Title: Message
Hi,
I checked the
archives looking for solutions to individual user preferences not being read
from mysql even though the @GLOBAL settings were but did not find any posts that
actually solved the problem.
I can verify that
@GLOBAL read from mysql is working. I'm running
Problem is paranoia about blocking legit mail (not so much on my part but my
bosses).
Basic scenario is UK business, 500 or so staff, 20,000 or so inbound
messages a week.
Doing a real basic grep on the last four weeks logs there's been around
12,500 connections from around six of the most
At 11:23 AM 11/5/2003, Tom Meunier wrote:
Matt, thanks for this. It's a great resource. However, I'm wondering
why the following were scored as zero and thus don't have numbers to
support their efficacy or lack thereof:
0.000 0. 0.0.500 0.110.00 RCVD_IN_SORBS_BLOCK
--On Thursday, November 6, 2003 1:05 PM +1100 Zlatko Hristov is rumoured to
have written:
I am trying to setup SA on Qmail gateway/relay server. All the mailboxes
are on Exchange, Qmail does filtering only with qmailscanner and SA.
Can I setup qmailscanner/qmail so it will copy or send or delete
--On Wednesday, November 5, 2003 9:42 AM -0800 Posts is rumoured to have
written:
I checked the archives looking for solutions to individual user
preferences not being read from mysql even though the @GLOBAL settings
were but did not find any posts that actually solved the problem.
I can verify
My spam assassin is still 2.60-rc6:
X-Spam-Status: No, hits=-4.8 required=5.0 tests=BAYES_00,CLICK_BELOW
autolearn=ham version=2.60-rc6
So
cpan install Mail::SpamAssassin
CPAN: Storable loaded ok
Going to read /home/kreme/.cpan/Metadata
Database was generated on Sun, 02 Nov 2003
On Tue, Nov 04, 2003 at 02:55:43PM -0500, Steve Heggood wrote:
Could someone recommend a set of blaclists used in
sendmail.mc that are producing good results?
CBL (cbl.abuseat.org)
SPEWS (l1.spews.dnsbl.sorbs.net)
Sorbs (dnsbl.sorbs.net)
SBL (sbl.spamhaus.org)
Blacholes (blackholes.easynet.nl)
Haha this guy Doctor Electron is a morong oops I defamed him...
His paper The Smart Gateway: Port-to-Local-Host Address Mapping was
also entertaining
tm.
Matthew Cline wrote:
http://www.angelfire.com/space/netcensus/ispassassin.html
Hmmm... The article claims that SA itself
Hello Paul,
Wednesday, November 5, 2003, 10:15:17 AM, you wrote:
PH Problem is paranoia about blocking legit mail (not so
PH much on my part but my bosses).
Paul, my MTA blocked email returns messages like this:
550 5.7.1 SPAM Domain blocked - See
http://nospam.ourdomain.com/
The text on the
A friend found an interesting occurance in his log files. Looking
more closely we have found at least two cases of this. Basically here
is the sequence at the end of this message.
In a nutshell a not too common address got hit from one IP address,
then a few seconds later from another IP
Hi,
Can I setup qmailscanner/qmail so it will copy or send or delete the
message with Spam status=yes header?
Yes it's possible, but you have to tweak Qmail-Scanner (QS) code a
little bit. We have QS sending all SA tags Spam to a mail box where we
create a database of spam.
We applied
Hi all,
recently I've noticed this fault: when my MTA receives mail identified as spam
(score 7.0) from a specific external distribution list, SA tags the message,
and instead of discarding the message (as set by the CommuniGate rule), it
delivers it to the recipient (a user of mine who is
On Wed, 5 Nov 2003 15:26:55 +0100 (CET), Tom Kuppens
[EMAIL PROTECTED] posted to spamassassin-talk:
I just installed spamassassin 2.60 and everything worked fine. However I
to get spamassassin running I need the perl HTML parser 3.24 (or older)
and on the machine I'm using (and I'm not
On Thu, 6 Nov 2003 02:25:52 -0700, [EMAIL PROTECTED] (Bob Proulx) posted to
spamassassin-talk:
In a nutshell a not too common address got hit from one IP address,
then a few seconds later from another IP address, then a few seconds
later from a third IP address. The first two were blocked
As has been discussed previously, when forwarding an email within most
MUAs you lose a lot of the header information of the original email, and
you will also teach bayes that spam looks like the headers that are
produced by your MUA. This happens to be a pretty bad idea.
