Re: [SAtalk] Newbie

[mikea]

On Fri, Aug 08, 2003 at 09:12:36AM -0400, Jean-Paul Natola wrote:
> Now that i have this info,  is there any kind of Content filter  that is linux 
> based,  if so , 
> 
> can it run on the same box as SA?

SA is a *fine* content filter! It can filter on the headers, of 
course, but also can filter on the body. See "body", "full", and 
"rawbody" in `man Mail::SpamAssassin::Conf`.

My hat's off to the developers!

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Newbie

[mikea]

On Fri, Aug 08, 2003 at 02:35:38PM -0400, Jean-Paul Natola wrote:
> Well here's the scenario, (and no comments from the anti-windoze )
> we have a windows 2000 network

> active directory etc.. I will be deploying an exchange server (free
> for non-profits) a few macs here as well.

> I cannot get a discounted SPAM or FIREWALL we are very tight 
> here.

> My plan is ipcop between the isp and us, SA between IPcop and mail
> server. I am even considering using ISA (again free for non-profits)
> as another line of defense as well.

> all comments thoughts and critiques are welcomed :)

See if you can get someone to donate a junker 486 or Pentium and
a couple of Ethernet NICs. These frequently are available for not
very much at all, and lots of places will let non-profits have 
their discards. It doesn't need to be very fast to move a lot of 
traffic from one NIC to the other, using ipfw or iptables to 
filter packets. 

Install Linux or FreeBSD. These can be obtained free. 

Use this machine as a firewall. Iptables or ipfw will serve you 
well. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] joe-jobs anyone?

[mikea]

On Wed, Aug 20, 2003 at 07:30:23PM -0600, Bob Proulx wrote:
> Erick Calder wrote:
> > I'm getting a bunch of mails from MAILER-DAEMONs around the world
> > complaining mostly that [EMAIL PROTECTED] does not exist.
> > these are generated by dictionary spammers who are using my e-mail address
> > for the reply-to header.
> 
> Are you sure they are spammers?  I am getting hammered myself with
> similar things.  But almost all of the mail I am getting are generated
> by the SOBIG virus.  Perhaps what you are seeing is really the fallout
> of that virus and not truly the work of spammers in this case.
> 
> Interesting how spammers are siblings to viruses.

Siblings perhaps, but more likely they're different aspects of the 
same people.  

I say that because there is an increasingly large, and increasingly
compelling, set of evidence that Sobig.*, just to choose one example,
can be used -- and *IS* being used -- as a spam engine on infected 
machines. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Dealing With Huge Mail Floods/High CPU Loads (was Re: kernel panics and the .spamassassin/bayes_ stuff)

[mikea]

On Sat, Aug 23, 2003 at 10:19:54PM -0700, Kai MacTane wrote:

> Hi. I can't speak to your issue with Bayes file corruption, but I have 
> recently had to deal with huge amounts of mail spiking my CPU. (Admittedly, 
> this isn't hard, since my mail server is a Pentium (that's Pentium I, 
> pre-MMX) at 133 MHz with 64 MB of RAM (and it's also running Apache, MySQL, 
> and a few other things).

> A while back, my DSL was down for 5 days. I *do* have a secondary MX, which 
> promptly tried to deliver 5000 delayed messages. My user delivery is a bit 
> customized, using a couple of extra Perl scripts in addition to spamc/spamd 
> calls. My CPU load was going through the roof as Qmail tried to deliver 
> everything as quickly as possible. kswapd, in particular, was going nuts 
> trying to handle the continual page-swaps.

> I found that dropping my concurrencylocal to 5, or even to 3, helped things 
> immeasurably. The load wavered between 3 and 5, and messages were delivered 
> around one per second.

> I realize your problem is already in the past, but in case you (or anyone 
> else on this list) ever runs into the same problem again, I wanted to 
> advise on this method of dealing with it.

I agree emphatically: keeping a low concurrencylocal means that you
aren't trying to fit ten kilos of stuff into a box that's good for
seven kilos max, as I found out about 3 months ago in essentially
the same circumstances. It may take a while to chew through the input,
but as long as the mail is processed faster than the mean interarrival 
time, you're OK in the long run. 

The idea is to instantiate only as many processes as will fit into
available RAM; swapping is *much* slower than just keeping it all in
RAM, and will come close to reducing your machine to a useless stone.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] filter identifying vaild word as masked

[mikea]

On Wed, Aug 27, 2003 at 11:37:26AM -0500, Robin Witkop-Staub wrote:
> I was trying the following filter found on the suggested script sharing
> page.  For some reason it was tagging emails that had the word "pizza" in
> them.  Why?
> 
> body RAVEN_MaskedWordsF
> /\b(?:excIusive|GiangBiang|sIut|ganigbainged|duides|hairdciore|ExcIude|pIz)/i
 ^^^
> describe RAVEN_MaskedWordsFmasked spam word(s)
> scoreRAVEN_MaskedWordsF10.0

/pIz/i matches "pizza". /pIz/ does not match "pizza". If you want case
sensitivity, then remove the "i" modifier at the end of the pattern.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] problem finding error in filter.cf

[mikea]

On Tue, Sep 02, 2003 at 09:06:33AM -0500, Robin Witkop-Staub wrote:
> I am getting the following error in my maillog but cant determine from the
> error where exactly I should be looking for the error:
> 
> Sep  1 02:10:44 mail spamd[3420]: Failed to compile body SpamAssassin tests,
> skipping: ^I(syntax error at (eval 24) line 298, near "0bscene" syntax error
> at (eval 24) line 303, near "} }" )
> 
> 
> Aug 30 02:11:38 mail spamd[14341]: Failed to compile body SpamAssassin
> tests, skipping: ^I(Global symbol "@se" requires explicit package name at
> (eval 24) line 338,  line 74. syntax error at (eval 24) line 5772,
> near "; }" )

Have you tried 
`spamassassin --lint`
or
`spamassassin -D --lint` 
to check your rules for correct formation?

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Improving SA with real messages

[mikea]

On Tue, Sep 02, 2003 at 02:03:36PM -0600, Karl Larsen wrote:
> 
>   I just got spamd and spamc working with procmail in Red Hat 9 
> Linux. There are still a few spam messages getting through. I'm saving 
> them in a file /home/karl/mail/spam. Is there any way I can help SA do 
> better if I put these messages somewhere else?

sa-learn --showdots --spam --file /home/karl/mail/spam

>- Karl Larsen k5di Las Cruces,NM Az ScQRPions -

Smaller is better, even if I *do* use an R-390 to listen.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964, WN5EGO in 1963


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] osirusoft gone mad?

[mikea]

On Wed, Sep 03, 2003 at 07:11:34PM +0200, Ralf G. R. Bergs wrote:
> Martin Radford schrieb:
> [...]
> >>4) I am new to spamassassin.  What parameter should I use in my 
> >>configuration to cause spamassassin to stop using osirusoft open relay?
> > 
> > See the news article at http://news.spamassassin.org/
> 
> The instructions given there can't work, IMHO, because they're incomplete:
> 
>  >Here are the lines to disable the rules. Add these in a file called
>  >/etc/mail/spamassassin/no-osiru.cf.
> 
> Where does SA know that it is supposed to read this file? I guess you 
> need to either tell SA to read the file or to include the configuration 
> statements to your local.cf.
> 
> Or did I misunderstand something?

It is my understanding that spamassassin reads *everything* in 
this directory as input. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] osirusoft still working?

[mikea]

On Fri, Sep 05, 2003 at 01:25:38PM +0100, Darren Coleman wrote:
> What's exactly the problem with Osirusoft at the moment then?  Have they
> actually "blacklisted the entire Internet" (accidentally?) or is that
> just an overexaggeration?
> 
> Should I be zero'ing all of their tests?

Joe Jared set the Osirusoft DNSbl server(s) to return "127.0.0.2",
which means "it's listed!", to _any_ query. This was not an 
accident, and the effect is that if you're blocking based on 
results from Osirusoft, you'll see no mail. If you're _scoring_
based on Osirusoft, you'll see a hit on the Osirusoft rule(s)
for every mail. 

You _should_ be zeroing all their tests, unless you really want 
false positives. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Can base64 encoded messages learnable by sa-learn?

[mikea]

On Thu, Sep 04, 2003 at 07:10:37PM -0500, Thomas Cameron wrote:

> From: "Matt Tencati" <[EMAIL PROTECTED]>

> > I've been looking into the same situation actually. I haven't
> > gotten far enough to try yet because of different things I've
> > seen. Domino changes the headers around somewhat, especially the
> > X-headers - converting them to X_ headers. I'm not sure if it even
> > keeps them on a forwarded message (since I had a user forward me a
> > false positive and I had no X_SPAM_* headers from SA).

> Yeah, my customer paid a Notes developer to suck out many of the lines of
> the original message and create a text file.  Unfortunately, the only way he
> knows to to get that to the Linux host is to forward it.  Not good.

> > I'm looking into a method to archive (or log) all messages on the
> > Linux box prior to delivery to Domino. Anyone have an easy way
> > to do that either with SA or sendmail? I thought I had seen a
> > document somewhere allowing mail to be delivered to a SPAM or HAM
> > mailbox as well as the original recipients but can't find it now.

If you use MailScanner to drive SpamAssassin, you can have it archive
all or selected messages. We do that here. You can also have it mail
(all or selected) (spam or non-spam or some combination) messages to 
(one or multiple) mailboxes in a form suitable for input to sa-learn.
It's pretty slick, and the only reason I can't use it is that I'm 
stuck with a set of badly-done M$ DNS servers that I have no control 
over. *sigh*

> I have asked him if there's any way to make Notes dump the messages to plain
> text files on the Notes server and then manually copy them to the Linux
> server.  Then run sa-learn --file --spam on them.

If it turns out that there _is_, I'm *EXTREMELY* interested -- because 
every time I fight with Notes/Domino, it wins. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: R: [SAtalk] Website spammer with number

[mikea]

On Tue, Sep 16, 2003 at 01:14:07PM +0200, Andrea Riela wrote:
> Hi
> 
> >  # Domain name starts with number(s)
> <...>
> >  # Domain name ends with number(s)
> <...>
> 
> And domain name with number(s) like:
> Getit4less
> Hotxxxmail4u
> ...??

Be aware that scoring mail-IDs this way may cause false positives, and
*will* score some valid addresses higher.

As an example, you might score mail from my work address higher,
because our twenty-year-old naming scheme uses mail-IDs like
UDSD007, where U indicates the agency, DSD the division, and 007
is sequentially assigned to that division of that agency. When we
formulated the scheme, electronic mail was decidedly uncommon, and
hardly anyone outside academia used TCP/IP.

I've already been caught by SA rules at more than one site because
my mail-ID matches /\w[0-9]{1,}/. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] The Verisign folly

[mikea]

On Tue, Sep 16, 2003 at 07:42:22PM +0100, [EMAIL PROTECTED] wrote:
> 
> > I'm sure ICANN has already gotten an earful. I, for one, and going to
> > leave ICANN alone so that they can concentrate on a course of action
> > against Verisign.
> >
> They have already responded in a letter to VeriSign:
> 
> "To restore the data integrity and predictability of the DNS
> infrastructure, the IAB believes it would be best to return the .com and
> .net TLD servers to the behavior specified by the DNS protocols."
> 
> http://www.iab.org/Documents/icann-vgrs-response.html

That is not, as it happens, a response to the current DNS follies; it 
is a response from January 2003 to an announcement by VeriSign that 
they would be changing the way DNS works with respect to queries that
contain non-ASCII octets. 

