Re: PDF rule not matching -- split line content type?

2007-08-14 Thread Theo Van Dinter
The rawbody rule finds the text/html part as non-empty, so __TVD_BODY is false, making the TVD_PDF_FINGER01 rule false. On Tue, Aug 14, 2007 at 10:16:42PM -0700, Jo Rhett wrote: > Can someone clue me in on why this rule isn't matching? > > Jo Rhett wrote: > >So I've been getting a metric ton of P

Re: PDF rule not matching -- split line content type?

2007-08-14 Thread Loren Wilton
rawbody __TVD_BODY /\S{4}/ true header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i true mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i false mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i maybe

Re: PDF rule not matching -- split line content type?

2007-08-14 Thread Jo Rhett
Can someone clue me in on why this rule isn't matching? Jo Rhett wrote: So I've been getting a metric ton of PDF spam. Investigating the rule that is supposed to match this, I see rawbody __TVD_BODY /\S{4}/ header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i meta

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Jo Rhett
Gene Heskett wrote: So what needs to be used in place of "saupdates.openprotect.com"? I might add that rulesdujour seems to work, but I've not regularly abused their site since the DDOS started. Darryl does a good job of providing all the sare rulesets via sa-update. All the details are on th

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
Robert - elists wrote: I don't use alternative files that I am aware of anyways... just stock clamav the ecard stuff is not the normal clamav virus databases. And... I hear ya, yet clamav plugin *integration* into SA scores as I understand it, where stock clamav quarantines We use amavis w

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Gene Heskett
On Tuesday 14 August 2007, Kai Schaetzl wrote: >Gene Heskett wrote on Tue, 14 Aug 2007 14:46:55 -0400: >> [18342] dbg: dns: query failed: 3.2.3.saupdates.openprotect.com => >> NXDOMAIN [18342] dbg: channel: no updates available, skipping channel >> [18342] dbg: diag: updates complete, exiting with

RE: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Robert - elists
> > Apparently with alternate virus files, which I had not yet tested. > Someone mentioned that earlier today and I'm investigating it. > > -- > Jo Rhett Jo I don't use alternative files that I am aware of anyways... just stock clamav And... I hear ya, yet clamav plugin *integration* into SA

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
On Aug 14, 2007, at 2:31 PM, Kai Schaetzl wrote: What can be done to get these tested and included in the main ruleset? What is "these"? I don't see that you offered any rules catching that stuff. So, what do you want the developers or anyone to test? People refer to rulesets they've create

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
On Aug 14, 2007, at 2:22 PM, Robert - elists wrote: You might consider the clamav integration into SA, as clamav is catching all the ecard ones Apparently with alternate virus files, which I had not yet tested. Someone mentioned that earlier today and I'm investigating it. -- Jo Rhett Ne

Re: fake MX records

2007-08-14 Thread Kai Schaetzl
Marc Perkel wrote on Tue, 14 Aug 2007 14:52:22 -0700: > So what do you attribute my success in getting rid of all bot spam to? As I don't know your setup this would be pure speculation. However, as *I* am not using fake MXs, but several other MTA techniques and see not much Botnet spam either I

Re: Scoring question

2007-08-14 Thread Matt Kettler
Rick Zeman wrote: > Does this score: > > 0.001 BAYES_50 Bayesian spam probability is 40 to 60% > > seem to be rather low for something with a 50% probability of being spam? > No, as it has a 50% probability of being nonspam too. 50% is the "exactly undecided" mark.

Re: Sample eCard Rules...