I've been wondering about
I believe this is possible, but I have no idea how. It has recently
come to our attention that Spamcop is doing preemptive blocking of new
IP addresses that come online sending email. While I see the theory
behind this, there are MANY legitimate sites that need to use Dynamic
DNS for their mail
Hi list,
I've tried to install SpamAssassin 2.60 in vain on several boxes, the
error that always happens is this (when trying to start spamd) :
Can't locate Mail/SpamAssassin/Conf.pm in @INC (@INC contains: ../lib
/usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/5.6.0/i586-linux
Newbie Question...
I was wondering if anyone has any tricks to save me a little time. I
have just recently rebuild SA and could not bring over my old bayes
database so I have to start from scratch. Is there anyway to collect
emails from my users Groupwise accounts without having to manually open
You can use a meta rule to look for a combination of rules returning true.
Using this with either custom rules or the existing rules may do what you
are looking for.
I'm not positive on the exact syntax, both something like this might work.
metaMY_MULTI_RBL RCVD_IN_BL_SPAMCOP_NET
Danita Zanre Sent: Thursday, November 06, 2003 8:56 AM
I'd like a way to offset if they are hit by both rules.
Unless I lower the point values quite dramatically, many of these emails
are being blocked by virtue of the compounded scores and other sundry
hits. Being a simple soul, I need
-Original Message-
From: Danita Zanre [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 8:56 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Offsetting rules?
I believe this is possible, but I have no idea how. It has recently
come to our attention that Spamcop is doing
At 11:42 AM 11/6/03 +0100, Euro Cocolo wrote:
recently I've noticed this fault: when my MTA receives mail identified as
spam (score 7.0) from a specific external distribution list, SA tags the
message, and instead of discarding the message (as set by the CommuniGate
rule), it delivers it to
We are set up the same way. This is what I do:
Have a folder called ham in my outlook
I periodically drag ham to that folder
I then have an outlook rule that I only run on demand
This rule is set to redirect all messages in that folder to an e-mail
alias pointing to an mbox located on the SA box
It's from all over - I actually have an anti-spam service for my
clients, and so the potential is that it is multiple sites a day that
could be affected.
Of course the real solution to this one is to get Spamcop to back off
on this particular listing. I find it outrageous myself. Even in the US
My system has only two scoring options for the Razor2 matches.. 0-50, and
51-100.. I'd like to score those with a confidence of 90+ higher than those
with at 51..
What is the syntax to add to my local.cf files to allow this to happen.. or
can it happen?
Thanks!
Tom,
IANABE (I am not a bayesian expert) but with a naive understanding of the
algorithm, I think I can see value in learning an email that's already
scored at 1.000.
There were obviously a lot of spammy tokens in that email which bumped the
score to 1. However, even an email that scores 1 can
Thanks to all who replied. I should have metioned I was using
qmail-scanner 1.20rc3. There is an apparent bug in the sub spamassassin
routine that incorrectly removes invalid command line characters. I've
not fully tested it but it seems to solve my immediate problem.
The lines:
Since I'm stupid, you'll want to test this thoroughly.
In 20_body_checks.cf you'll find:
bodyRAZOR2_CF_RANGE_11_50 eval:check_razor2_range('11','50')
bodyRAZOR2_CF_RANGE_51_100 eval:check_razor2_range('51','100')
tflags RAZOR2_CF_RANGE_11_50 net
tflags RAZOR2_CF_RANGE_51_100
I noticed something last night regarding this certain spam, the unsub IP is
the same for all! I noticed my evilrules was hitting on 203.197.204.157. Did
a quick search:
This has ALL the makings of a spamhost. The main page is just a image for,
Cris inc. - mail worldwide. which would be odd since
I've recently seen a bit of spam (not caught by SA as I run it) with the
following as the contents of the plain text portion of the email:
snip
This message contains an HTML formatted message but your email client
does not support the display of HTML. Please view this message in a
different
Found in a Nov. 1 posting to the SpamCop discussion list:
SpamCop now implements pre-emptive blocking of hosts. This is based on
non-SUBE points (mail volume) alone, and is not related to complaints. If
a host has no mail volume within the past 7 days except for a 1 day or
less period where
On Thu, Nov 06, 2003 at 08:06:57AM -0800, Robert Leonard III wrote:
My system has only two scoring options for the Razor2 matches.. 0-50, and
51-100.. I'd like to score those with a confidence of 90+ higher than those
with at 51..
