Re: Is there a test on blacklisted nameservers
ram wrote:
> On Wed, 2007-09-05 at 10:50 +0200, mouss wrote:
> But if his DNS points to your server and you don't host DNS for him, his domain will not get resolved. I could easily check for such domains then.

Well, they can also hack a machine and use its real hostname. Note that an owned machine is not necessarily under the administrative control of the DNS manager.
Re: Is there a test on blacklisted nameservers
Steve Freegard writes:
> Yet Another Ninja wrote:
> > On 9/5/2007 5:27 PM, Marc Perkel wrote:
> >> I have to say that the idea of having a blacklist of name servers used
> >> by spammers is interesting. Something to investigate.
> >>
> > one, and it's a good one, is already in use :-)
> >
> > uridnsbl URIBL_SBL sbl.spamhaus.org. TXT
>
> Yes - true, but the SBL lists the IP of the nameservers.
>
> I think Ram has seen the same thing as me in the past, I've had stuff
> that has slipped past the URIBL_* tests and upon investigation of the
> FNs - the *domain name* of the nameservers for the referenced domain is
> already listed in either SURBL or URIBL, so therefore if the URIBL_*
> tests were expanded to lookup the nameservers hostnames, strip off the
> domains and test those against the URIBL_* lists, then it might yield
> some good results.

Could that be a temporal issue, i.e. fast-flux causing the domain to change, and you caught it just in time to spot it? I would be very surprised if one of the BLs wasn't already doing this on the backend...

--j.
Re: Is there a test on blacklisted nameservers
Hi,

Yet Another Ninja wrote:
> On 9/5/2007 5:27 PM, Marc Perkel wrote:
>> mouss wrote:
>>> ram wrote:
>>>> I am using SA 3.2.3 and very few spam get thru. But I can still see some spam with urls because the urls are not yet listed in uribls.
>>>>
>>>> I tried to do some analysis on my quarantine, I found at least some spammer domains have the same NS records.
>>>>
>>>> Now in my spamassassin can I do a DNS check (on all domains in body-urls or mail-from, reply-to etc) to find their NS records and score them on bad NS servers.
>>>> What is the risk of FP's because innocent DNS providers may see themselves getting list
>>>
>>> better show an example so that we can see.
>>> if the NS belongs to a spam organization, then it's ok. otherwise, just because a spammer configures his dns to point to my domain doesn't mean you can block me!
>>
>> I have to say that the idea of having a blacklist of name servers used by spammers is interesting. Something to investigate.
>
> one, and it's a good one, is already in use :-)
>
> uridnsbl URIBL_SBL sbl.spamhaus.org. TXT

Yes - true, but the SBL lists the IP of the nameservers.

I think Ram has seen the same thing as me in the past, I've had stuff that has slipped past the URIBL_* tests and upon investigation of the FNs - the *domain name* of the nameservers for the referenced domain is already listed in either SURBL or URIBL, so therefore if the URIBL_* tests were expanded to lookup the nameservers hostnames, strip off the domains and test those against the URIBL_* lists, then it might yield some good results.

Cheers,
Steve.
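The check described in the post above (look up the NS hostnames of a URL's domain, reduce each to its domain, and test that domain against a URI blocklist), as an added example that is not part of the original thread and is not SpamAssassin code. The lookups run against constructed data; the zone name, the suffix set, the provider exemption list and every domain are assumptions for illustration.

```python
"""Offline sketch: test the domain of a URL's nameservers against a URI blocklist."""

# Constructed, deliberately tiny set of two-label public suffixes; real code
# would consult the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Assumption: a local exemption list for shared DNS providers, to contain the
# false-positive risk raised in the thread. The name is hypothetical.
SHARED_DNS_PROVIDERS = {"bigdns-provider.example"}

ZONE = "uribl.example"  # placeholder zone, not a real blocklist

# Constructed DNS data standing in for live NS and blocklist lookups.
NS_RECORDS = {
    "fresh-pills.example": ["ns1.spam-dns.example.", "ns2.spam-dns.example."],
    "newsletter.example": ["ns1.bigdns-provider.example."],
    "shop.co.uk": ["ns1.shop.co.uk."],
}
LISTED = {
    "spam-dns.example." + ZONE: ["127.0.0.2"],
    "bigdns-provider.example." + ZONE: ["127.0.0.2"],
}


def fake_ns(domain):
    """Stand-in for an NS query: NS hostnames for a domain, or []."""
    return NS_RECORDS.get(domain, [])


def fake_a(name):
    """Stand-in for an A query against the blocklist zone: [] means not listed."""
    return LISTED.get(name, [])


def registered_domain(hostname):
    """Reduce a hostname to the domain a URI blocklist would list."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def blocklist_query_name(domain, zone=ZONE):
    """Domain-based DNSBLs are queried as <domain>.<zone>."""
    return domain + "." + zone


def check_url_domain(url_domain, resolve_ns=fake_ns, resolve_a=fake_a, zone=ZONE):
    """Return (rule, domain) findings for one domain taken from a message URL."""
    findings = []
    target = registered_domain(url_domain)
    if target is None:
        return findings
    # The ordinary URIBL-style test on the URL domain itself.
    if resolve_a(blocklist_query_name(target, zone)):
        findings.append(("URL_DOMAIN_LISTED", target))
    seen = set()
    for ns_host in resolve_ns(target):
        ns_domain = registered_domain(ns_host)
        if ns_domain is None or ns_domain in seen:
            continue  # ns1/ns2 of one provider need a single lookup
        seen.add(ns_domain)
        if ns_domain == target:
            continue  # in-bailiwick nameserver, covered by the test above
        if ns_domain in SHARED_DNS_PROVIDERS:
            continue  # never score a whole shared provider
        if resolve_a(blocklist_query_name(ns_domain, zone)):
            findings.append(("NS_DOMAIN_LISTED", ns_domain))
    return findings


if __name__ == "__main__":
    for d in ("www.fresh-pills.example", "newsletter.example", "www.shop.co.uk"):
        print(d, check_url_domain(d))
```

The second sample domain shows the false-positive case from the thread: its nameserver domain is listed in the constructed data, but the exemption keeps the message from being scored on it.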
Re: Is there a test on blacklisted nameservers
On 9/5/2007 5:27 PM, Marc Perkel wrote:
> mouss wrote:
>> ram wrote:
>>> I am using SA 3.2.3 and very few spam get thru. But I can still see some spam with urls because the urls are not yet listed in uribls.
>>>
>>> I tried to do some analysis on my quarantine, I found at least some spammer domains have the same NS records.
>>>
>>> Now in my spamassassin can I do a DNS check (on all domains in body-urls or mail-from, reply-to etc) to find their NS records and score them on bad NS servers.
>>> What is the risk of FP's because innocent DNS providers may see themselves getting list
>>
>> better show an example so that we can see.
>> if the NS belongs to a spam organization, then it's ok. otherwise, just because a spammer configures his dns to point to my domain doesn't mean you can block me!
>
> I have to say that the idea of having a blacklist of name servers used by spammers is interesting. Something to investigate.

one, and it's a good one, is already in use :-)

uridnsbl URIBL_SBL sbl.spamhaus.org. TXT
Re: Is there a test on blacklisted nameservers
mouss wrote:
> ram wrote:
>> I am using SA 3.2.3 and very few spam get thru. But I can still see some spam with urls because the urls are not yet listed in uribls.
>>
>> I tried to do some analysis on my quarantine, I found at least some spammer domains have the same NS records.
>>
>> Now in my spamassassin can I do a DNS check (on all domains in body-urls or mail-from, reply-to etc) to find their NS records and score them on bad NS servers.
>> What is the risk of FP's because innocent DNS providers may see themselves getting list
>
> better show an example so that we can see.
> if the NS belongs to a spam organization, then it's ok. otherwise, just because a spammer configures his dns to point to my domain doesn't mean you can block me!

I have to say that the idea of having a blacklist of name servers used by spammers is interesting. Something to investigate.
Re: Is there a test on blacklisted nameservers
On Wed, 2007-09-05 at 10:50 +0200, mouss wrote:
> ram wrote:
> > I am using SA 3.2.3 and very few spam get thru.
> > But I can still see some spam with urls because the urls are not yet
> > listed in uribls.
> >
> > I tried to do some analysis on my quarantine, I found at least some
> > spammer domains have the same NS records.
> >
> > Now in my spamassassin can I do a DNS check (on all domains in body-urls
> > or mail-from, reply-to etc) to find their NS records and score them on
> > bad NS servers.
> > What is the risk of FP's because innocent DNS providers may see
> > themselves getting list
> >
> better show an example so that we can see.
> if the NS belongs to a spam organization, then it's ok. otherwise, just
> because a spammer configures his dns to point to my domain doesn't mean
> you can block me!

But if his DNS points to your server and you don't host DNS for him, his domain will not get resolved. I could easily check for such domains then.
Re: Is there a test on blacklisted nameservers
ram wrote:
> I am using SA 3.2.3 and very few spam get thru. But I can still see some spam with urls because the urls are not yet listed in uribls.
>
> I tried to do some analysis on my quarantine, I found at least some spammer domains have the same NS records.
>
> Now in my spamassassin can I do a DNS check (on all domains in body-urls or mail-from, reply-to etc) to find their NS records and score them on bad NS servers.
> What is the risk of FP's because innocent DNS providers may see themselves getting list

better show an example so that we can see.
if the NS belongs to a spam organization, then it's ok. otherwise, just because a spammer configures his dns to point to my domain doesn't mean you can block me!
Is there a test on blacklisted nameservers
I am using SA 3.2.3 and very few spam get thru. But I can still see some spam with urls because the urls are not yet listed in uribls.

I tried to do some analysis on my quarantine, I found at least some spammer domains have the same NS records.

Now in my spamassassin can I do a DNS check (on all domains in body-urls or mail-from, reply-to etc) to find their NS records and score them on bad NS servers.
What is the risk of FP's because innocent DNS providers may see themselves getting list

Thanks
Ram
Re: why not doing a test that checks "name"- pairs
Kai Schätzl wrote:
>>
>> You don't understand at all. What gets put in the comment is up to the sender.
>> They can put *everything* there and it's legit. You do not control it at all and you do not send them a reply "please change my name in your addressbook to xyz". It can be the name, a part of the name, several parts of the name, reverted parts of the name, a company name in all its variations, an acronym, misspelled, something like "Tony's brother", the email address, quoted or bracketed in several ways, could be nothing - to show a few. Such a rule would be prone to a huge number of FPs. It may work for you after a lot of work, but not for others. It's not worth it.
>>

while it is up to senders to make up display names, I usually see either
- no display name at all
- the name exactly as I spell it (from replies)
- the name parts rearranged from a web form submission
in worthy mails.

If someone decides to put "Idiot" as a display name, I take the liberty to not read it. Maybe some people really get mail sent to "Daddy" or whatever.
As others have pointed out, checking display names is a personal thing ... and it seems to work with the mails I receive

Wolfgang Hamann
Re: why not doing a test that checks "name"- pairs
Alberto, your reasoning is correct, based on my experience of actually implementing and using such a system, albeit in a small scale environment. As "sm" points out, it is particularly useful as a "pass" rule for exact matches to your users' actual email client "real name"s.

I've implemented this as part of a qmail filter that runs after SA. As I've mentioned in other posts, I'm in a shared web hosting environment, and have no control over SA, so designed my filter to complement the great strengths of SA, and fill in the holes that are created by a limited environment. Just over twenty domains use my filter, and we all share data, so as to improve everyone's killrates. I have no idea how practical this would be as an SA plugin, and am Perl-illiterate, so I merely describe how I have approached it.

More than a year ago, I started using _VERY_ crude general header based (To/Cc checking) real name "pass" rules, then in March of 2007 I added an explicit "RealName" virtual header so as to allow more powerful rules, including "match not" type penalty rules.

* Main Issues: *

- generating a list of account specific real names (preferably automatically)
- real-time extraction of the correct "real name"
- some "real names" have been compromised, and should receive MUCH lower pass scores
- some account names are inherently poorly suited to real name pass rules (e.g. "jayne.cobb" since all words in the real name also appear as words in the account part - "jcobb" is a better form)
- some senders transpose real name parts (e.g. "Cobb, Jayne" in place of "Jayne Cobb")
- some senders use cutesy nicknames or other tricks (e.g. "Hero of Canton" in place of "Jayne Cobb")
- some senders (particularly Bulkers) use the complete account name as the real name, and should not be scored normally (e.g. "[EMAIL PROTECTED]" [EMAIL PROTECTED])

* PREP: Semi-automatic Real Name Data Generation: *

I'm just-a-programmer, not a sysadmin, so don't know how a typical pipeline works, however, if it's practical, automatic real name extraction should be fairly straight forward. Just write something that you can temporarily plug in _AFTER_ SA, and which extracts the account & real name pair from everything which passes SA, accumulates the frequencies, and picks the most often occurring real name(s) for each account (I usually limit this to one or two). Include an option for human inspection, mainly for cases where there is no clear cut winner.

In my experience, the majority of accounts can be generated automatically, however it's wise to inspect all possibilities. That's manageable for small companies (less than 20), and shouldn't be too bad for low 100s. The collector app only needs to be run for a week or so. New users could be added manually. It took me much less than five minutes to generate such a data list AND all matching rules for the last person to join my Team (18 accounts, one week of data), and my tool merely dumps the per account RealNames with frequencies. A slicker tool could make this VERY practical for larger userbases. Maintenance and verification would probably be an utter pain for anything in the 1000s, so best to let us small and nimble types prove its efficacy. :)

There is anecdotal evidence that Hotmail may be doing something with real name based rules, granted, there's reports that it's a somewhat sub optimal implementation. I speculate that they could easily pull the real name straight out of each user's settings.

* Plugin: Real Name Extraction: *

An actual SA plugin would need to use the SMTP Recipient (or most reliable Delivered-To account name) to pick out the matching account from the To or Cc headers, then pull out its real name. There should also be some facility for associating external aliases with accounts (e.g. a redirected ISP account).

If it FAILS to find a matching account, _ALL_ other real name tests should be skipped or return false.

* Plugin: Real Name Testing: *

If it does find a matching account, three main real name based tests can be performed: empty, match, match not.

It's probably easier to understand how these work with a sample, so let's say we have a user whose account is "[EMAIL PROTECTED]", the real name in his email client is "Jayne Cobb", and an automatic real name collector has shown that occasionally he receives important email that uses the real name "Hero of Canton". Somewhere, we would construct two data lists specific to his account, that would look something like this:

  realname_full = jayne cobb, hero of canton
  realname_words = jayne, cobb, hero, canton

The generic real name "match" test wou
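A sketch of the extraction step and the empty / match / match-not tests outlined in the post above, as an added example that is not the poster's filter and not SpamAssassin code. The post is cut off before it defines the tests, so the matching logic here is an assumption, as are the extra results "skip", "address_as_name" and "partial" and the placeholder address jcobb@example.org.

```python
"""Real-name (display name) tests for one recipient account (added sketch)."""
import re
from email.utils import getaddresses

# Constructed per-account data in the shape the post gives for realname_full
# and realname_words; the address is a placeholder.
REALNAMES = {
    "jcobb@example.org": {
        "realname_full": {"jayne cobb", "hero of canton"},
        "realname_words": {"jayne", "cobb", "hero", "canton"},
    },
}


def words_of(display_name):
    """Lower-case a display name and split it into words, dropping punctuation."""
    return re.findall(r"[a-z0-9']+", display_name.lower())


def display_name_for(recipient, to_header=None, cc_header=None):
    """Return the display name attached to `recipient` in To/Cc.

    Returns "" when the address appears without a name, and None when the
    address is not in either header (for example a Bcc delivery).
    """
    headers = [h for h in (to_header, cc_header) if h]
    for name, addr in getaddresses(headers):
        if addr.lower() == recipient.lower():
            return name.strip()
    return None


def realname_test(recipient, to_header=None, cc_header=None, table=REALNAMES):
    """Classify the display name used for `recipient`.

    Results (names are assumptions): skip, empty, address_as_name, match,
    partial, match_not. Scores for each result are left to the caller.
    """
    recipient = recipient.lower()
    entry = table.get(recipient)
    name = display_name_for(recipient, to_header, cc_header)
    if entry is None or name is None:
        return "skip"  # no matching account: run no real-name test at all
    if not name:
        return "empty"
    bare = name.strip("'\"<> ").lower()
    if bare in (recipient, recipient.split("@")[0]):
        return "address_as_name"  # account name reused as the real name
    words = words_of(name)
    if " ".join(words) in entry["realname_full"]:
        return "match"
    # Transposed parts such as "Cobb, Jayne": same words, different order.
    if any(set(words) == set(full.split()) for full in entry["realname_full"]):
        return "match"
    if set(words) & entry["realname_words"]:
        return "partial"  # some known word: neither pass nor penalty
    return "match_not"


if __name__ == "__main__":
    rcpt = "jcobb@example.org"
    for to in ('"Cobb, Jayne" <jcobb@example.org>', '"John" <jcobb@example.org>'):
        print(to, "->", realname_test(rcpt, to))
```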
Re: why not doing a test that checks "name"- pairs
Aag_uk wrote on Sat, 18 Aug 2007 03:33:49 -0700 (PDT):

> it's quite unlikely that somebody tags any of
> my users

as I said it may work for you, it will not work for the majority of SA users. The whole effort and the FPs would not be worth it. If you don't believe that, start coding.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: why not doing a test that checks "name"- pairs
At 23:58 17-08-2007, aag_uk wrote:
> >a) is probably going to be quite resource-intensive;
> I don't really know, according to

Compared to all the checks performed on a message, it isn't.

> My idea was that you could have a list that links each recipient to possible names that could be used (basically first name, surname and possibly a short name), not necessary NIS or LDAP. About fuzzy matching I think it shouldn't be difficult to do. It's something like what Google does when you misspell something or enter something that is not "usual", it suggests you another search and, in my opinion, its guess is usually very good.

That's not how "names" work in practice. It may take more than a lookup in your system database. It's not difficult but it requires some work to understand the naming conventions. That may not be possible in a heterogeneous environment. The fuzzy matching is not that easy. Once you get into that, you turn the process into a resource intensive one.

> well, maybe if you have thousands of users in your domain and you want to enter the names-recipient links (as I explained in the previous paragraph) for the first time, it will require a lot of work. In my case I have about 100 recipients and from time to time I have to add new ones; so, that wouldn't be a problem.

It's only a name/recipient link if we make an assumption about the "display name". Once this becomes a general rule, it will be circumvented. I already have one case where this rule would have the adverse of the intended effect.

Regards,
-sm
Re: why not doing a test that checks "name"- pairs
>What gets put in the comment is up to the sender.
>They can put *everything* there and it's legit. You do not control it at all
>

I know it depends on the sender and everything is legit, but it is also legit if I send an email to somebody talking about the stock market or certain medicine and it could score high when the message is perfectly normal. It's true that you can put whatever you want there but there are also some restrictions; let's say, for example, all my users are Spanish, Italian, Russian... so, it's quite unlikely that somebody tags any of my users with names like Jack, Peter, John (which is the case in 99% of the spam).

--
View this message in context: http://www.nabble.com/why-not-doing-a-test-that-checks-%22name%22-%3Cemail-address%3E-pairs-tf4288052.html#a12212374
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: why not doing a test that checks "name"- pairs
Aag_uk wrote on Fri, 17 Aug 2007 23:58:05 -0700 (PDT):

> >b) requires LDAP, NIS, etc., so that SpamAssassin can have a clue
> >about your accounts;
> >c) requires competent fuzzy matching so that, when a user sends mail
> >to "Chris St. Pierre <[EMAIL PROTECTED]>", it doesn't flag it
> >as spam because my "real name" is Christopher;
> >d) is prone to FPs, since its the clients who add that name, and it
> >could be literally _anything_ ("chris", "some guy", "", etc.) without
> >being spam; and
>
> My idea was that you could have a list that links each recipient to possible
> names that could be used (basically first name, surname and possibly a short
> name), not necessary NIS or LDAP. About fuzzy matching I think it shouldn't
> be difficult to do. It's something like what Google does when you misspell
> something or enter something that is not "usual", it suggests you another
> search and, in my opinion, its guess is usually very good.

You don't understand at all. What gets put in the comment is up to the sender. They can put *everything* there and it's legit. You do not control it at all and you do not send them a reply "please change my name in your addressbook to xyz". It can be the name, a part of the name, several parts of the name, reverted parts of the name, a company name in all its variations, an acronym, misspelled, something like "Tony's brother", the email address, quoted or bracketed in several ways, could be nothing - to show a few. Such a rule would be prone to a huge number of FPs. It may work for you after a lot of work, but not for others. It's not worth it.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: why not doing a test that checks "name"- pairs
>a) is probably going to be quite resource-intensive;

I don't really know, according to http://www.nabble.com/forum/ViewPost.jtp?post=12207486&framed=y sm-7 says that it shouldn't be

>b) requires LDAP, NIS, etc., so that SpamAssassin can have a clue
>about your accounts;
>c) requires competent fuzzy matching so that, when a user sends mail
>to "Chris St. Pierre <[EMAIL PROTECTED]>", it doesn't flag it
>as spam because my "real name" is Christopher;
>d) is prone to FPs, since its the clients who add that name, and it
>could be literally _anything_ ("chris", "some guy", "", etc.) without
>being spam; and

My idea was that you could have a list that links each recipient to possible names that could be used (basically first name, surname and possibly a short name), not necessary NIS or LDAP. About fuzzy matching I think it shouldn't be difficult to do. It's something like what Google does when you misspell something or enter something that is not "usual", it suggests you another search and, in my opinion, its guess is usually very good.

>e) is fairly site-specific and would require a fair amount of
>configuration.

well, maybe if you have thousands of users in your domain and you want to enter the names-recipient links (as I explained in the previous paragraph) for the first time, it will require a lot of work. In my case I have about 100 recipients and from time to time I have to add new ones; so, that wouldn't be a problem.

>It might be an interesting plugin, but I think that the kind of
>scoring I'd be comfortable doing for a plugin like that -- very low --
>wouldn't be worth the tradeoff in CPU time, network traffic, etc.

I think it could add a low partial score, but the effect could be good because most of these emails I'm talking about are already quite suspicious, they usually match other tests (e.g. BAYES_99, which already adds a pretty high score).
Re: why not doing a test that checks "name"- pairs
John D. Hardin wrote:
>
> On Fri, 17 Aug 2007, aag_uk wrote:
>
> (1) Check your MTA options. Some allow you to configure rejection of a
> message after X number of invalid recipients are given.
>
> (2) Consider a rule that adds a point if more than X names appear in
> the TO: and/or CC: headers. Here are mine (20 is the limit):
>
> describe TO_TOO_MANY To: too many recipients
> header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
> score TO_TOO_MANY 1.50
>
> describe CC_TOO_MANY Cc: too many recipients
> header CC_TOO_MANY Cc =~ /(?:,[^,]{1,80}){20}/
>

Thanks for your answer, but the spam I'm trying to identify is not about too many recipients, usually it's only 5 or 6, and they all contain correct email addresses. The thing is that some spammers make up the name that goes before the email address (e.g. "John Smith"<[EMAIL PROTECTED]>)
Re: why not doing a test that checks "name"- pairs
>>
>> Hi,
>>
>> I'm pretty new to SpamAssassin and maybe what I am saying is nonsense or
>> somebody else has suggested this, or the test already exists but I don't
>> know how to configure it, anyway here is my question.
>>
>> I've noticed that some spam messages not marked as spam by spamassassin (the
>> score is lower than the limit I've set: 5.0. Those emails usually have some
>> hints that suggest they are probably spam: score about 4.6). These messages
>> are addressed to many people in my domain but the names before the email
>> address are random. To explain it more clearly, for example, the recipient
>> in the TO field is something like this: "John" <[EMAIL PROTECTED]>. Very
>> often the CC field includes other recipients like: "Peter"
>> <[EMAIL PROTECTED]>; "Mike" <[EMAIL PROTECTED]>; etc... The thing is that
>> the email recipients (user1, user2, user3,...) are real, they exist in my
>> domain, but the names "Peter, John, Mike" have nothing to do with "user1,
>> user2, user3", they are picked randomly. Wouldn't it be interesting to have a
>> test that checks the "user name-email address" pairs according to some
>> settings?
>>
>> Regards,
>>
>> Alberto.

Hi,

you can do quite a few things to trap mail that probably is rubbish but it may be extra work. I use some prefilter in line with forbidden attachment and virus scanning but it could probably be written as a _personal_ plugin.

I like mail sent to just the plain email address or in "user" format written exactly as I spell it. I collect mail from some other mailboxes, so of course the rule must know about these other addresses as well.

For mail sent to my primary address (at a big isp) I don't like to see another address in the To or Cc.

The one that really caused work: I don't like mails where my address does not appear in either To or Cc, unless the sender appears in a whitelist. You need to add mailing lists, monthly password reminders from mailing lists, sourceforge addresses, whatnot...

Wolfgang Hamann
Re: why not doing a test that checks "name"- pairs
At 13:58 17-08-2007, Chris St. Pierre wrote:
> That's an interesting idea, but it
>
> a) is probably going to be quite resource-intensive;

Not really.

> c) requires competent fuzzy matching so that, when a user sends mail to "Chris St. Pierre <[EMAIL PROTECTED]>", it doesn't flag it as spam because my "real name" is Christopher;

That's the main problem. There are also misspellings which are difficult to catch.

> d) is prone to FPs, since it's the clients who add that name, and it could be literally _anything_ ("chris", "some guy", "", etc.) without being spam; and

It could be used for negative scoring when the client hits reply to answer your message. That would also let some spam through though as some use the real name.

Regards,
-sm
Re: why not doing a test that checks "name"- pairs
On Fri, 17 Aug 2007, aag_uk wrote:

> These messages are addressed to many people in my domain but the
> names before the email address are random. To explain it more
> clearly, for example, the recipient in the TO field is something
> like this: "John" <[EMAIL PROTECTED]>. Very often the CC field
> includes other recipients like: "Peter" <[EMAIL PROTECTED]>;
> "Mike" <[EMAIL PROTECTED]>; etc... The thing is that the email
> recipients (user1, user2, user3,...) are real, they exist in my
> domain, but the names "Peter, John, Mike" have nothing to do with
> "user1, user2, user3", they are picked randomly.

(1) Check your MTA options. Some allow you to configure rejection of a message after X number of invalid recipients are given.

(2) Consider a rule that adds a point if more than X names appear in the TO: and/or CC: headers. Here are mine (20 is the limit):

  describe TO_TOO_MANY To: too many recipients
  header   TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
  score    TO_TOO_MANY 1.50

  describe CC_TOO_MANY Cc: too many recipients
  header   CC_TOO_MANY Cc =~ /(?:,[^,]{1,80}){20}/

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
A sword is never a killer, it is but a tool in the killer's hands.
-- Lucius Annaeus Seneca (Martial) 4BC-65AD
---
8 days until The 1928th anniversary of the destruction of Pompeii
Re: why not doing a test that checks "name"- pairs
On Fri, 17 Aug 2007, aag_uk wrote:

> I've noticed that some spam messages not marked as spam by spamassassin (the score is lower than the limit I've set: 5.0. Those emails usually have some hints that suggest they are probably spam: score about 4.6). These messages are addressed to many people in my domain but the names before the email address are random. To explain it more clearly, for example, the recipient in the TO field is something like this: "John" <[EMAIL PROTECTED]>. Very often the CC field includes other recipients like: "Peter" <[EMAIL PROTECTED]>; "Mike" <[EMAIL PROTECTED]>; etc... The thing is that the email recipients (user1, user2, user3,...) are real, they exist in my domain, but the names "Peter, John, Mike" have nothing to do with "user1, user2, user3", they are picked randomly. Wouldn't it be interesting to have a test that checks the "user name-email address" pairs according to some settings?

That's an interesting idea, but it

a) is probably going to be quite resource-intensive;
b) requires LDAP, NIS, etc., so that SpamAssassin can have a clue about your accounts;
c) requires competent fuzzy matching so that, when a user sends mail to "Chris St. Pierre <[EMAIL PROTECTED]>", it doesn't flag it as spam because my "real name" is Christopher;
d) is prone to FPs, since it's the clients who add that name, and it could be literally _anything_ ("chris", "some guy", "", etc.) without being spam; and
e) is fairly site-specific and would require a fair amount of configuration.

It might be an interesting plugin, but I think that the kind of scoring I'd be comfortable doing for a plugin like that -- very low -- wouldn't be worth the tradeoff in CPU time, network traffic, etc.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
why not doing a test that checks "name"- pairs
Hi,

I'm pretty new to SpamAssassin and maybe what I am saying is nonsense or somebody else has suggested this, or the test already exists but I don't know how to configure it, anyway here is my question.

I've noticed that some spam messages not marked as spam by spamassassin (the score is lower than the limit I've set: 5.0. Those emails usually have some hints that suggest they are probably spam: score about 4.6). These messages are addressed to many people in my domain but the names before the email address are random. To explain it more clearly, for example, the recipient in the TO field is something like this: "John" <[EMAIL PROTECTED]>. Very often the CC field includes other recipients like: "Peter" <[EMAIL PROTECTED]>; "Mike" <[EMAIL PROTECTED]>; etc... The thing is that the email recipients (user1, user2, user3,...) are real, they exist in my domain, but the names "Peter, John, Mike" have nothing to do with "user1, user2, user3", they are picked randomly. Wouldn't it be interesting to have a test that checks the "user name-email address" pairs according to some settings?

Regards,

Alberto.
test my auto-generated ruleset
I've been working on a new way to auto-generate body rules recently -- I discussed it on my blog at http://taint.org/2007/03/05/134447a.html and http://taint.org/2007/08/04/200125a.html .

Anyway, the results are checked into SVN trunk daily in the "rulesrc/sandbox/jm/20_sought.cf" file. We haven't had much time to figure out how to produce auto-generated 3.2.x rule updates for our entire ruleset at updates.SpamAssassin.org, so instead of dealing with that, I've taken a shortcut around it ;)

I'm now making *just* the "20_sought.cf" ruleset available as a standalone, unofficial sa-update ruleset at sought.rules.yerp.org.

Before using it, you'll need the GPG key:

  wget http://yerp.org/rules/GPG.KEY
  sudo sa-update --import GPG.KEY

then use this to update:

  sudo sa-update \
    --gpgkey 6C6191E3 --channel sought.rules.yerp.org \
    [...other channels...] \
    --channel updates.spamassassin.org

(similar to how you'd use Daryl's sa-update version of the SARE rulesets: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt )

Please consider it alpha; I may take it down in a few months depending on how it goes, or if we can get it working as part of the core updates. In the meantime though, I'm curious to hear how you get on with it. (In particular, copies of false positives would be very welcome.)

--j.
Re: plugin to test attachments from unknown senders
On 8/11/2007 6:41 PM, Matthias Leisi wrote:

> Don't forget the "ifplugin" conditions:
>
> ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
>> mimeheader __L_C_TYPE_APP Content-Type =~ /^application/i
>> [..]
>
> endif

good point, I've updated the rules and added more comments to explain the prerequisites at http://www.ntrg.com/misc/spamassassin/stranger_gifts.cf

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: plugin to test attachments from unknown senders
Eric A. Hall wrote:

Don't forget the "ifplugin" conditions:

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
> mimeheader __L_C_TYPE_APP Content-Type =~ /^application/i
> [..]
endif

-- Matthias
Re: plugin to test attachments from unknown senders
On 7/14/2007 3:49 PM, Eric A. Hall wrote:

> Like other folks I've been getting hit with the PDF spam pretty hard. I
> think the way to solve this and the image spam in general is to do a
> plugin that does two things:
>
> 1) looks in the message to see if there is a binary attachment
>
> 2) looks in the AWL to see if the sender tuple is known
>
> 3) if (1==true) && (2==false) fire a score

I was able to do this with basic rules. Note the low (0.1) scores. It would be nice to use this as a DEFER check in the MTA, since resends will hit the AWL rule and get cleared.

  #
  # This rule looks for in-line MIME Content-Type headers of various
  # types, and then looks to see if the sender tuple is already known
  # to the autowhitelist system. If the message contains a binary
  # attachment and the sender tuple is unknown, fire a rule that tells
  # us that the message is a gift from a stranger.
  #
  mimeheader __L_C_TYPE_APP    Content-Type =~ /^application/i
  mimeheader __L_C_TYPE_IMAGE  Content-Type =~ /^image/i
  mimeheader __L_C_TYPE_AUDIO  Content-Type =~ /^audio/i
  mimeheader __L_C_TYPE_VIDEO  Content-Type =~ /^video/i
  mimeheader __L_C_TYPE_MODEL  Content-Type =~ /^model/i

  meta       L_STRANGER_APP    (!AWL && __L_C_TYPE_APP)
  score      L_STRANGER_APP    0.1
  tflags     L_STRANGER_APP    noautolearn
  priority   L_STRANGER_APP    1001  # defer till after AWL

  meta       L_STRANGER_IMAGE  (!AWL && __L_C_TYPE_IMAGE)
  score      L_STRANGER_IMAGE  0.1
  tflags     L_STRANGER_IMAGE  noautolearn
  priority   L_STRANGER_IMAGE  1001  # defer till after AWL

  meta       L_STRANGER_AUDIO  (!AWL && __L_C_TYPE_AUDIO)
  score      L_STRANGER_AUDIO  0.1
  tflags     L_STRANGER_AUDIO  noautolearn
  priority   L_STRANGER_AUDIO  1001  # defer till after AWL

  meta       L_STRANGER_VIDEO  (!AWL && __L_C_TYPE_VIDEO)
  score      L_STRANGER_VIDEO  0.1
  tflags     L_STRANGER_VIDEO  noautolearn
  priority   L_STRANGER_VIDEO  1001  # defer till after AWL

  meta       L_STRANGER_MODEL  (!AWL && __L_C_TYPE_MODEL)
  score      L_STRANGER_MODEL  0.1
  tflags     L_STRANGER_MODEL  noautolearn
  priority   L_STRANGER_MODEL  1001  # defer till after AWL

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Net::DNS t/10-recurse test fails
Hello,

I hope I'm doing this right. I'm trying to install an SA required module, Net::DNS, and it fails one of the tests. Running "make test" I see the following:

t/10-recurse...1..12
ok 1 - use Net::DNS::Resolver::Recurse;
ok 2 - The object isa Net::DNS::Resolver::Recurse
ok 3 - hints() set
ok 4 - sanity check worked
ok 5 - got a packet
ok 6 - answer has RRs
ok 7 - got a packet
ok 8 - anwer section had RRs
Server [206.176.250.54] did not give answers at /root/Net-DNS-0.61/blib/lib/Net/DNS/Resolver/Recurse.pm line 86.
Server [206.176.250.54] did not give answers at /root/Net-DNS-0.61/blib/lib/Net/DNS/Resolver/Recurse.pm line 86.
not ok 9
# Failed test in t/10-recurse.t at line 92.
# got: undef
# expected: '3'
# Looks like you planned 12 tests but only ran 9.
# Looks like you failed 1 test of 9 run.
dubious
Test returned status 1 (wstat 256, 0x100)
DIED. FAILED tests 9-12
Failed 4/12 tests, 66.67% okay

I've searched around, and can't find any reason why this might be happening. Any help would be greatly appreciated.
3.2.3 spamd_hup test failed
SpamAssassin v3.2.3, Perl 5.8.8, Solaris 9

What would cause this error?

t/spamd_hup.ok 1/110# Failed test 5 in t/spamd_hup.t at line 40
# t/spamd_hup.t line 40 is: ok (-e $pid_file) or warn "$pid_file does not exist post restart";
log/spamd.pid does not exist post restart at t/spamd_hup.t line 40.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
Could not open pid file log/spamd.pid: No such file or directory
Exiting subroutine via next at t/SATest.pm line 844.
t/spamd_hup.FAILED tests 5, 7-110
Failed 105/110 tests, 4.55% okay

The same test on a different, supposedly identical system passed. Also it passed when I ran it manually with "prove -v t/spamd_hup.t".
Test Bayes?
I've been running spamassassin along with a bayes setup for (literally) years on the same server. I'm using a MySQL backend that appears to be working wonderfully. However, I have been seeing a lot of the same spam over and over, even after having bayes learn about them. Is this normal? Is there a way I can actually test the bayes data to be sure that it is working properly? The bayes_seen table currently has 1,129,184 records and is changing all the time, so SOMETHING is happening. For the most part I have been using a mutt macro to learn spam/ham with sa-learn --spam --single and --ham respectively... -- Matthew Daubenspeck http://oddprocess.org Gentoo Linux x86_64 Dual Core AMD Opteron(tm) Processor 165 08:01:33 up 20 days, 11:51, 2 users, load average: 0.17, 0.06, 0.02
List Test Message Please Ignore
Test.
Re: How to create my own test.
On Friday 27 July 2007 15:24:00 Benjamin E. Zeller wrote:
> On Friday 27 July 2007 14:30:16 McDonald, Dan wrote:
> > On Fri, 2007-07-27 at 06:54 -0400, Chuck Payne wrote:
> > > Hi,
> > >
> > > I have five servers and it's a bit of a pain to have to use webmin to
> > > apply the same rules. What I like to do is create my own dictionary or
> > > test file, so that I can just scp it from the box that I have created
> > > and test one.
> > >
> > > If you know link that explain how to that would be really great.
> >
> > just create a file with the extension .cf in the /etc/mail/spamassassin
> > directory.
> >
> > > Thanks
> > >
> > > PS. the reason is to stop those damn greeting cards.
> >
> > I've found http://www.impsec.org/~jhardin/antispam/postcard.cf to be
> > very effective at killing those off. I
>
> As a pity, your link gives a 404 :-(
>
> I'd like to use that too.
>

Found it, it's postcards.cf, not postcard :-)

Sorry for bothering

> Benni

--
Benjamin E. Zeller
Ing.-Büro Hohmann
Bahnhofstr. 34
D-82515 Wolfratshausen
Tel.: +49 (0)8171 347 88 12
Mobil: +49 (0)160 99 11 55 23
Fax: +49 (0)8171 910 778
mailto: [EMAIL PROTECTED]
www.ibh-wor.de
Re: How to create my own test.
On Friday 27 July 2007 14:30:16 McDonald, Dan wrote:
> On Fri, 2007-07-27 at 06:54 -0400, Chuck Payne wrote:
> > Hi,
> >
> > I have five servers and it's a bit of a pain to have to use webmin to
> > apply the same rules. What I like to do is create my own dictionary or
> > test file, so that I can just scp it from the box that I have created
> > and test one.
> >
> > If you know link that explain how to that would be really great.
>
> just create a file with the extension .cf in the /etc/mail/spamassassin
> directory.
>
> > Thanks
> >
> > PS. the reason is to stop those damn greeting cards.
>
> I've found http://www.impsec.org/~jhardin/antispam/postcard.cf to be
> very effective at killing those off. I

As a pity, your link gives a 404 :-(

I'd like to use that too.

Benni

--
Benjamin E. Zeller
Ing.-Büro Hohmann
Bahnhofstr. 34
D-82515 Wolfratshausen
Tel.: +49 (0)8171 347 88 12
Mobil: +49 (0)160 99 11 55 23
Fax: +49 (0)8171 910 778
mailto: [EMAIL PROTECTED]
www.ibh-wor.de
Re: How to create my own test.
On Fri, 2007-07-27 at 06:54 -0400, Chuck Payne wrote:
> Hi,
>
> I have five servers and it's a bit of a pain to have to use webmin to
> apply the same rules. What I like to do is create my own dictionary or
> test file, so that I can just scp it from the box that I have created
> and test one.
>
> If you know link that explain how to that would be really great.

just create a file with the extension .cf in the /etc/mail/spamassassin directory.

> Thanks
>
> PS. the reason is to stop those damn greeting cards.

I've found http://www.impsec.org/~jhardin/antispam/postcard.cf to be very effective at killing those off. I throw away a few thousand a day:

[EMAIL PROTECTED] ~]$ sudo grep POSTCARD_01 /var/log/mail/info | cut -d ' ' -f1,2 | uniq -c
   1576 Jul 22
   2600 Jul 23
   4639 Jul 24
   2551 Jul 25
   2992 Jul 26
    946 Jul 27

> www.britishscifiexchange.com
> www.magigames.net

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
How to create my own test.
Hi,

I have five servers and it's a bit of a pain to have to use webmin to apply the same rules. What I like to do is create my own dictionary or test file, so that I can just scp it from the box that I have created and test one.

If you know link that explain how to that would be really great.

Thanks

PS. the reason is to stop those damn greeting cards.

www.britishscifiexchange.com
www.magigames.net
Re: plugin to test attachments from unknown senders
At 12:49 14-07-2007, Eric A. Hall wrote:
> Like other folks I've been getting hit with the PDF spam pretty hard. I
> think the way to solve this and the image spam in general is to do a
> plugin that does two things:
>
> 1) looks in the message to see if there is a binary attachment
>
> 2) looks in the AWL to see if the sender tuple is known
>
> 3) if (1==true) && (2==false) fire a score

You might also verify the AWL score in step two and fire step 3 if that score is above an arbitrary value. Note that your rule may trigger a false positive for one-time senders.

Regards,
-sm
RE: plugin to test attachments from unknown senders
Aren't spammer tuples in the AWL too? I thought that it averaged both ways; Country AND Western.

Dan

-----Original Message-----
From: Eric A. Hall [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 14, 2007 3:49 PM
To: users@spamassassin.apache.org
Subject: plugin to test attachments from unknown senders

Like other folks I've been getting hit with the PDF spam pretty hard. I think the way to solve this and the image spam in general is to do a plugin that does two things:

1) looks in the message to see if there is a binary attachment

2) looks in the AWL to see if the sender tuple is known

3) if (1==true) && (2==false) fire a score

I've been meaning to adapt my SAGREY plugin [1] for this but have not had time and may not have time for a while yet, so I thought I'd throw this out there to see if anybody else is interested in doing it

[1] http://www.ntrg.com/misc/sagrey/

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
plugin to test attachments from unknown senders
Like other folks I've been getting hit with the PDF spam pretty hard. I think the way to solve this and the image spam in general is to do a plugin that does two things:

1) looks in the message to see if there is a binary attachment

2) looks in the AWL to see if the sender tuple is known

3) if (1==true) && (2==false) fire a score

I've been meaning to adapt my SAGREY plugin [1] for this but have not had time and may not have time for a while yet, so I thought I'd throw this out there to see if anybody else is interested in doing it

[1] http://www.ntrg.com/misc/sagrey/

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Errors in CPAN test
Jonathan Allen wrote:
> Hi List,
>
> So what's with 3.2.1 ? I'm running 3.1.8 and did the standard:
>
>     cpan Mail::SpamAssassin
>

Symptom of bug 5510 that affects 3.2.1:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5510

Essentially, make test will always fail if run as root, which is exactly what CPAN does.

Unfortunately, this is fixed, but it's targeted for release in 3.2.2, which isn't out yet..

You can either force install, or install from a tarball and do your make/make test as a non-root user, then su to root for the make install part.
Re: Errors in CPAN test
Force install or wait for 3.2.2

on 7/3/07 10:46 AM, Jonathan Allen at [EMAIL PROTECTED] wrote:
> Hi List,
>
> So what's with 3.2.1 ? I'm running 3.1.8 and did the standard:
>
>     cpan Mail::SpamAssassin
>
> and got:
>
> t/spamc_optCFAILED tests 2, 4, 6, 8
> Failed 4/9 tests, 55.56% okay
> t/spamc_optLFAILED tests 1-16
> Failed 16/16 tests, 0.00% okay
> t/spamd_allow_user_rulesFAILED test 4
> Failed 1/5 tests, 80.00% okay
> t/spamd_plugin..FAILED tests 2, 4, 6
> Failed 3/6 tests, 50.00% okay
> Failed Test                  Stat Wstat Total Fail  List of Failed
> -------------------------------------------------------------------
> t/spamc_optC.t                              9    4  2 4 6 8
> t/spamc_optL.t                             16   16  1-16
> t/spamd_allow_user_rules.t                  5    1  4
> t/spamd_plugin.t                            6    3  2 4 6
> 23 tests skipped.
> Failed 4/129 test scripts. 24/1924 subtests failed.
>
> Not found: reported spam = Message successfully reported/revoked
> # Failed test 2 in t/SATest.pm at line 635
> Output can be examined in: log/d.spamc_optC/out.1
> Not found: revoked ham = Message successfully reported/revoked
> # Failed test 4 in t/SATest.pm at line 635 fail #2
> Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3
> Not found: failed to report spam = Unable to report/revoke message
> # Failed test 6 in t/SATest.pm at line 635 fail #3
> Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3
> log/d.spamc_optC/out.5
> Not found: failed to revoke ham = Unable to report/revoke message
> # Failed test 8 in t/SATest.pm at line 635 fail #4
> Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3
> log/d.spamc_optC/out.5 log/d.spamc_optC/out.7
> # Failed test 1 in t/spamc_optL.t at line 20
> Not found: learned spam = Message successfully un/learned
> # Failed test 2 in t/SATest.pm at line 635
> Output can be examined in:
> # Failed test 3 in t/spamc_optL.t at line 24
> Not found: already learned spam = Message was already un/learned
> # Failed test 4 in t/SATest.pm at line 635 fail #2
> Output can be examined in:
> ERROR: Bayes dump returned an error, please re-run with -D for more
> information
> # Failed test 5 in t/spamc_optL.t at line 28
> Not found: spam in database = 1 0 non-token data: nspam
> # Failed test 6 in t/SATest.pm at line 635 fail #3
> Output can be examined in:
> # Failed test 7 in t/spamc_optL.t at line 32
> Not found: forget spam = Message successfully un/learned
> # Failed test 8 in t/SATest.pm at line 635 fail #4
> Output can be examined in:
> # Failed test 9 in t/spamc_optL.t at line 36
> Not found: learned ham = Message successfully un/learned
> # Failed test 10 in t/SATest.pm at line 635 fail #5
> Output can be examined in:
> # Failed test 11 in t/spamc_optL.t at line 40
> Not found: already learned ham = Message was already un/learned
> # Failed test 12 in t/SATest.pm at line 635 fail #6
> Output can be examined in:
> ERROR: Bayes dump returned an error, please re-run with -D for more
> information
> # Failed test 13 in t/spamc_optL.t at line 44
> Not found: ham in database = 1 0 non-token data: nham
> # Failed test 14 in t/SATest.pm at line 635 fail #7
> Output can be examined in:
> # Failed test 15 in t/spamc_optL.t at line 48
> Not found: learned ham = Message successfully un/learned
> # Failed test 16 in t/SATest.pm at line 635 fail #8
> Output can be examined in:
> Not found: myfoo = 1.0 MYFOO
> # Failed test 4 in t/SATest.pm at line 635
> Output can be examined in: log/d.spamd_allow_user_rules/out.2
> log/d.spamd_allow_user_rules/spamd.err.1
> Not found: called1 = test: called myTestPlugin, round 1
> # Failed test 2 in t/SATest.pm at line 635
> Output can be examined in: log/d.spamd_plugin/out.1
> log/d.spamd_plugin/spamd.err.1
> Not found: called2 = called myTestPlugin, round 2
> # Failed test 4 in t/SATest.pm at line 635 fail #2
> Output can be examined in: log/d.spamd_plugin/out.1
> log/d.spamd_plugin/spamd.err.1 log/d.spamd_plugin/out.3
> log/d.spamd_plugin/spamd.err.1
> Not found: called3 = called myTestPlugin, round 3
> # Failed test 6 in t/SATest.pm at line 635 fail #3
> Output can be examined in: log/d.spamd_plugin/out.1
> log/d.spamd_plugin/spamd.err.1 log/d.spamd_plugin/out.3
> log/d.spamd_plugin/spamd.err.1 log/d.spamd_plugin/out.5
> log/d.spamd_plugin/spamd.err.1
> Failed 4/129 test programs. 24/1924 subtests failed.
> make: *** [test_dynamic] Error 255
>
> What do I do next ?
>
> Jonathan

--
Mike Yrabedra B^)>
Errors in CPAN test
Hi List,

So what's with 3.2.1 ? I'm running 3.1.8 and did the standard:

    cpan Mail::SpamAssassin

and got:

t/spamc_optCFAILED tests 2, 4, 6, 8
Failed 4/9 tests, 55.56% okay
t/spamc_optLFAILED tests 1-16
Failed 16/16 tests, 0.00% okay
t/spamd_allow_user_rules....FAILED test 4
Failed 1/5 tests, 80.00% okay
t/spamd_plugin..FAILED tests 2, 4, 6
Failed 3/6 tests, 50.00% okay
Failed Test                  Stat Wstat Total Fail  List of Failed
-------------------------------------------------------------------
t/spamc_optC.t                              9    4  2 4 6 8
t/spamc_optL.t                             16   16  1-16
t/spamd_allow_user_rules.t                  5    1  4
t/spamd_plugin.t                            6    3  2 4 6
23 tests skipped.
Failed 4/129 test scripts. 24/1924 subtests failed.

Not found: reported spam = Message successfully reported/revoked
# Failed test 2 in t/SATest.pm at line 635
Output can be examined in: log/d.spamc_optC/out.1
Not found: revoked ham = Message successfully reported/revoked
# Failed test 4 in t/SATest.pm at line 635 fail #2
Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3
Not found: failed to report spam = Unable to report/revoke message
# Failed test 6 in t/SATest.pm at line 635 fail #3
Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3 log/d.spamc_optC/out.5
Not found: failed to revoke ham = Unable to report/revoke message
# Failed test 8 in t/SATest.pm at line 635 fail #4
Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3 log/d.spamc_optC/out.5 log/d.spamc_optC/out.7
# Failed test 1 in t/spamc_optL.t at line 20
Not found: learned spam = Message successfully un/learned
# Failed test 2 in t/SATest.pm at line 635
Output can be examined in:
# Failed test 3 in t/spamc_optL.t at line 24
Not found: already learned spam = Message was already un/learned
# Failed test 4 in t/SATest.pm at line 635 fail #2
Output can be examined in:
ERROR: Bayes dump returned an error, please re-run with -D for more information
# Failed test 5 in t/spamc_optL.t at line 28
Not found: spam in database = 1 0 non-token data: nspam
# Failed test 6 in t/SATest.pm at line 635 fail #3
Output can be examined in:
# Failed test 7 in t/spamc_optL.t at line 32
Not found: forget spam = Message successfully un/learned
# Failed test 8 in t/SATest.pm at line 635 fail #4
Output can be examined in:
# Failed test 9 in t/spamc_optL.t at line 36
Not found: learned ham = Message successfully un/learned
# Failed test 10 in t/SATest.pm at line 635 fail #5
Output can be examined in:
# Failed test 11 in t/spamc_optL.t at line 40
Not found: already learned ham = Message was already un/learned
# Failed test 12 in t/SATest.pm at line 635 fail #6
Output can be examined in:
ERROR: Bayes dump returned an error, please re-run with -D for more information
# Failed test 13 in t/spamc_optL.t at line 44
Not found: ham in database = 1 0 non-token data: nham
# Failed test 14 in t/SATest.pm at line 635 fail #7
Output can be examined in:
# Failed test 15 in t/spamc_optL.t at line 48
Not found: learned ham = Message successfully un/learned
# Failed test 16 in t/SATest.pm at line 635 fail #8
Output can be examined in:
Not found: myfoo = 1.0 MYFOO
# Failed test 4 in t/SATest.pm at line 635
Output can be examined in: log/d.spamd_allow_user_rules/out.2 log/d.spamd_allow_user_rules/spamd.err.1
Not found: called1 = test: called myTestPlugin, round 1
# Failed test 2 in t/SATest.pm at line 635
Output can be examined in: log/d.spamd_plugin/out.1 log/d.spamd_plugin/spamd.err.1
Not found: called2 = called myTestPlugin, round 2
# Failed test 4 in t/SATest.pm at line 635 fail #2
Output can be examined in: log/d.spamd_plugin/out.1 log/d.spamd_plugin/spamd.err.1 log/d.spamd_plugin/out.3 log/d.spamd_plugin/spamd.err.1
Not found: called3 = called myTestPlugin, round 3
# Failed test 6 in t/SATest.pm at line 635 fail #3
Output can be examined in: log/d.spamd_plugin/out.1 log/d.spamd_plugin/spamd.err.1 log/d.spamd_plugin/out.3 log/d.spamd_plugin/spamd.err.1 log/d.spamd_plugin/out.5 log/d.spamd_plugin/spamd.err.1
Failed 4/129 test programs. 24/1924 subtests failed.
make: *** [test_dynamic] Error 255

What do I do next ?

Jonathan
NetBSD, OpenBSD, Windows users -- please test something...
We have a patch in development which fixes some platform-specific perl setuid brokenness, but it needs testing on those 3 platforms with spamd. The patch is at: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5518#c18 and applies to SpamAssassin 3.2.1. It should be possible to start a spamd using something like spamd --virtual-config-dir=/tmp -u nobody -D , and then see it setuid to "nobody" safely without issuing the 'spamd: initial attempt to change real uid failed, trying BSD workaround' warning. On windows, probably more complex however ;) If you *already* have spamd running on windows, I'd appreciate it if you could try running it, the same way as you're currently using it -- if it doesn't die, that's good enough for me! ;) thanks, --j.
RE: "make test" dnsbl tests sporadically fail
I installed both patches and still get errors in some of the dnsbl tests. Here is a possibly relevant section of t/log/d.dns/1 from a system where the test succeeded:

[27718] dbg: check: running tests for priority: 500
[27718] dbg: async: select found 1 socks ready
[27718] dbg: uridnsbl: query for uribl-example-b.com took 4 seconds to look up (multi.surbl.org.:uribl-example-b.com)
[27718] dbg: uridnsbl: query for uribl-example-a.com took 4 seconds to look up (multi.uribl.com.:uribl-example-a.com)
...
[27718] dbg: uridnsbl: query for uribl-example-a.com took 4 seconds to look up (bl.open-whois.org.:uribl-example-a.com)
[27718] dbg: async: queries completed: 73 started: 0
[27718] dbg: async: queries active: at Fri Jun 15 11:42:27 2007
[27718] dbg: dns: success for 0 of 73 queries
[27718] dbg: rules: running head tests; score so far=18.85

And here is the corresponding log where the tests failed:

[10362] dbg: check: running tests for priority: 500
[10362] dbg: async: select found no socks ready
[10362] dbg: uridnsbl: query for uribl-example-b.com took 2 seconds to look up (multi.surbl.org.:uribl-example-b.com)
[10362] dbg: uridnsbl: query for uribl-example-a.com took 2 seconds to look up (multi.uribl.com.:uribl-example-a.com)
...
[10362] dbg: uridnsbl: query for uribl-example-a.com took 2 seconds to look up (bl.open-whois.org.:uribl-example-a.com)
[10362] dbg: async: queries completed: 44 started: 0
[10362] dbg: async: queries active: DNSBL-A=10 DNSBL-TXT=19 at Fri Jun 15 11:59:06 2007
[10362] dbg: async: select found no socks ready
[10362] dbg: async: queries completed: 0 started: 0
[10362] dbg: async: queries active: DNSBL-A=10 DNSBL-TXT=19 at Fri Jun 15 11:59:07 2007
[10362] dbg: async: select found no socks ready
...
[10362] dbg: async: queries completed: 0 started: 0
[10362] dbg: async: queries active: DNSBL-A=10 DNSBL-TXT=19 at Fri Jun 15 11:59:27 2007
[10362] dbg: async: escaping: must have lost requests
[10362] dbg: async: aborting remaining lookups
[10362] dbg: dns: success for 44 of 73 queries
[10362] dbg: rules: running head tests; score so far=14.85

So what is going on, and why aren't my socks ready? (Sounds like a laundry problem...)

BTW, looking up "134.88.73.210.sb.dnsbltest.spamassassin.org" (one of the failed lookups) from the command line returns a successful answer immediately.

From: Randal, Phil [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 14, 2007 3:41 AM
To: users@spamassassin.apache.org
Subject: RE: "make test" dnsbl tests sporadically fail

Possibly related to http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5511 as discussed in the "DNS tests getting aborted" thread?

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From: Rosenbaum, Larry M. [mailto:[EMAIL PROTECTED]
Sent: 13 June 2007 22:01
To: users@spamassassin.apache.org
Subject: "make test" dnsbl tests sporadically fail

When I run "make test" for v3.2.1, why do some of the dnsbl tests sporadically fail? For instance:

t/dnsbl.....
Not found: P_2 = [127.0.0.4] # Failed test 1 in t/SATest.pm at line 635 Not found: P_7 = # Failed test 2 in t/SATest.pm at line 635 fail #2 Not found: P_4 = [127.0.0.1] t/dnsbl.NOK 1# Failed test 3 in t/SATest.pm at line 635 fail #3 Not found: P_3 = [127.0.0.12] # Failed test 4 in t/SATest.pm at line 635 fail #4 Not found: P_5 = [127.0.0.1] # Failed test 5 in t/SATest.pm at line 635 fail #5 t/dnsbl.NOK 2 Not found: P_1 = [127.0.0.2] # Failed test 6 in t/SATest.pm at line 635 fail #6 Not found: P_6 = [127.0.0.2] # Failed test 7 in t/SATest.pm at line 635 fail #7 Not found: P_15 = DNSBL_RHS t/dnsbl.NOK 3# Failed test 8 in t/SATest.pm at line 635 fail #8 Not found: P_17 = DNSBL_SB_FLOAT t/dnsbl.NOK 4# Failed test 9 in t/SATest.pm at line 635 fail #9 Not found: P_18 = DNSBL_SB_STR # Failed test 10 in t/SATest.pm at line 635 fail #10 Not found: P_16 = DNSBL_SB_TIME # Failed test 11 in t/SATest.pm at line 635 fail #11 t/dnsbl.NOK 5 Not found: P_10 = DNSBL_TEST_DYNAMIC # Failed test 12 in t/SATest.pm at line 635 fail #12 Not found: P_12 = DNSBL_TEST_RELAY # Failed test 13 in t/SATest.pm at line 635 fail #13 t/dnsbl.NOK 6 Not found: P_11 = DNSBL_TEST_SPAM # Failed test 14 in t/SATest.pm at line 635 fail #14 Not found: P_8 =
RE: "make test" dnsbl tests sporadically fail
Possibly related to http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5511 as discussed in the "DNS tests getting aborted" thread?

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From: Rosenbaum, Larry M. [mailto:[EMAIL PROTECTED]
Sent: 13 June 2007 22:01
To: users@spamassassin.apache.org
Subject: "make test" dnsbl tests sporadically fail

When I run "make test" for v3.2.1, why do some of the dnsbl tests sporadically fail? For instance:

t/dnsbl.Not found: P_2 = [127.0.0.4]
# Failed test 1 in t/SATest.pm at line 635
Not found: P_7 =
# Failed test 2 in t/SATest.pm at line 635 fail #2
Not found: P_4 = [127.0.0.1]
t/dnsbl.NOK 1# Failed test 3 in t/SATest.pm at line 635 fail #3
Not found: P_3 = [127.0.0.12]
# Failed test 4 in t/SATest.pm at line 635 fail #4
Not found: P_5 = [127.0.0.1]
# Failed test 5 in t/SATest.pm at line 635 fail #5
t/dnsbl.NOK 2 Not found: P_1 = [127.0.0.2]
# Failed test 6 in t/SATest.pm at line 635 fail #6
Not found: P_6 = [127.0.0.2]
# Failed test 7 in t/SATest.pm at line 635 fail #7
Not found: P_15 = DNSBL_RHS
t/dnsbl.NOK 3# Failed test 8 in t/SATest.pm at line 635 fail #8
Not found: P_17 = DNSBL_SB_FLOAT
t/dnsbl.NOK 4# Failed test 9 in t/SATest.pm at line 635 fail #9
Not found: P_18 = DNSBL_SB_STR
# Failed test 10 in t/SATest.pm at line 635 fail #10
Not found: P_16 = DNSBL_SB_TIME
# Failed test 11 in t/SATest.pm at line 635 fail #11
t/dnsbl.NOK 5 Not found: P_10 = DNSBL_TEST_DYNAMIC
# Failed test 12 in t/SATest.pm at line 635 fail #12
Not found: P_12 = DNSBL_TEST_RELAY
# Failed test 13 in t/SATest.pm at line 635 fail #13
t/dnsbl.NOK 6 Not found: P_11 = DNSBL_TEST_SPAM
# Failed test 14 in t/SATest.pm at line 635 fail #14
Not found: P_8 = DNSBL_TEST_TOP
# Failed test 15 in t/SATest.pm at line 635 fail #15
Not found: P_9 = DNSBL_TEST_WHITELIST
t/dnsbl.NOK 7# Failed test 16 in t/SATest.pm at line 635 fail #16
Not found: P_14 = DNSBL_TXT_RE
# Failed test 17 in t/SATest.pm at line 635 fail #17
Not found: P_13 = DNSBL_TXT_TOP
t/dnsbl.NOK 8# Failed test 18 in t/SATest.pm at line 635 fail #18
t/dnsbl.NOK 9Output can be examined in: log/d.dns/1
t/dnsbl.FAILED tests 1-18
Failed 18/23 tests, 21.74% okay

If I run t/dnsbl.t later, a smaller number of the subtests fail. If I repeat it later, a different set of dnsbl subtests fail. There is nothing obviously wrong with the DNS server. What causes this problem?
"make test" dnsbl tests sporadically fail
When I run "make test" for v3.2.1, why do some of the dnsbl tests sporadically fail? For instance:

t/dnsbl.Not found: P_2 = [127.0.0.4]
# Failed test 1 in t/SATest.pm at line 635
Not found: P_7 =
# Failed test 2 in t/SATest.pm at line 635 fail #2
Not found: P_4 = [127.0.0.1]
t/dnsbl.NOK 1# Failed test 3 in t/SATest.pm at line 635 fail #3
Not found: P_3 = [127.0.0.12]
# Failed test 4 in t/SATest.pm at line 635 fail #4
Not found: P_5 = [127.0.0.1]
# Failed test 5 in t/SATest.pm at line 635 fail #5
t/dnsbl.NOK 2 Not found: P_1 = [127.0.0.2]
# Failed test 6 in t/SATest.pm at line 635 fail #6
Not found: P_6 = [127.0.0.2]
# Failed test 7 in t/SATest.pm at line 635 fail #7
Not found: P_15 = DNSBL_RHS
t/dnsbl.NOK 3# Failed test 8 in t/SATest.pm at line 635 fail #8
Not found: P_17 = DNSBL_SB_FLOAT
t/dnsbl.NOK 4# Failed test 9 in t/SATest.pm at line 635 fail #9
Not found: P_18 = DNSBL_SB_STR
# Failed test 10 in t/SATest.pm at line 635 fail #10
Not found: P_16 = DNSBL_SB_TIME
# Failed test 11 in t/SATest.pm at line 635 fail #11
t/dnsbl.NOK 5 Not found: P_10 = DNSBL_TEST_DYNAMIC
# Failed test 12 in t/SATest.pm at line 635 fail #12
Not found: P_12 = DNSBL_TEST_RELAY
# Failed test 13 in t/SATest.pm at line 635 fail #13
t/dnsbl.NOK 6 Not found: P_11 = DNSBL_TEST_SPAM
# Failed test 14 in t/SATest.pm at line 635 fail #14
Not found: P_8 = DNSBL_TEST_TOP
# Failed test 15 in t/SATest.pm at line 635 fail #15
Not found: P_9 = DNSBL_TEST_WHITELIST
t/dnsbl.NOK 7# Failed test 16 in t/SATest.pm at line 635 fail #16
Not found: P_14 = DNSBL_TXT_RE
# Failed test 17 in t/SATest.pm at line 635 fail #17
Not found: P_13 = DNSBL_TXT_TOP
t/dnsbl.NOK 8# Failed test 18 in t/SATest.pm at line 635 fail #18
t/dnsbl.NOK 9Output can be examined in: log/d.dns/1
t/dnsbl.FAILED tests 1-18
Failed 18/23 tests, 21.74% okay

If I run t/dnsbl.t later, a smaller number of the subtests fail. If I repeat it later, a different set of dnsbl subtests fail. There is nothing obviously wrong with the DNS server. What causes this problem?
Spamassassin debug test
I recently saw this happening when testing. Is this stuff left over from some older version, or something not installed? What should I do with the undefined dependencies?

[29724] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
[29724] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
[29724] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
[29724] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
[29724] info: rules: meta test SARE_HEAD_SUBJ_RAND has dependency 'X_AUTH_WARN_FAKED' with a zero score
[29724] info: rules: meta test SARE_HEAD_8BIT_NOSPM has undefined dependency '__SARE_HEAD_8BIT_DATE'
[29724] info: rules: meta test SARE_HEAD_8BIT_NOSPM has undefined dependency '__SARE_HEAD_8BIT_RECV'
[29724] info: rules: meta test SARE_MULT_RATW_03 has undefined dependency '__SARE_MULT_RATW_03E'
[29724] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
[29724] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
[29724] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
[29724] info: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG50'
[29724] info: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG55'
[29724] info: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG65'
[29724] info: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG75'
[29724] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG50'
[29724] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG55'
[29724] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG65'
[29724] info: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG75'
X
Re: test=none
Martin Hochreiter wrote:
> Daryl C. W. O'Shea wrote:
>> ---
>> trusted_networks 80.123.XXX.XXX
>> trusted_networks 80.122.XXX.XXX
>> internal_networks 192.168.1.0/24
>> internal_networks 192.168.2.0/24
>> internal_networks 127.0.0.1
>> ---
>
> I am using the SuSE rpm spamassassin-3.1.8-9.2 (OpenSuSE 10.1) - I am
> really not a specialist in configuring spamassassin so I am using
> almost the default values from the SuSE config.
>
> I inserted those trusted/internal networks lines because I get often
> these ALL_TRUSTED Headers - maybe that's the wrong solution for it.
>
> I printed a little network topology of my net - can anybody tell me
> please, what really should be mentioned in local.conf
> (trusted_networks, internal_networks)?
>
> 192.168.2.0(net) --- 80.123.XXX.XXX ~~~VPN~~~ 80.122.XXX.XXX --- 192.168.1.0 (net)- 192.168.1.104 (mailserver)
>
> Imap4-SSL and Smtp is portforwarded from the firewall to the mailserver.

Something like the following might work (I'm not 100% clear on what mail is being scanned and from who/where):

trusted_networks 192.168.1.0/24 192.168.2.0/24 80.122.0.0/15 127.0.0.1
internal_networks 192.168.1.0/24 192.168.2.0/24 80.122.0.0/15 127.0.0.1

Daryl
Re: test=none
Daryl C. W. O'Shea wrote:
>
> ---
> trusted_networks 80.123.XXX.XXX
> trusted_networks 80.122.XXX.XXX
> internal_networks 192.168.1.0/24
> internal_networks 192.168.2.0/24
> internal_networks 127.0.0.1
> ---

I am using the SuSE rpm spamassassin-3.1.8-9.2 (OpenSuSE 10.1) - I am really not a specialist in configuring spamassassin so I am using almost the default values from the SuSE config.

I inserted those trusted/internal networks lines because I get often these ALL_TRUSTED Headers - maybe that's the wrong solution for it.

I printed a little network topology of my net - can anybody tell me please, what really should be mentioned in local.conf (trusted_networks, internal_networks)?

192.168.2.0(net) --- 80.123.XXX.XXX ~~~VPN~~~ 80.122.XXX.XXX --- 192.168.1.0 (net)- 192.168.1.104 (mailserver)

Imap4-SSL and Smtp is portforwarded from the firewall to the mailserver.

Regards,
Martin
Re: test=none
Matt Kettler wrote: Matt Kettler wrote: Daryl C. W. O'Shea wrote: I get now hints from the logfiles concerning a timeout, my trusted/internal networks in local.cf are set as follwing --- trusted_networks 80.123.XXX.XXX trusted_networks 80.122.XXX.XXX internal_networks 192.168.1.0/24 internal_networks 192.168.2.0/24 internal_networks 127.0.0.1 --- That doesn't pass a lint check, does it? If it does you're using a really old version of SpamAssassin. If it doesn't it's because internal_networks must also be trusted and if you're using 3.2, 127.0.0.1 is always trusted+internal (so it'll warn about it already being configured). Interesting.. How does 3.2 deal with a trusted MX that must accept mail directly from dialup nodes without SMTP AUTH? In older versions, you'd configure that server to be trusted but make it not a member of internal_networks to avoid the DUL tests being applied to it. Nevermind.. I wrapped my brain around it backwards.. Yeah. FWIW, though, for net checks to be useful you always want your MX to be trusted+internal. If your MX also acts as an MSA you'll still want it to be trusted+internal and have your users use some sort of auth that shows up in the Received header. If the relay is just an MSA, then yeah, trusted and not internal is workable and possibly advisable (although I'd use msa_networks instead). Daryl
Re: test=none
Matt Kettler wrote: > Daryl C. W. O'Shea wrote: > >>> I get now hints from the logfiles concerning a timeout, >>> my trusted/internal networks in local.cf are set as follwing >>> --- >>> trusted_networks 80.123.XXX.XXX >>> trusted_networks 80.122.XXX.XXX >>> internal_networks 192.168.1.0/24 >>> internal_networks 192.168.2.0/24 >>> internal_networks 127.0.0.1 >>> --- >>> >> That doesn't pass a lint check, does it? If it does you're using a >> really old version of SpamAssassin. If it doesn't it's because >> internal_networks must also be trusted and if you're using 3.2, >> 127.0.0.1 is always trusted+internal (so it'll warn about it already >> being configured). >> > Interesting.. How does 3.2 deal with a trusted MX that must accept mail > directly from dialup nodes without SMTP AUTH? > > In older versions, you'd configure that server to be trusted but make it > not a member of internal_networks to avoid the DUL tests being applied > to it. > Nevermind.. I wrapped my brain around it backwards..
Re: test=none
Daryl C. W. O'Shea wrote: >>> >> I get now hints from the logfiles concerning a timeout, >> my trusted/internal networks in local.cf are set as follwing >> --- >> trusted_networks 80.123.XXX.XXX >> trusted_networks 80.122.XXX.XXX >> internal_networks 192.168.1.0/24 >> internal_networks 192.168.2.0/24 >> internal_networks 127.0.0.1 >> --- > > That doesn't pass a lint check, does it? If it does you're using a > really old version of SpamAssassin. If it doesn't it's because > internal_networks must also be trusted and if you're using 3.2, > 127.0.0.1 is always trusted+internal (so it'll warn about it already > being configured). Interesting.. How does 3.2 deal with a trusted MX that must accept mail directly from dialup nodes without SMTP AUTH? In older versions, you'd configure that server to be trusted but make it not a member of internal_networks to avoid the DUL tests being applied to it.
Re: test=none
Martin Hochreiter wrote:

Some messages here get tests=none. The two conditions I've found here are 1) like Matt already mentioned, a timeout in communication using spamc, or 2) the message was received totally within our network (trusted/internal).

Perhaps maybe you don't have the trusted/internal networks set up correctly. Just speculating as I don't know much about Amavis to know exactly how much SA tweaking you can do to make a difference.

I get now hints from the logfiles concerning a timeout, my trusted/internal networks in local.cf are set as following

---
trusted_networks 80.123.XXX.XXX
trusted_networks 80.122.XXX.XXX
internal_networks 192.168.1.0/24
internal_networks 192.168.2.0/24
internal_networks 127.0.0.1
---

That doesn't pass a lint check, does it? If it does you're using a really old version of SpamAssassin. If it doesn't it's because internal_networks must also be trusted and if you're using 3.2, 127.0.0.1 is always trusted+internal (so it'll warn about it already being configured).

Assuming you're running a recent version of SA your effective config is:

trusted_networks 80.123.XXX.XXX
trusted_networks 80.122.XXX.XXX

Daryl
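The two conditions Daryl names in the reply above (every internal_networks entry must also be trusted, and on 3.2 loopback is already trusted+internal) can be checked before running the real lint. This is an added example, not SpamAssassin's own code and not from the thread; the function names are hypothetical, the sample addresses are constructed (documentation ranges standing in for the masked public IPs), and only full addresses and CIDR blocks are handled.

```python
import ipaddress

# Constructed sample configs. 198.51.100.10 and 203.0.113.20 are documentation
# addresses standing in for the masked 80.12x.XXX.XXX hosts in the thread.
BROKEN_CF = """\
trusted_networks 198.51.100.10
trusted_networks 203.0.113.20
internal_networks 192.168.1.0/24
internal_networks 192.168.2.0/24
internal_networks 127.0.0.1
"""

FIXED_CF = """\
trusted_networks 192.168.1.0/24 192.168.2.0/24 198.51.100.10 203.0.113.20
internal_networks 192.168.1.0/24 192.168.2.0/24
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
KEYS = ("trusted_networks", "internal_networks")


def parse_networks(cf_text):
    """Return ({key: [(lineno, network)]}, [problems]) for the two directives."""
    nets = {key: [] for key in KEYS}
    problems = []
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        key, *values = line.split()
        if key not in nets:
            continue
        for value in values:
            try:
                # strict=False tolerates host bits, e.g. 192.168.1.104/24
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append((lineno, value, "not a full address or CIDR block"))
                continue
            nets[key].append((lineno, net))
    return nets, problems


def check_trust_config(cf_text):
    """List (lineno, entry, reason) for entries that break the two conditions."""
    nets, problems = parse_networks(cf_text)
    trusted = [net for _, net in nets["trusted_networks"]]
    for lineno, net in nets["internal_networks"]:
        if net.version == 4 and net.subnet_of(LOOPBACK):
            problems.append((lineno, str(net), "loopback is already trusted+internal on 3.2"))
        elif not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            problems.append((lineno, str(net), "internal but not trusted"))
    return sorted(problems)


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CF), ("fixed", FIXED_CF)):
        print(name, check_trust_config(text) or "ok")
```

The authoritative check remains `spamassassin --lint` against the installed version; this only reproduces the two conditions stated in the reply.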
Re: test=none
> > Some messages here get tests=none. The two conditions I've found here > are 1) like Matt already mentioned, a timeout in communication using > spamc, or 2) the message was received totally within our network > (trusted/internal). > > Perhaps maybe you don't have the trusted/internal networks set up > correctly. Just speculating as I don't know much about Amavis to know > exactly how much SA tweaking you can do to make a difference. > I get now hints from the logfiles concerning a timeout, my trusted/internal networks in local.cf are set as follwing --- trusted_networks 80.123.XXX.XXX trusted_networks 80.122.XXX.XXX internal_networks 192.168.1.0/24 internal_networks 192.168.2.0/24 internal_networks 127.0.0.1 ---
Re: test=none
On Tue, 15 May 2007, Mark Martinec wrote: No, score=0 tagged_above=-999 required=1.7 tests=[none] What does "tests=[none]" mean? Matt Kettler wrote: That's generated by amavis, not spamassassin. My guess, based on my limited knowledge of amavis, is that message means one of the following: Amavis did run the message through SA, but no rules matched at all. Amavis timed out the spamassassin run. Amavis chose not to run spamassassin on the message due to some amavis level whitelisting. However, I don't know enough about amavis to tell you which of these... Actually the "[none]" comes directly from SpamAssassin, amavisd just reports what it gets after calling SA. The relevant code is in SpamAssassin/PerMsgStatus.pm, sub _get_tag: TESTSSCORES => sub { my $arg = (shift || ","); my $line = ''; foreach my $test (sort @{$self->{test_names_hit}}) { if (!$line) { $line .= $test . "=" . $self->{conf}->{scores}->{$test}; } else { $line .= $arg . $test . "=" . $self->{conf}->{scores}->{$test}; } } return $line ? $line : 'none'; }, It seems that really no rules matched. Some messages here get tests=none. The two conditions I've found here are 1) like Matt already mentioned, a timeout in communication using spamc, or 2) the message was received totally within our network (trusted/internal). Perhaps maybe you don't have the trusted/internal networks set up correctly. Just speculating as I don't know much about Amavis to know exactly how much SA tweaking you can do to make a difference.
Re: test=none
> Actually the "[none]" comes directly from SpamAssassin, amavisd just > reports what it gets after calling SA. > > The relevant code is in SpamAssassin/PerMsgStatus.pm, sub _get_tag: > > TESTSSCORES => sub { > my $arg = (shift || ","); > my $line = ''; > foreach my $test (sort @{$self->{test_names_hit}}) { > if (!$line) { > $line .= $test . "=" . $self->{conf}->{scores}->{$test}; > } else { > $line .= $arg . $test . "=" . $self->{conf}->{scores}->{$test}; > } > } > return $line ? $line : 'none'; > }, > > It seems that really no rules matched. > > Mark > > Hi! I updated my rules to the latest ones - maybe I get now less of these "test=[none]" (Actually 2-3 mails out of 60 spammails in one account are affected) lg Martin
Re: test=none
> > No, score=0 tagged_above=-999 required=1.7 tests=[none]
> > What does "tests=[none]" mean?

Matt Kettler wrote:
> That's generated by amavis, not spamassassin.
> My guess, based on my limited knowledge of amavis, is that message means
> one of the following:
> Amavis did run the message through SA, but no rules matched at all.
> Amavis timed out the spamassassin run.
> Amavis chose not to run spamassassin on the message due to some amavis
> level whitelisting.
> However, I don't know enough about amavis to tell you which of these...

Actually the "[none]" comes directly from SpamAssassin, amavisd just reports what it gets after calling SA.

The relevant code is in SpamAssassin/PerMsgStatus.pm, sub _get_tag:

    TESTSSCORES => sub {
      my $arg = (shift || ",");
      my $line = '';
      foreach my $test (sort @{$self->{test_names_hit}}) {
        if (!$line) {
          $line .= $test . "=" . $self->{conf}->{scores}->{$test};
        } else {
          $line .= $arg . $test . "=" . $self->{conf}->{scores}->{$test};
        }
      }
      return $line ? $line : 'none';
    },

It seems that really no rules matched.

Mark
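To find how many delivered messages carry the empty verdict discussed above, the verdict strings can be parsed and the ones with no rule hits listed for follow-up in the mail logs. This is an added example, not code from the thread or from SpamAssassin or amavisd; the function names are hypothetical, the first three sample strings are copied from this thread, and the fourth is constructed to show the NAME=score form the Perl snippet produces.

```python
import re

SAMPLES = [
    # copied from the thread (amavisd-style verdict)
    "No, score=0 tagged_above=-999 required=1.7 tests=[none]",
    # copied from the thread (X-Spam-Status, folded test list)
    "No, score=2.7 required=5.0 tests=HTML_IMAGE_ONLY_16, HTML_IMAGE_RATIO_02,"
    "HTML_MESSAGE,MIME_BOUND_NEXTPART,SARE_SPEC_LEO_LINE03e, "
    "SHORT_HELO_AND_INLINE_IMAGE autolearn=no version=3.1.8",
    "No, score=0.2 required=5.0 tests=RCVD_ILLEGAL_IP autolearn=no version=3.1.8",
    # constructed: bracketed list with per-test scores
    "Yes, score=9.5 required=5.0 tests=[RULE_A=1.0,RULE_B=8.5]",
]

# tests=[...] (bracketed) or a bare comma list that may be folded after commas
_TESTS_RE = re.compile(r"tests=(?:\[([^\]]*)\]|([\w.=-]+(?:,\s*[\w.=-]+)*))")
_NUM_RE = re.compile(r"\b(score|required|tagged_above)=(-?\d+(?:\.\d+)?)")


def parse_verdict(value):
    """Split a spam verdict string into verdict flag, numeric fields and test names."""
    match = _TESTS_RE.search(value)
    if match is None:
        raise ValueError("no tests= field in verdict")
    raw = match.group(1) if match.group(1) is not None else match.group(2)
    # keep the rule name, drop an optional "=score" suffix
    names = [item.strip().split("=", 1)[0] for item in raw.split(",") if item.strip()]
    if names == ["none"]:  # the literal SpamAssassin emits when nothing hit
        names = []
    parsed = {key: float(num) for key, num in _NUM_RE.findall(value)}
    parsed["is_spam"] = value.lstrip().lower().startswith("yes")
    parsed["tests"] = names
    return parsed


def unscored(values):
    """Return the verdict strings in which no rule hit at all."""
    return [v for v in values if not parse_verdict(v)["tests"]]


if __name__ == "__main__":
    for verdict in unscored(SAMPLES):
        print("no rules hit:", verdict)
```

Per the replies in this thread, a message flagged this way is one to look up in the logs for a scan timeout or for a path that lies entirely inside trusted/internal networks.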
Re: test=none
Martin Hochreiter wrote: > Hi! > > I am using spamassassin with amavis. > > I sometimes get mails (Spam Mails) - not tagged with ***SPAM*** > but tagged with the following header: > > No, score=0 tagged_above=-999 required=1.7 tests=[none] > > What does "tests=[none]" mean? > That's generated by amavis, not spamassassin. My guess, based on my limited knowledge of amavis, is that message means one of the following: Amavis did run the message through SA, but no rules matched at all. Amavis timed out the spamassassin run. Amavis chose not to run spamassassin on the message due to some amavis level whitelisting. However, I don't know enough about amavis to tell you which of these that header means. If you don't get better help here, you might want to ask on the amavis list and/or check your mail logs for that message.
test=none
Hi! I am using spamassassin with amavis. I sometimes get mails (Spam Mails) - not tagged with ***SPAM*** but tagged with the following header: No, score=0 tagged_above=-999 required=1.7 tests=[none] What does "tests=[none]" mean? lg Martin
RE: Test?
> -Original Message- > From: Daniel Aquino [mailto:[EMAIL PROTECTED] > Sent: Friday, May 11, 2007 10:05 AM > To: users@spamassassin.apache.org > Subject: Test? > > > Is this how I send to the list ? Yes, and its better then the old way of posting. Which required bringing a shrubbery and taunting with a herring. --Chris
Re: Test?
Daniel Aquino wrote:

Is this how I send to the list ?

Congratulations you have made it ;-).

--
Grüsse/Greetings MH
Don't send mail to: [EMAIL PROTECTED]
--
Test?
Is this how I send to the list ?
Re: razor_timeout in mailscanner.cf failing lint test
That fixed it! Thank you! Daryl C. W. O wrote: > > Make sure that the Razor2 plugin is being loaded. The loadplugin line > for it is in v310.pre. If enabled (and the .pm file isn't missing, > you'll see it being loaded in the debug output). > > Daryl > -- View this message in context: http://www.nabble.com/razor_timeout-in-mailscanner.cf-failing-lint-test-tf3717236.html#a10399367 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: razor_timeout in mailscanner.cf failing lint test
harp2812 wrote: I have 3 mail servers with relatively identical configurations that I just upgraded to MailScanner 4.59.4 and SpamAssassin 3.2.0. Two of them are working fine, however on one of them, sa-compile won't run, due to the spamassassin --lint check failing. "spamassassin --lint --debug" only turns up this: [17079] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": razor_timeout 10 Looking at my two good boxes, that line seems like it should work just fine... On all 3 boxes Razor 2.82 v3 is installed and running correctly, MailScanner and SpamAssassin are parsing and scoring incoming messages without any errors, and mailscanner.cf is identical on all boxes. I'm at a loss to figure out what's going on... does anyone have any ideas? Thanks in advance! -Geromy Make sure that the Razor2 plugin is being loaded. The loadplugin line for it is in v310.pre. If enabled (and the .pm file isn't missing, you'll see it being loaded in the debug output). Daryl
razor_timeout in mailscanner.cf failing lint test
I have 3 mail servers with relatively identical configurations that I just upgraded to MailScanner 4.59.4 and SpamAssassin 3.2.0. Two of them are working fine, however on one of them, sa-compile won't run, due to the spamassassin --lint check failing. "spamassassin --lint --debug" only turns up this: [17079] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": razor_timeout 10 Looking at my two good boxes, that line seems like it should work just fine... On all 3 boxes Razor 2.82 v3 is installed and running correctly, MailScanner and SpamAssassin are parsing and scoring incoming messages without any errors, and mailscanner.cf is identical on all boxes. I'm at a loss to figure out what's going on... does anyone have any ideas? Thanks in advance! -Geromy -- View this message in context: http://www.nabble.com/razor_timeout-in-mailscanner.cf-failing-lint-test-tf3717236.html#a10399185 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
FUN: Help Rob McEwen test his new anti-spam tools!
FUN PROJECT: Help Rob McEwen test his new anti-spam tools!

As many already know... I'm one of a **small** handful of organizations with authority to blacklist and whitelist "at will" on SURBL and I've provided much administrative assistance to SURBL for years, particularly in preventing false positives. Of course, my efforts there are minuscule compared to Jeff Chan's great work! Still, Jeff has thanked me countless times for my assistance.

Most importantly, I have an "insider's view" and **uncommon expertise** into what it takes to make a "world class" blacklist and, within the next few business days, I will be officially releasing my 2 new "Invaluement Spam Blocklists":

(1) The "Invaluement-URI" blocklist (much like SURBL & URIBL)

..AND..

(2) The "Invaluement-SIP" blocklist, a Sender's IP blocklist (a.k.a. an "RBL", like DSBL, SBL, etc.). SIP = "Sender's IP"

Proverbs 15:22 says, "Without counsel plans fail, but with many advisers they succeed." NOT that these two lists will be built by committee... but, along these lines, I sure could use some feedback!

You may be asking:
--WHY SHOULD WE USE THESE LISTS?
--HOW ARE THEY HELPFUL?
--WHAT ARE THESE?

First, if you are already using SURBL & URIBL, continue to do so! Invaluement-URI will NOT replace SURBL & URIBL as those lists WILL catch things that Invaluement-URI will miss or not catch as quickly. However...

** REGARDING: "Invaluement-URI" blocklist **

(A) The "Invaluement-URI" blocklist is catching over 1,000 URIs (per week) minutes, hours, and even days BEFORE surbl or uribl or even uribl-red!

Did you catch that? Let me repeat: Invaluement-URI is listing over 1,000 URIs (per week) minutes, hours, and even days BEFORE surbl or uribl or even uribl-red! (If a URI showed up on ANY 1 of these lists, I didn't count it towards that tally. I ONLY counted items which were not on ANY of those other lists!)

Q: Why? How?
A: Mostly because Invaluement-URI is a "fast reacting" list! Often even faster than URIBL-RED!!

Q: Why is this important?
A: Because many new series of spams are listed on Invaluement-URI lightning fast and this will help you block much spam that would otherwise pass through your spam filtering during those minutes/hours BEFORE the URI is listed on SURBL or URIBL.

(B) The "False Positive Rate" for Invaluement-URI is extremely low -- and might even be better than SURBL's already very low FP rate! I have yet to spot a single egregious FP... and the **few** that I have spotted (and removed) were VERY questionable to begin with!

NOTE: Being aggressive and fast is easy... but doing such **without** the FPs is incredibly difficult. Years of programming and analysis went into the development of these two lists!

(C) Additionally, Invaluement-URI is catching many URIs, particularly phishes, that **might** NEVER be getting in SURBL or URIBL... or at least that seems to be the case as several days have gone by without them being listed.

NOTE: You might ask, "Rob, why haven't **you** placed these into SURBL or requested them be listed in URIBL?" The answer is simple. In recent weeks, finishing touches on these new lists have consumed most of my time and energies. But I do plan to use this knowledge/data to do more submissions to SURBL & URIBL. However, even then, for various reasons, such submissions will have to be "hand-submitted" and "hand-checked". Therefore, Invaluement-URI will STILL have the "upper hand" in being a fast-reaction list.

** REGARDING: "Invaluement-SIP" blocklist **

I find that many Sender's IP blocklists (a.k.a. "RBLs"):

(1) tend to catch much spam without FPs, but also seem to have diminishing returns... sort of an upper limit in their effectiveness... a "glass ceiling"

...OR...

(2) block much legit mail and/or very credible sources... or even purposely "punish" sources of legit mail for those ISP's/ESP's who are lacking in their prevention of spams sent from their network.

So you are "stuck" with one type of Sender's IP blocklist being helpful, but very limited... and the other type too aggressive to be used, requiring that you "score" it very, very low in your filtering to prevent FPs... thus minimizing its effectiveness!

IN CONTRAST... you'll find Invaluement-SIP to be a "best of both worlds" Sender's IP Blocklist. It is as aggressive and "fast reacting" as many of the best... listing MANY IPs that are not yet on other RBLs... but NOT having the high FP rate found on many other "aggressive" IP blacklists.
Re: spam test
The last one is the lowest scoring here, look at the results:

For the first mail:

Content analysis details: (13.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5751]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [88.155.128.48 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.155.128.48 listed in zen.spamhaus.org]
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The second one:

Content analysis details: (14.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.0 DC_IMG_TEXT_RATIO      BODY: Low body to pixel area ratio
 0.5 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
 0.6 SARE_SPEC_LEO_LINE03e  RAW: common Leo body text
 1.0 DC_IMG_HTML_RATIO      RAW: Low rawbody to pixel area ratio
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The third one:

Content analysis details: (14.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5442]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [84.2.4.148 listed in zen.spamhaus.org]
 3.0 BOTNET                 BOTNET
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

And finally, the low one:

Content analysis details: (5.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.3 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [12.162.173.226 listed in dnsbl.sorbs.net]

I give the BOUNCE_MESSAGE a high score because the bounce backs were driving me (and my users) mad. So I just throw them away. I know it's not very RFC-something style, but works like a charm ;-)

Luix

2007/4/10, Spamassassin List <[EMAIL PROTECTED]>:
> http://hege.li/howto/spam/spamassassin.html Remove everything from Botnet.cf RULES-section and set it up this way: Does the above line mean to remove from the # THE RULES? regards

--
- GNU-GPL: "May The Source Be With You... -
Re: spam test
http://hege.li/howto/spam/spamassassin.html Remove everything from Botnet.cf RULES-section and set it up this way: Does the above line mean to remove from the # THE RULES? regards
Re: spam test
On one server I manage, I found Botnet to be a tremendous help in tagging spam, but does produce some FPs, almost entirely because of misconfigured DNS. After notifying several mail/network admins of their fubar DNS, I got tired of trying to clean up the Internet and throttled Botnet back to 4.5 points, since it was often the only spammy factor in the FP. The only other thing I've had to do was whitelist_from_rcvd a couple of remote users who want to send mail directly through our server. I'm still a big fan of Botnet. On a related note, I once set up a new Postfix server for our local ISP to require an rDNS of a connecting client, but got a number of complaints, so I dropped that requirement. I can't fix everyone's screwed up DNS. Be nice if someone could hold their feet to the fire. IIRC, there is a major player on this list who says mail admins without a proper rDNS can go suck a rock, ... or something to that effect. Rave on, brother. On Tue, Apr 10, 2007 at 10:19:06AM +1000, Peter Russell wrote: > I have my trusted network setup correctly - but botnet fires on so many > domains, domains which would normally like to trust. > > Yes its entirely possible its not set up right...but i followed the > instructions as best i could. > > > > Bill Landry wrote: > >Robert Fitzpatrick wrote the following on 4/9/2007 4:37 PM -0800: > >>Bill Landry wrote: > >>>Peter Russell wrote the following on 4/9/2007 3:41 PM -0800: > We dont use Botnet anymore, it fires on anything/everything and > drives me nuts. > > >>>You must not have Botnet and/or your trusted_networks setup correctly > >>>then. > >>> > >>>Bill > >>I am running Postfix+Amavisd-new+SA 3.1.7 gateways on two different > >>public networks. My trusted networks are setup with those networks > >>where these gateways operate. 
Most delivery is also on those networks, > >>however, I have several off-network locations being delivered to and > >>several users using these gateways as smarthost for their own MS > >>Exchange servers. Is it safe for me to use Botnet with my trusted > >>networks setup as described? > >Sure, your setup is much like mine and botnet runs fine in our > >environment. Just take a bit of time to setup botnet and your > >trusted_networks correctly and all will run just fine. > > > >Bill Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Therefore, as God's chosen people, holy and dearly loved, clothe yourselves with compassion, kindness, humility, gentleness and patience. Colossians 3:12 (NIV)
Re: spam test
I have my trusted network setup correctly - but botnet fires on so many domains, domains which would normally like to trust. Yes its entirely possible its not set up right...but i followed the instructions as best i could. Bill Landry wrote: Robert Fitzpatrick wrote the following on 4/9/2007 4:37 PM -0800: Bill Landry wrote: Peter Russell wrote the following on 4/9/2007 3:41 PM -0800: We dont use Botnet anymore, it fires on anything/everything and drives me nuts. You must not have Botnet and/or your trusted_networks setup correctly then. Bill I am running Postfix+Amavisd-new+SA 3.1.7 gateways on two different public networks. My trusted networks are setup with those networks where these gateways operate. Most delivery is also on those networks, however, I have several off-network locations being delivered to and several users using these gateways as smarthost for their own MS Exchange servers. Is it safe for me to use Botnet with my trusted networks setup as described? Sure, your setup is much like mine and botnet runs fine in our environment. Just take a bit of time to setup botnet and your trusted_networks correctly and all will run just fine. Bill
Re: spam test
Robert Fitzpatrick wrote the following on 4/9/2007 4:37 PM -0800: > Bill Landry wrote: >> Peter Russell wrote the following on 4/9/2007 3:41 PM -0800: >>> We dont use Botnet anymore, it fires on anything/everything and >>> drives me nuts. >>> >> You must not have Botnet and/or your trusted_networks setup correctly >> then. >> >> Bill > I am running Postfix+Amavisd-new+SA 3.1.7 gateways on two different > public networks. My trusted networks are setup with those networks > where these gateways operate. Most delivery is also on those networks, > however, I have several off-network locations being delivered to and > several users using these gateways as smarthost for their own MS > Exchange servers. Is it safe for me to use Botnet with my trusted > networks setup as described? Sure, your setup is much like mine and botnet runs fine in our environment. Just take a bit of time to setup botnet and your trusted_networks correctly and all will run just fine. Bill
Re: spam test
Bill Landry wrote: Peter Russell wrote the following on 4/9/2007 3:41 PM -0800: We dont use Botnet anymore, it fires on anything/everything and drives me nuts. You must not have Botnet and/or your trusted_networks setup correctly then. Bill I am running Postfix+Amavisd-new+SA 3.1.7 gateways on two different public networks. My trusted networks are setup with those networks where these gateways operate. Most delivery is also on those networks, however, I have several off-network locations being delivered to and several users using these gateways as smarthost for their own MS Exchange servers. Is it safe for me to use Botnet with my trusted networks setup as described? -- Robert
Re: spam test
Peter Russell wrote the following on 4/9/2007 3:41 PM -0800: We dont use Botnet anymore, it fires on anything/everything and drives me nuts. You must not have Botnet and/or your trusted_networks setup correctly then. Bill
Re: spam test
We dont use Botnet anymore, it fires on anything/everything and drives me nuts. Content analysis details: (7.5 points, 5.0 required) pts rule name description -- -- 1.5 FH_RELAY_NODNS We could not determine your Reverse DNS -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 0.1 FORGED_RCVD_HELO Received: contains a forged HELO -0.0 SPF_PASS SPF: sender matches SPF record 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [88.155.128.48 listed in dnsbl.sorbs.net] 3.9 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL [88.155.128.48 listed in zen.spamhaus.org] Evan Platt wrote: At 01:53 PM 4/9/2007, Robert Fitzpatrick wrote: Can anyone run any of these messages to see how your rules score them? Mostly stock symbol spam. I've been improving our scoring with updates today, but still not able to come up with any rules to cover these: http://esmtp.webtent.net/mail1.txt pts rule name description -- -- 5.0 BOTNET Relay might be a spambot or virusbot [botnet0.7,ip=88.155.128.48,hostname=bzq-88-155-128-48.red.bezeqint.net,maildomain=natuurfoto.com,client,ipinhostname] 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [88.155.128.48 listed in dnsbl.sorbs.net] 3.1 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL [88.155.128.48 listed in sbl-xbl.spamhaus.org] http://esmtp.webtent.net/mail2.txt X-Spam-Status: No, score=2.7 required=5.0 tests=HTML_IMAGE_ONLY_16, HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_BOUND_NEXTPART,SARE_SPEC_LEO_LINE03e, SHORT_HELO_AND_INLINE_IMAGE autolearn=no version=3.1.8 http://esmtp.webtent.net/mail3.txt pts rule name description -- -- 5.0 BOTNET Relay might be a spambot or virusbot [botnet0.7,ip=84.2.4.148,hostname=dsl54020494.pool.t-online.hu,maildomain=saarcom.de,client,ipinhostname,clientwords] http://esmtp.webtent.net/mail4.txt X-Spam-Status: No, score=0.2 required=5.0 tests=RCVD_ILLEGAL_IP autolearn=no version=3.1.8 That's my system...
Re: spam test
At 01:53 PM 4/9/2007, Robert Fitzpatrick wrote: Can anyone run any of these messages to see how your rules score them? Mostly stock symbol spam. I've been improving our scoring with updates today, but still not able to come up with any rules to cover these: http://esmtp.webtent.net/mail1.txt pts rule name description -- -- 5.0 BOTNET Relay might be a spambot or virusbot [botnet0.7,ip=88.155.128.48,hostname=bzq-88-155-128-48.red.bezeqint.net,maildomain=natuurfoto.com,client,ipinhostname] 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [88.155.128.48 listed in dnsbl.sorbs.net] 3.1 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL [88.155.128.48 listed in sbl-xbl.spamhaus.org] http://esmtp.webtent.net/mail2.txt X-Spam-Status: No, score=2.7 required=5.0 tests=HTML_IMAGE_ONLY_16, HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_BOUND_NEXTPART,SARE_SPEC_LEO_LINE03e, SHORT_HELO_AND_INLINE_IMAGE autolearn=no version=3.1.8 http://esmtp.webtent.net/mail3.txt pts rule name description -- -- 5.0 BOTNET Relay might be a spambot or virusbot [botnet0.7,ip=84.2.4.148,hostname=dsl54020494.pool.t-online.hu,maildomain=saarcom.de,client,ipinhostname,clientwords] http://esmtp.webtent.net/mail4.txt X-Spam-Status: No, score=0.2 required=5.0 tests=RCVD_ILLEGAL_IP autolearn=no version=3.1.8 That's my system...
Re: spam test
--- Robert Fitzpatrick <[EMAIL PROTECTED]> wrote: > Can anyone run any of these messages to see how your rules score > them? > Mostly stock symbol spam. I've been improving our scoring with > updates > today, but still not able to come up with any rules to cover these: > > http://esmtp.webtent.net/mail1.txt > http://esmtp.webtent.net/mail2.txt > http://esmtp.webtent.net/mail3.txt > http://esmtp.webtent.net/mail4.txt > > For instance, the first one I ran on a system with bayes working and > on > a system without, as you can see, hardly scored :( > > Content analysis details: (-2.5 points, 5.0 required) > > pts rule name description > -- > -- > 0.1 FORGED_RCVD_HELO Received: contains a forged HELO > -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to > 1% > [score: 0.] > > Content analysis details: (0.0 points, 5.0 required) > > pts rule name description > -- > -- > _SUMMARY_ It is a pretty low score for a stock spam even with my setup which uses rulesdujour in addition to whatever spamassassin uses. Looks like you could use some blacklisting type rules or plugins: [22947] dbg: check: is spam? score=5.893 required=3.5 [22947] dbg: check: tests=BAYES_40,FORGED_RCVD_HELO,RCVD_IN_SORBS_DUL,RCVD_IN_XBL Finding fabulous fares is fun. Let Yahoo! FareChase search your favorite travel sites to find flight and hotel bargains. http://farechase.yahoo.com/promo-generic-14795097
spam test
Can anyone run any of these messages to see how your rules score them? Mostly stock symbol spam. I've been improving our scoring with updates today, but still not able to come up with any rules to cover these: http://esmtp.webtent.net/mail1.txt http://esmtp.webtent.net/mail2.txt http://esmtp.webtent.net/mail3.txt http://esmtp.webtent.net/mail4.txt For instance, the first one I ran on a system with bayes working and on a system without, as you can see, hardly scored :( Content analysis details: (-2.5 points, 5.0 required) pts rule name description -- -- 0.1 FORGED_RCVD_HELO Received: contains a forged HELO -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.] Content analysis details: (0.0 points, 5.0 required) pts rule name description -- -- _SUMMARY_ -- Robert
Re: v318/trunk & v320/trunk showing different header displays on FuzzyOCR test
an additional test, with a 'sent/recd' email, rather than just a file test @ cmd_line, shows similarly,

with this image,

http://img181.imageshack.us/img181/2156/spamsc2.gif

attached to an otherwise blank email, on receipt, i see in "FuzzyOCR.log",

2007-02-22 14:22:57 [27803] Processing Message with ID "<[EMAIL PROTECTED]>" ([EMAIL PROTECTED] -> )
2007-02-22 14:25:10 [6298] Processing Message with ID "<[EMAIL PROTECTED]>" (SnowCrash <[EMAIL PROTECTED]> -> "SnowCrash" <[EMAIL PROTECTED]>)
2007-02-22 14:25:10 [6298] GIF: [320x512] spam.gif (10195)
2007-02-22 14:25:10 [6298] Found: 1 images
2007-02-22 14:25:10 [6298] Found GIF header name="spam.gif"
2007-02-22 14:25:11 [6298] Image is single non-interlaced...
2007-02-22 14:25:12 [6298] Calculating image hash for: /tmp/.spamassassin6298Zhf5nItmp/spam.gif.pnm
2007-02-22 14:25:12 [6298] Scanset Order: ocrad(0) ocrad-invert(0) ocrad-decolorize-invert(0) ocrad-decolorize(0) gocr(0) gocr-180(0)
2007-02-22 14:25:14 [6298] Scanset "ocrad" found word "target" with fuzz of 0. line: "target s"
2007-02-22 14:25:14 [6298] Scanset "ocrad" found word "investor" with fuzz of 0.2500 line: " fhe lncreasing inrest receilled br th liile gotwtg"
2007-02-22 14:25:14 [6298] Scanset "ocrad" found word "breaking" with fuzz of 0.2500 line: " fhe lncreasing inrest receilled br th liile gotwtg"
2007-02-22 14:25:22 [6298] Scanset "ocrad-decolorize" found word "target" with fuzz of 0. line: "target s"
2007-02-22 14:25:22 [6298] Scanset "ocrad-decolorize" found word "investor" with fuzz of 0.2500 line: " fhe lncreasing inrest receilled br th liile gotwtg"
2007-02-22 14:25:23 [6298] Scanset "ocrad-decolorize" found word "breaking" with fuzz of 0.2500 line: " fhe lncreasing inrest receilled br th liile gotwtg"
2007-02-22 14:25:23 [6298] Scanset "gocr" found word "erectile" with fuzz of 0.2500 line: " e increasln ingrest receiled hr j lirg ne t u t "
2007-02-22 14:25:23 [6298] Scanset "gocr" found word "target" with fuzz of 0. line: "target "
2007-02-22 14:25:24 [6298] Scanset "gocr" found word "erectile" with fuzz of 0.2500 line: "eincreaslningrestreceiledhrjlirgnetut"
2007-02-22 14:25:24 [6298] Scanset "gocr" found word "buy" with fuzz of 0. line: "momemnsborqbuy"
2007-02-22 14:25:24 [6298] Scanset "gocr" found word "target" with fuzz of 0. line: "target"
2007-02-22 14:25:25 [6298] Scanset "gocr-180" found word "target" with fuzz of 0. line: "target "
2007-02-22 14:25:26 [6298] Scanset "gocr-180" found word "buy" with fuzz of 0. line: "momemnsborqbuy"
2007-02-22 14:25:26 [6298] Scanset "gocr-180" found word "target" with fuzz of 0. line: "target"
2007-02-22 14:25:26 [6298] Message is spam, score = 9.500
2007-02-22 14:25:26 [6298] Adding Hash to "/var/mail/spamassassin/local/FuzzyOcr.db" with score "9.500"
2007-02-22 14:25:26 [6298] Words found:
"erectile" in 1 lines
"target" in 1 lines
"erectile" in 1 lines
"buy" in 1 lines
"target" in 1 lines
(7.5 word occurrences found)

in the rec'd message's header, i see,

...
X-Spam-Report:
    *  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
    *  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
    *  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
    *      signs some mails
    *  0.0 DK_SIGNED Domain Keys: message has a signature
    *  0.0 DKIM_SIGNED Domain Keys Identified Mail: message has a signature
    *  1.0 DC_IMG_TEXT_RATIO BODY: Low body to pixel area ratio
    *  0.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
    *      [score: 0.0002]
    *  2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
    *  1.2 SARE_GIF_ATTACH FULL: Email has a inline gif
    *  9.5 FUZZY_OCR BODY:
...

*again*, with no header 'detail' for the FUZZY_OCR BODY header :-/

since i'm seeing the same 'missing header' biz on both,

(1) rec'd email proc'd via spamd running on my mailserver
(2) test file submitted to spamassassin via cmd line,

and, differing behavior for sa v318 & v320, with the same version of FuzzyOCR, i suspect this is a SA-related issue.

but if/what/where?

thanks.
v318/trunk & v320/trunk showing different header displays on FuzzyOCR test
i'm testing,

spamassassin --version
SpamAssassin version 3.2.0-pre1-r499012 running on Perl version 5.8.8

& am using FuzzyOCR 3.5.1 with it.

on test, as usual, of,

spamassassin -D -t -x < /usr/ports/FuzzyOcr/samples/ocr-animated.eml

i see in my 'verbose' fuzzyocr.log,

...
2007-02-22 14:07:35 [6252] Found: 1 images
2007-02-22 14:07:35 [6252] Found GIF header name="CIMG0980.gif"
2007-02-22 14:07:36 [6252] Image is interlaced or animated...
2007-02-22 14:07:36 [6252] File contains <7> images, deanimating...
2007-02-22 14:07:37 [6252] Calculating image hash for: /tmp/.spamassassin6252Qdn9h3tmp/CIMG0980.gif.pnm
2007-02-22 14:07:37 [6252] Updating Exact info File:'CIMG0980.gif' Type:'image/gif'
2007-02-22 14:07:37 [6252] Found Score <15.500> for Exact Image Hash
2007-02-22 14:07:37 [6252] Matched [1] time(s). Prev match: 15 min. 40 sec. ago
2007-02-22 14:07:37 [6252] Message is SPAM. Words found:
"investor" in 1 lines
"price" in 2 lines
"company" in 1 lines
"alert" in 1 lines
"valium" in 1 lines
"trade" in 1 lines
"banking" in 1 lines
"news" in 1 lines
(13.5 word occurrences found)
%

but, at console, i _only_ see,

...
Content analysis details:   (43.7 points, 5.0 required)

 pts rule name                    description
---- ---------------------------- --------------------------------------------------
 0.1 RDNS_NONE                    Delivered to trusted network by a host with no rDNS
 4.5 HELO_LOCALHOST               HELO_LOCALHOST
 0.5 FH_MSGID_01C67               Special MSGID
 2.3 CTYPE_001C_A                 CTYPE_001C_A
 1.7 OUTLOOK_3416                 Claims to be sent by an unusual build of Outlook (3416)
 0.0 DK_POLICY_SIGNSOME           Domain Keys: policy says domain signs some mails
 3.3 DATE_IN_FUTURE_12_24         Date: is 12 to 24 hours after Received: date
 5.0 BOTNET                       Relay might be a spambot or virusbot
                                  [botnet0.7,ip=58.186.156.15,nordns]
 0.0 DKIM_POLICY_SIGNSOME         Domain Keys Identified Mail: policy says domain signs some mails
 0.0 BOTNET_NORDNS                Relay's IP address has no PTR record
                                  [botnet_nordns,ip=58.186.156.15]
 0.0 HTML_MESSAGE                 BODY: HTML included in message
 1.9 TVD_VIS_HIDDEN               RAW: TVD_VIS_HIDDEN
 1.8 MIME_QP_LONG_LINE            RAW: Quoted-printable line longer than 76 chars
 1.5 RAZOR2_CF_RANGE_E8_51_100    Razor2 gives engine 8 confidence level above 50%
                                  [cf: 100]
 0.5 RAZOR2_CHECK                 Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100    Razor2 gives engine 4 confidence level above 50%
                                  [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100       Razor2 gives confidence level above 50%
                                  [cf: 100]
 1.4 DCC_CHECK                    Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.0 DIGEST_MULTIPLE              Message hits more than one network digest check
 3.6 XMAILER_MIMEOLE_OL_465CD     XMAILER_MIMEOLE_OL_465CD
 1.9 HDR_ORDER_FTSDMCXX_001C      Header order similar to spam (FTSDMCXX/MID variant)
 0.7 SHORT_HELO_AND_INLINE_IMAGE  Short HELO string, with inline image
  11 FUZZY_OCR                    BODY:
%

NOTE, there's NO detail to the FUZZY_OCR header output.

w/ SA v318/trunk, the additional FuzzyOCR detail would be there in the SA output.

has something changed in SA that needs to be re-config? in FuzzyOCR?

suggestions?

thanks
Re: lint test failed after rulesdujour update
On Thursday 25 January 2007 10:10 am, Matt Kettler wrote:
> Dimitri Yioulos wrote:
> > On Thursday 25 January 2007 6:33 am, Michael Connors wrote:
> >> Hi,
> >> I am new to spamassassin so sorry if my question is a bit stupid.
> >> I have mail spamassassin 3.1.0 running with mailscanner.
> >> It updates itself via RulesDuJour on a regular basis and I get an email
> >> which informs me of the update.
> >> This morning I noticed that there was an error in the process, I received
> >> a second email which contained the following plus a traceback that
> >> mentioned missing operators.
> >>
> >> **WARNING***: spamassassin --lint failed.
> >> Rolling configuration files back, not restarting SpamAssassin.
> >> Rollback command is: mv -f /etc/spamassassin/antidrug.cf
> >> /etc/spamassassin/RulesDuJour/antidrug.cf.2; mv -f
> >> /etc/spamassassin/RulesDuJour/antidrug.cf.20070125-0029
> >> /etc/spamassassin/antidrug.cf;
> >>
> >>
> >> I couldn't rollback because the file antidrug.cf.20070125-0029 did not
> >> exist so I decided to run spamassassin --lint at the command line myself
> >> expecting the same error but instead it ran ok, I sent the spamassassin
> >> test email to myself and it was caught so everything seems to be working
> >> as expected, however I would really like to know why the above error was
> >> thrown.
> >> Regards,
> >> Michael
> >
> > The creator of antidrug posted a thorough explanation of the where and
> > when regarding this rule (see
> > marc.theaimsgroup.com/?l=spamassassin-users&m=116965442518029&w=2).
> > Without trying to sound holier-than-thou (lord knows, I'm the last one
> > that should cop that attitude), you should search the archives first.
> > That said, a precis of Matt Kettler's post:
> >
> > 1. The location of antidrug.cf has moved, and;
> > 2. It's included in SA 3+ and, in fact, can be counter-productive if
> > used in combination with same.
> >
> > HTH.
> >
> > Dimitri
>
> Thank you Dimitri.
>
> I'd also add:
>
> 3) I've posted the error-generating file as a last-resort to draw
> people's attention to the fact they need to change their RDJ before
> someone else, possibly malicious, has control of my old account. A
> malicious person could post a replacement file that whitelists spam.

Matt,

Thanks for completing the info. Hence my "holier-than-thou" disclaimer.

Dimitri
Re: lint test failed after rulesdujour update
Dimitri Yioulos wrote:
> On Thursday 25 January 2007 6:33 am, Michael Connors wrote:
>
>> Hi,
>> I am new to spamassassin so sorry if my question is a bit stupid.
>> I have mail spamassassin 3.1.0 running with mailscanner.
>> It updates itself via RulesDuJour on a regular basis and I get an email
>> which informs me of the update.
>> This morning I noticed that there was an error in the process, I received
>> a second email which contained the following plus a traceback that
>> mentioned missing operators.
>>
>> **WARNING***: spamassassin --lint failed.
>> Rolling configuration files back, not restarting SpamAssassin.
>> Rollback command is: mv -f /etc/spamassassin/antidrug.cf
>> /etc/spamassassin/RulesDuJour/antidrug.cf.2; mv -f
>> /etc/spamassassin/RulesDuJour/antidrug.cf.20070125-0029
>> /etc/spamassassin/antidrug.cf;
>>
>>
>> I couldn't rollback because the file antidrug.cf.20070125-0029 did not
>> exist so I decided to run spamassassin --lint at the command line myself
>> expecting the same error but instead it ran ok, I sent the spamassassin
>> test email to myself and it was caught so everything seems to be working
>> as expected, however I would really like to know why the above error was
>> thrown.
>> Regards,
>> Michael
>>
>
> The creator of antidrug posted a thorough explanation of the where and when
> regarding this rule (see
> marc.theaimsgroup.com/?l=spamassassin-users&m=116965442518029&w=2). Without
> trying to sound holier-than-thou (lord knows, I'm the last one that should
> cop that attitude), you should search the archives first. That said, a
> precis of Matt Kettler's post:
>
> 1. The location of antidrug.cf has moved, and;
> 2. It's included in SA 3+ and, in fact, can be counter-productive if used in
> combination with same.
>
> HTH.
>
> Dimitri
>
>

Thank you Dimitri.

I'd also add:

3) I've posted the error-generating file as a last-resort to draw people's attention to the fact they need to change their RDJ before someone else, possibly malicious, has control of my old account. A malicious person could post a replacement file that whitelists spam.
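The risk raised in point 3, a replacement rule file that whitelists spam, is something an updater can screen for before installing a fetched file. The following is an added example, not code from RulesDuJour or SpamAssassin; the function name `audit_rules`, the finding labels and the sample rule file are constructed for illustration, and only standard SpamAssassin directive names are matched.

```python
# Directives that exempt senders or recipients from scoring.
ALLOW_DIRECTIVES = {
    "whitelist_from", "whitelist_from_rcvd", "def_whitelist_from_rcvd",
    "whitelist_to", "more_spam_to", "all_spam_to", "whitelist_auth",
    "def_whitelist_auth", "whitelist_from_spf", "whitelist_from_dkim",
}
# Site-wide policy a third-party rule file has no reason to set.
POLICY_DIRECTIVES = {"required_score", "trusted_networks", "internal_networks"}
# Keywords that define a rule; the second field is the rule name.
RULE_TYPES = {"header", "body", "rawbody", "uri", "full", "meta", "mimeheader"}

# Constructed sample of a tampered rule file (not a real antidrug.cf).
SAMPLE_RULES = r"""# Constructed sample for the audit below
body     LOCAL_DRUG_TERM   /\bv[i1]agra\b/i
describe LOCAL_DRUG_TERM   Mentions a drug name
score    LOCAL_DRUG_TERM   2.5
whitelist_from *@example.com
score    BAYES_99 0
header   LOCAL_PASS  Subject =~ /./
score    LOCAL_PASS  -50
required_score 100
"""


def audit_rules(text):
    """Return (line number, finding, subject) for lines that weaken filtering."""
    parsed, defined = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Cutting at '#' may truncate a regex, but only the first
        # fields (keyword, rule name, scores) are inspected.
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        parsed.append((lineno, fields))
        if fields[0] in RULE_TYPES and len(fields) > 1:
            defined.add(fields[1])

    findings = []
    for lineno, fields in parsed:
        key = fields[0]
        if key in ALLOW_DIRECTIVES:
            findings.append((lineno, "allowlist", key))
        elif key in POLICY_DIRECTIVES:
            findings.append((lineno, "global-policy", key))
        elif key == "score" and len(fields) >= 3:
            name = fields[1]
            if name not in defined:
                # Re-scoring a rule this file does not define, e.g. zeroing
                # a stock rule, changes behaviour outside the rule set.
                findings.append((lineno, "rescores-foreign-rule", name))
                continue
            values = []
            for token in fields[2:]:
                try:
                    values.append(float(token.strip("()")))
                except ValueError:
                    pass
            if any(value < 0 for value in values):
                findings.append((lineno, "negative-score", name))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

A non-empty result is a reason to hold the update for manual review instead of installing it.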
Re: lint test failed after rulesdujour update
On Thursday 25 January 2007 6:33 am, Michael Connors wrote:
> Hi,
> I am new to spamassassin so sorry if my question is a bit stupid.
> I have mail spamassassin 3.1.0 running with mailscanner.
> It updates itself via RulesDuJour on a regular basis and I get an email
> which informs me of the update.
> This morning I noticed that there was an error in the process, I received
> a second email which contained the following plus a traceback that
> mentioned missing operators.
>
> **WARNING***: spamassassin --lint failed.
> Rolling configuration files back, not restarting SpamAssassin.
> Rollback command is: mv -f /etc/spamassassin/antidrug.cf
> /etc/spamassassin/RulesDuJour/antidrug.cf.2; mv -f
> /etc/spamassassin/RulesDuJour/antidrug.cf.20070125-0029
> /etc/spamassassin/antidrug.cf;
>
>
> I couldn't rollback because the file antidrug.cf.20070125-0029 did not
> exist so I decided to run spamassassin --lint at the command line myself
> expecting the same error but instead it ran ok, I sent the spamassassin
> test email to myself and it was caught so everything seems to be working
> as expected, however I would really like to know why the above error was
> thrown.
> Regards,
> Michael

The creator of antidrug posted a thorough explanation of the where and when regarding this rule (see marc.theaimsgroup.com/?l=spamassassin-users&m=116965442518029&w=2). Without trying to sound holier-than-thou (lord knows, I'm the last one that should cop that attitude), you should search the archives first. That said, a precis of Matt Kettler's post:

1. The location of antidrug.cf has moved, and;
2. It's included in SA 3+ and, in fact, can be counter-productive if used in combination with same.

HTH.

Dimitri
lint test failed after rulesdujour update
Hi,
I am new to spamassassin so sorry if my question is a bit stupid.
I have mail spamassassin 3.1.0 running with mailscanner.
It updates itself via RulesDuJour on a regular basis and I get an email which informs me of the update.
This morning I noticed that there was an error in the process, I received a second email which contained the following plus a traceback that mentioned missing operators.

**WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is: mv -f /etc/spamassassin/antidrug.cf /etc/spamassassin/RulesDuJour/antidrug.cf.2; mv -f /etc/spamassassin/RulesDuJour/antidrug.cf.20070125-0029 /etc/spamassassin/antidrug.cf;

I couldn't rollback because the file antidrug.cf.20070125-0029 did not exist so I decided to run spamassassin --lint at the command line myself expecting the same error but instead it ran ok, I sent the spamassassin test email to myself and it was caught so everything seems to be working as expected, however I would really like to know why the above error was thrown.

Regards,
Michael
Re: --lint test fails
That did it thanks. It was in the local.cf file.
Re: --lint test fails
On Sun, Dec 31, 2006 at 05:30:39PM -0500, Vernon Webb wrote:
> > 2) "pyzor_add_header" isn't a valid config option. See "perldoc
> > Mail::SpamAssassin::Plugin::Pyzor" for more info. Perhaps you want to just
> > use the add_header option with the _PYZOR_ tag? (see "perldoc
> > Mail::SpamAssassin::Conf" for info on that)
>
> I'm sorry I know how tired people get of answering questions of people who
> have not read the docs. I have, I'm just lost. Where exactly is this line
> written the add_header so I can remove it?

Now I'm confused. The original message you posted was about a lint failure for "pyzor_add_header 1", which I had assumed you added in. Are you asking where that config line is? If so, I can't answer that for you, it's your config. ;)

It would likely be in your site config area, which is probably /etc/mail/spamassassin. So something like "grep pyzor_add_header /etc/mail/spamassassin/*.cf" is probably going to find it for you. If it doesn't, you can run "spamassassin --lint -D config", get the list of config files being used, and grep each of them looking for "pyzor_add_header".

> I've checked the perldoc Mail::SpamAssassin::Plugin::Pyzor and it doesn't
> make any sense to me. I have installed SA and pyzor (and the myriad of other
> aforementioned plugins) and have not had to modify anything other than SA
> itself. Is there something I am missing here?

If you've enabled the plugin, and there are no errors as seen by "--lint -D", then you should be fine. The problem so far is that you added in a config option that's not valid, so you get a lint warning.

--
Randomly Selected Tagline:
"You are in a twisty little maze of Sendmail rules, all confusing."
- jon schatz in <[EMAIL PROTECTED]>
Re: --lint test fails
> 2) "pyzor_add_header" isn't a valid config option. See "perldoc
> Mail::SpamAssassin::Plugin::Pyzor" for more info. Perhaps you want to just
> use the add_header option with the _PYZOR_ tag? (see "perldoc
> Mail::SpamAssassin::Conf" for info on that)

I'm sorry I know how tired people get of answering questions of people who have not read the docs. I have, I'm just lost. Where exactly is this line written the add_header so I can remove it?

I've checked the perldoc Mail::SpamAssassin::Plugin::Pyzor and it doesn't make any sense to me. I have installed SA and pyzor (and the myriad of other aforementioned plugins) and have not had to modify anything other than SA itself. Is there something I am missing here?

Thanks
Re: --lint test fails
Vernon Webb wrote:
>> Erm, you're not supposed to remove it. You're supposed to ADD it, or if
>> it's already there, make sure it's not commented out with a #.
>
> Well it was there and it was not commented out so I did comment it out but I am still
> getting the error.
>

You really really really need to read the documentation. People are here to help you and more than willing to, but it is very impolite to ask questions without reading the docs first (and getting a basic understanding of SpamAssassin).

Kind Regards,
Sander Holthaus
Re: --lint test fails
On Fri, Dec 29, 2006 at 07:56:09PM -0500, Vernon Webb wrote:
> Well it was there and it was not commented out so I did comment it out but I
> am still getting the error.

Ok, there's 2 things going on here.

1) You need the plugin loaded. It sounds like you have that, if the "loadplugin" line is there, uncommented in the pre file.

2) "pyzor_add_header" isn't a valid config option. See "perldoc Mail::SpamAssassin::Plugin::Pyzor" for more info. Perhaps you want to just use the add_header option with the _PYZOR_ tag? (see "perldoc Mail::SpamAssassin::Conf" for info on that)

--
Randomly Selected Tagline:
"Spending time with my ex-wife this weekend was more enjoyable than this interview, but it was close." - Unknown
Re: --lint test fails
> Erm, you're not supposed to remove it. You're supposed to ADD it, or if
> it's already there, make sure it's not commented out with a #.

Well it was there and it was not commented out so I did comment it out but I am still getting the error.
Re: --lint test fails
Vernon Webb wrote:
> I'm using 3.1.4 and I tried removing the line in the v310pre however I am
> still getting that error.
>

Erm, you're not supposed to remove it. You're supposed to ADD it, or if it's already there, make sure it's not commented out with a #.

>
>> assuming you're running a recent 31x ver of SA, that cmd is no longer
>> the way to enable pyzor ...
>>
>> rather, this
>>
>>    loadplugin Mail::SpamAssassin::Plugin::Pyzor
>>
>> is added to init.pre.
>>
Re: --lint test fails
I'm using 3.1.4 and I tried removing the line in the v310pre however I am still getting that error.

> assuming you're running a recent 31x ver of SA, that cmd is no longer
> the way to enable pyzor ...
>
> rather, this
>
>    loadplugin Mail::SpamAssassin::Plugin::Pyzor
>
> is added to init.pre.
Re: --lint test fails
In running a lint test on one of my boxes I get the following error which I can't seem to figure out why. Pyzor is installed and the path is correct:

[3075] warn: config: failed to parse line, skipping: pyzor_add_header 1
[3075] warn: lint: 1 issues detected, please rerun with debug enabled for more information

assuming you're running a recent 31x ver of SA, that cmd is no longer the way to enable pyzor ...

rather, this

   loadplugin Mail::SpamAssassin::Plugin::Pyzor

is added to init.pre.
--lint test fails
In running a lint test on one of my boxes I get the following error which I can't seem to figure out why. Pyzor is installed and the path is correct:

[3075] warn: config: failed to parse line, skipping: pyzor_add_header 1
[3075] warn: lint: 1 issues detected, please rerun with debug enabled for more information

Anyone?
test
disregard Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
Re: test of HELO addresses
Michael Scheidell wrote:
-----Original Message-----
From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 23, 2006 10:48 AM
To: Michael Scheidell
Cc: John van Oppen; users@spamassassin.apache.org
Subject: Re: test of HELO addresses

Michael Scheidell wrote:
-----Original Message-----
From: John van Oppen [mailto:[EMAIL PROTECTED]
Is there a test that already does this?
SPF
I sure hope the SPF module is NOT using the HELO string for checking. That would be incredibly broken.
Read the spf specs. It specifies BOTH options.

I don't remember seeing that in the SPF specs... but that pretty much removes my one last bit of respect for SPF. The HELO string is pretty much a meaningless piece of garbage. Expecting to do anything useful with that string is pretty pointless, unless you're purely looking for patterns of garbage (ie. SPF has no business looking at it for trinary pass/no-pass/fail, but SA should certainly look for "fingerprints of stupidity" in it).
Re: test of HELO addresses
John Rudd wrote:
> Michael Scheidell wrote:
>>> -----Original Message-----
>>> From: John van Oppen [mailto:[EMAIL PROTECTED]
>
>>> Is there a test that already does this?
>>
>> SPF
>
> I sure hope the SPF module is NOT using the HELO string for
> checking. That would be incredibly broken.
>
>

It would be broken in what respect? The HELO/EHLO string a host provides does need to make some sense.
RE: test of HELO addresses
> -----Original Message-----
> From: John Rudd [mailto:[EMAIL PROTECTED]
> Sent: Saturday, December 23, 2006 10:48 AM
> To: Michael Scheidell
> Cc: John van Oppen; users@spamassassin.apache.org
> Subject: Re: test of HELO addresses
>
>
> Michael Scheidell wrote:
> >> -----Original Message-----
> >> From: John van Oppen [mailto:[EMAIL PROTECTED]
> >
> >> Is there a test that already does this?
> >
> > SPF
>
> I sure hope the SPF module is NOT using the HELO string for checking.
> That would be incredibly broken.
>
>

Read the spf specs. It specifies BOTH options.
Re: test of HELO addresses
Michael Scheidell wrote:
-----Original Message-----
From: John van Oppen [mailto:[EMAIL PROTECTED]
Is there a test that already does this?
SPF

I sure hope the SPF module is NOT using the HELO string for checking. That would be incredibly broken.
RE: test of HELO addresses
> -----Original Message-----
> From: John van Oppen [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 22, 2006 5:54 PM
> To: users@spamassassin.apache.org
> Subject: test of HELO addresses
>
>
> Received: from cpe-76-190-23-240.woh.res.rr.com (HELO earthlink.net)
> (76.190.23.240)
> by 0 with SMTP; Fri, 22 Dec 2006 14:48:14 -0800
> From: "Kristi B Valladares" <[EMAIL PROTECTED]>
>
>
> What I want to do is lookup the HELO data in DNS (in this case
> earthlink.net) and confirm that the IP it was received from
> (in this case 76.190.23.240) is not the IP address (or even
> in the same subnet) that the HELO resolves to.
>
> Is there a test that already does this?

SPF
RE: test of HELO addresses
Yes, it's called HELO tests. This example you give should be tagged with FORGED_RCVD_HELO

And SA does loads more HELO tests by default, if it's not working there's probably something wrong with your DNS setup (missing Net::DNS or something like that). Go to the /usr/share/spamassassin/ dir and do a 'grep HELO *' and see how much it comes up with.

-Sietse

-----Original Message-----
From: John van Oppen [mailto:[EMAIL PROTECTED]
Sent: Friday, December 22, 2006 23:54
To: users@spamassassin.apache.org
Subject: test of HELO addresses

So, what I am looking for is a test that looks up the HELO address in DNS and compares it to the IP that it was sourced from. I have some spam with the following received characteristics which would have been a great demo for this possible test:

Received: from cpe-76-190-23-240.woh.res.rr.com (HELO earthlink.net) (76.190.23.240)
  by 0 with SMTP; Fri, 22 Dec 2006 14:48:14 -0800
From: "Kristi B Valladares" <[EMAIL PROTECTED]>

What I want to do is lookup the HELO data in DNS (in this case earthlink.net) and confirm that the IP it was received from (in this case 76.190.23.240) is not the IP address (or even in the same subnet) that the HELO resolves to.

Is there a test that already does this?

Thanks,
John
test of HELO addresses
So, what I am looking for is a test that looks up the HELO address in DNS and compares it to the IP that it was sourced from. I have some spam with the following received characteristics which would have been a great demo for this possible test:

Received: from cpe-76-190-23-240.woh.res.rr.com (HELO earthlink.net) (76.190.23.240)
  by 0 with SMTP; Fri, 22 Dec 2006 14:48:14 -0800
From: "Kristi B Valladares" <[EMAIL PROTECTED]>

What I want to do is lookup the HELO data in DNS (in this case earthlink.net) and confirm that the IP it was received from (in this case 76.190.23.240) is not the IP address (or even in the same subnet) that the HELO resolves to.

Is there a test that already does this?

Thanks,
John
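The comparison described in this post, as an added example that is not part of the thread and not SpamAssassin's own code: it parses the quoted Received layout, resolves the HELO name and classifies the connecting IP as an exact match, same subnet, or mismatch. The resolver is a constructed lookup table with placeholder addresses so the block runs offline; `check_helo`, `sample_resolver`, the verdict strings and the /24 and /64 subnet widths are assumptions chosen here.

```python
import ipaddress
import re

# Constructed stand-in for DNS so the example runs offline. The addresses are
# documentation-range placeholders, NOT the real records for these names.
SAMPLE_DNS = {
    "earthlink.net": ["192.0.2.10", "192.0.2.11"],
    "mail.example.org": ["198.51.100.25", "2001:db8::25"],
}

# The Received header quoted in the post.
POSTED_HEADER = (
    "Received: from cpe-76-190-23-240.woh.res.rr.com (HELO earthlink.net)\n"
    " (76.190.23.240)\n by 0 with SMTP; Fri, 22 Dec 2006 14:48:14 -0800"
)

# Layout used by that header: from <rdns> (HELO <helo>) (<ip>) by ...
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<ip>[0-9A-Fa-f:.]+)\)"
)


def sample_resolver(name):
    """Return the constructed address list for a name (empty if unknown)."""
    return SAMPLE_DNS.get(name, [])


def parse_received(header):
    """Extract (helo, client_ip) from one Received header, or None."""
    match = RECEIVED_RE.search(" ".join(header.split()))  # undo line folding
    if match is None:
        return None
    try:
        client = ipaddress.ip_address(match.group("ip"))
    except ValueError:
        return None
    return match.group("helo").lower().rstrip("."), client


def check_helo(header, resolve, v4_prefix=24, v6_prefix=64):
    """Classify the HELO name against the connecting IP.

    Returns "match", "same_subnet", "mismatch", "unresolvable" or "unparsed".
    """
    parsed = parse_received(header)
    if parsed is None:
        return "unparsed"
    helo, client = parsed

    if helo.startswith("["):  # address literal such as [192.0.2.1]
        text = helo.strip("[]")
        if text.startswith("ipv6:"):
            text = text[5:]
        try:
            return "match" if ipaddress.ip_address(text) == client else "mismatch"
        except ValueError:
            return "unparsed"

    verdict = "unresolvable"
    prefix = v4_prefix if client.version == 4 else v6_prefix
    for text in resolve(helo):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # ignore junk in the answer set
        if addr == client:
            return "match"
        if addr.version == client.version and client in ipaddress.ip_network(
            f"{addr}/{prefix}", strict=False
        ):
            verdict = "same_subnet"
        elif verdict == "unresolvable":
            verdict = "mismatch"
    return verdict


if __name__ == "__main__":
    print(check_helo(POSTED_HEADER, sample_resolver))
```

To run it against live DNS, pass a resolver that returns address strings for a name in place of `sample_resolver`.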
Some ideas to test the To or the cc-lines ...
Hello

In those lines you find comma-separated e-mails containing and normally those lines contain my own e-mail address.

a) But sometimes this list contains not only my address but a known spam-trap address too. For example, let the spam be addressed to [EMAIL PROTECTED] and [EMAIL PROTECTED] and let the first address be the normal address of someone, while the second one is the newsgroup address or an old invalid address which has had a definite lifetime. In both cases you can say: if both addresses appear, the mail is spam.

b) Another interesting test may be the real names of those addresses, if available. I'm not "Sandra McKintosh" for example, and if the real-name part contains a foreign name, it is spam.

All you need is a concept to store a set of parameters for each e-mail address: a) a list of spam-trap addresses and b) a list of possible real-name values in the "To" and the "cc" line.

Best regards
Wolfgang Uhr
SPF test issue
I am using the latest and greatest production ver of SA. In it, there is an SPF test and I am having issues with what it is comparing to. Below is the email and the spf record. My emails fail when I remove this "ip4:10.1.3" but pass when I put it in. My issue is why is SA looking at the original sending host (the self reported IP to boot and not the actual external IP). Laptop users could have any IP and for SPF to work, you need to focus on the mail servers. They are the only ones that matter in this. Am I wrong here? Is my mail server putting the wrong headers in?

Tom

v=spf1 ip4:70.90.48.20 ip4:70.90.48.21 ip4:10.1.3 a mx ptr a:nova.terranovum.com a:crampon.terranovum.com a:smtp.terranovum.com mx:mail.terranovum.com ~all

Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on nova.terranovum.com
X-Spam-Level: **
X-Spam-Status: No, score=2.7 required=4.0 tests=BLANK_LINES_70_80, SPF_SOFTFAIL autolearn=disabled version=3.1.5
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from permemail08.alumniconnections.com (permemail08.alumniconnections.com [198.212.10.55]) by nova.terranovum.com (Postfix) with ESMTP id EE3A2356559 for <[EMAIL PROTECTED]>; Wed, 6 Dec 2006 08:51:47 -0500 (EST)
Received: from permemail08.alumniconnections.com (localhost [127.0.0.1]) by permemail08.alumniconnections.com (Postfix) with ESMTP id E88FE70B1 for <[EMAIL PROTECTED]>; Wed, 6 Dec 2006 08:44:00 -0500 (EST)
Received: from brandy.adelphi.edu (brandy.adelphi.edu [192.147.12.5]) by permemail08.alumniconnections.com (Postfix) with ESMTP id 924436AB8 for <[EMAIL PROTECTED]>; Wed, 6 Dec 2006 08:43:39 -0500 (EST)
Received: from brandy.adelphi.edu (127.0.0.1) by brandy.adelphi.edu (MlfMTA v3.2r1b3) id her3pk0171sh for <[EMAIL PROTECTED]>; Wed, 6 Dec 2006 08:35:03 -0500 (envelope-from <[EMAIL PROTECTED]>)
Received: from nova.terranovum.com ([70.90.48.21]) by brandy.adelphi.edu (Adelphi University) with ESMTP; Wed, 06 Dec 2006 08:34:59 -0500
Received: from [10.0.1.3] (katahdin.terranovum.com [70.90.48.17]) by nova.terranovum.com (Postfix) with ESMTP id 758C5356595 for <[EMAIL PROTECTED]>; Wed, 6 Dec 2006 08:48:52 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Transfer-Encoding: 7bit
Message-Id: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=US-ASCII; format=flowed
To: Thomas Bolioli <[EMAIL PROTECTED]>
From: Thomas Bolioli <[EMAIL PROTECTED]>
Subject: test email spf
Date: Wed, 6 Dec 2006 08:48:43 -0500
X-Mailer: Apple Mail (2.752.3)
X-Mlf-Threat: nothreat
X-Mlf-Threat-Detailed: nothreat;none;none;none
X-Mlf-UniqueId: i200612061334590051206
X-Virus-Scanned: ClamAV using ClamSMTP

this is a test of the new spf records
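To see what the literal address terms of the posted SPF record decide for a given relay, here is an added example (not from the post and not SpamAssassin's SPF plugin). It evaluates only `ip4`, `ip6` and `all` left to right, lists terms that do not parse, and reports `a`, `mx` and `ptr` as unevaluated because they need DNS, so a full evaluator could still pass on one of those. The function name `evaluate_literal_terms` and the report keys are assumptions made here.

```python
import ipaddress

# SPF record exactly as quoted in the post.
POSTED_RECORD = (
    "v=spf1 ip4:70.90.48.20 ip4:70.90.48.21 ip4:10.1.3 a mx ptr "
    "a:nova.terranovum.com a:crampon.terranovum.com a:smtp.terranovum.com "
    "mx:mail.terranovum.com ~all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_literal_terms(record, client_ip):
    """Evaluate the ip4/ip6/all terms of an SPF record for one client IP.

    Returns a dict with:
      result      - result of the first matching literal term ("neutral" if none)
      matched     - the term that decided the result, or None
      malformed   - ip4/ip6 terms whose value is not a valid address or network
      unevaluated - terms that need DNS (a, mx, ptr, include, ...) or modifiers
    """
    client = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")

    report = {"result": "neutral", "matched": None,
              "malformed": [], "unevaluated": []}
    for term in terms[1:]:
        qualifier, body = "+", term
        if term[0] in QUALIFIERS:
            qualifier, body = term[0], term[1:]
        name, _, value = body.partition(":")
        name = name.lower()

        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
                if network.version != int(name[2]):
                    raise ValueError("address family does not match mechanism")
            except ValueError:
                report["malformed"].append(term)
                continue
            hit = client in network
        elif name == "all":
            hit = True
        else:
            report["unevaluated"].append(term)
            continue

        # First match wins; keep scanning only to collect the other lists.
        if hit and report["matched"] is None:
            report["result"] = QUALIFIERS[qualifier]
            report["matched"] = term
    return report


if __name__ == "__main__":
    # Addresses taken from the Received headers in the post.
    for ip in ("70.90.48.21", "198.212.10.55", "10.0.1.3"):
        print(ip, evaluate_literal_terms(POSTED_RECORD, ip))
```

The three addresses in the `__main__` block are the nova.terranovum.com address, the permemail08.alumniconnections.com relay and the bracketed client address from the Received headers above.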