Another indicator is the presence of http://www.wbegeds.com/ in the HTML
portion. Something for inclusion in the BigEvil list, I guess.
I'm attaching a sample of something that on first inspection looks like a
variant of the RND_UC_CHAR spam. The HTML part is different, but most
interesting is all the Bayes poison after the tag in the HTML part.
This seems like it should be easy to check for. What rule would one use to
count t
Just a quick note to let everyone know that I figured out my problem after
reading the spamd source.
It turns out that my /usr/local/bin/procmail had the setuid bit set on it
and it was owned by root therefore spamc was running as root rather than
as the user which resulted in spamd not reading th
Though his friends and family getting scored sounds very possibly like
some Bayes corruption going on because of the false negative
autolearn(ing) -- not a good thing.
Granted though, as the scoring from friends and family was not posted,
Bayes may not have had anything to do with it.
Hmm,
Robert Menschel wrote:
>
> I'm hoping someone can help me with mass-check, or more specifically with
> hit-frequencies.
>
> I've installed Cygwin on my W/XP-H box. Within Cygwin I've installed SA,
> not to use for mail filtering (that happens on my servers), but
> specifically for mass-check.
>
On Wed, 31 Dec 2003, Rich Puhek wrote:
> Would something like "excessive" instances of /(\w)\1/ work?
Yes, that sounds like a good idea. Which leads back to the request I made
previously for a mechanism to COUNT the number of occurrences of a match,
for 'excessive' use of something that is legitim
Theo Van Dinter wrote:
> There's been discussion about having to have both the original and
> recomputed score over/under the spam/ham autolearn score before it'll
> actually autolearn, but we haven't really done anything with that yet.
I think that would be a good modification. Right now there a
I'm running the latest release (2.61) on FreeBSD with the standard
sendmail+procmail config using spamc/spamd and it seems that user_prefs
are not working. I've tried setting up whitelists/blacklists and played
with the threshold value but it only acts on the standard values listed in
local.cf
Her
> On Wed, 31 Dec 2003 21:25:25 -0500,
> jennifer <[EMAIL PROTECTED]> (j) writes:
j> Thanks Martin. Remedied!
j> Jennifer
j> P.S. Watchin' Cirque du Soleil on Bravo these people are inhuman!
What?! You're not watching the History of Sex?! ;-)
Anyway, thanks to you
Hello Daniel,
Tuesday, December 30, 2003, 1:28:29 PM, you wrote:
DE> I recently added some personal rules to my user_prefs and tested them
DE> by running a few mail messages through spamassassin. They seem to
DE> work fine, but I'm still getting the spam and the rules aren't getting
DE> trigger
Hello pjh,
Tuesday, December 30, 2003, 3:24:01 PM, you wrote:
p> Is it true then, that if I do not use sa-learn, that
p> no Bayesian filtering occurs?
No, it is not true.
Bayesian filtering will take place if
a) the option is on by default or specifically in *.cf or user_prefs, and
b) at least
Thanks Martin. Remedied!
Jennifer
P.S. Watchin' Cirque du Soleil on Bravo these people are inhuman!
> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED] On Behalf Of Martin Radford
> Sent: Wednesday, December 31, 2003 9:08 PM
> To: jennifer
> Cc:
I'm hoping someone can help me with mass-check, or more specifically with
hit-frequencies.
I've installed Cygwin on my W/XP-H box. Within Cygwin I've installed SA,
not to use for mail filtering (that happens on my servers), but
specifically for mass-check.
Directory structure:
C:\cygwin
/hom
- Original Message -
From: "Martin Radford" <[EMAIL PROTECTED]>
> At Thu Jan 1 00:53:48 2004, jennifer wrote:
>
> > Bill Landry contacted me with some nice edits on Chickenpox. More
> > punctuation included (in addition to "."), and the set is now doubled to
> > include the subject.
>
On Wed, Dec 31, 2003 at 08:03:19AM -0800, Regis Wilson wrote:
> It seems incredibly easy to me to write an eval routine that extracts the
> email address of the To: field, extracts the part before the "@", and then
> finds that substring in the subject.
Yup. already have a rule for that. The ver
On Tue, Dec 30, 2003 at 05:17:54PM -0700, pjh wrote:
> I'm frustrated because I'm not getting unambiguous answers to my questions :-)
> Again, if I (as an end user) didn't use sa-learn at all, would Bayesian
> filtering occur
> on my incoming email (presumably because of a default or generic
> mod
On Wed, Dec 31, 2003 at 03:39:12PM +0100, Csaba Kiss wrote:
> debug: auto-learn: currently using scoreset 3. recomputing score based
> on scoreset 1.
