Re: yet another uribl evasion example

> would it be reasonable to add a rule to check for anomalies in URLs? > what's the best (TM) way? SARE, at least at the moment. Loren

Re: Uri rules

Hello martin, Sunday, June 12, 2005, 4:58:35 AM, you wrote: ms> Has the behaviour of the uri rule been changed at some point to match the ms> whole of the URL? I have just noticed I am getting some FP when one of my ms> uri rules matches against the URL rather than URI. Not that I'm aware of. T

Re: yet another uribl evasion example

Hello mouss, Monday, June 13, 2005, 8:15:27 AM, you wrote: m> I just got the spam below (headers removed except few). m> would it be reasonable to add a rule to check for anomalies in URLs? m> what's the best (TM) way? 1) As has been suggested, upgrade. 2) Grab the SARE header rules file, whic

Re: Fw: SpamAssassin assistance

Jim Schueler wrote on Monday, June 13, 2005 1138 > I should have been more specific in my original request. The stock rule to > detect HELO forgery is exactly what I'm looking for. Am new to SA so I don't know how these tests really work or why none were displayed in your spample. But here are

Re: yet another uribl evasion example

Theo Van Dinter wrote: On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote: however, it doesn't trigger surbl checks, since the '&' is considered as the end of the url. What version are you running? This was fixed in 3.0.4. thanks for the reply. I am running 3.0.3. time to upgrade...

Re: DNS lookup fails

--On Sunday, June 12, 2005 12:49 AM +0100 "Michele Neylon:: Blacknight" <[EMAIL PROTECTED]> wrote: Kenneth Porter wrote: Why are you listing anything besides 127.0.0.1? That's only useful if your local nameserver is down. In that case just make another resolve.conf to install until you fix you

Re: yet another uribl evasion example

- Original Message - From: "Michele Neylon:: Blacknight" <[EMAIL PROTECTED]> > Niek wrote: > > Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50, > > you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51. > > Upgrading is not needed for sa 3.0.4

Re: Fw: SpamAssassin assistance

You can see that 69.244.154.112 is listed in dnsbl.sorbs.net. Not sure which MTA you are using but an rbl check might have found this and rejected it at the MTA. I run rbl checks using sendmail 8.13.3 and reject nearly 50% of mail based on a combination of rbl checks and a fairly large access

RE: couple of issues

It got tagged using this test but others keep coming in. is there anything else i can do to the spamcop_uri file to make it fire? other people on this list are tagging the same spam that in my system is going thru thanks David B Funk wrote: > On Thu, 9 Jun 2005, Kern, Tom wrote: > >> Perhaps,

Re: yet another uribl evasion example

Niek wrote: > Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50, > you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51. > Upgrading is not needed for sa 3.0.4 afaik. > > Niek Baakman > 0.51 gives me the same problems :)

Re: yet another uribl evasion example

On Mon, Jun 13, 2005 at 09:42:35PM +0200, wolfgang wrote: > - 3.0.4 appears to bring new challenges (Net::DNS version and such) 3.0.4 should be a drop-in replacement for earlier versions. People seem to be having issues if they also upgrade Net::DNS, but there's no requirement to do so. 3.0.4 fi

Re: Boost up Spamassassin option

> On another paw, more memory is generally a good way to speed up the > spamassassin operation. A good DNS setup is also required so that you > do not get delays in DNS lookups. Do not select DNS tests for sites > that no longer exist. That is a major slow down. > sorry, i cant follow you, where ca

Re: yet another uribl evasion example

On 6/13/2005 9:42 PM +0200, wolfgang wrote: - 3.0.4 appears to bring new challenges (Net::DNS version and such) Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50, you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51. Upgrading is not needed for sa 3.0

Re: yet another uribl evasion example

In an older episode (Monday 13 June 2005 21:20), Raymond Dijkxhoorn wrote: > Any reason not wanting to upgrade to 3.0.4 ? yes. - our spamchecker machines' distributor is slow with upgrades while i can patch existing 3.0.2 code on them. - 3.0.4 appears to bring new challenges (Net::DNS version a

Re: yet another uribl evasion example

Hi! On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote: however, it doesn't trigger surbl checks, since the '&' is considered as the end of the url. What version are you running? This was fixed in 3.0.4. can the fix be applied to 3.0.3? Any reason not wanting to upgrade to 3.0.4 ?

