Re: Email / Inbox Speed Problems

2009-10-23 Thread MySQL Student
Hi, I really hate to respond to this because it's so off-topic (how long did it take you to write that email, anyway?), but you're so missing the point that I just can't let it go, and it's slow on a late Friday night. > Yet, you open up a new Mac and what's inside?  A PC motherboard and > pro

Re: Spamassassin not tagging some emails

2009-10-23 Thread MySQL Student
Hi, > SpamAssassin DOES NOT bypass scanning, if the internal or trusted > networks contain the server in it. Hmm.. thanks for correcting me. How would you, then, go about preventing SA from scanning the localhost or a specific domain without whitelisting that domain or range? Thanks, Alex

hostkarma/uribl_black disparity

2009-10-22 Thread MySQL Student
Hi, Over the past few days I have been investigating more closely email that wasn't tagged that I thought should have been, and vice-versa, using various factors, such as URIBL_BLACK and JMF_W. I'm very surprised that obvious hosts are on the URIBL_BLACK list, like receiveeweek.com. Even more int

Re: Spamassassin not tagging some emails

2009-10-22 Thread MySQL Student
Hi, On the message that should have been scanned: > The emails that has not been tagged at all: [...] > From: "Angus - 3idea" > To: Are you forwarding this spam from your internal account to this other internal supp...@3idea.com account? It also looked like there was no external mail server i

Re: Elena wants an iron cast oven

2009-10-22 Thread MySQL Student
Hi, > http://englishrussia.com/?p=2137 > > plenty of abandoned scrap metal already in Russia. Maybe they could blow it up like the brain surgeons did to that dead whale that was littering the beach in Oregon? # The Infamous Exploding Whale http://www.youtube.com/watch?v=8Vmnq5dBF7Y Alex

Re: Elena wants an iron cast oven

2009-10-22 Thread MySQL Student
Hi, >> What's the business model of this scam? I can't believe they really want >> millions of iron cast ovens from all around the world. Maybe I should >> answer and ask directly ;D > > Long time since I've last seen one of these... > > My impression was, they want money of course. The victim fal

Re: Constant Contact

2009-10-17 Thread MySQL Student
Hi, >> rawbody  __CCM_UNSUB >> /"https?:..visitor\.constantcontact.com\/[^<>]{60,200}>SafeUnsubscribe > Ouch!  Rawbody, that hurts. Do you mean that it's much more resource-intensive than a regular "body" check? When is it necessary (or possible) to use it over the URIDetail substitute you menti

Re: Downloading sandbox rules

2009-10-17 Thread MySQL Student
Hi, Sorry, just after I sent this I saw the message from yesterday about using svn. Thanks, Alex On Sat, Oct 17, 2009 at 1:24 PM, MySQL Student wrote: > Hi, > > I'd like to download a few of the rules from the SVN sandbox for > testing without using svn for this. It used

Downloading sandbox rules

2009-10-17 Thread MySQL Student
Hi, I'd like to download a few of the rules from the SVN sandbox for testing without using svn for this. It used to be possible by clicking "Download" but in the last week or so the site was updated and that option is no longer available. Do I have to use svn now for this? http://svn.apache.org/v

Re: Is there a WANTS_MY_INFO rule?

2009-10-17 Thread MySQL Student
Hi, > In order to confirm you Web-Mail identity, you are to provide the > following data; > > First Name: > Last Name: > Username/ID: > Password: > Date of Birth: Try John Hardin's fillform: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/?sortby=date Regards, Alex

Re: Constant Contact

2009-10-16 Thread MySQL Student
Hi, >> How is Constant Contact better than (say) GNU mailman for that purpose? I >> don't understand the concept of sending internal mail via an external third >> party... In addition to what's already been mentioned, CC also provides a nice template that people can drop their message into and cl

Re: Constant Contact

2009-10-16 Thread MySQL Student
Hi, >> Does anybody here know anything about the legitimacy of Constant >> Contact ? > > Sometimes abused, but too legit to outright block based on sending IP, imo. In addition to constantcontact, can I add the following to the list of hosts I'd like

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread MySQL Student
Hi, > smtpd_helo_restrictions = permit_mynetworks, >        reject_invalid_helo_hostname, >        reject_non_fqdn_helo_hostname, >        permit I'm currently using reject_non_fqdn_sender and reject_non_fqdn_recipient. I wanted to be sure I should use the two helo restrictions you've listed abov

Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread MySQL Student
Hi, > With this: > >      Received: from public30108.xdsl.centertel.pl (HELO > marcin-8963fd6f) (79.163.117.156) > > my postfix setup would have simply dropped it on the floor at the > HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't > talk to it. Kurt, can you explain how y

Re: Mismarked Ham

2009-10-14 Thread MySQL Student
Hi, >> I'm not sure which of those scored what. [...] > > Seconded. I do see quite a few custom rules. How much did they score? My apologies; I hadn't realized so much of it was non-standard. It's otherwise obviously not very possible to help without knowing what the rules are for if you haven't

Re: Mismarked Ham

2009-10-14 Thread MySQL Student
Hi, > What makes you think any of the rules are incorrect? A score of 6.1 is not > 100% (or even 99%, IIRC) spam. Incorrect in that at least one of the rules fired when they should not have, making the valid email to be marked as spam. > there's a couple of things here. > > First, for some reaso

Mismarked Ham

2009-10-14 Thread MySQL Student
Hi, I thought I would look through the quarantine for "BAYES_00" to see if there were any mis-marked messages or if bayes was not firing correctly, and I have found a few, although not how I expected it would be. Instead of finding BAYES_00 in spam, I've found it in ham that was pushed over the t

Re: Hostkarma whitelist needs something..

2009-10-14 Thread MySQL Student
Hi, >  http://www.impsec.org/jhardin/antispam/ This should be: http://www.impsec.org/~jhardin/antispam/ (note the missing tilde :-) Regards, Alex

Re: .cn Oddity

2009-10-11 Thread MySQL Student
Hi, >> We use some rules if we talk open about it and say hey this spammer is >> stupid look here, then it will take less than 12 hours and that gap is >> closed and we lose a valuable trick. > > yes it's the way it is, spammers can also read maillists and adapt their > spamming rules to get bypas

Re: Valid mail from blacklisted dynamic IPs

2009-10-10 Thread MySQL Student
Hi, >> I have a set of users that are authorized to use the mail server via >> pop-before-smtp, but SA catches the mail they send through the system >> as spam because they are on blacklisted Verizon or Comcast IPs: > > why are they not using smtp authentication? I think you're referring to SASL?

Re: Valid mail from blacklisted dynamic IPs

2009-10-10 Thread MySQL Student
Hi, >> I also don't understand how SPF_SOFTFAIL could happen when there >> wasn't any SPF record to test to begin with. > > http://www.openspf.org/ > i have no spf either > http://old.openspf.org/wizard.html?mydomain=junc.org&submit=Go! :) But it's sent from cron, so the host is "localhost". I d

Re: Valid mail from .cn

2009-10-09 Thread MySQL Student
Hi, > Could you ask them to provide ham samples for the automated masschecks? >  We currently have none in the corpus so we cannot test the safety of rules > against Chinese language mail. Yes, I know how important that is. I recall you mentioning that a few days ago. I think it would be quite di

Fwd: SA needs a new paradigm for rule structure

2009-10-09 Thread MySQL Student
Hi, I sent this message more than an hour ago, and it looks like it's yet to hit the list. Resending. Thanks, Alex -- Forwarded message -- From: MySQL Student Date: Fri, Oct 9, 2009 at 2:34 PM Subject: Re: SA needs a new paradigm for rule structure To: SA Mailing list

Valid mail from .cn

2009-10-09 Thread MySQL Student
Hi, Some portion of our users are from China. I hoped someone could help me troubleshoot the best way to permit a user from .cn to forward mail without improperly being tagged as spam, yet still block the majority of spam from .cn. Here's the SA report: X-Spam-Report: * 0.1 RELAYCOUNTRY

Re: SA needs a new paradigm for rule structure

2009-10-09 Thread MySQL Student
Hi, >> What we need are rules that combine a lot of simple rules into concepts >> and then combine those rules into rules that score - and score big. As >> an example, [...] > > Yes, SA definitely needs that and sorely lacks this ultimate feature! Can I respectfully add to this that John Hardin h

Re: Valid mail from blacklisted dynamic IPs

2009-10-08 Thread MySQL Student
Hi, > Does your pop-before-smtp method cause your MTA to indicate they've been > authed in the Received: header? I don't believe so. There doesn't appear to be anything additional in the header relating to pop-b4-smtp. I'm using postfix. Perhaps off-topic, but ideas on how to do this, if you thin