2007-08-14 Thread Matt Kettler
Jared Hall wrote: > Some quick eCard rules: > > header JARED_ECARD Subject =~ /You\'ve received > (a|an) (greeting|postcard| > ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague| > family member|friend|mate|neighbor|neighbour|partner|school friend|

Re: fake MX records

2007-08-14 Thread Daryl C. W. O'Shea
On 8/14/2007 5:52 PM, Marc Perkel wrote: Kai Schaetzl wrote: Marc Perkel wrote on Tue, 14 Aug 2007 07:13:16 -0700: I'm using it on 1600 domains and it definitely works. I get no bot spam at all. I doubt that this is because you have a fake low MX. Kai So what do you attribut

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Daryl C. W. O'Shea
On 8/14/2007 2:46 PM, Gene Heskett wrote: On Tuesday 14 August 2007, Daryl C. W. O'Shea wrote: On 8/14/2007 6:31 AM, Kai Schaetzl wrote: Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: Ok, is there a quick & dirty way to determine which .pre file (or local.cf, there are 3 of those too)

DCC Troubles

2007-08-14 Thread Matt
I am getting this continuously in my maillog log file running exim and sa. dccproc[18723]: open(/var/dcc/map): Permission denied I have DCC installed. [EMAIL PROTECTED] ~]# rpm -qa | grep dcc -i dcc-1.3.57-0.rhel4 Any idea what is wrong? Matt

Re: Get Magic Statistics From Mail::SpamAssassin

2007-08-14 Thread Theo Van Dinter
On Tue, Aug 14, 2007 at 02:46:00PM -0400, Daniel Aquino wrote: > I'm writing a perl script to train sa. > > And I'm wondering how I can get the statistics that "sa-learn --dump magic" > would give me ? FWIW, if you're writing perl you should feel free to edit sa-learn and see how it's done. :) (hi

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread John D. Hardin
On Tue, 14 Aug 2007, Diego Pomatta wrote: > and this ruleset for postcards&ecards -> > http://www.impsec.org/~jhardin/antispam/postcards.cf We're starting to get into whack-a-mole territory with the postcard spams. There will be another update out tonight. -- John Hardin KA7OHZ

Re: Using SpamAssassin to parse Received headers

2007-08-14 Thread Jari Fredriksson
> Hey folks, > > This is a question about using SpamAssassin's perl > interface, not about filtering mail. > > I'm using 3.2.2 (soon to be 3.2.3) on OpenBSD, built > from source. In addition to using SA to filter my email, > I'd also like to take advantage of SA's ability to parse > Received

Re: fake MX records

2007-08-14 Thread Marc Perkel
Kai Schaetzl wrote: Marc Perkel wrote on Tue, 14 Aug 2007 07:13:16 -0700: I'm using it on 1600 domains and it definitely works. I get no bot spam at all. I doubt that this is because you have a fake low MX. Kai So what do you attribute my success in getting rid of all bot spa

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Kai Schaetzl
Gene Heskett wrote on Tue, 14 Aug 2007 14:46:55 -0400: > [18342] dbg: dns: query failed: 3.2.3.saupdates.openprotect.com => NXDOMAIN > [18342] dbg: channel: no updates available, skipping channel > [18342] dbg: diag: updates complete, exiting with code 1 > > So, we're back to my subject line, sa-

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Kai Schaetzl
Jo Rhett wrote on Tue, 14 Aug 2007 13:27:20 -0700: > Well first I don't think many of us want to waste CPU cycles trying > to analyze the contents of PDF files. Right, and not only of PDFs. That's why "many of us" reject this stuff already at MTA for technical reasons and thus rarely see this

RE: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Robert - elists
> > Just to make it clear what I and others keep saying on this topic: > I'm using 4 different systems that have various 3.x versions of > spamassassin, all of which use sa-update, and none of which are doing > an adequate job of catching gif, pdf or ecard spam. It's upwards of > 20 an hour on se

Re: mail in quarantine have diferent hits from spamc

2007-08-14 Thread Kai Schaetzl
Rejaine Monteiro wrote on Tue, 14 Aug 2007 16:28:20 -0300: > Content analysis details: (2.8 points, 5.0 required) Without the other details there is no comparison possible. One possible explanation for the difference: your message also hit network tests. These may not have been carried out wi

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
Jo Rhett wrote: I think that rules which did a better job on these messages would be greatly appreciated. On Aug 14, 2007, at 12:42 PM, Diego Pomatta wrote: I use PDFinfo plugin from http://rulesemporium.com/plugins.htm Well first I don't think many of us want to waste CPU cycles trying

