Re: [SAtalk] reverse scoring question

[Pedro Sam]

On December 02, 2003 06:49 pm, Gary Smith wrote:
> nor the general readme. ÂI have installed SA on a server for a NPO that
> generates a very large amount of email traffic. ÂIt has done a good job of
> filtering a lot of the spam for us thus far. 
> The big problem is this NPO sends emails back and forth that discuss in
> some graphic detail some things that by default causes SA to assume that
> it's spam. ÂI know I can white list IP's and accounts but sometimes these
> come from a variety of places. Â 
> The question:
> What I was wondering if I can create a new rule that filteres on a specific
> piece of text (like the normal rules) but apply a negative score value.
> ÂThis would allow the NPO to tell the se

Though I am not a professional mail administrator, sounds like the proper way 
is for you to accomplish this is to insert a specific header into your mail, 
and then have your MDA deliver mail with that header and bypass SA 
altogether.

This is similar to how I filter this mailing list, by using procmail to filter 
SATalk by a unique header that SATalk carries.

Pedro

-- 
Your true value depends entirely on what you are compared with.


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] bayes permission errors

[David B Funk]

On Sat, 6 Dec 2003, Lukreme wrote:

> spamd[33762]: Cannot open bayes databases
> /home/user/.spamassassin/bayes_* R/O: tie failed: Permission denied
> spamd[33762]: processing message
> <[EMAIL PROTECTED]> for kremels:5003.
> spamd[33762]: clean message (0.8/5.0) for user:5003 in 0.2 seconds,
> 5526 bytes.
>
> /home/user/.spamassassin $ ls -lstr
> total 6338
> 2 -rw-rw-rw-  1 user  staff 1218 Oct  6 15:28 user_prefs
> 2 -rw-rw-rw-  1 user  staff  199 Oct  6 15:28 bayes_msgcount
> 4160 -rw---  1 user  staff  5111808 Dec  4 09:51 bayes_toks
> 2112 -rw-rw-rw-  1 user  staff  2637824 Dec  4 09:51 bayes_seen
>62 -rw---  1 user  staff62030 Dec  4 09:51 bayes_journal
>
> where user is any user on the system.
>
> $ psa spamd
> postfix   565  0.0  3.3 21908 4132  ??  Is9:17PM   0:04.03
> /usr/local/bin/spamd -a -c -d -u postfix (perl)
>
> is how spamd is running.

You've got spamd running as the user "postfix" (that "-u postfix"
command line argument). Thus the user postfix needs to have write
permissions to the bayes_* files. but in that directory listing
you show:

> 4160 -rw---  1 user  staff  5111808 Dec  4 09:51 bayes_toks

So 'postfix' has -no- access permissions to "user"s bayes_toks
Thus the permission errors.

You have two different options:
1) run spamd as root and be sure that you pass the correct user
   name via "spamc -u user" for each message.
2) Set the global 'bayes_file_mode' option to 0666 so that the
   spamd process always has read-write permission, regardless
   of who it is run as.

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] bigevil.cf + rsync? - Windows version - sort of

[Barry Porter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/12/2003 02:01,  Gary Smith wrote:

> There are some freeware dll's that you can use to do the FTP/wget so
you don't have to do the shell.  I don't see where you restart/reload
the service???

I have done a google for both recode and wget as dll's but have come up
with nothing other than a virus warning about wget.dll being used in an
irc flood virus.

The reason for not restarting the spamd service is that I don't have
spamd running on Windows.

The WinspamC implementation does not work well with Mercury/32 so I use
spamassassin in serial mode.

- --
Regards
Barry


What has four legs and an arm? A happy pit bull.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3-nr1 (Windows XP)

iD8DBQE/0uEr3wKVPLs2unURAgYJAJ4gFMoEOLozTChiy+/L19oCWSfKUACfVDKQ
M5rQUTQwjsGbJloaGkZkS0o=
=Y5dV
-END PGP SIGNATURE-


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] bigevil.cf + rsync? - Windows version - sort of

[Chris Thielen]

Barry Porter said:
> I have done a google for both recode and wget as dll's but have come up
> with nothing other than a virus warning about wget.dll being used in an
> irc flood virus.

