RE: emailreg.org - tainted white list
> -Original Message-
> From: LuKreme [mailto:krem...@kreme.com]
> Sent: Thursday, 17 December 2009 4:59 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: emailreg.org - tainted white list
>
> On 16-Dec-2009, at 16:11, Michael Hutchinson wrote:
> > So far only 1 person on this list has claimed to have been hit by
> > Spam that has been let through by the Habeas rules in SA.
>
> I'm the only one? Really? That doesn't jibe with my memory, but I'm not
> scanning the entire list to prove you wrong.
>
> Really?
>
> Yeah, sorry, not buying it.

OK I am probably wrong, but the list certainly hasn't been inundated with people saying that they have that exact issue. Come on, how many people have been hit with Spam, to find that the only reason it has gotten through their Gateway is because of a Habeas rule? I only remember Richard complaining about this. Everyone else started carrying on about the Habeas rules being present at all, when it is more than within their power to disable those rules.

Buy what you want, but I'm not selling anything.

Cheers,
Mike
RE: emailreg.org - tainted white list
> > The trouble with this is how often are these rules being re-examined
> > and re-evaluated?
>
> Not that often. HABEAS has been through three iterations since those
> rules were set at -4 and -8.
>
> What is enabled by default should be the safest possible settings.
> Relying on a third party that is in the spam business to make money
> doesn't seem very prudent to me, especially when it might be 5 years
> before the scores in the default config are evaluated again. And that
> doesn't even take into account the glacial speed at which most people
> upgrade their systems. We still see questions here for SA 3.1 and
> earlier.
>
> (Whatever you think of HABEAS they ARE in the SPAM business and they
> are in it to make money).

So far only 1 person on this list has claimed to have been hit by Spam that has been let through by the Habeas rules in SA. No-one else has posted figures (Well, I did a while ago - showing that since June this year, not one piece of Spam that slipped through was assisted by a Habeas rule) but that has dropped by the wayside.

My question is, what would you do without Spamassassin? Surely it's time to quit moaning about a whitelist that very few people have an actual real issue with (ISSUE, as in an existing problem with Spam sailing in thanks to Habeas rules, not the other ISSUE which seems to be "There's a whitelist I don't approve of here" - well DISABLE it).

I agree that the safest settings should be default, but in saying that, it is also on the shoulders of the system's Administrator to ensure that the software he/she installs is configured correctly for their site, and IMHO this would include any default whitelists/blacklists/RBL's etc.

Cheers,
Mike
RE: [sa] RE: emailreg.org - tainted white list
Hello,

> The taunting *is* the issue. The rest of the arguments, about design
> and defaults, are carried on by numerous individuals in a quite civilized
> manner. But when someone starts throwing around stupid accusations, then
> the person attacked focuses their efforts on 'defending' themselves,
> rather than on a fair unbiased review of what *should* be the 'issue'.

Fair call.

> To make a point requires nothing more than well-established facts. But
> name-calling and mindless accusations are an ego-driven thing. Once
> someone invests their arguments with ego, you cannot count on anything
> they say being accurate to any degree. They will literally say anything
> to advance their 'cause' and 'win' whatever argument they have joined.

I'd have to agree on this point. My missus does this all of the time. She will know she is wrong, and still tell me until blue in the teeth that she's right about said topic.. So I guess what you're saying here is that it's no longer possible to do what we did in the "old days" and just 'ignore the troll'..

> > Someone has to stir the pot occasionally, and it doesn't hurt to
> > have someone around that makes you think outside the square.
>
> Interestingly enough, *I* have stirred this same pot a couple of times,
> with very little effect. So while it is a reasonable argument that
> being offensive and abusive fails to achieve results, I have to admit that
> being quiet and deferring in tone also has little effect. So I wonder, what
> *does* it take for the 'amateurs' (that would be folks like me! *grin*)
> to bring a possible issue to the attention of the people in the 'know',
> and have it discussed?

If you ask me, it's the whole "newbie" thing. People with lesser knowledge/skills are probably too afraid to raise issues, thinking that their issue is probably caused by their own ignorance, or lack of experience. I know I've felt like this before, and have certainly been made to feel rather stupid after asking certain questions - this is not specific to this mailing list, but mailing lists in general.

> I ask again, on the issue of whitelists, is there a serious issue with
> spammers targeting white-listed IP's as favored candidates for
> hacking? I'm okay with the answer being 'no'. I'm sure people with large servers
> and good statistics could answer this question. But I get no answer at
> all. I don't think it is because of any conspiracy. But perhaps the
> people who know are just too busy?

To answer the first question: No. We do not have any problems with Spam or hacking regarding our Mail gateway, using Spamassassin. Any Spam that has slipped through in the last several months certainly has not had any SA Default Whitelist scores assigned to it whatsoever. If anything, spam that gets through our system is stuff that hits almost no rules at all (positive or negative). Statistics are at the end of this E-Mail.

I think one of the issues with getting information from people that aren't having any problems is the fact that they probably can't be bothered posting if they don't have any issues to resolve. What do you think?

Statistics Since Thursday 04th Jun, 2009

RBL Reject: 8480229
HELO Reject: 5827978
Clean Messages: 2014848
Invalid Recipients: 277983
Spam Messages: 228941
Relay Denied: 26112
Virus Messages: 2588
Total Messages Processed: 16858679

I get all of the Spam messages that slip through the system submitted to a public folder on our network, and analyse the headers for what rules did/did not fire. As previous, I've not seen any Spam that has default SA whitelist scores associated.
RE: emailreg.org - tainted white list
> But I will miss (a) the entertainment value of some of his posts (his
> "dark forces" one from earlier today was a classic) --AND-- last but
> not least--I will miss his willingness to break through the political
> correctness and bring up various points that few others were willing
> (or brave enough?) to point out.

If everyone could ignore the taunting, and just carry on, there wouldn't be an issue.

I agree that the entertainment value is good, but your last point is best of all. I re-quote:

"I will miss his willingness to break through the political correctness and bring up various points that few others were willing (or brave enough?) to point out."

Me too. Someone has to stir the pot occasionally, and it doesn't hurt to have someone around that makes you think outside the square.

My 2cents.

Cheers,
Mike
RE: HABEAS_ACCREDITED SPAMMER
> I do note that the company concerned continues spamming on a daily
> basis and remains white listed:
>
> 80.75.69.201
> sa-accredit.habeas.com
> list.dnswl.org
>
> So please, spare me the sob story about what a wonderful idea HABEAS
> is. Talk is cheap, action speaks louder than words.

+1 to that.

I can't understand why anyone on this list would still be whitelisting Habeas to the tune of 4, or even 8 points after the discussions in here. There should be no option at all for spammers, and currently Habeas is an option for them.

Surely if we (mail admins) wanted something that Habeas is pushing, we can enable our own whitelist rules, or whatever to get the mail through. We certainly don't need to start whitelisting an outfit, out-of-the-box, that obviously many people don't trust.

Cheers,
Mike
RE: Geocities closed
> -Original Message-
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
> Sent: Wednesday, 28 October 2009 3:00 a.m.
> Cc: users@spamassassin.apache.org
> Subject: Re: Geocities closed
>
> I just found this one working:
>
> http://uk.geocities.com/midsomerland/midsomerland_indexone.htm
>
> so providence would suggest leaving things alone.

Funnily enough, including that link and having no To: field in your message was enough to have the mail treated as Spam by our gateway ;-P

I had to release it but lost the headers in the process. However, it seems to have nearly missed being caught by some other server first:

X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on stinger
X-Virus-Checked: Checked by ClamAV on apache.org
X-Old-Spam-Status: No, score=4.7 required=5.0 tests=ALL_TRUSTED,FU_UKGEOCITIES,
        MISSING_HEADERS,MISSING_SUBJECT autolearn=disabled version=3.2.5

Which is basically what our Spam gateway thought of the message, minus the trusted part.

Cheers,
Mike
RE: Geocities closed
> -Original Message-
> From: Mike Cardwell [mailto:spamassassin-us...@lists.grepular.com]
> Sent: Tuesday, 27 October 2009 11:54 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: Geocities closed
>
> Alex wrote:
>
> > Thought I would pass along that geocities closed up and went home
> > today:
> >
> > http://geocities.yahoo.com/
> >
> > Wondering what this means in terms of the geocities SA rules? Would
> > sure be nice to just block them outright at the gateway, but in
> > From/To header and body, no?
>
> Why have any geocities specific rules any more if geocities doesn't
> exist? It's not as if spammers can host their websites on geocities
> anymore so there's no reason why a spammer would include a geocities
> url in their spam. May as well just delete the rules...

Or, on the other hand, Spammers may see it as an opportunity - assuming that people will be doing just that - removing rules against Geocities. Hmm. I wouldn't be doing that any time soon - after all there is nothing stopping Spammers from faking geocities originating addresses or other header info.

Cheers,
Michael.
RE: Drivel
> -Original Message-
> From: Charles Gregory [mailto:cgreg...@hwcn.org]
> Sent: Tuesday, 15 September 2009 9:34 a.m.
> To: users@spamassassin.apache.org
> Subject: Drivel
>
> On Mon, 14 Sep 2009, Clunk Werclick wrote:
> (more drivel)
>
> Good users all. Never heard of a troll?
> Nonsensical. Irritating. Taunting.
>
> Best defense against this kind of childish antic is to IGNORE it.
>
> Yes, a firewall setting doesn't hurt.

Yes, and as previously asked, where are the list moderators? On a very long smoke break?

Sure we can Ignore it. That doesn't mean that a list moderator shouldn't get involved and solve the problem. Should be pretty easy to do, right? There have been too many cases recently.

Cheers,
Mike
RE: Non scoring 'Bank Deposit' spam
> -Original Message-
> From: --[ UxBoD ]-- [mailto:ux...@splatnix.net]
> Sent: Monday, 14 September 2009 11:27 p.m.
> To: Matus UHLAR - fantomas
> Cc: users@spamassassin.apache.org
> Subject: Re: Non scoring 'Bank Deposit' spam
>
> ----- "Matus UHLAR - fantomas" wrote:
>
> | > > > > On 12-Sep-2009, at 10:27, Clunk Werclick wrote:
> | > > > > > I disagree. It can do as much harm as good. My own view and
> | > > > > > observation from the past have rendered it pointless in my
> | > > > > > context. It adds latency, is easily poisoned and rarely makes much
> | > > > > > difference to the score. I do appreciate some people like it, but my own
> | > > > > > view is spam has moved on beyond the point of it being useful.
> | > >
> | > > > On Sun, 2009-09-13 at 16:37 -0600, LuKreme wrote:
> | > > > > Facts? we don't need no pesky facts. You are very
> | > > > > misinformed.
> | > >
> | > > On 14.09.09 08:48, Clunk Werclick wrote:
> | > > > Myself, I've seen some very poor Bayesian databases where users
> | > > > have been allowed to categorize mail as spam-v-ham. One company who
> | > > > deal with Pharmaceuticals for famine relief in Uganda and other poor
> | > > > African countries found bayes to mess with their core mail to a point
> | > > > that made it worthless in their context.
> |
> | > On Mon, 2009-09-14 at 11:46 +0200, Matus UHLAR - fantomas wrote:
> | > > I would say that is a result of badly trained BAYES, not from
> | > > its bad design.
> |
> | On 14.09.09 12:06, Clunk Werclick wrote:
> | > The *issue* with bayes is it *can* have user input. Would you trust
> | > your users influencing system wide policy?
> |
> | That only happens if you allow your users to train system-wide BAYES.
> | However this is usually also called "misconfiguration" - in common
> | situations either users have their own bayes databases, or they can't
> | train the site-wide one.
> |
> | > > If you insist on not using bayes, just because it can be
> | > > mistrained, better don't use any configurable software, because _everything_
> | > > configurable will go wrong if misconfigured.
> |
> | > I've already stated I'll try it. So read the fucking follow up
> | > before shouting your thick foreign mouth off you stupid cunt!
> |
> | I have read your previous posts, I only wanted to react on some of
> | your "arguments".
>
> I would post the private email I received from Clunk but I will not
> lower myself or expose the list to such vulgarity.

Why not? Everyone else seems to be able to get away with it!

M.
RE: antispam comparison by virus bulletin
> -Original Message-
> From: mouss [mailto:mo...@ml.netoyen.net]
> Sent: Monday, 7 September 2009 9:59 a.m.
> To: Justin Mason
> Cc: users@spamassassin.apache.org
> Subject: Re: antispam comparison by virus bulletin
>
> Justin Mason wrote:
> > In fairness, they got in touch to ask for help in setting up a more
> > recent SA, but none of us (ie the PMC) had the spare cycles to help
> > out. Comparative third-party tests like this always take a lot of
> > hand-holding. We don't have the same kind of marketing budget as the
> > commercial companies, needless to say.
> >
> > OTOH, I think that McAfee's Email & Web Security Appliance runs on
> > SpamAssassin, or at least it did when I worked there ;)
> >
>
> they acquired Secure Computing. so I'd say the test involved what was
> called Ironmail. Did Ironmail use SA?

They probably used McAfee SpamAssassin. Other Net-App kit of theirs certainly does:

http://www.mcafee.com/uk/local_content/datasheets/ds_spamkiller_appliances.pdf

I'd say it is probable that McAfee use SpamAssassin in every one of their Anti-Spam devices/software products. It certainly wouldn't be surprising. When we had errors come from some of their A/V+AntiSpam products, the existence of Spamassassin "under-the-hood" became apparent (especially when it moans about not being able to load a 20_something_or_other.cf file :-)

Cheers,
Mike
RE: Your message to the Irish Online Help Desk Re: ObfuscationQuestion
> -Original Message-
> From: Karsten Bräckelmann [mailto:guent...@rudersport.de]
> Sent: Friday, 28 August 2009 1:34 p.m.
> To: Irish Online Help Desk
> Cc: users@spamassassin.apache.org
> Subject: Re: Your message to the Irish Online Help Desk Re:
> ObfuscationQuestion
>
> See, this is one of the reasons why I prefer NOT to moderate through
> posts by non-subscribers.

Then why do it? If it causes you frustration, is the time worthwhile? Surely readers of this list aren't expecting anyone to develop an Aneurysm from dealing with non-subscribers to the list..

Cheers,
Mike
OT: RE: your mail
+1 to that. I'm sick of seeing people being flamed in here. Makes you not want to post, TBH.

Michael Hutchinson

-Original Message-
From: Evan Platt [mailto:e...@espphotography.com]
Sent: Friday, 21 August 2009 3:18 p.m.
To: users@spamassassin.apache.org
Subject: Re: your mail

At 07:43 PM 8/20/2009, you wrote:
>Didn't we have an email a couple weeks ago talking about
>inappropriate language on a public list and that it won't be tolerated?

I'd agree. Looking at his / her last 10 posts, each of them has at least one swear in them. It's time for a ban, IMHO.
OT: RE: Barracuda RBL in first place
> -Original Message-
> From: MySQL Student [mailto:mysqlstud...@gmail.com]
> Sent: Monday, 17 August 2009 10:56 a.m.
> To: SpamAssassin Users List
> Subject: Re: Barracuda RBL in first place
>
> Hi,
>
> > So perhaps instead of adding another RBL, maybe some admins need to
> > consider adding in some HELO checking / rejection.
>
> Can you explain a bit more here? What are you checking for, that the
> host is valid?
>
> Thanks,
> Alex

Sure. Firstly, the server requires that a HELO command is sent to start the SMTP session. Without that, the connection will be dropped - this in itself drops quite a bit of Spam.

Secondly, the argument to the HELO command is checked as to whether it is in Fully Qualified Domain form - if not, the connection is dropped. Our clients are all set up for this to work properly.

That's it. We have an additional option: "Require resolvable hostnames" for HELO arguments, but do not use that.

We have made 6 exceptions for hosts that do not pass the HELO argument properly, that are out of our control, but known to our network (ie: trusted via VPN, etc). They haven't relayed any Spam either ;)

Cheers,
Michael Hutchinson
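The two HELO checks described in the post above (a greeting must come first, and its argument must be in FQDN form, with a short exception list for known hosts), modelled as an added example; this is not code from the post or from any particular MTA, and the exception-list addresses and sample session openings are constructed.

```python
"""Model of the HELO/EHLO gate described in the post (added example, constructed data)."""
import re
from dataclasses import dataclass

# A DNS label: 1-63 chars, alphanumeric or hyphen, not starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# FQDN form: two or more labels, top label alphabetic (so a bare IP address is not accepted).
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+[A-Za-z]{{2,63}}\.?$")

# Hosts known to the network that send a non-FQDN greeting (the post's "6 exceptions");
# these addresses are constructed placeholders, not from the thread.
HELO_EXCEPTIONS = {"10.8.0.12", "10.8.0.15"}


@dataclass
class Verdict:
    accept: bool
    reason: str


def is_fqdn(name: str) -> bool:
    """True if name looks like a fully qualified hostname."""
    return len(name) <= 253 and _FQDN_RE.match(name) is not None


def check_helo(client_ip: str, first_command: str) -> Verdict:
    """Decide whether an SMTP session may continue, given the first line the client sent."""
    parts = first_command.strip().split(maxsplit=1)
    verb = parts[0].upper() if parts else ""
    if verb not in ("HELO", "EHLO"):
        # First check: no greeting at all, so the connection is dropped.
        return Verdict(False, f"session opened with {verb or 'nothing'!r}, not HELO/EHLO")
    arg = parts[1].strip() if len(parts) > 1 else ""
    if client_ip in HELO_EXCEPTIONS:
        # Known host with a greeting that would fail the FQDN test: let it through.
        return Verdict(True, f"HELO {arg!r} accepted: {client_ip} is on the exception list")
    if not is_fqdn(arg):
        # Second check: the argument must be in fully qualified domain form.
        return Verdict(False, f"HELO argument {arg!r} is not in FQDN form")
    return Verdict(True, f"HELO {arg!r} accepted")


# Constructed session openings (client address, first command), not real traffic.
SAMPLE_SESSIONS = [
    ("203.0.113.5", "EHLO mail.example.net"),
    ("203.0.113.6", "HELO localhost"),
    ("203.0.113.7", "HELO 203.0.113.7"),
    ("203.0.113.8", "MAIL FROM:<bulk@example.org>"),
    ("10.8.0.12", "HELO OFFICE-PC"),
]


def summarize(sessions=SAMPLE_SESSIONS) -> dict:
    """Count accepted vs rejected sessions, the way the post's 'HELO Reject' figure is built."""
    counts = {"accepted": 0, "rejected": 0}
    for ip, cmd in sessions:
        counts["accepted" if check_helo(ip, cmd).accept else "rejected"] += 1
    return counts


if __name__ == "__main__":
    for ip, cmd in SAMPLE_SESSIONS:
        v = check_helo(ip, cmd)
        print(f"{ip:14} {cmd:32} -> {'ACCEPT' if v.accept else 'REJECT'}: {v.reason}")
    print(summarize())
```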
RE: received-header: unparseable:
> -Original Message-
> From: Chris [mailto:cpoll...@embarqmail.com]
> Sent: Monday, 17 August 2009 10:45 a.m.
> To: users@spamassassin.apache.org
> Subject: received-header: unparseable:
>
> I keep seeing this when running some messages through spamassassin -D
> -t. Is this having an effect on whether or not short circuit works?
>
> received-header: unparseable: from spam01.embarq.synacor.com (LHLO
> smtpout01.embarq.synacor.com) (10.50.1.1) by md29.embarq.synacor.com
> with LMTP;

Is "LHLO" a valid SMTP command? Perhaps this is causing the unparseable header problem..

> Should this be in my trusted_networks in local.cf:
>
> 10.50.1/24
>
> --
> KeyID 0xE372A7DA98E6705C
RE: Barracuda RBL in first place
Hello All,

Considering all of the interesting information that's been going around regarding Barracuda, and its RBL's, I probably wouldn't use it. Not any time soon. But that's based purely on reputation, and has nothing to do with hit ratio.

Our Spam gateway seems to do just fine without it. We query 3 RBLs, which get rid of a great deal of Spam:

bl.spamcop.net
zen.spamhaus.org
cbl.abuseat.org

Everything else (Spam) gets stopped by HELO rejections, Virus Scanning, Recipient Rejection and Spamassassin Scanning.

Mail Stats since 4th June:

Total Messages Processed: 5281347
RBL Rejected: 60.6 %
HELO Rejected: 27.4 %
Invalid Recipient Rejection: 2.8 %
Viruses (detected by ClamAV, & Kaspersky), and other Spam detected by Spamassassin: 1.1 %
Clean Messages: 8.1 %

What really makes a difference is the HELO rejections - we never did this before 4th June, and the amount of Spam that is delivered has dropped so significantly since then that it is... quite remarkable. (at a loss for other words).

So perhaps instead of adding another RBL, maybe some admins need to consider adding in some HELO checking / rejection.

Thanks and Cheers,
Michael Hutchinson
RE: Any one interested in using a proper forum?
Gidday Peter,

> I don't know about anyone else, but I'm getting a bit hacked off with
> this 1980's style forum. I'm trying to get to the bottom of an SA issue and
> this list/forum thing is giving me a bigger headache than SA!

It's a bit like that when you're using Mailing lists, just another thing to get used to in I.T life!

> Spamassassin has more than one or two users now and I personally think
> that it should have a support forum to match the class of software, which is
> now world class.
>
> I know it's free and all that, but even so, if this is the only form of
> support they provide, I'm thinking that I'll just start an alternative
> support forum, using standard, full featured forum software (like SMF).
>
> Is there any support for this (I already know there will be opposition
> from those who are 'resident' here. Sorry guys, I just want to do something to
> help those who just dive in when they have an urgent problem. No hard
> feelings I hope.)

FWIW I think you're driving at creating a forum that would be easier to use or understand for the average joe-bloggs user. This is all very well, but Mailing Lists aren't exactly hard to stay on top of.

As for using E-Mail to discuss problems with Spamassassin, I can think of nothing more applicable. Anyone being an Admin of a Spamassassin enabled Mail Server should be familiar enough with E-Mail to be able to handle Mailing Lists without too much fuss. If this is such a big problem perhaps they shouldn't be Administering a Mail Filtering system at all.

Just my 2cents.

Michael Hutchinson.
RE: Pyzor or DCC
> -Original Message-
> > If you get an E-Mail scoring in both Pyzor and DCC, the chances are
> > very high that the message is Spam. We only deal with around 90,000
> > incoming delivery attempts per day - but have not had a false
> > positive from Pyzor or DCC yet, and have been using both for some
> > years.
>
> That's odd, I get quite a lot of DCC FPs and a few Pyzor FPs on a
> relatively small amount of email. They tend to hit on bulk mail, like
> newsletters, automated mail and very generic mails. I saw a test
> message with just the word test in the subject hit DCC once.

That's really strange, I don't see how DCC would fire on the subject.. the checksum of the message must have somehow matched some Spam..

Actually now that you mention it, I had to deal with a newsletter FP some time ago that was being hit by Pyzor, and then was being pushed over the threshold thanks to the formatting of the E-Mail. I had whitelisted the address for a while, and after testing about a month later, Pyzor was no longer hitting it, and whitelisting was removed.

> I've not seen anything FP on both though, and BAYES would
> probably prevent an FP if it did.

Agreed, although the score assignments of Pyzor and DCC may warrant a review by some mail administrators - to be sure to be sure (that mail does flow).

Cheers,
Mike.
RE: Pyzor or DCC
Hello Luis,

> -Original Message-
> Ok, here is my doubt. I know what Pyzor and DCC are, and I am really
> convinced that a statistic test is a must to detect spam. But my doubt is next:
> - Is it good to have both tests or just one?

It is good to have both tests. Pyzor and DCC are both rather good at what they do.

> I was thinking, let's have a mail that is not SPAM, and a SA with a
> spam level of 5. If
> Pyzor reports 2.6 and DCC 2.7 then it is 5.3 and that good mail will be
> spam.
> I'm not really sure about whether having both tests will be good or just one.

If you get an E-Mail scoring in both Pyzor and DCC, the chances are very high that the message is Spam. We only deal with around 90,000 incoming delivery attempts per day - but have not had a false positive from Pyzor or DCC yet, and have been using both for some years.

IMHO there is nothing wrong with using both. If you do see FP's it would be a surprise, and the first I've heard of it, personally.

Cheers,
Michael Hutchinson
RE: 20_dnsbl_tests.cf
Hello John,

> Upgrading one package from CPAN _shouldn't_ be _that_ intrusive.
> Telling it to upgrade everything is probably a bad idea, though.

I think that last time we used CPAN, I went to upgrade just one package, and it caught the fact that I would be missing dependencies. It then went about automatically upgrading all the packages we apparently needed to support the Perl module I was upgrading. I understand this behaviour can be switched off, but I'm in no hurry to touch CPAN again thanks :)

> > I don't see where Net::DNS is causing an issue, however..
>
> It probably is not, but I don't pay a great deal of attention to
> discussion of problems in it, so I'm not sure. Upgrading it shouldn't hurt and may
> help.
>
> > Is there some debug routine I can throw in to get a general idea of
> > how it is performing for all E-Mail?
>
> "it" being DNS? Yes, "-D dns" as you've done, or the more verbose
> "--debug area=dns". You can also run "--debug area=dns,all" to see everything
> else too.

And with -D I discovered:

Apr 8 22:41:08 tuatara spamd[1291]: dns: timeout for zen-lastexternal,zen,zen-lastexternal after 4 seconds
Apr 8 22:41:09 tuatara spamd[1292]: dns: timeout for sorbs-lastexternal,sorbs after 7 seconds
Apr 8 22:41:09 tuatara spamd[1292]: dns: timeout for zen-lastexternal,zen,zen-lastexternal after 7 seconds
Apr 8 22:41:16 tuatara spamd[1921]: dns: timeout for zen after 5 seconds
Apr 8 22:41:16 tuatara spamd[1921]: dns: timeout for zen-lastexternal,zen,zen-lastexternal after 5 seconds
Apr 8 22:41:18 tuatara spamd[1291]: dns: timeout for sorbs-lastexternal,sorbs after 7 seconds

I have managed to replicate this from the command line, so this probably isn't a spamassassin issue anymore. So, I've found the problem, or at least part of it.

We're going to run analysis of this via NetPriva and get some more logging happening with Bind (also running on the mail server), and I will enable --debug area=dns at your suggestion to see if we can pin this issue for good.

> > If I am correct, this server hasn't used any swap for quite some
> > time, but does keep the physical memory well consumed for performance
> > reasons. (Debian 3.1 Sarge).
>
> That looks good.
>
> These are superficial suggestions, of course.

They all help, John. Thanks for your response and ideas! :)

Cheers,
Michael Hutchinson
RE: 20_dnsbl_tests.cf
> > MailServer:~/spamassassin# spamassassin -D dns -t
> > [27256] dbg: dns: is Net::DNS::Resolver available? yes
> > [27256] dbg: dns: Net::DNS version: 0.61
>
> You might want to fire up CPAN and upgrade Net::DNS.

[choke]. The last time I used CPAN for upgrading anything on this box, it broke Spamassassin rather badly and I had to spend several hours restoring it to its former glory from backups (and removing additional Perl modules that got installed on my system, but aren't compatible with SA 3.1.7).

Is there another way to upgrade that Module without using CPAN, and giving myself some kind of instant "revert to Net::DNS" fallback ability if it fails? I fear that I will not be able to upgrade Net::DNS as our Debian Sarge will be too old to support it. I'll see if I can manually implement the upgrade, without breaking dependencies and so forth.

I don't see where Net::DNS is causing an issue, however.. Is there some debug routine I can throw in to get a general idea of how it is performing for all E-Mail?

> > See the horrible scantimes. These are logged in between other tests
> > that look quite normal:
> >
> > There does not appear to be a common rule that hits the Mail that
> > takes too long to scan. I'd say that around 1/4 of all mail, perhaps less
> > (without knowing for sure) takes an excessive amount of time to scan.
>
> ...how are you for memory? Those three were all close together in time,
> maybe (WAG) you're hitting swap?

#free -m -t
             total       used       free     shared    buffers     cached
Mem:          2027       1945         82          0        117       1023
-/+ buffers/cache:        804       1223
Swap:         1906          0       1906
Total:        3933       1945       1988

If I am correct, this server hasn't used any swap for quite some time, but does keep the physical memory well consumed for performance reasons. (Debian 3.1 Sarge).

Cheers,
Mike
RE: 20_dnsbl_tests.cf
> -Original Message-
> From: Karsten Bräckelmann [mailto:guent...@rudersport.de]
> Sent: Wednesday, 8 April 2009 11:31 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: 20_dnsbl_tests.cf
>
> On Wed, 2009-04-08 at 11:09 +1200, Michael Hutchinson wrote:
> > Hello everyone,
> >
> > Does anyone know of a way to perform individual debug tests on the
> > DNSBL's listed in 20_dnsbl_tests.cf? In essence I need to see
> > failures and/or timeouts.
>
> spamassassin -D. In particular, I believe -D dns should limit it to the
> results you're after. Sorry, from memory, not tested. Too lazy and too
> late this night. ;)

I have done this, and appear to have quite a nominal time for those checks:

MailServer:~/spamassassin# spamassassin -D dns -t
DNS available (set dns_available to override)
[27256] dbg: dns: is DNS available? 1
[27256] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
[27256] dbg: dns: checking RBL zen.spamhaus.org., set zen
[27256] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
[27256] dbg: dns: checking RBL plus.bondedsender.org., set ssc-firsttrusted
[27256] dbg: dns: checking RBL combined.njabl.org., set njabl
[27256] dbg: dns: checking RBL bl.spamcop.net., set spamcop
[27256] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted
[27256] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
[27256] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
[27256] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
[27256] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted

This took about 2 seconds or less. So I'm guessing that is quite normal. I suspect that some of these may be failing occasionally, perhaps this suggests some kind of occasional DNS lookup failure...

> > I have made some changes to my SA 3.1.7 20_dnsbl_tests.cf when I
> > compared it to the 3.2.5 release. I basically just removed 2 DNSBL
> > lookups that are redundant. This is done in an attempt to solve an issue
> > of random scan times of 30 seconds plus.
>
> It would help to let us know about the changes. That way we might
> already be able to tell you, if it possibly could fix such issue.
>
> Other than that -- update. :-)

Can't for reasons already described. Sorry for trying to get you guys to help me fix old technology. Eh.

> > There does not appear to be any common rule firing against the
> > E-Mails that take 30+ seconds to scan.
> > I have not managed to replicate the long scan time by testing
> > Spamassassin locally with network tests enabled.
>
> Size? Well, maybe not, given the non-reproducibility. DNS timeouts?
> Possibly.

See above...

> > Any pointers would be greatly appreciated ;)
>
> Some real meat in your problem description would be appreciated as
> well. ;)

Now.. Meat.. Sorry about the address rewrites.. Been told by the boss..

Apr 8 11:47:02 tuatara spamd[23141]: spamd: result: Y 23 - BAYES_99,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,TW_AQ,TW_JW,TW_QJ,TW_QK,TW_QZ,TW_YF,URIBL_AB_SURBL,URIBL_BLACK,URIBL_SBL scantime=30.3,size=2233,user=ema...@hosteddomain1.co.nz,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=56696,mid=(unknown),bayes=0.98520162275,autolearn=spam
Apr 8 11:47:08 tuatara spamd[23298]: spamd: result: Y 17 - BAYES_80,HELO_DYNAMIC_IPADDR,HTML_30_40,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,UNPARSEABLE_RELAY,URIBL_AB_SURBL scantime=30.4,size=30018,user=ema...@hosteddomain2.co.nz,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=56703,mid=<000d01c9b7db$12f8b5e0$6400a...@disputesle13>,bayes=0.887238649863803,autolearn=spam
Apr 8 11:47:57 tuatara spamd[22212]: spamd: result: . 0 - AWL,BAYES_00,NO_REAL_NAME scantime=30.0,size=27338,user=ema...@hosteddomain3.co.nz,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=56719,mid=<58215568.1239148009994.javamail.j...@akcux371>,bayes=0.000695157869939289,autolearn=no

See the horrible scantimes. These are logged in between other tests that look quite normal:

Apr 8 11:59:49 tuatara spamd[25073]: spamd: result: Y 18 - AWL,BAYES_50,DATE_IN_PAST_24_48,HTML_MESSAGE,HTML_TAG_BALANCE_BODY,TW_YC,UNPARSEABLE_RELAY,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL scantime=2.6,size=8192,user=clamav,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57186,mid=<49826502-d1f5-4d43-b329-9e8a6eb34...@aloha.wst.pwsrotterdam.nl>,bayes=0.528807234903339,autolearn=no

There does not appear to be a common rule that hits the Mail that takes too long to scan. I'd say that around 1/4 of all mail, perhaps less (without knowing for sure) takes an excessive amount of time to scan.

Cheers,
Mike
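An added example (not code from the thread) that does by script what this post and the earlier "-D dns" reply do by eye: it parses the spamd "result:" lines and the "dns: timeout" lines quoted in those two posts, splits scans into slow and normal, and reports which rules every slow scan shares, the spread of the slow scantimes against message size, and which RBL sets timed out. The slow threshold of 20 seconds and the one extra "normal" log line are constructed assumptions.

```python
"""Parse spamd 'result:' and 'dns: timeout' log lines and look for what the slow scans share.

Added example, not from the thread. The sample lines are the ones quoted in the
posts (addresses already rewritten there) plus one constructed normal scan.
"""
import re
from collections import Counter

RESULT_RE = re.compile(
    r"spamd\[(?P<pid>\d+)\]: spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - "
    r"(?P<rules>\S+) (?P<kv>.*)$"
)
TIMEOUT_RE = re.compile(
    r"spamd\[(?P<pid>\d+)\]: dns: timeout for (?P<sets>\S+) after (?P<secs>\d+) seconds"
)


def parse_result(line):
    """Return the fields of a 'spamd: result:' line, or None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    # The tail is comma-separated key=value pairs (scantime, size, user, ...).
    kv = dict(item.split("=", 1) for item in m["kv"].split(",") if "=" in item)
    return {
        "pid": int(m["pid"]),
        "spam": m["verdict"] == "Y",
        "score": int(m["score"]),
        "rules": frozenset(m["rules"].split(",")),
        "scantime": float(kv["scantime"]),
        "size": int(kv["size"]),
    }


def analyse(lines, slow_threshold=20.0):
    """Split scans into slow/normal and report what, if anything, the slow ones have in common."""
    results = [r for r in map(parse_result, lines) if r]
    slow = [r for r in results if r["scantime"] >= slow_threshold]
    normal = [r for r in results if r["scantime"] < slow_threshold]
    slow_rules = [r["rules"] for r in slow]
    normal_rules = [r["rules"] for r in normal]
    # Rules that fired in every slow scan: a shared trigger would show up here.
    common = frozenset.intersection(*slow_rules) if slow_rules else frozenset()
    # Rules seen in slow scans but in none of the normal ones.
    only_slow = frozenset().union(*slow_rules) - frozenset().union(*normal_rules)
    # 'dns: timeout for <sets> after N seconds' lines, counted per RBL set name.
    dns_sets = Counter()
    for m in filter(None, map(TIMEOUT_RE.search, lines)):
        dns_sets.update(m["sets"].split(","))
    times = [r["scantime"] for r in slow]
    return {
        "slow": len(slow),
        "normal": len(normal),
        "common_slow_rules": sorted(common),
        "only_slow_rules": sorted(only_slow),
        # Slow scantimes bunched within a fraction of a second while sizes vary
        # widely point at something waiting on a fixed timeout, not at message size.
        "slow_scantime_spread": round(max(times) - min(times), 1) if times else None,
        "slow_sizes": sorted(r["size"] for r in slow),
        "dns_timeouts_by_set": dict(dns_sets),
    }


# Sample log: the three slow scans and one normal scan quoted in this post, one
# constructed normal scan, and the six timeouts quoted in the "-D dns" reply.
SAMPLE_LOG = [
    "Apr 8 11:47:02 tuatara spamd[23141]: spamd: result: Y 23 - BAYES_99,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,TW_AQ,TW_JW,TW_QJ,TW_QK,TW_QZ,TW_YF,URIBL_AB_SURBL,URIBL_BLACK,URIBL_SBL scantime=30.3,size=2233,user=ema...@hosteddomain1.co.nz,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=56696,mid=(unknown),bayes=0.98520162275,autolearn=spam",
    "Apr 8 11:47:08 tuatara spamd[23298]: spamd: result: Y 17 - BAYES_80,HELO_DYNAMIC_IPADDR,HTML_30_40,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,UNPARSEABLE_RELAY,URIBL_AB_SURBL scantime=30.4,size=30018,user=ema...@hosteddomain2.co.nz,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=56703,mid=<000d01c9b7db$12f8b5e0$6400a...@disputesle13>,bayes=0.887238649863803,autolearn=spam",
    "Apr 8 11:47:57 tuatara spamd[22212]: spamd: result: . 0 - AWL,BAYES_00,NO_REAL_NAME scantime=30.0,size=27338,user=ema...@hosteddomain3.co.nz,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=56719,mid=<58215568.1239148009994.javamail.j...@akcux371>,bayes=0.000695157869939289,autolearn=no",
    "Apr 8 11:59:49 tuatara spamd[25073]: spamd: result: Y 18 - AWL,BAYES_50,DATE_IN_PAST_24_48,HTML_MESSAGE,HTML_TAG_BALANCE_BODY,TW_YC,UNPARSEABLE_RELAY,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL scantime=2.6,size=8192,user=clamav,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57186,mid=<49826502-d1f5-4d43-b329-9e8a6eb34...@aloha.wst.pwsrotterdam.nl>,bayes=0.528807234903339,autolearn=no",
    # Constructed normal ham scan, not from the thread.
    "Apr 8 12:03:11 tuatara spamd[25090]: spamd: result: . 1 - AWL,BAYES_00,HTML_MESSAGE scantime=1.9,size=4120,user=clamav,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57201,mid=<constructed-1@example.invalid>,bayes=0.01,autolearn=no",
    "Apr 8 22:41:08 tuatara spamd[1291]: dns: timeout for zen-lastexternal,zen,zen-lastexternal after 4 seconds",
    "Apr 8 22:41:09 tuatara spamd[1292]: dns: timeout for sorbs-lastexternal,sorbs after 7 seconds",
    "Apr 8 22:41:09 tuatara spamd[1292]: dns: timeout for zen-lastexternal,zen,zen-lastexternal after 7 seconds",
    "Apr 8 22:41:16 tuatara spamd[1921]: dns: timeout for zen after 5 seconds",
    "Apr 8 22:41:16 tuatara spamd[1921]: dns: timeout for zen-lastexternal,zen,zen-lastexternal after 5 seconds",
    "Apr 8 22:41:18 tuatara spamd[1291]: dns: timeout for sorbs-lastexternal,sorbs after 7 seconds",
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted lines the common-rule set comes back empty (matching the post's observation), while the slow scantimes sit within 0.4 s of each other across sizes from 2 KB to 30 KB, which is the shape of a lookup that always waits out its timeout.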
RE: 20_dnsbl_tests.cf
Hello Dave,

> -Original Message-
> From: Dave Koontz [mailto:dkoo...@mbc.edu]
> Sent: Wednesday, 8 April 2009 11:34 a.m.
> To: Michael Hutchinson
> Cc: users@spamassassin.apache.org
> Subject: Re: 20_dnsbl_tests.cf
>
> Michael Hutchinson wrote ... (4/7/2009 7:09 PM):
> > I have made some changes to my SA 3.1.7 20_dnsbl_tests.cf when I
> > compared it to the 3.2.5 release. I basically just removed 2 DNSBL
> > lookups that are redundant. This is done in an attempt to solve an issue:
> > random scan times of 30 seconds plus.
>
> When was the last time you used sa-update? Not that it will be but so
> effective on a 3.1.x install.
>
> Is there a particular reason you can not upgrade this server to 3.2.x?
> 3.1.7 is quite old now, and many rbls have gone away or changed since
> then. Two immediate changes come to mind, spamhaus changed to their
> zen rbl, and whois is gone. I believe in addition to these,
> list.dsbl.org is now gone. I am sure others here can give you more
> changes or reasons to update! ;-)

Can't update SA until another 20 days or so. Need to get this server running normally again.

I have changed the SBLXBL list to ZEN. I have removed DSBL and WHOIS.

Cheers,
Mike
RE: 20_dnsbl_tests.cf
Hello Matt, thanks for the response.

> -Original Message-
> From: Matt Kettler [mailto:mkettler...@verizon.net]
> Sent: Wednesday, 8 April 2009 11:26 a.m.
> To: Michael Hutchinson
> Cc: users@spamassassin.apache.org
> Subject: Re: 20_dnsbl_tests.cf
>
> Michael Hutchinson wrote:
> > Hello everyone,
> >
> > Does anyone know of a way to perform individual debug tests on the
> > DNSBL's listed in 20_dnsbl_tests.cf? In essence I need to see failures
> > and/or timeouts.
> >
> > I have made some changes to my SA 3.1.7 20_dnsbl_tests.cf when I
> > compared it to the 3.2.5 release.
>
> This is, in general, a very bad idea. Those files get dropped or deleted
> when you run sa-update. So now you have to make sure you never run
> sa-update or your changes might get nuked.
>
> Better to make your over-rides in a file in /etc/mail/spamassassin.

Yes, I understand and had thought that as well. Considering my SA is version 3.1.7, no updates are coming out for it at the moment anyway. So, I would only run SA-update to get 3rd party rules (ie SARE) but I understand there are no updates for those rulesets either, so probably won't run sa-update until we have upgraded the server.

I know I can override the scores in /etc/mail/spamassassin.. But how would I disable any one specific DNSBL test from there? (didn't see a way to do it before, hence the edits of the cf file directly). (And I know I can't run sa-update now).

> > I basically just removed 2 DNSBL
> > lookups that are redundant.
>
> Which ones?

Heh.. the list is a bit longer than I might have previously suggested:

This one got nuked:

header RCVD_IN_NJABL_DUL eval:check_rbl('njabl-lastexternal', 'combined.njabl.org.', '127.0.0.3')
describe RCVD_IN_NJABL_DUL NJABL: dialup sender did non-local SMTP
tflags RCVD_IN_NJABL_DUL net
#reuse RCVD_IN_NJABL_DUL

SBL_XBL got changed to ZEN. No biggie there.

PBL added:

# PBL is the Policy Block List: http://www.spamhaus.org/pbl/
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.1[01]')
describe RCVD_IN_PBL Received via a relay in Spamhaus PBL
tflags RCVD_IN_PBL net
#reuse RCVD_IN_PBL T_RCVD_IN_PBL_WITH_NJABL_DUL RCVD_IN_NJABL_DUL

These nuked:

header DNS_FROM_RFC_POST eval:check_rbl_sub('rfci_envfrom', '127.0.0.3')
describe DNS_FROM_RFC_POST Envelope sender in postmaster.rfc-ignorant.org
tflags DNS_FROM_RFC_POST net
#reuse DNS_FROM_RFC_POST

header DNS_FROM_RFC_ABUSE eval:check_rbl_sub('rfci_envfrom', '127.0.0.4')
describe DNS_FROM_RFC_ABUSE Envelope sender in abuse.rfc-ignorant.org
tflags DNS_FROM_RFC_ABUSE net
#reuse DNS_FROM_RFC_ABUSE

header DNS_FROM_RFC_WHOIS eval:check_rbl_sub('rfci_envfrom', '127.0.0.5')
describe DNS_FROM_RFC_WHOIS Envelope sender in whois.rfc-ignorant.org
tflags DNS_FROM_RFC_WHOIS net
#reuse DNS_FROM_RFC_WHOIS

And these got nuked too:

# CompleteWhois blacklists
header __RCVD_IN_WHOIS eval:check_rbl('whois', 'combined-HIB.dnsiplists.completewhois.com.')
tflags __RCVD_IN_WHOIS net

header RCVD_IN_WHOIS_BOGONS eval:check_rbl_sub('whois', '127.0.0.2')
describe RCVD_IN_WHOIS_BOGONS CompleteWhois: sender on bogons IP block
tflags RCVD_IN_WHOIS_BOGONS net

header RCVD_IN_WHOIS_HIJACKED eval:check_rbl_sub('whois', '127.0.0.3')
describe RCVD_IN_WHOIS_HIJACKED CompleteWhois: sender on hijacked IP block
tflags RCVD_IN_WHOIS_HIJACKED net

header RCVD_IN_WHOIS_INVALID eval:check_rbl('whois-lastexternal', 'combined-HIB.dnsiplists.completewhois.com.', '127.0.0.4')
describe RCVD_IN_WHOIS_INVALID CompleteWhois: sender on invalid IP block
tflags RCVD_IN_WHOIS_INVALID net
#reuse RCVD_IN_WHOIS_INVALID RCVD_IN_RFC_IPWHOIS

# another domain-based blacklist
header DNS_FROM_SECURITYSAGE eval:check_rbl_envfrom('securitysage', 'blackhole.securitysage.com.')
describe DNS_FROM_SECURITYSAGE Envelope sender in blackholes.securitysage.com
tflags DNS_FROM_SECURITYSAGE net
#reuse DNS_FROM_SECURITYSAGE

I have refrained from adding any new ones, apart from the PBL.

> > This is done in an attempt to solve an issue:
> > random scan times of 30 seconds plus.
> >
> > There does not appear to be any common rule firing against the E-Mails
> > that take 30+ seconds to scan.
> > I have not managed to replicate the long scan time by testing
> > Spamassassin locally with network tests enabled.
> >
> > Any pointers would be greatly appreciated ;)
>
> Upgrade to 3.2.x.
>
> Seriously, 3.1.7 is vastly too old to be very
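The local override Matt suggests, written out as an added example (not from the thread or from the SpamAssassin distribution): a fragment for /etc/mail/spamassassin/local.cf that disables the rules listed above by score, so 20_dnsbl_tests.cf stays untouched and sa-update cannot wipe the change. The rule names are the ones in the listing; which of them a given site actually wants off is an assumption.

```text
# /etc/mail/spamassassin/local.cf (added example, not the poster's file)
# A rule with score 0 is disabled. local.cf is not replaced by sa-update,
# so this survives in a way that edits to 20_dnsbl_tests.cf do not.

# NJABL dial-up list
score RCVD_IN_NJABL_DUL 0

# rfc-ignorant.org envelope-sender lists
score DNS_FROM_RFC_POST 0
score DNS_FROM_RFC_ABUSE 0
score DNS_FROM_RFC_WHOIS 0

# CompleteWhois lists. __RCVD_IN_WHOIS is the subrule that issues the
# lookup and has no score of its own, so the scoring rules are the handle.
score RCVD_IN_WHOIS_BOGONS 0
score RCVD_IN_WHOIS_HIJACKED 0
score RCVD_IN_WHOIS_INVALID 0

# SecuritySage envelope-sender list
score DNS_FROM_SECURITYSAGE 0

# Blunt alternative while the 30-second scans are being tracked down:
# skip every DNSBL test at once, then re-enable them one list at a time.
# skip_rbl_checks 1
```

Check the effect on a saved test message with `spamassassin -D -t < message 2>&1 | grep -i dns`, which shows each DNSBL query the debug output still issues and any timeout it reports; that is also the closest thing to the per-list debug test the original post asks for.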
20_dnsbl_tests.cf
Hello everyone,

Does anyone know of a way to perform individual debug tests on the DNSBL's listed in 20_dnsbl_tests.cf? In essence I need to see failures and/or timeouts.

I have made some changes to my SA 3.1.7 20_dnsbl_tests.cf when I compared it to the 3.2.5 release. I basically just removed 2 DNSBL lookups that are redundant. This is done in an attempt to solve an issue: random scan times of 30 seconds plus.

There does not appear to be any common rule firing against the E-Mails that take 30+ seconds to scan. I have not managed to replicate the long scan time by testing Spamassassin locally with network tests enabled.

Any pointers would be greatly appreciated ;)

Thanks and Cheers,
Michael Hutchinson
Manux Solutions Limited
RE: JoeJobbed - Vbounce plugin - SPF?.
-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk]
Sent: Tuesday, 17 March 2009 10:17 p.m.
To: users@spamassassin.apache.org
Subject: Re: JoeJobbed - Vbounce plugin - SPF?.

On 17.03.09 14:02, Michael Hutchinson wrote:
>> I'm running Spamassassin 3.1.7, with netqmail 1.05, ClamAv etc..

> old ! The current SA version is 3.2.5 - upgrade.

Yes, I know it's old :) The upgrade is in the pipeline, but not for a couple of months yet. Mind you, it still runs pretty well and does catch a lot of Spam, for its age.

>> We initially tried 'riding out the storm' as it were, but were unable
>> to keep on top of the load put on the servers by excessive E-Mail
>> messages requiring scanning by SA. This got so bad that the mailserver
>> had become unresponsive to our clients.

> qmail is known for bouncing, instead of rejecting unknown recipients at SMTP level. You filter unknown
> recipients? If not, this is your problem.

If an smtproutes entry forces me to accept unknown recipients for said affected domain, then Yes, and I would assume that this is the behaviour.

>> How might I keep delivery flowing to valid recipients for the domain
>> (smarthosted (smtproutes) to exchange) but reject the blowback at SMTP
>> time?

> So you do NOT reject invalid recipients? Change qmail, or at least its SMTP server. There are afaik some
> that can do that.

Yes, that can be done with a valid rcptto patch for qmail. I've not applied the patch, but have added it to the list.

> And, optionally, consider some rules of rejecting before queuing - block invalid HELO strings, senders in
> some reliable blacklists etc. This helps.

I will work at blocking invalid HELO and some certain subjects at SMTP time, for a while after a joe job.

>> I was considering convincing the powers to let me setup SPF, but their
>> requirement would be to have both v1 and v2 spf tags - and I'm not
>> sure whether Q-Mail is up to both yet, but some kind of SPF
>> implementation where we check the tags (not necessarily publish them)
>> but I guess that's an MTA question:)

> forget SPF v2. Use v1 but don't expect huge results, there's still many SMTP servers not checking the
> SPF...

OK, What's wrong with SPF v2 ?

Thanks for your reply, Matus, I appreciate your help and ideas.

Cheers,
Michael Hutchinson
Manux Solutions Limited.
JoeJobbed - Vbounce plugin - SPF?.
Hello everyone,

I'm running Spamassassin 3.1.7, with netqmail 1.05, ClamAv etc..

We've been subject to being joe-jobbed on one of our domains here at work. We were lucky as we were able to switch off delivery to the affected domain and effectively blocked the blowback by refusing E-Mail from all the Postmasters around the world sending NDR's and so forth to the now non-existent mailboxes. However, this was a far-from-optimal solution, as I'm sure many people will be wanting to point out already, what if we needed that domain to still receive legitimate E-Mail...

We initially tried 'riding out the storm' as it were, but were unable to keep on top of the load put on the servers by excessive E-Mail messages requiring scanning by SA. This got so bad that the mailserver had become unresponsive to our clients.

I removed a bunch of our own site rules (which were going to be whittled away anyhow) to decrease the average scantime of E-Mails by Spamassassin - this did work, for about 15 minutes. Then, an average scantime of 4 seconds was not good enough - clients still denied SMTP (too busy).

I decided (wrongly) to implement the Vbounce plugin. Read the install doc, got it setup, tested SA with debug and lint, everything appeared to test OK. Put it into practice by reloading SA and then Wang! Average scantimes hit the roof: 38 seconds. Needless to say I disabled the plugin. Although whilst it was running, it did appear to be doing the job correctly according to my mail logs - and there were no errors.

So we blocked the domain.

I am interested to know the following:

Has anyone else had this kind of result when installing the Vbounce plugin? (largely increased scantimes)

How might I keep delivery flowing to valid recipients for the domain (smarthosted (smtproutes) to exchange) but reject the blowback at SMTP time?

I was considering convincing the powers to let me setup SPF, but their requirement would be to have both v1 and v2 spf tags - and I'm not sure whether Q-Mail is up to both yet, but some kind of SPF implementation where we check the tags (not necessarily publish them) but I guess that's an MTA question:)

Thanks in advance for any useful information :)

Cheers,
Michael Hutchinson
RE: Hopfield nerons for porn image detection
-Original Message-
From: Luis Daniel Lucio Quiroz [mailto:luis.daniel.lu...@gmail.com]
Sent: Wednesday, 4 March 2009 9:19 a.m.
To: users@spamassassin.apache.org
Subject: Re: Hopfield nerons for porn image detection

Good one,

Hopfield networks are not the fastest, but they can identify patterns with noise. I was wondering to cut an image in smaller zones nxn and then run hopfield network to detect naked body parts. After detecting these, a grade could be done.

Any comment.

Yes - Why even bother detecting naked body parts when there is little point? Others on this list have already commented about the fact that there is very little image Spam out there nowadays - in fact, is there any?, and what there is uses external links to display its content, there are no images in the actual E-Mail message, or attached to it.

I guess if you really wanted naked body part image matching work, you could write another Net-Nanny style program to filter websites for families...

2c
Cheers,
Mike
OT: RE: URI with spaces are not recognized
"plenty of people are greedy, gullible, uninformed, overly trusting, stupid, or some combination of the above" This also means: "Anyone that doesn't use a computer as much as an E-Mail administrator" You can't expect everyone to know enough about Spam to not be fooled by it. The reason people do get fooled is because they aren't all computer technicians. Everyone is good at something, lets not get carried away and blame joe bloggs for being.. joe bloggs.. after all, he might be the next automotive technician to fix your car. Why write off topic? Well, we do need to understand the end-user, they are the ones who see the benefit of our work, no? Are they not the ones who pay many of our wages? 2c/Cheers. -Original Message- From: Kevin Parris [mailto:kpar...@ed.sc.gov] Sent: Saturday, 14 February 2009 9:43 a.m. To: users@spamassassin.apache.org Subject: Re: URI with spaces are not recognized Artificial intelligence will never overcome natural stupidity (or the clever ingenuity of criminals) ... if people actually DO that (copy the "url" and remove the spaces) there is some temptation to say they get what they deserve ... but on the other hand most of the spam/scam stuff out there is based on the premise that plenty of people are greedy, gullible, uninformed, overly trusting, stupid, or some combination of the above. >>> Franz Schwartau 02/13/09 2:18 PM >>> C'mon... Patient: "Doctor, if I press down here it really hurts..." Doctor: "Don't press there then." You won't solve a problem by defining there is no problem. In these spams people are requested to remove the spaces when entering the given string ("url") in their browser. Benny Pedersen wrote: > On Thu, February 12, 2009 18:26, Franz Schwartau wrote: >> www . abcdef . net >> >> After reading the source for a while I found that $schemelessRE in >> line 1720 of Mail::SpamAssassin::PerMsgStatus.pm seems to be >> responsible for that. Unfortunally this regexp doesn't care >> about whitespaces. 
> > give me a url to a browser that can show above url is simple :) > > even my firefox in my nokia phone wont show this, did i miss another > one ? > >> Has anyone a solution? > > none so far have a problem ? > >> Would be fine if I could use the "uri" directive >> or even some uribl on this kind of "urls". > > it will if there was a problem
RE: Can't locate object method "new" via package "Net::DNS::RR::TXT"
Hello,

I once had this problem. It was caused by an improper/incomplete upgrade of Spamassassin. Perl modules actually, some had been downloaded and added to the system via CPAN, which were supposed to go with a new Spamassassin binary. The binary was never installed however, and we had lots of problems like the "can't locate object method" error. Investigating the Perl modules afterwards, it was clear that some were a new version, while others were the old version - God only knows how that happened (probably misuse of CPAN). Restoring the old perl modules from backup fixed the issue.

HTH

Cheers,
Michael Hutchinson

-Original Message-
From: mouss [mailto:mo...@ml.netoyen.net]
Sent: Thursday, 22 January 2009 9:40 a.m.
To: users@spamassassin.apache.org
Subject: Re: Can't locate object method "new" via package "Net::DNS::RR::TXT"

Brian J. Murrell wrote:
> I seem to be getting a lot of these in the last 36h:
>
> 12:02:26 spamd Can't locate object method "new" via package
> "Net::DNS::RR::TXT" at /usr/lib/perl5/Net/DNS/RR.pm line 305.
> 12:02:26 spamd caught at /usr/share/perl5/Mail/SpamAssassin/DnsResolver.pm
> line 419
>
> Any ideas why?

probably a bug in one of: Net::DNS or Mail::SPF or Mail::SPF::Query.
RE: help please
Hello brunope...@aol.com, Though it might sound mean to the un-initiated, I totally agree with Kai. If you have a Mail Server admin, and they are putting the job of fixing Spamassassin on the user, they are not doing their job. You may need a new Mail Server admin. Make a complaint to management - do something, but I do not think that learning how to run/configure Spamassassin is the right thing for you to do - this is not a userland program (well, it shouldn't be). Cheers, Mike -Original Message- From: Kai Schaetzl [mailto:mailli...@conactive.com] Sent: Friday, 16 January 2009 1:32 p.m. To: users@spamassassin.apache.org Subject: Re: help please brunope...@aol.com wrote on Thu, 15 Jan 2009 11:28:09 -0500: > My mail server guy > > told me it is because of SpamAssassin . Great, you have a "mail server guy". That's the right person who can fix that for you. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
RE: Russian spam
Hello,

Be careful with the character-set matching rules. I was using some of them and got a high rate of FP's - it was mainly because of the koi8-r charset, and scoring against that meant I was also scoring against perfectly legitimate technical resource newsletters that are in English.

Cheers,
Mike

-Original Message-
From: Ned Slider [mailto:n...@unixmail.co.uk]
Sent: Thursday, 15 January 2009 2:04 p.m.
To: users@spamassassin.apache.org
Subject: Re: Russian spam

Francis Russell wrote:
> Anyone know of any good rule-sets to block this sort of spam?
>
> http://www.unchartedbackwaters.co.uk/files/russian_spam.txt
>
> I find that Pyzor and Razor completely miss it as well as the DNS
> blacklists (although I believe this one has a relay in one of the
> Spamhaus ones now). I'm aware of the language whitelisting feature but
> presumably there is a better way than just assuming everything in
> language x is spam?
>
> Francis

If you want something that's language specific, checking for koi8-r can be quite effective, but if you do receive legitimate Russian mail then it may lead to FPs. Anyway, here's a rule to check the subject that would hit your example:

header LOCAL_CHARSET_SUBJECT Subject:raw =~ /\=\?(koi8-r|windows-1251|iso-2022-jp|gb2312)\?/i

There's a few other foreign character sets thrown in there that I also reject - edit to suit your needs.

Looking at the rest of the mail, I have a few other custom rules that fire on your example:

header LOCAL_THEBAT_MUA X-Mailer =~ /^The Bat!/
uri LOCAL_URI_RU m{https?://.{1,40}\.ru\b}
uri LOCAL_URI_CHAT_RU m{https?://.{1,40}\.chat\.ru\b}

I score against The Bat MUA, and also against any [dot] ru domains, plus an additional (additive) score for [dot] chat [dot] ru URIs. I have no legitimate use for these in emails (I also have a similar rule for Chinese domains that's very popular!)

So I have 4 or 5 custom rules that all score against your example and add a little to the score taking it well over the spam threshold.
RE: Russian spam
Hello, You could write a Meta rule that contained two sub rules - one for matching "The Bat!" mailer, and the other matching the "chat.ru" link at the bottom. Fire a score if both rules hit. It may not be optimal, but it got rid of that Spam for me, and I haven't had a FP yet. If you check out the meta that was posted on here not long ago to do with the "Spaces Live" Spam, that has a very similar concept, involving The Bat mailer and Spaces Live links at the bottom of the Spam. Cheers, Mike -Original Message- From: Francis Russell [mailto:francis+saus...@unchartedbackwaters.co.uk] Sent: Thursday, 15 January 2009 1:35 p.m. To: users@spamassassin.apache.org Subject: Russian spam Anyone know of any good rule-sets to block this sort of spam? http://www.unchartedbackwaters.co.uk/files/russian_spam.txt I find that Pyzor and Razor completely miss it as well as the DNS blacklists (although I believe this one has a relay in one of the Spamhaus ones now). I'm aware of the language whitelisting feature but presumably there is a better way then just assuming everything in language x is spam? Francis
RE: TO: and FROM: line are the same.
I was just supplying info I found that related to an earlier discussion, that might be useful to some rule writers out there. I found it interesting that someone had discovered how to match TO and FROM in S.A. But yes, MTA level would be better. Sorry if I missed any archives that detailed successful SA To and From matching - Mike out. > -Original Message- > From: Sahil Tandon [mailto:sa...@tandon.net] > Sent: 5 January 2009 12:43 p.m. > To: users@spamassassin.apache.org > Subject: Re: TO: and FROM: line are the same. > > Matt Kettler wrote: > > > > There was some discussion on this list a while back about catching > > > Spam that contains the same E-Mail address in the TO and FROM lines. I > > > think it was decided that this could not be done, for some reason. > > > > > I don't know that anyone said it couldn't be done. It is however rather > > expensive. That long multi-header regex could take a very long time to > > run because it may have to scan the entire header block if one of the > > From/To headers is missing. > > > > Besides, Most "to and from are same" problems really boil down to > > "unauthorized host forging my domain as the sender and delivering mail > > to my server". There are many ways to deal with this problem already if > > it also occurs in the envelope FROM. SPF for example. > > Another option would be to simply block such emails (those with ENVELOPE > FROM == TO) at the MTA, before passing mail to SpamAssassin. The OP > should read the archives for discussion about the pros and cons. > > -- > Sahil Tandon
TO: and FROM: line are the same.
Hello,

There was some discussion on this list a while back about catching Spam that contains the same E-Mail address in the TO and FROM lines. I think it was decided that this could not be done, for some reason.

I just read a post on the SARE mailing list from Tom Brown containing some rules that might help people that want to catch these types of Spam, or at least write their own rules for their Site(s). They lint OK, and appear to work for me. The original post is as follows (Happy New Year!):

Subject: [Sare-users] forged bounces... these rules might be useful.

I woke up to a slew of these in my inbox... my thinking in the score of 1 for TOM_TO_EQ_FR is that legit messages of this form should look VERY legit and be unlikely to score high...

header __TOM_TO_EQ_FRa ALL =~ m/^From:\s+??(\s|$)[^\0]*^To:.*\1/m
header __TOM_TO_EQ_FRb ALL =~ m/^To:\s+??(\s|$)[^\0]*^From:.*\1/m
meta TOM_TO_EQ_FR __TOM_TO_EQ_FRa || __TOM_TO_EQ_FRb
score TOM_TO_EQ_FR 1
describe TOM_TO_EQ_FR To and From are the same, could be a cc or a forgery

header __TOM_BOUNCE Subject =~ /(This mail is refused message|\*\*Message you sent blocked by our bulk email filter\*\*|Your message could not be delivered|Non delivery report: 5.9.4 \(Spam SLS\/RBL\)|Please confirm your message|Returned mail: Quota exceeded)/
meta TOM_BAD_BOUNCE __TOM_BOUNCE && TOM_TO_EQ_FR
describe TOM_BAD_BOUNCE looks like a forged bounce (known sub and to==from)
score TOM_BAD_BOUNCE 2.5
RE: Spam slipping through
Hrm, I get exactly the same score:

Content analysis details: (2.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4995]
 2.5 FORGED_MUA_EUDORA      Forged mail pretending to be from Eudora

Interestingly enough it hit a bunch of Subrules:

[16405] dbg: check: subtests=__ANY_QUALCOMM_MUA,__CT,__CT_TEXT_PLAIN,__EUDORA_MUA,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HAS_X_MAILER,__HAS_X_PRIORITY,__LOCAL_PP_NONPPURL,__MIME_VERSION,__MSGID_OK_HOST,__NAKED_TO,__NONEMPTY_BODY,__RATWARE_0_TZ_DATE,__SANE_MSGID,__SARE_BODY_BLNK_5_100,__SARE_META_MURTY3,__SARE_URI_ANY,__SARE_WHITELIST_FLAG,__TOCC_EXISTS,__TVD_BODY,__TVD_MIME_ATT_TP

But must have missed enough for the combined rules not to fire.

Cheers,
Michael Hutchinson
Manux Solutions Ltd

> -Original Message-
> From: Greg Skouby [mailto:gsko...@mail.sitesnow.com] On Behalf Of Greg
> Skouby
> Sent: 18 December 2008 9:50 a.m.
> To: users@spamassassin.apache.org
> Subject: Spam slipping through
>
> Hi Everybody,
>
> Can you please do me a favor and run this through your setup and let me
> know what it scores:
>
> http://pastebin.com/m791c34be
>
> As of now the URL at the bottom is not in URIBL or SURBL and the sending
> IP is not on any major blacklist. I am curious if others have rules that
> hit on this.
>
> (I know 2.5 is a *really* low required score)
>
> Thanks!
>
> --Greg
RE: bohunu
> -Original Message- > From: Chris [mailto:[EMAIL PROTECTED] > Sent: 4 December 2008 3:39 p.m. > To: users@spamassassin.apache.org > Subject: Re: bohunu > > On Wednesday 03 December 2008 7:01 pm, Michael Hutchinson wrote: > > > > > Hello, > > > > I was using Pyzor until about 2 months ago. It was quite good then, I > > don't think I ever got a False Positive with it, and it did stop a lot > > of Spam - not as much as Razor, but still significant. I had to take it > > offline as I was getting timeouts doing E-Mail scanning. I have not > > tried the new version yet - I badly want to, but our Mail server sits on > > Debian Sarge, and there is no way I can run the Binary of Bohuno as it > > requires a version of SSL I cannot use in Sarge. > > Hopefully someone can try it on a more recent distro, and provide some > > information as to whether it is any good or not. > > > > Cheers, > > Mike > > The old Pyzor is still working at least for me: > > X-Spam-Pyzor: Reported 20 times. > > Are you using this in your 'servers' file > > 82.94.255.100:24441 > [EMAIL PROTECTED] ~]$ pyzor ping > 82.94.255.100:24441 (200, 'OK') > Yes, and that all works fine. I think the problem was more to do with how many times we were doing lookups per [segment of time]. Disabling it and re-enabling it later would allow it to work again, but then timeouts would set in later in the day - Bohuno sounds like it may solve this problem by downloading a database of message digests regularly, instead of doing a network lookup for every E-Mail that is checked. This is exactly what I wanted to do with Pyzor anyway, now with Bohuno it's just a matter of when management will let me upgrade the server. Cheers, Mike
RE: bohunu
> -Original Message- > From: Niels Przybilla [mailto:[EMAIL PROTECTED] > Sent: 3 December 2008 6:01 p.m. > To: users@spamassassin.apache.org > Subject: bohunu > > Hi, > > is somebody here using bohunu.com > > Is it worth testing it ? > > BR Niels Hello, I was using Pyzor until about 2 months ago. It was quite good then, I don't think I ever got a False Positive with it, and it did stop a lot of Spam - not as much as Razor, but still significant. I had to take it offline as I was getting timeouts doing E-Mail scanning. I have not tried the new version yet - I badly want to, but our Mail server sits on Debian Sarge, and there is no way I can run the Binary of Bohuno as it requires a version of SSL I cannot use in Sarge. Hopefully someone can try it on a more recent distro, and provide some information as to whether it is any good or not. Cheers, Mike
Spamassassin Restart and E-Mail being scanned at time of restart.
Hello Everyone,

I am wondering, what happens to E-Mail that is being scanned when the root user on the mail system restarts Spamassassin? I see lots of Spamd children before it is restarted and they suddenly all drop off on a restart (as expected) - do the E-Mails being scanned at that time actually get re-scanned or do they only get partially scanned, and then delivered?

It would appear that the number of child processes does not increase quickly back to what it was before - suggesting the E-Mails that were being scanned at restart time do not get fully scanned...

Does anyone know what the score is here?

Cheers,
Michael Hutchinson
Manux Solutions Ltd | Phone: 0800 328 324 | Email: [EMAIL PROTECTED] | Web: http://www.manux.co.nz/
RE: Any other tuning tricks or is this it?
> -Original Message-
> From: Len Conrad [mailto:[EMAIL PROTECTED]
> Sent: 17 October 2008 1:58 p.m.
> To: users@spamassassin.apache.org
> Subject: Any other tuning tricks or is this it?
>
> FreeBSD 6.2
> 2 GHz
> 1 GB RAM
>
> Amavisd-new
> 400 KB max msg size to scan
> 10 servers
> TIMING shows sa-check taking 85% - 90%
>
> spamassassin:
>
> rulesets:
> updates.spamassassin.org
> saupdates.openprotect.com
> sought.rules.yerp.org
>
> We run sa-compile.
>
> external checks: pyzor, razor, dcc
>
> bayes uses Berkeley db. I was told SQL was faster, but I don't think it
> will matter that much in our case.
>
> SA RBL activated. RBL checks are also activated at postfix policy-service
> and show no RBLs timing out or long responses.
>
> The machine gets overloaded during peak business hours, with the
> postfix-to-vscan delivery delay taking sometimes 100s to 1000s of seconds.
> When it falls behind, it can take hours to catch up.
>
> amavisd-nanny shows all 10 servers busy, and occasional time outs.
>
> load average about 10
>
> CPU idle 0%
>
> WCPU shows the amavis/vscan processes each taking 7% - 10%
>
> iostat shows spiky disk i/o with 2-3 seconds of 0 KB i/o between spikes
> (disk not saturated), leads us to think a memory disk won't make any
> difference.
>
> free + inactive memory totals about 200 - 300 MB (an amavis process takes
> about 75MB), so not memory constrained.
>
> In business hours (08:00-17:00), traffic inbound is about 400 msgs/hour
>
> Traffic outbound, is about 1250 msgs/hour.
>
> postfix-policy services and postfix processes are so idle that they don't
> even show up in top with "i"dle processes hidden. It's vscans, named, and
> occasional clamd
>
> Is this machine maxed out, or is there other tuning that will speed it up?
>
> Len

Hi Len,

Sounds like you're having the same problem as my site did, with Pyzor lookups frequently taking too long or failing. Problem is, nothing highlighted this until I did some manual tests.

Perhaps the box simply is not up to spec, but I'd start testing your setup by disabling some S.A features/plugins/RBL's first, and see if your scan times change. Particularly test Razor and Pyzor - I know first hand these can push scan times up with no warning. Perhaps they need to "discover" their best server again (simple admin stuff there).

If that stuff all tests OK, and isn't pushing your scan times up too high, then perhaps the box is under-spec for what you're trying to do.

Good Luck, HTH.

Michael Hutchinson
RE: permissions on /root/.spamassassin folder
> -Original Message- > From: Kate Kleinschafer [mailto:[EMAIL PROTECTED] > Sent: 15 October 2008 1:32 p.m. > To: users@spamassassin.apache.org > Subject: permissions on /root/.spamassassin folder > > Hi all, > > Just wondering what the permissions should be on the /root/.spamassassin > folder. > > When I run a message by the command > sudo -u postfix spamassassin -p > /etc/MailScanner/spam.assassin.prefs.conf -t < message.MAI > > I am getting the error warn: config: path /root/.spamassassin is > inaccessible permission denied. > owned by root:root > permissions drwx > > Thanks > Kate Hello Kate, The problem is that you're trying to access a file owned by root, and yet your sudo command line changes the user to postfix - so you're actually running the command as the postfix user, not root - and thusly cannot use root's files. If you're already logged in as the root user, perhaps try the command without the "-u postfix" part... or... If you're not already root, replace "postfix" after the "-u" part with "root". The other possibility is that you want to access root's Spamassassin files as the "postfix" user. You can change the permissions on the files, but I don't recommend that - there must be another way to achieve the desired result. (Perhaps user grouping could have something to do with it) - but this is now turning into a postfix question. Cheers, Michael Hutchinson Manux Solutions Ltd
RE: is Pyzor worth it?
Hello William,

This is a very good question. I had to ask that of myself just 2 weeks ago. Pyzor is great, it marks up Spam really well. I'm not going to report statistics, but it is *very* effective in reducing levels of Spam.

However, as our site is quite busy, the amount of Pyzor hash lookups in any segment of time were becoming too much, and the lookups would start timing out - creating very long scan times for Spamassassin, which eventually got overloaded - Too much incoming mail and not enough time to scan it. So, we regrettably disabled Pyzor for our site.

I would happily enable it again, but only as a server - pulling down updates from other servers every so often during the day, and allowing people to do lookups against our server - problem is that the boss doesn't want this... So we just get more Spam.

Anyway.. if you're going to enable it, watch Pyzor in case it has problems talking to its server - the results are undesirable.

Cheers,
Michael Hutchinson
Manux Solutions Ltd

> -Original Message-
> From: William Taylor [mailto:[EMAIL PROTECTED]
> Sent: 14 October 2008 4:26 a.m.
> To: users@spamassassin.apache.org
> Subject: is Pyzor worth it?
>
> Is Pyzor worth running these days?
> Is it still effective?
> Can anyone using it comment on it?
>
> Thanks,
> William
RE: False Positive on SUBJECT_FUZZY_TION rule
> -Original Message-
> From: Ned Slider [mailto:[EMAIL PROTECTED]
> Sent: 1 October 2008 12:15 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: False Positive on SUBJECT_FUZZY_TION rule
>
> Ned Slider wrote:
> > Hi List,
> >
> > I'm getting some FP hits against the SUBJECT_FUZZY_TION rule in
> > 25_replace.cf (SA 3.2.5, latest update):
> >
> >
> > header SUBJECT_FUZZY_TION Subject =~ / P3>(?!tion)/i
> > describe SUBJECT_FUZZY_TION Attempt to obfuscate words in Subject:
> > replace_rules SUBJECT_FUZZY_TION
> >
> >
> > is hitting on ham from a mailing list with the following subject line:
> >
> > Subject: Re: [CentOS] mount UFS partition on CentOS 5.
> >
> > My regex isn't good enough to understand exactly what this rule is
> > trying to achieve, but it looks to me like some kind of obfuscation of
> > "tion" within a word, but it appears to be hitting on "partition" in
> > this case to my untrained eye. A test email containing just the text
> > "partition" in the subject line also hits this rule so would appear to
> > confirm my assumptions.
> >
> > Could anyone help me understand what this rule is designed to hit, and
> > why it's hitting in this case?
> >
> > Thanks.
> >
>
> Replying to my own thread...
>
> I'm assuming this rule is interpreting "tition" as an obfuscation of
> "tion" hence why it hits against "partition" as if it were an
> obfuscation of "partion".
>
> Looking at some very crude stats for this rule against a recent corpus
> of ~1700 ham and ~1800 spam on my server, I see 13 FP hits against ham
> and only 1 hit against spam (an obfuscation of erection). Admittedly my
> ham corpus was a technical mailing list likely to contain the term
> "partition" given its common usage within IT and triggering of the rule
> in no way got close to tagging any ham as spam.
>
> Anyway, to me this rule doesn't appear to represent good value so I'll
> probably just adjust the score to 0.001 and monitor it unless someone
> can suggest a method to prevent it hitting against legitimate words such
> as partition.

Hello Ned.

Lowering the score to something that will not be relevant at total score time is a good idea for testing any rules. As you've done a corpus test, and proven that it hits more Ham than Spam (by a significant figure) this proves the rule doesn't really work for your site. If it were my site, I'd disable the rule based on the corpus test.

Cheers,
Mike
RE: New free blacklist: BRBL - Barracuda Reputation Block List
Hello All,

There were so many messages regarding this new Block List, I have to admit I have not read them all. I get the general idea that this new Barracuda Reputation Block List isn't all that hot.

For instance, how do Barracuda generate their Block List? I don't think this has been answered yet, and I doubt it is the same method(s) as Spamcop or Spamhaus, as there appears to be a lot more hits on Spam with the Barracuda RBL enabled. This suggests to me that False Positives are going to be numerously present.

I've also read that the Barracuda's NetApp's score hard on Backscatter, but yet are a source of Backscatter themselves - I hear a ball of twine unravelling here.. enough that would stop me even trying the new RBL - Especially with the recent de-listing saga, I've been put right off.

Anyone with good news about the Barracuda RBL to combat that?

2cents.

Cheers,
Mike
RE: SPAM message received - but should not have been delivered. [Solved]
Hello Matt,

> > So, does anyone have a clue as to why the E-Mail in question was
> > delivered to our domain? Or even, why would our servers try to deliver
> > a message whose recipients don't exist here?
> >
> I see nothing in those headers that would indicate who the recipients are.
>
> To:, Cc:, etc. are purely decorative. They mean *nothing* about who the
> message is actually being sent to.
>
> Messages are delivered based on the address passed during the RCPT TO:
> command in the SMTP session. This is also called the "Envelope
> recipients". This information may sometimes be added to the email with a
> "for" clause in a Received: header, but it is generally not present in
> the message headers.

Ah, that explains everything - I feel a bit stupid now. I found it interesting to learn that RCPT TO information at SMTP time doesn't get recorded in the mail headers, otherwise this would be useful information to help build domain specific S.A rules.

> It's actually rather common for To/Cc to differ from the envelope
> recipients. This is actually how Bcc's work, and it also happens on
> mailing lists. You'll get copies of messages posted to the list, even
> though when you look at the headers they're "To:
> users@spamassassin.apache.org"... the apache listserv turns around and
> Bcc's all the messages it gets to all of its recipients.

Well, that does make good sense. Thank you, Matt, for the quick and informative reply :)

Cheers,
Michael Hutchinson
Manux Solutions Ltd
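The point Matt makes above, as an added example that is not part of the thread: To:/Cc: say nothing about where the MTA delivered, and the only header trace of the RCPT TO envelope recipient, when there is one at all, is a "for" clause in a Received: line. The sample message, its addresses and domains are constructed; the helper names are this example's own.

```python
# Added example, not from the thread: why a message can be delivered to a
# mailbox that appears nowhere in To:/Cc:. Delivery follows the RCPT TO
# envelope recipient; the only header trace of it, if any, is a "for"
# clause in a Received: line. The sample message below is constructed.
import email
import re
from email.utils import getaddresses

# Constructed Bcc-style delivery: the relay recorded the envelope recipient
# in a "for" clause, while To:/Cc: name unrelated domains.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id 0123456789
\tfor <someone@example.org>; Mon, 1 Sep 2008 10:00:00 +1200
Received: from [198.51.100.7] by mx.example.net with SMTP;
\tMon, 1 Sep 2008 09:59:58 +1200
From: sender@example.com
To: alice@example.com
Cc: bob@example.net
Subject: constructed sample

nothing here
"""

# "for <addr>" or "for addr" inside a Received: header
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;,]+@[^\s<>;,]+)>?", re.I)


def header_recipients(raw):
    """Addresses named in To:/Cc: (decorative; not what the MTA used)."""
    msg = email.message_from_string(raw)
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in addrs if addr}


def envelope_hints(raw):
    """Envelope recipients that a relay chose to record in a 'for' clause.
    Returns an empty set when no relay added one, which is common."""
    msg = email.message_from_string(raw)
    hints = set()
    for received in msg.get_all("Received", []):
        for m in FOR_RE.finditer(received):
            hints.add(m.group(1).lower())
    return hints


def local_recipients_missing_from_headers(raw, local_domain):
    """Local envelope recipients that To:/Cc: do not mention: the situation
    in the thread, where mail reached a local user without naming one."""
    suffix = "@" + local_domain.lower()
    in_headers = {a for a in header_recipients(raw) if a.endswith(suffix)}
    in_envelope = {a for a in envelope_hints(raw) if a.endswith(suffix)}
    return in_envelope - in_headers


if __name__ == "__main__":
    print("To/Cc:", sorted(header_recipients(SAMPLE)))
    print("envelope hints:", sorted(envelope_hints(SAMPLE)))
    print("delivered locally but not in headers:",
          sorted(local_recipients_missing_from_headers(SAMPLE, "example.org")))
```

Only the receiving MTA's own Received: line can be relied on for the "for" clause, and many MTAs omit it when a message has more than one envelope recipient, so `envelope_hints` returning an empty set is the normal case rather than an error; a rule built on it should treat absence as "unknown", not as a signal.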
SPAM message received - but should not have been delivered.
Hello everyone.

I regularly do a Bayes training run every week on any missed Spam that I collect from various places on the network. I picked some up from a co-worker and began to analyse the headers to determine any spamminess I could write a S.A rule to bump the score up with.

This is when I noticed that the E-Mail message in question should not have hit our servers at all - there is no header information suggesting a recipient that might exist on our network or domains. There are recipients... don't get me wrong... as well as Carbon Copy addresses - none of these addresses are hosted with us at all - and yet the Mail Message in question was delivered to my co-worker whose address has the same domain as my own (Manux.co.nz).

The Headers for the E-Mail have been posted at pastebin: http://pastebin.com/m5bcefa6a
The E-Mail itself has been posted at pastebin: http://pastebin.com/m8827fb6

We host 2 Exchange servers as well as 2 Qmail servers. Everything usually works fine between the four - no weird delivery issues, no rogue E-Mails etcetera.

So, does anyone have a clue as to why the E-Mail in question was delivered to our domain? Or even, why would our servers try to deliver a message whose recipients don't exist here?

Thanks for any help in advance,

Cheers,
Michael Hutchinson
Manux Solutions Ltd | Phone: 0800 328 324 | Email: [EMAIL PROTECTED] | Web: http://www.manux.co.nz/
RE: MagicSpam
Hello,

I really don't see how Spamassassin is not "up to par", considering many high end Net App's use Spamassassin and promote corporate level products that include it. Maybe it needs to be configured correctly?

In fact, I don't think I've seen any real rival to Spamassassin - except, maybe, for DSPAM (but I've never used it) - And I don't see how that is going to be any "easier to drive" than Spamassassin. The only good Spam tagging applications for Windows all seem to have Spamassassin inside them somewhere.

None of my users know how to use Spamassassin, in fact, none of my co-workers do either. I wouldn't even pretend to try and get them to do anything to it, apart from send Missed Spam back for Bayes training.

If it is other Admins you're giving the product to, and they don't/can't understand it, then they shouldn't be running it. "no clue how to use it and what it's designed to do" - sounds like they need some education, these naïve people that you give Spamassassin to.

Cheers,
Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, 12 September 2008 5:12 a.m.
To: users@spamassassin.apache.org
Subject: MagicSpam

Does anybody have any experience with this product? My company wants to replace SpamAssassin with this product, due to SpamAssassin not being up to par with other products. My argument is that people we give SpamAssassin to have no clue how to use it and what it's designed to do, therefore they think it sucks.
RE: CPAN Install Fails
> -Original Message-
> From: James Wilkinson [mailto:[EMAIL PROTECTED]
> Sent: 3 September 2008 7:23 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: CPAN Install Fails
>
> Bob Cohen wrote:
> > I'm running Fedora v9. All of the prerequisite and optional modules
> > installed with no problem. Suggestions?
>
> Well, there's always "install it with yum":
> yum install spamassassin
>
> Hope this helps,
>
> James.

Or, install it from source. I've had problems myself installing Spamassassin via CPAN, so many problems at a time, in fact, that I simply gave up and went with package management - which worked first time and every time after. Installation from source has been a bit more hairy, but nowhere near as hairy as a CPAN install.

From what I have read on the net, it would appear that CPAN installs are best left alone unless you really know what you're doing and are willing to fix things before you get the product installed - but that's just _my opinion_. I don't want to tick anyone off on the list who really likes CPAN - I have nothing against it - I just don't use it :).

2cents.

Cheers,
Mike
RE: adding score for email from noreply@
> -Original Message-
> From: Derek Harding [mailto:[EMAIL PROTECTED]
> Sent: 3 September 2008 1:48 p.m.
> To: Curtis LaMasters
> Cc: users@spamassassin.apache.org
> Subject: Re: adding score for email from noreply@
>
> On Tue, 2008-08-26 at 14:31 -0500, Curtis LaMasters wrote:
> > I'm having a pretty hard time with this one for some reason, mainly
> > because I don't understand regex. I have a large number of emails
> > that are getting past my spamassassin setup (Maia Mailguard 1.02a) as
> > well as my Barracuda. I would like to add a score to email from
> > [EMAIL PROTECTED] I'm not asking for anyone to write the rule for me (though
> > that would be nice), but general guidance on how to go about doing
> > this *easily*.
>
> I've recently been putting in IP blocks for what seems to be a single
> spam outfit using [EMAIL PROTECTED] in all emails. So far it seems they're
> moving around a fairly small number of hosting providers but no one is
> onto them yet.
>
> Derek

Hello Derek.

Check out http://wiki.apache.org/spamassassin/WritingRules for writing custom rules. I learnt how to do it from that page, and then by looking at how everyone else makes rules (check out the ones that already come with Spamassassin - and go about understanding them).

If you're on a linux box with the Perl manuals installed, you can get an idea about regular expressions from "man perlre". Takes a little while for regular expressions to sink in, but you've got to start somewhere. It may also help to understand Perl itself a little better... I bought a book to do that :)

HTH,

Cheers,
Michael Hutchinson
Manux Solutions Limited.
RE: e greeting exe link [SOLVED]
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: 28 August 2008 1:49 p.m.
> To: Michael Hutchinson
> Cc: users@spamassassin.apache.org
> Subject: Re: e greeting exe link
>
> Michael Hutchinson wrote:
> >
> > But only match it from the last trailing / character. In other words, if
> > the message carries a link to "card.exe" at any address, it will be
> > marked up.
> >
> > My thoughts were that all I would need is a rule like:
> > uri MY_EXE_URI /card.exe/i
> >
> Caution: . is a wildcard, so the above will match "card exe" "card1exe"
> etc.
>
> Add a \ to force it to be a literal period character.
>
> uri MY_EXE_URI /card\.exe/i
>
> That still runs some risk of matching things you don't want, like parts
> of the domain, etc.
>
> I might tighten it up a bit more by adding the / in. trying to match
> "/card.exe" instead of just "card.exe"
> Again, we need a \ or the / will be interpreted as the end of the
> expression, so we add \/
>
> uri MY_EXE_URI /\/card\.exe/i

That's got it sorted - precisely what I'm after.. Thank you, Matt, for clearing this up! I'm going to employ some new rules straight away :)

> > Or do I need to actually match all of the stuff before that, using a
> > wildcard for example?
> >
> No, you don't. Regexes will match a substring. Adding .* to the
> beginning or end of a regex is a superfluous waste, and has no effect
> whatsoever on the strings matched.
>
> ( note: .* is regex syntax for 0 or more wildcards, equivalent to a
> command-line *)

Yay, I thought the complicated matching of http or ftp links in the original rule was unnecessary. Nice, that's going to help me tidy up some of my other custom rules.

Once again, thank you, Matt, for the clarity on this issue. - happy SA user.

Cheers,
Michael Hutchinson
Manux Solutions.
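An added example, not code from this thread: the corpus test Mike recommends in the SUBJECT_FUZZY_TION thread above, applied to the uri rule variants discussed here. The four patterns are taken from the thread (Phil's full rule, the unescaped "card.exe" rule, and Matt's two tightenings); the "boundary" variant and every URI in the corpus are constructed for this example, and the results show why each escape matters before a score is attached.

```python
# Added example, not from the thread: run candidate uri-rule regexes over a
# small corpus before scoring them, as Ned did for SUBJECT_FUZZY_TION and
# as Mike recommends. The "phil", "loose", "literal" and "tight" patterns
# are the ones posted in the thread; "boundary" and all URIs are
# constructed for this example.
import re

# SpamAssassin rules use Perl regex syntax; these patterns behave the same
# under Python's re module.
RULES = {
    "phil": re.compile(
        r"^(?:https?|ftp):\/\/[^\s?]{1,80}\/[^\s?]{1,80}"
        r"\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$", re.I),
    "loose":    re.compile(r"card.exe", re.I),       # '.' is a wildcard here
    "literal":  re.compile(r"card\.exe", re.I),      # literal period
    "tight":    re.compile(r"\/card\.exe", re.I),    # must follow a path '/'
    "boundary": re.compile(r"\/card\.exe\b", re.I),  # constructed: stops "card.executive"
}

# Constructed corpus. Spam-like URIs link straight to card.exe; ham-like
# ones are ordinary links whose text happens to resemble it.
SPAM_URIS = [
    "http://ns1.example.jp/~denso/card.exe",
    "http://203.0.113.5/CARD.EXE",
    "ftp://files.example.net/cards/card.exe",
]
HAM_URIS = [
    "http://www.card-exe.example.com/",                # hyphen matched by '.'
    "http://shop.example.com/card1exe/index.html",     # digit matched by '.'
    "http://wiki.example.org/card.executive_summary",  # "card.exe" is a word prefix
    "http://www.example.com/cardexe.html",             # control: nothing should hit
    "http://www.example.com/download?name=card.exe",   # query string, not a path
]


def corpus_hits(pattern, spam, ham):
    """(spam hits, ham hits) for one compiled rule over the two corpora."""
    return (sum(1 for u in spam if pattern.search(u)),
            sum(1 for u in ham if pattern.search(u)))


def evaluate(rules=RULES, spam=SPAM_URIS, ham=HAM_URIS):
    """Hit counts per rule name. A rule whose ham hits rival its spam hits
    is one to score near zero and monitor, not one to trust."""
    return {name: corpus_hits(p, spam, ham) for name, p in rules.items()}


if __name__ == "__main__":
    for name, (s, h) in evaluate().items():
        print(f"{name:9s} spam={s}/{len(SPAM_URIS)} ham={h}/{len(HAM_URIS)}")
```

On this corpus the unescaped rule hits four of the five ham links, the escaped one two, Matt's path-anchored one still one (the `card.executive_summary` page), and only Phil's anchored rule and the word-boundary variant are clean; the same harness works for any `uri`, `body` or `header` pattern by swapping in a list of the matching fields pulled from real ham and spam.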
RE: e greeting exe link
> -Original Message-
> From: John Hardin [mailto:[EMAIL PROTECTED]
> Sent: 28 August 2008 1:35 p.m.
> To: Michael Hutchinson
> Cc: users@spamassassin.apache.org
> Subject: RE: e greeting exe link
>
> On Thu, 28 Aug 2008, Michael Hutchinson wrote:
>
> > I would be hoping to match the same sort of URL:
> > http://ns1.shinwa-com.co.jp/~denso/card.exe
> >
> > But only match it from the last trailing / character. In other words, if
> > the message carries a link to "card.exe" at any address, it will be
> > marked up.
>
> Why do you care about the part before the period? You don't like card.exe
> but you trust card1.exe?

Good point, but I wouldn't like to block all .exe's. Our local users won't bother zipping stuff and will complain. I was going to be happy with just adding some quick firing rules manually for exe's that I specify. I guess if that doesn't make sense, let's not bother too much about it :)

> > My thoughts were that all I would need is a rule like:
> > uri MY_EXE_URI /card.exe/i
> >
> > Or do I need to actually match all of the stuff before that, using a
> > wildcard for example?
>
> Look back a couple of messages, a good short version was posted.

Nice - thanks for your reply, John.

Cheers,
Michael Hutchinson
Manux Solutions Limited.
RE: e greeting exe link
> -Original Message-
> From: Randal, Phil [mailto:[EMAIL PROTECTED]
> Sent: 23 August 2008 2:05 a.m.
> To: Jean-Paul Natola; users@spamassassin.apache.org
> Subject: RE: e greeting exe link
>
> uri MY_EXECUTABLE_URI /^(?:https?|ftp):\/\/[^\s?]{1,80}\/[^\s?]{1,80}\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i
> describe MY_EXECUTABLE_URI Links to an executable file
> score MY_EXECUTABLE_URI 3.00
>
> Mind the linewrap.

Hello Everyone,

Does anyone have a rule that's not such a complex regex? I couldn't get this one to expand properly with the Regex Expander over at SARE (http://www.rulesemporium.com/cgi-bin/expand_regex.cgi) - even downloading the Perl script and running it locally produces unexpected results from this rule.

I would be hoping to match the same sort of URL:
http://ns1.shinwa-com.co.jp/~denso/card.exe

But only match it from the last trailing / character. In other words, if the message carries a link to "card.exe" at any address, it will be marked up.

My thoughts were that all I would need is a rule like:
uri MY_EXE_URI /card.exe/i

Or do I need to actually match all of the stuff before that, using a wildcard for example?

Thanks in advance for any light shed upon the matter,

Cheers,
Michael Hutchinson
Manux Solutions
RE: HELP!! spamasssin killing my server
-Original Message-
From: doktour1 [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 11 June 2008 08:02 a.m.
To: users@spamassassin.apache.org
Subject: HELP!! spamasssin killing my server

If I disable spamassassin in my procmail file. The server load goes down to 85 or less processes in a matter of minutes, but then tons of spam get through to my users. I am running freebsd 5.1 using sendmail and procmail running spamc (spamd loading at startup). The only thing that keeps the server from crashing is to throttle sendmail at 50 connections. But this is unworkable because it delays delivery of mail for several hours. PLEASE HELP IF YOU CAN, ANY ADVICE WOULD HELP SAVE MY SANITY --AS MY HAIR IS ALREADY GONE! Below is the spamd debug log, followed by all of the configuration files for spamassassin. Thank you! Here is a spamd debug log.

---

I saw the message from Kevin, not only do you have to fix the INET socket problem but there are other config issues too.

Tue Jun 10 14:55:37 2008 [72096] dbg: spf: cannot load Mail::SPF module or create Mail::SPF::Server object: Can't locate Mail/SPF.pm in @INC (@INC contains: ...

The problem above could be caused by a Perl upgrade, or Perl CPAN module installation, or outright hasn't worked since you set things up. Interestingly it falls back on a legacy module that works. But it is interesting, because what caused this could have caused other problems too.

Tue Jun 10 14:55:40 2008 [72216] dbg: config: read_scoreonly_config: cannot open "/usr/home/orkids/.spamassassin/user_prefs": No such file or directory

Hmmm.

Tue Jun 10 14:55:40 2008 [72218] dbg: config: read_scoreonly_config: cannot open "/home/britt/.spamassassin/user_prefs": No such file or directory

Hmmm.

Tue Jun 10 14:55:40 2008 [72216] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually

Do what it says ^

I suggest you:
- make sure your Black/Block Lists are working, test them manually if you have to. Make sure they don't take too much time to look up, if they do disable for now until you've got performance back.
- Check for any Perl upgrade that may have happened recently and assess if you need to go back a version.
- Check for any Perl Modules that might have been installed lately - this might seem silly but it could save SA. I have a file that Spamassassin doesn't require, that is a perl module. If it is copied into SA's search path, my scan times go from 7 seconds to 60 seconds plus. So Beware Be Warned.
- Verify that DCC is working OK, do this manually.
- Do you use CPAN? Have you used it recently? I had to hose my SA install thanks to a few modules being installed via CPAN. This was on Debian however, and if you don't apt-get these things, you can expect these problems.

So there's a bit of work to tidy up, but the main one is the one Kevin was talking about with the "Could not create INET socket". Make sure you've set a good allowable amount of child processes. I use 10 on an HP DL380 2x3Ghz 2Gb RAM with no worries.

HTH

Cheers,
Mike
RE: Pyzor & DCC
> -Original Message-
> From: Matt [mailto:[EMAIL PROTECTED]
> Sent: 3 May 2008 10:14 a.m.
> To: users
> Subject: Pyzor & DCC
>
> When already running Spamassassin with Razor how much would adding
> Pyzor and DCC to the mix help?
>
> Matt

Pyzor certainly helped our site, but not as much as Razor. DCC I've not enabled for our site so couldn't be sure but it looks like a good idea. Anything you can get your hands on and successfully apply to your site is good.

Cheers,
Mike
RE: Using Pzyor with high volume
> In regards to Pyzor. I'm wondering if anyone out there is using this
> at any large scale. Unlike the razor-agent which appears to be a Perl
> module that gets loaded at startup, I'm concerned about SA having to
> exec the python interpreter and having that setup/teardown time for
> each and every message.
>
> Adding salt to the wound, our SA servers run on diskless servers; so
> having it have to run over NFS makes for a double whammy.
>
> Is there a better way to implement Pyzor or is it not even worth the
> trouble?

Hi Robert,

It would appear you've had some success with Pyzor and ReadyExec. We use Pyzor over here at Manux, but do not use ReadyExec (we're not running out of cpu or ram any time soon..).

One thing I have noticed, however, is related to high volume. Sometimes (and for several minutes at a time) we will not be able to reach the Pyzor server - it rejects our connections. This is most definitely because we're doing too many lookups. Beware of this. You probably will not see anything about it until you notice it's gone from the headers of mail that it should or has hit in the past.

The fix for us would be to run our own Pyzor server, and I'll be working on that over the next while - hopefully after a discussion with the author.

Anyway, just thought you ought to know about the high volume thing. You might get your end running sweet and fast, but it may cause rejected lookups when you're scanning mail.

Cheers,
Mike
RE: Dnsbl checks
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 21 April 2008 9:08 p.m.
> To: [EMAIL PROTECTED]
> Cc: Spamassassin Users
> Subject: Re: Dnsbl checks
>
>
> William Taylor writes:
> > I'm having some issues getting the dns blacklists to work on a box.
> >
> > I have an ip in an email that I have verified manually that it's listed
> > in spamcop via dns query and via the webpage. However when I run the
> > message through spamassassin it doesn't produce a hit. When run with -D I
> > see it queries all the blacklists but I never see anything indicating that
> > it matched them.
> >
> > Any thoughts on things I can check on to figure this out?
> > DCC,Razor,Pyzor works fine.
>
> hi William --
>
> check the resolv.conf configuration to ensure it's using a good
> local nameserver; it may be hitting timeouts in SpamAssassin.
>
> also, post the DNS debug logs... you may have to obscure the
> blacklisted domain though.
>

Is this not a problem of Spamassassin not running network tests, because it is a local message? Isn't there a commandline option to enable network tests for a locally checked message?

Cheers,
Mike
RE: Canadian Spam - tired of writing rules!
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 21 April 2008 8:48 a.m.
> To: James Wilkinson
> Cc: users@spamassassin.apache.org
> Subject: Re: Canadian Spam - tired of writing rules!
>
>
> James Wilkinson writes:
> > Michael Hutchinson wrote:
> > > There's been a rise in Canadian Pharmaceutical Spam lately. This spam is
> > > quite basic, generally only including some text and a link. The link is
> > > always changing so we can't score against that.
> > >
> > > About the only other thing it scores on is the FORGED_HOTMAIL_RCVD rule,
> > > which doesn't have a big enough score to push the Spam over the 5.0
> > > points threshold.
> > >
> > > Does anyone have some effective rules / rulesets / update channels that
> > > would help to eliminate this stuff? I've been writing rules against it
> > > for the past few months. We've just employed our 61st rule against this
> > > type of Spam. Admittedly a lot of those are just basic phrase matching,
> > > and aren't complicated rules - but then the Spam changes enough each
> > > cycle, that it avoids complicated rules that I might write.
> >
> > I find that a meta rule where the body contains "http://" and has no
> > paragraphs above 100 to 140 characters¹ will give a few false positives,
> > so you can't score it too highly, but it catches a *lot* of spam.
> >
> > The ham that matches this rule tends to be surprisingly rare, doesn't
> > score highly on anything else, and is from regular correspondents (so
> > the AWL helps).
> >
> > If any of the SA developers are reading, I'd love to see how rules like
> > this play in the sandbox...
> >
> > James.
> >
> > ¹ I'd like to do it on body length, but I can't find a suitable way of
> > doing this. body /.{100}/ will match on any e-mail which *has* got a
> > paragraph of > 99 characters...
>
> Provide a plugin that does it efficiently, and I'll try it out ;)
>

I think even our internal mail would get caught by that rule - and I can foresee enough FP's to be a problem straight away. I don't think I'll employ a rule like this.

It must be time to go back to my RegExp training so hopefully I can come up with some good ones to be rid of the Pharmacy spam.

Cheers,
Mike
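James's heuristic above ("body contains http:// and has no paragraph longer than N characters"), written out as an added example that is not part of the thread, so the decision can be run over a corpus and the false-positive rate Mike worries about measured before any score is attached. The paragraph threshold, the sample bodies and the function names are constructed for this example.

```python
# Added example, not from the thread: James's "short paragraphs plus a link"
# heuristic as a plain function. In SpamAssassin terms it is a meta rule of a
# link subrule and a negated long-paragraph subrule; here it is spelled out so
# it can be tried on real ham before anyone scores it. Samples are constructed.
import re

LINK_RE = re.compile(r"https?://", re.I)


def paragraphs(body):
    """Split a rendered text body into paragraphs on blank lines, joining
    wrapped lines with spaces so that line wrapping never counts as a break."""
    paras = re.split(r"\n\s*\n", body.strip())
    return [" ".join(p.split()) for p in paras if p.strip()]


def longest_paragraph(body):
    """Length of the longest paragraph, 0 for an empty body."""
    return max((len(p) for p in paragraphs(body)), default=0)


def short_link_only(body, max_para=120):
    """True when the body carries a link and every paragraph is short.
    max_para is a constructed threshold inside James's 100-140 range."""
    return bool(LINK_RE.search(body)) and longest_paragraph(body) <= max_para


# Constructed samples: a terse link-only message, a normal wrapped reply
# that also carries a link, and a terse message with no link at all.
SPAM_LIKE = """\
Check out our new prices!

http://example.invalid/offer

Limited time.
"""

HAM_LIKE = """\
Hi Mike,

I had a look at the server this morning and the load average is back to
normal after the DNS resolver change; the timeouts we saw last week are
gone and scan times are under a couple of seconds again.

Notes are at http://wiki.example.org/mail/notes

Cheers
"""

SHORT_HAM = """\
Meeting moved to 3pm.

Room 4.
"""

if __name__ == "__main__":
    for name, body in (("spam-like", SPAM_LIKE), ("ham-like", HAM_LIKE),
                       ("short ham", SHORT_HAM)):
        print(f"{name:10s} longest={longest_paragraph(body):3d} "
              f"hit={short_link_only(body)}")
```

The wrapped reply is rejected only because its lines are joined before measuring; a check that measured raw lines would see nothing over 80 characters and flag most internal mail, which is exactly the false-positive mode Mike expects. Short internal notes that carry a link ("see http://...") still hit, so the rule belongs in a meta with other signals at a low score, as James says, rather than on its own.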
RE: SPF and Hotmail
> -Original Message-
> From: Benny Pedersen [mailto:[EMAIL PROTECTED]
> Sent: 16 April 2008 7:25 p.m.
> To: users@spamassassin.apache.org
> Subject: RE: SPF and Hotmail
>
>
> On Wed, April 16, 2008 00:14, Michael Hutchinson wrote:
>
> >> domain:
> >> def_whitelist_auth [EMAIL PROTECTED]
> >> user:
> >> whitelist_auth [EMAIL PROTECTED]
> >
> > Cool, thanks Benny.
>
> np
>
> > I can't employ what you've told me as upgrading to 3.2.4 is out of the
> > question until I rebuild the mail server (Debian Sarge), but the advice
> > is appreciated.
>
> until you have 3.2.4 then
>
> def_whitelist_spf [EMAIL PROTECTED]
> whitelist_spf [EMAIL PROTECTED]
>
> never whitelist a domain, the above is imho better since you still can
> control the scores differently
>
> spamassassin 2>&1 -D spf -t < /tmp/msg | less
>
> to see it works or not
>

Thanks for the information Benny. I haven't had time to put things into operation yet so am unable to report success or not, but I'm sure things will work out fine. Thanks again!

Cheers,
Michael Hutchinson
RE: SPF and Hotmail
> -Original Message-
> From: Benny Pedersen [mailto:[EMAIL PROTECTED]
> Sent: 15 April 2008 9:57 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: SPF and Hotmail
>
>
> On Tue, April 15, 2008 00:35, Michael Hutchinson wrote:
>
> > Can we do SPF checking for specific domains, or is it "once it's on it
> > checks everything" type of thing?
>
> upgrade to 3.2.4
>
> perldoc Mail::SpamAssassin::Conf see whitelist_auth
> perldoc Mail::SpamAssassin::Plugin::SPF see more spf options
>
> domain:
> def_whitelist_auth [EMAIL PROTECTED]
>
> user:
> whitelist_auth [EMAIL PROTECTED]
>
> all the best :-)
>

Cool, thanks Benny. I can't employ what you've told me as upgrading to 3.2.4 is out of the question until I rebuild the mail server (Debian Sarge), but the advice is appreciated.

Cheers,
Michael Hutchinson
SPF and Hotmail
Hi Everyone.

I am trying to reduce Spam from Forged hotmail addresses. I understand that because I am on Spamassassin 3.1.7, that my hotmail rules are out-of-date. They do, however, manage to correctly fire on the forged hotmail Spam, but not with a score high enough to flag the mail as such.

We have SPF enabled in Spamassassin, but I fear that it is not doing anything. Is there another option I am meant to enable other than "loadplugin Mail::SpamAssassin::Plugin::SPF" in init.pre?

Can we do SPF checking for specific domains, or is it "once it's on it checks everything" type of thing?

Cheers,
Michael Hutchinson
Manux Solutions Ltd
Phone: 0800 328 324 | Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
http://www.manux.co.nz/
RE: Upgrading
Hello Hiram,

It's not scary, you have to step up and own it - be prepared. The best way might be to replicate the situation/scenario in a Virtual environment, and attempt upgrading in there first, to see what might go wrong, and how you can avoid problems on your live server. VMWare is great for this, for me. You might find some other Virtualization software suits you, but it is much better to use that than to "learn" Spamassassin on your live server(s). Doing something on a live server that you haven't done before at all, will get you labelled as a loose cannon.

Cheers,
Mike

> -Original Message-
> From: hiram [mailto:[EMAIL PROTECTED]
> Sent: 14 April 2008 9:04 p.m.
> To: users@spamassassin.apache.org
> Subject: RE: Upgrading
>
>
> Hi Mike,
>
> That sounds on the limit to scary.
> I will rethink it before upgrading then.
> Thanks for the advice and the information!
>
> Best regards,
>
> /Hiram
>
>
> Michael Hutchinson-3 wrote:
> >
> >> -Original Message-
> >
> > Sir,
> >
> > You or someone else, has managed to break apt-get's info about S.A. I'm
> > not going into fixing that, that is a Debian question.
> >
> > You need to download the package manually with 'wget'.
> > You can "apt-get install wget" if you don't have it.
> > Use wget to get the package.
> > Example "wget http://somefileyouwant.deb"
> >
> > After that use dpkg -i to install the package just as if you'd used
> > apt-get.
> > "dpkg -i somefileyouwant.deb"
> >
> > That will install your Spamassassin package. Just remember you're
> > opening a can of worms by using anything later than S.A. version 3.1.7
> > on Debian Sarge. The newer versions are reported to run fine on Debian
> > Etch.
> >
> > I botched an upgrade from 3.1.4 -> 3.2.3 on Sarge a while ago, and it
> > caused a MASSIVE headache with incorrect dependencies, wrong perl
> > modules being installed, and config being installed in new/different
> > locations, which ended up with an INSANE installation - more than one
> > version existing in binaries or config on one singular computer. Not a
> > good look.
> >
> > It took a long time to fix. (well, it seemed like a very long time)
> >
> > You'd be better off arranging some downtime. Copying out your current
> > S.A config, and completely removing S.A altogether, including manually
> > hunting down every config file and binary. Then and only then would I
> > consider installing the 3.2.4 package, and restoring the config.
> >
> > HTH,
> > Mike
> >
RE: Upgrading
> -Original Message-
> From: hiram [mailto:[EMAIL PROTECTED]
> Sent: 14 April 2008 4:32 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: Upgrading
>
>
> Hi again!
>
> Sorry, that's what my wife means when she says: "you hear but you don't
> listen" :-((. Thanks for the answers.
>
> Still, I cannot manage to upgrade spam assassin. Does anyone have any idea
> what the problem could be?
> in debian-sarge:
>
> apt-get install spamassassin
>
> /Hiram

Sir,

You or someone else, has managed to break apt-get's info about S.A. I'm not going into fixing that, that is a Debian question.

You need to download the package manually with 'wget'.
You can "apt-get install wget" if you don't have it.
Use wget to get the package.
Example "wget http://somefileyouwant.deb"

After that use dpkg -i to install the package just as if you'd used apt-get.
"dpkg -i somefileyouwant.deb"

That will install your Spamassassin package. Just remember you're opening a can of worms by using anything later than S.A. version 3.1.7 on Debian Sarge. The newer versions are reported to run fine on Debian Etch.

I botched an upgrade from 3.1.4 -> 3.2.3 on Sarge a while ago, and it caused a MASSIVE headache with incorrect dependencies, wrong perl modules being installed, and config being installed in new/different locations, which ended up with an INSANE installation - more than one version existing in binaries or config on one singular computer. Not a good look.

It took a long time to fix. (well, it seemed like a very long time)

You'd be better off arranging some downtime. Copying out your current S.A config, and completely removing S.A altogether, including manually hunting down every config file and binary. Then and only then would I consider installing the 3.2.4 package, and restoring the config.

HTH,
Mike
Canadian Spam - tired of writing rules!
Hello everyone,

There's been a rise in Canadian Pharmaceutical Spam lately. This spam is quite basic, generally only including some text and a link. The link is always changing so we can't score against that.

About the only other thing it scores on is the FORGED_HOTMAIL_RCVD rule, which doesn't have a big enough score to push the Spam over the 5.0 points threshold.

Does anyone have some effective rules / rulesets / update channels that would help to eliminate this stuff? I've been writing rules against it for the past few months. We've just employed our 61st rule against this type of Spam. Admittedly a lot of those are just basic phrase matching, and aren't complicated rules - but then the Spam changes enough each cycle, that it avoids complicated rules that I might write.

Basically, I'm getting sick of writing rules all the time - I'm thinking I probably shouldn't need to. Is there any way around this? I know there is a SARE ruleset against Pharmacy Spam, but I am very hesitant to employ it because we have several clients that are pharmacy outlets, and I worry those rules will burn them.

Thanks in advance, for any information.

Michael Hutchinson
Manux Solutions Ltd
Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
RE: DNS Blocklists with Spamassassin (scoring only)
> -Original Message-
> From: Kelson [mailto:[EMAIL PROTECTED]
> Sent: 11 April 2008 11:20 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: DNS Blocklists with Spamassassin (scoring only)
>
> Michael Hutchinson wrote:
> > uridnsbl URIBL_DSBL list.dsbl.org. TXT
> > body URIBL_DSBL eval:check_uridnsbl('URIBL_DSBL')
> > describe URIBL_DSBL Contains a URL listed in the DSBL blocklist (http://dsbl.org)
> > score URIBL_DSBL 0.004
>
> Wait... does the DSBL even list URIs? I thought it only listed IP addresses (which is already in the default rule, RCVD_IN_DSBL).

Ahh see this is what I thought would be the issue, I'm using it the wrong way. Basically, the website for the DSBL points one to the Spamhaus FAQ (it doesn't actually point to an existing link, however), and the SORBS "Using Sorbs" page. Unfortunately, these do not tell you how to set up for DSBL - I only pirated the setup from another documented BL setup. But - there is no point setting it up if it already exists :)

My setup/config is wrong, so people may ignore my previous post.

I went about and added these entries to local.cf, for some additional checking. I haven't tested them yet - need to make sure I'm not duplicating config.

# Passive Spam Block List (http://psbl.surriel.com)
#header RCVD_IN_PSBL eval:check_rbl('psbl', 'psbl.surriel.com.')
#describe RCVD_IN_PSBL Received via a relay in PSBL (http://psbl.surriel.com)
#tflags RCVD_IN_PSBL net
#score RCVD_IN_PSBL 0 1.00 0 1.00

# Host Karma White/Black/Yellow List (http://wiki.ctyme.com/index.php/Spam_DNS_Lists)
#header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
#describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
#tflags __RCVD_IN_JMF net

#header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
#describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
#tflags RCVD_IN_JMF_W net nice
#score RCVD_IN_JMF_W -5

#header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
#describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
#tflags RCVD_IN_JMF_BL net
#score RCVD_IN_JMF_BL 3.0

#header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
#describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
#tflags RCVD_IN_JMF_BR net
#score RCVD_IN_JMF_BR 1.0

Hopefully they will work and help to block some Spam ;)

Cheers,
Mike
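To show what the check_rbl / check_rbl_sub lines above actually do, here is an added Python sketch (my own code, not SpamAssassin's) that builds the reversed-octet query names for the two zones in the fragment and maps the hostkarma return codes to the rules and scores given there. The resolver is a constructed lookup table over documentation IPs so it runs offline; a real deployment would issue DNS queries instead.

```python
import ipaddress

# Zones and return codes taken from the local.cf fragment above. The
# "-lastexternal" suffix on the set name tells SpamAssassin to query only
# the last external relay (the host that handed the mail to our MX), not
# every Received: hop, which is what makes the verdict attributable.
ZONES = {
    "psbl": "psbl.surriel.com.",
    "JMF-lastexternal": "hostkarma.junkemailfilter.com.",
}
# check_rbl('psbl', ...): any answer at all means the relay is listed.
# The score line "0 1.00 0 1.00" is per score set; sets 1 and 3 are the
# ones with network tests enabled, so the rule only ever adds 1.00.
RBL_RULES = [("RCVD_IN_PSBL", "psbl", 1.00)]
# check_rbl_sub('JMF-lastexternal', '127.0.0.x'): hostkarma encodes the
# verdict in the answer address; each sub-rule fires on one specific code.
# A -5 white listing can cancel most other rules, so it deserves the same
# scrutiny as a black listing.
SUB_RULES = [
    ("RCVD_IN_JMF_W", "JMF-lastexternal", "127.0.0.1", -5.0),
    ("RCVD_IN_JMF_BL", "JMF-lastexternal", "127.0.0.2", 3.0),
    ("RCVD_IN_JMF_BR", "JMF-lastexternal", "127.0.0.4", 1.0),
]


def rbl_query_name(ip, zone):
    """Build the DNSBL query: reverse the octets and append the zone.
    The trailing dot on the zone makes the name fully qualified, so the
    resolver will not append a local search domain."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_relay(ip, resolve):
    """Score one last-external relay IP. resolve(name) returns the list of
    A-record strings for a query name (empty list = not listed)."""
    answers = {tag: resolve(rbl_query_name(ip, zone))
               for tag, zone in ZONES.items()}
    total, hits = 0.0, []
    for name, tag, score in RBL_RULES:
        if answers[tag]:
            hits.append(name)
            total += score
    for name, tag, code, score in SUB_RULES:
        if code in answers[tag]:
            hits.append(name)
            total += score
    return total, hits


# Constructed answers standing in for real DNS (documentation IPs only).
FAKE_DNS = {
    "7.113.0.203.psbl.surriel.com.": ["127.0.0.2"],
    "7.113.0.203.hostkarma.junkemailfilter.com.": ["127.0.0.2"],
    "10.2.0.192.hostkarma.junkemailfilter.com.": ["127.0.0.1"],
}


def fake_resolve(name):
    """Offline stand-in for a DNS lookup."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10", "198.51.100.5"):
        print(ip, check_relay(ip, fake_resolve))
```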
DNS Blocklists with Spamassassin (scoring only)
Hi Everyone,

I've been floating around on the web, looking for some specifics to do with setting up a DNS Block List for scoring in Spamassassin. I found the setup for the CBL, and copied that for use with the DSBL, which is what I want to set up for scoring Spam. Strangely enough, a lot of these BL's reference each other for setup information - which there is little of out there (especially over at the S.A Wiki - which I will fix when I get the relevant information)

Can anyone please help to verify that I have the information correct?

I wrote into local.cf (/etc/mail/spamassassin) these lines:

uridnsbl URIBL_DSBL list.dsbl.org. TXT
body URIBL_DSBL eval:check_uridnsbl('URIBL_DSBL')
describe URIBL_DSBL Contains a URL listed in the DSBL blocklist (http://dsbl.org)
score URIBL_DSBL 0.004

I am unsure as to whether the address is correct. Over at the CBL FAQ, they have a trailing full-stop after the address name and I don't know if this is right or not.

And, is local.cf the correct place to set up URIBL's?

Thanks for any information in advance,

Cheers,
Michael Hutchinson
RE: Listing all rules and all scores
> -Original Message-
> From: Craig Cocca [mailto:[EMAIL PROTECTED]
> Sent: 10 April 2008 6:40 a.m.
> To: users@spamassassin.apache.org
> Subject: Listing all rules and all scores
>
> Spamassassin Users,
>
> Is there an easy way to get spamassassin to list out all of the rules and all of the rule scores it's currently using? The debug output only tells you what modules and configuration files are loaded, but we're looking for a comprehensive accounting of all of the rule names/scores.

There probably is no feature to just get Spamassassin to output all of that data. It shouldn't have to, however, because what you're looking for is kept in flat text files.

Rules are kept in different places, depending on the distribution you're using, and how you've installed S.A. You could search for files with a .cf extension, "locate .cf", or look in some common folders for the rules. They should look like this:

10_misc.cf
20_html_tests.cf
25_antivirus.cf

And so on...

Mine are in these locations:

/usr/share/spamassassin
/etc/mail/spamassassin
/var/lib/spamassassin

I do updates to S.A from third parties, mainly SARE and JM. I think they get put in the /var/lib/Spamassassin/ directory, so they may not exist on your system.

You will find a file (or two) in your travels to locating the rules files, and it will be called something like 50_scores.cf which contains many of the scores for the rules. Not all scoring is done in this file, any .cf file can dictate scores, but if you're going to re-score rules you must do it in /etc/mail/spamassassin/local.cf (or wherever local.cf is for you).

Hope this helps,

Cheers,
Mike
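An added example, not from the post, of pulling that "comprehensive accounting" out of the flat files: it reads every *.cf under a list of directories in the order given and keeps the last score line seen for each rule, which is why a local.cf override wins. The directory names, file contents and score values are constructed stand-ins, and the directory order is an assumption based on the post.

```python
import re
import tempfile
from pathlib import Path

# Match "score NAME v" or "score NAME v0 v1 v2 v3"; a trailing # comment is allowed.
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*(?:#.*)?$")


def parse_scores(text, source, scores):
    """Record each score line from one file. A later line for the same rule
    name replaces an earlier one, which is how local.cf overrides defaults."""
    for line in text.splitlines():
        m = SCORE_RE.match(line)
        if not m:
            continue
        values = m.group(2).split()
        if len(values) not in (1, 4):
            continue  # malformed line; spamassassin --lint would flag it
        scores[m.group(1)] = ([float(v) for v in values], source)
    return scores


def collect_scores(dirs):
    """Read every *.cf under each directory: directories in the order given,
    files in sorted order inside each, so 10_misc.cf precedes 50_scores.cf
    and local.cf sorts after the numbered files."""
    scores = {}
    for d in dirs:
        for cf in sorted(Path(d).rglob("*.cf")):
            parse_scores(cf.read_text(), str(cf), scores)
    return scores


def effective_score(entry, score_set=3):
    """Single-value lines apply to every score set; four-value lines are
    indexed by the active set (0: no net/bayes, 1: net, 2: bayes, 3: both)."""
    values, _ = entry
    return values[0] if len(values) == 1 else values[score_set]


def build_sample_tree():
    """Constructed stand-in for the rule directories named in the post."""
    root = Path(tempfile.mkdtemp())
    share = root / "usr_share_spamassassin"
    site = root / "etc_mail_spamassassin"
    share.mkdir()
    site.mkdir()
    (share / "20_html_tests.cf").write_text("score HTML_MESSAGE 0.001\n")
    (share / "50_scores.cf").write_text(
        "score FORGED_HOTMAIL_RCVD 0 0.5 0 0.5   # made-up values\n")
    (site / "local.cf").write_text(
        "score FORGED_HOTMAIL_RCVD 2.5  # site override\n")
    return [share, site]


def report(dirs, score_set=3):
    """rule name -> (effective score, file that last set it)."""
    return {name: (effective_score(entry, score_set), entry[1])
            for name, entry in collect_scores(dirs).items()}


if __name__ == "__main__":
    for name, (score, src) in sorted(report(build_sample_tree()).items()):
        print(f"{name:24} {score:6.3f}  {src}")
```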
RE: spamassassin lint warnings
> -Original Message-
> From: Rodney Green [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 3 April 2008 12:35 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: spamassassin lint warnings
>
> Thanks Mike. However, I'm getting the same warnings for a majority of the .cf files in /var/lib/spamassassin/3.002004 and /etc/mail/spamassassin, not just the two files referenced in my original e-mail.
>
> Rod

Hello, Rod

Sorry, I seem to have missed the part before about your /etc/mail/spamassassin files doing it as well. I was originally thinking something went wrong with your updating system. But no, if your original SA files are doing it too, something else is afoot. Unfortunately, I don't know what.

I would start questioning S.A's dependencies, ie: Perl modules. I had a lot of problems when I was installing these via CPAN, and had to go get the packages and install them manually. It might be worth checking the dependency requirements of S.A for Perl modules, and making sure you're up-to-date.

It might also be a broader issue with Perl itself, although that is a lot less likely. Are you running the required version of Perl for the S.A version you are running?

Hopefully someone with better experience than I have in this will pick up the discussion and help too ;)

Cheers,
Mike
RE: spamassassin lint warnings
> -Original Message-
> From: Rod G [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 2 April 2008 1:26 a.m.
> To: users@spamassassin.apache.org
> Subject: spamassassin lint warnings
>
> Hello. I'm running SA 3.2.4. When I run "spamassassin --lint -D" I get a bunch of warnings like those below. I'm seeing the same two warnings for many of the files in /var/lib/spamassassin/3.002004 and /etc/mail/spamassassin. Any ideas on how to fix these? Thanks!
>
> [32690] warn: "my" variable $l masks earlier declaration in same scope at /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_active.cf, rule __DOS_I_AM_25, line 14.
> [32690] warn: Global symbol "$scoresptr" requires explicit package name at /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_advance_fee.cf, rule __FRAUD_NRG, line 12.

Hi There,

Turns out I pull the same rule updates and these files are included. (20_advance_fee.cf and 72_active.cf)

I looked through my files, and could not find reference to the errors you're getting - I wonder if your install of S.A is sane - have you upgraded S.A recently? Then again, I am on version 3.1.7 so that may be why I don't see the exact same file.

Perhaps you could try deleting those two files, and re-running sa-update to pull them down, and then try linting again?

Cheers,
Mike
RE: Failed to check the emails
> -Original Message-
> From: Piotr Zalewa [mailto:[EMAIL PROTECTED]
> Sent: Monday, 31 March 2008 2:26 p.m.
> To: SpamAssassin
> Subject: RE: Failed to check the emails
>
> Thanks Michael.
>
> I've run the
> spamassassin -D --lint > spamassassin_lint 2>&
>
> I can't find anything suspicious there - but I'm not the master either. I think it's rather qmail-scanner configuration problem ... I'll paste here parts which I think are important ... If it's not helpful I can attach the file (to priv as I think).
>
> dbg: logger: adding facilities: all
> dbg: logger: logging level is DBG
> dbg: generic: SpamAssassin version 3.2.1
> dbg: config: score set 0 chosen.
> dbg: util: running in taint mode? no
> dbg: dns: is Net::DNS::Resolver available? yes
> dbg: dns: Net::DNS version: 0.59
> [...]
> dbg: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks
> [...]
> dbg: dns: is_dns_available() last checked 1206925264 seconds ago; re-checking
> dbg: dns: is DNS available? 0
> [...]
> dbg: check: is spam? score=4.205 required=4
> dbg: check: tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
> dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID
>
> As I said - emails sent normally from other servers are being checked for spam
>
> Piotr
>
> On Mon, 2008-03-31 at 13:02 +1300, Michael Hutchinson wrote:
> > > -Original Message-
> > > From: Jason Haar [mailto:[EMAIL PROTECTED]
> > > Piotr Zalewa wrote:
> > > > But some are coming not being checked ...
> > > > X-Spam-Status: No, hits=? required=?
> > It sounds like a config issue. It would pay to do a "spamassassin -D --lint". This will produce a lot of output, but it is worth reading and understanding all of the information, to be able to parse it for errors.
> > Cheers,
> > Mike

From what you posted, S.A looks OK, except it couldn't tie your Bayes database. That's mostly a temp issue; if it recurs without resolving itself then it's an issue.

However, I think you're right about the fact that it's a config error somewhere else. I use Simscan myself, and haven't touched qmail-scanner before. I do have a config file where I can turn Spam and AV checking on or off for a particular domain, but it is Simscan specific. Besides, that sort of feature should still not leave you with a S.A header in the email.

You might want to check the sanity of the receiving end's qmail config. Especially the control files. Have you attempted to track the email through your system by grepping through the logs? I do this for tracking mails, and normally wind up using "tail -f " and leave it running while I do testing... If you're too busy a domain, that won't work for you. It'd be interesting to see if you're getting some kind of failure when S.A is being called.

X-Spam-Status: No, hits=? required=?
^^ this isn't normal, S.A should know what its required hits score is, no matter what it's doing. Can it read/write the file that sets this option?

I can only hazard a guess with no more information: Perhaps your system is running S.A in per-domain or per-user mode? There could be a problem that there is no configuration file to read when it's receiving mail from the other system you're talking about, or the config file for that domain exists but S.A doesn't have permissions to deal with it.

You could post your "spamassassin -D --lint" to me if you like... I'm not guaranteeing expert analysis tho :)

Is qmail-scanner keeping a log on your system? And are you able to see your email traverse from the other domain to the mail server in question, in the log files? (/var/log). If so, perhaps post some log entries or try to see what's going on when that email is being scanned.

Cheers,
Mike
RE: Failed to check the emails
> -Original Message-
> From: Jason Haar [mailto:[EMAIL PROTECTED]
> Sent: Monday, 31 March 2008 12:38 p.m.
> To: SpamAssassin
> Subject: Re: Failed to check the emails
>
> Piotr Zalewa wrote:
> > But some are coming not being checked ...
> > I can find this in the header of the message:
> >
> > with qmail-scanner-2.01st (clamdscan: 0.91.2/6473. spamassassin: 3.2.1. perlscan: 2.01st. Clear:RC:0(140.211.11.2):SA:0(?/?):. Processed in 3.031013 secs); 30 Mar 2008 15:34:59 -
> > X-Spam-Status: No, hits=? required=?
>
> Please read the Qmail-Scanner FAQ - this either means the message was considered too big for spamd to scan, or spamd had a problem and didn't work correctly.

It sounds like a config issue. It would pay to do a "spamassassin -D --lint". This will produce a lot of output, but it is worth reading and understanding all of the information, to be able to parse it for errors.

If a message is too large to scan, you would normally get a log entry in mail.log or mail.info or mail.warn (depending on your setup, the location and names of these will most likely change) stating the message was too large to scan. If that is the case, you should not get a Spamassassin header in the e-mail, as it skips scanning the message entirely if its size is above the limit.

Cheers,
Mike
RE: SA-update error
> -Original Message-
> From: Dennis Clark [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 27 March 2008 3:18 p.m.
> To: users@spamassassin.apache.org
> Subject: SA-update error
>
> Using Spamassassin 3.1.8. I haven't updated SA in about six months. Ran SA-update -D using the default channel of updates.spamassassin.org, received error "new version is 585884, skipped channel".
>
> What exactly is going wrong here? Has the sa update default channel been changed?

You need, perhaps, to copy and paste a bit more of the "sa-update -D" output.

From the snippet you provided, many people could easily make the assumption that it's simply skipping the channel because it is already up to date. I would make this assumption also, without seeing more from the output of your "sa-update -D".

Cheers,
Mike
RE: Cyrillic spam
> -Original Message-
> From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED]
> Sent: Friday, 21 March 2008 3:28 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: Cyrillic spam
>
> > > For some strange reason, I'm seeing Cyrillic spams very frequently lately.
> > >
> > > None of my users read any Eastern European languages- is there a quick way to catch these?
>
> On 20.03.08 08:54, Michael Hutchinson wrote:
> > You could use the ok_languages and ok_locales settings. I'm sure discussions on those can be found in the archives.
>
> that should be enough imho. CHARSET_FARAWAY with UNWANTED_LANGUAGE give scores high enough to be marked as spam..

That sounds great.

> > I employed these rules for my site:
> >
> > header CST_RUSSIANSPAM1 Subject:raw =~ /\=\?(koi8\-r|windows\-125[0125]|windows\-874|iso\-8859\-[28])\?/i
> > score CST_RUSSIANSPAM1 6.6
> > describe CST_RUSSIANSPAM1 Russian SPAM, trap Subject line for language set
> >
> > header CST_RUSSIANSPAM2 From:raw =~ /\=\?(koi8\-r|windows\-125[0125]|windows\-874|iso\-8859\-[28])\?/i
> > score CST_RUSSIANSPAM2 6.6
> > describe CST_RUSSIANSPAM2 Russian SPAM, trap From line for language set
>
> I wonder why you didn't use the former? And also, why do you add a score of 6.6?

The rules caught all of the Russian Spam our site was receiving, so I decided to push the score high enough that it would always be tagged as spam, no matter what route it took. I also thought it would be a good idea to understand some not-so-simple rule writing for Subject and From Email headers...

> > These two rules should tag your Cyrillic spam just fine. You might prefer to throw the language away entirely with the ok_languages etc. Just depends how you want to go about it.
>
> the ok_* don't "throw anything entirely", they only score unwanted charsets and languages.

Ok so the wording may have been incorrect, but as far as the end-user is concerned, it is being thrown away, as their filters (at least on our sites) prevent them from seeing anything tagged with 5 or more points.

Anyway, let's stop barking up my rules, and agree there's more than one way to do it, and my way works for my site and your way works for your site.

Cheers,
Mike
RE: Re: Cyrillic spam
> -Original Message-
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of NFN Smith
> Sent: Thursday, 20 March 2008 1:54 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: Cyrillic spam
>
> Michael Hutchinson wrote:
> >> -Original Message-
> >> From: Mike Pepe [mailto:[EMAIL PROTECTED]
> >> Sent: Thursday, 20 March 2008 5:18 a.m.
> >> To: users@spamassassin.apache.org
> >> Subject: Cyrillic spam
> >>
> >> For some strange reason, I'm seeing Cyrillic spams very frequently lately.
> >> None of my users read any Eastern European languages- is there a quick way to catch these?
> >>
> >> thanks
> >>
> >> -Mike
> >
> > You could use the ok_languages and ok_locales settings. I'm sure discussions on those can be found in the archives.
> >
> > I employed these rules for my site:
>
> I'll have to check those myself.
>
> Since I do have users that get Cyrillic content, I have to include Cyrillic in my ok_locales.
>
> I did a simple header rule that does a raw search for koi-8 . From there, I did a couple of meta rules that give big scores to the combination of Cyrillic plus at least one of: The Bat! as the sending client, or SPAMMY-XMAILER or OUTLOOK_3416 and gave suitably high scores. My Cyrillic spam has pretty much vanished.
>
> Before I implemented these, I checked with my users who do Cyrillic, and have no complaints from them since implementing. Even though there is a Russian spell-checking module for The Bat!, as far as I can tell none of my users exchange mail with Russian-speaking users of The Bat!
>
> It's been discussed in this list before that going after content with The Bat! is dangerous, because it's a legitimate client, but among my users, the frequency of inbound mail with The Bat! is virtually zero. Thus, although I score 2.1 points for The Bat!, I tend to use that rule frequently in metas that combine with other more frequently hit rules.
>
> To me, this is some of the real elegance of SpamAssassin, in that you can score some number of common patterns with low scores, and beyond the cumulative score of what turns up, using meta rules to look for combinations of this, this and that (and when that particular combination gets a hit, assign suitable high scores) is really useful.

If there was a book, you've done your config by it. It's good to see other people using metas, they absolutely rock, and it's a good way to avoid FPs, as you've already proven.

Cheers,
Mike
RE: blogspot spam
> -Original Message-
> From: Arvid Ephraim Picciani [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 20 March 2008 9:04 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: blogspot spam
>
> On Wednesday 19 March 2008 20:48:00 Michael Hutchinson wrote:
> > For those that don't run SA 3.2.3, you could test this rule:
> > uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
> > describe CST_URI_BLOGSPOT blogspot.com throwaway URI
> > score CST_URI_BLOGSPOT 3.4
>
> thanks Mike, does that match bloglinks like myblog.blogspot.com/myentryxy ?

Apparently, yes :) I have not seen any come through since I employed the rule. I am sure you'd be able to modify the RegExp if required, making it match, say, up to 12 characters (of anything) past the / after .com. I'm pretty sure you won't need to do that. Employ it and score it at 0.01 to test it :)

> if not it might be fine for around 1.0 points imo. i have sare_oem on 3.0 because our entire company runs linux, so we don't talk about windows software anyway :P
> i'd prefer a working uribl though :(

HEH, I've just gone thru and rescored a pile of URIBL stuff.. this combined with our recent addition of pyzor has started to score spam hard.

Cheers,
Mike
RE: Cyrillic spam
> -Original Message-
> From: Mike Pepe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 20 March 2008 5:18 a.m.
> To: users@spamassassin.apache.org
> Subject: Cyrillic spam
>
> For some strange reason, I'm seeing Cyrillic spams very frequently lately.
>
> None of my users read any Eastern European languages- is there a quick way to catch these?
>
> thanks
>
> -Mike

You could use the ok_languages and ok_locales settings. I'm sure discussions on those can be found in the archives.

I employed these rules for my site:

header CST_RUSSIANSPAM1 Subject:raw =~ /\=\?(koi8\-r|windows\-125[0125]|windows\-874|iso\-8859\-[28])\?/i
score CST_RUSSIANSPAM1 6.6
describe CST_RUSSIANSPAM1 Russian SPAM, trap Subject line for language set

header CST_RUSSIANSPAM2 From:raw =~ /\=\?(koi8\-r|windows\-125[0125]|windows\-874|iso\-8859\-[28])\?/i
score CST_RUSSIANSPAM2 6.6
describe CST_RUSSIANSPAM2 Russian SPAM, trap From line for language set

These two rules should tag your Cyrillic spam just fine. You might prefer to throw the language away entirely with the ok_languages etc. Just depends how you want to go about it.

Cheers,
Mike
RE: blogspot spam
> -Original Message-
> From: Yet Another Ninja [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 20 March 2008 1:48 a.m.
> To: Arvid Ephraim Picciani
> Cc: users@spamassassin.apache.org
> Subject: Re: blogspot spam
>
> On 3/19/2008 1:24 PM, Arvid Ephraim Picciani wrote:
> > On Wednesday 19 March 2008 13:21:20 James E. Pratt wrote:
> >> Hi. I'm seeing lots of these get by:
> >>
> >> http://pastebin.com/m8520d64
> >>
> >> anyone have a rule for these?
> >>
> >> The last one I put up is at:
> >>
> >> http://pastebin.com/m159c02de
> >>
> >> Thanks,
> >>
> >> Jamie
> >
> > yeah exactly my issue. the site is in uribl already but sa doesn't work with uribl and subdomains. see previous posts.
> > SARE_OEM helps a little.
>
> it does work!
>
> if running > SA 3.2.3 add to local.cf:
>
> util_rb_2tld blogspot.com

For those that don't run SA 3.2.3, you could test this rule:

uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
describe CST_URI_BLOGSPOT blogspot.com throwaway URI
score CST_URI_BLOGSPOT 3.4

A few people disagree with this, as it will score against legitimate email for some domains. I created it for our site as we do not receive newsletters with blogspot links, so we hose the emails with 3.4 points, which is enough to push them over the 5.0 threshold, as they score on other rules too.

Be warned, beware, don't use this unless you're really sure you don't want blogspot links in emails. Customers might become annoyed. (Ours haven't, though, and it's been a month).

Cheers,
Mike
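As an added example (my code, not the thread's), the rules quoted in this thread and in the Cyrillic thread above (CST_RUSSIANSPAM1/2 and CST_URI_BLOGSPOT) run over constructed messages in Python, next to a hypothetical zero-score sub-rule pair and meta rule in the style NFN Smith describes; the __ sub-rules, CYRILLIC_THEBAT, the two profiles and all sample messages are my own. It shows the Subject:raw encoded-word match, an iso-8859-2 (Polish) message that the 6.6 rule also catches, and a hyphenated blogspot subdomain that \w+ misses.

```python
import re
from email import message_from_string
from email.message import Message

# Header rules quoted in the threads. "Subject:raw" / "From:raw" mean the
# header is matched before RFC 2047 decoding, so the regex sees the
# =?charset?...?= encoded-word token rather than the decoded text.
CHARSET_RE = re.compile(
    r"\=\?(koi8\-r|windows\-125[0125]|windows\-874|iso\-8859\-[28])\?", re.I)
HEADER_RULES = {
    "CST_RUSSIANSPAM1": ("Subject", CHARSET_RE),
    "CST_RUSSIANSPAM2": ("From", CHARSET_RE),
    # Hypothetical zero-score sub-rules (names are mine), used only via a meta.
    "__CYRILLIC_SUBJ": ("Subject", re.compile(r"\=\?koi8\-r\?", re.I)),
    "__XMAILER_THEBAT": ("X-Mailer", re.compile(r"The Bat!", re.I)),
}
# uri rule from the blogspot thread, as written (case-sensitive, \w+ subdomain).
URI_RULES = {"CST_URI_BLOGSPOT": re.compile(r"http://\w+\.blogspot\.com\b")}
# Hypothetical meta rule: fires only when both sub-rules hit.
META_RULES = {"CYRILLIC_THEBAT": ("__CYRILLIC_SUBJ", "__XMAILER_THEBAT")}
SCORES = {"CST_RUSSIANSPAM1": 6.6, "CST_RUSSIANSPAM2": 6.6,
          "CST_URI_BLOGSPOT": 3.4, "CYRILLIC_THEBAT": 5.0}  # meta score is mine
REQUIRED = 5.0
# Two constructed rule profiles: the 6.6 charset rules vs. the meta-only approach.
MIKE_PROFILE = {"CST_RUSSIANSPAM1", "CST_RUSSIANSPAM2", "CST_URI_BLOGSPOT"}
META_PROFILE = {"CYRILLIC_THEBAT", "CST_URI_BLOGSPOT"}
URI_RE = re.compile(r"https?://[^\s<>\"']+")  # crude body URI extraction


def body_text(msg: Message) -> str:
    """Decode every text/* part so URIs can be pulled from the body."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def evaluate(raw_message: str, active=frozenset(SCORES)):
    """Return (score, sorted scoring rules hit) for one raw RFC 822 message,
    counting only the rules named in `active` (sub-rules never score)."""
    msg = message_from_string(raw_message)  # compat32: .get() returns the raw header
    hits = set()
    for name, (header, rx) in HEADER_RULES.items():
        if rx.search(msg.get(header, "")):
            hits.add(name)
    uris = URI_RE.findall(body_text(msg))
    for name, rx in URI_RULES.items():
        if any(rx.search(u) for u in uris):
            hits.add(name)
    for name, parts in META_RULES.items():
        if all(p in hits for p in parts):
            hits.add(name)
    scoring = sorted(h for h in hits if h in active)
    return round(sum(SCORES[h] for h in scoring), 3), scoring


def is_spam(raw_message: str, active=frozenset(SCORES)) -> bool:
    return evaluate(raw_message, active)[0] >= REQUIRED


# Constructed sample messages (not mail from the thread; example.invalid domain).
RUSSIAN_SPAM = (
    "From: =?koi8-r?B?8MHXxcw=?= <promo@example.invalid>\n"
    "Subject: =?koi8-r?B?7s/Xz9PUyQ==?=\n"
    "X-Mailer: The Bat! (v3.99)\n"
    "Content-Type: text/plain; charset=koi8-r\n\n...\n"
)
# iso-8859-2 is Central European (Polish, Czech), not Cyrillic, yet it is in
# the CST_RUSSIANSPAM charset list, so this legitimate mail scores 6.6.
POLISH_LEGIT = (
    "From: Jan Kowalski <jan@example.invalid>\n"
    "Subject: =?iso-8859-2?Q?Zam=F3wienie_nr_17?=\n"
    "X-Mailer: Thunderbird\n"
    "Content-Type: text/plain; charset=iso-8859-2\n\nDzien dobry\n"
)
BLOGSPOT_SPAM = ("From: promo@example.invalid\nSubject: hi\n\n"
                 "see http://cheapmeds.blogspot.com/2008/03/post.html now\n")
BLOGSPOT_HYPHEN = ("From: promo@example.invalid\nSubject: hi\n\n"
                   "see http://cheap-meds.blogspot.com/post.html now\n")

if __name__ == "__main__":
    for label, m in [("russian", RUSSIAN_SPAM), ("polish", POLISH_LEGIT),
                     ("blogspot", BLOGSPOT_SPAM), ("hyphen", BLOGSPOT_HYPHEN)]:
        print(label, evaluate(m, MIKE_PROFILE), evaluate(m, META_PROFILE))
```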
RBL's at Spamassassin time.
Hi Everyone.

I need to implement some RBL's at the Spamassassin stage in our mail server. We already have spamhaus setup on the firewall, amongst other SMTP rejection lists.

What RBL's are people using with Spamassassin to tag email? As far as I can see, we are only using URIBL and Spamcop, which doesn't seem to be enough to keep the Spam down to a reasonable level.

Thanks in advance,
Michael Hutchinson.
RE: How to catch gibberish spam before URIBL lists it?
> -Original Message-
> From: Bob Proulx [mailto:[EMAIL PROTECTED]
> Sent: Monday, 17 March 2008 2:10 p.m.
> To: users@spamassassin.apache.org
> Subject: How to catch gibberish spam before URIBL lists it?
>
> These eventually show up in the URIBL but with the start of the wave they are not listed yet. Outside of URIBL (which works great once they get listed) are there good tactics to catch this type of spam directly from the content?
>
> Subject: top bxtrj k cuq Girls wdi ulpq tafz.
>
> n srak, great qllqn Moms cg bmqet agpxa http://www.struesexfilms.cn ssj erzn zxuc wlp. h qds t bl hfqun.
> v w g vj hydl taqn ahcgn uaorm, w wfz go vthmz cdii fft.
>
> Thanks
> Bob

Hi Bob,

Even through the list my Spamassassin flagged your mail with 2.4 points (which was AWL adjusted, so was probably higher than that). You may just need to modify some scoring of these rules, which hit the "garbage" you're talking about without a doubt:

TW_AQ,TW_BM,TW_BX,TW_GP,TW_HM,TW_LP,TW_MQ,TW_PX,TW_QD,TW_QL,TW_TR,TW_WF,TW_ZX,

HTH,
Cheers,
Mike
RE: directly going to spam folder in yahoo
From: Agnello George [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 11 March 2008 7:07 p.m.
To: Spamassassin
Subject: directly going to spam folder in yahoo

> HI
> i am facing a problem from sending mail from [EMAIL PROTECTED] to my yahoo account , i receive the mail but it automatically come to my spam folder in my yahoo account, this happen to all email ID in the yahoo domain. Is there a work around on the mail server ( exim ) ( Linux box ). Below is the log !!

Yep, I have this problem with a couple of our clients' email servers. One of your MX's (or both) have been tagged as a spam sending MX by Yahoo. This can happen for many reasons. The most prominent seems to be -> if your MX was _EVER_ on a blacklist. It doesn't have to BE on a blacklist, just to have BEEN on one in the past seems to be enough for yahoo.

The answer is to move yourself and your clients away from Yahoo. I have battled with them to get our mail delivered properly, and until all of our clients have moved away from them, we have temporarily smart-hosted their email server to ours, which isn't getting auto-spam-flagged by Yahoo.

Basically, the battle was not won. There is no responsive administrative contact at Yahoo that can help you out. You are able to fill out a form requesting that your MX is no longer regarded as a spambot. But good luck with that.

Cheers,
Mike
RE: Plugin eval failed
> -Original Message-
> From: Jean-Paul Natola [mailto:[EMAIL PROTECTED]
> Sent: Friday, 14 March 2008 12:09 p.m.
> To: SpamAssassin
> Subject: Plugin eval failed
>
> Hi all,
>
> I upgraded to sa 3.2.4
>
> And I've been restarting spamd every 15 minutes just to keep mail coming in,
>
> This is what is constantly coming up in the maillog
>
> plugin: eval failed: child processing timeout at /usr/local/bin/spamd line 1259.
>
> Any help would be appreciated
>
> Running
>
> Freebsd 6.2
> SA 3.2.4
> Exim 4.68
> Perl 5.8.8
> Clamav 92.1
>
> JP

Hi JP,

I had this problem when I upgraded to 3.2.3 temporarily, and for a while after the downgrade to 3.1.7. I had not done enough research and found that I had installed 3.2.3 with a different method than what the original package was installed with. This caused install paths to change for various files, and I ended up with 2 different versions of some files spread over the system. This was causing all sorts of errors, but mainly having to restart SA constantly as it was falling over.

Whilst this may not be your issue, it is worth checking that all of your .cf and .pre files are sane, as well as any Perl CPAN modules. I removed all of my CPAN modules, and installed them via apt-get in Debian instead. I then removed all instances of every Spamassassin file on the system, and reinstalled from scratch. (keeping local.cf and user_prefs of course).

Hope this is some help,

Cheers,
Mike
RE: Spamassassin not checking a particular Email.
> -Original Message-
> From: Michael Hutchinson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 11 March 2008 1:09 p.m.
> To: users@spamassassin.apache.org
> Subject: RE: Spamassassin not checking a particular Email.
>
> On Mon, 10 Mar 2008 at 18:00 -0400, [EMAIL PROTECTED] confabulated:
>
> SNIP
>
> > > How big is the email ? By default spamd won't scan anything over 255k
> >
> > Is it spamd that has the default? I know for sure spamc has the default set to 500Kb (at least in the latest release):
> >
> > %man spamc
> > ...
> > -s max_size, --max-size=max_size
> > Set the maximum message size which will be sent to spamd -- any bigger than this threshold and the message will be returned unprocessed (default: 500 KB). If spamc gets handed a message bigger than this, it won't be passed to spamd. The maximum message size is 256 MB.
> >
> > I don't recall the OP stating what version of SA was running.
> >
> > -
> > _|_
> > |_| |
>
> OP is running SA 3.1.7, which has a limit of 25 bytes. The problem now is where to actually put the -s config. We're using daemontools for the qmail processes, and it is not obvious, in fact I can't find any run file that contains a reference to spamc, to be able to give it commandline options.
>
> I have found runtime options for spamd in /etc/init.d/spamassassin, but spamd doesn't have the same options. In fact it doesn't have a max message size setting at all.

Ah HA!! Found the issue. We did not previously have a spamc.conf file on our system. This ought to reside in /etc/mail/spamassassin by default. Once I created this file, and reloaded Spamassassin, our max message size has gone up to 350K

/etc/spamassassin/spamc.conf :

-s 35

As easy as that

Cheers,
Mike
RE: Spamassassin not checking a particular Email.
> -Original Message-
> From: D Hill [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 11 March 2008 12:23 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: Spamassassin not checking a particular Email.
>
> On Mon, 10 Mar 2008 at 18:00 -0400, [EMAIL PROTECTED] confabulated:
>
> > Michael Hutchinson wrote:
> >> Hi all,
> >>
> >> Another query.. another busy SA day.
> >>
> >> I have a piece of Spam that is getting through to one of our biggest clients. I have written rules to tag this Spam, but it is as if it isn't even being checked by Spamassassin.
>
> [snip]
>
> >> We can see from the headers that it has been looked at by Simscan, but has not been parsed through SA, at least, I don't think it has. We always have X-Spam-Status in our headers.
> >>
> >> I can attach the actual Email if anyone would like to see it.
> >> Any ideas where to start troubleshooting the issue? Could this be a Simscan related problem?
> >>
> >> Cheers,
> >> Mike
> >
> > How big is the email ? By default spamd won't scan anything over 255k
>
> Is it spamd that has the default? I know for sure spamc has the default set to 500Kb (at least in the latest release):
>
> %man spamc
> ...
> -s max_size, --max-size=max_size
> Set the maximum message size which will be sent to spamd -- any bigger than this threshold and the message will be returned unprocessed (default: 500 KB). If spamc gets handed a message bigger than this, it won't be passed to spamd. The maximum message size is 256 MB.
>
> I don't recall the OP stating what version of SA was running.
>
> -
> _|_
> |_| |

OP is running SA 3.1.7, which has a limit of 25 bytes. The problem now is where to actually put the -s config. We're using daemontools for the qmail processes, and it is not obvious, in fact I can't find any run file that contains a reference to spamc, to be able to give it commandline options.

I have found runtime options for spamd in /etc/init.d/spamassassin, but spamd doesn't have the same options. In fact it doesn't have a max message size setting at all.
RE: Spamassassin not checking a particular Email.
> -Original Message-
> From: Rick Macdougall [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 11 March 2008 11:01 a.m.
> To: Michael Hutchinson
> Cc: users@spamassassin.apache.org
> Subject: Re: Spamassassin not checking a particular Email.
>
> Michael Hutchinson wrote:
> > Hi all,
> >
> > Another query.. another busy SA day.
> >
> > I have a piece of Spam that is getting through to one of our biggest clients. I have written rules to tag this Spam, but it is as if it isn't even being checked by Spamassassin.
> >
> > I have checked our qmail control files to ensure we are spamchecking the domain, which we are, and also checked other Emails that go to the site, and they all have their X-Spam-Status header. Except this one.
> >
> > Does anyone have an idea on how this email is circumventing the Spamassassin check?
> >
> > Here is the header: SNIP
> >
> > We can see from the headers that it has been looked at by Simscan, but has not been parsed through SA, at least, I don't think it has. We always have X-Spam-Status in our headers.
> >
> > I can attach the actual Email if anyone would like to see it.
> >
> > Any ideas where to start troubleshooting the issue? Could this be a Simscan related problem?
> >
> > Cheers,
> > Mike
>
> How big is the email ? By default spamd won't scan anything over 255k

Hit the Nail on the head, Rick. It is just a little bigger than that, at 259k. I probably should have thought of this.. but thanks for pointing it out! :)

Do you know how to ramp it up a bit? I've done some googling, but I only seem to get results for spamc (we're using spamd), and everything else seems to relate to exim, not qmail. I'll keep nosing around though.

Cheers,
Mike
Spamassassin not checking a particular Email.
Hi all,

Another query.. another busy SA day.

I have a piece of Spam that is getting through to one of our biggest clients. I have written rules to tag this Spam, but it is as if it isn't even being checked by Spamassassin. I have checked our qmail control files to ensure we are spamchecking the domain, which we are, and also checked other Emails that go to the site, and they all have their X-Spam-Status header. Except this one.

Does anyone have an idea on how this email is circumventing the Spamassassin check?

Here is the header:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 7942 invoked by uid 89); 10 Mar 2008 11:33:14 -
Message-ID: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 7937 invoked by uid 89); 10 Mar 2008 11:33:13 -
Received: by simscan 1.1.0 ppid: 7807, pid: 7827, t: 26.5915s scanners: attach: 1.1.0 clamav: 0.92/m: spam: 3.1.7
Received: from unknown (HELO Administrators) (59.40.18.182) by 0 with SMTP; 10 Mar 2008 11:32:47 -
Received: from Admin [127.0.0.1] by Administrators ( );
From: Cin Chan <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Latest USB Promotional Products
Date: Mon, 10 Mar 2008 19:17:03 +0800
Reply-To: Cin Chan <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="_=_OtherPart_000_00039517.80350694"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

We can see from the headers that it has been looked at by Simscan, but has not been parsed through SA, at least, I don't think it has. We always have X-Spam-Status in our headers.

I can attach the actual Email if anyone would like to see it. Any ideas where to start troubleshooting the issue? Could this be a Simscan related problem?

Cheers, Mike
Testing Bayes Database
Hi all,

A few months ago we had to restart our Bayes database, as it went corrupt, according to SA at the time. This was during an SA upgrade, and I believe it was a faulty install that caused this. Our old database was running for years and is rather large (I still have copies). The new one is rather small, and it would appear it is causing us to be subject to a lot more Spam than what we are used to. Even Spam in the score range 5-25 has increased, and less spam is crossing the 25 point threshold than used to. This is notwithstanding that I have trained the database with our site-specific corpus of Spam (reflects about 1 year of spam).

I have made the decision to attempt to reinstate the Bayes database, and have performed the functions over at: http://wiki.apache.org/spamassassin/DbDumpAndLoad in order to try and make sure that the database is no longer "the wrong version" or corrupt. I want to add some confidence to this process by verifying that the Bayes database is valid. Is there any way I can get my live server to do this with Spamassassin, without employing the database live? Does anyone know of any tools that may assist with this? It would be preferable to have Spamassassin check the database, but I guess any verification I can get would be better than none.

I know I can build a Virtual Machine and all that but I really don't have the time for this. Building another mail server to test a database seems like a waste of time to me.. but if that's the only way I'll do it..

Cheers, Mike
RE: Blogspot (was Re: giberish)
> -Original Message-
> From: Kelson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 4 March 2008 11:44 a.m.
> To: spamassassin-users
> Subject: Blogspot (was Re: giberish)
>
> Michael Hutchinson wrote:
> > I don't know how the rest of you feel about blogspot links, but I've
> > never seen a valid/authentic one in an email that isn't spam before.
>
> I have. In the last two weeks, I've seen blogspot links in the Drupal
> newsletter, the OpenOffice.org newsletter, Fedora Weekly News, and a
> newsletter for the Comic Book Legal Defense Fund -- all things I've
> signed up for.
>
> And that's just me -- that's not counting anyone else on the mail server
> I manage. I set up a rule to match blogspot links, and tracked the
> results. It hit things like the Slashdot daily summary, and several
> newsletters & mailing lists that I couldn't guess whether the recipient
> signed up or not, on topics ranging from chess to ASP to financial news
> to political opinions.
>
> And then there's people sending personal mail referencing a random blog
> post, or including their blogspot-hosted site in their email signatures.
>
> We do still score blogspot URIs --- but we only add 1 point for it.
> Scoring at 5 would block legit mail.

Fair enough, what works for one site may not work for another. We all take that into account. I might review this decision at some stage of the game, but for now so much spam comes with blogspot in the body, and we really aren't losing important mail, that I just don't care to do so anytime soon. We are just flagging it, so the people that want their blogspot spam can still access it, it's just automatically filed into a separate folder by their MUA.

I fail to see why people tolerate systems that allow themselves to be spam link targets. If making a blog on blogspot took longer, and was a bit harder, I might accept changing the rule on our server, as spammers would go use something else. But for now, it gets the Spam wand waved at it, and gets scored hard.
Too bad, never mind. Disclaimer : this works for our site. Everyone's site is different, and I don't expect anything I use for my site to be used by anyone. Especially without modification on it, or thought about it, first. Cheers, Mike
RE: giberish
> -Original Message-
> From: JP Kelly [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 4 March 2008 6:54 a.m.
> To: spamassassin-users
> Subject: giberish
>
> does anyone know of a rule that might catch this kind of spam which
> contains a lot of non words
> a grammar checking rule or plugin would be nice too since many spams
> contain a lot of nonsense.
>
> > Content-Type: text/plain; charset=iso-8859-1
> > Content-Transfer-Encoding: 8bit
> >
> > Howdy!
> > Go to get further directions: http://jennakilroytm.blogspot.com
> > misbrandingmegadyne delightable underbodice undergore
> > fica orchidist miamiforrad
> > commiserates denominablebronteum architectonically capsulogenous
> > disfigured
> > unteemsimulated

I score for blogspot links in emails, and give them 5 points while I'm at it:

uri CST_BADLY_SPELT2 /blogspot\.com/
score CST_BADLY_SPELT2 5.0
describe CST_BADLY_SPELT2 blogspot Link.. probable SPAM

I don't know how the rest of you feel about blogspot links, but I've never seen a valid/authentic one in an email that isn't spam before. I used to run phrase matching with lots of OR statements to try to catch spam like this, but have since given up rewriting those rules every day in favour of this one.

Cheers, Michael Hutchinson.
RE: any rules for this?
> -Original Message-
> From: Mike Fahey [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 27 February 2008 6:16 a.m.
> To: users@spamassassin.apache.org
> Subject: any rules for this?
>
> Does anyone have any rules for these?
>
> C A 5N A D/1AN P 7 5H A RM A 9CY
>
> V / 7A G R \A - $1.45
> C 4/ A L / S - $2.26
> S0 O M A - $0.67
> L E7 V / T R A - $3.63
> F E _MALE V 6/ A G \R 4A
> U 8 L T 7R A M - $1.36
> 165 Items on S /AL \E Today.
>
> Grab yours while supplies last

Hi Mike.

You could write some rules against the first line, e.g.:

body SAL_CANADIAN_1 /C A 5N A D\/1AN P 7 5H A RM A 9CY/i
score SAL_CANADIAN_1 5
describe SAL_CANADIAN_1

but you will want to make it dynamic, because they'll probably change the layout, so this would be a temporary rule for me. You could score that rule lower and score on the other lines, but that will make it difficult to change your rules if your spam changes.

PS beware the forward and backslash characters, they will need to be escaped with a single \ each.

Cheers, Michael Hutchinson
RE: [OT] Yahoo Deferred
> > I have tried different approaches, and let us not forget I have filled
> > out 3 whitelist forms, and received no response from Yahoo. Their service
> > is breaking RFC's by not delivering mail. They are ignorant towards other
> > companies trying to use their service.
>
> But they do deliver the mail. You've even said so above. If this is for
> paid for accounts, I can see there being an issue. If it is for free
> accounts, how do you think they make their money to support free
> accounts? By requiring the free accounts to login to do some things.

Delivering mail via a filter we have no control of, directly to a folder the user never sees, is not delivering mail, in my book. Or a lot of people's book. It is for paid accounts, by the way.

I'm not about to start seeing that what Yahoo is doing is acceptable or correct. No matter what "sense" you try and make of it.

Cheers, Mike
RE: [OT] Yahoo Deferred
--- original message ---
> From: Tony Bunce [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 26 February 2008 5:54 a.m.
> To: users@spamassassin.apache.org
> Subject: [OT] Yahoo Deferred
>
> Sorry for the Off Topic thread but I'm at a loss.
>
> Is anyone else having issues sending mail to Yahoo?
>
> They are returning 421 Message temporarily deferred to every message my
> servers try to send. My server then retries like it should but yahoo never
> accepts the message, even after day of retrying. Google turned up several
> people having the same issue but no one with a solution. My DNS is right, I
> have SPF records, and sign outgoing messages using DomainKeys.
>
> I've filled out every form on the yahoo support site without any luck at
> all. Anyone else seeing this problem or know of a way to get to a real
> person at yahoo? There are a few reports online that yahoo has a paid
> support phone number that will fix the problem but no one lists a phone
> number, and as much as I don't want to pay yahoo just to accept my messages
> I'm running out of options and the customer complaints are getting more
> frequent every day.

Ahem. OK now I've calmed down...

We have the Yahoo issue as well. It caused major problems for us as a large client of ours has a lot of workers that use Xtra (now yahoo) email addresses for home. And all of a sudden, mail stopped being delivered from the client's server to Xtra/Yahoo email boxes. We were not receiving a bounce, though; the messages were being tagged as Spam and being automatically filed under the Yahoo user's Spam folder, which they do not see unless they log into webmail. Apparently this is because of Yahoo's per-user Bayesian database. In other words, we'd have to be willing to talk every Xtra user through logging into webmail and training the Bayes filter by telling it what messages are/aren't spam, until it properly delivers mail. Which we are not. Why should we? It's not like our client's mail server has been spamming Yahoo.
I have contacted Telecom and Xtra about the issue, and they're unable to help... The situation is "out of their control". Fair enough, so I tried to contact Yahoo. What a joke. By the time they've sent you a bulk mail form (which is just trying to get you to agree that you're a bulk mailer, an opportunity for them to ignore the problem) 3 or 4 times, and you agree to fill it out, and do, and wait and wait and wait, and lo and behold, nothing happens. There is no Network Operations Centre to contact at Yahoo, or if there is one, they're keeping it to themselves. This is rather irresponsible from a provider point of view. How are people supposed to report complex issues with a service, if the people you _DO_ get to talk to are just low-level help-you-with-your-email-password worker-bees who know nothing about email delivery behind the scenes?

I have tried different approaches, and let us not forget I have filled out 3 whitelist forms, and received no response from Yahoo. Their service is breaking RFCs by not delivering mail. They are ignorant towards other companies trying to use their service. I even got into a big argument with my boss about this issue; he of course couldn't understand how my hands could be tied so quickly, but what can you do when the offending people won't come to the party, or even talk to you.

My recommendation, though we've not done this yet, is to direct everyone away from their email service. They obviously do not want to host people's email. If they did, they would listen/respond to other administrators, and they wouldn't be breaking rules in a negligent manner. Do away with Yahoo. Set up mail on your own domains for your users. Even if it means creating separate home addresses if they want them. Even having two addresses at one domain for one person is better than having to deal with Yahoo.
[EMAIL PROTECTED] [EMAIL PROTECTED] Personally, I'd rather blacklist the whole yahoo domain, and tell our clients that Yahoo is not an acceptable email address, that they will need a real one. A real one - that delivers and receives mail, like a mail server should. Cheers Michael Hutchinson [EMAIL PROTECTED] [EMAIL PROTECTED]
RE: Please help with rule
> -Original Message-
> From: Dave Koontz [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 24 February 2008 5:09 p.m.
> To: users@spamassassin.apache.org
> Subject: Please help with rule
>
> I am still getting some Storm Worm messages that are not being caught,
> even with Sane Security / ClamAV. I thought I'd write a rule to score
> any URL that has a dot exe, scr or pif extension. However, my rule is
> not working. Can someone help advise what is wrong? I want it to
> pickup any http or https with those extensions.
>
>
> body Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i
> describe Dangerous_URL Dangerous URL
> score Dangerous_URL 7.5
>
> Thanks in advance!

I don't know if it's standard practice on the list, but I do my attachment filtering with Simscan, not Spamassassin, using "/var/qmail/control/simcontrol" where config reads:

[EMAIL PROTECTED]:clam=yes,spam=no
[EMAIL PROTECTED]:clam=yes,spam=no
:clam=yes,spam=yes,spam_hits=20,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif

The first two lines mean that for the two domains listed, there will be no spam checking (Spamassassin), and there will be antivirus scanning (clamav). The last line is global configuration, so for every other site, antivirus checking and spamassassin checking are switched on, plus we block the listed attachments outright.

Sorry if you don't run Simscan, just thought I'd post my $0.2

Cheers, Michael Hutchinson
RE: Installation on SpamAssassin
> -Original Message-
> From: jeco [mailto:[EMAIL PROTECTED]
> Sent: Friday, 22 February 2008 1:55 a.m.
> To: users@spamassassin.apache.org
> Subject: Installation on SpamAssassin
>
>
> Hi to all members here, I'm a new member and would like to ask help on how
> to install SpamAssassin? Aside from working with an email server, will this
> work with Webmails like gmail, yahoo, or msn?
>
> thank you in advance
> --
> View this message in context: http://www.nabble.com/Installation-on-SpamAssassin-tp15610814p15610814.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Hi jeco,

You ought to visit http://spamassassin.apache.org and find out a bit more about it. The installation of SA is quite an easy thing (though I would suggest doing it via package management, and not building it from source) but the configuration is a different story. You've not supplied many details. Are you installing a fresh mail server at the same time? Or are you installing Spamassassin into a live/functional Mail Server? Do you know what MTA you're using, or are going to be using? You really need to answer these questions for yourself, and then find some instructions for configuring SA for your setup/distribution/Mail Transport Agent. It is when you are having problems configuring this that the mailing list can help you.

So, to summarise, find out what SA can and can't do for you from its website. Figure out how you want to use it, and what you are deploying it upon. If you are going to be putting SA on a live server, it would pay to consult with this list first, but you really need to supply some more details.

Cheers, Mike
FW: "Nice girl like to chat" spam
> -Original Message-
> Michael Hutchinson wrote:
> > > body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this
> > > (?:afternoon|evening)|tonight)\./
> >
> > Forgive my ignorance, but what does the question mark and colon do at
> > the start of the brackets? I have (bored|tired) in my own rules, so how
> > does (?:bored|tired) affect the outcome?
>
> Using (?: avoids creating backreferences. It should be slightly
> faster if the backreference is not used.
>
> (?:bored|tired)
>
> Is the same as:
>
> (bored|tired)
>
> But without creating \1 or $1 reference to it.
>
> SpamAssassin is written in Perl and uses PCRE (Perl Compatible Regular
> Expressions). Those are not quite the same as standard Extended
> Regular Expressions. For a full description see the 'perlre' man page.
>
> man perlre
>
>     "(?:pattern)"
>     "(?imsx-imsx:pattern)"
>         This is for clustering, not capturing; it groups
>         subexpressions like "()", but doesn't make
>         backreferences as "()" does. So
>
>             @fields = split(/\b(?:a|b|c)\b/)
>
>         is like
>
>             @fields = split(/\b(a|b|c)\b/)
>
>         but doesn't spit out extra fields. It's also cheaper
>         not to capture characters if you don't need to.
>
>         Any letters between "?" and ":" act as flags
>         modifiers as with "(?imsx-imsx)". For example,
>
>             /(?s-i:more.*than).*million/i
>
>         is equivalent to the more verbose
>
>             /(?:(?s-i)more.*than).*million/i

Yay, less overhead... . Thanks for the pointers Bob, you've been a big help :)

Cheers, Michael Hutchinson
FW: Suggestions to block this spam
> -Original Message-
> From: Karsten Bräckelmann [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 20 February 2008 3:33 p.m.
> To: users@spamassassin.apache.org
> Subject: RE: Suggestions to block this spam
>
> On Wed, 2008-02-20 at 14:26 +1300, Michael Hutchinson wrote:
> > You'll be lucky to catch them on anything other than phrase matching, as
> > they're very simple in design, those spam messages. Much like the
> > "downlooadable sooftware" ones we used to get. To a program, there's
> > not much that looks like Spam about these messages.
>
> This is not true. :) I posted a meta rule that doesn't even look at the
> body earlier.
>
> Also, while URIs arguably could be considered "phrase matching", I
> personally don't. Cause I don't even care about the content or
> advertising phrases at all, but sniper these annoying, abused domains.
>
> The quite characteristic HTML markup and the fact that this stupid
> spammer uses all lower-case, single word subjects exclusively makes them
> identifiable without matching on phrases. The almost constant length of
> both multipart/related MIME parts and its overall structure of 2 blobs
> gives another hint. Score if all are true.
>
> Plus, the various blacklists, identifying the sending machines as
> zombies and the MX handing over IP as end-user intended.

Ah yes, I saw that one earlier on. I hadn't employed it as my phrases are working well, but I do intend to tweak a meta based on the one you posted, once I've had time to fully test the CLIENT_TO_MX part :)

Cheers, Michael Hutchinson
RE: How to Know
> -Original Message-
> From: Tarak Ranjan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 20 February 2008 1:24 a.m.
> To: Spamassassin
> Subject: How to Know
>
> Hi List,
> how do i come to know that each and every incoming & outgoing mail is
> massing through SA.
>
> /
> Tarak
>

Hmm. Is this Spam? The original one posted earlier definitely looks like it with the yahoo tags on the bottom. :)
RE: Suggestions to block this spam
> -Original Message-
> From: Bazooka Joe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 20 February 2008 11:22 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: Suggestions to block this spam
>
> I too am getting dozens of these emails that are going right through
> SA + pyzor + dcc. sa-learn doesn't seem to make any difference. I
> just installed razor2 today to try to combat real men.
>
> Most get through w/ a score of 2 or less. Many of them seem to
> trigger spamcop so i bumped that up to 3.5.

You'll be lucky to catch them on anything other than phrase matching, as they're very simple in design, those spam messages. Much like the "downlooadable sooftware" ones we used to get. To a program, there's not much that looks like Spam about these messages.

Whilst phrase matching works, however, it would be interesting to see how much load it puts on SA when using a few phrases with alternately spelt words, i.e.:

(downloadable|downloaadable|downloadablee) (software|sooftware)

Hmm, food for thought.

Cheers, Mike
RE: "Nice girl like to chat" spam
> I've actually been running this set of 5 rules on several of the ISP
> mail systems I've got my fingers in (watch for line wrap, sorry):
>
> # "Nice girl" wants to send pics, but only if you email the address in the body
> # start scoring at .5, see how that whacks'em.
> body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
> describe NICE_GIRL_01 Nice girls don't spam
> score NICE_GIRL_01 0.8
> body NICE_GIRL_02 /I am nice girl that would like to chat with you\./
> describe NICE_GIRL_02 Nice girls don't spam
> score NICE_GIRL_02 0.8
> # {1,74}: a bounded quantifier needs a lower bound in Perl; {,74} is taken literally
> body NICE_GIRL_03 /Email me at [^\s]{1,74} only, because I am writing not from my personal email\./
> describe NICE_GIRL_03 Nice girls don't spam
> score NICE_GIRL_03 0.8
> # not actually the same spam, but same class/type
> body NICE_GIRL_04 /I will respond right away and send a pic and some of my info right away/
> score NICE_GIRL_04 0.8
> describe NICE_GIRL_04 Nice girls don't spam
> body NICE_GIRL_05 /Reply to me and tell me about yourself if you want to chat/
> score NICE_GIRL_05 0.8
> describe NICE_GIRL_05 Nice girls don't spam
>
> body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./

Forgive my ignorance, but what does the question mark and colon do at the start of the brackets? I have (bored|tired) in my own rules, so how does (?:bored|tired) affect the outcome?

Cheers, Mike
RE: user_prefs: mind the linebreak
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 19 February 2008 4:43 p.m.
> To: [EMAIL PROTECTED]
> Cc: users@spamassassin.apache.org
> Subject: Re: user_prefs: mind the linebreak
>
> [EMAIL PROTECTED] wrote:
> > MK> Why would there ever be a problem fitting on one line? Lines aren't
> > MK> limited to 80 characters or anything silly like that..
> >
> > MK> That sounds a bit like complaining that a ship must fit in the water..
> > MK> There's a whole ocean out there, so who cares if you can't put one
> > MK> boat in 2 rain puddles..
> >
> > Call me old fashioned, but I still want to be able to keep lines to a
> > length I prefer.
> >
> Call me older fashioned.. I consider line-wrapping a bit too "fancy" for
> my config editing preferences.

Line wrapping in config is bad. I've had several instances of an editor in linux that I won't name where I've lost config data because of it wrapping lines instead of just displaying it off page until I'm ready to see it. This seems to happen a lot more frequently with terminal emulation, however, usually when SSH'd into a linux box using an emu like putty. And they still haven't got terminal emulation correct, after all these years. Admittedly if you stick to 80x25 you're probably a bit better off, but 80x25 doesn't cut it on a 21 inch LCD.

Cheers, Mike
FW: "Nice girl like to chat" spam
> -Original Message-
> From: ItsMikeE [mailto:[EMAIL PROTECTED]
> Sent: Monday, 18 February 2008 11:33 p.m.
> To: users@spamassassin.apache.org
> Subject: "Nice girl like to chat" spam
>
>
> For some time now I have been getting spams that look like
> "Hello! I am tired this evening. I am nice girl that would like to chat
> with you. Email me at [EMAIL PROTECTED] only, because I am using my friend's
> email to write this. To see my pics"
>
> They are still not being picked up, despite me passing them to be learnt
> for the bayes DB.
>
> Has anyone written a rule to filter these out?
> --
> View this message in context: http://www.nabble.com/%22Nice-girl-like-to-chat%22-spam-tp15542352p15542352.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Yes, I've got rules against that spam! They were sending us a ton of it so I wrote some local.cf rules:

body __NICEGIRL_SPAM_1 /Hello! I am (tired|bored) this afternoon/
body __NICEGIRL_SPAM_2 /I am nice girl that would like to chat with you/
body __NICEGIRL_SPAM_3 /[EMAIL PROTECTED]/
meta CST_NICEGRL_SPAM (((1.0 * __NICEGIRL_SPAM_1) + (1.0 * __NICEGIRL_SPAM_2) + (2 * __NICEGIRL_SPAM_3)) > 1)
score CST_NICEGRL_SPAM 7.0
describe CST_NICEGRL_SPAM Want-to-chat SPAM

With this, the first two rules have to match for it to trigger, or the 3rd rule by itself can trigger it too (email link to TheHealCare.info). Works rather well, haven't seen any of that spam lately.

Matching phrases works really well in SA but you have to watch out for the spammers that are onto changing the way words are spelt, and intentionally mis-spelling words to bypass rules, hence the (tired|bored) part may need to become (tireed|tired|bored) etc.

Cheers, Mike
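Added example, not from the list or from SpamAssassin itself: a small Python re-implementation of the CST_NICEGRL_SPAM meta expression above, run over constructed message bodies, showing which combinations of the three __ sub-rules push the weighted sum over 1 (including rule 3 firing on its own) and how the (tireed|tired|bored) extension mentioned at the end changes the result. The address in rule 3 is redacted on the page, so a pattern on the TheHealCare.info domain the post names stands in for it; the groups use the non-capturing (?: form from the perlre thread above, which matches the same text without keeping a backreference.

```python
import re

# Sub-rules from the post (SpamAssassin "body" rules run over the decoded text
# body; plain strings stand in for it here). Groups use the non-capturing
# (?:...) form: same match, no backreference kept.
SUB_RULES = {
    "__NICEGIRL_SPAM_1": re.compile(r"Hello! I am (?:tired|bored) this afternoon"),
    "__NICEGIRL_SPAM_2": re.compile(r"I am nice girl that would like to chat with you"),
    # The page redacts the address in rule 3 as [EMAIL PROTECTED]; the post says
    # it is an address at TheHealCare.info, so match any local part there.
    "__NICEGIRL_SPAM_3": re.compile(r"[^\s@<>]+@TheHealCare\.info", re.I),
}

# Weights and threshold straight from the meta expression:
# (((1.0*R1) + (1.0*R2) + (2*R3)) > 1)
META_WEIGHTS = {"__NICEGIRL_SPAM_1": 1.0, "__NICEGIRL_SPAM_2": 1.0, "__NICEGIRL_SPAM_3": 2.0}
META_THRESHOLD = 1
META_SCORE = 7.0  # score CST_NICEGRL_SPAM 7.0

# Variant of rule 1 as the post suggests, catching the "tireed" respelling.
HARDENED_RULES = dict(SUB_RULES)
HARDENED_RULES["__NICEGIRL_SPAM_1"] = re.compile(
    r"Hello! I am (?:tireed|tired|bored) this afternoon")


def sub_rule_hits(body, rules=SUB_RULES):
    """Which __ sub-rules match; on their own they add nothing to the score."""
    return {name: bool(rx.search(body)) for name, rx in rules.items()}


def meta_value(hits):
    """The weighted sum inside the meta expression."""
    return sum(w for name, w in META_WEIGHTS.items() if hits.get(name))


def meta_score(body, rules=SUB_RULES):
    """7.0 when the meta fires (weighted sum strictly greater than 1), else 0."""
    return META_SCORE if meta_value(sub_rule_hits(body, rules)) > META_THRESHOLD else 0.0


# Constructed sample bodies (not real messages).
SAMPLES = {
    # both phrases plus the contact address: 1 + 1 + 2 = 4 > 1, fires
    "spam": ("Hello! I am tired this afternoon. I am nice girl that would like to "
             "chat with you. Email me at anna@thehealcare.info only."),
    # first phrase alone: 1.0 is not > 1, so a lone "bored this afternoon" is safe
    "phrase_1_only": "Hello! I am bored this afternoon. Fancy a game of chess?",
    # address alone: 2 > 1, so rule 3 by itself fires the 7-point meta, which is
    # worth knowing before a domain that also sends legitimate mail goes in there
    "address_only": "Send the minutes to ops@TheHealCare.info by Friday.",
    # spammer-style respelling: rule 1 misses, only rule 2 hits -> 1.0, no fire
    "misspelt": ("Hello! I am tireed this afternoon. I am nice girl that would "
                 "like to chat with you."),
}


def main():
    for label, body in SAMPLES.items():
        print(f"{label:14s} original={meta_score(body):3.1f} "
              f"hardened={meta_score(body, HARDENED_RULES):3.1f}")


if __name__ == "__main__":
    main()
```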
RE: Rule for Russian character sets
> -Original Message-
> For the most part you can match any character by the appearance of the
> character. Any character with special meaning needs to be escaped in some
> way. The easiest way is usually with a backslash, but in some cases you can
> also do it by making it a member of a character class.
>
> So for your question mark case, you could do \? or [?], as most of the special
> characters lose their meaning in a character class. The exceptions are
> obviously right bracket, backslash, and dash becomes special if it isn't the
> first character.
>
> > /\=\?koi8\-r\?/

This is what I'd set up originally, except when I ran it past a RE interpreter the results were just.. wrong. I do think it would work, however, and will be testing it on a Virtual Machine today to be sure.

> This should work. You don't need to escape the dash, and I'm pretty sure
> you don't need to escape the equal sign; just the question mark.
>
> Also, you may want to handle this in both uppercase and lowercase, so you
> could do
>
> /=\?koi8-r\?/i
>
> And you probably don't need the = sign to get reasonably reliable
> matching.

Ah, this is the bit I was unsure about, limiting how many characters are escaped. I would tend towards the fully escaped one myself, I just wouldn't trust non-escaped = and ? signs. But that's probably got to do with some bad history with Spamassassin :)

Thanks for reinforcing some points with RE that needed to be (:

Cheers, Mike
FW: Rule for Russian character sets (=?koi8-r? not quite acharset)
-Original Message-
> > We don't want to "only allow" the English locale, because we (here at
> > my work) do not want our international clients (non Russian) to be
> > denied email service.
>
> ok_locales en ja ko th zh
>
> This will allow anything but Cyrillic char sets. Please note that en
> does *not* mean "English locale" despite its name. It applies to all
> Western charsets, including German Umlauts, Swedish, French, Turkish,
> etc. Basically everything that uses the characters in this post, plus
> language specific chars.

OK, now we're talking turkey. Thanks for providing the much needed clarity on ok_locales. I may just employ that technique yet, pending whether we get any more Russian spam through the gates.

> Sorry, I did not mean to troll nor any kind of offense.

You have my apologies, as being a Friday afternoon, I was pretty sick of work and shouldn't have taken it out on you or the list. Sorry.

> However, you missed my point. Getting detailed with REs is a good thing,
> sure. I was not about that -- but the RE in question does not properly
> handle charset encoding. See the Subject for an example which is not
> encoding, but will be matched by your rule.
>
> My point was, that the rule discussed aims at being something that it
> unfortunately is not, because charset encoding is slightly more complex
> and definitely requires a closing part. A Regular Expression that does
> this can be found in check_for_faraway_charset_in_headers() in
> HeaderEval.pm:
>
> $hdr =~ /=\?(.+?)\?.\?.*?\?=/g
>
> Hence my re-inventing the wheel analogy. And these wheels are quite
> flexible, too. ;-)
>
> Also, your rule applies to the Subject only, whereas ok_locales does
> check all MIME parts and will trigger on Russian spam with a "western"
> Subject.

The RE in question (my one) was not just written for subject, but a separate rule was written for the raw From: line as well.

As we only score spam here and leave filing it to the MUA (unless a score of 25 is reached, where SA bins it), scoring against the Subject and From lines makes OK sense, because if you used simply (=?koi8-r?) in the subject it would not score high enough on its own to be filtered or blocked. (I'm trying to employ what I've learned from the SA webpage about writing multiple low-scoring rules, instead of a few big-scoring ones). I can see it is flawed, but have to also admit that it is working rather well at the moment. Mind you, I have taken the time to translate some of the Russian Spam, work out spammy phrases, and then quote those phrases to be scored against by SA.

> Hope this clarifies my previous posts and is appreciated again...

Your posts are appreciated, and sorry for the mean comment.

Cheers, Mike
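Added example, not from the list or from SpamAssassin: a Python comparison of the Subject-only /=\?koi8-r\?/ pattern with the HeaderEval.pm encoded-word RE quoted above, run over constructed Subject values (including one built from this thread's own literal "=?koi8-r? not quite a charset" text), plus a reduced ok_locales-style charset lookup. The charset-to-locale table is an assumption standing in for SpamAssassin's real one, and the encoded-words are generated at run time so no opaque blob is hard-coded.

```python
import base64
import re
from email.header import decode_header

# The Subject-only pattern discussed in the thread: it only needs the opening
# "=?koi8-r?", so literal text that merely looks like the start of an
# encoded-word satisfies it.
NAIVE_KOI8 = re.compile(r"=\?koi8-r\?", re.I)

# The pattern quoted from HeaderEval.pm: charset, one encoding character, the
# payload, and the mandatory closing "?=" of an RFC 2047 encoded-word.
ENCODED_WORD = re.compile(r"=\?(.+?)\?.\?.*?\?=")

# Constructed, much-reduced charset -> locale table standing in for the one
# ok_locales consults inside SpamAssassin (an assumption, not the real table).
# "en" covers the Western charsets, as the reply above points out.
CHARSET_LOCALE = {
    "us-ascii": "en", "iso-8859-1": "en", "iso-8859-15": "en", "windows-1252": "en",
    "koi8-r": "ru", "koi8-u": "ru", "windows-1251": "ru", "iso-8859-5": "ru",
    "iso-2022-jp": "ja", "shift_jis": "ja", "euc-jp": "ja",
    "euc-kr": "ko", "gb2312": "zh", "gbk": "zh", "big5": "zh", "tis-620": "th",
}


def naive_hit(header_value):
    """True whenever the Subject-only pattern would fire."""
    return bool(NAIVE_KOI8.search(header_value))


def encoded_word_charsets(header_value):
    """Charsets of complete encoded-words only, lower-cased."""
    return [cs.lower() for cs in ENCODED_WORD.findall(header_value)]


def faraway_charsets(header_value, ok_locales=("en",)):
    """Charsets whose locale group is outside ok_locales (unknown ones count as far away)."""
    return [cs for cs in encoded_word_charsets(header_value)
            if CHARSET_LOCALE.get(cs, "??") not in ok_locales]


def stdlib_charsets(header_value):
    """Cross-check: charsets the standard library's RFC 2047 parser finds."""
    return [cs.lower() for _, cs in decode_header(header_value) if cs]


def encoded_word(text, charset):
    """Build a genuine B-encoded encoded-word at run time (no hard-coded blob)."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{payload}?="


# Constructed sample Subject values.
LITERAL = "Rule for Russian character sets (=?koi8-r? not quite a charset)"
RUSSIAN = encoded_word("Привет", "koi8-r")
WESTERN = encoded_word("Grüße aus Köln", "iso-8859-1")
MIXED = WESTERN + " " + RUSSIAN


def main():
    for label, subj in (("literal", LITERAL), ("russian", RUSSIAN),
                        ("western", WESTERN), ("mixed", MIXED)):
        print(f"{label:8s} naive={naive_hit(subj)!s:5s} "
              f"charsets={encoded_word_charsets(subj)} faraway={faraway_charsets(subj)}")


if __name__ == "__main__":
    main()
```

The literal Subject trips the naive pattern but yields no encoded-word and therefore no far-away charset, while the mixed Subject shows the proper RE picking out only the koi8-r part once "en" is allowed.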