Re: Scoring question

2007-08-14 Thread arni
Rick Zeman wrote: Does this score: 0.001 BAYES_50 Bayesian spam probability is 40 to 60% seem to be rather low for something with a 50% probability of being spam? SA 3.2.1 run within Maia with autolearning on. Tnx BAYES_50 means that bayes thinks that it's 50% chance to be ham a

Using SpamAssassin to parse Received headers

2007-08-14 Thread C. Bensend
Hey folks, This is a question about using SpamAssassin's perl interface, not about filtering mail. I'm using 3.2.2 (soon to be 3.2.3) on OpenBSD, built from source. In addition to using SA to filter my email, I'd also like to take advantage of SA's ability to parse Received headers for my

Re: Scoring question

2007-08-14 Thread Daryl C. W. O'Shea
On 8/14/2007 3:49 PM, Rick Zeman wrote: Does this score: 0.001 BAYES_50 Bayesian spam probability is 40 to 60% seem to be rather low for something with a 50% probability of being spam? Anything higher would seem to be a little high for something with a 50% probability of being ham.

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Diego Pomatta
Interesting Tech Republic article, Putting a stop to PDF spam which mentions the pdfinfo plugin for SA.

Scoring question

2007-08-14 Thread Rick Zeman
Does this score: 0.001 BAYES_50 Bayesian spam probability is 40 to 60% seem to be rather low for something with a 50% probability of being spam? SA 3.2.1 run within Maia with autolearning on. Tnx -- Rick Zeman Manager of Information Technology Melwood Horticultural Training Center 30

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Diego Pomatta
Jo Rhett wrote: On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SA

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread John Rudd
Jo Rhett wrote: On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Gene Heskett
On Tuesday 14 August 2007, Daryl C. W. O'Shea wrote: >On 8/14/2007 6:31 AM, Kai Schaetzl wrote: >> Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: >>> Ok, is there a quick & dirty way to determine which .pre file (or >>> local.cf, there are 3 of those too) is actually running the show? >> >>

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Daryl C. W. O'Shea
On 8/14/2007 2:18 PM, Gene Heskett wrote: On Tuesday 14 August 2007, Daryl C. W. O'Shea wrote: On 8/14/2007 6:31 AM, Kai Schaetzl wrote: Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: Ok, is there a quick & dirty way to determine which .pre file (or local.cf, there are 3 of those too)

mail in quarantine have diferent hits from spamc

2007-08-14 Thread Rejaine Monteiro
Hi does *not always happen, but sometimes I got this: *this is a spam in my quarantine folder... *** Qmail-Scanner Quarantine Envelope Details Begin *** spamassassin: 3.1.7. SPAM Found. Processed in 2.719401 secs) Quarantine-Description: SPAM content refused by this network (5.8/5.0) *** Q

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Jo Rhett
On Aug 14, 2007, at 8:22 AM, Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE rules for the g

PDF rule not matching -- split line content type?

2007-08-14 Thread Jo Rhett
So I've been getting a metric ton of PDF spam. Investigating the rule that is supposed to match this, I see rawbody __TVD_BODY /\S{4}/ header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i meta __TVD_MIME_ATT __TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF m

[no subject]

2007-08-14 Thread Daniel Aquino
I'm currently using: my $spam_assassin = Mail::SpamAssassin->new({ site_rules_filename => '/etc/mail/spamassassin/', dont_copy_prefs => 1 }); Would this be the correct way to initialize SA ? I have been testing back and forth between my script and sa-learn and it appears that they are not u

R: Get Magic Statistics From Mail::SpamAssassin

2007-08-14 Thread Giampaolo Tomassoni
> From: Daniel Aquino [mailto:[EMAIL PROTECTED] > > I'm writing a perl script to train sa. > > And I'm wondering how I can get the statistics that "sa-learn --dump magic" would give me ? > > Thanks! Which statistics? "sa-learn --dump magic" only gives some infos about the bayes db status. See: x

Get Magic Statistics From Mail::SpamAssassin

2007-08-14 Thread Daniel Aquino
I'm writing a perl script to train sa. And I'm wondering how I can get the statistics that "sa-learn --dump magic" would give me ? Thanks!