Barry,
http://www.gnu.org/software/wget/wget.html
should link you to
ftp://sunsite.dk/projects/wget/windows/
where you can snag win32 binaries for wget

HTH.


--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] bigevil.cf + rsync? - Windows version - sort of

[Chris Thielen]

Chris Thielen said:
> Barry,
> http://www.gnu.org/software/wget/wget.html
> should link you to
> ftp://sunsite.dk/projects/wget/windows/
> where you can snag win32 binaries for wget

Just ignore me... I shouldn't have jumped in and posted without reading
the whole thread.  Sorry!

--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Delete mail with a score above n

[Bob Apthorpe]

On Thu, 04 Dec 2003 10:59:13 -0800 Mike D <[EMAIL PROTECTED]> wrote:

> Does anyone know how to config spamassassin to delete messages with a score
> above a certain threshold?

This question gets asked every 3-5 days and really ought to be in the FAQ.

Answers generally focus on:

a) procmail

b) how SpamAssassin only tags but doesn't delete mail, and 

c) how automatically deleting mail is probably a really bad idea

d) how this question is better answered by using the mailing list
archive. :)

hth,

-- Bob


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] bigevil.cf + rsync?

[Peter Kiem]

Hi,

> Peter, if your still listening what character set are you running?

Sorry, been away for the weekend.  I was using my SquirrelMail at the
time for posting so not sure.  It should have just been plain text!

-- 
Regards,
+-+-+
| Peter Kiem.^.   | E-Mail: <[EMAIL PROTECTED]> |
| Zordah IT /V\   | Mobile: +61 0414 724 766|
|   IT Consultancy &  /(   )\ | WWW   : www.zordah.net  |
|   Internet Services  ^^-^^  | ICQ   : "Zordah" 81 |
+-+-+
   My current spamtrap address is [EMAIL PROTECTED]



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Why didnt't he obfuscation rules hit on this message?

[Rubin Bennett]

Return-Path: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
From: "Timprice" <[EMAIL PROTECTED]>
Date: Sat, 06 Dec 2003 21:50:06 -0100
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED] --> 78% D.1.SC0.UNT!! xvjtk crbqap
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset=iso-8859-1
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on 
tux.thatitguy.com
X-Spam-Level: ***
X-Spam-Status: No, hits=3.1 required=5.0
tests=DATE_IN_PAST_06_12,HTML_40_50,
HTML_FONTCOLOR_UNSAFE,HTML_FONT_BIG,HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY autolearn=no version=2.60
X-Evolution-Source: imap://[EMAIL PROTECTED]/

malpbgqe wownvqycyp qdiwgn dnsswp
tagirbpr
Did you know [EMAIL PROTECTED] That the normal cost for
V1@GRA is $20, per dose?
hutguyq aciyza xizud mnujrwoomh ojscidre
We are running a hot special!! TODAY Its only an amazing $1.66Shipped
world wide!

http://goandbuyit.com/discounts/index.php?pid=evaph3770>DISC0UNT
0RDER
mzgqdmi udiiaytti nusoyoiim xnvkiziho
mrowygkut
yeqpiorkjr scgzwm xlobydgghb xhlxqam hatiki
jqsha sgjan mavai wxdrpfi wwnlmmha
http://goandbuyit.com/discounts/>o p t - o u t
-- 
Rubin Bennett <[EMAIL PROTECTED]>
RB Technologies


signature.asc
Description: This is a digitally signed message part

RE: [SAtalk] SA, Razor and unkempt perl

[Erick Calder]

Mark, sounds like you need Razor2::Client::Agent installed.  
you can either install it as a perl module via the CPAN module or if you prefer 
to keep things in RPM format you can use the cpan2rpm tool to make the module 
before installing.
 
