Re: A mail seems to bypass spamd (3rd try)

2004-07-26 Thread Scot L. Harris
On Mon, 2004-07-26 at 16:12, JGrotepass wrote: > Hello List, > as a new "SA" user I am pretty happy with our current implementation. Here > the configuration: > - QMAIL -> via modified qmail-queue calls-> > - SA (Vers. 2.63) (spamd) -> to > - Sophos-Mailmonitor -> to > - Exchange Server > > Platfo

Re: Syntax error on line 1 near eval:

2004-07-26 Thread Jeff Chan
On Monday, July 26, 2004, 4:00:53 PM, David Groce wrote: > I am cross posting, but I need to find an answer quick. I finally removed > my rpm installation of Spamassassin and installed via CPAN, which allowed me > to install the SpamCopURI plugin as well. When I run spamain --lint, I > get an

Syntax error on line 1 near eval:

2004-07-26 Thread David Groce
I am cross posting, but I need to find an answer quick. I finally removed my rpm installation of Spamassassin and installed via CPAN, which allowed me to install the SpamCopURI plugin as well. When I run spamain --lint, I get an error on the SpamCopURI.cf Specifically: Failed to compile URI

Re: Spamd dying

2004-07-26 Thread Jeff Chan
On Monday, July 26, 2004, 9:13:16 AM, Fred Fred wrote: > Loren Wilton wrote: >> Since you are using spamcop, I'd guess you could drop sc_top200. I >> think those two are related. > Not related, sc_top200 is the top 200 senders of spam based on IP address, > targetting recent hijacked high utilize

Re: URL obfuscation circumvents SURBL checks

2004-07-26 Thread Jeff Chan
On Monday, July 26, 2004, 12:32:43 PM, Ryan Thompson wrote: > Ben Poliakoff wrote to [EMAIL PROTECTED]: >> If you add "http://" to "MUNGEDgaming-money.com" both SA 2.63 with >> SpamCopURI and SA 3.0rc2 register SURBL hits (the domain is listed in >> several SURBL zones). But the bare domain name

Re: Modifying the envelope information

2004-07-26 Thread Ryan Thompson
nadim wrote to [EMAIL PROTECTED]: On Monday 26 July 2004 10:45 pm, Daniel Quinlan wrote: > nadim <[EMAIL PROTECTED]> writes: > > > > I'm also very interested by an answer as I want my daughters spam (6 > > years old) to be routed to me. > > If it's a six-year-old's email, you really want some sort

RE: A mail seems to bypass spamd (3rd try)

2004-07-26 Thread Dan Kohn
http://wiki.apache.org/spamassassin/NoProcessOnOverload - dan -- Dan Kohn -Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of JGrotepass Sent: Monday, July 26, 2004 14:01 To: [EMAIL PR

Re: A mail seems to bypass spamd (3rd try)

2004-07-26 Thread Dimitrios
On Mon, 26 Jul 2004 23:01:29 +0200 "JGrotepass" <[EMAIL PROTECTED]> wrote: > ... Search? What kind of keywords. I'm pretty new in this list so I have > no idea what kind of Subject or keyword I should use for this specific > behavior. Look for my thread with subject: Subject: some emails are

Re: Modifying the envelope information

2004-07-26 Thread nadim
On Monday 26 July 2004 10:45 pm, Daniel Quinlan wrote: > nadim <[EMAIL PROTECTED]> writes: > > I'm also very interested by an answer as I want my daughters spam (6 > > years old) to be routed to me. > > If it's a six-year-old's email, you really want some sort of parental > mail filtering system w

Re: A mail seems to bypass spamd (3rd try)

2004-07-26 Thread JGrotepass
Dimitrios wrote: On Mon, 26 Jul 2004 22:12:32 +0200 "JGrotepass" <[EMAIL PROTECTED]> wrote: Does anybody have an idea why SA does not touch this mail? i've had the exact same problem. One or two emails per month go through to my inbox, without a single SA header. the weird thing is, i'm using a co

Re: Where's Spamd?

