Re: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)

Mitch (WebCob) wrote: Your missing the case where the mail is not coming from a private network or a nated server. I experience this problem (as mentioned in the bug report) from roaming users who are connecting through authenticated SMTP to their mail server, and relaying to me. I'd have to trust

Re: [WL] Re[2]: [WL] Re: [SAtalk] unfakeable Habeas watermark?

On Sun, 18 Jan 2004, Ian Southam wrote: > CG> carry a few spammers. Would we want to whitelist the AOL mail servers? |-P > Pick on the right people, AOL for their size generate very little spam. I still wouldn't whitelist them. ;-) > Now adelphia.net, level3 .. :-). Do I hear an earthlink?

[SAtalk] Re: Looking for comments on this rule: EMAIL in URL

On Sun, 18 Jan 2004 23:51:00 -0500, Tim B <[EMAIL PROTECTED]> writes: > ack just shoot my copy and past cleanup. > > uri MY_EMAILINURL_1/https?:([EMAIL PROTECTED])/i This an be subject to a mild denial of service attack. You probably mean to use '[EMAIL PROTECTED]' and '[^.]' instead of '.'

RE: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)

Your missing the case where the mail is not coming from a private network or a nated server. I experience this problem (as mentioned in the bug report) from roaming users who are connecting through authenticated SMTP to their mail server, and relaying to me. I'd have to trust all the IP pools of e

Re: [SAtalk] Looking for comments on this rule: EMAIL in URL

ack just shoot my copy and past cleanup. uri MY_EMAILINURL_1/https?:([EMAIL PROTECTED])/i Tim B wrote: because a lot of spam contains some email address in an embedded uri that I'm seeing. I threw together this rule: uri MY_EMAILINURL_1 /https?:([EMAIL PROTECTED])/i describe M

[SAtalk] Looking for comments on this rule: EMAIL in URL

because a lot of spam contains some email address in an embedded uri that I'm seeing. I threw together this rule: uri MY_EMAILINURL_1 /https?:([EMAIL PROTECTED])/i describe MY_EMAILINURL_1Contains what appears to be an Email Address in URL score MY_EMAILINURL_1 1.5

Re: [SAtalk] Ann: "Rules De Jour": An automated way to keep up with the latestrulesets

OK, I think this is a great idea.. However, I'm having a problem getting it running correctly on my FreeBSD box. Running FreeBSD 5.2 running Bash 2.05 and GNU wget 1.8.2. Everything works perfectly, but when I open the rule files, the have a dos ^M at the end of every line. Any insight as to

[SAtalk] Re: Is my spamtrap working?

Paul Fielding wrote: > However, when I look at the datestamp on the files in the .spamassassin > directory before and after processing the spam or ham, the datestamps haven't > changed. I can see that the database is getting use - whenever I check the > datestamp it has been quite recently updated

[SAtalk] Re: [RD] Offered Rules

Here's my next set of possible rules for submission to the SpamAssassin distribution set. URI rules may tend to be more transient than other types of rules, since it's so easy for spammers to change domain names. I'm therefore including only those that hit at least 0.15% of my spam. Well, the pill

RE: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)

At 05:49 PM 1/18/04 -0800, Mitch \(WebCob\) wrote: Problem with this fix is it only fixes things for my users locally - when my users send mail to someone else, they would have to set the same networks as trusted. This is untrue.. What ALL affected admins must do is set trusted_networks to is _the

Re: [SAtalk] 2.62 Problems

On Sun, Jan 18, 2004 at 09:13:23PM -0600, Mike Loiterman wrote: > You'll be happy to know that I just rebuilt SA from 5.6.1 and > everything works without hacking stuff up. I guess nobody will be > around to debug for 5.005 anymore! :) > Just one other question...do I have to rebuild pyzor and

RE: [SAtalk] 2.62 Problems

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Theo Van Dinter wrote: > On Sun, Jan 18, 2004 at 02:10:12PM -0600, Mike Loiterman wrote: >> Hrmm...I guess I would just build SA with that perl? Like perl5.6 >> Makefile.PL? I might mess with that later...Would I gain any

[SAtalk] How to re-process a whole /var/spool/mail/inbox file...