What is the syntax to add to my local.cf files to allow this
--On Wednesday, November 05, 2003 10:29 PM -0500 Bill Baker
[EMAIL PROTECTED] wrote:
I received 3 identical spams from the same e-mail address that did not
get classified as spam. I tried to do a sa-learn --spam on the message,
and it said it learned from 1 message, but when I tried to
I agree with the fact that the lock is not needed on spamc, but I don't
understand why this would produce an error. There are a lot of individuals
that use the lock with both spamassassin and spamc as a load control. Is it
possible that by using DROPPRIVS=yes removes the permissions necessary
On Thu, 6 Nov 2003, Robert Leonard III wrote:
My system has only two scoring options for the Razor2 matches.. 0-50, and
51-100.. I'd like to score those with a confidence of 90+ higher than those
with at 51..
What is the syntax to add to my local.cf files to allow this to happen.. or
can it
Jeff Lasman wrote:
I've recently seen a bit of spam (not caught by SA as I run it) with the
following as the contents of the plain text portion of the email:
snip
This message contains an HTML formatted message but your email client
does not support the display of HTML. Please view this
VSNL is, I believe, the largest ISP in India or at least in the top 2.
I'd tread lightly on blocking them if you do business with India at all.
-tom
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Chris Santerre
Sent: Thursday, November 06, 2003
On Nov 6, 2003 at 11:35, Chris Santerre wrote:
the same for all! I noticed my evilrules was hitting on 203.197.204.157. Did
a quick search:
This has ALL the makings of a spamhost. The main page is just a image for,
Cris inc. - mail worldwide. which would be odd since the site is in India!
That
On Wed, Nov 05, 2003 at 07:40:24PM -0500, Terry Milnes is rumored to have said:
Haha this guy Doctor Electron is a morong oops I defamed him...
As any lawyer (I'm not one) would tell you, the truth is an absolute defense. If what
you say is true, it can't be considered
On Thu, Nov 06, 2003 at 08:48:44AM -0800, Bart Schaefer wrote:
Found in a Nov. 1 posting to the SpamCop discussion list:
SpamCop now implements pre-emptive blocking of hosts. This is based on
non-SUBE points (mail volume) alone, and is not related to complaints. If
a host has no mail
On Thu, 6 Nov 2003 08:44:02 -0800
Jeff Lasman [EMAIL PROTECTED] wrote:
I've recently seen a bit of spam (not caught by SA as I run it) with
the following as the contents of the plain text portion of the email:
snip
This message contains an HTML formatted message but your email client
does
OK, I've been out voted ;)
Here is a link to the latest spam/ham stats for rules on the Emporium. These
are BEFORE the update. So newer rules aren't included. Maybe next week. Also
MY_DOMAIN and MY_OBFUT are having problems, I need to fix. Which you can
tell by the ratio.
The idea is that
At 11:44 AM 11/6/2003, Jeff Lasman wrote:
My question is simply is this okay to filter on? Or does anyone have
any experience of any legitimate email coming with this?
Lots of legitimate HTML newsletters come with this. It's pretty much a
standard thing to do.
On Thursday 06 November 2003 09:19 am, Satya wrote:
I would say pretty much everyone can block that IP at the firewall
if they wanted to. I'm thinking on blocking the whole /16 block, as
we don't do business with India.
Er, please don't. VSNL is (one of) India's largest ISPs. It'd be like
On Nov 6, 2003 at 11:35, Chris Santerre wrote:
the same for all! I noticed my evilrules was hitting on
203.197.204.157. Did
a quick search:
This has ALL the makings of a spamhost. The main page is
just a image for,
Cris inc. - mail worldwide. which would be odd since the
site is
Jeff Lasmanm Sent: Thursday, November 06, 2003 11:44 AM
snip
This message contains an HTML formatted message but your email client
does not support the display of HTML. Please view this message in a
different mail client or forward this email to a web-based mail system.
/snip
My question
Title: Message
Hello, I have
spamassassin installed with MailScanner on a redhat linux 9 box, acting as a
spam/virus relay. The mail is not ever stored on the spam relay box, it
just scans for viruses and spam, and then forward the mail on to the appropriate
mail server (it serves multiple
Tom Meunier [EMAIL PROTECTED] wrote:
If it's already 100% sure that it's spam, how is it helpful to train
it that it's spam? It's not like it's going to be 110% sure that it's
spam. It's already trained!