: Subject: Re: Request for Advice on VGRS IDN Announcement
: To: "M. Stuart Lynn" <[EMAIL PROTECTED]>
: Cc: Leslie Daigle <[EMAIL PROTECTED]>,
:   Chuck Gomes <[EMAIL PROTECTED]>,
:   Brad Verd <[EMAIL PROTECTED]>,
:   Masanobu Katoh <[EMAIL PROTECTED]>,
:  Steve Crocker <[EMAIL PROTECTED]>,
:  Vint Cerf <[EMAIL PROTECTED]>,
:  Louis Touton <[EMAIL PROTECTED]>,
:  Andrew McLaughlin <[EMAIL PROTECTED]>,
:  [EMAIL PROTECTED]
: Date: Sat, 25 Jan 2003 10:19:37 +1100
: 
: [snip]
: To restore the data integrity and predictability of the DNS
: infrastructure, the IAB believes it would be best to return the .com
: and .net TLD servers to the behavior specified by the DNS protocols.
: VeriSign should, of course, be free to continue to distribute its
: plug-in in other ways, and we hope with them that the deployment of
: IDN-capable systems is as rapid as possible.

Under the circumstances, it is plausible to infer that VeriSign's
failure "to return the .com and .net TLD servers to the behavior
specified by the DNS protocols" is manifest, if not blatant.

I *hope* that ICANN, prompted by the IAB and the IETF in general, will
remove VeriSign's authority to operate the .com and .net TLDs for this
transgression, which totally eclipses the deviation addressed in the 
IAB's letter. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Trying to add my own custom test...

[mikea]

On Thu, Sep 18, 2003 at 09:55:12AM -0700, Mitch (WebCob) wrote:
> What am I missing?
> 
> I tacked this on to the end of 20_head_tests.cf (note key info obscured to
> protect the innocent, but the pattern match works in a test perl script - is
> there another way to test a rule?)
> 
> header MY_CLIENTS X-CustomHeader =~ /^MY PATTERN$/
> describe MY_CLIENTS   Message contains login or user information
> authenticating local user
> score MY_CLIENTS -10.0
> 
> Doesn't seem to run - are all X-headers available for testing? Or do I have
> to add support somewhere else?

Erm ... 

You really ought to leave 20_head_tests.cf unchanged, since it is 
subject to complete replacement when you upgrade or reinstall SA. 

Put it in /etc/mail/spamassassin/.cf, for arbitrary . 

As to the ruleset, something like this might work: 

header ODOT_  ALL =~ /X-CustomHeader:\s*MY_PATTERN$/
or 
header MY_CLIENTS X-CustomHeader =~ /\s^MY_PATTERN$/
or
header MY_CLIENTS X-CustomHeader =~ /\s.*MY_PATTERN$/

Note that even those require your pattern to be the very last thing
on the line. Even one character following it will cause the match
to fail. You might want to allow trailing whitespace, thus:

header MY_CLIENTS X-CustomHeader =~ /\s.*MY_PATTERN\s*$/

unless you can be *sure* that there never will be any. 

I don't see how this: 

header MY_CLIENTS X-CustomHeader =~ /^MY PATTERN$/

would ever work, because you're matching on /^MY PATTERN$/,
which has to start at the beginning of the line, and 
X-CustomHeader should be at the beginning of the line. 

But I may be all wet and talking out my ... hat, let's say.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Spam not

[mikea]

On Mon, Sep 22, 2003 at 12:07:06PM -0400, Alicia Forsythe wrote:
> The following spam is making it through.  When I test this same mail, it
> scores over 20 points.  Why is it still getting through?  
> 
> 
> Return-path: <[EMAIL PROTECTED]>
> Received: from 209.118.212.3
>   ([200.167.37.247])
>   by ns1.mshs.com; Fri, 19 Sep 2003 13:13:40 -0400
> Received: from [161.218.62.177] by 209.118.212.3 id 3CI87rF9OkOj; Fri,
> 19 Sep 2003 20:03:18 +0500
> Message-ID: <[EMAIL PROTECTED]>
> From: "Terrance Schmitz" <[EMAIL PROTECTED]>
> Reply-To: "Terrance Schmitz" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] 
> Subject: Discreet Online Pharmacy! clsc
> Date: Fri, 19 Sep 03 20:03:18 GMT
> X-Mailer: Microsoft Outlook Express 5.00.2615.200
> MIME-Version: 1.0
> Content-Type: multipart/related;
>   type="multipart/alternative";
>   boundary="DAA12_A.6C5F4C170D8D"
> X-Priority: 3
> X-MSMail-Priority: Normal

[snip]

Check your whitelists. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Better logging?

[mikea]

On Tue, Sep 23, 2003 at 09:32:15PM +0200, Jim Knuth wrote:
> Hallo Erik Slooff,
> 
> am Dienstag, 23. September 2003, 20:18:08, schriebst Du:
> 
> >> > You need to pass the logfile name of your mail-daemon, e.g.
> >> > ./spamstats0.4b5.pl /var/log/mail
> >> > I use spamd, and it works.
> >> 
> >> > Markus
> >> 
> >> you have an link for this script? Thank you.
> >> 
> > First hit after googling for spamstats and perl:
> > http://freshmeat.net/projects/spamstats/?topic_id=245
> 
> thank you, but this site is not attainable

Wirklich?

Works fine for me just now. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Dumb question: where to get DB_File

[mikea]

On Wed, Sep 24, 2003 at 12:00:55PM -0500, Chris Barnes wrote:
> I am about to upgrade fro SA2.6 (pre-rc1) to SA2.6 final release.  I see
> in the docs that if I want to continue to use Bayes, I have to install
> DB_File and run "sa-learn --import".
> 
> Ok, doesn't sound too bad.
> 
> But where do I get DB_File?  (RH 8)



More particularly, for Perl 5.0*, 



and other URLs from that set of pages for Perl 5.8.0.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Sendmail error help...

[mikea]

On Thu, Sep 25, 2003 at 12:15:10PM -0400, Matt Chapman wrote:
> sendmail[2427]: h8PG5C9C002427: smtpout.mac.com [17.250.248.97] did not
> issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> 
> This is showing up all the time.  This is me at my .mac account trying
> to send to my domain which is relayed via my
> sendmail/mimedefang/spamassassin config.  Mail works well except for a
> few domains like mac.com, att.com bellsouth.com etc...
> 
> Any ideas.  I have read that this is because the sending server did not
> issue the full command needed???  Is it a sendmail.mc config issue?

Odds are pretty good that your .mac account is connecting to port 25
and then disconnecting without issuing any one of the commands above.
Try doing a telnet to port 25 on your machine, followed by a QUIT. 
I think you'll see exactly the same thing from that connection. 

If you really want to see what's causing the problem, you'll need to
capture the packets from the session with some sort of packet trace.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Forged mail pretending to be from MS

[mikea]

On Tue, Sep 30, 2003 at 10:03:41AM -0400, Jeff Koch wrote:
> 
> Can someone explain what triggers 'FORGED_MUA_OUTLOOK'. We're using 2.55 
> and have seen some cases where for reasons we cannot explain this is 
> getting triggered and with the default scoring of 3.5 legit mails are 
> getting spam filtered.
> 
> One case was some perfectly good emails that had gone through five reply 
> cycles between a client and his customer - both use Outlook. The second 
> occurs on all email being sent to us from one client who uses Roadrunner as 
> their ISP in Tampa.

I also have seen FORGED_MUA_OUTLOOK triggered on perfectly valid mail,
and have had to change the score to zero. I'll try to find the mail in
my archives, but don't expect it will be anytime soon.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] required value met, but spam not flagged

[mikea]

On Wed, Oct 01, 2003 at 08:55:08AM -0700, John Schneider wrote:
> I have been working too much lately, so my eyes might be a little
> crossed But, the following message seems to have met the required value
> for spam, but was not flagged:
> 
> Received: from supply.erhouse.com ([211.217.250.70])
>  by server.com (8.12.8/8.11.6) with ESMTP id h91FMGUx066014
>  for <[EMAIL PROTECTED]>; Wed, 1 Oct 2003 08:22:29 -0700 (PDT)
>  (envelope-from [EMAIL PROTECTED])
> Received: from beloit ([211.158.44.35]) by supply.erhouse.com with Microsoft
> SMTPSVC(5.0.2195.6713);
>   Thu, 2 Oct 2003 00:18:39 +0900
> Date: Wed, 1 Oct 2003 15:16:31 GMT
> From: "Steven Hirsch"<[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: confirmation 
> Mime-Version: 1.0
> Content-Type: text/html; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Message-ID: <[EMAIL PROTECTED]>
> X-OriginalArrivalTime: 01 Oct 2003 15:18:39.0992 (UTC)
> FILETIME=[4B044F80:01C3882F]
> X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on 
>  server.com
> X-Spam-Level: ***
> X-Spam-Status: No, hits=8.0 required=8.0 tests=BAYES_90,FORGED_HOTMAIL_RCVD,
>  HTML_FONT_INVISIBLE,HTML_IMAGE_ONLY_02,HTML_MESSAGE,MIME_HTML_ONLY,
>  MY_DOMAIN_ENDS_NUMS,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SBL autolearn=no 
>  version=2.60
> 
> Can anyone offer any insight I might have missed with my low-levels of
> sleep? 

Whitelisted? 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] spamd and -a option in 2.60?

[mikea]

On Mon, Oct 06, 2003 at 03:30:17PM -0400, Rob Mangiafico wrote:

> Actually, when I type "spamd --help" from the command line with our newly 
> installed 2.60 software, I get:
> ---
> Insecure directory in $ENV{PATH} while running with -T switch at 
> /usr/lib/perl5/5.6.0/Cwd.pm line 85.

Perhaps you should investigate the permissions of the directories in
the PATH environment variable? Is one of them group- or world-writable
when it shouldn't be?

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Hangs with 2.55 after forged_rcvd_trail (spamd)

[mikea]

On Mon, Oct 06, 2003 at 09:56:37PM +0200, Alexander Newald wrote:
> Hello,
> 
> I have hangs for about 20-30 sec. after the fullowing lines are displayed
> (debug mode) using spamd:
> 
> debug: forged_rcvd_trail: entry 1: by=sourceforge.net from=sourceforge.net
> mismatches=0
> debug: forged_rcvd_trail: entry 2: by=sourceforge.net from=sourceforge.net
> mismatches=0
> debug: forged_rcvd_trail: entry 3: by=sourceforge.net from=yahoo.com
> mismatches=0
> 
> The problem seems not to be bound to these domain names.
> 
> I'm using spamd (started with /usr/bin/spamd -u
> vhost -x --virtual-config-dir=/var/spool/mail/vhost/.spamassassin/\%u -a -c 
> -H /var/spool/mail/vhost/.spamassassin/ -m 10 -d)
> 
> I can't find any error in sorting spam and none spam and the overall mail
> prozessing seems to work fine - except the hang.
> 
> Any hints?