We have over 200 email accounts on our system. We were using outdated rules that was allowing hundreds of spam messages in each mail account, per day, slip by. Some of the users check their mail only once or twice a week (sometimes less). Over 95 percent of the messages in the boxes are

RE: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

Thanks for the list. Many are already in the latest update. I do look at what people send me. Because I use a bunch of DNSBLs I don't see as many spams as others. I also may have anywhere from 1-5 days lag between when I (We, you, ect,) get the spam and when I update. This is due to testing, ha

[SAtalk] Forgery rules for outblaze/mail.com & rambler.ru

Hi, Based on SPAM-L posts from admins at Outblaze (Suresh) and rambler.ru, I conjured up a few simple rules to detect forgeries from these domains: header RAA_FORGED_FROM_OUTBLAZE Received =~ /\.mr\.outblaze\.com/ describe RAA_FORGED_FROM_OUTBLAZE Received line forged to implicate

RE: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)

You remember correctly. I posted this bug report and Theo said a fix is pending in 2.70 - I don't know how many messages that will cause to go missing in the meantime - not sure how big a problem it is OR how they prioritize those things... Personally I'm with you - I think it's a BIG problem with

RE: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)

> >DynaBlock was adding 4.00 and if I remember correctly spamassassin had a > >problem where it was ignoring the fact that I was using my ISP's server. > > That is a bug. SA is supposed to skip dynablock checks on the first IP.. > > Anyone who's copy of SA is incorrectly checking dynablock against

Re: [SAtalk] Newbie queries, install and configuration

Hi, On Sat, 17 Jan 2004 15:44:14 +0200 "Hylton Conacher (ZR1HPC)" <[EMAIL PROTECTED]> wrote: > My query is this: Can I use SA if I am using Mozilla as my MTA to send > and receive my POP email ie no sendmail, qmail, fetchmail, just Mozilla > and sorting it into my local folders on Mozilla? Ye

Re: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)

At 08:23 PM 1/18/04 -0500, Gerry Doris wrote: My ip is listed in SORBS for the simple reason that it is in a dynamic block of addresses administered by my ISP. SORBS just states that I should use my ISP mail server which I already do. Since SORBS only adds 0.10 to the spamassassin total I'm not co

Re: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)

On Sun, 18 Jan 2004, Matt Kettler wrote: snip.. > 1) work with the RBL to get de-listed > > 2) change ISPs to move your IP to a different block. > > And that's about it.. The fact that SA notices that a source IP is listed, > even though you use a legitimate mail relay, is NOT a bug. It's > in

Re: [SAtalk] RE: New User

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sunday 18 January 2004 16:37, Kevin Hoffer wrote: > I just started using spam assassin today. I think everythings working > good, but I have a question. It is set to 5.0 to say spam or no spam and > I have gotten messages that are at like 12.3 and s

RE: [SAtalk] [RD] antidrug 0.2 available

Whoops. I announced the previous rev the day before I announced 0.2, so I didn't think I needed to repost the link http://mywebpages.comcast.net/mkettler/sa/antidrug.cf At 07:17 PM 1/18/04 -0500, you wrote: From where? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

[SAtalk] RE: New User

I just started using spam assassin today. I think everythings working good, but I have a question. It is set to 5.0 to say spam or no spam and I have gotten messages that are at like 12.3 and so on. How can I get it to just dump them instead of sending them through when they are that high. Kevin

RE: [SAtalk] [RD] antidrug 0.2 available

>From where? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Kettler Sent: Saturday, January 17, 2004 12:06 AM To: Spamassassin-Talk Subject: [SAtalk] [RD] antidrug 0.2 available Fixes a few minor issues: 1) corrected spelling of sildenafil citrate

Re: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)

At 11:22 PM 1/18/04 +0100, PieterB wrote: What's the best practice preventing this? Changing SpamAssassin in some way, masquerading/munging Received-headers, or something else? 1) work with the RBL to get de-listed 2) change ISPs to move your IP to a different block. And that's about it.. The fac

Re: [WL] [SAtalk] Yikes.. rules_du_jour

All, this message tried to address most of the comments made regarding RulesDuJour so far. On Sun, 2004-01-18 at 12:50, Martin Radford wrote: > At Sun Jan 18 16:06:13 2004, Charles Gregory wrote: > > > A thought, and a suggestion: > > > > Thought: Some of the rules in 'rules du jour' look like t

Re[4]: [SAtalk] what can we do with those spam mails

Hello Martin, Sunday, January 18, 2004, 3:58:34 AM, you wrote: >> L_MIME_BOUND_MANY_DIG -- 153s/0h of 92209 corpus (74874s/17335h) 01/17/04 MR> I've already modified the repeat counts for number of digits in MR> L_MIME_BOUND_MANY_DIG, since it's not constant: MR> header L_MIME_BOUND_MANY_DIG

[SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)

I have the same problem as listed on http://blog.f12.no/roller/page/anders/20040104#spamassassin_tweaking_2 Because Spamassassin scans all the received headers for RBLs, and not just checks if the one host connecting and delivering the mail is in the RBL (like most mailser

RE: [WL] [SAtalk] Yikes.. rules_du_jour

> > > > My wget client checks for a newer file, or did I miss your point? > > wget "cheats". It issues a "HEAD" command, and checks the timestamp. > If it turns out that it needs the file, then it issues a > "GET" command for it. > > This obviously saves downloading the file multiple times, bu

Re: [SAtalk] Re: Is my spamtrap working?

