Re: spamassassin bug

2010-01-11 Thread Matus UHLAR - fantomas
> On Mon, 11 Jan 2010, Warren Togami wrote: >> Try wiping out /var/lib/spamassassin/*, does spamassassin work then? On 11.01.10 08:28, Rich Shepard wrote: > I don't have a spamassassin directory in /var/lib/. FreeBSD uses /var/db/spamassassin. Or do: # grep LOCAL_STATE_DIR `whichspamassassin s

Re: Interesting Low Scoring SPAM with odd script

2010-01-11 Thread Per Jessen
Christian Brel wrote: > http://pastebin.com/m66a5a2ae > > Anyone seen script like that? Yeah, I saw a couple of those last week. /Per Jessen, Zürich

Re: pill image spam learns to walk

2010-01-11 Thread Chip M.
Jason Haar wrote: >They aren't triggering (enough) network rule matches, contain a >bayes-killer, and even FuzzyOCR can't manage the swirly image trick >they pull. Has anyone come up with a way to fight these? Jason, thanks for the cheerful Subject. I needed that today. :) I'm catching all of th

Re: pill image spam learns to walk

2010-01-11 Thread Ted Mittelstaedt
Kai Schaetzl wrote: Ted Mittelstaedt wrote on Mon, 11 Jan 2010 15:27:07 -0800: It simply means that sites WITHOUT a PTR are still fully compliant mailers. This has nothing to do with RFC-compliance, but with policy, well accepted policy. Policy that should be handled in SA and not the MTA

Re: pill image spam learns to walk

2010-01-11 Thread Kai Schaetzl
Ted Mittelstaedt wrote on Mon, 11 Jan 2010 15:27:07 -0800: > It simply means that sites WITHOUT a PTR are still fully compliant mailers. This has nothing to do with RFC-compliance, but with policy, well accepted policy. If you can't understand that I can't help. No need to shoot this out. Kai

Re: pill image spam learns to walk - best way to block it - hostkarma

2010-01-11 Thread Marc Perkel
For what it's worth my Junk Email Filter service blocks 100% of virus generated spam such as this pill image spam. But anyone can tap into this for free by doing 2 things. First - add tarbaby.junkemailfilter.com as your highest numbered MX record. Second - use the hostkarma.junkemailfilter.com b

Re: [sa] segmentation fault on startup

2010-01-11 Thread Ted Mittelstaedt
If it was me I'd build gdbm and then build perl 5.8.8 and make sure it's only using gdbm, not Berkeley DB (if he has that on his system) Ted Charles Gregory wrote: I don't know that it applies to specifically spamassassin, but I used to run into considerable nuisance with seg faults on Solari

Re: pill image spam learns to walk

2010-01-11 Thread Ted Mittelstaedt
Kai Schaetzl wrote: Ted Mittelstaedt wrote on Mon, 11 Jan 2010 09:42:25 -0800: This is the WRONG way to do this It's the right way. The FP rate is almost zero and it encourages the few offending ones to quickly add rDNS, really quick. * The reason this is NOT mandated anywhere is because

Re: Fake mailing list spam

2010-01-11 Thread Charles Gregory
On Mon, 11 Jan 2010, LuKreme wrote: : I never subscribed to the list in question. I am, in fact, not : subscribed to any googlelists on this account. I'm not an expert on googlegroups headers, but these 'look right'. So I'm inclined to agree that this is just an abused group and not spam that is

Re: pill image spam learns to walk

2010-01-11 Thread Kai Schaetzl
Alex wrote on Mon, 11 Jan 2010 12:38:29 -0500: > Just to clarify, you're referring to this, right: > > Received: from mx.sourceforge.net by mailsrv1.trimble.co.nz > (envelope-from > How would add the rule you are suggesting? It would be specific to > sourceforge.net, and have a table where its

Re: spamassassin bug -- RESOLVED!