2004-07-26 Thread Bob McClure Jr
On Mon, Jul 26, 2004 at 01:45:47PM -0700, David Groce wrote: > I found it in a bugtraq on redhat's site and someone recommended it there. > My next issue is when I run spamd and my local delivery command in postfix > is > /usr/bin/spamc -f | /usr/local/bin/maildrop > My maillogs report the followin

Re: A mail seems to bypass spamd (3rd try)

2004-07-26 Thread Dimitrios
On Mon, 26 Jul 2004 22:12:32 +0200 "JGrotepass" <[EMAIL PROTECTED]> wrote: > Does anybody have an idea why SA does not touch this mail? i've had the exact same problem. One or two emails per month go through to my inbox, without a single SA header. the weird thing is, i'm using a completely diffe

Re: Modifying the envelope information

2004-07-26 Thread Daniel Quinlan
nadim <[EMAIL PROTECTED]> writes: > I'm also very interested by an answer as I want my daughters spam (6 > years old) to be routed to me. If it's a six-year-old's email, you really want some sort of parental mail filtering system where EVERY sender or EVERY email is okayed by you. A spam filter

RE: Where's Spamd?

2004-07-26 Thread David Groce
I found it in a bugtraq on redhat's site and someone recommended it there. My next issue is when I run spamd and my local delivery command in postfix is /usr/bin/spamc -f | /usr/local/bin/maildrop My maillogs report the following: spamd[23040]: Scalar found where operator expected at (eval 31) lin

Re: Modifying the envelope information

2004-07-26 Thread Scott C. Villinski
Bob McClure Jr wrote: On Mon, Jul 26, 2004 at 02:16:24PM -0600, Scott C. Villinski wrote: I've got SA running with Postfix and it's working just fine. However, I wanted to modify spamd so that any detected SPAM would be routed to a different user. How can I go about modifying the envelope info

Re: Modifying the envelope information

2004-07-26 Thread Bob McClure Jr
On Mon, Jul 26, 2004 at 02:16:24PM -0600, Scott C. Villinski wrote: > I've got SA running with Postfix and it's working just fine. However, I > wanted to modify spamd so that any detected SPAM would be routed to a > different user. How can I go about modifying the envelope information? > Righ

A mail seems to bypass spamd (3rd try)

2004-07-26 Thread JGrotepass
Hello List, as a new "SA" user I am pretty happy with our current implementation. Here the configuration: - QMAIL -> via modified qmail-queue calls-> - SA (Vers. 2.63) (spamd) -> to - Sophos-Mailmonitor -> to - Exchange Server Platform: Solaris 2.9 The qmail-queue is modified as follows: /usr/local

Re: Where's Spamd?

2004-07-26 Thread Bob McClure Jr
On Mon, Jul 26, 2004 at 01:22:48PM -0700, David Groce wrote: > found the answer, need the > export LANG=en_US > > Ran through the install just fine. > Thanks again for the help. Wow! That's sufficiently obscure. See also http://www.rhil.net/docs/faq.html#funny_chars I guess you can disregard

Re: Where's Spamd?

2004-07-26 Thread Bob McClure Jr
On Mon, Jul 26, 2004 at 01:16:02PM -0700, David Groce wrote: > I looked in /root/.cpan/build and there wasn't a > Mail-Spamassasin2.63.tar.gz, just a Mail-SpamAssassin-SpamCopURI.tar.gz. So > I was going to force a reinstall from CPAN, and it chugged through it and > asked for the administrator ad

Re: Modifying the envelope information

2004-07-26 Thread nadim
On Monday 26 July 2004 10:16 pm, Scott C. Villinski wrote: > I've got SA running with Postfix and it's working just fine. However, I > wanted to modify spamd so that any detected SPAM would be routed to a > different user. How can I go about modifying the envelope information? > Right now I'm a

RE: Where's Spamd?

2004-07-26 Thread David Groce
found the answer, need the export LANG=en_US Ran through the install just fine. Thanks again for the help. -Original Message- From: David Groce [mailto:[EMAIL PROTECTED] Sent: Monday, July 26, 2004 1:16 PM To: Bob McClure Jr; Spam Assassin List Subject: RE: Where's Spamd? I looked in /

Modifying the envelope information

2004-07-26 Thread Scott C. Villinski
I've got SA running with Postfix and it's working just fine. However, I wanted to modify spamd so that any detected SPAM would be routed to a different user. How can I go about modifying the envelope information? Right now I'm able to modify the headers, but Postfix still routes the message

RE: Where's Spamd?

2004-07-26 Thread David Groce
I looked in /root/.cpan/build and there wasn't a Mail-Spamassasin2.63.tar.gz, just a Mail-SpamAssassin-SpamCopURI.tar.gz. So I was going to force a reinstall from CPAN, and it chugged through it and asked for the administrator address to include in the report, but then I received the following err

Re: Where's Spamd?

2004-07-26 Thread Bob McClure Jr
On Mon, Jul 26, 2004 at 12:42:41PM -0700, David Groce wrote: > After sending my last reply, I find now that there is no spamc either > At least not in /usr/bin where it used to live. Any ideas? As per my answer to your previous reply, see if you can find where it was built and copy it to the

Re: Where's Spamd?

