Re: Strange Scoring Results?

2005-03-10 Thread Matt Kettler
At 03:30 PM 3/10/2005, Michael Holzt wrote: Now, is this scoring normal? I wonder if messages with 50 to 99% bayes should only get such low scores. Only one of those messages has 99% bayes. The others all have 50%. A message with 50% bayes is by definition undecided between spam and ham. I think th

Strange Scoring Results?

2005-03-10 Thread Michael Holzt
I'm operating a small company's mailserver (running SpamAssassin 3.0.2 invoked by the qpsmtpd spamassassin plugin on Debian Linux), and lately I'm observing a major increase in spam that comes through the filter. When looking into this problem, I noticed that the scoring results seem to be much

Re: Telltale whois data (was: Rule for downwards writing spam)

2005-03-10 Thread Kenneth Porter
--On Thursday, March 10, 2005 10:38 AM -0800 List Mail User <[EMAIL PROTECTED]> wrote: There is no DNS, but you can often get the data by directly querying whois.internic.net But that's not scalable if every mail server queries the registry's whois server. It's worse if the mail servers don't ca

Re: Telltale whois data (was: Rule for downwards writing spam)

2005-03-10 Thread List Mail User
>... >--On Thursday, March 10, 2005 7:23 AM -0800 List Mail User ><[EMAIL PROTECTED]> wrote: > >> They mostly use Joker, who has *very* good policies for killing >> domains like this. You should complain and file at wdprs.internic.net. >> >> They create about a dozen new domains a week,

Re: making sa-learn ignore custom headers

2005-03-10 Thread Theo Van Dinter
On Thu, Mar 10, 2005 at 01:12:08PM -0500, Joe Flowers wrote: > Is there a way to make sa-learn ignore custom (non-SA) headers? RTFM bayes_ignore_header -- Randomly Generated Tagline: Fry: Leela, Bender, we're going grave-robbing. Bender: I'll get my kit!

Re: Whitelist IP Address

2005-03-10 Thread Kris Deugau
[EMAIL PROTECTED] wrote: > Ideally there'd be a way to only look at Received headers that were > added by the server you're running on, or (going back a bit at a > time) added by trusted perimeter hosts. I did that. For a variety of legacy reasons, one of the filter servers here is the very last

Re: Whitelist IP Address

2005-03-10 Thread Justin Mason
Matt Kettler writes: > At 12:38 PM 3/10/2005, Mikael Hakman wrote: > >However, in my previous comment, I didn't express myself precisely enough. > >I didn't mean "block" or "let through" rather "execute test and set > >specified score if the test tu

Re: Whitelist IP Address

2005-03-10 Thread Justin Mason
[EMAIL PROTECTED] writes: > Justin Mason wrote: > > It's extremely trivial to add as a normal regexp rule: > > > > header MY_WHITELIST_1 Received =~ /\[111.222.11.22\]/ > > score MY_WHITELIST_1 -5 > > Mikael Hakman writes: > >> Wouldn't

making sa-learn ignore custom headers

2005-03-10 Thread Joe Flowers
SA 3.02 Is there a way to make sa-learn ignore custom (non-SA) headers? Thanks! Joe

RE: Whitelist IP Address

2005-03-10 Thread Matthew.van.Eerde
Justin Mason wrote: > It's extremely trivial to add as a normal regexp rule: > > header MY_WHITELIST_1 Received =~ /\[111.222.11.22\]/ > score MY_WHITELIST_1 -5 > Mikael Hakman writes: >> Wouldn't you all agree that blocking or letting through emails sent >> from or relayed by specifi

Re: Whitelist IP Address

2005-03-10 Thread Matt Kettler
At 12:38 PM 3/10/2005, Mikael Hakman wrote: However, in my previous comment, I didn't express myself precisely enough. I didn't mean "block" or "let through" rather "execute test and set specified score if the test turns true" so that the final decision what to do with the mail could be affected