2010-01-11 Thread Kai Schaetzl
How come that you messed this up with regards to that arbitrary rules directory? Kai -- Get your web at Conactive Internet Services: http://www.conactive.com

Re: pill image spam learns to walk

2010-01-11 Thread Kai Schaetzl
Ted Mittelstaedt wrote on Mon, 11 Jan 2010 09:42:25 -0800: > This is the WRONG way to do this It's the right way. The FP rate is almost zero and it encourages the few offending ones to quickly add rDNS, really quick. > * The reason this is NOT mandated anywhere is because if it was then > sites

Re: pill image spam learns to walk

2010-01-11 Thread Kai Schaetzl
Terry Carmen wrote on Mon, 11 Jan 2010 12:08:16 -0500: > Unless you changed the headers, it looks like it came from an IP with no > reverse DNS entry. Yeah, his own delivery chain. Not really a candidate for blocking ;-) Kai -- Get your web at Conactive Internet Services: http://www.conactive

Re: Fake mailing list spam

2010-01-11 Thread Kai Schaetzl
LuKreme wrote on Mon, 11 Jan 2010 13:14:06 -0700: > I never subscribed to the list in question. I am, in fact, not > subscribed to any googlelists on this account. Report the abuse to Google and reject any mail from @listserv.bounces.google.com So, Google allows non-opt-in mailing lists like

Re: Fake mailing list spam

2010-01-11 Thread Benny Pedersen
On Mon 11 Jan 2010 09:14:06 PM CET, LuKreme wrote google, seem this maillist have a spammer connected on this maillist where you receive the spam from a valid maillist at google, so report it as spam to them I never subscribed to the list in question. I am, in fact, not subscribed to any goo

exchange bounces from chrisrobin.hundredacrewood.local

2010-01-11 Thread Benny Pedersen
Original-Envelope-ID: c=US;a= ;p=HUNDREDACREWOOD;l=CHRISROBIN-100111200457Z-1594 Reporting-MTA: dns; chrisrobin.hundredacrewood.local Final-Recipient: RFC822; imceaex-_o=hundredacrewood_ou=first+20administrative+20group_cn=recipients_cn=spamassassin849bbb2d4bc147862176109e81ca5068034...@wil

RE: spamassassin bug

2010-01-11 Thread John Hardin
On Mon, 11 Jan 2010, Rich Shepard wrote: So I found and downloaded v320.pre into /etc/mail/spamassassin/rules and still get the error. What have I missed in getting SA to see the new .pre file is now present and calls for the check_main to be run? Putting them into the rules subdirectory unde

Re: Fake mailing list spam

2010-01-11 Thread LuKreme
On Jan 11, 2010, at 12:38, Benny Pedersen wrote: google, seem this maillist have a spammer connected on this maillist where you receive the spam from a valid maillist at google, so report it as spam to them I never subscribed to the list in question. I am, in fact, not subscribed to any

RE: spamassassin bug -- RESOLVED!

2010-01-11 Thread Rich Shepard
On Mon, 11 Jan 2010, Benny Pedersen wrote: mv /etc/mail/spamassassin/rules /etc/mail/spamassassin no ? Benny: You and Larry gave me the solution. I found v320.pre and put it in /etc/mail/spamassassin/rules. Then, based on your suggestion above, I copied it up one directory level to /etc/mai

RE: spamassassin bug

2010-01-11 Thread Rich Shepard
On Mon, 11 Jan 2010, Rosenbaum, Larry M. wrote: It looks like you are missing the v320.pre file, which contains Larry, Yes, that's true. I have v310.pre and v312.pre. loadplugin Mail::SpamAssassin::Plugin::Check along with several other important loadplugin lines. So I found and downl

RE: spamassassin bug

2010-01-11 Thread Benny Pedersen
On Mon 11 Jan 2010 08:45:40 PM CET, "Rosenbaum, Larry M." wrote check: no loaded plugin implements 'check_main': cannot scan! at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PerMsgStatus.pm line 164. What plugin do I need to have loaded to resolve this error? It looks like you are missing

