[SAtalk] SA in the news: Reason

2003-10-31 Thread Kenneth Porter
The November issue of Reason (http://www.reason.com/) has an article by Wendy Grossman (http://www.pelicancrossing.net/) on spam that mentions SA quite favorably. The article should appear on the Reason website once the December issue is released. -

Re: [SAtalk] using spamd/spamc to reject SMTP connection

2003-10-31 Thread Kenneth Porter
--On Friday, October 31, 2003 3:27 PM -0600 Bob Apthorpe <[EMAIL PROTECTED]> wrote: > You could track the IP addresses of systems sending you spam from your > mail logs, drop those into a sendmail access list, then reject (5xx) or > tempfail (4xx) those systems for an hour or so, and reject more >

RE: [SAtalk] New virus W32.MIMAIL.C

2003-10-31 Thread Yackley, Matt
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Stephane Lentz > Sent: Friday, October 31, 2003 7:10 PM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: Re: [SAtalk] New virus W32.MIMAIL.C > > On Fri, Oct 31, 2003 at 12:10:23PM -0500

Re: [SAtalk] "Failed to run BAYES_NN SpamAssassin test, skipping" problems

2003-10-31 Thread Greg Earle
> Could it be quotas? Nope, no quotas in use. It's definitely gagging on attemping to sync the journal. I put in some debug statements, and when BayesStore.pm sees that the journal is larger than 102400 bytes and goes to sync it, out pops the errors. I clamped a "truss" on "spamd" and all I see

Re: [SAtalk] New virus W32.MIMAIL.C

2003-10-31 Thread Stephane Lentz
On Fri, Oct 31, 2003 at 12:10:23PM -0500, [EMAIL PROTECTED] wrote: > Here's some info > http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED] > > I'm using the following in local.cf to score these messages high enough > to be rejected. > > header W32_MIMAIL_C Subject =~ /our private photos/ >

[SAtalk] Announce: Update to obfuscated rule generator

2003-10-31 Thread Chris Thielen
Hi, I just put a new version of the obufscated rule generator online (up to 0.00.0.0001b already!). I got some good advice from Wolfram (Thanks!). It seems (from my small testing) that the speed of the rules is much improved due to using character classes. The generated rules are also significa

Re: [SAtalk] spamd "unable to find user"?

2003-10-31 Thread Theo Van Dinter
On Thu, Oct 30, 2003 at 09:43:10PM -0500, [EMAIL PROTECTED] wrote: > wondering why spamd is even looking for users, since all it's presumably > supposed to do is tag spam. Is this something I can get spamd to stop > even looking for, since it's only supposed to scan for relay? all it does is tag

Re: [SAtalk] Using MRTG to display highest connection counts

2003-10-31 Thread Mark
- Original Message - From: "Kelsey Cummings" <[EMAIL PROTECTED]> To: "Mark" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, October 31, 2003 2:00 AM Subject: Re: [SAtalk] Using MRTG to display highest connection counts > On Thu, Oct 30, 2003 at 02:17:35PM +, Mark wrote: > >

[SAtalk] maillog 153 Seconds

2003-10-31 Thread Eric
What would cause spam to be identified (as shown in maillog) in 153 seconds most spam are detected under 1 second ? --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it h

[SAtalk] About FORGED_IMS_TAGS

2003-10-31 Thread Daniel C. Sobral
I hope this is the right list to post this to. If not, please advise. I have just upgraded to SA 2.60 yesterday, and suddenly I'm getting a lot of false positives. Three I got myself were all triggered by FORGED_IMS_TAGS. The guy next to me received a lot more, all FORGED_IMS_something (I didn'

Re: [SAtalk] spamd processing time excessive

2003-10-31 Thread Eric
what is typical in your maillog? --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://

[SAtalk] help

2003-10-31 Thread Thomas Kinghorn
> Hi List. > > I am still trying to come to grips with regex's. > > I am using the one below to score variations on "SEX" > > \b[Ss][ ./_*-]*[Ee][ ./_*-]*[Xx]\b > > Is this syntax correct. > I have tested using various mails and so far no false positives HOWEVER, > my colleague complained that

