Per user blacklist

2004-10-09 Thread Jay Hall
I have set up SpamAssassin 2.64, and qmail-scanner 1.23 on FreeBSD with 
perl-5.8.4 and have been using them separately with great success. 
However, I have decided to use qmail-scanner's ability to run 
SpamAssassin as the mail is processed.  And, I have this working to a 
point (i.e. the mail is flagged correctly according to rules), but I 
cannot get the blacklist to be recognized.

Spamd is running as root.  Spamc is called from the 
qmail-scanner-queue.pl script with -u qscand.  qscand is the user whose 
rules I would like to have used.  In debug, I see the following

logmsg: handle_user: unable to find user '[EMAIL PROTECTED]'!
logmsg: Still running as root: user not specified with -u, not found, or 
set to root.  Fall back to nobody.

I understand not being able to find the user [EMAIL PROTECTED] since 
this server is simply a relay for scanning, etc. before the e-mail is 
delivered to the Exchange server.  My thinking was that with the -u 
option whenever a user is not found, the rules in the 
/home/qscand/.spamassassin directory would be used.  The other thing 
that is puzzling is that I have added, for testing purposes, my e-mail 
address to the blacklist for nobody, and once the e-mail is received, I 
am not being identified as a blacklisted sender.  If I add the blacklist 
entry to local.cf, I am properly identified as a blacklisted sender.

How do I force SpamAssassin to use a particular user's rules, as opposed 
to nobody, when the user is not found?

Any ideas what I might be doing wrong with the blacklists?
Thanks for all your help.
Jay


Re: Rule problem (.exe attachments)

2004-09-30 Thread Jay Hall
[EMAIL PROTECTED] wrote:
Jay Hall wrote:
I am experiencing a problem with one of my rules that I
cannot seem to find.
I have the following rules defined.
rawbody __RAW_EXE_ATTACHMENT /filename=\".*\.exe\"/i
rawbody __RAW_VBS_ATTACHMENT /filename=\".*\.exe\"/i
rawbody __RAW_COM_ATTACHMENT /filename=\".*\.com\"/i
rawbody __RAW_PIF_ATTACHMENT /filename=\".*\.pif\"/i
rawbody __RAW_CMD_ATTACHMENT /filename=\".*\.cmd\"/i
rawbody __RAW_BAT_ATTACHMENT /filename=\".*\.bat\"/i
meta ATTACHMENT_RULES (__RAW_EXE_ATTACHMENT || __RAW_VBS_ATTACHMENT || __RAW_COM_ATTACHMENT || __RAW_PIF_ATTACHMENT || __RAW_CMD_ATTACHMENT || __RAW_BAT_ATTACHMENT)
score ATTACHMENT_RULES 25.00
Any attachments listed above will be properly identified as and the
tests run with the exception of an EXE attachment.  A filename with an
.exe extension is not flagged.
I have added an additional rule that checks for an .exe
attachment, that
is not part of the meta rule, and I receive the same results.  This
leads me to believe there is something wrong with my test for .exe
attachments. 

I am running SA 2.64, spamd, and it is invoked from q-mail.
Any suggestions would be greatly appreciated.
Thanks in advance for your assistance.

Jay Hall

How about trying:
rawbody ATTACHMENT_RULES /filename=\"?.*\.(?:exe|vbs|com|pif|cmd|bat|cpl|scr)\"?\s*$/i
score ATTACHMENT_RULES 25.00
Note: added .cpl and .scr
added end-of-line test $ to avoid false positives on things like
"example.com contract.doc"
made quotes optional
[EMAIL PROTECTED]  805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

I went back through the e-mail logs this evening, and e-mails with an 
exe attachment were being scored correctly until last night about 7:00 
pm.  Is it possible there is something wrong with one of the bayes files?

Thanks for your help.
Jay


Re: Rule problem (.exe attachments)

2004-09-29 Thread Jay Hall
[EMAIL PROTECTED] wrote:
Jay Hall wrote:
I am experiencing a problem with one of my rules that I
cannot seem to find.
I have the following rules defined.
rawbody __RAW_EXE_ATTACHMENT /filename=\".*\.exe\"/i
rawbody __RAW_VBS_ATTACHMENT /filename=\".*\.exe\"/i
rawbody __RAW_COM_ATTACHMENT /filename=\".*\.com\"/i
rawbody __RAW_PIF_ATTACHMENT /filename=\".*\.pif\"/i
rawbody __RAW_CMD_ATTACHMENT /filename=\".*\.cmd\"/i
rawbody __RAW_BAT_ATTACHMENT /filename=\".*\.bat\"/i
meta ATTACHMENT_RULES (__RAW_EXE_ATTACHMENT || __RAW_VBS_ATTACHMENT || __RAW_COM_ATTACHMENT || __RAW_PIF_ATTACHMENT || __RAW_CMD_ATTACHMENT || __RAW_BAT_ATTACHMENT)
score ATTACHMENT_RULES 25.00
Any attachments listed above will be properly identified as and the
tests run with the exception of an EXE attachment.  A filename with an
.exe extension is not flagged.
I have added an additional rule that checks for an .exe
attachment, that
is not part of the meta rule, and I receive the same results.  This
leads me to believe there is something wrong with my test for .exe
attachments. 

I am running SA 2.64, spamd, and it is invoked from q-mail.
Any suggestions would be greatly appreciated.
Thanks in advance for your assistance.

Jay Hall

How about trying:
rawbody ATTACHMENT_RULES /filename=\"?.*\.(?:exe|vbs|com|pif|cmd|bat|cpl|scr)\"?\s*$/i
score ATTACHMENT_RULES 25.00
Note: added .cpl and .scr
added end-of-line test $ to avoid false positives on things like
"example.com contract.doc"
made quotes optional
[EMAIL PROTECTED]  805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

I changed the rules as you suggested, but e-mails with exe attachments 
are still not being marked as SPAM.  However, others are.  Following are 
the headers from an e-mail sent with an exe attachment.

To: [EMAIL PROTECTED]
Subject: EXE Test 1 - exe
Content-Type: multipart/mixed; 
boundary="050409040702070007040104"
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on mnea-hq.mnea.org
X-Spam-Level:
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham 
version=2.64
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 29 Sep 2004 22:12:44.0170 (UTC) 
FILETIME=[71AA06A0:01C4A671]

If I am reading the headers correctly, it appears the attachment tests 
were not done in this case.  The file attached to the message was 
vncviewer.exe.

What additional information should I be looking for to troubleshoot this 
problem?

Thanks for your help.

Jay
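
An added check, not part of any message in the thread: the original .exe pattern and the suggested combined pattern run over MIME header lines, with Python's re standing in for the Perl regex engine. The sample lines and the unanchored variant are assumptions constructed for illustration.

```python
import re

# Patterns as posted in the thread. Python's re stands in for the Perl regex
# engine here; for these constructs the two behave the same.
ORIGINAL_EXE = re.compile(r'filename=\".*\.exe\"', re.I)
SUGGESTED = re.compile(
    r'filename=\"?.*\.(?:exe|vbs|com|pif|cmd|bat|cpl|scr)\"?\s*$', re.I)
# Assumption for comparison only: SUGGESTED without its trailing \s*$ anchor.
UNANCHORED = re.compile(
    r'filename=\"?.*\.(?:exe|vbs|com|pif|cmd|bat|cpl|scr)\"?', re.I)

# Constructed MIME part header lines (not taken from the thread).
SAMPLES = {
    "quoted_exe": 'Content-Disposition: attachment; filename="vncviewer.exe"',
    "unquoted_exe": ' filename=vncviewer.exe',
    "upper_scr": ' FILENAME="HOLIDAY.SCR"  ',
    "benign_doc": ' filename="example.com contract.doc"',
    "trailing_param": ' filename="setup.exe"; size=1024',
}


def evaluate(line):
    """Return which of the three patterns fire on one header line."""
    return {
        "original_exe": bool(ORIGINAL_EXE.search(line)),
        "suggested": bool(SUGGESTED.search(line)),
        "unanchored": bool(UNANCHORED.search(line)),
    }


def coverage_table():
    """Evaluate every constructed sample line."""
    return {name: evaluate(line) for name, line in SAMPLES.items()}


def suggested_misses():
    """Samples the original .exe pattern flags but the anchored rule does not."""
    table = coverage_table()
    return sorted(name for name, row in table.items()
                  if row["original_exe"] and not row["suggested"])


if __name__ == "__main__":
    for name, row in coverage_table().items():
        print(f"{name:15} {row}")
    print("missed by suggested rule:", suggested_misses())
```

The `benign_doc` row shows what the `$` anchor prevents, and the `trailing_param` row shows its cost: a filename followed by another parameter on the same line is not flagged by the suggested rule.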




Rule problem (.exe attachments)

2004-09-29 Thread Jay Hall
I am experiencing a problem with one of my rules that I cannot seem to find.
I have the following rules defined.
rawbody __RAW_EXE_ATTACHMENT /filename=\".*\.exe\"/i
rawbody __RAW_VBS_ATTACHMENT /filename=\".*\.exe\"/i
rawbody __RAW_COM_ATTACHMENT /filename=\".*\.com\"/i
rawbody __RAW_PIF_ATTACHMENT /filename=\".*\.pif\"/i
rawbody __RAW_CMD_ATTACHMENT /filename=\".*\.cmd\"/i
rawbody __RAW_BAT_ATTACHMENT /filename=\".*\.bat\"/i
meta ATTACHMENT_RULES (__RAW_EXE_ATTACHMENT || __RAW_VBS_ATTACHMENT || __RAW_COM_ATTACHMENT || __RAW_PIF_ATTACHMENT || __RAW_CMD_ATTACHMENT || __RAW_BAT_ATTACHMENT)
score ATTACHMENT_RULES 25.00
Any attachments listed above will be properly identified as and the
tests run with the exception of an EXE attachment.  A filename with an
.exe extension is not flagged.
I have added an additional rule that checks for an .exe attachment, that
is not part of the meta rule, and I receive the same results.  This
leads me to believe there is something wrong with my test for .exe
attachments.
I am running SA 2.64, spamd, and it is invoked from q-mail.
Any suggestions would be greatly appreciated.
Thanks in advance for your assistance.

Jay Hall