RE: [SAtalk] [RD] Trojaned machines

2003-10-25 Thread Chris Santerre


> -Original Message-
> From: Keith C. Ivey [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 22, 2003 8:14 PM
> To: [EMAIL PROTECTED]
> Cc: Chris Santerre
> Subject: Re: [SAtalk] [RD] Trojaned machines
> 
> > 
> > This smells of a trojaned box for spamming. I'm thinking of
> > writing a rule that looks for http links with IP addresses and a
> > port number. I'm thinking the FP rate would be low. 
> > 
> > It is tough to remember everything SA looks for. Does 2.60 have
> > something like this? Comments?
> 
> Look at the NORMAL_HTTP_TO_IP and WEIRD_PORT tests in 
> 20_uri_test.cf.
> 
> -- 
> Keith C. Ivey <[EMAIL PROTECTED]>
> Washington, DC
> 

Ah!! Thanks! I'm going to spend some time reading all the rules in 2.60 now.
Save myself some headaches. That file raised a few regex questions:

Why are some URI rules written normally like this:
uri name /regex/ 
and others:
uri name m{regex}
uri name [EMAIL PROTECTED]@

What is up with the m's?

-Chris (back to regex 101) Santerre


---
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


RE: [SAtalk] [RD]Spammer uses address in hosted domain

2003-10-25 Thread Marc Steuer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Justin
Mason
Sent: Thursday, October 23, 2003 12:19 PM
To: Marc Steuer
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] [RD]Spammer uses address in hosted domain 

>>Hi list-members,
>>
>>How should SA be configured to handle the following situation?
>>
>>An account in one of my hosted domains received a spam message with his 
>>own e-mail address as the counterfeit "from" and "reply-to" addresses.  
>>The hosted domain is included SA's "whitelist_from", to avoid the 
>>possibility that "valid" messages between domain accounts would be 
>>tagged as spam.  SA correctly identified the message as a potential 
>>spam, however, the -100 score for the whitelist_from entry overwhelmed 
>>the other scores.

>It's a FAQ.  Use whitelist_from_rcvd.

OK, I've looked at the FAQ and the conf.cf file for instructions on how to
use whitelist_from_rcvd.

It appears that the syntax of the rule should be:

whitelist_from_rcvd [EMAIL PROTECTED] mydomain.com

This would catch messages with received headers that are set to
[EMAIL PROTECTED], if the messages were sent to users at my domain by
other than my own mail server.

Do I understand this correctly?

Marc   





Re: [SAtalk] spamd -m stable?

2003-10-25 Thread Hannu Liljemark
On Thu, Oct 23, 2003 at 10:41:11PM -0700, Cheryl L. Southard wrote:

> Normally, spamd takes about 30 seconds to complete, but when it's
> in swapping-hell it takes approximately 550 seconds, and since
> each one takes 20MB of memory, quite a few (up to MAX_DAEMON_CHILDREN,
> I suppose) can start up and our mail server runs out of memory.

Normally 30s? That's crazy... what kind of Sun is running spamd?
If it's a modern system and up to the task, perhaps the problem is
elsewhere. If you're doing dns checks with SpamAssassin, make sure
the nameservers defined in resolv.conf are correct - scans could
take 30s if the first nameserver times out or something else.


-- 
(Mr.) Hannu Liljemark  |  Appelsiini Finland Oy  |  http://appelsiini.com




Re: [SAtalk] SA + MySQL

2003-10-25 Thread Matt Brown
On Thursday 23 October 2003 07:08 pm, Michael Bellears wrote:
> My debug output indicates that sql prefs are being fetched for user
> 'spamd' rather than recipient of e-mail:
>
> debug: retrieving prefs for spamd from SQL server
>
> MySQL Logs indicate that prefs are being queried on user spamd or
> default (@GLOBAL)
>
> Query   select preference, value  from userpref where username =
> 'spamd' or username = 'GLOBAL' or username = '@GLOBAL' order by username
> asc
>
> Spamd:
> /usr/bin/perl /usr/sbin/spamd -D -m 10 -a -v -x -q -u vpopmail -H
> /home/vpopmail/ -d --pidfile=/var/run/spamd.pid
>
> Any ideas as to why sa is not attempting to extract prefs based on
> recips address?

How are you calling spamc? Be sure to use the -u option to pass the username 
associated with the email being scanned. Something like this:

/usr/bin/spamc -f -u $username

--
Matt Brown
LAMP Host




RE: [SAtalk] IP Blocks to kill at the firewall?

2003-10-25 Thread Colin A. Bartlett
ian douglas Sent: Friday, October 24, 2003 2:20 AM

> Am I the only one who's received a half dozen copies of this reply from
> Chris from the mailing list?

Nope, I got 8 copies of the same reply as well. I compared the headers on a
bunch and it looks like the first two hops have the same datestamp on all
the copies. Here is where it is different.

Message 8:
Received: from imf01aec.mail.bellsouth.net ([205.152.59.49])
  by sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.22)
  Thu, 23 Oct 2003 18:06:35 -0700

Message 7:
Received: from imf13aec.mail.bellsouth.net ([205.152.59.61])
  by sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.22)
  Fri, 24 Oct 2003 01:12:49 -0700

Weird. Different mailservers at bellsouth.net keep sending the same message?

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz





Re: [SAtalk] spamass-milter error

2003-10-25 Thread Hannu Liljemark
On Wed, Oct 22, 2003 at 11:27:10AM -0500, Mike Carlson wrote:

> I am getting this in my logs when I send a test message.
>  
> Oct 22 11:39:23 hades sendmail[2157]: h9MGZNQk002157: Milter
> (spamassassin): timeout before data read
> Oct 22 11:39:23 hades sendmail[2157]: h9MGZNQk002157: Milter
> (spamassassin): to error state

Try MIMEDefang, miltrassassin or MailScanner instead.


-- 
(Mr.) Hannu Liljemark  |  Appelsiini Finland Oy  |  http://appelsiini.com




RE: [SAtalk] [RD]Consonant and Vowel Pairs or Sequences

2003-10-25 Thread Chris Santerre
> 
> Update of OBFU chr's rule.

I think we can call them Fred's OBFU rules now. You did much more work on
them than I did. Heck, you looked at a bunch of dictionaries. I can't even
spell dictionary! :-)


> 
> rawbody  __FVGT_rb_ATTACHMENT /Content-Disposition: attachment/i
> body  __FVGT_b_OBFU_J  /j(b|c|f|g|w)/i
> body  __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
> body  __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
> body  __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
> body  __FVGT_b_OBFU_V  /(f|g|q|w)v/i
> body  __FVGT_b_OBFU_X  /(c|g|j|k|q|s|v|z)x/i
> body  __FVGT_b_OBFU_Z  /(f|j|k|p|q|x)z/i
> meta  FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER +
> __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + 
> __FVGT_b_OBFU_X +
> __FVGT_b_OBFU_Z && !__FVGT_rb_ATTACHMENT) > 1)
> describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter 
> combinations
> score  FVGT_m_MULTI_ODD 1.4
> 
> 

So So So very nice. Have you run this past an email written in MS.Word? I've
seen some FP's on mine. I'm thinking you might need to add one more meta
that checks to make sure it wasn't written in Word. I have a rule I can send
you somewhere. You don't want to check the obvious stuff for word docs, as
spammers can fake that. 

I'll test against this tomorrow and see. 


> This one is less likely to cause false positives when a 
> message contains a
> double-forwarded attachment.
> That's the only issues I've seen here.
> 

Nice thinking!


> Is this rule syntax legal?  I didn't know I could combine an 
> additive rule
> with a ! and have it all work ;)
> 

Define "legal" ;)  Looks OK to me!

--Chris Santerre
 




Re: [SAtalk] SA + MySQL

2003-10-25 Thread Kris Deugau
Michael Bellears wrote:
> My debug output indicates that sql prefs are being fetched for user
> 'spamd' rather than recipient of e-mail:
[snip]
> Spamd:
> /usr/bin/perl /usr/sbin/spamd -D -m 10 -a -v -x -q -u vpopmail -H
> /home/vpopmail/ -d --pidfile=/var/run/spamd.pid

How is spamc getting called?  You may need to add the -u {user} argument
to make sure spamc tells spamd to look up the right set of preferences.

By default, IIRC, the correct user is *supposed* to be automagically
detected (assuming it isn't overridden by something else)...  but I
don't know what conditions that's attached to.

-kgd
-- 
 hm. I've lost a machine.. literally _lost_. it responds to
ping, it works completely, I just can't figure out where in my
apartment it is.




Re: [SAtalk] A way to disociate analyze and scoring phase.

2003-10-25 Thread Nigel Metheringham
On Thu, 2003-10-23 at 10:44, Matt Kettler wrote:
> What did you want to dissociate them for anyway? 

Doing this would allow receipt time (single) scanning of mail along with
per-user decisions as to whether to accept/reject/markup the mail.

Nigel.
-- 
[ Nigel Metheringham   [EMAIL PROTECTED] ]
[ - Comments in this message are my own and not ITO opinion/policy - ]





Re: [SAtalk] [RD] yahoo redirect

2003-10-25 Thread Jeremy Zawodny
On Fri, Oct 24, 2003 at 02:58:06PM -0700, Justin Mason wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> Chris Santerre writes:
> >The default rule in 2.60 is (May wrap in your email viewer):
> >
> >uri  YAHOO_REDIR
> >/^https?\:\/\/rd\.yahoo\.com\/(?:[0-9]{4,}|partner\b|dir\b)/i
> >describe YAHOO_REDIR Has Yahoo Redirect URI
> 
> The idea was to avoid FPing on the "new" redirectors Yahoo! put in
> place.  It's now clear those new redirectors are as broken as the
> old ones.

Yahoo is well aware of the SA rules.  Any new redirectors they add
will not trigger those rules and not be open to abuse either.

Jeremy
-- 
Jeremy D. Zawodny |  Perl, Web, MySQL, Linux Magazine, Yahoo!
<[EMAIL PROTECTED]>  |  http://jeremy.zawodny.com/




[SAtalk] [RD] Taking another shot at my obfu chars rules

2003-10-25 Thread Fred I-IS.COM
Here is the latest update for those who are interested, attached is the
"Freds OBFU" rules.
This version does not FP on PGP signatures.
Also using Character Classes and included the set of Subject OBFU rules.

*Chris, feel free to post this one to your site!

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/


Obfu.cf
Description: Binary data


[SAtalk] Checking whitelist

2003-10-25 Thread Jason Staudenmayer
How would one go about viewing the entries in your auto-whitelist and
manually changing it?

Thnx J




Re: [SAtalk] yahoo redirect

2003-10-25 Thread Patrick Morris
Unless I'm reading this regex incorrectly:

/^https?\:\/\/rd\.yahoo\.com\/(?:[0-9]{4,}|partner\b|dir\b)/i

it's pretty specific about looking for "http[s]://rd.yahoo.com".

Colin A. Bartlett wrote:

Can anyone hazard a guess as to why a message with an image and several
links in this fashion did not match the test YAHOO_REDIR...
http://srd.yahoo.com/drst/accomplished/*http://www.grestccd.com/k.jpg";>
An image-only spam like this slipped through my SA with only these tests
matched:
 BAYES_44
 HTML_FONT_INVISIBLE
 HTML_IMAGE_ONLY_02
 HTML_MESSAGE
 MIME_HTML_ONLY
 MSGID_FROM_MTA_HEADER
 RCVD_IN_RFCI
cheers,
Colin
Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
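
An added example, not part of the original posts: a Python port of the quoted YAHOO_REDIR pattern run over the URI from Colin's message plus constructed URIs, reporting which part of the pattern each miss fails on. The helper names (explain, looks_like_yahoo_redirect), the EMBEDDED_TARGET check and the example.invalid URIs are assumptions for illustration, not SpamAssassin rules.

```python
import re
from urllib.parse import urlsplit

# The 2.60 YAHOO_REDIR pattern exactly as quoted in the thread. It is Perl
# syntax, but Python's re module accepts it unchanged.
YAHOO_REDIR = re.compile(
    r"^https?\:\/\/rd\.yahoo\.com\/(?:[0-9]{4,}|partner\b|dir\b)", re.I)

# Hypothetical broader check (an assumption, not a shipped rule): any
# yahoo.com host whose path embeds a second URL after a "*".
EMBEDDED_TARGET = re.compile(r"\*https?://", re.I)


def explain(uri):
    """Return (matched, reason) for the stock rule against one URI."""
    if YAHOO_REDIR.search(uri):
        return True, "matches YAHOO_REDIR"
    host = (urlsplit(uri).hostname or "").lower()
    if host != "rd.yahoo.com":
        return False, f"host is {host!r}, rule requires 'rd.yahoo.com'"
    return False, "host ok, path does not start with 4+ digits, 'partner' or 'dir'"


def looks_like_yahoo_redirect(uri):
    """Broader test: host is yahoo.com or a subdomain, path embeds '*http://'."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    on_yahoo = host == "yahoo.com" or host.endswith(".yahoo.com")
    return on_yahoo and bool(EMBEDDED_TARGET.search(parts.path))


# First entry is the URI from the message above; the rest are constructed.
SAMPLE_URIS = [
    "http://srd.yahoo.com/drst/accomplished/*http://www.grestccd.com/k.jpg",
    "http://rd.yahoo.com/partner/*http://example.invalid/",
    "http://rd.yahoo.com/12345/*http://example.invalid/x",
    "http://rd.yahoo.com/drst/accomplished/*http://example.invalid/k.jpg",
    "http://www.yahoo.com/news/index.html",
    "http://rd.yahoo.com.example.invalid/partner/",
]


def report(uris=SAMPLE_URIS):
    """Return (uri, stock_rule_hit, reason, broader_check_hit) per URI."""
    rows = []
    for uri in uris:
        hit, reason = explain(uri)
        rows.append((uri, hit, reason, looks_like_yahoo_redirect(uri)))
    return rows


if __name__ == "__main__":
    for uri, hit, reason, broad in report():
        print(f"{'HIT ' if hit else 'miss'} broad={broad!s:5} {uri}\n     {reason}")
```

The URI from the message misses on the host alone ("srd" rather than "rd"), and the same path on rd.yahoo.com would still miss because of the path alternation.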




[SAtalk] SA Rules, Old blackholes.2mbit.com resurrected as dnsbl.ahbl.org , http://www.ahbl.org

2003-10-25 Thread SpamAssassin
SA Rules, Old blackholes.2mbit.com resurrected as dnsbl.ahbl.org ,
http://www.ahbl.org

# SpamAssassin local.cf for AHBL BlackList / BlockList
# "Old blackholes.2mbit.com resurrected as AHBL (dnsbl.ahbl.org)"
# URL: http://www.ahbl.org
header    RCVD_IN_AHBL                 eval:check_rbl('AHBL', 'dnsbl.ahbl.org.')
describe  RCVD_IN_AHBL                 AHBL: sender is listed in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL                 0.5
tflags    RCVD_IN_AHBL                 net

header    RCVD_IN_AHBL_UNKNOWN_1       eval:check_rbl_sub('AHBL', '127.0.0.1')
describe  RCVD_IN_AHBL_UNKNOWN_1       AHBL: Unknown Category 1 in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_UNKNOWN_1       0.01
tflags    RCVD_IN_AHBL_UNKNOWN_1       net

header    RCVD_IN_AHBL_SMTP            eval:check_rbl_sub('AHBL', '127.0.0.2')
describe  RCVD_IN_AHBL_SMTP            AHBL: Open SMTP relay in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_SMTP            0.5
tflags    RCVD_IN_AHBL_SMTP            net

header    RCVD_IN_AHBL_PROXY           eval:check_rbl_sub('AHBL', '127.0.0.3')
describe  RCVD_IN_AHBL_PROXY           AHBL: Open Proxy server in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_PROXY           0.5
tflags    RCVD_IN_AHBL_PROXY           net

header    RCVD_IN_AHBL_SPAM            eval:check_rbl_sub('AHBL', '127.0.0.4')
describe  RCVD_IN_AHBL_SPAM            AHBL: Spam Source in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_SPAM            0.5
tflags    RCVD_IN_AHBL_SPAM            net

header    RCVD_IN_AHBL_RTB             eval:check_rbl_sub('AHBL', '127.0.0.5')
describe  RCVD_IN_AHBL_RTB             AHBL: Real-Time Blocked in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_RTB             0.01
tflags    RCVD_IN_AHBL_RTB             net

header    RCVD_IN_AHBL_FORMMAIL        eval:check_rbl_sub('AHBL', '127.0.0.6')
describe  RCVD_IN_AHBL_FORMMAIL        AHBL: Abuseable Form Mail in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_FORMMAIL        0.5
tflags    RCVD_IN_AHBL_FORMMAIL        net

header    RCVD_IN_AHBL_SPAM_SUPPORT    eval:check_rbl_sub('AHBL', '127.0.0.7')
describe  RCVD_IN_AHBL_SPAM_SUPPORT    AHBL: Spam Supporter in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_SPAM_SUPPORT    0.5
tflags    RCVD_IN_AHBL_SPAM_SUPPORT    net

header    RCVD_IN_AHBL_I_SPAM_SUPPORT  eval:check_rbl_sub('AHBL', '127.0.0.8')
describe  RCVD_IN_AHBL_I_SPAM_SUPPORT  AHBL: Indirect Spam supporter in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_I_SPAM_SUPPORT  0.5
tflags    RCVD_IN_AHBL_I_SPAM_SUPPORT  net

header    RCVD_IN_AHBL_ENDUSER         eval:check_rbl_sub('AHBL', '127.0.0.9')
describe  RCVD_IN_AHBL_ENDUSER         AHBL: End User (non mail system) in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_ENDUSER         0.5
tflags    RCVD_IN_AHBL_ENDUSER         net

header    RCVD_IN_AHBL_SOS             eval:check_rbl_sub('AHBL-notfirsthop', '127.0.0.10')
describe  RCVD_IN_AHBL_SOS             AHBL: Shoot On Sight in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_SOS             0.5
tflags    RCVD_IN_AHBL_SOS             net

header    RCVD_IN_AHBL_RFCI_PA         eval:check_rbl_sub('AHBL', '127.0.0.11')
describe  RCVD_IN_AHBL_RFCI_PA         AHBL: Missing Postmaster or Abuse Address in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_RFCI_PA         0.5
tflags    RCVD_IN_AHBL_RFCI_PA         net

header    RCVD_IN_AHBL_5XXI            eval:check_rbl_sub('AHBL', '127.0.0.12')
describe  RCVD_IN_AHBL_5XXI            AHBL: Does not properly handle 5xx errors in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_5XXI            0.5
tflags    RCVD_IN_AHBL_5XXI            net

header    RCVD_IN_AHBL_RFCI_MISC       eval:check_rbl_sub('AHBL', '127.0.0.13')
describe  RCVD_IN_AHBL_RFCI_MISC       AHBL: Other Non-RFC Compliant in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_RFCI_MISC       0.5
tflags    RCVD_IN_AHBL_RFCI_MISC       net

header    RCVD_IN_AHBL_MISC            eval:check_rbl_sub('AHBL', '127.0.0.127')
describe  RCVD_IN_AHBL_MISC            AHBL: Misc (other) in BlackList / BlockList dnsbl.ahbl.org
score     RCVD_IN_AHBL_MISC            0.5
tflags    RCVD_IN_AHBL_MISC            net





Re: [SAtalk] spamass-milter

2003-10-25 Thread David B Funk
On Thu, 23 Oct 2003, Mark Merchant wrote:

> not sure if this is a spamassassin or milter issue, but here goes.
>
> i've been running spamassassin 2.54 & spamass-milter for 6 months or
> so. yesterday i decided to upgrade to 2.6 ( via cpan ).
>
> now, the spamass-milter daemon seems to stop running every few
> minutes.
>
> is spamassassin 2.60 not compatible with milter anymore?
> did the install whack something unobvious?
>
> anyone have any experience?

I cannot speak for spamass-milter but I was using miltrassassin
with 2.5* and had no trouble with the upgrade to 2.60
(at least not from miltrassassin, now bayes... ;).

So the general milter interface to 2.60 works, there may be
a problem with spamass-milter tho. Have you checked for an
update to it?

Dave

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{





[SAtalk] Final-Recipient: rfc822; unknown

2003-10-25 Thread Walter
Hello All,

I hope somebody can help me here because the postfix list and the amavis list couldn't
help me

I get every day 700 emails generated on my system by the mail-daemon saying:
from: Mail Delivery System
subject:Undelivered Mail Returned to Sender

Below is my standard (postfix) message:

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to 

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Mail deamon program

: No recipients specified

In the attached text file it is saying:

Reporting-MTA: dns; mail.mydoman.com
Arrival-Date: Mon, 20 Oct 2003 02:50:25 +0200 (CEST)

Final-Recipient: rfc822; unknown
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Mail-deamon; No recipients specified

How can I stop this? I checked already my log files and I see that it comes
from the apache daemon and the amount of bounced email is always the same
exactly 700. Also it is always at a different time.

one part from the log I see that apache is doing this.

Oct 23 04:49:55 mydomain postfix/pickup[15007]: A50F77F77E: uid=48
from=
Oct 23 04:49:55 mydomain postfix/cleanup[15096]: A50F77F77E:
message-id=<[EMAIL PROTECTED]>
Oct 23 04:49:55 mydomain postfix/cleanup[15096]: A50F77F77E: to=,
relay=cleanup, delay=0, status=bounced (No recipients specified)
Oct 23 04:49:55 mydomain postfix/cleanup[14975]: A6E097F785:
message-id=<[EMAIL PROTECTED]>
Oct 23 04:49:55 mydomain postfix/qmgr[10882]: A6E097F785: from=<>,
size=1971, nrcpt=1 (queue active)
Oct 23 04:49:55 mydomain postfix/local[15036]: A6E097F785:
to=<[EMAIL PROTECTED]>, orig_to=<[EMAIL PROTECTED]>, relay=local,
delay=0, status=sent (mailbox)

Hope that somebody can help me

With Regards
Walter




RE: [SAtalk] [OT] What is next step?

2003-10-25 Thread Satya
On Oct 24, 2003 at 22:06, Larry Gilson wrote:

>business because they tighten the grips.  One thing they can do is to only
>allow "business" customers to send and receive SMTP messages outside their
>mail servers.  Mail servers have to be registered with the ISP and have
>valid MX, A, and PTR records.

Leaving people like me, who know what they're doing (for some value
of), high and dry.

>  What if we asked the ISPs to check for open
>relays and shut down SMTP access until the problem is resolved?  Then

That might work.

>further restrict "residential" customers to their relay servers and that the
>header From match the MAIL FROM envelope.  What if we asked legislation to

See above.

Anyone who asks me to get a business-class connection is invited to
send donations to pay my bills. :-)

-- 
Satya. http://www.thesatya.com/>
Junk: stuff we throw away.  Stuff: junk we keep.




Re: [SAtalk] IP Blocks to kill at the firewall?

2003-10-25 Thread Terry Milnes
This is a spammer's wet dream come true, send out 15,000,000 'IMPORTANT' 
emails, use a bell smtp server and it reaches the end user 8 times so he 
doesn't miss the valuable message.

The same problem has been occurring at sympatico.ca as well, another 
"Bell" company.  It started about 3 weeks ago. One of my clients called 
to complain, the tech support rep. apologized and said their mail 
systems have a virus, nothing they can do about it, don't worry it won't 
affect your system..

Gotta love those tech support guys

tm

Colin A. Bartlett wrote:
ian douglas Sent: Friday, October 24, 2003 2:20 AM


Am I the only one who's received a half dozen copies of this reply from
Chris

from the mailing list?


Nope, I got 8 copies of the same reply as well. I compared the headers on a
bunch and it looks like the first two hops have the same datestamp on all
the copies. Here is where it is different.
Message 8:
Received: from imf01aec.mail.bellsouth.net ([205.152.59.49])
  by sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.22)
  Thu, 23 Oct 2003 18:06:35 -0700
Message 7:
Received: from imf13aec.mail.bellsouth.net ([205.152.59.61])
  by sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.22)
  Fri, 24 Oct 2003 01:12:49 -0700
Weird. Different mailservers at bellsouth.net keep sending the same message?

cheers,
Colin
Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz




[SAtalk] Re: Re: [OT] What is next step?

2003-10-25 Thread Chris Barnes
VonEssen, John <[EMAIL PROTECTED]> wrote:
> All this relies on many assumptions. We assume spammers regularly
> harvest addresses off usenet. We also assume that they clean their
> list when address appears to be bad. Has anybody tested this?

Just for grins, I just began trying it.

As we know, a lot of people use things like [EMAIL PROTECTED]
I would assume that any spammer worth their salt could write a program
to strip out the munging.

Others more clever might use something like [EMAIL PROTECTED]
While better, a spammer could still nuke that.  My presumption is that a
spammer's software would look for mixed case in the address and yank out
the uppercase stuff.

So I just changed my address for this newsgroup to [EMAIL PROTECTED]
It's a perfectly legit address with no anti-spam munging at all - it's
just using mixed case in odd places.  Let's see how many spams I get
addressed to the messed up address or (harder to measure) if my amount
of spam goes down.


--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes   AOL IM: CNBarnes
[EMAIL PROTECTED]Yahoo IM: chrisnbarnes
Computer Systems Manager   ph: 979-845-7801
Department of Physics fax: 979-845-2590
Texas A&M University







Re: Amavisd-new and logging untrusted relays... was: RE: [SAtalk] [OT ] What is next step?

2003-10-25 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Stewart, John writes:
> Clueless hacker wrote:
> > > Is there any way to get this _RELAYSUNTRUSTED_ data into the
> > > Mail::SpamAssassin object somehow? Then I think I could 
> > hack amavisd-new to
> > > log this relay information.
> 
> jm wrote:
> > Hmm -- I suppose you could do
> > 
> > my $untrusted = $per_msg_status->_get_tag ("_RELAYSUNTRUSTED_");
> > 
> > to get that -- but it's currently not officially unsupported ;)
> 
> "Not officially unsupported"... that must mean it's officially supported...
> WHOOO!! ;-P

er oops ;)

> Alas, this function doesn't seem to be returning anything for me. This is
> the code I did in amavisd. The last 3 lines are the ones I added to the
> spam_scan($$) function within amavisd:
> 
> $spam_level  = $per_msg_status->get_hits;
> $sa_required = $per_msg_status->get_required_hits; # not used
> $sa_tests= $per_msg_status->get_names_of_tests_hit;
> $spam_report = $per_msg_status->get_report;
> # Attempt to log untrusted relays
> my $untrusted = $per_msg_status->_get_tag ("_RELAYSUNTRUSTED_");
> do_log(1, "SPAM LEVEL=$spam_level, RELAYS=$untrusted");  
> 
> Unfortunately, the $untrusted variable always seems to be blank. This is
> what I see in the logs:

my bad. try

  my $untrusted = $per_msg_status->_get_tag ("RELAYSUNTRUSTED");

no _'s.

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Exmh CVS

iD8DBQE/mAojQTcbUG5Y7woRAv2iAKC5ZuzYo1RQKdWSU2I7ztmY3Q6FEwCgrxgZ
00dytzPq+sbCM9y1ud9Ciqc=
=R37G
-END PGP SIGNATURE-





Re: [SAtalk] 5.0 spampoints

2003-10-25 Thread Tim B
Jeffrey Schilperoord wrote:
What is the easiest way to change the 5.0 spampoints to a higher level ?

greetings Jeffrey Schilperoord

in your /etc/mail/spamassassin/local.cf file add/change the line
required_hits 5  to whatever you want it to be.




Re: [SAtalk] Cannot open bayes databases...: tie failed:

2003-10-25 Thread Juha Nieminen
On Thu, 23 Oct 2003, Theo Van Dinter wrote:

> in that case, if you run sa-learn with -D, you should see it try to do
> the upgrade, the error happens, and the upgrade fails.

  I actually saw that there's a new option --import in sa-learn and I ran
it with that (actually "sa-learn -D --import"). I wasn't too hopeful, but
I wanted to try anything.

  It fixed the databases! It's working now! Wow!

  I suppose this might be a valuable experience in case someone else
is having the same problem.

  (Btw, "sa-learn --rebuild" afterwards deleted the obsolete old files
in ~/.spamassassin, which is cool too (because I wasn't sure which of
those files were simply remnants of earlier versions).)

- Warp





[SAtalk] Re: [AMaViS-user] Amavisd-new and logging untrusted relays...

2003-10-25 Thread Mark Martinec
John,

| - The "action" routine would run through the hashes and compute the average
| spam levels for each IP, ...
|...
| I guess I need to sort out what a good criteria would be for action. Would
| average spam level be an adequate way to determine a "bad" IP? ...

Don't use 'average' on datasets that are not uniform or gaussian in their
nature, but can easily be skewed (e.g. a single whitelisted score of -100
will bump the average way out). A much better measure is the median value
(the middle element in the sorted list; you don't need to actually sort it
to get it).

  Mark
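
The mean-versus-median point above, as an added example that is not part of the original thread: per-relay scores are summarized both ways, and the median is found by quickselect rather than a full sort. The IP addresses, scores, function names and the 5.0 cutoff are constructed for illustration.

```python
import random
from statistics import mean

# Constructed sample: SpamAssassin scores logged per relay IP
# (documentation address ranges, not real hosts).
SCORES_BY_IP = {
    "192.0.2.10": [18.2, 21.5, 16.9, 24.0, -100.0],   # spam source, one whitelisted hit
    "198.51.100.7": [0.3, -1.2, 1.1, 0.0, 0.8, 2.4],  # ordinary sender
}


def kth_smallest(items, k, rng):
    """Quickselect: k-th smallest element (0-based), average O(n), no full sort."""
    items = list(items)
    while True:
        pivot = items[rng.randrange(len(items))]
        lows = [x for x in items if x < pivot]
        equal = [x for x in items if x == pivot]
        highs = [x for x in items if x > pivot]
        if k < len(lows):
            items = lows
        elif k < len(lows) + len(equal):
            return pivot
        else:
            k -= len(lows) + len(equal)
            items = highs


def median_by_selection(values, seed=0):
    """Median of a non-empty list; even-length lists average the two middle values."""
    if not values:
        raise ValueError("no scores recorded")
    rng = random.Random(seed)
    n = len(values)
    if n % 2:
        return kth_smallest(values, n // 2, rng)
    return (kth_smallest(values, n // 2 - 1, rng) + kth_smallest(values, n // 2, rng)) / 2


def summarize(scores_by_ip, cutoff=5.0):
    """Flag each IP as 'bad' by mean and by median (cutoff is an assumed value)."""
    report = {}
    for ip, scores in scores_by_ip.items():
        avg = mean(scores)
        med = median_by_selection(scores)
        report[ip] = {
            "mean": round(avg, 2),
            "median": round(med, 2),
            "bad_by_mean": avg >= cutoff,
            "bad_by_median": med >= cutoff,
        }
    return report


if __name__ == "__main__":
    for ip, row in summarize(SCORES_BY_IP).items():
        print(ip, row)
```

With the constructed data, the single -100 entry drags the first relay's mean below zero while its median stays well above the cutoff.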




Re: [AMaViS-user] [SAtalk] RE: Amavisd-new and logging untrusted relays... was: RE: [SAtalk] [OT ] What is next step?

2003-10-25 Thread Mark Lawrence

Is anyone else also getting some emails lately two or three times? As far
as I know I am only subscribed to one of these lists...

Perhaps one list is actually subscribed to the other?

cheers.
-- 
Mark Lawrence ([EMAIL PROTECTED])





[SAtalk] some questions to per user prefs

2003-10-25 Thread Andreas Vogt
Hi all,

I read all the docs but still have some questions.

At the moment I'm using spamassassin 2.60 together with sendmail and  
spamass-milter. My /etc/mail/spamassassin/local.cf uses global settings  
for all users, also for global bayes.

Users (about 600) aren't shell-users (/etc/passwd) but have local dirs for a
vpopmail-like system.

Now I am considering having

a) per user definitions in sql or like vpopmail options in users  
directories.


b) a possibility for our users to claim a mail as spam and feeding it back  
to bayes (and with spamassassin -r also to razor/pyzor)


Concerning a):

  - as long as there is no special user pref in sql, SA uses @GLOBAL.
What happens if the sql server isn't running? What preferences will then
take effect?

How can I set settings for all users of a domain?
Can I write in SQL a setting for user '@some.domain.de'?
Is this overwritten by a per-user definition in SQL?

 - How can I realize a per-user bayes, if there also exists an sql entry for
this user?
   SA should use global bayes for all others.

 Is this better done by a vpopmail-like setting in local users'
directories?
 What will then be used as the fallback setting, if there is no user pref?
 Can I also have per-user bayes and a fallback global one?


Conc. b):

  Mail is accepted by sendmail, then sent by the uucpdom mailer to our
special software, then mails will be stored in mail folders.
  So there are some changes in headers from all this sending and
forwarding.
  If users now forward a mail as spam to a special local user, do I have
to delete/correct these headers for the bayes filter? What about razor/pyzor?

  I noticed SA deletes its own headers when reporting a mail as spam, but
safe reports aren't set back to their original appearance like when mail
comes in. So, is it best to NOT report an already recognized spam?

 If I want to have my users use their very own bayes database, how can I
set up a mail address for reporting spam and learning 'their' bayes system?

 (Well, I don't trust my users to correctly identify spam. I fear them  
reporting old mailing lists, they just don't want to get but forgot to  
unsubscribe. So I don't want a global bayes feedback ;-) .)


Would be nice to get some opinions, hints or even URLS to find more about  
that.

thank you
Andreas















[SAtalk] Final-Recipient: rfc822; unknown

2003-10-25 Thread Walter
Hello All,

I hope somebody can help me here because the postfix list and the amavis list couldn't
help me.

Every day I get 700 emails generated on my system by the mail daemon saying:
from: Mail Delivery System
subject: Undelivered Mail Returned to Sender

Below is my standard (postfix) message:

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to 

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Mail deamon program

: No recipients specified

In the attached text file it is saying:

Reporting-MTA: dns; mail.mydoman.com
Arrival-Date: Mon, 20 Oct 2003 02:50:25 +0200 (CEST)

Final-Recipient: rfc822; unknown
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Mail-deamon; No recipients specified

How can I stop this? I already checked my log files and I see that it comes
from the apache daemon, and the amount of bounced email is always the same,
exactly 700. Also it is always at a different time.

In one part of the log I see that apache is doing this.

Oct 23 04:49:55 mydomain postfix/pickup[15007]: A50F77F77E: uid=48
from=
Oct 23 04:49:55 mydomain postfix/cleanup[15096]: A50F77F77E:
message-id=<[EMAIL PROTECTED]>
Oct 23 04:49:55 mydomain postfix/cleanup[15096]: A50F77F77E: to=,
relay=cleanup, delay=0, status=bounced (No recipients specified)
Oct 23 04:49:55 mydomain postfix/cleanup[14975]: A6E097F785:
message-id=<[EMAIL PROTECTED]>
Oct 23 04:49:55 mydomain postfix/qmgr[10882]: A6E097F785: from=<>,
size=1971, nrcpt=1 (queue active)
Oct 23 04:49:55 mydomain postfix/local[15036]: A6E097F785:
to=<[EMAIL PROTECTED]>, orig_to=<[EMAIL PROTECTED]>, relay=local,
delay=0, status=sent (mailbox)

Hope that somebody can help me

With Regards
Walter





[SAtalk] Bayesian autolearning not following thresholds

2003-10-25 Thread Jeremy M. Dolan
I've noticed with SA 2.60, Bayesian autolearning seems to learn a lot
of messages incorrectly. As an example, the four spams I've received
in the last few hours:

   % cat spam|grep ^X-Spam-Stat
   X-Spam-Status: Yes (score: 25.4/6.5), autolearn=spam, version=2.60,
   X-Spam-Status: Yes (score: 12.6/6.5), autolearn=ham, version=2.60,
   X-Spam-Status: Yes (score: 23.9/6.5), autolearn=spam, version=2.60,
   X-Spam-Status: Yes (score: 31.1/6.5), autolearn=no, version=2.60,

Possibly relevant lines from my ~/.spamassassin/user_prefs:

   required_hits   6.5

   bayes_auto_learn 1
   bayes_auto_learn_threshold_nonspam 6.5 # default -2.0  (0.1 in 2.60)
   bayes_auto_learn_threshold_spam 6.6    # default 15.0 (12.0 in 2.60)
   bayes_ignore_header Status
   bayes_ignore_header Content-Length
   bayes_ignore_header Lines

   clear_headers
   add_header all Status _YESNO_ (score: _HITS_/_REQD_), autolearn=_AUTOLEARN_, version=_VERSION_, tests=_TESTSSCORES_

I do notice the exception to expected "bayes_auto_learn_threshold_spam"
behavior in the Mail::SpamAssassin::Conf man page (at least three
points must come from the header, and three from the body), but even
that can't explain why the second message was learned as ham.

I think it would be useful to have a (non-default) mode where simply
any message over the user's "required_hits" is autolearn=spam, and
everything else is autolearn=ham. Then the user only needs to
occasionally intervene (something as simple as a hot-key in their MUA)
to move and relearn anything SA got wrong.

Any info on the behavior I'm seeing would be appreciated.

-- 
Jeremy M. Dolan  
PGP: 1024D/3C68A1BA 9470 210C A476 FFBB 6D11  0223 0D1C ABFC 3C68 A1BA
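
A small audit of the four X-Spam-Status lines quoted in the post above, added here as an example and not part of the original message: it compares each autolearn outcome with what the posted thresholds (6.5 and 6.6) would suggest if applied to the displayed score. Comparing against the displayed score and the `<` / `>=` boundary handling are assumptions of this sketch, and the function names are made up.

```python
import re

# The four header lines as quoted in the post (poster's custom add_header format).
POSTED_HEADERS = """\
X-Spam-Status: Yes (score: 25.4/6.5), autolearn=spam, version=2.60,
X-Spam-Status: Yes (score: 12.6/6.5), autolearn=ham, version=2.60,
X-Spam-Status: Yes (score: 23.9/6.5), autolearn=spam, version=2.60,
X-Spam-Status: Yes (score: 31.1/6.5), autolearn=no, version=2.60,
""".splitlines()

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?:Yes|No)\s*"
    r"\(score:\s*(-?\d+(?:\.\d+)?)/(-?\d+(?:\.\d+)?)\),"
    r"\s*autolearn=(\w+)"
)


def expected_decision(score, nonspam_threshold, spam_threshold):
    """What the thresholds alone would imply for a given score (assumed boundaries)."""
    if score >= spam_threshold:
        return "spam"
    if score < nonspam_threshold:
        return "ham"
    return "no"


def audit(lines, nonspam_threshold=6.5, spam_threshold=6.6):
    """Return (score, expected, actual, verdict) for every parsable status line."""
    findings = []
    for line in lines:
        m = STATUS_RE.search(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        score, actual = float(m.group(1)), m.group(3)
        expected = expected_decision(score, nonspam_threshold, spam_threshold)
        if actual == expected:
            verdict = "consistent"
        elif expected == "spam" and actual == "ham":
            verdict = "spam learned as ham"      # the case that degrades the Bayes db
        elif expected == "ham" and actual == "spam":
            verdict = "ham learned as spam"
        else:
            verdict = "not learned as expected"
        findings.append((score, expected, actual, verdict))
    return findings


if __name__ == "__main__":
    for row in audit(POSTED_HEADERS):
        print(row)
```

Run over a mail folder's headers, the "spam learned as ham" rows are the ones worth relearning by hand first.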




[SAtalk] spamassassin letting spoofed-domain-name AWL thru?

2003-10-25 Thread Ervan Darnell
I've read thru the mailing list for issues related to bad AWL scores, 
but I don't see anything about this:

I'm confused whether AWL works by hard IP, DNS name from Received:, reverse lookup,  
email from: line,    How the heck do you dump the AWL database to even tell what 
it's doing?

My problem seems to be that the spammer is forging my domain and email address, which 
triggers AWL (example follows, with "@" replaced).  I can't see any reason the 
spammer's hard IP (211.21.93.134) would be in my AWL.  "dewey" doesn't appear in 
"strings auto-whitelist".  "ip=211.21" does appear in "strings", but the rest of the 
line has no obvious relation to this spam.

Offending email:

X-Original-To: ervan [at] kelvinist.com 
Delivered-To: ervan [at] kelvinist.com 
Received: from kelvinist.com (unknown [211.21.93.134]) 
by kelvinist.com (Postfix) with ESMTP id 6B1DF41BA 
for ; Mon, 20 Oct 2003 23:51:24 -0700 (PDT) 
Received: from 775-HERMES [192.168.0.97] by kelvinist.com with eSMTP; 
Tue, 21 Oct 2003 14:54:45 +0800 
Message-ID: <[EMAIL PROTECTED]> 
From: "dewey"  
To:  
Subject: Corne as much as a pr0n star with these pills! 
Date: Tue, 21 Oct 2003 14:54:45 +0800 
MIME-Version: 1.0 
Content-Type: text/html; charset="ISO-8859-1" 
X-Priority: 3 
X-Mailer: mailer 
ABC-Tracking:  
X-Spam-Checker-Version: SpamAssassin 2.60-rc5 (1.205-2003-09-16-exp) on 
www.kelvinist.com 
X-Spam-Level: * 
X-Spam-Status: No, hits=1.3 required=5.1 tests=AWL,[...]
X-Spam-Report: 
[]
* -6.2 AWL AWL: Auto-whitelist adjustment 
==
Ervan Darnell 
[EMAIL PROTECTED]





Re: [SAtalk] spamd -m stable?

2003-10-25 Thread Rick Macdougall


On Thu, Oct 23, 2003 at 10:41:11PM -0700, Cheryl L. Southard wrote:


> Normally, spamd takes about 30 seconds to complete, but when it's
> in swapping-hell it takes approximately 550 seconds, and since
> each one takes 20MB of memory, quite a few (up to MAX_DAEMON_CHILDREN,
> I suppose) can start up and our mail server runs out of memory.

30 seconds is the default timeout for DNS connections.  Check that you 
are not running an older version of SA without ORBS etc scored to 0

Regards,

Rick





RE: [SAtalk] [RD] Popcorn, Backhair, and Weeds

2003-10-25 Thread Larry Gilson
I have been testing the HTML obfuscation with the pattern match for the junk
within the tags ranging from 1 to 5.

  full  MY_FULL_OBFU_HTML  /[\s>]\w+<[\w\s\/\$&;]{1,6}>\w+/

These are the results of my testing.

  {1} have not noticed false positives
  {2} false positives with 
  {3} false positives with 
  {4} false positives with 
  {5} have not noticed false positives
  {6} false positives with 

This is not to say that either {1} or {5} do not produce false positives but
that I have not noticed them.

The percentage of false positives has not been great.  They are consistent
with certain messages.  For example, a Travelocity notification will always
trigger on {3}.  The worst of all the above is {2}.  White lists can help
avoid most of the false positives.

To try to curb the FPs for tests within the {1,5} range, I will experiment
with the following rule:

  full  MY_FULL_OBFU_HTML  /([\s>]\w+<[\w\s\/\$&;]{1,6}>\w+){2,}/

Please let me know if there is a better way to write this rule.


Regards,
Larry





Re: [SAtalk] [RD] Domain has digits - test rules

2003-10-25 Thread Patrick Morris
You're going to get a *lot* of meaningless hits on some of these -- any 
mail from level3.net, for example. They'd score a hit on your rules, and 
they're a pretty decent-sized ISP with a *lot* of legit servers 
(including a few of mine).  You'd also get automatic hits for sending 
mails from servers named, oh, smtp1.mydomain.com and smtp2.mydomain.com, 
which is a very common naming convention for sites with multiple servers.

I'd be interested to see what a GA test showed on these, but I suspect 
you'd get almost as many FPs as you would legitimate hits (if not more) 
on a lot of these rules.

Fred I-IS.COM wrote:

I'll have to admit, I was bored this morning.  I created a set of rules to
look for domains that include numbers.
IE:  www.domain3.com
IE: www.domain3domain.com
Etc..
 






RE: [SAtalk] [RD] Popcorn, Backhair, and Weeds

2003-10-25 Thread Keith C. Ivey
Larry Gilson <[EMAIL PROTECTED]> wrote:

>   full  MY_FULL_OBFU_HTML  /[\s>]\w+<[\w\s\/\$&;]{1,6}>\w+/

It seems to me that you'd want to catch the obfuscating
pseudo-comments with '!' as well.  Have you tried it with '[^>]' as 
the character class, so that you'll match regardless of what's 
in the angle brackets?

Also, why do you require whitespace or '>' before the first 
sequence of word characters?  What if there's a '-' or a '(' 
there instead?  Have you tried leaving it off completely, in 
which case the '+' after the '\w' is unnecessary (in fact, the 
'+' after the last '\w' isn't doing anything now)?  Then the 
regex would look like this:

   /\w<[^>]{1,6}>\w/

I still think you're going to get too many FPs, though.  This 
problem may be something better tackled during the HTML 
analysis.  There could be a counter for bad tags (perhaps 
separate ones for tags that are illegally formed and those that 
are simply unrecognized).  Then a series of eval tests could 
use the count.  Avoiding FPs for XML documents could be a 
problem though.

> To try to curb the FPs for tests within the {1,5} range, I will experiment
> with the following rule:
> 
>   full  MY_FULL_OBFU_HTML  /([\s>]\w+<[\w\s\/\$&;]{1,6}>\w+){2,}/

That will only match when one word is interrupted by more than 
one obfuscating pseudo-tag.

-- 
Keith C. Ivey <[EMAIL PROTECTED]>
Washington, DC
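
The three rule bodies from this thread, run over constructed HTML fragments so their matching behaviour can be compared side by side. This is an added example, not code from the thread: Python's `re` in ASCII mode stands in for SpamAssassin's Perl regex engine, and the sample strings, dictionary keys and function name are made up here.

```python
import re

# Rule bodies copied from the posts above; only the surrounding /.../ is dropped.
RULES = {
    # Larry Gilson's rule as posted
    "larry_single": re.compile(r"[\s>]\w+<[\w\s\/\$&;]{1,6}>\w+", re.ASCII),
    # Larry's experimental variant with the group repeated {2,}
    "larry_repeat": re.compile(r"([\s>]\w+<[\w\s\/\$&;]{1,6}>\w+){2,}", re.ASCII),
    # Keith C. Ivey's suggested simplification
    "keith_any_tag": re.compile(r"\w<[^>]{1,6}>\w", re.ASCII),
}

# Constructed fragments: obfuscated words first, then ordinary HTML mail.
SAMPLES = {
    # one junk tag splitting a word
    "tag_in_word": "Lowest mort<xyz>gage rates",
    # junk pseudo-comment containing '!', which is outside Larry's character class
    "pseudo_comment": "Lowest mort<!k>gage rates",
    # two obfuscated words in a row, each preceded by whitespace
    "two_words": "Get ch<q>eap mort<z>gage today",
    # a single word split by two junk tags
    "two_tags_one_word": "Get mo<a>rtg<b>age today",
    # legitimate: line break between words with no surrounding spaces
    "legit_br": "Flight details<br>Depart 09:15",
    # legitimate: two such line breaks close together
    "legit_br_pair": "Itinerary: Boston<br>Denver Tuesday<br>Friday",
    # legitimate: tags separated from the text by spaces
    "legit_spaced": "Total <b>due</b> now",
}


def evaluate(rules=RULES, samples=SAMPLES):
    """Return {sample_name: {rule_name: bool}} for every rule/sample pair."""
    return {
        name: {rule: bool(rx.search(text)) for rule, rx in rules.items()}
        for name, text in samples.items()
    }


if __name__ == "__main__":
    width = max(len(n) for n in SAMPLES)
    print(" " * width, *RULES)
    for name, hits in evaluate().items():
        print(name.ljust(width), *("hit " if h else "miss" for h in hits.values()))
```

The table it prints shows which of the ordinary-HTML fragments each rule still hits, which is the false-positive trade-off discussed in the thread.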





RE: [SAtalk] IP Blocks to kill at the firewall?

2003-10-25 Thread Tom Meunier
Okay, this is the sixth copy of this email that I've gotten.  Is it me,
is it sourceforge, or is it maybelline?

(Yeah, I know it's sourceforge, but I wanted to kvetch)

-tom 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Chris Trudeau
> Sent: Thursday, October 23, 2003 4:18 PM
> To: John L; [EMAIL PROTECTED]
> Subject: Re: [SAtalk] IP Blocks to kill at the firewall?
> 
> Found this linked from the Emporium :)
> 
> http://www.stearns.org/sa-blacklist/sa-blacklist.current
> 
> 
> You can probably use this...
> 
> CT
> 




Re: [SAtalk] [RD] yahoo redirect

2003-10-25 Thread Keith C. Ivey
Jeremy Zawodny <[EMAIL PROTECTED]> wrote:

> Yahoo is well aware of the SA rules.  Any new redirectors they
> add will not trigger those rules and not be open to abuse
> either.

I'm not sure what you mean.  The problem is that new 'srd' 
redirectors don't trigger the current rules but are open to 
abuse (and spammers are using them), so any new rule is likely 
to be much less specific.

Are you saying Yahoo will get it right next time, and they'll 
check to see what the current state of the SA rules is when 
they decide on their URL format?

-- 
Keith C. Ivey <[EMAIL PROTECTED]>
Washington, DC





RE: [SAtalk] IP Blocks to kill at the firewall?

2003-10-25 Thread Tom Meunier
Sweet.  27 hours for that to show up.  (And looking at headers it's the
ISP anyway, heh) 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Tom Meunier
> Sent: Friday, October 24, 2003 8:47 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] IP Blocks to kill at the firewall?
> 
> Okay, this is the sixth copy of this email that I've gotten.  
> Is it me, is it sourceforge, or is it maybelline?
> 
> (Yeah, I know it's sourceforge, but I wanted to kvetch)
> 
> -tom 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Chris Trudeau




RE: [SAtalk] Re: [OT] What is next step?

2003-10-25 Thread Chris Santerre
HI, I'm on top! More below ;)


> Hi,
> 
> On Thu, 23 Oct 2003 13:13:34 -0400 Scott Blomquist 
> <[EMAIL PROTECTED]> wrote:
> 
> > Also along this thread for everyone esp. Chris,
> > A minor word of caution when you jump into the spam-l mailing list.
> > Spend a Lng time lurking before you start posting. The folks there
> > are mostly front line high level BOFH admins and can get a bit unruly
> > and venomous. If you're up for a real adventure Google on NANAE in usenet
> > groups. Don't forget your NOMEX underwear.
> 
> Very true. Read the FAQs and lurk for a while, then lurk some more.
> There's a lot of good information there but there are also some very
> high-strung people (abuse work does that to you after a while) and they
> don't suffer fools gladly. Example: You will be mercilessly (and
> justifiably) pummeled for suggesting that challenge/response systems are
> a viable spam defense tool[*]. Lurk and absorb. And don't top post... :)
> 
> Have fun!
> 
> -- 
> Bob Apthorpe
> 

LOL, yeah I noticed there is a different 'feel' to the spam-l list ;) That's
why I actually read the whole FAQ and some archives. They are exactly what I
was looking for though. I'm learning lots. 

I did actually post but it never showed up? I replied directly to a post
and was refused delivery to them due to improper rDNS :-)  (working on
that.)

I top post for fun! I like to see who sends in the RF paper quotes,
netiquette FAQs, and other general posting natzisms :-)

--Chris "Top posting clown" Santerre
*Puts on Nomex Long Johns*




Re: [SAtalk] Building SA 2.60, errors

2003-10-25 Thread Martin Radford
At Fri Oct 24 19:38:50 2003, Matt Kettler wrote:

> goes. There's serious discussion about dumping support for any perl under 
> 5.6 in future releases. Apparently trying to make SA work under 5.00x, 

There's a statement in SA 2.60's README that says:

"The SpamAssassin 2.6x release series will be the last set of releases to
officially support perl versions earlier than perl 5.6.0."

I've seen a comment on this list (probably from one of the developers)
that stated that it was quite likely that the Perl 5.005 support may
well be the first thing ripped out of the codebase for 2.70.

Given that none of the developers use 5.005 regularly (the reason why
we currently get so many minor bugs that hit 5.005 users), it seems
unlikely that SA 2.70 will work under 5.005 even if the current
compatibility code isn't removed by then.

Martin
-- 
Martin Radford  |   "Only wimps use tape backup: _real_ 
[EMAIL PROTECTED] | men just upload their important stuff  -o)
Registered Linux user #9257 |  on ftp and let the rest of the world  /\\
- see http://counter.li.org |   mirror it ;)"  - Linus Torvalds _\_V




Re: [SAtalk] perhaps more of a mailscanner question?

2003-10-25 Thread Scott Blomquist
Ian,
Who are you going to bounce it to? 99.9% of all the crud that falls 
into my server has forged FROM: and Reply-To: addresses. Just let your 
old friend Dave Null read it and forget about it.

my $0.02
Scott
ian douglas wrote:

Right now I have MailScanner configured to delete high scoring spam so it
doesn't end up in my users' mailboxes, but what about the 'bounce' option?
I'd *really* like to find a way to spoof a 550 error or a 'user unknown' error
that bounces back, just in case the people on the other end ARE cleaning their
lists. I know, I know, a long shot, I still get Email for non-existent Email
addresses, and am starting now to get Email to truncated Email accounts ... I used
to have [EMAIL PROTECTED] and [EMAIL PROTECTED] as addresses and now I'm getting spam
at "[EMAIL PROTECTED]" and "[EMAIL PROTECTED]" /shrug
Anyone know a good way to spoof an error message like that? Open to any
suggestions ;o)
-id


--
Scott V. Blomquist,A-SA-CN-NRKTINLC(tm)  #2598
  ITI/Bear&CoRochester, VT
802-767-3174(v)   802-767-3726(f)
"Any technology sufficiently advanced is indistinguishable from Magic."
 A. C. Clarke




Re: [SAtalk] 5.0 spampoints

2003-10-25 Thread Carl R. Friend
> Jeffrey Schilperoord wrote:
> > What is the easiest way to change the 5.0 spampoints to a higher level?
> 
> in your /etc/mail/spamassassin/local.cf file add/change the line
> required_hits 5  to whatever you want it to be.

   Be careful changing that one if you're running spamd -- it's a
site-wide change.  If you're a one-user site, that's fine, but if
you're running SA for multiple users you probably want to make the
change in your .spamassassin/user_prefs file.  If you're running a
site with hundreds of users, it'd be best to keep the per-user bits
in a MySQL database and make per-user tweaks there (also if you
don't have home directories mounted or want to run spamd as "nobody").

++-+
| Carl Richard Friend (UNIX Sysadmin)| West Boylston   |
| Minicomputer Collector / Enthusiast| Massachusetts, USA  |
| mailto:[EMAIL PROTECTED]+-+
| http://users.rcn.com/crfriend/museum   | ICBM: 42:22N 71:47W |
++-+




RE: [SAtalk] help with sa-learn

2003-10-25 Thread Bill Polhemus
IIRC, it should be

sa-learn --spam --mbox kill


William L. Polhemus, Jr. P.E.
Polhemus Engineering Company
Katy, Texas USA



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joseph
P. Wetstein
Sent: Thursday, October 23, 2003 7:56 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] help with sa-learn


When I do a: "sa-learn --mbox --spam kill" I get:

Learned from 0 message(s) (127 message(s) examined).







[SAtalk] Totally whitelisting someone?

2003-10-25 Thread Paul Hutchings
I've stuffed up :-)

I was playing with filtering only inbound email and to cut a long story
short before I got it setup quite right I sent some test messages out and
back in using the GTUBE string, of course it flagged these as spam and (I
guess) because of the horribly high score blacklisted my address :-(

I've now got things working so that outbound mail isn't checked, but
anything I send to mailing lists (like this) gets marked as spam when my
copy comes back in to my address (because it's from my email address).

I've run "spamassassin --add-addr-to-whitelist" and it is reducing the
scores, but the GTUBE test has such a high score that the adjustment doesn't
seem to be enough!

I hope that makes sense, TIA for any advice!

regards,
Paul




Re: [SAtalk] need help sizing a dedicated server

2003-10-25 Thread Martin Radford
At Fri Oct 24 21:19:29 2003, AltGrendel wrote:
> 
> On Fri, 2003-10-24 at 15:27, Joshua A. Fiske wrote:
> > Hello all,
> > 
> > I have seen requests for help sizing servers on this list before, but
> > never anything that comes close to the size of the server that I (think)
> > that I need.  Here is my situation.
> > 
> > I need to scan the mail that comes from two large qmail installations
> > (whole site scanning).  The volume of this mail is approx. 150,000
> > messages per day.  
> > 
> > I have tested these two setups with limited success:
> > 
> > SETUP #1:
> >   - 1x POWER4 @ 1.1GHz
> >   - 1 GB RAM
> >   - 150K messages per day absolutely swamped this machine
> > 
> > SETUP #2:
> >   - 2x POWER4 @ 1.1GHz
> >   - 1 GB RAM
> >   - 150K messages per day elevated load average to ~32

I'm not a mail administrator, but if the load average is being pushed
up this high, I'm wondering whether the problem might be that the load
is very bursty, and that the system is intermittently getting bogged down.
Might it be worth trying to smooth the load somewhat and see if
throughput actually goes up?  (Like on motorways, where slowing the
speed limit from 70mph to 50mph at peak hours results in smoother
traffic flow and hence more throughput.)

> Pack as much RAM into those puppies as you can afford. For a gateway,
> RAM is #1 with drive space being a close #2.

I'd think it's not necessarily "more drive space" but perhaps "faster
disks" and "more disks" to keep throughput high and disk contention
low. 

Martin
-- 
Martin Radford  |   "Only wimps use tape backup: _real_ 
[EMAIL PROTECTED] | men just upload their important stuff  -o)
Registered Linux user #9257 |  on ftp and let the rest of the world  /\\
- see http://counter.li.org |   mirror it ;)"  - Linus Torvalds _\_V




[SAtalk] Procmail help PLEASE - really nobody knows ?

2003-10-25 Thread Peter Rosa
Hello list's friends.

I'm sorry for writing the same message a third time, but please be patient with
me - I have about 200 spam messages a day so I REALLY need to block them.

I have a FreeBSD box with sendmail+spamassassin+procmail. As more and more
spam messages come in, I decided to prepare rules for spam deletion. I have done
3 months of work on spam mesgs+senders+scores analysis. Now I'm ready to do it,
but I'm not familiar with procmail.

I want to write rules, which will do following:
1. check if the X-Spam-Level is more than 15
2. retrieve the sender domain from From: header
3. compare sender domain against freemails.txt, where are all big freemail
   sites listed, as it is bad idea to stop (e.g.) whole yahoo.com
4. if sender is not there, add sender domain to the ACCESS database with
   "REJECT 550 Stop Spam"
5. delete the spam message
6. spams marked with score 10 should be resent to [EMAIL PROTECTED]



Please help me with these rules, because I can not make them work - it's
only an idea:

ACCESS=/etc/mail/access
FREEMAILS=/etc/mail/freemails.txt
AWK=/usr/bin/awk
TEST=/bin/test
EGREP=/usr/bin/egrep
FMAIL=/usr/local/bin/formail
STOP_SPAM="550 Stop Spam"

DOMAIN=`${FMAIL} -x From: | ${AWK} -F@ '{ print $2 }' | ${AWK} -F '>' \
'{ print $1 }'`
IS_FREEMAIL=`${EGREP} ${DOMAIN} ${FREEMAILS} | wc -l`

#score 15+ = add domain to access dbase and delete
:0 h :
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
* ? eval ${TEST} ${IS_FREEMAIL} -gt 0
| echo ${DOMAIN} ${STOP_SPAM} >> ${ACCESS} ;

:0 A
/dev/null

:0 h :
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
! [EMAIL PROTECTED]


The problem is, I cannot make even the simplest last rule work. It is
invoked 25 times and dies with "Too many hops (26)" message. I think it's
simple loop, so I try for 3 days to make it work while looking around whole
internet to find the solution. The first rule I have written by my own also
can not work.

PLEASE, HELP ME.

Peter Rosa

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"





RE: [SAtalk] Extending the AWL concepts to URIs found in Spam Body

2003-10-25 Thread Chris Santerre
> 
> * Justin Mason <[EMAIL PROTECTED]> [2003-10-23 21:19]:
> > Alex Pleiner writes:
> > > Wouldn't the URIs mentioned in Spam be good keys for some kind of
> > > auto-whitelisting with a similar mechanism as for AWL?
> 
> > They already are in SpamAssassin 2.60.  They're tokenized heavily,
> > and it gives appreciably good results in terms of improved accuracy.
> 
> Thanks for that information. Could you please go a bit more 
> into detail
> and give me some hints where to find it in the code?
> 
> If I understand you correctly, there is no need for an additional
> auto-whitelisting URIs within the spam body. Does this mean, that even
> evilrules.cf [1] is redundant?
> 
> Alex

I actually thought the same when I read Justin's response. But then I got to
thinking about this topic. It was slightly discussed before. I'd like to see
it discussed further. 

Bayes Token vs(or with) a single rule vs(or with) a white/black list. 

Here is how I believe it works, I could be wrong. A Bayes token will help
the overall Bayes score for "spammyness". Then it will give out a single
point amount to add. Now weighing the URIs heavier is very nice. The
question remains, do you score just off of "spammyness" or would a solid
rule be good to add with it?

My theory is that an ABL (autoblacklist) or evilrules is very much worth it.
While Bayes will score the "Spammyness", an ABL or single rule will simply
add more points to known domains. The idea of evilrules was that if you got
one of those domains, you might as well add 5 points because it is verified
spam and won't be ham. (Unless I screwed it up ;) 

So while bayes will say a spam is "very spammy", evilrules would say, "This
is 99.9% spam certainty". Making an ABL would just automate what I do by hand.
My idea again being that the ABL would only read from spam scored very high.
So little FP's. Then it could start scoring high (1.0). 

I'm *gulp* willing to look at code as well and play around. (Did I just say
that?!) 

Also, I'm still fighting for the people that can't use Bayes for some
reason. They're out there. Hold on guys, I'm pulling for ya! :-)

--Chris Santerre




RE: [SAtalk] [RD] yahoo redirect

2003-10-25 Thread Chris Santerre

> > 
> > /^https?\:\/\/w*\.yahoo\.com\/.*\/\*http/i
> > 
> > I _think_ that should do it. Someone want to double check 
> > that for me? :)
> > 
> > --Chris Santerre
> 
> 
> I made mine much more general:
> 
> describe MY_URI_REDIRECT MY: Redirect
> uri      MY_URI_REDIRECT /http:\/\/.*\/\*http:\/\//i
> score    MY_URI_REDIRECT 4.0
> 
> I don't know if I open myself up for a potential problem but 
> I have not had
> any FPs yet.
> 
> 
> --Larry

I was thinking the same, but I think I've only seen this with yahoo. I could
be wrong. Can you run a grep of a spamtrap to see which domains this hit? 

Might not even matter. Heck you might be able to even do this:
uri  MY_URI_REDIRECT  /\*http:\/\//i

--Chris Santerre




Re: [SAtalk] Whitelist / Rule Question...

2003-10-25 Thread Martin Radford
At Sat Oct 25 03:18:30 2003, Larry Gilson wrote:
> 
> I get username in the body also.  While trying to personalize a message the
> spammer uses an alias/username for an introduction.  An example would be a
> person with an address of [EMAIL PROTECTED]
> 
> #--- Begin Example ---#
> Hello Dude,

The problem with rules like this is that some people have usernames
that are "real" names, while others don't.  For example, my username
on my home box is martin.  So if I got a message beginning

 Hello, martin

I don't know whether it's a "hello, username" mail, or someone I know
who simply didn't bother to capitalise my first name.

Of course, if the first part of my address was "mr1267", 

 Hello, mr1267

would stand out as being spammy.  So the effectiveness of "hello,
username" rules depends on the format of usernames at your site.

Martin
-- 
Martin Radford  |   "Only wimps use tape backup: _real_ 
[EMAIL PROTECTED] | men just upload their important stuff  -o)
Registered Linux user #9257 |  on ftp and let the rest of the world  /\\
- see http://counter.li.org |   mirror it ;)"  - Linus Torvalds _\_V




Re: [SAtalk] Procmail help PLEASE - really nobody knows ?

2003-10-25 Thread Patrick Morris
Peter Rosa wrote:

> Hello list's friends.
>
> I'm sorry for writing the same message a third time, but please be patient with
> me - I have about 200 spam messages a day so I REALLY need to block them.
 

You'd probably have more luck on a procmail list, since that's where 
your problem really lies.  That said -- yes, it looks like you're 
generating a mail loop when you redeliver to [EMAIL PROTECTED] 
(assuming the mail passes through procmail again at that point).  There 
are plenty of ways around that, such as adding custom headers to check 
for, etc -- but again, a procmail list would be a better place to get 
tips on how to do that.

You'll also get a lot more help by logging procmail's results and 
passing the results along with your problem.  That'll give an indication 
of where things are breaking, and why.







RE: [SAtalk] [RD]Spammer uses address in hosted domain

2003-10-25 Thread Marc Steuer
Ahhh...  Mail from and to that uses the same e-mail address would score
104.11 <== I guess this should be sufficiently high to overcome the -100
from the white_list entry.

Looks like it would work.  And, I agree with you that it could be considered
for a SA "standard" rule.

Thanks for your help Chris. 

-Original Message-
From: Chris Santerre [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 23, 2003 11:57 AM
To: 'Marc Steuer'; [EMAIL PROTECTED]
Cc: Jennifer Wheeler (E-mail)
Subject: RE: [SAtalk] [RD]Spammer uses address in hosted domain




> -Original Message-
> From: Marc Steuer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 23, 2003 10:35 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] [RD]Spammer uses address in hosted domain
> 
> 
> Hi list-members,
> 
> How should SA be configured to handle the following situation?
> 
> An account in one of my hosted domains received a spam
> message with his own
> e-mail address as the counterfeit "from" and "reply-to" 
> addresses.  The
> hosted domain is included SA's "whitelist_from", to avoid the 
> possibility
> that "valid" messages between domain accounts would be tagged 
> as spam.  SA
> correctly identified the message as a potential spam, 
> however, the -100
> score for the whitelist_from entry overwhelmed the other scores.
> 
> Suggestions?
> 
> Marc
> 

Basically you could use the following:

header __CS_FROM_ME  From =~ /[EMAIL PROTECTED]/i
header __CS_TO_ME To =~ /[EMAIL PROTECTED]/i
meta CS_SPAM_TRICK __CS_FROM_ME && __CS_TO_ME
describe CS_SPAM_TRICK Spammer forged From + To my domain.
score CS_SPAM_TRICK 104.11 # Silly, isn't it?

(That's 2 underscores at the beginning of the rule name!)

That would work for a single person.

I could write one for _MY_ site wide use, as my internal mail stays
internal. Just by dropping the "dude@" part.  But I'm not sure it would work
for people without a gateway, who work off the server that scans.  For that
kind of situation, you might want to add a header key, or add some more meta
rules to make it work. 

I'm surprised this hasn't been made a standard rule in SA that is scored 0.
Then give users option to score it higher. 


Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 





[SAtalk] [RD] REPOST - Taking another shot at my obfu chars rules

2003-10-25 Thread Fred I-IS.COM
Fred I-IS.COM wrote:
> Here is the latest update for those who are interested, attached is
> the "Freds OBFU" rules.
> This version does not FP on PGP signatures.
> Also using Character Classes and included the set of Subject OBFU
> rules. 
> 
> *Chris, feel free to post this one to your site!
> 


Last set was missing a rule, this one is better.

Obfu.cf
Description: Binary data


Re: [SAtalk] Building SA 2.60, errors

2003-10-25 Thread Bob Apthorpe
On Sat, 25 Oct 2003 15:57:18 +0100 (BST) Martin Radford <[EMAIL PROTECTED]> wrote:
Hi,

> At Fri Oct 24 19:38:50 2003, Matt Kettler wrote:
> 
> > goes. There's serious discussion about dumping support for any perl under 
> > 5.6 in future releases. Apparently trying to make SA work under 5.00x, 
> 
> There's a statement in SA 2.60's README that says:
> 
> "The SpamAssassin 2.6x release series will be the last set of releases to
> officially support perl versions earlier than perl 5.6.0."
> 
> I've seen a comment on this list (probably from one of the developers)
> that stated that it was quite likely that the Perl 5.005 support may
> well be the first thing ripped out of the codebase for 2.70.
> 
> Given that none of the developers use 5.005 regularly (the reason why
> we currently get so many minor bugs that hit 5.005 users), it seems
> unlikely that SA 2.70 will work under 5.005 even if the current
> compatibility code isn't removed by then.

Maybe the easiest solution is to install perl 5.8.1 under /opt
(/opt/bin/perl, etc...), and install SA and the prerequisite modules
there. The downside is remembering which perl interpreter to use for
SA-related functions.

-- Bob




RE: [SAtalk] [OT] What is next step?

2003-10-25 Thread Larry Gilson


> -Original Message-
> From: Satya [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, October 25, 2003 8:22 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] [OT] What is next step?
> 
> 
> On Oct 24, 2003 at 22:06, Larry Gilson wrote:
> 
> >business because they tighten the grips.  One thing they can 
> do is to 
> >only allow "business" customers to send and receive SMTP messages 
> >outside their mail servers.  Mail servers have to be registered with 
> >the ISP and have valid MX, A, and PTR records.
> 
> Leaving people like me, who know what they're doing (for some 
> value of), high and dry.
> 
> >  What if we asked the ISPs to check for open
> >relays and shut down SMTP access until the problem is resolved?
> 
> That might work.
> 
> >further restrict "residential" customers to their relay servers and 
> >that the header From match the MAIL FROM envelope.  What if we asked 
> >legislation to
> 
> See above.
> 
> Anyone who asks me to get a business-class connection is 
> invited to send donations to pay my bills. :-)

The point here is not so much a "business" or "residential" classification
but making the ISP own up to the usage policy.  If an ISP allows
"residential" customers to have mail servers, then they should perform the
same checks as they would for "business" class users.  The mail server would
need to be registered with the ISP and the ISP must make provisions for
creating an appropriate PTR record in DNS.

There is a larger question here though.  How far are we willing to go to
really help reduce spam?  Will we be willing to give up some freedoms?
Where do we draw the line?

--Larry





[SAtalk] Re: spamass-milter error (Hannu Liljemark)

2003-10-25 Thread John Kelly
I also updated from 2.54 to 2.60 via CPAN and use spamass-milter 
(version 0.1.3a) on an RH9 box.  No problems at all.  Fwiw, there is a 
newer version of spamass-milter (v 0.2.0).

How do you call spamass-milter?  What options?

Mine is from rc.local with  /usr/local/sbin/spamass-milter -f -r 20 -p 
/var/run/spamass.sock

If you're starting it from init.d you might try chkconfig --del 
spamass-milter and add something similar to above to rc.local instead.  
(Please bear in mind I'm no linux expert!)

Cheers

John





Re: [SAtalk] [OT] What is next step?

2003-10-25 Thread Justin Mason


Satya writes:
>On Oct 24, 2003 at 22:06, Larry Gilson wrote:
>
>>business because they tighten the grips.  One thing they can do is to only
>>allow "business" customers to send and receive SMTP messages outside their
>>mail servers.  Mail servers have to be registered with the ISP and have
>>valid MX, A, and PTR records.
>
>Leaving people like me, who know what they're doing (for some value
>of), high and dry.

>>further restrict "residential" customers to their relay servers and that the
>>header From match the MAIL FROM envelope.  What if we asked legislation to
>
>See above.
>
>Anyone who asks me to get a business-class connection is invited to
>send donations to pay my bills. :-)

Agreed BTW.

If ISPs really want to do this -- and really, in some cases it does seem
like a good idea given the worm onslaught! -- they should *not* tie it to
"business-class" deals.

Just tell the users that they can mail support to turn off the port 25
block, no questions asked -- *regardless* of what deal they're on, how
much they're paying, etc.

99.9% of the worm victims will never need to -- and the worms will fail;
the 0.1% of us will immediately do so -- and we know how to run a virus
scanner.

- --j.





Re: [SAtalk] Re: Re: [OT] What is next step?

2003-10-25 Thread Justin Mason


Chris Barnes writes:
>VonEssen, John <[EMAIL PROTECTED]> wrote:
>> All this relies on many assumptions. We assume spammers regularly
>> harvest addresses off usenet. We also assume that they clean their
>> list when address appears to be bad. Has anybody tested this?
>
>Just for grins, I just began trying it.
>
>As we know, a lot of people using things like [EMAIL PROTECTED]
>I would assume that any spammer worth their salt could write a program
>to strip out the munging.
>
>Other more clever might use something like [EMAIL PROTECTED]
>While better, a spammer could still nuke that.  My presumption is that a
>spammer's software would look for mixed case in the address and yank out
>the uppercase stuff.
>
>So I just changed my address for this newsgroup to [EMAIL PROTECTED]
>It's a perfectly legit address with no anti-spam munging at all - it's
>just using mixed case in odd places.  Let's see how many spams I get
>addressed to the messed up address or (harder to measure) if my amount
>of spam goes down.

I will bet it'll be used, but will arrive lowercased in most cases.

I have seen addresses munged as follows (perl code to illustrate):

s/nospam//i;
s/spam//i;
tr/A-Z/a-z/;

Also note: some spamware will skip any addresses that contain any
of these strings:

spam
abuse
postmaster
.gov
ftc

- --j.





Re: [SAtalk] Swap Space

2003-10-25 Thread Kai Schaetzl
Simon Byrnand wrote on Sun, 19 Oct 2003 09:15:37 +1300 (NZDT):

> Spamd using 800MB of ram is a bug, and one which I've never encountered
> yet in months of using spamd, so it's probably something to do with your
> particular config.(perhaps a bug or corrupt installation of your
> version of Perl ?)
>

It started to happen in the RC status of 2.60. Twice for now, each on a 
different but similar system. Everything there is just fine, it could just 
be that I should update some Perl modules, but there's nothing the 
installation and test barks about. I'm still waiting for getting it 
reproed a third time, now for three weeks. So, it's nothing which 
frequently happens and I wouldn't have cared if it had happened only once.


Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org







[SAtalk] base64 false positives

2003-10-25 Thread Philip Tucker
I'm seeing several false positives where rules such as the following are matching in Base64-encoded blocks:


MLM

HGH

UPPERCASE_25_50


e.g., I have messages where the entire body is a base64-encoded JPEG, and it matches on these because the letters "HGH" and "MLM" show up in the block.

Since these are body tests, not raw-body, they should not apply to the raw Mime, right?  Is this something that's fixed in 2.60?

--

Philip Tucker

Zix Research Center

Anti-Spam Team Lead

214.370.2068





Re: [SAtalk] spamd -m stable?

2003-10-25 Thread Justin Mason


Kris Deugau writes:
>"Cheryl L. Southard" wrote:
>> Does anyone know if the "-m" flag is now more stable?  We've since
>> upgraded to Spamassassin 2.54 and Solaris 9.
>
>I don't recall hearing any bugs specific to -m, but I thought I saw some
>odd behaviour reported on Solaris.

There were some bugs in 2.4x where x < 5, but 2.5x and 2.6x have
been very stable -- they use a totally different child-counting
method.

- --j.





Re: [SAtalk] [RD] yahoo redirect

2003-10-25 Thread Justin Mason


Jeremy Zawodny writes:
>On Fri, Oct 24, 2003 at 02:58:06PM -0700, Justin Mason wrote:
>> Chris Santerre writes:
>> >The default rule in 2.60 is (May wrap in your email viewer):
>> >
>> >uri YAHOO_REDIR
>> >/^https?\:\/\/rd\.yahoo\.com\/(?:[0-9]{4,}|partner\b|dir\b)/i
>> >describe YAHOO_REDIR Has Yahoo Redirect URI
>> 
>> The idea was to avoid FPing on the "new" redirectors Yahoo! put in
>> place.  It's now clear those new redirectors are as broken as the
>> old ones.
>
>Yahoo is well aware of the SA rules.  Any new redirectors they add
>will not trigger those rules and not be open to abuse either.

Hi Jeremy --

yep, that was the idea I thought ;)

However, the new (?) srd.yahoo.com, which is not covered by that rule, is
now being actively abused by spammers.   That's the issue...

- --j.
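
The uri rules quoted in this message and in the earlier "[RD] yahoo redirect" post, run against constructed URIs to show which redirect forms each one covers. This is an added example, not code from the thread or from SpamAssassin; the short rule labels, the sample URIs and the `spam.example` / `redirect.example` hosts are assumptions made up for the test.

```python
import re

# The four uri rules from the thread, transcribed from Perl /.../i syntax.
# "yahoo_only", "general" and "shortest" are labels added here for
# readability; only YAHOO_REDIR is a rule name that appears on the page.
RULES = {
    # 2.60 default rule as quoted in the thread
    "YAHOO_REDIR": r"^https?\:\/\/rd\.yahoo\.com\/(?:[0-9]{4,}|partner\b|dir\b)",
    # Yahoo-specific proposal; note that w* matches only literal "w"
    # characters, so the host must look like www.yahoo.com or .yahoo.com
    "yahoo_only": r"^https?\:\/\/w*\.yahoo\.com\/.*\/\*http",
    # the "much more general" MY_URI_REDIRECT
    "general": r"http:\/\/.*\/\*http:\/\/",
    # the shortest suggested form of MY_URI_REDIRECT
    "shortest": r"\*http:\/\/",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed redirect-style URIs (not taken from real mail).
REDIRECTS = [
    "http://rd.yahoo.com/1234567/*http://spam.example/offer",
    "http://srd.yahoo.com/drst/1234567/*http://spam.example/offer",
    "http://www.yahoo.com/r/*http://spam.example/offer",
    "http://redirect.example/go/*http://spam.example/offer",
]

# Constructed ordinary links that no redirect rule should hit.
BENIGN = [
    "http://www.example.com/index.html",
    "http://rd.yahoo.com/about.html",
]


def hits(uri):
    """Names of the rules that fire on one URI, in RULES order."""
    return [name for name, rx in COMPILED.items() if rx.search(uri)]


def missed_by(rule, uris):
    """Redirect URIs that the named rule does not fire on."""
    return [u for u in uris if not COMPILED[rule].search(u)]


def false_positives(rule, uris):
    """Benign URIs that the named rule fires on."""
    return [u for u in uris if COMPILED[rule].search(u)]


if __name__ == "__main__":
    for uri in REDIRECTS + BENIGN:
        print(f"{uri}\n    -> {', '.join(hits(uri)) or 'no rule fired'}")
    for name in RULES:
        print(f"{name}: misses {len(missed_by(name, REDIRECTS))} of "
              f"{len(REDIRECTS)} redirects, "
              f"{len(false_positives(name, BENIGN))} benign hits")
```

Running the same check over a ham corpus is what would answer the false-positive question raised for the general forms.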





Re: [SAtalk] Re: [OT] What is next step?

2003-10-25 Thread Patrick Morris
AltGrendel wrote:

> I agree with that. I see addresses at my client that haven't existed in
> 5+ years. No one should kid themselves that spam lists are cleaned or
> that they learn from being blocked at the firewall.
 

According to my most recent spam statistics, two out of the top three 
spam recipients here have been *dead* for over five years.

I suspect the third on the list, my boss, is brain dead -- maybe 
there's some sort of correlation there.




RE: [SAtalk] [OT] What is next step?

2003-10-25 Thread Chris Santerre
> 
> AT&T aborts plan to block e-mail
> 
> http://www.msnbc.com/news/983380.asp?vts=102220031806
> 
> I thought this was an interesting article in light of this thread.
> 
> --Larry

" The request "was drafted but may have been sent out prematurely," said
AT&T spokesman Gary Morgenstern. "

Ya think?! :) 

That was one of the first things I read on the spam-l list, and I was like
WTF are they thinking? Why don't they concentrate more on their own DSL
spammers. 

From what I gathered, that was actually the SECOND email they had sent. The
first one was too vague for people to get. 

--Chris




Re: [SAtalk] IP Blocks to kill at the firewall?

2003-10-25 Thread Vivek Khera
> "JL" == John L <[EMAIL PROTECTED]> writes:

JL> Does anybody have a good list of SPAMMER IP's they'd like to share for
JL> blocking at the firewall?

JL> We have one mail server we're hosting that is just getting crushed
JL> running SA.

The best strategy is to reduce what gets sent to SA, and then to rate
limit the number of simultaneous SA processes running.

For reducing what gets in, there are quite a few things you can do in
your MTA, before the message enters your system:

1) reject mail for non-existent addresses.  do not accept then bounce
   them.

2) reject mail FROM non-existent domains.  these messages are a)
   non-bounceable, and b) non-replyable.

3) reject mail if the remote server claims to be you.  eg, if your
   host name is foo.example.com and your IP is 10.10.10.9, then if the
   HELO greeting is either one of them, reject the mail.  Naturally,
   exempt your local host from this test.

If you're a bit more bold, try these:

4) reject mail if the HELO name in the SMTP transaction is not FQDN or
   is an IP address.

5) use a DNSBL such as DSBL.  This only lists open relays/proxies, and
   there is pretty much never a good reason to accept mail from these
   sources.

6) consider using the SBL at the MTA level.  it is fairly
   conservative, but they do occasionally list things you may not
   agree with.  they are not as much the shoot first, never ask
   questions type of list, but they still tend to shoot first ;-)

7) implement a gray-listing mechanism: temporarily reject the initial
   connection from any IP address, then allow it after some period of
   time.

whatever passes these tests can then be accepted into your system and
scanned by SA.

with these simple rules, I *reject* nearly 75-90% of the mail
attempted to be sent to my servers daily.  Most of the rejects are to
bogus addresses (ie, dictionary attack) and/or with bad HELO greeting
claiming to be me.  I end up scanning just a few thousand messages per
day.

One more thing you may wish to do is bypass scanning of mailing list
mail.  For me, this reduces scanning load by nearly 50%, since most of
my mail is list mail.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.Khera Communications, Inc.
Internet: [EMAIL PROTECTED]   Rockville, MD   +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/
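
Checks 1, 3 and 4 from the list above, written as a pre-filter that decides at SMTP time whether a message is handed to SA at all. This is an added example, not code from the post or from any MTA; the reply strings, the recipient table, the exempt-peer set and the sample envelopes are assumptions constructed for illustration, and checks 2, 5, 6 and 7 are left out because they need DNS lookups or per-sender state.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

MY_HOSTNAME = "foo.example.com"      # host name used in the post's example
MY_IP = "10.10.10.9"                 # IP address used in the post's example
LOCAL_PEERS = {"127.0.0.1", MY_IP}   # assumption: peers exempt from HELO checks
VALID_RCPTS = {"alice@example.com", "postmaster@example.com"}  # constructed

# Hypothetical reply texts; a real MTA has its own wording.
NO_SUCH_USER = "550 no such user"
HELO_IS_ME = "550 HELO claims to be this host"
HELO_IS_IP = "550 HELO is an IP address"
HELO_NOT_FQDN = "550 HELO is not a fully qualified name"


@dataclass
class Envelope:
    peer_ip: str   # address the connection really came from
    helo: str      # argument the client gave to HELO/EHLO
    rcpt: str      # RCPT TO address


_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def helo_address(helo):
    """Return the IP a HELO argument spells out, or None if it is a name."""
    text = helo.strip("[]")              # accept the [192.0.2.1] literal form
    if text.lower().startswith("ipv6:"):
        text = text[5:]
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def is_fqdn(helo):
    """True for a dotted name with valid labels and a non-numeric last label."""
    labels = helo.rstrip(".").split(".")
    return (len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())


def precheck(env):
    """Return a rejection reply, or None if the message should go on to SA."""
    if env.rcpt.lower() not in VALID_RCPTS:          # check 1: reject, no bounce
        return NO_SUCH_USER
    if env.peer_ip in LOCAL_PEERS:                   # local host is exempt
        return None
    addr = helo_address(env.helo)
    if env.helo.lower().rstrip(".") == MY_HOSTNAME or addr == MY_IP:
        return HELO_IS_ME                            # check 3: claims to be us
    if addr is not None:
        return HELO_IS_IP                            # check 4: bare IP address
    if not is_fqdn(env.helo):
        return HELO_NOT_FQDN                         # check 4: not a FQDN
    return None


# Constructed envelopes; peers use documentation address ranges.
SAMPLE = [
    Envelope("192.0.2.10", "mail.sender.example", "alice@example.com"),
    Envelope("192.0.2.11", "foo.example.com", "alice@example.com"),
    Envelope("192.0.2.12", "10.10.10.9", "alice@example.com"),
    Envelope("192.0.2.13", "[192.0.2.13]", "alice@example.com"),
    Envelope("192.0.2.14", "localhost", "alice@example.com"),
    Envelope("192.0.2.15", "mx.other.example", "aaron@example.com"),
    Envelope("127.0.0.1", "foo.example.com", "postmaster@example.com"),
]


def triage(envelopes):
    """Split envelopes into those to scan and a tally of rejection replies."""
    to_scan, rejected = [], Counter()
    for env in envelopes:
        reason = precheck(env)
        if reason is None:
            to_scan.append(env)
        else:
            rejected[reason] += 1
    return to_scan, rejected


if __name__ == "__main__":
    scan, rejected = triage(SAMPLE)
    print(f"to SA: {len(scan)} of {len(SAMPLE)}")
    for reason, count in rejected.items():
        print(f"  {count} x {reason}")
```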




Re: [SAtalk] Re: Re: [OT] What is next step?

2003-10-25 Thread Simon Byrnand
>
> I will bet it'll be used, but will arrive lowercased in most cases.
>
> I have seen addresses munged as follows (perl code to illustrate):
>
>   s/nospam//i;
>   s/spam//i;
>   tr/A-Z/a-z/;
>
> Also note: some spamware will skip any addresses that contain any
> of these strings:
>
>   spam
>   abuse
>   postmaster
>   .gov
>   ftc

Some perhaps, but certainly not all. I regularly receive spam to abuse@
and postmaster@ which unfortunately I have to have listed in all_spam_to
in case someone actually forwards me a spam report... :(

Regards,
Simon






Re: [SAtalk] Bayesian autolearning not following thresholds

2003-10-25 Thread Theo Van Dinter
On Fri, Oct 24, 2003 at 11:38:04PM -0500, Jeremy M. Dolan wrote:
> I think it would be useful to have a (non-default) mode where simply
> any message over the user's "required_hits" is autolearn=spam, and
> everything else is autolearn=ham. Then the user only needs to
> occasionally intervene (something as simple as a hot-key in their MUA)
> to move and relearn anything SA got wrong.
> 
> Any info on the behavior I'm seeing would be appreciated.

Sure.  read the man page (Mail::SpamAssassin::Conf), and run with -D.
It will illuminate things. :)

-- 
Randomly Generated Tagline:
Anyone who is spending $999,999,999,999,999 doesn't really care about
 the cents.
  -- Larry Wall in <[EMAIL PROTECTED]>




[SAtalk] Dan Zachary is out of the office.

2003-10-25 Thread Dan_Zachary




I will be out of the office starting  09/26/2003 and will not return until
11/04/2003.

I am attending a missions conference and may not be able to respond as
quickly as normal.

If you have spam related questions, please send your inquiry to
[EMAIL PROTECTED]





RE: [SAtalk] Re: [OT] What is next step?

2003-10-25 Thread VonEssen, John
So it is clear spammers don't clean their lists.

This might indicate that tying up spammer resources will not have much of an effect. 
They already are wasting a ton of resources with invalid addresses, a few more won't 
push them over the top. Apparently, even with extremely low delivery success rates, 
spammers are still able to make money.

Maybe the resource war will work, but only if a huge amount of people/organizations 
participate. Even then it still might not matter.

I personally feel that domain registrars can have a big impact in all of this. All 
money-making spam has to link up with some sort of commission system. If you look 
through email source, you eventually find these URLs (with valid domains) that point 
to web marketing companies, aka people who pay the commissions to spammers.

I noticed a lot of spam which uses internetbankroll.com, I tried to see if 
www.bestregistrar.com would revoke that domain since the company obviously promotes 
and rewards spamming. Even though spam was a violation of their usage policy, 
bestregistrar.com told me point blank that they will never revoke a domain, unless for 
non-payment. They just point the clause in their policy to look good.

If spammers and their commission partners lose the ability to operate with domain 
names, it makes things very difficult.

John


-Original Message-
From: E R [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 23, 2003 1:31 PM
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Re: [OT] What is next step?


if I may point out an anecdote, I left a dialup isp 7 years ago, when I worked for 
them as a consultant 2 years ago, they recreated my account.
The first 100 or so emails to that address were spam...  Apparently that address was 
still selling well after 4-5 years of deletion...

Alan Hodgson wrote:

> On Thu, Oct 23, 2003 at 11:13:52AM -0400, VonEssen, John wrote:
> > We also assume that they clean their list when address appears to be bad.
>
> I've seen no evidence of this.  The only thing I've seen for certain is
> that the older an E-mail address is (once it has gotten on at least one
> spammer's list), the more spam it gets.  Regardless of whether it's bounced
> or not.  Spammers are still selling each other E-mail addresses I haven't
> used in 4 years.

  




Re: [SAtalk] 5.0 spampoints

2003-10-25 Thread Bob Apthorpe
Hi,

On Wed, 22 Oct 2003 16:22:33 +0200 "Jeffrey Schilperoord"
<[EMAIL PROTECTED]> wrote:

> What is the easiest way to change the 5.0 spampoints to a higher level ?

Add something like

required_hits   6.5

to ~/.spamassassin/user_prefs

-- 
Bob Apthorpe




Re: [SAtalk] milter timeout

2003-10-25 Thread Hannu Liljemark
On Mon, Oct 20, 2003 at 03:32:21PM +0100, Alan J Fitton wrote:

> Using SpamAssassin 2.60 through spamass-milter on a 512/256kbit ADSL
> connection (possible cause for timeouts?)

Try MIMEDefang, MailScanner or miltrassassin instead. spamass-milter
isn't the best choice if you want a stable milter.


-- 
(Mr.) Hannu Liljemark  |  Appelsiini Finland Oy  |  http://appelsiini.com




 [SAtalk] 2.60 on RH9

2003-10-25 Thread Steve Heggood
I had exactly the same problem.  I am building a new server on
RH9 and will migrate from RH8.  I copied over the Makefile from
the previous RH8 install, typed make and it compiled although I was
leery of it.  I ran make test which was 100% successful,
installed, but not on-line yet.  Wasn't able to understand why
perl generated such a botched-up Makefile, so I tabled it as an
exercise for my tidy-up phase.  I could post a diff on the Makefiles
if the maintainers have an interest.
-- 
Steve Heggood <[EMAIL PROTECTED]>




[SAtalk] Error in mail logs relating to SPAMD

2003-10-25 Thread andrew
Hi,

Thought I'd throw this in the mix to see if
someone knows a fix. Running sendmail,
spamassassin & milter.

I am seeing this in my log file & would like to
correct it. All three above programs are started with
init scripts.
The error I am seeing relates to spamd & it is as follows:
Still running as root: user not specified with -u, not
found, or not set to root. Fall back to nobody.
I did try and add this in the init script for
spamassassin under the
SPAMDOPTIONS="-d -c -a -m5 -H"
adding the -u=spamd option gives errors saying
cannot find directory, even though I created the user &
it is in user path of /home/user.
What am I missing here?

Regards
Andrew





[SAtalk] filter by received time question

2003-10-25 Thread lindsay adams
is there a spamassassin rule that allows me to score based on the time 
of day the server receives the message?

i know about date_in_future and date_in_past, but,

i receive on avg 126 spams caught by spamassassin a day. and about 80 
of them always seem to arrive in my email in the wee dark hours.

none of them are legitimate.

there is the possibility that one of my australian relatives will send 
me an email, so i would like to score based on receive time.
all of the emails that my relatives send have scored less than .5 in 
the past, so they have gotten through.
i want to score anything that the server receives (for me) between 11pm 
and 6 am as something.

frankly, i have no idea how to do this.

is this something i can do in spamassassin? or is there a procmail way 
of doing things?
if you think the answer is procmail based, and not SA, then just point 
me to your favorite procmail tutorial and don't type out the entire 
answer (unless you really want to, and then you can direct reply)

thank you all very much for any pointers.
i just haven't figured out how to write all the spamassassin rules 
beyond the most basic regexp

l





Re: [SAtalk] spamass-milter

2003-10-25 Thread Scott Rothgaber
Hannu Liljemark wrote:

> now, the spamass-milter daemon seems to stop running every few
> minutes.

Run this every minute from cron until you find the problem. Nutscrape 
has wrapped a couple of these lines.

#!/bin/sh
# Restart spamass-milter if it is not running, then signal sendmail.
PATH=/bin:/usr/bin
# PIDs of any running spamass-milter processes (empty when none is found)
PID=`ps -ax | grep spamass-milter | grep -v grep | cut -c 1-5 | tr -d " "`
# Quoted -z test, so more than one matching PID does not break the check
if [ -z "$PID" ]
then
  echo "Re-starting milter."
  /usr/local/sbin/spamass-milter -p /var/run/spamass-milter.sock -f -r 20
  # Send SIGHUP to sendmail; its PID is the first line of the pid file
  kill -1 `head -1 /var/run/sendmail.pid`
fi

> Have you tried running the milter with increased logging?

Yes, add `-d 3' to the command line. Look closely at the message size. 
Is milter puking on empty messages (no body at all)?





RE: [SAtalk] 2.60 on RH9

2003-10-25 Thread Marcos A. Pendas
I got this error message while trying to build SA 2.60 on a RedHat 8.0
machine with perl 5.8. Check the LANG environment variable. On my machine it
was set to en_US.utf8. I changed it to LANG=en_US and that cleared up the
problem. Just to be safe I also set LC_ALL=en_US. The INSTALL file talks
about potential problems with this setting on Linux systems running perl
5.8.

Marcos A. Pendas


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 7:59 PM
To: sa list
Subject: [SAtalk] 2.60 on RH9




I've tried compiling SA 2.60 from both source and cpan and I keep
getting the following errors:

Checking if your kit is complete...
Looks good

Warning: I could not locate your pod2man program. Please make sure,
 your pod2man program is in your PATH before you execute 'make'

Writing Makefile for Mail::SpamAssassin
Makefile written by ExtUtils::MakeMaker 6.03
Makefile:94: *** missing separator.  Stop.

First off, pod2man is installed:

[EMAIL PROTECTED] rpm]# find / -name pod2man
/usr/bin/pod2man

and it is in my path:

[EMAIL PROTECTED] rpm]# echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/cyko/bin:/usr/sbin:/usr/local/sbin

Any ideas on how to fix this?

:Patrick Lahni
 [EMAIL PROTECTED]

-
This mail sent through IMP: http://horde.org/imp/





[SAtalk] How do I ensure that SpamAssassin is auto-learning both ham and spam?

2003-10-25 Thread Tony White
The subject says it all.  I know the defaults on this, and have not changed
them.  I'm fairly certain that SA is autolearning spam -- because of the
growth of the bayes_seen and bayes_toks databases.  But I'm not sure about
ham at all.  Currently, I'm not sending outgoing mail from our internal
Exchange server through our external gateway (and SA).  So, how would it be
autolearning ham?

Any info appreciated.  TIA.

Tony


Re: [SAtalk] How do I ensure that SpamAssassin is auto-learning both ham and spam?

2003-10-25 Thread Patrick Morris
Tony White wrote:

> The subject says it all.  I know the defaults on this, and have not 
> changed them.  I'm fairly certain that SA is autolearning spam -- 
> because of the growth of the bayes_seen and bayes_toks databases.  But 
> I'm not sure about ham at all.  Currently, I'm not sending outgoing 
> mail from our internal Exchange server through our external gateway 
> (and SA).  So, how would it be autolearning ham?

If you're running 2.60, use "sa-learn --dump magic".  Spam, as well as 
ham, can be learned from incoming mail as well as outgoing.





Re: [SAtalk] Totally whitelisting someone?

2003-10-25 Thread Matt Kettler
At 04:56 PM 10/25/03 +0100, Paul Hutchings wrote:
> I've run "spamassassin --add-addr-to-whitelist" and it is reducing the
> scores, but the GTUBE test has such a high score that the adjustment doesn't
> seem to be enough!
> I hope that makes sense, TIA for any advice!

1) This issue should be fixed in 2.60. It has a change to the AWL so that 
it ignores GTUBE.

2) Do a --remove-addr-from-whitelist, instead of an add... this will 
completely reset the AWL for the address passed. Add will only give a bonus 
as if a -100 scoring email was sent, and compared to the +1,000 of gtube, 
this is nothing.
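
[Added example, not part of the message above and not SpamAssassin's own code: a simplified model of the averaging that the reply describes, showing why a -100 whitelist entry cannot outweigh a +1,000 GTUBE entry while a reset can. The class and function names are hypothetical, and the factor of 0.5 is assumed to be the auto_whitelist_factor in use.]

```python
"""Simplified model of the auto-whitelist (AWL) arithmetic discussed above."""

AWL_FACTOR = 0.5          # assumption: the auto_whitelist_factor in use
GTUBE_SCORE = 1000.0      # "+1,000 of gtube" from the message
WHITELIST_BONUS = -100.0  # "as if a -100 scoring email was sent"


class AwlEntry:
    """Per-sender history: running total of raw scores and a message count."""

    def __init__(self):
        self.total = 0.0
        self.count = 0

    def record(self, score):
        """Fold one raw score into the sender's history."""
        self.total += score
        self.count += 1

    def reset(self):
        """Models --remove-addr-from-whitelist: forget the sender entirely."""
        self.total = 0.0
        self.count = 0

    def adjust(self, score):
        """Pull a raw score toward the sender's historical mean."""
        if self.count == 0:
            return score  # no history, so nothing to average against
        mean = self.total / self.count
        return score + (mean - score) * AWL_FACTOR


def final_score(entry, raw_score):
    """Score one message against the history, then record its raw score."""
    adjusted = entry.adjust(raw_score)
    entry.record(raw_score)
    return adjusted


def demo(next_raw_score=2.0):
    """Return the next message's score after an add, then after a remove."""
    sender = AwlEntry()
    final_score(sender, GTUBE_SCORE)  # the GTUBE test enters the history
    sender.record(WHITELIST_BONUS)    # --add-addr-to-whitelist
    after_add = sender.adjust(next_raw_score)
    sender.reset()                    # --remove-addr-from-whitelist
    after_remove = sender.adjust(next_raw_score)
    return after_add, after_remove


if __name__ == "__main__":
    print(demo())
```
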



---
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


Re: [2.6] RE: [SAtalk] 2.60 on RH9

2003-10-25 Thread Charles Gregory
On Sat, 25 Oct 2003, Marcos A. Pendas wrote:
> Warning: I could not locate your pod2man program. Please make sure,
>  your pod2man program is in your PATH before you execute 'make'
> First off, pod2man is installed:
> /usr/bin/pod2man
> Any ideas on how to fix this?

Weird as this sounds, symlink it to the *first* directory in your path.
In your case:

ln -s /usr/bin/pod2man /usr/local/bin/pod2man

I had a similar bug occur one time on a solaris 'make' of 'amanda', when
it couldn't find my gcc compiler until I pulled the above trick. Don't ask
why this works (if it does this time). The script looked like it should
handle the whole path properly.. Like I said: "Weird".. :-)

- Charles




