Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011 07:36:05 Karsten Bräckelmann wrote: On Tue, 2011-08-16 at 01:07 +0930, Rodney Baker wrote: On Tue, 16 Aug 2011 00:48:13 Bowie Bailey wrote: * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// I'm attempting to filter on the modified subject line (which for some reason isn't working - that rule never seems to match and spam never gets moved into the Spam folder, even though I've tested the regex manually). I thought of filtering on the X-Spam-Status header instead, but when I had a look at a message that was marked as Spam (according to the subject line) I found something rather strange... Yes, filtering on the SA X-Spam Status or Level headers is the way to go. After you found and fixed where SA gets called a second time (actually the first time), these won't be harmed and overwritten -- and useful for filtering. Anyway, the secret why the above procmail recipe doesn't work is simply, because procmail uses a rather limited sub-set of REs and its own flavor. It's not PCRE. In particular procmail does not understand {x,y} range quantifiers, but treats that part as a plain string to match. Which doesn't. (Caveat: From memory, not actually looked it up again for verification.) Ah, thankyou. Despite googling for lots of stuff on procmail I've not been able to find a definitive reference for what can and can't be used in a procmail recipe. Maybe I just haven't use the right search terms (or maybe I just haven't understood what I've read). Anyway, thanks for the clarification. 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB 3.0 IMPOTENCE BODY: Impotence cure -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.1050] 2.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS Oh, yeah, these do ring quite some bells... 
;) After you fixed your mail processing chain to not have SA chew twice on the spam -- you should manually train Bayes, feeding it a lot of hand classified spam, and possibly ham. Check your 'sa-learn --dump magic' numbers. The Bayes score of 0.1 is way out of line. Agreed. I do run sa-learn --spam (actually now have it scheduled to run weekly on a folder into which I drop all the non-classified spam messages) and --ham (on a folder with messages that were false-positives). Note though, that a previous site-wide SA filter might use a site-wide user, not the one owning the procmail recipe. Thus Bayes scores might suddenly change once it's run per user. Check the numbers and performance for the user you'll use after fixing the chain issue. You need to fix whatever is causing the message to be scanned twice. OK - that makes sense. Now I'm wondering if there is a global mail config somewhere that is routing the message through SA, and then my local .procmailrc is doing it again. Time to go digging... Site-wide /etc/procmailrc, SMTP server milter, transport or similar, or even something like Amavis in the chain? There is no /etc/procmailrc, no milter that I'm aware of, running fetchmail/sendmail/dovecot. This machine doubles as my home mail server/file server and desktop machine. The only reason I'm running IMAP is so that I can access the same mail from my laptop or netbook when I need to (and I used to run squirrelmail to allow access remotely via https webmail, but not any more). That then leaves the question as to why my procmail recipe isn't triggering on the rewritten subject, but that is probably not for this list. It's sufficiently related. ;) See above. Thanks again. :-) -- == Rodney Baker rod...@jeremiah31-10.net web: www.jeremiah31-10.net ==
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011 05:02:20 John Hardin wrote:
> On Tue, 16 Aug 2011, Rodney Baker wrote:
> > :0fw: spamassassin.lock
> > | spamc
>
> Just as a test, if you comment that bit out of your personal .procmailrc does everything work the way you'd expect (i.e. one SA pass, the correct score in the X- headers)?

Yep, that was the first thing that I did. Somehow spamassassin is still checking the messages, even though they're not being piped through spamc via procmail. I'm sure that fetchmail isn't doing it, so that leaves sendmail, dovecot or kmail. So begins the process of elimination (or maybe I just leave it out of procmailrc and be done with it...).

Thanks,
Rodney.

--
== Rodney Baker rod...@jeremiah31-10.net web: www.jeremiah31-10.net ==
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On 8/16/2011 8:55 AM, Rodney Baker wrote:
> On Tue, 16 Aug 2011 07:36:05 Karsten Bräckelmann wrote:
> > After you fixed your mail processing chain to not have SA chew twice on the spam -- you should manually train Bayes, feeding it a lot of hand classified spam, and possibly ham. Check your 'sa-learn --dump magic' numbers. The Bayes score of 0.1 is way out of line.
>
> Agreed. I do run sa-learn --spam (actually now have it scheduled to run weekly on a folder into which I drop all the non-classified spam messages) and --ham (on a folder with messages that were false-positives).

When you are trying to fix a Bayes problem, it can be useful to feed it as much as possible. Put *all* your ham and *all* your spam (properly classified or not) into those folders and let Bayes learn from it.

--
Bowie
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 2011-08-16 at 22:29 +0930, Rodney Baker wrote:
> On Tue, 16 Aug 2011 05:02:20 John Hardin wrote:
> > Just as a test, if you comment that bit out of your personal .procmailrc does everything work the way you'd expect (i.e. one SA pass, the correct score in the X- headers)?
>
> Yep, that was the first thing that I did. Somehow spamassassin is still checking the messages, even though they're not being piped through spamc via procmail. I'm sure that fetchmail isn't doing it, so that leaves sendmail, dovecot or kmail. So begins the process of elimination (or maybe I just leave it out of procmailrc and be done with it...).

If you don't use Delivery Control Options with fetchmail (see that section in the man pages) like an explicit MDA or SMTP, this should not be where SA gets invoked. You don't, do you? The default is to pass it on to port 25, which should just be your Sendmail.

A site-wide procmail configuration doesn't exist, as you mentioned in another reply to this thread.

Dovecot will not filter messages. It's an IMAP server that serves what has been delivered already. The dovecot MDA could, but you seem to use procmail for direct delivery into the Maildir store. Another one to rule out.

Kmail as an MUA must not modify delivered mail (and doesn't), so while it could call SA again, you won't see SA headers.

Both Dovecot and Kmail are after the procmail recipe you initially showed anyway, so there's no chance they could cause the matching issues you reported.

Leaves us with Sendmail in the chain to dig further... After all, procmail already sees SA headers, without a filter. What you're hunting for is before procmail in the chain.

Regarding leaving it out of procmail and being done with it -- maybe. This is likely to bite later, though. If it is before procmail, odds are it's using a site-wide user. Which implies Bayes training has to be done as that user, not the recipient...
-- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Inconsistent spam scores between spam headers and rewritten subject line.
Hi all.

I'm running spamassassin 3.3.1 on my openSuse 11.2 box at home. Mail is collected from multiple ISP mail accounts via fetchmail and delivered to local IMAP mail folders via procmail. My user account .procmailrc file begins thus:

    LOGFILE=$HOME/pm.log

    :0fw: spamassassin.lock
    | spamc

    :0
    * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).*
    $HOME/Maildir/.Spam//

I'm attempting to filter on the modified subject line (which for some reason isn't working - that rule never seems to match and spam never gets moved into the Spam folder, even though I've tested the regex manually). I thought of filtering on the X-Spam-Status header instead, but when I had a look at a message that was marked as Spam (according to the subject line) I found something rather strange...

    X-Virus-Flag: no
    X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
        my.local.mailhost.name.removed
    X-Spam-Level: *
    X-Spam-Status: No, score=1.5 required=6.5 tests=BAYES_00,IMPOTENCE,NO_RELAYS
        autolearn=no version=3.3.1
    X-Spam-Virus: No
    Received: from localhost by my.local.mailhost.name.removed
        with SpamAssassin (version 3.3.1);
        Mon, 15 Aug 2011 18:58:01 +0930
    From: Adele Key spam.address.removed
    To: another.u...@iinet.net.au
    Subject: SPAM(10.1) spam-subject-removed
    Date: Mon, 15 Aug 2011 18:12:48 +0900
    Message-Id: 165971112.54106003786840@spamdomain.removed
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary=--=_4E48E6A1.127A41A2
    X-Length: 7330
    X-UID: 83487
    X-KMail-Filtered: 61220
    Status: R
    X-Status: N
    X-KMail-EncryptionState:
    X-KMail-SignatureState:
    X-KMail-MDN-Sent:

    Spam detection software, running on the system
    my.local.mailhost.name.removed, has identified this incoming email as
    possible spam. The original message has been attached to this so you
    can view it (if it isn't spam) or label similar future email. If you
    have any questions, see postmaster for details.

    Content preview: [...]

    Content analysis details: (10.1 points, 6.5 required)

     pts rule name              description
    ---- ---------------------- ------------------------------------------
     3.8 KB_DATE_CONTAINS_TAB   KB_DATE_CONTAINS_TAB
     3.0 IMPOTENCE              BODY: Impotence cure
    -0.0 BAYES_20               BODY: Bayes spam probability is 5 to 20%
                                [score: 0.1050]
     2.0 KB_FAKED_THE_BAT       KB_FAKED_THE_BAT
     1.2 RDNS_NONE              Delivered to internal network by a host with no rDNS

I don't get it - the content analysis shows a score of 10.1, the modified subject line shows 10.1, but the X-Spam-Status header shows 1.5! What have I messed up in my configuration?

My /etc/mail/spamassassin/local.cf looks like this:

    # Add your own customisations to this file. See 'man Mail::SpamAssassin::Conf'
    # for details of what can be tweaked.
    #
    # do not change the subject
    # to change the subject, e.g. use
    # rewrite_header Subject SPAM(_SCORE_)
    rewrite_header subject SPAM(_SCORE_)

    # Set the score required before a mail is considered spam.
    # required_score 5.00

    # uncomment, if you do not want spamassassin to create a new message
    # in case of detecting spam
    # report_safe 0

    # Enhance the uridnsbl_skip_domain list with some usefull entries
    # Do not block the web-sites of Novell and SUSE
    ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
    uridnsbl_skip_domain suse.de opensuse.org suse.com suse.org
    uridnsbl_skip_domain novell.com novell.org novell.ru novell.de novell.hu novell.co.uk
    uridnsbl_skip_domain kernel.org
    endif # Mail::SpamAssassin::Plugin::URIDNSBL

    # Everything above this line is as per the installed openSuSE default

    ok_languages en

    #The combination of SpamAssassin + The Bat! as mail client can cause false positives.
    #The reason for the high spam rating is the Reply-To header inserted by mailman,
    #which seems to have more quoting than The Bat! can do.
    #If you have such problem activate the next two lines
    #header IS_MAILMAN exists:X-Mailman-Version
    #score IS_MAILMAN -2

    required_score 6.5
    whitelist_from multiple mailing daemon addresses [...]
    use_bayes 1
    report_header 1
    fold_headers 1
    report_safe 2

Thanks in advance.
Rodney.
-- == Rodney Baker rod...@jeremiah31-10.net web: www.jeremiah31-10.net ==
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On 8/15/2011 10:57 AM, Rodney Baker wrote: Hi all. I'm running spamassassin 3.3.1 on my openSuse 11.2 box at home. Mail is collected from multiple ISP mail accounts via fetchmail and delivered to local IMAP mail folders via procmail. My user account .procmailrc file begins thus: LOGFILE=$HOME/pm.log :0fw: spamassassin.lock | spamc :0 * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// I'm attempting to filter on the modified subject line (which for some reason isn't working - that rule never seems to match and spam never gets moved into the Spam folder, even though I've tested the regex manually). I thought of filtering on the X-Spam-Status header instead, but when I had a look at a message that was marked as Spam (according to the subject line) I found something rather strange... X-Virus-Flag: no X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on my.local.mailhost.name.removed X-Spam-Level: * X-Spam-Status: No, score=1.5 required=6.5 tests=BAYES_00,IMPOTENCE,NO_RELAYS autolearn=no version=3.3.1 X-Spam-Virus: No Received: from localhost by my.local.mailhost.name.removed with SpamAssassin (version 3.3.1); Mon, 15 Aug 2011 18:58:01 +0930 From: Adele Key spam.address.removed To: another.u...@iinet.net.au Subject: SPAM(10.1) spam-subject-removed Date: Mon, 15 Aug 2011 18:12:48 +0900 Message-Id: 165971112.54106003786840@spamdomain.removed MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--=_4E48E6A1.127A41A2 X-Length: 7330 X-UID: 83487 X-KMail-Filtered: 61220 Status: R X-Status: N X-KMail-EncryptionState: X-KMail-SignatureState: X-KMail-MDN-Sent: Spam detection software, running on the system my.local.mailhost.name.removed, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see postmaster for details. Content preview: [...] 
Content analysis details: (10.1 points, 6.5 required) pts rule name description -- -- 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB 3.0 IMPOTENCE BODY: Impotence cure -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.1050] 2.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS I don't get it - the content analysis shows a score of 10.1, the modified subject line shows 10.1, but the X-Spam-Status header shows 1.5! What have I messed up in my configuration? This message is going through SA twice. The first time, it is marked as spam and the message is re-written per your report_safe setting. This generates the analysis shown in the body itself. The second time, the re-written message is scanned by SA. This time, all of the incriminating stuff has been hidden by the rewrite, so it is not marked as spam. This is the analysis shown in the header. You need to fix whatever is causing the message to be scanned twice. -- Bowie
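The symptom described in the reply above can be checked mechanically: with the poster's rewrite_header subject SPAM(_SCORE_) and report_safe settings, the pass that wrapped the message leaves its score in the Subject tag and the report body, while X-Spam-Status belongs to whichever pass ran last. The Python below is an added example, not code from anyone in this thread; the sample message is constructed from the headers quoted above, and the hostnames and addresses in it are placeholders.

```python
import re
from email import message_from_string

# X-Spam-Status as SpamAssassin writes it: "Yes|No, score=N required=N ..."
STATUS_RE = re.compile(r"^(Yes|No),\s+score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")
# Subject tag produced by the thread's "rewrite_header subject SPAM(_SCORE_)"
SUBJECT_RE = re.compile(r"SPAM\((-?\d+(?:\.\d+)?)\)")
# Summary line of the report that report_safe puts in the wrapper body
REPORT_RE = re.compile(r"Content analysis details:\s+\((-?\d+(?:\.\d+)?) points,")
# Received line SpamAssassin adds when it wraps a message (report_safe 1 or 2)
WRAP_RE = re.compile(r"\bwith SpamAssassin\b")

# Constructed sample: the inconsistent message from the thread, placeholders for hosts.
SAMPLE = """\
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mailhost.example
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=6.5 tests=BAYES_00,IMPOTENCE,NO_RELAYS
\tautolearn=no version=3.3.1
Received: from localhost by mailhost.example
\twith SpamAssassin (version 3.3.1);
\tMon, 15 Aug 2011 18:58:01 +0930
From: sender@spam.example
To: user@example.net
Subject: SPAM(10.1) subject removed
MIME-Version: 1.0
Content-Type: text/plain

Spam detection software, running on the system mailhost.example, has
identified this incoming email as possible spam.

Content analysis details:   (10.1 points, 6.5 required)
"""
# Constructed: the same message as a single pass would have left it.
CLEAN = SAMPLE.replace("No, score=1.5", "Yes, score=10.1")
# Constructed: a message no filter has touched.
UNSCANNED = "From: a@example.net\nSubject: hello\n\nbody\n"


def _unfold(value):
    """Collapse header folding (CRLF + whitespace) into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def _plain_text(msg):
    """Concatenate every text/plain part; the SA report is one of them."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def diagnose(raw):
    """Compare the header verdict with the score embedded by the wrapping pass."""
    msg = message_from_string(raw)
    status = STATUS_RE.match(_unfold(msg.get("X-Spam-Status")))
    header_spam = status.group(1) == "Yes" if status else None
    header_score = float(status.group(2)) if status else None

    report = REPORT_RE.search(_plain_text(msg))
    subject = SUBJECT_RE.search(_unfold(msg.get("Subject")))
    # Prefer the report body; fall back to the Subject tag.
    embedded = float((report or subject).group(1)) if (report or subject) else None
    wrapped = any(WRAP_RE.search(_unfold(r)) for r in msg.get_all("Received", []))

    findings = []
    if status is None:
        findings.append("no X-Spam-Status header: not scanned before this point")
    else:
        if embedded is not None and abs(embedded - header_score) > 0.05:
            findings.append(f"embedded score {embedded} != header score {header_score}")
        if wrapped and not header_spam:
            findings.append("SpamAssassin report wrapper present, but header verdict is No")
    return {"header_score": header_score, "embedded_score": embedded,
            "wrapped": wrapped, "double_scan": bool(status and findings),
            "findings": findings}


if __name__ == "__main__":
    for name, raw in (("thread sample", SAMPLE), ("single pass", CLEAN),
                      ("unscanned", UNSCANNED)):
        print(name, diagnose(raw))
```

Run against a message saved from the Maildir, a double_scan result of True means a filter earlier in the delivery chain than the .procmailrc recipe already wrapped the message.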
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011 00:48:13 Bowie Bailey wrote: On 8/15/2011 10:57 AM, Rodney Baker wrote: Hi all. I'm running spamassassin 3.3.1 on my openSuse 11.2 box at home. Mail is collected from multiple ISP mail accounts via fetchmail and delivered to local IMAP mail folders via procmail. My user account .procmailrc file begins thus: LOGFILE=$HOME/pm.log :0fw: spamassassin.lock : | spamc : :0 * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// I'm attempting to filter on the modified subject line (which for some reason isn't working - that rule never seems to match and spam never gets moved into the Spam folder, even though I've tested the regex manually). I thought of filtering on the X-Spam-Status header instead, but when I had a look at a message that was marked as Spam (according to the subject line) I found something rather strange... X-Virus-Flag: no X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on my.local.mailhost.name.removed X-Spam-Level: * X-Spam-Status: No, score=1.5 required=6.5 tests=BAYES_00,IMPOTENCE,NO_RELAYS autolearn=no version=3.3.1 X-Spam-Virus: No Received: from localhost by my.local.mailhost.name.removed with SpamAssassin (version 3.3.1); Mon, 15 Aug 2011 18:58:01 +0930 From: Adele Key spam.address.removed To: another.u...@iinet.net.au Subject: SPAM(10.1) spam-subject-removed Date: Mon, 15 Aug 2011 18:12:48 +0900 Message-Id: 165971112.54106003786840@spamdomain.removed MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--=_4E48E6A1.127A41A2 X-Length: 7330 X-UID: 83487 X-KMail-Filtered: 61220 Status: R X-Status: N X-KMail-EncryptionState: X-KMail-SignatureState: X-KMail-MDN-Sent: Spam detection software, running on the system my.local.mailhost.name.removed, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see postmaster for details. Content preview: [...] 
Content analysis details: (10.1 points, 6.5 required) pts rule name description -- -- 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB 3.0 IMPOTENCE BODY: Impotence cure -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.1050] 2.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS I don't get it - the content analysis shows a score of 10.1, the modified subject line shows 10.1, but the X-Spam-Status header shows 1.5! What have I messed up in my configuration? This message is going through SA twice. The first time, it is marked as spam and the message is re-written per your report_safe setting. This generates the analysis shown in the body itself. The second time, the re-written message is scanned by SA. This time, all of the incriminating stuff has been hidden by the rewrite, so it is not marked as spam. This is the analysis shown in the header. You need to fix whatever is causing the message to be scanned twice. OK - that makes sense. Now I'm wondering if there is a global mail config somewhere that is routing the message through SA, and then my local .procmailrc is doing it again. Time to go digging... That then leaves the question as to why my procmail recipe isn't triggering on the rewritten subject, but that is probably not for this list. Thanks for the pointer. Rodney. -- == Rodney Baker rod...@jeremiah31-10.net web: www.jeremiah31-10.net ==
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Mon, 15 Aug 2011 11:18:13 -0400, Bowie Bailey wrote:
> On 8/15/2011 10:57 AM, Rodney Baker wrote:

snip

> > :0
> > * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).*
> > $HOME/Maildir/.Spam//

snip

> This message is going through SA twice.

Indeed. And by the way, for what it is worth, my .procmailrc says (inter alia)

    :0:
    * ^X-Spam-Status: Yes
    # The trailing slashdot means do it as MH
    # instead of MBOX (the default)
    junk/.
    # Otherwise it falls through

May I suggest that that's rather simpler than the regex which you are using?

In addition, should I in the future decide for some reason to change or revoke the subject rewriting, I won't need to change .procmailrc.
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011 01:15:11 Walter Hurry wrote:
> On Mon, 15 Aug 2011 11:18:13 -0400, Bowie Bailey wrote:
> > On 8/15/2011 10:57 AM, Rodney Baker wrote:
>
> snip
>
> > > :0
> > > * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).*
> > > $HOME/Maildir/.Spam//
>
> snip
>
> > This message is going through SA twice.
>
> Indeed. And by the way, for what it is worth, my .procmailrc says (inter alia)
>
>     :0:
>     * ^X-Spam-Status: Yes
>     # The trailing slashdot means do it as MH
>     # instead of MBOX (the default)
>     junk/.
>     # Otherwise it falls through
>
> May I suggest that that's rather simpler than the regex which you are using?

Of course, and that's what I wanted to do, except that if you have a look at my X-Spam-Status header it says No, which is the opposite of what I expect for a message marked as spam (apparently due, as already suggested, to spamassassin processing the message twice).

> In addition, should I in the future decide for some reason to change or revoke the subject rewriting, I won't need to change .procmailrc.

Of course, if I can just get the message flagged as Spam in the headers, I'll be able to do the same. ;-)

--
== Rodney Baker rod...@jeremiah31-10.net web: www.jeremiah31-10.net ==
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 16 Aug 2011, Rodney Baker wrote:
> :0fw: spamassassin.lock
> | spamc

Just as a test, if you comment that bit out of your personal .procmailrc does everything work the way you'd expect (i.e. one SA pass, the correct score in the X- headers)?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...for a nation to tax itself into prosperity is like a man standing in a bucket and trying to lift himself up by the handle. -- Winston Churchill
---
Today: the 66th anniversary of the end of World War II
Re: Inconsistent spam scores between spam headers and rewritten subject line.
On Tue, 2011-08-16 at 01:07 +0930, Rodney Baker wrote: On Tue, 16 Aug 2011 00:48:13 Bowie Bailey wrote: * ^Subject.*SPAM\([0-9]{1,3}\.[0-9]\).* $HOME/Maildir/.Spam// I'm attempting to filter on the modified subject line (which for some reason isn't working - that rule never seems to match and spam never gets moved into the Spam folder, even though I've tested the regex manually). I thought of filtering on the X-Spam-Status header instead, but when I had a look at a message that was marked as Spam (according to the subject line) I found something rather strange... Yes, filtering on the SA X-Spam Status or Level headers is the way to go. After you found and fixed where SA gets called a second time (actually the first time), these won't be harmed and overwritten -- and useful for filtering. Anyway, the secret why the above procmail recipe doesn't work is simply, because procmail uses a rather limited sub-set of REs and its own flavor. It's not PCRE. In particular procmail does not understand {x,y} range quantifiers, but treats that part as a plain string to match. Which doesn't. (Caveat: From memory, not actually looked it up again for verification.) 3.8 KB_DATE_CONTAINS_TAB KB_DATE_CONTAINS_TAB 3.0 IMPOTENCE BODY: Impotence cure -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.1050] 2.0 KB_FAKED_THE_BAT KB_FAKED_THE_BAT 1.2 RDNS_NONE Delivered to internal network by a host with no rDNS Oh, yeah, these do ring quite some bells... ;) After you fixed your mail processing chain to not have SA chew twice on the spam -- you should manually train Bayes, feeding it a lot of hand classified spam, and possibly ham. Check your 'sa-learn --dump magic' numbers. The Bayes score of 0.1 is way out of line. Note though, that a previous site-wide SA filter might use a site-wide user, not the one owning the procmail recipe. Thus Bayes scores might suddenly change once it's run per user. 
Check the numbers and performance for the user you'll use after fixing the chain issue. You need to fix whatever is causing the message to be scanned twice. OK - that makes sense. Now I'm wondering if there is a global mail config somewhere that is routing the message through SA, and then my local .procmailrc is doing it again. Time to go digging... Site-wide /etc/procmailrc, SMTP server milter, transport or similar, or even something like Amavis in the chain? That then leaves the question as to why my procmail recipe isn't triggering on the rewritten subject, but that is probably not for this list. It's sufficiently related. ;) See above. -- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
***SPAM-MEDIUM*** Re: ***SPAM-MEDIUM*** spamassassisn 3.3.x and message size setting lower
Huh, sorry, of course, 100kB :)
I tried that as an argument in the master.cf, but I placed it wrong - postfix server misconfiguration. So I wasn't sure and asked here. Now all's all right.

master.cf:

    spamassassin unix - n n - - pipe
      user=mail argv=/usr/bin/spamc -s 10 -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Thank you for kicking to the right way.
Best regards
J.K.

Quoting RW rwmailli...@googlemail.com:

> On Fri, 01 Apr 2011 12:48:14 +0200 Josef Karliak karl...@ajetaci.cz wrote:
> > hi guys,
> > is it possible to decrease a message size from 51200 bytes to 10kB ? In the local.cf file or in the postfix's master.cf ?
>
> I presume you mean from 512kB to 100kB
>
> If you are using spamd with spamc, the maximum message size is set as either as an argument to spamc or in spamc.conf. Spamc has the default of 512k so probably that's where the cutoff is currently applied.

--
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP) policy and check. If you've problem with sending emails to me, start using email origin methods mentioned above. Thank you.
Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wed, 24 Feb 2010 12:41:29 +0100 Per Jessen p...@computer.org wrote: Christian Brel wrote: On Wed, 24 Feb 2010 11:39:43 +0100 Rob Sterenborg r.sterenb...@netsourcing.nl wrote: On 2010-02-24, Kai Schaetzl wrote: Postfix: I would have two different smtpd daemons - one for You don't have to run two postfixes for this. I think Per means: 2 smtpd processes, not 2 Postfixes.. -- Rob Humour me. Does this not mean a need to change the outbound to either a different IP or port? IP yes. I assume your external and internal network are on different IP-ranges. What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS. It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation. I'm also thinking about those forwarding services out there - does the two SMTPd approach not break this in the same way SPF would break if the forwarder was not permitted to send?
Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wed, 24 Feb 2010 13:38:55 +0200 Henrik K h...@hege.li wrote: On Wed, Feb 24, 2010 at 11:30:25AM +, Christian Brel wrote: On Wed, 24 Feb 2010 11:39:43 +0100 Rob Sterenborg r.sterenb...@netsourcing.nl wrote: On 2010-02-24, Kai Schaetzl wrote: Postfix: I would have two different smtpd daemons - one for You don't have to run two postfixes for this. I think Per means: 2 smtpd processes, not 2 Postfixes.. -- Rob Humour me. Please stop humouring our resident troll. That would be you then as your post has no purpose other than to inflame. Kinda reminds me of that old saying 'takes one to know one.'
Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wednesday, 24 of February 2010, Christian Brel wrote:
> > IP yes. I assume your external and internal network are on different IP-ranges.
>
> What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS.

They should be using submission service on port 587 and authenticate themselves, for example with smtp-auth. (of course you can still authenticate them and let them send on port 25 - it's perfectly possible from technical point of view; because you authenticate your clients, right?).

> I'm also thinking about those forwarding services out there - does the two SMTPd approach not break this in the same way SPF would break if the forwarder was not permitted to send?

In case of forwarding the envelope address is that of the original sender, not that of the receiver. You have email from addre...@domain1.com to addre...@domain2.com. MX for domain2.com tries to forward the mail to addre...@domain3.com, so it sends mail from addre...@domain1.com to addre...@domain3.com. Domain3.com checks SPF records and sees that domain2.com is not permitted to send mails for domain1.com, so it refuses to accept such mail.

We were talking about (let's assume we're domain3.com) not letting people from outside world send mail from domain3.com.

--
Kruk@ -\ | }- epsilon.eu.org | http:// -/ | |
Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
Christian Brel wrote: Humour me. Does this not mean a need to change the outbound to either a different IP or port? IP yes. I assume your external and internal network are on different IP-ranges. What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS. Then presumably they submit email via port 587 after appropriate authentication. Then you just add that requirement - can't remember what the exact postfix option is. I have people working from home-offices too, that's how they are set up. It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation. I think it actually is. Allow mynetworks, allow authenticated users, reject everything else. I'm also thinking about those forwarding services out there - does the two SMTPd approach not break this in the same way SPF would break if the forwarder was not permitted to send? I can't quite follow you - there's is no forwarding involved AFAICS? /Per Jessen, Zürich
Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wed, 24 Feb 2010 14:37:49 +0100 Per Jessen p...@computer.org wrote: Christian Brel wrote: Humour me. Does this not mean a need to change the outbound to either a different IP or port? IP yes. I assume your external and internal network are on different IP-ranges. What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS. Then presumably they submit email via port 587 after appropriate authentication. No, they submit on 25 using TLS+SASL. Would making the changes to Firewall, MTA, plus potentially thosands of clients be easier than SPF? Would all those angry users screaming because they can't send mail at all be a good thing? I don't think so myself. It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation. I think it actually is. Allow mynetworks, allow authenticated users, reject everything else. But that would reject *everything* that was not authenticated or in 'my networks'. For a single IP/Port listening to the world this does not work. It requires multiple SMTP instances with different IP's or Ports which may not suit the needs of the admin and the users concerned. Tell you what, wouldn't it be a great idea to save all the messing around and use something universal and simple for the job? Something lightweight and easy to deploy. I know! What about using SPF! /Per Jessen, Zürich Of course, all this has very little to do with Spamassassin..
Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
On Wednesday, 24 of February 2010, Christian Brel wrote:
> No, they submit on 25 using TLS+SASL. Would making the changes to Firewall, MTA, plus potentially thousands of clients be easier than SPF? Would all those angry users screaming because they can't send mail at all be a good thing? I don't think so myself.

Well, you _should_ use submission anyway. (BTW, in my experience it's easier to filter one kind of traffic on 25, and another on 587 than filtering both on one port. YMMV)

> > > It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation.
> >
> > I think it actually is. Allow mynetworks, allow authenticated users, reject everything else.
>
> But that would reject *everything* that was not authenticated or in 'my networks'. For a single IP/Port listening to the world this does not work. It requires multiple SMTP instances with different IP's or Ports which may not suit the needs of the admin and the users concerned.

It doesn't. permit mynetworks/sasl_authenticated/whatever, reject my_domains, permit my_destination, reject_everything_else. Of course you may add other restrictions in this chain.

--
\.\.\.\.\.\.\.\.\.\.\.\.\.\
.\.k...@epsilon.eu.org.\.\.
\.http://epsilon.eu.org/\.\
.\.\.\.\.\.\.\.\.\.\.\.\.\.
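The ordered chain named in the reply above is evaluated first match wins, which is why a single listener on port 25 can serve authenticated home workers and the outside world at once. The Python below is an added example that models that evaluation; it is not Postfix configuration and not code from anyone in this thread. The rule labels copy the wording of the reply rather than real Postfix parameter names, and every address, domain and network in it is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumptions for the model: one office network and one local domain.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
MY_DOMAINS = {"domain3.example"}


@dataclass(frozen=True)
class Session:
    client_ip: str             # address of the connecting SMTP client
    sasl_user: Optional[str]   # None when the client did not authenticate
    mail_from: str             # envelope sender
    rcpt_to: str               # envelope recipient


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def _in_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return any(ip in net for net in MYNETWORKS)


# (label, predicate, action) in the order given in the reply.
CHAIN = [
    ("permit mynetworks", _in_mynetworks, "permit"),
    ("permit sasl_authenticated", lambda s: s.sasl_user is not None, "permit"),
    ("reject my_domains", lambda s: _domain(s.mail_from) in MY_DOMAINS, "reject"),
    ("permit my_destination", lambda s: _domain(s.rcpt_to) in MY_DOMAINS, "permit"),
    ("reject_everything_else", lambda s: True, "reject"),
]

# The same rules with the sender check moved to the front: the ordering mistake
# that would produce the "rejects everything" outcome feared in the quoted text.
MISORDERED = [CHAIN[2], CHAIN[0], CHAIN[1], CHAIN[3], CHAIN[4]]

# Constructed sessions, all arriving on the same listener.
CASES = {
    "home worker, TLS+SASL on port 25":
        Session("203.0.113.50", "alice", "alice@domain3.example", "bob@domain1.example"),
    "office host, no auth":
        Session("192.0.2.10", None, "carol@domain3.example", "bob@domain1.example"),
    "outside host forging a local sender":
        Session("198.51.100.7", None, "carol@domain3.example", "dave@domain3.example"),
    "outside host, normal inbound mail":
        Session("198.51.100.7", None, "bob@domain1.example", "dave@domain3.example"),
    "outside host, relay attempt":
        Session("198.51.100.7", None, "bob@domain1.example", "eve@domain2.example"),
    # A forwarder keeps the original envelope sender, so local mail that comes
    # back through one is indistinguishable from the forgery case above.
    "forwarder returning mail from a local sender":
        Session("198.51.100.25", None, "carol@domain3.example", "dave@domain3.example"),
}


def evaluate(session, chain=CHAIN):
    """Return (action, label) of the first rule whose predicate matches."""
    for label, matches, action in chain:
        if matches(session):
            return action, label
    return "reject", "no rule matched"


def run(chain=CHAIN):
    return {name: evaluate(session, chain) for name, session in CASES.items()}


if __name__ == "__main__":
    for name, (action, label) in run().items():
        print(f"{action:7} {label:27} <- {name}")
```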
Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster
Christian Brel wrote:

> On Wed, 24 Feb 2010 14:37:49 +0100 Per Jessen p...@computer.org wrote:
>>> Christian Brel wrote:
>>> Humour me. Does this not mean a need to change the outbound to either a different IP or port?
>> IP yes. I assume your external and internal network are on different IP-ranges.
>>> What about my home workers? I don't have a VPN, they hook in by DSL from any number of different providers from outside using SASL/TLS.
>> Then presumably they submit email via port 587 after appropriate authentication.
> No, they submit on 25 using TLS+SASL. Would making the changes to Firewall, MTA, plus potentially thousands of clients be easier than SPF? Would all those angry users screaming because they can't send mail at all be a good thing? I don't think so myself.

Then keep them on port 25, it's no big deal as long as they are authenticated.

>>> It's like you say, you were thinking out loud and I can see where you are coming from, but it's not a fix for every situation.
>> I think it actually is. Allow mynetworks, allow authenticated users, reject everything else.
> But that would reject *everything* that was not authenticated or in 'my networks'.

No. See Mariusz' explanation.

> Tell you what, wouldn't it be a great idea to save all the messing around and use something universal and simple for the job? Something lightweight and easy to deploy. I know! What about using SPF!

Christian, I suspect we don't have quite the same understanding of what 'easy' means.

/Per Jessen, Zürich
Re: [SPAM:9.6] Smut spam
On Fri, 29 Jan 2010 11:09:49 -0500 Robert Fitzpatrick li...@webtent.net wrote: Could I get someone to run an example of smut spam I cannot seem to block in SA 3.2.5? This is a typical message that has been hammering one or two customers and despite learning many of these messages with bayes, still they continue... http://mx1.webtent.net/test.msg I am using Sanesecurity as well as the saupdates. --Robert Do the links always point to: globalnamesgroup.com or do they vary?
Re: [SPAM:9.6] Smut spam
On Fri, 2010-01-29 at 16:19 +, Christian Brel wrote: On Fri, 29 Jan 2010 11:09:49 -0500 Robert Fitzpatrick li...@webtent.net wrote: Could I get someone to run an example of smut spam I cannot seem to block in SA 3.2.5? This is a typical message that has been hammering one or two customers and despite learning many of these messages with bayes, still they continue... http://mx1.webtent.net/test.msg I am using Sanesecurity as well as the saupdates. --Robert Do the links always point to: globalnamesgroup.com or do they vary? All different, even the content, here is another example... http://mx1.webtent.net/test2.msg
Re: [SPAM:9.6] Smut spam
Robert Fitzpatrick wrote: On Fri, 2010-01-29 at 16:19 +, Christian Brel wrote: On Fri, 29 Jan 2010 11:09:49 -0500 Robert Fitzpatrick li...@webtent.net wrote: Could I get someone to run an example of smut spam I cannot seem to block in SA 3.2.5? This is a typical message that has been hammering one or two customers and despite learning many of these messages with bayes, still they continue... http://mx1.webtent.net/test.msg I am using Sanesecurity as well as the saupdates. --Robert Do the links always point to: globalnamesgroup.com or do they vary? All different, even the content, here is another example... http://mx1.webtent.net/test2.msg Nothing much hitting on either of those examples here either (the first one now hits uri black but probably didn't at the time you received it). Keep learning them through bayes is about all I can suggest. Are these all from hotmail? The amount of spam emanating from hotmail is getting ridiculous lately. If you're a small server you could possibly penalize all mail from hotmail and then whitelist known good senders for your clients but that's getting a bit extreme.
Re: [SPAM:9.6] Re: [SPAM:9.6] Smut spam
On Fri, 29 Jan 2010 11:28:31 -0500 Robert Fitzpatrick li...@webtent.net wrote:

> On Fri, 2010-01-29 at 16:19 +, Christian Brel wrote:
>> On Fri, 29 Jan 2010 11:09:49 -0500 Robert Fitzpatrick li...@webtent.net wrote:
>>> Could I get someone to run an example of smut spam I cannot seem to block in SA 3.2.5? This is a typical message that has been hammering one or two customers and despite learning many of these messages with bayes, still they continue... http://mx1.webtent.net/test.msg I am using Sanesecurity as well as the saupdates. --Robert
>> Do the links always point to: globalnamesgroup.com or do they vary?
> All different, even the content, here is another example... http://mx1.webtent.net/test2.msg

About the best I can come up with: In both cases the originating IP header leads to a bad/listed IP:

X-Originating-IP: [78.175.50.246]
~ RUNNING REPORT TYPE: single IP 78.175.50.246 ~
78.175.50.246 listed in b.barracudacentral.org.
78.175.50.246 listed in PBL (ISP)

X-Originating-IP: [109.75.193.116]
~ RUNNING REPORT TYPE: single IP 109.75.193.116 ~
109.75.193.116 listed in PBL (SPAMHAUS)
109.75.193.116 listed in dnsbl-2.uceprotect.net.
109.75.193.116 listed in dnsbl-3.uceprotect.net.

BUT! AFAIK SA would not block on these and I guess that is because Hotmail users tend to connect with a web browser from dynamic connections. Therefore blocking them on a dynamic space policy list (PBL) could result in shed loads of FP's. I'm not sure if the RelayCountry module would pick these up. One is in Turkey, the other gives me an Unknown AS number or IP network error (I have an old whois client). This is good spam that defeats SpamAssassin pretty easily as the sender (hotmail) is mostly globally trusted. I agree with the other poster that the amount of Spam from Hotmail is a royal pain in the backside, but this is a spam filter and there needs to be a way to block this kind of stuff.
Perhaps there needs to be some meta rules such as; 'comes from hotmail, has a single link, originating IP is in a Country that is often seen sending spam, lots of broken encoded characters before the HTML section'. But I am to the world of writing rules what Myra Hindley was to child care.
RE: [SPAM:9.6] Re: [SPAM:9.6] Re: semi-legit senders in DNSWL and habeas - a hard problem
From: Christian Brel Sensible folk know people like Return Path will never grow the balls to stand up to eBay, they will just take the money and smile. Christian Brel, are you suggesting that orgs like Return Path buy some body part growth pharma ? ;- - rh
Re: [SPAM:9.6] Re: [SPAM:9.6] Re: semi-legit senders in DNSWL and habeas - a hard problem
On Wed, 06 Jan 2010 14:27:25 +0530 ram r...@netcore.co.in wrote: On Wed, 2010-01-06 at 07:51 +, Christian Brel wrote: On Tue, 5 Jan 2010 14:18:54 -0800 jdow j...@earthlink.net wrote: From: J.D. Falk jdfalk-li...@cybernothing.org Sent: Tuesday, 2010/January/05 12:43 On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote: Once again I went to returnpath and senderscorecertified's web pages, and found no link to an email address to report being spammed by one of their customers. Is the font size for Contact Us and Support too small? I'll forward your report to the appropriate team. J.D., rather than getting snarky it might be a good idea to suggest to your webmaster that a formal Report Abuse link be placed on your front page? I'd not look to support or contact us for reporting abuse, myself. So I can understand Greg's problem. {o.o} I'm jealous, at least you can get a *narky* reply from Return Path. I've been trying for three days http://www.spampig.org.uk/bbs/showthread.php?tid=31 Ebay is definitely a too big spammer. So what if they pay habeas and other accreditation lists Their unsubscribe doesn't work. I had all notifications off still I used to get their mails. I got fed up of their reminders .. even though I have never purchased anything at ebay they keep sending me nonsense The only last resort ... I configured a dummy alias on my server and changed the ebay notification email address to the dummy alias. After activating the dummy .. now I give a std 450 Try later to all mails that come to the dummy. The point is, if you accredit someone as a email professional, and that sender fails to act professionally - it's the accreditation that is brought into question, not the spammy sender. After all, the accreditation is saying - more or less - that the sender is not a spammer and will act professionally when complaints are raised. Just because eBay is a big company does not mean it respects people's choices and behaves appropriately.
However, this is *not* the place for that discussion. It just starts a hissy fit between the 'professional spammers' and those that seek to stop them. Sensible folk know people like Return Path will never grow the balls to stand up to eBay, they will just take the money and smile.
send spam messages to spam folder
Hi! I'm using postfix with mailscanner to integrate spamassassin and clamav, but when spamassassin scores a message as spam the subject of the message is changed to {Spam?} subject and I want to send every message that spamassassin marks directly to the spam folder. PS.: I'm using cyrus-sasl
Re: send spam messages to spam folder
On Wed, 2009-12-02 at 09:06 -0300, Walter Breno wrote:

> I'm using postfix with mailscanner to integrate spamassassin and clamav, but when spamassassin scores a message as spam the subject of the message is changed to {Spam?} subject and I want to send every message that spamassassin marks directly to the spam folder.

It's not up to SA. SA only marks the message. It's MDA (usually procmail) who should act based on that information (for example by putting it into a specific folder).

--
k...@epsilon.eu.org
http://epsilon.eu.org/
Re: send spam messages to spam folder
On 12/2/2009 7:06 AM, Walter Breno wrote:

> Hi! I'm using postfix with mailscanner to integrate spamassassin and clamav, but when spamassassin scores a message as spam the subject of the message is changed to {Spam?} subject and I want to send every message that spamassassin marks directly to the spam folder. PS.: I'm using cyrus-sasl

We use Dovecot as our LDA along with server-side sieve scripts to auto-sort messages that score above N into an IMAP Junk folder.

Client-side, it's generally pretty easy to do something similar. Thunderbird already has a checkbox in Account Options that lets it trust SA headers (under Junk settings). In other mail clients, you're going to have to write a rule that looks for X-Spam-Flag being equal to YES.

(Either way, SA just marks the message with the X-Spam-* headers and leaves the rest of the handling up to the mail server or the email client. So you may need to ask on the Cyrus mailing list as to exactly how to do server-side sorting.)

The sieve script might look something like (it only moves messages where the score is >= 10.0, and avoids the negative sign problem by also checking X-Spam-Flag):

    require ["comparator-i;ascii-numeric", "fileinto", "relational"];

    if allof (
        header :contains "X-Spam-Flag" "YES",
        header :value "ge" :comparator "i;ascii-numeric" ["X-Spam-Score"] ["10"]
    ) {
        fileinto "Junk";
        stop;
    }
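The "negative sign problem" mentioned in the message above comes from how the `i;ascii-numeric` comparator (RFC 4790) reads a value: leading digits are taken as an unsigned integer, and a string that does not start with a digit counts as positive infinity. The following added example, which is not part of the original post, models both header tests in Python over constructed messages; the function names are assumptions.

```python
import re
from email import message_from_string

INFINITY = float("inf")


def ascii_numeric(value: str) -> float:
    """RFC 4790 i;ascii-numeric: leading digits as an unsigned integer.

    A value that does not begin with a digit (for example "-2.5") is
    positive infinity, which is why a negative score passes a "ge 10" test.
    """
    m = re.match(r"[0-9]+", value.strip())
    return int(m.group()) if m else INFINITY


def score_test(msg, threshold: str = "10") -> bool:
    """header :value "ge" :comparator "i;ascii-numeric" X-Spam-Score."""
    limit = ascii_numeric(threshold)
    return any(ascii_numeric(v) >= limit
               for v in msg.get_all("X-Spam-Score", []))


def flag_test(msg) -> bool:
    """header :contains "X-Spam-Flag" "YES" (case-insensitive by default)."""
    return any("YES" in v.upper() for v in msg.get_all("X-Spam-Flag", []))


def destination(raw: str, guarded: bool = True) -> str:
    """Folder chosen by the script; guarded=False drops the flag check."""
    msg = message_from_string(raw)
    hit = score_test(msg) and (flag_test(msg) or not guarded)
    return "Junk" if hit else "INBOX"


def make(score: str, flag: str) -> str:
    """Build a constructed sample message with the two SA headers."""
    return (
        "From: sender@example.com\n"
        "Subject: constructed sample\n"
        f"X-Spam-Flag: {flag}\n"
        f"X-Spam-Score: {score}\n"
        "\n"
        "body\n"
    )


# Constructed samples: (score, flag).
SAMPLES = [("12.3", "YES"), ("10.0", "YES"), ("4.1", "NO"), ("-2.5", "NO")]


def table():
    """(score, folder without flag check, folder with flag check)."""
    return [(s, destination(make(s, f), guarded=False),
             destination(make(s, f), guarded=True)) for s, f in SAMPLES]


if __name__ == "__main__":
    for score, unguarded, guarded in table():
        print(f"score={score:>5}  score-only={unguarded:5}  with-flag={guarded}")
```

With the score test alone, the clearly clean `-2.5` message is filed into Junk; adding the X-Spam-Flag condition keeps it in the inbox.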
Re: Spam or Not Spam :)
On Fri, 2009-02-13 at 19:24 -0800, an anonymous Nabble user wrote:

> I have some mails that I know they are spam but spamassassin gives scores below 5.0 (generally zero) for some of them. I updated the rules, changed the score threshold but spamassassin still sees them as normal emails. Am I missing something or is this normal?

Depends on the amount -- but yes, generally sounds just about right. There *is* spam out there, that basically does not hit any rules other than Bayes and some URI and DNS BLs. Now, as you are post-processing (old?) messages for some stats, it is entirely possible the blacklist listings have expired, as someone explained before. Given the previous discussions and this description, I can only assume you are not using Bayes -- so that won't trigger either.

> I have like 1800 emails but it sees only 5 of them as spam.

Mixed up these numbers, eh? ;)
Spam or Not Spam :)
I have some mails that I know they are spam but spamassassin gives scores below 5.0 (generally zero) for some of them. I updated the rules, changed the score threshold but spamassassin still sees them as normal emails. Am I missing something or is this normal? I have like 1800 emails but it sees only 5 of them as spam. -- View this message in context: http://www.nabble.com/Spam-or-Not-Spam-%3A%29-tp22008849p22008849.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Spam or Not Spam :)
cnone wrote:

> I have some mails that I know they are spam but spamassassin gives scores below 5.0 (generally zero) for some of them. I updated the rules, changed the score threshold but spamassassin still sees them as normal emails. Am I missing something or is this normal? I have like 1800 emails but it sees only 5 of them as spam.

Well, you could start off by training the bayes database to know that they are spam, making use of the sa-learn tool to do so.

    $ man sa-learn

You might also want to make sure none of those messages are matching ALL_TRUSTED. If any do, then you probably need to configure your trusted_networks manually. (The trust-path auto-guesser gets confused if your MX is NATed, or otherwise has a non-routable IP)
Card/Gift/Shopping Spam (or: More Spam Reduction Techniques)
I'm seeing a lot of shopping, gifts, prizes, and cards (ie. credit card, gift card) related spam in the last week or so. (Maybe due to Black Friday?) I'm using Sought, Bayes, and default rules. Is there anything I can do to reduce the amount of spam getting through? I've already knocked the threshold down a little. If it helps, here are some examples: http://dpaste.com/94956/ http://dpaste.com/94957/ http://dpaste.com/94958/ Thanks, Neil.
Re: move spam to IMAP spam folder (amavisd-new,spamassassin,dovecot,postfix,squirrelmail)
Morvan Daniel Müller wrote on 20.11.2007 13:49:

> How I say to postfix to direct subject=[SPAM ] xx (mark by spamassassin) to ~home\mail\SPAM (imap folder) I'm using Mailbox no Maildir. Postfix deliver to /var/mail/$user and Dovecot read from mail_location = mbox:~/mail:INBOX=/var/mail/%u

Procmail can do this, not postfix. Use this entry in postfix' main.cf to let procmail deliver your mail:

    mailbox_command = /usr/bin/procmail -a $USER

Then use a procmail recipe like this to filter spam into imap folders. It does not check the subject line, but simply the standard X-Spam- headers created by Spamassassin:

    # Spam via SpamAssassin
    :0
    * ^X-Spam-Flag:.*YES
    {
        :0
        * ^X-Spam-Status:.*autolearn=no
        {
            :0
            * !^X-Spam-Status:.*BAYES_99
            mail/spam/learn
        }

        :0
        * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
        mail/spam/sure

        :0
        mail/spam/probable
    }

This recipe moves spam that was not autolearned into mail/spam/learn, mail with score=10 into mail/spam/sure and the rest into mail/spam/probable (which is spam with score between 5 and 10). It depends on the X-Spam-Level header as well, you must not disable that header in local.cf. These folders are in the user's home directories, while the main inbox still resides in /var/mail/$USER.

> I need to change my config to use MAILDIR?

Not required for postfix+procmail+dovecot+squirrelmail. This combination is running here very well on a Fedora 7 system and worked since Fedora Core 3 I think.

> How I say to squirrelmail to see the SPAM folder without create one by one in each squirrelmail user profile?

As soon as procmail moves the first spam into one of the imap spam folders, that folder is automatically created. It should then immediately be available in squirrelmail.

Alex
Re: move spam to IMAP spam folder (amavisd-new,spamassassin,dovecot,postfix,squirrelmail)
Thanks Alex, procmail filter works fine!

> As soon as procmail moves the first spam into one of the imap spam folders, that folder is automatically created. It should then immediately be available in squirrelmail

This doesn't work. If I create a spam folder with squirrelmail (options, folders) then it works fine. Squirrel/Imap server have a .imap folder under the spam Folder and at ~MYHOME/mail/.subscriptions a list of the squirrel folders is listed. I will try to find if I can tell to squirrelmail config to create a DEFAULT spam folder in the same way it creates the folders INBOX, Sent, Drafts, ..!

Thanks! Morvan

- Original Message -
From: Alex Woick [EMAIL PROTECTED]
To: Morvan Daniel Müller [EMAIL PROTECTED]; Spamassassin users@spamassassin.apache.org
Sent: Tuesday, November 20, 2007 1:52 PM
Subject: Re: move spam to IMAP spam folder (amavisd-new,spamassassin,dovecot,postfix,squirrelmail)

> Morvan Daniel Müller wrote on 20.11.2007 13:49:
>> How I say to postfix to direct subject=[SPAM ] xx (mark by spamassassin) to ~home\mail\SPAM (imap folder) I'm using Mailbox no Maildir. Postfix deliver to /var/mail/$user and Dovecot read from mail_location = mbox:~/mail:INBOX=/var/mail/%u
> Procmail can do this, not postfix. Use this entry in postfix' main.cf to let procmail deliver your mail:
>
>     mailbox_command = /usr/bin/procmail -a $USER
>
> Then use a procmail recipe like this to filter spam into imap folders. It does not check the subject line, but simply the standard X-Spam- headers created by Spamassassin:
>
>     # Spam via SpamAssassin
>     :0
>     * ^X-Spam-Flag:.*YES
>     {
>         :0
>         * ^X-Spam-Status:.*autolearn=no
>         {
>             :0
>             * !^X-Spam-Status:.*BAYES_99
>             mail/spam/learn
>         }
>
>         :0
>         * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
>         mail/spam/sure
>
>         :0
>         mail/spam/probable
>     }
>
> This recipe moves spam that was not autolearned into mail/spam/learn, mail with score=10 into mail/spam/sure and the rest into mail/spam/probable (which is spam with score between 5 and 10). It depends on the X-Spam-Level header as well, you must not disable that header in local.cf. These folders are in the user's home directories, while the main inbox still resides in /var/mail/$USER.
>> I need to change my config to use MAILDIR?
> Not required for postfix+procmail+dovecot+squirrelmail. This combination is running here very well on a Fedora 7 system and worked since Fedora Core 3 I think.
>> How I say to squirrelmail to see the SPAM folder without create one by one in each squirrelmail user profile?
> As soon as procmail moves the first spam into one of the imap spam folders, that folder is automatically created. It should then immediately be available in squirrelmail.
> Alex
Delivering [Spam] to the .Spam Folder
I am using Spamassassin 3.1.8 which is the most recent available of the 3.1.x series to Gentoo users. Using qmail, vpopmail, and qmail-scanner to invoke spamassassin. I am using verbose spamassassin mode, and am trying to get mails tagged with rewrite_subject [Spam] to be auto-delivered to the Maildir/.Spam folder. The challenge is that I want this to be done site-wide, and for some reason that I cannot tell, this no longer works for me. Meaning that it was working, and I cannot explain why not any longer. Except that on Friday, I needed to remove fprot from the qmail-scanner process. It was throwing some nasty errors on my box, and when I recompiled everything, I've just been getting no love at all. However, one thing that is of interest is that MOST of the [Spam] ends up in the proper place. Some [Spam] slips by. The stuff that slips by is somehow using the /etc/spamassassin/local.cf preferences. All the [Spam] that is properly delivered to Maildir/.Spam is using my /var/vpopmail/domains/%d/%l/.spamassassin/user_prefs file. What would be the cause of two different prefs files in use by the same account? It's the weirdest thing. Qmail-scanner config options: ./configure --spooldir /var/spool/qmailscan --qmaildir /var/qmail --bindir /var/qmail/bin --qmail-queue-binary /var/qmail/bin/qmail-queue --admin postmaster --domain ark --notify psender,nmlvadm --local-domains ark --silent-viruses auto --lang en_GB --debug 1 --unzip 1 --block-password-protected 0 --add-dscr-hdrs 0 --archive 0 --redundant yes --log-details syslog --log-crypto 0 --fix-mime 2 --ignore-eol-check 0 --scanners auto --install 1 Spamd runtime options: -c -d -v -s local4 -q -u vpopmail --virtual-config-dir=/var/vpopmail/domains/%d/%l/.spamassassin/ -H /var/vpopmail Any help would be greatly appreciated, I have lost 3 days looking for an answer but have just exhausted myself trying. Thanks. 
-- View this message in context: http://www.nabble.com/Delivering--Spam--to-the-.Spam-Folder-tf4129345.html#a11742651 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Routing messages marked as [Spam] to Maildir/.Spam
I apologize if this is a duplicate. I posted the original using Nabble, but there was an error message and not sure if it went through or not. Here goes: I am using Qmail-Scanner 1.25 and Spamassassin 3.1.8 which is the most recent available of the 3.1.x series to Gentoo users. Using qmail, vpopmail, and qmail-scanner to invoke spamassassin. I am using verbose spamassassin mode, and am trying to get mails tagged with rewrite_subject [Spam] to be auto-delivered to the Maildir/.Spam folder. The challenge is that I want this to be done site-wide, and for some reason that I cannot tell, this no longer works for me. Meaning that it was working, and I cannot explain why not any longer. Except that on Friday, I needed to remove fprot from the qmail-scanner process. It was throwing some nasty errors on my box, and when I recompiled everything, I've just been getting no love at all. However, one thing that is of interest is that MOST of the [Spam] ends up in the proper place. Some [Spam] slips by. The stuff that slips by is somehow using the /etc/spamassassin/local.cf preferences. All the [Spam] that is properly delivered to Maildir/.Spam is using my /var/vpopmail/domains/%d/%l/.spamassassin/user_prefs file. What would be the cause of two different prefs files in use by the same account? It's the weirdest thing. 
Qmail-scanner config options: ./configure --spooldir /var/spool/qmailscan --qmaildir /var/qmail --bindir /var/qmail/bin --qmail-queue-binary /var/qmail/bin/qmail-queue --admin postmaster --domain ark --notify psender,nmlvadm --local-domains ark --silent-viruses auto --lang en_GB --debug 1 --unzip 1 --block-password-protected 0 --add-dscr-hdrs 0 --archive 0 --redundant yes --log-details syslog --log-crypto 0 --fix-mime 2 --ignore-eol-check 0 --scanners auto --install 1 Spamd runtime options: -c -d -v -s local4 -q -u vpopmail --virtual-config-dir=/var/vpopmail/domains/%d/%l/.spamassassin/ -H /var/vpopmail Any help would be greatly appreciated, I have lost 3 days looking for an answer but have just exhausted myself trying. Thanks.
Solution to Bayes poisoning, high load levels, image spam, and botnet spam
I'm seeing a lot of people saying that bayes isn't working like it used to, that load levels are high, and that they are getting a lot of image and botnet spam. There are a few simple tricks you can do to get rid of 90% of it.

First - use dummy MX records. Real mail retries. Botnet and most spammers don't. It's easier for them to try to spam someone else than to fight your filter. MX config is as follows:

    dummy - 10
    real - 20
    real-backups - 30
    dummy - 40
    dummy - 50
    dummy - 60
    ...

All dummy IP addresses are dead IPs. Port 25 closed. Don't do a 4xx on the lowest numbered IP because QMail is brain dead and won't retry the higher numbered servers. The upper MX can return 4xx if you want to log botnet traffic. This will eliminate 75%-90% of your spam with no false positives just making this change.

Second - use blacklists in a way that blocks the spam, not just score it. If you use the spamhaus list you'll get rid of about 1/3 of what's left.

Then - you just let SA process the rest. What you'll find is that most all botnet spam will be gone, Bayes will start working again. Load levels will drop dramatically.

Another thing - I don't know what everyone else uses but Exim is my MTA and it has the power to be easily configured to do just about anything you can imagine. If you are unhappy with your MTA Exim is what I think is the right choice.

Another solution is to just have me get rid of your spam for you and make the problem go away. If anyone is tired of all this and just wants it done you can email me privately and I'll set you up.
Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam
Marc Perkel wrote:

> I'm seeing a lot of people saying that bayes isn't working like it used to, that load levels are high, and that they are getting a lot of image and botnet spam. There are a few simple tricks you can do to get rid of 90% of it.

56th reinvention of the square wheel. You might wanna search this list's archive for further comments ...

arni
Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam
Marc Perkel wrote:

> I'm seeing a lot of people saying that bayes isn't working like it used to, that load levels are high, and that they are getting a lot of image and botnet spam. There are a few simple tricks you can do to get rid of 90% of it.

ah nice can you tell me how to implant this in SpamAssassin
Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam
> First - use dummy MX records. Real mail retries. Botnet and most spammers don't. It's easier for them to try to spam someone else than to fight your filter. MX config is as follows: dummy - 10 real - 20 real-backups - 30 dummy - 40 dummy - 50 dummy - 60

Currently I have mail.mydomain.com as 10. Can I just change that to 20 and add mail5.mydomain.com as 10 but not have an IP associated with mail5.mydomain.com or will that cause trouble?

Matt
Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam
Matt wrote:

>> First - use dummy MX records. Real mail retries. Botnet and most spammers don't. It's easier for them to try to spam someone else than to fight your filter. MX config is as follows: dummy - 10 real - 20 real-backups - 30 dummy - 40 dummy - 50 dummy - 60
> Currently I have mail.mydomain.com as 10. Can I just change that to 20 and add mail5.mydomain.com as 10 but not have an IP associated with mail5.mydomain.com or will that cause trouble? Matt

Are you sure about this approach? Most of what hits our backup server, listed at a higher MX record, is spam. I was, and am, under the impression that many spambots are set to fire at higher MXs under the assumption that admins might not spend as much time on the anti-spam set-up of these servers.
Re: Solution to Bayes poisoning, high load levels, image spam, and botnet spam
Craig Carriere wrote:

>> Matt wrote:
>>> First - use dummy MX records. Real mail retries. Botnet and most spammers don't. It's easier for them to try to spam someone else than to fight your filter. MX config is as follows: dummy - 10 real - 20 real-backups - 30 dummy - 40 dummy - 50 dummy - 60
>> Currently I have mail.mydomain.com as 10. Can I just change that to 20 and add mail5.mydomain.com as 10 but not have an IP associated with mail5.mydomain.com or will that cause trouble? Matt
> Are you sure about this approach? Most of what hits our backup server, listed at a higher MX record, is spam. I was, and am, under the impression that many spambots are set to fire at higher MXs under the assumption that admins might not spend as much time on the anti-spam set-up of these servers.

Yes - the trick works two ways. If the spambots hit the high server then there's nothing there and they go on. If they hit the lowest numbered server they also get nothing and go on. A real server will hit the lowest number MX and get nothing and then retry and get the second lowest one which is real. The trick relies on the idea that spambots unlike real servers won't walk the MX order looking for the real server. If I were a spammer I would think it easier to move on to the next email address than to try to fight a good spam filter.
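The MX layout and the sender behaviours argued over in this thread, simulated as an added example (not code from any poster). Host names, the three sender strategies and the `give_up_on_4xx` switch are assumptions; the switch models the thread's claim that some MTAs stop at a 4xx from the lowest-numbered MX instead of trying the next one.

```python
from typing import Dict, List, Optional, Tuple

CLOSED, ACCEPT, TEMPFAIL = "closed", "accept", "tempfail-4xx"
MX = Tuple[int, str, str]  # (preference, host name, behaviour on port 25)

# Layout from the original post: dummies below and above the real servers.
DUMMY_LAYOUT: List[MX] = [
    (10, "dummy-a", CLOSED),
    (20, "real", ACCEPT),
    (30, "real-backup", ACCEPT),
    (40, "dummy-b", CLOSED),
    (50, "dummy-c", CLOSED),
    (60, "dummy-d", CLOSED),
]

# Conventional layout, as in the backup-MX observation in the thread.
CONVENTIONAL: List[MX] = [(10, "real", ACCEPT), (20, "real-backup", ACCEPT)]

# Same dummy layout, but the lowest MX answers 4xx instead of being closed.
DUMMY_4XX_LOWEST: List[MX] = [(10, "dummy-a", TEMPFAIL)] + DUMMY_LAYOUT[1:]


def candidates(mx: List[MX], strategy: str) -> List[MX]:
    """Hosts a sender will try, in order, for one delivery attempt."""
    ordered = sorted(mx)  # ascending preference value = most preferred first
    if strategy == "walk-all":      # MTA that walks the whole MX list
        return ordered
    if strategy == "lowest-only":   # bot that tries the primary once
        return ordered[:1]
    if strategy == "highest-only":  # bot that targets the last backup
        return ordered[-1:]
    raise ValueError(f"unknown strategy: {strategy}")


def deliver(mx: List[MX], strategy: str,
            give_up_on_4xx: bool = False) -> Optional[str]:
    """Return the host that accepted the message, or None if nothing did."""
    for _pref, host, behaviour in candidates(mx, strategy):
        if behaviour == ACCEPT:
            return host
        if behaviour == TEMPFAIL and give_up_on_4xx:
            return None  # sender defers here and never reaches the real MX
        # CLOSED, or a 4xx the sender treats like a failed connection:
        # fall through to the next candidate.
    return None


def summary() -> Dict[str, Optional[str]]:
    return {
        "dummy/walk-all": deliver(DUMMY_LAYOUT, "walk-all"),
        "dummy/lowest-only": deliver(DUMMY_LAYOUT, "lowest-only"),
        "dummy/highest-only": deliver(DUMMY_LAYOUT, "highest-only"),
        "conventional/highest-only": deliver(CONVENTIONAL, "highest-only"),
        "4xx-lowest/walk-all": deliver(DUMMY_4XX_LOWEST, "walk-all"),
        "4xx-lowest/gives-up": deliver(DUMMY_4XX_LOWEST, "walk-all", True),
    }


if __name__ == "__main__":
    for case, host in summary().items():
        print(f"{case:28} -> {host or 'not delivered'}")
```

The last row is the case the original post warns about: legitimate mail from a sender that stops at the 4xx is never delivered, so the lowest dummy has to be a closed port.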
[Possible SPAM] Re: [Possible SPAM] Malformed UTF-8 character (unexpectednon-continuation byte 0x00
On Monday 07 May 2007 8:51 pm, Loren Wilton wrote:

>> rule SARE_OBFUMONEY1, line 1. I saw the same thing earlier this weekend but passed it off to possibly something I didn't have configured right.
> No. It's a combination of a perl bug and a change in SA to allow rules in other than the ascii character set. Previous versions of SA had 'use bytes' in the rule processing, so the regexs containing things like /\xA8/i worked fine. Without use bytes, the combination of high bit characters and an uncased regex fall into a perl bug, and at the very least result in this error message. We have to rewrite a fairly large number of the regexes, which ain't trivial to do, as they are large and hard to read. And none of us have managed to get the time to do this since it showed up as a problem. I'm hoping I can make some time in a few days to fix this. Loren

Thanks Loren, I doubt then that this accounts for the strange sa-update run I had this morning which I've posted the cron output here: http://mediasafe.embarq.com/chris1948/Hosted/saupdate0507.tar.bz2

Today's update run had such oddities as:

    [1536] dbg: config: using /tmp/.spamassassin1536V11iKbtmp/doesnotexist for sys rules pre files
    [1536] dbg: config: using /tmp/.spamassassin1536V11iKbtmp/doesnotexist for default rules dir
    [1536] dbg: config: using /tmp/.spamassassin1536V11iKbtmp/doesnotexist/doesnotexist for user prefs file
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
    [1536] dbg: dcc: local tests only, disabling DCC
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
    [1536] dbg: pyzor: local tests only, disabling Pyzor
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
    [1536] dbg: razor2: local tests only, skipping Razor
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
    [1536] dbg: reporter: local tests only, disabling SpamCop
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
    [1536] dbg: plugin: loading Mail::SpamAssassin::Plugin::TextCat from @INC

Yesterday's update was a normal one.

-- Chris KeyID 0xE372A7DA98E6705C
Re: [Possible SPAM] Re: [Possible SPAM] Malformed UTF-8 character (unexpectednon-continuation byte 0x00
Chris wrote: Thanks Loren, I doubt then that this accounts for the strange sa-update run I had this morning which I've posted the cron output here: http://mediasafe.embarq.com/chris1948/Hosted/saupdate0507.tar.bz2 I don't see anything strange at all in that output. Yesterdays update was a normal one. None of the channels you are using had new updates yesterday (or any for a while actually). Daryl
[Possible SPAM] Re: [Possible SPAM] Re: hey
On Saturday 05 May 2007 10:31 pm, Loren Wilton wrote: tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599, PYZOR_CHECK=3.7] Though they did not tag it as spam, they still have a mis-configured setup, note the [ALL_TRUSTED]. Also note the Bayes_00. If they have bayes trained to think spam is ham, they have a problem. Loren They definitely do have one and I've been bugging them about it daily and only get the we're working on the issue/we've escalated the issue/and so forth. They must prepend the subject of every one of my messages automatically even if their SA doesn't score it as such: Old-X-Spam-Score: -1.895 Old-X-Spam-Level: Old-X-Spam-Status: No, score=-1.895 tagged_above=-10 required=6.6 tests=[AWL=0.704, BAYES_00=-2.599] -- Chris KeyID 0xE372A7DA98E6705C
[Possible SPAM] Re: [Possible SPAM] Possibly [OT] - Embarq Mail
On Saturday 28 April 2007 11:22 pm, Matt Kettler wrote: From the looks of it, you need to adjust your trusted_networks. Right now it looks like it is mis-judging the network boundaries, and tagging all mail with the DUL lists. http://wiki.apache.org/spamassassin/TrustPath Matt, here are the markups from your reply, mine first then Embarqs/Synacors: X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on cpollock.localdomain X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00=-6.4 autolearn=disabled version=3.1.8 Old-X-Spam-Status: No, score=-2.545 tagged_above=-10 required=6.6 tests=[ALL_TRUSTED=-1.8, AWL=-0.054, BAYES_00=-2.599, DNS_FROM_RFC_ABUSE=0.2, DNS_FROM_RFC_POST=1.708] Yet your reply is marked as [possible spam]. Here is my trust paths in my local.cf: trusted_networks 127/8 192.168/16 207.217.121/24 209.86.93/24 208.47.184/24 71.48.160.0/20 internal_networks 71.48.160.0/20 Looking at my post to the mailing list here are the markups: This one I'll have to guess is Synacor's X-Virus-Scanned: amavisd-new at Old-X-Spam-Score: -2.599 Old-X-Spam-Level: Old-X-Spam-Status: No, score=-2.599 tagged_above=-10 required=6.6 tests=[BAYES_00=-2.599] Then there is this one: X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= Old-X-Spam-Check-By: apache.org Then there is this one: Message-Id: [EMAIL PROTECTED] X-Virus-Checked: Checked by ClamAV on apache.org X-Old-Spam-Flag: YES X-Old-Spam-Status: Yes, score=9.068 tagged_above=-10 required=6.6 tests=[AWL=1.576, BAYES_99=3.5, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046] Now I'm confused as to which Old-X-Spam markup is from Embarq/Synacor and which is from Apache.org. 
The last one 'looks' like the markups that have been showing up from Embarq/Synacor on my cronjob output posts: X-Spam-Remote: Host localhost.localdomain X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on cpollock.localdomain X-Spam-Status: No, score=-4.0 required=5.0 tests=ALL_TRUSTED=-1.8,AWL=4.209, BAYES_00=-6.4 autolearn=disabled version=3.1.8 The one above is the markup from my box on a cronjob output, the one below is the same cronjob output but marked up by Embarq/Synacor: Old-X-Spam-Flag: YES Old-X-Spam-Score: 7.384 Old-X-Spam-Level: *** Old-X-Spam-Status: Yes, score=7.384 tagged_above=-10 required=6.6 tests=[AWL=3.256, BAYES_50=0.001, FORGED_RCVD_HELO=0.135, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046] My question then is what good would it do me to adjust my trusted_networks setting, if in fact I have it incorrect. The [possible spam] markups are being made by Embarq/Synacor not me. BTW Matt, here is how your reply to me scored, on my box and by Embarq/Synacor: X-Spam-Remote: Host localhost.localdomain X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on cpollock.localdomain X-Spam-Status: No, score=-4.0 required=5.0 tests=ALL_TRUSTED=-1.8,AWL=4.209, BAYES_00=-6.4 autolearn=disabled version=3.1.8 Old-X-Spam-Flag: YES Old-X-Spam-Score: 7.384 Old-X-Spam-Level: *** Old-X-Spam-Status: Yes, score=7.384 tagged_above=-10 required=6.6 tests=[AWL=3.256, BAYES_50=0.001, FORGED_RCVD_HELO=0.135, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046] Chris -- Chris KeyID 0xE372A7DA98E6705C
Re: [Possible SPAM] Re: [Possible SPAM] Possibly [OT] - Embarq Mail
Chris wrote: My question then is what good would it do me to adjust my trusted_networks setting, if in fact I have it incorrect. The [possible spam] markups are being made by Embarq/Synacor not me. Ahh, I get it.. Well, whoever is tagging that has a broken trusted_networks. They're winding up with verizon's mailserver being considered internal, and thus SA is seeing the message as if my home PC was direct-delivering to your network. Having the _DUL tests fire off on properly relayed mail is a sure-fire sign that SA's trust-path is over-trusting. My guess is they've got their inbound mailservers static NATed, and SA by default assumes (guesses) that all private-range IP's are internal, plus the first non-private. This guess breaks down when the inbound MX is private-IP'ed due to static NATing, and here SA winds up thinking verizon's smarthost is part of the local network when it isn't.
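The over-trusting trust path described in the message above, as an added example that is not part of the original thread and is not SpamAssassin's own code: a simplified Python model of the guess as the post states it (private-range IPs are internal, plus the first non-private), compared with an explicit trusted_networks-style list. The relay chains, host names, addresses and the `DYNAMIC_NETS` stand-in for a DUL lookup are all constructed.

```python
import ipaddress

# RFC 1918 ranges plus loopback, listed explicitly: ipaddress.is_private would
# also match the documentation ranges used for the constructed samples below.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed stand-in for a dynamic-address (DUL) blocklist lookup.
DYNAMIC_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def guessed_boundary(relays):
    """Model of the guess as stated in the post (an assumption of this example):
    walking from the newest Received hop, every private-range IP is internal,
    and so is the first non-private one. Everything after that is external."""
    for i, relay in enumerate(relays):
        if not in_nets(relay["ip"], PRIVATE_NETS):
            return relays[:i + 1], relays[i + 1:]
    return list(relays), []


def configured_boundary(relays, trusted_networks):
    """Boundary when the admin lists the networks explicitly: hops stay internal
    only while their IP is inside one of the configured CIDR blocks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for i, relay in enumerate(relays):
        if not in_nets(relay["ip"], nets):
            return relays[:i], relays[i:]
    return list(relays), []


def dul_would_fire(external):
    """A DUL-style rule looks at the hop that handed the mail to the internal side."""
    return bool(external) and in_nets(external[0]["ip"], DYNAMIC_NETS)


def evaluate(relays, trusted_networks=None):
    """Return (IP of first external relay, whether a DUL-style rule fires)."""
    if trusted_networks is None:
        _, external = guessed_boundary(relays)
    else:
        _, external = configured_boundary(relays, trusted_networks)
    first = external[0]["ip"] if external else None
    return first, dul_would_fire(external)


# Constructed chain, newest hop first: inbound MX sits behind static NAT, so
# the first public IP in the chain is the SENDER's smarthost, not the MX.
NAT_MX_CHAIN = [
    {"ip": "127.0.0.1", "note": "content-filter re-injection on the MX"},
    {"ip": "203.0.113.25", "note": "sender ISP smarthost, received by MX at 10.0.0.5"},
    {"ip": "198.51.100.77", "note": "sender's home PC (dynamic), received by smarthost"},
]

# Constructed chain where the guess holds: the MX has a public address and
# relays inward, so the first public IP really is the site's own MX.
PUBLIC_MX_CHAIN = [
    {"ip": "192.0.2.10", "note": "recipient MX, received by internal mail store"},
    {"ip": "203.0.113.25", "note": "sender ISP smarthost, received by MX"},
    {"ip": "198.51.100.77", "note": "sender's home PC (dynamic), received by smarthost"},
]

if __name__ == "__main__":
    explicit = ["127.0.0.0/8", "10.0.0.0/8"]  # full CIDR form for Python's parser
    print("NAT MX, guessed:    ", evaluate(NAT_MX_CHAIN))
    print("NAT MX, configured: ", evaluate(NAT_MX_CHAIN, explicit))
    print("public MX, guessed: ", evaluate(PUBLIC_MX_CHAIN))
```

With the NATed MX the guessed boundary swallows the sender's smarthost, so the dynamic home address becomes the first external relay and the DUL-style check fires on properly relayed mail; listing the site's own networks explicitly moves the boundary back to the smarthost.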
[Possible SPAM] Re: [Possible SPAM] Possibly [OT] - Embarq Mail
On Sunday 29 April 2007 11:45 am, Loren Wilton wrote: They seem to have a rather confused SA setup on their systems, indicating perhaps that they don't really have a clue about what they are doing. Some fairly obvious questions: 1. Why are they tagging your mail through their server as DUL? You are presumably THEIR CUSTOMER and using THEIR ASSIGNED SERVER. They shouldn't be tagging their OWN CUSTOMERS as DUL! 2. Why are they tagging you with an AWL of 3.2? This indicates that they think that you are very likely to send spam. Of course the answer to that is probably the 4 points they are assigning you for being one of their dialup customers. 3. Why FORGED_RCVD_HELO? This might be some sort of mis-setup on your end, I suppose. The FORGED_RCVD_HELO comes up on cron output messages, only certain ones though. Here are the complete headers of one that is marked: Received: from localhost (localhost.localdomain [127.0.0.1]) by mailrelay.embarq.synacor.com (Postfix) with ESMTP id A98DE22B7E7 for [EMAIL PROTECTED]; Sun, 29 Apr 2007 09:09:06 -0400 (EDT) X-Virus-Scanned: amavisd-new at Old-X-Spam-Flag: YES Old-X-Spam-Score: 7.389 Old-X-Spam-Level: *** Old-X-Spam-Status: Yes, score=7.389 tagged_above=-10 required=6.6 tests=[AWL=3.261, BAYES_50=0.001, FORGED_RCVD_HELO=0.135, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046] Received: from mailrelay.embarq.synacor.com ([127.0.0.1]) by localhost (smtp01.embarq.synacor.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TaXXaKHayC-z for [EMAIL PROTECTED]; Sun, 29 Apr 2007 09:09:06 -0400 (EDT) Received: from cpollock.localdomain (tx-71-48-168-13.dhcp.embarqhsd.net [71.48.168.13]) by mailrelay.embarq.synacor.com (Postfix) with ESMTP id 3264622B7DA for [EMAIL PROTECTED]; Sun, 29 Apr 2007 09:09:06 -0400 (EDT) Received: by cpollock.localdomain (Postfix, from userid 0) id C6761434095; Sun, 29 Apr 2007 08:09:05 -0500 (CDT) From: [EMAIL PROTECTED] (Cron Daemon) To: [EMAIL PROTECTED] Subject: [Possible SPAM] Cron [EMAIL PROTECTED] 
/usr/local/bin/ss-msrbl.sh X-Cron-Env: SHELL=/bin/bash X-Cron-Env: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin X-Cron-Env: [EMAIL PROTECTED] X-Cron-Env: HOME=/ X-Cron-Env: LOGNAME=root Message-Id: [EMAIL PROTECTED] Date: Sun, 29 Apr 2007 08:09:05 -0500 (CDT) Status: RO Content-Type: X-UID: 5430 X-Length: 2017 Notice 'my' SA never touches it since it's processed by procmail into the correct folder. The output of the cronjob doesn't contain any spam that I can see: receiving file list ... done sent 82 bytes received 85 bytes 334.00 bytes/sec total size is 227044 speedup is 1359.54 receiving file list ... done /var/tmp/rsync/MSRBL-Images.hdb sent 4316 bytes received 4025 bytes 5560.67 bytes/sec total size is 479987 speedup is 57.55 4. Why did your test message get bayes_95? Did it contain a test spam? No, all it contained was the word 'test' and my gpg signature. Another odd thing, if I send a 'test' message to myself at my embarqmail address it's marked up as such - my markup and Embarq's/Synacor's, the first set is to my embarqmail.com address, then 2nd is to my old earthlink address which earthlink forwards to my embarqmail address: X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on cpollock.localdomain X-Spam-Status: No, score=-4.1 required=5.0 tests=ALL_TRUSTED=-1.8,AWL=4.140, BAYES_00=-6.4 autolearn=disabled version=3.1.8 Old-X-Spam-Score: 9.048 Old-X-Spam-Level: * Old-X-Spam-Status: Yes, score=9.048 tagged_above=-10 required=6.6 tests=[AWL=1.556, BAYES_99=3.5, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046] X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on cpollock.localdomain X-Spam-Status: No, score=-3.2 required=5.0 tests=AWL=3.173,BAYES_00=-6.4 autolearn=disabled version=3.1.8 Old-X-Spam-Score: -1.42 Old-X-Spam-Level: Old-X-Spam-Status: No, score=-1.42 tagged_above=-10 required=6.6 tests=[AWL=-0.680, BAYES_20=-0.74] So, why does a message that is marked up with -1.42 have the subject changed to have [Possible Spam] added? 
-- Chris KeyID 0xE372A7DA98E6705C
[Possible SPAM] Re: [Possible SPAM] Possibly [OT] - Embarq Mail
On Sunday 29 April 2007 3:06 pm, SM wrote: Any words of wisdom I can send to Synacor would be appreciated if they are in fact necessary. Any help on understanding why a message that has a score that says it's not spam but has the subject changed to state it is would be appreciated also. It may be better to contact Embarq which is your ISP and complain about valid mail being tagged as spam. Ask them whether you can use SMTP authentication to solve the problem. If all your mail is being tagged as possible spam, then the antispam filtering for embarqmail.com is misconfigured. Forward several examples of incorrectly tagged messages (without your markups) sent to your email address to Embarq technical support to show the problem. Regards, -sm From an email I received from a QA guy at Embarq when I was asking questions about the switch over: The smtp server will be smtp.embarqmail.com and it will be authenticated but the port will be 25 rather than 587. How can you have an authenticated smtp session without 1) Sending to a server such as Earthlink's used to be (smtpauth.earthlink.net) and 2) Using port 25 vice port 587? -- Chris KeyID 0xE372A7DA98E6705C
Re: [Possible SPAM] Re: [Possible SPAM] Possibly [OT] - Embarq Mail
At 13:47 29-04-2007, Chris wrote: From an email I received from a QA guy at Embarq when I was asking questions about the switch over: The smtp server will be smtp.embarqmail.com and it will be authenticated but the port will be 25 rather than 587. They said that smtp.embarqmail.com supports SMTP AUTH. How can you have an authenticated smtp session without 1)Sending to a server such as earthlinks used to be (smtpauth.earthlink.net) and 2)Using port 25 vice port 587? Earthlink may have used smtpauth in the hostname to specify that the SMTP server only supports authenticated SMTP sessions. SMTP authentication is not restricted to port 587 only. It can also be used on port 25 if the mail server supports that. Configure your mail client to use SMTP AUTH (PLAIN or LOGIN). You should also configure the system sending the Cron messages to use SMTP AUTH. Regards, -sm
[Possible SPAM] Re: [Possible SPAM] Re: [Possible SPAM] Possibly [OT] - Embarq Mail
On Sunday 29 April 2007 4:04 pm, SM wrote: Earthlink may have used smtpauth in the hostname to specify that the SMTP server only supports authenticated SMTP sessions. SMTP authentication is not restricted to port 587 only. It can also be used on port 25 if the mail server supports that. Configure your mail client to use SMTP AUTH (PLAIN or LOGIN). You should also configure the system sending the Cron messages to use SMTP AUTH. Regards, -sm I've checked, authentication was set to 'plain', I've just changed it to 'login' and sent myself another test message. The results are below, first markup with authentication set to 'plain' 2nd set to 'login', I see no difference: Old-X-Spam-Flag: YES Old-X-Spam-Score: 9.035 Old-X-Spam-Level: * Old-X-Spam-Status: Yes, score=9.035 tagged_above=-10 required=6.6 tests=[AWL=1.543, BAYES_99=3.5, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046] Old-X-Spam-Flag: YES Old-X-Spam-Score: 9.015 Old-X-Spam-Level: * Old-X-Spam-Status: Yes, score=9.015 tagged_above=-10 required=6.6 tests=[AWL=1.523, BAYES_99=3.5, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046] -- Chris KeyID 0xE372A7DA98E6705C
[Possible SPAM] Re: [Possible SPAM] trustedrelays
On Wednesday 25 April 2007 4:34 pm, Daryl C. W. O'Shea wrote: Chris wrote: [2474] dbg: metadata: X-Spam-Relays-Trusted: [ ip=127.0.0.1 rdns=localhost.localdomain helo=localhost by=mailrelay.embarq.synacor.com ident= envfrom= intl=1 id=8B8062336D7 auth= ] [ ip=127.0.0.1 rdns= helo=mailrelay.embarq.synacor.com by=localhost ident= envfrom= intl=1 id=jfvuG0A1xsHa auth= ] [2474] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=71.48.168.13 rdns=tx-71-48-168-13.dhcp.embarqhsd.net helo=!192.168.2.2! by=mailrelay.embarq.synacor.com ident= envfrom= intl=0 id=228272334BD auth= ] I read what it says, but I guess I don't understand. I see that 127.0.0.1 is trusted and from what the wiki says, that's a given. I read this as my ip being untrusted, is that correct? If that's the case would the only trusted relays be 127.0.0.1? What about the trusted_networks entry? I'm unsure on that also. This is my current trusted_networks line: trusted_networks 127/8 192.168/16 207.217.121/24 209.86.93/24 208.47.184/24 Assuming that 71.48.168.13 is your IP, yeah, it's not trusted, nor should it be given that it's not in your trusted_networks config. That leaves 127.0.0.1 being trusted. 208.47.184.129 is ignored since header parsing restarts after it finds a fetchmail marker. I'm not sure what about the trusted_networks entry you want to know. Actually I'm not sure what at all you want to know. What I'm trying to figure out Daryl is what would be added to my trusted_networks config line to reflect embarq and or synacor. Previously this is all I had on that line, 127/8 192.168/16 207.217.121/24 209.86.93/24. Since I'm now 'in between' hosts, meaning that El is forwarding mail until 31 Oct and I've changed some lists over to the new address. What, if anything, should be added to this line to reflect that change? -- Chris KeyID 0xE372A7DA98E6705C
Re: [Possible SPAM] Re: [Possible SPAM] trustedrelays
Chris wrote: What I'm trying to figure out Daryl is what would be added to my trusted_networks config line to reflect embarq and or synacor. Previously this is all I had on that line, 127/8 192.168/16 207.217.121/24 209.86.93/24. Since I'm now 'in between' hosts, meaning that El is forwarding mail until 31 Oct and I've changed some lists over to the new address. What, if anything, should be added to this line to reflect that change? You'd have to look at the headers of a (number of) message(s) sent from domains external to embarq to determine what networks are involved in embarq's mail network. At a minimum it's going to involve 208.47.184.2. Your previously noted usage of 208.47.184/24 may cover everything, or it may not. You'll have to look at the headers of external mail to find out. Daryl
remove spam reports from spam email body
I am seeing detailed spamassassin reports when a specific spam email was tagged such as below:
Content analysis details: (37.9 points, 5.0 required)
pts rule name description
-- --
1.0 INVALID_TZ_GMT Invalid date in header (wrong GMT/UTC timezone)
1.8 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
2.5 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
1.2 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
My queries would be, is there any way I could remove them from the spam email report, since these scores were already included from email headers? TIA
Re: special spam-account for spam mails
Thank you for your help, but as I read mimedefang is only a program for sendmail. Can I use it with postfix, too? I have no technical know-how about sendmail... :) Is there anywhere a ready to use howto? From: aubreyL [mailto:[EMAIL PROTECTED] Sent: Monday, 18 December 2006 16:40 To: Fettke, Dirk Cc: users@spamassassin.apache.org Subject: Re: special spam-account for spam mails Fettke, Dirk wrote: Hello List, here we have a spam-filtering email-gateway with no local mailboxes. all mails getting scanned only for spam and viruses and then forwarded to the specific mailserver for the recipient-domain. now we would like to have the possibility that spam-mails with score 5 saved in local mailboxes which will be automatically generated on our system. all other mails with score 5 should forwarded further on. The Users then could log into their generated spam-account and read or delete their spam-mails. How can I do this or is there any solution for this? Regards Dirk All of that depends on how your server is set up. I can help you if you are using mimedefang. Hopefully someone else can help you if not.
special spam-account for spam mails
Hello List, here we have a spam-filtering email-gateway with no local mailboxes. all mails getting scanned only for spam and viruses and then forwarded to the specific mailserver for the recipient-domain. now we would like to have the possibility that spam-mails with score 5 saved in local mailboxes which will be automatically generated on our system. all other mails with score 5 should forwarded further on. The Users then could log into their generated spam-account and read or delete their spam-mails. How can I do this or is there any solution for this? Regards Dirk
Re: special spam-account for spam mails
My current MTA is Postfix with amavisd and spamassassin. In the current config we don't have POP3. All Mails will be relayed to different exchange-server depending on the recipient. I thought I could implement the local mailboxes only with imap-support, so the users could login with a webinterface (e.g: squirrelmail) But for the first step it will be ok using a local POP3-server. The important thing is, that the spam-mails with a score 5 will be stored in the local mailbox of the recipient and will not be delivered to the exchange mailbox. From: vertito [mailto:[EMAIL PROTECTED] Sent: Monday, 18 December 2006 14:35 To: Fettke, Dirk Subject: RE: special spam-account for spam mails this is possible. the solution you are asking depends on your current hub email server setup and pop3 servers. what is current your MTA and POP3 servers? From: Fettke, Dirk [mailto:[EMAIL PROTECTED] Sent: Monday, December 18, 2006 1:41 PM To: users@spamassassin.apache.org Subject: special spam-account for spam mails Hello List, here we have a spam-filtering email-gateway with no local mailboxes. all mails getting scanned only for spam and viruses and then forwarded to the specific mailserver for the recipient-domain. now we would like to have the possibility that spam-mails with score 5 saved in local mailboxes which will be automatically generated on our system. all other mails with score 5 should forwarded further on. The Users then could log into their generated spam-account and read or delete their spam-mails. How can I do this or is there any solution for this? Regards Dirk
Re: special spam-account for spam mails
Fettke, Dirk wrote: Hello List, here we have a spam-filtering email-gateway with no local mailboxes. all mails getting scanned only for spam and viruses and then forwarded to the specific mailserver for the recipient-domain. now we would like to have the possibility that spam-mails with score 5 saved in local mailboxes which will be automatically generated on our system. all other mails with score 5 should forwarded further on. The Users then could log into their generated spam-account and read or delete their spam-mails. How can I do this or is there any solution for this? Regards Dirk All of that depends on how your server is set up. I can help you if you are using mimedefang. Hopefully someone else can help you if not.
Re: How novice end users, neophytes can set things up so that suspected spam or likely spam or definitely spam type messages go to another secondary mail file for later examination in case there are a
Don Saklad wrote: So many end users looking over the SpamAssassin headers on email haven't climbed the too steep learning curve for making the best use of the headers. Most end users (at least in Sweden) haven't got access to the MDA configuration, so the procmail stuff is of no use to them. Instead they'll have to use whatever filtering capabilities their mail reader has. More info about this should be available in the help and the documentation for the mail reader. On Windows that's usually the odd little menu item called Help. Also, not all SpamAssassin installations are the same, so the end users should start by finding out how the mail they receive is marked. This will influence how they set up their filters. How could something be developed that's easier, simple and straightforward?... That's easy. Just force all users to use the same mail client and force all ISPs to use the same markup. :-/ Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
How novice end users, neophytes can set things up so that suspected spam or likely spam or definitely spam type messages go to another secondary mail file for later examination in case there are any f
How do novice end users, neophytes set things up so that suspected spam or likely spam or definitely spam type messages go to another secondary mail file for later examination in case there are any false positives?...
Re: How novice end users, neophytes can set things up so that suspected spam or likely spam or definitely spam type messages go to another secondary mail file for later examination in case there are a
Thank you! Unfortunately, so far the usability of information is rather more advanced than for novices, for the neophytes. How could something be developed that's easier, simple and straightforward?... So many end users looking over the SpamAssassin headers on email haven't climbed the too steep learning curve for making the best use of the headers.
Re: [Devel-spam] {Spam?} ascii art spam and possible solution
On Tue, 3 Oct 2006, Randal, Phil wrote: Surely all you need to do is write a rule which gives style=FONT-SIZE: 4px (or a range of small font sizes) a biggish score? ah ustymm al td ep vhag su ga zeee ok yk ch eq jrg ymp fd vj tg yc jv yo vp km zgdadmrv dh kr lclyea fp wv ja au ln bh bn gmdu nw vs he kb ay nq ak fako lter pu kqvyfs pz ovsc dnoj combined with /\s(?:\S\S\s\s){7}/ maybe? -- John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Gun Control: The theory that a woman found dead in an alley, raped and strangled with her panty hose, is somehow morally superior to a woman explaining to police how her attacker got that fatal bullet wound. ---
Re: [Devel-spam] {Spam?} ascii art spam and possible solution
On Tue, October 3, 2006 21:44, John D. Hardin wrote: Surely all you need to do is write a rule which gives combined with /\s(?:\S\S\s\s){7}/ maybe? tripwire.cf -- This message was sent using 100% recycled spam mails.
Bouncing spam vs. Blackholing spam
I've been blocking a lot of spam at connect time that I am 100% sure is spam. However I'm wondering if that is the best idea because it gives spammers feedback as to what works and what doesn't. If I silently absorb the spam and let the spammers think it's delivered then they have no way to know if the spam is getting through or not. Thoughts?
Re: Bouncing spam vs. Blackholing spam
My personal opinion is that the spammers don't care either way. My guess would be that they probably don't even bother checking the logs of what worked and what didn't on the zombie PCs they hijack to send the crap in the first place. Probably far easier to just fire and forget. -Mike Marc Perkel wrote: I've been blocking a lot of spam at connect time that I am 100% sure is spam. However I'm wondering if that is the best idea because it gives spammers feedback as to what works and what doesn't. If I silently absorb the spam and let the spammers think it's delivered then they have no way to know if the spam is getting through or not. Thoughts?
Re: Bouncing spam vs. Blackholing spam
I've been blocking a lot of spam at connect time that I am 100% sure is spam. However I'm wondering if that is the best idea because it gives spammers feedback as to what works and what doesn't. If I silently absorb the spam and let the spammers think it's delivered then they have no way to know if the spam is getting through or not. Thoughts? I don't know whether these zombies record success/failure from SMTP sessions, and/or report this to a 'central database'.. Nevertheless I switched during the last two years from REJECT-ing to DISCARD-ing in my postfix rules. At least in the rules I'm 100% sure about. Indeed I too don't want to give the spammers feedback. Regards Menno van Bennekom
RE: Bouncing spam vs. Blackholing spam
Marc said: I've been blocking a lot of spam at connect time that I am 100% sure is spam. However I'm wondering if that is the best idea because it gives spammers feedback as to what works and what doesn't. If I silently absorb the spam and let the spammers think it's delivered then they have no way to know if the spam is getting through or not. Thoughts? I give most incoming spam a 554 (rejected) response. I think that a 250 response code would cause the spammer to think it worked and got through. But I've often considered giving spammers a 550 unknown user response code in the hopes of motivating them (even more) to remove my addresses from their lists sooner. I do see a marked reduction in the amount of spam per user for customers I've had for a while in comparison to new customers. I attribute this mostly to (1) all the 554 response codes received over the months during their attempts to spam my customers (2) lack of my users loading image bugs in their spams which alert spammers since they don't make it to my clients anymore (compared to before they were my mail hosting clients) Another consideration is that you put yourself more at risk if you say that you received it successfully and then a FP occurs. Of course, I know that this is next to impossible with YOUR system... and I don't mean that sarcastically... ;) But sending a 554 to a FP does serve a purpose in that it alerts the sender that something went wrong while a 250 response to a FP gives false confidence to the sender. In a sense, you've then broken the contract. I 554 the 85% highest scoring spam and 250 the 15% just barely caught stuff... but then I take full responsibility for that 15% and do extensive auditing on it (mostly through automated tools) so that I can be confident that I haven't created FPs (and so that I can deliver rare FPs in a timely manner, as well as adjusting the filtering to prevent future FPs) Hope this helps! Rob McEwen PowerView Systems
Re: Bouncing spam vs. Blackholing spam
From: John Rudd [EMAIL PROTECTED] On Aug 10, 2006, at 1:58 PM, Marc Perkel wrote: I've been blocking a lot of spam at connect time that I am 100% sure is spam. However I'm wondering if that is the best idea because it gives spammers feedback as to what works and what doesn't. If I silently absorb the spam and let the spammers think it's delivered then they have no way to know if the spam is getting through or not. Thoughts? My thought is: silently deleting email (spam, virus, etc.) a violation of RFCs, and I'm not interested in doing that. I'm more interested in correctly handling the false positives than what happens with true positives (I know, you said you're 100% sure it's spam, but I don't believe in such a thing as automated detection of spam that results in a 100% confidence value). So, the next generation anti-spam mechanism I'm working on for work will reject spam during the SMTP session with a 5xx code. I'm planning on rejecting at a score of 10. This means that if it's a directly attached spam zombie, it will just disappear ... but in a way that doesn't make me an RFC violator. If it's a false-positive, then the sender will know that their mail disappeared. If it's being submitted by an intermediate relay (such as the spam-zombie's ISP's mail server), then it may get bounced back to an innocent third party. But I don't consider that to be _my_ fault/responsibility. I consider that to be the fault/responsibility If I receive a message in my mailbox from a site bouncing email I did not send I place that ENTIRE ISP on my /dev/null list ucsc.edu or not. It simply turns YOU into a spam relay. If you simply reject it that's a somewhat different ballgame. of the intermediate relay for not having spam-scanned and rejected the message themselves. By not accepting the message, I am not accepting responsibility for the message's fate, either. 
If I were to accept the message, THEN it becomes my responsibility to ensure that the message doesn't disappear nor get bounced back to an innocent third party. It is not the intermediate relay job to spam scan. Its job is to forward HUGE amounts of email to its proper destination. If it has to filter as well then the problem magnifies exponentially. {^_^}
Re: Bouncing spam vs. Blackholing spam
On Aug 10, 2006, at 9:00 PM, jdow wrote: From: John Rudd [EMAIL PROTECTED] On Aug 10, 2006, at 1:58 PM, Marc Perkel wrote: I've been blocking a lot of spam at connect time that I am 100% sure is spam. However I'm wondering if that is the best idea because it gives spammers feedback as to what works and what doesn't. If I silently absorb the spam and let the spammers think it's delivered then they have no way to know if the spam is getting through or not. Thoughts? My thought is: silently deleting email (spam, virus, etc.) a violation of RFCs, and I'm not interested in doing that. I'm more interested in correctly handling the false positives than what happens with true positives (I know, you said you're 100% sure it's spam, but I don't believe in such a thing as automated detection of spam that results in a 100% confidence value). So, the next generation anti-spam mechanism I'm working on for work will reject spam during the SMTP session with a 5xx code. I'm planning on rejecting at a score of 10. This means that if it's a directly attached spam zombie, it will just disappear ... but in a way that doesn't make me an RFC violator. If it's a false-positive, then the sender will know that their mail disappeared. If it's being submitted by an intermediate relay (such as the spam-zombie's ISP's mail server), then it may get bounced back to an innocent third party. But I don't consider that to be _my_ fault/responsibility. I consider that to be the fault/responsibility If I receive a message in my mailbox from a site bouncing email I did not send I place that ENTIRE ISP on my /dev/null list ucsc.edu or not. It simply turns YOU into a spam relay. If you simply reject it that's a somewhat different ballgame. That's what I said: I reject the messages. During the smtp session. It gets a 5xx SMTP response. The it may get bounced back comment was specifically that the intermediate relay might bounce it. I'm not bouncing it, I'm rejecting it. 
of the intermediate relay for not having spam-scanned and rejected the message themselves. By not accepting the message, I am not accepting responsibility for the message's fate, either. If I were to accept the message, THEN it becomes my responsibility to ensure that the message doesn't disappear nor get bounced back to an innocent third party. It is not the intermediate relay job to spam scan. Its job is to forward HUGE amounts of email to its proper destination. If it has to filter as well then the problem magnifies exponentially. I disagree. It is _every_ mail server's responsibility to be accountable for any email it accepts, even mail that isn't ultimately destined for them. If you're relaying spam, you're relaying spam. If you're relaying viruses, you're relaying viruses. No rationalizations count. Not even the I'm relaying for my customer nor I'm the final destination's MX server rationalizations count. Relaying spam and/or viruses is relaying spam and/or viruses. Of course, part of that responsibility is letting people who use you as a relay know what your policies are (so that if they don't like your policies they can move to a different service), but ... I stand by the assertion that it is the fault of the intermediate relay for bouncing spam back to a third party, and not the fault of the destination which rejected the spam. If the intermediary doesn't like getting black listed for it, then they shouldn't have accepted it into their queue in the first place.
Horde webmail spam report and spam assassin
Horde webmail has a spam reporting feature, however it is a bit useless. Why? Because it sends the email (without headers) to an email address (the spam admin). This way is very difficult to feed the spam mail into spam detection software. I wonder if somebody has done anything to make it work with the SA-Learn feature of Spam Assassin. -- Atentamente / Kind regards Alejandro Lengua, Virtual Orbis eBusiness Services www.virtualorbis.com, www.vohosting.com
Re: Horde webmail spam report and spam assassin
I wonder if somebody has done anything to make it work with the SA-Learn feature of Spam Assassin. in squirrelmail there is http://www.squirrelmail.org/plugin_view.php?id=242 which is very useful
Re: Horde webmail spam report and spam assassin
Alejandro Lengua wrote: Horde webmail has a spam reporting feature, however it is a bit useless. Why? Because it sends the email (without headers) to an email address (the spam admin). This way is very difficult to feed the spam mail into spam detection software. I wonder if somebody has done anything to make it work with the SA-Learn feature of Spam Assassin. I haven't played around with horde/imp lately but last I checked, the report spam option actually passed the message to spamassassin -r. You're saying it no longer does this? I'll have to check it out.. -Jim
Vouching for mail from a dynamic IP (was: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam)
--On Saturday, May 20, 2006 4:54 PM -0700 jdow [EMAIL PROTECTED] wrote: Looking at your own email it comes from a COMCAST cable connection in Palmer Ranch Florida through the WFGB mailer. The WFGB mailer is not in SORBS anywhere. YOUR address most certainly is a dialup. So it WILL get tagged unless your mail goes through a machine that properly vouches for it. 68.32.0.0/11 (68.32.0.0-68.63.255.255) is a dynamic IP netblock. How does another machine properly vouch for it? If I route my mail to a colocated host under my control, how do I make that host vouch for the mail from my house?
Re: Vouching for mail from a dynamic IP (was: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam)
On Mon, 22 May 2006, Kenneth Porter wrote: How does another machine properly vouch for it? If I route my mail to a colocated host under my control, how do I make that host vouch for the mail from my house?

Send it over an ssh tunnel so that to the MTA it appears to be coming from 127.0.0.1. That's how I do it.

--
John Hardin KA7OHZ  ICQ#15735746  http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]  FALaholic #11174  pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The problem is when people look at Yahoo, slashdot, or groklaw and jump from obvious and correct observations like Oh my God, this place is teeming with utter morons to incorrect conclusions like there's nothing of value here.
-- Al Petrofsky, in Y! SCOX
---
Re: Vouching for mail from a dynamic IP (was: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam)
On Monday, May 22, 2006 12:28 PM -0700 John D. Hardin [EMAIL PROTECTED] wrote: Send it over an ssh tunnel so that to the MTA it appears to be coming from 127.0.0.1. That's how I do it. Any way to do that with sendmail at both ends? Currently I use an AuthInfo entry in the sending MTA's access DB, and a mailertable entry (or smarthost in sendmail.mc) to direct mail to the receiving MTA for domains that don't like dynamic senders. So the dynamic IP in the Received headers should show up as authenticated for the host with static IP.
Re: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam
Thank you for all of the suggestions and comments. [ A) But probably your server failed to indicate in its received headers that the mail from the dynamicIP was authenticated, or SA failed to parse the received header B) Don't use a dial-up and send direct? {o.o} C) Read about trusted_networks and internal_networks in the Mail::SpamAssassin::Conf man page. These parameters go into your Local.cf configuration file. [ [My Replies] A) There are 4 main things wrong. Is there the error failing to parse the received header for all of them? How do I change that if that is the case. I am using smartermail if anyone is familiar with it. How do I get SA to parse the received header if that is the case? I have placed a header below. B) We are not using a dial-up. What do you mean send direct? We have an Ip for our server and we have our mail server on the same box using a different IP. We have reverse DNS turned on for both IP's. C) I have been searching for a manual everywhere for Windows. I cannot find one. I am on a windows system and do not have access to the man command. 
[This header to an email being picked up as spam and below it is the SA points]

Received: from localhost by Server-Name-Removed
    With SpamAssassin (version 3.1.1);
    Tue, 16 May 2006 22:26:26 -0500
From: "Spectacular Stuff" email-address-removed
To: [EMAIL PROTECTED]
Subject: SPAM: Re: your alltel email message
Date: Tue, 16 May 2006 23:25:54 -0400 (Eastern Daylight Time)
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on DEDE143
X-Spam-Level: *
X-Spam-Status: Yes, score=9.9 required=8.0 tests=AWL,HELO_DYNAMIC_IPADDR,
    HTML_MESSAGE,HTML_TAG_EXIST_TBODY,NO_DNS_FOR_FROM,RCVD_IN_NJABL_DUL,
    RCVD_IN_SORBS_DUL autolearn=no version=3.1.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_446A97E2.4BEC"
X-SmarterMail-Spam: SPF_None
X-Rcpt-To: email-address-removed

[SA Points]
Content analysis details: (9.9 points, 8.0 required)

 Pts rule name              description
---- ---------------------- --------------------------------------------------
 3.4 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr1)
 0.1 HTML_TAG_EXIST_TBODY   BODY: HTML has "tbody" tag
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.6 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [68.56.175.199 listed in dnsbl.sorbs.net]
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [68.56.175.199 listed in combined.njabl.org]
 0.1 AWL                    AWL: From: address is in the auto white-list

Wayne

---Original Message---
From: [EMAIL PROTECTED]
Date: 05/20/06 02:46:01
To: spectacularstuff
Cc: users@spamassassin.apache.org
Subject: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam

I have just set up Spam Assassin on our server. It is working very nicely however whenever we try to send an email from our own server to someone else on the same server, it gets picked up as spam. I am wondering if anyone here has experience with Spam Assassin and can help me fix the issues below as I don't know what they mean exactly.
I have spam assassin set to detect at 8 points whether or not an email is spam. We are way over that because of the following reasons. What do I have to fix on our server to fix the 4 issues below? 1. We are losing 3.4 points because of HELO_DYNAMIC_IPADDR. 2. We are losing 2.6 points because of NO_DNS_FOR_FROM. 3. We are losing 2.0 points because of RCVD_IN_SORBS_DUL. 4. We are losing 1.7 points because of RCVD_IN_NJABL_DUL. Hi, you did not show the full headers - but probably your server failed to indicate in its Received headers that the mail from the dynamic ip was authenticated, or SA failed to parse the received header Wolfgang Hamann
Re: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam
The messages getting tagged most positively are on a segment of addresses that are tagged as dynamically assigned addresses, colloquially called dialup addresses in the anti-spam community. That is what these mean: RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL This is good for several points on any spam checking engine if they do not go through an emailer that vouches for them. A major question you never answered is whether it is your own site filtering outbound mail or other sites that are declaring your email to be spam. Looking at your own email it comes from a COMCAST cable connection in Palmer Ranch Florida through the WFGB mailer. The WFGB mailer is not in SORBS anywhere. YOUR address most certainly is a dialup. So it WILL get tagged unless your mail goes through a machine that properly vouches for it. 68.32.0.0/11 (68.32.0.0-68.63.255.255) is a dynamic IP netblock. {^_^} - Original Message - From: WFGB Team [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: users@spamassassin.apache.org Sent: Saturday, May 20, 2006 07:53 Subject: Re: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam Thank you for all of the suggestions and comments. [ A) But probably your server failed to indicate in its received headers that the mail from the dynamic IP was authenticated, or SA failed to parse the received header B) Don't use a dial-up and send direct? {o.o} C) Read about trusted_networks and internal_networks in the Mail::SpamAssassin::Conf man page. These parameters go into your Local.cf configuration file. [ [My Replies] A) There are 4 main things wrong. Is there the error failing to parse the received header for all of them? How do I change that if that is the case. I am using smartermail if anyone is familiar with it. How do I get SA to parse the received header if that is the case? I have placed a header below. B) We are not using a dial-up. What do you mean send direct? We have an Ip for our server and we have our mail server on the same box using a different IP. 
We have reverse DNS turned on for both IP's. C) I have been searching for a manual everywhere for Windows. I cannot find one. I am on a windows system and do not have access to the man command. [This header to an email being picked up as spam and below it is the SA points] Received: from localhost by Server-Name-Removed With SpamAssassin (version 3.1.1); Tue, 16 May 2006 22:26:26 -0500 From: Spectacular Stuff email-address-removed To: [EMAIL PROTECTED] Subject: SPAM: Re: your alltel email message Date: Tue, 16 May 2006 23:25:54 -0400 (Eastern Daylight Time) Message-Id: [EMAIL PROTECTED] X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on DEDE143 X-Spam-Level: * X-Spam-Status: Yes, score=9.9 required=8.0 tests=AWL,HELO_DYNAMIC_IPADDR HTML_MESSAGE,HTML_TAG_EXIST_TBODY,NO_DNS_FOR_FROM,RCVD_IN_NJABL_DUL RCVD_IN_SORBS_DUL autolearn=no version=3.1.1 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--=_446A97E2.4BEC X-SmarterMail-Spam: SPF_None X-Rcpt-To: email-address-removed [SA Points] Content analysis details: (9.9 points, 8.0 required) Pts rule name description -- -- 3.4 HELO_DYNAMIC_IPADDRRelay HELO'd using suspicious hostname (IP addr1) 0.1 HTML_TAG_EXIST_TBODY BODY: HTML has tbody tag 0.0 HTML_MESSAGE BODY: HTML included in message 2.6 NO_DNS_FOR_FROMDNS: Envelope sender has no MX or A DNS records 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [68.56.175.199 listed in dnsbl.sorbs.net] 1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP [68.56.175.199 listed in combined.njabl.org] 0.1 AWLAWL: From: address is in the auto white-list Wayne ---Original Message--- From: [EMAIL PROTECTED] Date: 05/20/06 02:46:01 To: spectacularstuff Cc: users@spamassassin.apache.org Subject: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam I have just set up Spam Assassin on our server. 
It is working very nicely however whenever we try to send an email from our own server to someone else on the same server, it gets picked up as spam. I am wondering if anyone here has experience with Spam Assassin and can help me fix the issues below as I don't know what they mean exactly. I have spam assassin set to detect at 8 points whether or not an email is spam. We are way over that because of the following reasons. What do I have to fix on our server to fix the 4 issues below? 1. We are losing 3.4 points because of HELO_DYNAMIC_IPADDR. 2. We are losing 2.6 points because of NO_DNS_FOR_FROM. 3. We are losing 2.0 points because of RCVD_IN_SORBS_DUL. 4. We are losing 1.7 points because of RCVD_IN_NJABL_DUL. Hi, you did not show the full headers
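For readers following this thread: an added example (not posted by anyone on the list) that parses the X-Spam-Status header and the content analysis report quoted above, cross-checks them, and shows how much of the 9.9 comes from the four network rules the poster lists. The sample strings are re-typed from the thread with spacing restored; function names are hypothetical.

```python
import re
from decimal import Decimal

# Constructed sample: header value and report from the thread, with the
# header folding and column spacing restored.
STATUS = (
    "Yes, score=9.9 required=8.0 tests=AWL,HELO_DYNAMIC_IPADDR,\n"
    "\tHTML_MESSAGE,HTML_TAG_EXIST_TBODY,NO_DNS_FOR_FROM,RCVD_IN_NJABL_DUL,\n"
    "\tRCVD_IN_SORBS_DUL autolearn=no version=3.1.1"
)
REPORT = """\
 3.4 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr1)
 0.1 HTML_TAG_EXIST_TBODY   BODY: HTML has "tbody" tag
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.6 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [68.56.175.199 listed in dnsbl.sorbs.net]
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [68.56.175.199 listed in combined.njabl.org]
 0.1 AWL                    AWL: From: address is in the auto white-list
"""

# The four rules the poster asks about; all depend on how the relay path looks.
NETWORK_RULES = {
    "HELO_DYNAMIC_IPADDR", "NO_DNS_FOR_FROM",
    "RCVD_IN_SORBS_DUL", "RCVD_IN_NJABL_DUL",
}

RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


def parse_status(value):
    """Parse an X-Spam-Status value, tolerating folding inside tests=."""
    verdict, _, rest = value.partition(",")
    rest = re.sub(r",\s+", ",", rest)          # undo folds after commas
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "is_spam": verdict.strip().lower() == "yes",
        "score": Decimal(fields["score"]),
        "required": Decimal(fields["required"]),
        "tests": set(filter(None, fields.get("tests", "").split(","))),
    }


def parse_report(text):
    """Map rule name -> points; continuation lines (no score) are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules[m.group(2)] = Decimal(m.group(1))
    return rules


def cross_check(status, rules):
    """Compare the header's test list and score with the report."""
    total = sum(rules.values(), Decimal("0"))
    return {
        "only_in_header": status["tests"] - set(rules),
        "only_in_report": set(rules) - status["tests"],
        "report_total": total,
        # Reports round each rule to one decimal, so allow 0.1 of drift.
        "totals_agree": abs(total - status["score"]) <= Decimal("0.1"),
    }


def score_without(rules, dropped):
    """Score that remains if the given rules stop firing.

    Approximation: AWL adjusts with sender history, so it would shift too.
    """
    return sum((p for n, p in rules.items() if n not in dropped), Decimal("0"))


if __name__ == "__main__":
    status, rules = parse_status(STATUS), parse_report(REPORT)
    print(cross_check(status, rules))
    print("without network rules:", score_without(rules, NETWORK_RULES))
```

A mismatch between the header's test list and the report is the first thing to look for when a message appears to have been scanned twice.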
relay distance and spam [was xxxl spam]
Mark Martinec wrote: http://www.ijs.si/software/amavisd/fig1.gif Spam score vs. IP distance in hops (our server is in European academic network Geant) This one is amazing. there seems to be an empty space (most mail has nhops = 10 or = 14). I would guess that most ham with large nhops is from mailing lists. so the question is what would be the graphic if you take into account: - mailing lists forwarding - multiple internal hops at either sender or receiver (I have N Received headers added by my own MTA. and for mail fetched from an MSP, there are still more). I would conjecture that most legitimate mail has two real hops (the sending MTA and the receiving MTA).
RE: relay distance and spam [was xxxl spam]
mouss wrote: I would conjecture that most legitimate mail has two real hops (the sending MTA and the receiving MTA). That would be one hop.
Re: relay distance and spam [was xxxl spam]
[EMAIL PROTECTED] wrote: mouss wrote: I would conjecture that most legitimate mail has two real hops (the sending MTA and the receiving MTA). That would be one hop. depends on how you count: MUA - my MTA1 - your MTA - your mailbox that's two MTAs, so that's two hops. I prefer to count it this way because this corresponds to Received headers. a direct mail would be MUA - MTA - mailbox and is either: - legitimate from trusted sources - direct spam - an exception if you have an internal MTA and a relay host, or if you have an MTA and relay via an ISP, that adds a hop If you can remove the reception hops (since you know them, you can ignore them in your computations), most legitimate cross-domain mail would be 2-h mail (this is what I believe).
Re: relay distance and spam [was xxxl spam]
mouss wrote: - multiple internal hops at either sender or receiver (I have N Received headers added by my own MTA. and for mail fetched from an MSP, there are still more). Actually, if I'm reading this right, it's the number of IP hops between the sending server and the receiving server -- in other words, how many lines you'd see if you were on the receiving server and ran traceroute to the sending MTA. I've rarely seen any messages that passed through more than 5 MTAs -- certainly not enough to account for the graph. But 10 routers between me and the sender? That doesn't seem unreasonable at all. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: relay distance and spam [was xxxl spam]
On Tuesday, 11 April 2006 22:28, mouss wrote: [EMAIL PROTECTED] wrote: mouss wrote: I would conjecture that most legitimate mail has two real hops (the sending MTA and the receiving MTA). That would be one hop. depends on how you count: MUA - my MTA1 - your MTA - your mailbox that's two MTAs, so that's two hops. I prefer to count it this way because this corresponds to Received headers. well, here it looks like this: MUA - sender's MTA - my external MTA -(fetchmail)- my internal MTA - one internal hop through spamassassin - one internal hop through antivirus - my MUA and at my workplace it's a similar setup, without the fetchmail. bye, MH
RE: relay distance and spam [was xxxl spam]
Kelson wrote: Actually, if I'm reading this right, it's the number of IP hops between the sending server and the receiving server -- in other words, how many lines you'd see if you were on the receiving server and ran traceroute to the sending MTA. Ah... that makes much more sense :) -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
Re: relay distance and spam [was xxxl spam]
On Tuesday April 11 2006 23:17, Kelson wrote: mouss wrote: - multiple internal hops at either sender or receiver (I have N Received headers added by my own MTA. and for mail fetched from an MSP, there are still more). Actually, if I'm reading this right, it's the number of IP hops between the sending server and the receiving server -- in other words, how many lines you'd see if you were on the receiving server and ran traceroute to the sending MTA. Exactly. It is usually the number of hops a traceroute running on MTA would show when tracing route to the host from which it is receiving a message. (I say usually, because routes can be asymmetric, and we are actually observing a remaining TTL field value in the IP packet, taking into account an educated guess on the initial setting, based on detected OS type). Btw, a horizontal spread of 1 unit (in fig1) is an artificial white noise added to spread numerous dots somewhat for a better view. I guess we are somewhat lucky seeing a rather clearcut separation of nearby friendly and distant wild-world hosts, and can use IP distance to contribute a little score weight on distant hosts and subtract a little for nearby hosts. Mark
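The hop estimate Mark describes (remaining TTL plus an educated guess at the sender's initial TTL), as an added example that is not amavisd's code. The initial-TTL table lists commonly seen OS defaults, and the near/far thresholds and weight are assumptions chosen for illustration, not values from the thread.

```python
# Commonly seen initial TTL values (assumed candidates, smallest first).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Typical defaults per detected OS family (assumption; real fingerprinting
# tools carry far larger tables).
OS_INITIAL_TTL = {
    "linux": 64,
    "freebsd": 64,
    "windows": 128,
    "solaris": 255,
}


def estimate_hops(observed_ttl, os_hint=None):
    """Estimate IP distance from the TTL remaining in a received packet.

    Without an OS hint, assume the smallest common initial TTL that is not
    below the observed value. With a hint, use that OS's default unless the
    observed TTL proves the hint wrong (remaining TTL cannot exceed initial).
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = OS_INITIAL_TTL.get((os_hint or "").lower())
    if initial is None or initial < observed_ttl:
        initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def distance_score(hops, near=10, far=14, weight=0.5):
    """Small score adjustment: subtract for nearby hosts, add for distant.

    near, far and weight are hypothetical tuning values.
    """
    if hops <= near:
        return -weight
    if hops >= far:
        return weight
    return 0.0


if __name__ == "__main__":
    # Constructed observations: (remaining TTL, detected OS or None).
    for ttl, os_hint in [(52, None), (115, "windows"), (50, None),
                         (50, "windows"), (120, "linux"), (249, None)]:
        hops = estimate_hops(ttl, os_hint)
        print(f"ttl={ttl:3d} os={os_hint!s:8} hops={hops:3d} "
              f"adjust={distance_score(hops):+.1f}")
```

The (50, None) and (50, "windows") rows give 14 and 78 hops for the same packet, which is why the OS guess matters and why the result should carry only a small weight.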
Re: [SPAM-TAG] Re: [SPAM-TAG] Content type allowing spammers to evade URIBL
On Thursday, May 5, 2005, 12:10:32 AM, Jeff Chan wrote: On Wednesday, May 4, 2005, 9:21:11 PM, Craig Baird wrote: Today, I've received a number of spams containing a domain that is listed on almost all the SURBL lists. I've recieved around 10 of these today, and none of them have hit on any of the SURBLs despite the domain being listed. Here is the message: [...] 09-5[5]-3237-7[3]-087[3] Content-Type: ;text/plain; [...] If you'll notice, the content type is shown as ;text/plain;. It seems that the semicolons are causing Spamassassin not to parse the mail properly. If I run the message through SA as-is, it hits on no SURBLs. However, if I remove the semicolons, and run it again, it hits on all the SURBLs. Needless to say, it would seem some sneaky spammer has found another loophole... Craig SA devs, should this get a bugzilla? Jeff C. BTW I can duplicate Craig's results. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
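An added example (not SpamAssassin code and not from the thread) of the defensive handling this report points to: a scanner that skips a part because its Content-Type fails a strict parse never sees the URIs in it, while one that recovers the type, or falls back to text/plain as RFC 2045 recommends for syntactically invalid headers, still extracts them. The message and domain below are constructed.

```python
import re
from email import message_from_string

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
STRICT = re.compile(rf"^\s*({TOKEN})/({TOKEN})\s*(?:;.*)?$", re.S)
SEGMENT = re.compile(rf"\s*({TOKEN})/({TOKEN})\s*")
URI_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample reproducing the malformed header from the report.
SAMPLE = (
    "From: sender@example.org\n"
    "Subject: constructed sample\n"
    "Content-Type: ;text/plain;\n"
    "\n"
    "Get it at http://listed-domain.example/offer today\n"
)


def strict_type(value):
    """Media type if the value starts with type/subtype, else None."""
    m = STRICT.match(value)
    return f"{m.group(1)}/{m.group(2)}".lower() if m else None


def effective_type(value):
    """Return (media_type, malformed) using a tolerant parse.

    Takes the first ';'-separated segment that looks like type/subtype;
    if none does, falls back to text/plain.
    """
    strict = strict_type(value)
    if strict:
        return strict, False
    for segment in value.split(";"):
        m = SEGMENT.fullmatch(segment)
        if m:
            return f"{m.group(1)}/{m.group(2)}".lower(), True
    return "text/plain", True


def hosts_to_check(raw_message, tolerant=True):
    """Hostnames a URI blocklist lookup would be given (single-part mail)."""
    msg = message_from_string(raw_message)
    value = msg.get("Content-Type", "text/plain")
    ctype = effective_type(value)[0] if tolerant else strict_type(value)
    if ctype is None or not ctype.startswith("text/"):
        return []                      # part is never scanned
    body = msg.get_payload()
    if not isinstance(body, str):      # multipart: out of scope here
        return []
    return sorted({h.lower() for h in URI_HOST.findall(body)})


if __name__ == "__main__":
    print("strict  :", hosts_to_check(SAMPLE, tolerant=False))
    print("tolerant:", hosts_to_check(SAMPLE, tolerant=True))
    print("flag    :", effective_type(";text/plain;"))
```

The malformed flag is worth keeping: a header that only parses tolerantly is itself a signal a rule can score.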
Re: logs and probably-spam almost-certainly-spam directories
On Wednesday, 26 January 2005 19:20, Tony Lay wrote:

Hey Gang, I am trying to establish system wide spam filtering, but only a few users need it right now. So I have the flexibility to go either way. I think that's where my problem stems I might have some clutter from trying things out that is causing this not to work or I got my wires crossed on invoking.

SpamAssassin 3.0.1
FreeBSD 5.3.1

[..]

users who are being filtered have the following:

###
#.procmailrc#
###
DROPPRIVS=yes

# Check if procmailrc is working correct include
LOGFILE=$HOME/.procmail.log
VERBOSE=ON

# You should include
:0 fw: spamassassin.lock
* < 256000
| spamassassin

BTW: Using spamc with spamd is faster than spamassassin

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
almost-certainly-spam

:0:
* ^X-Spam-Status: Yes
probably-spam

:0
* ^^rom[ ]
{
  LOG="*** Dropped F off From_ header! Fixing up. "
  :0 fhw :
  | sed -e '1s/^/F/'
}

[..]

Cheers
Thomas

Regards, -Tony

--
icq:133073900 http://www.t-arend.de
logs and probably-spam almost-certainly-spam directories
Hey Gang, I am trying to establish system wide spam filtering, but only a few users need it right now. So I have the flexibility to go either way. I think that's where my problem stems I might have some clutter from trying things out that is causing this not to work or I got my wires crossed on invoking.

SpamAssassin 3.0.1
FreeBSD 5.3.1

The filter appears to be working but I'm concerned that mails are getting bounced as opposed to being filtered to my user's spam boxes. So before we get into more detail shouldn't a users .procmailrc work above and beyond the basic system setup? Here's some info on the setup:

Spamassassin directory and permissions
/etc/mail/spamassassin
-rw-rw-r-- 1 root spam  935 Jan 21 11:17 init.pre
-rw-rw-r-- 1 root spam  234 Jan 26 12:33 razor-agent.log
drwxrwsr-x 2 root spam  512 Jan 26 12:34 .razor
-rw-rw-r-- 1 root spam 1360 Jan 26 12:38 local.cf

razor-client and razor-admin run as root
/etc/mail/.razor
-rw-rw-r-- 1 root spam  429 Jan 26 12:33 server.joy.cloudmark.com.conf
-rw-rw-r-- 1 root spam   38 Jan 26 12:33 servers.nomination.lst
-rw-rw-r-- 1 root spam   14 Jan 26 12:33 servers.discovery.lst
-rw-rw-r-- 1 root spam   83 Jan 26 12:33 servers.catalogue.lst
-rw-rw-r-- 1 root spam  664 Jan 26 12:34 razor-agent.log
-rw--w 1 root spam   90 Jan 26 12:34 identity-ru6o_L61rv
lrwxr-xr-x 1 root wheel  19 Jan 26 12:34 identity -> identity-ru6o_L61rv
-rw-rw-r-- 1 root spam  779 Jan 26 12:39 razor-agent.conf

spamd is running (will eventually be spamc)
phoenix# ps -awx | grep spam
8611 ?? Is 0:00.44 /usr/local/bin/spamd -c -d -r /var/run/spamd.pid (perl)
8616 ?? I  0:00.00 spamd child (perl)
8617 ?? I  0:00.00 spamd child (perl)
8618 ?? I  0:00.00 spamd child (perl)
8619 ?? I  0:00.00 spamd child (perl)
8620 ?? I  0:00.00 spamd child (perl)

users who are being filtered have the following:

###
#.procmailrc#
###
DROPPRIVS=yes
* < 256000
| spamassassin

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
almost-certainly-spam

:0:
* ^X-Spam-Status: Yes
probably-spam

:0
* ^^rom[ ]
{
  LOG="*** Dropped F off From_ header! Fixing up. "
  :0 fhw
  | sed -e '1s/^/F/'
}

###
# .forward #
###
|IFS=' ' exec /usr/local/bin/procmail -f- || exit 75 #username

Again, mail appears to be filtered for the user. I see headers showing messages are being checked. I see autolearning isn't working but I'll cross that bridge when I get to it.

X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on SomeAddress
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=RCVD_BY_IP autolearn=failed version=3.0.1

The client is IMP (horde) and I already have everything set up in there for reporting.

$conf['spam']['reporting'] = true;
$conf['spam']['program'] = '/usr/local/bin/spamassassin -x -C /etc/mail/spamassassin -r';
$conf['notspam']['reporting'] = true;
$conf['notspam']['program'] = '/usr/local/bin/spamassassin -C /etc/mail/spamassassin -k';

I don't see anything relevant in /var/log/maillog /var/log/messages and I've looked in and around the user and system .spamassassin and .razor directories and don't see any logging. I wouldn't be freaking out but one guy gets 200 spams a day and it's down to a dull roar and I need to know where they are going so that we can verify that we aren't getting false positives.

In summary I'd like to know where to dig and would appreciate any advice on a basic setup for a few users. If anybody has time to assist I can divulge more details as needed.

Regards, -Tony
Re: logs and probably-spam almost-certainly-spam directories
At 01:20 PM 1/26/2005, Tony Lay wrote: I am trying to establish system wide spam filtering, but only a few users need it right now. So I have the flexibility to go either way. I think that's where my problem stems I might have some clutter from trying things out that is causing this not to work or I got my wires crossed on invoking. SpamAssassin 3.0.1 FreeBSD 5.3.1 The filter appears to be working but I'm concerned that mails are getting bounced as opposed to being filtered to my user's spam boxes. So before we get into more detail shouldn't a users .procmailrc work above and beyond the basic system setup? If you're calling from procmail, bouncing is not happening. It's too late in the game for that. From looking at the procmail.cf you have, all the high-scoring spam messages are being redirected from your user's mailbox into a separate mailbox called almost-certainly-spam. All tagged spam is being redirected to probably-spam. Check /var/spool/mail, or wherever your system normally spools delivered mail.
how to permanently delete spam messages with spam level over 12?
Hi, I have two questions, that I couldn't find answer in spamassassin documentation, FAQ and this group. First one: How to configure spamassassin to permanently delete all spam messages that has spam level over for example 12? Second one: The message was marked as a spam by spamassassin and quarantined in quarantined folder (/var/virusmails). Then manually I have found out, that it was false positive. How can I simply deliver this mail to its recipient? Do I need to create a new message and send a false positive mail as an attachment? Is there any way to automate this process? Ps. Sorry for my english :) Sizar
Re: how to permanently delete spam messages with spam level over 12?
1) Can't be done. SpamAssassin is a ranking tool. It does not delete or even reroute messages. 2) Mooted by the fact that SpamAssassin does not do any quarantine. It simply and only marks mail with a spam likelihood rating. Now, what you seem to be speaking of involves training. SpamAssassin is built to train its Bayes database on spam and ham messages. You can either tell SpamAssassin to autolearn (which I do not use or recommend) or you can tuck mismarked ham and spam into mail folders used for training via sa-learn. You CAN filter the mail into alternate folders within other tools like milters, AmaVis, Procmail, and others. {^_^} - Original Message - From: Sizar [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: 2005 January, 25, Tuesday 02:34 Subject: how to permanently delete spam messages with spam level over 12? Hi, I have two questions, that I couldn't find answer in spamassassin documentation, FAQ and this group. First one: How to configure spamassassin to permanently delete all spam messages that has spam level over for example 12? Second one: The message was marked as a spam by spamassassin and quarantined in quarantined folder (/var/virusmails). Then manually I have found out, that it was false positive. How can I simply deliver this mail to its recipient? Do I need to create a new message and send a false positive mail as an attachment? Is there any way to automate this process? Ps. Sorry for my english :) Sizar
autolearning (was: Re: how to permanently delete spam messages with spam level over 12?)
On Tue, Jan 25, 2005 at 03:03:16AM -0800, jdow wrote: to train its Bayes database on spam and ham messages. You can either tell SpamAssassin to autolearn (which I do not use or recommend) or Why can't you recommend sa-autolearn? From my experience (sa with autolearning enabled, sitewide installation), autolearning is a very good option. Rainer
Re: autolearning (was: Re: how to permanently delete spam messages with spam level over 12?)
From: Rainer Sokoll [EMAIL PROTECTED] On Tue, Jan 25, 2005 at 03:03:16AM -0800, jdow wrote: to train its Bayes database on spam and ham messages. You can either tell SpamAssassin to autolearn (which I do not use or recommend) or Why can't you recommend sa-autolearn? From my experience (sa with autolearning enabled, sitewide installation), autolearning is a very good option. I've watched too many people report messed up Bayes databases with it try to get help on this list. (If really messed up delete Bayes* and retrain from cold.) Certainly for a brand new install you do not want to turn autolearning on until you have a rather good spam detection capability from manual training and SARE rule sets. Once you see errors very seldomly autolearn might be handy. Lore says you must have autoexpire and autolearn turned on to get the best results. I found that is not true. Much of my Bayes training is a year old or more at this point. (I've saved all the training messages so I can retrain if I mess things up somehow. But that's another recommendation entirely.) I do not expire it. The ham training is close to immortal anyway. The ham does not change flavors here very much. The spam changes. For the rare times SpamAssassin Bayes badly misfires I feed that to an autolearn script along with a ham or two for some balance. I get a misfire about once or twice a week that is not a ham from the Linux Kernel Mailing List that triggered so many strange three letter groups or chickenpox rules that it got tagged spam. They all come in under 10 so I make sure the score is added to the header, sort headers by score, and spend a few seconds (rather literally at that) catching the one or two LKML false alarms. I have enough mail sorting here for all the mailing lists I am on that it's REALLY easy to see spams that leak in as hams and use them for training. Although, I must admit to getting out of practice lately. 
In the last two weeks of 700 to 1400 emails a day I've seen two messages I had to do something about. Neither was a Bayes problem. Both required some tricky massaging of custom rules. (Hey, I'm fussy. And I found that some spammer somewhere has a trick for getting around whitelist_from_rcvd that annoyed me heavily. So I developed a perishable test for this ebay.com based trick. (It'll work for any well known ISP that always issues mail from specific addresses. And once someone figures out I have the rule in there it'll lead to utter failure of the rule so I am not sharing it until I can make it spoof proof.) But that's a spam failure rate of maybe 2 in 10,000. I think I can survive that. (It took a LONG time to get it all tuned to this degree of perfection; and, it's all tuned for my particular mail load. Loren's tuning is different.) {^_^}
Re: [SPAM-TAG] Re: {Spam?} Catching Delivery Status Notification messages (SPAM)
On Monday, October 4, 2004, 5:55:27 AM, Martin Hepworth wrote: Jeff Get it Today http://norwegian.com.sweetpharminfo . com http://norwegian.com.sweetpharminfo . com Aha, looks like a true spam domain mentioned on a spam discussion list. The best solution to these is probably to not process spam discussion list messages using SpamAssassin, etc., else hits will happen often. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/