The 30 seconds is about right for a DNSbl timeout. Look in your mail
log for indications that something is timing out; check the config
file(s) to be sure you aren't querying any dead DNSbl servers.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Is there a way to reject a message before it arrives?

[mikea]

On Thu, Oct 09, 2003 at 11:56:29AM -0300, Fabiano Bonin wrote:
> I am using SpamAssassin sice yesterday and i put it in production today,
> site wide.
> It's amazing.
> It's filtering 95% on my daily messages, and all blocked messages are
> really spams.
> 
> BUT, in my particular point of view, spam generates 2 big problems:
> 
> 1 - Lots of crap in our mailboxes
> 2 - Lots of internet traffic
> 
> Today, SpamAssassin is solving problem number 1 greatly, but problem
> number 2 is unsolved, since i will continue to receive all this crap all
> day (i just will not see it), and the internet traffix will continue
> suffering.
> 
> If there was a way to reject the spam in the mail server (returning the
> rejection to the sender), maybe the spammers will remove our addresses
> from its lists, and the traffic will decrease.
> 
> Is this step possible? If yes, where can i find more documentation?

The RFC does permit a REJECT (or equivalent) in the DATA phase of the
SMTP session, IIRC. That lets you kill the session as soon as the 
filter (probably a milter, to be able to do this) sees something that
matches some rejection criterion. Getting the sender's machine to 
stop sending, just because you send it a REJECT, may be harder. Lots
of spam-senders are b0rk3n and don't fully implement SMTP session
controls. If you can get your mailer to actually send a packet with
the RESET bit set, that could help. 

Of course, I probably am wrong about part, and possibly all, of this.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] funky subject

[mikea]

On Thu, Oct 09, 2003 at 08:47:50AM -0600, Eric wrote:
> anyone see a problem with this rule
> header funky subject =~ /[A-Za-z][0-9][A-Za-z]
> for catching subjects like g00d dTbt c0ns0lidati0n pr0graAm
> 
> so far its caught only spam but I noticed one spam had an ID number that
> could possibly be an issue if a company uses
> mixed alphanumerics in its quotes or support issue numbering in a subject.
> any comments?

I think I wouldn't use it by itself with a high score, but I'd 
certainly use it as part of a set of meta-rules. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Not identifying spam

[mikea]

On Fri, Oct 10, 2003 at 03:54:42PM +0200, [EMAIL PROTECTED] wrote:
> Hi
> I have some mail in my mailbox that I think is SPAM but spamassassin does
> not.
> All mail look almost the same, there is some text and two urls and some
> junk at the bottom and all mail ends with Thanks, bye
> Is there a way to stop this? some mail get SA points as low as below 3.
> 
> This sample gets X-Spam-Status: No, hits=3.6 tagged_above=3.0 required=6.0
> tests=HTML_40_50,
>  HTML_MESSAGE, HTTP_USERNAME_USED, MIME_LONG_LINE_QP, USERPASS

Do you have Bayesian filtering enabled? Have you run sa-learn to tell
the Bayesian filter routines that this is spam? 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] bad day

[mikea]

On Mon, Oct 13, 2003 at 10:24:27AM -0400, Scott Blomquist wrote:
> 
> 
> Simon Byrnand wrote:
> 
> >>We run around 50%. And that's by count. With the MS worms flying in we
> >>have noticably more spam by volume than real mail.
> > 
> > 
> > Our current stats are 57% Spam, 43% ham. And thats not counting viruses,
> > which get blocked before spamassassin even runs.
> > 
> > Kinda makes you wonder where the world is heading when more email is junk
> > than legitimate :/
> > 
> > Regards,
> > Simon
> 
> Here are the stats from my last several weeks:
> Week ending   13-Sep  20-Sep  27-Sep  4-Oct   11-Oct
> Clean 61116099565861755490
> Spam  798276268432947710555
>   
> Total 14093   13725   14090   15652   16045
>   
> Pct Clean 43% 44% 40% 39% 34%
> Pct SPAM  57% 56% 60% 61% 66%
> 
> It is getting progressively worse.

Here are some Fridays. Ignore the "rejected by ruleset" column;
I added a bunch of rules to it Oct 9. The "total mails undelivered" 
column tells the tale -- the more so, now that the virus count column
is negligible. 

 Mails   spamassassin   rejected  scanner   total mails
 Total   says 'spam'by rulesetsays virusundelivered
 Oct  10  5534  1221 (22.06%)  952 (17.20%)   47 ( 0.85%)  2220 (40.12%)
 Oct   3  6007  1930 (32.13%)  309 ( 5.14%)   56 ( 0.93%)  2295 (38.21%)
 Sep  26  6214  2109 (33.94%)  304 ( 4.89%)   75 ( 1.21%)  2488 (40.04%)
 Sep  19  6373  1966 (30.85%)  373 ( 5.85%)  158 ( 2.48%)  2497 (39.18%)
 Sep  12  5478  1760 (32.13%)  333 ( 6.08%)   13 ( 0.24%)  2106 (38.44%)
 Sep   5    1450 (26.10%)  447 ( 8.05%)  363 ( 6.53%)  2260 (40.68%)

The "undelivered" fraction appears to be roughly constant over the 6
Fridays in this sample, but it has been rising over the past several
months.

Those not familiar with the story of "Nadine" should have a careful 
look at Michael Rathbun's site 
 
or one of its mirrors for a tale of Things Gone Horribly Wrong. 

Another of his sites, ,
shows spam rates there over the past 30+ months, and should 
prove both instructing and horrifying. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Consonant and Vowel Pairs or Sequences

[mikea]

On Mon, Oct 13, 2003 at 04:02:05PM -0400, Larry Gilson wrote:
> Does anyone know of a list of either:
> 1) existing/allowed consonant/vowel pairs or sequences
> 2) non-existing/not-allowed consonant/vowel pairs or sequences
> 
> For the English language preferably.

I'd google on "English digraph frequency"; I did it, and got lots 
of hits, some of which look pretty promising. 

-- 
Mike Andrews, cryptanalyst
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Automatic Unsubscribe

[mikea]

On Tue, Oct 14, 2003 at 08:28:24AM -0500, Leon Oosterwijk wrote:
> All, 
> 
> I would like some feedback from you all on the following idea. What if
> spamassassin followed unsubscribe links for all emails that came through
> it's filter for emails that are obviously spam. This way people would
> automatically get unsubbed from some of these lists. 

And a fair number would note the address as "live and read", and 
sell it at an increased price over just a "doesn't bounce" address.

Bad idea. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Fan Mail!!! LOL We shut one down!

[mikea]

On Tue, Oct 14, 2003 at 08:33:03AM -0700, Patrick Morris wrote:
> I got one of these, too, last night, from a machine at a Korean ISP, and 
> I've been trying to figure what I did.
> 
> Somehow I feel less special now. :)
> 
> Chris Santerre wrote:
> 
> >Did anyone else get a nasty email this morning? I did! This weekend ROCKED for my 
> >SA config. Jennifer, if you were here I'd kiss you and the deaf cat ;) Your rules 
> >bring a huge smile to my logs! Now check out this fan mail:

Lots of people on other lists got them, too. Mostly spamfighters, but
not all. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] reporting the spam 'hosts"

[mikea]

On Tue, Oct 14, 2003 at 03:25:14PM -0500, David B Funk wrote:

> 2) Virus/worm hijacked PCs. We're seeing lots of PCs on cable modems
>   that have "remote control" trojan/worms on them that are being
>   used by spammers as open proxies (for both SMTP & HTTP).
>   So you may be able to get a few of these shut down but
>   there are thousands of them.

> Sigh.

One estimate from a quite knowledgable, reasonable, and conservative
source puts the number at over 450,000. I suspect even that is low. 

*SIGH* indeed. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Sendmail STMP & NDR

[mikea]

On Mon, Oct 20, 2003 at 02:01:49PM -0500, Mike Carlson wrote:
> This is a bit OT, but I figured I could get an answer here.
>  
> We are having a problem with our backend server filling up the root mailbox
> with NDRs of users that are no longer with the company and I am trying to get
> my brain wrapped around the whole SMTP process.
>  
> When sendmail relays a messages to our backend server (Lotus Notes), does the
> server queue it up, then spit back an NDR to the from address of the original
> email, or is the NDR error send back during the SMTP transaction?
>  
> I thought that when the front end server relays it back to the back end the
> server the backend server accepts it, then determines if the user if valid
> and if the server is supposed to accept email for that user and then sends an
> NDR back to the originating sender or is it different for each type of mail
> server?
>  
> The problem that we are running into is that all the NDRs and errors fill up
> roots (Postmaster) mailbox and the /var/ runs out of space and then we have
> issues with sendmail. I changed the alias for postmaster to another external
> address in hopes of eliviating the problem until we can get it figured out.
>  
> Any ideas would be appreciated.

I run a similar, if not identical config: 

inbound mail -> firewall SMTP proxy -> MailScanner -> Lotus Notes. 

Are the NDRs and errors filling up the root mailbox on the MailScanner
box, or on the outbound SMTP proxy, or somewhere else? 

Here's what I get, in all its refulgent and resplendent glory, when I 
send mail from outside to a nonexistant address at work.

In my case, the NDN was generated by Notes, and went directly from
Notes to the outbound SMTP proxy in the firewall. I intentionally left
all the headers in, so that you could see the inbound and outbound
SMTP paths, and that they are different.