Quoting Bryan Hoover <[EMAIL PROTECTED]>: > The spamassassin run won't be able to use Bayes for testing a mail, as > the debug output says, until there's 200 each of spam, ham. And though > I've only used sa-learn for Bayes training, I assume the linked spamtrap > outline is sound, Bayes learning

Fwd: [SAtalk] Filtering per-recipient

Hi group, Got SA working, and I want to test it out on only a few users. I have SA set up to run when called from Amavisd, which is called by postfix, which is set up as a relay. Currently it is set up to put a ***SPAM*** tag on every email that is suspicios to every email that passes through i

Re: [WL] [SAtalk] Yikes.. rules_du_jour

At Sun Jan 18 20:41:08 2004, Scott Harris wrote: > > HTTP provides a straightforward way to avoid repeated > > downloads of a file that hasn't changed, by sending > > If-Modified-Since requests. > > > > Unfortunately wget doesn't yet support this, though it is > > mentioned in its TODO file.

Re: [SAtalk] Spamwriter

On Wed, 14 Jan 2004, Bob Apthorpe moaned: > ISPs don't need to charge customers for the privilege of unfiltered > outbound port 25 access; all I ask is that they tell customers it's > blocked and require them to specifically ask for it to be unblocked rather > than give it to them unblocked by defa

RE: [WL] [SAtalk] Yikes.. rules_du_jour

> > HTTP provides a straightforward way to avoid repeated > downloads of a file that hasn't changed, by sending > If-Modified-Since requests. > > Unfortunately wget doesn't yet support this, though it is > mentioned in its TODO file. (This is with wget 1.9.1, which > is the current > ve

Re: [SAtalk] New Ruleset Available!!! TRIPWIRE! You don't want to miss this o ne!

On Tue, 13 Jan 2004, Chris Santerre yowled: > "But what about PGP sigs?" > Taken care of! > > "But what about Embedded images?" > Taken care of! > > "But what about forwarded emails?" > Taken care of! > > "But what about certain yahoo groups?" > Guess? Taken care of! "But what about sourc

RE: [SAtalk] Selective filtering

Mark Look at this howto: http://advosys.ca/papers/postfix-filtering.html Check the section on filtered domains. You can put domain.com or [EMAIL PROTECTED] selectively in this file. Alan > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Mark S

[SAtalk] Re: 2.62 Problems

On Sunday 18 January 2004 20:16 CET Mike Loiterman wrote: > Anyone else seeing problems like this when they start 2.62 > > [12:39:50 [EMAIL PROTECTED]: /home/mike]# /usr/local/etc/rc.d/spamass.sh > start Can't use subscript on split at > /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin.

RE: [SAtalk] 2.62 Problems

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Theo Van Dinter wrote: > On Sun, Jan 18, 2004 at 01:16:26PM -0600, Mike Loiterman wrote: >> Anyone else seeing problems like this when they start 2.62 >> >> [12:39:50 [EMAIL PROTECTED]: /home/mike]# >> /usr/local/etc/rc.d/

Re: [SAtalk] 2.62 Problems

On Sun, Jan 18, 2004 at 01:26:59PM -0600, Mike Loiterman wrote: > So should I just comment out the line or should I wait from a fix? Comment out the line. -- Randomly Generated Tagline: I bet Einstein turned himself all sorts of colors before he invented the lightbulb. -- Home

Re: [SAtalk] 2.62 Problems

On Sun, Jan 18, 2004 at 01:16:26PM -0600, Mike Loiterman wrote: > Anyone else seeing problems like this when they start 2.62 > > [12:39:50 [EMAIL PROTECTED]: /home/mike]# /usr/local/etc/rc.d/spamass.sh > start Can't use subscript on split at > /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAs

[SAtalk] 2.62 Problem

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Anyone else seeing this in 2.62 when the start up: [12:39:50 [EMAIL PROTECTED]: /home/mike]# /usr/local/etc/rc.d/spamass.sh start Can't use subscript on split at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin.pm line 100, near "1]" BEG