-Original Message-From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]On Behalf Of Mark 
NortonSent: Friday, December 05, 2003 3:48 PMTo: 
'[EMAIL PROTECTED]'Subject: [SAtalk] SA, Razor 
and unkempt perl

I'm running RedHat 7.2, SA 2.60 and 
Razor 2.36. When I do a 'spamassassin -D -lint', I see the following 
output:
 
debug: entering helper-app run 
mode
razor2 check skipped: Illegal seek 
Can't locate object method "new" via package "Razor2::Client::Agent" at 
/usr/lib/perl5/site_perl/5.6.0/Mail/SpamAssassin/Dns.pm line 
392.
debug: leaving helper-app run 
mode
 
After reading some of the other 
posts, I get the idea that this has to do with how the perl modules got 
installed. Can someone please point me in the right direction?
 
Thanks!
 
Mark 
Norton
[EMAIL PROTECTED]
 
 

[SAtalk] report_safe ?

[Erick Calder]

I've recently upgraded to Shriek which comes with 2.44.  my user_prefs used
to include a line like:

report_safe 0

but now I get an error like this:

> Dec  3 23:40:45 beowulf spamd[13358]: debug: Failed to parse line in
> SpamAssassin configuration, skipping: report_safe 0

in the current docs I find neither any mention of this setting nor an
alternative... wtf?

- ekkis



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] spamds that don't finish

[Erick Calder]

Cheryl, I'm having the same problem (see posting "spamd piling up - just
killing me") on a Shriek (RH9) box running 2.44.  2.44 is the latest
available from RH but it's been suggested to me that I should upgrade to
2.60 (unfortunately I can't do that at present since Theo Van Dinter's site
is not making the .src files available) but if you have the same problem
then it's not a 2.44 issue.

I'm not sure but I think the problems started with my upgrade to Shriek and
I too seem to have most troubles with a single user whose account looks
distinctly unremarkable.

I'd love to hear whether you figured it out or have any other ideas as to
how to troubleshoot.

1k thx - ekkis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Cheryl L. Southard
Sent: Saturday, December 06, 2003 2:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] spamds that don't finish


Hi,

Well, I gotten another 4 more of these spamd processes stuck on my
mail server since yesterday, all with the same user.  In running the
solaris pstack program, it appears that the spamd processes are stuck
in  the ham_func5 and memcopy routines called from ham_expand_table
and ham_split_page.

I've told my user to move his .spamassassin directory away and start up
a new set of bayes databases.  Perhaps this will alleviate the problem.

Cheryl

On Thu, Dec 04, 2003 at 07:21:51AM -0800, Cheryl L. Southard wrote:
> Hi All,
>
> I've got two spamd processes that just wont go away.  They've been
> running for well over 11 hours and are taking up 100% of my cpu.
> I've run "truss " but it doesn't report anything.  The same
> user, coincidentally, is the recipient of both e-mails, but this
> user doesn't have any special rules in his user_prefs file.  This user's
> home directory and mail file seem accessable  and there don't seem to
> be any weird messages in the spamd log file
>
> I am running spamassassin 2.60 on a Solaris 9 computer with procmail.
>
> > ps -ef | grep spamd
>   cc 27379  2447 48 20:36:36 ?   277:37 /usr/local/bin/perl -T
/usr/local/bin/spamd -d -a -c -m 5
>   cc 19967  2447 48 13:14:29 ?   603:31 /usr/local/bin/perl -T
/usr/local/bin/spamd -d -a -c -m 5
> root  2447 1  0   Oct 27 ?   30:17 /usr/local/bin/perl -T
/usr/local/bin/spamd -d -a -c -m 5
>
> Can anyone suggest things I can try to figure out what is going on?
> Since we have a 5 process spamd limit on our computer, these processes
> are really causing a traffic jam on my mail server.
>
> Thanks,
>
> Cheryl
>
> --
> Cheryl Southard
> [EMAIL PROTECTED]
>
>
> --__--__--

--
Cheryl Southard
[EMAIL PROTECTED]


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Bayes scoring

[Michael Satterwhite]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'm looking at the standard scoring of the BAYES rules and I see

50_scores.cf:score BAYES_80 0 0 5.300 2.862
50_scores.cf:score BAYES_90 0 0 4.027 3.002
50_scores.cf:score BAYES_99 0 0 5.200 3.008

if I'm reading this correctly more points are given for classifying a message 
as 80% probable than for 90% probable - actually more is given for 80% than 
for 99%. Looking at the spam messages I have, this seems to be true.

