RE: RDJ error

2008-06-27 Thread Rocco Scappatura
> > I launch every night:
> >
> > sa-update && rcamavisd restart
> >
> > I'd like to do so that also the 'sought ruleset' will be installed in the 
> > future. Is there a way to do so?
> 
> To add other rule sets, you need a few parameters to 
> sa-update.  Here is how I do it:
> 
> sa-update --channelfile /root/sare-sa-update-channels.txt --gpgkey 856AA88A && /usr/local/etc/rc.d/amavisd restart
> 
> Where the key 856AA88A is for the SARE rules.  The 
> sare-sa-update-channels.txt file is this:
> 
> --cut here--
> # sa-update --channelfile sare-sa-update-channels.txt --gpgkey 856AA88A
> # see also http://wiki.apache.org/spamassassin/SareChannels
> updates.spamassassin.org
> 70_sare_adult.cf.sare.sa-update.dostech.net
> 70_sare_evilnum0.cf.sare.sa-update.dostech.net
> 70_sare_evilnum1.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj0.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj1.cf.sare.sa-update.dostech.net
> 70_sare_header_0.cf.sare.sa-update.dostech.net
> 70_sare_header_1.cf.sare.sa-update.dostech.net
> 70_sare_html0.cf.sare.sa-update.dostech.net
> 70_sare_html1.cf.sare.sa-update.dostech.net
> 70_sare_obfu0.cf.sare.sa-update.dostech.net
> 70_sare_obfu1.cf.sare.sa-update.dostech.net
> 70_sare_oem.cf.sare.sa-update.dostech.net
> 70_sare_random.cf.sare.sa-update.dostech.net
> 70_sare_specific.cf.sare.sa-update.dostech.net
> 70_sare_spoof.cf.sare.sa-update.dostech.net
> 70_sare_stocks.cf.sare.sa-update.dostech.net
> 70_sare_unsub.cf.sare.sa-update.dostech.net
> 70_sare_uri0.cf.sare.sa-update.dostech.net
> 70_sare_uri1.cf.sare.sa-update.dostech.net
> 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
> 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
> --cut here--
> 
> 
> So I get the spam assassin updates and SARE rules I want.
> 
> If you want to add the sought rules, just add the necessary 
> parts to the file and command line.
> 

var/lib/spamassassin/3.002004 # ls
sought_rules_yerp_org updates_spamassassin_org
sought_rules_yerp_org.cf  updates_spamassassin_org.cf

Great! Now every time that I launch

sa-update && rcamavisd restart

also the ruleset listed in sought_rules_yerp_org.cf will be updated..
Right?

Still thanks,

rocsca
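
A cron wrapper around the sa-update invocation quoted above, as an added example that is not part of the thread. The channel file path, key id and `rcamavisd restart` come from the messages; the `*_CMD` variables and function names are hypothetical, and the wrapper relies on sa-update's documented exit codes (0 = updates installed, 1 = no fresh updates, higher = error).

```shell
#!/bin/sh
# Added example, not from the thread. The channel file path and key id are the
# ones quoted above; the *_CMD variables are hypothetical hooks that let the
# real commands be swapped out (for testing, or for a different init script).
CHANNEL_FILE=${CHANNEL_FILE:-/root/sare-sa-update-channels.txt}
GPG_KEYS=${GPG_KEYS:-856AA88A}            # space-separated; one --gpgkey each
SA_UPDATE_CMD=${SA_UPDATE_CMD:-sa-update}
LINT_CMD=${LINT_CMD:-spamassassin --lint}
RESTART_CMD=${RESTART_CMD:-rcamavisd restart}

# Print the channel names in file $1, dropping comments and blank lines.
list_channels() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Exit status: 0 = new rules installed, linted, scanner restarted
#              1 = no fresh updates (sa-update exit code 1), nothing touched
#              2 = failure; the scanner keeps running on its current rules
nightly_update() {
    [ -r "$CHANNEL_FILE" ] || { echo "cannot read $CHANNEL_FILE" >&2; return 2; }
    [ -n "$(list_channels "$CHANNEL_FILE")" ] || { echo "no channels listed" >&2; return 2; }

    # One --gpgkey option per trusted key id.
    key_args=
    for key in $GPG_KEYS; do
        key_args="$key_args --gpgkey $key"
    done

    update_rc=0
    $SA_UPDATE_CMD --channelfile "$CHANNEL_FILE" $key_args || update_rc=$?
    case $update_rc in
        0) ;;
        1) return 1 ;;
        *) echo "sa-update failed (exit $update_rc), not restarting" >&2; return 2 ;;
    esac

    # Lint the whole configuration (local.cf included) before the restart.
    $LINT_CMD || { echo "lint failed after update, not restarting" >&2; return 2; }
    $RESTART_CMD || return 2
}

# Run from cron as: nightly-sa-update.sh run
if [ "${1:-}" = run ]; then
    nightly_update
    exit $?
fi
```

Because the wrapper returns 1 for "nothing new" and 2 for a real failure, cron mail can be limited to status 2.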


RE: RDJ error

2008-06-27 Thread Rocco Scappatura
> sa-update, not sa-learn.
> 
> http://wiki.apache.org/spamassassin/RuleUpdates
> 

Sorry. Thanks. I have not found there the info needed by me.. :-(

I launch every night:

sa-update && rcamavisd restart

I'd like to do so that also the 'sought ruleset' will be installed in the
future. Is there a way to do so?

Tnx,

rocsca


RE: RDJ error

2008-06-27 Thread Rocco Scappatura
> On 27.06.08 09:14, Rocco Scappatura wrote:
> > Has anyone experienced this error during an RDJ update? 
> > 
> > Lint output: [14250] warn: config: failed to parse line, 
> skipping, in
> > "/etc/mail/spamassassin/70_sare_evilnum0.cf":  > HTTP-EQUIV="Refresh" CONTENT="0.1"> [14250] warn: config: failed to 
> > parse line, skipping, in 
> "/etc/mail/spamassassin/70_sare_evilnum0.cf":
> >  [14250] warn: config:
> > failed to parse line, skipping, in
> > "/etc/mail/spamassassin/70_sare_evilnum0.cf":  HTTP-EQUIV="Expires"
> > CONTENT="-1"> [14250] warn: config: failed to parse line, 
> skipping, in
> > "/etc/mail/spamassassin/70_sare_evilnum0.cf":  [14250]
> > warn: lint: 4 issues detected, please rerun with debug enabled for 
> > more information
> > 
> > What is the action to be taken?
> 
> use sa-update, RDJ is afaik obsolete. 

OK.

BTW, with RDJ I could choose which rulesets to update automatically and which
not.

How could I set up sa-learn so that it updates rulesets different from the
standard ones, such as the 'sought ruleset'?

Thanks,

rocsca


RDJ error

2008-06-27 Thread Rocco Scappatura

Has anyone experienced this error during an RDJ update?

Lint output: [14250] warn: config: failed to parse line, skipping, in
"/etc/mail/spamassassin/70_sare_evilnum0.cf":  [14250] warn: config: failed to
parse line, skipping, in "/etc/mail/spamassassin/70_sare_evilnum0.cf":
 [14250] warn: config:
failed to parse line, skipping, in
"/etc/mail/spamassassin/70_sare_evilnum0.cf":  [14250] warn: config: failed to parse line, skipping, in
"/etc/mail/spamassassin/70_sare_evilnum0.cf":  [14250]
warn: lint: 4 issues detected, please rerun with debug enabled for more
information

What is the action to be taken?

Thanks,

rocsca


RE: SQL DB schema issue

2008-05-29 Thread Rocco Scappatura
> On May 28, 2008, at 10:38 AM, Rocco Scappatura wrote:
> 
> >
> > Hello,

Hello,

> > I'm using SA with SQL support under Amavisd-new. My DBMS is MySQL.
> >
> > I'm preparing another antispam server and I've installed the 
> > latest stable software available.
> >
> > I've dumped the bayes DB (schema + data) from an already working machine 
> > and I've restored them on the new machine.
> 
> 
> How did you do this dump?  Which tables did you get?


Thanks for your interest.. It was my fault.. In fact I have noted
that the 'amavis' user could not access all bayes DB tables other
than 'awl'..

Anyway, now all works fine..

Still thanks,

rocsca


SQL DB schema issue

2008-05-28 Thread Rocco Scappatura

Hello,

I'm using SA with SQL support under Amavisd-new. My DBMS is MySQL.

I'm preparing another antispam server and I've installed the latest
stable software available.

I've dumped the bayes DB (schema + data) from an already working machine and
I've restored them on the new machine.

But when I try to start amavisd in debug mode I get the following
errors:

May 28 17:37:29.010 av8.stt.vir /usr/local/sbin/amavisd[17102]:
SpamAssassin debug facilities: info
bayes: database version 0 is different than we understand (3), aborting!
at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/BayesStore/SQL.pm
line 136.
bayes: database version 0 is different than we understand (3), aborting!
at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/BayesStore/SQL.pm
line 136.
May 28 17:37:30.155 av8.stt.vir /usr/local/sbin/amavisd[17102]:
(!!)TROUBLE in pre_loop_hook: check: no loaded plugin implements
'check_main': cannot scan! at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line
164.
Suicide () TROUBLE in pre_loop_hook: check: no loaded plugin implements
'check_main': cannot scan! at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line
164.

While the version specified in the database is really '3'.

What could be the source of this error?

Thanks,

rocsca


RE: Too false negative

2008-02-28 Thread Rocco Scappatura
> --[ UxBoD ]-- wrote:
> > policyd works a treat :) V2 is also in development as well.
> >   
> 
> it's not the same. I don't know why they call it V2.
> As far as I know, Cami is no more involved. so I would stick 
> with the "current" (which is a single C threaded program).

So you still prefer policyd not policydV2..

Some questions:

- Does any web interface for policyd exist?
- I have different SMTP gateways, on each of which I have to install
policyd. Is it possible to share a single DB between the different
policyd servers?

For other possible question I will refer to policyd ML. :-)

Thanks,

rocsca


RE: Too false negative

2008-02-27 Thread Rocco Scappatura
> policyd works a treat :) V2 is also in development as well.

I will take into account your judgement..

:-)

rocsca


RE: Too false negative

2008-02-27 Thread Rocco Scappatura
> > What do I need to set up GL? Only the command below or is there 
> > some other parameter that I could set up (eg: the time spent 
> > before a message is accepted and so on)?
> >
> >   
> 
> of course, you need to install a policy server! Cami's 
> policyd is a good choice (it also has other features such as 
> throttling, blacklisting, ... 
> etc). for postfix config see below.

I already saw it quickly.. I hope its usage is not too 'invasive' with
my current system..

Anyway I will try to use it and I'll let you know..

Thanks,

rocsca


RE: Too false negative

2008-02-27 Thread Rocco Scappatura
> > And spammers are becoming faster as time goes on.. Is it 
> > convenient to use gray listing
> 
> newer bots retry, so GL is only effective if the time 
> interval is large enough, but that's not a neutral thing so 
> should be restricted to suspicious mail. That's what I use GL 
> for anyway.

What do I need to set up GL? Only the command below or is there
some other parameter that I could set up (eg: the time spent before
a message is accepted and so on)?

> the spam you showed has:
> 
> Received: from [125.128.59.158] (unknown [125.128.59.158]) 
> 
> 
> which means the client is "unknown" and it helo'ed with a 
> literal IP (it's from Korea too but let's ignore this). My 
> postfix has a check_helo_access with a pcre:
> 
> /^\[/  reject_unknown_client, policy_greylist
> 
> This rejects mail if the client is unknown and helo's with a 
> literal IP. 

It's very interesting.. In what restriction do I have to put the rules
above?

> I've not seen literal IPs in ham on an MX. Note that this 
> test must not be applied on an MSA: MUAs like Thunderbird do 
> helo with a literal IP.

In fact..

Indeed I'm not using MSA.. So this complicates the things.. :-(

> The test is run before DNSBL checks, so it saves some cycles 
> and reduces the load on DNSBL sites. these days, the test 
> catches about 15% of mail rejected at MTA time.
> 
> Note that reject_unknown_client returns a temp error, but 
> unlike GL, you'll need to whitelist the client if you want to 
> accept his mail). if this is a real issue, just remove the 
> reject_unknown_client part and leave the greylisting check. but

So you are saying that I have to WL the client that presents himself to
my server with an IP rather than a hostname?

And how could I whitelist that client?

> of course, this is mostly a temporary cure. if ratware learns 
> to helo with a hostname, it won't be caught. but let's fight 
> the spam of today for now ;-p

I agree.. Compliments for your exhaustive argumentation..

rocsca


Re: Too false negative

2008-02-26 Thread Rocco Scappatura

> % telnet yourserver 25
> ...
> EHLO somehostname
> ...
> MAIL FROM:
> ...
> RCPT TO:
> DATA
> copy-paste the message with full headers except the Delivered-To that
> contains your recipient address
> end with a line containing a dot ('.') like this:
> .
> QUIT

In fact I get:

Feb 26 23:07:50 av4 amavis[17589]: (17589-03) Blocked SPAM,
[] [] <[EMAIL PROTECTED]> -> <>,
quarantine: r/spam-rGPEbZ4mzhH4.gz, Message-ID:
<[EMAIL PROTECTED]>, mail_id: rGPEbZ4mzhH4, Hits: 7.193,
size: 4063, 1874 ms

And spammers are becoming faster as time goes on.. Is it
convenient to use gray listing or is there some other effective
technique that I could use to reduce false negatives?

Thanks,

rocsca



RE: URIBL

2008-02-26 Thread Rocco Scappatura



> Quoting Rocco Scappatura <[EMAIL PROTECTED]>:
>
>> Maybe, now is the case to set up a copy of zone locally on my server.. I've
>> about 1300K messages rejected per day!!
>
> Yes, you should not query 1.3 million messages per day on the public
> nameservers.  That would be considered abusive.

I am sorry.. I will try to implement the SURBL zone copy during
the next days.. Should this improve the performance of message scan?

rocsca



Re: Too false negative

2008-02-26 Thread Rocco Scappatura



> Rocco Scappatura wrote:
>>> [snip]
>>
>> Sorry It was not the case to send the entire email.. Here the
>> X-Spam-Status  after running the message against 'spamassassin -D':
>>
>> X-Spam-Status: Yes, score=11.2 required=5.0 tests=AWL,BAYES_50,HTML_MESSAGE,
>>  RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,
>>  URIBL_OB_SURBL,URIBL_SC_SURBL autolearn=unavailable version=3.2.4
>>
>> But it is really strange from amavisd-new log I see that the message is
>> passed as clean:
>>
>>
>
> the URL may have been added in $uri lists in the meantime. That said,
> make sure Bayes is using the right "user". rerun spamassassin as the
> amavisd user. if your Bayes db is in mysql, use
> bayes_sql_override_username to force a single user.

X-Spam-Status: Yes, score=6.3 required=5.0 tests=AWL,BAYES_50,HTML_MESSAGE,

RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SC_SURBL autolearn=unavailable version=3.2.4

What URL? What is $uri_list? I had already set bayes_sql_override_username:

[EMAIL PROTECTED]:/tmp> cat /etc/mail/spamassassin/local.cf | grep bayes_sql_override_username
bayes_sql_override_username amavis

Is it possible that there is a lack of spamhaus? I suppose that I query
the DNSBL much more than 100.000 times per day.. :-(

Thanks,

rocsca





RE: Too false negative

2008-02-26 Thread Rocco Scappatura
> > Since some days the number of SMTP connections rejected  by 
> my server 
> > is increased (maybe doubled). It doesn't worry me. But 
> there is a side 
> > effect because even the number of false negative is increased.
> >
> > For example, at the moment a spam message with this header is 
> > considered clean by Amavisd-new-2.5.3+SpamAssassin-3.2.4:
> >
> >   
> 
> > What do I have to do to make my system more reliable?
> >   
> The provided information isn't sufficient. Can you post the 
> X-Spam-Status for one of the affected emails?

Sorry It was not the case to send the entire email.. Here the
X-Spam-Status  after running the message against 'spamassassin -D':

X-Spam-Status: Yes, score=11.2 required=5.0 tests=AWL,BAYES_50,HTML_MESSAGE,
 RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,
 URIBL_OB_SURBL,URIBL_SC_SURBL autolearn=unavailable version=3.2.4

But it is really strange from amavisd-new log I see that the message is
passed as clean:

Feb 26 08:09:48 av4 amavis[18267]: (18267-12) Passed CLEAN,
[125.128.59.158] [125.128.59.158] <[EMAIL PROTECTED]> ->
>,>,>,
Message-ID: <[EMAIL PROTECTED]>, mail_id: kgXmlG1zg5ao,
Hits: 3.558, size: 3731, queued_as: 9D8E775037D, 2132 ms

rocsca


Too false negative

2008-02-26 Thread Rocco Scappatura
Hello,

Since some days the number of SMTP connections rejected  by my server is
increased (maybe doubled). It doesn't worry me. But there is a side
effect because even the number of false negative is increased.

For example, at the moment a spam message with this header is considered
clean by Amavisd-new-2.5.3+SpamAssassin-3.2.4:

Received: from  ([]) by ntfi10.hq.ignesti.it with
Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 Feb 2008 08:09:48 +0100
Received: from localhost (localhost [127.0.0.1]) by  (Postfix)
with ESMTP id 9D8E775037D; Tue, 26 Feb 2008 08:09:48 +0100 (CET)
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="_=_NextPart_004_01C87846.932E4D28"
Received: from  ([127.0.0.1]) by localhost (av4.stt.vir
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgXmlG1zg5ao; Tue,
26 Feb 2008 08:09:46 +0100 (CET)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: from [125.128.59.158] (unknown [125.128.59.158]) by 
(Postfix) with ESMTP id 9CF34750371; Tue, 26 Feb 2008 08:09:45 +0100
(CET)
Received: from [125.128.59.158] by dator.plaahn.com; Tue, 26 Feb 2008
16:38:13 +0900
Content-class: urn:content-classes:message
Subject: Comprate la forza per il pene, e salvate 85 %.
Date: Tue, 26 Feb 2008 08:38:13 +0100
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Comprate la forza per il pene, e salvate 85 %.
Thread-Index: Aca6QAN67HSGN9YGB40WPNS14XFFVQ==
From: "Wesley Hutchinson" <[EMAIL PROTECTED]>
To: "Mosconi Raoul" 

I use a PRE-LISTING :

reject_rbl_client zen.spamhaus.org
reject_rbl_client list.dsbl.org

And I update SA ruleset regularly with rules_du_jour and sa-update.

What do I have to do to make my system more reliable?

Thanks in advance,

rocsca


RE: URIBL

2008-02-25 Thread Rocco Scappatura



> Quoting Rocco Scappatura <[EMAIL PROTECTED]>:
>
>>> I have to
>>> > enable only the plugin with loadPlugin.
>>>
>>> ... and it's enabled by default, so you should be all set. :)
>>>
>>> > Then I have to use the command 'urirhssub' of the plugin
>>> URIDNSBL to
>>> > specify that I want to use SURBLs:
>>>
>>> ... the rules exist by default, so you should be all set. :)
>>
>> OK. So the SURBL on my gateway should already work.. But how could I
>> check this fact?
>>
>> rocsca
>>
>
> You should see many spams with the rules named SURBL hitting.  You can
> also try:
>
>spamassassin -D < message

In fact..

X-Spam-Status: Yes, score=9.573 tag=2 tag2=6.2 kill=6.31
tests=[ALL_TRUSTED=-1.8, AWL=0.583, BAYES_80=2, HTML_MESSAGE=0.001,
URIBL_AB_SURBL=1.86, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501,
URIBL_OB_SURBL=1.5, URIBL_SBL=1.499, URIBL_SC_SURBL=0.474]

SURBL works!

Maybe, now is the case to set up a copy of zone locally on my server.. I've
about 1300K messages rejected per day!!

Even though my customers complain about a lot of false negatives.. What more
can I do??

Thanks,

rocsca



RE: URIBL

2008-02-25 Thread Rocco Scappatura
> I have to 
> > enable only the plugin with loadPlugin.
> 
> ... and it's enabled by default, so you should be all set. :)
> 
> > Then I have to use the command 'urirhssub' of the plugin 
> URIDNSBL to 
> > specify that I want to use SURBLs:
> 
> ... the rules exist by default, so you should be all set. :)

OK. So the SURBL on my gateway should already work.. But how could I
check this fact?

rocsca


RE: URIBL

2008-02-21 Thread Rocco Scappatura
> HI, Rocco

Hi Luis,

> > I don't know what you mean for 'PRE QUEUE blacklist'.. 
> Anyway I would  
> > like to help SpamAssassin in scoring emails..
> >
> 
> He means a blacklist which runs IN the MTA, not at SA level, 
> when the MTA has accepted the message. It rejects spammers as 
> they connect, mostly based on their IP. I run Zen, from 
> Spamhaus here, with very good results.

Indeed, I'm using PRE QUEUE blacklist too (Zen from spamhaus, like you).

I get appreciable results, but during the last days I get an huge increase of 
rejected emails, but at the same time I get a major number of false negative.

So I want to lower the number of false negative.

rocsca


RE: URIBL

2008-02-21 Thread Rocco Scappatura

> Quoting Rocco Scappatura <[EMAIL PROTECTED]>:
> 
> 
> > I have looked at the SURBL site. If I have well understood 
> I have to 
> > enable only the plugin with loadPlugin.
> >
> > Then I have to use the command 'urirhssub' of the plugin 
> URIDNSBL to 
> > specify that I want to use SURBLs:
> >
> > urirhssub  URIBL_JP_SURBL  multi.surbl.org.  A  64
> > body       URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
> > describe   URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
> > tflags     URIBL_JP_SURBL  net
> >
> > score      URIBL_JP_SURBL  3.0
> >
> > Indeed, I have not understood a number of things:
> >
> > 1. Why I have to use 'URIBL_JP_SURBL' as 'NAME_OF_RULE'? Is it an 
> > arbitrary name or it exists a number of 'NAME_OF_RULE'?
> > 2. Does the body command have to specify 
> > 'eval:check_uridnsbl('NAME_OF_RULE')' where 'NAME_OF_RULE' 
> is the name 
> > of the rule specified as parameter of the command 'urirhssub'?
> > 3. tflags?
> > 4. score?
> > 5. Is there any simpler URIDNSBL plugin setting? Maybe a 
> default one?
> >
> > rocsca
> 
> 
> 
> If you want to use SURBL and URIBL all you need to do is 
> enable network tests:
> 
>http://www.surbl.org/faq.html#nettest
> 
> URI checking is built into SpamAssassin.

$sa_local_tests_only = 0;

I have already set in /etc/amavisd.conf:

$sa_local_tests_only = 0;

So you say that SURBL is already set?

rocsca


RE: URIBL

2008-02-21 Thread Rocco Scappatura
> > Anyway I heard talking about URIBL, which as I have understood is a 
> > quite different service (it blacklists 'domains' rather than 'IPs'). But is 
> > it maybe a dangerous practice to fight spam? Anyway, does anyone 
> > suggest me to use URIBL?
> 
> Are you looking for a PRE QUEUE blacklist? Or a way to help 
> score SpamAssassin emails?
> 
> URIBL (I think from spamcop/ironport/cisco) is already 
> included in modern SA builds.

I don't know what you mean for 'PRE QUEUE blacklist'.. Anyway I would
like to help SpamAssassin in scoring emails..

rocsca


RE: URIBL

2008-02-21 Thread Rocco Scappatura
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, February 20, 2008 8:08 PM
> To: users@spamassassin.apache.org
> Subject: Re: URIBL
> 
> On Wed, Feb 20, 2008 at 06:52:14PM +, Nigel Frankcom wrote:
> > >Anyway I heard talking about URIBL, which as I have understood is a 
> > >quite different service (it blacklists 'domains' rather than 'IPs'). But 
> > >is it maybe a dangerous practice to fight spam? Anyway, does anyone 
> > >suggest me to use URIBL?
> 
> URI black lists have been around for several years now, and 
> are generally very helpful at detecting spam.  URIBL is one 
> of the standard such black lists that are in use in SA, but 
> there are others: SURBL (the oldest and most well known
> IMO) as well as Razor (also does message hashing but largely 
> uses domain detection these days).  (I may be forgetting 
> someone else, sorry, these are just the ones that come to mind.)
> 
> Here are my results for the past 60 days for the different groups:
> 
> (you want the most spam% with the lowest ham%, aka: the 
> higher the S/O the
> better)
> 
> OVERALL    SPAM%     HAM%     S/O    RANK   SCORE  NAME
>       0   769001    57013   0.931    0.00    0.00  (all messages)
>     0.0  93.0978   6.9022   0.931    0.00    0.00  (all messages as %)
> 
>  65.312  70.1541   0.0053   1.000    1.00    0.00  URIBL_JP_SURBL
>  54.979  59.0545   0.0018   1.000    0.99    0.00  URIBL_SC_SURBL
>  33.513  35.9976   0.0018   1.000    0.98    0.00  URIBL_AB_SURBL
>  58.407  62.7323   0.0667   0.999    0.94    0.00  URIBL_OB_SURBL
>  43.120  46.3111   0.0737   0.998    0.93    0.00  URIBL_WS_SURBL
>   1.385   1.4874   0.0035   0.998    0.87    0.00  URIBL_PH_SURBL
> 
>   0.758   0.8091   0.0702   0.920    0.78    0.00  URIBL_RED
>  71.920  77.1604   1.2331   0.984    0.71    0.00  URIBL_BLACK
>   1.545   1.4891   2.3047   0.393    0.52    0.00  URIBL_GREY
> 
>  69.598  74.7537   0.0614   0.999    0.95    0.00  RAZOR2_CF_RANGE_E8_51_100
> 
> 
> So URIBL is a bit more problematic than the others by itself, 
> due to the high ham hit rate, but given SA's method of using 
> multiple data sources to determine ham/spam, the false 
> positive issue is minimized.
> 

I have looked at the SURBL site. If I have well understood I have to
enable only the plugin with loadPlugin.

Then I have to use the command 'urirhssub' of the plugin URIDNSBL to
specify that I want to use SURBLs:

urirhssub  URIBL_JP_SURBL  multi.surbl.org.  A  64
body       URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe   URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags     URIBL_JP_SURBL  net

score      URIBL_JP_SURBL  3.0

Indeed, I have not understood a number of things:

1. Why I have to use 'URIBL_JP_SURBL' as 'NAME_OF_RULE'? Is it an
arbitrary name or it exists a number of 'NAME_OF_RULE'?
2. Does the body command have to specify
'eval:check_uridnsbl('NAME_OF_RULE')' where 'NAME_OF_RULE' is the name
of the rule specified as parameter of the command 'urirhssub'?
3. tflags?
4. score?
5. Is there any simpler URIDNSBL plugin setting? Maybe a default one?

rocsca


RE: URIBL

2008-02-20 Thread Rocco Scappatura
> For what it's worth I'm seeing an escalation here in the UK 
> and on US and AUS servers so it's not isolated. Admittedly 
> it's not a large proportion but it is a rise.

How have you inferred this?

rocsca


URIBL

2008-02-20 Thread Rocco Scappatura
During the last days I have noticed an increase in 'rejected' messages.

I'm currently using 'zen.spamhaus.org' and 'list.dsbl.org' as reputation
servers.

At the same time, the number of false negatives has grown.

I would like to know if there is any better reputation server that
anyone knows (of course, it would be nice if it is a free service :-)).

Anyway I heard talking about URIBL, which as I have understood is a quite
different service (it blacklists 'domains' rather than 'IPs'). But is it
maybe a dangerous practice to fight spam? Anyway, does anyone suggest me
to use URIBL?

Thanks,

rocsca


RE: RulesDuJour

2007-09-04 Thread Rocco Scappatura
> But it is.
> 
> RulesDuJour delivery is broken, and it gives only HTTP-error 
> page, which causes the error.
> 
> sa-update can deliver the rules without errors.

However, I already use sa-update other than RulesDuJour, which is
scheduled as follows:

22 14 * * 1,2,3,4,5 sa-update && rcamavisd restart

What channels does sa-update update?

And if I use '--channelfile', what happens? Does sa-update update
only the channels included in the file specified for the argument
'--channelfile', or does it add the channels listed in the file to the
default list of channels maintained by sa-update?

Thanks,

rocsca
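
A pre-install check for the failure described in the message above, where the download returns an HTTP error page instead of a rule file. This is an added example, not RulesDuJour or SpamAssassin code: the function names, file names and sample contents are constructed, and the "line starts with <" test is a heuristic that complements `spamassassin --lint` rather than replacing it.

```shell
#!/bin/sh
# Added example (not RulesDuJour code). File names and sample contents are
# constructed; the HTML sample is modelled on the META tags in the lint output.

# Succeeds if file $1 is non-empty and no line starts with "<".
# SpamAssassin config lines start with a keyword or "#", never with markup.
is_rule_file() {
    [ -s "$1" ] || return 1
    markup_lines=$(grep -c '^[[:space:]]*<' "$1" || true)
    [ "$markup_lines" -eq 0 ]
}

# Install download $1 over live rule file $2 only when it passes is_rule_file.
# On failure the live file is left alone and the download is renamed to
# $1.rejected so it can be inspected later.
install_rule_file() {
    if is_rule_file "$1"; then
        # Copy next to the target, then rename, so the swap is a single step.
        cp "$1" "$2.new" && mv -f "$2.new" "$2"
    else
        echo "refusing $1: not a rule file, keeping $2" >&2
        mv -f "$1" "$1.rejected"
        return 1
    fi
}

# Create constructed sample files under directory $1.
make_samples() {
    mkdir -p "$1/download" "$1/rules"
    printf '%s\n' '# constructed sample rule file' \
        'body     EXAMPLE_PHRASE  /example phrase/i' \
        'describe EXAMPLE_PHRASE  Constructed sample rule' \
        'score    EXAMPLE_PHRASE  0.1' > "$1/download/good.cf"
    printf '%s\n' '<html><head>' \
        '<meta http-equiv="Refresh" content="0.1">' \
        '<meta http-equiv="Expires" content="-1">' \
        '</head><body>Service unavailable</body></html>' \
        > "$1/download/error_page.cf"
    printf '%s\n' '# previous good version' > "$1/rules/70_example.cf"
}

# Walk both cases in a throwaway directory.
demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    install_rule_file "$tmp/download/good.cf" "$tmp/rules/70_example.cf" \
        && echo "good.cf installed"
    install_rule_file "$tmp/download/error_page.cf" "$tmp/rules/70_example.cf" \
        || echo "error_page.cf rejected, live rules unchanged"
    rm -rf "$tmp"
}

# Run the walk-through with: sh check-rule-file.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```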


RE: RulesDuJour

2007-09-03 Thread Rocco Scappatura
> Using sa-update is the suggested method now:
> 
> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt

I don't think that this is related to the error discussed in this
thread.

rocsca


RulesDuJour

2007-09-03 Thread Rocco Scappatura

Hello,

It is some weeks that I get errors while I try to update the SA
rulesets.

For example recently I get an error after the update of TripWire and
SARE rulesets:

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f /etc/mail/spamassassin/tripwire.cf
/tmp/RulesDuJour/99_FVGT_Tripwire.cf.2; mv -f
/tmp/RulesDuJour/tripwire.cf.20070831-1530
/etc/mail/spamassassin/tripwire.cf; mv -f
/etc/mail/spamassassin/70_sare_stocks.cf
/tmp/RulesDuJour/70_sare_stocks.cf.2; mv -f
/tmp/RulesDuJour/70_sare_stocks.cf.20070831-1530
/etc/mail/spamassassin/70_sare_stocks.cf;

Lint output: [826] warn: config: failed to parse line, skipping:
 [826] warn:
config: failed to parse line, skipping:  [826] warn: config: failed to parse line, skipping:
 [826] warn: config: failed to
parse line, skipping:  [826] warn: lint: 4 issues
detected, please rerun with debug enabled for more information

I can't figure out how to solve this problem..

Maybe there is an outdated ruleset? If yes, which is it?

Thanks,

rocsca


Greeting card

2007-07-31 Thread Rocco Scappatura
Is it possible to block the spam sent by GreetingCards.com which invites
the receiver to access a URL and browse the ecard?

I mean that spam which has subject similar to:

You've received a greeting ecard from a Colleague!

BR,

rocsca


Temporary dir

2007-05-21 Thread Rocco Scappatura

Hello,

I have a problem with the directory tmp inside the home directory of the
user running amavisd-new (which uses spamassassin).

That directory is configured as the temporary dir for Amavisd-new. I mounted
a tmpfs file system on it. The size of the partition is the one
suggested for this job (to be the temporary directory for amavisd-new).
But often it fills up.

I saw that other files (directories) are contained inside that directory..

drwx-- 2 amavis amavis 180 May 21 13:01 .spamassassin5530r7wcrVtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7237wyAuoBtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7288uoiiXPtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7289MYWBOwtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7289QcqPY2tmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7289sijshHtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7297BbAzmltmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7418uqGnv3tmp

and I can't figure out why they are there!

Does someone have an idea?

thanks

rocsca


RE: How are classified this?

2007-04-04 Thread Rocco Scappatura
> > But It won't be indiscriminant in my case.. Is there any 
> other solution?
> 
> Keep messages on the list.
> 
> These are very simple messages that are exploiting an image 
> hosting service.  There are very few spam signs in them.  I 
> have decided that for the time being none of my users are 
> affected by scoring purely on the imageshack.us url.
> 
> In cases like these it is very difficult to come up with 
> generic solutions that fit everyone's requirements.  Which is 
> why I would recommend that you have a look at learning how to 
> write very simple rules.  That way you will be able to write 
> something that meets your very specific needs.  If you are 
> uncertain of your rules, you should set a small score (say 
> 0.1) first so that any misfires do not have a major effect on 
> overall scoring, but you can see them in your results.  You 
> can also send your rules to this list and the regulars here 
> will be able to check them out and give you advice.
> 
> Failing that you will have to be very specific about your 
> requirements for these spams, and someone might be able to 
> suggest a rule that meets your needs.

Thank you. You are very clear..

I think that I will try to use your rule, and then I'll
observe what happens..

rocsca


How are classified this?

2007-04-02 Thread Rocco Scappatura
Since this morning I'm receiving spam like that below..

What I can't figure out is if this is a new kind of spam or if I can
update it using the available rulesets (with sa-update or RDJ).

Can someone give a hint?

Here is one of the messages with its header:

>From [EMAIL PROTECTED] Mon Apr  2 17:21:23 2007
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: by posta.sttspa.it (Postfix, from userid 7011)
id A7AC21098099; Mon,  2 Apr 2007 17:21:07 +0200 (CEST)
Received: from av3.stt.vir (smtp02.sttspa.it [80.74.176.141])
by posta.sttspa.it (Postfix) with ESMTP id 765CD1098090
for <[EMAIL PROTECTED]>; Mon,  2 Apr 2007 17:21:07 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by av3.stt.vir (Postfix) with ESMTP id 5249F75010D
for <[EMAIL PROTECTED]>; Mon,  2 Apr 2007 17:21:07 +0200 (CEST)
X-Virus-Scanned: amavisd-new at stt.vir
Received: from av3.stt.vir ([127.0.0.1])
by localhost (av6.stt.vir [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id FNwSusNccx3t for <[EMAIL PROTECTED]>;
Mon,  2 Apr 2007 17:21:06 +0200 (CEST)
Received: from dsl51B7EDE5.pool.t-online.hu
(dsl51B7EDE5.pool.t-online.hu [81.183.237.229])
by av3.stt.vir (Postfix) with ESMTP id 315D47500F7
for <[EMAIL PROTECTED]>; Mon,  2 Apr 2007 17:21:05 +0200 (CEST)
Received: from home ([116.192.136.130])
by dsl51B7EDE5.pool.t-online.hu (8.13.4/8.13.4) with SMTP id
F9A70115F0EDB1;
Mon, 2 Apr 2007 17:22:00 +0200
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 2 Apr 2007 17:21:23 +0200
To: [EMAIL PROTECTED]
From: "Nele jankuniene" <[EMAIL PROTECTED]>
Subject: All the Tablet PC
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <[EMAIL PROTECTED]>

Search engine, fax scanting software?
http://img133.imageshack.us/img133/5553/webvq2.gif


)


RE: Big trouble

2007-03-29 Thread Rocco Scappatura
> >   2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
> >                              [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
> 
> I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
> (unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED, 
> which are nonzero)
> 
> rules/50_scores.cf :
>   score RCVD_IN_WHOIS_BOGONS 0 # n=0 n=1 n=2 n=3

I don't understand.. maybe my remark is wrong, but I get this score for
the rules above:

 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]

Anyway, what implies you that the score for RCVD_IN_WHOIS_BOGONS is 0?

rocsca



RE: Big trouble

2007-03-29 Thread Rocco Scappatura
> There is another discussion on this list about rules that 
> catch these sorts of messages.  Check that out for ideas.
> 
> For what it is worth these are the rules I get:
> 
> Content analysis details:   (10.5 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
>  0.6 J_CHICKENPOX_14        BODY: 1alpha-pock-4alpha
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.]
>  2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
>                             [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
>  1.0 RCVD_IN_JANET_RBL      RBL: Relay in JANET MAPS RBL+ RBL
>                             [102.176.29.76 listed in rbl-plus.mail-abuse.ja.net]
>  0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

I get:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 TW_GD                  BODY: Odd Letter Triples with GD
 0.1 TW_LG                  BODY: Odd Letter Triples with LG
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3955]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.6 AWL                    AWL: From: address is in the auto white-list

But only after some hours that I have received the messages..

I suppose that at that time the score assigned by your SA was lower than
you just report above.. (maybe at that time, the IP 102.176.29.76 was
"not-DNSBListed" ).

Anyway, I figure that your SA uses different rulesets than mine..

Could you instruct me about a good set of rulesets I have to use to lower
the chance that spam passes through my spam-scanner, maintaining a good
level of performance?

TIA,

rocsca


RE: Big trouble

2007-03-28 Thread Rocco Scappatura
> Before anyone can you give you a hint on how to block the 
> messages, we would need to see what the messages are.
> 
> Same form as before, save the message (with full headers) and 
> place it somewhere where we can download it.

http://www.rocsca.it/INBOX

rocsca


RE: Big trouble

2007-03-28 Thread Rocco Scappatura
> What MTA are you using ?

Postfix+MySQL+Amavisd-new

rocsca


Big trouble

2007-03-28 Thread Rocco Scappatura
For some days, the number of spams which SA doesn't
block has increased.

Every time I'm going to analyse the message:

1) Save the message in mbox format 'message.mbox'
2) su - amavis -c "spamassassin -t < message.mbox"

And I get that the score is greater than 5.0 and often I get:

 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]

That is, if the message is sent just now, the message is rejected (?).

So I feel that every time that I receive a spam, the system spends a
period of time to 'learn' that that message is spam.

If this is the truth, I would like to figure out how I can block these
messages in advance..

Could someone give me a hint?

TIA,

rocsca




RE: why I get it?

2007-03-20 Thread Rocco Scappatura
> You really don't give enough information that we can guess 
> what could be done to help catch these.  All I can guess is 
> that you might not be running network tests, since I don't see 
> any network test hits on the two examples.
> 
> Try posting a complete spam with the headers attached, and we 
> may be able to say more.

OK Loren. Thanks first of all. But I would like to test if the network
test is enabled.. Could you instruct me about?

rocsca


RE: why I get it?

2007-03-20 Thread Rocco Scappatura

> Chances are that your Bayesian database changed between the 
> time you received this message and the time you rescanned it 
> from the command line.  Rescanning something is _not_ a 
> reliable way to figure out what score SA gave it on receipt.  
> You should use the _TESTSSCORES(,)_ macro in your add_header 
> line to figure that out.

I agree with you! In fact, today I got another spam and, seven hours
after it was received, I analysed it and again got a score greater than
5.0 points:

Content preview:  "Yes, I exactly heard it spoken flight of, self
decision but
   I did not know the scorch "And who man found brain this mark father
for you?"
   plead "Half-past six o'clock has strod cold purpose just struck, M.
Bertuccsucceed
   "The week Count receive shoe of Monte Cristo." [...]

Content analysis details:   (5.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9680]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.7 MY_CID_AND_STYLE       SARE cid and style


But is there a strategy for preventing these emails from reaching the
mailboxes before spamassassin learns about them (maybe greylist?)?

thanks,

rocsca


RE: why I get it?

2007-03-20 Thread Rocco Scappatura

> Well Rocco, without knowing a little bit more about your 
> setup its hard to say.  For instance, are you NEW to spamassassin?

Thanks John. No, I'm using spamassassin for two years. But, I'm going in
depth with the usage of spamassassin because I would like to reduce the
spam that arrives in my mailboxes.

I'm using a Postfix+MySQL+Amavisd-new setup.

> If so you might be under the mistaken impression that 
> Spamassassin deletes spam.  It doesn't.  It just marks it.
> 
> If you want it deleted you have to do that with some other 
> means, such as with filters in your mail reader, or procmail 
> or amavisd etc.

It is clear.

rocsca


RE: why I get it?

2007-03-20 Thread Rocco Scappatura

> What version of SA are you running?  If not 3.1.8 then upgrade.

# spamassassin -V
SpamAssassin version 3.1.8
  running on Perl version 5.8.8

rocsca


RE: Another false negative

2007-03-19 Thread Rocco Scappatura
> > Do I have to set it to 0?
> 
> No, but that may explain why the two servers have different 
> Bayes scores for similar messages.  If they receive different 
> message streams they will be learning a different view of the 
> email world.

OK. Thanks all clear for me!!

> > But Then how I have to instruct Spamassassin? What is the 
> best way? Do 
> > I have a spam folder to instruct SA?
> 
> I don't think you need to turn off autolearn, you may want to 
> adjust your thresholds, mine are set to this:
> 
> bayes_auto_learn_threshold_nonspam -0.1
> bayes_auto_learn_threshold_spam 12.0
> 
> I have autolearn switched on, but I also manually train with 
> false negatives, and I occasionally train a bunch of recent 
> ham as ham.

OK. I will do that too!

rocsca


RE: Another false negative

2007-03-19 Thread Rocco Scappatura
> > what it can be the reason of the different score assigned?
> > why the second system doesn't assign an AWL score?
> 
> They give different Bayes scores so the Bayes databases have 
> been trained with different messages.  Do you have autolearn 
> switched on?

#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1

Do I have to set it to 0?

But Then how I have to instruct Spamassassin? What is the best way? Do I
have a spam folder to instruct SA?

> And you must understand that the Bayes system is not a one 
> shot and you have it fixed kind of system.  Just training a 
> single message will alter the scoring, but you may also need 
> to train it with a few similar messages for it to 
> significantly change its scoring.

You're saying right. Now I understand. 

Thank you,

rocsca


why I get it?

2007-03-19 Thread Rocco Scappatura
Hello,

I received a spam message this morning in my mailbox. So I submitted it to
spamassassin to calculate the score that spamassassin gives it.

Here the result:

Content preview:  "Diable!" bird market light sort said Monte Cristo
compassionately,
   "it i Villefort pressed her plate earth hand to set long let her know
it
  was "Ah, true."theory skin "Oh, no, sir," she blade slope answered;
"but you
   know, things [...]

Content analysis details:   (6.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9991]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.7 MY_CID_AND_STYLE       SARE cid and style

So it is clear at all why I have retrieved the message in my mailbox..

If someone could give an explanation of this phenomenon, I will
appreciate it,

BR,

rocsca


RE: Another false negative

2007-03-14 Thread Rocco Scappatura
> > So you are saying that I have to train SA?
> 
> That would be how you would improve your Bayes accuracy, yes.

I have trained SA on my server but I still get a score lower than 5.0..

Content analysis details:   (4.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8738]
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.2 AWL                    AWL: From: address is in the auto white-list

while on another server (that I have instructed with the same messages)
I get:

Content analysis details:   (5.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9996]
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts

what it can be the reason of the different score assigned?
why the second system doesn't assign an AWL score?

rocsca
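
Added example (not part of the original thread, and not SpamAssassin's own code): a Python parser for the two `spamassassin -t` report tables compared in the message above and for a folded X-Spam-Status header, with a diff showing that the two servers differ only in the Bayes bucket and the AWL hit. Function names are hypothetical; the sample inputs are re-typed from the thread with column spacing restored.

```python
import re

# Constructed samples: the two report tables from the message above, re-typed
# with column spacing restored and the mail client's line wrapping kept.
REPORT_A = """\
Content analysis details:   (4.3 points, 5.0 required)
 pts rule name              description
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close
tag
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
[score: 0.8738]
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.2 AWL                    AWL: From: address is in the auto white-list
"""
REPORT_B = """\
Content analysis details:   (5.7 points, 5.0 required)
 pts rule name              description
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close
tag
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to
100%
[score: 0.9996]
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
"""
# Constructed sample: the folded X-Spam-Status value quoted elsewhere in the thread.
STATUS_AT_RECEIPT = (
    "No, score=2.5 required=5.0 tests=AWL,BAYES_50,HTML_30_40,\n"
    "\tHTML_MESSAGE,HTML_TEXT_AFTER_BODY,MIME_HTML_ONLY,SARE_PROLOSTOCK_SYM3\n"
    "\tautolearn=no version=3.1.8"
)

TOTAL_RE = re.compile(r"\((-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")
BAYES_PROB_RE = re.compile(r"\[score: ([0-9.]+)\]")


def parse_report(text):
    """Parse a 'spamassassin -t' report table into totals and per-rule hits."""
    report = {"total": None, "required": None, "hits": {}, "notes": {}, "bayes_prob": None}
    current = None
    for line in text.splitlines():
        total = TOTAL_RE.search(line)
        if total:
            report["total"], report["required"] = map(float, total.groups())
            continue
        hit = HIT_RE.match(line)
        if hit:
            current = hit.group(2)
            report["hits"][current] = float(hit.group(1))
            report["notes"][current] = hit.group(3).strip()
        elif current and line.strip():
            # Wrapped continuation of the previous rule's description.
            report["notes"][current] += " " + line.strip()
    for name, note in report["notes"].items():
        prob = BAYES_PROB_RE.search(note)
        if name.startswith("BAYES_") and prob:
            report["bayes_prob"] = float(prob.group(1))
    return report


def parse_status_header(value):
    """Parse an X-Spam-Status header value (folded lines allowed)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value).strip()
    verdict = re.match(r"(Yes|No), score=(-?[\d.]+) required=(-?[\d.]+)", unfolded)
    if not verdict:
        raise ValueError("not an X-Spam-Status value: %r" % unfolded[:40])
    tests = re.search(r"tests=(.*?)(?:\s+\w+=|$)", unfolded)
    names = re.sub(r"\s+", "", tests.group(1)).split(",") if tests else []
    return {"is_spam": verdict.group(1) == "Yes", "score": float(verdict.group(2)),
            "required": float(verdict.group(3)),
            "tests": [n for n in names if n and n != "none"]}


def bayes_bucket(rule_names):
    """Return the BAYES_NN rule among the hits, or None if Bayes did not fire."""
    return next((n for n in rule_names if re.fullmatch(r"BAYES_\d+", n)), None)


def diff_hits(a, b):
    """Compare two name->score maps: rules unique to each side and score changes."""
    return {
        "only_a": {n: s for n, s in a.items() if n not in b},
        "only_b": {n: s for n, s in b.items() if n not in a},
        "changed": {n: (a[n], b[n]) for n in a if n in b and a[n] != b[n]},
    }


if __name__ == "__main__":
    a, b = parse_report(REPORT_A), parse_report(REPORT_B)
    receipt = parse_status_header(STATUS_AT_RECEIPT)
    print("at receipt:", receipt["score"], bayes_bucket(receipt["tests"]))
    print("server A:", a["total"], a["bayes_prob"], "server B:", b["total"], b["bayes_prob"])
    print(diff_hits(a["hits"], b["hits"]))
```

The per-rule scores in a report are rounded to one decimal, so their sum can differ from the printed total by 0.1, as it does for the first table.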


RE: Another false negative

2007-03-14 Thread Rocco Scappatura
> Assuming this is your score line:
> 
>  > X-Spam-Status: No, score=2.5 required=5.0  > 
> tests=AWL,BAYES_50,HTML_30_40,  > 
> HTML_MESSAGE,HTML_TEXT_AFTER_BODY,MIME_HTML_ONLY,SARE_PROLOSTOCK_SYM3
>  > autolearn=no version=3.1.8
> 
> Then the biggest difference is that my Bayesian scoring gives it a
> BAYES_99 score and yours gives it a BAYES_50 score.

So you are saying that I have to train SA?

rocsca


RE: Another false negative

2007-03-14 Thread Rocco Scappatura
> > Content analysis details:   (5.7 points, 5.0 required)
> > 
> >   pts rule name              description
> >  ---- ---------------------- --------------------------------------------------
> >   0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
> >   1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
> >   0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
> >   0.0 HTML_MESSAGE           BODY: HTML included in message
> >   3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
> >                              [score: 1.]
> >   0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> 
> Please, could you tell me what do I miss?
> 

Maybe I have to update the list of rulesets? What do I have to install
other than the default set of rulesets delivered with SA 3.1.8?

TIA,

rocsca


RE: Another false negative

2007-03-14 Thread Rocco Scappatura
> I get the following:
> 
> Content analysis details:   (5.7 points, 5.0 required)
> 
>   pts rule name              description
>  ---- ---------------------- --------------------------------------------------
>   0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>   1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
>   0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
>   0.0 HTML_MESSAGE           BODY: HTML included in message
>   3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                              [score: 1.]
>   0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts

Please, could you tell me what do I miss?

TIA,

rocsca



RE: Another false negative

2007-03-14 Thread Rocco Scappatura
> http://www.rocsca.it/INBOX

Could someone give me a hint on how to block email like the one above?

Thanks,

rocsca

> I get the following score:
> 
> From [EMAIL PROTECTED] Wed Mar 14 07:13:02 2007
> Return-Path: <[EMAIL PROTECTED]>
> X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on av6.stt.vir
> X-Spam-Level: **
> X-Spam-Status: No, score=2.5 required=5.0 
> tests=AWL,BAYES_50,HTML_30_40,
>  
> HTML_MESSAGE,HTML_TEXT_AFTER_BODY,MIME_HTML_ONLY,SARE_PROLOSTOCK_SYM3
> autolearn=no version=3.1.8
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: by posta.sttspa.it (Postfix, from userid 7011)
> id 8F9A51098056; Wed, 14 Mar 2007 07:14:06 +0100 (CET)
> Received: from av6.stt.vir (smtp02.sttspa.it [80.74.176.141])
> by posta.sttspa.it (Postfix) with ESMTP id 6858B1098004;
> Wed, 14 Mar 2007 07:14:06 +0100 (CET)
> Received: from localhost (localhost [127.0.0.1])
> by av6.stt.vir (Postfix) with ESMTP id F7500A7;
> Wed, 14 Mar 2007 07:14:06 +0100 (CET)
> X-Virus-Scanned: amavisd-new at stt.vir
> Received: from av6.stt.vir ([127.0.0.1])
> by localhost (av6.stt.vir [127.0.0.1]) (amavisd-new, 
> port 10024)
> with ESMTP id I3LCVzlxLfiv; Wed, 14 Mar 2007 07:14:03 +0100
> (CET)
> Received: from kbra3qsxm9mslhj (203-118-114-113.static.asianet.co.th
> [203.118.114.113])
> by av6.stt.vir (Postfix) with SMTP id 362367500A2;
> Wed, 14 Mar 2007 07:13:14 +0100 (CET)
> Message-ID: <[EMAIL PROTECTED]>
> Reply-To: "IParker NDickey" <[EMAIL PROTECTED]>
> From: "IParker NDickey" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: transmitting wolf
> Date: Wed, 14 Mar 2007 13:13:02 +0700
> MIME-Version: 1.0
> Content-Type: text/html
> 
> 
> 
> 
> 
> 
> 
> Our Next Winner for color="#FF"> March 14th  color="#FF">CEO AMERICA INC  Tick : CEOA 
> Priced : $0.07 Won't last 
> long at this stage, This one is going to color="#008080"> $1.00 Grab yourself some color="#FF"> tomorrow avoid the rush And 
> experience a 10 bagger.  align="center"> FAA said the rule change 
> -- a temporary one -- was made for safety reasons. The 
> NTSB's of starting that fire with murder. A light wind 
> was cited by federal investigators = San Benardino National 
> Forest to its very core and shocked the entire world." 
> October 26 in Southern California's San Jacinto 
> Mountains.=ttempted a U-turn with only 1,300 feet of room for 
> the turn. To make a successful turn, 
> 
> 
> 
> 
> 
> 
> )
> Spam detection software, running on the system "av6.stt.vir", 
> has identified this incoming email as possible spam.  The 
> original message has been attached to this so you can view it 
> (if it isn't spam) or label similar future email.  If you 
> have any questions, see the administrator of that system for details.
> 
> Content preview:  Our Next Winner for March 14th CEO AMERICA 
> INC Tick :
> CEOA
>Priced : $0.07 Won't last long at this stage, This one is 
> going to $1.00
>   Grab yourself some tomorrow avoid the rush And experience a 
> 10 bagger.
> [...]
> 
> 
> Content analysis details:   (2.5 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
>  0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
>  0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5547]
>  0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  0.3 AWL                    AWL: From: address is in the auto white-list
> 


RE: Another false negative

2007-03-14 Thread Rocco Scappatura
> If you can post the full email (headers and body), I'll run it over my
> system which has lots and lots of third party add on rules from
> www.rulesemporium.com and others and see if I can make SA 
> score it high
> enough for Amavisd-new to block the email..

Thanks. 

http://www.rocsca.it/INBOX

I get the following score:

>From [EMAIL PROTECTED] Wed Mar 14 07:13:02 2007
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on av6.stt.vir
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,BAYES_50,HTML_30_40,
 
HTML_MESSAGE,HTML_TEXT_AFTER_BODY,MIME_HTML_ONLY,SARE_PROLOSTOCK_SYM3
autolearn=no version=3.1.8
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: by posta.sttspa.it (Postfix, from userid 7011)
id 8F9A51098056; Wed, 14 Mar 2007 07:14:06 +0100 (CET)
Received: from av6.stt.vir (smtp02.sttspa.it [80.74.176.141])
by posta.sttspa.it (Postfix) with ESMTP id 6858B1098004;
Wed, 14 Mar 2007 07:14:06 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by av6.stt.vir (Postfix) with ESMTP id F7500A7;
Wed, 14 Mar 2007 07:14:06 +0100 (CET)
X-Virus-Scanned: amavisd-new at stt.vir
Received: from av6.stt.vir ([127.0.0.1])
by localhost (av6.stt.vir [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id I3LCVzlxLfiv; Wed, 14 Mar 2007 07:14:03 +0100
(CET)
Received: from kbra3qsxm9mslhj (203-118-114-113.static.asianet.co.th
[203.118.114.113])
by av6.stt.vir (Postfix) with SMTP id 362367500A2;
Wed, 14 Mar 2007 07:13:14 +0100 (CET)
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "IParker NDickey" <[EMAIL PROTECTED]>
From: "IParker NDickey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: transmitting wolf
Date: Wed, 14 Mar 2007 13:13:02 +0700
MIME-Version: 1.0
Content-Type: text/html







Our Next Winner for March
14th
CEO AMERICA INC 
Tick : CEOA
Priced : $0.07
Won't last long at this stage, This one is going to
$1.00
Grab yourself some tomorrow avoid the
rush
And experience a 10 bagger.

FAA said the rule change -- a temporary one -- was made
for safety reasons. The NTSB's
of starting that fire with murder. A light wind was cited by federal
investigators = San Benardino National Forest to its very core and
shocked the entire world."
October 26 in Southern California's San Jacinto Mountains.=ttempted a
U-turn with only 1,300 feet of room for the turn. To make a successful
turn,







)
Spam detection software, running on the system "av6.stt.vir", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Our Next Winner for March 14th CEO AMERICA INC Tick :
CEOA
   Priced : $0.07 Won't last long at this stage, This one is going to
$1.00
  Grab yourself some tomorrow avoid the rush And experience a 10 bagger.
[...]


Content analysis details:   (2.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5547]
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.3 AWL                    AWL: From: address is in the auto white-list


Another false negative

2007-03-14 Thread Rocco Scappatura
Hello, 

SA has not blocked an email with these headers:

Microsoft Mail Internet Headers Version 2.0
Received: from posta.sttspa.it ([80.74.176.144]) by srv5.stt.loc with
Microsoft SMTPSVC(6.0.3790.1830);
 Wed, 14 Mar 2007 07:14:08 +0100
Received: by posta.sttspa.it (Postfix, from userid 7011)
id 8F9A51098056; Wed, 14 Mar 2007 07:14:06 +0100 (CET)
Received: from av6.stt.vir (smtp02.sttspa.it [80.74.176.141])
by posta.sttspa.it (Postfix) with ESMTP id 6858B1098004;
Wed, 14 Mar 2007 07:14:06 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by av6.stt.vir (Postfix) with ESMTP id F7500A7;
Wed, 14 Mar 2007 07:14:06 +0100 (CET)
X-Virus-Scanned: amavisd-new at stt.vir
Received: from av6.stt.vir ([127.0.0.1])
by localhost (av6.stt.vir [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id I3LCVzlxLfiv; Wed, 14 Mar 2007 07:14:03 +0100
(CET)
Received: from kbra3qsxm9mslhj (203-118-114-113.static.asianet.co.th
[203.118.114.113])
by av6.stt.vir (Postfix) with SMTP id 362367500A2;
Wed, 14 Mar 2007 07:13:14 +0100 (CET)
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "IParker NDickey" <[EMAIL PROTECTED]>
From: "IParker NDickey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: transmitting wolf
Date: Wed, 14 Mar 2007 13:13:02 +0700
MIME-Version: 1.0
Content-Type: text/html
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 14 Mar 2007 06:14:08.0281 (UTC)
FILETIME=[F9A5D890:01C765FF]


which have in the body:

Our Next Winner for March 14th

and other contents..

Why doesn't SA block this email? Do I miss some important ruleset?
I have already configured Postfix to use some DNSBL.

Here my SA configuration:

[19689] dbg: logger: adding facilities: all
[19689] dbg: logger: logging level is DBG
[19689] dbg: generic: SpamAssassin version 3.1.8
[19689] dbg: config: score set 0 chosen.
[19689] dbg: util: running in taint mode? yes
[19689] dbg: util: taint mode: deleting unsafe environment variables,
resetting PATH
[19689] dbg: util: PATH included '/sbin', keeping
[19689] dbg: util: PATH included '/usr/sbin', keeping
[19689] dbg: util: PATH included '/usr/local/sbin', keeping
[19689] dbg: util: PATH included '/opt/gnome/sbin', keeping
[19689] dbg: util: PATH included '/root/bin', keeping
[19689] dbg: util: PATH included '/usr/local/bin', keeping
[19689] dbg: util: PATH included '/usr/bin', keeping
[19689] dbg: util: PATH included '/usr/X11R6/bin', keeping
[19689] dbg: util: PATH included '/bin', keeping
[19689] dbg: util: PATH included '/usr/games', keeping
[19689] dbg: util: PATH included '/opt/gnome/bin', keeping
[19689] dbg: util: PATH included '/usr/lib/mit/bin', which doesn't
exist, dropping
[19689] dbg: util: PATH included '/usr/lib/mit/sbin', which doesn't
exist, dropping
[19689] dbg: util: final PATH set to:
/sbin:/usr/sbin:/usr/local/sbin:/opt/gnome/sbin:/root/bin:/usr/local/bin
:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin
[19689] dbg: message:  MIME PARSER START 
[19689] dbg: message: main message type: text/plain
[19689] dbg: message: parsing normal part
[19689] dbg: message: added part, type: text/plain
[19689] dbg: message:  MIME PARSER END 
[19689] dbg: dns: is Net::DNS::Resolver available? yes
[19689] dbg: dns: Net::DNS version: 0.59
[19689] dbg: config: using "/etc/mail/spamassassin" for site rules pre
files
[19689] dbg: config: read file /etc/mail/spamassassin/init.pre
[19689] dbg: config: read file /etc/mail/spamassassin/v310.pre
[19689] dbg: config: read file /etc/mail/spamassassin/v312.pre
[19689] dbg: config: using "/var/lib/spamassassin/3.001008" for sys
rules pre files
[19689] dbg: config: read file
/var/lib/spamassassin/3.001008/updates_spamassassin_org.pre
[19689] dbg: config: using "/var/lib/spamassassin/3.001008" for default
rules dir
[19689] dbg: config: read file
/var/lib/spamassassin/3.001008/updates_spamassassin_org.cf
[19689] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[19689] dbg: config: read file
/etc/mail/spamassassin/70_sare_evilnum0.cf
[19689] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu.cf
[19689] dbg: config: read file /etc/mail/spamassassin/70_sare_random.cf
[19689] dbg: config: read file /etc/mail/spamassassin/70_sare_stocks.cf
[19689] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf
[19689] dbg: config: read file
/etc/mail/spamassassin/bogus-virus-warnings.cf
[19689] dbg: config: read file /etc/mail/spamassassin/local.cf
[19689] dbg: config: read file /etc/mail/spamassassin/random.cf
[19689] dbg: config: read file /etc/mail/spamassassin/tripwire.cf
[19689] dbg: config: using "/root/.spamassassin" for user state dir
[19689] dbg: config: using "/root/.spamassassin/user_prefs" for user
prefs file
[19689] dbg: config: read file /root/.spamassassin/user_prefs
[19689] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from
@INC
[19689] dbg: plugin: registered
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x

RE: veryfing the score of a message

2007-02-28 Thread Rocco Scappatura
> > Well what puzzles me is, is the message in queue, waiting 
> to be sent 
> > to someone within your domain, or is it outbound? 
 
to be sent outbound..

> Why are you wanting 
> > to manually scan it?

A user of mine tries to send an email using my SMTP server, but he can't
send me the message which is blocked by my spam scanner (SA), in mbox
format.. (so that I can analyse it and find the cause of the blocking)
Nevertheless I know the right way to control the scanning of that
message.. So I told him to send it to an outbound address such that it
remains on the queue of the mail server and I can analyse it...

If you have a better method to solve my problem, it is welcome!

rocsca


veryfing the score of a message

2007-02-27 Thread Rocco Scappatura

Hello,

I would like to verify the score of a message that sendmail left in
queue for some reason.

Normally, I have two messages in queue directory:

- qfX
- dfX

Could I 'cat' qfX and dfX in a temp file 'tmp'

and

then calculate the score so:

spamassassin -t < tmp

?

Or I will get a wrong score?

TIA,

rocsca


RE: ANTIDRUG rulesets

2007-02-14 Thread Rocco Scappatura
> I didn't want to cloud the situation, as we were progressing 
> in very small steps in improving the scoring of the OPs SA.  
> As he was already using RDJ for the SARE rules I thought the 
> easiest first step would be to get sa-update set up for the 
> default ruleset and then once the OP was happy with that 
> worry about moving his existing mechanism if necessary.

I agree with you..

rocsca


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
> The other thing to do is to run sa-update to make sure you 
> are running the latest versions of the standard SA rules.
> 
> http://spamassassin.apache.org/full/3.1.x/doc/sa-update.html

I already use rules_du_jour.. It's OK? Or I can obtain further
improvement using sa-update?

rocsca


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
> I think the next thing you need to do is run the command with 
> the -D switch.

The output is attached..

> It doesn't look like you are running any network tests, you 
> are certainly not running any Bayes tests.

I have executed the command you told me after launching spamd..

> Can you remind us what OS this is on, what version of 
> spamassassin, how you installed SA, how you call SA?

I call SA via amavisd-new-2.4.4

# /usr/bin/spamassassin --version
SpamAssassin version 3.1.7
  running on Perl version 5.8.8

OS: SLES 10
Linux av5 2.6.16.21-0.8-bigsmp #1 SMP Mon Jul 3 18:25:39 UTC 2006 i686
i686 i386 GNU/Linux

rocsca


it_by_confocal.out.debug
Description: it_by_confocal.out.debug


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
> If you have the email saved in a text file called email.txt, 
> run this command making sure that you are logged in as the 
> user who spamd run as.
> 
> spamassassin -t < email.txt
> 
> If you want a lot more information you can use the debug switch
> 
> spamassassin -D -t < email.txt

Thanks.

Here the output on my system..

Spam detection software, running on the system "av5.stt.vir", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  BULLISH REPORT! Campaign for: MISJPrice: $0.17Target:
  $0.95Market: hellish! SOMEBODY KNOWS SOMETHING. [...]

Content analysis details:   (0.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.3 HTML_FONT_BIG          BODY: HTML tag for a big font size


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
> Can you show us which tests these emails hit on your system?

Please tell me how I have to do..

rocsca


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
> Enable network tests.  You may have to set up several things 
> correctly to get this to work, but just removing "-L" from 
> the spamd startup line may be enough as a start.

I don't understand..  If I have a message in mbox format, what do I have to
do so that I can see what score SA should assign to it?

I have seen the syntax of the spamd command but it doesn't accept any kind
of message as input parameter.. Should I run it in daemonized mode and
send the message to the listening port?

> >> Looking at this my Bayes scores it highly, but so does a 
> rules from 
> >> the SARE_STOCKS rule set.  There are also a number of 
> network tests 
> >> which get this.
> 
> > And so? How do you justify this? What I miss?
> 
> Add-on rulesets.  In this case the SARE stocks ruleset.

Thanks,

rocsca


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
> > Put a full email (including all headers) on a web page somewhere.
> 
> http://www.rocsca.it/it_by_confocal.out
> 
> That's not a drug spam, that's a stock spam.  It just happens 
> to be for a pharmaceutical company.

Sorry! I'm not very experienced with the kinds of spam..

I'd very much like to learn to classify spam by content.. I need some
documentation..

> Get the SARE stocks ruleset and you will have some better 
> luck.  Often these are GIF images, so ImageInfo and FuzzyOCR 
> can both help a lot.

OK. I will do.. Indeed I already use FuzzyOCR.. but it often fails to
block this email.. I'm afraid that I use a bad dictionary (the default)
and I'm looking for a better one..

rocsca


RE: ANTIDRUG rulesets

2007-02-12 Thread Rocco Scappatura
> My scores:
> 
> Content analysis details:   (10.4 points, 5.0 required)
> 
>   pts rule name              description
>  ---- ---------------------- --------------------------------------------------
>   0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>   0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
>   1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
>   0.0 HTML_MESSAGE           BODY: HTML included in message
>   3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                              [score: 1.]
>   0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>   1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
>                              above 50%
>                              [cf: 100]
>   0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                              [cf: 100]
>   1.0 RCVD_IN_JANET_DUL      RBL: Relay in JANET MAPS RBL+ DUL
>                              [60.215.113.19 listed in rbl-plus.mail-abuse.ja.net]
>   1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>                              [Blocked - see ]

How I have to do to get the score for the same message on my platform?

> Looking at this my Bayes scores it highly, but so does a 
> rules from the SARE_STOCKS rule set.  There are also a number 
> of network tests which get this.

And so? How do you justify this? What I miss?

Thanks,

rocsca


RE: ANTIDRUG rulesets

2007-02-12 Thread Rocco Scappatura
> Put a full email (including all headers) on a web page somewhere.

http://www.rocsca.it/it_by_confocal.out


RE: ANTIDRUG rulesets

2007-02-12 Thread Rocco Scappatura
> Antidrug has been merged into 20_drugs.cf from the standard 
> ruleset. If you read through the file, you'll find the 
> antidrug rules. It's about halfway down.

OK. Now Its all clear!! I have an old 'antidrug.cf' file in SA config
dir.. maybe this overcome 20_drugs.cf? I don't know.. but I have removed
it as well and restarted Amavisd-new, as Docs state for SA>3.0.1 (I have
SA 3.1.7).

But I note that some 'pharma message' still is not blocked.. Do I have
to install some other ruleset? (If yes how I have to configure automatic
update with rdj?)

thanks,

rocsca



ANTIDRUG rulesets

2007-02-12 Thread Rocco Scappatura
Hello,

SA doesn't block spam emails with pharmaceutical
contents..

I think I'm missing some ruleset. I can't figure out which..

I think that the more appropriate is antidrug.cf but on SA site I have
read that it is unnecessary..

But if I look into the dir of conf file of spamassassin I can't find
it.. Is it normal? Or I have to install it?

TIA,

rocsca


RE: Spamassassin does block some email

2007-02-09 Thread Rocco Scappatura
> > Speaking of ninjas one slipped in here and whispered in my ear that
> > the original problem rocsca had might benefit from the anti drug rules
> > on the SARE web site. He should read the various rule set descriptions
> > and pick those which fit his situation best.
> 
> Fine! I agree with you!! But I can't figure out what SARE 
> rules I have to use to block that email that SA does not block..
> 
> Moreover, could I update it with rules_du_jour?
> 
> PS: I have the following conf for rules_du_jour..
> 
> TRUSTED_RULESETS="TRIPWIRE RANDOMVAL BOGUSVIRUS";

Maybe I have to use the 70_sare_obfu*.cf ruleset files?

It seems to me that my SA configuration doesn't load them.. In fact I
have only these cf files other than those in the SA dir (/etc/mail/spamassassin):

path_to_SA/10_misc.cf
path_to_SA/20_advance_fee.cf
path_to_SA/20_anti_ratware.cf
path_to_SA/20_body_tests.cf
path_to_SA/20_compensate.cf
path_to_SA/20_dnsbl_tests.cf
path_to_SA/20_drugs.cf
path_to_SA/20_fake_helo_tests.cf
path_to_SA/20_head_tests.cf
path_to_SA/20_html_tests.cf
path_to_SA/20_meta_tests.cf
path_to_SA/20_net_tests.cf
path_to_SA/20_phrases.cf
path_to_SA/20_porn.cf
path_to_SA/20_ratware.cf
path_to_SA/20_uri_tests.cf
path_to_SA/23_bayes.cf
path_to_SA/25_accessdb.cf
path_to_SA/25_antivirus.cf
path_to_SA/25_body_tests_es.cf
path_to_SA/25_body_tests_pl.cf
path_to_SA/25_dcc.cf
path_to_SA/25_dkim.cf
path_to_SA/25_domainkeys.cf
path_to_SA/25_hashcash.cf
path_to_SA/25_pyzor.cf
path_to_SA/25_razor2.cf
path_to_SA/25_replace.cf
path_to_SA/25_spf.cf
path_to_SA/25_textcat.cf
path_to_SA/25_uribl.cf

PS: What other cf files are worth using without overloading the server?

BR,

rocsca


RE: Spamassassin does block some email

2007-02-09 Thread Rocco Scappatura
> Speaking of ninjas one slipped in here and whispered in my 
> ear that the original problem rocsca had might benefit from 
> the anti drug rules on the SARE web site. He should read the 
> various rule set descriptions and pick those which fit his 
> situation best.

Fine! I agree with you!! But I can't figure out what SARE rules I have
to use to block that email that SA does not block..

Moreover, could I update it with rules_du_jour?

PS: I have the following conf for rules_du_jour..

TRUSTED_RULESETS="TRIPWIRE RANDOMVAL BOGUSVIRUS";

BR,

rocsca


RE: Token expiration and MySQL

2007-02-07 Thread Rocco Scappatura
> Not without seeing -D output.  My guess is most of your 
> tokens are within a very small timestamp band.

Tonight I will collect the verbose debug output and submit it to you..

Thanks,

rocsca


RE: Spamassassin does block some email

2007-02-07 Thread Rocco Scappatura
> There has been quite a bit of discussion of these spams recently.
> 
> See the current "TVD_SILLY_URI_OBFU" thread.

I will do..

Thanks,

rocsca


Spamassassin does block some email

2007-02-07 Thread Rocco Scappatura

Hello,

SA doesn't succeed in blocking some email (lately there are many!), especially
email with pharmaceutical contents, where the name is disguised and
the links are changed, with a comment then added for obtaining the right link
to type in the address bar of the browser to reach the cheating site..

Could someone instruct me about this kind of spam?

BR,

rocsca


Token expiration and MySQL

2007-02-07 Thread Rocco Scappatura
Hello,

I have two different SpamAssassin installations on two different servers.
They store information on two different MySQL server databases.

On both I have scheduled several jobs for forcing expiration of tokens.
In crontab I have the following lines:


30 4 * * 0 sa-learn -u amavis --dump magic
40 4 * * 0 sa-learn --sync --force-expire
50 4 * * 0 sa-learn -u amavis --dump magic
0 5 * * 0 echo "optimize table bayes_expire, bayes_seen, bayes_token, awl;" | mysql -u bayes -h mysql2.sttspa.intranet -p* bayes

While on one server I see that tokens are regularly expired (for
example:

Date: Sun, 17 Dec 2006 04:40:38 +0100
From: Cron Daemon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Cron <[EMAIL PROTECTED]> sa-learn --sync --force-expire

expired old bayes database entries in 37 seconds
18682012 entries kept, 76418 deleted
token frequency: 1-occurrence tokens: 1.83%
token frequency: less than 8 occurrences: 0.33%

) on the other one I always get that the tokens are not expired (for
example:

Date: Sun, 4 Feb 2007 04:40:01 +0100
From: Cron Daemon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Cron <[EMAIL PROTECTED]> sa-learn --sync --force-expire
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Virus-Scanned: by amavisd-new

[16717] warn: FuzzyOcr: Cannot find executable for ocrad
[16717] warn: FuzzyOcr: Cannot find executable for pamthreshold
[16717] warn: FuzzyOcr: Cannot find executable for tesseract
expired old bayes database entries in 617 seconds
13109996 entries kept, 0 deleted
token frequency: 1-occurrence tokens: 79.61%
token frequency: less than 8 occurrences: 16.04%

)

Could someone explain why on the second machine the tokens are never
expired?

PS: The local.cf is the same on both machines and I don't get any
error message..

BR,

rocsca
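
A check for the two cron reports quoted in the post above, as an added example that is not part of the original message: it parses the summary that sa-learn prints after --force-expire and labels runs that kept every token. The thresholds, label names and function names are assumptions; the report text is copied from the post (one of the three FuzzyOcr warnings is kept for brevity).

```python
import re

EXPIRE_RE = re.compile(r"expired old bayes database entries in (\d+) seconds")
COUNTS_RE = re.compile(r"(\d+) entries kept, (\d+) deleted")
FREQ_RE = re.compile(r"token frequency: (.+?): ([\d.]+)%")
WARN_RE = re.compile(r"\[\d+\] warn: (.+)")

# Report bodies copied from the two cron mails in the post above.
SERVER_A = """\
expired old bayes database entries in 37 seconds
18682012 entries kept, 76418 deleted
token frequency: 1-occurrence tokens: 1.83%
token frequency: less than 8 occurrences: 0.33%
"""
SERVER_B = """\
[16717] warn: FuzzyOcr: Cannot find executable for ocrad
expired old bayes database entries in 617 seconds
13109996 entries kept, 0 deleted
token frequency: 1-occurrence tokens: 79.61%
token frequency: less than 8 occurrences: 16.04%
"""

def parse_expire_report(text):
    """Turn one sa-learn --force-expire report into a dict of its numbers."""
    rep = {"seconds": None, "kept": None, "deleted": None, "freq": {}, "warnings": []}
    for line in text.splitlines():
        if m := EXPIRE_RE.search(line):
            rep["seconds"] = int(m.group(1))
        elif m := COUNTS_RE.search(line):
            rep["kept"], rep["deleted"] = int(m.group(1)), int(m.group(2))
        elif m := FREQ_RE.search(line):
            rep["freq"][m.group(1)] = float(m.group(2))
        elif m := WARN_RE.search(line):
            rep["warnings"].append(m.group(1))
    return rep

def findings(rep, max_single_pct=50.0, max_seconds=300):
    """Return labels for a run that needs attention (thresholds are assumptions)."""
    out = []
    if rep["kept"] is None:
        out.append("no-expiry-summary")       # the job produced no counts at all
    elif rep["deleted"] == 0 and rep["kept"] > 0:
        out.append("nothing-expired")         # expiry ran but removed no tokens
    if rep["freq"].get("1-occurrence tokens", 0.0) > max_single_pct:
        out.append("mostly-single-occurrence-tokens")
    if rep["seconds"] is not None and rep["seconds"] > max_seconds:
        out.append("slow-expiry")
    if rep["warnings"]:
        out.append("plugin-warnings")
    return out

if __name__ == "__main__":
    for name, text in (("server A", SERVER_A), ("server B", SERVER_B)):
        print(name, findings(parse_expire_report(text)))
```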


Mail sent from Lotus Notes blocked

2007-01-19 Thread Rocco Scappatura

Hello,

I use amavisd-new. When I send emails from Lotus Notes they get blocked.

Even if they are "plain" messages. Indeed they are, however, MIME
messages.

I would like to verify if there is a way to analyse which tokens
raise the score so that the message is considered spam, while the
message is really a false positive.

TIA;

rocsca


RE: Expiring tokens in SA database

2007-01-17 Thread Rocco Scappatura
Hello,

> >> Do you compact the database afterwards?
> >> 
> >> Nigel
> >
> >No. How do I have to do it?
> >
> >rocsca
> 
> From the CL use something like this:
> 
> mysql -u root --password= -e "USE 
> spamassassin;OPTIMIZE TABLE awl, bayes_expire, bayes_seen, 
> bayes_token, bayes_vars;"
> 
> Your tables may differ slightly from mine, and some may have 
> no content at all; initially try compacting the one that's biggest.
> 

In fact, that was the problem!!

Many thanks,

rocsca


RE: AWL question

2007-01-17 Thread Rocco Scappatura
Thanks for your answer,

> > I have seen the awl contains email address with the value 'none' in 
> > the field 'IP'.
> >
> > Why is this field for some entries not correctly filled?
> 
> Perhaps it could be that mail was submitted locally (not with 
> SMTP), over IPv6 or that the IP address couldn't be extracted 
> for some other reason.

No, the email is not submitted locally and over TCP. So I think that it is
the second reason you have said.. But why could the IP not be
extracted? (I have many such cases!!!)

BR,

rocsca


RE: Expiring tokens in SA database

2007-01-17 Thread Rocco Scappatura
> Do you compact the database afterwards?
> 
> Nigel

No. How do I have to do it?

rocsca


Expiring tokens in SA database

2007-01-17 Thread Rocco Scappatura
Hello,

I'm using SA with MySQL.

I have two Amavisd-new servers, each talking with a different MySQL
server.

I run every night regularly this command:

sa-learn --sync --force-expire

for database maintenance.

I have noticed that on the first the 'bayes_token' table always occupies
about 1GB and the size never decreases even after I execute the command
above (see the output in the file attached), while on the second database
the same table occupies less space (about 250 MB).

It seems to me that the expiring doesn't work at all and I can't figure
out why.

Can somebody give an explanation?

TIA,

rocsca


sa-learn.out


AWL question

2007-01-17 Thread Rocco Scappatura
Hello,

I use SA storing data on MySQL databases.

I have seen that the awl contains email addresses with the value 'none' in the
field 'IP'.

Why is this field for some entries not correctly filled?

Thanks,

rocsca