> debug: Score set 1 chosen.
> debug: auto-learn: original score: 0.1, recomputed score: 0.001
> debug: Score set 3 chosen.
> debug: auto-learn? ye
At Thu Jan 1 00:53:48 2004, jennifer wrote:
> Bill Landry contacted me with some nice edits on Chickenpox. More
> punctuation included (in addition to "."), and the set is now doubled to
> include the subject.
Bear in mind that the subject line is incorporated as the first line
of the body when
On Tue, Dec 30, 2003 at 04:28:29PM -0500, Daniel Ellard wrote:
> I thought perhaps spamc/spamd wasn't looking at my user_prefs, but
> this doesn't seem to be the problem -- my whitelist and blacklist entries
> still are working as always. The only flags to spamd are -d and -L,
> so I don't see a prob
however, if you look for a word to start with BS, and someone emails a
"check out this bs" then...you could have problems...
Adam Schneider wrote:
On 12/31/03, Casper Gasper wrote:
Things like, '4 consonants in a row are not an English word'.
Shortstop? Matchstick? :)
Seriously, thoug
Helloo all,
Bill Landry contacted me with some nice edits on Chickenpox. More
punctuation included (in addition to "."), and the set is now doubled to
include the subject.
http://www.emtinc.net/includes/chickenpox.cf
or just read about the sets
http://www.emtinc.net/spamhammers.htm
Thank you
I get a lot of spam with the username (even the whole email address) in the
subject line. To wit:
To: [EMAIL PROTECTED]
Subject: user find your auto
To: [EMAIL PROTECTED]
Subject: At last, secrets of the rich finally revealed user
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED], grow your manh
Hi All,
Thanks for being so patient with me :)
Is it true then, that if Bayesian filtering is active, that each user has their
own version/customized database in their home ( ~/.spamassassin) directory
and that using sa-learn is essentially modifying this particular
database?
The problem here is
Is it true then, that if I do not use sa-learn, that
no Bayesian filtering occurs?
PH
- Original Message -
From: "Martin Radford" <[EMAIL PROTECTED]>
To: "pjh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, December 30, 2003 12:50 PM
Subject: Re: [SAtalk] user vs local prefs
Hi!
Recently my spamassassin autolearn feature went bonkers. I have problems
with the auto-ham learn. I paste here a part of the spamassassin -D output:
"[...]
debug: bayes: score = 1
[...]
debug: running meta tests; score so far=0.1
debug: auto-learn? ham=0.1, spam=7, body-hits=0.1, head-hits=0
Hi Martin,
Thanks for the response.
My main problem is that I'm struggling to build a conceptual model in my head of
how SA is working and where responsibility is delegated between
administrator settings and user settings.
I am seeing the filtering work - but I'm confused because I don't know if
I recently added some personal rules to my user_prefs and tested them
by running a few mail messages through spamassassin. They seem to
work fine, but I'm still getting the spam and the rules aren't getting
triggered. I've tracked this down to an apparent difference between
spamc and spamassassi
Kevin Roberts wrote:
>
> Hello all,
>
> I am new to the forum so forgive me if I ask a question that has been
> answered before.
>
> I am currently using the sa-learn system by forwarding a spam message that
> makes it through spamassassin to a spam only mailbox. I do the same with
> ham as wel
Roger Merchberger wrote:
Rumor has it that Charles Gregory may have mentioned these words:
[snippety]
Rule:
BODY RULENAME /a string/i
Coded Rule:
BODY RULENAME /a{1,3} s{1,3}t{1,3}r{1,3}i{1,3}n{1,3}g{1,3}/i
You get the idea. This could be quite burdensome to implement manually,
but an easy enough
Mandrake 9.2 dual boot Windoze / Linux, Dell Inspiron laptop 4150.
New to Linux, but loving it so far! Ex TRSDOS boy! but I still can't
type :-(
Would like to dump Windoze.
Running Sylpheed-Claws 0.9.8 and SpamAssassin with two isp accounts.
Using SMTP. ADSL.
Spam assassin filters on the fir
(I'm sorry for double posting. I didn't mean to post from the other
address. Maybe that first one will get snagged.)
