Re: Scanning Outbound emails

>I'm definitely looking for other technologies to accurately filter >outgoing spam. It's clearly a whole different problem than incomming spam. Clamsmtp with the Sanesecurity+Third-Party signatures, would be one option and I know a couple of universities that have used this and got good results

custom rules - escape which characters?

Hi list, when creating a custom rule, what characters have to be escaped? For example this scustom rule http://www.novell.com/communities/node/4630/whitelisting-ip-address-spamassassin escapes both [ and ], while in common regex on only [ must be escaped http://www.regular-expressions.info/chara

RE: Scanning Outbound emails

-Original Message- From: Liam R. MacInnes Sent: 05/05/2010 10:47:07 pm To: ram Cc: users@spamassassin.apache.org Subject: Re: Scanning Outbound emails On 2010-05-05, at 5:09 AM, ram wrote: > > On Wed, 2010-05-05 at 10:44 +0300, Alans wrote: > On my servers I just add the score heade

Re: SOUGHT FP on Twitter notices

On Wed, 2010-05-05 at 15:39 -0700, Kelson Vibber wrote: > We're seeing FPs Twitter's "So-and-so is now following you on Twitter" > notices, pushed over by JM_SOUGHT_3's 4 points. It appears to be > matching on __SEEK_O1OO80, which contains a large chunk of Twitter's > email footer. > > If I we

Re: Checking if SPF is being used

On Wed, 5 May 2010, Michael Scheidell wrote: [snip..] > and/or, your spf records are borked. > > host -t txt ukgrid.net > ukgrid.net descriptive text "v=spf1 +mx +a:alpha.ukgrid.net -all" > > > > > what is a +mx record? what is a +a:alpha.ukgrid.net

SOUGHT FP on Twitter notices

We're seeing FPs Twitter's "So-and-so is now following you on Twitter" notices, pushed over by JM_SOUGHT_3's 4 points. It appears to be matching on __SEEK_O1OO80, which contains a large chunk of Twitter's email footer. If I were to guess, it's probably due to the phishing campaign that's bee

RE: Scanning Outbound emails

> > In particular, I find these two paragraphs from > Mail::SpamAssassin::Conf to be contradictory: > > Trusted relays that accept mail directly from > dial-up connections > (i.e. are also performing a role of mail submission > agents - MSA) > should not be listed i

Re: Checking if SPF is being used SOLVED

Hi, thanks a lot for your help, its seems to be working great now. I sent a message from a server not defined in the domain SPF using my email address and it got a failed spam scored based on "SPF_FAIL" :) Great :) thanks to everyone who commented, Andy.

RE: Scanning Outbound emails

> ... except, after checking their site just now, you now get a > personalized reporting address once you've signed up. *sigh* AFAIK, the reporting e-mail addresses are all of the form /^submit.\...@spam\.spamcop\.net$/ .

Re: Scanning Outbound emails

On 2010-05-05, at 5:09 AM, ram wrote: > > On Wed, 2010-05-05 at 10:44 +0300, Alans wrote: > On my servers I just add the score header and let the mail go but send a copy > to a program. If more > than 10 occur in 30 minutes from the same customer , the customers > account is temporarily blocked

user_pref override options

What options can't be overridden in user prefs? I would like to disable RBL checks and possible use a separate mysql bayes database for one user. But it would be generally nice if know if there are options that are global that can't overridden.

Re: [sa] odd FPs

Charles Gregory writes: > On Tue, 4 May 2010, Greg Troxel wrote: >> Thanks - I did pretty much understand the tests. What I'm boggled >> about is that they suddenly started firing, and then now suddenly do >> not. > > This is perfectly consistent with the explanation I offered at the > beginnin

Re: Checking if SPF is being used

ok for the header bitty, Im using envelope_sender_header Return-path Which I think should be appropriate for exim, and Im sticking it in the user_prefs in the home dir of the user that spamd runs as. Is that the right config file? thanks Andy.

Re: Checking if SPF is being used

Thanks, I was meaning I dont know if I can test spamassassin to see if it now correctly scores email. If I can get another server to relay some mail I guess, right now I cant think of one Quoting Benny Pedersen : On ons 05 maj 2010 17:45:20 CEST, wrote Im not sure if I can test this,

Re: Checking if SPF is being used

On ons 05 maj 2010 17:45:20 CEST, wrote Im not sure if I can test this, obviously running spamassassin from the command line isnt going to be able check against the sending host of the mail (as there is none). http://old.openspf.org/wizard.html?mydomain=ukgrid.net&submit=Go! -- xpoint htt

Re: Scanning Outbound emails

On 5/5/2010 5:38 AM, Alans wrote: Thanks ram, Actually we are seeking a solution to our problem which is sending spam through our network. We are about to close port 25 and tell customers to switch to our smtp relay and scan it with spamassasin (I still don't know if possible or no!). We want

