Re: Ensuring Custom Rules Are Scored Properly

Andrew Wilkinson wrote: I'm experimenting with Fedora 8 and a miltered sendmail configuration running as a mail gateway (smf-sav, smf-spf, milter-greylist, clamav-milter, spamass-milter). I've configured spamassassin's local.cf with a custom rule. It's a simple regex which checks the 'Receiv

Re: no uribl

Karsten Bräckelmann wrote: On Tue, 2008-03-18 at 20:00 -0400, Matt Kettler wrote: Arvid Ephraim Picciani wrote: urm, i just figured those geocity sites are all on the URIBL. but sa doesn't seem to check those. any hint how to add it? It should be on by default if you've got a re

Re: no uribl

On Tue, 2008-03-18 at 20:00 -0400, Matt Kettler wrote: > Arvid Ephraim Picciani wrote: > > urm, i just figured those geocity sites are all on the URIBL. but sa > > doesn't > > seem to check those. any hint how to add it? > > It should be on by default if you've got a reasonably recent version o

Ensuring Custom Rules Are Scored Properly

I'm experimenting with Fedora 8 and a miltered sendmail configuration running as a mail gateway (smf-sav, smf-spf, milter-greylist, clamav-milter, spamass-milter). I've configured spamassassin's local.cf with a custom rule. It's a simple regex which checks the 'Received' header on inbound mai

Re: no uribl

Arvid Ephraim Picciani wrote: urm, i just figured those geocity sites are all on the URIBL. but sa doesn't seem to check those. any hint how to add it? It should be on by default if you've got a reasonably recent version of Net::DNS installed. However, make sure your /etc/mail/spamassassin

Pyzor not working in SA3.2.2?

I have a SA3.2.2 box and an SA3.2.4 box. Installing (via the INSTALL doc included with the dist) the latest version of Pyzor on both boxes, -D --lint tests feeding it a spam message fires the pyzor rules perfectly. However, only the 3.2.4 box seems to use it in production. The 3.2.2 box isn't fi

Re: no uribl

On Wednesday 19 March 2008 01:00:27 Matt Kettler wrote: > It should be on by default if you've got a reasonably recent version of > Net::DNS installed. hum. i think so. its debian so there is no way to say how they split up things, but i have libnet-dns-perl installed. > However, make sure your /

no uribl

urm, i just figured those geocity sites are all on the URIBL. but sa doesn't seem to check those. any hint how to add it? thank you -- best regards/Mit freundlichen Grüßen Arvid Ephraim Picciani

Bayes not running but no errors

Hello there, I've been trying to get my bayesian filter working for a while now and haven't had any success so I was hoping someone might be able to point me in the right direction. Simply it's not scoring, it leanrs, but doesn't put a score on any mail. It has more than enough tokens learne

Re: How can I catch these?

Loren Wilton wrote: Hi, I'm kinda getting tired of reporting these mails (both to my local SA and to SpamCop), and so are my customers. My problem is that the spammers are using a large ISP's mail server, and that particular ISP (as all the others here in Argentina) don't bother checking the abus

Re: ways to react faster to spam attacks

On Tue, 18 Mar 2008, Arvid Ephraim Picciani wrote: The SARE "oem software" rules shoudl catch this sort of stuff just dandy. 0.9 SARE_OEM_PRODS_FEW SARE_OEM_PRODS_FEW 0.4 SARE_PRODUCTS_02 SARE_PRODUCTS_02 not enough :( any aditional rules i could add? I think the SOUGHT dynamical

Re: How can I catch these?

On Tue, 18 Mar 2008, Loren Wilton wrote: tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001, You could probably take bayes_99 up to very nearly 5 points quite safely IF your bayes database is well trained. And if you're vexed by spams from Argentinian ISPs that BAYES is train

Re: ways to react faster to spam attacks

On Tuesday 18 March 2008 23:28:09 Loren Wilton wrote: > >> And that one has a geocities url, which shoudl be good for an automatic > >> 2-3 > >> points or more. > > > > It's changing too fast :/ > > I meant a rule against http://(?:www\.)geocities\b or the like, not against > the specific site on g

Re: How can I catch these?

