Re: Additional SPAM recognition method
At 02:20 24-5-2005, you wrote:

> A similar idea, without the "back-channel" flaw is to test the domain for either 'CNAME' or 'A' record `wildcards' (as in the command "dig '*.spammer_domain.tld' a" and "dig '*.spammer_domain.tld' cname"). This is an excellent spam sign (the host portion of the name is often mapped back into a database to determine the actual recipient). Legitimate domains will use wildcards for 'NS', 'MX' and even occasionally for some more obscure records, but an 'A' or 'CNAME' record is nearly always a spammer.

I don't agree. I know of a few popular hosting solutions that create wildcard A entries. H-Sphere (www.hsphere.com) for example is a very popular one used by many large webhosts. There is currently NO way for an end user to remove the wildcard A entry pointing back to their webserver IP. Basically this means that many smaller companies (not yet using dedicated webservers) would be a victim of this scanning method.

Marcel Veldhuizen
The Netherlands
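The wildcard test discussed in this message, as an added example that is not part of the original thread: it probes random labels under a domain, with a control query against the reserved `.invalid` TLD to catch resolvers that rewrite NXDOMAIN. The zone data and the `fake_resolver` helper are constructed so the check runs offline; as the reply points out, a hit also occurs for shared-hosting customers, so the result is a signal to weigh rather than a verdict.

```python
import secrets
import socket


def system_resolver(name):
    """IPv4 addresses for name via the OS resolver (follows CNAMEs); empty set if none."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


def fake_resolver(zone):
    """Offline stand-in (hypothetical helper): '*.domain' keys act as wildcards."""
    def resolve(name):
        if name in zone:
            return set(zone[name])
        parent = name.split(".", 1)[-1]
        return set(zone.get("*." + parent, ()))
    return resolve


def wildcard_report(domain, resolve=system_resolver, probes=3):
    """Probe random labels under domain; a wildcard answers all of them."""
    # Control: .invalid is reserved and must never resolve. If it does, the
    # resolver rewrites NXDOMAIN answers and no conclusion can be drawn.
    if resolve(secrets.token_hex(12) + ".invalid"):
        return {"reliable": False, "wildcard": False, "addresses": set()}
    common = None
    for _ in range(probes):
        addrs = resolve(f"{secrets.token_hex(12)}.{domain}")
        if not addrs:          # a single miss rules out a wildcard record
            common = set()
            break
        common = addrs if common is None else common & addrs
    return {"reliable": True, "wildcard": bool(common), "addresses": common}


# Constructed zones using documentation address ranges, not real domains.
ZONE = {
    "*.spammer-domain.example": {"192.0.2.10"},
    "www.hosted-shop.example": {"198.51.100.7"},
    "*.hosted-shop.example": {"198.51.100.7"},   # hosting-panel style wildcard
    "www.plain.example": {"203.0.113.5"},
}

if __name__ == "__main__":
    for d in ("spammer-domain.example", "hosted-shop.example", "plain.example"):
        print(d, wildcard_report(d, fake_resolver(ZONE)))
```

Calling `wildcard_report(domain)` without a resolver argument uses the operating system's resolver and therefore needs network access.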
Re: Problemes => not the same score into spamassassin 3.0.3
At 10:32 19-5-2005, Phibee Network operation Center wrote:

The GTUBE rule is defined in the (standard) 20_body_tests.cf rule file. So I'd say for some reason it must not be processing the rules in that file. Try "spamassassin -D --lint" and see if 20_body_tests.cf is being loaded?

Then there is the DNS_FROM_AHBL_RHSBL difference, but I don't see how that could make such a big diffe

> I have a small problem and don't see where my error is ..
>
> On my first spamassassin, an email comes out as:
>
> May 19 10:15:49 gw spamd[16048]: result: Y 998 - ALL_TRUSTED,AWL,FM_MULTI_ODD2,GTUBE scantime=0.2,size=799,mid=<[EMAIL PROTECTED]>,autolearn=failed
>
> and on the second server, a new one but with the same local.cf:
>
> May 19 10:25:20 gw spamd[12950]: result: . -2 - ALL_TRUSTED,AWL,DNS_FROM_AHBL_RHSBL scantime=0.2,size=799,mid=<[EMAIL PROTECTED]>,autolearn=failed
Re: Simple question TRUE or FALSE
At 06:00 19-5-2005, Justin Mason wrote:

> > Memory usage can be quite huge if you have many custom rulesets, because SA
> > 3.0.x forks into several processes which all insist on making their own
> > copy of the ruleset in memory :( When I still used the RDJ bigevil list
> > (amongst others), it would use 96 MB of memory for each SA process.
>
> actually, most of this *is* shared, it's just that linux can no longer report this accurately.

What makes you think that? Total used memory on my system is consistent with SpamAssassin processing not sharing any significant amount of memory. Also it reports the memory sharing just fine on applications such as Apache?
Re: Simple question TRUE or FALSE
At 03:25 19-5-2005, David Velásquez Restrepo wrote:

> Q) With spamassassin you need about 20 to 30 seconds per email message and LOTS of RAM and CPU:
> a) TRUE
> b) FALSE

False. It depends on your settings and custom rulesets, but scanning a single message takes about 4-5 seconds on Athlon 800 home box. Of course, suppose it would be scanning 10 messages in parallel, it would take 'longer' per message.

Memory usage can be quite huge if you have many custom rulesets, because SA 3.0.x forks into several processes which all insist on making their own copy of the ruleset in memory :( When I still used the RDJ bigevil list (amongst others), it would use 96 MB of memory for each SA process. Now that I've trashed bigevil and am using URIDNSBL instead, each process uses about 32 MB of memory for me.
Re: (OT, slightly) dealing with AOL spam reports?
At 01:43 19-5-2005, Ryan Sorensen wrote:

> My biggest concern though is messages that come in from spammers, get filtered by spam assassin (they have ***SPAM*** tags in the subject) and then go on to the AOL forwards. These are defanged messages that still get reported as spam. I have to believe that AOL isn't stupid enough to blacklist me for relaying the message... I hope?

Unfortunately, THEY ARE that stupid.. It makes sense in a way, as there is no way to tell the difference between a mailserver forging trace headers and an actual forward, but it causes a world of problems.

Several larger shared webhosting companies have disabled forwarding to AOL accounts for this very reason. Some idiot customers of theirs reported mail as spam and got their own webhost's mailserver blacklisted \o/

Marcel Veldhuizen
The Netherlands
Problem with ALL_TRUSTED
Hi,

I've been having problems with a specific spammer lately. He's sending me about 300 mails a day and they're all passing right through my filtering. Part of the problem is this:

* -2.8 ALL_TRUSTED Did not pass through any untrusted hosts

SpamAssassin thinks the mail comes directly from my host's mailserver, but it's overlooking a Received header. I think it's because of the X-Virus-Scan header in between. However I have no control over that particular header. Is the order of headers an RFC violation in some way, or is this a SA problem?

A full example email is attached.

Return-path: <[EMAIL PROTECTED]>
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Sun, 15 May 2005 23:10:18 +0200
Received: from localhost ([127.0.0.1] ident=root)
    by hellfire.egelantier.subbot.net with esmtp (Exim 4.50)
    id 1DXQNO-0005rW-55 for [EMAIL PROTECTED]; Sun, 15 May 2005 23:10:18 +0200
Delivered-To: [EMAIL PROTECTED]
Received: from 63.209.158.6 [63.209.158.6] by localhost with POP3 (fetchmail-6.2.5)
    for [EMAIL PROTECTED] (single-drop); Sun, 15 May 2005 23:10:18 +0200 (CEST)
Received: (qmail 5490 invoked by uid 399); 15 May 2005 21:06:00 -
X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses); Sun, 15 May 2005 17:06:00 -0400
Received: from unknown (HELO pkaffe.de) (71.34.15.142)
    by mail.myhsphere.biz with SMTP; 15 May 2005 21:06:01 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Sun, 15 May 2005 21:04:24 GMT
Subject: Vorbildliche Aktion
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
MIME-Version: 1.0
Message-ID: <[EMAIL PROTECTED]>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on hellfire.egelantier.subbot.net
X-Spam-Level: *
X-Spam-Status: No, score=1.3 required=5.0 tests=ALL_TRUSTED,AWL,
    MISSING_MIMEOLE,NO_DNS_FOR_FROM,NO_REAL_NAME,PRIORITY_NO_NAME,
    RAZOR2_CF_RANGE_51_100 autolearn=disabled version=3.0.2
X-Spam-Report:
    * 0.2 NO_REAL_NAME From: does not include a real name
    * -2.8 ALL_TRUSTED Did not pass through any untrusted hosts
    * 1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
    * [cf: 100]
    * 1.1 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
    * 0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
    * 1.2 PRIORITY_NO_NAME Message has priority, but no X-Mailer/User-Agent
    * 0.1 AWL AWL: From: address is in the auto white-list
Status:

Lese selbst: http://www.npd.de/npd_info/deutschland/2004/d1204-24.html
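An independent way to check a message like the one attached above, as an added example that is neither SpamAssassin's code nor part of the original post: walk the Received headers newest first and report the first relay outside a set of trusted networks. The header text is constructed from the attachment (abbreviated), and the trusted set, loopback plus the provider's POP3 host, is an assumption.

```python
import email
import ipaddress
import re

# Constructed from the headers quoted in the post (abbreviated; addresses were
# already redacted by the list archive).
RAW = """\
Received: from localhost ([127.0.0.1] ident=root)
 by hellfire.egelantier.subbot.net with esmtp (Exim 4.50)
 id 1DXQNO-0005rW-55; Sun, 15 May 2005 23:10:18 +0200
Received: from 63.209.158.6 [63.209.158.6] by localhost with POP3
 (fetchmail-6.2.5); Sun, 15 May 2005 23:10:18 +0200 (CEST)
Received: (qmail 5490 invoked by uid 399); 15 May 2005 21:06:00 -
X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses)
Received: from unknown (HELO pkaffe.de) (71.34.15.142)
 by mail.myhsphere.biz with SMTP; 15 May 2005 21:06:01 -
Subject: Vorbildliche Aktion

body
"""

# Assumption: loopback plus the provider's POP3 host are the trusted relays.
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "63.209.158.6/32")]

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def relay_hops(raw):
    """Relay IP (or None) for each Received header, newest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())       # undo header folding
        ip = None
        if value.startswith("from "):
            # Only the "from ..." clause names the sending relay.
            match = IPV4.search(value.split(" by ", 1)[0])
            ip = match.group(0) if match else None
        hops.append(ip)                       # None: local hand-off (qmail line)
    return hops


def first_untrusted(raw, trusted=TRUSTED):
    """First relay, walking from the newest header, outside the trusted set."""
    for ip in relay_hops(raw):
        if ip and not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip
    return None


if __name__ == "__main__":
    print(relay_hops(RAW), first_untrusted(RAW))
```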