2004-07-26 Thread Bob McClure Jr
On Mon, Jul 26, 2004 at 12:41:04PM -0700, David Groce wrote: > Thanks for the file, I did find the file called spamassassin.rpmsave in > /etc/rc.d/init.d. I first tried to use your spamassasin file you sent and > it would run and die in an instant, no spamd process running. So I did some > lookin

RE: Where's Spamd?

2004-07-26 Thread David Groce
After sending my last reply, I find now that there is no spamc either At least not in /usr/bin where it used to live. Any ideas? -Original Message- From: Bob McClure Jr [mailto:[EMAIL PROTECTED] Sent: Monday, July 26, 2004 12:23 PM To: Spam Assassin List Subject: Re: Where's Spamd?

Re: AWL Problem?

2004-07-26 Thread spam
On Mon, Jul 26, 2004 at 12:45:43PM -0600, Ryan Thompson wrote: > >Received: from cm218-254-187-100.hkcable.com.hk > >(cm218-254-187-100.hkcable.com.hk [218.254.187.100]) > > > >And SA 2.63 scored it like this: > > > >X-Spam-Status: No, hits=-40.4 required=7.0 > >tests=AWL,BAYES_99,DRUGS_ERECTILE,

RE: Where's Spamd?

2004-07-26 Thread David Groce
Thanks for the file, I did find the file called spamassassin.rpmsave in /etc/rc.d/init.d. I first tried to use your spamassasin file you sent and it would run and die in an instant, no spamd process running. So I did some looking around and I found a spamd.old file I had made when I made a change

Re: SA 3.0 ALL_TRUSTED rule

2004-07-26 Thread Andy Jezierski
Daniel Quinlan <[EMAIL PROTECTED]> wrote on 07/26/2004 12:41:42 PM: > Andy Jezierski <[EMAIL PROTECTED]> writes: > > > I've been noticing that the ALL_TRUSTED rule is being triggered on quite a > > few messages that are not coming from trusted networks. I've never had any > > entries specifie

Re: URL obfuscation circumvents SURBL checks

2004-07-26 Thread Ryan Thompson
Ben Poliakoff wrote to [EMAIL PROTECTED]: [ resending in case the original message was blocked - apologies for the duplication ] Are others seeing a lot of spam that contain this sort of thing: Not any that make it through. :-) > Collect $20 to play our internet casino with, no deposit is > n

Re: Where's Spamd?

2004-07-26 Thread Bob McClure Jr
On Mon, Jul 26, 2004 at 12:07:34PM -0700, David Groce wrote: > I'm working on removing my RPM install of Spamassassin, and installing from > CPAN. I did the removal, and I successfully installed both Spamassassin and > SpamCopURI (the real motivator behind this move) so now I'm looking to get > Sp

Re: Bayes poisining?

2004-07-26 Thread Ryan Thompson
[EMAIL PROTECTED] wrote to [EMAIL PROTECTED]: > Hi > > I have had a spam get thru which scored very low on bayes - not > surprisingly - the mail was a few mangled lines, a URL and the a "ton" > of lines of a random extract from some document. > > My question is this: with the vast majority of t

URL obfuscation circumvents SURBL checks

2004-07-26 Thread Ben Poliakoff
[ resending in case the original message was blocked - apologies for the duplication ] Are others seeing a lot of spam that contain this sort of thing: > Collect $20 to play our internet casino with, no deposit is necessary! > Type in: MUNGEDgaming-money.com into your address bar, >

Where's Spamd?

2004-07-26 Thread David Groce
I'm working on removing my RPM install of Spamassassin, and installing from CPAN. I did the removal, and I successfully installed both Spamassassin and SpamCopURI (the real motivator behind this move) so now I'm looking to get Spamd to run as well as always run on startup, but I can't even find a

Re: AWL Problem?