Luis Hernán Otegui wrote: Hi, I'm kinda getting tired of reporting these mails (both to my local SA and to SpamCop), and so are my customers. My problem is that the spammers are using a large ISP's mail server, and that particular ISP (as all the others here in Argentina) don't bother checking th

Re: ways to react faster to spam attacks

And that one has a geocities url, which shoudl be good for an automatic 2-3 points or more. It's changing too fast :/ I meant a rule against http://(?:www\.)geocities\b or the like, not against the specific site on geocities. That should be good for about 2 points and help a lot with a re

Re: ways to react faster to spam attacks

> The SARE "oem software" rules shoudl catch this sort of stuff just dandy. > > Loren 0.9 SARE_OEM_PRODS_FEW SARE_OEM_PRODS_FEW 0.4 SARE_PRODUCTS_02 SARE_PRODUCTS_02 not enough :( any aditional rules i could add? -- best regards/Mit freundlichen Grüßen Arvid Ephraim Piccia

Re: How can I catch these?

tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001, You could probably take bayes_99 up to very nearly 5 points quite safely IF your bayes database is well trained. Loren

Re: How can I catch these?

Hi, I'm kinda getting tired of reporting these mails (both to my local SA and to SpamCop), and so are my customers. My problem is that the spammers are using a large ISP's mail server, and that particular ISP (as all the others here in Argentina) don't bother checking the abuse reports. What drive

Re: ways to react faster to spam attacks

On Tuesday 18 March 2008 23:08:03 Loren Wilton wrote: >On Tuesday 18 March 2008 02:47:00 James E. Pratt wrote: >> Like these? >rather like this >http://rafb.net/p/L5BnTY79.html > not really "free" software. rather warez sales. >The SARE "oem software" rules shoudl catch this sort of stuff just dan

Re: ways to react faster to spam attacks

err way way worse. this babelfish translation of the same spam just got autolearned as ham http://rafb.net/p/99iIHK53.html And that one has a geocities url, which shoudl be good for an automatic 2-3 points or more. Loren

Re: ways to react faster to spam attacks

On Tuesday 18 March 2008 02:47:00 James E. Pratt wrote: Like these? rather like this http://rafb.net/p/L5BnTY79.html not really "free" software. rather warez sales. The SARE "oem software" rules shoudl catch this sort of stuff just dandy. Loren

Re: from field with double @'s

On 18/03/2008 4:40 AM, Glenn Terjesen wrote: Problem is that [EMAIL PROTECTED] is in a whitelist so the spam gets through. Can anyone hint me a way to create a rule that catch these mails ? As everyone else has said, don't whitelist yourself. But you may be able t

any way to stop these tiny zip spams?

...we're getting around 15,000 per day at the moment: emails containing one line of text and a <1Kbyte zip attachment (filename varies) - which contains a spammy HTML file. http://pastebin.com/m493f478c I don't expect it'll last long as a delivery system, but currently only RBL rules have any

make test hangs at spamd_hup.t

I started with Mail-SpamAssassin-3.2.4.tar... The make looked OK, no error messages. The "make test" works fine until we get to the spamd_hup test, then I get the message: "Maybe you need to kill a running spamd process?" And there it sits. What more info do you need to help me figure this out?

Re: Slow processing with 3.2.4

We have local DNS servers and cache/have feeds to some of the blacklists to help with the network testing processing. This is what we have observed too. We have watched top for observing memory use, CPU use (user versus idle versus wait), and slow network tests will cause the spamd childs to ke

collecting for sa-learn

I've got an issue with collecting email to be used with sa-learn. My setup is MailScanner which scans email and sends it to another server if everything checks out. The problem is collecting false negative email to be used with sa-learn. If it's made it through, it doesn't stay on the server.

Re: How to catch gibberish spam before URIBL lists it?

Loren Wilton wrote: > >>TW_AQ,TW_BM,TW_BX,TW_GP,TW_HM,TW_LP,TW_MQ,TW_PX,TW_QD,TW_QL,TW_TR,TW_WF, > >>TW_ZX, > > > >What ruleset are those rules in? > > Tripwire. Available at SARE in "other rules". > > Beware, these are english-biased rules and will FP on other languages. Thanks for the pointer

RE: Why can't I change value of required_score ?