3.2.3 TIME out

2007-08-14 Thread Jean-Paul Natola
Hi all, I was told that 3.2.3 had the fixes for the timing out issues- Is there ANYTHING else I'm missing to correct this? Here's my netstat output; Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address(state) tcp42546 0 localhost.783

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Gene Heskett
On Tuesday 14 August 2007, Daryl C. W. O'Shea wrote: >On 8/14/2007 6:31 AM, Kai Schaetzl wrote: >> Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: >>> Ok, is there a quick & dirty way to determine which .pre file (or >>> local.cf, there are 3 of those too) is actually running the show? >> >>

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Daryl C. W. O'Shea
On 8/14/2007 6:31 AM, Kai Schaetzl wrote: Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: Ok, is there a quick & dirty way to determine which .pre file (or local.cf, there are 3 of those too) is actually running the show? all the files in /etc/mail/spamassassin No, that is something

[EMAIL PROTECTED] strikes again

2007-08-14 Thread Spamassassin List
The original message was received at Tue, 14 Aug 2007 11:50:13 -0400 from localhost.localdomain [127.0.0.1] - The following addresses had permanent fatal errors - [EMAIL PROTECTED] (reason: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)) (expanded from:

Public.pm

2007-08-14 Thread Spamassassin List
Hi List, Does anyone encounter this error and how do you fix it? Use of uninitialized value in string eq at /usr/lib/perl5/vendor_perl/5.8.8/Mail/DomainKeys/Key/Public.pm line 67, line 319. Thanks

Sample eCard Rules...

2007-08-14 Thread Jared Hall
Some quick eCard rules: header JARED_ECARD Subject =~ /You\'ve received (a|an) (greeting|postcard| ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague| family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshippe

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread John Rudd
Doc Schneider wrote: Loren Wilton wrote: PDFinfo plugin from SARE helps a lot with the pdf mess. I found that ClamAV catches most all those greeting card spamscam viruses. But the PDFInfo from SARE works GREAT! ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL signatures

RE: PDFAssassin

2007-08-14 Thread Jean-Paul Natola
-Original Message- From: Bob Pierce [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 14, 2007 11:00 AM To: users@spamassassin.apache.org Subject: PDFAssassin Is anybody using the PDFAssassin module from http://blog.atmail.com/?p=61 I didn't think I saw it talked about on the list yet.

Re: disable spamhaus rbl?

2007-08-14 Thread Diego Pomatta
Kai Schaetzl wrote: Diego Pomatta wrote on Tue, 14 Aug 2007 10:37:27 -0300: I always considered it to be more efficient this way, would this be correct? It's a matter of trust. If you trust the RBL to produce an insignificant amount of false positives for you then rejecting at MTA le

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Doc Schneider
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Loren Wilton wrote: > PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also > published a number of rules that catch them, I believe. You can get > them from one of the standard SA update channels. > > I suppose we ought to publish s

RE: warning - score undef for rule 'MISSING_SUBJECT'...

2007-08-14 Thread Skip Brott
> The first time I run sa-update after a v3.2.3 install, I get > the following warnings: > > rules: score undef for rule 'MISSING_SUBJECT' in '' > 'MISSING_SUBJECT' at > /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm > line 2140. > rules: score undef for rule 'EMPTY_MESS

Re: Rule for PDF and eCard Spam Needed

2007-08-14 Thread Loren Wilton
PDFinfo plugin from SARE helps a lot with the pdf mess. Theo has also published a number of rules that catch them, I believe. You can get them from one of the standard SA update channels. I suppose we ought to publish some SARE rules for the greeting cards, although our experience is they te

warning - score undef for rule 'MISSING_SUBJECT'...

