Particular subject blacklist seems not to work

2008-01-24 Thread spamassassin


I am running SpamAssassin version 3.1.7 with Postfix via amavisd on a 
FreeBSD machine.


In the last few weeks, all of a sudden messages with the same 4 or 5 
subject lines started coming through undetected for some reason.


So I decided to add patterns matching those to 
/usr/local/share/spamassassin/60_whitelist_subject.cf


They are in the form of:

blacklist_subject   **


All of them seemed to work, except for one. I continue to get messages 
with the following Subject header:


:: 86% Cheaper than Original Price: aRolex, Cartier, Omega, Chanel, Tag Heuer,


I had tried adding the following entries:

blacklist_subject   *Cheaper than Original Price*
blacklist_subject   *aRolex*


...but to no avail.


Is there some pattern in that subject line that allows it to come through 
unscathed?


Thanks,

-FONG



 -
 shot through the heart  ooh baby do you know what that's worth
 and you're to blame ooh heaven is a place on earth
 darling you give love  they say in heaven love comes first
 a bad name  we'll make heaven a place on earth
 ORBITAL "Halcyon Live"


Re: Particular subject blacklist seems not to work

2008-01-24 Thread spamassassin


I am fairly sure. The other subject lines started getting flagged when I 
added entries for them. And I sent emails from an outside account with a 
subject that matched one of the other patterns and it got flagged.


Is there a more concrete way to determine whether 60_whitelist_subject.cf 
is actually working?


On Thu, 24 Jan 2008, John D. Hardin wrote:


On Thu, 24 Jan 2008 [EMAIL PROTECTED] wrote:


In the last few weeks, all of a sudden messages with the same 4 or 5
subject lines started coming through undetected for some reason.

So I decided to add patterns matching those to
/usr/local/share/spamassassin/60_whitelist_subject.cf


Silly question: are you sure that your WhiteListSubject plugin is even
working in the first place?

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 If Microsoft made hammers, everyone would whine about how poorly
 screws were designed and about how they are hard to hammer in, and
 wonder why it takes so long to paint a wall using the hammer.
---
3 days until the 41st anniversary of the loss of Apollo 1




starting spamd

2006-12-16 Thread spamassassin
Good afternoon, I am running into an issue with spamassassin.  According
to the logs I am being denied permissions to the root home directory

bayes: cannot open bayes databases /root/.spamassassin/bayes_* R/O: tie
failed: Permission denied 
Dec 16 14:31:47 tracyrh02 spamd[8124]: spamd: processing message
<[EMAIL PROTECTED]> for root:501 
Dec 16 14:31:47 tracyrh02 spamd[8124]: bayes: cannot open bayes
databases /root/.spamassassin/bayes_* R/O: tie failed: Permission denied

locker: safe_lock: cannot create tmp lockfile
/root/.spamassassin/auto-whitelist.lock.tracyrh02.8124 for
/root/.spamassassin/auto-whitelist.lock: Permission denied 

 

Could not extract score from 

RE: starting spamd

2006-12-16 Thread spamassassin
Thanks for the response.  I would not mind running spamd as root, but I
get the same error, and the documentation I have found says that when it
tries to run as root it runs as nobody

Thank you,

Richard Tracy

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 16, 2006 2:46 PM
To: users@spamassassin.apache.org
Subject: Re: starting spamd

On Sat, Dec 16, 2006 at 02:37:35PM -0700, spamassassin wrote:
> bayes: cannot open bayes databases /root/.spamassassin/bayes_* R/O:
tie
> failed: Permission denied 
> 
> spamd --helper-home-dir=/home/spamd --username=spamd --groupname=spamd
> --allow-tell -d start

the spamd user is unlikely to be able to access root's homedir.

> But it continues to try to access the root home folder and gets
> permission denied.
> Can anyone please tell me what I am missing

How are you trying to use spamd?  If site-wide, use bayes_path and the other
appropriate config options to do site-wide.  If per-user, don't force spamd to
run as non-root.

-- 
Randomly Selected Tagline:
I'm just a peripheral visionary.


RE: starting spamd

2006-12-16 Thread spamassassin

When I try to run it using the -u root this is the error that I get

spamd: cannot run as nonexistent user or root with -u option

Thank you,

Richard Tracy

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 16, 2006 2:54 PM
To: users@spamassassin.apache.org
Subject: Re: starting spamd

On Sat, Dec 16, 2006 at 02:50:58PM -0700, spamassassin wrote:
> Thanks for the response.  I would not mind running spamd as root, but
I
> get the same error and the documentation  have found that is when it
> tries to run as root it runs as nobody

If you call spamd as root, then it falls back to nobody for security reasons.
If root is the only user who is calling spamd, then configure site-wide.  If
root is just an occasional scanner, either have root aliased to a real user
(this is how it's normally done) or for root call spamd with a specific
username (spamc -u ...)

-- 
Randomly Selected Tagline:
"I love every living creature." -Leela 
 "Even me?" -Fry 
 "As a friend." -Leela


RE: starting spamd

2006-12-16 Thread spamassassin
Thanks for all your help.  I was using version 2 of spamass-milter so I
upgraded to the latest version 3.1 and now I get this error

Milter (spamassassin): error connecting to filter: Connection refused by
/var/run/spamass.sock

And then spamassassin stops.  Everything looks ok permissions wise, but
I am not sure why this is failing.  

Sorry to be such a bother, but this has me baffled

Thank you,

Richard Tracy

-Original Message-
From: Magnus Holmgren [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 16, 2006 3:41 PM
To: users@spamassassin.apache.org
Subject: Re: starting spamd

On Saturday 16 December 2006 23:02, spamassassin wrote:
> When I try to run it using the -u root this is the error that I get
>
> spamd: cannot run as nonexistent user or root with -u option

That's right. spamd refuses to do that for security reasons. If run without
-u , it changes identity to the caller, or "nobody" if the caller is root,
after accepting a connection. If run with -u , it changes identity to
 after binding to its listening socket, unless  is root, in which
case it complains and exits.

"Configuring site-wide" means adding a dedicated spamassassin user to run
spamd as. Also use -x to stop spamd from reading any personal config files.
If you want per-user configuration, you can arrange for it to be stored in a
database (but that sounds unnecessarily fancy). The thing to realise is that
running things as root is dangerous and should be limited to an absolute
minimum. Under no circumstance treat root as a normal user among the rest!

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)

  "Exim is better at being younger, whereas sendmail is better for 
   Scrabble (50 point bonus for clearing your rack)" -- Dave Evans


Re: Backscatter.org used as RBL??

2009-08-05 Thread SpamAssassin
If anyone has an example config for sendmail to use the backscatter rbl at
smtp time please send it. I take a beating from backscatterers.

I would think you could do this with a macro that checks "mail from" and
triggers an rbl check on the ip. Sounds simple but my cf skills are barely
above trial and error.

Thanks,
Sean



server reached --max-clients setting, consider raising it

2006-03-06 Thread spamassassin

Hello

I'm new to spamassassin and need some help.

First spamassassin is version 3.0.1 on mac OSX 10.3.9 running on a  
communigate server. I have an interface that we use called MPP which is  
basically a webmin module to control spamassassin, clamav, mailshell,  
and such. I have been getting some errors that we never received  
before. (server reached --max-clients setting, consider raising it ).  
This is not a very busy server and I don't know why we would be  
getting these errors. I did some searching to avoid asking questions  
that have already been answered but I'm still at a loss to figure out  
how to fix this. Here is a bit from our log


Mar  6 10:04:51 localhost spamd[407]: spamd: server successfully spawned child process, pid 585
Mar  6 10:04:51 localhost spamd[407]: prefork: child states: S
Mar  6 10:04:51 localhost spamd[407]: prefork: server reached --max-clients setting, consider raising it
Mar  6 10:04:51 localhost spamd[407]: spamd: handled cleanup of child pid 581 due to SIGCHLD
Mar  6 10:04:51 localhost spamd[407]: prefork: child states:
Mar  6 10:04:51 localhost spamd[586]: setrgid() not implemented at /usr/bin/spamd line 863.
Mar  6 10:04:51 localhost spamd[407]: spamd: server successfully spawned child process, pid 586
Mar  6 10:04:51 localhost spamd[407]: prefork: child states: S
Mar  6 10:04:51 localhost spamd[407]: prefork: server reached --max-clients setting, consider raising it
Mar  6 10:04:52 localhost spamd[407]: spamd: handled cleanup of child pid 582 due to SIGCHLD
Mar  6 10:04:52 localhost spamd[407]: prefork: child states:
Mar  6 10:04:52 localhost spamd[587]: setrgid() not implemented at /usr/bin/spamd line 863.
Mar  6 10:04:52 localhost spamd[407]: spamd: server successfully spawned child process, pid 587
Mar  6 10:04:52 localhost spamd[407]: prefork: child states: S
Mar  6 10:04:52 localhost spamd[407]: prefork: server reached --max-clients setting, consider raising it
Mar  6 10:04:52 localhost spamd[407]: spamd: handled cleanup of child pid 583 due to SIGCHLD
Mar  6 10:04:52 localhost spamd[407]: prefork: child states:
Mar  6 10:04:52 localhost spamd[407]: spamd: server successfully spawned child process, pid 588
Mar  6 10:04:52 localhost spamd[588]: setrgid() not implemented at /usr/bin/spamd line 863.
Mar  6 10:04:52 localhost spamd[407]: prefork: child states: S
Mar  6 10:04:52 localhost spamd[407]: prefork: server reached --max-clients setting, consider raising it
Mar  6 10:04:53 localhost spamd[407]: spamd: handled cleanup of child pid 586 due to SIGCHLD
Mar  6 10:04:53 localhost spamd[407]: prefork: child states:

On the message boards some have said this is a bug with max-clients  
supposed to be max-children. I'm not sure where to make this change.  
I tried in my local.cf file but got errors when I tried to lint. Any  
help would be appreciated



Thanks

Nick



Can SA tag addresses seen for the first time?

2006-03-14 Thread spamassassin
Hello list:

This is the challenge I face.  I would like to be able to filter emails
based on MySQL-stored preferences.  For each email coming in, I would like
SpamAssassin to check the database for $WHITELISTED or $BLACKLISTED email
addresses and tag the email as ${UNSEEN} if it is a newly seen address.

Is SA able to perform this task?  Are there any other known projects that
would be able to perform this job?

Thanks,
Ron



How to get the X-Spam headers back to the bottom

2006-07-26 Thread SpamAssassin
This small edit will place x-spam headers back at the bottom of the original
headers where god intended. I assume they changed this for a reason,
presumably to maintain any cryptographic email signatures that include bits
of header, so use this edit with discretion.

Find the file "PerMsgStatus.pm". Here's an example of where it might be:

/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm

Around line 967, change this:

 $new_hdrs_pre .= "X-Spam-$header: $line\n";

to this:

 $new_hdrs_post .= "X-Spam-$header: $line\n";

That's it.
-Sean



60_whitelist.cf

2008-06-22 Thread spamassassin


I am running spamassassin with postfix via amavisd on a FreeBSD Intel box. 
Email from Nintendo's Wii service is getting flagged as spam, despite me 
entering it into the whitelist. This seems to be the case with other 
unrelated entries that I have whitelisted as well.


I have entered the following into /usr/local/share/spamassassin/60_whitelist.cf:

whitelist_from_rcvd [EMAIL PROTECTED]   bsaa42453.tk.mesh.ad.jp


Then I ran amavisd reload. But still the msg's get flagged.


I have attached the full headers of the spam-flagged msg. Wondering if I 
am not doing something right. Suggestions?


TIA   -FONG



 -
 shot through the heart  ooh baby do you know what that's worth
 and you're to blame ooh heaven is a place on earth
 darling you give love  they say in heaven love comes first
 a bad name  we'll make heaven a place on earth
 ORBITAL "Halcyon Live"

From [EMAIL PROTECTED] Mon Jun 23 01:15:41 2008
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
    by helix.fantasyland.com (Postfix) with ESMTP id EF8E91D2C1
    for <[EMAIL PROTECTED]>; Mon, 23 Jun 2008 01:15:40 -0400 (EDT)
X-Spam-Flag: YES
X-Spam-Score: 4.284
X-Spam-Level: 
X-Spam-Status: Yes, score=4.284 tagged_above=-999 required=1.95
    tests=[AWL=-0.463, BAYES_40=-0.185, FORGED_RCVD_HELO=0.135,
    FROM_ENDS_IN_NUMS=2.53, FROM_LOCAL_HEX=1.305, NO_REAL_NAME=0.961,
    SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001]
Received: from helix.fantasyland.com ([127.0.0.1])
    by localhost (helix.fantasyland.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 9JPfcUJfOfos; Mon, 23 Jun 2008 01:15:37 -0400 (EDT)
Received: from bsaa42453.tk.mesh.ad.jp (bsaa42453.wc24.wii.com [133.205.103.194])
    by helix.fantasyland.com (Postfix) with ESMTP id A92681D2FE
    for <[EMAIL PROTECTED]>; Mon, 23 Jun 2008 01:15:36 -0400 (EDT)
Received: from bsaa42112
    by bsaa42453.tk.mesh.ad.jp (kbkr/4318161106) with ESMTP id m5N5FZtU023557
    for [EMAIL PROTECTED]; Mon, 23 Jun 2008 14:15:35 +0900
Date: 23 Jun 2008 05:06:07 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Subject: _SPAM_ Wii Message
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

werd


Re: 60_whitelist.cf

2008-06-26 Thread spamassassin


Thanks for everyone's tips.. Stupid question: what is the difference 
between whitelist_auth and def_whitelist_auth?



On Mon, 23 Jun 2008, Benny Pedersen wrote:



On Mon, June 23, 2008 08:02, [EMAIL PROTECTED] wrote:


whitelist_from_rcvd [EMAIL PROTECTED] bsaa42453.tk.mesh.ad.jp


def_whitelist_auth [EMAIL PROTECTED]
whitelist_auth [EMAIL PROTECTED]

don't use both since it's 2 diff scores, and only use the one that is needed

here is the spf
http://old.openspf.org/wizard.html?mydomain=wii.com&submit=Go%21

perldoc Mail::SpamAssassin::Conf
perldoc Mail::SpamAssassin::Plugin::SPF

i use whitelist_auth since if wii later changes to dkim or other supported
auths in spamassassin you dont need to change the whitelist


Benny Pedersen




Re: Weighting a particular domain?

2009-03-10 Thread spamassassin

At 10:07 AM 3/9/2009, Matus UHLAR - fantomas wrote:

Are you getting spam from hotmail/yahoo addresses?


All the time.



SPF_NEUTRAL scoring?

2009-03-11 Thread spamassassin



I have user mail being sent from my domain to my domain flagging as 
spam. That's ok really. It's what's making it flag as spam that's 
bugging me - SPF_NEUTRAL


X-Spam-Status: Yes, score=4.659 tagged_above=-999 required=4.3
   tests=[DYN_RDNS_SHORT_HELO_HTML=0.287, HTML_FONT_SIZE_LARGE=0.001,
   HTML_MESSAGE=0.001, HTML_NONELEMENT_30_40=1.775,
   MISSING_SUBJECT=1.285, RDNS_DYNAMIC=0.1, SPF_NEUTRAL=1.21]

SPF_NEUTRAL is sender does not match SPF record (neutral)

since it's from me TO me that implies my spf is wrong.

My SPF (aka TXT) record is currently set to (per nslookup):
example.com   text = "v=spf1 a mx ptr"

What's wrong with that?  the MX record comes back as the mail server.


Rick Steeves
http://www.sinister.net

"The journey is the destination"



Re: SPF_NEUTRAL scoring?

2009-03-11 Thread spamassassin


Interesting, but, the domain I'm asking about isn't sinister.net :-)

My current guess is that when the mail processes into amavis, when 
sent from local <> local (all on the same server) the email comes 
from localhost, triggers SA, localhost isn't in the SPF record, and 
thus triggers the SPF_NEUTRAL rule.


I'll probably just fix this by adding localhost to the local domain 
list (once I figure out how) so SA doesn't check. Would adding 
ip4:127.0.0.1 to the SPF record also work?


rick

At 07:20 PM 3/11/2009, Martin Gregorie wrote:

On Wed, 2009-03-11 at 15:16 -0400, spamassas...@corwyn.net wrote:
> v=spf1 a mx ptr

Interesting: I just pointed the SPF testing tools at
http://www.kitterman.com/spf/validate.html at sinister.net. That
retrieved:

spf1 ip4:75.180.132.0/24 mx include:aspmx.googlemail.com
include:mail.zoneedit.com include mail7.zoneedit.com ~all

and says it's invalid because it doesn't start "v=spf1".

I found the SPF record construction difficult, mainly because I didn't
think the specification was clear, so I ended up building it using the
wizard at http://www.openspf.org/ and then used the Kitterman test tools
to check the result.

HTH

Martin
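
An added example, not part of the original thread: a minimal SPF evaluator showing why the record `v=spf1 a mx ptr` from the question yields "neutral" for a client at 127.0.0.1, since a record with no `all` term ends as if `?all` were written. It handles only the `a`, `mx`, `ptr`, `ip4` and `all` mechanisms, and the DNS answers for example.com are a constructed table, not real lookups.

```python
import ipaddress

# Constructed DNS answers for the placeholder domain example.com
# (documentation addresses, not real data).
DNS = {
    "a": {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"]},
    "mx": {"example.com": ["mail.example.com"]},
    "ptr": {"192.0.2.25": ["mail.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_match(ip, name):
    """True if the client IP is one of the A records of name."""
    return str(ip) in DNS["a"].get(name, [])


def _ptr_match(ip, domain):
    """Reverse lookup, forward-confirm, then require a name under domain."""
    for name in DNS["ptr"].get(str(ip), []):
        confirmed = _a_match(ip, name)
        if confirmed and (name == domain or name.endswith("." + domain)):
            return True
    return False


def mechanism_matches(mech, arg, ip, domain):
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return _a_match(ip, arg or domain)
    if mech == "mx":
        hosts = DNS["mx"].get(arg or domain, [])
        return any(_a_match(ip, host) for host in hosts)
    if mech == "ptr":
        return _ptr_match(ip, arg or domain)
    raise ValueError("mechanism not handled in this sketch: " + mech)


def check_host(record, client_ip, domain):
    """Evaluate record left to right; the first matching term decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # a TXT record without the version tag is not SPF
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mechanism_matches(mech.lower(), arg, ip, domain):
            return QUALIFIERS[qualifier]
    # No term matched and there is no "all": the default result is neutral.
    return "neutral"


if __name__ == "__main__":
    cases = [
        ("v=spf1 a mx ptr", "127.0.0.1"),                # local re-injection
        ("v=spf1 a mx ptr", "192.0.2.25"),               # the MX host itself
        ("v=spf1 a mx ptr ip4:127.0.0.1", "127.0.0.1"),  # change asked about
        ("v=spf1 a mx ptr -all", "198.51.100.7"),        # unrelated sender
    ]
    for record, ip in cases:
        print(f"{ip:>14}  {record:<32} -> {check_host(record, ip, 'example.com')}")
```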






Filtering / flagging specific email addresses?

2009-03-26 Thread spamassassin




Is it possible to get spamassassin to score email addresses with 4 
(or more) numeric digits in sequence in the user name?


(seems like a lot of our spam comes in for garbage users with user 
names that are strings of numbers).


Thanks!

rick


Rick Steeves
http://www.sinister.net

"The journey is the destination"



Re: Filtering / flagging specific email addresses?

2009-03-26 Thread spamassassin

At 11:19 AM 3/26/2009, John Hardin wrote:

On Thu, 26 Mar 2009, spamassas...@corwyn.net wrote:
(seems like a lot of our spam comes in for garbage users with user 
names that are strings of numbers).


...your MTA should _not_ be accepting invalid recipient addresses 
for delivery. Fix your MTA configuration so that it rejects invalid 
recipient addresses at SMTP time, don't try to patch this via SA rules.


Typo on my part, that should be "from garbage users". I already 
received a response for adding

describe FOURNUMBERS flag things with 4 or more numbers in the from:
header   FOURNUMBERS From =~ /\d{4}/
score    FOURNUMBERS .5


that should resolve what I wanted it to resolve

Rick





received-header: unknown format

2005-08-04 Thread spamassassin
I'm new to the list but have been running SA for some time

I am using spamassassin-3.0.4-1.fc3
with qmail-scanner-1.25-st-qms

+ autowhitelist
No Razor
No Pyzor
No Bayes

on a test system to evaluate SA.


I had been running successfully (only a few spam emails getting through)
until shortly after upgrade to 3.0.4-1 (circa August 1)

I'm running with debug option and the logs show that the spam emails that
are getting through are mostly those with  "received-header: unknown
format" entries.



Some of the  "received-header: unknown format" entries:--


This header from a SPAM email scored at 13.3/5.0
...
Jul 31 07:44:33 backup spamd[3748]: debug: received-header: unknown
format: from creative-workers.ch (creative-workers.ch [217.26.52.13])by
user-0c99gr6.cable.mindspring.com with esmtpid 7D892D14F9 for ; Sat, 30 Jul
2005 23:43:08 -0700
...

This header from a SPAM email scored at 0.8/5.0
...
Aug  1 07:25:28 backup spamd[3733]: debug: received-header: unknown
format: from clv107.clv.al.alcoa.com (na-msw1.alcoa.com
[192.135.120.50])by p54A6F7A6.dip.t-dialin.net with esmtpid B6EE2E4E54
for ; Sun, 31 Jul 2005 04:05:23 -0700
...

This header from a SPAM email scored at 3.2/5.0
...
Aug  1 07:25:30 backup spamd[3735]: debug: received-header: unknown
format: from croqui.com.br (smtp-gw.croqui.com.br [200.182.98.155])by
lau06-2-82-234-141-64.fbx.proxad.net with esmtpid B3EBAEB7F8 for ; Sun,
31 Jul 2005 10:14:25 -0700
...

This header from a SPAM email scored at 1.6/5.0
...
Aug  1 07:25:39 backup spamd[3734]: debug: received-header: unknown
format: from glnet.com (mx2.ewol.com [66.209.32.24])by
pool-151-205-249-128.cap.east.verizon.net with esmtpid 9A8F90A189 for ;
Sun, 31 Jul 2005 20:44:41 -0700
...

This header from a SPAM email scored at 5.5/5.0
...
Aug  1 12:05:06 backup spamd[3734]: debug: received-header: unknown
format: from heartbridge.org (mail.heartbridge.org [66.235.220.201])by
111.Red-83-41-82.pooles.rima-tde.net with esmtpid 9C1A7C9FF3 for ; Mon,
01 Aug 2005 04:02:48 -0700

...

This header from a SPAM email scored at 3.2/5.0
...
Aug  1 17:34:31 backup spamd[3734]: debug: received-header: unknown
format: from darelfarouk.com.eg (domainsfilter.link.net
[213.131.64.229])by isi-shop.dewith esmtpid 40E19F7354 for ;
Mon, 01 Aug 2005 09:33:56 -0700
...

This header from a SPAM email scored at 0.5/5.0
...
Aug  2 01:00:33 backup spamd[3733]: debug: received-header: unknown
format: from cioli.com (mail.cioli.com [62.94.222.235])by
82-170-124-168-mx.xdsl.tiscali.nl with esmtpid 70123723CF for
; Mon, 01 Aug 2005 15:39:31 -0700
...

This header from a SPAM email scored at 3.2/5.0
...
Aug  3 12:42:14 backup spamd[3735]: debug: received-header: unknown
format: from advancenet.net (mx1.egix.net [209.131.216.157])by
mercamicro.es with esmtpid 2E8F3674BC for ; Wed, 03 Aug 2005
04:41:24 -0700
...

This header from a SPAM email scored at 3.5/5.0
...
Aug  3 19:06:58 backup spamd[3732]: debug: received-header: unknown
format: from coolwriter.com (mail.bluegravity.com [64.57.64.4])by jezo.com
with esmtpid06FF902A83 for ; Wed, 03 Aug 2005 11:04:26 -0700
...


In the sample I looked at I've had only one email with the received-header
problem that may not be spam.
However that email was from an email marketing company.



In my test setup I do not receive very many emails so I do not know if the
above problem is representative of installations with a large email
throughput


I note from googling that there are references to this problem
http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/68550 and
to an associated bug report
http://bugzilla.spamassassin.org/show_bug.cgi?id=3949



It appears to me that the received-header: unknown format: is being
exploited by the spammers to minimise the scoring.

My questions are as follows:

Does the header problem indicate that an email is non-compliant with
RFC formats?

Are there legitimate situations where you could expect this parsing
problem to occur (Assuming email/SA software setup correctly)?

Can I configure spamassassin to flag any email with this problem as spam?


Chris







70_sare_spoof.cf SARE_FORGED_CITI False Positive

2005-09-13 Thread spamassassin
Hi


I've found FP 70_sare_spoof.cf triggering with SARE_FORGED_CITI


In the rule


header   __RCVD_CITIBNK Received =~ /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
header   __FROM_CITIBNK From =~ /citi(?:bank)?\.com/i
uri      __URI_CITIBNK  /citi(?:bank)?\.com/i
meta     SARE_FORGED_CITI   (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)

wouldn't it be better with a \b in front of the From (or/and URI)
Something like:
  header   __FROM_CITIBNK From =~ /\bciti(?:bank)?\.com/i

How is the From field of the legit mails from them?
We have domains like for example citiDOTcomDOTar
that are triggering False Positives

The from is citiDOTcomDOTar, they put an uri on them, but
(fortunately) they are not sending mails from the bank.


Thanks
Saludos

--  
Leonardo Helman
Pert Consultores
Argentina
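
An added example, not part of the original post or of the SARE rule set: the meta rule above re-implemented with Python's `re` (these patterns behave the same as in Perl) and run over constructed messages, to show which inputs fire with the posted patterns, with the leading `\b`, and with a hypothetical variant that also requires `.com` to end the domain. All sample addresses, hosts and the `anchored` pattern are assumptions made for illustration.

```python
import re

# Received sub-rule exactly as posted.
RCVD_CITIBNK = re.compile(
    r"(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com", re.I)

# Candidate patterns for the From/URI sub-rules.
VARIANTS = {
    # as shipped in the rule quoted in the post
    "posted": re.compile(r"citi(?:bank)?\.com", re.I),
    # with the leading word boundary proposed in the post
    "leading_b": re.compile(r"\bciti(?:bank)?\.com", re.I),
    # hypothetical: additionally refuse a match that continues as a longer
    # domain (".com.ar", ".community", ...)
    "anchored": re.compile(r"\bciti(?:bank)?\.com(?![.]?[\w-])", re.I),
}

# Constructed sample messages (not taken from real mail).
SAMPLES = {
    "lookalike_cctld": {
        "from": "Banco <info@citi.com.ar>",
        "uris": ["http://www.citi.com.ar/promo"],
        "received": ["from mail.citi.com.ar (mail.citi.com.ar [192.0.2.8]) "
                     "by mx.example.net"],
    },
    "embedded_word": {
        "from": "Offers <mail@electriciti.com>",
        "uris": ["http://electriciti.com/offer"],
        "received": ["from smtp.electriciti.com ([192.0.2.9]) by mx.example.net"],
    },
    "forged": {
        "from": "CitiBank <alerts@citibank.com>",
        "uris": ["http://citibank.com/verify"],
        "received": ["from unknown (HELO host.example.org) (198.51.100.7) "
                     "by mx.example.net"],
    },
    "genuine": {
        "from": "CitiBank <alerts@citibank.com>",
        "uris": ["http://citibank.com/statement"],
        "received": ["from mail.citibank.com (mail.citibank.com [192.0.2.44]) "
                     "by mx.example.net"],
    },
}


def forged_citi(msg, pattern):
    """meta: __FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK"""
    from_hit = bool(pattern.search(msg["from"]))
    uri_hit = any(pattern.search(uri) for uri in msg["uris"])
    rcvd_hit = any(RCVD_CITIBNK.search(line) for line in msg["received"])
    return from_hit and uri_hit and not rcvd_hit


def evaluate():
    """Return {sample: {variant: fired?}} for every sample and pattern."""
    return {
        name: {label: forged_citi(msg, pat) for label, pat in VARIANTS.items()}
        for name, msg in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:<16} {fired}")
```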


Custom Rule to catch this

2007-03-07 Thread spamassassin
Has anyone written a custom rule to catch this spam? 

It would be of great help. 

Thanks.

-Original Message-
From: Carmella Boehm [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 07, 2007 6:51 PM
To: [EMAIL PROTECTED]
Subject: Account Info

Friendly Reminder; Get your desired products still on sale up to 80 Percent off.

Point your browser towards this website www.superveils . com to ensure that 
your orders have been discounted.

Removal Reminder also processed from the above website.

Regards,
Dr.Johnson



Re: Custom Rule to catch this

2007-03-08 Thread spamassassin
Hi,

I searched the list and found this rule to catch URL with single space 
(www.ledrx .com). Please help me in modifying this rule to catch URL with 
double space (www.superveils . com).

body URL_WITH_SPACE m/\bhttp:\/\/[a-z0-9\-.]+[!*%&, -]+\.?com\b/

Thanks.

-Original message-
From: David Goldsmith [EMAIL PROTECTED]
Date: Wed,  7 Mar 2007 11:57:21 -0500
To: users@spamassassin.apache.org
Subject: Re: Custom Rule to catch this

> [EMAIL PROTECTED] wrote:
> > Has anyone written a custom rule to catch this spam? 
> > 
> > It would be of great help. 
> > 
> > Thanks.
> > 
> > -Original Message-
> > From: Carmella Boehm [mailto:[EMAIL PROTECTED] 
> > Sent: Wednesday, March 07, 2007 6:51 PM
> > To: [EMAIL PROTECTED]
> > Subject: Account Info
> > 
> > Friendly Reminder; Get your desired products still on sale up to 80 Percent 
> > off.
> > 
> > Point your browser towards this website www.superveils . com to ensure that 
> > your orders have been discounted.
> > 
> > Removal Reminder also processed from the above website.
> > 
> > Regards,
> > Dr.Johnson
> > 
> 
> Content analysis details:   (9.1 points, 5.0 required)
> 
>  pts rule name                 description
> ---- ------------------------- --------------------------------------------------
> -0.0 NO_RELAYS                 Informational: message was not relayed via SMTP
>  0.0 BAYES_50                  BODY: Bayesian spam probability is 40 to 60%
>                                [score: 0.5901]
>  0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
>  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
>                                [cf: 100]
>  0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
>                                [cf: 100]
>  3.7 PYZOR_CHECK               Listed in Pyzor (http://pyzor.sf.net/)
>  2.2 DCC_CHECK                 Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>  0.8 DIGEST_MULTIPLE           Message hits more than one network digest check
> -0.0 NO_RECEIVED               Informational: message has no Received headers
> 
> 
> Using SA 3.1.8, SARE, DCC, Pyzor, Razor
> 
> 
> David Goldsmith



trusted_networks setup not working

2011-11-07 Thread spamassassin
For some reason, spamassassin thinks that 0/0 is trusted, even after my
most strenuous attempts to dissuade it:

$ grep _networks /etc/spamassassin/*
/etc/spamassassin/local.cf:# trusted_networks 212.17.35.
/etc/spamassassin/local.cf:clear_trusted_networks
/etc/spamassassin/local.cf:trusted_networks 192.35.100/24 71.41.210.146/31
/etc/spamassassin/local.cf:clear_internal_networks
/etc/spamassassin/local.cf:internal_networks 192.35.100.1
/etc/spamassassin/local.cf:#   if you have taken the time to correctly specify your "trusted_networks",

(Nor does "_networks" appear anywhere in /var/lib/spamassassin except in 
comments.)

spamassassin --lint produces no complaints except 
Nov  7 07:55:59.001 [12730] warn: netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
Nov  7 07:55:59.001 [12730] warn: netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
Nov  7 07:55:59.764 [12730] warn: netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
Nov  7 07:55:59.765 [12730] warn: netset: cannot include 192.35.100.0/24 as it has already been included
Nov  7 07:55:59.765 [12730] warn: netset: cannot include 71.41.210.146/31 as it has already been included
Nov  7 07:55:59.766 [12730] warn: netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
Nov  7 07:55:59.766 [12730] warn: netset: cannot include 192.35.100.1/32 as it has already been included

I'm using the stock Debian package spamassassin_3.3.2-2_all.deb, with minor 
customization
in /etc/spamassassin/local.cf.

Example (spam) message headers:

>From sentto-75324041-69-1320656806-user=horizon@returns.groups.yahoo.com Mon Nov 07 09:06:49 2011
Return-Path: 

Delivered-To: u...@horizon.com
Received: (qmail 21638 invoked by uid 77); 7 Nov 2011 04:06:48 -0500
Received: from unknown (HELO ng9-ip6.bullet.mail.ne1.yahoo.com) (98.138.215.185)
  by ns.horizon.com with SMTP; 7 Nov 2011 04:06:48 -0500
Received: from [98.138.217.176] by ng9.bullet.mail.ne1.yahoo.com with NNFMP;
  07 Nov 2011 09:06:47 -
Received: from [69.147.65.171] by tg1.bullet.mail.ne1.yahoo.com with NNFMP;
  07 Nov 2011 09:06:46 -
Received: from [98.137.62.105] by t13.bullet.mail.sp1.yahoo.com with NNFMP;
  07 Nov 2011 09:06:46 -
X-Yahoo-Newman-Id: 75324041-m69
X-Sender: avveamuro...@yahoo.com.tw
X-Apparently-To: nhs...@yahoogroups.com
X-Received: (qmail 97529 invoked from network); 7 Nov 2011 09:06:46 -
X-Received: from unknown (98.137.34.46)
  by m16.grp.sp2.yahoo.com with QMQP; 7 Nov 2011 09:06:46 -
X-Received: from unknown (HELO ng5-ip1.bullet.mail.ne1.yahoo.com) (98.138.215.144)
  by mta3.grp.sp2.yahoo.com with SMTP; 7 Nov 2011 09:06:45 -
X-Received: from [98.138.217.178] by ng5.bullet.mail.ne1.yahoo.com with NNFMP;
  07 Nov 2011 09:06:45 -
X-Received: from [69.147.65.149] by tg3.bullet.mail.ne1.yahoo.com with NNFMP;
  07 Nov 2011 09:06:45 -
X-Received: from [98.137.34.72] by t9.bullet.mail.sp1.yahoo.com with NNFMP;
  07 Nov 2011 09:06:45 -
To: nhs...@yahoogroups.com
Message-ID: 
User-Agent: eGroups-EW/0.82
X-Mailer: Yahoo Groups Message Poster
X-Originating-IP: 98.138.215.144
X-eGroups-Msg-Info: 1:6:0:0:0
X-Yahoo-Post-IP: 186.215.93.25
From: "avveamuroa67" 
X-Yahoo-Profile: avveamuroa67
Sender: nhs...@yahoogroups.com
MIME-Version: 1.0
Mailing-List: list nhs...@yahoogroups.com; contact nhsalu-ow...@yahoogroups.com
Delivered-To: mailing list nhs...@yahoogroups.com
List-Id: 
Precedence: bulk
List-Unsubscribe: <mailto:nhsalu-unsubscr...@yahoogroups.com>
Date: Mon, 07 Nov 2011 09:06:43 -
Subject: [nhsalu] =?big5?B?s7Gy9LxXpGq8V7LKVklWSUQgq/mkW7bKsaEgp6e2?=
 =?big5?B?pyBheGtv?=
Reply-To: nhs...@yahoogroups.com
X-Yahoo-Newman-Property: groups-email-ff-u
Content-Type: multipart/alternative;
 boundary="2-4218244732-1725731749=:0"

And spamassassin adds:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on science.horizon.com
X-Spam-Flag: YES
X-Spam-Level: **
X-Spam-Status: Yes, score=7.0 required=5.0 tests=ALL_TRUSTED,BAYES_99,
FREEMAIL_FR

Re: trusted_networks setup not working

2011-11-07 Thread spamassassin
> Probably hit by a bug in NetAddr::IP, see:
> 
>   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6681
> 
> Upgrade it to NetAddr-IP-4.055 or downgrade to 4.048.

Bingo!  I upgraded to 4.056 and no more problem!


Apparently there's a workaround, too, mentioned
in comment 20 above:

  4.053 Wed Oct 26 08:52:34 PDT 2011
 In Lite.pm v1.36
  fix bug #71925. A a sub-varient of #62521 that showed up only for
  short notation for IPv4. i.e. 127/n, 127.0/n, 127.0.0/n but
  not 127.0.0.0/n

I haven't tested that, however.


Thank you all so much for the instant response!

(And yes, I'm running unstable.  *Someone* has to go first and find the
bugs!  Actually, Debian "unstable" is pretty darn stable.  The bleeding
edge is "experimental".)


Re: new paradigm

2011-11-23 Thread spamassassin
On 23/11/11 17:55, Christian Grunfeld wrote:

> What do I mean? you never never answer (or it is really strange) a
> spam message.

On my personal email system, my MSA records Message-Id's of outgoing
mail into a database. If a message comes in to my MTA with one of those
Message-Id's in the "In-Reply-To" header, it bypasses the spam filtering
because it is a response to a message that I sent, so clearly shouldn't
be filtered.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F



signature.asc
Description: OpenPGP digital signature


Re: new paradigm

2011-11-24 Thread spamassassin
On 24/11/11 13:18, Lucio Chiappetti wrote:

>> If a message comes in to my MTA with one of those Message-Id's in the 
>> "In-Reply-To" header, it bypasses the spam filtering because it is a 
>> response to a message that I sent
> 
> what about if your message was stored in a folder of your correspondent, 
> his machine is infected by a virus, and this virus sends fake replies 
> using your message id ?  I've seen cases like that in the past.

That has never happened to me.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F



signature.asc
Description: OpenPGP digital signature
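
The In-Reply-To bypass discussed in this thread, sketched as an added example (not Mike Cardwell's code; the class, method names, limits and sample addresses are assumptions). `basic_bypass` is the check as posted; `strict_bypass` also expires recorded ids, requires the envelope sender to be one of the original recipients, and caps replies per id, which narrows what a forged In-Reply-To can achieve.

```python
import re
import time

MSGID_RE = re.compile(r"<[^<>\s]+>")  # one msg-id token, brackets included


def addr_of(value):
    """Bare lower-cased address from 'Name <a@b>' or 'a@b'."""
    m = re.search(r"<([^<>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


class SentLog:
    """Message-Ids the MSA recorded for outgoing mail (in-memory stand-in
    for the database mentioned in the post)."""

    def __init__(self, max_age=30 * 86400, max_replies=5):
        self.max_age = max_age          # seconds an id stays valid
        self.max_replies = max_replies  # replies accepted per id
        self._sent = {}                 # msg-id -> [recipients, sent_at, replies]

    def record_outgoing(self, message_id, recipients, now=None):
        now = time.time() if now is None else now
        self._sent[message_id] = [{addr_of(r) for r in recipients}, now, 0]

    def _reply_ids(self, headers):
        return MSGID_RE.findall(headers.get("In-Reply-To", ""))

    def basic_bypass(self, headers):
        """Check as described in the post: a known id in In-Reply-To."""
        return any(i in self._sent for i in self._reply_ids(headers))

    def strict_bypass(self, headers, envelope_from, now=None):
        """Same idea, bounded by age, original recipient and reply count."""
        now = time.time() if now is None else now
        sender = addr_of(envelope_from)
        for msgid in self._reply_ids(headers):
            entry = self._sent.get(msgid)
            if entry is None:
                continue
            recipients, sent_at, replies = entry
            if now - sent_at > self.max_age:
                continue            # id too old to vouch for anything
            if sender not in recipients:
                continue            # "reply" from someone we never wrote to
            if replies >= self.max_replies:
                continue            # id is being reused in bulk
            entry[2] = replies + 1
            return True
        return False


def demo():
    """Constructed sample traffic; returns the decision for each case."""
    t0 = 1_322_000_000  # arbitrary fixed clock for repeatable results
    log = SentLog()
    log.record_outgoing("<20111123.0001@example.org>",
                        ["Alice <alice@example.net>"], now=t0)
    reply = {"In-Reply-To": "<20111123.0001@example.org>"}
    unrelated = {"In-Reply-To": "<unknown@example.com>"}
    return {
        "genuine_basic": log.basic_bypass(reply),
        "genuine_strict": log.strict_bypass(reply, "alice@example.net", t0 + 3600),
        "forged_basic": log.basic_bypass(reply),
        "forged_strict": log.strict_bypass(reply, "bulk@example.com", t0 + 3600),
        "stale_strict": log.strict_bypass(reply, "alice@example.net", t0 + 40 * 86400),
        "unknown_basic": log.basic_bypass(unrelated),
    }


if __name__ == "__main__":
    for case, bypass in demo().items():
        print(f"{case:15} bypass={bypass}")
```

A reply sent from a compromised correspondent's own address still passes the strict check, so malware scanning should sit outside this bypass.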


Re: A SpamAssassin Crash Course for Admins

2011-11-30 Thread spamassassin
On 30/11/11 07:17, Ted Mittelstaedt wrote:

>>> I've attached version 2.0 with this email (it's the clean version without 
>>> all the comments :) ). I've pretty much finished up the definitions and 
>>> some cleaning up. Again, I would really enjoy feedback!
>>
>> Everywhere you say "SpamAssassin" you should probably be saying "Apache 
>> SpamAssassin."
>>
> 
> And instead of saying "Linux" you should say GNU/Linux, and instead of 
> saying Ford you should say Ford Motor Company, and instead of saying
> Coke you should say Coca Cola, and instead of saying.
> 
> Never thought I'd see the day when branding became this important in the 
> Free Software arena... :-(

It's not always just branding. It's also giving proper attribution.
Organisations and people should be credited appropriately for their
contributions. It's the respectful thing to do. "GNU/Linux" is the best
example of this IMO.

At least you said "free software arena" and not "open source world" ;)

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F





Re: Bayes and MySQL - does it actually work?

2011-12-23 Thread spamassassin
On 23/12/11 11:29, Henrik K wrote:

>> Performance with the database on physical disks simply wasn't
>> keeping up with more than about double the average message rate (if
>> that...), so I fell back to the "good enough" setup of putting the
>> SA database on a RAMdisk,

> I guess it still boils down to basics. No matter what the database server is
> used for, same principles apply.  If you have slooow disks, then things are
> going to be slow.

As I understand it, if the MySQL query cache is tuned appropriately,
then most of the queries should not be touching disk anyway?

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F





Re: Bayes and MySQL - does it actually work?

2011-12-23 Thread spamassassin
On 23/12/11 14:20, Henrik K wrote:

>> As I understand it, if the MySQL query cache is tuned appropriately,
>> then most of the queries should not be touching disk anyway?
> 
> Enabling query cache will probably (marginally) slow things down. Bayes
> queries are extremely random, so there's nothing to cache.  Any write to the
> table will invalidate caches anyway.  And those writes happen every time a
> token is read (atime is updated).

To stop the query cache being invalidated, it would probably be better
if the writes were queued and then done in batches. Can SpamAssassin
handle this sort of queue internally, or would some sort of additional
technology be required?

I don't know what the point of the atime data is, but is there any need
to update the atime on every read? Could that write be skipped if the
atime is already within a certain period of time? Ie, if the atime has
already been updated in the last 5 minutes, is there any point in doing
it again?

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F





Re: Bayes and MySQL - does it actually work?

2011-12-23 Thread spamassassin
On 23/12/11 14:25, David F. Skoll wrote:

> The only downside to CDB is that incremental updates are not possible.
> To train, you need to rebuild the entire CDB file.  For us, that's
> an acceptable tradeoff, but YMMV.

Another major downside to this approach compared to using MySQL, is that
it doesn't allow you to access the same bayes db from multiple machines
at the same time. Unless I'm mistaken..?

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F





Re: URIBL blocked

2012-01-23 Thread spamassassin
On 23/01/12 12:22, Tom Kinghorn wrote:

> Resolving the block might be as simple as using your own caching
> nameserver to avoid being lumped together with other users queries;
> setting up your own mirror of the DNS-blocklist; or paying to use the
> blocklist. The choice is up to the DNS-Blocklist administrator.

> Okay, so my question is, How can I rectify this as we use our own
> caching servers already?

Contact the people who are blocking your lookups (URIBL) and ask them
what you need to do to get unblocked.

-- 
Mike Cardwell  https://grepular.com/ http://cardwellit.com/
OpenPGP Key35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4





Outbound Filtering.

2005-05-13 Thread spamassassin
I'm interested in using SpamAssassin and would like to know if anyone
has used it for outbound filtering.

For example:
I would like the ability to filter messages by domain.  To prevent being
blacklisted by AOL or such companies, I would like to filter outbound
email destined to AOL for spam and/or viruses.  Is this possible with
SpamAssassin?

Thank you,
Nina
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.9 - Release Date: 5/12/2005



Forged outlook headers

2005-07-05 Thread spamassassin


We have users whose mail is sent through a proxy server before it gets
filtered through SpamAssassin.  The proxy server rewrites the header of
the message and then sends it on.  When our SpamAssassin server filters
the message it reads it as a forged outlook header and assigns it 3
points.

We are getting a lot of false positives because of this.  Messages are
being stopped when they aren't supposed to because of this forged
outlook header.

Does anyone know of a way to change the proxy headers or know of a way
around this?


Thanks,
Nina






sa-learn dump showing only binary tokens

2004-10-29 Thread spamassassin
I've searched low and high for answers to this problem, but I believe the 
answers out there don't have regular predictable keywords to find them.
SA 3.0.1
Redhat FC2

In short, when I run sa-learn --dump, I see a slew of binary tokens.  I've 
isolated the problem by creating a test directory, pointing sa-dump to it via 
--dbpath, and creating a new db.  Even after loading only a single spam 
message, my db dump still shows all binary/useless tokens.  It seems to be like 
sa-learn and my berkeley db version don't jive, perhaps?  I don't seem to be 
getting any bayesian matching out of this in spamassassin, so I'm concluding it 
is a real issue and not just aesthetic.  Sample output (mind you after loading 
only ONE 32-line/304-word spam message).

(actual output 166 lines long.  truncated...):

# sa-learn --dbpath /tmp/bayes-testing/ --dump
0.000  0  3  0  non-token data: bayes db version
0.000  0  1  0  non-token data: nspam
0.000  0  0  0  non-token data: nham
0.000  0  156  0  non-token data: ntokens
0.000  0 1098394307  0  non-token data: oldest atime
0.000  0 1098394307  0  non-token data: newest atime
0.000  0  0  0  non-token data: last journal sync atime
0.000  0  0  0  non-token data: last expiry atime
0.000  0  0  0  non-token data: last expire atime delta
0.000  0  0  0  non-token data: last expire reduction count
0.500  1  0 1098394307  146128b352
0.500  1  0 1098394307  4d8914a48a
0.500  1  0 1098394307  9b1dba02fa
0.500  1  0 1098394307  c6e33f2228
0.500  1  0 1098394307  e565aece1c
0.500  1  0 1098394307  e8778e7918
0.500  1  0 1098394307  0c90d22ab4
0.500  1  0 1098394307  948257a188
0.500  1  0 1098394307  e53979c58e
0.500  1  0 1098394307  da0dafd155
0.500  1  0 1098394307  6152cff59d
0.500  1  0 1098394307  801ee7924b

Thanks in advance


Re: sa-learn dump showing only binary tokens

2004-10-29 Thread spamassassin
Thanks for the responses.  Good explanations that make perfect sense.
SO.. now that I'm past the hex-in-db issue, I clearly do have some issue 
nonetheless.  The following spam got through with a score of -4.3, seemingly 
because of the AWL.  My AWL, however is empty per tools/check_whitelist.  How 
could this have happened:

>From line From [EMAIL PROTECTED] Fri Oct 29 12:47:49 2004 
Return-Path: <[EMAIL PROTECTED]> 
Received: from PETER ([168.226.158.15])by ... (8.13.1/8.13.1) with SMTP id 
i9TGlf0s020930for ...; Fri, 29 Oct 2004 12:47:46 -0400 
Received: from 
ip358-RND_DIGIT[2-3]-RND_DIGIT[2-3]-RND_DIGIT[2-3].ViKKCqF.customer.tradeexperts.com
 (74-RND_DIGIT[2-3]-RND_DIGIT[2-3]-RND_DIGIT[2-3].customer.tradeexperts.com 
[88.80.6.68])by KemiQI.tradeexperts.com 
(RND_DIGIT[1-3].RND_DIGIT[1-3].RND_DIGIT[1-3]/RND_DIGIT[1-3].RND_DIGIT[1-3].RND_DIGIT[1-3])
 with SMTP id saxXd3DEf5YGt50HG0Afor ...
Received: (qmail RND_DIGIT[4-8] invoked by uid RND_DIGIT[3-5]); Sat, 30 Oct 
2004 05:45:09 -0400 
Message-Id: <[EMAIL PROTECTED]> 
X-country: US 
X-language: en_US 
Date: Sat, 30 Oct 2004 08:40:09 -0100 
MIME-Version: 1.0 
Content-Type: text/plain 
X-Mailer: Microsoft Outlook Express 6.00.2462. 
From: "Dr. Loyd Shafer " <[EMAIL PROTECTED]> 
To: ...
Subject: Huge Selection 3 
X-Spam-Checker-Version: SpamAssassin 8.2-spambr_6119620U on tradeexperts.com 
X-Spam-Level:  
X-Spam-Status: No, hits=-4.3 required=3.0 tests=AWL,NO_REAL_NAME autolearn=no 
version=4.8-spambr_398464947C 
X-UIDL: fWsr7bLnBZtX 
X-Spam-Score: 3.2 (***) FORGED_MUA_OUTLOOK 
X-Scanned-By: MIMEDefang 2.45 
Content-Transfer-Encoding: 8bit 

debug output:


# spamassassin -D --lint
debug: SpamAssassin version 3.0.1
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/kerberos/sbin', keeping.
debug: PATH included '/usr/kerberos/bin', keeping.
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/sbin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/root/bin', which doesn't exist, dropping.
debug: Final PATH set to: 
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
debug: diag: module installed: DBI, version 1.45
debug: diag: module installed: DB_File, version 1.808
debug: diag: module installed: Digest::SHA1, version 2.10
debug: diag: module installed: IO::Socket::UNIX, version 1.21
debug: diag: module installed: MIME::Base64, version 3.05
debug: diag: module installed: Net::DNS, version 0.48
debug: diag: module not installed: Net::LDAP ('require' failed)
debug: diag: module not installed: Razor2::Client::Agent ('require' failed)
debug: diag: module installed: Storable, version 2.13
debug: diag: module installed: URI, version 1.30
debug: ignore: using a test message to lint rules
debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/mail/spamassassin/init.pre
debug: using "/usr/share/spamassassin" for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /usr/share/spamassassin/30_text_de.cf
debug: config: read file /usr/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/share/spamassassin/50_scores.cf
debug: conf

Re: sa-learn dump showing only binary tokens

2004-10-30 Thread spamassassin
I have a development idea.  How about the tokens db storing not only the hash 
and frequency, but also the actual plaintext string.  The string would only be 
used for database dumps and reports, while the hash would be used for the 
actual matching and scoring.
I think this would give the best of both worlds, the only potential issue being 
privacy.  Given that words aren't associated with user accounts or messages in 
the DB, I don't really see any merit to the privacy argument.

JP

Matt Kettler wrote ..
> At 04:42 PM 10/29/2004, [EMAIL PROTECTED] wrote:
> >Thanks for the responses.  Good explanations that make perfect sense.
> >SO.. now that I'm past the hex-in-db issue, I clearly do have some issue
> >nonetheless.  The following spam got through with a score of -4.3, 
> >seemingly because of the AWL.  My AWL, however is empty per 
> >tools/check_whitelist.  How could this have happened:
> 
> 1) I don't see the AWL being generated by YOUR version of SA.. I see it
> being generated by someone who is using a DIFFERENT version of SA...
> 
> > X-Spam-Checker-Version: SpamAssassin 8.2-spambr_6119620U on 
> > tradeexperts.com
> > X-Spam-Level:
> > X-Spam-Status: No, hits=-4.3 required=3.0 tests=AWL,NO_REAL_NAME
> > autolearn=no version=4.8-spambr_398464947C
> 
> That's not you.. you're not running a "spambr" variant of SA.
> 
> I'd double-check and make sure you're not doing something like bypassing
> all mail that has an X-Spam-Status header.. that's a sure-fire way to be
> abused by spammers as above.
> 
> 2) YOUR system is generating these hits (from your debug output)
> 
> >debug: 
> >tests=ALL_TRUSTED,BAYES_60,MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME
> 
> YOUR problem seems to be the hit of ALL_TRUSTED.
> 
> >debug: metadata: X-Spam-Relays-Trusted:
> >debug: metadata: X-Spam-Relays-Untrusted:
> 
> That looks like SA being unable to parse any of the Received: headers in
> the message.. Not so good.


debug: received-header: unknown format

2004-10-30 Thread spamassassin
I think it was Michael Parker (thanks) that gave me the tip that SA might not 
be reading my headers right.  I followed up on that and confirmed.  I'm getting 
the above debug message when I run a test on a specific single spam that made 
it through.  Here is my whole debug line showing the header in the mail:

debug: received-header: unknown format: from harmonypets.every1.net 
([222.47.73.116])by myhost.mydomain.com (8.13.1/8.13.1) with SMTP id 
i9UBhAFh025756;Sat, 30 Oct 2004 07:43:12 -0400 

I looked at the parse_received_headers code, and I can see some tests that I 
thought this would match.  One potential difference is no "for" message..  
received from * by * with * "for".  My headers don't have that for line often 
while many of the regexs seem to expect that.  Is this a common format I should 
have?  Is my sendmail tweaked?  Any known changes in the header format added by 
sendmail 8.13.1 that could be slipping through all the regexs?

Thanks
jp


Re: debug: received-header: unknown format

2004-10-30 Thread spamassassin
No typo.. there is indeed no space between the close-paren and "by."  
Additionally, looking at some upstream headers on some of this spam I see the 
same thing from other mailers:

Received: from p508d7ae3.dip.t-dialin.net (p508D7AE3.dip.t-dialin.net 
[80.141.122.227])by myhost.mydomain.com (8.13.1/8.13.1) with SMTP id 
i9UEUCgw006599;Sat, 30 Oct 2004 10:30:21 -0400
Received: from wproxy.gmail.com ###(CR added for clarity)
([76.47.52.220]:61893 "EHLO mproxy.gmail.com")by avas-mx17.boardermail.com with 
ESMTP id S131155AbUJINgX;Sat, 30 Oct 2004 09:46:49 -0500

Actually, now that I look, even my ham - this mailing list in particular - 
follow that format - you sure it isn't normal?

Received: from [63.240.76.165] (HELO sccimhc91.asp.att.net) (63.240.76.165)by 
apache.org (qpsmtpd/0.28) with ESMTP; Sat, 30 Oct 2004 07:21:42 -0700
Received: from linus.heise.nu 
(12-223-226-13.client.insightbb.com[12.223.226.13])by sccimhc91.asp.att.net 
(sccimhc91) with ESMTPid <20041030142139i9100hp1ime>; Sat, 30 Oct 2004 14:21:40 
+
Received: from linus.heise.nu (linus.heise.nu [192.168.1.101])by linus.heise.nu 
(8.12.10/8.12.10) with ESMTP id i9UELdw6003612for 
; Sat, 30 Oct 2004 09:21:39 -0500


Theo Van Dinter wrote ..
> On Sat, Oct 30, 2004 at 12:53:31PM -0400, [EMAIL PROTECTED] wrote:
> > debug: received-header: unknown format: from harmonypets.every1.net
> > ([222.47.73.116])by myhost.mydomain.com (8.13.1/8.13.1) with SMTP id
> > i9UBhAFh025756;Sat, 30 Oct 2004 07:43:12 -0400
> >
> > I looked at the parse_received_headers code, and I can see some tests
> > that I thought this would match.  One potential difference is no "for"
> > message..  received from * by * with * "for".  My headers don't have that
> > for line often while many of the regexs seem to expect that.  Is this a
> > common format I should have?  Is my sendmail tweaked?  Any known changes
> > in the header format added by sendmail 8.13.1 that could be slipping
> > through all the regexs?
>
> The problem in the format is that there is no space between ")" and "by".
> Was that a cut/paste error, or the actual received header?  By adding the
> space in, the header is parsed just fine.
> 
> For example, I have lots of Sendmail 8.13.x Received headers in my corpus,
> and they all work fine:
> 
> Received: from mcafee.wpi.edu (mcafee.WPI.EDU [130.215.36.86])
> by mail1.WPI.EDU (8.13.1/8.13.1) with SMTP id i95Hxq8F018271;
> Tue, 5 Oct 2004 13:59:52 -0400
> 
> becomes:
> 
> debug: received-header: parsed as [ ip=130.215.36.86 rdns=mcafee.WPI.EDU
> helo=mcafee.wpi.edu by=mail1.WPI.EDU ident= envfrom= intl=0 id=i95Hxq8F018271
> ]
> 
> -- 
> Randomly Generated Tagline:
> ..you could spend *all day* customizing the title bar.  Believe me.  I
>  speak from experience."
>  (By Matt Welsh)
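
The parsing failure discussed in this thread, as an added example (not SpamAssassin's parser; the regular expression, function names and trusted networks are assumptions). It runs the header as posted and the folded header from the reply through a pattern that requires whitespace before "by", then shows how an unparsed header leaves a simplified relay check with nothing untrusted to see unless unparsed headers fail closed.

```python
import ipaddress
import re

# Header values taken from the thread: POSTED has no space before "by",
# FOLDED is the sendmail 8.13.1 header quoted in the reply.
POSTED = ("from harmonypets.every1.net ([222.47.73.116])by myhost.mydomain.com "
          "(8.13.1/8.13.1) with SMTP id i9UBhAFh025756;Sat, 30 Oct 2004 07:43:12 -0400")
FOLDED = ("from mcafee.wpi.edu (mcafee.WPI.EDU [130.215.36.86])\n"
          "\tby mail1.WPI.EDU (8.13.1/8.13.1) with SMTP id i95Hxq8F018271;\n"
          "\tTue, 5 Oct 2004 13:59:52 -0400")

# One illustrative sendmail-style pattern; only the gap before "by" differs.
_PATTERN = (r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
            r"{gap}by\s+(?P<by>\S+)\s.*?\bid\s+(?P<id>[^\s;]+)")
STRICT = re.compile(_PATTERN.format(gap=r"\s+"), re.S)   # needs ") by"
LENIENT = re.compile(_PATTERN.format(gap=r"\s*"), re.S)  # accepts ")by" too


def parse_received(value, lenient=False):
    """Return the relay fields as a dict, or None for an unknown format."""
    m = (LENIENT if lenient else STRICT).search(value)
    if m is None:
        return None
    return {k: v or "" for k, v in m.groupdict().items()}


def classify(received_values, trusted_nets, lenient=False):
    """Split headers into (trusted, untrusted, unparsed) lists."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    trusted, untrusted, unparsed = [], [], []
    for value in received_values:
        relay = parse_received(value, lenient)
        try:
            ip = ipaddress.ip_address(relay["ip"]) if relay else None
        except ValueError:
            ip = None                   # matched the pattern, not a real IP
        if ip is None:
            unparsed.append(value)
        elif any(ip in n for n in nets):
            trusted.append(relay)
        else:
            untrusted.append(relay)
    return trusted, untrusted, unparsed


def all_trusted(received_values, trusted_nets, lenient=False, fail_closed=False):
    """Simplified stand-in for an ALL_TRUSTED-style test: true when no
    untrusted relay was seen. With fail_closed, any header that could not
    be parsed counts against the message instead of being ignored."""
    _, untrusted, unparsed = classify(received_values, trusted_nets, lenient)
    if fail_closed and unparsed:
        return False
    return not untrusted


if __name__ == "__main__":
    nets = ["127.0.0.0/8"]
    print("strict parse of posted header :", parse_received(POSTED))
    print("lenient parse of posted header:", parse_received(POSTED, lenient=True))
    print("folded header                 :", parse_received(FOLDED))
    print("all_trusted, strict           :", all_trusted([POSTED], nets))
    print("all_trusted, lenient          :", all_trusted([POSTED], nets, lenient=True))
    print("all_trusted, fail closed      :", all_trusted([POSTED], nets, fail_closed=True))
```

The relay model here checks each header independently; it does not follow the trust chain from hop to hop.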


HTML Filtering

2004-11-05 Thread SpamAssassin



List:

I was wondering if SpamAssassin could be used to filter HTML emails and
force execution of an external program to convert html to text.

I'm using SpamAssassin 3.0.1 with amavisd-new

Thanks in advance,

Ronald Vincent Vazquez
Vice President of Technology Group
Senior Unix Systems Administrator
Senior Network Manager
Christ Tabernacle Church Ministries
(240) 401-9192 Cell
(301) 540-9394 Home


small problem... how to change report text to german

2005-01-19 Thread spamassassin
hi all,

i guess i have a very odd but hopefully easy question.. i searched the web
and the newsgroups as well as i could.. but maybe i use the wrong
searchwords, as i believe the answer is already somewhere.

i'm using sa 3.0 by injecting the mails via procmail to spamc.. the
configuration is stored in a sql database.

i set report_safe to 1 and now all the mails are getting this english text
telling why this mail is spam etc... i found also the german version in
30_text_de.cf  but .. what do i need to change to get the german
version into the emails???


thanks
torsten



Add an IP to the DNSBL checks

2014-06-12 Thread spamassassin

Hi guys,

I am working on a plugin to check X-PHP-Script and am wondering if 
there is a way to add the IP to the DNSBL check list?


Regards,
Lawrence


Re: Add an IP to the DNSBL checks

2014-06-13 Thread spamassassin

On 12.06.2014 22:14, spamassas...@lcwsoft.com wrote:

> Hi guys,
>
> I am working on a plugin to check X-PHP-Script and am wondering if
> there is a way to add the IP to the DNSBL check list?
>
> Regards,
> Lawrence

I'm guessing nobody knows the answer


Re: Add an IP to the DNSBL checks

2014-06-15 Thread spamassassin

On 13.06.2014 19:47, Kevin A. McGrail wrote:

> On 6/13/2014 6:15 PM, spamassas...@lcwsoft.com wrote:
>
>> On 12.06.2014 22:14, spamassas...@lcwsoft.com wrote:
>>
>>> Hi guys,
>>>
>>> I am working on a plugin to check X-PHP-Script and am wondering if
>>> there is a way to add the IP to the DNSBL check list?
>>>
>>> Regards,
>>> Lawrence
>>
>> I'm guessing nobody knows the answer
>
> Perhaps a question better asked on the dev list.
>
> Regards,
> KAM

Thanks and done!
Lawrence


Penalizing code not working

2016-06-14 Thread spamassassin
The code below is found in several places online and for some months I 
have been trying to get it to work, but whatever I do it flags up Fail 
even if the source is good. Typically I have been concentrating on 
gmail: from known good contacts I always get NOTVALID_GMAIL (I have 
reduced the scores to 0.01 to avoid false rejections). Is this code 
known to fail or is it something I'm doing wrong?


Spamassassin version: 3.3.2
Perl version: 5.14.2
OS: Linux Mint 13


=
The section header for the code runs...

"penalize mail claiming to be from PayPal, eBay, Yahoo or Gmail but was 
not signed by their official mailers:"


and the coding is:

  header   __ML1  Precedence =~ m{\b(list|bulk)\b}i
  header   __ML2  exists:List-Id
  header   __ML3  exists:List-Post
  header   __ML4  exists:Mailing-List
  header   __ML5  Return-Path:addr =~ m{^([^\@]+-(request|bounces|admin|owner)|owner-[^\@]+)(\@|\z)}mi

  meta     __VIA_ML  __ML1 || __ML2 || __ML3 || __ML4 || __ML5
  describe __VIA_ML  Mail from a mailing list

  header   __AUTH_YAHOO1  From:addr =~ m{[\@.]yahoo\.com$}mi
  header   __AUTH_YAHOO2  From:addr =~ m{\@yahoo\.com\.(ar|au|br|cn|hk|mx|my|ph|sg|tw)$}mi
  header   __AUTH_YAHOO3  From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|th|uk)$}mi
  header   __AUTH_YAHOO4  From:addr =~ m{\@yahoo\.(ca|cn|de|dk|es|fr|gr|ie|it|no|pl|se)$}mi
  meta     __AUTH_YAHOO   __AUTH_YAHOO1 || __AUTH_YAHOO2 || __AUTH_YAHOO3 || __AUTH_YAHOO4
  describe __AUTH_YAHOO   Author claims to be from Yahoo

  header   __AUTH_GMAIL   From:addr =~ m{\@gmail\.com$}mi
  describe __AUTH_GMAIL   Author claims to be from gmail.com

  header   __AUTH_PAYPAL  From:addr =~ /[\@.]paypal\.(com|co\.uk)$/mi
  describe __AUTH_PAYPAL  Author claims to be from PayPal

  header   __AUTH_EBAY    From:addr =~ /[\@.]ebay\.(com|at|be|ca|ch|de|ee|es|fr|hu|ie|in|it|nl|ph|pl|pt|se|co\.(kr|uk)|com\.(au|cn|hk|mx|my|sg))$/mi
  describe __AUTH_EBAY    Author claims to be from eBay

  meta     NOTVALID_YAHOO !DKIM_VERIFIED && __AUTH_YAHOO && !__VIA_ML
  priority NOTVALID_YAHOO 500
  describe NOTVALID_YAHOO Claims to be from Yahoo but is not

  meta     NOTVALID_GMAIL !DKIM_VERIFIED && __AUTH_GMAIL && !__VIA_ML
  priority NOTVALID_GMAIL 500
  describe NOTVALID_GMAIL Claims to be from gmail.com but is not

  meta     NOTVALID_PAY   !DKIM_VERIFIED && (__AUTH_PAYPAL || __AUTH_EBAY)
  priority NOTVALID_PAY   500
  describe NOTVALID_PAY   Claims to be from PayPal or eBay, but is not

  score    NOTVALID_YAHOO  2.8
  score    NOTVALID_GMAIL  2.8
  score    NOTVALID_PAY    6

--
Dave Stiles


Re: Penalizing code not working

2016-06-15 Thread spamassassin
And a convenient spam purporting to come from google verifies the second 
part of the test. Thanks again. :)


--
Dave Stiles


Re: Penalizing code not working

2016-06-20 Thread spamassassin

Bill, thanks for your input.

As far as I am aware the versions are the latest for my OS - Mint Maya 
13 is essentially Ubuntu 12.04 - but I will check. In any case I'm due 
to update the OS in the near future.


My MTA is postfix but I find it easier to manage rules in SA than in 
postfix, which I generally set to reject and hence may lose vital emails 
which SA would deliver to the junk bin.


I was unaware that paypal and ebay had split. Thanks for that information.

--
Dave Stiles


Re: Penalizing code not working

2016-06-20 Thread spamassassin

Bill, thanks for your input.

As far as I know those apps are current for my OS, which is essentially 
Ubuntu 12.04 (due to be updated soon).


My MTA is postfix but I generally reject or discard through that, 
whereas SA delivers most stuff to the junk bin as a final check by me.


I was unaware that paypal and ebay had split: thanks for that.

--
Dave Stiles


frequent T_SPF_PERMERROR

2017-06-02 Thread SpamAssassin
Hi. I'm getting T_SPF_PERMERROR extremely often. Not exclusively, but
especially when spammers are faking my own domain names.

Here's an example from the good old xerox copier spam:

From cop...@nro.ca  Fri May 26 08:26:18 2017
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on nro.ca
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.9 tests=T_SPF_PERMERROR
autolearn=disabled version=3.4.1
Received: from static.vnpt.vn (static.vnpt.vn [113.163.197.219] (may be
forged))
by nro.ca (8.15.2/8.15.2) with ESMTP id v4QCQGx7015855
for ; Fri, 26 May 2017 08:26:16 -0400
Date: Fri, 26 May 2017 19:26:08 +0700
From: "cop...@nro.ca" 

When I test with spfquery the result is fail like you would expect.
spfquery -s mfrom --id cop...@nro.ca --ip 113.163.197.219

I've run external checks on my spf records and they seem fine (they haven't
changed in years), but this issue is not limited to my domains, other legit
mail from big domains has the same issue.

I built a clean new server back in March with SA 3.4.1 and Perl-5.24.1. All
my perl modules are up to date and the prerequisites seem to check out
except Mail-SPF-v2.9.0. It wouldn't install because it's failing tests. I had
to force it to install. spfquery worked so initially I thought maybe I was
okay.

The test failures are all returning temperror, along the lines of:

# Expected: 'none'
#  Got: 'temperror'

# Expected: 'fail'
#  Got: 'temperror'

That's a brief overview of the situation. If anyone has any hints about
where I should be looking or how I can test further it would be much
appreciated.



Re: frequent T_SPF_PERMERROR

2017-06-02 Thread SpamAssassin
Thanks for the tip! I didn't know how to debug that stuff. Here's what
happens with a spammer faking one of my own domains:

>spamd[21654]: spf: query for 
>isabelle.2...@nro.ca/41.203.191.125/!41.203.191.125!: result: permerror, 
>comment: , text: Included domain 'srs.bis.na.blackberry.com' has no applicable 
>sender policy

Looks like Mail::SPF is broken on my system. srs.bis.na.blackberry.com has
legit spf txt records. What's weird is that the spfquery command gives
correct results.

I started reading SPF.pm and saw that I could hack it to avoid using
Mail::SPF and instead use (what seems to be) the less preferred
Mail::SPF::Query

Installing Mail::SPF::Query had to be forced because most of its tests fail
but it looks like it is returning correct SPF evaluations. 

It's recognizing mail sent via blackberry trusted relays, and giving me fail
results on spammers as it should.

If I get the time I'll look into the guts of Mail::SPF and try to figure out
where it's going wrong.


Re: frequent T_SPF_PERMERROR

2017-06-05 Thread SpamAssassin
Mail::SPF version 2.009 is package "Mail-SPF-v2.9.0" which is what I
indicated I was using (and had to force install) in my first post. 

spfquery works, but whatever perl interface SA is using is not producing
correct results. Not just on my own domains, but on many others as well. My
dns spf records shouldn't matter for this issue.

Mail::SPF::Query may be ancient but from what I can tell it's working great
so far. I'll just keep using that until I find out why Mail::SPF isn't
producing proper results.

I would guess it is some kind of issue with newer dependencies or dns
resolution. If I wait long enough someone else will figure it out.



Re: frequent T_SPF_PERMERROR

2017-06-06 Thread SpamAssassin
I never mentioned mailing lists. Here's another version of my original
post so we're clear:

Latest Mail::SPF (2.9 circa 2013) builds but fails its test suite on my new
system. New linux, perl, perl modules, etc.

After forcing it to install, I later found that spamassassin is getting
T_SPF_PERMERROR returned a lot, not just for spoofs of my own domains, but
plenty of other domains.

Oddly enough, the spfquery tool it provides works fine.

I have since switched to the much older Mail::SPF::Query. Its build tests
fail as well. (looks like they test a domain that is no longer registered).

I am having good success using Mail::SPF::Query with spamassassin.
The spfquery tool also appears to work.

This bug report from 2014 reflects my experience.
Bug #99890 for Mail-SPF: Mail-SPF-v2.9.0 fails Build test
https://rt.cpan.org/Public/Bug/Display.html?id=99890

My guess for the cause of the failure is other newer perl modules that have
been maintained beyond Mail::SPF, or maybe the dns resolver that SA passes
to the spf function is somehow different than the resolver that the spfquery
tool is using.

On Mon, 05 Jun 2017 23:31:58 +0200, you wrote:

>spamassas...@nro.ca skrev den 2017-06-05 16:33:
>
>> I would guess it is some kind of issue with newer dependencies or dns
>> resolution. If I wait long enough someone else will figure it out.
>
>if it just fails on forwarded emails eq on maillists, add forwarding ip 
>to trusted_networks solves spf fails
>
>but it also disable whitelist in dnswl for that forwarding ip
>
>not all maillists have spf, and spf does generic not being breaked on 
>maillists since envelope sender changes
>
>what part fails then ?



Problem installing sa on my pi 3b+

2021-04-04 Thread spamassassin

Hi there,

when running a 'sudo apt-get install spamassassin' on my Raspbian pi 3b+ 
I keep running into a problem with sa-compile:


sa-compile (3.4.2-1+deb10u3) wird eingerichtet ...
Running sa-compile (may take a long time)
In file included from /usr/lib/arm-linux-gnueabihf/perl/5.28/CORE/perl.h:702,
                 from body_0.xs:2:
/usr/include/ctype.h: In function ‘tolower’:
/usr/include/ctype.h:209:3: internal compiler error: Ungültiger Maschinenbefehl
   return __c >= -128 && __c < 256 ? (*__ctype_tolower_loc ())[__c] : __c;
   ^~
0x76aff11f ???
    ../sysdeps/unix/sysv/linux/arm/sigrestorer.S:64
0x76ae9717 __libc_start_main
    /build/glibc-FUvrFr/glibc-2.28/csu/libc-start.c:308


Can anyone give me a hint what to do? I am rather new to this so other 
than running some packet installs i've done nothing but working thru 
howto's.



Kind regards

Christian



Re: Problem installing sa on my pi 3b+

2021-04-07 Thread spamassassin

Ok so it seems I can't do anything to get it running on my side.
Funny enough that I use the official Raspbian which I kept up to date 
with 'sudo apt-get update'
and now the 'sudo apt-get install' that claims to use the newest version 
(3.4.2-1+deb10u3) keeps running into such an error.

How to find out who the packet maintainer is?

But hey, I found a crude way around it somehow:
Instead of my 3b+ with 1 gb ram I used my fresh-out-of-the-box PI 4 that 
just arrived via mail.
I simply swapped the sdcard (I don't know if that will cause other issues 
but it did boot).

Guess what:
It did compile and install flawlessly.
I swapped the cards back and keep ignoring some weird errors that get 
printed on booting but the stuff seems to be running.
If I had to guess I'd say the thing won't compile on a 1gb thingy 
anymore - maybe earlier, smaller versions did?


Do I need to redo all anew on the PI 4 or can I simply use the working 
setup of my PI 3b+ and slot that card into the PI 4?

Noob-question I think, but heck I don't know.

Kind regards



Re: Problem installing sa on my pi 3b+

2021-04-08 Thread spamassassin

On 07.04.2021 at 12:27, Antony Stone wrote:

>> I am running said packet install from an internet tutorial.
>
> Who wrote that tutorial and where does it point you to get the packages from?
>
> Antony.


Hmm, it says execute the following commands:

    sudo apt-get update
    sudo apt-get install spamassassin

Without any further params. How am I supposed to know where that command 
does get its package from???


Christian




KAMONLY encapsulated rules

2021-04-29 Thread spamassassin

Greetings,

I'm using the KAM ruleset and have noticed that, even though I don't 
have the KAMOnly plugin installed, the KAMONLY encapsulated rules are 
still getting fired. In particular the rescored rules. How can I disable 
this feature?


Thanks in advance!
Nedry


Re: KAMONLY encapsulated rules

2021-04-29 Thread spamassassin

X-Spam-Report:
*  6.0 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
*  blocklist
*  [URIs: educationcrossing.com]


On 4/29/21 10:01 PM, Kevin A. McGrail wrote:

> Can you be specific and show an example, please?
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
> On Thu, Apr 29, 2021 at 9:31 PM <spamassas...@bluestreak.net> wrote:
>
>> Greetings,
>>
>> I'm using the KAM ruleset and have noticed that, even though I don't
>> have the KAMOnly plugin installed, the KAMONLY encapsulated rules are
>> still getting fired. In particular the rescored rules. How can I disable
>> this feature?
>>
>> Thanks in advance!
>> Nedry





Re: KAMONLY encapsulated rules

2021-04-30 Thread spamassassin

Thanks KAM,

You're right. It was an old version of the Spamhaus DQS ruleset that was 
rescoring that rule.


Regards,
Nedry


On 4/29/21 10:48 PM, Kevin A. McGrail wrote:

> Hi Larry,
> URIBL_DBL_SPAM isn't a rule from the KAM Ruleset and would be scored 
> 5.0 if it KAMONLY was enabled
>
> That rule is from 25_uribl.cf
>
> Regards,
> KAM
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
> On Thu, Apr 29, 2021 at 10:43 PM <spamassas...@bluestreak.net> wrote:
>
>> X-Spam-Report:
>> *  6.0 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
>> *  blocklist
>> *  [URIs: educationcrossing.com]
>>
>> On 4/29/21 10:01 PM, Kevin A. McGrail wrote:
>>
>>> Can you be specific and show an example, please?
>>> --
>>> Kevin A. McGrail
>>> Member, Apache Software Foundation
>>> Chair Emeritus Apache SpamAssassin Project
>>> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>>>
>>> On Thu, Apr 29, 2021 at 9:31 PM <spamassas...@bluestreak.net> wrote:
>>>
>>>> Greetings,
>>>>
>>>> I'm using the KAM ruleset and have noticed that, even though I don't
>>>> have the KAMOnly plugin installed, the KAMONLY encapsulated rules are
>>>> still getting fired. In particular the rescored rules. How can I disable
>>>> this feature?
>>>>
>>>> Thanks in advance!
>>>> Nedry
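
The diagnosis this thread arrives at (a second ruleset rescoring URIBL_DBL_SPAM) can be checked by listing every "score" line for the rule in load order, together with any if/ifplugin block that encloses it. This is an added example, not code from the thread or from the SpamAssassin project; it assumes the directories are passed in the order SpamAssassin reads them and that later "score" lines override earlier ones. Every file name except 25_uribl.cf, the plugin name and the 2.5 score are constructed.

```python
"""List every 'score' line for one SpamAssassin rule, in load order."""
import re
import tempfile
from pathlib import Path

SCORE_RE = re.compile(r"^score\s+(\S+)\s+(.+)$")
COND_RE = re.compile(r"^(ifplugin|if)\s+(.+)$")


def score_lines(cf_path, rule):
    """Return (line_no, values, conditions) for each 'score <rule>' line in a file."""
    found, stack = [], []
    text = Path(cf_path).read_text(encoding="utf-8", errors="replace")
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if COND_RE.match(line):
            stack.append(line)  # entering an if / ifplugin block
        elif line == "else" and stack:
            stack[-1] = "else of: " + stack[-1]
        elif line == "endif" and stack:
            stack.pop()
        else:
            m = SCORE_RE.match(line)
            if m and m.group(1) == rule:
                found.append((line_no, m.group(2).split(), list(stack)))
    return found


def trace_rule(rule, rule_dirs):
    """Collect score lines across directories; *.cf files sorted by name per directory."""
    hits = []
    for directory in rule_dirs:
        for cf in sorted(Path(directory).glob("*.cf")):
            for line_no, values, conditions in score_lines(cf, rule):
                hits.append({"file": cf.name, "line": line_no,
                             "values": values, "conditions": conditions})
    return hits


def deciding_lines(hits):
    """The last unconditional score line, plus any conditional lines read after it.

    Anything before the last unconditional line is overridden no matter which
    plugins are loaded, so it cannot explain the score seen in a report.
    """
    last = max((i for i, h in enumerate(hits) if not h["conditions"]), default=0)
    return hits[last:]


def build_constructed_tree(root):
    """Write a small constructed rule tree (sample data, not real rule files)."""
    default_dir, site_dir = Path(root, "default"), Path(root, "site")
    default_dir.mkdir()
    site_dir.mkdir()
    # File name is the one named in the thread; the score values are constructed.
    (default_dir / "25_uribl.cf").write_text(
        "# stock rules (constructed content)\n"
        "score URIBL_DBL_SPAM 0 2.5 0 2.5\n")
    # Constructed stand-in for a ruleset that rescores only inside a plugin test.
    (site_dir / "kam_constructed.cf").write_text(
        "# constructed stand-in\n"
        "ifplugin Example::Plugin::StandIn\n"
        "  score URIBL_DBL_SPAM 5.0\n"
        "endif\n")
    # Constructed stand-in for an outdated third-party ruleset left on disk.
    (site_dir / "old_dqs_constructed.cf").write_text(
        "# constructed stand-in\n"
        "score URIBL_DBL_SPAM 6.0\n")
    return [default_dir, site_dir]


def demo():
    with tempfile.TemporaryDirectory() as root:
        hits = trace_rule("URIBL_DBL_SPAM", build_constructed_tree(root))
        return hits, deciding_lines(hits)


if __name__ == "__main__":
    all_hits, deciding = demo()
    for h in all_hits:
        where = " within ".join(h["conditions"]) or "unconditional"
        print(f'{h["file"]}:{h["line"]}  score {" ".join(h["values"])}  [{where}]')
    print("deciding:", [(h["file"], h["values"]) for h in deciding])
```

On the constructed tree the deciding line is the unconditional 6.0 in the leftover file, not the 5.0 inside the plugin block.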







Re: How would you provide a 554 rejection notice for spam?

2007-07-29 Thread Spamassassin List

> dalchri wrote:
>
>> I've recently put SpamAssassin in front of my Exchange server as an SMTP
>> proxy.  Our previous spam filter would provide a 554 rejection notice for
>> anything that was identified as spam.  This meant that any FP would be
>> notified so that email would not get silently ignored.  Although a rejection
>> notice was sent, we still retained the spam.  This meant that when our users
>> got a call from their customer about the rejected spam, they could quickly
>> locate the message without it having to be resent.
>>
>> I would like to continue doing this with the new SA/Exchange setup.  Right
>> now I use spampd but I would like to change to Sendmail just because it is
>> part of the default install for Redhat.
>>
>> How would you go about providing a 554 rejection notice?  Would you do it on
>> the SMTP proxy?  On Exchange?  Would you use Sendmail?  Postfix?  Something
>> else?
>
> a milter from sendmail, provided you wish to stick with sendmail.
>
> mimedefang springs to mind, but I have no experience with it.

Any idea for qmail?



error with 3.2.2

2007-07-30 Thread Spamassassin List

Hi,

I just updated to 3.2.2. Encountered an error as follows:

Jul 30 21:00:33 beyond spamd[20765]: dcc: check failed: failed to read header
Jul 30 21:00:36 beyond spamd[20767]: dcc: check failed: util: setuid 0 to 508 failed! at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Util.pm line 1343.


How can i solve this?

Thanks
LC 



Public.pm

2007-08-14 Thread Spamassassin List


Hi List,

Does anyone encounter this error and how do you fix it?

Use of uninitialized value in string eq at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/DomainKeys/Key/Public.pm line 67, 
 line 319.



Thanks 



[EMAIL PROTECTED] strikes again

2007-08-14 Thread Spamassassin List




The original message was received at Tue, 14 Aug 2007 11:50:13 -0400
from localhost.localdomain [127.0.0.1]

  - The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
   (reason: 553 sorry, that domain isn't in my list of allowed rcpthosts 
(#5.7.1))

   (expanded from: <[EMAIL PROTECTED]>)

  - Transcript of session follows -
... while talking to mail.mx05.net.:

RCPT To:<[EMAIL PROTECTED]>

<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
550 5.1.1 [EMAIL PROTECTED] User unknown









picture spams

2007-08-16 Thread Spamassassin List

Hi,

Will ImageInfo be able to detect and catch this picture spam soon?

http://dreams.741.com/spam.gif

Thanks


Combine whitelist_to and whitelist_from

2007-08-24 Thread users-spamassassin

Invoke method : UsedViaProcmail
Version : 3.1.9 (2007-02-13)
Platform : Linux Fedora 2.6.20-1.2925.fc6

Hello,
imagine a newsletter or order mail sent by a seller website with the 
from address : [EMAIL PROTECTED]

I have in my mail system an address like [EMAIL PROTECTED]

With that, I can trace where my emails are sent in order to trace spam 
and sites that sell my email.
So, only [EMAIL PROTECTED] can send me mail on 
[EMAIL PROTECTED] (theoretically)


The problem is that on a mailing list, the [EMAIL PROTECTED] 
is used by spammers and they send me spam on [EMAIL PROTECTED]


Is it possible to combine whitelist_from and whitelist_to in order to 
tag "no spam" mails with 2 conditions :
whitelist_from [EMAIL PROTECTED] AND whitelist_to 
[EMAIL PROTECTED]  OK


So, if a spammer [EMAIL PROTECTED] sends me a mail on 
[EMAIL PROTECTED], the second condition will be OK but not 
the first and spamassassin will consider it as spam !


Thank you for your help ...

Yves



Re: Combine whitelist_to and whitelist_from

2007-08-26 Thread users-spamassassin

[EMAIL PROTECTED] wrote:

Matus UHLAR - fantomas wrote:

On 24.08.07 13:46, [EMAIL PROTECTED] wrote:
 
imagin a newsletters or order mail sent by an seller website with 
the from address : [EMAIL PROTECTED]

I have in my mail system an address like [EMAIL PROTECTED]

With that, I can trace where my emails are sent in order to trace 
spam and site that sell my email.
So, only [EMAIL PROTECTED] can send me mail on 
[EMAIL PROTECTED] (theorical)


The problem is that on a mailing list, the 
[EMAIL PROTECTED] is used by spamer and they send me spam 
on [EMAIL PROTECTED]


Is it possible to combine whitelist_from and whitelist_to in order 
to tag "no spam" mails with 2 conditions :
whitelist_from [EMAIL PROTECTED] AND whitelist_to 
[EMAIL PROTECTED]  OK


So, if a spammer [EMAIL PROTECTED] send me a mail on 
[EMAIL PROTECTED], the second conditions will be OK but 
not the first and spamassassin will considere it as spam !



the from address can be as easily faked as the to address. I have seen on
this mailing list many reports from users whitelisting their own address
somehow and thus getting false positives.

What you are searching for, is whitelist_from_rcvd which combined from
address with address of mailserver the mail was received from, or better,
whitelist_auth, if the outgoing domain supports SPF (sellermail.com does
not...)

-- Matus UHLAR - fantomas,
[EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to 
receive

e-mail advertising to this address. Varovanie: na tuto adresu chcem
NEDOSTAVAT akukolvek reklamnu postu. Your mouse has moved. Windows NT 
will

now restart for changes to take to take effect. [OK]
  

Hummm, thanks,

I saw that and tried, but several websites send, for example:

[EMAIL PROTECTED] sends a mail to me on [EMAIL PROTECTED] from 
the provider.com or webhosted.com that are internet or server hosted 
provider.


The problem in this case is that this type of seller can change their sender
server. Meanwhile, it won't change the from or to address (rarely).
So the from and to combined are better than a test on the rcvd headers (for
me)

Yves







flooded with undetected spam

2008-04-20 Thread Spamassassin List
Hi,

My inbox is flooded by some new spams. Any idea how do I block it?

http://202.42.86.77/1.eml
http://202.42.86.77/2.eml

Best regards





Re: a new kind of spam (with images)

2006-08-21 Thread Spamassassin List

> Stephane Bentebba wrote:
>
>> hi all,
>>
>> i am more or less happy with my spamassassin configuration
>> works good for one year
>> but i have problem with a new kind of spam which easily go through it :
>> spam which has poor text, poor token, or none, and a subject always changing
>> the only thing which remain the same is the image incorporated in it
>> it get always very low hit (below 3)
>> subject on the image in the body is either "breaking news concerning..."
>> or "we have a runner !"
>>
>> would it be possible to find a solution ?
>> add / modify a test to look at first bytes of an attachment and
>> recognize the image ?
>> i can send you samples of this spam if you like... (prefer not to attach
>> them)
>
> Have a look at FuzzyOCR
> http://wiki.apache.org/spamassassin/FuzzyOcrPlugin
>
> Works very well for me - I'm using it in conjunction with ImageInfo and
> since I'm using them those image spams get through VERY rarely

They will also block off legit emails too



Re: a new kind of spam (with images)

2006-08-21 Thread Spamassassin List

> Spamassassin List wrote:
>
>>> Stephane Bentebba wrote:
>>>
>>>> hi all,
>>>>
>>>> i am more or less happy with my spamassassin configuration
>>>> works good for one year
>>>> but i have problem with a new kind of spam which easily go
>>>> through it :
>>>> spam which has poor text, poor token, or none, and a subject
>>>> always changing
>>>> the only thing which remain the same is the image incorporated in it
>>>> it get always very low hit (below 3)
>>>> subject on the image in the body is either "breaking news
>>>> concerning..." or "we have a runner !"
>>>> would it be possible to find a solution ?
>>>> add / modify a test to look at first bytes of an attachment and
>>>> recognize the image ?
>>>> i can send you samples of this spam if you like... (prefer not to
>>>> attach them)
>>>
>>> Have a look at FuzzyOCR
>>> http://wiki.apache.org/spamassassin/FuzzyOcrPlugin
>>>
>>> Works very well for me - I'm using it in conjunction with ImageInfo
>>> and since I'm using them those image spams get through VERY rarely
>>
>> They will also block off legit emails too
>
> How so?
>
> I wouldn't expect any from FuzzyOCR but ImageInfo certainly has the chance
> to block legit mail.

Sorry, I meant ImageInfo plugin.. I have many legit emails blocked by this 
plugin.



Re: animated GIF spam

2006-08-21 Thread Spamassassin List

> While skimming thru my daily rejected spam pile, did a double take when a
> GIF spam seemed to "blink" at me.  Thought it was a sw glitch at first...
> then realized the sneaky Borg had adapted again.
>
> Took a look at the frames in PaintShopPro's AnimationShop, and the first
> three are all but blank (wee bit of noise), followed by the payload.
>
> Below are links to the raw message, and the extracted GIF:
> http://Puffin.net/software/spam/samples/0001a_animated_gif.eml
> http://Puffin.net/software/spam/samples/0001b_been.gif
>
> Decoder/Chris, I'd view this as a compliment to your FuzzyOCR.  ;)
>
> The good news is that ImageInfo should have no problem with this particular
> instance, as the initial width x height are "correct".

Yes ImageInfo got them well.



stock spams

2006-08-28 Thread Spamassassin List
The stock spams are killing me. I had 70_sare_stocks.cf and it's not blocking 
them. Below is part of the spam and the score. What can I do to beat them?


W a t c h   o u t!

ALLINACE ENTERPRSIE (A ETR)
Curernt Pirce: 0.80
Add this g e m to your wat ch list, and w atch it tard closely!

Nwes Reelase!

Teacorp announces breackrough in removing deadly land mines.

Mill Valley, California August 25, 2006 - The Allaince Enetrprise 
Corpoartion announced
today a breakthrough in developing an Aeiral Landimne Sytsem aimed at 
locating, detecting

and mapping deadly landm ines.

TaeoCrp's mission is to reclaim lands around the globe embedded with lan 
dmines that

victimize countries and their stakeholders.

X-Spam-Status: No, score=3.9 required=5.0 tests=DK_POLICY_SIGNSOME,
DK_POLICY_TESTING,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
SARE_RMML_Stock18 autolearn=no version=3.1.4



Re: senders domain has MX or not?

2006-10-14 Thread Spamassassin List

> Which rule will help me in checking if senders domain has MX record or not.
> E.g I am getting email from [EMAIL PROTECTED], then the rule should check
> whether domain.com has an MX record or not.



I think this should be a question on your mail daemon. Not spamassassin.



Re: spam attacks - so and so wrote about a stock

2006-10-18 Thread Spamassassin List

> Rob McEwen (PowerView Systems) wrote:
>> In the meantime, it sure would be nice if that new ruleset that Chris
>> bragged about could get on the SARE website ASAP.
>>
>> (Where are you Doc Schneider? I hope we haven't caught you on a busy day.
>> Please hurry.)
>>
>> Rob McEwen
>> PowerView Systems
>
> I just got it in the rules set and committed it. Should be available
> within the hour. 8*)

Any update on this? How do i apply it?



do imageinfo and fuzzyocr plugins' results overlap?

2006-11-13 Thread snowcrash+spamassassin

i've been using the ImageInfo plugin.

i've just installed the FuzzyOcr v3.4.2 plugin.

i've found references to hit rates for both -- with FuzzyOcr hitting,
generally, at "higher to much higher" rates.

but, i can't tell if those are REDUNDANT hits.

do i need both plugins?


Re: do imageinfo and fuzzyocr plugins' results overlap?

2006-11-13 Thread snowcrash+spamassassin

> I use both here.
>
> In FuzzyOcr.cf, set focr_autodisable_score to the threshold you require.
>
> That way it only scans images if the SA score so far is under the
> specified threshold.
>
> It's a lot "cheaper" to bump up the score using ImageInfo than to do a
> couple of OCR scans.

ok, that does make sense, thanks.  i've also just recognized the
'priority' setting in FuzzyOcr that allows me to ensure that other
plugins 'run' before it.

just curious -- what do you typically set that threshold at? assuming
a 'standard' is_spam threshold of, say, 5.0.


Re: do imageinfo and fuzzyocr plugins' results overlap?

2006-11-13 Thread snowcrash+spamassassin

> We Use MailScanner which has concepts of "low-" and "high-" scoring
> spam. I set focr_autodisable_score to just above my "high spam score"
> score.
>
> If it's already scored high enough for it to not reach the user's
> mailbox, there's no need for FuzzyOcr to do anything.


clear.

thanks!


what are default rule priorities?

2006-11-13 Thread snowcrash+spamassassin

i understand that the fuzzyocr plugin can be set to have a high (900?)
priority, so as to run last.

i assume this priority is a threshold number relative to other rules'
priorities.

but, what ARE the other rules' priorities?

is there documentation of that? nothing on the wiki that i've found.


fuzzyocr 342 fires error & warn, but scores anyway ... does it work?

2006-11-13 Thread snowcrash+spamassassin

i've installed fuzzyocr 3.4.2.

using a sample-file from the trac site,

    spamassassin -t -x < ocr-gif.eml

i get an error & a warning:

GIF-LIB error: Failed to Read from given file.
[13690] warn: MLDBM error: Second level tie failed, "No such file or
directory" at /etc/mail/spamassassin/FuzzyOcr.pm line 455
...
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.8-r454679
...


but, the message does score:

Content analysis details:   (8.4 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 RELAY_TW               Relayed through Taiwan
 0.0 RELAY_DE               Relayed through Germany
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [217.226.209.237 listed in combined.njabl.org]
 0.9 MY_CID_AND_CLOSING     SARE cid and closing
 1.5 FUZZY_OCR_WRONG_CTYPE  BODY: Mail contains an image with wrong
                            content-type set
                            Image has format "GIF" but content-type is
                            "image/jpeg"
 2.5 FUZZY_OCR_CORRUPT_IMG  BODY: Mail contains a corrupted image
                            Corrupt image: GIF-LIB error: Image is
                            defective, decoding aborted.
-0.2 AWL                    AWL: From: address is in the auto white-list

so, given the error+warn, did/didn't, fuzzyocr work as it should here?


Re: what are default rule priorities?

2006-11-13 Thread snowcrash+spamassassin

> check perldoc Mail::SpamAssassin::Conf --
>
> ...
>
> The default test priority is 0 (zero).


ok.

i suppose this means that the searchable wiki does NOT include the
docs.  i thought it did.

thanks.


(fixed) Re: fuzzyocr 342 fires error & warn, but scores anyway ... does it work?

2006-11-13 Thread snowcrash+spamassassin

GIF-LIB error: Failed to Read from given file.
[13690] warn: MLDBM error: Second level tie failed, "No such file


after some monkeying about, it seems that the GIF-LIB error is
typical/common for non-gif &/or corrupt images.  these then,
apparently, get "Fixed" and scanned.

the MLDBM error turned out to be a missing hash db file.  afaict,
fuzzyocr does not create them if missing.  so a 'touch' and correct
perms/own fix that problem.

so, i'm up & running with fuzzyocr, testing/scanning with no errors.


Re: what are default rule priorities?

2006-11-13 Thread snowcrash+spamassassin

>> but, what ARE the other rules' priorities?
>>
>> is there documentation of that? nothing on the wiki that i've found.
>
> Priorities don't exist in released versions SA, only the 3.2 development
> branch.


as i understand it, fuzzyocr -- which runs with v3.1.x ("SpamAssassin
3.1.4 or higher")-- specifically relies on priority to ensure that it
runs 'last'.

do i understand you correctly that it, then, has no effect with
v3.1.x? (seems to be working on my system ...)


> As for what's in the devel branch, well, that changes regularly. If
> you're using development snapshots, you should be comfortable reading
> the source code, so that's where you should head.


i'm not using the dev branch/head.

i'm using a svn co of the 31 branch, which i understand is the 317
release, plus bug fixes etc.

thanks.


Re: what are default rule priorities?

2006-11-13 Thread snowcrash+spamassassin

> Priorities have existed for a while.  3.2 will have short circuit
> capabilities, which is recommended to be combined with changing
> priorities.


ok.

thanks.


fyi: spamhaus' "SBL-XBL" dnsbl being replaced by "ZEN"

2006-11-15 Thread snowcrash+spamassassin

http://www.spamhaus.org/zen/

steve linford of spamhaus has recommended that people switch now:

"> Is there any reason not to change?

None, I advise everyone to change now.

The SBL-XBL zone will continue to exist for some time but will not of
course contain the new PBL DNSBL and will not contain other future
DNSBLs we may release. ZEN is designed to be safely hard-coded into spam
filter appliances and commercial filters."

i presume this will have effects on the SBL- & XBL- related rules here.


Re: fyi: spamhaus' "SBL-XBL" dnsbl being replaced by "ZEN"

2006-11-15 Thread snowcrash+spamassassin

>> i presume this will have effects on the SBL- & XBL- related rules here.
>
> probably nothing too serious though ;)


just some renaming, i'd guess.


> Where did he mention this, as a matter of interest?


in the n.a.n.a.e. loony-bin, of course. :-)

http://groups-beta.google.com/group/news.admin.net-abuse.email/msg/2d050ab220faf931


Re: fyi: spamhaus' "SBL-XBL" dnsbl being replaced by "ZEN"

2006-11-15 Thread snowcrash+spamassassin

>> in the n.a.n.a.e. loony-bin, of course. :-)
>
> eek, I'm not reading _that_ ;)


:-D

i kept kill-filing so much of nanae in my reader that finally it was
just easier to killfile *, and whitelist Linford.

he pops up there with some useful info every once in awhile :-)


Re: Rules Du Jour briken?

2006-11-16 Thread snowcrash+spamassassin

>>> Actually, the whole exit0.us site doesnt work.
>>
>> Its been down for almost 2 weeks. I thought it would come back up,
>> but it may be gone for good :(
>
> Then what do we do for rule updates?


my understanding is that all (most?) rules are available by sa-update,
as an alternative/interim solution if you like.


Re: Rules Du Jour briken?

2006-11-16 Thread snowcrash+spamassassin

> sa-update isn't included if we're running Debian Sarge on our mail
> server.  (SA version 3.0.3)  But thanks.


sorry, didn't realize this wasn't a build from src :-/

(serves me right for not reading the full thread ...)


Re: I've got TORA.08 spelled with numbers?

2006-11-17 Thread snowcrash+spamassassin

> >I'm getting a bunch of spams this morning that have
> >TORA.08 spelled out with numbers like this.


lordy, lordy!

i'm just *SURE* i'm missing the whole point of this sort of spam ...

... but WHY do these spammers even bother with this sort of stuff?

even if it *does* temporarily get past filters -- who in their right
mind clicks on this stuff?  or, worse, would send/invest $$$?


Re: I've got TORA.08 spelled with numbers?

2006-11-17 Thread snowcrash+spamassassin

> There's another version too.  To get around the rather obvious rule they
> enlarge the text, although that goes beyond their mailers linewrap so it
> comes through as:


heh. and this gets GMAIL to suggest:

  "Would you like to...

   Track FedEx package
   708060336862"

i'm sure glad FedEx are getting real value out of Google's
store-n-scan targeted advertising!  ;-)


FuzzyOcr failing 'png' tests

2006-11-17 Thread snowcrash+spamassassin

(seems like the 'action' is over here ...)

i'm running SA v3.1.8-r454679, with the FuzzyOCR v3.4.2-release

$SA --lint is error-free.

testing the plugin with provided test messages,

$SA -t -x < /tmp/ocr-gif.eml
$SA -t -x < /tmp/ocr-jpg.eml
$SA -t -x < /dev/FuzzyOcr-3.4.2/samples/animated-gif.eml
$SA -t -x < /dev/FuzzyOcr-3.4.2/samples/corrupted-gif.eml
$SA -t -x < /dev/FuzzyOcr-3.4.2/samples/jpeg.eml
$SA -t -x < /dev/FuzzyOcr-3.4.2/samples/ocr-animated.eml

all show hits/scores with FuzzyOCR rules, as expected.

but,

$SA -t -x < /tmp/ocr-png.eml
$SA -t -x < /dev/FuzzyOcr-3.4.2/samples/png.eml

both complete without apparent error, and score numerous other SA-rule hits, but
no FuzzyOCR scores at all.

i have verified that i'm not auto-disabling FuzzyOcr,

 grep focr_autodisable_score FuzzyOcr.cf
   focr_autodisable_score 999

and, since a number of examples seem to be scoring properly, i'm
guessing either FuzzyOcr itself or my config have a problem.

1st question -- can anyone verify success/failure of those png
examples with their own SA+FuzzyOcr setup?

thanks.


Re: blarsbl

2006-11-21 Thread snowcrash+spamassassin

<[EMAIL PROTECTED]>: host gateway.mchsi.com[204.127.203.150] said:
 550-12.175.23.161 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net
550 Blocked
 for abuse. Please contact the administrator of your ISP or sending
 mailservice. (in reply to MAIL FROM command)


aha. the mchsi-variant of at&t. i seem to keep bumping into these guys
re: questionable emails/policies.

thanks for the info!


Re: blarsbl

2006-11-21 Thread snowcrash+spamassassin

On 11/21/06, Thomas Lindell <[EMAIL PROTECTED]> wrote:

> At&t mail servers use his service.


can you please share/point-to some evidence of that fact?  if that
*is* the case, i'll be chatting with my reps at at&t!

if i've missed it here, i apologize in advance ...


thanks.


Re: blarsbl

2006-11-21 Thread Spamassassin List

> This is the guy's www site
> http://www.blars.org/errors/block.html


I had some trouble with his list before too. Not many people are using that 
list, so i guess, not much of damage done anyway.





Re: Installed FuzzyOCR - What am I missing?

2006-11-28 Thread snowcrash+spamassassin

> spamassassin < animated-gif.eml > out
>
> out shows no FuzzyOCR hits.
>
> Am I missing something obvious?


when *i* first ran tests, i'd set:

focr_autodisable_score 10

the score hit "10" too soon ... and fuzzy ocr didn't run/score any hits.

set it 'high', e.g.,

focr_autodisable_score 999

then try again

worked for me.

hth.


just wanting to say thanks!

2006-12-06 Thread snowcrash+spamassassin

i've installed spamassassin 318 branch with 'botnet', 'imageinfo' &
'fuzzyocr' plugins.

i stay regularly updated via sa-update with distro & SARE rules.

i've got a well-trained bayes system.

my servers see ~ 4-5K messages a day; yes, "tiny volume" by many standards.

i admit to 'cheating' by depending heavily on zen.spamhaus.org DNSbl@
SMTP negotiation, and ruthlessly blocking China/Korea at the routers.

over the last month or so, i've been (finally) managing a proper
quarantine and monitoring stats.

fwiw, in ~130K messages, i've seen,

0 false positives
0 false negatives

that's certainly "batting a thousand" in my book. and, yes, YMMV and
i'm probly just 'lucky' this month.

regardless, it's long past time to simply say,

THANKS!


should no-autolearned, but highly-scored blabby spam be leanred?

2006-12-11 Thread snowcrash+spamassassin

i noted in a recent thread a suggestion to not feed bayes-poisoning
spam to sa-learn.

that's an interesting thought; and actually makes some initial sense to me.

is this, in fact, widely suggested/recommended?

e.g., if i have a blabby, bayes-poisoning spam that already scores high,

X-Spam-Status: score=11.5/4.0 autolearn=no
X-Spam-Report:
*  2.0 RELAY_FR Relayed through France
*  1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
*  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
*  0.0 BOTNET_NORDNS IP address has no PTR record
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  1.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*  [score: 0.5000]
*  1.2 SARE_GIF_ATTACH FULL: Email has a inline gif
*  0.7 MY_CID_AND_STYLE SARE cid and style
*  5.0 BOTNET The submitting mail server looks like part of a Botnet

should this be submitted to sa-learn? or simply discarded?

thanks.


some scores (fuzzyocr, spf, tvd_fw_graphic) missing in normal submission; OK in manual resubmit

2006-12-12 Thread snowcrash+spamassassin

i have SA 3.1.x branch head installed with FuzzyOCR 350rc1.

in --lint tests pass w/o error, and image-containing test messages
score as expected.

today, i received a spam msg with an attached gif.

it scored as spam, and was scored/delivered with report headers of,

 X-Spam-Status: score=8.6/4.0 autolearn=no
 X-Spam-Report:
  *  0.5 RELAY_JP Relayed through Japan
  *  1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
  *  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
  *  1.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
  *  [score: 0.2209]
  *  0.0 HTML_MESSAGE BODY: HTML included in message
  *  1.2 SARE_GIF_ATTACH FULL: Email has a inline gif
  *  0.9 MY_CID_AND_CLOSING SARE cid and closing
  *  0.7 MY_CID_AND_STYLE SARE cid and style
  *  1.2 MY_CID_ARIAL2_CLOSING SARE cid arial2 closing
  *  1.1 MY_CID_ARIAL_STYLE SARE cid arial2 style
  *  0.7 MY_CID_AND_ARIAL2 SARE CID and Arial2

note -- *NO* FuzzyOCR tests/score.

if i then submit this same suspect message w,

spamassassin -D -t -x < ./suspect_message

it returns,

 Content analysis details:   (34.1 points, 4.0 required)

  pts rule name                description
 ---- ------------------------ --------------------------------------------------
  0.5 RELAY_JP                 Relayed through Japan
  1.1 EXTRA_MPART_TYPE         Header has extraneous Content-type:...type= entry
  0.0 DK_POLICY_SIGNSOME       Domain Keys: policy says domain signs some mails
  1.4 SPF_SOFTFAIL             SPF: sender does not match SPF record (softfail)
                               [SPF failed: Please see
                               http://www.openspf.org/why.html?sender=dvabzg%40hvdaawn.nl&ip=222.228.73.146&receiver=my.domcain.com]
  1.8 TVD_FW_GRAPHIC_NAME_LONG BODY: TVD_FW_GRAPHIC_NAME_LONG
  1.2 BAYES_40                 BODY: Bayesian spam probability is 20 to 40%
                               [score: 0.2209]
  2.8 TVD_FW_GRAPHIC_ID1       BODY: TVD_FW_GRAPHIC_ID1
  0.0 HTML_MESSAGE             BODY: HTML included in message
  1.2 SARE_GIF_ATTACH          FULL: Email has a inline gif
  2.0 PART_CID_STOCK           Has a spammy image attachment (by Content-ID)
  2.0 PART_CID_STOCK_LESS      Has a spammy image attachment (by Content-ID,
                               more specific)
  0.9 MY_CID_AND_CLOSING       SARE cid and closing
  0.7 MY_CID_AND_STYLE         SARE cid and style
  1.2 MY_CID_ARIAL2_CLOSING    SARE cid arial2 closing
  1.1 MY_CID_ARIAL_STYLE       SARE cid arial2 style
  0.7 MY_CID_AND_ARIAL2        SARE CID and Arial2
   16 FUZZY_OCR_KNOWN_HASH     BODY: Image with known hash
                               Words found:
                               "meridia" in 1 lines
                               "target" in 1 lines
                               "symbol" in 1 lines
                               "price" in 2 lines
                               "company" in 1 lines
                               "trade" in 2 lines
                               "recommendation" in 1 lines
                               (13.5 word occurrences found)


which now additionally INCLUDES the Fuzzyocr tests/scores,

16 FUZZY_OCR_KNOWN_HASH   BODY: Image with known hash

as well as,

  1.4 SPF_SOFTFAIL   SPF: sender does not match SPF record (softfail)
  1.8 TVD_FW_GRAPHIC_NAME_LONG BODY: TVD_FW_GRAPHIC_NAME_LONG
  2.8 TVD_FW_GRAPHIC_ID1 BODY: TVD_FW_GRAPHIC_ID1


given that,

grep focr_autodisable_score FuzzyOcr.cf
focr_autodisable_score 20

why in only one case does FuzzyOcr -- and these other tests -- score?

i've missed something obvious in either my SA or FuzzyOcr config(s), i
presume ... but what might it be?

thanks.
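
A way to compare the two reports above rule by rule, as an added example that is not part of the original post: it parses both the X-Spam-Report header layout and the "Content analysis details" layout and lists the rules that fired only in the manual run. The function names are hypothetical, and the sample text is abridged from the two reports quoted in the post.

```python
import re

# A hit line is: optional "*" (X-Spam-Report form), points, then RULE_NAME.
# Wrapped descriptions, "[score: ...]" and OCR word lists do not match.
HIT = re.compile(r"^\s*\*?\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")

def parse_hits(report):
    """Return {rule_name: points} from either report layout."""
    return {m.group(2): float(m.group(1))
            for m in map(HIT.match, report.splitlines()) if m}

def only_in_manual(delivered, manual):
    """Rules (with points) that fired in the manual run but not at delivery."""
    seen = parse_hits(delivered)
    return {r: p for r, p in parse_hits(manual).items() if r not in seen}

# Abridged from the two reports in the post above (hypothetical variable names).
DELIVERED = """\
X-Spam-Status: score=8.6/4.0 autolearn=no
X-Spam-Report:
  *  0.5 RELAY_JP Relayed through Japan
  *  1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type=
entry
  *  1.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
  *  [score: 0.2209]
  *  1.2 SARE_GIF_ATTACH FULL: Email has a inline gif
"""
MANUAL = """\
 Content analysis details:   (34.1 points, 4.0 required)
  pts rule name              description
  0.5 RELAY_JP               Relayed through Japan
  1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
  1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  1.8 TVD_FW_GRAPHIC_NAME_LONG BODY: TVD_FW_GRAPHIC_NAME_LONG
  1.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                             [score: 0.2209]
  2.8 TVD_FW_GRAPHIC_ID1     BODY: TVD_FW_GRAPHIC_ID1
  1.2 SARE_GIF_ATTACH        FULL: Email has a inline gif
  2.0 PART_CID_STOCK         Has a spammy image attachment (by Content-ID)
  2.0 PART_CID_STOCK_LESS    Has a spammy image attachment (by Content-ID,
                             more specific)
 16 FUZZY_OCR_KNOWN_HASH     BODY: Image with known hash
                             "price" in 2 lines
"""

if __name__ == "__main__":
    for rule, pts in sorted(only_in_manual(DELIVERED, MANUAL).items(),
                            key=lambda kv: -kv[1]):
        print(f"{pts:5.1f}  {rule}")
```
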


Re: some scores (fuzzyocr, spf, tvd_fw_graphic) missing in normal submission; OK in manual resubmit

2006-12-12 Thread snowcrash+spamassassin

that is hard to tell, can you reproduce the error somehow? (i.e.
reproduce the situation where FuzzyOcr did NOT score?).


well, there lies the challenge -- and the point, i guess -- *i* can't
reproduce the non-scoring.  every test i run scores OK.


If so, enable
debugging to the logfile to see what's going on exactly :)


forgot abt the separate log :-/

i cranked logging verbosity from 1->3; and will keep an eye out for
next non-scoring message.

but, i *did* notice in my "level 1" log,

2006-12-12 11:42:01 [3314] gifsicle is already defined, skipping...
2006-12-12 11:42:01 [3314] giffix is already defined, skipping...
2006-12-12 11:42:01 [3314] giftext is already defined, skipping...
2006-12-12 11:42:02 [3314] gifinter is already defined, skipping...
2006-12-12 11:42:02 [3314] giftopnm is already defined, skipping...
2006-12-12 11:42:02 [3314] jpegtopnm is already defined, skipping...
2006-12-12 11:42:02 [3314] pngtopnm is already defined, skipping...
2006-12-12 11:42:02 [3314] bmptopnm is already defined, skipping...
2006-12-12 11:42:02 [3314] tifftopnm is already defined, skipping...
2006-12-12 11:42:02 [3314] ppmhist is already defined, skipping...
2006-12-12 11:42:02 [3314] gocr is already defined, skipping...
2006-12-12 11:42:02 [3314] ocrad is already defined, skipping...
2006-12-12 11:42:02 [3314] pnmnorm is already defined, skipping...
2006-12-12 11:42:02 [3314] pnminvert is already defined, skipping...
2006-12-12 11:42:02 [3314] convert is already defined, skipping...
2006-12-12 11:42:02 [3314] pamthreshold is already defined, skipping...
2006-12-12 11:42:02 [3314] ppmtopgm is already defined, skipping...
2006-12-12 11:42:02 [3314] pamtopnm is already defined, skipping...
2006-12-12 11:42:02 [3314] Error, label already used earlier in line 170, aborting...
2006-12-12 11:42:02 [3314] Error parsing preprocessor file "/etc/mail/spamassasson/FuzzyOcr.preps", aborting...

don't know if this is a problem yet ...


Re: some scores (fuzzyocr, spf, tvd_fw_graphic) missing in normal submission; OK in manual resubmit

2006-12-12 Thread snowcrash+spamassassin

also, if i extract the .gif from the spam, attach to a new message and
mail that to myself, it scores/reports correctly with all -- fuzzyocr
& others -- tests.

hm ...


SpamdForkScaling messages?

2006-12-13 Thread snowcrash+spamassassin

i have

spamassassin --version
SpamAssassin version 3.1.8-r454679
  running on Perl version 5.8.8

in my debug-level spamd log i see frequently repeating instances of,

Wed Dec 13 18:36:13 2006 [923] dbg: prefork: periodic ping from spamd parent
Wed Dec 13 18:36:13 2006 [923] dbg: prefork: sysread(9) not ready, wait max 300 secs
Wed Dec 13 18:36:13 2006 [923] dbg: prefork: periodic ping from spamd parent
Wed Dec 13 18:36:13 2006 [923] dbg: prefork: sysread(9) not ready, wait max 300 secs
...

grep'ing in src, i note that these errors originate in,

SpamdForkScaling.pm

afaict, there's no manpage available for Mail::SpamAssassin::SpamdForkScaling

searching on the website, i find links to the .pm src.

both TITLE & FULLTEXT searches on the wiki come up empty.

what is SpamdForkScaling? are there docs?
are these "not ready" messages a problem?
if so, what do i do about them?


any TextWrapError follow-up?

2006-12-13 Thread snowcrash+spamassassin

i've come across this issue,

 http://wiki.apache.org/spamassassin/TextWrapError

where it's noted that the bug was reported to the TextWrap author.

is this being followed up on at all by anyone here?

anyone have a bug reference for the issue @ TextWrap?

thanks.


Re: any TextWrapError follow-up?

2006-12-13 Thread snowcrash+spamassassin

I'd say make sure you have something newer than that and try it again.  If you
still have problems, please reopen bug 5052 w/ the Text::Wrap and SA versions.


yup. too old.

i'm co'ing current @ (Revision: 486953) which should do the trick.

thanks.


spamd won't stay dead. (possible follow-up to bug 4304?)

2006-12-13 Thread snowcrash+spamassassin

after launching spamd (31x branch, r486953) with,

spamd --daemonize --nouser-config --allow-tell --allowed-ips=192.168.1.10,127.0.0.1 --listen-ip=127.0.0.1 --port=783 > /var/log/spamd.log &

i see only,

ps -ax | grep -i spamd
  922  ??  S  0:00.18 spamd child
  923  ??  S  0:00.14 spamd child
24006  p1  R+ 0:00.01 grep -i spamd

if i want to stop/restart spamd,

kill 922 923

kills the two child processes, which then immediately restart.

iirc, this,

kill -HUP `ps -ax | grep \? | grep "bin/spamd" | cut -c1-5`

used to work because i actually saw a kill-able spamd master process.

how do i kill spamd and "keep it dead"?

this bug,

    http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4304

seems related, and something (a fix?) WAS committed to r485842, but
i'm still seeing this problem with my version.

was this commit a fix?
was it to TRUNK or branch 31x?