[SAtalk] Spamassassin setup for qmail system-wide filetering of onlyincomming emails

2003-10-31 Thread Hemant Jena
* Spamassassin setup for qmail - system wide mail delivery DOES NOT WORK! However, it works for indivdual user. I read an article "How to use Spamassassin together with Qmail" at http://www.magma.com.ni/~jor

Re: [SAtalk] Postfix Spamtrap Configuration

2003-10-31 Thread Patrick von der Hagen
Mark Hepler wrote: [...] does anyone know of a website that has an example of setting up a spamtrap like this with postfix ? I don't know about postfix, but since you mention courier I'd suggest a slightly different approach. If your users use IMAP it might be easier to have them copy their mail

Re: [SAtalk] using spamd/spamc to reject SMTP connection

2003-10-31 Thread Bob Apthorpe
On Fri, 31 Oct 2003 11:30:29 -0800 "Josiah DeWitt" <[EMAIL PROTECTED]> wrote: > I just installed SpamAssassin and got it working, but it just drops or > marks spam after it has already accepted it. While this /dev/null type > behavior is great, I would rather discourage spammers by refusing the >

[SAtalk] Doesn't obey my whitelist_from

2003-10-31 Thread Dr Aldo Medina
Debain Sarge with Spamassassin deb 2.60-2. Even when I have in my /etc/spamassassin/local.cf file the following line: whitelist_from [EMAIL PROTECTED] Mail like the following is always marked as spam: Return-path: <[EMAIL PROTECTED]> Envelope-to: [EMAIL PROTECTED] Delivery-date: Fri, 31 Oct 2

[SAtalk] Postfix Spamtrap Configuration

2003-10-31 Thread Mark Hepler
I have a mail server setup running: postfix, maildrop, courier anomy sanitizer, spamassassin 2.6 (spamc/spamd)and I want to setup a spamtrap account that users can forward spam that was not identified as such by SA to for learning. the spamassassin docs mention the use of an alias to pipe the

Re: [SAtalk] using spamd/spamc to reject SMTP connection

2003-10-31 Thread Matt Kettler
look at spamass-milter or a similar milter-level plugin to sendmail. They can generally be configured to issue a 5xx level error at the end of the SMTP DATA phase if the SA score is over some threshold level. At 02:30 PM 10/31/2003, Josiah DeWitt wrote: I just installed SpamAssassin and got it w

Re: [SAtalk] "Failed to run BAYES_NN SpamAssassin test, skipping" problems

2003-10-31 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Could it be quotas? - --j. -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Exmh CVS iD8DBQE/ossiQTcbUG5Y7woRAvyVAJ9v6PJceNXKeQ1E/qG7SatQDEh3SACglxHn J+zi/HNImGHN/2ipFoBobUE= =G/Bi -END PGP SIGNATURE- -

Re: [SAtalk] "Failed to run BAYES_NN SpamAssassin test, skipping" problems

2003-10-31 Thread Greg Earle
Justin Mason wrote: >> Update: >> >> If I run >> >> # su courier -c "/usr/perl5/bin/sa-learn --showdots --rebuild" >> >> to rebuild the SA database, the "bayes_journal" file gets rotated/removed(?) >> and I stop getting the "Failed to run BAYES_NN ... " error messages ... >> >> ... for awhile.

Re: [SAtalk] using spamd/spamc to reject SMTP connection

2003-10-31 Thread Kelsey Cummings
On Fri, Oct 31, 2003 at 11:30:29AM -0800, Josiah DeWitt wrote: > I just installed SpamAssassin and got it working, but it just drops or marks spam > after it has already accepted it. While this /dev/null type behavior is great, I > would rather discourage spammers by refusing the connection peri

Re: [SAtalk] using spamd/spamc to reject SMTP connection

2003-10-31 Thread Patrick Morris
In most cases I can think of, spamc doesn't get the message until after the connection is already finished. A milter is the only way I can think of you can get a result from SA before Sendmail's finished receiving the mail, and all the milters I'm aware of are capable of just the sort of behav

[SAtalk] Practical limits on white/black lists

2003-10-31 Thread Adam Lanier
Is there a practical limit on the number of entries you can put in a white/black list? At what point does the number of entries begin to affect performance? -- Adam Lanier Bernard L. Madoff Investment Securities LLC 212.230.2491 signature.asc Description: This is a digitally signed message par

RE: [SAtalk] Log Question...