2004-07-26 Thread Ryan Thompson
[EMAIL PROTECTED] wrote to [EMAIL PROTECTED]: Hi all, Had a question about AWL. Does it just look at the From header or does it look at the sending IP as well? http://wiki.apache.org/spamassassin/AutoWhitelist 1.2. How Does It Work? The algorithm works using a database of entries. Each entry has a

Bayes.pm: oops! still tied to Bayes DBs, untie'ing

2004-07-26 Thread Ryan Thompson
Hi all, Since moving to MIMEDefang, I'm getting "oops! still tied to Bayes DBs, untie'ing" quite frequently (a few hundred times a day or so). It occurs fairly predictably when MIMEDefang is restarted, but also occurs during normal use. I did look at the relevant code in Bayes.pm (3.0.0-pre2), and

Re: Newbie questions

2004-07-26 Thread LuKreme
On 26 Jul 2004, at 06:27, nadim wrote: Hi guys, thank you for your quick answers. I'll try to give you the details you are missing. On Monday 26 July 2004 01:31 am, John Andersen wrote: The fact that these rcvd rules showed up ONLY when you ran it again suggests all the tests are not running by d

AWL Problem?

2004-07-26 Thread spam
Hi all, Had a question about AWL. Does it just look at the From header or does it look at the sending IP as well? Asking because I just start receiving spam from this server with my email address as the From: Received: from cm218-254-187-100.hkcable.com.hk (cm218-254-187-100.hkcable.com.hk [218

Re: SA 3.0 ALL_TRUSTED rule

2004-07-26 Thread Daniel Quinlan
Andy Jezierski <[EMAIL PROTECTED]> writes: > I've been noticing that the ALL_TRUSTED rule is being triggered on quite a > few messages that are not coming from trusted networks. I've never had any > entries specified for trusted networks, has something changed in SA3? > Couldn't find anything in

Bayes poisining?

2004-07-26 Thread ddv
Hi I have had a spam get thru which scored very low on bayes - not surprisingly - the mail was a few mangled lines, a URL and the a "ton" of lines of a random extract from some document. My question is this: with the vast majority of the mail looking like legitimate content, can I still safely tr

Re: Spamd dying

2004-07-26 Thread Fred
Loren Wilton wrote: > Since you are using spamcop, I'd guess you could drop sc_top200. I > think those two are related. Not related, sc_top200 is the top 200 senders of spam based on IP address, targetting recent hijacked high utilized pc's for spamming. The list is generated from the Top 200 sp

SA 3.0 ALL_TRUSTED rule

2004-07-26 Thread Andy Jezierski
I've been noticing that the ALL_TRUSTED rule is being triggered on quite a few messages that are not coming from trusted networks. I've never had any entries specified for trusted networks, has something changed in SA3? Couldn't find anything in the docs. Anyone have any ideas? Here's a samp

Re: Yahoo forged rules on legit email

2004-07-26 Thread Bob Apthorpe
On Fri, 23 Jul 2004 19:22:18 +0200 Marc Kool <[EMAIL PROTECTED]> wrote: > John Hardin wrote: > > > Personally, I think it's a bad idea these days to accept SMTP from > > dynamic IP addresses in the first place. It shouldn't have even gotten > > as far as SpamAssassin - a DNSBL should have rejected

Re: Quick start guide for CPAN

2004-07-26 Thread mike
Kenneth Porter wrote: --On Friday, July 23, 2004 4:05 PM -0700 Jeff Chan <[EMAIL PROTECTED]> wrote: OK I heard that Linux had an automatic installer like FreeBSD ports, though I forgot what it was called. :-) Not automatic, and only some distros use RPM (notably Red Hat and Mandrake). Note th

Re: Quick start guide for CPAN

2004-07-26 Thread Russ Uhte
Bob McClure Jr wrote: I've not used portinstall enough to know how well it handles dependencies. One of my clients has their stuff hosted on FreeBSD machines, so that is my only exposure to the ports. I wind up not using them much because they don't keep very current stuff there. They have Perl v

RE: [RDJ] Is it broken?

2004-07-26 Thread Chris Santerre
Are you getting lint errors with HTML code in them? Chris T. posted something about deleting files that corrects this problem. I'll see if I can find the post. --Chris >-Original Message- >From: Gary Smith [mailto:[EMAIL PROTECTED] >Sent: Monday, July 26, 2004 12:02 AM >To: Edward Shornoc

Re: Newbie questions

2004-07-26 Thread nadim
Hi guys, thank you for your quick answers. I'll try to give you the details you are missing. On Monday 26 July 2004 01:31 am, John Andersen wrote: > The fact that these rcvd rules showed up ONLY when you ran it > again suggests all the tests are not running by default in your > normal setup. I o

Re: further spam detection algorithms

2004-07-26 Thread Loren Wilton
> A quite interesting HTML code to cheat the filters > > http://www=2espyware-killer-software=2ecom/cgi-bin/rd=2ecgi= > ?IvC7R3lvJb">http://www=2espyware-killer-software=2ecom/cgi-bin/rd=2ecgi?=Iv C7R3lvJb > > space substituted by "3d" > dot (.) substituted by "=2e" > ? substituted by "=?" This is

