Re: DATE_IN_FUTURE_24_48 more often?

2024-07-26 Thread Matus UHLAR - fantomas
>> > > I think I am starting to see this more often.  Today I was 
>> > > checking again every server to see if the ntp time is syncing 
>> > > properly.  But don't notice anything weird, can't really believe 
>> > > this sending had a bad clock.  Can anyone suggest what/where to 
>> > > look for?

>> > >
>> > >
>> > > DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after
>> >
>> > When you  looked at the Date: header, what did it say?  The part of 
>> > your question where you gave an example didn't make it through the 
>> > mailinglist!

>>
>> I was wondering if I am the only one seeing this.  Could also be 
>> related to my transitioning to el9.  I can remember having to change 
>> some scripts for time/timezone.  Logged times seem ok:

>>
>> mta logging was on this date: Jul  4 08:51:37
>> message header Date: Thu, 4 Jul 2024 08:51:35 +0200
>> message header Received:   Thu, 4 Jul 2024 08:51:37 +0200

>This does not look like something out of the ordinary, does it? Even if it is
>a timezone/summertime issue it is still not 'is 24 to 48 hours after'

This looks correct.
I remember seeing this issue when users put incorrect date or incorrect
timezone.


On 25.07.24 20:57, Marc wrote:
> Incorrect date on the Windows / MacOS will trigger this?

yes.  Date in future will move time 24 hours into the future, or multiple 
times (48,72,94).

incorrect time zone may push time a few hours forwards or backwards.  (here it 
happens when people set the time to current, while keeping American 
timezone)

Together it may generate different hour shifts.

> > Do those still appear?
>
> Looks like it is still a low %, except this T_DATE_IN_FUTURE_96_Q
>
>      DATE_IN_FUTURE_03_06
> 0.1% DATE_IN_FUTURE_12_24
> 0.1% DATE_IN_FUTURE_06_12
>  31% T_DATE_IN_FUTURE_96_Q

I believe I don't have to explain how spammers use(d) this to show their 
mail first in their MUAs


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
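The mechanics described above (a wrong clock adds whole days, a wrong timezone adds or subtracts a few hours, and the two combine), as an added illustration that is not SpamAssassin's own code: the Date: header is compared with the receiving MTA's own timestamp and the difference is mapped onto the DATE_IN_FUTURE_* buckets named in this thread. The Received: value is the one posted above; the other Date: values are constructed. The 48_96 bucket and the exact boundary handling (lower bound inclusive) are assumptions.

```python
"""Shift between Date: and the local Received: time, bucketed the way the
DATE_IN_FUTURE_* rules in the thread are named.  Added illustration, not
SpamAssassin's code."""
from datetime import timezone
from email.utils import parsedate_to_datetime

# (lower bound, upper bound, rule name); bounds in hours ahead of receipt.
# Names are the ones quoted in the thread; the 48_96 bucket and the
# lower-bound-inclusive boundaries are assumptions.
FUTURE_BUCKETS = [
    (3, 6, "DATE_IN_FUTURE_03_06"),
    (6, 12, "DATE_IN_FUTURE_06_12"),
    (12, 24, "DATE_IN_FUTURE_12_24"),
    (24, 48, "DATE_IN_FUTURE_24_48"),
    (48, 96, "DATE_IN_FUTURE_48_96"),
    (96, None, "T_DATE_IN_FUTURE_96_Q"),
]


def shift_hours(date_header: str, received_header: str) -> float:
    """Hours by which Date: is ahead of the local Received: timestamp.

    Both values carry their own UTC offset, so a sender whose wall clock
    is right but whose timezone is wrong still produces a shift: the
    offset it writes does not belong to the wall-clock time it writes."""
    sent = parsedate_to_datetime(date_header).astimezone(timezone.utc)
    got = parsedate_to_datetime(received_header).astimezone(timezone.utc)
    return (sent - got).total_seconds() / 3600.0


def future_rule(hours: float):
    """Name of the DATE_IN_FUTURE bucket a shift falls into, or None."""
    for lo, hi, name in FUTURE_BUCKETS:
        if hours >= lo and (hi is None or hours < hi):
            return name
    return None


def classify(date_header: str, received_header: str):
    return future_rule(shift_hours(date_header, received_header))


# Receiving MTA in CEST (+0200), the Received: time posted in the thread.
RECEIVED = "Thu, 4 Jul 2024 08:51:37 +0200"

# Constructed Date: headers; only the first one is from the thread.
SAMPLES = {
    # clock and zone both right: two seconds of transit, no rule
    "correct":             "Thu, 4 Jul 2024 08:51:35 +0200",
    # wall clock set to local time, OS still on a US zone (-0700)
    "us_zone_only":        "Thu, 4 Jul 2024 08:51:35 -0700",
    # zone right, date set one day ahead
    "day_ahead_only":      "Fri, 5 Jul 2024 09:10:00 +0200",
    # day ahead AND a zone far to the east: the two errors partly cancel
    "day_ahead_east_zone": "Fri, 5 Jul 2024 08:51:35 +1100",
    # several days ahead: the open-ended 96_Q bucket
    "days_ahead":          "Mon, 8 Jul 2024 09:00:00 +0200",
}


def classify_samples():
    """Rule name (or None) for every constructed sample."""
    return {name: classify(date, RECEIVED) for name, date in SAMPLES.items()}


if __name__ == "__main__":
    for name, date in SAMPLES.items():
        print(f"{name:22s} {shift_hours(date, RECEIVED):8.2f} h  "
              f"{classify(date, RECEIVED)}")
```

The "day_ahead_east_zone" case is the point of the last paragraph above: one day ahead with a timezone nine hours east of the real one lands in 12_24, not 24_48, so the bucket a message hits does not by itself tell you which of the two settings is wrong on the sender.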


RE: DATE_IN_FUTURE_24_48 more often?

2024-07-25 Thread Marc
> 
> >> > > I think I am starting to see this more often. Today I was checking
> >> > > again every server to see if the ntp time is syncing properly. But
> >> > > don't notice anything weird, can't really believe this sending had
> a
> >> > > bad clock. Can anyone suggest what/where to look for?
> >> > >
> >> > >
> >> > > DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after
> >> >
> >> > When you  looked at the Date: header, what did it say?   The part of
> >> > your question where you gave an example didn't make it through the
> >> > mailinglist!
> >>
> >> I was wondering if I am the only one seeing this. Could also be
> related
> >> to my transitioning to el9. I can remember having to change some
> scripts
> >> for time/timezone. Logged times seem ok:
> >>
> >> mta logging was on this date: Jul  4 08:51:37
> >> message header Date: Thu, 4 Jul 2024 08:51:35 +0200
> >> message header Received:   Thu, 4 Jul 2024 08:51:37 +0200
> 
> >This does not look like something out of the ordinary, does it? Even if it is
> a timezone/summertime issue it is still not 'is 24 to 48 hours after'
> 
> This looks correct.
> I remember seeing this issue when users put incorrect date or incorrect
> timezone.

Incorrect date on the Windows / MacOS will trigger this?

> Do those still appear?

Looks like it is still a low %, except this T_DATE_IN_FUTURE_96_Q

 DATE_IN_FUTURE_03_06
0.1% DATE_IN_FUTURE_12_24
0.1% DATE_IN_FUTURE_06_12
 31% T_DATE_IN_FUTURE_96_Q


Re: DATE_IN_FUTURE_24_48 more often?

2024-07-25 Thread Matus UHLAR - fantomas

> > I think I am starting to see this more often. Today I was checking
> > again every server to see if the ntp time is syncing properly. But
> > don't notice anything weird, can't really believe this sending had a
> > bad clock. Can anyone suggest what/where to look for?
> >
> >
> > DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after
>
> When you  looked at the Date: header, what did it say?   The part of
> your question where you gave an example didn't make it through the
> mailinglist!

I was wondering if I am the only one seeing this. Could also be related
to my transitioning to el9. I can remember having to change some scripts
for time/timezone. Logged times seem ok:

mta logging was on this date: Jul  4 08:51:37
message header Date: Thu, 4 Jul 2024 08:51:35 +0200
message header Received:   Thu, 4 Jul 2024 08:51:37 +0200


On 22.07.24 09:58, Marc wrote:
> This does not look like something out of the ordinary, does it? Even if it is a 
> timezone/summertime issue it is still not 'is 24 to 48 hours after'

This looks correct.
I remember seeing this issue when users put incorrect date or incorrect 
timezone.


Do those still appear?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


Re: uridnsbl_skip_domain question

2024-07-24 Thread Matus UHLAR - fantomas

Hello,

I was hoping to fix this finally...


On 5/17/24 3:17 PM, Matus UHLAR - fantomas wrote:
> I have configured exclusion for some common domains e.g. gov.sk in SA:
>
> uridnsbl_skip_domain [...] gov.sk slovensko.sk
>
> However it seems that that domain is still queried:
>
>  9826  68.951573    127.0.0.1 → 127.0.0.1    DNS 104 Standard query 0xbffe A 
> mail.gov.sk.multi.uribl.com OPT
>
> in SA 4 docs I see that:
>
>    uridnsbl_skip_domain domain1 domain2 ...
>    Specify a domain, or a number of domains, which should be skipped
>    for the URIBL checks.  This is very useful to specify very common
>    domains which are not going to be listed in URIBLs.
>
>    In addition to trimmed domain, the full hostname is also checked
>    from the list.
>
> Do I have to exclude subdomains for each host too?
> (this would kind of defeat the directive imho).
>
> This is SA 3.4.6 (debian 11) which does not have the latter paragraph but I 
> assume the difference is only in documentation

On 18.05.24 19:30, giova...@paclan.it wrote:
> From a quick look at the code it seems that subdomains check has been added to 
> Mail::SpamAssassin::Plugin::URIDNSBL with commit r1889093 ~10 days after 3.4.6 
> release.
> In addition to that Mail::SpamAssassin::Plugin::DNSEval honor 
> uridnsbl_skip_domain preference only in trunk code.


I have retried this with SA 4.0.0 (debian 12), and unfortunately this still 
happens:


18:05:31.348747 IP 192.168.251.228.45721 > 54.233.104.8.53: 26118 [1au] A? 
g2inmail1.gov.sk.multi.uribl.com. (73)
18:15:39.860161 IP 192.168.251.228.55448 > 54.152.34.162.53: 29958 [1au] A? 
g2inmail3.gov.sk.multi.uribl.com. (73)

and SA debug output shows:

Jul 24 18:20:28.580 [8512] dbg: check: tagrun - tag URIHOSTS is now ready, 
value: ARY:[g2inmail1.gov.sk,mail.gov.sk,msx1.upvsp.gov.sk]
Jul 24 18:41:13.899 [9295] dbg: check: tagrun - tag URIDOMAINS is now ready, 
value: ARY:[g2inmail1.gov.sk,mail.gov.sk,upvsp.gov.sk]

I see that gov.sk is listed in:

20_aux_tlds.cf:util_rb_2tld edu.sk gov.sk mil.sk

Can this listing be the reason why its subdomains are still queried?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
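A model of the interaction the question above is about, added here as an illustration and not taken from SpamAssassin's code: it implements only what the quoted documentation says (the skip list is matched against the trimmed domain and against the full hostname) on top of a "trimmed domain" that honours util_rb_2tld, and feeds it the URIHOSTS from the debug output above. Whether the real plugin behaves exactly like this is what the question asks, so treat the result as a hypothesis to check against Mail::SpamAssassin::Plugin::URIDNSBL; util_rb_3tld and the plugin's other code paths are ignored, and the zone name is the one in the captured queries.

```python
"""Why a uridnsbl_skip_domain entry for gov.sk may stop matching once
gov.sk is declared a two-level TLD.  Added illustration, not
SpamAssassin's code."""

# From 20_aux_tlds.cf as quoted in the thread.
RB_2TLD = {"edu.sk", "gov.sk", "mil.sk"}
# From the poster's configuration.
SKIP_DOMAINS = {"gov.sk", "slovensko.sk"}
# Zone seen in the captured queries.
URIBL_ZONE = "multi.uribl.com"


def trim_domain(host: str, rb_2tld=RB_2TLD) -> str:
    """Registrable domain of a hostname: normally the last two labels, one
    label more when the last two are themselves a registry suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) > 2 and ".".join(labels[-2:]) in rb_2tld:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_skipped(host: str, skip=SKIP_DOMAINS, rb_2tld=RB_2TLD) -> bool:
    """Documented check: trimmed domain OR full hostname must be listed."""
    host = host.lower().rstrip(".")
    return trim_domain(host, rb_2tld) in skip or host in skip


def uribl_queries(hosts, skip=SKIP_DOMAINS, rb_2tld=RB_2TLD):
    """DNS names that would be looked up for the given URI hosts."""
    return sorted({f"{trim_domain(h, rb_2tld)}.{URIBL_ZONE}"
                   for h in hosts if not is_skipped(h, skip, rb_2tld)})


# URIHOSTS tag value from the debug output in the thread.
URIHOSTS = ["g2inmail1.gov.sk", "mail.gov.sk", "msx1.upvsp.gov.sk"]

if __name__ == "__main__":
    # Same three names as the URIDOMAINS tag in the debug output.
    print([trim_domain(h) for h in URIHOSTS])
    # None of those equals "gov.sk", so every one of them is queried.
    print(uribl_queries(URIHOSTS))
    # Without the 2tld entry the trimmed domain is gov.sk and all are skipped.
    print(uribl_queries(URIHOSTS, rb_2tld=set()))
```

In this model the three trimmed domains come out as g2inmail1.gov.sk, mail.gov.sk and upvsp.gov.sk, which is exactly the URIDOMAINS value in the debug output, and none of them is the string "gov.sk", so a skip list containing only gov.sk never matches. If that is also how the plugin does it, the skip entry has to name the trimmed domains (or the hosts) rather than the 2tld suffix.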


RE: DATE_IN_FUTURE_24_48 more often?

2024-07-22 Thread Marc
> 
> >
> > > I think I am starting to see this more often. Today I was checking
> > > again every server to see if the ntp time is syncing properly. But
> > > don't notice anything weird, can't really believe this sending had a
> > > bad clock. Can anyone suggest what/where to look for?
> > >
> > >
> > > DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after
> >
> > When you  looked at the Date: header, what did it say?   The part of
> > your question where you gave an example didn't make it through the
> > mailinglist!
> 
> I was wondering if I am the only one seeing this. Could also be related
> to my transitioning to el9. I can remember having to change some scripts
> for time/timezone. Logged times seem ok:
> 
> mta logging was on this date: Jul  4 08:51:37
> message header Date: Thu, 4 Jul 2024 08:51:35 +0200
> message header Received:   Thu, 4 Jul 2024 08:51:37 +0200

This does not look like something out of the ordinary, does it? Even if it is a 
timezone/summertime issue it is still not 'is 24 to 48 hours after'


Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-19 Thread Grant Taylor via users

On 7/19/24 5:34 AM, giova...@paclan.it wrote:
> do you intend to have a rule like this one ?
>
> header __TO_NAME To:name =~ /(?<TO_NAME>.*)/
> body   DEAR_NAME /Dear %{TO_NAME}/

Once I'm dealing with versions of SpamAssassin that support such, yes.

I'm currently caring for and feeding a small group of older servers.



--
Grant. . . .
unix || die



Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-19 Thread giovanni

On 7/18/24 5:10 AM, Grant Taylor via users wrote:
> On 7/17/24 18:04, Matija Nalis wrote:
> > I.e. would you consider it to be significantly less likely to be spam if it contained "Dear 
> > Elizabeth," while being addressed to "mark@domain" instead of to "elizabeth@domain" ?
>
> I've seen quite a bit of spam that opens message bodies with:
>
>
> Where  is "Dear" or some other greeting, often language specific and 
>  is the local part of the email address.
>
> Something like the following is probably a good indication that it's spam:
>
> --8<--
> Dear ux37932,
>
> I've missed talking to you, what is your opinion of ?  Please check it out 
> and let me know what you think.
> -->8--
>
> If there was any doubt about the paragraph, the "ux37932" makes it quite 
> evident to a human that the name in the salutation is not real.  This is ESPECIALLY true 
> when the name in the salutation is identical, byte for byte, including case, as the local 
> part of the email address.

do you intend to have a rule like this one ?

header __TO_NAME To:name =~ /(?<TO_NAME>.*)/
body   DEAR_NAME /Dear %{TO_NAME}/

  Giovanni





RE: DATE_IN_FUTURE_24_48 more often?

2024-07-19 Thread Marc
> 
> > I think I am starting to see this more often. Today I was checking
> > again every server to see if the ntp time is syncing properly. But
> > don't notice anything weird, can't really believe this sending had a
> > bad clock. Can anyone suggest what/where to look for?
> >
> >
> > DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after
> 
> When you  looked at the Date: header, what did it say?   The part of
> your question where you gave an example didn't make it through the
> mailinglist!

I was wondering if I am the only one seeing this. Could also be related to my 
transitioning to el9. I can remember having to change some scripts for 
time/timezone. Logged times seem ok:

mta logging was on this date: Jul  4 08:51:37
message header Date: Thu, 4 Jul 2024 08:51:35 +0200
message header Received:   Thu, 4 Jul 2024 08:51:37 +0200


Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-18 Thread Grant Taylor via users

On 7/18/24 15:58, Mark London wrote:
> I asked ChatGPT how to test for a "Dear 'username'".  After a bit of 
> work, I got working code.

Okay.

> ChatGPT knows perl.

I question the value of "knows" as in knowledge of Perl.

> I already had a Perl file EvalTests.pm file with customized Perl eval 
> functions, so I threw it in there.  Otherwise, you'll need to create 
> your own file with the proper headers.
>
> sub check_body_for_username {
>     my ($self, $permsgstatus) = @_;
>
>     my $to = $permsgstatus->get('To:addr');
>     return 0 unless $to;
>
>     my ($username) = $to =~ /([^@]+)/;
>     return 0 unless $username;
>
>     # Check if the username is in the body of the email
>     my $body = $permsgstatus->get_decoded_stripped_body_text_array();
>     foreach my $line (@$body) {
>         if ($line =~ /^(Dear|Hi|Hello) \Q$username\E\b/i) {
>             return 1;
>         }
>     }
>     return 0;
> }
>
> header DEAR_USERNAME    eval:check_body_for_username()


Very interesting.

I'll have to find a stick to poke this with and some time to do the poking.

Thank you for sharing.



--
Grant. . . .




Re: DATE_IN_FUTURE_24_48 more often?

2024-07-18 Thread Greg Troxel
Marc  writes:

> I think I am starting to see this more often. Today I was checking
> again every server to see if the ntp time is syncing properly. But
> don't notice anything weird, can't really believe this sending had a
> bad clock. Can anyone suggest what/where to look for?
>
>
> DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after

When you  looked at the Date: header, what did it say?   The part of
your question where you gave an example didn't make it through the
mailinglist!


Re: Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-18 Thread Mark London
I asked ChatGPT how to test for a "Dear 'username'".  After a bit of 
work, I got working code.  ChatGPT knows perl.


I already had a Perl file EvalTests.pm file with customized Perl eval 
functions, so I threw it in there.  Otherwise, you'll need to create 
your own file with the proper headers.


sub check_body_for_username {
    my ($self, $permsgstatus) = @_;

    # First address in To: (the ':addr' modifier strips display names)
    my $to = $permsgstatus->get('To:addr');
    return 0 unless $to;

    # Local part of that address
    my ($username) = $to =~ /([^@]+)/;
    return 0 unless $username;

    # Look for a greeting line that names the local part (case-insensitive);
    # \Q...\E quotes any regex metacharacters in the local part
    my $body = $permsgstatus->get_decoded_stripped_body_text_array();
    foreach my $line (@$body) {
        if ($line =~ /^(Dear|Hi|Hello) \Q$username\E\b/i) {
            return 1;
        }
    }
    return 0;
}

header DEAR_USERNAME    eval:check_body_for_username()

On 7/17/2024 11:10 PM, Grant Taylor via users wrote:
> On 7/17/24 18:04, Matija Nalis wrote:
> > I.e. would you consider it to be significantly less likely to be spam 
> > if it contained "Dear Elizabeth," while being addressed to 
> > "mark@domain" instead of to "elizabeth@domain" ?
>
> I've seen quite a bit of spam that opens message bodies with:
>
>
> Where  is "Dear" or some other greeting, often language 
> specific and  is the local part of the email address.
>
> Something like the following is probably a good indication that it's 
> spam:
>
> --8<--
> Dear ux37932,
>
> I've missed talking to you, what is your opinion of ? Please 
> check it out and let me know what you think.
> -->8--
>
> If there was any doubt about the paragraph, the "ux37932" makes it 
> quite evident to a human that the name in the salutation is not real.  
> This is ESPECIALLY true when the name in the salutation is identical, 
> byte for byte, including case, as the local part of the email address.








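A stand-alone model of the eval rule posted above, added here as an illustration; it is not the poster's plugin and not SpamAssassin code. It parses a message with the standard library, takes the local part of every To: address, and looks for a greeting line that names one of them. Following the observation earlier in the thread that a byte-for-byte match including case is the stronger signal, that case is reported separately from the case-insensitive match the Perl rule makes. The sample messages and the rule names DEAR_USERNAME_EXACT and "Hey" in the greeting list are constructed; only single-part text bodies are handled.

```python
"""Salutation-matches-local-part check.  Added illustration, not the
EvalTests.pm plugin from the thread and not SpamAssassin code."""
import email
import re
from email.utils import getaddresses

# Greetings accepted at the start of a body line (constructed list).
GREETING = r"(?:Dear|Hi|Hello|Hey)"


def local_parts(msg):
    """Local parts of every To: address (display names are ignored)."""
    pairs = getaddresses(msg.get_all("To", []))
    return [addr.split("@", 1)[0] for _name, addr in pairs if "@" in addr]


def body_text(msg):
    """Decoded text of a single-part message; multipart is out of scope."""
    if msg.is_multipart():
        return ""
    raw = msg.get_payload(decode=True)
    return raw.decode(msg.get_content_charset() or "utf-8", "replace")


def salutation_hits(raw_message: str) -> set:
    """{"DEAR_USERNAME"} for a case-insensitive match of a To: local part
    in a greeting line, plus "DEAR_USERNAME_EXACT" when the salutation
    repeats the local part byte for byte."""
    msg = email.message_from_string(raw_message)
    text = body_text(msg)
    hits = set()
    for local in local_parts(msg):
        # (?!\w) rather than \b so the pattern still anchors when the
        # local part ends in punctuation such as "j.doe-"
        pattern = re.compile(
            r"^\s*" + GREETING + r"\s+(" + re.escape(local) + r")(?!\w)",
            re.I | re.M)
        m = pattern.search(text)
        if not m:
            continue
        hits.add("DEAR_USERNAME")             # same test as the Perl rule
        if m.group(1) == local:
            hits.add("DEAR_USERNAME_EXACT")   # identical, including case
    return hits


# Constructed sample messages (not real mail).
PHISH = """From: "Account Team" <noreply@example.net>
To: ux37932@example.org
Subject: Action required

Dear ux37932,

I've missed talking to you, what is your opinion of this? Please check it out.
"""

LEGIT = """From: Alice <alice@example.org>
To: Elizabeth Smith <elizabeth@example.org>
Subject: lunch

Hi Elizabeth,

Still on for Thursday?
"""

OTHER = """From: Alice <alice@example.org>
To: mark@example.org
Subject: hello

Dear Elizabeth,

forwarding this to you.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT), ("other", OTHER)):
        print(label, sorted(salutation_hits(sample)))
```

The legitimate message matches case-insensitively ("Hi Elizabeth" against elizabeth@) but not exactly, which is the distinction the thread draws: a rule scored on DEAR_USERNAME alone hits real mail written by people who greet recipients by their mailbox name, while the exact-case form is rarely anything but a template filled from the address.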
DATE_IN_FUTURE_24_48 more often?

2024-07-18 Thread Marc

I think I am starting to see this more often. Today I was checking again every 
server to see if the ntp time is syncing properly. But don't notice anything 
weird, can't really believe this sending had a bad clock. Can anyone suggest 
what/where to look for?


DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after


Re: Blocking Malformed "From" Headers

2024-07-18 Thread Bill Cole

On 2024-07-17 at 13:17:16 UTC-0400 (Wed, 17 Jul 2024 10:17:16 -0700)
Kirk Ismay 
is rumored to have said:

> I have a spammer using a malformed From header, as follows:
>
> From: sha...@marketcrank.com
>
> The envelope from is: direcc...@delher.com.mx, and I've set up blocks 
> for that address.
>
> Sendmail is munging the From: header to change  to 
> , so it ends up looking like a local address to my 
> users.
>
> How do I detect similar mangled From headers in Spamassassin?

I believe SA already has a more general rule that will catch the *BAD* 
form, but depending on how you've integrated SA and Sendmail, it may 
only see the "cleaned up" form that Sendmail provides. I believe SA sees 
the unmolested headers only in a milter interface, NOT if you've got it 
hooked into a mailer.

If not, here's a rule that should work:

header FROM_ANGLE_UNQUAL  From =~ /<[^<\@]*>[^\@]*\@/

> Also does anyone know how to prevent Sendmail from rewriting the From 
> header like this?  The documentation for confFROM_HEADER is 
> somewhat cryptic:
>
> https://www.sendmail.org/~ca/email/doc8.12/cf/m4/tweaking_config.html#confFROM_HEADER
>
> I'd rather it say  instead, or reject it 
> entirely.
>
> Thanks,
> Kirk

Remove FEATURE(always_add_domain) from your .mc and remake sendmail.cf. 
Consult the Ops guide and/or cf/README for all of the effects of that.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire
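The FROM_ANGLE_UNQUAL pattern from the reply above, exercised on constructed From: values; this is an added illustration, not SpamAssassin code, and the samples are not the spammer's real header (which is obfuscated above). The "malformed" sample is built to the shape the question describes, an unqualified token in angle brackets followed by a bare address; the "rewritten" sample is what is left once an MTA has appended its own domain to the bracketed token, which is the case the reply warns SpamAssassin may be the only one to see when it is not hooked in as a milter. Addresses are placeholders.

```python
"""Exercise the proposed From: rule on constructed header values.
Added illustration, not SpamAssassin code."""
import re

# Same expression as the proposed rule: an angle-bracketed token with no
# "@" inside, followed later in the header by an "@" outside the brackets.
FROM_ANGLE_UNQUAL = re.compile(r"<[^<@]*>[^@]*@")


def from_angle_unqual(from_value: str) -> bool:
    """True when the From: header value has the malformed shape."""
    return FROM_ANGLE_UNQUAL.search(from_value) is not None


# Constructed samples; addresses are placeholders, not real mail.
SAMPLES = {
    # the malformed form as it arrives on the wire
    "malformed":    "<shane> user@example.com",
    # the same header after the MTA qualified the bracketed token
    "rewritten":    "<shane@mx.example.net> user@example.com",
    # ordinary, well-formed headers
    "normal":       '"Shane Example" <user@example.com>',
    "bare_address": "user@example.com",
    # several addresses, all of them qualified: not the pattern either
    "two_addrs":    "<user@example.com>, <other@example.org>",
}


def evaluate():
    """Rule result for every sample."""
    return {name: from_angle_unqual(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:13s} {result}")
```

Only the wire form matches; once the bracketed token has gained an "@" the rule has nothing to catch, so the rule is only useful at a point in the pipeline that still sees the original header.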


Evaluate UTF-8 From / Subject

2024-07-18 Thread Nikolaos Milas

Hello,

Is there a way we can search for strings in UTF-8 encoded From and/or 
Subject headers?


For example, here is part of a phishing mail header:

...
From: =?utf-8?B?Is6VzpjOnc6ZzprOlyDOpM6hzpHOoM6VzpbOkSI=?=
 
To: exam...@example.com
Message-id: <9d6ceda2599640f6....@amtelecom.net>
Date: Thu, 18 Jul 2024 09:40:04 +0200
X-Mailer: Oracle Communications Messenger Express 8.0.2.5.20200127 64bit 
(built

 Jan 27 2020)
Content-language: en
Subject: ***Spam?***
 =?UTF-8?Q?=CE=95=CF=80=CE=B5=CE=AF=CE=B3=CE=BF=CF=85=CF=83=CE=B1_=CE=95?=
 =?UTF-8?Q?=CE=BD=CE=B7=CE=BC=CE=AD=CF=81=CF=89=CF=83=CE=B7:_=CE=91=CE=BD?=
 =?UTF-8?Q?=CE=B1=CE=B2=CE=AC=CE=B8=CE=BC=CE=B9=CF=83=CE=B7_=CE=91=CF=83?=
 =?UTF-8?Q?=CF=86=CE=B1=CE=BB=CE=B5=CE=AF=CE=B1=CF=82_=CE=91=CF=80=CE=B1?=
 =?UTF-8?Q?=CE=B9=CF=84=CE=B5=CE=AF=CF=84=CE=B1=CE=B9_=CE=B3=CE=B9=CE=B1_?=
 =?UTF-8?Q?=CF=84=CE=BF=CE=BD_=CE=9B=CE=BF=CE=B3=CE=B1=CF=81=CE=B9=CE=B1?=
 =?UTF-8?Q?=CF=83=CE=BC=CF=8C_=CF=83=CE=B1=CF=82_=CF=83=CF=84=CE=B7=CE=BD_?=
 =?UTF-8?Q?=CE=95=CE=B8=CE=BD=CE=B9=CE=BA=CE=AE_=CE=A4=CF=81=CE=AC=CF=80?=
 =?UTF-8?Q?=CE=B5=CE=B6=CE=B1?= !
X-Accept-Language: en
...

How can we search for a particular string in From / Subject?

Note: In the above case, encoded text is in Greek language.

I would appreciate your feedback.

We are at Rocky Linux 8, with spamassassin 3.4.6 (under amavis).

Best regards,
Nick




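RFC 2047 decoding of the headers quoted in the question above, as an added illustration that is not SpamAssassin code. SpamAssassin's header rules match against the MIME-decoded header text (the undecoded form is what the :raw modifier gives you), so a header rule can simply contain the Greek string; this block shows what that decoded text is for the Subject: and the From: display name exactly as posted, and that a pattern applied to the raw line cannot match it. The From: address itself is not shown in the question, so only its encoded display name is decoded here.

```python
"""Decode the RFC 2047 encoded-words from the quoted headers and match a
Greek string against the decoded text.  Added illustration, not
SpamAssassin code."""
from email.header import decode_header, make_header

# Subject: as quoted in the question, folded exactly as posted.
RAW_SUBJECT = (
    "***Spam?***\n"
    " =?UTF-8?Q?=CE=95=CF=80=CE=B5=CE=AF=CE=B3=CE=BF=CF=85=CF=83=CE=B1_=CE=95?=\n"
    " =?UTF-8?Q?=CE=BD=CE=B7=CE=BC=CE=AD=CF=81=CF=89=CF=83=CE=B7:_=CE=91=CE=BD?=\n"
    " =?UTF-8?Q?=CE=B1=CE=B2=CE=AC=CE=B8=CE=BC=CE=B9=CF=83=CE=B7_=CE=91=CF=83?=\n"
    " =?UTF-8?Q?=CF=86=CE=B1=CE=BB=CE=B5=CE=AF=CE=B1=CF=82_=CE=91=CF=80=CE=B1?=\n"
    " =?UTF-8?Q?=CE=B9=CF=84=CE=B5=CE=AF=CF=84=CE=B1=CE=B9_=CE=B3=CE=B9=CE=B1_?=\n"
    " =?UTF-8?Q?=CF=84=CE=BF=CE=BD_=CE=9B=CE=BF=CE=B3=CE=B1=CF=81=CE=B9=CE=B1?=\n"
    " =?UTF-8?Q?=CF=83=CE=BC=CF=8C_=CF=83=CE=B1=CF=82_=CF=83=CF=84=CE=B7=CE=BD_?=\n"
    " =?UTF-8?Q?=CE=95=CE=B8=CE=BD=CE=B9=CE=BA=CE=AE_=CE=A4=CF=81=CE=AC=CF=80?=\n"
    " =?UTF-8?Q?=CE=B5=CE=B6=CE=B1?= !"
)
# Display name from the From: line as quoted (base64 "B" encoding).
RAW_FROM_NAME = "=?utf-8?B?Is6VzpjOnc6ZzprOlyDOpM6hzpHOoM6VzpbOkSI=?="


def decode_rfc2047(value: str) -> str:
    """Unicode text of a possibly folded, possibly encoded header value.
    Adjacent encoded-words are joined without the folding whitespace,
    as RFC 2047 requires; unencoded parts are kept as they are."""
    return str(make_header(decode_header(value)))


def header_contains(value: str, needle: str, raw: bool = False) -> bool:
    """Substring test on the decoded text, or on the raw line (like :raw)."""
    haystack = value if raw else decode_rfc2047(value)
    return needle in haystack


if __name__ == "__main__":
    print(decode_rfc2047(RAW_SUBJECT))
    print(decode_rfc2047(RAW_FROM_NAME))
    # A Greek needle matches the decoded text but never the raw line.
    print(header_contains(RAW_SUBJECT, "Εθνική Τράπεζα"))
    print(header_contains(RAW_SUBJECT, "Εθνική Τράπεζα", raw=True))
```

The decoded Subject is the Greek text "Επείγουσα Ενημέρωση: ... Εθνική Τράπεζα" and the From: display name decodes to "ΕΘΝΙΚΗ ΤΡΑΠΕΖΑ" in capitals, so a rule has to allow for both spellings (or match case-insensitively) if it is meant to cover both headers.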


Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-17 Thread Grant Taylor via users

On 7/17/24 18:04, Matija Nalis wrote:
> I.e. would you consider it to be significantly less likely to be 
> spam if it contained "Dear Elizabeth," while being addressed to 
> "mark@domain" instead of to "elizabeth@domain" ?


I've seen quite a bit of spam that opens message bodies with:



Where  is "Dear" or some other greeting, often language 
specific and  is the local part of the email address.


Something like the following is probably a good indication that it's spam:

--8<--
Dear ux37932,

I've missed talking to you, what is your opinion of ?  Please check 
it out and let me know what you think.

-->8--

If there was any doubt about the paragraph, the "ux37932" makes it quite 
evident to a human that the name in the salutation is not real.  This is 
ESPECIALLY true when the name in the salutation is identical, byte for 
byte, including case, as the local part of the email address.




--
Grant. . . .




Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-17 Thread Matija Nalis
On Wed, Jul 17, 2024 at 04:45:16PM -0400, Mark London wrote:
> Does anyone have a rule to detect "Dear xxx," in the body of the message,
> where the "To:" address is xxx@domain?
> 
> We've been getting phishing email sent to us with variations of that. Hi,
> Dear, etc, followed by the username of the address.

Is the second part even important? 

I.e. would you consider it to be significantly less likely to be spam
if it contained "Dear Elizabeth," while being addressed to
"mark@domain" instead of to "elizabeth@domain" ?

-- 
Opinions above are GNU-copylefted.


Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-17 Thread Mark London
Does anyone have a rule to detect "Dear xxx," in the body of the 
message, where the "To:" address is xxx@domain?


We've been getting phishing email sent to us with variations of that. 
Hi, Dear, etc, followed by the username of the address.


Thanks. - Mark


Re: Blocking Malformed "From" Headers

2024-07-17 Thread Kirk Ismay
I am already using the no_default_msa, but the system does accept mail 
both as an MTA and MSA.  I am using DAEMON_OPTIONS to listen on port 465 
etc, but even adding the M=C (no canonify) switch, the From: header 
rewriting still occurs.


I've tested with another system using Postfix, and it does the same thing.

Weird.

Thanks,
Kirk

On 2024-07-17 10:55 a.m., Dave Funk wrote:
> The SMTP protocol RFCs are pretty clear, anything in angle-brackets 
> '<' & '>' take priority in defining an address field. So technically 
> that's a legit local address and sendmail is doing default MSA 
> processing on it (IE treating it as a bare username that needs the 
> local hostname added).
>
> Is this sendmail instance just an incoming MTA or is it also used as 
> an outgoing MSA for your users?
>
> If it's just an incoming MTA (IE your users have another instance 
> they're using for outgoing MSA service) then just turn off the MSA 
> feature for that specific sendmail instance to stop that processing: 
> "FEATURE(`no_default_msa')"
>
> On Wed, 17 Jul 2024, Kirk Ismay wrote:
>
> > I have a spammer using a malformed From header, as follows:
> >
> > From: sha...@marketcrank.com
> >
> > The envelope from is: direcc...@delher.com.mx, and I've set up blocks 
> > for that address.
> >
> > Sendmail is munging the From: header to change  to 
> > , so it ends up looking like a local address to my 
> > users.
> >
> > How do I detect similar mangled From headers in Spamassassin?
> >
> > Also does anyone know how to prevent Sendmail from rewriting the From 
> > header like this?  The documentation for confFROM_HEADER is 
> > somewhat cryptic:
> >
> > https://www.sendmail.org/~ca/email/doc8.12/cf/m4/tweaking_config.html#confFROM_HEADER
> >
> > I'd rather it say  instead, or reject it 
> > entirely.
> >
> > Thanks,
> > Kirk





Re: Blocking Malformed "From" Headers

2024-07-17 Thread Dave Funk


The SMTP protocol RFCs are pretty clear, anything in angle-brackets '<' & '>' 
take priority in defining an address field. So technically that's a legit local 
address and sendmail is doing default MSA processing on it (IE treating it as a 
bare username that needs the local hostname added).


Is this sendmail instance just an incoming MTA or is it also used as an outgoing 
MSA for your users?


If it's just an incoming MTA (IE your users have another instance they're using 
for outgoing MSA service) then just turn off the MSA feature for that specific 
sendmail instance to stop that processing: "FEATURE(`no_default_msa')"


On Wed, 17 Jul 2024, Kirk Ismay wrote:

> I have a spammer using a malformed From header, as follows:
>
> From: sha...@marketcrank.com
>
> The envelope from is: direcc...@delher.com.mx, and I've set up blocks for 
> that address.
>
> Sendmail is munging the From: header to change  to , 
> so it ends up looking like a local address to my users.
>
> How do I detect similar mangled From headers in Spamassassin?
>
> Also does anyone know how to prevent Sendmail from rewriting the From header 
> like this?  The documentation for confFROM_HEADER is somewhat cryptic:
>
> https://www.sendmail.org/~ca/email/doc8.12/cf/m4/tweaking_config.html#confFROM_HEADER
>
> I'd rather it say  instead, or reject it entirely.
>
> Thanks,
> Kirk




--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Blocking Malformed "From" Headers

2024-07-17 Thread Kirk Ismay

I have a spammer using a malformed From header, as follows:

From: sha...@marketcrank.com

The envelope from is: direcc...@delher.com.mx, and I've set up blocks 
for that address.


Sendmail is munging the From: header to change  to 
, so it ends up looking like a local address to my users.


How do I detect similar mangled From headers in Spamassassin?

Also does anyone know how to prevent Sendmail from rewriting the From 
header like this?  The documentation for confFROM_HEADER is somewhat 
cryptic:


https://www.sendmail.org/~ca/email/doc8.12/cf/m4/tweaking_config.html#confFROM_HEADER

I'd rather it say  instead, or reject it entirely.

Thanks,
Kirk



Re: Finance spam

2024-07-16 Thread Alex
> this whole range of 185.3.229.x is on my dns blacklist and everything on
> that is either rejected or marked. I can only suggest doing something
> similar ;)
>

Very helpful. Thanks for sharing.

> RCVD_IN_HOSTKARMA_W=-2.5
> change to -0.1

That does seem to be a bit heavy-handed.

> and lastly i unsubscribed you :=)

lol, thanks :-)


Re: X-Amavis-Alert: BANNED, message contains x.com

2024-07-16 Thread Gerald Vogt

Hi,

On 16.07.24 17:28, Thomas Barth via users wrote:
> today a mail has been banned (false positive). It says message contains 
> x.com
>
> X-Quarantine-ID: 
> X-Amavis-Alert: BANNED, message contains x.com
>
> I couldn't find x.com in the mail body itself, but the mail had a zipfile 
> as an attachment. The zip file probably contains invoices.
>
> Are there any further explanations for the banning of x.com?


You probably have to look into the zip file to find it. You have 
configured amavis to ban files with extension .com and there seems to be 
a file x.com somewhere in there...


-Gerald







Re: X-Amavis-Alert: BANNED, message contains x.com

2024-07-16 Thread Benny Pedersen

Bill Cole skrev den 2024-07-16 19:00:

> > asking to be sure
>
> That is NOT a SpamAssassin message, as SA does nothing so silly. It is
> clearly and strictly an Amavis issue.


i know :)



Re: X-Amavis-Alert: BANNED, message contains x.com

2024-07-16 Thread Bill Cole

On 2024-07-16 at 11:55:50 UTC-0400 (Tue, 16 Jul 2024 17:55:50 +0200)
Benny Pedersen 
is rumored to have said:


> Thomas Barth via users skrev den 2024-07-16 17:28:
>
> > X-Quarantine-ID: 
> > X-Amavis-Alert: BANNED, message contains x.com
> >
> > Are there any further explanations for the banning of x.com?
>
> ask on amavis maillist
>
> are spamassassin using extractext ?
>
> asking to be sure


That is NOT a SpamAssassin message, as SA does nothing so silly. It is 
clearly and strictly an Amavis issue.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: Finance spam

2024-07-16 Thread Benny Pedersen

Alex skrev den 2024-07-16 15:00:

> Hi all,
>
> Does anyone have any further ideas on how to block "approved for
> funding" spam?
> https://pastebin.com/2rKiAEpt
>
> This one is another namecheap domain registered from Reykjavik. I can
> create body rules, but the language is very much in line with
> legitimate lending companies. I've also added the phone to my phone
> rules, but everyone knows they only last for a few days.
>
> Other ideas greatly appreciated.


spf_helo_none add more positive score to it

RCVD_IN_HOSTKARMA_W=-2.5

change to -0.1

and lastly i unsubscribed you :=)








Re: X-Amavis-Alert: BANNED, message contains x.com

2024-07-16 Thread Benny Pedersen

Thomas Barth via users skrev den 2024-07-16 17:28:

> X-Quarantine-ID: 
> X-Amavis-Alert: BANNED, message contains x.com
>
> Are there any further explanations for the banning of x.com?


ask on amavis maillist

are spamassassin using extractext ?

asking to be sure



X-Amavis-Alert: BANNED, message contains x.com

2024-07-16 Thread Thomas Barth via users

Hello,

today a mail has been banned (false positive). It says message contains 
x.com


X-Quarantine-ID: 
X-Amavis-Alert: BANNED, message contains x.com


I couldn't find x.com in the mail body itself, but the mail had a zipfile 
as an attachment. The zip file probably contains invoices.


Are there any further explanations for the banning of x.com?

Thomas B


RE: Finance spam

2024-07-16 Thread Marc
this whole range of 185.3.229.x is on my dns blacklist and everything on that 
is either rejected or marked. I can only suggest doing something similar ;)


185.3.229.4 perfstat.hostex.lt.
185.3.229.5 post.alfa.lt.
185.3.229.6 
185.3.229.7 
185.3.229.8 
185.3.229.9 
185.3.229.10
185.3.229.11
185.3.229.12    lexsystem.data.lt.
185.3.229.13
185.3.229.14
185.3.229.15
185.3.229.16
185.3.229.17    sys6.placetgroup.com.
185.3.229.18
185.3.229.19
185.3.229.20
185.3.229.21
185.3.229.22
185.3.229.23    ox-proxy1.data.lt.
185.3.229.24    ox-proxy2.data.lt.
185.3.229.25
185.3.229.26
185.3.229.27
185.3.229.28
185.3.229.29
185.3.229.30    mail.turbotransfers.com.
185.3.229.31    ttexpress.data.lt.
185.3.229.32
185.3.229.33
185.3.229.34
185.3.229.35
185.3.229.36
185.3.229.37    mail2.oxgroup.com.
185.3.229.38
185.3.229.39
185.3.229.40
185.3.229.41
185.3.229.42
185.3.229.43
185.3.229.44
185.3.229.45
185.3.229.46
185.3.229.47
185.3.229.48
185.3.229.49
185.3.229.50
185.3.229.51
185.3.229.52
185.3.229.53
185.3.229.54
185.3.229.55    bs-backups-dir1-ext.data.lt.
185.3.229.56    news.masinis.lt.
185.3.229.57    ox-mail2.data.lt.
185.3.229.58    ox-mail3.data.lt.
185.3.229.59    ox-php.data.lt.
185.3.229.60
185.3.229.61
185.3.229.62
185.3.229.63
185.3.229.64
185.3.229.65
185.3.229.66
185.3.229.67
185.3.229.68
185.3.229.69
185.3.229.70    alfa-lamp.data.lt.
185.3.229.71
185.3.229.72    hnit-baltic-mail.data.lt.
185.3.229.73
185.3.229.74
185.3.229.75
185.3.229.76
185.3.229.77
185.3.229.78
185.3.229.79
185.3.229.80
185.3.229.81
185.3.229.82
185.3.229.83
185.3.229.84
185.3.229.85
185.3.229.86    post.okgbi.ru.
185.3.229.87
185.3.229.88    pzx-pastas.data.lt.
185.3.229.89
185.3.229.90
185.3.229.91
185.3.229.92
185.3.229.93
185.3.229.94
185.3.229.95
185.3.229.96
185.3.229.97    news.masinis.lt.
185.3.229.98    aliuminiok-web.data.lt.
185.3.229.99
185.3.229.100   
185.3.229.101   ns3.data.lt.
185.3.229.102   webapp2.supermama.lt.
185.3.229.103   
185.3.229.104   
185.3.229.105   
185.3.229.106   alfa-sentry.data.lt.
185.3.229.107   ox-mail4.data.lt.
185.3.229.108   ox-mail2.data.lt.
185.3.229.109   ox-mail3.data.lt.
185.3.229.110   
185.3.229.111   
185.3.229.112   
185.3.229.113   
185.3.229.114   
185.3.229.115   
185.3.229.116   
185.3.229.117   
185.3.229.118   
185.3.229.119   
185.3.229.120   cloud.miskas.org.
185.3.229.121   
185.3.229.122   
185.3.229.123   
185.3.229.124   oneview2.hostex.lt.
185.3.229.125   mail1.sendersrv.com.
185.3.229.126   mail2.sendersrv.com.
185.3.229.127   mail3.sendersrv.com.
185.3.229.128   mail4.sendersrv.com.
185.3.229.129   mail5.sendersrv.com.
185.3.229.130   mail6.sendersrv.com.
185.3.229.131   mail7.sendersrv.com.
185.3.229.132   mail8.sendersrv.com.
185.3.229.133   mail9.sendersrv.com.
185.3.229.134   mail10.sendersrv.com.
185.3.229.135   mail1.sendersrv2.com.
185.3.229.136   mail2.sendersrv2.com.
185.3.229.137   mail3.sendersrv2.com.
185.3.229.138   mail4.sendersrv2.com.
185.3.229.139   mail5.sendersrv2.com.
185.3.229.140   mail6.sendersrv2.com.
185.3.229.141   mail7.sendersrv2.com.
185.3.229.142   mail8.sendersrv2.com.
185.3.229.143   mail9.sendersrv2.com.
185.3.229.144   mail10.sendersrv2.com.
185.3.229.145   mail1.sendersrv3.com.
185.3.229.146   mail2.sendersrv3.com.
185.3.229.147   mail3.sendersrv3.com.
185.3.229.148   mail4.sendersrv3.com.
185.3.229.149   mail5.sendersrv3.com.
185.3.229.150   mail6.sendersrv3.com.
185.3.229.151   mail7.sendersrv3.com.
185.3.229.152   mail8.sendersrv3.com.
185.3.229.153   mail9.sendersrv3.com.
185.3.229.154   mail10.sendersrv3.com.
185.3.229.155   mail11.sendersrv3.com.
185.3.229.156   mail12.sendersrv3.com.
185.3.229.157   
185.3.229.158   
185.3.229.159   
185.3.229.160   
185.3.229.161   
185.3.229.162   
185.3.229.163   
185.3.229.164   mail-3.owexxhosting.com.
185.3.229.165   mail2-3.owexxhosting.com.
185.3.229.166   

> 
> Does anyone have any further ideas on how to block "approved for funding"
> spam?
> https://pastebin.com/2rKiAEpt
> 
> 
> This one is another namecheap domain registered from Reykjavik. I can
> create body rules, but the language is very much in line with legitimate
> lending companies. I've also added the phone to my phone rules, but
> everyone knows they only last for a few days.
> 
> Other ideas greatly appreciated.



Finance spam

2024-07-16 Thread Alex
Hi all,

Does anyone have any further ideas on how to block "approved for funding"
spam?
https://pastebin.com/2rKiAEpt

This one is another namecheap domain registered from Reykjavik. I can
create body rules, but the language is very much in line with legitimate
lending companies. I've also added the phone to my phone rules, but
everyone knows they only last for a few days.

Other ideas greatly appreciated.


Re: CC: address matches To: address

2024-07-14 Thread Benny Pedersen

Peter skrev den 2024-07-12 05:25:

I have been getting spam from outlook.com (surprise) and a defining feature
is that the same email address is used as the To: and CC: address.

Is there a way for Spamassassin to detect that?


i have a plugin, but not one i need anymore :)

let's see if they don't send spam

ifplugin Mail::SpamAssassin::Plugin::WLBLEval

enlist_addrlist (SPAM_FROM_MICROSOFT) *@outlook.com
enlist_addrlist (SPAM_FROM_MICROSOFT) *@hotmail.com

header   SPAM_FROM_MICROSOFT eval:check_from_in_list('SPAM_FROM_MICROSOFT')

score    SPAM_FROM_MICROSOFT 3 3 3 3
describe SPAM_FROM_MICROSOFT Other untrustworthy From

endif # ifplugin Mail::SpamAssassin::Plugin::WLBLEval

for worst tlds

ifplugin Mail::SpamAssassin::Plugin::WLBLEval

enlist_addrlist (GREY_TLDS) *.com
enlist_addrlist (GREY_TLDS) *.online
enlist_addrlist (GREY_TLDS) *.site
enlist_addrlist (GREY_TLDS) *.store
enlist_addrlist (GREY_TLDS) *.sbs
enlist_addrlist (GREY_TLDS) *.org
enlist_addrlist (GREY_TLDS) *.net
enlist_addrlist (GREY_TLDS) *.xyz
enlist_addrlist (GREY_TLDS) *.cfd
enlist_addrlist (GREY_TLDS) *.top
enlist_addrlist (GREY_TLDS) *.shop
enlist_addrlist (GREY_TLDS) *.fun
enlist_addrlist (GREY_TLDS) *.website
enlist_addrlist (GREY_TLDS) *.cn
enlist_addrlist (GREY_TLDS) *.cloud
enlist_addrlist (GREY_TLDS) *.tech
enlist_addrlist (GREY_TLDS) *.ru
enlist_addrlist (GREY_TLDS) *.co
enlist_addrlist (GREY_TLDS) *.info
enlist_addrlist (GREY_TLDS) *.space

header   GREY_TLDS eval:check_replyto_in_list('GREY_TLDS')
score    GREY_TLDS 0.1 0.1 0.1 0.1
describe GREY_TLDS Other untrustworthy TLDS

endif # ifplugin Mail::SpamAssassin::Plugin::WLBLEval

adjust score as you need


Re: CC: address matches To: address

2024-07-13 Thread John Hardin

On Fri, 12 Jul 2024, Peter wrote:


Hi,

I have been getting spam from outlook.com (surprise) and a defining feature
is that the same email address is used as the To: and CC: address.

Is there a way for Spamassassin to detect that?

Thanks.


There are rules for To equals From, they can be fairly easily modified.

It would be easier to verify them if actual samples were available.

It would be best if you don't try to obfuscate the email addresses. If you 
have some where you want to keep the email addresses private you can post 
them temporarily to pastebin as unlisted and send me the links directly 
rather than providing the pastebin links publicly here on the list.



--
 John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 3 days until the 79th anniversary of the dawn of the Atomic Age
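
As an added example (not code from the thread or from SpamAssassin), the same To:/CC: comparison done in Python, so the address normalisation a rule needs is explicit: display names and comments are stripped, addresses are lower-cased, and every instance of each header is considered. The sample messages are constructed; the From:/To: variant mirrors the existing "To equals From" rules mentioned above.

```python
"""Flag a message whose To: and CC: headers name the same address (the
pattern described in the thread), or whose To: equals its From:.
Added example, not the thread's or SpamAssassin's own code; the sample
messages below are constructed."""
from email import message_from_string
from email.utils import getaddresses


def _addresses(msg, header):
    """Every address in every instance of `header`, lower-cased and
    stripped of display names/comments, so 'Bob <Bob@Example.COM>' and
    'bob@example.com' compare equal."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def header_overlap(raw_message, first, second):
    """Addresses that appear in both headers; an empty set means no overlap."""
    msg = message_from_string(raw_message)
    return _addresses(msg, first) & _addresses(msg, second)


def to_cc_overlap(raw_message):
    """Addresses listed in both To: and CC:."""
    return header_overlap(raw_message, "To", "Cc")


def from_to_overlap(raw_message):
    """Addresses listed in both From: and To: (the 'To equals From' case)."""
    return header_overlap(raw_message, "From", "To")


def is_to_cc_duplicate(raw_message):
    """True when at least one address is listed in both To: and CC:."""
    return bool(to_cc_overlap(raw_message))


# Constructed samples (not real mail).
DUP_TO_CC = """From: Someone <someone@example.com>
To: Victim <victim@example.net>
Cc: VICTIM@example.net
Subject: hello

body
"""

CLEAN = """From: Someone <someone@example.com>
To: victim@example.net
Cc: Other Person <other@example.org>
Subject: hello

body
"""

if __name__ == "__main__":
    print("DUP_TO_CC:", to_cc_overlap(DUP_TO_CC))  # {'victim@example.net'}
    print("CLEAN:", to_cc_overlap(CLEAN))          # set()
```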


Re: Requesting help, sa-update, cron, gpg, unsafe ownership on homedir

2024-07-12 Thread Bill Cole

On 2024-07-12 at 10:51:08 UTC-0400 (Fri, 12 Jul 2024 10:51:08 -0400)
Steve Charmer 
is rumored to have said:


I have a cron job running as root, which calls sa-update

it warns about unsafe ownership


gpg: WARNING: unsafe ownership on homedir
`/var/lib/spamassassin/sa-update-keys'


Note that this is only a warning, not a failure.





this is my current ownership

ls -la /var/lib/spamassassin/sa-update-keys
total 16
drwx------ 2 spamd root  4096 Jun 20  2017 .
drwxr-xr-x 7 spamd spamd 4096 Nov 22  2018 ..
-rwx------ 1 spamd root  2783 Jun 20  2017 pubring.gpg
-rwx------ 1 spamd root     0 Jun 20  2017 pubring.gpg~
-rwx------ 1 spamd root     0 Jun 20  2017 secring.gpg
-rwx------ 1 spamd root  1200 Jun 20  2017 trustdb.gpg



I've read that the ownership should be root,


Would reading that advice again help you follow it? :)

Make the owner root.


so does having the owner =
spamd, and the group = root, causing that warning?


I'm betting yes, although I have not tested it. The definitive answer 
would come from looking at the gpg documentation, I expect.



I thought having group =
root would fix any ownership issues.


It will not, because gpg wants its keys to be owned by the user running 
gpg and no one else. It works with this setup because you're running as 
root, but it still knows that those keys belong to someone else.



I cannot recall now, why I set owner to spamd. Maybe spamd could not read
the gpg keys when trying an update before?


Why would a program run as root need that?

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire
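
The conditions behind that warning, as an added example (not gpg's or sa-update's own code): the check reports a homedir that is not owned by the effective user, or that is writable by group or others, and the fix function re-owns the directory and its files and tightens the modes to the 0700/0600 gpg creates by default. The demo runs on a throwaway temporary directory.

```python
"""Check a gpg homedir the way gpg's ownership/permission warnings do,
and fix it. Added example, not gpg's or sa-update's own code."""
import os
import stat
import tempfile


def gpg_homedir_issues(path, euid=None):
    """Return the problems gpg would warn about for `path`.

    gpg wants the homedir owned by the user running it (a matching group
    is not enough, which is why spamd:root still warns when run as root)
    and not writable by anyone else."""
    euid = os.geteuid() if euid is None else euid
    st = os.stat(path)
    issues = []
    if st.st_uid != euid:
        issues.append(f"unsafe ownership: owned by uid {st.st_uid}, running as uid {euid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append(f"unsafe permissions: mode {stat.S_IMODE(st.st_mode):04o} "
                      "is group/world writable")
    return issues


def harden_gpg_homedir(path, uid, gid):
    """chown everything to uid:gid, directories 0700 and files 0600
    (the modes gpg creates by default). Changing the owner needs privilege."""
    for root, _dirs, files in os.walk(path):
        os.chown(root, uid, gid)
        os.chmod(root, 0o700)
        for name in files:
            fp = os.path.join(root, name)
            os.chown(fp, uid, gid)
            os.chmod(fp, 0o600)


def demo():
    """Exercise both functions on a temporary directory; returns the issue
    list seen at each step so the result can be inspected or asserted."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "pubring.gpg"), "w").close()
        os.chmod(d, 0o700)
        steps = {"ok": gpg_homedir_issues(d)}
        # pretend a different user runs gpg: ownership complaint
        steps["wrong_owner"] = gpg_homedir_issues(d, euid=os.geteuid() + 1)
        os.chmod(d, 0o770)  # group-writable: permission complaint
        steps["loose"] = gpg_homedir_issues(d)
        harden_gpg_homedir(d, os.geteuid(), os.getegid())
        steps["fixed"] = gpg_homedir_issues(d)
        return steps


if __name__ == "__main__":
    for step, issues in demo().items():
        print(f"{step}: {issues or 'clean'}")
```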


Requesting help, sa-update, cron, gpg, unsafe ownership on homedir

2024-07-12 Thread Steve Charmer
I have a cron job running as root, which calls sa-update

it warns about unsafe ownership


gpg: WARNING: unsafe ownership on homedir
`/var/lib/spamassassin/sa-update-keys'


this is my current ownership

ls -la /var/lib/spamassassin/sa-update-keys
total 16
drwx------ 2 spamd root  4096 Jun 20  2017 .
drwxr-xr-x 7 spamd spamd 4096 Nov 22  2018 ..
-rwx------ 1 spamd root  2783 Jun 20  2017 pubring.gpg
-rwx------ 1 spamd root     0 Jun 20  2017 pubring.gpg~
-rwx------ 1 spamd root     0 Jun 20  2017 secring.gpg
-rwx------ 1 spamd root  1200 Jun 20  2017 trustdb.gpg



I've read that the ownership should be root, so does having the owner =
spamd, and the group = root, cause that warning? I thought having group =
root would fix any ownership issues. I cannot recall now why I set owner
to spamd. Maybe spamd could not read the gpg keys when trying an update
before?


Should I chown the folders and files to be root : root ?


CC: address matches To: address

2024-07-11 Thread Peter
Hi,

I have been getting spam from outlook.com (surprise) and a defining feature
is that the same email address is used as the To: and CC: address.

Is there a way for Spamassassin to detect that?

Thanks.



Re: namechep and DOB

2024-07-08 Thread Alex
On Mon, Jul 8, 2024 at 7:33 PM Matija Nalis wrote:

> On Mon, Jul 08, 2024 at 05:13:29PM -0400, Alex wrote:
> > Are there RBLs available that can be used to determine registrar or date
> of
> > registration? I understand the limits of querying a registrar but thought
> > there might be an RBL out there with this info?
>
> https://spameatingmonkey.com/services  lists the following RBLs:
>
> SEM-FRESHZERO — Domains never seen before (typically registered in the
> last 24 hours)
> SEM-FRESH — Domains registered in the last 5 days
> SEM-FRESH10 — Domains registered in the last 10 days
> SEM-FRESH15 — Domains registered in the last 15 days
> SEM-FRESH30 — Domains registered in the last 30 days
>
> perhaps that might help?
>

I do have the SEM rules in place (it's been a while, yikes) but they didn't
hit here.

It also looks like it's really only the SEM_FRESH rules that are hitting
anything, and not any of the others, like SEM_URI or SEM_URIRED, etc. Also
no updates on their site since 2017.


Re: namechep and DOB

2024-07-08 Thread Matija Nalis
On Mon, Jul 08, 2024 at 05:13:29PM -0400, Alex wrote:
> Are there RBLs available that can be used to determine registrar or date of
> registration? I understand the limits of querying a registrar but thought
> there might be an RBL out there with this info?

https://spameatingmonkey.com/services  lists the following RBLs:

SEM-FRESHZERO — Domains never seen before (typically registered in the last 24 hours)
SEM-FRESH — Domains registered in the last 5 days
SEM-FRESH10 — Domains registered in the last 10 days
SEM-FRESH15 — Domains registered in the last 15 days
SEM-FRESH30 — Domains registered in the last 30 days

perhaps that might help?

-- 
Opinions above are GNU-copylefted.


Re: namechep and DOB

2024-07-08 Thread Alex
Hi,

> Alex - Check out the FROM_FMBLA_NEWDOM rules.  Are you seeing any emails
> hitting them?
>

Yes, got them, from here:
https://github.com/fmbla/spamassassin/blob/master/FMBLA.cf

Didn't hit.
Jul  8 18:02:53.537 [4189153] dbg: dnseval: checking [sendersrv.com] /
FROM_NEWDOMAIN_FMBLA / blfmbla / bl.fmb.la
Jul  8 18:02:53.537 [4189153] dbg: dns: launching rule
FROM_NEWDOMAIN_FMBLA, set blfmbla, type A, subtest 127.0.0.2
Jul  8 18:02:53.537 [4189153] dbg: async: query 41110/IN/A/
sendersrv.com.bl.fmb.la already underway, adding no.4, rules:
FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.537 [4189153] dbg: dnseval: checking [smartlendingclub.com]
/ FROM_NEWDOMAIN_FMBLA / blfmbla / bl.fmb.la
Jul  8 18:02:53.538 [4189153] dbg: dns: launching rule
FROM_NEWDOMAIN_FMBLA, set blfmbla, type A, subtest 127.0.0.2
Jul  8 18:02:53.538 [4189153] dbg: async: query 43398/IN/A/
smartlendingclub.com.bl.fmb.la already underway, adding no.4, rules:
FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.638 [4189153] dbg: async: calling callback on key A/
sendersrv.com.bl.fmb.la, rules: FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.639 [4189153] dbg: async: calling callback on key A/
smartlendingclub.com.bl.fmb.la, rules: FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.782 [4189153] dbg: async: completed in 0.137 s: DNSBL, A/
sendersrv.com.bl.fmb.la, rules: FROM_URIBL_COMMUNICADO_FMBLA,
FROM_URIBL_FMBLA, FROM_NEWDOMAIN_14_FMBLA, FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.787 [4189153] dbg: async: completed in 0.137 s: DNSBL, A/
smartlendingclub.com.bl.fmb.la, rules: FROM_URIBL_FMBLA,
BODY_NEWDOMAIN_14_FMBLA, BODY_NEWDOMAIN_FMBLA,
FROM_URIBL_COMMUNICADO_FMBLA, FROM_NEWDOMAIN_FMBLA,
FROM_NEWDOMAIN_14_FMBLA, BODY_URIBL_FMBLA, BODY_URIBL_COMMUNICADO_FMBLA

> In my case, URIBL_RHS_DOB is no longer working at all.   Is this still
> working? - Mark
>
It doesn't appear to be working here, either.

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net  A   2
body URIBL_RHS_DOB  eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB  Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB net
endif

$ spamassassin -t -D plugin < notice-lending-spam 2>&1|grep URIDNSBL
Jul  8 18:16:22.404 [480] dbg: plugin: loading
Mail::SpamAssassin::Plugin::URIDNSBL from @INC
Jul  8 18:16:28.366 [480] dbg: plugin:
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x558387e6dea0) implements
'check_dnsbl', priority 0


Re: namechep and DOB

2024-07-08 Thread Mark London
Alex - Check out the FROM_FMBLA_NEWDOM rules.  Are you seeing any emails 
hitting them?


In my case, URIBL_RHS_DOB is no longer working at all.   Is this still 
working? - Mark


On 7/8/2024 5:13 PM, Alex wrote:

Hi,

I'm seeing emails from smartlendingclub dot com getting through that 
are clearly spam. It's a namecheap domain registered in the last two 
weeks or so.


IIRC, in the past there was more flexibility with the URIBL_RHS_DOB 
rules to penalize domains recently registered, but now it doesn't 
appear to have hit any rules related to registration dates.


Domain name: smartlendingclub dot com
Registry Domain ID: 2891563192_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com 
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2024-06-17T18:42:01.00Z
Registrar Registration Expiration Date: 2025-06-17T18:42:01.00Z

This email also hit the following rules:
describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender

But this rule has virtually 0 score?
describe RCVD_IN_IADB_DOPTIN_LT50  IADB: Confirmed opt-in used less 
than 50% of the time


It hit some other IADB rules like RCVD_IN_IADB_SENDERID but not any 
DOB rules. Am I missing something? Maybe it was the HOSTKARMA rules 
I'm remembering?


Are there RBLs available that can be used to determine registrar or 
date of registration? I understand the limits of querying a registrar 
but thought there might be an RBL out there with this info?





namechep and DOB

2024-07-08 Thread Alex
Hi,

I'm seeing emails from smartlendingclub dot com getting through that are
clearly spam. It's a namecheap domain registered in the last two weeks or
so.

IIRC, in the past there was more flexibility with the URIBL_RHS_DOB rules
to penalize domains recently registered, but now it doesn't appear to have
hit any rules related to registration dates.

Domain name: smartlendingclub dot com
Registry Domain ID: 2891563192_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2024-06-17T18:42:01.00Z
Registrar Registration Expiration Date: 2025-06-17T18:42:01.00Z

This email also hit the following rules:
describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender

But this rule has virtually 0 score?
describe RCVD_IN_IADB_DOPTIN_LT50  IADB: Confirmed opt-in used less than
50% of the time

It hit some other IADB rules like RCVD_IN_IADB_SENDERID but not any DOB
rules. Am I missing something? Maybe it was the HOSTKARMA rules I'm
remembering?

Are there RBLs available that can be used to determine registrar or date of
registration? I understand the limits of querying a registrar but thought
there might be an RBL out there with this info?


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users
On Thursday, July 04, 2024 02:01 AEST, Benny Pedersen  wrote:

> Simon Wilson via users skrev den 2024-07-03 15:54:
> 
> > header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
> > header USER_IN_DKIM_WHITELIST   eval:check_for_dkim_whitelist_from()
> 
> keep scores of them neutral
> 
> meta MY_DKIM_FAILS_NOTRUST (AUTHRES_DKIM_PASS && USER_IN_DKIM_WHITELIST)
> describe MY_DKIM_FAILS_NOTRUST Meta: AUTHRES_DKIM_PASS && 
> USER_IN_DKIM_WHITELIST
> score MY_DKIM_FAILS_NOTRUST -1 -1 -1 -1
> 
> i say no trust since authres can be fooled by untrusted AR headers, when 
> authres_networks all is in use

I understand this, thank you.

> 
> > and generate -100 that the DKIM plugin assigns to a DKIM
> > pass/USER_IN_DKIM_WHITELIST entry.
> 
> why ? are you sure -100 is a very good idea ?

Selected as that is the score allocated by USER_IN_DKIM_WHITELIST

> 
> > …but I don't know how to do that properly. I can combine into a meta
> > rule, but that will call the existing DKIM plugin's subroutine to
> > evaluate USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.
> 
> need more info on your mta setup, if postfix then i need postconf -nf 
> and postconf -Mf in private mail, as i see you can  :)

-- 
Simon Wilson  M: 0400 121 116



Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users
On Thursday, July 04, 2024 01:11 AEST, Bill Cole wrote:

> On 2024-07-03 at 10:19:28 UTC-0400 (Thu, 04 Jul 2024 00:19:28 +1000)
> Simon Wilson via users 
> is rumored to have said:
> 
> > On 03.07.24 23:54, Simon Wilson via users wrote:
> >> Simon Wilson via users skrev den 2024-07-03 14:56:
> >>> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
> >>> trusting my upstream authres_trusted_authserv only?
> >>
> >> both work in parallel, so no need to disable, best results came from
> >> both enabled
> >>
> >> its up to you to add more authres_trusted_authserv or more 
> >> authres_ignored_authserv lines
> >>
> >> possible we can now have a very long debate on dmarc plugin ? :)
> >
> > Please, Simon, quote the text you are replying to.
> >  
> > I have been - was that directed at Benny?
> >  
> 
> No, it is because your mail is multipart/alternative with a text/plain 
> part that lacks any indicators of quoting. Looks like your MUA is 
> broken.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
> addresses)
> Not Currently Available For Hire

I have switched it into plain text mode.



Re: whitelist_auth return_path / from

2024-07-03 Thread Matus UHLAR - fantomas

On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users skrev den 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both work in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)



Matus UHLAR - fantomas skrev den 2024-07-03 16:14:

Please, Simon, quote the text you are replying to.


On 03.07.24 17:47, Benny Pedersen wrote:

i am not Simon


...I was not replying to you then.

Simon does not quote text he replies to, so it's hard to see who has written 
what.


compare your:
https://www.mail-archive.com/users@spamassassin.apache.org/msg111627.html

to Simon's:
https://www.mail-archive.com/users@spamassassin.apache.org/msg111628.html



my question is does spamassassin dmarc plugin use authres results ?

not yet.


also what i feared, but it should imho do

also authres does imho not have spf_helo testing


Do you know anything that adds spf_helo to Authentication-Results ?
afaik pyspf-milter adds helo information only for DSNs


have dmarc ?


yes
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users skrev den 2024-07-03 07:48:


whitelist_auth supp...@wasabi.com
whitelist_auth *@mmemail.wasabi.com


its more simple to set From: "Simon"  in mua

then both spf and dkim give pass on same domain, note -d in dkim is not 
same domain, so you need a new dkim sign key for subdomain in dkim 
signer





Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users skrev den 2024-07-03 15:54:


header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
header USER_IN_DKIM_WHITELIST   eval:check_for_dkim_whitelist_from()


keep scores of them neutral

meta MY_DKIM_FAILS_NOTRUST (AUTHRES_DKIM_PASS && USER_IN_DKIM_WHITELIST)
describe MY_DKIM_FAILS_NOTRUST Meta: AUTHRES_DKIM_PASS && 
USER_IN_DKIM_WHITELIST

score MY_DKIM_FAILS_NOTRUST -1 -1 -1 -1

i say no trust since authres can be fooled by untrusted AR headers, when 
authres_networks all is in use



and generate -100 that the DKIM plugin assigns to a DKIM
pass/USER_IN_DKIM_WHITELIST entry.


why ? are you sure -100 is a very good idea ?


…but I don't know how to do that properly. I can combine into a meta
rule, but that will call the existing DKIM plugin's subroutine to
evaluate USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.


need more info on your mta setup, if postfix then i need postconf -nf 
and postconf -Mf in private mail, as i see you can  :)


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Bill Cole skrev den 2024-07-03 17:11:


Not Currently Available For Hire


lol :)

back to sandbox, hehe




Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2024-07-03 16:14:

On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users skrev den 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both work in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)


Please, Simon, quote the text you are replying to.


i am not Simon


my question is does spamassassin dmarc plugin use authres results ?

not yet.


also what i feared, but it should imho do

also authres does imho not have spf_helo testing, have dmarc ?


Re: whitelist_auth return_path / from

2024-07-03 Thread Bill Cole

On 2024-07-03 at 10:19:28 UTC-0400 (Thu, 04 Jul 2024 00:19:28 +1000)
Simon Wilson via users 
is rumored to have said:


On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users skrev den 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both work in parallel, so no need to disable, best results came from
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)


Please, Simon, quote the text you are replying to.
 
I have been - was that directed at Benny?
 


No, it is because your mail is multipart/alternative with a text/plain 
part that lacks any indicators of quoting. Looks like your MUA is 
broken.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

Simon Wilson via users skrev den 2024-07-03 14:56:

> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
> trusting my upstream authres_trusted_authserv only?

both work in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)

my question is does spamassassin dmarc plugin use authres results ?
 
- SA's DKIM plugin has failed a message so USER_IN_DKIM_WHITELIST tag will not 
get assigned, and a +0.1 is added for a DKIM fail
- with AuthRes plugin installed, my trusted Authentication-Results header ‘DKIM 
pass’ = -0.5 is applied
- yes, the -0.5 overrides the +0.1 from the false DKIM fail, but this does not 
overcome the reason I wanted the sender in whitelist_auth - to overcome the FP 
of their emails triggering a KAM rule
 
Ideally what I want is for authres.cf to combine:
 
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
with 
header USER_IN_DKIM_WHITELIST   eval:check_for_dkim_whitelist_from()
 
and generate -100 that the DKIM plugin assigns to a DKIM 
pass/USER_IN_DKIM_WHITELIST entry.
 
…but I don't know how to do that properly. I can combine into a meta rule, but 
that will call the existing DKIM plugin's subroutine to evaluate 
USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.

OK, I have done the following and it seems to be working, but will take 
guidance on if this is going to have unexpected consequences from my ignorance…
 
- removed the SA DKIM plugin from loading
- Authres plugin working and trusting my own mail server's auth tests 
(including DKIM)
- created a meta rule:
 
## Whitelist Wasabi, subject to passing of auth
header __LR_FROM_WASABI  From =~ /support\@wasabi\.com/i
meta LR_WASABI_AUTH (__LR_FROM_WASABI && AUTHRES_DKIM_PASS && AUTHRES_SPF_PASS)
score LR_WASABI_AUTH -100
 
This now scores the Wasabi emails OK. Please feel free to tell me if this was a 
really bad plan :)
 
Simon


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

On 03.07.24 23:54, Simon Wilson via users wrote:
>Simon Wilson via users skrev den 2024-07-03 14:56:
>> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
>> trusting my upstream authres_trusted_authserv only?
>
>both work in parallel, so no need to disable, best results came from 
>both enabled
>
>its up to you to add more authres_trusted_authserv or more 
>authres_ignored_authserv lines
>
>possible we can now have a very long debate on dmarc plugin ? :)

Please, Simon, quote the text you are replying to.
 
I have been - was that directed at Benny?
 


Re: whitelist_auth return_path / from

2024-07-03 Thread Matus UHLAR - fantomas

On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users skrev den 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both work in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)


Please, Simon, quote the text you are replying to.


my question is does spamassassin dmarc plugin use authres results ?


not yet.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

Simon Wilson via users skrev den 2024-07-03 14:56:

> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
> trusting my upstream authres_trusted_authserv only?

both work in parallel, so no need to disable, best results came from 
both enabled

its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)

my question is does spamassassin dmarc plugin use authres results ?
 
- SA's DKIM plugin has failed a message so USER_IN_DKIM_WHITELIST tag will not 
get assigned, and a +0.1 is added for a DKIM fail
- with AuthRes plugin installed, my trusted Authentication-Results header ‘DKIM 
pass’ = -0.5 is applied
- yes, the -0.5 overrides the +0.1 from the false DKIM fail, but this does not 
overcome the reason I wanted the sender in whitelist_auth - to overcome the FP 
of their emails triggering a KAM rule
 
Ideally what I want is for authres.cf to combine:
 
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
with 
header USER_IN_DKIM_WHITELIST   eval:check_for_dkim_whitelist_from()
 
and generate -100 that the DKIM plugin assigns to a DKIM 
pass/USER_IN_DKIM_WHITELIST entry.
 
…but I don't know how to do that properly. I can combine into a meta rule, but 
that will call the existing DKIM plugin's subroutine to evaluate 
USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.
 


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users skrev den 2024-07-03 14:56:


Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both work in parallel, so no need to disable, best results came from 
both enabled


its up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines


possible we can now have a very long debate on dmarc plugin ? :)

my question is does spamassassin dmarc plugin use authres results ?








Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

 
Simon Wilson via users skrev den 2024-07-03 14:13:

> I don't think SA 3.4.6 on RH8 has AuthRes plugin:

take it from spamassassin trunk, this plugin works on 3.4.6 as well, but 
was not released or tested on it, i have verified it does work

#!/bin/sh

svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk spamassassin-trunk

OK, done and working. Plugin added, loaded with a .pre and configured with a .cf
 
Working, e.g.:

X-Spam-Status: No, score=-1.798 tagged_above=-999 required=6.2
 tests=[AUTHRES_ARC_FAIL=1.5, AUTHRES_DKIM_PASS=-0.5, AUTHRES_DMARC_PASS=-0.5,
 AUTHRES_SPF_PASS=-0.5, BAYES_00=-1.9, DCC_REPUT_70_89=0.1, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
 LR_ARC_FAIL=1, LR_DMARC_PASS=-0.1, RCVD_IN_DNSWL_LOW=-0.7,
 RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
 by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
 with LMTP id qiXZppjAGmSg for ;
 Wed,  3 Jul 2024 22:48:54 +1000 (AEST)
Authentication-Results: mail.simonandkate.net;
spf=pass smtp.helo=smtp-out.orange.com;
spf=pass smtp.mailfrom=orange.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=none dis=none) 
header.from=orange.com
Authentication-Results: mail.simonandkate.net; arc=fail 
smtp.remote-ip=80.12.126.238
Authentication-Results: mail.simonandkate.net;
dkim=pass (2048-bit key, secure) header.d=orange.com 
header.i=@orange.com header.a=rsa-sha256 header.s=orange002 header.b=OKdWrX63
 
Next question though - 
When the next email comes from Wasabi that my server tags as 
“Authentication-Results: mail.simonandkate.net; dkim=pass”, I understand that 
Authres plugin will accept the authres_trusted_authserv assignment to my 
server, resulting in AUTHRES_DKIM_PASS=-0.5. 
Do I also need to disable the normal SA DKIM plugin evaluation, i.e. trusting 
my upstream authres_trusted_authserv only?
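
How a trusted-authserv policy evaluates headers like the ones above, as an added example that is not the AuthRes plugin's own code: only Authentication-Results headers stamped with your own server's authserv-id count, so a pass claimed by any other AR header already present on the message is ignored (the fooling Benny warns about when authres_networks all is in use). The last function mirrors the From-match plus AUTHRES_DKIM_PASS plus AUTHRES_SPF_PASS meta rule from this thread but additionally pins the DKIM pass to a signing domain (header.d); TRUSTED_AUTHSERV is assumed, MSG_OK reuses the wasabi.com headers posted in the thread, and MSG_UNTRUSTED is constructed.

```python
"""Evaluate Authentication-Results (AR) headers under a trusted-authserv
policy: only AR headers whose authserv-id is ours count; any other AR
header, e.g. one already present when the mail arrived, is ignored.
Added example, not the AuthRes plugin's code. Parsing is deliberately
minimal (RFC 8601 shape: authserv-id; method=result props ...)."""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed: the authserv-id our own MTA stamps into AR headers.
TRUSTED_AUTHSERV = {"mail.simonandkate.net"}

_RESULT = re.compile(r"^([a-z]+)=([a-z]+)(.*)$", re.I | re.S)
_PROP = re.compile(r"([\w.-]+)=(\S+)")


def parse_authres(value):
    """One AR header value -> (authserv_id, [(method, result, props), ...]).
    Parenthesised comments are dropped before properties are read."""
    value = " ".join(value.split())                     # unfold continuation lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower()           # an AR version may follow
    results = []
    for item in parts[1:]:
        m = _RESULT.match(item)
        if not m:                                       # e.g. a bare "none"
            continue
        rest = re.sub(r"\([^()]*\)", " ", m.group(3))
        results.append((m.group(1).lower(), m.group(2).lower(), dict(_PROP.findall(rest))))
    return authserv_id, results


def trusted_results(raw_message, trusted=TRUSTED_AUTHSERV):
    """All (method, result, props) from AR headers we trust, in header order."""
    msg = message_from_string(raw_message)
    out = []
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(str(value))
        if authserv_id in trusted:                      # untrusted authserv-id: ignored
            out.extend(results)
    return out


def passed(results, method, props=None):
    """True if some trusted result is `method=pass` carrying every key in
    `props` (value None means "present with any value")."""
    props = props or {}
    return any(m == method and r == "pass"
               and all((k in p) if v is None else p.get(k) == v for k, v in props.items())
               for m, r, p in results)


def auth_whitelisted(raw_message, from_addr, dkim_domain, trusted=TRUSTED_AUTHSERV):
    """From: contains `from_addr`, trusted AR says DKIM passed for
    `dkim_domain`, and SPF passed for the envelope sender."""
    msg = message_from_string(raw_message)
    senders = {a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a}
    if from_addr.lower() not in senders:
        return False
    results = trusted_results(raw_message, trusted)
    return (passed(results, "dkim", {"header.d": dkim_domain})
            and passed(results, "spf", {"smtp.mailfrom": None}))


# AR headers as posted in the thread, stamped by the trusted server.
MSG_OK = """From: Wasabi Support <support@wasabi.com>
To: simon@example.net
Subject: test
Authentication-Results: mail.simonandkate.net;
 spf=none smtp.helo=o562.ptr9861.wasabi.com;
 spf=pass smtp.mailfrom=mmemail.wasabi.com
Authentication-Results: mail.simonandkate.net;
 dkim=pass (2048-bit key, unprotected) header.d=wasabi.com header.i=@wasabi.com
 header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0

body
"""

# Constructed: the same claims, but from an authserv-id we do not trust.
MSG_UNTRUSTED = """From: Wasabi Support <support@wasabi.com>
To: simon@example.net
Subject: test
Authentication-Results: other.example; dkim=pass header.d=wasabi.com;
 spf=pass smtp.mailfrom=mmemail.wasabi.com

body
"""

if __name__ == "__main__":
    print("trusted:", auth_whitelisted(MSG_OK, "support@wasabi.com", "wasabi.com"))         # True
    print("untrusted:", auth_whitelisted(MSG_UNTRUSTED, "support@wasabi.com", "wasabi.com"))  # False
```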
 


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users skrev den 2024-07-03 14:13:


I don't think SA 3.4.6 on RH8 has AuthRes plugin:


take it from spamassassin trunk, this plugin works on 3.4.6 as well, but 
was not released or tested on it, i have verified it does work


#!/bin/sh

svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk spamassassin-trunk







Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users





On Wednesday, July 03, 2024 22:06 AEST, "Simon Wilson via users" wrote:

 

Dave Funk skrev den 2024-07-03 09:29:
> On Wed, 3 Jul 2024, Simon Wilson via users wrote:

> You say "passing SPF and DKIM" however in the SA rules report it 
> clearly says:
> DKIM_SIGNED=0.1, DKIM_INVALID=0.1
> 
> So even though you think 'passed DKIM' SA clearly does NOT think it does. 
> That DKIM_INVALID will prevent the whitelist_auth from firing, thus you 
> need to investigate what's going wrong there.

whitelist_auth supports Return-Path so spf is evaluated as well as dkim is

grep logs DKIM_VALID_EF

or enable DMARC plugin
Hi Benny, none of that helps unless I'm being dense this evening :-D

* I know whitelist_auth supports spf and dkim, that is in the documentation
* Grepping for DKIM_VALID_EF only tells me what I now already know - SA thinks
  that one of the emails did not pass DKIM, when my server validated that it did
  and entered an Authentication-Results header saying that it did
* I already have DMARC assessment, and that is shown in the headers I posted:

Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine dis=none) header.from=wasabi.com

The authentication headers that my server adds are:

Authentication-Results: mail.simonandkate.net;
spf=none smtp.helo=o562.ptr9861.wasabi.com;
spf=pass smtp.mailfrom=mmemail.wasabi.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine dis=none) header.from=wasabi.com
Authentication-Results: mail.simonandkate.net; arc=none smtp.remote-ip=159.183.86.216
Authentication-Results: mail.simonandkate.net;
dkim=pass (2048-bit key, unprotected) header.d=wasabi.com header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0

However SA thinks DKIM failed.
 
I note your other email Benny on adding authres settings. I'm not averse to 
doing so, but would like to first understand why SA is behaving differently 
with these two emails.
 
Simon
 

I don't think SA 3.4.6 on RH8 has AuthRes plugin:
 
-r--r--r-- 1 root root  4659 Apr  9  2021 AccessDB.pm
-r--r--r-- 1 root root  4559 Apr  9  2021 AntiVirus.pm
-r--r--r-- 1 root root 29117 Apr  9  2021 AskDNS.pm
-r--r--r-- 1 root root 17071 Apr  9  2021 ASN.pm
-r--r--r-- 1 root root  8803 Apr  9  2021 AutoLearnThreshold.pm
-r--r--r-- 1 root root 19936 Apr  9  2021 AWL.pm
-r--r--r-- 1 root root 55885 Apr  9  2021 Bayes.pm
 
…etc…


Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

Dave Funk skrev den 2024-07-03 09:29:
> On Wed, 3 Jul 2024, Simon Wilson via users wrote:

> You say "passing SPF and DKIM" however in the SA rules report it 
> clearly says:
> DKIM_SIGNED=0.1, DKIM_INVALID=0.1
> 
> So even though you think 'passed DKIM' SA clearly does NOT think it does. 
> That DKIM_INVALID will prevent the whitelist_auth from firing, thus you 
> need to investigate what's going wrong there.

whitelist_auth supports Return-Path so spf is evaluated as well as dkim

grep logs DKIM_VALID_EF

or enable DMARC plugin
Hi Benny, none of that helps unless I'm being dense this evening :-D

* I know whitelist_auth supports spf and dkim, that is in the documentation
* Grepping for DKIM_VALID_EF only tells me what I now already know - SA thinks 
that one of the emails did not pass DKIM, when my server validated that it did 
and entered an Authentication-Results header saying that it did
* I already have DMARC assessment, and that is shown in the headers I posted:

Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
dis=none) header.from=wasabi.com

The authentication headers that my server adds are:

Authentication-Results: mail.simonandkate.net;
spf=none smtp.helo=o562.ptr9861.wasabi.com;
spf=pass smtp.mailfrom=mmemail.wasabi.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
dis=none) header.from=wasabi.com
Authentication-Results: mail.simonandkate.net; arc=none 
smtp.remote-ip=159.183.86.216
Authentication-Results: mail.simonandkate.net;
dkim=pass (2048-bit key, unprotected) header.d=wasabi.com 
header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0
However SA thinks DKIM failed. 
 
I note your other email Benny on adding authres settings. I'm not averse to 
doing so, but would like to first understand why SA is behaving differently 
with these two emails.
 
Simon


Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Simon Wilson via users skrev den 2024-07-03 09:48:


So I guess the question is why SA is not accepting a trusted header
with a DKIM pass recorded with the same mail path through the system?
I have no AuthRes settings set specifically in local.cf.


so add it :)

ifplugin Mail::SpamAssassin::Plugin::AuthRes

authres_networks all

authres_trusted_authserv mail.simonandkate.net

describe AUTHRES_ARC_FAIL Authentication-Results: has "arc=fail" result
describe AUTHRES_ARC_NONE Authentication-Results: has "arc=none" result
describe AUTHRES_ARC_PASS Authentication-Results: has "arc=pass" result

header AUTHRES_ARC_FAIL eval:check_authres_result('arc', 'fail')
header AUTHRES_ARC_NONE eval:check_authres_result('arc', 'none')
header AUTHRES_ARC_PASS eval:check_authres_result('arc', 'pass')
score AUTHRES_ARC_FAIL 1.5
score AUTHRES_ARC_NONE 0.5
score AUTHRES_ARC_PASS -1.5

describe AUTHRES_ADSP_DISCARD Authentication-Results: has "dkim-adsp=discard" result
describe AUTHRES_ADSP_FAIL Authentication-Results: has "dkim-adsp=fail" result
describe AUTHRES_ADSP_NONE Authentication-Results: has "dkim-adsp=none" result
describe AUTHRES_ADSP_NXDOMAIN Authentication-Results: has "dkim-adsp=nxdomain" result
describe AUTHRES_ADSP_PASS Authentication-Results: has "dkim-adsp=pass" result
describe AUTHRES_ADSP_PERMERROR Authentication-Results: has "dkim-adsp=permerror" result
describe AUTHRES_ADSP_TEMPERROR Authentication-Results: has "dkim-adsp=temperror" result
describe AUTHRES_ADSP_UNKNOWN Authentication-Results: has "dkim-adsp=unknown" result
header AUTHRES_ADSP_DISCARD eval:check_authres_result('dkim-adsp', 'discard')
header AUTHRES_ADSP_FAIL eval:check_authres_result('dkim-adsp', 'fail')
header AUTHRES_ADSP_NONE eval:check_authres_result('dkim-adsp', 'none')
header AUTHRES_ADSP_NXDOMAIN eval:check_authres_result('dkim-adsp', 'nxdomain')
header AUTHRES_ADSP_PASS eval:check_authres_result('dkim-adsp', 'pass')
header AUTHRES_ADSP_PERMERROR eval:check_authres_result('dkim-adsp', 'permerror')
header AUTHRES_ADSP_TEMPERROR eval:check_authres_result('dkim-adsp', 'temperror')
header AUTHRES_ADSP_UNKNOWN eval:check_authres_result('dkim-adsp', 'unknown')

score AUTHRES_ADSP_DISCARD 1.5
score AUTHRES_ADSP_FAIL 0.5
score AUTHRES_ADSP_NONE 0.5
score AUTHRES_ADSP_NXDOMAIN 1.5
score AUTHRES_ADSP_PASS -0.5
score AUTHRES_ADSP_PERMERROR 0.5
score AUTHRES_ADSP_TEMPERROR 0.5
score AUTHRES_ADSP_UNKNOWN 0.5

describe AUTHRES_ATPS_FAIL Authentication-Results: has "dkim-atps=fail" result
describe AUTHRES_ATPS_NEUTRAL Authentication-Results: has "dkim-atps=neutral" result
describe AUTHRES_ATPS_NONE Authentication-Results: has "dkim-atps=none" result
describe AUTHRES_ATPS_PASS Authentication-Results: has "dkim-atps=pass" result
describe AUTHRES_ATPS_PERMERROR Authentication-Results: has "dkim-atps=permerror" result
describe AUTHRES_ATPS_TEMPERROR Authentication-Results: has "dkim-atps=temperror" result
header AUTHRES_ATPS_FAIL eval:check_authres_result('dkim-atps', 'fail')
header AUTHRES_ATPS_NEUTRAL eval:check_authres_result('dkim-atps', 'neutral')
header AUTHRES_ATPS_NONE eval:check_authres_result('dkim-atps', 'none')
header AUTHRES_ATPS_PASS eval:check_authres_result('dkim-atps', 'pass')
header AUTHRES_ATPS_PERMERROR eval:check_authres_result('dkim-atps', 'permerror')
header AUTHRES_ATPS_TEMPERROR eval:check_authres_result('dkim-atps', 'temperror')

score AUTHRES_ATPS_FAIL 0.5
score AUTHRES_ATPS_NEUTRAL 0.5
score AUTHRES_ATPS_NONE 1.5
score AUTHRES_ATPS_PASS -1.5
score AUTHRES_ATPS_PERMERROR 0.5
score AUTHRES_ATPS_TEMPERROR 0.5

describe AUTHRES_DKIM_FAIL Authentication-Results: has "dkim=fail" result
describe AUTHRES_DKIM_PASS Authentication-Results: has "dkim=pass" result
describe AUTHRES_DKIM_NEUTRAL Authentication-Results: has "dkim=neutral" result
describe AUTHRES_DKIM_NONE Authentication-Results: has "dkim=none" result
describe AUTHRES_DKIM_POLICY Authentication-Results: has "dkim=policy" result
describe AUTHRES_DKIM_PERMERROR Authentication-Results: has "dkim=permerror" result
describe AUTHRES_DKIM_TEMPERROR Authentication-Results: has "dkim=temperror" result

header AUTHRES_DKIM_FAIL eval:check_authres_result('dkim', 'fail')
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
header AUTHRES_DKIM_NEUTRAL eval:check_authres_result('dkim', 'neutral')

header AUTHRES_DKIM_NONE eval:check_authres_result('dkim', 'none')
header AUTHRES_DKIM_POLICY eval:check_authres_result('dkim', 'policy')
header AUTHRES_DKIM_PERMERROR eval:check_authres_result('dkim', 'permerror')
header AUTHRES_DKIM_TEMPERROR eval:check_authres_result('dkim', 'temperror')

score AUTHRES_DKIM_FAIL 0.5
score AUTHRES_DKIM_PASS -0.5
score 
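
The two things the config above turns on are the trusted-authserv gate (authres_trusted_authserv) and the check_authres_result evals. The following is an added example, not code from the thread or from the AuthRes plugin itself: a small Python parser for RFC 8601 Authentication-Results headers that honours only the configured authserv-id and answers the same method/result questions the rules above ask. The sample headers are constructed from the ones Simon quoted, plus one made-up header from an untrusted host to show why the gate matters.

```python
"""Parse Authentication-Results headers (RFC 8601) the way SpamAssassin's
AuthRes plugin consumes them: only headers whose authserv-id is listed in
authres_trusted_authserv are honoured, and every method=result pair in a
trusted header is collected so a rule like check_authres_result('dkim',
'pass') can be evaluated against them.  (Added example; the plugin's own
Perl code is not reproduced here.)
"""
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the headers quoted in the thread.
# The last header is a constructed one stamped by a host that is NOT our
# authserv-id; any upstream hop (or the sender) can insert such a header
# before the message reaches us, which is why the plugin gates on trust.
SAMPLE_HEADERS = [
    "mail.simonandkate.net; spf=none smtp.helo=o562.ptr9861.wasabi.com; "
    "spf=pass smtp.mailfrom=mmemail.wasabi.com",
    "mail.simonandkate.net; dmarc=pass (p=quarantine dis=none) header.from=wasabi.com",
    "mail.simonandkate.net; arc=none smtp.remote-ip=159.183.86.216",
    "mail.simonandkate.net; dkim=pass (2048-bit key, unprotected) header.d=wasabi.com "
    "header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0",
    "untrusted.example; iprev=pass policy.iprev=192.0.2.1",
]

TRUSTED_AUTHSERV = {"mail.simonandkate.net"}   # mirrors authres_trusted_authserv

COMMENT_RE = re.compile(r"\([^()]*\)")
RESINFO_RE = re.compile(r"^([A-Za-z0-9-]+)=([A-Za-z0-9-]+)$")


@dataclass
class AuthResult:
    authserv_id: str
    method: str            # e.g. "dkim", "spf", "dmarc", "arc"
    result: str            # e.g. "pass", "fail", "none"
    props: dict = field(default_factory=dict)   # e.g. {"header.d": "wasabi.com"}


def strip_comments(text: str) -> str:
    """Remove (possibly nested) CFWS comments such as '(2048-bit key, unprotected)'."""
    previous = None
    while previous != text:
        previous, text = text, COMMENT_RE.sub(" ", text)
    return text


def parse_authres(header: str, trusted: set) -> list:
    """Return the AuthResult entries of one header, or [] when its authserv-id
    is not trusted (an untrusted header is ignored, not treated as a failure)."""
    parts = [p.strip() for p in strip_comments(header).split(";") if p.strip()]
    if not parts:
        return []
    # authserv-id may be followed by an optional version number
    authserv_id = parts[0].split()[0].lower()
    if authserv_id not in trusted:
        return []
    results = []
    for part in parts[1:]:
        tokens = part.split()
        match = RESINFO_RE.match(tokens[0])
        if not match:
            continue          # malformed resinfo; skip rather than guess
        entry = AuthResult(authserv_id, match.group(1).lower(), match.group(2).lower())
        for token in tokens[1:]:
            if "=" in token:  # ptype.property=value
                key, value = token.split("=", 1)
                entry.props[key.lower()] = value
        results.append(entry)
    return results


def collect_results(headers, trusted=TRUSTED_AUTHSERV) -> list:
    """All trusted method=result entries across a message's headers."""
    return [r for h in headers for r in parse_authres(h, trusted)]


def check_authres_result(headers, method: str, result: str,
                         trusted=TRUSTED_AUTHSERV) -> bool:
    """Same question as the plugin's check_authres_result(method, result)
    eval: does any trusted header report that method with that result?"""
    return any(r.method == method and r.result == result
               for r in collect_results(headers, trusted))


def dkim_signing_domains(headers, trusted=TRUSTED_AUTHSERV) -> set:
    """Domains (header.d) for which a trusted header reports dkim=pass."""
    return {r.props.get("header.d", "").lower()
            for r in collect_results(headers, trusted)
            if r.method == "dkim" and r.result == "pass"}


if __name__ == "__main__":
    for entry in collect_results(SAMPLE_HEADERS):
        print(f"{entry.method}={entry.result} {entry.props}")
    print("dkim=pass from trusted authserv:",
          check_authres_result(SAMPLE_HEADERS, "dkim", "pass"))
```

With the thread's headers this reports dkim=pass for header.d=wasabi.com, which is the result the AUTHRES_DKIM_PASS rule above would score; the untrusted host's iprev=pass is discarded unless its authserv-id is added to the trusted set.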

Re: whitelist_auth return_path / from

2024-07-03 Thread Benny Pedersen

Dave Funk skrev den 2024-07-03 09:29:

On Wed, 3 Jul 2024, Simon Wilson via users wrote:


You say "passing SPF and DKIM" however in the SA rules report it 
clearly says:

 DKIM_SIGNED=0.1, DKIM_INVALID=0.1

So even though you think 'passed DKIM' SA clearly does NOT think it does. 
That DKIM_INVALID will prevent the whitelist_auth from firing, thus you 
need to investigate what's going wrong there.


whitelist_auth supports Return-Path so spf is evaluated as well as dkim

grep logs DKIM_VALID_EF

or enable DMARC plugin





Re: whitelist_auth return_path / from

2024-07-03 Thread Simon Wilson via users

On Wed, 3 Jul 2024, Simon Wilson via users wrote:

> Does whitelist_auth work on From header, or Return-Path? Reason I ask:
>
> 
> 
> I have two emails from “support .at. wasabi.com”. Due to their emails usually 
> triggering KAM rules I have (in
> /etc/mail/spamassassin/local.cf):
>
> 
> 
> ## Whitelist Wasabi, subject to passing of auth
> whitelist_auth supp...@wasabi.com
[snip..]

> The other is not triggering whitelist_auth and is marked as spam due to the 
> KAM rule fails. It has:
> 
> Return-Path: 
> ... 
> From: Wasabi 
> ... 
> Reply-To: supp...@wasabi.com
> 
> Despite passing SPF and DKIM, not whitelisted:
> 
> X-Spam-Score: 20.212
> X-Spam-Level: 
> X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
> tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
> DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
> KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
> KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
> SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
> autolearn=no autolearn_force=no
[snip]
> 
> Thanks.
> Simon.

You say "passing SPF and DKIM" however in the SA rules report it clearly says:
DKIM_SIGNED=0.1, DKIM_INVALID=0.1

So even though you think 'passed DKIM' SA clearly does NOT think it does. That 
DKIM_INVALID will prevent the whitelist_auth from firing, thus you need to 
investigate what's going wrong there.


-- 
Dave Funk University of Iowa
 College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Good spot, thank you.
 
The email that passed (sent from Wasabi's Salesforce) clearly passes SPF and 
DKIM, and SA accepts that it has passed both:

X-Spam-Score: -182.112
X-Spam-Level:
X-Spam-Status: No, score=-182.112 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HELO_STATIC_HOST=-0.001,
 HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001, KAM_BODY_URIBL_PCCC=9,
 KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1, LR_DMARC_PASS=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01,
 USER_IN_DKIM_WELCOMELIST=-0.01, USER_IN_DKIM_WHITELIST=-100,
 USER_IN_SPF_WELCOMELIST=-0.01, USER_IN_SPF_WHITELIST=-100]
 autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
 by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
 with LMTP id FRQBp6eagRev for ;
 Wed,  3 Jul 2024 11:33:21 +1000 (AEST)
Authentication-Results: mail.simonandkate.net;
spf=pass 
smtp.helo=smtp-0e3fa5fa5492d81fe.core1.sfdc-lywfpd.mta.salesforce.com;
spf=pass smtp.mailfrom=wasabi.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
dis=none) header.from=wasabi.com
Authentication-Results: mail.simonandkate.net; arc=none 
smtp.remote-ip=44.227.237.13
Authentication-Results: mail.simonandkate.net;
dkim=pass (1024-bit key, unprotected) header.d=wasabi.com 
header.i=@wasabi.com header.a=rsa-sha256 header.s=sfdcproduction 
header.b=VPfjwPoA
Received: from smtp-0e3fa5fa5492d81fe.core1.sfdc-lywfpd.mta.salesforce.com 
(smtp-0e3fa5fa5492d81fe.core1.sfdc-lywfpd.mta.salesforce.com [44.227.237.13])
by mail.simonandkate.net (Postfix) with ESMTPS id B2E4460E1
for ; Wed,  3 Jul 2024 11:33:20 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wasabi.com;
s=sfdcproduction; t=1719970393;
bh=HT3vxtae+200eJTAlHJkPaLUuYEbpqXqTkY70+hSYa4=;
h=Date:From:To:Subject:MIME-Version:Content-Type;
b=VPfjwPoAe8Gu3ruU2nvnYYggXO5JZ/7IaxEDNaBsvvxIZ5PHW+7rXN1usl5qmJZ5u
 asB0RBBCXNTH/5SDXXJEu1Pc6jRvsdc+POPLrkQkHqhXgX1DmUjnVYnDBA2tu/8RIk
 M7ISxYS4psZXdm73/ZF7sILSdS+USXdTM5JlfbV4=
 
The failed one is assessed by OpenDKIM as having passed by my server 
(mail.simonandkate.net), but you are correct SA sees it as invalid.
 
So I guess the question is why SA is not accepting a trusted header with a DKIM 
pass recorded with the same mail path through the system? I have no AuthRes 
settings set specifically in local.cf.
 X-Spam-Score: 20.212
X-Spam-Level: 
X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
 DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
 KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
 KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
 autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
 by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
 with LMTP id 0dPigJ_ugPPb for ;
 Wed,  3 Jul 2024 07:48:51 

Re: whitelist_auth return_path / from

2024-07-03 Thread Dave Funk

On Wed, 3 Jul 2024, Simon Wilson via users wrote:


Does whitelist_auth work on From header, or Return-Path? Reason I ask:



I have two emails from “support .at. wasabi.com”. Due to their emails usually 
triggering KAM rules I have (in
/etc/mail/spamassassin/local.cf):



## Whitelist Wasabi, subject to passing of auth
whitelist_auth supp...@wasabi.com

[snip..]


The other is not triggering whitelist_auth and is marked as spam due to the KAM 
rule fails. It has:

Return-Path: 
... 
From: Wasabi 
... 
Reply-To: supp...@wasabi.com

Despite passing SPF and DKIM, not whitelisted:

X-Spam-Score: 20.212
X-Spam-Level: 
X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
 DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
 KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
 KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
 autolearn=no autolearn_force=no

[snip]


Thanks.
Simon.


You say "passing SPF and DKIM" however in the SA rules report it clearly says:
 DKIM_SIGNED=0.1, DKIM_INVALID=0.1

So even though you think 'passed DKIM' SA clearly does NOT think it does. That 
DKIM_INVALID will prevent the whitelist_auth from firing, thus you need to 
investigate what's going wrong there.



--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

whitelist_auth return_path / from

2024-07-02 Thread Simon Wilson via users

Running SA 3.4.6 on RH8. 
 
Does whitelist_auth work on From header, or Return-Path? Reason I ask:
 
I have two emails from “support .at. wasabi.com”. Due to their emails usually 
triggering KAM rules I have (in /etc/mail/spamassassin/local.cf):
 
## Whitelist Wasabi, subject to passing of auth
whitelist_auth supp...@wasabi.com
 
First email triggers whitelist_auth and is passed as expected. It has:

Return-Path: 
... 
From: Wasabi Support 
X-Spam-Score: -182.112
X-Spam-Level:
X-Spam-Status: No, score=-182.112 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HELO_STATIC_HOST=-0.001,
 HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001, KAM_BODY_URIBL_PCCC=9,
 KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1, LR_DMARC_PASS=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01,
 USER_IN_DKIM_WELCOMELIST=-0.01, USER_IN_DKIM_WHITELIST=-100,
 USER_IN_SPF_WELCOMELIST=-0.01, USER_IN_SPF_WHITELIST=-100]
The other is not triggering whitelist_auth and is marked as spam due to the KAM 
rule fails. It has:

Return-Path: 

... 
From: Wasabi 
... 
Reply-To: supp...@wasabi.com
Despite passing SPF and DKIM, not whitelisted:

X-Spam-Score: 20.212
X-Spam-Level: 
X-Spam-Status: Yes, score=20.212 tagged_above=-999 required=6.2
 tests=[BAYES_00=-1.9, DCC_CHECK=1.1, DCC_REPUT_99_100=1.4, DKIM_INVALID=0.1,
 DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KAM_BODY_MARKETINGBL_PCCC=0.001,
 KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_MARKETINGBL_PCCC=1,
 KAM_REALLYHUGEIMGSRC=0.5, LR_DMARC_PASS=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
 autolearn=no autolearn_force=no
Received: from mail.simonandkate.net ([127.0.0.1])
 by localhost (amavis.simonandkate.net [127.0.0.1]) (amavis, port 10024)
 with LMTP id 0dPigJ_ugPPb for ;
 Wed,  3 Jul 2024 07:48:51 +1000 (AEST)
Authentication-Results: mail.simonandkate.net;
spf=none smtp.helo=o562.ptr9861.wasabi.com;
spf=pass smtp.mailfrom=mmemail.wasabi.com
Authentication-Results: mail.simonandkate.net; dmarc=pass (p=quarantine 
dis=none) header.from=wasabi.com
Authentication-Results: mail.simonandkate.net; arc=none 
smtp.remote-ip=159.183.86.216
Authentication-Results: mail.simonandkate.net;
dkim=pass (2048-bit key, unprotected) header.d=wasabi.com 
header.i=@wasabi.com header.a=rsa-sha256 header.s=mmd header.b=uhRSt2r0
Received: from o562.ptr9861.wasabi.com (o562.ptr9861.wasabi.com 
[159.183.86.216])
by mail.simonandkate.net (Postfix) with ESMTPS id C105157044
for ; Wed,  3 Jul 2024 07:48:47 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wasabi.com;
h=content-type:from:mime-version:subject:reply-to:to:list-unsubscribe:
list-unsubscribe-post:cc:content-type:from:subject:to;
s=mmd; bh=cy4eC8HJMJh8b6CwYtOAzArbHod4C/sAQkNIrkSQFPA=;
b=uhRSt2r0lE9yE6sSCc7+QA90N0PCyzA0FNP0bOo2ApH/U+u6yCpjvt0KZJ+VO2MfDKuh
xmzJPFgaHNvajQDOyqfLCfF4xwTrxYyBaKTMf/qinqP6JHpFsKVaDNykv96ZIac/SwRbha
SO4yPkPl1NO5k4ENyD5va2J9LftRyQ0te+awrnbjypQAKJiJ0yPoqNTFCJZGdQSCuJOZG8
ASnJcPZRoL2J83FEJCMPZdS5Wpf0GAgHp7aEpzAFf7TEpfJA8IMsbRSlRs3ptdZtYvwKMR
K6oi/d+w3UBSdFGRpRFZlgFeVjNIp/xCz5pDGf7109C0A+QSjn4zZ3edrOjF1JPg==
Received: by filterdrecv-6576d68dbc-fxxdn with SMTP id 
filterdrecv-6576d68dbc-fxxdn-1-668475B6-1
2024-07-02 21:48:38.112531956 +0000 UTC m=+1292691.168998080
Received: from MzUyNTk2MzU (unknown)
by geopod-ismtpd-4 (SG) with HTTP
id X_mTOosARsSFXqinaxYfEw
Tue, 02 Jul 2024 21:48:38.008 +0000 (UTC)
Content-Type: multipart/mixed; 
boundary=75633f0201749d47c1ba5a273d403dbaa85162228d469a5e23d94a668c10
Date: Tue, 02 Jul 2024 21:48:38 +0000 (UTC)
From: Wasabi 
Mime-Version: 1.0
Message-ID: 
Subject: [SPAM] Wasabi Technologies LLC Invoice
Reply-To: supp...@wasabi.com
Do I need to add the return-path, i.e.:
 
## Whitelist Wasabi, subject to passing of auth
whitelist_auth supp...@wasabi.com
whitelist_auth *@mmemail.wasabi.com
?
 
Thanks.
Simon.


Re: help with ubuntu 22.04

2024-07-01 Thread Matus UHLAR - fantomas

On 29.06.24 17:07, Rick Gutierrez wrote:

Hi list, the latest version of spamassassin on Ubuntu 22.04 does not
exist or they did not create the deb package. Is there someone on the list who
has the deb package and wants to share it?


https://packages.ubuntu.com/search?keywords=spamassassin


perhaps you want to upgrade to ubuntu 24.04 LTS which has SA 4.0.0 included.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.


help with ubuntu 22.04

2024-06-29 Thread Rick Gutierrez
Hi list, the latest version of spamassassin on Ubuntu 22.04 does not
exist or they did not create the deb package. Is there someone on the list who
has the deb package and wants to share it?

Thanks for any help.

-- 
rickygm

http://gnuforever.homelinux.com


Re: ChatGPT > Spamassassin? :)

2024-06-28 Thread Marcin Mirosław

On 2024-06-25 15:55, John Hardin wrote:

On Mon, 24 Jun 2024, Mark London wrote:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like something 
that was generated using ChatGPT.  In any event,  I put the text 
through ChatGPT, and asked if it looked like spam.  At the bottom of 
this email is its analysis.  I've not been fully reading this 
group.  Has there been any work to allow Spamassassin to use AI?  
Thanks.  - Mark


In a very limited manner. There is code in the repo that allows you to 
set up ham and spam corpora and scan the spam corpora to pick out 
common phrases and filter them via the ham corpora, then create 
rules based on the phrases and (IIRC) combinations of them.


This was being used to generate dynamic fraud rulesets (the "sought" 
rules, still somewhat there as ADVANCE_FEE rules which I occasionally 
manually update) until Justin Mason left the project. It's been 
languishing since as he was providing the resources (infra and 
maintenance) to run it for those rules. I was feeding those corpora for 
a long time.


Take a look in the repo at the stuff under:

  https://svn.apache.org/viewvc/spamassassin/trunk/masses/rule-dev/

  
https://svn.apache.org/viewvc/spamassassin/trunk/masses/evolve_metarule/


I don't know whether the project would be willing to set up infra to 
revive dynamic advance fee fraud (or more general) rule generation, but 
it's possible if someone was willing to bring that code up-to-date and 
figure out what was needed and corpora providers were available.



This code still works, at least for me. I'm using my own corpora.


Sv: Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Anders Gustafsson
That is the way some email clients, say GroupWise, do it. There is an option 
to put all mail from new
receivers in the junk folder for perusal. OTOH, simple greylisting should do the 
same thing. But yes, an option
to deduct points from previously unseen senders would be useful.

-- 
Kind regards

Anders Gustafsson, engineer
anders.gustafs...@pedago.fi  |  Support +358 18 12060  |  Direct +358 9 315 45 
121  |  Mobile +358 40506 7099

Pedago interaktiv ab, Nygatan 7 B , AX-22100 MARIEHAMN, ÅLAND, FINLAND



>>> Mark London  2024-06-26 00:38 >>>
Bill - Thanks for the response.  As an aside, it would be nice (though 
impossible?) for a spam filter to be more suspicious of emails coming 
from a new email address, that is not in my Sent folder or my Inbox. 
FWIW. - Mark

On 6/25/2024 11:21 AM, Bill Cole wrote:
> Mark London 
> is rumored to have said:
>
>> I received a spam email with the text below, that wasn't caught by 
>> Spamassassin (at least mine).   The text actually looks like something 
>> that was generated using ChatGPT.  In any event,  I put the text 
>> through ChatGPT, and asked if it looked like spam.  At the bottom of 
>> this email is its analysis.  I've not been fully reading this 
>> group.  Has there been any work to allow Spamassassin to use AI?
>
> "Artificial intelligence" does not exist. It is a misnomer.
>
> Large language models like ChatGPT have a provenance problem. There's 
> no way to know why exactly the model "says" anything. In a single 
> paragraph, ChatGPT is capable of making completely and directly 
> inconsistent assertions. The only way to explain that is that despite 
> appearances, a request to answer the ham/spasm question generates text 
> with no semantic connection to the original, but which seems like an 
> explanation.
>
> SpamAssassin's code and rules all come from ASF committers, and the 
> scores are determined by examining the scan results from contributors 
> and optimizing them to a threshold of 5.0. Every scan of a message 
> results in a list of hits against documented rules. The results can be 
> analyzed and understood.
>
> We know that ChatGPT and other LLMs that are publicly available have 
> been trained on data to which they had no license. There is no way to 
> remove any particular ingested data. There's no way to know where any 
> particular LLM will have problems and no way to fix those problems. 
> This all puts them outside of the boundaries we have as an ASF 
> project. However, we do have a plugin architecture, so it is possible 
> for 3rd parties to create a plugin for LLM integration.
>
>



Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Bill Cole

On 2024-06-25 at 17:38:28 UTC-0400 (Tue, 25 Jun 2024 17:38:28 -0400)
Mark London 
is rumored to have said:

Bill - Thanks for the response.  As an aside, it would be nice 
(though impossible?) for a spam filter to be more suspicious of emails 
coming from a new email address, that is not in my Sent folder or my 
Inbox. FWIW. - Mark


Matija's mention of AWL/TxRep is correct here. While some people find it 
a nuisance when it makes one FP into an ongoing series, I think it is 
worth enabling for most sites.


However, if you do enable either of those tools, you should have a 
mechanism for  feeding FPs into both a sitewide Bayes DB and into the 
AWL/TxRep DB by using the blocklist/welcomelist options of the 
spamassassin script.





On 6/25/2024 11:21 AM, Bill Cole wrote:

Mark London 
is rumored to have said:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like 
something that was generated using ChatGPT.  In any event,  I put 
the text through ChatGPT, and asked if it looked like spam.  At the 
bottom of this email is its analysis.  I've not been fully 
reading this group.  Has there been any work to allow Spamassassin 
to use AI?


"Artificial intelligence" does not exist. It is a misnomer.

Large language models like ChatGPT have a provenance problem. There's 
no way to know why exactly the model "says" anything. In a single 
paragraph, ChatGPT is capable of making completely and directly 
inconsistent assertions. The only way to explain that is that despite 
appearances, a request to answer the ham/spasm question generates 
text with no semantic connection to the original, but which seems 
like an explanation.


SpamAssassin's code and rules all come from ASF committers, and the 
scores are determined by examining the scan results from contributors 
and optimizing them to a threshold of 5.0. Every scan of a message 
results in a list of hits against documented rules. The results can 
be analyzed and understood.


We know that ChatGPT and other LLMs that are publicly available have 
been trained on data to which they had no license. There is no way to 
remove any particular ingested data. There's no way to know where any 
particular LLM will have problems and no way to fix those problems. 
This all puts them outside of the boundaries we have as an ASF 
project. However, we do have a plugin architecture, so it is possible 
for 3rd parties to create a plugin for LLM integration.






--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Matija Nalis


On Tue, Jun 25, 2024 at 05:38:28PM -0400, Mark London wrote:
> Bill - Thanks for the response.  As an aside, it would be nice (though
> impossible?) for a spam filter to be more suspicious of emails coming from a
> new email address, that is not in my Sent folder or my Inbox. FWIW. - Mark

Something similar is accomplished by TxRep (or to a lesser degree AWL)
Spamassassin plugin.

Ideally you should use it with mailbox learning (spam/ham training), 
see https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TxRep


-- 
Opinions above are GNU-copylefted.


Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Mark London
Bill - Thanks for the response.  As an aside, it would be nice (though 
impossible?) for a spam filter to be more suspicious of emails coming 
from a new email address, that is not in my Sent folder or my Inbox. 
FWIW. - Mark


On 6/25/2024 11:21 AM, Bill Cole wrote:

Mark London 
is rumored to have said:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like something 
that was generated using ChatGPT.  In any event,  I put the text 
through ChatGPT, and asked if it looked like spam.  At the bottom of 
this email is its analysis.  I've not been fully reading this 
group.  Has there been any work to allow Spamassassin to use AI?


"Artificial intelligence" does not exist. It is a misnomer.

Large language models like ChatGPT have a provenance problem. There's 
no way to know why exactly the model "says" anything. In a single 
paragraph, ChatGPT is capable of making completely and directly 
inconsistent assertions. The only way to explain that is that despite 
appearances, a request to answer the ham/spasm question generates text 
with no semantic connection to the original, but which seems like an 
explanation.


SpamAssassin's code and rules all come from ASF committers, and the 
scores are determined by examining the scan results from contributors 
and optimizing them to a threshold of 5.0. Every scan of a message 
results in a list of hits against documented rules. The results can be 
analyzed and understood.


We know that ChatGPT and other LLMs that are publicly available have 
been trained on data to which they had no license. There is no way to 
remove any particular ingested data. There's no way to know where any 
particular LLM will have problems and no way to fix those problems. 
This all puts them outside of the boundaries we have as an ASF 
project. However, we do have a plugin architecture, so it is possible 
for 3rd parties to create a plugin for LLM integration.







Re: ChatGPT > Spamassassin? :) -- move along, this is not the reply you are looking for.

2024-06-25 Thread Grant Taylor via users

On 6/25/24 12:21 PM, Adam Bowen wrote:
I asked a well known chatbot: What would Bill Cole say if he was asked 
about integrating AI into spamassassin?


LOL

I needed that laugh.

Thank you Adam.




--
Grant. . . .
unix || die



Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Adam Bowen

On 25/06/2024 16:21, Bill Cole wrote:

On 2024-06-24 at 17:18:11 UTC-0400 (Mon, 24 Jun 2024 17:18:11 -0400)
Mark London 
is rumored to have said:

I received a spam email with the text below, that wasn't caught by 
Spamassassin (at least mine).   The text actually looks like something 
that was generated using ChatGPT.  In any event,  I put the text 
through ChatGPT, and asked if it looked like spam.  At the bottom of 
this email is its analysis.  I've not been fully reading this 
group.  Has there been any work to allow Spamassassin to use AI?


"Artificial intelligence" does not exist. It is a misnomer.

Large language models like ChatGPT have a provenance problem. There's 
no way to know why exactly the model "says" anything. In a single 
paragraph, ChatGPT is capable of making completely and directly 
inconsistent assertions. The only way to explain that is that despite 
appearances, a request to answer the ham/spasm question generates text 
with no semantic connection to the original, but which seems like an 
explanation.


SpamAssassin's code and rules all come from ASF committers, and the 
scores are determined by examining the scan results from contributors 
and optimizing them to a threshold of 5.0. Every scan of a message 
results in a list of hits against documented rules. The results can be 
analyzed and understood.


We know that ChatGPT and other LLMs that are publicly available have 
been trained on data to which they had no license. There is no way to 
remove any particular ingested data. There's no way to know where any 
particular LLM will have problems and no way to fix those problems. 
This all puts them outside of the boundaries we have as an ASF 
project. However, we do have a plugin architecture, so it is possible 
for 3rd parties to create a plugin for LLM integration.


I asked a well known chatbot: What would Bill Cole say if he was asked 
about integrating AI into spamassassin?


Bill Cole, the maintainer of SpamAssassin, is likely to be 
enthusiastic about the potential of AI to improve spam detection.


Here's what he might say:

* Improved Spam Filtering: AI could be used to analyze spam emails 
with greater accuracy than traditional rule-based methods. 
SpamAssassin currently relies on matching email content to predefined 
rules, but AI could identify spam based on subtler cues like phrasing, 
sender behavior, and content structure.


* Adapting to Evolving Threats: Spammers constantly develop new 
tactics to bypass filters. AI can learn and adapt to these evolving 
threats much faster than manually updating rules.


* Mitigating False Positives: AI could help reduce the number of 
legitimate emails mistakenly flagged as spam (false positives). This 
is a major concern for SpamAssassin users.


However, Bill Cole might also mention some challenges:

* Training Data Bias: The effectiveness of AI depends on the quality 
and balance of training data. Biases in the training data could lead 
to the AI disproportionately flagging certain types of emails as spam.
* Transparency and Explainability: It can be difficult to understand 
how AI systems arrive at their decisions. This lack of transparency 
could make it hard to debug errors or identify potential biases.
* Computational Cost: Training and running AI models can require 
significant computational resources, which might not be feasible for 
all SpamAssassin users.


Overall, Bill Cole would likely be cautiously optimistic about the 
potential of AI to improve SpamAssassin. He would acknowledge the 
potential benefits but also highlight the challenges that need to be 
addressed.



:)


Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Bill Cole

On 2024-06-24 at 17:18:11 UTC-0400 (Mon, 24 Jun 2024 17:18:11 -0400)
Mark London 
is rumored to have said:

I received a spam email with the text below, that wasn't caught by 
SpamAssassin (at least mine).  The text actually looks like something 
that was generated using ChatGPT.  In any event, I put the text 
through ChatGPT, and asked if it looked like spam.  At the bottom of 
this email, is its analysis.  I've not been fully reading this 
group.  Has there been any work to allow SpamAssassin to use AI?


"Artificial intelligence" does not exist. It is a misnomer.

Large language models like ChatGPT have a provenance problem. There's no 
way to know why exactly the model "says" anything. In a single 
paragraph, ChatGPT is capable of making completely and directly 
inconsistent assertions. The only way to explain that is that despite 
appearances, a request to answer the ham/spam question generates text 
with no semantic connection to the original, but which seems like an 
explanation.


SpamAssassin's code and rules all come from ASF committers, and the 
scores are determined by examining the scan results from contributors 
and optimizing them to a threshold of 5.0. Every scan of a message 
results in a list of hits against documented rules. The results can be 
analyzed and understood.


We know that ChatGPT and other LLMs that are publicly available have 
been trained on data to which they had no license. There is no way to 
remove any particular ingested data. There's no way to know where any 
particular LLM will have problems and no way to fix those problems. This 
all puts them outside of the boundaries we have as an ASF project. 
However, we do have a plugin architecture, so it is possible for 3rd 
parties to create a plugin for LLM integration.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread John Hardin

On Mon, 24 Jun 2024, Mark London wrote:

I received a spam email with the text below, that wasn't caught by 
SpamAssassin (at least mine).  The text actually looks like something that 
was generated using ChatGPT.  In any event, I put the text through ChatGPT, 
and asked if it looked like spam.  At the bottom of this email, is its 
analysis.  I've not been fully reading this group.  Has there been any work 
to allow SpamAssassin to use AI?  Thanks.  - Mark


In a very limited manner. There is code in the repo that allows you to set 
up ham and spam corpora and scan the spam corpora to pick out common 
phrases and filter them via the ham corpora, then create rules based on 
the phrases and (IIRC) combinations of them.


This was being used to generate dynamic fraud rulesets (the "sought" 
rules, still somewhat there as ADVANCE_FEE rules which I occasionally 
manually update) until Justin Mason left the project. It's been 
languishing since as he was providing the resources (infra and 
maintenance) to run it for those rules. I was feeding those corpora for a 
long time.


Take a look in the repo at the stuff under:

  https://svn.apache.org/viewvc/spamassassin/trunk/masses/rule-dev/

  https://svn.apache.org/viewvc/spamassassin/trunk/masses/evolve_metarule/

I don't know whether the project would be willing to set up infra to 
revive dynamic advance fee fraud (or more general) rule generation, but 
it's possible if someone was willing to bring that code up-to-date and 
figure out what was needed and corpora providers were available.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 9 days until the 248th anniversary of the Declaration of Independence
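The corpus-driven phrase extraction John describes, written out as an added example. This is not the masses/rule-dev code from the SpamAssassin repository; it is a small stand-alone implementation of the idea: find word n-grams that recur across a spam corpus and never occur in a ham corpus, merge overlapping hits into maximal phrases, and emit body rules in local.cf syntax. The two corpora are constructed sample lines modelled on the message quoted in this thread, the LOCAL_SOUGHT rule prefix is an arbitrary choice, and the merge heuristic is this example's own, not the project's.

```python
"""Corpus-driven phrase rules, in the spirit of the 'sought' rules described above.

Added example, not the SpamAssassin masses/rule-dev code. Corpora are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Sequence

# Constructed corpora, modelled on the advance-fee message quoted in this thread.
SPAM_CORPUS = [
    "Consider this letter your golden ticket to a brighter future. "
    "You've been selected as the recipient of a generous donation.",
    "Kindly provide your full name and address and I will guide you on how to receive this donation.",
    "You have been selected as the recipient of a generous donation from our foundation. "
    "Kindly provide your full name and address.",
    "Dear Friend, this is your golden ticket. Kindly provide your full name and address to receive this donation.",
]
HAM_CORPUS = [
    "Please provide your full name on the registration form so we can print the badge.",
    "The donation receipt for your full name and address is attached for tax purposes.",
    "Meeting moved to 3pm, see the updated calendar invite.",
]

WORD_RE = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> List[str]:
    return WORD_RE.findall(text.lower())


def ngrams(words: Sequence[str], sizes: Sequence[int]) -> List[str]:
    return [" ".join(words[i:i + n]) for n in sizes for i in range(len(words) - n + 1)]


def doc_sets(corpus: Sequence[str], sizes: Sequence[int]) -> Dict[str, FrozenSet[int]]:
    """Map each n-gram to the set of document indices that contain it (document frequency)."""
    hits: Dict[str, set] = defaultdict(set)
    for idx, text in enumerate(corpus):
        for gram in ngrams(tokenize(text), sizes):
            hits[gram].add(idx)
    return {gram: frozenset(docs) for gram, docs in hits.items()}


def contains_phrase(words: Sequence[str], phrase: str) -> bool:
    return f" {phrase} " in f" {' '.join(words)} "


def select_phrases(spam: Sequence[str], ham: Sequence[str],
                   min_spam_docs: int = 2, sizes: Sequence[int] = (3, 4, 5)) -> Dict[str, int]:
    """Phrases seen in at least min_spam_docs spam documents and in no ham document,
    with overlapping n-grams merged into the longest span shared by the same documents."""
    spam_sets = doc_sets(spam, sizes)
    ham_grams = set(doc_sets(ham, sizes))
    groups: Dict[FrozenSet[int], List[str]] = defaultdict(list)
    for gram, docs in spam_sets.items():
        if len(docs) >= min_spam_docs and gram not in ham_grams:
            groups[docs].append(gram)  # group candidates by the exact set of spam docs

    spam_words = [tokenize(text) for text in spam]
    phrases: Dict[str, int] = {}
    for docs, grams in groups.items():
        rep = spam_words[min(docs)]           # one representative document of the group
        covered = [False] * len(rep)
        for gram in grams:
            n = len(gram.split())
            for i in range(len(rep) - n + 1):
                if " ".join(rep[i:i + n]) == gram:
                    covered[i:i + n] = [True] * n
        start = None
        for pos in range(len(rep) + 1):       # maximal covered runs are the merged phrases
            if pos < len(rep) and covered[pos]:
                if start is None:
                    start = pos
            elif start is not None:
                run = " ".join(rep[start:pos])
                start = None
                if all(contains_phrase(spam_words[d], run) for d in docs):
                    phrases[run] = len(docs)
                else:                         # run not shared whole: fall back to its n-grams
                    for gram in grams:
                        if contains_phrase(run.split(), gram):
                            phrases[gram] = len(docs)
    return phrases


def to_sa_rules(phrases: Dict[str, int], prefix: str = "LOCAL_SOUGHT", score: float = 1.0) -> str:
    """Emit body rules in local.cf syntax, most widely shared phrase first."""
    order = sorted(phrases, key=lambda p: (-phrases[p], -len(p), p))
    lines = []
    for k, phrase in enumerate(order, 1):
        name = f"{prefix}_{k:04d}"
        regex = r"\s+".join(re.escape(word) for word in phrase.split())
        lines.append(f"body     {name}  /\\b{regex}\\b/i")
        lines.append(f"describe {name}  Seen in {phrases[phrase]} spam samples, never in ham: {phrase}")
        lines.append(f"score    {name}  {score:.1f}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_sa_rules(select_phrases(SPAM_CORPUS, HAM_CORPUS)))
```

The output is a .cf fragment, which SA picks up from /etc/mail/spamassassin as Kenneth notes further down in this digest. With four spam lines the ham filter already removes "provide your full name" and "your full name and address" because they occur in legitimate mail, which is the whole point of running the candidates through a ham corpus; in real use the corpora need to be large and the ham side held out to estimate the false-positive rate before any phrase gets a non-trivial score.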


Re: ChatGPT > Spamassassin? :)

2024-06-24 Thread jarland
I'm very interested in the concept. I imagine you'd need to have a 
locally running LLM rather than using an API, both for concerns of 
privacy and performance. Even if not SpamAssassin, I'd love to find 
anyone's open source implementation of AI for spam filtering.


On 2024-06-24 16:18, Mark London wrote:

I received a spam email with the text below, that wasn't caught by
SpamAssassin (at least mine).  The text actually looks like something
that was generated using ChatGPT.  In any event, I put the text
through ChatGPT, and asked if it looked like spam.  At the bottom of
this email, is its analysis.  I've not been fully reading this
group.  Has there been any work to allow SpamAssassin to use AI?
Thanks.  - Mark

-

From: Jeff Rothschild 

Subject: From a dreamer!

Date: June 22, 2024 at 18:50:03 EDT

To: YOU 
 Reply-To: orangebluem...@naver.com

Dear Friend,

I hope this letter finds you well, surrounded by the warmth of loved
ones and the promise of a new day. My name is Jeff Rothschild, and I
am writing to you today with a heart full of excitement and a vision
for a different kind of philanthropy.

Below is a profile of me:
www.forbes.com/profile/jeff-rothschild/?sh=457d14d2c87a [1]

For many years, I have dedicated myself to supporting various
charities and causes that are dear to my heart. While I am proud of
the impact we have made together, I have come to realize that there is
more to giving than simply writing a check.

Recently, I had a dream—a vivid, inspiring dream that left me with a
sense of clarity and purpose. In that dream, I saw the faces of
ordinary people like you and me, each with their own hopes, dreams,
and struggles. And in that moment, I knew that I needed to be more
personal with my giving, to touch lives in a way that has never been
done before.

That is why I am reaching out to you today, not as a distant
benefactor, but as a fellow traveler on this journey we call life. I
want to invite you to be a part of something truly special, something
that goes beyond traditional philanthropy and connects us on a deeper,
more personal level.

Consider this letter your golden ticket to a brighter future. You've
been selected as the recipient of a generous donation from me., This
is my appreciation for your presence in this world. But this gift is
more than just a material offering; it is an invitation to join me in
a shared mission of compassion, empathy, and human connection.

Together, we can make a difference in the lives of ordinary people in
ways that are both meaningful and profound. Whether it's lending a
listening ear to a friend in need, offering a helping hand to a
neighbor facing adversity, or simply sharing a smile with a stranger,
every act of kindness has the power to create ripple effects of love
and positivity.

So please, accept this gift with an open heart and know that it comes
with no expectations or obligations. Consider it a gesture of
friendship, a symbol of our shared humanity, and a catalyst for the
extraordinary things we can achieve when we come together with purpose
and passion.

Kindly provide your full name and address, and I will guide you on how
to receive this donation..

Thank you for being a part of this journey with me. May our shared
vision of a kinder, more compassionate world inspire us to take bold
action and spread love wherever we go.

With warmest regards,

Jeff Rothschild

--

The email you received raises several red flags that suggest it might
be spam or a phishing attempt. Here are key indicators:

* Unexpected Generosity: Receiving an unsolicited offer of money from a
stranger, especially someone claiming to be a well-known
philanthropist, is highly unusual and a common tactic in scams.

* Emotional Appeal: The email uses a highly emotional and inspirational
tone, which is often employed to lower the recipient's guard and
elicit a positive response.

* Request for Personal Information: The email asks for your full name
and address, which can be used for identity theft or other malicious
purposes.

* Generic Greeting: The email addresses you as "Dear Friend" rather than
using your name, indicating it could be sent to a large number of
recipients.

* Vague and Grandiose Claims: The email makes grand claims about
personal philanthropy without providing specific details or a clear
rationale for why you were chosen.

* Suspicious Link: While the email includes a link to a legitimate
profile on Forbes, this could be a tactic to add credibility to the
scam. Scammers often use real profiles to appear legitimate, but this
doesn't verify the authenticity of the email.

* No Verification Method: There's no way to independently 

Re: BayesStore MariaDB on EL9

2024-06-24 Thread Lucas Rolff
If you're running almalinux, then report it to almalinux, they can usually 
patch things faster than RedHat can.

Sent from Outlook for iOS

From: Gerald Vogt 
Sent: Monday, June 24, 2024 9:59:35 AM
To: users@spamassassin.apache.org 
Subject: Re: BayesStore MariaDB on EL9

Hi,

for your information and anyone who comes across this problem: I have
opened an issue with RedHat.

https://issues.redhat.com/browse/RHEL-43418

It probably will be backported, but may take some time, maybe in 9.5 or
possibly later.

We'll see...

Regards,

Gerald

On 19.06.24 08:41, Gerald Vogt wrote:
> On 18.06.24 22:23, Bill Cole wrote:
>> On 2024-06-18 at 14:58:15 UTC-0400 (Tue, 18 Jun 2024 20:58:15 +0200)
>> Gerald Vogt 
>> is rumored to have said:
>>
>>> Hi,
>>>
>>> for a test, I have increased the column length of token to binary(32)
>>> and used a test file to import containing a single token.
>>>
>>> This time it went through. However, as I suspected, the token length
>>> is not 5 byte. Token line from backup:
>>>
>>> t    1    0    1718024618    027121926a
>>>
>>> Hex representation of content in database:
>>>
>>> MariaDB [spamassassin]> select hex(token) from bayes_token\G
>>> *** 1. row ***
>>> hex(token):
>>> 027121C2926A
>>> 1 row in set (0.000 sec)
>>>
>>> Compared:
>>>
>>> Original 02 71 21    92 6a
>>> Database 02 71 21 C2 92 6A
>>>
>>> C2 92 is the UTF-8 encoding of U+0092, thus basically the token is
>>> written in UTF-8 into the database.
>>
>> That's odd... What is the character set of the database?
>
> It is standard DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci
> just like the table.
>
>>> Running sa-learn with DBI_TRACE=2 I can also see that it looks like
>>> it actually has the UTF-8 encoding already in there during parameter
>>> binding:
>>>
>>> Binding parameters: INSERT INTO bayes_token
>>>(id, token, spam_count, ham_count, atime)
>>>VALUES ('43','^Bq!j','1','0','1718024618')
>>>ON DUPLICATE KEY UPDATE spam_count =
>>> GREATEST(spam_count + '1', 0),
>>>ham_count = GREATEST(ham_count
>>> + '0', 0),
>>>atime = GREATEST(atime,
>>> '1718024618')
>>>
>>> Thus, I would say it's not an issue with the database.
>>>
>>> Any idea?
>>>
>>> Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.
>>
>> First: upgrade to 4.0.1
>
> Well, it's the RHEL packaged version. I don't really want to upgrade to
> a manually handled version.
>
>> There were substantial changes in how encoding was handled between
>> 3.4.6 and 4.0, and there is a substantial likelihood that any problem
>> with encoding would not occur in 4.0 or later.
>
> Yes, you are right. It works with 4.0.1.
>
> I have looked into the source code and the reason became obvious pretty
> quickly, e.g. the part in _put_token in 3.4.6
>
> https://github.com/apache/spamassassin/blob/4a1fe99da9296364be0c50f02d2a73b5af74207a/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L827
>
> compared with this in trunk
>
> https://github.com/apache/spamassassin/blob/8307bb22a7709125ab0f8e94fb7a271461944f61/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L997
>
> 4.0 does specifically tag the token as BINARY while default is VARCHAR I
> think. Thus, it automatically encodes it.
>
> This was added in
>
> https://github.com/apache/spamassassin/commit/3dd8ea4ff51d50a72212ac8cbb2f6f8d443c3489
>
> I'll open a bug with redhat and see if they either upgrade spamassassin
> in EL9 or backport something into 3.4.6.
>
> Just for the fun of it, I have replaced the packaged file with the 4.0.1
> MySQL.pm file and then it works. Looking at the commit and the commit
> history after, I think the 4.0.1 MySQL.pm should work just fine in 3.4.6.
>
> Anyway, we'll see what RedHat does about this.
>
> Thanks a lot!
>
> Regards,
>
> Gerald



Re: BayesStore MariaDB on EL9

2024-06-24 Thread Gerald Vogt

Hi,

for your information and anyone who comes across this problem: I have 
opened an issue with RedHat.


https://issues.redhat.com/browse/RHEL-43418

It probably will be backported, but may take some time, maybe in 9.5 or 
possibly later.


We'll see...

Regards,

Gerald

On 19.06.24 08:41, Gerald Vogt wrote:
> On 18.06.24 22:23, Bill Cole wrote:
>> On 2024-06-18 at 14:58:15 UTC-0400 (Tue, 18 Jun 2024 20:58:15 +0200)
>> Gerald Vogt 
>> is rumored to have said:
>>
>>> Hi,
>>>
>>> for a test, I have increased the column length of token to binary(32) 
>>> and used a test file to import containing a single token.
>>>
>>> This time it went through. However, as I suspected, the token length 
>>> is not 5 byte. Token line from backup:
>>>
>>> t    1    0    1718024618    027121926a
>>>
>>> Hex representation of content in database:
>>>
>>> MariaDB [spamassassin]> select hex(token) from bayes_token\G
>>> *** 1. row ***
>>> hex(token): 027121C2926A
>>> 1 row in set (0.000 sec)
>>>
>>> Compared:
>>>
>>> Original 02 71 21    92 6a
>>> Database 02 71 21 C2 92 6A
>>>
>>> C2 92 is the UTF-8 encoding of U+0092, thus basically the token is 
>>> written in UTF-8 into the database.
>>
>> That's odd... What is the character set of the database?
>
> It is standard DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci 
> just like the table.
>
>>> Running sa-learn with DBI_TRACE=2 I can also see that it looks like 
>>> it actually has the UTF-8 encoding already in there during parameter 
>>> binding:
>>>
>>> Binding parameters: INSERT INTO bayes_token
>>>    (id, token, spam_count, ham_count, atime)
>>>    VALUES ('43','^Bq!j','1','0','1718024618')
>>>    ON DUPLICATE KEY UPDATE spam_count = 
>>> GREATEST(spam_count + '1', 0),
>>>    ham_count = GREATEST(ham_count 
>>> + '0', 0),
>>>    atime = GREATEST(atime, 
>>> '1718024618')
>>>
>>> Thus, I would say it's not an issue with the database.
>>>
>>> Any idea?
>>>
>>> Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.
>>
>> First: upgrade to 4.0.1
>
> Well, it's the RHEL packaged version. I don't really want to upgrade to 
> a manually handled version.
>
>> There were substantial changes in how encoding was handled between 
>> 3.4.6 and 4.0, and there is a substantial likelihood that any problem 
>> with encoding would not occur in 4.0 or later.
>
> Yes, you are right. It works with 4.0.1.
>
> I have looked into the source code and the reason became obvious pretty 
> quickly, e.g. the part in _put_token in 3.4.6
>
> https://github.com/apache/spamassassin/blob/4a1fe99da9296364be0c50f02d2a73b5af74207a/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L827
>
> compared with this in trunk
>
> https://github.com/apache/spamassassin/blob/8307bb22a7709125ab0f8e94fb7a271461944f61/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L997
>
> 4.0 does specifically tag the token as BINARY while default is VARCHAR I 
> think. Thus, it automatically encodes it.
>
> This was added in
>
> https://github.com/apache/spamassassin/commit/3dd8ea4ff51d50a72212ac8cbb2f6f8d443c3489
>
> I'll open a bug with redhat and see if they either upgrade spamassassin 
> in EL9 or backport something into 3.4.6.
>
> Just for the fun of it, I have replaced the packaged file with the 4.0.1 
> MySQL.pm file and then it works. Looking at the commit and the commit 
> history after, I think the 4.0.1 MySQL.pm should work just fine in 3.4.6.
>
> Anyway, we'll see what RedHat does about this.
>
> Thanks a lot!
>
> Regards,
>
> Gerald
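The 02 71 21 92 6a to 02 71 21 C2 92 6A expansion Gerald observed, reproduced and turned into an audit helper as an added example. This is not SpamAssassin or DBD::mysql code; it models the two code paths the thread identifies (a text-typed parameter whose Latin-1 bytes get re-encoded as UTF-8, versus a BINARY-typed parameter stored byte for byte) and shows how to recognise and reverse the double encoding in rows dumped with `select hex(token)`. The first row in SAMPLE_ROWS is the one from the thread; the other three are constructed.

```python
"""Reproduce, detect and repair the Bayes token double-encoding discussed in this thread.

Added example, not SpamAssassin code. Only the 027121C2926A row comes from the thread.
"""
from typing import List, Optional, Tuple

TOKEN_LEN = 5  # a SpamAssassin Bayes token is 5 raw bytes

# Constructed hex(token) rows as `select hex(token) from bayes_token` prints them;
# the first is the row posted in the thread, the other three are made up.
SAMPLE_ROWS = ["027121C2926A", "0102030405", "C3A9C2A0C3BF4142", "FFFE01"]


def store_as_text(token: bytes) -> bytes:
    """Model of the 3.4.6 path: the 5 bytes are read as Latin-1 characters and the
    driver re-encodes the string as UTF-8, so every byte >= 0x80 becomes two bytes."""
    return token.decode("latin-1").encode("utf-8")


def store_as_binary(token: bytes) -> bytes:
    """Model of the 4.0 path: a BINARY-typed parameter reaches the table unchanged."""
    return bytes(token)


def repair(stored: bytes) -> Optional[bytes]:
    """Undo the double encoding. Returns None when the bytes are not the UTF-8 form of
    exactly 5 Latin-1 characters, i.e. not something this bug could have produced."""
    if len(stored) == TOKEN_LEN:
        return stored  # a 5-byte row is a raw token; both paths store bytes < 0x80 identically
    try:
        chars = stored.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if len(chars) != TOKEN_LEN or any(ord(c) > 0xFF for c in chars):
        return None
    return chars.encode("latin-1")


def is_double_encoded(stored: bytes) -> bool:
    return len(stored) != TOKEN_LEN and repair(stored) is not None


def audit(hex_rows: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify dumped rows as ok, double-encoded (with the repaired hex) or corrupt."""
    report: List[Tuple[str, str, Optional[str]]] = []
    for row in hex_rows:
        raw = bytes.fromhex(row)
        if len(raw) == TOKEN_LEN:
            report.append((row, "ok", row.upper()))
            continue
        fixed = repair(raw)
        status = "double-encoded" if fixed is not None else "corrupt"
        report.append((row, status, fixed.hex().upper() if fixed is not None else None))
    return report


if __name__ == "__main__":
    token = bytes.fromhex("027121926a")
    print("text-typed binding:  ", store_as_text(token).hex().upper())    # 027121C2926A
    print("binary-typed binding:", store_as_binary(token).hex().upper())  # 027121926A
    for row, status, fixed in audit(SAMPLE_ROWS):
        print(f"{row:<18} {status:<15} {fixed}")
```

Because the length of a raw token is fixed, the check is unambiguous: a 5-byte row is a raw token, and any longer row that decodes as exactly five Latin-1 characters is the re-encoded form. As Gerald's test shows, the insert into the stock binary(5) column fails rather than storing the longer value, so the repair path matters only where the column was widened, as in his binary(32) experiment.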




Re: Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired

2024-06-24 Thread giovanni

On 6/23/24 10:26 PM, Larry Nedry via users wrote:

On 7/21/23 9:10 AM, Giovanni Bechis wrote:

Hi,
phishstats[.]info domain has recently moved to a parking domain, if you are using 
Mail::SpamAssassin::Plugin::Phishing plugin with data downloaded from PhishStats[.]info 
it would be better to comment out the "phishing_phishstats_feed" configuration line.
If PhishStats[.]info will not find a new home I am going to remove the relevant 
code from the plugin.

 Regards
  Giovanni


Did you remove the relevant code for PhishStats?


Yes, I've removed the code; now PhishStats is back and the code has been restored 
after the 4.0.1 release.
 Giovanni





Re: Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired

2024-06-23 Thread Larry Nedry via users

On 7/21/23 9:10 AM, Giovanni Bechis wrote:

Hi,
phishstats[.]info domain has recently moved to a parking domain, if 
you are using Mail::SpamAssassin::Plugin::Phishing plugin with data 
downloaded from PhishStats[.]info it would be better to comment out the 
"phishing_phishstats_feed" configuration line.
If PhishStats[.]info will not find a new home I am going to remove the 
relevant code from the plugin.


 Regards
  Giovanni


Did you remove the relevant code for PhishStats?

Regards,
Larry


Re: Questions about spamassassin

2024-06-22 Thread Matus UHLAR - fantomas

Paul Schmehl skrev den 2024-06-21 01:17:


bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes


On 22.06.24 16:30, Benny Pedersen wrote:

this needs spamd running as root :/


according to OP mail the directory is owned by spamd user

https://marc.info/?l=spamassassin-users=171891451702472=2


bayes_path ~/.spamassassin/bayes

path is not a file, just a dir


it's a path + filename prefix 
so the setting is correct.


I however prefer using /var, like in debian:

debian-spamd:x:114:114::/var/lib/spamassassin:/bin/sh

drwx------ 2 debian-spamd debian-spamd 4096 Jun 22 02:13 
/var/lib/spamassassin/.spamassassin/

YMMV of course


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.


Re: Questions about spamassassin

2024-06-22 Thread Benny Pedersen

Paul Schmehl skrev den 2024-06-21 01:17:


bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes


this needs spamd running as root :/

bayes_path ~/.spamassassin/bayes

path is not a file, just a dir

expanded without ~ it is in gentoo /var/lib/spamd

this supports any system user, spamd homedir included

id spamd
uid=998(spamd) gid=337(spamd) groups=337(spamd),333(amavis)

grep spamd /etc/passwd
spamd:x:998:337:User for the SpamAssassin 
daemon:/var/lib/spamd:/sbin/nologin


hope it helps, else ask



Re: Question about sa-updates

2024-06-22 Thread Benny Pedersen

Paul Schmehl skrev den 2024-06-22 07:44:


It’s not clear to me from your answer. Does SA read rules in both
places?


it evaluates the sa-update rules first, then the host rules later


Or only in /etc/mail/spamassassin/?


these are the host rules, you define all global configs here, and they will 
never be overridden by sa-update


add rules to userprefs.cf in the same place as local.cf is, score userprefs 
rules with a nearly zero score, but not zero 0, why this?


if done this way scores can be changed in ldap/sql per user, even in 
$HOME/.spamassassin/user_prefs


for more help, I need more info :=)



Re: Question about sa-updates

2024-06-22 Thread David B Funk

On Sat, 22 Jun 2024, Paul Schmehl wrote:


  On Jun 22, 2024, at 12:28 AM, Kenneth Porter  
wrote:

On 6/21/2024 8:56 PM, Paul Schmehl wrote:
  I scratched my head, then looked up the man page for sa-update on the 
web. Sure enough, that’s where the rules
  go. Is that where my local.cf file should be located? Right now it’s in 
/etc/mail/spamassassin. There’s a default
  local.cf file in /var/lib/…..


/var/lib/spamassassin is where channels put their rules. /etc/mail/spamassassin 
is where the host admin puts her
customizations. I like to use separate files for different policies, named 
after each effect I'm trying to get. SA will load
anything there with a .cf extension.

It’s not clear to me from your answer. Does SA read rules in both places? Or 
only in /etc/mail/spamassassin/? 



Reading the "man" page documentation for spamassassin, it lists several 
different directories that SA looks for its config files in and the order that 
it reads them from.


The possible directories are distro and version specific so you need to read the 
docs for your specific instance.



--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Question about sa-updates

2024-06-21 Thread Paul Schmehl
> On Jun 22, 2024, at 12:28 AM, Kenneth Porter  wrote:
> 
> On 6/21/2024 8:56 PM, Paul Schmehl wrote:
>> I scratched my head, then looked up the man page for sa-update on the web. 
>> Sure enough, that’s where the rules go. Is that where my local.cf file 
>> should be located? Right now it’s in /etc/mail/spamassassin. There’s a 
>> default local.cf file in /var/lib/…..
> 
> /var/lib/spamassassin is where channels put their rules. 
> /etc/mail/spamassassin is where the host admin puts her customizations. I 
> like to use separate files for different policies, named after each effect 
> I'm trying to get. SA will load anything there with a .cf extension.
> 
> It’s not clear to me from your answer. Does SA read rules in both places? Or 
> only in /etc/mail/spamassassin/? 

Paul Schmehl
paul.schm...@gmail.com


Re: Question about sa-updates

2024-06-21 Thread Kenneth Porter

On 6/21/2024 8:56 PM, Paul Schmehl wrote:
I scratched my head, then looked up the man page for sa-update on the 
web. Sure enough, that’s where the rules go. Is that where my local.cf 
file should be located? Right now it’s in /etc/mail/spamassassin. 
There’s a default local.cf file in /var/lib/…..


/var/lib/spamassassin is where channels put their rules. 
/etc/mail/spamassassin is where the host admin puts her customizations. 
I like to use separate files for different policies, named after each 
effect I'm trying to get. SA will load anything there with a .cf extension.





Question about sa-updates

2024-06-21 Thread Paul Schmehl
I just ran sa-updates. Then I looked in /etc/mail/spamassassin to see if the 
rules had been updated, and none of them had today’s date on them.

So, I downloaded the tar file, unzipped it, and searched for one of the files. 
I found them in /var/lib/spamassassin/….

I scratched my head, then looked up the man page for sa-update on the web. Sure 
enough, that’s where the rules go. Is that where my local.cf file should be 
located? Right now it’s in /etc/mail/spamassassin. There’s a default local.cf 
file in /var/lib/…..

Paul Schmehl
paul.schm...@gmail.com





Re: Questions about spamassassin

2024-06-21 Thread Paul Schmehl
> On Jun 21, 2024, at 8:24 AM, Bill Cole 
>  wrote:
> 
> On 2024-06-20 at 19:17:19 UTC-0400 (Thu, 20 Jun 2024 18:17:19 -0500)
> Paul Schmehl 
> is rumored to have said:
> 
>> Here’s every line with bayes_ in it:
>> bayes_#auto_learn 1
>> bayes_learn_to_journal 1
>> bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes
>> bayes_file_mode 0775
>> bayes_ignore_header ReSent-Date
>> bayes_ignore_header ReSent-From
>> bayes_ignore_header ReSent-Message-ID
>> bayes_ignore_header ReSent-Subject
>> bayes_ignore_header ReSent-To
>> bayes_ignore_header Resent-Date
>> bayes_ignore_header Resent-From
>> bayes_ignore_header Resent-Message-ID
>> bayes_ignore_header Resent-Subject
>> bayes_ignore_header Resent-To
>> 
>> I think that first line looks problematic.
> 
> I agree. The spurious # would generate precisely the error message you got.

Fixing that resolved the problem. It’s funny how you can look at config files 
and not even notice problems. Yet, one post in the mailing list and I spotted it.

Thanks for your help.

Paul Schmehl
paul.schm...@gmail.com


Re: MSGID_BELONGS_RECIPIENT and DKIMWL

2024-06-21 Thread Alex
Kris, thanks so much for the direction. It was enough for me to investigate
and make some changes. I hadn't realized I still had Paul Stead's rules
locally as well as updated rules in SA proper.

Thanks,
Alex

On Thu, Jun 20, 2024 at 11:23 AM Kris Deugau  wrote:

> Alex wrote:
> > Hi,
> >
> > I had an obit email very unfortunately get tagged as spam for what
> > appears to be the result of a few DKIMWL rules and
> MSGID_BELONGS_RECIPIENT.
> >
> >   *  1.0 DKIMWL_BULKMAILER_LOW ASKDNS: DKIMwl.org - Low scoring
> bulkmailer
> >   *  [tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org
> >  A:127.0.2.1]
>
> Not a stock rule.
>
>
> >   *  1.5 DKIMWL_BL ASKDNS: DKIMwl.org - Low trust sender
> >   *  [tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org
> >  A:127.0.2.1]
>
> The lookup result looks to have shifted somewhat from "low" to "low-med":
>
> $ host tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org
> tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org has address 127.0.2.2
>
> however it looks likely you've redefined the rule, so it's not behaving
> as per stock or per DKIMwl.org's usage guidelines: http://dkimwl.org/usage
> .
>
> The stock version of this rule should only match results ending in .0.
>
>
> >   *  1.0 MSGID_BELONGS_RECIPIENT Message-ID domain belongs to recipient
>
> Also not a stock rule.  It's difficult to tell with the redactions in
> the pastebin, but it also appears to be misfiring.  You'll have to post
> unredacted headers along with the rule details for specific help.
>
>
> > How reliable are the DKIMWL_ rules? They seem to hit a lot of ham,
>
> That's the intention.  They're to help otherwise legitimate senders that
> may send spammier content still get through.
>
> I've scored them to an advisory -0.001 locally, as I had a few too many
> cases of outright abuse of an otherwise fairly clean platform to send
> scams.  It's been easier to deal with the resulting occasional false
> positive one at a time instead.
>
> -kgd
>


Re: Questions about spamassassin

2024-06-21 Thread Bill Cole
On 2024-06-20 at 19:17:19 UTC-0400 (Thu, 20 Jun 2024 18:17:19 -0500)
Paul Schmehl 
is rumored to have said:

> Here’s every line with bayes_ in it:
> bayes_#auto_learn 1
> bayes_learn_to_journal 1
> bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes
> bayes_file_mode 0775
> bayes_ignore_header ReSent-Date
> bayes_ignore_header ReSent-From
> bayes_ignore_header ReSent-Message-ID
> bayes_ignore_header ReSent-Subject
> bayes_ignore_header ReSent-To
> bayes_ignore_header Resent-Date
> bayes_ignore_header Resent-From
> bayes_ignore_header Resent-Message-ID
> bayes_ignore_header Resent-Subject
> bayes_ignore_header Resent-To
>
> I think that first line looks problematic.

I agree. The spurious # would generate precisely the error message you got.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Questions about spamassassin

2024-06-20 Thread Paul Schmehl
> On Jun 20, 2024, at 6:05 PM, Bill Cole 
>  wrote:
> 
> On 2024-06-20 at 16:14:47 UTC-0400 (Thu, 20 Jun 2024 15:14:47 -0500)
> Paul Schmehl mailto:paul.schm...@gmail.com>>
> is rumored to have said:
> 
>> I’m running spamassassin (SA) 3.4, postfix 3.9.0-1, and dovecot 2.2.36-8 on 
>> a linux server. I have some questions about SA that I can’t seem to find 
>> answers for on the web.
>> 
>> The SA conf files are /etc/mail/spamassassin. The bayes files are in 
>> /usr/local/etc/mail/spamassassin/bayes.
>> 
>> I’m running spamd as the content_filter in postfix. spamassassin unix -  
>> n   n   -   -  pipe
>>user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} 
>> ${recipient}
>> 
>> Everything is working as expected, but I have some questions about 
>> permissions. Should spamd be the owner of /etc/mail/spamassassin?
> 
> No. It is entirely normal for any user to read the config files. The spamd 
> user never needs to write to that directory or anything in it.

I set it back to root ownership.
> 
>> Of /usr/local/etc/mail/spamassassin?
> 
> Yes. The bayes_* files there are the active Bayes DB in use by the spamd 
> daemon, so the user the daemon is running as needs to be able to do anything 
> in that directory.

So spamd needs to be the owner of the bayes files.
> 
>> Today I got a warning about the unsafe perms on sa-update-keys. Who should 
>> own those and what should the perms be?
> 
> Files in that directory control whose signatures you trust on daily rules 
> packages, so the directory should be owned by root, perms 0700.
> 
> 
>> Finally, I’m seeing this in my maillogs.
>> config: failed to parse line, skipping, in 
>> "/etc/mail/spamassassin/local.cf": bayes_
>> 
>> This is the config in local.cf:
>> bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes
> 
> Is there any other line in that file starting with 'bayes_' ?
> 
> That error message is not lying to you: you have an error in local.cf which 
> SA cannot parse around. Also look in the lines before the 'bayes_path' line 
> for unterminated quotes.
> 
Here’s every line with bayes_ in it:
bayes_#auto_learn 1
bayes_learn_to_journal 1
bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes
bayes_file_mode 0775
bayes_ignore_header ReSent-Date
bayes_ignore_header ReSent-From
bayes_ignore_header ReSent-Message-ID
bayes_ignore_header ReSent-Subject
bayes_ignore_header ReSent-To
bayes_ignore_header Resent-Date
bayes_ignore_header Resent-From
bayes_ignore_header Resent-Message-ID
bayes_ignore_header Resent-Subject
bayes_ignore_header Resent-To
 
I think that first line looks problematic.
> 
>> This is the contents of the bayes folder:
>> # ls -lsah /usr/local/etc/mail/spamassassin/bayes/
>> total 632K
>>   0 drwxrwxr-x 2 spamd spamd   63 Jun 20 11:36 .
>>   0 drwxrwxr-x 3 spamd spamd   19 Jun 13 06:00 ..
>> 96K -rw------- 1 spamd spamd  95K Jun 20 14:44 bayes_journal
>> 12K -rwxrwxrwx 1 spamd spamd  12K Jun 20 11:32 bayes_seen
>> 524K -rwxrwxrwx 1 spamd spamd 664K Jun 20 11:32 bayes_toks
>> 
>> spamd owns the directory /usr/local/etc/mail/spamassassin and all 
>> subdirectories. The perms are 775 for the directories and 777 for all files. 
>>  (I did this for testing purposes. They normally would be 755 and 644.)
> 
> I hope there's only you on that machine...

It is.
> 
> Using 'chmod 777' to troubleshoot permissions issues is always a bad idea.

Yeah, but when you run out of ideas…..

They’ve already been reset to normal since they didn’t change anything.

Paul Schmehl
paul.schm...@gmail.com


Re: Questions about spamassassin

2024-06-20 Thread Bill Cole

On 2024-06-20 at 16:14:47 UTC-0400 (Thu, 20 Jun 2024 15:14:47 -0500)
Paul Schmehl 
is rumored to have said:

I’m running spamassassin (SA) 3.4, postfix 3.9.0-1, and dovecot 
2.2.36-8 on a linux server. I have some questions about SA that I 
can’t seem to find answers for on the web.


The SA conf files are /etc/mail/spamassassin. The bayes files are in 
/usr/local/etc/mail/spamassassin/bayes.


I’m running spamd as the content_filter in postfix.

spamassassin unix -  n   n   -   -  pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}


Everything is working as expected, but I have some questions about 
permissions. Should spamd be the owner of /etc/mail/spamassassin?


No. It is entirely normal for any user to read the config files. The 
spamd user never needs to write to that directory or anything in it.



Of /usr/local/etc/mail/spamassassin?


Yes. The bayes_* files there are the active Bayes DB in use by the spamd 
daemon, so the user the daemon is running as needs to be able to do 
anything in that directory.


Today I got a warning about the unsafe perms on sa-update-keys. Who 
should own those and what should the perms be?


Files in that directory control whose signatures you trust on daily 
rules packages, so the directory should be owned by root, perms 0700.




Finally, I’m seeing this in my maillogs.
config: failed to parse line, skipping, in 
"/etc/mail/spamassassin/local.cf": bayes_


This is the config in local.cf:
bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes


Is there any other line in that file starting with 'bayes_' ?

That error message is not lying to you: you have an error in local.cf 
which SA cannot parse around. Also look in the lines before the 
'bayes_path' line for unterminated quotes.




This is the contents of the bayes folder:
# ls -lsah /usr/local/etc/mail/spamassassin/bayes/
total 632K
   0 drwxrwxr-x 2 spamd spamd   63 Jun 20 11:36 .
   0 drwxrwxr-x 3 spamd spamd   19 Jun 13 06:00 ..
 96K -rw--- 1 spamd spamd  95K Jun 20 14:44 bayes_journal
 12K -rwxrwxrwx 1 spamd spamd  12K Jun 20 11:32 bayes_seen
524K -rwxrwxrwx 1 spamd spamd 664K Jun 20 11:32 bayes_toks

spamd owns the directory /usr/local/etc/mail/spamassassin and all 
subdirectories. The perms are 775 for the directories and 777 for all 
files.  (I did this for testing purposes. They normally would be 755 
and 644.)


I hope there's only you on that machine...

Using 'chmod 777' to troubleshoot permissions issues is always a bad 
idea.


Spam that are not caught by SA are moved to my junk folder, and I 
croned a script that parses those and feeds them into bayes_seen. That 
script is working, and the bayes_seen file is being updated. (I 
checked the timestamp on the file after running the script manually.)


I can’t make sense out of this error message. What am I missing?


It is a configuration file parsing error. It has nothing to do with 
permissions or ownership. There's an error in local.cf.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire
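
Added example, not code from the thread or from SpamAssassin itself: a small Python linter that applies the two checks Bill suggests above (a line whose directive name is not a plain word, and a value with an unterminated double quote) to a constructed local.cf fragment modelled on the lines Paul listed. The directive-name regex and the quote-count check are heuristics of mine, not SA's own parser, and the "unterminated description" line is constructed.

```python
import re
from typing import List, Tuple

# Constructed local.cf fragment modelled on the lines quoted in the thread.
# The first line is the culprit: the '#' meant to comment the directive out
# landed after the 'bayes_' prefix instead of in column one, so SA sees a
# directive named 'bayes_' followed by garbage and skips the line.
SAMPLE_LOCAL_CF = """\
bayes_#auto_learn 1
bayes_learn_to_journal 1
bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes
bayes_file_mode 0775
bayes_ignore_header ReSent-Date
describe LOCAL_EXAMPLE "unterminated description
"""

# Heuristic (assumption): a directive name is lowercase letters, digits and
# underscores; anything else glued to the name (like '#') breaks the line.
DIRECTIVE_RE = re.compile(r"^([a-z][a-z0-9_]*)(?:\s+(.*))?$")

Problem = Tuple[int, str, str]  # (line number, original line, description)


def lint_config(text: str) -> List[Problem]:
    """Flag lines SA is likely to reject: a malformed directive name, or a
    value with an odd number of double quotes (the 'unterminated quotes'
    hint). This is a heuristic, not SA's own config parser."""
    problems: List[Problem] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and real comments are fine
        m = DIRECTIVE_RE.match(line)
        if m is None:
            problems.append((lineno, raw, "directive name contains characters outside [a-z0-9_]"))
            continue
        value = m.group(2) or ""
        if value.count('"') % 2 == 1:
            problems.append((lineno, raw, "odd number of double quotes in value"))
    return problems


def suggest_comment_fix(line: str) -> str:
    """For 'name_#rest' lines, move the '#' to column one so the whole line
    becomes a comment, which is presumably what the author intended."""
    head, sep, tail = line.partition("#")
    if sep and head and not head.startswith("#"):
        return "#" + head + tail
    return line


if __name__ == "__main__":
    for lineno, raw, why in lint_config(SAMPLE_LOCAL_CF):
        print(f"line {lineno}: {why}: {raw!r}")
        if "directive name" in why:
            print(f"  suggested: {suggest_comment_fix(raw)!r}")
```

Run it against the real file with `python3 lint.py` after pointing `SAMPLE_LOCAL_CF` at `open('/etc/mail/spamassassin/local.cf').read()`; the first hit is the line SA's "failed to parse line" message is complaining about.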


Questions about spamassassin

2024-06-20 Thread Paul Schmehl
I’m running spamassassin (SA) 3.4, postfix 3.9.0-1, and dovecot 2.2.36-8 on a 
linux server. I have some questions about SA that I can’t seem to find answers 
for on the web.

The SA conf files are /etc/mail/spamassassin. The bayes files are in 
/usr/local/etc/mail/spamassassin/bayes.

I’m running spamd as the content_filter in postfix.

spamassassin unix -  n   n   -   -  pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Everything is working as expected, but I have some questions about permissions. 
Should spamd be the owner of /etc/mail/spamassassin? Of 
/usr/local/etc/mail/spamassassin?

Today I got a warning about the unsafe perms on sa-update-keys. Who should own 
those and what should the perms be?

Finally, I’m seeing this in my maillogs.
config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": 
bayes_

This is the config in local.cf: 
bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes

This is the contents of the bayes folder:
# ls -lsah /usr/local/etc/mail/spamassassin/bayes/
total 632K
   0 drwxrwxr-x 2 spamd spamd   63 Jun 20 11:36 .
   0 drwxrwxr-x 3 spamd spamd   19 Jun 13 06:00 ..
 96K -rw--- 1 spamd spamd  95K Jun 20 14:44 bayes_journal
 12K -rwxrwxrwx 1 spamd spamd  12K Jun 20 11:32 bayes_seen
524K -rwxrwxrwx 1 spamd spamd 664K Jun 20 11:32 bayes_toks

spamd owns the directory /usr/local/etc/mail/spamassassin and all 
subdirectories. The perms are 775 for the directories and 777 for all files.  
(I did this for testing purposes. They normally would be 755 and 644.) 

Spam that are not caught by SA are moved to my junk folder, and I croned a 
script that parses those and feeds them into bayes_seen. That script is 
working, and the bayes_seen file is being updated. (I checked the timestamp on 
the file after running the script manually.)

I can’t make sense out of this error message. What am I missing?

Paul Schmehl
paul.schm...@gmail.com





Re: MSGID_BELONGS_RECIPIENT and DKIMWL

2024-06-20 Thread Kris Deugau

Alex wrote:

Hi,

I had an obit email very unfortunately get tagged as spam for what 
appears to be the result of a few DKIMWL rules and MSGID_BELONGS_RECIPIENT.


  *  1.0 DKIMWL_BULKMAILER_LOW ASKDNS: DKIMwl.org - Low scoring bulkmailer
  *      [tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org 
 A:127.0.2.1]


Not a stock rule.



  *  1.5 DKIMWL_BL ASKDNS: DKIMwl.org - Low trust sender
  *      [tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org 
 A:127.0.2.1]


The lookup result looks to have shifted somewhat from "low" to "low-med":

$ host tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org
tbias-com.20230601.gappssmtp.com.lookup.dkimwl.org has address 127.0.2.2

however it looks likely you've redefined the rule, so it's not behaving 
as per stock or per DKIMwl.org's usage guidelines: http://dkimwl.org/usage.


The stock version of this rule should only match results ending in .0.



  *  1.0 MSGID_BELONGS_RECIPIENT Message-ID domain belongs to recipient


Also not a stock rule.  It's difficult to tell with the redactions in 
the pastebin, but it also appears to be misfiring.  You'll have to post 
unredacted headers along with the rule details for specific help.




How reliable are the DKIMWL_ rules? They seem to hit a lot of ham,


That's the intention.  They're to help otherwise legitimate senders that 
may send spammier content still get through.


I've scored them to an advisory -0.001 locally, as I had a few too many 
cases of outright abuse of an otherwise fairly clean platform to send 
scams.  It's been easier to deal with the resulting occasional false 
positive one at a time instead.


-kgd


Re: Docs confusion and missing dependency on EL9

2024-06-19 Thread Bill Cole

On 2024-06-19 at 01:28:20 UTC-0400 (Wed, 19 Jun 2024 07:28:20 +0200)
Gerald Vogt 
is rumored to have said:


Hi,

for testing I tried to install spamassassin 4.0.1 on EL9 (AlmaLinux 
9.4). I have noticed some dependencies are not mentioned on the 
INSTALL page:


I have had to install perl-ExtUtils-MakeMaker.noarch to run 
Makefile.PL


That module has been a part of the Perl "core" in all versions of Perl 
5.



I have had to install perl-Archive-Tar.noarch to run sa-update.


Archive::Tar has been in the core since Perl v5.9.3


Those two are nowhere mentioned.


A standard Perl installation of any version we support will have both of 
those.


RedHat, for reasons of their own, splits the Perl core into many 
packages. To get the standard core on any EL-based system, install the 
"perl" package.



It also took me a while to find the instructions how to install.

I started at https://spamassassin.apache.org/index.html

where "Click here to get started using SpamAssassin! " looked 
promising.


But at

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/StartUsing

I have spent considerable time to look for where to download and how 
to actually install spamassassin, but eventually gave up. Only now I 
have found some instructions on the SingleUserUnixInstall page.


So I have circled back and checked the Download link from the top. 
There I can download the tar, get hints on Upgrading but still nothing 
on installation.


There is a link at the top of the homepage to "Download" and in the 
tarball on the download page there's a document named "INSTALL"


The overwhelming majority of users who install SA do so using their 
system's packaged version or CPAN.




The Wiki and FAQ links from the top are not helpful either.

So eventually, I have found it on "Docs", pointing to the INSTALL 
file.


From experience, that is not really the first place I would look.


That certainly varies by individual. I definitely look to the 
documentation for information on how to install software.


I would think the "Get Started" page should have a link to the 
Download and INSTALL page at the beginning. Downloading and installing 
seem to be the obvious first steps to get started.


I agree. The whole logical structure of the website needs a more 
rigorous review.



The Download page should have a link for INSTALL like it already has 
for the Upgrade.


And I would say "Where to download" and "How to install" are pretty 
common FAQs, too.


Indeed.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: BayesStore MariaDB on EL9

2024-06-19 Thread Gerald Vogt

On 18.06.24 22:23, Bill Cole wrote:

On 2024-06-18 at 14:58:15 UTC-0400 (Tue, 18 Jun 2024 20:58:15 +0200)
Gerald Vogt 
is rumored to have said:


Hi,

for a test, I have increased the column length of token to binary(32) 
and used a test file to import containing a single token.


This time it went through. However, as I suspected, the token length 
is not 5 byte. Token line from backup:


t    1    0    1718024618    027121926a

Hex representation of content in database:

MariaDB [spamassassin]> select hex(token) from bayes_token\G
*** 1. row ***
hex(token): 
027121C2926A

1 row in set (0.000 sec)

Compared:

Original 02 71 21    92 6a
Database 02 71 21 C2 92 6A

C2 92 is the UTF-8 encoding of U+0092, thus basically the token is 
written in UTF-8 into the database.


That's odd... What is the character set of the database?


It is standard DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci 
just like the table.


Running sa-learn with DBI_TRACE=2 I can also see that it looks like it 
actually has the UTF-8 encoding already in there during parameter 
binding:


Binding parameters: INSERT INTO bayes_token
   (id, token, spam_count, ham_count, atime)
   VALUES ('43','^Bq!j','1','0','1718024618')
   ON DUPLICATE KEY UPDATE spam_count = 
GREATEST(spam_count + '1', 0),
   ham_count = GREATEST(ham_count 
+ '0', 0),
   atime = GREATEST(atime, 
'1718024618')


Thus, I would say it's not an issue with the database.

Any idea?

Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.


First: upgrade to 4.0.1


Well, it's the RHEL packaged version. I don't really want to upgrade to 
a manually handled version.


There were substantial changes in how encoding was handled between 3.4.6 
and 4.0, and there is a substantial likelihood that any problem with 
encoding would not occur in 4.0 or later.


Yes, you are right. It works with 4.0.1.

I have looked into the source code and the reason became obvious pretty 
quickly, e.g. the part in _put_token in 3.4.6


https://github.com/apache/spamassassin/blob/4a1fe99da9296364be0c50f02d2a73b5af74207a/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L827

compared with this in trunk

https://github.com/apache/spamassassin/blob/8307bb22a7709125ab0f8e94fb7a271461944f61/lib/Mail/SpamAssassin/BayesStore/MySQL.pm#L997

4.0 does specifically tag the token as BINARY while default is VARCHAR I 
think. Thus, it automatically encodes it.


This was added in

https://github.com/apache/spamassassin/commit/3dd8ea4ff51d50a72212ac8cbb2f6f8d443c3489

I'll open a bug with redhat and see if they either upgrade spamassassin 
in EL9 or backport something into 3.4.6.


Just for the fun of it, I have replaced the packaged file with the 4.0.1 
MySQL.pm file and then it works. Looking at the commit and the commit 
history after, I think the 4.0.1 MySQL.pm should work just fine in 3.4.6.


Anyway, we'll see what RedHat does about this.

Thanks a lot!

Regards,

Gerald
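
Added example, not code from the thread or from SpamAssassin: a Python reproduction of the byte-level effect Gerald describes (a 5-byte token whose 0x92 byte becomes C2 92 once the value is treated as text and re-encoded as UTF-8), plus a check you can run over an `sa-learn --backup` dump to find every token that would overflow the `binary(5)` column on 3.4.6. The backup excerpt is constructed around the single token line quoted in the thread; the header line and the second all-ASCII token are my additions.

```python
from typing import List, Optional, Tuple

# Constructed sa-learn --backup excerpt. The first token line is the one
# quoted in the thread; the header line and the all-ASCII token are added
# for contrast. Fields: type, spam_count, ham_count, atime, token as hex.
SAMPLE_BACKUP = """\
v	3	db
t	1	0	1718024618	027121926a
t	0	2	1718024618	0102030405
"""

TOKEN_COLUMN_BYTES = 5  # bayes_token.token is binary(5) in bayes_mysql.sql


def utf8_inflate(token: bytes) -> bytes:
    """Reproduce what happens when a raw byte token is handled as a text
    string and re-encoded as UTF-8 on its way to the database: every byte
    0x80-0xFF turns into a two-byte sequence (0x92 -> C2 92)."""
    return token.decode("latin-1").encode("utf-8")


def recover_token(stored: bytes) -> Optional[bytes]:
    """Undo the inflation if the stored value is valid UTF-8 whose code
    points all fit in one byte; otherwise return None (not an inflated
    token, so do not touch it)."""
    try:
        return stored.decode("utf-8").encode("latin-1")
    except UnicodeError:
        return None


def diagnose(backup_hex: str, stored_hex: str) -> str:
    """Compare a token from the backup with the hex(token) the DB shows."""
    backup = bytes.fromhex(backup_hex)
    stored = bytes.fromhex(stored_hex)
    if stored == backup:
        return "ok"
    if stored == utf8_inflate(backup):
        return "utf8-inflated"
    return "mismatch"


def tokens_at_risk(backup_text: str) -> List[Tuple[str, int]]:
    """Tokens whose UTF-8-inflated form would not fit binary(5), i.e. the
    ones that would trigger 'Data too long for column token' on 3.4.6.
    Returns (token hex, inflated length)."""
    at_risk = []
    for line in backup_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "t":
            continue  # skip header/other record types
        inflated = utf8_inflate(bytes.fromhex(fields[4]))
        if len(inflated) > TOKEN_COLUMN_BYTES:
            at_risk.append((fields[4], len(inflated)))
    return at_risk


if __name__ == "__main__":
    print(diagnose("027121926a", "027121C2926A"))  # the case from the thread
    print(tokens_at_risk(SAMPLE_BACKUP))
```

Any token containing a byte >= 0x80 (statistically most of them, since tokens are hash output) is at risk, which is why `bayes_token` stayed empty rather than losing just a few rows; the `recover_token` helper is only useful on a table that already holds inflated values after a `binary(32)` experiment like the one above.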


Docs confusion and missing dependency on EL9

2024-06-18 Thread Gerald Vogt

Hi,

for testing I tried to install spamassassin 4.0.1 on EL9 (AlmaLinux 
9.4). I have noticed some dependencies are not mentioned on the INSTALL 
page:


I have had to install perl-ExtUtils-MakeMaker.noarch to run Makefile.PL
I have had to install perl-Archive-Tar.noarch to run sa-update.

Those two are nowhere mentioned.

It also took me a while to find the instructions how to install.

I started at https://spamassassin.apache.org/index.html

where "Click here to get started using SpamAssassin! " looked promising.

But at

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/StartUsing

I have spent considerable time to look for where to download and how to 
actually install spamassassin, but eventually gave up. Only now I have 
found some instructions on the SingleUserUnixInstall page.


So I have circled back and checked the Download link from the top. There 
I can download the tar, get hints on Upgrading but still nothing on 
installation.


The Wiki and FAQ links from the top are not helpful either.

So eventually, I have found it on "Docs", pointing to the INSTALL file.

From experience, that is not really the first place I would look.

I would think the "Get Started" page should have a link to the Download 
and INSTALL page at the beginning. Downloading and installing seem to be 
the obvious first steps to get started.


The Download page should have a link for INSTALL like it already has for 
the Upgrade.


And I would say "Where to download" and "How to install" are pretty 
common FAQs, too.


I hope this helps.

Thanks,

Gerald





Re: BayesStore MariaDB on EL9

2024-06-18 Thread Bill Cole

On 2024-06-18 at 14:58:15 UTC-0400 (Tue, 18 Jun 2024 20:58:15 +0200)
Gerald Vogt 
is rumored to have said:


Hi,

for a test, I have increased the column length of token to binary(32) 
and used a test file to import containing a single token.


This time it went through. However, as I suspected, the token length 
is not 5 byte. Token line from backup:


t   1   0   1718024618  027121926a

Hex representation of content in database:

MariaDB [spamassassin]> select hex(token) from bayes_token\G
*** 1. row ***
hex(token): 
027121C2926A

1 row in set (0.000 sec)

Compared:

Original 02 71 21    92 6a
Database 02 71 21 C2 92 6A

C2 92 is the UTF-8 encoding of U+0092, thus basically the token is 
written in UTF-8 into the database.


That's odd... What is the character set of the database?

Running sa-learn with DBI_TRACE=2 I can also see that it looks like it 
actually has the UTF-8 encoding already in there during parameter 
binding:


Binding parameters: INSERT INTO bayes_token
   (id, token, spam_count, ham_count, atime)
   VALUES ('43','^Bq!j','1','0','1718024618')
   ON DUPLICATE KEY UPDATE spam_count = 
GREATEST(spam_count + '1', 0),
   ham_count = GREATEST(ham_count 
+ '0', 0),
   atime = GREATEST(atime, 
'1718024618')


Thus, I would say it's not an issue with the database.

Any idea?

Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.


First: upgrade to 4.0.1

There were substantial changes in how encoding was handled between 3.4.6 
and 4.0, and there is a substantial likelihood that any problem with 
encoding would not occur in 4.0 or later.


I don't know exactly what the cause of the problem is (i.e. why is SA 
trying to write UTF-8 to the database?) but I'm quite sure that an 
official fix for 3.4.x will never happen.






Thanks,

Gerald

On 18.06.24 17:09, Gerald Vogt wrote:

Hi!

I am trying to use a mariadb database as bayesstore, but it fails to 
load tokens. Whenever it tries to insert something into bayes_token 
it fails with an error


dbg: bayes: _put_token: SQL error: Data too long for column 'token' 
at row 1


The table has been created as mentioned in

https://github.com/apache/spamassassin/blob/trunk/sql/bayes_mysql.sql

but the 5 byte binary isn't big enough. I have tried with sa-learn 
--restore as well as learning some spam mails. bayes_token remains 
empty.


MariaDB [spamassassin]> show create table bayes_token\G
*** 1. row ***
    Table: bayes_token
Create Table: CREATE TABLE `bayes_token` (
   `id` int(11) NOT NULL DEFAULT 0,
   `token` binary(5) NOT NULL,
   `spam_count` int(11) NOT NULL DEFAULT 0,
   `ham_count` int(11) NOT NULL DEFAULT 0,
   `atime` int(11) NOT NULL DEFAULT 0,
   PRIMARY KEY (`id`,`token`),
   KEY `bayes_token_idx1` (`id`,`atime`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci
1 row in set (0.000 sec)

Any idea what goes wrong here?

Thanks,

Gerald





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: BayesStore MariaDB on EL9

2024-06-18 Thread Gerald Vogt

Hi,

for a test, I have increased the column length of token to binary(32) 
and used a test file to import containing a single token.


This time it went through. However, as I suspected, the token length is 
not 5 byte. Token line from backup:


t   1   0   1718024618  027121926a

Hex representation of content in database:

MariaDB [spamassassin]> select hex(token) from bayes_token\G
*** 1. row ***
hex(token): 027121C2926A
1 row in set (0.000 sec)

Compared:

Original 02 71 21    92 6a
Database 02 71 21 C2 92 6A

C2 92 is the UTF-8 encoding of U+0092, thus basically the token is 
written in UTF-8 into the database.


Running sa-learn with DBI_TRACE=2 I can also see that it looks like it 
actually has the UTF-8 encoding already in there during parameter binding:


Binding parameters: INSERT INTO bayes_token
   (id, token, spam_count, ham_count, atime)
   VALUES ('43','^Bq!j','1','0','1718024618')
   ON DUPLICATE KEY UPDATE spam_count = GREATEST(spam_count 
+ '1', 0),
   ham_count = GREATEST(ham_count + 
'0', 0),
   atime = GREATEST(atime, 
'1718024618')


Thus, I would say it's not an issue with the database.

Any idea?

Running spamassassin-3.4.6-5.el9.x86_64 on AlmaLinux 9.4.

Thanks,

Gerald

On 18.06.24 17:09, Gerald Vogt wrote:

Hi!

I am trying to use a mariadb database as bayesstore, but it fails to 
load tokens. Whenever it tries to insert something into bayes_token it 
fails with an error


dbg: bayes: _put_token: SQL error: Data too long for column 'token' at 
row 1


The table has been created as mentioned in

https://github.com/apache/spamassassin/blob/trunk/sql/bayes_mysql.sql

but the 5 byte binary isn't big enough. I have tried with sa-learn 
--restore as well as learning some spam mails. bayes_token remains empty.


MariaDB [spamassassin]> show create table bayes_token\G
*** 1. row ***
    Table: bayes_token
Create Table: CREATE TABLE `bayes_token` (
   `id` int(11) NOT NULL DEFAULT 0,
   `token` binary(5) NOT NULL,
   `spam_count` int(11) NOT NULL DEFAULT 0,
   `ham_count` int(11) NOT NULL DEFAULT 0,
   `atime` int(11) NOT NULL DEFAULT 0,
   PRIMARY KEY (`id`,`token`),
   KEY `bayes_token_idx1` (`id`,`atime`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci
1 row in set (0.000 sec)

Any idea what goes wrong here?

Thanks,

Gerald






BayesStore MariaDB on EL9

2024-06-18 Thread Gerald Vogt

Hi!

I am trying to use a mariadb database as bayesstore, but it fails to 
load tokens. Whenever it tries to insert something into bayes_token it 
fails with an error


dbg: bayes: _put_token: SQL error: Data too long for column 'token' at row 1

The table has been created as mentioned in

https://github.com/apache/spamassassin/blob/trunk/sql/bayes_mysql.sql

but the 5 byte binary isn't big enough. I have tried with sa-learn 
--restore as well as learning some spam mails. bayes_token remains empty.


MariaDB [spamassassin]> show create table bayes_token\G
*** 1. row ***
   Table: bayes_token
Create Table: CREATE TABLE `bayes_token` (
  `id` int(11) NOT NULL DEFAULT 0,
  `token` binary(5) NOT NULL,
  `spam_count` int(11) NOT NULL DEFAULT 0,
  `ham_count` int(11) NOT NULL DEFAULT 0,
  `atime` int(11) NOT NULL DEFAULT 0,
  PRIMARY KEY (`id`,`token`),
  KEY `bayes_token_idx1` (`id`,`atime`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci
1 row in set (0.000 sec)

Any idea what goes wrong here?

Thanks,

Gerald




Re: Sv: Re: Question about a rule

2024-06-18 Thread Laurent S.
I'd also strongly recommend adding boundaries: /\b(blah1|blah2|blah3)\b/i

Otherwise, you might have a whole *pano*ply of words that will make 
legit mails marked a spam. You need to be super sure about poison pills 
rules, or in french - *pillu*le empoisonnée.

Good luck.

On 18.06.24 13:35, Axb wrote:
> You need to enclose in brackets
> body LOCAL_BLAH   /(blah1|blah2|blah3)/i
> 
> On 6/18/24 13:05, Anders Gustafsson wrote:
>> Sure:
>>
>> body LOCAL_PORN_RULE   
>> /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
>> score LOCAL_PORN_RULE 8
>> describe LOCAL_PORN_RULE   This catches peter's porn spam
>>
>> Sorry again for mailing directly. No idea why it suggests the user and not 
>> users@
>>
> 
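
Added example, not from the thread: a Python reproduction of the boundary problem Laurent points out, using a trimmed, constructed word list in the shape of the rule quoted above. `build_rule` turns the list into one grouped alternation, with or without `\b`, and `hits` reports the matched text together with the surrounding word so you can see why a legitimate sentence fires, the way you would read `spamassassin -D` output. The sample bodies are constructed.

```python
import re
from typing import List, Tuple

# Constructed, trimmed word list in the shape of the thread's rule.
WORDS = ["pillu", "pano", "kinky", "x69-JOOGA"]


def build_rule(words: List[str], bounded: bool) -> "re.Pattern[str]":
    """Build the alternation as one group; with bounded=True add \\b so each
    word must stand alone rather than appear inside a longer word."""
    alternation = "|".join(re.escape(w) for w in words)
    pattern = rf"\b(?:{alternation})\b" if bounded else rf"(?:{alternation})"
    return re.compile(pattern, re.IGNORECASE)


def hits(rule: "re.Pattern[str]", body: str) -> List[Tuple[str, str]]:
    """Return (matched text, surrounding word) for every match, so a false
    positive shows which innocent word contained the rule word."""
    out = []
    for m in rule.finditer(body):
        start = body.rfind(" ", 0, m.start()) + 1
        end = body.find(" ", m.end())
        end = len(body) if end == -1 else end
        out.append((m.group(0), body[start:end]))
    return out


# Constructed sentences: a legitimate one whose ordinary words contain the
# rule words as substrings, and one that uses the words themselves.
LEGIT_BODY = "A whole panoply of options; in French, pillule empoisonnée."
SPAM_BODY = "Kinky pano tonight, x69-JOOGA inside"


if __name__ == "__main__":
    for name, bounded in (("unbounded", False), ("bounded", True)):
        rule = build_rule(WORDS, bounded)
        print(name, "legit:", hits(rule, LEGIT_BODY))
        print(name, "spam: ", hits(rule, SPAM_BODY))
```

The unbounded form fires on "panoply" and "pillule" in the legitimate sentence; the bounded form fires on neither while still catching every word in the second body. Keep in mind that `\b` in SA's Perl rules is byte-based on older versions, so words with non-ASCII letters may still behave differently there than in this Python reproduction.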



Re: Sv: Re: Question about a rule

2024-06-18 Thread Axb

You need to enclose in brackets
body LOCAL_BLAH   /(blah1|blah2|blah3)/i

On 6/18/24 13:05, Anders Gustafsson wrote:

Sure:

body LOCAL_PORN_RULE   
/kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Sorry again for mailing directly. No idea why it suggests the user and not 
users@





Re: Sv: Re: Question about a rule

2024-06-18 Thread Matus UHLAR - fantomas

On 18.06.24 14:05, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   
/kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Sorry again for mailing directly. No idea why it suggests the user and not 
users@



I guess that the "sexikäs" causes troubles.
Do you use SA 4.0 ? That should be compatible with utf-8. 




Matus UHLAR - fantomas  2024-06-18 14:00 >>>

On 18.06.24 13:50, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Funny thing is that it seems to trigger on messages that contain none of those 
words. I have removed the
actual words so that my message will not be regarded as spam ??

Wonder if it is that last word that matches some regexp??


This can happen in case of incorrect regular expression.
Maybe if you posted it here, we could see the error.

run spamassassin -D < mail 2>/tmp/mail.err
and you should be able to see which string matched

Finally, SA recommends using multiple rules with small scores instead of
single rule with huge score.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]

