I was looking into spam solutions for debian's bug processing and list
processing systems. Apparently they use some spam processing now but
spamassassin seems to be an excellent choice to improve it and bring
it up to date. I especially like the inclusion of razor; I believe the
debian list proces
Can anyone tell me what creates this file in user directories? I do not
have auto-whitelisting turned on as far as I know.
Thanks!
-
Michael Norton
Curricula Coordinator/Network Administrator
Interface Computer School
http://michael.interface-net.com
__
On Tue, Feb 05, 2002 at 03:56:16PM +1100, Daniel Pittman wrote:
> On 04 Feb 2002, Craig Hughes wrote:
> > On Mon, 2002-02-04 at 13:38, Daniel Pittman wrote:
>
> [...]
>
> > I'm still somewhat baffled about why things weren't working in the
> > first place with that particular example though, but
On 04 Feb 2002, Craig Hughes wrote:
> Oh, I assumed that Amavis was inserting that if it was unregistered or
> something. I just did a search on that "This safeguard blah blah blah"
> string, and it gets a bunch of hits from SPAM sent to mailing lists.
> Might be worth a rule for that I suppose.
Craig,
I confirm that the lines were not added by Amavis (amavis policy is
NOT to change anything in the email body, just add a header line, and
quarantine the email if it includes a virus).
I believe the spammer used a non registered version of spam program
that included the lines.
Olivier
>
On 04 Feb 2002, Craig Hughes wrote:
> On Mon, 2002-02-04 at 13:38, Daniel Pittman wrote:
[...]
> I'm still somewhat baffled about why things weren't working in the
> first place with that particular example though, but perhaps by
> tinkering with the regex we've now magically made it work.
Wel
866 is. 855 and 844 are planned to be.
I work for a long distance company, and have had to hold the hands of
many of our customers as they reprogrammed their PBXes to realize that
866 shouldn't be restricted as if it actually cost them something...
-Original Message-
From: Craig Hughes
Well as regular readers will know, Justin Mason, our fearless leader,
has fearlessly buggered off and left me in charge, but we forgot to
think through some of the details of how I'd continue to run the GA to
update the scores which SA depends on. I think I have a possible
solution to this proble
Oh, I assumed that Amavis was inserting that if it was unregistered or
something. I just did a search on that "This safeguard blah blah blah"
string, and it gets a bunch of hits from SPAM sent to mailing lists.
Might be worth a rule for that I suppose.
C
On Mon, 2002-02-04 at 18:57, Olivier Ni
Craig,
In the first MIME part, it contains many lines of dashes. I am not a
MIME expert, but I think that is a valid part?
Olivier
> - --=_oA8UEqqH_jqVoQDft_MA
> Content-Type: text/plain
> Content-Transfer-Encoding: 8bit
>
> - -
There's no way to create a rule which could possibly cover that
message. The only content is a URL, which itself shows no signs of
spaminess. It could easily have just been a friend of yours emailing you
a link to something...
C
On Mon, 2002-02-04 at 18:37, Olivier Nicole wrote:
> Hello,
>
> T
Hello,
That looks like spam to me, while it gets thru.
Best regards,
Olivier
--- Start of forwarded message ---
X-Coding-System: undecided-unix
Mail-from: From [EMAIL PROTECTED] Tue Feb 5 03:47:56 2002
Return-Path: <[EMAIL PROTECTED]>
Received: from virtualpets.co.za (jhbd1-170.ibi.co
Ok, in theory I think I've applied the patch... Webmake should rebuild
the site and deploy it in the next hour or so.
C
On Mon, 2002-02-04 at 17:49, Jason Haar wrote:
> On Mon, Feb 04, 2002 at 05:29:17PM -0800, Craig Hughes wrote:
> > I think -F1 is the default, isn't it? Since you're probably
On Mon, Feb 04, 2002 at 05:29:17PM -0800, Craig Hughes wrote:
> I think -F1 is the default, isn't it? Since you're probably more
Err - duh. I meant "-F 0" :-)
Sheezh, too many brain cells firing at once here!
> familiar with what such people might want to hear (I don't use that
> config, and
If you are getting spam with spamassassin-sightings in the headers, it's
probably because lots of folks forward spam to
[EMAIL PROTECTED]
SpamAssassin isn't "doing something" to the messages.
Trying to move this to -talk, please remove -sightings from the CC list.
On Mon, 4 Feb 2002, Landy Roma
I think -F1 is the default, isn't it? Since you're probably more
familiar with what such people might want to hear (I don't use that
config, and am liable to misdocument things), want to knock something up
and forward a patch?
