Re: Whitelist IP Address

2005-03-10 Thread Mike Carlson
I was quite shocked to find out that you couldn't whitelist an IP Address.
It seems like a very simple and expected feature.

Since I have no experience in regex and very little perl experience, I
will just tell our users to deal with the tagged spam coming from our own
webserver. Hopefully this will get added to a future version.

--Mike

-Original Message-
From: "Mikael Hakman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, , "Matt Kettler"
<[EMAIL PROTECTED]>
Date: Thu, 10 Mar 2005 11:39:41 +0100
Subject: Re: Whitelist IP Address

> Wouldn't you all agree that blocking or letting through emails sent from or
> relayed by specified IP addresses and subnets is quite a basic
> functionality? In a sense it is more basic than doing the same with DNS
> names and SMTP addresses because all those names ultimately resolve to IP
> numbers. All communication (routing) on the Internet is done by numbers not
> by names.
> 
> Then why can't we have such a generic rule built into SA? Creating custom
> header rules is ok as long as you want to recognize particular IP host
> addresses and subnets with IP ranges on whole byte boundary. In the general
> case however you have to do bitwise AND between address from SMTP header and
> a subnet mask and compare the result to the result of doing bitwise AND
> between subnet address and the same subnet mask. AFAIK this is not possible
> to do in SA custom header rules unless you find a way to express this as a
> Perl regular expression for pattern matching. Then why can't we have a
> test/rule, say, WHITELIST_NUMERIC_IP and BLACKLIST_NUMERIC_IP that take IP
> number and subnet mask as arguments and does this double AND operation and
> comparison against each IP number from Received headers?
> 
> To all who do not understand why so many people want to work with IP numbers
> rather than with DNS names or SMTP addresses:
> 
> When an SMTP server receives email it knows IP number of the sender (relay).
> It knows it from IP packet header source IP address. This number is
> independent of what sender's SMTP server says he is. This is because both
> SMTP and the underlying TCP require sending IP packets in both directions
> for this reception process to succeed. Therefore at the time an SMTP server
> receives email from an IP then it knows that this IP is real, it exists, and
> is world-reachable through the global routing system. Therefore it can be
> traced and you cannot forge it. Each IP number belongs to a range of IP
> addresses (subnet) managed by a known authority. Each such authority has
> received its IP range from yet another higher known authority etc. until you
> reach the top (RIPE etc). Contrary to DNS names you cannot simply buy or
> register an unrelated IP number and therefore IP numbers are much more
> difficult to forge and easier to trace than names.
> 
> - Original Message - 
> From: "Matt Kettler" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; 
> Sent: Thursday, March 10, 2005 1:55 AM
> Subject: Re: Whitelist IP Address
> 
> 
> > At 07:49 PM 3/9/2005, Mike Carlson wrote:
> >>How do you whitelist an IP address? I want to allow all email from a
> >>specific IP address to pass through the filter without being tagged as
> >>spam.
> >>
> >>I added all 4 IP addresses of the server to the trusted networks list,
> >>but that didn't seem to do it.
> >
> > Pretty much the only way I know of is to make a custom header rule that
> > looks for a Received: header that came from that IP.
> 
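
The double-AND subnet comparison described in the quoted message above, as an added Python example (it is not from the thread and is not SpamAssassin code). The rule names are the ones proposed in that message; the function names, the `hops` parameter and the sample headers are constructed for illustration. Only Received headers stamped by relays you operate can be trusted, since anything lower in the message can be written by the sender; `hops` limits the check to those.

```python
import re

# Bracketed address literal as recorded by the receiving MTA, e.g. "[192.0.2.77]".
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def ip_to_int(dotted):
    """Convert dotted-quad IPv4 text to a 32-bit integer, rejecting bad octets."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted quad: %r" % dotted)
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError("bad octet in %r" % dotted)
        value = (value << 8) | int(part)
    return value


def parse_subnet(spec):
    """Parse 'addr/prefixlen' or 'addr/dotted-mask' into (network, mask) integers."""
    addr, _, suffix = spec.partition("/")
    if not suffix:
        mask = 0xFFFFFFFF  # bare host address
    elif "." in suffix:
        mask = ip_to_int(suffix)
        # A valid mask is a run of 1 bits followed only by 0 bits.
        inverted = mask ^ 0xFFFFFFFF
        if inverted & (inverted + 1):
            raise ValueError("non-contiguous mask: %r" % suffix)
    else:
        bits = int(suffix)
        if not 0 <= bits <= 32:
            raise ValueError("bad prefix length: %r" % suffix)
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask


def in_subnet(ip, network, mask):
    """The double AND: address and subnet must agree on every masked bit."""
    return (ip & mask) == (network & mask)


def received_ips(header):
    """Return the bracketed IPv4 addresses in one Received header as integers."""
    ips = []
    for text in BRACKETED_IP.findall(header):
        try:
            ips.append(ip_to_int(text))
        except ValueError:
            continue  # e.g. [999.1.1.1]: shaped like an address but not one
    return ips


def check_numeric_ip(received, whitelist, blacklist, hops=None):
    """Test Received headers (newest first) against numeric subnet lists.

    hops limits the check to the first N headers, i.e. the ones added by
    relays you operate; None checks every header, as the message proposes.
    The blacklist wins over the whitelist. Returns a rule name or None.
    Rule names are the ones proposed in the message; they are not real
    SpamAssassin rules.
    """
    white = [parse_subnet(s) for s in whitelist]
    black = [parse_subnet(s) for s in blacklist]
    seen = [ip for h in received[:hops] for ip in received_ips(h)]
    if any(in_subnet(ip, n, m) for ip in seen for n, m in black):
        return "BLACKLIST_NUMERIC_IP"
    if any(in_subnet(ip, n, m) for ip in seen for n, m in white):
        return "WHITELIST_NUMERIC_IP"
    return None


# Constructed sample headers, newest first, using documentation address ranges.
SAMPLE_RECEIVED = [
    "from web1.example.com (web1.example.com [192.0.2.77]) by mx.example.net "
    "(Postfix) with ESMTP id 0A1B2C; Thu, 10 Mar 2005 11:39:41 +0100",
    "from localhost (localhost [127.0.0.1]) by web1.example.com (Postfix) "
    "with ESMTP id 3D4E5F; Thu, 10 Mar 2005 11:39:40 +0100",
]

if __name__ == "__main__":
    # 192.0.2.64/26 covers .64-.127, a range that does not end on a byte boundary.
    print(check_numeric_ip(SAMPLE_RECEIVED, ["192.0.2.64/26"], []))
    print(check_numeric_ip(SAMPLE_RECEIVED, ["192.0.2.128/255.255.255.192"], []))
```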




Whitelist IP Address

2005-03-10 Thread Mike Carlson
How do you whitelist an IP address? I want to allow all email from a
specific IP address to pass through the filter without being tagged as spam.

I added all 4 IP addresses of the server to the trusted networks list,
but that didn't seem to do it.

--Mike



Re: sa-learn with lotus notes

2005-01-20 Thread Mike Carlson
** This is a very quick and raw howto. I should spend some time putting 
something webanized together with screenshots and everything. **

I have attached the 3 files I use on my FreeBSD box. GetHam.txt and 
GetSpam.txt are the bash scripts. Pretty straight forward. I also 
attached a copy of my fetchmailrc file so you can get the email from the 
Notes server via POP3. I am sure a bash scripting guru could get this 
into one file, but I don't mind 3 files.

I created a user on my FreeBSD box called spamd. This is the user that 
MIMEDefang is running as.

We created two users on our Notes server called Spam Collector and Ham 
Collector.

We enabled POP3 access to the Notes server so we could download the 
messages via fetchmail.

***
To create the "Report Spam" Action do the following:
In your Notes client, click Create at the top and select Agent
Give it a name. We called ours "Report Spam" and "Report Non-Spam". Our 
users would have no idea what HAM is.

Make sure it is set up as a Simple Action agent.
Add an action to copy documents to a database and select the database 
you want to copy the documents to.

Add an action to delete the documents from the database.
This will copy the message to the SpamCollector database and then delete 
them from the users database.

For the "Report Non-Spam" Action, do the same steps, just leave off the 
delete part. This will allow them to keep the message in the mailbox. 
After all they really did want it.

***
Our Notes guy is out of the office right now, but I will see if I can 
get some instructions from him on how to add the actions to the server 
template that you may be using. I didn't do that part. I had it set up as 
a private agent in my client for a few months before we finally rolled 
it out to the rest of the company through the general template everyone 
is using.

I manually go through the spam and ham collector mailboxes in my Notes 
client to remove any emails that should not be in there. We have a few 
users that use the "Report Spam" action as a delete function so we get 
all kinds of company email in there too.

I then run the bash script while being logged in via ssh as the spamd 
user on my FreeBSD box. I did notice that you have to actually be logged 
in as the spamd user (or whatever you have SA/MIMEDefang running as) and 
not su'd to the spamd user. If you are su'd it learns the spam in your 
logged-in user's bayes databases. There is probably a way around this, 
but I just log in as spamd to avoid any problems.

I could, and did for a while, set these bash scripts up to run through 
cron, but since our users tend to fill the mailboxes with crap I chose 
to run it manually so I can keep the bayes cleaner.

I will try to get something webanized this weekend. I didn't think there 
was much of a need so I never bothered.

If something doesn't make sense, or I am way off, or something can be 
simplified, let me know.

--Mike

Jeffrey Lee wrote:
Sometimes, when we upgrade here, our agents fail to work on the newer
versions... I guess some of them are very complex but I just like to
check. Could you send me that code as well?

I have a RH box but it is being replaced by FDSD soon but I should be
able to take what you have and alter it to work with RH

Thanks,
Jeffrey Lee
reflex8.com

On Jan 20, 2005, at 10:28 AM, Mike Carlson wrote:
We don't use OS X here so I am not sure.
It's just an agent so it will work in almost any version of Notes. We
used it on 5.x for a long time before we recently upgraded to 6.

It's just a simple agent that moves the selected messages to a specific
database.

--Mike

Jeffrey Lee wrote:
Would you happen to know if there is a domino 6.0 app for OS X?
Also is your code exclusive to Notes 6.0 + or will it work on 5.0.9?

On Jan 20, 2005, at 10:05 AM, Mike Carlson wrote:
We created 2 mailboxes on our Notes server called SpamCollector and
HamCollector.

We then set up an Agent in the template that added an action to move
selected untagged spam to the Spam Collector mailbox and copy the
selected HAM messages to the Ham collector mailbox.

I created a bash script on my FreeBSD box that is running SA to log
into the different accounts via POP3 to the spamd account on the SA
box and then runs the learn process.

It works pretty slick.
You have to setup an agent to move or copy the messages to the
databases instead of forwarding them otherwise you lose the headers.

I can provide some code if you want. We are on Notes 6.5 and Domino
6.0.

--Mike

[EMAIL PROTECTED] wrote:
Help...  I need to feed spam and ham to sa-learn.  We are using lotus notes
R5 and I need to get the messages into a format that sa-learn can use.  The
closest I have found is to export messages as "structured text", and this
exports multiple messages as one file, the example below is how they are
exported...  I

Re: sa-learn with lotus notes

2005-01-20 Thread Mike Carlson
We created 2 mailboxes on our Notes server called SpamCollector and 
HamCollector.

We then set up an Agent in the template that added an action to move 
selected untagged spam to the Spam Collector mailbox and copy the 
selected HAM messages to the Ham collector mailbox.

I created a bash script on my FreeBSD box that is running SA to log into 
the different accounts via POP3 to the spamd account on the SA box and 
then runs the learn process.

It works pretty slick.
You have to setup an agent to move or copy the messages to the databases 
instead of forwarding them otherwise you lose the headers.

I can provide some code if you want. We are on Notes 6.5 and Domino 6.0.
--Mike
[EMAIL PROTECTED] wrote:
Help...  I need to feed spam and ham to sa-learn.  We are using lotus notes
R5 and I need to get the messages into a format that sa-learn can use.  The
closest I have found is to export messages as "structured text", and this
exports multiple messages as one file, the example below is how they are
exported...  Is this usable by sa-learn?  Any suggestions?  Thanks for the
advice.

Received:  from p2kwshp1 ([10.67.3.129])  by
psplotp1.transplace.com (Lotus Domino Release 5.0.11)  with SMTP id
2005012009223223:23490 ;  Thu, 20 Jan 2005 09:22:32 -0600
Received:  From smtp.transplace.com ([10.67.100.156]) by p2kwshp1
(WebShield SMTP v4.5 MR1a P0803.345); id 110623455278; Thu, 20 Jan 2005
09:22:32 -0600
Received:  by smtp.transplace.com (Postfix, from userid 1035) id
01B1A11447; Thu, 20 Jan 2005 09:22:31 -0600 (CST)
Received:  from mail.apache.org (hermes.apache.org [209.237.227.199])   by
smtp.transplace.com (Postfix) with SMTP id D786E1146A for
<[EMAIL PROTECTED]>; Thu, 20 Jan 2005 09:22:30 -0600 (CST)
Received:  (qmail 19329 invoked by uid 500); 20 Jan 2005 15:22:09 -
Mailing_List:  contact [EMAIL PROTECTED]; run by ezmlm
Precedence:  bulk
list_help:  
list_unsubscribe:  
list_post:  
List_Id:  
Delivered_To:  mailing list users@spamassassin.apache.org
Received:  (qmail 19226 invoked by uid 99); 20 Jan 2005 15:22:08 -
X_ASF_Spam_Status:  No, hits=0.0 required=10.0
tests=HTML_60_70,HTML_MESSAGE
X_Spam_Check_By:  apache.org
Received_SPF:  pass (hermes.apache.org: local policy)
Received:  from mail.lastar.com (HELO server11.lastar.com) (65.89.139.10)
by apache.org (qpsmtpd/0.28) with SMTP; Thu, 20 Jan 2005 07:22:06 -0800
Received:  from spamfilter.lastar.com ([192.168.70.12]) by
server11.lastar.com (SMSSMTP 4.0.0.59) with SMTP id M2005012010220301455
for ; Thu, 20 Jan 2005 10:22:03 -0500
Received:  from localhost (localhost [127.0.0.1]) by
spamfilter.lastar.com (Postfix) with ESMTP id 9845CEFCE4for
; Thu, 20 Jan 2005 10:22:03 -0500 (EST)
Received:  from spamfilter.lastar.com ([127.0.0.1]) by localhost
(spamfilter [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31569-10
for ; Thu, 20 Jan 2005 10:22:03 -0500 (EST)
Received:  from server24.ctg.com (server24.ctg.com [192.168.74.10]) by
spamfilter.lastar.com (Postfix) with ESMTP id 58550EFCE0for
; Thu, 20 Jan 2005 10:22:03 -0500 (EST)
X_MimeOLE:  Produced By Microsoft Exchange V6.5.7226.0
MIME_Version:  1.0
Subject:  Testing a message
PostedDate:  01/20/2005 09:22:02 AM
$MessageID:  <[EMAIL PROTECTED]>
X_MS_Has_Attach:
X_MS_TNEF_Correlator:
Thread_Topic:  Testing a message
Thread_Index:  AcT/A8r1xq4Lq9KHR4yEJ+GLien6cQ==
From:  "Jason Gauthier" <[EMAIL PROTECTED]>
SendTo:  "SPAMASSASSIN" 
X_Virus_Scanned:  amavisd-new at lastar.com
X_Virus_Checked:  Checked
X_Spam_Checker_Version:  SpamAssassin 2.63 (2004-01-11) on
pfbspmp1.transplace.com
X_Spam_Status:  No, hits=-4.8 required=4.0 tests=AWL,BAYES_00,HTML_MESSAGE
autolearn=ham version=2.63
X_Spam_Level:
$MIMETrack:  Itemize by SMTP Server on psplotp1/com(Release 5.0.11  |July
24, 2002) at 01/20/2005 09:22:32 AM,MIME-CD by Notes Client on Kyle
Reynolds/com(Release 5.0.8 |June 18, 2001) at 01/20/2005 09:44:21
AM,MIME-CD complete at 01/20/2005 09:44:21 AM
SMTPOriginator:
[EMAIL PROTECTED]
$UpdatedBy:
$Orig:
Categories:
$Revisions:
RouteServers:  CN=psplotp1/O=com
RouteTimes:  01/20/2005 09:22:32 AM-01/20/2005 09:22:32 AM
$MsgTrackFlags:  0
DeliveredDate:  01/20/2005 09:22:32 AM
Greetings!
  I'm using SA 3.0.2 with postfix and amavisd.  (so no spamd is running)
A message came in that was not spam that got blocked.  I took it to
sa-learn and learned it as ham.
I want to take the message now and re-score it to see how it holds up.
What is the best way of accomplishing this?
Jason

Received:  from p2kwshp1 ([10.67.3.129])  by
psplotp1.transplace.com (Lotus Domino Release 5.0.11)  with SMTP id
2005012009323090:24101 ;  Thu, 20 Jan 2005 09:32:30 -0600
Received:  From smtp.transplac

RE: Exchange 2003 And Spamassassin

2004-12-15 Thread Mike Carlson
I am running Exchange 2003 with a FreeBSD box running SA as the front end relay 
and I am getting all my headers. If I right click on the message on outlook and 
click Options it has all the scores and everything in there. It also worked 
fine with Exchange 2k.
 
I didn't do anything special to get it to work, it just has.
 
I have about a dozen rules in Outlook that move messages based on the scores in 
the headers as well.
 
If the email is coming into the Exchange 5.5 box and then getting sent to the 
Exchange 2k3 box from the 5.5 box, I would guess the 5.5 box is stripping the 
headers when it moves it to the other server. I'm not sure if you can tell the 
connectors to not munge the headers or not but I would guess that's where the 
problem lies.
 
--Mike



From: Martin Hepworth [mailto:[EMAIL PROTECTED]
Sent: Wed 12/15/2004 3:20 AM
To: Jan Englund
Cc: users@spamassassin.apache.org
Subject: Re: Exchange 2003 And Spamassassin



Jan

Exchange is stripping the headers off. No doubt there's a setting buried
somewhere where you can tell it not to, but I have seen this problem
before in Ex-2000  (for passing emails to a folder for sa-learn to pick
up). Never found a solution, but then I'm not an exchange admin/user
so..probably something to do with group policies..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Jan Englund wrote:
> Hi
> We are running an Exchange 5.5 and Exchange 2003 mixed mode environment.
> Since introducing Exchange 2003 servers we do not get any message
> headers from the spamassassin relay sent to users on the Exchange 2003
> box.
>
> I've seen other people experiencing this but my question is if Exchange
> 2003 is supported by Spamassassin and if so if there is anyone that
> has found a solution to this.
>
> Thanks
> Jan







RE: Move Bayes To New Server

2004-12-07 Thread Mike Carlson
Yeah it's all site wide. The email is relayed back to a backend exchange
server at home and a backend Notes server at work.

--Mike

-Original Message-
From: Gary W. Smith [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 06, 2004 9:01 PM
To: Mike Carlson; SpamAssassin Users
Subject: RE: Move Bayes To New Server

We use site wide only DB's.  If that's what you use as well, and your
work, then I don't see that much of a problem.

Gary

> -Original Message-
> From: Mike Carlson [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 06, 2004 7:02 PM
> To: Gary W. Smith; SpamAssassin Users
> Subject: RE: Move Bayes To New Server
> 
> I was thinking of grabbing the bayes db from work and using it at home
> so it isn't mission critical. I don't get the exact same type of spam at
> home, but I get a lot of the rolex, drugs, pen1s type spam at both
> places.
> 
> --Mike
> 
> -Original Message-
> From: Gary W. Smith [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 06, 2004 8:20 PM
> To: Mike Carlson; SpamAssassin Users
> Subject: RE: Move Bayes To New Server
> 
> We have 6 relays that we did this for quite regularly.  We have switched
> over to MySQL though.  Basically we tarballed it up and the other
> machines would pickup the tarball, uncompress it and then swap it into
> place.  It was only effective to a point but it kept them "close" to
> sync.  We did it four times a day.  We did all of our training on the
> one machine that was the master.
> 
> YMMV
> 
> Gary Smith
> 
> > -Original Message-
> > From: Mike Carlson [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 06, 2004 5:26 PM
> > To: SpamAssassin Users
> > Subject: Move Bayes To New Server
> >
> > Can I copy my bayes db to another server that handles a different 
> > domain?
> >
> > --Mike
> 




RE: Move Bayes To New Server

2004-12-07 Thread Mike Carlson
I was thinking of grabbing the bayes db from work and using it at home
so it isn't mission critical. I don't get the exact same type of spam at
home, but I get a lot of the rolex, drugs, pen1s type spam at both
places.

--Mike 

-Original Message-
From: Gary W. Smith [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 06, 2004 8:20 PM
To: Mike Carlson; SpamAssassin Users
Subject: RE: Move Bayes To New Server

We have 6 relays that we did this for quite regularly.  We have switched
over to MySQL though.  Basically we tarballed it up and the other
machines would pickup the tarball, uncompress it and then swap it into
place.  It was only effective to a point but it kept them "close" to
sync.  We did it four times a day.  We did all of our training on the
one machine that was the master.

YMMV

Gary Smith

> -Original Message-
> From: Mike Carlson [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 06, 2004 5:26 PM
> To: SpamAssassin Users
> Subject: Move Bayes To New Server
> 
> Can I copy my bayes db to another server that handles a different 
> domain?
> 
> --Mike




Move Bayes To New Server

2004-12-07 Thread Mike Carlson
Can I copy my bayes db to another server that handles a different
domain?

--Mike



RE: SURBLS

2004-12-03 Thread Mike Carlson
Yeah we pretty much did, but I was replying to his response. I am going
to fix my syntax stuff and then run it for a while and see if I have any
changes.

Thanks,
--Mike 

-Original Message-
From: Dallas L. Engelken [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 02, 2004 9:13 PM
To: SpamAssassin Users
Subject: RE: SURBLS

> Here is everything I got from debug. I ran it as root so there is a 
> Bayes error that normally wouldn't pop up.
> 

Mike, didn't we already rule out SA off-list?  You might want to try the
MIMEDefang list.

d



RE: SURBLS

2004-12-03 Thread Mike Carlson
running header regexp tests; score so far=0
debug: registering glue method for check_for_spf_fail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x8c36f2c))
debug: SPF: message was delivered entirely via trusted relays, not
required
debug: all '*To' addrs: 
debug: SPF: message was delivered entirely via trusted relays, not
required
debug: running body-text per-line regexp tests; score so far=2.49
debug: running uri tests; score so far=2.49
debug: bayes corpus size: nspam = 26018, nham = 244
debug: tokenize: header tokens for *RT = " "
debug: tokenize: header tokens for *RU = " "
debug: cannot use bayes on this message; none of the tokens were found
in the database
debug: bayes: not scoring message, returning undef
debug: bayes: opportunistic call found expiry due
debug: Syncing Bayes and expiring old tokens...
bayes expire_old_tokens: lock: 2130 cannot create lockfile
/root/.spamassassin/bayes.mutex: Permission denied
debug: Syncing complete.
debug: bayes: 2130 untie-ing
debug: bayes: 2130 untie-ing db_toks
debug: bayes: 2130 untie-ing db_seen
debug: Razor2 is available
debug: entering helper-app run mode
 Razor-Log: Computed razorhome from env: /root/.razor
 Razor-Log: Found razorhome: /root/.razor, however, can't write to it.
 Razor-Log: No /root/.razor/razor-agent.conf found, skipping.
 Razor-Log: No razor-agent.conf found, using defaults. 
Dec 02 13:53:50.151653 check[2130]: [ 2] [bootup] Logging initiated LogDebugLevel=9 to stdout
Dec 02 13:53:50.153351 check[2130]: [ 5] computed razorhome=/root/.razor, conf=, ident=/root/.razor/identity
Dec 02 13:53:50.154455 check[2130]: [ 8] Client supported_engines: 4 8
Dec 02 13:53:50.156740 check[2130]: [ 8]  prep_mail done: mail 1 headers=41, mime0=76
Dec 02 13:53:50.158354 check[2130]: [ 5] read_file: 1 items read from /root/.razor/servers.discovery.lst
Dec 02 13:53:50.159599 check[2130]: [ 5] read_file: 2 items read from /root/.razor/servers.nomination.lst
Dec 02 13:53:50.160806 check[2130]: [ 5] read_file: 3 items read from /root/.razor/servers.catalogue.lst
Dec 02 13:53:50.162245 check[2130]: [ 9] Assigning defaults to folly.cloudmark.com
Dec 02 13:53:50.163148 check[2130]: [ 9] Assigning defaults to joy.cloudmark.com
Dec 02 13:53:50.164035 check[2130]: [ 9] Assigning defaults to thrill.cloudmark.com
Dec 02 13:53:50.164904 check[2130]: [ 9] Assigning defaults to pride.cloudmark.com
Dec 02 13:53:50.165733 check[2130]: [ 9] Assigning defaults to wonder.cloudmark.com
Dec 02 13:53:50.168264 check[2130]: [ 5] read_file: 12 items read from /root/.razor/server.pride.cloudmark.com.conf
Dec 02 13:53:50.170123 check[2130]: [ 5] read_file: 12 items read from /root/.razor/server.pride.cloudmark.com.conf
Dec 02 13:53:50.172344 check[2130]: [ 5] read_file: 15 items read from /root/.razor/server.thrill.cloudmark.com.conf
Dec 02 13:53:50.174447 check[2130]: [ 5] read_file: 15 items read from /root/.razor/server.thrill.cloudmark.com.conf
Dec 02 13:53:50.175602 check[2130]: [ 5] 158147 seconds before closest server discovery
Dec 02 13:53:50.176502 check[2130]: [ 6] thrill.cloudmark.com is a Catalogue Server srl 5048; computed min_cf=6, Server se: C8
Dec 02 13:53:50.177434 check[2130]: [ 8] Computed supported_engines: 4 8
Dec 02 13:53:50.178263 check[2130]: [ 8] Using next closest server thrill.cloudmark.com:2703, cached info srl 5048
Dec 02 13:53:50.179002 check[2130]: [ 8] mail 1 has no subject
Dec 02 13:53:50.180321 check[2130]: [ 6] preproc: mail 1.0 went from 76 bytes to 39
Dec 02 13:53:50.180935 check[2130]: [ 6] computing sigs for mail 1.0, len 39
Dec 02 13:53:50.188948 check[2130]: [ 6] skipping whitelist file (empty?): /root/.razor/razor-whitelist
Dec 02 13:53:50.190005 check[2130]: [ 5] Connecting to thrill.cloudmark.com ...
Dec 02 13:53:55.267749 check[2130]: [ 3] Unable to connect to thrill.cloudmark.com:2703; Reason: Invalid argument.
Dec 02 13:53:55.268716 check[2130]: [ 5] 168177 seconds before closest server discovery
Dec 02 13:53:55.269543 check[2130]: [ 6] pride.cloudmark.com is a Catalogue Server srl 141; computed min_cf=6, Server se: 58
Dec 02 13:53:55.270299 check[2130]: [ 8] Computed supported_engines: 4
Dec 02 13:53:55.270928 check[2130]: [ 8] Using next closest server pride.cloudmark.com:2703, cached info srl 141
Dec 02 13:53:55.271619 check[2130]: [ 5] Connecting to pride.cloudmark.com ...
^Clogmsg: server hit by SIGCHLD
logmsg: handled cleanup of child pid 2134
logmsg: handled cleanup of child pid 2133
logmsg: handled cleanup of child pid 2132
logmsg: handled cleanup of child pid 2131
logmsg: handled cleanup of child pid 2130
logmsg: server killed by SIGINT, shutting down 

-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 02, 2004 7:47 PM
To: SpamAssassin Users
Subject: Re: SURBLS

On Thursday, December 2, 2004, 4:47:59 PM, Mike Carlson wrote:
> Here is a snippet of what I got:

> debug: URIDNSBL: domains to query: 
> debug: is Net::DNS::Resolver available? yes

RE: SURBLS

2004-12-03 Thread Mike Carlson
Here is a snippet of what I got:

debug: URIDNSBL: domains to query: 
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.48
debug: all '*From' addrs: [EMAIL PROTECTED] 

--Mike

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 02, 2004 6:30 PM
To: Mike Carlson; users@spamassassin.apache.org
Subject: RE: SURBLS

At 06:13 PM 12/2/2004, Mike Carlson wrote:
>I have Net::DNS installed.
>
>It's a FreeBSD 4.9 with SA being called by MIMEDefang.
>
>I am not sure if any of the RBL stuff is working. I figured I would 
>work on one thing at a time.

Well, I'd start with at least verifying you have a fully working DNS
setup for SA to work with:

Try running spamassassin --lint -D and look for lines like these:

debug: is Net::DNS::Resolver available? yes
debug: trying (3) gmx.net...
debug: looking up MX for 'gmx.net'
debug: MX for 'gmx.net' exists? 1
debug: MX lookup of gmx.net succeeded => Dns available (set
dns_available to hardcode)
debug: is DNS available? 1


In particular, the "is DNS available? 1" is important. If SA concludes 0
here, then no RBLS or URIBLS will work. 




RE: SURBLS

2004-12-02 Thread Mike Carlson
I have both those options set.

--Mike 

-Original Message-
From: Guyang Mao [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 02, 2004 5:13 PM
To: users@spamassassin.apache.org
Subject: RE: SURBLS

Make sure your mimedefang is configuring SA to use the RBL.

In the mimedefang-filter file make sure this is there:

$SALocalTestsOnly = 0; 

In the sa-mimedefang.cf file, whatever it's named in FBSD:

skip_rbl_checks 0

..

-Original Message-
From: Mike Carlson [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 02, 2004 5:14 PM
To: Matt Kettler; users@spamassassin.apache.org
Subject: RE: SURBLS

I have Net::DNS installed.

It's a FreeBSD 4.9 with SA being called by MIMEDefang.

I am not sure if any of the RBL stuff is working. I figured I would work
on one thing at a time.

--Mike 





RE: SURBLS

2004-12-02 Thread Mike Carlson
I have Net::DNS installed.

It's a FreeBSD 4.9 with SA being called by MIMEDefang.

I am not sure if any of the RBL stuff is working. I figured I would work
on one thing at a time.

--Mike 

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 02, 2004 2:55 PM
To: Mike Carlson; users@spamassassin.apache.org
Subject: RE: SURBLS

At 02:46 PM 12/2/2004, Mike Carlson wrote:
>It wasn't in the hits either.
>
>--Mike

Hmm. Do you have Net::DNS installed? Do any normal RBLs work?




RE: SURBLS

2004-12-02 Thread Mike Carlson
If I run that command I get this:
 
hades# spamd -D -p 800 2>&1 | grep postcard
Ambiguous output redirect.
hades# 
 
--Mike



From: Dallas L. Engelken [mailto:[EMAIL PROTECTED]
Sent: Thu 12/2/2004 2:05 PM
To: Mike Carlson
Cc: users@SpamAssassin.apache.org
Subject: RE: SURBLS




> Ok, I tried the command, but I am SSH'd so the output
> redirection didn't work.
> 
> I did do spamd -D -p 800 | grep postcard
> 

# spamd -D -p 800 2>&1 | grep postcard

Notice the stderr to stdout redirector??

d





RE: SURBLS

2004-12-02 Thread Mike Carlson
bug:  MIME PARSER END 
debug: decoding: no encoding detected
debug: Message too short for language analysis
debug: URIDNSBL: domains to query: 
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.48
debug: all '*From' addrs: 
debug: Running tests for priority: 0
debug: running header regexp tests; score so far=0
debug: registering glue method for check_for_spf_fail 
(Mail::SpamAssassin::Plugin::SPF=HASH(0x8c36f2c))
debug: SPF: message was delivered entirely via trusted relays, not required
debug: all '*To' addrs: 
debug: SPF: message was delivered entirely via trusted relays, not required
debug: running body-text per-line regexp tests; score so far=2.49
debug: running uri tests; score so far=2.49
debug: bayes corpus size: nspam = 26018, nham = 244
debug: tokenize: header tokens for *RT = " "
debug: tokenize: header tokens for *RU = " "
debug: cannot use bayes on this message; none of the tokens were found in the 
database
debug: bayes: not scoring message, returning undef
debug: bayes: opportunistic call found expiry due
debug: Syncing Bayes and expiring old tokens...
bayes expire_old_tokens: lock: 2130 cannot create lockfile 
/root/.spamassassin/bayes.mutex: Permission denied
debug: Syncing complete.
debug: bayes: 2130 untie-ing
debug: bayes: 2130 untie-ing db_toks
debug: bayes: 2130 untie-ing db_seen
debug: Razor2 is available
debug: entering helper-app run mode
 Razor-Log: Computed razorhome from env: /root/.razor
 Razor-Log: Found razorhome: /root/.razor, however, can't write to it.
 Razor-Log: No /root/.razor/razor-agent.conf found, skipping.
 Razor-Log: No razor-agent.conf found, using defaults. 
Dec 02 13:53:50.151653 check[2130]: [ 2] [bootup] Logging initiated 
LogDebugLevel=9 to stdout
Dec 02 13:53:50.153351 check[2130]: [ 5] computed razorhome=/root/.razor, 
conf=, ident=/root/.razor/identity
Dec 02 13:53:50.154455 check[2130]: [ 8] Client supported_engines: 4 8
Dec 02 13:53:50.156740 check[2130]: [ 8]  prep_mail done: mail 1 headers=41, 
mime0=76
Dec 02 13:53:50.158354 check[2130]: [ 5] read_file: 1 items read from 
/root/.razor/servers.discovery.lst
Dec 02 13:53:50.159599 check[2130]: [ 5] read_file: 2 items read from 
/root/.razor/servers.nomination.lst
Dec 02 13:53:50.160806 check[2130]: [ 5] read_file: 3 items read from 
/root/.razor/servers.catalogue.lst
Dec 02 13:53:50.162245 check[2130]: [ 9] Assigning defaults to 
folly.cloudmark.com
Dec 02 13:53:50.163148 check[2130]: [ 9] Assigning defaults to joy.cloudmark.com
Dec 02 13:53:50.164035 check[2130]: [ 9] Assigning defaults to 
thrill.cloudmark.com
Dec 02 13:53:50.164904 check[2130]: [ 9] Assigning defaults to 
pride.cloudmark.com
Dec 02 13:53:50.165733 check[2130]: [ 9] Assigning defaults to 
wonder.cloudmark.com
Dec 02 13:53:50.168264 check[2130]: [ 5] read_file: 12 items read from 
/root/.razor/server.pride.cloudmark.com.conf
Dec 02 13:53:50.170123 check[2130]: [ 5] read_file: 12 items read from 
/root/.razor/server.pride.cloudmark.com.conf
Dec 02 13:53:50.172344 check[2130]: [ 5] read_file: 15 items read from 
/root/.razor/server.thrill.cloudmark.com.conf
Dec 02 13:53:50.174447 check[2130]: [ 5] read_file: 15 items read from 
/root/.razor/server.thrill.cloudmark.com.conf
Dec 02 13:53:50.175602 check[2130]: [ 5] 158147 seconds before closest server 
discovery
Dec 02 13:53:50.176502 check[2130]: [ 6] thrill.cloudmark.com is a Catalogue 
Server srl 5048; computed min_cf=6, Server se: C8
Dec 02 13:53:50.177434 check[2130]: [ 8] Computed supported_engines: 4 8
Dec 02 13:53:50.178263 check[2130]: [ 8] Using next closest server 
thrill.cloudmark.com:2703, cached info srl 5048
Dec 02 13:53:50.179002 check[2130]: [ 8] mail 1 has no subject
Dec 02 13:53:50.180321 check[2130]: [ 6] preproc: mail 1.0 went from 76 bytes 
to 39 
Dec 02 13:53:50.180935 check[2130]: [ 6] computing sigs for mail 1.0, len 39
Dec 02 13:53:50.188948 check[2130]: [ 6] skipping whitelist file (empty?): 
/root/.razor/razor-whitelist
Dec 02 13:53:50.190005 check[2130]: [ 5] Connecting to thrill.cloudmark.com ...
Dec 02 13:53:55.267749 check[2130]: [ 3] Unable to connect to 
thrill.cloudmark.com:2703; Reason: Invalid argument.
Dec 02 13:53:55.268716 check[2130]: [ 5] 168177 seconds before closest server 
discovery
Dec 02 13:53:55.269543 check[2130]: [ 6] pride.cloudmark.com is a Catalogue 
Server srl 141; computed min_cf=6, Server se: 58
Dec 02 13:53:55.270299 check[2130]: [ 8] Computed supported_engines: 4
Dec 02 13:53:55.270928 check[2130]: [ 8] Using next closest server 
pride.cloudmark.com:2703, cached info srl 141
Dec 02 13:53:55.271619 check[2130]: [ 5] Connecting to pride.cloudmark.com ...
^Clogmsg: server hit by SIGCHLD
logmsg: handled cleanup of child pid 2134
logmsg: handled cleanup of child pid 2133
logmsg: handled cleanup of child pid 2132
logmsg: handled cleanup of child pid 2131
logmsg: handled cleanup of child pid 2130
logmsg: server killed by SIGINT, shutting down

___

RE: SURBLS

2004-12-02 Thread Mike Carlson
It wasn't in the hits either.
 
--Mike



From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thu 12/2/2004 1:36 PM
To: Mike Carlson; users@spamassassin.apache.org
Subject: RE: SURBLS



At 02:35 PM 12/2/2004, Mike Carlson wrote:
>I sent an email with that URL in it and it didn't get tagged.

Well, it won't get tagged by SA based on that alone. There are very few
"sure fire spam" rules in SA, and none of the SURBLs are on that small list.

What you need to do is look at your hits list for the message, and see if
it matched the SC SURBL rule.

If you're using SA 3.x it should show up as URIBL_SC_SURBL in your hits.

If your setup doesn't put the hits list in some message header even for
nonspam, you'll probably have to do it manually using spamassassin -t on
the command line.

You can also send that URL in an email that also contains a GTUBE string.
The GTUBE will force a spam tag, and presumably then your setup, no matter
how strange, should list out all the hits. You should make sure it hits
both the GTUBE rule and the SURBL rule.

http://spamassassin.apache.org/gtube/
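
The hits-list check described in the reply above, as an added example that is not part of the original thread. It assumes the hits are exposed in an SA 3.x style X-Spam-Status header with a tests= field and that the test message contained both the SURBL test URL and a GTUBE string; the function names and the sample header are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: folded X-Spam-Status header (layout is an assumption).
SAMPLE_MESSAGE = (
    "X-Spam-Status: Yes, score=1005.0 required=5.5 tests=GTUBE,\n"
    "\tURIBL_SC_SURBL autolearn=no version=3.0.1\n"
    "Subject: surbl test\n"
    "\n"
    "test body\n"
)


def rule_hits(raw_message):
    """Return the set of rule names in tests=, or None if no header exists."""
    status = message_from_string(raw_message).get("X-Spam-Status")
    if status is None:
        return None
    flat = re.sub(r"\s+", " ", status)          # undo header folding
    match = re.search(r"tests=(.*?)(?= \w+=|$)", flat)
    if not match:
        return set()
    names = {name.strip() for name in match.group(1).split(",")}
    return {name for name in names if name and name != "none"}


def surbl_verdict(raw_message, rule="URIBL_SC_SURBL"):
    """Classify a test message that carried the SURBL test URL and GTUBE."""
    hits = rule_hits(raw_message)
    if hits is None:
        return "no-hits-header"      # fall back to spamassassin -t
    if rule in hits:
        return "surbl-working"
    if "GTUBE" in hits:
        return "surbl-not-firing"    # scanner ran, URI lookup did not hit
    return "inconclusive"            # neither rule hit; the test proves nothing


if __name__ == "__main__":
    print(sorted(rule_hits(SAMPLE_MESSAGE)), surbl_verdict(SAMPLE_MESSAGE))
```
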








RE: SURBLS

2004-12-02 Thread Mike Carlson
I sent an email with that URL in it and it didn't get tagged.
 
--Mike



From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thu 12/2/2004 1:25 PM
To: Mike Carlson; users@spamassassin.apache.org
Subject: Re: SURBLS



At 02:01 PM 12/2/2004, Mike Carlson wrote:
>What tests can I do to make sure SURBLS is working? I haven't seen any
>scores for SURBLS in any of the caught or uncaught emails.

Send yourself an email with the surbl testpoint in it:




That should trigger the spamcop URI list from surbl.






SURBLS

2004-12-02 Thread Mike Carlson
What tests can I do to make sure SURBLS is working? I haven't seen any scores 
for SURBLS in any of the caught or uncaught emails.
 
Thanks,
--Mike
 
 



URIDNSBL & Bayes

2004-11-12 Thread Mike Carlson
I haven't seen any tagged spam hitting on any of the URIDNSBL rules. How can I 
tell if it's running? Here is a snippet of the output of spamd -D:
 
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c35840)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8c36ef0)
 
Also, how can I tell if Bayes is actually being used? I see this in spamd -D:
 
debug: bayes: no dbs present, cannot tie DB R/O: 
/tmp/spamd-90963-init/.spamassassin/bayes_toks
 
But as I understand it, I can ignore that error. I was running 2.64 and 
upgraded to 3.01. Do I have to do anything special to enable it? I don't see 
any scores from Bayes results either. I did run 200 Hams through it and several 
thousand Spams.
 
I have seen some example local.cf that had bayes_file_mode and bayes_path set. 
Do I need to set those values?
 
Thanks,
--Mike
 



RE: Errors reading local.cf

2004-11-04 Thread Mike Carlson
So I can remove those lines and change auto_learn to bayes_auto_learn?
 
Speaking of bayes, I also noticed this error:
 
debug: bayes: no dbs present, cannot tie DB R/O: 
/tmp/spamd-648-init/.spamassassin/bayes_toks
 
I read a thread somewhere that said I really didn't have to worry about that 
line. Should I be worried?
 
Thanks,
 
--Mike Carlson
[EMAIL PROTECTED]
http://www.uselessthoughts.com
 



From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thu 11/4/2004 10:32 AM
To: Mike Carlson; users@spamassassin.apache.org
Subject: Re: Errors reading local.cf



At 11:28 AM 11/4/2004, Mike Carlson wrote:
>Since I was in trying to figure out if URIDNSRBL was working I noticed a
>few more errors that were coming up:
>
>debug: config: SpamAssassin failed to parse line, skipping:
>rewrite_subject 1
>debug: config: SpamAssassin failed to parse line, skipping:
>subject_tag (SPAM) _HITS_
>debug: config: SpamAssassin failed to parse line, skipping:
>use_terse_report 0
>debug: config: SpamAssassin failed to parse line, skipping:
>auto_learn  0

Those config options are obsolete and no longer supported in SA 3.0.

"auto_learn" never existed, it's always been bayes_auto_learn.

Please read the UPGRADE file for more details on the subject line stuff
http://spamassassin.apache.org/full/3.0.x/dist/UPGRADE


- The "rewrite_subject" and "subject_tag" configuration options were
   deprecated and are now removed. Instead, using "rewrite_header Subject
   [your desired setting]".  e.g.

 rewrite_subject 1
 subject_tag SPAM(_SCORE_)

   becomes

 rewrite_header Subject SPAM(_SCORE_)
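
The migration described in the reply above, as an added example that is not part of the original thread or of SpamAssassin. It covers only the options this thread reports as rejected by 3.0 and carries option values over unchanged; migrate_local_cf and the sample file are constructed for illustration.

```python
# Added example: rewrite the local.cf options this thread reports as
# rejected by SpamAssassin 3.0. Option values are carried over unchanged.

# Constructed sample, modelled on the local.cf quoted in the thread.
SAMPLE_LOCAL_CF = """\
# How many hits before a message is considered spam.
required_hits 5.5
rewrite_subject 1
subject_tag (SPAM) _HITS_
report_safe 1
use_terse_report 0
use_bayes 1
auto_learn 0
"""

DROPPED = {"use_terse_report"}               # obsolete, no replacement named
RENAMED = {"auto_learn": "bayes_auto_learn"}


def migrate_local_cf(text):
    """Return (new_lines, notes) for a 2.x-style local.cf."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            rows.append((None, "", raw))     # blank line or comment
        else:
            value = parts[1].strip() if len(parts) > 1 else ""
            rows.append((parts[0], value, raw))
    settings = {key: value for key, value, _ in rows if key}
    rewrite_on = settings.get("rewrite_subject") == "1"

    new_lines, notes = [], []
    for lineno, (key, value, raw) in enumerate(rows, 1):
        if key == "rewrite_subject":
            if rewrite_on and "subject_tag" not in settings:
                notes.append(f"line {lineno}: rewrite_subject 1 without "
                             "subject_tag; add 'rewrite_header Subject <tag>'")
            else:
                notes.append(f"line {lineno}: removed rewrite_subject")
        elif key == "subject_tag":
            if rewrite_on:
                new_lines.append(f"rewrite_header Subject {value}")
                notes.append(f"line {lineno}: subject_tag -> rewrite_header Subject")
            else:
                notes.append(f"line {lineno}: dropped subject_tag (rewriting off)")
        elif key in DROPPED:
            notes.append(f"line {lineno}: dropped obsolete {key}")
        elif key in RENAMED:
            new_lines.append(f"{RENAMED[key]} {value}")
            notes.append(f"line {lineno}: {key} -> {RENAMED[key]}")
        else:
            new_lines.append(raw)            # untouched option or comment
    return new_lines, notes
```
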








Errors reading local.cf

2004-11-04 Thread Mike Carlson
Since I was in trying to figure out if URIDNSRBL was working I noticed a few 
more errors that were coming up:
 
debug: config: SpamAssassin failed to parse line, skipping: rewrite_subject 
1
debug: config: SpamAssassin failed to parse line, skipping: subject_tag 
(SPAM) _HITS_
debug: config: SpamAssassin failed to parse line, skipping: use_terse_report
0
debug: config: SpamAssassin failed to parse line, skipping: auto_learn  
0
 
My /usr/local/etc/mail/spamassassin/local.cf is pretty straightforward
 
# How many hits before a message is considered spam.
required_hits   5.5
 
# Whether to change the subject of suspected spam
rewrite_subject 1
 
# Text to prepend to subject if rewrite_subject is used
subject_tag (SPAM) _HITS_
 
# Encapsulate spam in an attachment
report_safe 1  
 
# Use terse version of the spam report
use_terse_report 0
 
# Enable the Bayes system
use_bayes   1
 
# Enable Bayes auto-learning
auto_learn  0
 
# Enable or disable network checks
skip_rbl_checks 0 
use_razor2  1
use_dcc 1
use_pyzor   1
pyzor_path  /usr/local/bin/pyzor
 
#trusted networks
trusted_networks 65.203.76.
trusted_networks 10.10.5.1
trusted_networks 10.10.5.10
 
#dns server address
dns_available yes
 
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english
ok_languages en es pt ja ko zh
 
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales  en
 
score FORGED_MUA_OUTLOOK 1.5
 
I also have some whitelist stuff at the end that I didn't include.
 
--Mike Carlson
[EMAIL PROTECTED]
http://www.uselessthoughts.com
 



RE: URIDNSBL

2004-11-04 Thread Mike Carlson
I have attached a snippet of the output of spamd -D that talks about URIDNSBL
 
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c35840)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8c36ef0)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) implements 
'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c35840) implements 
'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited 
further callbacks
 
Does that look correct? I don't notice any errors, but I wasn't sure about 
"inhibited further callbacks".
 
--Mike Carlson
[EMAIL PROTECTED]
http://www.uselessthoughts.com
 

____

From: Mike Carlson
Sent: Wed 11/3/2004 2:15 PM
To: Mathieu Nantel; users@spamassassin.apache.org
Subject: RE: URIDNSBL


I don't have any of those tests showing up in the tagged spam.
 
I did notice a -2.4 for not passing through untrusted hosts. I am going to have 
to change that score I think. I don't think I am going to give spam credit for 
not being sent through a known spam host.
 
--Mike Carlson
[EMAIL PROTECTED]
http://www.uselessthoughts.com
 



From: Mathieu Nantel [mailto:[EMAIL PROTECTED]
Sent: Wed 11/3/2004 1:55 PM
To: users@spamassassin.apache.org
Subject: Re: URIDNSBL



Heh, that's easy: 99% of your spam will score on either of these tests:

 5.0 URIBL_SBL  Contains an URL listed in the SBL blocklist
 
 5.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
 
 5.0 URIBL_JP_SURBL   

RE: Should ALL_TRUSTED be doing this?

2004-11-04 Thread Mike Carlson
Do you have to add private IP addresses to the trusted_networks list? I only 
added the public IP Addresses that are set up for our mail server but it does 
have a private IP and is being NAT'd.
 
--Mike
 



From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thu 11/4/2004 7:55 AM
To: Jason Haar; SpamAssassin Users
Subject: Re: Should ALL_TRUSTED be doing this?



At 04:20 PM 11/4/2004 +1300, Jason Haar wrote:
>I've been getting a fair amount of missed spam with SA-3.01 that looks like
>it would have been caught if it wasn't for ALL_TRUSTED.

No, it should not.

You have one of two problems:

1) SA is confused about trust. This typically happens if your outer-most
mailserver is address translated and has a reserved non-routable IP address
assigned. SA generally assumes the first non-reserved IP is your outside
MX, but this isn't true for a lot of networks that NAT their mailservers.

To fix: set trusted_networks manually in your local.cf. Include just your
mailservers in this. ie if I had two servers, one external MX numbered
192.168.1.8 and a SA scanning box at 192.168.20.8 I could do this:
 trusted_networks 192.168.1.8/32
 trusted_networks 192.168.20.8/32

2) The other case is SA can't parse your Received: headers. If you run a
message through spamassassin -D you'll see debug lines complaining about it:
 debug: received-header: unknown format:

To fix: short term, force the score of ALL_TRUSTED to 0.
 score ALL_TRUSTED 0

If it's a received line starting with by, then it's this bug:
 http://bugzilla.spamassassin.org/show_bug.cgi?id=3600
Otherwise, create a new bug in the bugzilla, and attach a sample.






RE: URIDNSBL

2004-11-03 Thread Mike Carlson
I don't have any of those tests showing up in the tagged spam.
 
I did notice a -2.4 for not passing through untrusted hosts. I am going to have 
to change that score I think. I don't think I am going to give spam credit for 
not being sent through a known spam host.
 
--Mike Carlson
[EMAIL PROTECTED]
http://www.uselessthoughts.com
 



From: Mathieu Nantel [mailto:[EMAIL PROTECTED]
Sent: Wed 11/3/2004 1:55 PM
To: users@spamassassin.apache.org
Subject: Re: URIDNSBL



Heh, that's easy: 99% of your spam will score on either of these tests:

 5.0 URIBL_SBL  Contains an URL listed in the SBL blocklist
 
 5.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
 
 5.0 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
  
 5.0 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
  
 5.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
 
 5.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
   
(yes, my scoring is aggressive)

The more proper way of checking this is to run:

spamd -D

which will output this if you are loading URIDNSBL:

debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x35ced0)



On November 3, 2004 02:52 pm, Mike Carlson wrote:
> How do I know if SA is using URIDNSBL?
>
> I am running SA 3.0 on FreeBSD with MimeDefang and now emails are scoring
> very very low and some users are getting a ton of spam through. I want to
> make use of URIDNSBL if I can, but I am not sure if it is working or not.
>
> --Mike Carlson
> [EMAIL PROTECTED]
> http://www.uselessthoughts.com

--
Mathieu Nantel - Systems Manager
Ecopia BioSciences Inc.
(514) 336-2724 x434





URIDNSBL

2004-11-03 Thread Mike Carlson
How do I know if SA is using URIDNSBL? 
 
I am running SA 3.0 on FreeBSD with MimeDefang and now emails are scoring very 
very low and some users are getting a ton of spam through. I want to make use 
of URIDNSBL if I can, but I am not sure if it is working or not.
 
--Mike Carlson
[EMAIL PROTECTED]
http://www.uselessthoughts.com