Re: Flooded by a SPAM always containing the same picture

2009-05-08 Thread Randy

Ned Slider wrote:

Ned Slider wrote:

Martin Gregorie wrote:

On Wed, 2009-05-06 at 02:08 +0100, Ned Slider wrote:
I had one sneak through today which didn't hit any rules at all (it 
hits a few DNSBLs now but not when I received it). It contained an 
inline png:


Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

here's the full message:

http://pastebin.com/m608defa5

Any idea how to tackle these? I have the DSC png rule in place 
but obviously that doesn't apply to this example.


Perhaps I need a rule for "Content-Type: image/png" too?


This works for me:

describe   MG_NONAME Image with no filename
mimeheader __MG_NON1 Content-Type =~ /image\/(png|gif)/i
mimeheader __MG_NON2 Content-Type !~ /name\=/i
meta   MG_NONAME (__MG_NON1 && __MG_NON2)
score  MG_NONAME 1.5

If you want a more bullet-proof rule, don't overlook the two sex terms
in the subject line: write a rule that fires on that sort of stuff in
the subject and combine it with the two image rules in a meta that looks
something like this:

meta IMAGE_SPAM ( SEX_SUBJECT && ( MG_NONAME || FAKE_PHOTO ))

where FAKE_PHOTO represents your DSCnnn.png detection rule.

 
Martin






Thanks everyone :)

Here's what I have to test with so far using a combination of the 
suggestions:


# image has no name
mimeheader __LOCAL_IMAGE_NONAME Content-Type !~ /name\=/

meta LOCAL_IMAGE_SPAM ((__HTML_IMG_ONLY || __DC_IMG_HTML_RATIO || __DC_IMG_TEXT_RATIO || __LOCAL_IMAGE_NONAME) && (__PNG_ATTACH_1 || __GIF_ATTACH_1))



which might be a little aggressive but should hopefully hit on most 
variants of these for the time being.


This particular example hits on __DC_IMG_TEXT_RATIO, 
__LOCAL_IMAGE_NONAME and __PNG_ATTACH_1 triggering the meta rule.





Just following up on this...

__LOCAL_IMAGE_NONAME causes false positives when used in the above.

John Hardin's "Image-only spams" thread rule from yesterday looks 
better :)


AWL / BOTNET / EMPTY_MESSAGE / SORBS / BAYES / DATE_IN_FUTURE ( on most I 
have seen ) will trigger on these spams and as I said, you will 
probably never need the rule after a week. Also they changed the name 
and image ( slightly ). Now the image is "Gibas.png" or at least, they 
are using this too. The last we received was this morning and it 
triggered BAYES_99=3.5, BOTNET=2.2, BOTNET_NORDNS=1.1, 
EMPTY_MESSAGE=2.308, RCVD_IN_PBL=0.001. Do the math.
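To see how the parts of that meta rule interact, and why the unnamed-image clause on its own produces the false positives mentioned above, here is a small Python re-implementation of the logic. This is an added example, not SpamAssassin code and not anything posted in the thread: it builds three constructed messages with the standard library, checks the same two conditions the rule combines, and reports which sub-rules hit. The 40-character text threshold standing in for the DC_IMG_*_RATIO rules is an assumption, and __HTML_IMG_ONLY / __DC_IMG_HTML_RATIO are left unmodelled.

```python
"""Toy re-implementation of the LOCAL_IMAGE_SPAM meta rule from the thread.
Added example: rule names are borrowed from the thread, the thresholds and the
sample messages are constructed for illustration."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MIN_TEXT_CHARS = 40   # assumed stand-in for the DC_IMG_*_RATIO rules

LEGIT_TEXT = ("Hi team, here are the minutes from today's meeting; "
              "see the attached diagram for the proposed office layout.")


def build_sample(text, image_name=None):
    """Build a raw message with a text body and one inline PNG (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64   # not a real image, just bytes
    params = {"name": image_name} if image_name else None   # name= in Content-Type, as MUAs do
    msg.add_attachment(fake_png, maintype="image", subtype="png",
                       disposition="inline", filename=image_name, params=params)
    return msg.as_bytes()


def check_rules(raw):
    """Return the set of sub-rule names that hit, mirroring the meta rule's inputs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = set()
    text_chars = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text_chars += len(part.get_content().strip())
        elif ctype in ("image/png", "image/gif"):
            hits.add("__PNG_ATTACH_1" if ctype == "image/png" else "__GIF_ATTACH_1")
            # mimics: mimeheader __LOCAL_IMAGE_NONAME Content-Type !~ /name\=/
            if not re.search(r"name=", str(part.get("Content-Type", "")), re.I):
                hits.add("__LOCAL_IMAGE_NONAME")
    if text_chars < MIN_TEXT_CHARS:
        hits.add("__DC_IMG_TEXT_RATIO")   # "almost no text next to an image"
    return hits


def local_image_spam(hits):
    """The meta rule: (image-only OR unnamed image) AND (png OR gif attached)."""
    body_side = hits & {"__HTML_IMG_ONLY", "__DC_IMG_HTML_RATIO",
                        "__DC_IMG_TEXT_RATIO", "__LOCAL_IMAGE_NONAME"}
    attach_side = hits & {"__PNG_ATTACH_1", "__GIF_ATTACH_1"}
    return bool(body_side) and bool(attach_side)


if __name__ == "__main__":
    samples = {
        "blank mail, unnamed png": build_sample("", None),
        "newsletter, named logo": build_sample(LEGIT_TEXT, "logo.png"),
        "real mail, unnamed sig logo": build_sample(LEGIT_TEXT, None),
    }
    for label, raw in samples.items():
        hits = check_rules(raw)
        print(f"{label:30} {sorted(hits)} -> LOCAL_IMAGE_SPAM={local_image_spam(hits)}")
```

The blank message hits exactly the three sub-rules Ned reported (__DC_IMG_TEXT_RATIO, __LOCAL_IMAGE_NONAME, __PNG_ATTACH_1); the newsletter with a named logo is clean; and the ordinary mail with an unnamed inline logo still fires through __LOCAL_IMAGE_NONAME alone, which is the false-positive path Ned's follow-up refers to.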


Re: mcafee sees drop in spam?

2009-05-08 Thread Randy

Michael Scheidell wrote:

looks like mcafee sees a 20% drop in spam?

wonder what that is about.  I'm not seeing a drop in ATTEMPTED spam (I 
see MORE ATTEMPTED spam).  Mostly this new 'blank email with a png' in 
it.

Sanesecurity rules seem to be keeping up with it for the most part.

I wonder what they are using to count/catch/ block spam?

anyone else seeing a 20% drop in spam?

OT: mcafee might not even be using their own SECURITY products to 
protect their own internal networks, according to this report:


 http://news.cnet.com/8301-1009_3-10234033-83.html
They are wrong. A large volume spammer started about 2 weeks ago. This 
includes the *png spam and others I know are the same spammer because it 
all started at once. Our spam levels are up 100%.


Re: mcafee sees drop in spam?

2009-05-08 Thread Randy

Martin Hepworth wrote:
Spamcop stats don't show this - yes the number of picture spams is 
going up, but not spam generally.


http://www.spamcop.net/spamgraph.shtml?spamyear

--
Martin Hepworth
Oxford, UK

2009/5/8 Michael Scheidell


looks like mcafee sees a 20% drop in spam?

wonder what that is about.  I'm not seeing a drop in ATTEMPTED
spam (I see MORE ATTEMPTED spam).  Mostly this new 'blank email
with a png' in it.
Sanesecurity rules seem to be keeping up with it for the most part.

I wonder what they are using to count/catch/ block spam?

anyone else seeing a 20% drop in spam?

OT: mcafee might not even be using their own SECURITY products to
protect their own internal networks, according to this report:

 http://news.cnet.com/8301-1009_3-10234033-83.html
-- 
Michael Scheidell, CTO

Phone: 561-999-5000, x 1259
| SECNAP Network Security Corporation

  * Certified SNORT Integrator
  * 2008-9 Hot Company Award Winner, World Executive Alliance
  * Five-Star Partner Program 2009, VARBusiness
  * Best Anti-Spam Product 2008, Network Products Guide
  * King of Spam Filters, SC Magazine 2008

_
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_






Spamcop does show this. The Mcafee report states spam has slowed 20% 
during the first quarter of this year. Spamcop shows that spam has risen 
40%. 40% = 25/35. This is a visual estimate of what I see in Jan. 
divided by the current rate.






Re: Increase in Spam since 7am EDT

2009-05-12 Thread Randy

Rick Macdougall wrote:

Hi,

I'm seeing a massive increase in connection attempts since 7am EDT 
this morning.


Most is being rejected because of not existing users but the majority 
that is getting through is hitting 
"Sanesecurity.Casino.11228.UNOFFICIAL".


I'm seeing this across 5 different servers, all hosting different 
domains and on different IP space.


Anyone else seeing this ?

Regards,

Rick
Backscatter? Someone forged the return address? We had this the other 
day which almost took us offline.


Re: Is email becoming unusable due to spam and antispam?

2009-05-15 Thread Randy

Igor Chudov wrote:

Just today a buyer reported that my reply to him ended up in his spam
folder. Concerned by this, I sent an email to my Yahoo! account and
that one disappeared somewhere. The one I sent to gmail, however, got
there quickly. I may be overreacting and, perhaps, it is a coincidence
that Yahoo just happens to be slow at the moment. But I am concerned. 


I have a general feeling that spammers became so good at making their
messages look legitimate, that [poor] spam filters flag even
completely innocent stuff as spam. 


This sending email by regular people who own their mailservers (as
opposed to gmail and such) becomes more and more risky and impossible,
in other words, email is quickly being undermined by spammers and
filters to being unreliable and flaky.

That is, now the damage from spam is not only in unwanted messages,
but also in email lost due to sloppy filtering.

I looked up my PC (75.146.106.188 on static IP from Comcast) and my
mailserver (65.182.171.162 hosted in a datacenter) and did not find
any RBL records to match.

Any thoughts?

i
  
Their filtering sucks because they don't spend enough time fixing the 
false positives. Yahoo throws stuff in the spam directory which comes 
from big well known, not spamming companies without regard. Comcast 
blocks e-mail lists that are legit even when you are on their feedback 
loop and then blames you when you call them and asks questions like, "Are 
you filtering outgoing e-mail" and are convinced that that is the way to 
remain unblocked even though the mail server isn't public and you know 
100% the e-mail leaving your network is not spam. They all suck.


Re: copy spam mail to separate mailbox

2009-07-16 Thread Randy
Evan Platt wrote:
> At 11:22 AM 7/16/2009, you wrote:
>> I have a postfix/SA setup and I was wondering if anyone knew how to
>> COPY an email marked as spam instead of redirecting.
>> Not this:
>> /^X-Spam-Flag: YES/   REDIRECT spam...@example.com
>
> As that's really a postfix question, not a SpamAssassin question, if
> you don't get an answer here you may want to try on a postfix mailing
> list. 
Procmail. Set postfix to use this as local delivery agent. Then create a
"recipe" that does what you want.

"procmailrc"

# maildir to deliver spam into (the trailing slash makes procmail use maildir delivery)
SPAMIT="$whatever_dir_you_want_to_use/.SPAM/"
# ":0:" starts a recipe that takes a lock file; it fires on messages SpamAssassin flagged
:0:
* ^X-Spam-Status: Yes
$SPAMIT


This would need to be modified for your specs of course.

RCR


botnet dos

2008-10-14 Thread Randy

Hi,

We are being spammed by a botnet to a single email address which makes 
it difficult to block. Spamhaus catches about 1/2 of them, but the rest 
are blocked via postfix because this is an old account and does not have 
a mailbox.


Why would a botnet waste resources by sending tens of thousands of spam 
to a single e-mail address? The only thing we can think of is that the 
botnet is messed up. This is interesting because whoever runs it 
doesn't even know what the botnet is doing. Wouldn't it be normal to 
monitor your botnet and fix the issues so that it can spam more 
recipients? I could also add thousands of infected hosts to a BL, but 
is it worth the time and which list would be best for this?


Any insight into this would be nice.

Thanks,
Randy Ramsdell


Re: botnet dos

2008-10-14 Thread Randy

Martin Gregorie wrote:
Why would a botnet waste resources by sending tens of thousands of spam 
to a single e-mail address?




Is it really a spambot or could it be a DDOS attack?


Martin

  


It is both but not actually. :)

It appears to be a spambot ( botnet ) , and it really isn't enough 
traffic to cause DDOS so I really should change the topic header. The 
traffic may be 4 - 10 emails per day for this email address. I 
would think they would try to  connect more often to cause a DDOS. It 
really isn't a true DDOS since the syn/syn-ack/ack takes place, but 
don't quote me on that.


Thanks,
Randy Ramsdell






Re: botnet dos

2008-10-14 Thread Randy

Ken A wrote:

Randy wrote:

Martin Gregorie wrote:
Why would a botnet waste resources by sending tens of thousands of 
spam to a single e-mail address?




Is it really a spambot or could it be a DDOS attack?


Martin

  


It is both but not actually. :)

It appears to be a spambot ( botnet ) , and it really isn't enough 
traffic to cause DDOS so I really should change the topic header. The 
traffic may be 4 - 10 emails per day for this email address. 
I would think they would try to  connect more often to cause a DDOS. 
It really isn't a true DDOS since the syn/syn-ack/ack takes place, 
but don't quote me on that.


Thanks,
Randy Ramsdell




Are you sure it's not spam bounces (joe job)?
This is more common than a spam attack
Ken







Yeah we get those in spurts, but this appears to not be the case. We are 
getting thousands of connects from non MX hosts and many are blocked at 
the smtp layer by our mail server. The connecting hosts are non valid 
MXes which many do not resolve, are listed in Spamhaus and use fake HELO 
all sending to a single e-mail address.






Re: botnet dos

2008-10-14 Thread Randy

John Hardin wrote:

On Tue, 14 Oct 2008, Randy wrote:

It appears to be a spambot ( botnet ) , and it really isn't enough 
traffic to cause DDOS so I really should change the topic header. The 
traffic may be 4 - 10 emails per day for this email address.


To a _single_ invalid address? If it were me I'd accept that as a sign 
G*D wants me to tarpit that botnet... :)





Yeah something along these lines would be appropriate. What is 
interesting is that I am logging every known host in this botnet! :) 
Hence, I wanted to see what others thought would be a good way to deal 
with it by reporting to Spamhaus, etc... I will obviously keep these 
logs, but why unless there is some way to use it.


Re: botnet dos

2008-10-14 Thread Randy

mouss wrote:

Ned Slider a écrit :
  

Randy wrote:


Ken A wrote:
  

Randy wrote:

Are you sure it's not spam bounces (joe job)?
This is more common than a spam attack
Ken



Yeah we get those in spurts, but this appears to not be the case. We
are getting thousands of connects from non MX hosts and many are
blocked at the smtp layer by our mail server. The connecting hosts are
non valid MXes which many do not resolve, are listed in Spamhaus and
use fake HELO all sending to a single e-mail address.

  

If that's the case then I guess there's not a lot you do about it other
than suck up the volume. About the only thing I can think of is to add a
check_recipient_access entry for that e-mail address to specifically
reject the mail before it gets as far as your RBL checks in postfix. At
least then you could save a bunch of hits against Spamhaus and reject
the mail as early as possible in the smtp process.




and even return a 421 so that the connection is closed immediately.
  

421 or 554?
I think 554 is the smtp server default code.


Re: How do i block email with a domain in a message like this?

2008-10-16 Thread Randy

McDonald, Dan wrote:

On Thu, 2008-10-16 at 08:02 -0700, linuxbox wrote:
  
Hello there.  I have a problem with blocking an email with spamassassin. 
normally when i want to block a domain in an email, be it html or plain text

i would have a rule such as this, and this works perfectly:

rawbody spam_domains /blockeddomain\.com/i
score spam_domains 20



Why not use a uri rule instead of rawbody?  That way, it doesn't matter
how they encode it...

uri spam_domains /blockeddoamin\.com/i
score spam_domains 20


  
If you need to block a domain from sending e-mail, then use the mail 
server to handle it. It is better to block messages from even getting to 
your filtering applications.


Randy Ramsdell
Foreclosure.com


Re: How do i block email with a domain in a message like this?

2008-10-16 Thread Randy

John Hardin wrote:

On Thu, 16 Oct 2008, Randy wrote:


McDonald, Dan wrote:

On Thu, 2008-10-16 at 08:02 -0700, linuxbox wrote:

> rawbody spam_domains /blockeddomain\.com/i

uri spam_domains /blockeddoamin\.com/i


If you need to block a domain from sending e-mail, then use the mail 
server to handle it. It is better to block messages from even getting 
to your filtering applications.


How does the MTA block on a domain name _in the message body_ without 
passing it to a filtering application?


Your answer, while valid, isn't germane to the OP's question.

Postfix can do this so my suggestion stands. Look for body_checks in 
Postfix. However, this isn't "germane" if the OP simply chooses to mark 
messages as spam with SpamAssassin. The key word he used was "block" 
and when I read block I look at the MTA.


OP original quote.

"Hello there. I have a problem with blocking an email with spamassassin. 
normally when i want to block a domain in an email, be it html or plain 
text

i would have a rule such as this, and this works perfectly: "



rfc-ignorant spamassassin score

2008-10-17 Thread Randy

Is this really necessary for yahoo.com generated e-mail?

0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-ignorant.org
1.4 DNS_FROM_RFC_WHOIS RBL: Envelope sender in whois.rfc-ignorant.org
1.7 DNS_FROM_RFC_POST RBL: Envelope sender in postmaster.rfc-ignorant.org

RCR


Re: rfc-ignorant spamassassin score

2008-10-17 Thread Randy

Michael Scheidell wrote:

Is this really necessary for yahoo.com generated e-mail?

0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-ignorant.org
1.4 DNS_FROM_RFC_WHOIS RBL: Envelope sender in whois.rfc-ignorant.org
1.7 DNS_FROM_RFC_POST RBL: Envelope sender in postmaster.rfc-ignorant.org




Run sa-update on recent versions of SA and it will automatically drop those
scores.

Long time ago, in a land far away, GOOD site admins actually had working
abuse@ and postmaster@ addresses.

Long ago, ICANN used to delist domains that had broken or unreachable whois
contact information.

So, long ago, ignorant, stupid or lazy was a good indication of spam
sources.
Today, it indicates yahoo.com.


  

Thanks! And so true. Nice way to put it too.

RCR



Re: had it with spaces spam and idiots at hotmail

2008-10-29 Thread Randy

Michael Scheidell wrote:
I have had it with spaces live random url spam.  we get thousands of 
them, most from zombots, and idiots at hotmail want a valid live 
account to process the complaint"


"Thank you for reporting spam to the Windows Live Hotmail Support 
Team. This is an auto-generated response to inform you that we have 
received your submission. Please note that you will not receive a 
reply if you respond directly to this message.
Unfortunately, in order to process your request, Hotmail Support needs 
a valid Windows Live Hotmail hosted account."




this looks for it, assigns some reasonable scores, and if (add your 
favorite shortcut) bumps it up another 5.


# the stray "$" after the closing regex delimiter would break the rule; it belongs inside or not at all
uri ST_SPACES   /\.spaces\.live\.com/
score   ST_SPACES 5 3 4 2

meta ST_SPACES_BUMP (ST_SPACES && (RCVD_IN_BL_SPAMCOP_NET || 
RCVD_IN_XBL || RCVD_IN_BL_SPAMCOP_NET || DCC_CHECK))

tflags ST_SPACES_BUMP net
score ST_SPACES_BUMP 5



We are receiving lots of this. Also look out for the university degree 
spam which seems new and using botnet.


Randy Ramsdell


Re: why is this message hitting URIBL_BLACK ...

2008-10-29 Thread Randy

Claudia Burman wrote:

...if the URI is not listed in www.uribl.com ?

Return-Path: <[EMAIL PROTECTED]>
Received: from [...] (sending to my server)
Received: from pikachu.nic.ar (unknown [140.191.48.11])
by maderna.nic.ar (Postfix) with ESMTP id 83E07D7049;
Wed, 29 Oct 2008 12:23:19 -0200 (ARST)
Received: by pikachu.nic.ar (Postfix, from userid 2)
id 0C59B17873; Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
Subject: Solicitud de Modificacion de Datos de .com.ar Recibida
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Date: Wed, 29 Oct 2008 12:23:18 -0200 (ARST)
X-Virus-Scanned: amavisd-new at x.com
X-Spam-Status: Yes, score=6.469 required=5 
tests=[DNS_FROM_RFC_ABUSE=0.479,
DNS_FROM_RFC_POST=1.44, EXCLAMACION_ES=1, NO_REAL_NAME=0.55, 
URIBL_BLACK=3]

X-Spam-Score: 6.469
X-Spam-Level: **
X-Spam-Flag: YES



Another message from the same domain doesn't hit the rule

Return-Path: <[EMAIL PROTECTED]>
Received: from [...] (sending to my server, same route)
Received: from pikachu.nic.ar (unknown [140.191.48.11])
by maderna.nic.ar (Postfix) with ESMTP id 4DDD3D70A4;
Wed, 29 Oct 2008 13:22:41 -0200 (ARST)
Received: by pikachu.nic.ar (Postfix, from userid 2)
id 1E9C917873; Wed, 29 Oct 2008 13:22:41 -0200 (ARST)
Subject: Solicitud de Renovacion de .net.ar Recibida
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Date: Wed, 29 Oct 2008 13:22:41 -0200 (ARST)
X-Virus-Scanned: amavisd-new at .com
X-Spam-Status: No, score=3.469 required=5 
tests=[DNS_FROM_RFC_ABUSE=0.479,

DNS_FROM_RFC_POST=1.44, EXCLAMACION_ES=1, NO_REAL_NAME=0.55]
X-Spam-Score: 3.469
X-Spam-Level: ***


I am using spamassassin through amavis and rules where updated last week.
And no, it was not delisted in the last our, the same happened a 
couple of hours ago with two messages from the same place


Thanks
Claudia Burman
Argentina

Could it have been listed then removed?


Re: Phishing rules?

2008-10-30 Thread Randy

Micah Anderson wrote:

I keep getting hit by phishing attacks, and they aren't being stopped by
anything I've thrown up in front of them:

postfix is doing:
reject_rbl_client   b.barracudacentral.org,
reject_rbl_client   zen.spamhaus.org,
reject_rbl_client   list.dsbl.org,

I've got clamav pulling signatures updated once a day from sanesecurity
(phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
securesiteinfo) and Malware Black List, MSRBL (images, spam).

I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
pulls in the 25_uribl.cf automatically, right? Or do I need to configure
that? if its automatic, that pulls in SURBL phishing). I've got Botnet
setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the
hashcash, and SPF plugins loaded, imageinfo, pretty much everything I
can think ofbut for some reason phishing attempts keep getting
through.

Sadly, I do not have an example I can share at the moment, as I
typically delete them in a rage after training my bayes filter on
them. However, I am looking for any suggestions of other things I can
turn on... in particular, are there rules that people have created that
look for certain keywords where the body is asking for your
account/password information?

Thanks for any ideas,
micah

  
Report these and maybe they will add something that catches them. If one 
wanted to, they can get any mail the want through your filters if they 
are good and don't use things that trigger the rules.


appriver.com backscatter

2008-11-13 Thread Randy

Appriver.com, an e-mail filtering company, sends backscatter or it sure appears 
so.


-- Forwarded Message
From: <[EMAIL PROTECTED]>
Date: Thu, 13 Nov 2008 08:22:41 -0500
To: <[EMAIL PROTECTED]>
Subject: WARNING. Mail Delayed: Lose 20 pounds in 3 weeks!!!

This is a warning message only.
 Your message remains in the server queue,
 the server will try to send it again.
 You should not try to resend your message now.


Message delivery to '[EMAIL PROTECTED]' delayed
SMTP module(domain [66.236.24.150]) reports:
No SMTP prompt at the host

Reporting-MTA: dns; server115.appriver.com

Original-Recipient: rfc822;<[EMAIL PROTECTED]>
Final-Recipient: rfc822;<[EMAIL PROTECTED]>
Action: delayed
Status: 4.0.0
Received: from [10.238.9.1] (HELO inbound.appriver.com)
 by server115.appriver.com (CommuniGate Pro SMTP 5.2.9)
 with ESMTP id 441395662 for [EMAIL PROTECTED]; Thu, 06 Nov 2008
16:34:46 -0500
Received: from host150-43-dynamic.33-79-r.retail.telecomitalia.it
([79.33.43.150] verified)
 by inbound.appriver.com (CommuniGate Pro SMTP 5.1.7)
 with ESMTP id 145588314 for [EMAIL PROTECTED]; Thu, 06 Nov 2008
16:34:46 -0500
Message-ID: <[EMAIL PROTECTED]>
From: "Lose 20 pounds in 3 weeks" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Lose 20 pounds in 3 weeks!!!
Date: Thu, 06 Nov 2008 19:47:31 +
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_0007_01C94057.02EC986A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

-- End of Forwarded Message




Re: New spam-to me-and how do I stop.

2009-01-06 Thread Randy

Craig wrote:

Hello All-
 
I have recently been getting MANY spam slipping through Spamassassin 
and I am looking for help on how to stop.  I have used Spamassassin 
with Bayes successfully for many years now and once I train the system 
on new spam, the system does an excellent job of stopping. These 
messages are very short and include a link.  The subject is usually 
regarding watches, or are thinly disguised viagra ads. Many are sent 
from aim.com. Below is header info and below that is the Spamassassin 
output of an email that has slipped through. 



 0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
[score: 0.5000]

Content analysis details:   (3.3 points, 5.0 required)

Train the messages as spam with sa-learn which should add 3.5 to the score.

3.5+3.3=6.8
6.8 > 5.0 = spam




Re: New spam-to me-and how do I stop.

2009-01-06 Thread Randy

Craig wrote:



>>> Randy  1/6/2009 2:18 PM >>>
Craig wrote:
> Hello All-
> 
> I have recently been getting MANY spam slipping through Spamassassin

> and I am looking for help on how to stop.  I have used Spamassassin
> with Bayes successfully for many years now and once I train the system
> on new spam, the system does an excellent job of stopping. These
> messages are very short and include a link.  The subject is usually
> regarding watches, or are thinly disguised viagra ads. Many are sent
> from aim.com Below is header info and below that is the Spamassassin
> output of an email that has slipped through.
>
>
>  0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
> [score: 0.5000]
Content analysis details:   (3.3 points, 5.0 required)

Train the messages as spam with sa-learn which should add 3.5 to the 
score.


3.5+3.3=6.8
6.8 > 5.0 = spam
 
thanks for your quick reply-
 
You are correct if I teach the system this email it will score as 
spam.  But, I have trained a lot of spam over the last 2 weeks that 
are very similar to this one and unfortunately the new messages are 
getting through.


Post 3 similar messages on pastebin so that we can determine a common 
factor between them. Use pastebin, not this list, to post the messages.


Re: New spam-to me-and how do I stop.

2009-01-08 Thread Randy

Matus UHLAR - fantomas wrote:

On 07.01.09 11:46, Craig wrote:
  

X-Mailer: Novell GroupWise Internet Agent 7.0.2 HP



  

Randy  1/6/2009 2:42 PM >>>
  
Post 3 similar messages on pastbin so that we can determine a common 
factor between them. Use pastbin, not this list to post the message.



  

I have 3 messages posted at pastebin.com under the user craig.
 
Thanks.



Please, quote content you are replying to, so we can differ between text
written by you and others.

  
I briefly looked for this and can't find the 3 messages. I think 
posting a link may help.


Re: Novice Installation Help

2009-01-08 Thread Randy

dave_c00 wrote:

I dont have any package manager... The people we rent the server from are
absolutely useless and provide no help unless you pay them a small fortune.
My server details are as follows:
Linux 2.6.22-8-server i686 GNU/Linux
Perl 5.8
Spamassassin 3.2.5
 
I may appear thick but when it comes to Linux I am completely lost...


I think I am using qmail if that helps but am unsure as to how to find out
what mail system I am using...?

Can I use CPAN to install it? 



  

Try these commands and report back what the results are.

zypper search spamassassin
yum search spamassassin

These are 2 package managers that may work for CentOS, SUSE and Red Hat. 
If you are running Linux, there IS a package manager installed. We 
simply need to figure out which one. It would help if you know the flavor of 
Linux you are using. I know the hosting company does because they 
probably asked which distro you want to use.


rcr


SA timeout

2009-01-13 Thread Randy

Hi,

Mail occasionally slows down here and the main issue we see is very 
long SA checks and SA TIMEOUTS. This forces us to drop the size of mail we 
scan and restart Amavis and SpamAssassin, otherwise the queues will grow 
into the thousands. Also note that the Amavis daemons will be running at 
100% or so during this. I have included a sampling of our logs and 
wanted to see what people thought as to possible problems or solutions 
for this. What information should I add to help diagnose this problem?


Spamassassin v. 3.1.8
We do have network checks on to catch embedded urls which catches a 
large number of spam messages.




This is a normal, for us, timing log. Is 1193 ms slow as a norm?

Jan 12 18:22:10 atl02010303 amavis[24952]: (24952-08) TIMING [total 1193 
ms] - SMTP EHLO: 2 (0%)0, SMTP pre-MAIL: 0 (0%)0, SMTP pre-DATA-flush: 1 
(0%)0, SMTP DATA: 81 (7%)7, body_digest: 1 (0%)7, gen_mail_id: 0 (0%)7, 
mime_decode: 10 (1%)8, get-file-type2: 10 (1%)9, decompose_part: 1 
(0%)9, parts_decode: 0 (0%)9, AV-scan-1: 7 (1%)9, spam-wb-list: 1 
(0%)10, SA msg read: 1 (0%)10, SA parse: 3 (0%)10, SA check: 926 
(78%)88, update_cache: 1 (0%)88, fwd-connect: 3 (0%)88, fwd-mail-from: 1 
(0%)88, fwd-rcpt-to: 1 (0%)88, write-header: 1 (0%)88, fwd-data: 1 
(0%)88, fwd-data-end: 131 (11%)99, fwd-rundown: 1 (0%)99, 
main_log_entry: 7 (1%)100, update_snmp: 1 (0%)100, unlink-2-files: 1 
(0%)100, rundown: 0 (0%)100 

Shortly after the above we start to see this. 

Jan 12 18:22:49 atl02010303 amavis[25081]: (25081-06) SA TIMED OUT, 
backtrace: at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DBBasedAddrList.pm 
line 165\n\teval {...} called at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DBBasedAddrList.pm 
line 
165\n\tMail::SpamAssassin::DBBasedAddrList::remove_entry('Mail::SpamAssassin::DBBasedAddrList=HASH(0xb118eb4)', 
'HASH(0xb10ca64)') called at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/AutoWhitelist.pm line 
135\n\tMail::SpamAssassin::AutoWhitelist::check_address('Mail::SpamAssassin::AutoWhitelist=HASH(0xb33b358)', 
'newslet...@foreclosure.com', 201.122.43.11) called at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/AWL.pm line 
356\n\teval {...} called at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/AWL.pm line 
352\n\tMail::SpamAssassin::Plugin::AWL::check_from_in_auto_whitelist('Mail::SpamAssassin::Plugin::AWL=HASH(0xa012814)', 
'Mail::SpamAssassin::PerMsgStatus=H...


This is an example TIMING during the problem. 
   
Jan 12 18:22:51 atl02010303 amavis[25149]: (25149-01) TIMING [total 
29310 ms] - SMTP EHLO: 4 (0%)0, SMTP pre-MAIL: 0 (0%)0, mkdir tempdir: 0 
(0%)0, create email.txt: 0 (0%)0, SMTP pre-DATA-flush: 2 (0%)0, SMTP 
DATA: 77 (0%)0, body_digest: 1 (0%)0, gen_mail_id: 0 (0%)0, mkdir parts: 
0 (0%)0, mime_decode: 12 (0%)0, get-file-type2: 11 (0%)0, 
decompose_part: 1 (0%)0, parts_decode: 0 (0%)0, AV-scan-1: 8 (0%)0, 
spam-wb-list: 2 (0%)0, SA msg read: 1 (0%)0, SA parse: 2 (0%)0, SA 
check: 29062 (99%)100, update_cache: 1 (0%)100, fwd-connect: 4 (0%)100, 
fwd-mail-from: 0 (0%)100, fwd-rcpt-to: 1 (0%)100, write-header: 1 
(0%)100, fwd-data: 1 (0%)100, fwd-data-end: 105 (0%)100, fwd-rundown: 1 
(0%)100, main_log_entry: 9 (0%)100, update_snmp: 1 (0%)100, 
unlink-2-files: 1 (0%)100, rundown: 0 (0%)100


Another example.
   
Jan 12 18:23:21 atl02010303 amavis[25149]: (25149-01-2) TIMING [total 
30040 ms] - SMTP pre-DATA-flush: 1 (0%)0, SMTP DATA: 39 (0%)0, 
body_digest: 1 (0%)0, gen_mail_id: 0 (0%)0, mime_decode: 5 (0%)0, 
get-file-type1: 9 (0%)0, parts_decode: 0 (0%)0, AV-scan-1: 6 (0%)0, 
spam-wb-list: 1 (0%)0, SA msg read: 1 (0%)0, SA parse: 2 (0%)0, SA 
check: 29874 (99%)100, update_cache: 2 (0%)100, post-do_spam: 1 (0%)100, 
fwd-connect: 5 (0%)100, fwd-mail-from: 1 (0%)100, fwd-rcpt-to: 1 
(0%)100, write-header: 1 (0%)100, fwd-data: 1 (0%)100, fwd-data-end: 79 
(0%)100, fwd-rundown: 1 (0%)100, main_log_entr
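When hunting a slowdown like this, the useful thing to do with the amavisd-new TIMING lines is to pull out the "SA check" stage per message and flag the ones where it dominates, and to record where each "SA TIMED OUT" backtrace lands. The following Python is an added example for the log format quoted above (not amavisd or SpamAssassin code); the sample lines are abbreviated, constructed versions of the ones in the post, and the 10000 ms / 90% thresholds are assumptions.

```python
"""Parse amavisd-new TIMING lines and SA TIMED OUT backtraces.
Added example; sample log lines are constructed (abbreviated from the thread)."""
import re

TIMING_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\w-]+)\) TIMING \[total (?P<total>\d+) ms\] - (?P<stages>.*)$")
# one stage looks like "SA check: 926 (78%)88": ms, percent of total, cumulative percent
STAGE_RE = re.compile(r"^(?P<stage>.+?): (?P<ms>\d+) \((?P<pct>\d+)%\)(?P<cum>\d+)$")
TIMEOUT_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\w-]+)\) SA TIMED OUT, backtrace: at (?P<path>\S+) line (?P<line>\d+)")

SAMPLE_LOG = [
    # constructed: the "normal" line, most stages dropped for brevity
    "Jan 12 18:22:10 atl02010303 amavis[24952]: (24952-08) TIMING [total 1193 ms] - "
    "SMTP EHLO: 2 (0%)0, SMTP DATA: 81 (7%)7, AV-scan-1: 7 (1%)9, SA check: 926 (78%)88, "
    "fwd-data-end: 131 (11%)99, rundown: 0 (0%)100",
    # constructed: a timeout whose backtrace starts in the AWL's DB-backed address list
    "Jan 12 18:22:49 atl02010303 amavis[25081]: (25081-06) SA TIMED OUT, backtrace: at "
    "/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DBBasedAddrList.pm line 165",
    # constructed: the line from during the problem, again abbreviated
    "Jan 12 18:22:51 atl02010303 amavis[25149]: (25149-01) TIMING [total 29310 ms] - "
    "SMTP EHLO: 4 (0%)0, SMTP DATA: 77 (0%)0, AV-scan-1: 8 (0%)0, SA check: 29062 (99%)100, "
    "fwd-data-end: 105 (0%)100, rundown: 0 (0%)100",
]


def parse_timing(line):
    """Return {'id', 'total_ms', 'stages': {name: (ms, pct)}} or None for non-TIMING lines."""
    m = TIMING_RE.search(line)
    if not m:
        return None
    stages = {}
    for item in m.group("stages").split(", "):
        s = STAGE_RE.match(item.strip())
        if s:
            stages[s.group("stage")] = (int(s.group("ms")), int(s.group("pct")))
    return {"id": m.group("id"), "total_ms": int(m.group("total")), "stages": stages}


def sa_check_alerts(lines, max_ms=10000, max_pct=90):
    """Messages whose SA check stage was too slow or too dominant (assumed thresholds)."""
    alerts = []
    for line in lines:
        rec = parse_timing(line)
        if rec is None:
            continue
        ms, pct = rec["stages"].get("SA check", (0, 0))
        if ms >= max_ms or pct >= max_pct:
            alerts.append((rec["id"], ms, pct))
    return alerts


def sa_timeouts(lines):
    """(message id, SpamAssassin module, line) for every SA TIMED OUT backtrace."""
    found = []
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if m:
            module = m.group("path").split("Mail/SpamAssassin/")[-1]
            found.append((m.group("id"), module, int(m.group("line"))))
    return found


if __name__ == "__main__":
    for rec in map(parse_timing, SAMPLE_LOG):
        if rec:
            print(rec["id"], rec["total_ms"], "ms total; SA check:", rec["stages"]["SA check"])
    print("slow SA checks:", sa_check_alerts(SAMPLE_LOG))
    print("timeouts:", sa_timeouts(SAMPLE_LOG))
```

Run over a real log, the alert list separates the 1193 ms baseline from the ~29 s messages, and the timeout list shows which module the scan was stuck in. In the backtrace quoted above that is DBBasedAddrList.pm called from AutoWhitelist.pm and Plugin/AWL.pm, so the AWL's DB-backed address list is the first thing to inspect.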

Re: more habeas spam

2009-01-15 Thread Randy

Neil Schwartzman wrote:

On 2009-01-06 22:19:39 GMT LuKreme  kreme.com> wrote:
 
  

If you want the real history of Habeas in a nutshell, the company went
to hell when Anne Mitchell left (the same Anne Mitchell who was part
of MAPS back in the day).  She's now at the Institute for Spam and
Internet Public Policy. What habeas
became after she left was something quite different from what it had
been under her stewardship.



Hi there.
 
I was there too! (Habeas employee #3).
 
Habeas is no more, we (Return Path) bought them last August.

http://www.returnpath.net/blog/2008/08/return-path-to-acquire-habeas.php
 
To address a couple of issues raised here ...
 
We have only just begun doing compliance work on Safelist. SA scoring is, of
course, your server, your SpamAssassin rules. I can't speak to what went on
in the past but it is a new day for Habeas clients. We will be applying
programme standards compliance in the same firm, even-handed manner as we do
Sender Score Certified.
 
If you are presently dissatisfied with the standardized scoring and have
re-weighted, please consider keeping an eye on our performance via the QA
tests Justin made note of, and your own views.
 
As to the complaint submission issues noted here are concerned, the best
point of contact moving forward for SA users would be
sa-ab...@senderscorecertified.com (please don't use my personal address as I
travel frequently, and our Standards team see stuff sent to this alias in
our ticketing queue). Please be sure to make note of the issue being
Safelist or Sender Score Certified, preferably in the subject line.
 
We acknowledge that there may be some suboptimal hotspots, and we welcome
any data points you can provide. I do want to let you know that given the
immense amount of work ahead of us, (we are working towards systems
integration which is an non-trivial task, along with getting up to speed on
existing clients and issues), responses and actions taken may require a
longer-turn around time than is our intended end-point.
 
What I can say is that we have a proven track-record (BondedSender -> Sender
Score Certified) and so your patience and help during this transition period
is much appreciated.

  
Yep, I would say some spam is HABEAS_ACCREDITED_SOI. I would call these 
1/2 spammers because some of their stuff is legit (Headers, Sent via 
Legit mail server, etc ...) :)


Return-Path: 
X-Original-To: u...@address.com
Delivered-To: u...@address.com
Received: from localhost (localhost [127.0.0.1])
by mail1.livedatagroup.com (Postfix) with ESMTP id 681F6146C6A
for ; Thu, 15 Jan 2009 13:37:17 -0500 (EST)
Received: from mail1.livedatagroup.com ([an ip address])
by localhost (mail1.livedatagroup.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 04245-08 for ;
Thu, 15 Jan 2009 13:37:16 -0500 (EST)
Received: from mta27br.cmpgnr.com (mta27br.cmpgnr.com [216.24.228.27])
by mail1.livedatagroup.com (Postfix) with SMTP id CB0F3B602C
for ; Thu, 15 Jan 2009 13:37:15 -0500 (EST)
Message-ID: <11981478.1232044625948.kadasegment.23...@mta27br.cmpgnr.com>
Date: Thu, 15 Jan 2009 13:37:05 -0500 (EST)
From: SanNas Times Webinar Series 
Reply-To: "SanNas Times Webinar Series" 

To: itst...@livedatagroup.com
Subject: Data Deduplication Demystified
Errors-To: gotb1394501_1393170_920385_1617844...@cmpgnr.com
Mime-Version: 1.0
X-Campaign: 1394501.1393170.920385.1617844263
Bounces-To: gotb1394501_1393170_920385_1617844...@cmpgnr.com
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: amavisd-new at livedatagroup.com
X-Spam-Status: No, score=-4.673 tagged_above=- required=5
tests=[BAYES_20=-0.74, HABEAS_ACCREDITED_SOI=-4.3, HTML_MESSAGE=0.001,
HTML_TEXT_AFTER_BODY=0.115, MIME_HTML_ONLY=0.001, URIBL_GREY=0.25]
X-Spam-Score: -4.673





Re: Flooded by a SPAM always containing the same picture

2009-05-05 Thread Randy

Adam Cécile (Le_Vert) wrote:

Hello,

Both my personal and pro. emails get this stupid spam.
Here is the image: http://dedibox.le-vert.net/divers/DSC.png

Are there any rules that can block it? It seems the picture is always 
the same.


Thanks in advance,

Regards, Adam.

You may be flooded now as we were, but these emails should be caught 
soon. Most of the ips/domains for this spam are listed in BL and score 
well into the 30s now. We received these for a day or two. All are 
caught now and I don't think you need fuzzyOCR or any custom rules for 
these. Maybe a custom URI rule for the first day or two.


Re: Flooded by a SPAM always containing the same picture

2009-05-05 Thread Randy

Charles Gregory wrote:


Just a quick question:

I'm noticing that these 'png' spams don't have a text section, or any 
message body text, and yet my SA does not trigger on any 'message does 
not contain text' rules? I've seen rules trigger when messages are a 
high percentage of image versus text, but why no hits when 100% image?


- Charles

These hit the EMPTY_MESSAGE rule for me.


Re: Flooded by a SPAM always containing the same picture

2009-05-05 Thread Randy

Adam Cécile (Le_Vert) wrote:

RW a écrit :

On Tue, 5 May 2009 14:44:29 +0200
Matus UHLAR - fantomas  wrote:

 

On 05.05.09 14:16, "Adam Cécile (Le_Vert)" wrote:
   

Both my personal and pro. emails get this stupid spam.
Here is the image: http://dedibox.le-vert.net/divers/DSC.png

Are there any rules that can block it? It seems the picture is
always the same.
  

OCR module like FuzzyOCR should catch that. I just fed the image to
gocr, ocrad and tesseract (OCRs I've found in debian) and all of
them were able to catch at least the "VIAGRA HOT OFFER" (gocr was the
best at that).

However you will apparently need SA from SVN...



I think it's supposed to be the other way around - according to the
FuzzyOCR site you need the development version of the plug-in for
recent versions of SA.

However I've tried the  p5-FuzzyOcr and p5-FuzzyOcr-devel ports in
FreeBSD, both of which are pretty old, 2.3b and 3.4.2, and they work
for me, at least with a few test messages. I have seen SA die quite a
lot with SIGPIPE, but that happens anyway (I think due to razor) so
I'm not really sure about whether FuzzyOcr is flaky. It always seems
to work on the next attempt.
  

Hello,

Thanks for all your replies. I was working on it at work and figured 
out that fuzzyocr is now included in debian testing/sid.
A quick backport for stable (no changes needed, only rebuild) later, I 
had the package installed on my MTAs and this stupid SPAM gets +10 
from FuzzyOCR.
No additional configuration is required, just install the package (I 
added gocr and ocrad too) and restart amavis.


Awesome!

Adam.

This spam is fly-by-night and you won't receive this after a week or so. 
It is the same spammer sending spam of the form:


$SOME LONG SENTENCE THE SPAMMER DECIDED LOOKED GOOD.
$WEB_LINK

I guess the OCR thing will catch it but overkill for the time this is 
spam. Also BOTNET / EMPTY_MESSAGE / SORBS / BAYES / DATE_IN_FUTURE / PBL 
all trigger on this spam.


FW: Bit OT but it's about SPAM

2007-10-17 Thread Diffenderfer, Randy

Well, as we say here in Detroit, YMMV.

We have several customers who have "Ivory" status, >99.44% pure ...
spam!

The spam is out there.  Be happy(ier) if you are only at 70-80% ... :-)

rnd

-Original Message-
From: Bart Schaefer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 17, 2007 11:58 AM
To: users@spamassassin.apache.org
Subject: Re: Bit OT but it's about SPAM

On 10/17/07, Tom Ray <[EMAIL PROTECTED]> wrote:
> I just thought if anyone hasn't read it yet, this article might be 
> interesting to many of you. According to this report SPAM has now 
> reached being 95% of all email.

This is hyperbole.

What it really means is that 95% of the mail processed by someone's
commercial spam filter has been classified, possibly incorrectly, as
spam.  The rates are much lower (though still too high for comfort) if
false positives are accounted for.

See, for example:  http://www.bcs.org/server.php?show=conWebDoc.14617


Manuel check vs. auto

2007-12-13 Thread Randy Ramsdell

Hi,

I have been doing some checking of spam messages that make it through our 
mail filtering systems and noticed that the spam score does not reflect 
what I get when checking manually.


An example spam report:

X-Spam-Status: No, score=3.068 tagged_above=- required=5
tests=[BAYES_50=0.001, HELO_DYNAMIC_DHCP=3.066, HTML_MESSAGE=0.001]
X-Spam-Score: 3.068



But when using "spamassassin -D -lint < $message" it hits more rules:

Content analysis details:   (12.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.1 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)
 2.0 TVD_FUZZY_DEGREE       BODY: TVD_FUZZY_DEGREE
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [41.212.143.24 listed in zen.spamhaus.org]
 0.0 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [41.212.143.24 listed in zen.spamhaus.org]

That is a big difference!

Any ideas about why this is?

Thanks,
Randy Ramsdell




Re: Manuel check vs. auto

2007-12-13 Thread Randy Ramsdell

Theo Van Dinter wrote:

On Thu, Dec 13, 2007 at 11:29:21AM -0500, Randy Ramsdell wrote:
  
I have been doing some checking of spam messages that make it through our 
mail filtering systems and noticed that the spam score does not reflect 
what I get when checking manually.


An example spam report:
X-Spam-Status: No, score=3.068 tagged_above=- required=5
tests=[BAYES_50=0.001, HELO_DYNAMIC_DHCP=3.066, HTML_MESSAGE=0.001]
X-Spam-Score: 3.068

But when using "spamassassin -D -lint < $message" it hits more rules:


[...]
  

 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 0.0 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL

That is a big difference!
Any ideas about why this is?



It appears that the first results are a) using a different Bayes DB,
and b) not using network tests (aka: local mode).

  


This is a log message from our server which shows it checks 
sbl-xbl.spamhaus.org and rejects the message. Also it is using a different 
bayes and I am not sure about that either. Actually I think I do and 
will check, but it looks like I need to sort out some things here.


postfix/smtpd[10855]: NOQUEUE: reject: RCPT from 
acd34.internetdsl.tpnet.pl[83.16.55.34]: 554 Service unavailable; Client 
host [83.16.55.34] blocked using sbl-xbl.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=83.16.55.34; 
from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> 
proto=ESMTP helo=





Re: Manuel check vs. auto

2007-12-13 Thread Randy Ramsdell

Randy Ramsdell wrote:

Theo Van Dinter wrote:

On Thu, Dec 13, 2007 at 11:29:21AM -0500, Randy Ramsdell wrote:
 
I have been doing some checking of spam messages that make it through our 
mail filtering systems and noticed that the spam score does not 
reflect what I get when checking manually.


An example spam report:
X-Spam-Status: No, score=3.068 tagged_above=- required=5
tests=[BAYES_50=0.001, HELO_DYNAMIC_DHCP=3.066, HTML_MESSAGE=0.001]
X-Spam-Score: 3.068

But when using "spamassassin -D -lint < $message" it hits more rules:


[...]
 
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 0.0 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL

That is a big difference!
Any ideas about why this is?



It appears that the first results are a) using a different Bayes DB,
and b) not using network tests (aka: local mode).

  


This is a log message from our server which shows it checks 
sbl-xbl.spamhaus.org and rejects the message. Also it is using a 
different bayes and I am not sure about that either. Actually I think 
I do and will check, but it looks like I need to sort out some things 
here.


postfix/smtpd[10855]: NOQUEUE: reject: RCPT from 
acd34.internetdsl.tpnet.pl[83.16.55.34]: 554 Service unavailable; 
Client host [83.16.55.34] blocked using sbl-xbl.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=83.16.55.34; 
from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> 
proto=ESMTP helo=



Correction.

1. Obviously the log above was from postfix and not spamassassin and 
spamassassin is probably set up for local only! But this leads to an 
interesting question. How would postfix "sbl-xbl" checks miss this and 
spamassassin not? It does appear as if that is the case.


2. The bayes are different as one was root and the other was the user 
that spamassassin runs as. The root bayes seems much better for this 
particular e-mail. Is it recommended to swap these databases as I 
believe some learning was done as the wrong user?





Re: Manuel check vs. auto

2007-12-13 Thread Randy Ramsdell

Richard Frovarp wrote:

Randy Ramsdell wrote:

Randy Ramsdell wrote:

Theo Van Dinter wrote:

On Thu, Dec 13, 2007 at 11:29:21AM -0500, Randy Ramsdell wrote:
 
I have been doing some checking of spam messages that make it through 
our mail filtering systems and noticed that the spam score does 
not reflect what I get when checking manually.


An example spam report:
X-Spam-Status: No, score=3.068 tagged_above=- required=5
tests=[BAYES_50=0.001, HELO_DYNAMIC_DHCP=3.066, HTML_MESSAGE=0.001]
X-Spam-Score: 3.068

But when using "spamassassin -D -lint < $message" it hits more rules:


[...]
 
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 0.0 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL

That is a big difference!
Any ideas about why this is?



It appears that the first results are a) using a different Bayes DB,
and b) not using network tests (aka: local mode).

  


This is a log message from our server which shows it checks 
sbl-xbl.spamhaus.org and rejects the message. Also it is using a 
different bayes and I am not sure about that either. Actually I 
think I do and will check, but it looks like I need to sort out some 
things here.


postfix/smtpd[10855]: NOQUEUE: reject: RCPT from 
acd34.internetdsl.tpnet.pl[83.16.55.34]: 554 Service unavailable; 
Client host [83.16.55.34] blocked using sbl-xbl.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=83.16.55.34; 
from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> 
proto=ESMTP helo=



Correction.

1. Obviously the log above was from postfix and not spamassassin and 
spamassassin is probably set up for local only! But this leads to an 
interesting question. How would postfix "sbl-xbl" checks miss this 
and spamassassin not? It does appear as if that is the case.




Postfix is looking at the connecting host. SA is looking in all the 
untrusted RCVD lines. Hence the rule name RCVD_IN_


Yep thanks.
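Richard's distinction above (the MTA's RBL check sees only the connecting client, while SA's RCVD_IN_* rules walk every untrusted Received hop) as an added Python example; it is not code from the thread, from SpamAssassin or from Postfix. The hostnames, addresses, the trusted network and the blocklist set are constructed so it runs offline.

```python
import re
import ipaddress

# Constructed sample headers (RFC 5737 documentation addresses, not real hosts).
# The message reached our MTA via an internal relay, so the connecting host the
# MTA's RBL lookup sees is 192.0.2.10; the originating host 198.51.100.77 is two
# hops back in the chain.
SAMPLE_HEADERS = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTP id ABC123
\tfor <user@example.com>; Thu, 13 Dec 2007 11:20:01 -0500 (EST)
Received: from gw.example.net (gw.example.net [192.0.2.20])
\tby relay.example.net (Postfix) with ESMTP id DEF456;
\tThu, 13 Dec 2007 11:19:58 -0500 (EST)
Received: from dsl-host.example.org (dsl-host.example.org [198.51.100.77])
\tby gw.example.net (Postfix) with SMTP id GHI789;
\tThu, 13 Dec 2007 11:19:55 -0500 (EST)
Subject: constructed sample
"""

# Constructed stand-in for a DNSBL such as zen.spamhaus.org: a local set
# instead of a DNS query, so nothing leaves the machine.
LISTED = {"198.51.100.77"}

# Networks this site operates itself; plays the role of SA's trusted_networks.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]

RECEIVED_IP = re.compile(
    r"^Received: from \S+ \([^)]*\[(\d+\.\d+\.\d+\.\d+)\]\)", re.M)


def unfold(headers):
    """Join RFC 5322 folded continuation lines back onto their header line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def received_ips(headers):
    """IPs of the 'from' host in each Received header, newest hop first."""
    return RECEIVED_IP.findall(unfold(headers))


def connecting_host(headers):
    """The single IP an MTA-side RBL check (e.g. a Postfix client restriction)
    can look at: the client that opened the SMTP session to our server."""
    ips = received_ips(headers)
    return ips[0] if ips else None


def untrusted_relays(headers, trusted=TRUSTED):
    """Walk the chain newest-first; hops inside trusted networks are skipped
    until the first untrusted relay, which is returned together with every
    earlier hop. This is the set SA's RCVD_IN_* rules draw their IPs from
    (some SA rules deliberately look only at the first untrusted hop)."""
    ips = received_ips(headers)
    for i, ip in enumerate(ips):
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ips[i:]
    return []


def mta_check(headers, listed=LISTED):
    """Listed IPs an MTA-side check of only the connecting host would find."""
    ip = connecting_host(headers)
    return [ip] if ip in listed else []


def sa_style_check(headers, listed=LISTED, trusted=TRUSTED):
    """Listed IPs an SA-style check of all untrusted relays would find."""
    return [ip for ip in untrusted_relays(headers, trusted) if ip in listed]


if __name__ == "__main__":
    print("MTA sees:", mta_check(SAMPLE_HEADERS))
    print("SA sees: ", sa_style_check(SAMPLE_HEADERS))
```

With an empty trusted list every hop is untrusted, which is why a wrong or missing trusted_networks makes SA check (and sometimes wrongly list) your own relays.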



Re: FORGED_YAHOO_RCVD

2008-01-02 Thread Randy Ramsdell

Loren Wilton wrote:

score FORGED_YAHOO_RCVD 0

   Loren


Ok, thanks, turning it off works. Should I edit the *.cf files, or is there 
another way to turn it off instead of setting things up so updates kill 
off the setting? Anyway, I would think the rule is useful to some extent 
and if not, why is it included with spamassassin?


Re: FORGED_YAHOO_RCVD

2008-01-02 Thread Randy Ramsdell

Loren Wilton wrote:
Ok, thanks, turning it off works. Should I edit the *.cf files, or is 
there another way to turn it off instead of setting things up so 
updates kill off the setting? Anyway, I would think the rule is 
useful to some extent and if not, why is it included with spamassassin?


Put it in local.cf.  That is where local adjustments to release rules 
and such should go.


Which version are you running?  I had vaguely thought that this rule 
had been dropped a while ago for poor hitrate, but I may be confusing 
it with some other rules.  There have been problems with both Yahoo 
and AOL changing their configurations enough recently to end up 
getting FPs on these sorts of rules.


As a general thing, rules are added and scored because *at the time 
they are scored* they do well against spam on the test corpuses of 
spam.  That is no guarantee that they will necessarily work for 
someone else with a much different mail stream, although of course we 
all hope that they will turn out fairly well in most cases.  Also, the 
rules did well when they were scored.  Depending on how fast things 
change, they may not do well at all years, months, or possibly even 
weeks later.


If you are not using it, you should look into turning on spamassassin 
updates.  There are updated rule sets available for the more recent 
releases that will change scores and add or subtract rules to match 
the latest corpus characteristics.


   Loren


We are using 3.1.1 ( distro patched ) until we upgrade our servers to a 
newer version.



Thanks,
Randy


Re: New credit card scams .. how to catch these

2008-01-04 Thread Randy Ramsdell

ram wrote:

https://ecm.netcore.co.in/tmp/dinner.eml.txt



The scam works like this:

They send you a mail asking whether you accept credit cards at your
hotel.

They get you to confirm you will accept credit card for payment. Once 
you agree they ask you to bill them extra fictional charges for taxis, 
etc on the card, and then wire transfer back (a portion) of the 
fictional overcharges. The victim thinks he will make some extra free 
money on top of the dinner charges.


The people never show for dinner, and you are out the wire transfer
amount.



And my SA scores nothing on this spam?





Thanks
Ram

  


1. bayes gave it -2.60, so relearn it.
2. Gather a few messages and look for similarities then create a meta 
rule that will match those and only those.
3. Since it comes from hotmail, report it. I really don't know how 
responsive they are so YMMV.


Randy Ramsdell


Re: [OT] Yahoo Deferred

2008-02-25 Thread Randy Ramsdell

SM wrote:

At 08:54 25-02-2008, Tony Bunce wrote:

Is anyone else having issues sending mail to Yahoo?


No.

They are returning 421 Message temporarily deferred to every message 
my servers try to send.  My server then retries like it should but 
yahoo never accepts the message, even after a day of retrying.
Google turned up several people having the same issue but no one with 
a solution.  My DSN is right, I have SPF records, and sign outgoing 
messages using DomainKeys.


They are deferring connections from your mail servers due to spam or 
complaints.


Regards,
-sm

Incorrect! They rate limit everyone. If your mail isn't being delayed, 
then you do not send much mail to them. This has been an issue as long 
as I can remember and nothing works to help. Use DKIM/Domain Keys, rotate 
e-mail to different ips, fill out ALL their forms and comply with all 
their rules. This will not put you on their whitelist and they do not 
have a formal feedback loop. I have formally asked that we warn our 
users to not use yahoo email addresses for this reason. As a matter of 
fact, I have been able to work with every other large e-mail provider/ 
ISP (AOL/Comcast/Netzero, etc...) and work out e-mail issues with them. 
I even have several contact numbers directly to the administrators of these 
companies. Yahoo simply sucks in this regard and they have not yet 
figured out a way to properly set up restrictions so bulk e-mailers may 
send e-mail. If you are going to store the largest number of e-mail 
accounts, then you will receive bulk mail.


Randy Ramsdell



Re: [OT] Yahoo Deferred

2008-02-26 Thread Randy Ramsdell

Matt wrote:

Is anyone else having issues sending mail to Yahoo?



Yes.  I have heard using Domainkeys or DKIM helps greatly?  Is that
true?  We have not implemented it yet but do use SPF records which are
much easier to implement with Exim or any MTA and do mostly the same
thing if you ask me.

Matt
  
We use Domainkeys and have used the newer DKIM and spf records and it 
does not work with yahoo.


Re: Email with no "hits" and "required"

2008-02-26 Thread Randy Ramsdell

Massimiliano Marini wrote:

System: Debian with Qmail + QmailScanner + SpamAssassins + ClamAV
Installation: qmailrocks.org

I've updated SA (original from qmailrocks.org 3.0.2) to 3.2.4 
my locale.cf is :


rewrite_header Subject *SPAM*
report_safe 0
required_score 4
required_hits 5
use_bayes 1

Question 1. The email is still tagged like this:

Received: from  ... [snip] ... with qmail-scanner-1.25-st-qms
(clamdscan: 0.83/705. spamassassin: 3.0.2. perlscan: 1.25-st-qms.
^^
I've updated to 3.2.4
spamd -V :
SpamAssassin Server version 3.2.4
  running on Perl 5.8.4

  
I can only guess that you still have two versions of spamassassin 
installed. I would search the disk for multiple copies of 
spamd/spamc/spamassassin and remove the older version. Also remember 
that spamassassin probably runs as non-root or at least, it should.



Question 2. And some email have this tag

X-Spam-Status: No, hits=? required=?

Why?

Cheers
--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
"It's easier to invent the future than to predict it."  -- Alan Kay
  




AWL - BAYES_99/ general questions

2008-02-28 Thread Randy Ramsdell

Hi,

One thing I do not understand regarding AWL and BAYES. When a message is 
reported to me as spam and was not marked as spam, I test it using debug 
before and after sa-learn. Each time I do this, BAYES_99 does hit, but 
they will also include AWL.


1. Does anyone understand why this happens?
2. I also noticed that when using "spamassassin -D" on a message, I 
sometimes see a nice report like below (2nd example) but other times it 
doesn't show the report formatted. Any ideas on this one?


Here are two example spam report headers for the same message.

Before sa-learn:

X-Spam-Status: No, score=3.982 tagged_above=- required=5
tests=[ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841]
X-Spam-Score: 3.982
X-Spam-Level: ***

After sa-learn:

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.1 SUB_HELLO              Subject starts with "Hello"
 0.8 UNDISC_RECIPS          Valid-looking To "undisclosed-recipients"
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 ADVANCE_FEE_1          Appears to be advance fee fraud (Nigerian 419)
-1.2 AWL                    AWL: From: address is in the auto white-list

Thanks,
Randy Ramsdell


Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Randy Ramsdell

Jari Fredriksson wrote:

Hi,

One thing I do not understand regarding AWL and BAYES.
When a message is reported to me as spam and was not
marked as spam, I test it using debug before and after
sa-learn. Each time I do this, BAYES_99 does hit, but
they will also include AWL. 


1. Does anyone understand why this happens?
2. I also noticed that when using "spamassassin -D" on a
message, I sometimes see a nice report like below (2nd
example) but other times it doesn't show report
formatted. Any ideas on this one? 




If I understood you correctly..

In your samples, the first run gets 3.9 points, which is less than needed to 
classify the post as spam. The second run (after the learning) gets 5.2 points, 
which is more than needed to classify the post as spam.

  
No. What I wanted to know is why do messages that are passed through 
sa-learn include AWL as well as BAYES_99. Notice the message did not hit 
AWL initially, but did so after the sa-learn process. Giving a message an 
AWL score of -1.2 and a BAYES score of 3.5 makes them compete with each 
other to mark this message as spam.

Your configuration prints the formatted report only for spam. There is no point 
in delivering reports to users for email which is not spam.

  

Sweet thanks for this.


The limit for spam is 5.0 points (as the report says, 5.0 required), which is 
the default and a pretty good value.




  



Here are two example spam report headers for the
same message. 


Before sa-learn:

X-Spam-Status: No, score=3.982 tagged_above=- required=5
tests=[ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841]
X-Spam-Score: 3.982
X-Spam-Level: ***

After sa-learn:

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.1 SUB_HELLO              Subject starts with "Hello"
 0.8 UNDISC_RECIPS          Valid-looking To "undisclosed-recipients"
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 ADVANCE_FEE_1          Appears to be advance fee fraud (Nigerian 419)
-1.2 AWL                    AWL: From: address is in the auto white-list


Thanks,
Randy Ramsdell





Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Randy Ramsdell

Karsten Bräckelmann wrote:

On Thu, 2008-02-28 at 09:21 -0500, Randy Ramsdell wrote:
  

Hi,

One thing I do not understand regarding AWL and BAYES. When a message is 
reported to me as spam and was not marked as spam, I test is using debug 
before and after sa-learn. Each time I do this, BAYES_99 does hit, but 
they will also include AWL.


1. Does anyone understand why this happens?



AWL is a score averager. SA has seen that sender before.
  http://wiki.apache.org/spamassassin/AutoWhitelist

Run it through SA again, and you will see the AWL score getting closer
to 0, since the score without AWL is constant. The AWL score is
negative, because previous scores have been lower.

  guenther


  
I understand that AWL is averaging what it has seen before and it must 
have seen the message as ham, but why would one have to sa-learn the 
message as spam multiple times? This also means that a system wide 
approach to improving our SPAM effectiveness requires me to parse the AWL 
score after sa-learning the message to determine if I need to run it 
again. This would be a monumental task and very resource intensive. 
Wouldn't a better approach be to set AWL to max positive if I manually 
learn the message as spam? Or is there a way to modify the DB to correct 
the previous AWL hits on this message?
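guenther's explanation of AWL as a score averager, worked through on the numbers from this thread as an added Python example (not code from the thread or from SpamAssassin's AWL plugin). It assumes the adjustment is (mean of the sender's previous scores - this message's pre-AWL score) times auto_whitelist_factor, with the default factor 0.5, and keys the history by sender address only; the real plugin also keys on the originating network.

```python
# Added example: a minimal in-memory model of SpamAssassin's AWL arithmetic.
# Assumed formula (SA default factor 0.5):
#   delta = (mean of previous pre-AWL scores - current pre-AWL score) * factor
# A sender seen for the first time has no history, so there is no AWL hit,
# which is why the "before sa-learn" run in the thread shows no AWL line.

AUTO_WHITELIST_FACTOR = 0.5  # SA's default auto_whitelist_factor


class AutoWhitelist:
    """Constructed stand-in for the AWL database: sender -> (total, count).
    Real SA keys entries on sender plus originating network; this keeps
    the sender only, which is enough to show the averaging."""

    def __init__(self, factor=AUTO_WHITELIST_FACTOR):
        self.factor = factor
        self.entries = {}

    def adjust(self, sender, score):
        """Return the AWL delta for this message, then record its score
        so the next message from the same sender is averaged against it."""
        total, count = self.entries.get(sender, (0.0, 0))
        delta = 0.0 if count == 0 else (total / count - score) * self.factor
        self.entries[sender] = (total + score, count + 1)
        return round(delta, 3)


def simulate(scores, sender="sender@example.test", factor=AUTO_WHITELIST_FACTOR):
    """Feed a sequence of pre-AWL scores through one AWL entry.
    Returns (pre_awl_score, awl_delta, final_score) per run."""
    awl = AutoWhitelist(factor)
    runs = []
    for s in scores:
        d = awl.adjust(sender, s)
        runs.append((s, d, round(s + d, 3)))
    return runs


# Numbers from the thread: 3.982 on the first run (BAYES_60), then 6.4 on
# every later run of the same message once BAYES_99 (3.5) replaces
# BAYES_60 (1.0): 2.1 + 0.8 + 3.5 + 0.0. The AWL line in the thread, -1.2,
# is (3.982 - 6.4) * 0.5 = -1.209, and 6.4 - 1.209 = 5.191 is its "5.2 points".
THREAD_RUNS = [3.982, 6.4, 6.4, 6.4, 6.4]


def converges_toward_zero(runs):
    """True if the AWL delta shrinks in magnitude on every repeated run,
    which is guenther's point: re-running the same message drives AWL to 0."""
    deltas = [abs(d) for _, d, _ in runs[1:]]
    return all(later < earlier for earlier, later in zip(deltas, deltas[1:]))


if __name__ == "__main__":
    for pre, delta, final in simulate(THREAD_RUNS):
        print(f"pre-AWL {pre:5.3f}  AWL {delta:+6.3f}  final {final:5.3f}")
```

The model reproduces the thread's -1.2 and 5.2 exactly, and shows that the AWL correction fades on its own with repeated runs rather than needing further sa-learn passes, since Bayes and AWL are separate databases.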


Re: China TLD links

2008-02-28 Thread Randy Ramsdell

JP Kelly wrote:

any takers on this?


On Feb 27, 2008, at 2:31 PM, Chip M. wrote:


The main thing that stands out (to me) is the China TLD in the URL.
We block all those on sight (unless they're in the recipient's domain skip
list - so far, none of my users have any China TLDs in theirs).

Perhaps one of the regex gurus will whip you up a rule. :)


* Both should be run through a manual sa-learn. ( It would have caught 
the first example )
* As Chip wrote earlier, each message has China-based links in it. 
Mark those.
* If this is a company server, I would certainly not have an issue with 
blocking or adding a high score for the word "Whore" and could do 
something with the word "Schoolgirl."


Randy Ramsdell


Re: China TLD links

2008-02-29 Thread Randy Ramsdell

Karsten Bräckelmann wrote:

On Thu, 2008-02-28 at 18:04 -0500, Daryl C. W. O'Shea wrote:
  

Of course, now that I've used the word "whore" three times and quoted it
once I'm sure I'll get a deluge of bounces (not rejects) from people
running Microsoft's Antigen for SMTP.

http://daryl.dostech.ca/blog/2008/02/22/microsoft-antigen-brain-dead-content-filter/



Yes!

There's at least one user on this list, somewhere behind an MS Antigen
for SMTP, apparently run by psp.com (thank you, Sony), which has been
bugging me a couple times already when answering questions. The OP dared
to munge private email addresses:

  Filter name: "KEYWORD= spam: xxx "

I would not have expected anyone on *this* list to run such a stupid
single-word content "filter". But hey, the subscriber is unlikely to get
a lot of traffic from this list anyway passed beyond that wall...

I'm curious to see the reason for /dev/null'ing this mail and instead
sending out a useless and annoying note. Which one will win the race, whore
or triple x? :)

  guenther

  
Blocking is one thing, but scoring is another. Aren't single words 
defined in many rules for spamassassin?  I know "fsck"
and "v%%gra" are, and those are not part of a meta rule. I do agree, however, 
anything M$ does is stupid.




Re: aren't SPF_ rules network?

2008-02-29 Thread Randy Ramsdell

Matus UHLAR - fantomas wrote:

Hello,

I wonder if SPF rules shouldn't be considered network... they require DNS
lookups, don't they?
  

Yes. Network related.


Re: Whitelist Question

2008-03-11 Thread Randy Ramsdell

[EMAIL PROTECTED] wrote:


Here is the header info. What is the alternate solution to using 
whitelist_from? I have also been trying to set up AWL via MySQL. No 
luck on that.

I use Exim for mail, then it relays to Lotus Domino, if that helps.


Content analysis details:   (5.7 points, 10.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium
                            trust
                            [199.67.179.116 listed in list.dnswl.org]
 1.0 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 1.8 SUBJ_ALL_CAPS          Subject is all capitals
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.4 SARE_GIF_ATTACH        FULL: Email has a inline gif
 1.5 MY_CID_AND_ARIAL2      SARE CID and Arial2


This isn't the full header. A full header will show exactly what to 
whitelist.

1. Did you restart spamd or amavis/spamd?




On Tue, 11 Mar 2008, [EMAIL PROTECTED] wrote:

> I add users to whitelist in the local.cf file "whitelist_from
> [EMAIL PROTECTED]" but they still get tagged as Spam, is there an
> alternative solution.

(2) Post *all* the headers from a message that was incorrectly marked as
spam, as well as the whitelist command you put in that you think should
have whitelisted that message.





Re: Improving a spam report?

2008-03-12 Thread Randy Ramsdell

mouss wrote:

Matus UHLAR - fantomas wrote:

On 11.03.08 12:16, Jay Langley wrote:
 

Below I have offered the content of my spam score report generated by
Spam Assassin.   We are Kintera subscribers.  Problem is I don't know
how to make changes in the text that will result in a better score. 


you should turn on network rules, allow plugins and install appropriate
software (razor, pyzor, DCC). see *.pre settings in spamassassin config
directory. Note that using some network checks (DCC, spamhaus filters)
requires additional steps when receiving many (>100k) mails per day.

  


my understanding is that he sends mail and wants to know how to get a 
lower score. In other words, his question is "how to make sure my mail 
won't be tagged as spam by others?".

Ok then I would change the email so that the rule "HTML_TITLE_UNTITLED BODY: HTML 
title contains "Untitled" 0.7" doesn't trigger. I don't know 
for sure, but it says that the "title" is untitled so I would add a title.


Randy Ramsdell


Re: Scanning without attachments

2008-03-12 Thread Randy Ramsdell

Drew Burchett wrote:

I've noticed a new trend in spam on my mail server that is getting by
SpamAssassin.  The spammer is creating his message and then attaching a
couple of garbage PDFs to the email.  These PDFs make it too large for
SpamAssassin to scan the message, so it gets by the system.  I have
tried turning up the size so SpamAssassin will scan it, but it takes WAY
too long to scan a message.  Does anyone have any suggestions on how I
could catch/scan these messages without putting too much of a load on
SpamAssassin?

Drew Burchett
United Systems & Software
Ph:  (270)527-3293
Fax:  (270)527-3132


  


And it works too. I suppose more spammers don't use this technique more 
often and so far, I have not found a nice way to deal with it.




Re: SpamAssassin GUI

2008-03-12 Thread Randy Ramsdell

Peter Kingsbury wrote:


Hello,

Since installing SpamAssassin on my company’s Exchange server, I 
wanted to make kludging through potential spam/ham messages faster 
than using the slow remote desktop interface that is in place.


I wrote a program which allows an admin to quickly scan SA-filtered 
messages, and move them to the Learn-Ham or Learn-Spam directories 
with single keystrokes. I have found the program quite useful, and 
want to share it (source and application) with whomever is interested.


I coded the application in VB.NET using MS’s free Visual Studio.NET 
Express 2008, so I guess it could be ported to other OS’s that use 
Mono too. Not sure if it would be totally useful in that environment, 
but as I strongly believe in open source software, I want to 
contribute where I can.


If you’re interested, please drop me a line at 
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>


Best regards,

- Peter



Sincerely, thank you for this effort.

If you want to support OSS then why code it in a patent encumbered 
language. I actually don't know what licenses the software uses, but I 
do know that I would never ask my company to use it simply based on the 
fact that I wouldn't want some patent issues creeping in.


Randy Ramsdell


Re: Scanning without attachments

2008-03-12 Thread Randy Ramsdell

Henrik K wrote:

On Wed, Mar 12, 2008 at 09:48:37AM -0400, Randy Ramsdell wrote:
  

Drew Burchett wrote:


I've noticed a new trend in spam on my mail server that is getting by
SpamAssassin.  The spammer is creating his message and then attaching a
couple of garbage PDFs to the email.  These PDFs make it too large for
SpamAssassin to scan the message, so it gets by the system.  I have
tried turning up the size so SpamAssassin will scan it, but it takes WAY
too long to scan a message.  Does anyone have any suggestions on how I
could catch/scan these messages without putting too much of a load on
SpamAssassin?

Drew Burchett
United Systems & Software
Ph:  (270)527-3293
Fax:  (270)527-3132


  
  
And it works too. I suppose more spammers don't use this technique more  
often and so far, I have not found a nice way to deal with it.



Probably ClamAV is the way to go for big messages. Try Sanesecurity
signatures if you don't already.

  
You can use spamassassin and clamav with or without Amavis, but to check 
the message, you must make a system wide change that will affect every 
message. Bypassing file size limits with any of those setups might not 
be an ideal solution. After a brief read on Sanesecurity signatures, it 
appears that the size limits will still come into the equation and 
again, a system wide setting change is required.


Randy Ramsdell


Re: Scanning without attachments

2008-03-12 Thread Randy Ramsdell

Henrik K wrote:

On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
  
You can use spamassassin and clamav with or without Amavis, but to check  
the message, you must make a system wide change that will affect every  
message. Bypassing file size limits with any of those setups might not  
be an ideal solution. After a brief read on Sanesecurity signatures, it  
appears that the size limits will still come into the equation and  
again, a system wide setting change is required.



What are you talking about? I have no limits on size for ClamAV scans.

  
I am talking about message/attachment size limits or was that a 
rhetorical question? You can set the size limit which I believe is 
"StreamMaxLength." From the docs, this should be set to the mail server 
size limit so maybe it isn't a factor. The addon for clamav does seem to 
be interesting given this.


rcr


Re: Scanning without attachments

2008-03-12 Thread Randy Ramsdell

Henrik K wrote:

On Wed, Mar 12, 2008 at 11:16:32AM -0400, Randy Ramsdell wrote:
  

Henrik K wrote:


On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
  
  
You can use spamassassin and clamav with or without Amavis, but to 
check  the message, you must make a system wide change that will 
affect every  message. Bypassing file size limits with any of those 
setups might not  be an ideal solution. After a brief read on 
Sanesecurity signatures, it  appears that the size limits will still 
come into the equation and  again, a system wide setting change is 
required.



What are you talking about? I have no limits on size for ClamAV scans.

  
  
I am talking about message/attachment size limits or was that a  
rhetorical question? You can set the size limit which I believe is  
"StreamMaxLength." From the docs, this should be set to the mail server  
size limit so maybe it isn't a factor. The addon for clamav does seem to  
be interesting given this.



Of course it's not a factor. StreamMaxLength is only applied when the clamd
daemon is on a separate server. And even more, the default is 10MB which is
more than enough for what we are talking about. I really doubt spammers
would be sending _that_ big files.

  
I agreed that size does not matter. :) But I was mostly responding to 
your statement "I have no limits on size for ClamAV scans," but there 
are message size limits that can be set. So you do have limits.

Just get the Sanesecurity signatures and be done with it, it will help a lot
in any case. Maybe it has signatures for these "big" spams too. Also if you
are using amavisd-new, you should set virus_name_to_spam_score_maps
accordingly.

  
Just get "Sanesecurity signatures" even though it has nothing to do with 
the large file attachments directly? I actually looked into this 
technology because of the thread, but it doesn't help in my case. 


Re: Not scoring high enough on this spam...

2008-03-28 Thread Randy Ramsdell

Andrew Hearn wrote:

http://pastebin.ca/961075

I've only seen one so far but apart from the 0.0 BAYES_50 (I will 
learn this message), does anyone have rules that pushes this kind of 
message over 5.0?


thanks!

Andrew


If you learn the message which = 3.5 wouldn't that put the score +5?


Re: Blank messages

2008-04-03 Thread Randy Ramsdell
Ed Kasky wrote:
> I can't seem to catch these emails with blank bodies.  I upped the
> BLANK_LINES_80_90 score to 3 but the email below didn't get a hit off
> the rule.
>
> Is there another rule that I don't know about that is designed for
> blank message bodies?
>
> Thanks in advance on this one.  These things have been plaguing me for
> some time and no matter how many I run through sa-learn, they never
> seem to score above a 5...
>
>> Return-Path: <[EMAIL PROTECTED]>
>> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
>> yoda.wrenkasky.com
>> X-Spam-Level: *
>> X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
>> RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4
>>
>
> Ed Kasky
> ~
> Randomly Generated Quote (758 of 1229):
> Lots of times you have to pretend to join a parade in which you're
> not really interested in order to get where you're going.
> -Christopher Morley, writer (1890-1957)
>

It scored 5, but your cutoff is 6.3.


Re: False Negatives

2008-04-16 Thread Randy Ramsdell

Tony Bunce wrote:

Hi everyone,

I'm starting to see a noticeable amount of message sneak by spamassassin with 
scores mostly the 3-4 range but some as low as 1 point.

I'm running 3.2.4 with SARE, sough, and Botnet.   We don't use bayes.  Here are 
some samples of messages that have got through:
http://pastebin.com/m16055c85
http://pastebin.com/m52635526
http://pastebin.com/m491c4882
http://pastebin.com/m7c1240f2


Anyone have any suggestions?

Thanks in advance!


---
Tony Bunce: [EMAIL PROTECTED]
Sr. Programming Systems Administrator - GO Concepts Inc.
  
I think in our case, bayes would put these above the top. Without bayes 
or custom rules, these messages would not be marked as spam currently.


For the first:
Content analysis details:   (5.7 points, 5.0 required)

pts rule name  description
 -- 
--

0.2 NORMAL_HTTP_TO_IP  URI: Uses a dotted-decimal IP address in URL
0.0 HTML_MESSAGE   BODY: HTML included in message
3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
   [score: 1.]
1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
   above 50%
   [cf: 100]
0.5 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
   [cf: 100]
0.0 URIBL_RED  Contains an URL listed in the URIBL redlist
   [URIs: 71.187.15.19]
-0.4 AWLAWL: From: address is in the auto white-list


Re: False Negatives

2008-04-17 Thread Randy Ramsdell

mouss wrote:

Koopmann, Jan-Peter wrote:

http://pastebin.com/m16055c85



Content analysis details:   (9.6 points, 6.0 required)

 pts rule name  description
 --
--
 1.5 URIBL_OB_SURBL Contains an URL listed in the OB SURBL
blocklist
[URIs: diroma.us]
 0.5 SPF_HELO_FAIL  SPF: HELO does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receive
r=proxy.intern.seceidos.de]
 0.0 NORMAL_HTTP_TO_IP  URI: Uses a dotted-decimal IP address in URL
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired
language
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
[score: 0.5000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
 2.0 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
 0.7 SARE_BANK_URI_IP   SARE_BANK_URI_IP
 0.1 CRM114_CHECK   CRM114: message is UNSURE with crm114-score
-2.0200

 unwanted language 


It was not on uribl/surbl when OP sent it, and "unwanted language" 
isn't appropriate for everybody. I ran a test on the first (when OP 
sent it) and it scored a little less than 5 (I don't remember if DCC 
was hit, but razor was).
It really doesn't matter to me whether it was on urisbl/surbl when he 
sent it. I provided what our server marked this as as an example of 
rules that he could look at as to why it was scored low. Other people 
that don't use "unwanted language" may not need it, but in some cases it 
helps, specifically this case. I ran a test on our log and could not 
find one incident of hitting the "unwanted" rule, so maybe he should use 
it. I also stated that bayes would help mostly in the cases he provided.


thanks.
rcr


Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Randy Ramsdell

Bookworm wrote:

I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to 
not so much check links, but count periods.

Here's the example that just came in my email -

(removing http:// ) - 
connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm 



Notice that there are ten periods.  That makes it be an eleventh level 
domain name? :)


In general, you see fewer than four periods in a domain name - but 
I've seen this sort of behavior in spams before.

Thoughts?

(I'm just a general administrator.  I use other people's rules, I 
haven't had time to learn to make my own)


BW

I haven't, but I think a rule for this would be a good idea. I always 
write rules and then check them every so often with a custom perl script.
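
The "count the periods" check proposed in this thread, as an added example that is not code from SpamAssassin or from either poster. It counts DNS labels in each URI hostname found in a message body and shows the equivalent SpamAssassin-style `uri` rule in a comment; the threshold, the rule name LOCAL_URI_MANY_LABELS and the sample body are assumptions made for the example.

```python
"""Added example (not code from SpamAssassin or from the thread's posters):
flag URIs whose hostname has an unusually deep chain of DNS labels, i.e. the
"count the periods" rule proposed above.  The threshold, the rule name
LOCAL_URI_MANY_LABELS and the sample message body are assumptions."""
import re
from urllib.parse import urlsplit

# Assumed threshold: the thread says fewer than four periods is typical, so
# anything beyond six labels (five periods) is treated as suspicious here.
MAX_LABELS = 6

# Rough URI matcher for a plain-text body.  SpamAssassin's own 'uri' rules run
# against URIs it has already extracted, so no such matcher is needed there.
URI_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Equivalent rule in SpamAssassin syntax (an assumed local rule, not from the
# project): at least MAX_LABELS labels each followed by a dot, then a final label.
#   uri      LOCAL_URI_MANY_LABELS  m{^https?://(?:[a-z0-9-]+\.){6,}[a-z0-9-]+}i
#   describe LOCAL_URI_MANY_LABELS  URI hostname has an unusually deep label chain
#   score    LOCAL_URI_MANY_LABELS  1.0
SA_RULE_RE = re.compile(r"^https?://(?:[a-z0-9-]+\.){6,}[a-z0-9-]+", re.IGNORECASE)


def hostname_labels(uri):
    """Split the hostname of a URI into its DNS labels (empty list if none)."""
    host = (urlsplit(uri).hostname or "").rstrip(".")
    return host.split(".") if host else []


def is_ip_literal(labels):
    """True for dotted-decimal hosts; their four labels are not subdomains."""
    return len(labels) == 4 and all(label.isdigit() for label in labels)


def suspicious_uris(body, max_labels=MAX_LABELS):
    """Return (uri, label_count) for every URI in body whose hostname has
    more than max_labels labels.  IP-literal hosts are never flagged."""
    hits = []
    for m in URI_RE.finditer(body):
        uri = m.group(0).rstrip(".,;:)")  # drop trailing sentence punctuation
        labels = hostname_labels(uri)
        if len(labels) > max_labels and not is_ip_literal(labels):
            hits.append((uri, len(labels)))
    return hits


def sa_rule_matches(uri):
    """Apply the regex of the SpamAssassin-style rule above to one URI."""
    return SA_RULE_RE.match(uri) is not None


# Constructed sample body: the phishing URI quoted in the thread plus two
# ordinary links that must not be flagged.
SAMPLE_BODY = """Please verify your account at
http://connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm
or read the notice at http://www.example.com/notice.html.
Our status page is at http://71.187.15.19/status."""

if __name__ == "__main__":
    for uri, n in suspicious_uris(SAMPLE_BODY):
        verdict = "hit" if sa_rule_matches(uri) else "miss"
        print(f"{n} labels, SA rule {verdict}: {uri}")
```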


Re: Extra long domain names rule?

2008-04-24 Thread Randy Ramsdell

Bookworm wrote:


I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to not
so much check links, but count periods.

I was going to put in the web address that I received as an example, 
but I think that's why this is a second attempt - the first one never 
went through.


Basically, it's a 'colonial bank' scam - it uses eleven sections to 
the domain name - 10 periods.  (What would that be - I mean, we have 
TLD for the .com/net/etc, second level domain names for the bleah.com 
domains.. what would you say it is for an 11th level?)


In general, you see fewer than four periods in a domain name - but I've
seen this sort of behavior in spams before.

Thoughts?

(I'm just a general administrator.  I use other people's rules, I
haven't had time to learn to make my own)

BW


I noticed you started a thread a few days ago with the exact same body 
and a changed subject. There are 10-20 replies to that thread so I am 
not sure why you would start exactly the same thread a week later.

My suggestion would be to read that thread.

rcr


Re: Connection timed out

2008-05-01 Thread Randy Ramsdell

Ross Boylan wrote:

On Thu, 2008-05-01 at 13:54 -0400, Jean-Paul Natola wrote:
  

OPTIONS="--create-prefs --max-children 5 --helper-home-dir \
--username=mail --socketpath=/var/run/spamd/socket"



I'm running on a Pentium 4 with hyperthreading, which appears as 2 CPU's
to the OSs.  There's really only 1 CPU.  I wonder if that could have
something to do with the trouble.
  



How much ram do you have, are you exceeding your physical mem?

 



2G physical + 2G swap.  I don't think I'm exceeding it.

Ross

  
Look for OOM messages in /var/log/messages. If you run out of swap you 
will see errors as it kills off processes.


Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Randy Ramsdell

DAve wrote:

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam 
and at the same time help me track spambots for my black list. This 
is free and mutual benefit. I (junkemailfilter.com) want to be your 
highest numbered fake MX record. Here's how you would configure your 
domain:


A generous offer and an admirable effort. But if you think I or my 
clients are going to route mail to your servers you are mistaken. Even 
if I knew you personally, I don't think ethics or common sense would 
allow me to do so.


DAve
Not taking a position on this, but isn't outsourcing spam filtering 
normal? Although I would think one would consider carefully about 
outsourcing their e-mail filtering, I don't think common sense or ethics 
have a whole lot to do with it.

mail.yourdomain.com MX 10
tarbaby.junkemailfilter.com MX 20

I will never actually receive your email. The recipient will always 
get a 451 error just after the DATA command. So if your servers are 
down you won't lose anything. A 451 error is a "I'm not ready, come 
back later" error.


This will help you reduce your spambot spam generally by half. Many 
spambots try the highest number MX records first and never try again. 
So these attempts just go away. Your system load drops, your spam is 
reduced, spamassassin doesn't have to work as hard. And some spammers 
will actually blacklist you because when they see a 
junkemailfilter.com host in the MX they don't even try because they 
know that it will only reduce their spambot army to even attempt to 
send a spam.


I have developed an extremely accurate way of detecting spambots and 
getting them listed on the first attempt to send spam. It involves 
detecting a combination of several sins that if they hit this 
combination, and most do, it's a virus infected spambot. Without 
going into great detail one of the unique things I look for is hosts 
not closing the connection with quit but rather allowing the 
connection to time out after receiving the 451 error. When you 
combine that it's the highest MX, no QUIT, and several other tests on 
HELO and other things I can get these hosts blacklisted which blacks 
their spam for everyone who uses my blacklists. And - unless you are 
huge - you can use my blacklists for free.


Here's what an SMTP session to my tarbaby server looks like.

telnet tarbaby.junkemailfilter.com 25
Trying 65.49.42.79...
Connected to tarbaby.junkemailfilter.com.
Escape character is '^]'.
220 tarbaby.junkemailfilter.com ESMTP Exim 4.68 Wed, 07 May 2008 
08:20:24 -0700

helo mydomain.com
250 tarbaby.junkemailfilter.com Hello vps8.ctyme.com [65.49.42.18]
mail from:<>
250 OK
rcpt to:[EMAIL PROTECTED]
250 Accepted
data
451 DEFER - Try a lower numbered MX record - 
http://www.junkemailfilter.com


So - if you are interested all you have to do is set your highest 
numbered MX to tarbaby.junkemailfilter.com. If you want to know more 
about my lists you can read about them here.


http://wiki.junkemailfilter.com/index.php/Main_Page

This is experimental. I'm looking to see what kind of useful data I 
can derive from this to see how well it work and if I'll continue it. 
Send me a private email if you have any questions.

Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Randy Ramsdell

Marc Perkel wrote:



Randy Ramsdell wrote:

DAve wrote:

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam 
and at the same time help me track spambots for my black list. This 
is free and mutual benefit. I (junkemailfilter.com) want to be your 
highest numbered fake MX record. Here's how you would configure 
your domain:


A generous offer and an admirable effort. But if you think I or my 
clients are going to route mail to your servers you are mistaken. 
Even if I knew you personally, I don't think ethics or common sense 
would allow me to do so.


DAve
Not taking a position on this, but isn't outsourcing spam filtering 
normal? Although I would think one would consider carefully about 
outsourcing their e-mail filtering, I don't think common sense or 
ethics have a whole lot to do with it.




Thanks Randy,

I am in the outsourced spam filtering business so this all seems 
natural to me. And I look at it as win/win. I get useful data, the 
person letting me use their high numbered MX record gets some spam 
reduction. I'm not interested in the content of the message or 
anything other than catching the IP addresses of virus infected spam 
bots. That's all I want to do.


I think sender score does something similar, but I am not very familiar 
with how they obtain stats. I recall something about an ISP, etc. 
providing log data and then using the data to rate domains. Comcast 
started using them. Personally, I wasn't impressed with the data they 
had for certain domains, especially our own and I see a need to improve 
that actually.


As DAve pointed out, getting someone to redirect corporate e-mail to you 
for testing may not be something people could or would do. As a paid 
vendor for someone with appropriate agreements, it becomes more reasonable.

Re: False positive on forged_mua_outlook

2008-05-09 Thread Randy Ramsdell

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 
-

Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
> Our users are getting false positives with hits on
>
> 4.2 FORGED_MUA_OUTLOOK
>
> and are saying they are 100% certain that the email was sent from MS
> Outlook Express. Is this a known problem or are these users doing 
something

> wrong?

may be... can you show us headers of such e-mail?

meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID)
meta FORGED_MUA_OUTLOOK (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)


at least Message-Id and X-Mailer...

btw do you update rules periodically?
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic 
messages."

"That's nothing. If you play it forward it will install Windows."


Best Regards,

Jeff Koch, Intersessions
Could you include the whole complete header including the spam report 
because this looks like a valid M$ outlook/express header?


Re: False positive on forged_mua_outlook

2008-05-09 Thread Randy Ramsdell

Jeff Koch wrote:


Hi Randy - here's the whole thing:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
 scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra..com
with SpamAssassin (version 3.2.4);
Tue, 06 May 2008 15:13:09 -0400
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: *SPAM* Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
libra..com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=3.0 
tests=FORGED_MUA_OUTLOOK,RDNS_NONE,

TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
*  0.1 RDNS_NONE Delivered to trusted network by a host with 
no rDNS
*  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam 
fingerprint
*  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS 
Outlook

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_4820ADC5.A4580A7F"

This is a multi-part message in MIME format.

=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "libra.xxx.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  [...]

Content analysis details:   (5.3 points, 3.0 required)

 pts rule name  description
 -- 
--
 0.1 RDNS_NONE  Delivered to trusted network by a host 
with no rDNS

 1.0 TVD_PDF_FINGER01   Mail matches standard pdf spam fingerprint
 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 
-

Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

--=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit


--=_NextPart_000_0039_01C8AF72.8920CD60



At 04:29 PM 5/9/2008, Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
19:13:06 -

Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
> Our users are getting false positives with hits on
>
> 4.2 FORGED_

Re: False positive on forged_mua_outlook

2008-05-09 Thread Randy Ramsdell

Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Randy - here's the whole thing:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
 scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra..com
with SpamAssassin (version 3.2.4);
Tue, 06 May 2008 15:13:09 -0400
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: *SPAM* Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
libra..com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=3.0 
tests=FORGED_MUA_OUTLOOK,RDNS_NONE,

TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
*  0.1 RDNS_NONE Delivered to trusted network by a host with 
no rDNS
*  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam 
fingerprint
*  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from 
MS Outlook

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_4820ADC5.A4580A7F"

This is a multi-part message in MIME format.

=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "libra.xxx.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  [...]

Content analysis details:   (5.3 points, 3.0 required)

 pts rule name  description
 -- 
--
 0.1 RDNS_NONE  Delivered to trusted network by a host 
with no rDNS

 1.0 TVD_PDF_FINGER01   Mail matches standard pdf spam fingerprint
 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
19:13:06 -

Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

--=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit


--=_NextPart_000_0039_01C8AF72.8920CD60



At 04:29 PM 5/9/2008, Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
19:13:06 -
Received: from server (216-99-214-161.dsl.aracnet.com 
[216.99.214.161])

by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
> Our users are getting false positives with 

Re: FORGED_MUA_OUTLOOK 4.1

2008-05-16 Thread Randy Ramsdell

Philippe Couas wrote:

Hi,

I have a server program sending mail to a PC. This PC reads the mail
and then forwards it to a user group.
Mails are read correctly, but when forwarded, the mail is SPAMMED
with

FORGED_MUA_OUTLOOK 4.1

How could I avoid it?

Regards
Philippe

Find out why it is being flagged. ( Read the rule then compare it to the 
message header ) How else?


FW: Spamd not killing children

2006-10-16 Thread Diffenderfer, Randy
Folks,

I, too, have been having somewhat similar issues with 3.1.7.  On a RH ES
3.0u7  box, kernel 2.4.21-40.ELsmp, I see these symptoms in syslog
(spamd running with "-s local2"):

Oct 14 21:42:01 samler1 spamd[18694]: prefork: child states: III
Oct 14 21:42:01 samler1 spamd[14338]: spamd: connection from localhost.localdomain [127.0.0.1] at port 60505
Oct 14 21:42:01 samler1 spamd[14338]: spamd: processing message <[EMAIL PROTECTED]> for mailadm:500
Oct 14 21:42:01 samler1 spamd[14338]: spamd: clean message (0.0/5.0) for mailadm:500 in 0.046 seconds, 2059 bytes.
Oct 14 21:42:01 samler1 spamd[14338]: spamd: result: . 0 - HTML_MESSAGE scantime=0.046,size=2059,user=mailadm,uid=500,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=60505,mid=<01c6f014$365c5[EMAIL PROTECTED]>,autolearn=disabled
Oct 14 21:47:02 samler1 spamd[18328]: prefork: sysread(8) failed after 300 secs at /usr/local/spam/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/SpamdForkScaling.pm line 561.
Oct 14 21:47:02 samler1 spamd[14338]: prefork: sysread(7) failed after 300 secs at /usr/local/spam/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/SpamdForkScaling.pm line 561.

spamd's 2 kids are both marked defunct in a 'ps', and spamd processing
is effectively *stopped*.  This isn't a good thing -- a 'kill -9' and
spamd restart is necessary to get things running again.

What do I start to look at?

rnd

-Original Message-
From: Chris Lear [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 16, 2006 5:32 AM
To: SpamAssassin
Subject: Spamd not killing children


Subject sounds unpleasantly like incitement to filicide, for which I
apologise.

The problem I'm having is that spamd doesn't seem to be able to clean up
unwanted idle child processes.

Here's the logfile evidence:

Oct 16 00:12:59 marvin spamd[6351]: prefork: child states: III
Oct 16 00:13:09 marvin spamd[18043]: spamd: connection from localhost [127.0.0.1] at port 35720
Oct 16 00:13:09 marvin spamd[18043]: spamd: setuid to spamd succeeded
Oct 16 00:13:09 marvin spamd[18043]: spamd: checking message <[EMAIL PROTECTED]> for spamd:210
Oct 16 00:13:12 marvin spamd[25627]: spamd: connection from localhost [127.0.0.1] at port 35722
Oct 16 00:13:12 marvin spamd[25627]: spamd: setuid to spamd succeeded
Oct 16 00:13:12 marvin spamd[25627]: spamd: checking message <[EMAIL PROTECTED]> for spamd:210
Oct 16 00:13:14 marvin spamd[18043]: spamd: identified spam (29.7/5.0) for spamd:210 in 5.3 seconds, 1545 bytes.
Oct 16 00:13:14 marvin spamd[18043]: spamd: result: Y 29 - BAYES_99,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=5.3,size=1545,user=spamd,uid=210,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=35720,mid=<[EMAIL PROTECTED]>,bayes=0.891,autolearn=spam
Oct 16 00:13:15 marvin spamd[6351]: prefork: child states: IBK
-^
[...] Time passes, and spamd continues to work [...]

Oct 16 10:18:00 marvin spamd[6351]: prefork: child states: IIKK
-^^

spamd seems to be trying to kill child processes to get the number of
threads down to 2. But for some (apparently unreported) reason the
threads don't die, and the server is slowly collecting children marked
as "K".

I recently upgraded spamassassin to 3.1.5, and I also installed
FuzzyOcr, which I suspect might be part of the problem.

Can anyone tell me a) what logs to look in to work out why this has
happened? (I've looked in the FuzzyOcr log, which does show some errors
and timeouts, but apparently none at relevant times), b) whether there's
anything I can do about it (I'll start by disabling FuzzyOcr, but I'd
like to use it), or c) whether there's a spamassassin bug?

I looked at the code in SpamdForkScaling.pm, and I see that there are 2
places where child processes are killed. In one place (sub
child_error_kill, line 134), there is a warn line if the kill fails. In
the other (sub need_to_del_server, line 732) there isn't.

Chris
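
A watcher for the symptom described in the two messages above, as an added example that is not code from SpamAssassin or from either poster: it parses spamd's "prefork: child states" log lines and flags children that remain in the K state across successive samples. The log excerpts, the sampling window and the function names are constructed for this example.

```python
"""Added example (not code from SpamAssassin or from the posters above): parse
spamd's "prefork: child states" log lines and flag children that stay in the
K (being killed) state across successive samples, the symptom described in
the thread.  The log lines below are constructed for this example."""
import re

# Matches lines such as "spamd[6351]: prefork: child states: IIKK".
STATE_RE = re.compile(r"spamd\[(\d+)\]: prefork: child states: ([IBK]+)\s*$")


def parse_child_states(log_lines):
    """Return one (parent_pid, states) tuple per 'child states' line, in
    log order; unrelated spamd lines are ignored."""
    out = []
    for line in log_lines:
        m = STATE_RE.search(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def persistent_k(states, window=3):
    """Smallest number of K children present in any of the last `window`
    samples.  A positive value means at least that many children have been
    'being killed' through the whole window, i.e. the kill never completed."""
    if len(states) < window:
        return 0
    return min(s.count("K") for s in states[-window:])


def check_log(log_lines, window=3):
    """Summarise the latest sample and whether stuck children were found."""
    samples = parse_child_states(log_lines)
    states = [s for _, s in samples]
    stuck = persistent_k(states, window)
    return {
        "samples": len(samples),
        "latest": states[-1] if states else "",
        "stuck_children": stuck,
        "alert": stuck > 0,
    }


# Constructed log excerpt in the format shown in the thread: the K children
# from the 00:13:15 sample are still there ten hours later.
SAMPLE_LOG = """\
Oct 16 00:12:59 marvin spamd[6351]: prefork: child states: III
Oct 16 00:13:09 marvin spamd[18043]: spamd: connection from localhost [127.0.0.1] at port 35720
Oct 16 00:13:15 marvin spamd[6351]: prefork: child states: IBK
Oct 16 02:40:02 marvin spamd[6351]: prefork: child states: IIKK
Oct 16 10:18:00 marvin spamd[6351]: prefork: child states: IIKK
""".splitlines()

# Constructed healthy excerpt: the K child is gone in the next sample.
HEALTHY_LOG = """\
Oct 16 00:12:59 marvin spamd[6351]: prefork: child states: III
Oct 16 00:13:15 marvin spamd[6351]: prefork: child states: IBK
Oct 16 00:14:00 marvin spamd[6351]: prefork: child states: II
""".splitlines()

if __name__ == "__main__":
    print(check_log(SAMPLE_LOG))
    print(check_log(HEALTHY_LOG))
```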


Re: R: BIG increase in spam today

2006-11-02 Thread Randy Smith
On Thursday 02 November 2006 08:42, François Rousseau wrote:
> Greylisting is not always good...
>
> The greylisting insert delay in delevery and sometimes the email have to be
> delever fast.
>
> For example: on some public wireless network, you have to register to have
> access to the internet.  You can access internet without authentification
> for 15 minutes.  In this 15 minutes, you have to register in the captive
> portal and then go confirm your inscription by clicking in a link received
> by email.  If the greylisting inserts more than 15 minutes of delay...

I use policyd and give my users the ability to optout (or optin depending on 
the domain settings) of greylisting if they choose. They can do it through a 
plugin in SquirrelMail so, if they choose, they can turn it off for a few 
minutes to get "instant" delivery and turn it back on when they are done or 
just leave it off. It seems to work well enough here.

I have to agree with others in this thread that, in general, the more you can 
safely stop before it hits your filtering system, the happier you'll be.

>
> I think technologies like SPF have a better future.

I don't know. I've seen too many problems with SPF and mail forwarding from 
hosting providers.

[snip]
-- 
Randy Smith
http://perlstalker.amigo.net/
"Work is the miracle by which talent is brought to the surface and
dreams become reality." - Gordon B. Hinckley




Re: spam

2006-11-06 Thread Randy Smith
On Monday 06 November 2006 06:28, Maccie Roux wrote:
> Hi.
>
> I'm running Fedora Core 5 with Postfix Dovecot Open LDAP and spamassassin.
> Everything is working fine and spamassassin tags the spam correct, but
> I want to know how to move the spam mail to a separate mailbox.

You'll need a filter of some sort such as procmail, maildrop or dovecot LDA.

>
> Hope someone can help me.
>
> Thanks
> Maccie Roux

-- 
Randy Smith
http://perlstalker.amigo.net/
"Work is the miracle by which talent is brought to the surface and
dreams become reality." - Gordon B. Hinckley




Re: Hostkarma whitelist problem

2009-06-17 Thread Randy Ramsdell

Marc Perkel wrote:
err...@junkemailfilter.com will work. If you have suggestions for 
automation I'm interested.


Bowie Bailey wrote:
That one also hit DNSWL_MED and actually ended up with a negative 
score.  I reported to dnswl via their website.


It would be useful to have a reporting mechanism on your website so 
we don't have to send these to the list.


Bowie

Marc Perkel wrote:
No list is perfect. Thanks for reporting it. Although I try to get 
everything right there will always be mistakes. Sometimes I do get 
to leaning white because false positives are 100 times worse than a 
few spams getting through. Probably what happened with that is that 
the sender does a pretty good job of stopping spam and after we get 
25 good emails and no spam they get whitelisted. So when a spam 
sneaks through it gets past.


I need to build up my yellow list more. My yellow list is for ISPs 
and freemail providers that are mostly non-spam but some spam gets 
through. I'm always looking for new tricks to build up these lists.


Bowie Bailey wrote:
I couldn't find any place on junkmailfilter website to report this, 
so I'll put it here.


I received a 419 scam email with this whitelist hit:

* -3.0 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
*  [213.4.129.18 listed in hostkarma.junkemailfilter.com]







It can be automated by creating a web form and having the form do input 
validation, and then ...

1. Send an e-mail to you or other maintainers.
2. Automatically removing the incorrect entry.
3. Removing it and then parsing through your list to see if the domain is 
currently sending spam. ( If you have logs etc... )

4.  Removing it and sending an e-mail to the maintainers.

There are so many ways to handle this.


Got one!

2009-06-25 Thread Diffenderfer, Randy
Seems like it's gonna cost some of the big boys a little coin...

http://detroit.fbi.gov/dojpressrel/pressrel09/de062209.htm

Let's hope there are more indictments where these came from!

rnd


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-01 Thread Randy Smith
On Tuesday 01 August 2006 14:16, Ninja Dude wrote:
> Evan Platt wrote:
> > Turning Spamming into a capital offense punishable by death would be a
> > good start. :-D
>
> Now I'm trying to figure out what a capital offense would be that
> *isn't* punishable by death...

Using the wrong case on the letters/words of your ransom note?

-- 
Randy Smith
http://perlstalker.amigo.net/
"Work is the miracle by which talent is brought to the surface and
dreams become reality." - Gordon B. Hinckley




Re: Google docs spam

2008-05-21 Thread Randy Ramsdell

ram wrote:
Now google docs abuse spam. 


Spammer is using the docs page with an id from Google. At least Google
should have a decent abuse reporting system 




This mail went by almost clean, Are there any rules I am missing 
https://ecm.netcore.co.in/tmp/spamgd.txt



Thanks
Ram


  
I am slow. How are they doing this? I couldn't even figure it out 
looking at the example e-mail.


Re: uri rules

2008-05-28 Thread Randy Ramsdell

Matt Kettler wrote:

Joseph Brennan wrote:


I was surprised that this rule...

 uri CU_CN_LINK  /http:..\w+\.cn\b/

matches not only this...

 http://foobar.cn";>

but also this...

 http://www.columbia.edu/foo.html";>KooXoo Buys Kuxun.cn 
Domain



First, I did not realize that SpamAssassin's idea of "uri" includes not
only the uri, but the start tag, end tag, and all in between.  That's
useful but not real clear in Mail::SpamAssassin::Conf.
Actually, it doesn't.. your second example has two URIs as far as 
SpamAssassin is concerned. "http://www.columbia.edu/foo.html"; and 
"http://Kuxun.cn";. Two separate URIs.


Since many email clients "auto-link" domains in text portions, like 
www.google.com, SpamAssassin tries to find text strings that clients 
will treat as URIs and use them in the URI tests as well.




How so? How does spamassassin URI check determine Kuxun.cn  in a URI as 
opposed to someone who forgot to add a "space" after a sentence end? Is 
it because it is located within the "a" tag?


Second, I can't figure out how \w+ matches the punctuation and spaces!

It doesn't. :)
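Matt's point about auto-linked text, as an added example (not code from the thread or from SpamAssassin itself): a small Python model of the URI extraction, with the two snippets above reconstructed as sample input because the archive stripped the original anchor tags. Each extracted URI is tested on its own, which is why Kuxun.cn hits while the raw HTML does not. extract_uris, uri_rule_hits and the tighter CU_CN_HOST pattern are my names and my suggestion; the short TLD list is an assumption.

```python
import re

# Constructed samples modelled on the two snippets quoted above; the archive
# dropped the original <a> tags, so these are reconstructions, not the originals.
SAMPLE_CN_LINK = '<a href="http://foobar.cn">foobar</a>'
SAMPLE_EDU_LINK = ('<a href="http://www.columbia.edu/foo.html">'
                   'KooXoo Buys Kuxun.cn Domain</a>')

# The rule from the thread, /http:..\w+\.cn\b/, as a Python regex
CU_CN_LINK = re.compile(r'http:..\w+\.cn\b')
# Tighter variant (my suggestion): anchor on the scheme, allow dotted host names
CU_CN_HOST = re.compile(r'^https?://(?:[\w-]+\.)*[\w-]+\.cn\b', re.I)

HREF_RE = re.compile(r'href\s*=\s*"([^"]+)"', re.I)
TAG_RE = re.compile(r'<[^>]+>')
# Bare host names a mail client would auto-link; the TLD list is an assumption
AUTOLINK_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+(?:cn|com|net|org|edu))\b', re.I)


def extract_uris(html):
    """Approximate SA's URI list: href targets, then auto-linkable bare hosts
    found in the visible text (SA prepends a scheme to those)."""
    uris = list(HREF_RE.findall(html))
    text = TAG_RE.sub(' ', html)
    for host in AUTOLINK_RE.findall(text):
        uris.append('http://' + host)
    return uris


def uri_rule_hits(html, rule=CU_CN_LINK):
    """URIs the rule fires on; each extracted URI is tested on its own."""
    return [u for u in extract_uris(html) if rule.search(u)]


def raw_body_hits(html, rule=CU_CN_LINK):
    """The same regex over the raw HTML: \\w+ cannot cross '.' or '/', so the
    rule never spans from one URI into the next."""
    return rule.search(html) is not None


if __name__ == '__main__':
    for sample in (SAMPLE_CN_LINK, SAMPLE_EDU_LINK):
        print(extract_uris(sample), '->', uri_rule_hits(sample),
              'raw:', raw_body_hits(sample))
```

Note that the posted rule only matches a single-label host (\w+ stops at the first dot), so http://www.foobar.cn would not hit it; CU_CN_HOST shows the shape of a rule that does.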






Re: skip inbox ?

2008-06-18 Thread Randy Ramsdell

almaren wrote:

Is it possible to somehow tell spamassassin to move all messages marked as
spam directly into the spam/ham/trash folders ? 
The thing is I'm running backups on my mailbox and although I omit

spam/ham/trash I do collect the mails from my inbox, and in most cases there
are 40-50 messages with subjects starting with *SPAM*. I don't want
to have them there.
  
Spamassassin uses a local delivery agent to do this. We use procmail 
and created a recipe ( regex ) that moves all spam messages to the user's 
spam folder. If you use a local ( not system wide ) setup, then simply 
create a filter in the e-mail client.


OT: Re: skip inbox ?

2008-06-18 Thread Randy Ramsdell

almaren wrote:

well first of all - thanks for the quick response :)


John Hardin wrote:
  

You didn't explain your MTA tool chain, so we have no idea how to
recommend configuring it to change where messages scored as "spammy" get
saved.

Tell us what does delivery (e.g. procmail) in your environment and
someone may be able to tell you how to configure delivery of spammy
messages to a spam folder.




I'm running qmail as MTA and courier-imap, there is also procmail on the
server.


  

"/etc/procmailrc"

# Maildir++ folder for spam; the trailing slash tells procmail it is a Maildir
SPAMIT="$HOME/Maildir/.SPAM/"

# Maildir delivery needs no lockfile, so ":0" rather than ":0:"
:0
* ^X-Spam-Status: Yes
$SPAMIT

This will send messages to a user's .SPAM directory.
You will have to create the directory in each user's home directory.
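Creating the .SPAM folder the recipe above delivers into, as an added example that is not part of the thread: a Python helper that builds the Maildir++ subfolder (cur/new/tmp) with the permissions a per-user Maildir needs and subscribes it so courier-imap shows it. The courierimapsubscribed file format (one INBOX.Name per line), the 1000 uid floor and the function names are assumptions.

```python
import os
import pwd
import shutil
import tempfile

SUBSCRIPTIONS = "courierimapsubscribed"   # courier-imap's per-Maildir list (assumed format)


def make_maildir_folder(maildir, folder=".SPAM", owner=None):
    """Create a Maildir++ subfolder (cur/new/tmp) under maildir and subscribe it.

    maildir: the user's top-level Maildir, e.g. /home/alice/Maildir
    folder:  subfolder name with its leading dot; .SPAM shows up as INBOX.SPAM
    owner:   user name to chown the result to (only effective when run as root)
    Safe to call repeatedly: existing directories and subscriptions are left alone.
    """
    path = os.path.join(maildir, folder)
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(path, sub), mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)

    subs = os.path.join(maildir, SUBSCRIPTIONS)
    entry = "INBOX" + folder
    if entry not in subscribed_folders(maildir):
        with open(subs, "a") as fh:
            fh.write(entry + "\n")

    if owner is not None and os.geteuid() == 0:
        pw = pwd.getpwnam(owner)
        for root, _dirs, _files in os.walk(path):
            os.chown(root, pw.pw_uid, pw.pw_gid)
        os.chown(subs, pw.pw_uid, pw.pw_gid)
    return path


def subscribed_folders(maildir):
    """Folder names currently listed in the subscription file."""
    subs = os.path.join(maildir, SUBSCRIPTIONS)
    if not os.path.exists(subs):
        return []
    with open(subs) as fh:
        return [line.strip() for line in fh if line.strip()]


def demo():
    """Run the helper twice in a scratch Maildir and report what it produced."""
    scratch = tempfile.mkdtemp()
    try:
        maildir = os.path.join(scratch, "Maildir")
        path = make_maildir_folder(maildir)
        make_maildir_folder(maildir)           # second run must change nothing
        return {
            "path": path,
            "subdirs": sorted(os.listdir(path)),
            "subscribed": subscribed_folders(maildir),
        }
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    # Site-wide use, as root: one folder per real user that already has a Maildir
    for pw in pwd.getpwall():
        md = os.path.join(pw.pw_dir, "Maildir")
        if pw.pw_uid >= 1000 and os.path.isdir(md):
            print(make_maildir_folder(md, owner=pw.pw_name))
```

Run it once as root after adding the recipe; a folder that is missing cur/new/tmp, or owned by the wrong user, is the usual reason procmail falls back to the default mailbox instead of filing the spam.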


Re: skip inbox ?

2008-06-18 Thread Randy Ramsdell

Jari Fredriksson wrote:

almaren wrote:


Is it possible to somehow tell spamassassin to move all
messages marked as spam directly into the spam/ham/trash
folders ? 
The thing is I'm running backups on my mailbox and

although I omit spam/ham/trash I do collect the mails
from my inbox, and in most cases there are 40-50
messages with subjects starting with *SPAM*. I
don't want to have them there. 

  

Spamassassin uses a local delivery agent  to do this. We
use procmail and created a recipe ( regex ) that moves
all spam messages to the user's spam folder. If you use a
local ( not system wide ) setup, then simply create a
filter in the e-mail client. 



SpamAssassin does NOT use local delivery agent. But local delivery agent may 
use SpamAssassin, and then forward messages according to SA originated headers.


  
Yes. I should have written that spamassassin sends the message back to 
postfix or whatever and this is what sends to the local delivery agent.





Re: Clamav Plugin for Spamassassin

2008-06-23 Thread Randy Ramsdell

metamorph wrote:

James Lay wrote:
  

On 6/22/08 9:30 PM, "metamorph" <[EMAIL PROTECTED]> wrote:



Spamassassin/Clamav/Ubuntu/PHP5/Apache2/citadel/

I just installed spamassasin and tested it with gtube and it worked, but
when I tried to install clamav it still lets the EICAR files through.  I
read through old posts and everything on the spamassassin site and still
cannot get it to work.

Any suggestions on what I  am not doing correctly are greatly
appreciated.

The steps I took:
filescanclamav is a Perl module, so I had to use CPAN to install it.

Then, I created the files clamav.cf and clamav.pm with the text from
http://wiki.apache.org/spamassassin/ClamAVPlugin.

Placed the two files in the /etc/spamassassin directory.

Made the recommended change to clamav.pm: our $CLAMD_SOCK =
"/var/run/clamav/clamd.ctdl";   # changed

Restarted spamassassin. grep shows spamassassin.

Sent EICAR  AV text test and it still doesn't do anything.

  

Got any headers to show that it's actually piping through ClamAV?  (hint:
look for X-Spam-Virus:)
J~

Citadel does not support headers, so it just sends the email back or
deletes it.



Any other suggestions on how to check if it is piping through clamav and how
to set it if it is not are greatly appreciated.  Do I need to post any other
info ?
  

  


1. Create test file with the EICAR test included.
2. Run spamassassin -D < $testfile
3. Read through the output thoroughly

or
1. spamassassin -D --lint : this should show if the plugin loaded.

rcr



Re: Spam volumes down since last week

2008-06-24 Thread Randy Ramsdell

ram wrote:

I am seeing a clear downtrend in the number for spams hitting our
servers, I am not sure why ? Since Last week spams are at 50% of what
they used to be last month. Is this what you all are seeing 



 But the  irritant 419's are still coming in ( and some get past SA ),
in many new variants. I have seen scamsters are sending targeted spams
to people of hotel industry , holiday industry etc 



Thanks
Ram




  
Our spam levels are 1/2 to 1/3 of what they were two weeks ago. Also, 
virus e-mails are also very very low. Low enough for me to start 
reviewing the e-mail logs for anomalies.




Sa-learn huh

2010-06-02 Thread Randy Ramsdell
[09:23]  sa-learn { forget,spam,ham} SHOULD change the BAYES 
scores correct?
[09:24]  We upgraded spamassassin and it just does not work like 
it did before.
[09:24]  I would normally be able to learn as spam and change 
the bayes score to a 3.5
[09:25]  but now I relearn as spam and the score stays at 0.0 
BAYES_50


I do get one error when learning.
netset: cannot include 127.0.0.1/32 as it has already been included

vscan@:/home/vscan_salearn> sa-learn --forget  
1275414726.M714825P12557.dfbbl16,W=9799:2,Sb

netset: cannot include 127.0.0.1/32 as it has already been included
Forgot tokens from 1 message(s) (1 message(s) examined)

vscan@:/home/vscan_salearn> sa-learn --spam  
1275414726.M714825P12557.dfbbl16,W=9799:2,Sb

netset: cannot include 127.0.0.1/32 as it has already been included
Learned tokens from 1 message(s) (1 message(s) examined)

It appears to learn the message as spam, but BAYES score does not change.


Re: Sa-learn huh

2010-06-02 Thread Randy Ramsdell

Michael Scheidell wrote:

On 6/2/10 11:39 AM, Randy Ramsdell wrote:
[09:23]  sa-learn { forget,spam,ham} SHOULD change the BAYES 
scores correct?
[09:24]  We upgraded spamassassin and it just does not work 
like it did before.
[09:24]  I would normally be able to learn as spam and change 
the bayes score to a 3.5
[09:25]  but now I relearn as spam and the score stays at 0.0 
BAYES_50


I do get one error when learning.
netset: cannot include 127.0.0.1/32 as it has already been included


that means nothing.


Forgot tokens from 1 message(s) (1 message(s) examined)

vscan@:/home/vscan_salearn> sa-learn --spam  
1275414726.M714825P12557.dfbbl16,W=9799:2,Sb

netset: cannot include 127.0.0.1/32 as it has already been included
Learned tokens from 1 message(s) (1 message(s) examined)

It appears to learn the message as spam, but BAYES score does not change.
hopefully, it takes more than one set of tokens to change a properly 
trained Bayesian database.  if not, then all the poison emails would 
trash it.


No, one email isn't going to take Bayesian from bayes_0 to bayes_95



IIRC, when I sent messages through sa-learn on the old mail server as 
spam, then checking with  spamassassin debug, this would show a 3.5 
BAYES score. I will double check this, but I would hope to at least add 
a positive score when training a spam message.


Thanks,
RCR
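To make Michael's point concrete, an added example that is not SpamAssassin code: a toy of the scheme SA's Bayes uses (per-token spam/ham counts, Robinson smoothing, Fisher chi-square combining) trained on a constructed corpus, then taught one message with sa-learn --spam semantics, forgotten, and taught again fifty times. The s/x constants are assumptions standing in for SA's values; the 200-spam/200-ham floor mirrors SA's bayes_min_spam_num and bayes_min_ham_num defaults, below which SA does not score Bayes at all, so check sa-learn --dump magic (nspam/nham) first when every message lands on BAYES_50.

```python
import math
from collections import Counter

# Constants are assumptions standing in for SA's Robinson s/x values; the
# 200/200 floor mirrors SA's bayes_min_spam_num / bayes_min_ham_num defaults.
ROBINSON_S = 0.16
ROBINSON_X = 0.538
MIN_SPAM, MIN_HAM = 200, 200


def tokenize(text):
    return {w.lower().strip(".,!?") for w in text.split() if len(w) > 2}


def chi2q(x2, dof):
    """Upper-tail probability of a chi-square variable (dof must be even)."""
    m = x2 / 2.0
    total = term = math.exp(-m)
    for i in range(1, dof // 2):
        term *= m / i
        total += term
    return min(total, 1.0)


class ToyBayes:
    """Token counts plus Robinson/Fisher combining, the scheme SA's Bayes uses."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0

    def learn(self, text, is_spam, times=1):
        toks = tokenize(text)
        for _ in range(times):
            if is_spam:
                self.spam.update(toks)
                self.nspam += 1
            else:
                self.ham.update(toks)
                self.nham += 1

    def forget(self, text, was_spam):
        db = self.spam if was_spam else self.ham
        for t in tokenize(text):
            db[t] = max(0, db[t] - 1)
        if was_spam:
            self.nspam = max(0, self.nspam - 1)
        else:
            self.nham = max(0, self.nham - 1)

    def token_prob(self, tok):
        s_cnt, h_cnt = self.spam[tok], self.ham[tok]
        s_rate = s_cnt / self.nspam if self.nspam else 0.0
        h_rate = h_cnt / self.nham if self.nham else 0.0
        p = s_rate / (s_rate + h_rate) if (s_rate + h_rate) else ROBINSON_X
        n = s_cnt + h_cnt
        # Robinson's f(w): pulls rarely seen tokens towards the prior x
        return (ROBINSON_S * ROBINSON_X + n * p) / (ROBINSON_S + n)

    def score(self, text):
        """0.0 = ham, 1.0 = spam; 0.5 (BAYES_50 territory) when untrained."""
        if self.nspam < MIN_SPAM or self.nham < MIN_HAM:
            return 0.5
        probs = [self.token_prob(t) for t in tokenize(text)]
        if not probs:
            return 0.5
        n = 2 * len(probs)
        h = 1.0 - chi2q(-2.0 * sum(math.log(p) for p in probs), n)
        s = 1.0 - chi2q(-2.0 * sum(math.log(1.0 - p) for p in probs), n)
        return (s - h + 1.0) / 2.0


HAM_WORDS = "meeting schedule report quarterly budget minutes agenda invoice"
SPAM_WORDS = "viagra pills cheap offer casino winner lottery click"


def demo():
    """Train a constructed corpus, then watch one sa-learn --spam move a score."""
    db = ToyBayes()
    db.learn(HAM_WORDS, is_spam=False, times=400)   # 400 constructed ham messages
    db.learn(SPAM_WORDS, is_spam=True, times=250)   # 250 constructed spam messages
    target = "meeting agenda budget report"         # reads like every ham seen so far
    out = {"before": db.score(target)}
    db.learn(target, is_spam=True)                   # one sa-learn --spam
    out["after_one"] = db.score(target)
    db.forget(target, was_spam=True)                 # sa-learn --forget
    out["after_forget"] = db.score(target)
    db.learn(target, is_spam=True, times=50)         # 50 similar spams learned
    out["after_fifty"] = db.score(target)
    out["distinct_spam"] = db.score("lottery winner click")
    return out


if __name__ == "__main__":
    for stage, value in demo().items():
        print("%-14s %.6f" % (stage, value))
```

The message whose tokens appear in every ham barely moves even after fifty spam learnings, because its per-token ratio stays below one half, while a message made of tokens only ever seen in spam scores near 1.0 immediately: Bayes learns tokens, not messages.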


NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell
We are getting a ton of this type and it scores low because there are no 
received headers. What is this type of mail? I do not recall seeing 
these in the past.


Thanks,
RCR


Re: NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell

Michael Scheidell wrote:

On 6/17/10 10:38 AM, Randy Ramsdell wrote:
We are getting a ton of this type and it scores low because there are 
no received headers. What is this type of mail? I do not recall 
seeing these in the past.



its coming from you then :-(

or, your mail server is stripping out or not adding headers. RFC's 
require your mail server to add the header for the SMTP server that 
connected to you and add a header.


check your 'contact us' forms on your web site for holes.

then, check the blacklists to see how to get removed.


Thanks,
RCR


Blacklists? What makes you think we are on a blacklist? As far as I can 
tell we are not on any lists.


Well looks like you are correct regarding the mail server stripping 
these. It makes no sense because we do not have rules that do this. The 
modifications done are done by spamassassin when it rewrites the header 
with a report and score.


The original email did not hit the NO_RELAYS rule but subsequent runs 
through do hit this rule and it isn't on all email.


Example:

Original rules hit.

X-Spam-Status: No, score=-0.394 tagged_above=- 
required=5tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, 
RCVD_IN_SORBS_WEB=0.619,URG_BIZ=1.585]


After running spamassassin -D

X-Spam-Status: No, score=4.2 required=5.0 
tests=AWL,BAYES_80,HTML_MESSAGE,NO_RECEIVED,NO_RELAYS,TO_MALFORMED,URG_BIZ 
autolearn=no version=3.2.5




Any ideas how this could happen?


Re: NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell

Michael Scheidell wrote:

On 6/17/10 10:38 AM, Randy Ramsdell wrote:
We are getting a ton of this type and it scores low because there are 
no received headers. What is this type of mail? I do not recall 
seeing these in the past.



its coming from you then :-(

or, your mail server is stripping out or not adding headers. RFC's 
require your mail server to add the header for the SMTP server that 
connected to you and add a header.


check your 'contact us' forms on your web site for holes.

then, check the blacklists to see how to get removed.


Thanks,
RCR



I just checked our spam reports and this rule never hits. It is not 
locally generated email either or I can not find any coming from us. 
This is a strange issue and I am not sure where to begin to determine what 
is doing this.





Re: NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell

Michael Scheidell wrote:

On 6/17/10 11:31 AM, Randy Ramsdell wrote:


I just checked our spam reports and this rule never hits. It is not 
locally generated email either or I can not find any coming from us. 
This is a strange issue and I am not sure where to begin to determine 
what is doing this.



if you have an insecure web form, contact form, 'email us' form, the 
spammers will use it to send spam.

MAYBE it is coming from that.

(and if it is, and spammers are using you, you will get on blacklists 
:-( )


do you need packet dumps? what about mail logs? does your mail server 
tell you where these emails are coming from?




I understand how letting spammers send mail through our systems could 
get us added to lists, but Michael stated "then, check the blacklists to 
see how to get removed." as if we are already on a list. We are not.


Back to the main issue.

Here is an example pastebin. http://pastebin.com/mJqRPzkv

I found this message in the logs and it comes from yahoo. I don't think 
I will focus on our forms because general mail also has its received 
headers stripped. So the question is is what is doing this? I need help 
to determine how to isolate this problem down. If it is postfix, I will 
go to their lists etc... I have not implemented any rules that strip 
received headers nor do I want to.


Thanks,
RCR



Re: NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell

Charles Gregory wrote:

On Thu, 17 Jun 2010, Randy Ramsdell wrote:
The original email did not hit the NO_RELAYS rule but subsequent runs 
through do hit this rule and it isn't on all email.


This sounds to me like you are 'resending' the mail from a local 
address to your mail server, rather than 'feeding' the original mail 
back into spamassassin. If this is the case, then you would naturally 
produce a new set of headers, and there would be no external relays, 
thus triggering the NO_RELAYS rule


Hmmm, this mail came in and went straight to the users inbox.  1. 
Postfix ---> 2. Amavis ( Spamd/Clamd)  ---> 3. Postfix ---> 4. 
Dovecot-deliver
So the problem is somewhere during the 2 --- > 3  or step 3 or 4. Step 4 
it is unlikely since Deliver simply send the file to a directory location.

Original rules hit.
X-Spam-Status: No, score=-0.394 tagged_above=- 
required=5tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, 
RCVD_IN_SORBS_WEB=0.619,URG_BIZ=1.585]


Right there, we see 'RCVD_IN_SORBS'. This would not happen even if 
your own server was blacklisted with SORBS. There *was* a Received 
header for a relay, and somehow you have 'removed' it, either via a 
filtering mechanism outside SA, or by 'resending' or 'forwarding' the 
mail.



After running spamassassin -D


If this is what you used, then the forwarding and header rewriting 
must have occurred prior to this. Did someone 'forward' the spam to 
you as a complaint? Users often fail to properly forward with full 
headers enclosed.


- C


No, I run a script on the mail server manually that simply moves the 
files. Then I check with spamassassin.


Re: NO_RELAYS spam

2010-06-18 Thread Randy Ramsdell

Michelle Konzack wrote:

Hello Randy Ramsdell,

Am 2010-06-17 10:38:08, hacktest Du folgendes herunter:
  

We are getting a ton of this type and it scores low because there
are no received headers. What is this type of mail? I do not recall
seeing these in the past.



Hehehe... sounds like a new customer of me...

His mailserver was accessed through telnet using scripts to generate the
spam messages, hence, it had no "Received:" headers...

Thanks, Greetings and nice Day/Evening
Michelle Konzack

  
Even so, all email should have a received header. In this case, the 
emails are sent to a content filter which will add received headers.


Re: NO_RELAYS spam

2010-06-18 Thread Randy Ramsdell

David B Funk wrote:

On Thu, 17 Jun 2010, Randy Ramsdell wrote:

  

get us added to lists, but Michael stated "then, check the blacklists to
see how to get removed." as if we are already on a list. We are not.

Back to the main issue.

Here is an example pastebin. http://pastebin.com/mJqRPzkv

I found this message in the logs and it comes from yahoo. I don't think
I will focus on our forms because general mail also has its received
headers stripped. So the question is is what is doing this? I need help
to determine how to isolate this problem down. If it is postfix, I will
go to their lists etc... I have not implemented any rules that strip
received headers nor do I want to.

Thanks,
RCR



Given that it looks like something is taking the original "To:" header,
mutating it into "X-Original-To:" then adding that bogus
"To: " and adding a

"X-Virus-Scanned: amavisd-new at activedatatech.net" header
I would guess that it's your amavisd-new process (or something in
its path) that is doing the header damaging.

Check the Amavisd site/list for trouble-shooting hints & tips.

There may be a way to put a 'tee' filter before & after amavisd in your
postfix configuration.

  
However, all the emails without the received header field do not show 
this. It is in this specific pastebin example that you see this. Using 
sendmail without certain arguments will cause the To: field to show up 
as .  


Re: NO_RELAYS spam

2010-06-18 Thread Randy Ramsdell

Matus UHLAR - fantomas wrote:

On Thu, 17 Jun 2010, Randy Ramsdell wrote:
  
The original email did not hit the NO_RELAYS rule but subsequent runs 
through do hit this rule and it isn't on all email.



  

Charles Gregory wrote:

This sounds to me like you are 'resending' the mail from a local  
address to your mail server, rather than 'feeding' the original mail  
back into spamassassin. If this is the case, then you would naturally  
produce a new set of headers, and there would be no external relays,  
thus triggering the NO_RELAYS rule
      


On 17.06.10 12:13, Randy Ramsdell wrote:
  
Hmmm, this mail came in and went straight to the users inbox.  1.  
Postfix ---> 2. Amavis ( Spamd/Clamd)  ---> 3. Postfix ---> 4.  
Dovecot-deliver



in this case, this problem belongs more to amavis mailing list, not to
spamassassin one.

  
I have no problem going over there but I am not convinced that the 
Amavis program is the problem. The header field is changed by 
spamassassin. Doesn't the email simply get handed to Spamassasin by 
Amavis where the headers are modified by spam report etc...?


Re: [sa] Re: NO_RELAYS spam

2010-06-18 Thread Randy Ramsdell

Charles Gregory wrote:

On Fri, 18 Jun 2010, Randy Ramsdell wrote:
I have no problem going over there but I am not convinced that the 
Amavis program is the problem. The header field is changed by 
spamassassin. Doesn't the email simply get handed to Spamassasin by 
Amavis where the headers are modified by spam report etc...?


The headers are missing.
Spamassassin records this fact, but is not responsible for it.
So find out what happens to your message BEFORE spamassassin is called.
Amavis is just a suggested starting place. And if it is to blame, 
someone on their list will recognize your query as soon as you post it.


Suggestion: After each step of your mail processing, if you can, save 
a copy of the mail to a log file. At least that way you get a quick 
overview of *which* component removes those headers


- C
Not exactly. Spamassassin sees the original messages including the 
received headers, then it modifies those headers with its information. I 
see these issues when running subsequent tests with spamassasin. So this 
is why I am not convinced that spamassassin is not causing the problem. 
Just clarifying the issue here. So it could be amavis, spamassassin or 
postfix but I am leaning towards spamassassin at the moment.


From an earlier post in which I wrote:  ( You see that the original 
scan saw the headers, but after delivery they were gone. )


Example:

Original rules hit.

X-Spam-Status: No, score=-0.394 tagged_above=- 
required=5tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, 
RCVD_IN_SORBS_WEB=0.619,URG_BIZ=1.585]


After running spamassassin -D

X-Spam-Status: No, score=4.2 required=5.0 
tests=AWL,BAYES_80,HTML_MESSAGE,NO_RECEIVED,NO_RELAYS,TO_MALFORMED,URG_BIZ 
autolearn=no version=3.2.5
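Charles's suggestion of saving a copy after each stage, as an added example that is not part of the thread: a Python script that compares two captures of the same message and reports which header fields vanished or appeared between them, plus the Received: hop count that NO_RELAYS / NO_RECEIVED key on. Capturing the copies is stage specific (a procmail ":0 c" copy at delivery, a quarantine copy from the content filter); the two captures below are constructed, and diff_stage / received_hops are my names.

```python
import email
from collections import Counter

# Constructed capture of one message before and after a pipeline stage.
# The "after" copy has lost its Received: lines and gained content-filter headers.
BEFORE = """Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.com (Postfix) with ESMTP id ABC123
    for <user@example.com>; Thu, 17 Jun 2010 10:00:00 -0400
Received: from [198.51.100.7] by web.example.org with HTTP;
    Thu, 17 Jun 2010 09:59:00 -0400
From: sender@example.org
To: user@example.com
Subject: test
Message-ID: <1@example.org>

body
"""

AFTER = """X-Virus-Scanned: amavisd-new at example.com
X-Original-To: user@example.com
From: sender@example.org
To: user@example.com
Subject: test
Message-ID: <1@example.org>

body
"""


def header_names(raw):
    """Header field names in order, lower-cased, duplicates kept."""
    msg = email.message_from_string(raw)
    return [name.lower() for name, _value in msg.items()]


def received_hops(raw):
    """Every Received: field in the capture (folded lines already joined)."""
    return email.message_from_string(raw).get_all("Received") or []


def diff_stage(before, after):
    """Compare two captures of the same message and report what the stage changed."""
    b, a = Counter(header_names(before)), Counter(header_names(after))
    hops_after = len(received_hops(after))
    return {
        "removed": sorted((b - a).elements()),
        "added": sorted((a - b).elements()),
        "hops_before": len(received_hops(before)),
        "hops_after": hops_after,
        # no Received: at all is exactly the condition NO_RELAYS / NO_RECEIVED fire on
        "no_relays": hops_after == 0,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = f1.read(), f2.read()
    else:
        before, after = BEFORE, AFTER
    for key, value in diff_stage(before, after).items():
        print("%-12s %s" % (key, value))
```

Run it pairwise along the chain (postfix-in vs amavis-out, amavis-out vs delivered file): the first pair whose "removed" list contains received is the stage to take to that component's list, and the "added" list usually names it.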




Re: Nonsense spam

2010-06-24 Thread Randy Ramsdell
Michael Scheidell wrote:
> On 6/24/10 12:07 PM, Randy Ramsdell wrote:
>> Anyone receiving these? It is either a borked spam script or they are
>> probing. They come in with different headers and different body each
>> time so I am not sure how to mark or block them. Any suggestions would
>> be appreciated.
>>  
>> http://pastebin.com/kQJ0SPti
>>   
> at least for THIS one, RCVD_IN_PBL
>
> if you are using this BL, you might just want to block it at the MTA
> level and not even scan it.
>
> (I suspect the spam/vs ham scoring on that rule is so low because the
> people submitting spam corpus probally block it at the MTA level and
> never see it.
> My understanding of PBL is that its at least 99.999% free of FP's)
>
Yet spamassassin scores it with a .9. I have been reluctant to block and
this is compounded by spamassassin scoring it low as if it weren't as
accurate as you state.




Re: Nonsense spam

2010-06-25 Thread Randy Ramsdell
RW wrote:
> On Thu, 24 Jun 2010 15:59:24 -0400
> Michael Scheidell  wrote:
>
>   
>> On 6/24/10 3:51 PM, Ned Slider wrote:
>> 
>>> The danger comes when people use the PBL incorrectly and deep parse 
>>> all headers which *will* lead to copious FPs.
>>>
>>> Either way, I'd have no hesitation blocking outright on PBL or
>>> scoring very highly in SA.
>>>
>>>   
>
> The current scores are actually:
>
> RCVD_IN_PBL 0 3.558 0 3.335
>
>
>   
I show these current scores which are much lower than what you have. Is
this because of the spamassassin version we use or maybe I did not use
sa-update properly. It is odd  that the scores increased by this margin.
What changed about the PBL that would necessitate this?

RCVD_IN_PBL 0 0.509 0 0.905
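Checking an IP against ZEN before deciding whether to reject it at the MTA, as an added example that is not part of the thread: the ZEN answer codes (as published by Spamhaus) and a lookup helper that tells PBL-only listings apart from SBL/XBL ones. zen_list_names, is_pbl_only and check_zen are my names; 192.0.2.10 is documentation address space, not a real listing.

```python
import socket

# Spamhaus ZEN answer codes, from Spamhaus' published documentation
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL-DROP",
    "127.0.0.10": "PBL-ISP",
    "127.0.0.11": "PBL-Spamhaus",
}


def reverse_ip(ip):
    """192.0.2.10 -> 10.2.0.192, the label order DNSBL zones expect."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets))


def zen_list_names(answers):
    """Map the A records a ZEN query returned to sub-list names, deduplicated."""
    return sorted({ZEN_CODES.get(a, "unknown:" + a) for a in answers})


def is_pbl_only(answers):
    """True when the address is listed solely because it is end-user space."""
    names = zen_list_names(answers)
    return bool(names) and all(n.startswith("PBL") for n in names)


def check_zen(ip, zone="zen.spamhaus.org"):
    """Live lookup (needs DNS). Returns sub-list names, or [] if not listed."""
    try:
        _name, _aliases, answers = socket.gethostbyname_ex(
            "%s.%s" % (reverse_ip(ip), zone))
    except socket.gaierror:        # NXDOMAIN: not listed
        return []
    return zen_list_names(answers)


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:] or ["192.0.2.10"]:   # documentation address, assumed clean
        print(ip, check_zen(ip) or "not listed")
```

Feed it the connecting client address from the Received: header of a spam like the pastebin one; if the only answer is 127.0.0.10 or 127.0.0.11 the host is dynamic end-user space that should never be speaking SMTP to you directly, and Postfix can refuse it at connection time with reject_rbl_client zen.spamhaus.org=127.0.0.10 and reject_rbl_client zen.spamhaus.org=127.0.0.11 in smtpd_recipient_restrictions. That checks only the connecting client, which is the usage the PBL is designed for; the false positives Ned describes come from applying it to earlier Received: hops.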


Re: NO_RELAYS spam

2010-07-01 Thread Randy Ramsdell

Karsten Bräckelmann wrote:

On Fri, 2010-06-18 at 23:54 +0200, Karsten Bräckelmann wrote:
  

Your issue is kind of weird and far less than common. Read, I cannot
recall coming across such a report *ever* on this list.

Thus, the collective list's lack of pin-pointing the cause with the info
given. The very reason we need you to dig deeper, provide debug logs,
header dumps at all stages -- or any evidence at all this might be SA.
    


Randy, any results? Did you find the cause for the issue?


  
At this time, I have not. Since the messages are originally scanned with 
all the headers intact and not having the time, I will look into this 
later. I am still not sure how to go about troubleshooting this however.


Thanks,
RCR


Re: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use

2010-08-04 Thread Randy Ramsdell

Suhag P Desai wrote:

No even when I try to do spamd at very first time after reboot the server, I
get the same message,...

  

huh? See below.
Below are the output of 


[r...@spd ~]# ps -ef | grep spamd
root  3519  3516  0 12:44 ?00:00:00 supervise spamd
root  3544  3519  0 12:44 ?00:00:02 /usr/bin/perl -T -w
/usr/bin/spamd -x -u vpopmail -s stderr
qmaill3548  3520  0 12:44 ?00:00:00 /usr/bin/multilog t s100
n100 /var/log/qmail/spamd
vpopmail  4035  3544  0 12:45 ?00:00:00 spamd child
vpopmail  4036  3544  0 12:45 ?00:00:00 spamd child
root  4586  4549  0 12:59 pts/100:00:00 grep spamd
[r...@spd ~]#

  

Am I missing something? It is running.


Local rules trigger bug

2010-08-06 Thread Randy Ramsdell
I found an bug in spamassassin that can be reliably reproduced when 
using our local rules. What would be interesting is to track down where 
this bug is exactly.


1. The process runs @ 100% cpu and hangs there.  Has to be kill -9 'ed
2. I see no errors in spamassassin -D

For the time being I have removed our rules until this problem is resolved.

My question is is what would be the best way to determine what bug I am 
hitting when the process simply hangs?




Re: Local rules trigger bug

2010-08-06 Thread Randy Ramsdell

Ralf Hildebrandt wrote:

* Randy Ramsdell :
  

I found an bug in spamassassin that can be reliably reproduced when
using our local rules. What would be interesting is to track down
where this bug is exactly.

1. The process runs @ 100% cpu and hangs there.  Has to be kill -9 'ed
2. I see no errors in spamassassin -D

For the time being I have removed our rules until this problem is resolved.

My question is is what would be the best way to determine what bug I
am hitting when the process simply hangs?



Add first halve of your rules, test
if it exposes the error, split in two halves and test each halve.
etc.

  
Yeah that is the fastest way. :) I used a little diff formula and found 
the issue. I think this may not be the rule we were going for but ...

body __RCR_MEGADK /.*(M.*E.*G.*A.*D.*K).*/




Re: Local rules trigger bug

2010-08-06 Thread Randy Ramsdell

Dominic Benson wrote:

On 06/08/10 17:18, Randy Ramsdell wrote:
Yeah that is the fastest way. :) I used a little diff formula and 
found the issue. I think this may not be the rule we were going 
for but ...

body __RCR_MEGADK /.*(M.*E.*G.*A.*D.*K).*/


There are a few things that strike me as peculiar about that rule. Not 
least of which is that it would appear to match the following - 
hypothetical, but plausible - message. The presence of seven 
unrestricted greedy specifiers makes it perfectly plausible to me that 
it would take quite a long time to process any moderately long message.



Dear Mr. Edwards,

Gary passed your suggestion to me, and I believe that the AMD system 
would be best.


Kind Regards,



Matches Uppercase

It does take a long time to process a message and a very short message 
to boot. In fact, it never finishes and runs the cpus to 100% so the 
rule has been removed. I still wonder if this is a bug.
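Dominic's observation, as an added example that is not from the thread: the rule as posted beside a bounded rewrite. Each unbounded .* between single letters lets the engine retry every combination of letter positions on a body that contains M, E, G, A and D but no later K, which is the 100% CPU behaviour described; that is a property of the pattern, not a SpamAssassin defect, and the same regex would hang Perl or Python alike. SAFE_RULE is my suggestion and assumes the intent was to catch the word with at most three punctuation or space characters between letters; render_body is a simplification of what body rules see, and Dominic's letter is typed in here as sample input.

```python
import re

# The rule as posted, and a bounded rewrite (my suggestion). Never feed
# BAD_RULE a long body that contains M, E, G, A and D but no later K: each
# unbounded .* multiplies the positions the engine must retry before failing.
BAD_RULE = re.compile(r'.*(M.*E.*G.*A.*D.*K).*')
SAFE_RULE = re.compile(r'\bM\W{0,3}E\W{0,3}G\W{0,3}A\W{0,3}D\W{0,3}K\b')

# Dominic's hypothetical ham, constructed here as a string
EDWARDS_LETTER = """Dear Mr. Edwards,

Gary passed your suggestion to me, and I believe that the AMD system
would be best.

Kind Regards,
"""


def render_body(text):
    """Join the text into one line; a simplification of the rendered body
    that SA body rules run against (assumption)."""
    return " ".join(text.split())


def rule_fires(rule, text):
    """Does the rule hit this message body?"""
    return rule.search(render_body(text)) is not None


def position_combinations(text, letters="MEGADK"):
    """Count each capital letter BAD_RULE needs and multiply the counts: an
    upper bound on the letter-position combinations a backtracking engine
    can try before giving up on a body that never matches."""
    body = render_body(text)
    counts = {c: body.count(c) for c in letters}
    total = 1
    for c in counts.values():
        total *= max(c, 1)
    return counts, total


if __name__ == "__main__":
    for rule in (BAD_RULE, SAFE_RULE):
        print(rule.pattern, "fires on the letter:", rule_fires(rule, EDWARDS_LETTER))
    for obfuscated in ("MEGADK", "M.E.G.A.D.K", "M E G A D K"):
        print(obfuscated, "SAFE_RULE:", rule_fires(SAFE_RULE, obfuscated))
    print(position_combinations(EDWARDS_LETTER))
```

On the five-line letter the product is tiny and BAD_RULE returns at once (it even matches, on M-r E-dwards G-ary A-MD D K-ind); on a few kilobytes of ordinary English with a hundred capitals of each letter the product runs into the billions, which is the hang. The bounded rule fails on the letter and still catches the spaced and dotted spellings.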





Re: autolearn : lock_file

2010-09-20 Thread Randy Ramsdell

Cédric Jeanneret wrote:

Hello,

I have an error with SA using autolearn plugin:
Sep 20 12:25:06 hostname spamd[6157]: plugin: eval failed: bayes: (in
learn) locker: safe_lock: cannot create tmp lockfile
/home/USER/.spamassassin/bayes.lock.host.domain.ltd.6157 for
/home/USER/.spamassassin/bayes.lock: Permission denied

Is it possible to define the lockfile to, say, /tmp/ ?
As I don't have only one user, it can be nice to set the lockfile
somewhere else on the system, where SA process can write. I didn't see
anything about such a configuration variable

SA runs as "vmail" user, if it can help.

Thank you !

C.


SA can write to the user's directories. You have something misconfigured 
or you hosed the perms in the directory.


using SA as a tool

2010-09-29 Thread Diffenderfer, Randy
I was under the impression that there was a clear-cut way to use SA as a 
factory within a custom perl wrapper (I have looked at the Mail::SpamAssassin 
doco).  My objective is to do various things to the parsed message, such as 
distill out URLs for example.

Is there indeed a clear way to do this?

Thanks,
rnd



which LWP::UserAgent for 3.3.1 install?

2010-10-14 Thread Diffenderfer, Randy
Looking at the 3.3.1 install, it wants (well, would like...) module 
LWP::UserAgent.

OK ... off to CPAN, but no simple LWP-UserAgent, only a bunch of 
LWP-UserAgent-whatever.  So, which one do I want?

TIA,
rnd



Solved: which LWP::UserAgent for 3.3.1 install?

2010-10-14 Thread Diffenderfer, Randy
CPAN search is my friend... it's in libwww-perl!

You get too soon old and too late smart... :-)

rnd

_
From: Diffenderfer, Randy
Sent: Thursday, October 14, 2010 4:24 PM
To: 'users@spamassassin.apache.org'
Subject: which LWP::UserAgent for 3.3.1 install?


Looking at the 3.3.1 install, it wants (well, would like...) module 
LWP::UserAgent.

OK ... off to CPAN, but no simple LWP-UserAgent, only a bunch of 
LWP-UserAgent-whatever.  So, which one do I want?

TIA,
rnd


