Re: Turning the Screws

2007-06-17 Thread Lindsay Haisley
On Sun, 2007-06-17 at 19:24 -0400, Michael B Allen wrote:
> Although rules_du_jour is still giving me HTML for SARE_OEM.

Delete /etc/mail/spamassassin/RulesDuJour/70_sare_oem*
(or /etc/spamassassin/RulesDuJour/70_sare_oem*) and run rules_du_jour
again.

-- 
Lindsay Haisley       | "In an open world,    | PGP public key
FMP Computer Services |    who needs Windows  |  available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |



Re: Turning the Screws

2007-06-17 Thread Michael B Allen
Hi Jerry,

I added a bunch of other SARE cfs and I'm doing much much better now.

Although rules_du_jour is still giving me HTML for SARE_OEM.

Thanks to all who helped,
Mike

On Sun, 17 Jun 2007 12:45:34 -0700
Jerry Durand <[EMAIL PROTECTED]> wrote:

> 70_sare_oem.cf

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/


Re: Turning the Screws

2007-06-17 Thread Jerry Durand

At 12:39 PM 6/17/2007, Michael B Allen wrote:

> Hi,
>
> With only SARE_STOCKS EVILNUMBERS0 SARE_RANDOM I'm still getting
> quite a bit of spam.
>
> What SARE rule do people recommend? Is it ok to have a lot of them?
>
> Mike

While by no means a special list, here's what I use:

updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_evilnum1.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net
70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_obfu1.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
00_FVGT_File001.cf.sare.sa-update.dostech.net
88_FVGT_headers.cf.sare.sa-update.dostech.net
backhair.cf.sare.sa-update.dostech.net
chickenpox.cf.sare.sa-update.dostech.net
mangled.cf.sare.sa-update.dostech.net
weeds.cf.sare.sa-update.dostech.net



--
Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
tel: +1 408 356-3886, USA toll free: 1 866 356-3886
Skype:  jerrydurand



Re: Turning the Screws

2007-06-17 Thread Michael B Allen
Hi,

With only SARE_STOCKS EVILNUMBERS0 SARE_RANDOM I'm still getting quite a bit of 
spam.

What SARE rule do people recommend? Is it ok to have a lot of them?

Mike


Re: Turning the Screws

2007-06-16 Thread Lindsay Haisley
On Sat, 2007-06-16 at 15:49 -0700, SM wrote:
> Unfortunately, nobody reads that or else we would not be seeing one 
> week of messages about SARE RBJ failures.

Oh well 

I guess you have to be an old-time UNIX geek to know to look in script
files for clues on how to use them.

-- 
Lindsay Haisley       | "In an open world,    | PGP public key
FMP Computer Services |    who needs Windows  |  available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |



Re: Turning the Screws

2007-06-16 Thread SM

At 15:02 16-06-2007, Lindsay Haisley wrote:

> /var/lib/spamassassin/rules_du_jour has copious comments with usage
> instructions and commented settable options in the script itself.  Take
> a look at it with your favorite text editor.


Unfortunately, nobody reads that or else we would not be seeing one 
week of messages about SARE RBJ failures.


Regards,
-sm




Re: Turning the Screws

2007-06-16 Thread Lindsay Haisley
Rules Emporium has been having some issues with a DDoS attack and made
some configuration changes pursuant to overcoming this and probably
balancing their load.  Looks like they had a redirect and curl doesn't
understand an http-equiv="refresh" or else the HTML was incorrect and
curl just barfed on it, which looks more likely from the error.

Go to /etc/spamassassin/RulesDuJour
(or /etc/mail/spamassassin/RulesDuJour) and delete all the
99_FVGT_Tripwire* files and re-run rules_du_jour.  All should be well.

I noticed the same problem here and this solved it.

On Sat, 2007-06-16 at 18:07 -0400, Michael B Allen wrote:
> But now I see the TRIPWIRE config is croaking on some HTML in the cf:
> 
> ***WARNING***: spamassassin --lint failed.
> Rolling configuration files back, not restarting SpamAssassin.
> Rollback command is:  mv
> -f /etc/mail/spamassassin/tripwire.cf 
> /etc/mail/spamassassin/RulesDuJour/99_FVGT_Tripwire.cf.2; rm -f 
> /etc/mail/spamassassin/tripwire.cf; mv -f 
> /etc/mail/spamassassin/70_sare_evilnum0.cf 
> /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.2; rm -f 
> /etc/mail/spamassassin/70_sare_evilnum0.cf; mv -f 
> /etc/mail/spamassassin/70_sare_random.cf 
> /etc/mail/spamassassin/RulesDuJour/70_sare_random.cf.2; rm -f 
> /etc/mail/spamassassin/70_sare_random.cf;
> 
> Lint output: [7529] warn: config: failed to parse line, skipping:
> 
> [7529] warn: config: failed to parse line, skipping:  HTTP-EQUIV="Pragma" CONTENT="no-cache">
> [7529] warn: config: failed to parse line, skipping:  HTTP-EQUIV="Expires" CONTENT="-1">
> [7529] warn: config: failed to parse line, skipping: 
> [7529] warn: lint: 4 issues detected, please rerun with debug enabled
> for more information
> 
> Removing it from TRUSTED_RULESETS resolved the problem but apparently
> something is not optimal.
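
The failure discussed in this message, a fetched ruleset that is really an HTML page, can be spotted in the cache directory before `spamassassin --lint` trips over it. This is an added example, not part of the thread or of the rules_du_jour script: a POSIX shell check that flags cached files containing a line that starts with `<`; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag cached ruleset files that hold HTML instead of rules.
# A SpamAssassin config line starts with a keyword (header, body, score, ...)
# or '#', never with '<', so a leading '<' marks a web page, not a ruleset.

# Return 0 if FILE has a line whose first non-blank character is '<'.
looks_like_html() {
    grep -q '^[[:space:]]*<' "$1"
}

# Print every *.cf* file in DIR that looks like HTML.
# Returns 0 if all files are clean, 1 if any is suspect.
scan_ruleset_cache() {
    dir=$1
    bad=0
    for f in "$dir"/*.cf*; do
        [ -f "$f" ] || continue
        if looks_like_html "$f"; then
            printf '%s\n' "$f"
            bad=1
        fi
    done
    return "$bad"
}

# Demo on constructed files: one plausible rule file, one HTML error page.
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/70_sare_random.cf" <<'EOF'
# constructed sample rule, not a real SARE rule
body     EXAMPLE_RULE  /example phrase/i
describe EXAMPLE_RULE  Constructed rule for the demo
score    EXAMPLE_RULE  0.1
EOF
    cat > "$tmp/99_FVGT_Tripwire.cf" <<'EOF'
<html><head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</head></html>
EOF
    status=0
    scan_ruleset_cache "$tmp" || status=$?
    rm -rf "$tmp"
    return "$status"
}

# Stand-alone use: pass the cache directory as the first argument.
if [ $# -gt 0 ]; then scan_ruleset_cache "$1"; fi
```

Run it against the RulesDuJour cache directory; any file it prints is a candidate for deletion and re-fetch.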




Re: Turning the Screws

2007-06-16 Thread Michael B Allen
On Sat, 16 Jun 2007 17:02:29 -0500
Lindsay Haisley <[EMAIL PROTECTED]> wrote:

> On Sat, 2007-06-16 at 17:53 -0400, Michael B Allen wrote:
> > When I run ./rules_du_jour I just get a mess of errors about trying
> > to write to /etc/spamassassin which does not exist.
> 
> Make /etc/spamassassin a symlink to /etc/mail/spamassassin.  This is how
> Gentoo Linux has it set up.

Hi Lindsay,

Actually from reading the script I was able to create a suitable config.

> >  Apparently CentOS
> > uses /etc/mail/spamassassin/ and more so /usr/share/spamassassin/ for
> > cf files. Is there any documentation for this script?
> 
> /var/lib/spamassassin/rules_du_jour has copious comments with usage
> instructions and commented settable options in the script itself.  Take
> a look at it with your favorite text editor.

Yup.

But now I see the TRIPWIRE config is croaking on some HTML in the cf:

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f /etc/mail/spamassassin/tripwire.cf 
/etc/mail/spamassassin/RulesDuJour/99_FVGT_Tripwire.cf.2; rm -f 
/etc/mail/spamassassin/tripwire.cf; mv -f 
/etc/mail/spamassassin/70_sare_evilnum0.cf 
/etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.2; rm -f 
/etc/mail/spamassassin/70_sare_evilnum0.cf; mv -f 
/etc/mail/spamassassin/70_sare_random.cf 
/etc/mail/spamassassin/RulesDuJour/70_sare_random.cf.2; rm -f 
/etc/mail/spamassassin/70_sare_random.cf;

Lint output: [7529] warn: config: failed to parse line, skipping: 

[7529] warn: config: failed to parse line, skipping: 
[7529] warn: config: failed to parse line, skipping: 
[7529] warn: config: failed to parse line, skipping: 
[7529] warn: lint: 4 issues detected, please rerun with debug enabled for more 
information

Removing it from TRUSTED_RULESETS resolved the problem but apparently
something is not optimal.

Mike


Re: Turning the Screws

2007-06-16 Thread Lindsay Haisley
On Sat, 2007-06-16 at 17:53 -0400, Michael B Allen wrote:
> When I run ./rules_du_jour I just get a mess of errors about trying
> to write to /etc/spamassassin which does not exist.

Make /etc/spamassassin a symlink to /etc/mail/spamassassin.  This is how
Gentoo Linux has it set up.

>  Apparently CentOS
> uses /etc/mail/spamassassin/ and more so /usr/share/spamassassin/ for
> cf files. Is there any documentation for this script?

/var/lib/spamassassin/rules_du_jour has copious comments with usage
instructions and commented settable options in the script itself.  Take
a look at it with your favorite text editor.

-- 
Lindsay Haisley       |  "We are all broken  | PGP public key
FMP Computer Services |   toasters, but we   |  available at
512-259-1190          | still manage to make |
http://www.fmp.com    |        toast"        |
                      |    (Cheryl Dehut)    |




Re: Turning the Screws

2007-06-16 Thread Michael B Allen
On Sat, 16 Jun 2007 16:25:48 -0500
Daniel J McDonald <[EMAIL PROTECTED]> wrote:

> On Sat, 2007-06-16 at 17:01 -0400, Michael B Allen wrote:
> > Hi,
> > 
> > I just set up a new server with vanilla SA 
> 
> What version?

3.1.9 on CentOS 5

> > on CentOS 5 and a lot of obvious
> > drug/stock/foreign stuff is getting through. I have verified that DNSBL
> > is being used. In general, I would like to know what the prevailing
> > wisdom is as to increasing the aggressiveness of my filter.
> 
> Add the SARE rules.  They tend to kill most of the drug and stock stuff.

When I run ./rules_du_jour I just get a mess of errors about trying
to write to /etc/spamassassin which does not exist. Apparently CentOS
uses /etc/mail/spamassassin/ and more so /usr/share/spamassassin/ for
cf files. Is there any documentation for this script?

> > Will SA get better as it considers the input?
> 
> If you have bayes enabled.

My .spamassassin/bayes_* files are updating. Does that mean it's enabled?

Thanks,
Mike


Re: Turning the Screws

2007-06-16 Thread Daniel J McDonald
On Sat, 2007-06-16 at 17:01 -0400, Michael B Allen wrote:
> Hi,
> 
> I just set up a new server with vanilla SA 

What version?

> on CentOS 5 and a lot of obvious
> drug/stock/foreign stuff is getting through. I have verified that DNSBL
> is being used. In general, I would like to know what the prevailing
> wisdom is as to increasing the aggressiveness of my filter.

Add the SARE rules.  They tend to kill most of the drug and stock stuff.
> 
> Are there certain plugins that I need to make sure are working? If so
> what are they?

That depends.
> 
> Will SA get better as it considers the input?

If you have bayes enabled.
> 
> Also, if I drag spam from the inbox into the Spam folder, will SA learn
> from that? If I drag non-spam out of the Spam folder will SA learn
> from that?

That's up to your MUA, but not likely.

> Is there a way to add the X-Spam-Report to regular messages for a while
> so that I can see exactly why it's getting through?
Yes.  See
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#basic_message_tagging_options

> 
> How do I properly activate filtering based on character encodings used
> in messages? Basically I want to severely penalize non-Latin1 encodings.

In 3.1.x, just set ok_locales en
In 3.2.x, set ok_locales and also enable the Textcat plugin.

Details in
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#language_options
> Mike
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Turning the Screws

2007-06-16 Thread Michael B Allen
Hi,

I just set up a new server with vanilla SA on CentOS 5 and a lot of obvious
drug/stock/foreign stuff is getting through. I have verified that DNSBL
is being used. In general, I would like to know what the prevailing
wisdom is as to increasing the aggressiveness of my filter.

Are there certain plugins that I need to make sure are working? If so
what are they?

Will SA get better as it considers the input?

Also, if I drag spam from the inbox into the Spam folder, will SA learn
from that? If I drag non-spam out of the Spam folder will SA learn
from that?

Is there a way to add the X-Spam-Report to regular messages for a while
so that I can see exactly why it's getting through?

How do I properly activate filtering based on character encodings used
in messages? Basically I want to severely penalize non-Latin1 encodings.

Mike