Re: [SAtalk] Having trouble coding a local rule

2003-12-29 Thread David B Funk
On Mon, 29 Dec 2003, Peter Kiem wrote:

> Hi David,
>
> > So you either need to change your rule to match the header from address or
> > code it to look for the envelope from address.
>
> What is the rule for matching envelope from address?

That is mail system dependent, as there is no standard requirement for
envelope from address to be present within a message. The example that
you posted had a 'Return-Path:' header that looked like the envelope
from.
Often times the envelope from is imbedded within a 'Received:' header.

You will have to look at an example of your messages -as presented to SA-.
(IE SA may not 'see' the same thing that shows up in your INBOX.)

I use SA with sendmail and a milter. I had to modify the milter to get it
to synthesize headers that presented the envelope sender & envelope
recipients so that I could use them in filtering & white/black list rules.

Dave

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


[SAtalk] A different approach to spam

2003-12-29 Thread Ivar Snaaijer




Make the spammer pay:

In the article it is mentioned that it seems a Microsoft idea, but I
doubt that directly. Not that there are no good ideas coming from
Redmond, just never new ones. 
 The link again (to copy yourself) :
http://news.bbc.co.uk/2/hi/technology/3324883.stm 

What would be the implications (probably will take time to check
validity in SA) so the receiving end is paying too, only to check if it
is valid, how would it work, prior art, comments ?

Ivar. 




Re: [SAtalk] A different approach to spam

2003-12-29 Thread Matthew Cline
On Monday 29 December 2003 01:07 am, Ivar Snaaijer wrote:
> Make the spammer pay :

> In the article it is mentioned that it seems a Microsoft idea, but I
> doubt that directly. Not that there are no good ideas coming from
> Redmond, just never new ones.
>  The link again (to copy yourself) :
> http://news.bbc.co.uk/2/hi/technology/3324883.stm

> What would be the implications (probably will take time to check
> validity in SA) so the receiving end is paying too, only to check if it
> is valid, how would it work, prior art, comments ?

SpamAssassin already has something like this, called HashCash 
(http://www.hashcash.org/).  While the receiving end pays to do a check, the 
sending end has to spend a *lot* more time on the computations, slowing 
things down on the sending end.  Microsoft has put a twist on it by creating 
an algorithm whose quickness depends upon the speed of the computer's memory 
(RAM), rather than the speed of the CPU.  This means that old computers will 
be able to do the check about as quickly as new computers (since memory access 
speeds haven't changed that much), so people won't have to upgrade their 
computer hardware just to be able to perform the checks on their email.

-- 
Give a man a match, and he'll be warm for a minute, but set him on
fire, and he'll be warm for the rest of his life.

Advanced SPAM filtering software: http://spamassassin.org
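
Added example, not part of the original thread and not code from SpamAssassin or hashcash.org: a Python illustration of the cost asymmetry described above, using the hashcash version 1 stamp layout (ver:bits:date:resource:ext:rand:counter) with SHA-1. The recipient address, date and random field are constructed values; the counter is written in hex and date expiry checking is left out as simplifying assumptions.

```python
import hashlib
import itertools


def leading_zero_bits(digest):
    """Number of zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource, bits, date, rand):
    """Sender: try counters until SHA-1(stamp) starts with `bits` zero bits.

    Returns (stamp, hashes_tried); the expected work is about 2**bits hashes.
    """
    prefix = "1:%d:%s:%s::%s:" % (bits, date, resource, rand)
    for counter in itertools.count():
        stamp = prefix + format(counter, "x")
        digest = hashlib.sha1(stamp.encode("utf-8")).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp, counter + 1


def verify(stamp, resource, required_bits, seen):
    """Receiver: a few string checks and exactly one SHA-1."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False                      # not a version 1 stamp
    if not fields[1].isdigit() or int(fields[1]) < required_bits:
        return False                      # sender claimed too little work
    if fields[3] != resource:
        return False                      # minted for a different recipient
    if stamp in seen:
        return False                      # replayed stamp
    digest = hashlib.sha1(stamp.encode("utf-8")).digest()
    if leading_zero_bits(digest) < int(fields[1]):
        return False                      # claimed work was not actually done
    seen.add(stamp)
    return True


def demo():
    # Constructed values; 12 bits keeps the run short (hashcash's usual default is 20).
    stamp, tried = mint("user@example.com", 12, "031229", "c0ffee0123456789")
    seen = set()
    first = verify(stamp, "user@example.com", 12, seen)
    replay = verify(stamp, "user@example.com", 12, seen)
    return stamp, tried, first, replay


if __name__ == "__main__":
    stamp, tried, first, replay = demo()
    print("stamp:", stamp)
    print("sender hashes:", tried, "receiver hashes: 1")
    print("first use accepted:", first, "replay accepted:", replay)
```

Each extra bit doubles the sender's expected work while the receiver still computes a single hash per stamp.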





[SAtalk] Detailed explanation of rules?

2003-12-29 Thread Gordon Royle
I have been using an outdated system-wide version of SpamAssassin for the
last few months, but more and more spam was getting through. So the last few
days, I have been working on getting the latest version of SA installed in
my own personal area, and despite careful perusal of the documentation, I
still have a few unanswered questions..

Firstly, I can bring up the list of tests, but is there any way that I can
find out more explanation of the tests? There are really two aspects to this
question - the brief descriptions of the tests often refer to technical
details about mail delivery that I (as a user, not administrator) have never
needed to know about - for example FAKE_HELO_AOL refers to "Host HELO did
not match rDNS". Is there anywhere that gives a basic explanation of what
this means with respect to SpamAssassin? In addition, there are some things
that I can understand, but cannot figure out any reason for the points
assigned to them - for example why is HTML_00_10 worth a point, while
HTML_20_30 worth only 0.69 points?

Secondly, I am recently getting a lot of Spam that uses constructs of the
following form:

Banned CD Gov

where words are separated by non-existent tags...  the only rule that it
fired was HTML_MESSAGE. Is this right or should there be one..

I am using v2.61 just installed, all defaults except for a couple of
whitelist/blacklist entries in user_prefs..

Thanks

Gordon





Re: [SAtalk] remove markup question and bayes question

2003-12-29 Thread Matt Kettler
At 01:25 PM 12/28/03 -0800, S. M. C. Butler wrote:
> Can anyone tell me how to use the --remove-markup command in SA? I have
> a whole folder of spam and I'd like to remove the SA markups so that I
> can use this with sa-learn (next time my bayes DB goes awol..)

As a part of this thread that was overlooked by all participants:

You do NOT need to remove SpamAssassin markups before running mail through 
sa-learn.

sa-learn is a part of the spamassassin toolkit, and is inherently aware of 
spamassassin's own markups. No special treatment needed. See the FAQ.

However, any other markups you might need to strip, or use 
bayes_ignore_header statements. (ie: MailScanner users need this because 
MailScanner uses different header names to stuff SA tagging info into).

However, if you still feel the need for the --remove-markup command...

First, you need an RFC 822 file with a single email in it, not a mbox.

Then do

spamassassin --remove-markup < marked-spam.txt >unmarked-spam.txt







Re: [SAtalk] whitelist question

2003-12-29 Thread Matt Kettler
At 02:08 PM 12/28/03 -0800, S. M. C. Butler wrote:
> whitelist_from [EMAIL PROTECTED], [EMAIL PROTECTED], root,
> Super-User
> but unix system messages like the one below still get trapped as spam. I
> thought that the whitelist_from took precedence over everything else, am
> I missing something?
> Appreciate any insight.

Ditch the commas.. they don't belong there and will cause the line to be 
misinterpreted or ignored as a syntax error.

You want either of the following syntaxes

whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED] root Super-User

or:

whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from root
whitelist_from Super-User
As always, be sure to run spamassassin --lint after changing your config files. 





Re: [SAtalk] Detailed explanation of rules?

2003-12-29 Thread Matt Kettler
At 09:21 PM 12/29/03 +0800, Gordon Royle wrote:
> Firstly, I can bring up the list of tests, but is there any way that I can
> find out more explanation of the tests? There are really two aspects to this
> question - the brief descriptions of the tests often refer to technical
> details about mail delivery that I (as a user, not administrator) have never
> needed to know about - for example FAKE_HELO_AOL refers to "Host HELO did
> not match rDNS". Is there anywhere that gives a basic explanation of what
> this means with respect to SpamAssassin?


Unfortunately most of SA is written by people who are system administrators 
and mail system experts by trade. This means that their natural writing 
style is a bit technical. I've been trying to help populate the wiki with 
some FAQ material of a low-tech sort, as have others, but it's a work in 
progress at best.

http://wiki.spamassassin.org/w/

In specific about your question, programs delivering mail to a mailserver 
normally "greet" the server prior to delivering mail with a HELO command 
(or EHLO). Following the command is a text string to identify the machine 
making the delivery, and normally this is the full domain name of the 
machine delivering mail.

The server receiving the mail makes a note of this HELO, but also makes a 
note of the IP address of the machine delivering mail. It also uses a 
reverse-DNS lookup to try to find out what the DNS system thinks the name 
of the machine delivering mail is.

In a normal exchange, these match. For example, look at this exchange of 
mail noted by one of sourceforge.net's mailservers when one of your ISP's 
servers dropped your message off:

Received: from cumulus.netspace.net.au ([203.10.110.72] helo=mail.netspace.net.au)
        by sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.24)

In this case, a netspace server connected to sc8-sf-mx1.sourceforge.net. It 
then stated its name with: "HELO mail.netspace.net.au".

Sourceforge's mailserver noted the source IP address of the server that 
connected, 203.10.110.72. It then ran a reverse DNS lookup on it, and got 
cumulus.netspace.net.au. Since many servers have multiple names, this minor 
discrepancy isn't surprising.. the reverse DNS can only map to one of the 
many names it has.

On the other hand, discrepancies like HELO mail.aol.com, coming from an IP 
address that reverses to something like 
"chello080108078056.15.11.vie.surfer.at" is quite suspicious. An AOL 
mailserver should resolve as being part of AOL, and certainly not some ISP 
in Austria.




> In addition, there are some things
> that I can understand, but cannot figure out any reason for the points
> assigned to them - for example why is HTML_00_10 worth a point, while
> HTML_20_30 worth only 0.69 points?


How scores are assigned is in the FAQ:

http://wiki.spamassassin.org/w/HowScoresAreAssigned

Some more "conceptual" discussion of the mass-check/GA system is also 
mentioned in this one:
http://wiki.spamassassin.org/w/VirusScannerTypeUpdates









RE: [SAtalk] Detailed explanation of rules?

2003-12-29 Thread Tom Meunier
Hi Gordon,

> 
> Firstly, I can bring up the list of tests, but is there any 
> way that I can find out more explanation of the tests? 

http://www.spamassassin.org/tests.html

> There are really two aspects to this question - the brief 
> descriptions of the tests often refer to technical details 
> about mail delivery that I (as a user, not administrator) 
> have never needed to know about - for example FAKE_HELO_AOL 
> refers to "Host HELO did not match rDNS". Is there anywhere 
> that gives a basic explanation of what this means with 
> respect to SpamAssassin?

You'd really need to understand how SMTP conversations work.  In your
example:
When one mailer speaks to another, the first thing it says is "HELO" and
announces its name.  The receiving server can then do a DNS lookup on
the IP address of the sending server (which can't be forged) to find out
what its true name is supposed to be.  Note that this is one of the most
misconfigured DNS records, on a global scale - it doesn't HAVE TO be
configured to make your mail server work, so many neophyte DNS or mail
admins don't know or bother to configure it, and in addition many ISPs
will not allow their customers control over their reverse DNS records.
So if my mailserver at 169.254.230.105 begins the conversation with HELO
FOO.COM but you ask your DNS server who  169.254.230.105 is and it
returns SOMETHING.ELSE.COM it will return this test as positive.

Since there are varying levels of understanding, and so many tests, it
would be a pretty big task to document all of this to a level that would
suffice for everyone.  So the answer is "Ask your mail admin" or "ask
here on this list".  I've tried explaining your example to people who
administer mailservers for a living, and they don't get it.  (Sad...)
However, the short explanation given there is enough for any competent
email administrator to know EXACTLY what it means.

> In addition, there are some things 
> that I can understand, but cannot figure out any reason for 
> the points assigned to them - for example why is HTML_00_10 
> worth a point, while HTML_20_30 worth only 0.69 points?

The developers ran half a million mail messages through spamassassin,
and it turns out that HTML_00_10 is a better indicator of spam than
HTML_20_30 is.  Many of the tests come out that way, counter to what we
would think at first glance.

> 
> Secondly, I am recently getting a lot of Spam that uses 
> constructs of the following form:
> 
> Banned CD Gov

That'll be nailed by Jennifer's Most Excellent Rules.
Popcorn/Backhair/Weeds.  Save them into the directory where your
local.cf is, and restart spamd if you use it.
http://www.emtinc.net/spamhammers.htm

-tom
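
Added example, not part of the original posts and not SpamAssassin's rule code: a Python check that pulls the HELO name, reverse-DNS name and IP out of a Received header and grades the discrepancy the way the two replies above describe (identical, same organisation, or unrelated). The first header is the one quoted in the thread; the others are constructed, and the short second-level-domain set is an assumed stand-in for the Public Suffix List.

```python
import re

# Exim form, as in the header quoted above:  from <rDNS> ([ip] helo=<HELO>)
EXIM_RE = re.compile(
    r"from\s+(?P<rdns>[\w.-]+)\s+\(\[(?P<ip>[0-9A-Fa-f.:]+)\]\s+helo=(?P<helo>[\w.-]+)\)")
# Sendmail/Postfix form:  from <HELO> (<rDNS> [ip])
SENDMAIL_RE = re.compile(
    r"from\s+(?P<helo>[\w.-]+)\s+\((?P<rdns>[\w.-]+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]")

# Assumption: tiny stand-in for the Public Suffix List, enough for names like
# netspace.net.au; production code should use the real list.
SECOND_LEVEL = {"ac", "co", "com", "edu", "gov", "net", "org"}

# Header quoted in the thread (folded the way a real header would be).
PAGE_HEADER = (
    "Received: from cumulus.netspace.net.au ([203.10.110.72]\n"
    "\thelo=mail.netspace.net.au)\n"
    "\tby sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.24)")
# Constructed samples; 192.0.2.0/24 is a documentation range.
FORGED_HELO = (
    "Received: from chello080108078056.15.11.vie.surfer.at ([192.0.2.56] "
    "helo=mail.aol.com) by mx.example.org with smtp")
SENDMAIL_OK = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) "
    "by mx.example.net")
NO_RDNS = (
    "Received: from foo.example (unknown [192.0.2.77]) "
    "by mx.example.org (Postfix)")


def org_domain(host):
    """Reduce a host name to its (approximate) registered domain."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_received(header):
    """Compare the HELO name with the rDNS name recorded by the receiving MTA.

    Only the Received header added by your own server is trustworthy;
    anything below it may have been written by the sender.
    """
    flat = re.sub(r"\s+", " ", header)          # unfold continuation lines
    m = EXIM_RE.search(flat) or SENDMAIL_RE.search(flat)
    if not m:
        return {"verdict": "unparsed"}
    helo, rdns = m["helo"].lower(), m["rdns"].lower()
    if rdns == "unknown":                       # Postfix: no PTR record found
        verdict = "no-rdns"
    elif helo == rdns:
        verdict = "match"
    elif org_domain(helo) == org_domain(rdns):
        verdict = "same-domain"                 # e.g. one host with several names
    else:
        verdict = "mismatch"                    # HELO claims another organisation
    return {"ip": m["ip"], "helo": helo, "rdns": rdns, "verdict": verdict}


if __name__ == "__main__":
    for sample in (PAGE_HEADER, FORGED_HELO, SENDMAIL_OK, NO_RDNS):
        print(check_received(sample))
```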




[SAtalk] how to setup bayesian filtering spamassassin

2003-12-29 Thread Imtiaz Shaik



Hi,
 
I have slackware 9 box, with sendmail server 
configured and spamassassin version 2.60. the problem is, I want to configure 
bayesian filters for the same, I tried with the help available on 
spamassassin.org site, but no luck, please can anybody help me with 
step by step setup of bayesian filtering in spamassassin version 
2.60.
 
Thanks in advance for your help.
 
Regards,
 
Imtiaz


Re: [SAtalk] rule modification

2003-12-29 Thread Matt Kettler
At 12:57 PM 12/28/2003, skumm wrote:
> How and where do I modify the rules relating to html in the message body? 
> If it is there period I want marked as spam, so I want to change its 
> weight to something like 10 if html exists in the message

You don't need to modify the rules themselves to do this... just add a 
score statement for the rule in question to your local.cf:

score HTML_MESSAGE 10.0





[SAtalk] Rule to block Paris Hilton spam

2003-12-29 Thread Stephane Lentz
Hi, 

it seems that there are many spam lately offering to view the
Paris Hilton video.
I tried to devise a rule to spot such spam but with no success
(either with 2.55 or 2.60 - upgrade to 2.61 planned) 
Anybody came up with some solution ? 
My rule was : 
uri LOCAL_HILTON  /special-selections\.com/
describe LOCAL_HILTON Paris-Hilton-Video
score LOCAL_HILTON 100.0

But it does not work on most spam I received (base64 encoding + header trick ?). 

base64 sample body 

aGV5DQoNCkNvbWUgY2hlY2sgb3V0IHRoZSBQYXJpcyBIaWx0b24gczN4IHRh
cGVzIGFsbCBmb3IgZnJlZS4NCg0KIGh0dHA6Ly93d3cuc3BlY2lhbC1zZWxl
Y3Rpb25zLmNvbQ==

If I do a base64 -d on these lines and copy the output in  a message
the rule is triggered. 

X-Spam-Status: Yes, hits=100.0 required=5.0 tests=LOCAL_HILTON autolearn=no
version=2.60


For spam I received the Spam-status for such message was : 
X-Spam-Status: No, hits=4.3 required=5.0 tests=DATE_IN_PAST_03_06,
HTML_MIME_NO_HTML_TAG,MIME_BASE64_TEXT,MIME_HTML_NO_CHARSET,
MIME_HTML_ONLY autolearn=no version=2.60

Strange ? 
Full spam message with headers available if needed. 

Any help is welcome 

Regards, 

SL/




[SAtalk] RE: Bigevil 2.05d posted and regex question....

2003-12-29 Thread Chris Santerre


> -Original Message-
> From: Scott A Crosby [mailto:[EMAIL PROTECTED]
> Sent: Saturday, December 27, 2003 7:49 PM
> To: Chris Santerre
> Cc: Spamassassin-Talk (E-mail)
> Subject: Re: Bigevil 2.05d posted and regex question
> 
> 
> On Mon, 22 Dec 2003 15:16:34 -0500, Chris Santerre 
> <[EMAIL PROTECTED]> writes:
> 
> > Updated from this weekends spam. That one Guy selling the 
> Vdrug had about 8
> > more domains. 
> > 
> > If I work the regex even further so it reads:
> > 
> > (?:domain1|domain2|domain3)\.com
> > 
> > rather than:
> > 
> > (?:domain1\.com|domain2\.com|domain3\.com)
> > 
> > Will it run even faster? Less memory? Or is it a tradeoff 
> between the two? 
> 
> It'll probably reduce memory usage, but shouldn't be expected to
> change performance much. I replied the last time you asked these
> questions with several optimizing tips that *would* help
> performance. May I suggest applying them?
> 
> Scott
> 

It has already been started in the last update 2.05k from last week.

Chris




Re: [SAtalk] Rule to block Paris Hilton spam

2003-12-29 Thread Chris Thielen
Stephane Lentz said:
> Hi,
>
> it seems that there are many spam lately offering to view the
> Paris Hilton video.
> I tried to devise a rule to spot such spam but with no success
> (either with 2.55 or 2.60 - upgrade to 2.61 planned)


> Full spam message with headers available if needed.

Please post the full spam with headers.  I believe URI rules should be run
after attachments are decoded so there might be something else going on
here.

Also, another way to attack this is to look for "paris hilton".  Try the
rules generated here:
http://sandgnat.com/cmos/cmos.jsp?words=%22paris+hilton%22

Finally, FYI you hijacked another thread by replying to an unrelated
message.  Next time simply send a new message to the list address instead.

--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/
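
Added example, not from the thread and not SpamAssassin's own decoding code: the decode-before-match order mentioned above, shown with Python's standard email package and the pattern from the LOCAL_HILTON rule. The base64 lines are the sample posted in the question; the surrounding headers and the quoted-printable message are constructed, and the example does not diagnose why the poster's rule missed.

```python
import re
from email import message_from_string

# Pattern taken from the LOCAL_HILTON rule in the question.
RULE = re.compile(r"special-selections\.com")

# Constructed headers around the base64 body posted in the question.
B64_SAMPLE = """\
From: sender@example.com
To: rcpt@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: base64

aGV5DQoNCkNvbWUgY2hlY2sgb3V0IHRoZSBQYXJpcyBIaWx0b24gczN4IHRh
cGVzIGFsbCBmb3IgZnJlZS4NCg0KIGh0dHA6Ly93d3cuc3BlY2lhbC1zZWxl
Y3Rpb25zLmNvbQ==
"""

# Constructed: a quoted-printable soft line break ("=" at end of line)
# splits the domain so the raw bytes never contain it in one piece.
QP_SAMPLE = """\
From: sender@example.com
To: rcpt@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Come and look at http://www.special-selec=
tions.com today
"""


def decoded_text(raw):
    """Return the text of every leaf MIME part with its transfer encoding undone."""
    texts = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "latin-1"
        texts.append(payload.decode(charset, errors="replace"))
    return texts


def scan(raw):
    """Apply the same pattern to the undecoded body and to the decoded parts."""
    raw_body = raw.partition("\n\n")[2]
    return {
        "raw": bool(RULE.search(raw_body)),
        "decoded": any(RULE.search(text) for text in decoded_text(raw)),
    }


if __name__ == "__main__":
    print("base64 part:      ", scan(B64_SAMPLE))
    print("quoted-printable: ", scan(QP_SAMPLE))
```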




Re: [SAtalk] Wrapper script to speed up sa-learn?

2003-12-29 Thread Ivar Snaaijer
Dave Kliczbor wrote:

> Hello out there...
>
> I noticed that sa-learn sometimes is a bit too slow for my needs.
>
> I call sa-learn via:
> /usr/bin/sa-learn --no-rebuild --spam 
> To speed the call itself up, I think about writing a script that loads
> the mailfile into RAM, detaches itself from the calling process
> (backgrounds itself) and then feeds sa-learn with the mail. That may
> take a little longer, but I do not have to wait for it.
> Now I want to ask a few things:
> 1) Does such a script already exist? (If yes, where can I find it?)
> 2) What problems may I run into? (memory consumption etc.)
> 3) Any additional hints?
 

[...]

1.
do not know (and with hindsight, yes)
2.
do not know
3.
I could be stating the obvious here but why not run it with & at the end ?
My guess is that on most systems preloading the file into ram will not 
deliver significant gains as I suspect SA to already do some 'buffering' 
for itself.
If your mail file is locked and you want to circumvent this you have 
to copy it first to a temp file; see the example script.

salearnscript (3 lines):

tmp=$(mktemp /tmp/spamfile.XXXXXX) || exit 1   # private, unpredictable temp file
cp "$1" "$tmp" && /usr/bin/sa-learn --no-rebuild --spam "$tmp"   # $1 = mail file
rm -f "$tmp"

run this as
salearnscript   &

Good luck.

Ivar.



RE: [SAtalk] spamd memory usage.

2003-12-29 Thread Chris Santerre
Which Version of SA are you running? I'm running a patched 2.4x version.
(Yeah I know...but it is kicking booty!!!)

With WAY more custom rules than probably anyone else on this list I average
only 20 megs of usage. I'm using no net test in SA though. Not sure if that
matters. 

--Chris

> -Original Message-
> From: Gary Smith [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 24, 2003 9:24 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] spamd memory usage.
> 
> 
> 
> I was wondering how much memory spamd should be using 
> (running default rules and bigevil.cf only).  It's currently 
> using about 30mb and a decently light load day.  I'm just 
> trying to get a baseline so I can watch it grow/shrink as I 
> add/remove rules.
> 
> Gary Smith
> 
> 
> 
> 
> 
> 




Re: [SAtalk] V 2.70

2003-12-29 Thread Matt Kettler
At 09:35 PM 12/27/2003, Jim Knuth wrote:
> what is the difference between V 2.61 and V 2.70?
> Except for, that it is a developer version ( I mean V 2.70):-)

I downloaded the 2.70-cvs and 2.61 tarballs and diffed them.

Note that this is just a summary of me looking at diffs, and any errors are 
the result of my misreading or misinterpretation of the data.

1) it appears they've made spamd have a default limit of 5 children, unless 
you specify otherwise with -m.

2) the change of dynablock from easynet.nl to sorbs has NOT been applied to 
2.70-cvs (as of today) but is in 2.61

3) 2.70 no longer works with perl 5.005. It now has a require 5.006_001 
statement in the code.

4) there appear to be some significant differences in the auto-whitelist. 
Presumably to fix a few weird corner-cases that have been seen..

5) they seem to be backing out and re-writing some contributions due to 
conversion of the contributor agreement to be based on the Apache 
foundation. Some patch authors apparently did not sign the Apache 
agreements, so they need to be redone.

6) it looks like they are working on support for SPF http://spf.pobox.com/

7) HTML parsing changes, to try to prevent spammer obfuscations from 
confusing it.

8) It looks like they changed the range of legal characters when parsing 
message headers to be more strictly RFC 821 based (presumably to avoid some 
kind of obfuscation?)

9) some general misc rule tweaks. 





Re: [SAtalk] how to setup bayesian filtering spamassassin

2003-12-29 Thread Matt Kettler
At 09:55 AM 12/29/2003, Imtiaz Shaik wrote:
> I have slackware 9 box, with sendmail server configured and spamassassin 
> version 2.60. the problem is, I want to configure bayesian filters for the 
> same, I tried with the help available on spamassassin.org site, but no 
> luck, please can anybody help me with step by step setup of bayesian 
> filtering in spamassassin version 2.60.

1) make sure you have Berkeley DB and DB::File installed. Without these, 
bayes isn't possible.

2) use sa-learn to start training. feed spam messages to sa-learn --spam 
and nonspam messages to sa-learn --ham.
If you want to train an mbox file full of messages, use the --mbox parameter.





Re: [SAtalk] V 2.70

2003-12-29 Thread Theo Van Dinter
On Mon, Dec 29, 2003 at 11:10:14AM -0500, Matt Kettler wrote:
> Note that this is just a summary of me looking at diffs, and any errors are 
> the result of my misreading or misinterpretation of the data.
[...]
> 9) some general misc rule tweaks. 

10) a completely rewritten MIME parser ...  I'm fairly positive we
haven't gotten it fully integrated yet though.

:)

-- 
Randomly Generated Tagline:
We question most of the mantras around here periodically, in case
 you hadn't noticed.  :-)
  -- Larry Wall in <[EMAIL PROTECTED]>




Re: [SAtalk] hundreds of spamd processes spawning

2003-12-29 Thread Dennis Duval
Michael P. Varre wrote:
> I'm running spamd + vpopmail + qmailscanner + mysql +
> clamuko.  I have a problem where every once in a while
> hundreds of spamd processes are spawning.  It absolutely
> crushes the server.  I have determined it is not because
> of any large lists being sent/received to/from the box.
> I have also determined it is not a spammer.  There aren't
> really that many clients on the box, and it is dedicated
> for mail services.  No open relay, etc.
>
You should limit the number of concurrent spamd processes by using the -m
option.  I use -m 20 to limit spamd to 20 concurrent processes.  I have
found that stopping syslog will totally choke spamd regardless of
whether or not you use the -m option.  I was using the stock init scripts
for syslog which came with the Redhat distribution.  Every time I would stop
or restart syslog using these scripts, spamd would choke and within a minute
or so, and I would have hundreds of processes running and a locked up
system.  Restarting syslogd with the -HUP does not cause this problem.

Dennis Duval





Re: [SAtalk] A different approach to spam

2003-12-29 Thread Matt Kettler
At 05:16 AM 12/29/2003, Matthew Cline wrote:

> SpamAssassin already has something like this, called HashCash
> (http://www.hashcash.org/).  While the receiving end pays to do a check, the
> sending end has to spend a *lot* more time on the computations, slowing
> things down on the sending end.  Microsoft has put a twist on it by creating
> an algorithm whose quickness depends upon the speed of the computer's memory
> (RAM), rather than the speed of the CPU.  This means that old computers will
> be able to do the check about as quickly as new computers (since memory access
> speeds haven't changed that much), so people won't have to upgrade their
> computer hardware just to be able to perform the checks on their email.

Side note, this is not included in any released version of SA.. It's a 
"coming soon" feature.

According to bugzilla bug 796 it's in CVS, but it doesn't appear to be in the CVS 
branch that the 2.70-cvs tarballs are made from.

Using an unpacked tarball downloaded from 
http://www.spamassassin.org/devel/Mail-SpamAssassin-2.70-cvs.tar.gz this 
morning:

 Mail-SpamAssassin-2.70]$ grep -ri hashc *
 Mail-SpamAssassin-2.70]$




[SAtalk] Documentation question

2003-12-29 Thread Mike Kuentz (2)
What version of SA does this web page reference?  

http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html

It makes mention of deprecated items in version greater than 2.60.  

Having use_auto_whitelist in my local.cf file for SA v 2.61 gives me an
error on --lint.  

The exact error is:
Failed to parse line in SpamAssassin configuration, skipping:
use_auto_whitelist 0


Mike






[SAtalk] E-mail client set-up help request

2003-12-29 Thread Andrew Lazarewicz
Hi!  I've been using spamassassin at my ISP for a while and am very happy with 
it.  Now, I've had to change my ISP, and want to run spamassassin at home 
with my e-mail client.  I set everything up as I believe that it should be, 
but it does not work.  More to the point the ".forward" command (I use Linux) 
does not work.  My suspicion is that either all of this does not work on an 
e-mail client, but it needs an e-mail server -- or -- I do not have procmail 
or perl set up correctly (I think that I do).

Does spamassassin work with an e-mail client -- I connect now to Earthlink 
over a cable connection.

Thank you!  - Andy
-- 
Andrew Lazarewicz
 [EMAIL PROTECTED] -- http://alum.mit.edu/www/alaz





Re: [SAtalk] Fwd: Rude Rape actions

2003-12-29 Thread Evan Platt
--On Sunday, December 28, 2003 10:40 AM -0800 Raquel Rice
<[EMAIL PROTECTED]> wrote:

> 
> Being a woman talking with other women about non-computer things,
> often.

Ahh.. Good thinking outside the box there Evan. :(

Sorry, my bad.

Perhaps something with the domain names involved then adding a higher score?

Evan




Re: [SAtalk] bayes.lock getting killed on a LONG sa-learn run

2003-12-29 Thread Kris Deugau
Larry Rosenman wrote:
> I just had my nice Bayes DB killed on a sa-learn that had 1300+
> messages in it.
> 
> What seemed to happen is the bayes.lock file got deleted by some
> spamd process EVEN THOUGH sa-learn WAS STILL ALIVE.

Most programs that use a separate file as a lock indicator (rather than
kernel-level file locking) have an explicit method to break that lock
"in case something else failed and left a stale lockfile around".  This
makes sure that if a process that created a lock dies unexpectedly and
leaves the lock in place, other processes don't have to wait forever for
the "real" file to be "unlocked".

What I've done on the system-wide Bayes on the server here is to set 
bayes_learn_to_journal to 1, and always run sa-learn with --no-rebuild;
then set up a daily cron job to sync the journal.

So far, I've yet to see any major problems.  (~1 month with SA2.6x, ~3
with 2.5x.)

IMHO, kernel-level file locks are far cleaner, but I don't know whether
you can even do that cleanly with files accessed through DB_File.  :/

-kgd
-- 
"Sendmail administration is not black magic.  There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
   - Unknown
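
The trade-off described in the message above, as an added example that is not part of the original post and is not SpamAssassin's locking code: an age-based stale-lock breaker removes a lock whose holder is still running, while a kernel-level `flock` is released only when the holder closes the file or exits. The timeout, file names and function names are assumptions made for the illustration.

```python
import fcntl
import os
import tempfile
import time

STALE_AFTER = 0.2  # seconds; constructed timeout, far shorter than a real one


def take_lockfile(path, stale_after=STALE_AFTER):
    """Separate-file lock with an age-based breaker (assumed design).

    Returns "acquired", "busy" or "broke-lock".
    """
    stamp = f"{os.getpid()} {time.time()}\n".encode()
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        with open(path) as fh:
            _pid, created = fh.read().split()
        if time.time() - float(created) < stale_after:
            return "busy"
        # The breaker only sees an old timestamp. It cannot tell a crashed
        # holder from one that is still working through a long job.
        os.unlink(path)
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        os.write(fd, stamp)
        os.close(fd)
        return "broke-lock"
    os.write(fd, stamp)
    os.close(fd)
    return "acquired"


def take_flock(path):
    """Kernel-level advisory lock; returns an open fd, or None if held."""
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError:
        os.close(fd)
        return None
    return fd


def demo():
    """Replay a long learning run competing with a scanner for the lock."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        lockfile = os.path.join(workdir, "bayes.lock")
        results["learner"] = take_lockfile(lockfile)
        results["scanner_early"] = take_lockfile(lockfile)
        time.sleep(STALE_AFTER * 2)  # the learner is still busy
        results["scanner_late"] = take_lockfile(lockfile)

        guarded = os.path.join(workdir, "bayes.flock")
        holder = take_flock(guarded)
        # No timeout applies here: the lock lasts as long as the holder's fd.
        results["flock_contender"] = take_flock(guarded)
        os.close(holder)  # process exit has the same effect
        successor = take_flock(guarded)
        results["flock_after_release"] = successor is not None
        if successor is not None:
            os.close(successor)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```
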




RE: [SAtalk] False positives

2003-12-29 Thread Christopher X. Candreva
On Sun, 28 Dec 2003, schafer wrote:

>
>
> > People have no incentive to help
> > rude people Stop being a jerk and you'll likely get more help.
>
> I did not know spamassassin is home-brew. I thought I was dealing with
> one of dozens of commercial outfits, and whom in my experience respond much
> better to "squeaky wheels" than "pretty please", being their main focus is
> often the bottom line. In my experience, "being a jerk" works when dealing
> with commercial software outfits.
>
> Thanks for taking the time to answer my email.

As someone who owns his own ISP and frequently does support, I can tell you
that rude messages go to the BOTTOM of the queue. Especially if they are
from people who aren't paying customers.

My grandfather used to say -- and someone else on the list quoted to you --
you catch more flies with honey than with vinegar.

Just something to think about.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/




Re: [SAtalk] Sendmail line

2003-12-29 Thread Kris Deugau
"Robt. Miller" wrote:
[snip Q&A re: how to set up a sendmail milter for calling SA]
>  Is it ok to do it this way? Somebody said I should use mimedefang.
> I'm not clear on the advantages of either.

spamc doesn't know anything about getting called as a sendmail "milter"
plugin- assuming you get the syntax correct in the sendmail
configuration, and get spamd running to provide the socket required,
you'll just end up with error messages in your mail log.

The simplest way to get SA running with sendmail is to call spamassassin
or spamc from your global /etc/procmailrc, or from individual
~/.procmailrc files, as per the examples in the SA documentation.  In
most cases this is the best way to call SA with *any* MTA, as it allows
clean and simple per-user SA configurations.

If you don't want to bother with per-user preferences, SA can be called
from a number of milter programs in various ways;  I'd recommend
MIMEDefang (http://www.mimedefang.org) if you are willing to do a little
Perl hacking to get things working *exactly* as you want.

I haven't used amavis;  but many people on this list seem to be happy
with it and I think it's a little easier to set up than MIMEDefang.

A number of people are also using spamass-milter;  which is a sendmail
milter designed to handle the sole task of calling SpamAssassin.  My own
brief experience with it was pretty bad;  YMMV.

-kgd
-- 
"Sendmail administration is not black magic.  There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
   - Unknown




RE: [SAtalk] False positives

2003-12-29 Thread Evan Platt
--On Monday, December 29, 2003 12:43 PM -0500 "Christopher X. Candreva"
<[EMAIL PROTECTED]> wrote:

> As someone who owns his own ISP and frequently does support, I can tell
> you that rude messages go to the BOTTOM of the queue. Especially if they
> are from people who aren't paying customers.

(Also an ISP here, but not an owner). But I second that. As a matter of
fact, a rude message from a non paying non customer may even get deleted.

i.e. a spam complaint where our domain is being clearly forged: A polite
"Hey, you have a spammer..." will get a reply almost all the time. A "You
idiots are spamming me. Quit it! You are ! I will report you to
the Internet Police" will almost always get forwarded to our Layer 2 Lead,
Dave Null.

> My grandfather used to say -- and someone else on the list quoted to you
> -- you catch more flies with honey than with vinegar.

 

If there's ONE thing I learned - it's you can be a TAD rude. IF YOU PAY.
However if you have free software, you better be nice. :)

To quote Mr. Schafer:

> I did not know spamassassin is home-brew. I thought I was dealing with
> one of dozens of commercial outfits, and whom in my experience respond
> much better to "squeaky wheels" than "pretty please", being their main
> focus is often the bottom line. In my experience, "being a jerk" works
> when dealing with commercial software outfits.

When you pay, that may be the case, but since you weren't a paying
customer,  see above.

Evan





Re: [WL] Re: [SAtalk] Fwd: Rude Rape actions

2003-12-29 Thread Charles Gregory
On Sun, 28 Dec 2003, Evan Platt wrote:
> >Yow, how am I supposed to stop spam like this? There isn't anything to filter
> >on except the word 'adult'. I guess 'rape' works  as well.. But I'm not really
> >inclined to filter messages with the word rape in them, nor give them a 3+ 
> >score.
> When's the last legit message you've had with 'rape' in the subject?
> Give it a 3.0

When you are filtering for just yourself, this is fine. But when you are
running a server, you have to be aware that some people might actually
want to talk about rape or viag... or whatever. So you look for the odd
*phrases* used by spammers: I *would* block 'rude rape actions', and watch
for other combinations

- C





Re: [SAtalk] Rule to block Paris Hilton spam

2003-12-29 Thread Stephane Lentz
Hi Chris, 

On Mon, Dec 29, 2003 at 09:58:33AM -0600, Chris Thielen wrote:
> Stephane Lentz said:
> > Hi,
> >
> > it seems that there are many spam lately offering to view the
> > Paris Hilton video.
> > I tried to devise a rule to spot such spam but with no success
> > (either with 2.55 or 2.60 - upgrade to 2.61 planned)
> 
> 
> Please post the full spam with headers.  I believe URI rules should be run
> after attachments are decoded so there might be something else going on
> here.

=> Thanks for the info. Two samples of such spam are now available at
http://milter.free.fr/spam/ (hilton-sample1.txt & hilton-sample2.txt 
files)

I did some tests with SA 2.61 : these messages trigger the 
HTML_MIME_NO_HTML_TAG test. 

> Also, another way to attack this is to look for "paris hilton".  Try the
> rules generated here:
> http://sandgnat.com/cmos/cmos.jsp?words=%22paris+hilton%22

=> Thanks for the link. I will check it out. I was willing to avoid the
matching "Paris Hilton" if possible as I live in Paris and some of my
colleagues may book some rooms in Hilton hotels (one never knows) 

> Finally, FYI you hijacked another thread by replying to an unrelated
> message.  Next time simply send a new message to the list address instead.
> 
=> Sorry for that ! Bad MUA sequences ...

Regards, 

SL/




[SAtalk] postfix

2003-12-29 Thread gentian



Hi list,

I am thinking to use Postfix together with SpamAssassin and Amavisd. I guess
maybe that is not the right list to ask this question but probably any of you
has encountered this issue before.

With
postconf -e "mynetworks=."
I can set up which machines are allowed to relay mail to my server, but as I am
opened to internet, I do not want to allow relaying based on the IP address of
the sender but based on my domain name. So every email that is sent to my
domain.edu is allowed to be relayed, anything else is rejected.
 
Does anybody know this ?
 
Gentian


Re: [SAtalk] False positives

2003-12-29 Thread Alan Fullmer

Seriously, There are some issues you need to work through.   (Personal
Issues)

I switched to Spamassassin over a year ago, and have not looked back.  It is
by far the most accurate I have ever seen.  Not to mention customizable, and
very very powerful.

I really think you are from some company that is in "competition" and just
can't admit you are being beat.

Relax, we are all in this together.  We all fight spam.


My suggestion is to adjust your settings accordingly.


Alan Fullmer Owner / Administrator [EMAIL PROTECTED] Xnote Communications
www.xnote.com
www.zoobuh.com -- 


- Original Message - 
From: "schafer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 26, 2003 12:00 AM
Subject: [SAtalk] False positives


> To Spamassassin:
>
> My publication is double-opted in by 15,000 families with children with
> autism.  We are routinely victimized by incompetent software like
> spamassassin because of false positives.  This is just as intolerable as
> spam.  It is worse than spam because it victimizes the innocent in the name
> of stopping spam.  (And it may even be a violation of the Americans With
> Disabilities Act which prohibits discrimination against the disabled) It is
> rank hypocrisy.
> False positives are intolerable and commercial products that allow them
> should be outlawed as much as spam should be.
>
> I do not know if this is the right place to complain as I could not find an
> email address that offers feedback to the company.  This arrogance stinks,
> too.  As if software developers don't need public feedback about their junky
> products.
>
> This piece of junk software rates my publication 99%-100% likely to be spam.
>
> "* 3.0 -- BODY: Bayesian classifier says spam probability is 99 to 100%"
>
> Ha! What crap.  The offending email is also parked at this website page:
>
> http://home.doitnow.com/~edit/index.htm
>
> Lenny Schafer
> Schafer Autism Report
>
> Exhibit:
>
>  Start SpamAssassin results
> 7.10 points, 5.5 required;
> * -0.1 -- Message-Id indicates the message was sent from MS Exchange
> * 0.9 -- BODY: No such thing as a free lunch (3)
> * 0.5 -- BODY: No Fees
> * 0.5 -- BODY: Possible porn - Hot, Nasty, Wild, Young
> * 0.1 -- BODY: HTML link text says "click here"
> * 0.1 -- BODY: HTML font color is red
> * 0.2 -- BODY: FONT Size +2 and up or 3 and up
> * 0.1 -- BODY: HTML font color not within safe 6x6x6 palette
> * 1.5 -- BODY: Message is 20% to 30% HTML
> * 0.1 -- BODY: HTML has "tbody" tag
> * 0.2 -- BODY: JavaScript code
> * 0.1 -- BODY: HTML font color is blue
> * 3.0 -- BODY: Bayesian classifier says spam probability is 99 to 100%
> [score: 0.9988]
> * 0.2 -- BODY: HTML contains unsafe auto-executing code
> * 2.9 -- BODY: HTML has very strong "shouting" markup
> * 0.4 -- URI: Uses %-escapes inside a URL's hostname
> * 0.7 -- URI: Includes a link to a likely spammer email address
> * 0.0 -- Asks you to click below
> * -4.3 -- AWL: Auto-whitelist adjustment
>  End of SpamAssassin results
>
>
>
>





Re: [SAtalk] postfix

2003-12-29 Thread Ralf Hildebrandt
* gentian <[EMAIL PROTECTED]>:

> With 
> postconf -e "mynetworks=." 

> i can setup which machines are allowed to relay mail to my server,
> but as I am opened to internet, I do not want to allow relaying based
> on the IP address of the sender but based on my domain name. So every
> email that is sent to my domain.edu is allowed to be relayed,
> anything else is rejected.
> 
> Does anybody know this ?

This is what postfix does by default. Read the docs more carefully.

-- 
Ralf Hildebrandt (Im Auftrag des Referat V a)   [EMAIL PROTECTED]
Charite - Universitätsmedizin BerlinTel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-BerlinFax.  +49 (0)30-450 570-916
Referat V a - Kommunikationsnetze - AIM.  ralfpostfix




Re: [SAtalk] postfix

2003-12-29 Thread Dan Wilder
On Mon, Dec 29, 2003 at 02:11:39PM -0500, gentian wrote:

> Hi list, 
> 
> I am thinking to use Postfix together with SpamAssassin and Amavisd. I guess
> maybe that is not the right list to ask this question but probably any of you
> has encountered this issue before.
> 
> With postconf -e "mynetworks=." i can setup which machines are allowed to
> relay mail to my server, but as I am opened to internet, I do not want to
> allow relaying based on the IP address of the sender but based on my domain
> name. So every email that is sent to my domain.edu is allowed to be relayed,
> anything else is rejected. 

"relaying" in this case means handling mail for recipients who aren't
in your domain.  You probably _do_ want to allow relaying from some hosts,
that is, if you send mail out from more than one machine on your
local network.  So you put mynetworks entries for every network or
host who is allowed to send mail via postfix on your server, to third 
parties.  This can include offsite networks or hosts if you wish.

Incoming mail addressed to recipients in your domain is allowed, but
this isn't considered "relaying".

You _don't_ want to allow relaying based on sender domain name.  It's too
easy to forge "from" address.

-- 
Dan Wilder <[EMAIL PROTECTED]> 
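
The relay policy discussed in this thread, modelled as an added example that is not part of the original posts and is not Postfix code: mail for local recipients is delivered, relaying to third parties is allowed only from listed client networks, and the optional `trust_sender_domain` switch shows what happens when the forgeable envelope sender is trusted instead. The networks, domain and sessions are constructed for the illustration.

```python
import ipaddress

# Constructed values: documentation address ranges and a placeholder domain.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_DOMAINS = {"example.edu"}


def domain_of(address):
    """Domain part of an envelope address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def decide(client_ip, mail_from, rcpt_to, trust_sender_domain=False):
    """Return "deliver", "relay" or "reject" for one SMTP transaction."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "deliver"  # incoming mail for our own domain, not relaying
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in MYNETWORKS):
        return "relay"    # outgoing mail from a host we operate
    if trust_sender_domain and domain_of(mail_from) in LOCAL_DOMAINS:
        return "relay"    # the policy the reply warns against
    return "reject"


# (client IP, envelope sender, envelope recipient), all constructed.
SESSIONS = [
    ("203.0.113.9", "friend@example.org", "user@example.edu"),   # inbound
    ("192.0.2.17", "user@example.edu", "friend@example.org"),    # our host
    ("203.0.113.9", "user@example.edu", "victim@example.net"),   # forged sender
    ("203.0.113.9", "someone@example.org", "victim@example.net"),
]


def evaluate(trust_sender_domain):
    """Decisions for every sample session under the chosen policy."""
    return [
        decide(ip, sender, rcpt, trust_sender_domain=trust_sender_domain)
        for ip, sender, rcpt in SESSIONS
    ]


if __name__ == "__main__":
    for label, flag in (("client network only", False),
                        ("sender domain trusted", True)):
        print(label)
        for session, verdict in zip(SESSIONS, evaluate(flag)):
            print("  ", session, "->", verdict)
```

The third session is the one that changes: an outside client claiming a local sender address is rejected under the network-based policy and relayed once the sender domain is trusted.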




Re: [SAtalk] False positives

2003-12-29 Thread Charles Gregory
Hello!

If I may toss in my own two cents:

1) In general, responsible service providers make it a user OPTION
(opt-IN) to use spamassassin, and allow users to set their own 'comfort
level', to minimize what THEY consider to be false positives. 

2) Spamassassin on its own does not block or delete ANYTHING. The person
who installs spamassassin has to create a separate mechanism to 
delete/block mail that is scored 'positive' by SpamAssassin. I would also
consider it a 'responsible' thing for service providers to offer this
choice to their customers, as we do, allowing them to TEST for false
positives before they start deleting mail.

3) While I do not particularly like the style of 'whitelisting' in
spamassassin, it does have it. And this helps prevent false positives for
list mail. Personally, I've added a separate user-friendly
whitelist option which runs under procmail before spamassassin even runs,
with good results.

In general, if these guidelines are followed, anyone who chooses to opt-in
to a mailing list should be able to receive the contents no matter *what*
they may be.

I can only offer sympathies for the number of systems that are not
properly set-up. But this is not the fault of spamassassin, it is a lack
of awareness on the part of system administrators.

- Charles



On Sun, 28 Dec 2003, Morris Jones wrote:
> That's a tough one Lenny.
> 
> There is no company that produces Spamassassin.  It's a free open source
> collaboration by individuals who contribute their time.  It's not a
> commercial product.
> 
> The Bayesian classifier in Spamassassin is trained by the user, and by
> very high scoring spam.  Spamassassin doesn't come with any training that
> would give your email any score at all.
> 
> Hopefully there will be better solutions to the spam problem in the next
> few years.  Meanwhile we're all being handicapped by it.
> 
> Best regards,
> Mojo
> 
> On Thu, 25 Dec 2003, schafer wrote:
> 
> > To Spamassassin:
> > 
> > My publication is double-opted in by 15,000 families with children with
> > autism.  We are routinely victimized by incompetent software like
> > spamassassin because of false positives.  This is just as intolerable as
> > spam.  It is worse than spam because it victimizes the innocent in the name
> > of stopping spam.  (And it may even be a violation of the Americans With
> > Disabilities Act which prohibits discrimination against the disabled) It is
> > rank hypocrisy.
> > False positives are intolerable and commercial products that allow them
> > should be outlawed as much as spam should be.
> > 
> > I do not know if this is the right place to complain as I could not find an
> > email address that offers feedback to the company.  This arrogance stinks,
> > too.  As if software developers don't need public feedback about their junky
> > products.
> > 
> > This piece of junk software rates my publication 99%-100% likely to be spam.
> > 
> > "* 3.0 -- BODY: Bayesian classifier says spam probability is 99 to 100%"
> > 
> > Ha! What crap.  The offending email is also parked at this website page:
> > 
> > http://home.doitnow.com/~edit/index.htm
> > 
> > Lenny Schafer
> > Schafer Autism Report
> > 
> > Exhibit:
> > 
> >  Start SpamAssassin results
> > 7.10 points, 5.5 required;
> > * -0.1 -- Message-Id indicates the message was sent from MS Exchange
> > * 0.9 -- BODY: No such thing as a free lunch (3)
> > * 0.5 -- BODY: No Fees
> > * 0.5 -- BODY: Possible porn - Hot, Nasty, Wild, Young
> > * 0.1 -- BODY: HTML link text says "click here"
> > * 0.1 -- BODY: HTML font color is red
> > * 0.2 -- BODY: FONT Size +2 and up or 3 and up
> > * 0.1 -- BODY: HTML font color not within safe 6x6x6 palette
> > * 1.5 -- BODY: Message is 20% to 30% HTML
> > * 0.1 -- BODY: HTML has "tbody" tag
> > * 0.2 -- BODY: JavaScript code
> > * 0.1 -- BODY: HTML font color is blue
> > * 3.0 -- BODY: Bayesian classifier says spam probability is 99 to 100%
> > [score: 0.9988]
> > * 0.2 -- BODY: HTML contains unsafe auto-executing code
> > * 2.9 -- BODY: HTML has very strong "shouting" markup
> > * 0.4 -- URI: Uses %-escapes inside a URL's hostname
> > * 0.7 -- URI: Includes a link to a likely spammer email address
> > * 0.0 -- Asks you to click below
> > * -4.3 -- AWL: Auto-whitelist adjustment
> >  End of SpamAssassin results
> > 
> > 
> > 
> > 
> 
> -- 
> Morris Jones <*>
> Monrovia, CA
> [EMAIL PROTECTED]
> http://www.whiteoaks.com
> 
> 
> 

Re: [SAtalk] Rule to block Paris Hilton spam

2003-12-29 Thread Chris Thielen
Stephane Lentz said:
> => Thanks for the info. Two samples of such spam are now available at
> http://milter.free.fr/spam/ (hilton-sample1.txt & hilton-sample2.txt
> files)

Stephane,

I glanced at the spamassassin source just now.  I may be wrong, but it
appears that the URI tests only match on attributes of "background",
"href", "src", "action". The URL in the spam was html text and not a link
of sorts.  You may consider changing your rule to a BODY rule instead of a
URI rule.

>
> I did some tests with SA 2.61 : these messages trigger the
> HTML_MIME_NO_HTML_TAG test.

For your reference, here is what my installation (2.61) reported for the
first example (ignore the date_in_future):
 1.8 LOCAL_OBFU_ONLY_SX     BODY: Obfuscated 'sex' in body
 1.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
                            [cf: 100]
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9971]
 0.3 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.6 MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
 1.0 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 1.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 3.5 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.9 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.3 DATE_IN_FUTURE_12_24   Date: is 12 to 24 hours after Received: date
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [211.148.196.239 listed in dnsbl.sorbs.net]
 1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag


>
>> Also, another way to attack this is to look for "paris hilton".  Try the
>> rules generated here:
>> http://sandgnat.com/cmos/cmos.jsp?words=%22paris+hilton%22
>
> => Thanks for the link. I will check it out. I was willing to avoid the
> matching "Paris Hilton" if possible as I live in Paris and some of my
> colleagues may book some rooms in Hilton hotels (one never knows) 

I'm not quite sure how to interpret your statement about being "willing to
avoid the matching ..." so I will explicitly state what the link does.  I
understand you do not wish to match the unobfuscated paris hilton.  The
rules generated by the link above will match *ONLY* obfuscated "paris
hilton".  It will not match "Paris Hilton" or any case permutations such
as "PARIS hilton".  It *will* match obfuscated versions such as "PAR1S
H1LTON" (and a couple other permutations).

Another possible way to attack this is to look for obfuscated paris or
obfuscated hilton only (removing the quotes will generate 4 rules instead
of 2).  See: http://sandgnat.com/cmos/cmos.jsp?words=paris+hilton .

--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/
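
One way to build a body rule that fires only on look-alike spellings of a phrase and never on the plain phrase in any letter case, as the reply above describes. This is an added example, not part of the original post and not the output of the linked generator; the look-alike table, rule name, score and sample lines are hypothetical.

```python
import re

# Hypothetical look-alike table; a real generator may use a different one.
LOOKALIKES = {"a": "a@4", "e": "e3", "i": "i1!|", "l": "l1|",
              "o": "o0", "s": "s5$", "t": "t7+"}
EDGE_BEFORE = r"(?<![a-z0-9])"  # not preceded by a letter or digit
EDGE_AFTER = r"(?![a-z0-9])"    # not followed by a letter or digit


def escape(chars):
    """Backslash every non-alphanumeric so '@', '$' and '|' stay literal."""
    return "".join(c if c.isalnum() else "\\" + c for c in chars)


def fuzzy_word(word):
    """One character class per letter that has look-alike substitutes."""
    out = []
    for ch in word.lower():
        variants = LOOKALIKES.get(ch, ch)
        out.append("[" + escape(variants) + "]" if len(variants) > 1
                   else escape(variants))
    return "".join(out)


def obfuscated_only(phrase):
    """Regex source: look-alike spellings of phrase, minus the plain phrase."""
    words = phrase.split()
    plain = r"\s+".join(escape(w.lower()) for w in words)
    fuzzy = r"\s+".join(fuzzy_word(w) for w in words)
    # The negative lookahead rejects the unobfuscated phrase; with the
    # case-insensitive flag that covers every case permutation as well.
    return f"{EDGE_BEFORE}(?!{plain}{EDGE_AFTER}){fuzzy}{EDGE_AFTER}"


def sa_body_rule(name, phrase, score):
    """Render the pattern as a SpamAssassin body rule."""
    return "\n".join([
        f"body     {name} /{obfuscated_only(phrase)}/i",
        f"describe {name} Obfuscated '{phrase}' in body",
        f"score    {name} {score}",
    ])


def classify(lines, phrase):
    """True for each line the generated pattern would hit."""
    pattern = re.compile(obfuscated_only(phrase), re.IGNORECASE)
    return [bool(pattern.search(line)) for line in lines]


# Constructed sample lines.
SAMPLES = [
    "Watch the PAR1S H1LTON video now",
    "p@ris hilt0n uncensored",
    "We booked two rooms at the Paris Hilton",
    "PARIS hilton conference rates",
]

if __name__ == "__main__":
    print(sa_body_rule("LOCAL_OBFU_PARIS_HILTON", "paris hilton", 2.0))
    for line, hit in zip(SAMPLES, classify(SAMPLES, "paris hilton")):
        print("HIT " if hit else "pass", line)
```
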




Re: [SAtalk] False Positive, possible bug?

2003-12-29 Thread Simon Matthews
Matt,

Thanks for the suggestion.

I checked in the logfiles and it looks like the 192.168.10 domain is 
already treated as trusted (ie. spamassassin infers automatically that it 
is trusted).

I see lines in the logfile such as:
debug: received-header: relay 192.168.10.250 trusted? yes

Simon

At 02:28 PM 12/29/03 -0500, Matt Kettler wrote:
> At 12:17 PM 12/28/2003, Simon Matthews wrote:
> > Specifically, the RCVD_IN_DYNABLOCK
> > check. Note that 192.168.10.250 is a local (within the LAN) relay.
>
> If you're going to use 192.168.*.* networks, add them to your
> trusted_networks statement and it should clear things up a bit.



[SAtalk] Relay trusted when it should not be?

2003-12-29 Thread Simon Matthews
Matt,

At 02:28 PM 12/29/03 -0500, Matt Kettler wrote:
> At 12:17 PM 12/28/2003, Simon Matthews wrote:
> > Specifically, the RCVD_IN_DYNABLOCK
> > check. Note that 192.168.10.250 is a local (within the LAN) relay.
>
> If you're going to use 192.168.*.* networks, add them to your
> trusted_networks statement and it should clear things up a bit.

Your comment made me look into the issue a little more and I see that a 
mail server is listed as "trusted" when I don't think it should be. In the 
email below, the relay on 205.158.62.78 is listed as "trusted" in my logs. 
Surely this is an error? Certainly, this is not a server under my control.

Here are the headers again:

Return-Path: 
X-Original-To: 
Delivered-To: 
Received: from mail.paxonet.com (postoffice.coreel.com [192.168.10.250])
by coremail.paxonet.com (Postfix) with ESMTP id 989285730C
for <>; Fri, 19 Dec 2003 16:02:35 -0800 (PST)
Received: from smtp1.us4.outblaze.com (205-158-62-78.outblaze.com
[205.158.62.78])
by mail.paxonet.com (Postfix) with SMTP id 86ED987432
for <>; Fri, 19 Dec 2003 16:02:35 -0800 (PST)
Received: (qmail 16891 invoked from network); 20 Dec 2003 00:02:34 -
Received: from unknown (HELO Arnold) (:[EMAIL PROTECTED])
  by 205-158-62-78.outblaze.com with SMTP; 20 Dec 2003 00:02:34 -
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "Arnold Matthews" 
From: "Arnold Matthews" 
To: "Ed Matthews" ,
"Simon (work) Matthews" 
Subject: Noises
Date: Fri, 19 Dec 2003 23:38:47 -
MIME-Version: 1.0
X-Security: MIME headers sanitized on coremail
See http://www.impsec.org/email-tools/sanitizer-intro.html
for details. $Revision: 1.139 $Date: 2003-09-07 10:14:23-07
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0007_01C3C689.3F78B3C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
[Rest of the email is deleted]

Simon







Re: [SAtalk] False positives

2003-12-29 Thread John Beamon
He's gone, folks.  He had no interest in getting real assistance, and he 
never came back.  The list has been most helpful in pointing out that 
his own subscribers use SA voluntarily, train it themselves, and failed 
to whitelist this web-app travesty of an "email" message.  (I 
particularly like seeing the "* 0.5 -- BODY: Possible porn - Hot, Nasty, 
Wild, Young" rating on a children's autism mailing list...)  We can all 
go back to our jobs, shell scripting kick-ban cron jobs on our Quake 
servers for fun and profit.  Have a nice day.

-j

schafer wrote:
To Spamassassin:

My publication is double-opted in by 15,000 families with children with
autism.  We are routinely victimized by incompetent software like
spamassassin because of false positives.  This is just as intolerable as
spam.  It is worse than spam because it victimizes the innocent in the name
of stopping spam.  (And it may even be a violation of the Americans With
Disabilities Act which prohibits discrimination against the disabled) It is
rank hypocrisy.
False positives are intolerable and commercial products that allow them
should be outlawed as much as spam should be.
I do not know if this is the right place to complain as I could not find an
email address that offers feedback to the company.  This arrogance stinks,
too.  As if software developers don't need public feedback about their junky
products.
This piece of junk software rates my publication 99%-100% likely to be spam.

"* 3.0 -- BODY: Bayesian classifier says spam probability is 99 to 100%"

Ha! What crap.  The offending email is also parked at this website page:

http://home.doitnow.com/~edit/index.htm

Lenny Schafer
Schafer Autism Report
Exhibit:

 Start SpamAssassin results
7.10 points, 5.5 required;
* -0.1 -- Message-Id indicates the message was sent from MS Exchange
* 0.9 -- BODY: No such thing as a free lunch (3)
* 0.5 -- BODY: No Fees
* 0.5 -- BODY: Possible porn - Hot, Nasty, Wild, Young
* 0.1 -- BODY: HTML link text says "click here"
* 0.1 -- BODY: HTML font color is red
* 0.2 -- BODY: FONT Size +2 and up or 3 and up
* 0.1 -- BODY: HTML font color not within safe 6x6x6 palette
* 1.5 -- BODY: Message is 20% to 30% HTML
* 0.1 -- BODY: HTML has "tbody" tag
* 0.2 -- BODY: JavaScript code
* 0.1 -- BODY: HTML font color is blue
* 3.0 -- BODY: Bayesian classifier says spam probability is 99 to 100%
[score: 0.9988]
* 0.2 -- BODY: HTML contains unsafe auto-executing code
* 2.9 -- BODY: HTML has very strong "shouting" markup
* 0.4 -- URI: Uses %-escapes inside a URL's hostname
* 0.7 -- URI: Includes a link to a likely spammer email address
* 0.0 -- Asks you to click below
* -4.3 -- AWL: Auto-whitelist adjustment
 End of SpamAssassin results




[SAtalk] Bigevil 2.05m updated + question for devs

2003-12-29 Thread Chris Santerre
Greetings I hope everyone had a great holiday. I've updated Bigevil to
version 2.05m. I've been tweaking the rules as I add more. So this update is
actually smaller in size with more evil domains! Yeah!

14 rules tweaked so far. Obviously many more to go. Taking a while as I'm
being VERY careful about which domains I tweak. They are:

BigEvilList_106,BigEvilList_111,BigEvilList_116,
BigEvilList_132,BigEvilList_141,BigEvilList_142,
BigEvilList_154,BigEvilList_163,BigEvilList_173,
BigEvilList_20,BigEvilList_21,BigEvilList_22,
BigEvilList_23,BigEvilList_54

Anywho, I have been checking lots of these against RBLs and many show up in
sorbes and such. Spam didn't come from these places, only images hosted
there. I was wondering if possibly in the future, SA could check the URI
links against RBLs? They all seem to be using the same servers to host now
after they are blacklisted. This way they still get use out of the hosted
boxes. Just a thought.

I've got a HUGE project that needs to get done by the first week of Jan. So
the next few updates won't be daily ;)

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

Enjoy!

I actually got what looked like BigEvil poison over the holiday!!!
AHAHAHAHAHAHAHAH

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 




Re: [SAtalk] bayes.lock getting killed on a LONG sa-learn run

2003-12-29 Thread Scott Lambert
On Mon, Dec 29, 2003 at 12:20:33PM -0500, Kris Deugau wrote:
> IMHO, kernel-level file locks are far cleaner, but I don't know whether
> you can even do that cleanly with files accessed through DB_File.  :/

Kernel locks don't work so well with NFS shared directories.

-- 
Scott Lambert    KC5MLE    Unix SysAdmin
[EMAIL PROTECTED]  





Re: [SAtalk] Bigevil 2.05m updated + question for devs

2003-12-29 Thread Andrew_Hoying




I get:

Illegal octal digit '8' ignored at /etc/mail/spamassassin/bigevil.cf, rule
BigEvilList_14, line 1.
Illegal octal digit '8' ignored at /etc/mail/spamassassin/bigevil.cf, rule
BigEvilList_14, line 1.

On a lint of this ruleset.

SpamAssassin 2.61 on SuSE 9.0

Andrew Hoying



   
Chris Santerre <[EMAIL PROTECTED]>
Sent by: spamassassin-talk [EMAIL PROTECTED]
12/29/2003 01:12 PM

To: "Spamassassin-Talk (E-mail)" <[EMAIL PROTECTED]>
cc:
Subject: [SAtalk] Bigevil 2.05m updated + question for devs




Greetings I hope everyone had a great holiday. I've updated Bigevil to
version 2.05m. I've been tweaking the rules as I add more. So this update is
actually smaller in size with more evil domains! Yeah!

14 rules tweaked so far. Obviously many more to go. Taking a while as I'm
being VERY careful about which domains I tweak. They are:

BigEvilList_106,BigEvilList_111,BigEvilList_116,
BigEvilList_132,BigEvilList_141,BigEvilList_142,
BigEvilList_154,BigEvilList_163,BigEvilList_173,
BigEvilList_20,BigEvilList_21,BigEvilList_22,
BigEvilList_23,BigEvilList_54

Anywho, I have been checking lots of these against RBLs and many show up in
sorbes and such. Spam didn't come from these places, only images hosted
there. I was wondering if possibly in the future, SA could check the URI
links against RBLs? They all seem to be using the same servers to host now
after they are blacklisted. This way they still get use out of the hosted
boxes. Just a thought.

I've got a HUGE project that needs to get done by the first week of Jan. So
the next few updates won't be daily ;)

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

Enjoy!

I actually got what looked like BigEvil poison over the holiday!!!
AHAHAHAHAHAHAHAH

Chris Santerre
System Admin and SA Custom Rules Emporium keeper
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka




Re: [SAtalk] Bigevil 2.05m updated + question for devs

2003-12-29 Thread Chris Thielen
Chris Santerre said:

> Anywho, I have been checking lots of these against RBLs and many show up in
> sorbes and such. Spam didn't come from these places, only images hosted
> there. I was wondering if possibly in the future, SA could check the URI
> links against RBLs? They all seem to be using the same servers to host now
> after they are blacklisted. This way they still get use out of the hosted
> boxes. Just a thought.

A while back there was a patch posted to SA-Talk that did just that for
Debian's SpamAssassin 2.60 package.  I was running it until I upgraded to
SA 2.61.  It worked quite well although the scores that were included with
the patch were pretty aggressive.

Ref: http://thread.gmane.org/gmane.mail.spam.spamassassin.general/33572

Based on my personal results, I think this would be worthwhile merging
into the official SA distribution.  I wonder if Florian would be willing
to submit a bug report to bugzilla with his patch against 2.70 CVS (cc'ed,
but it looks like his email address may have expired).

--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|[EMAIL PROTECTED]) :
http://www.sandgnat.com/cmos/




Re: [SAtalk] Bigevil 2.05m updated + question for devs

2003-12-29 Thread Florian L. Klein

Hi!

On Mon, Dec 29, 2003 at 02:30:57PM -0600, Chris Thielen wrote:
> Chris Santerre said:
> 
> > I was wondering if possibly in the future, SA could check the URI
> > links against RBLs? They all seem to be using the same servers to host now
> > after they are blacklisted. This way they still get use out of the hosted
> > boxes. Just a thought.
> 
> A while back there was a patch posted to SA-Talk that did just that for
> Debian's SpamAssassin 2.60 package.  I was running it until I upgraded to
> SA 2.61.  It worked quite well although the scores that were included with
> the patch were pretty aggressive.

I made them a bit aggressive for testing and adjusted them from time to
time. That is, for "extreme-blackhat" ISPs like Chinanet as well as
SBL-listed hosts I kept the scores between 3 and 4, but I scored down
"darkhat" ISPs like Verio.

> Based on my personal results, I think this would be worthwhile merging
> into the official SA distribution.  I wonder if Florian would be willing
> to submit a bug report to bugzilla with his patch against 2.70 CVS

Within the next few days I'll need a new patch against 2.60 (on
Debian Sarge) anyway and I can submit it of course. ;-)

Yet it is still very useful to run a DNS server on the same machine, as
the number of DNS queries per email is a bit less than after the initial
patch but still very high.

/.
DocSnyder.





Re: [SAtalk] Relay trusted when it should not be?

2003-12-29 Thread Matt Kettler
At 02:50 PM 12/29/2003, Simon Matthews wrote:
> Your comment made me look into the issue a little more and I see that a
> mail server is listed as "trusted" when I don't think it should be. In the
> email below, the relay on 205.158.62.78 is listed as "trusted" in my logs.
> Surely this is an error? Certainly, this is not a server under my control.

In this context "trusted" means that SA can trust that the message really
passed through that IP address, and that it can't be a forgery. It does not
mean that the server is "trusted" to not send spam.

Since your own server wrote a header declaring it got the message from " 
205.158.62.78" SA trusts the fact the message did in fact come from there 
at some point.

Basically the "trusted" part has to do with things like DNS whitelists.. 
For these tests, SA must only use addresses that it can "trust" the mail 
really went through. Otherwise it'd be easy for a spammer to add a bunch of 
forged Received: headers and have one of them be a bondedsender listed IP 
address, or some other such thing.







Re: [SAtalk] Bigevil 2.05m updated + question for devs

2003-12-29 Thread Bill Landry
Chris, check the "uri BigEvilList_14" line, you have a couple of dots "." in
front of the escape character "\" instead of behind it.  That's what's
causing the "Illegal octal digit" warning when you --lint the new BigEvil.cf
file.

Bill
- Original Message - 
From: "Chris Santerre" <[EMAIL PROTECTED]>
To: "Spamassassin-Talk (E-mail)" <[EMAIL PROTECTED]>
Sent: Monday, December 29, 2003 12:12 PM
Subject: [SAtalk] Bigevil 2.05m updated + question for devs


> Greetings I hope everyone had a great holiday. I've updated Bigevil to
> version 2.05m. I've been tweaking the rules as I add more. So this update is
> actually smaller in size with more evil domains! Yeah!
>
> 14 rules tweaked so far. Obviously many more to go. Taking a while as I'm
> being VERY careful about which domains I tweak. They are:
>
> BigEvilList_106,BigEvilList_111,BigEvilList_116,
> BigEvilList_132,BigEvilList_141,BigEvilList_142,
> BigEvilList_154,BigEvilList_163,BigEvilList_173,
> BigEvilList_20,BigEvilList_21,BigEvilList_22,
> BigEvilList_23,BigEvilList_54
>
> Anywho, I have been checking lots of these against RBLs and many show up in
> sorbes and such. Spam didn't come from these places, only images hosted
> there. I was wondering if possibly in the future, SA could check the URI
> links against RBLs? They all seem to be using the same servers to host now
> after they are blacklisted. This way they still get use out of the hosted
> boxes. Just a thought.
>
> I've got a HUGE project that needs to get done by the first week of Jan. So
> the next few updates won't be daily ;)
>
> http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
>
> Enjoy!
>
> I actually got what looked like BigEvil poison over the holiday!!!
> AHAHAHAHAHAHAHAH
>
> Chris Santerre
> System Admin and SA Custom Rules Emporium keeper
> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
> "A little nonsense now and then, is relished by the wisest men." - Willy
> Wonka

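The typo described in the message above (a dot placed in front of the backslash instead of behind it) can be caught before a ruleset is published. The following is an added example, not part of the thread and not taken from bigevil.cf: a small Python check that scans `uri` rule lines for an unescaped `.` directly followed by a backslash and digits, where the backslash ends up escaping the digits rather than the dot and the dot becomes a wildcard. The rule names, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample rules: names and addresses are placeholders,
# not lines from bigevil.cf.
SAMPLE_CF = r"""
# constructed example ruleset
uri      EXAMPLE_LIST_1  /\b(?:192\.0\.2\.10|198\.51\.100\.7)\b/i
uri      EXAMPLE_LIST_2  /\b(?:198\.51\.100.\18|192\.0\.2\.99)\b/i
describe EXAMPLE_LIST_2  constructed example
score    EXAMPLE_LIST_2  3.0
"""

# "uri NAME /pattern/flags" lines; other rule types are ignored here.
RULE_LINE = re.compile(r"^\s*uri\s+(\S+)\s+/(.*)/([a-z]*)\s*$")


def find_swapped_escapes(pattern):
    """Return (offset, text) for each unescaped '.' followed by '\\<digits>'."""
    hits = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # an escaped character: skip the pair as one token
            continue
        if ch == ".":
            m = re.match(r"\\\d+", pattern[i + 1:])
            if m:
                hits.append((i, "." + m.group(0)))
        i += 1
    return hits


def lint_rules(cf_text):
    """Return (line number, rule name, offset in pattern, offending text)."""
    findings = []
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        m = RULE_LINE.match(line)
        if not m:
            continue
        name, pattern = m.group(1), m.group(2)
        for offset, text in find_swapped_escapes(pattern):
            findings.append((lineno, name, offset, text))
    return findings


def fix_swapped_escapes(pattern):
    """Swap each flagged '.\\' back to '\\.' so the dot is literal again."""
    chars = list(pattern)
    for offset, _ in find_swapped_escapes(pattern):
        chars[offset], chars[offset + 1] = "\\", "."
    return "".join(chars)


def uri_matches(pattern, uri):
    """True if the (corrected) pattern matches the URI, case-insensitively."""
    return re.search(pattern, uri, re.IGNORECASE) is not None


if __name__ == "__main__":
    for lineno, name, offset, text in lint_rules(SAMPLE_CF):
        print(f"line {lineno}: rule {name}: suspicious {text!r} at offset {offset}")
```

Running a check like this alongside `--lint` on the tested copy, and again on the copy that is actually uploaded, covers the case where entries are added after the last test.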

Re: [SAtalk] False positives

2003-12-29 Thread Evan Platt
--On Monday, December 29, 2003 1:53 PM -0600 John Beamon
<[EMAIL PROTECTED]> wrote:

> He's gone, folks.  He had no interest in getting real assistance, and he
> never came back.  

I thought he replied with..

> I did not know spamassassin is home-brew. I thought I was dealing with
> one of dozens of commercial outfits, and whom in my experience respond
> much better to "squeaky wheels" than "pretty please", being their main
> focus is often the bottom line. In my experience, "being a jerk" works
> when dealing with commercial software outfits.

Evan




RE: [SAtalk] Bigevil 2.05m updated + question for devs

2003-12-29 Thread Chris Santerre
Argh!!! Just found it and fixed! Stupid fingers. I tell myself I should
NEVER add more to it after I have tested and ready to update. But more spam
comes in right before I post it. SO I figure adding a few more IPs couldn't
hurt. Stupid typo I had a '.\' instead of a '\.'

I need to listen to myself next time :)

2.50n, sorry. 

--Chris

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 3:23 PM
> To: Chris Santerre
> Cc: Spamassassin-Talk (E-mail);
> [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Bigevil 2.05m updated + question for devs
>
> I get:
>
> Illegal octal digit '8' ignored at /etc/mail/spamassassin/bigevil.cf, rule
> BigEvilList_14, line 1.
> Illegal octal digit '8' ignored at /etc/mail/spamassassin/bigevil.cf, rule
> BigEvilList_14, line 1.
>
> On a lint of this ruleset.
>
> SpamAssassin 2.61 on SuSE 9.0
>
> Andrew Hoying
>
> Chris Santerre <[EMAIL PROTECTED]>
> Sent by: spamassassin-talk [EMAIL PROTECTED]
> 12/29/2003 01:12 PM
>
> To: "Spamassassin-Talk (E-mail)" <[EMAIL PROTECTED]>
> cc:
> Subject: [SAtalk] Bigevil 2.05m updated + question for devs
>
> Greetings I hope everyone had a great holiday. I've updated Bigevil to
> version 2.05m. I've been tweaking the rules as I add more. So this update is
> actually smaller in size with more evil domains! Yeah!
>
> 14 rules tweaked so far. Obviously many more to go. Taking a while as I'm
> being VERY careful about which domains I tweak. They are:
>
> BigEvilList_106,BigEvilList_111,BigEvilList_116,
> BigEvilList_132,BigEvilList_141,BigEvilList_142,
> BigEvilList_154,BigEvilList_163,BigEvilList_173,
> BigEvilList_20,BigEvilList_21,BigEvilList_22,
> BigEvilList_23,BigEvilList_54
>
> Anywho, I have been checking lots of these against RBLs and many show up in
> sorbes and such. Spam didn't come from these places, only images hosted
> there. I was wondering if possibly in the future, SA could check the URI
> links against RBLs? They all seem to be using the same servers to host now
> after they are blacklisted. This way they still get use out of the hosted
> boxes. Just a thought.
>
> I've got a HUGE project that needs to get done by the first week of Jan. So
> the next few updates won't be daily ;)
>
> http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
>
> Enjoy!
>
> I actually got what looked like BigEvil poison over the holiday!!!
> AHAHAHAHAHAHAHAH
>
> Chris Santerre
> System Admin and SA Custom Rules Emporium keeper
> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
> "A little nonsense now and then, is relished by the wisest men." - Willy
> Wonka


RE: [SAtalk] Bigevil 2.05m updated + question for devs

2003-12-29 Thread Chris Santerre
Yeah. I have learned my lesson. Tested > Fresh!

2.50p was posted at 3:50 PM EST. 

> -Original Message-
> From: Bill Landry [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 3:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Bigevil 2.05m updated + question for devs
> 
> 
> Chris, check the "uri BigEvilList_14" line, you have a couple of dots "." in
> front of the escape character "\" instead of behind it.  That's what's
> causing the "Illegal octal digit" warning when you --lint the new BigEvil.cf
> file.
>
> Bill
> - Original Message -
> From: "Chris Santerre" <[EMAIL PROTECTED]>
> To: "Spamassassin-Talk (E-mail)" <[EMAIL PROTECTED]>
> Sent: Monday, December 29, 2003 12:12 PM
> Subject: [SAtalk] Bigevil 2.05m updated + question for devs
>
> > Greetings I hope everyone had a great holiday. I've updated Bigevil to
> > version 2.05m. I've been tweaking the rules as I add more. So this update is
> > actually smaller in size with more evil domains! Yeah!
> >
> > 14 rules tweaked so far. Obviously many more to go. Taking a while as I'm
> > being VERY careful about which domains I tweak. They are:
> >
> > BigEvilList_106,BigEvilList_111,BigEvilList_116,
> > BigEvilList_132,BigEvilList_141,BigEvilList_142,
> > BigEvilList_154,BigEvilList_163,BigEvilList_173,
> > BigEvilList_20,BigEvilList_21,BigEvilList_22,
> > BigEvilList_23,BigEvilList_54
> >
> > Anywho, I have been checking lots of these against RBLs and many show up in
> > sorbes and such. Spam didn't come from these places, only images hosted
> > there. I was wondering if possibly in the future, SA could check the URI
> > links against RBLs? They all seem to be using the same servers to host now
> > after they are blacklisted. This way they still get use out of the hosted
> > boxes. Just a thought.
> >
> > I've got a HUGE project that needs to get done by the first week of Jan. So
> > the next few updates won't be daily ;)
> >
> > http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
> >
> > Enjoy!
> >
> > I actually got what looked like BigEvil poison over the holiday!!!
> > AHAHAHAHAHAHAHAH
> >
> > Chris Santerre
> > System Admin and SA Custom Rules Emporium keeper
> > http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
> > "A little nonsense now and then, is relished by the wisest men." - Willy
> > Wonka


Re: [SAtalk] Bigevil 2.05m updated + question for devs

2003-12-29 Thread David B Funk
On Mon, 29 Dec 2003, Chris Santerre wrote:

> Anywho, I have been checking lots of these against RBLs and many show up in
> sorbes and such. Spam didn't come from these places, only images hosted
> there. I was wondering if possibly in the future, SA could check the URI
> links against RBLs? They all seem to be using the same servers to host now
> after they are blacklisted. This way they still get use out of the hosted
> boxes. Just a thought.

Most RBLs are focused on the sources of SMTP traffic, not so much on
the HTTP side. One spammer trick is to use a DNS server for a web site
that has a short Time-To-Live that rotates thru a whole battery of
addresses of trojaned PCs to relay out their HTTP garbage. Thus the
actual IP address of a spammer URL may not tell you much.

It would probably be more effective to check the "whois" registration
info for a host/domain name to see who owns the name. There are a
modest number (200) of people/organizations that are responsible for
80%~90% of all spam.
(See: http://www.spamhaus.org/rokso/ Registry of known spammers)

See: http://spamlinks.net/research.htm for more info on identifying
spammer spoor. (spamlinks.net is a good general spam info resource)

DNS info can often be used to get clues. A host with a very short TTL
(less than 200 seconds) is usually a strong spam flag. Spammers who buy
bulk blocks of host names will often register them thru the same
hosting service thus the NS records will point to the same provider.

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{




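The two checks discussed in this thread (looking up the addresses behind a message's URI hosts in a DNS blocklist, and flagging hosts whose A records carry a TTL under 200 seconds) can be sketched together. This is an added example, not Florian's patch and not SpamAssassin code: DNS is replaced by injected lookup functions over constructed data so it runs offline, `dnsbl.example` is a placeholder zone, and all function names are assumptions. Hosts and addresses are de-duplicated before lookup because the per-message query count was raised as a cost.

```python
import re
from urllib.parse import urlsplit

URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
TTL_FLOOR = 200  # seconds; the threshold named in the message above

# Constructed message body and DNS data (documentation addresses,
# placeholder host names).
SAMPLE_BODY = """\
<img src="http://images.bulk-host.example/a.gif">
<a href="http://images.bulk-host.example/buy?id=1">click here</a>
More at http://www.example.org/about
"""
SAMPLE_A = {  # host -> [(ip, ttl_seconds)]
    "images.bulk-host.example": [("203.0.113.9", 120)],
    "www.example.org": [("192.0.2.80", 86400)],
}
SAMPLE_LISTED = {"9.113.0.203.dnsbl.example"}  # names the fake zone answers for


def uri_hosts(body):
    """Unique host names from http(s) URIs, in first-seen order."""
    hosts = []
    for uri in URI_RE.findall(body):
        host = urlsplit(uri).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def dnsbl_query_name(ipv4, zone):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone


def check_body(body, resolve_a, is_listed, zone, ttl_floor=TTL_FLOOR):
    """Return ({host: findings}, number of DNS queries that were needed)."""
    report, queries, seen_ips = {}, 0, {}
    for host in uri_hosts(body):
        records = resolve_a(host)  # one A lookup per distinct host
        queries += 1
        listed = []
        for ip, _ttl in records:
            if ip not in seen_ips:  # one blocklist lookup per distinct address
                seen_ips[ip] = is_listed(dnsbl_query_name(ip, zone))
                queries += 1
            if seen_ips[ip]:
                listed.append(ip)
        report[host] = {
            "listed_ips": listed,
            "short_ttl": any(ttl < ttl_floor for _ip, ttl in records),
        }
    return report, queries


def demo():
    """Run the check over the constructed body with the fake DNS data."""
    return check_body(
        SAMPLE_BODY,
        lambda host: SAMPLE_A.get(host, []),
        lambda qname: qname in SAMPLE_LISTED,
        "dnsbl.example",
    )


if __name__ == "__main__":
    print(demo())
```

As the message above points out, a host that rotates through many addresses can make the blocklist result uninformative, which is why the TTL flag is reported separately rather than folded into one verdict.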

[SAtalk] Re: False positives

2003-12-29 Thread Bob George
Evan Platt <[EMAIL PROTECTED]> wrote:
> [...]
> I thought he replied with..
>
>> I did not know spamassassin is home-brew. [...]

I think that was a quote from a personal email to Chris, to which he then Cc:'d
the list in response.

I got almost the exact same reply from a direct email I sent Lenny (Schafer).
Wait, maybe THAT was spam! :)

Sounds like he got annoyed, posted, then left once he understood (more-or-less)
what was going on.

- Bob





Re: [SAtalk] Relay trusted when it should not be?

2003-12-29 Thread Simon Matthews
Matt,

On Mon, 29 Dec 2003, Matt Kettler wrote:

> At 02:50 PM 12/29/2003, Simon Matthews wrote:
> >Your comment made me look into the issue a little more and I see that a 
> >mail server is listed as "trusted" when I don't think it should be. In the 
> >email below, the relay on 205.158.62.78 is listed as "trusted" in my logs. 
> >Surely this is an error? Certainly, this is not a server under my control.
> 
> In this context "trusted" means that SA can trust that the message really 
> passed through that IP address, and that it can't be a forgery. It does not 
> mean that the server is "trusted" to not send spam.
> 
> Since your own server wrote a header declaring it got the message from " 
> 205.158.62.78" SA trusts the fact the message did in fact come from there 
> at some point.
> 
> Basically the "trusted" part has to do with things like DNS whitelists.. 
> For these tests, SA must only use addresses that it can "trust" the mail 
> really went through. Otherwise it'd be easy for a spammer to add a bunch of 
> forged Received: headers and have one of them be a bondedsender listed IP 
> address, or some other such thing.

I think I found the problem. The relay that calls itself
"mail.paxonet.com" is the machine that receives the mail from non-local
servers. Yet, within the LAN (where SA runs), this name resolves to a
192.168. address.  Thus, SA thinks that mail.paxonet.com is actually only
a local relay.

I used the "clear_trusted_networks" before manually setting 
"trusted_networks" and it now seems to work properly. 

Thanks for your help. It showed me what to look for and with this, I was
able to fix the problem.

Simon






[SAtalk] Re: False positives

2003-12-29 Thread Bob George
John Beamon <[EMAIL PROTECTED]> wrote:
> [...] (I particularly like seeing the "* 0.5 -- BODY: Possible porn - Hot,
> Nasty, Wild, Young" rating on a children's autism mailing list...)

Having read through the web page (apparently the email was the SAME HTML
page -- argh!), I do wonder what flagged that particular match.

That said, if you think THAT is fun, you should try running a Section 508
(accessibility) validator against his page. Talk about ADA non-compliance! :)

My take is that Lenny's just a dedicated volunteer devoted to his cause who
forgot that other dedicated volunteers are equally dedicated to theirs. In his
reply to me, he mentioned he's not a web developer, nor particularly technical.
I don't think he's guilty of much more than poor manners and a bit of
self-righteousness.

I can imagine the frustration of a non-technical, legitimate mailing list
owner trying desperately to get (what they deem) important messages out,
without having to become expert in spam-fighting techniques. Those folks are
victims of spam too.

- Bob





Re: [SAtalk] Re: Having trouble coding a local rule

2003-12-29 Thread Simon Byrnand
At 10:44 29/12/2003 +1000, Peter Kiem wrote:
> > Just a guess ... because the "From" address is not
> > "[EMAIL PROTECTED]"?
>
> I thought the from rule worked on the envelope sender of the email and not
> the easily forged from header :(

You mean on the easily forged envelope sender instead of the easily forged
from header ? :)

Envelope sender is just as easily forged as the header from address, both are
provided by the original SMTP sender...

*Everything* on an email is trivially forgeable except for the transit
header added by the *final* mailserver, which includes the ip address of
the server immediately prior to it.

Once you realise this, you can see how whitelisting is easy to fool...(and
why spammers have a field day including bogus headers...)

Regards,
Simon




RE: [SAtalk] Re: False positives

2003-12-29 Thread Jennifer Wheeler


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:spamassassin-[EMAIL PROTECTED] On Behalf Of Bob George
> Sent: Monday, December 29, 2003 4:20 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Re: False positives
>
> John Beamon <[EMAIL PROTECTED]> wrote:
> > [...] (I particularly like seeing the "* 0.5 -- BODY: Possible porn - Hot,
> > Nasty, Wild, Young" rating on a children's autism mailing list...)
>
> Having read through the web page (apparently the email was the SAME HTML
> page -- argh!), I do wonder what flagged that particular match.
>
> That said, if you think THAT is fun, you should try running a Section 508
> (accessibility) validator against his page. Talk about ADA non-compliance! :)
>
> My take is that Lenny's just a dedicated volunteer devoted to his cause who
> forgot that other dedicated volunteers are equally dedicated to theirs. In his
> reply to me, he mentioned he's not a web developer, nor particularly technical.
> I don't think he's guilty of much more than poor manners and a bit of
> self-righteousness.

Yep.  I googled him and he's the father of an autistic child who is very
active in promoting awareness and research.  Easy to see where the
hyperdrive comes from.  Still... mix in a compassion sandwich in other
areas of your life will ya, Len!?  ;)  I know...  not here, quake
server, etc.  :)

Jennifer


>
> I can imagine the frustration of a non-technical, legitimate mailing list
> owner trying desperately to get (what they deem) important messages out,
> without having to become expert in spam-fighting techniques. Those folks are
> victims of spam too.
>
> - Bob





Re: [SAtalk] Rule to block Paris Hilton spam

2003-12-29 Thread Stephane Lentz
Hi again, 

On Mon, Dec 29, 2003 at 01:41:17PM -0600, Chris Thielen wrote:
> Stephane Lentz said:
> > => Thanks for the info. Two samples of such spam are now available at
> > http://milter.free.fr/spam/ (hilton-sample1.txt & hilton-sample2.txt
> > files)
> 
> Stephane,
> 
> I glanced at the spamassassin source just now.  I may be wrong, but it
> appears that the URI tests only matches on attributes of "background",
> "href", "src", "action". The URL in the spam was html text and not a link
> of sorts.  You may consider changing your rule to a BODY rule instead of a
> URI rule.

=> The URI rule works in some cases (no splitting of base64 representation
of the URL).
I think I understand the problem better now after some further tests.
Test messages:
- Content-Transfer-Encoding: base64
- just include http://special-selections.com URL (base64
encoded) as body

The problem is really related to base64 decoding & URI matching.

The rule uri LOCAL_HILTON  /special-selections\.com/ :

- gets triggered if the base64 string (in the body) is on one line:
aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K
- does not match if the base64 string is split across several
lines
aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5
jb20K

or

aHR0cDovL3NwZWNpYWwtc2VsZWN
0aW9ucy5jb20K

Is it a new spammer trick (base64 body with URL base64 representation
split across several lines)?
I guess the work-around is a rawbody rule (right?)
I got no success with a body rule.

> >
> > => Thanks for the link. I will check it out. I was willing to avoid the
> > matching "Paris Hilton" if possible as I live in Paris and some of my
> > colleagues may book some rooms in Hilton hotels (one never knows) 
> 
> I'm not quite sure how to interpret your statement about being "willing to
> avoid the matching ..." so I will explicitly state what the link does.  I
> understand you do not wish to match the unobfuscated paris hilton.  The
> rules generated by the link above will match *ONLY* obfuscated "paris
> hilton".  It will not match "Paris Hilton" or any case permutations such
> as "PARIS hilton".  It *will* match obfuscated versions such as "PAR1S
> H1LTON" (and a couple other permutations).
> 
> Another possible way to attack this is to look for obfuscated paris or
> obfuscated hilton only (removing the quotes will generate 4 rules instead
> of 2).  See: http://sandgnat.com/cmos/cmos.jsp?words=paris+hilton .
> 
> --
=> Thanks for the clarifications. 

regards, 

SL/




RE: [SAtalk] Rule to block Paris Hilton spam

2003-12-29 Thread Chris Santerre
I offer this in UNTESTED form. Testing overnight ;)

Your email viewer will wrap these lines. Should be 3 lines:

rawbody hilton_b64 /(?:aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(?:khl|jxr)|aGV5DQoNCkNvbWUgY2hlY2sgb3V0)/
describe hilton_b64 Base 64 encoded paris hilton spam
score hilton_b64 .01



> -Original Message-
> From: Stephane Lentz [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 29, 2003 5:14 PM
> To: Chris Thielen
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Rule to block Paris Hilton spam
> 
> 
> Hi again,
>
> On Mon, Dec 29, 2003 at 01:41:17PM -0600, Chris Thielen wrote:
> > Stephane Lentz said:
> > > => Thanks for the info. Two samples of such spam are now available at
> > > http://milter.free.fr/spam/ (hilton-sample1.txt & hilton-sample2.txt
> > > files)
> >
> > Stephane,
> >
> > I glanced at the spamassassin source just now.  I may be wrong, but it
> > appears that the URI tests only matches on attributes of "background",
> > "href", "src", "action". The URL in the spam was html text and not a link
> > of sorts.  You may consider changing your rule to a BODY rule instead of a
> > URI rule.
>
> => The URI rule works in some cases (no splitting of base64 representation
> of the URL).
> I think I understand the problem better now after some further tests.
> Test messages:
> - Content-Transfer-Encoding: base64
> - just include http://special-selections.com URL (base64
> encoded) as body
>
> The problem is really related to base64 decoding & URI matching.
>
> The rule uri LOCAL_HILTON  /special-selections\.com/ :
>
> - gets triggered if the base64 string (in the body) is on one line:
> aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K
> - does not match if the base64 string is split across several
> lines
> aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5
> jb20K
>
> or
>
> aHR0cDovL3NwZWNpYWwtc2VsZWN
> 0aW9ucy5jb20K
>
> Is it a new spammer trick (base64 body with URL base64 representation
> split across several lines)?
> I guess the work-around is a rawbody rule (right?)
> I got no success with a body rule.
>
> > >
> > > => Thanks for the link. I will check it out. I was willing to avoid the
> > > matching "Paris Hilton" if possible as I live in Paris and some of my
> > > colleagues may book some rooms in Hilton hotels (one never knows)
> >
> > I'm not quite sure how to interpret your statement about being "willing to
> > avoid the matching ..." so I will explicitly state what the link does.  I
> > understand you do not wish to match the unobfuscated paris hilton.  The
> > rules generated by the link above will match *ONLY* obfuscated "paris
> > hilton".  It will not match "Paris Hilton" or any case permutations such
> > as "PARIS hilton".  It *will* match obfuscated versions such as "PAR1S
> > H1LTON" (and a couple other permutations).
> >
> > Another possible way to attack this is to look for obfuscated paris or
> > obfuscated hilton only (removing the quotes will generate 4 rules instead
> > of 2).  See: http://sandgnat.com/cmos/cmos.jsp?words=paris+hilton .
> >
> > --
> => Thanks for the clarifications.
>
> regards,
>
> SL/
> 
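
Stephane Lentz's three test bodies and the encoded-text rule style Chris Santerre proposes, compared in an added example that is not from the original posts and does not model SpamAssassin's own rule engine. ENCODED_RULE and the "shifted" body are constructed here as assumptions: a pattern over the transmitted base64 breaks on line wrapping and on byte alignment, while decoding the part first and matching the plaintext does not.

```python
import base64
import re
from email import message_from_string

# Pattern from the thread's LOCAL_HILTON rule, applied here to decoded bytes.
DECODED_RULE = re.compile(rb"special-selections\.com")

# Constructed for this example: base64 of "ecial-selections.com" exactly as it
# appears inside the thread's one-line sample, used as an encoded-text pattern.
ENCODED_RULE = re.compile(r"ZWNpYWwtc2VsZWN0aW9ucy5jb20")

# The three bodies quoted in the thread, plus one constructed variant in which
# four extra bytes in front of the URL shift its base64 alignment.
SAMPLES = {
    "one_line": ["aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5jb20K"],
    "split_a": ["aHR0cDovL3NwZWNpYWwtc2VsZWN0aW9ucy5", "jb20K"],
    "split_b": ["aHR0cDovL3NwZWNpYWwtc2VsZWN", "0aW9ucy5jb20K"],
    "shifted": [
        base64.b64encode(b"See http://special-selections.com\n").decode("ascii")
    ],
}


def build_message(body_lines):
    """Wrap base64 body lines in a minimal single-part message (constructed)."""
    raw = (
        "From: sender@example.invalid\n"
        "Subject: constructed test message\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "Content-Transfer-Encoding: base64\n"
        "\n" + "\n".join(body_lines) + "\n"
    )
    return message_from_string(raw)


def encoded_line_hit(msg):
    """Match the encoded-text pattern against each body line as transmitted."""
    return any(ENCODED_RULE.search(line) for line in msg.get_payload().splitlines())


def decoded_hit(msg):
    """Undo the transfer encoding of every leaf part, then match the plaintext."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_payload(decode=True) joins the wrapped lines before decoding.
        data = part.get_payload(decode=True) or b""
        if DECODED_RULE.search(data):
            return True
    return False


def evaluate():
    """Return {sample name: (encoded_line_hit, decoded_hit)}."""
    results = {}
    for name, lines in SAMPLES.items():
        msg = build_message(lines)
        results[name] = (encoded_line_hit(msg), decoded_hit(msg))
    return results


if __name__ == "__main__":
    for name, (enc, dec) in evaluate().items():
        print(f"{name:9s} encoded-pattern={enc!s:5s} decoded-pattern={dec}")
```

Only the one-line body satisfies the encoded-text pattern; all four satisfy the decoded one, so any rule written against base64 text needs one alternative per alignment and still depends on where the sender wraps lines.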




Re: [SAtalk] Re: False positives

2003-12-29 Thread JRiley

> Yep.  I googled him and he's the father of an autistic child who is very
> active in promoting awareness and research.  Easy to see where the
> hyperdrive comes from.  Still... mix in a compassion sandwich in other
> areas of your life will ya, Len!?  ;)  I know...  not here, quake
> server, etc.  :)
>
> Jennifer
>
>
> >
> > I can imagine the frustration of a non-technical, legitimate mailing list
> > owner trying desperately to get (what they deem) important messages out,
> > without having to become expert in spam-fighting techniques. Those folks are
> > victims of spam too.
> >
> > - Bob
> >

While I'm sure most of us can empathize with Len's plight, and understand
his frustration when his 'legitimate' list emails are being blocked by spam
filtration systems doing their jobs and filtering those list emails, I find
it hard to sympathize with someone that claims to be trying to put out
positive information to help autistic children, and spits venom when his
efforts are thwarted by a system that is simply doing its job.
If he truly wanted to correct his problems he would understand that his real
issues are:
a) the physical makeup of his mailing list messages
b) content makeup
c) general understanding of how email and spam systems work
I find it hard to believe someone that puts out an information report as he
suggests he does on something as important as autism, wouldn't first do a
little research into how the system he's berating actually works, and what he
can do to correct it.
And no, spitting venom at a group of users of said system, is not considered
positive research.

JR.






Re: [SAtalk] False Positive, possible bug?

2003-12-29 Thread Matt Kettler
At 12:17 PM 12/28/2003, Simon Matthews wrote:
> Specifically, the RCVD_IN_DYNABLOCK
> check. Note that 192.168.10.250 is a local (within the LAN) relay.

If you're going to use 192.168.*.* networks, add them to your
trusted_networks statement and it should clear things up a bit.
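
Simon Byrnand's point earlier in this thread (only the Received line written by your own server is reliable) and the trusted_networks advice above, combined in an added example that is not from the original posts and is not SpamAssassin's own code. The function name, the bracketed-IP header format and the sample message (documentation addresses plus the LAN relay mentioned above) are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the two upper Received lines were written by our own
# servers; the lowest one arrived with the message and is sender-supplied.
SAMPLE = """\
Received: from relay.lan.example (relay.lan.example [192.168.10.250])
\tby mail.example.net with ESMTP; Mon, 29 Dec 2003 12:00:02 -0600
Received: from mx.bank.example (unknown [203.0.113.77])
\tby relay.lan.example with SMTP; Mon, 29 Dec 2003 12:00:01 -0600
Received: from internal.bank.example (internal.bank.example [198.51.100.5])
\tby mx.bank.example with ESMTP; Mon, 29 Dec 2003 11:59:00 -0600
From: accounts@bank.example
Subject: constructed test message

body
"""

# Assumption: the receiving MTA records the peer address as "[a.b.c.d]".
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def last_external_ip(raw_message, trusted_networks):
    """Return the peer IP recorded at the edge of the trusted relays, or None.

    The newest Received header was written by the final (our own) server, so
    its peer address is reliable. If that peer is itself a trusted relay, the
    header it wrote is reliable too, and so on. The first peer outside the
    trusted networks is the address worth checking against blocklists; every
    header below it is whatever the sender chose to include.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):       # newest hop first
        match = IP_IN_BRACKETS.search(header)
        if not match:
            return None                              # cannot parse: stop here
        try:
            peer = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None                              # e.g. "[999.1.1.1]"
        if not any(peer in net for net in nets):
            return str(peer)
        # Peer is one of ours, so the next header down was written by it.
    return None


if __name__ == "__main__":
    print(last_external_ip(SAMPLE, ["192.168.0.0/16"]))  # edge of the LAN relay
    print(last_external_ip(SAMPLE, []))                  # LAN relay not declared
```

With the LAN range declared the function reports the outside peer that connected to the relay; without it, the private relay address itself is what ends up being evaluated, and the sender-supplied bottom header is never consulted in either case.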





Re: [SAtalk] WhiteLists: manual interaction with AWL

2003-12-29 Thread Matt Kettler
At 05:32 PM 12/29/2003, Shane Wegner wrote:
> The sender address has manually been whitelisted for some
> time and the first message he sent got a score of -100, and
> the score has been falling.  Does anyone know why the
> auto-whitelist would penalise a manually whitelisted
> address by 25 points?


What version are you using? Older versions (ie: 2.4x and maybe 2.5x) would 
consider whitelists when doing averaging. A user with an average of 0 would 
get +50 out of the AWL if a message scoring -100 came in.

Newer versions should do their scoring evaluation without respect for the 
user configured whitelists, but might count def_whitelist_* commands (which 
you should NOT be using anyway).

In general I'd suggest reading the AWL FAQ for an understanding of HOW the
AWL works in the first place, so you can make sense of its behaviors.

http://wiki.spamassassin.org/w/AutoWhitelist

and also read the "wrong way AWL" article

http://wiki.spamassassin.org/w/AwlWrongWay









Re: [SAtalk] Documentation question

2003-12-29 Thread Theo Van Dinter
On Mon, Dec 29, 2003 at 12:09:36PM -0500, Mike Kuentz (2) wrote:
> What version of SA does this web page reference?  
> 
> http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html

apparently 2.70. :(

-- 
Randomly Generated Tagline:
"It is our job to protect the magic smoke ..."  - Prof. Michaelson




Re: [SAtalk] Re: Having trouble coding a local rule

2003-12-29 Thread Peter Kiem
> Once you realise this, you can see how whitelisting is easy to fool...

Which is exactly why I didn't want a whitelisting solution, just a
reduction in spam scoring.

-- 
Regards,
+-+-+
| Peter Kiem.^.   | E-Mail: <[EMAIL PROTECTED]> |
| Zordah IT /V\   | Mobile: +61 0414 724 766|
|   IT Consultancy &  /(   )\ | WWW   : www.zordah.net  |
|   Internet Services  ^^-^^  | ICQ   : "Zordah" 81 |
+-+-+
   My current spamtrap address is [EMAIL PROTECTED]




[SAtalk] sa-learn summary, what does it mean?

2003-12-29 Thread Barton L. Phillips
When I run sa-learn it shows a summary with:
Learned from xx message(s) (yy message(s) examined).
Sometimes the learned xx is less than the examined yy. My question is 
what do these two numbers mean. I took a quick look at the code but it 
is quite circuitous and I was hoping someone just knew the answer.

PS. really enjoyed the FLAME on the "false positives" HA HA.

--

Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com




Re: [SAtalk] sa-learn summary, what does it mean?

2003-12-29 Thread Matt Kettler
At 03:50 PM 12/29/03 -0800, Barton L. Phillips wrote:
> Learned from xx message(s) (yy message(s) examined).
> Sometimes the learned xx is less than the examined yy. My question is what
> do these two numbers mean. I took a quick look at the code but it is quite
> circuitous and I was hoping someone just knew the answer.

Literally what it says... You gave SA YY messages as input, but only xx of
them were learned. If xx is less than yy, some of the messages you tried to
train were ignored.

The ignored input is usually the result of messages that have already been 
learned by the auto learner, or some previous feeding of sa-learn.





[SAtalk] whitelist_from_rcvd question with unresolveable domains

2003-12-29 Thread Mike Batchelor
I need to make some entries in whitelist_from_rcvd. But the only hostnames in
the Received: header that I can trust are not resolvable. Does that
matter?  Is it a simple pattern/string match, or does SA also try to
resolve the hostname?

Like this:

whitelist_from_rcvd [EMAIL PROTECTED] NTDOMAIN.private.dns

Should that work?

---
"The avalanche has already begun. It is too late for the pebbles to vote."
-- Kosh


[SAtalk] el1t3 h@ck0rz dictionary needed..

2003-12-29 Thread Evan Platt
Th1s ju5t 1n...

"We
Do what   V1aqra can.t"http://breadboard.esp ¡£9aln
up t0 3" 1n length 1n Just Weekshttp://accusal.esp .become thlcker and fu1lerhttp://armonk.esp ¡£Mu1tlp1e, m0re explos1ve
0rqasmshttp://actualization.esp .Endless
stay1n9 Powerhttp://bored.esp ¡£Say g0od6ye
T0 premal1ure ejaculat1onhttp://tattoos.esp.b0ost test0sterone leve1shttp://humiliates.esp ¡£increase C0nfidence And
vitalityhttp://potpourri.esp P1ease Vls1t 
our we6 slte HTtp://mIco543.COM/yT4/http://adventure.esp>http://creaming.esp>http://polarograph.esp>evinceadvisementadvancementsadvertises


that made me laugh... :)

Evan




[SAtalk] Annoying false positive & WTF is up with sf.net?

2003-12-29 Thread Jonathan Nichols
I tried to paste in a spam sample, and sourceforge.net rejected it with 
this message:

<[EMAIL PROTECTED]>: host
mail.sourceforge.net[66.35.250.206] said: 550-This message matches a
blacklisted regular expression ([Vv] *[Ii] *[Aa] 550 *[Gg] *[Rr] 
*[Aa]) (in
reply to end of DATA command)

Hrm. Anyway. http://www.pbp.net/~jnichols/samplespam.txt is a sample of 
a false positive that I got over the weekend. I got 5 nearly identical 
emails, all of them slipped through. It even learned it as ham.

Notice that the spammers are now resorting to composing one gigantic 
spelling error in order to get past Bayes. Maybe we should put a spell 
checker into SpamAssassin.. ;) Hey, it would take care of some of these 
types of spams..

-Jonathan





Re: [SAtalk] Re: False positives

2003-12-29 Thread Keith C. Ivey
Bob George <[EMAIL PROTECTED]> wrote:

> John Beamon <[EMAIL PROTECTED]> wrote:
> > [...] (I particularly like seeing the "* 0.5 -- BODY: Possible porn - Hot,
> > Nasty, Wild, Young" rating on a children's autism mailing list...)
> 
> Having read through the web page (apparently the email was the SAME HTML
> page -- argh!), I do wonder what flagged that particular match.

The offending sentence is "We are an online discussion group in 
GA for parents and caregivers of children and young adults with 
disabilities."  Sounds really pornographic, doesn't it?

John Beamon may have found it amusing, but I imagine that 
having his newsletter incorrectly classified as porn was one of 
the things that set the guy off.  The fact that "young adults" 
is recognized as a porn phrase is an actual bug in 
SpamAssassin, and it should be fixed.

I reported it a while back and submitted a suggested patch, but 
nothing seems to have happened:

http://bugzilla.spamassassin.org/show_bug.cgi?id=2619

-- 
Keith C. Ivey <[EMAIL PROTECTED]>
Washington, DC





Re: [SAtalk] Re: False positives

2003-12-29 Thread JRiley
From: "Keith C. Ivey" <[EMAIL PROTECTED]> wrote:

> Bob George <[EMAIL PROTECTED]> wrote:
>
> > John Beamon <[EMAIL PROTECTED]> wrote:
> > > [...] (I particularly like seeing the "* 0.5 -- BODY: Possible porn - Hot,
> > > Nasty, Wild, Young" rating on a children's autism mailing list...)
> >
> > Having read through the web page (apparently the email was the SAME HTML
> > page -- argh!), I do wonder what flagged that particular match.
>
> The offending sentence is "We are an online discussion group in
> GA for parents and caregivers of children and young adults with
> disabilities."  Sounds really pornographic, doesn't it?
>
> John Beamon may have found it amusing, but I imagine that
> having his newsletter incorrectly classified as porn was one of
> the things that set the guy off.  The fact that "young adults"
> is recognized as a porn phrase is an actual bug in
> SpamAssassin, and it should be fixed.
>
> I reported it a while back and submitted a suggested patch, but
> nothing seems to have happened:
>
> http://bugzilla.spamassassin.org/show_bug.cgi?id=2619
>
> -- 
> Keith C. Ivey <[EMAIL PROTECTED]>
> Washington, DC

There are several other hits on this gentleman's specific mailing that would
get it snagged even by the most un-draconian of filters.
The one hit you described was actually on the low side of the scoring for
this message.
And being as such, unfortunate as it is, 'young adults' is a legitimate
phrase to filter on.
-JR
>  Start SpamAssassin results
> 7.10 points, 5.5 required;
> * -0.1 -- Message-Id indicates the message was sent from MS Exchange
> * 0.9 -- BODY: No such thing as a free lunch (3)
> * 0.5 -- BODY: No Fees
> * 0.5 -- BODY: Possible porn - Hot, Nasty, Wild, Young
> * 0.1 -- BODY: HTML link text says "click here"
> * 0.1 -- BODY: HTML font color is red
> * 0.2 -- BODY: FONT Size +2 and up or 3 and up
> * 0.1 -- BODY: HTML font color not within safe 6x6x6 palette
> * 1.5 -- BODY: Message is 20% to 30% HTML
> * 0.1 -- BODY: HTML has "tbody" tag
> * 0.2 -- BODY: JavaScript code
> * 0.1 -- BODY: HTML font color is blue
> * 3.0 -- BODY: Bayesian classifier says spam probability is 99 to 100%
> [score: 0.9988]
> * 0.2 -- BODY: HTML contains unsafe auto-executing code
> * 2.9 -- BODY: HTML has very strong "shouting" markup
> * 0.4 -- URI: Uses %-escapes inside a URL's hostname
> * 0.7 -- URI: Includes a link to a likely spammer email address
> * 0.0 -- Asks you to click below
> * -4.3 -- AWL: Auto-whitelist adjustment
>  End of SpamAssassin results

- Original Message - 
From: "Keith C. Ivey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 29, 2003 11:10 PM
Subject: Re: [SAtalk] Re: False positives


> Bob George <[EMAIL PROTECTED]> wrote:
>
> > John Beamon <[EMAIL PROTECTED]> wrote:
> > > [...] (I particularly like seeing the "* 0.5 -- BODY: Possible porn - Hot,
> > > Nasty, Wild, Young" rating on a children's autism mailing list...)
> >
> > Having read through the web page (apparently the email was the SAME HTML
> > page -- argh!), I do wonder what flagged that particular match.
>
> The offending sentence is "We are an online discussion group in
> GA for parents and caregivers of children and young adults with
> disabilities."  Sounds really pornographic, doesn't it?
>
> John Beamon may have found it amusing, but I imagine that
> having his newsletter incorrectly classified as porn was one of
> the things that set the guy off.  The fact that "young adults"
> is recognized as a porn phrase is an actual bug in
> SpamAssassin, and it should be fixed.
>
> I reported it a while back and submitted a suggested patch, but
> nothing seems to have happened:
>
> http://bugzilla.spamassassin.org/show_bug.cgi?id=2619
>
> -- 
> Keith C. Ivey <[EMAIL PROTECTED]>
> Washington, DC





RE: [SAtalk] Re: False positives

2003-12-29 Thread Gary Funck


> From: JRiley
> Sent: Monday, December 29, 2003 9:43 PM
>
[...]
> >
> > The offending sentence is "We are an online discussion group in
> > GA for parents and caregivers of children and young adults with
> > disabilities."  Sounds really pornographic, doesn't it?
[...]
>
> There are several other hits on this gentleman's specific mailing that would
> get it snagged even by the most un-draconian of filters.
> The one hit you described was actually on the low side of the scoring for
> this message.
> And being as such, unfortunate as it is, 'young adults' is a legitimate
> phrase to filter on.
>

Out of a corpus of 80,000 spam messages collected over the past 5 months
(sigh), I show the following hits on "young adults":

teen and young adult white and Asian women maintain good bone health
Young adults who get mononucleosi=
girls will develop PCOS in young adulthood.  Participants receive
which girls will develop PCOS in young adulthood. Participants receive

This simple grep won't find variously encoded forms for "young adult", but
I did try the base64 forms of "young adult" and "Young adult" and saw zero
hits.

I'm sure whoever came up with that pattern in the first place had a good
reason at the time, but it looks like this phrase occurs rather rarely in
spam, and not in porn context.