Thanks,
C
On Mon, 2002-02-04 at 15:36, Jason Haar wrote:
> It appea
Hmm, that's the behavior you should get with -F 1: any chance there's
some old version of a lib hanging around somewhere?
# fgrep -rn add_From_line Mail/SpamAssassin
Mail/SpamAssassin/NoMailAudit.pm:40: $self->{add_From_line} =
$opts{add_From_line};
Mail/SpamAssassin/NoMailAudit.pm:43: if (!def
On Mon, 2002-02-04 at 13:38, Daniel Pittman wrote:
> Better that you do:
>
> } elsif (/^([^\x00-\x1f\x7f-\xff :]+):\s*(.*)$/) {
>
> or
>
> } elsif (/^([^\x00-\x1f\x7f-\xff :]+):\s?(.*)$/) {
>
> ...depending on personal taste. That way the space is still removed if
> it's present.
Based on rea
On Mon, Feb 04, 2002 at 04:57:05PM -0500, CertaintyTech - Ed Henderson wrote:
| I've noticed an additional header has been added to my emails since
| upgrading to SA 2.01. There is an additional pseudo-header like:
|
| From [EMAIL PROTECTED] Thu Jan 31 17:47:22 2002
|
| added usually before the
On Mon, 2002-02-04 at 13:35, Daniel Pittman wrote:
> On Mon, 4 Feb 2002, peter green wrote:
> >> 2) That *is* an invalid RFC822/2822 date. The specification for the
> >> time does NOT allow for the ``local differential'' (+) and the
> >> timezone (GMT) to be specified simultaneously. Further,
Patches, as always, gratefully accepted :)
C
On Mon, 2002-02-04 at 13:03, Jason Haar wrote:
> On Tue, Feb 05, 2002 at 09:33:00AM +1300, Jason Haar wrote:
> > How about "body MIME_EXPLANATION"?
>
> With language issues rearing its ugly head (or beautiful ;-), we could do
> the job "properly" -
This seems actually in the last month or so to have been a very big
shift. Definitely a good idea to include some of these things in the
non-spam corpus, possibly an even better idea to drop the
CTYPE_JUST_HTML rule altogether. It used to be a pretty good one, but
it seems like it may no longer
I called it MIME_NULL_BLOCK in the end actually.
C
On Mon, 2002-02-04 at 12:33, Jason Haar wrote:
> On Mon, Feb 04, 2002 at 12:13:22AM -0800, Craig Hughes wrote:
> > How about:
> >
> > body CORRECT_FOR_EXCHANGE /This message is in MIME format/
> > score CORRECT_FOR_EXCHANGE -2.6
> >
On Mon, 4 Feb 2002, peter green wrote:
> * Daniel Pittman <[EMAIL PROTECTED]> [020203 14:18]:
> > Most messages that I get, these days, match the "missing date" test,
> > and end up with something like:
> >
> > X-Mail-Format-Warning: Bad RFC822 header formatting in Date: Sun, 3 Feb 2002
>14:3
Hi,
My roommate drew a comic about my experience installing SpamAssassin. Check
it out:
http://www.idiom.com/~etuttle/aa-funnies-01a.gif
I think it will be up on www.eatmycomix.com soon.
Har har,
Ethan
___
Spamassassin-talk mailing list
[EMAIL PR
On Mon, Feb 04, 2002 at 09:36:01AM -0800, Craig Hughes wrote:
| On Mon, 2002-02-04 at 09:04, Scott Walde wrote:
| > Please also notice: I'm looking for either '-'es or ' 'es in the phone
| > number as the spam I got was in the format 1 877 555 1212 not
| > 1-877-555-1212. Might we also want to l
It appears quite a few sites are getting caught with that "-F" option - or
more to the point - the lack of it.
