through the suboptimal default SA install. Can someone point me
in the right direction?
Thanks,
Fred
--
View this message in context:
http://spamassassin.1065346.n5.nabble.com/Using-alternate-SA-in-individual-user-account-tp100540.html
Sent from the SpamAssassin - Users mailing list archive
Fred mailto:[EMAIL PROTECTED]
I have been using it for 6 month and it is very helpful and accurate when used
as a plugin for spamassassin.
Fred Stein
Network Administrator
The Hill School
717 E. High Street
Pottstown, PA 19464
[EMAIL PROTECTED]
www.thehill.org
-Original Message-
From: Blaine Fleming [mailto
://www.austinenergy.com
I am getting the same make test errors on Centos 3.0, fedora 2, and
Centos 4.2
Fred Stein
Network Administrator
The Hill School
717 E. High Street
Pottstown, PA 19464
[EMAIL PROTECTED]
www.thehill.org
perhaps that's not the way...
If you are using Windows and want to edit .cf files, I recommend
Crimson Editor. It's free and installs easily, add a shortcut to your
sent to folder and easily open files in Crimson in any format. It
even has a cute dog icon ;)
--
Best regards,
Fred
? This has rules updated by more people and more frequently than you might find with some of our SARE rules. We're all busy with day jobs and the like, things have been quiet around here and I think everyone is getting excited about 3.2 coming soon to a server near you!
--
Best regards,
Fred
release, start the
mass-checks as outlined on the wiki page and send away when we are
done?
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
3.2 and sa-update to get those of my rules that are performing
good.
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
Hello R,
Tuesday, January 23, 2007, 12:53:00 PM, you wrote:
Thanks, if anyone out there running some or a lot of the FRED rules with a
lot of success or should we only run certain ones in general
Bottom line is, I don't know how aggressive or not the rulesets are etc
Please advise
Hello Justin,
Thursday, January 18, 2007, 9:22:14 AM, you wrote:
Hi all --
we're going to be starting the mass-checks for 3.2.0 RSN. These will be
used to generate an up-to-date score set for that release.
Should we run sa-update before we begin the mass-check? I'm just
curious if or
to deal with this problem?
This message is also cluttering the output from mass-check making it
difficult to keep an eye on the progress.
Thank you,
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
find documentation of this? Any suggestions would be greatly
appreciated.
As a side note, have you seen the reverse engineer sha1 and md5 search engine
yet?
http://md5.rednoize.com/
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
Hello Dan,
Sunday, January 14, 2007, 1:52:36 PM, you wrote:
I got a hit on SARE_FORGED_BANKOFA. It's a 3 pointer (using sa-update).
I updated this rule just now!
Thanks for the notice!
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
this, but this is all I can see from looking at my
filter.
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
server (or the name of the machine spamassassin is
running on) and then ding someone HELO'ing as that?
For all those interested, I opened a ticket for enhancement based on
this idea. See: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5227
--
Best regards,
Fred
or earlier.
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
bet might be the use of a new
config item / plugin. something like:
ifplugin mxhelo
mx_helo_name mx.host.tld host.tld d.d.d.d
header HELO_AS_ME eval:check_for_my_mx()
score HELO_AS_ME 0.1
endif
I'll create a ticket for enhancement.
--
Best regards,
Fred
passing SA is considered
spam by the time I'm done writing rules after it's already entered my
system. I block at 6.0 and use no RBL's. I do write custom rules
daily.
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
Hello Alan,
Wednesday, November 29, 2006, 8:23:14 PM, you wrote:
-0.0 P0F_UNIX OS fingerprint BSD/Solaris/HP-UX/Tru64
I'm curious about P0F_UNIX could you share this rule with me? And any
similar fingerprint rules? Thanks!
--
Best regards,
Fred
swear this isn't how it always worked.
--
Best regards,
Fred
SOME_RULE
meta SOME_FOO_RULE (!__FOO1 __FOO2 SOME_RULE)
else
body SOME_RULEb /[s5][oO]m[e3] f[o0][o0]/i
meta SOME_FOO_RULE (!__FOO1 __FOO2 !SOME_RULEb)
endif
This would most likely only benefit 3rd party rule developers but who
knows?
--
Best regards,
Fred T
looks like gibberish, (high-ascii) characters.
With full rules being replaced with rawbody in 3.2, what would be the
best way to write a rule to catch the attached message.
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
B0043097815.MSG
Description: Binary data
/SpamAssassin/show_bug.cgi?id=4691
If accepted / it would allow for rules to use a tflags multiple
keyword to indicate the rule looks for multiple matches.
