[SAtalk] Bayes Inappropriate file type error

2004-01-15 Thread Chris
Hey all,

Got a question about Bayes. I have run into this a few times now and not
sure what is causing it.

When I run a sa-learn command, if I am training something or maintenance, I
get this error:

Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/O: tie failed: Inappropriate file type or format
Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/W: tie failed: Inappropriate file type or format
Cannot open bayes databases /var/spool/MailScanner/spamassassin/bayes_* R/W: tie failed: Inappropriate file type or format

What is this saying and how do I fix it?

Chris



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


[SAtalk] Auto White-Lists

2004-01-22 Thread Chris
I'm new to using spamassassin and have a question about auto white-listing.  
I have a file, auto-whitelist.db in my /var/spool/spamassassin directory 
however it's empty.  The file was created 6 days ago when I installed 
spamassassin.  Should something be in this file?  There are also two other 
files, auto-whitelist.dir and auto-whitelist.pag both are 12.2k.  I've also 
created a small manual auto-whitelist.cf file and placed it in my 
/etc/mail/spamassassin dir with the rest of my .cf files.  SA doesn't give 
me any complaints about this but I see nowhere that it's being checked, for 
instance I have the following line:

 WHITELIST_FROM  [EMAIL PROTECTED]

I have my spam threshold set to 8.0, and the latest mail from this address 
was given a 7.4.  I'd think that since I have it in a manual whitelist that 
it would automatically be given a clean bill of health.  Guess I've got a 
lot to learn.

Thanks for any advice.

Chris

-- 
  Regards
  Chris
  A 100% Microsoft free computer
  Registered Linux User 283774 http://counter.li.org
  8:34pm  up 21 days,  6:13,  8 users,  load average: 0.47, 0.36, 0.43





RE: [SAtalk] Newbie - spamc d spamass milter questions

2002-05-09 Thread Chris

Ok so...
 
I progressed. 

Pulling spamc from the /etc/procmailrc and placing it into the various
/usr/home/user/.procmailrc accounts works.
 
This is not that bad as I only have a dozen email addresses to cover here.
 
there must be a way to place spamc in the /etc/procmailrc account for
system wide use ?
 
Ok so first I need to go reset ownerships of the .spamassassin
directories and files in all the directories because running
spamassassin from the /etc/procmailrc ran as root and created all the
directories and files as root. I then will place a .procmailrc in each
one to run spamc..
 
ONCE I'm done with all that I will let that run a while and make sure all
that works then move on to spamass milter..
(in case I have trouble with the milter I still have the spamc setup and
running)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
Chris Stephens
Sent: Thursday, May 09, 2002 6:38 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Newbie - spamc d spamass milter questions


So I have been using Spamassassin from procmail for my own personal
server for a while.
 
This is fine as I get 40 emails a day through it. Just using:
 
:0fw
| spamassassin -P -S -a
 
In the procmailrc file for site wide mail handling.
 
I have decided to try using spamass milter and spamd spamc..
 
Im on FreeBSD 4.4 / Sendmail 8.12.3 / The current Procmail and current
spamassassin.
 
It's compiled and happy. I'm using an antivirus scanner milter now so all
the milter stuff is in and working.
 
I replace the spamassassin -P -S -a in the procmailrc with spamc
 
Start the spamd with " spamd -d -c -a -i 216.122.xxx.xxx -A
216.122.xxx.xxx " as it would not start without an IP address then
complained about an unauthorized address trying to connect.
 
This does not detach from my starting it as other daemons I have used
do. However it appears to run.
 
I have 2 stupid problems
 
I get

May  9 03:05:03 xxx spamd[10771]: connection from xymox1.com [ 216.122.xxx.xxx ] at port 2462
May  9 03:05:03 xxx spamd[11089]: Still running as root: user not specified, not found, or set to root.  Fall back to nobody.
 
It does not process mail. Its dead at this point.
 
When I send mail through it. I am sending an email to an alias so the real
user ID is not the to:, I'm not sure how spamD tries to determine which
user to become but that seems to not work. OR I am doing something
stupid :)
 
Exactly how do I start this daemon from the command line and have it
detach ?..
 
Once I have these things working correctly I will progress to the
spamass milter.
 
WHAT am I doing wrong ??..
 
Thank you in advance..
 







RE: [SAtalk] Newbie - spamc d spamass milter questions

2002-05-11 Thread Chris

Wow I had given up on getting a answer to my question !!!
 
Thanks Craig..
 
Interesting I didn't know there were variables available to Procmail.
 
There was discussion on the list of late of a new list. I have noticed
that some newbie questions like mine get skipped over while much more
esoteric questions get debated like tweaking spamd into C and how to
handle 250,000 emails a day. While these questions and debate are QUITE
important I think it's important to not skip over the super simple
questions like mine.

However I really do appreciate the lists, I'm not complaining, just
pointing out maybe a development list might be a good idea separate from
a support list.
 
The list seems mostly centered on development now anyway.
 
I have decided that using spamc in the users directory gives me more
control over things anyway. I'm also not sure I want a milter because it
does then apply to all users. SO I think I'm happy with just dropping the
spamc in each user directory where I want it. This also causes less
system load as only the accounts that really need it use it.
 
So I am a happy spamassassin user right now :)
 
I would like a spamd in C however :)
 


-Original Message-
From: Craig R Hughes [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, May 11, 2002 12:13 PM
To: Chris
Cc: [EMAIL PROTECTED]
Subject: RE: [SAtalk] Newbie - spamc d spamass milter questions


Chris wrote:

C> there must be a way to place spamc in the /etc/procmailrc account for
C> system wide use ?

The way I do it is by using spamc's -u flag, and passing it the username
(which might be available in a number of ways depending on how
procmail's being invoked).  My spamc invocation line is:

:0fw
| /usr/bin/spamc -u $CYRUSER

where I have the username in that CYRUSER variable.

C





[SAtalk] CPAN or RPM's?

2003-10-15 Thread Chris
I run a redhat 8x system and installed SA the other day via CPAN. I didn't
know what CPAN was at the time but it was the only obvious installation
instructions I could find, so I followed them and it all seems to be working
well.

Now as I look more closely at CPAN I now see it's a perl replacement (or at
least I think it is) for the RPM method. Bearing in mind the comments on
whether or not RH will release another non-commercial version, I'm wondering
if sticking with the CPAN installation is a better idea than pulling
everything out and going back to compiling my own RPM and installing that
way.

This is probably an open question but I'm wondering what others' opinions
are?

I'm not sure I like having two completely different software distribution
mechanisms on my machine, but I'm also concerned that RPM's and RH may go
away in the near future.

Lastly, I think SA is absolutely great so far, but I do find there is a lack
of material explaining how to configure it, how to alter its default
config, flags for the local.rc for enabling/disabling features (RBL's for
instance), teaching your filters, dealing with false positives (none so
far!), logging, what are "evil rules" and general management. I'm finding a
lot by simply reading this list, but I wonder if I'm simply looking in the
wrong places?

Any help or thoughts are appreciated.

Chris





Re: [SAtalk] CPAN or RPM's?

2003-10-15 Thread Chris
I reached that conclusion based on a posting on this site yesterday. It's a
surprise and frankly I find it hard to believe..

ANYWAY.. we are completely focused on the wrong part of my question which is
CPAN versus RPMs.

Let's not worry about RH EOL and look at the main question of my initial
post.

- Original Message - 
From: "Terry Milnes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 15, 2003 12:43 PM
Subject: Re: [SAtalk] CPAN or RPM's?


> I don't know how you arrive at that conclusion, versions prior to 7.1
> have reached end of life.  RH states that there will be no errata
> released for those versions.
>
> http://www.redhat.com/support/errata/archives/
>
> They also state that versions up to 9 will reach end of life at the end
> of this year, I didn't see anything that indicates the end of life means
> continuing support:
>
> http://www.redhat.com/apps/support/errata/
>
> I have seen no announcements for a new free RedHat release, in fact it
> has been quite the opposite.
>
> tm
>
> Bill Polhemus wrote:
> > I think this thing about RH "dropping" their boxed sets is really, really
> > overblown. They will continue to make updates available, and they will
> > release new distributions. You just won't be buying them in stores.
> >
> > William L. Polhemus, Jr. P.E.
> > Polhemus Engineering Company
> > Katy, Texas USA
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Chris
> > Sent: Wednesday, October 15, 2003 9:37 AM
> > To: [EMAIL PROTECTED]
> > Subject: [SAtalk] CPAN or RPM's?
> >
> > Bearing in mind the comments on
> > whether or not RH will release another non-commercial version, I'm wondering
> > if sticking with the CPAN installation is a better idea than pulling
> > everything out and going back to compiling my own RPM and installing that
> > way.


Re: [SAtalk] CPAN or RPM's?

2003-10-15 Thread Chris
Ok, cool.

So now let's get back to the original question!!

One thing to add is that there definitely needs to be more published notes
on installing via RPM's if that's the preferred method for some people. I'm
definitely more comfortable with RPM's and am new to CPAN which leaves me a
little exposed which I don't like.


- Original Message - 
From: "Terry Milnes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 15, 2003 5:16 PM
Subject: Re: [SAtalk] CPAN or RPM's?


> No RedHat will still be called Redhat, they are still going to be in the
> software business but will not be giving out a product for free anymore.
>
> Fedora is a project, Redhat a product:
>
> http://fedora.redhat.com/
>
> The point here is there will be no more updates to existing "RedHat
> Linux  Distributions"  after april 30 2004,  most versions reaching EOL
> at the end of this year, (of course they could change their policy).
>
> "Red Hat Enterprise Linux" support policy is still 5 years after version
> release.
>
> In other words I doubt we will see a Redhat 10.  I assume it will be a
> Fedora n,  I would also assume that the concern that started this thread
> with regards to RPM support is unfounded.
>
> tm
>
> E R wrote:
> > That might be because it might not be called RedHat anymore, it's the
> > Fedora Project
> >
> >
> > Terry Milnes wrote:
> >
> >> I don't know how you arrive at that conclusion, versions prior to 7.1
> >> have reached end of life.  RH states that there will be no errata
> >> released for those versions.
> >>
> >> http://www.redhat.com/support/errata/archives/
> >>
> >> They also state that versions up to 9 will reach end of life at the
> >> end of this year, I didn't see anything that indicates the end of life
> >> means continuing support:
> >>
> >> http://www.redhat.com/apps/support/errata/
> >>
> >> I have seen no announcements for a new free RedHat release, in fact it
> >> has been quite the opposite.
> >>
> >> tm
> >>
> >> Bill Polhemus wrote:
> >>
> >>> I think this thing about RH "dropping" their boxed sets is really,
> >>> really
> >>> overblown. They will continue to make updates available, and they will
> >>> release new distributions. You just won't be buying them in stores.
> >>>
> >>> William L. Polhemus, Jr. P.E.
> >>> Polhemus Engineering Company
> >>> Katy, Texas USA
> >>>
> >>> -Original Message-
> >>> From: [EMAIL PROTECTED]
> >>> [mailto:[EMAIL PROTECTED] On Behalf Of
> >>> Chris
> >>> Sent: Wednesday, October 15, 2003 9:37 AM
> >>> To: [EMAIL PROTECTED]
> >>> Subject: [SAtalk] CPAN or RPM's?
> >>>
> >>> Bearing in mind the comments on
> >>> whether or not RH will release another non-commercial version, I'm
> >>> wondering
> >>> if sticking with the CPAN installation is a better idea than pulling
> >>> everything out and going back to compiling my own RPM and installing
> >>> that
> >>> way.


Re: [SAtalk] CPAN or RPM's?

2003-10-16 Thread Chris
So if I decided to bail on CPAN and stick with RPM's. Does anyone have any
instructions to:

a) deinstall the CPAN modules currently loaded
b) create/install the RPM modules needed for SA, sendmail and procmail?

Chris





Re: [SAtalk] Spamassassin updates

2003-10-17 Thread Chris
> rpmbuild -ta Mail-Spamassassin-2.60.tar.gz

Thanks for that tip. Running it produced:

perl-Mail-SpamAssassin-2.60-1.i386.rpm  
spamassassin-tools-2.60-1.i386.rpm
spamassassin-2.60-1.i386.rpm

What does perl-Mai do? I assume all three need to be installed?


---
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


[SAtalk] Default settings?

2003-10-17 Thread Chris



I noticed on:
http://au.spamassassin.org/doc/Mail_SpamAssassin_Conf.html
 
That..

use_dcc ( 0 | 1 ) (default: 1)
Whether to use DCC, if it is available. 
 
But it's not defined whether 0 or 1 is ON? I'm 
assuming 1 is ON, but I'm concerned I may be wrong.
 
This is also true of:

use_pyzor ( 0 | 1 ) (default: 1)
Whether to use Pyzor, if it is available.
 
Could anyone let me know which it is, and perhaps 
the web page should be updated with this info?
 
Chris


[SAtalk] Bayes not seeming to learn?

2003-10-18 Thread Chris



I switched over to RPM's from CPAN (I'll send a note
later on what I did and what I found by doing it) but now I notice that
bayes doesn't seem to learn.

sa-learn --dump
Use of uninitialized value in numeric lt (<) at
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm line 1281.
0.000  0  0  0  non-token data: bayes db version
0.000  0  0  0  non-token data: nspam
0.000  0  0  0  non-token data: nham
0.000  0  0  0  non-token data: ntokens
0.000  0  0  0  non-token data: oldest atime
0.000  0  0  0  non-token data: current scan-count
0.000  0  0  0  non-token data: last expiry atime

even after running sa-learn --ham /a-ham-folder

I'm a little concerned about the first line and
suspect it's an error. I tried to sa-learn --rebuild but that didn't seem to do
any good either.
 
Suggestions?
 
I know there was a thread about this earlier this 
week, but I went and deleted the messages (DOH!).. Is there an archive 
somewhere?
 
Chris


[SAtalk] Using SPAMD ?

2003-10-18 Thread Chris



Quick question.
 
I have the usual line in my .procmailrc file of

:0fw: spamassassin.lock
* < 256000
| spamassassin

Which I *think* calls spamc? I don't have 
spamd running on my system and SA is working so I assume it's either calling 
spamc or on demand calling spamd.
 
Can anyone clarify what the above line is 
doing with regard to spamc or spamd and also help me change the configuration to 
use spamd by default?
 
Chris 


Re: [SAtalk] Using SPAMD ?

2003-10-19 Thread Chris
> Looks like you really need to go back and actually read the docs, and
> readme file etc, and come back and have another go. spamassassin is
> spamassassin. spamc is spamc.

That's actually part of the problem. I've had a hard time finding anything I
can read except the readme's and the perldoc.

If you can point me at some good URL's for reading I'll gladly do that.

> In particular check out the man pages for spamassassin, spamc, and spamd.

Checked out spamassassin before. It doesn't really explain the roles of
spamc or spamd or how they relate. Perhaps a good candidate for a future
whitepaper?

> To use spamd you need to have spamd running all the time - usually by
> starting it in one of your system init scripts. I use redhat so I copied
> the sample redhat init script over, customized it, and use that to make
> sure spamd starts when the server boots.

Yep, it does that.

> Then you'll want to change your procmail file to call spamc instead of
> spamassassin. (It's faster to include the full path to spamc by the way)

OK, so by calling spamc does it call the running spamd in the background?
Can someone explain the relationship of them or point me in a direction of
good reading.





Re: [SAtalk] Using SPAMD ?

2003-10-19 Thread Chris
Dan,

> Client/server is a concept it sounds like Chris (apologies if I
> attribute part of the above to the wrong person) may not have run into.

Thanks for the compliment that I'm too young to have known about
client/server, but unfortunately I'm old enough to have been in the industry
when the major client/server push came about.. so yep, all too familiar with
that.

What I'm struggling with, and I think others are too, is the lack of
documentation in obvious areas, i.e. on the product homepage.

I know there's install notes in the tarballs, perldocs and some notes on the
web that can be found by google, but you really have to hunt these down. The
product needs to be documented on how it works, how to install it and basic
trouble shooting on the product home page.

It's obviously a great product and has made a great job of catching spam at
my home, and therefore I'm going to be more inclined to suggest my customers
take a serious look at it, but it needs improvement in these soft areas. I
would like to help with that if possible, right now I don't know enough
about how it works.

Anyway, thanks for the age compliment!

Chris





[SAtalk] Bayes error when running sa-learn - FIXED!

2003-10-19 Thread Chris
I just thought I'd let you know how I fixed a bayes error that I was getting
when running sa-learn --dump

Use of uninitialized value in numeric lt (<) at
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm line 1281.
0.000  0  0  0  non-token data: bayes db version
0.000  0  0  0  non-token data: nspam
0.000  0  0  0  non-token data: nham
0.000  0  0  0  non-token data: ntokens
0.000  0  0  0  non-token data: oldest atime
0.000  0  0  0  non-token data: current scan-count
0.000  0  0  0  non-token data: last expiry atime

First of all I decided to use RPM's instead of CPAN and had to re-install.

In order to uninstall CPAN perl modules I (at the suggestion of Landy -
thanks!) installed webmin (http://www.webmin.com) which seemed to be the only
way to uninstall a perl module. After a few minutes of clicking all perl
modules were gone.

I then built rpm's from the source using:
rpmbuild --rebuild /usr/src/redhat/SRPMS/spamassassin-2.60-1.src.rpm

Which placed the three modules into:
/usr/src/redhat/RPMS/i386
(It's a Redhat 8.0 system).

Check out Charles helpful email at:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg23144.html

Then ran:
rpm -Uvh perl-Mail-SpamAssassin-2.60-1.i386.rpm spamassassin-2.60-1.i386.rpm
spamassassin-tools-2.60-1.i386.rpm

to install them avoiding all conflicts.

When running:
spamassassin -D --lint (I took a wild guess here and assumed -D would be
debug). I was seeing a strange Bayes error in the middle:

debug: bayes: DB_File module not installed, cannot use Bayes

So a quick search of rpmfind.net showed that I needed "perl-DB_file" which
was a module I'd deleted under CPAN.  Downloaded that from here:
http://rpmfind.net/linux/rpm2html/search.php?query=perl-DB_file

installed it and then ran sa-learn --dump again to find it was clean this
time.

then ran
sa-learn --spam --mbox SPAM

which worked.. and now I have a DB again.

sa-learn --dump
0.000  0  2  0  non-token data: bayes db version
0.000  0  15  0  non-token data: nspam
0.000  0  0  0  non-token data: nham
0.000  0  1581  0  non-token data: ntokens
0.000  0  1066032191  0  non-token data: oldest atime
0.000  0  1066575968  0  non-token data: newest atime
0.000  0  0  0  non-token data: last journal sync atime
0.000  0  0  0  non-token data: last expiry atime
0.000  0  0  0  non-token data: last expire atime delta
0.000  0  0  0  non-token data: last expire reduction count

So.. looks like that error is *possibly* caused by not having the perl-DB
module installed and I got into the bind by uninstalling the CPAN modules
and going via RPMs, but my install and all dependencies weren't complete.

I only found this out by guessing at the -D option for spamassassin --lint.
Would be nice to see this documented on the product home page. ;-)

Thought I'd share the good news in case anyone else was also in a bind and
also for documentation purposes.

Chris





Re: [SAtalk] documentation (was: Using SPAMD ?)

2003-10-19 Thread Chris
> Fire up a browser. Point it to http://www.spamassassin.org . Look
> to the upper right of the screen. Notice it says "documentation".
> Follow that link.

Thanks. I just found that this afternoon. Interesting though, I could have
sworn that the site in question used to have some text on it saying "this
site has been superseded by news.spamassassin.org".. or something to that
effect.

So I hadn't spent much time looking at the site you mention because I
thought the news site was the new home page.

Looking again this afternoon (when I first found the documentation link) I
now don't see that verbal redirector. Either I was seeing things or it
changed.. either way, now I see the docs which have been hugely helpful.

Thanks,
Chris





Re: [SAtalk] help with sa-learn

2003-10-23 Thread Chris
I had trouble with sa-learn too and it was permission problems in the end.

Make sure you are running the command as the person you want to check rather
than root. Also, use the debug flag (-D) and then you'll get a lot more
info.


- Original Message - 
From: "Joseph P. Wetstein" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 23, 2003 8:55 AM
Subject: [SAtalk] help with sa-learn


>
> When I do a: "sa-learn --mbox --spam kill" I get:
>
> Learned from 0 message(s) (127 message(s) examined).
>
>
> When I do sa-learn --dump all I get:
>
> 0.000  0  0  0  non-token data: bayes db version
> 0.000  0  0  0  non-token data: nspam
> 0.000  0  0  0  non-token data: nham
> 0.000  0  0  0  non-token data: ntokens
> 0.000  0  0  0  non-token data: oldest atime
> 0.000  0  0  0  non-token data: current scan-count
> 0.000  0  0  0  non-token data: last expiry atime
>
>
> the file 'kill' is a mailbox file with many messages in it. Why isn't it
> working?
>
>
>
> -- 
>  Joseph P. Wetstein, P.E.
>  [EMAIL PROTECTED]
>  (707) 202-0600 fax
>  PP/ASEL & KA3VJY [Tech+]


Re: [SAtalk] 0 messages

2003-10-28 Thread Chris
I had the same problem for a while.

> No matter what I do, I get something like:
>
> ~/Mail >sa-learn --spam --mbox spam
> Learned from 0 message(s) (1927 message(s) examined).
> ~/Mail >sa-learn --ham --mbox /var/spool/mail/mark
> Learned from 0 message(s) (111 message(s) examined).
>
> It always "learns from 0 messages", whatever that means, and my spam
> filtering doesn't change (I'm at about 70% filtering).  Am I doing
> something wrong?  What is suppose to happen?

Try these couple of things.

a) run it with the debug flag -D

sa-learn -D --spam --mbox spam

b) try fully qualifying the paths in case you aren't in the right place

sa-learn -D --spam --mbox /home/user/spam

c) when you've run it in debug make sure that you don't see errors about the
ability to write the files. There could be two problems here.
- you might need to install perl-DB_file module so it knows how to write
the files. Make sure you have that module installed.
- permissions! check your permissions under the user directory, i.e.
/home/user/.spamassassin and make sure the ownership of the directory and
all files within it are to the user in question and are writable to that
user.

d) as Brian said, it won't relearn messages you've learnt already.

Try those things.. but above all, remember the -D option is your friend!

Chris
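
The ownership and permission checks from step c), together with the DB_File check, as a small POSIX shell audit. This is an added example, not part of the original post or of SpamAssassin; the function names are hypothetical, and the check for group/other-writable files is an extra assumption (that only the owner should be able to change the Bayes data) beyond what the post asks for.

```shell
#!/bin/sh
# Added example (not from the thread): audit a per-user SpamAssassin state
# directory such as /home/user/.spamassassin. Function names are hypothetical.

# Entries under DIR not owned by OWNER (user name or numeric uid). Files left
# behind by a root-run spamassassin or sa-learn are reported here.
not_owned_by() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# Entries whose owner-write bit is clear. Mode bits are read directly, so the
# answer is the same when the audit itself runs as root.
not_owner_writable() {
    find "$1" ! -perm -200 -print 2>/dev/null
}

# Entries writable by group or others (symlinks skipped, their mode is not
# meaningful). Assumption beyond the post: only the owner should be able to
# modify the Bayes files.
writable_by_others() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# True when Perl can load DB_File, the module the posts found missing.
db_file_loadable() {
    perl -MDB_File -e 1 >/dev/null 2>&1
}

# Run the three filesystem checks, print one line per finding prefixed with
# the check name, and return 0 when clean, 1 otherwise.
audit_sa_dir() {
    dir=$1 owner=$2 status=0
    if [ ! -d "$dir" ]; then
        echo "missing  $dir"
        return 1
    fi
    # A non-numeric owner must resolve, or find would silently report nothing.
    case $owner in
        *[!0-9]*)
            if ! id -u "$owner" >/dev/null 2>&1; then
                echo "unknown user  $owner"
                return 1
            fi
            ;;
    esac
    for check in not_owned_by not_owner_writable writable_by_others; do
        found=$($check "$dir" "$owner")
        if [ -n "$found" ]; then
            status=1
            printf '%s\n' "$found" | sed "s|^|$check  |"
        fi
    done
    return $status
}

# Usage: sh audit.sh /home/user/.spamassassin user
if [ "$#" -eq 2 ]; then
    db_file_loadable || echo "DB_File not loadable by perl"
    audit_sa_dir "$1" "$2"
fi
```

Run it as root or as the user being checked; a clean directory prints nothing and exits 0.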





[SAtalk] spamassassin and razor won't work together

2003-06-29 Thread Chris
I am new to spamassassin, and tried to figure this out by myself, but
unfortunately failed.

I am trying to use spamassassin with razor enabled, but running
spamassassin -tD < sample-spam.txt always shows:

debug: Razor2 is available
debug: Razor2 is available
debug: entering helper-app run mode
razor2 check skipped: Permission denied Can't locate object method "new"
via package "Razor2::Client::Agent" at
/usr/lib/perl5/site_perl/5.6.0/Mail/SpamAssassin/Dns.pm line 382.


Running Razor on its own works:

razor-check -d < sample-spam.txt
 Razor-Log: Computed razorhome from env: /home/www/.razor
 Razor-Log: Found razorhome: /home/www/.razor

Jun 29 16:51:59.228886 check[6595]: [ 8] razor-check finished
successfully.


I already tried reinstalling both packages, same result.
The only strange thing that happened during installation is that some
dependency tried to install perl 5.8 (I am running 5.6). I interrupted
that (no traces of perl 5.8 on my machine).

Any Ideas?

Thanks a lot

Chris







[SAtalk] Running SA as a user app?

2002-09-17 Thread Chris

Can anybody point me to a project/FAQ similar to this:?

1. Perl script fetches POP mail from a distant server
2. mail is fed to SA, running as a standalone module in my user account
3. SA spits out results back to perl script.
4. Script deletes offending mail.

I don't have root access.  I don't need a MTA.

=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0
Chris Fortune
Fortune's Web Computer Services
Nelson, BC, Canada
V1L 2W3

ph#: 250 505-5012
email: [EMAIL PROTECTED]
website: http://cfortune.kics.bc.ca/

=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0






[SAtalk] Failed to run header SpamAssassin tests

2002-11-04 Thread Chris
Hello,

  I'm getting the following error message when running spamd,
 --
(chris)(ralph|.spamassassin)$ Failed to run header SpamAssassin tests, skipping 
some: syntax error at (eval 15) line 59, near ") ~"
syntax error at (eval 15) line 67, near ") ~"
syntax error at (eval 15) line 552, near ";
}"
 --
 I have no idea where to fix this. Any help would be appreciated. 

 Also, I cannot tell what is wrong with my test rules, I never get any matches
 no matter where I put them. How can I tell where the rules are being read from??
 -
 header THIS_IS_A_TEST   Subject =~ /this is a test/i
 score THIS_IS_A_TEST28
 ------

Thanks, Chris





[SAtalk] Filter error with spamd and spamc in exim.

2002-10-31 Thread Chris
I've been using spamassassin for a couple weeks now, and it works
perfectly except for messages from a certain mailing list, which fail to
be delivered and just sit in the mail spool. Exim displays the following
when I try to force the queue:

2002-10-31 16:08:17 1874Q3-0006Qi-00 == clinta@localhost
R=spamcheck_router T=spamcheck defer (-24): Filter process failure
2002-10-31 16:08:17 186zQ6-00060E-00 == clinta@localhost
R=spamcheck_router T=spamcheck defer (-24): Filter process failure
2002-10-31 16:08:18 186LEK-0002My-00 == clinta@localhost
R=spamcheck_router T=spamcheck defer (-24): Filter process failure
2002-10-31 16:08:19 185wPd-KW-00 == clinta@localhost
R=spamcheck_router T=spamcheck defer (-24): Filter process failure
2002-10-31 16:08:19 185sGt-te-00 == clinta@localhost
R=spamcheck_router T=spamcheck defer (-24): Filter process failure
2002-10-31 16:08:20 187LHt-00080t-00 == clinta@localhost
R=spamcheck_router T=spamcheck defer (-24): Filter process failure

This is what is sent to my maillog:

Oct 31 15:48:31 Fear-Linux spamd[32118]: logmsg: processing message
<[EMAIL PROTECTED]> for mail:8, expecting 46895
bytes.
Oct 31 15:48:31 Fear-Linux spamd[32118]: processing message
<[EMAIL PROTECTED]> for mail:8, expecting 46895
bytes.
Oct 31 15:48:32 Fear-Linux spamd[32118]: logmsg: bad protocol: header
error: (Content-length mismatch: 46895 vs. 46889)
Oct 31 15:48:32 Fear-Linux spamd[32118]: bad protocol: header error:
(Content-length mismatch: 46895 vs. 46889)
Oct 31 15:48:31 Fear-Linux spamc[32116]: failed sanity check, 256008
bytes claimed, 0 bytes seen

I have no idea how to fix this; I'd like to be able to fix the problem
instead of just going around it with exim in case future messages have
the same problem. I also had one other message from a different source
that did this as well.

Thanks

Chris
[EMAIL PROTECTED]





Misc: Bigevil Updates, WAS RE: [SAtalk] what can we do with those spam mails

2004-01-15 Thread Chris Santerre
"holdontrynow.com" is actually in my list to add. I'm sorry to say that at
my fastest, additions to Bigevil will take at least 2 days. With sooo many
people using, and a promise of ZERO FPs, I need to test overnight. Sometimes
I like to test more if the update was significant. 

I search for all sorts of typos and such every update, then run on my own
system, then finally I post it. 

I've got some projects at work that are cutting into my spare time. Also,
I'm simply not getting much spam that isn't already hitting bigevil! I'm
stunned at this. In the last 3 days spam coming into my spamtrap is
incredibly LOW! I have to check against my maillog for 553 denials to see if
the traffic is the same. Maybe they are taking my domain off their lists :(
I'm only using company email, I have no spamtrap emails out there. 

For the last 3 days I have only 20 domains to add! This includes those sent
to me by list members!!!  Something is wrong with me because that makes me
sad!

Don't go crazy sending me new domains to add just yet!  I have some ideas ;)

On another note: Is anyone still getting the G.Bush look alike V-drug
spam??? I think I finally got a rule to nail that sucker and now I'm not
getting any :( 

--Chris (Where is my spam?) Santerre

> -Original Message-
> From: Ralf Guenthner [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 7:22 AM
> To: Sönke Ruempler
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] what can we do with those spam mails
> 
> 
> Hi
> 
> How about a URI rule testing for the holdontrynow.com link??
> 
> Cheers
> Ralf G.
> 
> 
> Sönke Ruempler wrote:
> 
> > hi list,
> > 
> > I wonder if i can to something against these spam messages:
> > 
> > Return-Path: <[EMAIL PROTECTED]>
> > Delivered-To: [EMAIL PROTECTED]
> > Received: from 62.116.172.149 (68.116.240.99:4887)
> >  by mail.city-map.de (62.116.172.149:25) with [XMail 1.17 
> (Linux/Ix86) ESMTP
> > Server]
> >  id  for <[EMAIL PROTECTED]> from 
> <[EMAIL PROTECTED]>;
> >  Thu, 15 Jan 2004 04:46:01 +0100
> > Received: from [101.183.240.64] by 68.116.240.99 with HTTP;
> > Wed, 14 Jan 2004 20:51:19 -0700
> > From: "Sherman Rosa" <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: confiscate cosponsor gnat
> > Mime-Version: 1.0
> > X-Mailer: huh
> > Date: Thu, 15 Jan 2004 06:58:19 +0300
> > Reply-To: "Sherman Rosa" <[EMAIL PROTECTED]>
> > Content-Type: multipart/alternative;
> > boundary="3285634181104916874"
> > Message-Id: <[EMAIL PROTECTED]>
> > X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
> >  blah.topconcepts.net
> > X-Spam-Status: No, hits=0.0 required=4.0 tests=HTML_MESSAGE 
> autolearn=no
> >  version=2.60
> > 
> > --3285634181104916874
> > Content-Type: text/plain; charset=us-ascii
> > Content-Transfer-Encoding: 8bit
> > 
> > neumann epiphany acs attenuate padlock extensible
> > mistress indigo nowise sinclair mousy rich cosec athens 
> bludgeon amber
> > kieffer arraign coinage agee curium alienate cavalier 
> dispersible dick
> > 
> > --3285634181104916874
> > Content-Type: text/html; charset=us-ascii
> > Content-Transfer-Encoding: 8bit
> > 
> > 
> > 
> > 
> > Message
> > 
> > 
> > 
> >  face=Arial size=2>
> > http://www.holdontrywow.com/m2/index.php?AFF_ID=m4";>
> > Hello,
> > 
> > I finally was able to lose the weight I have
> > been struggling to lose for years!
> > 
> > And I couldn't believe how simple it was!
> > Amazing patch makes you shed the pounds!
> > It's Guaranteed to work or your money back!
> > 
> > http://www.holdontrywow.com/homepage/";>Not
> > intreseted
> > fiberboard discomfit ambrosial alaska fatuous lineprinter 
> bock narrow
> > integrand orphanage filth handmaiden auctioneer 
> > elsewhere accompany parakeet agglutinate finance 
> multinomial edgy felicitous
> > dowling cottonwood melodic detonate blanket marinate cheesy 
> breeches junior
> > borderland lumbar maraud lucille inroad chub scornful cute 
> > music paradigmatic guam meantime charlemagne correct 
> muriatic propitiate
> > brevity hal beehive commiserate cadaverous fatal gillette 
> salutary oriole
> > prefatory prohibitive commit fullback loretta cancer 
> admiralty boatswain
> > porpoise imagen chopin crumble insouciant 

[SAtalk] Re: Bayes Learning

2004-01-15 Thread Chris Barnes
Pedro Sam <[EMAIL PROTECTED]> wrote:
> Even better, give your users IMAP and give them a SPAM folder, and
> you can sa-learn for them in a cron job.  Most users should be able
> to drag and drop their spam into the SPAM folder.

I agree.  But don't forget you have to also feed Bayes a corpus of Ham.
Getting them to do that is somewhat more problematic...


--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes   AOL IM: CNBarnes
[EMAIL PROTECTED]Yahoo IM: chrisnbarnes
Computer Systems Manager   ph: 979-845-7801
Department of Physics fax: 979-845-2590
Texas A&M University







[SAtalk] Re: Should I just outright block *.biz domains?

2004-01-15 Thread Chris Barnes
Dragoncrest <[EMAIL PROTECTED]> wrote:
> Just curious, but I've never noticed once where someone sent me
> legitimate mail from a .biz domain name.  How about you guys?

I - for one - use a .biz domain name for a legitimate business.  I have
a software program that I wrote to help the secretaries of dog clubs put
on their events.  The site is a typical "I have a product for sale" - ie.
it has demos, screen shots, price list, etc.

When people email me about the product, I reply using an email address
with that domain name.  Note that the ONLY email I send out using that
address is in replies to people that contacted me first.   I do not send
out email to more than 1 person at a time using that address (for any
reason).

Ergo - .biz addresses are no more de facto spam than a .com address.

--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes   AOL IM: CNBarnes
[EMAIL PROTECTED]Yahoo IM: chrisnbarnes
Computer Systems Manager   ph: 979-845-7801
Department of Physics fax: 979-845-2590
Texas A&M University







[SAtalk] Tripwire Update

2004-01-15 Thread Chris Santerre
Sorry it took so long, I was waiting to hear back from Fred. He is trapped
in the North :)

Version 1.14 has been posted to web with Bart Schaefer's changes! Nice work
Bart!

http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] Spamwriter

2004-01-15 Thread Chris Santerre
Not that I don't like this discussion, but this really is getting way off
topic for Spamassassin. 

Can it be taken offlist now?

--Chris

> -Original Message-
> From: Brian May [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 12:30 PM
> To: Greg Cirino - Cirelle Enterprises; Bart Schaefer;
> [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Spamwriter
> 
> 
> Greg, please don't think that you know everything...
> 
> SBC DSL FAQ states:
> 
>  Question:
>  Can I run dedicated servers with DSL Internet access service?
> 
>  Answer:  Answer last updated: 05-02-02
>   Yes, as long as you have a static IP address. The best part of DSL
> Internet access service is that the larger bandwidth enables 
> you to have an
> always on connection to the Internet. This means that you can run mail
> servers, web servers or FTP sites from your home or office.
> 
> here is the URL for you.. http://ask.sbc.com/pcbdsl/FAQ_21_155.shtm
> 
> 
> - Original Message -
> From: "Greg Cirino - Cirelle Enterprises" <[EMAIL PROTECTED]>
> To: "Bart Schaefer" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Wednesday, January 14, 2004 6:05 PM
> Subject: Re: [SAtalk] Spamwriter
> 
> 
> | Making a direct outbound connection on port 25 is not 
> "running an email
> | server", any more than making a direct outbound connection 
> on port 80 is
> | "running an HTTP server."
> 
> Running any type of "Server" is a violation of every consumer 
> high speed
> access connection TOS.
> 
> Call it what you want, but if it serves, it's a Server
> 
> No can do
> 
> Unless I misunderstand what a server is, I think anything that
> provides content, (web, ftp, email, telnet, ssh, etc...) is classified
> as a server.
> 
> Again, No can do
> 
> This is not saying "you are not able to do so", that would be
> ridiculous, but understand, a consumer connection to the Internet
> is just that... consumption, not delivering
> 
> consumers receive, servers serve.
> 
> cable subscribers, residential subscribers are consumers
> Not Servers
> 
> IMHO all consumer IP blocks should be uni directional and only
> allowed input traffic.
> 
> Unfortunately, the TC/IP protocol makes this difficult, but 
> not impossible
> to control.
> 
> Frankly, there is no email that needs to be delivered immediately and
> the only overloaded ISP email servers are those freebee email services
> which usually get blown out by spam filters anyway.
> 
> The Rule of Thumb:
> 
> Just because you have cable or dsl does not mean you're an ISP or
> gonna make a fortune on the internet.
> 
> If you want into the business, build the plan, see the bank, 
> take the risk.
> 
> Otherwise, you are no better than the spammer that is trying to make
> a quick buck on a cable connection.
> 
> I think that was about a half a bucks worth
> 
> Best Regards
> 
> Greg
> 
> 
> 
> 
> 
> - Original Message -
> From: "Bart Schaefer" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 14, 2004 8:25 PM
> Subject: Re: [SAtalk] Spamwriter
> 
> 
> | On Wed, 14 Jan 2004, Greg Cirino - Cirelle Enterprises wrote:
> |
> | > 40 bucks a month does not make you an ISP.
> | >
> | > No Hosting Servers
> | > No Email Servers
> | > No FTP Servers
> | >
> | > Just consuming.
> |
> | Making a direct outbound connection on port 25 is not 
> "running an email
> | server", any more than making a direct outbound connection 
> on port 80 is
> | "running an HTTP server."
> |
> | I have no objection to an ISP blocking port 25 coming *in* 
> to my DSL.
> |
> |
> |

RE: [SAtalk] most rules hit (so far)

2004-01-15 Thread Chris Santerre
This thread is useless without pics!

Oh wait, sorry.

This post is useless without the spam! :)

Try the new version of Tripwire (1.14) posted today. It's been beechwood
aged for twice the flavor!

--Chris

> -Original Message-
> From: Steve Thomas [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 12:29 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] most rules hit (so far)
> 
> 
> Using the Tripwire set (obviously):
> 
> X-Spam-Status: Yes, hits=30.2 required=5.0 
> tests=BAYES_60,BIZ_TLD,   
>
*big snip*

> version=2.70-cvs  
>   
> 
> 
> -- 
> "Happiness is good health and a bad memory." 
> - Ingrid Bergman (1917-1982) 
> 




[SAtalk] Tripwire update 1.15

2004-01-15 Thread Chris Santerre
Fred thawed out. Added the PGP stuff that was requested. Update posted to my
site. Link in sig. 

Who says opensource doesn't respond quickly?  

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




[SAtalk] I got him! The G.bush vdrug spammer is mine! ahahahahahha

2004-01-15 Thread Chris Santerre
Success! You know that spam with the ever changing domains? The one with the
George Bush look alike doctor that is selling 6 kinds of Mr. Wiggly
enhancing drugs? Well I finally got it right and tested! 

Watch out for line wraps in your mail client. (should be 7 lines)

rawbody __VDRUG1 /^\\/
rawbody __VDRUG2 /^\\<\!\-\-.{10,15}\-\-\>\\<\/a\>\<\/center\>/
rawbody __VDRUG4 /^\<\/?body\>\<\/html\>/
meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
describe MRWIGGLY Mr. Wiggly enhance drug spam.
score MRWIGGLY 1.0

Yes I know I escaped some things that didn't need to be. I have a cleaner
version, but not tested yet. You guys have turned me into a testing wuss :)
I've seen no FPs. If someone has a better way of writing this one, I'm all
for it! I'm thinking lines 1,3,and 4 might be better if they end with $/
What do you think?

And I've looked at the numbers. The spam traffic is still increasing since
the beginning of the year, but my MTA level denials have also increased. The
guys at the DNSRBLs are really doing a bang up job. So the amount of spams
that gets caught for me to play with have gone down. 

Man this feels good!

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] FP on MY_HTTP_ODD_PORT

2004-01-15 Thread Chris Santerre
We are working on a way to manage the custom rules A LOT better. Also we
will have some of the older ones for people not running the latest versions.
We will have them archived as older. 

I'm not sure what Matt Y. was thinking scoring that at 2.0 :)  But I suggest
lowering all custom rules that you don't fully understand to under .50 (Well
except for Bigevil!)

So the answer to your questions is... soon. We are working on cleaning up
what we have now. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 

> -Original Message-
> From: Alan Munday [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 4:17 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] FP on MY_HTTP_ODD_PORT
> 
> 
> Matt/Theo
> 
> Yes it did come from the "other" wiki.
> 
> This raises the question of how can we learners tell what is 
> no longer valid
> from the custom rule sets?
> 
> Also are there any established processes for managing them?
> 
> Thanks
> 
> Alan
> 
> > -Original Message-
> > From: Matt Kettler [mailto:[EMAIL PROTECTED] 
> > Sent: 15 January 2004 21:13
> > To: Alan Munday; [EMAIL PROTECTED]
> > Subject: Re: [SAtalk] FP on MY_HTTP_ODD_PORT
> > 
> > 
> > At 03:41 PM 1/15/2004, Alan Munday wrote:
> > >Just had the mail below trigger on:
> > >
> > >  2.0 MY_HTTP_ODD_PORT   URI: Link to a server on 
> > nonstandard port
> > >
> > >Why Vailresorts would want to go to the effort of declaring 
> > port 80 in their
> > >link is a mystery.
> > >
> > >However it is clearly not a non-standard port.
> > 
> > Note: when referencing add-on rules, be sure to mention where 
> > they came from...
> > 
> http://www.exit0.us/index.php/SaUriCustomRules?version=10
> 
> That said, it looks like MY_HTTP_ODD_PORT is 100% redundant anyway..
> 
> 2.6x ships with the rule WEIRD_PORT, which is better written... The 
> standard weird_port rule ignores ports 80, 443 and 8080. and 
> it doesn't 
> score as high as 2.0.
> 
> I'd suggest regarding MY_HTTP_ODD_PORT as both broken and 
> obsoleted by the 
> standard built-in ruleset.
> 
> 
> 20_uri_tests.cf:uri WEIRD_PORT m{https?://[^/\s]+?:\d+(?
> 50_scores.cf:score WEIRD_PORT 1.345 1.944 0.554 1.407
> 
> 
> 
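The difference described in the quoted reply above, as an added Python example (not SpamAssassin's own rule code, and not the regex of either rule): a check that treats every explicit port as nonstandard, which is assumed here to be how the reported hit on port 80 came about, beside one that ignores ports 80, 443 and 8080 as the reply says WEIRD_PORT does. The function names and the sample message are constructed.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
IGNORED_PORTS = frozenset({80, 443, 8080})  # ports the reply says WEIRD_PORT ignores

# Constructed sample message body; hosts are documentation-only names and addresses.
SAMPLE = """\
Book now at http://www.example.com:80/deals/index.html
Account: https://secure.example.com:443/login
Proxy test http://cache.example.net:8080/
Plain link http://www.example.org/news
Odd one http://203.0.113.25:8081/m2/index.php
Broken http://host.example:99999/x
"""


def explicit_ports(text):
    """Yield (url, port) for each http(s) URL that spells out a port.

    port is None when the port field is present but not a valid port number.
    """
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")
        try:
            port = urlsplit(url).port
        except ValueError:          # out-of-range or non-numeric port, bad brackets
            yield url, None
            continue
        if port is not None:
            yield url, port


def any_port_rule(text):
    """Assumed behaviour of the over-broad rule: any explicit port is a hit."""
    return [url for url, _ in explicit_ports(text)]


def weird_port_rule(text, ignored=IGNORED_PORTS):
    """Hit only on explicit ports outside the ignored set (malformed ports still hit)."""
    return [url for url, port in explicit_ports(text) if port not in ignored]


def false_positives(text):
    """URLs the broad check flags that the narrower check lets through."""
    narrow = set(weird_port_rule(text))
    return [url for url in any_port_rule(text) if url not in narrow]


if __name__ == "__main__":
    print("broad :", any_port_rule(SAMPLE))
    print("narrow:", weird_port_rule(SAMPLE))
    print("FPs   :", false_positives(SAMPLE))
```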


RE: [SAtalk] most rules hit (so far)

2004-01-15 Thread Chris Santerre
LOL, oh my! I thought you were reporting an FP! That scored legit!! Ahahahah
nice! I'm pretty sure in the coming months we will see this method go
bye bye. $RND_CHAR stuff just isn't going to work anymore. Which is why
bayes poison is our next thing to tackle. 

Another spam tactic ends up being a spam tag. :)

--Chris

> -Original Message-
> From: Steve Thomas [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] most rules hit (so far)
> 
> 
> 
> You asked for it!
> 
> http://sthomas.net/spam.txt
> 
> 
> On Thu, Jan 15, 2004 at 02:10:24PM -0500, Chris Santerre is 
> rumored to have said:
> > 
> > This thread is useless without pics!
> > 
> > Oh wait, sorry.
> > 
> > This post is useless without the spam! :)
> > 
> > Try the new version of Tripwire (1.14) posted today. It's 
> been beechwood
> > aged for twice the flavor!
> > 
> > --Chris
> > 
> > > -Original Message-
> > > From: Steve Thomas [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, January 15, 2004 12:29 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [SAtalk] most rules hit (so far)
> > > 
> > > 
> > > Using the Tripwire set (obviously):
> > > 
> > > X-Spam-Status: Yes, hits=30.2 required=5.0 
> > > tests=BAYES_60,BIZ_TLD,   
> > >
> > *big snip*
> > 
> > > version=2.70-cvs  
> > >   
> 
> 
> -- 
> "There are two ways of constructing a software design; one 
> way is to make it so simple that there are obviously no 
> deficiencies, and the other way is to make it so complicated 
> that there are no obvious deficiencies. The first method is 
> far more difficult." 
> - C. A. R. Hoare
> 
> 


[SAtalk] RE: BigEvil FP

2004-01-15 Thread Chris Santerre
WOW how did that one get this far! That even got past the great Bob M corpa
run! :)

Removed and 2.06j posted. 

Thanks. And feel free to email me any more. I still can't believe that one
was still in there! Figures too, I had started tweaking from the beginning
and I last stopped at rule 36! lol.

--Chris


> -Original Message-
> From: Daniel Kleinsinger [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 10:10 PM
> To: Chris Santerre
> Subject: BigEvil FP
> 
> 
> BigEvilList_37 hits on biz.yahoo.com which gave me an FP on an email 
> from the American Constitution Society, acslaw.org.  I don't 
> know if I 
> should email you personally or the SAtalk list regarding 
> BigEvil FPs 
> 
> Thanks,
> Daniel
> 




RE: [SAtalk] Problems running begevil and tripwire together

2004-01-15 Thread Chris Santerre
Wow that is weird! I think I'm running Tripwire 1.13 because they came so
fast and furious I didn't get a chance to upgrade my own server today. Is
there some limit to mimedefang? I haven't seen these errors but don't use
mimedefang. But I run more rules than almost anyone. I only have 64 megs! SA
is taking only 20 megs with all those rules loaded. 

Take each one out separately and see if they each run.

I'll try to check in tomorrow. 

--Chris (Under 35 degrees, New Englanders just call it cold!)

> -Original Message-
> From: Scott Harris [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 15, 2004 5:05 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Problems running begevil and tripwire together
> 
> 
> I think I've narrowed it down to this by trying different combos.  
> The only change I've made in the past week was to update bigevil 
> to 2.06i and add in the tripwire stuff (currently at 1.15).  The 
> error is below, and I'm somewhat inclined to believe it is a memory 
> problem even though memory is not specifically mentioned.  I've got
> 512 right now, and running (what I think is) a little lean at 71 free.
> I've got plenty of swap however, 1GB with only 4764k used of that.
> 
> I'm running sendmail 8.12.10, mimedefang 2.39, and Spamassassin 2.61.
> I realize that the errors are from mimedefang below, but I still
> posted here because the errors didn't occur until SA started in
> with the new bigevil.
> 
> Thanks for any help.
> 
> Scott
> 
> 
> 
> [EMAIL PROTECTED]:/var/log# Jan 15 09:04:27 linux1 sm-mta[17033]: 
> i0FH4Qnm017033:
> from=<[EMAIL PROTECTED]>, size=3232, class=0, nrcpts=1,
> msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
> daemon=MTA, relay=mail1.domain.com 
> Jan 15 09:04:27 linux1 mimedefang.pl[16967]:
> MDLOG,i0FH4Qnm017033,mail_in,,167.112.160.33,<[EMAIL PROTECTED]>
> ,<[EMAIL PROTECTED]
> m>,OK
> Jan 15 09:04:27 linux1 mimedefang-multiplexor: Slave 0 died 
> prematurely --
> check your filter rules
> Jan 15 09:04:27 linux1 mimedefang-multiplexor: Reap: Idle slave 0 (pid
> 16967) exited due to signal 11 (SLAVE DIED UNEXPECTEDLY)
> Jan 15 09:04:27 linux1 mimedefang-multiplexor: Slave 0 resource usage:
> req=4, scans=4, user=2.848, sys=0.283, nswap=0, majflt=555, 
> minflt=9966,
> maxrss=0, bi=0, bo=0
> Jan 15 09:04:27 linux1 mimedefang[17034]: Error from 
> multiplexor: ERR No
> response from slave
> Jan 15 09:04:27 linux1 sm-mta[17033]: i0FH4Qnm017033: Milter: data,
> reject=451 4.7.1 Please try again later
> Jan 15 09:04:27 linux1 sm-mta[17033]: i0FH4Qnm017033: 
> to=<[EMAIL PROTECTED]>,
> delay=00:00:00, pri=33232, stat=Please try again later
> 
> 
> 


[SAtalk] [OT] Spam conference, I'm 0 for 2!

2004-01-16 Thread Chris Santerre
As you can see, I'm in my office now. I was halfway there! It's really a
thrilling tale that starts with arctic temperatures, a faulty water pump or
thermostat. Me in the cold with no heat for over an hour. My precious sports
car on a flat bed with possible valve damage, and a HUGE tow bill because
the only place that has a clue how to work on my car is 40+ miles away!

So for those people I was to meet, I'm sorry I missed you! Looks like it's
webcast for me again. Next year I won't drive my preeeciiooouusss. :(

I'm now getting hot choco intravenously. 

Chris (So sad to see his baby on a flatbed)  Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] Another BigEvil FP

2004-01-16 Thread Chris Santerre
This was a very nice email that I got about this domain. Sorry I haven't
replied yet. I'm still looking into it. I see both ham and spam when it
comes to them. I think I'm going to move it into a new sham rule "W" and
watch it VERY closely. They better have changed their UBE/UCE policy, or I
will put them back in. 

--Chris (cold, so very cold) Santerre


> -Original Message-
> From: JRiley [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 16, 2004 10:16 AM
> To: Overdijk, Harrie; 'Chris Santerre'
> Cc: 'Spamassassin-Talk (E-mail)'
> Subject: Re: [SAtalk] Another BigEvil FP
> 
> 
> They also hire marketing firms (or do it themselves) to send 
> UCE promoting
> their wares.
> I, myself have LART'd them 2 or three times.
> 
> 
> 
> > It would be nice if this site would be removed from 
> BigEvilList_130 or
> moved
> > to BigEvilList_X/Y/Z or whatever.
> > I can then remove pandasoftware.com from my whitelist and 
> yes, on my site
> > the client virus-scanner is Panda. ;-)
> >
> > Yours sincerely,
> > Harrie Overdijk
> 




RE: [SAtalk] Tripwire breaking exim/spamd setup

2004-01-16 Thread Chris Santerre
This is some pretty good info. Can you throw something up on either wiki
about exim users/lots of rules/long headers/and default buffer size? I'm
sure others might start having this problem. 

good find!

--Chris

> -Original Message-
> From: Zarjazz [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 16, 2004 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Tripwire breaking exim/spamd setup
> 
> 
> Well it had to happen, I've been receiving some spam that 
> triggered LOTS
> of tripwire rules and overflowing the smtp daemon header buffer.
> Extracts from exim panic log below.
> 
> 2004-01-16 13:17:08 1AhTqL-0001gb-Ax string_sprintf expansion 
> was longer
>  than 8192
> 2004-01-16 13:17:18 1AhTqa-0001jS-IR string_sprintf expansion 
> was longer
> than 8192
> 2004-01-16 13:17:22 1AhTqj-0001lg-3q string_sprintf expansion 
> was longer
> than 8192
> 
> Now I could fix this by recompiling exim with increased 
> buffer sizes but
> AFAIK 8192 is the default in all distributions but a quick pipe of the
> .cf file through sed s/FVGT_TRIPWIRE/TRIP/g seems to do the trick just
> as well :)
> 
> 
> Z.
> 
> 
> 
> 


[SAtalk] Ann: "Rules De Jour": An automated way to keep up with the latest rulesets

2004-01-17 Thread Chris Thielen
"Rules De Jour": An automated way to keep up with the latest rulesets.
http://www.exit0.us/index.php/RulesDeJour

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/





RE: [SAtalk] Image-ONLY e-mails not filtered?

2004-01-17 Thread Chris Santerre


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 16, 2004 8:08 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Image-ONLY e-mails not filtered?
> 
> 
> FYI -- I'm noticing SPAMs which contain ONLY an image are not 
> being filtered
> at all. Specifically, the HTML message only contains simple 
> open/close BODY
> and HTML tags with just the IMG SRC tag in the middle - which 
> in turn loads
> a spam-related promotion from somewhere... I was assuming this type of
> e-mail should be a huge red-flag and/or filtered under the 
> existing "this is
> an HTML message" rules, but it doesn't appear to be.
> 
> Sorry I don't know the product version as I didn't install 
> this, but it's
> one of the more recent releases. Also, here's a copy of the 
> message code
> that seems to be getting through every time:
> 
> 
>  href="http://www.richdd.com?rid=**somenumber**";> src="http://www.canzzd.com/v9.gif"; border=0>
> 
> 

I posted a rule earlier to catch these. The second one is in TESTING, but
this first one works perfect. Watch out for line wraps when reading this in
email. 

rawbody __VDRUG1 /^\\/
rawbody __VDRUG2 /^\\<\!\-\-.{10,15}\-\-\>\\<\/a\>\<\/center\>/
rawbody __VDRUG4 /^\<\/?body\>\<\/html\>/
meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
describe MRWIGGLY Mr. Wiggly enhance drug spam.
score MRWIGGLY 1.0


rawbody __VDRUG1B /^$/
rawbody __VDRUG2B /^pic is loading/
rawbody __VDRUG3B /\/(?:[a-zA-Z]|\d)\.gif\" border\=0\>\<\/a\>$/
rawbody __VDRUG4B />0pt out<\/a>$/
meta MRWIGGLY3 (__VDRUG1B && __VDRUG2B && __VDRUG3B && __VDRUG4B)
score MRWIGGLY3 1.0

Enjoy

--Chris




[SAtalk] New circulation of emails

2004-01-17 Thread Chris Connell

Hi Everyone,

I read in a recent IT magazine about a new circulation of spam which contains a bunch 
of meaningless sentences (but with legitimate words) in the body of the mail (actually 
they are placed at the end). These spams are obviously designed to confuse spam 
filtering software and were reported by messagelabs for getting through their spam 
filters. (They flagged it as a serious issue.)

I'm running spamassassin on our email gateway and have noticed some of these getting 
through. Some of them I can block by body content in my local rule set. Have there 
been any discussions on these spams and any methods in spamassassin to stop them?

Regards
Chris






Re: [SAtalk] Re: Ann: "Rules De Jour": An automated way to keep up with the latest rulesets

2004-01-17 Thread Chris Thielen
On Sat, 2004-01-17 at 11:15, Bob Proulx wrote:
> If this script becomes popular then there will be an impulse spike on
> the servers at that time (within each timezone) every day.  This has
> been known to create problems in other similar cases.  Better to
> randomize a delay to make sure that these do not all go off at once.
> 


>   MAXDELAY=3600
>   if [ ! -t 0 -a $MAXDELAY -gt 0 ] ; then
>     sleep $(($RANDOM % $MAXDELAY))
>   fi

Quite right, great idea!  I've added your delay idea to the script when
not running interactively.

By the way, if you know how to convert all my bash-isms to POSIX, by all
means share the knowledge :).

Thanks.
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/





RE: [SAtalk] (OT) Spam Conference 2004 re-cap?

2004-01-17 Thread Chris Santerre


> -Original Message-
> From: Gary Funck [mailto:[EMAIL PROTECTED]
> Sent: Saturday, January 17, 2004 9:39 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] (OT) Spam Conference 2004 re-cap?
> 
> 
> 
> >
> > There was an excellent presentation by John Graham-Cumming at the
> > 2004 Spam Conference about this and how your experience is what most
> > people find.  The issue being that spammers don't know what 
> tokens are
> > considered hammy in your Bayes DB, so random dictionary 
> words tend to fail
> > very easily and other "bayes poison" doesn't usually get 
> that far either.
> >
> 
> Any one have a pointer to a web-blog, or "trip report" 
> somewhere summarizing
> what went on
> at the Spam Conference 2004?
> 
>

OK, I'm going to give it a try. But anyone can see the whole archived
webcast at www.spamconference.com under webcast.

LOTS of stuff to digest. Some was just analysis on spam and such. One
presenter doesn't even use any antispam software!? 

I'll try to cover some stuff that will help the SA community.

1) Over the years spam actually HAS NOT changed that much. Meaning people
were able to find at least 10 things common with spam thru the last 3 years.
I think that was the gist of the 1st presenter anyway. 
2) Bayes Chains. This was something obvious that I thought was already used.
I don't use bayes so I haven't fully dived into reading on it. But
apparently it will use word tokens. Well to me that is like a word rule! So
guess what a bayes Chain is? Yup, more like a token for a phrase. And,
SURPRISE, it is more accurate! :) Good news.
3) ANYONE who uses Bayes should view the last presentation! 1st time I've
had to use my calculus since college :) But you don't need to know that
stuff. But it helps show what is going on with your bayes DB. Shifting and
such. Very good info. His big deal was to remove "Carrier words" from the
Bayes DB. Which were words that had very low percentages, or were found in
both spam/ham. Thus removing some overlap causing FPs. He doesn't go into
detail as it isn't open source...I think.  ALSO a GREAT idea for businesses
was to feed OUTGOING ham into the DB! Builds up a custom Dictionary quick. 
4) Many filters will get to 99% accuracy. The problem after that is simply
users disagreeing on the email.
5) The only filter discussion was on filtering URLs! Hurray for Bigevil! (No
it wasn't mentioned. Darn brightmail!) :) Unless I forgot one. A lot of
discussion about the study of spam and the findings. One good thing was that
a HUGE %, almost all, of spam was in English. I expected maybe some talk on
linguistical analysis, but none. (Fred and Dallas are on the right track
with this stuff.) And if you don't do any email with China or Russia, yeah
blocking would be good ;)
6) Non-SA stuff. Stopping the email at the SMTP level was discussed a lot.
Some really good ideas. One was SPF (I think, sorry there was a lot!) It adds
DNS records to domains. The records show all IP addresses involved with
sending email for that domain. So when someone gets an email they can query
the DNS record to see if the IP matches. This caused quite the discussion of
the audience ;) I like the idea.
7) Non SA. One guy from Hawaii had a pretty cool idea. He uses a more
intelligent Disposable email system. However it really isn't disposable. It
can do things like allow only the next 3 domains to use this email. Or
'lock' the address so that people who have already used can email, but no
new. And of course, challenge response. 
8) Non SA. Challenge response systems were discussed. Many different kinds.
Some that pay you! Lots of possible problems with these systems. The biggest
being virus machines harvesting emails.  I mean the ideas as far as
Challenge response goes were good. But still flawed in my eyes. They even had
plans for slowly bringing the system into action. So the whole internet
didn't have to change. 
9) Inoculation. Nice idea. Kind of like spamcop. Community reports, and
helps others. But more like a P2p setup. 

There was a LOT of stuff. Sorry if I missed some key points. One thing I
have to say is that SA is right there with everyone else. I see about 99%
caught spam WITHOUT bayes and an OLD version! Yeah it has been tweaked and
custom rules up the wazoo, but still! SA was mentioned a few times of
course. :)

There are some other small things I still want to digest and talk to the rule
writers about. Talk about becoming less reactive got me thinking on some
stuff. I urge anyone with the time to view the webcasts. I understood a HELL
of a lot more than last year ;)

Hopefully I'll make it next year!


Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the
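
The SPF check described in item 6 above, as an added example that is not part of the original post: the receiver takes the connecting IP and the sender's domain and evaluates the domain's published record. It handles only the ip4, ip6, include and all mechanisms; the TXT records in ZONE are constructed and stand in for DNS, and the "unsupported" result is this example's own label.

```python
import ipaddress

# Qualifier prefix -> result name (result names as used by SPF, RFC 7208).
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS lookups (reserved example
# domains and documentation address ranges, not real senders).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/28 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8:25::/48 ~all",
    "example.org": "v=spf1 -all",   # a domain that sends no mail at all
}


def check_spf(client_ip, domain, lookup=ZONE.get, depth=0):
    """Evaluate `domain`'s SPF record for the connecting `client_ip`.

    Terms are tried left to right; the first one that matches decides
    the result. `lookup` maps a domain name to its TXT record or None.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = lookup(domain)
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                   # domain publishes no SPF policy

    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                 # a bare mechanism means "pass"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":               # matches every sender
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address in the record
            if network.version == ip.version and ip in network:
                return RESULTS[qualifier]
        elif name == "include":
            # An include matches only when the other domain's record
            # would itself return "pass" for this IP.
            if check_spf(client_ip, arg, lookup, depth + 1) == "pass":
                return RESULTS[qualifier]
        else:
            # a, mx, exists, ptr and the modifiers need further DNS
            # queries and are outside this example.
            return "unsupported"
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.25", "2001:db8:25::1", "203.0.113.9"):
        print(ip, "->", check_spf(ip, "example.com"))
```

A "fail" here only says the IP is not one the domain lists; what the receiving server does with that result is a local policy decision.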

[SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-17 Thread Chris Santerre
I actually thawed out! And so did my car!! Yup, it actually FROZE while I
was driving around 80 mph! No damage at all! Oh happy day :) So everyone in
the cold go out and check your water/antifreeze ratio. And ALWAYS let your
car warm-up before driving like a mad person ;) 

Anywho, like the subject says, these 2 files are updated. The Tripwire file
is almost half the size it was before!

Lots of good changes coming down the pipe for SARE. Clean up of old stuff
going on now. Go easy on those auto update scripts ;)

Link in sig, it's late and I'm tired. If you don't know where to find them
by now, you must be under a rock (Or a Colts Fan!) ;) Go Pats! 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] Image-ONLY e-mails not filtered?

2004-01-17 Thread Chris Santerre


> -Original Message-
> From: Fred [mailto:[EMAIL PROTECTED]
> Sent: Saturday, January 17, 2004 3:54 PM
> To: [EMAIL PROTECTED]
> Cc: Spamassassin-Talk (E-mail)
> Subject: Re: [SAtalk] Image-ONLY e-mails not filtered?
> 
> 
> [EMAIL PROTECTED] wrote:
> > FYI -- I'm noticing SPAMs which contain ONLY an image are not being
> > filtered at all. Specifically, the HTML message only contains simple
> > open/close BODY and HTML tags with just the IMG SRC tag in 
> the middle
> > - which in turn loads a spam-related promotion from somewhere... I
> > was assuming this type of e-mail should be a huge red-flag and/or
> > filtered under the existing "this is an HTML message" rules, but it
> > doesn't appear to be.
> >
> > 
> >  > href="http://www.richdd.com?rid=**somenumber**";> > src="http://www.canzzd.com/v9.gif"; border=0>
> > 
> >
> >
> 
> Try this out for size, they are a few custom rules I have 
> created myself.
> 
> # Catch Image ONLY spams!
> rawbody  __FVGT_rb_HTML_HAS_AHREF eval:html_tag_exists('a')
> rawbody  __FVGT_rb_HTML_HAS_IMG  eval:html_tag_exists('img')
> full  __FVGT_rb_HTML_LEN_80_375 
> /<(?:html|body).{80,375}<\/(?:body|html)>/is
> full  __FVGT_rb_A_THEN_IMG  / meta  FVGT_m_IMAGE_ONLY_SPAM  (__FVGT_rb_HTML_LEN_80_375 &&
> __FVGT_rb_HTML_HAS_AHREF && __FVGT_rb_HTML_HAS_IMG && 
> __FVGT_rb_A_THEN_IMG)
> describe FVGT_m_IMAGE_ONLY_SPAM  Short HTML message with IMG 
> and A HREF
> score  FVGT_m_IMAGE_ONLY_SPAM  3.5
> 
> 
> The size of 80,375 might need to be tweaked but this rule 
> does what you are
> looking for!
> 
>
Just curious, but is the eval:html_tag_exists('a') rule SA 2.60 or better?

--Chris
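
The conditions the quoted rules above combine (a short HTML body, an A HREF, an IMG, and the image sitting inside the link) can be tried on sample mail outside SpamAssassin before they are committed to regexes. This is an added example, not code from the thread or from SpamAssassin; the visible-text threshold, the function names and the two sample messages are constructed assumptions, and only the 375-character upper bound comes from the quoted rule.

```python
import email
from email import policy
from html.parser import HTMLParser

MAX_HTML_LEN = 375      # upper bound from the quoted {80,375} length rule
MAX_VISIBLE_TEXT = 20   # assumption: tolerate a few stray visible characters


class _Scanner(HTMLParser):
    """Counts visible text and images that sit inside an <a href=...>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.link_stack = []     # one bool per open <a>: does it carry an href?
        self.linked_images = 0
        self.text_chars = 0
        self.hidden_depth = 0    # inside <script>, <style> or <title>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.link_stack.append(bool(attrs.get("href")))
        elif tag == "img" and attrs.get("src") and any(self.link_stack):
            self.linked_images += 1
        elif tag in ("script", "style", "title"):
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.link_stack:
            self.link_stack.pop()
        elif tag in ("script", "style", "title") and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        # HTML comments never reach this method, so comment padding is ignored.
        if not self.hidden_depth:
            self.text_chars += len("".join(data.split()))


def is_image_only(html):
    """True for a short HTML body that is just a clickable remote image."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return (len(html.strip()) <= MAX_HTML_LEN
            and scanner.linked_images >= 1
            and scanner.text_chars <= MAX_VISIBLE_TEXT)


def message_is_image_only(raw_message):
    """Apply is_image_only() to every text/html part of a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    parts = [p.get_content() for p in msg.walk()
             if p.get_content_type() == "text/html"]
    return bool(parts) and all(is_image_only(p) for p in parts)


# Constructed sample messages (reserved example domains).
SPAM_SAMPLE = b"""\
From: sender@example.net
To: user@example.org
Subject: (constructed sample)
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><center><a href="http://promo.example.net/?rid=12345">\
<img src="http://img.example.net/v9.gif" border=0></a></center></body></html>
"""

HAM_SAMPLE = b"""\
From: colleague@example.org
To: user@example.org
Subject: (constructed sample)
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><a href="https://www.example.org/">\
<img src="https://www.example.org/logo.png"></a>
<p>Hi Pat, the meeting notes from Tuesday are attached.
Let me know if anything is missing.</p></body></html>
"""

if __name__ == "__main__":
    print("spam sample:", message_is_image_only(SPAM_SAMPLE))
    print("ham sample: ", message_is_image_only(HAM_SAMPLE))
```

Because the check counts rendered text rather than raw bytes, filler hidden in HTML comments does not change the verdict, while a legitimate mail with a linked logo and a normal paragraph is left alone.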




Re: [SAtalk] Ann: "Rules De Jour": An automated way to keep up with the latest rulesets

2004-01-17 Thread Chris Petersen
MAN, that's a lot of code for such a simple task.   mine is just:

#!/bin/sh

# List of files to grab
files="
http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
http://www.merchantsoverseas.com/wwwroot/gorilla/99_FVGT_Tripwire.cf
http://www.emtinc.net/includes/popcorn.cf
http://www.emtinc.net/includes/backhair.cf
http://www.emtinc.net/includes/weeds.cf
"
# change to the spamassassin config directory (stop if it is missing,
# so nothing is downloaded into the current directory by mistake)
cd /etc/mail/spamassassin || exit 1

# Grab all of the requested files
restart=0
for file in $files; do
    if [ "$file" != "" ]; then
        # -N only downloads when the remote copy is newer; wget prints
        # a "saved" line when it actually wrote a file
        wget -N "$file" 2>&1 | grep saved
        # Do we want SA to restart?
        if [ $? = 0 ]; then
            restart=1
        fi
    fi
done

# Restart spamassassin
if [ $restart = 1 ] ; then
    /etc/init.d/spamassassin restart 2>/dev/null 1>/dev/null
    echo "Restarted SpamAssassin"
fi

-- 
Chris Petersen
Programmer / Web Designer
Silicon Mechanics:  http://www.siliconmechanics.com/
Blade Servers:  http://www.siliconmechanics.com/c292/blade-server.php
1U Servers: http://www.siliconmechanics.com/c272/1u-server.php






Re: [WL] [SAtalk] Yikes.. rules_du_jour

2004-01-18 Thread Chris Thielen
All, this message tried to address most of the comments made regarding
RulesDuJour so far.

On Sun, 2004-01-18 at 12:50, Martin Radford wrote:
> At Sun Jan 18 16:06:13 2004, Charles Gregory wrote:
> 
> > A thought, and a suggestion:
> > 
> > Thought: Some of the rules in 'rules du jour' look like they are fairly
> > 'stable'. There is no reason to be downloading 'backhair' or 'weeds'
> > everyday, is there?

Aah, I see I spelled "du jour" wrong, I changed the wiki pages and
script name accordingly. 

> > Suggestion: For frequent changers, like 'evilrules', how about setting up

> HTTP provides a straightforward way to avoid repeated downloads of a
> file that hasn't changed, by sending If-Modified-Since requests.  
> 
> Unfortunately wget doesn't yet support this, though it is mentioned in
> its TODO file.  (This is with wget 1.9.1, which is the current
> version.) 

While wget doesn't use If-Modified-Since, it *does* support conditional
downloading of files using the -N switch.  Instead of using
If-Modified-Since, it sends an HTTP HEAD request, then reads the
Last-Modified header and uses that to determine if it should download
the file or not.
edit: I just noticed Martin already explained this in a followup post.



In regards to excessive bandwidth, I have made every effort to ensure
files are not retrieved unless they have been updated (although with
enough traffic, even bandwidth used by HEAD requests will add up). 
Bob's suggestion of adding a random delay, when run non-interactively
should help cut down on bandwidth spikes at certain times of day.


Regarding rulesets going away, I just added a bit of code that fires off
an email to the administrator if a ruleset file goes missing (returns
404/4XX, domain not found, etc).


Regarding how large the script is, my intention was to create a single
script that managed all my rulesets automatically.  I wanted it to be
easily configurable by newbies, yet flexible enough to handle (for
instance) editing the rules stream inline.  There is also a lot of debug
information so people can (hopefully) understand the logic.


Finally, per some suggestions, I added --lint support.  If spamassassin
--lint fails, the rulesets are rolled back to their original
configuration (before rules_du_jour was invoked).  I also changed the
default behavior when running interactively to output the debug
information.


I put the new version (1.04) up at:
http://sandgnat.com/cmos/rules_du_jour

If this doesn't address somebody's issue or suggestion, yell again --
additional comments welcome.

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/
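
The lint-and-roll-back behaviour described in this message, as an added example (it is not the rules_du_jour script): already-downloaded .cf files are copied into the rules directory, the lint command is run, and every changed file is restored if it fails. The function name, its status strings and the staging layout are assumptions of this example; `spamassassin --lint` is the command named above.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

LINT_CMD = ["spamassassin", "--lint"]   # the check named in the message above


def _lint_ok(lint_cmd):
    """Run the lint command; a missing binary or a hang counts as failure."""
    try:
        result = subprocess.run(lint_cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=120)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def _restore(changed):
    """Put back every file touched during this run."""
    for target, backup in changed:
        if backup is None:
            target.unlink(missing_ok=True)   # file did not exist before
        else:
            shutil.copy2(backup, target)


def install_rulesets(new_files, rules_dir, lint_cmd=LINT_CMD):
    """Install downloaded .cf files, lint, and undo everything on failure.

    new_files are local paths that were already fetched. Returns
    "unchanged", "installed" or "rolled_back"; only "installed" means
    the filter should be restarted.
    """
    rules_dir = Path(rules_dir)
    backup_dir = Path(tempfile.mkdtemp(prefix="sa-rules-backup-"))
    changed = []   # (installed path, backup path or None if the file is new)
    try:
        try:
            for src in map(Path, new_files):
                target = rules_dir / src.name
                backup = None
                if target.exists():
                    if target.read_bytes() == src.read_bytes():
                        continue                  # identical, nothing to do
                    backup = backup_dir / src.name
                    shutil.copy2(target, backup)  # keep the working copy
                changed.append((target, backup))  # record before overwriting
                shutil.copy2(src, target)
            if not changed:
                return "unchanged"
            if _lint_ok(lint_cmd):
                return "installed"
        except OSError:
            pass        # a failed copy is handled like a failed lint
        _restore(changed)
        return "rolled_back"
    finally:
        shutil.rmtree(backup_dir, ignore_errors=True)


if __name__ == "__main__":
    import sys
    # Usage: script.py RULES_DIR FILE.cf [FILE.cf ...]
    status = install_rulesets(sys.argv[2:], sys.argv[1])
    print(status)
    sys.exit(0 if status != "rolled_back" else 1)
```

A passing lint only shows that the rules parse; it says nothing about whether a file fetched over plain HTTP is the one its author published, so comparing against a known checksum is a separate check.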





RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-18 Thread Chris Santerre
Thanks for the list. Many are already in the latest update. I do look at
what people send me. Because I use a bunch of DNSBLs I don't see as many
spams as others. I also may have anywhere from 1-5 days lag between when I
(We, you, etc.) get the spam and when I update. This is due to testing,
having to complete work for my real job, and maybe some time with the family
;)

I'll take a look at all of these. I prefer to have an example of each spam
that I'm adding to the list. This way if someone asks, I can show them :)

--Chris


> -Original Message-
> From: David A. Carter [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 18, 2004 12:18 PM
> To: Chris Santerre
> Cc: Spamassassin-Talk (E-mail)
> Subject: Re: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k
> 
> 
> Quoting Chris Santerre <[EMAIL PROTECTED]>:
> 
> > Anywho, like the subject says, these 2 files are updated. 
> The Tripwire
> > file
> > is almost half the size it was before!
> 
> Sorry if this is a FAQ; couldn't see a definitive answer in 
> the archives. I
> have a very small list of domains that I get tons of spam 
> from which aren't
> in bigevil. Should I send you my list of domains, or do you 
> need more than
> that, such as example spam from the domains in question? 
> 
> In any case, here's my list. I didn't find any of these in 
> the latest bigevil:
> 
> uri CarterEvilList_1
> /\b(?:tooshortz\.us|pharmawarehouse\.biz|timezsquarepatry\.com
> |countupandlookaway\.com|56x\.com|54000
> 0x\.com|2006hosting\.com|2005hosting\.com|valuepointmeds\.biz|
> holdontrywow\.com|pharmacourt\.biz|thatrxstore\.biz|pharmacyco\.
> com|ezadvertising\.us)\b/i
> describe CarterEvilList_1   Generated CarterEvilList_1
> score CarterEvilList_1  3.0
>  
> Regards;
> 
> DaC
> 
> 




RE: [SAtalk] Re: [RD] Offered Rules

2004-01-19 Thread Chris Santerre
Inline below

> -Original Message-
> From: Robert Menschel [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 18, 2004 11:02 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Re: [RD] Offered Rules
> 
> 
> Here's my next set of possible rules for submission to the 
> SpamAssassin
> distribution set.
> 
> URI rules may tend to be more transient than other types of 
> rules, since
> it's so easy for spammers to change domain names. I'm 
> therefore including
> only those that hit at least 0.15% of my spam. Well, the 
> pillsavings rule
> has hit several domains over several months, so that one I'll keep in,
> though it's not quite 0.15%. Ditto the href= rule.
> 
> Feedback and/or mass-checks on these before formal submission are
> invited.
> 
> Bob Menschel
> 
> 
*snip URI rules*

This is just my opinion, but I dislike putting temp rules into a distro.
Things like Paris, Hilton, Saddam playing cards, and URIs. I think a distro
could be around much longer than any of these temp things. So many people
would be wasting CPU cycles and memory. 

Some ISPs use 2.4x still. If that had a rule for the OJ simpsons case and
they had a few 1000 users :)

I'm still trying to figure out how I'm going to expire domains in bigevil!

> 
> uri       RM_up_hrefinuri /href=/i
> describe  RM_up_hrefinuri link includes href within code
> score     RM_up_hrefinuri 3.000  # 106s/0h of 92209 corpus (74874s/17335h) 01/17/04
> 
> uri       RE_uwd_DefaultAsp /\/default\.asp\?id\=/i
> describe  RE_uwd_DefaultAsp Contains a likely spammer default.asp link.
> score     RE_uwd_DefaultAsp 4.500  # type=spamp - 1137s/0h of 92209 corpus (74874s/17335h) 01/17/04
> 
> uri       RM_uwd_defaultN  /\/default\d{1,5}\.htm/i
> describe  RM_uwd_defaultN  text points to sequentially numbered "default" page
> score     RM_uwd_defaultN  3.000  # 1322s/2h of 92209 corpus (74874s/17335h) 01/17/04
>   # ham: 1999 (1), 2003: http://movies.fantasticfactory.com/dagon/default8.htm in ToS email.
>
> 
> uri       RM_uwd_UnsubscribePHP /unsubscribe\.php/i
> describe  RM_uwd_UnsubscribePHP text uri to unsubscribe link
> score     RM_uwd_UnsubscribePHP 3.000  # 236s/0h of 92209 corpus (74874s/17335h) 01/17/04
> 

These last four rules are SURPRISING! I would never have guessed those
results! Looks good! 

--Chris




RE: [SAtalk] Re: Resolving and hat-checking spamvertised URLs...

2004-01-19 Thread Chris Santerre
I was hoping more people would be running this by now. What is the average
scan time per msg when using this? Any timeouts?  I know this was being
worked on for 2.70, but heck you got it here as a patch already! 

--Chris (Really needs to upgrade but still proving a point.)

> -Original Message-
> From: Jonas Eckerman [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 18, 2004 9:01 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Re: Resolving and hat-checking spamvertised URLs...
> 
> 
> > My patch against SpamAssassin 2.60 (Debian/unstable: 2.60-2)
> 
> > http://docsnyder.de/nospam/sa_check_blackhat_isps.patch.gz
> 
> 
> 
> Just thought I tell you that I've just applied the patch to 
> SpamAssassin 2.62
> 
> (plain tar.gz-distro, no rpm/package).
> 
> 
> 
> The patch worked fine, SpamAssassin seems to work, and so far 
> one mail has
> 
> triggered a URIIP test.
> 
> 
> 
> I've only been running with the patch for a few minutes, so I can't know
> whether it created any problems yet. If I do find any problems, I'll come
> back and tell you about it.
> 
> 
> 
> Regards
> 
> /Jonas
> 
> 
> 


RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-19 Thread Chris Santerre
That is a completely different set of rules all together. Not really a set,
more like a collection. Soon there will be one cf file with all the heavy
hitters from the whole SARE created. Sorted in order of lethality as well.
I'm trying to prune the low hanging fruit rules first. 

So you can go ahead and grab the 90_FVGT.cf rules.

--Chris


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 11:22 AM
> To: [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k
> 
> 
> Chris,
> 
> What about 
> http://www.merchantsoverseas.com/wwwroot/gorilla/90_FVGT.cf file
> you submitted?  Is that rule set superseded by bigevil and tripwire?
> 
> thanks,
> Donald
> 
> -Original Message-
> From: Chris Santerre [mailto:[EMAIL PROTECTED]
> Sent: Saturday, January 17, 2004 10:18 PM
> To: Spamassassin-Talk (E-mail)
> Subject: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k
> 
> 
> I actually thawed out! And so did my car!! Yup, it actually 
> FROZE while I
> was driving around 80 mph! No damage at all! Oh happy day :) 
> So everyone in
> the cold go out and check your water/antifreeze ratio. And 
> ALWAYS let your
> car warm-up before driving like a mad person ;) 
> 
> Anywho, like the subject says, these 2 files are updated. The 
> Tripwire file
> is almost half the size it was before!
> 
> Lots of good changes coming down the pipe for SARE. Clean up 
> of old stuff
> going on now. Go easy on those auto update scripts ;)
> 
> Link in sig, it's late and I'm tired. If you don't know where 
> to find them
> by now, you must be under a rock (Or a Colts Fan!) ;) Go Pats! 
> 
> Chris Santerre 
> System Admin and SA Custom Rules Emporium keeper 
> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
> 'It is not the strongest of the species that survives,
> not the most intelligent, but the one most responsive to change.'
> Charles Darwin 
> 




RE: [SAtalk] Exchange and autolearn

2004-01-19 Thread Covington, Chris
How did you setup all *SPAM* messages to get moved automatically
to a Spam folder?  Is it setup by the users or system-wide?  I'd love to
do that system-wide but it's too much to train every user to create
rules, etc. so I have mail redirected to a public spam folder for
periodic review by IT for FPs.

Chris 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
vagabond
Sent: Tuesday, January 13, 2004 5:07 PM
To: 'Dan'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] Exchange and autolearn

I do something like this - SA/spamass-milter/RH9 relaying all mail to
Exchange 2000.

This gives the appearance of working ...

In Outlook (ie Exchange) all "*SPAM" messages are moved to a "Spam"
folder.  On RH9 box I have set up an IMAP account to my Windows account.
Spamd runs in the context of a user account (spamd).  I have another two
user accounts on the linux box (spam and ham).  On a regular basis (from the
RH9 box) I move all messages from the exchange "spam" folder to the inbox of
"spam" on the linux  (same for ham).

I then run (su - spamd) "sa-learn [--spam|--ham] --showdots --mbox
/home/john/.mozilla/default/Inbox" which gives the appearance of learning
messages...

Periodically, I run sa-learn --dump magic which shows new spam/hams being
added.

Of course, I could be doing this all wrong ...

john

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan
Sent: 13 January 2004 18:23
To: [EMAIL PROTECTED]
Subject: [SAtalk] Exchange and autolearn

Hi guys!

I have an email gateway running spamassassin, amavisd-new and postfix.
I am blocking a good chunk of spam. However, I am trying to figure out a
good way to get the users involved in creating our own "blacklist" (I work
for a private company, not an ISP)

The mail gateway sits in front of our exchange server. I have created a
public folder on the exchange box for the users to drag spam to. But I
guess the next question is: how do I get the mail "with headers
attached" from the MS box back to the mail gateway so I can autolearn?
Fetchmail?

Any thoughts? Is anyone else doing anything like this? Or maybe I am going
about this the wrong way?

Thanks in advance!
Dan










RE: [SAtalk] BigEvil Archive

2004-01-19 Thread Chris Santerre
Huh? That was posted 2 days ago! And I had tested it longer than that! If
there was an error, I would have heard about it within an hour of posting.
What kind of errors in the log? Anyone else having a problem?

--Chris

> -Original Message-
> From: Carl Chipman [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 2:45 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] BigEvil Archive
> 
> 
> Does anyone have an older copy of BigEvil.cf?  I downloaded today's, and my
> Kerio mail server wouldn't start...
> 
> 
> Carl Chipman
> Nomadics, Inc.
> [EMAIL PROTECTED]
> http://www.nomadics.com
> 
> 
> 
> 
> 
> 




RE: [SAtalk] Three that got through yesterday

2004-01-19 Thread Chris Santerre


> -Original Message-
> From: Evan Platt [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 12:36 PM
> To: SpamAssassin
> Subject: Re: [SAtalk] Three that got through yesterday
> 
> 
> 
> 
> --On Monday, January 19, 2004 10:51 AM -0500 "Christopher X. Candreva"
> <[EMAIL PROTECTED]> wrote:
> 
> > Example - one had a subject:
> > Subject: mail Real brutal other porn with see young girls most
> 
> Yoda has turned to the dark side and started spamming. :)
> 
> Evan
> 
> 

Ahahahahahahah I can see him at the keyboard now, with a cig hanging from
his mouth and a bottle of JD in one hand! Oh man. I need to photoshop a
pic like that!

Thanks for the laugh! I needed it today as well! Sprinkler pipe in building
froze and burst over the weekend. 1 CPU gone. *whew* 

--Chris (Pats by 10 points in Texas!) 




RE: [SAtalk] BigEvil Archive

2004-01-19 Thread Chris Santerre


> -Original Message-
> From: SpamTalk [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 3:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] BigEvil Archive
> 
> 
> > -Original Message-
> > From: Chris Santerre [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, January 19, 2004 2:12 PM
> > To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> > Subject: RE: [SAtalk] BigEvil Archive
> > 
> > Huh? That was posted 2 days ago! And I had tested it longer 
> > then that! IF there was an error, I would have heard about it 
> > within an hour of posting.
> > What kind of errors in the log? ANyone else having a problem
> > 
> > --Chris
> > 
> > > -Original Message-
> > > From: Carl Chipman [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, January 19, 2004 2:45 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [SAtalk] BigEvil Archive
> > > 
> > > 
> > > Does anyone have an older copy of BigEvil.cf?  I 
> downloaded todays, 
> > > and my Kerio mail server wouldn't start...
> > > 
> > > 
> > > Carl Chipman
> > > Nomadics, Inc.
> > > [EMAIL PROTECTED]
> > > http://www.nomadics.com
> 
> How often might partial downloads occur?
> Maybe just zip the file, the unzip should yell if it is corrupt.
> Shouldn't be hard to modify the rules_du_jour script to accommodate zipped
> .cf files.
> 
> 

There is a "#EOF" at the end of the file to make sure it is completely
downloaded. Maybe that could be searched for?

--Chris




RE: [SAtalk] BigEvil Archive

2004-01-19 Thread Chris Santerre
Bah! What was that quote? Something about real men put their files on the
internet and letting the world be their backup? Theo has it. :)

--Chris (OH I hate EDI! Standard my #$^!)

> -Original Message-
> From: Gary Smith [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 4:21 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [SAtalk] BigEvil Archive
> 
> 
> Chris, 
> 
> Not to sound real bad but you should also be making your own local
> copies.  I have scripted the download, compare, copy if different and
> then archive.  I run it every hour.  If there is ever a problem I can
> just go to one of my archives and then recover.
> 
> You should probably consider doing something similar.  Not to say that
> Chris S. would ever give you a bad file but sometimes the transfer agent
> will do this...  Plus you can also check for any errors prior to putting
> the file into place (if you didn't get a status 200 then there was a
> problem).
> 
> That's just my $0.02.  Your mileage might vary.
> 
> Gary Smith
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Carl
> Chipman
> Sent: Monday, January 19, 2004 11:45 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] BigEvil Archive
> 
> Does anyone have an older copy of BigEvil.cf?  I downloaded today's, and my
> Kerio mail server wouldn't start...
> 
> 
> Carl Chipman
> Nomadics, Inc.
> [EMAIL PROTECTED]
> http://www.nomadics.com
> 
> 
> 
> 
> 
> 
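
The two safeguards raised in this thread, the `#EOF` end-of-file marker and Gary Smith's download, compare, copy-if-different, archive routine with its status 200 check, fit together as one staged update. This is an added example, not code from the thread or from the rules_du_jour script; the function names, paths and archive naming are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): staged update of a downloaded ruleset.
# Function names, paths and the archive naming scheme are assumptions.

# fetch_ruleset URL OUTFILE
# Download into a staging file and succeed only when the server answered 200.
fetch_ruleset() {
    code=$(curl --silent --show-error --output "$2" \
                --write-out '%{http_code}' "$1") || return 1
    [ "$code" = "200" ]
}

# is_complete FILE
# True when the file is non-empty and its last non-blank line is the "#EOF"
# marker, i.e. the transfer was not cut short. Trailing blanks/CRs are ignored.
is_complete() {
    [ -s "$1" ] || return 1
    last=$(sed 's/[[:space:]]*$//' "$1" | awk 'NF { l = $0 } END { print l }')
    [ "$last" = "#EOF" ]
}

# install_ruleset STAGED DEST ARCHIVE_DIR
# Returns 0 = installed, 1 = rejected or failed, 2 = unchanged.
install_ruleset() {
    staged=$1; dest=$2; archive=$3

    if ! is_complete "$staged"; then
        echo "rejected: $staged has no #EOF marker (truncated download?)" >&2
        return 1
    fi

    # Compare: identical content means there is nothing to do.
    if [ -f "$dest" ] && cmp -s "$staged" "$dest"; then
        return 2
    fi

    # Archive the copy that is currently live so it can be restored.
    mkdir -p "$archive" || return 1
    if [ -f "$dest" ]; then
        stamp=$(date +%Y%m%d%H%M%S)
        cp -p "$dest" "$archive/$(basename "$dest").$stamp" || return 1
    fi

    # Copy beside the destination, then rename: the rename is atomic on one
    # filesystem, so a reader never sees a half-written file.
    tmp="$dest.new.$$"
    cp "$staged" "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    return 0
}

# update_ruleset URL DEST ARCHIVE_DIR: the whole cycle, suitable for cron.
update_ruleset() {
    stage=$(mktemp) || return 1
    if fetch_ruleset "$1" "$stage"; then
        install_ruleset "$stage" "$2" "$3" && rc=0 || rc=$?
    else
        echo "download failed or status was not 200: $1" >&2
        rc=1
    fi
    rm -f "$stage"
    return "$rc"
}
```

Return code 2 (unchanged) lets a cron wrapper skip the `spamassassin --lint` run and the daemon restart when nothing new arrived.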




Re: [SAtalk] New Ruleset: EvilNumbers

2004-01-19 Thread Chris Petersen
> Lets not forget parentheses.  Here is how I would have it look. 
> [\s(\(|\-|\)\.]+
> Well I hope it is correct.

[\s\(\)\-\.]+

-- 
Chris Petersen
Programmer / Web Designer 
Silicon Mechanics:  http://www.siliconmechanics.com/
Blade Servers:  http://www.siliconmechanics.com/c292/blade-server.php
1U Servers: http://www.siliconmechanics.com/c272/1u-server.php





Re: [SAtalk] New Ruleset: EvilNumbers

2004-01-19 Thread Chris Petersen
> The rules should already account for the optional ( & ) around the area
> codes, the (\s|-|\.) only appeared after the area code.  Maybe this will
> have to change soon now that the rules are "in the wild" :)
> --example--
> /\(?203\)?(\s|-|\.)(?:234(\s|-|\.)0292|286(\s|-|\.)2187)/
> --example--

My main issue with your syntax is that if you really want to not include
() and multiple instances, you could use [\s\-\.] instead of (\s|-|\.).
The [] syntax is *much* faster (according to various perlre things I've
read).

Personally, I'd go for catching as much as possible, and go with
[\s\(\)\-\.]+ (heck, I would probably go as far as just doing \W+ or \W*
to catch any characters the spammers might try to throw in).

-- 
Chris Petersen
Programmer / Web Designer 
Silicon Mechanics:  http://www.siliconmechanics.com/
Blade Servers:  http://www.siliconmechanics.com/c292/blade-server.php
1U Servers: http://www.siliconmechanics.com/c272/1u-server.php
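
To see what each separator pattern from this thread actually catches, the following added example (not part of the original posts) runs them over constructed sample lines with `grep -E`. The patterns are POSIX ERE translations of the Perl forms, which is an assumption of this sketch: `[[:space:]]` stands in for `\s` and `[^[:alnum:]_]` for `\W`; the sample lines and function names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): compare the separator patterns
# discussed above on constructed input. ERE translations are an assumption.

# Constructed sample lines: one number from the quoted rule written several
# ways, plus lines that should not be read as that phone number.
samples() {
cat <<'EOF'
call 203-234-0292 now
call (203) 234-0292 now
call (203)234-0292 now
call 203 - 234 . 0292 now
call 203.234.0292 now
call 203*234*0292 now
order 2032340292 shipped
invoice 203 items, ref 234/0292
EOF
}

# (\s|-|\.)      exactly one separator, written as alternation (quoted rule)
PAT_ALTERNATION='\(?203\)?([[:space:]]|-|\.)234([[:space:]]|-|\.)0292'
# [\s\-\.]       the same set written as a character class
PAT_CLASS='\(?203\)?[[:space:].-]234[[:space:].-]0292'
# [\s\(\)\-\.]+  one or more separators, parentheses included
PAT_CLASS_PLUS='\(?203[[:space:]().-]+234[[:space:]().-]+0292'
# \W*            any run of non-word characters, including none at all
PAT_NONWORD='203[^[:alnum:]_]*234[^[:alnum:]_]*0292'

# count_hits PATTERN: number of sample lines the pattern matches
count_hits() {
    samples | grep -E -c -e "$1" || true
}

# hits PATTERN: the matching lines themselves
hits() {
    samples | grep -E -e "$1" || true
}

# report: one summary line per pattern
report() {
    for name in ALTERNATION CLASS CLASS_PLUS NONWORD; do
        eval "pat=\$PAT_$name"
        printf '%-12s %s of 8 lines\n' "$name" "$(count_hits "$pat")"
    done
}

report
```

The alternation and the single-character class match the same lines, so switching between them changes speed, not coverage. The `\W*` form also matches the bare digit run `2032340292`, trading coverage for a higher chance of hitting order numbers and similar strings.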





Re: [SAtalk] Rules_Du_Jour idea

2004-01-19 Thread Chris Thielen
On Mon, 2004-01-19 at 17:18, Robert Leonard III wrote:
> Something I added in here, but is also an easy to do separate cron job is to 
> update Razor2 and Pyzor (if being used)...  'course I'm a newbie Linux Hack 
> and this may be a horribly bad idea...  but it helped me out once, so I 
> thought I'd pass the idea on :)

Might be neat, but I think this sort of thing is best left to scripts
specifically for each operating system.  For instance, both razor and
pyzor are kept up to date via apt-get on my Debian system.

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/





RE: [SAtalk] Schools Slapped? FVGT

2004-01-20 Thread Chris Santerre
> -Original Message-
> From: Scott Williams , Area4 [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 9:50 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Schools Slapped? FVGT
> 
> 
> I just started using the  FVGT rules and got this FP.
> Do I understand this right, the rule below penalizes (scores high) anyone
> with a .us domain?
> 
> Many schools across the country use the   .k12.ss.us  format where ss is
> their state two letter identifier.
> 
>   thanks
> 
> SCott
> 2.4 FVGT_u_BZ_TLD  URI: FVGT - Contains a URL in the BZ, TC, US or WS top-level domain
> 

Yup, this is correct. We are going thru all the rules in the SARE and will
probably rescore them all based on RM's formula. This one seems a tad high :) I
would lower that to around .45-.65 for my taste. 

HTH

--Chris




[SAtalk] mdpillsource.com using trojaned machines.....

2004-01-20 Thread Chris Santerre
I've been tagging a lot of mdpillsource.com spam. They don't hit bigevil
because there is no URI in the text format. However the spam hits a ton of
other rules. One thing I noticed is this spammer must be using trojaned
machines. The last one came in from:

dhcp-v53-89.cudenver.edu [132.194.53.89])

and a bunch more from possible open relays. This guy is sending from all
over and at a good rate. I suggest a separate (raw)?body rule for him. 

body MY_PILLSOURCE /mdpillsource\.com/
describe MY_PILLSOURCE Log on Ventures Dirtbag.
score MY_PILLSOURCE 4.0 # Because no one rule should make it spam. 


More info:

Registrant:
   Log On Ventures Inc.
   28 Regent St.
   Belize City 0
   Belize

   Registered through: International Global Media
   Domain Name: MDPILLSOURCE.COM
  Created on: 24-Nov-03
  Expires on: 24-Nov-04
  Last Updated on: 12-Dec-03

   Administrative Contact:
  Ventures Inc., Log On  [EMAIL PROTECTED]
  28 Regent St.
  Belize City 0
  Belize
  4156341323  Fax -- 4156341323
   Technical Contact:
  Ventures Inc., Log On  [EMAIL PROTECTED]
  28 Regent St.
  Belize City 0
  Belize
  4156341323  Fax -- 4156341323

   Domain servers in listed order:
  NS0O01.GOODWEBRX.COM
  NS0O01.MYEFUTURE.NET


Chris Santerre 




[SAtalk] Bigevil update 2.06L

2004-01-20 Thread Chris Santerre
Just posted 2.60L.

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] Custom Subject rules not being picked up

2004-01-20 Thread Chris Thielen
On Tue, 2004-01-20 at 14:41, David Logan wrote:
> Thanks guys..
> Made the change and also I run spamassassin with mimedefang and I reread
> the mimedefang file - now seems to work !!
> Cheers.


> > Example:
> > header SUBJECT_VICODIN  Subject =~ /\bvicodin\b/
> > describe SUBJECT_VICODIN  Mentions vicodin
> > score SUBJECT_VICODIN     4.0
> > (I took this example from Chris' site
> http://sandgnat.com/cmos/cmos.jsp
> > )

David,
Are you aware that the rule you have asked about does not detect
obfuscation?  The rules at the cmos.jsp page which are in the top text
box aren't intended to be added to your config.  The rules in the bottom
box are generated from the simple rules in the top box, and can detect
obfuscation.

FYI,
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





RE: [SAtalk] Automated ruleset download

2004-01-20 Thread Chris Santerre




http://sandgnat.com/cmos/rules_du_jour
 
I save WAY too many emails :)

--Chris

-Original Message-
From: JRiley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 20, 2004 1:52 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Automated ruleset download

Just curious, if there is a script (be it perl or otherwise), that anyone has
written, that will perform an automated 'download' of the different SARE (or
other) SA rulesets?
I wouldn't think this would be too difficult to do, and have a scheduled
restart of the MTA calling SA to implement it.

thanks
-JR


Re: [SAtalk] One that got through

2004-01-20 Thread Chris Thielen
On Tue, 2004-01-20 at 16:12, Jonathan Nichols wrote:
> http://www.pbp.net/~jnichols/spam.txt
> 
> It also slipped right by Mailscanner on another host, but I'm surprised 
> that it scored 0.0 on my SA setup (backhair, weeds, everything in 
> rules_du_jour)

FWIW, here's what it scored on my system:

X-Spam-Status: Yes, hits=8.6 required=5.0 tests=BAYES_50=0.001
HOSTED_AT_CHINANET=2 HOSTED_IN_CHINA=3 LOCAL_OBFU_ONLY_VGR=1.8
LOCAL_OBFU_VGR=1.8 autolearn=no version=2.60

The HOSTED_AT and HOSTED_IN are from a patch to SA 2.60 that was posted
a few months back that looks up spamvertised urls in certain blackholes
(those CHINA* scores are indeed very high; I've been meaning to lower
them, but I'm not very motivated since I haven't personally seen any
false positives yet)

The LOCAL_OBFU are generated from http://sandgnat.com/cmos/

HTH
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





Re: [SAtalk] Configure Alt-N Mdaemon's SpamAssassin?

2004-01-20 Thread Chris Thielen
On Tue, 2004-01-20 at 18:12, Evan Platt wrote:
> I've talked to a few people running Alt-N Mdaemon, and I'd like to run it
> at home... It appears it uses SpamAssassin (version 2.55 according to the
> headers). And while I like it that it's integrated, I'd rather have more
> control over it. Does anyone know if it's possible to configure the SA in
> Alt-N mdaemon? I guess I could always run the Win32 version, but if it's
> easier to modify the migrated version, and preferably upgrade it...
> 
> Thanks.
> 
> Oh, and yes, I know this is off topic. I am the same person that's annoyed
> by "Can I have spamassassin delete mail"? However ... Umm.. I'll shutup now.

Evan,
While I don't know anything specific about Alt-N, I know I get some hits
to my site from their discussion board: 
http://lists.altn.com/[EMAIL PROTECTED]@.ee8c9cf
Might have better luck finding experienced people there.

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





[SAtalk] Bigevil updated again :)

2004-01-20 Thread Chris Santerre
Just posted 2.06M which contains 1 single additional entry for:

oem-expert.biz

Why just for one domain? Because they are doing a dictionary attack on a
fellow list member resulting in a DOS. 

Let the larting begin!

http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] how many spam/ham do I have in my bayes db?

2004-01-20 Thread Chris Santerre


> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 4:04 PM
> To: Adrian Simmons
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] how many spam/ham do I have in my bayes db?
> 
> 
> At 03:36 PM 1/20/2004, Adrian Simmons wrote:
> >Ralf Vitasek wrote:
> >
> > > in case you have SA 2.6x
> > > then just type "sa-learn --dump magic"
> >Ah, yes, exactly. And now that I re-read the man page that seems obvious.
> >I put my lack of understanding down to the non-intuitiveness of the term
> >'magic' :) Well, at least for me.
> 
> 
> The above statement is rather amusing when you re-read your original
> question..
> 
> "one could probably dump the db and go hunting for the magic numbers"
> 
> Apparently you only subconsciously knew what the term "magic" meant :)
> 
> 
> >Thanks to Ralf and Matt who both suggested this.
> 
> YW. 
> 

I agree, "magic" is a little confusing. I suggest the devs change it to
"one_ring_to_bind_them_all". That should clear it up for some. :)

--Chris(Wishes to take our 1970s 'business' software for a visit to Mr.
DevNull!) Santerre




RE: [SAtalk] More obfuscation

2004-01-20 Thread Chris Santerre
I'm not sure where the post is, but about 3 weeks ago I think Dallas put a
semi-end to the spell-checker debate :) He ran one and the outcome wasn't so
good. 

--Chris

> -Original Message-
> From: Charles Gregory [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 4:37 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] More obfuscation
> 
> 
> 
> I'm starting to see mail with TEXT obfuscation, such as:
>    I heard you need viagrPa. 
> Note the capital P thrown in to our favorite 'v' word.
> It is really beginning to look like we need a genuine spelling checker, or
> some sort of 'approximation' technology, if such exists. There is no
> 'pattern' I can think of to defeat this mis-spelling spam in any other
> way.
> 
> - Charles
> 
> 
> 
> 




RE: [SAtalk] [OT] - The current state spam.

2004-01-21 Thread Chris Santerre


> -Original Message-
> From: Fred [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 9:39 AM
> To: AltGrendel; Spamassassin-Talk (E-mail)
> Subject: Re: [SAtalk] [OT] - The current state spam.
> 
> 
> AltGrendel wrote:
> > On Tue, 2004-01-20 at 18:28, Fred wrote:
> >>
> >> I can not imagine what it would be like to work for an abuse dept. at
> >> an internet company and receive hundreds or thousands of complaints
> >> about customers computers being hijacked or turned into spam zombies.
> >>
> > Non-original joke:
> >
> > I think that job is usually assigned to /Dave/Null.
> 
> 
> That's what I'm all worked up about.  If these large broadband providers
> were more pro-active a lot of things would be different.
> Take the following events for example:
> Massive DDOS attacks which take down large sites like yahoo.com and many
> others.
> Massive Habeas forgery causing mass-confusion on why people are seeing spam.
> (majority cable / dsl zombies)
> Preventing those people who choose to use our computers without our
> permission and knowledge.
> Most people I know have to pay for their cable & DSL connection and they pay
> way too much money for it.
> 
> Maybe a simple solution would to be making the cable / dsl customers receive
> a new IP address every 2 hours?
> I am sure this will anger many but would make spam advertised sites go down
> much faster.
> 
> Give all cable / dsl a private IP address and allow real IP if requested.
> Those who are not familiar with the internet tend to get themselves into
> trouble by accident.  Protected behind a private IP would protect them from
> many of the issues I'm upset about.  That alone would have helped to prevent
> spread of Blaster type worms.  Why leave un-knowing people in front of the
> defenses when they don't even know a war is being waged.
> 
> From a little research I find that cable & dsl are being used for hosting the
> spam content as well as DNS hosting for their domains and also for sending
> the spam messages.  If we take out that massive source of zombies the
> spammers would be in deep trouble.  They would be forced to pay for hosting,
> or hack into companies / schools which would make them more likely to be
> caught.  Or funnier yet, hack modems for hosting, that'll be the day!
> 
> If I'm going after a website for spamming me I target the following in
> order:
> Step 1: Whois records, against valid contact information.  Many registrars
> say they will suspend a domain for invalid contact records.
> Step 2: Next comes DNS servers.  Check the domain name on the dns servers
> and attempt step 1.
> Step 3: Netblock of website.  Most times I find a massive listing of cable /
> dsl zombies used for hosting website.
> Step 4: Netblock of DNS provider.  Same results of step 3 found.
> Step 5: Get mad and give up.  Re-think attack and plan new methods.
> 
> 
> Frederic Tarasevicius
> 

I also try the same. Some ISPs are useless to try to talk to, Above.net.
They will end up blacklisting the complainee! (Is that a word?) :)

I'm trying to find some stats on spam origins. Particularly by ISP. I see
very little spam coming from cox.net cable modems vs. a buttload from
Comcast. Would be nice to know the biggest ones and start a movement one at
a time to get this problem fixed. If I've learned anything from this list,
it's a group has a far better chance of getting things done than 1 person. 

Consider me with you Fred.

--Chris 




Re: [SAtalk] BigEvil Scoring

2004-01-21 Thread Chris Thielen
Yes: http://www.exit0.us/index.php/RulesDuJourMungeScripts



On Wed, 2004-01-21 at 09:16, Rose, Bobby wrote:
>  Is there an easy way of changing the BigEvil Scores without modifying
> bigevil.cf which gets updated a lot?  And without duplicating them into
> local.cf.
> 
> -=B
> 
> 
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/





RE: [SAtalk] [OT] - The current state spam.

2004-01-21 Thread Chris Santerre
Yeah, we have had this same conversation on another list a week ago. We are
saying by DEFAULT an ISP should block the ports, BUT it should be removed
if asked, and FREE of charge. I'm sure the percentage of users who would
request it would be like 5%. Then it would be easy to monitor traffic (not
data) of those 5%. 

ISPs used to complain about the costs of hardware vs. traffic. I'd say this
would help them in the long run. Don't raise my broadband bill, decrease the
spam traffic on your net! 

--Chris

> -Original Message-
> From: James [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 10:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [SAtalk] [OT] - The current state spam.
> 
> 
> Not to flame anyone, but I sure do hope my isp never blocks ports. I
> don't pay for obstructed internet access.  I do run a small mail server
> from my home dsl connection.  I allow family members to use that to send
> to/from.  The local cable provider here (Brighthouse) just about blocks
> all inbound ports.  This is fine for the normal internet user, but for
> those of us who know what we are doing this hurts us.  If my isp were to
> block ports, that would hinder on what I am doing.  I don't have a
> professional dsl line (3x as much as residential) and in order for me to
> get a professional line, I would need to buy a professional phone
> service from the phone co (again, 3x the price).  A whole lot of bloat I
> don't need nor want.  My modem has a very good firewall built in and
> uses nat.  This is the normal, default setup.  The isp doesn't provide
> any solutions in overriding it, but is allowed.  I use an internal
> router with nat instead of the modem's built in.  I think this is a much
> better way of blocking ports than isp's blocking ports.  If isp's set up
> this feature properly, then allow us advanced users to "unlock" so to
> speak, this is more desirable IMHO. This technology obviously exists and
> I think is a much better option.
> 
> Thanks, 
> James 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Pierre Thomson
> Sent: Wednesday, January 21, 2004 10:13 AM
> To: Chris Santerre
> Cc: Spamassassin-Talk (E-mail)
> Subject: RE: [SAtalk] [OT] - The current state spam.
> 
> It's not strictly a spam measurement, but www.senderbase.org has
> excellent real-time lists of outbound mail volume by ISP and IP address.
> 
> Pierre
> 
> 
> -Original Message-
> From: Chris Santerre [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 10:08 AM
> To: 'Fred'; AltGrendel; Spamassassin-Talk (E-mail)
> Subject: RE: [SAtalk] [OT] - The current state spam.
> 
> ...
> I'm trying to find some stats on spam origins. Particularly by ISP. I see
> very little spam coming from cox.net cable modems vs. a buttload from
> Comcast. Would be nice to know the biggest ones and start a movement one at
> a time to get this problem fixed. If I've learned anything from this list,
> it's a group has a far better chance of getting things done than 1 person.
> 
> Consider me with you Fred.
> 
> --Chris 
> 
> 


Re: [SAtalk] Popcorn & Backhair have been combined into 1 Set

2004-01-21 Thread Chris Thielen
On Wed, 2004-01-21 at 15:40, Jennifer Wheeler wrote:


> I will update the page when I get some free time in the hopes of making
> this change more clear.  I left Popcorn on there for now, but like I
> said, if you use Backhair version 1.1 (just posted it) you no longer
> (sniff sniff...) need Popcorn... 

So if I grab Jennifer's backhair I don't need any popcorn?  There must
be some hidden meaning there.



I've removed popcorn from the default list of thinggies to snag in
RulesDeJour.

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





Re: [WL] [SAtalk] Yikes.. rules_du_jour

2004-01-21 Thread Chris Thielen
On Mon, 2004-01-19 at 22:11, Jay Levitt wrote:
> One problem: If a spamassassin --lint fails (because if you, oh, had
> outdated directives in your sa-mimedefang.cf file), then once you correct
> that, on the next run, rules_du_jour won't update anything, because it
> thinks everything is up to date.

Jay,

Version 1.06 will now re-apply any changes that are pending (due to, for
example, the scenario above).

Also, check out the example munge scripts I put up:
http://www.exit0.us/index.php/RulesDuJourMungeScripts

Finally, as of today (version 1.06b) RulesDuJour includes ANTIDRUG and
EVILNUMBER configured by default.  POPCORN has been removed from the
default config.  Thanks to whoever added configs for ANTIDRUG and
EVILNUMBER to the wiki.


-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





RE: [SAtalk] Another one for BigEvil

2004-01-21 Thread Chris Santerre
aaap :)

Just send them to me offlist. However FP reports you might want to copy
here. As I remove them from the NEXT update. But people might want to remove
them right away. They still trickle in now and then. 

--Chris (bored today for some reason) 

> -Original Message-
> From: AltGrendel [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 10:20 AM
> To: SA-Talk
> Subject: Re: [SAtalk] Another one for BigEvil
> 
> 
> On Wed, 2004-01-21 at 09:33, Rubin Bennett wrote:
> > Sneaky bastard... got through with a 4.7
> 
> Chris:
> 
> Would you prefer that we email you this stuff offlist? I have a few too,
> but I don't want to contribute to the line noise on this list.
> 
> -- 
> AltGrendel <[EMAIL PROTECTED]>
> 
> 
> 


RE: [SAtalk] [OT] - The current state spam.

2004-01-21 Thread Chris Santerre
I agree and disagree :) 

How many times have you heard this:

"I don't understand, I have antivirus software."
"When was the last time you updated it?"
"Update?"
:-)

I know tons of people with broadband connections that might be on only a few
times a week. Some don't even notice their cpu is slower. I also know some
pretty intelligent people that despite what they try, still end up with
trojans and viruses from their kid's downloads. I say that your average
middle class family will just never fully understand how to handle a
computer on the net. They are busy scratching out a living. 

It needs to be made safer by the people who understand it. I can only affect
my immediate family/friends. And despite my best efforts, they still get
whacked now and then. 

Airbags make me safer. But there wasn't anyway in hell I was going to
install them myself :)

--Chris

> -Original Message-
> From: Keith Dowell [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 11:43 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] [OT] - The current state spam.
> 
> 
> I made this point on a mimedefang list. Some people didn't really like it.
> 
> Computers are too complicated for people to be responsible some said.
> 
> So I tried equating it to maintaining your car in that, if your car smokes
> and causes pollution - it is NOT the manufacturer's responsibility to come
> fix your car. It's your responsibility to take it to the nearest mechanic.
> If it smokes too much the police might just have to remove you from the road
> for other people's safety.
> 
> What I got in return to that was - Yeah sure, but doesn't relate. Auto
> manufacturers don't put out buggy cars like microsoft puts out buggy
> software.
> 
> Hmm... good point - but doesn't microsoft put out these things called
> patches? Is it not the user's responsibility to maintain their software
> (vehicle) by obtaining these patches (tune up).
> 
> I don't see how this doesn't equate. It's the same friggin thing. If you are
> going to put yourself on the internet then you should be held accountable
> for what happens to your computer. It isn't microsoft/linux 's
> responsibility to educate users. It's their own responsibility to educate
> themselves or suffer the consequences. You have to think of this in terms of
> the dsl/cable connections. Everyone is now "always on" which in essence
> makes them like a little open node on the internet. The government is NOT
> responsible, NOR the ISP, NOR the software manufacturer for maintaining
> safety of these little nodes. I'm sorry, but I will not see this any other
> way. The government doesn't know their head from their ass as far as the
> internet, the ISP should only be responsible for shutting the nodes down
> originating from their own network, and the software manufacturers should
> make patches available when they fix bugs. The USER is/SHOULD BE held
> responsible to secure, maintain, upgrade, etc etc their little node. Too
> complicated? Then they don't need to be on the net all the time (or period
> for that matter as far as I'm concerned). Or they need to hire a mechanic
> "PC-TECH".
> 
> All this really becomes is a whole debate of how responsible should a user
> be?
> 
> I agree - the user should have responsibility. No one is/can or should be
> responsible to go out and hold every little user's hand, and assist them with
> every little nuance of owning a computer. Maybe that sounds a bit harsh, but
> I still say it's like maintaining your car. All of this knowledge and info
> is freely available (some even in little paper books or cd's called
> manuals).
> 
> If you're stupid and don't read the "owners manual" for your car, never
> change the oil, wear your tires bald, never change the windshield wipers,
> and people force you to quit driving the vehicle, it's your OWN fault.
> 
> If you don't RTFM, do a little research, (my god -  it is NOT THAT FRIGGIN
> HARD) get the basics of owning a computer, and get your little node shut
> down because you're a friggin idiot spewing crap out on the net, because your
> computer's infected, because it got hacked, because you had no protection,
> etc etc, yadda, yadda - then it's your OWN fault.
> 
> Think logically here folks.
> 
> - Original Message - 
> From: "Pedro Sam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, January 20,

[SAtalk] New tax Phish?

2004-01-21 Thread Chris Santerre
I just got 2 of these. I'm not sure if the product is legit, but it does
look like it is. It was sent from yourdeals47.com. Which screams spam, and
is listed in a few RBLs. I'm thinking we will start seeing a lot more spam
with "Taxes" in it now. 

If this product is legit and not a scam, then why oh why on earth would they
hire a spammer. Also the product's website is nowhere to be found in the
email source. Only thru a redirect. 

I'm thinking the product website should be larted just for hiring the
spammers!

mesg attached. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 


-
Message-ID: <[EMAIL PROTECTED]>
From: GHD TaxAct Info <[EMAIL PROTECTED]>
To: Lisa Serrano <[EMAIL PROTECTED]>
Subject: *SPAM* Prepare your Taxes Online for Free
Date: Wed, 21 Jan 2004 12:18:31 -0500
X-Mailer: Internet Mail Service (5.5.2653.19)

  <http://bf.mocda2.com/bannerfarm/60230/woman1.gif>
 
<http://tr.yourdeals43.com/go/?rid=4002&aoent=1&uid=4324-2466559-39&srgadv=2
> Fast, Easy, & Affordable! Plan your tax strategy, prepare your return, &
file fast?all for just $8.95!
<http://tr.yourdeals43.com/go/?rid=4003&aoent=1&uid=4324-2466559-39&srgadv=2
>   

TaxACT Online Standard is your free tax software solution brought to you by
2nd Story Software, the trusted value leader in tax software. Complete your
tax return over the web faster and easier than ever! TaxACT includes
commonly used forms and schedules, and reflects all of the latest tax laws.
And, best of all, it's FREE!


TaxACT prepares & calculates your federal tax return quickly and allows you
to print your return for free?all you have to do is mail it to the IRS. Or,
to get your refund faster, e-file your return with TaxACT for only $7.95*.
Plus, you can complete your state returns with TaxACT State Editions. 


Get Started Today!


Click to register
& start your return
<http://tr.yourdeals43.com/go/?rid=4004&aoent=1&uid=4324-2466559-39&srgadv=2
> Start Now!

  <http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
<http://bf.mocda2.com/bannerfarm/60230/woman3.jpg>
<http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
<http://bf.mocda2.com/bannerfarm/60230/woman4.jpg>  
  <http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
 
<http://tr.yourdeals43.com/go/?rid=4005&aoent=1&uid=4324-2466559-39&srgadv=2
> Trusted by Millions   
?   Over 8 million TaxACT returns filed.
?   Developed by expert tax accountants and CPAs.   
 
<http://tr.yourdeals43.com/go/?rid=4006&aoent=1&uid=4324-2466559-39&srgadv=2
> Simple to Use 
?   Convenient online format
?   Easy to understand interview questions  
?   User-friendly interface 
?   If you can browse the web, you can do your own taxes with TaxACT.

  <http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
  <http://bf.mocda2.com/bannerfarm/60230/spacer.gif>
  <http://tr.yourdeals43.com/opened/?uid=4324-2466559-39> 



 
<http://tr.yourdeals43.com/[EMAIL PROTECTED]&uid=4324
-2466559-39&src=11> 




Re: [SAtalk] RulesDuJour; minor change

2004-01-21 Thread Chris Thielen
On Wed, 2004-01-21 at 18:23, Erik Slooff wrote:
> Hi Chris,
> 
> Small change for RulesDuJour: when sa is not in path lint will not succeed
> (line 313). Maybe you could add a variable that contains the path to sa in
> the settings?
> 
> Erik
>  

Will do.  Should have it up tomorrow, along with some other changes.

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

2004-01-21 Thread Chris Santerre
Soon there will be one place to go ;)

> -Original Message-
> From: Frank Pineau [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 8:51 PM
> To: Spamassassin-Talk (E-mail)
> Subject: Re: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k
> 
> 
> 
> >http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
> 
> 
> Thanks for the great ruleset!
> 
> I just have one niggling little request (and this really applies to anyone who
> produces public rulesets):
> 
> PLEASE include the download link (or some other referring link so we know where
> it came from) in the comments of the ruleset itself.  It's really a pain to
> track down the link in my e-mail archives whenever I want to see if there's an
> update or whatever. :-)
> 
> 


[SAtalk] Rules Du Jour v 1.07b

2004-01-22 Thread Chris Thielen
Here is a consolidated reply to a bunch of Rules Du Jour messages:
btw, version 1.07b is released.


> From: Erik Slooff <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] RulesDuJour; minor change
> Date: Wed, 21 Jan 2004 19:23:24 +0100
> 
> Small change for RulesDuJour: when sa is not in path lint will not succeed
> (line 313). Maybe you could add a variable that contains the path to sa in
> the settings?



> Just installed your Rules Du Jour script on a solaris box and I
> thought you may want to let people know that
> they need to install the gnu grep for this to work correct. The grep
> that comes with solaris does not work.
> Also if one thing I forgot to mention before.
> Solaris tail does not have a -n option its just -# that works for all
> versions of tail.



On Wed, 2004-01-21 at 11:20, Robert Leonard III wrote:

> Have Rules_Du_Jour update itself!  Of course it would be nice if it could 
> keep its modified settings (/etc/mail/spamassasin, and [EMAIL PROTECTED], 
> etc...).. but perhaps that would complicate things.. perhaps a .conf file 
> that the rulesdujour reads, so that we can make global changes that new 
> versions won't overwrite?

Since version 1.07:
- You may configure the spamassassin --lint command
- The default "version grep" was replaced with a perl "poor man's grep"
command (still flexible, yet should be more portable)
- tail and head commands now use -# syntax (instead of -n #)
- Rules Du Jour notifies you if an update is available (it does not
automagically install the new version)
- I've implemented a way to keep your local settings when an updated
version of rules_du_jour is available: 
http://www.exit0.us/index.php/MyRulesDuJour
- I moved the download urls: http://sandgnat.com/rdj/rules_du_jour and
http://sandgnat.com/rdj/my_rules_du_jour



-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/





RE: [SAtalk] v+word problem

2004-01-22 Thread Chris Santerre
Very interesting. Notice the attempt to confuse the url. Not sure if
that is an attempt at my old bigevil mining scripts. 

I'll add plus66.com into bigevil for next update. MrWiggly rule is only for
that one type V-drug spam. It has had NO false positives to date. So I'm
jacking my score up to 5.0 for that rule. 

--Chris

> -Original Message-
> From: John Fleming [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 22, 2004 8:53 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] v+word problem
> 
> 
> BTW, I AM using BigEvil and Anti_Drug...
> 
> - Original Message - 
> From: "WA9ALS - John" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, January 22, 2004 7:19 AM
> Subject: [SAtalk] v+word problem
> 
> 
> > I received a dreaded v word spam that got past MRWIGGLY with a tiny spam
> > score (0.1), even with my ultraconservative threshold of 2.4, using Bayes
> > and networks etc.  Trying to put the message here for analysis bounces back
> > to me.  Where can I put it so that someone could look at it and tell me what
> > I can do to remedy these getting through?
> >
> > I guess I can put it on a website:  http://wa9als.com/spamtest.htm
> >
> > Thanks for any tips!  - John
> >
> >
> >
> >


RE: [SAtalk] Rules Du Jour v 1.07b

2004-01-22 Thread Chris Thielen
On Thu, 2004-01-22 at 14:49, Smart,Dan wrote:
> Chris:
> Great job on the scripts.  I have modified the munging on Tripwire (set name
> to TW) and BigEvil (comment out WXYZ).  How do I add these custom munges to
> my_rules_du_jour?

Dan,

I'm going to suggest that you ignore the warning in my_rules and
configure it as a custom ruleset, eg: MY_TRIPWIRE and MY_BIGEVIL (~ at
indices 1000 and 1001, not 0 and 1).  

When working on my_rules_du_jour, I kept going back and forth trying to
decide how this sort of thing should be done.  The two options I was
considering were A) allow you to set just the one variable in my_rules
for the ruleset that is otherwise configured in the stock rules or B)
have you re-create the whole ruleset config in my_rules.  I went with
(B) because I didn't like splitting the configuration of that ruleset
across 2 files.

If there are enough requests to do (A) I'd definitely reconsider.
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





RE: [SAtalk] Surprise mail from myself

2004-01-22 Thread Chris Santerre


> -Original Message-
> From: Brad Hazledine [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 4:44 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Surprise mail from myself
> 
> 
> 
> Has anyone written a rule that catches mail supposedly sent by yourself to
> yourself?
> 
> Example here...
> 
> Received: from WIN-SYEZX91ADBP ([61.50.222.200])
>     by fargo.caledoncard.com (8.12.10/8.12.10) with SMTP id i0L6pDT5006761
>     for <[EMAIL PROTECTED]>; Wed, 21 Jan 2004 01:51:14 -0500
> Message-ID: <[EMAIL PROTECTED]>
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> 
> I whitelist everything from our own domain due to the fact that reports
> were constantly getting marked as spam for one reason or another.
> Therefore this triggers the whitelist and the spam gets through.
> It is starting to become more frequent.
> 
> I have tried to write a rule that says "if it is from yourself to yourself
> but not received from your server then clobber it".
> 
> However, the rule seems to pick up the "by fargo.caledoncard.com" in the
> header and thinks that all is well.
> 
> If anyone out there has encountered this and found a way around it then I
> would appreciate some input.
> 
> Thanks.
> 
> Brad
> 

header __CS_FROM_ME  From =~ /[EMAIL PROTECTED]/i
header __CS_TO_ME To =~ /[EMAIL PROTECTED]/i
meta CS_SPAM_TRICK __CS_FROM_ME && __CS_TO_ME
describe CS_SPAM_TRICK Spammer forged From + To my domain.
score CS_SPAM_TRICK 114.11 # Silly, isn't it? 

Change to your own email addy. Might want to change the score ;) 

Chris Santerre
System Admin
"You should never, never doubt what nobody is sure about."- Willy Wonka
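
An added example, not part of the original thread: the "from yourself to yourself but not received from your server" check from the question above, written in Python instead of as a SpamAssassin rule. It reads only the `from` clause of the topmost Received header, so the receiving server's own name in the `by` clause cannot satisfy it. `LOCAL_DOMAIN`, `TRUSTED_NETS`, the function names and the sample messages are assumptions constructed for illustration, and the topmost Received header is assumed to be the one written by your own MX.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumed site settings (constructed for this example).
LOCAL_DOMAIN = "example.com"
TRUSTED_NETS = [ip_network("192.0.2.0/24")]  # hosts allowed to send as us

# Everything between the leading "from" and the first " by " keyword.
FROM_CLAUSE = re.compile(r"\s*from\s+(?P<clause>.*?)\s+by\s", re.I | re.S)
# The MTA records the connecting address in brackets; the HELO name in
# front of it is chosen by the client and proves nothing.
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def top_received(raw_message):
    """Topmost Received header (added last, by the receiving server)."""
    hops = message_from_string(raw_message).get_all("Received") or []
    return hops[0] if hops else None


def naive_own_server(received):
    """The failing approach: look for our domain anywhere in the header."""
    return LOCAL_DOMAIN in received.lower()


def client_ip(from_clause):
    """Connecting IP recorded inside the 'from' clause, or None."""
    found = BRACKETED_IP.search(from_clause)
    if not found:
        return None
    try:
        return ip_address(found.group(1))
    except ValueError:
        return None


def in_local_domain(header_value):
    address = parseaddr(header_value or "")[1].lower()
    return address.endswith("@" + LOCAL_DOMAIN)


def forged_self_mail(raw_message):
    """True when From and To are both ours but the client was not."""
    msg = message_from_string(raw_message)
    if not (in_local_domain(msg["From"]) and in_local_domain(msg["To"])):
        return False
    received = top_received(raw_message)
    if received is None:
        return False  # never crossed SMTP, nothing to compare
    clause = FROM_CLAUSE.match(received)
    if clause is None:
        return False  # local submission: "(from user@localhost) by ..."
    ip = client_ip(clause.group("clause"))
    return ip is None or not any(ip in net for net in TRUSTED_NETS)


# Constructed sample messages (addresses and IPs are documentation values).
FORGED = """\
Received: from WIN-CONSTRUCTED ([203.0.113.77])
\tby mx.example.com (8.12.10/8.12.10) with SMTP id constructed0001
\tfor <brad@example.com>; Wed, 21 Jan 2004 01:51:14 -0500
From: "brad@example.com" <brad@example.com>
To: "brad@example.com" <brad@example.com>
Subject: sample

body
"""
INTERNAL = FORGED.replace("WIN-CONSTRUCTED ([203.0.113.77])",
                          "ws12.example.com (ws12.example.com [192.0.2.45])")
LOCAL_SUBMIT = """\
Received: (from root@localhost)
\tby mx.example.com (8.12.10/8.12.10/Submit) id constructed0002;
\tWed, 21 Jan 2004 02:00:00 -0500
From: root@example.com
To: brad@example.com
Subject: nightly report

ok
"""
OUTSIDE = FORGED.replace('From: "brad@example.com" <brad@example.com>',
                         "From: someone@example.org")

if __name__ == "__main__":
    for name in ("FORGED", "INTERNAL", "LOCAL_SUBMIT", "OUTSIDE"):
        print(name, forged_self_mail(globals()[name]))
```
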





RE: [SAtalk] Multi-line matching workarounds?

2004-01-22 Thread Chris Santerre


> -Original Message-
> From: sckot [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 3:45 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Multi-line matching workarounds?
> 
> 
>   Some archive searching has revealed that multi-line matching isn't
> available yet. Is there another way to rework this rule that I'm
> missing, using meta rules perhaps? It would single-handedly get a lot of
> spam that I get, which is consistently of the form of three "ambiguous
> product pitch:\nurl\n\n"s. My email address appears in the third URL,
> and the first two are mostly numeric. 
> 
> rawbody L_3_Part_Pitch_Spam
> /.*:\nhttp:\/\/[a-z]{2}[0-9]\.\w{1,20}\.com\/([0-9]*\/)*[a-z]{1,20}\.
> htm(l)?\n\n.*:\nhttp:\/\/[a-z]{2}[0-9]\.\w{1,20}\.com\/([0-9]*
> \/)*[a-z]
> {1,20}\.htm(l)?\n\n.*:\nhttp:\/\/[a-z]{2}[0-9]\.\w{1,20}\.com\
> /([EMAIL PROTECTED]
> *\/)*\/.htm(l)?/
> describe L_3_Part_Pitch_Spam Mail has six lines, three are URLS
> 
> Thanks,
> sckot Vokes
> 

I tried similar things, but the \n never worked right. I think rawbody
doesn't see them. The only way to do this is with an EVAL function. Not a
bad idea to look at the overall length of email and see what percentage of
it is html link. SA has a rule like this, but might need some tweaking for
smaller emails?

--Chris (Already having a day from hell.) Santerre
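
An added example, not part of the original thread: the two ideas discussed above (three consecutive "pitch:", URL, blank-line groups, and the share of the message that is link text) computed in Python over the whole body as one string, outside SpamAssassin. The function names, the 3-block threshold and the sample bodies are assumptions constructed for illustration; this is not an SA eval function.

```python
import re

URL = re.compile(r"https?://\S+")


def split_blocks(body):
    """Split a plain-text body into groups of lines separated by blank lines."""
    text = body.replace("\r\n", "\n")
    return [chunk.strip("\n").split("\n")
            for chunk in re.split(r"\n[ \t]*\n", text) if chunk.strip()]


def is_pitch_block(lines):
    """Exactly two lines: a line ending in ':' followed by a bare URL."""
    return (len(lines) == 2
            and lines[0].rstrip().endswith(":")
            and URL.fullmatch(lines[1].strip()) is not None)


def longest_pitch_run(body):
    """Length of the longest run of consecutive pitch/URL blocks."""
    run = best = 0
    for block in split_blocks(body):
        run = run + 1 if is_pitch_block(block) else 0
        best = max(best, run)
    return best


def link_ratio(body):
    """Fraction of the non-whitespace characters that belong to URLs."""
    total = len(re.sub(r"\s+", "", body))
    if total == 0:
        return 0.0
    return sum(len(m.group(0)) for m in URL.finditer(body)) / total


def three_part_pitch(body, min_run=3):
    return longest_pitch_run(body) >= min_run


# Constructed sample bodies.
SPAM_BODY = (
    "Lose weight fast:\r\n"
    "http://ab1.example.com/123/offer.html\r\n"
    "\r\n"
    "Great rates today:\r\n"
    "http://cd2.example.com/456/78/deal.htm\r\n"
    "\r\n"
    "Stop these offers:\r\n"
    "http://ef3.example.com/user@example.net/out.htm\r\n"
)
HAM_BODY = (
    "Hi Bob,\n"
    "\n"
    "The agenda for Monday's planning meeting is here:\n"
    "http://intranet.example.com/agenda.html\n"
    "\n"
    "Please read it before we meet.\n"
)

if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        print(name, longest_pitch_run(body), round(link_ratio(body), 2))
```
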




RE: [SAtalk] Rules Du Jour v 1.07b

2004-01-22 Thread Chris Thielen
On Thu, 2004-01-22 at 22:57, Smart,Dan wrote:
> That works great!  Thanks.
> 
> I added the following command for SA_RESTART  "/usr/sbin/postfix stop &&
> sleep 15 && /etc/init.d/spamassassin restart && /usr/sbin/postfix start"
> but it doesn't seem to work, even though it works for command line.  
> 
> I also need to make sure postfix starts if the SA_RESTART fails.

Are you running Rules Du Jour as root?  Might want to try editing the
rules_du_jour script and find the line where SA_RESTART is called;
remove the "> /dev/null" redirect.  Run it interactively and see if
there's anything interesting being dumped to the console.

As for "postfix start" even if "spamassassin restart" fails, use ";"
instead of "&&".


-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





Re: [SAtalk] Help: How to add files of tests?

2004-01-22 Thread Chris Thielen
On Thu, 2004-01-22 at 21:50, Evan Platt wrote:
> Ok, I'm running SA under Alt-N Mdaemon. AFAICT, it's a standard install,
> albeit Windows. It's got a Spamassassin.dll file - Is there anywhere to
> update this? I did a yahoo /google but turned up blank.

I don't know if you can update the SA engine inside Alt-N.

> I'd like to add some of the rules that appear here from time to time,
> bigevil.cf, etc. 

I'm pretty sure this is possible with the SA embedded inside Mdaemon.



> Where would I add, say big_evil.cf? Are there any other recommended files I
> download and install? 

Maybe this helps:
http://lists.altn.com/[EMAIL PROTECTED]@.ee9117d/1

> I know i've been lurking here a while and helping out with the occasional
> "Please RTFM, SA doesn't delete messages", I was more passive, but now that
> the mail server I downloaded and my run for my home domain uses SA, I'll
> probably be more active. :)

Always good to have another helpful person around!

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





Re: [SAtalk] Recent List Archive

2004-01-22 Thread Chris Thielen
On Thu, 2004-01-22 at 17:13, Carl Chipman wrote:
> Ok, I delete the messages from earlier in the month that had the "string of
> 10 or more random character groupings"  I went to go check the archive
> (provided by clicking on the link at the bottom of an e-mail) but it seems
> the archive only shows till Dec 2003.   Any way to see the archives from
> January?

http://news.gmane.org/gmane.mail.spam.spamassassin.general/cutoff=40042
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/





RE: [SAtalk] thank you guys

2004-01-23 Thread Covington, Chris
Why does it take your SA 69 seconds to process an email?  Our systems
take about 3 seconds, using network tests and bayes with
Postfix/amavisd-new.

Chris 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Thomas Kinghorn
Sent: Friday, January 23, 2004 5:32 AM
To: Spamassassin-Talk (E-mail)
Subject: [SAtalk] thank you guys

To all the contributors of SPAMASSASSIN, exiscan & sa-exim...

Thank you all

here are some stats for the last 4 weeks This is for 4 domains.
 
Total number of emails processed by the spam filter : 200942
Number of spams                                     :  91592 ( 45.58%)
Number of clean messages                            : 109350 ( 54.42%)
Average message analysis time                       : 69.27 seconds
Average spam analysis time                          : 84.67 seconds
Average clean message analysis time                 : 56.37 seconds
Average message score                               :  4.37
Average spam score                                  : 15.17
Average clean message score                         : -4.68
Total spam volume                                   :   282 Mbytes
Total clean volume                                  :  1119 Mbytes


keep up the good work

PS...the new spamstats.pl works like a charm with exim...thanks to the
developer of that too.

you guys rule.

CYA

Tom





RE: [SAtalk] BigEvil PF

2004-01-26 Thread Chris Santerre
I'm sure this is an FP left over from my pull from initial scripts. I don't
remember adding them by hand. They check out as legit. They will be removed
from next update. (Which was meant for last Sat. but something came up.) 

--Chris

> -Original Message-
> From: Paul Barbeau [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 23, 2004 3:02 PM
> To: Spamassassin List
> Subject: [SAtalk] BigEvil PF
> 
> 
> I am getting a lot of BigEvilList_72 (http://www.exclaimer.co.uk) FP as one
> of my group clients get mail from lawyer that uses this product. Can someone
> provide some feedback on why this is a rule so instead of just deleting it I
> now have an educated answer to my client
> 
> Thanks
> Paul
> 
> 




RE: [SAtalk] too much spam...

2004-01-26 Thread Covington, Chris
Your Bayes must be hosed if what you think is spam gets BAYES_00.

Chris



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Diaguila
Sent: Monday, January 26, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] too much spam...



Greetings 

Using SA Ver. 2.63 with Mimedefang, and still quite a bit of spam is
getting through.  Have all the current BigEvil, etc...   As an example,
a rule is in place in local.cf

header   SUBJECT_ENCODED_MY_TEST  Subject:raw =~ /=\?.*\?=/i
describe SUBJECT_ENCODED_MY_TEST  Subject begins with =?
score    SUBJECT_ENCODED_MY_TEST  5.0

When a message comes in:

Subject:
=?ISO-8859-1?b?V2UgaGF2ZSB3aGF0IHlvdSBuZWVkIC0gQ2hlYXBlc3QgcHJlc2NyaXB0a
W8vbnMgb24gdGhlIGludGVybmV0?=
Content-Type: multipart/alternative;
boundary="=_NextPart_000_0CAC_A6ABA171.138272BD"
X-Spam-Score: 3.422
BAYES_00,FORGED_OUTLOOK_TAGS,HTML_50_60,HTML_IMAGE_ONLY_02,HTML_MESSAGE,
HTML_TAG_BALANCE_BODY,RM_rb_ANCHOR,RM_rb_BODY,RM_rb_HTML,SUBJECT_ENCODED
_MY_TEST
X-Scanned-By: MIMEDefang 2.30 (www . roaringpenguin . com / mimedefang)

???

thanks...

Paul


RE: [SAtalk] bigevil_54 smonitor

2004-01-26 Thread Chris Santerre
"Negative Ghostrider, the pattern is full."

:)

There is a '\b' before that. So it is bound. Should not hit that rule ever.
Go ahead. Send yourself an email with that in it. Try it if you don't think
so. :) 

Then again, maybe I should mark them as spammers... Oh, but that is for
another list ;)

--Chris

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 23, 2004 11:50 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] bigevil_54 smonitor
> 
> 
> 
> 
> smonitor in bigevil_54 would include csmonitor.com which
> is the Christian Science Monitor which I presume was
> not meant to be included with nefarious spammers.
> 
> Anthony
> 
> 




[SAtalk] Re: W32.Novarg.A@mm virus

2004-01-27 Thread Chris Barnes
Christopher X. Candreva <[EMAIL PROTECTED]> wrote:
> I suggest simply installing clamav and additionally passing mail
> through it. Clam runs as a daemon and is actually much faster than
> SpamAssassin.
>
> Clamav was catching Novarg here almost immediately (I have a cron job
> that checks for virus updates once an hour).

Let me 2nd this - on the server I run for my dept, we have had ZERO
messages get through with this virus.  Otoh, I spent 2 hours on the
phone with a dozen or so friends explaining to them how to get this off
of their machines (sometimes it isn't fun being the "helpdesk to the
community").

--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes AOL IM: CNBarnes
[EMAIL PROTECTED]  Yahoo IM: chrisnbarnes
Computer Systems Manager ph: 979-845-7801
Department of Physics   fax: 979-845-2590
Texas A&M University







RE: [SAtalk] bigevil_54 smonitor

2004-01-27 Thread Chris Santerre
Doh! 

*humble apologies*

You are correct sir! Removed in next update. Don't ask what is taking so
long for the next update. You don't want to know :)

--Chris

> -Original Message-
> From: Kelson Vibber [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 27, 2004 12:02 AM
> To: Chris Santerre; '[EMAIL PROTECTED]';
> [EMAIL PROTECTED]
> Subject: Re: [SAtalk] bigevil_54 smonitor
> 
> 
> On Monday 26 January 2004 10:53 am, Chris Santerre wrote:
> > There is a '\b' before that. So it is bound. Should not hit 
> that rule ever.
> > Go ahead. Send yourself an email with that in it. Try it if 
> you don't think
> > so. :)
> 
> That's right - a '\b' followed by a 'c'
> 
> Collapse all the alternatives out and you get  
> /\bc(smonitor)\.(com)\b/ which 
> would indeed match csmonitor.com
> 
> 
> -- 
> Kelson Vibber
> SpeedGate Communications, 
> 
> 
> 
> 




RE: [SAtalk] Rules Du Jour v 1.07b

2004-01-28 Thread Chris Thielen
Dan,

On Fri, 2004-01-23 at 09:04, Smart,Dan wrote:

> This command works every time from command line, but not passed as a param
> from SA_RESTART.
> "postfix stop ; sleep 15 ; /etc/init.d/spamassassin restart ; postfix start"
> 
> It runs the postfix stop and then quits.  Any idea why?  I can create a sed
> that patches the rules_du_jour each time putting the commands in one at a
> time in the restart if block, which does work, but passing it as the
> SA_RESTART parameter would be really nice.

I changed the line that runs $SA_RESTART to use:
sh -c "$SA_RESTART"
instead of just
$SA_RESTART

This should do the trick, methinks.

(Version 1.07e is up)
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/
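
Why the bare $SA_RESTART ran only "postfix stop" while sh -c "$SA_RESTART" runs every command, as an added example that is not part of the original message or of rules_du_jour. Assumptions: "echo" stands in for postfix and the init script, the function names are made up here, and the config layout (a shell fragment that assigns SA_RESTART) is hypothetical.

```shell
#!/bin/sh
# Added example. "echo" stands in for postfix/init scripts so it is safe to run.
SA_RESTART='echo stop ; echo slept ; echo start'   # constructed value

# Unquoted expansion: the value is only split into words. ";" is passed as a
# literal argument, so ONE command runs and receives everything after it.
run_unquoted() {
    $SA_RESTART
}

# sh -c parses the string as shell source, so ";" separates three commands.
run_sh_c() {
    sh -c "$SA_RESTART"
}

# The string is now code: accept it only from a regular file that neither
# group nor others can write to.
config_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Hypothetical config layout: a shell fragment that assigns SA_RESTART.
restart_from_config() {
    if ! config_is_private "$1"; then
        echo "refusing $1: missing or writable by group/others" >&2
        return 1
    fi
    # Read the value in a subshell so the fragment cannot alter this shell.
    cmd=$(. "$1" && printf '%s' "$SA_RESTART") || return 1
    sh -c "$cmd"
}

echo "unquoted:"; run_unquoted
echo "sh -c:";    run_sh_c
```

Since the restart string is executed as shell source, whoever can edit the file that holds it can run commands as the user the update script runs under.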





[SAtalk] Load multiple .cf files (antidrug, backhair, etc) from user_prefs

2004-01-28 Thread Chris Thielen
Did you know that you can:

mv ~/.spamassassin/user_prefs ~/.spamassassin/user_prefs.cs
mkdir ~/.spamassassin/user_prefs
mv ~/.spamassassin/user_prefs.cs ~/.spamassassin/user_prefs/
cp backhair.cf ~/.spamassassin/user_prefs/
cp antidrug.cf ~/.spamassassin/user_prefs/

Then always call spamassassin like so:
spamassassin -x

SA will read all the *.cf files in ~/.spamassassin/user_prefs/ just like
it does for the system-wide /etc/mail/spamassassin/.

Hope this comes in handy for those of you who use user_prefs but don't
administer the machine SA runs on.
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/





[SAtalk] [OT] Working with FPs from the other end.

2004-01-28 Thread Chris Santerre
I had recently received an FP from a *new* invoice confirmation notice from
a MAJOR computer equipment supplier. I was bummed at the fact that I would
have to try to work around the FP. Then I looked at what it hit, and some
were just things they shouldn't do. Like HTML only! 

So I wrote a nice email to my Account rep. Listing each major rule that hit,
how many points, and what they might try to fix it. He forwarded it on to
the right people. I talked to him today on a different matter and he
informed me that they were EXTREMELY happy with the info I told them. They
had no idea they were doing things that were considered spammy. They are
working on fixing all the hits they got. 

Surprising for such a large technical corporation. (Like CDW, but not them.)
Anyway, sometimes the best way to fight a bunch of FPs is to educate the
legit senders. I thought I would share that success story :-)

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




[SAtalk] sa-learn from other computers in a cluster

2004-01-28 Thread Chris Barnes
Ok, we're probably not using a "cluster" in the truest sense of the
word.

We have 1 main Linux box as a server (houses the /home directories, runs
sendmail/SA, apache, etc).  Runs LDAP which acts as the authoritative user
directory.  Users do not have shell access to this machine.

We have 4-5 other Linux boxes that users have shell access to - these
make an LDAP connection for authentication.  /home is NFS mounted from
the main server.


Situation: a user wants to run sa-learn on a corpus of ham/spam in their
~/mail directory  (eg. ~/mail/Spam).  However, since SA isn't installed
on their interactive machine, sa-learn isn't there.


My question - do we need to install SA on each Linux machine, or is
there some minor bits (the sa-learn module, DB_File, etc) we can simply
copy over?

--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes AOL IM: CNBarnes
[EMAIL PROTECTED]  Yahoo IM: chrisnbarnes
Computer Systems Manager ph: 979-845-7801
Department of Physics   fax: 979-845-2590
Texas A&M University







[SAtalk] tweaking .procmailrc to make things smoother

2004-01-29 Thread Chris Barnes
I am attaching my current .procmailrc (it's not long).  I would like to
tweak this to help make things run both faster and smoother for me.

1) instead of just checking the subject line for messages with the SA
markup from my ISP (which is redundant), I would simply like to use
procmail to remove their markup completely - rewriting the subject
without it.   I have looked at other examples, but they never seem to be
quite right.

  if sub starts out with *SPAM
rewrite sub without the *SPAM*



2) Instead of simply moving messages with a score of 9 or higher into
the ~/mail/Spam/Filtered mailbox, I would rather
   a) run sa-learn on that message
   b) dump that message into /dev/null.


--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes AOL IM: CNBarnes
[EMAIL PROTECTED]  Yahoo IM: chrisnbarnes
Computer Systems Manager ph: 979-845-7801
Department of Physics   fax: 979-845-2590
Texas A&M University








Re: [SAtalk] bigevil; chicknpox; weeds...

2004-01-29 Thread Chris Thielen
On Mon, 2004-01-26 at 13:06, Douglas Kirkland wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On Monday 26 January 2004 07:28, Thorsten Schacht wrote:
> > Hey,
> > 
> > What is your opinion of those cf's?
> > Does it make sense to take them all, or maybe only parts of them?
> > Is it a good solution to install them without really knowing how the rules
> > are built?
> > Only for private or also good at company?
> > 
> You could put the rules in and set the score to .01 to see what is happening 
> with the rules.  I know somebody posted a way to set all the scores to this 
> value with a regex expression.

Here's some line noise that can accomplish that task:

perl -ne '(m/^(\s*score\s+\S+\s+)([\d\.]+)(.*$)/i && print "$1 0.01 $3\n") || print;' < tripwire.cf > trial_tripwire.cf

input file is tripwire.cf
output file is trial_tripwire.cf (with all scores set to 0.01)

copy trial_tripwire.cf to your /etc/mail/spamassassin

Repeat for each ruleset you are trying out.

HTH.
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/





[SAtalk] Bigevil and thoughts....

2004-01-29 Thread Chris Santerre
I received a report of an FP in bigevil. The domain was
playaudiomessage.com. A quick google shows tons of hits in
news.admin.net-abuse.sightings. It had been my hope the bigevil would be
ZERO fp. However I'm not going to let the fact that a domain may be used 90%
by spammers and 10% by legit sway me now. 

Even going to www.playaudiomessage.com should raise eyebrows! Nice reporting
feature they have on the site, huh? 

So I'm going to go the way easynet did. (No not shutdown!) I'm going to
leave them in until they clean up their act. When I see no reports of spam
containing their URL for a certain period of time, then I will remove. I've
started a small list of these to check on in a few weeks. 

So if you receive a legit email with this domain hitting bigevil, I'm not
sorry. Do a search under "groups" in google. Take those results and feel
free to report them to playaudiomessage.com. But by the looks from their
website, they don't want to hear from you anyway.

They stay.

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 




RE: [SAtalk] CBL?

2004-01-29 Thread Covington, Chris
It's great, I run it at the MTA level and it drops tons of junk without
any false positives to date (after about 4 months usage).

Chris 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan
Wilder
Sent: Monday, January 26, 2004 5:50 PM
To: Spamassassin List
Subject: [SAtalk] CBL?

Anybody taken a look at the DNS RBL at

http://cbl.abuseat.org/