2007-08-14 Thread Rosenbaum, Larry M.
The first time I run sa-update after a v3.2.3 install, I get the following warnings: rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_M

PDFAssassin

2007-08-14 Thread Bob Pierce
Is anybody using the PDFAssassin module from http://blog.atmail.com/?p=61 I didn't think I saw it talked about on the list yet. I'm looking for a good solution for catching PDF spam. Are there any better suggestions for catching PDF? Thanks again, Bob

Re: fake MX records

2007-08-14 Thread Kai Schaetzl
Marc Perkel wrote on Tue, 14 Aug 2007 07:13:16 -0700: > I'm using it on 1600 domains and it definitely works. I get no bot spam > at all. I doubt that this is because you have a fake low MX. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Gene Heskett
On Tuesday 14 August 2007, Kai Schaetzl wrote: >Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: >> Ok, is there a quick & dirty way to determine which .pre file (or >> local.cf, there are 3 of those too) is actually running the show? > >all the files in /etc/mail/spamassassin > Ok, I'll star

Re: disable spamhaus rbl?

2007-08-14 Thread Kai Schaetzl
Diego Pomatta wrote on Tue, 14 Aug 2007 10:37:27 -0300: > I always considered it to be more efficient this way, would this be correct? It's a matter of trust. If you trust the RBL to produce an insignificant amount of false positives for you then rejecting at MTA level is the best thing you can

Re: fake MX records

2007-08-14 Thread Marc Perkel
Kshatriya wrote: On Tue, 14 Aug 2007, ram wrote: The page says the primary MX should not be accepting connections at all. Has anyone else tried this , will this cause delay in my mail It almost doesn't work anymore. Better try adaptive greylisting, with some whitelists so you don't notice

Rule for PDF and eCard Spam Needed

2007-08-14 Thread Clay Davis
Can someone recommend a SAR(E) to mitigate the influx of the PDF and eCard spams until I can learn the bayes? (haven't been tuned into the list for a while... sorry.) Thanks, Clay

RE: disable spamhaus rbl?

2007-08-14 Thread Skip Brott
> After reading all the replies I was left wondering.. > These kind of rules are not used when spamd is started with the -L > (--local) switch, right? > I use *rblsmtpd* (http://cr.yp.to/ucspi-tcp/rblsmtpd.html) to > query spamhaus at smtp time. (qmail - tcpserver) > /usr/local/bin/rblsmtpd -b -C

Re: what happened after 3.1.8?

2007-08-14 Thread Andy Jezierski
Matt Kettler <[EMAIL PROTECTED]> wrote on 08/13/2007 08:09:19 PM: > Jean-Paul Natola wrote: > > Since its not in the ports tree yet- ( that's how I usually upgrade) > > FYI, 3.2.3 is now in the FreeBSD ports tree. Andy

Re: disable spamhaus rbl?

2007-08-14 Thread Diego Pomatta
Fletcher Mattox wrote: Spamhaus has determined that my query rate is too high to continue using their servers for free. So they have, apparently, blocked my queries at their router, which incurs a 5 second timeout. How do I tell SpamAssassin to stop using all spamhaus servers, including zen?

R: a small explanation on rule FORGED_RCVD_HELO

2007-08-14 Thread Giampaolo Tomassoni
> -Original Message- > From: Matt Kettler [mailto:[EMAIL PROTECTED] > Sent: Tuesday, 14 August 2007 13.38 > To: Claude Frantz > Cc: users@spamassassin.apache.org > Subject: Re: a small explanation on rule FORGED_RCVD_HELO > > Claude Frantz wrote: > > Matt Kettler wrote: > > > >> It looks

Re: fake MX records

2007-08-14 Thread Robert Schetterer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kshatriya wrote: > On Tue, 14 Aug 2007, ram wrote: > >> The page says the primary MX should not be accepting connections at all. >> Has anyone else tried this , will this cause delay in my mail > > It almost doesn't work anymore. Better try adaptiv

Re: fake MX records

2007-08-14 Thread Kshatriya
On Tue, 14 Aug 2007, ram wrote: The page says the primary MX should not be accepting connections at all. Has anyone else tried this , will this cause delay in my mail It almost doesn't work anymore. Better try adaptive greylisting, with some whitelists so you don't notice too much of delays.