Can some of you experts explain this one to me?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/05GvjeziQOokQnARArSqAKCA2J1iu0k01Wg/bP7x/Iq80T3VHwCfSU+U
GMr0mzdqnwffM1SbQ+Id2Mk=
=z8up
-END PGP SIGNATURE-



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] report_safe ?

[Theo Van Dinter]

On Sun, Dec 07, 2003 at 12:24:16PM -0800, Erick Calder wrote:
> I've recently upgraded to Shriek which comes with 2.44.  my user_prefs used
> to include a line like:
>   report_safe 0
> in the current docs I find neither any mention of this setting nor an
> alternative... wtf?

report_safe was introduced in 2.50.  2.44, at this point, is ancient.
You should upgrade to 2.60.

If you don't want to do that, you can look at defang_mime, report_header,
and use_terse_report.

-- 
Randomly Generated Tagline:
"There ought to be limits to freedom." - George W. Bush (Gov. of Texas)


pgp0.pgp
Description: PGP signature

Re: [SAtalk] Bayes scoring

[Theo Van Dinter]

On Sun, Dec 07, 2003 at 02:46:39PM -0600, Michael Satterwhite wrote:
> Can some of you experts explain this one to me?

http://spamassassin.taint.org/faq/index.cgi?req=show&file=faq01.005.htp

-- 
Randomly Generated Tagline:
"The highest patriotism is not a blind acceptance of official policy, but
 a love of one's country deep enough to call her to a higher standard."
 - George McGovern


pgp0.pgp
Description: PGP signature

RE: [SAtalk] report_safe ?

[Erick Calder]

ah!! now I get it.  I _was_ running 2.60 before "upgrading" to Shriek, which
actually downgraded my SA installation to 2.44 - grr.

may I suggest you add a note at http://spamassassin.kluge.net/RPMS/ that the
single .src there will produce the 3 binaries (for morons like me to whom
such things are not immediately evident)?

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 07, 2003 12:46 PM
To: Erick Calder
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] report_safe ?


On Sun, Dec 07, 2003 at 12:24:16PM -0800, Erick Calder wrote:
> I've recently upgraded to Shriek which comes with 2.44.  my user_prefs
used
> to include a line like:
>   report_safe 0
> in the current docs I find neither any mention of this setting nor an
> alternative... wtf?

report_safe was introduced in 2.50.  2.44, at this point, is ancient.
You should upgrade to 2.60.

If you don't want to do that, you can look at defang_mime, report_header,
and use_terse_report.

--
Randomly Generated Tagline:
"There ought to be limits to freedom." - George W. Bush (Gov. of Texas)



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Re: spamd piling up - just killing me

[Erick Calder]

ok.  I'm now running 2.60 but with same results.  curiously, as with
Cheryl's problem, I mostly seem to have one user with the problem... and
from what I can tell there is nothing remarkable about that user's
account...

any help would be most appreciated.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Malte
S. Stretz
Sent: Saturday, December 06, 2003 4:51 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Re: spamd piling up - just killing me


On Saturday 06 December 2003 07:13 CET Erick Calder wrote:
> I have a problem that's making me miserable.
>
> I'm running spamassassin-2.44-11.8.x on a shriek (RH9) box and am having
> a problem:  spamd processes get spawned whenever a mail arrives but for a
> particular user, they never seem to finish. therefore I end up with a
> bunch of spamd instances that consume 100% of my cpu and make my box
> unusable.

That's probably an old bug in an old SpamAssassin. You should upgrade to
version 2.60. RPMs are available via the download link on the SpamAssassin
site.

Cheers,
Malte

--
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
  
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
  



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Re: One persistent spammer defeating SA.