Not trying to be a wise-ass, I've just seen this question come up
fairly often, and
A thought on spammers oft-used sets of 'random' character lists in
emails...an example:
--
gnqplleqhzblll
u
wfjmvfe upvxoi lwhm
xqs
flckwrtsmufx irwajksqsnw er wcfjgfmk jugxfq
--
Seems to me that some tests can be made from these...
body 10_CONSONENTS /[bcdfghjklmnpqrstvwxz]{10}/
score
Hi,
I want to integrate SpamAssassin into another program using libspamc... is
this API documented somewhere?
I found the protocol info at
http://www.spamassassin.org/full/2.6x/dist/spamd/README.spamd , but I browsed
the site and the list archives looking for the specific functions in
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Euro Cocolo writes:
Hi all,
recently I've noticed this fault: when my MTA receives mail identified as spam
(score 7.0) from a specific external distribution list, SA tags the message,
and instead of discarding the message (as set by the
There is an excellent set of rules being tested now. Just more tweaking
needed. Your set is different. I'll give them a go and see how it pans out!
--Chris
-Original Message-
From: Greg Webster [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 1:59 PM
To: [EMAIL PROTECTED]
Hi
I'm sorry my English
I configured my SpamAssassin and Postfix with the following script filter:
#!/bin/sh
INSPECT_DIR=/var/spam
SENDMAIL=/usr/sbin/sendmail.postfix
SPAMASSASSIN=/usr/bin/spamc
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chris Thielen writes:
Tom,
IANABE (I am not a bayesian expert) but with a naive understanding of the
algorithm, I think I can see value in learning an email that's already
scored at 1.000.
There were obviously a lot of spammy tokens in that
Hallo und guten Abend Edward,
danke für die Email, die Du am 05.11.2003 um 02:15 schriebst - you wrote:
Jim Knuth wrote:
of course, I use Debian too. Why read SA in two folders (configs)?
What is with /etc/mail/spamassassin/local.cf ? Ignore? Can I delete this?
No, you cannot delete that,
RedHat 6.2, Perl 5.6.1, SpamAssassin 2.55
Hello,
This morning I came into the office to find that qmail-scanner had gone
insane and lots all nights emails for me. I rebooted the system to try to
get everything back to ground zero. The problem was that the spamd init
script decided to hang and
At 11:18 AM -0500 11/6/03, Larry Gilson wrote:
I agree with the fact that the lock is not needed on spamc, but I don't
understand why this would produce an error. There are a lot of individuals
that use the lock with both spamassassin and spamc as a load control. Is it
possible that by using
angstrom
Armstrong
Bergstrom
birthplace
birthplaces
bremsstrahlung
corkscrew
Dijkstra
downstream
hardscrabble
jockstrap
Knightsbridge
lengthly
lengths
lengthwise
Lindstrom
Longstreet
Nietzsche
nightclub
Nordstrom
offspring
postscript
postscripts
Rothschild
sportswriter
sportswriting
strengths
I'm wondering if it is possible to provide per-user bayes learning without
having accounts on the SA server for each user. Has anyone done anything
like this?
I'm running it with amavisd-new, and am running it with site-wide bayes. The
spams/hams to learn come from a public folder, and generally
Thanks for clarifying Pete!
--Larry
-Original Message-
From: Pete Hanson [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 2:52 PM
To: Larry Gilson; [EMAIL PROTECTED]
Subject: RE: [SAtalk] lock problems with SPAMC
At 11:18 AM -0500 11/6/03, Larry Gilson wrote:
I
Here's my init script (copied from the recommended RedHat
script from SA
tarball)
#!/bin/sh
#
# spamassassin This script starts and stops the spamd daemon
#
# chkconfig: 2345 80 30
#
# description: spamd is a daemon process which uses
SpamAssassin to check
# email
Hallo und guten Abend Edward,
danke für die Email, die Du am 06.11.2003 um 22:16 schriebst - you wrote:
Jim Knuth wrote:
Hallo und guten Abend Edward,
danke für die Email, die Du am 05.11.2003 um 02:15 schriebst - you wrote:
Jim Knuth wrote:
of course, I use Debian too. Why read SA
Jim Knuth wrote:
Hallo und guten Abend Edward,
danke für die Email, die Du am 05.11.2003 um 02:15 schriebst - you wrote:
Jim Knuth wrote:
of course, I use Debian too. Why read SA in two folders (configs)?
What is with /etc/mail/spamassassin/local.cf ? Ignore? Can I delete this?
No, you
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chris Santerre writes:
OK, I've been out voted ;)
Here is a link to the latest spam/ham stats for rules on the
Emporium. These
are BEFORE the update. So
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Bob Proulx writes:
A friend found an interesting occurance in his log files. Looking
more closely we have found at least two cases of this. Basically here
is the sequence at the end of this message.
