Catch-22 unsubscribing from this list.
There doesn't seem to be a web interface to subscribe/unsubscribe from this list. The email address users-unsubscr...@spamassassin.apache.org complains that my IP address is dynamic (which is why I use dyndns.org, thank you very much.) And on that subject, am I the only person who thinks that blocking by IP address block is inefficient, brute force, and prone to both false positives and false negatives? I'm setting up filters (ironically using spamassassin) to block this list, but frankly it strikes me as impolite to filter this list - isn't there a way to unsubscribe?

Mike-
Re: flooded with jr* spam
On Thu, 07 Feb 2008 12:51:51 +0100, you wrote:
> Michael W Cocke wrote:
>> They use DHCP. Netops has to trace it, and I seem to be about 5Kth on the list. sigh Ironic as hell, considering the effort I put into avoiding MIT netops about 20 years ago.
> But you should be able to run tcpdump locally on your own machine? Unless the address changes rapidly, you catch one such ICMP then report the IP to your netops guys.
> /Per Jessen, Zürich

All that shows is their external address. They use NAT. Anyway, it's academic - netops seems to have found it and pulled it offline.

Mike-
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
Re: flooded with jr* spam
I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice per second with ICMP packets, and netops can't find who. I had to degrade the logging on my snort-inline because the system was drowning.

Mike-

On Tue, 5 Feb 2008 13:58:30 -0500, you wrote:
> Has anyone else noticed a similar pattern or does someone out there hate me? :) The top 100 SPAM senders on my network (1 minute snapshot below) are all forgeries starting with jr- or jq-
> The annoying thing is, nothing particularly similar about the SPAM being relayed...
> -Vlad
Re: flooded with jr* spam
They use DHCP. Netops has to trace it, and I seem to be about 5Kth on the list. sigh Ironic as hell, considering the effort I put into avoiding MIT netops about 20 years ago.

Mike-

On Tue, 05 Feb 2008 21:01:04 +0100, you wrote:
> Michael W Cocke wrote:
>> I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice per second with ICMP packets, and netops can't find who
> tcpdump ?
> /Per Jessen, Zürich
Re: flooded with jr* spam
Yes, I do have a lot more detail. It's all been reported to MIT per their procedure. Unfortunately it comes down to whatever is happening is happening in the MIT network, we'll take it from here, have a nice day (Without a pause for breath even) Up to a large point I have sympathy for them - it's no damn fun finding a specific system on any campus, and MIT is bigger than anything I've seen, even Berkeley.

Mike-

On Tue, 5 Feb 2008 20:09:10 + (GMT), you wrote:
> the inline snort station should show some more detail. do you have access to your routers and switches ?
> Regards,
> --
> --[ UxBoD ]--
> // PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
> // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
> // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
> // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]
>
> - Michael W Cocke [EMAIL PROTECTED] wrote:
>> I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice per second with ICMP packets, and netops can't find who I had to degrade the logging on my snort-inline because the system was drowning. Mike-
>> On Tue, 5 Feb 2008 13:58:30 -0500, you wrote:
A rule for empty body and pdf attachment??
These blasted PDF spams are driving me mad! Any ideas for a rule that would trip if there's no text in the body, just a PDF attachment ? (I'm using the PDFinfo plugin now, but I don't really understand it) Thanks!

Mike-
Re: A rule for empty body and pdf attachment??
Thanks, both of you. Looks like an update to pdfinfo snuck out while I wasn't looking. I've made the adjustments.

Mike-

On Thu, 2 Aug 2007 10:39:20 +0200, you wrote:
> Michael W Cocke [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> These blasted PDF spams are driving me mad! Any ideas for a rule that would trip if there's no text in the body, just a PDF attachment ? (I'm using the PDFinfo plugin now, but I don't really understand it) Thanks! Mike-
> If you're using the PDFinfo plugin, you should see a rule called GMD_PDF_EMPTY_BODY on those spams - it should fire on any message containing a PDF and a blank body. Obviously you can modify that rule's score if you want to make it higher, or meta it with other rules. Also make sure you're using the latest version of the plugin and the associated .cf file from www.rulesemporium.com/plugins.htm.
> Cheers, Jeremy
announce: urlx utility for spamassassin
Most systems that I'm familiar with nowadays have the users put spam emails that manage to get past the filters into a special folder (directory) so they can be examined, in order to make the spam filter system more effective. In pursuit of that idea, I've written urlx. Urlx is designed to extract urls, both clear and obfusticated, from those spam emails and convert them into SpamAssassin rules automatically (Note: When I say automatic, I still expect a human to apply a sanity check somewhere). Urlx is not yet released to the general public, but if you're interested in helping test, please drop me an email.

Mike-
Using SA code to extract URLs ?
I was told a while back that the best way to extract urls from emails was to use code from SpamAssassin. Ok - Now, I need to do just that. Any pointers? I've looked thru the code in SpamCopURI, but unless there are some docs hidden somewhere I can't even figure out the entry point. Are there some docs hidden somewhere (I hope!)? Thanks! Mike-
Re: Why won't imageinfo.pm work with SA 3.17? - access
On Mon, 27 Nov 2006 01:16:42 -0500, you wrote:
> loadplugin Mail::SpamAssassin::Plugin::ImageInfo ImageInfo.pm

That was it, thanks!

Mike-
Re: Newbie Question
For what it's worth, on the system here I have a special directory on the server set up, and when the users get a spam message they do a 'save as ascii text file' to that directory. sa-learn runs thru that directory every half hour. Just a thought.

Mike-

On Fri, 24 Nov 2006 15:39:35 +, you wrote:
> Matt, Thank you, that makes things a lot clearer, is there any way to utilise forwarded messages or is it a lost cause? Thanks Andrew
>
> On Fri, 2006-11-24 at 10:22 -0500, Matt Kettler wrote:
>> Andrew Sykes wrote:
>>> Hi, I'm writing some code to integrate SpamAssassin with Apache JAMES. I want to setup an address to allow me to pipe spam into sa-learn. I have a prototype of this working fine, but would like to allow various webmail client users to be able to forward spam messages to this address. As I have very limited understanding of how SA works, I don't want to end up blocking the forwarding addresses. If I whitelist the forwarding addresses, can I then simply pipe a forwarded spam from that address into sa-learn or is there more to it?
>>
>> There's MUCH more to it.. In fact, whitelisting won't really affect what sa-learn does at all. Generally speaking, forwarded messages are mostly useless to sa-learn. Exactly how useless depends a bit on the mail client..
>>
>> SA tokenizes MANY mail headers, including Received:, not just From: and To. All the headers in a forwarded message are completely new, thus the sa-learn process will be learning the headers generated by forwarding, and not spam.
>>
>> SA also tokenizes the body of the message. However, most mail clients substantially modify the body of the message when you forward. Generally speaking they only preserve one of the mime sections in a multipart/alternative message. Spammers FREQUENTLY have text/plain sections which are dissimilar from the text/html. By forwarding you're losing all but one mime section (generally text/html is kept).
>>
>> On top of this, most mail clients also insert Forwarded message: type text into the body, and add Fwd: to the subject.
>>
>> SA also tokenizes the in-body mime headers describing how the message was encoded. However, when you forward, the mail client doing the forward re-encodes things its own way. What might have been base64 encoded may now be quoted-printable, 8 bit, or 7 bit.
>>
>> So, fundamentally, as far as bayes is concerned the forwarded message is a completely different message than the original spam.
>>
>> You can try this sometime by taking an original spam, and a forwarded version of it and feed them both to spamassassin or sa-learn with -D bayes added. This will cause the debug output to list all the tokens used. Take a look at the tokens... some are the same, but many are different.
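The effect described in the quoted explanation above, as an added example that is not part of the thread: a constructed spam and a constructed forward of it are tokenized and compared. The tokenizer is a simplified stand-in written for this illustration, not SpamAssassin's Bayes tokenizer, and all addresses and hosts are made up.

```python
import re
from email.message import EmailMessage

WORD = re.compile(r"[a-z0-9]{3,}")
HEADERS = ("received", "from", "to", "subject")


def build_original():
    """Constructed spam: the text/plain decoy differs from the text/html payload."""
    msg = EmailMessage()
    msg["Received"] = ("from relay.spam.example ([192.0.2.55]) by "
                       "mx.victim.example; Fri, 24 Nov 2006 09:00:00 +0000")
    msg["From"] = "Deals <promo@spam.example>"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Limited offer"
    msg.set_content("quarterly meeting notes attached regards", cte="base64")
    msg.add_alternative("<html><body>cheap pills click here</body></html>",
                        subtype="html", cte="base64")
    return msg


def build_forwarded(original):
    """What a typical client sends on Forward: new headers, one MIME part kept,
    a 'Forwarded message' banner added, and the body re-encoded."""
    html = original.get_body(preferencelist=("html",)).get_content()
    fwd = EmailMessage()
    fwd["Received"] = ("from webmail.victim.example by mx.victim.example; "
                       "Fri, 24 Nov 2006 09:05:00 +0000")
    fwd["From"] = "user@victim.example"
    fwd["To"] = "spam-report@victim.example"
    fwd["Subject"] = "Fwd: " + str(original["Subject"])
    fwd.set_content("---------- Forwarded message ----------\n" + html,
                    subtype="html", cte="quoted-printable")
    return fwd


def tokens(msg):
    """Simplified tokens: header words, body words, and per-part MIME encoding."""
    toks = set()
    for name, value in msg.items():
        if name.lower() in HEADERS:
            for word in WORD.findall(str(value).lower()):
                toks.add("hdr:%s:%s" % (name.lower(), word))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip the multipart container itself
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
        toks.add("mime:%s:%s" % (part.get_content_type(), cte))
        text = re.sub(r"<[^>]+>", " ", part.get_content())
        toks.update(WORD.findall(text.lower()))
    return toks


def compare(original, forwarded):
    """Tokens lost and gained by forwarding, plus the Jaccard overlap."""
    a, b = tokens(original), tokens(forwarded)
    return {"lost": a - b, "added": b - a, "jaccard": len(a & b) / len(a | b)}


if __name__ == "__main__":
    spam = build_original()
    result = compare(spam, build_forwarded(spam))
    print("lost :", sorted(result["lost"]))
    print("added:", sorted(result["added"]))
    print("overlap: %.2f" % result["jaccard"])
```

The lost set holds the relay's Received tokens, the whole text/plain decoy and the base64 encoding markers; the added set holds the forwarder's own headers, the banner and the quoted-printable marker.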
Why won't imageinfo.pm work with SA 3.17? - access
I can't get the imageinfo plugin to load with SA 3.17? I put this in v310.pre

loadplugin Mail::SpamAssassin::Plugin::ImageInfo

The Imageinfo.pm file is in the same directory as other PM files that are being correctly found, and when I try a spamassassin --lint, I get

[5522] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at (eval 80) line 1.
[5522] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method new via package Mail::SpamAssassin::Plugin::ImageInfo at (eval 81) line 1.

What am I missing?

Mike-
Re: blarsbl
On Tue, 21 Nov 2006 10:29:15 -0600, you wrote:
> Has anyone had any dealings with this guy. I take my mail server very seriously. Further I take spamming very seriously in general. Even when I detect one of my customers sending spam I disable their internet until the problem is resolved
> The guy that runs the blarsbl list wants to charge my company 1500$ to remove our mail server from his list. When it was listed there for no good reason. I checked my mail logs going back 6 months there wasn't a single email sent nor received from this guys domain and or ip block. It would seem to me he's nothing more than a petty extortionist.

He is. My system is on his list too, which is pretty amazing when you consider that my mail server supports 3, count them, 3 users - myself, my wife, and my 10 year old son - and he's somehow determined that my site hosts spammers. I ignore him.

Mike-
amavisd-new or mailscanner?
I started out using amavisd-new then switched to MailScanner as my mail tester 'framework' (SpamAssassin has been a constant) Looking thru the docs of Mailscanner, it doesn't come out and SAY that it just does the 'basic' spam test features, but reading between the lines it seems to - I have a feeling that amavisd worked better, but that's completely subjective... Does anyone have an opinion?

Mike-
Re: [OT] Re: Fw: failure notice / spaassassin.apache.org
On Mon, 2 Oct 2006 23:31:57 +0200 (CEST), you wrote:
On Fri, September 29, 2006 19:59, Andreas Pettersson wrote:
It looks like you are listed in spamcop and apparently Comcast is either using spamcop or they have their own list that is blocking you.
Comcast themselves are using a spam filter? (Let me taste that line one more time...) Comcast themselves are using a spam filter? Then why aren't they using one to block their own customers from spamming the rest of the world?

FYI, Comcast just resells a 'white label' service from ATT / SBC, and there is indeed a group at ATT research south that monitors spam activities. Sometimes they have to decide between the customer who's sending the spam and the customers who are receiving it, is all... I recently interviewed for a job in that group. Didn't get it, but I learned a few things during the 4 hour interview. I recommended they look into SA, BTW.

Mike-
Please sanity check these ideas for rules.
I've got every ruleset blacklist available and I'm still getting buried - the bayes poison in all of the recent spam has wrecked that. Does anyone see a reason why I can't assume messages with blank subjects are junk? Also, I've got an idea about maybe doing an nslookup on the envelope sender domain and junking anything without an entry. I'm probably missing something that I should consider, especially on that last one. Would anyone care to educate me what I'm missing? Thanks!

Mike-
Re: Please sanity check these ideas for rules.
On 31 Aug 2006 20:39:47 -, you wrote:
> On Thu, 31 Aug 2006, Michael W Cocke wrote:
>> I've got every ruleset blacklist available and I'm still getting buried - the bayes poison in all of the recent spam has wrecked that. Does anyone see a reason why I can't assume messages with blank subjects are junk?
> maybe add a point for missing subject, but some automatically generated messages (print queue failure, etc) have blank subjects, and lots of nubies forget to add a subject.

That's exactly why I asked here - I didn't think of error messages. Thanks!

>> Also, I've got an idea about maybe doing an nslookup on the envelope sender domain and junking anything without an entry.
> Um, why aren't you already doing this at the SMTP-MTA level? Checking for a valid sender domain has been SOP for years.

I am, but not quite the way I'm thinking of doing it now.

> One caveat, do a temp-fail (451) not a hard-fail for domain lookup failure, occasionally DNS servers do get constipated. ;) I made that mistake once, several years ago, M$ had all their primary DNS servers on -one- subnet, had a router failure and they all went MIA. My MTAs started bouncing all hotmail. ;()

LOL - can't say I'd miss hotmail, but I take your point. Thanks everyone.

Mike-
sa-stats ver 6256 w/SA 3.1
I never looked in the tools directory before, but I just noticed sa-stats. (sa-stats version 6256, SA version 3.10). I tried running it, and got all zeros for every number. Is there an init step that's non-obvious (I set the config info up), or did this version not work? It's not a priority - SA is working perfectly! - it would just be something to show the users.

Mike-
Re: AWL growing too large
On Wed, 15 Mar 2006 18:24:41 -0500, you wrote:
> jdow wrote:
>> OK, when the storage structure of the tarball based package you want changes how do you extirpate the old and insert the new without the rather depressingly familiar dual SpamAssassin install? (Not that the package systems like RPM always get it right. They do better than most if you stick with the RPMs.)
> The depressingly familiar dual install for install-from-tarball users only comes about when you don't build the same way. i.e.: if you built with PREFIX=/usr one time, make sure you pass the same *every* time. I've been building from source tarball since SA 2.40 and I've never had a dual-install problem when installing this way. On the other hand back in 2.31 era I was using cpan, and I *did* get a dual install once. However that was CPAN deciding to install a whole new copy of perl to put SA into because the required perl version was screwed up. After that I ditched CPAN and went to pure tarball installs and have never regretted it.

You could never convince me to do that - the CPAN install facility is just too useful for me to do anything that would impede my using it! (Was that a sentence? it's too early here.) I install anything perl from either CPAN or source tarball, in that order. I've never gotten into a dual-install problem (if I understand your use of the term) that I couldn't straighten out fairly easily, and as a half-assed perl hacker I treat it as a learning experience.

Mike-
[OT] postfix and MailScanner?
I just heard (on this list, which is why I'm following up here) that it is possible to use MailScanner with Postfix. Could someone who is please email me (my address is unmunged) a working main.cf master.cf? I tried all day, but I'm missing something. Thanks!

Mike-
Re: Amavisd replacement suggestion
On Tue, 7 Mar 2006 14:10:26 -, you wrote:
> Shane
> Have a look at MailScanner as an alternative to amavisd - it's nice to have a choice isn't it..

My understanding is that mailscanner doesn't work safely with postfix. (IIRC someone on this list told me that when I first encountered mailscanner and was going to switch from amavisd myself.) What problems are you having with amavisd? Since it's written in perl it's actually pretty straightforward to make mods to it.

Mike-
Re: Amavisd replacement suggestion
On Tue, 7 Mar 2006 15:04:11 -, you wrote:
> Works fine with postfix...
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:politicss=politics

Thanks Martin - very interesting! When I first heard of mailscanner I was very excited - I've been using Amavisd-new forever, but I'm not exactly in love with it. When I was told mailscanner didn't work with postfix I was very disappointed... Guess I should have checked further.

Mike-
Re: What do these messages with -D mean?
On Sun, 12 Feb 2006 15:11:12 -0800, you wrote:
> I ran spamassassin -D and got the following in the debug output. Is this a problem? If so what should I do?
> [27299] dbg: bayes: no dbs present, cannot tie DB R/O: /var/spool/MIMEDefang/mimedefang-bayes_toks
> [27299] dbg: bayes: not scoring message, returning undef
> [27299] dbg: bayes: opportunistic call attempt failed, DB not readable

Your bayes database isn't present (or you have a permission problem, or your dbg was compiled wrong). I can tell you're using Mimedefang and Spamassassin, but that's as good as my telepathy gets this morning. If you can't figure out how to fix it yourself we'll need details to help more.

Mike-
Re: Xtracting urls from saved spams making SA rules - xurl001.pl
*Apologies if you've already seen this - I can't find any indication that it sent when I hit send and I'm fooling with a new mail client*

On Fri, 10 Feb 2006 11:21:25 -0500, you wrote:
> I think I know a bit about extracting URLs from spam ;)

A bit. massive understatement

> It is pretty damn complicated. A lot of tricks they play, like www.amazon.com.buy-my-drugs-com.optelnd.net Then you have hex and decimal links to deal with. And yeah, they do pepper the spam with legit urls. What about Akamai image links? It was common to see 20 links in a spam, and only one was the evil one you wanted. Automation without a LOT of checks and balances = FPs. You have to have a LOT more autoresearched evidence than just that they are contained in a spam. But hey! A+ for effort! It's a start, and it will always get better.

xurl is designed to deal with the rare spam that makes it thru my SA/amavisd/clam setup... In the (relatively small) sample of spams I worked from (not much makes it thru all that), I didn't encounter anything xurl would create FPs from - mainly what makes it thru my current setup is one or two lines of glop (bayes poison) and an url. xurl is only designed to clean up the dust behind SA - in NO WAY is it supposed to be a front line defense.

Mike-
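The normalisation problems named in the quoted reply above (a borrowed name used as a left-hand label, decimal and hex hosts, legitimate URLs mixed in), as an added example that is not from the thread and is not xurl's code. The sample body is constructed, `WATCHED` is a hypothetical list, 192.0.2.1 is a documentation address, and the last-two-labels domain is a deliberate simplification.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample body, not a real message.
SAMPLE_BODY = (
    "Order now http://www.amazon.com.buy-my-drugs-com.optelnd.net/offer\n"
    "mirror: http://3221225985/a or http://0xC0000201/b\n"
    "see http://%77%77%77.example.net/c and http://www.amazon.com/help\n"
)

WATCHED = ("amazon.com",)  # hypothetical list of names that get borrowed
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def numeric_host_to_ip(host):
    """Decode a host written as one decimal or hex integer to dotted-quad."""
    if re.fullmatch(r"0x[0-9a-f]{1,8}", host, re.IGNORECASE):
        value = int(host, 16)
    elif re.fullmatch(r"\d{1,10}", host):
        value = int(host)
    else:
        return None
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        return None  # does not fit in 32 bits, so not an IPv4 address


def analyse(url):
    """Return the normalised host, the key to match on, and any borrowed name."""
    host = unquote(urlsplit(url).hostname or "").lower().rstrip(".")
    ip = numeric_host_to_ip(host)
    if ip is None:
        try:
            ip = str(ipaddress.IPv4Address(host))  # already dotted-quad
        except ipaddress.AddressValueError:
            pass
    if ip is not None:
        return {"host": ip, "key": ip, "decoy": None}
    # Naive registrable domain: the last two labels. Real tooling needs the
    # Public Suffix List to handle names such as example.co.uk.
    key = ".".join(host.split(".")[-2:])
    decoy = None
    for name in WATCHED:
        inside = host.startswith(name + ".") or ("." + name + ".") in host
        if inside and key != name:
            decoy = name  # watched name appears only as a left-hand label
    return {"host": host, "key": key, "decoy": decoy}


def review_table(body):
    """Map each URL found in body to its analysis, for a human to check."""
    return {url: analyse(url) for url in URL_RE.findall(body)}


if __name__ == "__main__":
    for url, info in review_table(SAMPLE_BODY).items():
        print(url, "->", info)
```

The last sample URL is the false-positive case from the thread: its key is a legitimate domain, which is why the output is a review table for a human rather than a rule.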
Xtracting urls from saved spams making SA rules - xurl001.pl
It's absolutely not finished, but attached is a quick perl hack I'm using to read thru a directory of saved spam (text files), extract urls and automatically build SA rules for them. It's not debugged thoroughly and I have a few more things to add, but I know I'm not the only person who can use this.

Mike-
Re: spam still isn't being caught much.
On Tue, 07 Feb 2006 18:58:08 +0100, you wrote:
> I know that SuSE had -L as default at one point in time. Just remove the '-L' part.

It still does as of 10.0, Bog knows why. And as of 9.3 it was an incredibly poor idea to allow YaST to update SpamAssassin.

Mike-
(Amavisd-new, f-prot, clam, SpamAssassin, postfix, and now Snort-Inline. The next step is to unplug the network.)
Re: Is this really eBay?
On Sat, 8 Oct 2005 12:45:14 +0200, you wrote:
> Hi, is this an eBay e-mail? All the links are going to mediaplex.com, that's what makes me ask. I've put the e-mail here: http://zmi.at/x/ebay.txt
> small part of e-mail
> Sammeln und Seltenes: http://ebay.de.mediaplex.com/ad/ck/1066-24214-7834-45?id=04
> Briefmarken http://ebay.de.mediaplex.com/ad/ck/1066-24214-7834-45?id=05
> small part of e-mail
> Thanks for checking. mfg zmi

Did you happen to check with ebay security? http://pages.ebay.com/securitycenter/?ssPageName=home:f:f:US Third menu choice down - spoof 'fake' email. Rather than ask a bunch of folks who can make educated guesses, you might as well ask the people who can tell you for certain.

Mike-
--
Mornings: Evolution in action. Only the grumpy will survive.
Rule: envelope to header to - help?
Does anyone have a rule to check the envelope To: against the header to: ? I'm sure that there's a reason why it's allowed to be different, but it doesn't apply here, and almost half of the spam that gets thru everything else would get stopped by that. Thanks!

Mike-
Re: MSExec plugin?
On Tue, 26 Apr 2005 15:53:42 -0400, you wrote:
> On Tue, Apr 26, 2005 at 03:36:46PM -0400, Michael W Cocke wrote:
>> I'm in the middle of rebuilding my mail server from scratch, and I just came across a reference to an SA plugin that doesn't seem to be available anymore - MSExec. More out of curiosity than anything else, what happened to it/the author?
> MSExec never existed for 3.0, it was only ever included in the 3.1 development tree. At last check it got renamed AntiVirus: http://svn.apache.org/repos/asf/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm I don't believe there's anything 3.1 specific in there, but YMMV. :)

Thanks! I wonder how the heck it got installed in my previous 3.0.2? No I don't... not really. Pulling old config files from a backup and upgrading/reconstructing everything is SUCH fun!

Mike-
MSExec plugin?
I'm in the middle of rebuilding my mail server from scratch, and I just came across a reference to an SA plugin that doesn't seem to be available anymore - MSExec. More out of curiosity than anything else, what happened to it/the author?

Mike-
[OT] Replacement for amavisd-new?
A serious bug seems to have crept into amavis somewhere, or maybe BerkeleyDB - stability has gone to hell. In any case, I'm starting to think about replacing Amavisd. I can't afford to futz around with my email server - it needs to work. Currently I run postfix, amavisd, spamassassin, clam fprot (most recent stable versions of all). Recommendations? Thanks!

Mike-
Re: [OT] Replacement for amavisd-new?
On Mon, 31 Jan 2005 00:08:32 +, you wrote: Michael W Cocke wrote: A serious bug seems to have crept into amavis somewhere, or maybe BerkeleyDB - stability has gone to hell. In any case, I'm starting to think about replacing Amavisd. I can't afford to futz around with my email server - it needs to work. Currently I run postfix, amavisd, spamassassin, clam fprot (most recent stable versions of all). Recommendations? I've been using MailScanner for some 3 years nearly and it's great! Totally reliable. As is the support. http://www.mailscanner.info Thanks! Hmm.. Looks pretty impressive! I think I'll try it tomorrow. Thanks for the tip! Mike-
Re: [OT] Replacement for amavisd-new?
Just for the record and FYI - I found the cause of at least one major problem, and possibly more. SuSE 9.1 ships with the BerkeleyDB built incorrectly! As shipped, it will only support DB_PRIVATE operations, which causes problems with amavisd and possibly nmdb and postfix. You need to recompile BDB 4.2.52 (that version specifically, unless you also want to recompile nmdb and postfix) with --enable-cxx and NOT --enable-posixmutexes. You may also need to recompile perl-BerkeleyDB. I've no idea if other distros also suffer from the same problem. Try 'db_stat -c -h /path-to/a-database' and if it errors out with 'BerkeleyDB is compiled to only support LD_PRIVATE operations' - you have a problem. Mike-
Re: What to do with my spam?
On Mon, 24 Jan 2005 22:11:48 -0500, you wrote: On Mon, Jan 24, 2005 at 09:07:27PM -0600, Thomas Cameron wrote: Does anyone know if there is a way to automagically report messages via spamd, maybe if they score over a certain level? No way. It does checks only. Well, it depends... I have a directory where all false negatives from every user in the system are supposed to be 'saved as' text files, and a cron job that runs thru that directory hourly. Here's part of that job.

    /usr/bin/gunzip /home/spam4sa-learn/*.gz
    cat /home/spam4sa-learn/* | /usr/bin/sa-learn --spam --mbox
    cat /home/spam4sa-learn/* | /usr/bin/razor-report

It works pretty well. The users love it because they feel like they're participating in the process of reducing their spam and not just being cargo. I'd say I get 98% compliance from them - and it does make for fast learning. I also run sa-learn -ham over all of the system mailboxes. Mike- -- If you can keep your head while those around you are losing theirs... You may have a great career as a network administrator ahead!
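A more defensive take on the hourly job quoted in the post above, as an added example that is not part of the original message: it handles each saved file on its own, skips symlinks and an empty directory (users can write to this directory), and moves a file aside only after both tools succeed. The `SA_LEARN`/`RAZOR_REPORT` overrides, the done-directory argument and the one-message-per-file layout (so `--mbox` is dropped) are assumptions of this example.

```shell
#!/bin/sh
# Added example: hourly "learn from user-reported spam" job.
# Tool paths are the ones quoted in the post; the SA_LEARN / RAZOR_REPORT
# overrides and the done-directory are hypothetical knobs added here.
SA_LEARN="${SA_LEARN:-/usr/bin/sa-learn}"
RAZOR_REPORT="${RAZOR_REPORT:-/usr/bin/razor-report}"

# learn_spam_dir DIR DONE_DIR
# Assumes one saved message per file. Prints the number of messages
# processed; returns non-zero if any file could not be handled.
# Cron usage: learn_spam_dir /home/spam4sa-learn /home/spam4sa-learn/done
learn_spam_dir() {
    dir=$1; done_dir=$2; count=0; failed=0
    mkdir -p "$done_dir" || return 2
    for f in "$dir"/*; do
        # Skip the unexpanded glob (empty dir), subdirectories and symlinks:
        # the directory is user-writable, so only plain files are accepted.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        case $f in
            *.gz) gunzip -f "$f" || { failed=1; continue; }
                  f=${f%.gz} ;;
        esac
        # Learn first, report second; keep the file for a retry if either fails,
        # and move it out once done so the next run does not relearn it.
        if "$SA_LEARN" --spam "$f" >/dev/null 2>&1 &&
           "$RAZOR_REPORT" < "$f" >/dev/null 2>&1; then
            mv "$f" "$done_dir/" && count=$((count + 1)) || failed=1
        else
            failed=1
        fi
    done
    echo "$count"
    return "$failed"
}
```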
Re: OT: Crippled Verizon phones
On Sat, 22 Jan 2005 20:47:05 -0800, you wrote: months I had them. Verizon may be annoying, but at least I can use their system. Note that Verizon and Verizon Wireless seem to be separate companies. I got my cell phone from Verizon Wireless before Verizon itself was selling cell phones. I still get separate bills, and pay them to different accounting centers. Comparing the ads in the last bills from each one, the deals from Verizon Wireless in general made more sense, if you actually added up what you would end up paying. Lorne They are indeed separate companies, and have been for at least a year now. That noted, if you want to experience a sharp drop in your wired phone service quality, switch from Verizon to ATT. Ditto cell phone service. Contrariwise, if you want your DSL service to go completely to hell, switch from ATT to Verizon. (Joke I've heard - the reason Verizon DSL gives you the first 3 months free is that that's how long it will take them to get it working properly.) I know too many people who will swear to the truth of that joke. Mike-
Re: OT: Crippled Verizon phones
On Sat, 22 Jan 2005 14:11:26 -0500, you wrote: Chris Santerre wrote: LOL FWIW, the site mentioned in my original post is still UP!! After reading what verizon wireless did with the bluetooth cell phones(1), I've pretty much given up hope that ANYONE in upper management of any verizon company has a clue! The really unfortunate thing is that I end up using Verizon anyway. I hate their business practices but they're the only cell phone company around that has decent coverage in rural areas. ATT, TMobile, and the other digital-only carriers only work when you're in an area with a decent population or within half a mile or so of an interstate highway. They don't work real well there either. I used to use ATT wireless. It was easier to just drive wherever I was trying to call. BADLY overloaded circuits... I think I got maybe 2 calls thru in the 3 months I had them. Verizon may be annoying, but at least I can use their system. Mike-
Heads up! SuSE YOU update broke SA 3.01
Just passing this along so you don't have to kill 2 days trying to figure out why SA suddenly stopped doing anything - I foolishly allowed SuSE auto-update (YOU) to update my Spamassassin. It (in theory) installed version 3.01 (which was already installed and working perfectly). Shortly after, I started receiving TONS of spam. SA-Learn wasn't learning, etc. I reinstalled from CPAN - and everything seems to be working again. I don't know what they broke, but they broke it thoroughly. Mike-
Re: which is the best milter interface for spamassassin?
On Wed, 01 Dec 2004 11:12:27 -0800, you wrote: Matias Lopez Bergero wrote: I'm also running clamav with clamav-milter, and I would like to hit the best performance, that's why I was asking for comments :) The absolute top performance improvement that you can do to your mail server is to get off sendmail. I switched from sendmail to postfix last year. WHOOSH! Currently running postfix/amavisd-new/clam/f-prot/spamassassin - roughly 33% faster than sendmail/Mimedefang/clam/f-prot/spamassassin, on the exact same hardware. And that's not even using the mysql goodies. Mike-
Re: After upgrade
On Sat, 20 Nov 2004 16:58:48 +, you wrote: Hi all, I have just upgraded my SA from 2.63 to 3.0.1, this all running on SuSE 9.1 Pro. But I must have cocked something up, but as to what I have no clue. This is where the community can offer some insight, Please.. Upon restarting the daemon I get the following message :- 'The -a option has been removed. Please look at the use_auto_whitelist config option instead.' From where and where do I insert the new option ?? TIA, Paul /etc/sysconfig/spamd Mike-
[OT] Amavisd memory usage
This is off topic and I apologize, but I really couldn't think of a better place to ask. I'm using Postfix 2.1.5/Amavisd 2.1.2/SA 3.01, and I just noticed something odd. Looking at top, the 5 copies of amavisd (I pre-spawn 4) have different memory usage numbers, with the oldest amavis using the most memory, and decreasing down to the newest copy. Is this normal? I would have expected them to be using the same amount of memory, unless there's a leak somewhere. Mike-
Re: [OT] Amavisd memory usage
Thanks! Mike- On Wed, 17 Nov 2004 12:19:27 -0800, you wrote: yep, it's normal; big/complex messages result in bigger allocations, and those allocs don't get returned to the OS until the process exits. --j. Michael W Cocke writes: This is off topic and I apologize, but I really couldn't think of a better place to ask. I'm using Postfix 2.1.5/Amavisd 2.1.2/SA 3.01, and I just noticed something odd. Looking at top, the 5 copies of amavisd (I pre-spawn 4) have different memory usage numbers, with the oldest amavis using the most memory, and decreasing down to the newest copy. Is this normal? I would have expected them to be using the same amount of memory, unless there's a leak somewhere. Mike-
Re: spamc sanity check failures on Suse 9.1
On Tue, 05 Oct 2004 19:26:54 +0100, you wrote: John Beranek wrote: I've not got a spamassassin RPM installed at. I just installed ^all Note to self: Proofread a sentence after rewording it. :) John. I'm a past master at the obscure typo late at night, so I understood you well enough. Off the top, you need to apply your updates - your kernel is the original that shipped with 9.1. The sanity check message is interesting... how much ram and available disk space have you? It would seem the message stream is being chopped somehow mid-message. Damned if I can see how that happens, unless you're out of storage, or possibly timing out somewhere. More details about your configuration please. Mike-