Re: yet another uribl evasion example

In an older episode (Monday 13 June 2005 18:10), Theo Van Dinter wrote: > On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote: > > however, it doesn't trigger surbl checks, since the '&' is considered > > as the end of the url. > > What version are you running? This was fixed in 3.0.4. can t

Re: Fw: SpamAssassin assistance

I should have been more specific in my original request. The stock rule to detect HELO forgery is exactly what I'm looking for. -Jim On Mon, 13 Jun 2005 13:53:40 -0400, Steven Dickenson wrote > Jim Schueler wrote: > > My users have been getting particularly insidious emails containing a > >

Re: Rmail. How to filter spamassassin tags.

Thank you Evan! Thank you Justin! ...If you would, please let me know of any Rmail groups.

RE: Advice for a weekend spam assassin?

Stuart Johnston wrote: > James Bucanek wrote: >> >> When I installed SA, I also installed Pyzor (there was some > reason I couldn't get Razor or DCC to compile, but I can't > remember what that is now). >> >> I was all set to configure it, when I just became totally > c

Re: Fw: SpamAssassin assistance

Jim Schueler wrote: My users have been getting particularly insidious emails containing a windows virus that purports to come from the system administrator. [snip] I would expect this test would be part of the distributed SpamAssassin configuration files. Can anybody recommend an approach

Re: Advice for a weekend spam assassin?

James Bucanek wrote: When I installed SA, I also installed Pyzor (there was some reason I couldn't get Razor or DCC to compile, but I can't remember what that is now). I was all set to configure it, when I just became totally confused. The only documentation I could find was the man pages, i

Re: Rmail. How to filter spamassassin tags.

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 fwiw, this kind of question, usually regarding SpamAssassin headers, comes up all the time on MH-specific groups I'm on -- so it certainly would not be OT for an rmail group I think. (I'm an MH person, not an rmail user, so can't help you.) - --j.

Re: Fw: SpamAssassin assistance

Jim Schueler wrote: > My users have been getting particularly insidious emails containing a > windows virus that purports to come from the system administrator. > > One email header contains the following entry: > > I would expect this test would be part of the distributed SpamAssassin >

RE: Spamassassin 3.0.4 Reporter.pm error

> Quoting wolfgang <[EMAIL PROTECTED]>: > > > Apparently, downgrading Net::DNS to 0.49 seems to fix this problem. > > Can anyone else comment on this? > > Doing just that worked for me here. > I had to do the same. 0.5x didn't work at all. I didn't see anything about it in the Net-DNS Bug Lis

Re: Rmail. How to filter spamassassin tags.

At 02:49 AM 6/13/2005, you wrote: Where would there be basic instructive details for users with rather spotty levels of expertise, little expertise, no expertise about how to compose, setup dotfiles for filtering Rmail spamassassin tags? Probably in a rmail group? It wouldn't need to be spamas

Fw: SpamAssassin assistance

My users have been getting particularly insidious emails containing a windows virus that purports to come from the system administrator. One email header contains the following entry: Received: from motorcityinteractive.com (pcp09017048pcs.watrfd01.mi.comcast.net [69.244.154.112])

Re: SpamAssassin milter and logs

Tim Boyer wrote: > Matt - > > I'll take your word for it, but... why? All MIMEDefang is doing is calling > SpamAssassin, right? Once control is passed to SpamAssassin, shouldn't it > be doing the logging? At the level SA is being called by MIMEDefang, SA is not a program, it is just a library.

Re: Can't write into world-writable directories?

Peter Guhl wrote: Sendmail, Spamass-Milter. After installing spamass-milter it is set to run as root but it has a security fallback; it doesn't use root all the time. Maybe that's causing this behaviour that it writes into /root/.spamassassin but using the user "spamd". Likely so. I would set

RE: Uri rules

> Has the behaviour of the uri rule been changed at some point > to match the > whole of the URL? I have just noticed I am getting some FP > when one of my > uri rules matches against the URL rather than URI. > To prevent FP would be very difficult, I think to match the > whole of the URL > with ur

Per-domain Spam Statistics

I run a qmail-scanner server (1.24) with SA 2.64 and clamav. Redhat 7.3. Was wondering if there are any scripts that can easily (or not so) integrate into my current setup that will parse the qmail logs and give me spam filtering stats per each domain we filter for. -- Matthew Yette Senior Engin

