RE: RBL and blackholes.us.

2006-08-31 Thread Herb Martin
m to make an exception for you. (Or change to another range of addresses as previously mentioned.) > Thanks for your help anyway. Herb Martin > -Original Message- > From: Xueron Nee [mailto:[EMAIL PROTECTED] > Sent: Thursday, August 31, 2006 10:31 AM > To

RE: a few 'newbie' questions

2006-05-13 Thread Herb Martin
owSpam, HighSpam" to take different actions based on these. Again, this is MTA specific. -- Herb Martin

RE: Bayesian learning and corrective training

2006-04-19 Thread Herb Martin
ifferences -- it seems Some received headers, and oddly the SpamAssassin score report (probably due to length) are dropped, some re-ordering is done. Generally the headers are there (unless one needs something peculiar to those received headers.) -- Herb Martin

RE: Bayesian learning and corrective training

2006-04-18 Thread Herb Martin
is desired) and then remove any 'extras' that I do not wish to send. A simple perl script (just a couple of lines) will split the message(s) back into individual messages that can be properly used for feeding Bayes or other classifiers. Herb Martin, MCSE, MVP [EMAIL PROTECTED] ht

RE: Learning SpamAssassin

2006-04-09 Thread Herb Martin
ISTING (best done outside of SA, and actually BEFORE SA in the email receiving process) -- Herb Martin

RE: Which Operating Systems Do You Use and Why?

2006-04-07 Thread Herb Martin
st of Windows AND most of the useful things (to me) from Linux/GNU. And the loads are practically the same as those the rest of you use -- no hacking around for every upgrade or point release. -- Herb Martin, MCSE, MVP [EMAIL PROTECTED] http://LearnQuick.Com 512 388 7339 -or- 1 800 MCSE PRO

Uninitialized variables with SA 3.1.1 in Pyzor and DCC after RULES upgrade today

2006-03-27 Thread Herb Martin
se of uninitialized value in sprintf at /usr/lib/perl5/site_perl/5.8/Mail/SpamAssassin/Plugin/DCC.pm line 535. Are these likely problems on my end (out of date DCC or Pyzor?), problems with the rules, or something else? (I can't run CPAN to check Pyzor or DCC right at the moment...) -- Herb Martin

RE: rules for IP addresses without reverse DNS records?

2006-03-18 Thread Herb Martin
isting) or perhaps just consider that these will count in the Bayes weight. -- Herb Martin

RE: How easy is Spam Assassin really?

2006-02-24 Thread Herb Martin
ns as a (near) service in the mode of Linux etc (i.e., Spamd and SpamC or whatever client you use to query the running instance.) CygWin is a surprising delight. Most of the best of both Linux and all of the features of Windows. My setup is to actually run Exim as the email server but that is just my choice and others would work -- Herb Martin

RE: updating WIKI -- InstallingOnWindows

2006-01-09 Thread Herb Martin
b etc.), and NOT to environment variables (%username%) nor to positional parameters (%1 %2 etc.). [Of course positional parameters would make no sense on the command line anyway.] -- Herb Martin > > -Original Message- > From: Steven Manross [mailto:[EMAIL PROTECTED] > Sent

RE: outscatters list [Was: Temp RBL]

2005-11-12 Thread Herb Martin
some time ago. but some of the guilty outscatters > were large > ISPs that I can't just block. We do blocking ONLY on multiple criteria so perhaps using a positive here along WITH a subject (or other) filter on various return mail keywords would work. I believe this would work

RE: How can i block this?