Re: Whitelist IP Address

2005-03-10 Thread Justin Mason
It's extremely trivial to add as a normal regexp rule: header MY_WHITELIST_1 Received =~ /\[111.222.11.22\]/ score MY_WHITELIST_1 -5 That's the main reason we haven't added it yet ;) --j. Mikael Hakman writes: > Wouldn't you all agr

Re: Whitelist IP Address

2005-03-10 Thread Mikael Hakman
Of course Matt, any decent SMTP server allows you to configure it so that it refuses or lets through mail sent directly from certain IP hosts or subnets with addresses being taken from communication level (source of TCP connect request incoming to the server). When it comes to IP subnets of rela

Re: SA addr tests need to be updated

2005-03-10 Thread Eric A. Hall
You already got a couple of responses but let me pile on. On 3/10/2005 3:17 AM, [EMAIL PROTECTED] wrote: > However, I still believe it is perfectly legal to refuse mail if > - the HELO matches my own MX, or lists one of my IPs I do this too. My local networks get an immediate exception to all

Telltale whois data (was: Rule for downwards writing spam)

2005-03-10 Thread Kenneth Porter
--On Thursday, March 10, 2005 7:23 AM -0800 List Mail User <[EMAIL PROTECTED]> wrote: They mostly use Joker, who has *very* good policies for killing domains like this. You should complain and file at wdprs.internic.net. They create about a dozen new domains a week, but have been

Re: Whitelist IP Address

2005-03-10 Thread Matt Kettler
At 05:39 AM 3/10/2005, Mikael Hakman wrote: Wouldn't you all agree that blocking or letting through emails sent from or relayed by specified IP addresses and subnets is quite a basic functionality? In a sense it is more basic than doing the same with DNS names and SMTP addresses because all thos

Re: Obvious spam (from subject) getting through

2005-03-10 Thread Martin Hepworth
Matthew the antidrug.cf on www.rulesemporium.com? But that should be part of the base SA 3 set (20_drugs.cf). If you can put up the full email on a web/ftpsite I can run again my setup which has lots of SARE rules and I'll drop back the rules I hit. -- Martin Hepworth Snr Systems Administrator

Obvious spam (from subject) getting through

2005-03-10 Thread Matthew Newton
Hi Anyone got a rule to catch e-mails I've been getting with this subject? Subject: intelligent XANAA, V1CODD1N, S0MMA, CODE1NE, V1AAGRRA, C1AAL1S, Z0L0FT, \/AL1IUM & MANY MORE AT CHEEAP added happen Only rule that has much effect is a SARE subject rule I've just added to my collection, but it

Re: I can't autolearn bayes databases with spam - continuation

2005-03-10 Thread Matt Kettler
At 05:33 AM 3/10/2005, mw wrote: 3) I added the following lines to local.cf : rewrite_subject 1 subject_tag *SPAM* use_terse_report 0 auto_learn 1 Now, if I run spamassassin -D --lint I find the statements : config: SpamAssassin f

Re: Rule for downwards writing spam

2005-03-10 Thread List Mail User
>>From [EMAIL PROTECTED] Thu Mar 10 06:20:20 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >list-help: >list-unsubscribe: >List-Post: >List-Id: >Delivered-To: mailing list u

Re: multiple hosts for spamc -d ?

2005-03-10 Thread brianmas
Quoting email builder <[EMAIL PROTECTED]>: > > >>> Some postings a while back led me to believe that I could specify > > >>> multiple hosts for the -d option of spamc. I understood that it > > >>> would operate basically on a fallback basis (not load balancing). > > >>> However, I can't seem to g

Re: [sa-list] Re: How to tell what message a spamd child is running on.

2005-03-10 Thread Theo Van Dinter
On Thu, Mar 10, 2005 at 08:31:18AM -0500, Dan Mahoney, System Admin wrote: > Actually, my experience has been that the child in this case doesn't > respond to kill -TERM, even after larger delays like five minutes with > repeated kill'ing. Kill -9 seems to cause another process to pop up with >

Re: SA3.0.2 + amavisd-new ignoring $sa_tag_level_deflt ?

