Re: SA suddenly giving lots of FP's?
On Tuesday 03 January 2006 17:30, mouss wrote:
>Gene Heskett wrote:
>> -
>> From [EMAIL PROTECTED] Sat Dec 31 23:16:57 2005
>> Return-Path: <[EMAIL PROTECTED]>
>> Received: from localhost (localhost.localdomain [127.0.0.1])
>> by coyote.coyote.den (8.12.11/8.12.10) with ESMTP id
>> k014Gv7g021793
>> for <[EMAIL PROTECTED]>; Sat, 31 Dec 2005 23:16:57 -0500
>
>so this is the "after fetchmail" header
>
>> Received: from incoming.verizon.net [206.46.232.10]
>> by localhost with POP3 (fetchmail-6.2.5.5)
>> for [EMAIL PROTECTED] (single-drop); Sat, 31 Dec 2005 23:16:57
>> -0500 (EST)
>
>and this is the fetchmail header.
>
>- you should add 206.46.232.10 to your trusted_networks
>- SA will recognize this as a fetchmail hop, and will "reinitialize"
>  its received parsing (This is my understanding, but I may be wrong.
>  But this is what I understand from -D output).
>

Yes, I put it into local.cf as 206.46.232/24 and I believe it has helped.
Time will tell & it's only been about 20 hrs so far, during which I built
and rebooted to 2.6.15.

>>
>> which is not the same message, and therefore a waste of bandwidth I
>> think.
>
>what do you mean?
>
>> Too bad the /var/spool/mail/gene files contents are so ephemeral.
>
>what do you mean?

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: SA suddenly giving lots of FP's?
Gene Heskett wrote:
> Well, I've now defined it to be 2.8 in local.cf, and that's working
> better but I feel I may have to reduce it another few tenths.
>
> One of the problems I think I've detected is that fetchmail isn't doing
> a 100% verbatim suck from vz, but seems to be deleting some of the
> history near the top of the header, but how much is unk.

no, it doesn't, unless you can prove it. most probably your MUA (kmail) does.

> I could copy
> the mailfile off before kmail grabs it and zeros out the mailfile and
> then compare messages to see exactly what's missing. That would define
> where the loss is better than my SWAG's. I'll do that tomorrow.
>

you'll probably find it easier to let kmail get the mail from the
"original" server instead of using fetchmail this way. If kmail has
problems, please report them to the kmail developers.

an alternative setup is to let fetchmail talk to an MTA (postfix,
qmail, sendmail, exim). This will allow you to run a "common setup".
This is what I am using for some of my accounts (including this one).

Unfortunately, fetchmail adds more problems than "solutions". so I'm
moving away slowly.
Re: SA suddenly giving lots of FP's?
Gene Heskett wrote:
> -
> From [EMAIL PROTECTED] Sat Dec 31 23:16:57 2005
> Return-Path: <[EMAIL PROTECTED]>
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by coyote.coyote.den (8.12.11/8.12.10) with ESMTP id
> k014Gv7g021793
> for <[EMAIL PROTECTED]>; Sat, 31 Dec 2005 23:16:57 -0500

so this is the "after fetchmail" header

> Received: from incoming.verizon.net [206.46.232.10]
> by localhost with POP3 (fetchmail-6.2.5.5)
> for [EMAIL PROTECTED] (single-drop); Sat, 31 Dec 2005 23:16:57
> -0500 (EST)

and this is the fetchmail header.

- you should add 206.46.232.10 to your trusted_networks
- SA will recognize this as a fetchmail hop, and will "reinitialize"
  its received parsing (This is my understanding, but I may be wrong.
  But this is what I understand from -D output).

>
> which is not the same message, and therefore a waste of bandwidth I
> think.

what do you mean?

>
> Too bad the /var/spool/mail/gene files contents are so ephemeral.
>

what do you mean?
Re: SA suddenly giving lots of FP's?
From: "Gene Heskett" <[EMAIL PROTECTED]>

On Monday 02 January 2006 23:22, jdow wrote:

From: "Gene Heskett" <[EMAIL PROTECTED]>

On Monday 02 January 2006 22:34, Craig White wrote:

On Mon, 2006-01-02 at 22:19 -0500, Gene Heskett wrote:

On Sunday 01 January 2006 22:51, jdow wrote:
[...]
>> Anyway, the rule that's applying the 3.8 score is
>> HELO_DYNAMIC_IPADDR2.
>>
>> ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from /
>> because that rule isn't present in any of the
>> .spamassassin(/rulesdujour) or /etc/mail/spamassassin
>> directories. If I can reduce that by about 1.2, that would fix
>> the majority of the FP's here. That rule even grabbed a
>> message from a close friend just 10 miles away last nite cause
>> he'd also stuck a bunch of !!! on the end of a happy new year
>> subject line.
>
>/usr/share/spamassassin/*.cf
>
>The score you got seems higher than the 3.04 score. But that
> could have been adjusted with 3.10 so I didn't comment.
>
>{^_^}

Well, I've now defined it to be 2.8 in local.cf, and that's working
better but I feel I may have to reduce it another few tenths.

One of the problems I think I've detected is that fetchmail isn't doing
a 100% verbatim suck from vz, but seems to be deleting some of the
history near the top of the header, but how much is unk. I could copy
the mailfile off before kmail grabs it and zeros out the mailfile and
then compare messages to see exactly what's missing. That would define
where the loss is better than my SWAG's. I'll do that tomorrow.

to my knowledge, fetchmail doesn't remove any headers at all.
Procmail may be doing it or your MTA, depending upon how you are
handling it.

Humm, AFAIK, fetchmail gets it from vz, writing it
to /var/spool/mail/gene
and kmail takes it from there. And I'm just using what the servers
support, which for vz is 99.9% of zip, plain text for everything.

With the fragment you posted fetchmail hands it off to whatever is
your sendmail tool on your system. That runs and places the mail in
your inbox. I didn't see a stanza like the following in your
fetchmailrc piece you posted: defaults mda "/usr/bin/procmail -d
gene"

So precisely what runs spamassassin there?

{^_^}

kmail, by piping it thru via a filter setting of Pipe Through, using
spamc -u gene

spamd of course is from rc3.d linkage.

That should work. When you cut and pasted the headers for your problem
message perhaps kmail had done some "cleanup."

{^_^}
Re: SA suddenly giving lots of FP's?
On Monday 02 January 2006 23:22, jdow wrote:
>From: "Gene Heskett" <[EMAIL PROTECTED]>
>
>> On Monday 02 January 2006 22:34, Craig White wrote:
>>>On Mon, 2006-01-02 at 22:19 -0500, Gene Heskett wrote:

On Sunday 01 January 2006 22:51, jdow wrote:
[...]
>> Anyway, the rule that's applying the 3.8 score is
>> HELO_DYNAMIC_IPADDR2.
>>
>> ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from /
>> because that rule isn't present in any of the
>> .spamassassin(/rulesdujour) or /etc/mail/spamassassin
>> directories. If I can reduce that by about 1.2, that would fix
>> the majority of the FP's here. That rule even grabbed a
>> message from a close friend just 10 miles away last nite cause
>> he'd also stuck a bunch of !!! on the end of a happy new year
>> subject line.
>
>/usr/share/spamassassin/*.cf
>
>The score you got seems higher than the 3.04 score. But that
> could have been adjusted with 3.10 so I didn't comment.
>
>{^_^}

Well, I've now defined it to be 2.8 in local.cf, and that's working
better but I feel I may have to reduce it another few tenths.

One of the problems I think I've detected is that fetchmail isn't doing
a 100% verbatim suck from vz, but seems to be deleting some of the
history near the top of the header, but how much is unk. I could copy
the mailfile off before kmail grabs it and zeros out the mailfile and
then compare messages to see exactly what's missing. That would define
where the loss is better than my SWAG's. I'll do that tomorrow.

>>>
>>>
>>>to my knowledge, fetchmail doesn't remove any headers at all.
>>> Procmail may be doing it or your MTA, depending upon how you are
>>> handling it.
>>
>> Humm, AFAIK, fetchmail gets it from vz, writing it
>> to /var/spool/mail/gene
>> and kmail takes it from there. And I'm just using what the servers
>> support, which for vz is 99.9% of zip, plain text for everything.
>
>With the fragment you posted fetchmail hands it off to whatever is
>your sendmail tool on your system. That runs and places the mail in
>your inbox. I didn't see a stanza like the following in your
> fetchmailrc piece you posted: defaults mda "/usr/bin/procmail -d
> gene"
>
>So precisely what runs spamassassin there?
>
>{^_^}

kmail, by piping it thru via a filter setting of Pipe Through, using
spamc -u gene

spamd of course is from rc3.d linkage.

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: SA suddenly giving lots of FP's?
On Monday 02 January 2006 23:16, jdow wrote:
>From: "Gene Heskett" <[EMAIL PROTECTED]>
>
>> On Monday 02 January 2006 00:50, Chris Purves wrote:
>>>On Sunday 01 January 2006 12:24, Gene Heskett wrote:

On Saturday 31 December 2005 20:21, Chris Purves wrote:
>On Sun, January 1, 2006 3:28 am, Gene Heskett said:
>> On Saturday 31 December 2005 13:38, Rick Macdougall wrote:
>>>Gene Heskett wrote:

On Saturday 31 December 2005 12:42, Gene Heskett wrote:
> This morning I'm going thru my JunqueMail folder and find
> that about a dozen msgs to the OpenOffice list, 5 or 6 to
> the fedora list, and one to the gimp-print-devel list were
> flagged and sorted as *SPAN*. With one exception,
> all were in English.
>>>
>>>Would help if you let us know what rules got hit.
>>
>> Content analysis details: (5.7 points, 5.0 required)
>>
>> pts rule name description
>> --
>> --
>> 3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious
>> hostname (IP addr
>> 2)
>> 1.8 FORGED_YAHOO_RCVD 'From' yahoo.com does not match
>> 'Received' headers
>> -0.2 BAYES_40 BODY: Bayesian spam probability is
>> 20 to 40%
>> [score: 0.3369]
>> 0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in
>> abuse.rfc-ignorant.org
>
>Is that the entire header? You're missing a bunch of "Received"
> lines.

FWIW, fetchmail sucks it and dumps it to /var/spool/mail/gene, &
kmail sucks it from there. This is due to a bug in the kmail suck
from servers code of quite long duration, 3 or 4 years now. Humm,
headers do seem to be getting lost!

>>>
>>>If some of the header is being removed, then that might be a
>>> problem. That could definitely trigger the FORGED_YAHOO_RCVD rule
>>> if the received header listing the Yahoo! server was removed.
>>
>> In that event, how do I go about telling fetchmail that the
>> mailfile it generates in /var/spool/mail/gene is to be a verbatim
>> copy of what was sucked in the vz's server. My fetchmailrc is
>> comparatively clean, with no options that I know about set that
>> would encourage the shrunken headers. There are no OPTIONS
>> currently defined.
>
>Fetchmail is verbatim in the sense needed. Does fetchmail go through
>the tool that fires off SpamAssassin or is this done up in KMail as
>it reads? If so KMail may have sanitized off headers in much the same
>way as Outlook or Exchange. This makes KMail pretty useless IMAO if
>this is what they do.
>
>{^_^}

Nope, it's two separate processes, Joanne. Fetchmail is run from
rc.local, and is totally independent of kmail. Where I made that
statement was that I was comparing an old message that kmail had sucked
directly, to the contents of the /var/spool/mail/gene file. Kmail in
turn, and completely asynchronously, grabs and processes the
/var/spool/mail/gene file and sorts it a bit, then calls spamassassin on
what I haven't sorted out, then looks at the output of the spamassassin
pipe when it's done and finishes the sorting. But it was obviously two
separate messages, hence the ambiguity from that alone.

Over the next few days I will stop the auto fwd to vz from gmail so that
I can set the fetchmail output to other than "as gene" & then send
myself a message at the gmail address. As soon as it comes back, copy
it to a tmp file, wait for kmail to pick it up, and then compare the
contents of the tmp file with the message shown me by kmail. Then stop
the fetchmail scan of gmail, send another message and look at it with
the web interface before I tell kmail to suck it directly. Somewhere in
there, I hope to be able to "red dot" the perp, if indeed there is one.
I could very well be barking at the moon and chasing rabbits, but
hopefully I'll also be a little smarter too.

Right now I'm watching GA show the home team how it's done. WV31-GA27,
but GA has closed the door on us after the first 15 minutes. Seriously
slammed it, and our guys are fumbling the ball away 4 times now.

Later, it looks like maybe we might pull one off, WV38-GA35, 1:45 to go
with WV in possession. 1:10 left, new 1st down by WV. Rich called for
a fake punt and pulled it off very well. And with about 25 secs to go,
GA walked out on the field to make it official, WV has won the Sugar
Bowl!

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
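
[Added example, not part of any poster's message.] The comparison proposed in the message above (keep a copy of the spool file, then compare it with what the mail client ends up holding) can be scripted as below. The script pairs messages by Message-ID, lists the Received hops that are in the spool copy but not in the client copy, and locates the fetchmail hop in the form quoted in this thread. The sample messages, the example.net/example.org addresses and the 192.0.2.x/198.51.100.x hops are constructed for illustration.

```python
import re
from email import message_from_string

# fetchmail's own hop, in the form quoted in this thread:
#   Received: from HOST [IP] by localhost with POP3 (fetchmail-x.y.z)
FETCHMAIL_HOP = re.compile(
    r"from (\S+) \[([0-9.]+)\] by \S+ with (?:POP3|IMAP)\S* \(fetchmail-")


def split_mbox(text):
    """Split mbox text on 'From ' separator lines (assumes body lines that
    start with 'From ' were escaped as '>From ', as mbox writers do)."""
    return [m for m in re.split(r"(?m)^From .*\n", text) if m.strip()]


def received_chain(msg):
    """Received headers, newest first, with folding whitespace collapsed."""
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def index_by_message_id(mbox_text):
    """Map Message-ID -> parsed message for every message in an mbox string."""
    index = {}
    for raw in split_mbox(mbox_text):
        msg = message_from_string(raw)
        mid = msg.get("Message-ID")
        if mid:
            index[mid.strip()] = msg
    return index


def fetchmail_hop(msg):
    """Return (position, relay_host, relay_ip) of the fetchmail hop, or None."""
    for pos, hop in enumerate(received_chain(msg)):
        m = FETCHMAIL_HOP.search(hop)
        if m:
            return pos, m.group(1), m.group(2)
    return None


def compare_copies(spool_text, mua_text):
    """For each message in the spool copy, list the Received hops that are
    absent from the MUA copy. None means the MUA copy lacks the message."""
    spool = index_by_message_id(spool_text)
    mua = index_by_message_id(mua_text)
    report = {}
    for mid, original in spool.items():
        if mid not in mua:
            report[mid] = None
            continue
        kept = received_chain(mua[mid])
        report[mid] = [h for h in received_chain(original) if h not in kept]
    return report


# Constructed sample: a copy of the spool file taken before the client reads it.
SPOOL_COPY = """From sender@example.net Sat Dec 31 23:16:57 2005
Return-Path: <sender@example.net>
Received: from localhost (localhost.localdomain [127.0.0.1])
    by coyote.coyote.den (8.12.11/8.12.10) with ESMTP id k014Gv7g021793
    for <gene@example.org>; Sat, 31 Dec 2005 23:16:57 -0500
Received: from incoming.verizon.net [206.46.232.10]
    by localhost with POP3 (fetchmail-6.2.5.5)
    for gene@example.org (single-drop); Sat, 31 Dec 2005 23:16:57 -0500 (EST)
Received: from mx.example.net ([192.0.2.25])
    by incoming.example.org with ESMTP; Sat, 31 Dec 2005 23:10:02 -0500
Received: from [198.51.100.7] by mx.example.net with HTTP;
    Sat, 31 Dec 2005 20:09:58 -0800
Message-ID: <constructed-1@example.net>
From: sender@example.net
Subject: Happy new year!!!

body one

From other@example.net Sat Dec 31 23:20:00 2005
Received: from mx.example.net ([192.0.2.25])
    by incoming.example.org with ESMTP; Sat, 31 Dec 2005 23:19:00 -0500
Message-ID: <constructed-2@example.net>
From: other@example.net

body two
"""

# Constructed sample: the first message as saved from the mail client, with
# the two upstream hops gone; the second message has not been picked up yet.
MUA_COPY = """From sender@example.net Sat Dec 31 23:16:57 2005
Return-Path: <sender@example.net>
Received: from localhost (localhost.localdomain [127.0.0.1])
    by coyote.coyote.den (8.12.11/8.12.10) with ESMTP id k014Gv7g021793
    for <gene@example.org>; Sat, 31 Dec 2005 23:16:57 -0500
Received: from incoming.verizon.net [206.46.232.10]
    by localhost with POP3 (fetchmail-6.2.5.5)
    for gene@example.org (single-drop); Sat, 31 Dec 2005 23:16:57 -0500 (EST)
Message-ID: <constructed-1@example.net>
From: sender@example.net
Subject: Happy new year!!!

body one
"""

if __name__ == "__main__":
    for mid, dropped in compare_copies(SPOOL_COPY, MUA_COPY).items():
        status = "not in MUA copy" if dropped is None else f"{len(dropped)} hop(s) lost"
        print(mid, status)
        for hop in dropped or []:
            print("   ", hop)
```

An empty list for a message means both copies carry the same Received chain, so any loss happened before the spool file was written.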
Re: SA suddenly giving lots of FP's?
On Mon, 2006-01-02 at 20:16 -0800, jdow wrote:
> From: "Gene Heskett" <[EMAIL PROTECTED]>

> Fetchmail is verbatim in the sense needed. Does fetchmail go through
> the tool that fires off SpamAssassin or is this done up in KMail as
> it reads? If so KMail may have sanitized off headers in much the same
> way as Outlook or Exchange. This makes KMail pretty useless IMAO if
> this is what they do.

I can find a lot to criticize about Outlook but I've not ever seen
Outlook remove header information - but I don't have any Exchange Server
installations which might be why.

In Gene's case, he's probably got Kmail fetching directly
from /var/spool/mail/gene without any pop3/imap server and thus not
getting any additional header information and then the Kmail filtering
is invoking spamassassin. I can't think of any reason not to do it that
way, unless of course, he is doing all this as root.

Craig
Re: SA suddenly giving lots of FP's?
Gene Heskett wrote:

In that event, how do I go about telling fetchmail that the mailfile it
generates in /var/spool/mail/gene is to be a verbatim copy of what was
sucked in the vz's server. My fetchmailrc is comparatively clean, with
no options that I know about set that would encourage the shrunken
headers. There are no OPTIONS currently defined.

-sanitized of course---
poll incoming.verizon.net with proto pop3
user XXX with password is gene
#options OPTIONS
poll pop.gmail.com with proto pop3
user ZZ with password is gene
options ssl
# end of file
-

Or is there some option I need to set to make it do verbatim sucks?

I think you should confirm that it is fetchmail that is removing
headers. I use fetchmail myself and haven't had any problems. In the
manual page there is an --invisible option that keeps fetchmail from
inserting its own received header. You could try that.

--
Good day, eh.
Chris
Re: SA suddenly giving lots of FP's?
From: "Gene Heskett" <[EMAIL PROTECTED]>

On Monday 02 January 2006 22:34, Craig White wrote:

On Mon, 2006-01-02 at 22:19 -0500, Gene Heskett wrote:

On Sunday 01 January 2006 22:51, jdow wrote:
[...]
>> Anyway, the rule that's applying the 3.8 score is
>> HELO_DYNAMIC_IPADDR2.
>>
>> ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from /
>> because that rule isn't present in any of the
>> .spamassassin(/rulesdujour) or /etc/mail/spamassassin
>> directories. If I can reduce that by about 1.2, that would fix
>> the majority of the FP's here. That rule even grabbed a message
>> from a close friend just 10 miles away last nite cause he'd also
>> stuck a bunch of !!! on the end of a happy new year subject
>> line.
>
>/usr/share/spamassassin/*.cf
>
>The score you got seems higher than the 3.04 score. But that could
>have been adjusted with 3.10 so I didn't comment.
>
>{^_^}

Well, I've now defined it to be 2.8 in local.cf, and that's working
better but I feel I may have to reduce it another few tenths.

One of the problems I think I've detected is that fetchmail isn't doing
a 100% verbatim suck from vz, but seems to be deleting some of the
history near the top of the header, but how much is unk. I could copy
the mailfile off before kmail grabs it and zeros out the mailfile and
then compare messages to see exactly what's missing. That would define
where the loss is better than my SWAG's. I'll do that tomorrow.

to my knowledge, fetchmail doesn't remove any headers at all.
Procmail may be doing it or your MTA, depending upon how you are
handling it.

Humm, AFAIK, fetchmail gets it from vz, writing it
to /var/spool/mail/gene
and kmail takes it from there. And I'm just using what the servers
support, which for vz is 99.9% of zip, plain text for everything.

With the fragment you posted fetchmail hands it off to whatever is
your sendmail tool on your system. That runs and places the mail in
your inbox. I didn't see a stanza like the following in your
fetchmailrc piece you posted: defaults mda "/usr/bin/procmail -d gene"

So precisely what runs spamassassin there?

{^_^}
Re: SA suddenly giving lots of FP's?
On Mon, 2006-01-02 at 22:57 -0500, Gene Heskett wrote:
> >
> >to my knowledge, fetchmail doesn't remove any headers at all.
> > Procmail may be doing it or your MTA, depending upon how you are
> > handling it.
> >
> Humm, AFAIK, fetchmail gets it from vz, writing it
> to /var/spool/mail/gene

perhaps you are using a customized configuration or perhaps you don't
know what you are talking about...I don't know.

man fetchmail...the first sentence...

fetchmail is a mail-retrieval and forwarding utility; it fetches mail
from remote mailservers and forwards it to your local (client) machine’s
delivery system.

your local machine's delivery system is AFAIK, your MTA.

I am guessing that you have kmail retrieve it either directly
from /var/spool/mail/gene or using a pop3 or IMAP (I hope) connection.

> and kmail takes it from there. And I'm just using what the servers
> support, which for vz is 99.9% of zip, plain text for everything.
>
> Gmail's pop3 server at least uses ssl encryption for everything. OTOH,
> I have my gmail prefs set to fwd it to vz, which is probably not the
> 'schmardtest' thing to do. I should cancel that, and let fetchmail
> get it direct.
>
> >after a few years of using fetchmail with 'proto imap' or 'proto
> >auto' (which used imap protocol), I ended up switching to 'proto
> > pop3' because the email 'accepted' by my isp included things like
> > NUL characters in the headers which caused fetchmail to gag on the
> > mail. When I switched to 'proto pop3' - the fetchmail politely
> > handed the email off to my MTA (postfix) and expunged it from my ISP
> > and thus, it ended up being a bit tidier. YMMV
>
> Well, my reasons for using fetchmail is that its configuration is
> pretty brain dead simple. And kmail has this habit of forgetting to
> hit the network & fetch the mail itself if its config isn't refreshed
> about 2x a week. Your basic old dogs (me at 71) and new tricks
> story...

I don't use kmail very often and when I do, it's via IMAP from my local
server and it seems to work without fail. In fact, if Kmail wasn't
reliable in retrieving email via POP3 or IMAP day in / day out, it would
be fixed as those protocols are old enough, stable enough that I would
expect any end user mail program to be sufficient to retrieve mail
without resetting configurations at all.

Now - if I recall correctly, you use stuff as root which is definitely
not the recommended methodology and can be problematic with things like
KDE. I don't do root logins.

Craig
Re: SA suddenly giving lots of FP's?
From: "Gene Heskett" <[EMAIL PROTECTED]>

On Monday 02 January 2006 00:50, Chris Purves wrote:

On Sunday 01 January 2006 12:24, Gene Heskett wrote:

On Saturday 31 December 2005 20:21, Chris Purves wrote:
>On Sun, January 1, 2006 3:28 am, Gene Heskett said:
>> On Saturday 31 December 2005 13:38, Rick Macdougall wrote:
>>>Gene Heskett wrote:

On Saturday 31 December 2005 12:42, Gene Heskett wrote:
> This morning I'm going thru my JunqueMail folder and find
> that about a dozen msgs to the OpenOffice list, 5 or 6 to the
> fedora list, and one to the gimp-print-devel list were
> flagged and sorted as *SPAN*. With one exception, all
> were in English.
>>>
>>>Would help if you let us know what rules got hit.
>>
>> Content analysis details: (5.7 points, 5.0 required)
>>
>> pts rule name description
>> --
>> --
>> 3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious
>> hostname (IP addr
>> 2)
>> 1.8 FORGED_YAHOO_RCVD 'From' yahoo.com does not match
>> 'Received' headers
>> -0.2 BAYES_40 BODY: Bayesian spam probability is
>> 20 to 40%
>> [score: 0.3369]
>> 0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in
>> abuse.rfc-ignorant.org
>
>Is that the entire header? You're missing a bunch of "Received"
> lines.

FWIW, fetchmail sucks it and dumps it to /var/spool/mail/gene, &
kmail sucks it from there. This is due to a bug in the kmail suck
from servers code of quite long duration, 3 or 4 years now. Humm,
headers do seem to be getting lost!

If some of the header is being removed, then that might be a problem.
That could definitely trigger the FORGED_YAHOO_RCVD rule if the
received header listing the Yahoo! server was removed.

In that event, how do I go about telling fetchmail that the mailfile it
generates in /var/spool/mail/gene is to be a verbatim copy of what was
sucked in the vz's server. My fetchmailrc is comparatively clean, with
no options that I know about set that would encourage the shrunken
headers. There are no OPTIONS currently defined.

Fetchmail is verbatim in the sense needed. Does fetchmail go through
the tool that fires off SpamAssassin or is this done up in KMail as
it reads? If so KMail may have sanitized off headers in much the same
way as Outlook or Exchange. This makes KMail pretty useless IMAO if
this is what they do.

{^_^}
Re: SA suddenly giving lots of FP's?
On Monday 02 January 2006 22:34, Craig White wrote:
>On Mon, 2006-01-02 at 22:19 -0500, Gene Heskett wrote:
>> On Sunday 01 January 2006 22:51, jdow wrote:
>> [...]
>>
>> >> Anyway, the rule that's applying the 3.8 score is
>> >> HELO_DYNAMIC_IPADDR2.
>> >>
>> >> ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from /
>> >> because that rule isn't present in any of the
>> >> .spamassassin(/rulesdujour) or /etc/mail/spamassassin
>> >> directories. If I can reduce that by about 1.2, that would fix
>> >> the majority of the FP's here. That rule even grabbed a message
>> >> from a close friend just 10 miles away last nite cause he'd also
>> >> stuck a bunch of !!! on the end of a happy new year subject
>> >> line.
>> >
>> >/usr/share/spamassassin/*.cf
>> >
>> >The score you got seems higher than the 3.04 score. But that could
>> >have been adjusted with 3.10 so I didn't comment.
>> >
>> >{^_^}
>>
>> Well, I've now defined it to be 2.8 in local.cf, and that's working
>> better but I feel I may have to reduce it another few tenths.
>>
>> One of the problems I think I've detected is that fetchmail isn't
>> doing a 100% verbatim suck from vz, but seems to be deleting some
>> of the history near the top of the header, but how much is unk. I
>> could copy the mailfile off before kmail grabs it and zeros out the
>> mailfile and then compare messages to see exactly what's missing.
>> That would define where the loss is better than my SWAG's. I'll do
>> that tomorrow.
>
>
>to my knowledge, fetchmail doesn't remove any headers at all.
> Procmail may be doing it or your MTA, depending upon how you are
> handling it.
>

Humm, AFAIK, fetchmail gets it from vz, writing it
to /var/spool/mail/gene and kmail takes it from there. And I'm just
using what the servers support, which for vz is 99.9% of zip, plain text
for everything.

Gmail's pop3 server at least uses ssl encryption for everything. OTOH,
I have my gmail prefs set to fwd it to vz, which is probably not the
'schmardtest' thing to do. I should cancel that, and let fetchmail get
it direct.

>after a few years of using fetchmail with 'proto imap' or 'proto
>auto' (which used imap protocol), I ended up switching to 'proto
> pop3' because the email 'accepted' by my isp included things like
> NUL characters in the headers which caused fetchmail to gag on the
> mail. When I switched to 'proto pop3' - the fetchmail politely
> handed the email off to my MTA (postfix) and expunged it from my ISP
> and thus, it ended up being a bit tidier. YMMV

Well, my reasons for using fetchmail is that its configuration is pretty
brain dead simple. And kmail has this habit of forgetting to hit the
network & fetch the mail itself if its config isn't refreshed about 2x a
week. Your basic old dogs (me at 71) and new tricks story...

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: SA suddenly giving lots of FP's?
On Mon, 2006-01-02 at 22:19 -0500, Gene Heskett wrote:
> On Sunday 01 January 2006 22:51, jdow wrote:
> [...]
>
> >> Anyway, the rule that's applying the 3.8 score is
> >> HELO_DYNAMIC_IPADDR2.
> >>
> >> ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from /
> >> because that rule isn't present in any of the
> >> .spamassassin(/rulesdujour) or /etc/mail/spamassassin directories.
> >> If I can reduce that by about 1.2, that would fix the majority of
> >> the FP's here. That rule even grabbed a message from a close
> >> friend just 10 miles away last nite cause he'd also stuck a bunch
> >> of !!! on the end of a happy new year subject line.
> >
> >/usr/share/spamassassin/*.cf
> >
> >The score you got seems higher than the 3.04 score. But that could
> >have been adjusted with 3.10 so I didn't comment.
> >
> >{^_^}
>
> Well, I've now defined it to be 2.8 in local.cf, and that's working
> better but I feel I may have to reduce it another few tenths.
>
> One of the problems I think I've detected is that fetchmail isn't doing
> a 100% verbatim suck from vz, but seems to be deleting some of the
> history near the top of the header, but how much is unk. I could copy
> the mailfile off before kmail grabs it and zeros out the mailfile and
> then compare messages to see exactly what's missing. That would define
> where the loss is better than my SWAG's. I'll do that tomorrow.

to my knowledge, fetchmail doesn't remove any headers at all. Procmail
may be doing it or your MTA, depending upon how you are handling it.

after a few years of using fetchmail with 'proto imap' or 'proto
auto' (which used imap protocol), I ended up switching to 'proto pop3'
because the email 'accepted' by my isp included things like NUL
characters in the headers which caused fetchmail to gag on the mail.
When I switched to 'proto pop3' - the fetchmail politely handed the
email off to my MTA (postfix) and expunged it from my ISP and thus, it
ended up being a bit tidier. YMMV

Craig
Re: SA suddenly giving lots of FP's?
On Sunday 01 January 2006 22:51, jdow wrote:
[...]
>> Anyway, the rule that's applying the 3.8 score is
>> HELO_DYNAMIC_IPADDR2.
>>
>> ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from /
>> because that rule isn't present in any of the
>> .spamassassin(/rulesdujour) or /etc/mail/spamassassin directories.
>> If I can reduce that by about 1.2, that would fix the majority of
>> the FP's here. That rule even grabbed a message from a close
>> friend just 10 miles away last nite cause he'd also stuck a bunch
>> of !!! on the end of a happy new year subject line.
>
>/usr/share/spamassassin/*.cf
>
>The score you got seems higher than the 3.04 score. But that could
>have been adjusted with 3.10 so I didn't comment.
>
>{^_^}

Well, I've now defined it to be 2.8 in local.cf, and that's working
better but I feel I may have to reduce it another few tenths.

One of the problems I think I've detected is that fetchmail isn't doing
a 100% verbatim suck from vz, but seems to be deleting some of the
history near the top of the header, but how much is unk. I could copy
the mailfile off before kmail grabs it and zeros out the mailfile and
then compare messages to see exactly what's missing. That would define
where the loss is better than my SWAG's. I'll do that tomorrow.

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: SA suddenly giving lots of FP's?
On Monday 02 January 2006 00:50, Chris Purves wrote:
>On Sunday 01 January 2006 12:24, Gene Heskett wrote:
>> On Saturday 31 December 2005 20:21, Chris Purves wrote:
>> >On Sun, January 1, 2006 3:28 am, Gene Heskett said:
>> >> On Saturday 31 December 2005 13:38, Rick Macdougall wrote:
>> >>>Gene Heskett wrote:
>> On Saturday 31 December 2005 12:42, Gene Heskett wrote:
>> > This morning I'm going thru my JunqueMail folder and find
>> > that about a dozen msgs to the OpenOffice list, 5 or 6 to the
>> > fedora list, and one to the gimp-print-devel list were
>> > flagged and sorted as *SPAN*. With one exception, all
>> > were in English.
>> >>>
>> >>>Would help if you let us know what rules got hit.
>> >>
>> >> Content analysis details: (5.7 points, 5.0 required)
>> >>
>> >> pts rule name description
>> >> --
>> >> --
>> >> 3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious
>> >> hostname (IP addr
>> >> 2)
>> >> 1.8 FORGED_YAHOO_RCVD 'From' yahoo.com does not match
>> >> 'Received' headers
>> >> -0.2 BAYES_40 BODY: Bayesian spam probability is
>> >> 20 to 40%
>> >> [score: 0.3369]
>> >> 0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in
>> >> abuse.rfc-ignorant.org
>> >
>> >Is that the entire header? You're missing a bunch of "Received"
>> > lines.
>>
>> FWIW, fetchmail sucks it and dumps it to /var/spool/mail/gene, &
>> kmail sucks it from there. This is due to a bug in the kmail suck
>> from servers code of quite long duration, 3 or 4 years now. Humm,
>> headers do seem to be getting lost!
>
>If some of the header is being removed, then that might be a problem.
> That could definitely trigger the FORGED_YAHOO_RCVD rule if the
> received header listing the Yahoo! server was removed.

In that event, how do I go about telling fetchmail that the mailfile it
generates in /var/spool/mail/gene is to be a verbatim copy of what was
sucked in the vz's server. My fetchmailrc is comparatively clean, with
no options that I know about set that would encourage the shrunken
headers. There are no OPTIONS currently defined.

-sanitized of course---
poll incoming.verizon.net with proto pop3
user XXX with password is gene
#options OPTIONS
poll pop.gmail.com with proto pop3
user ZZ with password is gene
options ssl
# end of file
-

Or is there some option I need to set to make it do verbatim sucks?

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: SA suddenly giving lots of FP's?
On Sunday 01 January 2006 12:24, Gene Heskett wrote:
> On Saturday 31 December 2005 20:21, Chris Purves wrote:
> >On Sun, January 1, 2006 3:28 am, Gene Heskett said:
> >> On Saturday 31 December 2005 13:38, Rick Macdougall wrote:
> >>>Gene Heskett wrote:
> On Saturday 31 December 2005 12:42, Gene Heskett wrote:
> > This morning I'm going thru my JunqueMail folder and find that
> > about a dozen msgs to the OpenOffice list, 5 or 6 to the fedeora
> > list, and one to the gimp-print-devel list were flagged and
> > sorted as *SPAN*.  With one exception, all were in
> > English.
> >>>
> >>>Would help if you let us know what rules got hit.
> >>
> >> Content analysis details:   (5.7 points, 5.0 required)
> >>
> >>  pts rule name              description
> >> ---- ---------------------- --------------------------------------------------
> >>  3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
> >>  1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
> >> -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
> >>                             [score: 0.3369]
> >>  0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
> >
> >Is that the entire header?  You're missing a bunch of "Received"
> > lines.
>
> FWIW, fetchmail sucks it and dumps it to /var/spool/mail/gene, & kmail
> sucks it from there.  This is due to a bug in the kmail suck from
> servers code of quite long duration, 3 or 4 years now.  Humm, headers
> do seem to be getting lost!
>

If some of the header is being removed, then that might be a problem. That could definitely trigger the FORGED_YAHOO_RCVD rule if the received header listing the Yahoo! server was removed.

-- 
Good day, eh.
Chris
Re: SA suddenly giving lots of FP's?
From: "Gene Heskett" <[EMAIL PROTECTED]>

On Sunday 01 January 2006 13:35, Stanislaw Halik wrote:

Gene Heskett <[EMAIL PROTECTED]> wrote:

ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from / because that rule isn't present in any of the .spamassassin(/rulesdujour) or /etc/mail/spamassassin directories.

it's in $PREFIX/share/spamassassin.

regards,

And you are likewise correct. Now I'm beginning to wonder, just where are _the definitive_ rulesets for SA? They seem to be scattered around rather liberally, almost like a friggin viri... I'd make a remark about cows and flat rocks, but I suspect there aren't too many farmer experienced folks reading this.

Stock rules are always in the address Stanislaw cited. The variable rules go into the /etc//spamassassin directory with the usually expanding the directory to /etc/mail/spamassassin. Sometimes it is blank, though.

{^_^}
Re: SA suddenly giving lots of FP's?
From: "Gene Heskett" <[EMAIL PROTECTED]>

On Sunday 01 January 2006 00:56, jdow wrote:

From: "Gene Heskett" <[EMAIL PROTECTED]>

On Saturday 31 December 2005 12:42, Gene Heskett wrote:

Greetings;

This morning I'm going thru my JunqueMail folder and find that about a dozen msgs to the OpenOffice list, 5 or 6 to the fedeora list, and one to the gimp-print-devel list were flagged and sorted as *SPAN*. With one exception, all were in English.

Damn, ancient fingers don't reliably type what I think. Fedeora is of course fedora, and SPAN=SPAM.

And rules=?

I'm still batting 999 on spam and ham here. (Sadly had a spam, one line message, no url or any other "address", and four lines of silliness quotes got through. No hams marked as spam. But with the setup you've described in the past, "I ain't surprised, Gene ol' buddy."

Aww, common Joanne, I can't be all bad, why I even rode a Harley once. But usually rice burners, most of them brought me home from wherever I'd ridden them. Except for one KZ-750, it ALWAYS came home in a pickup truck, so my name only lasted about a year on the title to that one.

{^_-}

Anyway, the rule that's applying the 3.8 score is HELO_DYNAMIC_IPADDR2. ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from / because that rule isn't present in any of the .spamassassin(/rulesdujour) or /etc/mail/spamassassin directories. If I can reduce that by about 1.2, that would fix the majority of the FP's here. That rule even grabbed a message from a close friend just 10 miles away last nite cause he'd also stuck a bunch of !!! on the end of a happy new year subject line.

/usr/share/spamassassin/*.cf

The score you got seems higher than the 3.04 score. But that could have been adjusted with 3.10 so I didn't comment.

{^_^}
Re: SA suddenly giving lots of FP's?
Gene Heskett wrote:
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
>  1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
> -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
>                             [score: 0.3369]
>  0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
>

- make sure your trusted networks are set correctly. This should be manually set. since you're using fetchmail, include your MSP IP in the trusted_networks (not your ISP MSA). otherwise, SA will try to guess, which is a bug IMHO (the fix being simple: require that people set their trusted net).

- which headers match the HELO_DYNAMIC_IPADDR2 and FORGED_YAHOO_RCVD?
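The trusted_networks advice above, as an added example that is not part of the original thread: a simplified Python model (not SpamAssassin's own code) of how the trusted list decides which Received hop counts as the first untrusted relay. The first two Received headers are modelled on the ones quoted in this thread; the third hop, the example.* names and the explicit 127/8 entry are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample. The first two Received headers are modelled on the ones
# quoted in this thread; the third hop and all example.* names are invented.
SAMPLE = """\
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby coyote.coyote.den (8.12.11/8.12.10) with ESMTP id k014Gv7g021793;
\tSat, 31 Dec 2005 23:16:57 -0500
Received: from incoming.verizon.net [206.46.232.10]
\tby localhost with POP3 (fetchmail-6.2.5.5);
\tSat, 31 Dec 2005 23:16:57 -0500 (EST)
Received: from dsl-192-0-2-45.example.net (dsl-192-0-2-45.example.net [192.0.2.45])
\tby mx.example.org with ESMTP; Sat, 31 Dec 2005 23:16:50 -0500
From: someone@example.com
Subject: constructed test message

body
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw):
    """Bracketed IPv4 address of each Received header, newest hop first."""
    msg = message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):
        match = BRACKETED_IP.search(value)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def parse_networks(spec):
    """Parse trusted_networks-style entries such as '206.46.232/24' or '127.'."""
    nets = []
    for item in spec.split():
        addr, _, bits = item.partition("/")
        octets = addr.rstrip(".").split(".")
        if not bits:                      # no mask given: one octet = 8 bits
            bits = str(8 * len(octets))
        octets += ["0"] * (4 - len(octets))
        nets.append(ipaddress.ip_network(".".join(octets) + "/" + bits,
                                         strict=False))
    return nets


def first_untrusted(raw, trusted_spec):
    """Walk hops newest-first; return the first IP outside the trusted list."""
    nets = parse_networks(trusted_spec)
    for ip in relay_ips(raw):
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    # Without the POP server listed, Verizon's host looks like the external relay.
    print(first_untrusted(SAMPLE, "127/8"))
    # With it listed (the value used in this thread), the real sender is exposed.
    print(first_untrusted(SAMPLE, "127/8 206.46.232/24"))
```

Running the same function over a saved copy of a flagged message shows which hop the relay-based checks would be looking at under a given trusted_networks value.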
Re: SA suddenly giving lots of FP's?
Gene Heskett <[EMAIL PROTECTED]> wrote:
> Now I'm beginning to wonder, just where are _the definitive_ rulesets
> for SA?  They seem to be scattered around rather liberally, almost
> like a friggin viri...

ones in $PREFIX/share/spamassassin are the default 'safe' rulesets from SA distribution. these in $PREFIX/etc/mail/spamassassin are the optional ones, added by you or some script.

-- 
Stanisław Halik, http://tehran.lain.pl
Re: SA suddenly giving lots of FP's?
On Sunday 01 January 2006 13:35, Stanislaw Halik wrote:
>Gene Heskett <[EMAIL PROTECTED]> wrote:
>> ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from /
>> because that rule isn't present in any of the
>> .spamassassin(/rulesdujour) or /etc/mail/spamassassin directories.
>
>it's in $PREFIX/share/spamassassin.
>
>regards,

And you are likewise correct. Now I'm beginning to wonder, just where are _the definitive_ rulesets for SA? They seem to be scattered around rather liberally, almost like a friggin viri... I'd make a remark about cows and flat rocks, but I suspect there aren't too many farmer experienced folks reading this. One of the advantages of being an old fart :-)

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: SA suddenly giving lots of FP's?
Gene Heskett <[EMAIL PROTECTED]> wrote:
> ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from / because
> that rule isn't present in any of the .spamassassin(/rulesdujour) or
> /etc/mail/spamassassin directories.

it's in $PREFIX/share/spamassassin.

regards,
-- 
Stanisław Halik, http://tehran.lain.pl
Re: SA suddenly giving lots of FP's?
On Sunday 01 January 2006 00:56, jdow wrote:
>From: "Gene Heskett" <[EMAIL PROTECTED]>
>
>> On Saturday 31 December 2005 12:42, Gene Heskett wrote:
>>>Greetings;
>>>
>>>This morning I'm going thru my JunqueMail folder and find that
>>> about a dozen msgs to the OpenOffice list, 5 or 6 to the fedeora
>>> list, and one to the gimp-print-devel list were flagged and sorted
>>> as *SPAN*.  With one exception, all were in English.
>>
>> Damn, ancient fingers don't reliably type what I think.  Fedeora is
>> of course fedora, and SPAN=SPAM.
>
>And rules=?
>
>I'm still batting 999 on spam and ham here. (Sadly had a spam, one
> line message, no url or any other "address", and four lines of
> silliness quotes got through. No hams marked as spam. But with the
> setup you've described in the past, "I ain't surprised, Gene ol'
> buddy."

Aww, common Joanne, I can't be all bad, why I even rode a Harley once. But usually rice burners, most of them brought me home from wherever I'd ridden them. Except for one KZ-750, it ALWAYS came home in a pickup truck, so my name only lasted about a year on the title to that one.

Anyway, the rule that's applying the 3.8 score is HELO_DYNAMIC_IPADDR2. ATM, I have a "grep -R HELO_DYNAMIC_IPADDR2 *" running from / because that rule isn't present in any of the .spamassassin(/rulesdujour) or /etc/mail/spamassassin directories. If I can reduce that by about 1.2, that would fix the majority of the FP's here. That rule even grabbed a message from a close friend just 10 miles away last nite cause he'd also stuck a bunch of !!! on the end of a happy new year subject line.

I expect that grep to take a few hours, over 300+GB of drives live off of /, but there isn't any way to tell grep to ignore /amandatapes, which is 180GB of that. Not that I know of anyway. You'll instruct me I expect if there is...

I hope you & yours had a merry Christmas, and a suitably blurry new year.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: SA suddenly giving lots of FP's?
From: "Gene Heskett" <[EMAIL PROTECTED]>

On Saturday 31 December 2005 12:42, Gene Heskett wrote:

Greetings;

This morning I'm going thru my JunqueMail folder and find that about a dozen msgs to the OpenOffice list, 5 or 6 to the fedeora list, and one to the gimp-print-devel list were flagged and sorted as *SPAN*. With one exception, all were in English.

Damn, ancient fingers don't reliably type what I think. Fedeora is of course fedora, and SPAN=SPAM.

And rules=?

I'm still batting 999 on spam and ham here. (Sadly had a spam, one line message, no url or any other "address", and four lines of silliness quotes got through. No hams marked as spam. But with the setup you've described in the past, "I ain't surprised, Gene ol' buddy."

{^_-}
Re: SA suddenly giving lots of FP's?
On Saturday 31 December 2005 20:21, Chris Purves wrote:
>On Sun, January 1, 2006 3:28 am, Gene Heskett said:
>> On Saturday 31 December 2005 13:38, Rick Macdougall wrote:
>>>Gene Heskett wrote:
On Saturday 31 December 2005 12:42, Gene Heskett wrote:
> This morning I'm going thru my JunqueMail folder and find that
> about a dozen msgs to the OpenOffice list, 5 or 6 to the fedeora
> list, and one to the gimp-print-devel list were flagged and
> sorted as *SPAN*.  With one exception, all were in
> English.
>>>
>>>Would help if you let us know what rules got hit.
>>
>> No doubt Rick, but I ran them thru learn-ham and manually sorted
>> them to the right folders, but lemme see if I can find one of them
>> in the OOo list, brb.  Yeah, here's a snip:
>>
>> Received: from localhost by coyote.coyote.den
>>         with SpamAssassin (version 3.1.0);
>>         Fri, 30 Dec 2005 20:39:25 -0500
>> From: Leah Lefler <[EMAIL PROTECTED]>
>> To: users@openoffice.org
>> Subject: *SPAM* [users] question about Base
>> Date: Fri, 30 Dec 2005 16:04:04 -0800 (PST)
>> Message-Id: <[EMAIL PROTECTED]>
>> X-Spam-Flag: YES
>> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
>>         coyote.coyote.den
>> X-Spam-Level: *
>> X-Spam-Status: Yes, score=5.7 required=5.0
>>         tests=BAYES_40,DNS_FROM_RFC_ABUSE,
>>         FORGED_YAHOO_RCVD,HELO_DYNAMIC_IPADDR2 autolearn=no
>>         version=3.1.0
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>>         boundary="--=_43B5E14D.9501384C"
>> X-UID:
>> Status: RO
>> X-Status: RPC
>> X-KMail-EncryptionState: N
>> X-KMail-SignatureState: N
>> X-KMail-MDN-Sent:
>>
>> Content analysis details:   (5.7 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
>>  1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
>> -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
>>                             [score: 0.3369]
>>  0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
>
>Is that the entire header?  You're missing a bunch of "Received"
> lines.

Humm, that was a highlight & paste, with the src file 'show all headers' on in kmail-1.7. I don't usually look at even that much header as they take up way too much screen real estate. I run x at 1600x1200 here, but also use 18 to 20 point fonts. Silky smooth fonts that way.

FWIW, fetchmail sucks it and dumps it to /var/spool/mail/gene, & kmail sucks it from there. This is due to a bug in the kmail suck from servers code of quite long duration, 3 or 4 years now. Humm, headers do seem to be getting lost! I just catted the last fetchmail run and there are headers above those IN THIS FILE:

-----
From [EMAIL PROTECTED] Sat Dec 31 23:16:57 2005
Return-Path: <[EMAIL PROTECTED]>
Received: from localhost (localhost.localdomain [127.0.0.1])
        by coyote.coyote.den (8.12.11/8.12.10) with ESMTP id k014Gv7g021793
        for <[EMAIL PROTECTED]>; Sat, 31 Dec 2005 23:16:57 -0500
Received: from incoming.verizon.net [206.46.232.10]
        by localhost with POP3 (fetchmail-6.2.5.5)
        for [EMAIL PROTECTED] (single-drop); Sat, 31 Dec 2005 23:16:57 -0500 (EST)

which is not the same message, and therefore a waste of bandwidth I think. Too bad the /var/spool/mail/gene files contents are so ephemeral.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: SA suddenly giving lots of FP's?
On Sun, January 1, 2006 3:28 am, Gene Heskett said:
> On Saturday 31 December 2005 13:38, Rick Macdougall wrote:
>>Gene Heskett wrote:
>>> On Saturday 31 December 2005 12:42, Gene Heskett wrote:
This morning I'm going thru my JunqueMail folder and find that about a dozen msgs to the OpenOffice list, 5 or 6 to the fedeora list, and one to the gimp-print-devel list were flagged and sorted as *SPAN*. With one exception, all were in English.
>>
>>Would help if you let us know what rules got hit.
>>
> No doubt Rick, but I ran them thru learn-ham and manually sorted them to
> the right folders, but lemme see if I can find one of them in the OOo
> list, brb.  Yeah, here's a snip:
>
> Received: from localhost by coyote.coyote.den
>         with SpamAssassin (version 3.1.0);
>         Fri, 30 Dec 2005 20:39:25 -0500
> From: Leah Lefler <[EMAIL PROTECTED]>
> To: users@openoffice.org
> Subject: *SPAM* [users] question about Base
> Date: Fri, 30 Dec 2005 16:04:04 -0800 (PST)
> Message-Id: <[EMAIL PROTECTED]>
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
>         coyote.coyote.den
> X-Spam-Level: *
> X-Spam-Status: Yes, score=5.7 required=5.0
>         tests=BAYES_40,DNS_FROM_RFC_ABUSE,
>         FORGED_YAHOO_RCVD,HELO_DYNAMIC_IPADDR2 autolearn=no
>         version=3.1.0
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>         boundary="--=_43B5E14D.9501384C"
> X-UID:
> Status: RO
> X-Status: RPC
> X-KMail-EncryptionState: N
> X-KMail-SignatureState: N
> X-KMail-MDN-Sent:
>
> Content analysis details:   (5.7 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
>  1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
> -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
>                             [score: 0.3369]
>  0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
>

Is that the entire header? You're missing a bunch of "Received" lines.

-- 
Good day, eh.
Chris
Re: SA suddenly giving lots of FP's?
On Saturday 31 December 2005 13:38, Rick Macdougall wrote:
>Gene Heskett wrote:
>> On Saturday 31 December 2005 12:42, Gene Heskett wrote:
>>> Greetings;
>>>
>>> This morning I'm going thru my JunqueMail folder and find that
>>> about a dozen msgs to the OpenOffice list, 5 or 6 to the fedeora
>>> list, and one to the gimp-print-devel list were flagged and sorted
>>> as *SPAN*.  With one exception, all were in English.
>>>
>>> Using rulesdujour here, and pyzor too along with SA3.10.  Has
>>> anyone else had a spate of this today?
>
>Would help if you let us know what rules got hit.
>
>Rick

No doubt Rick, but I ran them thru learn-ham and manually sorted them to the right folders, but lemme see if I can find one of them in the OOo list, brb. Yeah, here's a snip:

Received: from localhost by coyote.coyote.den
        with SpamAssassin (version 3.1.0);
        Fri, 30 Dec 2005 20:39:25 -0500
From: Leah Lefler <[EMAIL PROTECTED]>
To: users@openoffice.org
Subject: *SPAM* [users] question about Base
Date: Fri, 30 Dec 2005 16:04:04 -0800 (PST)
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on coyote.coyote.den
X-Spam-Level: *
X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_40,DNS_FROM_RFC_ABUSE,
        FORGED_YAHOO_RCVD,HELO_DYNAMIC_IPADDR2 autolearn=no version=3.1.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_43B5E14D.9501384C"
X-UID:
Status: RO
X-Status: RPC
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:

Spam detection software, running on the system "coyote.coyote.den", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Hello, Why does Open Office not support Microsoft Access
  files? If it does, how can I make it work? Thanks. Leah [...]

Content analysis details:   (5.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3369]
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view it,
it may be safer to save it to a file and open it with an editor.
=====

So the total score isn't a lot over 5. Ideas?

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
Re: SA suddenly giving lots of FP's?
Gene Heskett wrote:

On Saturday 31 December 2005 12:42, Gene Heskett wrote:

Greetings;

This morning I'm going thru my JunqueMail folder and find that about a dozen msgs to the OpenOffice list, 5 or 6 to the fedeora list, and one to the gimp-print-devel list were flagged and sorted as *SPAN*. With one exception, all were in English.

Using rulesdujour here, and pyzor too along with SA3.10. Has anyone else had a spate of this today?

Would help if you let us know what rules got hit.

Rick
Re: SA suddenly giving lots of FP's?
On Saturday 31 December 2005 12:42, Gene Heskett wrote:
>Greetings;
>
>This morning I'm going thru my JunqueMail folder and find that about
> a dozen msgs to the OpenOffice list, 5 or 6 to the fedeora list, and
> one to the gimp-print-devel list were flagged and sorted as
> *SPAN*.  With one exception, all were in English.

Damn, ancient fingers don't reliably type what I think. Fedeora is of course fedora, and SPAN=SPAM.

>Using rulesdujour here, and pyzor too along with SA3.10.  Has anyone
>else had a spate of this today?

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.