[Bryan Hoover]

Robert Nicholson wrote:
> 
> I've got a mailbox full of messages that got past SA
> 
> They are all from the same spammer.

What sort of stuff is in the messages?

And if it's a bulk send -- that is, a real spammer, as opposed to
someone targeting only you (which would be, most likely, for the most
part (or largely), evil) -- DCC and/or Razor should catch it -
otherwise, as you mention, Bayes.

> From: Taking Applications <[EMAIL PROTECTED]>
> Subject:Do you have what it takes to be wealthy?
> Date:   December 6, 2003 2:20:08 PM CST
> To:   Robert David Nicholson <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>



> 
> Do we have a way of dealing with the spammer who's Reply-To's always
> look the same?

Yes.  The spammer must be dealt with.

That reply-to could be trapped with a match on one or more addresses
with no comma separation.  Your email being the motivation for my
introduction to Perl regular expressions, I have little (until now,
zero) experience with such, but I'd say finding the end point of the
reply-to header would be the ugly part of such a rule.

I pulled most of the following bit from the wdvl web development site's
Perl regular expressions section:

/[EMAIL PROTECTED](\.org|\.net)\s+,\$/ig

It matches - or tries to match - on an email address, followed by a
comma.  But what's needed is one or more comma delimited email
addresses, so I just repeated the pattern:

/[EMAIL PROTECTED](\.org|\.net)\s+,[EMAIL PROTECTED](\.org|\.net)\$/ig

Oh, but it's supposed to be *absent* a separating comma - so I removed
the comma:

/^reply-to:[EMAIL PROTECTED](\.org|\.net)[EMAIL PROTECTED](\.org|\.net)\$/igm

Assuming the above is even close, it goes matching across newlines (the
added 'm' modifier is intended to ignore (though not sure in what sense
- ignore, or just doesn't terminate matching attempt?) newlines) into
whatever header fields (or body) follow the reply-to (delimit, I
suppose, with a newline preceeded by a comma, a newline followed by a
comma, or just a newline, but no immediately following, space delimted
email address pattern), and it does not cover addresses enclosed in <>
like <[EMAIL PROTECTED]> -- would that be ^\<|\w+ etcetera?  

I imagine there's a lot it doesn't cover, but I'm satisfied with my
little Perl regex excursion for the time being.

> Is Bayes the only way of handling these?

It's a pattern.  Does Bayes tokenize patterns?  It would be really cool
if it did - something along the lines of xml abstraction I mean - whoa.

Bryan
> 
> ---
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click

-- 
Nothing in the world has more potential for beauty than woman.  Nothing
has more potential to destroy it, than the world. - (Anonymous)

http://www.wecs.com/content.htm

This signature file is generated by Pick-a-Tag !
Written by Jeroen van Vaarsel
http://www.google.com/search?hl=en&ie=ISO-8859-1&q=pick-a-tag



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Bayes and qmailscanner

[Jennifer Fountain]

I am having a bit of a time trying to get bayes working with
qmail/qmailscanner.  My server is acting like a relay server for my
domain and does not have mailboxes.  Does anyone have any information
that they can share with point me in the right direction?


***

Thank you

Jennifer Fountain


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Re: spamd piling up - just killing me

[Malte S. Stretz]

On Sunday 07 December 2003 22:56 CET Erick Calder wrote:
> ok.  I'm now running 2.60 but with same results.  curiously, as with
> Cheryl's problem, I mostly seem to have one user with the problem... and
> from what I can tell there is nothing remarkable about that user's
> account...

Are those processes really zombies or does the user probably just receive 
loads of mail? Have you tried limiting the number of children via the -m 
switch?

Cheers,
Malte

-- 
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
  
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
  



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Re: spamd piling up - just killing me

[Erick Calder]

> Are those processes really zombies or does the user probably
> just receive loads of mail?

they're not really zombies since they're eating up all available cpu. and
the user doesn't get that much mail but when he does the processes run
forever.

