Re: USPS Spam

2013-08-30 Thread Simon Loewenthal
Plenty this week. I've just been sending to spamcop, but not a lot else. 

Matt  wrote:
>I am seeing tons of junk getting through claiming to be from the USPS
>about a missed delivery package.  Anyone else seeing this?
>
>I am running SpamAssassin 3.3.1 and execute sa-update weekly.



Re: SA Bugzilla – Bug 6558

2013-08-13 Thread Simon Loewenthal
Great. Thanks Anthony. 
--
as silly as fun
  simon@klunky / .co.uk / .net
pgp 4BA78604

Antony Stone  wrote:
>On Tuesday 13 August 2013 at 17:17, Simon Loewenthal wrote:
>
>> Hi,
>> 
>>  Did this make it into 3.3.2? ( e.g mended )
>> 
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6558
>
>Yes, according to 
>http://svn.apache.org/repos/asf/spamassassin/branches/3.3/build/announcements/3.3.2.txt
>
>
>Regards,
>
>
>Antony.



SA Bugzilla – Bug 6558

2013-08-13 Thread Simon Loewenthal
 

Hi, 

 Did this make it into 3.3.2? ( e.g mended ) 

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6558 

Cheers, S 

Re: Test email hitting BAYES_00

2013-07-24 Thread Simon Loewenthal
 

On 2013-07-24 15:59, RW wrote: 

> On Wed, 24 Jul 2013 15:15:01 +0200
> Simon Loewenthal wrote:
> 
>> I rewrote this (not GTUBE anymore) and had the same bayes score 
>> http://pastebin.com/ATqch32Y [1] [3]
> 
> It's not particularly surprising it hits BAYES_00, aside from the
> obfuscated words it's not very spammy. 
> 
> What you originally said was:
> 
>> Yesterday, this did not hit BAYES at all
> 
> Did you mean that literally? Or did you mean that it previously got a
> neutral result (BAYES_50)?

Literally. I don't recall seeing bayes yesterday, but sadly I've closed
the terminal and have no logging since then. Hopefully this is my
imaginative memory at work and this scored neutrally. I'm glad you asked
this question because you made me think a little clearer instead of
guessing. 

-- 
 

Links:
--
[1] http://pastebin.com/ATqch32Y


Re: Test email hitting BAYES_00

2013-07-24 Thread Simon Loewenthal
 

On 2013-07-24 14:41, RW wrote: 

> On Wed, 24 Jul 2013 14:04:36 +0200
> JK4 wrote:
> 
>> On 2013-07-24 13:31, RW wrote:
>>
>>> This isn't a GTUBE email, it's an email with lots of innocuous text and the
>>> obfuscated name of a drug claiming to be a GTUBE email.
>>> http://spamassassin.apache.org/gtube/ If it wasn't previously getting
>>> any BAYES result then presumably it was short-circuiting on something.
>>> Perhaps the previous mail was a real GTUBE mail short-circuiting on GTUBE -
>>> although I'm not sure why anyone would want to do that.
>>
>> This is a GTUBE test email I'm using to test if rules I wrote fired. I just
>> don't know why this started hitting bayes zero all of a sudden.
> 
> As I already said, it's *not* a GTUBE test email. Take a look at the
> definition in [2] and then take a look at the email you posted in
> [1].
> 
> Even if it were there's no reason Bayes should recognise a GTUBE mail as
> spam unless it's been trained to recognise them. SpamAssassin will
> recognise a GTUBE email, but there's no reason why each of its
> individual components should be aware of GTUBE.
> 
> Links:
> --
> [1] http://pastebin.com/5N0xhWms
> [2] http://spamassassin.apache.org/gtube/

I rewrote this (not GTUBE anymore) and had the same bayes score
http://pastebin.com/ATqch32Y [3]
 

Links:
--
[1] http://spamassassin.apache.org/gtube/
[2] http://pastebin.com/5N0xhWms
[3] http://pastebin.com/ATqch32Y


Test email hitting BAYES_00

2013-07-24 Thread Simon Loewenthal
 

Hi, 

 Yesterday, this did not hit BAYES at all, and now this hits BAYES_00,
and I did not use autolearn. I did a sa-learn --forget for good measure
and this changed nothing (*see below). I am a little flummoxed. Do any
of you have any ideas? 

Little email and result of spamc can be found here
http://pastebin.com/5N0xhWms [1] 

Thanks, Simon. 

* 

# sa-learn --forget --username=spammyd aaa
Forgot tokens from 0 message(s) (1 message(s) examined)

 

Links:
--
[1] http://pastebin.com/5N0xhWms


Re: IP Blacklisting

2013-07-12 Thread Simon Loewenthal
 

On 2013-07-12 9:02, Karsten Bräckelmann wrote: 

> On Fri, 2013-07-12 at 05:14 +0430, Moein Sarvi wrote:
> 
>> Hello is there anyway to blacklist an IP address?
> 
> Yes. Step 1: Create your own blacklist. Step 2: Report the IP. Optional
> step 3: Create rules in SA to query your blacklist created in step 1. Of
> course, I am merely assuming here you are actually asking something
> relevant to SA...
> 
> Joking apart, your question is *really* vague. In cases like this, it is
> a lot better to describe your actual problem, rather than asking
> something this broad. You still can add the missing info, and tell us
> about your problem.
> 
> Bunch-o-pointers regarding "blacklisting" an IP address:
> 
> SA does not reject, quarantine, drop or deliver mail. All it does is
> scoring. Thus, in case your "blacklisting" query involves these, you'd
> better check back with your SA calling layer.
> 
> If you definitely are about rejecting mail from a given IP, you'd want
> to look at your MX SMTP configuration.
> 
> If you are happy to "severely punish" mail sent from a given IP, without
> a need to reject the mail, SA can do what you want. Punishment ranges
> from scoring, classifying as spam, all the way up to quarantining and
> simply dropping down the bin bucket -- the latter two depending on the
> following tools in your mail-processing chain.
> 
> Flooring mail in SA sent via a given IP (aka blacklisting) is possible
> in various ways, depending on your needs, configuration, accuracy of
> your configuration (like receiving mail via mailing lists) -- and of
> course your knowledge of mail headers, SA rules, SA pseudo headers, and
> RE in general. But I digress...
> 
> Likely candidates are the X-Spam-Relays-* Untrusted and External pseudo
> headers. But that could be done more efficiently in your SMTP, if you
> mean *black* as a pseudonym of *block*.
> 
> And if you really dislike the IP, you could also craft some simple
> Received header rules in SA. Though at this point, we're crossing the
> line between blacklist and blacklist. And deep header parsing.
> 
> Where did I start off again? Oh, right -- what exactly is the problem
> you're facing and the result you want to achieve?

Hi, 

Perhaps: 

header   BLACKLIST_IP  Received =~ /IPaddress/
score    BLACKLIST_IP  100
describe BLACKLIST_IP  Disallow from IP address 

If you use Postfix for your MTA, then drop into your header_checks
file 

/^Received: from IPaddress/ REJECT Bye bye to your IP address

and then add into the main.cf 

header_checks = pcre:/etc/postfix/header_checks 

Completely untested and not really thought about, of course. I suspect
my regexes are broken, but this gives you an idea. 

-- 
"I decided that I was a lemon for a couple of weeks. I kept myself
amused all that time jumping in and out of a gin and tonic."
simon@klunky .co.uk / .org
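As an added example (not code from the post above), the Received-header blacklist rule and the Postfix header_checks line rendered with a properly escaped and delimited address, and a test showing why the untested, unescaped form over-matches. The IPs and Received headers are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""SpamAssassin / Postfix blacklist rules for one relay IP, built and tested.

Added example, not code from the mailing-list post: it shows why an address
pasted straight into a regex over-matches, and what the escaped, delimited
form looks like. All IPs and Received headers are constructed.
"""
import re


def naive_pattern(ip):
    # The unescaped dots are wildcards and nothing delimits the address, so
    # 192.0.2.1 also matches 192.0.2.10, 192.0.2.100 and so on.
    return ip


def anchored_pattern(ip):
    # Escape the dots and demand a whole token: no digit or dot on either side.
    # Perl and PCRE both support these lookarounds, so the same pattern can go
    # into an SA rule or a Postfix pcre: header_checks table.
    return r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"


def sa_header_rule(name, ip, score, description):
    """Render the three local.cf lines for a Received-header blacklist rule.

    SA tests the pattern against every Received header, so a listed IP that
    appears as an intermediate hop (e.g. a mailing-list relay) also fires.
    """
    return "\n".join([
        f"header   {name}  Received =~ /{anchored_pattern(ip)}/",
        f"score    {name}  {score}",
        f"describe {name}  {description}",
    ])


def postfix_header_check(ip, reason):
    """Render the equivalent pcre: header_checks line that REJECTs at the MTA.

    header_checks also see Received lines added by your own internal hops, so
    only list addresses you never want to accept mail through.
    """
    return f"/^Received: .*{anchored_pattern(ip)}/ REJECT {reason}"


def received_matches(pattern, received_headers):
    """Return the Received header lines that the pattern matches."""
    rx = re.compile(pattern)
    return [h for h in received_headers if rx.search(h)]


# Constructed Received headers: the listed host, a near-miss neighbour and an
# unrelated relay.
RECEIVED = [
    "from mail.example.net (mail.example.net [192.0.2.1]) by mx.example.org",
    "from relay.example.com (relay.example.com [192.0.2.10]) by mx.example.org",
    "from host.example.org (host.example.org [198.51.100.7]) by mx.example.org",
]

if __name__ == "__main__":
    print(sa_header_rule("BLACKLIST_IP", "192.0.2.1", 100, "Disallow from IP address"))
    print(postfix_header_check("192.0.2.1", "Bye bye to your IP address"))
    print("naive matches:   ", received_matches(naive_pattern("192.0.2.1"), RECEIVED))
    print("anchored matches:", received_matches(anchored_pattern("192.0.2.1"), RECEIVED))
```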
 

Just interested: MIME validation ruleset and ASCII-0

2013-05-30 Thread Simon Loewenthal
 

Hi there, 

 The SA custom rulesets page refers to the MIME validation ruleset. This
is a small .cf file. I am interested in this rule: 

# ASCII-0 can crash mail clients. This is an absolute NO!
rawbody MIME_ASCII0 /\x00/
describe MIME_ASCII0 Message body contains ASCII-0 character
score MIME_ASCII0 1.5

Does anyone know why this char should crash an email client? I did
google a little for ASCII charsets and this char, but I could not see
how this might cause a crash. I wonder if this is not caused by badly
coded email client implementations?

Perhaps I am showing off my noob-ness :)

Thanks!
Simon
 

Re: CLAMAV skipped on same email when sent from spamd, yet not skipped when sent from spamc.

2013-05-29 Thread Simon Loewenthal
 

On 2013-05-29 12:43, Matus UHLAR - fantomas wrote: 

> On 29.05.13 12:29, Simon Loewenthal wrote:
> 
>> The socket seems ok to me: srw-rw-rw- 1 clamav clamav 0 May 14 21:43 
>> /var/run/clamav/clamd.ctl
> 
> what are permissions for /var/run/clamav ?

 drwxr-xr-x 

Since the enabling of debug, I am seeing connections back to clamav, and
a result is returned. 
Wed May 29 12:44:05 2013 [13217] info: spamd: processing message
<20130529104323.ga24...@example.sk> for exam...@example.co.uk:5002
Wed May 29 12:44:07 2013 [13217] dbg: ClamAV: invoking
File::Scan::ClamAV, port/socket: /var/run/clamav/clamd.ctl
Wed May 29 12:44:07 2013 [13217] dbg: ClamAV: result - No
Wed May 29 12:44:07 2013 [13217] dbg: FuzzyOcr: Starting FuzzyOcr...
Wed May 29 12:44:07 2013 [13217] info: FuzzyOcr: Processing Message with
ID "<20130529104323.ga24...@example.sk>" (example 
-> users@spamassassin.apache.org)

 

Re: CLAMAV skipped on same email when sent from spamd, yet not skipped when sent from spamc.

2013-05-29 Thread Simon Loewenthal
 

On 2013-05-29 11:40, Mark Martinec wrote: 

> Simon,
> 
>> I looked at scoring for an email on an SA installation and noticed 
>> differences between hand scanning with spamc and scanning with spamd. My 
>> manually scanned email hit CLAMAV sane security, (ignore Bayes because the 
>> user had Bayes process this and then asked me about this), whilst this spamd 
>> delivered message did not hit CLAMAV_SANE The local.cf had a timeout of 250 
>> seconds (default is 300). The clamav logs did not record any connection from 
>> SA during the spamd scan, yet did record a connection from spamc when I 
>> manually scanned the message so I think spamd skipped clamav scans.
> 
>> I'd be really grateful if you could tell me where I could start looking so 
>> that I can work out why CLAMAV did not get read/called. Running on Debian 6 
>> / SpamAssassin 3.3.2
> 
> Start looking by enabling debugging in spamd.
> 
> Assuming the ClamAVPlugin from SpamAssassin Wiki is used, you could
> selectively enable just its debug area in spamd: --debug=ClamAV
> 
> The first suspect would be access rights to the clamd socket
> vs. the UID under which a spamd child process is running.
> 
> Mark

Hi Mark, 

 The socket seems ok to me: 

srw-rw-rw- 1 clamav clamav 0 May 14 21:43 /var/run/clamav/clamd.ctl
I'll run spamd with the option you mentioned for a little while: 

 /usr/bin/perl -T -w /usr/sbin/spamd --debug=ClamAV --create-prefs -x -q
--ipv4 --max-children 2 --timeout-child 180 --sql-config --nouser-config
--username spamd --helper-home-dir -s /var/log/spamd.log
--virtual-config-dir=/users/%d/%u -d --pidfile=/var/run/spamd.pid

Simon 

-- 
"I decided that I was a lemon for a couple of weeks. I kept myself
amused all that time jumping in and out of a gin and tonic."
simon@klunky .co.uk / .org
 

Re: CLAMAV skipped on same email when sent from spamd, yet not skipped when sent from spamc.

2013-05-29 Thread Simon Loewenthal
 

On 2013-05-29 9:21, Matus UHLAR - fantomas wrote: 

> On 28.05.13 17:30, Simon Loewenthal wrote:
> 
>> I looked at scoring for an email on an SA installation and noticed 
>> differences between hand scanning with spamc and scanning with spamd. My 
>> manually scanned email hit CLAMAV sane security, (ignore Bayes because the 
>> user had Bayes process this and then asked me about this), whilst this spamd 
>> delivered message did not hit CLAMAV_SANE The local.cf had a timeout of 250 
>> seconds (default is 300). The clamav logs did not record any connection from 
>> SA during the spamd scan, yet did record a connection from spamc when I 
>> manually scanned the message so I think spamd skipped clamav scans.
> 
> The only reason why spamc/spamd could give different results than
> spamassassin is that they scan as different user, otherwise they should use
> just the same configs.
> 
>> Hand scanned with # cat $MESSAGEFILE | spamc -R -u spamd
> 
> Here you instruct spamc to scan message as user spamd which means the
> spamd's user preferences.
> 
>> Results when scanned by spamd via postfix:
> 
>> Tue May 28 14:17:55 2013 [20590] info: spamd: result: . 5 - 
>> BAYES_50,DCC_CHECK,HTML_IMAGE_ONLY_20,HTML_MESSAGE,JOB_OFFERS_PHASES,MTX_FAIL,RDNS_NONE,SPF_HELO_SOFTFAIL,SPF_SOFTFAIL,T_REMOTE_IMAGE
>>  
>> scantime=18.9,size=145848,user=exam...@example.co.uk,uid=5002,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=38517,mid=<51a49fdb.908...@hsbc.co.uk>,bayes=0.500979,autolearn=no,shortcircuit=no
> 
> ^^
> here postfix instructs spamd to scan as user "exam...@example.co.uk"
> 
> what happens when you pass arguments "-u exam...@example.co.uk" to spamc,
> instead of "-u spamd" ?

Hi, Matus, I tried this and had the same results when I passed the -u
exam...@example.co.uk 

-- 
"I decided that I was a lemon for a couple of weeks. I kept myself
amused all that time jumping in and out of a gin and tonic."
simon@klunky .co.uk / .org
 

CLAMAV skipped on same email when sent from spamd, yet not skipped when sent from spamc.

2013-05-28 Thread Simon Loewenthal
 

Hallo there, 

 I looked at scoring for an email on an SA installation and noticed
differences between hand scanning with spamc and scanning with spamd. My
manually scanned email hit CLAMAV sane security, (ignore Bayes because
the user had Bayes process this and then asked me about this), whilst
this spamd delivered message did not hit CLAMAV_SANE The local.cf had a
timeout of 250 seconds (default is 300). The clamav logs did not record
any connection from SA during the spamd scan, yet did record a
connection from spamc when I manually scanned the message so I think
spamd skipped clamav scans.

I'd be really grateful if you could tell me where I could start looking
so that I can work out why CLAMAV did not get read/called.

Running on Debian 6 / SpamAssassin 3.3.2 

Thanks,

S.

-

Hand scanned with # cat $MESSAGEFILE | spamc -R -u spamd 

Content analysis details: (15.7 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
 [score: 1.]
-0.1 JOB_OFFERS_PHASES BODY: Phrases typical of English language job
 offers
 0.0 MTX_FAIL MTX: Failed: http://www.chaosreigns.com/mtx/
 0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
 0.7 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
 1.5 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
 0.0 HTML_MESSAGE BODY: HTML included in message
 1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
 0.0 CLAMAV Clam AntiVirus detected something doubtful contained within.
[Sanesecurity.Rogue.0hr.0528v11148.UNOFFICIAL(f96fcb039ace92f345acb2356f3462b2:145148)]
 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
 7.5 CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
 0.0 T_REMOTE_IMAGE Message contains an external image

Results when scanned by spamd via postfix: 

Tue May 28 14:17:36 2013 [20590] info: spamd: processing message
<51a49fdb.908...@hsbc.co.uk> for exam...@example.co.uk:5002
Tue May 28 14:17:55 2013 [20590] info: spamd: result: . 5 -
BAYES_50,DCC_CHECK,HTML_IMAGE_ONLY_20,HTML_MESSAGE,JOB_OFFERS_PHASES,MTX_FAIL,RDNS_NONE,SPF_HELO_SOFTFAIL,SPF_SOFTFAIL,T_REMOTE_IMAGE
scantime=18.9,size=145848,user=exam...@example.co.uk,uid=5002,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=38517,mid=<51a49fdb.908...@hsbc.co.uk>,bayes=0.500979,autolearn=no,shortcircuit=no


X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on example.co.uk
X-Spam-Level: *
X-Spam-Status: No, score=5.5 required=6.0 tests=BAYES_50,DCC_CHECK,
 HTML_IMAGE_ONLY_20,HTML_MESSAGE,JOB_OFFERS_PHASES,MTX_FAIL,RDNS_NONE,
 SPF_HELO_SOFTFAIL,SPF_SOFTFAIL,T_REMOTE_IMAGE shortcircuit=no
autolearn=no
 version=3.3.2
X-Spam-Virus: No
X-Spam-Report:
 * -0.1 JOB_OFFERS_PHASES BODY: Phrases typical of English language job
 * offers
 * 0.0 MTX_FAIL MTX: Failed: http://www.chaosreigns.com/mtx/
 * 0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
 * 0.7 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
 * 1.5 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of
words
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 * [score: 0.5001]
 * 1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
 * 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
 * 0.0 T_REMOTE_IMAGE Message contains an external image

 

Re: Bayes & sa-learn training question - How to exclude certain URLs found in emails

2013-05-16 Thread Simon Loewenthal

 Thank-you everyone. 

I shall have Bayes forget emails, then retrain with a rule that counts linkedin 
invitations as spam. I have one I wrote earlier and implemented after Bayes had 
gone off track.

Cheers, S.
--
as silly as fun
  simon@klunky / .co.uk / .org / .net
pgp 4BA78604

Benny Pedersen  wrote:
>Simon Loewenthal wrote on 2013-05-16 15:17:
>
>> * have sa-learn exclude references to linkedin?
>
>basically you need to know how bayes works, it does not just use the word
>linkedin as written, but more or less splits it to each letter, so
>linkedin and other content is split into atoms that are stored into the
>bayes database, it does not matter if those atoms are ham or spam yet
>
>but if you sa-learn --spam then the atoms are counted as spam, and if
>you use --ham they are counted as ham, --forget is when you like bayes to
>autolearn again on no data from these emails with linkedin in :)
>
>that's the basics, what was the question now ? :(



Re: Bayes & sa-learn training question - How to exclude certain URLs found in emails

2013-05-16 Thread Simon Loewenthal

On 2013-05-16 16:17, RW wrote:

> On Thu, 16 May 2013 15:17:14 +0200
> Simon Loewenthal wrote:
>
>> Hi all, I turned shortcircuit for BAYES_00 on a server, and noticed
>> that LinkedIn invitation emails hit BAYES_00.
>
> When you say email, I presume you mean spam.

Yep

>> A bit strange I thought being unlikely someone had run sa-learn on
>> LinkedIn emails. I grepped on all the Ham and Spam directories and hit
>> lots of "linkedin,com" in URLs in the body, yet no "linkedin.com"
>> entries in the headers.
>
> The few invitations spams I've received have all hit BAYES_50 or
> greater, despite my learning a lot of ham with linkedin.com URIs - I'm
> doubtful that's the sole explanation.

I shall try running some linked in stuff into Bayes then and see how it
comes along. Can't hurt ;)

Thank-you RW for ideas.

S


Bayes & sa-learn training question - How to exclude certain URLs found in emails

2013-05-16 Thread Simon Loewenthal

Hi all,

 I turned shortcircuit for BAYES_00 on a server, and noticed that LinkedIn
invitation emails hit BAYES_00. A bit strange I thought being
unlikely someone had run sa-learn on LinkedIn emails.

I grepped on all the Ham and Spam directories and hit lots of
"linkedin,com" in URLs in the body, yet no "linkedin.com" entries in the
headers.

Do you know if sa-learn will count URLs in emails, and put this into Bayes?

( I thought so, but should verify with this email list)

If the answer above is yes, then how could I:

* have bayes disregard the linkedin references from Bayes except by using
the --forget option on the suspect email, and

* have sa-learn exclude references to linkedin?

( I know I could recover this from backups, but would like to have a
solution that avoids this again)

Regards, Si


Re: Norwegian language spam

2013-05-02 Thread Simon Loewenthal
 

Hi Martin, 

Maybe you could try something like this, but change
the English text into Norwegian accordingly. 

describe J_MAILBOX_FULL Your mailbox has exceeded spam
body J_MAILBOX_FULL /^Your? ((web|E-?) ?mail|mailbox) .*(is|has) .*(exceed|over)/i
score J_MAILBOX_FULL 1.0


---
"I decided that I was a lemon for a couple of weeks. I kept myself
amused all that time jumping in and out of a gin and tonic."
simon@klunky .co.uk / .org

On 2013-05-02 12:45, Martin Gregorie wrote: 

> The last two days I've started to get a small amount of spam with these
> characteristics:
> - it's of the "you've exceeded your 2GB mailbox size. Click  to
> revalidate your account" variety
> 
> - sender has a Hispanic name and (so far) has been sending the mail from
> a Spanish-speaking country which is the TLD in both the sender URI
> and message ID
> 
> - the body text is recognised as Norwegian by Babelfish
> 
> - the target URL is a website hosted by webs.com
> 
> Is anybody else seeing this?
> 
> Is webs.com generally known for hosting spam-related websites? I have
> only one other occurrence of it in my spam collection of 835 messages.
> 
> Martin
 

Re: pyzor 401/unauthorized?

2013-03-06 Thread Simon Loewenthal
Same here:

$ pyzor discover
downloading servers from http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3

$ pyzor ping
public.pyzor.org:24441  (401, 'Unauthorized: User is not authorized to request 
the operation.')
$

This explains the Pyzor errors I've had recently.
--
fight apathy or don't
  simon@klunky / .co.uk / .org
pgp 4BA78604

"Dan Mahoney, System Admin"  wrote:

>I was in the process of "linting" my SA config when I discovered that
>the 
>pyzor servers are handing back this response to all commands:
>
>/usr/local/bin/pyzor --homedir /usr/local/etc/mail/spamassassin/.pyzor 
>ping
>public.pyzor.org:24441  (401, 'Unauthorized: User is not authorized to 
>request the operation.')
>
>As opposed to the myriad of other issues I've seen on this list where
>the 
>user can't set pyzor_home correctly or firewall issues, I'm pretty sure
>
>I'm doing things right (I don't get a backtrace or anything) and this 
>appears to be server-side.
>
>-Dan



Re: Upgrade from SA 3.3.1 to 3.3.2 - increase in memory requirements on Debian 6

2013-03-06 Thread Simon Loewenthal
 

Guess what? After removal of, 

local_phishing_reply.cf
99_anonwhois.cf 
malware.blocklist.cf 

the memory usage dropped to 15% of RAM. 

Time to add more children into the mix. 

Cheers, S 

On 2013-03-06 15:55, Kevin A. McGrail wrote: 

> On 3/6/2013 9:53 AM, Simon Loewenthal wrote:
> 
>> Hi KAM and AxB, The system is a small low cost VM. The provider (for
>> some reason) only offers to move the server to a new box, instead of
>> adding an extra half gig, which is pretty poor. I don't have the time
>> to spare for such a move for the moment. Yep - It's 64bit : amd64. Rule
>> sets. I shall drop some rule sets. An sa-compile is run every time the
>> automatically downloaded rulesets change, but this won't necessarily
>> cut here when so tight on ram.
> 
> Understood. Definitely look at rule sets and using 64Bit for a machine
> with 500MB of RAM just seems like a massive way to waste memory. When
> you move, if you are locked to ~4GB or less, go with x86.
> 
> Regards,
> KAM
 

Re: Upgrade from SA 3.3.1 to 3.3.2 - increase in memory requirements on Debian 6

2013-03-06 Thread Simon Loewenthal
 

Hi KAM and AxB, 

 The system is a small low cost VM. The provider (for some reason) only
offers to move the server to a new box, instead of adding an extra half
gig, which is pretty poor. I don't have the time to spare for such a move
for the moment. Yep - It's 64bit : amd64.

Rule sets. I shall drop some rule sets. An sa-compile is run every time
the automatically downloaded rulesets change, but this won't necessarily
cut here when so tight on ram. 

On 2013-03-06 15:36, Kevin A. McGrail wrote: 

> On 3/6/2013 9:17 AM, Simon Loewenthal wrote: 
>
>> Options are : /usr/sbin/spamd --create-prefs -x -q --ipv4
>> --max-children 1 --timeout-child 180 --sql-config --nouser-config
>> --username spamd --helper-home-dir -s /var/log/spamd.log
>> --virtual-config-dir=/users/%d/%u -d --pidfile=/var/run/spamd.pid 
>>
>> ( 1 child set because of lack of memory. 2 causes it to swap) 
>>
>> As far as I can tell no rulesets have changed. I have these
>> additional ones added : 
>> 
>> # MALWARE BLOCKLIST
>> "http://www.malwarepatrol.net/cgi/submit?action=list_sa" [1] -O MALWARE.BLOCKLIST.CF 
>> 
>> # 99_ANONWHOIS
>> "http://anonwhois.org/99_anonwhois.cf" [2] -O 99_ANONWHOIS.CF 
>> 
>> # kAOS rESIgns MTX Blacklist
>> /usr/local/bin/mtx_blacklist.pl
>> 
>> # SOUGHT rules via sa-update
>> --channel SOUGHT.rules.yerp.org --channel updates.spamassassin.org 
>> 
>> # Generate Spamassassin rules from the phishing_reply_addresses list
>> /usr/local/bin/addresses2spamassassin.pl - Produces file: LOCAL_PHISHING_REPLY.CF
>> 
>> CUSTOM RULES IN LOCAL.CF 
>> 
>> I have several custom rules comprising of 231 lines. These are simple
>> rules comprising of some simple regex. Some were copied from this
>> mailing list. I should turn these off and see what happens. 
>> 
>> In the past 24 hours the spamd memory usage has dropped to 198 Mb, which
>> is a relief, but this happened after I did a update on the server from
>> squeeze/updates, squeeze, and security. Before time I just had security
>> configured.
>
> Hi Simon,
> 
> I've never really worked with a system that tight on ram but I would
> definitely look at the configs you are adding. Some of those look to
> change per day and the memory usage seems fairly high.
> 
> Here's an x86 system where I'm running a few spamds:
> 
> spamd 1088 46.5 2.1 98024 90144 ? R 08:31 29:40 spamd child
> root 14509 0.0 1.0 49964 44116 ? Ss Mar04 1:00 /usr/local/bin/spamd -d --min-spare=1 --min-children=5 --max-spare=10 --max-conn-per-child=1000 --max-children=40 -q -x -u spamd --allowed-ips=127.0.0.1 -r /var/run/spamd.pid
> spamd 14697 5.5 2.1 95192 87896 ? R Mar05 39:04 spamd child
> spamd 17369 3.4 1.6 73480 66964 ? S 00:18 19:04 spamd child
> spamd 18328 1.9 2.2 99632 91804 ? S Mar04 40:01 spamd child
> spamd 25112 1.0 2.2 100220 92116 ? S Mar05 19:55 spamd child
> spamd 28567 0.5 1.6 74424 67364 ? S Mar05 9:39 spamd child
> spamd 29384 0.0 1.1 54908 48348 ? R 03:52 0:05 spamd child
> spamd 29656 0.2 1.4 65020 58132 ? S Mar05 3:40 spamd child
> spamd 31115 0.0 1.0 49964 42432 ? S 05:01 0:00 spamd child
> spamd 32566 0.0 1.0 49964 42432 ? S 06:52 0:00 spamd child
> 
> For comparison, your memory foot print seems higher.
> Are you on a 64 bit system? Assuming note...
> 
> regards,
> KAM



Links:
--
[1] http://www.malwarepatrol.net/cgi/submit?action=list_sa
[2] http://anonwhois.org/99_anonwhois.cf


Re: Upgrade from SA 3.3.1 to 3.3.2 - increase in memory requirements on Debian 6

2013-03-06 Thread Simon Loewenthal
 

Hi KAM, 

Options are : /usr/sbin/spamd --create-prefs -x -q --ipv4
--max-children 1 --timeout-child 180 --sql-config --nouser-config
--username spamd --helper-home-dir -s /var/log/spamd.log
--virtual-config-dir=/users/%d/%u -d --pidfile=/var/run/spamd.pid 

( 1 child set because of lack of memory. 2 causes it to swap) 

As far as I can tell no rulesets have changed. I have these additional
ones added :

# MALWARE BLOCKLIST
"http://www.malwarepatrol.net/cgi/submit?action=list_sa" -O MALWARE.BLOCKLIST.CF 

# 99_ANONWHOIS
"http://anonwhois.org/99_anonwhois.cf" -O 99_ANONWHOIS.CF 

# kAOS rESIgns MTX Blacklist
 /usr/local/bin/mtx_blacklist.pl

# SOUGHT rules via sa-update
 --channel SOUGHT.rules.yerp.org --channel updates.spamassassin.org 

# Generate Spamassassin rules from the phishing_reply_addresses list
 /usr/local/bin/addresses2spamassassin.pl - Produces file: LOCAL_PHISHING_REPLY.CF

CUSTOM RULES IN LOCAL.CF 

I have several custom rules comprising of 231 lines. These are simple
rules comprising of some simple regex. Some were copied from this
mailing list. I should turn these off and see what happens. 

In the past 24 hours the spamd memory usage has dropped to 198 Mb, which
is a relief, but this happened after I did a update on the server from
squeeze/updates, squeeze, and security. Before time I just had security
configured. 

Cheers, S 

On 2013-03-06 14:57, Kevin A. McGrail wrote:

> On 3/5/2013 7:36 AM, Simon Loewenthal wrote: 
> 
>> I just upgraded a small server from 3.3.1 to 3.3.2 (Debian Squeeze). 
>> 
>> I notice that spamd now takes 64% of the memory which is 317 mb. This
>> is rather high in my opinion. 
>> 
>> I realize this may well be a Debian specific question, but does
>> spamassassin 3.3.2-2~bpo60+1 have any performance related dependencies
>> on other packages? Currently, Perl is 5.10.1-17squeeze4.
>
> What spamd options are you using now? What were you using?
> 
> What rulesets are you using now? What were you using?
> 
> Regards,
> KAM
 

Upgrade from SA 3.3.1 to 3.3.2 - increase in memory requirements on Debian 6

2013-03-05 Thread Simon Loewenthal
 

Hi all, 

 I just upgraded a small server from 3.3.1 to 3.3.2 (Debian Squeeze). 

I notice that spamd now takes 64% of the memory which is 317 mb. This is
rather high in my opinion. 

I realize this may well be a Debian specific question, but does
spamassassin 3.3.2-2~bpo60+1 have any performance related dependencies
on other packages? Currently, Perl is 5.10.1-17squeeze4. 

Regards, S 

-- 
"I decided that I was a lemon for a couple of weeks. I kept myself amused
all that time jumping in and out of a gin and tonic."
simon@klunky .co.uk / .org
 

Re: sa-learn " splice() offset past end of array at /usr/share/perl5/Mail/SpamAssassin/HTML.pm line 492 and 502.

2013-02-27 Thread Simon Loewenthal


Mark Martinec  wrote:

>Simon Loewenthal wrote:
>> > Just noticed sa-learn kick up a fuss with some files fed into
>> > it from a user's HAM directory in a dovecot directory.
>> > 
>> > I put a copy of
>> > the ham on http://pastebin.com/MLEhYsG7
>> 
>> Could you go to the SpamAssassin bugzilla and open a bug for this,
>and
>> attach the sample?
>
>Looks like a Bug 6468, fixed with 3.3.2 I believe:
>
>  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6468
>  Bug 6468 - splice() offset past end of array in HTML.pm
>
>
>Mark


I had better upgrade.


sa-learn " splice() offset past end of array at /usr/share/perl5/Mail/SpamAssassin/HTML.pm line 492 and 502.

2013-02-27 Thread Simon Loewenthal
 

Hi, 

 Just notcied sa-learn kick up a fuss with some files fed into
it from a user's HAM directory in a dovecot directory. 

I put a copy of
the ham on http://pastebin.com/MLEhYsG7

splice() offset past end of
array at /usr/share/perl5/Mail/SpamAssassin/HTML.pm line 492.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
splice() offset
past end of array at /usr/share/perl5/Mail/SpamAssassin/HTML.pm line
492.
Use of uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
splice() offset
past end of array at /usr/share/perl5/Mail/SpamAssassin/HTML.pm line
492.
Use of uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
splice() offset
past end of array at /usr/share/perl5/Mail/SpamAssassin/HTML.pm line
492.
Use of uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
splice() offset
past end of array at /usr/share/perl5/Mail/SpamAssassin/HTML.pm line
492.
Use of uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Use of
uninitialized value within @rgb in sprintf at
/usr/share/perl5/Mail/SpamAssassin/HTML.pm line 502.
Learned tokens from
0 message(s) (1 message(s) examined)

Note that due to the content, the email has had to be heavily redacted.
All content has been replaced with the words "content removed" or similar,
but all formatting (including smilies and punctuation) has been unaltered.
The IP addresses and message IDs have had to be changed into something
that has obviously been changed.

/usr/share/perl5/Mail/SpamAssassin/HTML.pm, lines 492 and 502:

      elsif ($name eq 'style') {
        $new{style} = $attr->{style};
        my @parts = split(/;/, $new{style});
        foreach (@parts) {
          if (/^\s*(background-)?color:\s*(.+)\s*$/i) {
            my $whcolor = $1 ? 'bgcolor' : 'fgcolor';
            my $value = lc $2;

            if ($value =~ /rgb/) {
              $value =~ tr/0-9,//cd;
              my @rgb = split(/,/, $value);
              splice @rgb, 3;               # line 492: warns when @rgb holds fewer than 3 elements
              for (my $i = 0; $i < 3; $i++) {
                if (!defined $rgb[$i]) {
                  $_ = 0;                   # assigns to $_, so $rgb[$i] stays undefined
                }
                elsif ($rgb[$i] > 255) {
                  $rgb[$i] = 255;
                }
              }

              $new{$whcolor} = sprintf("#%02x%02x%02x", @rgb);   # line 502: undefined elements warn here
            }
            else {
              $new{$whcolor} = name_to_rgb($value);
            }
          }
          elsif (/^\s*([a-z_-]+)\s*:\s*(\S.*?)\s*$/i) {
            # "display: none", "visibility: hidden", etc.
            $new{'style_'.$1} = $2;
          }
        }
      }

sa-learn still exits with a zero. 

Does anyone know what may have tripped this up? Is it a bug, or some
strange formatting in the email message?

Not a big deal for me, but perhaps interesting for
someone else. (/shrug) :D 

Cheers, Simon. 

-- 
"I decided that I was a
lemon for a couple of weeks. I kept myself amused all that time jumping
in and out of a gin and tonic."
simon@klunky .co.uk / .org
 

Re: White Text Rule

2013-02-05 Thread Simon Loewenthal
 

Hi Mark, 

Maybe this works. I stole it from someone who posted here.

# HTML - White text on a white background. What is the point?
rawbody HTML_TEXT_WHITE_SHORT /style=.color:\s*#FFF;/i
describe HTML_TEXT_WHITE_SHORT White html txt on white bg
score HTML_TEXT_WHITE_SHORT 0.1

Simon 

---
"I decided that I was a lemon
for a couple of weeks. I kept myself amused all that time jumping in and
out of a gin and tonic."
simon@klunky .co.uk / .org

On 2013-02-05
16:17, Marc Perkel wrote: 

> Is there some sort of rule to catch white text on white background to
> hide text? Seems like there should be.
>
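The HTML.pm excerpt in the sa-learn message further up and the white-text rule in this one meet in the same place: both depend on how a colour value in a style attribute is parsed. The block below is an added example, not SpamAssassin code or anything from either poster. It ports the rgb() branch quoted from HTML.pm to Python with the quoted loop's behaviour preserved (the warnings Perl prints are collected instead), puts a hardened version beside it, and then uses that normalisation for a white-on-white check that catches "#fff", "white" and "rgb(255,255,255)" as well as the literal "#FFF" a single regex sees. The colour-name table, the literal-match regex, the sample HTML and all function names are my own constructions.

```python
import re

# Added example (not SpamAssassin code).  rgb_to_hex_as_posted ports the
# rgb() branch quoted from HTML.pm with its behaviour preserved;
# rgb_to_hex_hardened is the fixed form; white_on_white uses the
# normalisation to find white-on-white text beyond a literal "#FFF".
# All HTML/CSS strings below are constructed samples.

def _components(value):
    """tr/0-9,//cd then split on commas, as the excerpt does.
    Empty fields are dropped (a simplification of Perl's split)."""
    digits = re.sub(r"[^0-9,]", "", value)
    return [int(p) for p in digits.split(",") if p]

def rgb_to_hex_as_posted(value):
    """Mirror of the quoted loop.  Returns (hex, warnings): Perl prints
    these warnings and then formats an undefined slot as 0."""
    rgb, warnings = _components(value), []
    if len(rgb) < 3:                  # splice @rgb, 3 with offset past the end
        warnings.append("splice() offset past end of array")
    rgb = rgb[:3]
    for i in range(3):
        if i >= len(rgb):             # !defined $rgb[$i]
            _ = 0                     # posted code sets $_; @rgb is untouched
        elif rgb[i] > 255:
            rgb[i] = 255
    padded = []
    for i in range(3):                # sprintf("#%02x%02x%02x", @rgb)
        if i < len(rgb):
            padded.append(rgb[i])
        else:
            warnings.append("Use of uninitialized value within @rgb in sprintf")
            padded.append(0)
    return "#%02x%02x%02x" % tuple(padded), warnings

def rgb_to_hex_hardened(value):
    """Same conversion, but missing components default to 0 and values
    are clamped, so exactly three integers reach the format string."""
    rgb = [min(c, 255) for c in _components(value)[:3]]
    rgb += [0] * (3 - len(rgb))
    return "#%02x%02x%02x" % tuple(rgb)

NAMED_COLOURS = {"white": "#ffffff", "black": "#000000"}  # assumed subset

def css_color_to_hex(value):
    """Normalise #rgb, #rrggbb, rgb(...) or a known name to lowercase #rrggbb."""
    v = value.strip().lower()
    if v in NAMED_COLOURS:
        return NAMED_COLOURS[v]
    if "rgb" in v:
        return rgb_to_hex_hardened(v)
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if not m:
        return None
    h = m.group(1)
    return "#" + ("".join(c * 2 for c in h) if len(h) == 3 else h)

STYLE_ATTR = re.compile(r"""style\s*=\s*["']([^"']*)["']""", re.I)
COLOR_DECL = re.compile(r"\s*(background-)?color\s*:\s*(.+?)\s*$", re.I)

def white_on_white(html, page_bg="#ffffff"):
    """Count style attributes whose text colour equals the effective
    background (the element's own background-color if declared,
    otherwise page_bg)."""
    hits = 0
    for style in STYLE_ATTR.findall(html):
        fg, bg = None, page_bg
        for decl in style.split(";"):
            m = COLOR_DECL.match(decl)
            if not m:
                continue
            colour = css_color_to_hex(m.group(2))
            if m.group(1):
                bg = colour or bg
            else:
                fg = colour
        if fg is not None and fg == bg:
            hits += 1
    return hits

# A literal-match rule in the shape of the posted one, for comparison.
LITERAL_RULE = re.compile(r"style=.color:\s*#FFF;", re.I)

SAMPLE_HTML = """
<p style="color:#FFF;">hidden</p>
<span style="color: white">hidden too</span>
<div style="background-color:#000; color:rgb(255,255,255)">on black</div>
<p style="COLOR:rgb(255, 255, 255)">hidden</p>
<p style="color:#000">visible</p>
"""

if __name__ == "__main__":
    for v in ("rgb(300,-5,20)", "rgb(255)", "rgb()"):
        print(v, rgb_to_hex_as_posted(v), rgb_to_hex_hardened(v))
    print("literal rule hits:", len(LITERAL_RULE.findall(SAMPLE_HTML)))
    print("white-on-white elements:", white_on_white(SAMPLE_HTML))
```

Feeding "rgb()" (a value that matches /rgb/ but carries no digits) to the ported loop produces one splice warning followed by three sprintf warnings, which is exactly the group repeated in the log above; "rgb(255)" produces a splice warning and two. The literal regex hits one of the four hidden elements in the sample, the normalising check hits all three that really are white on white and leaves the white-on-black one alone.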
 

Re: Question about rule: 2.0 DEAR_SOMETHING BODY: Contains 'Dear (something)'

2012-10-25 Thread Simon Loewenthal


dar...@chaosreigns.com wrote:
>
>But more importantly, it's because we do not have have the rule
>hit statistics from your email ..

Which has been on my personal backlog for over a year. (It is self-serving & 
should have a higher priority thus) .


Re: Question about rule: 2.0 DEAR_SOMETHING BODY: Contains 'Dear (something)'

2012-10-25 Thread Simon Loewenthal
Except for formal letters to administrative addresses.
Dear Bob was a frivolous and incorrect example. It is really Sir/Madam.

As Alex noted, I could score it lower, but am concerned about the overall effect.
I'll test first.

Cheers.

RW  wrote:

>On Thu, 25 Oct 2012 16:47:20 +0200
>Simon Loewenthal wrote:
>
>> 
>> Evening all,
>> 
>> A great majority of our ham starts with Dear Sir/ Dear Madam / Dear
>> Bob.
>> 
>> Therefore I've always wondered why this is scored so highly: 
>> 
>> *  2.0 DEAR_SOMETHING BODY: Contains 'Dear (something)'
>> 
>> 
>> Does anyone know the rationale behind this, or is our user base simply
>> communicating on a higher level?  :)  I imagine the rationale is
>> sound, but I do not know what it is.
>> 
>> 
>
>The test is
>
>/\bDear (?:IT\W|Internet|candidate|sirs?|madam|investor|travell?er|car shopper|web)\b/i
>
>So it won't hit Dear Bob, but will hit Dear Sir etc. It seems
>reasonable, they're all forms of address that typically wouldn't be
>used if the recipient's name were known to the sender.



Question about rule: 2.0 DEAR_SOMETHING BODY: Contains 'Dear (something)'

2012-10-25 Thread Simon Loewenthal

Evening all,

A great majority of our ham starts with Dear Sir/ Dear Madam / Dear Bob.

Therefore I've always wondered why this is scored so highly: 

*  2.0 DEAR_SOMETHING BODY: Contains 'Dear (something)'


Does anyone know the rationale behind this, or is our user base simply 
communicating on a higher level?  :)  I imagine the rationale is sound, but I do 
not know what it is.


Cheers, S

-- 
 PGP is optional: 4BA78604
I won't accept your confidentiality
agreement, and your Emails are mine.
   ~Ö¿Ö~



Re: Academic interested in interviewing you for research paper.

2012-08-18 Thread Simon Loewenthal


>... for their own protection.
What do we need protection from?

s
--
Dogs are tough. 
I've been interrogating this one for hours and he still won't tell me who's a 
good boy. 
  simon@klunky / .co.uk / .org

jonathonb  wrote:

>Hi All,
>
>Some interesting responses already. Michael is correct: the ethics board
>of my university generally prefer us to keep contributors anonymous, for
>their own protection. However, should anybody wish to be named and/or
>officially acknowledged then I will be more than happy to do so. However
>the community itself, 'spam assassin', will have to be under a pseudonym
>to protect any contributors who have not 'opted in' to being named. 
>
>Michael has very kindly offered to be interviewed. Are there any other
>takers?
>
>If a skype interview is a little too much, how about a quick Email
>survey? 
>
>Jonathon Bell 
>
>
>
>--
>View this message in context:
>http://spamassassin.1065346.n5.nabble.com/Academic-interested-in-interviewing-you-for-research-paper-tp101241p101262.html
>Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: spamassassin bayesian training on foreign characters

2012-07-24 Thread Simon Loewenthal
Hi

   I have Bayes correctly scoring BAYES_99 on Dutch and French straight out of 
the box. No problems.
--
Dogs are tough. 
I've been interrogating this one for hours and he still won't tell me who's a 
good boy. 
  simon@klunky / .co.uk / .org

John Hardin  wrote:

>On Mon, 23 Jul 2012, David Kentwood wrote:
>
>> Hello,
>>
>> I get a lot of foreign spams (eg. chinese, russian, etc) and am
>thinking of
>> training spamassassin to identify such spams. My questions are:
>>
>> 1) can a stock install of spamassassin recognize foreign characters
>without
>> special configurations?
>
>Yes.
>
>> 2) how well does Bayesian training work on foreign spams?
>
>Quite well here. I have trained it on chinese, portuguese and spanish
>and 
>it always hits BAYES_99 on such.
>
>> Thanks for any advice on this matter.
>
>There shouldn't be anything special about the language w/r/t bayes.



Re: Where the spams are stored

2012-04-13 Thread Simon Loewenthal
Hi,

SA does not store spam. It scans it. It is up to you to decide what to do with 
it.

I send mine to Dovecot for delivery to the users' mailboxes.

S
--
Dogs are tough. 
I've been interrogating this one for hours and he still won't tell me who's a 
good boy. 
  simon@klunky / .co.uk / .org

Ysahel  wrote:

>
>I use Ubuntu 11.10, and I need to know 
>
>1/ where are the spams tagged by spamassassin stored?
>
>2/ what is the type of file of spam stored ( textual or binary )
>
>thank you very much in advance !!  



Re: Mail::SpamAssassin::Plugin::SpamCop

2012-04-11 Thread Simon Loewenthal
On 04/12/2012 12:58 AM, Benny Pedersen wrote:
> Den 2012-04-11 15:37, Simon Loewenthal skrev:
>
>> Partially answered.
>> # spamassassin --lint
>> Apr 11 15:35:06.700 [24545] warn: config: failed to parse line,
>> skipping, in "/etc/spamassassin/local.cf": auto_report_threshold 30
>> Was it replaced by something else, or simply superseded?
>
> is spamcop plugin even loaded ?
>
> spamcop.pm is open source btw :)
>
>
# grep -i spamcop v310.pre
# SpamCop - perform SpamCop message reporting
loadplugin Mail::SpamAssassin::Plugin::SpamCop

# -D --lint
Apr 12 01:26:54.403 [17560] dbg: plugin: loading
Mail::SpamAssassin::Plugin::SpamCop from @INC
Apr 12 01:26:54.405 [17560] dbg: reporter: local tests only, disabling
SpamCop

Yup.  Looks like it.


Re: Mail::SpamAssassin::Plugin::SpamCop

2012-04-11 Thread Simon Loewenthal
On 11/04/12 15:30, Simon Loewenthal wrote:
> Hi,
>
> Are these options still valid for
> Mail::SpamAssassin::Plugin::SpamCop settings in the local.cf
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_SpamCop.html
>
> (from spamcop.net http://spamcop.net/fom-serve/cache/331.html ).
> *It is recommended the default settings in SpamAssassin be:
>
> * required_hits 10
> * auto_report_threshold 30
> * use_terse_report 1
> * defang_mime 0
> * spam_level_stars 0*
>
>
> I did not see any docs about auto_report_threshold.  What does the value
> mean (other than a numeric number)?
>
> Cheers, S
>
Partially answered.
# spamassassin --lint
Apr 11 15:35:06.700 [24545] warn: config: failed to parse line,
skipping, in "/etc/spamassassin/local.cf": auto_report_threshold 30
Was it replaced by something else, or simply superseded?


Mail::SpamAssassin::Plugin::SpamCop

2012-04-11 Thread Simon Loewenthal
Hi,

Are these options still valid for
Mail::SpamAssassin::Plugin::SpamCop settings in the local.cf
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_SpamCop.html

(from spamcop.net http://spamcop.net/fom-serve/cache/331.html ).
*It is recommended the default settings in SpamAssassin be:

* required_hits 10
* auto_report_threshold 30
* use_terse_report 1
* defang_mime 0
* spam_level_stars 0*


I did not see any docs about auto_report_threshold.  What does the value
mean (other than a numeric number)?

Cheers, S



Re: Quick question about enabling a private rules in the local.cf

2012-03-26 Thread Simon Loewenthal
Hi,

Still lost with this so I created a simple rule in the local.cf
(spamassassin --lint && restart done):

describe MYTEST mytest
body MYTEST /cdromland/
score MYTEST 0.1


I added this single word to a file named aaa:
cdromland

# spamc -y -R 
> # spamc -y -R < 20120323.spam
> http://pastebin.com/kVFn71B3
>
> Full email with headers via spamassassin -t . Slightly redacted:
> http://pastebin.com/HFmWfZa6
>
>
> On 23/03/12 13:59, Banyan He wrote:
>> 60.Mar 23 10:39:43.265 [28017] dbg: config: read file
>> /etc/spamassassin/local.cf
>> 61.Mar 23 10:39:43.428 [28017] dbg: config: read file
>> /etc/spamassassin/malware.blocklist.cf
>> 62.Mar 23 10:39:43.491 [28017] dbg: config: read file
>> /etc/spamassassin/sql.cf
>>
>> Seems it does load the config file you customized. How about the spamc
>> run?
>>
>> spamc -y -R < /path/to/sampler
>>
>> What did you see here then?
>>
>> ----
>> Banyan He
>> Blog: http://www.rootong.com
>> Email: ban...@rootong.com
>>
>>
>> On 2012-03-23 8:49 PM, Simon Loewenthal wrote:
>>> Indeed I certainly can.
>>>
>>> http://pastebin.com/c2an4irw
>>>
>>> On 23/03/12 13:44, Banyan He wrote:
>>>> Maybe you can share with us the debug output for the second thought in
>>>> this case, Simon.
>>>>
>>>> Best regards,
>>>>
>>>> 
>>>> Banyan He
>>>> Blog: http://www.rootong.com
>>>> Email: ban...@rootong.com
>>>>
>>>>
>>>> On 2012-03-23 5:48 PM, Simon Loewenthal wrote:
>>>>> Hi there everyone,
>>>>>
>>>>> I have many custom rules defined in the local.cf shown below. I
>>>>> checked spamassassin -D --lint, and did not find any reference to it.
>>>>> Neither were any error messages reported.
>>>>>
>>>>> An example is this private black list:-
>>>>>
>>>>> describe RBODY_PDOMAINS1 private blacklist of domain names strings
>>>>> rawbody RBODY_PDOMAINS1
>>>>> /\@(?:axeabout|career-lists|careers-consult|eur-exlusive|europe-career|europ-exlusive|it-jobsearch\.com|uk-exlusive|tech-newposition|new-joboffers|joblists|web-newcarer|world-jobsearch|gb-totaljob|simple-jobneed|sprytex-it|europjobs\.eu|businesinsiders\.com|sucabikes\.com\.ar|mpe-export\.com|eceurop\.com|cdromland\.nl|buyshield\.com)/
>>>>>
>>>>>
>>>>> score RBODY_PDOMAINS1 5.0
>>>>>
>>>>> SA version is 3.3.1-1 running on Debian Squeeze.
>>>>>
>>>>> Something ought to have changed, because I swear these custom rules
>>>>> worked last month.
>>>>>
>>>>> Regards, Simon
>>>>>
>>>>>
>


-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: Quick question about enabling a private rules in the local.cf

2012-03-23 Thread Simon Loewenthal


# spamc -y -R < 20120323.spam
http://pastebin.com/kVFn71B3

Full email with headers via spamassassin -t . Slightly redacted:
http://pastebin.com/HFmWfZa6


On 23/03/12 13:59, Banyan He wrote:
> 60.Mar 23 10:39:43.265 [28017] dbg: config: read file
> /etc/spamassassin/local.cf
> 61.Mar 23 10:39:43.428 [28017] dbg: config: read file
> /etc/spamassassin/malware.blocklist.cf
> 62.Mar 23 10:39:43.491 [28017] dbg: config: read file
> /etc/spamassassin/sql.cf
>
> Seems it does load the config file you customized. How about the spamc
> run?
>
> spamc -y -R < /path/to/sampler
>
> What did you see here then?
>
> 
> Banyan He
> Blog: http://www.rootong.com
> Email: ban...@rootong.com
>
>
> On 2012-03-23 8:49 PM, Simon Loewenthal wrote:
>> Indeed I certainly can.
>>
>> http://pastebin.com/c2an4irw
>>
>> On 23/03/12 13:44, Banyan He wrote:
>>> Maybe you can share with us the debug output for the second thought in
>>> this case, Simon.
>>>
>>> Best regards,
>>>
>>> 
>>> Banyan He
>>> Blog: http://www.rootong.com
>>> Email: ban...@rootong.com
>>>
>>>
>>> On 2012-03-23 5:48 PM, Simon Loewenthal wrote:
>>>> Hi there everyone,
>>>>
>>>> I have many custom rules defined in the local.cf shown below. I
>>>> checked spamassassin -D --lint, and did not find any reference to it.
>>>> Neither were any error messages reported.
>>>>
>>>> An example is this private black list:-
>>>>
>>>> describe RBODY_PDOMAINS1 private blacklist of domain names strings
>>>> rawbody RBODY_PDOMAINS1
>>>> /\@(?:axeabout|career-lists|careers-consult|eur-exlusive|europe-career|europ-exlusive|it-jobsearch\.com|uk-exlusive|tech-newposition|new-joboffers|joblists|web-newcarer|world-jobsearch|gb-totaljob|simple-jobneed|sprytex-it|europjobs\.eu|businesinsiders\.com|sucabikes\.com\.ar|mpe-export\.com|eceurop\.com|cdromland\.nl|buyshield\.com)/
>>>>
>>>>
>>>> score RBODY_PDOMAINS1 5.0
>>>>
>>>> SA version is 3.3.1-1 running on Debian Squeeze.
>>>>
>>>> Something ought to have changed, because I swear these custom rules
>>>> worked last month.
>>>>
>>>> Regards, Simon
>>>>
>>>>


-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: Quick question about enabling a private rules in the local.cf

2012-03-23 Thread Simon Loewenthal
Indeed I certainly can.

http://pastebin.com/c2an4irw

On 23/03/12 13:44, Banyan He wrote:
> Maybe you can share with us the debug output for the second thought in
> this case, Simon.
>
> Best regards,
>
> 
> Banyan He
> Blog: http://www.rootong.com
> Email: ban...@rootong.com
>
>
> On 2012-03-23 5:48 PM, Simon Loewenthal wrote:
>> Hi there everyone,
>>
>> I have many custom rules defined in the local.cf shown below. I
>> checked spamassassin -D --lint, and did not find any reference to it.
>> Neither were any error messages reported.
>>
>> An example is this private black list:-
>>
>> describe RBODY_PDOMAINS1 private blacklist of domain names strings
>> rawbody RBODY_PDOMAINS1
>> /\@(?:axeabout|career-lists|careers-consult|eur-exlusive|europe-career|europ-exlusive|it-jobsearch\.com|uk-exlusive|tech-newposition|new-joboffers|joblists|web-newcarer|world-jobsearch|gb-totaljob|simple-jobneed|sprytex-it|europjobs\.eu|businesinsiders\.com|sucabikes\.com\.ar|mpe-export\.com|eceurop\.com|cdromland\.nl|buyshield\.com)/
>>
>> score RBODY_PDOMAINS1 5.0
>>
>> SA version is 3.3.1-1 running on Debian Squeeze.
>>
>> Something ought to have changed, because I swear these custom rules
>> worked last month.
>>
>> Regards, Simon
>>
>>

-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Quick question about enabling a private rules in the local.cf

2012-03-23 Thread Simon Loewenthal

Hi there everyone,

I have many custom rules defined in the local.cf shown below.  I
checked spamassassin -D --lint, and did not find any reference to it.
Neither were any error messages reported.  

An example is this private black list:-

describe RBODY_PDOMAINS1 private blacklist of domain names strings
rawbody RBODY_PDOMAINS1
/\@(?:axeabout|career-lists|careers-consult|eur-exlusive|europe-career|europ-exlusive|it-jobsearch\.com|uk-exlusive|tech-newposition|new-joboffers|joblists|web-newcarer|world-jobsearch|gb-totaljob|simple-jobneed|sprytex-it|europjobs\.eu|businesinsiders\.com|sucabikes\.com\.ar|mpe-export\.com|eceurop\.com|cdromland\.nl|buyshield\.com)/
score RBODY_PDOMAINS1 5.0

SA version is 3.3.1-1 running on Debian Squeeze.

Something ought to have changed, because I swear these custom rules
worked last month.

Regards, Simon


-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: Better phish detection

2012-03-12 Thread Simon Loewenthal
Paul Russell  wrote:

>On 3/12/2012 12:58, Simon Loewenthal wrote:
>> 
>>  At first glance:
>> This is a private black list of email addresses maintained by many.  Free
>to use, but it'll turn into a huge file for a server to parse.
>> 
>>  Eventually we moved from hosts files to DNS :)
>> 
>>  I should rather block content not email addresses. 
>
>The list was originally started by a group of email administrators in
>higher education who 
>were attempting to deal with an epidemic of compromised accounts that
>were being exploited 
>to send password phishing spam, mostly to addresses at other colleges
>and universities. At 
>that point in time, it was easier to filter by sender address or
>reply-to address than 
>content. Over time, the phishers seem to have expanded the target
>demographic to include 
>everyone everywhere.

The list could be accessed by DNS and used as an rbl. 
--
Dogs are tough. 
I've been interrogating this one for hours and he still won't tell me who's a 
good boy. 
  simon@klunky / .co.uk / .org


Re: Better phish detection

2012-03-12 Thread Simon Loewenthal
"David F. Skoll"  wrote:

>Hi,
>
>I've been following this thread... not sure how many of you are aware
>of
>this project:
>
>http://code.google.com/p/anti-phishing-email-reply/
>
>We use the phishing address list and it does catch a few things.  We
>don't yet use the phishing URL list, but it looks like it might help.
>
>Naturally, this list is reactive, but if enough people used it and
>contributed to it, the results might be pretty good.
>
>Regards,
>
>David.

 At first glance:
This is a private black list of email addresses maintained by many.  Free to use, 
but it'll turn into a huge file for a server to parse.

 Eventually we moved from hosts files to DNS :)

 I should rather block content not email addresses. 


Re: Spamassassin detect my mails as spam

2012-03-09 Thread Simon Loewenthal
On 09/03/12 11:29, FC Mario Patty wrote:
> I'm sorry for not giving full information before.
>
> We set our mail server to use SMTP with TLS (port 587) and the
> outgoing server (of the mail client on android smart phone) as our
> server itself (in other words, not relaying through the provider
> server). Thank you for the suggestion.
>
> Regards,
> Mario
>
>
>
>
> On Fri, Mar 9, 2012 at 4:59 PM, Nick Warr  > wrote:
>
> Il 09/03/2012 10.28, FC Mario Patty ha scritto:
>> Hi, I wonder why spamassassin detects email sent from android to
>> our mail server as spams? I ran spamassassin -D < the_email and
>> got result as below
>>
>> Content analysis details:   (13.8 points, 4.0 required)
>>
>>  pts rule name  description
>>  --
>> --
>>  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
>> bl.spamcop.net 
>>  [Blocked -
>> see ]
>>  2.9 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL
>> 
>> [118.97.95.30 listed in zen.spamhaus.org ]
>>  4.5 HELO_LOCALHOST HELO_LOCALHOST
>>  1.2 SPF_NEUTRALSPF: sender does not match SPF record
>> (neutral)
>>  2.9 TVD_SPACE_RATIOBODY: TVD_SPACE_RATIO
>>  0.1 RDNS_NONE  Delivered to trusted network by a
>> host with no rDNS
>>
>> I checked spamcop.net  and spamhaus.org
>>  and found 118.97.95.30 in both sites and
>> had delisted them, but I guess it was going to happen again. This
>> ip address is legit and just listed there today so I think
>> perhaps email sent this morning has triggered this ip to get
>> listed there (but I'm not sure why?). What can I do let emails
>> from android smart-phone to arrive safely in our mail server?
>> Thank-you in advance.
>>
>> Regards,
>> Mario
> Configure your phone(s) to send directly through your SMTP server,
> via SSL on port 465 (for example), instead of relaying through
> your phone provider's SMTP server.
>
>
Based on a likely incorrect presumption that you use postfix and
spamass-milter to get it done:

Have users send only on submission port (587) or some other port (as you
said you already do) and add/modify these lines in the master.cf

postfix/master.cf:
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject


Add this switch to the spamass-milter start-up options:
-I   Ignores messages if the sender has authenticated via SMTP AUTH.

Or, if not spamass-milter then something else.

Unsure how to do this with spamassassin itself.  Perhaps could disable
spamchecks for authenticated users or at least some RBL lists - can SA
do this?

Although how long until spammers add sasl headers into their spam? :(
Since these are mobile users then internal networks or trusted networks
won't work.


Re: Some rules I created for suspicious Javascript practices

2012-03-06 Thread Simon Loewenthal
Hi,

Were these rules, or an improved variant, added to the rules?


Regards, Simon.

On 16/02/12 01:43, neon_overload wrote:
> Hello,
>
> I have created some rules which I have found to be very effective so far at
> identifying a certain type of spam that spamassassin otherwise cannot
> detect.
>
> Here are the rules:
>
> # highly suspicious practices
> rawbody LOCAL_UNNECESSARY_UNESCAPE /[+=]\s*unescape\s*\(\s*["']%(6[1-9A-F]|7[0-9A])/
> score LOCAL_UNNECESSARY_UNESCAPE 1.7
> rawbody LOCAL_UNNECESSARY_STRCONCAT /[+=]\s*"[a-zA-Z0-9]+"\+"[a-zA-Z0-9]+"/
> score LOCAL_UNNECESSARY_STRCONCAT 0.5
> rawbody LOCAL_HIDE_FROMCHARCODE /=\s*String\.fromCharCode\b/
> score LOCAL_HIDE_FROMCHARCODE 0.7
> rawbody LOCAL_HIDE_URL /"h"\+"tt"\+"p:"\+"\/"/
> score LOCAL_HIDE_URL 0.7
>
> I have noticed a common trend of spam which has base64-encoded HTML
> attachments, highly obfuscated with Javascript generating and concatenating
> links.  The above four rules detect patterns which should only be present in
> Javascript whose intention is to hide its true function (obfuscate itself).
>
> The first rule checks for use of unescape() on constants where the
> characters are just lowercase letters which wouldn't need escaping anyway.
>
> The second checks for unnecessary string concatenation with constant strings
> consisting entirely of letters.  It would match ="asdf"+"jkl" or
> +"asdf"+"jkl".
>
> The third test checks for substituting another name for the function
> String.fromCharCode, which would be common when trying to obfuscate strings
> in Javascript.
>
> The fourth test was just a specific pattern I saw in a lot of spam, but is
> less generic.  It looks for the string "h"+"tt"+"p:"+"/".  This would
> probably need more alteration to be useful in a more general context.
>
> These are unlikely to hit non-spam, even if it contains Javascript, and even
> if it contains minified Javascript.  It is plausible, however, that it may
> generate hits on discussions that are specifically about how to get through
> spam filters, such as a discussion between spammers, or makers of spam
> filters - since these patterns will occur in the context of "how to get
> through spam filters".
>
> Use these as you wish!  I hereby license them under the WTFPL which is GPL
> and Apache license compatible.
>
> Thomas Rutter


-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~
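To see what the four rawbody rules quoted above actually catch, here they are transcribed to Python regexes and run over constructed bodies: an obfuscated HTML-attachment script of the kind Thomas describes, an ordinary minified script, and a sentence that merely talks about the trick (the false-positive case his post itself warns about). This is an added example, not code from the post or from SpamAssassin; the samples are invented, and TIGHTENED_RULES is my own variant of the third rule, included because as posted it also fires on a plain assignment of a fromCharCode() call.

```python
import re

# Added example, not code from the post: the four rawbody rules as Python
# regexes (Perl and Python syntax coincide for these) with the posted scores,
# run over constructed sample bodies.  TIGHTENED_RULES is my own variant of
# the third rule, not something the post proposes.

POSTED_RULES = {
    "LOCAL_UNNECESSARY_UNESCAPE":
        (re.compile(r"""[+=]\s*unescape\s*\(\s*["']%(6[1-9A-F]|7[0-9A])"""), 1.7),
    "LOCAL_UNNECESSARY_STRCONCAT":
        (re.compile(r'[+=]\s*"[a-zA-Z0-9]+"\+"[a-zA-Z0-9]+"'), 0.5),
    "LOCAL_HIDE_FROMCHARCODE":
        (re.compile(r"=\s*String\.fromCharCode\b"), 0.7),
    "LOCAL_HIDE_URL":
        (re.compile(r'"h"\+"tt"\+"p:"\+"/"'), 0.7),
}

# As posted, the fromCharCode rule also fires on an ordinary call whose
# result is assigned, e.g. s=String.fromCharCode(65); this variant only
# fires when the function itself is aliased (assigned without a call).
TIGHTENED_RULES = dict(POSTED_RULES)
TIGHTENED_RULES["LOCAL_HIDE_FROMCHARCODE"] = (
    re.compile(r"=\s*String\.fromCharCode\b(?!\s*\()"), 0.7)

def score(body, rules=POSTED_RULES):
    """Return (total score, sorted names of rules that hit) for one raw body."""
    hits = sorted(name for name, (rx, _) in rules.items() if rx.search(body))
    return round(sum(rules[n][1] for n in hits), 2), hits

# Constructed samples.  OBFUSCATED imitates the HTML-attachment spam the post
# describes; BENIGN is ordinary minified script; DISCUSSION is prose about
# the trick, the false-positive case the post warns about.
OBFUSCATED = r"""
<script>
var u = unescape("%6C%6F%63%61%74%69%6F%6E");
var s = "h"+"tt"+"p:"+"/"+"/"+"exa"+"mple"+".test/";
var f = String.fromCharCode;
document.write(f(60, 97, 62) + s + u);
</script>
"""
BENIGN = r"""
<script>
(function(){var a=document.getElementById("x");a.href="http://example.test/";
var s=String.fromCharCode(65,66);a.textContent=s;})();
</script>
"""
DISCUSSION = 'Spammers split URLs as "h"+"tt"+"p:"+"/" to slip past filters.'

if __name__ == "__main__":
    for name, body in (("obfuscated", OBFUSCATED), ("benign", BENIGN),
                       ("discussion", DISCUSSION)):
        print(name, score(body), "tightened:", score(body, TIGHTENED_RULES))
```

The obfuscated sample trips all four rules for 3.6 points; the benign script collects 0.7 from the posted fromCharCode rule and nothing under the tightened one; the discussion sentence still scores 0.7 from LOCAL_HIDE_URL, which is the limitation the post acknowledges and a reason to keep these scores modest.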



Re: uribl lastminute.com listed in uribl whte and is now used for nordea phisting mails

2012-03-02 Thread Simon Loewenthal
It was a last minute decision.

Jeremy McSpadden  wrote:

>Ha. Nice
>
>
>--
>Jeremy McSpadden
>
>On Mar 2, 2012, at 10:38 AM, "Michael Scheidell"
> wrote:
>
>> On 3/2/12 11:36 AM, Benny Pedersen wrote:
>>> just a note to whom it might concern :)
>>> 
>> phisting?
>> 
>> OUCH.
>> 
>> 
>> -- 
>> Michael Scheidell, CTO
>> o: 561-999-5000
>> d: 561-948-2259
>> >*| *SECNAP Network Security Corporation
>> 
>>   * Best Mobile Solutions Product of 2011
>>   * Best Intrusion Prevention Product
>>   * Hot Company Finalist 2011
>>   * Best Email Security Product
>>   * Certified SNORT Integrator
>> 
>>
>__
>> This email has been scanned and certified safe by SpammerTrap(r). For
>Information please see http://www.spammertrap.com/
>>
>__ 
> 



Re: Bayes now changed to autolearn=unavailable.

2012-02-27 Thread Simon Loewenthal
On 27/02/12 15:29, Simon Loewenthal wrote:
> On 27/02/12 15:24, Simon Loewenthal wrote:
>> On 27/02/12 13:55, RW wrote:
>>> On Mon, 27 Feb 2012 11:48:50 +0100
>>> Simon Loewenthal wrote:
>>>
>>>
>>>> Recently I enabled shortcircuit for ham on a server because Bayes
>>>> seems reasonably well trained. It works well.
>>>>
>>>> I noticed that emails that did not hit BAYES_00 (so no shortcircuit)
>>>> were not autolearnt by SA. Even though these were well below the
>>>> autolearn threshold of -1.
>>>>
>>>> In the example below, the score was -7.8.  Below this, the bayes
>>>> settings in the local.cf are listed.  A score of beneath -1 should
>>>> have been autolearnt. 
>>>>
>>>> No, score=-7.8 required=5.0 tests=DCC_CHECK,RCVD_IN_DNSWL_HI,
>>>> RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,SPF_PASS,T_RP_MATCHES_RCVD,URI_HEX
>>>> shortcircuit=no autolearn=unavailable version=3.3.1
>>>> ...
>>>> Ham that shortcircuits has autolearn=disabled, which makes sense to me
>>>> as it is already in Bayes.
>>> Correctly identified isn't the same as "in Bayes", it's presumably
>>> because it's not considered safe to autolearn on an incomplete set
>>> of rules.
>>>
>>> autolearn=unavailable means that there was some problem with
>>> accessing Bayes - note that there is no BAYES_* hit at all in the test
>>> list, it's not just that it lacks BAYES_00. 
>>>
>>> I think this might be due to an auto-expiry. Try setting 
>>> "bayes_auto_expire 0" and running "sa-learn --force-expire" from
>>> cron in the middle of the night. This is considered best-practice in
>>> any case.
>> BAYES_00 and BAYES_99 hit on other ham/spam without any problem. Only
>> then the result will mention autolearn=disabled instead of
>> autolearn=unavailable.  I don't follow why it would be unavailable for
>> non-shortcircuited emails, but disabled for shortcircuited emails.
>> It has to have accessed the Bayes dB in order to score with
>> BAYES_00/50/99.
>>
>> Best time for me to run sa-learn --force-expire is this evening, as only
>> US time zones are using the server. The main users are in Oceania and
>> the EU.
>>
>> Cheers,
>> S
>>
>> -- 
> Hi RW,
>
> Being impatient, I just ran the autoexpire.  New Email still has the
> same disabled or unavailable message, so no change.
>
> # /etc/init.d/spamassassin restart
> Restarting SpamAssassin Mail Filter Daemon: spamd.
> # sa-learn  --force-expire
> # sa-learn  --force-expire --username=spamd  (did it with the
> username=spamd specified as I forgot above)
> #
> # sa-learn --dump magic
> 0.000          0          3          0  non-token data: bayes db version
> 0.000          0       1555          0  non-token data: nspam
> 0.000          0      14622          0  non-token data: nham
> 0.000          0     527466          0  non-token data: ntokens
> 0.000          0 1308090923          0  non-token data: oldest atime
> 0.000          0 1330350454          0  non-token data: newest atime
> 0.000          0          0          0  non-token data: last journal sync atime
> 0.000          0 1330352706          0  non-token data: last expiry atime
> 0.000          0   22118400          0  non-token data: last expire atime delta
> 0.000          0       1041          0  non-token data: last expire reduction count
>
I just noticed that something came through and was learnt :)

No, score=-6.9 required=5.0 tests=BAYES_00,HTML_MESSAGE,
RCVD_IN_DNSWL_HI,SPF_HELO_PASS,SPF_PASS,T_FRT_COCK,T_KHOP_FOREIGN_CLICK,
T_REMOTE_IMAGE,T_RP_MATCHES_RCVD shortcircuit=no autolearn=ham version=3.3.1

Fantastic.

-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~
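RW's diagnostic in this thread is a header-reading one: autolearn=unavailable on its own says little, but autolearn=unavailable together with no BAYES_* test in the list means Bayes produced no verdict at all for that scan. The block below is an added example, not SpamAssassin code, that parses the "No, score=... tests=... shortcircuit=... autolearn=..." summary quoted above (folded across lines as mail headers are) and applies that check, so the same test can be run over a day's worth of such lines pulled from a log. The first two samples are reconstructed from the lines quoted in this thread; the third, a short-circuited ham, is invented for the example, as is the diagnosis vocabulary.

```python
import re
from collections import Counter

# Added example (not SpamAssassin code): parse the score summary quoted in
# this thread, i.e. the X-Spam-Status value "No, score=... required=...
# tests=... shortcircuit=... autolearn=... version=...", and apply RW's
# check that autolearn=unavailable with *no* BAYES_* hit means Bayes was
# not consulted.  The first two samples follow the lines quoted above;
# the third (a shortcircuited ham) is invented for the example.

SAMPLE_STATUS = [
    """No, score=-7.8 required=5.0 tests=DCC_CHECK,RCVD_IN_DNSWL_HI,
    RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,SPF_PASS,T_RP_MATCHES_RCVD,URI_HEX
    shortcircuit=no autolearn=unavailable version=3.3.1""",
    """No, score=-6.9 required=5.0 tests=BAYES_00,HTML_MESSAGE,
    RCVD_IN_DNSWL_HI,SPF_HELO_PASS,SPF_PASS,T_FRT_COCK,T_KHOP_FOREIGN_CLICK,
    T_REMOTE_IMAGE,T_RP_MATCHES_RCVD shortcircuit=no autolearn=ham version=3.3.1""",
    """No, score=-100.0 required=5.0 tests=BAYES_00
    shortcircuit=ham autolearn=disabled version=3.3.1""",
]

def parse_status(value):
    """Parse one (possibly folded) X-Spam-Status value into a dict.

    Folding leaves whitespace after the commas of the tests list, so the
    whitespace is collapsed first and the key=value pairs read afterwards.
    """
    flat = re.sub(r",\s+", ",", " ".join(value.split()))
    fields = dict(re.findall(r"(\w+)=(\S+)", flat))
    return {
        "spam": flat.startswith("Yes"),
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": [t for t in fields.get("tests", "").split(",") if t],
        "shortcircuit": fields.get("shortcircuit", "no"),
        "autolearn": fields.get("autolearn"),
        "version": fields.get("version"),
    }

def bayes_diagnosis(status):
    """Classify what one summary says about Bayes for that message."""
    bayes_hits = [t for t in status["tests"] if t.startswith("BAYES_")]
    autolearn = status["autolearn"]
    if autolearn == "unavailable" and not bayes_hits:
        # No Bayes verdict and no learning: the db was not usable for
        # this scan (RW's reading of the first sample above).
        return "bayes-unavailable"
    if status["shortcircuit"] != "no":
        # Not all rules ran, so the result is not used for autolearning.
        return "shortcircuited"
    if autolearn in ("ham", "spam"):
        return "learned-" + autolearn
    return "not-learned"

def summarize(values):
    """Tally diagnoses over many summaries, e.g. grepped from a mail log."""
    return dict(Counter(bayes_diagnosis(parse_status(v)) for v in values))

if __name__ == "__main__":
    for v in SAMPLE_STATUS:
        s = parse_status(v)
        print(s["score"], s["autolearn"], bayes_diagnosis(s))
    print(summarize(SAMPLE_STATUS))
```

Run over a log, a tally dominated by "bayes-unavailable" for a stretch of time is the signal to look for: it localises when the database was unreachable (an expiry run, a lock, a permissions change) rather than leaving the impression that individual messages were merely not learnt.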



Re: Bayes now changed to autolearn=unavailable.

2012-02-27 Thread Simon Loewenthal
On 27/02/12 15:24, Simon Loewenthal wrote:
> On 27/02/12 13:55, RW wrote:
>> On Mon, 27 Feb 2012 11:48:50 +0100
>> Simon Loewenthal wrote:
>>
>>
>>> Recently I enabled shortcircuit for ham on a server because Bayes
>>> seems reasonably well trained. It works well.
>>>
>>> I noticed that emails that did not hit BAYES_00 (so no shortcircuit)
>>> were not autolearnt by SA. Even though these were well below the
>>> autolearn threshold of -1.
>>>
>>> In the example below, the score was -7.8.  Below this, the bayes
>>> settings in the local.cf are listed.  A score of beneath -1 should
>>> have been autolearnt. 
>>>
>>> No, score=-7.8 required=5.0 tests=DCC_CHECK,RCVD_IN_DNSWL_HI,
>>> RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,SPF_PASS,T_RP_MATCHES_RCVD,URI_HEX
>>> shortcircuit=no autolearn=unavailable version=3.3.1
>>> ...
>>> Ham that shortcircuits has autolearn=disabled, which makes sense to me
>>> as it is already in Bayes.
>> Correctly identified isn't the same as "in Bayes", it's presumably
>> because it's not considered safe to autolearn on an incomplete set
>> of rules.
>>
>> autolearn=unavailable means that there was some problem with
>> accessing Bayes - note that there is no BAYES_* hit at all in the test
>> list, it's not just that it lacks BAYES_00. 
>>
>> I think this might be due to an auto-expiry. Try setting 
>> "bayes_auto_expire 0" and running "sa-learn --force-expire" from
>> cron in the middle of the night. This is considered best-practice in
>> any case.
> BAYES_00 and BAYES_99 hit on other ham/spam without any problem. Only
> then the result will mention autolearn=disabled instead of
> autolearn=unavailable.  I don't follow why it would be unavailable for
> non-shortcircuited emails, but disabled for shortcircuited emails.
> It has to have accessed the Bayes dB in order to score with
> BAYES_00/50/99.
>
> Best time for me to run sa-learn --force-expire is this evening, as only
> US time zones are using the server. The main users are in Oceania and
> the EU.
>
> Cheers,
> S
>
> -- 
Hi RW,

Being impatient, I just ran the autoexpire.  New Email still has the
same disabled or unavailable message, so no change.

# /etc/init.d/spamassassin restart
Restarting SpamAssassin Mail Filter Daemon: spamd.
# sa-learn  --force-expire
# sa-learn  --force-expire --username=spamd  (did it with the
username=spamd specified as I forgot above)
#
# sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       1555          0  non-token data: nspam
0.000          0      14622          0  non-token data: nham
0.000          0     527466          0  non-token data: ntokens
0.000          0 1308090923          0  non-token data: oldest atime
0.000          0 1330350454          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1330352706          0  non-token data: last expiry atime
0.000          0   22118400          0  non-token data: last expire atime delta
0.000          0       1041          0  non-token data: last expire reduction count



Re: Bayes now changed to autolearn=unavailable.

2012-02-27 Thread Simon Loewenthal
On 27/02/12 13:55, RW wrote:
> On Mon, 27 Feb 2012 11:48:50 +0100
> Simon Loewenthal wrote:
>
>
>> Recently I enabled shortcircuit for ham on a server because Bayes
>> seems reasonably well trained. It works well.
>>
>> I noticed that emails that did not hit BAYES_00 (so no shortcircuit)
>> were not autolearnt by SA. Even though these were well below the
>> autolearn threshold of -1.
>>
>> In the example below, the score was -7.8.  Below this, the bayes
>> settings in the local.cf are listed.  A score of beneath -1 should
>> have been autolearnt. 
>>
>> No, score=-7.8 required=5.0 tests=DCC_CHECK,RCVD_IN_DNSWL_HI,
>> RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,SPF_PASS,T_RP_MATCHES_RCVD,URI_HEX
>> shortcircuit=no autolearn=unavailable version=3.3.1
>> ...
>> Ham that shortcircuits has autolearn=disabled, which makes sense to me
>> as it is already in Bayes.
> Correctly identified isn't the same as "in Bayes", it's presumably
> because its not considered safe to autolearn on a incomplete set
> of rules.
>
> autolearn=unavailable means that there was some problem with
> accessing Bayes - note that there is no BAYES_* hit at all in the test
> list, it's not just that it lacks BAYES_00. 
>
> I think this might be due to an auto-expiry. Try setting 
> "bayes_auto_expire  0"and running "sa-learn  --force-expire"  from
> cron in the middle of the night. This is considered best-practice in
> any case.
BAYES_00 and BAYES_99 hit on other ham/spam without any problem. Only
then the result will mention autolearn=disabled instead of
autolearn=unavailable.  I don't follow why it would be unavailable for
non-shortcircuited emails, but disabled for shortcircuited emails.
It has to have accessed the Bayes dB in order to score with BAYES_00/50/99.

Best time for me to run sa-learn  --force-expire is this evening, as only US
time zones are using the server. The main users are in Oceania and the EU.

Cheers,
S

-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Bayes now changed to autolearn=unavailable.

2012-02-27 Thread Simon Loewenthal
Good morning everyone,

Recently I enabled shortcircuit for ham on a server because Bayes
seems reasonably well trained. It works well.

I noticed that emails that did not hit BAYES_00 (so no shortcircuit)
were not autolearnt by SA. Even though these were well below the
autolearn threshold of -1.

In the example below, the score was -7.8.  Below this, the bayes
settings in the local.cf are listed.  A score of beneath -1 should have
been autolearnt. 

No, score=-7.8 required=5.0 tests=DCC_CHECK,RCVD_IN_DNSWL_HI,
RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,SPF_PASS,T_RP_MATCHES_RCVD,URI_HEX
shortcircuit=no autolearn=unavailable version=3.3.1

# grep -i bayes local.cf|grep -v ^#
use_bayes 1
bayes_auto_learn 1
bayes_sql_override_username spamd
bayes_expiry_max_db_size 50
bayes_auto_expire 1
bayes_auto_learn_threshold_nonspam -1
bayes_auto_learn_threshold_spam 13.0
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:spamassassin:localhost
bayes_sql_username x
bayes_sql_password x
bayes_ignore_to users@spamassassin.apache.org
shortcircuit BAYES_00 ham

Ham that shortcircuits has autolearn=disabled, which makes sense to me
as it is already in Bayes.

Is there something wrong with mysql on this server that may have caused
the problem, or is a SA configuration problem?


Regards, S.

-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: warn: config: SpamAssassin failed to parse line, no value provided for "body", skipping: body

2012-02-16 Thread Simon Loewenthal
Hi Kevin McGrail,

Was there any response on the dev list about this?  I am not
subscribed to it.

I notice that RCVD_IN_MSPIKE_WL is listed in the updates:

# find -exec grep MSPIKE_WL \{\} \; -ls
meta RCVD_IN_MSPIKE_WL RCVD_IN_MSPIKE_H5 || RCVD_IN_MSPIKE_H4 || RCVD_IN_MSPIKE_H3
describe RCVD_IN_MSPIKE_WL Mailspike good senders
tflags RCVD_IN_MSPIKE_WL nice net
131305    4 -rw-r--r--   1 root root  2609 Feb 16 06:53 ./3.003001/updates_spamassassin_org/20_mailspike.cf
score RCVD_IN_MSPIKE_WL 0.001 -0.010 0.001 -0.010
131619   12 -rw-r--r--   1 root root 11362 Feb 16 06:53 ./3.003001/updates_spamassassin_org/72_scores.cf
  score RCVD_IN_MSPIKE_WL  -0.01
131604   48 -rw-r--r--   1 root root 48281 Feb 16 06:53 ./3.003001/updates_spamassassin_org/50_scores.cf


... but spamassassin throws message back:
Feb 16 10:05:01.084 [10573] warn: config: SpamAssassin failed to parse
line, no value provided for "body", skipping: body
Feb 16 10:05:01.289 [10573] dbg: config: warning: score set for
non-existent rule *RCVD_IN_MSPIKE_WL*


I did not change it ;)
# grep MSPIKE_WL /etc/spamassassin/local.cf
# echo $?
1
#

The rules are there in
./3.003001/updates_spamassassin_org/20_mailspike.cf
./3.003001/updates_spamassassin_org/72_scores.cf
./3.003001/updates_spamassassin_org/50_scores.cf

I can see score for example:
score RCVD_IN_MSPIKE_L4  0.001 0.001 0.001 0.001
score RCVD_IN_MSPIKE_L4  1.7


For the time being I want to work out whether this is an error on the
server, or came via an update.




On 03/02/12 20:39, Kevin A. McGrail wrote:
> Can anyone else test with 3.3.1 to see if we are publishing something
> that is breaking on 3.3.1?  I would guess it might have to do with the
> version eval stuff we've been trying to push out.
>
> On 2/3/2012 2:35 PM, Simon Loewenthal wrote:
>>  
>> Yep, fails on standard rules.
>>
>> ( Excuse the slightly messy copy and paste, but I am using ConnectBot on a
>> smartphone whilst travelling on a train.  )
>>
>> # spamassassin -C `pwd` --lint
>> Feb  3 20:27:53.349 [19929] warn: config: SpamAssassin failed to parse line,
>> no value provided for "body", skipping: body
>> Feb  3 20:27:56.862 [19929] warn: lint: 1 issues detected, please rerun with
>> debug enabled for more information
>>
>>
>> --
>> Dogs are tough. 
>> I've been interrogating this one for hours and he still won't tell me who's 
>> a good boy. 
>>   simon@klunky / .co.uk / .org
>>
>> "Kevin A. McGrail"  wrote:
>>
>>> On 2/3/2012 2:13 PM, Simon Loewenthal wrote:
>>>> Version 3.3.1 on Debian Squeeze
>>> Are the standard rules throwing any errors with lint?
>>>
>>> For example, spamassassin -C 
>>> /var/lib/spamassassin/3.003001/updates_spamassassin_org --lint
>>>
>>> regards,
>>> KAM
>
>
> -- 
> *Kevin A. McGrail*
> President
>
> Peregrine Computer Consultants Corporation
> 3927 Old Lee Highway, Suite 102-C
> Fairfax, VA 22030-2422
>
> http://www.pccc.com/
>
> 703-359-9700 x50 / 800-823-8402 (Toll-Free)
> 703-359-8451 (fax)
> kmcgr...@pccc.com <mailto:kmcgr...@pccc.com>
>
>


-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: warn: config: SpamAssassin failed to parse line, no value provided for "body", skipping: body

2012-02-03 Thread Simon Loewenthal
Version 3.3.1 on Debian Squeeze
--
Dogs are tough. 
I've been interrogating this one for hours and he still won't tell me who's a 
good boy. 
  simon@klunky / .co.uk / .org

"Kevin A. McGrail"  wrote:

>On 2/3/2012 5:00 AM, Simon Loewenthal wrote:
>>  Hi,
>>
>>  I have an error somewhere in a rule (not that I have added one for
>> ages so I cannot fathom how it slipped in).  The error message from -D
>> --lint is listed below.  I do not know if these RCVD_IN rules are
>> related. I have not referenced these in the local.cf. I cannot find an
>> undefined body in the local.cf.
>What version of SA are you using?



warn: config: SpamAssassin failed to parse line, no value provided for "body", skipping: body

2012-02-03 Thread Simon Loewenthal
Hi,

I have an error somewhere in a rule (not that I have added one for
ages so I cannot fathom how it slipped in).  The error message from -D
--lint is listed below.  I do not know if these RCVD_IN rules are
related. I have not referenced these in the local.cf. I cannot find an
undefined body in the local.cf.

Feb  3 10:38:49.782 [6592] dbg: plugin: loading ClamAV from
/etc/spamassassin/clamav.pm
Feb  3 10:38:49.793 [6592] dbg: plugin: did not register
Mail::SpamAssassin::Plugin::Rule2XSBody, already registered
Feb  3 10:38:50.121 [6592] warn: config: SpamAssassin failed to parse
line, no value provided for "body", skipping: body
Feb  3 10:38:50.257 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_WL
Feb  3 10:38:50.257 [6592] dbg: config: warning: score set for
non-existent rule MANY_PILL_PRICE
Feb  3 10:38:50.257 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_L4
Feb  3 10:38:50.257 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_H5
Feb  3 10:38:50.258 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_H2
Feb  3 10:38:50.258 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_ZBI
Feb  3 10:38:50.258 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_L3
Feb  3 10:38:50.259 [6592] dbg: config: warning: score set for
non-existent rule ANY_PILL_PRICE
Feb  3 10:38:50.259 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_H3
Feb  3 10:38:50.259 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_L2
Feb  3 10:38:50.259 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_BL
Feb  3 10:38:50.259 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_H4
Feb  3 10:38:50.259 [6592] dbg: config: warning: score set for
non-existent rule RCVD_IN_MSPIKE_L5
Feb  3 10:38:50.260 [6592] dbg: config: warning: score set for
non-existent rule URIBL_SBL_A
...
Feb  3 10:38:51.765 [6592] warn: lint: 1 issues detected, please rerun
with debug enabled for more information


Any starting pointers?

Cheers, S


-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: [OT] RBLs

2012-01-11 Thread Simon Loewenthal
On 11/01/12 12:38, Robert Schetterer wrote:
> Am 11.01.2012 12:28, schrieb --[ UxBoD ]--:
>> Hi,
>>
>> we have seen a recent upsurge in SPAM and would like to ask the
>> community for recommendations on both free and commercial RBL offerings.
>> We are currently using:
>>
>> Barracuda
>> SpamRats
>> JunkEmailFilter
>> SpamEatingMonkey
Hi,

I use JunkEmailFilter and SpamHaus with Postfix on the front-end.

reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
reject_rbl_client sbl-xbl.spamhaus.org

Blocks most of the spam sent to us.   Not knowingly had an FP, and no
one has complained (of course I should never know;)

I won't use zen (or pbl) as I do not wish to penalise people who wish
to run their own email servers on their home networks (e.g SOHO or
hobbyists).  But this is a matter of principle and I have the impression
most use zen/pbl .spamhaus.org

Additionally I use clamav-milter with SaneSecurity, and spamass-milter
with Postfix. Did you consider using these? These are both easy to set-up.





> never used this
>
>> Plus the standard ones that are checked with SpamAssassin. We are also
>> about to trial Invaluement.
>>
>> Any help is gratefully appreciated.
>> -- 
>> Thanks, Phil
>>
> beside spamassassin
>
> i use this rbls with postfix
>
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client ix.dnsbl.manitu.net
>
> mostly in with some selective
> setup, clamav milter with sanesecurity, greylist, and some postscreen
> configs
>
> ix.dnsbl.manitu.net perhaps is more in interest for german/euro region
>
> that was enough ever, for most global spam, for sure
> you need analyse your logs an make special setups related to ips
> ,domains etc sometimes
>


-- 
 PGP is optional: 4BA78604
 simon @ klunky  . org
 simon @ klunky  .   co.uk
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: Question for experts....

2011-11-29 Thread Simon Loewenthal
On 29/11/11 15:21, Bowie Bailey wrote:
> On 11/28/2011 11:21 PM, Dave Warren wrote:
>> On 11/28/2011 7:41 PM, Benny Pedersen wrote:
>>> On Tue, 29 Nov 2011 16:21:56 +1300, Jason Haar wrote:
>>>
>>>> http://0x12.0x12.0x12.0x12/
>>> does not work in chrome
>> I tried in Chrome 16.0.912.41 beta-m and 17.0.953.0 canary, both 
>> instantly changed the displayed URL to "18.18.18.18" then timed out 
>> trying to browse.
> Works in the latest Google Chrome 15 as well.
>
>> http://0xAD.0xC2.0x21.0x34/ (which actually has a web server on it) 
>> works in both versions of Chrome.
> Interestingly, when I clicked on that one, Thunderbird gave me a warning:
>
> Thunderbird thinks this message is a scam. The links in the message may
> be trying to impersonate web pages you want to visit. Are you sure you
> want to visit 173.194.33.52?
>
> So it's not just browsers that can work with these obnoxious urls.
>
Firefox treats it as:

Unable to determine IP address from host name for /0xad.0xc2.0x21.0x34/
Name Error: The domain name does not exist.
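The hosts in this thread are IPv4 literals with each part written in hex, and the replies show that browsers canonicalise them (Chrome rewrote the first to 18.18.18.18, Thunderbird recognised the second as 173.194.33.52) while name-based tools such as Firefox's resolver path do not. The following Python function is an added example, not code from the thread, from any browser or from SpamAssassin; it applies the usual browser rules (0x hex, leading-0 octal, otherwise decimal, with the last part filling the remaining bytes) so that a log parser or filter can normalise such hosts before doing reputation lookups. The two hosts from the thread are used as inputs; the other sample values are constructed.

```python
import ipaddress
import re

HEX = re.compile(r"0[xX][0-9a-fA-F]+")
OCT = re.compile(r"0[0-7]+")
DEC = re.compile(r"[0-9]+")


def _part_value(part: str):
    """Parse one dotted part as browsers do: 0x.. hex, leading-0 octal, else decimal."""
    if HEX.fullmatch(part):
        return int(part, 16)
    if OCT.fullmatch(part):
        return int(part, 8)
    if DEC.fullmatch(part):
        return int(part, 10)
    return None


def canonical_ipv4(host: str):
    """Return the dotted-quad a browser would show for a numeric host such as
    0x12.0x12.0x12.0x12 or 3232235777; None if the host is not an IPv4 literal.
    With fewer than four parts the last part fills the remaining bytes
    (browser convention), e.g. 127.1 -> 127.0.0.1."""
    parts = host.strip("/").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_value(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 255 for v in head):
        return None
    remaining = 4 - len(head)
    if last >= 256 ** remaining:
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(number))


def normalise_url_host(url: str) -> str:
    """Rewrite the host of an http(s) URL into canonical dotted-quad form when it
    is an obfuscated IPv4 literal; any other URL is returned unchanged."""
    m = re.match(r"^(https?://)([^/:?#]+)(.*)$", url, re.I)
    if not m:
        return url
    scheme, host, rest = m.groups()
    canon = canonical_ipv4(host)
    return url if canon is None else f"{scheme}{canon}{rest}"


if __name__ == "__main__":
    for h in ("0x12.0x12.0x12.0x12", "0xAD.0xC2.0x21.0x34", "127.1", "example.com"):
        print(f"{h:22} -> {canonical_ipv4(h)}")
```

Feeding the canonical form to a DNSBL or URIBL lookup, rather than the raw hex host, is what keeps a numeric-host URL from slipping past a rule that expects dotted decimal.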



Re: Custom rawbody rule in local.cf not triggered

2011-11-23 Thread Simon Loewenthal
On 23/11/11 16:21, Martin Gregorie wrote:
> On Wed, 2011-11-23 at 15:13 +0100, Simon Loewenthal wrote:
>> I have spam that hits on these rules.
>>
>> X-Spam-Report:
>> *  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>> *  [URIs: europjobs.eu]
>> *  1.2 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
>> *  [URIs: europjobs.eu]
>> *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable
>> relay lines
>> *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
>> *  [score: 0.5000]
>> *  1.1 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>> *  1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
>> *  0.3 DIGEST_MULTIPLE Message hits more than one network digest check
>> *  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
>>
>> What I fail to understand is why it did not hit on this local.cf rule:
>>
>> describe RBODY_JOB_DOMAINS1 English language job opportunity1
>> rawbody RBODY_JOB_DOMAINS1
>> /\@(?:axeabout|career-lists|careers-consult|eur-exlusive|europe-career|europ-exlusive|it-jobsearch\.com|uk-exlusive|tech-newposition|new-joboffers|joblists|web-newcarer|world-jobsearch|gb-totaljob|simple-jobneed|sprytex-it|europjobs.eu|businesinsiders.com)\./
>> scoreRBODY_JOB_DOMAINS1 4.5
>>
>> ( I tried the same by replacing |europjobs.eu| with |europjobs\.eu| in
>> case it helped, but made no difference)
>>
> What Axb said. I'd just add that your rule description appears to be
> misleading in that it seems to be a list of partial domain names rather
> than any specifically English words or phrases and that you'll get fewer
> FPs and, probably, a better hit rate if you use a meta to combine
> generic job offer phrases with something else, along the lines of:
>
> describe JOB_OFFERS Phrases typical of English language job offers
> body JOB_OFFERS /(my client|(contract|permanent) jobs))/i
> scoreJOB_OFFERS 0.01
>
> describe UNWANTED_JOB_OFFERS Jobs at blacklisted sites
> meta UNWANTED_JOB_OFFERS JOB_OFFERS && (URIBL_BLACK ||
> URIBL_JP_SURBL)
> scoreUNWANTED_JOB_OFFERS 4.5
>
> because your rule is in effect a private blacklist that duplicates what
> the URIBLs are already doing. Of course my JOB_OFFERS rule is merely an
> example. In Real Life (tm) it would be a set of rather more elaborate
> rules that you've built to recognise your particular jobspam stream.
>
>
> Martin
>
>
Oh, this is a far better idea, and it uses the results of an already
existing rule.  Thank-you. I shall work on something like this.
Cheers.

-- 
Email  simon AT klunky DOT co DOT uk   
PGP is optional: 4BA78604
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: Custom rawbody rule in local.cf not triggered

2011-11-23 Thread Simon Loewenthal
On 23/11/11 15:31, Axb wrote:
> On 2011-11-23 15:13, Simon Loewenthal wrote:
>>
>> I have spam that hits on these rules.
>>
>> X-Spam-Report:
>>  *  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>  *  [URIs: europjobs.eu]
>>  *  1.2 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
>> blocklist
>>  *  [URIs: europjobs.eu]
>>  *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable
>> relay lines
>>  *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
>>  *  [score: 0.5000]
>>  *  1.1 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>>  *  1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
>>  *  0.3 DIGEST_MULTIPLE Message hits more than one network digest
>> check
>>  *  0.8 RDNS_NONE Delivered to internal network by a host with no
>> rDNS
>>
>> What I fail to understand is why it did not hit on this local.cf rule:
>>
>> describe RBODY_JOB_DOMAINS1 English language job opportunity1
>> rawbody RBODY_JOB_DOMAINS1
>> /\@(?:axeabout|career-lists|careers-consult|eur-exlusive|europe-career|europ-exlusive|it-jobsearch\.com|uk-exlusive|tech-newposition|new-joboffers|joblists|web-newcarer|world-jobsearch|gb-totaljob|simple-jobneed|sprytex-it|europjobs.eu|businesinsiders.com)\./
>>
>> scoreRBODY_JOB_DOMAINS1 4.5
>>
>> ( I tried the same by replacing |europjobs.eu| with |europjobs\.eu| in
>> case it helped, but made no difference)
>>
>> I should have thought that this would pick it up.  I missed something
>> :(  Anyone know what it was?
>
> first thing I see:
>
> remove the last \.
>
> atm, your regex expects to see a
>
> europjobs.eu\.
>
> also make sure you escape all periods.
>
> make up your mind if you want to not use tlds after the domain name.
>
> for tidiness, use separate rules /tld
>
>
>
>
>
Thank-you very much.  This did the trick.


Custom rawbody rule in local.cf not triggered

2011-11-23 Thread Simon Loewenthal
   
I have spam that hits on these rules.

X-Spam-Report:
*  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  [URIs: europjobs.eu]
*  1.2 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
*  [URIs: europjobs.eu]
*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable
relay lines
*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
*  [score: 0.5000]
*  1.1 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
*  1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
*  0.3 DIGEST_MULTIPLE Message hits more than one network digest check
*  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS

What I fail to understand is why it did not hit on this local.cf rule:

describe RBODY_JOB_DOMAINS1 English language job opportunity1
rawbody RBODY_JOB_DOMAINS1
/\@(?:axeabout|career-lists|careers-consult|eur-exlusive|europe-career|europ-exlusive|it-jobsearch\.com|uk-exlusive|tech-newposition|new-joboffers|joblists|web-newcarer|world-jobsearch|gb-totaljob|simple-jobneed|sprytex-it|europjobs.eu|businesinsiders.com)\./
scoreRBODY_JOB_DOMAINS1 4.5

( I tried the same by replacing |europjobs.eu| with |europjobs\.eu| in
case it helped, but made no difference)
 
I should have thought that this would pick it up.  I missed something
:(  Anyone know what it was?


Cheers, S.

-- 
Email  simon AT klunky DOT co DOT uk   
PGP is optional: 4BA78604
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: myfanbox.com

2011-11-06 Thread Simon Loewenthal
John Hardin  wrote:

On Sun, 6 Nov 2011, Karsten Bräckelmann wrote:

> However, John, I strongly urge you NOT to include that rule in your
> sandbox for stock. This is the wrong thing to do, and basically
> contradicts everything SA stands for.

I suspect the corpora and the scoring logic won't make it have much effect 
anyway, if it makes the promotion criteria.

I'll leave it in for one masscheck cycle just to see how it does. I agree 
with R about SMTP-time reject of those domains.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
_

"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
_

Today: Daylight Saving Time ends in U.S. - Fall Back


Hi,

Agree with SMTP rejects, and with this not being in the ruleset; sledgehammer
approach :(

Rdgs, S
-- 
If you cannot beat them, try to côntrole them.

Re: real world spamassassin experiences re: processing on servers emailing from .info domains

2011-10-27 Thread Simon Loewenthal
Ned Slider  wrote:

On 27/10/11 18:36, Jenny Lee wrote:
>
>
>
>_

>> From: list...@abbacomm.net
>> To: users@spamassassin.apache.org
>> Subject: real world spamassassin experiences re: processing on servers 
>> emailing from .info domains
>> Date: Thu, 27 Oct 2011 09:15:13 -0700
>>
>>
>> greetings SA users
>>
>> there sure seems to be a lot of from .info server spamming
>>
>> weird temp registered .info domains spamming eh?
>>
>> for those of you with volume, large or small, care to share an SA tips on
>> how you deal with .info domains?
>>
>> i would imagine there is a very small percentage of valid emails coming from
>> .info domains
>>
>> should we just pull the plug and reject all .info from touching the smtp
>> server or carefully craft SA rules?
>>
>> real close to doing so and just reject them all, unless there is a list of
>> valids out there somewhere
>>
>> thank you in advance
>>
>> - rh
>>
>
>
> In 14 years, we never received any single legit mail from .info. It costs $1 
> per year to register an info domain, and if the people I do business cannot 
> afford $10 a year for their domain, they probably will not give me business 
> to start with.
>
> We reject all .info on sendmail during transaction stage. Half of my rejected 
> connections are .info (rest are same-sender/same-recipient).
>
> You have to assess your own situation.
>
> Jenny 


I haven't had to go as far as rejecting all .info domains yet, but I did 
spot a trend a while back where snowshoe spammers were using 
i...@example.info so I block those at the MTA with a simple PCRE:

/^info@[a-z0-9]+\.info$/	REJECT Looks like snowshoe

They seem to have moved on now though as I currently see very little 
.info spam make it as far as SA.

Screwfix in the UK (a large online hardware [screws and nails type] 
supplier) currently send out their mailings from em...@screwfix.info 
even though their main site is at screwfix.com, so there are some legit 
senders.

YMMV


I know a few people who run legitimate .info domains. Primarily for their 
friends & family. I have a .info domain that I use for testing new servers. 
Rather a .info than a .co.cc for testing ;)
-- 
If you cannot beat them, try to côntrole them.

Re: DNSWL returns _HI trust level for everything to "abusive" DNS servers Re: Spam email many have RCVD_IN_DNSWL_MED

2011-10-12 Thread Simon Loewenthal
dar...@chaosreigns.com wrote:

On 10/12, Alessio Cecchi wrote:
> I have found the problem: Google name server
> 
> >On 10/11, Alessio Cecchi wrote:
> >>Received: from [175.145.6.37] (unknown [175.145.6.37])
> >
> >$ host 37.6.145.175.list.dnswl.org
> >Host 37.6.145.175.list.dnswl.org not found: 3(NXDOMAIN)
> >
> >Should not hit any RCVD_IN_DNSWL_* rules.
> 
> In this installation:
> 
> # cat /etc/resolv.conf
> nameserver 8.8.8.8
> nameserver 8.8.4.4
> 
> # host 37.6.145.175.list.dnswl.org
> 37.6.145.175.list.dnswl.org has address 127.0.10.3

Sorry, I should have realized this problem sooner too.

Relatively recently, DNSWL started returning values that correspond to the
spamassassin rule RCVD_IN_DNSWL_HI for *all* queries, for name servers that
have been deemed "abusive". I found out about it 10 days ago.

A year ago DNSWL announced it would start requiring payment from people
doing more than 100,000 queries per day. This is tied to the determination
of "abusiveness". 

So yes, as Jim Popovitch recommended, you should not have this problem
if you run a local DNS server (without using "abusive" servers as
forwarders), which I think is probably recommended practice for running
spamassassin anyway.

-- 
"every time I race I see god" - tsuwa, #motorcycles, EFNet, 7/19/06
http://www.ChaosReigns.com


Although I did not think it was recommended to use Google's DNS with SA. From 
SA FAQ:

Your DNSBL blocks nothing at all!

First, check our FAQ answer for "Your DNSBL blocks the whole Internet!" and 
make sure you've not made a spelling mistake in your mailserver configuration.

Check what DNS resolvers you are using: If you are using a free "open DNS 
resolver" service such as Google Public DNS or Level3's public DNS servers to 
resolve your DNSBL requests, in most cases you will receive a "not listed" 
(NXDOMAIN) reply from Spamhaus' public DNSBL servers. Please use your own DNS 
servers when doing DNSBL queries to Spamhaus.
-- 
If you cannot beat them, try to côntrole them.
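To make the resolver comparison in this thread checkable, here is an added Python helper (mine, not from the thread, from dnswl.org or from SpamAssassin) that builds the reversed-octet query name, decodes a dnswl.org answer of the form 127.0.<category>.<trust> into the RCVD_IN_DNSWL_* suffix SpamAssassin would assign, and flags a resolver whose answers all decode to HI, the blanket response described above. The answers are constructed to mirror the two resolvers in the thread; nothing is queried over the network.

```python
import ipaddress

DNSWL_ZONE = "list.dnswl.org"

# Last octet of a dnswl.org answer -> SpamAssassin rule suffix (RCVD_IN_DNSWL_*).
TRUST_LEVELS = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}


def dnswl_query_name(ip: str, zone: str = DNSWL_ZONE) -> str:
    """Reverse the octets of the connecting IP and append the list zone,
    e.g. 175.145.6.37 -> 37.6.145.175.list.dnswl.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnswl_trust(answer):
    """Decode an A-record answer 127.0.<category>.<trust> to NONE/LOW/MED/HI.
    None (NXDOMAIN) means not listed; anything outside 127.0.0.0/16 is not a
    dnswl.org code and is reported as such so a misbehaving resolver is visible."""
    if answer is None:
        return "not listed"
    b = ipaddress.IPv4Address(answer).packed
    if b[0] != 127 or b[1] != 0 or b[3] not in TRUST_LEVELS:
        return "unexpected answer"
    return TRUST_LEVELS[b[3]]


def resolver_looks_abusive(answers: dict) -> bool:
    """True when every sampled IP comes back as HI: a listing for everything is
    the blanket response described in the thread, not real whitelist data."""
    return len(answers) > 1 and all(dnswl_trust(a) == "HI" for a in answers.values())


# Constructed answers for the same three client IPs as seen through two
# resolvers. 175.145.6.37 is the host from the thread; the other two are
# documentation-range addresses chosen only to illustrate the comparison.
SAMPLE_IPS = ["175.145.6.37", "203.0.113.10", "198.51.100.7"]
LOCAL_RESOLVER = {ip: None for ip in SAMPLE_IPS}            # all NXDOMAIN
PUBLIC_RESOLVER = {ip: "127.0.10.3" for ip in SAMPLE_IPS}   # everything "HI"


def report(answers: dict) -> dict:
    """Per-query decoded trust level plus the blanket-HI flag."""
    return {
        "levels": {dnswl_query_name(ip): dnswl_trust(a) for ip, a in answers.items()},
        "blanket_hi": resolver_looks_abusive(answers),
    }


if __name__ == "__main__":
    for name, answers in (("local", LOCAL_RESOLVER), ("public", PUBLIC_RESOLVER)):
        print(name, report(answers))
```

Run against a handful of recent connecting IPs from the mail log, a result where every one of them decodes to HI is the signal to stop trusting that resolver for DNSWL lookups and switch SpamAssassin's host to a local caching resolver, as the thread recommends.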

Re: Minimal server specs for SA question

2011-10-06 Thread Simon Loewenthal


  
  
On 05/10/11 12:49, Henrik K wrote:
> On Mon, Oct 03, 2011 at 01:59:59PM -0400, Alex B. wrote:
>> On 2011-10-03, at 6:08 AM, Simon Loewenthal  wrote:
>>
>>> Hi there,
>>>
>>>  I have to set-up a few low power SA boxes. Currently I'm used to
>>> using Intel Xeon 2.6Ghz with 16Gb of memory, but these proposed boxes
>>> are small.  I won't buy one unless I know it can do the job.  I know the
>>> figures below are tiny, but I don't know the Intel Atoms and what they
>>> can really do.
>>>
>>> # of active Email addresses (excluding Email aliases) : 80
>>> # of messages (including rejected) approx 3,500 daily
>>> running : Debian/ SA 3.3.1 and spamass-milter  (with MTA postfix,
>>> clamav-milter).
>>>
>>> hardware:
>>> http://soekris.eu/shop/net6501_en/
>>> 1.6 Ghz Intel Atom E660  (1 core, 2 threads)
>>> 1024Mb RAM
>>> Transcend mSATA SSD 32Gb MLC
>>>
>>> Cheers for any commentary.
>>>
>>> Best regards, Simon.
>>
>> I would also recommend turning off as many network checks as possible in
>> SA due to redundant and blocking I/O taking up the majority of SA's
>> processing times.
>
> What the FUD?
>
> All default SA rules and functions use async DNS lookups. Processing time
> might be little longer yes, but CPU usage averages the same.  You can run
> more scans in parallel.
>
> Of course there are some custom plugins out there that don't still use async
> lookups.

There is no way I would disable these network checks!

To everyone who replied.  Thank-you very much for all of your useful
suggestions.  Looks like the Soekris will do the job, although the
precise model I want has not yet been released, and the BIOS is not
ready (HyperThreading is unimplemented, but they told me that
they'll get around to it.)

The Thomas-Krenn 1U 19" looks very nice [
http://www.thomas-krenn.com/en/server-systems/1u-rack-server/1u-intel-single-cpu/cse502-server-atom-d510.html
] and I am very tempted as it has dual cores.  Sadly, the operating
temperature range is 0-20C, and the Soekris is 0-60C.  I know that
it's possible that the box will have to handle a max of 40C on some
rare days so the Thomas-Krenn should be discounted. Shame as it's
cheaper and powerful in comparison.  


-- 
	Email  simon AT klunky DOT co DOT uk   
	PGP is optional: 4BA78604
	I won't accept your confidentiality
	agreement, and your Emails are kept.
  		   ~Ö¿Ö~

  



Re: Minimal server specs for SA question

2011-10-03 Thread Simon Loewenthal
Martin Hepworth  wrote:

Also make sure youre running a caching nameserver to help with dns requests

Drop unknown recipients at the start before SA checks really stop alot of junk 
too

Martin

On Monday, 3 October 2011, Alex B.  wrote:
>
>
> On 2011-10-03, at 6:08 AM, Simon Loewenthal  wrote:
>
>> Hi there,
>>
>>I have to set-up a few low power SA boxes. Currently I'm used to
>> using Intel Xeon 2.6Ghz with 16Gb of memory, but these proposed boxes
>> are small.  I won't buy one unless I know it can do the job.  I know the
>> figures below are tiny, but I don't know the Intel Atoms and what they
>> can really do.
>>
>> # of active Email addresses (excluding Email aliases) : 80
>> # of messages (including rejected) approx 3,500 daily
>> running : Debian/ SA 3.3.1 and spamass-milter  (with MTA postfix,
>> clamav-milter).
>>
>>
>> hardware:
>> http://soekris.eu/shop/net6501_en/
>> 1.6 Ghz Intel Atom E660  (1 core, 2 threads)
>> 1024Mb RAM
>> Transcend mSATA SSD 32Gb MLC
>>
>> Cheers for any commentary.
>>
>> Best regards, Simon.
>
>
> I would also recommend turning off as many network checks as possible in SA 
> due to redundant and blocking I/O taking up the majority of SA's processing 
> times.
>
> You could also try enabling the compile rule plugin (Rules2XS I believe?) and 
> running sa-compile, however, our in-production benchmarks did not record any 
> performance increases, but it may help you squeeze some slight fraction of 
> performance increase from your server.
>
>
>>
>

-- 
-- 
Martin Hepworth
Oxford, UK


Cheers. I do both of those by default on all builds (reject unknown rcpt, 
sa-compile & dns-cache on same network segment <1m/s)

Cheers.
-- 
If you cannot beat them, try to côntrole them.

Re: Minimal server specs for SA question

2011-10-03 Thread Simon Loewenthal
On 10/03/2011 12:16 PM, Matus UHLAR - fantomas wrote:
> On 03.10.11 12:08, Simon Loewenthal wrote:
>>I have to set-up a few low power SA boxes. Currently I'm used to
>> using Intel Xeon 2.6Ghz with 16Gb of memory, but these proposed boxes
>> are small.  I won't buy one unless I know it can do the job.  I know the
>> figures below are tiny, but I don't know the Intel Atoms and what they
>> can really do.
>>
>> # of active Email addresses (excluding Email aliases) : 80
>> # of messages (including rejected) approx 3,500 daily
>> running : Debian/ SA 3.3.1 and spamass-milter  (with MTA postfix,
>> clamav-milter).
>>
>>
>> hardware:
>> http://soekris.eu/shop/net6501_en/
>> 1.6 Ghz Intel Atom E660  (1 core, 2 threads)
>> 1024Mb RAM
>> Transcend mSATA SSD 32Gb MLC
>
> that should be enough for more users/messages. of course, it depens on
> other services that should run on the machine.
Apache with Roundcube.
That's it.

-- 
Email  simon AT klunky DOT co DOT uk   
PGP is optional: 4BA78604
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Minimal server specs for SA question

2011-10-03 Thread Simon Loewenthal
Hi there,

I have to set-up a few low power SA boxes. Currently I'm used to
using Intel Xeon 2.6Ghz with 16Gb of memory, but these proposed boxes
are small.  I won't buy one unless I know it can do the job.  I know the
figures below are tiny, but I don't know the Intel Atoms and what they
can really do.

# of active Email addresses (excluding Email aliases) : 80
# of messages (including rejected) approx 3,500 daily
running : Debian/ SA 3.3.1 and spamass-milter  (with MTA postfix,
clamav-milter).


hardware:
http://soekris.eu/shop/net6501_en/
1.6 Ghz Intel Atom E660  (1 core, 2 threads)
1024Mb RAM
Transcend mSATA SSD 32Gb MLC

Cheers for any commentary.

Best regards, Simon.





-- 
Email  simon AT klunky DOT co DOT uk   
PGP is optional: 4BA78604
I won't accept your confidentiality
agreement, and your Emails are kept.
   ~Ö¿Ö~



Re: Increasing score based on membership to commercial whitelist

2011-09-26 Thread Simon Loewenthal
"David F. Skoll"  wrote:

On Mon, 26 Sep 2011 13:49:36 -0400
dar...@chaosreigns.com wrote:

> On 09/24, David Bennett wrote:
> > It occurred to me that a sender that is paying their way into my
> > inbox is almost certainly sending me junk mail. A little research
> > in my inbox and it turns out to be right on the money. All stuff
> > that I didn't want.

> Disclaimer: I'm a dnswl.org admin, although haven't been active
> lately. Also, dnswl.org (provider of the data used by RCVD_IN_DNSWL_*
> rules) doesn't charge anybody for being listed. They only charge
> very high volume users of the data for use of the data, like Spamhaus
> and some other major blacklist providers.

As someone listed on dnswl.org, I can confirm this. We did not pay to
get our domain (roaringpenguin.com) or IP addresses listed. And I
assume that if we spam, we will be delisted in a hurry.

So please don't automatically assume that we're spammers just because
we're on dnswl.org. :)

Regards,

David.


My domains are listed on dnswl.org, & I did not pay a penny, although if I had 
then it would have been a penny worth paying for :)

-- 
If you cannot beat them, try to côntrole them.

Spamassassin did not log into spamd.log for one message scan (via spamass-milter)

2011-09-22 Thread Simon Loewenthal
   
Interesting.

I have a spamass-milter reject in the postfix logs:
Sep 21 16:42:26 logout postfix/cleanup[3787]: C1C6A837AB: milter-reject:
END-OF-MESSAGE from blu0-omc3-s7.blu0.hotmail.com[65.55.116.82]: 5.7.1
Blocked by SpamAssassin; from=
to= proto=ESMTP helo=

I tried to find the corresponding record in the spamd.log and
spamd.log.1 so that I could see what triggered the reject.  However, I
cannot see the record.  The only records are these earlier ones:
# grep nn spamd.log
Mon Sep  5 20:11:21 2011 [12221] info: spamd: processing message
<4e6510c8.5010...@klunky.co.uk> for nnn...@hotmail.com:5002
Mon Sep  5 20:11:22 2011 [12221] info: spamd: clean message (-1.9/6.0)
for nnn...@hotmail.com:5002 in 0.5 seconds, 2656 bytes.
Mon Sep  5 20:11:22 2011 [12221] info: spamd: result: . -1 -
BAYES_00,HTML_MESSAGE,SPF_FAIL
scantime=0.5,size=2656,user=nnn...@hotmail.com,uid=5002,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=36238,mid=<4e6510c8.5010...@klunky.co.uk>,bayes=0.00,autolearn=no,shortcircuit=no

I wonder why spamd did not record this in spamd.log.  Has anyone got any
ideas?

Simon.

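A check for the situation described in the post above, written as an added example that is not part of the original message or of SpamAssassin: it pairs each spamass-milter reject in the postfix log with a spam verdict ("result: Y") that spamd logged shortly before it, and lists the rejects that have no such verdict, which is exactly the gap being asked about. The log lines, host names, queue ids and addresses are constructed to mirror the two formats quoted in the thread; the year is passed in explicitly because syslog lines carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two formats quoted in the thread (not the poster's logs).
POSTFIX_LOG = """\
Sep 21 16:40:02 mx postfix/cleanup[3780]: A1B2C3D4E5: milter-reject: END-OF-MESSAGE from relay.example.net[192.0.2.10]: 5.7.1 Blocked by SpamAssassin; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<relay.example.net>
Sep 21 16:42:26 mx postfix/cleanup[3787]: C1C6A837AB: milter-reject: END-OF-MESSAGE from relay2.example.net[192.0.2.11]: 5.7.1 Blocked by SpamAssassin; from=<b@example.net> to=<u@example.org> proto=ESMTP helo=<relay2.example.net>
"""

SPAMD_LOG = """\
Wed Sep 21 16:40:01 2011 [12221] info: spamd: processing message <m1@example.net> for u@example.org:5002
Wed Sep 21 16:40:02 2011 [12221] info: spamd: result: Y 12 - BAYES_99,HTML_MESSAGE,SPF_FAIL scantime=0.6,size=3100,user=u@example.org,uid=5002,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=36240,mid=<m1@example.net>,bayes=0.99,autolearn=spam,shortcircuit=no
"""

# Syslog line from postfix for a spamass-milter reject (no year in the timestamp).
POSTFIX_REJECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"postfix/\S+: (?P<qid>[0-9A-F]+): milter-reject: .*Blocked by SpamAssassin;"
)
# spamd "result:" line: <Y|.> <score> - <rules> <key=value,...>
SPAMD_RESULT_RE = re.compile(
    r"^[A-Z][a-z]{2} (?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<year>\d{4}) "
    r"\[(?P<pid>\d+)\] info: spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - "
    r"(?P<rules>\S+) (?P<fields>\S+)$"
)


def _stamp(mon, day, time, year):
    return datetime.strptime(f"{mon} {int(day)} {time} {year}", "%b %d %H:%M:%S %Y")


def parse_spamd_result(line):
    """Split one spamd 'result:' line into timestamp, verdict, score, rules and fields."""
    m = SPAMD_RESULT_RE.match(line)
    if not m:
        return None  # e.g. the 'processing message' line
    fields = {k: v for k, _, v in (kv.partition("=") for kv in m["fields"].split(","))}
    return {
        "time": _stamp(m["mon"], m["day"], m["time"], m["year"]),
        "pid": int(m["pid"]),
        "spam": m["flag"] == "Y",
        "score": int(m["score"]),
        "rules": m["rules"].split(","),
        "fields": fields,
    }


def parse_postfix_rejects(text, year):
    """Yield (queue_id, timestamp) for each SpamAssassin milter reject."""
    for line in text.splitlines():
        m = POSTFIX_REJECT_RE.match(line)
        if m:
            yield m["qid"], _stamp(m["mon"], m["day"], m["time"], year)


def unmatched_rejects(postfix_text, spamd_text, year, window=timedelta(seconds=10)):
    """Queue ids of rejects with no spam verdict in spamd.log within `window` before them.

    The milter rejects at END-OF-MESSAGE only after spamd has answered, so the
    matching 'result: Y' line must be logged at or shortly before the reject.
    """
    results = [r for r in map(parse_spamd_result, spamd_text.splitlines()) if r]
    missing = []
    for qid, when in parse_postfix_rejects(postfix_text, year):
        matched = any(when - window <= r["time"] <= when and r["spam"] for r in results)
        if not matched:
            missing.append(qid)
    return missing


if __name__ == "__main__":
    for qid in unmatched_rejects(POSTFIX_LOG, SPAMD_LOG, 2011):
        print(f"{qid}: rejected by spamass-milter but no spamd verdict logged")
```

On the constructed input the first reject lines up with a spam verdict one second earlier and the second does not, so only C1C6A837AB is reported. Run it over the real spamd.log and spamd.log.1 together, since a rotation between the two files is one ordinary reason a record seems to be missing.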



Re: Not sure if this is old or new

2011-09-22 Thread Simon Loewenthal
On 09/22/2011 10:59 AM, Nigel Frankcom wrote:
> On Wed, 21 Sep 2011 17:08:42 +0200, Matus UHLAR - fantomas
>  wrote:
>
>> On 20.09.11 18:57, Nigel Frankcom wrote:
>>> I moved SA to a newer box and have the following output in my logs:
>>> http://pastebin.com/VvZfXwAC
>>>
>>> Apologies if I'm being dense, but is there a way to trace what may be
>>> causing this, not the specifics of parentheses or == but the
>>> particular rule?
>>>
>>> All (printable) help gratefully received.
>>
>> #
>> Compile was succesful. Restarting spamd
>> #
>> Stopping spamd: [  OK  ]
>> #
>> Starting spamd: [  OK  ]
>>
>> I don't see your problem.
> Lines 46 to 63. I am guessing one of my rules has an issue, Wondering
> if there is a way to figure out which rule is triggering this.
>
> body_0.xs: In function
> 'XS_Mail__SpamAssassin__CompiledRegexps__body_0_scan':
> body_0.xs:123: warning: suggest parentheses around assignment used as
> truth value
>
I don't think that this is anything to fret about.  Probably some code
that uses an assignment = {}, but it is often a typo for something else,

e.g.

if (a = b) {...}
This is correct, but sometimes the programmer might mean
if (a == b) {...}
It's pointing out a possible confusion.
The warning is pointing out that he might want the latter.
As I have demonstrated above, Google is your friend and mine ;)

My programming is poor, so I am certain someone will point out whether I
am wrong or right.




Re: Theories on blocking OUTGOING spam

2011-08-23 Thread Simon Loewenthal
On 08/23/2011 04:37 PM, Per Jessen wrote:
> Matus UHLAR - fantomas wrote:
>
>>> * Marc Perkel :
>>>> Just sharing some ideas on blocking outbound spam.
>> On 20.08.11 21:55, Patrick Ben Koetter wrote:
>>> - We require humans to use submission instead of smtp
>> How do you (want to) enforce this? Or is it just contractual
>> requirement?
>>
>>> - German laws forbid looking at content without local senders consent.
>> does this apply for virus filtering too?
>>
>>> When we look at the SMTP session we MUST NOT log anything that leads
>>> back to the real person or lets us track the person down. If we log we
>>> use hashes to destroy a trackable connection.
>> I thought that the EU requires providers to log the sender and
>> recipient... 

The ISP that I work for does not log this data. Far too much traffic
generated! 
> http://en.wikipedia.org/wiki/Telecommunications_data_retention#European_Union
>
>
> /Per Jessen, Zürich
>

