Re: [guinevere-discuss] Lint errors in 3.4

2007-12-18 Thread Joe Zitnik
>>> On 12/18/2007 at 10:02 AM, Matt Kettler <[EMAIL PROTECTED]> wrote:
Joe Zitnik wrote:
> >>> On 12/18/2007 at 9:00 AM, Matt Kettler <[EMAIL PROTECTED]> wrote:
> Clay Davis wrote:
> > I've seen several people write this.  Can someone point me to some
> > debate I can review?  It seems to me that if you set the autolearn
> > threshold fairly high and keep an eye on your bayes scoring, it would
> > be a good thing.
> >
> IMHO, autolearning is a good thing. However, exclusively autolearning
> without ever providing any manual training is a situation that can
> lead to a mislearning disaster. The autolearner is most vulnerable
> when it has to make judgments and there's no existing training to
> compare against.
>
> It's probably bad experience with that effect which has caused such
> gross over-reactions.
>
>
> You're exactly right, and in numerous posts on that forum, I've stated
> exactly that.  On at least three different occasions, I have had to
> scrap my bayes database, and resend all e-mail received within a given
> period because my bayes database became corrupted, either one way or
> the other.  In the years since that has happened, I have manually fed
> bayes, and between the rules I have added, and some additional
> plugins, not only have I never had that issue again, my spam catching
> is at an all time high.  All by taking a few minutes every week to
> feed the spam in that's making it past the filters.  What may be a gross
> over-reaction to you seems perfectly sensible to me.  I'm sure there
> are people who have great success with it, but for me, it was NOTHING
> but trouble.  Mine is not the only story that I have read that has had
> exactly the same results.
Well, if you had trouble exclusively autolearning with no manual
training. Perhaps the solution is to start using manual training in
addition to autolearning.

Also, generally speaking, you hear about the problems, but rarely hear
about the non-problems.

I've had autolearning enabled on the same bayes database I've been using
since the bayes feature was introduced in SpamAssassin 2.50 back in
February of 2003. I've never had to scrap my bayes database. Not once.
I'm still using the same database (with a couple format conversions
during various upgrades) that I pre-initialized with several hundred
hand-picked messages.

My only variation is that somewhere around SA 3.0 (Sept 2004) I lowered
the bayes_auto_learn_threshold_nonspam from the default to -0.001, and
added some rules with -0.001 scores that key off industry keywords. This
was largely a precautionary measure, but I felt a positive-score for
this option was potentially dangerous. This is especially true if you
let your SA version get a little stale, as it becomes less effective
over time and spam is more likely to hit a 0 score. I wasn't having any
troubles prior to my change, I was just being paranoid because I knew I
was letting my SA version slip sometimes, and never switched back.

YMMV, but on an otherwise well maintained SA and bayes database,
auto-learning seems to work just fine.






I never exclusively autolearned, just to get bayes working requires
some manual feeding.  The first time my bayes blew up it had been
running fine for over six months.  During that time I manually fed in
thousands of spam and ham.  The second time it may have even been
longer.  The third time I'll take responsibility for, I had it shut off,
but an upgrade overwrote the value and turned it back on.
It's there for a reason, and much smarter men than me are responsible
for the spamassassin project, so I have to imagine large numbers of people
have had success with it.  Once again, from my vantage point, I was
burned three different times with it, so I don't use it.


Re: [guinevere-discuss] Lint errors in 3.4

2007-12-18 Thread Joe Zitnik
>>> On 12/18/2007 at 9:00 AM, Matt Kettler <[EMAIL PROTECTED]> wrote:
Clay Davis wrote:
> I've seen several people write this.  Can someone point me to some
> debate I can review?  It seems to me that if you set the autolearn
> threshold fairly high and keep an eye on your bayes scoring, it would
> be a good thing.
>
IMHO, autolearning is a good thing. However, exclusively autolearning
without ever providing any manual training is a situation that can
lead to a mislearning disaster. The autolearner is most vulnerable when
it has to make judgments and there's no existing training to compare
against.

It's probably bad experience with that effect which has caused such
gross over-reactions.


You're exactly right, and in numerous posts on that forum, I've stated
exactly that.  On at least three different occasions, I have had to
scrap my bayes database, and resend all e-mail received within a given
period because my bayes database became corrupted, either one way or the
other.  In the years since that has happened, I have manually fed bayes,
and between the rules I have added, and some additional plugins, not
only have I never had that issue again, my spam catching is at an all
time high.  All by taking a few minutes every week to feed the spam in
that's making it past the filters.  What may be a gross over-reaction to
you seems perfectly sensible to me.  I'm sure there are people who have
great success with it, but for me, it was NOTHING but trouble.  Mine is
not the only story that I have read that has had exactly the same
results.


deprecated rules

2007-09-25 Thread Joe Zitnik
I thought I read in an earlier post that some of the SARE rules,
specifically the rules targeting the nigerian 419 spam, had not been
updated in some time because they had been rolled in to version 3.2.x. 
Is that correct, and if so, are there any other SARE rules that should
be gotten rid of after a move from 3.1.x (in my case 3.1.5) to 3.2.1
because of redundancy?  Is this documented anywhere?  If not, shouldn't
it be?  I know the SARE site used to list after the rules that if you
were at SA x.x.x, then this rule is no longer necessary, but that only
seems to happen when the rules are being actively updated.  As always,
TIA.


Re: Sneaky [EMAIL PROTECTED] slipped through

2007-08-17 Thread Joe Zitnik
http://rulesemporium.com/other-rules.htm

>>> John Rudd <[EMAIL PROTECTED]> 08/17/07 4:02 PM >>>

Hm.  This is the first I've heard of the chickenpox rule.  Where does it
come from?  Is it part of SARE?


Rick Zeman wrote:
> Yep.  Thanks, all.  As a johnny-come-lately to spamassassin, what's
> common knowledge to you all is a revelation to me.  :-)
> 

 [EMAIL PROTECTED] 8/17/2007 2:31 PM >>>
> again, chickenpox.cf almost surely would have caught this.
> 
> Kai
> 




Re: Rule for PDF and eCard Spam Needed

2007-08-16 Thread Joe Zitnik
>>> On 8/14/2007 at 6:31 PM, "John D. Hardin" <[EMAIL PROTECTED]> wrote:
On Tue, 14 Aug 2007, Diego Pomatta wrote:

> and this ruleset for postcards&ecards  -> 
> http://www.impsec.org/~jhardin/antispam/postcards.cf 

We're starting to get into whack-a-mole territory with the postcard 
spams. There will be another update out tonight.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising.  -- fwadling on Y! SCOX
--
Tomorrow: The 62nd anniversary of the end of World War II


John,
I've been looking at the rule, and POSTCARD_02 and POSTCARD_03 along
with DQ_URI_ONLY_ARGS have no associated score line.  Is this an
intentional omission?


Re: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-08-08 Thread Joe Zitnik
John,
>>> On 8/6/2007 at 1:18 PM, John Rudd <[EMAIL PROTECTED]> wrote:
Kai Schaetzl wrote:
> John Rudd wrote on Sun, 05 Aug 2007 19:39:07 -0700:
> 
>> http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.8.tar 
> 
> Hi John, just checking out your plugin the first time. I notice that it
> just untars all files to the current location. It would be nice if you
> could encapsulate it in a directory, so that untarring creates a directory
> of the same name as the filename (without the .tar suffix, of course).
> Most tarred up distributions do this and if one doesn't and there are a
> lot of other files in the same directory it's a nuisance to "collect" your
> files.


I'll look into re-working it.

 
Thanks for all your hard work on this.  Don't know if that was
mentioned anywhere yet.


Re: BAYES_99 and ham

2007-07-26 Thread Joe Zitnik
Bump your BAYES_99 score.  That's the beauty of spamassassin, it is
highly customizable.  The determinant of whether it is spam or not is
the total score versus your threshold.  You can change either.  I have
my BAYES_99 set to 5.0 points.  My threshold is 4.0 points.  If there is
enough about that e-mail to be a 99% chance it's spam based on what I've
fed bayes, that's good enough for me.  If you have your threshold set to
10, you can't expect bayes to know this and adjust accordingly.

>>> On 7/26/2007 at 7:17 AM, martin f krafft <[EMAIL PROTECTED]> wrote:
Hi list,

I just had a flood of spam coming through, which SA classified as
ham. On closer inspection, it turns out that the only tests
triggered for all those mails were HTML_MESSAGE and BAYES_99.

HTML messages are commonplace today (unfortunately), so they don't
add anything to the score.

BAYES_99 yields 3.5 points.

What's curious is that in this scenario, even though SA thinks that
the message is 99%-100% likely to be spam, it will always classify
it as ham, and further learning does not have any noticeable effect.

I know how SA scores are computed. I do wonder how that algorithm
applies to the BAYES_* tests though. Don't you think BAYES_99 should
yield > 5 points to trigger the threshold on default installs?
Shouldn't thus BAYES_* be renormalised?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

spamtraps: [EMAIL PROTECTED]

"... but all propositions of logic say the same thing. namely, nothing."
   -- wittgenstein


Re: Rulesemporium

2007-07-09 Thread Joe Zitnik
>>> Mike Grau <[EMAIL PROTECTED]> 07/09/07 5:15 PM >>>
On 07/09/2007 04:01 PM the voices made Joe Zitnik write:
> I can't get here:
> http://www.rulesemporium.com/rules
> Is rulesemporium having issues again?

I can rarely get there (via a browser). So rarely the site is almost 
useless.


I've been having intermittent issues getting there from home for a
while.  Last time it happened, the site was down.  I still can't get
there


Rulesemporium

2007-07-09 Thread Joe Zitnik
I can't get here:
http://www.rulesemporium.com/rules
Is rulesemporium having issues again?


Rulesemporium

2007-06-29 Thread Joe Zitnik
Is it having troubles again?  I'm having problems reaching the site.


Re: A bit off topic for spamassassin but whats up with rulesemporium.com?

2007-06-07 Thread Joe Zitnik
>>> On 6/7/2007 at 1:45 PM, Nigel Frankcom <[EMAIL PROTECTED]> wrote:
On Thu, 07 Jun 2007 18:41:49 +0100, Nigel Frankcom
<[EMAIL PROTECTED]> wrote:

>On Thu, 07 Jun 2007 19:26:59 +0200, arni <[EMAIL PROTECTED]> wrote:
>
>>Kevin W. Gagel wrote:
>>> I'm not able to get to www.rulesemporium.com, what's up there? Any one
>>> know?
>>>   
>>Do you read also or just write?
>
>
>rulesemporium is under suspected DDOD. They have requested that all
>users suspend automated downloads until further notice.
>
>KR
>
>Nigel


That would be DDOS it's been a long day

Although I would imagine a Distributed Department of Defense attack
would be equally as damaging.


Whitelist question

2007-02-13 Thread Joe Zitnik
How would I whitelist mail from a listserv?  Since the mail is shown to
be from the user who sent it and not the listserv, I can't do a
whitelist_from.  Would it be easier to make a rule to look for the
listserv domain in the header?  How would I make a rule to look for just
a word in the header, rather than a defined type?


Re: My Credit rateing does TOO matter

2006-12-01 Thread Joe Zitnik

>>> On 12/1/2006 at 7:01 AM, Justin Mason <[EMAIL PROTECTED]> wrote:

> Guys -- vague hints as to the contents of the mail really don't help.
>
> It's spam -- we're all getting thousands of spams a day, most of us (ok, I
> for one at least) seem to be finding those going into the spam bins
> without our help, and I'd say it's unlikely that many of us (ok, me
> again ;) are going to go rooting through the trash there looking for
> something that seems to match what you're hinting at.
>
> Why not just post a spample, or a link to one?
>
> --j.
>
> Joe Zitnik writes:
>> >>> On 12/1/2006 at 5:22 AM, John Andersen <[EMAIL PROTECTED]> wrote:
>> On Friday 01 December 2006 00:29, Loren Wilton wrote:
>> >  guess you're just lucky.  I just went through the last month's spam
>> > and I can't find anything with a subject about credit ratings.
>>
>> Oh, no, I didn't mean to suggest it was in the subject.
>>
>> It's usually some random subject.  Then a paragraph starting with "your
>> credit rating doesn't matter to us" with the usual misspellings, etc,
>> followed by (usually) a geocities link and some random text at the end.
>>
>> --
>> _
>> John Andersen
>>
>>
>> I was wondering the same thing.  Even given the random text, I would
>> think between the default rules, and the fact that I've dumped a bunch
>> in to bayes, that the spammy content would be enough to nail them for
>> sure.  I'm still seeing a significant number skate by.


It wasn't really a vague hint, or rather, if you're receiving them, you
know exactly the spam he's talking about.  I wasn't asking for a
solution, I was just commenting on the fact that, like John, I was
surprised these spams would make it through.  At least that's why I
didn't post the contents or a link to the contents.


Re: My Credit rateing does TOO matter

2006-12-01 Thread Joe Zitnik


>>> On 12/1/2006 at 5:22 AM, John Andersen <[EMAIL PROTECTED]> wrote:
On Friday 01 December 2006 00:29, Loren Wilton wrote:
>  guess you're just lucky.  I just went through the last month's spam
> and I can't find anything with a subject about credit ratings.

Oh, no, I didn't mean to suggest it was in the subject.

It's usually some random subject.  Then a paragraph starting with "your
credit rating doesn't matter to us" with the usual misspellings, etc,
followed by (usually) a geocities link and some random text at the end.

-- 
_
John Andersen


I was wondering the same thing.  Even given the random text, I would
think between the default rules, and the fact that I've dumped a bunch
in to bayes, that the spammy content would be enough to nail them for
sure.  I'm still seeing a significant number skate by.


sa-update question, kinda

2006-11-29 Thread Joe Zitnik
I know you can use sa-update to download the new sa-rules as they become
available.  Are the rules located somewhere that they can be manually
downloaded as they are updated, kind of like rulesemporium?  I was
poking around the sa site, but couldn't find updated rules, only full
releases.


RE: Rulesemporium rules

2006-10-10 Thread Joe Zitnik
A simple no would have sufficed.

>>> On 10/10/2006 at 4:25 PM, Chris Santerre <[EMAIL PROTECTED]> wrote:

> 
>> -Original Message-
>> From: Joe Zitnik [mailto:[EMAIL PROTECTED] 
>> Sent: Tuesday, October 10, 2006 1:39 PM
>> To: users@spamassassin.apache.org 
>> Subject: Rulesemporium rules
>> 
>> 
>> Just out of curiosity, is there a reason why the updates on the
>> rulesemporium rules have dropped so drastically lately?  I understand
>> that the authors all have other things to do, and I am EXTREMELY
>> GRATEFUL for all their hard work.  I was just wondering if there were
>> any other reasons.
> 
> Many possible reasons:
> 
> 1) I was pulling some ticks off my Siberian Husky.
> 2) Ninja Convention?
> 3) Hockey Season Started
> 4) Halloween costumes don't make themselves!
> 5) We're waiting for the Yankees head coach to be fired.
> 6) The Vista Beta is so secure it won't let us in our own machines!
> 7) We have not yet closed all the gates to Oblivion!
> 8) Apple Pickin!
> 9) 1 beer turned out to be 10!
> 10) Making top ten lists. 
> 
> Thanks,
> 
> Chris Santerre
> SysAdmin and Spamfighter
> www.rulesemporium.com 
> www.uribl.com


Rulesemporium rules

2006-10-10 Thread Joe Zitnik
Just out of curiosity, is there a reason why the updates on the
rulesemporium rules have dropped so drastically lately?  I understand
that the authors all have other things to do, and I am EXTREMELY
GRATEFUL for all their hard work.  I was just wondering if there were
any other reasons.


Re: Feeding bayes outbounds

2006-08-22 Thread Joe Zitnik
Well, that was part of my reason for doing it.  My bayes is seriously
skewed for the spam side, something like 4 to 1.  The problem is I'm
getting about 90% spam coming in, so it's difficult enough finding
legitimate mail to feed it.  I wasn't talking about feeding strictly
outbounds, but using them as an additional source of ham.

>>> On 8/21/2006 at 6:20 PM, "jdow" <[EMAIL PROTECTED]> wrote:
> From: "Joe Zitnik" <[EMAIL PROTECTED]>
> 
>> Our scanning program has the ability to archive all e-mail, both inbound
>> and outbound, which we have been doing for months now.  Given that your
>> outbound mail is almost certainly ham, the majority of its content is
>> going to be specific to our business sector, wouldn't feeding outbounds
>> through bayes manually be a win win situation?  Am I oversimplifying
>> things, or am I missing something with that logic?
> 
> If the terms in the outbound mail are likely to be the same as
> acceptable terms on the inbound mail that may be true. If your
> outbound mail you have captured is not all pure business it might
> reduce the Bayes accuracy somewhat.
> 
> It might introduce a huge mismatch between ham and spam, also.
> 
> And it might introduce potential issues with email privacy on the
> outgoing emails if you save them for a mass feed.
> 
> {^_^}


Feeding bayes outbounds

2006-08-21 Thread Joe Zitnik
Our scanning program has the ability to archive all e-mail, both inbound
and outbound, which we have been doing for months now.  Given that your
outbound mail is almost certainly ham, the majority of its content is
going to be specific to our business sector, wouldn't feeding outbounds
through bayes manually be a win win situation?  Am I oversimplifying
things, or am I missing something with that logic?


deprecated rules

2006-08-17 Thread Joe Zitnik


Here is the list of rules I am currently using, in addition to the SA 3.0.4 default rules:
 
70_sare_adult.cf
70_sare_bayes_poison_nxm.cf
70_sare_evilnum0.cf
70_sare_evilnum1.cf
70_sare_genlsubj0.cf
70_sare_header0.cf
70_sare_html0.cf
70_sare_html1.cf
70_sare_obfu.cf
70_sare_oem.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_spoof.cf
70_sare_stocks.cf
70_sare_unsub.cf
70_sare_uri0.cf
70_sare_whitelist.cf
72_sare_bml_post25x.cf
72_sare_redirect_post3.0.0.cf
88_FVGT_body.cf
88_FVGT_headers.cf
88_FVGT_rawbody.cf
88_FVGT_subject.cf
88_FVGT_uri.cf
99_FVGT_meta.cf
99_FVGT_Tripwire.cf
99_sare_fraud_post25x.cf
99_sober.cf
bogus-virus-warnings.cf
mime_validate.cf
mysurbl.cf
rolex.cf
stockspam.cf
subevil.cf
weeds_2.cf
 
Are there any of these rules that are redundant, no longer necessary, or of no benefit?  My mail volume used to be about 30,000 a day, and these rules were fine for that volume.  We're now getting upwards of 140,000 on some days, and my boxes are having trouble keeping up.  Rolex and stockspam are probably covered in others, but they're only about 2k a piece.  I'm hoping some of the larger ones can go buh-bye.

RE: Image only spam

2006-07-12 Thread Joe Zitnik

After you stop and restart SA, correct?

>>> On 7/12/2006 at 10:48 AM, Bowie Bailey <[EMAIL PROTECTED]> wrote:
Jack Gostl wrote:
> Thanks for the response.
>
> Take it slow with me, spamassassin has been running so well for so
> long that I haven't had to fiddle with it in ages and I don't
> remember the details. Do I add these rules to my user_prefs? Or to my
> /etc/mail/local.cf files?

Just drop the new rules file in the same directory with your local.cf
file.  SA will automatically run all the rule files in that directory.

--
Bowie

Spam success stats

2006-07-05 Thread Joe Zitnik

Does anyone have a source for statistics on spam victims, ie. the number of people who actually click on the "Remove Me" line, or who "update their banking information", or who actually buy those pencil enlargement pills? 

new stock spam

2006-01-31 Thread Joe Zitnik


For the last few days, I've been receiving stock spam, same format as the other stock spam, except the spam is a gif image.  Some randomstringofletters.gif, and a bunch of text.  The random text will show up at the bottom of the page.  The ones I'm currently seeing are for Golden Apple Oil and Gas.  Because the subject is always different, the name of the gif is always different, and the text is always at least a little different, there's no way to consistently stop these, is there?  I've been feeding them to bayes, but they're still slipping past, I'm guessing because each one is so dissimilar from the next.


SARE Rule question

2006-01-18 Thread Joe Zitnik

Any update on when the stock spam rule might be posted?  I've fed dozens in to bayes, and they're still making it through.


OT: Using ldap_routing in sendmail to verify GroupWise Recipients before SA

2006-01-10 Thread Joe Zitnik


I'm trying to configure sendmail to perform recipient verification by using ldap_routing in order to reduce the number of messages that need to be scanned by Guinevere and SpamAssassin.
 
Our configuration is similar to the setup discussed in comp.mail.sendmail, readable here:
 
http://www.issociate.de/board/post/266566/check_users_and_forward_to_an_other_mail_server.html 
 
I've basically been successful in setting this up in a test environment as follows:
 
FEATURE(`ldap_routing',`null',`ldap -1 -T -v mail -k mail=%0',`bounce')dnl
LDAPROUTE_DOMAIN(hfcc.edu)dnl
LDAPROUTE_DOMAIN(hfcc.net)dnl
LDAPROUTE_DOMAIN(henryford.cc.mi.us)dnl
LDAPROUTE_DOMAIN(mail.henryford.cc.mi.us)dnl
define(`confLDAP_DEFAULT_SPEC', `-h hostname -b o=org -s sub')dnl
 
There's only one problem. We have multiple domains (as you can see above) and yet each user only has one domain in their mail attribute.
 
I don't need to route, just verify existence and drop non-matches. I can't find any documentation on the parameters for ldap_routing except that -v and -k are required fields and a couple of examples here and there.
 
So here's my question: It's apparent that %0 is the recipient's email address. If there was an easy way to only check the lhs of the address, I could compare it against a different attribute and it would match all possible domains, and that would be good enough. I don't know enough about sendmail rule hacking to do this, but I'm sure it can be done.


Bayes feeding

2005-11-29 Thread Joe Zitnik

I apologize if this has been addressed before, but is there a consensus on feeding bayes ham that is outbound from your organization?  It seems to make sense to me.  You can almost guarantee the words bayes will be "learning" are related to your organization's business function.  Even if they are personal e-mail, it seems to be an excellent source of ham.  Is there a problem with this, or a flaw in my reasoning?  Part of the reason this is so attractive is that I am having problems matching the amount of ham I feed bayes with the amount of spam I have access to.  Right now, about 80% of my inbound mail is spam.


Re: How to block this email??

2005-06-20 Thread Joe Zitnik

I know some of the rules at SARE: http://www.rulesemporium.com/rules.htm are aimed at English only environments, and will score non English e-mail higher.  Look for the .cf files with _eng in the names.

>>> "Bryan Haase" <[EMAIL PROTECTED]> 6/20/2005 11:30 AM >>>
Does anyone have a rule that will score foreign characters or characters with the dashes on top?

Below is example email that is not scoring at all for me.

Thanks
Bryan

>>> berton laurence <[EMAIL PROTECTED]> 6/18/2005 7:52 PM >>>
   ? XXI  ? ??? ?? ? ??? ???:- ?? ??? ? ??  ?? ?-?  ?  ??  ??? ? ?? ??? ? .- ? ? ?? ? ?  ? ??? ? ? ? ? ??, ??  ??? ???, ??? ? ? ?? ??.-??? ??? ?  ?. ???: 8(926)530-13-94


Re: Re[2]: [SARE] obfu.cf, specific.cf updated

2005-05-27 Thread Joe Zitnik

Sorry.  If I'm not bitching, I'm not happy.

>>> Robert Menschel <[EMAIL PROTECTED]> 5/26/2005 8:39 PM >>>
Hello Joe,

Thursday, May 26, 2005, 7:37:55 AM, you wrote:

JZ> Can someone get the file specific information straight for
JZ> those of us who download manually?  ...

Sure, someone could.  Apparently not me.   :-)

Anyone got a good secretary available?

Bob Menschel


Re: Is Bayes Really Necessary?

2005-05-26 Thread Joe Zitnik

I have autolearn off.  I have been burned by it twice.

>>> <[EMAIL PROTECTED]> 5/26/2005 10:33 AM >>>
On Thu, 26 May 2005, Joe Zitnik wrote:

> I think points can be made for both sides of the argument.  The thing
> that makes bayes different, is that a well trained bayes database is
> specific to your environment.  If you're a law firm, your learned ham is
> going to be heavy in legalese, medical related org, heavy in that
> terminology.  Because spam and ham is learned specific to your
> environment, it can make a big difference.
>
> >>> Jake Colman <[EMAIL PROTECTED]> 5/26/2005 10:08 AM >>>
>
> Given the rather complete set of rules that ship with SA and which can
> be expanded with SARE, does bayes learning really help?  Won't the rules
> catch pretty much everything anyway?

Bayes definitely helps, but auto-learn can cause problems.  Perhaps a
better question would be, "Is autolearn really necessary?"

James Smallacombe          PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]                                http://3.am=


Re: [SARE] obfu.cf, specific.cf updated

2005-05-26 Thread Joe Zitnik

Can someone get the file specific information straight for those of us who download manually?  Example: specific shows Last update 2005-5-26, but if you open the file, its modified date is # Modified: 2005-03-26, header is the same way, last update is 2005-05-21, but modified day in the file is # Modified: 2005-03-21, until you read down to the revision history, which shows the correct date.  obfu is the only one correct in both places.  I always look at the modified date in the file to see if there have been changes, rather than the Last update on the page, because I have seen big discrepancies between the two.

>>> Robert Menschel <[EMAIL PROTECTED]> 5/26/2005 2:03 AM >>>
Just a quick note that the SARE specific.cf and obfu.cf rules files
have been updated.

Documentation at http://www.rulesemporium.com/rules.htm#specific and
http://www.rulesemporium.com/rules.htm#obfu

Updates to specific.cf are minor.

Updates to obfu.cf include 36 new rules, including several for href
obfuscation and table obfuscation,

Bob Menschel


Re: Is Bayes Really Necessary?

2005-05-26 Thread Joe Zitnik

I think points can be made for both sides of the argument.  The thing that makes bayes different, is that a well trained bayes database is specific to your environment.  If you're a law firm, your learned ham is going to be heavy in legalese, medical related org, heavy in that terminology.  Because spam and ham is learned specific to your environment, it can make a big difference.

>>> Jake Colman <[EMAIL PROTECTED]> 5/26/2005 10:08 AM >>>
Given the rather complete set of rules that ship with SA and which can
be expanded with SARE, does bayes learning really help?  Won't the rules catch
pretty much everything anyway?

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com


Re: Custom rule

2005-05-20 Thread Joe Zitnik

A couple of further questions.  I was looking through your howto on the spamassassin site, and didn't see any info on full type rules.  So where I would normally put header, body, etc, I'd put full, correct?  Is there some way I could eliminate the /Content-Disposition: attachment;.{0,30} portion of the rule and just search for the filename=.{0,50}\.foo\.bar/i portion of the rule, since because the extension is specific to our organization, a match on that filename would be enough?

>>> Matt Kettler <[EMAIL PROTECTED]> 5/20/2005 11:16:58 AM >>>
Joe Zitnik wrote:
> I'd like to write a custom rule that would allow e-mail in from users
> that have an attachment with a weird in house extension like foo.bar .
> How would I do this?

You'd need to use a full rule, as body and rawbody won't be able to see the mime
section headers.

You'll want to have the rule target headers like this:

Content-Disposition: attachment; filename="EVI-Attachment-Warning.txt"

Sometimes, these headers wrap like this one:

Content-Disposition: attachment;
    filename="00_non_deliverable.cf"

A full rule won't cover the linewrap, so you need to include an optional \s or .
after the attachment part.

So something like this should work:

full L_FOO_BAR        /Content-Disposition: attachment;.{0,30}filename=.{0,50}\.foo\.bar/i

Some files can have an inline disposition, but I doubt your in-house extension
does. That's usually used for text, html and/or graphics that a mail client can
render.
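
An added check, not part of the thread: the posted full rule, the filename-only shortening asked about in the follow-up, and a hypothetical tightened variant introduced here (`anchored`) are run over constructed messages. Python's `re` stands in for Perl, on the assumption that the rule is applied with Perl's default semantics, where `.` does not match a newline.

```python
import re

# Only syntax shared by Perl and Python's re is used; Perl's /i becomes re.I.
RULES = {
    # The full rule exactly as posted in the thread.
    "page_rule": re.compile(
        r'Content-Disposition: attachment;.{0,30}filename=.{0,50}\.foo\.bar',
        re.I),
    # The shortened form asked about in the follow-up: filename part only.
    "filename_only": re.compile(r'filename=.{0,50}\.foo\.bar', re.I),
    # Hypothetical tightened variant (not from the thread): \s spans a folded
    # header, and the match has to end where the header line ends.
    "anchored": re.compile(
        r'^Content-Disposition:\s*attachment;\s*'
        r'filename="?[^"\r\n]{1,50}\.foo\.bar"?\s*$',
        re.I | re.M),
}


def message(part_headers, body):
    """Build a constructed one-part multipart message with CRLF line endings."""
    lines = [
        "From: user@example.org",
        "Subject: weekly export",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        *part_headers,
        "",
        body,
        "--b1--",
        "",
    ]
    return "\r\n".join(lines)


BINARY = "Content-Type: application/octet-stream"

# Constructed sample messages, one per case worth checking.
SAMPLES = {
    # Header on one line, as in the first example quoted in the thread.
    "single_line": message(
        [BINARY, 'Content-Disposition: attachment; filename="report.foo.bar"'],
        "AAAA"),
    # Header folded onto a continuation line, as in the second example.
    "folded": message(
        [BINARY, "Content-Disposition: attachment;",
         '\tfilename="report.foo.bar"'],
        "AAAA"),
    # Filename that only contains .foo.bar and ends in something else.
    "extra_suffix": message(
        [BINARY,
         'Content-Disposition: attachment; filename="report.foo.bar.exe"'],
        "AAAA"),
    # No attachment at all; the string appears in ordinary body text.
    "body_text_only": message(
        ["Content-Type: text/plain"],
        "Please set filename=export.foo.bar in the job config."),
    # Attachment with an unrelated extension.
    "other_attachment": message(
        [BINARY, 'Content-Disposition: attachment; filename="notes.txt"'],
        "AAAA"),
}


def matches():
    """Return, for each rule, the sorted names of the samples it fires on."""
    return {
        rule: sorted(name for name, raw in SAMPLES.items() if rx.search(raw))
        for rule, rx in RULES.items()
    }


if __name__ == "__main__":
    for rule, hits in matches().items():
        print(f"{rule:14} {', '.join(hits)}")
```

On these samples the posted pattern does not fire on the folded header, both patterns from the thread fire on `report.foo.bar.exe`, and the filename-only form also fires on plain body text.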


Re: Custom Rule

2005-05-20 Thread Joe Zitnik

I try never to admit this, but we have spamassassin running on a windows box with a third party app.  Users send e-mails with .bar attachments.  Some are getting hit as spam because of content.  I'd like a rule that says if you have a .bar extension on an attachment, let me in.


Custom rule

2005-05-20 Thread Joe Zitnik

I'd like to write a custom rule that would allow e-mail in from users that have an attachment with a weird in house extension like foo.bar .  How would I do this?


Re: Help with Bayes auto-learn

2005-05-13 Thread Joe Zitnik

Yes, but his scoring lists BAYES_99 as one of the scores, which means bayes is active, which means it has been fed the necessary 200 spam and 200 ham.  If it hadn't been fed the necessary spam and ham, it would not have been given a BAYES score at all.  The fact that the mail was not autolearned could mean that it did not fall within the autolearn range OR that an identical message had already been learned.  With a score like BAYES_99, it is probably the latter.

>>> wolfgang <[EMAIL PROTECTED]> 5/13/2005 4:38 AM >>>
In an older episode (Friday 13 May 2005 08:38), Geoff Sweet wrote:
> I would like to enable the Bayes system with auto-learning.  I thought
> that I had my config setup correctly but apparently I don't.  My config
> looks like this:
>
> ##
> # How we want to modify the email
> rewrite_header subject [**SPAM**]
> report_safe 0
>
> #Bayes learning system
> use_bayes 1
> bayes_auto_learn 1

In an older episode (Friday 13 May 2005 10:17), George Breahna wrote:
> I really recommend you research your question before asking it.

good point, anyway:

man Mail::SpamAssassin::Conf and
http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html
would tell you:

bayes_min_ham_num (Default: 200)
bayes_min_spam_num (Default: 200)
    To be accurate, the Bayes system does not activate until a certain number of ham (non-spam) and spam have been learned. The default is 200 of each ham and spam, but you can tune these up or down with these two settings.

for information how to learn the needed amount of mails, see
man sa-learn

regards,
wolfgang


Bayes question

2005-04-14 Thread Joe Zitnik
I apologize if this has been asked before, but I need some
clarification.  If I have autolearn for ham set to 0, and the default
BAYES_00 score assigns mail a negative value, and a spam message comes
through with enough good text in it to give it a BAYES_00 and therefore
a negative value BUT it is not a message that has been learned before,
is there the potential for that mail to be learned as ham based on the
negative BAYES score assigned it?  

If nothing else, I just wrote the king of all run on sentences.


Re: sa-learn hangs

2005-03-16 Thread Joe Zitnik
I had that happen once before, but it was an earlier version of the
Bayes DB, and it was because my database was hosed.

>>> Eric Dantan Rzewnicki <[EMAIL PROTECTED]> 3/15/2005 6:01 PM >>>
Hello,

I'm using spamassassin 3.0.2 from within MailScanner 4.39.6 on Debian
woody. After upgrading to spamassassin 3.0.2 (installed from source
tarball) I am unable to use sa-learn to train the bayes engine on ham or
spam. Spamassassin is otherwise working fine. Before upgrading I wiped
out my previous bayes database. It has since grown well beyond the 200
minimum ham and spam and Spamassassin is using bayes to score mail.  

sa-learn --dump magic -p /opt/MailScanner/etc/spam.assassin.prefs.conf
works fine and shows that the bayes database is growing as it should
through autolearning.  

spamassassin -D -p  --lint doesn't show any problems that I
can see.

if I run: 
sa-learn --showdots --mbox --ham -p /opt/MailScanner/etc/spam.assassin.prefs.conf

sa-learn just hangs. Same happens for --spam.

strace shows it stuck on a read(0,

Any ideas?

I've tried searching the archives and the wiki, but haven't turned up
anything yet. There doesn't seem to be anything about this in the FAQ,
either. I've reported this on the MailScanner list as well, but so far
have not received a response.
-- 
Eric Dantan Rzewnicki  |  Systems Administrator
Technical Operations Division  |  Radio Free Asia
2025 M Street, NW  |  Washington, DC 20036  |  202-530-4900


Re: SQL settings & Deprecated rulesets?

2005-02-28 Thread Joe Zitnik
Actually the "0" rules are rules which have hit ONLY spam, and are the
safest for preventing false positives.

>>> "Loren Wilton" <[EMAIL PROTECTED]> 02/27 10:37 PM >>>
Check the SARE page for the various rulesets to see if any have been
deprecated for 3.0.  I don't believe any of the ones you have listed have
been, but it is worth a check.

That said: you have some ANCIENT rulesets there that have been updated
several times and have new names.  I don't believe that we have any rulesets
now with numbers above 70.

Also, you show header0 and gensubj0.  Almost always you would also want the
"1" version of these rulesets.  The "0" version mostly just sets up stuff
used by the other sets, I believe.

> 70_SARE_Adult.cf.bak
> 70_SARE_Genlsubj0.cf.bak
> 70_SARE_Header0.cf.bak
> 70_SARE_Random.cf.bak
> 70_SARE_SPOOF.cf.bak
> 71_SARE_Redirect_pre3.cf.bak
> 72_SARE_BML.cf.bak
> 99_FVGT_Tripwire.cf.bak
> 99_OBFU_drugs.cf.bak
> 99_SARE_Fraud.cf.bak
>   99_SARE_OEM.cf

Antidrug is in 3.0

> * antidrug.cf.bak
> backhair.cf.bak

Dump bigevil!  Turn on the net rules instead.

> * bigevil.cf.bak
> bogus-virus-warnings.cf.bak
> * chickenpox.cf.bak

Evilnumbers can be useful if you don't have net rules running, but the net
tests will generally do better.

> evilnumbers.cf.bak

Some of the ratware stuff is probably in 3.0.  Also, there is some in SARE
rulesets, such as Random and Specific.

I think (though I'm not positive) that random and useless are old
deprecated rulesets.

> ratware.cf.bak
> useless.cf.bak
> weeds.cf.bak

Backhair, bogus-virus-warnings (which may have been updated since your
version), chickenpox, tripwire, and weeds can all still be useful rulesets,
even if they haven't been updated in ages.

Loren



Re: GroupWise-Mails...

2005-01-21 Thread Joe Zitnik
From within the e-mail in GroupWise, go to File>Attachments>View, and
that will show the message with the Mime.822 "attachment" at the top.
That will show the e-mail in its unmangled form.

>>> Matt Kettler <[EMAIL PROTECTED]> 01/21 9:31 AM >>>
At 04:29 AM 1/21/2005, Peter Guhl wrote:
>Hello
>
>Mails ending in Novell GroupWise don't seem to be useful for sa-learn.
>Does somebody have some experience or solutions to that problem? Could
>the same POP3-Solution described in "sa-learn with lotus notes" do its
>job here too?
>
>More for GroupWise professionals would be the question how to turn
>forwarded spam (forwarding as attachment in GroupWise sends you the
>headers too - so far so good...)  into single mails resembling the
>original as close as possible...


If you dig around in the groupwise interface you can find an "attachment"
named mime.822.. it's the unadulterated message and that works pretty well.

I believe mime.822 is only visible if you "view" the message using the
right-click menu instead of "open" it.

I've been trying to figure out a good way to get users to be able to
forward that attachment, but without saving it to disk first I've had no
luck, GW seems to be "smart" about it and forwards the groupwise mangled
version.





Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Thank you JD, that is the direction most everyone has been pointing me
in.

>>> "jdow" <[EMAIL PROTECTED]> 01/14/05 3:50 PM >>>
From: "Joe Zitnik" <[EMAIL PROTECTED]>

> Keith,
> Why would you need to be psychic?
> 
> 1.  My e-mail shows the NAME of my rule - MY_CAPABLE
> 2.  My e-mail shows the MY_CAPABLE rule worked, adding 11 points to the
> score
> 3.  My e-mail shows my threshold is 4 points, and the e-mail scored
> 14.
> 4.  I stated this was from an e-mail that made it through.
> 
> I was not asking for rule debugging, since the rule obviously worked
> and works on other e-mail, as it shows in the scoring of the e-mail when
> fed through manually.  What I was looking for was possible reasons
> e-mail that was over my threshold might be making it through.  I hope
> that clarifies.

Joe, if it was properly marked as spam and got through that means some
filter OUTSIDE of SpamAssassin is screwing up. Look there.
{^_^}




Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Thomas,
We use a program called Guinevere, that works with Novell GroupWise
systems to filter the e-mail after it has passed through SA.  All of the
suggestions I have received seem to point to the fact that this may be
where the error lies.  I appreciate all the suggestions by the group.

>>> Thomas Arend <[EMAIL PROTECTED]> 01/14 11:00 AM >>>

On Friday, 14 January 2005 13:04, Loren Wilton wrote:
> Well, it obviously was scored correctly, and showed at least some headers
> indicating this.  So SA must be doing its job.
>
> Since SA isn't in charge of deciding what to DO with the mail once it is
> scored, the problem must lie in some other part of your system.
>
> The only possibility I can think of offhand (and I don't have your
> original posting left to check) might be that the original mail didn't have
> a Subject, in which case 3.0.1 and 3.0 would not have done subject markup.
> So if you were filtering on subject, then it would probably have made it
> through.

His original message had a subject:
Subject: ***Spam*** i just cheated on my boyfriend

and a 

X-Spam-Prev-Subject: i just cheated on my boyfriend

never noticed this on my spam but I include the message in an appendix
not in the text.


All messages are passed back. So to redirect mails to other destinations
than the original recipient is a task of the Mail-transport and not a task of
spamassassin.

So what we need to know is the rule to filter mails after
spam-checking.


Thomas
 
> Loren

- -- 
icq:133073900
http://www.t-arend.de 


Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Keith,
I think you may have seen too many Oliver Stone movies, or perhaps
gotten too wrapped up in the X-Files.  Are you somehow involved in the
paranormal?  All this talk of secretiveness and psychics might be better
suited to the alt.psycho.babble newsgroup.  The "entire process" that I
was speaking about not posting to the group is how I filter through my
archives to remove spam e-mails and other filtered e-mails from my
overall archives to only have the mail that made it through to the
users.  That part has nothing to do with spamassassin, and therefore
does not belong here. There was nothing secretive about it. I've
received several helpful suggestions from other members of the group,
with none of the sarcasm or paranoia associated with yours, who
obviously had no problems understanding the question I was asking.

>>> Keith Whyte <[EMAIL PROTECTED]> 01/14 11:47 AM >>>
Joe Zitnik wrote:

>Keith,
>Why would you need to be psychic?
>  
>
>
Sorry, my way of saying that I didn't think you gave us enough 
information with your request for help.

Did you post the mail that you passed through spam assassin manually, or
the one that made it through?
Did you try passing the mail manually through SA as the user your MTA
filtering runs as?
At what point in your system is the decision made to discard or deliver
mail into the users mailbox?

>I won't go through my entire
>process, 
>
I fear the problem lies in the configuration you are being secretive
about.

k.





Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Thank you.  I thought I remembered earlier posts where people listed
problems like "some e-mail were not being checked" or "every other
e-mail was being skipped", and I was wondering if I might be
experiencing some of that.

>>> "Loren Wilton" <[EMAIL PROTECTED]> 01/14 7:04 AM >>>
Well, it obviously was scored correctly, and showed at least some headers
indicating this.  So SA must be doing its job.

Since SA isn't in charge of deciding what to DO with the mail once it is
scored, the problem must lie in some other part of your system.

The only possibility I can think of offhand (and I don't have your original
posting left to check) might be that the original mail didn't have a
Subject, in which case 3.0.1 and 3.0 would not have done subject markup.  So
if you were filtering on subject, then it would probably have made it
through.

Loren



Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Keith,
Why would you need to be psychic?

1.  My e-mail shows the NAME of my rule - MY_CAPABLE
2.  My e-mail shows the MY_CAPABLE rule worked, adding 11 points to the
score
3.  My e-mail shows my threshold is 4 points, and the e-mail scored
14.
4.  I stated this was from an e-mail that made it through.

I was not asking for rule debugging, since the rule obviously worked
and works on other e-mail, as it shows in the scoring of the e-mail when
fed through manually.  What I was looking for was possible reasons
e-mail that was over my threshold might be making it through.  I hope
that clarifies.

>>> Keith Whyte <[EMAIL PROTECTED]> 01/14 2:56 AM >>>
Joe Zitnik wrote:

>some of these e-mails are
>getting caught by my rule and some aren't.  When I run the ones that are
>getting past through spamassassin manually, they hit my rule as well and
>are above my spam threshold.  So why do they make it past?
>  
>
Joe, how can you possibly ask that question without also sending your 
rule and an example of a mail that got past your rule
we are not psychic!!

Keith.



Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Thomas,
That was a mail that made it through.  I won't go through my entire
process, but I archive every mail that comes in to our system, and when
I'm done, I have every e-mail that made it through to the user's desk. 
I have specific rules set up and was wondering why mail that I knew
should have been caught, was making it past.  I took one of these mails,
the one I sent in my letter to the group, fed it through SA manually,
and it confirmed my suspicions.  That was the point.  Why is it making
it past if it is obviously marked as spam?

>>> Thomas Arend <[EMAIL PROTECTED]> 01/13 3:21 PM >>>

On Thursday, 13 January 2005 12:47, Joe Zitnik wrote:
> We've been having a group of the same type of e-mails making it through
> spamassassin.  These are the e-mails that have the "get a capable html
> e-mailer" line in them.  I have yet to see any legitimate e-mail with
> that line, so I made a custom rule to score 11 points for that slogan.
> I have also fed hundreds of different e-mails with that line in to my
> bayes database,  and yet I'm still seeing a lot of e-mails with that
> line making it through, so I fed one of the e-mails through manually and
> the relevant output is below.  The MY_CAPABLE rule is the custom rule
> for these types of e-mail, it is adding the points, but a great many of
> these are still making it through.  I know I saw other posts where
> people were saying spam was making it past or only every other e-mail
> was being checked, and I'm wondering why e-mails like these are slipping
> past.

I used my magic eye to find your rule. No joy.

The example you presented seems to be correctly marked as spam.

A message which passes your SA would be helpful. Also the rule.

Regards

Thomas
 
[..]

- -- 
icq:133073900
http://www.t-arend.de 


Re: Spam getting through

2005-01-13 Thread Joe Zitnik
They are enabled.  My problem is more that some of these e-mails are
getting caught by my rule and some aren't.  When I run the ones that are
getting past through spamassassin manually, they hit my rule as well and
are above my spam threshold.  So why do they make it past?

>>> Martin Hepworth <[EMAIL PROTECTED]> 01/13 6:51 AM >>>
Joe

enable the URIRBL rules, these are very effective against html spam.

(make sure you have the latest Net::DNS module installed and the init.pre
file in /etc/mail/spamassassin and the plugin turned on).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Joe Zitnik wrote:
> We've been having a group of the same type of e-mails making it through
> spamassassin.  These are the e-mails that have the "get a capable html
> e-mailer" line in them.  I have yet to see any legitimate e-mail with
> that line, so I made a custom rule to score 11 points for that slogan.
> I have also fed hundreds of different e-mails with that line in to my
> bayes database,  and yet I'm still seeing a lot of e-mails with that
> line making it through, so I fed one of the e-mails through manually and
> the relevant output is below.  The MY_CAPABLE rule is the custom rule
> for these types of e-mail, it is adding the points, but a great many of
> these are still making it through.  I know I saw other posts where
> people were saying spam was making it past or only every other e-mail
> was being checked, and I'm wondering why e-mails like these are slipping
> past.
> 
> 
> Subject: ***Spam*** i just cheated on my boyfriend
> Date: Mon, 10 Jan 2005 23:56:36 -0800
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="Java.FFPYY.0255880571537262588"
> X-Priority: 3
> X-MSMail-Priority: Normal
> Message-Id: <[EMAIL PROTECTED]>
> X-Mailer: Microsoft Outlook Express  6.00.2800.1437
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
> X-Virus-Scanned: ClamAV 0.80/578/Mon Nov  8 09:26:49 2004
>   clamav-milter version 0.80j
>   on xxx.xxx.xxx
> X-Virus-Status: Clean
> X-Spam-Prev-Subject: i just cheated on my boyfriend
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on c588
> X-Spam-Level: **
> X-Spam-Status: Yes, score=14.8 required=4.0 tests=BAYES_60,HTML_20_30,
>   HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_CAPABLE,RCVD_BY_IP,
>   RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_WEB,
>   SARE_FREE_WEBM_ZCom03,SPF_HELO_PASS autolearn=disabled
>   version=3.0.2
> X-Spam-Report: 
>   *  0.1 RCVD_BY_IP Received by mail server with no name
>   *  0.7 SARE_FREE_WEBM_ZCom03 Sender used free email account -
> may be spammer
>   * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
>   *   11 MY_CAPABLE BODY: Body contains spam link
>   *  0.2 HTML_20_30 BODY: Message is 20% to 30% HTML
>   *  0.4 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
>   *  [score: 0.6354]
>   *  1.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html
> MIME
>   *  0.0 HTML_MESSAGE BODY: HTML included in message
>   *  0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
>   *  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
> bl.spamcop.net
>   *  [Blocked - see
> <http://www.spamcop.net/bl.shtml?24.145.177.237>]
>   *  0.4 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
>   *  [24.145.177.237 listed in combined.njabl.org]
>   *  0.0 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web
> server
>   *  [24.145.177.237 listed in dnsbl.sorbs.net]
> 
> 




Spam getting through

2005-01-13 Thread Joe Zitnik
We've been having a group of the same type of e-mails making it through
spamassassin.  These are the e-mails that have the "get a capable html
e-mailer" line in them.  I have yet to see any legitimate e-mail with
that line, so I made a custom rule to score 11 points for that slogan. 
I have also fed hundreds of different e-mails with that line in to my
bayes database,  and yet I'm still seeing a lot of e-mails with that
line making it through, so I fed one of the e-mails through manually and
the relevant output is below.  The MY_CAPABLE rule is the custom rule
for these types of e-mail, it is adding the points, but a great many of
these are still making it through.  I know I saw other posts where
people were saying spam was making it past or only every other e-mail
was being checked, and I'm wondering why e-mails like these are slipping
past.


Subject: ***Spam*** i just cheated on my boyfriend
Date: Mon, 10 Jan 2005 23:56:36 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="Java.FFPYY.0255880571537262588"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <[EMAIL PROTECTED]>
X-Mailer: Microsoft Outlook Express  6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
X-Virus-Scanned: ClamAV 0.80/578/Mon Nov  8 09:26:49 2004
clamav-milter version 0.80j
on xxx.xxx.xxx
X-Virus-Status: Clean
X-Spam-Prev-Subject: i just cheated on my boyfriend
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on c588
X-Spam-Level: **
X-Spam-Status: Yes, score=14.8 required=4.0 tests=BAYES_60,HTML_20_30,
HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_CAPABLE,RCVD_BY_IP,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_WEB,
SARE_FREE_WEBM_ZCom03,SPF_HELO_PASS autolearn=disabled
version=3.0.2
X-Spam-Report: 
*  0.1 RCVD_BY_IP Received by mail server with no name
*  0.7 SARE_FREE_WEBM_ZCom03 Sender used free email account -
may be spammer
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
*   11 MY_CAPABLE BODY: Body contains spam link
*  0.2 HTML_20_30 BODY: Message is 20% to 30% HTML
*  0.4 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
*  [score: 0.6354]
*  1.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html
MIME
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
*  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
bl.spamcop.net
*  [Blocked - see
]
*  0.4 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
*  [24.145.177.237 listed in combined.njabl.org]
*  0.0 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web
server
*  [24.145.177.237 listed in dnsbl.sorbs.net]
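
Added example (not part of the original posts): the replies to this message place the fault downstream of SpamAssassin, so this sketch audits mail that reached users by reading SpamAssassin's own headers, including a folded `X-Spam-Status`. The sample messages are constructed, and the function names and category labels are assumptions.

```python
import email
import re

SUBJECT_TAG = "***Spam***"  # subject markup shown in the posted headers

def unfold(value):
    """Join a folded (multi-line) header value onto one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()

def parse_status(value):
    """Parse an X-Spam-Status value; return None if absent or malformed."""
    text = unfold(value)
    head = re.match(
        r"(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)", text)
    if not head:
        return None
    score, required = float(head.group(2)), float(head.group(3))
    # The test list may be folded after a comma, so stop at the next key=value.
    tests = re.search(r"tests=(.*?)(?:\s+\w+=|$)", text)
    names = [t for t in re.split(r"[,\s]+", tests.group(1)) if t] if tests else []
    return {"is_spam": head.group(1) == "Yes" or score >= required,
            "score": score, "required": required, "tests": names}

def classify(raw_message):
    """Classify one delivered message by what SpamAssassin recorded in it."""
    msg = email.message_from_string(raw_message)
    status = parse_status(msg.get("X-Spam-Status"))
    if status is None:
        return "UNSCANNED"            # never passed through SpamAssassin
    flagged = status["is_spam"] or unfold(msg.get("X-Spam-Flag")).upper() == "YES"
    if not flagged:
        return "HAM"
    if SUBJECT_TAG in unfold(msg.get("Subject")):
        return "SPAM_TAGGED"          # marked in the subject, delivered anyway
    return "SPAM_NO_SUBJECT_TAG"      # a subject-only filter cannot see this one

def audit(delivered):
    """Map each delivered message name to its category."""
    return {name: classify(raw) for name, raw in delivered.items()}

# Constructed messages standing in for an archive of delivered mail.
SAMPLE_DELIVERED = {
    "tagged.eml": (
        "Subject: ***Spam*** sample subject\n"
        "X-Spam-Flag: YES\n"
        "X-Spam-Status: Yes, score=14.8 required=4.0 tests=BAYES_60,HTML_20_30,\n"
        "\tHTML_MESSAGE,MY_CAPABLE autolearn=disabled\n"
        "\tversion=3.0.2\n"
        "\n"
        "body\n"),
    "no_subject.eml": (
        "X-Spam-Flag: YES\n"
        "X-Spam-Status: Yes, score=11.4 required=4.0 tests=HTML_MESSAGE,\n"
        "\tMY_CAPABLE autolearn=disabled version=3.0.2\n"
        "\n"
        "body\n"),
    "unscanned.eml": "Subject: hello\n\nbody\n",
    "ham.eml": (
        "Subject: meeting notes\n"
        "X-Spam-Status: No, score=0.3 required=4.0 tests=HTML_MESSAGE\n"
        "\tautolearn=disabled version=3.0.2\n"
        "\n"
        "body\n"),
}

if __name__ == "__main__":
    for name, category in sorted(audit(SAMPLE_DELIVERED).items()):
        print("%-16s %s" % (name, category))
```

Any `SPAM_*` result in an archive of delivered mail points at the stage after SpamAssassin; `UNSCANNED` points at mail that bypassed scanning altogether.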




SARE Custom rules

2005-01-12 Thread Joe Zitnik
I posted this some time ago, but I was wondering if anyone had any
information on the timeframe for when some of the SARE custom rules
would be updated?  I know there had been some posts by the developers
about updating and testing, but nothing new as of yet.


Re: Unsubscribe?

2004-12-22 Thread Joe Zitnik
I've been told by my boss that I can't use anything BUT spamassassin,
because it is open source. ;-)

>>> Jeff Chan <[EMAIL PROTECTED]> 12/21/04 7:47 PM >>>
On Tuesday, December 21, 2004, 4:40:56 PM, Peter Benac wrote:
> And that makes it right because?

No, it makes it wrong.  :-(

Jeff C.
__

> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> On Tuesday, December 21, 2004, 12:32:41 PM, Peter Benac wrote:
>> If I understand you Mail Address correct aren't the Tax Payers the 
>> ones paying the bills.  While I don't live in your County or State I 
>> would have to wonder why the people you work for NEED to spend the 
>> taxpayers money on something they already have for free.

>> Don't they have a better way of spending the money like maybe on 
>> Education, Law Enforcement, EMS Services, or Fire Services... Just a 
>> thought!!

> Hi Pete,
> Apparently you have not worked in government.  Government budgets are
> determined by politics and how much you spend. The more you can budget and
> spend, the higher your status. If you budget a certain amount and don't
> spend it, you get less money next year.  Government is structured towards
> spending more money, not less.

> Jeff C.



Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/




Spam processing errors

2004-12-20 Thread Joe Zitnik
I know I saw this in a previous thread, but for the life of me I can not
find it.  I saw some postings where people were reporting that SA was
only processing every other e-mail, or not processing all e-mail.  Was
this the correct list, and if so, can someone point me to the problem
and solution, AND most importantly: Happy Holidays to all on the list.


Re: Custom Rules

2004-12-14 Thread Joe Zitnik
Thanks to everyone who replied.  I figured SURBL had a lot to do with
the less frequent updates.  I was also looking for more of the "inside
dirt" kind of stuff, like the Ninja meltdowns. ;-)

>>> "Loren Wilton" <[EMAIL PROTECTED]> 12/13 8:25 PM >>>
> Is it me, or have the updates to the SARE "custom rules" and "other
> rules" pages seem to be a lot less frequent than they used to be?

Yup.

> Does
> anyone know why?

Yup.

Loren


Oh, you want to *know* why?  :-)

Several reasons.

1. The rules we have now are working pretty darn well.  We started
cutting rules for all the stuff that was leaking through for us.  There just
isn't much left that leaks through, so now we go looking at merely
low-scoring caught stuff.

2. SURBL.  In a word.

3. We like to mass-check everything before we put it in an update, and
our main mass-checker has had severe computer problems for about the last
month.  However, this seems to finally be fixed!

There will be additional rule updates coming.  I have a bunch of rolex and
other rules waiting to be mass-tested, and I'm sure Bob has a good bunch of
his own rules to test.  Probably be a Christmas present of new rules in the
next week or two.

Loren



Custom Rules

2004-12-13 Thread Joe Zitnik
Is it me, or have the updates to the SARE "custom rules" and "other
rules" pages seem to be a lot less frequent than they used to be?  Does
anyone know why?