Re: OT : How to 'nomail' this list

On Mon, Jun 13, 2005 at 10:06:22AM -0400, Theo Van Dinter wrote: > On Mon, Jun 13, 2005 at 08:56:04AM -0400, Ugo Bellavance wrote: > > I want to interact with this list via nntp (gmane), but since this list > > is member-only, I must subscribe to post. I didn't find the way to set > > the opti

Re: Boost up Spamassassin option

Some scores have negative values. Some of the negative values are big enough to make 30 into a negative score. This is a discussion that comes up quite often. And it's been decided every time that no change should be made. On another paw, more memory is generally a good way to speed up the spamas

Re: OT : How to 'nomail' this list

* Ugo Bellavance <[EMAIL PROTECTED]> [2005-06-13 14:57]: > Hi, > I want to interact with this list via nntp (gmane), but since this list > is member-only, I must subscribe to post. I didn't find the way to set > the option not to receive messages from the list. > A hint? Ugo, if they use

Re: yet another uribl evasion example

On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote: > however, it doesn't trigger surbl checks, since the '&' is considered > as the end of the url. What version are you running? This was fixed in 3.0.4. -- Randomly Generated Tagline: Farfignewton.. the cookie of the stars.. pgpsZrzZT49i

yet another uribl evasion example

I just got the spam below (headers removed except few). this hasn't been caught at reception time. It now triggers RCVD_IN_BL_SPAMCOP_NET. however, it doesn't trigger surbl checks, since the '&' is considered as the end of the url. debug: URIDNSBL: domains to query: ins.com nusv.com

Re: Boost up Spamassassin option

On Mon, Jun 13, 2005 at 05:06:45PM +0200, Stefan Ewert wrote: > does anyone know about a option which speeds up spamassassin extremly: Used to exist in 2.4, didn't work and cause a bigger performance drag than it provided anyway, so we took it out. There's talk about a new way to add it back in s

Re: OT : How to 'nomail' this list

Theo Van Dinter wrote: On Mon, Jun 13, 2005 at 08:56:04AM -0400, Ugo Bellavance wrote: I want to interact with this list via nntp (gmane), but since this list is member-only, I must subscribe to post. I didn't find the way to set the option not to receive messages from the list.

Boost up Spamassassin option

Hi, does anyone know about a option which speeds up spamassassin extremly: order the tests: fastest first, getting slower , slowest is the last test in the list (dns perhaps, razor, pyzor, dcc). and now: stop testing the mail, as soon as spamscore is greater than needed to be marked as a spam

Re: Antwort: What means "sysread(9) not ready"?

On Monday 13 June 2005 05:39, Nico Prenzel wrote: > size=2>of course I mean > sysread(8) a > typo :-)  Please do not post in html only format. There are those of us who do not enable the display of html for reasons of security, particularly on *this* list. -- Cheers, Gene "There are four boxe

Re: OT : How to 'nomail' this list

On Mon, Jun 13, 2005 at 08:56:04AM -0400, Ugo Bellavance wrote: > I want to interact with this list via nntp (gmane), but since this list > is member-only, I must subscribe to post. I didn't find the way to set > the option not to receive messages from the list. I don't believe this is poss

OT : How to 'nomail' this list

Hi, I want to interact with this list via nntp (gmane), but since this list is member-only, I must subscribe to post. I didn't find the way to set the option not to receive messages from the list. A hint? Thanks, Ugo

Re: Can't write into world-writable directories?

On Thu, 2005-06-09 at 11:05 -0400, Steven Dickenson wrote: > Peter Guhl wrote: > > Well, still... somehow I don't get why the software is running as spamd > > and tries to write into /root. I wouldn't say anything if the sofware > > inwvolved wasn't designed to cooperate (spamd, spamass-milter). Bu

Re: SA/RDJ/Bogus Virus Warnings Problem

On Monday June 13 2005 7:46 am, Dimitri Yioulos wrote: > On Sunday June 12 2005 7:07 pm, Chris Thielen wrote: > > Hi Tim, Dimitri, > > > > Sorry to resurrect such an old thread! I'm a bit concerned with the 500 > > error code being downloaded into the SA_DIR. > > > > Tim Jackson wrote: > > >>Lint

Re: SA/RDJ/Bogus Virus Warnings Problem

On Sunday June 12 2005 7:07 pm, Chris Thielen wrote: > Hi Tim, Dimitri, > > Sorry to resurrect such an old thread! I'm a bit concerned with the 500 > error code being downloaded into the SA_DIR. > > Tim Jackson wrote: > >>Lint output: config: SpamAssassin failed to parse line, skipping: > >> confi

Re: Sa stats using rrdtool?

