Issue RAZOR

2017-06-28 Thread Villalba Moreno Sergio
Hello and good afternoon,

Could you help me solve the problem that we have with Razor:

https://www.mail-tester.com/web-13coh=3


We have spent 3 weeks trying to solve the problem.

Thank you.

Sergio Villalba Moreno
IT Department

DEKRA Testing and Certification, S.A.U.

Parque Tecnológico de Andalucía
Severo Ochoa, 2 & 6 | 29590 | Málaga | Spain
Phone: +34 952 619 823
Fax: +34 95 261 91 13
sergio.villa...@dekra.com | 
www.dekra-product-safety.com/wireless

DEKRA. On the safe side.

Please consider the environment before printing this email.
IMPORTANT NOTICE
The information contained in this e-mail is intended for the named recipients 
only. It may contain privileged and confidential information and if you are not 
the intended recipient you must not copy, distribute or take any action in 
reliance upon it. If you have received this e-mail in error, please notify us 
immediately by e-mail or telephone.



Re: Anyone else just blocking the ".top" TLD?

2016-04-28 Thread Sergio
This is what I block:
(bid|book|click|club|cricket|date|democrat|directory|download|faith|help|link|ninja|party|press|pro|racing|reviews?|rocks|science|site|social|space|top|uno|webcam|website|work|win|xyz)


I will add some from what you have been posting, thanks.

Sergio

On Wed, Apr 27, 2016 at 5:39 PM, @lbutlr <krem...@kreme.com> wrote:

> On Apr 27, 2016, at 2:06 PM, Olivier Coutu <olivier.co...@zerospam.ca>
> wrote:
> > I have affected a hefty penalty in SA to any mail that comes from one of
> these TLDs:
> >
> >
> (party|science|click|link|faith|racing|win|zip|review|country|kim|cricket|work|gq|date|lol|top|download|space|site|online)
>
> Are you doing this with the cooperation of Amavis?
>
> (I’ve had no luck with adding scoring rules to local.cf that amavis
> recognizes.)
>
> --
> Friends help you move. Real friends help you move bodies.
>
>
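An added example, not from the thread, showing why a TLD alternation like the two lists posted above has to be anchored to the last label of the sender domain before it goes into a rule: used unanchored, entries such as `pro`, `top` or `win` match inside ordinary domains. The TLD list is the union of Sergio's and Olivier's lists; the From: headers it is run against are constructed for the example.

```python
import re
from email.utils import parseaddr

# Union of the two TLD lists posted in the thread.
BLOCKED_TLDS = (
    "bid|book|click|club|cricket|date|democrat|directory|download|faith|help|"
    "link|ninja|party|press|pro|racing|reviews?|rocks|science|site|social|"
    "space|top|uno|webcam|website|work|win|xyz|"
    "zip|review|country|kim|gq|lol|online"
)

# The alternation as it would behave if dropped into a rule unchanged.
UNANCHORED = re.compile(r"(?:%s)" % BLOCKED_TLDS, re.I)
# Anchored form: a dot before the TLD and end-of-string after it, so only the
# last label of the domain can match.
ANCHORED = re.compile(r"\.(?:%s)$" % BLOCKED_TLDS, re.I)


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header ('' if there is none)."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].rstrip(".").lower()


def blocked_tld(from_header: str, anchored: bool = True) -> bool:
    """True when the sender domain's TLD is on the block list."""
    domain = sender_domain(from_header)
    if not domain:
        return False
    pattern = ANCHORED if anchored else UNANCHORED
    return pattern.search(domain) is not None


# Constructed sample headers: two real hits, three domains that only an
# unanchored match would catch, and one that neither should catch.
SAMPLES = [
    '"Win Big" <promo@example.top>',
    "noreply@download.example.xyz",
    "Alice <alice@laptop-store.example.com>",   # "top" inside "laptop"
    "Bob <bob@protonmail.com>",                  # "pro" inside "protonmail"
    "Carol <carol@mail.top.example.com>",        # .top is not the TLD here
    "Dave <dave@example.co.uk>",
]


def report(samples=SAMPLES):
    """Per sample: (domain, unanchored verdict, anchored verdict)."""
    return [
        (sender_domain(s), blocked_tld(s, anchored=False), blocked_tld(s))
        for s in samples
    ]


if __name__ == "__main__":
    for domain, loose, strict in report():
        print(f"{domain:32} unanchored={loose!s:5} anchored={strict}")
```

In a SpamAssassin header rule the same anchoring is `From:addr =~ /\.(bid|book|...|xyz)$/i`; the trailing `$` is what keeps `laptop-store.example.com` and `mail.top.example.com` out of the hit list.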


Fwd: Where to download the latest KAM rules?

2015-05-12 Thread Sergio
Thank you, Larry.

-- Forwarded message --
From:
Date: Sun, May 10, 2015 at 2:19 PM
Subject: Re: Where to download the latest KAM rules?

On 2015-05-10 15:11, Sergio wrote:

  Hi,
where is the best place to download the latest KAM rules?

Thanks in advance.

Sergio

http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
 --
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Where to download the latest KAM rules?

2015-05-10 Thread Sergio
Hi,
where is the best place to download the latest KAM rules?

Thanks in advance.

Sergio


Fwd: help with a syntax rule appreciated

2014-07-09 Thread Sergio
Hi all,
first of all, big thanks for all the inputs.

I am seeing a nice quantity of blocked spammers; it was really a high rate
of them, and KAM, you, as always, are right. It is producing some FPs along
the way, but of the 640 blocked emails less than 1 percent were FPs, and those
FPs are being taken care of with a whitelist. So, for me, at the moment the
rule is working great.

@ Benny Pedersen and RW, you wrote:

Benny:

 Or just

 blacklist_from *.(com|net|org|biz)@*.*

 More simple and should do the same imho

RW:

blacklist_from *=*.(com|net|org|biz)@*.*

How do you set this rule? This is a new type of rule for me :)

Once again, thanks for your inputs.

Sergio


On Wed, Jul 9, 2014 at 7:19 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:

 On 7/9/2014 9:08 AM, RW wrote:

 VERP and similar schemes work on the envelope, so checking the From
 header should be relatively safe.


 Not debating that point because it's not really my point.  I'm trying to
 focus on the fact that the existence of the schema he is looking for with
 the rule looks to me to be likely indicative of simply being from some
 mailing list and bulkmail providers and hence likely prone to significant
 FPs.

 Regards,
 KAM



help with a syntax rule appreciated

2014-07-08 Thread Sergio
Hi all,
it's been a long time since I bothered you with my doubts; sorry if this has
been posted before, and your help is appreciated.

I have been hammered with a lot of spam that comes like this in the From:

Example list:
bounces+974322-5ea9-user=domain@sendgrid.info
harprefinancelender-user=domain@formmobily.com
fldelitylife-user=domain@bajarvideos.net
whoswho-user=domain@bayangpinoy.com
garanciacambogia-user=domain@mymedcases.com
oceansbounty-user=domain@myivr.com
amazoncoupons-user=domain@lastawhdak.com

These are the headers from amazoncoupons-user=domain@lastawhdak.com:

Message Headers:
Received: from tech.lastawhdak.com ([23.254.130.183]:5780)
 by server.domain.com with esmtp (Exim 4.82)
 (envelope-from AmazonCoupons-user=domain@lastawhdak.com)
 id 1X4VcB-004Aw1-EW
 for u...@domain.com; Tue, 08 Jul 2014 08:39:23 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=LASTAWHDAK.COM;
 h=Mime-Version:Content-Type:Message-Id:Date:From:To:Subject;
 i=amazoncoup...@lastawhdak.com;
 bh=VixSKqSnPl10ughWH0h+w7BHHVg=;
 b=fSr1ulVa9jHHrl9uO6cwHVfcn/7XO1trKlZqYwyWjhB0QF19t7mkqx8GeF9j6eA6N7gAqTL+EyXA
 5ZIEPBli4fsSqced4ZwhNnc3SCFzGk+V6dqZCbVYsfUcO9hxFybv/YsHq00aiU7tbxbagvX96c/W
 B7/2YgktkeAXy/D6aos=
Received: by tech.LASTAWHDAK.COM id hnfq3o0001gp for u...@domain.com;
 Tue, 8 Jul 2014 13:18:07 + (envelope-from AmazonCoupons-user=domain@lastawhdak.com)
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary=becf-9486-0840-97dd-1672-cc2d-bab3-5594
Message-Id: 49553babd2cc2761dd7904806849fceb.10158442971ce...@lastawhdak.com
Date: Tue, 8 Jul 2014 13:18:07 +
From: Amazon Coupons amazoncoup...@lastawhdak.com
To: u...@domain.comt
Subject: =?utf-8?B?Q29uZ3JhdHVsYXRpb25zIG9uIHlvdXIgQW1hem9uIFN1cnZleSBSZXdhcmQ=?=
From: amazoncoupons-user=domain@lastawhdak.com

I have created the following rule, because I thought that I could block any
From that includes a domain name with the extensions .com or .net or .org
or .biz before @

header BLACKLIST_REGEX From:address =~ /\=.*\.(com|net|org|biz)\@/i
score  BLACKLIST_REGEX 5

But it is not working; the rule is not catching any of the From addresses
from the example list above.

I have also tried but with no luck:

header BLACKLIST_REGEX From =~ /\=.*\.(com|net|org|biz)\@/i
score  BLACKLIST_REGEX 5

So, my question is: do I have to check the Received header instead?
Something like:

header BLACKLIST_REGEX Received =~ /\=.*\.(com|net|org|biz)\@/i
score  BLACKLIST_REGEX 5

Or if you have a better way on doing this, your advice is appreciated.

Best Regards,

Sergio


Re: help with a sintax rule appreciated

2014-07-08 Thread Sergio
It seems that my rule using Received instead of From did the trick; the
rule is working now.

Thanks!

Regards,

Sergio


On Tue, Jul 8, 2014 at 10:43 PM, Sergio sec...@gmail.com wrote:

 Hi all,
 it's been a long time since I bothered you with my doubts; sorry if this has
 been posted before, and your help is appreciated.

 I have been hammered with a lot of spam that comes like this in the from:

 Example list:
 bounces+974322-5ea9-user=domain@sendgrid.info
 harprefinancelender-user=domain@formmobily.com
 fldelitylife-user=domain@bajarvideos.net
 whoswho-user=domain@bayangpinoy.com
 garanciacambogia-user=domain@mymedcases.com
 oceansbounty-user=domain@myivr.com
 amazoncoupons-user=domain@lastawhdak.com

 These are the headers from amazoncoupons-user=domain@lastawhdak.com:

 Message Headers:
 Received: from tech.lastawhdak.com ([23.254.130.183]:5780)
  by server.domain.com with esmtp (Exim 4.82)
  (envelope-from AmazonCoupons-user=domain@lastawhdak.com)
  id 1X4VcB-004Aw1-EW
  for u...@domain.com; Tue, 08 Jul 2014 08:39:23 -0500
 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=
 LASTAWHDAK.COM;
 h=Mime-Version:Content-Type:Message-Id:Date:From:To:Subject; i=
 amazoncoup...@lastawhdak.com;
 bh=VixSKqSnPl10ughWH0h+w7BHHVg=;

 b=fSr1ulVa9jHHrl9uO6cwHVfcn/7XO1trKlZqYwyWjhB0QF19t7mkqx8GeF9j6eA6N7gAqTL+EyXA

 5ZIEPBli4fsSqced4ZwhNnc3SCFzGk+V6dqZCbVYsfUcO9hxFybv/YsHq00aiU7tbxbagvX96c/W
 B7/2YgktkeAXy/D6aos=
 Received: by tech.LASTAWHDAK.COM id hnfq3o0001gp for u...@domain.com;
 Tue, 8 Jul 2014 13:18:07 + (envelope-from AmazonCoupons-user=
 domain@lastawhdak.com)
 Mime-Version: 1.0
 Content-Type: multipart/alternative;
 boundary=becf-9486-0840-97dd-1672-cc2d-bab3-5594
 Message-Id: 
 49553babd2cc2761dd7904806849fceb.10158442971ce...@lastawhdak.com
 Date: Tue, 8 Jul 2014 13:18:07 +
 From: Amazon Coupons amazoncoup...@lastawhdak.com
 To: u...@domain.comt
 Subject:
 =?utf-8?B?Q29uZ3JhdHVsYXRpb25zIG9uIHlvdXIgQW1hem9uIFN1cnZleSBSZXdhcmQ=?=
 From: amazoncoupons-user=domain@lastawhdak.com

 I have created the following rule, because I thought that I could block
 any From that includes a domain name with the extensions .com or .net or
 .org or .biz before @

 header BLACKLIST_REGEX From:address =~ /\=.*\.(com|net|org|biz)\@/i
 score  BLACKLIST_REGEX 5

 But it is not working, the rule is not catching any of the From from
 above example list.

 I have also tried but with no luck:

 header BLACKLIST_REGEX From =~ /\=.*\.(com|net|org|biz)\@/i
 score  BLACKLIST_REGEX 5

 So, my question is, Do I have to go and better check for the Received ?
 Something like:

 header BLACKLIST_REGEX Received =~ /\=.*\.(com|net|org|biz)\@/i
 score  BLACKLIST_REGEX 5

 Or if you have a better way on doing this, your advice is appreciated.

 Best Regards,

 Sergio
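An added example, not part of the thread, that walks through why the From: rule above matched nothing while the Received: rule did. In the pasted headers the From: address is amazoncoup...@lastawhdak.com; the `user=domain@` form appears only in the envelope-from that Exim records inside Received:, which is RW's point that VERP works on the envelope. The message below is constructed from those headers, with the anonymised `user=domain` placeholder replaced by `user=example.com` so the dotted recipient domain the regex needs is present; a second constructed message with a plain envelope sender, and the sendgrid address from the example list, show what the pattern does and does not catch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the thread's headers; "user=domain" replaced by
# "user=example.com" and the elided addresses filled in with example.com.
SAMPLE = """\
Received: from tech.lastawhdak.com ([23.254.130.183]:5780)
\tby server.domain.com with esmtp (Exim 4.82)
\t(envelope-from <AmazonCoupons-user=example.com@lastawhdak.com>)
\tid 1X4VcB-004Aw1-EW
\tfor user@example.com; Tue, 08 Jul 2014 08:39:23 -0500
Received: by tech.LASTAWHDAK.COM id hnfq3o0001gp for user@example.com;
\tTue, 8 Jul 2014 13:18:07 +0000 (envelope-from AmazonCoupons-user=example.com@lastawhdak.com)
From: Amazon Coupons <amazoncoupons@lastawhdak.com>
To: user@example.com
Subject: test

body
"""

# Constructed legitimate message: ordinary envelope sender, no VERP encoding.
LEGIT = """\
Received: from mail.example.org ([192.0.2.10]:25)
\tby server.domain.com with esmtp (Exim 4.82)
\t(envelope-from <alice@example.org>)
\tid 1X4VcC-0004Bx-AA
\tfor user@example.com; Tue, 08 Jul 2014 09:00:00 -0500
From: Alice <alice@example.org>
To: user@example.com
Subject: hello

body
"""

# First address from the thread's example list, domain placeholder filled in.
SENDGRID_SENDER = "bounces+974322-5ea9-user=example.com@sendgrid.info"

# The regex from the thread's rule.
THREAD_RE = re.compile(r"\=.*\.(com|net|org|biz)\@", re.I)
# Tighter form: what sits between '=' and '@' must itself be one domain, so
# '.*' cannot span unrelated text when the rule runs over a whole header.
TIGHT_RE = re.compile(r"=[a-z0-9.-]+\.(com|net|org|biz)@", re.I)
ENVELOPE_FROM_RE = re.compile(r"envelope-from\s+<?([^\s>)]+)>?", re.I)


def from_address(msg) -> str:
    """Address part of the From: header."""
    return parseaddr(msg.get("From", ""))[1]


def envelope_senders(msg):
    """Every envelope-from recorded in Received: headers, outermost first."""
    senders = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold continuation lines
        m = ENVELOPE_FROM_RE.search(flat)
        if m:
            senders.append(m.group(1))
    return senders


def verp_hits(raw_message: str, pattern=THREAD_RE):
    """Where the pattern matches: the From: address, and each envelope-from."""
    msg = message_from_string(raw_message)
    return {
        "from": pattern.search(from_address(msg)) is not None,
        "envelope": [pattern.search(a) is not None for a in envelope_senders(msg)],
    }


if __name__ == "__main__":
    print("spam sample   :", verp_hits(SAMPLE))
    print("legit sample  :", verp_hits(LEGIT))
    print("sendgrid VERP :", THREAD_RE.search(SENDGRID_SENDER) is not None)
```

The sendgrid result is the false-positive risk KAM raised in the follow-up: bulk-mail and list providers encode the recipient the same way, so the rule fires on them too, and a whitelist for the wanted senders is what keeps it usable.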



Re: SA not correctly classifying spam

2013-12-06 Thread Sergio Durigan Junior
On Thursday, November 28 2013, Kris Deugau wrote:

 I'm not quite sure I understand what you're trying to obscure, and
 chances are it's causing a lot of your trouble.  Disable this for a
 while and see what happens.

On Friday, November 29 2013, Karsten Bräckelmann wrote:

 On Thu, 2013-11-28 at 17:02 -0500, Kris Deugau wrote:
 Sergio Durigan Junior wrote:

  UNPARSABLE_RELAY was happening because I modify the headers of
  every message sent through my server in order to anonymize the
  sender's IP address;

 Do NOT do that.

I would like to thank you both.  I tweaked my exim and removed the
hack, and things are working like a charm now.  Apparently it had
something to do with the presence of my mangled header there; though it
was correctly formatted according to the RFC, SA would indeed not run
some tests...

Thanks a lot!

-- 
Sergio


Re: SA not correctly classifying spam

2013-11-28 Thread Sergio Durigan Junior
On Monday, November 11 2013, I wrote:

 Hi there,

Hi, again!

I am sorry to resurrect this thread, but after some time, investigation
and fixes, I would like to share what I did and ask for more opinions.

First, I have fixed the previous warnings that I was seeing on the
messages.  URIBL_BLOCKED was easily fixed by setting up my own named
(which, I confess, I should have done right after installing my server,
but I was unfortunately postponing it...).  UNPARSABLE_RELAY was
happening because I modify the headers of every message sent through my
server in order to anonymize the sender's IP address; however, SA has a
strict rule for checking the Received: header, and I needed to adapt
my modifications to that rule.  Anyway, now everything's OK.

Having said that, my SA is still missing lots of spams.  For example,
take a look at:

  http://sergiodj.net/~sergio/sa/spam.txt

This is a spam message I have just received.  SA did not recognize that
as spam, and put the message on the INBOX folder.  This has been
happening for all spam messages I receive.  I understand that a message
like the one mentioned above doesn't have many terms for SA to work, so
I assume it's OK for it to classify it as ham even when it isn't.  But
take a look at this other message, for example:

  http://sergiodj.net/~sergio/sa/spam2.txt

It's a classical spam, I think.  The score is even higher than the first
spam.  But it's still not catching it.

I've already looked at the tests performed by SA, but couldn't find
anything suspicious.  So I'd like to ask for opinions here...  Does
anybody see anything wrong/suspicious in those messages?

BTW, it's worth mentioning that my Bayes database still has too few spam
entries (17, as of now), so it's not being used for the tests, of
course.

Thanks a lot!

-- 
Sergio


Re: Enabling allow-tell?

2013-11-13 Thread Sergio Durigan Junior
On Wednesday, November 13 2013, Florian Lindner wrote:

 Hello,

Hey there,

 I'm a bit confused by the allow-tell option in spamd.

 My setup is so that all configuration is done by the system users, they use 
 spamc only for performance reasons. Users use their local bayes database and 
 should of course be able to update this database or use remote services like 
 pyzor. There is not site-wide database.

 Should I set --allow-tell for spamd? Currently I have --create-prefs --max-
 children 5 --helper-home-dir.

 Or do I get the spamd/spamc thing entirely wrong?

According to spamd's manpage:

   -l, --allow-tell
   Allow learning and forgetting (to a local Bayes database),
   reporting and revoking (to a remote database) by spamd. The
   client issues a TELL command to tell what type of
   message is being processed and whether local (learn/forget)
   or remote (report/revoke) databases should be updated.

This option is useful if you use spamc -L to feed spamd for learning.
However, from what you said above, I assume your users are directly
using sa-learn to do that.

Therefore, if your local users maintain local Bayes databases, then you
shouldn't need --allow-tell, unless you are going/planning to allow
the users to also run spamc -L to train their databases.

-- 
Sergio


Re: Enabling allow-tell?

2013-11-13 Thread Sergio Durigan Junior
On Wednesday, November 13 2013, Florian Lindner wrote:

 What is about autolearning, which is not done using sa-learn? Does this need 
 the --allow-tell switch?

autolearn is done by spamd internally, not needing any intervention by
external programs, therefore it also doesn't need --allow-tell.  This
flag is only useful if you're going to use spamc -L, AFAIK.

-- 
Sergio
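An added example, not from the thread, of what `spamc -L` actually sends to spamd and why the `--allow-tell` switch matters: learning through spamc is a TELL request on the spamd socket, and spamd only acts on it when started with `--allow-tell`. The request and reply formats follow the spamc/spamd protocol (TELL with `Message-class` and `Set` headers; a `SPAMD/1.1 0 EX_OK` reply carrying a `DidSet` header when the database was updated). The exact error text spamd returns when TELL is disabled is not shown on the page, so the code treats any non-zero status or missing `DidSet` as "not learned". Host, port and the sample message are assumptions for the example.

```python
import socket

SPAMC_VERSION = "1.5"


def build_tell_request(message: bytes, message_class: str,
                       set_dbs=("local",)) -> bytes:
    """Encode a spamc TELL request, the verb behind `spamc -L spam|ham`."""
    if message_class not in ("spam", "ham"):
        raise ValueError("Message-class must be 'spam' or 'ham'")
    headers = [
        f"TELL SPAMC/{SPAMC_VERSION}",
        f"Content-length: {len(message)}",
        f"Message-class: {message_class}",
        f"Set: {','.join(set_dbs)}",        # local = Bayes, remote = report
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + message


def parse_spamd_response(raw: bytes):
    """Split a spamd reply into (status code, status text, header dict)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    proto, code, *text = lines[0].split(" ", 2)
    if not proto.startswith("SPAMD/"):
        raise ValueError("not a spamd response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return int(code), " ".join(text), headers


def learned(response) -> bool:
    """True only when spamd reports that it updated a database."""
    code, _text, headers = response
    return code == 0 and "DidSet" in headers


def tell(message: bytes, message_class: str,
         host="127.0.0.1", port=783):
    """Send a TELL to a running spamd and return its parsed response.
    Assumed address: the spamd default of localhost:783."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_tell_request(message, message_class))
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_spamd_response(b"".join(chunks))


# Constructed sample message for a stand-alone run.
SAMPLE_SPAM = b"From: promo@example.test\r\nSubject: You won\r\n\r\nClaim now\r\n"

if __name__ == "__main__":
    try:
        resp = tell(SAMPLE_SPAM, "spam")
        print("spamd said:", resp, "learned:", learned(resp))
    except OSError as exc:
        print("no spamd reachable:", exc)
```

Without `--allow-tell`, `spamc -L` will report an error from spamd rather than a `DidSet` reply, and `sa-learn` run directly by each user (as in Florian's setup) never touches this path at all.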


SA not correctly classifying spam

2013-11-11 Thread Sergio Durigan Junior
Hi there,

As requested by Karsten here (I took the liberty to include him in the
Cc list):

   
https://mail-archives.apache.org/mod_mbox/spamassassin-users/201311.mbox/browser

I am starting this new thread in order to try to solve/identify what's
going on with my SA instance (*if* there's anything wrong, of course).

First of all, I am using:

- Debian 7.1 (stable)

- SpamAssassin version 3.3.2
running on Perl version 5.14.2

Here is an example of a misclassified spam message:

   http://sergiodj.net/~sergio/sa/spam.txt

(This spam message was sent to a mailing list, not directly to my
address, as can be seen.  I still don't have spams that were sent
directly to my e-mail address.).

And here's a ham:

   http://sergiodj.net/~sergio/sa/ham.txt

Here's the content of /etc/spamassassin/local.cf:

   http://sergiodj.net/~sergio/sa/local.cf.txt

(As I mentioned in another message, this is Debian's default file,
untouched.).

Here's what I see when I run sa-learn --dump magic:

   0.000          0          3          0  non-token data: bayes db version
   0.000          0          5          0  non-token data: nspam
   0.000          0         71          0  non-token data: nham
   0.000          0       6229          0  non-token data: ntokens
   0.000          0 1383057593          0  non-token data: oldest atime
   0.000          0 1384207955          0  non-token data: newest atime
   0.000          0 1384058847          0  non-token data: last journal sync atime
   0.000          0          0          0  non-token data: last expiry atime
   0.000          0          0          0  non-token data: last expire atime delta
   0.000          0          0          0  non-token data: last expire reduction count

AFAIU nspam is much smaller than nham because autolearn is enabled.

And here's how I run my spam solution on my server:

- I run spamd as root, using the following options:

 --create-prefs --max-children 5 --helper-home-dir
 --allow-tell -d --pidfile=/var/run/spamd.pid

- I run spamc directly from my .procmailrc:

 :0fw: spamassassin.lock
 * < 256000
 | spamc

 # All mail tagged as spam (eg. with a score higher than the set
 # threshold) is moved to Spam/.
 :0
 * ^X-Spam-Status: Yes
 Spam/

- I update SA rules (sa-update) daily via cronjob.

- I feed every spam message that I receive to sa-learn (however, now I
  am keeping the spam messages around in order to diagnose the problem).

I am wondering what could possibly be wrong in my configuration.  Maybe
I should tweak the SA's config files more, in order to get a proper
detection done.  Suggestions and comments are welcome, of course.

Thanks,

-- 
Sergio


Re: SA not correctly classifying spam

2013-11-11 Thread Sergio Durigan Junior
On Monday, November 11 2013, Karsten Bräckelmann wrote:

 On Mon, 2013-11-11 at 20:26 -0200, Sergio Durigan Junior wrote:
 Here is an example of a misclassified spam message:
http://sergiodj.net/~sergio/sa/spam.txt
 
 (This spam message was sent to a mailing list, not directly to my
 address, as can be seen.  I still don't have spams that were sent
 directly to my e-mail address.).

 None directly at all, or during the last 24 hours? Do you so far
 exclusively receive spam via mailing-lists?

Since we've exchanged the e-mails in the other thread, I haven't
received any direct spam.  However, I had some direct spams before, but
as I explained in the other thread, I deleted them after I fed sa-learn.

 That said, in order to scan list traffic properly, you need to extend
 your network to include the list server IP(s). As a result, SA will
 then not treat the handing-over (here list-server) SMTP as an untrusted
 relay, but the actual omitter of the spam sending it to the list server.
 This is important, because some header rules and most notably DNSBLs
 need that last external host info for proper operation.

 See the trusted_networks option, and
   http://wiki.apache.org/spamassassin/TrustPath

Hm, all right, I will definitely look into that.

Currently, in my .procmailrc, the first thing I do is scan for spam.
However, as you have noticed, this scanning also covers mailing lists
(and everything else).  I think I will tweak my .procmailrc to do the SA
scanning *after* I have filtered my mailing lists.

 The X-Spam-Status header shows another problem: URIBL_BLOCKED.

   ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See
   http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
   for more information.

Aha, this is indeed a problem that I hadn't noticed!  I now configured
my named to resolve things locally (with caching enabled), which solved
the URIBL_BLOCKED problem.  Thanks!

 UNPARSABLE_RELAY and SPF_FAIL are things to dig down, too. The above two
 issues though are by far more important.

Ok.  After a quick look, I found this about UNPARSABLE_RELAY:

   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572600

Which contains:

   After looking at the code the conclusion is:
   This will always be set for Postfix, because it generates a
   'Received:'-Line not starting with from:
   Received: by $HOST (Postfix) id $QUEUEID; $DATE
   Which spamassassin does not parse (on purpose), increases the
   num_unparsed counter and thus triggers the rule.  *sigh*

Hm, I run exim4 as my MTA, and after looking at my messages, I see that
they contain Received: lines that don't start with from: as well.  I
still have to look deeper, but I am guessing this is the problem.

As for SPF_FAIL, I will investigate it more later today.

 - I run spamc directly from my .procmailrc:

 # Mailing-list recipes belong here.

  :0fw: spamassassin.lock
  * < 256000
  | spamc

Indeed :-).

Thanks for the help so far.  If I receive another spam directed to my
e-mail, I will post an update here.

-- 
Sergio


Re: SA not correctly classifying spam

2013-11-11 Thread Sergio Durigan Junior
On Monday, November 11 2013, John Hardin wrote:

 On Mon, 11 Nov 2013, Sergio Durigan Junior wrote:

 Here is an example of a misclassified spam message:

   http://sergiodj.net/~sergio/sa/spam.txt

 There's not a lot there for SA to work with.

Indeed.  Sorry, that was the only spam I had...

 The biggest issue is URIBL_BLOCKED. Your URIBL queries are being
 blocked, likely because you're using an upstream DNS server whose
 volume exceeds their free query limits.

 I suggest you configure (if possible) a local caching recursive
 nameserver on your MTA, and use that instead of any upstream or ISP
 nameserver.

Nice catch, thank you and Karsten!  As I said to him, I've just
configured my own named with caching, and the error stopped happening.

Thanks!

-- 
Sergio


Re: SA not correctly classifying spam

2013-11-11 Thread Sergio Durigan Junior
On Monday, November 11 2013, John Hardin wrote:

 It's a very good idea to retain your training corpora. It makes it a
 lot easier to review if Bayes goes off the rails, and to wipe and
 retrain from scratch if problems occur.

That's a good reason for keeping them around.

 Currently, in my .procmailrc, the first thing I do is scan for spam.
 However, as you have noticed, this scanning also covers mailing lists
 (and everything else).  I think I will tweak my .procmailrc to do the SA
 scanning *after* I have filtered my mailing lists.

 That's not what Karsten was suggesting. If you get spam via that
 mailing list you should complain to the list admin that they need to
 do a better job of filtering their inbound.

It is *also* what Karsten suggested, actually.

  :0fw: spamassassin.lock
  * < 256000
  | spamc

 You might also want to up that size limit to about 512KB. Spams with
 attachments can get larger than that and still be detected.

I'm not receiving such large spams.  I will change the size when it
comes to it.

Thanks,

-- 
Sergio


Re: SA not correctly classifying spam

2013-11-11 Thread Sergio Durigan Junior
On Tuesday, November 12 2013, Benny Pedersen wrote:

 Karsten Bräckelmann skrev den 2013-11-12 03:20:

 [1] Also, just as shown in this thread, properly handling list posts is
 not trivial.

 maillist is good ham learning spams :)

Yeah, that's a good reason to keep scanning mailing lists.  Actually,
it's because of that that I have lots of hams learned :-).

-- 
Sergio


Re: Positive / Negative

2013-11-10 Thread Sergio Durigan Junior
On Sunday, November 10 2013, Karsten Bräckelmann wrote:

 On Sun, 2013-11-10 at 03:32 -0200, Sergio Durigan Junior wrote:
 On Sunday, November 10 2013, Karsten Bräckelmann wrote:

 For all messages that I received since I started using SA (about 20
 messages, of which 5 were false-negatives, and the rest were
 true-negatives), [...]

 Given you state below no spam has been identified yet, you're confusing
 terms.

 SA tests for spam. Thus a positive result is classified spam, and not
 spam is a negative test result. True means the result is correct,
 whereas false indicates a mis-classification by the test.

 False (mis-classified) negatives (rated not-spam) are spam, which SA
 failed to classify spam.

I don't think I am confusing terms.

false-negative: spam that got classified as ham
false-positive: ham that got classified as spam
true-negative: ham
true-positive: spam

Maybe my terms aren't the correct ones, and if that's the case, sorry
about it.

 If you prefer, refer to them as missed spam, or (in)correctly classified
 ham and spam.

OK, I will make use of those terms if it makes things clearer for you.

 I do receive spam.  About 1 or 2 per day.  But so far SA hasn't been
 able to catch any of them, and all spam I receive has been marked as ham
 so far.  The message headers are OK, there is nothing apparently wrong
 with SA, but it is just not catching most of my spam.  I assume this is
 normal behavior since I just started using SA a few days ago.

 No, that is not normal. In fact, since no spam has been identified at
 all yet, there is something really broken or mis-configured.

Indeed, no spam has been classified at all since I started running SA.

An interesting fact is that, before I started using SA, I had some spams
left in my INBOX.  Well, when I decided that it was time to use SA, I
manually fed those spams to spamc (for testing purposes), and SA
correctly identified almost all of them!  But now, as I said, SA is
failing to classify the spam I've been receiving.

 I suggest to start a new thread (no reply) about this. For starters,
 we'd need details about your environment and how you set up SA. Plus
 some X-Spam-Status headers of ham and (missed) spam.

OK, fair enough.  Unfortunately, I don't have any spam messages left.  I
used them all to feed sa-learn, and then deleted them.  But as soon as I
get another misclassified spam, I will start another thread on this
topic, with all the information requested (BTW, I am using a default
Debian SA configuration, and did not modify anything so far).

Thanks,

-- 
Sergio


Re: Positive / Negative

2013-11-10 Thread Sergio Durigan Junior
On Monday, November 11 2013, Karsten Bräckelmann wrote:

 'sa-learn --dump magic' still shows less than 200 nham / nspam, right?

Yes, it does.

 Until that issue is resolved, please keep the spam for potential further
 post-receiving tests.

Will certainly do.

 Not strictly SA configuration, but you probably want to change the
 following Debian defaults in /etc/default/spamassassin

   ENABLED=0
   CRON=0

 and enable the spamd daemon system-wide, as well as sa-update.

 If you didn't yet run sa-update, do so now. Restart spamd afterward.
 FWIW, this counts as modifying SA config, since it updates the stock
 rule-set.

Oh, I did that, yeah.  I meant to say that I did not touch any file
under /etc/spamassassin.  So my /etc/spamassassin/local.cf, for example,
is exactly what is shipped with Debian.

Thanks,

-- 
Sergio


Re: spamc -L apparently not working properly

2013-11-09 Thread Sergio Durigan Junior
On Saturday, November 09 2013, Karsten Bräckelmann wrote:

 Ham is good mail, messages you want (or actually subscribed to),
 messages sent to you with your consent. Spam is junk, unsolicited mail
 sent to you without your consent. Regardless of SA classification or
 score.

 False positives and negatives are messages mis-classified by SA.

On Saturday, November 09 2013, David B. Funk wrote:

 For Bayes to work it needs at least 200 examples of Ham (e-mail that
 you want) and 200 examples of Spam (e-mail that you don't want).
 It doesn't matter if the messages were correctly or not correctly
 classified by the rules-based SA engine, just what you consider
 Ham/Spam (IE correctly classified by -you-).
 In essence you are teaching the Bayes system how to recognize
 your preferences in e-mail classifying.

 So the messages you've kept in your INBOX should be good for Ham.

Nice, thanks both of you for the answers.

I am now feeding SA with ham from my INBOX, while I also feed it with
false-negatives (interestingly, I am receiving now *much* more spam than
I was a week ago...).

So, I now have yet another question.  I let auto_learn active for SA,
and now for every false-negative SA will learn that it is not spam,
although it is.  I'm now thinking that maybe auto_learn is not a good
idea, at least until I have a good enough Bayes database (strangely, SA
did not catch *any* spam in the last 48 hours...).  Can you confirm
this?

Thanks a lot, and sorry if I'm asking too much :-).

-- 
Sergio


Re: spamc -L apparently not working properly

2013-11-09 Thread Sergio Durigan Junior
On Sunday, November 10 2013, Karsten Bräckelmann wrote:

 On Sun, 2013-11-10 at 01:59 -0200, Sergio Durigan Junior wrote:
 Nice, thanks both of you for the answers.
 
 I am now feeding SA with ham from my INBOX, while I also feed it with
 false-negatives (interestingly, I am receiving now *much* more spam than
 I was a week ago...).

 Given what you stated about your spam volume before, entirely possible.
 However, you're not using catch-all, do you?

No, I'm not.

 So, I now have yet another question.  I let auto_learn active for SA,
 and now for every false-negative SA will learn that it is not spam,

 No. False negative (not classified spam, although it is) is NOT what
 triggers auto-learn ham.

All right, I misunderstood things then.  I assumed that because of
sa-learn --dump magic output:

  ...
   0.000          0         37          0  non-token data: nham
  ...

And this number increases every time I receive a message (whether it is
a false-negative or a true-negative).  Since I have too little spam to
train, it is hard to keep up with the number of ham received.

But I will read the docs and learn how this works.

 although it is.  I'm now thinking that maybe auto_learn is not a good
 idea, at least until I have a good enough Bayes database (strangely, SA
 did not catch *any* spam in the last 48 hours...).  Can you confirm
 this?
 
 Thanks a lot, and sorry if I'm asking too much :-).

 Just leave auto-learn enabled. And, yet again, do train both ham and
 spam (all, not only mis-classified messages) for initial training.

I am already doing that, thanks for the advice.

 Auto-learning in SA Bayes is much more than a pure feedback loop, as you
 described. A message just being classified ham (< 5.0) is NOT learned as
 ham. Neither are messages scored spam (>= 5.0) learned as spam.

 (1) The thresholds for auto-learning are 0.1 and 12.0 by default. Not
 the required_score threshold of 5.0 default.
 (2) Certain rules are not considered for auto-learning, to prevent self-
 feeding.
 (3) A minimum of header and body rules are required, to prevent biasing.

 See M::SA::Plugin::AutoLearnThreshold docs for more details.

 Part of the X-Spam-Status header way down the end tells you about SA
 auto-learning or not. Hardly surprising, that's
   autolearn=(ham|spam|no|unavailable)

Great, thanks a lot for the pointers and the explanation.

 In your case, I'd say just let SA do it's job. Monitor the results, and
 train both ham and spam, at the very least until BAYES_xx rules show up
 in X-Spam-Status headers.

 Keep training Bayes after that, to improve performance. Definitely do
 train on false positives and negatives.

 Wait, observe, and learn how to read X-Spam headers. :)

Nice, I will keep monitoring everything the way I'm doing.  And I will
definitely read more about the headers and SA in general.

Thanks a lot for the replies and the patience.  It's been very
educational :-).

-- 
Sergio
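An added example, not part of the thread, that puts Karsten's three points into a small decision function so the gap between "classified spam" and "auto-learned as spam" is visible on concrete inputs. It is a simplified re-implementation, not SpamAssassin's own code: the thresholds are the documented defaults of `bayes_auto_learn_threshold_nonspam` (0.1) and `bayes_auto_learn_threshold_spam` (12.0), the 3-point minimums for header and body rules are those the AutoLearnThreshold plugin documents for learning spam, and learning rules (Bayes, AWL) are simply excluded from the score. The rule hits below are constructed.

```python
from dataclasses import dataclass

# Documented AutoLearnThreshold defaults (assumed here; set in local.cf).
HAM_THRESHOLD = 0.1
SPAM_THRESHOLD = 12.0
MIN_HEADER_POINTS = 3.0
MIN_BODY_POINTS = 3.0
REQUIRED_SCORE = 5.0   # the ordinary spam/ham cut-off


@dataclass
class RuleHit:
    name: str
    score: float
    kind: str            # "header", "body" or "other" (uri, meta, ...)
    learning: bool = False   # Bayes/AWL-style results: excluded from autolearn


def total_score(hits) -> float:
    """Score as reported in X-Spam-Status: every rule counts."""
    return round(sum(h.score for h in hits), 1)


def autolearn_score(hits) -> float:
    """Score used for the auto-learn decision: learning rules left out so
    Bayes cannot feed itself."""
    return round(sum(h.score for h in hits if not h.learning), 1)


def classify(hits) -> str:
    return "spam" if total_score(hits) >= REQUIRED_SCORE else "ham"


def autolearn_decision(hits) -> str:
    """'ham', 'spam' or 'no', mirroring the autolearn= field."""
    score = autolearn_score(hits)
    if score < HAM_THRESHOLD:
        return "ham"
    if score > SPAM_THRESHOLD:
        header = sum(h.score for h in hits if h.kind == "header" and not h.learning)
        body = sum(h.score for h in hits if h.kind == "body" and not h.learning)
        if header >= MIN_HEADER_POINTS and body >= MIN_BODY_POINTS:
            return "spam"
        return "no"        # high score, but too one-sided to trust
    return "no"            # between the thresholds: classified, not learned


# Constructed rule hits (names and scores are illustrative only).
BORDERLINE = [RuleHit("HDR_A", 4.0, "header"), RuleHit("BODY_A", 2.5, "body")]
OBVIOUS = [RuleHit("HDR_A", 7.0, "header"), RuleHit("BODY_A", 6.0, "body"),
           RuleHit("URI_A", 2.0, "other")]
LOPSIDED = [RuleHit("HDR_A", 14.0, "header"), RuleHit("BODY_A", 1.0, "body")]
CLEAN = [RuleHit("HDR_NEG", -0.5, "header"), RuleHit("BODY_A", 0.2, "body")]
BAYES_ONLY = [RuleHit("BAYES_99", 3.5, "body", learning=True),
              RuleHit("BODY_A", 2.0, "body")]


def summary(hits):
    """(X-Spam-Status score, classification, autolearn field)."""
    return total_score(hits), classify(hits), autolearn_decision(hits)


if __name__ == "__main__":
    for name, hits in [("borderline", BORDERLINE), ("obvious", OBVIOUS),
                       ("lopsided", LOPSIDED), ("clean", CLEAN),
                       ("bayes-only", BAYES_ONLY)]:
        score, verdict, learn = summary(hits)
        print(f"{name:11} score={score:5}  {verdict:4}  autolearn={learn}")
```

The borderline and bayes-only cases are the ones that answer the earlier question: a false negative scoring 3.0 is neither learned as ham nor as spam, and a message pushed over 5.0 only by BAYES_99 is classified spam yet not fed back into Bayes.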


Re: spamc -L apparently not working properly

2013-11-09 Thread Sergio Durigan Junior
On Sunday, November 10 2013, Karsten Bräckelmann wrote:

 nham is the Number of HAM learned, in messages. Same for nspam. Keep
 training until both are at least 200 -- accuracy should improve
 dramatically after that.

I figured that out.

 Keep an eye on the X-Spam-Status header, autolearn bit.

 If that happens frequently for FNs, there's a problem somewhere. We'd
 need the X-Spam headers and preferably the full, raw message put up a
 pastebin for debugging. After some initial training.

For all messages that I received since I started using SA (about 20
messages, of which 5 were false-negatives, and the rest were
true-negatives), autolearn seems to be working OK, i.e., when messages
score below the threshold, autolearn works, and when messages score
above the threshold, I see autolearn=no.

 There's one thing worrying in your comment: whether false-negative or
 true-negative. You DO have spam also, right? I mean, classified spam is
 not just silently discarded without you ever seeing it? That would be
 really bad at this stage. Take it, verify it, learn it.

I do receive spam.  About 1 or 2 per day.  But so far SA hasn't been
able to catch any of them, and all spam I receive has been marked as ham
so far.  The message headers are OK, there is nothing apparently wrong
with SA, but it is just not catching most of my spam.  I assume this is
normal behavior since I just started using SA a few days ago.

For every spam message I receive, I analyze its headers, verify that
everything is OK with SA, and then feed it to sa-learn.

-- 
Sergio


spamc -L apparently not working properly

2013-11-08 Thread Sergio Durigan Junior
Hey there,

I am using Debian Wheezy here (therefore, Exim + Dovecot for e-mail),
and I am still deciding how to run SpamAssassin.  I am divided between
running it by directly calling spamassassin, or by running spamd and
calling spamc.  Both methods are going to be used via my .procmailrc.

Well, but so far I have been testing spamd + spamc because it is the
Debian recommended way.  I still haven't enabled it via .procmailrc, and
just did tests by calling spamc via CLI.  However, I am seeing a strange
behavior when I try to feed spamd with a false-negative message.  Here's
what I am doing:

  # spamc -c < spam.file
  0.0/5.0
  # spamc -L spam < spam.file
  (successful message saying that the spam was learned)
  # spamc -c < spam.file
  0.0/5.0

I have already updated my Bayesian database, restarted the spamd
service, etc.  I was expecting that I'd get a high rate after feeding
the spam to SpamAssassin, but that's not happening.  Any suggestions?

I am running spamd with the following options:

  --create-prefs --max-children 5 --helper-home-dir --allow-tell

And the version I am using is:

  SpamAssassin version 3.3.2
  running on Perl version 5.14.2

Comments and suggestions are appreciated.  Thanks!

-- 
Sergio


Re: spamc -L apparently not working properly

2013-11-08 Thread Sergio Durigan Junior
On Friday, November 08 2013, John Hardin wrote:

 Not directly addressing your other questions but: running spamassassin
 directly is only really suitable for *very* low-traffic environments,
 as that will parse and compile all of the rules and other config *per
 message*, which is a lot of overhead. spamc+spamd is strongly
 recommended for production use.

Thanks a lot for the input, John.  I guess I will end up using spamd and
spamc, after all.  I'll just wait for the answer to my question, and
then I'll set everything up here.

Regards,

-- 
Sergio


Re: spamc -L apparently not working properly

2013-11-08 Thread Sergio Durigan Junior
On Friday, November 08 2013, John Hardin wrote:

 On Fri, 8 Nov 2013, Sergio Durigan Junior wrote:

  # spamc -c < spam.file
  0.0/5.0
  # spamc -L spam < spam.file
  (successful message saying that the spam was learned)
  # spamc -c < spam.file
  0.0/5.0

 I have already updated my Bayesian database, restarted the spamd
 service, etc.  I was expecting that I'd get a high rate after feeding
 the spam to SpamAssassin, but that's not happening.  Any suggestions?

 Try using sa-learn to train Bayes.

I don't think sa-learn can help with spamd.  Its own manpage mentions
that, for spamd users, spamc -L is the way to go.

 The big thing to keep in mind is that the user running the training
 needs to be the same user that spamd is running as; if not, depending
 on your bayes database config, you may be training a different Bayes
 database than the one spamd is reading.

Hm, really?  I thought spamd kept a global Bayes database, and that
everyone calling spamc -L would end up feeding this database, and not
some local one.

-- 
Sergio


Re: spamc -L apparently not working properly

2013-11-08 Thread Sergio Durigan Junior
On Friday, November 08 2013, Amir Caspi wrote:

 On Fri, November 8, 2013 2:39 pm, Sergio Durigan Junior wrote:
 I don't think sa-learn can help with spamd.  Its own manpage mentions
 that, for spamd users, spamc -L is the way to go.

 Hm, really?  I thought spamd kept a global Bayes database, and that
 everyone calling spamc -L would end up feeding this database, and not
 some local one.

 It depends on how spamc is called.  If spamd is running as root and spamc
 is called with the -u flag, then spamd will su to the named user, and will
 then use that user's local database (and local prefs, if allow_user_prefs
 is enabled).  spamc -L -u would work on the local database; spamc -L
 (without -u) would work on the database applicable to the spamd user.

My spamd is currently running as root, but I am thinking about changing
it to run using Debian's pre-setup user (debian-spamd).  Unless you guys
have better recommendations.

 It all depends on whether you want your users to have individual databases
 tailored to their own spam/ham, or a global database.

The problem with having a user-tailored database is that I will have to
run sa-update for every user, right?  Currently, Debian provides the
aforementioned spamd user (debian-spamd) and runs sa-update on behalf of
it.  Therefore, I believe using a global database is probably better in
this case.  What's your opinion?

-- 
Sergio


Re: spamc -L apparently not working properly

2013-11-08 Thread Sergio Durigan Junior
On Friday, November 08 2013, John Hardin wrote:

 I don't think sa-learn can help with spamd.  Its own manpage mentions
 that, for spamd users, spamc -L is the way to go.

 Not true. sa-learn is just fine for spamd with a global Bayes
 database, and it's recommended for administrative simplicity if you
 have that environment.

Aha, interesting, thanks for explaining.

 Global vs. per-user Bayes databases is a site-specific
 config. However, it should be consistent - spamd should be reading
 from and training to the bayes database of the user running spamc, so
 I don't off the top of my head know why it doesn't appear to be working
 for you.

 What are the Bayes database statistics before and after running spamc -L?
 (sa-learn --dump magic)

 I use a global database and sa-learn, so I don't have any direct
 experience with spamc -L quirks, sorry. That's why I suggested
 sa-learn.

Nice, thank you.  I am more inclined to use a per-user database, and
call spamc -u myuser -L spam.  Let's see how that goes.

-- 
Sergio


Re: spamc -L apparently not working properly

2013-11-08 Thread Sergio Durigan Junior
On Friday, November 08 2013, Karsten Bräckelmann wrote:

 On Fri, 2013-11-08 at 16:09 -0200, Sergio Durigan Junior wrote:
   # spamc -c < spam.file
   0.0/5.0
   # spamc -L spam < spam.file
   (successful message saying that the spam was learned)
   # spamc -c < spam.file
   0.0/5.0

 You mentioned that's a fresh install, actually not even in production
 yet. The Bayes sub-system requires some training (minimum of 200 ham and
 spam each) by default, before Bayes rules kick in for scanning.

 Instead of -c check only, use the -R option to print the report. You'll
 notice there is no BAYES_xx rule (yet).

Thanks.  I had used -R before, without much success.  But yeah, I found
some discussions on this list about Bayes databases, and people saying
that at least 200 messages are needed before Bayes can start doing its
job.

BTW, one spam has just sneaked in right now.  On the one hand I'm sad
because of those false-negatives, but OTOH I'm happy because I'll be
able to train the database faster :-).

 I have already updated my Bayesian database, restarted the spamd

 I'm curious -- what does updating your Bayes db mean?

Oh, I only meant that I ran sa-learn or spamc -L.  Sorry if that is
a wrong nomenclature.

 service, etc.  I was expecting that I'd get a high rate after feeding
 the spam to SpamAssassin, but that's not happening.  Any suggestions?

 In addition to required initial training:

 The Bayesian classifier works on a per-token (think: word) basis. Thus,
 depending on the tokens in the message and existing ones in the db, the
 impact of learning can vary quite a lot -- from hardly noticeable to
 clear detection.

All right.  Since I don't have a good database yet (only 4 or 5 spams
learned), I won't worry about it for now.  Let's see when I have a
bigger DB...

Thanks a lot,

-- 
Sergio


Re: spamc -L apparently not working properly

2013-11-08 Thread Sergio Durigan Junior
On Friday, November 08 2013, Amir Caspi wrote:

 What's your opinion?

 I would run spamd as root and initiate spamc with the -u option, to allow
 each user to have his/her own Bayes DB.  However, again, it really depends
 on what kind of email system you're running, and how you want to handle
 spam.  If you're running a corporate server, you might prefer a global DB;
 if you're running a server with personal users whose email characteristics
 vary widely, you might prefer per-user DBs.  For my setup, I prefer
 per-user DBs.

Thanks for the opinion.  I was considering doing that, and your message
was the final word I needed.

Now everything is set up per-user, and I am feeding the Bayes DB with
what I have.

Thanks,

-- 
Sergio


Re: spamc -L apparently not working properly

2013-11-08 Thread Sergio Durigan Junior
On Saturday, November 09 2013, Karsten Bräckelmann wrote:

 You don't have any kind of archive of spam? If so, train on recent ones,
 feel free to exceed the minimum limit, but don't bother too much with
 old spam. It changes much faster over time than ham does.

 Also, at least until you have reached the minimum required training, do train
 with identified spam, too. Same with ham. For now, keep training in a
 ratio somewhere between 1:1 or spam to ham ratio.

[Note: By ham I assume you mean false-positives, and not just regular
e-mail.]

No, (un)fortunately I don't.  I've been running this server for 5 months
now, and only received about 10 spams so far.  I decided to start
running SA now because I've received 5 spams in the last 3 days, which
triggered my internal alarm.

 Do train. Spam, as well as ham. If you got some recent-ish archives.

Will do.  However, I don't have false-positives (ham) to train.  As I
said above, I only have about 10 spam messages, which I already used to
train Bayes.  Not sure if it is possible/would be good to search for
recent spam archives on the net.  I believe not...

-- 
Sergio


Rule to delete emails with empty subject.

2013-11-07 Thread Sergio
Hi all,
I tried this rule to stop emails with an empty subject, but it didn't work:

header   SUBJECT_EMPTY SUBJECT =~ /^$/i
describe SUBJECT_EMPTY EMPTY SUBJECT
score    SUBJECT_EMPTY 11

Any hint on what is wrong?

Best Regards to all,

Sergio
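The thread above leaves the question open, so here is the distinction a rule author needs to see. In SpamAssassin a header rule is only evaluated when the named header is present (unless the rule supplies an [if-unset:] default), so /^$/ matches a message whose Subject line exists but is empty, and never matches a message that has no Subject line at all; SpamAssassin's own idiom for the missing case is an `exists:Subject` header test negated in a meta rule. The Python below is an added illustration using the standard email parser, not SpamAssassin code and not from the thread; all four sample messages are constructed.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the original post).
NO_SUBJECT = "From: a@example.net\nTo: b@example.net\n\nbody\n"
EMPTY_SUBJECT = "From: a@example.net\nSubject:\nTo: b@example.net\n\nbody\n"
BLANK_SUBJECT = "From: a@example.net\nSubject:    \nTo: b@example.net\n\nbody\n"
REAL_SUBJECT = "From: a@example.net\nSubject: hello\nTo: b@example.net\n\nbody\n"


def subject_state(raw):
    """Classify the Subject header: 'missing', 'empty' or 'present'.

    The parser strips leading whitespace from a header value, so a
    whitespace-only Subject line also comes back as 'empty'.
    """
    msg = message_from_string(raw)
    if "Subject" not in msg:
        return "missing"
    if msg["Subject"] == "":
        return "empty"
    return "present"


def header_rule_hits(raw, pattern):
    """Mimic a header-only test: the regex is tried only when the header exists."""
    msg = message_from_string(raw)
    if "Subject" not in msg:
        return False          # absent header: nothing to match against
    return re.search(pattern, msg["Subject"]) is not None


def empty_subject_hits(raw):
    """The check the poster actually wants: absent OR empty Subject."""
    return subject_state(raw) in ("missing", "empty")


if __name__ == "__main__":
    for name, sample in [("no subject", NO_SUBJECT), ("empty", EMPTY_SUBJECT),
                         ("blank", BLANK_SUBJECT), ("real", REAL_SUBJECT)]:
        print("%-10s /^$/ hits: %-5s wanted: %s" % (
            name, header_rule_hits(sample, r"^$"), empty_subject_hits(sample)))
```

Running it shows the gap: the regex fires on the empty and blank Subject lines but not on the message with no Subject line, which is the one that usually slips past such a rule.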


Re: How to delete emails with FROM that is not in the server?

2012-08-16 Thread Sergio
Thank all for your inputs.

What happens is this:
My server is not an open relay, and it has SPF and DomainKeys, which are
working great. The problem is when a hacker has obtained the password of
an account: he can then send emails authenticating with the account that
has been compromised. When a hacker has access to an account (I am almost
sure that anyone on the list has seen this), he sends emails but the FROM
is changed to something that is not a domain on the server; that is what I
am looking to stop.

Maybe a rule that could check that the FROM is not the same as the
authenticated domain.

Could this be done?

Best Regards,

Sergio

On Wed, Aug 15, 2012 at 11:12 PM, David B Funk dbf...@engineering.uiowa.edu
 wrote:

 On Wed, 15 Aug 2012, Sergio wrote:

  Hello all,
 I am wondering if there could be a rule that checks, for email delivered
 from the server, that the FROM domain exists on the server. Is it
 possible?

 What I am looking for is to block any email that is sent from my server
 and is not using any of the domain accounts that belong to that server.

 Thank you in advance.

 Best Regards,

 Sergio Cabrera


 That sort of check is best done at the SMTP-server (MTA) level. How is SA
 to know who are the valid users on your system (including aliases,
 forwards, etc).

 Your SMTP server must know who your valid recipients are so it can reject
 unknown users and deliver the valid ones. So just apply the same kind of
 check to the From address (IE if domain === us, check to make sure user ==
 ours, else SMTP-REJECT). Details are MTA specific, but most have some kind
 of built in check for doing this sort of thing.

 The thing which SA can be used for is to hit forgery spam. IE if the
 'From' domain is ours, and the sending host isn't one we bless, hit it.
 (If you have valid SPF records this is trivially easy to do).

 --
 Dave Funk                              University of Iowa
 dbfunk (at) engineering.uiowa.edu      College of Engineering
 319/335-5751   FAX: 319/384-0549       1256 Seamans Center
 Sys_admin/Postmaster/cell_admin        Iowa City, IA 52242-1527
 #include <std_disclaimer.h>
 Better is not better, 'standard' is better. B{
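The check Dave describes (if the From domain is ours, the user must be ours; otherwise reject) is an MTA policy decision, but its logic is small enough to show on its own. The Python below is an added example, not the thread's code and not any MTA's built-in check: it assumes the SASL login name is a bare local part, a set of hosted domains, and an alias table, all of which are constructed values.

```python
from email.utils import parseaddr

# Constructed policy data (placeholders, not from the thread).
LOCAL_DOMAINS = {"example.net", "mail.example.net"}
# Which From local parts each authenticated login may use.
ALIASES = {"alice": {"alice", "postmaster"}}


def from_policy(auth_user, from_header, local_domains=LOCAL_DOMAINS, aliases=ALIASES):
    """Decide whether an authenticated submission may use this From header.

    Returns 'accept' or a string starting with 'reject:' explaining why.
    A compromised account that rewrites From to a foreign domain, or to
    another local user, is refused before the message leaves the server.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "reject: unparsable From"
    local_part, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain not in local_domains:
        return "reject: From domain %s is not hosted here" % domain
    allowed = aliases.get(auth_user, {auth_user})
    if local_part.lower() not in allowed:
        return "reject: %s may not send as %s" % (auth_user, addr)
    return "accept"


if __name__ == "__main__":
    cases = [
        ("alice", "Alice <alice@example.net>"),
        ("alice", "postmaster@example.net"),
        ("alice", "Bob <bob@example.net>"),
        ("alice", "alice@other.example"),
    ]
    for user, hdr in cases:
        print("%-8s %-30s -> %s" % (user, hdr, from_policy(user, hdr)))
```

This is the submission-side counterpart of the recipient validation every MTA already does; the forgery case Dave mentions (our domain in From, but sent from a host we do not bless) is the one SPF and an SA rule can still catch on inbound mail.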



Re: How to delete emails with FROM that is not in the server?

2012-08-16 Thread Sergio
Thank you, KAM.

I will take a look at those URLs, appreciated.

John, that is what I am looking to do and that is why I thought that SA
could have a rule for this. I will read the info that KAM sent.

Best Regards,

Sergio

On Thu, Aug 16, 2012 at 2:22 PM, John Hardin jhar...@impsec.org wrote:

 On Thu, 16 Aug 2012, Sergio wrote:

  My server is not Open Relayed and it has SPF and DOMAINKEYS in it and
 that is working great. The problem is when a hacker has obtained the
 password from an account, so, it can send emails authenticating with the
 account that has been compromised. When a hacker has access to an account
 (I am almost sure that any one on the list has seen this), he sends emails
 but the FROM is changed to something that is not a domain on the server,
 that is what I am looking to stop.


 That is indeed considered a subcase of open relay. There should be a list
 of domains that control whether mail is accepted by an MTA, such that
 ({domain in list} -> {any}) is accepted, and ({any} -> {domain in list}) is
 accepted, and anything else is rejected.


 --
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 -----------------------------------------------------------------------
  An operating system design that requires a system reboot in order to
  install a document viewing utility does not earn my respect.
 -----------------------------------------------------------------------
  8 days until the 1933rd anniversary of the destruction of Pompeii



How to delete emails with FROM that is not in the server?

2012-08-15 Thread Sergio
Hello all,
I am wondering if there could be a rule that checks, for email delivered
from the server, that the FROM domain exists on the server. Is it
possible?

What I am looking for is to block any email that is sent from my server
and is not using any of the domain accounts that belong to that server.

Thank you in advance.

Best Regards,

Sergio Cabrera


is there a rule that could count CC or BCC emails?

2012-03-26 Thread Sergio
Hi all,
I don't know if this has been answered before, and I hope you can have a
rule for this:

Is there a way to have a rule that could count how many @ are in an
email? I want to block customers that are sending 200 emails in a CC or
BCC; even better, a rule that could check that no more than 100 emails in a
CC or BCC, with attachments no larger than 5MB, could be blocked. Is it
possible?

Best Regards,

Sergio Cabrera


Re: is there a rule that could count CC or BCC emails?

2012-03-26 Thread Sergio
Thank you, Kevin.

I have Exim on my box; will the command be the same for Exim?

Best Regards,

Sergio

On Mon, Mar 26, 2012 at 10:27 AM, Kevin A. McGrail kmcgr...@pccc.comwrote:

 On 3/26/2012 12:22 PM, Sergio wrote:

 Is there a way to have a rule that could count how many @ are in an
 email? I want to block customers that are sending 200 emails in a CC or
 BCC; even better, a rule that could check that no more than 100 emails in a
 CC or BCC, with attachments no larger than 5MB, could be blocked. Is it
 possible?

 I think this could only be done at an MTA level implementation because
 BCCs aren't reflected in the email but split by the MTA into individual
 emails.

 For sendmail, define(`confMAX_RCPTS_PER_MESSAGE',`200')dnl would block
 emails with over 200 recipients, BCC, To or CC.

 regards,
 KAM
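Kevin's point is the one to keep: Bcc recipients are not in the message SpamAssassin sees, only in the envelope the MTA handles, so a recipient cap belongs in the MTA (the Exim equivalent of the sendmail macro above is the main-configuration option recipients_max). For the part that is visible in headers, counting "@" characters as the question proposes overcounts badly. The Python below is an added example, not the thread's or any MTA's code; it parses To and Cc with the standard library and contrasts that with a raw "@" count on a constructed message.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not from the thread). Note the "@" in the
# body and in From, which a naive count would treat as recipients.
SAMPLE = """\
From: sender@example.net
To: Alice <alice@example.net>, bob@example.net
Cc: Carol <carol@example.org>, bob@example.net
Subject: newsletter

Write to sales@example.net for details.
"""


def header_recipients(raw):
    """Unique recipient addresses visible in To/Cc/Bcc headers.

    Bcc is almost never present on a delivered message; it is listed here
    only so that a submission-time copy that still carries it is counted.
    """
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    pairs = getaddresses(fields)          # handles display names and quoting
    return sorted({addr.lower() for _name, addr in pairs if addr})


def naive_at_count(raw):
    """The 'count how many @' approach from the question, for comparison."""
    return raw.count("@")


def exceeds_limit(raw, limit):
    """True if more header recipients than `limit` are present."""
    return len(header_recipients(raw)) > limit


if __name__ == "__main__":
    print("recipients:", header_recipients(SAMPLE))
    print("naive '@' count:", naive_at_count(SAMPLE))
    print("over 2 recipients?", exceeds_limit(SAMPLE, 2))
```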



Re: Fwd: DNSWL will be disabled by default as of tomorrow

2011-12-14 Thread Sergio
Thank you Kam.

Regards,

Sergio

On Mon, Dec 12, 2011 at 7:37 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:

 On 12/12/2011 8:35 PM, Sergio wrote:

 (in case I don't want to wait until tomorrow)
 What is the best way to disable DNSWL manually?


 Add this to your local.cf and reload spamd (if you use that):

 score RCVD_IN_DNSWL_NONE 0
 score RCVD_IN_DNSWL_LOW 0
 score RCVD_IN_DNSWL_MED 0
 score RCVD_IN_DNSWL_HI 0

 regards,
 KAM




Fwd: DNSWL will be disabled by default as of tomorrow

2011-12-12 Thread Sergio
(Public apologies to Karsten, I wrote to him instead of the list, mmm... I
need to remember to write to the list and not just do a Reply.)

What is the best way to disable DNSWL manually?
(in case I don't want to wait until tomorrow)

Regards,

Sergio


error on SA learning.

2011-12-11 Thread Sergio
Hi all,
I ran a function on my server to learn some spam emails and it shows
the following message:

Running sa-learn for spam against [/home/spam/cur]

This may take some time depending on the number of emails and the speed of
SpamAssassin:

# /usr/bin/sa-learn --spam --showdots /home/secmasn/mail/secmas.net/soporte/.spam/cur
netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
...
Learned tokens from 7 message(s) (7 message(s) examined)

Are these errors? If so, what do they mean?
netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included

Thanks in advance.

Sergio


how to check the size of the subject?

2011-12-01 Thread Sergio
Hi all,
is there a way to check the size of a subject in a rule?

Thanks in advance.

Sergio


Re: how to check the size of the subject?

2011-12-01 Thread Sergio
Sorry, I always reply to the list; this time it flipped on me.

Thanks!
So this way I can check the length of the subject as a sub-rule and then
check the content; appreciated.

Regards,

Sergio

On Thu, Dec 1, 2011 at 4:33 PM, John Hardin jhar...@impsec.org wrote:

 On Thu, 1 Dec 2011, Sergio wrote:

  I want to check for specific subject size, thanks.


 Let's keep the discussion on-list so others may benefit.

 Larger than:

 header  __SUBJ_GT_100   Subject =~ /.{101}/

 Smaller than or equal to:

 header  __SUBJ_LE_100   Subject =~ /^.{0,100}$/


  Sergio

 On Thu, Dec 1, 2011 at 3:41 PM, John Hardin jhar...@impsec.org wrote:

  On Thu, 1 Dec 2011, Sergio wrote:

   is there a way to check the size of a subject on a rule?


 Do you want to know if it's larger than or smaller than some specific
 size, or do you want to know about how many characters are in it?


 --
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 -----------------------------------------------------------------------
  Any time law enforcement becomes a revenue center, the system
  becomes corrupt.
 -----------------------------------------------------------------------
  14 days until Bill of Rights day



Re: how to check the size of the subject?

2011-12-01 Thread Sergio
Working great! lol


On Thu, Dec 1, 2011 at 5:10 PM, Benny Pedersen m...@junc.org wrote:

 On Thu, 1 Dec 2011 16:59:33 -0600, Sergio wrote:

 Sorry, I always reply to the list, this time it flips on me.


 try reply now, just testing :-)



Re: How long can a rule be?

2011-11-30 Thread Sergio
Thank you Adam,
I have been working hard on learning a lot of things about antispam rules
and I appreciate all the input that the list is giving me.

I use MailScanner to check my emails and I have not yet found a way to
train Bayes; I will check on that.

In the meantime, I have learned not to check in ALL headers; I have
redefined my first rules and now I see a better approach to what I am
doing, but I still need a lot more input from experts :)

Regards,

Sergio

On Tue, Nov 29, 2011 at 2:21 PM, Adam Katz antis...@khopis.com wrote:

 Summary for the impatient:
 Do not write rules like this.
 Instead, train Bayes, make sure you're using DNSBLs.

 On 11/25/2011 09:49 AM, Sergio wrote:
  I wrote all the HELO spammers that SA didn't catch
 ...
  header   CHARLY_RULE1  ALL =~ /(...)/i
  describe CHARLY_RULE1  Charly Spammers
  score    CHARLY_RULE1  11

 Given the description in your email, that should probably be:

 header   CHARLY_RULE1  X-Spam-Relays-Untrusted =~ / helo=(?:...) /i
 describe CHARLY_RULE1  A custom list of uncaught relay HELOs
 score    CHARLY_RULE1  4

 You should be *very* careful about scoring any individual rule at or
 above the spam flagging threshold (default is 5, do not lower).  There
 is almost always a better (and safer!) solution.

  My concern is, is too much for just one rule or the rule can grow
  without limit?

 Let's just say you don't need to worry about that.  We have several 150+
 character rules on SA's trunk and I've seen rules with regexp lengths in
 the thousands (not that that's necessarily a good thing, but it does
 work, albeit slowly).


 Still, this seems like a really bad idea; one hammy HELO in there and
 the whole thing starts hurting.  I think you'll be *far* better served
 by training bayes.

 You should also double check to ensure your DNS lookups are properly
 configured and plugins like Razor are turned on.  We don't have the best
 of resources to walk you through this, but you can start with
 http://wiki.apache.org/spamassassin/DnsBlocklists#Questions_And_Answers




What is the best RBL list?

2011-11-28 Thread Sergio
Hi,
in your opinion, what would be the best RBL anti-spam list that should not
be left out of a server, paid or free?

My server is a small server with a few accounts, but it seems that my RBLs
are not the best ones, and I would like to have your input on which ones I
should rely on.

Best Regards,

Sergio


Re: Porn rules to share?

2011-11-27 Thread Sergio
Thank you all for your input; as you can see, I am creating my own rules, as
SA needs help stopping spam.

I want to thank KAM for sharing his rules; I have learned a lot looking at
them, and thanks to that I have modified the rules I had to make them
easier to work with. The arithmetic on the rules with the + operand is
working really nicely: I have joined a lot of rules and made them active
with >= 1, so if any of the rules in the group applies then the rule is
triggered.

With the porn rule that I have, it is working but it still lets spam of
this type pass. The score line that I wrote in the email had a typo that is
not in my working rule, and my major concern is the garbled words like:

S:C H #O+O L G l, R%L P *0 *R N*
T\E /ENS} P)0_R \N
S:C H #O+O L G l, R%L P *0 *R N*
G ,RA _N N}Y } P %0 ~R |N \
P,0_ R .N PI ~C}T+U-R(E%S.
TR %A *N #S S. E. X{UA`L P0/R N_

What would be the best way to catch any type of garbled word?

Sergio

On Sun, Nov 27, 2011 at 7:53 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:

 On 11/27/2011 8:26 AM, Martin Gregorie wrote:


 Change the meta to this:

 meta   PORN_RULES (__PORN_RULE01 || __PORN_RULE02)

 A quick glance at the SA rules for name prefixes would have told you
 that rules with names that start with a double underscore have a zero
 score, so your meta will never work: these rules are designed to be
 combined by using logical operators.


  Martin,

 That's not true from my knowledge or experience.  The meta mathematical
 operators are binary.  (The value of the sub rule in an arithmetic meta
 rule is the true/false (1/0) value for whether or not the rule hit.  from
 http://wiki.apache.org/spamassassin/WritingRules)

 i.e.
 True = 1
 False = 0

 However, your test would have worked as it simplifies the math with an OR
 condition.

 Though, his meta of __PORN_RULE01 + __PORN_RULE02 >= 1 will work.

 Though I wish sometimes you could do what you've described.  I've done
 some crazy work to try and give meta rules extra weighting. But I think
 doing so would give the mass check algorithm more permutations than it
 could ever handle.

 For example, here's how I weighted two options to have the weight of just
 one in detecting a refinance spam:

 meta    KAM_REFI    (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 +
 __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8
 >= 4)

 Regards,
 KAM



Re: Porn rules to share?

2011-11-27 Thread Sergio
On Sun, Nov 27, 2011 at 9:40 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:

 On 11/27/2011 10:24 AM, Sergio wrote:


 I want to thank KAM for sharing his rules; I have learned a lot looking at
 them, and thanks to that I have modified the rules I had to make them
 easier to work with. The arithmetic on the rules with the + operand is
 working really nicely: I have joined a lot of rules and made them active
 with >= 1, so if any of the rules in the group applies then the rule is
 triggered.

 You are welcome.  As you can see, my focus with content-based rules is to
 try and use meta rules almost exclusively to minimize FPs.


  With the porn rule that I have, it is working but it still lets spam of
 this type pass. The score line that I wrote in the email had a typo that is
 not in my working rule, and my major concern is the garbled words like:

 S:C H #O+O L G l, R%L P *0 *R N*
 T\E /ENS} P)0_R \N
 S:C H #O+O L G l, R%L P *0 *R N*
 G ,RA _N N}Y } P %0 ~R |N \
 P,0_ R .N PI ~C}T+U-R(E%S.
 TR %A *N #S S. E. X{UA`L P0/R N_

 What would be the best way to catch any type of garbled word?

 Those could be hard because you can get some false positives pretty quickly.

 If this is JUST on the subject header, it might be ok to look at a rule
 like:

 P.{0,2}[0o].{0,2}R.{0,2},N.*{0,2}

 That looks like it might hit on all the variants above but I wouldn't
 score it too high.

 The odd part is that I'm not really seeing these spams slipping through so
 I have very little corpora to compare.  I usually hammer the sexually
 explicit spams pretty hard.

 I wonder if you need to invest more time in setting up some RBL tests?
  Are you using any RBLs right now?

 Regards,
 KAM

Yes, I use the usual RBLs including NEWSPAMHAUS; I have 4 RBLs in my
firewall. Also, I have collected 400 IPs that are blocked in my firewall.

I will give your definition a try and check how it works, thanks.

Sergio


Re: Where to get rules created by users?

2011-11-25 Thread Sergio
Thank you Kevin!

@ RW,
you are right, I use MailScanner and all my rules are created under the
MCP; it works really great and all the rules that I create are there, so I
don't mess with SpamAssassin rules.

Best Regards,

Sergio


 On Fri, Nov 25, 2011 at 8:08 AM, RW rwmailli...@googlemail.com wrote:

 On Fri, 25 Nov 2011 08:57:45 -0500
 Kevin A. McGrail wrote:

  On 11/23/2011 2:17 PM, Sergio wrote:
   is there a place where I could have MCP rules for my server?
  MCP = Message Content? As opposed to pathway analysis, etc.?
  


 MCP appears to be a MailScanner term

 http://www.mailscanner.info/mcp.html





How long a rule can be?

2011-11-25 Thread Sergio
I have the following rule where I wrote all the HELO spammers that SA
didn't catch; I insert the new HELO every time I find one. My concern
is: is this too much for just one rule, or can the rule grow without limit?

header   CHARLY_RULE1  ALL =~
/(actaddonuniverse\.net|albeitnetworks\.com|allotic\.info|andersonbolt\.info|atefchoca\.info|backtobackfunding\.com|baskan\.info|betabel\.info|black-and-whiteticket\.info|bodygid\.info|brevardphysicians\.net|cheetloope\.info|circuitfivenine\.com|claimatic\.info|cmasyria\.com|complementhold\.com|CORE5PUMPER2|dauksstold\.info|dtsetfieri\.info|eshisha\.org|evegashotels\.com|felisranty\.info|finkleandthecleanshorts\.com|fisterfarms\.info|furium\.info|furizer\.info|gardenhowevercity\.net|grownvegetables\.com|hookerdaybyday\.info|hostalmiraflores\.com|hotrodbailbondsks\.com|juddy\.org|laughsidecant\.net|layeredvpnzervices\.com|lyonlandscapema\.com|maritimecranesimulator\.com|miiiley\.com|mixcomstar\.net|monitorstarway\.com|naturopathyport\.info|netcontrolusa\.com|pataboden\.info|peoriachat\.com|powerfulrun\.com|print2floors\.com|relacionesy\.com|slowlybuymorning\.info|stonyroadalbum\.com|straighttin\.info|sumejorweb\.com|surelycomplainsecretary\.info|teuksull\.info|theharborccc\.org|themiamibeachheat\.com|thoroughlydevelopment\.info|tivolicn\.com|whaukferth\.com|barrchickenjoint\.info)/i
describe CHARLY_RULE1  Charly Spammers
score    CHARLY_RULE1  11

Regards,

Sergio


Re: [Fwd: Re: How long a rule can be?]

2011-11-25 Thread Sergio
Thank you Martin,
I will give your portmanteau a try; thanks for sharing it.

Regards,

Sergio

On Fri, Nov 25, 2011 at 12:13 PM, Martin Gregorie mar...@gregorie.org wrote:

 On Fri, 2011-11-25 at 11:49 -0600, Sergio wrote:
  I have the following rule where I wrote all the HELO spammers that SA
  didn't catch; I insert the new HELO every time I find one. My
  concern is: is this too much for just one rule, or can the rule grow
  without limit?
 
 When I asked this question a while back I was told that several MB
 should be OK. Currently my largest rule has 371 alternatives. It and a
 few friends are passed to SA as a 24 kb .cf file.

 If you're finding your rule is starting to get difficult to maintain,
 take a look at my rule assembly tool, which is designed to allow such
 rules to be defined in an easily edited file for each rule that are used
 to create a single .cf file. See:
 http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz

 I was thinking of using a server plus plugin to do this but was
 convinced that this 'portmanteau rule' approach was better: it certainly
 works well for me.


 Martin



  header   CHARLY_RULE1  ALL =~
 
 /(actaddonuniverse\.net|albeitnetworks\.com|allotic\.info|andersonbolt\.info|atefchoca\.info|backtobackfunding\.com|baskan\.info|betabel\.info|black-and-whiteticket\.info|bodygid\.info|brevardphysicians\.net|cheetloope\.info|circuitfivenine\.com|claimatic\.info|cmasyria\.com|complementhold\.com|CORE5PUMPER2|dauksstold\.info|dtsetfieri\.info|eshisha\.org|evegashotels\.com|felisranty\.info|finkleandthecleanshorts\.com|fisterfarms\.info|furium\.info|furizer\.info|gardenhowevercity\.net|grownvegetables\.com|hookerdaybyday\.info|hostalmiraflores\.com|hotrodbailbondsks\.com|juddy\.org|laughsidecant\.net|layeredvpnzervices\.com|lyonlandscapema\.com|maritimecranesimulator\.com|miiiley\.com|mixcomstar\.net|monitorstarway\.com|naturopathyport\.info|netcontrolusa\.com|pataboden\.info|peoriachat\.com|powerfulrun\.com|print2floors\.com|relacionesy\.com|slowlybuymorning\.info|stonyroadalbum\.com|straighttin\.info|sumejorweb\.com|surelycomplainsecretary\.info|teuksull\.info|theharborccc\.org|themiamibeachheat\.com|thoroughlydevelopment\.info|tivolicn\.com|whaukferth\.com|barrchickenjoint\.info)/i
  describe CHARLY_RULE1  Charly Spammers
  score    CHARLY_RULE1  11
 
  Regards,
 
  Sergio






Re: [Fwd: Re: How long a rule can be?]

2011-11-25 Thread Sergio
@Axb,
 just curious.. what are you trying to achieve by running these domains
 through ALL headers?
 catch senders?  received headers?
There are headers that come with the following:

Received: from [66.85.187.123] (helo=vpn123.layeredvpnzervices.com)
 by izabal.espacioydominio.com with esmtp (Exim 4.69)
 (envelope-from accountingeducation.yjuee@nwwrej.afraidageshare.net)
 id 1RTzVK-Jp-IR
 for chard...@secmas.net; Fri, 25 Nov 2011 11:24:02 -0600
From: accounting education 
accountingeducation.yj...@nwwrej.afraidageshare.net

Received: from [66.85.158.200] (helo=search200.complementhold.com)
 by izabal.espacioydominio.com with esmtp (Exim 4.69)
 (envelope-from nursingschool.ncqq...@aifnqk.laughsidecant.net)
 id 1RTzPA-0007TD-CR
 for chard...@secmas.net; Fri, 25 Nov 2011 11:17:40 -0600
From: nursing school nursingschool.ncqq...@aifnqk.laughsidecant.net

Just to mention two examples. Well, the point is that in a lot of spam
emails the HELO is the same for a lot of different email addresses, so I
am trying to block that.

Is there a better way than checking all the headers?

@ Christian Grunfeld

 a blacklist lookup table can achieve the same, can't it?

Can you share how to create this lookup table in a rule?

Thanks a lot for your inputs.

Sergio


Re: [Fwd: Re: How long a rule can be?]

2011-11-25 Thread Sergio
@ Axb,

look at it this way.. the less a rule has to do, the faster it is and the less
prone to error/FPs.

If you check ALL headers, SA will go through long DKIM headers for a pattern
which will not show up in a DKIM header; it will look in X headers, From,
To, etc., etc.. a big waste of time and CPU cycles when all you want to check
is Received:

try with:

header BLAH Received =~ /\blayeredvpnzervices\.com\b/

I have changed all my ALL for Received, thank you for pointing this out.

Regards,

Sergio


Re: In subject how to detect a word in an EVAL string?

2011-11-22 Thread Sergio
Thank you Benny,
I will use this command next time.

Sergio


By the way, your links are very accurate; those are the spammers that sent
the email. With my new rule they are

On Tue, Nov 22, 2011 at 3:42 AM, Benny Pedersen m...@junc.org wrote:

 On Mon, 21 Nov 2011 22:32:42 +0100, Karsten Bräckelmann wrote:


 =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=


 Not eval, but encoded -- in this case even necessary, rather than an
 attempt at obfuscation, because it contains non ASCII letters.


 yep, it's a base64 encoded string between the last two ?

 ?B? is the sign in a MIME header for base64

 ?Q? quoted-printable

 but use ripmime :-)

 and create rules from the output



Fwd: Help with constructing a rule for MCP

2011-11-21 Thread Sergio
Unfortunately, it seems that MCP doesn't like the rule:

header   __ENV_FROM_DHL    Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
header   __FROM_DHL        From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
header   __ENV_FROM_UPS    Received =~ /envelope-from [^ @]+@ups\.com/i

header   __FROM_UPS        From =~ /\bups\.com/i
meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
describe DHL_UPS_MISMATCH  virus DHL-USA or UPS
score    DHL_UPS_MISMATCH  11

When I wrote this to the MCP rules file, none of my other rules work.

Regards,

Sergio




On Mon, Nov 21, 2011 at 10:55 AM, Bowie Bailey bowie_bai...@buc.com wrote:

 On 11/21/2011 11:35 AM, John Hardin wrote:
  On Mon, 21 Nov 2011, Bowie Bailey wrote:
 
  On 11/20/2011 10:02 PM, Sergio wrote:
  header   __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
  header   __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i
  These will match any domain that starts with dh and ends with .com.
  You overlooked the l.

 Hmm...  Guess I did...

 
  For example, they will match someu...@dhalailama.com.  Is this
  expected?
  It won't.
 
  If you just want to match a single character, then get rid of
  the +.
  It's to match -usa or other dhl domain name variants. The line wrap in
  email makes that look like a single character RE. The actual RE I
  suggested is:
 
 /envelope-from [^ @]+@dhl[^ .]+\.com/i

 The line wrap wasn't an issue.  I just didn't see the l.  And with
 this font, I think I see why I didn't see it the first time.  It blends
 in with the square bracket.

  It also won't match dhl.com. My bad. As I said, it was off the top of
 my
  head.
 
  These might be better:
 
 /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
 
 /\bdhl(?:[-_][^ .]+)?\.com/i

 Do the @ characters need to be escaped?  In a normal Perl RE they
 would, but I'm not sure if SA is treating them any differently since it
 is reading them in from a config file.

 --
 Bowie



Re: Fwd: Help with constructing a rule for MCP

2011-11-21 Thread Sergio
That was the error, the @ has to be escaped \@, now it is working.

Thank you all for your help on this rule.

Regards,

Sergio



On Mon, Nov 21, 2011 at 1:16 PM, Bowie Bailey bowie_bai...@buc.com wrote:

 On 11/21/2011 1:30 PM, Sergio wrote:
  Unfortunately, it seems that MCP doesn't like the rule:
 
  header   __ENV_FROM_DHL    Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
  header   __FROM_DHL        From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
  header   __ENV_FROM_UPS    Received =~ /envelope-from [^ @]+@ups\.com/i
 
  header   __FROM_UPS        From =~ /\bups\.com/i
  meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
  describe DHL_UPS_MISMATCH  virus DHL-USA or UPS
  score    DHL_UPS_MISMATCH  11
 
  When I wrote this to the MPC rules file, none of my other rules work.

 I'm not sure if escaping the @ symbols is required or not, but try this:

 header   __ENV_FROM_DHL    Received =~ /envelope-from [^ \@]+\@dhl(?:[-_][^ .]+)?\.com/i
 header   __ENV_FROM_UPS    Received =~ /envelope-from [^ \@]+\@ups\.com/i

 --
 Bowie
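An added example, not code from the thread, that re-implements the final DHL/UPS mismatch rules in Python so they can be exercised offline: the four header sub-rules and the meta rule run over a constructed header block modelled on the sample Sergio posted (hosts and addresses are placeholders), and John's first-draft pattern is kept beside the revised one to show why a plain dhl.com sender slipped past it. Python does not need the `\@` escaping that SpamAssassin's rule compiler requires.

```python
import re

# Patterns from the final rule set in this thread. SpamAssassin compiles rules
# into Perl, which is why the .cf file needs "\@" where these Python patterns
# can use a bare "@".
ENV_FROM_DHL = re.compile(r"envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com", re.I)
FROM_DHL = re.compile(r"\bdhl(?:[-_][^ .]+)?\.com", re.I)
ENV_FROM_UPS = re.compile(r"envelope-from [^ @]+@ups\.com", re.I)
FROM_UPS = re.compile(r"\bups\.com", re.I)

# John's first draft, kept to show why it was revised: it needs at least one
# character between "dhl" and ".com", so it misses a plain dhl.com sender.
ENV_FROM_DHL_V1 = re.compile(r"envelope-from [^ @]+@dhl[^ .]+\.com", re.I)


def parse_headers(raw):
    """Unfold RFC 5322 continuation lines and return (lowercased name, value) pairs."""
    unfolded = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line.rstrip())
    pairs = []
    for line in unfolded:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_rule(pairs, name, pattern):
    """Mimic 'header __X Name =~ /pattern/': hit if any header of that name matches."""
    return any(pattern.search(value) for n, value in pairs if n == name.lower())


def dhl_ups_mismatch(raw):
    """Mimic the meta rule DHL_UPS_MISMATCH over a raw header block."""
    pairs = parse_headers(raw)
    env_dhl = header_rule(pairs, "Received", ENV_FROM_DHL)
    from_dhl = header_rule(pairs, "From", FROM_DHL)
    env_ups = header_rule(pairs, "Received", ENV_FROM_UPS)
    from_ups = header_rule(pairs, "From", FROM_UPS)
    return (env_dhl and from_ups) or (env_ups and from_dhl)


# Constructed header block modelled on the sample in this thread: the envelope
# sender claims dhl-usa.com while the From: header claims ups.com. Hosts and
# addresses are placeholders, not the page's values.
MISMATCH_HEADERS = """\
Received: from [192.0.2.10] (helo=example.invalid)
\tby mx.example.org with smtp (Exim 4.69)
\t(envelope-from sender@dhl-usa.com)
\tid 1AAAAA-000000-AA
\tfor user@example.org; Tue, 15 Nov 2011 12:08:15 -0600
From: UPS Support <auto-notify@ups.com>
Subject: UPS Delivery Notification
"""

# Constructed legitimate-looking block: envelope and From: agree on dhl.com.
CONSISTENT_HEADERS = """\
Received: from [192.0.2.11] (helo=mail.example.invalid)
\tby mx.example.org with esmtp (Exim 4.69)
\t(envelope-from notify@dhl.com)
\tfor user@example.org; Tue, 15 Nov 2011 12:09:00 -0600
From: DHL Express <noreply@dhl.com>
"""

if __name__ == "__main__":
    print("mismatch sample   ->", dhl_ups_mismatch(MISMATCH_HEADERS))    # True
    print("consistent sample ->", dhl_ups_mismatch(CONSISTENT_HEADERS))  # False
```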



Re: In subject how to detect a word in an EVAL string?

2011-11-21 Thread Sergio
Thank you Karsten for your input.

I have modified the rule to the following and is working great:

header   ADVERTISE_RULE8  Subject =~ /publ.?.c.?.dad/i
describe ADVERTISE_RULE8  Encripted word
score    ADVERTISE_RULE8  11

If I see there are a lot of false positives I will modify it a bit, but for
now it is what I was looking for.

Regards,

Sergio

2011/11/21 Karsten Bräckelmann guent...@rudersport.de

 On Mon, 2011-11-21 at 14:46 -0600, Sergio wrote:
  I block a lot of spam searching for strings on the subject, but
  sometimes the subject in the header comes in EVAL, like this:
  Subject:
  =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=

 Not eval, but encoded -- in this case even necessary, rather than an
 attempt at obfuscation, because it contains non ASCII letters.

 Anyway, SA *does* decode the header value by default, unless you use
 the :raw qualifier.


  So, rules like this don't work:
  header   ADVERTISE_RULE8  Subject =~ /Publici dad/i

 It doesn't work, because one of these chars is not an 'i'. The Subject
 decodes to:
  .Venta de CANASTAS NAVIDE_AS - publ_ci dad

 This is actually directly extracted from SA debugging, and thus decoded
 by SA. Note the underscores, which I used in place of the two non-ASCII
 chars.

 Your rule does not match, because the first 'i' is not. Using the /./
 any char instead of it works.


  score    ADVERTISE_RULE8  11

 That's a rather high score. And your RE sure could use some /\b/ word
 boundaries at the beginning and end of the match.


 --
 char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
 main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
 (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
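An added example, not part of the thread, that does in Python what Karsten describes SA doing: decode the RFC 2047 Subject quoted above (the two non-ASCII letters come out as Ñ and ¡) and match the three rule patterns from the thread against it, and also against the raw encoded value, which is what the `:raw` qualifier exposes to a rule. The charset-tag pattern is constructed for this example.

```python
import re
from email.header import decode_header, make_header

# The encoded Subject quoted in this thread (taken from the page as-is).
RAW_SUBJECT = "=?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?="

# The three Subject patterns discussed: Sergio's first attempt, his wildcarded
# rewrite, and the rewrite with the \b word boundaries Karsten recommends.
ORIGINAL = re.compile(r"Publici dad", re.I)
WILDCARDED = re.compile(r"publ.?.c.?.dad", re.I)
BOUNDED = re.compile(r"\bpubl.?.c.?.dad\b", re.I)

# A charset-tag check that only makes sense on the undecoded header value,
# i.e. what 'Subject:raw' exposes to a rule (pattern constructed for this example).
CHARSET_TAG = re.compile(r"=\?(iso-8859-1|koi8-r|windows-1251)\?", re.I)


def decode_subject(raw):
    """Decode an RFC 2047 encoded-word header value the way SA does before a
    non-:raw header rule sees it. Returns a Python str."""
    return str(make_header(decode_header(raw)))


def subject_matches(raw, pattern, use_raw=False):
    """Mimic 'header RULE Subject =~ /pattern/' (decoded value) versus
    'header RULE Subject:raw =~ /pattern/' (encoded value as received)."""
    value = raw if use_raw else decode_subject(raw)
    return pattern.search(value) is not None


if __name__ == "__main__":
    print(repr(decode_subject(RAW_SUBJECT)))  # '.Venta de CANASTAS NAVIDEÑAS - publ¡ci dad'
    for name, pat in (("original", ORIGINAL), ("wildcarded", WILDCARDED), ("bounded", BOUNDED)):
        print(f"{name:10s} decoded={subject_matches(RAW_SUBJECT, pat)} "
              f"raw={subject_matches(RAW_SUBJECT, pat, use_raw=True)}")
    print("charset tag on raw:", subject_matches(RAW_SUBJECT, CHARSET_TAG, use_raw=True))
```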




Re: In subject how to detect a word in an EVAL string?

2011-11-21 Thread Sergio
Spammers are using a lot of different ways of writing the word publicidad.
I had a few different rules to block them, but now I saw that there was a
character ¡ used as an i and at the same time an i followed by a space.

So, I used the .?. and it catches the i and the space, and just in case the
spammer tries to use publi ci dad it will be caught as well. In my RegEx
editor it passes the test.

About the word publicidad: on my server not many people use that word and
that is why I can block it.

Sergio

2011/11/21 Karsten Bräckelmann guent...@rudersport.de

 On Mon, 2011-11-21 at 17:49 -0600, Sergio wrote:
  Thank you Karsten for your input.
 
  I have modified the rule to the following and is working great:
 
  header   ADVERTISE_RULE8  Subject =~ /publ.?.c.?.dad/i

 I see you wildcarded both instances of 'i', with an additional, optional
 second char each. However, you also dropped the space in publici dad
 as per your original rule -- intended?

 Doesn't publicidad have a more general meaning, too?

  If I see there are a lot of false positives I will modify it a bit,
  but for now it is what I was looking for.

 Again, I strongly recommend to lower the score. And, of course, to add a
 \b word boundary at the beginning and end of the pattern.






Re: Help with constructing a rule for MCP

2011-11-20 Thread Sergio
Thank you John,
it was a typo in my email; on my server I wrote the score name the same as
the meta name. The rule on my server is:

header   __ENV_FROM_DHL    Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header   __FROM_DHL        From =~ /\bdhl[^ .]+\.com/i
header   __ENV_FROM_UPS    Received =~ /envelope-from [^ @]+@ups\.com/i
header   __FROM_UPS        From =~ /\bups\.com/i
meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
describe DHL_UPS_MISMATCH  Correo con virus DHL-USA o UPS
score    DHL_UPS_MISMATCH  11

Regards,

Sergio


On Sun, Nov 20, 2011 at 11:33 AM, John Hardin jhar...@impsec.org wrote:

 On Sat, 19 Nov 2011, Sergio wrote:

  meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
  score    VIRUS_DHLTOTAL    11


 Fix the name on the score.


 --
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 -----------------------------------------------------------------------
  North Korea: the only country in the world where people would risk
  execution to flee to communist China.  -- Ride Fast
 -----------------------------------------------------------------------
  347 days since the first successful private orbital launch (SpaceX)



Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
 Hi all,
 I am new to the list and want to thank you in advance if you help me with this.

 I am creating the following rule:

 header   VIRUS_DHL1      FROM =~ /dhl-usa.com/i
 header   VIRUS_DHL2      ALL =~ /text inside the email to check for/i
 meta     VIRUS_DHLTOTAL  (VIRUS_DHL1 && VIRUS_DHL2)
 describe VIRUS_DHLTOTAL  DHL-USA Virus
 score    VIRUS_DHLTOTAL  11

 But the rule is not working fine. Any idea what the error is with this
 rule?

 By the way, if you wonder whether my antivirus has stopped this: yes, it has
 stopped all the emails that come with the exe file attached to the email,
 but there were a lot of them that didn't come with the EXE file, and that
 is why I am creating this rule.

 Best Regards,

 Sergio Cabrera



Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
RW,
Now I understand why it gave 1 point when I declared 11 on the score, lol.

I was trying to follow the spamassassin tutorial and saw the example; it
shows the two underscores but never said that they are kind of mandatory.
Thanks a lot for pointing this out.

John Hardin,
this is one header of the emails that I received:

***
Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
 by MY-SERVER with smtp (Exim 4.69)
 (envelope-from plaintiveo...@dhl-usa.com)
 id 1RQNQZ-0002Q1-QD
 for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600
Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
 by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
 (envelope-from )
 id 1MMQJ8-3051eb-TY
 for my-u...@domain.com; Tue, 15 Nov 2011 19:08:13 +0100
Message-ID: 1232210117.3q65wy5i448...@azbvbczcdgxeoq.mqfphqgytobofv.com
From: UPS Support auto-not...@ups.com
To: pa...@macred.com
Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
Date: Tue, 15 Nov 2011 19:08:13 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0006_01CCA3C9.EBFEF390
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
***

Thanks a lot for your kind answers.

Best Regards,

Sergio Cabrera

On Sat, Nov 19, 2011 at 8:18 AM, RW rwmailli...@googlemail.com wrote:

 On Sat, 19 Nov 2011 05:42:43 -0600
 Sergio wrote:



  header VIRUS_DHL2  ALL =~ /text inside the email to check for/i

 This looks for the text in all of the headers. If you meant to look in
 the body, then you want:

 body   VIRUS_DHL2  /text inside the email to check for/i

 You should also consider naming the sub-rules with two leading
 underscores (like __VIRUS_DHL2), or explicitly score them, to prevent
 them having a one point default score.



Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
I finally made my MCP rule like this:

header   __VIRUS_DHL1    FROM =~ /dhl-usa.com/i
header   __VIRUS_DHL2    ALL =~ /CommuniGate Pro SMTP 5.2.3/i
meta     VIRUS_DHLTOTAL  (__VIRUS_DHL1 && __VIRUS_DHL2)
describe VIRUS_DHLTOTAL  Correo con virus de DHL-USA
score    VIRUS_DHLTOTAL  11

One more option that I would like to add for this rule to check is
attachments. Where do I look for the attachment file, is it in the body?

Once again, thank you.

Sergio

On Sat, Nov 19, 2011 at 10:45 AM, Sergio sec...@gmail.com wrote:

 RW,
 Now I understand why it gave 1 point when I declared 11 on the score,
 lol.

 I was trying to follow the spamassassin tutorial and saw the example; it
 shows the two underscores but never said that they are kind of mandatory.
 Thanks a lot for pointing this out.

 John Hardin,
 this is one header of the emails that I received:

 ***
 Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
  by MY-SERVER with smtp (Exim 4.69)
  (envelope-from plaintiveo...@dhl-usa.com)
  id 1RQNQZ-0002Q1-QD
  for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600
 Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
  by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
  (envelope-from )
  id 1MMQJ8-3051eb-TY
  for my-u...@domain.com; Tue, 15 Nov 2011 19:08:13 +0100
 Message-ID: 1232210117.3q65wy5i448...@azbvbczcdgxeoq.mqfphqgytobofv.com
 From: UPS Support auto-not...@ups.com
 To: pa...@macred.com
 Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
 Date: Tue, 15 Nov 2011 19:08:13 +0100
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
 boundary==_NextPart_000_0006_01CCA3C9.EBFEF390
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 5.00.2919.6600
 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
 ***

 Thanks a lot for your kind answers.

 Best Regards,

 Sergio Cabrera


 On Sat, Nov 19, 2011 at 8:18 AM, RW rwmailli...@googlemail.com wrote:

 On Sat, 19 Nov 2011 05:42:43 -0600
 Sergio wrote:



  header VIRUS_DHL2  ALL =~ /text inside the email to check for/i

 This looks for the text in all of the headers. If you meant to look in
 the body, then you want:

 body   VIRUS_DHL2  /text inside the email to check for/i

 You should also consider naming the sub-rules with two leading
 underscores (like __VIRUS_DHL2), or explicitly score them, to prevent
 them having a one point default score.





Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
John,
thanks a lot for your suggestions, I will apply them in my rule. Thanks!

Just a little bit more information about these emails; here is another
header where I got the CommuniGate Pro SMTP 5.2.3:

***
Received: from [81.145.136.213] (helo=dhl-usa.com)
 by MY SERVER IP with smtp (Exim 4.69)
 (envelope-from charlescv...@dhl-usa.com)
 id 1RQvs4-0006uH-Do
 for MY CUSTOMER EMAIL; Thu, 17 Nov 2011 00:54:54 -0600
Received: from [53.166.161.121] (account charlescv...@dhl-usa.com HELO
msrertiksp.dxnbmrblb.com)
 by (CommuniGate Pro SMTP 5.2.3)
 with ESMTPA id 144361206 for MY CUSTOMER EMAIL; Thu, 17 Nov 2011
06:54:57 +
From: UPS Support nore...@ups.com
To: MY CUSTOMER EMAIL
Subject: UPS Delivery Notification TrackNum 73-2868202-M56DIEQ
Date: Thu, 17 Nov 2011 06:54:57 +
Message-ID: 0199874162.asz95ik6314...@wrfgijnsf.ozyaj.com
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_000E_01CCA4F5.D1299D90
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2741.2600
Importance: Normal
***

Right now I have set these two rules:

header   __VIRUS_DHL1    FROM =~ /\b(?:dhl-usa|ups)\.com/i
header   __VIRUS_DHL2    ALL =~ /CommuniGate Pro SMTP 5.2.3/i
meta     VIRUS_DHLTOTAL  (__VIRUS_DHL1 && __VIRUS_DHL2)
describe VIRUS_DHLTOTAL  Correo con virus de DHL-USA
score    VIRUS_DHLTOTAL  11

header   __ENV_FROM_DHL    Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header   __FROM_DHL        From =~ /\bdhl[^ .]+\.com/i
header   __ENV_FROM_UPS    Received =~ /envelope-from [^ @]+@ups\.com/i
header   __FROM_UPS        From =~ /\bups\.com/i
meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
score    VIRUS_DHLTOTAL    11

Once again, thank you for helping me.

Best Regards,

Sergio Cabrera


On Sat, Nov 19, 2011 at 1:27 PM, John Hardin jhar...@impsec.org wrote:

 On Sat, 19 Nov 2011, Sergio wrote:

  this is one header of the emails that I received:

 *
 Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
 by MY-SERVER with smtp (Exim 4.69)
 (envelope-from plaintiveo...@dhl-usa.com)
 id 1RQNQZ-0002Q1-QD
 for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600
 Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
 by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
 (envelope-from )
 id 1MMQJ8-3051eb-TY
 for my-u...@domain.com; Tue, 15 Nov 2011 19:08:13 +0100
 Message-ID: 1232210117.3Q65WY5I448622@azbvbczcdgxeoq.mqfphqgytobofv.com
 From: UPS Support auto-not...@ups.com
 To: pa...@macred.com
 Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
 Date: Tue, 15 Nov 2011 19:08:13 +0100
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
 boundary==_NextPart_000_0006_01CCA3C9.EBFEF390
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 5.00.2919.6600
 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
 *


 Your rules:


 header   __VIRUS_DHL1    FROM =~ /dhl-usa.com/i
 header   __VIRUS_DHL2    ALL =~ /CommuniGate Pro SMTP 5.2.3/i

 __VIRUS_DHL1 won't hit on this, it's from UPS.COM. Perhaps:

 header   __VIRUS_DHL1    FROM =~ /\b(?:dhl-usa|ups)\.com/i

 No CommuniGate Pro, so _that_ won't hit on this.

 I note that the envelope-from _is_ dhl-usa.com; Are DHL and UPS
 affiliated? If not, and if that appears regularly, then perhaps this (off
 the top of my head, untested) would help:

  header  __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
  header  __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i

  header  __ENV_FROM_UPS  Received =~ /envelope-from [^ @]+@ups\.com/i
  header  __FROM_UPS      From =~ /\bups\.com/i

  meta    DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)


 --
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 -----------------------------------------------------------------------
  Microsoft is not a standards body.
 -----------------------------------------------------------------------
  346 days since the first successful private orbital launch (SpaceX)



Re[2]: filter for russian porno message?

2008-11-11 Thread sergio
Hello Ned,

Tuesday, November 11, 2008, 5:43:22 PM, you wrote:

 sergioser wrote:
 Hello all!
 During the last month I have received a lot of messages with Russian-language
 subjects with hard sexual words.
 Spamassassin just lets all of them through.
 Maybe somebody has special filters for messages like these, do you know?
 Or maybe you can help to configure spamd for an effective fight against these
 messages?
 Thanks for any help.

 This is what I use to detect undesirable character sets in the subject:

 header   LOCAL_CHARSET_SUBJECT  Subject:raw =~ /\=\?(koi8-r|windows-1251|iso-2022-jp|gb2312)\?/i
 score    LOCAL_CHARSET_SUBJECT  3
 describe LOCAL_CHARSET_SUBJECT  Contains charsets we don't accept

 They are most likely koi8-r, so this would catch them. Score the rule as
 you see fit.


Thanks.
Sorry, but I'm new among spamassassin users. Can you say where I must write
these rules?
Thanks again.

-- 
Best regards,
Sergio Bortsov(Neonet ISP),   mailto:[EMAIL 
PROTECTED],[EMAIL PROTECTED]
phones:8(032)2987593;
   8(098)4491155.



how filter messages by subject

2007-01-03 Thread sergio
Hello spamassasin_list,

  I want to filter messages with some bad words. How can I configure the SA
  to do that?
  Thanks.

-- 
Best regards,
Sergio Bortsov(Global Ukraine Lan ISP),  mailto:[EMAIL 
PROTECTED]
phones:8(032)2987593;
   8(050)3170470.




Re[2]: how filter messages by subject

2007-01-03 Thread sergio
Hello Chris,

Wednesday, January 3, 2007, 4:57:02 PM, you wrote:

 -Original Message-
 From: sergio [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 03, 2007 9:13 AM
 To: spamassasin_list
 Subject: how filter messages by subject


 Hello spamassasin_list,

  I want to filter messages with some bad words. How can I configure the SA
  to do that?
  Thanks.
It's not really meant to do it, but you can. You first write a rule to match bad words in the subject or body. But there are two ways to do things after that...
header BAD_WORDS Subject =~ /bush/i
describe BAD_WORDS Oh...he is bad!
score BAD_WORDS 100.00
Scoring it high will have it marked as spam, and treated however you treat spam. But if you wanted to put ones that hit this rule somewhere else, then you could score it low and use procmail to look for "BAD_WORDS" in the report header, and forward the email to another folder or account.
All this said, I do NOT recommend doing any of this.

Why?

It's sure to FP on emails.
Thanks,
Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com

--
Best regards,
Sergio Bortsov(Global Ukraine Lan ISP), mailto:[EMAIL PROTECTED]
phones:8(032)2987593;
   8(050)3170470.






question about getpwuid and authdaemon

2006-12-29 Thread sergio
Hello spamassasin_list,

  Hello all!
  I'm new in this list, so maybe I'll say something wrong.
  I successfully installed SA on my system (FreeBSD 5.3) and
  attached it to Courier 0.53. I'm using the AuthCourier.pm script
  for cooperation between Courier and SA, and this is my maildroprc
  file:
exception {
xfilter "/usr/local/bin/spamc"
}
exception {
include $HOME/.mailfilter
}
  But when I send some message through Courier it said

  getpwuid() failed: Unknown error: 0

  Sorry, but I don't understand the principles of Perl deeply enough
  and can't find the reason why it was saying this.
  I'll be thankful for any help.
  Thanks.

-- 
Best regards,
Sergio Bortsov(Global Ukraine Lan ISP),  mailto:[EMAIL 
PROTECTED]
phones:8(032)2987593;
   8(050)3170470.




Re: Rules SA

2005-03-02 Thread Mario Sergio Candian
Oks... I was wrong.. sorry... but I also need to block any emails with subject
SERASA... :/ What do I need to do to block it?

Mario Sergio Candian
-
Dreams as if you'll live forever. Live as if you'll die today -- James Dean
On Wed, 2 Mar 2005, Matt Kettler wrote:
At 01:46 PM 3/2/2005, Mario Sergio Candian wrote:
I need to block all emails that I receive with subject SERASA e MAMONAS 
ASSASSINAS. I try with this:

body   PROVER_MAMONAS1  /MAMONAS.*ASSASINAS/i
score  PROVER_MAMONAS1  5.0
Looks like you're missing the 4th S in ASSASSINAS



Re: SA 2.64

2004-10-14 Thread Mario Sergio Candian

When I run spamassassin --lint -D, SA gets these directories:

debug: using /usr/local/share/spamassassin for default rules dir
debug: using /usr/local/etc/mail/spamassassin for site rules dir
debug: using /root/.spamassassin for user state dir
debug: using /root/.spamassassin/user_prefs for user prefs file
debug: using /root/.spamassassin for user state dir
debug: bayes: 44152 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 44152 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2

...

debug: Current PATH is: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/local/vpopmail/bin
debug: DCC is not available: no executable dccproc found.
debug: Pyzor is not available: pyzor not found
debug: all '*To' addrs:
debug: RBL: success for 1 of 1 queries
debug: running meta tests; score so far=1.27
debug: is spam? score=1.27 required=3.7 tests=DATE_MISSING,NO_REAL_NAME

Does SA read the .cf files in /usr/local/share/spamassassin first?

Mario Sergio

On Thu, 14 Oct 2004, Matt Kettler wrote:

 At 02:16 PM 10/14/2004, Mario Sergio Candian wrote:
 I installed SA 2.64 with qmail, vpopmail, qmail-scanner, etc... I have
 one question. I have three files in /usr/local/etc/mail/spamassasin
 (local.cf, br_rules.cf and relatorio_msg.cf). I need SA to read local.cf
 and the other files br_rules.cf and relatorio_msg.cf. How can I do it?

 SA will automatically read ALL the .cf files in the site rules directory.

 However, you should run spamassassin --lint -D to make sure SA is using
 /usr/local/etc/mail/spamassassin as the site rules directory, and not
 some other location it found first.

 report_safe 0
 #auto_report_threshold  30
 #use_terse_report   0
 version_tag domain.com.br
 
 sa-learn --spam /var/spool/spam-box/Maildir/*/
 sa-learn --ham  /var/spool/nospam-box/Maildir/*/
 
 ok_locales  all
 ok_languagesall


 Um.. what on earth are sa-learn statements doing in your local.cf? Remove
 them, they are invalid. sa-learn is a separate program, not a configuration
 option.

 Run spamassassin --lint and clean up any other complaints SA might have
 about the file.






testing SA

2004-10-14 Thread Mario Sergio Candian

Hi guys,

I have another question: how can I test SA by sending a spam email?
I need to do that to check whether required_hits is the default (5.0) or not.

Mario Sergio