Re: user_prefs not recognized?
On 2010-03-05 10:14, Karsten Bräckelmann wrote:

On Thu, 2010-03-04 at 15:41 -0600, Ron Johnson wrote:

On 2010-03-04 15:13, Karsten Bräckelmann wrote:

[snip]

How is SA called?

(Lines manually continued for easy reading.)

    # grep spam /etc/postfix/master.cf
    smtp inet n - n - - \
        smtpd -o content_filter=spamfilter:
    spamfilter unix - n n - - pipe
        flags=Rq user=spamfilter \
        argv=/usr/local/bin/spamfilter.sh \
        -f ${sender} -- ${recipient}

Are you using per-user configuration?

I think so. But that user=spamfilter makes me now think otherwise.

Hardly a postfix expert here, but I believe you are doing your spam filtering as the user spamfilter. Site-wide configuration, not per-user. The $HOME used is the one of spamfilter.

Hmmm.

Someone correct me, if I'm wrong. :)

I set this up years ago, and only now care about whitelisting.

I'd suggest to do it right from the beginning. That is, exclusively use the constraint rcvd or auth whitelisting variants. Also, is there any valid reason you need this to be per-user? As opposed to maintain a clean whitelisting site-wide anyway.

My wife and I don't need to white-list the same people.

Also, as I previously hinted -- a *need* for whitelisting often is caused by some mis-configuration or training. Whitelisting is very rarely necessary. Do you really need it?

I have noticed lately (maybe after the 3.3.0 upgrade) that the bayesian filter quite often thinks that ham is really 50% probability spam, sometimes even 100% spam. SA then adds a big section to the email saying why it thinks the message is spam. Does sa-learn know to skip over such stuff?

--
Ron Johnson, Jr.
Jefferson LA USA
If God had wanted man to play soccer, he wouldn't have given us arms. Mike Ditka
Re: user_prefs not recognized?
On 2010-03-04 15:41, Ron Johnson wrote:

On 2010-03-04 15:13, Karsten Bräckelmann wrote:

[snip]

How is SA called?

(Lines manually continued for easy reading.)

    # grep spam /etc/postfix/master.cf
    smtp inet n - n - - \
        smtpd -o content_filter=spamfilter:
    spamfilter unix - n n - - pipe
        flags=Rq user=spamfilter \
        argv=/usr/local/bin/spamfilter.sh \
        -f ${sender} -- ${recipient}

Are you using per-user configuration?

I think so. But that user=spamfilter makes me now think otherwise. I set this up years ago, and only now care about whitelisting.

Definitely looks like SA isn't being run from the individual users' accounts.

    m...@haggis:~$ spamassassin -D --lint 2> SA-debug.output.txt
    m...@haggis:~$ grep user_prefs SA-debug.output.txt
    Mar 5 11:32:48.538 [11220] dbg: config: using \
        /home/me/.spamassassin/user_prefs for user prefs file
    Mar 5 11:32:48.538 [11220] dbg: config: read \
        file /home/me/.spamassassin/user_prefs

    r...@haggis:~# spamassassin -D --lint 2> SA-debug.output.txt
    r...@haggis:~# grep user_prefs SA-debug.output.txt
    r...@haggis:~#

--
Ron Johnson, Jr.
Jefferson LA USA
If God had wanted man to play soccer, he wouldn't have given us arms. Mike Ditka
Re: Rule help
On 2010-03-05 14:51, Henrik K wrote:

On Fri, Mar 05, 2010 at 11:02:35AM -0500, Alex wrote:

Hi all, I'm having trouble with an elusive spam for the past few days with just re in the subject. It looks to be routed through hotmail.com, but doesn't have an SPF signature, so I don't really understand. Here's an example: http://pastebin.com/Lg63Xek4 I've trained probably 50 of these, yet they still have BAYES_50.

If you want to see what your bayes tokenizes in the message:

    spamassassin -t -D bayes < msg 2>&1 | grep bayes:

It may give you a hint why it doesn't work.

Will that ignore the Spam detection software, running on the system... stuff and just look at the real email that's now just an attachment?

--
Ron Johnson, Jr.
Jefferson LA USA
If God had wanted man to play soccer, he wouldn't have given us arms. Mike Ditka
user_prefs not recognized?
Hi,

I want my users (it's a small at-home setup of fetchmail, postfix, SA and courier-imap) to be able to whitelist certain users.

This is what my various config files look like:

    $ tail -n1 /etc/spamassassin/local.cf
    allow_user_rules 1

    $ cat ~/.spamassassin/user_prefs
    header L_TO_ME ToCc =~ /ron\.l\.johns...@cox\.net/
    describe L_TO_ME Email addressed to me
    score L_TO_ME 0.010
    whitelist_from nytdir...@nytimes.com

After adding allow_user_rules to local.cf, I bounced SA by doing:

    # /etc/init.d/spamassassin restart

The L_TO_ME stuff I got from the wiki page: http://wiki.apache.org/spamassassin/UserPrefRuleTest

If relevant, this is Debian Sid, running v3.3.0-1

Thanks

--
Ron Johnson, Jr.
Jefferson LA USA
If God had wanted man to play soccer, he wouldn't have given us arms. Mike Ditka
Re: user_prefs not recognized?
On 2010-03-04 15:13, Karsten Bräckelmann wrote:

On Thu, 2010-03-04 at 14:36 -0600, Ron Johnson wrote:

I want my users (it's a small at-home setup of fetchmail, postfix, SA and courier-imap) to be able to whitelist certain users.

You do *not* need allow_user_rules, to enable per-user whitelist_* or blacklist_* settings. See the docs [1], and pay special attention to the first sentence in the User Preferences section. Also note that Whitelist and Blacklist Options is a sub-section of this. :)

Already read this: full/3.3.x/doc/Mail_SpamAssassin_Conf.html#user_preferences

On a related note, the plain whitelist_from without a rcvd or auth constraint is dangerous to use. If possible, always use the constraint ones, and the plain one strictly as a fall-back if there is no other possibility -- and you really need the whitelist. In almost all cases, you don't, and the real problem (if any) goes by unnoticed.

Right. I wanted to get the simple stuff working first; then the more complicated configurations.

This is what my various config files look like:

    $ tail -n1 /etc/spamassassin/local.cf
    allow_user_rules 1

    $ cat ~/.spamassassin/user_prefs
    header L_TO_ME ToCc =~ /ron\.l\.johns...@cox\.net/
    describe L_TO_ME Email addressed to me
    score L_TO_ME 0.010

For this, you need allow_user_rules 1.

    whitelist_from nytdir...@nytimes.com

For this, you don't.

OK.

However, you did *not* show any evidence, headers, or whatever, that the L_TO_ME user rule does not work...

In Thunderbird View-Message Source, I searched for L_TO_ME. Am I fundamentally *wrong* about something here?

How is SA called?

(Lines manually continued for easy reading.)

    # grep spam /etc/postfix/master.cf
    smtp inet n - n - - \
        smtpd -o content_filter=spamfilter:
    spamfilter unix - n n - - pipe
        flags=Rq user=spamfilter \
        argv=/usr/local/bin/spamfilter.sh \
        -f ${sender} -- ${recipient}

Are you using per-user configuration?

I think so. But that user=spamfilter makes me now think otherwise. I set this up years ago, and only now care about whitelisting.

[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

--
Ron Johnson, Jr.
Jefferson LA USA
If God had wanted man to play soccer, he wouldn't have given us arms. Mike Ditka
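
The advice in this thread to prefer the rcvd- or auth-constrained whitelist variants over plain whitelist_from (given above and again in the 2010-03-05 reply) can be seen in a small model. This is an added example, not part of the original posts and not SpamAssassin's own code: a simplified Python model of how the three directives decide. The addresses, hostnames and the `relay_rdns` / `auth_pass` fields are constructed, and address entries are compared literally (glob patterns are left out).

```python
# Constructed user_prefs lines; address and domain are placeholders.
USER_PREFS = """\
whitelist_from       news@example.com
whitelist_from_rcvd  news@example.com  example.com
whitelist_auth       news@example.com
"""

# Constructed messages, reduced to the three facts the directives look at.
GENUINE = {"from": "news@example.com", "relay_rdns": "mail.example.com", "auth_pass": True}
FORGED = {"from": "news@example.com", "relay_rdns": "host-203-0-113-7.example.net", "auth_pass": False}


def parse(prefs):
    """Return [(directive, [args])] for each non-empty, non-comment line."""
    entries = []
    for line in prefs.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            entries.append((directive, args))
    return entries


def rdns_matches(rdns, wanted):
    """The rcvd constraint: relay rDNS is the given hostname or lies inside that domain."""
    rdns, wanted = rdns.lower(), wanted.lower()
    return rdns == wanted or rdns.endswith("." + wanted)


def whitelist_hits(entries, msg):
    """Directives that would whitelist msg under this simplified model."""
    hits = []
    for directive, args in entries:
        if args[0].lower() != msg["from"].lower():
            continue
        if directive == "whitelist_from":
            hits.append(directive)  # the sender-supplied From address alone decides
        elif directive == "whitelist_from_rcvd" and rdns_matches(msg["relay_rdns"], args[1]):
            hits.append(directive)  # also needs the handing-over relay to match
        elif directive == "whitelist_auth" and msg["auth_pass"]:
            hits.append(directive)  # also needs SPF/DKIM to authorise the sender
    return hits


if __name__ == "__main__":
    entries = parse(USER_PREFS)
    print("genuine:", whitelist_hits(entries, GENUINE))
    print("forged: ", whitelist_hits(entries, FORGED))
```

The forged message is whitelisted only by the plain whitelist_from line, which is the fall-back case the reply warns about.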
Re: sudden deluge of university spams
Ramprasad writes:

I am doing regex match something like /1 *- *2 *2 *- *3 *3 */ Any inputs ?

Yes, as SA collapses multiple spaces down to a single space (in 'body' tests), you only need to look for a single instance of the space, not an unlimited number. Also you can omit that final ' *' as it's an optional tail match, thus the rule will work without it. IE: /1 ?- ?2 ?2 ?- ?3/

Wow SA is doing a lot of work already. Can I also have a collapsed body string with all whitespaces removed so I could do

    collapsedbody BADNUMBER /1-22-33/
    score BADNUMBER 10

I think this will also help get rid of the genu ine uni versity degre es

With the side issue of The pen is mightier than the sword and many other potential accidents. IOW handle with care.
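
The trade-off discussed in this message, as an added example that is not part of the original post: a Python model of the two normalisations, run over constructed sample bodies. `collapse` is a simplified stand-in for the 'body' view described above, `squeeze` models the hypothetical collapsedbody, and the DEGREE and WORD rules and all sample texts are assumptions made for the illustration.

```python
import re

# Patterns quoted in the thread. SHORTENED relies on whitespace already being collapsed.
ORIGINAL = re.compile(r"1 *- *2 *2 *- *3 *3 *")
SHORTENED = re.compile(r"1 ?- ?2 ?2 ?- ?3")

# Rules for the hypothetical "collapsedbody" (all whitespace removed).
# WORD is a constructed rule of the kind behind the "pen is mightier" remark.
SQUEEZED_RULES = {
    "BADNUMBER": re.compile(r"1-22-33"),
    "DEGREE": re.compile(r"genuineuniversitydegrees", re.I),
    "WORD": re.compile(r"penis", re.I),
}

# Constructed sample bodies: (text, is_spam)
SAMPLES = [
    ("Get your genu ine uni versity degre es today", True),
    ("Call 1 -  22 -   33 for details", True),
    ("The pen is mightier than the sword", False),
    ("Lunch at 12? Bring 33 copies.", False),
]


def collapse(body):
    """Simplified model of the 'body' view: whitespace runs become one space."""
    return re.sub(r"\s+", " ", body).strip()


def squeeze(body):
    """The proposed collapsedbody: every whitespace character removed."""
    return re.sub(r"\s+", "", body)


def evaluate(normalise, rules, samples=SAMPLES):
    """Return (hits on spam, hits on ham) as lists of (rule, original text)."""
    on_spam, on_ham = [], []
    for text, is_spam in samples:
        view = normalise(text)
        for name, rx in rules.items():
            if rx.search(view):
                (on_spam if is_spam else on_ham).append((name, text))
    return on_spam, on_ham


if __name__ == "__main__":
    for label, fn, rules in (
        ("collapse", collapse, {"BADNUMBER": SHORTENED}),
        ("squeeze", squeeze, SQUEEZED_RULES),
    ):
        spam_hits, ham_hits = evaluate(fn, rules)
        print(label, "spam hits:", spam_hits, "ham hits:", ham_hits)
```

Squeezing catches both obfuscated spam samples but also fires on the proverb, which is why a score of 10 on such a rule is risky.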
Re: Can SA be used to implement greylisting?
Steven W. Orr writes: And this is my point. SA *DOESN'T* work on messages after they have been received. Since I use spamass-milter, SA sees the messages before reception is completed. (You're free to do otherwise.) Then when SA decides that the message doesn't conform to its high standards, the report of that fact goes back to spamass-milter which then returns status back to sendmail. The current result is a reject 5xx status. So all we need is for SA to manage one extra table and to allow some sort of reportage that spamass-milter could be mucked to understand. Is this making sense? Yes. And if you can manage to do the heavy lifting a lot of people will thank you. (I have little problem accepting that you can do pretty much anything via milter. But there's enough stuff that looks tricky that I'd be surprised if it goes high on anybody's todo list) To get back to your original point (memory resident versus databases) there are some interesting setups that you can look at using mimedefang. http://whatever.frukt.org/mimedefangfilter.text.shtml and from the wiki: http://www.mimedefang.com/kwiki/index.cgi?Greylisting I understand, you're probably not interested in mimedefang. Still worth a look IMO.
Re: Idea for new SA Rule
Paolo Cravero as2594 writes: Gustafson, Tim wrote: Could SpamAssassin benefit from a filter that would actually check the spelling of the text parts of the message, and if misspelled words exceeds, for example, 50%, then we can add a few points to the SPAM score? I'm not sure how to begin coding this, but I think it should be pretty easy (using pSpell or aSpell or something) and I think it would be a very useful tool. And how would you deal with messages in other languages? Over here 99% of messages in English are spam! AFAIK there's no language indicator in email messages. Don't know if anybody's really interested in the details, but I can tell you that you can make a fairly reliable guess as to language. One of the guys at work here fires back an automated message in the language of the sender (the choices here are French and English, but there's no particular reason Italian couldn't be handled)
Re: Annoying spammer
Evan Platt writes: Well, as if there's a NON annoying spammer.. I'm getting HAMMERED with the re: Hello spams. http://www.espphotography.com/stopthisspammer.txt Best way I can see to drop this guy is to block on The Bat! (v3.62.14) Home in the header. Near as I can see searching my 4+ years of archived messages and mailing list, I have yet to see this string appear in ANY legitimate mail. Wouldn't work for me. One very active user chose The Bat as his mail client. No idea why, but I know he chose it after a fair amount of checking. Any compelling reason not to, or does anyone see a better way to put this spam in the bitbucket? And yes, I have been feeding these to sa-learn. Evan
[now OT] Re: Google search as spam URI
Chris Santerre writes: Hah! Am I reading that right? Translate English to English! I give them 1 point for coming up with that one. OT, but I recall reading that there are at least two English to English translation books published. Guides for people who've learned English and are having problems when what is said doesn't match the intended meaning. Only recall one example. The phrase I hear you. To somebody who's learned English that means, I understand your point and grant that it may be valid Where the intended meaning is, I don't want to talk about this any longer Mentioned in the Economist. Wish I'd saved the article.
Re: Antidrug.cf deprecated and no longer maintained.
Matt Kettler writes: At 09:36 PM 11/29/2005, mouss wrote: it would be good to make the file empty, only containing this info. this way, even those who miss this message (and the previous one) still have a chance to get the info. Yes, but there are still users out there that aren't using SA 3.0.x due to perl version problems. For them, I still wish to make the file available. How about a pre-3.0 version (last meaningful version) and post-3.0 (mouss's suggestion)
Re: Antidrug.cf deprecated and no longer maintained.
Matt Kettler writes: At 10:33 AM 11/30/2005, Ron Johnson wrote: Matt Kettler writes: At 09:36 PM 11/29/2005, mouss wrote: it would be good to make the file empty, only containing this info. this way, even those who miss this message (and the previous one) still have a chance to get the info. Yes, but there are still users out there that aren't using SA 3.0.x due to perl version problems. For them, I still wish to make the file available. How about a pre-3.0 version (last meaningful version) and post-3.0 (mouss's suggestion) Is that mouss's suggestion? I read his message as suggesting that I wipe-out the contents of antidrug.cf and replace it with a notice. Sorry, Ron needs an editor. What I was suggesting was. a) pre-3.0 (last meaningful version) b) post-3.0 (no contents beyond a notification message -- as mouss suggested)
Re: [FW: spam control
The Doctor writes:

- Forwarded message from Angry and Concerned Customer -

All right, the short and simple is that Spam-Assassin may not be doing the correct job. This user has a whitelist in place and some e-mail are getting the label of spam. Even some of my cron jobs are getting a [SPAM] label when they shouldn't. Why?

What version are you running? Are you running any additional rulesets? Have you written any custom rules yourself? Do you have bayes enabled? If so, are you running with autolearn? Do you have AWL enabled? (If so, you may want to start over)

You need to find out what rules your false positives are tripping over. I personally find it convenient to run the false positives manually (though that's really not required)
Re: Exchange/Outlook - how do you learn spam?
Jon Dossey writes:

I'm sure a lot of us have a similar setup, linux/bsd mx gateways (running SA) relaying mail to Exchange, and Outlook clients. I'm just curious how everyone handles learning? It seems like a lot of people recommend a public folder for users to dump spam in, but how do you get it back out into a useable format that sa-learn will understand? Saving messages out of Outlook (for me anyway) into a txt file removes all the internet headers. So how else do you handle getting your messages back out of exchange/outlook, and sa-learn'ed?

You need to setup the public folder so that messages placed there are not treated as a forward. Under properties/Administration set Drag/Drop posting is a: Move/Copy

After which: Well the way I do it is via IMAP. Started from a script: http://www.dmzs.com/tools/files/spam/DMZS-sa-learn.pl And modified it a bit to suit my needs. (basically tossed in a call to formail so I can have a text copy that I can work with if need be)
Re: sendmail installation saught
MC writes:

Kirk D Bailey General Mismanager wrote:

I want to use spamassassin with sendmail. Maybe it's buried on the website, but I am not finding instructions on how to use it with sendmail MTA. Can anyone point me at the procedure to do this?

You could also go along the MimeDefang path which I find does a pretty good job at integrating a lot of features quite easily.

Piling on to second the motion. Mimedefang has a superb HowTo http://www.mickeyhill.com/mimedefang-howto/ (and a very responsive mailing list -- poke around at mimedefang.com) Of course it's far from the only choice, but it does turn the trick.
Re: Confession and rage
Chris Santerre writes: *snip* Cliffs: Hairdresser is spamming anyone with an account. Do I: - Show up and try to convince her what a horrible thing she is doing? Yup. FWIW I had a similar experience. I thought I'd convinced the person I talked to that spamming was a losing proposition. What I discovered was that they'd stopped doing the spams themselves. And about a year later had hired professional spammers. Sigh. Still won't do business with them and (as I pointed out to them initially) I'd really like to. - Simply ban their domain from my mailserver and report them to the RBLs? Yup. And tell her you will. Tell her she is about to get all her emails blocked from 3/4 of the earth. Do NOT place false appointments. Do not hack site. DO Educate. Note: Make sure you do all this AFTER they cut your hair :) Coward. I think he'd look good in a pink Mohawk.
Re: [2.64] FORGED_MUA_OUTLOOK buggy
Kris Deugau writes:

Per Jessen wrote:

So the question is - what is the need for maintaining 2.64?

Little to none, IMO. I'm baffled by what people are doing to their poor servers to make them break the way I constantly see reported on this list and elsewhere. g

Show of hands, who's still on 2.64 with no exact plans to upgrade?

Here; 3 systems. I have no reason to upgrade at the moment because everything's working Just Fine Thanks. Also, 3.0x has been reported to be more of a resource hog than 2.x, and one system is near its limits (although MTA-level RBLs have dropped the spam rate to ~4:1 from ~10:1 spam:ham, and the message volume has gone down by a factor of ~5).

Here: One system. Pretty much the same logic as Kris. I'm loath to fix what doesn't seem to be broken.
Re: SPAMASSASSIN ON RELAY HOST ???
[EMAIL PROTECTED] writes: If I want to install spamassassin on a SENDMAIL relay host that relays to an internal machine, how do I do ?. As others have said, easy enough. I'd suggest you start without SA -- simply ensure that the relay host can deliver to your internal host(s). We maintain a copy of aliases on the relay host. Other choices are available. You can for instance find examples using LDAP. You need to figure out how you're going to keep address resolution on the relay host in sync with your internal system(s). After you've got delivery stable (and I don't want to seem like it's a big deal -- it's not that tough) *then* introduce SA. I'll second the suggestion of calling SA through MimeDefang. (Of course lots of other approaches will work)
Re: slightly OT: sudden rise in Rumplestiltskin attacks?
Christopher X. Candreva writes:

On Tue, 26 Oct 2004, Dave Duffner - NWCWEB.com wrote:

The Con is we see tons of sludge when a dictionary attack comes forth, if we had a method to simply reject that with a 550 or other response that'd leave just the important sludge so we can continue to write the SA rules and keep up the pace.

OK -- remember in your original question you wanted to 'reject' any mail to a non-valid account, not add a bunch of points to. :-) Sounds like this would have to be custom, in terms of getting SA a list of your valid users. Also, if you do 'reject', make sure you do so in the original SMTP dialog, or silently throw it away. Since these will almost all have bogus return addresses to you do not want to accept then bounce. (Sorry if this is obvious, I'm going on your original question).

I agree. And to me that makes it clear to use some kind of sendmail/milter approach. I know of people using Mimedefang who use an LDAP (of course it doesn't have to be LDAP) check before SA is invoked.

Seems to me that using some kind of Milter (I'd do it in Mimedefang, but that's because I'm already using it) you could do something like:

Does user exist? Process normally
Did user ever exist? Bounce.
User never existed? Do something like the old spamshield (deny access to the sending system. Choose your method)

Heavy lifting left to others. (Won't be hard to dig up code for an LDAP check)
Re: bayes not able to be used
Ronan writes:

Ron Johnson wrote:

Ronan writes:

Answering Matt's question:

    debug: bayes: found bayes db version 2
    bayes: bayes db version 2 is not able to be used, aborting! at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/BayesStore/DBM.pm line 160.

No.

i don't know what you mean here when u say no...

The sa-learn --sync converts the bayes db from version 2 to version 3. You still have version 2. So you haven't *successfully* run the sync, and nothing is going to work until you get this to run successfully. Since I run SA through mimedefang I had to run my sync:

    su defang -c "sa-learn -D --prefs-file=/etc/mail/sa-mimedefang.cf --sync"

Possibly that's your problem, your first sync ran on the wrong db.

Matt Kettler wrote:

At 02:50 PM 10/20/2004 +0100, Ronan wrote:

help? upgrade bayes DB???

Did you run sa-learn --sync, as per the UPGRADE document?

yes

And anticipating the next problem, unless you need NFS safe locks, put lock_method flock in your local.cf

ok i have :
Re: The definitive SPF How-to
Daulton, Douglas writes: Could someone point me to the definitive SPF how-to? If there's something better than: http://spf.pobox.com/dns.html I'd be glad to hear about it.