Re: Erroneous doubled letters in subject

2008-10-03 Thread Skip Morrow
On Thu, Oct 2, 2008 at 2:49 PM, Kenneth Porter <[EMAIL PROTECTED]> wrote:

> On Wednesday, September 17, 2008 4:02 PM +0100 Justin Mason <[EMAIL PROTECTED]>
> wrote:
>
>> This is just in the dev ruleset -- for 3.3.0 -- so you're best off adding
>> it manually.  right now it's like this:
>>
>>  # thanks to Phil Randal on the users list for this tip
>>  rawbody __PR_TD_NOWRAP  //
>>  meta PR_TD_NOWRAP_BAT (__THEBAT_MUA && __PR_TD_NOWRAP)
>>
>
> I just want to report that this has been an incredibly effective rule, with
> no false positives. I'm amazed that I'm still catching tons of spam with it,
> that the spammers haven't changed their code. (But I've probably jinxed it
> by saying so, and it will be replaced tomorrow.)
>
>
>
I have a rule that looks only for the bat mailer.  I have NEVER received a
non-spam email from anyone using the bat mailer.  It's a very effective rule
for me that has never misfired.  I'll give that td_nowrap a looksie.


Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>
>
> anyway, if your SA only misses few spam, there's no need to try to improve
> that with new rules.
>
>
>
Yeah, this is the first spam I've gotten in about a month or maybe two. 
Still, I let it bug me too much.  That, and it's slow at work today.  I
guess I'll just let it go.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>
> sought != sought_fraud.
>
Whoops!  Thanks!  Got it now, but still no hits in that rule set either.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>>>
>>>
>> I am using bayes, but it didn't catch it.  I was quite surprised at
>> that.
>
> h...
>
> Content analysis details:   (6.3 points, 5.0 required)
>
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.]
> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  1.3 MISSING_HEADERS        Missing To: header
>  1.5 BASE64_LENGTH_79_INF   BODY: BASE64_LENGTH_79_INF
>  0.0 MIME_BASE64_BLANKS     RAW: Extra blank lines in base64 encoding
>
>
How interesting that you are hitting the BASE64_LENGTH_79_INF rule and I'm
not.  I just looked and I have never triggered that rule in any spams, but
I have triggered it in a couple of hams.  Now why would it work for you
and not for me hm.  I am using SA 3.2.4.  By the way, that
mime block is only 76 characters wide.

>
> sa-update and jm sought here. without Bayes, it's missed.
>
>
I ran sa-update just a few minutes ago and it didn't make a difference.

I habitually run most of my spam through sa-learn and most of my ham too. 
I know it works b/c I do have a lot of spam trigger the BAYES_99 rule
(and others too).  I am still surprised that I had such a low score on
this one.  Bayes would have been my only saving grace here too.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>
> Silly question, but is "peloruso" the user that spamd is running as?
> user/database mismatch is a common problem.
>
I'm not using spamd, I call spamassassin from procmail.  I'm on a shared
host that doesn't allow users to run their own daemons (although they are
running their own spamd, but not with the options I want/need)

But, yes, all processes under my account are run as peloruso.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
Sorry about the double post--operator error.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>> I am using bayes, but it didn't catch it.  I was quite surprised at
>> that.
>
> Doesn't look to me like you are using bayes.  There is no bayes score in
> the headers.
>
Oh.  I thought I was.  I do get reports in some messages.  Here's the
debug from this particular message:
[12541] dbg: config: read file /home/peloruso/.spamassassin/23_bayes.cf
[12541] dbg: config: read file
/home/peloruso/.spamassassin/70_sare_bayes_poison_nxm.cf
[12541] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
[12541] dbg: config: fixed relative path:
/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using
"/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf" for
included file
[12541] dbg: config: read file
/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: fixed relative path:
/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using
"/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf"
for included file
[12541] dbg: bayes: tie-ing to DB file R/O
/home/peloruso/.spamassassin/skip/bayes/bayes_toks
[12541] dbg: bayes: tie-ing to DB file R/O
/home/peloruso/.spamassassin/skip/bayes/bayes_seen
[12541] dbg: bayes: found bayes db version 3
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: corpus size: nspam = 4748, nham = 1680
[12541] dbg: bayes: score = 2.02454774056449e-08
[12541] dbg: bayes: DB expiry: tokens in DB: 136363, Expiry max size:
15, Oldest atime: 1216674739, Newest atime: 1221711862, Last expire:
1220940612, Current time: 1221712855
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: untie-ing

Anything look funny in there?  I see a very low score: 2.02e-08, but isn't
it still working?






Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
On Thu, September 18, 2008 9:33 am, John Hardin wrote:
> On Thu, 18 Sep 2008, Skip wrote:
>
>
>> What can I do to increase my chances on spammies like this one:
>> http://pastebin.com/m5f5d11e0
>>
>
> (1) train your bayes with it
>
I am using bayes, but it didn't catch it.  I was quite surprised at that.
>
> (2) try the sought fraud ruleset that Justin is generating
>
>
> http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
>
I'm using that too, and again no joy there.  It may be time for an
sa-update though.

Thanks for the ideas though :)

Skip




Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
On Thu, September 18, 2008 8:55 am, mouss wrote:
> Skip wrote:
>
>> What can I do to increase my chances on spammies like this one:
>> http://pastebin.com/m5f5d11e0
>>
>>
>
> maybe
>
> header _CTYPE_PLAIN Content-Type =~ m|text/plain|
> header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|
>
>
I wonder if that would have too many false positives.
It got me thinking though.  I looked in the 20_body_tests.cf rules and see
the following rules:

rawbody  __MIME_BASE64        eval:check_for_mime('mime_base64_count')
describe __MIME_BASE64        Includes a base64 attachment
rawbody  MIME_BASE64_BLANKS   eval:check_for_mime('mime_base64_blanks')
describe MIME_BASE64_BLANKS   Extra blank lines in base64 encoding
rawbody  MIME_BASE64_TEXT     eval:check_for_mime('mime_base64_encoded_text')
describe MIME_BASE64_TEXT     Message text disguised using base64 encoding

and from the 20_head_tests.cf
meta     FROM_EXCESS_BASE64   __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME
describe FROM_EXCESS_BASE64   From: base64 encoded unnecessarily

Interestingly, I have had exactly three spams fire the MIME_BASE64_TEXT
rule in the past six months, but I have had ten hams fire the rule.  Too
many FPs for me.

Same with the FROM_EXCESS_BASE64 rule:  I have had zero spams fire that
rule, but have had two hams fire it (they were newsletters from Red Hat).

Sadly, these both sound like they would be good rules, but they don't seem
to live up to their potential. (Btw, I am working with about 6,000 spams
and 3,500 hams)

Quick aside:  Does SA decode the message body before running the body
tests?  I was really surprised that the decoded content on this message
didn't trigger any of the get rich quick rules, or my bayes.
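On the decoding question: SpamAssassin's "body" rules run on the decoded, rendered text of the message, while "rawbody" rules (and a grep over the saved file) see the undecoded MIME part, so a base64-encoded pitch is invisible to a raw pattern but visible to a body rule. The following is an added example that is not part of the thread: it builds a constructed base64-encoded text/plain message, compares what a raw pattern and a decoded pattern see, and measures the longest base64 line, which is the property BASE64_LENGTH_79_INF keys on (a part wrapped at the MIME-standard 76 columns never reaches 79). The "get rich quick" pattern, addresses and message text are all made up for the demo.

```python
"""Added example (not from the thread): what SpamAssassin's "body" tests
see versus what "rawbody" tests see when the text is base64 encoded."""
import base64
import email
import re
from email import policy

# Stand-in for a "get rich quick" body rule; constructed for the demo.
RICH_QUICK = re.compile(
    r"\b(?:earn|make)\s+\$?\d[\d,]*\s+(?:per|a)\s+(?:week|month|day)\b", re.I)

PITCH = ("Hi! Earn $5,000 per week from home, no experience needed. "
         "Reply today and start making money tomorrow!")


def build_b64_message(text: str, width: int = 76) -> bytes:
    """Constructed sample: a text/plain part, base64 encoded, wrapped at
    'width' columns (76 is the MIME norm; spam tools often ignore it)."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    wrapped = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return ("From: winner@spam.test\n"
            "To: victim@corp.test\n"
            "Subject: hello\n"
            "MIME-Version: 1.0\n"
            "Content-Type: text/plain; charset=utf-8\n"
            "Content-Transfer-Encoding: base64\n"
            "\n" + wrapped + "\n").encode("ascii")


def raw_body(raw: bytes) -> str:
    """What a rawbody rule or a grep sees: the bytes after the headers."""
    return raw.split(b"\n\n", 1)[1].decode("ascii", "replace")


def decoded_text(raw: bytes) -> str:
    """What a body rule sees: every text/plain part, transfer-decoded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "us-ascii"
            parts.append(part.get_payload(decode=True).decode(charset, "replace"))
    return "\n".join(parts)


def longest_base64_line(raw: bytes) -> int:
    """Longest physical line inside any base64-encoded part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    longest = 0
    for part in msg.walk():
        cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        if cte == "base64":
            for line in part.get_payload(decode=False).splitlines():
                longest = max(longest, len(line))
    return longest


def rule_sees_pitch(raw: bytes) -> dict:
    """Does the pattern fire on the raw part, and on the decoded text?"""
    return {"rawbody": bool(RICH_QUICK.search(raw_body(raw))),
            "body": bool(RICH_QUICK.search(decoded_text(raw)))}


if __name__ == "__main__":
    for width in (76, 100):
        msg = build_b64_message(PITCH, width)
        print(width, rule_sees_pitch(msg), "longest b64 line:",
              longest_base64_line(msg))
```

With the sample wrapped at 76 the raw pattern misses and the decoded one hits; re-wrapping the same part at 100 columns is what pushes the longest line past 79.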



Another low scoring obvious spam message

2008-09-18 Thread Skip

What can I do to increase my chances on spammies like this one:
http://pastebin.com/m5f5d11e0

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: Setting up razor

2008-09-09 Thread Skip






Skip Morrow wrote:
> On Sun, September 7, 2008 10:09 am, Skip wrote:
>> Michael Scheidell wrote:
>>>> It was the firewall.  I got that fixed.  Now, here's my next problem.
>>>> I think taint mode is stopping razor from running on my system.  Since
>>>> I can't be root, I have to install Razor in my home directory.  So
>>> Will the system administrator allow you to set up a 'jailed', xen or vm
>>> environment so you can look like you are root while protecting his base
>>> server?  Can you get razor installed in the main system root?
>>
>> I seriously doubt it.  Is that my only option?
>
> I posted this over the weekend, and I would like to politely and
> respectfully repost it one more time this morning to see if anyone has any
> ideas to help me install Razor.  Sorry to be such a pest.
>
> Skip

Please?  :)

Any Razor experts out there that can help me?
-- 
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]





Re: Setting up razor

2008-09-08 Thread Skip Morrow
On Sun, September 7, 2008 10:09 am, Skip wrote:
>
> Michael Scheidell wrote:
>>> It was the
>>> firewall.  I got that fixed.  Now, here's my next problem.  I think taint
>>> mode is stopping razor from running on my system.  Since I can't be root,
>>> I have to install Razor in my home directory.  So
>> Will
>> the system administrator allow you to set up a 'jailed', xen or vm
>> environment so you can look like you are root while protecting his base
>> server?  Can you get razor installed in the main system root?
>
> I seriously doubt it.  Is that my only option?

I posted this over the weekend, and I would like to politely and
respectfully repost it one more time this morning to see if anyone has any
ideas to help me install Razor.  Sorry to be such a pest.

Skip
-- 
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]




Re: Setting up razor

2008-09-07 Thread Skip






Michael Scheidell wrote:
>> It was the firewall.  I got that fixed.  Now, here's my next problem.  I
>> think taint mode is stopping razor from running on my system.  Since I
>> can't be root, I have to install Razor in my home directory.  So
>
> Will the system administrator allow you to set up a 'jailed', xen or vm
> environment so you can look like you are root while protecting his base
> server?  Can you get razor installed in the main system root?

I seriously doubt it.  Is that my only option?
-- 
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]





Re: Setting up razor

2008-09-07 Thread Skip



Theo Van Dinter wrote:
> On Sat, Sep 06, 2008 at 11:32:54AM -0400, Skip wrote:
>> [EMAIL PROTECTED] [~]# telnet discovery.razor.cloudmark.com 2703
>> Trying 208.83.137.205...
>> telnet: connect to address 208.83.137.205: Connection timed out
>> Trying 208.83.137.117...
>> telnet: connect to address 208.83.137.117: Connection timed out
>
> It would seem you probably have a firewall in the way.  As far as I know,
> no, you can't use other ports, the servers only run on 2703.

It was the firewall.  I got that fixed.  Now, here's my next problem.  I 
think taint mode is stopping razor from running on my system.  Since I 
can't be root, I have to install Razor in my home directory.  So 
while everything seems fine outside of SA, as soon as SA starts running, 
my PERL5LIB environment variable gets reset and Razor2 doesn't know how 
to run.  At least that's my theory.  Any thoughts on how I could fix this? 

[EMAIL PROTECTED] [~]# perl -e 'require Mail::SpamAssassin::Plugin::Razor2'
[EMAIL PROTECTED] [~]# perl -e 'require Razor2::Client::Agent'
[EMAIL PROTECTED] [~]# cat Procmail/pmlog-skip |grep taint
[27100] dbg: util: running in taint mode? yes
[27100] dbg: util: taint mode: deleting unsafe environment variables, 
resetting PATH

[EMAIL PROTECTED] [~]# cat Procmail/pmlog-skip |grep razor -i
[27100] dbg: config: read file /home/peloruso/.spamassassin/25_razor2.cf
[27100] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[27100] dbg: razor2: razor2 is not available
[27100] dbg: config: fixed relative path: 
/home/peloruso/.spamassassin/updates_spamassassin_org/25_razor2.cf
[27100] dbg: config: using 
"/home/peloruso/.spamassassin/updates_spamassassin_org/25_razor2.cf" for 
included file
[27100] dbg: config: read file 
/home/peloruso/.spamassassin/updates_spamassassin_org/25_razor2.cf
[27100] dbg: config: fixed relative path: 
/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/25_razor2.cf
[27100] dbg: config: using 
"/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/25_razor2.cf" 
for included file


By the way, I have also tried pointing the loadplugin right to the 
Razor2.pm file, but that didn't help either, again because I think perl 
doesn't know how to find the rest of the files it needs once SA starts 
running.
#loadplugin Mail::SpamAssassin::Plugin::Razor2 
/home/peloruso/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Razor2.pm


I am using SA version 3.2.4

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
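The theory in the post above is right, and the mechanism is worth seeing in isolation. spamassassin runs under "perl -T", and perl itself ignores PERL5LIB and PERLLIB once taint mode is in effect (perlrun documents this), before SpamAssassin's own "deleting unsafe environment variables" step from the log even runs; a library directory passed with -I on the perl command line is still honoured. The script below is an added example that is not part of the thread: it lays out a stub Razor2::Client::Agent module in a temporary directory (constructed for the demo, not a real Razor2 install) and tries to load it under perl -T both ways. It needs a perl binary on the PATH.

```python
"""Added example (not from the thread): why a Razor2 installed under $HOME
is invisible to spamassassin even though 'perl -e "require
Razor2::Client::Agent"' works from the shell.  Under -T perl ignores
PERL5LIB/PERLLIB; a path given with -I is still used."""
import os
import shutil
import subprocess
import tempfile

# Stub standing in for Razor2/Client/Agent.pm; constructed for the demo.
STUB_MODULE = "package Razor2::Client::Agent;\nsub new { bless {}, shift }\n1;\n"


def perl_available() -> bool:
    return shutil.which("perl") is not None


def make_stub_lib() -> str:
    """Create <tmp>/Razor2/Client/Agent.pm, the shape of a home-directory
    install such as ~/lib/perl5/site_perl/<version>."""
    root = tempfile.mkdtemp(prefix="razor-stub-")
    os.makedirs(os.path.join(root, "Razor2", "Client"))
    with open(os.path.join(root, "Razor2", "Client", "Agent.pm"), "w") as fh:
        fh.write(STUB_MODULE)
    return root


def loads_under_taint(lib: str, via: str) -> bool:
    """Run 'require Razor2::Client::Agent' under perl -T with the library
    path supplied through PERL5LIB ("env") or through -I ("switch")."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    cmd = ["perl", "-T"]
    if via == "env":
        env["PERL5LIB"] = lib
    elif via == "switch":
        cmd.append("-I" + lib)
    else:
        raise ValueError(f"unknown mode {via!r}")
    cmd += ["-e", "require Razor2::Client::Agent; print qq{ok\\n};"]
    res = subprocess.run(cmd, env=env, capture_output=True, text=True)
    return res.returncode == 0 and res.stdout.strip() == "ok"


def taint_demo() -> tuple:
    """(loads via PERL5LIB, loads via -I) under taint mode.
    Expected: (False, True)."""
    lib = make_stub_lib()
    try:
        return loads_under_taint(lib, "env"), loads_under_taint(lib, "switch")
    finally:
        shutil.rmtree(lib, ignore_errors=True)


if __name__ == "__main__":
    print(taint_demo() if perl_available() else "perl not found on PATH")
```

The practical consequence for a procmail recipe is to pass the library directory on the command line rather than through the environment, e.g. perl -T -I/home/peloruso/lib/perl5/site_perl/5.8.8 /usr/bin/spamassassin (the /usr/bin/spamassassin path is an assumption; the lib path is the one shown in the loadplugin line above). The -T has to be repeated on the command line because the spamassassin script carries it on its #! line and perl refuses to start with "Too late for -T" otherwise. Note also that this only affects the module search path; the razor-agent.conf and identity files under ~/.razor are found through the home directory as usual.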



Re: Setting up razor

2008-09-06 Thread Skip



Ron Smith wrote:

I think razor is not free anymore.

Ron Smith
[EMAIL PROTECTED]

"Having an email problem is painful, but character-building."




Unless there is something newer than this, I believe Razor is free.
http://sourceforge.net/forum/forum.php?forum_id=576145

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Setting up razor

2008-09-06 Thread Skip
   = ac
razordiscovery = discovery.razor.cloudmark.com
rediscovery_wait   = 172800
report_headers = 1
turn_off_discovery = 0
use_engines= 4,8
whitelist  = razor-whitelist

[EMAIL PROTECTED] [~]# telnet discovery.razor.cloudmark.com 2703
Trying 208.83.137.205...
telnet: connect to address 208.83.137.205: Connection timed out
Trying 208.83.137.117...
telnet: connect to address 208.83.137.117: Connection timed out

Should I be able to telnet to discovery.razor.cloudmark.com on port 
2703?  If my system is blocking that port for some reason, can other 
ports be used and where is that configured?  I don't know how successful 
I would be at getting my server to unblock that port.


Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: Another "this should have triggered more rules" post

2008-09-01 Thread Skip



Skip wrote:
>> can you be more explicit. you got FPs with how many ','? did you have
>> an FP with 100?
>
> Sure.  When I ran it against my inbox, with 4587 "good" emails, I had
> 130 hits on MATCH20 and 2 hits on MATCH50, or 2.877% (0 with
> MATCH100).  The interesting thing is, if you think about it, people
> who routinely send emails to lots of people (jokes, family updates,
> whatever--you know who I mean), well, I think they will be on most
> people's whitelists in the first place.  A complete stranger, or even
> someone who you do know, probably isn't going to send you an email
> along with 49 of his/her closest friends as his first email to you.
> Although, it is not beyond the realm of possibility.  For instance, I
> am starting a new job tomorrow (true--I just retired from the military
> after 20 years of service).  Let's say there's a person who sends out
> a certain report and it goes to 100+ people.  Normally, I will get
> this at my work address.  Now, a few weeks from now, I need him to
> send it to my home address, just that once.  Now, he has never sent me
> anything and this comes in.  Bang.  So there is definitely risk.  I
> would assign it a relatively low score, probably no more than 1/3 of
> your spam threshold.  Funny thing is, when I ran the script against my
> spam folder, it had exactly ONE hit--just this email in question.  I
> have never seen a spam like that before.

I just realized I forgot to add the data for CC headers:
I had a total of 5 hits on the MATCH20 out of 4587 good emails for
0.109% and that's it--no other hits.  The above data (2.877%) was for
the To: header only.


--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: Another "this should have triggered more rules" post

2008-09-01 Thread Skip


> can you be more explicit. you got FPs with how many ','? did you have
> an FP with 100?

Sure.  When I ran it against my inbox, with 4587 "good" emails, I had
130 hits on MATCH20 and 2 hits on MATCH50, or 2.877% (0 with MATCH100).
The interesting thing is, if you think about it, people who routinely
send emails to lots of people (jokes, family updates, whatever--you know
who I mean), well, I think they will be on most people's whitelists in
the first place.  A complete stranger, or even someone who you do know,
probably isn't going to send you an email along with 49 of his/her
closest friends as his first email to you.  Although, it is not beyond
the realm of possibility.  For instance, I am starting a new job
tomorrow (true--I just retired from the military after 20 years of
service).  Let's say there's a person who sends out a certain report and
it goes to 100+ people.  Normally, I will get this at my work address.
Now, a few weeks from now, I need him to send it to my home address,
just that once.  Now, he has never sent me anything and this comes in.
Bang.  So there is definitely risk.  I would assign it a relatively low
score, probably no more than 1/3 of your spam threshold.  Funny thing
is, when I ran the script against my spam folder, it had exactly ONE
hit--just this email in question.  I have never seen a spam like that
before.

>> Just thinking aloud here: wouldn't it be a good idea to also check the
>> CC headers for the same conditions?

When I asked this question, my intention was to stimulate discussion as
to the worth of adding rules to my SA setup to also check the CC
header.  This thread has been focused on the To: header, but I think I
will also include the CC rules.  Thanks for the updated code though.

> describe TO_HARVESTED To: obviously harvested
> header   TO_HARVESTED To =~ /\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b/

The more I think about it, the "HARVESTED" rule really seems quite safe,
and I think it could be made more robust.  Anyone sending mail to you
along with obvious made up email addresses like that is certainly up to
no good.


--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: Another "this should have triggered more rules" post

2008-09-01 Thread Skip




> perl script.pl *

That did it!  Thanks!  I would definitely have had some FPs now that I
have checked.

Just thinking aloud here: wouldn't it be a good idea to also check the CC
headers for the same conditions?


--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: Another "this should have triggered more rules" post

2008-09-01 Thread Skip






  

>>> describe TO_TOO_MANY To: too many recipients
>>> header   TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
>>>
>>> describe TO_WAY_TOO_MANY To: way too many recipients
>>> header   TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){50}/
>>
>> The {20} variant will cause "normal" FPs. I don't think the {50} would
>> really cause FPs. but then
>>
>> header   TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){100}/
>>
>> should be more than conservative.
>
> Of course. The threshold for "too many" is naturally something that will
> vary for different people and situations.
>
>> Anyway, this is worth an MTA reject
>
> Good point - I added some tests to my milter-regex.
>
> However, not everyone can do MTA rejects on this, so SA rules do have
> utility.

What would be a command line equivalent that I can test this expression
against my current inbox in order to see if I would have had any FPs?
Something like
for file in *; do egrep ^To:.*(?:,[^,]{1,80}){20} $file;done
but this will only check one line (the To: header is obviously many,
many lines long) and generates a syntax error as is.

-- 
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
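The grep approach above fails for the reason the post gives: a long To: list is folded over many physical lines and egrep only ever sees the first one, so the count never reaches 20. The following is an added example that is not part of the thread, written in Python rather than the "perl script.pl *" that was passed around: it unfolds To: and Cc: the way SpamAssassin sees them, applies the TO_TOO_MANY/TO_WAY_TOO_MANY and TO_HARVESTED patterns exactly as posted (plus a Cc: variant, since that was the open question), and reports hit counts and percentages over a maildir-style folder so the MATCH20/MATCH50 false-positive rates discussed above can be reproduced on your own mail. The sample messages, addresses and domains are constructed for the demo.

```python
"""Added example (not from the thread): count hits of the recipient-header
rules over saved mail, with headers unfolded as SpamAssassin sees them."""
import email
import os
import re

# (header, pattern) per rule, patterns as posted in the thread.  TO_HARVESTED
# gets /i here, matching the equivalent form John Hardin gave for it.
RULES = {
    "TO_TOO_MANY":     ("To", re.compile(r"(?:,[^,]{1,80}){20}")),
    "TO_WAY_TOO_MANY": ("To", re.compile(r"(?:,[^,]{1,80}){50}")),
    "CC_TOO_MANY":     ("Cc", re.compile(r"(?:,[^,]{1,80}){20}")),
    "TO_HARVESTED":    ("To", re.compile(
        r"\@(?:(?:(?:example|your|some)\.domain)"
        r"|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b",
        re.I)),
}


def unfolded_header(msg, name: str) -> str:
    """All instances of a header joined, with RFC 5322 folding undone.
    This is the step a line-oriented grep cannot do."""
    return " ".join(re.sub(r"\r?\n[ \t]*", " ", str(v))
                    for v in msg.get_all(name, []))


def hits(raw: bytes) -> set:
    """Names of the rules above that fire on one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    return {name for name, (hdr, rx) in RULES.items()
            if rx.search(unfolded_header(msg, hdr))}


def scan_folder(path: str) -> dict:
    """Hit counts over every regular file in a folder (one message per
    file); returns {rule: (hits, percent of messages)}."""
    counts = {name: 0 for name in RULES}
    total = 0
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        total += 1
        with open(entry.path, "rb") as fh:
            for name in hits(fh.read()):
                counts[name] += 1
    return {name: (n, round(100.0 * n / total, 3) if total else 0.0)
            for name, n in counts.items()}


# --- constructed samples ---------------------------------------------------
def folded_list(n: int, domain: str = "corp.test") -> bytes:
    """n addresses, folded after every third one the way an MUA wraps them."""
    addrs = [f"user{i}@{domain}" for i in range(n)]
    chunks = [", ".join(addrs[i:i + 3]) for i in range(0, n, 3)]
    return ",\n ".join(chunks).encode()


SAMPLES = {
    "ham_two":    b"From: a@corp.test\nTo: b@corp.test, c@corp.test\n"
                  b"Subject: lunch\n\nnoon?\n",
    "forward_25": b"From: uncle@corp.test\nTo: " + folded_list(25) +
                  b"\nSubject: fw: joke\n\n...\n",
    "cc_25":      b"From: hr@corp.test\nTo: all@corp.test\nCc: " +
                  folded_list(25) + b"\nSubject: memo\n\n...\n",
    "spam_60":    b"From: x@spam.test\nTo: " + folded_list(60, "victims.test") +
                  b"\nSubject: $$$\n\n...\n",
    "harvested":  b"From: x@spam.test\nTo: me@corp.test, joe@example.com, "
                  b"bob@your.domain\nSubject: hi\n\n...\n",
}


def scan_samples() -> dict:
    return {name: sorted(hits(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in scan_samples().items():
        print(f"{name:12s} {fired or '-'}")
    # scan_folder(os.path.expanduser("~/Maildir/cur")) on real mail
```

Point scan_folder at a ham folder and a spam folder separately; the percentage column is the false-positive rate to weigh against the score you give the rule.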





Re: Another "this should have triggered more rules" post

2008-08-31 Thread Skip






John Hardin wrote:
> On Sun, 2008-08-31 at 14:33 -0400, Skip wrote:
>>> describe TO_HARVESTED To: obviously harvested
>>> header   TO_HARVESTED To =~ /\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b/
>>
>> Can you tell me how this rule works?  Or give a more realistic example
>> (in my case I would use pelorus.org, so feel free to demonstrate with that)
>
> It checks for any of the following domains in the To: list of addresses:
>
> @example.domain
> @your.domain
> @some.domain
> @example.com
> @your.domain.com
> @your.favorite.machine
>
> It's essentially a set of nested OR'd substring comparisons. An
> equivalent RE would be:
>
> /@(?:example\.domain|your\.domain|some\.domain|example\.com|your\.domain\.com|your\.favorite\.machine)\b/i
>
> That rule is the actual rule you'd use. You wouldn't need to change it
> based on your own domain, as all of those domains are bogus. They either
> refer to nonexistent domains commonly used in examples, or real domains
> (e.g. example.com) explicitly registered only for use in examples. If
> you see one of those domains in a recipient list, it's a pretty clear
> indication of automatic address harvesting and sloppy list cleaning.
> That's the spam sign this rule is checking for.

Oh, I get it--I thought I was supposed to replace "your.domain" with my
email domain or something like that.  How clever.  Yeah, those would be
obviously harvested, that's for sure.  Good rule.
-- 
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]





Re: Another "this should have triggered more rules" post

2008-08-31 Thread Skip



> How about these rules? (watch the line wrap)
>
> describe TO_HARVESTED To: obviously harvested
> header   TO_HARVESTED To =~ /\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b/

Can you tell me how this rule works?  Or give a more realistic example 
(in my case I would use pelorus.org, so feel free to demonstrate with that)

> How can google let this go out?

I was wondering that too.  Did it really come from gmail?

Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: Another "this should have triggered more rules" post

2008-08-31 Thread Skip


> This one only scored a 2.9 on my installation, as you can see.  I do
> have some custom rules (Sought and SARE) but no hits there.
>
> Skip

Oops... I meant to include this the first time.  These were the rules 
that it triggered on my installation:

X-Spam-Report: 
	*  2.5 HEAD_LONG Message headers are very long
	*  0.0 DKIM_SIGNED Domain Keys Identified Mail: message has a signature
	* -0.0 SPF_PASS SPF: sender matches SPF record
	*  0.4 URI_HEX URI: URI hostname has long hexadecimal sequence
	*  0.0 HTML_MESSAGE BODY: HTML included in message

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Another "this should have triggered more rules" post

2008-08-31 Thread Skip

Got this one today.  Never seen anything like this before.
http://pelorus.org/mix

(I couldn't even paste into pastebin--their spam catcher caught it)  
This one only scored a 2.9 on my installation, as you can see.  I do 
have some custom rules (Sought and SARE) but no hits there.


Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: This spam should have triggered more rules

2008-08-29 Thread Skip



> uri  URI_EXE  /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)(?:\W{0,20}$|\?)/i
>
> WARNING: quickly tested (and only with thunderbird).
>
> This will also catch things like "foo.exe- blah blah" and "foo.exe!!!
> blah blah". Testing with TB shows that it ignores "trailing
> punctuation".
>
> Wouldn't it be better if
> - the uri parser removes such trailing "punctuation"?
> - the uri parser checks two variants: "full" uri and the uri without
> the query string?

Looks promising.  Quick question: How do you test regular expressions 
with thunderbird?  I've been using TB since the early 1930's and don't 
remember seeing any regular expression type search options.


Well, maybe not the 30's but I've been using it a long time.

Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
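The three executable-URI patterns in this exchange differ only in what they allow after the extension, and the two failure cases raised (a query string after ".exe", and punctuation glued onto the end of a link in running text) are easy to check side by side. The script below is an added example that is not part of the thread: it pulls URIs out of a constructed message body, tests each pattern against the URI as written, and then again against the two cleaned-up forms the last post suggests (trailing punctuation stripped, and the query string removed). The clean-up is one way to do what that post proposes, not SpamAssassin's own URI parser, and the rule names, body and URIs are made up for the demo.

```python
"""Added example (not from the thread): how the posted executable-URI
patterns behave on raw versus cleaned-up URIs."""
import re

EXT = r"\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)"
RULES = {
    "EXECUTABLE_END":   re.compile(EXT + r"$", re.I),               # original
    "EXECUTABLE_QUERY": re.compile(EXT + r"($|\?)", re.I),          # + query
    "URI_EXE":          re.compile(EXT + r"(?:\W{0,20}$|\?)", re.I),  # + punct
}

# Bare URIs as a plain text scan picks them up: run to the next whitespace
# or quote, so "setup.exe," keeps its comma, which is the problem case.
URI_RX = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = re.compile(r"[.,;:!?)\]>'\"-]+$")


def extract_uris(body: str) -> list:
    """Unique URIs in order of appearance."""
    found = []
    for m in URI_RX.finditer(body):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def variants(uri: str) -> list:
    """Forms to test: as written, trailing punctuation stripped, and
    additionally with the query string removed (the post's suggestion)."""
    stripped = TRAILING_PUNCT.sub("", uri)
    forms = [uri, stripped, stripped.split("?", 1)[0]]
    return list(dict.fromkeys(forms))  # dedupe, keep order


def rule_hits(uri: str, normalise: bool = True) -> set:
    """Rules that fire for this URI.  With normalise=False only the raw
    form is tested, which is how the examples in the thread were missed."""
    forms = variants(uri) if normalise else [uri]
    return {name for name, rx in RULES.items()
            if any(rx.search(f) for f in forms)}


# Constructed body: a linked download with a tracking token, and the same
# file mentioned in running text with a comma stuck to it.
BODY = ('Get it <a href="http://dl.spam.test/setup.exe?token=abc">here</a> '
        'or from http://dl.spam.test/setup.exe, today!')


def demo() -> dict:
    """{uri: (rules on the raw form, rules after clean-up)}"""
    return {uri: (sorted(rule_hits(uri, normalise=False)),
                  sorted(rule_hits(uri)))
            for uri in extract_uris(BODY)}


if __name__ == "__main__":
    for uri, (raw, cleaned) in demo().items():
        print(uri, "\n  raw:", raw, "\n  cleaned:", cleaned)
```

One caveat the clean-up does not remove: because every variant is tested, a benign link such as http://host/page?file=a.exe still matches the bare `\.exe$` form on its raw text, so the query-string handling cuts false negatives, not false positives.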



Re: This spam should have triggered more rules

2008-08-28 Thread Skip

mouss wrote:
> Jason Haar wrote:
>> Karsten Bräckelmann wrote:
>>> uri  EXECUTABLE  /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i
>>
>> That won't stop "blah.exe?token=cookie". Web servers will still
>> return "blah.exe" (and the attacker can trackback who clicked on it
>> too that way! ;-)
>>
>> How about
>>
>> uri  EXECUTABLE  /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)($|\?)/i
>
> and these won't catch "foo.exe," and the like due to how URIs are
> parsed by SA.

Any smart RE guys/gals out there that want to suggest a better 
expression here.  I think some of the counter points raised here are 
quite valid, but I'm not the guy to fix them.


Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: This spam should have triggered more rules

2008-08-27 Thread Skip




> Scored well here:
>
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10)
> X-Spam-Level: x
> X-Spam-Status: Reqd:5.0 Hits:17.1 Learn:disabled Tests:JM_SOUGHT_2=4,
> JM_SOUGHT_3=4,SG_EXECUTABLE_URI=3,UNPARSEABLE_RELAY=0.001,
> URIBL_AB_SURBL=1.613,URIBL_BLACK=1.961,URIBL_SC_SURBL=2.523
>
> -d

Yesterday when I received the message, it didn't trigger the SC SURBL, 
but it does today for me too.  I know sometimes it can take them a while 
to catch up to the spammers.


Tell me, where did you get the SG_EXECUTABLE_URI rule?  I don't have it 
in my installation.


http://www.google.com/search?num=100&hl=en&safe=off&q=SG_EXECUTABLE_URI&btnG=Search
returns 0 hits.

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



This spam should have triggered more rules

2008-08-27 Thread Skip

http://pastebin.com/m5b376775

I have the botnet rules enabled and they trigger on a lot of my spam, as 
well as the sought rules.  But not this message.  This spam only 
triggered two rules, and I feel it should have triggered more.  
Yeah, it passed my spam threshold and was caught, but just barely.  
Anything I could have done to increase my chances on this one?  Perhaps 
something about linking to an exe?  That can't be good.


Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: Re: more help on whitelist_from_rcvd

2008-08-11 Thread Skip






Skip wrote:
> Noel Jones wrote:
>> On Mon, Aug 11, 2008 at 12:30 PM, Skip <[EMAIL PROTECTED]> wrote:
>>> Randal, Phil wrote:
>>>> I see no
>>>>
>>>>  whitelist_from_dkim *@ebay.com emarsys.net
>>>>
>>>> in your list.
>>>>
>>>> Not that I'm sure that's the problem.
>>>>
>>>> A
>>>>
>>>>  whitelist_from_rcvd *@ebay.com emarsys.net
>>>>
>>>> Should have caught that one too (if you really trust emarsys.net).
>>>>
>>>> Phil
>>>> --
>>>> Phil Randal
>>>> Networks Engineer
>>>> Herefordshire Council
>>>> Hereford, UK
>>>
>>> *sigh* that whitelist_from_dkim rule didn't do it.  That
>>> whitelist_from_rcvd rule however did do the trick, but I am still
>>> interested in figuring out how to get the dkim rule working.  Any other
>>> ideas?
>>>
>>> Skip
>>
>> The only argument is the From: address; this seems to work for me:
>> whitelist_from_dkim  *@ebay.com
>> whitelist_from_dkim *.ebay.com
>>
>> -- 
>> Noel Jones

Oops... sorry about the subject line getting changed there.  I hope it
doesn't mess up you "threading" guys.
-- 
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]





Re: Sender NOT in Whitelist-- Re: more help on whitelist_from_rcvd

2008-08-11 Thread Skip






Noel Jones wrote:
> On Mon, Aug 11, 2008 at 12:30 PM, Skip <[EMAIL PROTECTED]> wrote:
>> Randal, Phil wrote:
>>> I see no
>>>
>>>  whitelist_from_dkim *@ebay.com emarsys.net
>>>
>>> in your list.
>>>
>>> Not that I'm sure that's the problem.
>>>
>>> A
>>>
>>>  whitelist_from_rcvd *@ebay.com emarsys.net
>>>
>>> Should have caught that one too (if you really trust emarsys.net).
>>>
>>> Phil
>>> --
>>> Phil Randal
>>> Networks Engineer
>>> Herefordshire Council
>>> Hereford, UK
>>
>> *sigh* that whitelist_from_dkim rule didn't do it.  That
>> whitelist_from_rcvd rule however did do the trick, but I am still
>> interested in figuring out how to get the dkim rule working.  Any other
>> ideas?
>>
>> Skip
>
> The only argument is the From: address; this seems to work for me:
> whitelist_from_dkim  *@ebay.com
> whitelist_from_dkim *.ebay.com
>
> -- 
> Noel Jones

Here's what I got when I tried that:
[5953] dbg: dkim: performing public key lookup and signature
verification
[5953] dbg: dkim: signing identity: @ebay.com, d=ebay.com, a=rsa-sha1,
c=relaxed/relaxed
[5953] dbg: dkim: signing identity: [EMAIL PROTECTED], d=ebay.com,
a=rsa-sha1, c=nofws
[5953] dbg: dkim: signature verification result: PASS
[5953] dbg: dkim: VALID third-party signature by id @ebay.com, author
[EMAIL PROTECTED], no valid matches
[5953] dbg: dkim: FAILED author signature by id [EMAIL PROTECTED],
author [EMAIL PROTECTED], MATCHES whitelist_from_dkim
(?i-xsm:[EMAIL PROTECTED])
[5953] dbg: dkim: FAILED author signature by id [EMAIL PROTECTED],
author [EMAIL PROTECTED], MATCHES whitelist_from_dkim
(?i-xsm:^.*\.ebay\.com$)
[5953] dbg: dkim: FAILED author signature by id [EMAIL PROTECTED],
author [EMAIL PROTECTED], MATCHES whitelist_from_dkim
(?i-xsm:[EMAIL PROTECTED])
[5953] dbg: dkim: FAILED author signature by id [EMAIL PROTECTED],
author [EMAIL PROTECTED], no valid matches
[5953] dbg: dkim: author [EMAIL PROTECTED], found in
whitelist_from_dkim BUT IGNORED
[5953] dbg: dkim: policy: performing lookup
[5953] dbg: dkim: policy result neutral: o=~

and my rules are:
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED] us.emarsys.net
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED] emarsys.net
whitelist_from_dkim [EMAIL PROTECTED] us.emarsys.net
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim *.ebay.com
whitelist_from_dkim [EMAIL PROTECTED]

-- 
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
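
The debug output above shows the two outcomes that matter when a whitelist is built on signatures: a VALID third-party signature (identity @ebay.com) that matches no entry, and an author signature that matches entries but FAILED verification and is therefore ignored. The block below is an added example, not SpamAssassin's code: a Python model of that decision that parses the DKIM-Signature header quoted in this thread, where the From: address is a constructed placeholder and the reading of the optional second parameter as an acceptable signing domain is the model's own assumption.

```python
"""Model of SpamAssassin 3.2 whitelist_from_dkim matching, as read from the thread's
debug output.  Added example, not SpamAssassin code; the author address is constructed."""
import re
from dataclasses import dataclass

# DKIM-Signature header copied from the emarsys/ebay message quoted in the thread.
DKIM_HEADER = ("a=rsa-sha1; c=relaxed/relaxed; q=dns; s=emarsys2007; d=ebay.com;\r\n"
               "\th=From:To:Subject:MIME-Version:Content-Type:Date:Message-Id;\r\n"
               "\tb=Wk4mOk98BeMCjqcPi0ww6lUqXUd+TtWf+BHbYd4UYCrUyXQTRspzy79lASjSq2TVFzJLb94xPK4b\r\n"
               "\t 5LMorMkcXh4IFjhmrrvbMOGBd8T07N2qc2Z57khJG5qp3INxfwrq")

@dataclass
class Signature:
    identity: str    # i= tag, or "@" + d= when i= is absent (the DKIM default)
    domain: str      # d= tag
    verified: bool   # PASS/FAIL from the cryptographic verifier, not decided here

def parse_tag_list(value: str) -> dict:
    """Parse a tag=value list; folding whitespace is stripped first, which is
    harmless for every tag used here (b= is base64, h= contains no spaces)."""
    tags = {}
    for item in re.sub(r"\s+", "", value).split(";"):
        if item:
            name, _, val = item.partition("=")
            tags[name] = val
    return tags

def signature_from_header(value: str, verified: bool) -> Signature:
    tags = parse_tag_list(value)
    return Signature(tags.get("i") or "@" + tags["d"], tags["d"], verified)

def glob_to_regex(pattern: str) -> str:
    """SpamAssassin address glob: '*' -> '.*', '?' -> '.', anchored.  The debug
    output shows *.ebay.com compiled as (?i-xsm:^.*\\.ebay\\.com$)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return "^" + body + "$"

def glob_match(pattern: str, value: str) -> bool:
    return re.match(glob_to_regex(pattern), value, re.IGNORECASE) is not None

def domain_part(identity: str) -> str:
    return identity.rsplit("@", 1)[-1].lower()

def rule_applies(rule: tuple, author: str, sig: Signature) -> bool:
    """rule = (address_glob, acceptable_signing_domain or None).  Model assumption:
    without a second parameter only an author signature (identity == From) qualifies;
    with one, the signing identity's domain must be that domain or a subdomain of it."""
    address_glob, signer = rule
    if not glob_match(address_glob, author):
        return False
    if signer is None:
        return sig.identity.lower() == author.lower()
    d = domain_part(sig.identity)
    return d == signer.lower() or d.endswith("." + signer.lower())

def evaluate(author: str, signatures: list, rules: list):
    """Return (whitelisted, log); log lines are shaped like the thread's dbg output.
    An entry is honoured only on a signature that verified; a match on a FAILED
    signature is reported and then ignored, which is the fail-safe the thread shows."""
    log, whitelisted = [], False
    for sig in signatures:
        kind = "author" if sig.identity.lower() == author.lower() else "third-party"
        status = "VALID" if sig.verified else "FAILED"
        matched = [r for r in rules if rule_applies(r, author, sig)]
        if not matched:
            log.append(f"{status} {kind} signature by id {sig.identity}, author {author}, no valid matches")
            continue
        for address_glob, _ in matched:
            log.append(f"{status} {kind} signature by id {sig.identity}, author {author}, "
                       f"MATCHES whitelist_from_dkim ({glob_to_regex(address_glob)})")
        if sig.verified:
            whitelisted = True
        else:
            log.append(f"author {author}, found in whitelist_from_dkim BUT IGNORED")
    return whitelisted, log

# Constructed scenario mirroring the thread: a valid third-party DKIM signature (d=ebay.com,
# no i=) plus an author DomainKeys signature that failed verification.
AUTHOR = "motors@ebay.com"                      # constructed; the real From: is redacted
SIGS = [signature_from_header(DKIM_HEADER, verified=True),
        Signature(identity=AUTHOR, domain="ebay.com", verified=False)]
THREAD_RULES = [(AUTHOR, "us.emarsys.net"), (AUTHOR, None), ("*.ebay.com", None)]
FIXED_RULES = [(AUTHOR, "ebay.com")]            # accept the signing domain that actually verified

if __name__ == "__main__":
    for name, rules in (("thread rules", THREAD_RULES), ("fixed rule", FIXED_RULES)):
        ok, log = evaluate(AUTHOR, SIGS, rules)
        print(f"{name}: whitelisted={ok}")
        for line in log:
            print("  dbg: dkim:", line)
```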





Re: more help on whitelist_from_rcvd

2008-08-11 Thread Skip



Randal, Phil wrote:

I see no

  whitelist_from_dkim [EMAIL PROTECTED] emarsys.net

in your list.

Not that I'm sure that's the problem.

A

  whitelist_from_rcvd [EMAIL PROTECTED] emarsys.net

Should have caught that one too (if you really trust emarsys.net).

Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
  
  
*sigh* that whitelist_from_dkim rule didn't do it.  That 
whitelist_from_rcvd rule however did do the trick, but I am still 
interested in figuring out how to get the dkim rule working.  Any other 
ideas?


Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: more help on whitelist_from_rcvd

2008-08-11 Thread Skip
Awesome.  The DKIM module works for that message, but I can't get it to 
accept this message


Received: from e3uspmta152.emarsys.net ([91.194.248.152])
   by box106.bluehost.com with esmtp (Exim 4.69)
   (envelope-from <[EMAIL PROTECTED]>)
   id 1KSGh7-0004Qw-2I
   for [EMAIL PROTECTED]; Sun, 10 Aug 2008 13:35:13 -0600
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; q=dns; s=emarsys2007; d=ebay.com;
   h=From:To:Subject:MIME-Version:Content-Type:Date:Message-Id;
   b=Wk4mOk98BeMCjqcPi0ww6lUqXUd+TtWf+BHbYd4UYCrUyXQTRspzy79lASjSq2TVFzJLb94xPK4b
   5LMorMkcXh4IFjhmrrvbMOGBd8T07N2qc2Z57khJG5qp3INxfwrq
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=emarsys2007; d=ebay.com;
   b=BF5coyhrrrOOmNXR5ja235DpRo0dnrkb0/J/bBML4STNlCNJZgKNVxyti7DReZXor4bBPWm6tHZa
   FliDIttfU/K6zs4ODcyxWwDQdkIIGvW9yg3ZP/AhSWwK9PQFCeIJ;
Received: from us.emarsys.net (10.105.0.82) by e3uspmta152.emarsys.net
   (PowerMTA(TM) v3.2r2) id hjt1f80g8bc6 for <[EMAIL PROTECTED]>; Sun, 10
   Aug 2008 21:35:14 +0200 (envelope-from <[EMAIL PROTECTED]>)

From: eBay Motors <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: List your car locally on eBay Motors!
X-EMarSys-Environment: e3us
X-EMarSys-Identify: 1301_810712249304_831911679098
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_--=_112358201558820"
Date: Sun, 10 Aug 2008 21:35:14 +0200
Message-Id: <[EMAIL PROTECTED]>
X-user: 91.194.248.152:box106.bluehost.com::

ebay often uses emarsys.net as their bulk mailer.  I have added the 
following rules (more or less at random in the hope that one of them 
would work--I know I can delete some of them once I get this working)


whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED] us.emarsys.net
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED] us.emarsys.net
whitelist_from_dkim @ebay.com
whitelist_from_dkim [EMAIL PROTECTED]

but when I pipe the message through sa, I get this:

[5464] dbg: dkim: performing public key lookup and signature verification
[5464] dbg: dkim: signing identity: @ebay.com, d=ebay.com, a=rsa-sha1, 
c=relaxed/relaxed
[5464] dbg: dkim: signing identity: [EMAIL PROTECTED], d=ebay.com, 
a=rsa-sha1, c=nofws

[5464] dbg: dkim: signature verification result: PASS
[5464] dbg: dkim: VALID third-party signature by id @ebay.com, author 
[EMAIL PROTECTED], no valid matches
[5464] dbg: dkim: FAILED author signature by id [EMAIL PROTECTED], 
author [EMAIL PROTECTED], MATCHES whitelist_from_dkim 
(?i-xsm:[EMAIL PROTECTED])
[5464] dbg: dkim: FAILED author signature by id [EMAIL PROTECTED], 
author [EMAIL PROTECTED], MATCHES whitelist_from_dkim 
(?i-xsm:[EMAIL PROTECTED])
[5464] dbg: dkim: FAILED author signature by id [EMAIL PROTECTED], 
author [EMAIL PROTECTED], no valid matches
[5464] dbg: dkim: author [EMAIL PROTECTED], found in 
whitelist_from_dkim BUT IGNORED

[5464] dbg: dkim: policy: performing lookup
[5464] dbg: dkim: policy result neutral: o=~

would you believe that the following google search has zero hits?
http://www.google.com/search?num=100&hl=en&safe=off&q=%22failed+author+signature%22+dkim&btnG=Search

Thanks in advance!

Skip

Randal, Phil wrote:

whitelist_from_dkim might be a better way to go:

http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_DKIM.html

Cheers,

Phil


--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-Original Message-
From: Skip [mailto:[EMAIL PROTECTED] 
Sent: 11 August 2008 14:15

To: SpamAssassin Users List
Subject: more help on whitelist_from_rcvd

I'm trying to make sure email from ebay is legit.  I received an email
from ebay today with the following headers:

Received: from mxsmfpool02.ebay.com ([66.135.209.199]
helo=mxsmfpool01.ebay.com)
by box106.bluehost.com with esmtp (Exim 4.69)
(envelope-from <[EMAIL PROTECTED]>)
id 1KSISe-0003wZ-8P
for [EMAIL PROTECTED]; Sun, 10 Aug 2008 15:28:24 -0600
Received: from sjc2bat11.sjc.ebay.com ([10.8.194.232])
by mxsmfpool01.ebay.com (8.13.5/8.13.5) with ESMTP id
m7ALSNCM012713
for <[EMAIL PROTECTED]>; Sun, 10 Aug 2008 14:28:27 -0700
DomainKey-Signature: a=rsa-sha1; s=dksm28; d=ebay.com; c=nofws; q=dns;
 h=x-ebay-mailtracker:to:from:mime-version:content-type:subject:date:
 message-id:reply-to:x-ebay-mailversiontracker;
 b=oMkULX7sexFP8Davsg9eBquC6yrj7BytJZVtNZ8qQwuipOJUcwjSPZvcmQdYyx+zU
 68Ot5VuDBGylST0mLRzsQ==
X-eBay-MailTracker: 11020.567.0.0
To: [EMAIL PROTECTED]
From: eBay <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary=23401732.1218403700945.JavaMail.ebba.sjc2bat11
Subject: Check out the latest items from your favorite sellers on eBay
Date: Sun, 10 Aug 08 14:28:20 GMT-0700
Message-ID: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
X-eBay-MailVersionTr

more help on whitelist_from_rcvd

2008-08-11 Thread Skip
I'm trying to make sure email from ebay is legit.  I received an email 
from ebay today with the following headers:


Received: from mxsmfpool02.ebay.com ([66.135.209.199] 
helo=mxsmfpool01.ebay.com)

   by box106.bluehost.com with esmtp (Exim 4.69)
   (envelope-from <[EMAIL PROTECTED]>)
   id 1KSISe-0003wZ-8P
   for [EMAIL PROTECTED]; Sun, 10 Aug 2008 15:28:24 -0600
Received: from sjc2bat11.sjc.ebay.com ([10.8.194.232])
   by mxsmfpool01.ebay.com (8.13.5/8.13.5) with ESMTP id m7ALSNCM012713
   for <[EMAIL PROTECTED]>; Sun, 10 Aug 2008 14:28:27 -0700
DomainKey-Signature: a=rsa-sha1; s=dksm28; d=ebay.com; c=nofws; q=dns;
   h=x-ebay-mailtracker:to:from:mime-version:content-type:subject:date:
   message-id:reply-to:x-ebay-mailversiontracker;
   b=oMkULX7sexFP8Davsg9eBquC6yrj7BytJZVtNZ8qQwuipOJUcwjSPZvcmQdYyx+zU
   68Ot5VuDBGylST0mLRzsQ==
X-eBay-MailTracker: 11020.567.0.0
To: [EMAIL PROTECTED]
From: eBay <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/alternative; 
boundary=23401732.1218403700945.JavaMail.ebba.sjc2bat11

Subject: Check out the latest items from your favorite sellers on eBay
Date: Sun, 10 Aug 08 14:28:20 GMT-0700
Message-ID: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
X-eBay-MailVersionTracker: 567.6690890
X-user: 66.135.209.199:box106.bluehost.com::

And I figured the following SA rules would guarantee passage:

whitelist_from_rcvd [EMAIL PROTECTED] sjc2bat11.sjc.ebay.com
whitelist_from_rcvd [EMAIL PROTECTED] mxsmfpool02.ebay.com
whitelist_from_rcvd [EMAIL PROTECTED] mxsmfpool01.ebay.com
whitelist_from_rcvd [EMAIL PROTECTED] ebay.com
whitelist_from_rcvd [EMAIL PROTECTED] emarsys.net

trusted_networks 192.168/16
trusted_networks 69.89.22.106
trusted_networks 68.231.250/8
internal_networks 192.168/16
internal_networks 69.89.22.106
internal_networks 68.231.250/8

But alas, it does not work--I'm still not able to whitelist this 
message.  I realize that with this route, I would have to whitelist 
every one of ebay's outgoing mail servers (right???), or is there a 
better way?  In concept, this seems like a great way to ensure one does 
not get spoofed emails, but gosh, it sure is hard to set up the rules 
for it.  Unless I'm missing something simple.


Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



sa-update configuration pre rules

2008-08-06 Thread Skip
I'm trying to use sa-update for the first time, but I am getting some 
errors.  I hope you gurus can help.


I believe the root of my problem is that sa-update is looking for my 
*.pre rules in /etc/mail/spamassassin.  But my rules are not there.  And 
I don't see a command line option to tell sa-update to look somewhere 
else (like the --siteconfigpath option for the spamassassin command).  I 
do not have access to my /etc directory, so moving my rules there is not 
an option.  Am I missing something in the sa-update command that will 
get me going?


Cheers!
Skip

[EMAIL PROTECTED] [~]# sa-update --updatedir /home/peloruso/.spamassassin/ \
--gpghomedir .spamassassin/ --gpgkey 6C6191E3 --channel sought.rules.yerp.org \
--channel updates.spamassassin.org -D
[5217] dbg: logger: adding facilities: all
[5217] dbg: logger: logging level is DBG
[5217] dbg: generic: SpamAssassin version 3.2.4
[5217] dbg: config: score set 0 chosen.
[5217] dbg: dns: no ipv6
[5217] dbg: dns: is Net::DNS::Resolver available? yes
[5217] dbg: dns: Net::DNS version: 0.63
[5217] dbg: generic: sa-update version svn607589
[5217] dbg: generic: using update directory: /home/peloruso/.spamassassin/
[5217] dbg: diag: perl platform: 5.008008 linux
[5217] dbg: diag: module installed: Digest::SHA1, version 2.11
[5217] dbg: diag: module installed: HTML::Parser, version 3.56
[5217] dbg: diag: module installed: Net::DNS, version 0.63
[5217] dbg: diag: module installed: MIME::Base64, version 3.07
[5217] dbg: diag: module installed: DB_File, version 1.815
[5217] dbg: diag: module installed: Net::SMTP, version 2.31
[5217] dbg: diag: module installed: Mail::SPF, version v2.005
[5217] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[5217] dbg: diag: module installed: IP::Country::Fast, version 604.001
[5217] dbg: diag: module not installed: Razor2::Client::Agent ('require' 
failed)

[5217] dbg: diag: module not installed: Net::Ident ('require' failed)
[5217] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[5217] dbg: diag: module installed: IO::Socket::SSL, version 1.14
[5217] dbg: diag: module installed: Compress::Zlib, version 2.001
[5217] dbg: diag: module installed: Time::HiRes, version 1.9715
[5217] dbg: diag: module installed: Mail::DomainKeys, version 1.0
[5217] dbg: diag: module installed: Mail::DKIM, version 0.32
[5217] dbg: diag: module installed: DBI, version 1.605
[5217] dbg: diag: module installed: Getopt::Long, version 2.37
[5217] dbg: diag: module installed: LWP::UserAgent, version 5.810
[5217] dbg: diag: module installed: HTTP::Date, version 5.810
[5217] dbg: diag: module installed: Archive::Tar, version 1.38
[5217] dbg: diag: module installed: IO::Zlib, version 1.09
[5217] dbg: diag: module installed: Encode::Detect, version 1.01
[5217] dbg: gpg: adding key id 6C6191E3
[5217] dbg: gpg: Searching for 'gpg'
[5217] dbg: util: current PATH is: 
/ramdisk/bin:/ramdisk/bin:/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/X11R6/bin:/home/peloruso/bin:/home/peloruso/usr/bin

[5217] dbg: util: executable for gpg was found at /usr/bin/gpg
[5217] dbg: gpg: found /usr/bin/gpg
[5217] dbg: gpg: release trusted key id list: 
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 
26C900A46DD40CD5AD24F6D7DEE01987265FA05B 
0C2B1D7175B852C64B3CDC716C55397824F434CE 6C6191E3

[5217] dbg: channel: attempting channel sought.rules.yerp.org
[5217] dbg: channel: update directory 
/home/peloruso/.spamassassin/sought_rules_yerp_org
[5217] dbg: channel: channel cf file 
/home/peloruso/.spamassassin/sought_rules_yerp_org.cf
[5217] dbg: channel: channel pre file 
/home/peloruso/.spamassassin/sought_rules_yerp_org.pre

[5217] dbg: dns: 4.2.3.sought.rules.yerp.org => 682080, parsed as 682080
[5217] dbg: channel: preparing temp directory for new channel
[5217] dbg: generic: update tmp directory /tmp/.spamassassin5217OxWvR5tmp
[5217] dbg: generic: lint checking site pre files once before attempting 
channel updates

[5217] dbg: generic: SpamAssassin version 3.2.4
[5217] dbg: config: score set 0 chosen.
[5217] dbg: dns: no ipv6
[5217] dbg: dns: is Net::DNS::Resolver available? yes
[5217] dbg: dns: Net::DNS version: 0.63
[5217] dbg: ignore: using a test message to lint rules
[5217] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[5217] dbg: config: using "/tmp/.spamassassin5217OxWvR5tmp/doesnotexist" 
for sys rules pre files
[5217] dbg: config: using "/tmp/.spamassassin5217OxWvR5tmp/doesnotexist" 
for default rules dir
[5217] dbg: config: using 
"/tmp/.spamassassin5217OxWvR5tmp/doesnotexist/doesnotexist" for user 
prefs file

config: no configuration text or files found! please check your setup
[5217] dbg: conf: finish parsing
[5217] dbg: config: score set 0 chosen.
[5217] dbg: message: main message type: text/plain
[5217] dbg: message:  MIME PARSER START 
[5217] dbg: message: parsing 

Giving Back--A stats script I wrote

2008-08-02 Thread Skip
This may be kinda simple for you gurus out there, in which case I 
welcome your feedback and suggestions to make this better.  But if 
anyone finds this useful...great!


I wanted a stats tool that would tell me what rules were hit on the 
most.  Which ones ONLY trigger on spam and which ones ONLY trigger on 
HAM?  I wanted to know what percentage of my HAM was whitelisted.  Do I 
have my rule scores set high or low enough and do I have the required 
score for the SPAM threshold at the right place?  I wanted something 
that was flexible and powerful.  So I thought about ways to get my 
spamassassin data into mysql.  Look at this screenshot and you'll get 
the idea:


http://pelorus.org/pictures/mailstats.gif

Obviously, with that type of granularity, I could generate any kind of 
report I wanted. 

The way I do it is I generate a few custom headers in procmail to make 
things easier, and I have a couple of special SA headers added, again, 
to make things easier.  Then I pipe a carbon copy of each email through 
this bash script which parses it and puts all the data into mysql.  I 
just finished it today, so I don't have any pretty charts or anything 
yet, but I do think it will meet my needs.


I did look at some of the other data collection utilities out there, but 
I didn't see any that were quite this flexible, if I do say so myself.  
Perhaps I am mistaken and there is one (or more) that can do what this 
does and more.


Here's the script, along with many (helpful, I hope) comments.
http://pastebin.com/f743e7daa

Like I said, if any of you smart guys out there see ways to improve 
this, I sure would appreciate the feedback.


Thanks.

Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: whitelist_from_rcvd

2008-07-25 Thread Skip



Jari Fredriksson wrote:

Why would I not be whitelisted here?  I have the
following entries in 
my user_prefs file

whitelist_from_rcvd [EMAIL PROTECTED] pelorus.org
internal_networks 192.168/16
internal_networks 69.89.22.106



It seems pelorus.org is your mx for incoming mail.

According to the snippet, and your mail to this list, your outgoing email 
server is

eastrmmtao101.cox.net (68.230.240.7)

So I think your whitelist_from_rcvd should be

whitelist_from_rcvd [EMAIL PROTECTED] eastrmmtao101.cox.net

The pelorus.org is not visible on your email headers. However, it must be seen 
in your trusted_networks (if not internal_networks - I don't know if it is 
internal (managed by you) or just trusted).

Regards
jarif


  

I thought it might be that and had actually tried that before.  I just 
tried it again hoping that perhaps I had made a typo and it still did 
not work.


According to the documentation, the trusted_networks settings shouldn't 
affect this, but here are mine just in case someone else thinks it makes 
a difference.


internal_networks 192.168/16
internal_networks 69.89.22.106


Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



whitelist_from_rcvd

2008-07-24 Thread Skip
Why would I not be whitelisted here?  I have the following entries in 
my user_prefs file

whitelist_from_rcvd [EMAIL PROTECTED] pelorus.org
internal_networks 192.168/16
internal_networks 69.89.22.106

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on box106.bluehost.com
X-Spam-Level: R
X-Spam-Status: Yes, score=5.3 required=3.0 tests=AWL,BAYES_00,SPF_NEUTRAL,
TVD_SPACE_RATIO autolearn=no version=3.2.4
X-Spam-Report: 
	*  0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
	* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
	*  [score: 0.]
	*  2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
	*  5.0 AWL AWL: From: address is in the auto white-list
Received: from eastrmmtao102.cox.net ([68.230.240.8])
by box106.bluehost.com with esmtp (Exim 4.69)
(envelope-from <[EMAIL PROTECTED]>)
id 1KMCUb-0001WW-AU
for [EMAIL PROTECTED]; Thu, 24 Jul 2008 19:53:13 -0600
Received: from eastrmimpo03.cox.net ([68.1.16.126])
 by eastrmmtao102.cox.net
 (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP
 id <[EMAIL PROTECTED]>
 for <[EMAIL PROTECTED]>; Thu, 24 Jul 2008 21:53:15 -0400
Received: from [192.168.1.113] ([68.231.250.115])
by eastrmimpo03.cox.net with bizsmtp
id u1tE1Z0062W8SQ4021tEyq; Thu, 24 Jul 2008 21:53:14 -0400
Message-ID: <[EMAIL PROTECTED]>
Date: Thu, 24 Jul 2008 21:53:05 -0400
From: Skip <[EMAIL PROTECTED]>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: Skip Morrow <[EMAIL PROTECTED]>
Subject: Test
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-user: 68.230.240.8:box106.bluehost.com::

Testing



--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
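
Jari's reply earlier in this archive and the question above turn on what whitelist_from_rcvd actually compares: not the domain in the From: address, but the reverse DNS of the relay that handed the message to the first trusted host, as recorded in the Received headers. The block below is an added example, not SpamAssassin's code: a Python model of that walk over the Received headers quoted in this post, using the user_prefs networks given here; the From: address is a constructed placeholder, and the expansion of SpamAssassin's network shorthand follows plain CIDR arithmetic.

```python
"""Model of the relay whitelist_from_rcvd is checked against.  Added example, not
SpamAssassin code.  Received headers are copied from the test message in this
thread; the From: / envelope address is a constructed placeholder."""
import fnmatch
import ipaddress
import re

# Hops as they appear in the message, most recent (the receiving MX) first.
RECEIVED = [
    "from eastrmmtao102.cox.net ([68.230.240.8]) by box106.bluehost.com with esmtp"
    " (Exim 4.69) (envelope-from <user@pelorus.org>) id 1KMCUb-0001WW-AU"
    " for user@pelorus.org; Thu, 24 Jul 2008 19:53:13 -0600",
    "from eastrmimpo03.cox.net ([68.1.16.126]) by eastrmmtao102.cox.net"
    " (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP"
    " id <redacted>; Thu, 24 Jul 2008 21:53:15 -0400",
    "from [192.168.1.113] ([68.231.250.115]) by eastrmimpo03.cox.net with bizsmtp"
    " id u1tE1Z0062W8SQ4021tEyq; Thu, 24 Jul 2008 21:53:14 -0400",
]
AUTHOR = "user@pelorus.org"                      # constructed; the real From: is redacted
JULY_TRUSTED = ["192.168/16", "69.89.22.106"]    # the user_prefs settings quoted above

RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?.*?\)\s+by\s+(\S+)", re.S)

def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Expand the shorthand used in the thread: missing octets are zero
    (192.168/16 -> 192.168.0.0/16) and a bare address is a /32.  Plain CIDR
    arithmetic then applies, so 68.231.250/8 covers all of 68.0.0.0/8."""
    addr, _, bits = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"), strict=False)

def parse_received(header: str):
    """Return (rdns_or_address_literal, ip, by_host) for one Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unparseable Received header: " + header[:60])
    return m.group(1), ipaddress.ip_address(m.group(2)), m.group(3)

def last_external_relay(received: list, trusted_specs: list):
    """Walk outward from the receiving MX; the first hop whose IP is outside
    trusted_networks is the relay whose rDNS name the rule is compared to.
    Returns (rdns, ip), or None when every hop is trusted."""
    trusted = [parse_network(s) for s in trusted_specs]
    for hdr in received:
        name, ip, _by = parse_received(hdr)
        if not any(ip in net for net in trusted):
            return name, str(ip)
    return None

def rdns_matches(rdns: str, domain: str) -> bool:
    """The rule's domain matches the relay name itself or any subdomain of it."""
    rdns, domain = rdns.lower(), domain.lower().lstrip(".")
    return rdns == domain or rdns.endswith("." + domain)

def whitelist_from_rcvd(author: str, rules: list, received: list, trusted_specs: list):
    """rules: (address_glob, rdns_domain) pairs as written in user_prefs.
    Returns the first rule that applies to this message, or None."""
    relay = last_external_relay(received, trusted_specs)
    if relay is None:
        return None
    rdns, _ip = relay
    for addr_glob, domain in rules:
        if fnmatch.fnmatch(author.lower(), addr_glob.lower()) and rdns_matches(rdns, domain):
            return (addr_glob, domain)
    return None

if __name__ == "__main__":
    print("last external relay:", last_external_relay(RECEIVED, JULY_TRUSTED))
    for rules in ([(AUTHOR, "pelorus.org")], [(AUTHOR, "eastrmmtao101.cox.net")],
                  [(AUTHOR, "cox.net")]):
        print(rules, "->", whitelist_from_rcvd(AUTHOR, rules, RECEIVED, JULY_TRUSTED))
```

The relay name used here is the one written by box106.bluehost.com, the trusted host that did the reverse lookup, which is what makes this check harder to spoof than a rule on the From: address alone.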



Re: DNS Tests not always getting done

2008-07-21 Thread Skip



Karsten Bräckelmann wrote:

On Mon, 2008-07-21 at 17:58 -0400, Skip wrote:
  
I thought you guys would like a little humor.  Here's what I sent my 
host and what I got in response.  *sigh*


Maybe tomorrow I'll have better luck with them.

FROM: <[EMAIL PROTECTED]>
SITE: pelorus.org
ADDR: 68.231.250.115

Why would I be getting this on box106?

[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
;; connection timed out; no servers could be reached
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
Host 2.0.0.127.zen.spamhaus.org not found: 2(SERVFAIL)
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
;; connection timed out; no servers could be reached

I would like to use the spamhaus services with my spamassassin setup, 
but for some reason, I can't connect to them at all from my box. Any ideas?


   ^^

This is probably what confused them. I don't have the entire thread in
mind, but IIRC the issue is that the shared DNS you are using returns
this. Thus, you are not directly contacting spamhaus DNS servers. Your
provider is...

I'd try explaining the issue providing "slightly" more details. And try
not to sound like a user who got problems using his web-browser. ;-)

  guenther


  
Well, it just gets better.  I sent this back to them and got the 
following reply:


I'm sorry, you didn't understand my question. I can see their website
just fine from my home computer. What I am talking about is
when I ssh into box 106, I cannot resolve spamhaus for some reason. I
don't know why bluehost's nameserver is not finding spamhaus.org.


[EMAIL PROTECTED] [~]# cat /etc/resolv.conf
domain bluehost.com
search bluehost.com
nameserver 74.220.195.37
nameserver 74.220.195.38
nameserver 74.220.195.39
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
;; connection timed out; no servers could be reached
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
Host 2.0.0.127.zen.spamhaus.org not found: 2(SERVFAIL)
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
;; connection timed out; no servers could be reached


Hello,

I apologize for the problems you are experiencing, thank you for your patience.

You may need to contact your ISP and/or spamhaus.org to get information regarding
your inability to connect to them, typically timing out is indicative of your
ISP.


Anyway, forget them.  I am on my own again.  I ran a few other 
commands.  What do you think of this?


[EMAIL PROTECTED] [~]# host 2.0.0.127.yahoo.com
Host 2.0.0.127.yahoo.com not found: 3(NXDOMAIN)
[EMAIL PROTECTED] [~]# host 2.0.0.127.google.com
Host 2.0.0.127.google.com not found: 3(NXDOMAIN)
[EMAIL PROTECTED] [~]# host 2.0.0.127.pelorus.org
Host 2.0.0.127.pelorus.org not found: 3(NXDOMAIN)
[EMAIL PROTECTED] [~]# host 2.0.0.127.bluehost.com
Host 2.0.0.127.bluehost.com not found: 3(NXDOMAIN)

I'll be honest, I'm not familiar with the host command, so maybe these 
commands don't mean a thing.  But I do know that I get positive hits on 
spamcop all the time (on real spam messages, that is), so I can do some 
dns tests in SA.


Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: DNS Tests not always getting done

2008-07-21 Thread Skip
I thought you guys would like a little humor.  Here's what I sent my 
host and what I got in response.  *sigh*


Maybe tomorrow I'll have better luck with them.

FROM: <[EMAIL PROTECTED]>
SITE: pelorus.org
ADDR: 68.231.250.115

Why would I be getting this on box106?

[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
;; connection timed out; no servers could be reached
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
Host 2.0.0.127.zen.spamhaus.org not found: 2(SERVFAIL)
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
;; connection timed out; no servers could be reached

I would like to use the spamhaus services with my spamassassin setup, 
but for some reason, I can't connect to them at all from my box. Any ideas?


Skip


And their response..

Good day,

Since we are not SPAMHAUS.ORG we are not sure why you would be unable to 
connect to their site. They are the filter that all of the mail goes 
through before it hits our servers. If you are unable to view the site 
try going to a different connection to see if you can get to 
spamhaus.org. If you are, there must be a block from your IP that you 
will need to contact them about.


Thanks,

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: DNS Tests not always getting done

2008-07-21 Thread Skip



mouss wrote:

Skip wrote:



mouss wrote:

Skip wrote:

[snip]
Anyway, please bear with me as I do have a few more questions.  In 
this thread before, some people thought I should look at a possible 
DNS problem, or perhaps my system is exceeding the daily threshold 
for spamhaus.  All they say at the spamhaus FAQ is that if you 
exceed the threshold "your access to Spamhaus's public DNSBL 
servers is very likely to be cut off without warning".  We already 
established that since I am on a shared hosting system, it is 
entirely possible that we (as a system, but not as a domain) may be 
exceeding the threshold, but I don't know how to go about checking 
at spamhaus to see if that is indeed the case.


try:

$ host 2.0.0.127.zen.spmahaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2


BTW, what DNS server(s) are you using?


 [snip]





I got this:
$ host 2.0.0.127.zen.spmahaus.org
Host 2.0.0.127.zen.spmahaus.org not found: 3(NXDOMAIN)




my bad, it's spamhaus, not spmahaus.


That can't be good. 


it's good for now :) try with the correct name...

I do not know what dns server we are using at bluehost. 


First, look in your /etc/resolv.conf. this will show you where the 
nameservers are.


I did a ps and searched for anything that looked like a dns server, 
but couldn't find any.  Sometimes it can really suck being on a 
shared system like this.



Running a mail server on a shared system is problematic. If you only 
do filtering (and not MX or submission), it should work provided you 
get the DNS right.





my nameservers are running on different boxes other than this one.  This 
box just has the web and mail servers.  Typical shared system.  I ran 
the host command a few times and got two different responses.


[EMAIL PROTECTED] [~]# cat /etc/resolv.conf
domain bluehost.com
search bluehost.com
nameserver 74.220.195.37
nameserver 74.220.195.38
nameserver 74.220.195.39
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
;; connection timed out; no servers could be reached
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
Host 2.0.0.127.zen.spamhaus.org not found: 2(SERVFAIL)
[EMAIL PROTECTED] [~]# host 2.0.0.127.zen.spamhaus.org
;; connection timed out; no servers could be reached

As for the CPU exceeded error that a few of you got (if you went to the 
website, pelorus.org), that happens occasionally if I am doing something 
CPU intensive.  Not related to this--at least I don't think it is.  I'm 
pretty sure all they do is stop serving up web pages when you get in a 
CPU exceeded situation.  I don't think they'd turn off internal DNS lookups.


I sure do appreciate the help you guys are giving me here.  Thanks a 
bunch! :)


Skip



--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: DNS Tests not always getting done

2008-07-20 Thread Skip



mouss wrote:

Skip wrote:

[snip]
Anyway, please bear with me as I do have a few more questions.  In 
this thread before, some people thought I should look at a possible 
DNS problem, or perhaps my system is exceeding the daily threshold 
for spamhaus.  All they say at the spamhaus FAQ is that if you exceed 
the threshold "your access to Spamhaus's public DNSBL servers is very 
likely to be cut off without warning".  We already established that 
since I am on a shared hosting system, it is entirely possible that 
we (as a system, but not as a domain) may be exceeding the threshold, 
but I don't know how to go about checking at spamhaus to see if that 
is indeed the case.


try:

$ host 2.0.0.127.zen.spmahaus.org
2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2


BTW, what DNS server(s) are you using?


 [snip]





I got this:
$ host 2.0.0.127.zen.spmahaus.org
Host 2.0.0.127.zen.spmahaus.org not found: 3(NXDOMAIN)

That can't be good.  I do not know what dns server we are using at 
bluehost.  I did a ps and searched for anything that looked like a dns 
server, but couldn't find any.  Sometimes it can really suck being on a 
shared system like this.


--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]



Re: DNS Tests not always getting done

2008-07-20 Thread Skip



Sahil Tandon wrote:

Skip <[EMAIL PROTECTED]> wrote:

  
But I want to stop the test from even being done at all.  I guess I should 
have included more of the previous post.  Sorry :(



Please do not top-post (google if you are unfamiliar with the term).  And as 
already advised, just set score to 0 to disable individual DNSBLs.  To 
disable all checks, set skip_rbl_checks to 1.  This functionality is noted in 
the documentation:


http://wiki.apache.org/spamassassin/DnsBlocklists

  
Sorry about that :)  I am actually quite familiar with bottom posting 
and wish it were used in the workplace, but I doubt we'll ever see 
that.  And thanks for the answer to my question.


Anyway, please bear with me as I do have a few more questions.  In this 
thread before, some people thought I should look at a possible DNS 
problem, or perhaps my system is exceeding the daily threshold for 
spamhaus.  All they say at the spamhaus FAQ is that if you exceed the 
threshold "your access to Spamhaus's public DNSBL servers is very likely 
to be cut off without warning".  We already established that since I am 
on a shared hosting system, it is entirely possible that we (as a 
system, but not as a domain) may be exceeding the threshold, but I don't 
know how to go about checking at spamhaus to see if that is indeed the 
case.  Anyway, I'd like to show one more snippet from my log, to see 
what you guys think.


>grep spamhaus Procmail/pmlog-skip|grep 8874
[8874] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
[8874] dbg: dns: launching DNS A query for 95.2.18.64.zen.spamhaus.org. 
in background
[8874] dbg: async: starting: DNSBL-A, dns:A:95.2.18.64.zen.spamhaus.org. 
(timeout 15.0s, min 3.0s)

[8874] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
[8874] dbg: dns: checking RBL zen.spamhaus.org., set zen
[8874] dbg: dns: launching DNS A query for 
222.84.98.85.zen.spamhaus.org. in background
[8874] dbg: async: starting: DNSBL-A, 
dns:A:222.84.98.85.zen.spamhaus.org. (timeout 15.0s, min 3.0s)
[8874] dbg: async: starting: URI-DNSBL, 
DNSBL:sbl.spamhaus.org.:100.142.44.89 (timeout 15.0s, min 3.0s)
[8874] dbg: async: completed in 5.040 s: URI-DNSBL, 
DNSBL:sbl.spamhaus.org.:100.142.44.89
[8874] dbg: async: aborting after 7.527 s, deadline shrunk: DNSBL-A, 
dns:A:222.84.98.85.zen.spamhaus.org.
[8874] dbg: async: aborting after 7.534 s, deadline shrunk: DNSBL-A, 
dns:A:95.2.18.64.zen.spamhaus.org.

[8874] dbg: async: timing: 5.040 . DNSBL:sbl.spamhaus.org.:100.142.44.89
[8874] dbg: async: timing: 7.527 X dns:A:222.84.98.85.zen.spamhaus.org.
[8874] dbg: async: timing: 7.534 X dns:A:95.2.18.64.zen.spamhaus.org.

Here you can see that three calls to spamhaus were going to be made for 
this message.  The first call made it and was completed in 5.040 s.  The 
other two were aborted after 7.5 s with that mysterious "deadline 
shrunk" message.  Since I got a successful return on the first test, I 
don't think it could be a DNS problem on my end, but please correct me 
if I am mistaken and overlooking something.  By the way, I googled 
"deadline shrunk".  Twenty five hits total with the majority of them 
pointing to this thread and the spamassassin source code.  No real 
help.  Anyway, back to my log here.  The one completed call is 
interesting because if you go to the spamhaus website, that IP address 
actually hits positive

http://www.spamhaus.org/query/bl?ip=89.44.142.100
*89.44.142.100 is listed in the SBL*, in the following records:

   * SBL65873 <http://www.spamhaus.org/sbl/sbl.lasso?query=SBL65873>
   * SBL65994 <http://www.spamhaus.org/sbl/sbl.lasso?query=SBL65994>

But you'll notice that I don't get the hit message here in my log.  In 
fact, I have never gotten a hit from spamhaus on ANY message.


So, my question for the community is, what could I possibly have 
misconfigured here?  Or is it most certainly that we (me and all 
customers using the same hosting company as me) are banned from spamhaus 
lookups due to our volume and I should look for resolution that way?  
Anyone know who I would email at spamhaus to find out?  What information 
would I need to give them?


Btw, I am using ver 3.2.4.

Sorry for being such a pest, but before I go knocking on spamhaus' 
and/or bluehost's (my hosting company) door, I'd like to be as sure as 
possible about these things, and possibly even point them to this thread.


Skip

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
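
The log excerpt above is the key evidence in this thread: the one sbl.spamhaus.org lookup answered in 5.040 s, while both zen.spamhaus.org lookups were aborted with "deadline shrunk", and an aborted DNSBL lookup scores exactly like "not listed". The block below is an added example, not SpamAssassin's code: a Python audit of the "async: timing" lines in SpamAssassin 3.2 debug output that recovers the queried IP from the reversed-octet name and flags zones that never answer; the sample lines are copied from the excerpt above, and the 127.0.0.2 helper builds the test query used throughout this thread.

```python
"""Audit of SpamAssassin 3.2 debug output for DNSBL queries that never completed.
Added example, not SpamAssassin code.  The sample lines are copied from the
debug output quoted in this thread."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[8874] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal
[8874] dbg: dns: launching DNS A query for 95.2.18.64.zen.spamhaus.org. in background
[8874] dbg: async: starting: DNSBL-A, dns:A:95.2.18.64.zen.spamhaus.org. (timeout 15.0s, min 3.0s)
[8874] dbg: async: starting: URI-DNSBL, DNSBL:sbl.spamhaus.org.:100.142.44.89 (timeout 15.0s, min 3.0s)
[8874] dbg: async: completed in 5.040 s: URI-DNSBL, DNSBL:sbl.spamhaus.org.:100.142.44.89
[8874] dbg: async: aborting after 7.527 s, deadline shrunk: DNSBL-A, dns:A:222.84.98.85.zen.spamhaus.org.
[8874] dbg: async: aborting after 7.534 s, deadline shrunk: DNSBL-A, dns:A:95.2.18.64.zen.spamhaus.org.
[8874] dbg: async: timing: 5.040 . DNSBL:sbl.spamhaus.org.:100.142.44.89
[8874] dbg: async: timing: 7.527 X dns:A:222.84.98.85.zen.spamhaus.org.
[8874] dbg: async: timing: 7.534 X dns:A:95.2.18.64.zen.spamhaus.org.
"""

# One "timing" line per query at the end of a scan: '.' = answered, 'X' = aborted.
TIMING_RE = re.compile(r"\[(\d+)\] dbg: async: timing: ([\d.]+) ([.X]) (\S+)")
# Key formats seen above: dns:A:<reversed ip>.<zone>.  and  DNSBL:<zone>.:<reversed ip>
DNSBL_A_RE = re.compile(r"^dns:A:(\d+)\.(\d+)\.(\d+)\.(\d+)\.(.+?)\.?$")
URIBL_RE = re.compile(r"^DNSBL:(.+?)\.?:(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone.  127.0.0.2 is the entry every
    DNSBL publishes for testing, hence the thread's 2.0.0.127.zen.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def decode_query(key: str):
    """Recover (zone, queried ip) from a timing-line key, or None if it is not a DNSBL query."""
    m = DNSBL_A_RE.match(key)
    if m:
        a, b, c, d, zone = m.groups()
        return zone, f"{d}.{c}.{b}.{a}"
    m = URIBL_RE.match(key)
    if m:
        zone, a, b, c, d = m.groups()
        return zone, f"{d}.{c}.{b}.{a}"
    return None

def summarize(log_text: str) -> dict:
    """Per zone: how many lookups answered, how many were aborted, and which
    IPs the aborted lookups were for."""
    stats = defaultdict(lambda: {"completed": 0, "aborted": 0, "aborted_ips": []})
    for line in log_text.splitlines():
        m = TIMING_RE.search(line)
        if not m:
            continue
        _pid, _secs, status, key = m.groups()
        decoded = decode_query(key)
        if decoded is None:
            continue
        zone, ip = decoded
        if status == ".":
            stats[zone]["completed"] += 1
        else:
            stats[zone]["aborted"] += 1
            stats[zone]["aborted_ips"].append(ip)
    return dict(stats)

def silent_zones(stats: dict) -> list:
    """Zones that aborted at least once and never answered.  A dropped lookup
    looks exactly like 'not listed', so these deserve a manual host(1) probe
    of the zone's 127.0.0.2 test entry from the same resolver."""
    return sorted(z for z, s in stats.items() if s["aborted"] and not s["completed"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for zone, s in sorted(stats.items()):
        print(f"{zone}: completed={s['completed']} aborted={s['aborted']} {s['aborted_ips']}")
    print("zones never answering:", silent_zones(stats))
    print("test query:", dnsbl_query_name("127.0.0.2", "zen.spamhaus.org"))
```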



Re: DNS Tests not always getting done

2008-07-20 Thread Skip
But I want to stop the test from even being done at all.  I guess I 
should have included more of the previous post.  Sorry :(


Skip


Raymond Dijkxhoorn wrote:

Hi!

I was actually thinking the same thing about configuring SA to use a 
different resolver, but could not find such a configuration option.


What is the generally approved way to disable individual RBL checks?  
I can easily disable all of them, but I haven't figured out how to 
disable individual ones.


Just score the tests you want to disable 0.

Bye,
Raymond.






Re: DNS Tests not always getting done

2008-07-20 Thread Skip


 
Wow, I wonder how I am going to convince Bluehost that they are having 
issues.


What's the best way to disable individual RBL checks?  I'm also 
curious which tests you consider to be most effective on your system.


I was actually thinking the same thing about configuring SA to use a 
different resolver, but could not find such a configuration option.


Skip

What is the generally approved way to disable individual RBL checks?  I 
can easily disable all of them, but I haven't figured out how to disable 
individual ones.


Skip




Re: DNS Tests not always getting done

2008-07-18 Thread Skip



Kai Schaetzl wrote:

Skip wrote on Thu, 17 Jul 2008 16:19:07 -0400:

  
As for too many connection per day, my domain certainly does not 
generate anywhere near the 100,000 connections spamhaus considers as the 
cutoff, but I'll bet my host (bluehost) does.  If all they check is 
originating IP address, then I'm sure I'll fall in that category.



Yeah, you actually query the resolver at your hosting provider. As do 
others of his customers. That combined connection pool may well exceed the 
limits. In that case you could set up a local caching nameserver and no 
forwarders. However, this would also impact your other dns queries. It 
might actually be a good idea if SA developers allowed using a different 
resolver for SA than the system resolver.


  
As for the timeouts, I won't have access to that, since I am on a shared 
hosting system, but are you sure that those errors are what's being 
reported by the local nameserver?  I am surprised that every test would 
fail (that is, not complete) in one case, and then in the next case all 
but the spamhaus test would complete.



Intermittent problems mean that a DNS is overloaded. Could be the typical 
sign of "spamassassinating" an RBL. I'm not surprised that many of your 
open-whois.org lookups fail. It wouldn't be the first RBL that falls apart 
after it got promoted to default use in SA.


It's also possible that your forwarder DNS is sometimes overloaded. If you 
get timeouts on five RBLs and next second all of them are well and then 
again on a bunch of them I'd say that the bottleneck could actually be the 
forwarder.


Also, several of these RBL checks do not add any extra value in my eyes. 
For instance habeas and bondedsender. I would get rid at least of these. I 
have been switching off SA RBL checks on all my systems almost right after 
I started using it years ago and still do so. I also don't use any of the 
distributed fingerprint systems. I use three RBLs I trust on MTA level for 
rejection. That's *much* more efficient. In SA I use only the other network 
checks for SURBL etc. as these *are* effective. (Although looking at the 
hit count all but one have declined in accurateness from last year.)


Kai

  
Wow, I wonder how I am going to convince Bluehost that they are having 
issues.


What's the best way to disable individual RBL checks?  I'm also curious 
which tests you consider to be most effective on your system.


I was actually thinking the same thing about configuring SA to use a 
different resolver, but could not find such a configuration option.


Skip




Re: DNS Tests not always getting done

2008-07-17 Thread Skip



Richard Frovarp wrote:

mouss wrote:

Skip wrote:
Periodically I have seen spam come in my inbox and after reviewing 
the headers, I'd see that it didn't hit any of the DNS/URL BL 
checks.  So I left SA running in debug mode for a while and saw some 
strange entries (sorry for the long post here).  Fortunately, these 
don't happen too often, but I would like to know if there is 
anything I can do...
1) ...to configure my setup more correctly.  For instance, I believe 
spamhaus is now closed, correct?  I see that same abort message in 
EVERY message.  So, how should I disable the spamhaus check.  Or, if 
it is still working, why is mine not?


possibly because you (or your dns forwarder) generate(s) too many 
connections per day:

http://www.spamhaus.org/organization/dnsblusage.html




2) What can I do in procmail to check to make sure the DNS tests 
were completed?  Maybe give each mail a second or third chance to 
get the DNS checks done.  I'll probably have to pick one or two of 
them and call them vital, and run a check against them just to see 
if it was successful in testing the message, and if not, do it 
again.  Something like that, perhaps???


I don't understand this part.



Looks like they have timeouts. Make sure you use a local caching 
nameserver. Sometimes things will just timeout due to other issues, 
but a caching nameserver helps big time.


As for too many connection per day, my domain certainly does not 
generate anywhere near the 100,000 connections spamhaus considers as the 
cutoff, but I'll bet my host (bluehost) does.  If all they check is 
originating IP address, then I'm sure I'll fall in that category.


As for the timeouts, I won't have access to that, since I am on a shared 
hosting system, but are you sure that those errors are what's being 
reported by the local nameserver?  I am surprised that every test would 
fail (that is, not complete) in one case, and then in the next case all 
but the spamhaus test would complete.


Finally, as for the procmail question, what I meant was, when those test 
complete, and the IP addresses were hit in the test, it's easy for me to 
write a rule in procmail because SA puts information in the headers 
about this fact.  However, on the contrary, if a message is tested and 
passes (NON_HIT), then SA has no reason to write anything additional in 
the header.  Furthermore, if the test fails completely (times out, for 
instance, and no report made at all), then again, no information is 
added to the header of the email.  I have no way to test in procmail 
whether the test failed or passed--I can only test whether it was a 
"HIT".  I would like to know if there's a clever way to add a little 
more information about the results of these tests in the headers (call 
it "HIT", "NON_HIT", and "FAIL"), so I can make decisions whether or not 
to reprocess the message through SA.


Skip




DNS Tests not always getting done

2008-07-17 Thread Skip
Periodically I have seen spam come in my inbox and after reviewing the 
headers, I'd see that it didn't hit any of the DNS/URL BL checks.  So I 
left SA running in debug mode for a while and saw some strange entries 
(sorry for the long post here).  Fortunately, these don't happen too 
often, but I would like to know if there is anything I can do...
1) ...to configure my setup more correctly.  For instance, I believe 
spamhaus is now closed, correct?  I see that same abort message in EVERY 
message.  So, how should I disable the spamhaus check.  Or, if it is 
still working, why is mine not?


2) What can I do in procmail to check to make sure the DNS tests were 
completed?  Maybe give each mail a second or third chance to get the DNS 
checks done.  I'll probably have to pick one or two of them and call 
them vital, and run a check against them just to see if it was 
successful in testing the message, and if not, do it again.  Something 
like that, perhaps???


Skip

Here are the logs:
Went well
[28851] dbg: async: escaping: lost or timed out requests or responses
[28851] dbg: async: aborting after 22.349 s, past original deadline: 
DNSBL-A, dns:A:250.101.133.209.zen.spamhaus.org.
[28851] dbg: async: aborting after 11.761 s, deadline shrunk: URI-A, 
A:ns2.eonline.com.
[28851] dbg: async: aborting after 11.760 s, deadline shrunk: URI-A, 
A:ns.eonline.com.
[28851] dbg: async: aborting after 11.761 s, deadline shrunk: URI-A, 
A:ns1.atdc1.eonline.com.

[28851] dbg: async: aborted 4 remaining lookups
[28851] dbg: async: timing: 10.577 . dns:A:250.101.133.209.iadb.isipp.com.
[28851] dbg: async: timing: 10.577 . 
dns:A:250.101.133.209.sa-accredit.habeas.com.
[28851] dbg: async: timing: 10.577 . 
dns:A:response.broadcaster.g4tv.com.dob.sibl.support-intelligence.net.
[28851] dbg: async: timing: 10.578 . 
dns:TXT:250.101.133.209.sa-trusted.bondedsender.org.

[28851] dbg: async: timing: 10.579 . dns:A:250.101.133.209.list.dnswl.org.
[28851] dbg: async: timing: 10.579 . 
dns:A:response.broadcaster.g4tv.com.fulldom.rfc-ignorant.org.
[28851] dbg: async: timing: 10.579 . 
dns:A:response.broadcaster.g4tv.com.bl.open-whois.org.

[28851] dbg: async: timing: 10.580 . dns:TXT:250.101.133.209.list.dsbl.org.

Not so well
[11567] dbg: async: aborting after 24.824 s, past original deadline: 
DNSBL-A, dns:A:250.101.133.209.zen.spamhaus.org.
[11567] dbg: async: aborting after 24.827 s, past original deadline: 
DNSBL-A, dns:A:response.broadcaster.g4tv.com.rhsbl.ahbl.org.
[11567] dbg: async: aborting after 24.820 s, past original deadline: 
DNSBL-TXT, dns:TXT:250.101.133.209.sa-trusted.bondedsender.org.
[11567] dbg: async: aborting after 24.833 s, past original deadline: 
URI-DNSBL, DNSBL:multi.uribl.com.:g4tv.com
[11567] dbg: async: aborting after 24.826 s, past original deadline: 
DNSBL-A, dns:A:250.101.133.209.dob.sibl.support-intelligence.net.
[11567] dbg: async: aborting after 24.823 s, past original deadline: 
DNSBL-A, 
dns:A:response.broadcaster.g4tv.com.dob.sibl.support-intelligence.net.
[11567] dbg: async: aborting after 24.829 s, past original deadline: 
DNSBL-A, dns:A:250.101.133.209.plus.bondedsender.org.
[11567] dbg: async: aborting after 24.833 s, past original deadline: 
URI-DNSBL, DNSBL:bl.open-whois.org.:g4tv.com
[11567] dbg: async: aborting after 24.825 s, past original deadline: 
NO_DNS_FOR_FROM, DNSBL-MX, dns:MX:response.broadcaster.g4tv.com
[11567] dbg: async: aborting after 24.832 s, past original deadline: 
URI-DNSBL, DNSBL:rhsbl.ahbl.org.:g4tv.com
[11567] dbg: async: aborting after 24.822 s, past original deadline: 
DNSBL-A, dns:A:250.101.133.209.sa-accredit.habeas.com.
[11567] dbg: async: aborting after 24.828 s, past original deadline: 
DNSBL-A, dns:A:250.101.133.209.combined.njabl.org.
[11567] dbg: async: aborting after 24.830 s, past original deadline: 
URI-NS, NS:g4tv.com
[11567] dbg: async: aborting after 24.819 s, past original deadline: 
DNSBL-A, dns:A:response.broadcaster.g4tv.com.bl.open-whois.org.
[11567] dbg: async: aborting after 24.825 s, past original deadline: 
NO_DNS_FOR_FROM, DNSBL-A, dns:A:response.broadcaster.g4tv.com
[11567] dbg: async: aborting after 24.818 s, past original deadline: 
DNSBL-A, dns:A:250.101.133.209.iadb.isipp.com.
[11567] dbg: async: aborting after 24.831 s, past original deadline: 
URI-DNSBL, DNSBL:multi.surbl.org.:g4tv.com

[11567] dbg: async: aborted 17 remaining lookups
[11567] dbg: async: timing: 8.995 . 
dns:A:response.broadcaster.g4tv.com.fulldom.rfc-ignorant.org.

[11567] dbg: async: timing: 8.997 . dns:TXT:250.101.133.209.list.dsbl.org.
[11567] dbg: async: timing: 8.998 . dns:A:250.101.133.209.dnsbl.sorbs.net.
[11567] dbg: async: timing: 8.998 . dns:A:250.101.133.209.list.dnswl.org.
[11567] dbg: async: timing: 9.003 . dns:TXT:250.101.133.209.bl.spamcop.net.
[11567] dbg: async: timing: 9.007 . 
DNSBL:dob.sibl.support-intelligence.net:g4tv.com


or also not so well
[27711] dbg: async: escaping: lost or timed out requests or responses
[27711] 
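
The debug lines above record which lookups finished ("timing: ... .") and which were abandoned ("aborting after ... past original deadline" or "deadline shrunk"), which is exactly the HIT/NON_HIT/FAIL distinction the mail headers cannot show. As an added example, not code from this thread or from SpamAssassin, here is a Python parser that summarises those lines per message PID; the sample log is constructed in the format quoted above, and the zone names passed to summarise() are whatever the operator wants to watch:

```python
"""Summarise SpamAssassin 3.2 'dbg: async:' lines per message (PID)."""
import re
from collections import defaultdict
from typing import NamedTuple

# Line shapes modelled on the debug output quoted in the thread above.
ABORT_RE = re.compile(
    r"^\[(?P<pid>\d+)\] dbg: async: aborting after (?P<secs>[\d.]+) s, "
    r"(?P<reason>[^:]+): (?P<rest>.+)$")
TIMING_RE = re.compile(
    r"^\[(?P<pid>\d+)\] dbg: async: timing: (?P<secs>[\d.]+) \. (?P<query>\S+)$")
ESCAPE_RE = re.compile(
    r"^\[(?P<pid>\d+)\] dbg: async: escaping: lost or timed out")


class Lookup(NamedTuple):
    query: str     # e.g. dns:A:250.101.133.209.zen.spamhaus.org.
    secs: float    # seconds until completion or abort
    reason: str    # "" when completed, otherwise the abort reason
    rules: tuple   # rule types named on an abort line (empty when completed)


def parse_async_log(lines):
    """Group async lookups by PID: completed, aborted, and the 'escaping' flag."""
    msgs = defaultdict(lambda: {"completed": [], "aborted": [], "escaped": False})
    for raw in lines:
        line = raw.strip()
        m = ABORT_RE.match(line)
        if m:
            # rest looks like "NO_DNS_FOR_FROM, DNSBL-MX, dns:MX:host"; the
            # last comma-separated field is the query, the others are rule types
            parts = [p.strip() for p in m["rest"].split(",")]
            msgs[m["pid"]]["aborted"].append(
                Lookup(parts[-1], float(m["secs"]), m["reason"], tuple(parts[:-1])))
            continue
        m = TIMING_RE.match(line)
        if m:
            msgs[m["pid"]]["completed"].append(
                Lookup(m["query"], float(m["secs"]), "", ()))
            continue
        if ESCAPE_RE.match(line):
            msgs[ESCAPE_RE.match(line)["pid"]]["escaped"] = True
    return dict(msgs)


def lookup_status(msg, zone):
    """'aborted', 'completed', or 'not queried' for one message and one zone.

    An aborted lookup is neither a hit nor a non-hit: the check never ran to
    completion, which the X-Spam headers do not record."""
    z = zone.rstrip(".")
    if any(z in lk.query for lk in msg["aborted"]):
        return "aborted"
    if any(z in lk.query for lk in msg["completed"]):
        return "completed"
    return "not queried"


def summarise(msgs, watch_zones):
    """Per-PID report: lookup counts, slowest abort, and watched-zone status."""
    report = {}
    for pid, msg in msgs.items():
        report[pid] = {
            "completed": len(msg["completed"]),
            "aborted": len(msg["aborted"]),
            "escaped": msg["escaped"],
            "slowest_abort": max((lk.secs for lk in msg["aborted"]), default=0.0),
            "zones": {z: lookup_status(msg, z) for z in watch_zones},
        }
    return report


# Constructed sample, two messages, in the format quoted in the thread.
SAMPLE_LOG = """\
[28851] dbg: async: escaping: lost or timed out requests or responses
[28851] dbg: async: aborting after 22.349 s, past original deadline: DNSBL-A, dns:A:250.101.133.209.zen.spamhaus.org.
[28851] dbg: async: aborting after 11.761 s, deadline shrunk: URI-A, A:ns2.eonline.com.
[28851] dbg: async: aborted 2 remaining lookups
[28851] dbg: async: timing: 10.577 . dns:A:250.101.133.209.iadb.isipp.com.
[28851] dbg: async: timing: 10.579 . dns:A:250.101.133.209.list.dnswl.org.
[28851] dbg: async: timing: 10.580 . dns:TXT:250.101.133.209.list.dsbl.org.
[11567] dbg: async: aborting after 24.824 s, past original deadline: DNSBL-A, dns:A:250.101.133.209.zen.spamhaus.org.
[11567] dbg: async: aborting after 24.833 s, past original deadline: URI-DNSBL, DNSBL:multi.uribl.com.:g4tv.com
[11567] dbg: async: aborting after 24.825 s, past original deadline: NO_DNS_FOR_FROM, DNSBL-MX, dns:MX:response.broadcaster.g4tv.com
[11567] dbg: async: aborted 3 remaining lookups
[11567] dbg: async: timing: 9.003 . dns:TXT:250.101.133.209.bl.spamcop.net.
[11567] dbg: async: timing: 9.007 . DNSBL:dob.sibl.support-intelligence.net:g4tv.com
"""

if __name__ == "__main__":
    parsed = parse_async_log(SAMPLE_LOG.splitlines())
    for pid, row in summarise(parsed, ["zen.spamhaus.org", "bl.spamcop.net"]).items():
        print(pid, row)
```

A message whose watched zone reports "aborted" is the case worth re-queuing or flagging, since the resolver, not the blocklist, decided its fate.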

sare rules?

2008-07-14 Thread Skip Brott
This was probably discussed at some point, but I haven't been getting emails
from the list for some time.
 
The dates I see on all my sare rule sets are in January when I moved to
3.2.4.  My updates_spamassassin_org.cf file is dated June 17.
 
I debugged saupdate and this appears correct.  But recently I am seeing an
increase in spam reaching my end users.
 
Is there something more that I can be doing?  Maybe I need to start updating
from some additional rule sets?
 
- Skip


Re: auto-whitelist file location in 3.2.4

2008-06-26 Thread Skip Morrow
> That option wasn't removed from SA.. it was removed from the main conf
> docs, as all of the AWL is now a plugin. That option is documented in the
> docs for the AWL plugin, which is where it really belongs. (if the option
> isn't valid without the plugin, then it in theory shouldn't be in the main
> Conf manpage..)
>
>
>
> See
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_AWL
> .html
>
>
>
I see, and got it working.  Next question:  How would I set it up so that
I could have a separate whitelist for each user (I only have four users)? 
Again, I call spamassassin from procmail, and each user has its own
procmailrc, so I can easily hardcode in the command as an argument to
spamassassin.  But I haven't seen a way yet to tell spamassassin to look
in a particular place for the .cf files for the plugins.  On bluehost,
somehow spamassassin knows to look in the ~/.spamassassin folder for the
*.cf files.  Worst case I write a rule to copy the right .cf file into
place depending on which procmailrc is executing (and placing in some file
locks of course), but I'd hate to kludge that into place.



auto-whitelist file location in 3.2.4

2008-06-25 Thread Skip
How does one set the file location for the auto-whitelist file on a 
3.2.x system?  I am on a shared hosting system, but call spamassassin 
manually from procmail.  Here's the debug output that deals with 
auto-whitelist:


[25947] dbg: locker: safe_lock: created 
/ramdisk/etc/spamassassin/data/auto-whitelist.lock.box106.bluehost.com.25947
[25947] dbg: locker: safe_lock: trying to get lock on 
/ramdisk/etc/spamassassin/data/auto-whitelist with 0 retries
[25947] dbg: locker: safe_lock: link to 
/ramdisk/etc/spamassassin/data/auto-whitelist.lock: link ok
[25947] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in 
/ramdisk/etc/spamassassin/data/auto-whitelist
[25947] dbg: auto-whitelist: db-based [EMAIL PROTECTED]|ip=71.113 
scores 31/-157.366
[25947] dbg: auto-whitelist: AWL active, pre-score: -4.423, autolearn 
score: -4.423, mean: -5.07632258064516, IP: 71.113.166.229
[25947] dbg: auto-whitelist: add_score: new count: 32, new totscore: 
-161.789

[25947] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
[25947] dbg: auto-whitelist: DB addr list: file locked, breaking lock

Now, I checked the docs, and apparently the setting for the 
auto-whitelist location (auto_whitelist_path) was removed in 3.2.x and I 
cannot for the life of me figure out how to tell my system where I want 
it to place my awl.  I did have an auto-whitelist file in my 
~/.spamassassin directory, but I renamed it, and strangely enough, 
messages are still getting tagged with the "-2.8 AWL AWL: From: address 
is in the auto white-list", so I have no idea how sa knows to look on 
/ramdisk.  I am on a shared hosting system, and I would like to place my 
own whitelist in my home directory and use it, but I guess I have missed 
the correct documentation.  When I call spamassassin, I pass it the -p 
option with my own configuration file, and I should be able to pass it 
the -C or --siteconfigpath options to set admin settings.  Any help?


Skip




Re: spamd stops after about 90 seconds?

2008-03-26 Thread Skip




That looks like it is the problem.  I have sent BH an email asking them
about it.  By any chance do you know the name of the watchdog program
that they run to keep an eye on the user processes?  Or is it something
compiled into the kernel?  I have seen where sometimes depending on who
you get a hold of in tech support, they don't even know what their own
boxes are running and doing.

Justin Mason wrote:

  Skip writes:
  
  
What do you know?  I got permission from my web and email hosting 
company (BlueHost) to run my own spamd process.  Cool! Now I can have a 
lot more control over the processing of my incoming mail, and I have 
access to the logs!  Well, after starting spamd, I was surprised after a 
couple of minutes when it mysteriously wasn't running any more.  After 
running some experiments, it seems it is indeed stopping after just over 
a minute.  Here's the command line I'm using to start spamd:

spamd  -d -i 127.0.0.1 -p 6615  -C /home//.spamassassin 
--siteconfigpath=/home//.spamassassin 
--virtual-config-dir=/home//.spamassassin/%l -s 
/home//.spamassassin/spamd.log --user-config -D -u  
--pidfile=/home//.spamassassin/spamd.pid --timeout-tcp=0 
--timeout-child=0

I tried it without the last two timeout parameters and they don't seem 
to have any effect on this, and looking over the documentation, I 
wouldn't have expected them to.

Is this a normal behavior of spamd, that if it doesn't see any action 
from spamc for a while, it just quits?  By the way, I don't see anything 
in the log that tells me spamd is shutting down or anything like that.

I have been able to feed spamd some spam and it worked--I saw the scores 
and everything, but again, a short time after I did the test, alas, 
spamd shut down again.

What did I miss?

  
  
that sounds a *lot* like Bluehost's automated CPU time limiting apps
shutting it down.  Use "strace -p" to trace the process activity around
the 90 second mark, and see if it's getting a signal.

--j.

  





Re: spamd stops after about 90 seconds?

2008-03-26 Thread Skip

By the way, this is version 3.2.4.

Skip wrote:
What do you know?  I got permission from my web and email hosting 
company (BlueHost) to run my own spamd process.  Cool! Now I can have 
a lot more control over the processing of my incoming mail, and I have 
access to the logs!  Well, after starting spamd, I was surprised after 
a couple of minutes when it mysteriously wasn't running any more.  
After running some experiments, it seems it is indeed stopping after 
just over a minute.  Here's the command line I'm using to start spamd:


spamd  -d -i 127.0.0.1 -p 6615  -C /home//.spamassassin 
--siteconfigpath=/home//.spamassassin 
--virtual-config-dir=/home//.spamassassin/%l -s 
/home//.spamassassin/spamd.log --user-config -D -u  
--pidfile=/home//.spamassassin/spamd.pid --timeout-tcp=0 
--timeout-child=0


I tried it without the last two timeout parameters and they don't seem 
to have any effect on this, and looking over the documentation, I 
wouldn't have expected them to.


Is this a normal behavior of spamd, that if it doesn't see any action 
from spamc for a while, it just quits?  By the way, I don't see 
anything in the log that tells me spamd is shutting down or anything 
like that.


I have been able to feed spamd some spam and it worked--I saw the 
scores and everything, but again, a short time after I did the test, 
alas, spamd shut down again.


What did I miss?



spamd stops after about 90 seconds?

2008-03-26 Thread Skip
What do you know?  I got permission from my web and email hosting 
company (BlueHost) to run my own spamd process.  Cool! Now I can have a 
lot more control over the processing of my incoming mail, and I have 
access to the logs!  Well, after starting spamd, I was surprised after a 
couple of minutes when it mysteriously wasn't running any more.  After 
running some experiments, it seems it is indeed stopping after just over 
a minute.  Here's the command line I'm using to start spamd:


spamd  -d -i 127.0.0.1 -p 6615  -C /home//.spamassassin 
--siteconfigpath=/home//.spamassassin 
--virtual-config-dir=/home//.spamassassin/%l -s 
/home//.spamassassin/spamd.log --user-config -D -u  
--pidfile=/home//.spamassassin/spamd.pid --timeout-tcp=0 
--timeout-child=0


I tried it without the last two timeout parameters and they don't seem 
to have any effect on this, and looking over the documentation, I 
wouldn't have expected them to.


Is this a normal behavior of spamd, that if it doesn't see any action 
from spamc for a while, it just quits?  By the way, I don't see anything 
in the log that tells me spamd is shutting down or anything like that.


I have been able to feed spamd some spam and it worked--I saw the scores 
and everything, but again, a short time after I did the test, alas, 
spamd shut down again.


What did I miss?


Re: Logging

2008-03-23 Thread Skip



Matt Kettler wrote:

Skip wrote:
One more dumb question (and this really is more of a linux question 
than a SA question), but if I start spamd -d from a console, and then 
quit that console, won't the daemon quit too?
No, that's what makes it a daemon.. it detaches from the console 
completely, thus remains active even if the shell that spawned it 
terminates.

I thought that was the case.  Thanks.

I think the only other option is to "run it from cron" to get it out 
of a console, but that's a real kludge and I'd rather not do that.
Erm.. definitely not. running from cron is only for things you want to 
run at regular intervals. It is not a valid way for starting daemons 
(ie: something you want to run once and leave running)
I was actually half-way thinking of doing something creative like 
running it from cron just once and then getting rid of the cron job.  
But since you confirmed my initial thoughts, I won't have to follow 
through on this route.


You might also want to look at setting up an init script that 
daemonizes spamd automatically at bootup. There's some sample init 
scripts in with the spamd directory. How exactly you install it varies 
with what OS you're using.
Good point.  I am on a linux, shared hosting site (Bluehost.com).  I 
don't know how I can get it into the startup script for that box, and I 
only have access to my own home directory.  That may be a showstopper 
right there.  I'll have no way of knowing when they reboot the box.


Generally it gets installed in /etc/init.d or /etc/rc.d/init.d, and 
then symlinked to various /etc/rc.d directories to 
cause it to be called at various runlevels. If your system has 
redhat-ish and chkconfig, it can automate this part for you, as the 
redhat init script that comes with spamd has chkconfig tags in it.




By the way, I believe the systems are redhat-ish.  chkconfig is installed.

Skip


Re: Logging

2008-03-23 Thread Skip
One more dumb question (and this really is more of a linux question than 
a SA question), but if I start spamd -d from a console, and then quit 
that console, won't the daemon quit too?  I think the only other option 
is to "run it from cron" to get it out of a console, but that's a real 
kludge and I'd rather not do that.


John Hardin wrote:

On Fri, 21 Mar 2008, Skip wrote:

If I did go this route, how would I make sure that my spamc talks to 
my spamd and not the other one that is already running on the box?


Don't use the default network port number.



Re: Logging

2008-03-21 Thread Skip






Justin Mason wrote:

  Skip writes:
  
  
My email is hosted on a shared hosting site where I don't have much 
access to the good stuff, like syslog and /var/*anything*.  For that 
reason, I believe spamc/spamd is out for me.  They do in fact have spamd 
running.  Here's the ps -aux output
root  9532  0.0  0.6 69628 24544 ?   Ss   Mar10   7:17 
/usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid 
--max-children=5

So, I think if I am to have any hope of getting a decent log out of 
SA, then I will need to use the full spamassassin commandline from 
procmail. No problem, but as I read in the faq, 
(http://wiki.apache.org/spamassassin/SeparateLogFile) the instructions 
there on how to get a different log file involve tinkering with things 
that I don't have access to.  Are there any other options for me?  
Commandline piping?  Creative file links?  I really need to figure out a 
way to get into my logs so I can see what my installation is doing and 
not doing.

  
  
hi --

You can install SpamAssassin into your home dir and run spamd from there;
then use the "spamd -s file" switch to log to a file.

However, many shared hosting setups will also limit CPU time, which
typically means you can't run daemons.

Unfortunately the "spamassassin" script isn't much use for logging :(

--j.

  

That's what I was afraid of.  I think running the daemon is a no-go,
but I guess I could ask the tech support.

If I did go this route, how would I make sure that my spamc talks to my
spamd and not the other one that is already running on the box?




Logging

2008-03-20 Thread Skip
My email is hosted on a shared hosting site where I don't have much 
access to the good stuff, like syslog and /var/*anything*.  For that 
reason, I believe spamc/spamd is out for me.  They do in fact have spamd 
running.  Here's the ps -aux output
root  9532  0.0  0.6 69628 24544 ?   Ss   Mar10   7:17 
/usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid 
--max-children=5


So, I think if I am to have any hope of getting a decent log out of 
SA, then I will need to use the full spamassassin commandline from 
procmail. No problem, but as I read in the faq, 
(http://wiki.apache.org/spamassassin/SeparateLogFile) the instructions 
there on how to get a different log file involve tinkering with things 
that I don't have access to.  Are there any other options for me?  
Commandline piping?  Creative file links?  I really need to figure out a 
way to get into my logs so I can see what my installation is doing and 
not doing.


Thanks in advance.
Skip


Feedback on 3.2.4

2008-01-23 Thread Skip
Other than the initial reports of performance boost from 3.2.4, I haven't
seen much discussion on it as yet.  Perhaps it is still too soon to know,
but has anyone been seeing other benefits - or identified potential
problems?

- Skip



[OT] RE: remove email

2007-10-30 Thread Skip
> > > xou4 schrieb:
> > >> Hello,
> > >> I want to remove the mails on which a score above 30 

Or for procmail (this rule is for 20, add or decrease \* as appropriate):

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
/dev/null



RE: all_spam_to issue with multiple recipients

2007-10-23 Thread Skip
> From: Theo Van Dinter
> Typically one would make "all_spam_to" not a global option.

I manage the server at the global level.  Users do not have the ability to
modify their procmail or SA settings in any way.

> However, from what you describe, the better method would be 
> to just skip SA altogether for the one user who apparently 
> doesn't want the mail marked up.

Interesting idea, but I am not certain how to break out one user in this
way...  Sounds like it would have to be done in procmail, but the question
is how...

- Skip



all_spam_to issue with multiple recipients

2007-10-23 Thread Skip
I have an issue which I'd like to figure out how to overcome, if possible.
I am not certain if this is something which applies to SA or if this may be
a more appropriate question for procmail.

I have one user set up with the "all_spam_to" rule.  The problem is when
there are multiple recipients (in the to: and/or cc: fields) mail is
delivered to all recipients if that one user is a recipient.  Is there a way
to overcome this?

Thanks.

- Skip



RE: How to trust my "domain"?

2007-10-17 Thread Skip
Guess this would help:

Using sendmail 8.13.8 with SA 3.2.3

- Skip

> From: Chris 'Xenon' Hanson [mailto:[EMAIL PROTECTED] 
>Usually you do this with a combination of trusted_networks 
> and exclusion in your scanner.



How to trust my "domain"?

2007-10-17 Thread Skip
I have started to run into a small problem due to some communication
internally with emails being flagged as spam.  Long question made short:
How do I correctly configure SA to trust communication on our network
without trusting spoofed addresses?

- Skip



RE: Advice on MTA blacklist

2007-10-09 Thread Skip
> From: Chris Edwards
> Your travellers should be using one of:
> - Authenticated SMTP submission bypassing your DNSBL tests
> - VPN into your network
> - Your webmail service

All of these are available.  Unless I somehow had something configured
improperly, the blacklists were rejecting connection to the MTA before SMTP
auth.  The second two are in place because of this very issue.  Users prefer
not to use webmail because it is inefficient.  A mail client (i.e. Outlook,
Thunderbird, etc.) has their address books and keeps better records of sent
mail.

While this has solved my issues with my travelling users, it does not
eliminate the FP issues.  And I am not willing to take that risk.  If there
is a communication breakdown due to a 3rd party falsely flagging a network,
that is not going to reflect on the 3rd party.  It will reflect on us and
results in the potential for lost business.

- Skip



RE: Advice on MTA blacklist

2007-10-09 Thread Skip
> Well, in the real world, many of us who would have to scan 
> over 150,000 inbound emails a day, of which about 85% are 
> pure 100% spam simply don't have that luxury... 
> 
> We've had best results with zen.spamhaus.org , other dnsbls 
> seem unreliable/not worth the effort
> 
> regards,
> jp

Admittedly, I process more on the order of 10,000 messages a day.  But your
second point here is the very reason I won't use them: unreliable.  When I
initially rolled out SA, I was using both spamcop and spamhaus along with a
couple of others.  I quickly eliminated down to those two.  Then to one.
Then removed them entirely after about 2 months of use.  

I have a number of travelling personnel from my company.  I don't want the
call at 11pm on a Wednesday night or 6 am on a Sunday morning from a hotel
and the network they are on is on one of those lists and they can't use
their email.  I also have seen my ISP have a range of their network falsely
flagged (and it encompassed our network range) for a period of 36-48 hours.
That put a major dent in communication with our customers.

I am not certain how anyone can claim that they have no FPs running through
those services unless they have prior knowledge of every inbound email.
That is impossible.  My company deals with on the order of thousands of
companies and multiple times that in email addresses.  There is no way to
know how many of those systems were falsely (or correctly) placed on a
blacklist at any point in time.

- Skip



RE: Advice on MTA blacklist

2007-10-09 Thread Skip
 
None.  I'd rather bump up my system resources than allow a system completely
out of my control to assess whether or not mail should run through my MTA
and SA.

- Skip



RE: New PayPal phish?

2007-09-28 Thread Skip
I saw one of these nearly a month ago, but that was it.  That it comes
addressed to a personal name is a bit disturbing.

- Skip



RE: is this a bug? trying to avoid beeing marked as spam

2007-09-24 Thread Skip
>   0.8 ZMIvirSobY_SUB33   SPAM from Sober-Y-Virus

This score has nothing to do with detecting or not detecting a virus in the
message.  It is detecting specific text: "Ihr Passwort"   and it is likely
specific to the test message you are using.  I can't speak to why the other
rule is getting hit.

- Skip



RE: How to analyze scan time

2007-09-13 Thread Skip
This is probably going to be a stupid question, but how do I go about
implementing patches like this?  Should this file be copied in place of the
file located here?:

/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/

- Skip



RE: Suggestion to developers

2007-09-12 Thread Skip Brott
In order to implement something like this, you would need to know the order
of rules processing (which perhaps there is one - but I don't know it).  You
would need to be careful if you have rules which will assign negative scores
which typically do so after other rules have already given positive ones.
Every SA implementation would be unique, so SA would have to be modified to
run some specific rule sets first before any others (maybe it does now?)
and you would then want to make certain your custom scores go into those
files.  In my own implementation, I put my custom rules into a unique .cf
file which I have created so I can distinguish it from other rule sets.  The
"out-of-the-box" SA wouldn't run this file first (unless SA can be modified
to read a designated file before it reads others).

-Original Message-
From: Crocomoth [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 12, 2007 9:42 AM
To: users@spamassassin.apache.org
Subject: Suggestion to developers


SpamAssassin is a really great product.
But it is perl-based and checks every message with a lot of (all) rules,
always!
Volume of spam is constantly increasing, as well as the CPU and memory load that
SA creates on servers.
As an SA user, I would be happy to have the following possibility in the next
version:
1. Add an option which will allow limiting the number of rules run against every
message.  I.e., if the spam points reach required_score, stop further
checking and process the message as spam.
I think not all users are really interested in gathering all statistics about
all spam messages.
2. According to (1), it makes sense to sort all rules from lightweight to
heavyweight (including ones which require internet queries) and do the
checking in this order.

This could allow lowering the SA footprint.
Thanks.

--
View this message in context:
http://www.nabble.com/Suggestion-to-developers-tf4429767.html#a12637043
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



RE: forward the spam to another mailbox

2007-09-05 Thread Skip Brott
While this is a procmail issue, not one for SA, assuming you want to dump
it to a mailbox on the same system, here is my basic procmailrc recipe:

# Filter (f) the whole message, headers (h) and body (b), through spamc and
# wait (w) for it to finish; -u mail has spamd use the "mail" user's settings.
:0fwhb
| /usr/bin/spamc -u mail

# Eight stars in X-Spam-Level means a score of 8 or more: discard it.
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*
/dev/null

# Match on headers only (H): anything else SA flagged goes to the spam mailbox.
:0H
* ^X-Spam-Status: Yes
/var/spool/mail/spammailbox

--

Basically I am running all mail thru SA, dumping everything with a score
over 8.0 (which you can modify if you aren't comfortable with that number by
adding \* for each additional point - or just delete that rule completely).
All remaining spam goes to whichever account is defined as "spammailbox".

- Skip
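As an added example, not part of Skip's post and not SpamAssassin or procmail code, here is the delivery half of that recipe rewritten in Python so the two header tests can be run offline against constructed messages. It skips the spamc step and only looks at the headers spamc adds; the spam mailbox path is taken from the recipe, "inbox" stands in for normal delivery, and the sample messages are constructed, not captured mail. The point it makes concrete is that the eight literal stars are an anchored prefix match, so the recipe drops everything scoring 8.0 or higher, and because X-Spam-Level is the integer floor of the score, a fractional cutoff has to come from the score= field in X-Spam-Status instead.

```python
import re
from email import message_from_string

# Mirror of the two delivery recipes: eight literal "\*" in the procmail
# pattern, and the "Yes" test on X-Spam-Status.
DROP_STARS = 8
SPAM_MAILBOX = "/var/spool/mail/spammailbox"   # path taken from the recipe
INBOX = "inbox"                                 # stands in for normal delivery


def sample(score, required=5.0):
    """Constructed message carrying the headers spamc adds (not a real capture)."""
    flag = "Yes" if score >= required else "No"
    level = "*" * max(0, min(int(score), 50))   # one star per whole point
    return (
        f"X-Spam-Status: {flag}, score={score} required={required} tests=CONSTRUCTED\n"
        f"X-Spam-Level: {level}\n"
        "From: sender@example.com\n"
        "Subject: constructed test message\n"
        "\n"
        "body\n"
    )


def score_from_status(status):
    """Pull the numeric score out of 'Yes, score=12.3 required=5.0 tests=...'."""
    m = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", status or "")
    return float(m.group(1)) if m else None


def route_by_stars(raw, drop_at=DROP_STARS):
    """What the two procmail recipes do: prefix-match the star run, then X-Spam-Status."""
    msg = message_from_string(raw)
    level = msg.get("X-Spam-Level", "")
    status = msg.get("X-Spam-Status", "")
    # '^X-Spam-Level: \*\*\*\*\*\*\*\*' is anchored only at the start, so it
    # matches eight stars *or more*: a 9- or 12-point message is dropped too.
    if re.match(r"\*{%d}" % drop_at, level):
        return "/dev/null"
    # ':0H' with '^X-Spam-Status: Yes' sends everything else SA flagged to the spam mailbox.
    if re.match(r"Yes\b", status):
        return SPAM_MAILBOX
    return INBOX


def route_by_score(raw, drop_at=float(DROP_STARS)):
    """Same decision from the exact score, which lets the cutoff be fractional (e.g. 8.5)."""
    msg = message_from_string(raw)
    status = msg.get("X-Spam-Status", "")
    score = score_from_status(status)
    if score is not None and score >= drop_at:
        return "/dev/null"
    if re.match(r"Yes\b", status):
        return SPAM_MAILBOX
    return INBOX


if __name__ == "__main__":
    for s in (2.1, 7.9, 8.0, 12.3):
        print(f"score {s:5}: stars -> {route_by_stars(sample(s))}, "
              f"score -> {route_by_score(sample(s), drop_at=8.5)}")
```

A score of 7.9 carries seven stars and lands in the spam mailbox; 8.0 carries eight and is dropped. With the star-based recipe the only way to move the cutoff is to add or remove a literal star, which is why the post talks about "\* for each additional point".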



RE: Bouncing emails from certain countries

2007-08-21 Thread Skip Brott
This would work fine if you expect emails only from those countries.  Our
company does business in Central & South America as well (which also means
allowing lots of Spanish & Portuguese).  We do not do business in Europe or
Asia and I see quite a bit of spam from *.ru and *.su.  I do not have a
country-based solution in place as the vast majority are caught in other
rules.

- Skip

> I used IP::Country::Fast to block everything except canada and usa...
> 
> I've only had to add one company to an allow list because 
> they are in Italy...
> 
> I don't think its that bad of a solution,
>   depending on where your companies customers are located..



RE: Blacklist problems!

2007-08-21 Thread Skip Brott
> No need for these settings if you have the above "ok_languages  en"

I think you are correct if you assume that emails coming from *.ru (for
example), are written in something other than English, which is rarely the
case.  Much of the spam I see from *.ru and *.su is in English.

- Skip



RE: Bouncing emails from certain countries

2007-08-21 Thread Skip Brott
Out of curiosity (as this is a feature that I would like to have as well for
a couple of specific countries), is there a reason that a couple of SA
plugins can't be used:

http://wiki.apache.org/spamassassin/URICountryPlugin
Or
http://wiki.apache.org/spamassassin/RelayCountryPlugin

I am not certain which of these would be the correct one to implement.

- Skip



RE: Upgrading from 3.1.4 to 3.2.3

2007-08-19 Thread Skip Brott
I imagine this depends a little on your distro.  Some more details would be
helpful. 

> From: Netdynamix [mailto:[EMAIL PROTECTED] 
> 
> I have SA 3.1.4 running on my server successfully. I want to 
> upgrade to
> 3.2.3 for safety sake.
> 
> I have NEVER upgraded SA before and am a little scared that I 
> break it and can't get it up again.
> Is there anyone who can direct me to a simple step-by-step 
> HOW-TO on how to do this?



RE: Question - How many of you run ALL your email through SA?

2007-08-16 Thread Skip Brott
>  From: Marc Perkel [mailto:[EMAIL PROTECTED] 
>  OK - it's interesting that of all of you who responded this is the only
> person who is doing it right.

I find this comment interesting because I don't agree with using spamhaus,
spamcop, or other similar services to determine whether mail should be
dropped/rejected.  Systems can easily be errantly flagged - or temporarily
flagged - for unknown periods of time.

Our ISP provider had an extremely broad range of addresses blocked about a
year ago because of systems compromised on networks not belonging to our
company.  For a period of several days, our company was affected - seeing
large numbers of bounces from systems rejecting because the range was
listed.  This caused huge disruptions for our company, not to mention the
potential for significant losses of income.

If you were one of our customers expecting communication and are not
receiving replies for several days - are you blaming that on your own IT
department for using a blacklisting service?  ...the actual compromised
system?  ...or my company?  Customers don't want to hear that the problem is
someone else's.  It becomes my problem.

That is just one of a handful of scenarios which have persuaded me to
eliminate their use on my system.  Unfortunately, I have no control over the
potential for the above situation repeating itself...

- Skip



RE: Question - How many of you run ALL your email through SA?

2007-08-16 Thread Skip Brott
> As opposed to preprocessing before using SA to reduce the load. (ie. 
> using blacklist and whitelist before SA)

I do.  I have so few issues with SA rulesets (and sare rulesets) with FPs or
missing spam [other than when new variations come in] that I'd rather put
the load on my server.  I don't agree with the methodology of sites like
spamhaus & spamcop so I only use the scoring rules built into SA rather than
just simply give blacklisting control to another service.

- Skip



RE: warning - score undef for rule 'MISSING_SUBJECT'...

2007-08-14 Thread Skip Brott
> The first time I run sa-update after a v3.2.3 install, I get 
> the following warnings:
> 
> rules: score undef for rule 'MISSING_SUBJECT' in '' 
> 'MISSING_SUBJECT' at 
> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
> line 2140.
> rules: score undef for rule 'EMPTY_MESSAGE' in '' 
> 'EMPTY_MESSAGE' at 
> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
> line 2140.
> rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' 
> at 
> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
> line 2140.
> rules: score undef for rule 'MISSING_SUBJECT' in '' 
> 'MISSING_SUBJECT' at 
> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
> line 2140.
> rules: score undef for rule 'EMPTY_MESSAGE' in '' 
> 'EMPTY_MESSAGE' at 
> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
> line 2140.
> rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' 
> at 
> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
> line 2140.
> ...
> (repeated several times)
> 

I got these as well for both upgrades to 3.2.2 and 3.2.3...

- Skip



RE: disable spamhaus rbl?

2007-08-14 Thread Skip Brott
> After reading all the replies I was left wondering..
> These kind of rules are not used when spamd is started with the -L
> (--local) switch, right?
> I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to 
> query spamhaus at smtp time. (qmail - tcpserver) 
> /usr/local/bin/rblsmtpd -b -C -r 'sbl-xbl.spamhaus.org'
> I always considered it to be more efficient this way, would 
> this be correct?

If I am not mistaken, this methodology will simply dump any hits on spamhaus
rather than score a hit in combination with other scores.  Someone can
correct me if I am wrong.

- Skip



3.2.2 vs 3.2.1

2007-08-01 Thread Skip Brott
I am currently running 3.1.9 of SA on RHEL3.  I've noticed several emails the
last few days reporting various issues that users are experiencing with
3.2.2.  Is this something to be concerned about?  Should I update to 3.2.1
instead or does it have its own issues?

- Skip



RE: Have Spamassassin forward mail to Spam Folder

2007-07-28 Thread Skip Brott
Silly enough for which part?  Dumping or using the other rules here?  I've
had my implementation in place for a year and a half and am confident in
dumping scores of 10+.  The highest false positive I have seen in that time
was a 6.2.

When I attempted to implement using /usr/bin/spamassassin I saw nothing
being done in the maillog.  When I switched back to using spamc it appears
to be working again.

> -Original Message-
> From: jdow [mailto:[EMAIL PROTECTED] 
> Yes if you are silly enough.
> {^_^}
> - Original Message -
> From: "Skip Brott" <[EMAIL PROTECTED]>
> 
> 
> > These are more appropriately procmail questions, but
> >
> > Do you know if this ruleset will process before or after attempted 
> > delivery
> > to the user (and thus triggering the .forward file)?  Is there a 
> > difference
> > between using /usr/bin/spamassassin versus using 
> /usr/bin/spamc ?  And can 
> > I
> > still use this rule to dump spam with high scores?:
> > :0
> > * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
> > /dev/null
> >
> >>   :0fwhb
> >>   | /usr/bin/spamassassin
> >>   :0H
> >>   * ^X-Spam-Status: Yes
> >>   /var/spool/mail/spam
> >
> > 



RE: False Positives on Spamhaus?

2007-07-27 Thread Skip Brott
> Getting a ton of false positives today on spamhaus. Generally 
> they never get it wrong. Anyone else seeing this or is it just me?

That's a lot of confidence in a system over which you have no control.

- Skip



RE: Have Spamassassin forward mail to Spam Folder

2007-07-26 Thread Skip Brott
These are more appropriately procmail questions, but

Do you know if this ruleset will process before or after attempted delivery
to the user (and thus triggering the .forward file)?  Is there a difference
between using /usr/bin/spamassassin versus using /usr/bin/spamc ?  And can I
still use this rule to dump spam with high scores?:
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null

>   :0fwhb
>   | /usr/bin/spamassassin
>   :0H
>   * ^X-Spam-Status: Yes
>   /var/spool/mail/spam





RE: RDJ 404's

2007-07-26 Thread Skip Brott
> Ahhh.  Is sa-update compatible with SpamAssassin 3.0.3?  Some of us are
> still using that version for what we feel is a good reason (still using Debian
> Sarge on servers).

I only recently moved to 3.1.9 so I could implement sa-update.  I know I was
on a version later than 3.0.3 and was unable to get sa-update to work.  It
didn't have the --import option for the gpgkey and also the channels were
unavailable  (I believe I was on 3.1.0).



RE: ANNOUNCE: Apache SpamAssassin 3.2.2 available

2007-07-25 Thread Skip Brott
>> 
>> Just as in 3.2.1, I still get this error when trying to build:
>> 
>> REQUIRED module out of date: HTML::Parser
>> 
>> But I already installed HTML::Parser 3.56 with no errors.
>> 
>> I can't be the only one who has received this error, but nothing is 
>> indicating that I am missing any other dependencies.
>> 
>> - Skip
>
>Bummer
>
> Build which way?
>
>You don't give us enough info about your sys and or opsys to help you
>
> - rh

RHEL3, perl 5.8.8, sendmail 8.13, SA 3.1.9

rpmbuild -tb Mail-SpamAssassin-3.2.2.tar.gz throws the error

Thanks.

- Skip



RE: ANNOUNCE: Apache SpamAssassin 3.2.2 available

2007-07-25 Thread Skip Brott
Just as in 3.2.1, I still get this error when trying to build:

REQUIRED module out of date: HTML::Parser

But I already installed HTML::Parser 3.56 with no errors.

I can't be the only one who has received this error, but nothing is
indicating that I am missing any other dependencies.

- Skip



RE: Now its zip attachments ^^

2007-07-22 Thread Skip Brott
Not sure I agree about banning all attachments, but I would like to ban all
email with fonts as BIG as people can find and those which use any kind of
background stationery.



RE: not everyone is happy with SA

2007-07-20 Thread Skip Brott
> Why is it my responsibility as a holder of a valid email address to accept
> mail from anyone who wants to send me the mail? As the owner of the email
> address or, as the admin of the domain's mail server, I have no obligation
to
> accept your mail at all.
> Obligations should be on the sender.

I will respectfully disagree.  I believe you are pushing the burden onto the
sender rather than have your system accept the responsibility of reviewing
messages for you.  The C/R basically works the same way except the challenge
goes to the recipient.  Just a different concept.  Personally, I won't
employ either one.

And if the sender acknowledges the C/R, if the sender is not a "bot" but is
still from a source you don't want sending you email - what control do you
have over that?



RE: Sa-update question

2007-07-20 Thread Skip Brott
Steven Stern wrote:
> Did you import his key with sa-update --import his.key.file.here

Yes and I found my problem.  I missed the last line where I also had to
include the --gpgkey option.  I had been thinking that the --import option
took care of it, but both are required.



RE: not everyone is happy with SA

2007-07-20 Thread Skip Brott
I have found this whole line of debate somewhat interesting, but it has
clearly strayed from the real core question:

Who is responsible?

Is it the responsibility of the sender to verify that they indeed intended
to send the email?
Or is it the responsibility of the recipient to verify senders?

My personal opinion is that it is the latter.  If I send an email to a valid
address, I find it a bit offensive that they send a challenge back.  Why is
it my responsibility as the sender to teach another system to accept mail
from me?

Would it not seem a lot more appropriate for the recipient to be the one to
manage this?  The premise is the same, but it places the burden on the
recipient to make the determination - which, imho, is where the ultimate
responsibility lies.

I don't utilize blacklists on our system based on the same rationale.  I
don't want something completely outside of my control (i.e. spamhaus,
spamcop, etc) determining whether or not my email server should accept email
from a particular host.  While this adds some additional load to our system,
I would much rather allow the filtering rules to make the determination
based on content not strictly on a host address.

- Skip



RE: Sa-update question

2007-07-20 Thread Skip Brott
I ran with the --nogpg option and was able to get all the files to download.
Yay!  But do I really want to run it that way?
 
And on that note, how does SA know where to find the .cf files in
/var/lib/spamassassin?  Does it see subfolders and load the .cf files from
there?  Or do those downloaded updates automatically replace my .cf files in
/etc/mail/spamassassin, where I have always kept my rules?
 
- Skip


Sa-update question

2007-07-20 Thread Skip Brott
Using the recommended actions from this list, I run this:

sa-update --channelfile
/etc/mail/spamassassin/saupdate/sare-sa-update-channels.txt -D

I get this result from each channel:

[29610] dbg: gpg: gpg: Signature made Mon 04 Jun 2007 08:14:08 PM CDT using DSA key ID 856AA88A
[29610] dbg: gpg: [GNUPG:] SIG_ID vAQaZijSKL/MKS3+hHVCDl3GfgY 2007-06-05 1181006048
[29610] dbg: gpg: [GNUPG:] GOODSIG 3C5C05EB856AA88A Daryl C. W. O'Shea <[EMAIL PROTECTED]>
[29610] dbg: gpg: gpg: Good signature from "Daryl C. W. O'Shea <[EMAIL PROTECTED]>"
[29610] dbg: gpg: [GNUPG:] VALIDSIG ABE0C8743B87262E5FB04F2B3C5C05EB856AA88A 2007-06-05 1181006048 0
[29610] dbg: gpg: [GNUPG:] TRUST_UNDEFINED
[29610] dbg: gpg: gpg: WARNING: This key is not certified with a trusted signature!
[29610] dbg: gpg: gpg: There is no indication that the signature belongs to the owner.
[29610] dbg: gpg: Primary key fingerprint: ABE0 C874 3B87 262E 5FB0 4F2B 3C5C 05EB 856A A88A
[29610] dbg: gpg: found signature made by key ABE0C8743B87262E5FB04F2B3C5C05EB856AA88A
[29610] dbg: gpg: key id 856AA88A is not release trusted
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification failed.
channel: GPG validation failed, channel failed


I assume I am not the only one who sees this error (or at least who has seen
it).  Has anyone successfully addressed this?  Or do you simply use the
--nogpg option when running it?

- Skip
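The debug output above, and the later reply in this thread where Skip finds that `--import` alone was not enough and `--gpgkey` was needed as well, show two separate checks at work: gpg reports GOODSIG because the imported key is in the keyring, and sa-update then refuses the update because that key is not in its release-trusted set. As an added example, not sa-update's own code but a model of that check, here is the decision written out in Python and run over the status lines from the post. The trusted set is an assumption standing in for what `--gpgkey` adds (the fingerprint is taken from the output above); the status lines are the ones printed in the post. Running with `--nogpg` skips both conditions, so a channel mirror that hands you a modified rules file is accepted without complaint.

```python
import re

# Keys sa-update treats as release-trusted: its built-in release keys plus
# whatever you add with --gpgkey.  Assumed set for this example; the fingerprint
# is the one printed in the sa-update -D output above.
RELEASE_TRUSTED = {"ABE0C8743B87262E5FB04F2B3C5C05EB856AA88A"}

# Sample input: the gpg status lines from the sa-update -D output in the post.
SAMPLE_STATUS = [
    "[29610] dbg: gpg: gpg: Signature made Mon 04 Jun 2007 08:14:08 PM CDT using DSA key ID 856AA88A",
    "[29610] dbg: gpg: [GNUPG:] SIG_ID vAQaZijSKL/MKS3+hHVCDl3GfgY 2007-06-05 1181006048",
    "[29610] dbg: gpg: [GNUPG:] GOODSIG 3C5C05EB856AA88A Daryl C. W. O'Shea <[EMAIL PROTECTED]>",
    "[29610] dbg: gpg: [GNUPG:] VALIDSIG ABE0C8743B87262E5FB04F2B3C5C05EB856AA88A 2007-06-05 1181006048 0",
    "[29610] dbg: gpg: [GNUPG:] TRUST_UNDEFINED",
]

DBG_PREFIX = re.compile(r"^\[\d+\] dbg: gpg: ")


def parse_gpg_status(lines):
    """Extract the machine-readable [GNUPG:] records from gpg --status-fd output."""
    st = {"goodsig_keyid": None, "fingerprint": None, "bad": False}
    for line in lines:
        line = DBG_PREFIX.sub("", line.strip())    # tolerate the sa-update -D prefix
        if not line.startswith("[GNUPG:] "):
            continue                                # human-readable gpg chatter
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG" and len(fields) > 2:
            st["goodsig_keyid"] = fields[2]         # long key id of the signer
        elif tag == "VALIDSIG" and len(fields) > 2:
            st["fingerprint"] = fields[2].upper()   # full primary-key fingerprint
        elif tag in ("BADSIG", "ERRSIG", "NODATA", "EXPKEYSIG", "REVKEYSIG"):
            st["bad"] = True                        # treat anything but a clean GOODSIG as failure
    return st


def validate_update(status_lines, trusted=RELEASE_TRUSTED):
    """
    Return (accept, reason).  Two independent conditions, as in sa-update:
    the signature must verify (GOODSIG) AND the signing key must be in the
    release-trusted set.  --import only puts the key in the keyring, which
    satisfies the first; --gpgkey is what satisfies the second.
    """
    st = parse_gpg_status(status_lines)
    if st["bad"] or st["goodsig_keyid"] is None:
        return False, "no good signature on the update"
    fpr = st["fingerprint"]
    if fpr is None:
        return False, "good signature but gpg reported no VALIDSIG fingerprint"
    if fpr not in {t.upper() for t in trusted}:
        # This is the failure in the post: a genuine signature from a key that
        # was imported but never passed to --gpgkey.
        return False, f"key id {fpr[-8:]} is not release trusted"
    return True, f"signature good, key {fpr[-8:]} is release trusted"


if __name__ == "__main__":
    print("imported only:", validate_update(SAMPLE_STATUS, trusted=set()))
    print("imported + --gpgkey:", validate_update(SAMPLE_STATUS))
```

The first call reproduces the post's "key id 856AA88A is not release trusted"; the second shows what adding the key ID via `--gpgkey` changes. Nothing about the signature itself differs between the two runs, which is the point: a valid signature only tells you who signed, not whether you have decided to trust them.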


Really Stupid Question: Plugins

2007-07-18 Thread Skip Brott
I haven't yet had to implement any pdf plugins, but I am looking to do so.
I am running SA 3.1.9 and perl 5.8.8.  From what I can see, my plugins are
here:

/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/

And there is no related folder for 5.8.8

Is that the location where I want to install the plugin?

- Skip



RE: Can you setup a folder for certain emails to go ?

2007-07-10 Thread Skip Brott
My procmail script is set up to junk all emails with a score over 10.0 and
other "low spammy" emails are directed to a generic corporate spam email
account for review.  Depending on the volume of email, you may not want to
wait 3 months.  I check mine weekly and typically have close to 2000 emails.
And those are just the ones with low scores.  Prior to junking "high spammy"
emails my volume was double that in a day.

I'd share my script, but for fear of people trashing the configuration I
won't.  I am bad at scripting, so it is clunky but works...



Sa-update problem

2007-07-10 Thread Skip Brott
I recently was able to upgrade my SA install to 3.1.9 and get sa-update
working for the first time as a result.  (Thanks, Jonn!)  I just ran an
sa-update this morning with the -D and I am getting the following:

Insecure dependency in eval while running with -T switch at
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 1822.

Any ideas?  The install didn't report any dependency issues, so I am not
sure where this problem has arisen from.

- Skip



In place upgrade/update

2007-07-05 Thread Skip Brott
Treat me kindly as I am brand new here.

I am currently running SA 3.1.0 on RHEL3  with sendmail 8.13 and am
interested in upgrading SA to a newer version.  I have not been able to find
any documentation as to what I need to back up from my current installation.
I assume I need to keep all of my *.cf files located in
/etc/mail/spamassassin, but what else should I be concerned about?  I had
planned to upgrade to 3.2.1 but it was kicking out the dependency problems
which I am concerned about.  I opted for 3.1.9 and I just completed the
rpmbuild so the installation is ready but I don't want to lose any of my
existing configuration.

Thanks for any and all insight!

- Skip