: From MAILER-DAEMON  Mon Oct 20 14:22:19 2003
: Received: from odot.okladot.state.ok.us (odot.okladot.state.ok.us [192.149.244.9])
:   by mikea.ath.cx (8.12.3/8.12.3) with ESMTP id h9KJMJPt096044
:   for <[EMAIL PROTECTED]>; Mon, 20 Oct 2003 14:22:19 -0500 (CDT)
: Received: from notes9c.okladot.state.ok.us (notes9a.okladot.state.ok.us 
[10.36.36.31])
:   by odot.okladot.state.ok.us (AIX4.3/8.9.3/8.9.2) with ESMTP id OAA35464
:   for <[EMAIL PROTECTED]>; Mon, 20 Oct 2003 14:22:44 -0500
: Date: Mon, 20 Oct 2003 14:21:19 -0500
: From: [EMAIL PROTECTED]
: To: mikea <[EMAIL PROTECTED]>
: Subject: DELIVERY FAILURE: User doesnotexistanywhereinthisdomain ([EMAIL PROTECTED]) 
not
:  listed in public Name & Address Book
: Message-ID: <[EMAIL PROTECTED]>
: References: <[EMAIL PROTECTED]>
: Mime-Version: 1.0
: User-Agent: Mutt/1.2.5.1i
: X-ODOT-MailScanner-Information: Please contact the Help Desk for more information
: X-ODOT-MailScanner: This E-mail appears to be clean
: X-ODOT-MailScanner-SpamCheck: not spam, spamassassin (score=-32.3,
:   required 5, BAYES_01 -6.60, EMAIL_ATTRIBUTION -6.50, IN_REP_TO -3.20,
:   QUOTED_EMAIL_TEXT -3.20, REPLY_WITH_QUOTES -6.50,
:   USER_AGENT_MUTT -6.30)
: X-MIMETrack: Itemize by SMTP Server on Notes9c/ODOT(Release 5.0.12  |February 13, 
2003) at
:  10/20/2003 02:23:06 PM,
:   Serialize by Router on Notes9c/ODOT(Release 5.0.12  |February 13, 2003) at
:  10/20/2003 02:23:06 PM,
:   Serialize complete at 10/20/2003 02:23:06 PM
: Content-Type: multipart/report; report-type=delivery-status; 
boundary="==IFJRGLKFGIR14200UHRUHIHD"
: Status: RO
: Content-Length: 5072
: Lines: 118
: 
: --==IFJRGLKFGIR14200UHRUHIHD
: Content-Type: text/plain; charset=us-ascii
: Content-Transfer-Encoding: 7bit
: 
: Your message
: 
:   Subject: Re: [SAtalk] Sendmail STMP & NDR
: 
: was not delivered to:
: 
:   [EMAIL PROTECTED]
: 
: because:
: 
:   User doesnotexistanywhereinthisdomain ([EMAIL PROTECTED]) not listed in public 
Name & Address Book
: 
: 
: --==IFJRGLKFGIR14200UHRUHIHD
: Content-Type: message/delivery-status
: 
: Reporting-MTA: dns;notes9c.okladot.state.ok.us
: 
: Final-Recipient: rfc822;[EMAIL PROTECTED]
: Action: failed
: Status: 5.1.1
: Diagnostic-Code: X-Notes; User doesnotexistanywhereinthisdomain ([EMAIL PROTECTED]) 
not listed in public Name & Address Book
: 
: --==IFJRGLKFGIR14200UHRUHIHD
: Content-Type: message/rfc822
: 
: Received: from isdmon2.okladot.state.ok.us ([10.36.36.54])
:   by notes9c.okladot.state.ok.us (Lotus Domino Release 5.0.12)
:   with ESMTP id 2003102014230607:6615 ;
:   Mon, 20 Oct 2003 14:23:06 -0500 
: Received: from odot.okladot.state.ok.us (odot [192.149.244.18])
:   by isdmon2.okladot.state.ok.us (8.12.6/8.12.6) with ESMTP id h9KJLPDX087133
:   for <[EMAIL PROTECTED]>; Mon, 20 Oct 2003 14:21:25 -0500 (CDT)
:   (envelope-from [EMAIL PROTECTED])
: Received: from mikea.ath.cx (wsip-68-15-203-64.ok.ok.cox.net [68.15.203.6

Re: [SAtalk] perhaps more of a mailscanner question?

[mikea]

On Fri, Oct 24, 2003 at 09:43:12AM -0700, ian douglas wrote:
> Right now I have MailScanner configured to delete high scoring spam so it
> doesn't end up in my user's mailbox, but what about the 'bounce' option?
> 
> I'd *really* like to find a way to spoof a 550 error or a 'user unknown' error
> that bounces back, just in case the people on the other end ARE cleaning their
> lists. I know, I know, a long shot, I still get Email for non-existant Email
> addresses, and starting now to get Email to truncated Email accounts ... I used
> to have [EMAIL PROTECTED] and [EMAIL PROTECTED] as addresses and now I'm getting spam
> at "[EMAIL PROTECTED]" and "[EMAIL PROTECTED]" /shrug
> 
> Anyhow know a good way to spoof an error message like that? Open to any
> suggestions ;o)

So where's it going to bounce back to? 

The faked envelope address? 

The faked "From:" address? 

The faked "Reply-To:" address? 

The faked "Errors-To:" address?

Somewhere else (Specify:__)?

It's A Bad Idea. A _REALLY_ Bad Idea. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] [RD] Trojaned machines

[mikea]

On Thu, Oct 23, 2003 at 10:41:25AM -0400, Chris Santerre wrote:

> Why are some URI rules written normally like this:
> uri name /regex/ 
> and others:
> uri name m{regex}
> uri name [EMAIL PROTECTED]@

> What is up with the m's?

They're equivalent. Have a look in, f'rex, _Programming Perl_
or _Perl in a Nutshell_, both from O'Reilly. 

THe "m" is superfluous, but it's the "match" operator. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Broken Rule

[mikea]

On Wed, Oct 29, 2003 at 11:36:59AM -0500, Tobin wrote:
> Hello,
> 
> I was wondering if anyone could help me fix a broken rule. Im getting a
> error 
> 
> "Failed to compile body spamassassin tests, skipping:
> (syntax error at /ect/mail/spamassassin/local.cf, rule Porn, line 1,
> near "/)
> 
> and
> 
> "Failed to compile body spamassassin tests, skipping:
> (syntax error at /ect/mail/spamassassin/20_compensate.cf,
> rule_ORIG_MESSAGE_LINE, line 106, near ";
> 
> I have tried replacing the rules, reading old post but I can come to a
> conclusion. Any help would be greatly appreciated. 

It would help immensely if you posted the ruleset. Possibly the 
ruleset before and after it wold be good, too, in case something
in one of them is b0rk3n but isn't showing up for some reason.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] SA-LEARN Actually Crashes System!

[mikea]

On Wed, Oct 29, 2003 at 11:58:35AM -0800, Justin Mason wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> Bill Polhemus writes:
> > I am running SA 2.60 installed from the RPMs on Red Hat 9, on an AMD 2100+
> > based system with a half-gig of RAM.
> 
> Could you post the output of "rpm -qa"?  And you're not using any
> hand-compiled components, it's all RPMs, right?
> 
> BTW I'm running SpamAssassin 2.60 on a Red Hat 9 machine with an AMD
> 2100+ as well.  Only 256 megs of RAM here though ;)
> 
> > Even worse, it makes hash out of the filesystems, and it takes several hard
> > resets before I get rid of the "kernel panic" messages!
> 
> !!! That's serious.
> 
> Several hard resets being required, could be a sign that either (a) the
> filesystems are *seriously* corrupt, or (b) there's some bad hardware --
> typically RAM in my experience.
> 
> No user-level software like SpamAssassin can screw something up so badly
> that several hard resets are required to fix it -- that's kernel-level
> breakage ;)
> 
> It could be that "sa-learn" is somehow imposing more load than the machine
> usually gets.

And, speaking as someone who has fought hardware to a draw LotsAndLots
of times, and won a few matches, I think it might be worth your while
to see if the processor is being cooled properly. I have, in the past,
seen machines (including some of mine and some at work) die of heat
overload while doing a "make -j 8 buildworld" in FreeBSD. 

Multiple threads can cause the CPU to run really busy, which means
that it gets _really_ _hot_, and if the fan isn't quite doing the
job, or the cooling vents are clogged with dust (or, in one case, cat
hair), Things Just Stop Dead.

The multiple resets could very well correspond to the time the CPU 
requires to cool down to normal operating temperature again.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Significant increase in spam lately

[mikea]

On Thu, Oct 30, 2003 at 01:01:49PM -0500, Colin A. Bartlett wrote:
> Chris Santerre Sent: Thursday, October 30, 2003 12:01 PM
> 
> > My ratio has been about the same. ~55% average spam.
> 
> My SA server, which is used by my own company and another small ISP, is
> currently receiving about 75% SPAM. And, yes, I too have noticed (casually)
> a marked increase in spam in the last six weeks.

I guess we're really lucky, here at WeBuildHighways: 

 Mails   spamassassin   rejected  scanner   total mails
 Total   says 'spam'by rulesetsays virusundelivered
 Oct  29  6833  2060 (30.15%)  748 (10.95%)   33 ( 0.48%)  2841 (41.58%)
 Oct  28  6747  1775 (26.31%)  774 (11.47%)   23 ( 0.34%)  2572 (38.12%)
 Oct  27  6642  1876 (28.24%)  651 ( 9.80%)   51 ( 0.77%)  2578 (38.81%)
 Oct  26  2392   921 (38.50%)  358 (14.97%)   22 ( 0.92%)  1301 (54.39%)
 Oct  25  2685  1196 (44.54%)  410 (15.27%)   28 ( 1.04%)  1634 (60.86%)
 Oct  24  5814  1502 (25.83%)  688 (11.83%)9 ( 0.15%)  2199 (37.82%)
 Oct  23  6757  1744 (25.81%)  663 ( 9.81%)   32 ( 0.47%)  2439 (36.10%)
 Oct  22  6199  1625 (26.21%)  792 (12.78%)   52 ( 0.84%)  2469 (39.83%)

Compare with 

 Sep   9  6605  1785 (27.02%)  411 ( 6.22%)  439 ( 6.65%)  2635 (39.89%)
 Sep   8  7100  1551 (21.85%)  456 ( 6.42%) 1017 (14.32%)  3024 (42.59%)
 Sep   7  2734  1053 (38.51%)  181 ( 6.62%)  390 (14.26%)  1624 (59.40%)
 Sep   6  2764  1144 (41.39%)  196 ( 7.09%)  303 (10.96%)  1643 (59.44%)
 Sep   5    1450 (26.10%)  447 ( 8.05%)  363 ( 6.53%)  2260 (40.68%)
 Sep   4  6629  1815 (27.38%)  499 ( 7.53%)  412 ( 6.22%)  2726 (41.12%)
 Sep   3  6194  1543 (24.91%)  471 ( 7.60%)  651 (10.51%)  2665 (43.03%)
 Sep   2  6910  1400 (20.26%)  427 ( 6.18%)  703 (10.17%)  2530 (36.61%

Looks pretty much the same, or maybe a _little_ heavier. Weekends are 
lighter, of course, because we do almost no business then. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] stats script

[mikea]

I have, from time to time, published stats generated by my 
mailstats2.pl Perl script. Pretty much every time I get
mail remarking on how pretty the output is and asking for
a copy. 

Since I can't put it up on the corporate webserver at work,
I'll offer to post it if:
1)   Anyone is interested, and 
2)   Nobody objects. 

It's 181 lines of not-particularly-pretty Perl, about half of which
is comments and whitespace. 

I'm asking in advance, since it's not *directly* SA-related, and
I didn't want to start a flurry of program-posting that'd wind me
up in lots of killfiles or get people complaining to my ISP.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] stats script, by (fairly) popular demand

['mikea']

There are probably some adjustments to be made. 

Use at your own risk. Enjoy. 

If you improve on it, please make the improvements available 
to the list. 

Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 

#!/usr/bin/perl
#
#   program to produce total mail item / spam (%) / discarded (%) / cleaned
#   stats for each of a set of /var/log/maillog*gz files and for the set
#   as a whole.

#   Uses strings inserted into maillog files by MailScanner and SpamAssassin
#   to determine number of messages that are spam (SpamAssassin) the number
#   of dangerous attachments (MailScanner) that were cleaned. Also notes number 
#   of messages discarded (sendmail).

