Re: Unsubscribe "noisy" subscriber - Was: FW: ****SPAM(7.2)**** rule didn't fire
I talked to Dave Hill's brother on Friday (he is the "listed" "zone contact" for dailyhills.com in 'whois'. He is Dennis Hills, he promised to speak to his brother that day, so the problem will hopefully have finally ended. Obviously Dave Hills is an enthusiast - he even has a page on his web site which show SA stats for his site, but also obviously, he doesn't keep up with his email (in defence, his web page notes that he moved about five weeks ago). Let's all hope the bounces have ended. Paul Shupak [EMAIL PROTECTED]
Unsubscribe "noisy" subscriber - Was: FW: ****SPAM(7.2)**** rule didn't fire
Hi, Could someone please remove the subscriber, which constantly sends messages the the one below back to the list ?? The subscriber seesm to be [EMAIL PROTECTED] - I've contacted the person before, because I'm tired of seeing these rejected mails from his system being posted back to the list, but aparently the problem hasn't been solved... Regards, /Brian -Original Message- From: Vicki Brown [mailto:[EMAIL PROTECTED] Sent: 17. marts 2005 02:04 To: users@spamassassin.apache.org Subject: ****SPAM(7.2)**** rule didn't fire SpamAssassin, running on "mail.dailyhills.com", has identified this incoming email as possible spam. The original message has been attached to this email so you can view it (if it isn't spam). If you have any questions, contact [EMAIL PROTECTED] for details. Content preview: Ok. What totally minless dumb thing did I do that I just can't see? This rule is in my /etc/mail/spamassassin/local.cf body CF_BAD_URL4 /www\.(vdrugz|gh6)\.net/i score CF_BAD_URL4 10.0 describe CF_BAD_URL4 .net Junk site [...] Content analysis details: (7.2 points, 5.0 required) pts rule name description -- -- -0.0 SPF_PASS SPF: sender matches SPF record 2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50% [cf: 100] -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0001] 2.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: gh6.net] 0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist [URIs: gh6.net] 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist [URIs: gh6.net] 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist [URIs: gh6.net] 4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist [URIs: gh6.net] -5.5 AWLAWL: From: address is in the auto white-list -- -- --- Begin Message --- Ok. What totally minless dumb thing did I do that I just can't see? This rule is in my /etc/mail/spamassassin/local.cf body CF_BAD_URL4 /www\.(vdrugz|gh6)\.net/i score CF_BAD_URL4 10.0 describe CF_BAD_URL4 .net Junk site I received a piece of mail containing the string http://www.gh6.net/ Yet the rule did not fire >Subject: Prescription Drugs >Date: Thu, 17 Mar 2005 07:39:25 +0700 >X-Priority: 3 >X-Spam-Flag: YES >X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com >X-Spam-Level: *** >X-Spam-Status: Yes, score=3.0 required=0.5 tests=FORGED_RCVD_HELO > autolearn=no version=3.0.2 > >Online pharmacy - Visit our online store and save. > >Save up to 80% compared to normal rates. > >All popular drugs are available! > >- World wide shipping >- No Doctor Visits >- No Prescriptions >- Next Day Priority Shipping >- Discreet Packaging >- Buy in Bulk and Save! > >We make it easier and faster than ever to get the prescriptions you >need. > >Go here: http://www.gh6.net/ -- Vicki Brown ZZZ Journeyman Sourceror: zz |\ _,,,---,,_ Code, Docs, Process, Scripts & Philtres zz /,`.-'`'-. ;-;;,_ Perl, WWW, Mac OS X http://cfcl.com/vlb |,4- ) )-,_. ,\ ( `'-' SF Bay Area, CA USA ___ '---''(_/--' `-'\_) ___ --- End Message ---
Re: rule didn't fire
Loren, While true for vdrugz.net-munged, gh6.net-munged does not always use a www. prefix. Also, now gh6.net-munged is caught by the SBL, 4 SURBLs, and completewhois (if you use it). I get 14.6 points for just the bare domain name. vdrugz.net-munged is caught by the SBL and 4 SURBLs and gives me 12.5 points. So by now any rule is redundant (though it might have helped yesterday or a few days ago). Paul Shupak [EMAIL PROTECTED]
Re: rule didn't fire
Hi! gh6.net-munged, don't the SURBLs have this one yet? Another from the taiwanmedialtd.com-munged group (two new domains a day - time for Spamhaus to take notice; Also they seem to hace given up on the Turkish address as on last week). gh6 .net is listed in about every SURBL list. If you have other new ones to report please use the submission form or check on the SURBL checker: http://www.rulesemporium.com/cgi-bin/uribl.cgi Thanks, Raymond.