2003-10-31 Thread Larry Gilson
> -Original Message- > From: Dan Tappin [mailto:[EMAIL PROTECTED] > Sent: Friday, October 31, 2003 11:19 AM > To: [EMAIL PROTECTED] > Subject: [SAtalk] Log Question... > > > Below is a snippet from a recent post to the list: > > > Oct 30 14:12:40 ns1 MailScanner[3201]: Message h9UMAPR

RE: [SAtalk] Rule for reverse lookup similarities

2003-10-31 Thread Larry Gilson
> -Original Message- > From: Chris Santerre [mailto:[EMAIL PROTECTED] > Sent: Friday, October 31, 2003 10:21 AM > To: 'Patrick Morris'; Steven Manross > Cc: SA Mailing list > Subject: RE: [SAtalk] Rule for reverse lookup similarities > > > > > > > Steven Manross wrote: > > > > >I'm

RE: [SAtalk] Rule for reverse lookup similarities

2003-10-31 Thread Larry Gilson
> -Original Message- > From: Bob Apthorpe > Sent: Friday, October 31, 2003 1:03 PM > To: [EMAIL PROTECTED] > Subject: Re: [SAtalk] Rule for reverse lookup similarities > --snip-- > The big problem is when ISPs don't differentiate their static > allocations from their dynamic allocatio

[SAtalk] using spamd/spamc to reject SMTP connection

2003-10-31 Thread Josiah DeWitt
I just installed SpamAssassin and got it working, but it just drops or marks spam after it has already accepted it. While this /dev/null type behavior is great, I would rather discourage spammers by refusing the connection period. I was wondering if there is a way of using spamd/spamc to reject

RE: [SAtalk] New kind of spam

2003-10-31 Thread Covington, Chris
Autoresponder list spam? That's a good idea actually, until the list finds out which address is causing these bounce spams. The best part of the idea is that it could potentially be unintentional (someone could've let their domain expire and pool.com bought it up and auto-replies). Chris > This

Re: [SAtalk] Re: bayesian pollution

2003-10-31 Thread hank
On Fri, Oct 31, 2003 at 11:56:38AM -0600, Chris Barnes wrote: > Somebody was watching "The ScreenSavers" last night, right? Chances are someone was, but not I. I'll check their website for related information. --- This SF.net email is sponsore

Re: [SAtalk] How filter ...

2003-10-31 Thread Bob Apthorpe
On Thu, 30 Oct 2003 13:57:51 -0500 Matt Kettler <[EMAIL PROTECTED]> wrote: > At 10:23 AM 10/30/2003, Andrea Riela wrote: > >Hi folks, > > > >How could I filter this type of spam: > > > >Penis > >P.enis > >Pe.nis > >Pen.is > >Peni.s > > This regex should work for a custom rule to match those patte

[SAtalk] sa-learn error

2003-10-31 Thread Mike Hyde
I am running into the following running sa-learn --dump: Use of uninitialized value in numeric lt (<) at /usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin/BayesStore.pm line 1281. 0.000 0 0 0 non-token data: bayes db version 0.000 0 0 0 non-to

Re: [SAtalk] "Failed to run BAYES_NN SpamAssassin test, skipping" problems

2003-10-31 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Greg Earle writes: >Update: > >If I run > ># su courier -c "/usr/perl5/bin/sa-learn --showdots --rebuild" > >to rebuild the SA database, the "bayes_journal" file gets rotated/removed(?) >and I stop getting the "Failed to run BAYES_NN ... " error messa