#   Computes percentages and totals for each maillog*gz file read, and over 
#   all maillog*gz files read.

#   total is the number of matches to /from=/
#   spam is the number of matches to /is spam/
#   discarded is the numnber of matches to /ruleset=/
#   cleaned is the number of matches to /Cleaned/

#   Reads directory "/var/log" and only selects files
#   that match /maillog*.gz/

#   22Aug2003 added support for output of ClamAV antivirus/worm scanner
#   use / FOUND\s$/ as pattern to match it. 
#   

#   We'd like to put out *this* report: 
#   
#  Mails  spamassassin   rejected scanner  total mails
#  Total  says "spam"by ruleset   says virus   undelivered  .
#   Aug 18  5033  1076 (21.38%)  297 (5.90%)0 (0.00%)  1373 (27.28%)
#   Aug 19  6777  1459 (21.53%)  399 (5.89%)0 (0.00%)  1858 (27.42%)
#   Aug 20  7765  1630 (20.99%)  479 (6.17%)  175 (2.25%)  2284 (29.41%)
#   Aug 21  6555  1310 (19.98%)  476 (7.26%)  759(11.58%)  2545 (38.83%)
#   Aug 22  5342  1189 (22.26%)  416 (7.79%)  431 (8.07%)  2036 (38.11%)
#   Aug 23  2515  1226 (48.75%)  233 (9.26%)  134 (5.33%)  1593 (63.34%)
#   Aug 24  2359   995 (42.18%)  166 (7.04%)  211 (8.94%)  1372 (58.16%)
#   Aug 25  5580  1156 (20.72%)  444 (7.96%)  636(11.40%)  2236 (40.07%)

use IO::File;
use POSIX qw(tmpnam);
use FileHandle;

my $path = "/var/log";

#   formats for static headers

format HEADER0 = 
Mail Statistics; 
Produced by isdmon2:/home/mikea/bin/mailstats.pl; Run by isdmon2:/etc/crontab
.

format HEADER1 = 
 Mails   spamassassin   rejected  scanner   total mails
.
format HEADER2 = 
 Total   says 'spam'by rulesetsays virusundelivered
.

STDOUT->format_name("HEADER0");
write STDOUT;
STDOUT->format_name("HEADER1");
write STDOUT;
STDOUT->format_name("HEADER2");
write STDOUT;

# print "Mail Statistics;\n Produced by isdmon2:/home/mikea/bin/mailstats.pl;\n Run by 
isdmon2:/etc/crontab \n\n\n";

opendir (DIR,$path) or die "opendir failed for $path: $! \n";

@files = readdir(DIR);

@files = grep  /^maillog/ , @files;

@files = grep  /\.gz$/ , @files ;

@files = sort @files;

# total,spam,ruleset, cleaned, undelivered
my $tt = 0; $st = 0; $dt = 0; $ct = 0; $ut = 0; #totals

#  grand total percentages: 
#  %spam %ruleset  %undelivered
my $stp ; my $dtp ; my $utp ;

$numfiles = @files;

for ( $fileno =0; $fileno < $numfiles; $fileno++)
{

#   straight from the Perl Cookbook, 
#   section 7.5 Creating Temporary Files

#   Try new temporary filenames until we get one that
#   doesn't already exist

do  { $name = tmpnam() }
until $FH = IO::File->new($name, O_RDWR|O_CREAT|O_EXCL);

$filename = "$path/"[EMAIL PROTECTED];

system "zcat $filename > $name";
open (FH, "$name");
@wholefile = ;

#   print "$wholefile[0] \n";

#   grab the date and time (items 1 and 2)
#   from the first line of the log, which is $wholefile[0])

($mo, $da, $junk) = split ' ', $wholefile[0], 3;
#
#print "mo = $mo \n";
#print "da = $da \n";
#print "\$wholefile[0] = $wholefile[0]\n";

my $t = grep /from=/, @wholefile;   # total
my $s = grep /is spam/, @wholefile; # spam
my $d = grep /ruleset/, @wholefile; # ruleset
my $c = grep /Cleaned/, @wholefile; # cleaned
my $v = grep / FOUND  $/, @wholefile;   # virus found by ClamAV
my $u = $s + $d + $v;   # undelivered

my $sp = (100*$s)/$t unless $t == 0;
my $dp = (100*$d)/$t unless $t == 0;
my $up = (100*$u)/$t unless $t == 0;
my $vp = (100*$v)/$t unless $t == 0;

my $spf = sprintf("%-5.2f",$sp);
my $d

Re: [SAtalk] stats script, by (fairly) popular demand

['mikea']

On Thu, Oct 30, 2003 at 02:45:39PM -0800, Kenneth Porter wrote:
> --On Thursday, October 30, 2003 2:26 PM -0600 'mikea' <[EMAIL PROTECTED]>
> wrote:
> 
> > my $s = grep /is spam/, @wholefile; # spam
> 
> This doesn't work with my copy of SA, which is using spamc/spamd. Instead of
> "is spam", I get "identified spam".

Well, as I wrote in an earlier message, some tweaks will be necessary.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Re: stats script

[mikea]

On Thu, Oct 30, 2003 at 04:33:35PM -0800, Kelsey Cummings wrote:
> On Thu, Oct 30, 2003 at 03:37:02PM -0600, Chris Barnes wrote:
> > mikea <[EMAIL PROTECTED]> wrote:
> > > I have, from time to time, published stats generated by my
> > > mailstats2.pl Perl script. Pretty much every time I get
> > > mail remarking on how pretty the output is and asking for
> > > a copy.
> > 
> > It looks like it requires Posix - does that mean sendmail (or exim,
> > or...) users wouldn't be able to use it?
> > 
> > (sorry, I'm just not familiar with Posix)
> 
> Chris, that's Posix, as in the syscal spec.  Not to be confused with
> Postfix.

It just requires some Perl packages; they're available through 
<http://search.cpan.org>.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Ideas on dealing with Joe Job?

[mikea]

On Wed, Jun 25, 2003 at 05:13:32PM +0100, Jim Ford wrote:
> On Tue, Jun 24, 2003 at 03:30:40PM -0700, Abigail Marshall wrote:
> 
> > As to proving where it comes from, I'm just not sure it's
> > worth the effort on an individual basis -- a lot of time &
> > expense involved.  That's another thing the big ISP's could
> 
> Any pointers as to how to trace email from the headers - they're pretty
> cryptic to a non IT professional like myself? If fact it would be useful to
> have a reference explaining the meaning of all the headers - sort of a
> 'Newbies Guide to Headers', or maybe an RFC!

Hi! This is my maiden post here, but folks here who also are on the
MailScanner list will know my name -- and I see that the esteemed
Dr. Khera is here, too. He'll be glad to know that I now have a more
capable machine running MailScanner and SPamAssassin, and that he can
stop throttling stuff back when he sends to my day job.

I was one of the targets of a pretty intense joe-job between
2002/09/25 and 2002/11/06, and have 11987 messages archived to show
it. The bounces were of no real benefit, of course, and the ISPs
from which the bounces came weren't especially helpful, either. The
*REAL* help came from the people who complained to me and/or asked to
be removed from my mailing list; they, with only a few exceptions,
accepted my explanation and sent me the full headers of the mail about
which they were complaining.

It really, really helped to have a prepared explanation saved as a 
file, so that when I responded to a gripe, I could just :r the file
into my edit session inside mutt. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] spamd/spamc

[mikea]

On Fri, Jun 27, 2003 at 08:06:27AM +0300, Hannu Liljemark wrote:
> On Thu, Jun 26, 2003 at 11:57:00PM +0300, Vasantha Narayanan wrote:
> 
> > The documentation seems to indicate, spamd and spamc are
> > included in the distribution.  But I can't find it.  Can you 
> > please tell me where it is?  Do I need to build it first?
> 
> Look in places like /usr/bin, /usr/local/bin, /opt/perl/bin.
> Use your normal UNIX file locating tools such as locate and find,
> depending on the system. They are created as part of the
> configuring and make process and then installed with make
> install.
> 
> > We use MailScanner to scan messages.  To use SpamAssassin,
> > in MailScanner.conf, I would set "use spamassassin" to yes. 
> > How would I make MailScanner use spamc instead of SpamAssassin?
> 
> Someone who actually knows about this correct me if I'm wrong,
> but last time I looked at MailScanner it was like MIMEDefang when
> it comes to SpamAssassin: it uses the SpamAssassin's perl modules
> directly and doesn't use spamc/spamd. 

That is entirely correct. It *just* *works* -- damn fine combination, 
too. Highly recommended. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Conflicting scores in SA/MailScanner

[mikea]

On Fri, Jun 27, 2003 at 07:45:04AM -0500, Richard Humphrey wrote:
> Ok, thanks for the info.I think i will just disable SA being called
> through procmail and let MailScanner handle it. Is this the correct way
> of doing it?  I have one more question regarding MailScanner and SA. If
> I set it to have MailScanner call SA, does SA still use the rules in
> local.cf or does it use MailScanners configuration files. In other
> words, if I have custom rules, wherte should they be put so that they
> still work when MailScanner calls SA?

The default location for SpamAssassin local rules on my FreeBSD boxes 
appears to be /etc/mail/spamassassin/local.cf. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] New (to me) spam technique

[mikea]

On Mon, Jun 30, 2003 at 03:22:39PM +0100, Darren Coleman wrote:
> It would be nice, although ultimately unworkable I guess, if SA could be
> engineered to ignore anything which isn't humanly-visible in an email.
> i.e. when spammers insert fake PGP signatures in  color="White"> tags to lower their score - SA should ignore it.
> 
> The problem with this, I guess, is that not only would it be near
> impossible to catch every permutation of "hiding content", but you would
> also potentially miss glaring spam signatures that are hidden.. e.g.
> 

I disagree strongly here. 

IMHO there should be SA rules to find -colored text on 
-colored background; I'd score this up very high indeed.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0016ave/direct;at.asp_061203_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Getting Spamassassin and a Anti-Virus working

[mikea]

On Mon, Jul 07, 2003 at 09:21:27AM -0700, Christopher Lyon wrote:
> I was looking to get spamassassin and an anti virus program, sophos,
> openantivirus, or anything that would work in conjunction with
> spamassassin as a mail gateway. I have a production mail server and I
> want to create just a SMTP relay to protect the production mail server
> and have spamassassin and some anti-virus software protect that system
> from mail coming in from the internet. 
> 
> 
> Can anybody point me in the right direction to how I can get this
> working?

Have you looked into MailScanner? It can call multiple antivirus
scanners, put files in quarantine based on regular expression matches,
check mail sources against DNSBLs, and invoke SpamAssassin and mark
mail as ham/spam based on that score. Rather a nice package, all in
all, and very successful at my day job.



-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0016ave/direct;at.asp_061203_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Bayesian filtering question

[mikea]

On Mon, Jul 07, 2003 at 11:45:59AM -0700, Matthew Thomas wrote:
> Greetings,
> 
> I'm using 2.53 spamassassin (with Mimedefang and sendmail).  I've got my
> bayes database seeded.  When I test spam using "spamassassin -tD <
> sample-spam", I get accurate bayes information.  But I have yet to see the
> bayes result to show up on a tagged incoming spam.  Do I have something
> configured incorrectly(is there a flag I need to switch to turn it on system
> wide)?  Should most of the tagged spams also have a bayes test line in the
> spam report?  Everything else is working well, I just can't tell if incoming
> spams are being bayes filtered.

This has been asked in the past, and the answer I remember is that at
least one spam has to score above 20 to cause Bayesian scoring to
become active. There may be a requirement for at least one non-spam to
score below -5, too.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0016ave/direct;at.asp_061203_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Bayes Error

[mikea]

On Mon, Jul 07, 2003 at 02:50:46PM -0500, Richard Humphrey wrote:
> I posted this a week or so ago and didnt get much in the way of a
> response. Figured I would try again.
> I enabled bayes in /etc/mail/spamassassin/local.cf and when I run
> spamassassin -D --lint as any user, I get the following error:
> 
> Cannot open bayes_path /home/richard/.spamassassin/bayes R/O:
> Inappropriate ioctl for device
> 
> Anyone know how to fix this?