> Have you tried limiting the number of children via the -m switch?

the default used on the Shriek init.d uses -m5 but if you look at top:

  PID USER PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
17983 fc25   0 17848 6156 4 R19.9  3.9  43:49   0 spamd
18911 fc25   0 17920 9724 4 R19.9  6.1  33:07   0 spamd
19103 fc25   0 17912 6560 4 R19.9  4.1  21:49   0 spamd
19274 fc25   0 18060 7412 4 R19.5  4.7  15:12   0 spamd
19210 fc25   0 18108 6744 4 R19.2  4.2  18:01   0 spamd

you see how long they run and how busy they are.

I did find this, which offers no resolution but at least verifies the
problem exists in other platforms:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg25302
.html

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Malte
S. Stretz
Sent: Sunday, December 07, 2003 3:07 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Re: spamd piling up - just killing me


On Sunday 07 December 2003 22:56 CET Erick Calder wrote:
> ok.  I'm now running 2.60 but with same results.  curiously, as with
> Cheryl's problem, I mostly seem to have one user with the problem... and
> from what I can tell there is nothing remarkable about that user's
> account...

Are those processes really zombies or does the user probably just receive
loads of mail? Have you tried limiting the number of children via the -m
switch?

Cheers,
Malte

--
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
  
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
  



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Re: spamd piling up - just killing me

[Charles Gregory]

On Sunday 07 December 2003 22:56 CET Erick Calder wrote:
> ok.  I'm now running 2.60 but with same results.  curiously, as with
> Cheryl's problem, I mostly seem to have one user with the problem... and
> from what I can tell there is nothing remarkable about that user's
> account...

My favorite gremlin for mysterious crashes and hangs is the LINEBUF
parameter in procmailrc. Make sure their other rules (particularly
whitelist rules before spamc call) are not too big for the buffer

-Charles




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] amavisd-new & spamassassin = no headers. Ugh!

[Bill Randle]

On Sat, 2003-12-06 at 20:10, [EMAIL PROTECTED] wrote:
> Greetings all!
> 
> Detailed thread is here: 
> http://forums.gentoo.org/viewtopic.php?t=93771&start=0&sid=5b9753497d3d65e947679654382eea37
> 
> Basically, I have installed amavisd-new and SpamAssassin 2.60 on a box 
> that serves as a gateway machine. 
> 
> For the life of me, I can *not* get it to add the headers & subjet line! 
> It's driving me nuts. Everything worked fine on a standalone test machine. 
> :(
> 
> Postfix *is* listening on the correct ports and if I tail the mail.log, it 
> does appear that stuff is being scanned, but no headers are ever added.
> 
> If anybody has a moment and wants to take a look at the URL above, I'd 
> appreciate it. 

I'm using Postfix + amavisd-new + clamav + spamassassin and it's working
great, including adding the headers. Here's some things to check:
  1. in amavisd.conf, set $sa_spam_modifies_subj = 0. The default is to
 modify the subject, and I'm not sure if this is mutually exclusive
 with adding headers, so I set it 0, just to be safe.
  2. in your spamassassin local.cf file, make sure you have:
report_safe 0
report_header 1
  3. make sure you don't have multiple spamassassin .cf or user_prefs
 files that might override one another.
  4. make sure you are actually getting some incoming spam with a score
 greater than 1.0 ($sa_tag_level_deflt); if it's less than that, no
 headers will be added
  5. in amavisd.conf, set $log_level = 2 for more logging. This should
 show both SPAM and SPAM-TAG in the mail log file. This will help
 verify spam is detected and tagged at the requested level.

-Bill




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Adding another RBL

[Richard Bewley]

Hmm, it looks as though this would be the problem:

debug: is Net::DNS::Resolver available? no
debug: is DNS available? 0

Now, the next question, how do I go about installing Net::DNS, do I have to
use CPAN?

