Re: report settings
Ron McKeating wrote:
> Is it possible to have a standard setting that does not put a full report in the header for normal users, but does for one or 2 selected users?
>
> Ron

Are you directly using Spamc, or using Amavis or MailScanner or something else as a wrapper? If you are using MailScanner then you can do it; I don't know about Amavis.

Rakesh
--
Netcore Solutions Pvt. Ltd.
Website: http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
Re: Upgrade/install over earlier version
Dr Robert Young wrote:
> Does anyone have information on the installation/upgrade of V3 of Spamassassin, on a system already running V2? Should the new version go "on top" of the older one, or as a separate product install? Any issues one should be aware of? I am installing on RedHat 6.2 and using a fairly recent version (last 2 yrs) of sendmail (I'll have to look it up for the precise version if that matters).

http://svn.apache.org/repos/asf/spamassassin/branches/3.0/UPGRADE

Rakesh
embedded image spams
Hi,

I have been bugged a lot by embedded image spams recently. Although some of these spams got trapped due to URI checks, some managed to pass as well, as the URL wasn't yet blocked in the SURBLs. I probably found something that I wanted to share with you guys, to try and see if we can trap those spams further on the basis of that.

I have classified those embedded image spams into two classes: Class 1, an image of a full list of viagra and other meds, and Class 2, an image of one-liner information on cheap software or viagra. I was thinking that if we can understand a common pattern and make a ruleset on top of that, so that we don't have to wait for updates at URIBL, then it would be really something good.

These image-only spams apparently have a problem that we can trap on :). The loophole is that in most of the cases the message id of the mail and the content id or cid of the embedded image are exactly the same. For e.g.

    Message-ID: <[EMAIL PROTECTED]>
    Content-ID: <[EMAIL PROTECTED]>

Some variations also had something like this:

    Message-ID: <[EMAIL PROTECTED]>
    Content-ID:

But that's applicable to class 1 of the spams, and class 2, which are just images containing one-liners, has some variations. In some cases the content id is smartly tampered with, but again there is a loophole, and here is an example of that:

    Message-ID: <[EMAIL PROTECTED]>
    Content-ID: <[EMAIL PROTECTED]>

The message id and the content id both contain the domain name of the sending server. And a valid mail that had an embedded image in it but was sent from Outlook had details something like this:

    From Outlook
    Message-ID: <[EMAIL PROTECTED]>
    Content-ID: <[EMAIL PROTECTED]>

Frankly I haven't seen how the content id appears when images are embedded using other valid email clients like Netscape or Thunderbird.

But if we compare the above set of patterns, what appears is that if an image is embedded using a client like Outlook then "@" appears in the content id of the attachment, but the latter part of @ is not the domain name but has the name of the attachment itself, and the message id is different from the content id. Whereas in the case of the spammers, the content ids that appear are either exactly the same as the message id, or don't have a @, or have the domain name of the server as the latter part of the @ in the content id.

So my question is: can we have rulesets in SpamAssassin that can compare the sending host domain with the latter part of @ of the content id, or look for @ in the content id?

Any suggestions? Comments?

--
Regards,
Rakesh B. Pal
Project Leader
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
Success is how high you reach after you hit the bottom.
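Added example, not part of the original post and not SpamAssassin code: a stand-alone Python check for the three Content-ID patterns the post describes. The rule names are hypothetical, the domain part of the Message-ID is assumed to stand in for the sending server's domain, and all sample messages are constructed.

```python
import email


def _bare_id(value):
    """Strip whitespace and angle brackets from a Message-ID/Content-ID."""
    return (value or "").strip().strip("<>").strip().lower()


def _right_of_at(ident):
    """Return the part after the last '@', or '' when there is no '@'."""
    return ident.rpartition("@")[2] if "@" in ident else ""


def check_image_cids(raw_message):
    """Return (content_id, finding) pairs for suspicious embedded images.

    Finding names are hypothetical labels for the patterns in the post:
      CID_EQUALS_MSGID        - Content-ID identical to the Message-ID
      CID_WITHOUT_AT          - Content-ID carries no '@' at all
      CID_DOMAIN_EQUALS_MSGID - part after '@' equals the Message-ID domain
    """
    msg = email.message_from_string(raw_message)
    msgid = _bare_id(msg.get("Message-ID"))
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        cid = _bare_id(part.get("Content-ID"))
        if not cid:
            continue  # attached, not embedded: nothing to compare
        if cid == msgid:
            findings.append((cid, "CID_EQUALS_MSGID"))
        elif "@" not in cid:
            findings.append((cid, "CID_WITHOUT_AT"))
        elif _right_of_at(cid) == _right_of_at(msgid):
            findings.append((cid, "CID_DOMAIN_EQUALS_MSGID"))
    return findings


def sample_message(msgid, cid):
    """Build a constructed multipart/related mail with one embedded GIF."""
    return "\n".join([
        "From: sender@example.test",
        "To: rcpt@example.test",
        f"Message-ID: <{msgid}>",
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/html",
        "",
        f'<img src="cid:{cid}">',
        "--b1",
        "Content-Type: image/gif",
        "Content-Transfer-Encoding: base64",
        f"Content-ID: <{cid}>",
        "",
        "R0lGODlhAQABAAAAACw=",
        "--b1--",
        "",
    ])


if __name__ == "__main__":
    # Constructed samples, one per pattern plus one client-style mail.
    samples = {
        "class 1": ("20050401.1234@mail.example.test",
                    "20050401.1234@mail.example.test"),
        "no @": ("20050401.1234@mail.example.test", "20050401.1234"),
        "class 2": ("aaa111@mail.example.test", "img7@mail.example.test"),
        "client": ("000801c53b$4d2@desktop01", "000701c53b$9a1@logo.gif"),
    }
    for name, (mid, cid) in samples.items():
        print(name, check_image_cids(sample_message(mid, cid)))
```

The last sample follows the post's description of client-generated mail (an "@" whose right-hand side is not the server domain) and produces no finding.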
Way to evade URI checks
Seems spammers have found a way to evade the URI checks.

The domain coolestrxever.com is listed in multi.surbl.org. But the spammers managed to evade the URI checks by appending special characters at the end of the URL, which are happily allowed by the browsers. The spam that I received had

    http://www.coolestrxever.com: (a colon at the end of the url)

After a bit of R&D I found the other options for spammers to carry out this technique:

    http://www.coolestrxever.com; (a semicolon)
    http://www.coolestrxever.com, (a comma)
    http://www.coolestrxever.com. (a fullstop)
    http://www.coolestrxever.com? (a question mark)

With all these special characters at the end of the URL, the URI check tries to make the lookup as

    debug: querying for coolestrxever.com:.sc.surbl.org

End result: it passed the promising URI checks. I am seeing the first spam of its kind. If any version of SpamAssassin fixes this in its URI retrieval program, please let me know.

--
Regards,
Rakesh B. Pal
Project Leader
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
Success is how high you reach after you hit the bottom.
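Added example, not part of the original post and not SpamAssassin's own URI code: a Python sketch of host normalization before a SURBL query name is built, covering the five trailing characters listed above. Taking the last two labels as the registered domain is a simplifying assumption, and no DNS lookup is performed.

```python
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
TRAILING = ":;,.?"  # the characters reported in the post

# The five variants from the post.
SAMPLE_URLS = [
    "http://www.coolestrxever.com:",
    "http://www.coolestrxever.com;",
    "http://www.coolestrxever.com,",
    "http://www.coolestrxever.com.",
    "http://www.coolestrxever.com?",
]


def naive_host(url):
    """Everything between '//' and the next '/', with no clean-up."""
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def two_labels(host):
    """Assumption: the registered domain is the last two labels."""
    return ".".join(host.split(".")[-2:])


def naive_query(url, zone):
    """Query name built without normalization (reproduces the debug line)."""
    return two_labels(naive_host(url)) + "." + zone


def clean_host(url):
    """Return a validated hostname, or None if it is not a plain DNS name."""
    host = naive_host(url)
    host = host.split("?", 1)[0].split("#", 1)[0]  # query/fragment glued on
    host = host.rsplit("@", 1)[-1]                 # drop userinfo
    host = host.rstrip(TRAILING)                   # "host:", "host;", ...
    host = re.sub(r":\d+$", "", host)              # a real port number
    host = host.rstrip(TRAILING)
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return None
    return host


def surbl_query(url, zone="multi.surbl.org"):
    """Query name for one URL after normalization, or None if unusable."""
    host = clean_host(url)
    return None if host is None else two_labels(host) + "." + zone


def queries_in_text(text, zone="multi.surbl.org"):
    """Sorted, de-duplicated query names for every URL found in a body."""
    found = {surbl_query(u, zone) for u in URL_RE.findall(text)}
    return sorted(q for q in found if q)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url!r:40} naive={naive_query(url, 'sc.surbl.org')!r}"
              f" clean={surbl_query(url, 'sc.surbl.org')!r}")
```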
RE: Spam is marked but delivered anyway
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 12:13 AM
To: users@spamassassin.apache.org
Subject: Re: Spam is marked but delivered anyway

> On Thursday 07 April 2005 09:38, [EMAIL PROTECTED] typed:
>
> SpamAssassin is only a tagging filter, not a delivery agent. You need something else in the pipeline that checks the status lines after SA is finished and routes the mail appropriately.
>
> There is the chance that bayes_99 will trip on legit mail, but normally this only occurs if you haven't trained the bayesian database properly so that it has a good set of tokens representing ham and spam.

I see. So you're saying that the BAYES_99 mail that is being delivered is due to the configuration of my MTA (Postfix), not SpamAssassin? I checked my Postfix config files (main.cf, master.cf) and neither have anything about it, so I would think that SpamAssassin is the one deciding on which spam to drop and which spam to let through. If that isn't the case, any idea what file I need to edit to block the BAYES_99 spam?

Are you using any content filter like Amavis or MailScanner in your setup? If no, and you are directly delivering the mail to spamd using Postfix, then don't expect the spams to be stopped or quarantined; they will be tagged, as SpamAssassin is just a tagging agent and not a filtering agent. Usually people do put in a content filter (e.g. Amavis) after their MTA, which scans the mails for viruses and spams by invoking SpamAssassin. Can you please confirm whether you are using any content filter or not?
Re: rewrite_subject 0 lint: 1 issues detected
Matt wrote:
> Lint output:
>
> config: SpamAssassin failed to parse line, skipping: rewrite_subject 0
> lint: 1 issues detected. please rerun with debug enabled for more information.
>
> I understand it is due to SA 3.0.2 no longer supporting "rewrite_subject 0". Question is how do I fix it?

I think this has been changed to rewrite_header or something. You will get the actual info in the post Install manuals.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
"First they ignore you. Then they laugh at you. Then they fight you. Then you win." - M. Gandhi
{Spam?} Re: Outgoing mail scanning
Hi all,

Since this specific post involves the FormMail.pl, I thought you guys might be interested in this article and its suggestions:
http://www.linuxexposed.com/Articles/Hacking/The-FormMail-Hack-Explained.html

regards
Rakesh

EB wrote:
> Hi Kenneth:
>
> But did you change the /etc/rc.d/init.d/sendmail file to point elsewhere? Because it's pointing to the /usr/sbin/sendmail now and it's expecting it as a daemon.
>
> Karen

On Fri, 04 Feb 2005 15:18:10 -0600, Kenneth Andresen <[EMAIL PROTECTED]> wrote:
> Hello Filip,
>
> Thank you for your script! I have been looking up several alternative paths now, and yours seem to be the better way to go. I had not noticed before that /usr/sbin/sendmail in fact only was a symlink.
>
> I have been testing your script, and it is necessary for me to modify it. This is what I did:
>
> I stored your script on my own local machine, added execute permissions, and made the symlink /usr/sbin/sendmail point to that file. I edited the script with the sendmail variable to point to /etc/alternatives/mta (which points to the true sendmail executable on all my redhat based systems)
>
> Then I tried to execute the following from command line:
>
>     echo -e "test\ntest" | mail -s "test" "[EMAIL PROTECTED]"
>
> that gave the result "2.6/5.0"... The mail was sent, without any modification, but that's likely because I did it on the command line.
>
> Anyway, the script has been of great help, and I will likely have a filter in place some time next week.
>
> Best regards,
> Kenneth

On Mon, 2005-01-31 at 17:43, Andrzej Adam Filip wrote:
> Kenneth Andresen wrote:
> > How is it possible to make such a sendmail wrapper script? Any links to examples?
>
> No but you can modify the script below to fit your needs:
>
>     #!/bin/sh
>     # temporary directory
>     TMPDIR=/tmp
>     # temporary working file name - unix time and process ID
>     TMPFILE=`/bin/date +%s`.$$
>     # temporary working file full path
>     TMPPATH="$TMPDIR/$TMPFILE"
>     # "true" sendmail path
>     SENDMAIL=/usr/sbin/sendmail
>     # directory to keep "classified as spam" messages
>     QUARANTINEDIR=/var/spool/quarantine
>     # remove temporary file in case of problems
>     trap "rm -f $TMPPATH" 0 1 2 3 15
>     # copy input to temporary file
>     cat - > $TMPPATH
>     # use spamc to check if it is a spam
>     spamc -c < $TMPPATH
>     if [ "$?" = "0" ] ; then
>         # No spam or spamc error
>         $SENDMAIL "$@" < $TMPPATH
>         EXITCODE=$?
>         rm $TMPPATH
>         exit $EXITCODE
>     else
>         # classified as spam
>         mv $TMPPATH $QUARANTINEDIR/$TMPFILE
>         echo "$@" > $QUARANTINEDIR/$TMPFILE.options
>     fi

--
regards,
Rakesh B. Pal,
Project Leader,
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
== I came, I saw, I conquered ==
Re: Outgoing mail scanning
EB wrote:
> We also have a problem to scan outgoing mail. It seems like a user on our server is making scripts to send out spam to a large list of AOL users in the "Cc" part that we are still trying to track them down. The mail header looks as it was sent from our local 127.0.0.1 from [EMAIL PROTECTED] user, so we can't block user or ip address. I had considered the other's suggestion to use a wrapper for sendmail, but looking at the dependencies of /usr/sbin/sendmail, it seems like a lot of work to replace it with the wrapper as everyone knows the location of /usr/sbin/sendmail already. Is there a way in spamassassin that we can set a rule to reject mail that contains a large list of "Cc" ?

EB, if mails are originating from 127.0.0.1 and are being sent by [EMAIL PROTECTED] then this is really a matter of concern. It may not necessarily be that one of your internal users is creating the problem for you; it might be some script in your web application that is used to send mails or notifications to the end users, and the spammers are exploiting that script. This might be because one of your CGI scripts is sending mails or notifications using command line "sendmail", and spammers can easily pass parameters through the browser address bar and add a lot of cc to the mail.

So apart from trying to block the spams originating from your server, try to trace down the CGI script. Look for a script that has sendmail in it; hopefully that might solve your problem. Also, using command line sendmail in a CGI script is really a bad idea. If you are using perl then better use MIME::Lite or something like that to send mails and notifications.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
I came, I saw, I conquered
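Added example, not part of the original post: a Python sketch of a web-form mailer that cannot be made to add Cc recipients through its parameters, the weakness described above. The form field names, FIXED_RECIPIENT and FORM_SENDER are hypothetical, and the form data is constructed.

```python
import re
from email.message import EmailMessage

# Assumptions: the one mailbox this form may write to, and the form's own
# sender address. Neither is ever taken from the request.
FIXED_RECIPIENT = "webmaster@example.test"
FORM_SENDER = "webform@example.test"

# One plain address only: no display name, no commas, no spaces.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _one_line(name, value, limit=200):
    """Reject a value that could start a new header line, then trim it."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{name}: line break in header value")
    if len(value) > limit:
        raise ValueError(f"{name}: too long")
    return value.strip()


def build_notification(form):
    """Return (message, envelope_recipients) for one form submission.

    Recipients come from configuration, never from the form, so whatever
    the visitor types can at most end up in Reply-To, Subject or the body.
    """
    visitor = _one_line("email", form.get("email", ""))
    if not ADDR_RE.match(visitor):
        raise ValueError("email: not a single plain address")
    subject = _one_line("subject", form.get("subject", ""))

    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = FIXED_RECIPIENT
    msg["Reply-To"] = visitor
    msg["Subject"] = "[web form] " + subject
    msg.set_content(form.get("body", ""))
    # Hand the envelope list to the MTA explicitly (for instance as the
    # to_addrs argument of smtplib.SMTP.sendmail) instead of letting
    # "sendmail -t" collect recipients from the headers.
    return msg, [FIXED_RECIPIENT]


if __name__ == "__main__":
    # Constructed submissions: one ordinary, one carrying an extra header.
    ok = {"email": "alice@example.test", "subject": "Hello", "body": "hi"}
    bad = {"email": "alice@example.test",
           "subject": "Hello\nCc: a@example.test, b@example.test",
           "body": "hi"}
    print(build_notification(ok)[1])
    try:
        build_notification(bad)
    except ValueError as exc:
        print("rejected:", exc)
```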
Re: Mailscanner
Kurt Buff wrote:
> Sorry to reply to my own post, but here's a link for for your perusal:
> http://archives.neohapsis.com/archives/postfix/2003-09/1730.html
>
> Don't use Mailscanner with Postfix. The author of Postfix states that it's not a good idea. I'll take his word for it.
>
> Kurt

Agreed on that. MailScanner directly accesses the queue files of Postfix and moves them from one queue to another. The Postfix author says this might corrupt some of your mails. But this has worked fine for me for ages. Anyway, I think this is not the right forum to argue on this point.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
I came, I saw, I conquered
Re: Mailscanner
Invalid wrote:
> Time error started Jan 30 19:15:04
>
> Jan 30 19:15:04 addr3ss MailScanner[11506]: MailScanner E-Mail Virus Scanner version 4.38.9 starting...
> Jan 30 19:15:04 addr3ss update.virus.scanners: Delaying cron job up to 600 seconds
> Jan 30 19:15:04 addr3ss MailScanner[11506]: Could not read directory /var/spool/mqueue
> Jan 30 19:15:04 addr3ss MailScanner[11506]: Error in configuration file line 133, directory /var/spool/mqueue for outqueuedir does not exist (or is not readable)
>
> I haven't even configured MailScanner yet This error continued. Until I figured it out

You cannot expect MailScanner to work fine for you unless you configure it. If you intend to use Postfix you need to specify the MTA in the MailScanner configuration file.

> My question is...Should I manually config the files? Or use Webmin
>
> Invalid

Whatever suits you.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
I came, I saw, I conquered
Re: Mailscanner
Usha, fix the following ...

Feb 1 10:33:33 ethnic postfix: succeeded
Feb 1 10:33:33 ethnic postfix/postsuper[2615]: warning: bogus file name: hold/razor-agent.log
Feb 1 10:33:33 ethnic postfix/postfix-script: starting the Postfix mail system
Feb 1 10:33:33 ethnic postfix: succeeded
Feb 1 10:33:33 ethnic postfix/master[2619]: daemon started -- version 2.1.0-pre-20040209
Feb 1 10:33:37 ethnic MailScanner[2627]: MailScanner E-Mail Virus Scanner version 4.38.9 starting...
Feb 1 10:33:37 ethnic MailScanner[2627]: Read 2 hostnames from the phishing whitelist
Feb 1 10:33:37 ethnic MailScanner[2627]: User's home directory /var/spool/postfix is not writable
Feb 1 10:33:37 ethnic MailScanner[2627]: You need to set the "SpamAssassin User State Dir" to a directory that the "Run As User" can write to
Feb 1 10:33:37 ethnic MailScanner[2627]: Enabling SpamAssassin auto-whitelist functionality...

SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
(Make sure this directory exists; if not, create it. This is where MailScanner will store your bayes. Change the permissions of this directory so that it is owned by user postfix or whichever user you are running MailScanner as.)

Run As User = postfix
(You need to set this to postfix in case you are using Postfix. This enables MailScanner to access the queue directory of Postfix.)

Feb 1 10:33:38 ethnic MailScanner[2522]: Using locktype = flock
Feb 1 10:33:38 ethnic MailScanner[2522]: Messages found but no hashed queue directories. Please enable hashed queues for incoming and deferred with a depth of 1 or 2. See the Postfix documentation for hash_queue_names and hash_queue_depth
Feb 1 10:33:43 ethnic MailScanner[2522]: Messages found but no hashed queue directories. Please enable hashed queues for incoming and deferred with a depth of 1 or 2. See the Postfix documentation for hash_queue_names and hash_queue_depth

You are getting this error because you are running Razor. Razor creates a log file (razor-agent.log) in its user's home directory, and in the case of Postfix the home directory is /var/spool/postfix. Since you are holding all the mails first, the log file is created in /var/spool/postfix/hold. MailScanner needs a hashed queue structure (whereas Postfix by default supports hashed queue), but since the log file is not actually a directory, MailScanner is not able to chdir to it and ends up giving this error. However, this doesn't affect the functionality of MailScanner.

If you want to fix this error you can safely change the home directory of postfix to /tmp in /etc/passwd; this doesn't hamper Postfix's or MailScanner's performance. It may happen that after changing the home dir of postfix you still get the error for some time, so in that case just make sure that you have removed the file /var/spool/postfix/hold/razor-agent.log and restart MailScanner.

That should fix your problem. Also make sure that you have done the other MailScanner configurations properly, and in case of MailScanner problems please post on the MailScanner discussion forum or ask on the mailscanner channel on freenode irc.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
I came, I saw, I conquered
bayes making me sick now
Hii,

Can anybody tell me when Bayes00 gives the score? Is it

1) If a mail has a lot of tokens that Bayes has never seen before, or
2) If the mail has a lot of tokens that Bayes has previously learnt as spam.

The reason for my weird question is that recently I have suddenly started receiving a huge chunk of Payroll Spams from Indian spammers, and my Bayes always gives them a score of -4.9. And after individually giving feedback on every mail I manage to get some better score from Bayes on these mails. I think my Bayes is badly poisoned; however, I need to give a good explanation to my Boss before I nuke my Bayes and start all over again.

thanks
Rakesh
Re: more spam gets through since SA 3.x
Florian Effenberger wrote:
> Hi Rakesh,
>
> > Well i cannot help much in your problem apart from saying what Jeff had said earlier, that you need to upgrade some of your Perl modules.
>
> the problem is that I run on a Debian 3.0 system that has older Perl modules. :-)
>
> > But I couldn't help my curiosity as to why you have disabled Bayes. I know you might be having a good reason for doing that, I was just curious in knowing it.
>
> I want to check out how it works in some time, and then I'll activate it. I just disabled it because I did not have the time to look at it. :-)
>
> Florian

Oh wow, that's great :-)
Re: more spam gets through since SA 3.x
Florian Effenberger wrote:
> warning: description for TO_ADDRESS_EQ_REAL is over 50 chars
> warning: description for PRIORITY_NO_NAME is over 50 chars
> warning: description for HTML_MIME_NO_HTML_TAG is over 50 chars
> warning: description for MSGID_FROM_MTA_HEADER is over 50 chars
> warning: description for __RCVD_IN_SBL_XBL is over 50 chars
> warning: description for EXCUSE_REMOVE is over 50 chars
> warning: description for T_DNS_FROM_SECURITYSAGE is over 50 chars
> warning: description exists for non-existent rule T_DNS_FROM_SECURITYSAGE

Well, is it possible that the above warnings are coming because the cf files in /usr/share/spamassassin are those of the old 2.6X version and not those of 3.x?

> Net::DNS version is 0.23, but need 0.34dnsavailable-1 at /usr/local/share/perl/5.6.1/Mail/SpamAssassin/Dns.pm line 1230.
> debug: DCCifd is not available: no r/w dccifd socket found.
> debug: DCC is not available: no executable dccproc found.
> debug: Pyzor is not available: pyzor not found
> lint: 188 issues detected. please rerun with debug enabled for more information.
>
> Thanks
> Florian

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
Success is not a destination that you ever reach. Success is the quality of your journey
--
Netcore's New Website http://www.netcore.co.in
Re: more spam gets through since SA 3.x
Florian Effenberger wrote:
> Hi Loren,
>
> > Are you running bayes and getting a lot of bayes_99 hits? If so, the score for bayes-99 is a lot lower in 3.0. This has caused problems for some people.
>
> I don't run Bayes. Did not run it with 2.64 as well, and it worked fine without.

Well, I cannot help much in your problem apart from saying what Jeff had said earlier, that you need to upgrade some of your Perl modules. But I couldn't help my curiosity as to why you have disabled Bayes. I know you might be having a good reason for doing that, I was just curious in knowing it.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
Success is not a destination that you ever reach. Success is the quality of your journey
can any body help me understand this
These days my bayesian engine is giving me lots of false positives. Although I keep on having a periodic expiry of my bayes database, still my bayes_seen is growing large (about which I read in Matt's post in the forum some time back). However, now I am trying to investigate whether my Bayes is really poisoned or not. I did a sa-learn --dump data and got an output of the following kind. Can anyone please help me understand the output?

0.000 0108 1103190407 N:H*i:sk:NNfNNNc
0.978 2 0 1103188668 UNLIKE
0.009 0 6 1102997003 U*sambalpur
0.958 1 0 1103003309 H*M:OEBfa62
0.958 1 0 1103171817 Tins
0.049 0 1 1102985500 D*ms52.hinet.net
0.013219 25539 1103193138 H*r:Unix
0.027 31 1717 1103192325 N:HX-Qmail-Scanner:N.NN
0.467123219 1103186329 PERSONAL
0.013 0 4 1103027319 HTo:U*Jesrine
0.985 3 0 1103099578 backfiring
0.017 0 3 1103031379 YÒk
0.049 0 1 1102972766 Wspecial
0.958 1 0 1102981540 sk:QHKBAZC

Also, if my Bayes is poisoned, can I safely replace the existing bayes db of this server with the one from another server of mine, as right now spams over there are being properly trapped?

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
Success is not a destination that you ever reach. Success is the quality of your journey
Re: A change in tact
Brett Cove wrote:
> I've noticed much of the spam containing geocities urls contain a query string at the end. Example:
>
> www.geocities.com/giovanni_campos_42/?s=lexi&m=ZVQcj.RhhQfY,hVX
>
> Is this something that occurs often in 'non-spam' geocities links?

I have even received spam without the querystring. Well, you cannot predict what the spammers are sending in.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
Success is not a destination that you ever reach. Success is the quality of your journey
Re: Attachment size rule?
Pat Traynor wrote:
> Does anyone know how I could write a rule based on an attachment size? I'm getting a lot of spams with this specific file attached. It's always named differently, the the size is exactly the same each time.
>
> --pat--

What kind of contents are there in the attachment? Are they mails related to the economy of Kazakhstan and other countries?

Rakesh
Re: [sa-list] A change in tact
Dan Mahoney, System Admin wrote:
> On Wed, 15 Dec 2004, Rakesh wrote:
>
> I think for the four or five large free website providers, a hook could be added to spamassassin -r that reports them specifically (although spamcop already does this, they'll only be advised of the actual site if you're using a full-blown spamcop account, not the anon thing).

Sounds interesting to me; what do others have to say? Can we build up a reporting mechanism for the big providers?

> > Hii I am using Spamassassin with URI, Razor and DCC checks to catch spams. After implementing URI checks my life had became easier. But ever since the SURBLs and URI checks became popular means of trapping spams the spammers have devised a new way to send their mails in.
Re: A change in tact
Rob McEwen wrote:
> Final thought: If these additional avenues don't produce results with a few weeks, I am going to send ALL of my clients an e-mail explaining the situation to them and telling them:
>
> "Geocities cannot seem to police their kiddie pron spamming to a reasonable extent and, therefore, and mail going through my server which mentions the word "Geocities" will now be quarantined for review and will be released if legitimate within 24 hours. Therefore expect delays for any e-mail that mentions Geocities"
>
> (I'll include the stats in this e-mail to back me up.)

Well, even I think that has to be the final resort, but one thing I wanted to know: how many mails of a similar kind are you guys receiving? Is it just the beginning or are we already in the middle of it?

Rakesh
A change in tact
Hii,

I am using SpamAssassin with URI, Razor and DCC checks to catch spams. After implementing URI checks my life had become easier. But ever since the SURBLs and URI checks became popular means of trapping spams, the spammers have devised a new way to send their mails in. Recently some of the spams had started slipping in through my setup, and with every spam that appeared in my boss's inbox my pant was on fire.

I found that earlier the URLs in these spam mails pointed to the ad servers or the spammer's website to request images or links. But in these mails that slipped in, the links were of geocities.com or tripod or other free webhosting service providers. Earlier I thought that these links might be forged and actually might be pointing to some other spammer's website, but these links actually point to geocities, and on visiting the link you get an HTML redirection to the spammer's site.

A sample of such spam is as follows:

    If you can make a woman laugh you can do anything with her.
    http://www.geocities.com/brenda_paul_100/

So the question is how do we tackle this scenario. Either we blacklist free hosting sites like geocities.com in SURBL and get false positives, or we make a humble request to these free webhosting companies to stop new registrations and crack down on the ids and hope that the webhosting company will really do this, or we find an intermediate way, which I was trying to think of but couldn't make my grey cells work on it. So I am making my last resort: asking the experts to help me out.

So how do we tackle this?

regards
Rakesh
Re: Bayes question
Austin Weidner wrote:
> Really trying to figure out bayes. Auto learn is set up, and my headers are showing autolearn=spam
>
> However, when I do sa-learn --dump magic, there are zero spams and zero hams. By using the -D (debug) option, I can see sa-learn is looking at:
>
> debug: bayes: 17216 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
> debug: bayes: 17216 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
>
> When I get a new spam, these files are NOT being updated. The files being updated are in: /var/spool/mqueue/.spamassassin
>
> How do I sort this out? Autolearn seems to be feeding the files in the mqueue directory, but sa-learn (and therefore I would think spamassassin itself) wants it in /root/.spamassassin
>
> This is a MailScanner/SA installation. I've tried to set the path in the spam.assassin.prefs.conf file to:
>
> bayes_path /root/.spamassassin/bayes
> bayes_file_mode 0660
>
> But this didn't do anything. In fact, when I did this, autolearn=spam stopped showing up in headers. Any ideas?

Did you create a softlink of local.cf in /etc/mail/spamassassin to your spam.assassin.prefs.conf? Whichever path of bayes you set in local.cf, SpamAssassin will follow that path.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
== perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," ==
Re: Rules List
hii,

Which version of SpamAssassin are you using? I would recommend removing URI rulesets like bigevil and SARE URI and using SURBLs instead; that will help you to get rid of a great deal of spams. If you are using an older version of SpamAssassin like 2.63 then you will have to install the SpamCop URI plugin or else upgrade to SpamAssassin 3.x. Also try to use DCC and Razor if you are not using them.

Rakesh

On Sat, 2004-11-06 at 21:41, Anton Krall wrote:
> Guys.
>
> I am using the following rules list but still a lot of spam is going thru.. Any extra rules you recommend adding?
>
> 70_sare_adult.cf 70_sare_header1.cf 70_sare_html3.cf 71_sare_bml_pre25x.cf
> 70_sare_bayes_poison_nxm.cf 70_sare_header2.cf 70_sare_html4.cf 71_sare_redirect_pre3.0.0.cf
> 70_sare_genlsubj.cf 70_sare_header3.cf 70_sare_html_arc.cf 72_sare_bml_post25x.cf
> 70_sare_genlsubj0.cf 70_sare_header_arc.cf 70_sare_html_eng.cf 72_sare_redirect_post3.0.0.cf
> 70_sare_genlsubj1.cf 70_sare_header_eng.cf 70_sare_html_x30.cf 99_sare_fraud_post25x.cf
> 70_sare_genlsubj2.cf 70_sare_header_x264_x30.cf 70_sare_oem.cf 99_sare_fraud_pre25x.cf
> 70_sare_genlsubj3.cf 70_sare_header_x30.cf 70_sare_random.cf RulesDuJour
> 70_sare_genlsubj_arc.cf 70_sare_highrisk.cf 70_sare_specific.cf antidrug.cf
> 70_sare_genlsubj_eng.cf 70_sare_html.cf 70_sare_spoof.cf bigevil.cf
> 70_sare_genlsubj_x30.cf 70_sare_html0.cf 70_sare_unsub.cf bogus-virus-warnings.cf
> 70_sare_header.cf 70_sare_html1.cf 70_sare_uri.cf evilnumbers.cf
> 70_sare_header0.cf 70_sare_html2.cf 70_sc_top200.cf rules_du_jour
Re: Automatic rejection
On Tue, 2004-11-02 at 18:54, Moussa Fall wrote:
> Thank you, Martin and Duncan!
> Sorry I did not mention this information. I am using RH9 with Postfix. Maybe I can use Mailscanner.

If you use MailScanner then you can specify in the MailScanner configuration to discard the spam mails, or simply store (quarantine) the message instead of delivering it.

> On 2 Nov 2004 at 12:53, Martin Hepworth wrote:
>
> > Moussa Fall wrote:
> > > Question from a newbie: can anyone point me to a location where I can find out to make spamassassin automatically reject spam? I noticed that all tagged spam are really spams and I do not want users to receive mail with scores, etc.
> > >
> > > Thank you.
> >
> > Hi
> >
> > if you want to 'reject' the email you'll need to use milter with sendmail or something similir for your MTA (exim, postfix..)
> >
> > If you want to accept all email then process before delivery you can use MailScanner or amavis-new - I use MailScanner.
> >
> > or you could use procmail if you are on a *nix ermail server to process the emails upon deliver.
> >
> > --
> > Martin Hepworth
> > Senior Systems Administrator
> > Solid State Logic Ltd
> > tel: +44 (0)1865 842300
> >
> > **
> >
> > This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.
> >
> > This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
> >
> > **
Re: [sa-list] Re: DSPAM-plugin for SpamAssassin 3.* ?
Juhapekka Tolvanen wrote:
> but if you plan on running this on a production system with live users, it is a death wish."

Death wish! I really don't think so. I run SpamAssassin+Razor+URI checks and a good amount of rulesets with MailScanner, all written in Perl, on a production system processing about a million messages a day for about 120 virtual domains and three virus scanners. And the load on my system never crosses 0.8, so I would never believe that SpamAssassin is a death wish for a production system just because someone with a system with low RAM and unnecessary processes running says so. In fact SpamAssassin has saved my life from irritating client complaints about spams.

> I can not code anything like that myself. I am just (l)user.

I think users who cannot code shouldn't boss the developers about what to do and what not to do. At least we should write a few lines to thank them that they spend so much of their and spend so much efforts for no pay. Even I am a user and I really thank them a lot for the great work that they are doing.

> I reiterate: It does not hurt, if we try out and see what happens.

Trying out new stuff is always a good suggestion, but the attitude of the suggestion always matters a lot.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
== perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," ==
Re: Ruleset to kill rolex spam
I really don't think there is a need for a Rolex-specific ruleset; Razor, DCC and URI checks took care of them for me.

Peter Clark wrote:

> Apparently hawking Rolexes is the in thing with spammers these days. I haven't seen any rulesets around that would help combat it, so I wrote one. It's available at http://www.violetdreams.com/sa/rolex.cf if anyone would like to try it or critique it. It was written and tested under SA 3.0.1.

--
Regards, Rakesh B. Pal
Emergic CleanMail Team. Netcore Solutions Pvt. Ltd.
== perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," ==
-- Netcore's New Website http://www.netcore.co.in --
Re: Minimal Perl.
Some dependencies I recall are:

perl-Time-HiRes_1.38-4_i386.rpm
perl-Digest-HMAC_1.01-11_noarch.rpm
perl-Digest-SHA1_2.07-1.rhfc1.dag_i386.rpm
perl-Net-DNS_0.31-3.2_noarch.rpm

Correct me if I am wrong or have missed something.

> Is there a list of dependencies for SA so I only have to install what I need for SA to run?

--
Regards, Rakesh B. Pal
Emergic CleanMail Team. Netcore Solutions Pvt. Ltd.
== perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," ==
-- Netcore's New Website http://www.netcore.co.in --
SpamAssassin timed out
Hi

I am using SpamAssassin + (Razor, DCC and URI checks) with MailScanner. Not always, but I usually get an error of "SpamAssassin timed out and was killed" in my maillogs. I am not sure about the exact reason, but I feel that this has something to do with the Bayes database, as I have observed that when my Bayes database grows large, to say about 100 MB, I start getting this error. Just need a comment on the possible cause of this.

--
Regards, Rakesh B. Pal
Emergic CleanMail Team. Netcore Solutions Pvt. Ltd.
== perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," ==
-- Netcore's New Website http://www.netcore.co.in --
Re: spam slippin through
Try implementing SpamCop URI checks or upgrade to SA 3.0 and you will get rid of these unstoppable spam mails. I got amazing results after implementing URI checks.

Rakesh

[EMAIL PROTECTED] wrote:

> running a site wide SA 2.6 setup, some XXX html only mails are impossible to stop, getting scores as low as 2.0. the email just calls images, and that's about it. should i paste the subject here, they are quite distinct, and i'm sure others are getting them.
Re: sa-learn question
I think you should check the SpamAssassin wiki for the solution to your problem: http://wiki.apache.org/spamassassin/BayesInSpamAssassin

Rakesh

Lance wrote:

> Alright, we're running courier IMAP along with pop3 but our spool is all Maildir format. I've got a public spam folder for certain people so what would the sa-learn command be?
>
> sa-learn --spam /var/spool/mail/unixvault.net/shared/.Spam/cur/*
>
> or do I need to insert something in there? --mbx/--mbox? I'm not sure if there's a difference on how it learns or not or if it could result in false positives if it's not learning correctly.
>
> lance
Re: bayes training
I really don't feel the need for any human intervention in training the bayes. There is a script file called "sa-wrapper.pl" which takes care of all the issues. Check out this link http://jousset.org/pub/sa-postfix.en.html for more info on implementing that. Follow the steps mentioned in there if you're using postfix; in case of sendmail you will have to do a little bit of hard work to implement it, as I am feeling a bit lazy to type out the procedures for sendmail. But in case you can't figure it out, just let me know.

After that all you need to do is:

1) If you are using Outlook Express or any other mail client then forward the spam mail as an attachment to the [EMAIL PROTECTED] account.
2) If you are using Outlook then save the spam mail on your desktop and then attach it in a new mail and send it to the spam account.

This script strips off the attachment from the actual mail and considers only the headers of the spam mail sent to it as an attachment. So no issues about improper training. I have implemented the same for a very large setup where the mailboxes are spread across different servers and syncing the feedback on all the servers is really very difficult, so the IMAP way won't work in that case.

Also, as for the security issue of someone trying to play mischief and trying to send a spam mail to your nospam account as feedback, the script also takes care of that. There is an array of domains in the script where you have to specify your domain names. The script will learn from the feedback only of the domains specified in the array.

Hope that sorts out your problem.

Rakesh

Loren Wilton wrote:

> > My users use OE or Netscape mail client to check their mails. Can I ask
> > I am scared that if they *forward* their mails to that account bayes
>
> Forwarding from OE will screw the mail over badly, you DO NOT want to do that. Probably the same from NS or most any other mail client, for that matter.
>
> The easiest solution with OE is to set up some IMAP folders on the server, and have the OE users *copy* or move the mail to the folder. This will preserve the headers correctly. You then need a simple cron job on the server to feed the mailbox to SAlearn, and perhaps clean it out afterwards.
>
> Alternately you could have them create new mails aimed at a spam account, and ATTACH the spam as an attachment. You will need to manually somehow or other unwrap the attachment before feeding it to SA; but it is possible. I would go with the IMAP folder method.
>
> Loren
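
The unwrap-and-allowlist step discussed in this thread, as an added Python example (not part of any post, and not the sa-wrapper.pl script): it accepts a feedback mail only from a listed domain and extracts the attached original so its headers reach sa-learn intact. The allowed domain, addresses and sample message are constructed placeholders, and the `From` check is only as trustworthy as the MTA's sender verification.

```python
import email
import subprocess
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: placeholder domain whose users may submit training feedback.
ALLOWED_DOMAINS = {"example.com"}

def extract_feedback(raw, allowed=ALLOWED_DOMAINS):
    """Return attached original messages (bytes) from an allowed submitter."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    addr = parseaddr(str(outer.get("From", "")))[1]
    domain = addr.rpartition("@")[2].lower()
    if not addr or domain not in allowed:
        return []  # feedback from unlisted domains is never learned
    originals = []
    for part in outer.iter_parts():  # top-level parts only
        if part.get_content_type() == "message/rfc822":
            # The attachment carries the spam with its original headers intact.
            originals.append(part.get_payload(0).as_bytes())
    return originals

def learn_spam(message_bytes):
    """Pipe one unwrapped message to sa-learn (needs SpamAssassin installed)."""
    return subprocess.run(["sa-learn", "--spam"], input=message_bytes,
                          check=False).returncode

def build_sample(submitter):
    """Constructed sample: a user forwards one spam as an attachment."""
    spam = EmailMessage()
    spam["From"] = "seller@spam.invalid"
    spam["Subject"] = "cheap watches"
    spam["Message-ID"] = "<constructed-1@spam.invalid>"
    spam.set_content("Buy now")
    outer = EmailMessage()
    outer["From"] = submitter
    outer["To"] = "spam-feedback@example.com"
    outer["Subject"] = "Fwd: cheap watches"
    outer.set_content("Reporting this as spam.")
    outer.add_attachment(spam)  # attached as message/rfc822
    return outer.as_bytes()

if __name__ == "__main__":
    for who in ("user@example.com", "stranger@elsewhere.invalid"):
        found = extract_feedback(build_sample(who))
        print(who, "->", len(found), "message(s) accepted for training")
```

Mail that was forwarded inline rather than attached has no `message/rfc822` part, so it yields nothing to learn from instead of training Bayes on the forwarder's own headers.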