[SAtalk] 2.62 Problems

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Anyone else seeing problems like this when they start 2.62 [12:39:50 [EMAIL PROTECTED]: /home/mike]# /usr/local/etc/rc.d/spamass.sh start Can't use subscript on split at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin.pm line 100, near

[SAtalk] Filtering per-recipient

Forgot to add a subject when I first sent this . . . Sorry about that. _ Hi group, Got SA working, and I want to test it out on only a few users. I have SA set up to run when called from Amavisd, which is called by postfix, which is set up as a relay. Currently it is set u

[SAtalk] (no subject)

Hi group, Got SA working, and I want to test it out on only a few users. I have SA set up to run when called from Amavisd, which is called by postfix, which is set up as a relay. Currently it is set up to put a ***SPAM*** tag on every email that is suspicios to every email that passes through it.

[SAtalk] Re: spamassassin on Gateway server (MX)

Carl R. Friend <[EMAIL PROTECTED]> wrote: > Does anyone here know how a zombie machine reacts to a 5xx reject? > Since most spam now arrives via zombies, I'd think we'd want to be > careful about possibly hosing some poor innocent's machine. 4xx-ing > the messages (an old favourite of mine befor

Re: [WL] [SAtalk] Yikes.. rules_du_jour

At Sun Jan 18 16:06:13 2004, Charles Gregory wrote: > A thought, and a suggestion: > > Thought: Some of the rules in 'rules du jour' look like they are fairly > 'stable'. There is no reason to be downloading 'backhair' or 'weeds' > everyday, is there? > > Suggestion: For frequent changers, like

Re[2]: [WL] Re: [SAtalk] unfakeable Habeas watermark?

CG> carry a few spammers. Would we want to whitelist the AOL mail servers? |-P Pick on the right people, AOL for their size generate very little spam. Now adelphia.net, level3 .. :-). -- Ian --- The SF.Net email is sponsored by Eclipse

Re: [SAtalk] Ann: "Rules De Jour": An automated way to keep upwith the latest rulesets

Why not just run --lint on the downloaded file and then check the exit status of the command? If it's non-zero, then you know there was an error. Victor Jack L. Stone wrote: Chris: I made a few little changes to your script to have it use a "tmp" file, then ask is the --lint was okay to go forwa

Re: [SAtalk] SpamAssassin 2.62 is released!

On Sat, 2004-01-17 at 16:13, Theo Van Dinter wrote: > SpamAssassin is a mail filter which uses advanced statistical > and heuristic tests to identify spam (also known as unsolicited > commercial/bulk email). > > Downloading > --- > > Pick it up from: > > http://SpamAssassin.org/release

[SAtalk] Re: common patterns / improving bigevil

On Sun, 18 Jan 2004 17:41:00 +0100, PieterB <[EMAIL PROTECTED]> writes: > Hi, > > I have an idea, similar to Scott A Crosby's datamining application. > I didn't use a datamining/analysis program, but used the Bayes > database. For example if you use: > > sa-learn --dump all | grep "^0\.999

Re: [SAtalk] common patterns / improving bigevil

TopPost: I for one believe this would be a VERY good idea as it should then be able to customize the rules to a set that apply more to each of us. Would it not? I've noticed several have mentioned that the bigevil rules makes up a lot of the "hits" whereas that is not the case for my domains and

Re: [SAtalk] UPDATES Tripwire 1.16 and Bigevil 2.06k

Quoting Chris Santerre <[EMAIL PROTECTED]>: > Anywho, like the subject says, these 2 files are updated. The Tripwire > file > is almost half the size it was before! Sorry if this is a FAQ; couldn't see a definitive answer in the archives. I have a very small list of domains that I get tons of spa

Re: *****SPAM***** Re: [SAtalk] common patterns / improving bigevil

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Yep it sounds like a great idea. One problem when you list so many evil domains and some code is you get caught as spam. Douglas On Sunday 18 January 2004 08:41, PieterB wrote: > Spam detection software, running on the system "", has > identified

Re: [WL] Re: [SAtalk] unfakeable Habeas watermark?

