update-rules script: Error with latest LWP::UserAgent on FreeBSD

2022-04-27 Thread Larry Rosenman

I'm getting the following error when my update_rules script runs:

"my" variable $uri masks earlier declaration in same scope at 
/usr/local/lib/perl5/site_perl/LWP/UserAgent.pm line 783.



I think(?) this comes from this package:
❯ pkg info p5-libwww
p5-libwww-6.63
Name   : p5-libwww
Version: 6.63
Installed on   : Tue Apr 26 15:03:58 2022 CDT
Origin : www/p5-libwww
Architecture   : FreeBSD:13:*
Prefix : /usr/local
Categories : devel perl5 www
Licenses   : ART10, GPLv1+
Maintainer : sunp...@freebsd.org
WWW: https://metacpan.org/release/libwww-perl
Comment: Perl5 library for WWW access
Annotations:
build_timestamp: 2022-04-26T16:51:34+
built_by   : poudriere-git-3.3.99.20211130
port_checkout_unclean: no
port_git_hash  : 192ed4c74fe5
ports_top_checkout_unclean: no
ports_top_git_hash: 0f1527691c04
repo_type  : binary
repository : poudriere
Flat size  : 419KiB
Description:
Libwww-perl is a collection of Perl modules which provides a simple and
consistent programming interface (API) to the World-Wide Web.  The main
focus of the library is to provide classes and functions that allow you
to write WWW clients, thus libwww-perl said to be a WWW client library.
The library also contain modules that are of more general use.

The main architecture of the library is object oriented.  The user
agent, requests sent and responses received from the WWW server are all
represented by objects.  This makes a simple and powerful interface to
these services.  The interface should be easy to extend and customize
for your needs.

WWW: https://metacpan.org/release/libwww-perl

ler in thebighonker in ~ via ☕ v1.8.0 via  v5.32.1 via  v3.0.4
❯


/usr/local/etc/mail/spamassassin/update-rules.sh
❯ cat /usr/local/etc/mail/spamassassin/update-rules.sh
#!/bin/sh
PATH=$PATH:/usr/local/bin
export PATH
/usr/local/bin/sa-update
EXIT=$?
case $EXIT in
0)
   /usr/local/bin/sa-compile
   kill -1 `cat /var/run/spamd/spamd.pid`;;
*) ;;
esac

ler in thebighonker in ~ via ☕ v1.8.0 via  v5.32.1 via  v3.0.4
❯

❯ pkg info spamassassin
zsh: correct 'spamassassin' to '.spamassassin' [nyae]? n
spamassassin-3.4.5
Name   : spamassassin
Version: 3.4.5
Installed on   : Sun Apr  3 17:05:29 2022 CDT
Origin : mail/spamassassin
Architecture   : FreeBSD:13:amd64
Prefix : /usr/local
Categories : perl5 mail
Licenses   : APACHE20
Maintainer : zeis...@freebsd.org
WWW: http://spamassassin.apache.org/
Comment: Highly efficient mail filter for identifying spam
Options:
AS_ROOT: on
DCC: off
DKIM   : on
DOCS   : on
GNUPG  : off
GNUPG2 : on
GNUPG_NONE : off
MYSQL  : off
PGSQL  : on
PYZOR  : off
RAZOR  : on
RELAY_COUNTRY  : on
RLIMIT : off
SPF_QUERY  : on
SSL: on
Shared Libs required:
libperl.so.5.32
Annotations:
FreeBSD_version: 1301501
build_timestamp: 2022-04-02T22:38:31+
built_by   : poudriere-git-3.3.99.20211130
cpe: cpe:2.3:a:apache:spamassassin:3.4.5:freebsd13:x64
port_checkout_unclean: no
port_git_hash  : 819f25b36d45
ports_top_checkout_unclean: no
ports_top_git_hash: d0d63dec4011
repo_type  : binary
repository : poudriere
Flat size  : 3.28MiB
Description:
SpamAssassin is a mail filter which attempts to identify spam using text
analysis and several internet-based realtime blacklists.

Using its rule base, it uses a wide range of heuristic tests on mail
headers and body text to identify "spam", also known as unsolicited
commercial email.

Once identified, the mail can then be optionally tagged as spam for later
filtering using the user's own mail user-agent application.

Additional drop-in rule sets are available at
http://wiki.apache.org/spamassassin/CustomRulesets

WWW: http://spamassassin.apache.org/

ler in thebighonker in ~ via ☕ v1.8.0 via  v5.32.1 via  v3.0.4

Ideas?

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: What does this header mean?... X-Spam_score_int: -38

2022-03-31 Thread Larry Rosenman

On 03/31/2022 3:04 pm, Bill Cole wrote:

On 2022-03-31 at 12:48:06 UTC-0400 (Thu, 31 Mar 2022 12:48:06 -0400)
Don Saklad 
is rumored to have said:


What does this header mean?...
X-Spam_score_int: -38


No clue.

It is not a standard (or common) SpamAssassin header. Ask your mail 
admin.


IIRC, that's an Exim SA variable, and that probably means a score of
-3.8.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: [Spamhaus notice] New plug-in is now available for use with Spamhaus Domain Blocklist with hostnames which goes into production on February 1st.

2022-01-11 Thread Larry Rosenman

On 01/11/2022 8:16 am, Riccardo Alfieri wrote:

On 11/01/22 14:50, AJ Weber wrote:

Sorry for not having followed as closely as maybe I should have, 
but...


Is there a list of "legacy" Spamhaus cf/pm/plugin entries we would 
remove if we were to install the new DBL plug-in?  I don't see 
anything on the github page, but maybe it's documented elsewhere?



Hello,

you won't need to remove anything, it should just work (TM)


will spamhaus-dqs be updated with this?  or should I change FreeBSD to 
pull this branch?


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: 3.4.4: Lots of DNS no callback messages (FreeBSD)

2020-02-14 Thread Larry Rosenman

On 02/14/2020 3:56 am, Henrik K wrote:

On Thu, Feb 13, 2020 at 08:53:30AM -0600, Larry Rosenman wrote:

Greetings,
   I upgraded to SpamAssassin 3.4.4 last night, and ever since, I'm seeing a
ton of:

<22>1 2020-02-13T08:51:17.00-06:00 thebighonker.lerctr.org spamd 
26116 -
- dns: no callback for id 
62451/IN/TXT/d.1.0.0.0.5.0.0.0.0.0.0.0.0.0.0.c.6.0.6.1.0.0.0.1.c.1.0.0.1.6.2.bl.spamcop.net,

ignored, packet on next debug line
<22>1 2020-02-13T08:51:17.00-06:00 thebighonker.lerctr.org spamd 
26116 -

- dns: no likely matching queries for id 62451

What do I need to do to figure out why these are now failing.  It seems to
happen for EVERY lookup.


Are you using lots of shortcircuiting?

Have you changed rbl_timeout setting?

Is it always IPv6 related like that?

It's just seeing some stale DNS responses from previous scans, so either you
are aborting scans with shortcircuiting or rbl_timeout is too small to wait
for all responses, or generally you have some problem receiving DNS
responses in time.

Anyway it's just a cosmetic message, in trunk this stale "problem" is fixed.
If you can't fix the DNS delays with higher rbl_timeout etc, feel free to
change the code to dbg() in DnsResolver.pm.

 info("dns: no callback for id $id, ignored, packet on next debug line");


I do have short circuits in place, and it's ALL types of requests.
The DNS server is fine as it's local to the box and responsive.

So these are PROBABLY because of ShortCircuit?



--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


3.4.4: Lots of DNS no callback messages (FreeBSD)

2020-02-13 Thread Larry Rosenman

Greetings,
   I upgraded to SpamAssassin 3.4.4 last night, and ever since, I'm 
seeing a ton of:


<22>1 2020-02-13T08:51:17.00-06:00 thebighonker.lerctr.org spamd 
26116 - - dns: no callback for id 
62451/IN/TXT/d.1.0.0.0.5.0.0.0.0.0.0.0.0.0.0.c.6.0.6.1.0.0.0.1.c.1.0.0.1.6.2.bl.spamcop.net, 
ignored, packet on next debug line
<22>1 2020-02-13T08:51:17.00-06:00 thebighonker.lerctr.org spamd 
26116 - - dns: no likely matching queries for id 62451


What do I need to do to figure out why these are now failing.  It seems
to happen for EVERY lookup.




--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: Lint Failed on auto download?

2019-08-20 Thread Larry Rosenman

On 08/20/2019 7:05 am, Henrik K wrote:

Install Geo::IP or wait for 3.4.3.




When is 3.4.3 due?  FreeBSD ports no longer contains Geo::IP.


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Lint Failed on auto download?

2019-08-20 Thread Larry Rosenman
dy_0

.
100% Completed 2382.78 rules/sec in 00m00s
..
..
..
..
..
..
..
100% Completed  45.13 bases/sec in 02m28s
Aug 20 06:24:40.984 [71305] info: body_0: 4852 base strings extracted in 
149 seconds
Aug 20 06:24:42.288 [71305] info: rules: meta test KAM_FAKE_DELIVER has 
dependency 'KAM_RAPTOR_ALTERED' with a zero score
Aug 20 06:24:42.289 [71305] info: rules: meta test KAM_BADPDF2 has 
dependency 'KAM_RPTR_SUSPECT' with a zero score
Aug 20 06:24:42.291 [71305] info: rules: meta test JMQ_CONGRAT has 
dependency 'KAM_RAPTOR_ALTERED' with a zero score
Aug 20 06:24:42.325 [71305] info: rules: meta test KAM_NOTIFY2 has 
dependency 'KAM_IFRAME' with a zero score
Aug 20 06:24:42.374 [71305] info: rules: meta test 
KAM_REALLY_FAKE_DELIVER has dependency 'KAM_RPTR_PASSED' with a zero 
score
Aug 20 06:24:42.381 [71305] info: rules: meta test KAM_CARD has 
dependency 'KAM_RPTR_SUSPECT' with a zero score
Aug 20 06:24:42.385 [71305] info: rules: meta test KAM_JURY has 
dependency 'KAM_RAPTOR_ALTERED' with a zero score

sa-compile: not compiling; 'spamassassin --lint' check failed!

Can someone look at it?

Thanks!

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Larry Rosenman

On 07/03/2019 4:43 am, Riccardo Alfieri wrote:

Hello everyone,

I'm sure that many of you are aware that our datasets are already in
use with SpamAssassin's default config, but I wanted to reach out and
let you know that we have developed a SpamAssassin plugin that helps
you get more out of our DNSBLs.

The plugin works with our Data Query Service (DQS). The DQS provides
you with additional feeds: Zero Reputation Domain & AuthBL, and it
also receives updates in 'realtime.' This last point is key, because,
as you can see in the latest Virus Bulletin report
(https://www.virusbulletin.com/testing/results/latest/vbspam-email-security),
DQS catches 42% more spam than our RSYNC service or public mirrors.

Last but not least, the usage terms for the DQS are the same as for
our public mirrors, meaning that if you already use our public
mirrors, you can register for a personal DQS key free of charge.

You can find all the needed files here:
https://github.com/spamhaus/spamassassin-dqs

Have fun with our data, and if there are difficulties in installing
the plugin, or if you have suggestions, you can drop us a line at
datafeed-supp...@spamteq.com or post here. I'll try to keep the list
monitored to deliver as much help as I can.



I'm seeing the following:
<20>1 2019-07-03T10:59:51.00-05:00 thebighonker.lerctr.org spamd 
80260 - - Use of uninitialized value $this_domain in concatenation (.) 
or string at /usr/local/etc/mail/spamassassin/SH.pm line 135.
<20>1 2019-07-03T10:59:51.00-05:00 thebighonker.lerctr.org spamd 
80260 - - Use of uninitialized value $_ in pattern match (m//) at 
/usr/local/etc/mail/spamassassin/SH.pm line 139.
<20>1 2019-07-03T10:59:51.00-05:00 thebighonker.lerctr.org spamd 
80260 - - Use of uninitialized value $this_domain in concatenation (.) 
or string at /usr/local/etc/mail/spamassassin/SH.pm line 135.
<20>1 2019-07-03T10:59:51.00-05:00 thebighonker.lerctr.org spamd 
80260 - - Use of uninitialized value $_ in pattern match (m//) at 
/usr/local/etc/mail/spamassassin/SH.pm line 139.
<20>1 2019-07-03T10:59:51.00-05:00 thebighonker.lerctr.org spamd 
80260 - - Use of uninitialized value $this_domain in concatenation (.) 
or string at /usr/local/etc/mail/spamassassin/SH.pm line 135.
<20>1 2019-07-03T10:59:51.00-05:00 thebighonker.lerctr.org spamd 
80260 - - Use of uninitialized value $_ in pattern match (m//) at 
/usr/local/etc/mail/spamassassin/SH.pm line 139.
<20>1 2019-07-03T10:59:51.00-05:00 thebighonker.lerctr.org spamd 
80260 - - Use of uninitialized value $this_domain in concatenation (.) 
or string at /usr/local/etc/mail/spamassassin/SH.pm line 135.
<20>1 2019-07-03T10:59:51.00-05:00 thebighonker.lerctr.org spamd 
80260 - - Use of uninitialized value $_ in pattern match (m//) at 
/usr/local/etc/mail/spamassassin/SH.pm line 139.


Is this a bug in my setup or a bug in the plugin?

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Larry Rosenman

On 07/03/2019 9:56 am, Riccardo Alfieri wrote:

On 03/07/19 16:53, @lbutlr wrote:

On 3 Jul 2019, at 06:54, Riccardo Alfieri 
 wrote:

If you have a debian based distribution, do an

# apt-get install liblist-moreutils-perl

or, if you use something RPM based, the correct command should be

# yum install perl-List-MoreUtils

portmaster lang/p5-List-MoreUtils

or

pkg install p5-List-MoreUtils


Thanks, this is for FreeBSD right?

If that's the case I'll update the documentation

yes it is.


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Larry Rosenman
On Thu, Jan 18, 2018 at 05:43:04PM -0500, Chip wrote:
> yes I'm starting to see that.  I may need to build a box specifically
> suited for this using procmail.  I had hoped that I could stay with the VPS.
> 

I'd look at using sieve instead.  Procmail has had some issues and is not well
maintained.

(My opinion FWIW)
-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106


Re: Fwd: [Bug 7331] channel: SHA1 verification failed, channel failed

2018-01-10 Thread Larry Rosenman
ctor -fno-strict-aliasing-DVERSION=\"1.0\"  
-DXS_VERSION=\"1.0\" -DPIC -fPIC "-I/usr/local/lib/perl5/5.24/mach/CORE"   
scanner7.c
cc -c-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe 
-fstack-protector-strong -I/usr/local/include -D_FORTIFY_SOURCE=2 -O2 -pipe 
-fstack-protector -fno-strict-aliasing-DVERSION=\"1.0\"  
-DXS_VERSION=\"1.0\" -DPIC -fPIC "-I/usr/local/lib/perl5/5.24/mach/CORE"   
scanner8.c
cc -c-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe 
-fstack-protector-strong -I/usr/local/include -D_FORTIFY_SOURCE=2 -O2 -pipe 
-fstack-protector -fno-strict-aliasing-DVERSION=\"1.0\"  
-DXS_VERSION=\"1.0\" -DPIC -fPIC "-I/usr/local/lib/perl5/5.24/mach/CORE"   
scanner9.c
rm -f blib/arch/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
cc  -shared  -L/usr/local/lib/perl5/5.24/mach/CORE -lperl -L/usr/local/lib 
-fstack-protector-strong  body_0.o  scanner1.o  scanner10.o  scanner11.o  
scanner12.o  scanner13.o  scanner14.o  scanner15.o  scanner16.o  scanner17.o  
scanner18.o  scanner19.o  scanner2.o  scanner20.o  scanner21.o  scanner22.o  
scanner23.o  scanner24.o  scanner3.o  scanner4.o  scanner5.o  scanner6.o  
scanner7.o  scanner8.o  scanner9.o  -o 
blib/arch/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
chmod 755 blib/arch/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
Manifying 1 pod document
make install
"/usr/local/bin/perl5.24.3" -MExtUtils::Command::MM -e 'cp_nonempty' -- 
body_0.bs blib/arch/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.bs 644
Manifying 1 pod document
Files found in blib/arch: installing files in blib/lib into architecture 
dependent library tree
Installing 
/var/db/spamassassin/compiled/5.024/3.004001/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
Installing 
/var/db/spamassassin/compiled/5.024/3.004001/Mail/SpamAssassin/CompiledRegexps/body_0.pm
Installing 
/tmp/.spamassassin64001KeIeSXtmp/ignored/lib/perl5/site_perl/man/man3/Mail::SpamAssassin::CompiledRegexps::body_0.3
Appending installation info to 
/tmp/.spamassassin64001KeIeSXtmp/ignored/lib/perl5/5.24/mach/perllocal.pod
cp /tmp/.spamassassin64001KeIeSXtmp/bases_body_0.pl 
/var/db/spamassassin/compiled/5.024/3.004001/bases_body_0.pl
cd /
rm -rf /tmp/.spamassassin64001KeIeSXtmp

-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106


Re: Mailsploit

2017-12-13 Thread Larry Rosenman
thebighonker.lerctr.org /home/ler $ cat bin/update-KAM.sh
#!/bin/sh
PATH=$PATH:/usr/local/bin
URL="http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf"
URL2="http://www.peregrinehw.com/downloads/SpamAssassin/contrib/nonKAMrules.cf"
PRODFILE="/usr/local/etc/mail/spamassassin/KAM.cf"
PRODFILE2="/usr/local/etc/mail/spamassassin/nonKAMrules.cf"
mkdir /tmp/KAM
cd /tmp/KAM
fetch -q ${URL}
RC=$?
if [ ${RC} -ne 0 ]; then
 cd /
 echo "NON-ZERO RC from fetch(1): " ${RC}
 rm -rf /tmp/KAM
 exit ${RC}
fi
fetch -q ${URL2}
RC=$?
if [ ${RC} -ne 0 ]; then
 cd /
 echo "NON-ZERO RC from fetch(1): " ${RC}
 rm -rf /tmp/KAM
 exit ${RC}
fi
diff -q ${PRODFILE} KAM.cf  >/dev/null 2>&1
RC=$?
diff -q ${PRODFILE2} nonKAMrules.cf  >/dev/null 2>&1
RC2=$?

case ${RC}${RC2} in
 00) ;;
 10 | 01 | 11 ) mv KAM.cf ${PRODFILE}
    mv nonKAMrules.cf ${PRODFILE2}
    /usr/local/bin/sa-compile
    kill -1 `cat /var/run/spamd/spamd.pid`
    cd `dirname ${PRODFILE}`
    git commit -a -m "KAM update `date '+%Y-%m-%d %H:%M'`"
    ;;
 20 | 02 | 22 ) echo "ISSUES WITH DIFF -- CHECK IT";;
esac
cd /
rm -rf /tmp/KAM
exit 0
thebighonker.lerctr.org /home/ler $

-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106

 

 

From: Groach <groachmail-stopspammin...@yahoo.com>
Date: Wednesday, December 13, 2017 at 2:59 PM
To: IBM Corporation <users@spamassassin.apache.org>
Subject: Re: Mailsploit

 

 

On 13/12/2017 20:48, Antony Stone wrote:
On Wednesday 13 December 2017 at 21:41:04, Groach wrote:
 
Is there any suggestions on a rule or procedure to implement that will
help defend against the MAILSPLOIT type of spoofing?
See https://marc.info/?l=spamassassin-users=151265708616825=2 and follow-
ups?

Thanks for that.

I followed the thread you mentioned:  I see that 'Kevin' says he has a rule in 
his personal KAM.cf and that there isn't anything published in base spamassassin 
scores.  (Or am I missing something)?

So how does one:

a,  obtain KAM.cf  or
b,  decipher the mechanism to which Kevin uses in order we can apply similar in 
our own local.cf

(All help appreciated)
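
The install step of the update-KAM.sh script posted at the top of this message, as an added example that is not part of the original post: it stages with mktemp instead of a fixed /tmp/KAM path and rolls the rules file back when lint fails, the same gate sa-compile reports in the "Lint Failed on auto download?" thread. `LINT_CMD`, `SITE_DIR`, `demo_lint` and the sample rule lines are constructed for the demonstration; the fetch step is left out so the block runs offline.

```shell
#!/bin/sh
# Added example, not the poster's script. LINT_CMD and SITE_DIR are
# assumptions of this sketch; on a live host LINT_CMD would be left unset so
# that "spamassassin --lint" runs against the real site configuration.

# install_rules NEW PROD
#   0  installed and lint passed (caller may now sa-compile and HUP spamd)
#   1  NEW is identical to PROD, nothing to do
#   2  rejected (empty download or lint failure); PROD is left as it was
install_rules() {
    new=$1
    prod=$2
    [ -s "$new" ] || return 2                 # empty or missing download
    if [ -f "$prod" ] && cmp -s "$new" "$prod"; then
        return 1
    fi

    # Keep the current file so a failed lint can be rolled back.
    backup=
    if [ -f "$prod" ]; then
        backup=$(mktemp "$prod.bak.XXXXXX") || return 2
        cp -p "$prod" "$backup" || { rm -f "$backup"; return 2; }
    fi

    # Stage beside PROD so the final mv is a rename, never a partial write.
    # mktemp creates the file mode 0600, so make it readable again.
    staged=$(mktemp "$prod.new.XXXXXX") || { rm -f ${backup:+"$backup"}; return 2; }
    if ! { cp "$new" "$staged" && chmod 644 "$staged" && mv -f "$staged" "$prod"; }; then
        rm -f "$staged" ${backup:+"$backup"}
        return 2
    fi

    # Lint reads the whole site config, so it runs with the candidate in place.
    # spamd keeps serving the rules it has loaded until it is signalled.
    if ${LINT_CMD:-spamassassin --lint} >/dev/null 2>&1; then
        if [ -n "$backup" ]; then rm -f "$backup"; fi
        return 0
    fi

    # Lint failed: put the previous file back (or remove a first-time install).
    if [ -n "$backup" ]; then mv -f "$backup" "$prod"; else rm -f "$prod"; fi
    return 2
}

# Constructed stand-in for "spamassassin --lint": fails when any score line
# in $SITE_DIR/*.cf carries a non-numeric value.
demo_lint() {
    awk '$1 == "score" && $3 !~ /^-?[0-9]+(\.[0-9]+)?$/ { bad = 1 }
         END { exit bad + 0 }' "$SITE_DIR"/*.cf
}

# Runs four constructed downloads through install_rules and prints the four
# return codes, the score left in production, and the file count in SITE_DIR.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/kam.XXXXXX") || return 1
    SITE_DIR=$work/site
    LINT_CMD=demo_lint
    mkdir "$SITE_DIR"
    printf 'score KAM_TEST 1.0\n'  > "$SITE_DIR/KAM.cf"
    printf 'score KAM_TEST 1.0\n'  > "$work/same.cf"
    printf 'score KAM_TEST 2.5\n'  > "$work/good.cf"
    printf 'score KAM_TEST oops\n' > "$work/bad.cf"
    : > "$work/empty.cf"
    out=
    for f in same good bad empty; do
        rc=0
        install_rules "$work/$f.cf" "$SITE_DIR/KAM.cf" || rc=$?
        out="$out$rc "
    done
    out="$out$(awk '{ print $3 }' "$SITE_DIR/KAM.cf") $(ls "$SITE_DIR" | wc -l | tr -d ' ')"
    rm -rf "$work"
    echo "$out"
}

demo
```

Only a return code of 0 should be followed by sa-compile and the HUP to spamd; 1 and 2 leave the running rule set untouched.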




Re: Latest Spamassassin Rules

2017-10-27 Thread Larry Rosenman
On Fri, Oct 27, 2017 at 12:38:35PM -0500, Shane Wise wrote:
> Greetings,
> 
> I am running version 3.4.1 of Spamassassin and my rules have not updated
> since June 24th.  When I run sa-update I receive the following:
> 
> channel: current version is 1799552, new version is 1799552, skipping
> channel
> 
> Is this really still the most current?  If not what do I need to do to get
> my system to get the latest?
> 
> Thanks,
> Shane

There is an Infrastructure issue with the rules update.  See the archives.
That is the most current.
-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106


Re: Bank fraud phish

2017-10-25 Thread Larry Rosenman
On Wed, Oct 25, 2017 at 11:52:17AM -0500, David Jones wrote:
> I have a script (see below) watching a "SpamCop" folder that sends it to my
> custom SpamCop address as an attachment using mutt.  All I have to do is
> drag-n-drop into that folder and the submission is automated.  I wait a
> couple of minutes for the SpamCop submission email with its link to the
> spam report then click it to confirm the submission.
> 
> > We're still seeing tons of those "payment enclosed" emails with the
> > short body and compromised URLs that automatically download a docx.
> > I'd like to report the spam, but really would like to see the URLs
> > blacklisted, and at the time I receive them, they are not.
> > 
> 
> Spammers tend to batch these up and blast them out in waves so they can get
> maximum usage for each compromised web server.  They only get a few hours or
> so before that URL is blocked or taken down (hopefully) so again these
> zero-hour spam are going to be hard to block.  We still need to report them.
> The feedback does help.
> 
> Coincidentally, I am seeing a ton of new spam today from compromised
> accounts all around the Internet.  The subjects have "from" or "to" and the
> recipients name along with a URL containing the recipients name. Many are
> abusing .webcam URLs so the bad guys must have found new exploits of webcams
> and have saved up a bunch of compromised accounts to burn through today.
> 
> > Ideally I'd like something where I can pass an email as a filename as
> > an argument to a shell script. If submitting to spamcop by email is
> > the only way, what is the format? As an attachment? In-line? Does
> > anyone have a command-line shell script that can be used to send this
> > email?
> > 
> 
> If you have access to the filesystem and cron on your mail server then you
> can run something simple like this directly on your mail server:
> 
> cd /var/vmail/vmail1/.../Maildir/.Spamcop/new
> mv * ../cur
> cd ../cur
> 
> for FILE in *; do
>   echo "Spam attached." | mutt -e 'my_hdr From:some...@example.com' -a \
>     "$FILE" -s "Spam Submission" -- submit.special.addr...@spam.spamcop.net
>   sleep 9
> done
> 
> I have an iRedMail Dovecot spamtrap server that stores the emails in maildir
> format where I can run this from cron every 5 minutes.  I am also able to
> release emails from my MailScanner servers to this spamtrap mailbox
> retaining the original headers.
> 
> If you don't have direct access to your server and it's a remote POP or
> IMAP, collect the spam via fetchmail or something to get it into a local
> folder then use mutt to send it as an attachment.
> 
> -- 
> David Jones

You might also be able to set up something using imapsieve to do the same thing
as the mail gets copied to that folder.  I have my SpamAssassin getting trained
for messages in and out of my spam folder.


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106




SQL Destroy/Rollback?

2017-06-16 Thread Larry Rosenman

I'm seeing the following:
Jun 16 12:31:47 thebighonker spamd[40908]: Issuing rollback() due to DESTROY 
without explicit disconnect() of DBD::Pg::db handle 
dbname=bayes;host=localhost;port=5432 at 
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/Bayes.pm line 1656, 
 line 2.

In my logs occasionally.  

SpamAssassin:
spamassassin-3.4.1_10  Highly efficient mail filter for identifying spam

From FreeBSD ports. 

Ideas?

What can I supply to help?


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281




Re: recent increase in spam getting through

2016-12-15 Thread Larry Rosenman

On 2016-12-15 12:56, Ian Zimmerman wrote:

On 2016-12-15 11:32, Kevin A. McGrail wrote:


I'm a fan of MIMEDefang but I am not very familiar with Arch Linux so
I don't know what mta you are using nor its capabilities.


By now I have heard of MIMEDefang many times, and each time I wanted to
try it.  But it seems to require the milter interface in the MTA
(ie. sendmail or _maybe_ postfix), and I'm married to Exim. :-(

I have RBLs, ClamAV and SpamAssassin working quite well with Exim on my
FreeBSD mail server, FWIW.

I'm willing to share config if anyone's interested.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281


Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold)

2016-08-01 Thread Larry Rosenman

On 2016-08-01 12:02, Matus UHLAR - fantomas wrote:

On 31 Jul 2016, at 22:12, Benny Pedersen <m...@junc.eu> wrote:
i bet greylist is cough invalid mailservers at the doorstep, it could 
be that postscreen is bad aswell ?


On 01.08.16 07:46, @lbutlr wrote:
Sure, if by “invalid” you mean Amazon, most banks, several airlines, 
large

mail services, and many many others.

Nearly any company with multiple mail servers will send mail from any 
of

their servers, and may retry from a different server than the initial
attempt, thus resetting the greylist.


while we're at it, I really don't understand why they do it like this.
what's the point behind changing IP address after each delivery 
attempt?

Shared outbound spool, and the next available host sends it.

It's not nefarious, just load balancing.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281


Re: SA bayes file db permission issue

2016-06-09 Thread Larry Rosenman

On 2016-06-09 16:25, Martin Gregorie wrote:

On Thu, 2016-06-09 at 16:54 -0400, Yu Qian wrote:

Ok, I found out. so the db files generated on Mac can not be used on
Linux. vice versa.


Newline symbols differ: '/n' is 0x0a (LF) for Linux, 0x0d (CR) for
Macs. 

The bad news is that this screws up many programs. The good news is
that its easily fixed by using the tr utility or special-purpose text
file conversion programs - provided the files don't contain binary
fields or anything else that that could leave one of these bit patterns
in a byte.


Martin

This is NO LONGER true for Mac OS X.  It's Unix/Unix-like.


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281


Re: How to configure FOO=-1.0 in X-Spam-Status ?

2015-11-12 Thread Larry Rosenman

On 2015-11-12 08:20, Bowie Bailey wrote:

On 11/12/2015 6:31 AM, Christian Jaeger wrote:

Hi

I'm seeing X-Spam-Status headers from some other installation come
with =$x appended to the individual matches, which evidently helps
figuring out why a mail is being classified the way it is. I've spent
more than an hour on googling and rtfm but couldn't figure it
out. Also, grep does not turn on any occurrence of 'Spam-Status' in
the source code, and I don't feel like reading all of the source code
for this right now. Please tell me how I can set this up.


Show us a sample of the header so we can see exactly what you are 
looking for.


I have this in my user_prefs for the user that Exim connects to
spamassassin as:


thebighonker.lerctr.org /usr/local/etc/mail/spamassassin $ sudo su - smmsp

Password:
$ cd .spamassassin/
$ ls
bayes_journal   bayes_seen  bayes_toks  user_prefs
$ more user_prefs
clear_report_template
report SpamScore (_SCORE_/_REQD_) _TESTSSCORES(,)_
$

and this gives:
X-Spam-Score: -106.9 
(---)
X-LERCTR-Spam-Score: -106.9 
(---)
X-Spam-Report: SpamScore (-106.9/5.0) 
BAYES_00=-1.9,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_IN_HOSTKARMA_W=-5,SHORTCIRCUIT=-100
X-LERCTR-Spam-Report: SpamScore (-106.9/5.0) 
BAYES_00=-1.9,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_IN_HOSTKARMA_W=-5,SHORTCIRCUIT=-100


from these Exim rules:
  warn  message = X-Spam-Score: $spam_score ($spam_bar)
        spam = smmsp:true
  warn  message = X-LERCTR-Spam-Score: $spam_score ($spam_bar)
        spam = smmsp:true
  warn  message = X-Spam-Report: $spam_report
        spam = smmsp:true
  warn  message = X-LERCTR-Spam-Report: $spam_report
        spam = smmsp:true
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961


New warnings after Perl upgrade to 5.20?

2015-09-15 Thread Larry Rosenman

Getting the following on sa-learn:
each on reference is experimental at 
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/URILocalBL.pm 
line 353.
keys on reference is experimental at 
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/URILocalBL.pm 
line 377.
keys on reference is experimental at 
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/URILocalBL.pm 
line 406.


this is after I upgraded my PERL to 5.20.

(SA 3.4.1 on FreeBSD 10.2-STABLE from Ports)

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961


Re: Fwd: Cron smmsp@thebighonker /home/ler/bin/update-bayes.sh

2015-06-05 Thread Larry Rosenman
 

This appears to be from the EnemiesList.PM plugin being invoked during
sa-learn. 

I'm not quite sure why the EnemiesList.PM is being called in this case. 

Doc  the plugin (from 2009, not changed): 

http://enemieslist.com/how/spamassassin.html [3] 

I don't know if the plug-in just needs to be updated, or if something
more needs to be done on the SA side. 

On 2015-06-05 15:36, Kevin A. McGrail wrote: 

 It's caused by the domain =.sa.enemieslist.com having that complete invisible 
 null label between = and . which is an invalid DNS entry.
 
 I believe that this is covered in: 
 https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7156 [1]
 
 This warning was added some time between 3.3.2 to 3.4.0. It does
 not indicate an error, it's just a reminder that an URL found in
 a message contained such invalid domain name.
 
 The warning was intentionally left in the DNS code to remind
 us that it is probably up to the URL-gathering code to decide
 what to do with such invalid domains (e.g. sanitize them or
 ignore), so that such domain names won't reach DNS resolver
 code any longer.
 
 You have emails somewhere in those mail boxes that have that domain of 
 .sa.enemieslist.com
 
 Regards,
 KAM
 
 On 6/5/2015 4:21 PM, Larry Rosenman wrote: 
 
 Can anyone help me silence this? 
 
 these are from: 
 thebighonker.lerctr.org /home/ler/bin $ cat update-bayes.sh 
 #!/bin/sh 
 PATH=$PATH:/usr/local/bin 
 export PATH 
 sa-learn --spam --mbox /home/ler/mail/SA/FN 
 sa-learn --spam --mbox /home/ler/mail/SPAM 
 sa-learn --spam --mbox /home/mrm/mail/@SAFN-flag 
 sa-learn --spam --mbox /home/mrm/mail/@Spam 
 sa-learn --spam --mbox /home/mrm/mail/Junk E-mail 
 sa-learn --spam --mbox /home/ctr/mail/Junk E-mail 
 sa-learn --spam --mbox /home/ctr/mail/SPAM 
 sa-learn --spam --mbox /home/ctr/mail/kill-file 
 sa-learn --ham --mbox /home/mrm/mail/@NOT-SPAM 
 thebighonker.lerctr.org /home/ler/bin $ 
 
 I do have an Enemieslist plugin, but I'm not sure why sa-learn is calling 
 it. 
 
  Original Message  
 Subject: Cron smmsp@thebighonker /home/ler/bin/update-bayes.sh 
 Date: 2015-06-05 14:45 
 From: sm...@lerctr.org (Cron Daemon) 
 To: sm...@lerctr.org 
 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 Learned tokens from 1 message(s) (11 message(s) examined) 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 Use of uninitialized value $msgscore in addition (+) at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/TxRep.pm line 1415. 
 Use of uninitialized value $msgscore in subtraction (-) at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/TxRep.pm line 1415. 
 Learned tokens from 0 message(s) (14 message(s) examined) 
 Learned tokens from 0 message(s) (1 message(s) examined) 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain name contains a null label 
 plugin: eval failed: oops, no key at 
 /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180. 
 dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a 
 domain

Fwd: Cron smmsp@thebighonker /home/ler/bin/update-bayes.sh

2015-06-05 Thread Larry Rosenman
=.sa.enemieslist.com. type=A class=IN) 
failed: a domain name contains a null label
plugin: eval failed: oops, no key at 
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180.

Learned tokens from 0 message(s) (122 message(s) examined)
Learned tokens from 0 message(s) (21 message(s) examined)

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: Fwd: Cron smmsp@thebighonker /home/ler/bin/update-bayes.sh

2015-06-05 Thread Larry Rosenman
 

I guess my question is why is it being called during sa-learn. 

On 2015-06-05 16:48, Kevin A. McGrail wrote: 

 On 6/5/2015 5:33 PM, Larry Rosenman wrote: 
 
 This appears to be from the EnemiesList.PM plugin being invoked during
 sa-learn.
 
 I'm not quite sure why the EnemiesList.PM is being called in this case. 
 
 Doc  the plugin (from 2009, not changed): 
 
 http://enemieslist.com/how/spamassassin.html [1] 
 
 I don't know if the plug-in just needs to be updated, or if something more 
 needs to be done on the SA side.
 Hard to say without studying the plugin. If the DNS warning goes away when 
 you disable the plugin, it's likely something the EnemiesList people need to 
 update.
 
 Regards,
 KAM

-- 
 Larry Rosenman http://www.lerctr.org/~ler [2]
 Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
 US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
 

Links:
--
[1] http://enemieslist.com/how/spamassassin.html
[2] http://www.lerctr.org/~ler


Re: Cron smmsp@thebighonker /home/ler/bin/update-bayes.sh

2015-06-05 Thread Larry Rosenman

On 2015-06-05 18:04, RW wrote:

On Fri, 05 Jun 2015 18:11:48 -0400
Bill Cole wrote:


On 5 Jun 2015, at 17:53, Larry Rosenman wrote:

 I guess my question is why is it being called during sa-learn.

You have yet to demonstrate that to be occurring.

SA has a misfeature of attempting to de-obfuscate obfuscated URIs and
trusting the results of its inherently imperfect de-obfuscation to
provide putative domain names, which it may do various sorts of
resolution on. So if you have a message that contains a line like:

To look up a domain at EnemiesList, prepend it to the DNS domain:
.sa.enemieslist.com

then SA may pick up '.sa.enemieslist.com' as a domain name to be
examined.



That's unlikely since (if I'm reading it correctly) the error lines are
only seen when sa-learn is training on spam.

Bingo -- the output I sent was from SA-LEARN.

If I disable the plugin, the issue goes away.


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
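
The cron output in this thread repeats one DNS failure: the query name `.sa.enemieslist.com.` starts with a dot, so its first label is empty. The Python below is an added example, not part of any post and not SpamAssassin or EnemiesList code; it pulls the query names out of log lines of that shape and shows the guard a lookup builder needs before it joins a key to a list zone. The function names are hypothetical, and the sample log is copied from the post with the archive's line wraps re-joined.

```python
import re
from collections import Counter

# Sample input: lines in the shape shown in the cron mail, re-joined onto
# single lines (the archive wrapped them). Nothing here is new data.
SAMPLE_LOG = """\
dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a domain name contains a null label
plugin: eval failed: oops, no key at /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180.
Learned tokens from 1 message(s) (11 message(s) examined)
dns: new_dns_packet (domain=.sa.enemieslist.com. type=A class=IN) failed: a domain name contains a null label
plugin: eval failed: oops, no key at /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/AsyncLoop.pm line 180.
"""

DNS_LINE = re.compile(
    r"new_dns_packet \(domain=(?P<name>\S*) type=(?P<rtype>\S+) class=(?P<rclass>\S+)\)"
)


def label_problems(name):
    """Return the reasons `name` cannot be sent as a DNS query name."""
    # A single trailing dot only marks the name as fully qualified.
    body = name[:-1] if name.endswith(".") else name
    if not body:
        return ["empty name"]
    problems = []
    if len(body) > 253:
        problems.append("name longer than 253 octets")
    for pos, label in enumerate(body.split(".")):
        if label == "":
            problems.append(f"null label at position {pos}")
        elif len(label) > 63:
            problems.append(f"label at position {pos} longer than 63 octets")
    return problems


def build_lookup(key, zone):
    """Join a lookup key and a list zone; refuse to emit a malformed name.

    Hypothetical helper: a plugin that prepends a (possibly empty) key to a
    zone would do this check instead of handing the name to the resolver.
    """
    name = f"{key.strip('.')}.{zone.strip('.')}."
    problems = label_problems(name)
    if problems:
        raise ValueError(f"refusing lookup of {name!r}: {', '.join(problems)}")
    return name


def summarize(log_text):
    """Count malformed query names seen in sa-learn / spamd style output."""
    counts = Counter()
    for line in log_text.splitlines():
        match = DNS_LINE.search(line)
        if match is None:
            continue
        for problem in label_problems(match.group("name")):
            counts[(match.group("name"), problem)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (name, problem), seen in summarize(SAMPLE_LOG).items():
        print(f"{seen}x {name}: {problem}")
    try:
        build_lookup("", "sa.enemieslist.com")
    except ValueError as err:
        print(err)
```

An empty key is the only input that yields exactly the name in the log; the guard turns that into one clear error instead of a resolver failure per message.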



Re: user_prefs custom rules, not matching

2015-05-21 Thread Larry Rosenman

On 2015-05-21 16:47, Forrest wrote:

On 5/21/15 5:36 PM, Benny Pedersen wrote:
On May 21, 2015 11:08:28 PM Bill Cole 
sausers-20150...@billmail.scconsult.com wrote:



On 21 May 2015, at 14:42, Benny Pedersen wrote:

 Note that plus addressing, users can only subscribe, is 2 + valid in
 mailto: ?

Sure, why not? See RFC's 821, 822, 2821, 2822, 5321, and 5322 :)

There is nothing special about '+' in an email address in SMTP or in 
the
email data format. It is only special to some delivery agents that 
may

be configured to treat it specially.


Here my mail client replaced + with a space char so ended to a invalid 
addr, why would anyone like to reply to 3rd party spammers to 
unsubscribe, well nice to see that my mail client does not support 
this even if its a bug in rfc


These spammers have been active on Google Groups for a while -- why
they haven't been shut down is beyond me. But, does anyone know what
alerts or other info a Groups admin gets with people who unsubscribe?
   If anything, they are clever in exploiting the Google service to do
all their bidding, seemingly without any notice from Google.  You
can't even get to the groups page.

Lots of Java and other apps that validate e-mail addresses think the +
sign is a URL encoded SPACE and REJECT it. :(


RFC's be damned.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



Re: Where to download the latest KAM rules?

2015-05-10 Thread Larry Rosenman
 

On 2015-05-10 15:11, Sergio wrote: 

 Hi, where is the best place to download the latest KAM rules?
 
 Thanks in advance.
 
 Sergio

http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf 

-- 
 Larry Rosenman http://www.lerctr.org/~ler [1]
 Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
 US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
 

Links:
--
[1] http://www.lerctr.org/~ler


Re: Particularly annoying spam

2015-05-02 Thread Larry Rosenman

On 2015-05-02 15:40, John Hardin wrote:

On Fri, 1 May 2015, RW wrote:


On Fri, 01 May 2015 09:55:31 -0500
Larry Rosenman wrote:


X-Spam-Report: SpamScore (3.8/5.0) BAYES_99=3.5,BAYES_999=0.2


Consider increasing the score of BAYES_99 above 5. For me BAYES_99 has
an FP rate that's negligible compared with the FP rate of spamassassin
itself.


...and if you don't want to bump BAYES_99 that much, bump BAYES_999 -
it's a little bit safer.

I wound up turning on SHORTCIRCUIT for BAYES_99 and BAYES_00, and a
couple of other tweaks.  So far my mailbox has been blissfully clean :)

Thanks guys!
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



Re: Particularly annoying spam

2015-05-01 Thread Larry Rosenman

On 2015-05-01 10:08, Kevin A. McGrail wrote:

On 5/1/2015 11:06 AM, Joe Quinn wrote:

On 5/1/2015 10:55 AM, Larry Rosenman wrote:

http://pastebin.com/4gck7uLD

This one and ones like it seem to get through multiple times/day.

Any help here?  Today's is WITH 3.4.1..

That's a variant on a pretty old campaign that I haven't seen get 
through in a long while.


I've updated KAM.cf so it hits your sample, which you can set a 
cronjob to download from here:

http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf

The rule it will hit on is KAM_SALEA.

Beat me to it.  I was just adding the domain to the RBL as well.

Thanks, Guys!  I have a cronjob running every 6 hours (but I ran it
early to get this one).


Which RBL did you add it to, KAM?

and, invalument(sp?) seems to want $$ and this is a PERSONAL server :(


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



Particularly annoying spam

2015-05-01 Thread Larry Rosenman

http://pastebin.com/4gck7uLD

This one and ones like it seem to get through multiple times/day.

Any help here?  Today's is WITH 3.4.1..

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: Mail Filter Recommendations

2015-04-07 Thread Larry Rosenman

On 2015-04-07 17:35, Alex Regan wrote:

Hi,


I think the reason it didn't match on anything useful for the OP is
because he doesn't have the latest RegistrarBoundaries.pm.

If he had the latest, it would have at least matched the MSGID and
MALFORMED rules.

Select the download link here:

http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Util/RegistrarBoundaries.pm?view=log

I believe this works with at least 3.4.0 or is it only 3.4.1?


I'm using it successfully with 3.4.0.  I believe that this is being
heavily modified for 3.4.1 to be in a .cf file.



--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



Re: Help with today's (and previous) spam uptick?

2015-04-02 Thread Larry Rosenman

On 2015-04-02 09:55, @lbutlr wrote:

On Apr 1, 2015, at 6:15 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:

The RegistrarBoundaries.pm for new TLDs is hard coded


How would I check this for a ports version of SA? I am also getting
heavily spammed from new .tlds (.work is the main offender for me).

I have
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Util/RegistrarBoundaries.pm
but is it being used?

I do a portsnap cron update daily and also sa-update (current
version is 1670273)

The ports version does NOT update it.

You need to pull it from Apache's SVN, and move it into place:
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Util/RegistrarBoundaries.pm


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman

On 2015-04-01 19:23, Kevin A. McGrail wrote:

On 4/1/2015 8:21 PM, Larry Rosenman wrote:
Is there an ETA for 3.4.1? And, is there anything else I can do
meantime?

3.4.1 is planned to announce for release during ApacheCon in about 2
weeks.


1 - Make sure you are using the new Registrar Boundary with the TLDs
that are plaguing you.
2 - Are you using KAM.cf?

regards,
KAM


I'll pull a new RegistrarBoundaries.pm, and YES, I poll KAM.cf every 6
hours, and when it changes, I install the new one.


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman

On 2015-04-01 19:23, Kevin A. McGrail wrote:

On 4/1/2015 8:21 PM, Larry Rosenman wrote:
Is there an ETA for 3.4.1? And, is there anything else I can do
meantime?

3.4.1 is planned to announce for release during ApacheCon in about 2
weeks.


1 - Make sure you are using the new Registrar Boundary with the TLDs
that are plaguing you.
2 - Are you using KAM.cf?

regards,
KAM


Ok, I pulled a new RegistrarBoundaries.pm and now we wait.

BTW, is my every 6 hour pull of KAM.cf kosher with you?

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman
I've been getting pounded with stuff from new tld's (cricket, science, 
work, et al).


I'm wondering how to make SA more immune to it.

Spamples: http://pastebin.com/jc3efYju


Thanks!
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman

On 2015-04-01 19:20, Kevin A. McGrail wrote:

On 4/1/2015 8:18 PM, Larry Rosenman wrote:

On 2015-04-01 19:15, Kevin A. McGrail wrote:

On 4/1/2015 8:13 PM, Larry Rosenman wrote:
I've been getting pounded with stuff from new tld's (cricket, 
science, work, et al).


I'm wondering how to make SA more immune to it.

Spamples: http://pastebin.com/jc3efYju

Are you using a recent SA from trunk?  The RegistrarBoundaries.pm for
new TLDs is hard coded.

Regards,
KAM

No the FreeBSD port, but I think(!) I updated the
RegistrarBoundaries.pm:


# Last update: 2015-02-21-axb

Is there a plan to automate this and SOON?


3.4.1 / svn trunk has some patches in place that should allow us to
implement this with sa-update.  It's a key issue I'm working through
on rc2.

Regards,
KAM

Is there an ETA for 3.4.1? And, is there anything else I can do
meantime?



--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman

On 2015-04-01 19:15, Kevin A. McGrail wrote:

On 4/1/2015 8:13 PM, Larry Rosenman wrote:
I've been getting pounded with stuff from new tld's (cricket, 
science, work, et al).


I'm wondering how to make SA more immune to it.

Spamples: http://pastebin.com/jc3efYju

Are you using a recent SA from trunk?  The RegistrarBoundaries.pm for
new TLDs is hard coded.

Regards,
KAM

No the FreeBSD port, but I think(!) I updated the
RegistrarBoundaries.pm:


# Last update: 2015-02-21-axb

Is there a plan to automate this and SOON?


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: TVD_PH_BODY_META rule: Hitting legit HAM from my Credit Union

2014-01-15 Thread Larry Rosenman

On 2014-01-15 07:41, RW wrote:

On Tue, 14 Jan 2014 16:30:02 -0600
Larry Rosenman wrote:


I just had 3 messages that are HAM that hit TVD_PH_BODY_META=3.625
and got marked as SPAM.



It seems that

  Funds could take up to two business days to post to your account.

is hitting:

 body __TVD_PH_BODY_04  /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i

I think this one needs more work.

I agree that this rule is too wide for such a high score.

How can I help?


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
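
Why the credit union's sentence trips `__TVD_PH_BODY_04`, as an added example that is not part of the original posts and not SpamAssassin code: the quoted pattern is run in Python (the syntax used here is common to Perl and Python) with the two word groups captured, so the number of filler words the lazy group swallowed is visible. Assumptions: the archive's line wraps inside the rule were single spaces, body text is matched with whitespace collapsed, and `max_gap` is a hypothetical narrowing for comparison only, not a fix proposed by the project.

```python
import re


def rule(max_gap=None):
    """__TVD_PH_BODY_04 as quoted, with its two word groups named.

    max_gap=None keeps the original unbounded '+?'; an integer bounds the
    number of filler words between "funds" and "to your" (hypothetical).
    """
    quant = "+?" if max_gap is None else "{1,%d}?" % max_gap
    return re.compile(
        r"\bfunds? (?!transfer from)(?!from)(?!in)(?!via)"
        r"(?P<gap>(?:[a-z_,-]+ )" + quant + r")to your "
        r"(?P<tail>(?:[a-z_,-]+ )*?)account",
        re.IGNORECASE,  # the rule's /i flag
    )


def explain(text, max_gap=None):
    """Return what matched and which words filled each group, or None."""
    flat = " ".join(text.split())  # collapse wraps the way a body rule sees text
    match = rule(max_gap).search(flat)
    if match is None:
        return None
    return {
        "span": match.group(0),
        "gap_words": match.group("gap").split(),
        "tail_words": match.group("tail").split(),
    }


SAMPLES = {
    # Sentence from the credit union mail quoted in the thread.
    "ham_from_post": "Funds could take up to two business days to post to your\naccount.",
    # Constructed sentences, for contrast only.
    "constructed_short_gap": "Your funds will be returned to your account once you verify.",
    "constructed_in_prefix": "Funds instantly move to your account.",
    "constructed_amount": "Funds of $500 were sent to your account.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for max_gap in (None, 4):
            result = explain(text, max_gap)
            gap = "no match" if result is None else f"{len(result['gap_words'])} filler word(s)"
            print(f"{name:24} max_gap={max_gap!s:5} {gap}")
```

The ham sentence matches only because nine ordinary words are allowed between "Funds" and "to your"; the `(?!in)` lookahead is not word-anchored, so it also excludes any word that merely starts with "in".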


TVD_PH_BODY_META rule: Hitting legit HAM from my Credit Union

2014-01-14 Thread Larry Rosenman
I just had 3 messages that are HAM that hit TVD_PH_BODY_META=3.625 and 
got marked as SPAM.


The text contents are: [quote]
This message confirms your deposit of $70.94 has been approved and 
processed. Funds could take up to two business days to post to your 
account.


Please do not destroy the deposited check yet. Refer to our Check 
Handling Procedures for check destruction guidance at 
www.goamplify.com/FAQ.


Please do not respond to this message or send email to this address. 
This message is for information purposes only.


Thank you,
Amplify Credit Union



NOTICE OF CONFIDENTIALITY: This e-mail message, including any 
attachments, is for the sole use of the intended recipient(s) and may 
contain confidential and privileged information. Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not 
the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.

[/quote]

Headers:
[quote]
Return-path: bou...@goamplify.com
Envelope-to: pare...@lerctr.org
Delivery-date: Tue, 14 Jan 2014 01:13:00 -0600
Received: from 209-99-54-7.fwd.datafoundry.com ([209.99.54.7]:23535
helo=webmail.goamplify.com)
by thebighonker.lerctr.org with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.82 (FreeBSD))
(envelope-from bou...@goamplify.com)
id 1W2yBH-0009Pf-3d
for pare...@lerctr.org; Tue, 14 Jan 2014 01:13:00 -0600
Received: from CubusApp.ibmtefcu.org (192.168.235.83) by
ExternalRelay.ibmtefcu.org (192.168.235.148) with Microsoft SMTP
Server id
14.2.328.9; Tue, 14 Jan 2014 01:12:47 -0600
Message-ID: 44210-22014121471244...@goamplify.com
X-EM-Version: 6, 0, 0, 3
X-EM-Registration: #0030630810D01800AA20
From: cumail cum...@goamplify.com
To: pare...@lerctr.org
Subject: AMPLIFY Email Alert: Account Balance
Date: Tue, 14 Jan 2014 01:12:44 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Spam-Score: 1.1 (+)
X-LERCTR-Spam-Score: 1.1 (+)
X-Spam-Report: SpamScore (1.1/5.0)
BAYES_00=-1.9,EL_STATIC=2,RDNS_DYNAMIC=0.982,TVD_RCVD_IP=0.001
X-LERCTR-Spam-Report: SpamScore (1.1/5.0)
BAYES_00=-1.9,EL_STATIC=2,RDNS_DYNAMIC=0.982,TVD_RCVD_IP=0.001
[/quote]

I've already asked the CU to get VALID reverse DNS for their relay, but 
what else should I or they do here
to not hit the rule, or is the rule (which is too complicated for me to 
understand atm) too aggressive for this case?



Thanks!


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: TVD_PH_BODY_META rule: Hitting legit HAM from my Credit Union

2014-01-14 Thread Larry Rosenman

On 2014-01-14 16:30, Larry Rosenman wrote:

I just had 3 messages that are HAM that hit TVD_PH_BODY_META=3.625 and
got marked as SPAM.

The text contents are: [quote]
This message confirms your deposit of $70.94 has been approved and
processed. Funds could take up to two business days to post to your
account.

Please do not destroy the deposited check yet. Refer to our Check
Handling Procedures for check destruction guidance at
www.goamplify.com/FAQ.

Please do not respond to this message or send email to this address.
This message is for information purposes only.

Thank you,
Amplify Credit Union



NOTICE OF CONFIDENTIALITY: This e-mail message, including any
attachments, is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not
the intended recipient, please contact the sender by reply e-mail and
destroy all copies of the original message.
[/quote]

Headers:
[quote]
Return-path: bou...@goamplify.com
Envelope-to: pare...@lerctr.org
Delivery-date: Tue, 14 Jan 2014 01:13:00 -0600
Received: from 209-99-54-7.fwd.datafoundry.com ([209.99.54.7]:23535
helo=webmail.goamplify.com)
by thebighonker.lerctr.org with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.82 (FreeBSD))
(envelope-from bou...@goamplify.com)
id 1W2yBH-0009Pf-3d
for pare...@lerctr.org; Tue, 14 Jan 2014 01:13:00 -0600
Received: from CubusApp.ibmtefcu.org (192.168.235.83) by
ExternalRelay.ibmtefcu.org (192.168.235.148) with Microsoft SMTP
Server id
14.2.328.9; Tue, 14 Jan 2014 01:12:47 -0600
Message-ID: 44210-22014121471244...@goamplify.com
X-EM-Version: 6, 0, 0, 3
X-EM-Registration: #0030630810D01800AA20
From: cumail cum...@goamplify.com
To: pare...@lerctr.org
Subject: AMPLIFY Email Alert: Account Balance
Date: Tue, 14 Jan 2014 01:12:44 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Spam-Score: 1.1 (+)
X-LERCTR-Spam-Score: 1.1 (+)
X-Spam-Report: SpamScore (1.1/5.0)
BAYES_00=-1.9,EL_STATIC=2,RDNS_DYNAMIC=0.982,TVD_RCVD_IP=0.001
X-LERCTR-Spam-Report: SpamScore (1.1/5.0)
BAYES_00=-1.9,EL_STATIC=2,RDNS_DYNAMIC=0.982,TVD_RCVD_IP=0.001
[/quote]

I've already asked the CU to get VALID reverse DNS for their relay,
but what else should I or they do here
to not hit the rule, or is the rule (which is too complicated for me
to understand atm) too aggressive for this case?


Thanks!

Whoops, wrong headers
[quote]
Here's the right ones.
Return-path: amplifymob...@goamplify.com
Envelope-to: l...@lerctr.org
Delivery-date: Tue, 14 Jan 2014 15:20:57 -0600
Received: from [173.227.169.138] (port=26985
helo=webmail2.goamplify.com)
by thebighonker.lerctr.org with esmtps (TLSv1:AES128-SHA:128)
(Exim 4.82 (FreeBSD))
(envelope-from amplifymob...@goamplify.com)
id 1W3BPs-000JZi-16
for l...@lerctr.org; Tue, 14 Jan 2014 15:20:57 -0600
Received: from Tweety03 (192.168.199.67) by ExternalRelayDR.ibmtefcu.org
(192.168.220.148) with Microsoft SMTP Server id 14.2.328.9; Tue, 14
Jan 2014 15:20:45 -0600
MIME-Version: 1.0
From: amplifymob...@goamplify.com
To: l...@lerctr.org
Date: Tue, 14 Jan 2014 15:20:45 -0600
Subject: Amplify Mobile Deposit
Content-Type: multipart/alternative;
boundary=--boundary_12747_6699b0bf-fd0f-4cc3-bd2d-fbd3e23ff55e
Message-ID: 23e38f7e-b5a5-4eed-83bb-bee9fc64e...@angeliadr.ibmtefcu.org
X-Spam-Score: 5.2 (+)
X-LERCTR-Spam-Score: 5.2 (+)
X-Spam-Report: SpamScore (5.2/5.0)
BAYES_50=0.8,HTML_MESSAGE=0.001,RDNS_NONE=0.793,TVD_PH_BODY_META=3.625
X-LERCTR-Spam-Report: SpamScore (5.2/5.0)
BAYES_50=0.8,HTML_MESSAGE=0.001,RDNS_NONE=0.793,TVD_PH_BODY_META=3.625

X-Spam-Flag: YES
X-LERCTR-Spam-Flag: YES
[/quote]
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: TVD_PH_BODY_META rule: Hitting legit HAM from my Credit Union

2014-01-14 Thread Larry Rosenman

On 2014-01-14 17:07, Benny Pedersen wrote:

Larry Rosenman skrev den 2014-01-14 23:33:

Whoops, wrong headers


is it possible to learn it as ham with bayes ?, bayes 50 is more or
less neutral score for unsure content, help learning it as ham will
solve it to go under 5

Already done, but this seems a bit high for a first time hit :(


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: Am i sending spam?

2011-12-23 Thread Larry Rosenman

On 12/23/2011 4:23 PM, David F. Skoll wrote:
 On Fri, 23 Dec 2011 23:13:43 +0100 Lars Ebeling
 lars.ebel...@leopg9.no-ip.org wrote:
 
 We automatically block mail from anyone who HELOs as our
 machine (unless it really *is* from our machine, of course!)
 
 how do you do that?
 
 We use MIMEDefang which lets you code tests like that in Perl. (So
 this is done outside of SpamAssassin, but you may be able to hack a
 SpamAssassin rule to do it too.)
 
 Regards,
 
 David.

In Exim, I do the following:
  # kill off the folks that use OUR ip's in HELO Nice and Early.
  drop   message= Forged IP detected in HELO: $sender_helo_name
         hosts  = !+relay_from_hosts
         !authenticated = *
         condition  = ${if \
                eq{$sender_helo_name}{$interface_address}{yes}{no}}
  # Forged hostname - HELOs as my own hostname or domain (early as well)
  drop   message= Forged hostname detected in HELO: $sender_helo_name
         hosts  = !+relay_from_hosts
         !authenticated = *
         condition  = ${lookup {$sender_helo_name} \
                lsearch{/usr/local/etc/exim/checkfiles/our_host_names}{yes}{no}}




--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: l...@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893


RE: ANNOUNCE: Apache SpamAssassin 3.2.0 available

2007-05-08 Thread Larry Rosenman
Yes, there is a PR in the queue.  

The FreeBSD ports tree is currently frozen for the Xorg 7.2 import.

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: [EMAIL PROTECTED]
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893

-Original Message-
From: Julian Yap [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 08, 2007 5:08 PM
To: Duane Hill
Cc: users@spamassassin.apache.org
Subject: Re: ANNOUNCE: Apache SpamAssassin 3.2.0 available

Has anyone contacted the FreeBSD ports maintainer for re2c to update to
0.12.0?

On 5/8/07, Duane Hill [EMAIL PROTECTED] wrote:
 On Tue, 8 May 2007, Michael Scheidell wrote:

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Monday, May 07, 2007 6:59 PM
  To: Duane Hill
  Cc: users@spamassassin.apache.org
  Subject: Re: ANNOUNCE: Apache SpamAssassin 3.2.0 available
 
 
  really?  news to me ;)
 
  Not sa-compile, just sa-compile on freebsd (since it requires version
  .12 of re2c and port is currently at .11.1)
 
  I have emailed the port maintainer, and may test some patches myself if
  I get a chance.

 I have just successfully installed re2c 0.12.0 from sources. The version
 reported back from 're2c -V' shows '001200'. Further testing by tossing
 random messages through with text from the tests, I have not seen any
 errors yet.




FP Forged Yahoo....

2007-01-07 Thread Larry Rosenman
Greetings,
Got an FP on the Forged_Yahoo_received: 

Return-path: [EMAIL PROTECTED]
Envelope-to: ler@lerctr.org
Delivery-date: Sun, 07 Jan 2007 12:13:32 -0600
Received: from mail-relay1.yahoo.com ([216.145.48.34]:30422)
by thebighonker.lerctr.org with esmtps
(TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.64 (FreeBSD))
(envelope-from [EMAIL PROTECTED])
id 1H3cWO-000HdQ-Sf
for ler@lerctr.org; Sun, 07 Jan 2007 12:13:32 -0600
Received: from speedster.cc.kana.corp.yahoo.com
(speedster.cc.kana.corp.yahoo.com [207.126.228.28])
by mail-relay1.yahoo.com (8.13.8/8.13.6/mr1) with SMTP id
l07IDGSl038034
for ler@lerctr.org; Sun, 7 Jan 2007 10:13:27 -0800 (PST)
Message-Id: [EMAIL PROTECTED]
Precedence: bulk
Auto-Submitted: auto-replied
Date: Sun, 07 Jan 2007 10:13:26 -0800
To: Larry Rosenman ler@lerctr.org
Subject: A message from Yahoo! Customer Care  (KMM42667402V93302L0KM)
From: Yahoo! Mail [EMAIL PROTECTED]
Reply-To: Yahoo! Mail [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset = us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: KANA Response 7.0.1.142
X-Spam-Score: 5.5 (+)
X-LERCTR-Spam-Score: 5.5 (+)
X-Spam-Report: (5.5 points, 5.0 required)
BAYES_50=0.001 DK_POLICY_SIGNSOME=0.001 DK_POLICY_TESTING=0.001
DNS_FROM_RFC_ABUSE=0.2 DNS_FROM_RFC_POST=1.708 DNS_FROM_RFC_WHOIS=1.447
FORGED_YAHOO_RCVD=1.849 HOST_MISMATCH_COM=0.311
X-LERCTR-Spam-Report: (5.5 points, 5.0 required)
BAYES_50=0.001 DK_POLICY_SIGNSOME=0.001 DK_POLICY_TESTING=0.001
DNS_FROM_RFC_ABUSE=0.2 DNS_FROM_RFC_POST=1.708 DNS_FROM_RFC_WHOIS=1.447
FORGED_YAHOO_RCVD=1.849 HOST_MISMATCH_COM=0.311
X-Spam-Flag: YES
X-LERCTR-Spam-Flag: YES
DomainKey-Status: no signature


This is from an Auto-Ack to an abuse complaint

Thanks!



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893




SA-UPDATE and recent branches/3.1 rules?

2006-12-31 Thread Larry Rosenman
Is there some process that needs to be automated to ship out the 3.1
branch rules changes via sa-update?

I know I've seen commits to branches/3.1, but no sa-update since 12/19

Just asking...

-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893




FP: RCVD_HELO_IP_MISMATCH?

2006-12-08 Thread Larry Rosenman
Greetings,
   I had the following headers:

Return-path: [EMAIL PROTECTED]
Envelope-to: ler@lerctr.org
Delivery-date: Thu, 07 Dec 2006 23:26:40 -0600
Received: from smtp-vbr15.xs4all.nl ([194.109.24.35]:2793)
by thebighonker.lerctr.org with esmtp (Exim 4.63 (FreeBSD))
(envelope-from [EMAIL PROTECTED])
id 1GsYFo-000OEi-SQ
for ler@lerctr.org; Thu, 07 Dec 2006 23:26:40 -0600
Received: from bag.python.org (bag.python.org [194.109.207.14])
by smtp-vbr15.xs4all.nl (8.13.8/8.13.8) with ESMTP id kB85QZZo098068
for ler@lerctr.org; Fri, 8 Dec 2006 06:26:35 +0100 (CET)
(envelope-from [EMAIL PROTECTED])
Received: from bag.python.org (bag [127.0.0.1])
by bag.python.org (Postfix) with ESMTP id 4397A1E4019
for ler@lerctr.org; Fri,  8 Dec 2006 06:26:35 +0100 (CET)
X-Original-To: mailman-users@python.org
Delivered-To: [EMAIL PROTECTED]
Received: from bag.python.org (bag [127.0.0.1])
by bag.python.org (Postfix) with ESMTP id 646CA1E401A
for mailman-users@python.org; Fri,  8 Dec 2006 06:26:07 +0100
(CET)
X-Spam-Status: OK 0.010
Received: from bag (HELO bag.python.org) (127.0.0.1)
by bag.python.org with SMTP; 08 Dec 2006 06:26:06 +0100
X-Greylist: delayed 665 seconds by postgrey-1.21 at bag.python.org;
Fri, 08 Dec 2006 06:26:06 CET
Received: from zoot.lafn.org (zoot.lafn.ORG [206.117.18.6])
by bag.python.org (Postfix) with ESMTP
for mailman-users@python.org; Fri,  8 Dec 2006 06:26:06 +0100
(CET)
Received: from 207.233.32.18 (zoot.lafn.org [206.117.18.6])
by zoot.lafn.org (8.13.6/8.13.4) with SMTP id kB85EuSN093511
for mailman-users@python.org; Thu, 7 Dec 2006 21:14:58 -0800 (PST)
(envelope-from [EMAIL PROTECTED])
Message-Id: [EMAIL PROTECTED]
To: mailman-users@python.org
From: [EMAIL PROTECTED]
Date: Thu, 7 Dec 2006 21:14:58 GMT
X-Mailer: Endymion MailMan Standard Edition v3.0.26
X-Virus-Scanned: by XS4ALL Virus Scanner
X-Virus-Status: Clean
Subject: [Mailman-Users] Mailman stop delivering ... problem with
Approval.py?
X-BeenThere: mailman-users@python.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailman mailing list management users mailman-users.python.org
List-Unsubscribe: http://mail.python.org/mailman/listinfo/mailman-users,
mailto:[EMAIL PROTECTED]
List-Archive: http://mail.python.org/pipermail/mailman-users
List-Post: mailto:mailman-users@python.org
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://mail.python.org/mailman/listinfo/mailman-users,
mailto:[EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-Spam-Score: 6.4 (++)
X-LERCTR-Spam-Score: 6.4 (++)
X-Spam-Report: (6.4 points, 5.0 required)
BAYES_00=-2.599 DATE_IN_PAST_06_12=0.827 DK_POLICY_SIGNSOME=0.001
FORGED_RCVD_HELO=0.135 HOST_EQ_NL=1.545 NO_REAL_NAME=0.961
RCVD_HELO_IP_MISMATCH=4 RCVD_NUMERIC_HELO=1.5 TW_CF=0.077
X-LERCTR-Spam-Report: (6.4 points, 5.0 required)
BAYES_00=-2.599 DATE_IN_PAST_06_12=0.827 DK_POLICY_SIGNSOME=0.001
FORGED_RCVD_HELO=0.135 HOST_EQ_NL=1.545 NO_REAL_NAME=0.961
RCVD_HELO_IP_MISMATCH=4 RCVD_NUMERIC_HELO=1.5 TW_CF=0.077
X-Spam-Flag: YES
X-LERCTR-Spam-Flag: YES
DomainKey-Status: no signature

And the rule that marked this as SPAM is the RCVD_HELO_IP_MISMATCH.

Why is this rule so high?

What exactly is it checking?

This is from a legit mailing list. 

Thanks,
Larry Rosenman 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: FP: RCVD_HELO_IP_MISMATCH?

2006-12-08 Thread Larry Rosenman
aubreyl wrote:
 Larry Rosenman wrote:
 Greetings,
I had the following headers:
[snip]
 This checks what the server initiating the SMTP connection to your
 server says it is, and what its domain name resolves to.
 
 Let's say that fakedomain.com resolves to 45.45.45.45
 
 then
 
 ~# telnet yourdomain.com 25
 Trying 123.123.123.123...
 Connected to yourdomain.com.
 Escape character is '^]'.
 220 mail.yourdomain.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 8 Dec 2006
 19:30:05 -0600
 *helo fakedomain.com*
 250 mail.yourdomain.com *Hello 12-34-56-78.client.isp.com
 [12.34.56.78]*, pleased to meet you 
 
 
 during this interaction, it is obvious that the connection was made
 from 12-34-56-78.client.isp.com that has an IP of 12.34.56.78.  But
 since in the helo given, the server says that it is
 fakedomain.com.
 
 This is common for some small mail servers, like mine, who used to be
 able to stand behind a router with a different outgoing IP.  Now it
 has become common practice to void messages from such servers.  
 
 I'm not up to speed with all of the RFC's, but perhaps there's one in
 there for this?  Anyone know? 
 
 -=Aubrey=-

I'm very familiar with the HELO/Etc.  My concern is the high score
and the fact that this message was legit, to a well-known mailing-list.



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Larry Rosenman
John D. Hardin wrote:
 On Wed, 6 Dec 2006, Kelly Jones wrote:
 
 Recently, someone connected our server, call it mx.xyz.com, and said
 HELO mx.xyz.com. Spamassassin didn't ding it for doing this.
 
 IMHO this is worthy of a 500 reject at the MTA level. There is NO
 legitimate reason for J. Random User out on the internet to claim his
 MTA is yours.  
 
 I've posted milter-regex examples that do this here before.

I have the following in my EXIM Rcpt ACL:
---
  # kill off the folks that use OUR ip's in HELO Nice and Early.
  drop   message        = Forged IP detected in HELO: $sender_helo_name
         hosts          = !+relay_from_hosts
         !authenticated = *
         condition      = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
  # Forged hostname - HELOs as my own hostname or domain (early as well)
  drop   message        = Forged hostname detected in HELO: $sender_helo_name
         hosts          = !+relay_from_hosts
         !authenticated = *
         condition      = ${lookup {$sender_helo_name} \
                          lsearch{/usr/local/etc/exim/checkfiles/our_host_names}{yes}{no}}

If they try and HELO/EHLO as my IP or host name, we unceremoniously drop the
connection. 

Just one other solution to this issue.



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
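
The two drop conditions in the ACL above, replayed over session records as an added example (not code from the poster or from Exim). The host-name file contents, the relay networks and the sessions are constructed assumptions; the sketch goes slightly beyond the ACL by also treating the bracketed address-literal form of the HELO as the same address.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for an lsearch key file such as our_host_names.
OUR_HOST_NAMES = """\
# names this server answers to (constructed sample)
mx.xyz.com
xyz.com
MAIL.xyz.com: data after the key is not needed for this check
"""

# Assumed contents of the relay_from_hosts host list.
RELAY_FROM_HOSTS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/28")]


@dataclass
class Session:
    client_ip: str        # remote address of the connecting client
    interface_ip: str     # local address that accepted the connection
    helo: str             # argument the client gave to HELO/EHLO
    authenticated: bool = False


def load_lsearch_keys(text):
    """Return the lower-cased keys of an lsearch-style file (simplified reading:
    key ends at ':' or whitespace; blank, '#' and continuation lines skipped)."""
    keys = set()
    for line in text.splitlines():
        if not line.strip() or line[0] in "# \t":
            continue
        key = re.split(r"[:\s]", line, maxsplit=1)[0]
        if key:
            keys.add(key.lower())
    return keys


def helo_as_ip(helo):
    """Parse a HELO argument as an IP address, bare or as a [literal]."""
    text = helo.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
        if text.lower().startswith("ipv6:"):
            text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def helo_verdict(session, own_names, relay_nets=RELAY_FROM_HOSTS):
    """Apply the two checks; relay hosts and authenticated clients are exempt."""
    client = ipaddress.ip_address(session.client_ip)
    if session.authenticated or any(client in net for net in relay_nets):
        return "accept"
    claimed = helo_as_ip(session.helo)
    if claimed is not None and claimed == ipaddress.ip_address(session.interface_ip):
        return "drop: forged IP in HELO"
    if session.helo.strip().lower() in own_names:
        return "drop: forged hostname in HELO"
    return "accept"


# Constructed sessions (documentation address ranges only).
SESSIONS = [
    Session("203.0.113.7", "198.51.100.25", "198.51.100.25"),
    Session("203.0.113.8", "198.51.100.25", "mx.xyz.com"),
    Session("203.0.113.9", "198.51.100.25", "[198.51.100.25]"),
    Session("192.0.2.5", "198.51.100.25", "mx.xyz.com"),           # relay host
    Session("203.0.113.10", "198.51.100.25", "mx.xyz.com", True),  # authenticated
    Session("203.0.113.11", "198.51.100.25", "mail.example.net"),
    Session("203.0.113.12", "198.51.100.25", "Mail.XYZ.com"),
]


def scan(sessions=SESSIONS):
    own_names = load_lsearch_keys(OUR_HOST_NAMES)
    return [helo_verdict(s, own_names) for s in sessions]


if __name__ == "__main__":
    for session, verdict in zip(SESSIONS, scan()):
        print(f"{session.client_ip:15} HELO {session.helo:18} -> {verdict}")
```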



RE: How can I learn a mail which how many score it got from each my rules?

2006-12-07 Thread Larry Rosenman
Halid Faith wrote:
 I use spamassassin3.1.7
 
 I go through some mails.
 I see a mail in /var/log/spamd.log as below
 Wed Dec  6 13:33:49 2006 [4484] info: spamd: result: Y 15 -
 EXTRA_MPART_TYPE,FRONTPAGE,HTML_MESSAGE,INVALID_DATE,MIME_BOUND_NEXTPART,
 MIME_QP_LONG_LINE,MSGID_MULTIPLE_AT,SARE_GIF_ATTACH,SARE_OBFUGIRLS,
 SUBJ_ALL_CAPS,SUBJ_ILLEGAL_CHARS,TW_IY,UNPARSEABLE_RELAY,UPPERCASE_25_50
 scantime=0.6,size=36790,[EMAIL PROTECTED],uid=1001,required_score=15.0,
 rhost=localhost,raddr=127.0.0.1,rport=50832,
 mid=[EMAIL PROTECTED]@domain.com,autolearn=no
 
 
 Yet, I can't understand which my rule, how many score gave that mail.
 How can I learn a mail which how many score it got from each my rules?
 is there a command for it ?

In your user_prefs, add the following:
report _TESTSSCORES( )_

That shows the tests *AND* the scores:

X-LERCTR-Spam-Report: (-108.6 points, 5.0 required)
BAYES_00=-2.599 DK_POLICY_SIGNSOME=0.001 SPF_PASS=-0.001
UPPERCASE_25_50=0 USER_IN_WHITELIST=-100 USER_IN_WHITELIST_TO=-6

-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
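
A parser for the report format that `_TESTSSCORES( )_` produces, as an added example (not part of the original message and not SpamAssassin code). It uses the two report bodies shown on this page, ranks rules by contribution, checks the per-rule scores against the rounded total, and lists the rules whose removal alone would put the message under the threshold; the function names are this example's own.

```python
import re
from decimal import Decimal

# Report bodies as they appear in messages on this page.
REPORT_SPAM = """\
X-Spam-Report: (6.4 points, 5.0 required)
BAYES_00=-2.599 DATE_IN_PAST_06_12=0.827 DK_POLICY_SIGNSOME=0.001
FORGED_RCVD_HELO=0.135 HOST_EQ_NL=1.545 NO_REAL_NAME=0.961
RCVD_HELO_IP_MISMATCH=4 RCVD_NUMERIC_HELO=1.5 TW_CF=0.077
"""
REPORT_HAM = """\
X-LERCTR-Spam-Report: (-108.6 points, 5.0 required)
BAYES_00=-2.599 DK_POLICY_SIGNSOME=0.001 SPF_PASS=-0.001
UPPERCASE_25_50=0 USER_IN_WHITELIST=-100 USER_IN_WHITELIST_TO=-6
"""

NUMBER = r"-?\d+(?:\.\d+)?"
SUMMARY_RE = re.compile(rf"\(({NUMBER}) points, ({NUMBER}) required\)")
TEST_RE = re.compile(rf"\b([A-Za-z][A-Za-z0-9_]*)=({NUMBER})(?=\s|$)")


def parse_report(header_text):
    """Return (reported_total, required, {rule: score}) from a report header.

    Folded continuation lines are handled because the rule=score pairs are
    matched anywhere after the '(N points, M required)' summary.
    """
    summary = SUMMARY_RE.search(header_text)
    if summary is None:
        raise ValueError("no '(N points, M required)' summary found")
    total, required = (Decimal(g) for g in summary.groups())
    pairs = TEST_RE.findall(header_text[summary.end():])
    return total, required, {name: Decimal(value) for name, value in pairs}


def ranked(scores):
    """Rules sorted from largest positive contribution to most negative."""
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


def is_consistent(total, scores):
    """The header total is rounded to one decimal; allow that much slack."""
    return abs(sum(scores.values(), Decimal(0)) - total) <= Decimal("0.05")


def decisive_rules(required, scores):
    """Rules whose removal alone would drop the message below 'required'."""
    total = sum(scores.values(), Decimal(0))
    if total < required:
        return []
    return [name for name, score in ranked(scores)
            if score > 0 and total - score < required]


if __name__ == "__main__":
    for report in (REPORT_SPAM, REPORT_HAM):
        total, required, scores = parse_report(report)
        print(f"reported {total}, required {required}, "
              f"sum of rules {sum(scores.values(), Decimal(0))}, "
              f"consistent={is_consistent(total, scores)}")
        for name, score in ranked(scores):
            print(f"  {score:>9}  {name}")
        print("  decisive on their own:", decisive_rules(required, scores))
```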



RE: rulesemporium

2006-11-13 Thread Larry Rosenman
jp wrote:
 Does anyone know how to get the replacements for the 88_FVGT* rules?
 I was trying to update them and the ones at www.rulesemporium.com
 refer to a new numbering system that starts with 00_FVGT. Those files
 don't exist. Rulesemporium is the master site for the files
 according to the comments in the top of the cf files.
 
 These new smiley subject suffixed spams seem to be picked up by those
 rules, so I am getting them as up to date as possible. 
 
 Thanks,
 Jason

I'm using the following with sa-update:
88_fvgt_body.cf.sare.sa-update.dostech.net
88_fvgt_rawbody.cf.sare.sa-update.dostech.net
88_fvgt_subject.cf.sare.sa-update.dostech.net
88_fvgt_headers.cf.sare.sa-update.dostech.net
88_fvgt_uri.cf.sare.sa-update.dostech.net

(Along with a bunch of others).

VERY effective set that I have now.



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: Increase in Spam

2006-10-15 Thread Larry Rosenman
Steve Lake wrote:
  Oh, this sounds spectacular.  One question.  Is there a port
 on Freebsd for this?  I don't see one offhand.  If there is, then
 that would assume that all the other necessary ports are present as
 well.  If not, it'll be a royal b trying to get the nix versions
 installed instead if no freebsd ported versions are available.  :(
 
  Also, stupid question to go with the first comment.  Will
 this plugin be included in 3.2.0 so that it's native, or at least an
 optional feature?  I don't care if it takes a bit of extra processor
 power.  The server is a low volume dedicated server, so CPU load
 isn't an issue.  Spam catching of near 100% is. :)
 
 At 05:01 PM 10/12/2006 -0700, Kelson wrote:
 Max Clark wrote:
 I have seen an increase in the amount of spam that has made its way
 through our filters and in to our inboxes. Most of this seems to be
 the stock pitches that are image attachments. Is there any way to
 effectively combat this?
 
 Look into FuzzyOCR.
 http://wiki.apache.org/spamassassin/FuzzyOcrPlugin
 
 Drawback: it needs lots of CPU and extra time per message (more
 precisely, per message with attached images).  YMMV.
 
 --
 Kelson Vibber
 SpeedGate Communications www.speed.net
 
 
 Steven Lake
 Owner/Technical Writer
 Raiden's Realm
 www.raiden.net
 A friendly web community

All the ports, except one, are there.  I really should
put together a port (I'm running it on my FreeBSD/amd64 mailhost).

Works great. 



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



Spamd: forkscaling issue?

2006-10-09 Thread Larry Rosenman
3.1.6 on FreeBSD: 

Oct  9 12:54:42 lists spamd[46015]: prefork: ordered child to accept, but
child reported state '1' at
/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/SpamdForkScalin
g.pm line 450.

Any ideas on what this means?

Previous prefork status:
Oct  9 12:54:39 lists spamd[46015]: prefork: child states: BI

Ideas?

It caused spamd to die :(

Thanks.

-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: Spamd: forkscaling issue?

2006-10-09 Thread Larry Rosenman
I've placed a comment in 4594.

Thanks for the pointer, Daryl!
 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



Sa-learn / mbx?

2006-09-15 Thread Larry Rosenman
Is there a problem with 3.1.5 (FreeBSD port) and sa-learn --mbx?

I get the following:

 /usr/local/bin/sa-learn --spam --mbx --showdots /home/ler/Mail/SA/FN
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory
archive-iterator: unable to open /home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
No such file or directory

Learned tokens from 0 message(s) (0 message(s) examined)

This worked in 3.1.4

Ideas?




RE: Sa-learn / mbx?

2006-09-15 Thread Larry Rosenman
I hadn't needed to in previous releases, and MBOX format seems(!) to
work

I'll re-verify.

LER
 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
-Original Message-
From: mouss [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 15, 2006 3:25 PM
Cc: users@spamassassin.apache.org
Subject: Re: Sa-learn / mbx?

Larry Rosenman wrote:
 Is there a problem with 3.1.5 (FreeBSD port) and sa-learn --mbx?

 I get the following:

  /usr/local/bin/sa-learn --spam --mbx --showdots /home/ler/Mail/SA/FN
   
did you try

 /usr/local/bin/sa-learn --spam --mbx --showdots  /home/ler/Mail/SA/FN





RE: Sa-learn / mbx?

2006-09-15 Thread Larry Rosenman
/.spamassassin1378GH7mLltmp: No such
file or directory
archive-iterator: unable to open
/tmp/.spamassassin1378GH7mLltmp./tmp/.spamassassin1378GH7mLltmp: No such
file or directory

Learned tokens from 0 message(s) (0 message(s) examined)
$ 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
-Original Message-
From: Larry Rosenman [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 15, 2006 4:37 PM
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Subject: RE: Sa-learn / mbx?

I hadn't needed to in previous releases, and MBOX format seems(!) to
work

I'll re-verify.

LER
 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893 -Original
Message-
From: mouss [mailto:[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 3:25 PM
Cc: users@spamassassin.apache.org
Subject: Re: Sa-learn / mbx?

Larry Rosenman wrote:
 Is there a problem with 3.1.5 (FreeBSD port) and sa-learn --mbx?

 I get the following:

  /usr/local/bin/sa-learn --spam --mbx --showdots /home/ler/Mail/SA/FN
   
did you try

 /usr/local/bin/sa-learn --spam --mbx --showdots  /home/ler/Mail/SA/FN






RE: Sa-learn / mbx?

2006-09-15 Thread Larry Rosenman
It's a file.

Where's the BZ, and I'll create a bug.  It did seem to break when I put
3.1.5 on.

(This is in a nightly update script, that's been running for months).

I'll attach the MBX to the BZ ticket. 

 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 15, 2006 5:19 PM
To: users@spamassassin.apache.org
Subject: Re: Sa-learn / mbx?

I think you're going to have to give us more information...

On Fri, Sep 15, 2006 at 05:11:50PM -0500, Larry Rosenman wrote:
 $ sa-learn --mbx --showdots --spam /home/ler/Mail/SA/FN

Is FN a directory or a file?

 archive-iterator: unable to open
/home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
 No such file or directory

It seems that the path is being doubled for some reason.

 /tmp/.spamassassin1378GH7mLltmp./tmp/.spamassassin1378GH7mLltmp: No 
 such file or directory

Hrm.  Yeah, I'd say there's probably a SA bug somewhere doubling the paths
for no good reason.  There was a fairly large ArchiveIterator change made
between
3.1.4 and 3.1.5 (which in hindsight we probably shouldn't have done, but
different discussion,) which could have caused it.

If you can open a bugzilla ticket about it, please include your examples,
and if possible an mbx file that we can test against.  (I don't believe any
of the devs used mbx, so ...)

Thanks.

--
Randomly Selected Tagline:
do {nothing} while (HearFromMe==0)



RE: Sa-learn / mbx?

2006-09-15 Thread Larry Rosenman
I found the BZ.

Bug 5101

Thanks...
PS: I'm willing to test patch(es).

LER
 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
-Original Message-
From: Larry Rosenman [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 15, 2006 5:22 PM
To: 'Theo Van Dinter'; users@spamassassin.apache.org
Subject: RE: Sa-learn / mbx?

It's a file.

Where's the BZ, and I'll create a bug.  It did seem to break when I put
3.1.5 on.

(This is in a nightly update script, that's been running for months).

I'll attach the MBX to the BZ ticket. 

 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 15, 2006 5:19 PM
To: users@spamassassin.apache.org
Subject: Re: Sa-learn / mbx?

I think you're going to have to give us more information...

On Fri, Sep 15, 2006 at 05:11:50PM -0500, Larry Rosenman wrote:
 $ sa-learn --mbx --showdots --spam /home/ler/Mail/SA/FN

Is FN a directory or a file?

 archive-iterator: unable to open
/home/ler/Mail/SA/FN./home/ler/Mail/SA/FN:
 No such file or directory

It seems that the path is being doubled for some reason.

 /tmp/.spamassassin1378GH7mLltmp./tmp/.spamassassin1378GH7mLltmp: No 
 such file or directory

Hrm.  Yeah, I'd say there's probably a SA bug somewhere doubling the paths
for no good reason.  There was a fairly large ArchiveIterator change made
between
3.1.4 and 3.1.5 (which in hindsight we probably shouldn't have done, but
different discussion,) which could have caused it.

If you can open a bugzilla ticket about it, please include your examples,
and if possible an mbx file that we can test against.  (I don't believe any
of the devs used mbx, so ...)

Thanks.

--
Randomly Selected Tagline:
do {nothing} while (HearFromMe==0)




RE: All image spam

2006-03-08 Thread Larry Rosenman
Sandy S wrote:
 We're also being bombarded with these and I noticed that the bottom
 received header on all of them is in a format like
 
 Received: from [87.245.169.135] (port=2971 helo=aflmpt)
  by amdy with esmtp
  id 1FGG09-0005lZ-7J
 
 I put in a  rule to catch this:
 header ODD_PORT_SS Received =~ /from
 \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}/
 
 My question to the group is - how likely is a header with that
 non-standard port likely to show up in real mail?  Is this a good
 spam sign? 
 
 (And Theo, no, the ISP does not have a good corpus, at least not of
 ham - average user doesn't have a clue as to how to submit messages
 with all the headers intact and doesn't understand why they should
 anyway, and privacy issues prevent us from gathering a corpus of ham
 ourselves) 
 
 Thanks,
 Sandy S

every message that goes through my Exim server will log the port the CLIENT
used.

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: All image spam

2006-03-08 Thread Larry Rosenman
Sandy S wrote:
 - Original Message -
 From: Larry Rosenman ler@lerctr.org
 To: 'Sandy S' [EMAIL PROTECTED]; users@spamassassin.apache.org
 Sent: Wednesday, March 08, 2006 10:13 AM
 Subject: RE: All image spam
 
 
 Sandy S wrote:
 We're also being bombarded with these and I noticed that the bottom
 received header on all of them is in a format like
 
 Received: from [87.245.169.135] (port=2971 helo=aflmpt)  by amdy
  with esmtp id 1FGG09-0005lZ-7J
 
 I put in a  rule to catch this:
 header ODD_PORT_SS Received =~ /from
 \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}/
 
 My question to the group is - how likely is a header with that
 non-standard port likely to show up in real mail?  Is this a good
 spam sign? 
 
 (And Theo, no, the ISP does not have a good corpus, at least not of
 ham - average user doesn't have a clue as to how to submit messages
 with all the headers intact and doesn't understand why they should
 anyway, and privacy issues prevent us from gathering a corpus of
 ham ourselves) 
 
 Thanks,
 Sandy S
 
 every message that goes through my Exim server will log the port the
 CLIENT used. 
 
 LER
 
 
 --
 Larry Rosenman http://www.lerctr.org/~ler
 Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
 US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
 
 
 Rats - I thought I was on to something there!  I don't know anything
 about Exim - would users be sending mail from odd ports like 2947,
 3942, 4821, etc?  Or would they use the standard SMTP port 25, or
 587 for SMTP auth mail?
 
 Thanks,
 Sandy

In my case, it comes via 587, but that's not necessarily logged.  Look at
the headers for 'lerami.lerctr.org' in this message.

Here is the header for YOUR message that MY system added:
Received: from merlin.boreal.org ([216.70.16.15]:54736)
by lerami.lerctr.org with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.60)
(envelope-from [EMAIL PROTECTED])
id 1FH1Qf-0001kR-VB
for ler@lerctr.org; Wed, 08 Mar 2006 10:22:30 -0600

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: Apple iCards are being marked as spam

2006-03-03 Thread Larry Rosenman
Theo Van Dinter wrote:
 On Fri, Mar 03, 2006 at 05:08:33PM -0500, Benjamin Adams wrote:
 Apple iCards are being marked as spam what can I do about it?
 
 A piece of the header:
 X-Spam-Status: Yes, hits=5.108 tagged_above=-999 required=5
  tests=FORGED_YAHOO_RCVD, HTML_50_60, HTML_EXTRA_CLOSE,
 HTML_MESSAGE,  MIME_HTML_ONLY, TW_DF X-Spam-Level: *
 
 I don't know what TW_DF is, it's not a standard rule.  I just sent
 myself a card:
 
 HTML_50_60,HTML_EXTRA_CLOSE,HTML_MESSAGE,MIME_HTML_ONLY
 
 HTML_EXTRA_CLOSE is the biggie at 3.6 for set3.  HTML_50_60 is 0.1 in
 set3. The rest are basically 0.
 
 FORGED_YAHOO_RCVD is 1.8, but if the card was sent to you from a
 yahoo.com address, it was technically forged since all yahoo.com
 mails should come from a Yahoo server.
 
 fyi.

TW_?? is TripWire.

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: lots of new spam

2006-02-09 Thread Larry Rosenman
Lisa Casey wrote:

 I'm having the same trouble with SARE_STOCKS. I have added it to
 Trusty Rulesets, but when I run rules_du_jour I get this:
 
 
 No index found for ruleset named SARE_STOCKS.  Check that this
 ruleset is still valid.
 No files updated; No restart required.

Do you have version 1.28 of rules_du_jour?

It's the version that added SARE_STOCKS.

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



Mail::DomainKeys 0.80: Known bad with SA 3.1.0?

2006-02-07 Thread Larry Rosenman
I have run into an issue, that I think is SA's.

If I have Mail::DomainKeys 0.80 installed, SA's DomainKeys plugin can't find
Method 'header'.

Is this known?

Is a fix/patch available?

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3683 US



RE: rbldnsd on FreeBSD

2006-01-22 Thread Larry Rosenman
Jeff Peng wrote:
 hi,Irina,
 rbldnsd is really a simple dns server.you can use it directly,no any
 need to bind.and,you can use rsync to download the rbl files. 
 
I have both rbldnsd and bind running on my 2 nameservers.  I had to
bind (pardon the pun) rbldnsd to a separate alias IP, as I couldn't seem
to make bind9 do the forward correctly.

Rbldnsd is in FreeBSD ports (although it seems to be a release or 2 down,
I'll probably submit an update soon).

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3683 US



RE: RE: rbldnsd on FreeBSD

2006-01-22 Thread Larry Rosenman
Jeff Peng wrote:
 when you run ./rbldnsd -h
 you should see:
 -b address[/port] - bind to (listen on) this address (required)
 
 So you can bind the rbldnsd to another alias IP address,diff from the
 IP that your BIND server is listening to. I think there is no
 conflict between the rbldnsd and the BIND. 
 
I did that, and bind didn't seem(!) to be forwarding the requests, so I just
gave it a different IP address, and told Bind to leave that IP alone.

Not a biggie, and it's happily responding.

LER




-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3683 US



RE: [SURBL-Discuss] RE: Google search as spam URI

2006-01-04 Thread Larry Rosenman
[EMAIL PROTECTED] wrote:
 Dallas L. Engelken wrote:
 From: Dallas L. Engelken [mailto:[EMAIL PROTECTED]
 
 /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9
 \-\.]+)$/I 
 
 
 Notice the 'I' at the end should be 'i'.
 Damn outlook,
 
 Agreed.
 
 I know what I want to say!
 
 Have you configured Outlook to use Word as the email editor?  If so
 that might explain the AutoCorrect you are experiencing. 

Nope, even without word as the editor, it still does it :(

(from painful experience).



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: SpamAssassin 3.1.0pre1 PRERELEASE available!

2005-06-20 Thread Larry Rosenman
The current one from SARE works fine :) 

And, the latest RDJ has support for all the SARE rules. 

LER
 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 3535 Gaspar Drive, Dallas, TX 75220-3611 US

-Original Message-
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 20, 2005 6:23 PM
To: Ben Hanson
Cc: users@spamassassin.apache.org
Subject: Re: SpamAssassin 3.1.0pre1 PRERELEASE available!

Ben Hanson wrote:
 I get 139 errors regarding the 70_sare_whitelist.cf entries. from 
 3.1pre.  Has the syntax for whitelist_from_rcvd changed?
 Ben

This is due to the comments Bob had at the end of each entry, without a #
before them.

He was going to correct this prior to the 3.1 release.  I believe there is
an updated version that corrects this available.

Daryl




RE: SpamAssassin 3.1.0pre1 PRERELEASE available!

2005-06-19 Thread Larry Rosenman
Another one you might want to add to that list:

Crypt::OpenSSL::Bignum

The pre-req chain for Mail::DomainKeys doesn't req it, but apparently SA
3.1.0pre1 does.

LER
 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 3535 Gaspar Drive, Dallas, TX 75220-3611 US

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Sunday, June 19, 2005 1:28 PM
To: users@spamassassin.apache.org
Subject: Re: SpamAssassin 3.1.0pre1 PRERELEASE available!

On Sun, Jun 19, 2005 at 11:32:05AM +0200, Kai Schaetzl wrote:
 I did a make install now. I have it running with a MailScanner setup 
 of a few months ago. I enabled DomainKeys and found that this module 
 isn't included. Is this only for this pre-release? If not, I suggest 
 adding that information to all modules mentioned in v310.pre but are not
included.

Which module are you talking about?  I'm assuming the Mail::DomainKeys
module.  If so, you need to install that from CPAN, it's not part of SA.
I'm adding that to the list of optional modules in the INSTALL doc.

--
Randomly Generated Tagline:
Mac - A computer with training wheels you can't take off.



RE: SpamAssassin 3.1.0pre1 PRERELEASE available!

2005-06-19 Thread Larry Rosenman
Theo Van Dinter wrote:
 On Sun, Jun 19, 2005 at 04:02:11PM -0400, Larry Rosenman wrote:
 It showed up when I enabled Mail::DomainKeys, so it may be that In
 the way SA is using it, FWIW.
 
 Doing some digging, DK uses Crypt::OpenSSL::RSA, which has in it:
 
 BEGIN { eval { require Crypt::OpenSSL::Bignum; }; }
 
 All I can say is that RSA 0.18 doesn't complain that I don't have
 Bignum installed on my box. 

$ grep Bignum /var/log/maillog
Jun 19 13:35:55 lerami.lerctr.org spamassassin[13366]: Can't locate
Crypt/OpenSSL/Bignum.pm in @INC (@INC contains: lib ../lib
/opt/lib/perl5/site_perl/5.8.3/i386-unixware-thread-multi
/opt/lib/perl5/site_perl/5.8.3
/opt/lib/perl5/5.8.3/i386-unixware-thread-multi /opt/lib/perl5/5.8.3
/opt/lib/perl5/site_perl/5.8.0/i386-unixware-thread-multi
/opt/lib/perl5/site_perl/5.8.0 /opt/lib/perl5/site_perl) at
/opt/lib/perl5/site_perl/5.8.3/i386-unixware-thread-multi/Crypt/OpenSSL/RSA.
pm line 29.
$

Is what tripped me to it :(

Spamassassin --lint did **NOT** complain :(

FWIW.

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 3535 Gaspar Drive, Dallas, TX 75220-3611 US



RE: SpamAssassin 3.1.0pre1 PRERELEASE available!

2005-06-19 Thread Larry Rosenman
Theo Van Dinter wrote:
 On Sun, Jun 19, 2005 at 04:02:11PM -0400, Larry Rosenman wrote:
 It showed up when I enabled Mail::DomainKeys, so it may be that In
 the way SA is using it, FWIW.
 
 Doing some digging, DK uses Crypt::OpenSSL::RSA, which has in it:
 
 BEGIN { eval { require Crypt::OpenSSL::Bignum; }; }
 
 All I can say is that RSA 0.18 doesn't complain that I don't have
 Bignum installed on my box. 

Seems I have Crypt::OpenSSL::RSA 0.21.

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 3535 Gaspar Drive, Dallas, TX 75220-3611 US



Re: SA against RazorGate

2005-04-28 Thread Larry Rosenman
On Thursday 28 April 2005 09:10 am, Nestor Burma wrote:
 Hello,

 We are currently looking RazorGate (Mirapoint)
 appliances, for their anti-spam function.
 Has anyone of you any feedback on those boxes,
 compared to SA ? You can point us to links on the net,
 of course.

I eval'ed one at $Previous_Employer.  They don't give details on what hit.

LER

 Sincerely,

 NB







-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-351-4152 E-Mail: ler@lerctr.org
US Mail: 3535 Gaspar Drive, Dallas, TX 75220-3611


RE: How to purge bayes?

2005-02-24 Thread Larry Rosenman
Mark wrote:
 -Original Message-
 From: David Guntner [mailto:[EMAIL PROTECTED]
 Sent: donderdag 24 februari 2005 3:02
 To: users@spamassassin.apache.org
 Subject: Re: How to purge bayes?
 
 
 Mark grabbed a keyboard and wrote:
 
 How do I purge my bayes_* files? Especially, my bayes_journal is
 over 250 MB! I like it to re-init with a fresh start. But when I
 echo -n  the files, and restart SA, I get dbase errors. So, how
 can I easily go about this?
 
 When I had to do it some time ago, I just did a rm bayes_* and poof
 they were gone.  Next time something came in, spamd just recreated
 them.
 
 As I just wrote someone (who suggested the same):
 
 When I do that, however, I get this in my log:
 
 bayes: no dbs present, cannot scan: /var/db/spamassassin/bayes_toks
 
 Is that ok?
 
 Thanks,
 
 - Mark

This smells like a sitewide bayes, and permissions issues. 

Check what id SPAMD is running as, and the permissions for
/var/db/spamassassin.

LER


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749



RE: Whitelising IP's?

2005-02-22 Thread Larry Rosenman
Johann Spies wrote:
 On Fri, Feb 18, 2005 at 11:02:15AM -0500, Chris Santerre wrote:
 
 Absolutely! But without knowing how you are blocking, I can't say
 anymore. 
 
 I am using exim4 with exiscan and refuse to accept mail identified as
 spam. 
 
 Regards
 Johann

So, don't run those IP's through the spam check.

See !hosts=



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749