2005-03-10 Thread Brian Wong
On Thu, 10 Mar 2005 11:02:50 +0100, Paolo Cravero as2594 <[EMAIL PROTECTED]> wrote: > Hi, > I'm testing a setup with amavisd-new (latest download version) and SA > 3.0.2 on RedHat ES3. This setup serves as a laboratory for upgrading our > SA 2.64 servers. > > I would like to have amavisd-new to ad

Re: RCVD_IN_BSP_TRUSTED

2005-03-10 Thread List Mail User
> >On 09/03/2005 11:55:32, Alana Craig ([EMAIL PROTECTED]) wrote: > > Hello > > > > > > > > I would like to include your contact information in an address book I am > > creating for myself. Please enter your particulars using the link you see > > below: > > > > > > > > http://www.bebo.com/fr1/10076

Rule for downwards writing spam

2005-03-10 Thread Matthew Newton
Hi I've put together the following rule to try and catch the read-downwards type spam shown below. Could someone with a decent size corpus check it for me please? :-) (or if you see any obvious errors or improvements; it seems to work here) 8< body __UOLCC_DOWN1 /read\sd[o0]wn/i body

Re: SA addr tests need to be updated

2005-03-10 Thread List Mail User
>>>... >>> ..." >>> >Now, these are the rules > >However, I still believe it is perfectly legal to refuse mail if >- the HELO matches my own MX, or lists one of my IPs >or >- the MAIL FROM pretends to be one of my users > >I am currently refusing this stuff at the MTA level and suggest to >au

Re: [sa-list] Re: How to tell what message a spamd child is running on.

2005-03-10 Thread Dan Mahoney, System Admin
On Mon, 7 Mar 2005 [EMAIL PROTECTED] wrote: Would it be sufficient to simply not process large messages for that user? The distro procmailrc.example file shows how set a limit on message size processed in your .procmailrc: :0fw: * < 256000 | spamassassin sets a limit of 256K, or you could pick a mu

Re: [sa-list] Re: How to tell what message a spamd child is running on.

2005-03-10 Thread Dan Mahoney, System Admin
On Mon, 7 Mar 2005, Theo Van Dinter wrote: On Mon, Mar 07, 2005 at 09:25:48PM -0500, Dan Mahoney, System Admin wrote: what message a child is chewing on. No clear indication of where such a message would be stored, or some way to just send a spamd child a sigusr2 and have it return the message unp

Re: Whitelist IP Address

2005-03-10 Thread Mike Carlson
I was quite shocked to find out that you couldn't whitelist an IP Address. It seems like a very simple and expected feature. Since I have no experience in regex and very little Perl experience, I will just tell our users to deal with the tagged spam coming from our own webserver. Hopefully this wil

RE: I can't autolearn bayes databases with spam - continuation

2005-03-10 Thread Greg Allen
If you still have this, it is not going to work, as I said. bayes_auto_learn_threshold_nonspam 0.1 bayes_auto_learn_threshold_spam 7.0 -Original Message- From: mw [mailto:[EMAIL PROTECTED] Sent: Thursday, March 10, 2005 5:33 AM To: users@spamassassin.apache.org Subject: I

Re: Whitelist IP Address

2005-03-10 Thread Mikael Hakman
Wouldn't you all agree that blocking or letting through emails sent from or relayed by specified IP addresses and subnets is quite a basic functionality? In a sense it is more basic than doing the same with DNS names and SMTP addresses because all those names ultimately resolve to IP numbers. A

I can't autolearn bayes databases with spam - continuation

2005-03-10 Thread mw
Many thanks for all previous mailing lists referring to problems with autolearn=spam. I've taken into account your remarks and first of all I've fed my bayesian databases. Now, this is my result of sa-learn --dump -magic command : 0.000 0 3 0 non-token data: bayes db vers

Re: RCVD_IN_BSP_TRUSTED

2005-03-10 Thread Loren Wilton
It looks to me like a probably legit birthday cards site, sending what is supposed to be a legit request. Now, from the name of the user, and the targeted address, it appears to be a spammer/scammer misusing the site to try to harvest contact info. Since the sender (birthdayalarm.com) is bonded,

SA3.0.2 + amavisd-new ignoring $sa_tag_level_deflt ?