2005-10-11 Thread Herb Martin
nstructions to humans for contacting you with (legitimate) complaints, in case you should make a mistake. -- Herb Martin

How to go about reviewing/re-scoring

2005-09-30 Thread Herb Martin
all HAM for anyone? Ideas? -- Herb Martin

RE: Personal Rule

2005-09-30 Thread Herb Martin
Bowie > Hmmm Maybe I could capture an optional match for a > quote and then use that match later to pair the quote (or lack thereof). I may attempt that later today. Good idea but perhaps easier (maybe even faster) would be to just write an extra META rule and 'or' them. -- Herb Martin

RE: Personal Rule

2005-09-30 Thread Herb Martin
Bowie Bailey wrote: > > ...and yet I have never seen one of these "fake" real names without > > the quotes, probably because these are always in this format: > > > > "Firstname Lastname" <[EMAIL PROTECTED]> > > > > Removing the quotes will however simplify the whole thing though. > > I was

RE: Personal Rule

2005-09-29 Thread Herb Martin
the quotes will however simplify the whole thing though. -- Herb Martin

RE: Personal Rule

2005-09-29 Thread Herb Martin
Try this (with your names of course): header __HM_USER To =~ /"[^"]*"\s*<(herb|martin)[EMAIL PROTECTED]@[EMAIL PROTECTED]>/i header __HM_REALNAME To =~ /"[^"]*(herb|hm|martin)[^"]*"\s*

RE: DNS errors

2005-09-29 Thread Herb Martin
is under Solaris 2.8/SPARC, running Perl 5.6.1. Net::DNS > .49 and < .53 was broken (for SA at least.) Maybe .52 was ok, but I didn't test and don't remember. Current .53 or higher is fine. -- Herb Martin [EMAIL PROTECTED] http://LearnQuick.Com 512 388 7339 -or- 1 800 MCSE PRO Accelerated MCSE Seminars

RE: Rebuilding SA from CPAN?

2005-09-28 Thread Herb Martin
eren't installed on this machine. As I recall, SA > needs to see them during the build process, but trying to > install Mail::SpamAssassin again just tells me that > SpamAssassin is up to date. How to proceed? What about using clean and force in CPAN? e.g., "force install

RE: How to check if content is spam or not?

2005-09-28 Thread Herb Martin
imple Perl script for creating such an object and checking some "data" in a file or variable. -- Herb Martin

RE: best of RBLs without the FPs

2005-09-27 Thread Herb Martin
or so that we must review. These are not exact figures and might be off by 50% or so (low probably), but the percentage is correct. And (I didn't mention) that our users have SpamBayes on their system so if anything gets through it is almost always caught there -- and we have them "for

RE: [SARE] rules update

2005-09-26 Thread Herb Martin
> Serious? Do I disable until fixed? You didn't give your SpamAssassin version nor actually mention which whitelist file you used... There are two new files for (near features in) SpamAssassin 3.10, and the old file for previous versions. Look on the SARE site and see which ones fit your version of SpamAssassin. -- Herb Martin

RE: best of RBLs without the FPs

2005-09-26 Thread Herb Martin
> On Sonntag, 25. September 2005 08:54 Herb Martin wrote: > > [detailed description snipped] > > If a message gets by all this and is spammy then drop it > into one of > > two "spam catch accounts" for review. > > Seems to me most of this is "hand

RE: Hotmail on sorbs?!? (and eliminating false positives)

2005-09-26 Thread Herb Martin
han 'normal' spam threshold) AND there is NO greylist flag (it hasn't been greylisted yet) then RUN the greylist check now, after the SA check. The idea is that there is no point in SA checking something that will be greylisted anyway -- and there is no point in greylisting something "twice". -- Herb Martin

RE: Joe-jobbed...What are my options?

2005-09-26 Thread Herb Martin
rding" their email or using "other SMTP servers" with their email address -- probably such (random) forwarding/sending by users will be "unauthorized" as well. -- Herb Martin

RE: best of RBLs without the FPs

2005-09-24 Thread Herb Martin
then drop it into one of two "spam catch accounts" for review. There are two such accounts, one for likely spam and the other for "high score" spam. This division makes review much easier. I hope that is clear -- it is difficult to state plainly since much of this is predicated on previous tests... -- Herb Martin