Helloo all,
Bill Landry contacted me with some nice edits on Chickenpox. More
punctuation included (in addition to "."), and the set is now doubled to
include the subject.
http
At 03:27 PM 12/27/2003, you wrote:
Last month I offered some header rules for possible inclusion in a future
distribution. Those that passed muster have been formally submitted via
bugzilla.
I've now completed review of my "body phrase" rule set, and feel they're
ready for similar review.
Please lo
Bob Proulx wrote:
> > My normal daily email coming in scores higher than that. Heck, normal
> > emails from friends and family score at least 2.6 or higher. SO
> > something's a little whacky with SA, but I'm unsure of what it is. Anyone
> > got any ideas?
>
> What? Your friends and fami
Great, that solved it and thx for the reference site also. Seems like
there are some good resources there.
Rgds, -simon-
> -Original Message-
> From: Martin Radford [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 31, 2003 1:46 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> S
Err, one more time:
./sa-learn --spam --mbox fales-neg.txt
That is, don't forget the *spam*!! part!
Bryan
Bryan Hoover wrote:
>
> Dragoncrest wrote:
> >
> > Not sure what to make of this, but for some reason lately I've been
> > getting some emails getting through with either zero poin
Dragoncrest wrote:
> Not sure what to make of this, but for some reason lately I've been
> getting some emails getting through with either zero points or very low
> points scores that are obvious spam.
What you are observing is natural selection in action. All mail that
is correctly tagge
At Wed Dec 31 19:42:47 2003, pjh wrote:
>
> Hi All,
>
> Thanks for being so patient with me :)
>
> Is it true then, that if Bayesian filtering is active, that each
> user has their own version/customized database in their home (
> ~/.spamassassin) directory and that using sa-learn is essentially
Oh, that'd be:
./sa-learn --ham --mbox fales-neg.txt
That is, don't forget the 'ham' part.
Bryan
Dragoncrest wrote:
>
> Not sure what to make of this, but for some reason lately I've been
> getting some emails getting through with either zero points or very low
> points scores that are
Dragoncrest wrote:
>
> Not sure what to make of this, but for some reason lately I've been
> getting some emails getting through with either zero points or very low
> points scores that are obvious spam. Here's an example of the header on
> one of these emails.
>
> X-Spam-Status: No, hit
Not sure what to make of this, but for some reason lately I've been
getting some emails getting through with either zero points or very low
points scores that are obvious spam. Here's an example of the header on
one of these emails.
X-Spam-Status: No, hits=0.0 required=4.5 tests=BAYES_50 auto
Unfortunately the problem with SpamAssassin is that all the spam we
should be complaining to ISPs about we are simply silently accepting and
ignoring (perhaps reporting to DCC, Pyzor, Razor and Bayes...) and
/dev/null, that's it. For spammers, SA, it "only makes them stronger"
so to speak.
Maybe
At Wed Dec 31 20:48:12 2003, S. M. C. Butler wrote:
> debug: Razor2 is available
> debug: entering helper-app run mode
> razor2 check skipped: No such file or directory Insecure dependency in
> open while running with -T switch at
> /usr/local/lib/perl5/site_perl/5.8.0/sun4-solaris/Razor2/Client/C
"S. M. C. Butler" wrote:
>
>
> Hi all,
>
> I just found a new problem with razor. I'm seeing the following
>
> debug: Razor2 is available
> debug: entering helper-app run mode
> razor2 check skipped: No such file or directory Insecure dependency in
> open while running with -T switch at
Heh.
Building on Adam's perl script, this rendition will print the words it
sees which begin with rare tuples.
my (@rare_tuples) = qw/bb bc bd bf bg bh bj bk bm bn bp bq bs bt bv bw bx bz
cb cc cd cf cg cj ck cm cn cp cq cs ct cv cw cx
db dc dd df dg dj dk dl dm dn dp dq ds dt dv dx dz
eh ez
fb fc fd
> Is it a new spammer trick (base64 body with URL base64
> representation split across several lines)?
It could be, but I suspect it's simply a coincidence. base64 encoding is normally done
with a forced line length for the encoded data, and it has always been this way. When
decoding bas
Hi all,
I just found a new problem with razor. I'm seeing the following
debug: Razor2 is available
debug: entering helper-app run mode
razor2 check skipped: No such file or directory Insecure dependency in
open while running with -T switch at
/usr/local/lib/perl5/site_perl/5.8.0/sun4-solar
On 12/31/03, Jonas Eckerman wrote:
>
>On Wed, 31 Dec 2003 14:04:45 -0600, Adam Schneider wrote:
>
>> DUBIOUS WORD BEGINNINGS:
>
>One problem with this is of course acronyms and names (lots of English-writing people
>have non-English names, and names of products (especially software) often include
I'm testing a spam filter using RedHat Linux 9, avavis-new, and
Spamassassin. It seems to be working as I'm seeing mail flagged as spam,
but I don't see any entries in my maillog from spamassassin, and neither
does sa-stats.