At first glance, you would think that a habeas 'whitelist' would be good, but you have to realize that in many cases, an individual habeas customer may be using a 'major' ISP, which could either be abused, or actually carry a few spammers. Would we want to whitelist the AOL mail servers? |-P No,

RE: [WL] [SAtalk] Yikes.. rules_du_jour

(Didn't mean to go offlist with my reply. Here it is again) > On Sat, 17 Jan 2004, Jonathan Nichols wrote: > > rules_du_jour is kind of neat, but I hope it's not going to drive up > > Chris & Jennifer's bandwidth bills or som 'em over a quota. :P > > A thought, and a suggestion: > > Thought: So

Re: [SAtalk] common patterns / improving bigevil

Hi, I have an idea, similar to Scott A Crosby's datamining application. I didn't use a datamining/analysis program, but used the Bayes database. For example if you use: sa-learn --dump all | grep "^0\.999 *[0-9]* *0 [0-9]*" sa-learn will show all Bayes entries which are clearly a sign o

Re: [SAtalk] Ann: "Rules De Jour": An automated way to keep upwith the latest rulesets

Chris: I made a few little changes to your script to have it use a "tmp" file, then ask is the --lint was okay to go forward. Only problem, it's not suitable for unattended updates via cron because of the lint check and interactive "yes" need to go ahead. If no "yes" within 30 sec, it quits. Needs

Re: [WL] [SAtalk] Yikes.. rules_du_jour

On Sat, 17 Jan 2004, Jonathan Nichols wrote: > rules_du_jour is kind of neat, but I hope it's not going to drive up > Chris & Jennifer's bandwidth bills or som 'em over a quota. :P A thought, and a suggestion: Thought: Some of the rules in 'rules du jour' look like they are fairly 'stable'. Ther

Re: [SAtalk] Razor issue on Debian

At 03:02 PM 1/18/04 +0100, Erik van der Meulen wrote: I get: debug: Razor Agents 1.20, protocol version 2. razor 1.20 is a very old version of razor, and 1.x versions are no longer supported by SA. try getting razor 2.36 and applying the taint-safeness patch. --

[SAtalk] Re: Resolving and hat-checking spamvertised URLs...

> My patch against SpamAssassin 2.60 (Debian/unstable: 2.60-2) > http://docsnyder.de/nospam/sa_check_blackhat_isps.patch.gz Just thought I tell you that I've just applied the patch to SpamAssassin 2.62 (plain tar.gz-distro, no rpm/package). The patch worked fine, SpamAssassin seems to work,

[SAtalk] Razor issue on Debian

Dear group - I have a working SA 2.62 configuration (Debian 3, but with a non-deb manual installation of SA) and I cannot seem to get Razor to work. If I run the Wikki test: spamassassin -P -t -D < /tmp/spam I get things like this: debug: Razor2 is not available I do have the razor.deb ins

Re: [SAtalk] Ann: "Rules De Jour": An automated way to keep up with the latest rulesets

I ussuaky will download the file to another file name in the SA config directory, than cat them all together and run lint on them *just in case*. If lint fails I do not switch to the new file. Steve Chris Petersen wrote: MAN, that's a lot of code for such a simple task. mine is just: #!/bin

Re: [SAtalk] Re: Filter rule f. invalid HTML tags?

At Sun Jan 18 02:02:13 2004, Robert Menschel wrote: > > YahooGroups mailing list email HTML seems to frequently include lines > like: > > arialADVERTISEMENT > > > < 1999,1999,Yahoo! Terms of > > Service. > > They're not standard HTML, but if they appear regularly in ham, the rule You'll p

Re: Re[2]: [SAtalk] what can we do with those spam mails

At Sun Jan 18 02:21:14 2004, Robert Menschel wrote: > > MR> header L_MIME_BOUND_MANY_DIG Content-Type =~ /boundary=\"\d{19,}\"/ > MR> header L_MSGID_SPAM1 Message-Id =~ /<[EMAIL PROTECTED]>/ > MR> rawbody L_TITLE_MESSAGE m{Message} > MR> rawbody L_CONVERTED m{

[SAtalk] A new automatic tool for finding common patterns in spam

I'm putting up a demo/prototype of some new techniques I'm building for datamining and analysis. This tool scans two large corpi of 500mb or more of email to identify any substrings that occurs frequently in one but infrequently in the other. You can choose the limits for 'frequently' and 'infrequ

[SAtalk] Re: Is my spamtrap working?

Paul Fielding wrote: > > Quoting Bryan Hoover <[EMAIL PROTECTED]>: > > > You could set these scripts' spamassassin, sa-learn commands with -D, > > and use standard error redirection to a text file. The output will tell > > you which Bayes database it's using. You'd see such like: > > I did this

Re: [SAtalk] Re: Is my spamtrap working?

Quoting Bryan Hoover <[EMAIL PROTECTED]>: > You could set these scripts' spamassassin, sa-learn commands with -D, > and use standard error redirection to a text file. The output will tell > you which Bayes database it's using. You'd see such like: I did this and learned a few things. The fo