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
if the message is going
to get -100 from the whitelist. In the end, the message is still
only going to get 4 points from the forgery. I suggest if you feel
comfortable with this, just add a score line to your local.cf and
give it any score you feel comfortable with ;)
--
Best regards,
Fred
on my server. So just cause it says it hit 8.18% of ham,
doesn't really mean those hits were really on ham, only what SA
thought was HAM... hth
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
FB_SAVE_LEO 31s/0h of 111691 corpus (74068s/37623h DOC)
03/22/06
Watch for line wraps!
--
Best regards,
Fred mailto:[EMAIL PROTECTED]
Well I am looking at list
and Google and I didn't read nothing about how to change this
configuration..
Where I change this?
Any
help?
The most funny is that when
I receive a message outside my Email server or from my web mail ( IMP
HORDE) everything work fine.. This just happens when
More troubles..
I am using Spamassassin last one, user at sql, qmail
and qmailscan 1.25st.
When i receive email outside from my email server,
everything is working fine..
But when I send from a client and using my email
server. the spamassassin is using the recipient username and email in
Craig Zeigler wrote:
I have been getting hundreds of these messages per day and don't know
how to stop them. The bayes is only coming back at 60%.
They are the messages advertising drugs with a random subject (yes, I
know, one of the many) The filename is Part 1.1.jpg. There is no virus
that I
There are not any updates available yet, the SA
devs are working to make this feature available, at this time, everything is
still being setup and tested for when this goes live. The commands are
there but the back end isn't entirely ready yet. Other channels are if /
when other
I made changes to the spoof set, no more 104 points for any rules.
I added meta's to check for whitelist_from, if whitelist_from hits AND
sare_forged_(ebay|paypal|etc) then we score 100 points. This way, if
people don't whitelist then the spoof will only score 4.0 from our
ruleset.. If it's a
List Mail User wrote:
They should hit a well trained BAYES
They get some from bayes but not enough, I hand feed every one I get into my
bayes and each new run always comes up with less bayes score.
The past few I received got:
BAYES_60
BAYES_60
BAYES_80
BAYES_95 - I think this one was a few
jdow wrote:
Well, you sort of got it. But the from IS paypal.com, it claims. And
there is no appropriate paypal received from.
The Spoof rules look specifically for paypaL.com in the from line, this guy
used paypaI notice I not L, I'll include this mis-spelling in the next
update of the spoof
and doesn't contain any
rules for
these variants.
It's got %FROM_NAME, but not %NAME_FROM. It doesn't have anything
close to %NAME_TO.
Perhaps Fred Tarasevicius needs to make an update.
Adding NAME_FROM is easy:
header __RANDH_7B ALL =~ /%FROM_NAME/
rawbody __RANDR_7B /%FROM_NAME
Title: Out of Office AutoReply: *SPAM* Re: Stupid spammer rule
Can we have this account removed from the
list...
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 25, 2005 5:47 PM
Subject: Out of Office AutoReply: *SPAM* Re:
[17344] warn: config: failed to parse line, skipping: razor_timeout 10
joe wrote:
I am running SpamAssassin version 3.1.0 running on Perl version 5.8.5
When I run the spamassassin -D --lint, I am receiving an error but I
can not find the reason in the debug. Can someone point out my
Just a heads up we updated the spoof ruleset to include 33 new bank spoofs.
Data collected from phish archive websites and suggestions from fellow users
aided in this update.
http://www.rulesemporium.com/rules/70_sare_spoof.cf
Fred
#357
Pierre Thomson wrote:
Bottom line: SARE_FORGED_EBAY is working just fine!
I have to agree with what you said, my lil FORGED_EBAY rule has been working
good for a year and a half here!
Fred
Thijs Koetsier | Exception IT wrote:
X-Spam-Status: Yes, score=5.4 required=5.0
tests=AWL,BAYES_00,HTML_60_70,
HTML_BADTAG_00_10,HTML_MESSAGE,HTML_NONELEMENT_00_10,
HTML_TAG_EXIST_MARQUEE,HTML_TAG_EXIST_TBODY,MIME_BOUND_NEXTPART,
MIME_BOUND_RKFINDY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
Bret Miller wrote:
You would think that whitelist should be given a lower number than
-1.0. Otherwise, how does it counteract the many other rule additions.
How about adding:
score USER_IN_WHITELIST -20
score USER_IN_WHITELIST_TO -20
to your local.cf so that it does actually whitelist.
Thijs Koetsier | Exception IT wrote:
So, now that I've replaced by 50_scores.cf (thanks Fred), I'm getting
the 150 warnings back. They're all of the type:
Redownload the spamassassin package and extract that file again. It sounds
like you have an older version of that file.
I have been seeing a large increase in spam overall, I wouldn't be so sure
if it's anything you caused.