I've read the FAQ and a bunch of how-to's but I don't see how to control
On Wed, 31 Dec 2003 14:04:45 -0600, Adam Schneider wrote:
> DUBIOUS WORD BEGINNINGS:
One problem with this is of course acronyms and names (lots of English-writing people
have non-English names, and names of products (especially software) often include
acronyms).
"WMWare" for example would ha
On Tue, 30 Dec 2003 12:13:16 -0800, Ray Dzek wrote:
> Is there some perl script or such that can tell us rules triggered
> on spamc/spamd and graph how often each rule is triggered?
If you get it to log results, a not too complex perl script could do this. If you're
using MIMEDefang, you can u
On 12/31/03, Chris Santerre wrote:
>
>Don't go crazy! Wait a little longer. A LOT of work has already been done.
>Soon. Very soon ;)
I didn't go crazy; it really did just take a few minutes. Using the word list from an
anagram-generating program, here's what I came up with. Maybe someone will f
On Wed, 31 Dec 2003 12:09:20 -0500 (EST), Charles Gregory wrote:
> Coded Rule:
> BODY RULENAME /a{1,3} s{1,3}t{1,3}r{1,3}i{1,3}n{1,3}g{1,3}/i
Another idea could be to use some less precise text matching. Check the following
modules that could all be used for matching:
Fuzzy string matching:
S
Don't go crazy! Wait a little longer. A LOT of work has already been done.
Soon. Very soon ;)
Just hate to see you do a lot of work that someone already has. Great
ruleset coming
--Chris
> -Original Message-
> From: Adam Schneider [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December
Rumor has it that Jennifer Wheeler may have mentioned these words:
> On 12/31/03, Casper Gasper wrote:
> >
> >Things like, '4 consonants in a row are not an English word'.
>
> Shortstop? Matchstick? :)
>
> Seriously, though, looking for patterns is an interesting idea. For
> instance, English si
> -Original Message-
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 31, 2003 12:06 PM
> To: Dallas L. Engelken
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Spell Checking the Subject Header (RESULTS)
>
>
> On Wed, Dec 31, 2003 at 12:02:50PM -0600, Dallas
On Wed, Dec 31, 2003 at 12:02:50PM -0600, Dallas L. Engelken wrote:
> spell checking hurts obfu because splitting a correctly spelled word
> with a word boundary will cause 2 or more misspelled words...
>
> Subject: looking for xa/nax,
>
> looking: ok
> for: ok
> xa: not found
> nax: not found
> -Original Message-
> From: Chris Santerre [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 31, 2003 10:13 AM
> To: 'Fred'; Dallas L. Engelken;
> [EMAIL PROTECTED]
> Subject: RE: [SAtalk] Spell Checking the Subject Header (RESULTS)
>
>
> LOL, I wondered when you would chime in Fre
> On 12/31/03, Casper Gasper wrote:
> >
> >Things like, '4 consonants in a row are not an English word'.
>
> Shortstop? Matchstick? :)
>
> Seriously, though, looking for patterns is an interesting idea. For
> instance, English simply does not allow you to begin a word with "vt" or
> "bs". Loo
Rumor has it that Charles Gregory may have mentioned these words:
[snippety]
Rule:
BODY RULENAME /a string/i
Coded Rule:
BODY RULENAME /a{1,3} s{1,3}t{1,3}r{1,3}i{1,3}n{1,3}g{1,3}/i
You get the idea. This could be quite burdensome to implement manually,
but an easy enough thing to automate 'behind
On 12/31/03, Casper Gasper wrote:
>
>Things like, '4 consonants in a row are not an English word'.
Shortstop? Matchstick? :)
Seriously, though, looking for patterns is an interesting idea. For instance, English
simply does not allow you to begin a word with "vt" or "bs". Looking for word
There is a ruleset that has been in testing for some time now. It basically
rocks. That is all I can say. It will be released soon. It will take care of
this kind of stuff. It has some FPs that are being worked out. Almost ready
:)
The creativity of people on this list never ceases to amaze me.
