RE: Odd behaviour under load.

2009-05-08 Thread Charles Gregory
On Fri, 8 May 2009, John Hardin wrote: ... my SMTP front end ("Mail Avenger") has a bug that prevents me from properly using 'spamc' You can probably work around it, though, by playing some PATH games and getting Mail Avenger to see a shell script named "spamassassin" (that actually runs

Re: Rule to detect same address in sender and receiver

2009-05-08 Thread Karsten Bräckelmann
Quite late here, so my logic might be a little bit fuzzy or blurred... On Sat, 2009-05-09 at 03:20 +0200, Benny Pedersen wrote: > meta __SPF_NOT_PASS (!SPF_PASS) > meta __NOT_LOCAL_TRUSTED (!NO_RELAYS || !ALL_TRUSTED) Equivalent to ! ( NO_RELAYS && ALL_TRUSTED ) Probably not what you intended.

Re: Rule to detect same address in sender and receiver

2009-05-08 Thread Benny Pedersen
On Fri, May 8, 2009 14:47, McDonald, Dan wrote: > I would rather have: > blacklist_unless_auth @gmail.com > blacklist_unless_auth @yahoo.* meta __SPF_NOT_PASS (!SPF_PASS) meta __NOT_LOCAL_TRUSTED (!NO_RELAYS || !ALL_TRUSTED) meta BLACKLIST_SPF (__SPF_NOT_PASS && __NOT_LOCAL_TRUSTED) describe BLAC

Re: mcafee sees drop in spam?

2009-05-08 Thread Jonas Eckerman
Chris Hoogendyk wrote: The first quarter ended just over a week ago. Actually, it ended over a month ago. Michael Scheidell wrote: > looks like mcafee sees a 20% drop in spam? > wonder what that is about. I'm not seeing a drop in ATTEMPTED spam I see a recent (late april or early may) increa

Re: [SA] Stacked word sentences.

2009-05-08 Thread Karsten Bräckelmann
On Fri, 2009-05-08 at 19:09 -0400, Adam Katz wrote: > Finally, IIRC, some of the fuzzy checksum mechanisms go by patterns > that take a keen interest in paragraph structure like that (or at > least one was mentioned as well-loved at the last MIT Spam > Conference), so make sure you're using Razor2,

Re: [SA] Stacked word sentences.

2009-05-08 Thread John Hardin
On Fri, 8 May 2009, Adam Katz wrote: John Hardin wrote: rawbody __TWO_WORD_LINES /^\S\+\s\+\S\+$/ tflags __TWO_WORD_LINES multiple meta STACKED_TEXT (__TWO_WORD_LINES > 10) Likely somewhat FP-prone... I think quite FP-prone; think about emailed system logs, lists, invoices, etc. Your ex

Re: Best way to invoke SA?

2009-05-08 Thread mouss
John Hardin wrote: > On Wed, 6 May 2009, Adam Katz wrote: > >> SpamAssassin does not need to run on your outbound server. > > It could be argued that doing so is useful to detect intrusions that > result in a spambot being installed on the local network. > For that to be really helpful, one

Re: [SA] Stacked word sentences.

2009-05-08 Thread Adam Katz
John Hardin wrote: > rawbody __TWO_WORD_LINES /^\S\+\s\+\S\+$/ > tflags __TWO_WORD_LINES multiple > meta STACKED_TEXT (__TWO_WORD_LINES > 10) > > Likely somewhat FP-prone... I think quite FP-prone; think about emailed system logs, lists, invoices, etc. Your example used lots of real words, s

Re: Stacked word sentences.

2009-05-08 Thread John Hardin
On Fri, 8 May 2009, John Hardin wrote: On Fri, 8 May 2009, fchan wrote: I'm getting this new spam which they use stacking of words to make a sentence and I would like to make a rule against it. How does spamassassin handle this type of stuff? Can I use rawbody? We're interested

Re: Stacked word sentences.