RE: spamassassin bug

2010-01-11 Thread Rosenbaum, Larry M.
> check: no loaded plugin implements 'check_main': cannot scan! at > /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/PerMsgStatus.pm > line > 164. > >What plugin do I need to have loaded to resolve this error? It looks like you are missing the v320.pre file, which contains loadplugin Mai

Re: About upgrading

2010-01-11 Thread John Hardin
On Mon, 11 Jan 2010, RW wrote: I do wonder whether there's any real-basis to the idea that autoexpiry isn't "industrial-strength". I don't use expiry any more, but when I did, it didn't seem like a big deal at 200,000 tokens, and it's O(N) so millions of tokens shouldn't be too bad either. I

Re: spamassassin bug

2010-01-11 Thread Rich Shepard
On Mon, 11 Jan 2010, Benny Pedersen wrote: no do not copy, edit the files in their place where they got installed Benny, OK. where are your pre files located? if they are in /etc/mail/spamassassin/rules ? /etc/mail/spamassassin/rules output from --lint tells where they should be

Re: Fake mailing list spam

2010-01-11 Thread Benny Pedersen
On Mon 11 Jan 2010 08:19:13 PM CET, LuKreme wrote I have been bouncing these to gmail, but I know that's useless. Not sure what to do since I don't want to scan mailing-lists. send this mail to maillist-owner and or abuse at google, seem this maillist have a spammer connected on this maillis

Re: spamassassin bug

2010-01-11 Thread Benny Pedersen
On Mon 11 Jan 2010 08:07:12 PM CET, Rich Shepard wrote Should I copy the .pre files to /usr/share/spamassassin? no do not copy, edit the files in their place where they got installed spamassassin 2>&1 -D --lint | less I can post the results, but the final error still is: check: no loaded p

Fake mailing list spam

2010-01-11 Thread LuKreme
Since I, like I suppose a lot of people, exempt mailing lists from spam checks, I've seen a lot of these messages getting through in the last few days: I have been bouncing these to gmail, but I know that's useless. Not sure what to do since I don't want to scan

Re: About upgrading

2010-01-11 Thread RW
On Mon, 11 Jan 2010 08:54:20 -0500 Jeff Mincy wrote: > You have an exclusive lock when doing expiration. Expiration > presumably takes longer on larger volumes, but it is still pretty > fast. Running expiration daily or weekly should be more than > sufficient. AFAIK the exclusive lock is only

Re: spamassassin bug

2010-01-11 Thread Rich Shepard
On Mon, 11 Jan 2010, Benny Pedersen wrote: rules dir error Benny, Should I copy the .pre files to /usr/share/spamassassin? spamassassin 2>&1 -D --lint | less I can post the results, but the final error still is: check: no loaded plugin implements 'check_main': cannot scan! at /usr/li

Re: spamassassin bug

2010-01-11 Thread Benny Pedersen
On Mon 11 Jan 2010 07:01:04 PM CET, Rich Shepard wrote In /etc/mail/spamassassin/rules/ I have init.pre, v310.pre, and v312.pre files. which would be a non-default location. Almost all SA-related files are in /etc/mail/spamassassin/; that's where the Slackware package installs everything. If th

Re: spamassassin bug

2010-01-11 Thread Rich Shepard
On Mon, 11 Jan 2010, David Michaels wrote: find / -name spamassassin -print /etc/mail/spamassassin /etc/mail/spamassassin/blib/script/spamassassin /etc/mail/spamassassin/spamassassin /opt/src/slackbuilds/spamassassin /usr/bin/spamassassin /usr/share/spamassassin Rich

