WhiteListSubject Plugin
I am running SpamAssassin under Amavisd-new (Mac OS X Yosemite; OS X Server).

My local.cf file contains

    loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
    header SUBJECT_IN_BLACKLIST eval:check_subject_in_blacklist()
    describe SUBJECT_IN_BLACKLIST Subject header is in user's black-list
    include /usr/local/mail/blacksubjects

The plugin does not appear to be running. Ideas?

-- Vicki
Vicki Brown cfcl.com/vlb twitter.com/vlb

How to check that plugin is accessed?
I am running SpamAssassin under Amavisd-new (Mac OS X Yosemite; OS X Server).

My local.cf file contains

    loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
    header SUBJECT_IN_BLACKLIST eval:check_subject_in_blacklist()
    describe SUBJECT_IN_BLACKLIST Subject header is in user's black-list
    include /usr/local/mail/blacksubjects

Other than lowering the score for subjects in the blacklist, is there a simple way to test that the plugin is loading?

-- Vicki
Vicki Brown cfcl.com/vlb twitter.com/vlb

Testing for an X-header
I have some X-headers I'm adding with Procmail, e.g.

    X-Procmail: [DEAR-OCCUPANT]

I thought that SA's ALL header test type would do the trick for matching these but it doesn't seem to be triggering.

The rule

    header CF_DEAR_OCCUPANT ALL =~ /\[DEAR-OCCUPANT\]/
    score CF_DEAR_OCCUPANT 0.5
    describe CF_DEAR_OCCUPANT Not explicitly To (or Cc) me

The email

    From: Online Pharmacy-Wholesale [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Frequency
    Date: Thu, 31 Mar 2005 18:35:44 -0800
    X-Priority: 3
    X-Procmail: [DEAR-OCCUPANT]
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
    X-Spam-Level: *
    X-Spam-Status: Yes, score=5.2 required=0.5 tests=EXTRA_MPART_TYPE,
        FORGED_RCVD_HELO,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE
        autolearn=disabled version=3.0.2

p.s. Yes, ran spamassassin --lint
p.p.s. Yes I hupped spamd

--
Vicki Brown
Journeyman Sourceror: Code, Docs, Process, Scripts Philtres
Perl, WWW, Mac OS X
http://cfcl.com/vlb
SF Bay Area, CA USA

Re: How do I whitelist this list? (*nix procmail recipe)
At 09:37 -0600 03/22/2005, Bob McClure Jr wrote:
> I don't even allow mail from this list to go through SA. In my ~/.procmailrc, I have a recipe prior to the call to spamc like this:

I do something similar but different. All of my white lists are outside of my procmailrc so I can edit them more easily. One address per line, e.g.

    users@spamassassin.apache.org

I do blacklisting the same way.

I keep a separate whitemlists file for mailing lists vs. people because some lists put the list address in the From: field, but many put the list name in the To: field. My human correspondents whitelist only checks From.

Here's an excerpt from my procmailrc. Whenever I bypass SA, I add an X header to tell me that I bypassed and why.

    GREP="egrep -iqsf"                      # ignore case, quiet, suppress errors,
    FGREP="fgrep -iwf"                      # ignore case (whole words? -w)

    # mail from the following bypasses all other filtering
    WHITELIST=$PMDIR/whitelist              # people
    WHITEMLISTS=$PMDIR/whitemlists          # mailing lists
    WHITEDOMAINS=$PMDIR/whitedomains        # domains

    # mail from these is deleted
    BLACKLIST=$PMDIR/blacklist              # people
    BLACKDOMAINS=$PMDIR/blackdomains        # domains
    BLACKSUBJECTS=$PMDIR/blacksubjects      # subject lines

    SUBJECT=`formail -zxSubject:`
    SENTFROM=`formail -zxFrom: -zxReply-To:`
    SENTTO=`formail -zxTo: -zxCc:`
    ...

    # White Listing
    # mailing lists (To)
    :0 H
    * ? (echo ${SENTFROM} | $FGREP ${WHITEMLISTS})
    {
        :0f
        * ^Subject:
        | formail -A 'X-Bypass: [MLIST-OK]'

        :0
        ${DEFAULT}
    }

    :0 H
    * ? (echo ${SENTTO} | $FGREP ${WHITEMLISTS})
    {
        :0f
        * ^Subject:
        | formail -A 'X-Bypass: [MLIST-OK]'

        :0
        ${DEFAULT}
    }

-- Vicki Brown

back where I was: why is this rule misfiring?
What is going on here?

The rule

    header CF_NOT_FOR_ME ToCc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])\.com/i
    score CF_NOT_FOR_ME 0.01
    describe CF_NOT_FOR_ME Neither To nor Cc me

The mail

    Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177])
        by cfcl.com (8.12.6/8.12.6) with ESMTP id j2MNxFnu051106
        for [EMAIL PROTECTED]; Tue, 22 Mar 2005 15:59:16 -0800 (PST)
        (envelope-from [EMAIL PROTECTED])
    ...
    From: Marcel Bresink [EMAIL PROTECTED]
    Subject: Re: TinkerTool System Feedback
    Date: Wed, 23 Mar 2005 00:56:43 +0100
    To: Vicki Brown [EMAIL PROTECTED]

The SA Report

    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
    X-Spam-Level: *
    X-Spam-Status: Yes, score=1.0 required=0.5 tests=CF_NOT_FOR_ME
        autolearn=disabled version=3.0.2
    X-Spam-Report:
        * 1.0 CF_NOT_FOR_ME Neither To nor Cc me

The mail is To: Vicki Brown [EMAIL PROTECTED]
The test should not trigger.

Required disclaimer:
Yes, I ran spamassassin --lint
Yes I hupped spamd recently (I shouldn't need to; this is a user rule)
Yes we allow user rules (yes we trust our users :)

Last time someone suggested that my M[TU]A might add a To: line if it was missing. Even if that was occurring, I doubt it would add my full name as well.

Besides which, according to my procmail logs, my address _was_ in the To: header well before the mail was piped into spamc.

    procmail: [47355] Tue Mar 22 15:38:13 2005
    ...
    procmail: Executing formail,-zxFrom:,-zxReply-To:
    procmail: Assigning SENTFROM=Marcel Bresink [EMAIL PROTECTED]
    procmail: Executing formail,-zxTo:,-zxCc:
    procmail: Assigning SENTTO=Vicki Brown [EMAIL PROTECTED]

So why does spamd say that

    Vicki Brown [EMAIL PROTECTED] !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])\.com/i

I ran this through vanilla Perl and

    Vicki Brown [EMAIL PROTECTED] =~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])\.com/i

-- Vicki Brown

Re: re-read the config file iff it has changed
At 13:55 -0500 03/20/2005, Theo Van Dinter wrote:
> > I simply do not believe there can be a substantial hit if spamd re-reads the config file
> Besides the fact there are tens of config files that would have to be watched (

It's _already_ watching and __reading__ tens of config files.

man spamd:
    ...spamd will check per-user config files for every message,

What's one more on rare occasions, really?

I'm sorry. I don't buy the arguments. I will remain unconvinced.

-- Vicki Brown

Re: All_TRUSTED (not)
At 19:07 -0500 03/20/2005, David Brodbeck wrote:
> I actually have the opposite opinion -- because the trust path guessing fails in a fair number of cases, I think it might be better to just have SpamAssassin refuse to run if people don't set it.

That's not an opposite opinion. That's precisely my opinion.

-- Vicki Brown

Re: re-read the config file iff it has changed
At 13:55 -0500 03/20/2005, Theo Van Dinter wrote:
> Well, that's not sendmail rereading the config. newaliases generates a new DBM/hash file from a flat text file. Sendmail then realizes the file (that it has open) has changed and reopens the new file for access. The DB is a lookup table, not a config (ala sendmail.cf).

Duh.

> Sendmail then realizes the file (that it has open) has changed and reopens the new file for access.

This is what we programmers call an implementation detail. If spamd/spamc already _had_ the code to do what I want I wouldn't be asking for it, now would I?

At 11:24 +0900 03/21/2005, alan premselaar wrote:
> For clarity's sake, sendmail has real-time access to certain db files (like aliases.db which is generated by 'newaliases'). since sendmail has real-time access to these files, re-creating the .db file from the text version is all that is necessary.

Uhuh.

> in order to read the config file in only when it has been changed you need to store state information somewhere

uhuh.

> when fine-tuning for performance, even a call to stat() on a file or group of files can introduce performance hits. This is because it effectively still has to open and close the file-handle.

options. Recall that I did say an option to...'. I will accept the hit (which I personally think wouldn't be big enough to notice).

Theo Van Dinter
> This is a very standard method of having a daemon notice a config change.

But this is a daemon that notices changes in user prefs files in real time so the performance issue is spurious. It's _already_ taking a performance hit _every single time_ for every single user.

-- Vicki Brown

Re: spamd and spamassassin appear to have different results
At 13:36 -0600 03/19/2005, Michael Parker wrote:
> On Sat, Mar 19, 2005 at 11:24:43AM -0800, Vicki Brown wrote:
> > Why can't spamd re-read the system rules file if it's been changed? That's not difficult to test for (quickly). I'll take an option to do this PLEASE.
> You might enjoy that, but the performance hit it would cause would not be liked by everyone else.

a) I don't think there'd be that much of a performance hit if it first checked to see if the file had changed and only read the rule set iff the file had changed

b) that's precisely why I said I'll take an option to do this because that way _no one else would be affected_ unless they were someone like me who thought reading the changes was more important than half a microsecond.

-- Vicki Brown

Re: Best way to disable a test from running?
At 15:26 -0500 03/19/2005, Eric A. Hall wrote:
> Vicki Brown wrote:
> > I could give it a score of 0 but I'd like to simply say don't even test against it. I'm getting tired of seeing ALL_TRUSTED. We run SMTP; they connect directly to us; there are no interim hosts.
> You just want to do this for specific hosts, or period?

I am getting ALL_TRUSTED on the same report that says the sender is in a black list. I am unable to trust ALL_TRUSTED.

-- Vicki Brown

re-read the config file iff it has changed
At 17:40 -0800 03/19/2005, jdow wrote:
> There is a substantial hit, Vicki, on the order of a factor of two on my machines.

We are talking about _Only when the Config File has Changed_. OK, so you get a factor of two, what, once a week?

Sendmail does this (you run newaliases or make to trigger it). I simply do not believe there can be a substantial hit if spamd re-reads the config file Only When The Config File Has Changed

> You can accomplish the same thing you seem to want by changing your call to spamc into a call to spamassassin itself. You can simulate exactly what you want by changing to one child and the child runs once, I think.

no; that will run the config file every time. I do not want to read the config file every time.

> Because the spamd speedup comes from caching the system rules as well as from avoiding the perl startup time.

That has only a slight peripheral relationship to what I requested.

Rebuild the Cache IFF the Config file has changed

-- Vicki Brown

Re: Best way to disable a test from running?
At 16:36 -0800 03/19/2005, jdow wrote:
> > I'm getting tired of seeing ALL_TRUSTED. We run SMTP; they connect directly to us; there are no interim hosts.
> Fix the DNS. This rule is not nice to disable.

Nice for whom? This rule is lying to me.

What do you mean by fix the DNS? There's nothing wrong with our DNS.

> Hit the wiki and look for ALL_TRUSTED for some hints.

Um, 3 hits out of 485 pages searched. Specifically, two pages, nothing useful. Could you be more specific?

-- Vicki Brown

All_TRUSTED (not)
At 10:45 -0800 03/20/2005, Jeff Chan wrote:
> The trust path needs to be set correctly for things to work properly.

If the trust path is not set correctly by default, then the rule should not be enabled by default. That's just wrong.

It's nice to know it's not just me getting bitten by this

http://readlist.com/lists/incubator.apache.org/spamassassin-users/1/9592.html
Subject: disabling ALL_TRUSTED
Group: Spamassassin-users
From: Arvinn Løkkebakken
Date: 07 Feb 2005
> How do I disable the ALL_TRUSTED test? It's hitting spam more and more often by misinterpreting Received: headers, i.e. claiming the mail passed through trusted hosts when it didn't. That makes it a very dangerous setting since it may trigger auto-learning spam as ham. It already has several times on my server.

http://bugzilla.spamassassin.org/show_bug.cgi?id=3636
> ALL_TRUSTED rule is being triggered on E-Mail that is from a mail server outside of my network. Trusted networks are not specified in my config.
* marked WONTFIX

http://www.paulstimesink.com/
pwestbro | 16 March, 2005 14:43
> I have started seeing spam messages getting through my filter. It looks like it is being caused because the spammers are sending mail from computers that have not been listed as untrusted relays. So as spammers are taking over more and more zombie PCs, the ALL_TRUSTED rule is being triggered.

http://www.mailarchives.org/list/spam-assassin/msg/2004/12778
From: Matt Kettler [mailto:mkettler_sa@protected]
Sent: Thu 11/4/2004 7:55 AM
To: Jason Haar; SpamAssassin Users
Subject: Re: Should ALL_TRUSTED be doing this?
> At 04:20 PM 11/4/2004 +1300, Jason Haar wrote:
> > I've been getting a fair amount of missed spam with SA-3.01 that looks like it would have been caught if it wasn't for ALL_TRUSTED.
>
> No, it should not. You have one of two problems:
>
> 1) SA is confused about trust. This typically happens if your outer-most mailserver is address translated and has a reserved non-routable IP address assigned. SA generally assumes the first non-reserved IP is your outside MX, but this isn't true for a lot of networks that NAT their mailservers.
>
> To fix: set trusted_networks manually in your local.cf. Include just your mailservers in this. ie if I had two servers, one external MX numbered 192.168.1.8 and a SA scanning box at 192.168.20.8 I could do this:
>
>     trusted_networks 192.168.1.8/32
>     trusted_networks 192.168.20.8/32
>
> 2) The other case is SA can't parse your Received: headers. If you run a message through spamassassin -D you'll see debug lines complaining about it:
>
>     debug: received-header: unknown format:
>
> To fix: short term, force the score of ALL_TRUSTED to 0.
>
>     score ALL_TRUSTED 0
>
> If it's a received line starting with by, then it's this bug:
> http://bugzilla.spamassassin.org/show_bug.cgi?id=3600
> Otherwise, create a new bug in the bugzilla, and attach a sample.

-- Vicki Brown

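The risk described in this post (ALL_TRUSTED firing on mail that also hits a blocklist, and the result being auto-learned as ham) can be checked for in delivered mail. The following is an added example, not part of the original posts or of SpamAssassin: a shell function that unfolds each message's X-Spam-Status header and reports ALL_TRUSTED appearing together with URIBL_* or RCVD_IN_* hits. The function names and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find messages where ALL_TRUSTED fired
# alongside a blocklist rule, a sign that the trust path is misconfigured.

# Print the unfolded X-Spam-Status header of one message file.
spam_status() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^$/ { exit }                            # headers end at first blank line
        /^X-Spam-Status:/ { on = 1; buf = $0; next }
        on && /^[ \t]/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }
        { on = 0 }                               # any other header ends the fold
        END { print buf }
    ' "$1"
}

# For each file given, print "FILE<TAB>blocklist hits<TAB>autolearn value"
# when ALL_TRUSTED and at least one URIBL_*/RCVD_IN_* rule both fired.
flag_suspect_trust() {
    for f in "$@"; do
        status=$(spam_status "$f")
        # The tests= list may contain spaces where the header was folded.
        tests=$(printf '%s\n' "$status" |
            sed -n 's/.*tests=\(.*\) autolearn=.*/\1/p' | tr -d ' \t')
        learn=$(printf '%s\n' "$status" |
            sed -n 's/.* autolearn=\([a-z]*\).*/\1/p')
        case ",$tests," in
            *,ALL_TRUSTED,*) ;;
            *) continue ;;
        esac
        hits=$(printf '%s\n' "$tests" | tr ',' '\n' |
            grep -E '^(URIBL_|RCVD_IN_)' | paste -sd, -)
        [ -n "$hits" ] && printf '%s\t%s\t%s\n' "$f" "$hits" "$learn"
    done
    return 0
}

# Constructed sample message; the X-Spam-Status value mirrors the shape of
# the headers quoted in this thread. The body line must be ignored.
sample_message() {
    cat <<'EOF'
Subject: constructed sample
X-Spam-Status: No, score=-0.6 required=0.5 tests=ALL_TRUSTED,CF_NOT_FOR_ME,
    HTML_30_40,HTML_MESSAGE,URIBL_SBL autolearn=ham version=3.0.2

tests=ALL_TRUSTED,URIBL_FAKE autolearn=ham (body text, not a header)
EOF
}
```

Run it as `flag_suspect_trust ~/Maildir/cur/*` (path is an example); any line with `ham` in the last column is a message the Bayes auto-learner took as ham despite a blocklist hit.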
spamd and spamassassin appear to have different results
The rule

    header __CF_NOT_TO_ME To !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
    header __CF_NOT_CC_ME Cc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
    meta CF_NOT_FOR_ME __CF_NOT_TO_ME && __CF_NOT_CC_ME
    score CF_NOT_FOR_ME 0.01
    describe CF_NOT_FOR_ME Neither To nor Cc me

The mail:

    Date: Fri, 18 Mar 2005 09:05:50 -0500
    From: TINY Video Camera [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: A TINY digital video camera from DigiVu

    This Advertisment was brought to you by Newageoptin...

The SA result:

    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
    X-Spam-Level:
    X-Spam-Status: No, score=-0.6 required=0.5 tests=ALL_TRUSTED,CF_NOT_FOR_ME,
        HTML_30_40,HTML_MESSAGE,URIBL_SBL autolearn=ham version=3.0.2

And that's not right. It _is_ for me. The CF_NOT_FOR_ME rule should not have triggered.

What I like even less about this is that if I send that message through spamassassin -D I get the results I expect (CF_NOT_FOR_ME does _not_ trigger).

    debug: is spam? score=-0.371 required=0.5
    debug: tests=ALL_TRUSTED,URIBL_SBL
    debug: subtests=__CF_NOT_CC_ME,__HAS_SUBJECT,__UNUSABLE_MSGID

    Date: Fri, 18 Mar 2005 09:05:50 -0500
    From: TINY Video Camera [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: A TINY digital video camera from DigiVu
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
    X-Spam-Level:
    X-Spam-Status: No, score=-0.4 required=0.5 tests=ALL_TRUSTED,URIBL_SBL
        autolearn=ham version=3.0.2

Spamassassin does what I think it should; spamc/spamd fails me.

I am beginning to get the bad feeling that spamd is not working correctly. But what if anything can I / should I do about it? Should I adjust all of our user procmail files to call spamassassin directly instead of using spamc/spamd?

-- Vicki Brown

spamd rules and scores
At 23:25 -0800 03/18/2005, jdow wrote:
> Not having read the first part of this I do note there is not any blanket way to say it's only related to not starting spamd. There is still the 3.0x bug related to spamd children. The FIRST time a child runs a message it reads rules properly. Every time after the first time it does not pick up the per user rule scores. It picks up the user rules but not the scores. I *WISH* this could be repaired. {^_^}

FERVENT agreement here. This bug is driving me nutso. According to the bugzilla thread, it's been repaired but where's the patch update?

-- Vicki Brown

Best way to disable a test from running?
I could give it a score of 0 but I'd like to simply say don't even test against it.

I'm getting tired of seeing ALL_TRUSTED. We run SMTP; they connect directly to us; there are no interim hosts.

I could edit the underlying rule file but then I'd have to do that after any update. Is there an off switch I've missed seeing?

-- Vicki Brown

Re: spamd and spamassassin appear to have different results
At 10:55 -0500 03/19/2005, Matt Kettler wrote:
> And be sure to spamassassin --lint it (should run without any messages), and restart spamd after adding the rules.

<vent>
I realize that this is standard canonical advice and I will make the necessary assumption that it's not really being directed at me but... I am so tired of seeing this reminder. I KNOW about this now. Honest. I only have to be told once.

lint; HUP; edit; lint; HUP. I'm about to script the [EMAIL PROTECTED]* infernal thing.

Why can't spamd re-read the system rules file if it's been changed? That's not difficult to test for (quickly). I'll take an option to do this PLEASE.
</vent>

-- Vicki Brown

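The lint-then-HUP cycle described in this post, run only when a rules file has actually changed, as an added example that is not part of the original post or of SpamAssassin. The default paths, the stamp file and the `pkill` reload command are assumptions; adjust them to the local installation.

```shell
#!/bin/sh
# Added example (not from the thread): reload spamd only when a site rules
# file is newer than the last successful reload, and only if --lint passes.

# Assumed defaults; override in the environment before calling.
CONF_DIR=${CONF_DIR:-/etc/mail/spamassassin}
STAMP=${STAMP:-/var/run/sa-rules.stamp}
LINT_CMD=${LINT_CMD:-"spamassassin --lint"}
RELOAD_CMD=${RELOAD_CMD:-"pkill -HUP -x spamd"}

# Succeeds when there is no stamp yet, or when any *.cf / *.pre file under
# CONF_DIR has a modification time newer than the stamp.
rules_changed() {
    [ -f "$STAMP" ] || return 0
    newer=$(find "$CONF_DIR" -type f \( -name '*.cf' -o -name '*.pre' \) \
        -newer "$STAMP" -print | head -n 1)
    [ -n "$newer" ]
}

# Prints one of: unchanged, lint-failed, reload-failed, reloaded.
# Returns non-zero when the rules changed but were not loaded.
reload_if_changed() {
    if ! rules_changed; then
        echo unchanged
        return 0
    fi
    # Take the timestamp before linting, so an edit made while lint is
    # running is still newer than the stamp and is picked up next time.
    new="$STAMP.$$"
    touch "$new" || return 1
    if ! $LINT_CMD >/dev/null 2>&1; then
        rm -f "$new"
        echo lint-failed        # keep the running daemon on the old rules
        return 1
    fi
    if ! $RELOAD_CMD; then
        rm -f "$new"
        echo reload-failed
        return 1
    fi
    mv "$new" "$STAMP"
    echo reloaded
}
```

Called from cron every minute, this costs one `find` over the rules directory per run and leaves the running daemon untouched when an edit fails lint.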
Re: spamd and spamassassin appear to have different results
At 23:02 -0800 03/18/2005, Daniel Quinlan wrote:
> Easier:
>
>     header CF_NOT_FOR_ME ToCc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i

Well, yeah, at least shorter and arguably cleaner but I was a) playing with meta rules and b) at one point had this idea that I might actually do something with the individual NOT_TO and NOT_CC information...

I did switch to the shorter test above (last night) and the problem seems to be gone as far as my mailbox is concerned, which brings me back to my initial question: Why do spamd and spamassassin appear to have different results?

Why does spamassassin seem to have no problems understanding

    header __CF_NOT_TO_ME To !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
    header __CF_NOT_CC_ME Cc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
    meta CF_NOT_FOR_ME __CF_NOT_TO_ME && __CF_NOT_CC_ME

and doing the right thing but spamd does appear to have problems and do the wrong thing.

Is there something wrong with the header or meta rules above? Or is there something wrong with spamd?

(We've passed the get Vicki's configuration working general tech support question and have now moved into the area of understanding and debugging the workings of SA and friends).

-- Vicki Brown

rule didn't fire
Ok. What totally mindless dumb thing did I do that I just can't see?

This rule is in my /etc/mail/spamassassin/local.cf

    body CF_BAD_URL4 /www\.(vdrugz|gh6)\.net/i
    score CF_BAD_URL4 10.0
    describe CF_BAD_URL4 .net Junk site

I received a piece of mail containing the string http://www.gh6.net/

Yet the rule did not fire

    Subject: Prescription Drugs
    Date: Thu, 17 Mar 2005 07:39:25 +0700
    X-Priority: 3
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
    X-Spam-Level: ***
    X-Spam-Status: Yes, score=3.0 required=0.5 tests=FORGED_RCVD_HELO
        autolearn=no version=3.0.2

    Online pharmacy - Visit our online store and save.
    Save up to 80% compared to normal rates.
    All popular drugs are available!
    - World wide shipping
    - No Doctor Visits
    - No Prescriptions
    - Next Day Priority Shipping
    - Discreet Packaging
    - Buy in Bulk and Save!
    We make it easier and faster than ever to get the prescriptions you need.
    Go here: http://www.gh6.net/

-- Vicki Brown

Re: Blacklisting embedded URLs
At 23:31 +0100 03/16/2005, Kai Schaetzl wrote:
> Vicki Brown wrote on Wed, 16 Mar 2005 13:00:59 -0800:
> > Okaaay. Help me out here, please? If network tests are enabled? I change essentially nothing from the defaults. Mail::SpamAssassin::Plugin::URIDNSBL is loaded in init.pre. Net::DNS is up to date. But as I'm apparently not using URIDNSBL or SURBL... how do I ensure that network tests are enabled?
> You don't need to have RBL tests enabled if that is what is meant by network tests. You only need to have it configured in init.pre (I think's commented out by default). I assume you have to have dns_available yes. Test it with spamassassin -D.

it? Meaning URIDNSBL? That is enabled.

    %cat /etc/mail/spamassassin/init.pre
    # This is the right place to customize your installation of SpamAssassin.
    ...
    # URIDNSBL - look up URLs found in the message against several DNS
    # blocklists.
    #
    loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
    ...

> I assume you have to have dns_available yes.

Where? In /etc/mail/spamassassin/local.cf but perhaps not as SA seems to figure this out on its own (see below)

> Test it with spamassassin -D.

I'm not sure what I'm supposed to be looking for, but if this is any indication:

    debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84f3804) implements 'parsed_metadata'
    debug: is Net::DNS::Resolver available? yes
    debug: Net::DNS version: 0.48
    debug: trying (3) google.com...
    debug: looking up NS for 'google.com'
    debug: NS lookup of google.com succeeded = Dns available (set dns_available to hardcode)
    debug: is DNS available? 1
    debug: URIDNSBL: domains to query:
    debug: all '*From' addrs:

Network hooha and DNS are all properly enabled and yet... doing nothing valuable seems to be happening as far as I can tell. The empty list of domains to query seems to be a big clue that something is very wrong.

    debug: URIDNSBL: domains to query:

So... what is _still_ missing? What do I need to turn on / configure / set? And where?

-- Vicki Brown

Re: rule didn't fire
At 17:57 -0800 03/16/2005, Loren Wilton wrote:
> > Ok. What totally mindless dumb thing did I do that I just can't see?
> How are you running SA?

spamd -d -c at system startup then, from procmailrc, I push each message through

    | /usr/local/bin/spamc -s 256000 -t 60

> Did you restart spamd?

N.

> In many setups SA is persistent, and needs to be explicitly reloaded in some way or other to reload the modified rules.

Oh that would be truly disgustable. You say In many setups. What's the best way to ensure that I am _not_ one of those setups?

> Did you run spamassassin --lint from the console

yes. No errors.

> It would be better to use (?: rather than just (. Without the ?: the parens form a capturing group, which is very slow. With the (?: the group is just a grouping indicator, which is fast.

Thanks. Performance improvement hints are always appreciated.

> Also, it wouldn't hurt to make sure that there aren't more letters before the www or after the net, to make sure that you are seeing what you really think you are seeing.

Well, I don't really care, actually, for this pattern. There's probably a / in front (specifically http://) and a / or a space or whoknowswhat after. But few things that aren't URLs have this look about them and I figure the www. and the .net are sufficient to ensure it's actually a URL and not the middle of something else. Your point is well taken for dictionary word patterns of course.

-- Vicki Brown

Re: [SPAM-TAG] rule didn't fire
At 18:12 -0800 03/16/2005, Jeff Chan wrote:
> Don't make a rule, use SURBLs. This one is listed five times over:

Well, yes, good idea. But. As you're already aware, I'm (somehow) not able to do that. Different thread...

Besides, it's actually only a coincidental detail as to which rule didn't fire. This happened to be a rule for a URL. The basic question is I have a rule; it didn't fire. I'm confused. :(

(nevertheless I am indebted to Matt Kettler - I had missed the existence of uri rules).

-- Vicki Brown

Re: Blacklisting embedded URLs
> Did the message you tested with have a URI? If so what was it?

Sigh. :-( No. I naively thought it would list something anyway. Back to circle 1.

OK, so I ran it again against a message with lots of URIs (specifically one of my previous messages which got pummeled by dailyhills :-) and spamassassin -D had a grand old time telling me which URLs were listed at which BL sites. Yippee. It works with spamassassin -D. :-(

This still doesn't explain why it doesn't work with my standard setup, i.e.

    spamd -d -c

in the background and

    /usr/local/bin/spamc -s 256000 -t 60

via procmail :-(

For proof, here's the spam report on a (different) message I received tonight. First, as it arrived in my inbox earlier this evening (having passed through spamd/spamc):

    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
    X-Spam-Level: ***
    X-Spam-Status: Yes, score=3.6 required=0.5 tests=BIZ_TLD,MSGID_DOLLARS
        autolearn=no version=3.0.2
    X-Spam-Report:
        * 0.5 BIZ_TLD URI: Contains an URL in the BIZ top-level domain
        * 3.1 MSGID_DOLLARS Message-Id has pattern used in spam

And here's the spam report for the identical message after I pushed it manually through spamassassin -D (cool, my URI rules are firing now; many thanks to Loren Wilton and Matt Kettler ;-)

    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
    X-Spam-Level:
    X-Spam-Status: Yes, score=16.8 required=0.5 tests=ALL_TRUSTED,BIZ_TLD,
        CF_BAD_URL1,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
        URIBL_WS_SURBL autolearn=no version=3.0.2
    X-Spam-Report:
        * -2.8 ALL_TRUSTED Did not pass through any untrusted hosts
        * 10 CF_BAD_URL1 URI: XXX site
        * 0.5 BIZ_TLD URI: Contains an URL in the BIZ top-level domain
        * 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
        * [URIs: a123s.biz]
        * 2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
        * [URIs: a123s.biz]
        * 0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
        * [URIs: a123s.biz]
        * 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
        * [URIs: a123s.biz]
        * 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
        * [URIs: a123s.biz]

-- Vicki Brown

Blacklisting embedded URLs
I've been going through a bunch of spam and blacklisting domains. However, some of the more frequent offenders are in the body of the message. For example, today I found about half a dozen porno spams that contained a reference to http://www.a123s.biz/...

I can do a body match rule. Is there anything else I can do? Is there something useful that could be added to SpamAssassin for blacklisting URLs within the body of a message?

I have something like this for my weblog; I use Movable Type with MT-Blacklist. It goes through a spam comment and grabs all the URLs it finds and adds those to the internal blacklist. Very handy for Texas Hold-em Poker spamments.

-- Vicki Brown

Re: Blacklisting embedded URLs
At 20:48 -0800 03/15/2005, Jeff Chan wrote:
> Yes, please see URIDNSBL and SURBL:
> http://spamassassin.apache.org/full/3.0.x/dist/lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm
> http://www.surbl.org/
> which are built into SpamAssassin 3 and enabled by default if network tests are enabled.

Okaaay. Help me out here, please? If network tests are enabled? I change essentially nothing from the defaults. Mail::SpamAssassin::Plugin::URIDNSBL is loaded in init.pre. Net::DNS is up to date. But as I'm apparently not using URIDNSBL or SURBL... how do I ensure that network tests are enabled?

I run spamd -d -c at system startup then, from procmailrc, I push each message through

    | /usr/local/bin/spamc -s 256000 -t 60

What do I need to know/do/read to enable network tests?

-- Vicki Brown

Re: rule for mail not to me
At 20:15 -0800 03/06/2005, Vicki Brown wrote:
> I can create a user rule for mail not addressed (To or Cc) to me
>     header CF_NOT_FOR_ME ToCc !~ /[EMAIL PROTECTED]/
>     score CF_NOT_FOR_ME 4.0
>     describe CF_NOT_FOR_ME Neither To nor Cc me
> However, the still-not-addressed user scores bug prevents me from setting the score any higher than 1 for these.
> http://bugzilla.spamassassin.org/show_bug.cgi?id=4121

Many thanks to the SpamAssassin development team for fixing bug 4121!

However, I'm still interested in knowing: is there a magic variable for my address that would allow me to set up a general site-wide rule of this type?

-- 
Vicki Brown
Journeyman Sourceror: Code, Docs, Process, Scripts Philtres
Perl, WWW, Mac OS X
http://cfcl.com/vlb
SF Bay Area, CA USA
rule for mail not to me
I can create a user rule for mail not addressed (To or Cc) to me

    header CF_NOT_FOR_ME ToCc !~ /[EMAIL PROTECTED]/
    score CF_NOT_FOR_ME 4.0
    describe CF_NOT_FOR_ME Neither To nor Cc me

However, the still-not-addressed user scores bug prevents me from setting the score any higher than 1 for these.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4121

Is there a magic variable for my address that would allow me to set up a general site-wide rule of this type?

-- 
Vicki Brown
Journeyman Sourceror: Code, Docs, Process, Scripts Philtres
Perl, WWW, Mac OS X
http://cfcl.com/vlb
SF Bay Area, CA USA
local rule, score is ignored
We allow user rules. (Please don't argue with me about this. It's a very small site and yes, we do trust our users.)

The following are in my .spamassassin/user_prefs

    header CF_SUB_UID Subject =~ /vlb|Vicki/i
    score CF_SUB_UID 4.0
    describe CF_SUB_UID Subject: contains my ID

    header CF_NOT_FOR_ME ToCc !~ /[EMAIL PROTECTED]/
    score CF_NOT_FOR_ME 3.0
    describe CF_NOT_FOR_ME Neither To nor Cc me

Here are the headers from a piece of spam

    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
    X-Spam-Level: *
    X-Spam-Status: Yes, score=5.0 required=0.5 tests=CF_NOT_FOR_ME,CF_SUB_UID,
        FORGED_RCVD_HELO autolearn=no version=3.0.2
    X-Spam-Report:
        * 1.0 CF_SUB_UID Subject: contains my ID
        * 1.0 CF_NOT_FOR_ME Neither To nor Cc me
        * 3.0 FORGED_RCVD_HELO Received: contains a forged HELO

What am I doing wrong? My tests are running. But why are my tests scoring only 1.0 and not the score I specify? Does anyone see something really lame I'm missing?

-- 
Vicki Brown
Journeyman Sourceror: SF Bay Area, CA
Scripts Philtres http://www.cfcl.com
Code, Doc, Process, QA http://cfcl.com/vlb
Perl, Unix, Mac OS X, WWW
best way to look for Bcc:d mail
I want to set up a High-scoring rule for mail that looks like this :(

    Date: Thu, 10 Feb 2005 17:53:31 +0200
    From: Morris Price [EMAIL PROTECTED]
    Subject: Is your daughter a a sick person
    To: Katydid [EMAIL PROTECTED]

I'm not in the To: list (the To: is a nonexistent address but that's beside the point here). I'm not in the Cc: list (there are no Cc's). The From is not on my whitelist. Obviously my address is buried in the Bcc:s somewhere.

I want to bump the score if neither the To: nor the Cc: field contains my address. I'm guessing I want something like this:

    header __NOT_TO_ME To !~ /[EMAIL PROTECTED]/
    header __NOT_CC_ME Cc !~ /vlb~cfcl.com/
    meta NOT_FOR_ME ( __NOT_TO_ME && __NOT_CC_ME )
    score NOT_FOR_ME 10

Or should I just try this?

    header NOT_FOR_ME ToCc !~ /([EMAIL PROTECTED]/

I can play with possibilities but I'd love a recommendation from someone who has working code!

-- 
Vicki Brown
Journeyman Sourceror: SF Bay Area, CA
Scripts Philtres http://www.cfcl.com
Code, Doc, Process, QA http://cfcl.com/vlb
Perl, Unix, Mac OS X, WWW
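One way to write the "neither To nor Cc" check from the post above, shown as an added example that is not part of the original message or of SpamAssassin's shipped rules. The address user@example.com and the LOCAL_ rule names are placeholders, and the rules are assumed to live in local.cf, or in user_prefs with allow_user_rules 1.

```conf
# Added example; user@example.com and the LOCAL_* names are placeholders.
#
# Weak form, kept as a comment for comparison: the "@" and "." are
# unescaped and nothing anchors the address, so "otheruser@example.com"
# or "user@exampleXcom" in To/Cc counts as "addressed to me" and the
# rule stays silent on that mail.
#   header LOCAL_NOT_FOR_ME  ToCc !~ /user@example.com/

# Sub-rules (the leading "__" means they carry no score of their own)
# match when the address IS present. Matching positively and negating
# in the meta rule avoids depending on how a "!~" test treats a header
# that is missing from the message, such as an absent Cc.
header   __LOCAL_TO_ME      To =~ /\buser\@example\.com\b/i
header   __LOCAL_CC_ME      Cc =~ /\buser\@example\.com\b/i

# Fire only when neither header names the address.
meta     LOCAL_NOT_FOR_ME   (!__LOCAL_TO_ME && !__LOCAL_CC_ME)
score    LOCAL_NOT_FOR_ME   3.0
describe LOCAL_NOT_FOR_ME   Neither To nor Cc contains my address
```

Running spamassassin --lint after adding the rules catches syntax errors before spamd is restarted.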
Re: Insecure dependency in eval while running setuid [DOMAIN-OK]
At 08:53 -0500 11/15/2004, Matt Kettler wrote:
> 1) are you SURE you want allow_user_rules set?

positive.

> Unless you trust all your users this can be a bit risky.

I trust all my users. Or, to put it more specifically, I trust the three or four who might bother to edit their files and the rest are all me anyway as far as that goes.

> Unless you're going to put body, rawbody, header or meta statements in user_prefs,

body and header, yep. That's precisely why I have allow_user_rules

> 2) I'd check for malformed body rules. Run spamassassin --lint to see if it can help you. Line 1669 of PerMsgStatus is where SA is executing the expressions for body rules.

Did that. I got a bunch of score for a rule that doesn't exist errors. Nothing that looked serious.

> I'd check for add-on rules that have unescaped punctuation (ie instead of \) in /etc/mail/spamassassin/*.cf and in user_prefs. Most likely it's a typo.

yeah, that's what I figured, although I haven't found it. I did toss a couple of rules. However, it's going to be a body rule that's the troublemaker.

-- 
Vicki Brown
Journeyman Sourceror: SF Bay Area, CA
Scripts Philtres http://www.cfcl.com
Code, Doc, Process, QA http://cfcl.com/vlb
Perl, Unix, Mac OS X, WWW
bayes db version 2 is not able to be used, aborting!
I have upgraded to SA 3.0.1
I read the upgrading document
I built the new SA, ran the tests, turned off the old spamd, the (old) sa-learn --rebuild
installed SA 3.0.1, ran the (new) sa-learn --sync
and got this:

    Argument RBL isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf.pm line 244.
    Argument RBL isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf.pm line 244.
    Argument RBL isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf.pm line 244.
    Argument RBL isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf.pm line 244.
    bayes: bayes db version 2 is not able to be used, aborting! at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/DBM.pm line 160.

sa-learn --dump -D said

    ...
    debug: bayes: found bayes db version 2
    bayes: bayes db version 2 is not able to be used, aborting! at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/DBM.pm line 160.
    ERROR: Bayes dump returned an error, please re-run with -D for more information

Um... what's bayes db version 2, why do I have it, how do I fix it? what happened?

-- 
Vicki Brown
Journeyman Sourceror: SF Bay Area, CA
Scripts Philtres http://www.cfcl.com
Code, Doc, Process, QA http://cfcl.com/vlb
Perl, Unix, Mac OS X, WWW
Message is checked but not marked
I have upgraded to SA 3.0.1

spamd is running as
    spamd -d -c
/etc/mail/spamassassin/local.cf contains
    allow_user_rules 1
my user prefs file contains
    use_terse_report 1
    ok_languages en
    report_safe 0

According to my Procmail log, the message in question went through SA.

    procmail: Executing /usr/local/bin/spamc,-s,256000,-t,60
    procmail: [14951] Sat Nov 13 00:55:49 2004

Yet it has no headers added. I read perldoc Mail::SpamAssassin::Conf

I am not actively removing headers. I should see X-Spam-Level, X-Spam-Status and X-Spam-Checker-Version yet I do not.

Can someone suggest what I might be doing wrong or where to look?

    Received: from 24.221.172.174 ([61.109.80.34])
        by cfcl.com (8.12.6/8.12.6) with SMTP id iAD8safC014888;
        Sat, 13 Nov 2004 00:54:43 -0800 (PST)
        (envelope-from [EMAIL PROTECTED])
    From: Wilfred Oneill [EMAIL PROTECTED]
    Reply-To: Wilfred Oneill [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Re: Fioricet, Soma, Buspar, Prozac, and more Prescribed Online and Shipped to Your Door [NoSpam-OK]
    Message-ID: [EMAIL PROTECTED]
    Date: Sat, 13 Nov 2004 12:39:33 +0400
    MIME-Version: 1.0
    Content-Type: multipart/related; boundary=--279549920567187
    X-UIDL: OD8!/Hn!I1f!c4~!

    x-html!x-stuff-for-pete base= src= id=1 charset=/macintoshhtml body p align=leftfont size=2 face=Geneva, Arial, Helvetica, sans-serifstrongDO NOT MISS YOUR OPPORTUNITY TO BUY THE MEDICATIONS FOR THE CHEAPEST PRICES!!!/strong/font/p

-- 
Vicki Brown
Journeyman Sourceror: SF Bay Area, CA
Scripts Philtres http://www.cfcl.com
Code, Doc, Process, QA http://cfcl.com/vlb
Perl, Unix, Mac OS X, WWW
Insecure dependency in eval while running setuid
I'm getting this error in the spamd logfile:

    2004-11-13 17:32:05 [54661] i: processing message 3698158.1100366389516.JavaMai [EMAIL PROTECTED] for vlb:1001.
    2004-11-13 17:32:05 [54661] i: error: Insecure dependency in eval while running setuid at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 1669, GEN12 line 37._ No such file or directory, continuing

I have upgraded to SA 3.0.1

spamd is running as
    spamd -d -c
/etc/mail/spamassassin/local.cf contains
    allow_user_rules 1
my user prefs file contains
    use_terse_report 1
    ok_languages en
    report_safe 0

what problems should I be looking for?

-- 
Vicki Brown
Journeyman Sourceror: SF Bay Area, CA
Scripts Philtres http://www.cfcl.com
Code, Doc, Process, QA http://cfcl.com/vlb
Perl, Unix, Mac OS X, WWW
body_test redefined at /usr/local/share/spamassassin/20_phrases.cf
I'm getting this error in the spamd logfile:

    2004-11-13 18:33:43 [54661] i: Subroutine COPY_ACCURATELY_body_test redefined at /usr/local/share/spamassassin/20_phrases.cf, rule COPY_ACCURATELY, line 10, GE N41 line 85.

I have upgraded to SA 3.0.1

spamd is running as
    spamd -d -c
/etc/mail/spamassassin/local.cf contains
    allow_user_rules 1
my user prefs file contains
    use_terse_report 1
    ok_languages en
    report_safe 0

what problems should I be looking for?

-- 
Vicki Brown
Journeyman Sourceror: SF Bay Area, CA
Scripts Philtres http://www.cfcl.com
Code, Doc, Process, QA http://cfcl.com/vlb
Perl, Unix, Mac OS X, WWW