Re: Spamd dying

2004-07-26 Thread Loren Wilton
> I am still using the following, which looks like an overkill. > > 70_sare_adult.cf > 70_sare_bayes_poison_nxm.cf > 51 70_sare_header_abuse.cf > 70_sare_oem.cf > 70_sare_random.cf > 70_sare_specific.cf > 70_sare_spoof.cf > 70_sc_top200.cf > 99_FVGT_Tripwire.cf > 99_sare_fraud_post25x.cf > antidrug

Re: further spam detection algorithms

2004-07-26 Thread Rakesh
Justin Mason said: In the technology, when a mail comes in it is first cleared of the HTML tags so words like viagra is brought to its original clear text form. Then on this cleared message the entropy type compression that you have suggested is carried out and the ratio of similarity is matche

RE: Spamd dying

2004-07-26 Thread Thomas Kinghorn
> -Original Message- > From: Jeff Chan [mailto:[EMAIL PROTECTED] > > Did you remember to get rid of sa-blacklist and bigevil.cf? > If you're hopefully using ws.surbl.org instead, then you > don't need them and they're very large in memory. > > Jeff C. > -- Morning Jeff. Yip, removed t

Re: Spamd dying

2004-07-26 Thread Jeff Chan
On Monday, July 26, 2004, 12:01:56 AM, Thomas Kinghorn wrote: > Hi List > Does anyone know of memory leaks with SA 2.63? > My server keeps running out of memory: > Jul 25 13:33:56 rb-mx-1 kernel: Out of Memory: Killed process 15754 (spamd). > Jul 25 13:38:39 rb-mx-1 kernel: Out of Memory: Killed

Re: further spam detection algorithms

2004-07-26 Thread Lucas Albers
Justin Mason said: >> In the technology, when a mail comes in it is first cleared of the HTML >> tags so words like viagra is brought to its original >> clear text form. Then on this cleared message the entropy type >> compression that you have suggested is carried out and the ratio of >> similar

Spamd dying

2004-07-26 Thread Thomas Kinghorn
Hi List Does anyone know of memory leaks with SA 2.63? My server keeps running out of memory: Jul 25 13:33:56 rb-mx-1 kernel: Out of Memory: Killed process 15754 (spamd). Jul 25 13:38:39 rb-mx-1 kernel: Out of Memory: Killed process 13622 (spamd). Jul 25 13:45:10 rb-mx-1 kernel: Out of Memory: K

Re: Can someone spell out what info SA wants from a MTA?

2004-07-26 Thread Justin Mason
Jason Haar writes: > I'm the author of Qmail-Scanner - a MTA-level content-filter for Qmail, and > I want to check that Q-S will totally support all the cool new options in > SA-3.0 :-) > > Obviously SA wants to be passed a complete e-mail message -

Re: further spam detection algorithms

2004-07-26 Thread Justin Mason
Rakesh writes: > Lucas, > > The concept seems to be interesting, but BrightMail one of the biggest > Spam Control company, uses a combination of these two tests (Entropy and > HTML test). Which they call it as BrightSig2 technology and is > unfort

Can someone spell out what info SA wants from a MTA?

2004-07-26 Thread Jason Haar
Hi there I'm the author of Qmail-Scanner - a MTA-level content-filter for Qmail, and I want to check that Q-S will totally support all the cool new options in SA-3.0 :-) Obviously SA wants to be passed a complete e-mail message - that's easy - what I'm concerned about is other "meta info" - like

RE: [RDJ] Is it broken?

2004-07-26 Thread Gary Smith
I still haven't been able to pull a good update from our production servers since before last weekend (10 days or so). I think I have tracked down the problem to being part of the randomization of the RDJ script which will cause it to run more than once in a 24 hour period (because of it's randomi

ANNOUNCE: How to report false positives in ob.surbl.org to OutBlaze

2004-07-26 Thread Jeff Chan
We've updated the SURBL Lists document to add information about how to contact OutBlaze with reports about false positives in ob.surbl.org: http://www.surbl.org/lists.html "Please report false positives found in the ob list to postmaster at outblaze dot com. Be sure to include a supporting e

Re: [RDJ] Is it broken?

2004-07-26 Thread Edward Shornock
Matt Yackley wrote: Hi all, While SARE is discussing the possibility of using mirrors and several folks are offering, I just want to throw a little info out there... One of the more recent examples cited to us by the fine folks hosting rulesemporium.com was the usage for July 14th, over 2.5 GB of d