Re: spamassassin bug

2010-01-11 Thread David Michaels
Quoting "Rich Shepard" : On Mon, 11 Jan 2010, Kai Schaetzl wrote: In /etc/mail/spamassassin/rules/ I have init.pre, v310.pre, and v312.pre files. which would be a non-default location. Kai, Almost all SA-related files are in /etc/mail/spamassassin/; that's where the Slackware package in

Re: spamassassin bug

2010-01-11 Thread Rich Shepard
On Mon, 11 Jan 2010, Kai Schaetzl wrote: In /etc/mail/spamassassin/rules/ I have init.pre, v310.pre, and v312.pre files. which would be a non-default location. Kai, Almost all SA-related files are in /etc/mail/spamassassin/; that's where the Slackware package installs everything. If this

Re: pill image spam learns to walk

2010-01-11 Thread Terry Carmen
On 01/11/2010 12:57 PM, Terry Carmen wrote: exactly every (or any) domain Should be "exactly *matches* every (or any) domain" -- Terry Carmen CNY Support, LLC 315.382.3939 http://cnysupport.com

Re: pill image spam learns to walk

2010-01-11 Thread Terry Carmen
On 01/11/2010 12:42 PM, Ted Mittelstaedt wrote: Terry Carmen wrote: On 01/11/2010 05:22 AM, Jason Haar wrote: Hi there We've been getting a few of these leaking through in the past couple of weeks. http://pastebin.com/m574da717 They aren't triggering (enough) network rule matches, contain a

Re: pill image spam learns to walk

2010-01-11 Thread Ted Mittelstaedt
Terry Carmen wrote: On 01/11/2010 05:22 AM, Jason Haar wrote: Hi there We've been getting a few of these leaking through in the past couple of weeks. http://pastebin.com/m574da717 They aren't triggering (enough) network rule matches, contain a bayes-killer, and even FuzzyOCR can't manage the

Re: pill image spam learns to walk

2010-01-11 Thread Alex
HI, >        *  1.0 FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam >        *  1.0 FORGED_TBIRD_IMG_ARROW Likely forged Thunderbird image spam > > and you could add, say 4.0, for each mail coming thru your SF.net alias > and not coming from SF. Just to clarify, you're referring to thi

Re: pill image spam learns to walk

2010-01-11 Thread Alex
Hi, > Unless you changed the headers, it looks like it came from an IP with no > reverse DNS entry. > > This is easy enough to stop dead in its tracks at your MTA. If there isn't > any reverse DNS, the chances of it being a legitimate mail server are pretty > slim. Yes, but not enough to categor

Re: spamassassin bug

2010-01-11 Thread Kai Schaetzl
Rich Shepard wrote on Mon, 11 Jan 2010 08:07:40 -0800 (PST): > In /etc/mail/spamassassin/rules/ I have init.pre, v310.pre, and > v312.pre files. which would be a non-default location. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com

Re: pill image spam learns to walk

2010-01-11 Thread Terry Carmen
On 01/11/2010 05:22 AM, Jason Haar wrote: Hi there We've been getting a few of these leaking through in the past couple of weeks. http://pastebin.com/m574da717 They aren't triggering (enough) network rule matches, contain a bayes-killer, and even FuzzyOCR can't manage the swirly image trick th

Re: About upgrading

2010-01-11 Thread Alex
Hi, Thanks for the information on bayes and sa-learn. Very helpful. Best, Alex >   I suppose you could take the ntokens value before, and subtract it >   from the after value to see how many tokens were expired, right? It >   would be interesting to see how many tokens are expired on a regular >

Re: spamassassin bug

2010-01-11 Thread David Michaels
Quoting "Rich Shepard" : On Mon, 11 Jan 2010, Warren Togami wrote: Try wiping out /var/lib/spamassassin/*, does spamassassin work then? Warren, I don't have a spamassassin directory in /var/lib/. Rich Sorry but I must insert a smiley... :)