Re: Checking if SPF is being used

On ons 05 maj 2010 17:15:56 CEST, wrote So I think that proves it is using SPF doesnt it? yes If you´d agree then my next question is why did it delivery mail with a spoofed email address of a domain that it is hosted on our mail server? Im using good question, was it ? read perldoc M

Re: Scanning Outbound emails

Jari Fredriksson wrote: If my SA sends an email to SpamCop with a spam as an attachment, and that gets rejected by my ISP and a feedback sent to me.. it would be a problem. To me. *headdesk* Ah, right. We're not keen on being a smarthost for customers already running their own mail systems i

Re: Checking if SPF is being used

Hi Micheal, ok I have to come clean on a little error here which Ive just been thinking over, which by coincidence I have noticed attempting to mail Benny. Benny's email server bounced my mail due to an SPF error, which I have never seen myself on my mail nor reported by anyone using this

Re: Scanning Outbound emails

On 5.5.2010 17:44, Charles Gregory wrote: > On Wed, 5 May 2010, Jari Fredriksson wrote: >> There is one special group that will suffer from that decision: namely >> SpamAssassin users within your network. >> If they do report their spam to SpamCop using SpamAssassin's own report >> mechanism, they

Re: Scanning Outbound emails

On 5.5.2010 17:39, Kris Deugau wrote: > Jari Fredriksson wrote: >> On 5.5.2010 15:38, Alans wrote: >>> We are about to close port 25 and tell customers to switch to our >>> smtp relay >>> and scan it with spamassasin (I still don't know if possible or no!). >>> >>> We want to reject all spam emails

Re: Checking if SPF is being used

On 5/5/10 11:15 AM, a.sm...@ukgrid.net wrote: So I think that proves it is using SPF doesnt it? If you´d agree then my next question is why did it delivery mail with a spoofed email address of a domain that it is hosted on our mail server? Im using exim and Im looking at an example of this t

Re: Checking if SPF is being used

From this maillist the x-spam-status is: No, score=-11.1 required=4.8 tests=BAYES_00,RCVD_IN_DNSWL_HI, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RDNS_NONE,SPF_PASS autolearn=unavailable version=3.3.1 Hehe, this is another server which is on Spamassassin 3.1.1, seems it is using SPF on this box

Re: Checking if SPF is being used

On ons 05 maj 2010 16:33:39 CEST, wrote tests_pri_-400: 4 (0.0%), tests_pri_0: 2040 (23.4%), check_spf: 76 (0.9%), check_razor2: 1643 (18.9%), check_pyzor: 0.39 (0.0%), tests_pri_500: 2506 (28.8%) i see check spf there, but might fail on missing perl module Mail::SPF So its using SPF afte

Re: Scanning Outbound emails

On Wed, 5 May 2010, Jari Fredriksson wrote: There is one special group that will suffer from that decision: namely SpamAssassin users within your network. If they do report their spam to SpamCop using SpamAssassin's own report mechanism, they are screwed Why not just add a negative-scoring

Re: Scanning Outbound emails

On Wed, 5 May 2010, Bernd Petrovitsch wrote: Why shouldn't it be possible? SpamAssassin doesn't care where the mail comes from Well, actually, it DOES. The test DOS_DIRECT_TO_MX being an example. Which brings me back to the slightly confused feeling that I still get over 'trusted_networks

Re: Scanning Outbound emails

Jari Fredriksson wrote: On 5.5.2010 15:38, Alans wrote: We are about to close port 25 and tell customers to switch to our smtp relay and scan it with spamassasin (I still don't know if possible or no!). We want to reject all spam emails and send notification back to sender about his/her activit

Re: Scanning Outbound emails

On Wed, 2010-05-05 at 10:44 +0300, Alans wrote: Hi all, Can we use spamassasin in ISP environment to scan outbound emails? ram wrote: Yes. But separate out your inbound & outbound scans. FWIW I can say with authority that this is not necessary. It may simplify your mail system depending o

Re: Checking if SPF is being used

Hi Benny, do you mean in the general perl envrionment? From that I have the following available regarding mail: Actually I just realised I didnt run the test command against a real mail, Ive just rerun it and I get loads of SPF stuff, starting like this: May 5 15:30:31.372 [12084] dbg:

Re: [sa] odd FPs

On Tue, 4 May 2010, Greg Troxel wrote: Thanks - I did pretty much understand the tests. What I'm boggled about is that they suddenly started firing, and then now suddenly do not. This is perfectly consistent with the explanation I offered at the beginning of this thread. A legitimate Google M

Re: Checking if SPF is being used

On ons 05 maj 2010 15:51:31 CEST, wrote thanks for the info. As I mentioned in a follow up I have the plugin listed to load in my init.pre. But as you rightly guessed SPF isnt loaded, as per the spamassassin -D -t msg test you described. any spf from @inc ? -- xpoint http://www.unicom.com

Re: Checking if SPF is being used

Hi Benny, thanks for the info. As I mentioned in a follow up I have the plugin listed to load in my init.pre. But as you rightly guessed SPF isnt loaded, as per the spamassassin -D -t msg test you described. So what can be missing? I must admit to finding the configuration files quite con