2009-05-08 Thread John Hardin
On Fri, 8 May 2009, fchan wrote: I'm getting this new spam which they use stacking of words to make a sentence and I would like to make a rule against it. How does spamassassin handle this type of stuff? Can I use rawbody? We're interested in hearing your thoughts on these articles,

Stacked word sentences.

2009-05-08 Thread fchan
I'm getting this new spam which they use stacking of words to make a sentence and I would like to make a rule against it. How does spamassassin handle this type of stuff? Can I use rawbody? Below is a sample of this: We're interested in hearing your thoughts on these articles, and learning abo

Re: Turn on verbose logging in the headers

2009-05-08 Thread Karsten Bräckelmann
On Fri, 2009-05-08 at 15:16 -0500, Tim Connolly wrote: > I’m running a CentOS5.2 box with Cpanel. How you actually incorporate the settings mentioned below will be left as an exercise to the reader, or a cpanel support thingy. :) > How do I turn on verbose logging so that within each message head

Turn on verbose logging in the headers

2009-05-08 Thread Tim Connolly
I'm running a CentOS5.2 box with Cpanel. How do I turn on verbose logging so that within each message header I see each rules results?

RE: Odd behaviour under load.

2009-05-08 Thread John Hardin
On Fri, 8 May 2009, Charles Gregory wrote: As a side note, for people wondering why my SA is so slow, I thought I would mention that my SMTP front end ("Mail Avenger") has a bug that prevents me from properly using 'spamc', so all load issues are compounded by having to use 'spamassassin'. Fo

Re: custom scores not working

2009-05-08 Thread Karsten Bräckelmann
On Thu, 2009-05-07 at 15:40 +0200, Karsten Bräckelmann wrote: > On Thu, 2009-05-07 at 07:28 -0600, LuKreme wrote: > > > > with 3.2.5 i can't get custom scores working. > > > i usually added them in /etc/mail/spamassassin/x_90_scores.cf > > > > This is NOT how you add custom scores to SA. > > Uh

RE: Odd behaviour under load.

2009-05-08 Thread Charles Gregory
On Fri, 8 May 2009, Mark wrote: Okay, working from the idea that indeed the connecting client is timing out waiting for the "250 OK" after sending the message, I would think DNS lookups are the most costly, time-wise. So, I would examine the RBL lookups first: it only takes the presence of one

RE: Odd behaviour under load.

2009-05-08 Thread Charles Gregory
On Fri, 8 May 2009, John Hardin wrote: I suspect the sender is timing out waiting for the "250 OK" after sending the message, hence my (humorous) "100 Please hold..." suggestion. (Jeeze, SM, lighten up!) (nod) I should not have said "data command". Apologies again. And I can see a busy list s

Re: [sa] RE: Odd behaviour under load.

2009-05-08 Thread Charles Gregory
On Fri, 8 May 2009, Mark wrote: Headers are part of the DATA stream. Hence, at the time a connecting server is awaiting your "354 Start Input" reply to their DATA command My apologies. I have misled with the phrase 'data command'. I was referring to the response that the sending server exp

Re: mcafee sees drop in spam?

2009-05-08 Thread Marc Perkel
Maybe it's an old story. I saw a drop last fall but it's come back since then. Jason Staudenmayer wrote: -Original Message- From: Michael Scheidell [mailto:scheid...@secnap.net] Sent: Friday, May 08, 2009 10:57 AM To: SpamAssassin Users List Subject: mcafee sees drop in spam? loo

Re: mcafee sees drop in spam?

2009-05-08 Thread Chris Hoogendyk
Randy wrote: Michael Scheidell wrote: looks like mcafee sees a 20% drop in spam? wonder what that is about. I'm not seeing a drop in ATTEMPTED spam (I see MORE ATTEMPTED spam). Mostly this new 'blank email with a png' in it. Sanesecurity rules seem to be keeping up with it for the most p

Re: mcafee sees drop in spam?