Re: spamassassin bug

2010-01-11 Thread Rich Shepard
On Mon, 11 Jan 2010, Warren Togami wrote: Try wiping out /var/lib/spamassassin/*, does spamassassin work then? Warren, I don't have a spamassassin directory in /var/lib/. Rich

Re: spamassassin bug

2010-01-11 Thread Warren Togami
On 01/11/2010 11:07 AM, Rich Shepard wrote: At the suggestion of a local user I ran 'sa-update -D' to bring my Slackware-12.2 system running SA-3.2.5 up to date. Instead, I just dug myself a hole and fell in by running the above. Sigh. What I see as a result is: [6753] error: check: no loaded

spamassassin bug

2010-01-11 Thread Rich Shepard
At the suggestion of a local user I ran 'sa-update -D' to bring my Slackware-12.2 system running SA-3.2.5 up to date. Instead, I just dug myself a hole and fell in by running the above. Sigh. What I see as a result is: [6753] error: check: no loaded plugin implements 'check_main': cannot sc

REMINDER: 3.3.0 final cut January 15th, 2010

2010-01-11 Thread Warren Togami
This is a reminder that the 3.3.0 final cut is scheduled for Friday, January 15th. http://tinyurl.com/yd8n96m Please review the bugs. Only priority P1 bugs are considered blockers for 3.3.0. Warren Togami wtog...@redhat.com On 12/29/2009 07:27 AM, Justin Mason wrote: +1. I expect there'll

Re: pill image spam learns to walk

2010-01-11 Thread Mike Cardwell
On 11/01/2010 14:55, Charles Gregory wrote: On Mon, 11 Jan 2010, Mike Cardwell wrote: : I just copied and pasted that out of pastebin into a little project I've : been working on. Here's the result: : http://spamalyser.com/v/6xnb26gp/mime Question: What does spamalyzer do with an HTML message pa

Re: hostkarma false positive

2010-01-11 Thread Christian Brel
On Mon, 11 Jan 2010 06:46:55 -0800 Marc Perkel wrote: > > > Christian Brel wrote: > > On Mon, 11 Jan 2010 09:35:37 +0100 > > Michael Monnerie wrote: > > > > > >> Another FP on hostkarma: > >> > >> bsmtp5.bon.at[195.3.86.187] > >> > >> Please investigate and fix. And put them on YELLOW, they

Re: hostkarma false positive

2010-01-11 Thread Daniel J McDonald
On Mon, 2010-01-11 at 06:46 -0800, Marc Perkel wrote: > Christian Brel wrote: > > It's also listed in: > > 195.3.86.187BLACKLISTED:ips.backscatterer.org > Backscatterer.org isn't a real blacklist. They have us blacklisted as > well. Anyone using them is making a serious mistake. It

Re: pill image spam learns to walk

2010-01-11 Thread Charles Gregory
On Mon, 11 Jan 2010, Mike Cardwell wrote: : I just copied and pasted that out of pastebin into a little project I've : been working on. Here's the result: : http://spamalyser.com/v/6xnb26gp/mime Question: What does spamalyzer do with an HTML message part? It is of concern (naturally) that implant

Re: hostkarma false positive

2010-01-11 Thread Marc Perkel
Christian Brel wrote: On Mon, 11 Jan 2010 09:35:37 +0100 Michael Monnerie wrote: Another FP on hostkarma: bsmtp5.bon.at[195.3.86.187] Please investigate and fix. And put them on YELLOW, they are an ISP here in Austria. Please check bsmtp[1-9] also. It's also listed in: 195.3.86.1

Re: hostkarma false positive

2010-01-11 Thread Marc Perkel
Fixed Michael Monnerie wrote: Another FP on hostkarma: bsmtp5.bon.at[195.3.86.187] Please investigate and fix. And put them on YELLOW, they are an ISP here in Austria. Please check bsmtp[1-9] also.