Ronan, Do you have a sample of what they look like, the graphs? on 6/13/05 8:01 AM, Ronan McGlue at [EMAIL PROTECTED] wrote: > MIKE YRABEDRA wrote: >> on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote: >> >> >>> Hi >>> >>> Try MailGraph :) That's what I'm using for my servers..

Re: Sa stats using rrdtool?

MIKE YRABEDRA wrote: on 6/13/05 8:01 AM, Ronan McGlue at [EMAIL PROTECTED] wrote: MIKE YRABEDRA wrote: on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote: Hi Try MailGraph :) That's what I'm using for my servers.. Google for mailgraph, first hit :) See ya Looks good, but

Re: Sa stats using rrdtool?

on 6/13/05 8:01 AM, Ronan McGlue at [EMAIL PROTECTED] wrote: > MIKE YRABEDRA wrote: >> on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote: >> >> >>> Hi >>> >>> Try MailGraph :) That's what I'm using for my servers.. >>> Google for mailgraph, first hit :) >>> >>> See ya >> >> >> >>

Re: Sa stats using rrdtool?

MIKE YRABEDRA wrote: on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote: Hi Try MailGraph :) That's what I'm using for my servers.. Google for mailgraph, first hit :) See ya Looks good, but I think I passed it over because I am not using postfix. I am using Communigate Pro. Ho

Re: Sa stats using rrdtool?

on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote: > Hi > > Try MailGraph :) That's what I'm using for my servers.. > Google for mailgraph, first hit :) > > See ya Looks good, but I think I passed it over because I am not using postfix. I am using Communigate Pro. However, my spamd

Rmail. How to filter spamassassin tags.

Where would there be basic instructive details for users with rather spotty levels of expertise, little expertise, no expertise about how to compose, setup dotfiles for filtering Rmail spamassassin tags?... the ideal would be instructive details that explain line by line, expression by expression w

RE: Sa stats using rrdtool?

Hi Try MailGraph :) That's what I'm using for my servers.. Google for mailgraph, first hit :) See ya -Original Message- From: MIKE YRABEDRA [mailto:[EMAIL PROTECTED] Sent: Monday, June 13, 2005 12:04 PM To: users@spamassassin.apache.org Subject: Sa stats using rrdtool? Hello, I have

Sa stats using rrdtool?

Hello, I have googled far and wide and kind not find an answer. Does anyone know of a solution that will process a spamd log and then output the stats using rrdtool? There are tons of things using mrtg, but even by the developers opinion, mrtg is dead, rrd will take it's place.

Frequent database breakage - recovery?

Hi, my bayesian databases are frequently broken (why, I'm not sure - spamassassin is called via amavisd-new, the training takes place via sa-lean and nothing else is accessing the databases). I've included db_recover to my amavisd-new startup script, to migitate the breakages. Somehow db_recover

Antwort: What means "sysread(9) not ready"?

of course I mean sysread(8) a typo :-) 

What means "sysread(9) not ready"?

Hello forum, i got the following lines in my log many times. I use debain 3.1 and SA (current trunk)! Mon Jun 13 07:59:19 2005 [18985] dbg: prefork: sysread(8) not ready, wait max 0 secs If no one knows, I'll open a bug ticket.

[SPAM] Passing parameters to a plugin

I have written a plugin that determines a spam according the the recipient address. I accept email to [EMAIL PROTECTED] where hexval is the expiry time of the address as a hex'd epoch time. My questions may be better served on the devel list, but I'm new here :) Here's my rule: header TIMED_RE

Re: SA/RDJ/Bogus Virus Warnings Problem

On Sun, 12 Jun 2005 18:07:39 -0500 Chris Thielen <[EMAIL PROTECTED]> wrote: > Sorry to resurrect such an old thread! I'm a bit concerned with the > 500 error code being downloaded into the SA_DIR. I think you may be able to let this one die peacefully. I checked my configuration and it looks lik