Valid mail from blacklisted dynamic IPs

2009-10-08 Thread MySQL Student
Hi, I have a set of users that are authorized to use the mail server via pop-before-smtp, but SA catches the mail they send through the system as spam because they are on blacklisted Verizon or Comcast IPs: X-Spam-Status: Yes, hits=5.4 tag1=-300.0 tag2=5.0 kill=5.0 use_bayes=1 tests=BAYES_50, BO

Re: Subject Rewrite Based on Score

2009-10-08 Thread MySQL Student
Hi, > It still is spawning a Perl process per message. You can do away with > that processing hog, if you use the add_header rule I mentioned before > and have SA do it instead. You may be right. I'll have to investigate doing this for this specific user only. Thanks for the info. Thanks, Alex

Re: Subject Rewrite Based on Score

2009-10-08 Thread MySQL Student
Hi, > That sounds overly complicated and like a lot of wasted cycles. Calling > a Perl script for each message? What you just described sounds a hell of > lot like this light-weight SA configuration: Yes, I should have mentioned that it is a copy of the mail that users receive and only visible by

Re: Subject Rewrite Based on Score

2009-10-08 Thread MySQL Student
Hi, >  I actually would be doing that but the filter does not know how to >  handle int(), so I would have to build a filter for all possible number >  combinations, but if I could just get SA to do the basic math for me and >  write a header or subject I can filter off of that. We do something s

Re: SpamAssassin Ruleset Generation

2009-10-06 Thread MySQL Student
Hi, > Other than the sought rules, all the rules are manually generated? Is there > any statistics on how frequently are new rules/regex adopted by > spamassassin? Who are the people who write them? Any details related to Information on Justin Mason's SOUGHT rules is here: http://taint.org/2007

Re: Uppercase E-mail in Latin America

2009-10-06 Thread MySQL Student
Hi, > doesnt it appear to everyone else that this has the (slim to none) makings > of a new urban legend? I have to admit that when Warren posted this, I went to snopes to check, and there was nothing there :-) Regards, Alex

Re: OT bad news

2009-10-06 Thread MySQL Student
Hi, > It's a shame that, living in Denver, I will be *just* out of range of > hearing the screams as the mailspools fill with viruses, malware, and > massive payloads of Spanish Prisoner spams. Awe, c'mon now. Yes, I agree SA is a better solution, but Microsoft didn't get to be a multi-billion-d

Re: .cn Oddity

2009-10-02 Thread MySQL Student
Hi All, Regarding the .cn oddity, I added these to my rules, and of about 79k messages today so far, I have the following: uri LOC_URI_CN m;^https?://[^/?]+\.cn\b; uri T_CN_8_URL /[\/.]+\w{8}\.cn(?:$|\/|\?)/i LOC_URI_CN: 2926 T_CN_8_URL: 1634 HTH, Alex

Re: Hostkarma white list

2009-09-29 Thread MySQL Student
Hi, > For those of you getting spam from IPs/Hostnames on my hostkarma > white list, if you could email me a list of false hits (IP or host name) I > could probably clean out the bad entries in the white list pretty quick. I'm not sure this is the best approach. I have a procmail recipe that filt

Re: Hostkarma Blacklist Climbing the Charts

2009-09-28 Thread MySQL Student
Hi, > header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1') > describe RCVD_IN_JMF_W Sender listed in JMF-WHITE > tflags RCVD_IN_JMF_W net nice > score RCVD_IN_JMF_W -5 Hopefully my comment isn't out of place with the current discussion of JMF/Hostkarma. I think this is not onl

Re: Sought regex problem

2009-09-27 Thread MySQL Student
Hi, >> [13204] dbg: config: read >> file /var/lib/spamassassin/3.002005/sought_rules_yerp_ >> org/20_sought.cf [13204] warn: config: invalid regexp for rule >> __SEEK_D52BRW: > >  grep doesn't find   __SEEK_D52BRW in my copy of the rules. This was from the sa-update when I submitted the bug repor

Sought regex problem

2009-09-27 Thread MySQL Student
Hi, I posted bug 6198 a few weeks ago, and there have been no comments or fixes on it in two weeks, and I'm unsure what to do next. It's either not a bug and I'm doing something wrong or it's not significant enough to bother with the focus on v3.3. Thought someone might have some ideas here? I'm

Re: New money/fraud spam

2009-09-27 Thread MySQL Student
Okay, my bad, please ignore. Damn google auto-complete. Alex On Sun, Sep 27, 2009 at 6:46 PM, MySQL Student wrote: > Hi John, > > Another batch of money spam attached. Everything is the same as the last time. > > Thanks, > Alex >

