Google Safe Browsing plugin?

2017-04-25 Thread Richard Mealing
Hi everyone,

I want to try and detect malicious URIs in the body of emails better, and thought 
there might be something I could use, since I imagine Google has a good list 
of them. I found this link, but it fails to install.

http://search.cpan.org/~danborn/Bundle-SafeBrowsing/lib/Bundle/SafeBrowsing.pm

I'm using FreeBSD. Does anyone use this? Or do you have any other suggestions?

Thanks,
Rich
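How a Safe Browsing lookup actually works, as an added example that is not part of the original post and not code from the Bundle::SafeBrowsing module: the client never sends the URL itself. It canonicalises the URL, expands it into host-suffix/path-prefix expressions, SHA-256 hashes each expression and compares the first four bytes against a locally downloaded prefix list; only a prefix hit triggers a request to the server for the full hashes. The Python below (standard library only) implements that expansion and prefix match. The canonicalisation step is deliberately reduced, and `extract_urls`, `LOCAL_PREFIXES`, the mail body and the hostnames are constructed for this illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed for the example: a deliberately simple URL matcher for plain-text bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Pull http(s) URLs out of a decoded, plain-text mail body.
    Trailing punctuation that belongs to the prose, not the URL, is stripped."""
    return [u.rstrip(".,;:)>\"'") for u in URL_RE.findall(body)]


def canonical_host_path(url):
    """Reduced canonicalisation (assumption: no percent-encoding or dot
    segments in the input). The real client also decodes %xx, collapses
    /./ and /../, normalises IP literals and drops the fragment."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().strip(".")
    path = parts.path or "/"
    return host, path, parts.query


def host_suffixes(host):
    """Exact host, then up to four suffixes taken from the last five labels,
    never the bare TLD. IPv4 literals get the exact host only."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return [host]
    start = max(len(labels) - 5, 1)
    return [host] + [".".join(labels[i:]) for i in range(start, len(labels) - 1)]


def path_prefixes(path, query):
    """Exact path with query, exact path without query, then '/' and up to
    three directory prefixes below it (four prefixes counting the root)."""
    out = [path + "?" + query] if query else []
    out.append(path)
    comps = [c for c in path.split("/") if c]
    dirs = comps if path.endswith("/") else comps[:-1]   # last component is a file
    prefixes = ["/"]
    for d in dirs[:3]:
        prefixes.append(prefixes[-1] + d + "/")
    for p in prefixes:
        if p not in out:
            out.append(p)
    return out


def url_expressions(url):
    """Every host-suffix/path-prefix combination the list is keyed on."""
    host, path, query = canonical_host_path(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, query)]


def hash_prefix(expression, length=4):
    """The first `length` bytes of SHA-256 over the expression."""
    return hashlib.sha256(expression.encode("utf-8")).digest()[:length]


def prefix_hits(url, local_prefixes):
    """Expressions of `url` whose 4-byte prefix is in the locally stored set.
    A hit is only a candidate: the real client fetches the full hashes from
    the server before treating the URL as listed."""
    return [e for e in url_expressions(url) if hash_prefix(e) in local_prefixes]


# Constructed stand-in for a downloaded prefix list: one listed host.
LOCAL_PREFIXES = {hash_prefix("bad.example.test/")}

if __name__ == "__main__":
    # Constructed sample body; both hostnames are placeholders.
    body = ("Your account needs attention, visit "
            "http://www.bad.example.test/login/index.php?x=1 today, "
            "or see https://good.example.test/help.")
    for u in extract_urls(body):
        print(u, "->", prefix_hits(u, LOCAL_PREFIXES) or "no prefix hit")
```

Run it directly to see which extracted URL produces a prefix hit. A hit is a reason to fetch full hashes (or, in a SpamAssassin setting, to add a score), not proof by itself, and the full canonicalisation rules from the Safe Browsing documentation must be applied before hashing or the prefixes will not line up with the downloaded list.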


RE: Image spam - FuzzyOCR?

2016-09-01 Thread Richard Mealing
>-Original Message-
>From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
>Sent: Thursday, September 1, 2016 14:30
>To: users@spamassassin.apache.org
>Subject: Re: Image spam - FuzzyOCR? 

>>On Wed, 31 Aug 2016 12:55:15 + Richard Mealing wrote:
>>> 2)  I'm getting some horny date spam coming through with just
>>> images and text inside an image at the bottom. My Bayes seems to be 
>>> scoring this with -1.90 BAYES_00. I keep sending this to my database 
>>> as spam but I'm not sure how many I need to feed it and I don't get 
>>> much.

>On 01.09.16 14:25, RW wrote:
>>It's not a good sign when spam resists being trained away from BAYES_00.
>>
>>IIWY I'd reset the database and, if possible, turn off autotraining and 
>>train manually.
>>
>>Also you might want to set:
>>
>>  bayes_token_sources  all
>>
>>This adds in mimepart hashes, which may help Bayes identify repeated 
>>images.

>I think what happens more often is that the training data are sent to the wrong 
>user.
>When using amavis, training must be done as the 'amavis' user, or whatever user 
>amavis runs as.

I'm scanning for quite a few different domains (100+) and I'm not that familiar 
with how Bayes works - I can't really find much documentation. TBH it seems to 
be working fine and scoring quite well, but there are instances where it fails.
Also I am using it through SQL - 

use_bayes 1
bayes_auto_learn 1
bayes_auto_expire 1
bayes_store_module  Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn   DBI:mysql:sa_bayes:x.x.x.x:3306
bayes_sql_username  sa_user
bayes_sql_password   


I need to do more reading on how to make it better, but I have a few dormant 
domains delivering emails to a POP box; I rsync that to my filtering server 
and run sa-learn using a bash script. I read this isn't recommended, 
though, but I would have thought that with a domain that no one should know about, 
like a honeypot, this should be OK? Maybe I should just rethink the whole 
thing. 
I remember someone telling me about that flesh plugin. I'm sure it was my boss! 
Was it not called pornsweeper? Looks like the DNS was removed for the website, 
but I looked at Google's cached copy. 

Thanks for all your advice, it is much appreciated. 

>--
>Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>"Where do you want to go to die?" [Microsoft]


Image spam - FuzzyOCR?

2016-08-31 Thread Richard Mealing
Hi everyone,

I am looking at FuzzyOCR to detect more image spam and I had a couple of 
questions:


1)  Is this being used? Does it detect image spam, or should I be looking 
at something else?

2)  I'm getting some horny date spam coming through with just images and 
text inside an image at the bottom. My Bayes seems to be scoring this with 
-1.90 BAYES_00. I keep sending this to my database as spam but I'm not sure how 
many I need to feed it, and I don't get much. Are there any other means of 
feeding Bayes with image spam (or any spam really) from a source on the 
internet? Or is that a bad idea, since that's not my spam?

3)  If I use FuzzyOCR on FreeBSD, how does it get updated?

4)  I installed it from the ports and I had to install tesseract or I got a 
dependency warning message. Now I still get a warning - "warn: FuzzyOcr: Cannot 
find executable for gifinter" - is this normal? How should I avoid this error, 
since I can't find gifinter in the ports tree?

Thanks,
Rich



RE: KAM error?

2016-04-26 Thread Richard Mealing
-Original Message-
From: RW [mailto:rwmailli...@googlemail.com] 
Sent: 25 April 2016 13:13
To: users@spamassassin.apache.org
Subject: Re: KAM error?

On Mon, 25 Apr 2016 11:43:07 +
Richard Mealing wrote:

> Hi everyone,
> 
> I'm seeing this a bit on google, but I'm not quite sure of the fix.

on Google?

- Yes, apologies. I was searching for this error on Google and could not find 
much - only "reinstall spamassassin"!

> Apr 25 12:41:21.264 [49367] warn: rules: failed to run __KAM_SPF_NONE test, 
> skipping:
> Apr 25 12:41:21.264 [49367] warn:  (Can't locate object method 
> "check_for_spf_none" via package "Mail: [...]:SpamAssassin::PerMsgStatus" at 
> (eval 2219) line 825.
> Apr 25 12:41:21.264 [49367] warn: )
> Apr 25 12:41:23.300 [49367] warn: lint: 1 issues detected, please rerun with 
> debug enabled for more information
> 
> Could someone point me to a link or something as I would really quite 
> like to use KAM if possible. Or should I not be using it?


__KAM_SPF_NONE is just a duplicate of the ordinary rule SPF_NONE.

The first thing I'd do is run spamassassin --lint and see what the error 
is. 

- Thanks. That was actually a --lint. I was using a milter on my MTA to 
check for SPF, then using a header rule in SA, which broke this, so I have now 
disabled that and it seems to be working! I have another question though - 

How often does KAM.cf get updated? Last I can see is March 30th. I'm just 
wondering if I should add something to cron say once per month?

Thanks,
Rich


KAM error?

2016-04-25 Thread Richard Mealing
Hi everyone,

I'm seeing this a bit on Google, but I'm not quite sure of the fix.

Apr 25 12:41:21.264 [49367] warn: rules: failed to run __KAM_SPF_NONE test, 
skipping:
Apr 25 12:41:21.264 [49367] warn:  (Can't locate object method 
"check_for_spf_none" via package "Mail: [...]:SpamAssassin::PerMsgStatus" at 
(eval 2219) line 825.
Apr 25 12:41:21.264 [49367] warn: )
Apr 25 12:41:23.300 [49367] warn: lint: 1 issues detected, please rerun with 
debug enabled for more information

Could someone point me to a link or something as I would really quite like to 
use KAM if possible. Or should I not be using it?

Thanks,
Rich


RE: XPRIO - Can you help me?

2016-04-12 Thread Richard Mealing

-Original Message-
From: Reindl Harald [mailto:h.rei...@thelounge.net] 
Sent: 12 April 2016 16:15
To: users@spamassassin.apache.org
Subject: Re: XPRIO - Can you help me?

Am 12.04.2016 um 16:40 schrieb John Hardin:
> On Tue, 12 Apr 2016, Richard Mealing wrote:
>
>> I have come across a strange issue where I need some guidance to debug.
>>
>> I just can't understand why one of the servers will not fire on my 
>> XPRIO rule. Both the headers have the same information pretty much.
>>
>> I've checked the spamassassin debug and they both have the same 
>> LOCAL_STATE_DIR=/var/db/spamassassin.
>>
>> The machine that does not fire the rule has this rule in the 
>> /var/db/spamassassin/3.004001/updates_spamassassin_org/10_hasbase.cf
>> file.
>> The machine that works and fires the rule has it set in this file - 
>> /var/db/spamassassin/3.004000/updates_spamassassin_org/10_hasbase.cf
>
> That's odd. XPRIO should be in 72_active.cf as it's a sandbox rule...

it *is* there

/var/lib/spamassassin/3.004001/updates_spamassassin_org/10_hasbase.cf
just contains "header __XPRIO exists:X-Priority" and the same for 
/usr/share/spamassassin/10_hasbase.cf

/var/lib/spamassassin/3.004001/updates_spamassassin_org]$ find.sh XPRIO cf 
/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf
/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_scores.cf
/var/lib/spamassassin/3.004001/updates_spamassassin_org/10_hasbase.cf


--

I'm learning as I go here! Thanks so much for your help. It makes so much sense 
now - the server that was working did not have the DKIM plugin enabled, so 
actually it was scoring way too high! I'm surprised it did that, but now that I have 
enabled it I probably won't see this rule hit a lot going forward. It will 
certainly fix some FPs.

Thanks again.
Rich


XPRIO - Can you help me?

2016-04-12 Thread Richard Mealing
Hi everyone,

I have come across a strange issue where I need some guidance to debug.

I have 2 servers and when an email filters through 1 of them, I get this back -

(not cached, score=5.403,required 4,
BAYES_50 0.80,
HTML_IMAGE_ONLY_28 1.40,
HTML_MESSAGE 0.30,
HTML_MIME_NO_HTML_TAG 0.38,
LOCAL_MARKETING_RULE 0.30,
LOCAL_MARKETING_RULE2 1.00,
MIME_HTML_ONLY 0.72,
RCVD_IN_DNSWL_NONE -0.00,
SPF_CHECK_PASS -1.50,
XPRIO 2.00

Then when I send a similar email with the same x-priority header through the 
second server I get this back -

(not cached, score=0.2, required 4
BAYES_20 -0.00,
DKIM_SIGNED 0.10,
DKIM_VALID -0.10,
DKIM_VALID_AU -0.10,
HTML_IMAGE_ONLY_32 0.00,
HTML_MESSAGE 0.30,
HTML_MIME_NO_HTML_TAG 0.38,
LOCAL_FAX4_RULE 0.10,
LOCAL_MARKETING_RULE 0.30,
LOCAL_MARKETING_RULE2 1.00,
MIME_HTML_ONLY 0.72,
RCVD_IN_DNSWL_NONE -0.00,
SPF_CHECK_PASS -1.50,
SPF_PASS -1.00

I just can't understand why one of the servers will not fire on my XPRIO rule. 
Both the headers have the same information pretty much.

I've checked the spamassassin debug and they both have the same 
LOCAL_STATE_DIR=/var/db/spamassassin.

The machine that does not fire the rule has this rule in the 
/var/db/spamassassin/3.004001/updates_spamassassin_org/10_hasbase.cf file.
The machine that works and fires the rule has it set in this file - 
/var/db/spamassassin/3.004000/updates_spamassassin_org/10_hasbase.cf

The machine that works -

grep " XPRIO " /var/log/maillog | wc -l
 630

The machine that does not work -

grep " XPRIO " /var/log/maillog
# (so nothing)

Can you tell me how I can debug this? I don't see any mention of this rule in 
the debug output, which I have sent to a file. I can provide this output on 
Pastebin or something if you need it. I can't really see any problems. The 
machine that works has an older version of SA installed. I'm stumped!

Thanks,
Rich



RE: New rules..

2015-11-03 Thread Richard Mealing


-Original Message-
From: John Hardin [mailto:jhar...@impsec.org] 
Sent: 03 November 2015 17:18
To: users@spamassassin.apache.org
Subject: RE: New rules..

On Tue, 3 Nov 2015, Richard Mealing wrote:

> So I'm looking for something that would block this -
>
> fastnet.co.uk.12056010.bob.jones885@vmta27.toprea...
>
> I was thinking of just creating a rule to sort this out with something 
> like - ^fastnet\.co\.uk.\d+..*@
>
> # match the address part only, so a display name before <...> does not defeat the ^ anchor
> header   FROM_IS_FAKE_FASTNET  From:addr =~ /^fastnet\.co\.uk\.\d+\.[^@]+@/i
> score    FROM_IS_FAKE_FASTNET  1.0
> describe FROM_IS_FAKE_FASTNET  From local part starts with fastnet.co.uk.<digits>.
>
> But I wondered if there was a better way to do it. Would this work, do 
> you think? Obviously this would only catch the items on my own domain, 
> so it's not a brilliant solution. I was wondering if anyone wrote 
> something better.

So, to generalize the pattern: *your* (the recipient) domain is
(somewhere) in the username part of the From email address?


Hi John - Yup!
From address is - fastnet.co.uk.12056010.bob.jones885@vmta27.toprea...
It's not actually that, but similar. We are seeing this quite a bit and I 
wondered if anyone else was. I guess not? 

Thanks,
Rich
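The generalised check John Hardin describes, the recipient's own domain turning up as a dotted token inside the local part of a From address that really belongs to some other domain, as an added Python example that is not part of this thread or of SpamAssassin: `PROTECTED_DOMAINS`, the sending hostnames and the sample headers are constructed for the illustration.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the domains the filter is protecting.
PROTECTED_DOMAINS = ("fastnet.co.uk", "example.net")

# A protected domain only counts as "embedded" when it is a whole token,
# delimited by the characters spammers use to glue it into a local part
# (. _ -), so "fastnet.co.uk.12056010.bob" hits but "myfastnet.co.ukx" does not.
_DELIM = r"(?:^|[._-])"


def domain_in_local_part(from_header, protected=PROTECTED_DOMAINS):
    """Return the protected domain embedded in the local part of the From
    address, or None when the pattern is absent.

    Mail whose actual domain is the protected one (or a subdomain of it)
    is never flagged; that is the false-positive case a plain substring
    match would get wrong."""
    _display, addr = parseaddr(from_header)   # strips any "Display Name" <...>
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    local, domain = local.lower(), domain.lower()
    for d in protected:
        d = d.lower()
        if domain == d or domain.endswith("." + d):
            continue  # genuinely ours, nothing to flag
        if re.search(_DELIM + re.escape(d) + r"(?:[._-]|$)", local):
            return d
    return None


def score_from_header(from_header, hit_score=1.0):
    """Score contribution the rule would add: hit_score on a hit, else 0.0."""
    return hit_score if domain_in_local_part(from_header) else 0.0


if __name__ == "__main__":
    # Constructed sample From: headers; the sending host is a placeholder.
    samples = [
        "fastnet.co.uk.12056010.bob.jones885@vmta27.example.com",
        '"Bob Jones" <fastnet.co.uk.12056010.bob.jones885@vmta27.example.com>',
        "bob.jones@fastnet.co.uk",
        "news@mail.fastnet.co.uk",
        "myfastnet.co.ukx@vmta27.example.com",
    ]
    for s in samples:
        print(f"{score_from_header(s):.1f}  {s}")
```

The same logic maps onto a SpamAssassin header rule on From:addr once the domain list is fixed; the point of doing it in code first is to check the display-name, subdomain and token-boundary cases before the rule goes live.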


RE: New rules..

2015-11-03 Thread Richard Mealing



From: Joe Quinn [mailto:jqu...@pccc.com]
Sent: 02 November 2015 17:13
To: users@spamassassin.apache.org
Subject: Re: New rules..

On 11/2/2015 12:00 PM, Richard Mealing wrote:
> Hi there,
>
> Would this be the best list to talk about new rules for spamassassin?
> I'm new here..
>
> Thanks,
> Rich

This would be an excellent place, yes. The more technical discussion for things 
like bugs in eval rules will generally happen in dev@ but there can be some 
overlap.



So I'm looking for something that would block this -

fastnet.co.uk.12056010.bob.jones885@vmta27.toprea...

I was thinking of just creating a rule to sort this out with something like - 
^fastnet\.co\.uk.\d+..*@

# match the address part only, so a display name before <...> does not defeat the ^ anchor
header   FROM_IS_FAKE_FASTNET  From:addr =~ /^fastnet\.co\.uk\.\d+\.[^@]+@/i
score    FROM_IS_FAKE_FASTNET  1.0
describe FROM_IS_FAKE_FASTNET  From local part starts with fastnet.co.uk.<digits>.

But I wondered if there was a better way to do it. Would this work, do you 
think? Obviously this would only catch the items on my own domain, so it's not 
a brilliant solution. I was wondering if anyone wrote something better.

Thanks,
Rich


New rules..

2015-11-02 Thread Richard Mealing
Hi there,

Would this be the best list to talk about new rules for spamassassin?
I'm new here..

Thanks,
Rich