2009-05-08 Thread Randy
Martin Hepworth wrote: Spamcop stats don't show this - yes the number of picture spams is going up, but not spam generally. http://www.spamcop.net/spamgraph.shtml?spamyear -- Martin Hepworth Oxford, UK 2009/5/8 Michael Scheidell > looks like mcafee sees a 20

RE: Odd behaviour under load.

2009-05-08 Thread SM
Hi John, At 06:50 08-05-2009, John Hardin wrote: I suspect the sender is timing out waiting for the "250 OK" after sending the message, hence my (humorous) "100 Please hold..." suggestion. (Jeeze, SM, lighten up!) There has already been such a proposal. Someone might take your humorous sugge

RE: Odd behaviour under load.

2009-05-08 Thread Mark
-Original Message- From: John Hardin [mailto:jhar...@impsec.org] Sent: vrijdag 8 mei 2009 15:52 To: Mark Cc: users@spamassassin.apache.org Subject: RE: Odd behaviour under load. > On Fri, 8 May 2009, Mark wrote: > > > From: Charles Gregory [mailto:cgreg...@hwcn.org] > > > > Do yahoo and p

Re: mcafee sees drop in spam?

2009-05-08 Thread Martin Hepworth
Spamcop stats don't show this - yes the number of picture spams is going up, but not spam generally. http://www.spamcop.net/spamgraph.shtml?spamyear -- Martin Hepworth Oxford, UK 2009/5/8 Michael Scheidell > looks like mcafee sees a 20% drop in spam? > > wonder what that is about. I'm not se

RE: mcafee sees drop in spam?

2009-05-08 Thread Peter P. Benac
-Original Message- From: Randy [mailto:rramsd...@livedatagroup.com] Sent: Friday, May 08, 2009 11:13 To: SpamAssassin Users List Subject: Re: mcafee sees drop in spam? Michael Scheidell wrote: > looks like mcafee sees a 20% drop in spam? > > wonder what that is about. I'm not seeing a dr

Re: mcafee sees drop in spam?

2009-05-08 Thread Randy
Michael Scheidell wrote: looks like mcafee sees a 20% drop in spam? wonder what that is about. I'm not seeing a drop in ATTEMPTED spam (I see MORE ATTEMPTED spam). Mostly this new 'blank email with a png' in it. Sanesecurity rules seem to be keeping up with it for the most part. I wonder w

Re: mcafee sees drop in spam?

2009-05-08 Thread Michael Scheidell
> looks like mcafee sees a 20% drop in spam? > Sorry, someone asked me for the reference to the mcafee story: McAfee Reports Huge Drop in Spam - Ellen Messmer, Network World May 05, 2009 Global e-mail spam volumes have dropped 20% for the first quarter this year compared with the same period

RE: mcafee sees drop in spam?

2009-05-08 Thread Jason Staudenmayer
> -Original Message- > From: Michael Scheidell [mailto:scheid...@secnap.net] > Sent: Friday, May 08, 2009 10:57 AM > To: SpamAssassin Users List > Subject: mcafee sees drop in spam? > > > looks like mcafee sees a 20% drop in spam? > > wonder what that is about. I'm not seeing a drop

mcafee sees drop in spam?

2009-05-08 Thread Michael Scheidell
looks like mcafee sees a 20% drop in spam? wonder what that is about. I'm not seeing a drop in ATTEMPTED spam (I see MORE ATTEMPTED spam). Mostly this new 'blank email with a png' in it. Sanesecurity rules seem to be keeping up with it for the most part. I wonder what they are using to count

Re: The weirdest problem I have ever met

2009-05-08 Thread Jonas Eckerman
John Hardin wrote: spamassassin --remove-addr-from-whitelist=problemacco...@clientdomain.com An additional note (since, IIRC, the OP said he did this already): Make sure to run this for the same user as that which scans the mail when it gets the ridiculously high score. Regards /Jonas --

Re: Odd behaviour under load.