RE: best of RBLs without the FPs

2005-09-24 Thread Herb Martin
"master/null.zone"; }; zone Why not just a single Whitelist zone checked before your blacklists, and thus bypassing them? This is what we do first (in Exim) -- accept whitelist and only check RBLs if the whitelist is not matched. Only takes one zone and it's easier to add entries to that. -- Herb Martin

RE: best of RBLs without the FPs

2005-09-24 Thread Herb Martin
works and it will ADD to my defense in depth. This thing is actually running in my production SA, and adding/subtracting score based on its classification. It's not suitable for everyone yet since it is still crude (idiosyncratic to my systems) and has to call an external executable (which is unsuitable for high volume mail systems.) -- Herb Martin

RE: best of RBLs without the FPs

2005-09-24 Thread Herb Martin
> From: Michael Monnerie [mailto:[EMAIL PROTECTED] > On Samstag, 24. September 2005 17:48 Herb Martin wrote: > > But again, since almost no legitimate email is ever greylisted only > > almost nothing DESIRABLE EVER gets delayed. > > That depends on your setup. Here, we b

RE: Hotmail on sorbs?!? (and eliminating false positives)

2005-09-24 Thread Herb Martin
(which will LOSE a lot of email otherwise.) Pick any "good" criteria for rejecting email and turn it into a good but safe method by using greylisting. Also note that having our SMTP server check RBLs and then having SpamAssassin score them AGAIN if the mail gets through, costs VERY LITTLE: we run a local caching DNS server so those resolutions are only going on the net just once. -- Herb Martin

RE: best of RBLs without the FPs

2005-09-24 Thread Herb Martin
ave done an > override on my caching DNS server where I nullify the lookups > for these RBLs. I base this on research I did lookups on It's simpler to just build another whitelist than override the server (unless that is what you mean.) -- Herb Martin

RE: Hotmail on sorbs?!? (and eliminating false positives)

2005-09-24 Thread Herb Martin
ers), and practically all spam caught. Greylisting is cool. Combined with things like RBLs and other "spammy suspicious" checks it is nothing but a big win. -- Herb Martin

RE: 3.04 to 3.1.0 impressions?

2005-09-23 Thread Herb Martin
s solid enough itself.) Due diligence but upgrade when you can. -- Herb Martin

RE: Personal Rule

2005-09-21 Thread Herb Martin
what check for several things: 1) To: Has a label or "real name" with quotes AND contains (in various alias versions) 2) To: "real name" between the quotes DOES NOT match one of my First name, Last name, company name, or nicknames/aliases

RE: How to control the scoring for spam

2005-09-06 Thread Herb Martin
ssin/*.cf You will generally find that the default scores are in 50_scores.cf so you may be specific and change the grep to only search that file (but I don't always remember this so may just search them all out of laziness.) -- Herb Martin

RE: disable FORGED_*_RCVD

2005-08-30 Thread Herb Martin
alter the scores to disable them. REMEMBER: After changing your configs to always spamassassin --lint (I really appreciate the SARE folks who taught me this rule, --lint is your friend.) -- Herb Martin

RE: phish/bayes

2005-08-25 Thread Herb Martin
is VERY important to also train some VALID emails from the real source that such phishes are targeting. This puts the real mail's words in as tokens and means that the words in both types will not be strong indicators of spam (or ham) and other differences will be used to make the estimate. -- Herb Martin

RE: Trojan infected FN

2005-08-21 Thread Herb Martin
) defined in the registry. As to using the 25 length specifier it really doesn't matter to me, since if someone uses a "short GUID" they probably are up to no good as well. -- Herb Martin > -Original Message- > From: Maurice Lucas [mailto:[EMAIL PROTECTED] > Sent:

RE: spurious __alarm__ messages in spamd log

2005-08-20 Thread Herb Martin
en such alarms and those timeouts (in Exim waiting on SpamD.) This correlation was done with quick visual checks so I cannot swear to it in court, but it seemed quite likely. My SA runs many RAZOR, DCC, PYZOR and many DNSBL/URIBL checks. -- Herb Martin

RE: Trojan infected FN

2005-08-19 Thread Herb Martin
m etc.) files. (I have a long list prep'ed for a regex or for Exim if anyone wants it posted again.) -- Herb Martin

RE: V-drug resurgent

2005-08-18 Thread Herb Martin
26,974,379,824,381,952 ways to spell the V word: http://cockeyed.com/lessons/ (click on vword, then click on vword.html) Frankly I believe that 600 Pentillion (U.S.) is low. -- Herb Martin

RE: Help with RR DNS for spamd?