Matthew Lenz wrote:
so much spam is getting in since I switched to sarge. anyone else
have this problem? it looks like the tests are working but stuff
that is so obviously spam is
Run spamassassin --lint on this server and fix the errors you have and then
once all is running well, go back and try rulesDuJour. You'll get better
results for sure :)
Thijs Koetsier | Exception wrote:
Hi,
No, I did not.
I just re-installed Rules Du Jour and am using Spamassassin 3 on this
Matthew Yette wrote:
For those who went from 3.0.4 to the latest release candidate, would
you say it's a worthy upgrade? Where do you see the largest benefits?
Is it overall a good move if you're currently pretty satisfied with
3.0.4?
Matt
I love the new ReplaceTags plugin, I would
Which version of Net::DNS are you using?
Florian Effenberger wrote:
Hello,
after fixing the first problem with my SA 3.1.0 installation due to
Theo's help (thanks again!), I have another one. After starting up SA,
I receive
# /etc/init.d/spamassassin start
Starting SpamAssassin Mail
Florian Effenberger wrote:
I suppose it is 0.34. What is the Perl command to find this out?
Go into CPAN and issue:
i Net::DNS
It'll respond with the version number. I was looking for a 1-liner to do
this and don't know perl good enough to be more help.
Martin Hepworth wrote:
Looking in /usr/local/share/spamassassin/25_uribl.cf the black and
grey URI-RBLs are in there by default you so you'll need those.
I don't have URIBL-BLACK or GREY in my 25_uribl.cf file, I checked the
sources and it wasn't there either...
You have a permissions problem, plus you are running duplicate rules..
Remove the tripwire.cf file as you are using a newer version called
99_FVGT_Tripwire.cf
That file was updated months ago with a new name, now it's called
88_FVGT_Tripwire.cf I'm not sure why we changed that but we had good
Mike Jackson wrote:
For instance, they show the last updated
date on 70_sare_random.cf as 2004-05-17, while you and I both have
the date as 2005-06-01.
Yes we are aware of this issue, the site has changed owners a couple times
and during those transitions we had to change the way we updated
saying the page is out-dated but the links point to the current
rulesets. As you said, the page that reflects them needs work. All our
released rules are always placed on that page, it's just we often get lazy
and don't update the page when we update the rules.
Fred
George Georgalis wrote:
Argument REPORT isn't numeric in
subroutine entry at /usr/share/perl/5.6.1/IO/Socket/INET.pm line 223,
GEN3 line 58. 2005-09-07 13:49:11.026387500 Argument REPORT isn't
numeric in subroutine entry at
/usr/share/perl/5.6.1/IO/Socket/INET.pm line 223, GEN3 line 58.
I am also attaching the actual message which it fails on. File
failingmessage.txt.
Does anyone else think it's kind of bad that Symantec is sending a
newsletter with its entire subscribed base in the CC field? I wonder if
they have heard of BCC or mailing list software?
You need to set the option in MIMEDefang to allow network tests to run in
SpamAssassin. I'm fairly sure it's in your mimedefang-filter file. Check
with the MIMEDefang folks if you need more help.
Montse Seisdedos wrote:
Hello:
I use mimedefang+spamassassin+clanv kit.
I can't get these
I forgot to reply all when I sent this, the group should have access to this
trick too.
Steve Roemen wrote:
Thanks, this should do the trick.
Steve
on 06/17/05 12:37 Fred wrote the following:
One possible work around to this would be create a meta rule that
fires when more than one person
Ronan McGlue wrote:
is there an 'easy' way to get a graphical representation of how well
SA is doing??
preferably something flashy with lots of primary colours for the
management elite??
I use MIMEDefang with GraphDefang, it's easy to add your own graph features,
I recommend it!
martin smith wrote:
I had a rule I was working on, it works on the example u pasted, be
interested if this works, if not if you could send me a sample to
work on.
Use at your own risk as I haven't checked it that well for FP's
Martin,
I checked your rule for FPs for you, the results are:
I am checking it now, I will have results in a few minutes.
wrote:
Have you run it through the corpus tests?
Hamie wrote:
How do you count 'unknown users'? Accurately I mean...
Assuming you don't accept email in the first place if the user is
unknown (Or you might I guess, but it seems like un-necessary
processing to me) most spammers that I can see in our logs just keep
re-trying again again
Kevin Peuhkurinen wrote:
Having gotten the spam under control, I found that I was getting
bombed with tons of bounces as well. So I made up a quick ruleset
to stop undeliverables due to the german spam, using Raymond's
ruleset as a starting point. You can get it here:
I was working on
jimsheffer wrote:
config: SpamAssassin failed to parse line, skipping: rewrite_subject 0
config: SpamAssassin failed to parse line, skipping:
always_add_headers 1 config: SpamAssassin failed to parse line,
skipping: auto_learn 1
Those 3 config options are no longer supported.