2009-05-08 Thread Jonas Eckerman
Mark wrote: Do yahoo and python.org enforce a shorter time-out? Highly doubtful. RFC 2821, Section 4.5.3.2 ("Timeouts") gives you a 2 minutes window while awaiting the "354 Start Input" reply to a DATA command. Which is of course irrelevant since SpamAssassin must be called after the client

Re: Flooded by a SPAM always containing the same picture

2009-05-08 Thread Martin Gregorie
On Fri, 2009-05-08 at 09:27 -0400, Randy wrote: > Also they changed the name > and image ( slightly ) . Now the image is "Gibas.png" or at least, they > are using this too. > They're using a variety of names these days, but all following the form you quote: PersonalName.png. I've decoupled my ima

RE: Odd behaviour under load.

2009-05-08 Thread John Hardin
On Fri, 8 May 2009, Mark wrote: From: Charles Gregory [mailto:cgreg...@hwcn.org] Do yahoo and python.org enforce a shorter time-out? Highly doubtful. RFC 2821, Section 4.5.3.2 ("Timeouts") gives you a 2 minutes window while awaiting the "354 Start Input" reply to a DATA command. ...are y

Re: Flooded by a SPAM always containing the same picture

2009-05-08 Thread Randy
Ned Slider wrote: Ned Slider wrote: Martin Gregorie wrote: On Wed, 2009-05-06 at 02:08 +0100, Ned Slider wrote: I had one sneak through today which didn't hit any rules at all (it hits a few DNSBLs now but not when I received it). It contained an inline png: Content-Type: image/png Content-

Re: Flooded by a SPAM always containing the same picture

2009-05-08 Thread Ned Slider
Ned Slider wrote: Martin Gregorie wrote: On Wed, 2009-05-06 at 02:08 +0100, Ned Slider wrote: I had one sneak through today which didn't hit any rules at all (it hits a few DNSBLs now but not when I received it). It contained an inline png: Content-Type: image/png Content-Transfer-Encoding:

Re: Rule to detect same address in sender and receiver

2009-05-08 Thread McDonald, Dan
On Fri, 2009-05-08 at 12:05 +0200, Benny Pedersen wrote: > On Thu, May 7, 2009 14:11, Matus UHLAR - fantomas wrote: > > On 07.05.09 03:59, jida...@jidanni.org wrote: > >> Ah ha, you can use something like > > > >> header FROM_SAME_AS_TO ALL=~/\nFrom: ([^\n]+)\n.*To: \1/sm > >> > add spf to your dom

Re: Rule to detect same address in sender and receiver

2009-05-08 Thread Benny Pedersen
On Thu, May 7, 2009 14:11, Matus UHLAR - fantomas wrote: > On 07.05.09 03:59, jida...@jidanni.org wrote: >> Ah ha, you can use something like > >> header FROM_SAME_AS_TO ALL=~/\nFrom: ([^\n]+)\n.*To: \1/sm >> > add spf to your domain >> But see e.g., http://david.woodhou.se/why-not-spf.html > > di

RE: Odd behaviour under load.

2009-05-08 Thread Mark
-Original Message- From: Charles Gregory [mailto:cgreg...@hwcn.org] Sent: donderdag 7 mei 2009 21:58 To: SpamAssassin Users List Subject: Odd behaviour under load. > Do yahoo and python.org enforce a shorter time-out? Highly doubtful. RFC 2821, Section 4.5.3.2 ("Timeouts") gives you a 2 m

Re: Rule to detect same address in sender and receiver

2009-05-08 Thread Benny Pedersen
On Wed, May 6, 2009 21:59, jida...@jidanni.org wrote: > Ah ha, you can use something like > header FROM_SAME_AS_TO ALL=~/\nFrom: ([^\n]+)\n.*To: \1/sm nice rule, but its not the envelope >> add spf to your domain > But see e.g., http://david.woodhou.se/why-not-spf.html why-spf.html -- http:/