[SAtalk] Design and

2003-10-31 Thread Matt Van Gordon
secondsystems[1].htm Description: Binary data

Re: [SAtalk] Rule for reverse lookup similarities

2003-10-31 Thread Bob Apthorpe
On Fri, 31 Oct 2003 09:47:07 -0700 "Steven Manross" <[EMAIL PROTECTED]> wrote: [...] > I see everyone's concerns, and they are duly noted. Yes, real > businesses have IPs in dynamic/DSL ranges for real reasons. No doubt the huge price difference between 'residential-class' and 'business-class' s

Re: [SAtalk] AWL

2003-10-31 Thread Jeremy Hein
Thanks, but I realized that I was using redhat's service spamassassin start command and the script sent spamd the -a command. Thanks again for your help. Jeremy On Thu, 2003-10-30 at 23:10, Matt Kettler wrote: > At 08:13 PM 10/30/03 -0800, Jeremy Hein wrote: > >I added use_auto_whitelist 0 to > >

Re: [SAtalk] Rule for reverse lookup similarities

2003-10-31 Thread Bob Apthorpe
On Thu, 30 Oct 2003 19:50:49 -0800 Patrick Morris <[EMAIL PROTECTED]> wrote: > Steven Manross wrote: > > >I'm seeing a few/lot of spam that has a reverse lookup name that is like the > >originating IP. > > > >i.e. If it were 192.168.52.45 that was the originating IP, the reverse > >lookup might

RE: [SAtalk] Rule for reverse lookup similarities

2003-10-31 Thread Chris Santerre
*snip* > > Shouldn't users on dynamically-assigned IPs be sending their mail > through their ISP's mail server? Yes, but there are arguments against it. Can't remember them, but they exhist ;) > > The big problem is when ISPs don't differentiate their static > allocations from their dynamic al

Re: [SAtalk] New kind of spam

2003-10-31 Thread Marcio Merlone
BTW, I just got it replying this message :( To: "Fred" <[EMAIL PROTECTED]> Cc: "Ken Gordon" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> On Fri, 31 Oct 2003 14:50:50 -0200 Marcio Merlone <[EMAIL PROTECTED]> wrote: > On Thu, 30 Oct 2003 23:07:28 -0500 > "Fred" <[EMAIL PROTECTED]> wrote: > >

[SAtalk] Re: bayesian pollution

2003-10-31 Thread Chris Barnes
[EMAIL PROTECTED] wrote: > My question concerns recent reports of Spam that are appended with > large messages. Some of these messages are movie reviews or other > random articles which, I fear, may 'pollute' our token database in a > way that makes it less effective. I am seeking recommendation

RE: [SAtalk] Log Question...

2003-10-31 Thread Dan Tappin
Ahhh... that would explain it. I did not realize that. Nevermind... Thanks Matt, Dan > -Original Message- > From: Matt Kettler [mailto:[EMAIL PROTECTED] > Sent: Friday, October 31, 2003 10:30 AM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: [SAtalk] Log Question... > > >

Re: [SAtalk] Rule for reverse lookup similarities

2003-10-31 Thread Fred I-IS.COM
Steven Manross wrote: > For all interested.. I'm *NOT* looking to give this type of rule 5 > points. > > I want to give it something like .3 - .6 (but will play with it), as > noted by many, this isn't an indication of spam, but an indicator of a > possible spam-source. I believe that people who

[SAtalk] New virus W32.MIMAIL.C

2003-10-31 Thread Christopher . Rhodes1
Here's some info http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED] I'm using the following in local.cf to score these messages high enough to be rejected. header W32_MIMAIL_C Subject =~ /our private photos/ describe W32_MIMAIL_CKeep your viruses. score W32_MIMAIL_C 150 Does anyone

Re: [SAtalk] Log Question...