Re: Checking if SPF is being used

On ons 05 maj 2010 14:53:06 CEST, wrote No, score=1.8 required=4.8 tests=BAYES_00,HTML_MESSAGE, MIME_HTML_ONLY,MISSING_MID,RDNS_NONE,URIBL_BLACK autolearn=no version=3.3.0 no spf, and 3.3.1 is latest :) Anyone give me any clues? spamassassin 2>&1 -D -t msg | grep spf | less perldoc Ma

Re: Scanning Outbound emails

On 5.5.2010 15:38, Alans wrote: > We are about to close port 25 and tell customers to switch to our smtp relay > and scan it with spamassasin (I still don't know if possible or no!). > > We want to reject all spam emails and send notification back to sender about > his/her activity. There is one

RE: Scanning Outbound emails

; We want to reject all spam emails and send notification back to sender about > his/her activity. That part of the job is for your MTA, not for spamassassin. -- Regards Frank __ NOD32 5087 (20100505) Information __ This message was checked by NOD32 antivirus system. http://www.eset.com

Re: Checking if SPF is being used

PS in my init.pre SPF is loaded: loadplugin Mail::SpamAssassin::Plugin::SPF Quoting a.sm...@ukgrid.net:

Re: spamd[18549]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": use_auto_whitelist 1

ram wrote: > > i still see this errors > > May 5 10:28:03.484 [3153] dbg: config: warning: score set for > non-existent rule SHORTCIRCUIT > May 5 10:28:03.485 [3153] dbg: config: warning: score set for > non-existent rule SUBJ_RE_NUM > May 5 10:28:03.485 [3153] dbg: config: warning: score set

Re: Scanning Outbound emails

Hi, On Wed, May 05, 2010 at 03:38:01PM +0300, Alans wrote: ... > We are about to close port 25 and tell customers to switch to our smtp relay > and scan it with spamassasin (I still don't know if possible or no!). As Bernd Petrovitsch already told you: Yes, that's possible. To close port 25 is a

RE: Scanning Outbound emails

On Mit, 2010-05-05 at 15:38 +0300, Alans wrote: [...] > Actually we are seeking a solution to our problem which is sending spam > through our network. > We are about to close port 25 and tell customers to switch to our smtp relay > and scan it with spamassasin (I still don't know if possible or no!

Checking if SPF is being used

Hi, how can I check if SpamAssassin is checking SPF? I ask because we have had instances of spam being delivered using a spoofed email address that is from a domain actually hosted on our mail server, which shouldn´t happen if SPF is being used (SPF is configured in DNS for the domain i

Re: Repeated spamd dying due to SIGCHLD signal 11

Hi, An update it looks like the problem may well be this Perl bug that affects Perl 5.10.1 in the FreeBSD ports tree... http://rt.perl.org/rt3//Public/Bug/Display.html?id=69973 thanks Andy.

RE: Scanning Outbound emails

ked and we manually check. Thanks Ram __ NOD32 5087 (20100505) Information __ This message was checked by NOD32 antivirus system. http://www.eset.com

Re: Scanning Outbound emails

On Wed, 2010-05-05 at 10:44 +0300, Alans wrote: > Hi all, > > Can we use spamassasin in ISP environment to scan outbound emails? > > Regards, > Alans > Yes. But separate out your inbound & outbound scans. For outbound Disable all IP based rules because they will cause FP's. Also we have oft

Re: Low-scoring discount ED spam

--On Wednesday, May 05, 2010 11:29 AM +0200 Matus UHLAR - fantomas wrote: do you wipe bayes database often? If not, it's not needed to retrain on all messages, since they are not forgotten. I don't recall ever deleting the DB. It's my understanding that sa-learn remembers which messages it'

Repeated spamd dying due to SIGCHLD signal 11

Hi, I have a problem on one server that I see several times an hour this problem logged by spamd Wed May 5 10:04:43 2010 [88823] info: spamd: handled cleanup of child pid [90622] due to SIGCHLD: DIED, signal 11 (000b) And in the main messages file a corresponding error regarding the pe

Re: Low-scoring discount ED spam

> --On Tuesday, May 04, 2010 4:22 AM +0100 RW > wrote: > >> Are you training BAYES? A lot of these are hitting BAYES_50 or even >> BAYES_00. On 03.05.10 20:06, Kenneth Porter wrote: > I've been copying them into my "Uncaught" folder which is run with > "sa-learn --spam --mbox" each night. > >

Re: Scanning Outbound emails

Hi! On Mit, 2010-05-05 at 10:44 +0300, Alans wrote: [...] > Can we use spamassasin in ISP environment to scan outbound emails? Yes. Bernd -- Bernd Petrovitsch Email : be...@petrovitsch.priv.at LUGA : http://www.luga.at

Scanning Outbound emails

Hi all, Can we use spamassasin in ISP environment to scan outbound emails? Regards, Alans