2005-08-17 Thread Herb Martin
imary for other zones, and of course doesn't hold every possible zone.) So if your zone is mydomain.com with spam.mydomain.com being a resource record in that zone, then every DNS server that holds mydomain.com (i.e., is authoritative for mydomain.com) will have that record replicated to it (if everything is working reasonably OK.) -- Herb Martin

RE: Help with RR DNS for spamd?

2005-08-17 Thread Herb Martin
. You should generally point clients to ONE CONSISTENT (set of) DNS servers which return all the correct answers the client will ever need. If the DNS server (set) doesn't know the answer it must forward or recurse to find it. > Seems like the DNS server is not the problem, but FWIW, the > zone file for mydomain.com has these entries: > > spamA 10.10.10.105 > spamA 10.10.10.106 -- Herb Martin

RE: BIND with "forward first" as caching DNS?

2005-08-17 Thread Herb Martin
do as good or better job of running DNS securely (than you can do) then that probably doesn't matter. (You did say you are not an expert.) -- Herb Martin

RE: test for multipart/alternative discrepancies?

2005-08-15 Thread Herb Martin
://www.surbl.org/lists.html [URIs: lastrez.com] 1.0 DIGEST_MULTIPLE Message hits more than one network digest check 0.9 FM_NO_STYLE FM_NO_STYLE Subject: * SPAM *_29.2 McDonÂld's bomber jailed -- Herb Martin

RE: Very long scan times - Finding the culprit rule

2005-08-15 Thread Herb Martin
o of these that run 1-2 MB and cannot run them without SpamD getting unreliable (slow, sluggish etc.) -- Herb Martin

RE: filter for subjects

2005-08-15 Thread Herb Martin
or evidence of such in the logs. We are still manually reviewing the Spam trapped at the server. Nothing bounces. Very little spam is ever accepted. And 95% of the Spam we trap is scores above 25 points. Almost none is scored below 15 points. We have practically none in the "trough" between Spam and Ham -- it is all classifying cleanly which really lets SpamAssassin shine. -- Herb Martin

Is there a UNIX socket test client program (a la NetCat)?

2005-08-10 Thread Herb Martin
sockets and it would help a great deal if I could interactively test such sockets. -- Herb Martin

RE: Iran Nuclear spam

2005-08-09 Thread Herb Martin
fer overflow, disguised as a Job spam, disguised as a Political? This strategy of multi-levels of disguise is intriguing -- I have only seen it personally a few times. -- Herb Martin

RE: GeoCities Link-only spam

2005-08-08 Thread Herb Martin
es mail means that even less gets through; less requires review by users. (We check Spam=yes AND_NOT Already_Greylisted to avoid unnecessary checks although that would not really hurt if the same IP/sender/rcpt is used.) -- Herb Martin

RE: spamd and exim

2005-08-07 Thread Herb Martin
any of my Exim, SysLog (messages), nor SpamD logs. (I am only replying because your message quotes me below...) > On 04/08/2005, at 3:46 PM, Herb Martin wrote: > > (I was not watching this closely until late last night, and > the only > > reason I posted without firm evidence wa

RE: spamd and exim

2005-08-03 Thread Herb Martin
> -Original Message- > From: Steven Dickenson [mailto:[EMAIL PROTECTED] > On Aug 3, 2005, at 9:52 PM, Herb Martin wrote: > > >> The message I am seeing in /var/log/exim_main.log is: > >> spam acl condition: cannot parse spamd output > >> H=(mails

