Re: Score=x+5

2006-12-07 Thread Mark Martinec
On Thursday December 7 2006 18:21, Fred T wrote:
> > -0.0 P0F_UNIX   OS fingerprint BSD/Solaris/HP-UX/Tru64
> I'm curious about P0F_UNIX could you share this rule with me?  And any
> similar fingerprint rules?  Thanks!

The rules are quite straightforward (see below) - just matching
on inserted header field, which can be inserted by amavisd-new
(or some other sw component like milter or policy daemon or SA plugin),
based on results from p0f ( http://lcamtuf.coredump.cx/p0f.shtml ).

See release notes, p0f support was introduced with version 2.4.0:
  http://www.ijs.si/software/amavisd/release-notes.txt


Here is my current set:

header L_P0F_WXP   X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
score  L_P0F_WXP   3.0
header L_P0F_W     X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
score  L_P0F_W     1.7
header L_P0F_UNKN  X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
score  L_P0F_UNKN  0.8
header L_P0F_Unix  X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)/
score  L_P0F_Unix  -1.0
header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
score  L_P0F_Linux -0.1

plus a couple to slightly favour network proximity,
which works well in my environment, but may not work
so well elsewhere:

header L_P0F_D1234 X-Amavis-OS-Fingerprint =~ /\bdistance [1-4](?![0-9])/
header L_P0F_D5    X-Amavis-OS-Fingerprint =~ /\bdistance 5(?![0-9])/
header L_P0F_D6    X-Amavis-OS-Fingerprint =~ /\bdistance 6(?![0-9])/
header L_P0F_D7    X-Amavis-OS-Fingerprint =~ /\bdistance 7(?![0-9])/
header L_P0F_D8    X-Amavis-OS-Fingerprint =~ /\bdistance 8(?![0-9])/
header L_P0F_D9    X-Amavis-OS-Fingerprint =~ /\bdistance 9(?![0-9])/
header L_P0F_D10   X-Amavis-OS-Fingerprint =~ /\bdistance 10(?![0-9])/
header L_P0F_D11   X-Amavis-OS-Fingerprint =~ /\bdistance 11(?![0-9])/
score  L_P0F_D1234 -0.5
score  L_P0F_D5    -0.5
score  L_P0F_D6    -0.5
score  L_P0F_D7    -0.5
score  L_P0F_D8    -0.5
score  L_P0F_D9    -0.5
score  L_P0F_D10   -0.3
score  L_P0F_D11   -0.3

  Mark
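
Added example (not part of the original message): a small Python harness that parses a subset of the rules above and shows which ones hit, and with what total, for a given X-Amavis-OS-Fingerprint value. The sample header values are constructed, and their exact p0f wording is an assumption.

```python
import re

# Subset of the rules posted above, in SpamAssassin "header"/"score" syntax.
RULES = r"""
header L_P0F_WXP   X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
score  L_P0F_WXP   3.0
header L_P0F_W     X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
score  L_P0F_W     1.7
header L_P0F_Unix  X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)/
score  L_P0F_Unix  -1.0
header L_P0F_D1234 X-Amavis-OS-Fingerprint =~ /\bdistance [1-4](?![0-9])/
score  L_P0F_D1234 -0.5
header L_P0F_D10   X-Amavis-OS-Fingerprint =~ /\bdistance 10(?![0-9])/
score  L_P0F_D10   -0.3
"""

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/\s*$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")

def load_rules(text):
    """Parse header/score lines into {rule: (header, compiled regex, score)}."""
    tests, scores = {}, {}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            tests[m[1]] = (m[2], re.compile(m[3]))
        elif m := SCORE_RE.match(line):
            scores[m[1]] = float(m[2])
    return {name: (hdr, rx, scores[name]) for name, (hdr, rx) in tests.items()}

def evaluate(rules, value, header="X-Amavis-OS-Fingerprint"):
    """Return ({rule: score} for every rule that hits, total score)."""
    hits = {n: s for n, (h, rx, s) in rules.items() if h == header and rx.search(value)}
    return hits, round(sum(hits.values()), 3)

# Constructed header values; the exact p0f wording is an assumption.
SAMPLES = [
    "Windows XP SP1+, (distance 14, link: ethernet/modem), [192.0.2.11]",
    "Windows XP SP1+, 2000 SP3, (distance 12, link: ethernet/modem), [192.0.2.10]",
    "Windows 2000 SP4, XP SP1+, (distance 3, link: ethernet/modem), [192.0.2.12]",
    "FreeBSD 6.x (1), (distance 10, link: ethernet/modem), [192.0.2.13]",
]

if __name__ == "__main__":
    rules = load_rules(RULES)
    for sample in SAMPLES:
        print(evaluate(rules, sample), "<-", sample)
```

The second sample hits neither Windows rule: the lookahead in L_P0F_WXP rejects a fingerprint that also names "2000 SP", and L_P0F_W excludes anything starting with "Windows XP". The last sample shows the `(?![0-9])` guard keeping "distance 10" out of the 1-4 bucket.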


Re: Score=x+5

2006-12-07 Thread Fred T
Hello Alan,

Wednesday, November 29, 2006, 8:23:14 PM, you wrote:

> -0.0 P0F_UNIX   OS fingerprint BSD/Solaris/HP-UX/Tru64

I'm curious about P0F_UNIX could you share this rule with me?  And any
similar fingerprint rules?  Thanks!


-- 
Best regards,
 Fred



Re: Score=x+5

2006-11-29 Thread Matt Kettler
Alan Munday wrote:
> I've just seen a mail marked as spammy (amavisd-new) where the score
> header had Score=x+5 where x was the sum of the SA tests.
>
> X-Spam-Status: Yes, score=0.917+5 tagged_above=0 required=5
> tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01,
> FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001,
> SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231,
> SPF_PASS=-0.001]
>
> I'm curious as to where the 5 came from as the mail report does
> not look like spam: 

My guess would be amavis's soft-blacklist feature.
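
Added example (not part of the original thread): a Python parser for the two X-Spam-Status forms quoted in this thread, `score=0.917+5` and `score=x`. It separates the SpamAssassin score from the term after the `+`, checks the score against the sum of the listed tests, and reports whether the message only crossed `required` because of the added term. Only the forms seen in the thread are handled; the field names in the returned dict are this example's own.

```python
import re

STATUS_RE = re.compile(
    r"^(Yes|No),\s+score=(\S+)\s+tagged_above=(\S+)\s+required=(\S+)\s+tests=\[([^\]]*)\]")

def parse_status(value):
    """Split an amavisd-new X-Spam-Status value into its SA score and added term."""
    m = STATUS_RE.match(" ".join(value.split()))      # unfold continuation lines
    if not m:
        raise ValueError("unrecognised X-Spam-Status value")
    verdict, raw, _tag, required, test_list = m.groups()
    tests = {}
    for item in test_list.split(","):
        name, sep, points = item.strip().partition("=")
        if sep:
            tests[name] = float(points)
    if raw == "x":                                    # no SA score was computed
        sa_score, added = None, 0.0
    else:
        sa_part, _, added_part = raw.partition("+")   # "0.917+5" -> "0.917", "5"
        sa_score, added = float(sa_part), float(added_part or 0)
    total = None if sa_score is None else round(sa_score + added, 3)
    return {
        "verdict": verdict, "sa_score": sa_score, "added": added, "total": total,
        "required": float(required), "tests_sum": round(sum(tests.values()), 3),
        # True when the SA tests alone stay under the threshold but the total does not
        "over_only_with_added": sa_score is not None
            and sa_score < float(required) <= total,
    }

# Header values copied from the messages in this thread.
BOOSTED = """Yes, score=0.917+5 tagged_above=0 required=5
 tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01,
 FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001,
 SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231,
 SPF_PASS=-0.001]"""
UNSCORED = "No, score=x tagged_above=-999 required=5 tests=[]"

if __name__ == "__main__":
    print(parse_status(BOOSTED))
    print(parse_status(UNSCORED))
```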


Re: Score=x ?

2006-10-04 Thread M.Lewis

Benny Pedersen wrote:
> On Wed, October 4, 2006 05:59, M.Lewis wrote:
>> X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
>
> check amavisd.conf for $sa_mail_body_size_limit is higher than the mail size in this
> mail, if it is amavisd disabled scanning of this mail



Thanks Benny. I seriously doubt that was it as the message in question 
was 268KB. However I will check it out.


Thank you very much!
Mike

--

 Software engineer: One who engineers others into writing the code for 
him/her.

  02:35:01 up  2:18,  7 users,  load average: 0.46, 0.31, 0.24

 Linux Registered User #241685  http://counter.li.org


Re: Score=x ?

2006-10-04 Thread Benny Pedersen

On Wed, October 4, 2006 09:18, Benny Pedersen wrote:
> On Wed, October 4, 2006 05:59, M.Lewis wrote:
>> X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
> check amavisd.conf for $sa_mail_body_size_limit is higher than the mail size in this
> mail, if it is amavisd disabled scanning of this mail

sorry it's lower, not higher size, but this is the only time i have seen score=x with
amavisd, you can raise the size limit so you scan them as well, just don't set the limit too
high, but still high enough to not let spam through

-- 
"This message was sent using 100% recycled spam mails."



Re: Score=x ?

2006-10-04 Thread Benny Pedersen

On Wed, October 4, 2006 05:59, M.Lewis wrote:
> X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]

check amavisd.conf for $sa_mail_body_size_limit is higher than the mail size in this
mail, if it is amavisd disabled scanning of this mail

-- 
"This message was sent using 100% recycled spam mails."



Re: Score=x ?

2006-10-03 Thread Matt Kettler
That's an amavis thing, but I presume it means there is no score (ie: SA
did not completely analyze the message, so no score was computed).

This could mean message was not fed to spamassassin (due to hard
whitelist or bypass_spam_checks), or amavis timed-out the spamassassin
process (which is very likely to happen if your sa_timeout is less than
120, and you are using bayes).

That said, you'd have to ask someone who knows amavisd-new. I don't. But
that's my best educated guess. I hope it helps some.


M.Lewis wrote:
>
> I've seen a couple of mails come through lately with score=x. Perhaps
> there have been some coming in all along like that and I haven't
> noticed it.
>
> What does score=x mean?
>
> Thanks,
> Mike
>
>
> X-Virus-Scanned: amavisd-new at cajuninc.com
> X-Spam-Score: -
> X-Spam-Level:
> X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
> Received: from moe.cajuninc.com ([127.0.0.1])
> by localhost (moe.cajuninc.com [127.0.0.1]) (amavisd-new, port 10024)
> with ESMTP id uJfhQbv7NXdm for <[EMAIL PROTECTED]>;
> Tue,  3 Oct 2006 10:58:26 -0500 (EST)
> Received: from moe.cajuninc.com (moe.cajuninc.com [127.0.0.1])
> by moe.cajuninc.com (Postfix) with ESMTP id A602F640189
> for <[EMAIL PROTECTED]>; Tue,  3 Oct 2006 10:58:07 -0500 (EST)
>



Re: Score=x ?

2006-10-03 Thread M.Lewis


Matt Kettler wrote:
> That's an amavis thing, but I presume it means there is no score (ie: SA
> did not completely analyze the message, so no score was computed).
>
> This could mean message was not fed to spamassassin (due to hard
> whitelist or bypass_spam_checks), or amavis timed-out the spamassassin
> process (which is very likely to happen if your sa_timeout is less than
> 120, and you are using bayes).
>
> That said, you'd have to ask someone who knows amavisd-new. I don't. But
> that's my best educated guess. I hope it helps some.



Thanks Matt. You could be right. I don't know. I will ask on Amavis list 
as Theo suggested.


M


> M.Lewis wrote:
>> I've seen a couple of mails come through lately with score=x. Perhaps
>> there have been some coming in all along like that and I haven't
>> noticed it.
>>
>> What does score=x mean?
>>
>> Thanks,
>> Mike
>>
>>
>> X-Virus-Scanned: amavisd-new at cajuninc.com
>> X-Spam-Score: -
>> X-Spam-Level:
>> X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
>> Received: from moe.cajuninc.com ([127.0.0.1])
>> by localhost (moe.cajuninc.com [127.0.0.1]) (amavisd-new, port 10024)
>> with ESMTP id uJfhQbv7NXdm for <[EMAIL PROTECTED]>;
>> Tue,  3 Oct 2006 10:58:26 -0500 (EST)
>> Received: from moe.cajuninc.com (moe.cajuninc.com [127.0.0.1])
>> by moe.cajuninc.com (Postfix) with ESMTP id A602F640189
>> for <[EMAIL PROTECTED]>; Tue,  3 Oct 2006 10:58:07 -0500 (EST)





--

 As far as we know, our computer has never had an undetected error.  - 
Weisert

  23:25:01 up 13 days,  4:59,  8 users,  load average: 0.07, 0.24, 0.39

 Linux Registered User #241685  http://counter.li.org


Re: Score=x ?

2006-10-03 Thread Theo Van Dinter
On Tue, Oct 03, 2006 at 10:59:40PM -0500, M.Lewis wrote:
> I've seen a couple of mails come through lately with score=x. Perhaps 
> there have been some coming in all along like that and I haven't noticed it.
> 
> What does score=x mean?
> X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
> Received: from moe.cajuninc.com ([127.0.0.1])
>   by localhost (moe.cajuninc.com [127.0.0.1]) (amavisd-new, port 10024)
[...]

amavis is doing the markup, so I would ask them.

-- 
Randomly Selected Tagline:
fail("Language designer not persuaded");# :-)
 -- Larry Wall in <[EMAIL PROTECTED]>