RE: fake MX records

2007-08-14 Thread Michael Scheidell
> -Original Message- > From: ram [mailto:[EMAIL PROTECTED] > Sent: Tuesday, August 14, 2007 6:07 AM > To: users@spamassassin.apache.org > Subject: fake MX records > > > http://wiki.apache.org/spamassassin/OtherTricks this page mentions > setting up fake MXes > > Is this method rel

Re: a small explanation on rule FORGED_RCVD_HELO

2007-08-14 Thread Matt Kettler
Claude Frantz wrote: > Matt Kettler wrote: > >> It looks for a HELO doesn't match against the reverse DNS for the IP >> address. > > Please note the case of clients connected to the network via NAT and > using dynamic IP addresses. In the general case, such clients do not > know about the IP addre

RE: disable spamhaus rbl?

2007-08-14 Thread Randal, Phil
You almost got it right! Try score __RCVD_IN_ZEN 0.0 score RCVD_IN_SBL 0.0 score RCVD_IN_XBL 0.0 score RCVD_IN_PBL 0.0 score URIBL_SBL 0.0 Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -Original Message- > From: Fletcher Mattox [mailto:[EMAIL PROT

Re: So lets change it to "sa-update doesn't"

2007-08-14 Thread Kai Schaetzl
Gene Heskett wrote on Tue, 14 Aug 2007 00:15:24 -0400: > Ok, is there a quick & dirty way to determine which .pre file (or local.cf, > there are 3 of those too) is actually running the show? all the files in /etc/mail/spamassassin > >No, that is something you put yourself there. > Sorry Kai, t

Re: a small explanation on rule FORGED_RCVD_HELO

2007-08-14 Thread Kai Schaetzl
Claude Frantz wrote on Tue, 14 Aug 2007 11:11:31 +0200: > Please note the case of clients connected to the network via NAT and > using dynamic IP addresses. In the general case, such clients do not > know about the IP address to which one their local address is > translated using NAT. Such cli

fake MX records

2007-08-14 Thread ram
http://wiki.apache.org/spamassassin/OtherTricks this page mentions setting up fake MXes Is this method relevant today too with a lot of spam being relayed through proper smtp channels The page says the primary MX should not be accepting connections at all. Has anyone else tried this , will t

Re: a small explanation on rule FORGED_RCVD_HELO

2007-08-14 Thread Claude Frantz
Matt Kettler wrote: It looks for a HELO doesn't match against the reverse DNS for the IP address. Please note the case of clients connected to the network via NAT and using dynamic IP addresses. In the general case, such clients do not know about the IP address to which one their local addr

Re: more than one mx record whitelist_from_rcvd option

2007-08-14 Thread Daryl C. W. O'Shea
On 8/14/2007 2:23 AM, Gokhan ALKAN wrote: hi all ; i have used "whitelist_from_rcvd" option for spamassassin and it works successfully if domain has only one mx record . for instance i have domain.com and it has only one mx record . the below line is used users who have email address "[EM

Re: how to stop the spam assassin

2007-08-14 Thread Gokhan ALKAN
it depends on which distro have you used . you can use stop/start script to stop spamassassin. or you can see spamassassin process with ps command and kill . you can see pid of spamassassin with below command and you can kill spamassassin # ps auwx | grep "spamd" | grep -v "grep" # kill -9 spam

how to stop the spam assassin

2007-08-14 Thread Sg
Hi, I am running SA 3.1.7. I need to upgrade it. I have to stop the current running SA. how to stop the service? -- Sg

whitelist_from_rcvd more than one mx record

2007-08-14 Thread Gokhan ALKAN
hi all ; i have used "whitelist_from_rcvd" option for spamassassin and it works successfully if domain has only one mx record . for instance i have domain.com and it has only one mx record . the below line is used users who have email address "[EMAIL PROTECTED]". whitelist_from_rcvd