In the readme
Ben Hanson wrote:
Shortly after the first of the year, I noticed the percentage of spam
messages for our organization dropped consistently by 10-15%.
Ben
I see between 83-85% spam.
We use SARE rules + my own home-brew rules + the new BLACK uribl lists +
unreleased SARE rules.
In the past 24
Chris Santerre wrote:
Long answer: Multiple meta rules. Take too much computational effort.
The regex isn't slick for these type of rules either.
The multiple meta rules are the easiest approach to doing this. I have a
number of rulesets which use this trick to count different things. Not
George Breahna wrote:
Not sure why this is happening but I just received an e-mail that I
use ONLY with go daddy. The e-mail is: [EMAIL PROTECTED]
I receive occasional spam to my e-mail used only for whois with Network
Solutions, I wouldn't accuse them of selling my addy but I would think it's
Post your e-mail address to some public newsgroups, get yourself active on
anyplace that posts live e-mail addresses, if you built it (your name
everywhere) they (spammers) will come.
Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
Johnson, S wrote:
Steve Lake wrote:
I'm curious. How well does SA do with handling phishing spam and is
there stuff built into it to identify and nail these kind of emails?
I'm just curious because I heard that in just the past 5 months
Netcraft has logged over 5600 unique phishing sites on the net, so I
Chris Lear wrote:
I've removed the SARE forged rules now altogether, and
most of the remaining spam scores under 50 (just one 52.9 yesterday).
Chris
Nope no citibank here, just making a generic rule like the rest, if you give
me some info on what's wrong with it, I'll gladly fix it. Just
wolfgang wrote:
In an older episode (Saturday 30 April 2005 14:45), Theo Van Dinter
wrote:
=3d is quoted-printable encoding for =, =2e for ., etc...
SA handles proper encoding (it handles a lot of non-proper encoding
as well), but doesn't make guesses if the MIME part says there is no
Slightly off topic but does Sendmail 8.12 add a subject when one is not
present?
Matt Kettler wrote:
Russell P. Sutherland wrote:
Is there a test that one can construct that would
assign a weight to a message that is missing
a certain header, completely? In my case, no Subject
line at all.
francois.baert wrote:
Hello,
Spamassassin-3.0.2 running on redhat9.0
spamassassin --lint gives a list of warning like this:
warning: description for REMOVE_PAGE is over 50 chars
warning: description for FROM_WEBMAIL_END_NUMS6 is over 50 chars
...ie
lint: 171 issues detected.
What does
the comments at the top of the rulefile before added
them to their systems!
Fred
Chris Santerre wrote:
Am Mittwoch, 22. Dezember 2004 12:42 schrieb Martin Hepworth:
Thomas
what extra rules above the standard SA ones have you got? Any from
www.rulesemporium.com ?
None of these have been tested yet. Use at your own risk. Do not
operate while under heavy medication.
Install ClamAV and it'll help you with viruses, SA is a mail filter which
does not do virus checking.
Oliver Thalmann wrote:
is it possible in spamassassin (via regexp ?) to test for a
sandwiched X-Message-Info: header between Received: headers ?
There is a default rule since 3.0 which looks for X-Message-Info, it's
scored pretty high too, which version of SA are you using?
Kris Deugau wrote:
I'd also like to drop, bounce, whatever mail that has certain words
in the subject, such as rolex, penis, viagra, etc.
*VERY*, **VERY** dangerous in an ISP environment!! I would STRONGLY
recommend AGAINST this. It has far too much potential to backfire on
you.
We use
in false negatives.
--
Fred W. Bacon [EMAIL PROTECTED]
Rigid Rotor
Kai Schaetzl wrote:
For about 48 hours I see an increase in attempts to unload spam to our
clients.
For the past 12 months I have seen endless attempts to send mail to invalid
addresses. I get 1,000 per hour, every hour for every day of the working
week. Off hours is slightly lower, during
Here is the rule from 3.0
header __SANE_MSGID MESSAGEID =~ /^[^\\ [EMAIL PROTECTED]\\
\t\n\r\x0b\x80-\xff]+\s*$/m
header __HAS_MSGID MESSAGEID =~ /\S/
header __MSGID_COMMENT MESSAGEID =~ /\(.*\)/m
meta INVALID_MSGID __HAS_MSGID !(__SANE_MSGID || __MSGID_COMMENT)
describe INVALID_MSGID
Brett Romero wrote:
I sent the following message through SA 3.0 on Windows.
snip
The following were returned:
UPPERCASE_25_50 0.10 message body is 25-50% uppercase
MISSING_SUBJECT 1.40 Missing Subject: header
ALL_TRUSTED -2.80 Did not pass through any untrusted hosts