No. More info could be useful: 

Does /home/richard exist? If yes, what are its permissions?

Does /home/richard/.spamassassin exist? If yes, what are its
permissions?

Does /home/richard/.spamassassin/bayes exist? If yes, what are its
permissions?

What are the permissions on the two directories above, if they both
exist?

Is any part of /home/richard/.spamassassin/bayes an NFS mount to
another machine, or is it all on the machine where you are running
`spamassassin -D --lint`?

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0016ave/direct;at.asp_061203_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] How to do? Linux/Spam Assasin running as a gateway spam filter f or another mail server.

[mikea]

On Tue, Jul 08, 2003 at 11:42:33AM +0930, [EMAIL PROTECTED] wrote:
> Hi All,
> I've got spam assassin working like a dream on our small sendmail box.
> works like a bought one.what i want to do is setup a gateway arrangment
> for an Exchange Server (everyone shudders, i know).
> 
> like so:
> 
> Internet  ->  Linux Sendmail with SpamAssasin ->  Exchange Server  
> 
> has anybody attempted such a thing?  i've been searching google for quite a
> while and not found any howtos...on the sendmail box i'm attempting:
> 
> 1.  that i don't need to create accounts for everyone on the exchange
> server?
> 2.  that it sholdn't deliver to the linux box at all, but simply scan and
> forward.  
> 3.  no mail will be deleted, but will simply have the spam score in the
> message header and the Spam in the subject line.  then the users of the
> exchange server will be able to filter based on Spam Score or the subject
> line or whatever.  
> 4.  I don't need to scan outgoing mail but i guess that wouldn't hurt as
> well.

I'm using MailScanner to run SpamAssassin on a FreeBSD box here, 
between our firewall's inbound SMTP proxy and our Lotus Notes 
cluster, doing exactly this. As I have it, it does (1), (2), and (3)
above. 

Here's the .mc file I feed to make to create my sendmail.cf:

: divert(0)dnl
: VERSIONID(`Mike Andrews 06Dec2002 1550 CST')dnl
: OSTYPE(bsd4.4)dnl
: DOMAIN(generic)dnl
: FEATURE(access_db, `hash -T -o /etc/mail/access')dnl
: FEATURE(blacklist_recipients)dnl
: FEATURE(local_lmtp)dnl
: FEATURE(accept_unresolvable_domains)dnl
: FEATURE(`use_cw_file')dnl
: define(`confCW_FILE', `-o /etc/mail/sendmail.cw')dnl
: define(`confMAX_MIME_HEADER_LENGTH', `1024/1024')dnl was 256/128
: define(`confNO_RCPT_ACTION', `add-to-undisclosed')dnl
: define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')dnl
: define(`MAIL_HUB', `relay:[10.36.36.33]')dnl 
: define(`SMART_HOST', `relay:[10.36.36.33]')dnl suggested by Rob MacGregor
: define(`LOCAL_RELAY', `relay:[10.36.36.33]')dnl suggested by Rob MacGregor
: MASQUERADE_AS(`ODOT.ORG')dnl
: MASQUERADE_DOMAIN(`okladot.state.ok.us')dnl
: FEATURE(`masquerade_entire_domain')dnl 
: MAILER(local)dnl
: MAILER(smtp)dnl

The firewall is set up to feed all inbound mail to this box; there are
two sendmail processes running on the box: one to put the incoming
mail in the "in" mail directory, and one to take processed mail out
of the "out" mail directory. The bridge between them is MailScanner,
which reads mail from "in", runs SpamAssassin and various virus
scanners on that mail, quarantines files with names which match
certain regular expressions (.exe, .bat, .com, .cmd, .scr, .pif, and
so on), replaces quarantined files with attachments explaining what
was quarantined, and then puts the processed mail in "out".

I am absolutely satisfied with this setup. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0016ave/direct;at.asp_061203_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Definition of scores...

[mikea]

On Tue, Jul 08, 2003 at 11:22:59AM -0400, VonEssen, John wrote:
> In 50_scores.cf there are different formats of scores:
> 
> score SCORE_NAME 0.0 3.017 0.0 2.635
> 
> or
> 
> score SCORE_NAME 1.0
> 
> What is the difference and what do the extra fields mean? I would like
> to change the weighting of some dcc and rbl scores.

man Mail::SpamAssassin::Conf

Look for "score SYMBOLIC".

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Unlearning a spam learned as ham?

[mikea]

On Wed, Jul 09, 2003 at 08:45:13AM -0500, Thomas Cameron wrote:
> All -
> 
> There was a spam message in my inbox when I ran sa-learn --ham on it.  What
> is the best way to unlearn it as ham and learn it as spam?  Can I just stick
> it in my spam mbox and run sa-learn --spam on it, or do I need to do more?

`sa-learn --forget` looks like a good start. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] tricky spam

[mikea]

On Thu, Jul 10, 2003 at 11:53:01AM -0300, German Staltari wrote:
> Hi, i've attahced a very tricky SPAM mail that has been scored with 0.8
> points, what can be done with this kind of SPAM?.

First and foremost, you can feed it to the Bayesian classifier as spam
using sa-learn. That will cause all the "interesting" and obfuscatory
misspellings to be recognized and stored as tokens for use in scanning
later mail. 

This is, of course, yet another arms race. I've recently seen spam 
consists of nothing but attachments, so that they show up empty 
when using mutt to read them, until one types "v" to see all the 
attachments. From time to time, one of the mroe enterprising 
spammers sends mail with nothing *but* images, so that I either 
have to classify as spam all such mail or to run OCR software 
on the images and pass the resultant text through SA. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] sa-learn question

[mikea]

On Thu, Jul 10, 2003 at 02:47:50PM -0400, Wendell Smith wrote:
> I am trying to feed sa-learn some spam/ham and I was wondering
> something...
> 
> Can I feed sa-learn ONE file that contains a large number of emails? I
> ask this because I use Evolution and sort my mail into folders. Now
> instead of saving each mail one-at-a-time I want to highlight all of
> them and then save them all into one file. 
> 
> Will feeding sa-learn this file work with the desired results? 

If the files are in mailbox (mbox) format, this should work; I know
it works well with files in mbox format because that's what I use
myself. If they're not, then try it and see if it works. If it doesn't
for some reason, then you might try splitting the consolidated files
into directories, one file per message in the directory, and then run
"sa-learn --dir" against the directory.

Someone else may have a better idea; I hope so.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps1
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] sa-learn seg faulting

[mikea]

On Fri, Jul 11, 2003 at 01:02:01PM -0400, Fred Bacon wrote:
> Hi, I'm running spamassassin 2.54 on a Redhat 7.3 distribution.
> 
> I have my users place unmarked spam into a shared IMAP folder on our
> server.  Every night I have a cron job learn the contents of the folder
> as spam.  On occasion (perhaps once every two to three weeks), a message
> in the folder will cause sa-learn to seg fault.  When this happens, I
> have to rerun sa-learn by hand in debug mode to discover the offending
> message and delete it.
> 
> Has anyone else seen this sort of behavior?  Would it help to send one
> of the troublesome messages to the list the next time it occurs?

I haven't seen anything like that; it sounds ugly, and I'm pretty
sure that the developers would like to know about *anything* that
can cause their code to break repeatably. I *know* that if I were
a developer, and someone found a guaranteed bust, I'd want to know 
about it, ja, you betcha, for _sure_.

> On a side note, I've also been seeing a spate of empty spam messages
> recently.  In addition, we have received a number of messages about a
> request for quote on a Differential Warp Generator.  Either there's a
> serious looney running around, or someone is definitely cleaning their
> mailing list. :-)

The Time Travel Spammer has been doing his thing again. Either he's 
a frothing, but sincere, loon or he's a stranded, and sincere, time-
traveler. I'll put my money on #1, but I'll also look for ads with

 All the
 Talk
 Of the 
 Market

against a 10% background cut of a mushroom cloud, just in case. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps1
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] asian fonts induce false negatives?

[mikea]

On Fri, Jul 11, 2003 at 09:59:22AM -0700, Support wrote:
> Hi,
> 
>  I have a user who gets SPAM with scores of around -6.0 points.  One thing
> I've noticed is that they have asian characters(and some english). Could
> this be inducing a false negative? 
> 
> Also one side question. how exactly is a negative score accumulated?  Are
> there negative points added to the overall score?

You might want to less (or more or grep) through 
the rules. There are a bunch with negative scores. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps1
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Getting SA to score certain words higher

[mikea]

On Tue, Jul 15, 2003 at 05:08:31PM +0100, Huw Jenkins wrote:
> Hi there list,
> I'm fairly new to SA so forgive my ignorance. I've installed
> SpamAssasssin and it works very nicely. I've got my threshold set pretty
> high as we're an ISP and I don't want and False Negatives. I've noticed that
> certain pension spam doesn't get in, yet kiddie porn spam falls just under
> my threshold (sometime quite far below). Is there a file of words and there
> associated scores? I'd like to ramp up words like Lolita etc.
> 
> I may be going about this the completely wrong way! Please tell me if I am
> ;-)

Since you're an ISP, people are paying you to provide transit and 
mail service for them, and to make sure you don't throw away mail 
they want. It seems to me that you can't afford any false _positives_:
non-spam mail that gets tossed or quarantined because you think that
it is spam. 

False negatives just wind up as spam in the user's mailbox; the user
can gripe about that, and you can afford a little of it. 

But false _positives_ will make your subscribers *REALLY* upset.

Run the kiddie porn spam through sa-learn --spam, making sure that
you also run some ham through sa-learn --ham, and you'll see better
results once the Bayesian analyser starts working. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps1
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Getting Razor error

[mikea]

On Tue, Jul 15, 2003 at 07:50:57PM -0400, Dragoncrest wrote:
>  Nobody knows anything about this error?
> 
> At 04:22 PM 7/14/03 -0400, Dragoncrest wrote:
> >Just viewing my mail logs today because i started getting fetchmail
> >errors saying I had duplicate processes running which usually singals
> >that I've got a stuck email somewhere.  In the process of checking the
> >mail logs I saw this pop up as SA was trying to process a message it
> >later identified as spam.
> >
> >Jul 14 15:18:46 dragoncrest spamd[6040]: razor2 check skipped: Bad file
> >descriptor Died at
> >/usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm line 420,
> > chunk 1.
> >
> >Anybody know what this is?  I'm guessing it has to do with DNS
> >resolution, but I'm unsure.  Can anyone give me some insight into this
> >and if I need to be worried about it?

Erm ... _no_, actually. What's in the vicinity of line 420 of 
/usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm 
on the machine with the problem? 

In the Mail-SpamAssassin-2.43 Dns.pm I have on my home system, it 
appears to be code related to razor2, with an intriguing note in
lines 403-405. This appears to be the area in which your Dns.pm 
is giving up the ghost, or so I suspect.

Is it possible that your firewall is blocking razor2 access from 
inside the protected network?

What is the level of the SpamAssassin code you are running? 

