Re: Erroneous doubled letters in subject

2008-10-03 Thread Skip Morrow
On Thu, Oct 2, 2008 at 2:49 PM, Kenneth Porter <[EMAIL PROTECTED]> wrote:

> On Wednesday, September 17, 2008 4:02 PM +0100 Justin Mason <[EMAIL PROTECTED]>
> wrote:
>
>> This is just in the dev ruleset -- for 3.3.0 -- so you're best off adding
>> it manually.  right now it's like this:
>>
>>  # thanks to Phil Randal on the users list for this tip
>>  rawbody __PR_TD_NOWRAP  //
>>  meta PR_TD_NOWRAP_BAT (__THEBAT_MUA && __PR_TD_NOWRAP)
>>
>
> I just want to report that this has been an incredibly effective rule, with
> no false positives. I'm amazed that I'm still catching tons of spam with it,
> that the spammers haven't changed their code. (But I've probably jinxed it
> by saying so, and it will be replaced tomorrow.)
>

I have a rule that looks only for the bat mailer.  I have NEVER received a
non-spam email from anyone using the bat mailer.  It's a very effective rule
for me that has never misfired.  I'll give that td_nowrap a looksie.


Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>
>
> anyway, if your SA only misses few spam, there's no need to try to improve
> that with new rules.
>
>
>
Yeah, this is the first spam I've gotten in about a month or maybe two. 
Still, I let it bug me too much.  That, and it's slow at work today.  I
guess I'll just let it go.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>
> sought != sought_fraud.
>
Whoops!  Thanks!  Got it now, but still no hits in that rule set either.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>>>
>>>
>> I am using bayes, but it didn't catch it.  I was quite surprised at
>> that.
>
> h...
>
> Content analysis details:   (6.3 points, 5.0 required)
>
>
> pts  rule name              description
> ---- ---------------------- --------------------------------------------------
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.]
> -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
> -0.0 SPF_PASS               SPF: sender matches SPF record
>  1.3 MISSING_HEADERS        Missing To: header
>  1.5 BASE64_LENGTH_79_INF   BODY: BASE64_LENGTH_79_INF
>  0.0 MIME_BASE64_BLANKS     RAW: Extra blank lines in base64 encoding
>
>
How interesting that you are hitting the BASE64_LENGTH_79_INF rule and I'm
not.  I just looked and I have never triggered that rule in any spams, but
I have triggered it in a couple of hams.  Now why would it work for you
and not for me hm.  I am using SA 3.2.4.  By the way, that
mime block is only 76 characters wide.

>
> sa-update and jm sought here. without Bayes, it's missed.
>
>
I ran sa-update just a few minutes ago and it didn't make a difference.

I habitually run most of my spam through sa-learn and most of my ham too. 
I know it's working b/c I do have a lot of spam trigger the BAYES_99 rule
(and others too).  I am still surprised that I had such a low score on
this one.  Bayes would have been my only saving grace here too.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>
> Silly question, but is "peloruso" the user that spamd is running as?
> user/database mismatch is a common problem.
>
I'm not using spamd, I call spamassassin from procmail.  I'm on a shared
host that doesn't allow users to run their own daemons (although they are
running their own spamd, but not with the options I want/need)

But, yes, all processes under my account are run as peloruso.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
Sorry about the double post--operator error.



Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
>> I am using bayes, but it didn't catch it.  I was quite surprised at
>> that.
>
> Doesn't look to me like you are using bayes.  There is no bayes score in
> the headers.
>
Oh.  I thought I was.  I do get reports in some messages.  Here's the
debug from this particular message:
[12541] dbg: config: read file /home/peloruso/.spamassassin/23_bayes.cf
[12541] dbg: config: read file /home/peloruso/.spamassassin/70_sare_bayes_poison_nxm.cf
[12541] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
[12541] dbg: config: fixed relative path: /home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using "/home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf" for included file
[12541] dbg: config: read file /home/peloruso/.spamassassin/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: fixed relative path: /home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf
[12541] dbg: config: using "/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/23_bayes.cf" for included file
[12541] dbg: bayes: tie-ing to DB file R/O /home/peloruso/.spamassassin/skip/bayes/bayes_toks
[12541] dbg: bayes: tie-ing to DB file R/O /home/peloruso/.spamassassin/skip/bayes/bayes_seen
[12541] dbg: bayes: found bayes db version 3
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: corpus size: nspam = 4748, nham = 1680
[12541] dbg: bayes: score = 2.02454774056449e-08
[12541] dbg: bayes: DB expiry: tokens in DB: 136363, Expiry max size: 15, Oldest atime: 1216674739, Newest atime: 1221711862, Last expire: 1220940612, Current time: 1221712855
[12541] dbg: bayes: DB journal sync: last sync: 1221706869
[12541] dbg: bayes: untie-ing

Anything look funny in there?  I see a very low score: 2.02e-08, but isn't
it still working?




Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
On Thu, September 18, 2008 9:33 am, John Hardin wrote:
> On Thu, 18 Sep 2008, Skip wrote:
>
>
>> What can I do to increase my chances on spammies like this one:
>> http://pastebin.com/m5f5d11e0
>>
>
> (1) train your bayes with it
>
I am using bayes, but it didn't catch it.  I was quite surprised at that.
>
> (2) try the sought fraud ruleset that Justin is generating
>
>
> http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
>
I'm using that too, and again no joy there.  It may be time for an
sa-update though.

Thanks for the ideas though :)

Skip




Re: Another low scoring obvious spam message

2008-09-18 Thread Skip Morrow
On Thu, September 18, 2008 8:55 am, mouss wrote:
> Skip wrote:
>
>> What can I do to increase my chances on spammies like this one:
>> http://pastebin.com/m5f5d11e0
>>
>>
>
> maybe
>
> header _CTYPE_PLAIN Content-Type =~ m|text/plain|
> header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|
>
>
I wonder if that would have too many false positives.
It got me thinking though.  I looked in the 20_body_tests.cf rules and see
the following rules:

rawbody __MIME_BASE64          eval:check_for_mime('mime_base64_count')
describe __MIME_BASE64         Includes a base64 attachment
rawbody MIME_BASE64_BLANKS     eval:check_for_mime('mime_base64_blanks')
describe MIME_BASE64_BLANKS    Extra blank lines in base64 encoding
rawbody MIME_BASE64_TEXT       eval:check_for_mime('mime_base64_encoded_text')
describe MIME_BASE64_TEXT      Message text disguised using base64 encoding

and from the 20_head_tests.cf
meta FROM_EXCESS_BASE64        __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME
describe FROM_EXCESS_BASE64    From: base64 encoded unnecessarily

Interestingly, I have had exactly three spams fire the MIME_BASE64_TEXT
rule in the past six months, but I have had ten hams fire the rule.  Too
many FPs for me.

Same with the FROM_EXCESS_BASE64 rule:  I have had zero spams fire that
rule, but have had two hams fire it (they were newsletters from Red Hat).

Sadly, these both sound like they would be good rules, but they don't seem
to live up to their potential. (Btw, I am working with about 6,000 spams
and 3,500 hams)

Quick aside:  Does SA decode the message body before running the body
tests?  I was really surprised that the decoded content on this message
didn't trigger any of the get rich quick rules, or my bayes.
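
Added example, not part of the original posts: a Python check for the structural features the rules named in this thread refer to (text/plain sent as base64, base64 line width, blank lines inside the base64 data), useful for seeing why such a rule did or did not hit a given message. The function names, the sample message and the 79-character threshold (inferred only from the rule name BASE64_LENGTH_79_INF) are assumptions, not SpamAssassin's own code.

```python
import base64
from email import message_from_bytes

# Constructed sample text; not taken from the message discussed in the thread.
TEXT = b"Constructed sample body: make money fast, reply today. " * 4
LONG_LINE = 79  # assumption: threshold inferred from the rule name only


def build_sample(width=76, blank_lines=False):
    """Build a constructed text/plain message whose body is base64-encoded."""
    b64 = base64.b64encode(TEXT).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    sep = "\r\n\r\n" if blank_lines else "\r\n"
    headers = (
        "From: sender@example.com\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
    )
    return (headers + sep.join(lines) + "\r\n").encode("ascii")


def inspect_base64_parts(raw):
    """Report, per base64 part, the structural features the rules are named for."""
    findings = []
    for part in message_from_bytes(raw).walk():
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if part.is_multipart() or cte != "base64":
            continue
        lines = part.get_payload(decode=False).splitlines()  # still encoded
        while lines and not lines[-1].strip():
            lines.pop()  # ignore trailing blank lines after the data
        longest = max((len(l) for l in lines), default=0)
        findings.append({
            "content_type": part.get_content_type(),
            "text_as_base64": part.get_content_maintype() == "text",
            "max_line_len": longest,
            "long_line": longest >= LONG_LINE,
            "blank_lines": sum(1 for l in lines if not l.strip()),
            "decoded": part.get_payload(decode=True),  # text a content rule would need
        })
    return findings


if __name__ == "__main__":
    for raw in (build_sample(), build_sample(width=100, blank_lines=True)):
        for f in inspect_base64_parts(raw):
            print({k: v for k, v in f.items() if k != "decoded"})
```
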



Re: Setting up razor

2008-09-08 Thread Skip Morrow
On Sun, September 7, 2008 10:09 am, Skip wrote:
>
> Michael Scheidell wrote:
>>> It was the
>>> firewall.  I got that fixed.  Now, here's my next problem.  I think taint
>>> mode is stopping razor from running on my system.  Since I can't be root,
>>> I have to install Razor in my home directory.  So
>> Will
>> the system administrator allow you to set up a 'jailed',zen or vm
>> environment so you can look like you are root while protecting his bas
>> server?  Can you razor installed in the main system root?

> I seriously doubt it.  Is that my only option?

I posted this over the weekend, and I would like to politely and
respectfully repost it one more time this morning to see if anyone has any
ideas to help me install Razor.  Sorry to be such a pest.

Skip
--  Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]




Re: auto-whitelist file location in 3.2.4

2008-06-26 Thread Skip Morrow
> That option wasn't removed from SA.. it was removed from the main conf
> docs, as all of the AWL is now a plugin. That option is documented in the
> docs for the AWL plugin, which is where it really belongs. (if the option
> isn't valid without the plugin, then it in theory shouldn't be in the main
> Conf manpage..)
>
>
>
> See
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_AWL.html
>
>
>
I see, and got it working.  Next question:  How would I set it up so that
I could have a separate whitelist for each user (I only have four users)? 
Again, I call spamassassin from procmail, and each user has its own
procmailrc, so I can easily hardcode in the command as an argument to
spamassassin.  But I haven't seen a way yet to tell spamassassin to look
in a particular place for the .cf files for the plugins.  On bluehost,
somehow spamassassin knows to look in the ~/.spamassassin folder for the
*.cf files.  Worst case I write a rule to copy the right .cf file into
place depending on which procmailrc is executing (and placing in some file
locks of course), but I'd hate to kludge that into place.