Apologies, I meant to send this to the qmail-toaster list... :( > -Original Message- > From: James E. Pratt [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 18, 2008 2:38 PM > To: [EMAIL PROTECTED] > Subject: FW: Why can't I change value of required_score ? > > > > > -Original Messa

FW: Why can't I change value of required_score ?

> -Original Message- > From: James E. Pratt > Sent: Tuesday, March 18, 2008 2:36 PM > To: 'Yavuz Maslak' > Subject: RE: Why can't I change value of required_score ? > > > > > -Original Message- > > From: Yavuz Maslak [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, March 18, 2008 2

Why can't I change value of required_score ?

I use spamassassin3.2.1 and simscan1.2 My value of required_score doesn't work in /usr/local/etc/mail/spamassassin/local.cf. I couldn't change required_score's value. The server still looks at old value which I must have been set it. I checked that the server reads /usr/local/etc/mail/spamassassi

Re: languages

On Tue, 2008-03-18 at 13:20 -0400, Jean-Paul Natola wrote: > I seem to have forgotten where to put acceptable languages in SA > We just got a slew of our colleagues from Spain complaining, and when I > looked the headers I saw > > 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired

Re: Slow processing with 3.2.4

On 18/03/2008 1:39 PM, Spam Admin wrote: > Spam Admin wrote: >> Yes, the hardware is identical. The MX records are both '10', and the >> volume of mail is slightly LESS on the 3.2.4 machine over the 3.1.9 >> it's taking more time to process less mail on the newer machine. - are you running the sa

languages

Hi all, I seem to have forgotten where to put acceptable languages in SA We just got a slew of our colleagues from Spain complaining, and when I looked the headers I saw 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language I guess when I had my "little" SA disas

Re: remove spam before forwarding

Euroka wrote: Hi all, I have a postfix with a couple of virtual hosts and a /etc/postfix/virtual file with my users . some users prefer that mail from my postfix server mail.domain1.com gets forwarded to an exchange server at mail.domain2.com Now all users have a .procmailrc file in their home

Re: spamassassin windows gpgkey errors

On Thu, Mar 13, 2008 at 08:27:37AM -0500, Zach Jones wrote: > >Am attempting to update using sa-update, but no matter what command > >I try (checkonly, gpgno) I get the following error: [path]..gpg > >required but not found There is no "gpgno", it's "nogpg". --checkonly does want GPG by d

Re: SV: from field with double @'s

On 18.03.08 15:20, Glenn Terjesen wrote: > I wish I could remove the whitelist_from config but you wouldn't believe > how many bad email-signatures and bad email-servers there are out there > that our customers need to get email from.. if they are sending mail from broken servers, it's one more re

SV: from field with double @'s

Thank you for all the feedback. I wish I could remove the whitelist_from config but you wouldn't believe how many bad email-signatures and bad email-servers there are out there that our customers need to get email from.. Im gonna just create a script that removes "local" email accounts from our

Re: How can I catch these?

Hi, Matthias 2008/3/18, Matthias Haegele <[EMAIL PROTECTED]>: > Luis Hernán Otegui schrieb: > > > Hi, I'm kinda getting tired of reporting these mails (both to my local > > SA and to SpamCop), and so are my customers. My problem is that the > > spammers are using a large ISP's mail server, and t

Re: How can I catch these?

Luis Hernán Otegui schrieb: Hi, I'm kinda getting tired of reporting these mails (both to my local SA and to SpamCop), and so are my customers. My problem is that the spammers are using a large ISP's mail server, and that particular ISP (as all the others here in Argentina) don't bother checking

Re: remove spam before forwarding

2008/3/18, McDonald, Dan <[EMAIL PROTECTED]>: > > > On Tue, 2008-03-18 at 12:33 +0100, Euroka wrote: > > > How can I remove all incoming spam directely instead of first > > processing it via procmail, so domain2 doesn't get all the spam > > traffic that arrived first at domain1? > > > Use a product

Re: from field with double @'s

On 18.03.08 12:17, Glenn Terjesen wrote: > Thanks for reply but we cant use any of these plugins: > > whitelist_from_dkim, whitelist_from_spf, whitelist_from_dk, > whitelist_auth > > Because our users and our customers users send from smarthosts all over > the world wich don't have spf or dk or s

How can I catch these?