2005-03-10 Thread Paolo Cravero as2594
Hi, I'm testing a setup with amavisd-new (latest download version) and SA 3.0.2 on RedHat ES3. This setup serves as a laboratory for upgrading our SA 2.64 servers. I would like to have amavisd-new to add X-Spam-* headers to all messages, so I set the following: $sa_tag_level_deflt = -999; #

Re: Whitelist IP Address

2005-03-10 Thread Arvinn Løkkebakken
Matt Kettler wrote: At 07:49 PM 3/9/2005, Mike Carlson wrote: How do you whitelist an IP address? I want to allow all email from a specific IP address to pass through the filter without being tagged as spam. I added all 4 IP addresses of the server to the trusted networks list, but that didn't se

Re: Whitelist collection project

2005-03-10 Thread Jeff Chan
On Wednesday, March 9, 2005, 6:20:10 PM, Robert Menschel wrote: > Tuesday, March 8, 2005, 8:44:43 PM, Daryl wrote: >>> Assumption: This activity will focus only on public newsletters, >>> services, etc., which normally do not contain any private >>> information. Therefore there will not be any pri

Re: SA addr tests need to be updated

2005-03-10 Thread mouss
Now, these are the rules However, I still believe it is perfectly legal to refuse mail if - the HELO matches my own MX, or lists one of my IPs I guess you mean at the MTA level, not by checking Received headers. or - the MAIL FROM pretends to be one of my users This isn't always appropriate: -

RCVD_IN_BSP_TRUSTED

2005-03-10 Thread R McGlue
Return-path: <[EMAIL PROTECTED]> Envelope-to: [EMAIL PROTECTED] Delivery-date: Wed, 09 Mar 2005 11:59:11 + Received: from isaiah.qub.ac.uk ([143.117.143.16] helo=mailhub1.qub.ac.uk) by staffmail-b.qub.ac.uk with esmtp (Exim 4.34) id 1D8zqJ-00048U-Ov for [EMAIL PROTECTED]

Re: SA addr tests need to be updated

2005-03-10 Thread hamann . w
>> >> RFC2821 Section 4.1.4 >> "... >>The SMTP client MUST, if possible, ensure that the domain parameter >>to the EHLO command is a valid principal host name (not a CNAME or MX >>name) for its host. If this is not possible (e.g., when the client's >>address is dynamically assigne

Re: Whitelist collection project

2005-03-10 Thread Jeff Chan
On Wednesday, March 9, 2005, 6:20:49 PM, Robert Menschel wrote: > Wednesday, March 9, 2005, 1:00:33 AM, Jeff Chan wrote: >>> Goal: There are public newsletters, services, etc., which a) do not >>> spam, and b) can easily be mistaken as spam by SpamAssassin for a >>> variety of reasons (overly aggr

Re: ENC: Take that!

2005-03-10 Thread QQQQ
Let's all call to see how he is doing! - Original Message - From: "jdow" <[EMAIL PROTECTED]> To: Sent: Wednesday, March 09, 2005 8:23 PM Subject: Re: ENC: Take that! | From: "Jeff Chan" <[EMAIL PROTECTED]> | | > On Wednesday, March 9, 2005, 5:38:15 PM, List User wrote: | > > BTW.

Re[2]: Whitelist collection project

2005-03-10 Thread Robert Menschel
Hello Daryl, [BTW, thanks to you and others for the direct response/cc in addition to the list posting. I get the list by digest, and so list-only responses don't get to me until the digest is released.] Wednesday, March 9, 2005, 6:55:50 PM, you wrote: >> DCWOS> Don't forget about the new whitel

Re: ENC: Take that!

