> [3] gives 209.47.59.145 for the second IP.
>
> The first one is owned by Rogers@Home Canada ([4], [5]), the second by
> UUnet Canada ([6]).
Damn that's awful close to the C I own from UUnet (209.47.196.0/24)
> So far, so good. I've got everything I need to report an abuse. Anything I
> should
> SPAM: Content analysis details: (9.6 hits, 5 required)
> SPAM: EARN_PER_WEEK (4.3 points) BODY: Contains 'earn $something per
> week' SPAM: EXCUSE_14 (0.4 points) BODY: Tells you how to stop
> further SPAM SPAM: EXCUSE_10 (0.4 points) BODY: "if you do not
> wish to re
> This is such a special case that it would probably be the wrong thing to
> do to insert additional rules into the public distribution of SA just to
> take account of this. Easiest solution is just to zero the rules or, if
> this isn't acceptable, write your own regexps to handle the cases you'v
> mysql> select MAX(value) from reported;
> 53.5
> mysql> select rules from reported where value = 53.5;
> NO_REAL_NAME,PLING,PLING_PLING,TONER,CLICK_BELOW,REMOVAL_INSTRUCTIONS,EXCUS
>E_12,EXCUSE_3,DIRECT_EMAIL,OPT_IN,SENT_IN_COMPLIANCE,CALL_FREE,EMAIL_MARKETI
>NG,SECTION_301,CLICK_TO_REMOVE_2,SUB
> | OT: is it possible to add a configuration option which lists the domain
> | mailservers and their IPs? And add a test which scores rather highly for
> | mail claiming to come from domain.dom but which isn't actually from one
> | of the mailservers for domain.dom?
>
> This belongs at the MTA l
> There are really only two ideal spam indicators:
>
> (1) Who sent it.
> (2) What proportion of the people who got it, didn't want it.
>
> Unfortunately there's no way to directly apply either of those criteria.
Not true, and you just gave me an idea.
For both the ISP I help at and also the com
> That's "only" for scoring the humanmade rules; what he's talking about is
> more like letting the GA create both the rules and the scores.
A neat trick but I haven't seen *any* genetic algorithm able to both ask the
questions *and* find the answers.
As a language tool something like that w
> Has anyone taken a huge spam database and sent it through some sort of
> genetic learning program to see if spam can be identified that way?
Um.. yeah. http://www.spamassassin.org. You might be familiar with them.
Regards,
Andrew
---
Thi
This was nested deep within another thread, but I wanted to bring it to the
top in hopes of catching more eyes. :-)
On July 2, 2002 01:12 pm, Anthony Fleisher wrote:
> I did run into this problem while setting up spamd to use the DB to
> retrieve preferences. It seems that the configuration is
> I will be out of the office starting 07/02/2002 and will not return until
> 07/08/2002.
>
> I will respond to your message when I return. If you need anything that
> is of an urgent nature, please contact Leslie Branch x 2826 or Carl
> Carpenter at x 2343.
Ok guys, should I call her and ask
> I had a similar problem, and after going through the documentation I
> noticed that the problem was that I had forgotten to add the following to
> the beginning of the procmailrc file:
>
> DROPPRIVS=yes
I appreciate all your help, but all of that is done. As I said, a lot of the
DB is working
> Have you tried both -q, and -x?
$ ps -wax | grep spamd
24805 ?S 30:21 /usr/local/bin/perl /usr/local/bin/spamd -x -q -d
-L -u nobody
-q, -x, -d, -L and -u :-)
> The spamd source looks like it wants to do one or the other, but not
> both.
Weird. It sees that the mail is for ste
> >now user steve has an entry in the userpref database that asks his default
> >score to be 5.0. However SA doesn't seem to be listening:
>
> Are you running spamd with the -q option?
Yes. As I'd said entries for GLOBAL (including whitelist entries) are working
fine. It seems to me that the
I'm storing user preferences in a database. The default hit is 8.0 currently
(will shortly be back to 5.0) and spamc is getting called from procmail
(which is getting called from qmail/vpopmail) thusly:
:0fw
| /usr/local/bin/spamc -u $EXT -f
$EXT is the username and any extension they have.
> -- I just don't have time to fuss with this kind of stuff, which takes a
> LONG time for me as a newbie to deal with, so I just ripped SA out and am
> going with what I know works: my own procmail recipes. They only get
> 70-75% of the spam (which means a dozen or two get through), but it's
> b
My brother sent this to me and I thought I'd pass it on here since it seems
relevant. Personally I don't use the blacklists because I don't want the
extra network overhead/slowdowns but some of you may.
Regards,
Andrew
-- Forwarded Message --
Subject: Fwd: Re: SPEWS?
Date:
> I want to score FSCK more highly, and flag it as spam if it appears in
> the subject line. Can someone point me to the section in the docs that
> addresses this? I can't figure it out.
How to score it has already been answered, but I'm curious: Is the word "fsck"
even used outside the tech c
I received a spam with a forged From: coming from a good email address at my
company today. Headers below for anyone interested.
Regards,
Andrew
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
>From [EMAIL PROTECTED] Fri May 31 18:56:31 2002
Return-Path: <[EMAIL PROTECTED]>
De
> If you're using spamd, you can't put rules in user_prefs, for security
> reasons, unless you turn on the option which lets you do that. But the
> option creates security holes. You can, however, put extra rules in
> /etc/mail/spamassassin/local.cf and they will be used for everyone.
>
> Be sur
On May 17, 2002 06:22 pm, Daniel Quinlan wrote:
> FROM_AND_TO_SAME - I mail myself notes
Agreed, or sometimes I send to myself when I have a BCC mailing
> VERY_SUSP_RECIPS and VERY_SUSP_CC_RECIPS - people use large
> internal To and Cc all the time
This isn't just for internal stu
> "last" received? or "first"? (meaning to say, the oldest). anyway,
> yeah, that's probably accurate enough. Subject should also be a good one,
> except for the few spams that put your name (or what they think your name
> is) into the subject. You could also check reply-to or mailer-agent (o
> heh, it all looks good to me. I think I'm just not quite sure what you're
> up to (that, and underscores in field names confuse me for some reason ;).
It's just an old habit. When I learned SQL I was taught (mostly from the big
SQL books) and of course the little black book of normalization,
> wouldn't it be easier to integrate this into spamd? You'd already have
> your db client set up that way.
You're absolutely correct. duh on my part. :-)
> Sounds like you've got it right.. You'd need two tables, something like:
>
> Create Table messages (
> m_id bigint primary key
> Also, if you guys ever need any help, I'd love to lend a hand. I've been
> curious about writing a spam reporting system, and it might make a great
> plugin for spamassassin (then again, I've had nothing but trouble when
> trying to analyze message headers to figure out how to detect forged
> h
> 2. Use an external mail class to parse your email and split out just the
> text and html parts to pass to SpamAssassin. A huge part of the load on
> SA is in doing nasty slow regexps across the "rawbody" tests when the
> email contains large MIME attachments.
Do you have a document giving an ex
> If it's yanked out, all I ask is that the upgrade docs make this clear
> so that I can put some of 'em back in my local site-wide whitelist.
I would humbly suggest BIG FLASHY LETTERS explaining this -- it is a very
important point.
Regards,
Andrew
> test FROM_EGROUPS ok
> [EMAIL PROTECTED]
> test FROM_EGROUPS fail [EMAIL PROTECTED]
>
> (note: always write tests ;-)
What are these tests?
Regards,
Andrew
> Yes, I know how RAV with qmail works. But I'm trying to avoid this as I
> need qmail-scanner for what I am trying to do here (ie SpamAssassin
> globally).
I also run spamassassin globally via procmail. I've never played with
qmail-scanner but procmail may be an option in case there's somethi
> some debugging problems where viruses that are found do not get logged to
> quarantine.log. this is just what I've found from testing for the last
> hour. i'd really like to give RAV a try.. has anyone else tried it?
I'm using rav-qmail with spamassassin without issue. SA and RAV don't know
> Any chance of you contributing these rules? This is something I've got
> on my todo list, which you could really help me shorten ;-)
Of course. I'm not particularly happy with the LOCAL_ISP rule since it's far
too specific, but whitelisting them is far too "risky." Same with INCIID and
M&M.
> I know this is a non-answer, but what sort of scores are your false
> positives getting?
About 5.0 to 13, depending on the type.
> If they're all tending toward 5.1-10, you might be able to raise your
> threshold rather than messing with the GA scores. I use a threshold of 7.0
> and haven't ha
> 18:15:06 up 6 days, 21:40, 3 users, load average: 15.22, 8.96, 7.77
> The server in question is a dual Pentium III 500 Mhz, 512 Mb Ram,
> /var/qmail/queue is a UW SCSIII and the storage is a Mylex, raid 5.
How much mail do you push? My little setup does about 3-4k messages/day, if
I'm read
Hello again,
I upgraded to 2.20 late last week and while the amount of spam that is getting
through has gone down *dramatically* from SA1.5, the number of false
positives has seen a (slight) increase. Ferinstance: yesterday 2086 spam
messages were received but 8 were false positives, even wit
> You're probably trying to unreg your real email address instead of
> [EMAIL PROTECTED] -- If you're still having trouble,
> let me know and I can remove you through the admin interface I think.
You are of course correct. I feel like an idiot now.
I'm not leaving the list because I'm not using
I can't believe I'm writing a "unsubscribe me" message, but here it is.
I go to https://lists.sourceforge.net/lists/listinfo/spamassassin-talk, enter
my email address at the bottom like it says to to change settings/unsubscribe
and click "Edit Options"
What comes up next is
You must supply a v
> I guess it depends on what the focus is here, do you
> want something that works great for a largely US based
> group with mostly technical email or is there a wider
> goal? Do you go for 100% spam catching with some
> false positives or do you miss some because you never
> want a false positiv
> Is this just the journals I read or does this seem like a really big
> problem to others? I know these can be whitelisted (and in my case,
> procmail takes care of them), but if an ISP, for example, is going to
> use SA, lots of people are going to get legitimate mail filtered and will
> have to
> I recently received some personal mail with the following
> HotMail-generated ad. at the end (linebreaks are mine):
>
> MSN Photos is the easiest way to
> share and print your photos: href='http://go.msn.com/bql/hmtag3_etl_EN.asp'>Click
> Here
I actually have -ve-scoring tests for
> > I've added a test like this to catch it;
> You do realize that this is probably the *most* inefficient way, short
> of hand sorting, that you have of blocking the message?
In terms of efficiency it's not all that bad; I could use badmailfrom or any
of the other qmail coarse filters but via S
I've just seen in the last 12h a new virus coming through as a Microsoft
security update.
I've added a test like this to catch it;
header MSVIRUS To =~ /Microsoft Customer
<'customer\@yourdomain.com'>/
describe MSVIRUStemp test to find new virus
score MSVIRUS 300.0
> Yes, that might be a little high -- anyone bought a house recently, or know
> a realtor who'd like to contribute to the non-spam corpus?
I have several emails in my "notspam" folder from realtors sending details for
housing to her clients.
Regards,
Andrew
> @40003c8790cb05293484 delivery 137: deferral:
> maildrop:_Filtering_through_xfilter_spamc_-f/maildrop:_signal_0x06/
> @40003c8790cb0529480c status: local 2/20 remote 0/90
> @40003c8790da1bed3544 delivery 138: deferral:
> maildrop:_Filtering_through_xfilter_spamc_-f/maildrop:_signal_0
> Let me get this straight -- we have ignorant and the willfully abusive
> people in these countries creating or abetting spam for others to deal
> with, and *we're* supposed to be concerned about public relations?
I don't think you're getting it.
If North America (I'm from Canada) didn't have w
> (none of the "remove" rules triggered)
True, but gappy text should have been triggered. Maybe we need a gappy
remove-specific test, because there's a lot of nonspam gappy text out there
Regards,
Andrew
___
Spamassassin-talk mailing list
[EMAIL PRO
> That also encourages proper filtering rather than the braindead method
> of matching on subject.
Many email clients cannot filter on arbitrary headers. KMail, for example
(yes this is a corner case) does not let you define which header to watch; it
has a list of commonly-used ones. I'm su
> I know there are theoretical reasons why this might make sense, but I don't
> see any benefit in the real world for scores like these. The high scores
> increase the chance of a random false positive - regardless of the size of
> the existing corpus - and if the negative ones indicate that the r
> SPAM: Hit! (4.9 points) BODY: URL of page called "remove"
> SPAM: Hit! (6.5 points) BODY: Link to a URL containing "remove"
No, not impressive. Those two scores would put a whole lot of honest opt-in
web "flyers" and likely many mailing lists in the spam bucket.
I'm strongly opposed to any
I'll get our CGI guy to do this for our domain but I am wondering if this
would be something which might be of use to enough SA users to put into SA
itself:
In your personal .spamassassin.prefs, place something like this:
Business User: Yes
Pornographer: Yes
Anti-Hotmail: Yes
...
etc
and have
The subject says it all. I am running SA2.01 on a mid-size ISP (~3000
"average joe" clients) and have been manually going through about 2500 spam
messages a day to ensure that no false positives are getting killfiled.
I get about 2-3 false positives per day, which really isn't bad. I've
modi
I am wondering if anyone would be interested in a score which is not as high
for email addresses ending in numbers if the address is an @hotmail.com
email. The *vast* majority of hotmail addresses end in numbers which tends
to knock emails over the spam score.
I'm already knocking off 0.7 p
The documentation on spam trapping isn't really all that clear, so I would
just like to verify that I am doing this right.
the email address I wish to trap is [EMAIL PROTECTED]
so, using qmail with vpopmail, I would go to the domains/domain.dom directory
and create a .qmail-nothingbutspam file
I can't set the score for the INVALID_MSGID test to zero; it's stuck at 0.2.
I've checked and rechecked the spelling in my config file and it's just not
taking the score. :-(
Also I have found that the FAKED_UNDISC_RECIPS test isn't right at all; It's a
high-scoring test but it seems to trig
> spamassassin scanning happening on a machine on my internal network
> having been relayed in from the outside the envelope recipient will look
> like [EMAIL PROTECTED] where tags is a representation of the
> original envelope recipient local and domain parts.
I had written a patch for SA1.5 and
LAST UPDATE (I hope!)
The whitelist matching *IS* glob-type. .*@domain.dom is wrong. Lots of
debugging confirms this.
Also, more debugging confirms that the whitelist_from entries *ARE* being
taken from SQL. It appears that it's not matching for some other reason.
(maybe because the passp
> Hmm, it seems that it's trying to match an actual perl regexp, so you'll
> want
> .*@PASSPORT.COM
just an update:
I have changed all my whitelist_from entries in the SQL table to be
.*@domain.dom instead of *@domain.dom.
.*@reply.pm0.com is one of them. However mail from this domain isn't g
> I don't think 866, 855, 844, etc are toll free numbers. 877, 888 and
> 800 are it AFAIK. Does make sense to add 877 to the 888 rule though,
> and to make the - into a [\-\s]
866 is a toll-free area code.
Regards,
Andrew
> It needs to treat the part after the *final* '@' symbol as case
> insensitive, but the part before it, possibly including more '@'
> characters, as case sensitive.
Unfortunately, I have both *@passport.com and *@PASSPORT.COM in my SQL table
for "whitelist_from". The From line is block caps so
Is there any reason I can't add *@PASSPORT.COM to the global whitelist (in
SQL)? I keep getting "confirm your email address" messages from various
@PASSPORT.COM (block caps) addresses and despite my having it in the
whitelist, it keeps getting detected as spam.
Regards,
Andrew
Also, is this
> Yes, if you check the archives I think I mentioned it a couple weeks ago,
> then someone else brought it up again just a couple days ago. Either study
> the headers and figure out why it is flawed, or just comment the rule out
> and go on.
For now I just 0'd the score for this test but I'll se
> I would be extremely happy to see SpamAssassin extended to recognize the
> routine, vaguely irritating spam that is attached to "free" email
> messages and the like.
I think I will give my regexp skills a shot at this, as it is probably the
biggest single factor which causes hotmail/msn email
* 0.8 -- Forged hotmail.com 'Received:' header found
This test seems to be plain wrong; If I send a message from hotmail, it gets
tagged with this score. Is this a known problem?
Regards,
Andrew
The corpus we have now may be fine for techies, but it frankly needs work for
us ISPs.
The +1 scores for tests with a GA score above 20 and 30 is a good idea, but
remember that both hotmail and msn have those goddamn "click here for
MSN|Hotmail Photos" signatures.
Actually maybe that's all we
> I'm trying to collect some interesting information for a magazine
> article on SA. I'm guessing we're up into the hundreds of thousands of
> users now (end users that is, not installed copies). Could those of you
> who have largish installations let me know how many users you service?
> Also,
> I'm wondering if spamc/spamd/w SQL would function in a system where
> SpamAssassin is used to filter mail for other hosts and then passed on.
> With still being able to take advantage of an individuals score
> preferences in SQL?
I know it's not quite the same thing but the spamc patch I wrote
I can't believe this made it in as spam, and with a high score!
(x is me censoring)
Regards,
Andrew
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 358 invoked by alias); 27 Jan 2002 12:26:01 -
Received: from unknown (HELO hotmail.com) (64.4.31.128)
by
> Nope, in fact RFC 822 requires that case in the local-part of addresses
> be preserved, with the exception that the postmaster address must be
> deliverable regardless of case. Most mailers by default do not distinguish
> case as being important, but the RFC does allow them to if they wish.
I
> Well and good, until you run across a site that distinguishes case on
> names, e.g. in Sendmail via:
>
> MODIFY_MAILER_FLAGS(`LOCAL', `+u')
>
> Which (as a rare boundary case) would allow evil spam from
> "[EMAIL PROTECTED]" with a whitelist entry for your good
> buddy "[EMAIL PROTECTED]"
Inter
It appears that the whitelist_from parameters of SpamAssassin (at least those
found in the SQL database) are case sensitive. Since email addresses are not
case sensitive, should the check also be case-insensitive?
Regards,
Andrew
I just installed SpamAssassin 2.01 with my vpopmail patches and PostgreSQL for
user prefs. I am also using RAV antivirus for qmail. This is for a small
dialup ISP (~2500 users).
In less than 12 hours:
incoming Spam: 975
incoming clean: 1613
outgoing virus: 38
37% of all our email is spam!
> Also, I haven't applied Andrew K's patch for spamc to handle EXT and HOST;
> I'd prefer to do that in the 2.1 devel tree.
Sounds good to me, I've only really been able to cursory test the code anyway.
It seems to work well, even when you specify environment variables which
don't exist (i.e.
Jan 15 20:22:46 2002
+++ new-Mail-SpamAssassin-2.0/spamd/spamc.c Wed Jan 23 21:01:38 2002
@@ -59,6 +59,16 @@
const int ESC_PASSTHROUGHRAW = EX__MAX+666;
+/*
+ * vpopmail-specific user definitions by
+ * Andrew Kohlsmith <[EMAIL PROTECTED]>
+ */
+#define USER_GETUID0
+#define USER
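Review bot: the vpopmail-specific defines go into spamc.c unconditionally in the visible lines: the new comment block is followed directly by `#define USER_GETUID0`, with no `#ifdef` around it, so a spamc built without vpopmail would carry them too. Consider wrapping the block in a build-time guard and stating the vpopmail dependency in the comment itself. Also check `USER_GETUID0`: as written it defines an empty macro of that name, so if `USER_GETUID 0` was intended, the separating space is missing.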
> I have been using this for about a week now and it works fine.
Thank you, this works beautifully. I had failed to mention that I did have
the seek patch already too. :-)
Now to get the SQL implementation going with my modified spamc and a quick CGI
for the users to turn on/off their filter
I'm setting up another mail system and I'd like to be able to deliver the
site-wide spam to a single maildir, while letting everything else get
delivered by vpopmail.
So far I've been unsuccessful because Procmail seems to want to either deliver
everything or nothing; it doesn't (or rather I d
> Looks interesting, but could you patch the spamc.pod documentation as
> well?
Indeed I will; I'd forgotten about the pod.
> Also I reckon it needs to be noted that this stuff depends on vpopmail
> (it does, doesn't it?)
Yes. I had originally wanted to have the environment variables that it u
74 matches