Hi, I'm kinda getting tired of reporting these mails (both to my local SA and to SpamCop), and so are my customers. My problem is that the spammers are using a large ISP's mail server, and that particular ISP (as all the others here in Argentina) don't bother checking the abuse reports. What drives

Re: from field with double @'s

From: [EMAIL PROTECTED] <[EMAIL PROTECTED]> The above is almost OK. The only error is not having doublequotes around the text part ([EMAIL PROTECTED]), which should be quoted because it has a @ in it. Other than that, having a @ in the text part is normal for Outlook and maybe others. Outl

Re: from field with double @'s

Glenn Terjesen wrote: Thanks for reply but we cant use any of these plugins: whitelist_from_dkim, whitelist_from_spf, whitelist_from_dk, whitelist_auth Because our users and our customers users send from smarthosts all over the world wich don't have spf or dk or sends via exs internet providers

Re: remove spam before forwarding

On Tue, 2008-03-18 at 12:33 +0100, Euroka wrote: > How can I remove all incoming spam directely instead of first > processing it via procmail, so domain2 doesn't get all the spam > traffic that arrived first at domain2? Use a product designed for a forwarding MTA like amavisd-new. It will quara

remove spam before forwarding

Hi all, I have a postfix with a couple of virtual hosts and a /etc/postfix/virtual file with my users . some users prefer that mail from my postfix server mail.domain1.com gets forwarded to an exchange server at mail.domain2.com Now all users have a .procmailrc file in their home directory that

RE: from field with double @'s

Thanks for reply but we cant use any of these plugins: whitelist_from_dkim, whitelist_from_spf, whitelist_from_dk, whitelist_auth Because our users and our customers users send from smarthosts all over the world wich don't have spf or dk or sends via exs internet providers mta. -Opprinnelig

Re: ways to react faster to spam attacks

err way way worse. this babelfish translation of the same spam just got autolearned as ham http://rafb.net/p/99iIHK53.html -- best regards/Mit freundlichen Grüßen Arvid Ephraim Picciani

Getting Mail::SPF tests

I'm trying to get 3.2.4 up and going with amavisd/dual sendmail, and trying to incorporate Mail::SpamAssassin::Plugin::SPF. To attempt a test, I'm intentionally spoofing an email address whose domain has an SPF record and sending it through a test machine. I've added X-Envelope-Sender to the he

Re: ways to react faster to spam attacks

On Tuesday 18 March 2008 02:47:00 James E. Pratt wrote: > Like these? rather like this http://rafb.net/p/L5BnTY79.html not really "free" software. rather warez sales. problem: the url isnt blocked by any blocklist becouse its different in every mail. -- best regards/Mit freundlichen Grüßen Arv

Re: ways to react faster to spam attacks

James E. Pratt wrote: -Original Message- From: Arvid Ephraim Picciani [mailto:[EMAIL PROTECTED] Sent: Monday, March 17, 2008 4:43 PM To: users@spamassassin.apache.org Subject: ways to react faster to spam attacks greetings. most of the spam we get (like 90%) is the usual internet noise.

spamassassin windows gpgkey errors

Hi, Am attempting to update using sa-update, but no matter what command I try (checkonly, gpgno) I get the following error: [path]..gpg required but not found I found 2 text files in the directory with gpg keys, attempted to import them with the sa-update import [path] entry, get sam

Re: from field with double @'s

On 18/03/2008 4:40 AM, Glenn Terjesen wrote: > Problem is that [EMAIL PROTECTED] is in a > whitelist so the spam gets through. > Can anyone hint me a way to create a rule that catch these mails ? Remove the user (or the [EMAIL PROTECTED]) from whitelist_from. If you mu

Re: from field with double @'s

On 18.03.08 09:40, Glenn Terjesen wrote: > Dunno if this topic has bin talked about before but we keep getting spam > through with double @'s in the From: field. > X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on SERVERNAME > X-Spam-Status: No, score=-81.7 required=5.0 tests=MISSING_DAT

from field with double @'s

Hello, Dunno if this topic has bin talked about before but we keep getting spam through with double @'s in the From: field. Example: Header src: X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on SERVERNAME X-Spam-Status: No, score=-81.7 required=5.0 tests=MISSING_DATE, R