Re: pill image spam learns to walk

2010-01-11 Thread Kai Schaetzl
scores these new tests on 3.3.0 * 1.0 FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam * 1.0 FORGED_TBIRD_IMG_ARROW Likely forged Thunderbird image spam and you could add, say 4.0, for each mail coming thru your SF.net alias and not coming from SF. Kai -- Get your

Re: About upgrading

2010-01-11 Thread Jeff Mincy
From: Alex Date: Sat, 9 Jan 2010 21:13:24 -0500 >   sa-learn --dump magic gives: >       0.000          0          3          0  non-token data: bayes db version >       0.000          0      57538          0  non-token data: nspam >       0.000          0      74876        

Re: hostkarma false positive

2010-01-11 Thread Kai Schaetzl
Folks, can you please report this to these lists. This mailing list is *not* for reporting FPs on RBLs! Thanks. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com

Re: pill image spam learns to walk

2010-01-11 Thread --[ UxBoD ]--
- "Mike Cardwell" wrote: | On 11/01/2010 10:22, Jason Haar wrote: | > Hi there | > | > We've been getting a few of these leaking through in the past couple | of | > weeks. | > | > http://pastebin.com/m574da717 | > | > They aren't triggering (enough) network rule matches, contain a | > bayes-k

Re: Documentation spamc -L is wrong

2010-01-11 Thread Mark Martinec
On Sunday January 10 2010 09:06:21 Cecil Westerhof wrote: > Later on in the manpage it says: > EXIT CODES >By default, spamc will use the 'safe fallback' error recovery > method. That means, it will always exit with an exit code if 0, even if > an error was encountered. If any e

Re: pill image spam learns to walk

2010-01-11 Thread Christian Brel
> http://pastebin.com/m574da717 > They aren't triggering (enough) network rule matches, contain a > bayes-killer, and even FuzzyOCR can't manage the swirly image trick >... I've yet to see one score under 10 here, but I have some additional rule in place: * 4.5 BL_CUDA RBL: Relay in BARRAC

Re: pill image spam learns to walk

2010-01-11 Thread Mike Cardwell
On 11/01/2010 10:22, Jason Haar wrote: Hi there We've been getting a few of these leaking through in the past couple of weeks. http://pastebin.com/m574da717 They aren't triggering (enough) network rule matches, contain a bayes-killer, and even FuzzyOCR can't manage the swirly image trick they

pill image spam learns to walk

2010-01-11 Thread Jason Haar
Hi there We've been getting a few of these leaking through in the past couple of weeks. http://pastebin.com/m574da717 They aren't triggering (enough) network rule matches, contain a bayes-killer, and even FuzzyOCR can't manage the swirly image trick they pull. Has anyone come up with a way to fi

Re: hostkarma false positive

2010-01-11 Thread Christian Brel
On Mon, 11 Jan 2010 09:35:37 +0100 Michael Monnerie wrote: > Another FP on hostkarma: > > bsmtp5.bon.at[195.3.86.187] > > Please investigate and fix. And put them on YELLOW, they are an ISP > here in Austria. Please check bsmtp[1-9] also. > It's also listed in: 195.3.86.187BLACKLISTED:

Re: hostkarma false positive

2010-01-11 Thread Jari Fredriksson
On 11.1.2010 10:35, Michael Monnerie wrote: > Another FP on hostkarma: > > bsmtp5.bon.at[195.3.86.187] > > Please investigate and fix. And put them on YELLOW, they are an ISP here > in Austria. Please check bsmtp[1-9] also. > Hello. Your PGP key has expired, my software says. Just FYI. -- ht

hostkarma false positive

2010-01-11 Thread Michael Monnerie
Another FP on hostkarma: bsmtp5.bon.at[195.3.86.187] Please investigate and fix. And put them on YELLOW, they are an ISP here in Austria. Please check bsmtp[1-9] also. -- mit freundlichen Grüssen, Michael Monnerie, Ing. BSc it-management Internet Services http://it-management.at Tel: 0660 / 4