RE: spamd and exim

2005-08-03 Thread Herb Martin
logs further and maybe pinpoint the issue. BTW, I only spam check files <200k in size. And I am running a pre-release of SpamAssassin 3.10 -- Herb Martin, MCT, MCSD, MCSE, MVP [EMAIL PROTECTED] http://LearnQuick.Com 512 388 7339 -or- 1 800 MCSE PRO Accelerated MCSE in a Week Seminars

RE: Runaway processes

2005-08-02 Thread Herb Martin
week should make you happy. Improved thread handling and for me it works even in pre-Release. -- Herb Martin

RE: unwanted breakthrough

2005-07-31 Thread Herb Martin
> -Original Message- > From: jdow [mailto:[EMAIL PROTECTED] > Sent: Sunday, July 31, 2005 12:14 PM > To: users@spamassassin.apache.org > Subject: Re: unwanted breakthrough > > From: "Herb Martin" <[EMAIL PROTECTED]> > > > * -3.5 HM_URIBL_

RE: unwanted breakthrough

2005-07-31 Thread Herb Martin
> > Looking over the scores, BODY_ENH seems to score 0 when > network tests > > are > enabled, > > so it would miss during network problems > > > > Wolfgang Hamann > > WHAT SARE rules are you running. Some are good for drug spam > and some are not. I am running ALL of the following in addition

RE: Adding SpamBouncer phishing data to ph.surbl.org

2005-07-31 Thread Herb Martin
etter. My security principles include (but are not limited to): 1) Stop as much as possible at the outer perimeter (earlier the better) 2) Defense in depth For us, the virus scanning happens before the Spam tests; early is good. -- Herb Martin

RE: unwanted breakthrough

2005-07-31 Thread Herb Martin
L Prevent SC-SC2 double score * -2.5 HM_URIBL_SC_XS Prevent SC-XS double score -- Herb Martin

RE: how to send spam?

2005-07-30 Thread Herb Martin
nd NOT the clear version and score MUCH higher in those cases.) The theory is that if you wish to talk anatomy or medical treatment then perhaps that is acceptable, but if you are trying to hide the fact the message contains those words, then that is a virtually certain spam sign. (Except on lists like this. ) -- Herb Martin

RE: spamd / isn't numeric in subroutine

2005-07-30 Thread Herb Martin
> From: Loren Wilton [mailto:[EMAIL PROTECTED] > > > ul 30 19:13:29 rvm spamd[88566]: checking message > > <[EMAIL PROTECTED]> for > [EMAIL PROTECTED]:0. > > Jul 30 19:13:29 rvm spamd[88566]: Argument "CHECK" isn't numeric in > > subroutine entry at > > /usr/lib/perl5/5.6.1/i386-freebsd/IO/So

RE: rbl's

2005-07-29 Thread Herb Martin
r "dns is available" -- if that says "no", > it's probably Net::DNS acting up. > I had to go back to .49 and reports say .53 works. .49 < version < .53 seems that version is very likely to cause problems. -- Herb Martin

RE: Relearning/routing spam/ham with Outlook client

2005-07-29 Thread Herb Martin
to output $parser->extract_nested_messages(0); # Extract messages whole? $entity = $parser->parse(\*STDIN); # Parse an input filehandle -- Herb Martin

RE: Trying to id spam

2005-07-28 Thread Herb Martin
> -Original Message- > From: David B Funk [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 28, 2005 6:15 PM > To: users@spamassassin.apache.org > Subject: Re: Trying to id spam > > On Thu, 28 Jul 2005, Rick Macdougall wrote: > > > Dr Robert Young wrote: > > > > > We had a very short spam

RE: Trying to id spam

2005-07-28 Thread Herb Martin
ess to our users -- better to just force everyone to compress or zip if they have a legitimate reason to send executables. Herb Martin [EMAIL PROTECTED] http://LearnQuick.Com Accelerated MCSE in a Week Seminars Sent: Thursday, July 28, 2005 3:13 PM To: users@spamassassin.apache.org Subject: Re: Trying to id spam Andy