Re: rule didn't fire
gh6.net-munged, don't the SURBLs have this one yet? Another from the taiwanmedialtd.com-munged group (two new domains a day - time for Spamhaus to take notice; Also they seem to hace given up on the Turkish address as on last week). Paul Shupak [EMAIL PROTECTED]
Re: rule didn't fire
From: "Vicki Brown" <[EMAIL PROTECTED]>
> >Did you restart spamd?
>
> N.
Good, bad, or indifferent the rule may be this is probably the reason
it did not fire at all. Restart spamd after changing rules.
service spamassassin restart
That works for Mandrake, RedHat, and I believe for SUSE. Debian is
a little different I suspect.
{^_^}
Re: [SPAM-TAG] rule didn't fire
At 18:12 -0800 03/16/2005, Jeff Chan wrote: > >Don't make a rule, use SURBLs. This one is listed five times >over: Well, yes, good idea. But. As you're already aware, I'm (somehow) not able to do that. Different thread... Besides, it's actually only a coincidental detail as to which rule didn't fire. Thgis happened to be a rule for a URL. The basic question is "I have a rule; it didn't fire. I'm confused." :( (nevertheless I am indebted to Matt Kettler - I had missed the existence of uri rules). -- Vicki Brown ZZZ Journeyman Sourceror: zz |\ _,,,---,,_ Code, Docs, Process, Scripts & Philtres zz /,`.-'`'-. ;-;;,_ Perl, WWW, Mac OS X http://cfcl.com/vlb |,4- ) )-,_. ,\ ( `'-' SF Bay Area, CA USA ___ '---''(_/--' `-'\_) ___
Re: rule didn't fire
Vicki Brown wrote: At 17:57 -0800 03/16/2005, Loren Wilton wrote: Ok. What totally minless dumb thing did I do that I just can't see? How are you running SA? spamd -d -c at system startup then, from procmailrc, I push each message through | /usr/local/bin/spamc -s 256000 -t 60 Did you restart spamd? N. I don't use spamd, but if memory serves, you'll need to at least HUP spamd to re-read the config file... a restart of spamd would guarantee it. check the man pages for specifics. alan
Re: rule didn't fire
At 17:57 -0800 03/16/2005, Loren Wilton wrote:
>> Ok. What totally minless dumb thing did I do that I just can't see?
>
>How are you running SA?
spamd -d -c
at system startup
then, from procmailrc, I push each message through
| /usr/local/bin/spamc -s 256000 -t 60
>Did you restart spamd?
N.
> In many setups SA is persistant, and needs to be explicitly reloaded in
>some way or other to reload the modified rules.
Oh that would be truly disgustable. You say "In many setups". What's the
best way to ensure that I am _not_ ne of those setups?
>
>Did you run spamassassin --lint from the console
yes. No errors.
>It would be better to use "(?:" rather than just "(". Without the ?: the
>parends form a capturing group, which is very slow. With the (?: the group
>is just a grouping indicator, which is fast.
Thanks. Performance improvement hints are always appreciated.
>
>Also, it wouldn't hurt to make sure that there aren't more letters before
>the www or after the net, to make sure that you are seeing what you really
>think you are seeing.
Well, I don't really care, actually, for this pattern. There's probably a /
in front (specifically http://) and a / or a space or whoknowswhat after.
But few things that aren't URLs have this look about them and I figure the
www. and the .net are sufficient to ensure it's actually a URL and not the
middle of something else.
Your point is well taken for "dictionary word" patterns of course.