2003-10-31 Thread Matt Kettler
At 11:18 AM 10/31/2003, Dan Tappin wrote: Below is a snippet from a recent post to the list: > Oct 30 14:12:40 ns1 MailScanner[3201]: Is there a config option to have these triggered rules logged like that? My maillog simply has mail identified or not identified as spam. It would be great to

RE: [SAtalk] Rule for reverse lookup similarities

2003-10-31 Thread Steven Manross
For all interested.. I'm *NOT* looking to give this type of rule 5 points. I want to give it something like .3 - .6 (but will play with it), as noted by many, this isn't an indication of spam, but an indicator of a possible spam-source. I believe that people who don't own their own IP ranges, ca

RE: [SAtalk] Log Question...

2003-10-31 Thread spamassassin-talk
This may be useful to you or others. I have a solution compatible with exim and log this info to a separate file using exim_system_filter. if "$h_X-Spam-Checker-Version:" contains "XXX.suptech.com" then logfile /var/log/exim/exim_spamdlog logwrite "$tod_log $message_id X-Spam-Lev

Re: [SAtalk] New kind of spam

2003-10-31 Thread Marcio Merlone
On Thu, 30 Oct 2003 23:07:28 -0500 "Fred" <[EMAIL PROTECTED]> wrote: > I received one of these when I replied to a message from this list. > (...) > > Ken Gordon wrote: > > This looks to me to be a new, creative approach to spamming: (...) > > For more information on how you can backorder a doma

Re: [SAtalk] Error Line 1242 - Could someone please read this..

2003-10-31 Thread Evan Platt
--On Friday, October 31, 2003 7:29 AM -0800 "Nichols, William" <[EMAIL PROTECTED]> wrote: > > I get the error below, and haven't really been able to track it down (I > am not a Perl wiz like many of you :-P) > > If someone has seen this or can help me out that would be great. This is > Spama

[SAtalk] Log Question...

2003-10-31 Thread Dan Tappin
Below is a snippet from a recent post to the list: > Oct 30 14:12:40 ns1 MailScanner[3201]: Message h9UMAPR07828 from > 61.59.154.73 () > to userdomain.com is spam, SpamAssassin (score=28.325, required > 5, BAYES_99 > 6.00, FORGED_AOL_RCVD 4.10, FORGED_MUA_OUTLOOK 2.57, > FORGED_OUTLOOK_HTML 1.00,

[SAtalk] header: "Lid-Tracking: "

2003-10-31 Thread Eric J Bowser
Hi Guys, Has anybody ever seen this header before? I can find nothing about it on Google, and I can't ever remember seeing it until receiving two seemingly unrelated spams today that had it. If somebody can confirm that there is no valid place for this header, I'll start scoring on it... Thanks

[SAtalk] Error Line 1242 - Could someone please read this..

2003-10-31 Thread Nichols, William
I get the error below, and haven't really been able to track it down (I am not a Perl wiz like many of you :-P)   If someone has seen this or can help me out that would be great.  This is Spamassassin 2.6     Argument "[EMAIL PROTECTED]"?" isn't numeric in numeric lt (<) at /usr/lib/perl5/s

RE: [SAtalk] Rule for reverse lookup similarities

2003-10-31 Thread Frank Pineau
> > This is a *very* common naming convention for ISPs that > > assign dynamic > > IPs. You'll get a *lot* of false positives if you score based on that. > > > Be very careful. This isn't just dynamic IP's. When I install business DSL for my customers, the PTR record is always like that whe

[SAtalk] spamd processing time excessive

2003-10-31 Thread Eric
most of my emails process by spamd under a second but some are taking 150 seconds what would cause this. the box is only used for email. thanks for any input --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net

RE: [SAtalk] Rule for reverse lookup similarities

2003-10-31 Thread Chris Santerre
> > Steven Manross wrote: > > >I'm seeing a few/lot of spam that has a reverse lookup name > that is like the > >originating IP. > > > >i.e. If it were 192.168.52.45 that was the originating IP, > the reverse > >lookup might be 192-168-52-45-clients.domain.com > > > > > This is a *very* com

[SAtalk] bayesian pollution

2003-10-31 Thread hank
Greetings, I am currently running a multi-user system in which mail is filtered using a centralized database of tokens. While I realize it is not the ideal solution for filtering, I am in the process of implementing a system that will allow users to submit Spam/Ham samples to their own separated

[SAtalk] Re: How can I mark all mails with specific words in the subject as spam?