Oops :) my bad... I actually forgot I had that in there... that was
the start to another attempt, and midway through I got a second thought,
tried it, and forgot I did that. Haste to get my sub and powerball
ticket!
I shall get back on it ;) thx
Jen
> -Original Message-
> From: Br
I'm just talking off the top of my head here, but rather than running
words through a spell checker can't you make a linguistic analysis by
say, measuring the position of vowels in the word? I'm not sure
exactly how you'd measure that, but I'm prepared to bet that some
linguist has done resear
Won't that \n at the end of the regex match virtually ALL mail?
Brian
-Original Message-
From: Jennifer Wheeler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 31, 2003 12:06 PM
To: 'Chris Santerre'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] Rule to block Paris Hilton spam
Eureka! :)
Another idea that would work really well at the coding level:
The latest flavor of spam seems to be 'letter doubling'.
Ie. Lowwestt instead of lowest, etc, etc.
This form of obfuscation essentially creates a spelling error variant on
every rule we have out there. What would work really well, fro
Did you restart SA?
-Original Message-
From: [EMAIL PROTECTED] on behalf of Mathieu Nantel
Sent: Tue 12/30/2003 8:01 AM
To: [EMAIL PROTECTED]
Cc:
Subject: [SAtalk] Bigevil rules not being used..
Good day,
Eureka! :) believe this works, yes?? At least I think this is what
you are going for? Sorry for the wrap.
rawbody hilton_b64
/(aGV5IENvbWUgY2hlY2sgb3V0|PGh0bWw+DQo8Ym9keT4NCjxwP(khl|jxr)|aGV5DQoNCk
NvbWUgY2hlY2sgb3V0|\n)/
describe hilton_b64 Base 64 encoded paris hilton spam
score hilton_b
OK, per a suggestion I tried this rule as full. Nope still didn't see the
raw code. What am I missing? Is it possible to look for raw base64 code in
SA?
> -Original Message-
> From: Chris Santerre [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 30, 2003 9:35 AM
> To: 'Stephane Lentz'
LOL, I wondered when you would chime in Fred :) I think you have the
Dictionary memorized by now! Good ideas on limiting the subject matter. But
I think the numbers have to be watched closely. Or are you thinking to
ignore them and let the OBFU rules get them?
I would like to see result of that.
> Is there something I'm missing here? I was under the
> impression that SA parses
> all .cf files from the share/spamassassin folder.
>
Without more information about your setup, I am just guessing at what
might be the problem.
If you are running a program like amavisd-new, which chroot's i
At Wed Dec 31 00:17:54 2003, pjh wrote:
> My main problem is that I'm struggling to build a conceptual model
> in my head of how SA is working and where responsibility is
> delegated between administrator settings and user settings.
Some of the confusion might be caused by what you're interpretin
On Wednesday 31 December 2003 11:48 CET Paul Barbeau wrote:
> Every once in a while I get the message below; however, the file is on my
> hard drive in
> /usr/local/libdata/perl5/site_perl/i386-openbsd/Net/DNS/RR/.pm so I
> am not sure why I am getting it. Can anyone help?
records are for IP
On Mon, 29 Dec 2003 12:20:33 -0500, Kris Deugau wrote:
> IMHO, kernel-level file locks are far cleaner, but I don't know
> whether you can even do that cleanly with files accessed through
> DB_File. :/
That might depend on your OS. If perl supports the flag O_EXLOCK on
your platform (I only k
Hi Douglas,
Douglas Kirkland schrieb :
[...]
> And the world could end. What happens if some user messes with
> somebody elses stuff? That what logs are for and boot the user. You
> are god of the servers. Oh sorry, back to the real world. Give them
> guild line in the spamc line on how it w
Hi Brad,
Brad Koehn schrieb :
>
> On Dec 30, 2003, at 5:45 PM, Hans Gerber wrote:
> >
> >>> We only want spamd to listen on '--socketpath=path'. Spamc should
> >>> be invoked from within .procmailrc.
> >>
> >> I could not get this method to work.
> >
> > It does work, afaik unix-socket should be
Every once in a while I get the message below; however, the file is on my
hard drive in
/usr/local/libdata/perl5/site_perl/i386-openbsd/Net/DNS/RR/.pm so I am
not sure why I am getting it. Can anyone help?
Dec 31 05:28:10 hy-sm-01.hypernet.ca amavisd[30483]: (30483-08)
prolong_timer after spam_sc