Thanks,
Richard

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David B Funk
Sent: Thursday, December 04, 2003 1:35 AM
To: Richard Bewley
Cc: 'Matt Kettler'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] Adding another RBL

On Thu, 4 Dec 2003, Richard Bewley wrote:

> Hi,
>
> Now, I have the following:
> header RCVD_IN_MY_BNBLeval:check_rbl('bl',
'bl.blueshore.net.',
> '2')
> describe RCVD_IN_MY_BNBL  Listed by bl.blueshore.net
> tflags RCVD_IN_MY_BNBLnet
> score RCVD_IN_MY_BNBL 5.0
>
> And it still doesn't work.  I also tried it without the '2', any more
ideas?
>
> Thanks,
> Richard

Richard,
Which version of SA are you using? There were changes in the DNSBL stuff
between 2.55 & 2.60.

If you are using 2.60, try this:

header RCVD_IN_MY_BNBL rbleval:check_rbl('bl', 'bl.blueshore.net.')
describe RCVD_IN_MY_BNBL   Listed by bl.blueshore.net
tflags RCVD_IN_MY_BNBL net
score RCVD_IN_MY_BNBL  5.0

Also make sure that your perl has the NET::DNS module loaded, your
config has not disabled the network tests, your DNS server is
working correctly, etc.

Do a:
  spamassassin -D --lint

and make sure that lines that look like this show up somewhere in
the output:

  debug: is Net::DNS::Resolver available? yes
  debug: is DNS available? 1
  debug: RBL: success for 2 of 2 queries

Note that there will be a bunch of other stuff intermixed, so you
may have to look closely.

Have you tried doing a DNS lookup on that RBL by hand to make sure
that you can resove from it?

Try doing:
  nslookup 2.0.0.127.bl.blueshore.net.

or:
  dig 2.0.0.127.bl.blueshore.net.

Make sure that you get back a valid IP resolition.

Note that your score is rather "stiff", be absolutly sure that
that RBL is -alway- good, otherwise you're going to get FPs.



-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{






---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Adding another RBL

[Erick Calder]

if you're running RH you can use the RPM. see
http://perl.arix.com/cpan2rpm/#prebuilt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Richard Bewley
Sent: Sunday, December 07, 2003 5:50 PM
To: 'David B Funk'
Cc: 'Matt Kettler'; [EMAIL PROTECTED]; 'El
Mariposa'
Subject: RE: [SAtalk] Adding another RBL


Hmm, it looks as though this would be the problem:

debug: is Net::DNS::Resolver available? no
debug: is DNS available? 0

Now, the next question, how do I go about installing Net::DNS, do I have to
use CPAN?

Thanks,
Richard

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David B Funk
Sent: Thursday, December 04, 2003 1:35 AM
To: Richard Bewley
Cc: 'Matt Kettler'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] Adding another RBL

On Thu, 4 Dec 2003, Richard Bewley wrote:

> Hi,
>
> Now, I have the following:
> header RCVD_IN_MY_BNBLeval:check_rbl('bl',
'bl.blueshore.net.',
> '2')
> describe RCVD_IN_MY_BNBL  Listed by bl.blueshore.net
> tflags RCVD_IN_MY_BNBLnet
> score RCVD_IN_MY_BNBL 5.0
>
> And it still doesn't work.  I also tried it without the '2', any more
ideas?
>
> Thanks,
> Richard

Richard,
Which version of SA are you using? There were changes in the DNSBL stuff
between 2.55 & 2.60.

If you are using 2.60, try this:

header RCVD_IN_MY_BNBL rbleval:check_rbl('bl', 'bl.blueshore.net.')
describe RCVD_IN_MY_BNBL   Listed by bl.blueshore.net
tflags RCVD_IN_MY_BNBL net
score RCVD_IN_MY_BNBL  5.0

Also make sure that your perl has the NET::DNS module loaded, your
config has not disabled the network tests, your DNS server is
working correctly, etc.

Do a:
  spamassassin -D --lint

and make sure that lines that look like this show up somewhere in
the output:

  debug: is Net::DNS::Resolver available? yes
  debug: is DNS available? 1
  debug: RBL: success for 2 of 2 queries

Note that there will be a bunch of other stuff intermixed, so you
may have to look closely.

