Re: CC: address matches To: address

2024-07-14 Thread Benny Pedersen

Peter skrev den 2024-07-12 05:25:

I have been getting spam from outlook.com (surprise) and a defining feature
is that the same email address is used as the To: and CC: address.

Is there a way for Spamassassin to detect that?


i have a plugin, but not one i need anymore :)

lets see if they dont send spam

ifplugin Mail::SpamAssassin::Plugin::WLBLEval

enlist_addrlist (SPAM_FROM_MICROSOFT) *@outlook.com
enlist_addrlist (SPAM_FROM_MICROSOFT) *@hotmail.com

header   SPAM_FROM_MICROSOFT eval:check_from_in_list('SPAM_FROM_MICROSOFT')

score    SPAM_FROM_MICROSOFT 3 3 3 3
describe SPAM_FROM_MICROSOFT Other untrustworthy From

endif # ifplugin Mail::SpamAssassin::Plugin::WLBLEval

for worst tlds

ifplugin Mail::SpamAssassin::Plugin::WLBLEval

enlist_addrlist (GREY_TLDS) *.com
enlist_addrlist (GREY_TLDS) *.online
enlist_addrlist (GREY_TLDS) *.site
enlist_addrlist (GREY_TLDS) *.store
enlist_addrlist (GREY_TLDS) *.sbs
enlist_addrlist (GREY_TLDS) *.org
enlist_addrlist (GREY_TLDS) *.net
enlist_addrlist (GREY_TLDS) *.xyz
enlist_addrlist (GREY_TLDS) *.cfd
enlist_addrlist (GREY_TLDS) *.top
enlist_addrlist (GREY_TLDS) *.shop
enlist_addrlist (GREY_TLDS) *.fun
enlist_addrlist (GREY_TLDS) *.website
enlist_addrlist (GREY_TLDS) *.cn
enlist_addrlist (GREY_TLDS) *.cloud
enlist_addrlist (GREY_TLDS) *.tech
enlist_addrlist (GREY_TLDS) *.ru
enlist_addrlist (GREY_TLDS) *.co
enlist_addrlist (GREY_TLDS) *.info
enlist_addrlist (GREY_TLDS) *.space

header   GREY_TLDS eval:check_replyto_in_list('GREY_TLDS')
score    GREY_TLDS 0.1 0.1 0.1 0.1
describe GREY_TLDS Other untrustworthy TLDS

endif # ifplugin Mail::SpamAssassin::Plugin::WLBLEval

adjust score as you need


Re: CC: address matches To: address

2024-07-13 Thread John Hardin

On Fri, 12 Jul 2024, Peter wrote:


Hi,

I have been getting spam from outlook.com (surprise) and a defining feature
is that the same email address is used as the To: and CC: address.

Is there a way for Spamassassin to detect that?

Thanks.


There are rules for To equals From, they can be fairly easily modified.

It would be easier to verify them if actual samples were available.

It would be best if you don't try to obfuscate the email addresses. If you 
have some where you want to keep the email addresses private you can post 
them temporarily to pastebin as unlisted and send me the links directly 
rather than providing the pastebin links publicly here on the list.



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 3 days until the 79th anniversary of the dawn of the Atomic Age
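
The condition Peter describes (the Cc: header repeating the single To: address), written out as an added Python example that is not from any poster in this thread and is not a SpamAssassin rule; it is meant for checking saved samples before a rule is written. The function names and the three sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def header_addresses(msg, name):
    """Collect the lower-cased addr-specs from every instance of a header."""
    values = msg.get_all(name, [])
    return {addr.strip().lower()
            for _display, addr in getaddresses(values) if "@" in addr}


def to_cc_overlap(raw_message):
    """Addresses that appear in both To: and Cc:, sorted."""
    msg = message_from_string(raw_message)
    return sorted(header_addresses(msg, "To") & header_addresses(msg, "Cc"))


def cc_repeats_to(raw_message):
    """True when To: has one address and Cc: names that address and no other."""
    msg = message_from_string(raw_message)
    to_addrs = header_addresses(msg, "To")
    return len(to_addrs) == 1 and to_addrs == header_addresses(msg, "Cc")


# Constructed sample messages (not taken from the thread).
SAMPLE_SAME = """\
From: sender@outlook.com
To: "Peter" <peter@example.org>
Cc: PETER@example.org
Subject: constructed sample 1

body
"""

# An ordinary list reply: the recipient is also in Cc:, but not alone there.
SAMPLE_LIST_REPLY = """\
From: alice@example.net
To: peter@example.org
Cc: users@example.net, Peter <peter@example.org>
Subject: constructed sample 2

body
"""

SAMPLE_NO_CC = """\
From: alice@example.net
To: peter@example.org
Subject: constructed sample 3

body
"""

if __name__ == "__main__":
    for label, raw in (("same", SAMPLE_SAME),
                       ("list reply", SAMPLE_LIST_REPLY),
                       ("no cc", SAMPLE_NO_CC)):
        print(label, cc_repeats_to(raw), to_cc_overlap(raw))
```

The second sample shows why a plain overlap test is too broad: legitimate list replies often repeat the recipient in Cc: alongside other addresses.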


Re: Requesting help, sa-update, cron, gpg, unsafe ownership on homedir

2024-07-12 Thread Bill Cole

On 2024-07-12 at 10:51:08 UTC-0400 (Fri, 12 Jul 2024 10:51:08 -0400)
Steve Charmer 
is rumored to have said:


I have a cron job running as root, which calls sa-update

it warns about unsafe ownership


gpg: WARNING: unsafe ownership on homedir
`/var/lib/spamassassin/sa-update-keys'


Note that this is only a warning, not a failure.





this is my current ownership

ls -la /var/lib/spamassassin/sa-update-keys
total 16
drwx-- 2 spamd root  4096 Jun 20  2017 .
drwxr-xr-x 7 spamd spamd 4096 Nov 22  2018 ..
-rwx-- 1 spamd root  2783 Jun 20  2017 pubring.gpg
-rwx-- 1 spamd root 0 Jun 20  2017 pubring.gpg~
-rwx-- 1 spamd root 0 Jun 20  2017 secring.gpg
-rwx-- 1 spamd root  1200 Jun 20  2017 trustdb.gpg



I've read that the ownership should be root,


Would reading that advice again help you follow it? :)

Make the owner root.


so does having the owner =
spamd, and the group = root, causing that warning?


I'm betting yes, although I have not tested it. The definitive answer 
would come from looking at the gpg documentation, I expect.



I thought having group =
root would fix any ownership issues.


It will not, because gpg wants its keys to be owned by the user running 
gpg and no one else. It works with this setup because you're running as 
root, but it still knows that those keys belong to someone else.



I cannot recall now, why I set owner
to spamd. maybe spamd could not read the gpg keys when trying an update
before?


Why would a program run as root need that?

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire
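
An audit of the rule stated in the reply above (the key directory and its files owned by the user that runs gpg, and by no one else), as an added Python example that is not from any poster in this thread and is not gpg's own check. The function name is hypothetical, the group/other mode test is an added assumption, and the default path is the one quoted in the thread.

```python
import os
import stat
import sys


def audit_gpg_homedir(homedir, run_as_uid=None):
    """Return (path, problem) pairs for the homedir and the entries inside it.

    run_as_uid is the uid the updater runs under (0 for a root cron job);
    it defaults to the effective uid of this process.
    """
    if run_as_uid is None:
        run_as_uid = os.geteuid()
    findings = []
    entries = [homedir] + sorted(
        os.path.join(homedir, name) for name in os.listdir(homedir))
    for path in entries:
        st = os.lstat(path)  # do not follow symlinks
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != run_as_uid:
            findings.append(
                (path, "owned by uid %d, gpg runs as uid %d"
                 % (st.st_uid, run_as_uid)))
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                (path, "mode %04o grants group/other access" % mode))
    return findings


if __name__ == "__main__":
    target = (sys.argv[1] if len(sys.argv) > 1
              else "/var/lib/spamassassin/sa-update-keys")
    problems = audit_gpg_homedir(target, run_as_uid=0)
    for path, problem in problems:
        print("%s: %s" % (path, problem))
    sys.exit(1 if problems else 0)
```

Run against the listing in the thread with `run_as_uid=0`, every entry would be reported, because each one is owned by spamd rather than root.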


Requesting help, sa-update, cron, gpg, unsafe ownership on homedir

2024-07-12 Thread Steve Charmer
I have a cron job running as root, which calls sa-update

it warns about unsafe ownership


gpg: WARNING: unsafe ownership on homedir
`/var/lib/spamassassin/sa-update-keys'


this is my current ownership

ls -la /var/lib/spamassassin/sa-update-keys
total 16
drwx-- 2 spamd root  4096 Jun 20  2017 .
drwxr-xr-x 7 spamd spamd 4096 Nov 22  2018 ..
-rwx-- 1 spamd root  2783 Jun 20  2017 pubring.gpg
-rwx-- 1 spamd root 0 Jun 20  2017 pubring.gpg~
-rwx-- 1 spamd root 0 Jun 20  2017 secring.gpg
-rwx-- 1 spamd root  1200 Jun 20  2017 trustdb.gpg



I've read that the ownership should be root, so does having the owner =
spamd, and the group = root, causing that warning? I thought having group =
root would fix any ownership issues. I cannot recall now, why I set owner
to spamd. maybe spamd could not read the gpg keys when trying an update
before?


Should I chown the folders and files to be root : root ?


CC: address matches To: address

2024-07-11 Thread Peter
Hi,

I have been getting spam from outlook.com (surprise) and a defining feature
is that the same email address is used as the To: and CC: address.

Is there a way for Spamassassin to detect that?

Thanks.



Re: namechep and DOB

2024-07-08 Thread Alex
On Mon, Jul 8, 2024 at 7:33 PM Matija Nalis 
wrote:

> On Mon, Jul 08, 2024 at 05:13:29PM -0400, Alex wrote:
> > Are there RBLs available that can be used to determine registrar or date
> of
> > registration? I understand the limits of querying a registrar but thought
> > there might be an RBL out there with this info?
>
> https://spameatingmonkey.com/services  lists following RBLs:
>
> SEM-FRESHZERO — Domains never seen before (typically registered in the
> last 24 hours)
> SEM-FRESH — Domains registered in the last 5 days
> SEM-FRESH10 — Domains registered in the last 10 days
> SEM-FRESH15 — Domains registered in the last 15 days
> SEM-FRESH30 — Domains registered in the last 30 days
>
> perhaps that might help?
>

I do have the SEM rules in place (it's been a while, yikes) but they didn't
hit here.

It also looks like it's really only the SEM_FRESH rules that are hitting
anything, and not any of the others, like SEM_URI or SEM_URIRED, etc. Also
no updates on their site since 2017.


Re: namechep and DOB

2024-07-08 Thread Matija Nalis
On Mon, Jul 08, 2024 at 05:13:29PM -0400, Alex wrote:
> Are there RBLs available that can be used to determine registrar or date of
> registration? I understand the limits of querying a registrar but thought
> there might be an RBL out there with this info?

https://spameatingmonkey.com/services  lists following RBLs:

SEM-FRESHZERO — Domains never seen before (typically registered in the last 24 
hours)
SEM-FRESH — Domains registered in the last 5 days
SEM-FRESH10 — Domains registered in the last 10 days
SEM-FRESH15 — Domains registered in the last 15 days
SEM-FRESH30 — Domains registered in the last 30 days

perhaps that might help?

-- 
Opinions above are GNU-copylefted.


Re: namechep and DOB

2024-07-08 Thread Alex
Hi,

> Alex - Check out the FROM_FMBLA_NEWDOM rules.  Are you seeing any emails
> hitting them?
>

Yes, got them, from here:
https://github.com/fmbla/spamassassin/blob/master/FMBLA.cf

Didn't hit.
Jul  8 18:02:53.537 [4189153] dbg: dnseval: checking [sendersrv.com] /
FROM_NEWDOMAIN_FMBLA / blfmbla / bl.fmb.la
Jul  8 18:02:53.537 [4189153] dbg: dns: launching rule
FROM_NEWDOMAIN_FMBLA, set blfmbla, type A, subtest 127.0.0.2
Jul  8 18:02:53.537 [4189153] dbg: async: query 41110/IN/A/
sendersrv.com.bl.fmb.la already underway, adding no.4, rules:
FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.537 [4189153] dbg: dnseval: checking [smartlendingclub.com]
/ FROM_NEWDOMAIN_FMBLA / blfmbla / bl.fmb.la
Jul  8 18:02:53.538 [4189153] dbg: dns: launching rule
FROM_NEWDOMAIN_FMBLA, set blfmbla, type A, subtest 127.0.0.2
Jul  8 18:02:53.538 [4189153] dbg: async: query 43398/IN/A/
smartlendingclub.com.bl.fmb.la already underway, adding no.4, rules:
FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.638 [4189153] dbg: async: calling callback on key A/
sendersrv.com.bl.fmb.la, rules: FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.639 [4189153] dbg: async: calling callback on key A/
smartlendingclub.com.bl.fmb.la, rules: FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.782 [4189153] dbg: async: completed in 0.137 s: DNSBL, A/
sendersrv.com.bl.fmb.la, rules: FROM_URIBL_COMMUNICADO_FMBLA,
FROM_URIBL_FMBLA, FROM_NEWDOMAIN_14_FMBLA, FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.787 [4189153] dbg: async: completed in 0.137 s: DNSBL, A/
smartlendingclub.com.bl.fmb.la, rules: FROM_URIBL_FMBLA,
BODY_NEWDOMAIN_14_FMBLA, BODY_NEWDOMAIN_FMBLA,
FROM_URIBL_COMMUNICADO_FMBLA, FROM_NEWDOMAIN_FMBLA,
FROM_NEWDOMAIN_14_FMBLA, BODY_URIBL_FMBLA, BODY_URIBL_COMMUNICADO_FMBLA

> In my case, URIBL_RHS_DOB is no longer working at all.   Is this still
> working? - Mark
>
>
It doesn't appear to be working here, either.

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net  A   2
body URIBL_RHS_DOB  eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB  Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB net
endif

$ spamassassin -t -D plugin < notice-lending-spam 2>&1|grep URIDNSBL
Jul  8 18:16:22.404 [480] dbg: plugin: loading
Mail::SpamAssassin::Plugin::URIDNSBL from @INC
Jul  8 18:16:28.366 [480] dbg: plugin:
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x558387e6dea0) implements
'check_dnsbl', priority 0


Re: namechep and DOB

2024-07-08 Thread Mark London
Alex - Check out the FROM_FMBLA_NEWDOM rules.  Are you seeing any emails 
hitting them?


In my case, URIBL_RHS_DOB is no longer working at all.   Is this still 
working? - Mark


On 7/8/2024 5:13 PM, Alex wrote:

Hi,

I'm seeing emails from smartlendingclub dot com getting through that 
are clearly spam. It's a namecheap domain registered in the last two 
weeks or so.


IIRC, in the past there was more flexibility with the URIBL_RHS_DOB 
rules to penalize domains recently registered, but now it doesn't 
appear to have hit any rules related to registration dates.


Domain name: smartlendingclub dot com
Registry Domain ID: 2891563192_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com 
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2024-06-17T18:42:01.00Z
Registrar Registration Expiration Date: 2025-06-17T18:42:01.00Z

This email also hit the following rules:
describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender

But this rule has virtually 0 score?
describe RCVD_IN_IADB_DOPTIN_LT50  IADB: Confirmed opt-in used less 
than 50% of the time


It hit some other IADB rules like RCVD_IN_IADB_SENDERID but not any 
DOB rules. Am I missing something? Maybe it was the HOSTKARMA rules 
I'm remembering?


Are there RBLs available that can be used to determine registrar or 
date of registration? I understand the limits of querying a registrar 
but thought there might be an RBL out there with this info?





namechep and DOB

2024-07-08 Thread Alex
Hi,

I'm seeing emails from smartlendingclub dot com getting through that are
clearly spam. It's a namecheap domain registered in the last two weeks or
so.

IIRC, in the past there was more flexibility with the URIBL_RHS_DOB rules
to penalize domains recently registered, but now it doesn't appear to have
hit any rules related to registration dates.

Domain name: smartlendingclub dot com
Registry Domain ID: 2891563192_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2024-06-17T18:42:01.00Z
Registrar Registration Expiration Date: 2025-06-17T18:42:01.00Z

This email also hit the following rules:
describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender

But this rule has virtually 0 score?
describe RCVD_IN_IADB_DOPTIN_LT50  IADB: Confirmed opt-in used less than
50% of the time

It hit some other IADB rules like RCVD_IN_IADB_SENDERID but not any DOB
rules. Am I missing something? Maybe it was the HOSTKARMA rules I'm
remembering?

Are there RBLs available that can be used to determine registrar or date of
registration? I understand the limits of querying a registrar but thought
there might be an RBL out there with this info?


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users
On Thursday, July 04, 2024 02:01 AEST, Benny Pedersen  wrote:

> Simon Wilson via users skrev den 2024-07-03 15:54:
> 
> > header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
> > header USER_IN_DKIM_WHITELIST   eval:check_for_dkim_whitelist_from()
> 
> keep scores of them neutral
> 
> meta MY_DKIM_FAILS_NOTRUST (AUTHRES_DKIM_PASS && USER_IN_DKIM_WHITELIST)
> describe MY_DKIM_FAILS_NOTRUST Meta: AUTHRES_DKIM_PASS && USER_IN_DKIM_WHITELIST
> score MY_DKIM_FAILS_NOTRUST -1 -1 -1 -1
> 
> i say no trust since authres can be fooled by untrusted AR headers, when 
> authres_networks all is in use

I understand this, thank you.

> 
> > and generate -100 that the DKIM plugin assigns to a DKIM
> > pass/USER_IN_DKIM_WHITELIST entry.
> 
> why ? are you sure -100 is a very good idea ?

Selected as that is the score allocated by USER_IN_DKIM_WHITELIST

> 
> > …but I don't know how to do that properly. I can combine into a meta
> > rule, but that will call the existing DKIM plugin's subroutine to
> evaluate USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.
> 
> need more info on your mta setup, if postfix then i need postconf -nf 
> and postconf -Mf in private mail, as i see you can  :)

-- 
Simon Wilson M: 0400 121 116



Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users
On Thursday, July 04, 2024 01:11 AEST, Bill Cole 
 wrote:

> On 2024-07-03 at 10:19:28 UTC-0400 (Thu, 04 Jul 2024 00:19:28 +1000)
> Simon Wilson via users 
> is rumored to have said:
> 
> > On 03.07.24 23:54, Simon Wilson via users wrote:
> >> Simon Wilson via users skrev den 2024-07-03 14:56:
> >>> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
> >>> trusting my upstream authres_trusted_authserv only?
> >>
> >> both works in parallel, so no need to disable, best results came from 
> >> both enabled
> >>
> >> its up to you to add more authres_trusted_authserv or more 
> >> authres_ignored_authserv lines
> >>
> >> possible we can now have a very long debate on dmarc plugin ? :)
> >
> > Please, Simon, quote the text you are replying to.
> >  
> > I have been - was that directed at Benny?
> >  
> 
> No, it is because your mail is multipart/alternative with a text/plain 
> part that lacks any indicators of quoting. Looks like your MUA is 
> broken.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
> addresses)
> Not Currently Available For Hire

I have switched it into plain text mode.



Re: whitelist_auth return_path / from

2024-07-03 Thread Matus UHLAR - fantomas

On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users skrev den 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both works in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)



Matus UHLAR - fantomas skrev den 2024-07-03 16:14:

Please, Simon, quote the text you are replying to.


On 03.07.24 17:47, Benny Pedersen wrote:

i am not Simon


...I was not replying to you then.

Simon does not quote text he replies to, so it's hard to see who has written 
what.


compare your:
https://www.mail-archive.com/users@spamassassin.apache.org/msg111627.html

to Simon's:
https://www.mail-archive.com/users@spamassassin.apache.org/msg111628.html



my question is does spamassassin dmarc plugin use authres results ?

not yet.


also what i feared, but it should imho do

also authres does imho not have spf_helo testing


Do you know anything that adds spf_helo to Authentication-Results ?
afaik pyspf-milter adds helo information only for DSNs


have dmarc ?


yes
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users skrev den 2024-07-03 07:48:


whitelist_auth supp...@wasabi.com
whitelist_auth *@mmemail.wasabi.com


its more simple to set From: "Simon"  in mua

then both spf and dkim gives pass on same domain, note -d in dkim is not 
same domain, so you need a new dkim sign key for subdomain in dkim 
signer





Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users skrev den 2024-07-03 15:54:


header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
header USER_IN_DKIM_WHITELIST   eval:check_for_dkim_whitelist_from()


keep scores of them neutral

meta MY_DKIM_FAILS_NOTRUST (AUTHRES_DKIM_PASS && USER_IN_DKIM_WHITELIST)
describe MY_DKIM_FAILS_NOTRUST Meta: AUTHRES_DKIM_PASS && USER_IN_DKIM_WHITELIST

score MY_DKIM_FAILS_NOTRUST -1 -1 -1 -1

i say no trust since authres can be fooled by untrusted AR headers, when 
authres_networks all is in use



and generate -100 that the DKIM plugin assigns to a DKIM
pass/USER_IN_DKIM_WHITELIST entry.


why ? are you sure -100 is a very good idea ?


…but I don't know how to do that properly. I can combine into a meta
rule, but that will call the existing DKIM plugin's subroutine to
evaluate USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.


need more info on your mta setup, if postfix then i need postconf -nf 
and postconf -Mf in private mail, as i see you can  :)


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Bill Cole skrev den 2024-07-03 17:11:


Not Currently Available For Hire


lol :)

back to sandbox, hehe




Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2024-07-03 16:14:

On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users skrev den 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both works in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)


Please, Simon, quote the text you are replying to.


i am not Simon


my question is does spamassassin dmarc plugin use authres results ?

not yet.


also what i feared, but it should imho do

also authres does imho not have spf_helo testing, have dmarc ?


Re: whitelist_auth return_path / from

2024-07-03 Thread Bill Cole

On 2024-07-03 at 10:19:28 UTC-0400 (Thu, 04 Jul 2024 00:19:28 +1000)
Simon Wilson via users 
is rumored to have said:


On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users skrev den 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both works in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)


Please, Simon, quote the text you are replying to.
 
I have been - was that directed at Benny?
 


No, it is because your mail is multipart/alternative with a text/plain 
part that lacks any indicators of quoting. Looks like your MUA is 
broken.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

Simon Wilson via users skrev den 2024-07-03 14:56:

> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
> trusting my upstream authres_trusted_authserv only?

both works in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)

my question is does spamassassin dmarc plugin use authres results ?
 
- SA's DKIM plugin has failed a message so USER_IN_DKIM_WHITELIST tag will not 
get assigned, and a +0.1 is added for a DKIM fail
- with AuthRes plugin installed, my trusted Authentication-Results header ‘DKIM 
pass’ = -0.5 is applied
- yes, the -0.5 overrides the +0.1 from the false DKIM fail, but this does not 
overcome the reason I wanted the sender in whitelist_auth - to overcome the FP 
of their emails triggering a KAM rule
 
Ideally what I want is for authres.cf to combine:
 
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
with 
header USER_IN_DKIM_WHITELIST   eval:check_for_dkim_whitelist_from()
 
and generate -100 that the DKIM plugin assigns to a DKIM 
pass/USER_IN_DKIM_WHITELIST entry.
 
…but I don't know how to do that properly. I can combine into a meta rule, but 
that will call the existing DKIM plugin's subroutine to evaluate 
USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.

OK, I have done the following and it seems to be working, but will take 
guidance on if this is going to have unexpected consequences from my ignorance…
 
- removed the SA DKIM plugin from loading
- Authres plugin working and trusting my own mail server's auth tests 
(including DKIM)
- created a meta rule:
 
## Whitelist Wasabi, subject to passing of auth
header __LR_FROM_WASABI  From =~ /support\@wasabi\.com/i
meta LR_WASABI_AUTH (__LR_FROM_WASABI && AUTHRES_DKIM_PASS && AUTHRES_SPF_PASS)
score LR_WASABI_AUTH -100
 
This now scores the Wasabi emails OK. Please feel free to tell me if this was a 
really bad plan :)
 
Simon
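
A model of the decision the LR_WASABI_AUTH rule above encodes, combined with Benny's point that only Authentication-Results headers from a trusted authserv-id should count, as an added Python example (not the AuthRes plugin's code and not from either poster). The function names are hypothetical, the messages are constructed from header values quoted in this thread, `relay.example.net` is a placeholder, and comparing the From: address exactly is an assumption of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# authserv-id from the authres_trusted_authserv line quoted in the thread.
TRUSTED_AUTHSERV = {"mail.simonandkate.net"}


def trusted_results(msg, trusted=TRUSTED_AUTHSERV):
    """Map method -> set of results, using only trusted authserv-ids."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())            # unfold continuation lines
        value = re.sub(r"\([^()]*\)", " ", value)  # drop (comments)
        parts = [p.strip() for p in value.split(";")]
        tokens = parts[0].split()
        authserv_id = tokens[0].lower() if tokens else ""
        if authserv_id not in trusted:
            continue                               # added by some other host
        for part in parts[1:]:
            m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
            if m:
                method, result = m.group(1).lower(), m.group(2).lower()
                results.setdefault(method, set()).add(result)
    return results


def sender_is_authenticated(raw_message, sender, trusted=TRUSTED_AUTHSERV):
    """True when From: is exactly `sender` and trusted DKIM and SPF both pass."""
    msg = message_from_string(raw_message)
    _display, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != sender.lower():
        return False
    results = trusted_results(msg, trusted)
    return ("pass" in results.get("dkim", set())
            and "pass" in results.get("spf", set()))


# Constructed samples built from header values quoted in the thread.
SAMPLE_TRUSTED = """\
From: Wasabi Support <support@wasabi.com>
Authentication-Results: mail.simonandkate.net;
 spf=none smtp.helo=o562.ptr9861.wasabi.com;
 spf=pass smtp.mailfrom=mmemail.wasabi.com
Authentication-Results: mail.simonandkate.net;
 dkim=pass (2048-bit key, unprotected) header.d=wasabi.com
 header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd
Subject: constructed sample 1

body
"""

# A pass claimed under another authserv-id must not outweigh the local fail.
SAMPLE_UNTRUSTED = """\
From: Wasabi Support <support@wasabi.com>
Authentication-Results: relay.example.net; dkim=pass header.d=wasabi.com; spf=pass
Authentication-Results: mail.simonandkate.net; dkim=fail header.d=wasabi.com
Authentication-Results: mail.simonandkate.net; spf=pass smtp.mailfrom=mmemail.wasabi.com
Subject: constructed sample 2

body
"""

# The wanted address is only a prefix of the real From: address.
SAMPLE_LOOKALIKE = """\
From: support@wasabi.com.example.net
Authentication-Results: mail.simonandkate.net; dkim=pass header.d=example.net; spf=pass
Subject: constructed sample 3

body
"""

if __name__ == "__main__":
    for raw in (SAMPLE_TRUSTED, SAMPLE_UNTRUSTED, SAMPLE_LOOKALIKE):
        print(sender_is_authenticated(raw, "support@wasabi.com"))
```

Filtering on the authserv-id only helps if the receiving MTA removes inbound Authentication-Results headers that already carry its own id, which RFC 8601 asks border MTAs to do.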


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

On 03.07.24 23:54, Simon Wilson via users wrote:
>Simon Wilson via users skrev den 2024-07-03 14:56:
>> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
>> trusting my upstream authres_trusted_authserv only?
>
>both works in parallel, so no need to disable, best results came from 
>both enabled
>
>its up to you to add more authres_trusted_authserv or more 
>authres_ignored_authserv lines
>
>possible we can now have a very long debate on dmarc plugin ? :)

Please, Simon, quote the text you are replying to.
 
I have been - was that directed at Benny?
 


Re: whitelist_auth return_path / from

2024-07-03 Thread Matus UHLAR - fantomas

On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users skrev den 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both works in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)


Please, Simon, quote the text you are replying to.


my question is does spamassassin dmarc plugin use authres results ?


not yet.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

Simon Wilson via users skrev den 2024-07-03 14:56:

> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
> trusting my upstream authres_trusted_authserv only?

both works in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)

my question is does spamassassin dmarc plugin use authres results ?
 
- SA's DKIM plugin has failed a message so USER_IN_DKIM_WHITELIST tag will not 
get assigned, and a +0.1 is added for a DKIM fail
- with AuthRes plugin installed, my trusted Authentication-Results header ‘DKIM 
pass’ = -0.5 is applied
- yes, the -0.5 overrides the +0.1 from the false DKIM fail, but this does not 
overcome the reason I wanted the sender in whitelist_auth - to overcome the FP 
of their emails triggering a KAM rule
 
Ideally what I want is for authres.cf to combine:
 
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
with 
header USER_IN_DKIM_WHITELIST   eval:check_for_dkim_whitelist_from()
 
and generate -100 that the DKIM plugin assigns to a DKIM 
pass/USER_IN_DKIM_WHITELIST entry.
 
…but I don't know how to do that properly. I can combine into a meta rule, but 
that will call the existing DKIM plugin's subroutine to evaluate 
USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.
 


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users skrev den 2024-07-03 14:56:


Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both works in parallel, so no need to disable, best results came from 
both enabled


its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines


possible we can now have a very long debate on dmarc plugin ? :)

my question is does spamassassin dmarc plugin use authres results ?








Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

 
Simon Wilson via users skrev den 2024-07-03 14:13:

> I don't think SA 3.4.6 on RH8 has AuthRes plugin:

take it from spamassassin trunk, this plugin works on 3.4.6 as well, but 
was not released or tested on it, i have verified it does work

#!/bin/sh

svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk spamassassin-trunk

OK, done and working. Plugin added, loaded with a .pre and configured with a .cf
 
Working, e.g.:
X-Spam-Status: No, score=-1.798 tagged_above=-999 required=6.2
 tests=[AUTHRES_ARC_FAIL=1.5, AUTHRES_DKIM_PASS=-0.5, AUTHRES_DMARC_PASS=-0.5,
 AUTHRES_SPF_PASS=-0.5, BAYES_00=-1.9, DCC_REPUT_70_89=0.1, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
 LR_ARC_FAIL=1, LR_DMARC_PASS=-0.1, RCVD_IN_DNSWL_LOW=-0.7,
 RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
 by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
 with LMTP id qiXZppjAGmSg for ;
 Wed,  3 Jul 2024 22:48:54 +1000 (AEST)
Authentication-Results: mail.simonandkate.net;
spf=pass smtp.helo=smtp-out.orange.com;
spf=pass smtp.mailfrom=orange.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=none dis=none) 
header.from=orange.com
Authentication-Results: mail.simonandkate.net; arc=fail 
smtp.remote-ip=80.12.126.238
Authentication-Results: mail.simonandkate.net;
dkim=pass (2048-bit key, secure) header.d=orange.com 
header.i=@orange.com header.a=rsa-sha256 header.s=orange002 header.b=OKdWrX63
 
Next question though - 
When the next email comes from Wasabi that my server tags as 
“Authentication-Results: mail.simonandkate.net; dkim=pass”, I understand that 
Authres plugin will accept the authres_trusted_authserv assignment to my 
server, resulting in AUTHRES_DKIM_PASS=-0.5. 
Do I also need to disable the normal SA DKIM plugin evaluation, i.e. trusting 
my upstream authres_trusted_authserv only?
 


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users skrev den 2024-07-03 14:13:


I don't think SA 3.4.6 on RH8 has AuthRes plugin:


take it from spamassassin trunk, this plugin works on 3.4.6 as well, but 
was not released or tested on it, i have verified it does work


#!/bin/sh

svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk spamassassin-trunk







Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users





On Wednesday, July 03, 2024 22:06 AEST, "Simon Wilson via users" 
 wrote:

 

Dave Funk skrev den 2024-07-03 09:29:
> On Wed, 3 Jul 2024, Simon Wilson via users wrote:

> You say "passing SPF and DKIM" however in the SA rules report it 
> clearly says:
> DKIM_SIGNED=0.1, DKIM_INVALID=0.1
> 
> So even though you think 'passed DKIM' SA clearly does NOT think it does. 
> That DKIM_INVALID will prevent the whitelist_auth from firing, thus you 
> need to investigate what's going wrong there.

whitelist_auth support Return-Path so spf is evaluated as well as dkim is

grep logs DKIM_VALID_EF

or enable DMARC plugin

Hi Benny, none of that helps unless I'm being dense this evening :-D
* I know whitelist_auth supports spf and dkim, that is in the documentation
* Grepping for DKIM_VALID_EF only tells me what I now already know - SA thinks 
that one of the emails did not pass DKIM, when my server validated that it did 
and entered an Authentication-Results header saying that it did
* I already have DMARC assessment, and that is shown in the headers I posted

Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
dis=none) header.from=wasabi.com

The authentication headers that my server adds are:

Authentication-Results: mail.simonandkate.net;
spf=none smtp.helo=o562.ptr9861.wasabi.com;
spf=pass smtp.mailfrom=mmemail.wasabi.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
dis=none) header.from=wasabi.com
Authentication-Results: mail.simonandkate.net; arc=none 
smtp.remote-ip=159.183.86.216
Authentication-Results: mail.simonandkate.net;
dkim=pass (2048-bit key, unprotected) header.d=wasabi.com header.i=@wasabi.com 
header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0
However SA thinks DKIM failed. 
 
I note your other email Benny on adding authres settings. I'm not averse to 
doing so, but would like to first understand why SA is behaving differently 
with these two emails.
 
Simon
 

I don't think SA 3.4.6 on RH8 has AuthRes plugin:
 
-r--r--r-- 1 root root  4659 Apr  9  2021 AccessDB.pm
-r--r--r-- 1 root root  4559 Apr  9  2021 AntiVirus.pm
-r--r--r-- 1 root root 29117 Apr  9  2021 AskDNS.pm
-r--r--r-- 1 root root 17071 Apr  9  2021 ASN.pm
-r--r--r-- 1 root root  8803 Apr  9  2021 AutoLearnThreshold.pm
-r--r--r-- 1 root root 19936 Apr  9  2021 AWL.pm
-r--r--r-- 1 root root 55885 Apr  9  2021 Bayes.pm
 
…etc…


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

Dave Funk skrev den 2024-07-03 09:29:
> On Wed, 3 Jul 2024, Simon Wilson via users wrote:

> You say "passing SPF and DKIM" however in the SA rules report it 
> clearly says:
> DKIM_SIGNED=0.1, DKIM_INVALID=0.1
> 
> So even though you think 'passed DKIM' SA clearly does NOT think it does. 
> That DKIM_INVALID will prevent the whitelist_auth from firing, thus you 
> need to investigate what's going wrong there.

whitelist_auth support Return-Path so spf is evaluated as well as dkim is

grep logs DKIM_VALID_EF

or enable DMARC plugin

Hi Benny, none of that helps unless I'm being dense this evening :-D
 * I know whitelist_auth supports spf and dkim, that is in the documentation
 * Grepping for DKIM_VALID_EF only tells me what I now already know - SA thinks 
   that one of the emails did not pass DKIM, when my server validated that it did 
   and entered an Authentication-Results header saying that it did
 * I already have DMARC assessment, and that is shown in the headers I posted

Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
 dis=none) header.from=wasabi.com

The authentication headers that my server adds are:

Authentication-Results: mail.simonandkate.net;
 spf=none smtp.helo=o562.ptr9861.wasabi.com;
 spf=pass smtp.mailfrom=mmemail.wasabi.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
 dis=none) header.from=wasabi.com
Authentication-Results: mail.simonandkate.net; arc=none 
 smtp.remote-ip=159.183.86.216
Authentication-Results: mail.simonandkate.net;
 dkim=pass (2048-bit key, unprotected) header.d=wasabi.com 
 header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0

However SA thinks DKIM failed. 
 
I note your other email Benny on adding authres settings. I'm not averse to 
doing so, but would like to first understand why SA is behaving differently 
with these two emails.
 
Simon


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users wrote on 2024-07-03 09:48:


So I guess the question is why SA is not accepting a trusted header
with a DKIM pass recorded with the same mail path through the system?
I have no AuthRes settings set specifically in local.cf.


so add it :)

ifplugin Mail::SpamAssassin::Plugin::AuthRes

authres_networks all

authres_trusted_authserv mail.simonandkate.net

describe AUTHRES_ARC_FAIL Authentication-Results: has "arc=fail" result
describe AUTHRES_ARC_NONE Authentication-Results: has "arc=none" result
describe AUTHRES_ARC_PASS Authentication-Results: has "arc=pass" result

header AUTHRES_ARC_FAIL eval:check_authres_result('arc', 'fail')
header AUTHRES_ARC_NONE eval:check_authres_result('arc', 'none')
header AUTHRES_ARC_PASS eval:check_authres_result('arc', 'pass')
score AUTHRES_ARC_FAIL 1.5
score AUTHRES_ARC_NONE 0.5
score AUTHRES_ARC_PASS -1.5

describe AUTHRES_ADSP_DISCARD Authentication-Results: has "dkim-adsp=discard" result
describe AUTHRES_ADSP_FAIL Authentication-Results: has "dkim-adsp=fail" result
describe AUTHRES_ADSP_NONE Authentication-Results: has "dkim-adsp=none" result
describe AUTHRES_ADSP_NXDOMAIN Authentication-Results: has "dkim-adsp=nxdomain" result
describe AUTHRES_ADSP_PASS Authentication-Results: has "dkim-adsp=pass" result
describe AUTHRES_ADSP_PERMERROR Authentication-Results: has "dkim-adsp=permerror" result
describe AUTHRES_ADSP_TEMPERROR Authentication-Results: has "dkim-adsp=temperror" result
describe AUTHRES_ADSP_UNKNOWN Authentication-Results: has "dkim-adsp=unknown" result
header AUTHRES_ADSP_DISCARD eval:check_authres_result('dkim-adsp', 'discard')
header AUTHRES_ADSP_FAIL eval:check_authres_result('dkim-adsp', 'fail')
header AUTHRES_ADSP_NONE eval:check_authres_result('dkim-adsp', 'none')
header AUTHRES_ADSP_NXDOMAIN eval:check_authres_result('dkim-adsp', 'nxdomain')
header AUTHRES_ADSP_PASS eval:check_authres_result('dkim-adsp', 'pass')
header AUTHRES_ADSP_PERMERROR eval:check_authres_result('dkim-adsp', 'permerror')
header AUTHRES_ADSP_TEMPERROR eval:check_authres_result('dkim-adsp', 'temperror')
header AUTHRES_ADSP_UNKNOWN eval:check_authres_result('dkim-adsp', 'unknown')

score AUTHRES_ADSP_DISCARD 1.5
score AUTHRES_ADSP_FAIL 0.5
score AUTHRES_ADSP_NONE 0.5
score AUTHRES_ADSP_NXDOMAIN 1.5
score AUTHRES_ADSP_PASS -0.5
score AUTHRES_ADSP_PERMERROR 0.5
score AUTHRES_ADSP_TEMPERROR 0.5
score AUTHRES_ADSP_UNKNOWN 0.5

describe AUTHRES_ATPS_FAIL Authentication-Results: has "dkim-atps=fail" result
describe AUTHRES_ATPS_NEUTRAL Authentication-Results: has "dkim-atps=neutral" result
describe AUTHRES_ATPS_NONE Authentication-Results: has "dkim-atps=none" result
describe AUTHRES_ATPS_PASS Authentication-Results: has "dkim-atps=pass" result
describe AUTHRES_ATPS_PERMERROR Authentication-Results: has "dkim-atps=permerror" result
describe AUTHRES_ATPS_TEMPERROR Authentication-Results: has "dkim-atps=temperror" result
header AUTHRES_ATPS_FAIL eval:check_authres_result('dkim-atps', 'fail')
header AUTHRES_ATPS_NEUTRAL eval:check_authres_result('dkim-atps', 'neutral')
header AUTHRES_ATPS_NONE eval:check_authres_result('dkim-atps', 'none')
header AUTHRES_ATPS_PASS eval:check_authres_result('dkim-atps', 'pass')
header AUTHRES_ATPS_PERMERROR eval:check_authres_result('dkim-atps', 'permerror')
header AUTHRES_ATPS_TEMPERROR eval:check_authres_result('dkim-atps', 'temperror')

score AUTHRES_ATPS_FAIL 0.5
score AUTHRES_ATPS_NEUTRAL 0.5
score AUTHRES_ATPS_NONE 1.5
score AUTHRES_ATPS_PASS -1.5
score AUTHRES_ATPS_PERMERROR 0.5
score AUTHRES_ATPS_TEMPERROR 0.5

describe AUTHRES_DKIM_FAIL Authentication-Results: has "dkim=fail" result
describe AUTHRES_DKIM_PASS Authentication-Results: has "dkim=pass" result
describe AUTHRES_DKIM_NEUTRAL Authentication-Results: has "dkim=neutral" result
describe AUTHRES_DKIM_NONE Authentication-Results: has "dkim=none" result
describe AUTHRES_DKIM_POLICY Authentication-Results: has "dkim=policy" result
describe AUTHRES_DKIM_PERMERROR Authentication-Results: has "dkim=permerror" result
describe AUTHRES_DKIM_TEMPERROR Authentication-Results: has "dkim=temperror" result

header AUTHRES_DKIM_FAIL eval:check_authres_result('dkim', 'fail')
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
header AUTHRES_DKIM_NEUTRAL eval:check_authres_result('dkim', 'neutral')
header AUTHRES_DKIM_NONE eval:check_authres_result('dkim', 'none')
header AUTHRES_DKIM_POLICY eval:check_authres_result('dkim', 'policy')
header AUTHRES_DKIM_PERMERROR eval:check_authres_result('dkim', 'permerror')
header AUTHRES_DKIM_TEMPERROR eval:check_authres_result('dkim', 'temperror')

score AUTHRES_DKIM_FAIL 0.5
score AUTHRES_DKIM_PASS -0.5
score 

Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Dave Funk wrote on 2024-07-03 09:29:

On Wed, 3 Jul 2024, Simon Wilson via users wrote:


You say "passing SPF and DKIM" however in the SA rules report it 
clearly says:

 DKIM_SIGNED=0.1, DKIM_INVALID=0.1

So even though you think 'passed DKIM' SA clearly does NOT think it does. 
That DKIM_INVALID will prevent the whitelist_auth from firing, thus you 
need to investigate what's going wrong there.


whitelist_auth supports Return-Path so spf is evaluated as well as dkim is

grep logs DKIM_VALID_EF

or enable DMARC plugin





Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

On Wed, 3 Jul 2024, Simon Wilson via users wrote:

> Does whitelist_auth work on From header, or Return-Path? Reason I ask:
>
> 
> 
> I have two emails from “support .at. wasabi.com”. Due to their emails usually 
> triggering KAM rules I have (in
> /etc/mail/spamassassin/local.cf):
>
> 
> 
> ## Whitelist Wasabi, subject to passing of auth
> whitelist_auth supp...@wasabi.com
[snip..]

> The other is not triggering whitelist_auth and is marked as spam due to the 
> KAM rule fails. It has:
> 
> Return-Path: 
> ... 
> From: Wasabi 
> ... 
> Reply-To: supp...@wasabi.com
> 
> Despite passing SPF and DKIM, not whitelisted:
> 
> X-Spam-Score: 20.212
> X-Spam-Level: 
> X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
> tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
> DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
> KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
> KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
> SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
> autolearn=no autolearn_force=no
[snip]
> 
> Thanks.
> Simon.

You say "passing SPF and DKIM" however in the SA rules report it clearly says:
DKIM_SIGNED=0.1, DKIM_INVALID=0.1

So even though you think 'passed DKIM' SA clearly does NOT think it does. That 
DKIM_INVALID will prevent the whitelist_auth from firing, thus you need to 
investigate what's going wrong there.


-- 
Dave Funk University of Iowa
 College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Good spot, thank you.
 
The email that passed (sent from Wasabi's Salesforce) clearly passes SPF and 
DKIM, and SA accepts that it has passed both:

X-Spam-Score: -182.112
X-Spam-Level:
X-Spam-Status: No, score=-182.112 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HELO_STATIC_HOST=-0.001,
 HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001, KAM_BODY_URIBL_PCCC=9,
 KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1, LR_DMARC_PASS=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01,
 USER_IN_DKIM_WELCOMELIST=-0.01, USER_IN_DKIM_WHITELIST=-100,
 USER_IN_SPF_WELCOMELIST=-0.01, USER_IN_SPF_WHITELIST=-100]
 autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
 by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
 with LMTP id FRQBp6eagRev for ;
 Wed,  3 Jul 2024 11:33:21 +1000 (AEST)
Authentication-Results: mail.simonandkate.net;
spf=pass 
smtp.helo=smtp-0e3fa5fa5492d81fe.core1.sfdc-lywfpd.mta.salesforce.com;
spf=pass smtp.mailfrom=wasabi.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
dis=none) header.from=wasabi.com
Authentication-Results: mail.simonandkate.net; arc=none 
smtp.remote-ip=44.227.237.13
Authentication-Results: mail.simonandkate.net;
dkim=pass (1024-bit key, unprotected) header.d=wasabi.com 
header.i=@wasabi.com header.a=rsa-sha256 header.s=sfdcproduction 
header.b=VPfjwPoA
Received: from smtp-0e3fa5fa5492d81fe.core1.sfdc-lywfpd.mta.salesforce.com 
(smtp-0e3fa5fa5492d81fe.core1.sfdc-lywfpd.mta.salesforce.com [44.227.237.13])
by mail.simonandkate.net (Postfix) with ESMTPS id B2E4460E1
for ; Wed,  3 Jul 2024 11:33:20 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wasabi.com;
s=sfdcproduction; t=1719970393;
bh=HT3vxtae+200eJTAlHJkPaLUuYEbpqXqTkY70+hSYa4=;
h=Date:From:To:Subject:MIME-Version:Content-Type;
b=VPfjwPoAe8Gu3ruU2nvnYYggXO5JZ/7IaxEDNaBsvvxIZ5PHW+7rXN1usl5qmJZ5u
 asB0RBBCXNTH/5SDXXJEu1Pc6jRvsdc+POPLrkQkHqhXgX1DmUjnVYnDBA2tu/8RIk
 M7ISxYS4psZXdm73/ZF7sILSdS+USXdTM5JlfbV4=
 
The failed one is assessed by OpenDKIM as having passed by my server 
(mail.simonandkate.net), but you are correct SA sees it as invalid.
 
So I guess the question is why SA is not accepting a trusted header with a DKIM 
pass recorded with the same mail path through the system? I have no AuthRes 
settings set specifically in local.cf.

X-Spam-Score: 20.212
X-Spam-Level: 
X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
 DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
 KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
 KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
 autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
 by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
 with LMTP id 0dPigJ_ugPPb for ;
 Wed,  3 Jul 2024 07:48:51 

Re: whitelist_auth return_path / from

2024-07-03 Thread Dave Funk

On Wed, 3 Jul 2024, Simon Wilson via users wrote:


Does whitelist_auth work on From header, or Return-Path? Reason I ask:



I have two emails from “support .at. wasabi.com”. Due to their emails usually 
triggering KAM rules I have (in
/etc/mail/spamassassin/local.cf):



## Whitelist Wasabi, subject to passing of auth
whitelist_auth supp...@wasabi.com

[snip..]


The other is not triggering whitelist_auth and is marked as spam due to the KAM 
rule fails. It has:

Return-Path: 
... 
From: Wasabi 
... 
Reply-To: supp...@wasabi.com

Despite passing SPF and DKIM, not whitelisted:

X-Spam-Score: 20.212
X-Spam-Level: 
X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
 DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
 KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
 KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
 autolearn=no autolearn_force=no

[snip]


Thanks.
Simon.


You say "passing SPF and DKIM" however in the SA rules report it clearly says:
 DKIM_SIGNED=0.1, DKIM_INVALID=0.1

So even though you think 'passed DKIM' SA clearly does NOT think it does. That 
DKIM_INVALID will prevent the whitelist_auth from firing, thus you need to 
investigate what's going wrong there.



--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

whitelist_auth return_path / from

2024-07-02 Thread Simon Wilson via users

Running SA 3.4.6 on RH8. 
 
Does whitelist_auth work on From header, or Return-Path? Reason I ask:
 
I have two emails from “support .at. wasabi.com”. Due to their emails usually 
triggering KAM rules I have (in /etc/mail/spamassassin/local.cf):
 
## Whitelist Wasabi, subject to passing of auth
whitelist_auth supp...@wasabi.com
 
First email triggers whitelist_auth and is passed as expected. It has:

Return-Path: 
... 
From: Wasabi Support

X-Spam-Score: -182.112
X-Spam-Level:
X-Spam-Status: No, score=-182.112 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HELO_STATIC_HOST=-0.001,
 HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001, KAM_BODY_URIBL_PCCC=9,
 KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1, LR_DMARC_PASS=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01,
 USER_IN_DKIM_WELCOMELIST=-0.01, USER_IN_DKIM_WHITELIST=-100,
 USER_IN_SPF_WELCOMELIST=-0.01, USER_IN_SPF_WHITELIST=-100]

The other is not triggering whitelist_auth and is marked as spam due to the KAM 
rule fails. It has:

Return-Path: 
... 
From: Wasabi 
... 
Reply-To: supp...@wasabi.com

Despite passing SPF and DKIM, not whitelisted:

X-Spam-Score: 20.212
X-Spam-Level: 
X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
 DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
 KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
 KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
 autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
 by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
 with LMTP id 0dPigJ_ugPPb for ;
 Wed,  3 Jul 2024 07:48:51 +1000 (AEST)
Authentication-Results: mail.simonandkate.net;
spf=none smtp.helo=o562.ptr9861.wasabi.com;
spf=pass smtp.mailfrom=mmemail.wasabi.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
dis=none) header.from=wasabi.com
Authentication-Results: mail.simonandkate.net; arc=none 
smtp.remote-ip=159.183.86.216
Authentication-Results: mail.simonandkate.net;
dkim=pass (2048-bit key, unprotected) header.d=wasabi.com 
header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0
Received: from o562.ptr9861.wasabi.com (o562.ptr9861.wasabi.com 
[159.183.86.216])
by mail.simonandkate.net (Postfix) with ESMTPS id C105157044
for ; Wed,  3 Jul 2024 07:48:47 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wasabi.com;
h=content-type:from:mime-version:subject:reply-to:to:list-unsubscribe:
list-unsubscribe-post:cc:content-type:from:subject:to;
s=mmd; bh=cy4eC8HJMJh8b6CwYtOAzArbHod4C/sAQkNIrkSQFPA=;
b=uhRSt2r0lE9yE6sSCc7+QA90N0PCyzA0FNP0bOo2ApH/U+u6yCpjvt0KZJ+VO2MfDKuh
xmzJPFgaHNvajQDOyqfLCfF4xwTrxYyBaKTMf/qinqP6JHpFsKVaDNykv96ZIac/SwRbha
SO4yPkPl1NO5k4ENyD5va2J9LftRyQ0te+awrnbjypQAKJiJ0yPoqNTFCJZGdQSCuJOZG8
ASnJcPZRoL2J83FEJCMPZdS5Wpf0GAgHp7aEpzAFf7TEpfJA8IMsbRSlRs3ptdZtYvwKMR
K6oi/d+w3UBSdFGRpRFZlgFeVjNIp/xCz5pDGf7109C0A+QSjn4zZ3edrOjF1JPg==
Received: by filterdrecv-6576d68dbc-fxxdn with SMTP id 
filterdrecv-6576d68dbc-fxxdn-1-668475B6-1
2024-07-02 21:48:38.112531956 + UTC m=+1292691.168998080
Received: from MzUyNTk2MzU (unknown)
by geopod-ismtpd-4 (SG) with HTTP
id X_mTOosARsSFXqinaxYfEw
Tue, 02 Jul 2024 21:48:38.008 + (UTC)
Content-Type: multipart/mixed; 
boundary=75633f0201749d47c1ba5a273d403dbaa85162228d469a5e23d94a668c10
Date: Tue, 02 Jul 2024 21:48:38 + (UTC)
From: Wasabi 
Mime-Version: 1.0
Message-ID: 
Subject: [SPAM] Wasabi Technologies LLC Invoice
Reply-To: supp...@wasabi.com

Do I need to add the return-path, i.e.:
 
## Whitelist Wasabi, subject to passing of auth
whitelist_auth supp...@wasabi.com
whitelist_auth *@mmemail.wasabi.com
?
 
Thanks.
Simon.
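
A diagnostic for the mismatch discussed in this thread, added here as an example and not code from any poster or from SpamAssassin: it reads only the Authentication-Results headers stamped by the trusted authserv-id and compares their DKIM verdict with the rules listed in X-Spam-Status. The sample messages are constructed from the headers posted above (abbreviated and re-folded); the mx.example.net header and all function names are assumptions.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mail.simonandkate.net"  # authserv-id seen in the thread
WHITELIST_RULES = {"USER_IN_DKIM_WHITELIST", "USER_IN_SPF_WHITELIST"}

# Constructed samples: headers from the thread, abbreviated and re-folded.
FAILING = """\
X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1,
 LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
 autolearn=no autolearn_force=no
Authentication-Results: mail.simonandkate.net;
 spf=none smtp.helo=o562.ptr9861.wasabi.com;
 spf=pass smtp.mailfrom=mmemail.wasabi.com
Authentication-Results: mail.simonandkate.net;
 dkim=pass (2048-bit key, unprotected) header.d=wasabi.com
 header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0

(body omitted)
"""

PASSING = """\
X-Spam-Status: No, score=-182.112 tagged_above=-999 required=6.2
 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, USER_IN_DKIM_WHITELIST=-100,
 USER_IN_SPF_WHITELIST=-100]
Authentication-Results: mail.simonandkate.net;
 dkim=pass (1024-bit key, unprotected) header.d=wasabi.com
 header.i=@wasabi.com header.a=rsa-sha256 header.s=sfdcproduction
 header.b=VPfjwPoA

(body omitted)
"""

# Hypothetical: a dkim=pass claim stamped by a host that is not our MTA.
FOREIGN = """\
X-Spam-Status: Yes, score=9.1 required=6.2
 tests=[DKIM_INVALID=0.1, DKIM_SIGNED=0.1]
Authentication-Results: mx.example.net; dkim=pass header.d=wasabi.com

(body omitted)
"""


def unfold(value):
    """Join a folded header value onto one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_authres(value):
    """Return (authserv_id, [(method, result, {property: value}), ...])."""
    # Drop (comments) first so a ';' inside one cannot split a result.
    value = re.sub(r"\([^()]*\)", "", unfold(value))
    parts = [p.strip() for p in value.split(";")]
    authserv = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)(.*)", part, re.I)
        if not m:
            continue
        props = dict(re.findall(r"([a-z]+\.[a-z0-9-]+)=(\S+)", m.group(3), re.I))
        results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv, results


def sa_tests(msg):
    """Rule names from the tests=[...] list of X-Spam-Status."""
    m = re.search(r"tests=\[([^\]]*)\]", unfold(msg.get("X-Spam-Status", "")))
    if not m:
        return set()
    return {t.split("=")[0].strip() for t in m.group(1).split(",") if t.strip()}


def compare(raw, trusted=TRUSTED_AUTHSERV):
    """Compare the trusted MTA's DKIM verdict with SpamAssassin's rules."""
    msg = message_from_string(raw)
    tests = sa_tests(msg)
    mta = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, results = parse_authres(value)
        if authserv != trusted:
            continue  # not stamped by our own MTA: carries no weight
        for method, result, _props in results:
            mta.setdefault(method, set()).add(result)
    mta_dkim_pass = "pass" in mta.get("dkim", set())
    sa_dkim_valid = "DKIM_VALID" in tests
    return {
        "mta": {k: sorted(v) for k, v in mta.items()},
        "mta_dkim_pass": mta_dkim_pass,
        "sa_dkim_valid": sa_dkim_valid,
        "disagree": mta_dkim_pass != sa_dkim_valid,
        "whitelist_fired": bool(tests & WHITELIST_RULES),
    }


if __name__ == "__main__":
    for name, raw in (("failing", FAILING), ("passing", PASSING), ("foreign", FOREIGN)):
        print(name, compare(raw))
```

Run over saved messages, a `disagree` result isolates the mails where the MTA and SpamAssassin reached different DKIM verdicts, which are the ones worth checking by hand.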


Re: help with ubuntu 22.04

2024-07-01 Thread Matus UHLAR - fantomas

On 29.06.24 17:07, Rick Gutierrez wrote:

hi list , The latest version of spamassassin on Ubuntu 22.04 does not
exist or they did not create the deb package, someone on the list who
has the deb package and wants to share it.


https://packages.ubuntu.com/search?keywords=spamassassin


perhaps you want to upgrade to ubuntu 24.04 LTS which has SA 4.0.0 included.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average.


help with ubuntu 22.04

2024-06-29 Thread Rick Gutierrez
hi list , The latest version of spamassassin on Ubuntu 22.04 does not
exist or they did not create the deb package, someone on the list who
has the deb package and wants to share it.

thanks for any help.

-- 
rickygm

http://gnuforever.homelinux.com


Re: ChatGPT > Spamassassin? :)

2024-06-28 Thread Marcin Mirosław

On 2024-06-25 15:55, John Hardin wrote:

On Mon, 24 Jun 2024, Mark London wrote:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like something 
that was generated using ChatGPT.  In any event,  I put the text 
through ChatGPT, and asked if it looked like spam.  At the bottom of 
this email, is its analysis.  I've not been fully reading this 
group.  Has there been any work to allow Spamassassin to use AI?  
Thanks.  - Mark


In a very limited manner. There is code in the repo that allows you to 
set up ham and spam corpora and scan the spam corpora to pick out 
common phrases and filter them via the ham corpora, then create 
rules based on the phrases and (IIRC) combinations of them.


This was being used to generate dynamic fraud rulesets (the "sought" 
rules, still somewhat there as ADVANCE_FEE rules which I occasionally 
manually update) until Justin Mason left the project. It's been 
languishing since as he was providing the resources (infra and 
maintenance) to run it for those rules. I was feeding those corpora for 
a long time.


Take a look in the repo at the stuff under:

  https://svn.apache.org/viewvc/spamassassin/trunk/masses/rule-dev/

  
https://svn.apache.org/viewvc/spamassassin/trunk/masses/evolve_metarule/


I don't know whether the project would be willing to set up infra to 
revive dynamic advance fee fraud (or more general) rule generation, but 
it's possible if someone was willing to bring that code up-to-date and 
figure out what was needed and corpora providers were available.



This code still works, at least for me. I'm using my own corpora.


Sv: Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Anders Gustafsson
That is the way some email clients, say GroupWise does it. There is an option 
to put all mail from new
receivers in the junk folder for perusal. OTOH should simple graylisting do the 
same thing. But yes, an option
to deduct points from previously unseen senders would be useful.

-- 
Best regards

Anders Gustafsson, engineer
anders.gustafs...@pedago.fi  |  Support +358 18 12060  |  Direct +358 9 315 45 121  |  Mobile +358 40506 7099

Pedago interaktiv ab, Nygatan 7 B , AX-22100 MARIEHAMN, ÅLAND, FINLAND



>>> Mark London  2024-06-26 00:38 >>>
Bill - Thanks for the response.  As an aside, it would be nice (though 
impossible?) for a spam filter to be more suspicious of emails coming 
from a new email address, that is not in my Sent folder or my Inbox. 
FWIW. - Mark

On 6/25/2024 11:21 AM, Bill Cole wrote:
> Mark London 
> is rumored to have said:
>
>> I received a spam email with the text below, that wasn't caught by 
>> Spamassassin (at least mine).   The text actually looks like something 
>> that was generated using ChatGPT.  In any event,  I put the text 
>> through ChatGPT, and asked if it looked like spam.  At the bottom of 
>> this email, is its analysis.  I've not been fully reading this 
>> group.  Has there been any work to allow Spamassassin to use AI?
>
> "Artificial intelligence" does not exist. It is a misnomer.
>
> Large language models like ChatGPT have a provenance problem. There's 
> no way to know why exactly the model "says" anything. In a single 
> paragraph, ChatGPT is capable of making completely and directly 
> inconsistent assertions. The only way to explain that is that despite 
> appearances, a request to answer the ham/spasm question generates text 
> with no semantic connection to the original, but which seems like an 
> explanation.
>
> SpamAssassin's code and rules all come from ASF committers, and the 
> scores are determined by examining the scan results from contributors 
> and optimizing them to a threshold of 5.0. Every scan of a message 
> results in a list of hits against documented rules. The results can be 
> analyzed and understood.
>
> We know that ChatGPT and other LLMs that are publicly available have 
> been trained on data to which they had no license. There is no way to 
> remove any particular ingested data. There's no way to know where any 
> particular LLM will have problems and no way to fix those problems. 
> This all puts them outside of the boundaries we have as an ASF 
> project. However, we do have a plugin architecture, so it is possible 
> for 3rd parties to create a plugin for LLM integration.
>
>



Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Bill Cole

On 2024-06-25 at 17:38:28 UTC-0400 (Tue, 25 Jun 2024 17:38:28 -0400)
Mark London 
is rumored to have said:

Bill - Thanks for the response.  As an aside, it would be nice 
(though impossible?) for a spam filter to be more suspicious of emails 
coming from a new email address, that is not in my Sent folder or my 
Inbox. FWIW. - Mark


Matija's mention of AWL/TxRep is correct here. While some people find it 
a nuisance when it makes one FP into an ongoing series, I think it is 
worth enabling for most sites.


However, if you do enable either of those tools, you should have a 
mechanism for  feeding FPs into both a sitewide Bayes DB and into the 
AWL/TxRep DB by using the blocklist/welcomelist options of the 
spamassassin script.





On 6/25/2024 11:21 AM, Bill Cole wrote:

Mark London 
is rumored to have said:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like 
something that was generated using ChatGPT.  In any event,  I put 
the text through ChatGPT, and asked if it looked like spam.  At the 
bottom of this email, is its analysis.  I've not been fully 
reading this group.  Has there been any work to allow Spamassassin 
to use AI?


"Artificial intelligence" does not exist. It is a misnomer.

Large language models like ChatGPT have a provenance problem. There's 
no way to know why exactly the model "says" anything. In a single 
paragraph, ChatGPT is capable of making completely and directly 
inconsistent assertions. The only way to explain that is that despite 
appearances, a request to answer the ham/spasm question generates 
text with no semantic connection to the original, but which seems 
like an explanation.


SpamAssassin's code and rules all come from ASF committers, and the 
scores are determined by examining the scan results from contributors 
and optimizing them to a threshold of 5.0. Every scan of a message 
results in a list of hits against documented rules. The results can 
be analyzed and understood.


We know that ChatGPT and other LLMs that are publicly available have 
been trained on data to which they had no license. There is no way to 
remove any particular ingested data. There's no way to know where any 
particular LLM will have problems and no way to fix those problems. 
This all puts them outside of the boundaries we have as an ASF 
project. However, we do have a plugin architecture, so it is possible 
for 3rd parties to create a plugin for LLM integration.






--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Matija Nalis


On Tue, Jun 25, 2024 at 05:38:28PM -0400, Mark London wrote:
> Bill - Thanks for the response.  As an aside, it would be nice (though
> impossible?) for a spam filter to be more suspicious of emails coming from a
> new email address, that is not in my Sent folder or my Inbox. FWIW. - Mark

Something similar is accomplished by TxRep (or to a lesser degree AWL)
Spamassassin plugin.

Ideally you should use it with mailbox learning (spam/ham training), 
see https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TxRep


-- 
Opinions above are GNU-copylefted.


Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Mark London
Bill - Thanks for the response.  As an aside, it would be nice (though 
impossible?) for a spam filter to be more suspicious of emails coming 
from a new email address, that is not in my Sent folder or my Inbox. 
FWIW. - Mark


On 6/25/2024 11:21 AM, Bill Cole wrote:

Mark London 
is rumored to have said:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like something 
that was generated using ChatGPT.  In any event,  I put the text 
through ChatGPT, and asked if it looked like spam.  At the bottom of 
this email, is its analysis.  I've not been fully reading this 
group.  Has there been any work to allow Spamassassin to use AI?


"Artificial intelligence" does not exist. It is a misnomer.

Large language models like ChatGPT have a provenance problem. There's 
no way to know why exactly the model "says" anything. In a single 
paragraph, ChatGPT is capable of making completely and directly 
inconsistent assertions. The only way to explain that is that despite 
appearances, a request to answer the ham/spasm question generates text 
with no semantic connection to the original, but which seems like an 
explanation.


SpamAssassin's code and rules all come from ASF committers, and the 
scores are determined by examining the scan results from contributors 
and optimizing them to a threshold of 5.0. Every scan of a message 
results in a list of hits against documented rules. The results can be 
analyzed and understood.


We know that ChatGPT and other LLMs that are publicly available have 
been trained on data to which they had no license. There is no way to 
remove any particular ingested data. There's no way to know where any 
particular LLM will have problems and no way to fix those problems. 
This all puts them outside of the boundaries we have as an ASF 
project. However, we do have a plugin architecture, so it is possible 
for 3rd parties to create a plugin for LLM integration.







Re: ChatGPT > Spamassassin? :) -- move along, this is not the reply you are looking for.

2024-06-25 Thread Grant Taylor via users

On 6/25/24 12:21 PM, Adam Bowen wrote:
I asked a well known chatbot: What would Bill Cole say if he was asked 
about integrating AI in to spamassassin?


LOL

I needed that laugh.

Thank you Adam.




--
Grant. . . .
unix || die



Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Adam Bowen

On 25/06/2024 16:21, Bill Cole wrote:

On 2024-06-24 at 17:18:11 UTC-0400 (Mon, 24 Jun 2024 17:18:11 -0400)
Mark London 
is rumored to have said:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like something 
that was generated using ChatGPT.  In any event,  I put the text 
through ChatGPT, and asked if it looked like spam.  At the bottom of 
this email, is its analysis.  I've not been fully reading this 
group.  Has there been any work to allow Spamassassin to use AI?


"Artificial intelligence" does not exist. It is a misnomer.

Large language models like ChatGPT have a provenance problem. There's 
no way to know why exactly the model "says" anything. In a single 
paragraph, ChatGPT is capable of making completely and directly 
inconsistent assertions. The only way to explain that is that despite 
appearances, a request to answer the ham/spasm question generates text 
with no semantic connection to the original, but which seems like an 
explanation.


SpamAssassin's code and rules all come from ASF committers, and the 
scores are determined by examining the scan results from contributors 
and optimizing them to a threshold of 5.0. Every scan of a message 
results in a list of hits against documented rules. The results can be 
analyzed and understood.


We know that ChatGPT and other LLMs that are publicly available have 
been trained on data to which they had no license. There is no way to 
remove any particular ingested data. There's no way to know where any 
particular LLM will have problems and no way to fix those problems. 
This all puts them outside of the boundaries we have as an ASF 
project. However, we do have a plugin architecture, so it is possible 
for 3rd parties to create a plugin for LLM integration.


I asked a well known chatbot: What would Bill Cole say if he was asked 
about integrating AI in to spamassassin?


Bill Cole, the maintainer of SpamAssassin, is likely to be 
enthusiastic about the potential of AI to improve spam detection.


Here's what he might say:

* Improved Spam Filtering: AI could be used to analyze spam emails 
with greater accuracy than traditional rule-based methods. 
SpamAssassin currently relies on matching email content to predefined 
rules, but AI could identify spam based on subtler cues like phrasing, 
sender behavior, and content structure.


* Adapting to Evolving Threats: Spammers constantly develop new 
tactics to bypass filters. AI can learn and adapt to these evolving 
threats much faster than manually updating rules.


* Mitigating False Positives: AI could help reduce the number of 
legitimate emails mistakenly flagged as spam (false positives). This 
is a major concern for SpamAssassin users.


However, Bill Cole might also mention some challenges:

* Training Data Bias: The effectiveness of AI depends on the quality 
and balance of training data. Biases in the training data could lead 
to the AI disproportionately flagging certain types of emails as spam.
* Transparency and Explainability: It can be difficult to understand 
how AI systems arrive at their decisions. This lack of transparency 
could make it hard to debug errors or identify potential biases.
* Computational Cost: Training and running AI models can require 
significant computational resources, which might not be feasible for 
all SpamAssassin users.


Overall, Bill Cole would likely be cautiously optimistic about the 
potential of AI to improve SpamAssassin. He would acknowledge the 
potential benefits but also highlight the challenges that need to be 
addressed.



:)


Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Bill Cole

On 2024-06-24 at 17:18:11 UTC-0400 (Mon, 24 Jun 2024 17:18:11 -0400)
Mark London 
is rumored to have said:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like something 
that was generated using ChatGPT.  In any event,  I put the text 
through ChatGPT, and asked if it looked like spam.  At the bottom of 
this email, is its analysis.  I've not been fully reading this 
group.  Has there been any work to allow Spamassassin to use AI?


"Artificial intelligence" does not exist. It is a misnomer.

Large language models like ChatGPT have a provenance problem. There's no 
way to know why exactly the model "says" anything. In a single 
paragraph, ChatGPT is capable of making completely and directly 
inconsistent assertions. The only way to explain that is that despite 
appearances, a request to answer the ham/spam question generates text 
with no semantic connection to the original, but which seems like an 
explanation.


SpamAssassin's code and rules all come from ASF committers, and the 
scores are determined by examining the scan results from contributors 
and optimizing them to a threshold of 5.0. Every scan of a message 
results in a list of hits against documented rules. The results can be 
analyzed and understood.


We know that ChatGPT and other LLMs that are publicly available have 
been trained on data to which they had no license. There is no way to 
remove any particular ingested data. There's no way to know where any 
particular LLM will have problems and no way to fix those problems. This 
all puts them outside of the boundaries we have as an ASF project. 
However, we do have a plugin architecture, so it is possible for 3rd 
parties to create a plugin for LLM integration.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread John Hardin

On Mon, 24 Jun 2024, Mark London wrote:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like something that 
was generated using ChatGPT.  In any event,  I put the text through ChatGPT, 
and asked if it looked like spam.  At the bottom of this email, is its 
analysis.  I've not been fully reading this group.  Has there been any work 
to allow Spamassassin to use AI?  Thanks.  - Mark


In a very limited manner. There is code in the repo that allows you to set 
up ham and spam corpora and scan the spam corpora to pick out common 
phrases and filter them via the ham corpora, then create rules based on 
the phrases and (IIRC) combinations of them.


This was being used to generate dynamic fraud rulesets (the "sought" 
rules, still somewhat there as ADVANCE_FEE rules which I occasionally 
manually update) until Justin Mason left the project. It's been 
languishing since as he was providing the resources (infra and 
maintenance) to run it for those rules. I was feeding those corpora for a 
long time.


Take a look in the repo at the stuff under:

  https://svn.apache.org/viewvc/spamassassin/trunk/masses/rule-dev/

  https://svn.apache.org/viewvc/spamassassin/trunk/masses/evolve_metarule/

I don't know whether the project would be willing to set up infra to 
revive dynamic advance fee fraud (or more general) rule generation, but 
it's possible if someone was willing to bring that code up-to-date and 
figure out what was needed and corpora providers were available.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 9 days until the 248th anniversary of the Declaration of Independence


Re: ChatGPT > Spamassassin? :)

2024-06-24 Thread jarland
I'm very interested in the concept. I imagine you'd need to have a 
locally running LLM rather than using an API, both for concerns of 
privacy and performance. Even if not SpamAssassin, I'd love to find 
anyone's open source implementation of AI for spam filtering.


On 2024-06-24 16:18, Mark London wrote:

I received a spam email with the text below, that wasn't caught by
Spamassassin (at least mine).   The text actually looks like something
that was generated using ChatGPT.  In any event,  I put the text
through ChatGPT, and asked if it looked like spam.  At the bottom of
this email, is its analysis.  I've not been fully reading this
group.  Has there been any work to allow Spamassassin to use AI?
Thanks.  - Mark

-

From: Jeff Rothschild 

Subject: From a dreamer!

Date: June 22, 2024 at 18:50:03 EDT

To: YOU 
 Reply-To: orangebluem...@naver.com

Dear Friend,

I hope this letter finds you well, surrounded by the warmth of loved
ones and the promise of a new day. My name is Jeff Rothschild, and I
am writing to you today with a heart full of excitement and a vision
for a different kind of philanthropy.

Below is a profile of me:
www.forbes.com/profile/jeff-rothschild/?sh=457d14d2c87a [1]

For many years, I have dedicated myself to supporting various
charities and causes that are dear to my heart. While I am proud of
the impact we have made together, I have come to realize that there is
more to giving than simply writing a check.

Recently, I had a dream—a vivid, inspiring dream that left me with a
sense of clarity and purpose. In that dream, I saw the faces of
ordinary people like you and me, each with their own hopes, dreams,
and struggles. And in that moment, I knew that I needed to be more
personal with my giving, to touch lives in a way that has never been
done before.

That is why I am reaching out to you today, not as a distant
benefactor, but as a fellow traveler on this journey we call life. I
want to invite you to be a part of something truly special, something
that goes beyond traditional philanthropy and connects us on a deeper,
more personal level.

Consider this letter your golden ticket to a brighter future. You've
been selected as the recipient of a generous donation from me., This
is my appreciation for your presence in this world. But this gift is
more than just a material offering; it is an invitation to join me in
a shared mission of compassion, empathy, and human connection.

Together, we can make a difference in the lives of ordinary people in
ways that are both meaningful and profound. Whether it's lending a
listening ear to a friend in need, offering a helping hand to a
neighbor facing adversity, or simply sharing a smile with a stranger,
every act of kindness has the power to create ripple effects of love
and positivity.

So please, accept this gift with an open heart and know that it comes
with no expectations or obligations. Consider it a gesture of
friendship, a symbol of our shared humanity, and a catalyst for the
extraordinary things we can achieve when we come together with purpose
and passion.

Kindly provide your full name and address, and I will guide you on how
to receive this donation..

Thank you for being a part of this journey with me. May our shared
vision of a kinder, more compassionate world inspire us to take bold
action and spread love wherever we go.

With warmest regards,

Jeff Rothschild

--

The email you received raises several red flags that suggest it might
be spam or a phishing attempt. Here are key indicators:

* Unexpected Generosity: Receiving an unsolicited offer of money from a
stranger, especially someone claiming to be a well-known
philanthropist, is highly unusual and a common tactic in scams.

* Emotional Appeal: The email uses a highly emotional and inspirational
tone, which is often employed to lower the recipient's guard and
elicit a positive response.

* Request for Personal Information: The email asks for your full name
and address, which can be used for identity theft or other malicious
purposes.

* Generic Greeting: The email addresses you as "Dear Friend" rather than
using your name, indicating it could be sent to a large number of
recipients.

* Vague and Grandiose Claims: The email makes grand claims about
personal philanthropy without providing specific details or a clear
rationale for why you were chosen.

* Suspicious Link: While the email includes a link to a legitimate
profile on Forbes, this could be a tactic to add credibility to the
scam. Scammers often use real profiles to appear legitimate, but this
doesn't verify the authenticity of the email.

* No Verification Method: There's no way to independently 

Re: BayesStore MariaDB on EL9

2024-06-24 Thread Lucas Rolff
If you're running almalinux, then report it to almalinux, they can usually 
patch things faster than RedHat can.

Sent from Outlook for iOS

From: Gerald Vogt 
Sent: Monday, June 24, 2024 9:59:35 AM
To: users@spamassassin.apache.org 
Subject: Re: BayesStore MariaDB on EL9

Hi,

for your information and anyone who comes across this problem: I have
opened an issue with RedHat.

https://issues.redhat.com/browse/RHEL-43418

It probably will be backported, but may take some time, maybe in 9.5 or
possibly later.

We'll see...

Regards,

Gerald

On 19.06.24 08:41, Gerald Vogt wrote:
> On 18.06.24 22:23, Bill Cole wrote:
>> On 2024-06-18 at 14:58:15 UTC-0400 (Tue, 18 Jun 2024 20:58:15 +0200)
>> Gerald Vogt 
>> is rumored to have said:
>>
>>> Hi,
>>>
>>> for a test, I have increased the column length of token to binary(32)
>>> and used a test file to import containing a single token.
>>>
>>> This time it went through. However, as I suspected, the token length
>>> is not 5 byte. Token line from backup:
>>>
>>> t    1    0    1718024618    027121926a
>>>
>>> Hex representation of content in database:
>>>
>>> MariaDB [spamassassin]> select hex(token) from bayes_token\G
>>> *** 1. row ***
>>> hex(token): 027121C2926A
>>> 1 row in set (0.000 sec)
>>>
>>> Compared:
>>>
>>> Original 02 71 21    92 6a
>>> Database 02 71 21 C2 92 6A
>>>
>>> C2 92 is the UTF-8 encoding of U+0092, thus basically the token is
>>> written in UTF-8 into the database.
>>
>> That's odd... What is the character set of the database?
>
> It is standard DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci
> just like the table.
>
>>> Running sa-learn with DBI_TRACE=2 I can also see that it looks like
>>> it actually has the UTF-8 encoding already in there during parameter
>>> binding:
>>>
>>> Binding parameters: INSERT INTO bayes_token
>>>(id, token, spam_count, ham_count, atime)
>>>VALUES ('43','^Bq!j','1','0','1718024618')
>>>ON DUPLICATE KEY UPDATE spam_count =
>>> GREATEST(spam_count + '1', 0),
>>>ham_count = GREATEST(ham_count
>>> + '0', 0),
>>>atime = GREATEST(atime,
>>> '1718024618')
>>>
>>> Thus, I would say it's not an issue with the database.
>>>
>>> Any idea?
>>>
>>> Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.
>>
>> First: upgrade to 4.0.1
>
> Well, it's the RHEL packaged version. I don't really want to upgrade to
> a manually handled version.
>
>> There were substantial changes in how encoding was handled between
>> 3.4.6 and 4.0, and there is a substantial likelihood that any problem
>> with encoding would not occur in 4.0 or later.
>
> Yes, you are right. It works with 4.0.1.
>
> I have looked into the source code and the reason became obvious pretty
> quickly, e.g. the part in _put_token in 3.4.6
>
> https://github.com/apache/spamassassin/blob/4a1fe99da9296364be0c50f02d2a73b5af74207a/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L827
>
> compared with this in trunk
>
> https://github.com/apache/spamassassin/blob/8307bb22a7709125ab0f8e94fb7a271461944f61/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L997
>
> 4.0 does specifically tag the token as BINARY while default is VARCHAR I
> think. Thus, it automatically encodes it.
>
> This was added in
>
> https://github.com/apache/spamassassin/commit/3dd8ea4ff51d50a72212ac8cbb2f6f8d443c3489
>
> I'll open a bug with redhat and see if they either upgrade spamassassin
> in EL9 or backport something into 3.4.6.
>
> Just for the fun of it, I have replaced the packaged file with the 4.0.1
> MySQL.pm file and then it works. Looking at the commit and the commit
> history after, I think the 4.0.1 MySQL.pm should work just fine in 3.4.6.
>
> Anyway, we'll see what RedHat does about this.
>
> Thanks a lot!
>
> Regards,
>
> Gerald



Re: BayesStore MariaDB on EL9

2024-06-24 Thread Gerald Vogt

Hi,

for your information and anyone who comes across this problem: I have 
opened an issue with RedHat.


https://issues.redhat.com/browse/RHEL-43418

It probably will be backported, but may take some time, maybe in 9.5 or 
possibly later.


We'll see...

Regards,

Gerald

On 19.06.24 08:41, Gerald Vogt wrote:

On 18.06.24 22:23, Bill Cole wrote:

On 2024-06-18 at 14:58:15 UTC-0400 (Tue, 18 Jun 2024 20:58:15 +0200)
Gerald Vogt 
is rumored to have said:


Hi,

for a test, I have increased the column length of token to binary(32) 
and used a test file to import containing a single token.


This time it went through. However, as I suspected, the token length 
is not 5 byte. Token line from backup:


t    1    0    1718024618    027121926a

Hex representation of content in database:

MariaDB [spamassassin]> select hex(token) from bayes_token\G
*** 1. row ***
hex(token): 027121C2926A

1 row in set (0.000 sec)

Compared:

Original 02 71 21    92 6a
Database 02 71 21 C2 92 6A

C2 92 is the UTF-8 encoding of U+0092, thus basically the token is 
written in UTF-8 into the database.


That's odd... What is the character set of the database?


It is standard DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci 
just like the table.


Running sa-learn with DBI_TRACE=2 I can also see that it looks like 
it actually has the UTF-8 encoding already in there during parameter 
binding:


Binding parameters: INSERT INTO bayes_token
   (id, token, spam_count, ham_count, atime)
   VALUES ('43','^Bq!j','1','0','1718024618')
   ON DUPLICATE KEY UPDATE spam_count = 
GREATEST(spam_count + '1', 0),
   ham_count = GREATEST(ham_count 
+ '0', 0),
   atime = GREATEST(atime, 
'1718024618')


Thus, I would say it's not an issue with the database.

Any idea?

Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.


First: upgrade to 4.0.1


Well, it's the RHEL packaged version. I don't really want to upgrade to 
a manually handled version.


There were substantial changes in how encoding was handled between 
3.4.6 and 4.0, and there is a substantial likelihood that any problem 
with encoding would not occur in 4.0 or later.


Yes, you are right. It works with 4.0.1.

I have looked into the source code and the reason became obvious pretty 
quickly, e.g. the part in _put_token in 3.4.6


https://github.com/apache/spamassassin/blob/4a1fe99da9296364be0c50f02d2a73b5af74207a/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L827

compared with this in trunk

https://github.com/apache/spamassassin/blob/8307bb22a7709125ab0f8e94fb7a271461944f61/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L997

4.0 does specifically tag the token as BINARY while default is VARCHAR I 
think. Thus, it automatically encodes it.


This was added in

https://github.com/apache/spamassassin/commit/3dd8ea4ff51d50a72212ac8cbb2f6f8d443c3489

I'll open a bug with redhat and see if they either upgrade spamassassin 
in EL9 or backport something into 3.4.6.


Just for the fun of it, I have replaced the packaged file with the 4.0.1 
MySQL.pm file and then it works. Looking at the commit and the commit 
history after, I think the 4.0.1 MySQL.pm should work just fine in 3.4.6.


Anyway, we'll see what RedHat does about this.

Thanks a lot!

Regards,

Gerald
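The byte expansion reported in this thread can be reproduced offline. The following is an added example, not SpamAssassin code (which is Perl): it treats a raw token as Latin-1 text serialised as UTF-8, as observed with 3.4.6, and checks backup lines for tokens that would no longer fit a 5-byte column. Function names and the constructed sample lines are assumptions made for illustration.

```python
from typing import Iterable, List, Optional, Tuple

TOKEN_LEN = 5  # raw token length discussed in the thread


def utf8_expanded(token: bytes) -> bytes:
    """Bytes that reach the database when the raw token is handled as
    Latin-1 characters and written out as UTF-8 (every byte >= 0x80
    becomes two bytes, e.g. 0x92 -> C2 92)."""
    return token.decode("latin-1").encode("utf-8")


def undo_expansion(stored: bytes) -> Optional[bytes]:
    """Reverse the expansion for a value read back from the database.
    Returns None when the value is not UTF-8-expanded Latin-1 or does
    not come back to TOKEN_LEN bytes."""
    try:
        raw = stored.decode("utf-8").encode("latin-1")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return None
    return raw if len(raw) == TOKEN_LEN else None


def parse_backup_token(line: str) -> Optional[bytes]:
    """Parse a token line of the backup: t <spam> <ham> <atime> <hex token>."""
    fields = line.split()
    if len(fields) != 5 or fields[0] != "t":
        return None
    try:
        return bytes.fromhex(fields[4])
    except ValueError:
        return None


def audit_backup(lines: Iterable[str]) -> List[Tuple[str, int, bool]]:
    """For each token line return (hex token, stored length, fits in 5 bytes)."""
    report = []
    for line in lines:
        token = parse_backup_token(line)
        if token is None:
            continue
        stored = utf8_expanded(token)
        report.append((token.hex(), len(stored), len(stored) <= TOKEN_LEN))
    return report


SAMPLE_BACKUP = [
    "t\t1\t0\t1718024618\t027121926a",  # token line quoted in the thread
    "t\t3\t0\t1718024618\t0271213a6a",  # constructed: every byte < 0x80
    "t\t0\t2\t1718024618\tff80010203",  # constructed: two bytes >= 0x80
    "v\t3\tdb_version",                 # constructed non-token line, skipped
]

if __name__ == "__main__":
    for hex_token, stored_len, fits in audit_backup(SAMPLE_BACKUP):
        status = "fits" if fits else "overflows binary(%d)" % TOKEN_LEN
        print(hex_token, stored_len, status)
```

Only tokens containing a byte of 0x80 or above grow, which is why an import can work for some tokens and fail for others.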




Re: Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired

2024-06-24 Thread giovanni

On 6/23/24 10:26 PM, Larry Nedry via users wrote:

On 7/21/23 9:10 AM, Giovanni Bechis wrote:

Hi,
phishstats[.]info domain has recently moved to a parking domain, if you are using 
Mail::SpamAssassin::Plugin::Phishing plugin with data downloaded from PhishStats[.]info 
it would be better to comment "phishing_phishstats_feed" configuration line.
If PhishStats[.]info will not find a new home I am going to remove the relevant 
code from the plugin.

 Regards
  Giovanni


Did you remove the relevant code for PhishStats?


Yes, I've removed the code; now PhishStats is back and code has been restored 
after 4.0.1 release.
 Giovanni





Re: Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired

2024-06-23 Thread Larry Nedry via users

On 7/21/23 9:10 AM, Giovanni Bechis wrote:

Hi,
phishstats[.]info domain has recently moved to a parking domain, if 
you are using Mail::SpamAssassin::Plugin::Phishing plugin with data 
downloaded from PhishStats[.]info it would be better to comment 
"phishing_phishstats_feed" configuration line.
If PhishStats[.]info will not find a new home I am going to remove the 
relevant code from the plugin.


 Regards
  Giovanni


Did you remove the relevant code for PhishStats?

Regards,
Larry


Re: Questions about spamassassin

2024-06-22 Thread Matus UHLAR - fantomas

Paul Schmehl wrote on 2024-06-21 01:17:


bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes


On 22.06.24 16:30, Benny Pedersen wrote:

this need spamd running as root :/


according to OP mail the directory is owned by spamd user

https://marc.info/?l=spamassassin-users&m=171891451702472&w=2


bayes_path ~/.spamassassin/bayes

path is not a file, just a dir


it's a path + filename prefix 
so the setting is correct.


I however prefer using /var, like in debian:

debian-spamd:x:114:114::/var/lib/spamassassin:/bin/sh

drwx------ 2 debian-spamd debian-spamd 4096 Jun 22 02:13 /var/lib/spamassassin/.spamassassin/

YMMV of course


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.


Re: Questions about spamassassin

2024-06-22 Thread Benny Pedersen

Paul Schmehl wrote on 2024-06-21 01:17:


bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes


this need spamd running as root :/

bayes_path ~/.spamassassin/bayes

path is not a file, just a dir

expanded without ~ is in gentoo /var/lib/spamd

this support any system users, spamd homedir incl

id spamd
uid=998(spamd) gid=337(spamd) groups=337(spamd),333(amavis)

grep spamd /etc/passwd
spamd:x:998:337:User for the SpamAssassin 
daemon:/var/lib/spamd:/sbin/nologin


hope it helps, else ask



Re: Question about sa-updates

2024-06-22 Thread Benny Pedersen

Paul Schmehl wrote on 2024-06-22 07:44:


It’s not clear to me from your answer. Does SA read rules in both
places?


it eval first sa-update rules, then later host rules


Or only in /etc/mail/spamassassin/?


this is host rules, you define all global configs here, and it will 
never be overridden by sa-update


add rules to userprefs.cf in same place as local.cf is, score userprefs 
rules with nearly zero score, but not zero 0, why this ?


if done this way scores can be changed in ldap/sql pr user, even in 
$HOME./spamassassin/user-prefs


more help, then i need more info :=)



Re: Question about sa-updates

2024-06-22 Thread David B Funk

On Sat, 22 Jun 2024, Paul Schmehl wrote:


  On Jun 22, 2024, at 12:28 AM, Kenneth Porter  
wrote:

On 6/21/2024 8:56 PM, Paul Schmehl wrote:
  I scratched my head, then looked up the man page for sa-update on the 
web. Sure enough, that’s where the rules
  go. Is that where my local.cf file should be located? Right now it’s in 
/etc/mail/spamassassin. There’s a default
  local.cf file in /var/lib/…..


/var/lib/spamassassin is where channels put their rules. /etc/mail/spamassassin 
is where the host admin puts her
customizations. I like to use separate files for different policies, named 
after each effect I'm trying to get. SA will load
anything there with a .cf extension.

It’s not clear to me from your answer. Does SA read rules in both places? Or 
only in /etc/mail/spamassassin/? 



Reading the "man" page documentation for spamassassin, it lists several 
different directories that SA looks for its config files in and the order that 
it reads them from.


The possible directories are distro and version specific so you need to read the 
docs for your specific instance.



--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Question about sa-updates

2024-06-21 Thread Paul Schmehl
> On Jun 22, 2024, at 12:28 AM, Kenneth Porter  wrote:
> 
> On 6/21/2024 8:56 PM, Paul Schmehl wrote:
>> I scratched my head, then looked up the man page for sa-update on the web. 
>> Sure enough, that’s where the rules go. Is that where my local.cf file 
>> should be located? Right now it’s in /etc/mail/spamassassin. There’s a 
>> default local.cf file in /var/lib/…..
> 
> /var/lib/spamassassin is where channels put their rules. 
> /etc/mail/spamassassin is where the host admin puts her customizations. I 
> like to use separate files for different policies, named after each effect 
> I'm trying to get. SA will load anything there with a .cf extension.
> 
> It’s not clear to me from your answer. Does SA read rules in both places? Or 
> only in /etc/mail/spamassassin/? 

Paul Schmehl
paul.schm...@gmail.com


Re: Question about sa-updates

2024-06-21 Thread Kenneth Porter

On 6/21/2024 8:56 PM, Paul Schmehl wrote:
I scratched my head, then looked up the man page for sa-update on the 
web. Sure enough, that’s where the rules go. Is that where my local.cf 
file should be located? Right now it’s in /etc/mail/spamassassin. 
There’s a default local.cf file in /var/lib/…..


/var/lib/spamassassin is where channels put their rules. 
/etc/mail/spamassassin is where the host admin puts her customizations. 
I like to use separate files for different policies, named after each 
effect I'm trying to get. SA will load anything there with a .cf extension.





Question about sa-updates

2024-06-21 Thread Paul Schmehl
I just ran sa-updates. Then I looked in /etc/mail/spamassassin to see if the 
rules had been updated, and none of them had today’s date on them

So, I downloaded the tar file, unzipped it, and searched for one of the files. 
I found them in /var/lib/spamassassin/….

I scratched my head, then looked up the man page for sa-update on the web. Sure 
enough, that’s where the rules go. Is that where my local.cf file should be 
located? Right now it’s in /etc/mail/spamassassin. There’s a default local.cf 
file in /var/lib/…..

Paul Schmehl
paul.schm...@gmail.com





Re: Questions about spamassassin

2024-06-21 Thread Paul Schmehl
> On Jun 21, 2024, at 8:24 AM, Bill Cole 
>  wrote:
> 
> On 2024-06-20 at 19:17:19 UTC-0400 (Thu, 20 Jun 2024 18:17:19 -0500)
> Paul Schmehl 
> is rumored to have said:
> 
>> Here’s every line with bayes_ in it:
>> bayes_#auto_learn 1
>> bayes_learn_to_journal 1
>> bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes
>> bayes_file_mode 0775
>> bayes_ignore_header ReSent-Date
>> bayes_ignore_header ReSent-From
>> bayes_ignore_header ReSent-Message-ID
>> bayes_ignore_header ReSent-Subject
>> bayes_ignore_header ReSent-To
>> bayes_ignore_header Resent-Date
>> bayes_ignore_header Resent-From
>> bayes_ignore_header Resent-Message-ID
>> bayes_ignore_header Resent-Subject
>> bayes_ignore_header Resent-To
>> 
>> I think that first line looks problematic.
> 
> I agree. The spurious # would generate precisely the error message you got.

Fixing that resolved the problem. It’s funny how you can look at config files 
and not even notice problems. Yet, one post in the mailing list and I spotted it.

Thanks for your help.

Paul Schmehl
paul.schm...@gmail.com


Re: MSGID_BELONGS_RECIPIENT and DKIMWL

2024-06-21 Thread Alex
Kris, thanks so much for the direction. It was enough for me to investigate
and make some changes. I hadn't realized I still had Paul Stead's rules
locally as well as updated rules in SA proper.

Thanks,
Alex

On Thu, Jun 20, 2024 at 11:23 AM Kris Deugau  wrote:

> Alex wrote:
> > Hi,
> >
> > I had an obit email very unfortunately get tagged as spam for what
> > appears to be the result of a few DKIMWL rules and
> MSGID_BELONGS_RECIPIENT.
> >
> >   *  1.0 DKIMWL_BULKMAILER_LOW ASKDNS: DKIMwl.org - Low scoring
> bulkmailer
> >   *  [tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org
> >  A:127.0.2.1]
>
> Not a stock rule.
>
>
> >   *  1.5 DKIMWL_BL ASKDNS: DKIMwl.org - Low trust sender
> >   *  [tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org
> >  A:127.0.2.1]
>
> The lookup result looks to have shifted somewhat from "low" to "low-med":
>
> $ host tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org
> tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org has address 127.0.2.2
>
> however it looks likely you've redefined the rule, so it's not behaving
> as per stock or per DKIMwl.org's usage guidelines: http://dkimwl.org/usage
> .
>
> The stock version of this rule should only match results ending in .0.
>
>
> >   *  1.0 MSGID_BELONGS_RECIPIENT Message-ID domain belongs to recipient
>
> Also not a stock rule.  It's difficult to tell with the redactions in
> the pastebin, but it also appears to be misfiring.  You'll have to post
> unredacted headers along with the rule details for specific help.
>
>
> > How reliable are the DKIMWL_ rules? They seem to hit a lot of ham,
>
> That's the intention.  They're to help otherwise legitimate senders that
> may send spammier content still get through.
>
> I've scored them to an advisory -0.001 locally, as I had a few too many
> cases of outright abuse of an otherwise fairly clean platform to send
> scams.  It's been easier to deal with the resulting occasional false
> positive one at a time instead.
>
> -kgd
>


Re: Questions about spamassassin

2024-06-21 Thread Bill Cole
On 2024-06-20 at 19:17:19 UTC-0400 (Thu, 20 Jun 2024 18:17:19 -0500)
Paul Schmehl 
is rumored to have said:

> Here’s every line with bayes_ in it:
> bayes_#auto_learn 1
> bayes_learn_to_journal 1
> bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes
> bayes_file_mode 0775
> bayes_ignore_header ReSent-Date
> bayes_ignore_header ReSent-From
> bayes_ignore_header ReSent-Message-ID
> bayes_ignore_header ReSent-Subject
> bayes_ignore_header ReSent-To
> bayes_ignore_header Resent-Date
> bayes_ignore_header Resent-From
> bayes_ignore_header Resent-Message-ID
> bayes_ignore_header Resent-Subject
> bayes_ignore_header Resent-To
>
> I think that first line looks problematic.

I agree. The spurious # would generate precisely the error message you got.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Questions about spamassassin

2024-06-20 Thread Paul Schmehl
> On Jun 20, 2024, at 6:05 PM, Bill Cole 
>  wrote:
> 
> On 2024-06-20 at 16:14:47 UTC-0400 (Thu, 20 Jun 2024 15:14:47 -0500)
> Paul Schmehl <paul.schm...@gmail.com>
> is rumored to have said:
> 
>> I’m running spamassassin (SA) 3.4, postfix 3.9.0-1, and dovecot 2.2.36-8 on 
>> a linux server. I have some questions about SA that I can’t seem to find 
>> answers for on the web.
>> 
>> The SA conf files are /etc/mail/spamassassin. The bayes files are in 
>> /usr/local/etc/mail/spamassassin/bayes.
>> 
>> I’m running spamd as the content_filter in postfix. spamassassin unix -  
>> n   n   -   -  pipe
>>user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} 
>> ${recipient}
>> 
>> Everything is working as expected, but I have some questions about 
>> permissions. Should spamd be the owner of /etc/mail/spamassassin?
> 
> No. It is entirely normal for any user to read the config files. The spamd 
> user never needs to write to that directory or anything in it.

I set it back to root ownership.
> 
>> Of /usr/local/etc/mail/spamassassin?
> 
> Yes. The bayes_* files there are the active Bayes DB in use by the spamd 
> daemon, so the user the daemon is running as needs to be able to do anything 
> in that directory.

So spamd needs to be the owner of the bayes files.
> 
>> Today I got a warning about the unsafe perms on sa-update-keys. Who should 
>> own those and what should the perms be?
> 
> Files in that directory control whose signatures you trust on daily rules 
> packages, so the directory should be owned by root, perms 0700.
> 
> 
>> Finally, I’m seeing this in my maillogs.
>> config: failed to parse line, skipping, in 
>> "/etc/mail/spamassassin/local.cf": bayes_
>> 
>> This is the config in local.cf:
>> bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes
> 
> Is there any other line in that file starting with 'bayes_' ?
> 
> That error message is not lying to you: you have an error in local.cf which 
> SA cannot parse around. Also look in the lines before the 'bayes_path' line 
> for unterminated quotes.
> 
Here’s every line with bayes_ in it:
bayes_#auto_learn 1
bayes_learn_to_journal 1
bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes
bayes_file_mode 0775
bayes_ignore_header ReSent-Date
bayes_ignore_header ReSent-From
bayes_ignore_header ReSent-Message-ID
bayes_ignore_header ReSent-Subject
bayes_ignore_header ReSent-To
bayes_ignore_header Resent-Date
bayes_ignore_header Resent-From
bayes_ignore_header Resent-Message-ID
bayes_ignore_header Resent-Subject
bayes_ignore_header Resent-To
 
I think that first line looks problematic.
> 
>> This is the contents of the bayes folder:
>> # ls -lsah /usr/local/etc/mail/spamassassin/bayes/
>> total 632K
>>   0 drwxrwxr-x 2 spamd spamd   63 Jun 20 11:36 .
>>   0 drwxrwxr-x 3 spamd spamd   19 Jun 13 06:00 ..
>> 96K -rw------- 1 spamd spamd  95K Jun 20 14:44 bayes_journal
>> 12K -rwxrwxrwx 1 spamd spamd  12K Jun 20 11:32 bayes_seen
>> 524K -rwxrwxrwx 1 spamd spamd 664K Jun 20 11:32 bayes_toks
>> 
>> spamd owns the directory /usr/local/etc/mail/spamassassin and all 
>> subdirectories. The perms are 775 for the directories and 777 for all files. 
>>  (I did this for testing purposes. They normally would be 755 and 644.)
> 
> I hope there's only you on that machine...

It is.
> 
> Using 'chmod 777' to troubleshoot permissions issues is always a bad idea.

Yeah, but when you run out of ideas…..

They’ve already been reset to normal since they didn’t change anything.

Paul Schmehl
paul.schm...@gmail.com
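The ownership and mode advice given in this thread (config not writable by the daemon user, Bayes directory owned by the daemon user, sa-update-keys owned by root with mode 0700, nothing left world-writable after a 'chmod 777' test) can be checked mechanically. This is an added example, not part of SpamAssassin or of any post here; the function names are hypothetical and all paths and the daemon uid are supplied by the caller.

```python
import os
import stat
import sys
from typing import Iterator, List, Tuple


def _entries(root: str) -> Iterator[Tuple[str, os.stat_result]]:
    """Yield (path, lstat) for root and everything below it, skipping symlinks."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, name) for name in dirnames + filenames)
    for path in paths:
        st = os.lstat(path)
        if not stat.S_ISLNK(st.st_mode):
            yield path, st


def check_keys_dir(path: str, trusted_uid: int = 0) -> List[str]:
    """sa-update-keys decides whose rule signatures are trusted:
    owned by root, mode exactly 0700."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != trusted_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {trusted_uid}")
    if mode != 0o700:
        findings.append(f"{path}: mode {mode:04o}, expected 0700")
    return findings


def check_config_dir(path: str, daemon_uid: int) -> List[str]:
    """Config files may be read by anyone, but the daemon user never
    needs to write them: flag daemon ownership and world-writable bits."""
    findings = []
    for entry, st in _entries(path):
        if st.st_uid == daemon_uid:
            findings.append(f"{entry}: owned by the daemon user (uid {daemon_uid})")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{entry}: world-writable ({stat.S_IMODE(st.st_mode):04o})")
    return findings


def check_bayes_dir(path: str, daemon_uid: int) -> List[str]:
    """The Bayes DB must be writable by the daemon user, and by nobody
    outside its owner/group: flag wrong owner and world-writable bits."""
    findings = []
    for entry, st in _entries(path):
        if st.st_uid != daemon_uid:
            findings.append(f"{entry}: owner uid {st.st_uid}, expected {daemon_uid}")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{entry}: world-writable ({stat.S_IMODE(st.st_mode):04o})")
    return findings


if __name__ == "__main__":
    # Usage: audit.py CONFIG_DIR BAYES_DIR KEYS_DIR DAEMON_UID
    conf, bayes, keys, uid = sys.argv[1], sys.argv[2], sys.argv[3], int(sys.argv[4])
    problems = check_config_dir(conf, uid) + check_bayes_dir(bayes, uid) + check_keys_dir(keys)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```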


Re: Questions about spamassassin

2024-06-20 Thread Bill Cole

On 2024-06-20 at 16:14:47 UTC-0400 (Thu, 20 Jun 2024 15:14:47 -0500)
Paul Schmehl 
is rumored to have said:

I’m running spamassassin (SA) 3.4, postfix 3.9.0-1, and dovecot 
2.2.36-8 on a linux server. I have some questions about SA that I 
can’t seem to find answers for on the web.


The SA conf files are /etc/mail/spamassassin. The bayes files are in 
/usr/local/etc/mail/spamassassin/bayes.


I’m running spamd as the content_filter in postfix. spamassassin 
unix -  n   n   -   -  pipe
user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f 
${sender} ${recipient}


Everything is working as expected, but I have some questions about 
permissions. Should spamd be the owner of /etc/mail/spamassassin?


No. It is entirely normal for any user to read the config files. The 
spamd user never needs to write to that directory or anything in it.



Of /usr/local/etc/mail/spamassassin?


Yes. The bayes_* files there are the active Bayes DB in use by the spamd 
daemon, so the user the daemon is running as needs to be able to do 
anything in that directory.


Today I got a warning about the unsafe perms on sa-update-keys. Who 
should own those and what should the perms be?


Files in that directory control whose signatures you trust on daily 
rules packages, so the directory should be owned by root, perms 0700.




Finally, I’m seeing this in my maillogs.
config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": bayes_


This is the config in local.cf:
bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes


Is there any other line in that file starting with 'bayes_' ?

That error message is not lying to you: you have an error in local.cf 
which SA cannot parse around. Also look in the lines before the 
'bayes_path' line for unterminated quotes.




This is the contents of the bayes folder:
# ls -lsah /usr/local/etc/mail/spamassassin/bayes/
total 632K
   0 drwxrwxr-x 2 spamd spamd   63 Jun 20 11:36 .
   0 drwxrwxr-x 3 spamd spamd   19 Jun 13 06:00 ..
 96K -rw--- 1 spamd spamd  95K Jun 20 14:44 bayes_journal
 12K -rwxrwxrwx 1 spamd spamd  12K Jun 20 11:32 bayes_seen
524K -rwxrwxrwx 1 spamd spamd 664K Jun 20 11:32 bayes_toks

spamd owns the directory /usr/local/etc/mail/spamassassin and all 
subdirectories. The perms are 775 for the directories and 777 for all 
files.  (I did this for testing purposes. They normally would be 755 
and 644.)


I hope there's only you on that machine...

Using 'chmod 777' to troubleshoot permissions issues is always a bad 
idea.


Spam that are not caught by SA are moved to my junk folder, and I 
croned a script that parses those and feeds them into bayes_seen. That 
script is working, and the bayes_seen file is being updated. (I 
checked the timestamp on the file after running the script manually.)


I can’t make sense out of this error message. What am I missing?


It is a configuration file parsing error. It has nothing to do with 
permissions or ownership. There's an error in local.cf.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Questions about spamassassin

2024-06-20 Thread Paul Schmehl
I’m running spamassassin (SA) 3.4, postfix 3.9.0-1, and dovecot 2.2.36-8 on a 
linux server. I have some questions about SA that I can’t seem to find answers 
for on the web.

The SA conf files are /etc/mail/spamassassin. The bayes files are in 
/usr/local/etc/mail/spamassassin/bayes.

I’m running spamd as the content_filter in postfix.
spamassassin unix -  n   n   -   -  pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Everything is working as expected, but I have some questions about permissions. 
Should spamd be the owner of /etc/mail/spamassassin? Of 
/usr/local/etc/mail/spamassassin?

Today I got a warning about the unsafe perms on sa-update-keys. Who should own 
those and what should the perms be?

Finally, I’m seeing this in my maillogs.
config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": bayes_

This is the config in local.cf: 
bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes

This is the contents of the bayes folder:
# ls -lsah /usr/local/etc/mail/spamassassin/bayes/
total 632K
   0 drwxrwxr-x 2 spamd spamd   63 Jun 20 11:36 .
   0 drwxrwxr-x 3 spamd spamd   19 Jun 13 06:00 ..
 96K -rw--- 1 spamd spamd  95K Jun 20 14:44 bayes_journal
 12K -rwxrwxrwx 1 spamd spamd  12K Jun 20 11:32 bayes_seen
524K -rwxrwxrwx 1 spamd spamd 664K Jun 20 11:32 bayes_toks

spamd owns the directory /usr/local/etc/mail/spamassassin and all 
subdirectories. The perms are 775 for the directories and 777 for all files.  
(I did this for testing purposes. They normally would be 755 and 644.) 

Spam that are not caught by SA are moved to my junk folder, and I croned a 
script that parses those and feeds them into bayes_seen. That script is 
working, and the bayes_seen file is being updated. (I checked the timestamp on 
the file after running the script manually.)

I can’t make sense out of this error message. What am I missing?

Paul Schmehl
paul.schm...@gmail.com





Re: MSGID_BELONGS_RECIPIENT and DKIMWL

2024-06-20 Thread Kris Deugau

Alex wrote:

Hi,

I had an obit email very unfortunately get tagged as spam for what 
appears to be the result of a few DKIMWL rules and MSGID_BELONGS_RECIPIENT.


  *  1.0 DKIMWL_BULKMAILER_LOW ASKDNS: DKIMwl.org - Low scoring bulkmailer
  *      [tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org 
 A:127.0.2.1]


Not a stock rule.



  *  1.5 DKIMWL_BL ASKDNS: DKIMwl.org - Low trust sender
  *      [tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org 
 A:127.0.2.1]


The lookup result looks to have shifted somewhat from "low" to "low-med":

$ host tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org
tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org has address 127.0.2.2

however it looks likely you've redefined the rule, so it's not behaving 
as per stock or per DKIMwl.org's usage guidelines: http://dkimwl.org/usage.


The stock version of this rule should only match results ending in .0.



  *  1.0 MSGID_BELONGS_RECIPIENT Message-ID domain belongs to recipient


Also not a stock rule.  It's difficult to tell with the redactions in 
the pastebin, but it also appears to be misfiring.  You'll have to post 
unredacted headers along with the rule details for specific help.




How reliable are the DKIMWL_ rules? They seem to hit a lot of ham,


That's the intention.  They're to help otherwise legitimate senders that 
may send spammier content still get through.


I've scored them to an advisory -0.001 locally, as I had a few too many 
cases of outright abuse of an otherwise fairly clean platform to send 
scams.  It's been easier to deal with the resulting occasional false 
positive one at a time instead.


-kgd


Re: Docs confusion and missing dependency on EL9

2024-06-19 Thread Bill Cole

On 2024-06-19 at 01:28:20 UTC-0400 (Wed, 19 Jun 2024 07:28:20 +0200)
Gerald Vogt 
is rumored to have said:


Hi,

for testing I tried to install spamassassin 4.0.1 on EL9 (AlmaLinux 
9.4). I have noticed some dependencies are not mentioned on the 
INSTALL page:


I have had to install perl-ExtUtils-MakeMaker.noarch to run 
Makefile.PL


That module has been a part of the Perl "core" in all versions of Perl 
5.



I have had to install perl-Archive-Tar.noarch to run sa-update.


Archive::Tar has been in the core since Perl v5.9.3


Those two are nowhere mentioned.


A standard Perl installation of any version we support will have both of 
those.


RedHat, for reasons of their own, splits the Perl core into many 
packages. To get the standard core on any EL-based system, install the 
"perl" package.



It also took me a while to find the instructions how to install.

I started at https://spamassassin.apache.org/index.html

where "Click here to get started using SpamAssassin! " looked 
promising.


But at

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/StartUsing

I have spent considerable time to look for where to download and how 
to actually install spamassassin, but eventually gave up. Only now I 
have found some instructions on the SingleUserUnixInstall page.


So I have circled back and checked the Download link from the top. 
There I can download the tar, get hints on Upgrading but still nothing 
on installation.


There is a link at the top of the homepage to "Download" and in the 
tarball on the download page there's a document named "INSTALL"


The overwhelming majority of users who install SA do so using their 
system's packaged version or CPAN.




The Wiki and FAQ links from the top are not helpful either.

So eventually, I have found it on "Docs", pointing to the INSTALL 
file.


From experience, that is not really the first place I would look.


That certainly varies by individual. I definitely look to the 
documentation for information on how to install software.


I would think the "Get Started" page should have a link to the 
Download and INSTALL page at the beginning. Downloading and installing 
seem to be the obvious first steps to get started.


I agree. The whole logical structure of the website needs a more 
rigorous review.



The Download page should have a link for INSTALL like it already has 
for the Upgrade.


And I would say "Where to download" and "How to install" are pretty 
common FAQs, too.


Indeed.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: BayesStore MariaDB on EL9

2024-06-19 Thread Gerald Vogt

On 18.06.24 22:23, Bill Cole wrote:

On 2024-06-18 at 14:58:15 UTC-0400 (Tue, 18 Jun 2024 20:58:15 +0200)
Gerald Vogt 
is rumored to have said:


Hi,

for a test, I have increased the column length of token to binary(32) 
and used a test file to import containing a single token.


This time it went through. However, as I suspected, the token length 
is not 5 byte. Token line from backup:


t    1    0    1718024618    027121926a

Hex representation of content in database:

MariaDB [spamassassin]> select hex(token) from bayes_token\G
*** 1. row ***
hex(token): 027121C2926A

1 row in set (0.000 sec)

Compared:

Original 02 71 21    92 6a
Database 02 71 21 C2 92 6A

C2 92 is the UTF-8 encoding of U+0092, thus basically the token is 
written in UTF-8 into the database.


That's odd... What is the character set of the database?


It is standard DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci 
just like the table.


Running sa-learn with DBI_TRACE=2 I can also see that it looks like it 
actually has the UTF-8 encoding already in there during parameter 
binding:


Binding parameters: INSERT INTO bayes_token
   (id, token, spam_count, ham_count, atime)
   VALUES ('43','^Bq!j','1','0','1718024618')
   ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '1', 0),
   ham_count = GREATEST(ham_count + '0', 0),
   atime = GREATEST(atime, '1718024618')


Thus, I would say it's not an issue with the database.

Any idea?

Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.


First: upgrade to 4.0.1


Well, it's the RHEL packaged version. I don't really want to upgrade to 
a manually handled version.


There were substantial changes in how encoding was handled between 3.4.6 
and 4.0, and there is a substantial likelihood that any problem with 
encoding would not occur in 4.0 or later.


Yes, you are right. It works with 4.0.1.

I have looked into the source code and the reason became obvious pretty 
quickly, e.g. the part in _put_token in 3.4.6


https://github.com/apache/spamassassin/blob/4a1fe99da9296364be0c50f02d2a73b5af74207a/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L827

compared with this in trunk

https://github.com/apache/spamassassin/blob/8307bb22a7709125ab0f8e94fb7a271461944f61/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L997

4.0 does specifically tag the token as BINARY while default is VARCHAR I 
think. Thus, it automatically encodes it.


This was added in

https://github.com/apache/spamassassin/commit/3dd8ea4ff51d50a72212ac8cbb2f6f8d443c3489

I'll open a bug with redhat and see if they either upgrade spamassassin 
in EL9 or backport something into 3.4.6.


Just for the fun of it, I have replaced the packaged file with the 4.0.1 
MySQL.pm file and then it works. Looking at the commit and the commit 
history after, I think the 4.0.1 MySQL.pm should work just fine in 3.4.6.


Anyway, we'll see what RedHat does about this.

Thanks a lot!

Regards,

Gerald
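
The size mismatch worked out in this thread, reproduced as an added example (it is not SpamAssassin code and not from any poster). It models the effect as each raw token byte being taken for a Latin-1 character and sent as UTF-8; the function names, the sample rows other than the thread's own token, and the assumption that token bytes are uniformly distributed are all constructed for illustration.

```python
# Added illustration; hypothetical helper names, not part of SpamAssassin.
TOKEN_WIDTH = 5  # bayes_token.token is binary(5) in the schema quoted in the thread


def sent_as_text(token: bytes) -> bytes:
    """Model of the failure: every raw byte is read as a Latin-1 character
    and the resulting string goes to the server encoded as UTF-8."""
    return token.decode("latin-1").encode("utf-8")


def recover_token(stored: bytes, width: int = TOKEN_WIDTH):
    """Undo the inflation for one stored value.

    Returns the raw token, or None when `stored` cannot be the UTF-8 form
    of a `width`-byte token (invalid UTF-8, code points above U+00FF,
    wrong length after conversion, or nothing to undo)."""
    if len(stored) == width:
        return None
    try:
        raw = stored.decode("utf-8").encode("latin-1")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return None
    return raw if len(raw) == width else None


def audit(rows_hex):
    """Classify hex(token) values from a widened column.

    Returns (stored_hex, status, raw_hex) tuples where status is
    'ok' (already 5 bytes), 'inflated' (recoverable) or 'unknown'."""
    report = []
    for stored_hex in rows_hex:
        stored = bytes.fromhex(stored_hex)
        if len(stored) == TOKEN_WIDTH:
            report.append((stored_hex, "ok", stored.hex()))
            continue
        raw = recover_token(stored)
        if raw is None:
            report.append((stored_hex, "unknown", None))
        else:
            report.append((stored_hex, "inflated", raw.hex()))
    return report


def share_rejected(width: int = TOKEN_WIDTH) -> float:
    """Share of tokens that grow past `width` bytes, assuming uniformly
    distributed bytes: any byte >= 0x80 becomes two bytes in UTF-8."""
    return 1 - 0.5 ** width


# First row is the value shown in the thread; the others are constructed.
SAMPLE_ROWS = [
    "027121C2926A",      # thread: 02 71 21 92 6a with 92 sent as C2 92
    "4142434445",        # constructed: all bytes < 0x80, stored unchanged
    "C3BFC2800102C3A9",  # constructed: ff 80 01 02 e9 inflated to 8 bytes
    "E282AC010203",      # constructed: U+20AC cannot come from one raw byte
    "FF0001020304",      # constructed: not valid UTF-8 at all
]

if __name__ == "__main__":
    for stored_hex, status, raw_hex in audit(SAMPLE_ROWS):
        print(f"{stored_hex:<18} {status:<9} {raw_hex}")
    print(f"share of tokens that overflow binary(5): {share_rejected():.1%}")
```

Under that uniformity assumption about 97% of tokens contain at least one byte of 0x80 or above, which is consistent with bayes_token staying empty rather than filling partially.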


Docs confusion and missing dependency on EL9

2024-06-18 Thread Gerald Vogt

Hi,

for testing I tried to install spamassassin 4.0.1 on EL9 (AlmaLinux 
9.4). I have noticed some dependencies are not mentioned on the INSTALL 
page:


I have had to install perl-ExtUtils-MakeMaker.noarch to run Makefile.PL
I have had to install perl-Archive-Tar.noarch to run sa-update.

Those two are nowhere mentioned.

It also took me a while to find the instructions how to install.

I started at https://spamassassin.apache.org/index.html

where "Click here to get started using SpamAssassin! " looked promising.

But at

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/StartUsing

I have spent considerable time to look for where to download and how to 
actually install spamassassin, but eventually gave up. Only now I have 
found some instructions on the SingleUserUnixInstall page.


So I have circled back and checked the Download link from the top. There 
I can download the tar, get hints on Upgrading but still nothing on 
installation.


The Wiki and FAQ links from the top are not helpful either.

So eventually, I have found it on "Docs", pointing to the INSTALL file.

From experience, that is not really the first place I would look.

I would think the "Get Started" page should have a link to the Download 
and INSTALL page at the beginning. Downloading and installing seem to be 
the obvious first steps to get started.


The Download page should have a link for INSTALL like it already has for 
the Upgrade.


And I would say "Where to download" and "How to install" are pretty 
common FAQs, too.


I hope this helps.

Thanks,

Gerald





Re: BayesStore MariaDB on EL9

2024-06-18 Thread Bill Cole

On 2024-06-18 at 14:58:15 UTC-0400 (Tue, 18 Jun 2024 20:58:15 +0200)
Gerald Vogt 
is rumored to have said:


Hi,

for a test, I have increased the column length of token to binary(32) 
and used a test file to import containing a single token.


This time it went through. However, as I suspected, the token length 
is not 5 byte. Token line from backup:


t   1   0   1718024618  027121926a

Hex representation of content in database:

MariaDB [spamassassin]> select hex(token) from bayes_token\G
*** 1. row ***
hex(token): 027121C2926A

1 row in set (0.000 sec)

Compared:

Original 02 71 21    92 6a
Database 02 71 21 C2 92 6A

C2 92 is the UTF-8 encoding of U+0092, thus basically the token is 
written in UTF-8 into the database.


That's odd... What is the character set of the database?

Running sa-learn with DBI_TRACE=2 I can also see that it looks like it 
actually has the UTF-8 encoding already in there during parameter 
binding:


Binding parameters: INSERT INTO bayes_token
   (id, token, spam_count, ham_count, atime)
   VALUES ('43','^Bq!j','1','0','1718024618')
   ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '1', 0),
   ham_count = GREATEST(ham_count + '0', 0),
   atime = GREATEST(atime, '1718024618')


Thus, I would say it's not an issue with the database.

Any idea?

Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.


First: upgrade to 4.0.1

There were substantial changes in how encoding was handled between 3.4.6 
and 4.0, and there is a substantial likelihood that any problem with 
encoding would not occur in 4.0 or later.


I don't know exactly what the cause of the problem is (i.e. why is SA 
trying to write UTF-8 to the database?) but I'm quite sure that an 
official fix for 3.4.x will never happen.






Thanks,

Gerald

On 18.06.24 17:09, Gerald Vogt wrote:

Hi!

I am trying to use a mariadb database as bayesstore, but it fails to 
load tokens. Whenever it tries to insert something into bayes_token 
it fails with an error


dbg: bayes: _put_token: SQL error: Data too long for column 'token' 
at row 1


The table has been created as mentioned in

https://github.com/apache/spamassassin/blob/trunk/sql/bayes_mysql.sql

but the 5 byte binary isn't big enough. I have tried with sa-learn 
--restore as well as learning some spam mails. bayes_token remains 
empty.


MariaDB [spamassassin]> show create table bayes_token\G
*** 1. row ***
    Table: bayes_token
Create Table: CREATE TABLE `bayes_token` (
   `id` int(11) NOT NULL DEFAULT 0,
   `token` binary(5) NOT NULL,
   `spam_count` int(11) NOT NULL DEFAULT 0,
   `ham_count` int(11) NOT NULL DEFAULT 0,
   `atime` int(11) NOT NULL DEFAULT 0,
   PRIMARY KEY (`id`,`token`),
   KEY `bayes_token_idx1` (`id`,`atime`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci
1 row in set (0.000 sec)

Any idea what goes wrong here?

Thanks,

Gerald





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: BayesStore MariaDB on EL9

2024-06-18 Thread Gerald Vogt

Hi,

for a test, I have increased the column length of token to binary(32) 
and used a test file to import containing a single token.


This time it went through. However, as I suspected, the token length is 
not 5 byte. Token line from backup:


t   1   0   1718024618  027121926a

Hex representation of content in database:

MariaDB [spamassassin]> select hex(token) from bayes_token\G
*** 1. row ***
hex(token): 027121C2926A
1 row in set (0.000 sec)

Compared:

Original 02 71 21    92 6a
Database 02 71 21 C2 92 6A

C2 92 is the UTF-8 encoding of U+0092, thus basically the token is 
written in UTF-8 into the database.


Running sa-learn with DBI_TRACE=2 I can also see that it looks like it 
actually has the UTF-8 encoding already in there during parameter binding:


Binding parameters: INSERT INTO bayes_token
   (id, token, spam_count, ham_count, atime)
   VALUES ('43','^Bq!j','1','0','1718024618')
   ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count + '1', 0),
   ham_count = GREATEST(ham_count + '0', 0),
   atime = GREATEST(atime, '1718024618')


Thus, I would say it's not an issue with the database.

Any idea?

Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.

Thanks,

Gerald

On 18.06.24 17:09, Gerald Vogt wrote:

Hi!

I am trying to use a mariadb database as bayesstore, but it fails to 
load tokens. Whenever it tries to insert something into bayes_token it 
fails with an error


dbg: bayes: _put_token: SQL error: Data too long for column 'token' at 
row 1


The table has been created as mentioned in

https://github.com/apache/spamassassin/blob/trunk/sql/bayes_mysql.sql

but the 5 byte binary isn't big enough. I have tried with sa-learn 
--restore as well as learning some spam mails. bayes_token remains empty.


MariaDB [spamassassin]> show create table bayes_token\G
*** 1. row ***
    Table: bayes_token
Create Table: CREATE TABLE `bayes_token` (
   `id` int(11) NOT NULL DEFAULT 0,
   `token` binary(5) NOT NULL,
   `spam_count` int(11) NOT NULL DEFAULT 0,
   `ham_count` int(11) NOT NULL DEFAULT 0,
   `atime` int(11) NOT NULL DEFAULT 0,
   PRIMARY KEY (`id`,`token`),
   KEY `bayes_token_idx1` (`id`,`atime`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci
1 row in set (0.000 sec)

Any idea what goes wrong here?

Thanks,

Gerald






BayesStore MariaDB on EL9

2024-06-18 Thread Gerald Vogt

Hi!

I am trying to use a mariadb database as bayesstore, but it fails to 
load tokens. Whenever it tries to insert something into bayes_token it 
fails with an error


dbg: bayes: _put_token: SQL error: Data too long for column 'token' at row 1

The table has been created as mentioned in

https://github.com/apache/spamassassin/blob/trunk/sql/bayes_mysql.sql

but the 5 byte binary isn't big enough. I have tried with sa-learn 
--restore as well as learning some spam mails. bayes_token remains empty.


MariaDB [spamassassin]> show create table bayes_token\G
*** 1. row ***
   Table: bayes_token
Create Table: CREATE TABLE `bayes_token` (
  `id` int(11) NOT NULL DEFAULT 0,
  `token` binary(5) NOT NULL,
  `spam_count` int(11) NOT NULL DEFAULT 0,
  `ham_count` int(11) NOT NULL DEFAULT 0,
  `atime` int(11) NOT NULL DEFAULT 0,
  PRIMARY KEY (`id`,`token`),
  KEY `bayes_token_idx1` (`id`,`atime`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci
1 row in set (0.000 sec)

Any idea what goes wrong here?

Thanks,

Gerald




Re: Sv: Re: Question about a rule

2024-06-18 Thread Laurent S.
I'd also strongly recommend adding boundaries: /\b(blah1|blah2|blah3)\b/i

Otherwise, you might have a whole *pano*ply of words that will make 
legit mails marked a spam. You need to be super sure about poison pills 
rules, or in french - *pillu*le empoisonnée.

Good luck.

On 18.06.24 13:35, Axb wrote:
> You need to enclose in brackets
> body LOCAL_BLAH   /(blah1|blah2|blah3)/i
> 
> On 6/18/24 13:05, Anders Gustafsson wrote:
>> Sure:
>>
>> body LOCAL_PORN_RULE   /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
>> score LOCAL_PORN_RULE 8
>> describe LOCAL_PORN_RULE   This catches peter's porn spam
>>
>> Sorry again for mailing directly. No idea why it suggests the user and not 
>> users@
>>
> 
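
The two suggestions in this message (grouping the alternatives and adding \b) only work together; the following added example, which is not from any poster, shows why. It uses Python's re module as a stand-in for the Perl regex in the body rule (| and \b behave the same for these patterns), three of the alternatives from the posted rule, and constructed sample lines.

```python
import re

# Three of the alternatives from the posted rule; the rest behave the same way.
WORDS = ["pillu", "pano", "bdsm"]
ALTERNATION = "|".join(WORDS)

PATTERNS = {
    # The rule as posted: matches the words anywhere, even inside other words.
    "unanchored": re.compile(ALTERNATION, re.I),
    # \b added without grouping: it binds only to the first and last
    # alternative, i.e. (\bpillu) | (pano) | (bdsm\b).
    "ungrouped_b": re.compile(r"\b" + ALTERNATION + r"\b", re.I),
    # \b around a group applies to every alternative.
    "grouped_b": re.compile(r"\b(?:" + ALTERNATION + r")\b", re.I),
}

# Constructed sample lines: (text, is_a_real_hit)
SAMPLES = [
    ("You have a whole panoply of options", False),
    ("La pillule empoisonnée", False),
    ("Restored Hispano-Suiza for sale", False),
    ("Capillus is the Latin word for hair", False),
    ("pano tonight", True),
    ("BDSM party invitation", True),
]


def evaluate(name):
    """Run one pattern over SAMPLES.

    Returns (false_positives, false_negatives); each false positive is a
    (text, matched_substring) pair so the offending alternative is visible."""
    rx = PATTERNS[name]
    false_pos, false_neg = [], []
    for text, is_real_hit in SAMPLES:
        match = rx.search(text)
        if match and not is_real_hit:
            false_pos.append((text, match.group(0)))
        elif not match and is_real_hit:
            false_neg.append(text)
    return false_pos, false_neg


if __name__ == "__main__":
    for name in PATTERNS:
        fp, fn = evaluate(name)
        print(f"{name:<12} false positives: {len(fp)}  false negatives: {len(fn)}")
        for text, matched in fp:
            print(f"    {matched!r} in {text!r}")
```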



Re: Sv: Re: Question about a rule

2024-06-18 Thread Axb

You need to enclose in brackets
body LOCAL_BLAH   /(blah1|blah2|blah3)/i

On 6/18/24 13:05, Anders Gustafsson wrote:

Sure:

body LOCAL_PORN_RULE   /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Sorry again for mailing directly. No idea why it suggests the user and not 
users@





Re: Sv: Re: Question about a rule

2024-06-18 Thread Matus UHLAR - fantomas

On 18.06.24 14:05, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Sorry again for mailing directly. No idea why it suggests the user and not 
users@



I guess that the "sexikäs" causes troubles.
Do you use SA 4.0 ? That should be compatible with utf-8. 




Matus UHLAR - fantomas  2024-06-18 14:00 >>>

On 18.06.24 13:50, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Funny thing is that it seems to trigger on messages that contain none of those 
words. I have removed the
actual words so that my message will not be regarded as spam ??

Wonder if it is that last word that matches some regexp??


This can happen in case of incorrect regular expression.
Maybe if you posted it here, we could see the error.

run spamassassin -D < mail 2>/tmp/mail.err
and you should be able to see which string matched

Finally, SA recommends using multiple rules with small scores instead of
single rule with huge score.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Sv: Re: Question about a rule

2024-06-18 Thread Anders Gustafsson
Sure:

body LOCAL_PORN_RULE   /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Sorry again for mailing directly. No idea why it suggests the user and not 
users@

-- 
Med vänlig hälsning

Anders Gustafsson, ingenjör
anders.gustafs...@pedago.fi  |  Support +358 18 12060  |  Direkt +358 9 315 45 
121  |  Mobil +358 40506 7099

Pedago interaktiv ab, Nygatan 7 B , AX-22100 MARIEHAMN, ÅLAND, FINLAND



>>> Matus UHLAR - fantomas  2024-06-18 14:00 >>>
On 18.06.24 13:50, Anders Gustafsson wrote:
>body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
>score LOCAL_PORN_RULE 8
>describe LOCAL_PORN_RULE   This catches peter's porn spam
>
>Funny thing is that it seems to trigger on messages that contain none of those 
>words. I have removed the
>actual words so that my message will not be regarded as spam ??
>
>Wonder if it is that last word that matches some regexp??

This can happen in case of incorrect regular expression.
Maybe if you posted it here, we could see the error.

run spamassassin -D < mail 2>/tmp/mail.err
and you should be able to see which string matched

Finally, SA recommends using multiple rules with small scores instead of 
single rule with huge score.


-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ 
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: Question about a rule

2024-06-18 Thread Matus UHLAR - fantomas

On 18.06.24 13:50, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Funny thing is that it seems to trigger on messages that contain none of those 
words. I have removed the
actual words so that my message will not be regarded as spam ??

Wonder if it is that last word that matches some regexp??


This can happen in case of incorrect regular expression.
Maybe if you posted it here, we could see the error.

run spamassassin -D < mail 2>/tmp/mail.err
and you should be able to see which string matched

Finally, SA recommends using multiple rules with small scores instead of 
single rule with huge score.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Question about a rule

2024-06-18 Thread Anders Gustafsson
We have a rule that is supposed to catch various porn-related stuff:

body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Funny thing is that it seems to trigger on messages that contain none of those 
words. I have removed the
actual words so that my message will not be regarded as spam

Wonder if it is that last word that matches some regexp??


-- 
Med vänlig hälsning

Anders Gustafsson, ingenjör
anders.gustafs...@pedago.fi  |  Support +358 18 12060  |  Direkt +358 9 315 45 
121  |  Mobil +358 40506 7099

Pedago interaktiv ab, Nygatan 7 B , AX-22100 MARIEHAMN, ÅLAND, FINLAND




Sv: Re: Need some help decoding an SA analysis

2024-06-17 Thread Anders Gustafsson
Read the document. Upgraded. Ran sa-update (always forget that)


We really have a very simple setup, except for our homegrown integration with 
our email system. So I added
"enable_compat  welcomelist_blocklist" to init.pre

Then did a search/replace of local.cf for all whitelist_from and 
blacklist_from, then just for good measure
egrep -l '(whitelist|blacklist)' /etc/mail/spamassassin/*.cf which caught a few 
in comments.

Now off to read how to implement the new goodies

I apologise for mailing you directly Benny.


-- 
Med vänlig hälsning

Anders Gustafsson, ingenjör
anders.gustafs...@pedago.fi  |  Support +358 18 12060  |  Direkt +358 9 315 45 
121  |  Mobil +358 40506 7099

Pedago interaktiv ab, Nygatan 7 B , AX-22100 MARIEHAMN, ÅLAND, FINLAND



>>> Benny Pedersen  2024-06-16 16:09 >>>
Anders Gustafsson skrev den 2024-06-16 13:42:
> This one:
> 
> Return-path: 
> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on xx
> X-Spam-Level:
> X-Spam-Status: No, score=-95.6 required=5.0 
> tests=BAYES_00,HTML_MESSAGE,
>   MIME_HTML_ONLY,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RDNS_NONE,
>   TO_EQ_FM_DIRECT_MX,TO_NO_BRKTS_NORDNS_HTML,T_SCC_BODY_TEXT_LINE,
>   URIBL_BLACK,URIBL_DBL_SPAM,USER_IN_WELCOMELIST,USER_IN_WHITELIST
>   autolearn=no autolearn_force=no version=3.4.5
> Received: from hosted-by.csrdp.host ([195.10.205.97])
>   by x with ESMTP (TLS encrypted); Sun, 16 Jun 2024 11:52:11 +0300
> Reply-To: Email Mailbox Notification xx  #9698 
> 
> It was a phishing email and the provider has since shut it down. Now we 
> do not have that address in our
> whitelist. Should I interpret this that some of the entries we do have 
> in our whitelist uses this address or
> provider?

time to upgrade

https://multirbl.valli.org/lookup/195.10.205.97.html 

remove locally whitelist

change score for whitelist to non default -100

phishing links goes to phishtank.com

train bayes on phishing emails







Re: Need some help decoding an SA analysis

2024-06-16 Thread Benny Pedersen

Anders Gustafsson skrev den 2024-06-16 13:42:

This one:

Return-path: 
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on xx
X-Spam-Level:
X-Spam-Status: No, score=-95.6 required=5.0 
tests=BAYES_00,HTML_MESSAGE,

MIME_HTML_ONLY,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RDNS_NONE,
TO_EQ_FM_DIRECT_MX,TO_NO_BRKTS_NORDNS_HTML,T_SCC_BODY_TEXT_LINE,
URIBL_BLACK,URIBL_DBL_SPAM,USER_IN_WELCOMELIST,USER_IN_WHITELIST
autolearn=no autolearn_force=no version=3.4.5
Received: from hosted-by.csrdp.host ([195.10.205.97])
by x with ESMTP (TLS encrypted); Sun, 16 Jun 2024 11:52:11 +0300
Reply-To: Email Mailbox Notification xx  #9698 

It was a phishing email and the provider has since shut it down. Now we 
do not have that address in our
whitelist. Should I interpret this that some of the entries we do have 
in our whitelist uses this address or

provider?


time to upgrade

https://multirbl.valli.org/lookup/195.10.205.97.html

remove locally whitelist

change score for whitelist to non default -100

phishing links goes to phishtank.com

train bayes on phishing emails







Re: Need some help decoding an SA analysis

2024-06-16 Thread Matus UHLAR - fantomas

On 16.06.24 14:42, Anders Gustafsson wrote:

Return-path: 
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on xx
X-Spam-Level:
X-Spam-Status: No, score=-95.6 required=5.0 tests=BAYES_00,HTML_MESSAGE,
MIME_HTML_ONLY,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RDNS_NONE,
TO_EQ_FM_DIRECT_MX,TO_NO_BRKTS_NORDNS_HTML,T_SCC_BODY_TEXT_LINE,
URIBL_BLACK,URIBL_DBL_SPAM,USER_IN_WELCOMELIST,USER_IN_WHITELIST
autolearn=no autolearn_force=no version=3.4.5
Received: from hosted-by.csrdp.host ([195.10.205.97])
by x with ESMTP (TLS encrypted); Sun, 16 Jun 2024 11:52:11 +0300
Reply-To: Email Mailbox Notification xx  #9698 

It was a phishing email and the provider has since shut it down. Now we do not 
have that address in our
whitelist. Should I interpret this that some of the entries we do have in our 
whitelist uses this address or
provider?


Someone obviously has one of:

Resent-From
Envelope-Sender
Resent-Sender
X-Envelope-From
From

address in whitelist (renamed welcomelist since).

you just need to find out which and where.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
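
One way to do the "find out which and where" step from the reply above, as an added example that is not part of the original post. It collects the addresses from the five headers listed there and tests them against every whitelist_from / welcomelist_from entry in a set of config texts, using the documented glob rules for those directives (only * and ? are wildcards, matching is case-insensitive). The message, the config contents and the file names are constructed; other list directives such as whitelist_from_rcvd are not covered.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Headers named in the reply as the ones that can carry the listed address.
SENDER_HEADERS = ["Resent-From", "Envelope-Sender", "Resent-Sender",
                  "X-Envelope-From", "From"]
DIRECTIVES = {"whitelist_from", "welcomelist_from"}


def glob_to_regex(pattern):
    """Translate a list glob: '*' and '?' are wildcards, all else is literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.I)


def sender_addresses(raw_message):
    """Return (header, address) pairs for every address in SENDER_HEADERS."""
    msg = message_from_string(raw_message)
    found = []
    for header in SENDER_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.append((header, addr))
    return found


def list_entries(config_files):
    """Yield (file, line_number, directive, pattern) for each list entry.

    `config_files` maps a file name to its text, so the caller decides which
    site-wide and per-user files to load."""
    for fname, text in config_files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            fields = line.split("#", 1)[0].split()
            if fields and fields[0].lower() in DIRECTIVES:
                for pattern in fields[1:]:
                    yield fname, lineno, fields[0], pattern


def explain_hit(raw_message, config_files):
    """List every (file, line, directive, pattern, header, address) match."""
    senders = sender_addresses(raw_message)
    hits = []
    for fname, lineno, directive, pattern in list_entries(config_files):
        rx = glob_to_regex(pattern)
        for header, addr in senders:
            if rx.fullmatch(addr):
                hits.append((fname, lineno, directive, pattern, header, addr))
    return hits


# Constructed message headers (the thread's real addresses are redacted).
SAMPLE_MESSAGE = "\n".join([
    "X-Envelope-From: <bounce-9698@mailer.example.net>",
    'From: "Email Mailbox Notification" <noreply@mailer.example.net>',
    "Reply-To: <collector@other.example.org>",
    "To: user@example.org",
    "Subject: constructed sample",
    "",
    "body",
])

# Constructed config texts keyed by a hypothetical file name.
SAMPLE_CONFIG = {
    "local.cf": "whitelist_from *@partner.example.com\n"
                "whitelist_from *@*.example.net   # far too broad\n",
    "user_prefs": "# per-user entry\n"
                  "welcomelist_from bounce-*@mailer.example.net\n",
}

if __name__ == "__main__":
    for hit in explain_hit(SAMPLE_MESSAGE, SAMPLE_CONFIG):
        print("%s:%d  %s %s  matched %s: %s" % hit)
```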


Need some help decoding an SA analysis

2024-06-16 Thread Anders Gustafsson
This one:

Return-path: 
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on xx
X-Spam-Level: 
X-Spam-Status: No, score=-95.6 required=5.0 tests=BAYES_00,HTML_MESSAGE,
MIME_HTML_ONLY,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RDNS_NONE,
TO_EQ_FM_DIRECT_MX,TO_NO_BRKTS_NORDNS_HTML,T_SCC_BODY_TEXT_LINE,
URIBL_BLACK,URIBL_DBL_SPAM,USER_IN_WELCOMELIST,USER_IN_WHITELIST
autolearn=no autolearn_force=no version=3.4.5
Received: from hosted-by.csrdp.host ([195.10.205.97])
by x with ESMTP (TLS encrypted); Sun, 16 Jun 2024 11:52:11 +0300
Reply-To: Email Mailbox Notification xx  #9698  

It was a phishing email and the provider has since shut it down. Now we do not 
have that address in our
whitelist. Should I interpret this that some of the entries we do have in our 
whitelist uses this address or
provider?


-- 
Med vänlig hälsning

Anders Gustafsson




Re: Where are your test definitions?

2024-06-15 Thread Matus UHLAR - fantomas

Am 2024-06-14 21:20, schrieb Matus UHLAR - fantomas:
If you want to find out more, feed the mail to "spamassassin -D" and 
that should explain which text matched which rules.


and as we told you already, your client should NOT play with small 
or semi-invisible text in mail. That's what spammers do.


On 14.06.24 23:33, Thomas Barth via users wrote:

Cool, but now I've more questions! :-)

When the eMail arrived the score was 6.248. I repeat the testlist:

BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01




But when piping the eMail to spamassassin -D the score is 10.5! And 
RDNS_NONE gets a 1.3!


 2.5 URIBL_DBL_SPAM          Contains a spam URL listed in the Spamhaus DBL
                             blocklist
                             [URI: www.example.com]
                             [URI: example.com]


This happened because the spam URL was not on the DBL blocklist at the time you 
received the mail.  This happens all the time.


Also Bill has posted useful info.

However, this is not the output of spamassassin -D, just the resulting spam 
headers.
I'm skipping the rest of recommendations because of the latter.

WARNING

If your colleague is discussing with a spammer, skip this discussion and tell 
him not to.  There is no point in helping a spammer avoid filters.


The existence of www.example.com and example.com URIs in the mail indicates
that the mail was sent by a spammer.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.


Re: Where are your test definitions?

2024-06-14 Thread John Hardin

On Fri, 14 Jun 2024, Bowie Bailey wrote:


On 6/14/2024 10:39 AM, Thomas Barth via users wrote:

 Hello,

 I would like to explain to a sender what he can do to create an email that is
 not classified as spam.

 X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5
  tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
  DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
  FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
  RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
  T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]


You can get the definitions directly from the rule files.  On my system, the 
updated rules are in /var/lib/spamassassin/3.004006/updates_spamassassin_org.


describe  RDNS_NONE   Delivered to internal network by a host with no rDNS
describe  FONT_INVIS_MSGID   Invisible text + suspicious message ID
describe  FONT_INVIS_NORDNS   Invisible text + no rDNS
describe  HTML_FONT_TINY_NORDNS   Font too small to read, no rDNS


You can also configure SA to include the rule descriptions in an 
X-Spam-Report header when the message is scored as "spammy". Take a look 
at config "report_safe 0".



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Users mistake widespread adoption of Microsoft Office for
  the development of a document format standard.
---
 4 days until SWMBO's Birthday

Re: Where are your test definitions?

2024-06-14 Thread Bill Cole

On 2024-06-14 at 17:33:22 UTC-0400 (Fri, 14 Jun 2024 23:33:22 +0200)
Thomas Barth via users 
is rumored to have said:


Am 2024-06-14 21:20, schrieb Matus UHLAR - fantomas:

grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
/var/lib/spamassassin/4.00/updates_spamassassin_org/72_active.cf: 
describe FONT_INVIS_NORDNS Invisible text + no rDNS


In my case, I can say with certainty that the mail comes from a 
business partner of a colleague :-)


If you want to find out more, feed the mail to "spamassassin -D" and 
that should explain which text matched which rules.


and as we told you already, your client should NOT play with small or 
semi-invisible text in mail. That's what spammers do.


Cool, but now I've more questions! :-)

When the eMail arrived the score was 6.248. I repeat the testlist:

BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01

But when piping the eMail to spamassassin -D the score is 10.5! And 
RDNS_NONE gets a 1.3!


It is very likely (almost certain...) that your shell account and your 
mail server have different SpamAssassin configurations. Per-user 
configurations are in ~/.spamassassin/user_prefs by default, while the 
settings used by SpamAssassin via whatever glue you are using to hook 
into your MTA really depend on how you do that. Per-user prefs can 
change scores or even scoresets (i.e. using net and bayes or not) so you 
need to figure out which prefs each checking method is using.


A single user also stands a strong chance of not having enough data 
learned into their own Bayes DB for it to be used, while a system-wide 
DB usually will. The above list has a (favorable) BAYES score, the one 
below has none.




 2.5 URIBL_DBL_SPAM          Contains a spam URL listed in the Spamhaus DBL
                             blocklist
                             [URI: www.example.com]
                             [URI: example.com]


That's a rule that is likely to hit on "aged" spam that it did not hit 
earlier, because it can take time for Spamhaus to list spammers like 
example.com... ( I assume you've redacted to protect the definitely 
guilty.)




 0.0 SPF_HELO_NONE           SPF: HELO does not publish an SPF Record
 0.1 DKIM_SIGNED             Message has a DKIM or DK signature, not
                             necessarily valid
 0.1 DKIM_INVALID            DKIM or DK signature exists, but is not valid
 2.0 RELAYCOUNTRY_BAD        Relayed through spammy country at some point
 0.0 HTML_MESSAGE            BODY: Nachricht enthält HTML
-0.0 T_SCC_BODY_TEXT_LINE    No description available.
 1.2 FONT_INVIS_NORDNS       Invisible text + no rDNS
 1.3 RDNS_NONE               Delivered to internal network by a host with
                             no rDNS
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors
                             in HTML
 2.5 FONT_INVIS_MSGID        Invisible text + suspicious message ID
 0.0 HTML_FONT_TINY_NORDNS   Font too small to read, no rDNS
 0.9 DMARC_NONE              DMARC none policy

Let's just assume that the colleague is corresponding with a spammer


OR: discussing a spammer, with domain names.

and the colleague knows nothing about it. I'm just interested to know 
why the score is lower when the last mail arrived than in the current 
test. Is it because a few hours have already passed and the mail is 
rated differently in the DNS blocklists?


That's the URIBL_DBL_SPAM hit.


Or could it be that something is still wrong with my configuration?


"Wrong" is such a judgy word...
You have variances. Your MTA checks in one way, your shell checks in 
another.


However, I can see in the journal that every mail is checked against 
blocklists, maybe not completely? This difference is now irritating 
me.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire
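
The comparison made in the reply above can be done mechanically. The following is an added example, not code from this thread or from SpamAssassin: it parses the `tests=[...]` list from the delivery-time header and the per-rule lines of the later command-line report, then lists rules that hit in only one run or changed score. Both inputs are re-typed from the values quoted in this thread, with the report's column layout reconstructed; the function names are hypothetical.

```python
import re

# Delivery-time X-Spam-Status value, re-typed from the thread.
MTA_STATUS = """Yes, score=6.248 tagged_above=1 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
 FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
 RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]"""

# Later shell run; scores and rule names from the thread, columns reconstructed.
SHELL_REPORT = """\
 2.5 URIBL_DBL_SPAM          Contains a spam URL listed in the Spamhaus DBL
                             blocklist
                             [URI: www.example.com]
                             [URI: example.com]
 0.0 SPF_HELO_NONE           SPF: HELO does not publish an SPF Record
 0.1 DKIM_SIGNED             Message has a DKIM or DK signature, not
                             necessarily valid
 0.1 DKIM_INVALID            DKIM or DK signature exists, but is not valid
 2.0 RELAYCOUNTRY_BAD        Relayed through spammy country at some point
 0.0 HTML_MESSAGE            BODY: HTML included in message
-0.0 T_SCC_BODY_TEXT_LINE    No description available.
 1.2 FONT_INVIS_NORDNS       Invisible text + no rDNS
 1.3 RDNS_NONE               Delivered to internal network by a host with
                             no rDNS
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors
                             in HTML
 2.5 FONT_INVIS_MSGID        Invisible text + suspicious message ID
 0.0 HTML_FONT_TINY_NORDNS   Font too small to read, no rDNS
 0.9 DMARC_NONE              DMARC none policy
"""


def parse_status_header(value):
    """Return {rule: score} from a folded tests=[RULE=score, ...] header value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo RFC 5322 folding
    match = re.search(r"tests=\[([^\]]*)\]", unfolded)
    if not match:
        return {}
    scores = {}
    for item in match.group(1).split(","):
        name, sep, score = item.strip().partition("=")
        if sep:
            scores[name] = float(score)
    return scores


def parse_report(text):
    """Return {rule: score} from report lines of the form '<pts> <RULE> <text>'.

    Wrapped description lines and [URI: ...] lines carry no leading score and
    are skipped by the pattern.
    """
    pattern = re.compile(r"^[ \t]*(-?\d+(?:\.\d+)?)[ \t]+([A-Z][A-Z0-9_]+)\b", re.M)
    return {name: float(score) for score, name in pattern.findall(text)}


def diff_runs(first, second, tolerance=0.05):
    """Compare two {rule: score} maps.

    The report prints one decimal place, so differences below `tolerance`
    are treated as rounding, not as a different score set.
    """
    changed = {
        name: (first[name], second[name])
        for name in sorted(first.keys() & second.keys())
        if abs(first[name] - second[name]) >= tolerance
    }
    return {
        "only_first": sorted(first.keys() - second.keys()),
        "only_second": sorted(second.keys() - first.keys()),
        "changed": changed,
    }


if __name__ == "__main__":
    result = diff_runs(parse_status_header(MTA_STATUS), parse_report(SHELL_REPORT))
    print("hit only at delivery:", ", ".join(result["only_first"]))
    print("hit only in shell run:", ", ".join(result["only_second"]))
    for rule, (before, after) in result["changed"].items():
        print(f"{rule}: {before} -> {after}")
```

Rules present on one side only point at checks that ran in one environment but not the other or at list data that changed in between, while a changed score for the same rule points at a different score set or ruleset version.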


Re: Where are your test definitions?

2024-06-14 Thread Thomas Barth via users

Am 2024-06-14 21:20, schrieb Matus UHLAR - fantomas:

grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
/var/lib/spamassassin/4.00/updates_spamassassin_org/72_active.cf: 
describe FONT_INVIS_NORDNS Invisible text + no rDNS


In my case, I can say with certainty that the mail comes from a 
business partner of a colleague :-)


If you want to find out more, feed the mail to "spamassassin -D" and 
that should explain which text matched which rules.


and as we told you already, your client should NOT play with small or 
semi-invisible text in mail. That's what spammers do.


Cool, but now I've more questions! :-)

When the eMail arrived the score was 6.248. I repeat the testlist:

BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01

But when piping the eMail to spamassassin -D the score is 10.5! And 
RDNS_NONE gets a 1.3!


 2.5 URIBL_DBL_SPAM          Contains a spam URL listed in the Spamhaus DBL
                             blocklist
                             [URI: www.example.com]
                             [URI: example.com]
 0.0 SPF_HELO_NONE           SPF: HELO does not publish an SPF Record
 0.1 DKIM_SIGNED             Message has a DKIM or DK signature, not
                             necessarily valid
 0.1 DKIM_INVALID            DKIM or DK signature exists, but is not valid
 2.0 RELAYCOUNTRY_BAD        Relayed through spammy country at some point
 0.0 HTML_MESSAGE            BODY: Nachricht enthält HTML
-0.0 T_SCC_BODY_TEXT_LINE    No description available.
 1.2 FONT_INVIS_NORDNS       Invisible text + no rDNS
 1.3 RDNS_NONE               Delivered to internal network by a host with
                             no rDNS
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors
                             in HTML
 2.5 FONT_INVIS_MSGID        Invisible text + suspicious message ID
 0.0 HTML_FONT_TINY_NORDNS   Font too small to read, no rDNS
 0.9 DMARC_NONE              DMARC none policy

Let's just assume that the colleague is corresponding with a spammer and 
the colleague knows nothing about it. I'm just interested to know why 
the score is lower when the last mail arrived than in the current test. 
Is it because a few hours have already passed and the mail is rated 
differently in the DNS blocklists? Or could it be that something is 
still wrong with my configuration? However, I can see in the journal 
that every mail is checked against blocklists, maybe not completely? 
This difference is now irritating me.


Re: Where are your test definitions?

2024-06-14 Thread Matus UHLAR - fantomas

Am 2024-06-14 18:24, schrieb Matus UHLAR - fantomas:

1. as I said it's hard to find out without the body
2. hiding data indicates a spammer.


On 14.06.24 19:15, Thomas Barth via users wrote:

Yes, I've now realized that I can simply grep for the descriptions.

grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
/var/lib/spamassassin/4.00/updates_spamassassin_org/72_active.cf: 
describe FONT_INVIS_NORDNS Invisible text + no rDNS


In my case, I can say with certainty that the mail comes from a 
business partner of a colleague :-)


If you want to find out more, feed the mail to "spamassassin -D" and that 
should explain which text matched which rules.


and as we told you already, your client should NOT play with small or 
semi-invisible text in mail. That's what spammers do.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)


Re: Where are your test definitions?

2024-06-14 Thread Bill Cole

On 2024-06-14 at 10:39:36 UTC-0400 (Fri, 14 Jun 2024 16:39:36 +0200)
Thomas Barth via users 
is rumored to have said:


Hello,

I would like to explain to a sender what he can do to create an email 
that is not classified as spam.


X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
 FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
 RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]

I cannot find the definitions on your old site 
https://spamassassin.apache.org/old/tests_3_1_x.html.

FONT_INVIS_NORDNS, FONT_INVIS_MSGID, HTML_FONT_TINY_NORDNS, RDNS_NONE

Is there no current version of the test definition?



The rules get tested, rescored, and assembled into a release package 
daily so it is not really feasible to put a set of static pages up with 
all the descriptions of all active rules, as the set changes daily.


You can either use sa-update to get the current ruleset and find the 
rule descriptions in that package or go through the current files in the 
repo: https://svn.apache.org/viewvc/spamassassin/trunk/rules/ and 
https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: Where are your test definitions?

2024-06-14 Thread Thomas Barth via users

Am 2024-06-14 18:24, schrieb Matus UHLAR - fantomas:

1. as I said it's hard to find out without the body
2. hiding data indicates a spammer.


Yes, I've now realized that I can simply grep for the descriptions.

grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
/var/lib/spamassassin/4.00/updates_spamassassin_org/72_active.cf: 
describe FONT_INVIS_NORDNS Invisible text + no rDNS


In my case, I can say with certainty that the mail comes from a business 
partner of a colleague :-)


Re: Where are your test definitions?

2024-06-14 Thread Matus UHLAR - fantomas

Am 2024-06-14 17:11, schrieb Matus UHLAR - fantomas:

FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514
RDNS_NONE=0.793

working fcrdns would fix much for them.

However, not doing stupid shit with fonts would help even more:
FONT_INVIS_MSGID=2.497
FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514


On 14.06.24 18:00, Thomas Barth via users wrote:

Thanks, I have forwarded these infos and hope it will be corrected.




I cannot find the definitions on your old site 
https://spamassassin.apache.org/old/tests_3_1_x.html.


why 3.1?



Google only shows this old version and I can't find a link to the 
current test definitions on the website itself.


I see them in SA 4.0 rules:

72_active.cf:  meta     FONT_INVIS_MSGID  __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA
72_active.cf:  meta     FONT_INVIS_NORDNS  __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER
72_active.cf:  rawbody  __FONT_INVIS  /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
72_active.cf:  meta     HTML_FONT_TINY_NORDNS  __HTML_FONT_TINY_NORDNS && !__HAS_CID
72_active.cf:  meta     __HTML_FONT_TINY_NORDNS  (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE
72_active.cf:  rawbody  __AC_TINY_FONT  /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
72_active.cf:  rawbody  __HTML_FONT_TINY_01  /font-size:\s{0,5}[0-4]px;/i
72_active.cf:  rawbody  __HTML_FONT_TINY_02  /]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i

1. as I said it's hard to find out without the body
2. hiding data indicates a spammer.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!


Re: Lots of FN because of VALIDITY* rules

2024-06-14 Thread Anne P. Mitchell, Esq.



> On Jun 3, 2024, at 4:09 AM, Matus UHLAR - fantomas  wrote:
> 
> I forgot to add that I have "lowered" (increased to small negative number) 
> scores for RCVD_IN_VALIDITY_*, RCVD_IN_DNSWL_* and RCVD_IN_IADB_*
> because I had similar bad experience with them.

Matus, if you EVER have a bad experience with RCVD_IN_IADB_ (or any other IADB 
test), *please* let me personally know asap. We take our responsibility to the 
receiving industry *very* seriously (always have, for more than 20 years now) - 
that's *why* we invented the data response code concept, and developed it 
specifically so that SA could take advantage of it (and didn't patent it so 
that others could use the concept to, again, assist receivers).  So, *please*, 
again, let me know personally, directly, if you ever find an issue with a 
certified sender (that is who would trigger the IADB tests) not doing the right 
thing!

Thank you,

Anne

--- 
Anne P. Mitchell, Esq.
Internet Law & Policy Attorney
CEO Institute for Social Internet Public Policy (ISIPP)
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Creator of the term 'deliverability' and founder of the deliverability industry
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, eMail Abuse Prevention System (MAPS)



Re: Where are your test definitions?

2024-06-14 Thread Bowie Bailey

On 6/14/2024 10:39 AM, Thomas Barth via users wrote:

Hello,

I would like to explain to a sender what he can do to create an email 
that is not classified as spam.


X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
 FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
 RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]

I cannot find the definitions on your old site 
https://spamassassin.apache.org/old/tests_3_1_x.html.

FONT_INVIS_NORDNS, FONT_INVIS_MSGID, HTML_FONT_TINY_NORDNS, RDNS_NONE

Is there no current version of the test definition?


You can get the definitions directly from the rule files.  On my system, 
the updated rules are in 
/var/lib/spamassassin/3.004006/updates_spamassassin_org.


describe  RDNS_NONE   Delivered to internal network by a host with no rDNS
describe  FONT_INVIS_MSGID   Invisible text + suspicious message ID
describe  FONT_INVIS_NORDNS   Invisible text + no rDNS
describe  HTML_FONT_TINY_NORDNS   Font too small to read, no rDNS

Since those make up the majority of the score, it looks like you should 
explain to the sender that they should not be using tiny or invisible 
fonts in their emails, and that they should fix the reverse DNS for 
their mailserver.


--
Bowie



Re: Where are your test definitions?

2024-06-14 Thread Thomas Barth via users

Am 2024-06-14 17:11, schrieb Matus UHLAR - fantomas:

FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514
RDNS_NONE=0.793

working fcrdns would fix much for them.

However, not doing stupid shit with fonts would help even more:
FONT_INVIS_MSGID=2.497
FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514



Thanks, I have forwarded these infos and hope it will be corrected.




I cannot find the definitions on your old site 
https://spamassassin.apache.org/old/tests_3_1_x.html.


why 3.1?



Google only shows this old version and I can't find a link to the 
current test definitions on the website itself.




Re: Where are your test definitions?

2024-06-14 Thread Noel Butler

On 15/06/2024 01:04, Thomas Barth via users wrote:


Am 2024-06-14 16:44, schrieb Reindl Harald (privat):

with RDNS_NONE nobody on this planet should accept mails from that 
machine and the admin has to be fired, the message should be rejected 
at SMTP level long before spamassassin


And you would have been dismissed because of your pathological fascist 
thought structure ;-)


Not if he worked for me, it's smtp 101 not only enforce PTRs, but 
enforce matching A/ -> PTR and back again, so they need to fix their 
mail server DNS, the bad relay country, not a lot they can do about that 
to that sender.


That said, Harry would never work for me because as you pointed out 
he's pathological, it's why he replies privately, he is perm moderated 
on this and most other lists, please do not reply to him via the list, 
he has a habit of setting the reply-to, to the list, please check and 
remove it, feel free to tell him what you think of him directly, the 
rest of us already have.


--
Regards,
Noel Butler

Re: Where are your test definitions?

2024-06-14 Thread Thomas Barth via users

Am 2024-06-14 16:44, schrieb Reindl Harald (privat):
with RDNS_NONE nobody on this planet should accept mails from that 
machine and the admin has to be fired, the message should be rejected 
at SMTP level long before spamassassin


And you would have been dismissed because of your pathological fascist 
thought structure ;-)


Re: Where are your test definitions?

2024-06-14 Thread Matus UHLAR - fantomas

On 14.06.24 16:39, Thomas Barth via users wrote:
I would like to explain to a sender what he can do to create an email 
that is not classified as spam.


X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]


FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514
RDNS_NONE=0.793

working fcrdns would fix much for them.

However, not doing stupid shit with fonts would help even more:
FONT_INVIS_MSGID=2.497
FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514

Without seeing what matched that it's hard to guess more


I cannot find the definitions on your old site 
https://spamassassin.apache.org/old/tests_3_1_x.html.


why 3.1?


FONT_INVIS_NORDNS, FONT_INVIS_MSGID, HTML_FONT_TINY_NORDNS, RDNS_NONE

Is there no current version of the test definition?




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.


Where are your test definitions?

2024-06-14 Thread Thomas Barth via users

Hello,

I would like to explain to a sender what he can do to create an email that 
is not classified as spam.


X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
 FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
 RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]

I cannot find the definitions on your old site 
https://spamassassin.apache.org/old/tests_3_1_x.html.

FONT_INVIS_NORDNS, FONT_INVIS_MSGID, HTML_FONT_TINY_NORDNS, RDNS_NONE

Is there no current version of the test definition?


Re: DKIM ... KAPUT

2024-06-12 Thread Noel Butler

On 13/06/2024 08:59, Rupert Gallagher wrote:

Yesterday I disabled DKIM as a spam indicator, because I got tired of 
adding exceptions. Non-compliant relays should fail hard, but they do 
not. This is a tragedy.


I have NFI why you wasted your time telling us this

DKIM only proves it was sent from domain X, it has ZERO to do with "is 
or is not" spam.


So again, venting your annoyance at your misunderstanding of DKIM with 
us, is pointless.


--
Regards,
Noel Butler

DKIM ... KAPUT

2024-06-12 Thread Rupert Gallagher
Yesterday I disabled DKIM as a spam indicator, because I got tired of adding 
exceptions. Non-compliant relays should fail hard, but they do not. This is a 
tragedy.


Re: Warning: Your Pyzor may be broken.

2024-06-11 Thread Matus UHLAR - fantomas

On 2024-06-08 14:45:34, Bill Cole wrote:

I went looking for a better fix and found a reported issue at
https://github.com/SpamExperts/pyzor/issues/155 matching my original
symptoms in which a workaround was provided: install directly from
the GitHub project's master.zip link, i.e. a snapshot assembled from
the current state of the repo, which claims to be v1.1.1. I do not
like that solution at all, and added a comment to that issue
suggesting that they fix the problem by cutting a release for
PyPI. No response yet, but it has only been a matter of minutes.



On Sun, 9 Jun 2024, Michael Orlitzky wrote:

The same issue was reported in 2016 and ignored for eight years before
being closed out of frustration (rather than because they did
something about it):

https://github.com/SpamExperts/pyzor/issues/54


On 09.06.24 10:31, John Hardin wrote:
Perhaps the project should consider retiring Pyzor as "no longer 
effectively maintained"?


consider, probably.  However pyzor still generates hits and helps catch 
spam, at least on my server.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.


Re: Warning: Your Pyzor may be broken.

2024-06-10 Thread Lucas Rolff
It's just yet another project SolarWinds.. I mean N-Able managed to screw up. 
Nothing new there same old same old

Sent from Outlook for iOS

From: Tom Hendrikx 
Sent: Monday, June 10, 2024 6:26:29 PM
To: users@spamassassin.apache.org 
Subject: Re: Warning: Your Pyzor may be broken.



On 10-06-2024 15:05, giova...@paclan.it wrote:
> On 6/9/24 7:31 PM, John Hardin wrote:
>> On Sun, 9 Jun 2024, Michael Orlitzky wrote:
>>
>>> On 2024-06-08 14:45:34, Bill Cole wrote:
>>>
>>>> I went looking for a better fix and found a reported issue at
>>>> https://github.com/SpamExperts/pyzor/issues/155 matching my original
>>>> symptoms in which a workaround was provided: install directly from
>>>> the GitHub project's master.zip link, i.e. a snapshot assembled from
>>>> the current state of the repo, which claims to be v1.1.1. I do not
>>>> like that solution at all, and added a comment to that issue
>>>> suggesting that they fix the problem by cutting a release for
>>>> PyPI. No response yet, but it has only been a matter of minutes.
>>>
>>> The same issue was reported in 2016 and ignored for eight years before
>>> being closed out of frustration (rather than because they did
>>> something about it):
>>>
>>>  https://github.com/SpamExperts/pyzor/issues/54
>>
>> Perhaps the project should consider retiring Pyzor as "no longer
>> effectively maintained"?
>>
> I think this is a valid option, Perl implementation is a reverse
> engineering effort and absolutely not perfect.
>   Giovanni
>

Note that Pyzor also uses a server-side component to function. The
default is maintained by the Pyzor team as well, I assume. The hostname
'public.pyzor.org' currently points to a host with an RDNS
'server36.seinternal.com.', which could be some internal host owned by
SpamExperts (who also maintains the pyzor codebase).

You don't know the status of that infrastructure either. So I'd be
careful when using the public servers too. That's always true for public
gratis services, but maybe take some extra caution as the project seems
less alive.

Tom


Re: Warning: Your Pyzor may be broken.

2024-06-10 Thread Tom Hendrikx




On 10-06-2024 15:05, giova...@paclan.it wrote:

On 6/9/24 7:31 PM, John Hardin wrote:

On Sun, 9 Jun 2024, Michael Orlitzky wrote:


On 2024-06-08 14:45:34, Bill Cole wrote:


I went looking for a better fix and found a reported issue at
https://github.com/SpamExperts/pyzor/issues/155 matching my original
symptoms in which a workaround was provided: install directly from
the GitHub project's master.zip link, i.e. a snapshot assembled from
the current state of the repo, which claims to be v1.1.1. I do not
like that solution at all, and added a comment to that issue
suggesting that they fix the problem by cutting a release for
PyPI. No response yet, but it has only been a matter of minutes.


The same issue was reported in 2016 and ignored for eight years before
being closed out of frustration (rather than because they did
something about it):

 https://github.com/SpamExperts/pyzor/issues/54


Perhaps the project should consider retiring Pyzor as "no longer 
effectively maintained"?


I think this is a valid option, Perl implementation is a reverse 
engineering effort and absolutely not perfect.

  Giovanni



Note that Pyzor also uses a server-side component to function. The 
default is maintained by the Pyzor team as well, I assume. The hostname 
'public.pyzor.org' currently points to a host with an RDNS 
'server36.seinternal.com.', which could be some internal host owned by 
SpamExperts (who also maintains the pyzor codebase).


You don't know the status of that infrastructure either. So I'd be 
careful when using the public servers too. That's always true for public 
gratis services, but maybe take some extra caution as the project seems 
less alive.


Tom


Re: Warning: Your Pyzor may be broken.

2024-06-10 Thread giovanni

On 6/9/24 7:31 PM, John Hardin wrote:

On Sun, 9 Jun 2024, Michael Orlitzky wrote:


On 2024-06-08 14:45:34, Bill Cole wrote:


I went looking for a better fix and found a reported issue at
https://github.com/SpamExperts/pyzor/issues/155 matching my original
symptoms in which a workaround was provided: install directly from
the GitHub project's master.zip link, i.e. a snapshot assembled from
the current state of the repo, which claims to be v1.1.1. I do not
like that solution at all, and added a comment to that issue
suggesting that they fix the problem by cutting a release for
PyPI. No response yet, but it has only been a matter of minutes.


The same issue was reported in 2016 and ignored for eight years before
being closed out of frustration (rather than because they did
something about it):

 https://github.com/SpamExperts/pyzor/issues/54


Perhaps the project should consider retiring Pyzor as "no longer effectively 
maintained"?


I think this is a valid option, Perl implementation is a reverse engineering 
effort and absolutely not perfect.
 Giovanni





Re: Warning: Your Pyzor may be broken.

2024-06-09 Thread John Hardin

On Sun, 9 Jun 2024, Michael Orlitzky wrote:


On 2024-06-08 14:45:34, Bill Cole wrote:


I went looking for a better fix and found a reported issue at
https://github.com/SpamExperts/pyzor/issues/155 matching my original
symptoms in which a workaround was provided: install directly from
the GitHub project's master.zip link, i.e. a snapshot assembled from
the current state of the repo, which claims to be v1.1.1. I do not
like that solution at all, and added a comment to that issue
suggesting that they fix the problem by cutting a release for
PyPI. No response yet, but it has only been a matter of minutes.


The same issue was reported in 2016 and ignored for eight years before
being closed out of frustration (rather than because they did
something about it):

 https://github.com/SpamExperts/pyzor/issues/54


Perhaps the project should consider retiring Pyzor as "no 
longer effectively maintained"?




--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Once more, please; I missed it the last time: what's the difference
  between "Quantitative Easing" and "Counterfeiting"?
---
 Tomorrow: the 57th anniversary of Israel's victory in the Six-Day War

