Re: spamd fails to remove bayes.lock file

2018-10-24 Thread Motty Cruz

Have you checked permissions on './spamassassin'?

I had a similar issue in the past!

Thanks,
Motty


On 10/24/18 8:10 AM, John Hardin wrote:

On Wed, 24 Oct 2018, Emanuel Gonzalez wrote:


Hello.!!

I have a problem with the `/.spamassassin/bayes.lock`

This is the error I'm seeing :

   Oct 23 15:12:14 server spamd[18073]: bayes: cannot open bayes databases /.spamassassin/bayes_* R/W: lock failed: File exists
   Oct 23 15:12:14 server spamd[18157]: bayes: cannot open bayes databases /.spamassassin/bayes_* R/W: lock failed: File exists
   Oct 23 15:12:14 server spamd[18107]: bayes: cannot open bayes databases /.spamassassin/bayes_* R/W: lock failed: File exists


The command `spamassassin -V` is showing :

   SpamAssassin version 3.4.1
   running on Perl version 5.10.1

   bayes_expiry_max_db_size 15
   bayes_learn_to_journal 1
   bayes_auto_learn 0


128K    bayes_journal
547M    bayes_seen
4,0M    bayes_toks


   # spamassassin

   SPAMDOPTIONS="-u nobody -H --round-robin --min-children=30 --max-children=190 --min-spare=5 --max-spare=80 --timeout-child=120 --max-conn-per-child=100 -i -A IP"

   # directory perms

Also the command `ll -d /.spamassassin` is showing :

   drwxrwxrwx 3 nobody nobody 4096 oct 23 15:16 /.spamassassin

I restart the service and it works, but the problem reappears again

Do you have any idea how to solve it?



As was suggested earlier, disable auto-expiry and run a cron job to 
expire Bayes tokens.







Re: low score on very spammy email

2018-04-11 Thread Motty Cruz

Thank you all for your help, suggestions.

per your suggestions MTA and SA tweaked and already seen a huge difference.

Thanks again!

On 04/11/2018 09:14 AM, Matus UHLAR - fantomas wrote:

On 04/10/2018 03:49 PM, Motty Cruz wrote:

I apologize here is the email headers and body

https://pastebin.com/bgXrfKaQ


On 10.04.18 16:28, David Jones wrote:

Content analysis details:   (16.0 points, 5.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------------
 4.2 RCVD_IN_IVMBL_LASTEXTERNAL RBL: No description available.
                                [178.62.193.238 listed in sip.invaluement.com]
 5.2 BAYES_99                   BODY: Bayes spam probability is 99 to 100%
                                [score: 0.9996]
 3.2 BAYES_999                  BODY: Bayes spam probability is 99.9 to 100%
                                [score: 0.9996]
 1.2 ENA_RELAY_IN               Relayed through India
 0.0 MISSING_MIME_HB_SEP        BODY: Missing blank line between MIME header and
                                body
 2.2 ENA_RELAY_NOT_US           Relayed from outside the US and not on whitelists
 0.0 ENA_BAD_SPAM               Spam hitting really bad rules.


Since most of those rules are 3rd party and others have tuned scores, it's
quite expected that the mail scored 3.5.

(BAYES_999 was apparently not hit, it would score 3.7 then).

we sometimes must accept that a FP appears.
otherwise, there would be no spam and no discussion here :-)





Re: low score on very spammy email

2018-04-10 Thread Motty Cruz
Thank you very much for your suggestions David. MTA is configured to use 
RBLs,


reject_rbl_client b.barracudacentral.org

worked really well for me at one point. Also,

 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client cbl.abuseat.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client multi.uribl.com,
 reject_rbl_client rabl.nuclearelephant.com,


On 04/10/2018 03:14 PM, David Jones wrote:

On 04/10/2018 05:04 PM, Leandro wrote:
2018-04-10 18:52 GMT-03:00 David Jones <djo...@ena.com>:


    On 04/10/2018 04:47 PM, Leandro wrote:

    2018-04-10 17:49 GMT-03:00 Motty Cruz <motty.c...@gmail.com>:

     I apologize here is the email headers and body

    https://pastebin.com/bgXrfKaQ



    You should not take this domain mrface.com seriously because it is a
    TLD used for free dynamic IP service (changeip.com).

    There is even a fake Windows Update domain in this TLD:

    ubuntu@matrix:~$ dig +short A windowsupdate.mrface.com
    185.133.40.63




     Thanks,



    I noticed it was listed on the DBL dnsbl.spfbl.net and was just
    working to add that to my local rules.  Anyone know how to set this
    DBL up in SA?  I am trying to find an example in the stock SA rules
    now...



Yes. We list any IP using any free dynamic TLD.

A legit mail server never uses crap, or shouldn't use.

Documentation to set this DNSBL at SA:

https://spfbl.net/en/dnsbl/


    --     David Jones




I found an example in KAM.cf:

[root@server spamassassin]# pwd
/etc/mail/spamassassin
[root@server spamassassin]# cat 99_spfbl.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header    __RCVD_IN_SPFBL    eval:check_rbl('spfbl', 'dnsbl.spfbl.net')
tflags    __RCVD_IN_SPFBL    net

header    __RCVD_IN_SPFBL_3    eval:check_rbl_sub('spfbl', '127.0.0.3')

meta    RCVD_IN_SPFBL    __RCVD_IN_SPFBL_3 && !RCVD_IN_SPFBL_LASTEXT
describe    RCVD_IN_SPFBL    Received is listed in SPFBL.net RBL
score    RCVD_IN_SPFBL    1.2
tflags    RCVD_IN_SPFBL    net

header    RCVD_IN_SPFBL_LASTEXT    eval:check_rbl('spfbl-lastexternal', 'dnsbl.spfbl.net')
describe    RCVD_IN_SPFBL_LASTEXT    Last external is listed in SPFBL.net RBL
score    RCVD_IN_SPFBL_LASTEXT    2.2
tflags    RCVD_IN_SPFBL_LASTEXT    net

endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS

askdns    SENDER_IN_SPFBL    _SENDERDOMAIN_.dnsbl.spfbl.net A /^127\.0\.0\.3$/

tflags    SENDER_IN_SPFBL    nice net
describe    SENDER_IN_SPFBL    Sending domain listed in SPFBL.net DBL
score    SENDER_IN_SPFBL    2.2

endif
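
How the 99_spfbl.cf rules above turn DNS answers into rule hits, as an added example that is not part of the original message and not SpamAssassin's own code. The DNS answers are constructed for illustration (no live lookup is made), `sender.example` is a placeholder domain, and skipping private relay addresses is a simplification of SpamAssassin's relay handling.

```python
import ipaddress

ZONE = "dnsbl.spfbl.net"   # zone named in the rules quoted above
SCORES = {                 # scores copied from the quoted rule file
    "RCVD_IN_SPFBL": 1.2,
    "RCVD_IN_SPFBL_LASTEXT": 2.2,
    "SENDER_IN_SPFBL": 2.2,
}


def rbl_query_name(ip, zone=ZONE):
    """IP list lookup: reverse the IPv4 octets and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch only handles IPv4 relays")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dbl_query_name(domain, zone=ZONE):
    """Domain list lookup (the askdns rule): domain followed by the zone."""
    return domain.strip(".").lower() + "." + zone


def evaluate(relay_ips, last_external_ip, sender_domain, resolve):
    """Return (rule names hit, total score) for one message.

    resolve(name) returns the A record as a string, or None when the
    name does not exist (not listed).
    """
    def listed_as(ip):
        # Loopback and private relays are never sent to a public list.
        if ipaddress.ip_address(ip).is_private:
            return None
        return resolve(rbl_query_name(ip))

    # __RCVD_IN_SPFBL_3: some relay returned exactly 127.0.0.3
    sub_3 = any(listed_as(ip) == "127.0.0.3" for ip in relay_ips)
    # RCVD_IN_SPFBL_LASTEXT: the last external relay is listed at all
    lastext = listed_as(last_external_ip) is not None

    hits = []
    if lastext:
        hits.append("RCVD_IN_SPFBL_LASTEXT")
    # meta: __RCVD_IN_SPFBL_3 && !RCVD_IN_SPFBL_LASTEXT, so the same
    # listing is not scored twice.
    if sub_3 and not lastext:
        hits.append("RCVD_IN_SPFBL")
    # askdns SENDER_IN_SPFBL: A record must match /^127\.0\.0\.3$/
    if resolve(dbl_query_name(sender_domain)) == "127.0.0.3":
        hits.append("SENDER_IN_SPFBL")
    return hits, round(sum(SCORES[h] for h in hits), 3)


# Constructed answers standing in for DNS; not real lookup results.
CONSTRUCTED_ANSWERS = {
    "238.193.62.178.dnsbl.spfbl.net": "127.0.0.3",
    "sender.example.dnsbl.spfbl.net": "127.0.0.3",
}


def demo():
    # Relay chain shaped like the Received: headers in this thread.
    return evaluate(
        relay_ips=["127.0.0.1", "178.62.193.238"],
        last_external_ip="178.62.193.238",
        sender_domain="sender.example",
        resolve=CONSTRUCTED_ANSWERS.get,
    )


if __name__ == "__main__":
    print(demo())
```
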





Re: low score on very spammy email

2018-04-10 Thread Motty Cruz

I apologize here is the email headers and body

https://pastebin.com/bgXrfKaQ

Thanks,


On 04/10/2018 01:40 PM, David Jones wrote:

On 04/10/2018 03:34 PM, Motty Cruz wrote:

Thanks for your help David,

https://pastebin.com/wsYRfM8K


That email is missing a lot of headers that are critical.  Please post 
the entire email including the Received: headers.




-Motty


On 04/10/2018 01:22 PM, David Jones wrote:

On 04/10/2018 03:05 PM, Motty Cruz wrote:

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt



The Bayes setup looks good.  Can you put a lightly redacted version 
of that email on pastebin.com so we can run it through our SA instances?


Amavis should have blocked that message based on the score being 
3.501 and the kill threshold being 3.1.  This sounds like an amavis 
config issue.


Please post the output of 'grep 723EC1A1706 maillog' to get the full 
message conversation from Postfix.



Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=<emily.thomp...@spontaneous-search-level.com>, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] <emily.thomp...@spontaneous-search-level.com> -> <iu...@domainfq.com>, Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms

root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get 
low score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <emily.thomp...@spontaneous-search-level.com>
X-Envelope-To: <iu...@domainfq.com>
X-Envelope-To-Blocked: <iu...@domainfq.com>
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
 tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
 by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id G71jMeOxz-Ha for <iu...@domainfq.com>;
 Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Need more info:

- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user
















Re: low score on very spammy email

2018-04-10 Thread Motty Cruz

Thanks for your help David,

https://pastebin.com/wsYRfM8K

-Motty


On 04/10/2018 01:22 PM, David Jones wrote:

On 04/10/2018 03:05 PM, Motty Cruz wrote:

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt



The Bayes setup looks good.  Can you put a lightly redacted version of 
that email on pastebin.com so we can run it through our SA instances?


Amavis should have blocked that message based on the score being 3.501 
and the kill threshold being 3.1.  This sounds like an amavis config 
issue.


Please post the output of 'grep 723EC1A1706 maillog' to get the full 
message conversation from Postfix.



Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=<emily.thomp...@spontaneous-search-level.com>, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] <emily.thomp...@spontaneous-search-level.com> -> <iu...@domainfq.com>, Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms

root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get 
low score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <emily.thomp...@spontaneous-search-level.com>
X-Envelope-To: <iu...@domainfq.com>
X-Envelope-To-Blocked: <iu...@domainfq.com>
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
 tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
 by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id G71jMeOxz-Ha for <iu...@domainfq.com>;
 Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Need more info:

- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user











Re: low score on very spammy email

2018-04-10 Thread Motty Cruz
Thanks for your help! I'm trying to figure out why this email "get very 
low" score. Yes, Amavisd didn't stop it. I understand that, it is not 
part of the question here.


I fed a lot of similar emails "learn spam" and still get very low score. 
I too thought it was permissions issues.



On 04/10/2018 01:12 PM, Reindl Harald wrote:

this is *amavis* not spamassassin

X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
3.501 is clearly above kill=3.1

Delivered-To: spam-quarantine

so it *does not* get very low score, ask amavis folks, spamassassin is
only one piece of your setup

On 10.04.2018 at 22:05, Motty Cruz wrote:

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt

Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=<emily.thomp...@spontaneous-search-level.com>, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] <emily.thomp...@spontaneous-search-level.com> -> <iu...@domainfq.com>, Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms
root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:

tons of spam fed to my spam-filter and yet very spammy emails get low
score.

zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <emily.thomp...@spontaneous-search-level.com>
X-Envelope-To: <iu...@domainfq.com>
X-Envelope-To-Blocked: <iu...@domainfq.com>
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
  tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
  by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id G71jMeOxz-Ha for <iu...@domainfq.com>;
  Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
  (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
  (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0




Need more info:

- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i
bayes' run as the amavis user
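
The mismatch pointed out in this message (amavis logs "Passed CLEAN" with Hits: 3.501 while the quarantined copy carries kill=3.1) can be checked mechanically; the following is an added example, not part of the original thread and not amavis or SpamAssassin code. The sample inputs are constructed in the shape of the log line and header quoted above with placeholder addresses, the finding names are hypothetical labels, and pairing a log line with its header by hand is an assumption of the sketch.

```python
import re

NUM = r"-?\d+(?:\.\d+)?"

# amavis summary line: action, content category, mail_id and Hits.
LOG_RE = re.compile(
    r"amavis\[\d+\]: \([\w-]+\) (?P<action>Passed|Blocked) "
    r"(?P<category>[A-Z-]+).*?mail_id: (?P<mail_id>[^,\s]+), "
    r"Hits: (?P<hits>-|" + NUM + r")"
)


def parse_amavis_line(line):
    """Return action/category/mail_id/hits, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # amavis writes "Hits: -" when no spam score was computed.
    hits = None if m["hits"] == "-" else float(m["hits"])
    return {"action": m["action"], "category": m["category"],
            "mail_id": m["mail_id"], "hits": hits}


def parse_spam_status(value):
    """Parse an X-Spam-Status value (amavis or plain SpamAssassin style)."""
    flat = re.sub(r"\s*\n\s+", " ", value.strip())   # unfold continuations
    tests_m = re.search(r"tests=\[([^\]]*)\]", flat)
    head = flat[:tests_m.start()] if tests_m else flat
    pair = re.compile(r"(\w+)=(" + NUM + r")")
    fields = {k: float(v) for k, v in pair.findall(head)}
    tests = {}
    if tests_m:
        tests = {k: float(v) for k, v in pair.findall(tests_m.group(1))}
    # amavis writes kill=, SpamAssassin itself writes required=.
    threshold = fields.get("kill", fields.get("required"))
    return {"is_spam": flat.lower().startswith("yes"),
            "score": fields.get("score"), "threshold": threshold,
            "tests": tests}


def audit(log_line, status_header, dominance=0.9):
    """Return findings for one message's log line and header."""
    findings = []
    log = parse_amavis_line(log_line)
    st = parse_spam_status(status_header)
    if log and log["hits"] is not None and st["threshold"] is not None:
        if (log["action"] == "Passed" and log["category"] == "CLEAN"
                and log["hits"] >= st["threshold"]):
            findings.append("PASSED_CLEAN_ABOVE_THRESHOLD")
    if st["score"] is not None:
        if abs(sum(st["tests"].values()) - st["score"]) > 0.005:
            findings.append("TESTS_DO_NOT_SUM_TO_SCORE")
    # One rule supplying nearly all positive points means the verdict
    # depends on that rule's score alone.
    positive = {k: v for k, v in st["tests"].items() if v > 0}
    total = sum(positive.values())
    if total > 0:
        top = max(positive, key=positive.get)
        if positive[top] / total >= dominance:
            findings.append("SINGLE_RULE_CARRIES_SCORE:" + top)
    return findings


# Constructed samples (addresses and Message-ID are placeholders).
SAMPLE_LOG = (
    "Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN "
    "{RelayedInbound}, [127.0.0.1] [171.61.147.96] <sender@example.com> -> "
    "<rcpt@example.org>, Message-ID: <abc@example.com>, "
    "mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms"
)
SAMPLE_STATUS = (
    "Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1\n"
    " tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled"
)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_STATUS))
```
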




Re: low score on very spammy email

2018-04-10 Thread Motty Cruz

Thanks for your prompt reply:

https://pastebin.com/bLy3Jcqt

Apr 10 11:51:44 vm1 postfix/qmgr[791]: 723EC1A1706: from=<emily.thomp...@spontaneous-search-level.com>, size=16883, nrcpt=1 (queue active)
Apr 10 11:51:46 vm1 amavis[1395]: (01395-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] [171.61.147.96] <emily.thomp...@spontaneous-search-level.com> -> <iu...@domainfq.com>, Message-ID: <1747601d3d0fc$dc189190$9449b4b0$@spontaneous-search-level.com>, mail_id: G71jMeOxz-Ha, Hits: 3.501, size: 16883, 1972 ms

root@vm1


On 04/10/2018 12:34 PM, David Jones wrote:

On 04/10/2018 02:13 PM, Motty Cruz wrote:
tons of spam fed to my spam-filter and yet very spammy emails get low 
score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <emily.thomp...@spontaneous-search-level.com>
X-Envelope-To: <iu...@domainfq.com>
X-Envelope-To-Blocked: <iu...@domainfq.com>
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
 tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
 by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id G71jMeOxz-Ha for <iu...@domainfq.com>;
 Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Need more info:

- example email in pastebin.com only lightly redacted
- mail log output from this message
- output of the bayes DB: 'sa-learn --dump magic' run as amavis user
- output of this command: 'spamassassin -D --lint 2>&1 | /bin/grep -i bayes' run as the amavis user






low score on very spammy email

2018-04-10 Thread Motty Cruz
tons of spam fed to my spam-filter and yet very spammy emails get low 
score.


zcat /var/virusmails/spam-G71jMeOxz-Ha.gz | less
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: 
X-Envelope-To: 
X-Envelope-To-Blocked: 
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.501 tag=-999.9 tag2=3.1 kill=3.1
    tests=[BAYES_99=3.5, HTML_MESSAGE=0.001] autolearn=disabled
Received: from vm1.domainfq.com ([127.0.0.1])
    by vm1 (vm1.domainfq.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id G71jMeOxz-Ha for ;
    Tue, 10 Apr 2018 11:51:44 -0700 (PDT)
Received: from pba.mrc.mrface.com (pba.mrc.mrface.com [178.62.193.238])
    (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)


in local.cf
use_bayes 1

skip_rbl_checks 1
#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 0

bayes_path /var/amavis/.spamassassin/bayes

use_razor2 1
# Tell SA that we want to use Razor version 2

use_pyzor 0
# Tells SA that we don't want to use Pyzor

dns_available yes
# If you are sure you have DNS access set it to "yes"

#

score DKIM_POLICY_SIGNALL 2
score DKIM_SIGNED 0.00
score DKIM_POLICY_SIGNSOME 2
score DKIM_POLICY_TESTING 2
score DKIM_VERIFIED 0.0
score T_DKIM_INVALID 3.59
score T_DKIM_VALID_AU 3.59
score DKIM_INVALID 3.59
score DKIM_VALID_AU 3.59

score HTML_LINK_CLICK_HERE 3
score LINES_OF_YELLING 2
score BODY_ENHANCEMENT 5.213
score BODY_ENHANCEMENT2 5.213
score DRUGS_ERECTILE 5.713
score DRUG_ED_SILD 5.713
score HELO_DYNAMIC_DHCP 4.213
score HS_INDEX_PARAM 5.713
score ONLINE_PHARMACY 5.713
score RDNS_DYNAMIC 2.99
score RDNS_NONE 2.99
score NO_DNS_FOR_FROM 5.5
score SPF_HELO_FAIL 5.0





Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread Motty Cruz

Thanks Tom,

my scores were definitely a problem.

Thanks again,
Motty

On 04/05/2018 09:48 AM, Tom Hendrikx wrote:

On 05-04-18 18:40, Motty Cruz wrote:

Thanks for your prompt reply John,

X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
     tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
     T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no


BAYES_00 means 'pretty sure it's ham'.
BAYES_99 means 'pretty sure it's spam'.
BAYES_50 means 'no idea'.

Scoring BAYES_50 at 4.3 is your scoring issue, nothing's wrong with
T_RP_MATCHES_RCVD.

Kind regards,
Tom



always the score is -0.01 regardless; I will take your suggestion and
set it to 0.01, will report back shortly.

Thanks,


On 04/05/2018 09:32 AM, John Hardin wrote:

On Thu, 5 Apr 2018, Motty Cruz wrote:


Hello, T_RP_MATCHES_RCVD  this rule is allowing spammy emails past
through. Is there a way to disable in local.cf?

The best way to disable it without breaking any meta-rules that may be
using it is to set its score to 0.001 in your local config file.

I don't see a score for it in the latest rules update, so it should by
default be *adding* one point to scores, which won't contribute to FNs.

What is it currently scored in your environment?

It is, however, used as a suppressor subrule in some spam meta-rules.
Is that why it's causing FNs for you?







Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread Motty Cruz

Thanks for your prompt reply John,

X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
    tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
    T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no

always the score is -0.01 regardless; I will take your suggestion and 
set it to 0.01, will report back shortly.


Thanks,


On 04/05/2018 09:32 AM, John Hardin wrote:

On Thu, 5 Apr 2018, Motty Cruz wrote:

Hello, T_RP_MATCHES_RCVD  this rule is allowing spammy emails past 
through. Is there a way to disable in local.cf?


The best way to disable it without breaking any meta-rules that may be 
using it is to set its score to 0.001 in your local config file.


I don't see a score for it in the latest rules update, so it should by 
default be *adding* one point to scores, which won't contribute to FNs.


What is it currently scored in your environment?

It is, however, used as a suppressor subrule in some spam meta-rules. 
Is that why it's causing FNs for you?






how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread Motty Cruz
Hello, T_RP_MATCHES_RCVD  this rule is allowing spammy emails past 
through. Is there a way to disable in local.cf?


Thanks,
Motty



SpamAssassin does not scan consistently

2017-02-09 Thread Motty Cruz
Although both of these emails were blocked, both emails were really spammy;
one received high score while the other was percentage point away from
passing through. My question pertains to spamassassin not consistently giving
"razor score, URIBL, T_REMOTE_IMAGE" to all emails. It is not being more
aggressive? 

 

X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 5.502
X-Spam-Level: *
X-Spam-Status: Yes, score=5.502 tag=-999.9 tag2=5.4 kill=5.5
 tests=[BAYES_999=0.2, BAYES_99=5.3, HTML_FONT_LOW_CONTRAST=0.001,
 HTML_MESSAGE=0.001] autolearn=no autolearn_force=no
Received: from m1.fqdn.com ([127.0.0.1])

X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 16.578
X-Spam-Level: 
X-Spam-Status: Yes, score=16.578 tag=-999.9 tag2=5.4 kill=5.5
 tests=[BAYES_999=0.2, BAYES_99=5.3, HTML_MESSAGE=0.001,
 RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
 RAZOR2_CHECK=2.5, T_REMOTE_IMAGE=1.99, URIBL_BLACK=1.7,
 URIBL_DBL_SPAM=2.5, URI_TRY_USME=0.001]
 autolearn=no autolearn_force=no

local.cf

## Optional Score Increases
score DCC_CHECK 4.000
score RAZOR2_CHECK 2.500
score BAYES_99 5.300
score BAYES_90 4.500
score BAYES_80 4.000
# For scores have a look at /usr/local/share/spamassassin/50_scores.cf
# file.
score HTML_FONT_INVISIBLE 3
score HTML_FONTCOLOR_UNKNOWN 2
score ORDER_NOW 1.5
score CLICK_BELOW 1
score LIMITED_TIME_ONLY 1
# This rule might be extreme but html only spams get through too easy.
# In other words, if you can't take the time to write something and are
# posting an image only, then you're 86'd!
score HTML_IMAGE_ONLY_02 2
score HTML_IMAGE_ONLY_04 2
score OFFERS_ETC 2
score HTML_LINK_CLICK_HERE 1
score LINES_OF_YELLING 1
score RP_MATCHES_RCVD 0
# adding more feb 8 2017
score BODY_ENHANCEMENT 5.213

 

Thanks, 
Motty



RE: Anyone else just blocking the ".top" TLD?

2016-11-03 Thread Motty Cruz
Getting tons of this: 

 

top.professional.wo...@ub6eual.cpatter.top

 

 

I am Just blocking  "*.top" 

 

 

From: Vincent Fox [mailto:vb...@ucdavis.edu] 
Sent: Thursday, November 03, 2016 9:27 AM
To: users@spamassassin.apache.org
Subject: Re: Anyone else just blocking the ".top" TLD?

 

Resurrecting thread 

 

TOP remains at the err... top of abuse heap.

 

XYZ insights anyone?  They have been on my reject list

for a long time, but claim to be cleaning it up.  Thinking to

drop my shields on this one.

 

https://gen.xyz/blog/antiabuse 


  


 

My current total-block list:

From:link                       REJECT
From:website                    REJECT
From:berlin                     REJECT
From:club                       REJECT
From:email                      REJECT
From:csr24.email                OK
From:guru                       REJECT
From:wang                       REJECT
From:xyz                        REJECT
From:driver.xyz                 ACCEPT
From:photography                REJECT
From:rocks                      REJECT
From:click                      REJECT
From:xn--czrs0t                 REJECT
From:xn--hxt814e                REJECT
From:xn--flw351e                REJECT
From:xn--qcka1pmc               REJECT
From:xn--45q11c                 REJECT
From:xn--vermgensberatung-pwb   REJECT
From:xn--vermgensberater-ctb    REJECT
From:xn--p1acf                  REJECT
From:xn--vhquv                  REJECT
From:xn--xhq521b                REJECT
From:xn--1qqw23a                REJECT
From:xn--kput3i                 REJECT
From:xn--4gbrim                 REJECT
From:xn--czr694b                REJECT
From:xn--80adxhks               REJECT
From:xn--ses554g                REJECT
From:xn--czru2d                 REJECT
From:xn--rhqv96g                REJECT
From:xn--nqv7f                  REJECT
From:xn--i1b6b1a6a2e            REJECT
From:xn--nqv7fs00ema            REJECT
From:xn--c1avg                  REJECT
From:xn--d1acj3b                REJECT
From:xn--mgbab2bd               REJECT
From:xn--6frz82g                REJECT
From:xn--io0a7i                 REJECT
From:xn--55qx5d                 REJECT
From:xn--fiq64b                 REJECT
From:xn--3bst00m                REJECT
From:xn--6qq986b3xl             REJECT
From:xn--fiq228c5hs             REJECT
From:xn--3ds443g                REJECT
From:xn--55qw42g                REJECT
From:xn--zfr164b                REJECT
From:xn--q9jyb4c                REJECT
From:xn--ngbc5azd               REJECT
From:xn--80asehdb               REJECT
From:xn--80aswg                 REJECT
From:xn--unup4y                 REJECT
From:ninja                      REJECT
From:gripe                      REJECT
From:loans                      REJECT
From:luxury                     REJECT
From:market                     REJECT
From:marketing                  REJECT
From:pink                       REJECT
From:whoswho                    REJECT
From:work                       REJECT
From:cricket                    REJECT
From:xn--plai                   REJECT
From:review                     REJECT
From:country                    REJECT
From:kim                        REJECT
From:science                    REJECT
From:party                      REJECT
From:gq                         REJECT
From:top                        REJECT
From:uno                        REJECT
From:win                        REJECT
From:download                   REJECT
From:tk                         REJECT
From:pw                         REJECT
From:international              REJECT
From:slice.international        OK
From:date                       REJECT
From:gdn                        REJECT
From:pro                        REJECT
From:mm.law.pro                 OK
From:npocpa.pro                 OK
From:bid                        REJECT
From:trade                      REJECT
From:press                      REJECT
From:faith                      REJECT
From:racing                     REJECT
From:stream                     REJECT
From:diet                       REJECT
From:tokyo                      REJECT
From:accountant                 REJECT
From:webcam                     REJECT
From:help                       REJECT
From:space                      REJECT
From:men                        REJECT

 

 

 



RE: local.cf example

2016-11-02 Thread Motty Cruz
Thanks for your help! 

I discovered AWL enabled in init.pre, which short-circuits all other plugins. I
disabled AWL and spamassassin is working fine now. 

Thanks for your help!
_Motty

-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
Sent: Wednesday, November 02, 2016 10:16 AM
To: users@spamassassin.apache.org
Subject: Re: local.cf example

On 01.11.16 11:24, Motty Cruz wrote:
>Very strange, missed configuration, here is another header and I have 
>not change any configuration and yet this one was scanned:

>X-Spam-Status: No, score=2.604 tagged_above=-999.9 required=5.6
>tests=[AWL=2.468, DATE_IN_PAST_03_06=1.076, DKIM_SIGNED=0.99,
>DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VERIFIED=0.99,
>HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, 
>RCVD_IN_DNSWL_NONE=2.3,
>RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
>RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_SAFE=-2, SPF_HELO_PASS=-0.001,
>SPF_PASS=-0.001] autolearn=no autolearn_force=no

the former was scanned too, but it only hit RDNS_NONE with extremely
increased score.

...I have increased score for RCVD_IN_RP_CERTIFIED to -0.03 and
RCVD_IN_RP_SAFE to -0.02 to avoid spam from "certified" spammers.

Note that you have enabled network tests but I see no sign of RAZOR, PYZOR
and DCC (they all need extra SW installed).
Also, still no BAYES (maybe manual training would help)


>On 01.11.16 08:43, Motty Cruz wrote:
>>X-Virus-Scanned: amavisd-new at fqdn.com
>>X-Spam-Flag: NO
>>X-Spam-Score: 5.5
>>X-Spam-Level: *
>>X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
>>tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
>>Received: from HOST1.fqdn.com ([127.0.0.1])
>>
>>This-election is the craziest in our country's history so far but 
>>in-spite of all the press-surrounding it, there is something that NO 
>>ONE seems to have the-guts to talk about...
>>
>>Totally spam E-mail, should have score higher, but there was only one
>score?
>
>RDNS_NONE does only score 1.1/0.7, why did you bump it to 5.5?
>
>You apparently miss modules, network checks, BAYES (database apparently 
>under "amavis" user) ...
>
>yes, even in such cases you may only get only one rule hit (e.g. 
>BAYES_99) but it's quite rare case
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 your friends - let them see what an idiot you are



RE: local.cf example

2016-11-01 Thread Motty Cruz
Very strange, missed configuration, here is another header and I have not
changed any configuration and yet this one was scanned: 

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 2.604
X-Spam-Level: **
X-Spam-Status: No, score=2.604 tagged_above=-999.9 required=5.6
tests=[AWL=2.468, DATE_IN_PAST_03_06=1.076, DKIM_SIGNED=0.99,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VERIFIED=0.99,
HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_NONE=2.3,
RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_SAFE=-2, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: HOST1.fqdn.com (amavisd-new);
dkim=pass (1536-bit key) header.d=kevineikenberry.com;
domainkeys=pass (1536-bit key)
header.from=repl...@kevineikenberry.com
header.d=kevineikenberry.com

I'm very confused. 

Thanks, 
Motty

-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
Sent: Tuesday, November 01, 2016 9:41 AM
To: users@spamassassin.apache.org
Subject: Re: local.cf example

On 01.11.16 08:43, Motty Cruz wrote:
>X-Virus-Scanned: amavisd-new at fqdn.com
>X-Spam-Flag: NO
>X-Spam-Score: 5.5
>X-Spam-Level: *
>X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
>tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
>Received: from HOST1.fqdn.com ([127.0.0.1])
>
>This-election is the craziest in our country's history so far but 
>in-spite of all the press-surrounding it, there is something that NO 
>ONE seems to have the-guts to talk about...
>
>Totally spam E-mail, should have score higher, but there was only one
>score?

RDNS_NONE does only score 1.1/0.7, why did you bump it to 5.5?

You apparently miss modules, network checks, BAYES (database apparently
under "amavis" user) ...

yes, even in such cases you may get only one rule hit (e.g. BAYES_99)
but it's quite a rare case

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety. -- Benjamin Franklin, 1759



RE: local.cf example

2016-11-01 Thread Motty Cruz
If I disable AWL: 

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 5.5
X-Spam-Level: *
X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
Received: from HOST1.fqdn.com ([127.0.0.1])

This-election is the craziest in our country's history so far but
in-spite of all the press-surrounding it, there is something that
NO ONE seems to have the-guts to talk about...

Totally spam E-mail, should have score higher, but there was only one score?



Any idea? 

Thanks, 
Motty

-Original Message-
From: RW [mailto:rwmailli...@googlemail.com] 
Sent: Saturday, October 29, 2016 5:35 AM
To: users@spamassassin.apache.org
Subject: Re: local.cf example

On Fri, 28 Oct 2016 22:25:54 -0700
motty cruz wrote:

> AWL is allowing spam email through,

It will do, it's a score averager, it moves the score towards the average
score for the sender. 

AWL is vulnerable to spoofing so you check the from address on the spam. If
that's happening you should consider switching to TxRep. TxRep also excludes
Bayes from the score averaging which makes it less resistant to learning.  


> X-Spam-Status: ..., DKIM_VALID=-0.1, ... DKIM_VERIFIED=0.99,

Why do you have DKIM_VERIFIED=0.99? It's just an old name for DKIM_VALID and
not a spam indicator anyway.



local.cf example

2016-10-28 Thread motty cruz
Hello, can someone provide local.cf working example?

AWL is allowing spam email through,

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 5.114
X-Spam-Level: *
X-Spam-Status: No, score=5.114 tagged_above=-999.9 required=5.6
tests=[AWL=-2.530, BAYES_99=4.799, BAYES_999=0.2, DKIM_SIGNED=0.99,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VERIFIED=0.99,
HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_02=0.437,
HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001] autolearn=no autolearn_force=no

-- 
Thanks for your support,
Motty
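
An added example, not part of any post in this thread: the X-Spam-Status headers quoted on this page can be broken down mechanically to show what the replies point out by hand, namely how far AWL moved the score and whether any Bayes or network rule hit at all. The rule groupings and finding names are assumptions of this sketch; the two sample headers are copied from posts on this page.

```python
import re

# Groupings below are this example's assumptions, not a SpamAssassin API.
REPUTATION_RULES = ("AWL", "TXREP")          # score averagers
BAYES_PREFIX = "BAYES_"
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "PYZOR_", "DCC_")

# Accepts both amavisd-new layouts seen on this page:
#   "... tagged_above=-999.9 required=5.6 tests=[...]"
#   "... tag=-999 tag2=5.5 kill=5.6 tests=[...]"
STATUS_RE = re.compile(
    r"(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r".*?(?:required|kill)=(?P<required>-?\d+(?:\.\d+)?)"
    r".*?tests=\[(?P<tests>[^\]]*)\]",
    re.S,
)

# Headers as posted on this page (folded across lines).
AWL_MASKED = """No, score=5.114 tagged_above=-999.9 required=5.6
 tests=[AWL=-2.530, BAYES_99=4.799, BAYES_999=0.2, DKIM_SIGNED=0.99,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VERIFIED=0.99,
 HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_02=0.437,
 HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001] autolearn=no autolearn_force=no"""

SINGLE_RULE = """No, score=5.5 tagged_above=-999.9 required=5.6
 tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no"""


def parse_spam_status(value):
    """Split an X-Spam-Status value into verdict, score, threshold, tests."""
    m = STATUS_RE.search(value)
    if not m:
        raise ValueError("not an X-Spam-Status value with a tests=[...] list")
    tests = {}
    for item in m.group("tests").split(","):
        item = item.strip()
        if not item:
            continue
        name, _, score = item.partition("=")
        tests[name.strip()] = float(score)
    return {
        "verdict": m.group("verdict"),
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def analyse(value):
    """Report what the score would be without AWL/TxRep and what never hit."""
    st = parse_spam_status(value)
    tests = st["tests"]
    rule_sum = sum(tests.values())
    reputation = sum(s for n, s in tests.items() if n in REPUTATION_RULES)
    without_reputation = round(rule_sum - reputation, 3)

    findings = []
    # A missing BAYES_* hit means Bayes did not contribute to this message
    # (untrained database, wrong bayes_path, or wrong user).
    if not any(n.startswith(BAYES_PREFIX) for n in tests):
        findings.append("NO_BAYES_HIT")
    # Network rules only show up when they hit, so this is a hint to go and
    # check that DNSBL/URIBL/Razor/Pyzor/DCC are enabled, not proof they are off.
    if not any(n.startswith(NETWORK_PREFIXES) for n in tests):
        findings.append("NO_NETWORK_HIT")
    # The averager alone moved the message from "spam" to "not spam".
    if reputation < 0 and st["score"] < st["required"] <= without_reputation:
        findings.append("REPUTATION_MASKED_SPAM")

    return {
        "score": st["score"],
        "required": st["required"],
        "rule_sum": round(rule_sum, 3),
        "without_reputation": without_reputation,
        "consistent": abs(rule_sum - st["score"]) < 0.0015,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, header in (("AWL case", AWL_MASKED), ("single rule", SINGLE_RULE)):
        print(label, analyse(header))
```

For the first header the rules other than AWL add up to 7.644, above the 5.6 threshold; the AWL adjustment of -2.530 is what brings it down to 5.114.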


Re: PatioDeals@recolong.review how to get high score

2015-08-13 Thread Motty Cruz

Thanks all, for your support.
I did feed spammy emails, most are blocked but users still get a bunch of 
those emails a day. I added this in MTA:


smtpd_sender_restrictions = reject_unknown_sender_domain
(http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions,
http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain)

in the .cf file I added
blacklist_from *.review
blacklist_from *.work
blacklist_from *.date

I will be monitoring,

Thanks,



On 08/13/2015 11:34 AM, John Hardin wrote:

On Thu, 13 Aug 2015, John Hardin wrote:


On Thu, 13 Aug 2015, Motty Cruz wrote:


 Can I configure Spam-assassin to drop emails with extensions .review?



 From: Patio Deals PatioDeals@recolong.review


untested:

 header  FROM_TLD_REVIEW   From:addr =~ /\.review$/i


Also, if you want to poison-pill such senders, do it at the MTA level.
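
An added example, not part of the posts above: a small harness that runs the regex from the untested `FROM_TLD_REVIEW` rule and the three `blacklist_from` globs against constructed From headers, to show why the rule is written against `From:addr` rather than the whole header. The address extraction and glob matching here only approximate SpamAssassin's behaviour, and all sample headers except the Patio Deals one are constructed.

```python
import re
from email.utils import parseaddr

# The regex from the rule quoted above: /\.review$/i
RULE_RE = re.compile(r"\.review$", re.I)

# The globs from the blacklist_from lines quoted above.
BLACKLIST_GLOBS = ("*.review", "*.work", "*.date")


def from_addr(header_value):
    """Approximate the :addr modifier: the address only, no display name."""
    return parseaddr(header_value)[1]


def glob_to_regex(pattern):
    """File-glob style match over the whole address: * and ? only."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.I)


BLACKLIST = [glob_to_regex(p) for p in BLACKLIST_GLOBS]


def evaluate(header_value):
    """Compare the rule on the bare address, on the raw header, and the globs."""
    addr = from_addr(header_value)
    return {
        "addr": addr,
        "rule_on_addr": bool(RULE_RE.search(addr)),
        # Same regex against the full header: the closing '>' defeats the
        # '$' anchor, so the rule would silently never fire.
        "rule_on_raw_header": bool(RULE_RE.search(header_value)),
        "blacklist_from": any(p.match(addr) for p in BLACKLIST),
    }


SAMPLES = [
    "Patio Deals <PatioDeals@recolong.review>",   # sender from the thread
    '"Weekly.Review" <news@example.com>',         # constructed: TLD-like display name
    "offers@SHOP.REVIEW",                         # constructed: bare address, upper case
    "someone@book.reviews",                       # constructed: different TLD
    "editor@review.example.org",                  # constructed: label, not TLD
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, evaluate(sample))
```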





spamassassin low score

2015-04-09 Thread Motty Cruz

Hello,
I get a spam with very low score. AWL=1.350 but that address is not in 
the whitelist.


local.cf
required_score 5.0

X-Virus-Scanned: amavisd-new at sscsinc.com
X-Spam-Flag: NO
X-Spam-Score: -0.559
X-Spam-Level:
X-Spam-Status: No, score=-0.559 tagged_above=-999 required=5.3
tests=[AWL=1.350, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no

any suggestions?

Thanks,
Motty


how to change GTUBE default score

2015-01-29 Thread Motty Cruz

Hi,
spamassassin is blocking email from my own domain because GTUBE score 
is too high,
I tried changing in ~/.spamassassin/user_prefs to score GTUBE 3.0 but 
no difference.


X-Spam-Flag: YES
X-Spam-Score: 847.462
X-Spam-Level: 


X-Spam-Status: Yes, score=847.462 tag=-999 tag2=5.5 kill=5.6
tests=[ALL_TRUSTED=-1, AWL=0.370, BAYES_00=-1.9, GTUBE=1000,
HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, LOCAL_RCVD=-50,
T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100]
autolearn=no autolearn_force=no

any ideas?

Thanks,
Motty


BAYES_999=0.2 how to set this score higher?

2014-11-04 Thread motty cruz
Hello, I would like to set BAYES_999=0.2 score higher than 0.2; I am searching
for the file but I can't find it in /usr/local/etc/mail/spamassassin (am using
FreeBSD)

Thanks for your support,
Motty


Re: getting tons of SPAM

2014-10-20 Thread motty cruz
here are the RBLs I am using:
 reject_rbl_client b.barracudacentral.org,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net

is there a way to block *.eu and *.link ?

here is part of local.cf
#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0 changed to 4.5 9-7-12
required_score 6.2


#   Use Bayesian classifier (default: 1)
#
use_bayes 1
bayes_path /var/amavis/.spamassassin/bayes

here is amavisd.conf
$sa_kill_level_deflt = 6.2;  # triggers spam evasive actions (e.g. blocks mail)

is this right combination? am i doing something wrong?

I get very spammy emails:
e0de6633145833.2909801.2920014.2920...@sly111.windowcostssuggest.com,
mail_id: G1bV4l8INAHn, Hits: 1.99, size: 1683, queued_as: 430584563F1, 1062
ms

very low score.

Thanks,
Motty

On Thu, Oct 16, 2014 at 3:39 PM, Reindl Harald h.rei...@thelounge.net
wrote:


 Am 17.10.2014 um 00:24 schrieb Benny Pedersen:

 On October 16, 2014 11:23:57 PM motty cruz motty.c...@gmail.com wrote:

  I tried to post a sample but got rejected:


 Good, thats means that its local problem

  Here is goes again, the header:
 tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
 T_RP_MATCHES_RCVD=-0.01] autolearn=no


 What plugins is loaded?


 URIBL are just not enabled or working

 even the quote to the last message with headers get blocked by
 URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL combined




-- 
Thanks for your support,
Motty


Re: getting tons of SPAM

2014-10-20 Thread motty cruz
Hello Axb,

yes you're right I am trying to reject emails that end with *.eu and
*.link. can I do a wild card *.eu? *.link?

Thanks,

On Mon, Oct 20, 2014 at 7:51 AM, Axb axb.li...@gmail.com wrote:

 On 10/20/2014 04:48 PM, motty cruz wrote:

 here are the RBLs I am using:
   reject_rbl_client b.barracudacentral.org,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net

 is there a way to block *.eu and *.link ?


 block means *reject*, right?

 use Postfix access tables (hash/pcre/regex)




-- 
Thanks for your support,
Motty


Re: getting tons of SPAM

2014-10-20 Thread motty cruz
Hello Benny,
I tried to find a legitimate way to reject or drop spam email. I was
getting tons of very spammy emails, with very low score. I take your
advice and suggestions very seriously. I joined this forum because I want to
listen to experts.

going through the configuration files I realize I had misconfigured
something, for the last 3 hours I have been monitoring my spam filter,
discarding a lot of spam.

Thanks all for your help!
Motty



On Mon, Oct 20, 2014 at 2:08 PM, Benny Pedersen m...@junc.eu wrote:

 On October 20, 2014 4:51:35 PM Axb axb.li...@gmail.com wrote:

  use Postfix access tables (hash/pcre/regex)


 If he reject he will not listen to what he ask for, pointless




-- 
Thanks for your support,
Motty


spam - why spam score is low,

2014-09-26 Thread motty cruz
Hello,
I am getting tons of spam with very low score:

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 4.712
X-Spam-Level: 
X-Spam-Status: No, score=4.712 tagged_above=-999 required=6.1
tests=[AWL=-0.001, BAYES_99=4.5, BAYES_999=0.2,
HTML_EXTRA_CLOSE=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001,
T_REMOTE_IMAGE=0.01] autolearn=no
Received: from maria.fqdn.com ([127.0.0.1])

-- 
Thanks for your support,
Motty


Re: I was wrong - Bayes filter not quite right

2014-07-09 Thread motty cruz
I had similar issue, I am running FreeBSD, in my etc/group

vscan:*:110:clamav

also, cd /var
ls -la

drwxr-x 8   vscan   vscan   amavis

because inside /var/amavisd
db .spamassassin

Thanks,



On Wed, Jul 9, 2014 at 1:26 PM, Bruce Sackett br...@oecnw.com wrote:

 On Jul 8, 2014, at 9:42 AM, John Hardin jhar...@impsec.org wrote:
 
  On Tue, 8 Jul 2014, motty cruz wrote:
 
  Hi Bruce,
  I was having similar issues, can you do  su - vscan and restart amavisd
  service?
 
  user vscan != user amavis.
 
  On Tue, Jul 8, 2014 at 8:54 AM, Bruce Sackett br...@oecnw.com wrote:
 
  So I was able to get the Bayes filter working under spamassassin -D as
 the
  ‘amavis’ user (which should be correct), but when I run a live message
  through the mail server, it is apparently NOT using Bayes.  Any ideas
 on
  where/how I could troubleshoot that specifically?
 
  Which user is amavisd running under? If it's indeed running under user
 vscan then training and testing Bayes as user amavis probably won't
 help any.
 
  --
  John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  ---
   Gun Control laws cannot reduce violent crime, because gun control
   laws focus obsessively on a tool a criminal might use to commit a
   crime rather than the criminal himself and his act of violence.
  ---
  12 days until the 45th anniversary of Apollo 11 landing on the Moon


 I’ve carefully verified the user the service is running under is ‘amavis’
 and that I can su amavis and successfully get Bayes results with
 spamassassin -D  (TESTEMAIL)

 It’s very strange - like the service is ignoring the bases database even
 though as the user it reads it just fine.  The DB for that user has around
 2000 spam and 500 ham right at the moment, and not reporting any errors.




Re: I was wrong - Bayes filter not quite right

2014-07-08 Thread motty cruz
Hi Bruce,
I was having similar issues, can you do  su - vscan and restart amavisd
service?

make sure you vscan user can read /var/amavisd.

also, you must feed about 200+ ham/spam emails to activate bayes.

Thanks,


On Tue, Jul 8, 2014 at 8:54 AM, Bruce Sackett br...@oecnw.com wrote:

 So I was able to get the Bayes filter working under spamassassin -D as the
 ‘amavis’ user (which should be correct), but when I run a live message
 through the mail server, it is apparently NOT using Bayes.  Any ideas on
 where/how I could troubleshoot that specifically?

 --Bruce Sackett – e: br...@oecnw.com - w: www.oecnw.com - p: 541.342.3325 -
 tw: @OECTECH - fb: www.facebook.com/oecnw




Re: getting tons of SPAM

2014-07-02 Thread motty cruz
I am using the following RBLs:



On Tue, Jul 1, 2014 at 10:08 PM, Steve Bergman sbergma...@gmail.com wrote:

 On 07/01/2014 11:15 PM, Daniel Staal wrote:

  You probably can.  ;)  But I'm sure Windstream didn't get you every
 piece of mail immediately after it was sent - just as soon as they could
 after they got it.


 Yeah. I'm conservatively holding myself to higher standards than is
 perhaps warranted. But I think that those standards are along the lines of
 what my long-time customer thought they were getting from Windstream. And
 if Windstream had too many issues, I think I would have heard about it.

 And their servers *did* become unavailable for short periods from time to
 time.

 But once I'm satisfied that I've reached parity, the real fun starts. We
 were on POP3. Now we're on our own IMAP. And there is Dovecot full text
 search in our near future. It will be fun to be able to go beyond and show
 off a little. My client company's CEO does a lot of full text searching
 over his email history.


   I'm not even saying I like greylisting - I'm just

 saying you should work to set user expectations to reality,


 When trust died on the Internet, telnet died, but somehow the unbelievably
 naive email system did not. It was never prepared for spammer abuse. And
 we're still accommodating to 7 bit systems for crying out loud. If it were
 material I suppose it would make a fine antique in someone's collection.
 Right along side the PDP-11.


  which is

 that email sometimes takes time to get delivered and (rarely) gets
 lost.  If something is absolutely time-critical, they should treat email
 as a backup,


 I think that It's largely a matter of *peoples* expectations and
 understanding, If a mail gets missed, folks can understand an occasional I
 never got your email, we'll send someone over right away.

 What I object to is the idea of regular and unpredictable delays as
 introduced by greylisting. And it's just plain ugly from an aesthetic
 standpoint. But then so are our current email protocols. But I do think
 that can be fixed.

 Never did like texting. And that's the alternative.

 -Steve




Re: getting tons of SPAM

2014-07-02 Thread motty cruz
I am using the following RBLs :

 reject_rbl_client b.barracudacentral.org,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client all.spamrats.com

any other suggestions? spam still flowing:

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: -0.129
X-Spam-Level:
X-Spam-Status: No, score=-0.129 tagged_above=-999 required=5.3
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_IMAGE_RATIO_08=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01]
autolearn=unavailable autolearn_force=no
Authentication-Results: rico.fqdn.com (amavisd-new);
dkim=pass (1024-bit key) header.d=e.safenet-inc.com;
domainkeys=pass (1024-bit key)
header.from=sentineli...@e.safenet-inc.com header.d=
e.safenet-inc.com

very low score for spammy email.

any suggestions?


On Wed, Jul 2, 2014 at 7:49 AM, motty cruz motty.c...@gmail.com wrote:

 I am using the following RBLs:



 On Tue, Jul 1, 2014 at 10:08 PM, Steve Bergman sbergma...@gmail.com
 wrote:

 On 07/01/2014 11:15 PM, Daniel Staal wrote:

  You probably can.  ;)  But I'm sure Windstream didn't get you every
 piece of mail immediately after it was sent - just as soon as they could
 after they got it.


 Yeah. I'm conservatively holding myself to higher standards than is
 perhaps warranted. But I think that those standards are along the lines of
 what my long-time customer thought they were getting from Windstream. And
 if Windstream had too many issues, I think I would have heard about it.

 And their servers *did* become unavailable for short periods from time to
 time.

 But once I'm satisfied that I've reached parity, the real fun starts. We
 were on POP3. Now we're on our own IMAP. And there is Dovecot full text
 search in our near future. It will be fun to be able to go beyond and show
 off a little. My client company's CEO does a lot of full text searching
 over his email history.


   I'm not even saying I like greylisting - I'm just

 saying you should work to set user expectations to reality,


 When trust died on the Internet, telnet died, but somehow the
 unbelievably naive email system did not. It was never prepared for spammer
 abuse. And we're still accommodating to 7 bit systems for crying out loud.
 If it were material I suppose it would make a fine antique in someone's
 collection. Right along side the PDP-11.


  which is

 that email sometimes takes time to get delivered and (rarely) gets
 lost.  If something is absolutely time-critical, they should treat email
 as a backup,


 I think that It's largely a matter of *peoples* expectations and
 understanding, If a mail gets missed, folks can understand an occasional I
 never got your email, we'll send someone over right away.

 What I object to is the idea of regular and unpredictable delays as
 introduced by greylisting. And it's just plain ugly from an aesthetic
 standpoint. But then so are our current email protocols. But I do think
 that can be fixed.

 Never did like texting. And that's the alternative.

 -Steve





Re: getting tons of SPAM

2014-07-02 Thread motty cruz
Bayesian filter is not running: according to header,

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: -0.009
X-Spam-Level:
X-Spam-Status: No, score=-0.009 tagged_above=-999 required=5.3
tests=[HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01]
autolearn=unavailable
Received: from

# sa-learn --dump magic
Error Opening file /usr/local/share/GeoIP/GeoIPv6.dat
0.000  0     3  0  non-token data: bayes db version
0.000  0  3338  0  non-token data: nspam
0.000  0   784  0  non-token data: nham

any ideas?


On Wed, Jul 2, 2014 at 9:05 AM, Steve Bergman sbergma...@gmail.com wrote:


  whereis sa-update
 sa-update: /usr/local/bin/sa-update


 Yeah. You're a /usr/*local*/bin guy.

 At age 51, I've become a /usr/bin guy. LOL.

 :-)



Re: getting tons of SPAM

2014-07-02 Thread motty cruz
looks like gmail won't allow outgoing email with sample of spam emails,




On Wed, Jul 2, 2014 at 2:45 PM, John Hardin jhar...@impsec.org wrote:

 On Wed, 2 Jul 2014, motty cruz wrote:

  Bayesian filter is not running: according to header,

 X-Virus-Scanned: amavisd-new at fqdn.com
 X-Spam-Flag: NO
 X-Spam-Score: -0.009
 X-Spam-Level:
 X-Spam-Status: No, score=-0.009 tagged_above=-999 required=5.3
tests=[HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01]
autolearn=unavailable
 Received: from

 # sa-learn --dump magic
 Error Opening file /usr/local/share/GeoIP/GeoIPv6.dat
 0.000  0     3  0  non-token data: bayes db version
 0.000  0  3338  0  non-token data: nspam
 0.000  0   784  0  non-token data: nham

 any ideas?


 You need to post samples (to pastebin). We can't make comments on what
 *should* be hitting unless we can see the message itself.


 --
  John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
   The third basic rule of firearms safety:
   Keep your booger hook off the bang switch!

 ---
  2 days until the 238th anniversary of the Declaration of Independence



Re: getting tons of SPAM

2014-07-01 Thread motty cruz
Hello, I am trying to manipulate spamassassin scores, I am getting lots of
SPAM with very low score.

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5.3
tests=[DKIM_SIGNED=0.001, HTML_IMAGE_RATIO_06=0.001,
HTML_MESSAGE=0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=unavailable
Authentication-Results: maria.fqdn.com (amavisd-new);
dkim=fail (1024-bit key) reason=fail (body has been altered)
header.d=dttusa.com


Please help,
Thanks


On Fri, Jun 27, 2014 at 8:16 AM, Matus UHLAR - fantomas uh...@fantomas.sk
wrote:

 On 27.06.14 07:50, motty cruz wrote:

 I can't figure out why spammy email get very little score,


  X-Quarantine-ID: 4QFxoaNchYOk
 X-Virus-Scanned: amavisd-new at fqdn.com
 X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: unexpected end of
header


 This might explain much. seems that the mail was broken somehow.
 Did you use default configs for spamassassin and amavis?


  X-Spam-Flag: NO
 X-Spam-Score: 0.102
 X-Spam-Level:
 X-Spam-Status: No, score=0.102 tagged_above=-999 required=5.3
tests=[AWL=0.311, DKIM_SIGNED=0.001, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-0.001, HTML_MESSAGE=0.001,
T_RP_MATCHES_RCVD=-0.01]
 ---
 Received: by bell.cuxrrb.com id hllmas0e97ct for mo...@fdqn.com; Fri,
 27
 Jun 2014 08:58:12 -0400 (envelope-from life-motty+5F=f...@cuxrrb.com)
 From: Pimsleur Approach l...@cuxrrb.com
 Date: Fri, 27 Jun 2014 08:58:12 -0400
 Subject: Want to speak a foreign language but don't have a lot of time?

 Reply-To: reply-b89161365ddc621bf5b4340f26597...@cuxrrb.com
 Message-ID: b89161365ddc621bf5b4340f2659783e095437-2598-hINbimNU@
 cuxrrb.com


  MIME-Version: 1.0
 Content-Type: multipart/alternative;
 boundary=b89161365ddc621bf5b4340f2659783e69.692014062755451


 --
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!



Re: getting tons of SPAM

2014-07-01 Thread motty cruz
maybe I missed your question,
was this your question: "Did you use default configs for spamassassin and
amavis?"

because if it is, I replied immediately, here is my response again,

yes I was using default configurations except for language scores I added
some time ago. 

Thanks,


On Tue, Jul 1, 2014 at 8:49 AM, Matus UHLAR - fantomas uh...@fantomas.sk
wrote:

 On 27.06.14 07:50, motty cruz wrote:

  X-Quarantine-ID: 4QFxoaNchYOk
 X-Virus-Scanned: amavisd-new at fqdn.com
 X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: unexpected end of
header


  On Fri, Jun 27, 2014 at 8:16 AM, Matus UHLAR - fantomas 
 uh...@fantomas.sk
 wrote:

 This might explain much. seems that the mail was broken somehow.
 Did you use default configs for spamassassin and amavis?


 On 01.07.14 07:48, motty cruz wrote:

 Hello, I am trying to manipulate spamassassin scores, I am getting lots of
 SPAM with very low score.



 you haven't answered my question, have you?


 --
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Chernobyl was an Windows 95 beta test site.



Re: getting tons of SPAM

2014-07-01 Thread motty cruz
Hello Jeremy,

I have the following rbl main.cfg in postfix:
 reject_rbl_client b.barracudacentral.org,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client all.spamrats.com

RBL are very nice, helping me block lots of SPAM but a lot of spam are
making it through, with very low score. I trained SA with about 700 SPAM
emails and with about 258 HAM emails.

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5.3
tests=[DKIM_SIGNED=0.001, HTML_IMAGE_RATIO_06=0.001,
HTML_MESSAGE=0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=no

Email header is very spammy,
I need help stopping this attack,

Thanks for your support,




On Tue, Jul 1, 2014 at 12:17 PM, Jeremy McSpadden jer...@fluxlabs.net
wrote:

  No mention of RBLs or greylisting ...


 --
 Jeremy McSpadden
 Flux Labs | http://www.fluxlabs.net | Endless Solutions
 Office : 850-250-5590x501 850-250-5590;501 | Cell : 850-890-2543 | Fax
 : 850-254-2955

 On Jul 1, 2014, at 2:06 PM, Steve Bergman sbergma...@gmail.com wrote:

  Hey motty cruz,

 I just moved our 100 users over from our ISP's mail servers to our own.
 Apparently, the ISP's mail servers were doing remarkably well. Because it
 turns out that we get some 5000 spams a day, and users were getting
 essentially no spam.

 Then I upgraded us to a new OS on our Debian/X2Go/MATE desktop server, and
 move us to our own mail server, and the spam was coming through like water
 through the sluice gates of a dam.

 It didn't help that I'd moved everyone from Evolution to Thunderbird. So
 the client bayesian spam filters were completely untrained.

 So I installed SA on the server. That helped. But it wasn't enough. I
 compiled up DCC and and installed Pyzor, and that helped some. (Though SA's
 Pyzor support had some teething problems, as you can see from my recent
 posts, which I think may be now resolved.)

 What SA really needs if for its own Bayesian filter to kick in. But to be
 used at all, you need at least 200 ham and 200 spam messages registered
 with it.

 i.e. if you have to have a way to train the filter. I don't really have
 much confidence in autolearn. And I'm a little scared of it. So I turned
 it off. We use Dovecot. So I used the dovecot-antispam plugin to
 automatically train SA when mail gets moved in or out of the junk folder.
 (It handles the moving of mail from Junk into Trash or regular folders
 intelligently and appropriately.)

 But that only solved half the problem. You need 200 hams and 200 spams.
 Mail was not getting marked as ham when it went into the Inboxes. So I
 wrote a script that could be called from the users' .forward files to mark
 messages as ham. Then if the user, or Thunderbird's own spam filter chooses
 to move it to Junk, it gets relearned as spam.

 Finally, to deal with many of the false positives I was getting with SA, I
 wrote a script, executed from cron, which takes new mail in the users' Sent
 folders, and whitelists them with spamassassin in the users' own individual
 user_prefs files.

 This is what it took before I was really happy with the performance of SA.
 Well... that and adding a 1 second sleep after connection in the Postfix
 configuration. That made a huge difference. But our mail volume is small
 enough that the 1 second sleep doesn't cause any problems as it would on a
 really high volume server.

 I hope that rough outline is helpful to you in some way.

 However, having come through all that, I find myself wondering if we
 should simply impose capital punishment for the crime of spamming, or if
 more drastic action is indicated. ;-)




Re: getting tons of SPAM

2014-07-01 Thread motty cruz
yes I guess I could change the variable delay, I will do a quick search to
see how it would affect users. some users are very sensitive to these issues.

Thanks a bunch,



On Tue, Jul 1, 2014 at 1:37 PM, Steve Bergman sbergma...@gmail.com wrote:



 On 07/01/2014 03:29 PM, Martin Gregorie wrote:

 On Tue, 2014-07-01 at 19:17 +, Jeremy McSpadden wrote:

 No mention of RBLs or greylisting ...

  Quite.

 When my ISP switched on greylisting my mail immediately went from a
 spam:ham ratio of 80:20 to one of 20:80


 But the variable delay, which is not under your control? My users
 complained loudly about that minority of mails which took an hour to
 arrive. I had to turn it off. Yes, I'm sure the autowhitelist features help
 with time. But we're always receiving mail from new customers whom our mail
 server has never heard from before. And you really don't want to not
 receive a mail from a new customer for an hour or more when you are a
 service company advertising fast and efficient service of your customers'
 restaurant kitchen equipment during the lunch hours.

 I did not find greylisting viable for our use case. And I suspect many
 businesses would have similar incompatibilities with the strategy.

 -Steve



Re: getting tons of SPAM

2014-07-01 Thread motty cruz
Today I built a new Spam filter with latest release, I left all default
configuration except a few changes, for now it seems to be doing better at
blocking really spammy emails.

Thanks for all your help,



On Tue, Jul 1, 2014 at 2:39 PM, John Hardin jhar...@impsec.org wrote:

 On Tue, 1 Jul 2014, Martin Gregorie wrote:

  On Tue, 2014-07-01 at 15:37 -0500, Steve Bergman wrote:


 On 07/01/2014 03:29 PM, Martin Gregorie wrote:

 On Tue, 2014-07-01 at 19:17 +, Jeremy McSpadden wrote:

 No mention of RBLs or greylisting ...

  Quite.

 When my ISP switched on greylisting my mail immediately went from a
 spam:ham ratio of 80:20 to one of 20:80


 But the variable delay, which is not under your control?


 You're right: its not.

  My users complained loudly about that minority of mails which took an
 hour to arrive. I had to turn it off.


 I know what can happen, and also that those complaints can arise from a
 total misunderstanding of what e-mail is designed to do: that it is
 *not* an instant messaging medium but it is a reliable one despite
 delivering over sometimes flaky networks. IOW demanding instant e-mail
 delivery is quite unreasonable.


 +1

 And if your business is predicated on instant e-mail you are setting
 yourself up for pain.

 If it needs to be *instant*, have them visit a web page to enter service
 requests.


 --
  John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
   It is criminal to teach a man not to defend himself when he is the
   constant victim of brutal attacks.  -- Malcolm X (1964)

 ---
  3 days until the 238th anniversary of the Declaration of Independence



Re: getting tons of SPAM

2014-06-27 Thread motty cruz
Thank you,
I can't figure out why spammy email get very little score,

X-Quarantine-ID: 4QFxoaNchYOk
X-Virus-Scanned: amavisd-new at fqdn.com
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: unexpected end of
header
X-Spam-Flag: NO
X-Spam-Score: 0.102
X-Spam-Level:
X-Spam-Status: No, score=0.102 tagged_above=-999 required=5.3
tests=[AWL=0.311, DKIM_SIGNED=0.001, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VERIFIED=-0.001, HTML_MESSAGE=0.001,
T_RP_MATCHES_RCVD=-0.01]
---
Received: by bell.cuxrrb.com id hllmas0e97ct for mo...@fdqn.com; Fri, 27
Jun 2014 08:58:12 -0400 (envelope-from life-motty+5F=f...@cuxrrb.com)
From: Pimsleur Approach l...@cuxrrb.com
Date: Fri, 27 Jun 2014 08:58:12 -0400
Subject: Want to speak a foreign language but don't have a lot of time?

Reply-To: reply-b89161365ddc621bf5b4340f26597...@cuxrrb.com
Message-ID: b89161365ddc621bf5b4340f2659783e095437-2598-hinbi...@cuxrrb.com

MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=b89161365ddc621bf5b4340f2659783e69.692014062755451


--b89161365ddc621bf5b4340f2659783e69.692014062755451
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

You've received the alternative text version of an HTML email.

If you'd like a good view of this email, please open it in your computer.


!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN 
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;
html
head
meta http-equiv=Content-Type content=text/html; charset=UTF-8 /
TITLELanguage Learning/TITLE
/head
body style=



On Fri, Jun 27, 2014 at 12:06 AM, Matus UHLAR - fantomas uh...@fantomas.sk
wrote:

 On 06/26/2014 04:23 PM, motty cruz wrote:

 as you can see, looks like Amavisd did not scan, spamassassin should
 have
 stopped this email.


 yes, it really looked in the original mail that amavis did not scan it. The
 question is why it did not scan it. check the logs to see the reason - if
 amavis does not scan e-mail, it's
 impossible to block it

 (if you use amavis there's no apparent reason to use spamassassin
 separately, since amavis uses spamassassin)


 On 26.06.14 08:02, motty cruz wrote:

 I apologize, I did not articulate my questions correctly. Spamassassin is
 enabled but did not block spam, I know my configuration is wrong. I was
 wondering if someone can help me figure out.


  # languages allow
 ifplugin Mail::SpamAssassin::Plugin::TextCat

 ok_languages en es
 ok_locales  en es


 you should understand that ok_locales has nothing to do with the TextCat plugin.
 It only detects charset class, now it scores non-latin alphabets like
 cyrillic, chinese etc.

  whitelist_from mtc-dist.com


 it's very unsafe to use whitelist_from, spammers forge sender domains to
 work around this!
 finally, don't play with scores, but check out if you use network checks and
 have loaded plugins like razor/pyzor/dcc, and also if the razor/pyzor/dcc
 are installed on your system.


  ## Optional Score Increase last 4.0 increase to 4.5
 score BAYES_50 1.800
 score BAYES_60 2.200
 score BAYES_80 3.200
 score BAYES_95 3.500
 score BAYES_99 4.500
 score BODY_ENHANCEMENT 2.513
 score BODY_ENHANCEMENT2 1.513
 score DRUGS_ERECTILE 3.513
 score DRUG_ED_SILD 2.013
 score HELO_DYNAMIC_DHCP 2.513
 score HS_INDEX_PARAM 1.513
 score ONLINE_PHARMACY 3.013
 score RDNS_DYNAMIC 1.013
 score RDNS_NONE 2.013
 score STOX_REPLY_TYPE 2.013
 score SUBJ_BUY 2.013
 score TVD_VISIT_PHARMA 2.913
 score TVD_SPACE_RATIO 1.913


 --
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Linux IS user friendly, it's just selective who its friends are...



Re: getting tons of SPAM

2014-06-26 Thread motty cruz
I apologize, I did not articulate my questions correctly. Spamassassin is
enabled but did not block spam, I know my configuration is wrong. I was
wondering if someone can help me figure out.

local.cf

# languages allow
ifplugin Mail::SpamAssassin::Plugin::TextCat

ok_languages en es
ok_locales  en es

add_header all Language _LANGUAGES_

score _LANGUAGES_ 2.8

endif
# end of languages plugin
# headers
#header chinese_CUSTOM_HEADER Subject =~ /[\xe4-\xe9]/
header chinese_CUSTOM_HEADER Subject =~/=\?utf-8\?B/i
header chinese2_CUSTOM_HEADER Subject =~ /[\xe4-\xe9]/
score chinese_CUSTOM_HEADER 8.0
score chinese2_CUSTOM_HEADER 8.0

# whitelist stuff
use_auto_whitelist 1
whitelist_from mtc-dist.com

use_razor2 1
# tells SA that we want to use Razor version 2

#use_dcc 1
# in case you want DCC.

use_pyzor 1
# tell  SA that we don't want to use Pyzor
## Optional Score Increase last 4.0 increase to 4.5
score BAYES_50 1.800
score BAYES_60 2.200
score BAYES_80 3.200
score BAYES_95 3.500
score BAYES_99 4.500
score BODY_ENHANCEMENT 2.513
score BODY_ENHANCEMENT2 1.513
score DRUGS_ERECTILE 3.513
score DRUG_ED_SILD 2.013
score HELO_DYNAMIC_DHCP 2.513
score HS_INDEX_PARAM 1.513
score ONLINE_PHARMACY 3.013
score RDNS_DYNAMIC 1.013
score RDNS_NONE 2.013
score STOX_REPLY_TYPE 2.013
score SUBJ_BUY 2.013
score TVD_VISIT_PHARMA 2.913
score TVD_SPACE_RATIO 1.913



Thanks,


On Thu, Jun 26, 2014 at 7:31 AM, Axb axb.li...@gmail.com wrote:

 On 06/26/2014 04:23 PM, motty cruz wrote:

 as you can see, looks like Amavisd did not scan, spamassassin should have
 stopped this email.


 If Amavisd did not scan, you need to fix that before asking the SA list
 for help.




Re: getting tons of SPAM

2014-06-26 Thread motty cruz
Thank you all,

here is another header of a very spammy email:

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 2.301
X-Spam-Level: **
X-Spam-Status: No, score=2.301 tagged_above=-999 required=5.3
tests=[AWL=-0.006, BODY_8BITS=1.5, DKIM_SIGNED=0.001,
HTML_IMAGE_RATIO_02=0.805, HTML_MESSAGE=0.001, T_DKIM_INVALID=0.01,
T_RP_MATCHES_RCVD=-0.01] autolearn=no
Authentication-Results: maria.fqdn.com (amavisd-new);
dkim=fail (1024-bit key) reason=fail (body has been altered)
header.d=u-articles.com


in local.cf

score BAYES_50 (1) (1) (1) (1)
score BAYES_60 2.200
score BAYES_80 3.200
score BAYES_95 3.500
score BAYES_99 4.500
score BODY_ENHANCEMENT 2.513
score BODY_ENHANCEMENT2 1.513
score DRUGS_ERECTILE 3.513
score DRUG_ED_SILD 2.013
score HELO_DYNAMIC_DHCP 2.513
score HS_INDEX_PARAM 1.513
score ONLINE_PHARMACY 3.013
score RDNS_DYNAMIC 1.013
score RDNS_NONE 2.013
score STOX_REPLY_TYPE 2.013
score SUBJ_BUY 2.013
score TVD_VISIT_PHARMA 2.913
score TVD_SPACE_RATIO 1.913
score T_REMOTE_IMAGE 3.5
score URIBL_BLACK 4.7

Thanks,


On Thu, Jun 26, 2014 at 9:42 AM, Benny Pedersen m...@junc.eu wrote:

 motty cruz wrote on 2014-06-26 17:02:

  I apologize, I did not articulate my questions correctly. Spamassassin
 is enabled but did not block spam, I know my configuration is wrong. I
 was wondering if someone can help me figure out.


 ...


  ## Optional Score Increase last 4.0 increase to 4.5
 score BAYES_50 1.800


 more scores fails

 this is not an increase but another static score that even changes over
 all score sets :(

 correct way is:

 score BAYES_50 (1) (1) (1) (1)

 that will add 1 point more to this score than the default has

 using negative scores in () will subtract it
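
Added example, not part of the original thread: how a plain `score` line and the parenthesised relative form from the reply above resolve across the four score sets. The DEFAULTS values and the function names are assumptions made for this example; check the stock scores in your own rules directory.

```python
import re

# Assumed stock scores for the four score sets, in SpamAssassin's order:
# [no Bayes, no net], [no Bayes, net], [Bayes, no net], [Bayes, net].
# Constructed values for this example; check your own 50_scores.cf.
DEFAULTS = {"BAYES_50": [0.0, 0.0, 2.0, 0.8]}

RELATIVE = re.compile(r"\((-?\d+(?:\.\d+)?)\)")


def apply_score_line(line, table):
    """Apply one `score` line to a {rule: [set0, set1, set2, set3]} table."""
    parts = line.split("#", 1)[0].split()
    if len(parts) < 3 or parts[0] != "score":
        raise ValueError("not a score line: %r" % line)
    rule, values = parts[1], parts[2:]
    if len(values) == 1:
        values = values * 4          # one value applies to every score set
    if len(values) != 4:
        raise ValueError("this example accepts 1 or 4 values: %r" % line)
    current = table.get(rule)
    updated = []
    for idx, token in enumerate(values):
        rel = RELATIVE.fullmatch(token)
        if rel is None:
            updated.append(float(token))        # absolute: replaces the score
        elif current is None:
            raise ValueError("relative score for unknown rule %s" % rule)
        else:                                   # relative: offset from current
            updated.append(round(current[idx] + float(rel.group(1)), 3))
    table[rule] = updated
    return updated


def resolve(lines):
    """Apply local.cf score lines in order on top of a copy of DEFAULTS."""
    table = {rule: list(vals) for rule, vals in DEFAULTS.items()}
    for line in lines:
        apply_score_line(line, table)
    return table


if __name__ == "__main__":
    print(resolve(["score BAYES_50 1.800"]))             # static, all four sets
    print(resolve(["score BAYES_50 (1) (1) (1) (1)"]))   # default plus one point
```

With the assumed defaults, the static line flattens all four sets to 1.8, which is lower than the Bayes-without-network default it was meant to raise.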



Re: I am getting lots of SPAM

2014-05-30 Thread motty cruz
Thank you, I am running all.spamrats.com, also it made a huge difference when
I took the recipient off the whitelist.

Thanks for all your support.


On Fri, May 30, 2014 at 11:13 AM, Matus UHLAR - fantomas uh...@fantomas.sk
wrote:

   reject_rbl_client all.spamrats.com


 On 29.05.14 13:17, Alex wrote:

 What's that? That doesn't really have a reputation here, and it's not going
 to be more effective than zen or barracuda. Set up your RBLs so they're
 weighted. Implement postscreen with postfix.


 5 years ago I posted a question about this blacklist:
 http://marc.info/?l=spamassassin-users&m=123920398923786&w=2

  X-Spam-Status: No, score=3.147 tagged_above=-999 required=5.3
  tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
  MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01,
  URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no


 Why is this user whitelisted if you consider it to be spam?


 it's the recipient that is whitelisted. In such case it is really silly to
 blame SA for not marking _any_ mail as spam...


 --
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Microsoft dick is soft to do no harm
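
Added example, not part of the original thread: the X-Spam-Status header quoted above, parsed to show how far the whitelist hit moved the verdict. The ALLOW_PREFIXES list and the function names are assumptions made for this example.

```python
import re

# Header copied from the message above (folded across lines, as posted).
SAMPLE = """X-Spam-Status: No, score=3.147 tagged_above=-999 required=5.3
 tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
 MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01,
 URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no"""

# Rule-name prefixes treated as allow-list hits (assumption for this example).
ALLOW_PREFIXES = ("USER_IN_WHITELIST", "USER_IN_DEF_WHITELIST",
                  "USER_IN_ALL_SPAM_TO")


def parse_spam_status(header):
    """Return (required, {rule: score}) from an amavisd-style header."""
    flat = re.sub(r"\s+", " ", header)           # unfold continuation lines
    required = re.search(r"required=(-?[\d.]+)", flat)
    tests = re.search(r"tests=\[([^\]]*)\]", flat)
    if not required or not tests:
        raise ValueError("no required= or tests=[...] field found")
    hits = {}
    for item in tests.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        hits[name.strip()] = float(value)        # ValueError if no score given
    return float(required.group(1)), hits


def audit(header):
    """Report what the allow-list hits did to the final verdict."""
    required, hits = parse_spam_status(header)
    total = round(sum(hits.values()), 3)
    allow = {n: s for n, s in hits.items() if n.startswith(ALLOW_PREFIXES)}
    without = round(total - sum(allow.values()), 3)
    return {
        "total": total,
        "required": required,
        "allow_hits": allow,
        "score_without_allow": without,
        # True when the message only stayed under the threshold
        # because of allow-list rules.
        "masked_by_allowlist": total < required <= without,
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```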



I am getting lots of SPAM

2014-05-29 Thread motty cruz
Hello, recently I am getting loads of spam, more than usual. I have the
following RBLs.
 reject_rbl_client b.barracudacentral.org,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client all.spamrats.com

any recommendation?

Bayes Headers:

X-Spam-Flag: NO
X-Spam-Score: 3.147
X-Spam-Level: ***
X-Spam-Status: No, score=3.147 tagged_above=-999 required=5.3
tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723, RDNS_NONE=2.013, T_REMOTE_IMAGE=0.01,
URIBL_BLACK=1.7, USER_IN_WHITELIST_TO=-6] autolearn=no


local.cf

## Optional Score Increase last 4.0 increase to 4.5
score BAYES_50 1.800
score BAYES_60 2.200
score BAYES_80 3.200
score BAYES_95 3.500
score BAYES_99 4.500
score BODY_ENHANCEMENT 2.513
score BODY_ENHANCEMENT2 1.513
score DRUGS_ERECTILE 3.513
score DRUG_ED_SILD 2.013
score HELO_DYNAMIC_DHCP 2.513
score HS_INDEX_PARAM 1.513
score ONLINE_PHARMACY 3.013
score RDNS_DYNAMIC 1.013
score RDNS_NONE 2.013
score STOX_REPLY_TYPE 2.013
score SUBJ_BUY 2.013
score TVD_VISIT_PHARMA 2.913
score TVD_SPACE_RATIO 1.913

help please!


Re: bayes score no showing up in the header

2012-12-13 Thread motty cruz
Thank you very much John,
I tried this
chown  -R  vscan:vscan  /var/spool/amavis/.spamassassin
and now bayes scores are showing up in the headers. Also, I tried the right
sa- database.

Thanks a bunch.

On Wed, Dec 12, 2012 at 3:12 PM, John Hardin jhar...@impsec.org wrote:

 On Wed, 12 Dec 2012, motty cruz wrote:

  Thanks again for your prompt reply, the command I ran as root user
 when I did su vscan user was unable to open spam messages from directory

 I'm not sure how to fix this problem but you pointed me in the right
 direction.


 Where are the database files?


 You wrote:

 I copied the database from a healthy system


 If you have the default per-user Bayes config, you will probably want to
 move the files to the vscan user's home directory and set permissions such
 that the vscan user can read and write them.

 Then, future training will need to be done as the vscan user.

 If it's a global Bayes config, just set the file permissions such that the
 vscan user can get to them and read them. If you're doing autolearn, then
 the vscan user will also need to be able to write to them. With a global
 config, you *can* run sa-learn as root and it will update the correct
 files, but the permissions have to be open enough for SA to read them at
 scan time.


  Thanks

 On Wed, Dec 12, 2012 at 2:24 PM, John Hardin jhar...@impsec.org wrote:

  On Wed, 12 Dec 2012, motty cruz wrote:

  Thanks John,

 It does not show up in any message at all!
 here is the sa-learn --dump magic command:
 # sa-learn --dump magic
 0.000  0   4680  0  non-token data: nspam
 0.000  0  88357  0  non-token data: nham


 Ok, so that database has 4k spam and 88k ham tokens, it should be active.

  any idea?



 Apart from too few tokens the most common problem is training to a
 database that SA is not using. In the default SA configuration you have to
 train the database as the same user that SA is running under, so that the
 files get created in the correct place.

 What user is SA running as?

 What user did you run the sa-learn --dump command as?

 Have you overridden the default per-user Bayes database config to a
 systemwide shared Bayes database config?


 --
  John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 -----------------------------------------------------------------------
   Mine eyes have seen the horror of the voting of the horde;
   They've looted the fromagerie where guv'ment cheese is stored;
   If war's not won before the break they grow so quickly bored;
   Their vote counts as much as yours.  -- Tam
 -----------------------------------------------------------------------
  3 days until Bill of Rights day



bayes score no showing up in the header

2012-12-12 Thread motty cruz
here is the header:

X-Virus-Scanned: amavisd-new at mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 5.243
X-Spam-Level: *
X-Spam-Status: No, score=5.243 tagged_above=-999 required=5.3
tests=[DATE_IN_PAST_12_24=0.804, DKIM_ADSP_CUSTOM_MED=0.001,
FREEMAIL_FROM=0.001, INVALID_DATE=0.432, MISSING_MID=0.14,
NML_ADSP_CUSTOM_MED=1.2, RDNS_NONE=2.013, SPF_NEUTRAL=0.652]
autolearn=no

I do not see the bayes_score? any idea?
Thanks in advance!