 374   my $rc =
 375 Razor2::Client::Agent->new('razor-check')
 376 ; # everything's in the module!
 377 
 378   if ($rc) {
 379 my %opt = (
 380 debug  => ($Mail::SpamAssassin::DEBUG->{enabled} and
 381  $Mail::SpamAssassin::DEBUG->{razor} < -2), 
 382 foreground => 1,
 383 config => $self->{conf}->{razor_config}
 384 );
 385 $rc->{opt} = \%opt;
 386 $rc->do_conf() or die $rc->errstr;
 387 
 388 my @msg = ($fulltext);
 389 my $objects = $rc->prepare_objects( [EMAIL PROTECTED] )
 390   or die "error in prepare_objects";
 391 $rc->get_server_info() or die $rc->errprefix("checkit");
 392 my $sigs = $rc->compute_sigs($objects)
 393   or die "error in compute_sigs";
 394 
 395 # 
 396 # if mail is whitelisted, its not spam, so abort.
 397 #   
 398 if ( $rc->local_check( $objects->[0] ) ) {
 399   $response = 0;
 400 }
 401 else {
 402   if (!$rc->connect()) {
 403 # provide a better error message when servers are unavailable,
 404 # than "Bad file descriptor Died".
 405 die "could not connect to any servers\n";
 406   }
 407   $rc->check($objects) or die $rc->errprefix("checkit");
 408   $rc->disconnect() or die $rc->errprefix("checkit");
 409   $response = $objects->[0]->{spam};
 410 }
 411   }
 412   else {
 413 warn "undefined Razor2::Client::Agent\n";
 414   }
 415   
 416   alarm 0;
 417 };
 418 
 419 alarm 0;# just in case

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Getting Razor error

[mikea]

On Wed, Jul 16, 2003 at 04:51:27PM -0400, Dragoncrest wrote:
> 
> >Erm ... _no_, actually. What's in the vicinity of line 420 of
> >/usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm
> >on the machine with the problem?
> 
>  I've got the same thing you do on like 420 that you have on Line 
> 407.  In fact what you have and what I have (I've got SA v2.55) are almost 
> 100% identical.
> 
> >lines 403-405. This appears to be the area in which your Dns.pm
> >is giving up the ghost, or so I suspect.
> 
>  Well, not the same line numbers, but yes.
> 
> >Is it possible that your firewall is blocking razor2 access from
> >inside the protected network?
> 
>  Nope.  Cause from what I've seen in the logs it doesn't bomb out 
> all the time.  It seems to do it at random.  If it did it every time I'd be 
> paniced.  But since it seems to be random, I was curious if it was 
> something to worry about or not and if it was how to fix it.

Since it is sporadic, I suspect that it is related to connectivity
and/or congestion issues at (a/the) razor2 server(s). This suspicion
is strengthened in my mind by the comment in the code about providing
a better diagnostic than "Bad file descriptor" when the server is
unavailable.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] spamd 2.60-cvs

[mikea]

On Thu, Jul 17, 2003 at 03:51:00PM -0500, Hill, John wrote:
> Error on start up:
> 
> Use of uninitialized value in scalar assignment at
> /usr/local/lib/perl5/site_perl/5.8.0/Mail/Spamassassin/Util.pm line 154
> 
> Latest spamd-cvs Slackware 8.1 perl 5.8.0 kernel 2.4.21.
> 
> It works but I get this message when I stop then start it.
> 
> I have looked in the docs and the archives but cannot find this error
> mentioned.

When I got that, it turned out to be a malformed rule in my 
/etc/mail/spamassassin/local.cf

You might have a look. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Problem with DCC; Insecure path

[mikea]

On Fri, Jul 18, 2003 at 01:20:42PM +0200, Henrik Larsson wrote:
> Hi
> 
> I know this is properly not a pure Spamassassin issue as you can se below,
> but since all the Spamassasin experts is here, I would take the liberty to
> asking the question anyway.
> 
> Please don't flame me to much if this is this is way off topic.
> 
> I have recently installed DCC to add this to my checks with Spamassassin and
> Amavisd-new.
> 
> But the DCC checks are not running when Amavisd-new is handlig the mail. The
> debug log from Amavis is below:
> -- cut
[snip]
> debug: running full-text regexp tests; score so far=1.5
> debug: Current PATH is:
> /usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/dcc/
> bin
[snip]
> DCC -> check failed: Insecure $ENV{PATH} while running with -T switch at
> /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Dns.pm line 577.
> -- cut

You might want to check permissions on the files in $PATH, since that 
seems to be what it's gritching about. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] kind of sad

[mikea]

On Mon, Jul 21, 2003 at 03:13:59PM -0400, Chris Santerre wrote:
> I got a spam today that came from "YOUNGIL ELEMENTARY SCHOOL" in Korea. They
> are starting them early I guess :)
>  
> It was a "how to lose 20 lb" spam. 

The Korean government is said to have done "cookie-cutter" installs
at all schools through the country, in which only the hostname, IP
number, and other similar data vary from machine to machine.

All were configured as open proxies and/or relays. 

They're "working on it". 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] SPAM rule for big@boss.com

[mikea]

On Tue, Jul 22, 2003 at 01:34:18PM -0400, [EMAIL PROTECTED] wrote
about spam from "[EMAIL PROTECTED]":
> 
> just wondering--
> 
> does anyone know what virus causes that one?

That's SoBig.A, according to Symantec's website. 

The more recent SoBig flavors are a little less predictable.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] adding a DNSBL to local.cf

[mikea]

I'm looking at adding a local DNSBL, served out of one of the 
nameservers here. 

Let's say that I want to look up an IP address, a.b.c.d, on 
my server bl.odot.org, and want to add 5 points for entries 
that map to 127.0.0.4. 

Here:

#==
header ODOT_RCVD_BL_LISTED  rbleval:check_rbl('ODOT_BL', 'bl.odot.org')
describe ODOT_RCVD_BL_LISTED(LOCAL RULE) Check Received chain for open proxy or 
other bad stuff
tflags ODOT_RCVD_BL_LISTED net
#==
header ODOT_BL_ENTRYrbleval:check_rbl_results_for('ODOT_BL','127.0.0.4')
describe ODOT_BL_ENTRY  A host in the Received headers is listed in BL as open proxy 
or other severe problem
score ODOT_BL_ENTRY 5 5 5 5
#==

is what I've got in /etc/mail/spamassassin/local.cf. 

I know the rules there are being seen, because other rules in that
file are being used in scoring.   

There doesn't seem to be much in the perldoc on building rulesets for
checking DNSbls and scoring the results. What I have, above, is based
on lots of inference and examination of the rules in 20_headers..

I _think_ that the rules are constructed like this in the general 
case, but would really appreciate guidance: 

#==
header CHECK_DNSBL_NAME rbleval:check_rbl('RESULT_NAME', 'DNSBL_SERVER_NAME')
describe CHECK_DNSBL_NAME   Insert CHECK_DNSBL_NAME description here
tflags CHECK_DNSBL_NAME net
#==
header CHECK_RESULTSrbleval:check_rbl_results_for('RESULT_NAME', '127.0.0.4')
describe CHECK_RESULTS  Insert CHECK_RESULTS description here 
score CHECK_RESULTS 5 5 5 5
#==

and that the result of the check in "header CHECK_DNSBL_NAME" is
saved in RESULT_NAME for comparison with 127.0.0.4 in "header
CHECK_RESULTS", with a match causing the score to be increased by 5.

Am I close? I ask because I don't see any DNS lookups to cbl.odot.org.

Anyone?

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] adding a DNSBL to local.cf

[mikea]

On Tue, Jul 22, 2003 at 11:44:38AM -0700, Justin Mason wrote:

> It works like:

>  header CHECK_DNSBL_NAMErbleval:check_rbl('setname', 'zone')
>  describe CHECK_DNSBL_NAME  Insert CHECK_DNSBL_NAME description here
>  tflags CHECK_DNSBL_NAMEnet

>  header CHECK_RESULTS   rbleval:check_rbl_results_for('setname', '127.0.0.4')
>  describe CHECK_RESULTS Insert CHECK_RESULTS description here
>  score CHECK_RESULTS5 5 5 5

> The setname must match between the two -- as it's used to match one with
> the other.   SpamAssassin must be running without the -L switch.

> If *any* A record exists in the zone, CHECK_DNSBL_NAME will fire -- so
> you may need to set its score to 0.001 so it does not incur a hit,
> if you don't want it to.  Then CHECK_RESULTS will run after that
> and examine the exact IP returned.

> Note that your example used bl.odot.org and cbl.odot.org; this could
> explain the failure assuming it wasn't a typo ;)

> BTW, in 2.60, it looks like someone renamed
> rbleval:check_rbl_results_for() -- it now seems to be called
> rbleval:check_rbl_sub().  (this was probably not a good idea for backwards
> compat reasons.)

A-*Ha*! And then each header is checked against the DNSbl named 
'zone', I take it, with IP addresses of the form a.b.c.d being 
reversed to d.c.b.a first, so that the lookup is done against
d.c.b.a.zone.

TYVM. My search for doc on this apparently sidestepped something  
important. Got a pointer? 

The "cbl"/"bl" thing was a typo, actually. Too much hurry. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Pyzor not working?

[mikea]

On Wed, Jul 23, 2003 at 12:13:03AM +0200, Jim Knuth wrote:
> Hi, what mean this?
> This is the output from "spamassassin -lint -D < sample-spam.txt"
> 
> 
> debug: executable for pyzor was found at /usr/bin/pyzor
> debug: Pyzor is available: /usr/bin/pyzor
> debug: entering helper-app run mode
> debug: leaving helper-app run mode
> Pyzor -> check failed: no response

It appears to me (I could be wrong) that SA is trying to check the 
mail against a Pyzor server, and that it got no response to its 
query. Perhaps your firewall blocked the outbound packet? 

> 
> 
> The header show this:
> 
> X-Spam-Level: 
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> X-Pyzor: Reported 0 times.
> 

A consequence of the failed check. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Help. SA is not learning

[mikea]

On Wed, Jul 23, 2003 at 12:42:34AM -0400, Daniel Carrera wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> I'm trying to teach SA.  I just fed it a about 7,000 spam messages and it 
> claims to have only learned from 11.  Here is the output:
> 
> dcarrera ~$ # The following step takes about 1.5 hours.
> dcarrera ~$ sa-learn --spam --showdots --mbox spam_borrowed_10 
> ...
> Learned from 11 messages.
> dcarrera ~$ grep 'Subject: ' spam_borrowed_10 | wc -l
> 6972
> dcarrera ~$
> 
> 
> Does anyone know what's going on?

How many of the input spam messages had it been fed as spam earlier?
ISTR someone mentioning that SA keys on Message-ID, and if you're
using spam from an archive to supplement spam you received at your
installation there might well be some overlap.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Block an entire Network?

[mikea]

On Wed, Jul 23, 2003 at 07:00:34PM -0700, Jim Blevins wrote:
> How does one go about blacklisting an entire network, say for example
> [EMAIL PROTECTED] does not seem to work?

