No RBL checks - was - Re: score 0 autolearn=ham
>>> On 11/5/2012 at 6:44 PM, "Joseph Acquisto" wrote:
> On 11/5/2012 at 10:34 AM, Bowie Bailey wrote:
>> On 11/4/2012 10:10 PM, Joseph Acquisto wrote:
>>> On 11/4/2012 at 4:09 PM, Jari Fredriksson wrote:
>>>> 04.11.2012 22:33, Joseph Acquisto wrote:
>>>>> I'd love to use RBL but understand I can't, as the "last IP" is always the same, as I fetch all mail
>>>>> from a single POP. Perhaps I am missing something?
>>>> Yes. You put that "single POP" ESP address to your "trusted networks".
>>>> Then it works as designed.
>>> It is there, and has been, but RBL's are not being used, at all, it appears.
>>>
>>> Using lint I see:
>>> . . .
>>> Nov 4 20:58:40.611 [21327] dbg: config: read file /etc/mail/spamassassin/local.cf
>>> Nov 4 20:58:40.611 [21327] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
>>> . . .
>>> Nov 4 20:58:40.434 [21327] dbg: dns: is Net::DNS::Resolver available? yes
>>> . . .
>>> Nov 4 20:58:40.625 [21327] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
>>> Nov 4 20:58:40.627 [21327] dbg: reporter: local tests only, disabling SpamCop
>>> . . . .
>>>
>>> I see no mention of SpamHaus, or others, which I understood to be enabled by
>>> default. I have not disabled any of them, as far as I can tell.
>>
>> You don't have the "skip_rbl_checks" option set in the config or "-L" or
>> "--local" on your spamd config line do you?
>>
>> --
>> Bowie
>
> You mean in /etc/sysconfig/spamd ?
>
> Oh, no, no, never . . . ok, yes.
>
> (But it says *default*)
>
> joe a.

Hey, Guess What? All of a sudden it started working . . . all by itself . . .

Yeah, yeah, that's it . . . that's the ticket . . .

My thanks to one and all . . . I am beside myself with barely suppressed Joy . . .

I should go now, before I try more one-liners . . .

joe a.
Re: score 0 autolearn=ham
>>> On 11/5/2012 at 10:34 AM, Bowie Bailey wrote:
> On 11/4/2012 10:10 PM, Joseph Acquisto wrote:
>> On 11/4/2012 at 4:09 PM, Jari Fredriksson wrote:
>>> 04.11.2012 22:33, Joseph Acquisto wrote:
>>>> I'd love to use RBL but understand I can't, as the "last IP" is always the
>>>> same, as I fetch all mail from a single POP. Perhaps I am missing something?
>>> Yes. You put that "single POP" ESP address to your "trusted networks".
>>> Then it works as designed.
>>>
>> It is there, and has been, but RBL's are not being used, at all, it appears.
>>
>> Using lint I see:
>> . . .
>> Nov 4 20:58:40.611 [21327] dbg: config: read file /etc/mail/spamassassin/local.cf
>> Nov 4 20:58:40.611 [21327] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
>> . . .
>> Nov 4 20:58:40.434 [21327] dbg: dns: is Net::DNS::Resolver available? yes
>> . . .
>> Nov 4 20:58:40.625 [21327] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
>> Nov 4 20:58:40.627 [21327] dbg: reporter: local tests only, disabling SpamCop
>> . . . .
>>
>> I see no mention of SpamHaus, or others, which I understood to be enabled by
>> default. I have not disabled any of them, as far as I can tell.
>
> You don't have the "skip_rbl_checks" option set in the config or "-L" or
> "--local" on your spamd config line do you?
>
> --
> Bowie

You mean in /etc/sysconfig/spamd ?

Oh, no, no, never . . . ok, yes.

(But it says *default*)

joe a.
Re: score 0 autolearn=ham
On 11/4/2012 10:10 PM, Joseph Acquisto wrote:
> On 11/4/2012 at 4:09 PM, Jari Fredriksson wrote:
>> 04.11.2012 22:33, Joseph Acquisto wrote:
>>> I'd love to use RBL but understand I can't, as the "last IP" is always the
>>> same, as I fetch all mail from a single POP. Perhaps I am missing something?
>> Yes. You put that "single POP" ESP address to your "trusted networks".
>> Then it works as designed.
>
> It is there, and has been, but RBL's are not being used, at all, it appears.
>
> Using lint I see:
> . . .
> Nov 4 20:58:40.611 [21327] dbg: config: read file /etc/mail/spamassassin/local.cf
> Nov 4 20:58:40.611 [21327] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
> . . .
> Nov 4 20:58:40.434 [21327] dbg: dns: is Net::DNS::Resolver available? yes
> . . .
> Nov 4 20:58:40.625 [21327] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
> Nov 4 20:58:40.627 [21327] dbg: reporter: local tests only, disabling SpamCop
> . . . .
>
> I see no mention of SpamHaus, or others, which I understood to be enabled by
> default. I have not disabled any of them, as far as I can tell.

You don't have the "skip_rbl_checks" option set in the config or "-L" or "--local" on your spamd config line do you?

--
Bowie
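The two settings named in the reply above can be checked mechanically. This is an added example, not part of the original thread: it looks for an active skip_rbl_checks in SpamAssassin config text and for "-L" / "--local" in a spamd options file. The sample file contents and the SPAMD_ARGS variable name are constructed for illustration.

```python
import re
import shlex

# Constructed samples. SPAMD_ARGS is a hypothetical variable name; the thread
# only says the flag lived somewhere in /etc/sysconfig/spamd.
LOCAL_CF = """\
# skip_rbl_checks 1   (commented out, so it has no effect)
trusted_networks 192.168.7/24
skip_rbl_checks 1
"""
SPAMD_OPTIONS = """\
# constructed example of a spamd options file
SPAMD_ARGS="-d -c -m5 -L -H"
"""

def skip_rbl_enabled(config_text):
    """True if the last uncommented skip_rbl_checks line sets the value 1."""
    active = False
    for line in config_text.splitlines():
        uncommented = line.split("#", 1)[0]
        m = re.match(r"\s*skip_rbl_checks\s+(\S+)", uncommented)
        if m:
            active = m.group(1) == "1"  # a later line overrides an earlier one
    return active

def spamd_local_flags(options_text):
    """Return every -L / --local found, whether inside VAR="..." or bare."""
    hits = []
    for line in options_text.splitlines():
        for word in shlex.split(line, comments=True):
            _, _, value = word.partition("=")
            for opt in (value or word).split():
                if opt in ("-L", "--local"):
                    hits.append(opt)
    return hits

def diagnose(config_text, options_text):
    """List the reasons network (RBL) tests would be switched off."""
    reasons = []
    if skip_rbl_enabled(config_text):
        reasons.append("skip_rbl_checks is set to 1")
    for flag in spamd_local_flags(options_text):
        reasons.append("spamd is started with " + flag)
    return reasons

if __name__ == "__main__":
    for reason in diagnose(LOCAL_CF, SPAMD_OPTIONS):
        print("RBL checks disabled:", reason)
```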
Re: score 0 autolearn=ham
>>> On 11/4/2012 at 7:10 PM, Martin Gregorie wrote:
> On Sun, 2012-11-04 at 15:33 -0500, Joseph Acquisto wrote:
>> >>> On 11/4/2012 at 8:34 AM, Martin Gregorie wrote:
>> > On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote:
>> >> >>> On 11/3/2012 at 9:15 PM, "Joseph Acquisto" wrote:
>> >> > Why do these score 0 ?
>> >> >
>> >> > http://pastebin.com/U4zFu8wk
>> >> > http://pastebin.com/MV9KbnbU
>> >>
>> > I ran the second one through my testing SA system: it got hits from
>> > several blacklists together with hits on RDNS_NONE and
>> > UNPARSEABLE_RELAY:
>>
>> I have RDNS_NONE 0, and UNPARSEABLE_RELAY 2. I understand 0 to mean "don't test", but don't
>> get why it did not flag UNPARSEABLE_RELAY.
>>
> Pass. Not enough information for me to understand the problem and anyway
> it's not something I fully understand.
>
>> >
>> > RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,
>> > RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL,
>> > URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL
>>
>> I'd love to use RBL but understand I can't, as the "last IP" is always the same, as I fetch all mail
>> from a single POP. Perhaps I am missing something?
>>
> My set-up is very similar to yours. I use getmail[1] to read mail from
> my POP3 mailbox on my ISP's mailserver and pass it on to my MTA, Postfix
> running on my house server, which hands incoming mail to Dovecot for
> delivery to my mailreader. In SA's local.cf I've set:
>
>     internal_networks 192.168.7/24
>
>     trusted_networks 192.168.7/24
>     trusted_networks 77.75.108.10 # my ISP's mailserver
>
> and with this set-up the various RBLs and URIBLs work just fine.
>
> [1] I started by using fetchmail, but it is buggy (network transients
> can cause it to leave mail it has read in the ISP mailbox forever) and
> various forums report that its author has marked these as "won't fix".
> So, I now use getmail instead. No problems to report so far! getmail
> even uses the same MDA script you may have written for fetchmail. The
> only significant difference is that fetchmail is a daemon that controls
> its own fetch frequency while getmail is a program that crond runs every
> 'n' minutes to look for and fetch mail.
>
>
> Martin

It was simple to set up getmail to get a test message, but it did not deliver it as expected. I expected it to be handed off to postfix/spamassassin, but it did not seem to do that.

But that is not a discussion for this list, I guess.

joe a.
Re: score 0 autolearn=ham
>>> On 11/4/2012 at 4:09 PM, Jari Fredriksson wrote:
> 04.11.2012 22:33, Joseph Acquisto wrote:
>> I'd love to use RBL but understand I can't, as the "last IP" is always the same, as I fetch all mail
>> from a single POP. Perhaps I am missing something?
> Yes. You put that "single POP" ESP address to your "trusted networks".
> Then it works as designed.
>

It is there, and has been, but RBL's are not being used, at all, it appears.

Using lint I see:
. . .
Nov 4 20:58:40.611 [21327] dbg: config: read file /etc/mail/spamassassin/local.cf
Nov 4 20:58:40.611 [21327] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
. . .
Nov 4 20:58:40.434 [21327] dbg: dns: is Net::DNS::Resolver available? yes
. . .
Nov 4 20:58:40.625 [21327] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
Nov 4 20:58:40.627 [21327] dbg: reporter: local tests only, disabling SpamCop
. . . .

I see no mention of SpamHaus, or others, which I understood to be enabled by default. I have not disabled any of them, as far as I can tell.

joe a.
Re: score 0 autolearn=ham
On Sun, 2012-11-04 at 15:33 -0500, Joseph Acquisto wrote:
> >>> On 11/4/2012 at 8:34 AM, Martin Gregorie wrote:
> > On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote:
> >> >>> On 11/3/2012 at 9:15 PM, "Joseph Acquisto" wrote:
> >> > Why do these score 0 ?
> >> >
> >> > http://pastebin.com/U4zFu8wk
> >> > http://pastebin.com/MV9KbnbU
> >>
> > I ran the second one through my testing SA system: it got hits from
> > several blacklists together with hits on RDNS_NONE and
> > UNPARSEABLE_RELAY:
>
> I have RDNS_NONE 0, and UNPARSEABLE_RELAY 2. I understand 0 to mean "don't test", but don't
> get why it did not flag UNPARSEABLE_RELAY.
>
Pass. Not enough information for me to understand the problem and anyway it's not something I fully understand.

> >
> > RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,
> > RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL,
> > URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL
>
> I'd love to use RBL but understand I can't, as the "last IP" is always the same, as I fetch all mail
> from a single POP. Perhaps I am missing something?
>
My set-up is very similar to yours. I use getmail[1] to read mail from my POP3 mailbox on my ISP's mailserver and pass it on to my MTA, Postfix running on my house server, which hands incoming mail to Dovecot for delivery to my mailreader. In SA's local.cf I've set:

    internal_networks 192.168.7/24

    trusted_networks 192.168.7/24
    trusted_networks 77.75.108.10 # my ISP's mailserver

and with this set-up the various RBLs and URIBLs work just fine.

[1] I started by using fetchmail, but it is buggy (network transients can cause it to leave mail it has read in the ISP mailbox forever) and various forums report that its author has marked these as "won't fix". So, I now use getmail instead. No problems to report so far! getmail even uses the same MDA script you may have written for fetchmail. The only significant difference is that fetchmail is a daemon that controls its own fetch frequency while getmail is a program that crond runs every 'n' minutes to look for and fetch mail.

Martin
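Why trusting the ISP's server changes which address gets looked up, as an added example that is not from the thread. It is a simplified model of the relay walk; SpamAssassin's own Received parsing handles many more header formats. The sample headers, host names and the 203.0.113.45 / 198.51.100.7 addresses are constructed; 77.75.108.10 and the 192.168.7 network come from the post above.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a message pulled over POP3 from the ISP's mail server.
SAMPLE = """\
Received: from mail.isp.example ([77.75.108.10]) by house.lan with POP3 (getmail)
Received: from unknown ([203.0.113.45]) by mail.isp.example with SMTP
Received: from forged.example ([198.51.100.7]) by unknown with SMTP
Subject: constructed sample

body
"""

IP_IN_FROM = re.compile(r"from\s+\S+\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def relay_ips(raw_message):
    """IPs named in the 'from' clause of each Received header, newest first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        m = IP_IN_FROM.search(header)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips

def first_untrusted_relay(raw_message, trusted_networks):
    """Walk the relay chain from the newest hop and return the first IP that is
    outside the trusted networks. Headers below that hop were written by hosts
    we do not trust, so they are never consulted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relay_ips(raw_message):
        if not any(ip in net for net in nets):
            return ip
    return None

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

if __name__ == "__main__":
    lan_only = ["192.168.7.0/24"]
    with_isp = lan_only + ["77.75.108.10"]
    # Without the ISP server trusted, every message yields the same "last IP".
    print(first_untrusted_relay(SAMPLE, lan_only))
    # With it trusted, the lookup moves to the host that handed mail to the ISP.
    ip = first_untrusted_relay(SAMPLE, with_isp)
    print(ip, dnsbl_query_name(ip, "zen.spamhaus.org"))
```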
Re: score 0 autolearn=ham
04.11.2012 22:33, Joseph Acquisto wrote:
> I'd love to use RBL but understand I can't, as the "last IP" is always the same, as I fetch all mail
> from a single POP. Perhaps I am missing something?

Yes. You put that "single POP" ESP address to your "trusted networks". Then it works as designed.

--
Is that really YOU that is reading this?
Re: score 0 autolearn=ham
>>> On 11/4/2012 at 8:34 AM, Martin Gregorie wrote:
> On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote:
>> >>> On 11/3/2012 at 9:15 PM, "Joseph Acquisto" wrote:
>> > Why do these score 0 ?
>> >
>> > http://pastebin.com/U4zFu8wk
>> > http://pastebin.com/MV9KbnbU
>> >
> I ran the second one through my testing SA system: it got hits from
> several blacklists together with hits on RDNS_NONE and
> UNPARSEABLE_RELAY:

I have RDNS_NONE 0, and UNPARSEABLE_RELAY 2. I understand 0 to mean "don't test", but don't get why it did not flag UNPARSEABLE_RELAY.

>
> RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,
> RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL,
> URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL

I'd love to use RBL but understand I can't, as the "last IP" is always the same, as I fetch all mail from a single POP. Perhaps I am missing something?

> though from the looks of it there's little else in its contents that
> should trigger body rules.
>
> Have you considered greylisting? When my ISP turned it on my mail stream
> immediately changed from 80% spam to 95%+ ham.
>
>> I had once asked about a rule that could specify a domain (to ban) in an html link in the message body.
>> I don't recall this being entirely successful.
>>
> You can try using the setup I developed to deal with a spam-ridden
> mailing list that linked to a forum - the forum is trivially easy for
> spammers to dump junk into, so they do. However, building this type of
> SA rule can be like playing whack-a-mole until you start to recognise
> patterns in the URLs/domain names/product names/phrases used and begin
> to use a combination of broadly-matching regexes and meta-rules to get
> an acceptable FP rate.
>
> This rule maintenance tool may help you to build and extend them:
> http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz
>

I'll give it a look.

> Martin

joe a.
Re: score 0 autolearn=ham
On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote:
> >>> On 11/3/2012 at 9:15 PM, "Joseph Acquisto" wrote:
> > Why do these score 0 ?
> >
> > http://pastebin.com/U4zFu8wk
> > http://pastebin.com/MV9KbnbU
>
I ran the second one through my testing SA system: it got hits from several blacklists together with hits on RDNS_NONE and UNPARSEABLE_RELAY:

RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,
RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL,
URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL

though from the looks of it there's little else in its contents that should trigger body rules.

Have you considered greylisting? When my ISP turned it on my mail stream immediately changed from 80% spam to 95%+ ham.

> I had once asked about a rule that could specify a domain (to ban) in an html
> link in the message body.
> I don't recall this being entirely successful.
>
You can try using the setup I developed to deal with a spam-ridden mailing list that linked to a forum - the forum is trivially easy for spammers to dump junk into, so they do. However, building this type of SA rule can be like playing whack-a-mole until you start to recognise patterns in the URLs/domain names/product names/phrases used and begin to use a combination of broadly-matching regexes and meta-rules to get an acceptable FP rate.

This rule maintenance tool may help you to build and extend them:
http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz

Martin
Re: score 0 autolearn=ham
>>> On 11/3/2012 at 9:15 PM, "Joseph Acquisto" wrote:
> Why do these score 0 ?
>
> http://pastebin.com/U4zFu8wk
> http://pastebin.com/MV9KbnbU

Two more this AM. I did not bother posting these, they're virtually identical. Pastebin will expire the evening. Obvious SPAM/Malware.

I had once asked about a rule that could specify a domain (to ban) in an html link in the message body. I don't recall this being entirely successful.

I recall doing some early work, which hit via command line operation (perlish regex checks) but never seemed to work when put in local.cf

joe a.