Re: unblacklist_from_rcvd

2010-09-08 Thread William Taylor

On Sep 7, 2010, at 6:36 PM, Matt Kettler wrote:

> On 9/7/2010 7:11 PM, William Taylor wrote:
>> I want to be able to only allow a certain email to be sent from one of 
>> several hosts.
>> 
>> Currently I'm doing something like:
>> 
>> blacklist_from   sa...@foo.com
>> whitelist_from_rcvd sa...@foo.com mail.foo.com
>> whitelist_from_rcvd sa...@foo.com sales.foo.com
>> 
>> This doesn't really do what I want because the blacklist and whitelist 
>> scores cancel each other out.
>> 
>> I saw talk in the past (2002?) about adding an unblacklist_from_rcvd
>> 
>> what I really want is a
>> blacklist_from sa...@foo.com
>> unblacklist_from_rcvd sa...@foo.com mail.foo.com
>> 
>> OR
>> 
>> only_allow_from_rcvd sa...@foo.com mail.foo.com
>> 
>> 
>> What are my options to accomplish this?
> SA does not have any support for this.
> 
> The unblacklist commands do exist, but will only remove an entry that they 
> match *EXACTLY*. Their function is implemented as "if this is found, delete 
> it", and are intended to allow a user_prefs to completely delete site-wide 
> white/blacklist entries. They cannot be used to create a blacklist with 
> "holes" in it.
> 
> You can negate a blacklist with a whitelist, but the scores simply offset, as 
> you've seen.
> 
> It is possible to change the scores of the whitelist rule, to make it larger 
> in magnitude than the blacklist rule, and thus keep some negative score,
> i.e. adding this to your local.cf:
> 
> score USER_IN_WHITELIST -120.000
> 
> Would cause any white/black overlap to result in a -20 score. However, any 
> whitelists without overlap would now get -120 instead of -100... That may or 
> may not be an issue for you, but it is one approach to the problem you have.
> 
> 
> see also man Mail::SpamAssassin::Conf:
> 
>     unwhitelist_from_rcvd a...@ress.com
>         Used to override a default whitelist_from_rcvd entry, so for example
>         a distribution whitelist_from_rcvd can be overridden in a local.cf
>         file, or an individual user can override a whitelist_from_rcvd entry
>         in their own "user_prefs" file.
> 
>         The specified email address has to match exactly the address
>         previously used in a whitelist_from_rcvd line.
> 

Yes, I already looked at the docs && code and saw how they match.
I figured a "black list address if not received through this host" feature 
would be a pretty desirable feature for folks, especially larger companies with 
large user bases that have addresses like sales/support etc.

I guess I could hack something in but figured I would ask first to make sure 
the code didn't exist out there somewhere first.
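
The "blacklist this address unless it arrived through one of these hosts" behaviour asked for above can be approximated with a meta rule instead of offsetting blacklist and whitelist scores; this is an added example, not configuration posted in the thread. Assumptions: the rule names are hypothetical, `LOCALPART` stands for the elided local part of the address, the listed hosts sit outside your trusted network, and the 100-point score mirrors the blacklist weight implied by the scores quoted above.

```conf
# local.cf: added example; rule names are hypothetical.
# Remove the blacklist_from / whitelist_from_rcvd lines for this address
# first, so their scores no longer offset each other.

# Sender address in the From: header. LOCALPART is a placeholder for the
# local part that is elided in the thread.
header   __LOCAL_FROM_GUARDED   From:addr =~ /^LOCALPART\@foo\.com$/i

# Reverse DNS of the relay that handed the message to the trusted network:
# the first entry of the X-Spam-Relays-Untrusted pseudo-header. The rDNS
# must be mail.foo.com, sales.foo.com, or a host below one of them.
header   __LOCAL_RCVD_ALLOWED   X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?:\S+\.)?(?:mail|sales)\.foo\.com /i

# Fires only when the guarded address arrives from any other relay.
meta     LOCAL_FROM_WRONG_RELAY (__LOCAL_FROM_GUARDED && !__LOCAL_RCVD_ALLOWED)
describe LOCAL_FROM_WRONG_RELAY Guarded sender address received from an unlisted relay
score    LOCAL_FROM_WRONG_RELAY 100.0
```

`spamassassin --lint` checks the syntax, and running a sample message through `spamassassin -D` shows the relay list the second rule is matched against.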




unblacklist_from_rcvd

2010-09-07 Thread William Taylor
I want to be able to only allow a certain email to be sent from one of several 
hosts.

Currently I'm doing something like:

blacklist_from  sa...@foo.com
whitelist_from_rcvd sa...@foo.com mail.foo.com
whitelist_from_rcvd sa...@foo.com sales.foo.com

This doesn't really do what I want because the blacklist and whitelist scores 
cancel each other out.

I saw talk in the past (2002?) about adding an unblacklist_from_rcvd

what I really want is a
blacklist_from sa...@foo.com
unblacklist_from_rcvd sa...@foo.com mail.foo.com

OR

only_allow_from_rcvd sa...@foo.com mail.foo.com


What are my options to accomplish this?

Thanks,
  William

Web Proxy RBL ?

2009-12-29 Thread William Taylor
Looking for an RBL or something to determine if a given IP is coming from a web 
proxy.
Trying to cut down on spam coming from exploited users' sites.
Would like to do some logging and see if this helps.

Thanks,
  William

Re: is Pyzor worth it?

2008-10-13 Thread William Taylor
On Mon, Oct 13, 2008 at 08:44:08AM -0700, Bill Landry wrote:
> Here are some stats for this past weekend comparing Pyzor to other hash
> tests:
> 
>  36 CTYME_IXHASH
>  38 HOSTEUROPE_IXHASH
>  92 GENERIC_IXHASH
> 129 NIXSPAM_IXHASH
> 218 RAZOR2_CF_RANGE_E4_51_100
> 256 PYZOR_CHECK
> 388 RAZOR2_CF_RANGE_E8_51_100
> 411 RAZOR2_CF_RANGE_51_100
> 418 RAZOR2_CHECK
> 426 DCC_CHECK
> 
> The only downside to Pyzor is that it requires python rather than perl.
>  Otherwise, it certainly helps here.
> 
> Bill
Thanks Bill



is Pyzor worth it?

2008-10-13 Thread William Taylor
Is Pyzor worth running these days?
Is it still effective?
Can anyone using it comment on it?


Thanks,
 William


Re: whitelist_from_rcvd propagating between users

2008-10-09 Thread William Taylor
On Thu, Oct 09, 2008 at 06:31:03PM +0200, Karsten Bräckelmann wrote:
> However, given that other user settings actually do work, this might
> even be isolated to some particular code, rather than a widespread oops.
> 
I could be wrong but it seems to only be happening with the whitelist_from_rcvd bit.



Re: whitelist_from_rcvd propagating between users

2008-10-09 Thread William Taylor
On Thu, Oct 09, 2008 at 06:16:30PM +0200, Karsten Bräckelmann wrote:
> William, please search bugzilla for duplicates first. If you're positive
> this issue hasn't been reported before, please feel free to file a new
> bug, adding as much details as possible.  Thanks.
> 
I did search and could only find #4179 but didn't really want to open another
bug because this appears to be the same thing.



Re: whitelist_from_rcvd propagating between users

2008-10-09 Thread William Taylor
On Thu, Oct 09, 2008 at 05:53:30PM +0200, Karsten Bräckelmann wrote:
> To be a little more helpful and less snippy -- if you want more detailed
> answers, and check if it might be a different bug than the one
> mentioned, telling us about your SA version would be a smart first
> move...
> 

I wasn't being snippy. I replied with more information to Daryl's post but I must
have sent it directly to him instead of the list. I don't have the exact reply
handy but I am running SpamAssassin 3.2.5 (2008-06-10).
The bug does seem to be very similar to bug #4179.

So maybe the bug still exists under different circumstances?



Re: whitelist_from_rcvd propagating between users

2008-10-09 Thread William Taylor
On Mon, Oct 06, 2008 at 11:30:11AM -0700, William Taylor wrote:
> It would seem the whitelist_from_rcvd is incorrectly propagating to the wrong 
> users in the same thread.
> For example usera has "whitelist_from_rcvd *.sonic.net sonic.net" setup. If 
> userb gets sent mail that is processed by that same thread it will pick up the
> whitelist_from_rcvd from usera.
> 
> Any ideas where I can look for answers on this to track it down?

I haven't heard any other responses on this. Should I file an official bug report?




Re: dnsbl lookups for X-PHP-Script

2008-10-06 Thread William Taylor
On Mon, Oct 06, 2008 at 08:55:29PM +0300, Henrik K wrote:
> X-PHP-Script doesn't seem to be very widely patched - or PHP isn't abused
> that much, which is nice. I grepped 3 weeks worth of spam quarantine, 17335
> messages. 46 contained it. 28 unique IPs, out of which 8 were on sbl-xbl and
> one or two on some other big lists. Doesn't seem very effective here.
> 
> Now, if you want to try it in SA, the easiest way is to just edit DNSEval.pm
> and search X-Originating-IP inside it. Add X-PHP-Script to that array.
> 

I wish php wasn't abused so much lol.
I thought they were going to make X-PHP-Script standard in php.. I could be wrong.
In a future release of SA you will be able to define additional headers in your conf file.



whitelist_from_rcvd propagating between users

2008-10-06 Thread William Taylor
It would seem the whitelist_from_rcvd is incorrectly propagating to the wrong 
users in the same thread.
For example usera has "whitelist_from_rcvd *.sonic.net sonic.net" setup. If 
userb gets sent mail that is processed by that same thread it will pick up the
whitelist_from_rcvd from usera.

Any ideas where I can look for answers on this to track it down?

Thanks,
  William



Re: ocr plugin

2008-05-02 Thread William Taylor
On Fri, May 02, 2008 at 06:06:05PM +0300, Henrik K wrote:
> On Fri, May 02, 2008 at 03:38:41PM +0200, polloxx wrote:
> > Hi,
> > 
> > Am I right to say that picture spam has dropped dramatically since the
> > last months?
> 
> Has there been any in a year? That's when I dropped using it.
> 

It's probably not worth the resources running it right now. I only get a few 
that trickle in here and there.
Others' mileage may vary though.


Re: ocr plugin

2008-05-02 Thread William Taylor
We are using the SVN version of FuzzyOCR. It seems to be working fine.

-William

On Fri, May 02, 2008 at 03:38:41PM +0200, polloxx wrote:
> Hi,
> 
> Am I right to say that picture spam has dropped dramatically since the
> last months?
> Is it still reasonable to run an ocr plugin? I see the latest FuzzyOCR
> version is not SA 3.2.x compatible. Are there more recent products compatible
> with 3.2.x?
> Are you guys still running an ocr plugin on production servers?
> 
> Thanks for your answers,
> P.
> 


Tests Question

2008-04-25 Thread William Taylor
I recently started receiving complaints from some users about spam getting through.
Upon looking at these messages they are scoring 0.0 from spamassassin.
Not sure if something is jacked with my setup but running manually I see:

[20309] dbg: check: tests=
[20309] dbg: check: subtests=__CT,__CTE,__CTYPE_CHARSET_QUOTED,__CT_TEXT_PLAIN,__DOS_HAS_ANY_URI,__DOS_RCVD_WED,__DOS_RELAYED_EXT,__ENV_AND_HDR_FROM_MATCH,__FROM_HOTMAIL_COM,__HAS_ANY_URI,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HOST_HOTMAIL,__JM_REACTOR_DATE,__LAST_UNTRUSTED_RELAY_NO_AUTH,__MIME_VERSION,__MISSING_REF,__MSGID_OK_HOST,__NONEMPTY_BODY,__RATWARE_0_TZ_DATE,__RCVD_IN_DNSWL,__RCVD_IN_SORBS,__RCVD_IN_ZEN,__SANE_MSGID,__TOCC_EXISTS,__TVD_BODY,__TVD_MIME_ATT_TP


So it isn't scoring anything for actual tests? What exactly are the subtests?
Are those showing positive/negative hits?
I have verified manually that the IP being scanned is listed in zen.spamhaus: 122.156.133.252
I can attach a copy of the message if needed.


Thanks,
 William


Re: Errors from spamassassin -r

2008-04-24 Thread William Taylor
On Tue, Apr 22, 2008 at 06:17:54AM -0700, William Taylor wrote:
> I'm still seeing this message if I have bayes disabled. Any ideas?
> 
> [EMAIL PROTECTED] williamt]# formail -s spamassassin  -r < ./Missed-Spam
> 1 message(s) examined.
> Can't call method "learn" on an undefined value at
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgLearner.pm line
> 109.
> 1 message(s) examined.
> 
> 

Am I really just totally brain dead here? This should work w/ bayes turned off, correct?
It still should report to spamcop, razor, etc...

Thanks,
 William



Errors from spamassassin -r

2008-04-22 Thread William Taylor
I'm still seeing this message if I have bayes disabled. Any ideas?

[EMAIL PROTECTED] williamt]# formail -s spamassassin  -r < ./Missed-Spam
1 message(s) examined.
Can't call method "learn" on an undefined value at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgLearner.pm line
109.
1 message(s) examined.




Dnsbl checks

2008-04-21 Thread William Taylor
I'm having some issues getting the dns blacklists to work on a box.
I have an IP in an email that I have verified manually that it's listed in 
spamcop via DNS query and via the webpage. However when I run the message 
through spamassassin it doesn't produce a hit. When run with -D I see it 
queries all the blacklists but I never see anything indicating that it matched 
them.

Any thoughts on things I can check on to figure this out? 
DCC, Razor, Pyzor work fine.

Thanks,
 William
-- 
William Taylor - [EMAIL PROTECTED]   Sonic.net
System Administrator   2260 Apollo Way
707.522.1000 (Voice)   Santa Rosa, CA 95407
707.547.2199 (Fax) http://www.sonic.net


Error using -r

2008-04-20 Thread William Taylor
Getting this error when running spamassassin -r < ./MYSPAM
I have bayes disabled so it shouldn't even be running this I think.
If I enable bayes it doesn't do this.
Plus the last version I was running didn't do this; I think it was
3.1.9, whatever is in the default CentOS tree.

Running version 3.2.4

Can't call method "learn" on an undefined value at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgLearner.pm line
109.
Offending Line:
  # to forget it's training.
  $self->{learned} = $self->{bayes_scanner}->learn (1, $self->{msg}, $id);

Thanks,
 William



Re: Extend DNSEval.pm?

2008-04-18 Thread William Taylor
On Fri, Apr 18, 2008 at 06:22:58PM +0100, Justin Mason wrote:
> 
> William Taylor writes:
> > Is there any way to extend this in DNSEval.pm locally without patching? 
> > Maybe with a plugin or something?
> > 
> >   my @originating = ();
> >   for my $header ('X-Originating-IP', 'X-Apparently-From') {
> >     my $str = $pms->get($header);
> >     next unless $str;
> >     push (@originating, ($str =~ m/($IP_ADDRESS)/g));
> >   }
> > 
> > I want to add a few headers here but I didn't want to have to patch on each 
> > upgrade.
> 
> hi William --
> 
> meant to reply to your private mail, but list mail is better ;) The best
> bet to get it into the mainline is to add a configuration setting to
> Conf.pm, specifying the names of additional headers to look up.
> 
> Failing that, why not add your additional headers using
> "X-Originating-IP" in the first place? ;)
> 
> --j.
> 

No worries Justin.. Thought about the list today lol

Isn't Conf.pm overwritten when upgrading? 
Can you give me an example of what I would put in there or point me in the 
right direction? 

We need custom ones for internal reasons.

Thanks,
 William



Extend DNSEval.pm?

2008-04-18 Thread William Taylor
Is there any way to extend this in DNSEval.pm locally without patching? Maybe 
with a plugin or something?

  my @originating = ();
  for my $header ('X-Originating-IP', 'X-Apparently-From') {
    my $str = $pms->get($header);
    next unless $str;
    push (@originating, ($str =~ m/($IP_ADDRESS)/g));
  }

I want to add a few headers here but I didn't want to have to patch on each 
upgrade.

Thanks,
 William