--
Vicki Brown ZZZ
Journeyman Sourceror: zz |\ _,,,---,,_ Code, Docs, Process,
Scripts & Philtres zz /,`.-'`'-. ;-;;,_ Perl, WWW, Mac OS X
http://cfcl.com/vlb |,4- ) )-,_. ,\ ( `'-' SF Bay Area, CA USA
___ '---''(_/--' `-'\_) ___
Re: rule didn't fire
At 08:03 PM 3/16/2005, Vicki Brown wrote: Ok. What totally minless dumb thing did I do that I just can't see? This rule is in my /etc/mail/spamassassin/local.cf body CF_BAD_URL4 /www\.(vdrugz|gh6)\.net/i score CF_BAD_URL4 10.0 describe CF_BAD_URL4 .net Junk site I received a piece of mail containing the string Yet the rule did not fire try a uri rule instead of a body rule.
Re: [SPAM-TAG] rule didn't fire
On Wednesday, March 16, 2005, 5:03:42 PM, Vicki Brown wrote: > Ok. What totally minless dumb thing did I do that I just can't see? > This rule is in my /etc/mail/spamassassin/local.cf > body CF_BAD_URL4 /www\.(vdrugz|gh6)\.net/i > score CF_BAD_URL4 10.0 > describe CF_BAD_URL4 .net Junk site > I received a piece of mail containing the string >http://www.gh6.net/ > Yet the rule did not fire Don't make a rule, use SURBLs. This one is listed five times over: gh6.net on lists [sc][ws][ob][ab][jp], See: http://www.surbl.org/lists.html Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: rule didn't fire
> Ok. What totally minless dumb thing did I do that I just can't see?
How are you running SA? Did you restart spamd? In many setups SA is
persistant, and needs to be explicitly reloaded in some way or other to
reload the modified rules.
Did you run spamassassin --lint from the console on your rules to make sure
that you don't have an error somewhere? An earlier error can cause the rest
of the file to be ignored.
> This rule is in my /etc/mail/spamassassin/local.cf
>
> body CF_BAD_URL4 /www\.(vdrugz|gh6)\.net/i
It would be better to use "(?:" rather than just "(". Without the ?: the
parends form a capturing group, which is very slow. With the (?: the group
is just a grouping indicator, which is fast.
Also, it wouldn't hurt to make sure that there aren't more letters before
the www or after the net, to make sure that you are seeing what you really
think you are seeing. In sum:
> body CF_BAD_URL4 /\bwww\.(?:vdrugz|gh6)\.net\n/i
Loren
rule didn't fire
Ok. What totally minless dumb thing did I do that I just can't see? This rule is in my /etc/mail/spamassassin/local.cf body CF_BAD_URL4 /www\.(vdrugz|gh6)\.net/i score CF_BAD_URL4 10.0 describe CF_BAD_URL4 .net Junk site I received a piece of mail containing the string http://www.gh6.net/ Yet the rule did not fire >Subject: Prescription Drugs >Date: Thu, 17 Mar 2005 07:39:25 +0700 >X-Priority: 3 >X-Spam-Flag: YES >X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com >X-Spam-Level: *** >X-Spam-Status: Yes, score=3.0 required=0.5 tests=FORGED_RCVD_HELO > autolearn=no version=3.0.2 > >Online pharmacy - Visit our online store and save. > >Save up to 80% compared to normal rates. > >All popular drugs are available! > >- World wide shipping >- No Doctor Visits >- No Prescriptions >- Next Day Priority Shipping >- Discreet Packaging >- Buy in Bulk and Save! > >We make it easier and faster than ever to get the prescriptions you >need. > >Go here: http://www.gh6.net/ -- Vicki Brown ZZZ Journeyman Sourceror: zz |\ _,,,---,,_ Code, Docs, Process, Scripts & Philtres zz /,`.-'`'-. ;-;;,_ Perl, WWW, Mac OS X http://cfcl.com/vlb |,4- ) )-,_. ,\ ( `'-' SF Bay Area, CA USA ___ '---''(_/--' `-'\_) ___