2003-10-31 Thread Gerhard Hofmann
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says... > > You could add a second header with Procmail easily. Or just add > X-Spam-Status to any messages which don't already have it. > > :0fhw > * ! ^X-Spam-Status: > * ^Subject: \/(fr33|h0t|w0m3n) > | formail -I "X-Spam-Status: Yes (S

Re: [SAtalk] Understanding AWL processing

2003-10-31 Thread Jay Levitt
> Each day I see a new message by this guy and add a new rule to find his > tracking codes. Your original un-munged e-mail address was in that base64 > text of that header. Since only a spam or two a day gets through from him, it's probably not worth it - one of the disadvantages of being a one-p

[SAtalk] Re: spamassassin configuration

2003-10-31 Thread Nancy McGough
On 31 Oct 2003 Sarvesh Singhal ([EMAIL PROTECTED]) wrote: > I tried putting the following in .forward file but does not works > > "|IFS=' ' && exec /usr/bin/procmail || exit 75 #username" This is not the way to invoke procmail in RedHat 7.3 (or in most modern Linuxes). I have step-by-step inst

[SAtalk] spamassassin configuration

2003-10-31 Thread Sarvesh Singhal
I tried putting the following in .forward file but does not works "|IFS=' ' && exec /usr/bin/procmail || exit 75 #username" With Regards, Sarvesh Singhal --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net

[SAtalk] spamAssassin config

2003-10-31 Thread Sarvesh Singhal
Hi all, - I have recently installed spamassassin 2.60 rpm on my redhat 8.0 with sendmail server running on it. -- I believe I have to configure my .forward and /etc/procmailrc file to process incoming mails by spamd Can anybody please tell me the steps to follow further With Regards, Sarvesh Si

[SAtalk] Problems with RCVD_IN_NJABL_DIALUP

2003-10-31 Thread web4.hm - Peter Padberg
Hi folks! I installed the SA2.60 on mine webserver and now I have a question: I have 2 qmail-servers: 81.3.4.66 and 81.3.4.67 They work on two diffrent machines. Only on 81.3.4.67 is the SA installed. On 81.3.4.66 works only qmail without SA. Now I write an empty Email from *.66 to *.67 It loo

[SAtalk] Re: tok_put atime uninitialized

2003-10-31 Thread era
On Thu, 30 Oct 2003 14:53:09 -0800, Kenneth Porter <[EMAIL PROTECTED]> posted to gmane.mail.spam.spamassassin.general: > In other code (MIMEDefang) I've seen the use of a positional > parameter list (eg. "()") on functions to ensure that enough > values are passed. Does it make sense for SA

Re: [SAtalk] "rewrite_subject" doesn't work?

2003-10-31 Thread Pedro Sam
I use spamd/spamc with the following in my user_prefs file: rewrite_subject 1 subject_tag [SA _HITS_] and the subject is retagged to something like "[SA 12.35] This is spam" Pedro PS: have you tried "lint"ing your configuration, and restarted spamd? On October 30, 2003 11:56 pm, [EMAIL PROTECT

[SAtalk] "report_safe 1" breaks MIME messages

2003-10-31 Thread Ralf G. R. Bergs
Hi there, I'm pretty sure this has already been discussed here, but I can't find anything appropriate in the mail archives... :-( I've just received a message (erroneously) tagged as spam by my SpamAssassin installation (SpamAssassin 2.60 (1.212-2003-09-23-exp)). When I tried to open this mess

Re: [SAtalk] AWL

2003-10-31 Thread Matt Kettler
At 08:13 PM 10/30/03 -0800, Jeremy Hein wrote: I added use_auto_whitelist 0 to /etc/mail/spamassassin/local.cf but it still subtracts AWL in my report. Maybe I'm writing to the wrong config file? How do I find out where the right one is and how do I find out if spamassassin is using that option. 1)