Re: rule for empty text + GIF or PDF ?

2007-08-14 Thread SM

At 20:33 13-08-2007, Jo Rhett wrote:
> In specific, the original question referenced SARE rulesets and thus
> the obvious assumption was that it was a SARE rule, and I had done
> the search and hadn't found the rule so I needed to know which SARE
> ruleset that I wasn't currently downloading provided this.


The original question was posted by clsgis.  In his answer, Theo Van 
Dinter mentioned that a rule for PDF has been available via sa-update 
for weeks.  Jo Rhett asked where in reply to that message.


> Had the person included the information that it was not a SARE
> ruleset but a normal SA ruleset, then I would have understood.


I provided the rule name and description together with a link to the 
RuleUpdates webpage on the SpamAssassin Wiki as it explains how to 
locate the rules downloaded by sa-update.  The webpage also has an 
example of how to use sa-update and how to debug if there is a 
problem doing updates.


I assumed that the threaded discussion conveyed the fact that I was 
referring to a rule available from the updates.spamassassin.org channel.


Regards,
-sm 



Re: rule for empty text + GIF or PDF ?

2007-08-13 Thread Jo Rhett

Kai Schaetzl wrote:

> Jo Rhett wrote on Sat, 11 Aug 2007 09:31:05 -0700:
>
>> No, I didn't.  I asked where a given rule was.  I was given a reference
>> to a page that described how to set up sa-update.
>
> You were given the exact name of the rule, that reference to sa-update was
> an additional courtesy as it is easy to know from reading documentation or
> this list to know where the rules are stored, anyway. It would have
> probably answered all your remaining questions if there were any left. If
> you had cared to read it. If you know the name of the rule you can easily
> check if it's available for you or not. That was *exactly* what you wanted
> to know. Quoting yourself: Where?.


Where, as in Where can I find it.  Not where can I start at the 
beginning.  Saying that if I opened an encyclopedia I would eventually 
find the answer is also true but not helpful.


In specific, the original question referenced SARE rulesets and thus the 
obvious assumption was that it was a SARE rule, and I had done the 
search and hadn't found the rule so I needed to know which SARE ruleset 
that I wasn't currently downloading provided this.


Had the person included the information that it was not a SARE ruleset 
but a normal SA ruleset, then I would have understood.


Anyway, the ruleset simply doesn't work.  I've got a dozen good examples 
of empty PDF messages that the rule doesn't hit.  I'll send 
documentation later tonight after I finish other work.


--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness


Re: rule for empty text + GIF or PDF ?

2007-08-12 Thread Kai Schaetzl
Gene Heskett wrote on Sat, 11 Aug 2007 23:43:38 -0400:

> 1: sa-update is NOT pulling new PDFInfo.pm or pdfinfo.cf files even when they
> are available.

of course not!

> 2: spamassassin --lint -D ignores these rules when we install them by hand.

which means you probably haven't installed PDFInfo correctly?

> Now is the question sufficiently illuminated?

Not at all. This is your first posting in this thread. This thread is about
rule for empty text + GIF or PDF. Your posting is about how do I install or
make use of PDFInfo. So, please go ahead and post a new thread and include
all the information that is necessary for others to help you. If you did
that already elsewhere, then please keep going there. But please don't
hijack threads with completely different topics and pretend it fits.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: rule for empty text + GIF or PDF ?

2007-08-11 Thread Jo Rhett

Kai Schaetzl wrote:

> Jo Rhett wrote on Fri, 10 Aug 2007 20:30:37 -0700:
>
>> Thank you for the very useless reference to sa-update.
>
> Please, don't do this! You got a nice answer that exactly answered your
> question.


No, I didn't.  I asked where a given rule was.  I was given a reference 
to a page that described how to set up sa-update.


This is exactly identical to giving someone a reference to how to 
program in c when they've asked a very specific question about a 
function.  Perhaps it wasn't intended as an insult, but as an answer it's
utterly worthless.


FYI I have seen several other threads with people complaining that 
sa-update is not providing the PDF updates, so this is apparently a 
common problem.


--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness


Re: rule for empty text + GIF or PDF ?

2007-08-11 Thread Bob Proulx
Jo Rhett wrote:
> No, I didn't.  I asked where a given rule was.  I was given a reference
> to a page that described how to set up sa-update.

That page not only described how to set up sa-update it also described
where the files were stored.  Also SM included the name of the rule
that was expected to catch pdf spam.  Those two things were the two
key pieces of information that answered the question.

> This is exactly identical to giving someone a reference to how to
> program in c when they've asked a very specific question about a
> function.  Perhaps it wasn't intended as an insult, but as an answer its
> utterly worthless.

Many people believe that because email is ephemeral (aka the net has
no memory) that it is much better to place answers in documentation
pages such as on the web rather than to place answers in email.
Otherwise the same answers will need to be posted again and again and
any incorrect answers will remain in the archives forever possibly
misleading those that look them up later.  Also most people consider
having documentation available to be superior to having an email
archive of questions and answers.

A common trend these days is to document an answer on a web page and
simply refer to the web page when answering questions.  This way
incorrect answers can be corrected on the web page when in the future
other people look up the same information.  The answer you were given
was following that best practice.

On the documentation page you were pointed to you must have missed
this section which answers your question.

  Installed Updates

  When updates are downloaded, they are put into a directory under the
  local state dir (default /var/lib/spamassassin/spamassassin version)
  similar to:

  /var/lib/spamassassin
  `-- 3.001004
      |-- updates_spamassassin_org
      `-- updates_spamassassin_org.cf

  The files from the update go into updates_spamassassin_org, and the
  *.cf files are then included by updates_spamassassin_org.cf, which
  also keeps track of what update version is installed. Therefore, if it
  is desired to change the update directory, the .cf and the update
  directory will exist there.

There is the answer to your question.  The files are stored in
/var/lib/spamassassin under a versioned directory under the
subdirectory there.

SM wrote:
> TVD_PDF_FINGER01  Mail matches standard pdf spam fingerprint

That is the key piece of information.  Using 'grep' to find which file
contains that rule is now trivial.  On my Debian Stable Etch system
running the backports spamassassin with sa-update (justifying the
older version number) shows:

  grep -l -r TVD_PDF_FINGER01 /var/lib/spamassassin
  /var/lib/spamassassin/3.001007/updates_spamassassin_org/80_additional.cf

> FYI I have seen several other threads with people complaining that
> sa-update is not providing the PDF updates, so this is apparently a
> common problem.

The sa-update rules catch most of the pdf spam here but I do see a few
pdf spams slip through the rules because they are not perfect.  Rarely
are spam rules 100% perfect and seeing some corner cases slip through
is not unusual.  It is a process of continual improvement.

Bob


Re: rule for empty text + GIF or PDF ?

2007-08-11 Thread Kai Schaetzl
Jo Rhett wrote on Sat, 11 Aug 2007 09:31:05 -0700:

> No, I didn't.  I asked where a given rule was.  I was given a reference
> to a page that described how to set up sa-update.

You were given the exact name of the rule, that reference to sa-update was 
an additional courtesy as it is easy to know from reading documentation or 
this list to know where the rules are stored, anyway. It would have 
probably answered all your remaining questions if there were any left. If 
you had cared to read it. If you know the name of the rule you can easily 
check if it's available for you or not. That was *exactly* what you wanted 
to know. Quoting yourself: Where?.

> Perhaps it wasn't intended as an insult

Are you talking about your own response?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: rule for empty text + GIF or PDF ?

2007-08-11 Thread Gene Heskett
On Saturday 11 August 2007, Bob Proulx wrote:
> Jo Rhett wrote:
> > No, I didn't.  I asked where a given rule was.  I was given a reference
> > to a page that described how to set up sa-update.
>
> That page not only described how to set up sa-update it also described
> where the files were stored.  Also SM included the name of the rule
> that was expected to catch pdf spam.  Those two things were the two
> key pieces of information that answered the question.
>
> > This is exactly identical to giving someone a reference to how to
> > program in c when they've asked a very specific question about a
> > function.  Perhaps it wasn't intended as an insult, but as an answer its
> > utterly worthless.
>
> Many people believe that because email is ephemeral (aka the net has
> no memory) that it is much better to place answers in documentation
> pages such as on the web rather than to place answers in email.
> Otherwise the same answers will need to be posted again and again and
> any incorrect answers will remain in the archives forever possibly
> misleading those that look them up later.  Also most people consider
> having documentation available to be superior to having an email
> archive of questions and answers.
>
> A common trend these days is to document an answer on a web page and
> simply refer to the web page when answering questions.  This way
> incorrect answers can be corrected on the web page when in the future
> other people look up the same information.  The answer you were given
> was following that best practice.
>
> On the documentation page you were pointed to you must have missed
> this section which answers your question.
>
>   Installed Updates
>
>   When updates are downloaded, they are put into a directory under the
>   local state dir (default /var/lib/spamassassin/spamassassin version)
>   similar to:
>
>   /var/lib/spamassassin
>   `-- 3.001004
>       |-- updates_spamassassin_org
>       `-- updates_spamassassin_org.cf
>
>   The files from the update go into updates_spamassassin_org, and the
>   *.cf files are then included by updates_spamassassin_org.cf, which
>   also keeps track of what update version is installed. Therefore, if it
>   is desired to change the update directory, the .cf and the update
>   directory will exist there.
>
> There is the answer to your question.  The files are stored in
> /var/lib/spamassassin under a versioned directory under the
> subdirectory there.
>
> SM wrote:
> > TVD_PDF_FINGER01  Mail matches standard pdf spam fingerprint
>
> That is the key piece of information.  Using 'grep' to find which file
> contains that rule is now trivial.  On my Debian Stable Etch system
> running the backports spamassassin with sa-update (justifying the
> older version number) shows:
>
>   grep -l -r TVD_PDF_FINGER01 /var/lib/spamassassin
>   /var/lib/spamassassin/3.001007/updates_spamassassin_org/80_additional.cf
>
> > FYI I have seen several other threads with people complaining that
> > sa-update is not providing the PDF updates, so this is apparently a
> > common problem.
>
> The sa-update rules catch most of the pdf spam here but I do see a few
> pdf spams slip through the rules because they are not perfect.  Rarely
> are spam rules 100% perfect and seeing some corner cases slip through
> is not unusual.  It is a process of continual improvement.
>
> Bob

We're missing the point here Bob, so let me repeat myself, or re-word it:

1: sa-update is NOT pulling new PDFInfo.pm or pdfinfo.cf files even when they 
are available.

2: spamassassin --lint -D ignores these rules when we install them by hand.

Ergo, we are pretty well convinced it's not working.  Grepping our logs for
mentions gets me this, and that log is for the last week:

[EMAIL PROTECTED] ~]# grep PDFInfo /var/log/maillog
Aug  8 11:02:34 coyote spamd[557]: Use of uninitialized value in pattern match 
(m//) at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/PDFInfo.pm 
line 329.

The only error all week, and spamassassin --lint -D didn't report it.

It looks like a typo to me but then I'm a perl dummy.  Or maybe just a dummy.

Now is the question sufficiently illuminated?

Thanks for any clues thrown our way, we seem to not have any.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
Make a wish, it might come true.


Re: rule for empty text + GIF or PDF ?

2007-08-10 Thread Jo Rhett

Theo Van Dinter wrote:

> Sure, one for PDF has been available via sa-update for weeks.


Where?  I'm using sa-update and almost all of the sare rulesets, and I'm 
getting a metric ton of these.  Searching rulesemporium for empty or 
pdf gets nothing.


--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness


Re: rule for empty text + GIF or PDF ?

2007-08-10 Thread Jo Rhett

SM wrote:

> At 19:39 10-08-2007, Jo Rhett wrote:
>> Where?  I'm using sa-update and almost all of the sare rulesets, and
>> I'm getting a metric ton of these.  Searching rulesemporium for
>> empty or pdf gets nothing.
>
> TVD_PDF_FINGER01  Mail matches standard pdf spam fingerprint
>
> http://wiki.apache.org/spamassassin/RuleUpdates


Thank you for the very useless reference to sa-update.  As my original 
e-mail said, I'm running sa-update (and it works) and I'm also using 
sa-update to get about 40 SARE channels, and those work.


I don't see any sare channels that deal with PDF empty text spam.

--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness


rule for empty text + GIF or PDF ?

2007-08-08 Thread clsgis

I'm seeing a huge spam run from well distributed bots.  Multi part MIME
messages with an empty (three blank lines) text/plain part, *no* text/html
part, and an attachment in GIF or PDF format.

I want to give those a really high score.  False positives when there is no
text in the message are acceptable.  Hoping someone has a rule to do it.

I looked through all the rules in share/spamassassin/*.cf.  There are some
tests like MPART_ALT_DIFF (eval:multipart_alternative_difference('99', '100'))
which seem to be looking for a text/html part, so they don't apply.

I looked up that rule and the explanation is  explanation of the rule goes
here not exactly helpful, and it's not obvious what the arguments to
multipart_alternative_difference mean or do.

I've searched on every combination of spamassassin rule text no html I
could think of.  No useful hits.



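Added example, not part of the original post or of SpamAssassin: a standalone Python check for the message shape described above (a multipart message whose text/plain part is only whitespace, with no text/html part and a GIF or PDF attachment). The function names and the sample messages are constructed for illustration.

```python
"""Flag multipart mail with an empty text/plain part, no text/html part,
and a GIF or PDF attachment (the shape described in the post above)."""
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ATTACHMENT_TYPES = {"image/gif", "application/pdf"}

def structure(raw):
    """Collect the structural facts of a raw RFC 822 message string."""
    msg = message_from_string(raw)
    facts = {"multipart": msg.is_multipart(), "text_parts": 0,
             "text_empty": True, "html": False, "attachment": None}
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_payload(decode=True) or b""
            facts["text_parts"] += 1
            facts["text_empty"] = facts["text_empty"] and not body.strip()
        elif ctype == "text/html":
            facts["html"] = True
        elif ctype in ATTACHMENT_TYPES:
            facts["attachment"] = ctype
    return facts

def matches(raw):
    """True only when every condition from the post holds."""
    f = structure(raw)
    return bool(f["multipart"] and f["text_parts"] and f["text_empty"]
                and not f["html"] and f["attachment"])

def sample(text, attach_type, html=None):
    """Build a constructed test message (not real spam)."""
    msg = MIMEMultipart("mixed")
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText(text, "plain"))
    if html is not None:
        msg.attach(MIMEText(html, "html"))
    maintype, subtype = attach_type.split("/")
    att = MIMEBase(maintype, subtype)
    att.set_payload(b"constructed placeholder bytes")
    encoders.encode_base64(att)
    att.add_header("Content-Disposition", "attachment", filename="sample.bin")
    msg.attach(att)
    return msg.as_string()

if __name__ == "__main__":
    for args in [("\n\n\n", "application/pdf"), ("\n\n\n", "image/gif"),
                 ("Invoice attached.\n", "application/pdf"),
                 ("\n\n\n", "image/gif", "<p>hello</p>")]:
        print(args[1], matches(sample(*args)))
```

A legitimate message that carries only an attachment and a blank body also matches, which is the false-positive case the post says is acceptable.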



Re: rule for empty text + GIF or PDF ?

2007-08-08 Thread Theo Van Dinter
On Wed, Aug 08, 2007 at 01:19:47PM -0700, clsgis wrote:
> I want to give those a really high score.  False positives when there is no
> text in the message are acceptable.  Hoping someone has a rule to do it.

Sure, one for PDF has been available via sa-update for weeks.

-- 
Randomly Selected Tagline:
Marriage is like pi - natural, irrational, and very important. - Lisa Hoffman