Could the docs be changed so that in areas referencing site-wide
configurations of SA, that there be warnings that if you are using SA in
relay-mode (like with Qmail-Scanner :-), then "s
I've noticed an additional header has been added to my emails since
upgrading to SA 2.01. There is an additional pseudo-header like:
>From [EMAIL PROTECTED] Thu Jan 31 17:47:22 2002
added usually before the Delivered-To: header. I have set the spamd option
"-F 0" but this has no effect. Any i
On Mon, 4 Feb 2002, Jost Krieger wrote:
> On Sun, Feb 03, 2002 at 01:29:31PM -0800, Craig Hughes wrote:
>> Yeah, I'd seen this claim of non-compliant headers in a few places
>> that seemed OK to me too -- The regex it's checking is pretty nasty
>> though. I'll see if I can figure out what jm was t
On Mon, 4 Feb 2002, peter green wrote:
> * peter green <[EMAIL PROTECTED]> [020204 07:23]:
>> * Daniel Pittman <[EMAIL PROTECTED]> [020203 14:18]:
>> > X-Mail-Format-Warning: Bad RFC822 header formatting in Date: Sun, 3
>> > Feb 2002 14:31:08 + (GMT)
>> >
>> > Of course, that's /not/ an inval
On 03 Feb 2002, Craig Hughes wrote:
> No, not really any way to avoid this... it's a fairly important part
> of NoMailAudit.pm
So, using SpamAssassin means a risk of corrupted email. Hrm. Ah, well, I
guess you pay for what you get. :/
> I've looked again and again at the relevant lines and can't
On Tue, Feb 05, 2002 at 09:33:00AM +1300, Jason Haar wrote:
> How about "body MIME_EXPLANATION"?
With language issues rearing its ugly head (or beautiful ;-), we could do
the job "properly" - but I don't know if SA is up to it.
You could record the boundary string for MIME messages, and ignore
On Mon, Feb 04, 2002 at 02:41:35PM -0600, Donald Greer wrote:
>The current scoring for HTML_Only mail may be just a little high.
> I've received reports that some newsletters (which are html-only) are
> being rejected as spam. Specifically I allow my users to signup to news
> letters from
Folks,
The current scoring for HTML_Only mail may be just a little high.
I've received reports that some newsletters (which are html-only) are
being rejected as spam. Specifically I allow my users to signup to news
letters from "cluebie.com" (see "http://austintx.cluebie.com" if you
wa
On Mon, Feb 04, 2002 at 12:13:22AM -0800, Craig Hughes wrote:
> How about:
>
> body CORRECT_FOR_EXCHANGE /This message is in MIME format/
> score CORRECT_FOR_EXCHANGE -2.6
> describe CORRECT_FOR_EXCHANGE Correct for MIME 'null block'
Great - but I think the name could be made more g
I helped a friend get SA installed this morning, and so far he's loving it
(5 correct positives caught so far in 4 hours.) While we were chatting
though, he had a question I didn't know how to answer: How does one go
about getting rules updates?
My answer was that you'd wait for a new SA releas
Oh, the HEADER NAME is in block caps. I thought it was just the
domain. Yeah, yer hosed if the header name is capitalized other than
"From". Same problem crops up in a variety of other situations too.
It's bug #19 in bugzilla:
http://bugzilla.spamassassin.org/show_bug.cgi?id=19
C
On Mon, 20
From reading the code:
* just noticed Mail::SpamAssassin::Conf::add_to_addrlist() where it's
converting the glob-patterns to regexs as it reads them in. Missed that
in previous scans of the code.
* before I changed it yesterday, the comparison was between the
lowercased addr from the email and
It's weighted though for the length of the message. There is/was a bug
with super-short messages where the weights would be really big, and I
recently checked in an attempt at fixing this. Try the latest CVS and
see how it fares. I think probably a good thing to do would be to
manually scan the
LAST UPDATE (I hope!)
The whitelist matching *IS* glob-type. .*@domain.dom is wrong. Lots of
debugging confirms this.
Also, more debugging confirms that the whitelist_from entries *ARE* being
taken from SQL. It appears that it's not matching for some other reason.
(maybe because the passp
Following on from my own message... I've checked the
scores file and the scores for spam phrases look well
out of scale - the lowest is 330 and the highest is about
30,000. This means that the spam phrase score will *always*
be either over 100 or 0 (I'm finding it hits on a lot of non spam
messag
If I want to configure more relay lists (ORDB, e.g.), how should I scale down
the score? Or wouldn't you do that at all?
On a similar note, you might want to add
header X_OSIRU_NOCONF eval:check_rbl_results_for('relay', '127.0.0.7')
describe X_OSIRU_NOCONF DNSBL: sender subscribes to newslet
> Hmm, it seems that it's trying to match an actual perl regexp, so you'll
> want
> .*@PASSPORT.COM
just an update:
I have changed all my whitelist_from entries in the SQL table to be
.*@domain.dom instead of *@domain.dom.
.*@reply.pm0.com is one of them. However mail from this domain isn't g
This message came out with a spam phrase score well over 100 (2,198 for 'for
your')
... pushing it over the edge as a false positive. I had another one do
something similar today. It seems
in the latest CVS the spam phrase stuff is broken.
The whole message reads:
I have no idea what he i
I'll just call it .
C
On Mon, 2002-02-04 at 09:04, Scott Walde wrote:
> On 4 Feb 2002, Craig Hughes wrote:
>
> > Yeah, I just looked it up online:
>
> Sorry, hit send before I saw this.
>
> > I'll cover all of those prefixes in a single rule and rescore with the
> > GA.
>
> Please also notic
I'm attempting to get spamassassin running on our primary mail server for
our company and am not having much luck.
The system is:
FreeBSD 4.5-STABLE
Sendmail 8.12.2
spamassassin 2.01
spamass-milter 0.1.1
I've installed spamass-milter and have spamd running, things will work
for about 5 to 10
On 4 Feb 2002, Craig Hughes wrote:
> Yeah, I just looked it up online:
Sorry, hit send before I saw this.
> I'll cover all of those prefixes in a single rule and rescore with the
> GA.
Please also notice: I'm looking for either '-'es or ' 'es in the phone
number as the spam I got was in the fo
After running about a week of tests, I noticed the following missed very often.
1. German spams (not much you could do about it, and I'm not ready to run GA here
myself very often).
2. Spanish and South American spams (they *do* hit the US, don't they).
3. 419s. Has someone special rules for the
On 4 Feb 2002, Craig Hughes wrote:
> I don't think 866, 855, 844, etc are toll free numbers. 877, 888 and
> 800 are it AFAIK. Does make sense to add 877 to the 888 rule though,
> and to make the - into a [\-\s]
I made a mistake. 811 is reserved for special use. The others are all
reserved or
> I don't think 866, 855, 844, etc are toll free numbers. 877, 888 and
> 800 are it AFAIK. Does make sense to add 877 to the 888 rule though,
> and to make the - into a [\-\s]
866 is a toll-free area code.
Regards,
Andrew
___
Spamassassin-talk maili
On Sun, Feb 03, 2002 at 01:29:31PM -0800, Craig Hughes wrote:
> Yeah, I'd seen this claim of non-compliant headers in a few places that
> seemed OK to me too -- The regex it's checking is pretty nasty though.
> I'll see if I can figure out what jm was trying to do there and fix it.
Forgive me, I
Yeah, I just looked it up online:
What is a Toll Free Number?
This probably seems a little basic, but a toll free number is a
telephone number that can be called at no cost to the caller, because
the recipient pays for the cost of the call. Also referred to as 800
numbers after the origina
At 08:27 AM 2/4/2002 -0800, Craig Hughes wrote:
>I don't think 866, 855, 844, etc are toll free numbers. 877, 888 and
>800 are it AFAIK. Does make sense to add 877 to the 888 rule though,
>and to make the - into a [\-\s]
866 *is* toll free in the USA, just like 800, 888, 877.
reb
___
I don't think 866, 855, 844, etc are toll free numbers. 877, 888 and
800 are it AFAIK. Does make sense to add 877 to the 888 rule though,
and to make the - into a [\-\s]
C
On Mon, 2002-02-04 at 07:59, Scott Walde wrote:
> The following one got through. I changed CALL_888 to:
>
> body CALL_8
The following one got through. I changed CALL_888 to:
body CALL_888
/(?:call|dial).{1,15}8(?:88|77|66|55|44|33|22|11)[\-\s][\dA-Z]+[\-\s]?[\dA-Z]+/i
(I suppose I could add '00' and lose the CALL_1_800 test, but 1-800 is
scored higher than 888.)
and it triggers now. The message still only sco
Greetings
I'm trying to stem the spam/uce flow that daily threatens my
Center.
Our Mail Server is a good-old unix server running THE postfix (thanks to
Wietse!) and I wish to enforce its anti-uce filtering with SpamAssassin
but I've found almost no hints anywhere on how to configure Pos
On Mon, Feb 04, 2002 at 09:39:16AM -0500, Edward Fang wrote:
> One of our users who is heavy into Debian Linux (Ben Collins - giving
> credit) found a problem where SA would start tagging Bad RFC822 header
> formatting into the headers if there was a tab/nospace in the Subject line.
> He changed t
Thanks Ed,
I already had something similar checked in to CVS.
C
On Mon, 2002-02-04 at 06:39, Edward Fang wrote:
>
> One of our users who is heavy into Debian Linux (Ben Collins - giving
> credit) found a problem where SA would start tagging Bad RFC822 header
> formatting into the headers if th
On Mon, 4 Feb 2002, Edward Fang wrote:
> In the file perl5/Mail/SpamAssassin/NoMailAudit.pm (wherever you
> installed this), you will find these lines (starting at around 118 in my
> file):
>
> } elsif (/^([^\x00-\x1f\x7f-\xff :]+): (.*)$/) {
> $hdr = $1; $val = $2;
> $val =~ s/\
One of our users who is heavy into Debian Linux (Ben Collins - giving
credit) found a problem where SA would start tagging Bad RFC822 header
formatting into the headers if there was a tab/nospace in the Subject line.
He changed the regex for it, and it looks like it works. I'm submitting
this to
* peter green <[EMAIL PROTECTED]> [020204 07:23]:
> * Daniel Pittman <[EMAIL PROTECTED]> [020203 14:18]:
> > X-Mail-Format-Warning: Bad RFC822 header formatting in Date: Sun, 3 Feb 2002
>14:31:08 + (GMT)
> >
> > Of course, that's /not/ an invalid RFC822 date, it's SpamAssassin[1]
> > decidin
* Daniel Pittman <[EMAIL PROTECTED]> [020203 14:18]:
> Most messages that I get, these days, match the "missing date" test,
> and end up with something like:
>
> X-Mail-Format-Warning: Bad RFC822 header formatting in Date: Sun, 3 Feb 2002
>14:31:08 + (GMT)
>
> Of course, that's /not/ an
On Mon, Feb 04, 2002 at 12:09:40AM -0800, Craig Hughes wrote:
> No, it really is looking for actual control characters. The regular
> expression in question will match if it sees a string which starts with
> 'http://' then features a control character (ascii <= 0x1f except CR and
> LF) before it
Got some nice feedback from Theo Van Dinter on my RPMs, and have built
new ones based on his suggestions using the 2.01 distribution. They're
in the usual place http://www.hughes-family.org/spamassassin/
Specifically, these should fix the following problems:
* Updated for 2.01 release
* Changes
On Mon, 2002-02-04 at 02:34, Matt Sergeant wrote:
Not much of a DoS attack to launch it against your own email server, and
leave the trace in your own user file ;-)
Well, I could get user-level access to your mail server through some
other method, then discover you're running SA, edi
> -Original Message-
> From: Craig Hughes [mailto:[EMAIL PROTECTED]]
>
> On Mon, 2002-02-04 at 00:07, Jeremy Zawodny wrote:
> > The docs are right that this is probably a security flaw.
>
> What's the flaw? As long as we're not doing "use re
> 'eval'" in the
> code, of
Yeah, it couldn't hurt, but it should still match
C
On Mon, 2002-02-04 at 02:30, Matt Sergeant wrote:
Perhaps the RE just needs /s added on the end. Not entirely sure though
without further testing.
Matt.
--
<:->Get a smart net
> -Original Message-
> From: Jeremy Zawod
Perhaps the RE just needs /s added on the end. Not entirely sure though
without further testing.
Matt.
--
<:->Get a smart net
> -Original Message-
> From: Jeremy Zawodny [mailto:[EMAIL PROTECTED]]
> Sent: 04 February 2002 08:02
> To: Craig Hughes
> Cc: Daniel Pittman; [EMAIL PROTECTED]
I already added that to our ruleset here. One of the biggest things I'm
working on is balancing out the GA by adding rules that subtract from the
spam score. I think that'll help the GA big time. But I'm way behind at the
moment - processing 30,000 emails a day to check if they're spam or not is a
Should be able to take care of that with
lang fr body CORRECT_FOR_EXCHANGE /Ce message est en format MIME/
in a 30_rules_fr.cf file
or however you might see it in french. By the way, if you'd like to
produce a 30_text_fr.cf with french translations of the descriptions,
I'd be happy to rol
Hi,
> body CORRECT_FOR_EXCHANGE /This message is in MIME format/
> score CORRECT_FOR_EXCHANGE -2.6
> describe CORRECT_FOR_EXCHANGE Correct for MIME 'null block'
Some mailer programs do use a message in French for these lines (or at
least I have received in the past email that have suc
On Mon, 2002-02-04 at 00:07, Jeremy Zawodny wrote:
> The docs are right that this is probably a security flaw.
What's the flaw? As long as we're not doing "use re 'eval'" in the
code, of course.
The relevant line of code is this:
if ($addr =~ /$regexp/i) { return 1; }