In my sendmail access file (`input to makemap hash accesshttp://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] reporting idea

[mikea]

On Fri, Jul 25, 2003 at 12:50:02PM -0400, [EMAIL PROTECTED] wrote:
> i dont know how useful this would be, but i was thinking of a spam 
> reporting tool that did the following:
>   sends a message to root/webmaster/whatever of the mailing ip
>   traceroutes the ip, and finds the location facility and/or isp -- then 
> mails root/webmaster and all whois contacts for that company
> 
> emails would say something to the effect of:
>   unsolicited bulk mail has come from your server, or a server on your 
> network
>   please take the appropriate actions to secure your machine, if this 
> were a hack, or prevent your customer from doing this in the future
>   should another message be received from this ip, it will be 
> immediately listed on dns blocking lists
>   should further messages be sent through your network, your entire 
> address block will listed on dns blocking lists
> 
> i'm just really fucking sick of some of these spams i've been getting 
> lately.  the bulk of them lately have been coming from companies that 
> use level3.net

Bad idea, I think.

Certainly you should not mail the whois contacts using an automated
tool, and I think it is not entirely wise to mail other mailboxes
using such a tool if there is no human in the loop.

Possibly root/webmaster/whatever at the mailing IP won't exist; the
only one that is RFC-required to exist is postmaster (in any mixture
of upper and lower case), and then it's required only if the owner
intended it to send mail. If the machine has been trojaned by SoBig or
its ilk, the trojan includes an SMTP engine for sending spam, but may
not be listening for new connectoins on TCP port 25.

In general, I think that automatically mailing *anyone* in a given
domain because of spam apparently sent from or through that domain is
an idea whose time is not going to come.

A little perspective here:

I used to run [EMAIL PROTECTED], until April 2001; they were respectable
but overworked then, and we tried our damnedest to handle complaints
in as timely and Internet-friendly a fashion as we could. We were
hampered by management to an unbelievable extent, and by shotgun
complaints from spamcop and other automated complaint tools to a
point that we tended to work them last, because they generally were
misdirected. I've been on the working end of an abuse desk. It is no
fun at all, and it is unbelievably frustrating.

Before that, I was the assistant manager of the IT division at a large
state agency in the US midwest (WeBuildHighways) with about 3000 Email
boxes; I retired from there after 25 years. I'm back there now, as a
consultant, doing the anti-virus and anti-spam stuff for them. I'm 
also security@ and abuse@ there. Someone else is postmaster@ and 
webmaster@, thank @PANTHEON.

I used to try to complain about every spam that hit my home mailbox,
and about every spam that my users forwarded to me at work. But I see
50 to 60 at home, and 2000 at work, *per day*, and can't report them
all by hand. I need an automated tool myself, but it *must* have a
human in the loop, for sanity-checking. Spamcop is not sufficient 
IMHO; YMMV.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Impotence!!

[mikea]

On Tue, Aug 12, 2003 at 12:32:58PM +0100, [EMAIL PROTECTED] wrote:
> Hi Everyone
> 
> I receive a daily email from a financial mailing list, it is never usually 
> identified as spam, however, they today made the mistake of capitalising the subject 
> line of the email, but the really killer was the (apparent) reference to 
> 'impotence'; this sent it over the edge with an extra 2.9 points!
> 
> Strange thing is, I can't find any reference to impotence in the email, nor the HTML 
> source code.
> 
> See attached.

> > Content analysis details:   (8.60 points, 5 required)
> > LOW_INTEREST   (2.0 points)  BODY: Lower Interest Rates
> > NO_FEE (0.2 points)  BODY: No Fees
> > IMPOTENCE  (2.9 points)  BODY: Impotence cure
   ^ 
> > OFFERS_ETC (0.8 points)  BODY: Stop with the offers, coupons, discounts
> > etc!
> > HTML_40_50 (1.1 points)  BODY: Message is 40% to 50% HTML
> > HTML_MESSAGE   (0.1 points)  BODY: HTML included in message
> > HTML_FONT_BIG  (0.3 points)  BODY: FONT Size +2 and up or 3 and up
> > SUBJ_ALL_CAPS  (1.1 points)  Subject is all capitals
> > CLICK_BELOW(0.1 points)  Asks you to click below

[snip]

> SEX TIP FOR INVESTORS
> Pfizer shareholders all know there's a growing market for the 
> treatment of erectile dysfunction. Futura Medical is a share 
    ^^^
> that could benefit. 
> http://www.fool.com/m.asp?i=960707

[snip]

The marked text in the body triggered the "IMPOTENCE" rule. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin since 1964


---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Delete spam mails

[mikea]

On Fri, Nov 07, 2003 at 12:09:58PM -0500, Roberto Salazar wrote:
> Hi:
> 
> I have Spamassasin with Postfix working . This server is a Gateway for 
> others internal mail servers (in these are the users accounts).
> 
> I need that spamassasin erase spam  mails directly (DELETE FILTER ) in my
> server gateway and don't send mail to users (report of points) (FLAGS
> FILTER).
> It's posible?
> Can you help me?

It's not possible. SpamAssassin evaluates a piece of mail, and returns
a "spam"/"not-spam" result to the caller. The caller decides what
to do, based on the result. SpamAssassin does _not_ delete any mail
itself.

You have many options: Procmail, MailScanner, the SpamAssassin milter,
and others.

I use MailScanner, which calls SpamAssassin, ClamAV, and other tools
to process mail, and I am happy with the results. I am considering
using the SpamAssassin milter, so that I can cut spam off in the DATA
phase of the SMTP transaction, but that will come later.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] BIG HUGE EVIL RULE NEWS!!!!

[mikea]

On Wed, Dec 03, 2003 at 11:48:03AM -0500, Vee Persaud wrote:
> 
> How can I tell that SA is actually using these rules (located in 
> /etc/mail/spamassassin/bigevil.cf) ?

Feed your MTA a mail designed to match one or more of the rules, and  
look for the match in your logs.  

Ir just put the rules in place and wait a bit. My first hit came
within about 3 minutes after I put the rules in place. *sigh*

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] BIG HUGE EVIL RULE NEWS!!!!

[mikea]

On Wed, Dec 03, 2003 at 07:17:28PM -0500, Rick Macdougall wrote:
> Peter P. Benac wrote:
> 
> > I have been using Emacs for almost 20 years.  Is there any other editor  :)
> > 
> > :s/old stuff/newstuff/g   only works if you only have one instance of "old
> > stuff" per line!!
> 
> H?
> 
> What you talking about Willis?
> 
> :s/old stuff/newstuff/g will replace ALL instances of old stuff with new 
> stuff on the current line, not just one instance.
> 
> :1,$ s/old stuff/newstuff/g will replace all instances of old stuff with 
> newstuff in the entire file.
> 
> Flame war ON!

Ah! The editor wars begin anew!

I'll just go start some popcorn. 

As for me, I don't open my eggs on the big _or_ the little end. 

I crack 'em around the equator. 

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Spam Statistics

[mikea]

On Thu, Dec 04, 2003 at 09:10:01AM -0500, Rubin Bennett wrote:
> WEhat are you all seeing for spam vs. ham stats out there?  I just ran
> my list statistics script and here's what I'm experiencing (much WORSE
> than the current "accepted" statistics of about 50/50):
> 
> Stats since the 1st of the month (that's right, 4 days only!!!)
> Total messages: 50467
> Clean Messages:   12800
> Spam Messages:37667
> 
> That's 3 spams for every ham that comes in.  And (according to our
> grumbling customers) there's a lot of spam that manages to squeak
> through still...  I just installed the popcorn and BigEvil rules on this
> server- should be interesting to see how we do now.
> 
> Fscking spammers.

ObQuirk: Ability not in evidence, M'Lud.

I think we're a little better off, but it still isn't pretty. 

  Mails   spamassassin   rejected  scanner   total mails
  Total   says 'spam'by rulesetsays virusundelivered
  Dec   3  7510  2807 (37.38%)  683 ( 9.09%)   16 ( 0.21%)  3506 (46.68%)
  Dec   2  7302  3118 (42.70%)  598 ( 8.19%)9 ( 0.12%)  3725 (51.01%)
  Dec   1  7095  2630 (37.07%)  536 ( 7.55%)0 ( 0.00%)  3166 (44.62%)
* Nov  30  3178  1874 (58.97%)  283 ( 8.90%)0 ( 0.00%)  2157 (67.87%) *
* Nov  29  3244  1987 (61.25%)  300 ( 9.25%)0 ( 0.00%)  2287 (70.50%) *
H Nov  28  3942  2310 (58.60%)  413 (10.48%)0 ( 0.00%)  2723 (69.08%) H
H Nov  27  3826  2259 (59.04%)  425 (11.11%)0 ( 0.00%)  2684 (70.15%) H
  Nov  26  6238  2608 (41.81%)  639 (10.24%)0 ( 0.00%)  3247 (52.05%)

"*" indicates weekend, "H" indicates holiday.

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Spam Statistics

[mikea]

On Thu, Dec 04, 2003 at 08:09:31AM -0800, Gary Funck wrote:
> 
> > From: [EMAIL PROTECTED]
> > 
> > Assuming my minor tweaks to the original script I saw posted here are
> > correct, here are my latest spam stats.. *sheesh*
> > 
> > Mail Statistics;
> >  Mails   spamassassin   rejected  scanner   total mails
> >  Total   says 'spam'by rulesetsays virusundelivered
> >  Nov  30 35940  4667 (12.99%) 18606 (51.77%)   11 ( 0.03%) 23284 (64.79%)
> >  Nov  23 52163  6150 (11.79%) 32346 (62.01%)   13 ( 0.02%) 38509 (73.82%)
> >  Nov  16 63159  6703 (10.61%) 35874 (56.80%)   12 ( 0.02%) 42589 (67.43%)
> >  Nov   9 64511  7384 (11.45%) 33678 (52.21%)   11 ( 0.02%) 41073 (63.67%)
> >  Nov   2 52982  7196 (13.58%) 23345 (44.06%)   35 ( 0.07%) 30576 (57.71%)
> 
> Tony, what does "rejected by ruleset" indicate above? It looks like the
> rulesets are throwing out 4x to 5x the volume of messages that SA detects.

It appears that Tony's running a (tweaked) version of my mailstats2.pl
script. Unless he has changed that part, "rejected by ruleset" is
SMTP sessions that were rejected because sendmail's access.DB had the
domain or IP with "REJECT".

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Odd Behaviour

[mikea]

On Thu, Dec 04, 2003 at 01:10:17PM -0500, Owen Becker wrote:
> This is somewhat interesting. A fair number of mails are getting through with:
> 
> X-Spam-Status: No, hits=-89.6 required=6.0 tests=BAYES_99,BIZ_TLD,
> CASHCASHCASH,DATE_IN_PAST_06_12,HTML_70_80,HTML_FONTCOLOR_BLUE,
> HTML_FONT_BIG,HTML_FONT_INVISIBLE,HTML_MESSAGE,MIME_HTML_ONLY,
> MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,
> USER_IN_ALL_SPAM_TO autolearn=no version=2.60
> 
> Shouldn't X-Spam-Status be set to yes for this?

Depends. Does any header talk about the mail item being whitelisted?

What's the score for "USER_IN_ALL_SPAM_TO"?

How about posting _all_ the headers for the spam?

-- 
Mike Andrews
[EMAIL PROTECTED]
Tired old sysadmin 


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk