNIP]
 There are a LOT of subtle changes... But for the brave, here is a
 tarball.
 cd /usr/ports/mail/p5-Mail-SpamAssassin
 rm -rf

 Untar this there: http://www.secnap.com/downloads/sa320.tgz

 Just an FYI followup. I have upgraded without any errors. I did notice
 sa-compile is not checked in the config by default. I know it is
 apparently broken.

 After I untar'd the file, I did a 'pkg_info | grep SpamAssassin' to locate
 the name of the currently installed port and followed that up with a
 'portupgrade p5-Mail-SpamAssassin-3.1.8_1'. The port was successfully
 upgraded to 3.2.0. 'SpamAssassin --lint' does not show any errors. Nor are
 there any errors reported in either the messages or maillog log files.

 Now I have to run some mail through to test it out. This is not a
 production server and I want to make sure of no errors before going live.


 Didn't work here:
 ===  Found saved configuration for p5-Mail-SpamAssassin-3.2.0
 ===  Extracting for p5-Mail-SpamAssassin-3.2.0
 = MD5 Checksum OK for Mail-SpamAssassin-3.2.0.tar.gz.
 = SHA256 Checksum OK for Mail-SpamAssassin-3.2.0.tar.gz.
 ===   p5-Mail-SpamAssassin-3.2.0 depends on file: /usr/local/bin/perl5.8.8
 - found
 ===  Patching for p5-Mail-SpamAssassin-3.2.0
 ===   p5-Mail-SpamAssassin-3.2.0 depends on file: /usr/local/bin/perl5.8.8
 - found
 ===  Applying FreeBSD patches for p5-Mail-SpamAssassin-3.2.0
 1 out of 1 hunks failed--saving rejects to sa-learn.raw.rej
 = Patch patch-sa-learn-raw failed to apply cleanly.
 = Patch(es) patch-ImageInfo.pm patch-sa-compile.raw applied cleanly.
 *** Error code 1

 Stop in /usr/ports/mail/p5-Mail-SpamAssassin.
 *** Error code 1

I do not have a patch-sa-learn.raw in 
/usr/ports/mail/p5-Mail-SpamAssassin/files after following instructions 
that Michael Scheidell had given. Your error shows it is doing a patch 
with patch-sa-learn-raw. My guess is you did not get everything removed 
from /usr/ports/mail/p5-Mail-SpamAssassin.

You need to make sure you delete EVERYTHING in 
/usr/ports/mail/p5-Mail-SpamAssassin.


Right you are got it now.

Thanks for the catch!

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


RE: ANNOUNCE: Apache SpamAssassin 3.2.0 available

2007-05-06 Thread Jack L. Stone
At 07:56 AM 5.5.2007 -0400, Michael Scheidell wrote:

 -Original Message-
 From: Jack L. Stone [mailto:[EMAIL PROTECTED] 
 Sent: Friday, May 04, 2007 9:20 AM
 To: Justin Mason; users@spamassassin.apache.org; 
 [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: ANNOUNCE: Apache SpamAssassin 3.2.0 available

 
 Any projection when SA-3.2 will be in the FBSD ports? Sent 
 email to [EMAIL PROTECTED], but bounced back.
 
 Thanks for any news on this

There are a LOT of subtle changes... But for the brave, here is a
tarball.
cd /usr/ports/mail/p5-Mail-SpamAssassin
rm -rf

Untar this there: http://www.secnap.com/downloads/sa320.tgz

(and, yes, I am the official maintainer of the SA port, just want to
test it on a few more systems before submitting it, and sa-compile
doesn't work via ports due to the .11.0 version of re2c)


Many thanks for the reply and add'l info about the new version. I usually
like to jump right on these updates, but methinks I'll hold off a little
longer until it settles down a bit more.

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: ANNOUNCE: Apache SpamAssassin 3.2.0 available

2007-05-04 Thread Jack L. Stone
At 01:43 PM 5.2.2007 +0100, Justin Mason wrote:
Apache SpamAssassin 3.2.0 is now available!  This is the official release,
and contains a significant number of changes and major enhancements --
please use it!

Downloads are available from:
  http://spamassassin.apache.org/downloads.cgi?update=200705021400


Any projection when SA-3.2 will be in the FBSD ports? Sent email to
[EMAIL PROTECTED], but bounced back.

Thanks for any news on this

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: ANNOUNCE: Apache SpamAssassin 3.2.0 available

2007-05-04 Thread Jack L. Stone
At 10:03 AM 5.4.2007 -0700, Doug Barton wrote:
Jack L. Stone wrote:
 At 01:43 PM 5.2.2007 +0100, Justin Mason wrote:
 Apache SpamAssassin 3.2.0 is now available!  This is the official release,
 and contains a significant number of changes and major enhancements --
 please use it!

 Downloads are available from:
  http://spamassassin.apache.org/downloads.cgi?update=200705021400

 
 Any projection when SA-3.2 will be in the FBSD ports? Sent email to
 [EMAIL PROTECTED], but bounced back.
 
 Thanks for any news on this

Well this one got through in any case. :) I haven't maintained spam 
assassin for over 3.5 years however. I'm curious as to why people keep 
thinking that I do ...

Doug


Doug: It's in the SA port pkg-descr file -- guess not being updated.

BTW: I hadn't yet seen the other discussions about the FBSD SA port issues
before asking.

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Re-route spam for all users to a single mailbox?

2007-01-10 Thread Jack L. Stone

On 10 Jan 2007 at 9:35, John D. Hardin wrote:

 On Wed, 10 Jan 2007, JohnKelly wrote:
 
  When installing SpamAssassin, it gave the option to delete spam,
 
 Spamassassin marks, it does NOT dispose. There's some automatic
 infrastructure beyond spamassassin involved here. Can you give us some
 more details about your MTA and how it delivers messages to user
 mailboxes?
 
  Docs didn't seem to explain how to do this, so I'm not sure of
  SpamAssassin can do this or procmail (Linux server).
 
 There's a sample spamassassin procmail script at 
 http://www.impsec.org/~jhardin/antispam/
 

Hi, John: Looked at your stuff with interest, especially the
milter-regex.conf file.

This line: header /Subject/i/[??
...appears to be missing a delimiter on the end /i perhaps? ...or 
anything more should be there and what does it do?

Sorry to shift from the procmail portion

Regards,
Jack L. Stone
System Admin



Re: Re-route spam for all users to a single mailbox?

2007-01-10 Thread Jack L. Stone
On 10 Jan 2007 at 18:21, John D. Hardin wrote:

 On Wed, 10 Jan 2007, Jack L. Stone wrote:
 
  Hi, John: Looked at your stuff with interest, especially the
  milter-regex.conf file.
  
  This line: header /Subject/i/[??
  ...appears to be missing a delimiter on the end /i perhaps?
  ...or anything more should be there and what does it do?
 
 That line has raw high-bit characters in it. It's not too surprising
 that it looks weird, depending on the editor you use, and it may not
 display properly in a browser.
 

Ah yes. Did a wget and opened in a Unix editor and got the high bits. 
Makes sense now.

Thanks!

Regards,
Jack L. Stone
System Admin



Re: SA-Learn Recover to SQL is slow.

2007-01-04 Thread Jack L. Stone
On 3 Jan 2007 at 21:45, Gary V wrote:

 It finally finished the restore.
 
 For the sake of information to help future users
 
 The backup file being used to restore into the new SQL database was
 99MB and took 17hrs to import on my AMD 1.2Ghz machine with 1GB of
 RAM.
 
 Dave
 
 Could be your database was not expiring. Probably a good idea to do a
 --force-expire prior to a backup. Just curious, If you run
 --force-expire now, what does --dump magic look like?
 
 Gary V
 

I'm not seeing any change in this same manner. Nothing changed:
[EMAIL PROTECTED] sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0        253          0  non-token data: nspam
0.000          0       1817          0  non-token data: nham
0.000          0     126548          0  non-token data: ntokens
0.000          0 1161347400          0  non-token data: oldest atime
0.000          0 1167885013          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1167919691          0  non-token data: last expiry atime
0.000          0    5529600          0  non-token data: last expire atime delta
0.000          0      39556          0  non-token data: last expire reduction count


Regards,
Jack L. Stone
System Admin



Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Jack L. Stone
On 7 Dec 2006 at 13:21, Justin Mason wrote:

 
 Kelly Jones writes:
  Spamassassin has lots of tests for fake HELOs. If someone says
  HELO hotmail.com, but aren't connecting from a Hotmail IP
  address, they get dinged (spam score is increased).
  
  Recently, someone connected our server, call it mx.xyz.com, and
  said HELO mx.xyz.com. Spamassassin didn't ding it for doing
  this.
  
  Is there a ruleset that does this? I realize xyz.com couldn't
  be hardcoded (otherwise, it'd be a different ruleset for
  everyone), but is there a generic ruleset that uses a function
  call or something to figure out your MX server (or the name of
  the machine spamassassin is running on) and then ding someone
  HELO'ing as that?
 
 This is a great spam-sign alright, but I don't know of a way to
 detect what the local site's HELO is, bar each site writing their
 own rules to do so.
 
 Bayes does a good job of figuring this out, btw.
 
 Any suggestions?
 
 --j.
 

I use milter-regex as the frontline wall and this regex for 
catching fakers:

## HELO faking my own IP address
tempfail "Malformed HELO (can't be me)"
helo /^70\.86\.37\.82$/

HTH.




Regards,
Jack L. Stone
System Admin
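
An added example (not from the thread, and not milter-regex code) of the check the rule above performs, generalized to also match the bracketed address literal and the server's own host name while exempting trusted networks. The host name `mx.xyz.com` is the placeholder from the quoted question; the trusted networks and the sample client addresses are assumptions.

```python
import ipaddress

# Constructed configuration. The IP address and host name are the ones quoted
# in the thread; the trusted networks are assumptions for this example.
LOCAL_IPS = {ipaddress.ip_address("70.86.37.82")}
LOCAL_NAMES = {"mx.xyz.com"}
TRUSTED_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("70.86.37.82/32"),
]


def normalize_helo(arg):
    """Classify a HELO/EHLO argument as ('ip', address) or ('name', fqdn)."""
    text = arg.strip()
    # RFC 5321 address literals are bracketed: [192.0.2.1] or [IPv6:2001:db8::1]
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
        if text.lower().startswith("ipv6:"):
            text = text[5:]
    try:
        return ("ip", ipaddress.ip_address(text))
    except ValueError:
        # Host names compare case-insensitively and may carry a trailing dot.
        return ("name", text.rstrip(".").lower())


def helo_claims_local_identity(helo_arg, client_ip):
    """True when an untrusted client announces itself as this server."""
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_NETS):
        return False  # the server and its own networks may use these names
    kind, value = normalize_helo(helo_arg)
    return value in (LOCAL_IPS if kind == "ip" else LOCAL_NAMES)


# Constructed sample sessions: (HELO argument, connecting client IP).
SAMPLE_SESSIONS = [
    ("70.86.37.82", "203.0.113.9"),      # bare IP, what the regex above matches
    ("[70.86.37.82]", "198.51.100.23"),  # address literal form of the same IP
    ("MX.XYZ.COM.", "203.0.113.9"),      # own host name, odd case, trailing dot
    ("mx.xyz.com", "127.0.0.1"),         # local submission, trusted
    ("mail.example.net", "192.0.2.44"),  # ordinary remote sender
]


def flag_sessions(sessions):
    """Return the sessions whose HELO impersonates the local server."""
    return [s for s in sessions if helo_claims_local_identity(*s)]


if __name__ == "__main__":
    for helo, ip in flag_sessions(SAMPLE_SESSIONS):
        print(f"tempfail: HELO {helo!r} from {ip} claims to be this server")
```
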


Re: 5 digit probe spam?

2006-12-05 Thread Jack L. Stone
On 5 Dec 2006 at 20:50, Loren Wilton wrote:

  But there is no conclusion or discussion on what the point of
 that
  type of message is.
 
 I would bet there is at least one person on this list that
 knows the real 
 answer.  But I strongly suspect he/she is a lurker and doesn't
 post.
 
 That said, this shows all the signs of being a spam run
 misfire.  There is 
 probably a new program out there that was supposed to take
 numbers in a form 
 like %12345% or some such and generate random spam bodies, or
 at least the 
 frontend bayes poison text.  Either the generator program had a
 bug, or more 
 likely Novice Spammer had a bug and forgot the percent signs
 (or whatever 
 magic characters were required for the macro expansion). 
 Novice Spammer 
 probably also forgot the important part of the spam, as well as
 screwing up 
 the macro call.
 
 Loren
 

FWIW: I am receiving a few of those that are coming through one 
of my web forms -- perhaps a robot test probe to see if form is 
viable for the spammer use.


Regards,
Jack L. Stone
System Admin



Ignoring outgoing mail

2006-11-17 Thread Jack L. Stone
I have looked through the SA list archives for any method to make SA ignore
outgoing emails but nothing found that helped. I'm using the flag that I
thought helped do this when I load the scanner spamass-milter:
-i 127.0.0.1 (plus a few more IPs)

I do not see any flags on spamd to help with this either.

This may be more of a spamass-milter question, but I have been using spamd
& spamass-milter for years and thought I knew all of the tricks.

The scans are slowing down the send out of emails significantly and had to
remove one custom rule I found that was causing a 19 sec timeout related
delay -- ixhash was the culprit. Once I disable that ruleset, the delay
dropped from 19 secs to only 3 sec.

I have used spamc-milter before and had pretty good results with that one
and see that it has had further updates -- still don't know if I can bypass
the outgoing tho.

Any tips appreciated, please.

Thanks,
Jack

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Mail server performance problems. Possible SA slow down?

2006-10-09 Thread Jack L. Stone
At 01:09 PM 10.9.2006 -0500, David B Funk wrote:
On Mon, 9 Oct 2006, Matias Lopez Bergero wrote:

 Hello!

 I was very happy using SpamAssassin at my email server (Xeon 2.8GHz, 1.5
 GB memory, Dual Ultra SCSI HD 73.4GB in RAID 1, Linux 2.4.33)

 There are only 2500 email boxes at the server. The server is running:
 Sendmail, SpamAssassin 3.1.5 (using milter-spamc), ClamAV (using
 clamav-milter), Apache 1.3.x, SquirrelMail, pop3, etc.


 The server shows a table of ~1700 processes and about ~800 tcp sessions
 (sendmail and milter-spamc most) during this bursts. This seems to
 prevent other users from connecting to the server in order to use pop3
 or smtp services.

With all those services running on that box your 1.5GB isn't enough
to service 800 incoming simultaneous connects. Either throw more RAM
at it or edit your sendmail config to limit the number of incoming
connections. Use the sendmail 'MaxDaemonChildren' and
'ConnectionRateThrottle'  options to limit incoming connects.

-- 
Dave Funk  University of Iowa

I haven't seen mention of adding more mail queues for sendmail's use. I run
several busy mail discussion lists + some fairly large customer mail lists
-- in addition to my user traffic.

I increased the number of queues (x10 then x20) and saw a blazing jump in
speed.

Something to consider???

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: OT - verify addresses

2006-10-05 Thread Jack L. Stone
At 11:48 AM 10.5.2006 +0100, Nigel Frankcom wrote:
On Thu, 05 Oct 2006 12:32:07 +0200, [EMAIL PROTECTED] wrote:

I can't speak for others, but our server policy is to allow (n)
probes; should they all prove to be bad addresses the IP is banned for
24 hours. The probes don't all have to come at once, just from the
same IP within any 24 hour period. This system works very well for
dictionary attacks as well.

Nigel


Nigel: Where & how do you set that probe -- ?? I like the sounds of that.

Thanks!

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american
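
One way to implement the policy Nigel describes, as an added example that is not code from the thread or from any MTA: count bad-recipient probes per client IP inside a 24-hour window and ban the IP for 24 hours once the limit is reached. The threshold `max_bad`, the reading that a valid recipient resets the count ("should they all prove to be bad"), and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

DAY = 24 * 3600  # seconds


class ProbeTracker:
    """Per-IP counter of RCPT TO attempts against nonexistent addresses."""

    def __init__(self, max_bad, window=DAY, ban=DAY):
        self.max_bad = max_bad           # the "(n)" in the policy, an assumption
        self.window = window             # probes need not arrive at once
        self.ban = ban
        self.bad = defaultdict(deque)    # ip -> timestamps of bad recipients
        self.banned_until = {}           # ip -> time the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]    # ban served, start fresh
            return False
        return True

    def record_rcpt(self, ip, valid, now):
        """Return 'banned', 'accept' or 'reject' for one recipient attempt."""
        if self.is_banned(ip, now):
            return "banned"
        seen = self.bad[ip]
        if valid:
            seen.clear()                 # not *all* probes were bad
            return "accept"
        seen.append(now)
        while seen and now - seen[0] >= self.window:
            seen.popleft()               # drop probes older than the window
        if len(seen) >= self.max_bad:
            self.banned_until[ip] = now + self.ban
            seen.clear()
            return "banned"
        return "reject"


# Constructed events: (seconds since start, client IP, recipient exists?).
SAMPLE_EVENTS = [
    (0,     "203.0.113.7",  False),
    (0,     "198.51.100.5", False),
    (0,     "192.0.2.30",   False),
    (100,   "198.51.100.5", True),   # a real user: count resets
    (200,   "198.51.100.5", False),
    (3600,  "203.0.113.7",  False),
    (7200,  "203.0.113.7",  False),  # third bad probe inside 24 h: ban
    (8000,  "203.0.113.7",  True),   # still refused while banned
    (50000, "192.0.2.30",   False),
    (90000, "192.0.2.30",   False),  # first probe has aged out of the window
    (93600, "203.0.113.7",  True),   # ban expired
]


def replay(events, max_bad=3):
    """Feed events through a tracker and return the verdict for each one."""
    tracker = ProbeTracker(max_bad)
    return [tracker.record_rcpt(ip, valid, t) for t, ip, valid in events]


if __name__ == "__main__":
    for (t, ip, valid), verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{t:>6}s {ip:<13} valid={valid!s:<5} -> {verdict}")
```
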


Sa-stats.pl - perl version 5.8.x needed

2005-08-07 Thread Jack L. Stone
BTW: Just FYI, back to the sa-stats.pl that comes with sa-3.04, I found on
the FBSD-4.11x server that I had to upgrade to perl-5.8.7 to get the script
to run. Perl-5.6.2 gave errors and aborted, although not zeros as others
report.

After installing 5.8.7, it runs fine. My other servers use FBSD-5.4x with
the builtin perl-5.8 and runs the script fine too.


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Re[2]: [SARE] obfu rule set update

2005-05-13 Thread Jack L. Stone
At 06:59 PM 5.12.2005 -0700, Robert Menschel wrote:
Hello Jack, Chris,

Thursday, May 12, 2005, 8:46:40 AM, you wrote:

JLS At 09:19 AM 5.12.2005 +0100, Chris Russell wrote:
Trying to Update this morning gives:
Lint output: warning: description exists for non-existent rule
JLS SARE_OBFU_SPL_ORDERING
lint: 1 issues detected.  please rerun with debug enabled for more
JLS information.

JLS Am running FBSD-4.11 and SA-3.03_3
JLS I find that same problem. Also, when I open the rule with an editor,
I see
JLS the file is filled with those DOS carriage returns - ^M
JLS When I remove them, then the --lint sees 9 problems.

Fixed.  I did a --lint before publishing, but apparently missed the
description line problem?  Don't know how/why.  Also fixed problem
with my ftp client that wasn't stripping the ^M.

Bob Menschel


Bob: Yes, seems to be okay now. Thanks for the extra effort!


Happy trails,
Jack L. Stone

System Admin
Sage-american


RE: [SARE] obfu rule set update

2005-05-12 Thread Jack L. Stone
At 09:19 AM 5.12.2005 +0100, Chris Russell wrote:



Trying to Update this morning gives:

Lint output: warning: description exists for non-existent rule
SARE_OBFU_SPL_ORDERING
lint: 1 issues detected.  please rerun with debug enabled for more
information.

Cheers,

Chris


Am running FBSD-4.11 and SA-3.03_3
I find that same problem. Also, when I open the rule with an editor, I see
the file is filled with those DOS carriage returns - ^M

When I remove them, then the --lint sees 9 problems.


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: [SARE] obfu rule set update

2005-05-12 Thread Jack L. Stone
At 09:23 AM 5.12.2005 -0700, Loren Wilton wrote:
 Am running FBSD-4.11 and SA-3.03_3
 I find that same problem. Also, when I open the rule with an editor, I see
 the file is filled with those DOS carriage returns - ^M

 When I remove them, then the --lint sees 9 problems.

Strange.  SA normally doesn't care beans about dos CRs in the rules files.
I edit them that way all the time with no problems.

 Loren

I have found that the DOS carriage breaks will clobber some perl scripts
and perhaps PHP, can't remember for sure. I just avoid using an editor that
adds 'em.


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: SA 3.x files in root FS

2005-01-31 Thread Jack L. Stone
At 12:17 PM 1.31.2005 -0500, Rick Macdougall wrote:


Jim Maul wrote:
 [EMAIL PROTECTED] wrote:
 
 Upgraded to 3.0.2 a couple of weeks ago, and just noticed that the 
 root FS
 was nearly full.  I had seen this problem in the past with bayes files
 growing out of control, but have been doing a sa-learn --force-expire
 daily which helps keep that under control.

 However, now I noticed that two other files that hadn't been a problem in
 the past:

 /root/.razor/razor-agent.log   and
 /root/.spamassassin/auto-whitelist

 I deleted the razor-agent.log and put a cron job in to delete it nightly,
 but I am not sure whether I should do this with the auto-whitelist
 file...does spamd consult this file every time?  What's the best way to
 keep it under control?

 Not to quibble, but why doesn't the SA default to putting all these files
 under /var or at least /usr ?  Filling up the root FS can cause big
 problems...

 
 It doesn't normally fill up /root/ unless you are running spamd as root 
 which I would REALLY not do.  my .razor/ and .spamassassin/ directories 
 are in /home/spamd/.

Hi,

Incorrect, or at least incorrect on the Linux and FBSD servers I 
maintain.  Even running with -u username, spamd will still occasionally 
write files in /root/.spamassassin unless you specifically specify the 
path in local.cf.

In my case I run spamd with -u vpopmail, and before I added the bayes, 
awl and other paths in my local.cf, half of the data got written to 
~vpopmail/.spamassassin and the other half to /root/.spamassassin.

Just FYI

Regards,

Rick


I have found using a symlink from ~root/.spamassassin --> real user takes
care of that.


Happy trails,
Jack L. Stone

System Admin
Sage-american


RE: SpamAssassin not flagging much (SA version=3.0.2, Unix, spamd)

2005-01-30 Thread Jack L. Stone
At 09:40 AM 1.30.2005 -0500, Chris Harvey wrote:
 
 Why aren't more tests being triggered?

I was having similar problems recently where SA didn't seem to be picking up
much spam. Running spamd in debug mode showed me a number of things were
going wrong that must have happened over time with various other binary
updates (i.e. DNS wasn't working) and secondly some config mistakes I made a
while back.

Perhaps running in debug mode will give you more of a clue as to what is
going on?

 Unfortunately I can't use custom rules because my host (vonetwork.com)
 isn't willing to let users run custom rules. :( How do I stop this sort
 of spam?

Are you running an email server with SA or are you simply seeing the results
of 'their' SA defenses?


Why don't you just run the spamstats.pl program and see a summary of the
rules being fired.

Again, here's mine with SA running about 7 hours:
http://www.sage-american.com/spamstats.html


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: A good stats script?

2005-01-19 Thread Jack L. Stone
At 08:22 PM 1.18.2005 -0500, MIKE YRABEDRA wrote:
on 1/18/05 6:12 PM, MIKE YRABEDRA at [EMAIL PROTECTED] wrote:

 What is a good script that folks are using to generate SA stats off a mail
 log?


I am mainly looking for one that reports on the rulesets that are catching
the spam too. I don't think sa-stats.pl does that?


Well, you might be interested in this report from sa-stats.pl showing 4+
hours of scans by SA. Most of my filtering is done by 3 or 4 other layers
at the MTA, so this is all that gets through to the SA that I use for the
final filtering layer. Most is ham at this point.

The top half is for spams and the bottom for ham:
http://www.sage-american.com/spamstats.html 

HTH..



Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: A good stats script?

2005-01-19 Thread Jack L. Stone
At 05:55 AM 1.19.2005 -0500, Mike Yrabedra wrote:


Jack,

Thanks for the info. Where would I get this version of the script? Will it
work on a regular spamd log?


Mike:
Yes, it works on a spamd log. In fact, I re-direct all spamd info to
/var/log/spamd.log and run the script against that pure file.

I downloaded that script while SA-3.0 was going through shake-down through
various stages of RCs. I noted the file is dated July 2004, so suspect I
got it from a tarball.

If you or anyone can't locate it & needs a copy, I guess it would be okay
if I posted it for download.

Let me know.


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Jack L. Stone
At 04:36 AM 1.12.2005 -0800, Loren Wilton wrote:
Well, just for grins I ran it here:

Content analysis details:   (11.3 points, 4.6 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------
 2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
 0.3 SARE_WEOFFER              BODY: Offers Something
 1.8 LOCAL_OBFU_VIAGRA         BODY: Obfuscated 'VIAGRA' in body
 1.8 LOCAL_OBFU_TADALAFIL      BODY: Obfuscated 'TADALAFIL' in body
 1.8 LOCAL_OBFU_CIALIS         BODY: Obfuscated 'CIALIS' in body
 0.0 BAYES_50                  BODY: Bayesian spam probability is 50 to 56%
                               [score: 0.5418]
 1.0 DRUGS_ERECTILE            Refers to an erectile drug
 2.0 NOT_TO_ME                 Mail is not addressed to me

You wouldn't have the last one, so should have only gotten 9.3.  This is on
2.64.


and, for laughs, here on sa-3.0.2 and got a very high score:

--
Content analysis details:   (31.0 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 MISSING_HEADERS        Missing To: header
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.5 URIBL_CNKR             Contains a URL listed in China/Korea
                            [URIs: aujobs.net]
 0.5 URIBL_SBL_XBL          Contains a URL listed in the SBL-XBL DNSBL
                            [URIs: aujobs.net]
 5.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: aujobs.net]
 5.0 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: aujobs.net]
 5.0 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: aujobs.net]
 0.5 URIBL_MP_RHSBL         Contains a URL listed in the MP RHSBL
                            [URIs: aujobs.net]
 5.0 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: aujobs.net]
 0.5 URIBL_SS_RHSBL         Contains a URL listed in the SS RHSBL
                            [URIs: aujobs.net]
 1.2 MISSING_SUBJECT        Missing Subject: header
 0.2 DRUGS_ERECTILE         Refers to an erectile drug
 1.0 MURTY_BADWORDS2        Words ending with numbers
 1.2 MURTY_BADWORDS3        Words with numbers in the middle
 0.5 MURTY_BADWORDS4        Words with special symbols
 1.2 MURTY_BADCHARS         Single Characters


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: Can't configure spamd correctly

2004-12-07 Thread Jack L. Stone
At 09:51 AM 12.7.2004 -0500, Info wrote:
Theo,

Thanks for the reply, and there may be some truth in that, but I'm not
convinced that it is ever working correctly.

There have been NO spamd debug messages in the log since then, despite
emails being scanned. 

There is never any message saying it actually found the Bayes data. I am
not convinced that spamd has ever found it, or that it is ever actually
being used.

If I telnet to port 783 I do get spamd debug messages.

Paul Hilton



You could isolate the spamd-only messages by adding a syslog switch:

Like so:
/usr/local/bin/spamd --syslog=local1 -u spamd -x -d -r /var/run/spamd/spamd.pid

HTH.


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: duplicate messages

2004-11-11 Thread Jack L. Stone
At 02:59 PM 11.11.2004 -0800, Jeff Ramsey wrote:
Hi all,
   I am using SA 3.0.1, spamass-milter 0.2.0, and Sendmail 8.12.11. Seems
to work fine. I am using it with the sql tables and everything. There is
one problem. I am getting a duplicate for about 2/3 of the mail that is
processed by the server. Here are the flags set for each app:
Spamassassin:
SPAMDOPTIONS="-u spamassassin -D -d -m10 -x -q"

Spamass-milter:
SOCKET=/var/run/spamassassin/spamass.sock
EXTRA_FLAGS="-f -d3 -b junkmail"

Sendmail:
sendmail.mc compiled with:
INPUT_MAIL_FILTER(`spamassassin',
`S=local:/var/run/spamassassin/spamass.sock, F=,
T=C:15m;S:4m;R:4m;E:10m')dnl

I thought I had this working, and then I started to notice the
duplicates. Maybe there is something I have changed? Maybe it's just a
configuration issue. I have stopped the SA and milter apps, and
recompiled my cf file to not use the milter to make certain that this is
what is causing the issue.

Jeff Ramsey
MIS Administrator
Tubafor Mill, Inc.


Hm Interesting. I'm trying to troubleshoot a similar problem of
dups. Some of the members of our majordomo discussion lists have been
complaining of dups. Not every message, just random which is why I've had a
hard time figuring out what has changed in the system to cause this.

However, it's definitely after the time of upgrade to SA-3.0x.

I'm running:
FBSD-4.10p2
Sendmail-8.12.11
spamass-milter-0.2.0_5
Spamassassin-3.0.1_1


Happy trails,
Jack L. Stone

System Admin
Sage-american


SA-3.0.0 for FBSD Ports

2004-09-24 Thread Jack L. Stone
Does anyone know who is handling the update of the FBSD ports for the new
SA-3 release? Or better yet, when it is scheduled?

Thanks!

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
[EMAIL PROTECTED]


Re: rule idea for catching 'zombie spam relays' and question of my logic

2004-09-20 Thread Jack L. Stone
At 09:25 AM 9.20.2004 -0600, Sherwood Botsford wrote:

  In my logic, there is no valid reason that a remote
  sender would connect directly to our SMTP server from
  their dynamic/DSL/cable IP to send our customer's an
  email ... I think ?  Valid 'remote to local' emails
  being sent from these DSL/cable/dialup IP would
  normally be relayed via their own network's SMTP
  server, which would then be delivered to us by a host that
  didn't match the dynamic/DSL/cable custom rule. Right?
 
  It would either be a 'zombie' spam relay', or some one
  who setup a SMTP server on a dynamic IP (which just
  isn't what valid businesses do ... )?


The school I work at is some 20 km from the nearest phone 
exchange.  DSL, ADSL, Cable are all non-starters here.  We 
connect through DirecPC oneway.  So our outbound connection 
is through Telus, our local phone company.  They refuse to 
give out a static IP.

Ok, so run your smtp through their server:  Fine, except 
they lose messages, or refuse to deliver them. (Remember 
one end is a satellite link, so the outbound packets have 
our direcpc address as the 'from' IP.  Their server thinks 
we're asking them to relay.)

So I use smtp directly to most destinations.  The ones that 
won't accept our call because we have a dynamic address get 
sent to Telus, where eventually they get handled.  (Why 
some get bounced, and others not still escapes me.)

This is an example of one business/institution that relies 
on a dynamic IP.

-- 
Sherwood Botsford
St. John's School of Alberta

Just take a look at zoneedit.com which, among other DNS services make it
possible for use of legit dynamic IPs. There are others that do this too.

It would be terribly wrong to just latch in on adsl as a spammer.

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
[EMAIL PROTECTED]