Re: [SAtalk] New kind of spam?
On Fri, 2003-01-31 at 09:49, kcorey wrote:
> Thought you guys might be interested. The spammers are getting
> desperate, methinks.

Many spammers now include many tricks to try to surmount SpamAssassin. Why? Because SpamAssassin is easily available to use as a test for their spam.

This particular trick that you forwarded is a poor one, as it creates a new signature to look for (the development version already looks for text obscured by HTML comments).

The uglier case is where spammers start crafting their message to achieve the lowest possible score through tests that assign negatives. So, I might claim to be KMail and include some HTML features that get negative scores, etc. Then my spammish features won't matter because the score is offset.

The only real defenses against this are:

a) Razor or the like, which tells us that someone has called this spam
b) Source IP and relay tests
c) Bayes, which is personalized, so spammers can't tweak their score

You might also have a meta-test that gets tripped when a message has tripped enough OTHER tests. That might catch this kind of skullduggery. For example, you might have a test that is true if 10 or more other tests are true. It would be interesting to see what kind of score that test would be assigned

--
Aaron Sherman <[EMAIL PROTECTED]>
This message granted to the Public Domain in 2023. Fight the DMCA and copyright extension!

---
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com
___
Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Received: from bowser (bowser.slooff.net[192.168.0.3])
On Fri, 2003-01-31 at 11:54, Tony Earnshaw wrote:
> Luckily I have a test rig and no-one but the spammer has got hurt up to
> now (apart from postings to this list, used as examples). As for the
> Bayesian stuff is concerned, its trigger for learning remains on 12.

Actually, I'm curious about that one. When I'm on this list (or any mail abuse list), I'm obviously going to have to all_spam_to the list to see the messages. However, does that prevent the Bayesian tests from auto-learning from the mail? Or, am I training my filters to accept spam by accepting this list?

For reference, I set auto_learn to 1 for testing purposes.

--
Aaron Sherman <[EMAIL PROTECTED]>
This message granted to the Public Domain in 2023. Fight the DMCA and copyright extension! http://eldred.cc/
[SAtalk] New kind of spam?
Hi All,

I happened to be trolling through my inbox in raw text mode, as you do, and noticed this.

Thought you guys might be interested. The spammers are getting desperate, methinks. Good. May they all their fingers rot off.

-Ken

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1])
    by kenlinux.bithub.org (Postfix) with ESMTP id C53B981AE
    for <[EMAIL PROTECTED]>; Thu, 30 Jan 2003 14:20:16 + (GMT)
Received: from kencorey.com [128.121.97.216]
    by localhost with POP3 (fetchmail-5.9.0)
    for [EMAIL PROTECTED] (single-drop); Thu, 30 Jan 2003 14:20:17 + (GMT)
Received: from mail_server.lankae.com ([203.115.31.211])
    by kencorey.com (8.12.6) id h0UEPRVN094526
    for <[EMAIL PROTECTED]>; Thu, 30 Jan 2003 07:25:29 -0700 (MST)
Date: Thu, 30 Jan 2003 07:25:27 -0700 (MST)
Message-Id: <[EMAIL PROTECTED]>
Received: from mailme.dk (CM-lcon1-45-16.cm.vtr.net [200.83.45.16])
    by mail_server.lankae.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
    id D91W2WQ4; Thu, 30 Jan 2003 20:11:46 +0600
From: "Nicholle" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: Meet very nice Russian women
MIME-Version: 1.0
Content-Type: text/html
X-UIDL: 1FD!!p)Q"!97m!!9N##!
X-Spam-Status: No, hits=3.2 required=5.0 tests=FROM_NAME_NO_SPACES,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2 version=2.31
X-Spam-Level: ***
X-Evolution-Source: mbox:/var/spool/mail/kcorey

Hi, Nicholle here,
http://www.pickyourownwoman.com/?oc=2390";>A nice lady wants to correspond with you. check her out
Reply with off and I won't write you again.
Thanks, Nicholle
Re: [SAtalk] Sendmail/Spam-milter/Spamassassin all fine - is there a simple trash option for spam
| John wrote on Fri, 31 Jan 2003 17:33:53 +1100:
|
| > I haven't been able to find a way of using spamassassin to trash mail
| > that is spam
| >
|
| Don't trash email, quarantine it, see MailCorral
| http://bsmdevelopment.com
|

all_spam_to [EMAIL PROTECTED]

and make sure [EMAIL PROTECTED] is an address that doesn't accept mail.

simple if this is what you really want :)

regards
greg cirino

- Original Message -
From: "Kai Schaetzl" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 31, 2003 5:31 PM
Subject: Re: [SAtalk] Sendmail/Spam-milter/Spamassassin all fine - is there a simple trash option for spam

| John wrote on Fri, 31 Jan 2003 17:33:53 +1100:
|
| > I haven't been able to find a way of using spamassassin to trash mail
| > that is spam
| >
|
| Don't trash email, quarantine it, see MailCorral
| http://bsmdevelopment.com
|
|
| Kai
|
| --
|
| Kai Schätzl, Berlin, Germany
| Get your web at Conactive Internet Services: http://www.conactive.com
| IE-Center: http://ie5.de & http://msie.winware.org
[SAtalk] Wishlist item
I just got done parsing through about 450 pieces of spam and have an observation to share with SpamAssassin's developers in hopes that this will improve their ability to track this stuff.

I get a lot of mail from addresses like:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

and so on... where the username is randomly generated and modified, but the domain portion of the email is consistent.

I would think that this is something that you might use to identify domains that are very highly likely to deliver spam. And I'm wondering if this domain pattern matching is something that could be done well with a Bayesian statistical approach to add as a consideration to the scoring.

--
If we do not change our direction we are likely to end up where we are headed.
RE: [SAtalk] New kind of spam?
I'm running 2.43, and thankfully it has a rule for that:

OBFUSCATING_COMMENT /[^\s>][^\s<]/

Score 2.083.

-Steve

-Original Message-
From: kcorey [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 6:49 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] New kind of spam?

Hi All,

I happened to be trolling through my inbox in raw text mode, as you do, and noticed this.

Thought you guys might be interested. The spammers are getting desperate, methinks. Good. May they all their fingers rot off.

-Ken

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1])
    by kenlinux.bithub.org (Postfix) with ESMTP id C53B981AE
    for ; Thu, 30 Jan 2003 14:20:16 + (GMT)
Received: from kencorey.com [128.121.97.216]
    by localhost with POP3 (fetchmail-5.9.0)
    for kcorey@localhost (single-drop); Thu, 30 Jan 2003 14:20:17 + (GMT)
Received: from mail_server.lankae.com ([203.115.31.211])
    by kencorey.com (8.12.6) id h0UEPRVN094526
    for <[EMAIL PROTECTED]>; Thu, 30 Jan 2003 07:25:29 -0700 (MST)
Date: Thu, 30 Jan 2003 07:25:27 -0700 (MST)
Message-Id: <[EMAIL PROTECTED]>
Received: from mailme.dk (CM-lcon1-45-16.cm.vtr.net [200.83.45.16])
    by mail_server.lankae.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
    id D91W2WQ4; Thu, 30 Jan 2003 20:11:46 +0600
From: "Nicholle" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: Meet very nice Russian women
MIME-Version: 1.0
Content-Type: text/html
X-UIDL: 1FD!!p)Q"!97m!!9N##!
X-Spam-Status: No, hits=3.2 required=5.0 tests=FROM_NAME_NO_SPACES,CTYPE_JUST_HTML,MSG_ID_ADDED_BY_MTA_2 version=2.31
X-Spam-Level: ***
X-Evolution-Source: mbox:/var/spool/mail/kcorey

Hi, Nicholle here,
http://www.pickyourownwoman.com/?oc=2390";>A nice lady wants to correspond with you. check her out
Reply with off and I won't write you again.
Thanks, Nicholle
Re: [SAtalk] Adult content - newby question
With the addition of some stricter porn rules, SA can be used to identify adult emails and then you can use procmail to either quarantine or delete them.

Currently SA is fairly modest about the "adult content" rules, it's really only tuned to try to trap porn site advertisements. Most "adult conversations" and most adult jokes pass through it, although some of them do get hit as collateral damage. In the ideal world the default SpamAssassin configuration should only hit unsolicited advertisements, and jokes from your friends would always pass through.

But since it's a customizable regex pattern engine, you can easily add your own rules that bump up the score on nearly any adult phrase.

A quick sample rule would be something like this:

body ADULT_WORD1 /\bfucking\b/i
score ADULT_WORD1 5.0

You could add a bunch more to that and wind up making SA into some kind of "adult content" filter.

At 10:45 AM 1/31/2003 -0600, Ray Olson wrote:
> I am looking for a mail filter to block adult content at the MTA level.
> Will Spam Assassin do this? If yes where can I look for setup info?
>
> Thanks for the help
> Ray
Re: [SAtalk] Received: from bowser (bowser.slooff.net [192.168.0.3])
On Fri, 31 Jan 2003 the voices made Tony Earnshaw write:

TE> If there had been a you-must-expect-spam-from-our-posters warning on
TE> this list, I would have expected it as something natural. As it was, it
TE> took me by surprise. In future it won't :-)

This is a list about a product that battles spam, did you really expect this list to be free from "why did this [included/attached text] get such a low score"-questions?

And regarding to your setup, did you really expect there to be no false positives at all?

--
/\___/\ /\___/\
\_@ @_/ \_@ @_/
+--oOO-(_)-OOo--oOO-(_)-OOo--+
| Per scientiam ad libertatem! // Through knowledge towards freedom! |
+---ôôô---ôôôôôô---ôôô---+
\O/ \O/ (c)1998-2003 [EMAIL PROTECTED] \O/ \O/
Re: [SAtalk] New way of OBFUSCATING_COMMENT's
Bart Schaefer wrote on Fri, 31 Jan 2003 09:50:49 -0800 (PST):

> The MSword ones definitely do; if you use the Word menus to send a
> document (not as an attachment), Word converts to multipart/alternative
> and its XML goop will appear in the text/html body part.
>

Well, but you can detect Word files and distinguish from those tags which are not XML compliant, anyway.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: [SAtalk] New way of OBFUSCATING_COMMENT's
Aaron Sherman wrote on 31 Jan 2003 11:53:03 -0500:

> Is it not done because of overhead concerns? Certainly, it would be
> expensive.
>

Possibly, but it could also reduce the processing overhead in other cases. Wouldn't it be enough to detect if an XML compliant renderer would be able to make sense out of a document? F.i. just doesn't make any sense if there is no DTD attached. It's legal to use unknown HTML tags, but barely done for obvious purposes. So, if there's no rendering information for those obfuscating tags one could assign a score.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: [SAtalk] Sendmail/Spam-milter/Spamassassin all fine - is there a simple trash option for spam
John wrote on Fri, 31 Jan 2003 17:33:53 +1100:

> I haven't been able to find a way of using spamassassin to trash mail
> that is spam
>

Don't trash email, quarantine it, see MailCorral
http://bsmdevelopment.com

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
[SAtalk] A new test idea
Sendmail and many other MTAs (not qmail though) add a Message-Id header if a message it handles does not have one. The only messages I see that lack Message-Id are direct-to-MX spam from shoddy malware. Messages that are sent normally by regular folks will have a Message-Id by the time it arrives at the destination. I think this would be a useful rule, since you can easily identify a Message-Id that was added by your own MTA (it has your domain in it). Pseudo-code would go something like this:

if (Message-Id contains mydomain &&
    (From|EnvelopeSender) contains foreigndomain) {
    Spamscore += 1.5
}

What do you think? This would not work on a sendmail/MIMEdefang/SA setup, since sendmail doesn't get to add the Message-Id until after the Milter has had a go at the message. But for people using SA via .forward, this should work pretty well.

---
"The avalanche has already begun. It is too late for the pebbles to vote." -- Kosh
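The rule proposed in the message above, worked through as an added example (not code from the post or from SpamAssassin). The function names, the `example.org` local domain and the four sample messages are constructed for illustration; the 1.5 increment is the one in the pseudo-code, and the envelope sender is assumed to be recorded in Return-Path at delivery.

```python
from email import message_from_string
from email.utils import parseaddr

SCORE = 1.5  # the increment used in the post's pseudo-code


def domain_of(value):
    """Return the lower-cased domain of an address or Message-Id, or ''."""
    value = (value or "").strip()
    addr = parseaddr(value)[1] or value.strip("<>")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].strip("<> ").rstrip(".").lower()


def is_local(domain, my_domains):
    """True for one of our domains or any host beneath it."""
    return any(domain == d or domain.endswith("." + d) for d in my_domains)


def msgid_added_here(raw, my_domains):
    """Apply the proposed rule to one raw message; returns (score, reason)."""
    msg = message_from_string(raw)
    msgid_domain = domain_of(msg.get("Message-Id"))
    if not msgid_domain:
        # The milter case from the post: scanned before the MTA adds the header.
        return 0.0, "no Message-Id present"
    if not is_local(msgid_domain, my_domains):
        return 0.0, "Message-Id issued elsewhere"
    # From header, plus the envelope sender as recorded in Return-Path.
    senders = [domain_of(msg.get(h)) for h in ("From", "Return-Path")]
    foreign = [d for d in senders if d and not is_local(d, my_domains)]
    if foreign:
        return SCORE, "local Message-Id, foreign sender " + foreign[0]
    return 0.0, "local Message-Id, local sender"


def build(*headers):
    """Assemble a minimal raw message from header lines (test helper)."""
    return "\n".join(headers) + "\n\nbody text\n"


MY_DOMAINS = ["example.org"]  # constructed local domain

# Constructed samples, not real traffic.
DIRECT_TO_MX = build(
    "Return-Path: <promo@bulk.example.net>",
    'From: "Promo" <promo@bulk.example.net>',
    "Message-Id: <200301311425.h0VEPR01@mx.example.org>",  # added by our MTA
)
NORMAL_REMOTE = build(
    "Return-Path: <friend@example.com>",
    "From: friend@example.com",
    "Message-Id: <3E3A8F10.1@mail.example.com>",  # added by the sender's side
)
LOCAL_USER = build(
    "Return-Path: <colleague@example.org>",
    "From: colleague@example.org",
    "Message-Id: <200301311430.h0VEUR02@mx.example.org>",
)
NOT_YET_STAMPED = build(
    "Return-Path: <promo@bulk.example.net>",
    "From: promo@bulk.example.net",
)

if __name__ == "__main__":
    for name in ("DIRECT_TO_MX", "NORMAL_REMOTE", "LOCAL_USER", "NOT_YET_STAMPED"):
        print(name, msgid_added_here(globals()[name], MY_DOMAINS))
```
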
Re: [SAtalk] New way of OBFUSCATING_COMMENT's
On 31 Jan 2003, Jason Kohles wrote:

> On Fri, 2003-01-31 at 12:23, Bob Apthorpe wrote:
> > On 31 Jan 2003 12:04:17 -0500
> > Jason Kohles <[EMAIL PROTECTED]> wrote:
> >
> > > There are also many webservers that provide the ability to define your
> > > own tags (Roxen's RXML, and IIS front-page extensions for example).
> >
> > True, but do those show up in email? Should they? (rhetorical questions
> > answered only by looking through a different mail corpus than mine.)
> >
> I have a lot of this stuff in my non-spam corpus mainly from webserver
> mailing lists and web project discussions for projects that use these
> features.

A small amount of whitelisting should allow valid list traffic if SA started flagging non-standard tags. And that would be great if everyone had the knowledge, willingness, and control to create custom rules.

Is it worth investigating modules like HTML::Clean or HTML::Tagset to detect HTML mail crapped up[1] with non-standard tagging or excessive commenting? Compare the size of:

- raw HTML content
- content w/o comments
- content w/o comments & non-standard tags
- content w/o any tagging

Provided the overhead isn't huge, you should get nice numerical metrics for comment fraction, non-standard tag fraction, and content/HTML ratio. Throw in invisible text fraction for good measure.

Worse comes to worse, one could extend these modules to recognize common proprietary tagging to let the Microsoft dross through unscathed. I don't know if that's really necessary though.

Does SA really need a full-blown HTML analyzer built in? I suspect that once you strip invisible text and all HTML tagging, the resulting content will be unambiguously spam or ham, or completely empty.

See:

http://search.cpan.org/author/SBURKE/HTML-Tree-3.17/lib/HTML/Tree/Scanning.pod
http://search.cpan.org/dist/HTML-Clean/
http://search.cpan.org/author/SBURKE/HTML-Tree-3.17/
http://search.cpan.org/author/SBURKE/HTML-Tagset-3.03/Tagset.pm

-- Bob

[1] Insert tiresome snarky comment about HTML in email being crap enough here.
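The four-way size comparison suggested in the message above, as an added example in Python rather than the Perl modules the post links to (it is not code from the post or from SpamAssassin). The `KNOWN_TAGS` subset, the thresholds in `looks_obfuscated` and both sample bodies are assumptions constructed for illustration; end-tag sizes are approximated as `</name>`, and the invisible-text fraction is not covered.

```python
from html.parser import HTMLParser

# Assumption: a hand-written subset of HTML 4 element names standing in for
# the full table a module such as HTML::Tagset would provide.
KNOWN_TAGS = frozenset("""
a abbr acronym address area b base big blockquote body br button caption
center cite code col colgroup dd del dfn div dl dt em fieldset font form
frame frameset h1 h2 h3 h4 h5 h6 head hr html i iframe img input ins kbd
label legend li link map meta noscript object ol optgroup option p param
pre q s samp script select small span strike strong style sub sup table
tbody td textarea tfoot th thead title tr tt u ul var
""".split())


class _Sizer(HTMLParser):
    """Tally characters spent on comments, known tags and unknown tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.comment = self.known = self.unknown = 0
        self.text = []

    def _count(self, tag, size):
        if tag in KNOWN_TAGS:
            self.known += size
        else:
            self.unknown += size

    def handle_comment(self, data):
        self.comment += len(data) + len("<!---->")

    def handle_decl(self, decl):
        self.known += len(decl) + len("<!>")  # DOCTYPE counts as normal markup

    def handle_starttag(self, tag, attrs):
        self._count(tag, len(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self._count(tag, len(self.get_starttag_text()))  # <br/> counted once

    def handle_endtag(self, tag):
        self._count(tag, len(tag) + len("</>"))

    def handle_data(self, data):
        self.text.append(data)


def html_metrics(html):
    """Return the four sizes from the post and the fractions derived from them."""
    parser = _Sizer()
    parser.feed(html)
    parser.close()
    raw = len(html)
    no_comments = raw - parser.comment
    no_nonstandard = no_comments - parser.unknown
    text_only = no_nonstandard - parser.known
    return {
        "raw": raw,
        "no_comments": no_comments,
        "no_nonstandard": no_nonstandard,
        "text_only": text_only,
        "comment_fraction": parser.comment / raw if raw else 0.0,
        "nonstandard_fraction": parser.unknown / raw if raw else 0.0,
        "content_ratio": text_only / raw if raw else 0.0,
        "text": "".join(parser.text),
    }


def looks_obfuscated(metrics, max_comment=0.10, max_nonstandard=0.05):
    """Assumed thresholds; real ones would be tuned against a mail corpus."""
    return (metrics["comment_fraction"] > max_comment
            or metrics["nonstandard_fraction"] > max_nonstandard)


# Constructed samples: words split by comments and a made-up tag, and a plain note.
OBFUSCATED = ("<html><body><p>Low mort<!-- k3j2 -->gage ra<zqx>tes</zqx>"
              " to<!--9f-->day</p></body></html>")
PLAIN = "<html><body><p>See you at <b>noon</b>.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("OBFUSCATED", OBFUSCATED), ("PLAIN", PLAIN)):
        m = html_metrics(body)
        print(name, m, looks_obfuscated(m))
```
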
Re: [SAtalk] Received: from bowser (bowser.slooff.net [192.168.0.3])
Fri, 2003-01-31 at 23:18, Tony L. Svanstrom wrote:

> TE> If there had been a you-must-expect-spam-from-our-posters warning on
> TE> this list, I would have expected it as something natural. As it was, it
> TE> took me by surprise. In future it won't :-)

> This is a list about a product that battles spam, did you really expect this
> list to be free from "why did this [included/attached text] get such a low
> score"-questions?

I didn't expect anything special. Certainly not Swedes who invariably write reasonable English - makes a pleasant change :-)

> And regarding to your setup, did you really expect there to be no false
> positives at all?

They weren't false positives at all. At least, not for 2.50. They were all spam that I'd have irritated myself over, had I received them from any other source. Still, this list's now been given carte blanche, so go ahead and post a few yourself, Tony.

Best,

Tony

--
Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-mail: [EMAIL PROTECTED]
www: http://www.billy.demon.nl
Re: [SAtalk] A new test idea
On Fri, Jan 31, 2003 at 02:48:01PM -0800, Mike Batchelor wrote:
> arrives at the destination. I think this would be a useful rule, since you
> can easily identify a Message-Id that was added by your own MTA (it has
> your domain in it). Pseudo-code would go something like this:

So is this somehow different than the MSG_ID_ADDED_BY_MTA* rules?

--
Randomly Generated Tagline:
"I'm a lesbian trapped in a man's body." - W. Smith
Re: [SAtalk] Repeat
> BA> > I guess I will try to ask this question again, last time I was attacked for
> BA> > asking.
>
> A, were people not nice to you? Bad, bad, bad Internet...
>
> BA> No, last time you were roundly chastised for being a right, honorable
> BA> bastard to anyone who tried to help you or get any specifics about your
> BA> particular setup, sa

*spits coffee all over keyboard and falls off chair laughing*

Oh, I should know better than to read this list while drinking coffee in the morning... ;)
[SAtalk] Spam Sorting and Purging
I have SpamAssassin 2.43 running and I am quite pleased..

I have around 3000 users whose email is being sorted into a mail folder with procmail. the mail can be checked with a web interface (imp/horde) for false positives. however many of my customers are either too stupid or just don't care to look.

i need an easy way to scan all of the mail folder files to get rid of messages older than two weeks...

any ideas ??

thanks..
Re: [SAtalk] Postfix - Don't Scan Outbound
On Fri, 2003-01-31 at 13:12, Ray Dzek wrote:

> I want to take the functionality of the 3 boxes I have now (Inbound Postfix
> +SA, Sendmail Outbound Relay, and Postfix + POP3) and cut that all down to
> one box. The transport mappings and aliases required to get the Mac users
> onto the POP3 box are killing me and as you can imagine not all that fun to
> maintain.

1. It sounds like you should investigate a different protocol. Can cc:mail do IMAP? Have you tried putting the Mac users on IMAP and seeing if they still crash cc:Mail? Splitting users as you have is messy at best, as you've seen.

2. Outbound mail filtering should not be a problem. Unless I misunderstand, mail sent to "[EMAIL PROTECTED]" should not go through your filters because it's not bound for an internal delivery. Filtering should only be happening on delivery, no? You may end up filtering internal user 1's message to internal user 2, but you can fix that with a more_spam rule.

--
Aaron Sherman <[EMAIL PROTECTED]>
This message granted to the Public Domain in 2023. Fight the DMCA and copyright extension! http://eldred.cc/
Re: [SAtalk] Postfix - Don't Scan Outbound
This is actually a common question about Postfix. The answer is no, you can't do anything within Postfix itself to make an inbound/outbound distinction.

The best answer is apparently to run a separate postfix server on the same box. The document on www.spamassassin.org about making Postfix work with spamassassin mentions how you do this.

Ray Dzek wrote:

> Hi. My name's Ray and I am a cc:Mail Admin. I know, I know. I'm not proud of it. But it took a lot of courage for me to stand before you and admit that to the group.
>
> To make a long story short... No I cannot use anything else currently.
>
> The Mac users are crashing the cc:Mail <--> Pop3 service almost daily. I am moving them to a RH Linux POP3 server.
>
> I want to take the functionality of the 3 boxes I have now (Inbound Postfix +SA, Sendmail Outbound Relay, and Postfix + POP3) and cut that all down to one box. The transport mappings and aliases required to get the Mac users onto the POP3 box are killing me and as you can imagine not all that fun to maintain.
>
> So .. I will have one box that will filter inbound mail and relay to cc:Mail, relay outbound mail for the cc:Mail Gateway, and also be the new POP3 server for the Mac users.
>
> But I want the outbound mail to go out unfiltered. Is that something I ask about SA or Postfix? Do I just alter SA to not scan mail from my domain? or do I run 2 instances of Postfix .. one inbound and one outbound on the same box?
>
> Thank in advance to all those more wise in these arcane matters.
>
> Ray
RE: [SAtalk] Received: from bowser (bowser.slooff.net [192.168.0.3])
Being the "joker" that was the cause of this thread I can only support the response of others that such a reaction to a posting in *this* list amazes me a bit. Just wanted to share as much info as necessary and that obviously will sometimes create false negatives.

My mail was not meant to be offending, but if so please give me and others guidelines on how to circumvent your interpretations of what is offending and what not ;-)

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On
> Behalf Of Tony Earnshaw
> Sent: Friday 31 January 2003 12:32
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Received: from bowser (bowser.slooff.net
> [192.168.0.3])
>
>
> This joker/subscriber set off my automatic smtp 550 mail
> refusal system
> under SA 2.50-CVS, so that particular posting from this list got
> refused. His SA 2.43 accepted it.
>
> I hope the list software doesn't kick me off for one 550.
> I've put it in
> the whitelist, now - so it shouldn't happen any more.
>
> I've gzipped his offending mail and attached it, so that
> people can see
> *why* it was refused (it got 9.1 points, trigger is 5.0). If the list
> strips attachments, so be it.
>
> B.t.w., even though this was refused with a 550, SA-Exim puts it in a
> cesspit, so that it can be examined at leisure. cron mails a list of
> refused stuff to root each day, with the relevant details.
Re: [SAtalk] Error: Can't locate object method "handle_auto_report"...
On Fri, Jan 31, 2003 at 03:49:34PM +0100, Enno Lenze wrote:
> Can't locate object method "handle_auto_report" via package
> "Mail::SpamAssassin:
> :PerMsgStatus" (perhaps you forgot to load
> "Mail::SpamAssassin::PerMsgStatus"?)
> at /usr/bin/spamassassin line 231.
> procmail: Program failure (70) of "/usr/bin/spamassassin"
> procmail: Rescue of unfiltered data succeeded
>
> i googled for this, but i didn't find anything.
>
> does anyone know, how to fix it?

Let me guess, you upgraded SA recently? The above almost always happens due to an upgrade and some form of mismatched code (scripts and modules, modules and rules, etc.)

--
Randomly Generated Tagline:
"If I were in the President's place, I would not get the opportunity to resign. I would be lying in a pool of my own blood hearing Mrs. Armey standing over me saying, 'How do I reload this damn thing?'" - Dick Armey
Re: [SAtalk] Received: from bowser (bowser.slooff.net [192.168.0.3])
On 31 Jan 2003, Tony Earnshaw wrote:

> This joker/subscriber set off my automatic smtp 550 mail refusal system
> [...]
> I've gzipped his offending mail and attached it, so that people can see
> *why* it was refused (it got 9.1 points, trigger is 5.0).

A 5.0 trigger is much too low (IMO) for generating an SMTP-level refusal. Even though that's the default level for tagging as spam, SA is just not _that_ accurate -- particularly if, as appears to be the case from your other postings, you're applying Bayesian analysis site-wide. Everything I've read so far about Bayes scoring indicates that it's best applied at the individual user level.
RE: [SAtalk] MS Outlook vcalendar doohickeys
Is there anything that can be done to stop it, or

On Thu, 30 Jan 2003, Jerry Rasmussen wrote:

> I believe it is the MIME Defang that causes this problem.
>
> -Original Message-
> From: Johnny L. Wales [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 30, 2003 5:11 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] MS Outlook vcalendar doohickeys
>
> Hiya!
>
> I'm getting complaints from users because Microsoft Outlook VCalendar
> messages are becoming just a wee little bit malformed, and thus not
> working at all. :) That is, instead of outlook taking some sort of
> action
> which asks the person if they are going to attend a particular meeting
> and
> updating their calendar, they simply see some text which is confusing
> and
> frightening to them. This is a little sample of it:
>
> X-UIDL: WI$!!p=L"!Y!D"!e0[!!
>
> BEGIN:VCALENDAR
> PRODID:-//Microsoft Corporation//Outlook 10.0 MIMEDIR//EN
> VERSION:2.0
> METHOD:REQUEST
> BEGIN:VEVENT
> ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE:MAILTO:[EMAIL PROTECTED]
> ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE:MAILTO:[EMAIL PROTECTED]
> ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE:MAILTO:[EMAIL PROTECTED]
> DTSTART:20030203T19Z
> DTEND:20030203T193000Z
> LOCATION:QA (QC) Lab
> TRANSP:OPAQUE
> SEQUENCE:0
> UID:04008200E00074C5B7101A82E008F0245FC142C8C201
> 100
> 06042D61B6398D14295A7EAAB0153791B
> DTSTAMP:20030130T153415Z
>
>
> etc. Now, this is supposed to invite all the people to whom it is sent
> to
> come to a meeting, then let them click a button that RSVPs the organizer
> and updates their calendar.
>
> Does anyone know what needs to be done to make these things work?
>
>
> Why these people can't use Pine and Yahoo! Calendar like everyone else
> is
> beyond me... ;)
>
>

--
Johnny Wales
Book Systems, Inc.
Re: [SAtalk] Error: Can't locate object method "handle_auto_report"...
On Fri, Jan 31, 2003 at 04:36:04PM +0100, Enno Lenze wrote:
> Yes. i updated it with apt-get, then i compile the current stable version,
> then the newest, without fixing the problem.

What you want to do is blow away the scripts, rules, and modules. Then reinstall.

--
Randomly Generated Tagline:
It makes sense to me. But then, I'm the guy that originally proposed it. :-)
 -- Larry Wall in <[EMAIL PROTECTED]>
Re: [SAtalk] Error: Can't locate object method "handle_auto_report"...
On Fri, Jan 31, 2003 at 10:30:05AM -0500, Theo Van Dinter wrote:
> Let me guess, you upgraded SA recently? The above almost always happens
> due to an upgrade and some form of mismatched code (scripts and modules,
> modules and rules, etc.)

Yes. i updated it with apt-get, then i compile the current stable version, then the newest, without fixing the problem.

bye, enno

--
: [http://www.handverbrennung.de] [ICQ #126972554] :
:--:
: Herrmann's Law: Whoever starts a spelling flame has lost. :
: Key fingerprint = 4B48 C13D D55C 76AC 6BD9 B3A4 3E65 359F 45C8 6402 :
[SAtalk] [Fwd: Information DecoFinder]
5.30 points, 5 required;
* -0.4 -- Forwarded email
* 0.3 -- BODY: HTML font face is not a commonly used face
* 1.2 -- BODY: Javascript to open a new window
* 0.3 -- BODY: HTML font color not within safe 6x6x6 palette
* 0.3 -- BODY: HTML font color is red
* 1.0 -- BODY: Message is 50% to 60% HTML
* 0.0 -- BODY: HTML included in message
* 0.3 -- BODY: FONT Size +2 and up or 3 and up
* 0.2 -- BODY: HTML font color is blue
* 0.2 -- BODY: HTML font color is missing hash (
* 0.3 -- BODY: HTML font color is gray
* 0.4 -- BODY: HTML font color is yellow
* 0.2 -- BODY: JavaScript code
* 0.2 -- BODY: Includes a URL link to send an email
* -0.2 -- Email came from some known mailing list software
* 1.0 -- Headers indicate a non-spam MUA (Ximian)

The original message did not contain plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

--- Begin Message ---

I'm running the cvs version of sa (updated a few days ago) and the attached spam received this scoring:

X-Spam-Status: No, hits=1.8 required=4.0
    tests=BAYES_60,HTML_60_70,HTML_FONT_BIG,HTML_FONT_COLOR_BLUE,
    HTML_FONT_COLOR_GRAY,HTML_FONT_COLOR_NOHASH,
    HTML_FONT_COLOR_RED,HTML_FONT_COLOR_UNSAFE,
    HTML_FONT_COLOR_YELLOW,HTML_FONT_FACE_ODD,HTML_JAVASCRIPT,
    HTML_MESSAGE,HTML_WIN_OPEN,MAILTO_LINK,MIME_HTML_ONLY,
    MSG_ID_ADDED_BY_MTA_3,NO_REAL_NAME
    version=2.50-cvs

It is most certainly spam, but the score is VERY low. I did sa-forget and sa-learn-spam it, which brought the score up through BAYES, but I was wondering if it makes sense to catch this in other ways.

I was thinking that perhaps the regexp:

    m{href="?(http://[^\/]+\/.*)\1{3,}}i

would be good, but the back-tracking overhead is non-trivial (perhaps wildly so). For those who don't recognize this construct, it matches the SAME URL (up to the host part) repeated 4 or more times.

4 is arbitrary here, and you could have something like the YELLING tests where you detect 2, 4, 8 and 16 of the same URL-prefix separately. Again, not sure of the overhead.

--
Aaron Sherman <[EMAIL PROTECTED]>
This message (c) 2003 by Aaron Sherman, and granted to the Public Domain in 2023. Fight the DMCA and copyright extension!

--- Begin Message ---

Title: ANN GARDEN SPECIAL

If you cannot read this message, click here

''The search and listing engine for decoration''

To have your products and your company presented to 54 532 new specifiers, journalists and buyers, and seen by 220 000 visitors per year.

Call 33 (0)1 56 91 38 00

On 24 FEBRUARY 2003 Decofinder will send out its GARDEN SPECIAL FEATURE

* Furniture
* Shelters, gates
* Planters, pots, miscellaneous

To 54 532 specifiers or buyers of your products and your company

>> Copy deadline 17/02/2003

Hotels 17 378
Bars and restaurants 15 852
Architects 2 910
Interior architects 6 701
Decorators 2 535
Journalists and editorial offices
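The tiered "same URL prefix seen 2, 4, 8 or 16 times" idea from the message above can be prototyped without backreferences, which sidesteps the backtracking cost it worries about. This is an added example, not code from the post or from SpamAssassin; the function names, the tier tuple and the sample hosts are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# One linear pass over the body; no backreferences, so no backtracking blow-up.
HREF_RE = re.compile(r'href\s*=\s*["\']?(https?://[^\s"\'<>]+)', re.IGNORECASE)
TIERS = (16, 8, 4, 2)  # separate thresholds, highest first (2/4/8/16 from the post)

def url_prefix_counts(html):
    """Count href targets per 'scheme://host/' prefix."""
    counts = Counter()
    for url in HREF_RE.findall(html):
        try:
            parts = urlsplit(url)
            host = parts.hostname
        except ValueError:  # malformed authority, e.g. an unclosed '['
            continue
        if host:
            counts[f"{parts.scheme}://{host}/"] += 1
    return counts

def repeated_prefix_tier(html):
    """Return (prefix, count, tier) for the most repeated prefix.

    tier is the highest threshold in TIERS that count reaches, or 0.
    """
    counts = url_prefix_counts(html)
    if not counts:
        return (None, 0, 0)
    prefix, count = counts.most_common(1)[0]
    tier = next((t for t in TIERS if count >= t), 0)
    return (prefix, count, tier)

# Constructed sample body (hypothetical hosts, not the forwarded message).
SAMPLE = """
<a href="http://promo.example/index.html">Home</a>
<a HREF="HTTP://Promo.Example/garden.html">Garden</a>
<a href='http://promo.example/order.html?id=1'>Order</a>
<a href=http://promo.example/contact.html>Contact</a>
<a href="http://promo.example:8080/unsub.html">Unsubscribe</a>
<a href="http://other.example/">Partner</a>
<a href="mailto:sales@promo.example">Mail us</a>
"""

if __name__ == "__main__":
    print(repeated_prefix_tier(SAMPLE))
```

Unlike the regexp in the post, this counts links to the same host anywhere in the body rather than only adjacent repeats, and it normalizes case and ports before counting.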
Re: [SAtalk] New way of OBFUSCATING_COMMENT's
On Fri, 31 Jan 2003, Greg Cirino wrote:

> |
> | On January 1st 2002, the European countries began
>
> what you have below as well as bogus closing tags example:
> or or... well you get the idea, does not
> get checked.
>
> I imagine a private rule (derived from the OBFUS...ENT rule) would
> also check for what you have below.
>
> There may need to be a list of valid html tags and a way to tell if there
> is/are valid tag pairs, otherwise, "legit" html tags will be flagged.

See HTML::Tagset. However, be aware that various HTML generators (especially MS Word) insert XML tags that are not legal HTML. [These are used by Word to convert back from HTML to something resembling the original internal format, if you re-open the document after saving as HTML.]

So in addition to checking for tags that are missing from the HTML set, you also need to examine the format of the tag. Unfortunately I don't have an example handy ...
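A sketch of the two-step check discussed in this message: look each tag up in a list of valid HTML elements, then examine the format of the unknown ones so that generator-inserted XML is not flagged. This is an added example, not code from the thread or from SpamAssassin; the short element list stands in for a full one such as HTML::Tagset's, the `prefix:name` shape for Word's XML (for example `<o:p>`) is an assumption, and the bogus tag names in the sample are made up.

```python
import re

# Abbreviated stand-in for a complete element list such as HTML::Tagset's
# (assumption: a real check would load the full list).
KNOWN_HTML = frozenset(
    "a b big blockquote body br center div em font h1 h2 h3 head hr html i "
    "img li meta ol p pre small span strong table tbody td th title tr u ul".split()
)
TAG_RE = re.compile(r"<(/?)([^\s<>/]+)[^<>]*>")
# 'prefix:name' shape of generator-inserted XML such as Word's <o:p> (assumed shape).
NAMESPACED_RE = re.compile(r"[A-Za-z][\w-]*:[A-Za-z][\w.-]*\Z")

def classify_tag(name):
    """Return 'markup', 'html', 'xml' or 'bogus' for a tag name."""
    if name[0] in "!?":
        return "markup"  # comments, doctype, processing instructions
    if name.lower() in KNOWN_HTML:
        return "html"
    if NAMESPACED_RE.match(name):
        return "xml"
    return "bogus"

def word_splitting_bogus_tags(html):
    """List bogus tags (opening or closing) with a letter directly on both sides."""
    hits = []
    for m in TAG_RE.finditer(html):
        if classify_tag(m.group(2)) != "bogus":
            continue
        before = html[m.start() - 1 : m.start()]
        after = html[m.end() : m.end() + 1]
        if before.isalpha() and after.isalpha():
            hits.append(m.group(0))
    return hits

# Constructed samples; the bogus tag names are made up for illustration.
OBFUSCATED = "<p>On January 1st 2002, the Eur<xyzzy>opean coun</qq>tries began</p>"
WORD_EXPORT = "<p class=MsoNormal>Meeting notes<o:p></o:p></p> <b>Agenda</b>"

if __name__ == "__main__":
    print(word_splitting_bogus_tags(OBFUSCATED))
    print(word_splitting_bogus_tags(WORD_EXPORT))
```

Requiring a letter on both sides of the tag keeps the check focused on tags that split a word, so an unknown tag standing on its own between words is not counted.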
RE: [SAtalk] MS Outlook vcalendar doohickeys
In local.cf change mimedefang to 0

-Original Message-
From: Johnny L. Wales [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 10:32 AM
To: Jerry Rasmussen
Cc: [EMAIL PROTECTED]
Subject: RE: [SAtalk] MS Outlook vcalendar doohickeys

Is there anything that can be done to stop it, or

On Thu, 30 Jan 2003, Jerry Rasmussen wrote:

> I believe it is the MIME Defang that causes this problem.
>
> -Original Message-
> From: Johnny L. Wales [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 30, 2003 5:11 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] MS Outlook vcalendar doohickeys
>
> Hiya!
>
> I'm getting complaints from users because Microsoft Outlook VCalendar
> messages are becoming just a wee little bit malformed, and thus not
> working at all. :) That is, instead of Outlook taking some sort of action
> which asks the person if they are going to attend a particular meeting and
> updating their calendar, they simply see some text which is confusing and
> frightening to them. This is a little sample of it:
>
> X-UIDL: WI$!!p=L"!Y!D"!e0[!!
>
> BEGIN:VCALENDAR
> PRODID:-//Microsoft Corporation//Outlook 10.0 MIMEDIR//EN
> VERSION:2.0
> METHOD:REQUEST
> BEGIN:VEVENT
> ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE:MAILTO:[EMAIL PROTECTED]
> ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE:MAILTO:[EMAIL PROTECTED]
> ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE:MAILTO:[EMAIL PROTECTED]
> DTSTART:20030203T19Z
> DTEND:20030203T193000Z
> LOCATION:QA (QC) Lab
> TRANSP:OPAQUE
> SEQUENCE:0
> UID:04008200E00074C5B7101A82E008F0245FC142C8C201
> 100
> 06042D61B6398D14295A7EAAB0153791B
> DTSTAMP:20030130T153415Z
>
>
> etc. Now, this is supposed to invite all the people to whom it is sent to
> come to a meeting, then let them click a button that RSVPs the organizer
> and updates their calendar.
>
> Does anyone know what needs to be done to make these things work?
>
>
> Why these people can't use Pine and Yahoo! Calendar like everyone else is
> beyond me... ;)
>
>

--
Johnny Wales
Book Systems, Inc.
[SAtalk] Problem with make test
When I do a make test for Mail-SpamAssassin-2.43 I get the following results:

[join@ernie Mail-SpamAssassin-2.43]$ make test
PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib -I/usr/perl5/5.00503/sun4-solaris -I/usr/perl5/5.00503 -e 'use Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
t/basic_lint...ok
t/db_awl_path...Expecting a 'cannot create tmp lockfile' warning here...
Cannot create tmp lockfile ./log/awl/shouldbeinaccessible.lock : Not a directory
t/db_awl_path...ok
t/db_based_whitelist...ok
t/db_based_whitelist_ips...ok
t/forged_rcvd...ok
t/lang_pl_tests...couldn't set locale correctly
t/lang_pl_tests...ok
t/nonspam...ok
t/razor...skipped
        all skipped: no reason given
t/razor2...skipped
        all skipped: no reason given
t/reportheader...ok
t/spam...ok
t/spamd...spamd start failed at t/SATest.pm line 219.
Maybe you need to kill a running spamd process?
        Not found: endsinnums = FROM_ENDS_IN_NUMS
        Not found: noreal = NO_REAL_NAME
        Not found: subj = Subject: *SPAM* There yours for FREE!
        Not found: flag = X-Spam-Flag: YES
        Not found: stars = X-Spam-Level: **
        Not found: status = X-Spam-Status: Yes, hits=
t/spamd...FAILED tests 2-7
        Failed 6/7 tests, 14.29% okay
t/spamd_maxchildren...spamd start failed at t/SATest.pm line 219.
Maybe you need to kill a running spamd process?
t/spamd_maxchildren...NOK 1
        Not found: endsinnums = FROM_ENDS_IN_NUMS
        Not found: noreal = NO_REAL_NAME
        Not found: flag = X-Spam-Flag: YES
        Not found: stars = X-Spam-Level: **
        Not found: status = X-Spam-Status: Yes, hits=
t/spamd_maxchildren...NOK 15
        Not found: endsinnums = FROM_ENDS_IN_NUMS
t/spamd_maxchildren...NOK 16
        Not found: noreal = NO_REAL_NAME
t/spamd_maxchildren...NOK 17
        Not found: flag = X-Spam-Flag: YES
t/spamd_maxchildren...NOK 18
        Not found: stars = X-Spam-Level: **
t/spamd_maxchildren...NOK 19
        Not found: status = X-Spam-Status: Yes, hits=
t/spamd_maxchildren...FAILED tests 1-7, 15-21
        Failed 14/21 tests, 33.33% okay
t/spamd_maxsize...spamd start failed at t/SATest.pm line 219.
Maybe you need to kill a running spamd process?
t/spamd_maxsize...ok
t/spamd_parallel...spamd start failed at t/SATest.pm line 219.
Maybe you need to kill a running spamd process?
        Not found: endsinnums = FROM_ENDS_IN_NUMS
        Not found: noreal = NO_REAL_NAME
        Not found: flag = X-Spam-Flag: YES
        Not found: stars = X-Spam-Level: **
        Not found: status = X-Spam-Status: Yes, hits=
t/spamd_parallel...NOK 15
        Not found: endsinnums = FROM_ENDS_IN_NUMS
t/spamd_parallel...NOK 16
        Not found: noreal = NO_REAL_NAME
t/spamd_parallel...NOK 17
        Not found: flag = X-Spam-Flag: YES
t/spamd_parallel...NOK 18
        Not found: stars = X-Spam-Level: **
t/spamd_parallel...NOK 19
        Not found: status = X-Spam-Status: Yes, hits=
t/spamd_parallel...FAILED tests 1-6, 15-20
        Failed 12/20 tests, 40.00% okay
t/spamd_port...spamd start failed at t/SATest.pm line 219.
Maybe you need to kill a running spamd process?
        Not found: subj = Subject: *SPAM* There yours for FREE!
        Not found: flag = X-Spam-Flag: YES
        Not found: status = X-Spam-Status: Yes, hits=
t/spamd_port...FAILED tests 2-4
        Failed 3/4 tests, 25.00% okay
t/spamd_stop...spamd start failed at t/SATest.pm line 219.
Maybe you need to kill a running spamd process?
        Not found: status = X-Spam-Status: Yes,
t/spamd_stop...FAILED test 2
        Failed 1/2 tests, 50.00% okay
t/strip2...ok
t/stripmarkup...ok
t/susprecips...ok
t/verysusprecips...ok
t/whitelist_addrs...ok
t/whitelist_to...ok
Failed Test            Stat Wstat Total Fail  Failed  List of Failed
---------------------------------------------------------------------
t/spamd.t                             7    6  85.71%  2-7
t/spamd_maxchildren.t                21   14  66.67%  1-7 15-21
t/spamd_parallel.t                   20   12  60.00%  1-6 15-20
t/spamd_port.t                        4    3  75.00%  2-4
t/spamd_stop.t                        2    1  50.00%  2
2 tests skipped.
Failed 5/23 test scripts, 78.26% okay. 36/119 subtests failed, 69.75% okay.
*** Error code 11
make: Fatal error: Command failed for target `test_dynamic'
You have mail in /var/mail//join
[join@ernie Mail-SpamAssassin-2.43]$

The platform is Sun Ultra 1, Solaris 8.

Regards
Jon Ingason
Equant Sweden A
Re: [SAtalk] Sendmail/Spam-milter/Spamassassin all fine - is there a simple trash option for spam
On Fri, 2003-01-31 at 07:33, John wrote:

> I haven't been able to find a way of using spamassassin to trash mail
> that is spam. I've seen some indication that procmail can be used
> but in my relaying environment I can't see that as working. spamtrap1
> seems to be for individual accounts so that also seems not the answer
> for my relay/spamchecker... any help or links (I'm happy to read) would
> be great.

Maybe you'd like to go back over the postings for the last day or so. For me, it seems that trashing e-mails is all too easy, though I use Exim, not Sendmail.

Best,
Tony

--
Tony Earnshaw
When all's said and done ... there's nothing left to say or do.
e-mail: [EMAIL PROTECTED]
www: http://www.billy.demon.nl
[SAtalk] Received: from bowser (bowser.slooff.net [192.168.0.3])
This joker/subscriber set off my automatic smtp 550 mail refusal system under SA 2.50-CVS, so that particular posting from this list got refused. His SA 2.43 accepted it. I hope the list software doesn't kick me off for one 550. I've put it in the whitelist, now - so it shouldn't happen any more.

I've gzipped his offending mail and attached it, so that people can see *why* it was refused (it got 9.1 points, trigger is 5.0). If the list strips attachments, so be it.

B.t.w., even though this was refused with a 550, SA-Exim puts it in a cesspit, so that it can be examined at leisure. cron mails a list of refused stuff to root each day, with the relevant details.

Best,
Tony

--
Tony Earnshaw
When all's said and done ... there's nothing left to say or do.
e-mail: [EMAIL PROTECTED]
www: http://www.billy.demon.nl

1044010630_001201c2c903$d36df9c0$[EMAIL PROTECTED] Description: GNU Zip compressed data