In a nutshell a not too common address got hit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chris Santerre writes:
OK, I've been out voted ;)
Here is a link to the latest spam/ham stats for rules on the Emporium. These
are BEFORE the update. So newer rules aren't included. Maybe next week. Also
MY_DOMAIN and MY_OBFUT are having problems, I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Matt Kettler writes:
Spamcop was historically a donation required service, and that status
kept it out of the default test set. Spamcop now is merely a donations
accepted service, so I suspect it will eventually work it's way into the
test set.. I
Hi
I just got a spam message which fakes two links 'into yahoo.com'
by using an unrestricted redirector on a yahoo webserver.
I think I have seen those a while ago.
Did somebody create/collect 'uri-rules' for known redirectors
which can be abused this way?
I created the following rule for them
We have spam
assassin running, some users didnt get spam before hand and I wanted to know if
there is a ignore_usr option to completely ignore specified email addresses?
Thanks
Ok, I am running on Solaris 8, latest version of Spamassassin, perl 5.8.
For some reason when using the 'spamassassin' executable, razor works.
When I try to switch over to spamc/spamd everything works except razor.
There isnt even anything in the logs referring to razor.
I am running spamd
Hi all,
I am currently picking up mail from a load of pop3 accounts, passing them by
spamassissin into local pop3 boxes on our mail server
fetchmailprocmail(spamd)courier-pop3
Any suggestions on how I can add some antivirus into the mix, as another
procmail recipe perhaps?
--
Rick
Kitty5
Justin Mason wrote:
CPAN thinks of them both as 2.60, and doesn't differentiate between finals
and RC's.
Update with a tarball.
Great. We'll have to avoid using rcN designations in future I think...
I think that there was some discussion about changing the CPAN indexer to use
the 'version'
Rick [Kitty5] Sent: Thursday, November 06, 2003 7:33 AM
I am currently picking up mail from a load of pop3 accounts, passing them
by
spamassissin into local pop3 boxes on our mail server
fetchmailprocmail(spamd)courier-pop3
Any suggestions on how I can add some antivirus into the mix, as
Paul M wrote:
We have spam assassin running, some users didnt get spam before hand and
I wanted to know if there is a ignore_usr option to completely ignore
specified email addresses? Thanks
I think all_spam_to in local.cf is what you probably want. From
Mail::SpamAssassin::Conf:
whitelist_to
Chr. von Stuckrad [EMAIL PROTECTED] wrote:
I created the following rule for them
# Special abused yahoo-redirector
uri YAHOO_REDIR /srd.yahoo.com\/drst\/illuminating\/\*http:/
score YAHOO_REDIR 2
describe YAHOO_REDIRcontains url of an abused unrestricted redirector
The
A few days ago I posted that basic script I used to feed emails into
bayes via email, there is a small bug in that the first one will work
but ones afterwards won't because ripmime doesn't overwrite the files.
If you haven't already fixed it, just change the script so it either
clears the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Keith C. Ivey writes:
The illuminating part is just a random word. It will be
different in the next message. I'd make it
uri YAHOO_REDIR /srd.yahoo.com\/drst\/.*\*http:/
Actually, it doesn't need those at all. e.g.:
On Thu, Nov 06, 2003 at 08:48:44AM -0800, Bart Schaefer wrote:
Found in a Nov. 1 posting to the SpamCop discussion list:
SpamCop now implements pre-emptive blocking of hosts. This is based on
non-SUBE points (mail volume) alone, and is not related to complaints. If
a host has no mail
Justin Mason [EMAIL PROTECTED] wrote:
Actually, it doesn't need those at all. e.g.:
http://srd.yahoo.com/*http://taint.org
Sorry, I should have checked more thoroughly. Interestingly
(though really not surprisingly), this works too:
http://srd.yahoo.com/*http:/taint.org
But this
Hi Mike,
Thanks for the tip. I did not know about the dictionary. I have had a rule
testing the following:
4c-1/2v-3c
/[0-9bcdfghjklmnpqrstvwxz]{4,}[aeiouy]{1,2}[0-9bcdfghjklmnpqrstvwxz]{3,}/i
This would yield 52 FPs.
Varying the combination results in the following:
5c-1/2v-3c - 2 FP
Sounds more like you need to fix a Postfix configuration problem rather than
masking the problem by not sending notifications. Was your configuration
working during tests, before you put it into production?
You might want to look at SecuritySage for some configuration details.
81 matches
Mail list logo
