How to verify specific commits are in current ruleset?

2019-05-30 Thread Mike Ray
Hello all-

Been using spamassassin for awhile now, basically letting it run on auto-pilot 
and it's been great so far.

However, after the recent __STYLE_GIBBERISH bug 
(https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7707), I need to have a
little more understanding of SA.

My biggest issue at the moment is that I saw John's message last night that
said an update would be pushed out with yesterday's update
(https://www.mail-archive.com/users@spamassassin.apache.org/msg104352.html).
However, this morning, the only way I was able to verify that, was by looking at
his change
(https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?r1=1857655&r2=1857654&pathrev=1857655)
and comparing that to the code currently running on my mail servers.

Is there any easier way to verify that a specific commit is in my currently 
running rule set?

Mike Ray
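An added example (not from Mike's post or the SpamAssassin project): a small POSIX shell check for the question above, which reads the revision sa-update recorded for the channel and greps the compiled rules for the rule name itself. It assumes (verify on your own install) that sa-update writes a `# UPDATE version NNN` comment into `<state dir>/updates_spamassassin_org.cf` and the rules into `<state dir>/updates_spamassassin_org/*.cf`, with the state dir being something like /var/lib/spamassassin/3.004002; the files it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example: does my sa-update ruleset already contain svn commit rNNN?
# Assumed layout (verify on your install): sa-update writes
#   <state>/updates_spamassassin_org.cf    containing "# UPDATE version NNN"
#   <state>/updates_spamassassin_org/*.cf  the rules themselves
# where <state> is e.g. /var/lib/spamassassin/3.004002.
# The files built by make_sample_state below are constructed for the demo.

# Print the channel revision sa-update recorded, or nothing if absent.
# $1 = path to the channel .cf written by sa-update
sa_update_version() {
    sed -n 's/^# UPDATE version \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if the recorded revision is at or past the commit's revision.
# This only proves the update was cut from trunk after the commit; a sandbox
# rule is published only once promoted, so also check the rule itself.
# $1 = channel .cf, $2 = svn revision of the commit (e.g. 1857655)
ruleset_has_revision() {
    v=$(sa_update_version "$1")
    [ -n "$v" ] && [ "$v" -ge "$2" ]
}

# Succeed (and print file:line:definition) if a rule of that name is defined
# in any .cf under the rules dir. Only definition keywords count; a bare
# "score RULE" or "describe RULE" line does not prove the rule exists.
# /dev/null is appended so grep always prints the file name.
# $1 = rules dir, $2 = rule name
rule_defined() {
    grep -nE "^[[:space:]]*(header|body|rawbody|full|uri|meta|mimeheader)[[:space:]]+$2([[:space:]]|$)" \
        "$1"/*.cf /dev/null 2>/dev/null
}

# Build a constructed state dir in the sa-update layout and print its path.
make_sample_state() {
    d=$(mktemp -d)
    mkdir -p "$d/updates_spamassassin_org"
    cat > "$d/updates_spamassassin_org.cf" <<'EOF'
# UPDATE version 1857655
include updates_spamassassin_org/72_active.cf
EOF
    cat > "$d/updates_spamassassin_org/72_active.cf" <<'EOF'
# constructed sample, not the real 72_active.cf
##{ __STYLE_GIBBERISH
rawbody __STYLE_GIBBERISH /CONSTRUCTED_PLACEHOLDER/
##} __STYLE_GIBBERISH
score   SOME_OTHER_RULE 0.1
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo against the constructed tree; point STATE at the real
# state dir to check a live install.
STATE=$(make_sample_state)
CHANNEL="$STATE/updates_spamassassin_org.cf"
RULES="$STATE/updates_spamassassin_org"
echo "recorded update version: $(sa_update_version "$CHANNEL")"
if ruleset_has_revision "$CHANNEL" 1857655; then
    echo "ruleset was built at or after r1857655"
else
    echo "ruleset predates r1857655: run sa-update and re-check"
fi
rule_defined "$RULES" __STYLE_GIBBERISH || echo "__STYLE_GIBBERISH not defined"
rule_defined "$RULES" SOME_OTHER_RULE || echo "SOME_OTHER_RULE has a score but no definition"
rm -rf "$STATE"
```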


Re: SA From header checks

2016-08-11 Thread Mike Ray
- Original Message -
> On 08/11/2016 06:03 PM, Mike Ray wrote:
> <.snip.>
> 
> >
> >
> > However, after I had sent that message, I decided to play around a
> > bit. I had rearranged existing rules in the file yesterday to make
> > sure that my new rules weren't somehow silently destroying file
> > parsing, but I had never added a new rule that I would have expected
> > to work (e.g. rawbody). I added one, ran my same update procedure and
> > found that my new rawbody rule was not working, but my gmail rule
> > was! At this point, I started to work off of Martin's idea that I had
> > screwed up the restart process. I manually started restarting
> > processes and found eventually that I do not need to restart
> > spamassassin, but need to restart amavis instead.
> >
> >
> > At this point, I'm wandering outside of SA territory, but I'll ask
> > anyway. Postfix talks to amavis which uses spamassassin (and clamav).
> > I'd be less surprised if I had to restart both amavis and
> > spamassassin, but it seems very weird that I only have to restart
> > amavis for new rules to start working. Perhaps amavis internally
> > restarts spamassassin? Or perhaps spamassassin is already configured
> > to check local.cf for changes? Anyone have an idea about this?
> 
> Amavis uses SA libraries and doesn't need spamd/spamassassin
> (see Amavis docs)
> 
> If you change any SA file you need to reload via Amavis - anything else
> will be ignored.
> 
> 
> 
> 

That would explain it.

Thanks for the help all!


Re: SA From header checks

2016-08-11 Thread Mike Ray
- Original Message -
> On Wed, 2016-08-10 at 17:04 -0500, Mike Ray wrote:
> > Hello all-
> > 
> > Must be doing something stupid here, but could use a second set of
> > eyes and persons more knowledgeable than myself.
> > 
> > None of my header checks that operate on "From" seem to be working.
> > 
> > SA version 3.4.0-1ubuntu2.1
> > "spamassassin --lint" does not throw any errors
> > "spamassassin --lint -D" shows the rule being parsed (I gave it no
> > description and see the warning).
> > 
> > Rawbody rules or rules on other headers (e.g. Subject) work just
> > fine.
> > 
> > Here is a sample one that I stripped down to the basics just to get
> > it to work, based on a very similar one in the documentation
> > (https://wiki.apache.org/spamassassin/WritingRules):
> > 
> > header  PREF_T1  From =~ /gmail\.com/i
> > score   PREF_T1  0.1
> > 
> > I've tried adding a description, setting the score to an integer,
> > removing the regex modifier and adding ".*" to match the whole
> > address with no success.
> > 
> > Anyone see what I'm missing?
> > 
> How is it being executed when it's run against a message?
> Where is the file defining it relative to local.cf and what is it
> called?
> 
> Why those questions?
> 
> Here's why: I do all rule development on a different machine to my
> production SA setup. On the development machine I use a call to
> 'spamassassin' to do lint checks, but move the *.cf files etc. to a
> conventional spamd setup on the development system to run tests against
> test messages because:
> (a) that's very similar to my live setup. It uses spamc to submit
>     messages from my spam corpus
> (b) this arrangement gives me better indications of how this rule
>     set will perform on the live system.
> 
> Periodically, I see exactly the same problem you're reporting, but it
> is invariably due to one of two reasons:
> (1) I've not uploaded the new .cf files to where the development spamd
>     expects to find them.
> (2) I did upload the files, but didn't restart the development spamd
>     after doing the upload.
> 
> Under short (< 10 message) test runs spamd will be started by the test
> script and will be stopped when it ends, so the second situation won't
> happen, but if I'm doing something else while a much longer whole-
> corpus test is running and I miss the 'sudo' prompt the test script
> issues when it needs to stop spamd at the end of the test run, sudo
> times out and the test script exits leaving spamd running.
> 
> If I don't notice this and just upload modified .cf file(s) before
> starting another test, spamd won't see any revised rules because it's
> still running. This causes more or less exactly the effect you're
> seeing: changes to rule(s) seem to be silently ignored.
> 
> 
> Martin
> 
> 
> 

I inadvertently sent Martin a direct message, so I include that here:

"The rules are being put directly in /etc/spamassassin/local.cf, which 
documentation indicates is the proper place for custom rules. I justify it as 
"safe enough" to mutate the "live" rules since I assign such low scores while 
debugging. I am using ansible to manage that file and have it hooked into a 
handler that restarts spamassassin if that file changes, so I am confident that 
is not the issue."





However, after I had sent that message, I decided to play around a bit. I had 
rearranged existing rules in the file yesterday to make sure that my new rules 
weren't somehow silently destroying file parsing, but I had never added a new 
rule that I would have expected to work (e.g. rawbody). I added one, ran my same 
update procedure and found that my new rawbody rule was not working, but my 
gmail rule was! At this point, I started to work off of Martin's idea that I 
had screwed up the restart process. I manually started restarting processes and 
found eventually that I do not need to restart spamassassin, but need to 
restart amavis instead. 


At this point, I'm wandering outside of SA territory, but I'll ask anyway. 
Postfix talks to amavis which uses spamassassin (and clamav). I'd be less 
surprised if I had to restart both amavis and spamassassin, but it seems very 
weird that I only have to restart amavis for new rules to start working. 
Perhaps amavis internally restarts spamassassin? Or perhaps spamassassin is 
already configured to check local.cf for changes? Anyone have an idea about 
this?


SA From header checks

2016-08-10 Thread Mike Ray
Hello all-

Must be doing something stupid here, but could use a second set of eyes and 
persons more knowledgeable than myself.

None of my header checks that operate on "From" seem to be working.

SA version 3.4.0-1ubuntu2.1
"spamassassin --lint" does not throw any errors
"spamassassin --lint -D" shows the rule being parsed (I gave it no description 
and see the warning).

Rawbody rules or rules on other headers (e.g. Subject) work just fine.

Here is a sample one that I stripped down to the basics just to get it to work, 
based on a very similar one in the documentation 
(https://wiki.apache.org/spamassassin/WritingRules):

header  PREF_T1  From =~ /gmail\.com/i
score   PREF_T1  0.1

I've tried adding a description, setting the score to an integer, removing the 
regex modifier and adding ".*" to match the whole address with no success.

Anyone see what I'm missing?

Thanks,

Mike Ray


Hotmail false positives through the roof since 3.3.1 update.

2010-07-29 Thread Ray Dzek
Hi all,

I updated to 3.3.1 last week.  The capture rate went way up, which is good, 
but...  I am now getting complaints that "legit" Hotmail is getting tagged 
pretty much for every email coming in.

What would be the recommended way to dial down the Hotmail detection?

Thanks!

Ray Dzek
Network Operations
Specialized Bicycles
Ph: 408-782-5420
www.specialized.com



URIBL Notice

2010-03-12 Thread Ray Dzek
I just received the dreaded URIBL "You send us too many DNS queries" notice.  
This is fine.  We have been growing and I am sure our queries have gone up.  
But when looking at their data feed service options the first thing I noticed 
was that there is no fee structure.  I don't know about you, but that is always 
a red flag in my world.  Before I even get past the first paragraph it already 
smells like a "shakedown".

But...

My real question is how badly is my SA environment going to be impacted by 
turning URIBL off?  What increase in spam should I expect?

Ray


Using SpamAssassin for just the Bayesian filtering?

2009-03-23 Thread Randy J. Ray
Having gone over the FAQ and other doc-sections on the wiki, I haven't been 
able to answer my questions. So here's hoping the user-community can help!


My company is currently using a home-brew solution for applying naive Bayes 
filtering to data. Currently, what we're doing is basically spam filtering on 
email messages that pass through our system. However, we have a need to do 
filtering on other content, filtering that isn't the same as spam-testing. In a 
nutshell, we currently use the "bogofilter" application to classify messages, 
and invoke it with different word-list files to represent different filtering 
requirements. But this isn't going to scale well for us as written, and I'm the 
lucky soul tasked with coming up with a better way.


I'd like to adapt SA to this, if I can. I've used it in the past (and my ISP 
for my personal email is fiercely loyal to it), but only ever for basic email 
analysis. What I need, in this case, is a scalable Bayesian classifier. I see 
from the docs that using SA will get me a usable client/server model, which 
would take care of most of the scaling issues by making it easier for us to 
move the classifier to a dedicated machine (if needed, or at least a 
less-loaded one). What I *can't* puzzle out from the docs, is how to set up 
such a daemon to do *only* the Bayes part, not the rest of the typical spam 
checking (for one thing, these won't be email messages and thus will not have 
any SMTP headers at all). Also, I (we) would need to be able to either have the 
one daemon dynamically choose the database/word-list to use when judging a 
message, or run multiple instances that each look at a different db/word-list.


Is this do-able with SA? I had hoped that there would be a more general 
solution around bogofilter, either a client/server application pair or a more 
API/library-based interface to calling it for training and for evaluation. But 
there isn't (not that I can find, anyway). And SA is a system with a long 
history and a solid code-base, so it seemed worthwhile to at least check and 
see if this was possible.


Thanks in advance for any help, advice, etc.

Randy
--
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Randy J. Ray  Oodle, Inc.  http://www.oodle.com
rj...@corp.oodle.com


Re: config status

2009-03-03 Thread Ray
Justin Mason  jmason.org> writes:
> On Mon, Mar 2, 2009 at 22:13, Roger Marquis  roble.com> wrote:
> > David Morton wrote:
> >>>
> >>> As full time mail/systems admins we get invaluable data from
> >>> tripwire/integrit, 'postconf -n', dconf, 'rpm -qa', 'dpkg -l \*',
> >>> 'pkg_info -a', ... whose output is checked in to RCS daily. This provides
> >>> a nice configuration snapshot and historical record but its real
> >>> usefulness comes from rcsdiff piped into a daily report.
> >>
> >> That is the coolest idea I've heard today!  And it's so obvious, yet easily
> >> missed, I suppose.
> >>
> >> Do you have the whole thing scripted and automated?
> >
> > Yes and no.  It is scripted but not packaged.  Would probably take a few
> > hours to complete.  Wish I had the time to do it for free.
> >
> > OTOH, if you have scripting skills it's pretty straightforward.  The only
> > time consuming part is parsing the data down to just the essential elements
> > and formatting it for easy reading.  A few dozen iterations and voila.
>
> this is a pretty compelling idea!

You might get a leg up using NetBSD's /etc/security, one of the available daily
audits -- there's a short routine in there for backing up and diffing.  It pulls
in /etc/rc.subr for some of the routines.

In addition, it might be nice to have SA config output dividable between rules
and other config.

RSK



Re: config status; rewrite_header not taking

2009-02-28 Thread Ray
Karsten Bräckelmann  rudersport.de> writes:

> You must not assume or allow for mis-spelled configuration keywords or
> otherwise illegal syntax. Just lint check. If it comes back clean, all
> is good. If it doesn't, you NEED to fix it anyway.

I don't have privs, and conceivably a misspelling isn't fatal.

The power is not mine to allow or deny misspellings in site-wide config.

> > I think that assuming there are _no_ misspellings in someone else's
> > site-wide config is leaving a door open to problems.  As you appear to
> > indicate, lint checking the config to validate it is very important.
>
> Yes, you must exactly assume that. There are no site-wide mis-spellings.  And
> you can verify it easily.

But it's not called "assuming" if you verify?  I must be missing you here,
sorry.  I would side with "you must verify" rather than "you must assume".

> > [> check: no loaded plugin implements 'check_main': cannot scan! at
> > [>   /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line
> > [>   164.
>
> Ahem. Your SA is crippled. It does nothing. It can't. (And no, this is
> not about a mis-spelling...)

I'm trying not to come across as unnecessarily contrary; please pardon me when I
say that you are wrong here.  The SA installation works well enough to score and
judge (add X-Spam-Score, e.g.), and it's doing a pretty good job so far.  It
even marks up subject lines in a way I don't like.  It's pretty clear it's
operating.

It seems likely then that this config check error is from my account running
jailed.  They've given me visibility to things like /usr/share/spamassassin, but
it's likely they haven't given me the entirety of what's driving the site-wide
SA.  Since I'm not the user that spamd runs as, it's probably not critical to
give me access to all of this host's SA config.

(Querying for the in-effect config becomes especially important if the site-wide
config is in part hidden from my account.  But it also becomes more complicated
-- IPC with spamd?  I don't know how spamd is architected.  Anyway, sorry, I
said I'd stop harping on this.)

I'll bypass the portion of your message predicated on SA not operating.  Let me
know if there's anything in that I shouldn't bypass.

> I don't know about general trustworthiness of site-wide config in your case.
> The above is a gross failure. Which might just be a broken install and simply
> needs to be fixed. Bad, but not necessarily affecting trust.  Trustworthiness
> is much more -- it involves not breaking or even changing without knowledge.
> If you can't trust your system admin, switch your system.

I feel I can trust the competence of the site admins to mostly run a pretty good
system.  They've locked things down pretty hard, though.  This is a difficulty,
but the validity of ... well, I wasn't going to talk about that.  Anyway the
following topic still stands:

> > One specific problem I'm having is that my user_prefs config for undoing the
> > site-wide rewrite_header does not appear to be working.  How does a user
> > stop SA from rewriting the header?  (Note that this effort is a step towards
> > the goal of preserving spam for later manually-directed `sa-learn`
> > training.)

I _can_ in fact adjust required_score.  Is there any reason I wouldn't be able
to adjust rewrite_header?

RSK



Re: config status; rewrite_header not taking

2009-02-28 Thread Ray
Karsten Bräckelmann  rudersport.de> writes:

> > just local.cf, IIUC, but potentially any of the 47 files in my hosting
> > provider's /usr/share/spamassassin and /etc/mail/spamassassin dirs (or any
>
> Aah... no. :)  The stuff in /usr/share/spamassassin (granted, plus the .pre
> files) is exactly the *base*. Stock SA. No user-servicable parts inside. This
> dir won't even be used, after an sa-update.

Ah, okay, that's good to learn, thanks.  That's not a detail I found out from
the docs (but I should have understood it from the directory hierarchy).

> Frankly, there are some important differences between SA and postfix
> "configuration". Just to start the list, not exhaustive:
>
> 'postconf' without the handy -n switch dumps about 500 lines. The
> equivalent dump for SA including the rules is about 6000 lines. And
> that's a plain dump, *without* following and unfolding meta rules or
> anything.
>
> Also, frankly, I don't think SA rules are really the same as settings.

This is maybe one of the communication difficulties here.  When I think "config"
I'm really thinking what you're calling "settings".  At this point I'm not as
interested in the rules.  (I haven't gotten past grokking the more fundamental
"config" of the system, which I feel I should understand before I move on to
rules.)  Perhaps the confusion here arises from the fact that rule definition is
a subset of "proper" config?  (I don't even know if this is the case for sure as
I haven't gotten to rules.)

> There are exactly two (sensible) possible places for custom configuration.
> /etc/mail/spamassassin and the user_prefs, if any.

I'm not assured a sensible installation when I am not the person who did the
installation.  (Perhaps not even then.)  But, again, good to learn this
information.  Thank you.  I note that so far this seems like orally-transmitted
folk knowledge more so than documented system nature.

> > others if they happen to have configured such), plus my user_prefs file
> > (_except_ any items which are prohibited from being overridden (except the
> > privileged settings which are actually allowed by allow_user_rules (except
> > those privileged settings which are actually "administrator" privileged
> > settings which cannot be allowed via allow_user_rules))), but minus
> > misspellings and possibly minus rules following misspellings in any of the
> > config files.
>
> Hell, no!  Assuming there are mis-spellings is inherently broken. Do lint
> check your configuration after *any* change. No complaints, no mis-spellings.

I'm not sure I understand you here.

I think that assuming there are _no_ misspellings in someone else's site-wide
config is leaving a door open to problems.  As you appear to indicate, lint
checking the config to validate it is very important.  No complaints and I can
then assume that the effective config is not modulated by errors, which is a
good (yet additional) step toward knowing the effective config.  I would be
sorely pressed to understand the implications of lint complaints that I couldn't
understand like:

[> check: no loaded plugin implements 'check_main': cannot scan! at
[>   /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 164.

The response here may be "that's not a lint message, and you can safely ignore
it".  But my point is that I'm required to understand this to know its effect on
the config if I am manually parsing the config and don't have a tool to show the
effective config.

I'm not sure if I'm clear with where I've been going with all this.  To know the
effective config I am having to search for more bodies.  And the process appears
to be unbounded.  Thankfully I have SA sherpas to help out, but I really didn't
want to bother you guys in the first place and I think that it would be nicer if
noobs like me didn't bother you guys.  Not that I want to encourage surliness
and "RTFM!" from the natives, but an in-effect config printer might help, as it
might also help a lot of debugging.

> > [...]  Meaning, if I want to know for sure exactly what results in the
> > effective config, do I consult the POD?  Or maybe the POD and the man pages,
> > and perhaps a particular wiki article and that's it, period.
>
> POD == man pages.
>
> Anyway, you're contradicting yourself. POD plus a single wiki page -- to grok
> the FULL configuration? That's what you requested to be dumped by a
> postconf-alike. Right, 6000 lines full of meta-rules and ghastly REs.
> Understood after the tiny bit of lecture you mentioned? No way.

I imagine the full config with rules would be awful, yeah.  But what about
config aside from rules?  That's really what I'm talking about.  (postconf
doesn't really output "rules".)  Isn't there something of a semantic distinction
between "bayes_auto_learn" and "redirector_pattern"?  I think the Conf POD page
gives one just about everything one needs to understand any non-rule config.

Don't folks ever want to list out non-rule configs?  The response here may be
"

Re: config status

2009-02-28 Thread Ray
Karsten Bräckelmann  rudersport.de> writes:

> On Thu, 2009-02-26 at 16:12 +0000, Ray wrote:
> > Is there a feature like Postfix's `postconf` to display the currently 
> > parsed 
> > and calculated config?
>
> That pretty much equals your local.cf, no?

No, the currently effective config is not equal to my local.cf (even for
postconf -n equivalency) because, as you say, users can change their user_prefs.

So we're led to "Isn't that your local.cf plus your user_prefs?"  Well, not
just local.cf, IIUC, but potentially any of the 47 files in my hosting
provider's /usr/share/spamassassin and /etc/mail/spamassassin dirs (or any
others if they happen to have configured such), plus my user_prefs file
(_except_ any items which are prohibited from being overridden (except the
privileged settings which are actually allowed by allow_user_rules (except those
privileged settings which are actually "administrator" privileged settings which
cannot be allowed via allow_user_rules))), but minus misspellings and possibly
minus rules following misspellings in any of the config files.

Have I missed anything?  _I don't know._

If manual parsing is really the way to know for sure what my effective SA config
is, is this the procedure I need?

  * determine all site-wide SA config dirs
  * locate hosting provider's config dirs, manually parse four dozen files
    - perhaps know any config item interdependencies
    - understand the impact of config aberrations like misspellings
  * modulo this result with my user_prefs file
    - know which config items cannot be overridden

That looks pretty ugly, but theoretically it's not so bad.  Except the
open-ended search to learn the distinct parts when coming new to SA.  There's
lots of very good documentation, but it's fragmented.  Meaning, if I want to
know for sure exactly what results in the effective config, do I consult the
POD?  Or maybe the POD and the man pages, and perhaps a particular wiki article
and that's it, period.

You come upon another party's camp in the icy wastes and chase off the raiders.
With moderate effort you find two people strewn among the wreckage, and with a
little more you find a third, and you bring them all back to your base camp.
But if you'd looked a little harder you would have found another.

I imagine just about every SA admin here has played out the scenario repeatedly
and knows the locations of the bodies.  "Come on, there are only four."  Heck,
even though I didn't install the SA here and I'm coming at this as a total noob
I may already have all the critical details I need.  But how am I to know that?
This is what I mean by open-ended.

Maybe there are no noob SA admins, so maybe the postconf-reveals-all-the-bodies
desire I have is weird and just a byproduct of my unusually ignorant perspective?
That feels very unlikely, but I'm keeping an open mind about it.

Maybe my being a "user" versus a site-wide administrator is the atypical thing
here?

RSK
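An added example, not part of Ray's post or of SpamAssassin itself: a minimal postconf-style resolver for one plain (non-rule) setting, which walks the config files in the order SA reads them, lists every assignment, and reports the last one as the effective value. It assumes the load order sa-update channel dir, then /etc/mail/spamassassin/*.cf sorted, then user_prefs, and the three-layer tree it builds is constructed; since it is a text search rather than SA's parser, it does not apply the admin-only restrictions or catch the lint errors the thread discusses.

```shell
#!/bin/sh
# Added example: a minimal postconf-style resolver for one plain (non-rule)
# SpamAssassin setting. It lists every assignment in the order SA reads its
# files and reports the last one as the effective value.
# Assumed load order (check your install): the sa-update channel dir
# (e.g. /var/lib/spamassassin/3.004002/updates_spamassassin_org), then
# /etc/mail/spamassassin/*.cf in sorted order, then ~/.spamassassin/user_prefs.
# Caveat: this is a text search, not SA's parser. It does not apply the
# admin-only / allow_user_rules restrictions and does not catch syntax
# errors, so still run "spamassassin --lint" after any change.

# Print the config files in load order; missing dirs/files are skipped.
# $1 = sa-update channel dir, $2 = site config dir, $3 = user_prefs path
sa_config_files() {
    for f in "$1"/*.cf "$2"/*.cf "$3"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
}

# Print "file<TAB>value" for every uncommented assignment of a setting.
# Keyed settings (score RULE, rewrite_header subject|from|to) are listed
# too; there "last wins" holds per sub-key.
# $1 = setting keyword, remaining args as for sa_config_files
sa_setting_assignments() {
    key=$1; shift
    sa_config_files "$@" | while IFS= read -r f; do
        grep -E "^[[:space:]]*$key([[:space:]]|$)" "$f" 2>/dev/null \
            | sed "s/^[[:space:]]*$key[[:space:]]*//" \
            | while IFS= read -r val; do printf '%s\t%s\n' "$f" "$val"; done
    done
}

# Print the effective value (last assignment wins); empty if never set,
# which for most settings means the compiled-in default applies.
sa_effective() {
    sa_setting_assignments "$@" | tail -n 1 | cut -f 2-
}

# Build a constructed three-layer config tree and print its path.
make_sample_config() {
    d=$(mktemp -d)
    mkdir -p "$d/updates" "$d/site" "$d/home"
    cat > "$d/updates/10_constructed_defaults.cf" <<'EOF'
# constructed stand-in for the channel defaults
required_score 5.0
EOF
    cat > "$d/site/local.cf" <<'EOF'
# constructed site-wide config: the provider prepends a subject tag
rewrite_header subject ***SPAM***
# required_score 6.0   <- commented out, must be ignored
EOF
    cat > "$d/home/user_prefs" <<'EOF'
# constructed user_prefs: lower the threshold, clear the subject tag
required_score 4.5
rewrite_header subject
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo on the constructed tree; pass the real paths to inspect
# a live install.
CFG=$(make_sample_config)
for k in required_score rewrite_header bayes_auto_learn; do
    echo "== $k"
    sa_setting_assignments "$k" "$CFG/updates" "$CFG/site" "$CFG/home/user_prefs"
    echo "effective: '$(sa_effective "$k" "$CFG/updates" "$CFG/site" "$CFG/home/user_prefs")'"
done
rm -rf "$CFG"
```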



config status

2009-02-26 Thread Ray
Is there a feature like Postfix's `postconf` to display the currently parsed and
calculated config?

If not, how do I submit a feature request?

Thanks,

RSK



Re: config no subject rewrite, learning spam headers

2009-02-20 Thread Ray
RW  googlemail.com> writes:

> On Wed, 18 Feb 2009 23:00:03 + (UTC)
> Ray  misinformation.org> wrote:
> > * How do I determine what the current SA config is?
>
> The locations where spamassassin looks for configuration are listed in
> the main manpage.

I managed to find the config directory on this system, thanks for the pointer.
I guess I have to parse all of these files to know how SA is actually config'd?
Alas, I was hoping for something like Postfix's `postconf` to show the
active/final configuration in its entirety.

Where can one submit a feature request, and does this sound like a sensible one?

> If it appears to be autolearning, then bayes and autolearning are enabled.

The magically incrementing `sa-learn --dump magic|grep am` values suggest so.
It's odd that there isn't any indication in the "X-Spam-Status" header that this
is happening, as one would expect after reading the wiki article
AutolearnNotWorking.

> Note that autolearning uses its own, more conservative, rules, it's not
> based on the normal single threshold - you should use sa-learn to
> manually train too, if you can.

I noticed the additional thresholds for autolearning.  I was hoping to do manual
training only, but maybe that level of control is just not achievable in my
circumstance.  (The problem being that my headers may be bad for sa-learn.)

> By default Bayes scoring won't turn on until you've learned 200 spam,
> and 200 ham (non-spam) messages. If you are going to make a judgement
> about moving the threshold then you should ignore the early mails that
> lack BAYES_* hits.

I imagine after Bayes scoring goes into effect I'll have a nicer distribution of
scores (pushed towards the poles).

> >   * Can I stop SA from judging spamminess (that is, making the binary
> > declaration of whether something is spam, X-Spam-Status,
> > X-Spam-Flag) and retain the scoring markup?  I suppose this may not
> > be important, as sa-learn is said to ignore prior SA markup, it's
> > just that having the declaration sitting in the headers from there on
> > makes these mails look spammy whether they truly are, and other more
> > naive tools might be misled.
>
> Some third-party Bayesian filters let you ignore unwanted headers.

I think this response might mean that I can't stop SA adding X-Spam-Status
and/or X-Spam-Flag, as the response proceeds without answering the question
directly.  I would like to have just the scoring without the judgements, but I
suppose again this is not an issue with regards to future application of
sa-learn.

The only other markup I feel it's actually necessary to hinder is the subject
markup.

> Even if you use one that doesn't, a single spam/ham token isn't likely
> to have all that much effect compared to all the other SA tokens. There

That's reassuring.

> are two main ways to use SA with a separate Bayesian filter. One is to
> score it into SA (which you can't do) and the other is to let the
> Bayesian filter pick-up extra tokens from the SA headers. In the latter
> case you would probably want to leave in the result at the default
> threshold anyway.

And I or another person should just remember while looking at these emails that 
the judgement is not necessarily correct.  I guess I'm including myself (and
other humans) among the naive tools to worry about.

> I think you could get rid of it by creating a custom header, but it's
> probably not worth the effort.

"It" here referring to the final spamminess judgement?  Oh, sorry, I
misunderstood earlier, then.

> >   * If I can't stop SA from judging spamminess, can I at least
> > override the site-wide config to mark up subjects?  I can't figure
> > this out.  Currently I have 'rewrite_header  subject  ""', but that
> > fails.  The docs say the string should be set to 'a null value', but
> > the config file's syntax for specifying nulls is not described.
>
> I believe it just means:
>
> rewrite_header  subject

Ah, that's one of the permutations I tried.  Any idea why it may not have
worked?  I've been able to modify required_score, as is evidenced by mail
headers that come through, so I must be working in a picked-up config file.
(Again a `sa-conf` to view live/final config would be much better for me than
tweaking my user config file's required_score and then waiting for a spam to
arrive so I can know if a config specification went into effect.)  My only guess
now is that somehow site-wide config overrides user config for this item or that
user config for this item is disallowed.

Right now SA's config'd to prepend "***SPAM*** ".  But I don't see this string
or the string "rewrite_header" an

config no subject rewrite, learning spam headers

2009-02-19 Thread Ray
I just moved to a new hosting provider who has Spamassassin 3.2.4 running (on
some kind of Linux, 2.6.18-92.1.22.el5) and I'm otherwise unfamiliar with SA.
I'd like some degree of control over what SA is doing, but config for this is
proving confusing for me.

Ideally if I could get SA just to mark up headers with its observations /
scoring, I'd have a good idea of where to set score threshold while I sort
mails correctly for later training.  First monitor, then act.  However, SA
currently appears to be making spam judgement and to be bayes autolearning.
(A reasonable default setup from the hosting provider.)

I think these things would help me to achieve my goals:

  * How do I determine what the current SA config is?  Specifically, can I see
    whether bayes is enabled, and whether it's auto-learning (if that's
    distinct from merely enabled)?  Anyway, seeing the whole config would be
    useful.  The best I've done so far is `spamassassin -D < /dev/null 2>&1 |
    less` and `sa-learn --dump magic`.  (I may not actually have read access
    to the site-wide SA config file, and `locate` is twitted.)

  * Can I stop SA from judging spamminess (that is, making the binary
    declaration of whether something is spam, X-Spam-Status, X-Spam-Flag) and
    retain the scoring markup?  I suppose this may not be important, as
    sa-learn is said to ignore prior SA markup, it's just that having the
    declaration sitting in the headers from there on makes these mails look
    spammy whether they truly are, and other more naive tools might be misled.

  * If I can't stop SA from judging spamminess, can I at least override the
    site-wide config to mark up subjects?  I can't figure this out.  Currently
    I have 'rewrite_header  subject  ""', but that fails.  The docs say the
    string should be set to 'a null value', but the config file's syntax for
    specifying nulls is not described.  Again, this may not be critical, as
    sa-learn might ignore the markup, but seeing as the markup is an arbitrary
    string, how would sa-learn figure out to ignore the specific string
    '***SPAM***' if the config ever changes?

Thanks,

RSK



Re: Off Topic?

2008-12-05 Thread Ray Jette

Ray Jette wrote:
Sorry if this is off topic. I am using a Microsoft DNS server. I am 
putting a big load on it with Mailscanner / Spamassassin and MTA 
RBL's. Would you recommend that I use a local BIND Cache server? Does 
anyone have any good resources as to how to set this up?


I have installed bind9 and bind-utils. I changed /etc/resolv.conf to 
be the following:

nameserver 127.0.0.1

When I did this the server was not able to resolve any names. Do I 
have to forward this name server to my Microsoft DNS server? Can it be 
configured to use the Root Hints?


Sorry about being off topic.

Thanks for the help.

Ray





Thank you for all the help everyone has provided.


Re: Off Topic?

2008-12-05 Thread Ray Jette

John Hardin wrote:

On Fri, 2008-12-05 at 10:53 -0500, Ray Jette wrote:
  
Now I want to be able to view the bind cache so 
I can verify that it is caching records. I have searched all over the 
Internet with no luck. At most, I can find that the cache is stored in RAM.



run "man rndc"

http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch05/?page=2


  

Thanks for the link. I found the command:
rndc dumpdb

When I run the command I get the following error:
rndc: connect ailed: 127.0.0.1#953: connection refused

Any ideas about this?


Re: Off Topic?

2008-12-05 Thread Ray Jette

Martin Gregorie wrote:

On Fri, 2008-12-05 at 10:04 -0500, Ray Jette wrote:
  
Sorry if this is off topic. I am using a Microsoft DNS server. I am 
putting a big load on it with Mailscanner / Spamassassin and MTA RBL's. 
Would you recommend that I use a local BIND Cache server? Does anyone 
have any good resources as to how to set this up?


I have installed bind9 and bind-utils. I changed /etc/resolve.conf to be 
the following:

nameserver 127.0.0.1



Try adding

forwarders {
ip-of-MS-DNS;
};

to the options{} section of /etc/named.conf
This should send all DNS requests it can't handle itself to your MS
DNS server.


Martin




  
I have added what you recommended but I added it to the 
/etc/bind/named.con.options file.
This solved my problem. Now I want to be able to view the bind cache so 
I can verify that it is caching records. I have searched all over the 
Internet with no luck. At most, I can find that the cache is stored in RAM.


Thanks again,
Ray


Re: Off Topic?

2008-12-05 Thread Ray Jette

Ray Jette wrote:
Sorry if this is off topic. I am using a Microsoft DNS server. I am 
putting a big load on it with Mailscanner / Spamassassin and MTA 
RBL's. Would you recommend that I use a local BIND Cache server? Does 
anyone have any good resources as to how to set this up?


I have installed bind9 and bind-utils. I changed /etc/resolve.conf to 
be the following:

nameserver 127.0.0.1

When I did this the server was not able to resolve any names. Do I 
have to forward this name server to my Microsoft DNS server? Can it be 
configured to use the Root Hints?


Sorry about being off topic.

Thanks for the help.

Ray




One more question. How do I go about viewing the DNS cache? I know it's 
stored in memory but is there a way to view it?


Re: Off Topic?

2008-12-05 Thread Ray Jette

Jack Pepper wrote:

Have a look at Black hole DNS.  http://www.malwaredomains.com

jp

Quoting Ray Jette <[EMAIL PROTECTED]>:

Sorry if this is off topic. I am using a Microsoft DNS server. I am 
putting a big load on it with Mailscanner / Spamassassin and MTA 
RBL's. Would you recommend that I use a local BIND Cache server? Does 
anyone have any good resources as to how to set this up?


I have installed bind9 and bind-utils. I changed /etc/resolve.conf to 
be the following:

nameserver 127.0.0.1

When I did this the server was not able to resolve any names. Do I 
have to forward this name server to my Microsoft DNS server? Can it 
be configured to use the Root Hints?


Sorry about being off topic.

Thanks for the help.

Ray




No, I have not. I don't really think this is what I am trying to do. I want 
to run a caching DNS server on my mail server to keep traffic off of our 
primary DNS server. I have an issue where the Microsoft DNS server fails 
after heavy load.


Ray


Off Topic?

2008-12-05 Thread Ray Jette
Sorry if this is off topic. I am using a Microsoft DNS server. I am 
putting a big load on it with Mailscanner / Spamassassin and MTA RBL's. 
Would you recommend that I use a local BIND Cache server? Does anyone 
have any good resources as to how to set this up?


I have installed bind9 and bind-utils. I changed /etc/resolve.conf to be 
the following:

nameserver 127.0.0.1

When I did this the server was not able to resolve any names. Do I have 
to forward this name server to my Microsoft DNS server? Can it be 
configured to use the Root Hints?


Sorry about being off topic.

Thanks for the help.

Ray




Re: Rule to catch PO#

2008-12-04 Thread Ray Jette

Ray Jette wrote:

mouss wrote:

Ray Jette a écrit :
 

Karsten Bräckelmann wrote:
   

Back on-list.

On Tue, 2008-12-02 at 13:40 -0500, Ray Jette wrote:
 
 

Yes, and it does match case insensitively.

I guess the issue is with your testing environment. How are you 
testing

the rule, err, regexp for a rule?


I sent two messages from yahoo. One with a subject of PO and the other
with a subject of po.


Wow, that's quite a lag for debugging and testing. Try calling
spamassassin with the message piped into instead. Also be sure to 
always

--lint before going live.

 
 

The rule only applied to PO.

You either  (a) forgot to restart the daemon, or  (b) are actually 
using

a different rule in your cf files than you pasted in your mail.



I reset the daemon. How do I call spamassassin with the message? I'm not
sure how to create a message from the server without sending one.



use your favourite editor and write a file named message.eml:
- cut here ---
Date: Tue, 02 Dec 2008 14:06:52 -0500
From: Ray Jette <[EMAIL PROTECTED]>
To: Ray Jette <[EMAIL PROTECTED]>
Subject: PO ney

blah blah
- cut here 


then run:

spamassassin -t < message.eml





  
I created the test message and ran it through both ways. One with PO 
and the other with po. The rule fired on both.
When receiving mail from the outside the rule only fires on PO and not 
po. Is there any reason for this to happen?



The following looks like it will work. Does anyone see any reasons why 
this would not work?

/\bPO ?s?:?#?\d{0,10}?[a-z]{0,5}?/i

Ray

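The patterns proposed in this thread, run under /i against the eleven subjects Ray listed and against three constructed ham subjects that merely start with "po"; this is an added Python example, not code from the list or from SpamAssassin, and it relies on Python's re treating these particular constructs (\b, \D, non-capturing groups, lazy bounded quantifiers) the same way Perl does.

```python
import re

# Subjects Ray posted from his mail server in this thread (copied from the page).
PO_SUBJECTS = [
    "PO1786", "PO 42111", "PO# 314980", "PO#36605", "PO 484579-0",
    "PO:458121", "PO: 6718972-1", "PO's #47509", "PO#v156-2008-003",
    "PO-121556", "PO's 47509",
]

# Constructed ham subjects that start with "po" but carry no purchase order.
NON_PO_SUBJECTS = ["Positive feedback on Q3", "Port 8080 is down", "Pollen count today"]

# The regexes proposed in the thread, exactly as written there; each is valid
# in both Perl and Python, and SpamAssassin's /i modifier becomes re.IGNORECASE.
CANDIDATES = {
    "ray_original": r"\bPO*?#?",          # '*' quantifies the O, so this is really just \bP
    "bailey_boundary": r"\bPO(?:\b|\d)",  # PO as a whole word, or PO glued to a digit
    "bailey_number": r"\bPO ?#? ?\d",     # requires a digit right after PO/space/hash
    "hardin": r"\bPO\D{0,6}[-\d]+",       # up to 6 non-digits, then digits and dashes
    "ray_final": r"\bPO ?s?:?#?\d{0,10}?[a-z]{0,5}?",  # everything after PO is optional
}


def evaluate(pattern):
    """Return (matched PO subjects, matched ham subjects) for one regex under /i."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = [s for s in PO_SUBJECTS if rx.search(s)]
    false_positives = [s for s in NON_PO_SUBJECTS if rx.search(s)]
    return hits, false_positives


def summarise():
    """Map each candidate name to (PO subjects matched, ham subjects matched)."""
    return {name: tuple(len(part) for part in evaluate(pattern))
            for name, pattern in CANDIDATES.items()}


if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        hits, fps = evaluate(pattern)
        print(f"{name:16} /{pattern}/i  matched {len(hits)}/{len(PO_SUBJECTS)}"
              f" PO subjects, false positives: {fps}")
```

Every candidate whose tail is entirely optional (ray_original, ray_final) matches the ham subjects too, while the two that demand a digit or a word boundary after PO do not.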

Re: Rule to catch PO#

2008-12-04 Thread Ray Jette

John Hardin wrote:

On Thu, 4 Dec 2008, Ray Jette wrote:

A lot of these rules look good but do not appear to work for what I am 
trying to do. Sorry about all the trouble. I'm not really that good at 
regular expressions but I am learning. Here are some real examples 
from my mail server:


   * PO1786
   * PO 42111
   * PO# 314980
   * PO#36605
   * PO 484579-0
   * PO:458121
   * PO: 6718972-1
   * PO's #47509
   * PO#v156-2008-003
   * PO-121556
   * PO's 47509

Some of these are millions of dollars worth of orders. I can't lose 
these. I am trying to create a negative scoring rule. Thanks for any 
help you can provide. Please let me know if you need any more 
information.


Subject =~ /\bPO\D{0,6}[-\d]+/i

(untested)


Thank you. I will test this and get back to you.


Re: Rule to catch PO#

2008-12-04 Thread Ray Jette

Ray Jette wrote:

Bowie Bailey wrote:

Ray Jette wrote:
 

Bowie Bailey wrote:
   

Ray Jette wrote:

 

Good morning,
I am trying to write a negative scoring rule that fires on the following:
PO
PO#
PO #

Following is the rule I am using:

header PO_AND_ORDERS Subject =~ /\bPO*?#?/i
score PO_AND_ORDERS -0.50
describe PO_AND_ORDERS A negative scoring rule that searches the subject for PO #'s.
Thanks for any help you can provide.



Try this one:

Subject =~ /\bPO\b ?#?/i

The "\b" after the "PO" will prevent it from matching things like
"positive", "pollen", or anything else that happens to start with
"po". Keep in mind that the "i" at the end makes it
case-insensitive, so this will match "PO", "po", "pO", etc.


  

Sometimes the subject will be: PO#34598459 so do I really want to use
\b? I need to match all of the following:
PO
PO#
PO  [0-9] - I'm not sure the max amount of numbers
PO#  [0-9] - I'm not sure the number of numbers
PO[0-9] - not sure how many numbers
PO#[0-9] - not sure how many numbers



\b matches a zero-length word boundary.  This means that one side is a
"word character" and the other side is not.  Word characters are defined
as alphanumeric plus "_".  So the only option in your list that would
cause a problem is "PO12345".

Try this one:

Subject =~ /\bPO(?:\b ?#?|\d)/i

Actually, since both the space and the hash are optional, is there any
point in matching them?

This might be better:

Subject =~ /\bPO(?:\b|\d)/i

Or you could look for the number (which removes the need for a word
boundary check):

Subject =~ /\bPO ?#? ?\d/i

  
A lot of these rules look good but do not appear to work for what I am 
trying to do. Sorry about all the trouble. I'm not really that good at 
regular expressions but I am learning. Here are some real examples 
from my mail server:


   * PO1786
   * PO 42111
   * PO# 314980
   * PO#36605
   * PO 484579-0
   * PO:458121
   * PO: 6718972-1
   * PO's #47509
   * PO#v156-2008-003
   * PO-121556
   * PO's 47509

Some of these are millions of dollars worth of orders. I can't lose 
these. I am trying to create a negative scoring rule. Thanks for any 
help you can provide. Please let me know if you need any more 
information.


Ray Jette




I am trying to write an expression to match above. I need to match the 
following

PO /\bPO
optional space /\bPO ?
Optional # /\bPO ?#?
Optional : /\bPO ?#?:?
Optional ' /\bPO ?#?:?'?
Optional s /\bPO ?#?:?'?s?
Optional space after # or : before numbers - /\bPO ?#?:?'?s? ?
Then I need numbers and letters - [0-9a-z]\{1,10\} - I may need this.

Thank you very much. I have been working on this for over a week and 
still can't seem to get it. It is critical that I get this working.


Thanks for any help you may provide.
Ray Jette
Network Engineer.


Re: Rule to catch PO#

2008-12-04 Thread Ray Jette

Bowie Bailey wrote:

Ray Jette wrote:
  

Bowie Bailey wrote:


Ray Jette wrote:

  

Good morning,
I am trying to write a negative scoring rule that fires on the following:
PO
PO#
PO #

Following is the rule I am using:

header PO_AND_ORDERS Subject =~ /\bPO*?#?/i
score PO_AND_ORDERS -0.50
describe PO_AND_ORDERS A negative scoring rule that searches the subject for PO #'s.


Thanks for any help you can provide.



Try this one:

Subject =~ /\bPO\b ?#?/i

The "\b" after the "PO" will prevent it from matching things like
"positive", "pollen", or anything else that happens to start with
"po". Keep in mind that the "i" at the end makes it
case-insensitive, so this will match "PO", "po", "pO", etc.


  

Sometimes the subject will be: PO#34598459 so do I really want to use
\b? I need to match all of the following:
PO
PO#
PO  [0-9] - I'm not sure the max amount of numbers
PO#  [0-9] - I'm not sure the number of numbers
PO[0-9] - not sure how many numbers
PO#[0-9] - not sure how many numbers



\b matches a zero-length word boundary.  This means that one side is a
"word character" and the other side is not.  Word characters are defined
as alphanumeric plus "_".  So the only option in your list that would
cause a problem is "PO12345".

Try this one:

Subject =~ /\bPO(?:\b ?#?|\d)/i

Actually, since both the space and the hash are optional, is there any
point in matching them?

This might be better:

Subject =~ /\bPO(?:\b|\d)/i

Or you could look for the number (which removes the need for a word
boundary check):

Subject =~ /\bPO ?#? ?\d/i

  
A lot of these rules look good but do not appear to work for what I am 
trying to do. Sorry about all the trouble. I'm not really that good at 
regular expressions but I am learning. Here are some real examples from 
my mail server:


   * PO1786
   * PO 42111
   * PO# 314980
   * PO#36605
   * PO 484579-0
   * PO:458121
   * PO: 6718972-1
   * PO's #47509
   * PO#v156-2008-003
   * PO-121556
   * PO's 47509

Some of these are millions of dollars worth of orders. I can't lose 
these. I am trying to create a negative scoring rule. Thanks for any 
help you can provide. Please let me know if you need any more information.


Ray Jette




Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

mouss wrote:

Ray Jette a écrit :
  

Karsten Bräckelmann wrote:


Back on-list.

On Tue, 2008-12-02 at 13:40 -0500, Ray Jette wrote:
 
  

Yes, and it does match case insensitively.

I guess the issue is with your testing environment. How are you testing
the rule, err, regexp for a rule?
  
  

I sent two messages from yahoo. One with a subject of PO and the other
with a subject of po.



Wow, that's quite a lag for debugging and testing. Try calling
spamassassin with the message piped into instead. Also be sure to always
--lint before going live.

 
  

The rule only applied to PO.



You either  (a) forgot to restart the daemon, or  (b) are actually using
a different rule in your cf files than you pasted in your mail.


  
  

I reset the daemon. How do I call spamassassin with the message? I'm not
sure how to create a message from the server without sending one.



use your favourite editor and write a file named message.eml:
- cut here ---
Date: Tue, 02 Dec 2008 14:06:52 -0500
From: Ray Jette <[EMAIL PROTECTED]>
To: Ray Jette <[EMAIL PROTECTED]>
Subject: PO ney

blah blah
- cut here 


then run:

spamassassin -t < message.eml





  
I created the test message and ran it through both ways. One with PO and 
the other with po. The rule fired on both.
When receiving mail from the outside the rule only fires on PO and not 
po. Is there any reason for this to happen?


Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

mouss wrote:

Ray Jette a écrit :
  

Karsten Bräckelmann wrote:


Back on-list.

On Tue, 2008-12-02 at 13:40 -0500, Ray Jette wrote:
 
  

Yes, and it does match case insensitively.

I guess the issue is with your testing environment. How are you testing
the rule, err, regexp for a rule?
  
  

I sent two messages from yahoo. One with a subject of PO and the other
with a subject of po.



Wow, that's quite a lag for debugging and testing. Try calling
spamassassin with the message piped into instead. Also be sure to always
--lint before going live.

 
  

The rule only applied to PO.



You either  (a) forgot to restart the daemon, or  (b) are actually using
a different rule in your cf files than you pasted in your mail.


  
  

I reset the daemon. How do I call spamassassin with the message? I'm not
sure how to create a message from the server without sending one.



use your favourite editor and write a file named message.eml:
- cut here ---
Date: Tue, 02 Dec 2008 14:06:52 -0500
From: Ray Jette <[EMAIL PROTECTED]>
To: Ray Jette <[EMAIL PROTECTED]>
Subject: PO ney

blah blah
- cut here 


then run:

spamassassin -t < message.eml





  

Thanks, I'll give that a try. This will make my testing a lot easier to do.


Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

Karsten Bräckelmann wrote:

On Tue, 2008-12-02 at 14:06 -0500, Ray Jette wrote:
[ *snipp* ]

  
I reset the daemon. How do I call spamassassin with the message? I'm not 
sure how to create a message from the server without sending one.



If all else fails, just save the message out of your MUA.

You can then test with the saved file and investigate the output:
  spamassassin < message.file | less


  

That might be hard to do. I am using Exchange.


Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

Karsten Bräckelmann wrote:

Back on-list.

On Tue, 2008-12-02 at 13:40 -0500, Ray Jette wrote:
  

Yes, and it does match case insensitively.

I guess the issue is with your testing environment. How are you testing
the rule, err, regexp for a rule?
  
I sent two messages from yahoo. One with a subject of PO and the other 
with a subject of po.



Wow, that's quite a lag for debugging and testing. Try calling
spamassassin with the message piped into instead. Also be sure to always
--lint before going live.

  

The rule only applied to PO.



You either  (a) forgot to restart the daemon, or  (b) are actually using
a different rule in your cf files than you pasted in your mail.


  
I reset the daemon. How do I call spamassassin with the message? I'm not 
sure how to create a message from the server without sending one.


Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

Matt Garretson wrote:

Ray Jette wrote:
  

PO 
PO
PO# 
PO#
PO # 
PO #




Try:

  Subject =~ /PO ?\#? ?\d+/i

If you don't need case insensitivity, remove the trailing 'i'.




  

Thanks for the reply. I tried to use Subject ~
That matched PO but it did not match po. I have /i at the end.


Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

Ray Jette wrote:

Good morning,
I am trying to write a negative scoring rule that fires on the following:
PO
PO#
PO #

Following is the rule I am using:

header PO_AND_ORDERS Subject =~ /\bPO*?#?/i
score PO_AND_ORDERS -0.50
describe PO_AND_ORDERS A negative scoring rule that searches the subject for PO #'s.
Thanks for any help you can provide.







I am having a lot of issues with this. Sorry but my regex skills are not 
very good. I'm trying to learn, though. This is a skill I need to learn. 
I decided to start at the beginning and build the expression up from 
there. I have the following:
/\bPO\b/i  I would assume this would match PO and po. The problem is 
that it is only matching PO. It will not match po. Any ideas why?


Re: Rule to catch PO#

2008-12-02 Thread Ray Jette
Thanks for all the help. I am still having issues. Let me try to explain 
a little more. Subjects can contain the following

PO 
PO
PO# 
PO#
PO # 
PO #

I can match PO with /\bPO/i but this does not fill my requirements.
I need to be able to match all above and i'm not sure where to start.

Thank you for any help you may provide.

Ray



Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

Karsten Bräckelmann wrote:

Please note that you do *not* need to specify all variations explicitly,
if you actually want to match *anything* that starts with "PO"...
  
Thanks for the information I will make sure to read it. I am going to 
try /\bPO\b now and see if it helps.



Since this isn't your first attempt to write ham rules...

Rather than trying to catch FPs like this, I first would investigate why
any need for this in the place. *Why* are your hams looking that spammy?
Which rules do they trigger?


  
I have users reporting missing e-mails but when I ask for specifics for 
the messages they never have them. I have no information to go by so I 
want to try to prevent them the best I can until I can get specifics 
from them.


Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

Bowie Bailey wrote:

Ray Jette wrote:
  

Bowie Bailey wrote:


Ray Jette wrote:

  

Good morning,
I am trying to write a negative scoring rule that fires on the following:
PO
PO#
PO #

Following is the rule I am using:

header PO_AND_ORDERS Subject =~ /\bPO*?#?/i
score PO_AND_ORDERS -0.50
describe PO_AND_ORDERS A negative scoring rule that searches the subject for PO #'s.


Thanks for any help you can provide.



Try this one:

Subject =~ /\bPO\b ?#?/i

The "\b" after the "PO" will prevent it from matching things like
"positive", "pollen", or anything else that happens to start with
"po". Keep in mind that the "i" at the end makes it
case-insensitive, so this will match "PO", "po", "pO", etc.


  

Sometimes the subject will be: PO#34598459 so do I really want to use
\b? I need to match all of the following:
PO
PO#
PO  [0-9] - I'm not sure the max amount of numbers
PO#  [0-9] - I'm not sure the number of numbers
PO[0-9] - not sure how many numbers
PO#[0-9] - not sure how many numbers



\b matches a zero-length word boundary.  This means that one side is a
"word character" and the other side is not.  Word characters are defined
as alphanumeric plus "_".  So the only option in your list that would
cause a problem is "PO12345".

Try this one:

Subject =~ /\bPO(?:\b ?#?|\d)/i

Actually, since both the space and the hash are optional, is there any
point in matching them?

This might be better:

Subject =~ /\bPO(?:\b|\d)/i

Or you could look for the number (which removes the need for a word
boundary check):

Subject =~ /\bPO ?#? ?\d/i

  

Thanks again.
I am using the following rule:
/\bPO(?:\b|\d)/i
This rule works when matching 'PO' but it will not match 'po'. It ends 
in a /i so I can't see why this would not work.


Ray


Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

Karsten Bräckelmann wrote:

I am trying to write a negative scoring rule that fires on the following:
PO
PO#
PO #

Following is the rule I am using:

header PO_AND_ORDERS Subject =~ /\bPO*?#?/i



In REs, the asterisk '*' is a quantifier, not a wildcard as it is with
the shell, and means "zero or more occurrences". So /PO*/ will match a
plain 'P', too, just like 'POOO'. (To complicate things, the *? means
"as little as possible while still matching the RE", but we better
ignore that for now. ;)

Btw, you need to escape the hash '#', not because this is an RE, but
because it is Perl. :)


Might I suggest reading some introduction about Regular Expressions
first, before trying to write more of them?

  http://perldoc.perl.org/perlre.html

The Perl RE Reference seriously will be overkill and explains more than
you ever would want to know. Have a look at the quick-start introduction
and the tutorial linked in the first paragraph there.

The Reference itself might still be useful as, well, a reference. ;)


  

Sometimes the subject will be: PO#34598459 so do I really want to use \b?



Yes. A word boundary \b does not mean "space", but a (zero-width)
transition from a word char \w to a non-word char \W. Word chars are
alphanumerical plus the underscore, non-word chars are anything else.

Maybe something like this? This requires an actual number, with either
combination of spaces and an optional hash between PO (case sensitive,
upper case only) and the number.
  /\bPO *(\# *)?\d/

  

I need to match all of the following:
PO
PO#
PO  [0-9] - I'm not sure the max amount of numbers
PO#  [0-9] - I'm not sure the number of numbers
PO[0-9] - not sure how many numbers
PO#[0-9] - not sure how many numbers



That's easy.  /\bPO\b/ will do -- might hit on spam as well, though,
since it is really short.

Please note that you do *not* need to specify all variations explicitly,
if you actually want to match *anything* that starts with "PO"...


  
Thanks for the information I will make sure to read it. I am going to 
try /\bPO\b now and see if it helps.


Ray


Re: Rule to catch PO#

2008-12-02 Thread Ray Jette

Bowie Bailey wrote:

Ray Jette wrote:
  

Good morning,
I am trying to write a negative scoring rule that fires on the following:
PO
PO#
PO #

Following is the rule I am using:

header PO_AND_ORDERS Subject =~ /\bPO*?#?/i
score PO_AND_ORDERS -0.50
describe PO_AND_ORDERS A negative scoring rule that searches the subject for PO #'s.

Thanks for any help you can provide.



Try this one:

Subject =~ /\bPO\b ?#?/i

The "\b" after the "PO" will prevent it from matching things like
"positive", "pollen", or anything else that happens to start with "po".
Keep in mind that the "i" at the end makes it case-insensitive, so this
will match "PO", "po", "pO", etc.

  

Sometimes the subject will be: PO#34598459 so do I really want to use \b?
I need to match all of the following:
PO
PO#
PO  [0-9] - I'm not sure the max amount of numbers
PO#  [0-9] - I'm not sure the number of numbers
PO[0-9] - not sure how many numbers
PO#[0-9] - not sure how many numbers

Thanks,
Ray


Rule to catch PO#

2008-12-02 Thread Ray Jette

Good morning,
I am trying to write a negative scoring rule that fires on the following:
PO
PO#
PO #

Following is the rule I am using:

header PO_AND_ORDERS Subject =~ /\bPO*?#?/i
score PO_AND_ORDERS -0.50
describe PO_AND_ORDERS A negative scoring rule that searches the subject for PO #'s.


Thanks for any help you can provide.






Re: Negative Scoring Rules

2008-12-01 Thread Ray Jette

jdow wrote:

From: "Ray Jette" <[EMAIL PROTECTED]>
Sent: Monday, 2008, December 01 12:41



Ray Jette wrote:

Good afternoon,
I am trying to write a rule that gives negative scores to messages 
that contain names of our companies and products. I have a few 
questions regarding this. Will the rule at the end of this message 
work? Can I put line breaks in the rule? How can I go about adding 
an optional s for \bBoiler\b? Thanks for any help you can provide.

body DEVISIONS_AND_PRODUCTS/\bAir 
Balance\b|\bAirtherm\b|\bAlton\b|\bAmerican 
Warming\b|\bAWV\b|\bAnemostat\b|\bApplied Air\b|
   \bArgo Baseboard\b|\bArrow United\b|\bAxon 
Electric\b|\bBeacon Morris\b|\bCesco Products\b|\bCoilmate\b|


\bDadanco\b|\bDahlstrom\b|\bEmbassy\b|\bEngel\b|\bMestek\b|\bFormtek\b|\bHill 
Engineering\b|\bHydrotherm\b|
\bIowa Precision\b|\bKoldwave\b|\bL\.J\. 
Wing\b|\bLockformer\b|\bLouvers\b|\bDampers\b|\bRBI\b|\bWater 
Heaters\b|
\bBoiler\b|\bReed 
Institute\b|\bSpacepak\b|\bSterling\b|\bHVAC\b|\bTemprite\b|\bTishken\b|\bTwinflo\b|\bVulcan\b|\bYoder\b/\i 



Are you REALLY sure you want the last two characters to be "\i"? The 
escape on the i might keep the rule from being case insensitive and lead 
to strange matching requirements to make the rule fire correctly all the time.


score DEVISIONS_AND_PRODUCTS  -0.1
describe DEVISIONS_AND_PRODUCTS A negative scorring rule 
that contains products and devisions.







Sorry about that. I solved it. I forgot the closing ).


{^_^}



Thanks. I changed it.


Re: Negative Scoring Rules

2008-12-01 Thread Ray Jette

Ray Jette wrote:

Good afternoon,
I am trying to write a rule that gives negative scores to messages 
that contain names of our companies and products. I have a few 
questions regarding this. Will the rule at the end of this message 
work? Can I put line breaks in the rule? How can I go about adding an 
optional s for \bBoiler\b? Thanks for any help you can provide.

body DEVISIONS_AND_PRODUCTS/\bAir 
Balance\b|\bAirtherm\b|\bAlton\b|\bAmerican 
Warming\b|\bAWV\b|\bAnemostat\b|\bApplied Air\b|
   \bArgo Baseboard\b|\bArrow United\b|\bAxon 
Electric\b|\bBeacon Morris\b|\bCesco Products\b|\bCoilmate\b|

\bDadanco\b|\bDahlstrom\b|\bEmbassy\b|\bEngel\b|\bMestek\b|\bFormtek\b|\bHill 
Engineering\b|\bHydrotherm\b|
\bIowa Precision\b|\bKoldwave\b|\bL\.J\. 
Wing\b|\bLockformer\b|\bLouvers\b|\bDampers\b|\bRBI\b|\bWater Heaters\b|
\bBoiler\b|\bReed 
Institute\b|\bSpacepak\b|\bSterling\b|\bHVAC\b|\bTemprite\b|\bTishken\b|\bTwinflo\b|\bVulcan\b|\bYoder\b/\i 
score DEVISIONS_AND_PRODUCTS  -0.1
describe DEVISIONS_AND_PRODUCTS A negative scorring rule that 
contains products and devisions.







Sorry about that. I solved it. I forgot the closing ).

Thanks again.


Re: Negative Scoring Rules

2008-12-01 Thread Ray Jette

Ray Jette wrote:

Good afternoon,
I am trying to write a rule that gives negative scores to messages 
that contain names of our companies and products. I have a few 
questions regarding this. Will the rule at the end of this message 
work? Can I put line breaks in the rule? How can I go about adding an 
optional s for \bBoiler\b? Thanks for any help you can provide.

body DEVISIONS_AND_PRODUCTS/\bAir 
Balance\b|\bAirtherm\b|\bAlton\b|\bAmerican 
Warming\b|\bAWV\b|\bAnemostat\b|\bApplied Air\b|
   \bArgo Baseboard\b|\bArrow United\b|\bAxon 
Electric\b|\bBeacon Morris\b|\bCesco Products\b|\bCoilmate\b|

\bDadanco\b|\bDahlstrom\b|\bEmbassy\b|\bEngel\b|\bMestek\b|\bFormtek\b|\bHill 
Engineering\b|\bHydrotherm\b|
\bIowa Precision\b|\bKoldwave\b|\bL\.J\. 
Wing\b|\bLockformer\b|\bLouvers\b|\bDampers\b|\bRBI\b|\bWater Heaters\b|
\bBoiler\b|\bReed 
Institute\b|\bSpacepak\b|\bSterling\b|\bHVAC\b|\bTemprite\b|\bTishken\b|\bTwinflo\b|\bVulcan\b|\bYoder\b/\i 
score DEVISIONS_AND_PRODUCTS  -0.1
describe DEVISIONS_AND_PRODUCTS A negative scorring rule that 
contains products and devisions.







Thanks again for the help. Following is the rule I ended up using:
body DEVISIONS_AND_PRODUCTS/\b(Air 
Balance|Airtherm|Alton|American Warming|AWV|Anemostat|Applied Air|Argo 
Baseboard|Arrow United|Axon Electric|Beacon Morris|Cesco 
Products|Coilmate|Dadanco|dahlstrom|Embassy|Engel|Mestek|Formtek|Hill 
Engineering|Hydrotherm|Iowa Precision|Koldwave|L\.J\. 
Wing|Lockformer|Louvers?|Dampers?|Rbi|Boilers?|Reed 
Institute|Spacepak|Sterling|HVAC|Temprite|Tishken|Twinflo|Vulcan|Yoder\b/i

score DEVISIONS_AND_PRODUCTS-0.20
describe DEVISIONS_AND_PRODUCTS A negative scorring rule that 
contains products and devisions.


When I ran 'MailScanner -debug -debug-sa 2>&1' I received the following:

[20621] info: config: invalid regexp for rule DEVISIONS_AND_PRODUCTS: 
/\b(Air Balance|Airtherm|Alton|American Warming|AWV|Anemostat|Applied 
Air|Argo Baseboard|Arrow United|Axon Electric|Beacon Morris|Cesco 
Products|Coilmate|Dadanco|dahlstrom|Embassy|Engel|Mestek|Formtek|Hill 
Engineering|Hydrotherm|Iowa Precision|Koldwave|L\.J\. 
Wing|Lockformer|Louvers?|Dampers?|Rbi|Boilers?|Reed 
Institute|Spacepak|Sterling|HVAC|Temprite|Tishken|Twinflo|Vulcan|Yoder\b/i: 
Unmatched ( in regex; marked by <-- HERE in m/(?i)\b( <-- HERE Air 
Balance|Airtherm|Alton|American Warming|AWV|Anemostat|Applied Air|Argo 
Baseboard|Arrow United|Axon Electric|Beacon Morris|Cesco 
Products|Coilmate|Dadanco|dahlstrom|Embassy|Engel|Mestek|Formtek|Hill 
Engineering|Hydrotherm|Iowa Precision|Koldwave|L\.J\. 
Wing|Lockformer|Louvers?|Dampers?|Rbi|Boilers?|Reed 
Institute|Spacepak|Sterling|HVAC|Temprite|Tishken|Twinflo|Vulcan|Yoder\b/


Any idea what the problem could be? Thanks.

Ray

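A small lint pass over the three forms this rule took in the thread (the /\i modifier, the rewrite with the unmatched '(', and a constructed corrected version with the group closed), as an added Python example that is not part of SpamAssassin or MailScanner: it pulls the regex and its modifiers out of a body/header rule line and compiles the regex with Python's re as a stand-in for Perl, so its diagnostics only approximate those of spamassassin --lint; the alternation lists are shortened to a few names.

```python
import re

# Shape of a SpamAssassin body/rawbody/header/uri rule line:
#   body   NAME /regex/flags
#   header NAME Header =~ /regex/flags
# Hypothetical parser for this example; it covers only the '/' delimiter.
RULE_LINE = re.compile(
    r"^(?P<kind>body|rawbody|header|uri)\s+"
    r"(?P<name>\S+)\s+"
    r"(?:(?P<header>\S+)\s+=~\s+)?"      # header rules carry "Subject =~"
    r"/(?P<pattern>.*)/(?P<flags>[^/]*)\s*$"
)

# Perl modifiers that have a direct Python equivalent.
FLAG_MAP = {"i": re.I, "m": re.M, "s": re.S, "x": re.X}


def lint_rule(line):
    """Return None if the rule looks valid, otherwise a short diagnostic string."""
    m = RULE_LINE.match(line.strip())
    if not m:
        return "not a body/header rule line"
    name, pattern, flags = m.group("name"), m.group("pattern"), m.group("flags")

    # "/\i" puts a backslash after the closing slash; Perl sees no such modifier.
    unknown = sorted(set(flags) - set(FLAG_MAP))
    if unknown:
        return (f"{name}: unknown regex modifier {unknown!r} after the closing '/'"
                f" (write /i, not /\\i)")

    py_flags = 0
    for f in flags:
        py_flags |= FLAG_MAP[f]
    try:
        re.compile(pattern, py_flags)       # catches the unmatched '(' case
    except re.error as exc:
        return f"{name}: invalid regexp: {exc}"
    return None


# Shortened versions of the rule variants from this thread (constructed; only
# a few of the product names are kept so the lines stay readable).
RULE_BACKSLASH_I = (
    r"body DEVISIONS_AND_PRODUCTS /\bAir Balance\b|\bAirtherm\b|\bBoiler\b|\bYoder\b/\i"
)
RULE_UNMATCHED_PAREN = (
    r"body DEVISIONS_AND_PRODUCTS /\b(Air Balance|Airtherm|Boilers?|Yoder\b/i"
)
RULE_FIXED = (
    r"body DEVISIONS_AND_PRODUCTS /\b(?:Air Balance|Airtherm|Boilers?|Yoder)\b/i"
)
HEADER_RULE = r"header PO_AND_ORDERS Subject =~ /\bPO\b ?#?/i"


def lint_all(lines):
    """Lint several rule lines; returns {line: diagnostic or None}."""
    return {line: lint_rule(line) for line in lines}


if __name__ == "__main__":
    for line, verdict in lint_all(
        [RULE_BACKSLASH_I, RULE_UNMATCHED_PAREN, RULE_FIXED, HEADER_RULE]
    ).items():
        print(f"{'OK ' if verdict is None else 'ERR'} {line[:60]}...  {verdict or ''}")
```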

Negative Scoring Rules

2008-12-01 Thread Ray Jette

Good afternoon,
I am trying to write a rule that gives negative scores to messages that 
contain names of our companies and products. I have a few questions 
regarding this. Will the rule at the end of this message work? Can I put 
line breaks in the rule? How can I go about adding an optional s for 
\bBoiler\b? Thanks for any help you can provide.

body DEVISIONS_AND_PRODUCTS/\bAir 
Balance\b|\bAirtherm\b|\bAlton\b|\bAmerican 
Warming\b|\bAWV\b|\bAnemostat\b|\bApplied Air\b|
   \bArgo Baseboard\b|\bArrow 
United\b|\bAxon Electric\b|\bBeacon Morris\b|\bCesco Products\b|\bCoilmate\b|

\bDadanco\b|\bDahlstrom\b|\bEmbassy\b|\bEngel\b|\bMestek\b|\bFormtek\b|\bHill 
Engineering\b|\bHydrotherm\b|
\bIowa 
Precision\b|\bKoldwave\b|\bL\.J\. 
Wing\b|\bLockformer\b|\bLouvers\b|\bDampers\b|\bRBI\b|\bWater Heaters\b|
	\bBoiler\b|\bReed Institute\b|\bSpacepak\b|\bSterling\b|\bHVAC\b|\bTemprite\b|\bTishken\b|\bTwinflo\b|\bVulcan\b|\bYoder\b/\i 
score DEVISIONS_AND_PRODUCTS  -0.1

describe DEVISIONS_AND_PRODUCTS A negative scorring rule that contains 
products and devisions.





Re: SPF rules

2008-10-02 Thread Ray Jette
Thanks for the quick reply. Do you know what .pre file this is contained
in? From the /etc/spamassassin directory I ran the following:
grep SPF_PASS *.pre but came up with nothing.

Thanks.

On Thu, 2008-10-02 at 09:44 -0500, McDonald, Dan wrote:
> or just remove the module from the .pre file that it's loaded from.



SPF rules

2008-10-02 Thread Ray Jette
Good morning,
The SPF_PASS and SPF_HELO_PASS rules hit several hundred messages a day.
I am doing SPF lookups at the MTA. How do I go about stopping these
tests from within SA?

Thanks,
Ray



Re: Alan Ralsky indicted

2008-01-03 Thread Tom Ray
I think I know this guy. I think I've actually done stuff for him about 
8-10 years ago. Yeah, the ISP I was working with at the time thought 
that SPAM was a quick buck and supported a few spamming houses.


jdow wrote:

http://it.slashdot.org/article.pl?sid=08/01/04/0154229

Points to this article at freep.com

http://www.freep.com/apps/pbcs.dll/article?AID=/20080103/NEWS06/80103045/1008/NEWS06 


Mich. spammer, 10 others indicted in alleged pump-and-dump scam


{^_^}


Bit OT but it's about SPAM

2007-10-17 Thread Tom Ray
I just thought if anyone hasn't read it yet, this article might be 
interesting to many of you. According to this report SPAM has now 
reached being 95% of all email.


http://www.net-security.org/secworld.php?id=5545

From the report:

   * Global spam levels reached an all-time high of 95% of all emails
     at its peak during the quarter.
   * Blended threat messages -- or spam messages with links to
     malicious URLs -- accounted for up to 8% of all global email
     traffic during the peaks of various attacks during the quarter.
   * One massive outbreak mid-quarter utilized over 11,000 dynamic
     zombie IP addresses to host malicious web sites. Leading zombie
     locations included the United States (36%) and Russia (8%).
   * Image spam declined to a level of less than 5% of all spam, down
     from 30% in the first quarter of 2007; also, image pump-and-dump
     spam has all but disappeared, with pornographic images taking its
     place.
   * PDF Spam represented 10-15% of all spam in early July and then
     dropped significantly, however a steady stream of PDF spam is
     still being maintained at 3-5% of all spam messages.
   * Pharmaceuticals and sexual enhancers were the most popular spam
     topics, at 30% and 23%, respectively.




Re: SpamAssassin 3.1.9 not catching any emails

2007-09-21 Thread Tom Ray



Dave Addey wrote:

Hi all,

As part of an “Ensim” (Linux control panel) installation, I’m running 
the Ensim-provided install of SpamAssassin 3.1.9. Unfortunately, I’m 
finding that no emails are being caught as spam. Whilst I’m sure that 
Ensim is doing some non-standard stuff around SpamAssassin, I’m 
wondering if anyone can help me (as a relative newbie to SpamAssassin) 
to debug what may be causing the problem.


I'm pretty sure that SpamAssassin is set up correctly. However, every 
single spam message seems to be getting through (assuming it is even 
being checked). All emails have a header of "X-Spam-Status: No, No" - 
which I assume means that SpamAssassin is checking the messages, and 
passing them all regardless of their spam-ness?


I really don't know where to start in debugging this. spamd is 
definitely running. I've run sa-update. I've sent myself an email with 
the GTUBE string in it, as described in 
http://wiki.apache.org/spamassassin/TestingInstallation , and it also 
came through with the same header as above. I have "Enable tests that 
connect to remote servers" enabled in Ensim's "Spam Filter 
Configuration" settings, but disabling it doesn't seem to make a 
difference.


Can anyone suggest some things I could investigate to find out where 
the problem may lie?


Many thanks in advance,

- maurj. 
First thing you need to know about running Ensim, is not to run Ensim. I 
had nothing but problems on the ensim server that I had. I thought it 
was going to be the low cost answer to my problems and it just was a 
high cost problem. Their support was horrid also.


Do you have access to logs to see if the mail is actually being scanned? 
It doesn't sound like it at all. Is this your box or someone else's?




Re: charter.net

2007-08-25 Thread Tom Ray



Kai Schaetzl wrote:

Jonn R Taylor wrote on Fri, 24 Aug 2007 07:30:22 -0500:

  
What's even more 
interesting is that they block 25 out going. So I am not sure why we all 
see so much spam from them.



The spam is coming from *.dhcp.*.*.charter.com. Obviously, there's no such 
blockage. I reject everything from there right away.


Kai

  
Like most ISPs, charter.net will block port 25 for those _not_ on their 
network. I had clients who were using my mail servers for their outgoing 
mail services until early last year when Comcast, ATT, and Charter (the 
ones I had to deal with) all seem to start blocking port 25 traffic. All 
my clients have to use SMTP_Auth in order to send mail through me but 
Charter.net will not allow off network traffic on port 25. So in a 
sense, yes they block port 25 but only for non-charter networks. Just as 
I only allow my dialup and DSL customers to send mail through my servers 
without authenticating.


Charter.net is also horrible about their mail servers deferring mail. I 
have customers who are forwarding their domain mail to their charter 
accounts and at least twice a week I see entries in my exim logs showing 
that Charter.net is deferring incoming mail for various reasons. Mostly 
it's 421 errors, always nice not to have your mail servers not 
responding or active. I've called their support and they are beyond 
horrible. They have no idea what they are doing.


It really ticks me off when I have to deal with this. I've been working 
for small ISP/Hosting companies since 1996 and have spent the last 3 
years running my own company. I am self taught with no university or 
college degrees or any other official certification yet I know more than 
95% of the people I talk to at my home cable company (I live in Windsor 
ON but my business is in MI, US) or any of these other 
ISPs/Cable/Hosting companies I deal with on a regular basis for my 
clients. I always love it when I start talking to a "Tech Support Rep" 
and they have no idea what I am saying because they have no clue. I 
usually get "I'm sorry sir, I don't know what you are talking about. I 
just know what my screen tells me"


Oh and I'm also on my 6th request and 3rd month of waiting for 
Charter.net's upper level support team to contact me so we can figure 
out why they always seem to defer mail 2-3 times a week.


--
Tom Ray
Chief Operations Officer
Detroit Online

DSL * VoIP * Networking * Email * Hosting * Programming 


http://www.detroitonline.com
Toll Free: 888-235-6817 x202
Outside US: 313-887-0805 x202
Fax: 313-887-8321



Re: is it possible to setup SA in a different machine?

2007-08-24 Thread Tom Ray
I'm a little late stepping in on this and it seems the original email 
was deleted from my mail box by mistake. As everyone has said, yes you 
can use spam assassin on a separate server. I do that right now and it 
works pretty well. It's also pretty slick because I have it setup not 
only to filter SPAM only for the domains I tell it but also only for 
specific email accounts I tell it to.


In your primary zone file set up two MX records for the domain. 10 goes 
to the spam server, 20 goes straight to the mail machine.


On the server that is running spam assassin I have it setup with Exim 
4.67, SA 3.2.2, ClamAV .091.2, Bind 9.3.3



* Create a user equal to the domain. So domain.com is user domaincom. 
For me the user dir is /home/sa-users/domaincom


* In the home dir setup a directory for each account you want to run 
along with a 0 byte file called "spamcheck" so you end up with something 
like /home/sa-users/domaincom/tom/spamcheck


* I add all the domains I'm accepting mail for in /etc/exim/domains

* I add all the domains I'm filtering for in /etc/exim/sa-list

* I create a zone file in /var/named with the following two lines. In my 
resolv.conf I have it looking at the local machine only.


        IN  MX  10 mail.domainnamehere.com.
mail    IN  A   1.1.1.120

My exim.conf Router and Transport for SA looks like this:

Router:
# SpamAssassin
spamcheck_router:
  driver = accept
  no_verify
  check_local_user = false
  # When to scan a message:
  #   - it isn't already flagged as spam
  #   - it isn't already scanned
  condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
  require_files = /mail/${domain}/spamassassin/${local_part}/spamcheck
  transport = spamcheck

# Only send mail for our domains
lookuphost:
  driver = dnslookup
  domains = /etc/exim/domains
  transport = remote_smtp
  no_more

Transport:
spamcheck:
  driver = pipe
  command = /usr/local/exim/bin/exim -oMr spam-scanned -bS
  use_bsmtp = true
  transport_filter = /usr/bin/spamc -u ${lookup{$domain}lsearch*{/etc/exim/sa-list}{$value}}
  home_directory = /tmp
  current_directory = /tmp
  # must use a privileged user to set $received_protocol on the way back in!
  user = exim
  group = exim
  log_output = true
  return_fail_output = true
  return_path_add = false
  message_prefix =
  message_suffix =

Basically it accepts the mail for the domain, if it's supposed to check 
it for SPAM it does, all mail is scanned for viruses. I automatically 
drop anything with .vbs .scr or other types of attachments and then it 
sends the mail onto my mail server or what ever other mail server I 
specify for the domain in the local zone file. I have clients running in 
house email servers but I scan for viruses and spam before delivering it 
on to them. The other beauty is if the main mail server(s) go down, the 
spam server will hold the message in queue until the server(s) are 
responding again. I hold messages for 14 days before thawing and dumping 
them.


Oh and finally, once SA has scanned email for the domain once, it puts the 
user_prefs file in /home/sa-users/domaincom/.spamassassin


Hope this helps.

--
Tom Ray
Chief Operations Officer
Detroit Online

DSL * VoIP * Networking * Email * Hosting * Programming 


http://www.detroitonline.com
Toll Free: 888-235-6817 x202
Outside US: 313-887-0805 x202
Fax: 313-887-8321



RE: charter.net

2007-08-24 Thread Ray Dzek
Just as a side note...

I am a charter customer.  I have spoken with their technical assistance
many times, and at various levels, for myself and on behalf of others I
have tried to assist.  They are by far the most incompetent ISP I have
ever dealt with.  They only have one answer for everything, which is
reboot your computer and your modem.  And god help you if you let them
troubleshoot beyond that.  They make the "Geek Squad" look like computer
savants.  So frankly, this type of brute force solution does not
surprise me in the slightest.

> -Original Message-
> From: Jonn R Taylor [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 24, 2007 5:30 AM
> To: users@spamassassin.apache.org
> Subject: Re: charter.net
> 
> Kai Schaetzl wrote:
> > Matt Kettler wrote on Thu, 23 Aug 2007 22:59:11 -0400:
> >
> >> I think it's a brain-dead attempt to counter the image and pdf
> >> spams that have been so popular lately.
> >
> > It would be nice if they would block their outgoing spam in the same
> > effective way. They are among the biggest spam sources for us.
> >
> > Kai
> >
> 
> Yes, that is very true. A lot of the spam that I see is from
> charter.net,
> but I do see a lot of spoofed addresses with their name. What's even more
> interesting is that they block 25 out going. So I am not sure why we
> all
> see so much spam from them.
> 
> Jonn


Re: MySQL error?

2007-01-15 Thread Ray Anderson
Look in the local.cf for these lines, or (if mysql is being used) look 
in the userpref table and delete the rows that have those entries.


Had the same issue and that cleared it up.

-=R

Doc Schneider wrote:

I'm seeing this in a server I just upgraded from 3.0.6 to 3.1.7
My thoughts are this is contained in the userpref part of MySQL.

Any idea or way to fix this?

Jan 15 13:59:56 lists spamd[25290]: config: failed to parse line, skipping: use_terse_report 0
Jan 15 13:59:56 lists spamd[25290]: config: failed to parse line, skipping: always_add_headers 1
Jan 15 13:59:56 lists spamd[25290]: config: failed to parse line, skipping: always_add_report 1


TIA,



Re: sa-stats.pl blows up on maillog covering turn of year

2007-01-02 Thread Ray Anderson


Bob McClure Jr wrote:

sa-stats.pl as distributed with SA v3.1.7 blows out a ton of

WARNING: ignoring future date in syslog line: Dec 31 20:26:56 bubba spamd[7149]: prefork: child states: II 


and the like, and ends up reporting zeros for results.  Another
machine with the same sa-stats.pl (and an earlier version as well)
works just fine.  Both machines are running Fedora Core 4 with Perl
v5.8.6, but the one difference I found is in Parse::Syslog.  The
machine that works has v1.03.  The one that blows up has v1.09.

I can't tell if it's Parse::Syslog that is broken, or sa-stats.pl is
failing to take advantage of a new feature of Parse::Syslog.

On both machines, sa-stats.pl is called from a script in
/etc/cron.daily/sa-stats thusly:

#!/bin/sh
# Set a 24-hour period.
start=`date -d yesterday`
# to today
end=`date`
/usr/local/sbin/sa-stats -s "$start" -e "$end"

Has anyone else experienced or fixed this?

Cheers,
  



Same problem here.

-=R
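
The "ignoring future date" warning above is the classic syslog year problem: syslog timestamps carry no year, so a parser that assumes the current year turns a Dec 31 line read on Jan 2 into a date nearly a year in the future and discards it. The following is an added example written for this page (it is not code from sa-stats.pl or Parse::Syslog) of inferring the year so that no line lands in the future. The log lines and the fixed "now" are constructed for the example, and the one-hour slack for clock skew is an assumption:

```python
"""Year inference for syslog timestamps, which carry no year.
Added example; the log lines and NOW below are constructed."""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_syslog_time(line, now, slack=timedelta(hours=1)):
    """Returns the line's timestamp with a year filled in, or None when the
    line is not syslog-shaped. The year is taken from `now`; if that would
    place the entry ahead of `now` by more than `slack`, the entry is from
    last year (a Dec 31 line read on Jan 2)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hour, minute, second = (int(x) for x in m["hms"].split(":"))
    stamp = datetime(now.year, MONTHS[m["mon"]], int(m["day"]),
                     hour, minute, second)
    if stamp - now > slack:
        try:
            stamp = stamp.replace(year=now.year - 1)
        except ValueError:
            # Feb 29 rolled back into a year without one; clamp to Feb 28.
            stamp = stamp.replace(year=now.year - 1, day=28)
    return stamp


def in_window(lines, start, end, now):
    """Counts lines whose inferred timestamp falls inside [start, end],
    which is the selection sa-stats makes with -s/-e."""
    kept = 0
    for line in lines:
        stamp = parse_syslog_time(line, now)
        if stamp is not None and start <= stamp <= end:
            kept += 1
    return kept


# Constructed: the cron run on the morning of Jan 2, 2007.
NOW = datetime(2007, 1, 2, 4, 2, 0)
# Constructed log lines in the shape spamd writes.
SAMPLE_LINES = [
    "Dec 31 20:26:56 bubba spamd[7149]: prefork: child states: II",
    "Jan  1 09:15:02 bubba spamd[7149]: spamd: identified spam (12.3/5.0) "
    "for user:500 in 2.1 seconds, 4021 bytes.",
    "Jan  2 03:58:40 bubba spamd[7149]: spamd: clean message (-1.2/5.0) "
    "for user:500 in 1.0 seconds, 2210 bytes.",
    "not a syslog line",
]


def demo():
    """Returns (year, month, day) per sample line, and how many of them fall
    in the last 24 hours before NOW."""
    stamps = [parse_syslog_time(line, NOW) for line in SAMPLE_LINES]
    count = in_window(SAMPLE_LINES, NOW - timedelta(days=1), NOW, NOW)
    return [(s.year, s.month, s.day) if s else None for s in stamps], count


if __name__ == "__main__":
    dates, count = demo()
    for line, date in zip(SAMPLE_LINES, dates):
        print(date, "<-", line[:40])
    print("lines in the 24h window:", count)
```

The Dec 31 line resolves to 2006 and is correctly outside a "yesterday to now" window, rather than being flagged as a future date and dropped along with the statistics it should have contributed to. The same rollback logic is what a log parser needs whenever it is fed a file that straddles a year boundary.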


Re: "insider information" slipping through

2006-12-23 Thread Ray Anderson



Debbie D wrote:
Can someone try and help me understand why this keeps slipping through.. in 
2+ days I have 40 or more of these to various addresses of my own on the 
server


http://sial.org/pbot/21945


(Thanks Theo for the link) 

  


Scores for me:

Content analysis details:   (19.5 points, 3.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
10   GMD_FAKETZ             GMD_FAKETZ
 2.0 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.5 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [124.106.8.240 listed in dnsbl.sorbs.net]
 2.6 DNS_FROM_RFC_DSN       RBL: Envelope sender in dsn.rfc-ignorant.org


Re: yet another stupid spammer trick

2006-12-19 Thread Ray Anderson

Kelson,

My apologies.  As I looked at my own reply, my response to your e-mail 
made it look like I wrote the great background information that you did 
and I just wanted to publicly give you credit for the elaborate and well 
thought out response. 


I was merely agreeing with you and posting a link with more info.

-=Ray


Ray Anderson wrote:

This looks like a failed header injection attack.

Some background: Lots of web form handlers, including the most basic 
Perl and PHP tools, will build the headers and body of a message as 
one long string, then pass it to Sendmail.  If a form allows 
user-supplied data for any header content -- most often a subject, a 
sender's name or email address -- and the form does not properly 
sanitize the input, an attacker can add a newline to the data and 
build up their own headers and message body.


---snip--

Absolutely what I was trying to say earlier.

A _great_ article on the matter is here:

http://www.securephpwiki.com/index.php/Email_Injection

-=Ray






Re: yet another stupid spammer trick

2006-12-19 Thread Ray Anderson

This looks like a failed header injection attack.

Some background: Lots of web form handlers, including the most basic 
Perl and PHP tools, will build the headers and body of a message as one 
long string, then pass it to Sendmail.  If a form allows user-supplied 
data for any header content -- most often a subject, a sender's name or 
email address -- and the form does not properly sanitize the input, an 
attacker can add a newline to the data and build up their own headers 
and message body.


---snip--

Absolutely what I was trying to say earlier.

A _great_ article on the matter is here:

http://www.securephpwiki.com/index.php/Email_Injection

-=Ray
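
As an added illustration of the header injection described in the message above (example code written for this page, not from the thread or from any of the form handlers it mentions), here is the naive string-built message beside a hardened builder. The addresses, the body text and the attacker's subject line are constructed for the example:

```python
"""Header injection through a naive form-to-mail handler, vulnerable and
hardened side by side. Added example; all inputs are constructed."""
from email import message_from_string


def build_message_vulnerable(to_addr: str, subject: str, body: str) -> str:
    # Builds the message by string concatenation, the way many old Perl/PHP
    # form handlers did, and trusts whatever the form submitted as subject.
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}\r\n"


def sanitize_header_value(value: str) -> str:
    # One CR or LF is all a submitter needs to end the current header line
    # and write further headers (Bcc, Content-Type) or a whole new body.
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return value


def build_message_hardened(to_addr: str, subject: str, body: str) -> str:
    return (
        f"To: {sanitize_header_value(to_addr)}\r\n"
        f"Subject: {sanitize_header_value(subject)}\r\n"
        f"\r\n{body}\r\n"
    )


def analyze(raw: str) -> dict:
    # Parses the generated message and reports what an injected subject
    # turned into: extra header names, and the text that became the body.
    msg = message_from_string(raw)
    extra = [name for name in msg.keys()
             if name.lower() not in ("to", "subject")]
    return {"injected_headers": extra, "body": msg.get_payload()}


# Constructed attacker input: ends the Subject line, appends a Bcc header,
# closes the header block and supplies its own body.
ATTACK_SUBJECT = "hello\r\nBcc: victim@example.invalid\r\n\r\nBuy now"


def demo() -> dict:
    raw = build_message_vulnerable("owner@example.invalid", ATTACK_SUBJECT,
                                   "contact form text")
    return analyze(raw)


def hardened_rejects(subject: str) -> bool:
    """True if the hardened builder refuses the given subject."""
    try:
        build_message_hardened("owner@example.invalid", subject, "body")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = demo()
    print("injected headers:", result["injected_headers"])
    print("body now starts with:", result["body"].splitlines()[0])
    print("hardened handler rejects it:", hardened_rejects(ATTACK_SUBJECT))
```

When the injected payload is malformed (a missing blank line, a mis-terminated header), the extra headers end up visible inside the delivered message instead of taking effect, which is exactly the "failed" injection the message above describes. Rejecting CR and LF in anything that goes into a header is the whole fix; stripping them is a weaker alternative because it silently accepts the attempt.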




Re: Good source for IP addresses by country

2006-12-12 Thread Ray Anderson

 My $.02, (and that's about all it's worth).

I was running a server with 1and1 who uses ip address blocks assigned to 
Amsterdam.


The server was physically located in New York City.

I had several customers who could not send mail outbound because people 
hate to receive mail from Amsterdam.  Period.


After calling just about everyone on the planet, I gave up and moved the 
server to a different provider (after checking the IP blocks).


-=Ray


Michele Neylon :: Blacknight wrote:

You could simply use Geoip scoring using this lot:
http://countries.nerd.dk/

It's pretty effective..

http://www.mneylon.com/blog/archives/2005/01/15/geo-specific-scoring/

Regards

Michele





Re: Tarpits are fun!

2006-12-12 Thread Ray Anderson

Nicely done!

John D. Hardin wrote:

{snicker!}

Dec 12 09:48:03 ga : Initial Connect - tarpitting: 124.240.124.222 60241 -> x.x.x.x 25
Dec 12 09:44:20 ga : Initial Connect - tarpitting: 124.240.124.222 53486 -> x.x.x.x 25 *
Dec 12 12:16:30 ga : Initial Connect - tarpitting: 124.240.124.222 14526 -> x.x.x.x 25 *
...
Dec 12 16:08:06 ga : Persist Activity: 124.240.124.222 53486 -> x.x.x.x 25
Dec 12 16:09:04 ga : Persist Activity: 124.240.124.222 60241 -> x.x.x.x 25 *
Dec 12 16:11:19 ga : Persist Activity: 124.240.124.222 14526 -> x.x.x.x 25
Dec 12 16:12:07 ga : Persist Activity: 124.240.124.222 53486 -> x.x.x.x 25 *
Dec 12 16:13:05 ga : Persist Activity: 124.240.124.222 60241 -> x.x.x.x 25
Dec 12 16:16:08 ga : Persist Activity: 124.240.124.222 53486 -> x.x.x.x 25 *
Dec 12 16:17:05 ga : Persist Activity: 124.240.124.222 60241 -> x.x.x.x 25
Dec 12 16:19:20 ga : Persist Activity: 124.240.124.222 14526 -> x.x.x.x 25 *

Three spambot threads stuck for *hours*!

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 3 days until Bill of Rights day


  


Re: required_score aggressive ??

2006-12-06 Thread Ray Anderson
 I use a required_score of 3 and so far have had zero positives (more 
than 3 years running).


I have customers that also run 3 and have opted to have the server 
/discard/ the message (not quarantine, but /DISCARD/) if it is 
identified as spam.  So far none of those users have complained about 
not receiving e-mail.


-=Ray


R Lists06 wrote:

When looking up required_score info, as most know, it say that the default
is 5.0 and that it is considered aggressive in various circumstances

Used to be called required_hits

When I first started using SA I was told that as an ISP going in the 4.0
range give or take a little was an excellent choice.

If you are able to chime in, please share your wisdom in any area about
required_score and/or just how aggressive is everyone on the list as I am
thinking of tweaking a little lower.

Thanks in advance

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net




  


New spam

2006-12-04 Thread Ray Anderson

Hello,

I've been lurking for a while and had just recently decided to try to 
put the FuzzyOCR on my spam filtering machine, when I found the 
following incredibly obfuscated stock spam (link at bottom of message)


The question is this:

Will FuzzyOCR find/detect the garbage in this image or is even 
implementing OCR pointless as the generators get more sophisticated?


I wasn't sure if I could post an image, so here is a link to the headers 
and the image.


I'll take it down tomorrow morning.

Thanks!

-=Ray

http://www.rb-com.com/spam.php


Re: Prevent scanning internal mail

2006-11-30 Thread Ray Anderson

Craig Morrison wrote:

Gary V wrote:
Exactly. How you prevent sending the message through SA is not a 
function of SA itself, but of the implementation, and because of the 
large number of implementations and configurations I question whether 
it would be practical (or even related) to provide examples of the 
various procedures.


Point well taken Gary.



I didn't see much of anything on this subject in the Wiki.


Neither did I.

I've been googling a bit and the cornucopia of hits for 
+spamassassin is a mess. :-)




My solution to this problem is this:

I'm running postfix 2.1.5-5 on Fedora Core 3 and recently had this same 
question come up.  I was whitelisting all 30something domains I hosted 
but ran into spammers using foo@ to get around spam filtering.


My solution was to create a rule in postfix main.cf:


smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    check_client_access pcre:/etc/postfix/non-auth.re,
    -- snip --

And the contents of non-auth.re is:

/^/ PREPEND X-No-Auth: Unauthenticated Sender

Since postfix aborts checking at the first match, this has the effect of 
stamping every single message with a header that I can find and react 
to, which for me bypasses spamd -- note:  this decision takes place 
_after_ virus scanning, etc.


Hope this helps someone.

-=Ray



Re: I've got TORA.08 spelled with numbers?

2006-11-17 Thread Ray Anderson
Wouldn't a better solution be to check the e-mail for NOT having any 
alpha chars?


All numbers seems like a no-brainer to me, but I'm fairly new at this.  :)

Something like

body __HAS_ALPHA /[a-zA-Z]/
meta NO_ALPHA_BODY !__HAS_ALPHA


?

Cheers,

-=Ray


Justin Mason wrote:

this seems to catch them:

header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
header __MOLE_2962  X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962)

--j.

Billy Huddleston writes:
  
So, here is a question...  Why spam everyone with TORA.08, I don't even know 
what the heck that means!!!



- Original Message - 
From: "Evan Platt" <[EMAIL PROTECTED]>

To: 
Sent: Friday, November 17, 2006 10:48 AM
Subject: Re: I've got TORA.08 spelled with numbers?




At 07:44 AM 11/17/2006, you wrote:
  

I'm getting a bunch of spams this morning that have
TORA.08 spelled out with numbers like this.

4216775   0611576   215556 7 3308011   3258576
   6  7 5   153 85 2   7 3
   8  3 6   50   4   1   2 7   0 5
   7  2 2   257873  5 7  4 1   3387715
   6  2 5   7  1   111500075 8 6   2 2
   8  2 2   7   7  3   2   656   0 3   0 8
   0  6430533   44 8   6   207   5412501   7637213


Does anybody know what this is about.


Got 2 also.

Wasn't there a stock image spam with TORA.TORA or something?

  


  

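An added example (not from the thread) that turns the two ideas above, a body with no alphabetic characters and a digit grid broken into columns by runs of spaces, into detection logic run over a constructed body. The spam and ham bodies are made up for the example and the thresholds are assumptions; a SpamAssassin body rule sees the rendered text, so the same shape test could be ported to a rule, but it is written here as a stand-alone classifier so it can be run and tuned:

```python
"""Detector for message bodies that spell words out of digit grids.
Added example; the sample bodies below are constructed."""
import re

NUMERIC_LINE = re.compile(r"[\d\s]+")   # digits and whitespace only
GAP = re.compile(r"\s{2,}")             # a column break inside the line


def digit_art_report(body: str, min_gappy_lines: int = 3,
                     min_numeric_ratio: float = 0.8) -> dict:
    """Looks for the shape of the TORA-style spam: most non-empty lines are
    digits and whitespace only, and several of them are split into columns
    by runs of spaces. A single figure such as a phone number, a price or
    an order total does not have that shape and is left alone."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    numeric = [ln for ln in lines if NUMERIC_LINE.fullmatch(ln)]
    gappy = [ln for ln in numeric if len(GAP.findall(ln.strip())) >= 2]
    ratio = len(numeric) / len(lines) if lines else 0.0
    return {
        "lines": len(lines),
        "numeric_lines": len(numeric),
        "gappy_lines": len(gappy),
        "hit": len(gappy) >= min_gappy_lines and ratio >= min_numeric_ratio,
    }


# Constructed spam body in the style quoted in this thread.
SPAM_BODY = """\
4216775   0611576   215556 7 3308011   3258576
   6  7 5   153 85 2   7 3
   8  3 6   50   4   1   2 7   0 5
   7  2 2   257873  5 7  4 1   3387715
   6  2 5   7  1   111500075 8 6   2 2
   8  2 2   7   7  3   2   656   0 3   0 8
   0  6430533   44 8   6   207   5412501   7637213
"""

# Constructed ham body that is full of numbers but shaped like prose.
HAM_BODY = """\
Hi Tom,

Order 4216775 shipped today. Tracking: 1Z 999 AA1 01 2345 6784
Total      239.40
Call 313-887-0805 x202 if anything is missing.
"""


if __name__ == "__main__":
    for label, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        print(label, digit_art_report(body))
```

The ratio check is what keeps a legitimate numeric table from hitting when it has a textual header or footer; the gap count is what separates a digit grid from a plain column of numbers. Both knobs are worth re-checking against a local ham corpus before anything like this is given a score.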

RE: Train from Outlook?

2006-08-23 Thread Ray Dzek

Imap2mbox resides on a windows server and only converts the imap format
into an mbox format.  Reading the links you provided there is an
executable and external batch files to run on a windows machine.  So that
would/could be a solution if your environment is windows only.  We are
running a linux server with postfix + amavisd-new with SA and ClamAV to
pre-process mail coming into our Exchange server.  The solution I
described is an all in one perl script that runs on the linux server.
Imap-sa-learn.pl reads directly from the SPAM and NO-SPAM folders on the
Exchange server, processes the messages, and removes them.  There are no
extra processes that need to be run on the Exchange server itself.

So:

If you are running linux in front of your Exchange server, my solution
works.

If you are running SA on a windows box, your solution works.


From: Jean-Paul Natola [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 23, 2006 12:24 PM
To: users@spamassassin.apache.org
Subject: RE: Train from Outlook?

SLOW DOWN!!   That sounds like an awful lot when you can just let
imap2mbox do it all.

Imap2mbox does everything for you, except moving the messages to the
folder

http://www.byteplant.com/support/nospamtoday/howtolearnexchange.html

http://www.byteplant.com/support/nospamtoday/contrib.html


From: Ray Dzek [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 23, 2006 3:10 PM
To: users@spamassassin.apache.org
Subject: RE: Train from Outlook?

Your timing is perfect.  I just implemented this yesterday!

The script you may be looking for is imap-sa-learn.pl from:
http://www.gagravarr.org/code/

The how-to is here:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200406.mbox/[EMAIL PROTECTED]

Users then drag (very important they drag the message to the folder to
preserve headers) the messages into the appropriate public folder and are
then processed by the script at the interval you set with a cron job.

To fill in some of the missing blanks...

You create 2 new public folders.  The how-to called them HAM and SPAM.
All my users know what SPAM is, but explaining the concept of HAM proved
futile for some reason so I just renamed the folder NOT-SPAM.

Create a spamassassin user in AD and create an exchange mailbox.  No mail
is ever sent to/from this user, it is only so the user has access
permissions to the mailboxes.

You may need to add a few perl modules to get this to work.  The main one
is Mail::IMAPClient.  So just CPAN and then install Mail::IMAPClient

The script is written with --no-rebuild and --rebuild which is deprecated
in current versions of SA, so just edit the script and change those to
--no-sync and --sync otherwise the script will throw errors when you run
it.

Add the script to crontab -e so it runs as often as you like.  I run mine
every hour.  It automatically grabs each message, processes it with
sa-learn, and then deletes it from the SPAM folder.

If all this is greek, let me know and I will put together something a
little more formal.

This method will not work for OWA since you are not allowed to copy from
your mailbox folders to a public folder in OWA.


From: Christopher Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 23, 2006 5:07 AM
To: users@spamassassin.apache.org
Subject: Train from Outlook?

Tell me something, is there a plugin for outlook that would allow me to
train spamassassin on the web server?
E.g., messages come in, end up in my Junk Mail folder, can I somehow
select them, and click a button with this 'addin' and have it find our
web server and train spam assassin with the data in my local inbox?  That
would be a very cool addon if someone could develop it.






RE: Train from Outlook?

2006-08-23 Thread Ray Dzek

Your timing is perfect.  I just implemented this yesterday!

The script you may be looking for is imap-sa-learn.pl from:
http://www.gagravarr.org/code/

The how-to is here:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200406.mbox/[EMAIL PROTECTED]

Users then drag (very important they drag the message to the folder to
preserve headers) the messages into the appropriate public folder and are
then processed by the script at the interval you set with a cron job.

To fill in some of the missing blanks...

You create 2 new public folders.  The how-to called them HAM and SPAM.
All my users know what SPAM is, but explaining the concept of HAM proved
futile for some reason so I just renamed the folder NOT-SPAM.

Create a spamassassin user in AD and create an exchange mailbox.  No mail
is ever sent to/from this user, it is only so the user has access
permissions to the mailboxes.

You may need to add a few perl modules to get this to work.  The main one
is Mail::IMAPClient.  So just CPAN and then install Mail::IMAPClient

The script is written with --no-rebuild and --rebuild which is deprecated
in current versions of SA, so just edit the script and change those to
--no-sync and --sync otherwise the script will throw errors when you run
it.

Add the script to crontab -e so it runs as often as you like.  I run mine
every hour.  It automatically grabs each message, processes it with
sa-learn, and then deletes it from the SPAM folder.

If all this is greek, let me know and I will put together something a
little more formal.

This method will not work for OWA since you are not allowed to copy from
your mailbox folders to a public folder in OWA.


From: Christopher Mills [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 23, 2006 5:07 AM
To: users@spamassassin.apache.org
Subject: Train from Outlook?

Tell me something, is there a plugin for outlook that would allow me to
train spamassassin on the web server?
E.g., messages come in, end up in my Junk Mail folder, can I somehow
select them, and click a button with this 'addin' and have it find our
web server and train spam assassin with the data in my local inbox?  That
would be a very cool addon if someone could develop it.






Includes Question.

2006-08-06 Thread Tom Ray
I have SA set up to run per user, my question is does the user_prefs 
file support any include commands like Apache's httpd.conf or Bind's 
named.conf file does? I basically don't want to re-write the main 
user_prefs file when a user updates their White or Black lists via the 
web interface I'm providing.


I'm looking for something like:

include whitelist.conf
include blacklist.conf

Or something along those lines.


Re: Am I wasting my time with SpamCop?

2006-08-02 Thread Tom Ray



Tom Ray wrote:



Derek Harding wrote:

On Wed, 2006-08-02 at 16:37 -0400, Tom Ray wrote:
 
Anyone serious about stopping SPAM should not use SpamCop. They have 
no real checking method, it's like AOL's spam blocking method...they 
just let users submit what they think is spam and then block it. 
It's pointless. There's not even a way to contact anyone at SpamCop 
to fix a falsely listed server or what not.



Spamcop has its problems, some very serious, however the above
mis-information should be corrected.

If you are listed incorrectly you should email [EMAIL PROTECTED]
They're quite helpful although their definition of incorrectly may
differ from other people's definitions (including my own). For example,
when some muppet reported us 25 times for a single email Spamcop removed
all but one report and canceled the listing immediately. So to say
there's no way to contact them is plain wrong.

Derek
  
Let me re-phrase that, there's no listed form of contact on their 
website. I was just there...you have a choice of Header Help, and 
Terms. There's no "Contact SpamCop" option, no listed email accounts 
to mail to. So how does Joe Average know how to contact Spam Cop?


I stand corrected I was at SpamCop.com and not SpamCop.net which has 
these methods...nice to link over to the proper site.
So one of their serious problems is not listing the fact there is a 
way to contact them. I remember when SpamCop started, there was a ton 
more information on the site plus a way to check if you were listed 
with SpamCop (which you can't do anymore) plus contact information. 
None of that exists anymore.


Re: Am I wasting my time with SpamCop?

2006-08-02 Thread Tom Ray



Derek Harding wrote:

On Wed, 2006-08-02 at 16:37 -0400, Tom Ray wrote:
  
Anyone serious about stopping SPAM should not use SpamCop. They have no 
real checking method, it's like AOL's spam blocking method...they just 
let users submit what they think is spam and then block it. It's 
pointless. There's not even a way to contact anyone at SpamCop to fix a 
falsely listed server or what not.



Spamcop has its problems, some very serious, however the above
mis-information should be corrected.

If you are listed incorrectly you should email [EMAIL PROTECTED]
They're quite helpful although their definition of incorrectly may
differ from other people's definitions (including my own). For example,
when some muppet reported us 25 times for a single email Spamcop removed
all but one report and canceled the listing immediately. So to say
there's no way to contact them is plain wrong.

Derek
  
Let me re-phrase that, there's no listed form of contact on their 
website. I was just there...you have a choice of Header Help, and Terms. 
There's no "Contact SpamCop" option, no listed email accounts to mail 
to. So how does Joe Average know how to contact Spam Cop?


So one of their serious problems is not listing the fact there is a way 
to contact them. I remember when SpamCop started, there was a ton more 
information on the site plus a way to check if you were listed with 
SpamCop (which you can't do anymore) plus contact information. None of 
that exists anymore.


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-02 Thread Tom Ray



Marc Perkel wrote:



Logan Shaw wrote:

On Wed, 2 Aug 2006, Marc Perkel wrote:

SMTP passwords go away because SMTP goes away.


The idea is that outgoing IMAP would replace SMTP and there would be 
no SMTP between clients and servers. SMTP would be a server to 
server protocol.


That's all well and good saying SMTP is server to server
only, but how are you going to get the spammers to cooperate?
Do you think they will volunteer?  And when you are running
an SMTP server, how can you tell if SMTP connections that it
receives are really coming from another server?

  - Logan



If SMTP becomes a server to server protocol then it will wipe out 
consumer virus infected spam zombies. It's not going to get rid of all 
spam - just most of it.


The other problem you run into is the fact that one man's SPAM is 
another man's acceptable email.


Re: Am I wasting my time with SpamCop?

2006-08-02 Thread Tom Ray
Anyone serious about stopping SPAM should not use SpamCop. They have no 
real checking method, it's like AOL's spam blocking method...they just 
let users submit what they think is spam and then block it. It's 
pointless. There's not even a way to contact anyone at SpamCop to fix a 
falsely listed server or what not.


They are a joke.

John Rudd wrote:


On Aug 2, 2006, at 1:09 PM, Zinski, Steve wrote:


I use SpamCop to report my spam.

I use the SpamHaus RBL as a first line of defense then I use
SpamAssassin to catch the rest of the spam coming to my server.

Am I wasting my time? Should I just delete low-scoring spam and let the
honeypots harvest and report to the various RBLs, or should I keep
reporting spam via SpamCop (which wastes a lot of my time).



In my experience, SpamCop is a colossal waste of _everything_ it 
uses.  Time, space, energy, matter, etc.


But that's just "in my experience".  YMMV.



Re: What changes would you make to stop spam? - United Nations Paper

2006-08-01 Thread Tom Ray




  
4a) maybe generalize #4 to include various other RFC issues (matching 
PTR and A records is an RFC requirement, after all), such as the things 
tracked at RFC-Ignorant



Less feasible, too many players.

How about: domain registrars are required to block any domain they
have registered that does not have working (i.e. read-by-a-human)
postmaster@ and abuse@ aliases? 

  
Being that I am a domain registrar (small but still), how will I know if 
they have a working postmaster or abuse alias? And even if they did, a 
quick filter setup at the server level will have those mails /dev/null'd 
in no time. This isn't a feasible idea for one reason and one reason 
only, Network Solutions. They'll find some way to re-route that domain 
to their own use.
5) Require ISP's to channel their customer's email through their own 
mail servers (which will have some impact upon SPF tracking as well) 
and not allow any non-business customers, nor any dynamic customers 
(business or commercial), to directly connect to other mail servers.



Totalitarian regimes will *love* that one. ISPs will hate it.

  
Hate to break the news to you but many ISPs are already not allowing 
their users to connect via port 25 outside their networks. Comcast has 
done it, as have a few others already. I run into this a lot because I'm 
also a hosting company and offer SMTP Auth but many customers have 
issues because they can't connect to port 25 on my mail server. I also 
totally agree with this practice, if they are going to be on the hook 
for something their users did then they need to keep a watchful eye on 
their customers.


ISPs don't hate this considering that many ISPs now do hosting, it's a 
way for them to get their customers to bring the hosting over to them also.


Re: Custom .cf files

2006-07-26 Thread Tom Ray



Theo Van Dinter wrote:

On Wed, Jul 26, 2006 at 03:06:40PM -0400, Tom Ray wrote:
  
Is it possible to have each user have their own 10_misc.cf or any of the 
other .cf files? Right now all are stored in /usr/share/spamassassin I'd 
like each user to have their own.


Anyone done this before?



This is quite usual actually, that's what user_prefs are for.

  
Well I'm still quite new to this. So I can shove that information into 
user_prefs or do I modify user_prefs to call on a directory?


--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Custom .cf files

2006-07-26 Thread Tom Ray

I know I asked this before but I believe I asked it wrong.

Is it possible to have each user have their own 10_misc.cf or any of the 
other .cf files? Right now all are stored in /usr/share/spamassassin I'd 
like each user to have their own.


Anyone done this before?

--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Re: Editing Question....

2006-06-09 Thread Tom Ray



Martin Hepworth wrote:

Tom

Depends on what's calling SA. SA will only mark the spam; any processing beyond
that is up to you..

--
Martin Hepworth 
Snr Systems Administrator

Solid State Logic
Tel: +44 (0)1865 842300

  

-Original Message-
From: Tom Ray [mailto:[EMAIL PROTECTED]
Sent: 09 June 2006 17:17
To: users@spamassassin.apache.org
Subject: Editing Question

Is there a way to edit the message that appears in your mail when it's
marked as spam.

This is the text I want to edit:

"Spam detection software, running on the system "mx02.detroitonline.com",
has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details."

Actually, the better way to phrase this is that I want each domain owner
able to edit their own version of that. I do virtual email hosting but I
run each domain under its own user name so the Admin controls their
spam rules. I want them to be able to edit that with their own
information. Can we do that?



I guess I should also ask, where is this default text at?


Editing Question....

2006-06-09 Thread Tom Ray
Is there a way to edit the message that appears in your mail when it's 
marked as spam.


This is the text I want to edit:

"Spam detection software, running on the system "mx02.detroitonline.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details."

Actually, the better way to phrase this is that I want each domain owner 
able to edit their own version of that. I do virtual email hosting but I 
run each domain under its own user name so the Admin controls their 
spam rules. I want them to be able to edit that with their own 
information. Can we do that?


--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Re: Virtual Users

2006-06-07 Thread Tom Ray



Bowie Bailey wrote:

David O'Brien wrote:
  

Hello,

I am running SpamAssassin version 3.0.4-2.fc4, exim 4.62-1.fc4 &
dovecot 0.99.14-4.fc4 


I have virtual users, with mail being stored in the directory format
/data/mail/domain.com/user/ 
So, the mail for [EMAIL PROTECTED] would be stored in
/data/mail/obrien.com/david/ 


I have tried setting the --virtual-config-dir option to
--virtual-config-dir=/data/mail/%d/%l so the user_prefs file would be
created in the correct location, however %d and %l do not seem to be
expanding to the domain and local part of the username.  I am getting
the following in my log file:


"Using default config for nobody: /data/mail///user_prefs"

I have seen this mentioned before, but have not seen a solution. 
Does anyone have any idea what the problem is, and what the solution
is?  



Are you providing the email address via spamc?

spamc -u [EMAIL PROTECTED]

  
I'm trying to do the same thing that David is doing. I have spamd 
running with --config-virtual-dir=/mail/%d/mail/%l so it should expand 
to mail/detroitonline.com/mail/tom for any email being sent to me.


Within my directory I have a directory called ".spamassassin" and within 
that I have a user_prefs file. I have my score set to 2 while the global 
is set to 5.


Within exim I have spamc set to run as "spamc -u 
[EMAIL PROTECTED]" which does expand to [EMAIL PROTECTED] 
However, I can't find the logfile that David refers to. Spamd start-up, 
stops, etc. all display within my syslog, as do any -D messages. So I 
have a couple of questions..


1) Where do I find that entry that David refers to?
2) Spam is being scanned but it's being scored out of 5 instead of 2, 
which means it's reading the global file and not my user file.
3) It is my understanding that spamc needs to run as a user on the 
machine, but if these are virtual accounts and don't exist on the 
machine how will spamc run everything? In Exim the user exim runs 
everything and all mail files and directories have to be set with exim 
as the user and group.
4) Am I doing this right? I've laid out my specs before and asked that 
but no one's said yes or no.


Any help would be appreciated.

Thanks.

--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Just installed Spam Assassin and having a little issue.

2006-05-19 Thread Tom Ray

Hey all-

I just installed Spam Assassin and I'm running into a small problem. I'm 
running a mail server with Exim 4.60 and it's hosting virtual accounts. 
So the setup is basically /mail/domain.com/mail/user/inbox what I would 
like to do is give each user control over their SA settings so I've 
tried two different ways to make SA work the way I wanted.


I've copied the user_prefs template over to the following:

1) Tried doing it this way: /mail/domain.com/mail/.spamassassin/user.cf
2) /mail/domain.com/mail/user/.spamassasin/user_prefs

I have the following Router in my Exim config:

# SpamAssassin
spamcheck_router:
  no_verify
  check_local_user
  # When to scan a message :
  #   -   it isn't already flagged as spam
  #   -   it isn't already scanned
  condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
  require_files = /mail/${domain}/mail/.spamassassin/${local_part}/user_prefs

  driver = accept
  transport = spamcheck

With this Transport:

spamcheck:
  driver = pipe
  command = /usr/local/exim/bin/exim -oMr spam-scanned -bS
  use_bsmtp = true
  transport_filter = /usr/bin/spamc
  home_directory = "/tmp"
  current_directory = "/tmp"
  # must use a privileged user to set $received_protocol on the way back in!

  user = exim
  group = exim
  log_output = true
  return_fail_output = true
  return_path_add = false
  message_prefix =
  message_suffix =

Now I only have one account under one of the domains set up with a 
user_prefs and/or a user.cf file. SA is scanning for SPAM on that 
account so I'm assuming that the require_files command in the Router is 
working, because other accounts under that domain are not scanning SPAM 
nor are any other domains/accounts on the server. However, it will only 
read the /etc/mail/spamassassin/local.cf file and is ignoring the lower 
score setting I have in my user_prefs file.


My question is, how do I get SA to read from the user_prefs file under 
the virtual email user accounts? Anyone done this before? I'm kinda new 
to SA and I'm still getting the hang of customizing it.


Thanks!

--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Spamd Child Forks

2006-02-02 Thread Ray Dzek



spamd: handled cleanup of child pid 19888 due to SIGCHLD
spamd[5262]: prefork: child states: II

I see a lot of mention of these messages showing up in 3.1, but I have not seen a 
definitive answer as to if I need to pay more attention to them or they are 
just a minor/visual annoyance in the logs and will be cleaned up with a patch or 
the next release.

Some clarification, please, from those in the know?

Thanks!

Ray Dzek
Net Ops / Helpdesk Supervisor
Specialized Bicycle Components
 


Spamd inscrutability. Does it ever look at a user_prefs file?

2005-11-29 Thread Ray Klassen
Spamassassin 3.04 with SQL support.

I'm trying to set up a global textbased or MYSQL based whitelist. I want
to be able to support *wildcards*  I am able to add specific addresses
to the AWL using spamassassin --add-addr-to-whitelist but when I've used
wildcards for some of our desired senders, they seemed to have been
ignored.

I'd like to keep it simple with 
whitelist_from_rcvd   [EMAIL PROTECTED]somedomain.com

in the local.cf file. 

spamd is running with 

SPAMD_OPTS="-x -q -Q -H /var/lib/spamassassin/nobody --max-children 5"

and exim is calling spamc with the user nobody.

so I edited the table user_prefs in the mysql database, adding a record
that says 

username nobody 
preference whitelist_from_rcvd
value  [EMAIL PROTECTED]somedomain.com

I ran spamd with -D and it seems to have connected with the MYSQL server
for user prefs as it certainly did for AWL entries and Bayes tokens, but
the spam score on the mail message should certainly go down if the email
address is really whitelisted. If I use the AWL it goes down to -50 when
I use the --add-addr-to-whitelist flag. So I expect a good healthy minus
quantity on a wildcard whitelisting but it never seems to happen. 




I recently migrated from a spamd config as follows. This one had no
MYSQL server

-u Debian-exim -x --virtual-config-dir /var/lib/spamassassin/%u
--create-prefs --max-children 5 --helper-home-dir


I put whitelist_from_rcvd in all kinds of files and they all seemed to
be ignored, too.


Is it a function of running spamd with -x? If so, why did it never read
local.cf?


-Q is supposed to give you mysql user_prefs functionality with -x



Any pointers?
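As an added illustration of how a whitelist_from_rcvd entry is matched (my own Python, not SpamAssassin's code): the first field is a glob in which * and ? are wildcards, matched case-insensitively and anchored against the whole From address, and the second field must contain the reverse-DNS name of the last untrusted relay, which is what stops a forged From from satisfying it the way a plain whitelist_from glob would. The local.cf excerpt below is constructed, with the redacted address in the post written out as a wildcard entry; the function names and the example.invalid hosts are mine.

```python
import re

# Constructed local.cf excerpt in the form the post sketches, with the
# redacted address written out as a wildcard entry.
LOCAL_CF = """
whitelist_from_rcvd  *@somedomain.com        somedomain.com
whitelist_from_rcvd  news-?@example.invalid  mail.example.invalid
"""


def glob_to_regex(glob):
    """Anchored, case-insensitive regex for a whitelist_from-style glob:
    '*' matches any run of characters and '?' exactly one."""
    body = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c)
                   for c in glob)
    return re.compile('^' + body + '$', re.I)


def parse_whitelist_from_rcvd(cf_text):
    """Return (address_glob, domain) pairs from whitelist_from_rcvd lines."""
    entries = []
    for line in cf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == 'whitelist_from_rcvd':
            entries.append((parts[1], parts[2]))
    return entries


def rdns_within(rdns, domain):
    """True when rdns is the listed domain itself or a host under it."""
    rdns, domain = rdns.lower().rstrip('.'), domain.lower().rstrip('.')
    return rdns == domain or rdns.endswith('.' + domain)


def whitelisted(entries, from_addr, last_untrusted_rdns):
    """Both halves must hold: the From address matches the glob and the
    reverse DNS of the last untrusted relay lies within the listed domain."""
    return any(glob_to_regex(g).match(from_addr)
               and rdns_within(last_untrusted_rdns, d)
               for g, d in entries)


if __name__ == '__main__':
    entries = parse_whitelist_from_rcvd(LOCAL_CF)
    # Genuine sender relayed through the listed domain: whitelisted.
    print(whitelisted(entries, 'bob@somedomain.com', 'smtp3.somedomain.com'))
    # Same From, but handed to us by an unrelated relay: not whitelisted.
    print(whitelisted(entries, 'bob@somedomain.com', 'host.notsomedomain.com'))
```

The second call is the case the rcvd variant exists for: the glob matches, but the relay's reverse DNS is outside the listed domain, so the entry does not apply.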



Re: Exim with Spamassassin and mimedefang

2005-05-18 Thread -ray
On Wed, 18 May 2005, Jeffrey N. Miller wrote:
I want to setup a SMTP relay filtering SPAM and viruses.  The relay will 
relay the mail to my Exchange server.  Is there well documented HOWTOs 
on setting this up using Exim, Spamassassin, Mimedefang and a good virus 
scanning software?  I see HOWTOs using sendmail but I want to switch to 
Exim or am I just making things hard?
Mimedefang uses the milter interface of sendmail.  It won't work with 
exim.

ray
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                   http://www.r-a-y.org
Systems Engineer             Southeastern Louisiana University
IBM Certified Specialist     AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Alt text getting through

2005-01-28 Thread Ray Anderson
I made a custom rule in local.cf to score the following with 5:

describe custom_body_checks Custom Body Checks
score custom_body_checks 5

rawbody __bc_0 /%RND_ALT/I

meta custom_body_checks ( __bc_0 )

But it is not catching that phrase in the inbound e-mail.  (below)

Can anyone tell me why?  I have tons of other rules that get caught and marked, 
but this one seems to sneak by.

Stuck on spamassassin-2.55-2.1.92 for now on a Mandrake 9.2 machine.

Thanks,

-=Ray

Good flying never killed [an enemy] yet.
Major Edward "Mick" Mannock, RAF, WWI, 50-73 Victories


Here is a snip of the original e-mail (hope it doesn't get caught)
= SNIP 
X-Spam-Status: No, hits=0.1 required=3.0
tests=HTML_MESSAGE
version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)


A40863880133651
Content-Type: multipart/alternative;
 boundary="--A95370304846963"

A95370304846963
Content-Type: text/plain;
Charset = "us-ascii"
Content-Transfer-Encoding: 7bit

--- cut html crap -


%RND_ALT%RND_ALT%RND_ALT


--- cut html crap -

A95370304846963
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

--- cut html crap -


%RND_ALT%RND_ALT%RND_ALT


--- cut html crap -

A95370304846963--

A40863880133651
Content-Type:  image/gif; name="vicodinad.gif"
Content-Transfer-Encoding: base64



RE: Investor and Stock spam

2005-01-27 Thread Ray Anderson
> Err..
> 
> body STOCK_SPAM /inf0rmati(O|0)n|st0ck|profi\|e|invest0rs|pr0file|y0urse(l|\|)f|wil\||symb(o|0)\|/
> 
> is more efficient.. and still will catch that crap in the subject line also.
> 
> D
> 
> 

Please excuse my ignorance

Would you want to make this a rawbody check so mime-embedded mime-encoded
mails also get caught?

-=Ray

Nothing makes a man more aware of his capabilities and of his limitations
than those moments when he must push aside all the familiar defenses of ego
and vanity, and accept reality by staring, with the fear that is normal to a
man in combat, into the face of Death.
Major Robert S. Johnson, USAAF, 27 Victories, WWII



Body checks not identifying spam

2005-01-12 Thread Ray Anderson
I'm thinking it's because the message is in multi-part embedded multi-part
mime mail, but I'm not sure.

I'm stuck running 2.55 for another 3 months or so before I move to FC3, so
until then, does anyone have any advice?  This is the second message that's
like this, and I'm sure the numbers are going to grow.



Funny, how typing a message step by step forces you to realize your own
mistake.  I had in the local.cf
  
  body testname /pattern/

Instead of 

  rawbody testname /pattern/

Works great now!

I hope me finding my own answer helps someone out there.

Thanks,

-=Ray
--
As a fighter pilot I knew from my own experiences how decisive surprise and
luck can be for a success, which in the long run only comes to the one who
combines daring with cool thinking.
Lt. General Adolph Galland, Luftwaffe
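Both this post and the "Alt text getting through" one above turn on which view of the message a rule type scans. A body rule runs against the MIME-decoded text parts with any HTML rendered down to text, so anything that lives only in markup (an alt attribute, a tag name) never reaches it; a rawbody rule runs against the same decoded parts with the markup left in; a full rule sees the pristine message, transfer encoding and all. The Python below is an added illustration of that distinction, not SpamAssassin's own code: it builds a constructed multipart message in the shape of the snippet quoted in the Jan 28 post (the gif name and the %RND_ALT token are modelled on it; the example.invalid addresses, the message text and the function names are mine) and runs one case-insensitive pattern against the three views.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


def build_sample() -> bytes:
    """Construct a sample message shaped like the snippet in the post:
    multipart/mixed -> multipart/alternative (7bit text + base64 HTML) + GIF.
    The template token appears only inside the HTML <img alt="..."> attribute."""
    html = ('<html><body>Please see the attached offer.'
            '<img src="cid:vicodinad.gif" alt="%RND_ALT%RND_ALT%RND_ALT">'
            '</body></html>')
    msg = EmailMessage()
    msg['From'] = 'seller@example.invalid'   # constructed addresses
    msg['To'] = 'ray@example.invalid'
    msg['Subject'] = 'hello'
    msg.set_content('Please see the attached offer.')
    msg.add_alternative(html, subtype='html', cte='base64')
    msg.add_attachment(b'GIF89a\x01\x00\x01\x00', maintype='image',
                       subtype='gif', filename='vicodinad.gif')
    return msg.as_bytes()


class _TextOnly(HTMLParser):
    """Keep text nodes and drop tags, the way a body rule sees HTML."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def rendered_text(html: str) -> str:
    p = _TextOnly()
    p.feed(html)
    p.close()
    return ''.join(p.chunks)


def text_parts(raw: bytes):
    """Yield (subtype, decoded text) for every text/* part, MIME-decoded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == 'text':
            yield part.get_content_subtype(), part.get_content()


def rawbody_view(raw: bytes) -> str:
    """What a rawbody rule scans: decoded text parts, markup kept."""
    return '\n'.join(text for _, text in text_parts(raw))


def body_view(raw: bytes) -> str:
    """What a body rule scans: decoded text parts with HTML rendered to text."""
    return '\n'.join(rendered_text(t) if sub == 'html' else t
                     for sub, t in text_parts(raw))


def full_view(raw: bytes) -> str:
    """What a full rule scans: the pristine message, transfer encoding intact."""
    return raw.decode('ascii', 'replace')


def rule_hits(raw: bytes, pattern: str) -> dict:
    """Run one case-insensitive pattern against the three views."""
    rx = re.compile(pattern, re.I)
    return {'body': bool(rx.search(body_view(raw))),
            'rawbody': bool(rx.search(rawbody_view(raw))),
            'full': bool(rx.search(full_view(raw)))}


if __name__ == '__main__':
    sample = build_sample()
    for pat in (r'%RND_ALT', r'attached offer'):
        print(pat, rule_hits(sample, pat))
```

For the token hidden in the alt attribute only rawbody fires: body never sees the attribute, and full never sees the decoded HTML because that part is base64 on the wire. The plain phrase in the 7bit text part is found by all three.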



RE: maintaining the 2.6 branch (was: [2.64] FORGED_MUA_OUTLOOK buggy)

2005-01-06 Thread Ray Anderson
> Alright, so far I've seen 4-5, maybe 6 people saying they 
> intend to stick to
> 2.64 for the foreseeable future.  Is that really all? 
> I'm quite willing myself to put an effort in in maintaining 
> 2.64, and I'll
> probably be doing it on a personal level anyway, but to work 
> to produce actual
> releases for others, I think a bit more of an interest is needed. 

I am also required to stay with the 2.6 branch for the foreseeable future; if 
there's anything I can do to help I'd be happy to.

-=Ray
----
Ray Anderson
System Development Manager
916.788.2444 (Office)
916.798.9439 (Mobile)
PRIDE Industries
[EMAIL PROTECTED]
http://www.prideindustries.com

The winner (of an air battle) may have been determined by the amount of time, 
energy, thought and training an individual has
previously accomplished in an effort to increase his ability as a fighter pilot.
Commander Randy "Duke" Cunningham, USN, 5 Victories, Vietnam Conflict
  



RE: [2.64] FORGED_MUA_OUTLOOK buggy

2005-01-04 Thread Ray Anderson
> meta FORGED_MUA_OUTLOOK   (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
> meta __FORGED_OE   (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__UNUSABLE_MSGID)
> header __OE_MSGID_1   MESSAGEID =~ /^<[EMAIL PROTECTED]>$/m
> header __OE_MSGID_2   MESSAGEID =~ /^<(?:[0-9a-f]{8}|[0-9a-f]{12})[EMAIL PROTECTED]>$/m
> 
> 
> What is the best approach with stuff like this - should I 
> simply carry on and 
> open a bugreport or is best to bring it up here first?
> 

I tried to deal with this one and got told to upgrade, which I cannot do at
this time.

I finally had to put a score in my local.cf that reduces the score to zero.

-=Ray
--
Ray Anderson
R&B Communications
530.478.1137
[EMAIL PROTECTED]
http://www.rb-com.com
--
As a fighter pilot I knew from my own experiences how decisive surprise and
luck can be for a success, which in the long run only comes to the one who
combines daring with cool thinking.
Lt. General Adolph Galland, Luftwaffe



Spamassassin help

2004-12-22 Thread Ray Anderson
Second attempt:

Greetings, I've been using spamassassin 2.55 for a while now on Mandrake 9.2.

I have a list of URL's that are grouped to form a pretty big meta tag, and this 
has worked great for years now.  Recently, one
dirtbag message has found a way through the defenses and I can't figure out 
where it's breaking.  The interesting thing is that if I
forward this message to myself it works fine, and uses my custom body checks.

I have verified that womenhavebeen.com *IS* in my body_checks list (in my 
local.cf), but it seems that spamassassin just ignores the
body_checks on the original message.

Does anyone have any clue as to why this is happening?

Many thanks in advance,

Original message




Original message spamassassin headers:

X-Spam-Status: No, hits=0.1 required=3.0
tests=HTML_MESSAGE
version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)


And when I forward the message to myself, I get the following headers:

X-Spam-Status: Yes, hits=75.1 required=3.0
tests=FORGED_MUA_OUTLOOK,MISSING_OUTLOOK_NAME,
  rays_body_checks
version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
====


-=Ray
----
Ray Anderson
System Development Manager
916.788.2444 (Office)
916.798.9439 (Mobile)
PRIDE Industries
[EMAIL PROTECTED]
http://www.prideindustries.com

One of the secrets of air fighting was to see the other man first. Seeing 
airplanes from great distances was a question of
experience and training, of knowing where to look and what to look for. 
Experienced pilots always saw more than the newcomers,
because the latter were more concerned with flying than fighting. The novice 
had little idea of the situation, because his brain
was bewildered by the shock and ferocity of the fight.
Air Vice-Marshal J.E. "Johnnie" Johnson, RAF



RE: SPF, ALL_TRUSTED Confusion was RE: Default SURBL scores low?

2004-10-15 Thread Ray
There are bugtrack entries for the ALL_TRUSTED problem that you are
describing.  On my own network we were seeing all spam hit with -3.3 on
ALL_TRUSTED.  We are using SA on Postfix as a "man in the middle" relay from
our AV to our main mail server.

MAIL <--> Postfix+SA <--> AV <--> Internet

The current theory is that the headers coming from the AV server are
triggering the ALL_TRUSTED rule to fire.  This may or may not be related to
other bugtrack entries for ALL_TRUSTED.  Maybe one of the developers could
address this better.

In the meantime it is easy to just leave the ALL_TRUSTED 0 in your local.cf

Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components

-Original Message-
From: Potato Chip [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 15, 2004 9:31 AM
To: users@spamassassin.apache.org
Subject: SPF, ALL_TRUSTED Confusion was RE: Default SURBL scores low?


Thank you everyone for your input and for directing me to the real problem
-- SPF. For now, I have had to score ALL_TRUSTED -0.01 but would still like
to get to the bottom of this SPF, TRUSTED issue.

I have a spam which hits ALL_TRUSTED. I've attached the "spamassassin -D <
spam" output below. I've excerpted some of the relevant SPF output:
debug: metadata: X-Spam-Relays-Trusted: [ ip=80.110.248.122
rdns=chello080110248122.118.11.vie.surfer.at
helo=chello080110248122.118.11.vie.surfer.at by=dbox.jline.com ident=
envfrom= intl=0 id=1CDRsz-0001DQ-LQ ]
debug: metadata: X-Spam-Relays-Untrusted: 
debug: all '*From' addrs: [EMAIL PROTECTED]
debug: SPF: message was delivered entirely via trusted relays, not
required

From my limited understanding of SPF, the relay should be an UNTRUSTED
server.
# dig frontier.net txt
==> 
;; ANSWER SECTION:
frontier.net.   26222   IN  TXT "v=spf1
ip4:66.118.220.14 ip4:66.118.220.16 ip4:66.118.193.229 -all"

However, the sending MTA is ip=80.110.248.122
rdns=chello080110248122.118.11.vie.surfer.at which is not listed in the SPF
txt block. "-all" should make the SPF test fail.

Does anyone with a better eye than I, see the problem?

Jae

# spamassassin -D < myspam
debug: SpamAssassin version 3.0.0
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/home/BLOCK/bin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/bin/X11', keeping.
debug: PATH included '/usr/games', keeping.
debug: Final PATH set to:
/home/BLOCK/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
debug: using "/etc/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/spamassassin/init.pre
debug: using "/usr/share/spamassassin" for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /usr/share/spamassassin/30_text_de.cf
debug: config: read file /usr/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/share/spamassassin/50_scores.cf
debug: config: read file /usr/share/spamassassin/60_whitelist.cf
debug: config: read file /usr/share/spamassassin/65_debian.cf
debug: using "/etc/spamassassin" for site rules dir
debug: config: read file /etc/spamassassin/local.cf
debug: using "/home/BLOCK/.spamassassin" for user state dir
debug: using "/home/BLOCK/.spamassassin/user_prefs" for user prefs file
debug: config: read f
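What Jae's debug lines show is the trust-path logic at work: the only relay in the Received trail landed in X-Spam-Relays-Trusted, so there was no untrusted relay left to test against the SPF record, SPF was reported "not required", and ALL_TRUSTED scored. The practical fix on the defender's side is an explicit trusted_networks line in local.cf that covers your own MTA and the AV relay in front of it and nothing else, so the first hop outside that range is the one SPF is evaluated against. The Python below is an added illustration, not SpamAssassin's code: it parses a constructed Received trail (the external relay and the frontier.net record are taken from the thread; the internal hop uses the 192.0.2.0/24 documentation range and example.invalid host names, both mine), splits it into trusted and untrusted relays for a given trusted_networks list, and evaluates the ip4/all mechanisms of the SPF record against the first untrusted relay. The over-broad list in the second call is a constructed misconfiguration that reproduces the symptom, not a claim about what 3.0.0 inferred on Jae's box.

```python
import ipaddress
import re

# Shape of a typical Received line: "from HELO (RDNS [IP]) by HOST ...".
RECEIVED_RE = re.compile(
    r'from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9.]+)\]\)'
    r'\s+by\s+(?P<by>\S+)', re.I)

# Constructed Received trail, most recent hop first, following the topology
# in Ray's reply (Internet -> AV relay -> Postfix+SA). The external relay is
# the one from Jae's debug output; the internal hosts and ids are invented.
RECEIVED = [
    'from av.example.invalid (av.example.invalid [192.0.2.20]) '
    'by mx.example.invalid (Postfix) with ESMTP id ABCDEF',
    'from chello080110248122.118.11.vie.surfer.at '
    '(chello080110248122.118.11.vie.surfer.at [80.110.248.122]) '
    'by av.example.invalid with esmtp id 1CDRsz-0001DQ-LQ',
]

# The frontier.net record quoted in the thread.
FRONTIER_SPF = 'v=spf1 ip4:66.118.220.14 ip4:66.118.220.16 ip4:66.118.193.229 -all'

QUALIFIER = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def parse_received(headers):
    """Extract helo/rdns/ip/by from each Received header, most recent first."""
    relays = []
    for h in headers:
        m = RECEIVED_RE.search(' '.join(h.split()))
        if m:
            relays.append({'ip': m['ip'], 'rdns': m['rdns'] or '',
                           'helo': m['helo'], 'by': m['by']})
    return relays


def split_relays(relays, trusted_networks):
    """Walk from our own MTA outwards; the trusted run stops at the first
    relay outside trusted_networks and everything beyond it is untrusted."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    trusted, untrusted = [], []
    for r in relays:
        ip = ipaddress.ip_address(r['ip'])
        if not untrusted and any(ip in n for n in nets):
            trusted.append(r)
        else:
            untrusted.append(r)
    return trusted, untrusted


def spf_check(record, ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for ip.
    include/a/mx/exists need DNS lookups and are reported as 'unsupported'."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        return 'none'
    for term in terms[1:]:
        qual = '+'
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.lower() == 'all':
            return QUALIFIER[qual]
        if term.lower().startswith(('ip4:', 'ip6:')):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
        else:
            return 'unsupported'
    return 'neutral'   # no mechanism matched and no "all" term


def evaluate(headers, trusted_networks, spf_record):
    """Mirror the decision in the debug output: with no untrusted relay
    ALL_TRUSTED applies and SPF is not required; otherwise SPF is checked
    against the first untrusted relay."""
    trusted, untrusted = split_relays(parse_received(headers), trusted_networks)
    if not untrusted:
        return {'ALL_TRUSTED': True, 'spf': 'skipped'}
    return {'ALL_TRUSTED': False,
            'spf': spf_check(spf_record, untrusted[0]['ip'])}


if __name__ == '__main__':
    print('explicit trusted_networks:',
          evaluate(RECEIVED, ['192.0.2.0/24'], FRONTIER_SPF))
    print('over-broad trusted_networks:',
          evaluate(RECEIVED, ['192.0.2.0/24', '80.110.0.0/16'], FRONTIER_SPF))
```

With the tight list the external chello relay is untrusted and the -all in the frontier.net record yields an SPF fail, which is what Jae expected; once the list also swallows that relay, nothing is left to check and the result collapses to ALL_TRUSTED with SPF skipped.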

RE: Bayes R/O tie failed with SA 3.0

2004-10-03 Thread Ray
I had the exact same problem.  I ran the sa-learn --sync as root instead of
the user I have in the spamd startup script.  In my case I have spamd -u
spamduser.  So I just simply went to the bayes folder as root and did a
chown to make spamduser the owner of all the bayes files again, and
restarted spamd.


Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components

-Original Message-
From: Asif Iqbal [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 02, 2004 2:02 PM
To: [EMAIL PROTECTED]
Subject: Bayes R/O tie failed with SA 3.0


Hi All

I just upgraded my SA from 2.63 to 3.0. I did the sa-learn --sync after the
upgrade and the restarted spamd. Now I am seeing this error in the log

@4000415f15ec35d6286c Cannot open bayes databases
/etc/mail/spamassassin/bayes_* R/O: tie failed: Permission denied
@4000415f15f0255793f4 2004-10-02 20:56:06 [19857] i: clean message
(0.0/5.0) for [EMAIL PROTECTED]:7794 in 3.7 seconds, 2187 bytes.
@4000415f15f0255cfeac 2004-10-02 20:56:06 [19857] i: result: .  0 -
scantime=3.7,size=2187,mid=<[EMAIL PROTECTED]
04.AD.QINTRA.COM>,autolearn=failed

Has anyone else seen the same error?

Any help/suggestion to fix this issue is greatly appreciated


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
"...it said: Install Windows XP or better...so I installed Solaris..."



ALL_TRUSTED

2004-09-23 Thread Ray
I see this is already in bugzilla.  Should we just deprecate that rule for
now?  It is really screwing up my scores.


Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components
PH:  408-782-5420
FX:  408-782-5421 




t/prefs_include fails

2004-09-23 Thread Ray
Hi all,

Trying to install from CPAN and get the following message on make test.

t/prefs_include.Not found: qp-encoded-desc =  Invalid Date:
header =ae =af =b0 foo
# Failed test 1 in t/SATest.pm at line 530
t/prefs_include.FAILED test 1
Failed 1/2 tests, 50.00% okay

Any ideas?

Thanks!

Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components