2005-03-10 Thread jdow
From: "Jeff Chan" <[EMAIL PROTECTED]> > On Wednesday, March 9, 2005, 5:38:15 PM, List User wrote: > > BTW. the listed telephone > > number is the company where the spammer works as a programmer - so this is > > clearly an attempt to make "extra" money). > > Hmm, I wonder how his employer feels abo

Re: Whitelist collection project

2005-03-10 Thread Daryl C. W. O'Shea
Robert Menschel wrote: Hello Daryl, Tuesday, March 8, 2005, 8:44:43 PM, you wrote: DCWOS> Robert Menschel wrote: DCWOS> Summary: A group of volunteers will maintain a collected/distributed whitelist, using SpamAssassin's whitelist_from_rcvd capabilities, similar to (but in the opposite direction a

Re: URIBL_SBL Weirdness

2005-03-10 Thread Jeff Chan
On Wednesday, March 9, 2005, 8:20:33 AM, Jeff Chan wrote: > What this means is that the nameserver for gov.ru is listed > in SBL. > http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13545 >> Ref: SBL13545 >> >> 213.59.0.0/23 is listed on the Spamhaus Block List (SBL) >> >> 26-Feb-2005 02:47 GMT

Re: ENC: Take that!

2005-03-10 Thread Jeff Chan
On Wednesday, March 9, 2005, 5:38:15 PM, List User wrote: > BTW. the listed telephone > number is the company where the spammer works as a programmer - so this is > clearly an attempt to make "extra" money). Hmm, I wonder how his employer feels about him using company (their phones) property for p

Re[2]: Whitelist collection project

2005-03-10 Thread Robert Menschel
Hello Chris, Wednesday, March 9, 2005, 7:30:20 AM, you wrote: >>Summary: A group of volunteers will maintain a collected/distributed >>whitelist, using SpamAssassin's whitelist_from_rcvd capabilities, >>similar to (but in the opposite direction as) William Stearns' >>collected/distributed blackli

Re[2]: Whitelist collection project

2005-03-10 Thread Robert Menschel
Hello Jeff, Wednesday, March 9, 2005, 1:00:33 AM, you wrote: >> Goal: There are public newsletters, services, etc., which a) do not >> spam, and b) can easily be mistaken as spam by SpamAssassin for a >> variety of reasons (overly aggressive custom rules, wrongly taught >> Bayes system, paid adve

Re[2]: Whitelist collection project

2005-03-10 Thread Robert Menschel
Hello Daryl, Tuesday, March 8, 2005, 8:44:43 PM, you wrote: DCWOS> Robert Menschel wrote: DCWOS> >> Summary: A group of volunteers will maintain a collected/distributed >> whitelist, using SpamAssassin's whitelist_from_rcvd capabilities, >> similar to (but in the opposite direction as) William

Re: ENC: Take that!

2005-03-10 Thread List Mail User
Daniel, Regarding the domain "dftphildeutschv-munged.net", since this morning one of the name servers "fujins-munged.com" has been delisted by planetdomain, and "miftrue-munged.com" has been placed on "HOLD" by Namebay (i.e. expect deletion or full suspension within 15 days maximum

Re: Whitelist IP Address

2005-03-10 Thread Matt Kettler
At 07:49 PM 3/9/2005, Mike Carlson wrote: How do you whitelist an IP address? I want to allow all email from a specific IP address to pass through the filter without being tagged as spam. I added all 4 IP addresses of the server to the trusted networks list, but that didn't seem to do it. Pretty muc

Whitelist IP Address

2005-03-10 Thread Mike Carlson
How do you whitelist an IP address? I want to allow all email from a specific IP address to pass through the filter without being tagged as spam. I added all 4 IP addresses of the server to the trusted networks list, but that didn't seem to do it. --Mike

Re: SA addr tests need to be updated

2005-03-10 Thread List Mail User
>Justin Mason wrote: > >>Eric A. Hall writes: >> >> >>>SA 3.0.2 currently performs a handful of tests against HELO greetings that >>>contain an IP address. These tests don't currently fire when an "address >>>literal" is used in the HELO greeting, but they should. >>> >>> >> >>actually, that'