good ideas for spam blocking

2006-07-25 Thread Paul Matthews
Hi there,

At the moment I have the rules_du_jour script running every week and I
have the script below running every night telling SpamAssassin to learn
what I can from the users' junk mail folders, but I still seem to get a lot
of junk mail that gets past the scanners. Can anyone make any suggestions
on something to do to block more spam?

Also, the way I have set up the script below, does that add what is being
learnt from the sa-learn program into a database for all users, or just
for the single user it runs as?

#!/bin/bash

# Append a dated header to the log; errors writing the log are discarded
log=/var/log/procmail/SpamAssassin/sa-learn.log
echo >> $log 2>/dev/null
date >> $log 2>/dev/null
echo >> $log 2>/dev/null

# Learn spam from each user's Junk folder
for i in $( ls /home/DOMAIN); do
 echo $i >> $log 2>/dev/null
 echo Reading /home/DOMAIN/$i/mail/Junk >> $log 2>/dev/null
 sa-learn -p /home/DOMAIN/$i/.spamassassin/user_prefs -u [EMAIL PROTECTED] \
   --siteconfigpath=/etc/mail/spamassassin --mbox --spam /home/CATHE$
done
echo SpamAssassin Learn Program Has Run
/etc/init.d/spamassassin restart
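
An added example, not part of the original post and not SpamAssassin project code: a hardened form of the nightly loop above that quotes paths, skips missing, empty or symlinked Junk folders, and names the Bayes database explicitly with sa-learn's --dbpath option. The function name learn_junk, the SA_LEARN override and the per-user ~/.spamassassin/bayes layout are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: nightly sa-learn pass over each user's Junk mbox.
# SA_LEARN can be overridden to exercise the loop without SpamAssassin.
SA_LEARN=${SA_LEARN:-sa-learn}
SITECONF=/etc/mail/spamassassin

# learn_junk ROOT: learn spam from ROOT/<user>/mail/Junk for every user.
# Prints "learned N skipped M". Body runs in a subshell to keep vars local.
learn_junk() (
    root=$1 learned=0 skipped=0
    for home in "$root"/*/; do      # glob instead of $(ls): safe with spaces
        [ -d "$home" ] || continue  # an unmatched glob stays literal
        home=${home%/}
        user=${home##*/}
        junk=$home/mail/Junk
        # Skip missing or empty folders, and symlinks: the job runs as root
        # over user-writable paths, so a link would make it read any file.
        if [ -L "$junk" ] || [ ! -f "$junk" ] || [ ! -s "$junk" ]; then
            skipped=$((skipped + 1))
            continue
        fi
        # --dbpath names the Bayes database explicitly (assumed layout:
        # ~/.spamassassin/bayes per user), so the tokens do not land in the
        # database of whichever account runs this script.
        if "$SA_LEARN" --dbpath "$home/.spamassassin/bayes" \
                --siteconfigpath="$SITECONF" \
                --mbox --spam "$junk" >/dev/null; then
            learned=$((learned + 1))
        else
            echo "sa-learn failed for $user" >&2
            skipped=$((skipped + 1))
        fi
    done
    echo "learned $learned skipped $skipped"
)

# Usage: ./learn-junk.sh /home/MYDOMAIN
if [ $# -ge 1 ]; then learn_junk "$1"; fi
```

Database files created by a root-run job are owned by root; run the command as the mailbox owner if that user's own SpamAssassin process must update them.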





spamassassin: execvp: Permission denied

2006-06-06 Thread Paul Matthews
I get this error message in my boot log file, anyone have any idea what it
is?

spamassassin: execvp: Permission denied




sa-learn script

2006-05-25 Thread Paul Matthews
Hi there,

I'm running RHEL4 with spamassassin-3.0.5-3.el4 and I'm looking for a
script that will make sa-learn go through everyone's Junk mail folder and
'learn' what is Junk.

I've come up with this

#!/bin/bash

for i in $( ls /home/MYDOMAIN); do
 sa-learn --spam /home/MYDOMAIN/i$/mail/Junk
done

If I set it to run as a cron job once a week, will that do what I want it
to do?




Re: sa-learn script

2006-05-25 Thread Paul Matthews
> Almost certainly not, unless you change that i$ to $i ;-)

Okay, say I do change it, will that script work if I just add it in a
cron job?

Also, I'm using the squirrelmail plugin spam_button.

http://www.squirrelmail.org/plugin_view.php?id=242

But what I want it to do is once it is marked as spam to move the e-mail
from /var/spool/mail/user to $HOME/mail/Junk

and same as marking it ham, move it from $HOME/mail/Junk to
/var/spool/mail/user

Can anyone tell me how to do that?




Re: sa-learn script

2006-05-25 Thread Paul Matthews
> Also, I'm using the squirrelmail plugin spam_button.
>
> http://www.squirrelmail.org/plugin_view.php?id=242
>
> But what I want it to do is once it is marked as spam to move the e-mail
> from /var/spool/mail/user to $HOME/mail/Junk
>
> and same as marking it ham, move it from $HOME/mail/Junk to
> /var/spool/mail/user
>
> Can anyone tell me how to do that?

I've slightly changed the script I was using, can anyone tell me:

if it will still work?
if it will work better, worse or no change?
Am I missing anything in the script that should be there?
I notice in the --help option for sa-learn there is a --sync, is that
something I have to do after this script has run?

#!/bin/bash

for i in $( ls /home/MYDOMAIN); do
 # learn spam from the user's Junk folder
 sa-learn -p /home/MYDOMAIN/$i/.spamassassin/user_prefs -u [EMAIL PROTECTED] \
   --siteconfigpath=/etc/mail/spamassassin --mbox --spam \
   /home/MYDOMAIN/$i/mail/Junk
 # learn ham from the user's inbox spool
 sa-learn -p /home/MYDOMAIN/$i/.spamassassin/user_prefs -u [EMAIL PROTECTED] \
   --siteconfigpath=/etc/mail/spamassassin --mbox --ham \
   /var/spool/mail/$i
done




rules_du_jour

2006-05-24 Thread Paul Matthews
Hi there,

I've found this website

http://www.exit0.us/index.php?pagename=RulesDuJour

It's a list of rules that can automatically update, it's telling me in the
config file you can tell it what lists to download

TRUSTED_RULESETS=TRIPWIRE SARE_ADULT SARE_OBFU1 SARE_URI0 SARE_URI1

Can anyone give me a list of available lists I can download? Or tell me
where to find a list of them?




RE: checksumming image spam

2006-05-23 Thread Paul Matthews
> Razor is also a good check, but it's only free for personal use
> (same as dcc): http://razor.sourceforge.net
> Razor compile and install is a bit more difficult than dcc or
> pyzor, as it might need a whole lot of perl modules
> (depending on what is already there), so better get your CPAN
> right and use perl newer than 5.8.3.
>
> -Sietse
>
> As of March 30, 2006, Razor2 no longer has the Personal Use Only
> clause.

http://sourceforge.net/mailarchive/forum.php?thread_id=10079360&forum_id=4258

So I see that razor is now free, but what about DCC? I went to the DCC
website shown in another post.

http://www.rhyolite.com/anti-spam/dcc/

And I didn't see anything about payment, or being free for only personal
use, the only thing I found about is this.

The Distributed Checksum Clearinghouse source carries a license that is
free to organizations that do not sell filtering devices or services
except to their own users and that participate in the global DCC network.
(I.e. ISPs that use the DCC to filter mail for their own users are
intended to be covered in the free license.) You also can't call it your
own or blame anyone for using it.

And to me that sounds like me running a Small Business Server I should be
alright?




Re: Re[2]: checksumming image spam

2006-05-23 Thread Paul Matthews
> And to me that sounds like me running a Small Business Server I
> should be alright?
>
> Yes, absolutely.
>
> --Sandy



When I want to test that spam assassin is working it's fairly easy, look
in the header information or use the gtube command

http://spamassassin.apache.org/gtube/

But what about when I want to test that DCC & razor are working? Are there
any tests for that?




Re: checksumming image spam

2006-05-22 Thread Paul Matthews
I see in my webmin module, 'Location of DCC client program' but I don't
think I have it installed. What package should I be looking for? I'm
running rhel4, can I install it from up2date or is there an rpm out
there? Any information on using DCC with spamassassin and rhel would be
great.

> http://www.nytimes.com/2006/05/21/business/yourmoney/21spam.html
>
> Matt Sergeant (of MessageLabs, and one of the early SpamAssassin
> committers too!) is interviewed about spam, with a bit of relevance
> regarding image checksumming (which we've been talking about recently):
>
>
>   The spammers were trying to circumvent the world's junk-mail filters by
>   embedding their messages -- whether peddling something called China
>   Digital Media for $1.71 a share, or a Hot Pick! company called GroFeed
>   for just 10 cents -- into images.
>
>   It worked, but only briefly. Antispam developers at MessageLabs, one of
>   several companies that essentially reroute their clients' e-mail traffic
>   through proprietary spam-scrubbing servers before delivering it, quickly
>   developed a checksum, or fingerprint, for the images, and created a
>   filter to block them. [...]
>
>   Shortly after MessageLabs created a filter to catch the stock spams, the
>   images they contained changed again.
>
>   They were now arriving with what looked to the naked eye like a gray
>   border. Zooming in, however, the MessageLabs team discovered that the
>   border was made up of thousands of randomly ordered dots. Indeed, every
>   message in that particular spam campaign was generated with a new image
>   of the border -- each with its own random array of dots. [...]
>
>   We actually developed some technology to detect borders in images and
>   figure out the entropy -- that is, to figure out if the border was
>   random, Mr. Sergeant said. So that was fine. Of course, shortly
>   afterward, they decided to stop using the borders, he added.
>
>   From there, the senders began placing a small number of barely
>   perceptible and, again, randomly placed dots -- a pink one here, a blue
>   one there, a green one near the bottom -- throughout the images. Then
>   they shifted to multiple images, with words spelled partially in plain
>   text and partially as images, so that the content, when viewed on a
>   common e-mail reader like Outlook or AOL, would look like an ordinary
>   message.
>
>
> Aside from that techie stuff, it's a good interview too ;)
>
> --j.



-- 
Paul Matthews
Junior Network Technician | The Cathedral School
Ph  (07) 47222 194 |  Fax (07) 47222 111
PO Box 944 Aitkenvale Q 4814
E:  [EMAIL PROTECTED]
W: www.cathedral.qld.edu.au

Anglican coeducation | Day and Boarding | Early Childhood to Year 12
Educating for life-long success



***

IMPORTANT NOTICE REGARDING CONFIDENTIALITY

This electronic email message is intended only for the addressee and may
contain confidential information. If you are not the addressee, you are
notified that any transmission, distribution or photocopying of this email
is strictly prohibited. The confidentiality attached to this email is not
waived, lost or destroyed by reasons of a mistaken delivery to you.




RE: checksumming image spam

2006-05-22 Thread Paul Matthews
> DCC is at: http://www.rhyolite.com/anti-spam/dcc/
>
> Don't know about rpm's, you can try http://rpmfind.net (Don't think they
> have RH EL rpms)
> Or http://dag.wieers.com
>
> But probably you'll have to compile it yourself (As I did for my RH EL3),
> which is pretty simple.

Okay, I'll install it from source, where do I find the source? And can you
also tell me what is Pyzor? And what does it do?




list of rules

2006-05-18 Thread Paul Matthews
Hi there,

I've just installed spam assassin and it's working okay, but some spam is
still getting in, I only have like 3 rules at the moment that I added in,
is there a list of pretty safe rules out there that I could just copy into
my local.cf SA file?




Re: list of rules

2006-05-18 Thread Paul Matthews
> Are you using sa-update?

I'm not sure, how do I know if I am? But I did a locate sa-update and I
came up with nothing so I have to guess that I'm not.

Although, I've found the website

http://www.sa-blacklist.stearns.org/sa-blacklist/

and I've added the following information into a script and set it to run as
a cron job once a week.

wget http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.cf
wget http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
wget http://www.sa-blacklist.stearns.org/sa-blacklist/random.current.cf

Has anyone out there used this website? is it any good? does it work?




Re: list of rules

2006-05-18 Thread Paul Matthews
> What version of SA are you using? If older than 3.1.1, consider
> upgrading to the current version before adding on extra rulesets.

I'm running RHEL4 with spamassassin-3.0.5-3.el4

I don't want to upgrade because I manage all my packages with redhat's
up2date program and a new version of SA hasn't been released with RHEL4
yet.

> 1) sa-blacklist is based on email addresses. This is not a very
> effective tactic for fighting spam.

Fair enough, removes file

> 2) sa-blacklist is a nearly 2meg file, which will increase your spamd
> size by about 100 megs per-instance. This massive memory increase will
> grind most boxes to a halt.

It's actually a 13 mg file and you're right, I did notice a big drop in
performance

> 3) sa-blacklist-uri is superseded by the URIBL test URIBL_WS_SURBL.
> This test is more accurate (it's a live query to DNS, thus rapidly
> updated) and uses much less memory. However, it does require use of DNS.

I've removed all the files that I got from that website, but I'm still
looking for a self-updating solution for SA.

Any ideas?