RE: Relearning/routing spam/ham with Outlook client

2005-07-28 Thread Herb Martin
From: Loren Wilton [mailto:[EMAIL PROTECTED] Sent: Thursday, July 28, 2005 7:50 AM To: users@spamassassin.apache.org Subject: Re: Relearning/routing spam/ham with Outlook client This is a very common question, there are a number of solutions detailed in the Wiki, complete

RE: Removing message/rfc822 attachments to separate files

2005-07-27 Thread Herb Martin
> -Original Message- > From: Kai Schaetzl [mailto:[EMAIL PROTECTED] > > Herb Martin wrote on Tue, 26 Jul 2005 21:21:25 -0500: > > When forwarding a batch of missed spam (or ham) from > > Outlook back to > > SpamAssassin the best way seems to be for our us

[exim] RE: Removing message/rfc822 attachments to separate files

2005-07-26 Thread Herb Martin
and I am sort of jammed up for the next couple of days, so it might be the weekend before the thing gets written unless there is a module that does all of the real work. BTW, if it doesn't exist (seems unlikely) this would benefit many others. Looks like it was right under my nose in

RE: Removing message/rfc822 attachments to separate files

2005-07-26 Thread Herb Martin
> Mail::SpamAssassin::Message ? ;) > > You can also read through PerMsgStatus which has code to rip > out an encapsulated message. Thanks. Right under my nose -- but better to feel silly than to have to re-invent the code. -- Herb Martin

Removing message/rfc822 attachments to separate files

2005-07-26 Thread Herb Martin
ess is that someone has such, or even that I am looking right at it in the search results but overlooking the module. Other methods (for my users) include opening each email separately, choosing menu: Action->Resend, filling in a "to address" (for each message) and answer a number o

RE: New open http redirector?

2005-07-26 Thread Herb Martin
e?) > > I throw them out: > > uri PROLO_REDIR_ADTECH_CHECK1 /^http:\/\/adserver\.adtech\.de\// > score PROLO_REDIR_ADTECH_CHECK1 8.0 > describe PROLO_REDIR_ADTECH_CHECK1 PROLO_REDIR-ADTECH CHECK, Body I suggest a case-insensitive /i switch on the regex. Checking https:// , this site d

RE: SPAMD dies

2005-07-17 Thread Herb Martin
duced (or eliminated.) -- Herb Martin

RE: Proper way to override scores

2005-07-14 Thread Herb Martin
Joanne wrote: > No to both of them, Herb. > > Place them into the /etc/mail/spamassassin (or > /etc/spamassassin depending on where the local.cf file is.) > Make a new file and put them into that file. It's cleaner > than getting local.cf all cluttered. That seems a good variation on the oth

RE: Proper way to override scores

2005-07-13 Thread Herb Martin
" (later) alphabetical name, so 70_sare_unsub.cf could be rescored in 70_sare_unsub_scores.cf or just 71_sare_unsub.cf The main (included) spamassassin scores are in the 50.cf file so that it follows after the 10-40xxx default test files. -- Herb Martin

RE: Bayes Questions

2005-07-12 Thread Herb Martin
> From: Kai Schaetzl [mailto:[EMAIL PROTECTED] > > Andrew Ott wrote on Mon, 11 Jul 2005 17:37:42 -0600: > > > Also is there any way to see the count of spam and ham > messages that > > are in the bayes database, I can't seem to find any info on > that. I > > want to make sure there are a lot

RE: Rule: envelope to <> header to - help?

2005-07-10 Thread Herb Martin
it would only be suitable for small email domains and a custom solution for each location (e.g., no general set of rules everyone could download.) And then, if there is no advantage to spammers or even reason for this practice -- they might just stop doing it. (But even that seems a small victory. ) -- Herb Martin