Have you tried doing a DNS lookup on that RBL by hand to make sure
that you can resove from it?

Try doing:
  nslookup 2.0.0.127.bl.blueshore.net.

or:
  dig 2.0.0.127.bl.blueshore.net.

Make sure that you get back a valid IP resolition.

Note that your score is rather "stiff", be absolutly sure that
that RBL is -alway- good, otherwise you're going to get FPs.



--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{






---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Spam that got through question

[Scott Harris]

Title: Spam that got through question






The spam attached has the following random words at the bottom:


automata childhood reflectance trevelyan tile captious hollingsworth cornstarch chinaman chicanery 


Is this to try to poison bayes or to just try and fool things to get it through or some other reason?





 <> 



--- Begin Message ---

Online Doctor
60+ Products
Mens health Womans Health
Overnight shipping get your meds to you promptly

http://vjd.tut6med5fg.com/MedPros


automata childhood reflectance trevelyan tile
captious hollingsworth cornstarch chinaman chicanery 


--- End Message ---

Re: [SAtalk] Mailer daemon mail in whitelist

[Matt Kettler]

At 11:07 AM 12/6/03 -0800, mairhtin wrote:
Great to hear! Is xanadu.evi-inc.com *YOUR* dns machine? my machine is 
named mail.techsolutionsgroupllc.com, so I suppose that the correspondant 
line would be :

whitelist_from_rcvd [EMAIL PROTECTED] mail.techsolutionsgroupllc.com

since mail.techsolutionsgroupllc.com is our DNS server as well as our mail 
server (DMZ and all that).

Am I on the right track?
Yep.. all mail out of evi comes through xanadu..

However, if your intent is to whitelist internal mail, you'll probably want 
to whitelist some substring of the names of your workstations that deliver 
mail.





---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Adding another RBL

[Matt Kettler]

At 08:49 PM 12/7/03 -0500, Richard Bewley wrote:
mm, it looks as though this would be the problem:

debug: is Net::DNS::Resolver available? no
debug: is DNS available? 0
Now, the next question, how do I go about installing Net::DNS, do I have to
use CPAN?
you can do it via tarball, and most distros have a package for it, so you 
can use either of those options if CPAN is unappealing to you..

however, CPAN is a good way to go if you like CPAN.



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Spam that got through question

[Matt Kettler]

At 07:15 PM 12/7/03 -0800, Scott Harris wrote:
The spam attached has the following random words at the bottom:

automata childhood reflectance trevelyan tile captious hollingsworth 
cornstarch chinaman chicanery

Is this to try to poison bayes or to just try and fool things to get it 
through or some other reason?


That's definitely bayes poison.





---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Bayes scoring

[Matt Kettler]

At 02:46 PM 12/7/03 -0600, Michael Satterwhite wrote:
50_scores.cf:score BAYES_80 0 0 5.300 2.862
50_scores.cf:score BAYES_90 0 0 4.027 3.002
50_scores.cf:score BAYES_99 0 0 5.200 3.008
if I'm reading this correctly more points are given for classifying a message
as 80% probable than for 90% probable - actually more is given for 80% than
for 99%. Looking at the spam messages I have, this seems to be true.
Can some of you experts explain this one to me?
Well, in set 2, bayes 80 scores higher, but in set 3 (with network checks) 
it scores lower.

However, Spamassasin scores are decidedly NOT a linear system. Due to 
interactions with hundreds of other rules, this kind of nonlinearity is 
very normal..

If you dig the archives I've posted about this quite a bit.

The basic gist is that no rule stands alone.. scoring is based on what 
combinations of rules fire off for a set of emails in the corpus. The goal 
is not to give the highest scores to the rule with the most spam, it's to 
give the scores that place the most emails in the right spam/nonspam piles. 
These often coincide, but not always, because the reality of real email is 
very complex.

 It's very likely that a nonspam message that scores 90 in bayes (ie: a 
crude joke) will trigger lots of other rules and force the GA to score that 
rule lighter to avoid FPs.



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk