RE: DKIM Score
Hi Matus,

Suppose there is a user someb...@example.com who is on vacation and using a 3rd party SMTP server (w/o DKIM) for sending email. I want to temporarily whitelist it to bypass DKIM checking.

For blacklist, suppose I only want 1 VIP user (v...@example.org) to require DKIM checking instead of the whole domain.

Regards,
Lee

-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk]
Sent: Tuesday, August 16, 2016 4:27 PM
To: users@spamassassin.apache.org
Subject: Re: DKIM Score

On 16.08.16 08:18, Chris Lee wrote:
>Besides, it is possible to just whitelist or blacklist some email address for
>DKIM checking?

do you mean to exempt a domain from DKIM checking? I don't see the point still...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.

This message and its attachment (if any) are strictly confidential and sent to the designated recipient(s) only. If you are not the intended recipient, please notify the sender by e-mail and delete this message and its attachment (if any) from your computer system immediately. Century City International Holdings Limited, Paliburg Holdings Limited, Regal Hotels International Holdings Limited, its respective related subsidiaries, associated companies and affiliates do not guarantee this message and its attachment (if any) are free of computer virus and would not accept any liability whatsoever arising from Internet transmission.
RE: DKIM Score
Hi Merijn,

Still digesting your solution; it looks rather complex to me.

Besides, is it possible to just whitelist or blacklist some email address for DKIM checking?

Regards,
Chris Lee

-----Original Message-----
From: Merijn van den Kroonenberg [mailto:mer...@web2all.nl]
Sent: Tuesday, August 16, 2016 4:00 PM
To: users@spamassassin.apache.org
Subject: RE: DKIM Score

> Besides, can I change the lines as following?
>
> header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i
> header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i
> header __DKIM_REQUIRED From:addr =~ /\@( example\.nl)$/i
> .
> .
>
> As I have lots of domain to handle.

You could script the generation of a single line like Bill Cole suggested (and you can use include files in the config to make this easier). However I am curious about the performance of a rule like that with a lot of domains in it.

Alternatively you could also set up a dns based list of sender domains. In fact I have been wondering if someone is maintaining a list like that. Because I guess a lot of people must be doing similar things on their own. Eg. we require dkim of spf to be present for some local bank domains. Especially banks and the like have already a policy, often specified on their site, for which of their domains require dkim or spf.

Would there be a point in a central, maybe self maintained dns based domain list where organisations can register domains as 'requiring' dkim/spf? Sort of an explicit opt-in for organisations who really know they have everything correctly set-up.

A dns list configuration would look like this (and might be easier maintainable for some people):

# Check envelope from against domain-based list at dkiml.example.com
header   __DKIM_REQUIRED_DNS  eval:check_rbl_from_domain('dkiml', 'dkiml.example.com.')
describe __DKIM_REQUIRED_DNS  Envelope sender listed in dkiml.example.com (Example domain listing)
tflags   __DKIM_REQUIRED_DNS  net
reuse    __DKIM_REQUIRED_DNS

describe DKIM_REQUIRED_FAIL   Sender requires a valid DKIM signature but it was not present
meta     DKIM_REQUIRED_FAIL   (__DKIM_REQUIRED_DNS && !DKIM_VALID_AU)
score    DKIM_REQUIRED_FAIL   10.0

What would be the performance pros and cons between a hardcoded regex with a lot of domains or a dns list (lookup)? I think it probably doesn't matter that much unless the regex is really huge. So it's just a matter of personal preference for maintainability?
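Scripting the generation of the single regex line, as suggested in the message above, could look like the following added example (not code from the thread or from SpamAssassin). It goes one step further than the thread and also covers the per-address question asked in it: the sub-rule names __DKIM_REQUIRED_ADDR and __DKIM_EXEMPT_ADDR, the list format and the sample addresses are assumptions made for this example.

```python
import re

# Conservative syntax checks: list entries end up inside a regex in a config
# file, so anything that is not a plain host name or address is refused.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)
LOCAL_RE = re.compile(r"^[a-z0-9._%+-]{1,64}$")


def quotemeta(text):
    """Backslash-escape every non-word character, like Perl's quotemeta."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)


def clean(lines):
    """Lower-case entries; drop blank lines and '#' comments."""
    entries = (line.split("#", 1)[0].strip().lower() for line in lines)
    return [e for e in entries if e]


def parse_domains(lines):
    domains = clean(lines)
    for d in domains:
        if not DOMAIN_RE.match(d):
            raise ValueError("not a domain name: %r" % d)
    return sorted(set(domains))


def parse_addresses(lines):
    addrs = clean(lines)
    for a in addrs:
        local, at, domain = a.rpartition("@")
        if not (at and LOCAL_RE.match(local) and DOMAIN_RE.match(domain)):
            raise ValueError("not an e-mail address: %r" % a)
    return sorted(set(addrs))


def build_rules(domains, required_addrs=(), exempt_addrs=(), score="10.0"):
    """Return SpamAssassin config lines for the DKIM_REQUIRED_FAIL meta rule."""
    domains = parse_domains(domains)
    required = parse_addresses(required_addrs)
    exempt = parse_addresses(exempt_addrs)
    if not (domains or required):
        raise ValueError("nothing to require DKIM for")

    rules, selectors = [], []
    if domains:
        alt = "|".join(quotemeta(d) for d in domains)
        rules.append("header __DKIM_REQUIRED From:addr =~ /\\@(?:%s)$/i" % alt)
        selectors.append("__DKIM_REQUIRED")
    if required:  # hypothetical sub-rule: single addresses that need DKIM
        alt = "|".join(quotemeta(a) for a in required)
        rules.append("header __DKIM_REQUIRED_ADDR From:addr =~ /^(?:%s)$/i" % alt)
        selectors.append("__DKIM_REQUIRED_ADDR")
    cond = " || ".join(selectors)
    if len(selectors) > 1:
        cond = "(%s)" % cond
    if exempt:
        # From: is sender-controlled, so an exempted address can be forged by
        # anyone while the exemption exists; keep this list short and dated.
        alt = "|".join(quotemeta(a) for a in exempt)
        rules.append("header __DKIM_EXEMPT_ADDR From:addr =~ /^(?:%s)$/i" % alt)
        cond += " && !__DKIM_EXEMPT_ADDR"
    rules.append("meta DKIM_REQUIRED_FAIL (%s && !DKIM_VALID_AU)" % cond)
    rules.append("describe DKIM_REQUIRED_FAIL Sender requires a valid DKIM "
                 "signature but it was not present")
    rules.append("score DKIM_REQUIRED_FAIL %s" % score)
    return rules


# Constructed sample input (not from the thread).
SAMPLE_DOMAINS = ["example.com", "Example.ORG   # bank", "", "# comment", "example.com"]
SAMPLE_REQUIRED = ["ceo@example.net"]
SAMPLE_EXEMPT = ["traveller@example.com"]

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_DOMAINS, SAMPLE_REQUIRED, SAMPLE_EXEMPT)))
```

Redefining the same rule name on several lines replaces the earlier definitions, which is why the domains are folded into one alternation. The output can be written to a file that the main configuration pulls in with an include line.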
RE: DKIM Score
Dear Merijn,

Excellent! It works perfectly!

Besides, can I change the lines as following?

header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i
header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i
header __DKIM_REQUIRED From:addr =~ /\@( example\.nl)$/i
.
.

As I have lots of domain to handle.

Regards,
Lee

-----Original Message-----
From: Merijn van den Kroonenberg [mailto:mer...@web2all.nl]
Sent: Monday, August 15, 2016 7:19 PM
To: users@spamassassin.apache.org
Subject: Re: DKIM Score

> Hi,
>
> How to setup to give high score for specific domain cannot pass DKIM test?
>
> For example: My own email domain is example.com
>
> Any incoming email from: example.com does not pass DKIM test score 10.0
>

describe __DKIM_REQUIRED     Require a valid DKIM signature for these domains
header   __DKIM_REQUIRED     From:addr =~ /\@(example\.com|example\.org)$/i

describe DKIM_REQUIRED_FAIL  Sender requires a valid DKIM signature but it was not present
meta     DKIM_REQUIRED_FAIL  (__DKIM_REQUIRED && !DKIM_VALID_AU)
score    DKIM_REQUIRED_FAIL  10.0

This tests the from address for a *@example.com (and org) address. If it matches then it requires a valid DKIM signature for the domain of the sender (in this case example.com or example.org).
DKIM Score
Hi, How to setup to give high score for specific domain cannot pass DKIM test? For example: My own email domain is example.com Any incoming email from: example.com does not pass DKIM test score 10.0 Spamassassin Version: 3.4.1 Release: 6.fc23 OS: Fedora FC 23 Many thanks in advance. Cheers, Lee
Re: Fwd: plonk
no idea, I read emails from both you and him and didn't see anything amiss. Benny's signature does not parse as English so it's hard to say what it means. I wouldn't worry about it. -lee On 5/7/2013 8:56 AM, Joe Acquisto-j4 wrote: Whatever that means. I think that if someone has cause offense they should be allowed to know what it was, in unambiguous terms. joe a. Benny Pedersen m...@junc.eu 05/07/13 6:08 AM respect my signature atleast
Re: Fwd: plonk
some folks are preachy and sensitive... like those bottom posters who seem to like telling top posters how wrong they are. I wouldn't worry about it. But it was interesting to hear the history of the word plonk.. that was cool. -lee On 5/7/2013 12:06 PM, Joe Acquisto-j4 wrote: John Hardin jhar...@impsec.org 05/07/13 10:43 AM On Tue, 7 May 2013, Joe Acquisto-j4 wrote: Whatever that means. plonk is the notional sound that the offensive user's email address makes when it hits the bottom of the Usenet killfile of the person who said that. In other words, I'm ignoring you now, usually with a strong implied you moron. That part I got. What I did not get was why my attempts to clarify whatever offense was taken were met by reject messages. Seems a bit rude, if not childish, to figuratively spit on someone, then go hide. If I offend, at least have the courtesy to tell me what the issue is and not ignore attempts to reconcile the matter. Especially, since in reviewing my email, I can see nothing to take offense at. At least in my reality. In any event I'm for getting on with more important things. joe a.
Re: Fwd: plonk
On 5/7/2013 12:11 PM, Jim Popovitch wrote: On Tue, May 7, 2013 at 12:06 PM, Joe Acquisto-j4 j...@j4computers.com wrote: What I did not get was why my attempts to clarify whatever offense was taken were met by reject messages. Quite simply put, Benny Pedersen m...@junc.eu wants you to respect his signature, which reads: senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, dont do it -Jim P. must be a slow day... but I can't parse that sentence into anything meaningful.
Re: New versions of Perl are slower
On 4/11/2012 8:23 PM, Julian Yap wrote: On Tue, Apr 10, 2012 at 4:57 PM, Lee Dilkie l...@dilkie.com wrote: On 4/10/2012 10:50 PM, Julian Yap wrote: Hmm, thanks for the info. It certainly explains things. Yeah, SpamAssassin previously used to blaze through mail scans (everything scanned in less than 3 seconds) on the same hardware. It's annoying that Perl is getting slower over time and there's no way to stop it because older versions of Perl get deprecated. - Julian I've found that bsdpan-Mail-SpamAssassin-CompiledRegexps makes a vast improvement in rules regex scanning. Yep, I've been using that. Maybe I should run some tests with it disabled. - Julian are you sure it's being used after your perl upgrade? Perhaps that's what you are seeing. Maybe you need to re-compile your SA rules again.
Re: New versions of Perl are slower
On 4/10/2012 10:50 PM, Julian Yap wrote: Hmm, thanks for the info. It certainly explains things. Yeah, SpamAssassin previously used to blaze through mail scans (everything scanned in less than 3 seconds) on the same hardware. It's annoying that Perl is getting slower over time and there's no way to stop it because older versions of Perl get deprecated. - Julian I've found that bsdpan-Mail-SpamAssassin-CompiledRegexps makes a vast improvement in rules regex scanning. -lee
RE: Help with blocking Chinese Spam
Well, it is not easy to quote properly from hotmail. Excuse my mess up and top posting. Bottom line is... I got rid of this chinese crap. Thank you all for the help SA users. Jenny - Subject: Re: Help with blocking Chinese Spam On Tue, 13 Mar 2012 12:40:16 + Jenny Lee bodycar...@live.com wrote: Will give this a go. What I don't understand is that... Why is this not catching this 'utf' which is on the subject? You need the :raw tag to see the raw, unencoded header. The meta-rule: header __RP_SUBJ_CJK Subject =~ /[\xe4-\xe9]/ attempts to limit matches on UTF-8 subjects to Chinese characters because the leading bytes e4-e9 in UTF-8 (mostly) cover CJK ideographs. It's not a perfect filter, but blocking all UTF-8-encoded subjects would yield way too many FPs for us. Regards, David. PS: I haven't looked at SA's Bayes implementation. Can it handle words in non-western character sets properly? Thank you David, Jared and Jari. Adding: Subject:raw =~/=\?utf-8\?B/i Subject =~ /[\xe4-\xe9]/ caused this crap get caught. Both works, so I will keep David's advice. So I think I will just remove this TexCat plugin which does not identify it properly. This is great list, thanks again for everyone. All help appreciated. Jenny
Help with blocking Chinese Spam
Dear SA Users, I am getting this chinese spam every hour. I tried, ok_locales, ok_languages with texcat plugin... I tried matching the subject... but these people are always getting through. http://www.pastebin.ca/2127622 What rules/modifications do I need to do to get rid of this? J
RE: Help with blocking Chinese Spam
Dear SA Users, I am getting this chinese spam every hour. I tried, ok_locales, ok_languages with texcat plugin... I tried matching the subject... but these people are always getting through. http://www.pastebin.ca/2127622 What rules/modifications do I need to do to get rid of this? J My wrong for omitting info. It would help to mention that this is a freaking botnet. So IP, email, country, etc... are all random. J
RE: Help with blocking Chinese Spam
Date: Tue, 13 Mar 2012 08:25:21 -0400
From: d...@roaringpenguin.com
To: users@spamassassin.apache.org
Subject: Re: Help with blocking Chinese Spam

On Tue, 13 Mar 2012 09:48:37 + Jenny Lee bodycar...@live.com wrote:

I am getting this chinese spam every hour. I tried, ok_locales, ok_languages with texcat plugin... I tried matching the subject... but these people are always getting through. http://www.pastebin.ca/2127622 What rules/modifications do I need to do to get rid of this?

We use this rule, but it's aggressive. It will block any Chinese message with a Word or Excel attachment. For our user-base, that's fine, but YMMV.

Regards, David.

# Chinese spams
header __RP_SUBJ_UTF8 Subject:raw =~ /=\?utf-8\?B/i
header __RP_SUBJ_GB2312 Subject:raw =~ /=\?gb2312\?B/i
header __RP_SUBJ_CJK Subject =~ /[\xe4-\xe9]/
full __RP_8BIT_FNAME /name=.{0,30}[\x80-\xff]/
full __RP_EXCEL /application\/vnd.ms-excel/i
full __RP_DOC /application\/msword/i
full __RP_GB2312_FNAME /name=.?=\?gb2312\?/i
meta RP_D_00032 (__RP_SUBJ_UTF8 && __RP_SUBJ_CJK && (__RP_EXCEL || __RP_DOC || __RP_8BIT_FNAME)) || (__RP_SUBJ_GB2312 && (__RP_GB2312_FNAME || __RP_EXCEL || __RP_DOC || __RP_8BIT_FNAME))
describe RP_D_00032 Looks like a Chinese spam
score RP_D_00032 5.0

Thank you David. Will give this a go.

What I don't understand is that... Why is this not catching this 'utf' which is on the subject? I used this for testing purposes. It catches other botnet headers like 'Experian', etc.

header XX_CUSTOM_HEADER Subject =~ /Experian|\$1500|to your account on file today|into your account today|video|clip|movie| vid|episode|utf/i
score XX_CUSTOM_HEADER 8.0
describe XX_CUSTOM_HEADER XX Custom Rules - Header

J
RE: Help with blocking Chinese Spam
Date: Tue, 13 Mar 2012 12:19:38 + From: rwmailli...@googlemail.com To: users@spamassassin.apache.org Subject: Re: Help with blocking Chinese Spam On Tue, 13 Mar 2012 12:14:36 + RW wrote: On Tue, 13 Mar 2012 09:48:37 + Jenny Lee wrote: Dear SA Users, I am getting this chinese spam every hour. I tried, ok_locales, ok_languages with texcat plugin... I tried matching the subject... but these people are always getting through. http://www.pastebin.ca/2127622 What rules/modifications do I need to do to get rid of this? J You can enable the TextCat plugin in v310.pre and set ok_languages. UNWANTED_LANGUAGE_BODY scores 2.8 which should help a lot. Sorry, I missed that you'd tried textcat, but I ran the example through spamassassin and it did hit UNWANTED_LANGUAGE_BODY which is absent in your headers. Are you sure you actually turned it on? I did turn it on in the .pre. It is also supposed to add a header, but it does not. How can I check if it is working or not? I have: ok_locales en ok_languages en Jenny
RE: Help with blocking Chinese Spam
Subject: Re: Help with blocking Chinese Spam
From: mar...@gregorie.org
To: users@spamassassin.apache.org
Date: Tue, 13 Mar 2012 12:09:19 +

On Tue, 2012-03-13 at 09:48 +, Jenny Lee wrote:

Dear SA Users, I am getting this chinese spam every hour. I tried, ok_locales, ok_languages with texcat plugin... I tried matching the subject... but these people are always getting through. http://www.pastebin.ca/2127622 What rules/modifications do I need to do to get rid of this?

If that UTF-8 prefix - =?utf-8?B? - is specific for Chinese, then a rule something like:

header __FC1 From:raw =~ /=\?utf-8\?B\?/i
header __FC2 From =~ /\.cn/i
meta FAKE_CHINESE (__FC1 && !__FC2)

might do it.

Dear Martin, Thank you for your input. Subject is always with utf-8. From is half of the time with utf-8. I checked our regular mail and we never have utf-8 in the subject from anyone (last 2 months check). Can some expert advise on blocking based on this utf-8 in the subject?

Equally obviously, if all the spam is coming from Argentina,

Botnet. Country is not relevant on this.

Jenny
RE: Help with blocking Chinese Spam
Date: Tue, 13 Mar 2012 05:47:03 -0700
From: le...@jam-software.com
To: users@spamassassin.apache.org
Subject: RE: Help with blocking Chinese Spam

Jenny Lee-2 wrote:

I did turn it on in the .pre. It is also supposed to add a header, but it does not. How can I check if it is working or not? I have:

ok_locales en
ok_languages en

Jenny

Add this to your config file:

add_header all Language _LANGUAGES_

This adds the header.

Thank you. However, running: spamassassin -D chinesespam Does not catch this.

Jenny

Mar 13 17:06:36.294 [27011] dbg: plugin: Mail::SpamAssassin::Plugin::TextCat=HASH(0x1d50bc8) implements 'extract_metadata', priority 0
Mar 13 17:06:36.294 [27011] dbg: message: MIME PARSER START
Mar 13 17:06:36.295 [27011] dbg: message: parsing multipart, got boundary: =_NextPart_000_004F_0181A2CA.182A5CF0
Mar 13 17:06:36.295 [27011] dbg: message: found part of type multipart/alternative, boundary: =_NextPart_001_034A_0181A2CA.182A5CF0
Mar 13 17:06:36.296 [27011] dbg: message: added part, type: multipart/alternative
Mar 13 17:06:36.299 [27011] dbg: message: found part of type application/vndms-excel, boundary: =_NextPart_000_004F_0181A2CA.182A5CF0
Mar 13 17:06:36.299 [27011] dbg: message: added part, type: application/vndms-excel
Mar 13 17:06:36.299 [27011] dbg: message: parsing multipart, got boundary: =_NextPart_001_034A_0181A2CA.182A5CF0
Mar 13 17:06:36.300 [27011] dbg: message: found part of type text/plain, boundary: =_NextPart_001_034A_0181A2CA.182A5CF0
Mar 13 17:06:36.300 [27011] dbg: message: added part, type: text/plain
Mar 13 17:06:36.301 [27011] dbg: message: found part of type text/html, boundary: =_NextPart_001_034A_0181A2CA.182A5CF0
Mar 13 17:06:36.301 [27011] dbg: message: added part, type: text/html
Mar 13 17:06:36.301 [27011] dbg: message: parsing normal part
Mar 13 17:06:36.302 [27011] dbg: message: parsing normal part
Mar 13 17:06:36.302 [27011] dbg: message: parsing normal part
Mar 13 17:06:36.302 [27011] dbg: message: MIME PARSER END
Mar 13 17:06:36.303 [27011] dbg: message: decoding base64
Mar 13 17:06:36.303 [27011] dbg: message: decoding base64
Mar 13 17:06:36.310 [27011] dbg: textcat: classifying, skipping: yi sco lv is bs sl la ga sa eu et rm cy eo fy gd lt
Mar 13 17:06:36.328 [27011] dbg: textcat: can't determine language uniquely enough
Mar 13 17:06:36.328 [27011] dbg: textcat: X-Languages: , X-Languages-Length: 671
RE: Help with blocking Chinese Spam
Date: Tue, 13 Mar 2012 09:14:10 -0400 From: d...@roaringpenguin.com To: users@spamassassin.apache.org Subject: Re: Help with blocking Chinese Spam On Tue, 13 Mar 2012 12:40:16 + Jenny Lee bodycar...@live.com wrote: Will give this a go. What I don't understand is that... Why is this not catching this 'utf' which is on the subject? You need the :raw tag to see the raw, unencoded header. The meta-rule: header __RP_SUBJ_CJK Subject =~ /[\xe4-\xe9]/ attempts to limit matches on UTF-8 subjects to Chinese characters because the leading bytes e4-e9 in UTF-8 (mostly) cover CJK ideographs. It's not a perfect filter, but blocking all UTF-8-encoded subjects would yield way too many FPs for us. Regards, David. PS: I haven't looked at SA's Bayes implementation. Can it handle words in non-western character sets properly? Thank you David, Jared and Jari. Adding: Subject:raw =~/=\?utf-8\?B/i Subject =~ /[\xe4-\xe9]/ caused this crap get caught. Both works, so I will keep David's advice. So I think I will just remove this TexCat plugin which does not identify it properly. This is great list, thanks again for everyone. All help appreciated. Jenny
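The difference between Subject:raw and the decoded Subject, and what the e4-e9 lead-byte test does and does not cover, can be checked with the following added example (a Python model of the matching, not code from the thread or from SpamAssassin). It assumes, as the message above states, that a plain Subject rule sees the decoded header while Subject:raw sees it as transmitted; the sample subjects are constructed.

```python
import base64
import re
from email.header import decode_header

# The header tests quoted in the thread, written as byte regexes.
RAW_UTF8_B64 = re.compile(rb"=\?utf-8\?B", re.IGNORECASE)  # Subject:raw test
CJK_LEAD = re.compile(rb"[\xe4-\xe9]")                      # decoded Subject test
LITERAL_UTF = re.compile(rb"utf", re.IGNORECASE)            # the 'utf' test rule


def encode_subject(text):
    """Build an RFC 2047 base64 encoded-word, as a mail client would send it."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?utf-8?B?" + b64 + "?="


def decoded_subject_bytes(raw_subject):
    """Bytes a plain 'Subject =~' rule is matched against (words decoded)."""
    out = b""
    for chunk, _charset in decode_header(raw_subject):
        if isinstance(chunk, str):          # header had no encoded-words
            chunk = chunk.encode("ascii", "replace")
        out += chunk
    return out


def evaluate(raw_subject):
    """Report which of the three tests fire for one raw Subject value."""
    raw = raw_subject.encode("ascii", "replace")
    decoded = decoded_subject_bytes(raw_subject)
    return {
        "raw_utf8_b64": bool(RAW_UTF8_B64.search(raw)),
        "cjk_lead": bool(CJK_LEAD.search(decoded)),
        "utf_on_decoded": bool(LITERAL_UTF.search(decoded)),
    }


def lead_byte_range(lo=0xE4, hi=0xE9):
    """Code points reachable by three-byte UTF-8 sequences with these leads."""
    first = ord(bytes([lo, 0x80, 0x80]).decode("utf-8"))
    last = ord(bytes([hi, 0xBF, 0xBF]).decode("utf-8"))
    return first, last


# Constructed sample subjects (not taken from the spam in the thread).
SAMPLES = {
    "chinese": encode_subject("\u53d1\u7968"),                 # Han ideographs
    "kana": encode_subject("\u3053\u3093\u306b\u3061\u306f"),  # Japanese hiragana
    "french": encode_subject("R\u00e9sum\u00e9 du projet"),    # Latin with accents
    "ascii": "Please check utf settings",                      # no encoding at all
}


def survey():
    return {name: evaluate(subject) for name, subject in SAMPLES.items()}


if __name__ == "__main__":
    print("lead bytes e4-e9 cover U+%04X..U+%04X" % lead_byte_range())
    for name, result in survey().items():
        print(name, result)
```

The word utf exists only in the encoded-word wrapper, so a test on the decoded Subject never sees it for the Chinese sample, and the accented French subject shows the false positives that matching on the utf-8 marker alone would produce.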
RE: Help with blocking Chinese Spam
Date: Tue, 13 Mar 2012 06:42:05 -0700 From: jhar...@impsec.org To: users@spamassassin.apache.org Subject: Re: Help with blocking Chinese Spam On Tue, 13 Mar 2012, David F. Skoll wrote: PS: I haven't looked at SA's Bayes implementation. Can it handle words in non-western character sets properly? It seems to. All of the Chinese-language spam I get hits BAYES_99. Make sure you train bayes with this garbage! I did train with with these Chinese spam I got but it did not work. That is why I turned to the list. Otherwise my bayes db catches everything very accurately for me. Jenny
RE: real world spamassassin experiences re: processing on servers emailing from .info domains
From: list...@abbacomm.net To: users@spamassassin.apache.org Subject: real world spamassassin experiences re: processing on servers emailing from .info domains Date: Thu, 27 Oct 2011 09:15:13 -0700 greetings SA users there sure seems to be a lot of from .info server spamming wierd temp registered .info domains spamming eh? for those of you with volume, large or small, care to share an SA tips on how you deal with .info domains? i would imagine there is a very small percentage of valid emails coming from .info domains should we just pull the plug and reject all .info from touching the smtp server or carefully craft SA rules? real close to doing so and just reject them all, unless there is a list of valids out there somewhere thank you in advance - rh In 14 years, we never received any single legit mail from .info. It costs $1 per year to register an info domain, and if the people I do business cannot afford $10 a year for their domain, they probably will not give me business to start with. We reject all .info on sendmail during transaction stage. Half of my rejected connections are .info (rest are same-sender/same-recipient). You have to assess your own situation. Jenny
RE: Why doesn't anything at all get these botnet spammers?
Date: Mon, 17 Oct 2011 19:10:28 -0400 From: dar...@chaosreigns.com To: users@spamassassin.apache.org Subject: Re: Why doesn't anything at all get these botnet spammers? On 10/15, Jenny Lee wrote: fwoicka odrp jbguybf etvwmbwm i aluawj ggn. http://[redacted].tumblr.com/ poxpzafxc, cl ipcvlhboht ajjd wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu. Is anybody else having a problem with this kind of spam? I definitely find it interesting. It doesn't sound likely to be very profitable. We do have many domains and he hits most of them. I am positive many people get this. It is profitable, becase either: a. He gets money from those porn sites per signup b. He is those porn sites As with everything else, the head of the snake must be severed (as in pharma or akai spam). I am sure few knowledgeable people can cut his main income so he would not be doing this. It is similiar porn sites all the time. On 10/17, Jenny Lee wrote: What baffles me is why it takes so long for RBLs to catch up on the URL. Are you reporting them? Unfortunately, as I mentioned earlier, we are not in a position to constantly do maintenance in our mails. On 10/17, Jenny Lee wrote: Why bother trying to defeat 1/4 of botnet SPAM? I was getting rid of *all* of it with greylisting since 3-4 years. No need for bothering with MXes. So why don't you go back to greylisting without spamassassin? Nobody profits from you using SA, use whatever works for you. We probably will do that since SA is taking too much of our time. Or if your bayes is so accurate, just increase the scores for those rules? score BAYES_00 -5 score BAYES_05 -4 score BAYES_20 -3 score BAYES_40 -2 score BAYES_50 5 score BAYES_60 6 score BAYES_80 7 score BAYES_95 8 score BAYES_99 9 (To be clear, I don't recommend this for most people, only if you have bayes results as accurate as Jenny.) I do have top one high. I have not seen BAYES_80 or BAYES_95 before, so it is not necessary to set it. It is always BAYES_99. 
I have seen BAYES_60 though, but I am not keeping that high just in case. Our legit mail is not being mistakenly caught, so I have not bothered with lower scores either. With such accurate bayes results, that should override most other results. And if you're just using bayes, might as well not use spamassassin and go with a dedicated bayesian filter like spamprobe. Thank you for this information. I will check it out. Without bayes, SA does not work at all for us. We get about 10-20 legit emails (everyone uses internal IM) with 4-5 SPAM a day. Most of which is same-sender/same-receipient rejected at transaction stage. Spamd processes about 10K a day. Blocking more than 99% of spam, without blocking a problematic amount of non-spam, is hard. Bayes seems to be working very well in this aspect. Our issue is not with FPs. We are not having any issues with our legit mail. It is only this guy's spam is passing through (which is taken care of by custom rules, but requiring constant maintenance). We have some very old domains and these domains are used in commonly-typed email addresses (like donts...@me.com (me.com is not ours, just an example, i am not disclosing our domains here) ). When we were implementing only greylisting, no spam except ebolamonkey 419 spam passed through. That was easy to discard with simple procmail filters. However, our client's RHEL5 sendmail did not play well with greylisting, so we decided to do sa+grey. Postfix + postgrey worked great for me, when I last felt a need to use greylisting. We use sendmail + milter-greylist. Thank you for all the help in this list. I learnt quite few things during these conversations. Jenny
RE: Why doesn't anything at all get these botnet spammers?
Every 2nd of my emails to this list from hotmail is returning as a nondeliverable. Hotmail does not give any info as to what failed but I am assuming it is the SPAM filters of the mailing list. Well done! Also how ironic is it to write: users -at- spamassassin.apache.org on the website!!! What a confidence in a spam-fighting tool! Write it as users@sa, show you mean business. Back to the subject: We are under the false assumption that he is mangling the subjects with gibberish or with porn words. His target is to get the URL accross. As I mentioned, I get as many emails without any punctuation or porn words (see below). In fact, since I started this discussion, I got about 2 mangled headers versus 100+ like the one below (before at least the ratio was 50/50)! What baffles me is why it takes so long for RBLs to catch up on the URL. He was spamming me (i have different domains) for a good one month before his URL got dropped into an RBL, another one was never in an RBL. Perhaps I am misunderstanding RBL concept. Or perhaps he is already working with one of hte RBLs and has access to the honeypot emails. Jenny Date: Sun, 16 Oct 2011 16:01:48 +0200 From: Ckoe kalvscompu...@yahoo.com To: michael_ott...@ymail.com Subject: pznvm baniouq ljqtzfghf. tgbc, czatiaibw csa http://h1.ripway.com/punkizta_nc143hf/index.html lhkjgv kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a tfpeyvq fkhaohcddt rdl bvfoju. i am trimming the rest of the mail in order not to get another undeliverable
RE: Why doesn't anything at all get these botnet spammers?
Date: Mon, 17 Oct 2011 19:26:21 +0100 From: n...@unixmail.co.uk To: users@spamassassin.apache.org Subject: Re: Why doesn't anything at all get these botnet spammers? On 17/10/11 19:07, Jenny Lee wrote: Every 2nd of my emails to this list from hotmail is returning as a nondeliverable. Hotmail does not give any info as to what failed but I am assuming it is the SPAM filters of the mailing list. Well done! Then stop posting spam to the list. You can see what rules you're hitting in the headers of your posts: X-ASF-Spam-Status: No, hits=9.8 required=10.0 tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS,URIBL_BLACK,URIBL_SBL Just because I posted a single blacklisted URL does not mean my message should be tagged as SPAM on a mailing list. Perhaps you need to tune these filters for accuracy: FREEMAIL_ENVFROM_END_DIGIT: With a freaking 1.2 billion freemail users, I would like to see a freemail account that does not end in a digit. I surely do not have anybody on my contact list that does not end with one. FREEMAIL_FROM: As above... 1.2 billion. HTML_MESSAGE: That is default on freemail accounts. URIBL_BLACK: 1.7 on my system URIBL_SBL: 1.6 on my system So I still would like to see how I get over 10 sending legit convo and having a blacklisted URL. Deliverable happenned to me when I was posting the pastebin URL during a conversation. I, in fact, asked another user on this list if he could post my pastebin! Jenny
RE: Why doesn't anything at all get these botnet spammers?
One way you can get rid of about 1/4 of your botnet spam is to set your highest numbered MX record as follows: tarbaby.junkemailfilter.com Why bother trying to defeat 1/4 of botnet SPAM? I was getting rid of *all* of it with greylisting since 3-4 years. No need for bothering with MXes. The problem started after I implemented spamassassin couple of months ago. Even though I have near ~100% accuracy with bayes (over 1 million SPAM, zero FP), this guy always gets through. We get about 10-20 legit emails (everyone uses internal IM) with 4-5 SPAM a day. Most of which is same-sender/same-receipient rejected at transaction stage. Spamd processes about 10K a day. When we were implementing only greylisting, no spam except ebolamonkey 419 spam passed through. That was easy to discard with simple procmail filters. However, our client's RHEL5 sendmail did not play well with greylisting, so we decided to do sa+grey. Working very well, but needing constant attention because of this one pos. Jenny
RE: Why doesn't anything at all get these botnet spammers?
Date: Sun, 16 Oct 2011 08:39:42 -0700 From: jhar...@impsec.org To: users@spamassassin.apache.org Subject: Re: Why doesn't anything at all get these botnet spammers? On Sun, 16 Oct 2011, Martin Gregorie wrote: On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote: On Sat, 15 Oct 2011, Jenny Lee wrote: Hello Everyone, Is there any way to get these people? Subject: T !r (a -n*n =le ` S !e .x| Subject: Se^x M-o ^v ~l e - What about something like: header POX Subject ~= /[!\(-*\.^~]\w *[!\(-*\.^~]\w/ Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll have to be quick to see the actual results... :) Thank you. I would like to say that an equal many comes without any subject mangling. He manages to get only one through to me (I get about 50 of these daily) until I add his URL once a week... But because of this **, I have to constantly maintain my install. Because of him, I am thinking of going back to straight greylisting (where I never got any of his crap). Jenny Date: Sun, 16 Oct 2011 16:01:48 +0200 From: Ckoe kalvscompu...@yahoo.com To: michael_ott...@ymail.com Subject: pznvm baniouq ljqtzfghf. tgbc, czatiaibw csa http://h1.ripway.com/punkizta_nc143hf/index.html lhkjgv kfitvtar dmsiczsme sjfyaicbd hiqjdjpr. a tfpeyvq fkhaohcddt rdl bvfoju.
Why doesn't anything at all get these botnet spammers?
Hello Everyone,

Is there any way to get these people? Instead of doing greylisting, I started doing SA+Greylisting 3 months ago. Since then, this guy always gets through until I modify our custom ruleset to block his URLs. Currently I have:

uri OUR_CUSTOM_URI /\.(tumblr\.com|de\.tl|fileave\.com|ripway\.com)\//

Bayes is on, and it gets trained with his emails. Bayes is 100% accurate for us with no false-positives. This is requiring constant maintenance. There surely must be a solution.

Thank you.
Jenny

Return-Path: sabr...@lbstudio.eu
X-Spam-Flag: YES
X-Spam-Level: **
X-Spam-Status: Yes, score=6.0 required=5.0 tests=AWL,BAYES_50,
 MSGID_FROM_MTA_HEADER,OUR_CUSTOM_URI autolearn=no version=3.3.1
X-Spam-Report:
 * 5.0 OUR_CUSTOM_URI URI: Botnet spammers
 * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 * [score: 0.5769]
 * 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
 * 0.2 AWL AWL: From: address is in the auto white-list
X-Spam-Checker-Version: SPAMASSASSIN 3.3.1 (20/09/2011)
Received: from netup.it (netup.consultingweb.it [195.128.235.186]) by our_domain.comt (version_here) with ESMTP id p8QGoDc9030358 for some...@ourdomain.com; Mon, 26 Sep 2011 20:50:15 +0400
Message-Id: 201109261650.p8qgodc9030...@ourdomain.com
Received: from uvecfhputwix ([93.176.234.155]) by netup.it with MailEnable ESMTP; Sun, 25 Sep 2011 21:07:46 +0200
Date: Sun, 25 Sep 2011 22:02:06 +0200
From: sabr...@lbstudio.eu
User-Agent: Thunderbird 2.0.0.27 (Windows/20090808)
MIME-Version: 1.0
To: blessedpinkan...@aol.com
Subject: [SPAM] T !r (a -n*n =le ` S !e .x|
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Delayed for 00:00:00 by milter-greylist-4.3.9 (ourdomain.com [1.1.1.1]); Mon, 26 Sep 2011 20:50:16 +0400 (MUT)
X-CENSOR-Robot: SPAM BUSTER v4.0 (08/08/2011) Active Mode
X-Spam-Prev-Subject: T !r (a -n*n =le ` S !e .x|
X-CENSOR-Class: SPAM

fwoicka odrp jbguybf etvwmbwm i aluawj ggn.
http://darrentanch1.tumblr.com/ poxpzafxc, cl ipcvlhboht ajjd wfyy vjrmafmgas ntqewzxa xtsf qwkvoiiof jogdhxhmkw pdyyfdoiu.

or a more recent one:

Subject: Se^x M-o ^v ~l e - zp, qtw iqgcjlmkyk bnwbspnoix dzgujz f v tdovsp.
http://hnungarid.fileave.com/index.html czqrrgdmud ymlfkdv wh jhuaemf dus iv wztppda nqq vwoq nppfb.
Re: BOTNET IPv6 patch
interesting. the ipv6 address is correct, spock.dilkie.com was the source of the email. however, the quoted ipv4 address, 216.191.234.70 is my employer's mail gateway (Mitel), and I suspect the script grabbed the ip address I used to send the test message to my server that was relayed to Yves. (ie. the first hop was ipv4, the second was ipv6). -lee On 7/2/2011 4:06 AM, Yves Goergen wrote: On 30.06.2011 13:06 CE(S)T, Matthew Newton wrote: On Wed, Jun 29, 2011 at 09:59:52PM +0200, Yves Goergen wrote: Received: from sp***ck.di***ie.com ([2001:***::40]) by do***rd.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from L***e@Di***ie.com) id 1Qc0UA-0001R3-DT for nospam.list@un***ed.de; Wed, 29 Jun 2011 21:31:44 +0200 X-Spam-Report: Content analysis details: 0.2 BOTNET Relay might be a spambot or virusbot [botnet0.8,ip=2**.1**.2**.7*,maildomain=Di***ie.com,nordns] Doesn't seem to work. It's a false positive again. And Botnet recognises the incoming IPv6 address as some IPv4 address and reports that one. That doesn't look right - unless your munging has really messed it up. BOTNET seemed to check an IPv4 address there: 2**.1**.2**.7* Do a dig -x against that IPv4 address, and the 2001:***::40 address, and see if both have correct PTRs. I cannot interpret the results: $ dig -x 216.191.234.70 ; DiG 9.7.0-P1 -x 216.191.234.70 ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 22386 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;70.234.191.216.in-addr.arpa.IN PTR ;; AUTHORITY SECTION: 234.191.216.in-addr.arpa. 3446 IN SOA ns1.business.allstream.net. hostmaster.business.allstream.net. 
2010030901 3600 900 604800 21600 ;; Query time: 1 msec ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2) ;; WHEN: Sat Jul 2 10:02:25 2011 ;; MSG SIZE rcvd: 118 and $ dig -x 2001:470:8900::40 ; DiG 9.7.0-P1 -x 2001:470:8900::40 ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 34084 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR ;; ANSWER SECTION: 0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.0.7.4.0.1.0.0.2.ip6.arpa. 3600 IN PTR spock.dilkie.com. ;; Query time: 1141 msec ;; SERVER: 2a01:4f8:121:5161::2#53(2a01:4f8:121:5161::2) ;; WHEN: Sat Jul 2 10:02:38 2011 ;; MSG SIZE rcvd: 120 (I figured out it's useless to obfuscate addresses and names here as they're sent over the list as well.)
Re: ups.com virus has now switched to dhl.com
it's IPv4.5

-lee

On 3/31/2011 1:47 PM, Lawrence @ Rogers wrote:
> On 31/03/2011 1:29 PM, Michael Scheidell wrote:
>> 'from' dhl.com (come on ups/dhl.. I know SPF is broken, but in this case it would sure help us decide if the sending ip is authorized to send on your behalf) with some pretty weird received lines: is this 'ipv8'?
>
> Doubtful. IPv8 is still very much a pipe dream. The world hasn't even embraced IPv6 yet. I would say most of the Received: headers are just messed up to bypass IPv4 and RBL checks.
>
> - Lawrence
Re: __PILL_PRICE Problems
On 3/20/2011 8:48 AM, Michael Scheidell wrote:
> On 3/20/11 6:04 AM, Matt Elson wrote:
>> body __PILL_PRICE_3 /free\s(?:pill|tablet|cap(?:sule|let))s/i
>> tflags __PILL_PRICE_3 multiple
>>
>> Specifically, they're causing spamassassin to run in an endless loop when the tflags line is active when the rule hits. Debug just shows the following line endlessly:
>>
>> Mar 20 05:37:56.391 [6677] dbg: rules: ran one_line_body rule __PILL_PRICE_3 == got hit: Free Pills
>>
>> I don't have a full example of an email that triggers this, but I have the body of one that will regularly trigger it here: http://pastebin.com/iGQ2RJ6v
>
> Works here, compiled rules, freebsd 7.3, amd64, perl 5.10, re2c, 0.13.5

fails for me, loops, freebsd 7.3, intel, perl 5.12.3, SA 3.3.1, re2c 001305

what rule should we comment out until this is fixed?

-lee
Re: Points for missing MX Records
You are confusing servers with *domains*. It's perfectly acceptable that an outgoing mail server not accept incoming mail but the issue here is whether it is valid for a *domain* to be send-only.

It's an interesting question. For DSN's to work, you need to accept email for that domain. But is it allowed, in the rfcs, to be a send-only domain (no MX record) even if that means DSN's cannot be delivered? good question.

-lee

On 2/23/2011 12:51 PM, Michelle Konzack wrote:
> Hello Henry | Security Division,
>
> On 2011-02-23 13:50:19, you hacked down the following:
>> This is also very interesting, Michael: (From the RFC link I sent before)
>>
>> Being able to detect domains that never accept email offers many resource savings to an SMTP server. In the first instance, it can choose to reject email during the SMTP conversation that does not present a deliverable 2821.MailFrom domain.
>
> Then you will reject Mails from nearly ANY big ISPs because they have separated OUT-BOUND and IN-BOUND servers... And OUT-BOUND servers will not receive mails.
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)
I recently gave up on greylisting after using it for years as well. Two reasons really, one was the complaints from users (and I found that they often asked folks to send mail to me twice to try and get mail to work better and that was just embarrassing).

The second was that I've found that the other spam-catching filtering is doing a much better job than it was years ago and turning off greylisting didn't adversely affect the amount of spam that got through.

-lee

On 1/18/2011 5:41 PM, Warren Togami Jr. wrote:
> On 01/18/2011 12:31 PM, David F. Skoll wrote:
>> On Tue, 18 Jan 2011 22:18:20 + Gary Forrest ga...@netnorth.co.uk wrote:
>>> Interesting 2 of our 3 scanning heads use a grey list system that uses /32 addresses as part of the process, these two servers have 100's of emails delayed for well over a day. Our 3rd scanning head uses a grey list system that is less granular /24 , this does not.
>>
>> Ah, I should mention that we use a /24 for greylisting for IPv4 and a /64 for IPv6. On the other hand, we also add a hash of the subject into the greylisting tuple so it becomes:
>
> I recently gave up entirely on greylisting after:
>
> * Last week I discovered /24 was not good enough for redelivery attempts at one major ISP. All mail from that ISP was failing for the past month except in rare cases where randomly the same /24 attempted delivery within the time window.
> * Years of complaints of mail delivery delays or failures from my users. They had begun creating gmail accounts in order to bypass. They kept running into too many cases of broken individual mail servers (major companies!) who failed to redeliver.
>
> Users don't care about so and so is violating RFC-XXX. They are trying to get business done and it was simply causing too many problems.
>
> Warren
Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)
On 1/19/2011 10:02 AM, David F. Skoll wrote: On Wed, 19 Jan 2011 09:56:47 -0500 Lee Dilkie l...@dilkie.com wrote: The second was that I've found that the other spam-catching filtering is doing a much better job than it was years ago and turning off greylisting didn't adversely affect the amount of spam that got through. That's possibly true, but look at this. A greylisted message: mimedefang[17175]: p0I4xvRE017628: Filter time is 85ms A scanned message:mimedefang[17175]: p0I50ACP017683: Filter time is 906ms On a busy system, this can make a huge difference. SpamAssassin scanning is by no means cheap. Regards, David. Agreed there, I did have to install the compiled regex package to get SA speeds up enough to handle the increased load (my server is not even close to yours in performance but I did drop SA time from 10-30s to 3s). Don't get me wrong, I liked GL but there are a number of big ISPs that have quite long retry timeouts (for some reason, sympatico comes to mind) and it got to be too annoying. who knows, all the code is still there and I might switch it on again in the future.
Re: Does anyone known the braindead anti-spam software MagicSpam ?
On 11/10/2010 6:32 AM, Michael Scheidell wrote: On 11/10/10 2:45 AM, Matus UHLAR - fantomas wrote: On 10.11.10 08:23, Per Jessen wrote: I got the following reject this morning: book...@example.com: host mail.example.com[1.2.3.4] said: 550 Dynamic Style reverse DNS IP=[212.25.14.40].Rejected by MagicSpam 1.0.4-9.1 (http://www.magicspam.com/). 40.14.25.212.in-addr.arpa. 3600 IN CNAME 40.32-63.14.25.212.in-addr.arpa. well, the 40.32-63.14.25.212.in-addr.arpa is surely dynamic-looking ;-) as expected for classless DNS CIDR subdelegation, and valid according to rfc's. magicspam didn't resolve the cname (either of them I suspect). not sure if I would use a cname for quarantine.spamcheck.net. .. just put a second record in the zone file. This looks like RDNS delegation to me, allowing a statically assigned block of addresses from an ISP to control their own RDNS lookups. The owner of the address block wouldn't be able to modify the upstream's RDNS zone files so that's why the upstream has put in CNAME records, to force the resolver to the owner's zone file. and if it is... most certainly not a dynamic ip. -lee host -t ptr 212.25.14.40 40.14.25.212.in-addr.arpa is an alias for 40.32-63.14.25.212.in-addr.arpa. 40.32-63.14.25.212.in-addr.arpa domain name pointer quarantine.spamchek.net. # host -t a quarantine.spamchek.net quarantine.spamchek.net is an alias for thorium.enidan.ch. thorium.enidan.ch has address 212.25.14.40 # host -t a thorium.enidan.ch thorium.enidan.ch has address 212.25.14.40
Re: might be a dev list question, getting deprecated warnings with perl 5.12
:) love your style.

-lee

On 9/26/2010 8:00 PM, Karsten Bräckelmann wrote:
> *Might* have been a dev question, but it actually is not. Not even close to it. ;)
>
> On Sun, 2010-09-26 at 17:29 -0400, Lee Dilkie wrote:
>> Use of goto to jump into a construct is deprecated at /usr/local/lib/perl5/site_perl/5.12.2/Mail/SpamAssassin/Plugin/Check.pm line 409
>>
>> seeing this in a number of places after I upgraded perl to 5.12. Should I submit a bug report or is this already known?
>
> Please do NOT file a bug report. It is known. And fixed.

great

> Why is this not a dev question, even though it talks code? Because bugzilla offers a search feature. Yes, seriously. ;) I mean, you would have searched for the error message first, before filing it anyway, wouldn't you? ;) There are at least two whole strings, unique to this issue, that immediately jump out to search for.

indeed, I would have likely done a search. Just for curiosity, I did a search for perl 5.12, deprecated and Check.pm line 409 (I also did a search for the entire error string but that didn't yield anything). funny enough, none of those searches yielded 6392. The closest I got was 6488, Lint errors with Perl 5.12 in AntiVirus.pm, which if one looks into it closely does mention 6392. Unfortunately, we'll never know if I would have checked out 6488, based on its description, or if I would have followed the striked-out link to 6392... Not sure I would have had enough of a clue to do that and hindsight is 20/20.

> Bug 6392 [1]. Please check if the patch for 3.3 fixes this for you. Commit revision link also available in the bug report. If there are any such warnings left, please feel free to bring it up again here, reopen that bug, or file a new bug report.
>
> Anyway, thanks for caring and bringing up the issue, Lee. Much appreciated. :)

that's me, all caring and mushy..
seriously though, I waited before upgrading perl and after seeing these warnings I waited for an sa upgrade (freebsd ports) and I didn't see a peep in the users list from anyone else for a couple of weeks that this was seen elsewhere... so that's why I posted the query as I wasn't sure this wasn't simply a case of a config messup at my end. I wonder if perl 5.12 isn't widely deployed yet (usually freebsd isn't so leading edge). [1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6392
Re: Please Help with SA Rule: FH_HOST_IN_ADDRARPA
the rule is flagging the fact that the servers are using non-assigned address space. On 6/17/2010 2:19 PM, gwilodailo wrote: Hello all, I've discovered that some mail between two of my clients (on separate hosts) is getting flagged as spam, because of this rule (FH_HOST_IN_ADDRARPA). I'm not at all an expert with spamassassin, and I'm having some difficulty finding what this rule is about and what to do about it. Any help would be greatly appreciated. Thanks!
Re: Performance problem body tests
On 6/3/2010 12:02 PM, Charles Gregory wrote: On Thu, 3 Jun 2010, Helmut Schneider wrote: I then started from scratch and tried with SA 3.2.5. The particular body_tests take only 5 seconds (instead of 30). As I mentioned before, I noticed this difference myself, and presumed it was just a characteristic of the 'improved' logic for deep-scanning the body of emails, and perhaps just a larger number of rules than before Though I am still intrigued by your comment that this happens only on 'some' e-mails, not all. Apologies if I missed a response, but was there any difference noticable for the mails that process quicker? - Charles Are you folks using sa-compile? I found a vast improvement in body scan performance by switching to it. -lee
Re: [OT] was SORBS
On 4/30/2010 7:43 AM, corpus.defero wrote: On Fri, 2010-04-30 at 11:46 +0100, n.frank...@gmail.com wrote: Here's the chuckle Mail transport error, MTSPro SMTP Relay Agent could not deliver the following message for users@spamassassin.apache.org. Reason: 550 Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?217.36.54.209 The old bucket still holds water. It is your ISP that needs to resolve this - as a customer you can do nothing. Really they should have dealt with this a long time ago. I've lost track of it, is this two weeks later now? Really - you should sack your ISP and go to someone competent. First, I'd like to point out that not everyone has the option of changing ISP's. Believe it or not, there are many folks who have only one choice for high-speed internet access (myself included). Second. The fact that a mail server rejects, outright, based on something so false-positivity as a db for dynamic ip's is irresponsible on the part of the admin. Sure, add some spammy points and do a scan but an outright rejection? -lee
Re: Problems with sa-update
I reported this issue about a month ago and didn't receive a response. So I set about fixing it myself.

First, I edited the sa-update script to not delete the rules that it downloaded and was running lint on... I looked at those rules to see if I could spot the problem, but I couldn't... looked for control chars, ^M's, nothing...

So I removed the lint check from sa-update and that allowed it to install the rules. Then I ran sa-update again and a new ruleset was downloaded... and this one passed the lint check...

I have no idea what was wrong with that original set but it prevented sa-update from continuing and it appears to me that sa-update seems to just get the next released rules rather than get the last released rules and that held up downing a good set to replace the bad set... I dunno if that's the case but it matches my observations.

your mileage may vary... I've had no problem since and the original sa-update has been used since my one time hack.

-lee

Personal Técnico wrote:
> Hi,
>
> I'm getting this error when I run sa-update:
>
> config: failed to parse line, skipping, in /tmp/.spamassassin26787Cjo628tmp/72_active.cf: mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
> config: failed to parse line, skipping, in /tmp/.spamassassin26787Cjo628tmp/72_active.cf: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
> config: failed to parse line, skipping, in /tmp/.spamassassin26787Cjo628tmp/72_active.cf: mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
> channel: lint check of update failed, channel failed
>
> Spamassassin installed version is 3.3.1-1 in a Debian Lenny 64 bits system.
>
> Why am I getting this error?
>
> Thanks.
Re: Reducing scan time
Chris, Do you use sa-compile? I found that made a tremendous difference for me. -lee Chris wrote: I've posted two files below, one is the time output for a spam and one for ham. Seems like over the past few weeks SA scan times have become slower and slower. For instance stats from last night below. Anyone with any ideas on how to speed things up? Email:62 Autolearn: 0 AvgScore: -16.94 AvgScanTime: 21.25 sec Spam: 17 Autolearn: 0 AvgScore: 35.71 AvgScanTime: 23.12 sec Ham: 45 Autolearn: 0 AvgScore: -36.82 AvgScanTime: 20.54 sec For instance my scan times about two weeks ago were: Email:58 Autolearn: 0 AvgScore: -12.38 AvgScanTime: 11.36 sec Spam: 16 Autolearn: 0 AvgScore: 85.06 AvgScanTime: 8.52 sec Ham: 42 Autolearn: 0 AvgScore: -49.50 AvgScanTime: 12.45 sec Spam http://pastebin.com/fhd3XwHp Ham http://pastebin.com/jbSD894i Any advice would be appreciated. Chris
Re: Scanning large-body spam
Alex wrote: Hi, What settings do people typically have these days for the maximum scanned message size? Surprisingly, at least to me, I'm seeing spam in the 650k and 700k range, at least a few per hour, and are not scanned. Does anyone have any suggestions for optimizing the process for spam containing just a large image that would therefore bypass the typical scanning? Should I be scanning messages that large, then? Thanks, Alex I just bumped mine up from 150K to 1M to cover these new ones that contain a jpeg or png and are in the 500K range in size. I'm not sure if it'll matter too much to scan the odd email that's large I'll have to monitor my stats. -lee
lint failed with FuzzyOCR error
Hi Folks,

My nightly sa-upgrade caught this funny error and I cannot figure out...

Mar 25 04:15:45.030 [76697] info: body_0: 1547 base strings extracted in 37 seconds
rules: failed to run FUZZY_OCR test, skipping: (Timeout::_run: Insecure dependency in open while running with -T switch at /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/FuzzyOcr.pm line 425. )
sa-compile: not compiling; 'spamassassin --lint' check failed!

sub logfile {
    my $logtext = $_[0];
    my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ) = localtime(time);
    my $time = sprintf( "%4d-%02d-%02d %02d:%02d:%02d", $year + 1900, $mon + 1, $mday, $hour, $min, $sec );
    $logtext =~ s/\n/\n /g;
*** unless ( open LOGFILE, ">>$logfile" ) {
        warn "Can't open $logfile for writing, check permissions";
    }
    flock( LOGFILE, LOCK_EX );
    seek( LOGFILE, 0, 2 );
    print LOGFILE "[$time] $logtext\n";
    flock( LOGFILE, LOCK_UN );
    close LOGFILE;
}

The error line is at the *** above. I'm far from being a Perl expert, what is an Insecure dependency in open (I'm guessing that -T is the perl switch to enable taint checks???)

And I checked (copied the warn line to above the open), the file /var/log/FuzzyOcr.log is owned and writable by the user (mailnull in my case as I'm running on freebsd).

TIA,

-lee
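The "Insecure dependency in open" failure asked about above comes from Perl's taint mode, not from file permissions, and the following stand-alone script reproduces and resolves it. This is an added example, not FuzzyOcr or SpamAssassin code; the /tmp demo path, the allow-list pattern and the helper names untaint_log_path and append_log are assumptions made for illustration.

```perl
# Added example (not FuzzyOcr code). Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Fcntl qw(:flock SEEK_END);
use Scalar::Util qw(tainted);

die "run with: perl -T $0\n" unless ${^TAINT};

# Under -T, data that came from outside the program (config files,
# environment, arguments) is marked tainted. Appending a zero-length
# tainted string simulates a log path that was read from a .cf file.
my $taint       = substr("$0$^X", 0, 0);
my $from_config = "/tmp/FuzzyOcr-demo-$$.log" . $taint;   # constructed path

# Return the path only if it matches a strict allow-list pattern.
# A regex capture group is how Perl clears the taint flag, so the
# pattern must describe exactly what is acceptable (hypothetical policy:
# one file directly under /tmp, conservative characters, .log suffix).
sub untaint_log_path {
    my ($path) = @_;
    return undef unless defined $path;
    return $path =~ m{\A(/tmp/[A-Za-z0-9][A-Za-z0-9._-]*\.log)\z} ? $1 : undef;
}

# Append one timestamped line, in the shape of the logfile() sub quoted
# in the post, but with a lexical handle and three-argument open.
sub append_log {
    my ($path, $text) = @_;
    my @t = localtime(time);
    my $stamp = sprintf("%4d-%02d-%02d %02d:%02d:%02d",
        $t[5] + 1900, $t[4] + 1, $t[3], $t[2], $t[1], $t[0]);
    open(my $fh, '>>', $path) or die "Can't open $path for writing: $!\n";
    flock($fh, LOCK_EX);
    seek($fh, 0, SEEK_END);
    print {$fh} "[$stamp] $text\n";
    flock($fh, LOCK_UN);
    close($fh);
    return 1;
}

printf "path tainted before check: %s\n", tainted($from_config) ? 'yes' : 'no';

# 1. Opening a tainted path for writing dies inside open(), whatever the
#    ownership and mode of the file are.
my $ok = eval { append_log($from_config, 'first attempt') };
print "tainted path:   ", ($ok ? "written\n" : "refused: $@");

# 2. The same path, validated and untainted, is accepted.
my $clean = untaint_log_path($from_config)
    or die "log path rejected by allow-list\n";
$ok = eval { append_log($clean, 'second attempt') };
print "untainted path: ", ($ok ? "written\n" : "refused: $@");

# 3. A path outside the allow-list is never untainted.
my $bad = untaint_log_path('/tmp/../etc/passwd' . $taint);
print "traversal path: ", (defined $bad ? "accepted\n" : "rejected\n");

unlink $clean;
```

A deployment would allow-list its own log directory rather than /tmp; the pattern should stay as narrow as the configuration permits, because a capture such as (.*) clears the taint flag without checking anything.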
Re: Whitelist isn't working
Curious that SPF_FAIL is reported... X-Spam-Report: * 1.9 TVD_RCVD_IP TVD_RCVD_IP * 3.2 FH_DATE_PAST_20XX The date is grossly in the future. * 1.5 FROM_STARTS_WITH_NUMS From: starts with many numbers * 1.9 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date * 0.7 SPF_FAIL SPF: sender does not match SPF record (fail) * [SPF failed: Please see $ host -t TXT freecycle.org freecycle.org descriptive text v=spf1 mx ip4:66.249.5.32 a:mailers.freecycle.org ~all so mx records, 66.249.5.32 and mailers.freecycle.org are permitted. $ host -t MX freecycle.org freecycle.org mail is handled by 10 mail.freecycle.org. $ host mail.freecycle.org mail.freecycle.org has address 209.208.102.2 $ host mailers.freecycle.org mailers.freecycle.org has address 94.102.151.10 mailers.freecycle.org has address 94.102.157.234 mailers.freecycle.org has address 95.172.20.138 mailers.freecycle.org has address 95.172.20.170 mailers.freecycle.org has address 209.40.195.67 mailers.freecycle.org has address 209.208.102.2 mailers.freecycle.org has address 66.249.5.27 mailers.freecycle.org has address 66.249.5.32 mailers.freecycle.org has address 66.249.5.33 mailers.freecycle.org has address 66.249.23.110 mailers.freecycle.org has address 67.223.226.47 mailers.freecycle.org has address 67.223.248.208 mailers.freecycle.org has address 67.223.252.100 mailers.freecycle.org has address 77.92.68.91 mailers.freecycle.org has address 77.92.72.179 mailers.freecycle.org has address 77.92.72.180 mailers.freecycle.org has address 83.170.113.10 $ host bulkmail2.freecycle.org bulkmail2.freecycle.org has address 95.172.20.170 bulkmail2.freecycle.org is a permitted sender, it's listed under mailers.freecycle.org. however, this email was from bounces.freecycle.org and it needs an SPF record as well. 
$ host -t TXT bounces.freecycle.org bounces.freecycle.org descriptive text v=spf1 include:freecycle.org -all bounces.freecycle.org does not have an A record but it's ip address, 95.172.20.170, is listed above in mailers.freecycle.org and also as bulkmail2.freecycle.org. Wonder why it failed? oh wait a minute.. Envelope-to: myn...@exemail.com.au Delivery-date: Tue, 16 Mar 2010 17:51:22 +1100 Received: from 146.2.233.220.static.exetel.com.au ([220.233.2.146] helo=mscip02.mailsentry.net.au) by chestnut2.exetel.com.au with esmtp (Exim 4.68) (envelope-from post-1601702-2890...@bounces.freecycle.org) id 1NrQcc-PC-Us for myn...@exemail.com.au; Tue, 16 Mar 2010 17:51:22 +1100 Received: from bulkmail2.freecycle.org ([95.172.20.170]) by mscip02.mailsentry.net.au with ESMTP; 16 Mar 2010 17:51:21 +1100 Received: from localhost ([127.0.0.1] helo=freecycle.org) by bulkmail2.freecycle.org with esmtp (Exim 4.69) was this a forwarded email? from mscip02.mailsentry.net.au to chestnut2.exetel.com.au? I don't think you can apply an SPF check after it's been forwarded. -lee Mark Martinec wrote: Phill, def_whitelist_from_rcvd *...@posts.freecycle.org posts.freecycle.org Received: from bulkmail2.freecycle.org ([95.172.20.170]) by mscip02.mailsentry.net.au with ESMTP; 16 Mar 2010 17:51:21 +1100 From: frances.dejong 2890...@posts.freecycle.org Can anyone explain why the whitelist entry isn't preventing this from being tagged as spam? posts.freecycle.org != bulkmail2.freecycle.org Mark
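The SPF reasoning in the message above, worked through as an added example that is not part of the original thread and not SpamAssassin's SPF plugin. It evaluates the two published records against the original sender's IP and against the forwarder's IP; the DNS answers are hard-coded from the host output quoted in the post (the mailers.freecycle.org list is a subset), and only the ip4, a, mx, include and all mechanisms are implemented.

```perl
# Added example: minimal SPF check_host() over DNS data copied from the post.
use strict;
use warnings;

my %TXT = (
    'bounces.freecycle.org' => 'v=spf1 include:freecycle.org -all',
    'freecycle.org' => 'v=spf1 mx ip4:66.249.5.32 a:mailers.freecycle.org ~all',
);
my %MX = ('freecycle.org' => ['mail.freecycle.org']);
my %A  = (
    'mail.freecycle.org'    => ['209.208.102.2'],
    # subset of the A records listed in the post
    'mailers.freecycle.org' => [qw(66.249.5.32 95.172.20.138 95.172.20.170 209.208.102.2)],
);

my %RESULT = ('+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral');

sub ip2int { my ($ip) = @_; return unpack('N', pack('C4', split /\./, $ip)) }

# True if $ip lies inside $net/$bits (a bare address means /32).
sub in_cidr {
    my ($ip, $net, $bits) = @_;
    $bits = 32 unless defined $bits;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (ip2int($ip) & $mask) == (ip2int($net) & $mask);
}

# Evaluate the SPF record of $domain for connecting address $ip.
# Mechanisms are tried left to right; the first one that matches
# decides the result through its qualifier.
sub check_host {
    my ($ip, $domain, $depth) = @_;
    $depth ||= 0;
    return 'permerror' if $depth > 10;          # guard against include loops
    my $record = $TXT{$domain} or return 'none';
    my @terms = split ' ', $record;
    shift @terms;                               # drop "v=spf1"
    for my $term (@terms) {
        my ($q, $mech, $arg) =
            $term =~ /\A([-+~?]?)(all|include|a|mx|ip4)(?::(\S+))?\z/
            or return 'permerror';
        $q ||= '+';
        my $hit = 0;
        if ($mech eq 'all') {
            $hit = 1;
        }
        elsif ($mech eq 'ip4') {
            return 'permerror' unless defined $arg;
            my ($net, $bits) = split m{/}, $arg;
            $hit = in_cidr($ip, $net, $bits);
        }
        elsif ($mech eq 'a') {
            $hit = grep { $_ eq $ip } @{ $A{ $arg // $domain } || [] };
        }
        elsif ($mech eq 'mx') {
            $hit = grep { $_ eq $ip }
                   map  { @{ $A{$_} || [] } } @{ $MX{ $arg // $domain } || [] };
        }
        elsif ($mech eq 'include') {
            return 'permerror' unless defined $arg;
            my $r = check_host($ip, $arg, $depth + 1);
            return 'permerror' if $r eq 'none' || $r eq 'permerror';
            # include matches only when the included record says "pass";
            # a softfail or fail inside it just means "no match here".
            $hit = $r eq 'pass';
        }
        return $RESULT{$q} if $hit;
    }
    return 'neutral';                           # no mechanism matched
}

# Envelope-from domain taken from the Received header in the post.
my $envelope_domain = 'bounces.freecycle.org';
for my $hop (
    ['95.172.20.170', 'bulkmail2.freecycle.org, as seen by mscip02.mailsentry.net.au'],
    ['220.233.2.146', 'mscip02.mailsentry.net.au, as seen by chestnut2.exetel.com.au'],
) {
    printf "%-15s %-9s %s\n",
        $hop->[0], check_host($hop->[0], $envelope_domain), $hop->[1];
}
```

The first hop is covered by a:mailers.freecycle.org, while the forwarder's address only reaches ~all inside the included record, which does not count as an include match, so evaluation falls through to the outer -all.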
Re: can I roll back to an earlier version of updates
You'll love this.. My nightly sa-update cron ran last night and upgraded my modified rules (was version 916621) to a newer version (version 917420). This, of course, undid my changes. And equally surprising, --lint passed. I looked at the diffs and sure enough, the same lines were back (number of other changes too). Not sure why the gremlins were banished. Interesting mystery. -lee Lee Dilkie wrote: Final update folks, sorry for the noise if it's bothersome... commented out the three offending lines in 72_active.cf and --lint passed and I'm back up and running. No idea what the issue is, those lines looked fine to me. I'm running perl 5.8.9, could that be an issue? -lee details: ##lee is my handiwork ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/ endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##lee mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##lee mimeheader __TVD_MIME_ATT_APContent-Type =~ /^application\/pdf/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEEval ##lee mimeheader __TVD_MIME_ATT_TPContent-Type =~ /^text\/plain/i endif ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /image\d+\.(?:gif|jpe?g|png)\@/ endif Lee Dilkie wrote: progress report.. commented out the place where the lint results were checked and rules got installed. looking at 72_active.cf I see a number of lines ending in CR (^M). Is this intentional? ie. header __SUBJ_3DIGIT Subject =~ /\b\d{3}[^0-9]/^M header __SUBJ_APPROVE Subject =~ /Approve/i^M header __SUBJ_RE Subject =~ /^R[eE]:/^M -lee Lee Dilkie wrote: no joy. doesn't look like the ports version of SA comes with any stock rules (nothing obvious in the ports dir tree, the work/ directory had en empty 72_active.cf file)... 
I deinstalled and then installed and it all went well but it tells me to run sa-update to get the rules, and that's my problem You may wish to run sa-update now to obtain the latest rules. NOTE: FREEBSD users: If you are updating from a version prior to 3.20. sa-update now places state files in /var/db/spamassassin and not /var/lib/spamassassin. This is to be consistant with Freebsd file directory conventions. If you run sa-compile, you will notice that files are in /var/db/spamassassin/compiled/perlversion/version instead of /var/db/spamassassin/compiled/version. No attempts have been made to move old versions over. You must recompile. === Installing rc.d startup script(s) === Compressing manual pages for p5-Mail-SpamAssassin-3.3.0_3 === Running ldconfig /sbin/ldconfig -m /usr/local/lib === Registering installation for p5-Mail-SpamAssassin-3.3.0_3 r...@spock: /usr/ports/mail/p5-Mail-SpamAssassin $ sa-update config: failed to parse line, skipping, in /tmp/.spamassassin92852PBQ5Yktmp/72_active.cf: mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin92852PBQ5Yktmp/72_active.cf: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin92852PBQ5Yktmp/72_active.cf: mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i channel: lint check of update failed, channel failed So is there *any* way for me to get this ruleset and put it on my server and edit out the offending lines in 72_active.cf?? Is there an archive I can download? (I'm thinking of modifying sa-update to comment-out where it removes the tmp files) -lee Karsten Bräckelmann wrote: On Mon, 2010-03-01 at 06:45 -0500, Lee Dilkie wrote: Karsten Bräckelmann wrote: Anyway, what comes to mind: Did you run sa-update after the upgrade to 3.3.0 at all? If not, did you install the rules tarball alongside SA? 
I was originally running the 3.3 rules and that was fine, and as far as I know, I did even run sa-upgrade (can't tell you if it upgraded the rules over the base ones) but it's the latest sa-update that pulled in newer rules that didn't link. And it's my monkeying around, deleting rules directories, that has left me without rules from updates spamassassin_org. And boy! do they block a lot of spam or what! ;) How did you upgrade? Any chance both versions ended up living on your system? Running 3.3.0 with a broken sa-update for whatever reason, can be cured by removing the entire update dir, and installing the plain, stock 3.3.0 rules tarball, if not already done. I'm on freebsd, I'm
Re: can I roll back to an earlier version of updates
Karsten Bräckelmann wrote: On Sun, 2010-02-28 at 18:44 -0500, Lee Dilkie wrote: For what ever reason, my sa-update to 3.30 has buggered itself. In my efforts to debug it's now at the situation that SA has no rules to run and I'm getting swamped. The first sentence is seriously confusing. You can not sa-update to 3.3.0. sa-update only updates the rules, for the already installed version. Yeah, sorry about that... As I've discovered, it's all tied to the version of SA and 3.2 rules won't run with 3.3 SA. How, if it's possible, can I tell SA and sa-update to use the 3.2 version of the ruleset? Simply deleting the tree and sa-compiling did not work. SA is still looking for 3.3 rules and as it finds none, is letting everything through. You cannot really and reliably make SA 3.3 use 3.2 rules. agreed ;) Anyway, what comes to mind: Did you run sa-update after the upgrade to 3.3.0 at all? If not, did you install the rules tarball alongside SA? I was originally running the 3.3 rules and that was fine, and as far as I know, I did even run sa-upgrade (can't tell you if it upgraded the rules over the base ones) but it's the latest sa-update that pulled in newer rules that didn't link. And it's my monkeying around, deleting rules directories, that has left me without rules from updates spamassassin_org. And boy! do they block a lot of spam or what! ;) How did you upgrade? Any chance both versions ended up living on your system? Running 3.3.0 with a broken sa-update for whatever reason, can be cured by removing the entire update dir, and installing the plain, stock 3.3.0 rules tarball, if not already done. I'm on freebsd, I'm going to try and find out where that's stored, it's likely in the ports tree somewhere. thanks for the help.. Unfortunately, my update to the latest ruleset fails lint... as I said in an earlier email... 
config: failed to parse line, skipping, in /tmp/.spamassassin545130JflrRtmp/72_active.cf: mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin545130JflrRtmp/72_active.cf: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin545130JflrRtmp/72_active.cf: mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i Is there any way that I can force the system to download the ruleset so I can comment out the offending lines and carry on? (I'd at least like to see what they are, and why it doesn't parse, maybe it's something in my config). -lee -- Fuelly http://www.fuelly.com/driver/dilkie/golf
Re: can I roll back to an earlier version of updates
no joy. doesn't look like the ports version of SA comes with any stock rules (nothing obvious in the ports dir tree, the work/ directory had en empty 72_active.cf file)... I deinstalled and then installed and it all went well but it tells me to run sa-update to get the rules, and that's my problem You may wish to run sa-update now to obtain the latest rules. NOTE: FREEBSD users: If you are updating from a version prior to 3.20. sa-update now places state files in /var/db/spamassassin and not /var/lib/spamassassin. This is to be consistant with Freebsd file directory conventions. If you run sa-compile, you will notice that files are in /var/db/spamassassin/compiled/perlversion/version instead of /var/db/spamassassin/compiled/version. No attempts have been made to move old versions over. You must recompile. === Installing rc.d startup script(s) === Compressing manual pages for p5-Mail-SpamAssassin-3.3.0_3 === Running ldconfig /sbin/ldconfig -m /usr/local/lib === Registering installation for p5-Mail-SpamAssassin-3.3.0_3 r...@spock: /usr/ports/mail/p5-Mail-SpamAssassin $ sa-update config: failed to parse line, skipping, in /tmp/.spamassassin92852PBQ5Yktmp/72_active.cf: mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin92852PBQ5Yktmp/72_active.cf: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin92852PBQ5Yktmp/72_active.cf: mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i channel: lint check of update failed, channel failed So is there *any* way for me to get this ruleset and put it on my server and edit out the offending lines in 72_active.cf?? Is there an archive I can download? 
(I'm thinking of modifying sa-update to comment-out where it removes the tmp files) -lee Karsten Bräckelmann wrote: On Mon, 2010-03-01 at 06:45 -0500, Lee Dilkie wrote: Karsten Bräckelmann wrote: Anyway, what comes to mind: Did you run sa-update after the upgrade to 3.3.0 at all? If not, did you install the rules tarball alongside SA? I was originally running the 3.3 rules and that was fine, and as far as I know, I did even run sa-upgrade (can't tell you if it upgraded the rules over the base ones) but it's the latest sa-update that pulled in newer rules that didn't link. And it's my monkeying around, deleting rules directories, that has left me without rules from updates spamassassin_org. And boy! do they block a lot of spam or what! ;) How did you upgrade? Any chance both versions ended up living on your system? Running 3.3.0 with a broken sa-update for whatever reason, can be cured by removing the entire update dir, and installing the plain, stock 3.3.0 rules tarball, if not already done. I'm on freebsd, I'm going to try and find out where that's stored, it's likely in the ports tree somewhere. man spamassassin See the section Configuration Files. The first path mentioned for Default Configuration Data should be the sa-update one. SA version is embedded in that path, inside /var/lib here, IIRC /var/db or something on FreeBSD. The last one in that block of paths should be where SA expects the stock rules. The first existing one from that list wins, anything else will be ignored. spamassassin -D can help in identifying bad rule sets being picked up, and where SA ultimately looks for the cf files. Is there any way that I can force the system to download the ruleset so I can comment out the offending lines and carry on? (I'd at least like to see what they are, and why it doesn't parse, maybe it's something in my config). Drop the bad update first, and revert to stock. Re-install it from ports, if need be. -- Fuelly http://www.fuelly.com/driver/dilkie/golf
Re: can I roll back to an earlier version of updates
progress report.. commented out the place where the lint results were checked and rules got installed. looking at 72_active.cf I see a number of lines ending in CR (^M). Is this intentional? ie.

header __SUBJ_3DIGIT Subject =~ /\b\d{3}[^0-9]/^M
header __SUBJ_APPROVE Subject =~ /Approve/i^M
header __SUBJ_RE Subject =~ /^R[eE]:/^M

-lee

--
Fuelly http://www.fuelly.com/driver/dilkie/golf
Re: can I roll back to an earlier version of updates
Final update folks, sorry for the noise if it's bothersome... commented out the three offending lines in 72_active.cf and --lint passed and I'm back up and running. No idea what the issue is, those lines looked fine to me. I'm running perl 5.8.9, could that be an issue?

-lee

details: ##lee is my handiwork

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
##lee mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
##lee mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
##lee mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /image\d+\.(?:gif|jpe?g|png)\@/
endif
Re: Error with sa-update.
Daryl C. W. O'Shea wrote:

Are you still having this issue?

yes indeed

Wow. That's an incredibly bad idea. Allowing sa-update to install Perl, or other, code (--allowplugins) without verifying that the code is signed (--nogpg) is pretty risky. If a mirror gets hacked you'll run (possibly as root) whatever code the attacker wants you to.

I used pgp keys originally, then it broke and I was unable to get it to work without --nogpg so I left it that way. I'll give some effort to getting it to work again.

config: failed to parse line, skipping, in /tmp/.spamassassin46123uY1E3Ntmp/72_active.cf: mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
config: failed to parse line, skipping, in /tmp/.spamassassin46123uY1E3Ntmp/72_active.cf: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
config: failed to parse line, skipping, in /tmp/.spamassassin46123uY1E3Ntmp/72_active.cf: mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
channel: lint check of update failed, channel failed

On the surface this indicates an issue with the MIMEEval plugin. However, it appears that you're loading that plugin (see below). Maybe verify that your version of MIMEEval is OK.

[...@cyan Plugin]$ sha1sum MIMEEval.pm
ec62013c06d3a51d972cd02d51169221be6d51c2 MIMEEval.pm
[...@cyan Plugin]$

$ sha1 /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/MIMEEval.pm
SHA1 (/usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/MIMEEval.pm) = ec62013c06d3a51d972cd02d51169221be6d51c2

matches yours.

Feb 26 04:15:02.614 [14130] dbg: generic: lint check of site pre files succeeded, continuing with channel updates

That's good. A lint succeeds using minimal configuration.

Feb 26 04:15:06.323 [14130] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEEval from @INC

The MIMEEval plugin seems to be loading.

config: failed to parse line, skipping, in /tmp/.spamassassin14130V3YzQDtmp/72_active.cf: mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
config: failed to parse line, skipping, in /tmp/.spamassassin14130V3YzQDtmp/72_active.cf: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
config: failed to parse line, skipping, in /tmp/.spamassassin14130V3YzQDtmp/72_active.cf: mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i

These are all MIMEEval rules. I've checked and they are all wrapped in the appropriate ifplugin statements.

Question. How does one check if the tmp files are deleted at the end? Which ifplugin is it wrapped in?

Feb 26 04:15:07.438 [14130] dbg: zoom: loading compiled ruleset from /var/db/spamassassin/compiled/5.008/3.003000
Feb 26 04:15:07.447 [14130] dbg: zoom: using compiled ruleset in /var/db/spamassassin/compiled/5.008/3.003000/Mail/SpamAssassin/CompiledRegexps/body_0.pm for Mail::SpamAssassin::CompiledRegexps::body_0

Hmm. This is probably a flaw in sa-update, but probably doesn't affect your issue. For fun, try rm'ing /var/db/spamassassin/compiled/ and run sa-update again.

Tried that Daryl and still no good, same error

Thanks for lending a hand.

-lee
Re: Error with sa-update.
On getting pgp to work...

Following HOWTO at http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt

wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY; worked fine

$ sa-update --import GPG.KEY
gpg: keyblock resource `/usr/local/etc/mail/spamassassin/sa-update-keys/secring.gpg': No such file or directory
gpg: keyblock resource `/usr/local/etc/mail/spamassassin/sa-update-keys/pubring.gpg': No such file or directory
gpg: no writable keyring found: Unknown system error
gpg: error reading `GPG.KEY': General error
gpg: import from `GPG.KEY' failed: General error

there is no directory 'sa-update-keys' under '/usr/local/etc/mail/spamassassin' should they have been installed with the SA package (I'm running on FreeBSD).

$ sa-update -V
sa-update version svn897929
running on Perl version 5.8.9

-lee
Re: Error with sa-update.
nevermind, it eventually created the directory and keyring files... not quite sure how that happened..

--
Fuelly http://www.fuelly.com/driver/dilkie/golf
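The risk raised earlier in this thread is sa-update run with --nogpg and --allowplugins together. As an added example (not from the thread or from the SpamAssassin project), the POSIX sh functions below audit crontab or script lines for that combination; the sample crontab, the channel name updates.example.org and KEYID_PLACEHOLDER are constructed, and the HIGH/MEDIUM/OK labels are this example's own.

```shell
#!/bin/sh
# Audit command lines for sa-update invocations that skip signature checks.
# HIGH   = --nogpg together with --allowplugins (unsigned code may be installed)
# MEDIUM = --nogpg alone (unsigned rule files may be installed)
# OK     = sa-update with GPG verification left enabled
# The level names are this example's own labels, not SpamAssassin terms.

# Print the level for one line; print nothing if it does not call sa-update.
# The body runs in a subshell so "set -f" and the variables stay local.
classify_sa_update() (
    set -f                      # cron fields such as "*" must not be globbed
    is_sa=0 nogpg=0 plugins=0
    for word in $1; do
        case $word in
            \#*) break ;;                          # rest of line is a comment
            sa-update|*/sa-update) is_sa=1 ;;
            --nogpg)        if [ "$is_sa" -eq 1 ]; then nogpg=1; fi ;;
            --allowplugins) if [ "$is_sa" -eq 1 ]; then plugins=1; fi ;;
        esac
    done
    [ "$is_sa" -eq 1 ] || exit 0
    if [ "$nogpg" -eq 1 ] && [ "$plugins" -eq 1 ]; then
        echo HIGH
    elif [ "$nogpg" -eq 1 ]; then
        echo MEDIUM
    else
        echo OK
    fi
)

# Read lines on stdin; report HIGH and MEDIUM findings as
# "LEVEL<TAB>line N<TAB>original line". Returns 1 if anything was reported.
audit_sa_update() {
    n=0
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        level=$(classify_sa_update "$line")
        case $level in
            HIGH|MEDIUM)
                printf '%s\tline %d\t%s\n' "$level" "$n" "$line"
                rc=1
                ;;
        esac
    done
    return "$rc"
}

# Constructed sample crontab (not taken from the thread).
sample_crontab() {
    cat <<'EOF'
# constructed sample crontab
15 4 * * * /usr/local/bin/sa-update --nogpg --allowplugins --channel updates.example.org
30 4 * * * sa-update --nogpg --channel updates.example.org
45 4 * * * sa-update --gpgkey KEYID_PLACEHOLDER --channel updates.example.org
#0 5 * * * sa-update --nogpg --allowplugins
0 6 * * * /usr/local/bin/sa-update --allowplugins
EOF
}

# Stand-alone run: print the findings for the sample.
sample_crontab | audit_sa_update || :
```

To check a real system, feed it the output of `crontab -l` or the script that wraps sa-update instead of `sample_crontab`.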
can I roll back to an earlier version of updates
Folks, For what ever reason, my sa-update to 3.30 has buggered itself. In my efforts to debug it's now at the situation that SA has no rules to run and I'm getting swamped. How, if it's possible, can I tell SA and sa-update to use the 3.2 version of the ruleset? Simply deleting the tree and sa-compiling did not work. SA is still looking for 3.3 rules and as it finds none, is letting everything through. TIA -lee http://www.fuelly.com/driver/dilkie/golf
Re: Off Topic - SPF - What a Disaster
Marc Perkel wrote:

I'm not hearing from people in this forum who are saying it works. Even those who are SPF evangelists can't point to any significant results in either blocking spam or passing ham.

Well it's no magic bullet, but nothing is. I use SPF to try and make my domain less a target for spammers to forge. I got hit with a massive backscatter flood last week that killed my service and I changed my SPF records to hardfail and had to notify my (few) clients to let them know that they were now required to use my server for outgoing mail (auth on port 587). Only time will tell if it helps. But I immediately saw the effect in the bounce messages, domains like gmail were aware of the hardfail on their spf check.

One of the problems is that in SA, an SPF_FAIL (hard) doesn't score much above a SPF_SOFTFAIL but in my view it should. If an admin has made the effort to set up a hardfail record, it should be trusted.

SPF_PASS shouldn't be trusted as far as spam processing, as we all know, as spammers can set up valid SPF records. But it does help against spambots, doesn't it? It's hard to set up valid SPF records when you're sending spam from a million infected machines.

-lee
Web host which allows a full SA install incl your own trainable Bayes?
Hello, Following my recent queries on this list, for which I am still grateful, I abandoned my ambitions for installing and running SA on Windows XP, and decided to take on web hosting which offers SA. (I have re-uploaded an old web site essentially for the purpose of getting hosting which includes SA) However, the host I am with only offers a compromised/partly crippled SA 3.2.4, partly due to its integration with CPanel and also their server policies on 'shared' hosting accounts, which I have. It appears from some queries that this situation may be typical of many hosts' shared plans. So, can any of you recommend a web host where I could use/build/run my own SA install including my own trainable Bayes? I appreciate this may not be on a 'shared' host as I am now, but it seems unreasonable to pay for a dedicated server when the only 'complex' thing I want to do is run SA. Alternatively, is there anyone reading this who can offer the above on their own server running an up to date and fully configured SA, presumably for a fee? My email load is low, no more than say 100 emails a day at the very most including spam, and derived from ISP POP3 accounts. I have no plans to increase that load and all I am doing is handling personal non-business email. Feel free to email me off-list, should you want to. Many thanks, Lee UK
Re: Web host which allows a full SA install incl your own trainable Bayes?
Thanks very much for the various replies on this, both on and off list. I'm very grateful and am considering things. Lee
Re: SA on Windows (XP) with Cygwin
Thanks for the below, Martin. Maybe so far I missed it on the web, but that's the clearest description I've come across and actually makes sense to me. :)

Lee

Martin Gregorie wrote:

The main benefit for low volume (personal) mail is that using spamc/spamd avoids the considerable start/stop times of vanilla SA. spamd is a server that starts at boot time and runs until shutdown while raw SA is started and stopped for every message. spamc replaces SA in the message processing chain. All it does is to pass messages to spamd for inspection and tagging. It's a small C program, so it starts and stops very fast.

Martin
Re: SA on Windows (XP) with Cygwin
Hello Kevin, I agree with you regarding my ambitions V ability. I have decided to give up. I do however still want to find something for free and using online lookups, but I appreciate that's not for here. I'm aware I am resisting one or two commercial desktop solutions apparently offering what I'm looking for. Kevin Parris wrote: This part of your message has really confused me about what you are trying to accomplish: Lee 06/28/09 9:45 PM I need the ability for SA to connect to SSL connections as well as insecure ones, so I don't know if I have to install extra bits for that, maybe including openSSL and Stunnel on Cygwin. Again, I have seen bits and pieces implying this may be the case. If you are one person trying to filter spam for one mailbox on a single-user Windows system, why do you need a filtering product that will listen on more than one connection, much less more than one type of connection? What I meant is; I have various POP accounts from various suppliers, some requiring or offering a secure connection, and some not. Separate question: have you considered switching to an ISP that provides spam filtering as part of their email service, and save yourself all the bother? I currently have a mixture of free POP email accounts from Yahoo/BT Internet, UK Online and Sky(Gmail), all of which offer some method of junk filtering but I believe none specifically use SpamAssassin. I do prefer doing any spam detection myself at desktop level anyway, hence my obsession with SA being arguably the best, although sadly not aimed at desktops for free. For info, my internet connection itself is provided by the ISP UK Online. Lee
Re: SA on Windows (XP) with Cygwin
Thanks for your reply, René, René Berber wrote: The easy way is really easy: Install base Cygwin, then install perl and gcc (version 3.x or 4.x) for Cygwin (using the same installer: http://cygwin.com/setup-1.7.exe). Use cpan shell and 'install spamassassin' ... that will pull all the dependencies (is a very long install, one of those where you only have to answer 'yes' to everything). You still have to configure SA, the usual way, and at that point you have a working spamassassin command; I can handle that much ok so far, assuming no dependency installs fail. Then I have no idea what to do, except trying to 'force them' which may not work properly. I need the ability for SA to connect to SSL connections as well as insecure ones, so I don't know if I have to install extra bits for that, maybe including OpenSSL and Stunnel on Cygwin. Again, I have seen bits and pieces implying this may be the case. spamd/spamc need more setting up, in Cygwin you use cygrunsrv to configure and install services, spamd is enabled as a service with that. I've yet to grasp the purpose of SpamC and/or SpamD on Windows in my kind of scenario. I've seen mention of them a lot in my web searches, but all I think I have yet grasped is that SpamC makes the mail filtering faster due to a multi threaded approach at calling SA. Have I got that right? Now, the above procedure I don't think it installs DCC and Razor (is that even used anymore?), I never used those plugins, but I used others and they are just as easy to install. If DCC and Razor no longer exist, especially for free, which other look-up / blacklist methods are recommended for SA? My plan had/has using DCC and Razor as a central benefit to it all, to avoid just naive bayesian training alone. There are more tools you'll need, like cron, bind, and perhaps others I don't recall. 
The point being if you are not a sys admin or developer this gets more confusing as you progress; yes there are guides, articles, and books, but perhaps is overkill for what you really want. The second part of your question shows you don't have a clear idea of what to do with SA, procmail is a tool used if you run a mail server, fetchmail is a tool used if you don't (but fetch your mail from other server(s)). With both tools the idea is to run spamassassin or spamc on each message, then use the added headers in your mail client; I haven't used them, I had exim which has support for using spamd (and clamd). I know what I want to do with SA, but I'm indeed not clear on how to achieve it, once having successfully installed the latest SA with necessary modules/plugins. I would need to explore mail piping and retrieval methods in much detail, probably more elsewhere than on here. You need to make a plan that solves your specific needs. I still see SpamAware as a better choice, it beats SAWin which anyway was intended to be used on mail servers not mail clients, the POP3 proxy is an independent tool, not really needed if you have a proper plugin. The trouble is, I really am not keen on using Outlook Express to be able to use SpamAware. The Thunderbird spinoff seems to be discontinued/incomplete, as I think you said. I'm not fixated on keeping Thunderbird, and would happily move to another free client if it incorporated junk detection using online lookups. I'm aware of something called NoSpamToday but I read it runs on a Java Runtime Environment and reviews say it is very cumbersome and laggy. I think I mean NoSpamToday, anyway; I'm just typing this from memory. So where does this leave me at the moment ... probably, as expected, still somewhat out of my depth with much work ahead, doesn't it ? I suspect I will have to shortly conclude this whole project is really a non starter for me, and put it back in its box. Then just use TB and Popfile until the end of time. 
Or indeed until a mystical time when a new XP/Vista desktop SAproxy/client gets made. :) Lee
SA on Windows (XP) with Cygwin
Hello René and anyone else who has run SA on Windows under Cygwin, I've been dabbling a little with this, having not used Cygwin beforehand, and I think I have grasped the basic operational principles of installing/building modules and SA, but it appears it may turn out to be a waste of time and fruitless venture; by that I mean it seems to be a pain or impossible to get various modules working including things like DCC and Razor. Is this indeed the case? I think however René earlier said he had a 'full' install working? Bearing in mind I am only a Windows XP person, whose grasp of 'command line' operations previously went no further than basic .bat files or using 'run' and typing 'cmd' 'ok', I need a relatively guaranteed and specific guide on how to get all the above working, should it in fact be possible. As usual, I've found various bits and pieces on the net on SA under Cygwin, but none fully comprehensive or seemingly up to date. My thinking is; I only want to pursue SA under Cygwin if I can at least achieve a better and more up to date equivalent of the Sourceforge September 2007 package of SAwin32/SAProxy. Otherwise, I may as well revert to using Popfile which is an active project although just a naive bayesian training method. (I think.) I appreciate I will also need to install some other bits to pipe the emails into SA and out to a desktop email client; presumably this will involve something like Procmail or Fetchmail which were mentioned recently. Maybe even a Windows mail server. I do appreciate all this may be considered highly excessive for the sake of filtering personal email, but I like a project as long as I know how to do it specifically and can be assured it will work. For info, here's what that SAwin32/SAProxy package claims/claimed to do: --- SpamAssassin POP3 Proxy for Win32 (SAproxy) v3.2.3.3 Includes SpamAssassin v3.2.3, DCC v1.3.58 and Vipul's Razor v2.84. 
This tool is a free and powerful spam filter for any Microsoft Windows mail client (Outlook Express, Eudora, Microsoft Outlook, etc.). It supports SSL, but it is for POP3 accounts only and will not work with IMAP, Exchange, Lotus, web-based (such as Hotmail) and other non-POP3 accounts. It includes SpamAssassin (http://spamassassin.apache.org/) and fully supports online spam databases DCC(http://www.rhyolite.com/anti-spam/dcc/) and Razor (http://razor.sf.net/). This build is based on free SAproxy v1.2 and is not associated with Stata Labs (which no longer sells SAproxy Pro). -- So, can an up to date and painless build of that be achieved under Cygwin? If so, which specific Cygwin and CPAN modules (and versions) will work with SA 3.2.5 or at least SA 3.2.4? Thanks in advance; if you feel it is most likely going to be a pain and an unknown quantity, just tell me so, and I won't frustrate myself with attempting this line of thought any further. I appreciate one or two posters have already said / implied this. Lee UK
Re: SA on Windows XP + POP to desktop client?
Thanks for your further replies on this. It indeed appears what I have now may well currently be the most convenient approach, all things considered. To clarify, when I talk about running the SAwin32 program, what I am actually running on my desktop is SAproxy which is part of the click-and-install SAwin32 2007 download from Sourceforge. SA-update is available for it there, but that's only for updating filer rules isn't it, rather than SA itself? I have an error/warning when I run it anyway, which I've been trying to troubleshoot without success on the SAwin32 Sourceforge mail list. I currently have no idea if the SAwin32/SAProxy build I am using can work with current SA rule updates. Regarding VMWare; I'm only a 'moderately technically minded' XP user, and from what I can see, the VMWare stuff is aimed at non-Windows users having a quick look around the site there, it seemed to be aimed at scenarios and applications beyond my grasp. I literally only have a home user XP desktop pc; I'm not running anything else including any servers. I was going to quote and query a couple of helpful posts at this point, but essentially it is simpler to say: I earlier had some success in my experiments using the SA Windows page (below) and Micheal Bell's archived guide, but I perceived the experience as lacking a fully descriptive and up to date picture, making it hard to pinpoint where I was going wrong versus what exactly should be happening. Especially regarding the most suitable Active Perl version, perl module names, and using PPM or PPM3 or PPM4 to find and install perl modules. http://wiki.apache.org/spamassassin/InstallingOnWindows If any of you have the time and will to look at that Windows page and confirm it is fully up to date and clear, then I may again look into installing SA 3.2.5. 
I appreciate however those instructions may be aimed at a mindset and application at server level rather than desktop, but I assume there are others like me who would love SA's excellent spam filtering in a Windows desktop email client. The initial reason I looked into all this, is that I couldn't find a free email client for XP that included SA filtering. Did I miss one? I would strongly suggest the Windows instructions should include a section on XP/Vista desktop use, stating clearly how to build the latest SA and what can and cannot be achieved, explicitly with a section on using a suitable pop3proxy script/program through to a desktop client, so you're not left with SA and nowhere to go with it. :) Lee
Re: SA on Windows XP + POP to desktop client?
Thanks for the below, René, I think you mentioned SpamAware earlier but I either forgot or I couldn't find it; I'll certainly look into what you've suggested. By the way, you've inspired me to add something I thought about earlier but didn't write: it seems a viable idea for an individual or group to hire web hosting which has SA on it, just to forward/redirect our emails through the hosted domain and thereby get the SA headers to filter on in a POP desktop client. Without fully thinking it through, I imagine that idea may work without mangling headers. The assumption here of course is, to make it worthwhile, we trust the host has correctly installed and fully configured SA for it to work optimumly (if that word exists). Lee René Berber wrote: Lee wrote: [snip] I appreciate however those instructions may be aimed at a mindset and application at server level rather than desktop, but I assume there are others like me who would love SA's excellent spam filtering in a Windows desktop email client. [snip] The best choice for this (desktop) is SpamAware : http://www.jam-software.com/spamaware/ As you pointed out, most solutions are implemented as proxies that need spamd or spamassassin running somewhere. SpamAware is a real MS Outlook (and O-Express) plugin that also includes ClamAV. Just as the proxy solutions I think it can only be used with POP servers, no IMAP, that's a real heavy downside; but I haven't used it or looked in a long time. Since I had SA running under Cygwin I used to update rules, change the ones I wanted, even tried to add plugins (FuzzyOCR and SpamBot)... those didn't work in SpamAware (but do work on Cygwin SA, which by the way, is not a package distributed with Cygwin but easy to install with CPAN). If you use Thunderbird which has integrated SA score awareness there is nothing currently like SpamAware, one experimental plugin Spamness, http://ryanlee.org/software/mozilla/thunderbird/spamness/, also needs SA scoring on the mail server. 
Perhaps there are options using tools like fetchmail and similar, I haven't searched for those but it could be relatively easy to set them up alongside SA.
Re: I have an SA problem with Thunderbird.
Steven W. Orr wrote:

Is there a way to shut off all spam filtering that thunderbird might want to be doing, but at the same time, allow me to click on a message and then click on the Junk button and cause that Junk button to run the sa-learn --spam command on the message?

That's a nice idea; if TB buttons can't easily be customised, maybe you could make your own TB button to run such a command/script. I don't know however if buttons can do such things.

All I know about TB's junk and SA filtering related to your question, is basic stuff which presumably you're well aware of; I may as well offer it in case it enlightens less advanced users like me, then I'll get back in my box ...

You can turn off all TB's adaptive junk filtering/detection by unticking the option in Account Settings, Junk Settings. Those same settings have an option 'Trust junk mail headers set by SpamAssassin', which I _assume_ is the equivalent of manually making a filter to act on the header X-Spam-Status if present. I haven't tried it ... maybe I should! (I made my own filter looking for X-Spam-Status: Yes).

Lee
SA on Windows XP + POP to desktop client?
Hello SpamAssassin fans, Having read and tried various things on the SA site and elsewhere, even including some technically dead stuff in the Web Archive, I'm wondering if anyone knows how to achieve the following set up (for free) and is willing to share it :- Install the latest SpamAssassin 3.2.5 (or at least 3.2.4) on Windows XP, whether that be in a convenient point-and-click .exe manner or the more complex procedure of installing Active Perl, making SA, etc in the command line and importantly a method to pass incoming POP emails through SA on the way to a desktop email client such as Thunderbird. I'm currently achieving the above using a very nice program called SAwin32 on Sourceforge, which uses SA 3.2.3 and is almost two years old. It doesn't offer the entire functionality that SA is capable of, but appears to work fine. However, the project appears to be discontinued and I have no idea if it can be updated to run a newer SA version. Thanks in advance if you can help; of course very specific build details may be required for others like me to be able to set it up successfully. I also appreciate some parts/modules of SA may not be workable on Windows. Lee UK
Re: SA on Windows XP + POP to desktop client?
Yet Another Ninja wrote: Lee I'd advise you not to try this path much longer. The effort to get the full functionality is not worth it. You will never get it all, unless you're prepared to port a lot of the stuff to W32 (been there - done (part) of it - never again) Suggest you look around for some VMware appliance image which will run a SA/pop3 proxy for you and you'll get instant happiness :-) Hello Yet Another Ninja and thanks for replying; So, getting a better / more up to date equivalent of SAwin32 is essentially a pain and likely to end in severe frustration? If that's what you're saying, I'm not surprised from what I've found/not found over the last week or so :) What do you mean in your second paragraph? I didn't really follow you there. Did you mean a commercial product for Windows which already includes SA and also acts as a desktop POP proxy? I'm aware there may be a few of those. Indeed, the SAwin32 I'm using gave way to a commercial product, I believe? I might also throw in here, I've seen a page (below) by somebody using the free Delegate proxy program to work with SA, but on Unix, not on Windows. He's using Delegate as a Pop3Proxy type tool. I haven't looked into this seriously yet, but I've had a little attempt at running Delegate on XP (it's cross platform), and so far failed to fully understand how to configure it on its first run and indeed beyond that(!). I suspect it is actually quite simple, however. But of course, if getting a newer version of SA than 3.2.3 to work with it on Windows is a nightmare, sticking with what I have now would certainly be the most viable option. I assume I'm not the only person here using the Sourceforge SAwin32 package from 2007? http://www.deepsea.force9.co.uk/pop3proxy.html Lee
Restarting processes after sa-update?
My SpamAssassin is run from /etc/mail/mimedefang-filter via the Perl module.

Initialized using:

spam_assassin_init()->compile_now(1) if defined(spam_assassin_init());

And checked with:

my($hits, $req, $names, $report) = spam_assassin_check();

When running sa-update, do I need to run anything to make sure new rules get picked up? I.e., do I need to restart mimedefang or somehow call spam_assassin_init()->compile_now(1)? I do not have a /etc/init.d/spamassassin as mentioned in sa-update's help and we are not running spamd.
RE: Sa-update problem
From: mouss [mailto:mo...@ml.netoyen.net]
Sent: Wednesday, March 18, 2009 6:30 PM

At question is the statement
dbg: channel: current version is 752903, new version is 752903, skipping channel

$ host -t txt 3.2.3.updates.spamassassin.org
3.2.3.updates.spamassassin.org descriptive text 752903

so you have the last official update. and it's the same version for 3.2.5:

$ host -t txt 5.2.3.updates.spamassassin.org
5.2.3.updates.spamassassin.org descriptive text 752903

last update was on 13-03-2009.

That is terrific! Thank you for your help! Do you know about how often these rules are updated?
Sa-update problem
I'm a new administrator at a site and have been tasked with updating SpamAssassin, something I have never worked with before. I am running /usr/perl5/5.8.4/bin/sa-update daily as a cronjob, but I'm not sure if this is accomplishing anything. I have read through FAQs and documentation, but haven't found anything relating to this issue.

SpamAssassin version 3.2.3
Platform Solaris 10
Accessed through perl module interfaced by mimedefang

At question is the statement
dbg: channel: current version is 752903, new version is 752903, skipping channel

I believe that 2 weeks ago when I first ran sa-update the version was upgraded and exit status was 0, but since then the version has not increased and all my exit statuses are 1. Is version 3.2.3 completely out of date and not receiving updates anymore? Are updates only done once every few weeks? Do I have a configuration problem?

Full output from my current sa-update command follows:

[14806] dbg: logger: logging level is DBG
[14806] dbg: generic: SpamAssassin version 3.2.3
[14806] dbg: config: score set 0 chosen.
[14806] dbg: dns: is Net::DNS::Resolver available? yes
[14806] dbg: dns: Net::DNS version: 0.60
[14806] dbg: generic: sa-update version svn540384
[14806] dbg: generic: using update directory: /usr/perl5/5.8.4/var/spamassassin/3.002003
[14806] dbg: diag: perl platform: 5.008004 solaris
[14806] dbg: diag: module installed: Digest::SHA1, version 2.11
[14806] dbg: diag: module installed: HTML::Parser, version 3.56
[14806] dbg: diag: module installed: Net::DNS, version 0.60
[14806] dbg: diag: module installed: MIME::Base64, version 3.07
[14806] dbg: diag: module installed: DB_File, version 1.815
[14806] dbg: diag: module installed: Net::SMTP, version 2.31
[14806] dbg: diag: module installed: Mail::SPF, version v2.005
[14806] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[14806] dbg: diag: module installed: IP::Country::Fast, version 604.001
[14806] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[14806] dbg: diag: module installed: Net::Ident, version 1.20
[14806] dbg: diag: module installed: IO::Socket::INET6, version 2.51
[14806] dbg: diag: module installed: IO::Socket::SSL, version 1.07
[14806] dbg: diag: module installed: Compress::Zlib, version 2.004
[14806] dbg: diag: module installed: Time::HiRes, version 1.59
[14806] dbg: diag: module installed: Mail::DomainKeys, version 1.0
[14806] dbg: diag: module installed: Mail::DKIM, version 0.26
[14806] dbg: diag: module installed: DBI, version 1.58
[14806] dbg: diag: module installed: Getopt::Long, version 2.34
[14806] dbg: diag: module installed: LWP::UserAgent, version 2.033
[14806] dbg: diag: module installed: HTTP::Date, version 1.47
[14806] dbg: diag: module installed: Archive::Tar, version 1.32
[14806] dbg: diag: module installed: IO::Zlib, version 1.05
[14806] dbg: diag: module installed: Encode::Detect, version 1.00
[14806] dbg: gpg: Searching for 'gpg'
[14806] dbg: util: current PATH is: /usr/sbin:/usr/bin:/usr/local/bin
[14806] dbg: util: executable for gpg was found at /usr/local/bin/gpg
[14806] dbg: gpg: found /usr/local/bin/gpg
[14806] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
[14806] dbg: channel: attempting channel updates.spamassassin.org
[14806] dbg: channel: update directory /usr/perl5/5.8.4/var/spamassassin/3.002003/updates_spamassassin_org
[14806] dbg: channel: channel cf file /usr/perl5/5.8.4/var/spamassassin/3.002003/updates_spamassassin_org.cf
[14806] dbg: channel: channel pre file /usr/perl5/5.8.4/var/spamassassin/3.002003/updates_spamassassin_org.pre
[14806] dbg: channel: metadata version = 752903
[14806] dbg: dns: 3.2.3.updates.spamassassin.org = 752903, parsed as 752903
[14806] dbg: channel: current version is 752903, new version is 752903, skipping channel
[14806] dbg: diag: updates complete, exiting with code 1
SpamAssassin Client for Outlook
Hello List, I'd like to start off with a little background information to help you understand my question. I currently use Sylpheed-Claws as my email client under Linux. I have it configured so that I can select any message and press a hot key (F5, this was assigned by myself via GTK), which will execute a script on my filesystem and pass it (as a command line argument) the complete path and file name to the email that I selected. This script will then pass the complete filename of the email to spamc, which will then send the email message to a remote SpamAssassin server (spamd) and then display the complete SPAM Score (whether it is spam or not) on my local console. I set this up as an instant feedback mechanism so that I can easily make tweaks to my remote SpamAssassin (spamd) servers and verify that those tweaks have the intended results. This setup works like this: 1. Find a piece of email which is spam, but has not yet been tagged as spam. 2. Highlight that email. 3. Press (F5). 3a. A window will open on my computer which contains the running script. 3b. The email path / file name is passed to my script 3c. The script runs and passes the path / file name to spamc 3d. Spamc runs and passes the contents of the file to the remote spamd server. 3e. The remote spamd server analyzes the message and scores it based on its current setup. 3f. The remote spamd server returns the Spam Score report. 3g. Spamc displays the Spam Score report in the already open window on my computer. I also have a script which I can run manually (and pass the emai file as an argument) which allows me to submit the message to the remote SpamAssassin (spamd) server for learning as HAM / SPAM. Now for my question. I have a client who is running Outlook 2003. She would like the same functionality in her Outlook that I have in my mail client for processing of Spam. She is accessing her email from the network via IMAP. Does anyone know of a plugin for Outlook that will do this for her? 
If such a plugin does not exist, is there anyone that can help me write this plugin? I would think the procedure would go like this: 1. User selects message. 2. If the message is a email message (not calendar, contact, task, etc), then enable the 'Spam Score' button on the tool bar. 3. User clicks the 'Spam Score' button on the tool bar. 4. The message is extracted from Outlook and saved to a temp file on the file system. 5. SpamC is run against that temp file. 6. The Spam Score from SpamC is displayed on her screen. There should also be a 'Learn SPAM' and 'Learn HAM' buttons on the tool bar. Somewhere there should be a setup screen to specify the remote server name and the various options to be passed to spamc when it is called. If someone could help me out on this, that would be much appreciated! Thanks! NOTE: I am getting married on May 26, 2007. :) NOTE: I will be on my honeymoon from May 26, 2007 through June 3, 2007. NOTE: I will be on vacation from June 23, 2007 through July 8, 2007. -- Lee Leahu RICIS, Inc. Internet Technology Specialist 866-RICIS-77 Toll Free Voice (US) [EMAIL PROTECTED] 708-444-2690 Voice (International) http://www.ricis.com/ 866-99-RICIS Toll Free Fax (US) 708-444-2697 Fax (International) RICIS, Inc. is a member of the Public Safety Alliance Group This email and any attachments that are included in it have been scanned for malicious or inappropriate content and are believed to be safe.
Re: SpamAssassin Client for Outlook
Hey Rob / List, Here you'll find a POP3 proxy that is basically a Win32 edition of SA. It runs on your computer, between your mail server and outlook. And, as I said, it is fully win32 native, no unix emulation. Might not be exactly what you wanted, but very, very close. That looks pretty nice. I'd like to take a moment to share the business objectives / goals that I am trying to meet. The company that my client works for has an archive account. Every email sent / received is copied to this account. Spam Emails are put into one folder, and Ham emails are put into another folder. Every day my client goes through this account and looks for any false positives and false negatives. If she finds any she wants to be able to find out why it was considered ham or spam, and then tweak / train the mail server's SpamAssassin daemon appropriately. The high level business objective is to provide a simple to use interface which can be used to fine-tune the company-wide spam filter. Thanks! -- Lee Leahu
Re: Message not flagged as spam
On Oct 13, 2006, at 4:11 AM, Suhas (QualiSpace) wrote:

Can anybody explain to me why SA did not flag this message as spam?

X-Spam-Status: No, score=-81.0 required=4.5 tests=BAYES_40,HELO_DYNAMIC_HCC,
 HELO_DYNAMIC_IPADDR2,HTML_90_100,HTML_FONT_BIG,HTML_IMAGE_ONLY_08,
 HTML_MESSAGE,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,MPART_ALT_DIFF,
 RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,SPF_HELO_FAIL,
 USER_IN_WHITELIST autolearn=spam version=3.0.1

Just guessing here, as I'm new to SA, but the USER_IN_WHITELIST tag might be the answer. If it's in your whitelist, you want the email, period, regardless of content.

-- Lee Manevitch Bradenton, FL [EMAIL PROTECTED]
FuzzyOCR and Animated GIFs
I think I already know the answer to this, but does FuzzyOCR process all frames of an animated GIF? I think the answer is no, because the spam that's getting through untagged by FOCR contains multi-frame animated GIF images, the second-to-last frame of which contains the commercial message. I ran one such file through giffix and then through gocr, and I didn't get anything meaningful back - so I guess the underlying problem is with gocr instead. Comments? -- Lee Manevitch Bradenton, FL [EMAIL PROTECTED]
Re: Only Local Mail
Jess Mooers wrote: I have 2 email addresses that I would like only local domains to be able to send messages to. Is there a way to do this with SpamAssassin 3.1.1? SA is really the wrong tool for this, you should look at setting up a filter via your Mail Server... Jay
Re: spam getting autolearn=ham problem
Bazooka Joe wrote:

X-Spam-Status: No, score=1.0 required=3.0 tests=BAYES_60 autolearn=ham version=3.0.4
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on agwebinc.com

I have required of 3 which you can see and I have the milter rejecting email w/ score more than 7

On 5/10/06, Matt Kettler [EMAIL PROTECTED] wrote:

Bazooka Joe wrote: more and more I am seeing spam marked as autolearn=ham. I was wondering the best way to correct this?

Depends.. Really you first need to figure out why this happened before you take any action at all. Can you post an X-Spam-Status header for one of the messages? Have you modified the required_score, or any of the learning thresholds in your config? In general there are only a few rules that can cause a message to be tagged as spam, but do not count toward the computation of score for learning purposes. *_IN_BLACKLIST, AWL, BAYES_*, and GTUBE are the most noteworthy ones.

You can set bayes_auto_learn_threshold_nonspam in local.cf to be 0 or a negative number, then autolearn=ham won't kick in unless it's below a certain score (not sure if this counts bayes or not). But yes, the real question is why are no rules triggering... Is DNS working? Are you using the blacklist rules, etc? What does the spam look like? Jay
Re: spam getting autolearn=ham problem
The message you sent directly to me hit the following:

* 0.5 HTML_40_50 BODY: Message is 40% to 50% HTML
* 0.1 HTML_MESSAGE BODY: HTML included in message
* 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
*      above 50%
*      [cf: 100]
* 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 3.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
*      [cf: 100]
* 10 URIBL_SBL Contains an URL listed in the SBL blocklist
*      [URIs: missusoandforever.org]
* 4.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
*      [URIs: missusoandforever.org]

Of course, the scores are heavily inflated by my own personal rules (I don't recommend doing this unless you know what you're doing) but the point is, your SA doesn't seem to be firing on certain things it should, do you have the DNS BL's working? Are you using Razor or DCC? Are you on the latest 3.1.1? Jay
Re: OT: anyone know how to do server-side MS-Exchange filters?
John D. Hardin wrote: On Thu, 11 May 2006, Jason Haar wrote: Has anyone done this, and if so, what sort of tools allow it? A Linux mail relay in front of the Exchange server. :)

That wouldn't allow messages to be put in a subfolder instead of inbox, just to do the header tagging. Not having used Exchange I can't answer intelligently on whether or not it supports server side sorting. However, if it doesn't you could use something like Maia Mailguard and a Postfix frontend to the Exchange server to quarantine and report the spam; users would be able to configure and safely view and "free" tagged spam messages via a web interface. It also can send regular reports to the users on what spam they've gotten, senders and subject, etc. Website is: http://www.renaissoft.com/maia/
Re: My only problem with URIBL_BLACK
wrote:
| But.
|
| There are some spammers who run subscribe to mailing lists.
|
| I got spam at home the other day from ediets.co.uk, for example.
|
| I call this stuff subscription spam and would block most of it anyway.
|
| Cheers,
|
| Phil

Easier said than done when you have a paying customer who wants this specific mailing. Have you tried lowering the score of the spamassassin rules that are getting hit? Jay
Re: INVALID_DATE
On Fri, 24 Mar 2006, mouss wrote: Daryl C. W. O'Shea a écrit : David Lee wrote: If, conversely, it is not in breach, then SA has a problem: it shouldn't be marking it INVALID_DATE. Incidentally, it is this aspect (rather than any other) of the date that is triggering this SA rule, isn't it? I guess we could fix it by renaming the rule STUPIDLY_FORMATTED_DATE. Anyone writing their own mail application, such as this mobile providers, should really stick to formatting as seen in well established MTAs. sure, but if we take it the rfc way, FROM_ENDS_IN_NUMS, NO_REAL_NAME are pure abuse. and they do cause FPs (dunno about FROM_LOCAL_HEX). 1. INVALID_DATE: I think we all agree that the ISP (mobile provider O2; mmail) are almost certainly in breach of 822/2822. (Being as generous as possible, we would agree (I think) that they are way, way out of step with good practice.) (We now shift discussion from the Date: field to the From: field.) 2. FROM_ENDS_IN_NUMS: Here, I actually find myself in some sympathy with the ISP. Their service is about email on a cellphone, with a From: that is, by definition, that cellphone number: From: [EMAIL PROTECTED] (I have xd some of the real number). It does seem to make sense, for their service, in their context. 3. NO_REAL_NAME: It would be nice if the ISP could adjust this to be something like (in my own case): From: David Lee [EMAIL PROTECTED] But with a block-booking from a customer (my own number above is part of such a thing from my employer) they might not have enough information for this. So again, I find myself in some sympathy with them. 4. FROM_LOCAL_HEX: presumably this is because the local part is, by definition of their service, a cellphone number. There seems little that can be done about this. 
For those final three items (those concerning From:) this is a judgement call, and a reasonable case can be made that we (the receiving customer, having this service for our people on the road checking back in) might need to adjust our SA scores slightly downwards, and/or have supplementary rules that add a small negative score for @mmail.co.uk. That's not the main issue at discussion on this thread. (But advice and suggestions would be welcome.) The real issue is being able to demonstrate to the ISP that their 17-char, space-separated (therefore non-alphabetic) GMT Standard Time in their Date: is (or isn't) in clear technical breach of 822/2822. -- : David LeeI.T. Service : : Senior Systems ProgrammerComputer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/South Road: : Durham DH1 3LE: : Phone: +44 191 334 2752 U.K. :
INVALID_DATE
System: SA 3.1.0 (called from MailScanner, called from sendmail. The ISP mmail.co.uk (part of the O2 mobile phone (cellphone under trans-Atlantic translation!) company here in the UK) generates a peculiar Date: format. So when it arrives here, our SA is tagging it as spam. Part of the headers: Date: Wed, 22 Mar 06 12:00:00 GMT Standard Time From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: {Spam?} MMail Message X-Mailer: WIN Mail Message-ID: [EMAIL PROTECTED] X-OriginalArrivalTime: 22 Mar 2006 12:00:00.0046 (UTC) FILETIME=[253124E0:01C64DA8] X-DurhamAcUk-MailScanner: Found to be clean X-DurhamAcUk-MailScanner-SpamCheck: spam, SpamAssassin (score=6.804, required 6, BAYES_40 -0.18, FROM_ENDS_IN_NUMS 2.53, FROM_LOCAL_HEX 1.30, INVALID_DATE 2.19, NO_REAL_NAME 0.96) X-DurhamAcUk-MailScanner-SpamScore: ss For data privacy reasons, I have xd out some of the purely-digit From: LHS. Aside: the FROM_ENDS_IN_NUMS and FROM_LOCAL_HEX are probably immutable, as the mmail.co.uk service definition uses a mobile number as that From: LHS. The main addressable issue here seems to be the INVALID_DATE. The Date: supplied by Mmail does not have a simple timezone (e.g. expect GMT), but rather GMT Standard Time. (Correct?) This seems to me to be a clear breach of RFC2822. Mmail's defence is that section 4.3 ends: Other multi-character (usually between 3 and 5) alphabetic time zones have been used in Internet messages. Any such time zone whose meaning is not known SHOULD be considered equivalent to - unless there is out-of-band information confirming their meaning. and that the usually 3 or 5 alphabetic could (they argue) include the 17-character GMT Standard Time. Can someone demonstrate from RFC2822 that GMT Standard Time definitely is, or definitely isn't, technically legal? (If it does happen to be legal, and if this nevertheless triggers SA's INVALID_DATE, then we have an SA bug.) Would GMT (Standard Time) be legal? 
(I raise that just in case mmail really need to keep that information in that place for some reason; this would give them a way out.) -- : David LeeI.T. Service : : Senior Systems ProgrammerComputer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/South Road: : Durham DH1 3LE: : Phone: +44 191 334 2752 U.K. :
HREF based rule idea...
Has any thought been given to creating a rule that looks for forged links? Here's one I got today in a phishing scam:

<A href="http://www.createtokill-clan.de/onlineshop/catalog/images/admin/chase.com/index.htm"><FONT face="Times New Roman" color=#ff style="font-size: 13pt">http://www.chase.com/verification.asp</FONT></A>

So how hard would it be to create a rule that triggers if the href (http://www.createtokill-clan.de...) doesn't match the url that is displayed (http://www.chase.com...) or at least contain the same domain? I realize this is mostly done with phishing scams but it's not unheard of for spammers to use this technique too. I've not seen a SA rule that triggers on this specifically. Any thoughts? Jay
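The check proposed in the post above, sketched as an added example (not part of the original post and not a SpamAssassin rule): flag links whose visible text names a different registrable domain than the href. The function names, the tiny two-level suffix set and the sample HTML are assumptions made for illustration; only the first sample link uses the two URLs quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative subset only (assumption); a real filter would use the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# A hostname-looking token in the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?![a-z0-9-])", re.I)


def base_domain(host):
    """Reduce a hostname to its registrable domain (naive, see suffix note)."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, nested markup included."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._flush()  # an unclosed earlier <a> ends here
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self._flush()

    def _flush(self):
        if self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

    def close(self):
        super().close()
        self._flush()


def mismatched_links(html):
    """Return (href_domain, displayed_domain) for each link where they differ."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.links:
        try:
            target = urlsplit(href.strip()).hostname
        except ValueError:
            target = None
        shown = HOST_IN_TEXT.search(text)
        if not target or not shown:
            continue  # mailto:, relative link, or text like "click here"
        linked, displayed = base_domain(target), base_domain(shown.group(1))
        if linked != displayed:
            hits.append((linked, displayed))
    return hits


# Constructed sample body; the first link pairs the two URLs quoted in the post.
SAMPLE = (
    '<A href="http://www.createtokill-clan.de/onlineshop/catalog/images/admin/'
    'chase.com/index.htm"><FONT face="Times New Roman">'
    'http://www.chase.com/verification.asp</FONT></A>\n'
    '<a href="https://login.example.org/reset">www.example.org</a>\n'
    '<a href="http://evil-example.co.uk/">www.bank-example.co.uk</a>\n'
    '<a href="http://www.example.net/offer">click here</a>\n'
)

if __name__ == "__main__":
    for linked, displayed in mismatched_links(SAMPLE):
        print(f"link goes to {linked} but displays {displayed}")
```

Comparing registrable domains rather than full hostnames keeps a link to login.example.org with the text www.example.org from firing, which is the "at least contain the same domain" condition from the post.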
Connections in CLOSE_WAIT
Hi I'm running SpamAssassin 3.0.2 on a dedicated linux server. Spamd is running as a daemon and allowing connections from 4 mail servers. Every few hours, spamd will just stop responding, without any errors in its logfiles. Whenever this happens I run a netstat -an on the server and I see lots of connections to spamd in the CLOSE_WAIT state. Once I restart spamd, things start working properly again. Firstly, does anyone know why this is happening? I had tried tweaking with the TCP parameters, but somehow my values get overwritten shortly after I change them. More importantly, I receive duplicate mails whenever spamd dies. My servers are running qmail+vpopmail with simscan. Has anyone ever encountered similar problems before? Regards Mun Fai
Re: Stopping Rules
Chris L. Franklin said: Thanks but we do run my servers as I posted above (minus the Non DNS compliant part). Blacked listed user and Domains my server to not accept messages from. Whitelisted users and domain DO NOT get passed through SA. WE DO NOT use negative scoring. We Stop 99.2% of all spam and get less than %0.82 mismarked emails. We Subject mark at 5 points, and We report a 550 error on all emails with a score of 8 or more during the smtp transaction. (Yes we Do SA scanning during the smtp transaction. Aka we stop spam at the door.)

If you are rejecting mail during the SMTP session then you have no way of verifying you are at %0.82 false positive rate. How do you know I'm not sending you a legit message that's being rejected at the SMTP level unless I bother to contact you via other means? (something few senders bother with) 0.82% seems very high to me also, nearly 1 in 100 messages is marked wrong? Maybe your users are more tolerant of false positives and just want all spam blocked but this is not the case for most organizations. Many organizations demand an extremely low to non-existent FP percentage while being more tolerant of the occasional false negative. To each his own I guess, but I agree with the first respondent that you're missing out by turning off negative scoring... Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
Re: Spamassassin vs spamd
shane mullins wrote: Is anyone here running spamd? We use Spamassassin 3.0.4 and several SARE rules. Now that our primary MX server handles about 20k emails a day, cpu usage stays over 90 % and load average is between 5 and 6. I was wondering how much faster spamd is? Much, much faster. It's really the only option when processing this much mail. Switch and watch your load drop dramatically. Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
Re: score based on MX's IP?
Mike Jackson wrote: Perhaps this is too much to ask of SpamAssassin, but... My server receives a piece of spam that's undeliverable. It looks up the MX for the sender's address, and finds that the IP is 127.0.0.1. It then complains that there's a configuration problem because it's not set up to handle mail for that domain. What I'd like to do is build a SpamAssassin rule that would assign points against messages sent from senders with those 127.0.0.1 MXes. Granted, it won't do any good in these undeliverable/bounce scenarios, but I'm sure there's spams getting through to legit addresses from them as well, and those are what I'd like to put a stop to. Is that possible (without writing a plugin to do it myself)? 1) Why is your MTA accepting mail that is undeliverable? 2) It would be better to block these MXs at the server level, many MTAs are capable of blocking based on the declared helo or dns lookup of the connecting server. Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
Re: Nigerian scam not catched by 3.10?
Menno van Bennekom wrote: I installed 3.10 on my testserver to compare some scores with my current 3.03 version. I only have the default checks. Some spam was not marked in 3.10 because checks like NIGERIAN_BODY* didn't get off. It seems that everything with 'NIGERIAN' in it is removed from /usr/share/spamassassin/*.cf in version 3.10. Any idea why? These checks were really important to me, I get a lot of Nigerian scams especially via hotmail. They're there, names just changed. Look for ADVANCE_FEE_ rules. These still hit Nigerian style scams for me regular as well as more generic scams. I did bump the scores for these rules up somewhat to help them along... Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
Re: SA 304/spamc milter question
Dr Robert Young wrote: We want to do some testing of our email system with, and without, SA intercepting the mails. Currently, we have SA 304 installed and running with sendmail, using the milter-spamc hook. I just want to verify that if one manually shuts down the spamd daemon, that the emails would be eventually passed along as unchecked email after any appropriate timeouts are encountered? I basically want to avoid having to recompile sendmail to remove the milter lines currently in the system.

I'm not sure where your question is. To test this out, disable spamd... Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
Re: Spamassassin scoring bad after years of service......
Lorin G. Tremblay wrote: Was wondering if anyone had any clue to why spamassassin would start to score spam badly and let almost any spam through. There was no change in the hardware or software, it just started to score spam really badly, but had worked for at least a full year without any glitch!

Unfortunately, we are not psychic and cannot determine what the problem might be with the amount of information you gave us. What version are you running? Are you using AWL, Whitelisting, Autolearning, SQL Based Prefs? What platform are you on? What type of spam doesn't get caught anymore and what does the SA report say? We need more details to help you. Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
Account # 555711L Spam
Are there any rules to stop this type of spam? It is continually growing and doesn't ever let up. Thanks, Jeff
Re: Early Questions
Mark Williams wrote: I have just installed spamassassin v3.0.4 in a test environment (which is a mirror of the live environment) and have a number of questions, which I can not see within the manuals/support documentation. Firstly, this is my configuration: Server: Linux (RH9.0), with spamassassin installed from spamassassin.org web site using make etc (not RPM's). This machine then runs both IMAP and POP3 for clients. MTA is sendmail

Surely you're not going live with a distribution as old and unsupported as RedHat 9! Do you want to become a spam zombie? I urge you strongly to look at moving up to RedHat Enterprise Linux 4, CentOS 4 or a recent Fedora release. Also, you really should stick with the RPMS, it makes management and future upgrades much smoother.

Client(s): Windows XP. All running Windows XP and MS Outlook 2000. All users connect to POP3 Server (on Linux machine) and use PST files to download their e-mail(s). General: Setup is such that spamassassin is site wide (not per user) - as per management request. All working fine at the moment - just about to switch on bayes Questions: (q1) Given that this is a site-wide installation, how do I get the requisite 200 e-mails (spam/ham) for spamassassin to work with? Where should I put these (an individual mailbox)?

Use bayes autolearning so that you don't have to bother too much. Also set up some aliases like [EMAIL PROTECTED] and [EMAIL PROTECTED] where users can forward wrongly classified mail for you to reclassify. Don't try to use someone else's bayes db and don't use just your personal email since it won't match the bayes characteristics of the entire company. Note that you can also modify the number of spam and ham messages the bayes db needs before it starts scoring with these two rules in local.cf:

bayes_min_ham_num 100
bayes_min_spam_num 50

Be careful about setting it too low though, the less bayes knows about your org's email characteristics the more likely false positives are. Jay
Re: HELP: Looking for mac mail server software
try communigate pro www.stalker.com

On Jul 16, 2005, at 9:21 PM, Jonathan Nichols wrote:

> OS X uses Postfix by default (at least it does on my Powerbook running Tiger). While it's not graphical per se, it's not difficult to set up. I'm sure someone out there has written a GUI for it. Check out VersionTracker.
>
> Postfix Enabler: http://www.cutedgesystems.com/software/PostfixEnabler/
>
> More good stuff here, even some SpamAssassin on OS X articles! :) http://www.afp548.com/
Re: Distinguishing between mail that is almost certainly or probably spam
Richard Duran wrote:

> Hello, I'm not sure if this belongs in the dev-list or not, but we have made some minor changes to SA in order for us to allow our users to create separate filters for mail that we consider to be almost certainly spam, versus mail that is probably spam.

Just filter based on X-Spam-Level headers. If 8 is certainly spam then have your server side filter or client filter look for 8 *s, then look for 5 *s for probably spam. Very simple, no code changes needed.

Jay

--
Jay Lee
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University
Re: Distinguishing between mail that is almost certainly or probably spam
Tim Litwiller wrote:

> this is the way I've been doing it in procmail - then I don't have to count *'s
>
> # ---
> # Spamassassin - certainly spam
> # ---
> :0 H:
> * ^X-Spam-Status: +(yes|no), +score=\/[^. ]*
> * ? (( ${MATCH} > 14 ))
> /dev/null
>
> # ---
> # Spamassassin - probably spam
> # ---
> :0 H:
> * ^X-Spam-Status: Yes.*
> \;Junk/new

I've never understood what procmail users have against human readable code :-) I just use maildrop:

if (/^X-Spam-Level: \*\*\*\*\*\*\*\*/:h)
{
    # do something with obvious spam
}
else
{
    if (/^X-Spam-Level: \*\*\*\*\*/:h)
    {
        # do something else with likely spam
    }
}

Very simple and easy to understand. My live server actually runs somewhat more complex where the user's obvious spam score is stored in a database and retrieved for comparison at local delivery time rather than being hard coded, but anyway, I get the ability to have multiple spam categories without source code modification to SpamAssassin.

Jay

> hmm after pasting that in I wonder if there is any chance that the catches large No scores also?

It's just easier for most filtering languages to look at the stars, that's why they're there. The yes/no only gives you a black/white world, the score number is easy for humans to read but hard for programming languages.

Jay

--
Jay Lee
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University
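The two-tier split discussed in this thread, as an added Python example that is not code from any of the posters: it counts the stars in X-Spam-Level (falling back to the score in X-Spam-Status) and shows that the tiers are independent of the Yes/No verdict. The thresholds 8 and 5 come from the thread; the function names, category labels and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

CERTAIN_STARS = 8    # "8 *s" = certainly spam, as suggested in the thread
PROBABLE_STARS = 5   # "5 *s" = probably spam

SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")


def spam_level(raw_message):
    """Whole-number spam level of a scanned message, or None if unscanned."""
    msg = message_from_string(raw_message)
    stars = msg.get("X-Spam-Level")
    if stars is not None:
        return stars.count("*")           # empty header means level 0
    match = SCORE_RE.search(msg.get("X-Spam-Status", ""))
    if match:
        # Negative scores produce no stars, so clamp at zero.
        return max(0, int(float(match.group(1))))
    return None


def classify(raw_message):
    """Map a message to one of four hypothetical delivery categories."""
    level = spam_level(raw_message)
    if level is None:
        return "unscanned"
    if level >= CERTAIN_STARS:
        return "certain-spam"
    if level >= PROBABLE_STARS:
        return "probable-spam"
    return "inbox"


def sample(status=None, stars=None):
    """Build a constructed test message with the given scanner headers."""
    lines = ["From: sender@example.com", "Subject: constructed sample"]
    if stars is not None:
        lines.append("X-Spam-Level: " + "*" * stars)
    if status is not None:
        lines.append("X-Spam-Status: " + status)
    return "\n".join(lines) + "\n\nbody text\n"


if __name__ == "__main__":
    cases = {
        "obvious": sample("Yes, score=14.2 required=5.0", 14),
        "likely": sample("Yes, score=6.3 required=5.0", 6),
        # Verdict is "No" because this site's threshold is 20, yet 9 stars.
        "high 'No' score": sample("No, score=9.1 required=20.0", 9),
        "status only, negative": sample("No, score=-2.6 required=5.0"),
        "never scanned": sample(),
    }
    for name, raw in cases.items():
        print(f"{name:24s} -> {classify(raw)}")
```

The third case is the situation Tim asks about: a filter keyed on the score or the stars sorts a message into a spam tier even when the verdict reads "No".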
Re: How to shut down
Steven Dickenson wrote:

> On Jul 12, 2005, at 1:19 PM, Chris Santerre wrote:
>
> Thinking of you, Tom Cruise
>
> You owe me for the can of soda I just sprayed on my desk. Good times...
>
> How to shut down the spamassassin? so it doesn't run ??
>
> What operating system are you running SA on? How is it being called within your mail path? We can't help you if you don't help us.

I think you meant Help me, help you!

Jay

--
Jay Lee
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University
RFKINDY false positives on faxes
We've had some false positives with the X_LIBRARY, MIME_BOUND_RKFINDY rules being tripped on e-faxes received through www.myvfm.com. Fairly obviously the service has been built using the Indy.Sockets library (www.indyproject.org). The Indyproject knowledge base admits that headers similar to those produced by their library have been found in worms and spams sent with some spamware.

Has anyone else experienced this problem? I could create a rule to decrease the score for emails generated by myvfm.com, but does the format of emails from this service change? How likely is it for spammers to spoof mails from this service in order to reduce their SA scores using such a rule?

Thanks, Martin

Martin Lee
Senior Software Engineer
Anti-spam team
MessageLabs
Tel: +44 (1452) 627 042
[EMAIL PROTECTED]
www.messagelabs.com
MessageLabs - Be certain

__ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __
RE: Amusement value
What an interesting spam! Which suggests a novel test, search for more than one 'From' or 'Subject' header in an email. But how can I do this in SA? I know how to search the contents of the From or Subject headers which SA makes available to me. But is it possible to write regexps to search the entire header section of an email? A sort of headers-as_string method?

Martin

From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Sun 15/05/2005 00:41
To: SpamAssassin Mailing List
Subject: Amusement value

Gee, I wonder what the subject could be? Following is an actual spam header I just got:

Return-Path: [EMAIL PROTECTED]
Status: U
Received: from smtp.earthlink.net [209.86.93.211] by localhost with POP3 (fetchmail-6.2.5)
Received: from m6.stockmacro.com ([66.250.17.88]) by tanager.mail.pas.earthlink.net (EarthLink SMTP Server) with ESMTP id 1dx62wuG3NZFmQ0
Received: from localhost (localhost.localdomain [127.0.0.1]) by m6.stockmacro.com (Postfix) with SMTP id 7AD823EE65161
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Cadenced: divulge braided pontific midas kickoff daughterly unprotected porcelain lovejoy resolve derive floored malayize antibacterial designers allow beaverton
Content-Type: multipart/alternative; boundary==_3f35d615795e6eb759ba2e4fb2d6f144
MIME-Version: 1.0
X-M-a8e4: 1090:bHdpbHRvbkBlYXJ0aGxpbmsubmV0:wwztwulguvmq
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Christian Dating [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Christian Dating [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Christian Dating [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Christian Dating [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Christian Dating [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Date: Sat, 14 May 2005 17:20:22 -0700 (PDT)
X-ELNK-AV: 0
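The test Martin proposes, counting repeated From and Subject headers, shown as an added Python example that works on the raw header block; it is not a SpamAssassin rule and not code from the thread. It generalizes to every field RFC 5322 limits to one occurrence, and the sample message is constructed, loosely modelled on the header quoted above.

```python
import re
from collections import Counter

# Header fields that RFC 5322 (section 3.6) allows at most once per message.
SINGLETON_FIELDS = {
    "date", "from", "sender", "reply-to", "to", "cc", "bcc",
    "message-id", "in-reply-to", "references", "subject",
}

# A field name is printable ASCII without a colon, followed by a colon.
FIELD_RE = re.compile(r"^([!-9;-~]+)[ \t]*:")


def header_counts(raw_message):
    """Count field names in the header block (everything before the first blank line)."""
    head = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    counts = Counter()
    for line in head.splitlines():
        if line[:1] in (" ", "\t"):
            continue                      # folded continuation of the previous field
        match = FIELD_RE.match(line)
        if match:                         # skips an mbox "From " separator line
            counts[match.group(1).lower()] += 1
    return counts


def repeated_singletons(raw_message):
    """Return {field: count} for single-occurrence fields that appear more than once."""
    counts = header_counts(raw_message)
    return {name: n for name, n in counts.items()
            if name in SINGLETON_FIELDS and n > 1}


# Constructed sample: three Subject and three From fields, two Received fields.
SAMPLE = (
    "Received: from mx.example.net ([192.0.2.10])\n"
    "\tby mail.example.org with ESMTP id CONSTRUCTED1\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mx.example.net (Postfix) with SMTP id CONSTRUCTED2\n"
    "To: reader@example.org\n"
    "Subject: Looking for Quality Singles?\n"
    "From: First Sender <a@example.com>\n"
    "Subject: Meet serious Singles, just like you\n"
    "From: Second Sender <b@example.com>\n"
    "subject: Single? Meet others\n"
    "From: First Sender <a@example.com>\n"
    "Message-Id: <constructed@example.com>\n"
    "Date: Sat, 14 May 2005 17:20:22 -0700 (PDT)\n"
    "\n"
    "Subject: this line is body text, not a header\n"
)

if __name__ == "__main__":
    print(repeated_singletons(SAMPLE))
```

Inside SpamAssassin, a `header` rule can be written against the `ALL` pseudo-header, which matches against the text of all the message's headers.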
Re: Reporting scams to fraudwatchinternational
Kris Deugau said:

> If you use a competent email client you will be offered the option of keeping a local copy, which saves the redundant recipient.
>
> Some people deliberately turn this off. I'm not sure why. (I can *sort* of understand it for mailing list mail, but not for direct mail.)
>
> Further, you should never assume that other recipients do not see BCCs. That is entirely up to the settings of the recipient's email client.
>
> If your MUA is actually adding a real header with BCC: information, it's broken. BCC isn't supposed to be a header in the usual sense; it's a way to tell your mail client to add extra SMTP RCPT TO: commands when sending the message. The recipients should NEVER see those extra recipients.
>
> The only way someone might find out about BCC'ed recipients is if they are the server admin (or have access to the mail logs) and are willing to spend the effort to wade through the logs tracking the message ID to see who got a copy. And that only applies in the case where the sender's SMTP server is also the destination; and partially applies if there are multiple recipients at a remote domain. If a remote domain only has one recipient in the list, they will NOT see any information regarding other recipients.

I've also seen broken mail servers that add headers based on the rcpt to: so you should assume that recipients bcc or not on the same remote server may be able to discover each other. But if you're confident your mail server/client isn't doing something stupid then there should be no way for [EMAIL PROTECTED] to discover the message was BCCed to [EMAIL PROTECTED]

Jay

--
Jay Lee
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University
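The header-versus-envelope distinction described in this message, as an added Python example (not code from the thread): Bcc addresses become RCPT TO recipients and are removed from the transmitted headers, each destination domain sees only its own recipients, and a check flags hidden addresses that a relay has written back into the headers. Treating one domain as one SMTP session is a simplifying assumption; all names and addresses are constructed.

```python
import copy
from collections import defaultdict
from email.message import EmailMessage
from email.utils import getaddresses


def envelope_recipients(msg):
    """Every address that receives a copy: To, Cc and Bcc together."""
    fields = (msg.get_all("To", []) + msg.get_all("Cc", [])
              + msg.get_all("Bcc", []))
    return [addr for _name, addr in getaddresses([str(f) for f in fields])]


def smtp_sessions(msg):
    """Return {domain: {"rcpt_to": [...], "data": str}}, one entry per destination."""
    wire = copy.deepcopy(msg)
    del wire["Bcc"]                       # Bcc is never sent as a header
    data = wire.as_string()
    by_domain = defaultdict(list)
    for addr in envelope_recipients(msg):
        if "@" in addr:
            by_domain[addr.rsplit("@", 1)[1].lower()].append(addr)
    return {dom: {"rcpt_to": rcpts, "data": data}
            for dom, rcpts in by_domain.items()}


def exposed_bcc(delivered_headers, bcc_addrs):
    """Hidden addresses that appear anywhere in a delivered header block."""
    text = delivered_headers.lower()
    return [addr for addr in bcc_addrs if addr.lower() in text]


def build_sample():
    """Constructed message with two visible and two hidden recipients."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "alice@example.org"
    msg["Cc"] = "bob@example.org"
    msg["Bcc"] = "carol@example.net, dave@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("hi")
    return msg


if __name__ == "__main__":
    for domain, session in sorted(smtp_sessions(build_sample()).items()):
        print(domain, "RCPT TO:", session["rcpt_to"])
    # Constructed header from a relay that records the envelope recipient.
    leaky = ("Received: from out.example.com by mx.example.org "
             "for <dave@example.org>; Mon, 1 Jan 2024 00:00:00 +0000\n")
    print("exposed:", exposed_bcc(leaky, ["carol@example.net", "dave@example.org"]))
```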
Fwd: HELLO
Has anyone been getting these emails? I have received thirteen today on non existent accounts. Begin forwarded message: From: [EMAIL PROTECTED] Date: April 6, 2005 1:03:10 PM CDT To: [EMAIL PROTECTED] Subject: HELLO ALERT! This e-mail, in its original form, contained one or more attached files that were infected with a virus, worm, or other type of security threat. This e-mail was sent from a Road Runner IP address. As part of our continuing initiative to stop the spread of malicious viruses, Road Runner scans all outbound e-mail attachments. If a virus, worm, or other security threat is found, Road Runner cleans or deletes the infected attachments as necessary, but continues to send the original message content to the recipient. Further information on this initiative can be found at http://help.rr.com/faqs/e_mgsp.html. Please be advised that Road Runner does not contact the original sender of the e-mail as part of the scanning process. Road Runner recommends that if the sender is known to you, you contact them directly and advise them of their issue. If you do not know the sender, we advise you to forward this message in its entirety (including full headers) to the Road Runner Abuse Department, at [EMAIL PROTECTED] The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. attachment: body.zip
RE: Spammers Target Secondary MX hosts?
Not only sendmail, you can plug Milter filters into Perl programs using Net::Milter from CPAN. I've not tried plumbing it in yet, but it should certainly be possible.

Martin

-----Original Message-----
From: Alexander Bochmann [mailto:[EMAIL PROTECTED]
Sent: 18 March 2005 18:51
To: users@spamassassin.apache.org
Subject: Re: Spammers Target Secondary MX hosts?

...on Fri, Mar 18, 2005 at 10:24:25AM -0800, Kelson wrote:

> The backscatter becomes a real problem in the legitimate relay situation, because it's basically unavoidable. If the spam is sent directly to you, you can accept it, discard it, or reject it, and it stops. But if you're relaying to someone, and *they* reject it, now you have to decide whether to generate a DSN or not. We've actually set up

When I was in that situation, my solution turned out to be milter-ahead, http://www.milter.info/milter-ahead/index.shtml but that won't help you if you're not running sendmail :)

Alex.
Re: sa-learn
I understand that. How then does SA treat messages mainly made up of images?

On Jan 26, 2005, at 10:59 AM, Matt Kettler wrote:

> At 11:47 AM 1/26/2005, Jeffrey Lee wrote:
>
> > I have been using sa-learn religiously with ALL spam and ham on my server. However, I keep getting repeat spam with low scores. How can I increase the sa-learn points? So that when I learn a message instead of increasing some point by .1 or .2 it will increase by .5 or .6?
>
> Well, sa-learning a message doesn't really work by increasing the points of a message, although that's more-or-less the net effect. In short, you'll want to make sure your inbound messages are hitting BAYES_90 or higher, and increase the scores of those rules in your local.cf.
>
> Also, while you're at it, check for spam messages matching ALL_TRUSTED. If that's happening, check the archives on setting trusted_networks manually. That rule should *never* match spam but will if SA gets confused by your MTA config.
>
> If the spam messages are consistently hitting BAYES_99, sa-learning won't increase the score of that message further, but it does help SA recognize subtle changes over time in spam. So keep up the training as it will keep slight deviations from driving the bayes scores down and causing FN problems that way.
>
> When you sa-learn a message, SA learns that the words in that message are more likely to be in spam or ham than it previously knew. When new messages come in, SA looks at its database of words and calculates a spam probability based on the words in that message. It then matches that probability to one of the BAYES_* rules and that causes the score impact.
sa-learn
I have been using sa-learn religiously with ALL spam and ham on my server. However, I keep getting repeat spam with low scores. How can I increase the sa-learn points? So that when I learn a message instead of increasing some point by .1 or .2 it will increase by .5 or .6? Thanks, Jeffrey Lee
Re: sa-learn
Here is an example header:

X-Spam-Status: No, score=3.0 required=5.0 tests=AWL,CELL_PHONE_FREE,
    HTML_90_100,HTML_MESSAGE,HTML_TAG_EXIST_TBODY,HTML_TEXT_AFTER_BODY,
    HTML_TEXT_AFTER_HTML,HTML_WEB_BUGS,MIME_HTML_ONLY autolearn=no version=3.0.2

On Jan 26, 2005, at 10:59 AM, Matt Kettler wrote:

> At 11:47 AM 1/26/2005, Jeffrey Lee wrote:
>
> > I have been using sa-learn religiously with ALL spam and ham on my server. However, I keep getting repeat spam with low scores. How can I increase the sa-learn points? So that when I learn a message instead of increasing some point by .1 or .2 it will increase by .5 or .6?
>
> Well, sa-learning a message doesn't really work by increasing the points of a message, although that's more-or-less the net effect. In short, you'll want to make sure your inbound messages are hitting BAYES_90 or higher, and increase the scores of those rules in your local.cf.
>
> Also, while you're at it, check for spam messages matching ALL_TRUSTED. If that's happening, check the archives on setting trusted_networks manually. That rule should *never* match spam but will if SA gets confused by your MTA config.
>
> If the spam messages are consistently hitting BAYES_99, sa-learning won't increase the score of that message further, but it does help SA recognize subtle changes over time in spam. So keep up the training as it will keep slight deviations from driving the bayes scores down and causing FN problems that way.
>
> When you sa-learn a message, SA learns that the words in that message are more likely to be in spam or ham than it previously knew. When new messages come in, SA looks at its database of words and calculates a spam probability based on the words in that message. It then matches that probability to one of the BAYES_* rules and that causes the score impact.
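Why learning does not add points directly, and why a message already at BAYES_99 gains nothing from further training, as quoted in this message and the one before it; this is an added Python example with a deliberately simplified token model, not SpamAssassin's own Bayes code or combining method. The bucket thresholds, the rule scores and every sample text are assumptions made for illustration; only the BAYES_90 and BAYES_99 rule names come from the thread.

```python
import re
from collections import Counter

# Assumed probability floors for each rule (illustrative, not SA's own table).
BUCKETS = [(0.99, "BAYES_99"), (0.90, "BAYES_90"),
           (0.50, "BAYES_50"), (0.0, "BAYES_00")]


def tokenize(text):
    return set(re.findall(r"[a-z0-9']+", text.lower()))


class TokenDB:
    """Per-token message counts for spam (True) and ham (False)."""

    def __init__(self):
        self.count = {True: Counter(), False: Counter()}
        self.msgs = {True: 0, False: 0}

    def learn(self, text, is_spam):
        self.count[is_spam].update(tokenize(text))
        self.msgs[is_spam] += 1

    def token_prob(self, tok):
        s, h = self.count[True][tok], self.count[False][tok]
        if s + h == 0:
            return 0.5                    # unseen token is neutral
        fs = s / self.msgs[True] if self.msgs[True] else 0.0
        fh = h / self.msgs[False] if self.msgs[False] else 0.0
        raw = fs / (fs + fh)
        n = s + h
        return (0.5 + n * raw) / (1 + n)  # pull rarely seen tokens toward 0.5

    def probability(self, text):
        spam = ham = 1.0
        for tok in tokenize(text):
            p = self.token_prob(tok)
            spam *= p
            ham *= 1.0 - p
        return spam / (spam + ham)


def bayes_rule(p):
    for floor, name in BUCKETS:
        if p >= floor:
            return name


def rule_trace():
    """Rule hit by one target message before and after each spam training step."""
    db = TokenDB()
    for i in range(10):                   # constructed ham corpus
        db.learn("meeting agenda project report %d" % i, False)
    target = "free cell phone offer today"
    seen = [bayes_rule(db.probability(target))]
    for extra in ("now", "here", "inside"):
        db.learn("free cell phone offer " + extra, True)
        seen.append(bayes_rule(db.probability(target)))
    return seen


def score_trace(scores):
    """Points the Bayes rule contributes at each step, given per-rule scores."""
    return [scores.get(rule, 0.0) for rule in rule_trace()]


if __name__ == "__main__":
    print(rule_trace())
    print(score_trace({"BAYES_90": 2.0, "BAYES_99": 3.5}))
    print(score_trace({"BAYES_90": 2.0, "BAYES_99": 4.5}))  # after raising the score
```

Training moves the message from one rule to the next; the points change only when the rule changes or when that rule's score is raised in the configuration.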
RE: spamassassin and web based mail !
> Spammers don't go to Cybercafés to send spam.

Oh yes they do! We see lots of phishing and 419 / lottery scams coming from Cybercafes. The average spammer likes to work from home, the average scammer likes the anonymity of Cybercafes.

Cigan - you have a very difficult problem. If you scan content sent to Yahoo / Hotmail, the spammers will change to another webmail service or abuse badly configured cgi scripts. In any case a mail filtering program like SpamAssassin is configured to work on *email* rather than http streams.

Hats off to you for attempting to address the problem. I would hazard a guess that asking for ID and visibly writing down the name against a machine / IP address would probably be a technologically simple approach, which would be a very strong deterrent and would result in the criminal fraternity going elsewhere.

Martin

-----Original Message-----
From: Peter P. Benac [mailto:[EMAIL PROTECTED]
Sent: 15 November 2004 01:20
To: 'Cigan Segun'; users@spamassassin.apache.org
Subject: RE: spamassassin and web based mail !

There is always a way; however, do you have the resources to program such an effort? You might be able to modify an Open Source Proxy Server, but even then it will be an effort.

You are still missing the major point here. Spammers don't go to Cybercafés to send spam. Why should they go to a cybercafé when they can use their own connections and sit in the comfort of their own home and use Yahoo, MSN or Hotmail. Remember these idiots think they have a legal right to spam the world, so they aren't going to hide in your Cybercafé.

I'd be more concerned about Script kiddies, and wannabe hackers using your cybercafé to upload their dirty work, and a good virus scanner can fix that.

Regards, Pete

Peter P. Benac, CCNA
Celtic Spirit Network Solutions
Providing Network and Systems Project Management and Installation and Web Hosting.
Phone: 919-618-2557
Web: http://www.emacolet.com
Need quick reliable Systems or Network Management advice visit http://www.nmsusers.org
To have principles... First have courage.. With principles comes integrity!!!

-----Original Message-----
From: Cigan Segun [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 14, 2004 2:35 PM
To: users@spamassassin.apache.org
Subject: Re:spamassassin and web based mail !

Is there any way a LINUX box can be configured to solve the problem of checking the mail contents of every http that passes through the linux box?

Regards. Cigan.
[OT] Email Servers
The email server I am using now has some unwelcomed price changes happening soon and I would like to switch to another server. I would like something that works well with SA and possibly ClamAV. The server would require pop, imap, and webmail. If someone could suggest other solutions please do. Thanks, Jeffrey Lee