New money/fraud spam

2009-09-27 Thread MySQL Student
Hi John, Another batch of money spam attached. Everything is the same as the last time. Thanks, Alex money-spam-092709.gz Description: GNU Zip compressed data

Re: Re-running SA on an mbox

2009-09-22 Thread MySQL Student
Hi, > Try using a local SA setup for stripping the headers. By local, I mean > don't use your main production SA - run a separate copy with its own > (cut down) configuration and all data base accesses and UBL calls etc > turned off. Much better idea, thanks. Thanks for the script, too. Best, Al

Re: Re-running SA on an mbox

2009-09-21 Thread MySQL Student
Hi, It's certainly not a fast operation, but using the following will split an mbox into individual messages: export FILENO=0 mkdir msgs formail -s sh -c 'cat - >msgs/$FILENO' < mbox-name.mbox I also created a loop that would strip all the SA headers from the messages: for file in *; do ech

Re: Re-running SA on an mbox

2009-09-21 Thread MySQL Student
Hi, > IIRC you previously mentioned using Pine. Just in case you're not aware > the default format for Pine/Alpine is MBX, an extended version of > MBOX. You can tell the difference because MBX mailboxes start with a > dummy email that's hidden by the software. It seems that if you save messages

Re: Re-running SA on an mbox

2009-09-21 Thread MySQL Student
> but this will invalidate dkim headers if this headers is signed, are > spamassassin aware of this problem ? (in general) Are you saying there is a bug? > mutt -f mbox > > in mutt save to another folder if misclassified Yes, I use pine for that, but would like to eliminate as many of the FNs

Re: Re-running SA on an mbox

2009-09-21 Thread MySQL Student
Hi, >> Thank you all for your help. The "mbox split" suggestion is a good >> one. I'll follow that route and post my experience later. > > formail -s is the way to go. I thought about that as a component of procmail. Sounds great. Thanks, Alex

Re: Re-running SA on an mbox

2009-09-20 Thread MySQL Student
Hi, >> You probably want "spamassassin --mbox". :) >> It won't modify the messages in-place, but you can do something like >> "spamassassin --mbox infile > outfile". > > My apologies if it wasn't clear, but these messages have already been Wait, my mistake. I read that too fast. Does that work, a

Re: Re-running SA on an mbox

2009-09-20 Thread MySQL Student
Hi, > You probably want "spamassassin --mbox". :) > It won't modify the messages in-place, but you can do something like > "spamassassin --mbox infile > outfile". My apologies if it wasn't clear, but these messages have already been marked by SA. Some are ham, and the rest are FPs that I'd like t

Re: Re-running SA on an mbox

2009-09-20 Thread MySQL Student
Hi, > Do you just want to re-scan the whole mbox and see what rules hit now > for research reasons? That's a good start, but I'd like to see if I can break out the ham to train bayes. > There's no way to (directly) get SA to modify email that's already in an > mbox file. The mass-check and sa-le

Re-running SA on an mbox

2009-09-20 Thread MySQL Student
Hi, I have an mbox with about a 100 messages in it from a few days ago. The mbox is a combination of spam and ham. What is the best way to run SA through these messages again, so I can catch the ones that have URLs in them that weren't on the blacklist at the time they were received? Must I break

Re: Problems with high spam

2009-09-18 Thread MySQL Student
Hi, > also if using amavisd make its temp dir on ram speed up scanning and it > considered safe, mta have it on disk for the backup :) How about mounting /var with noatime? Does anyone do that? Do you think it helps? What Linux filesystem is best suited for this? ext4? Thanks, Alex

URIBL_BLACK vs RCVD_IN_JMF_W

2009-09-18 Thread MySQL Student
Hi, I have been going through about 15MB of email generated from a procmail recipe searching for RCVD_IN_JMF_W, and you would not believe how many also match URIBL_BLACK or URIBL_GREY. Call me naive, but are there really that many providers that are unaware their clients are sending spam? (okay, r

Re: URL rule creation question

2009-09-12 Thread MySQL Student
>>> \s is the proper way to represent whitespace. >> >> lol, yes, I know that; I was actually trying to match 's' and the >> slash is the start of the pattern match. > > I wasn't referring to the beginning of the RE. Yeah, I realized that just after I sent this, if anyone cares :-) Thanks again,

Re: JMF whitelist and RAZOR conflict

2009-09-11 Thread MySQL Student
Hi, >> I have several emails that are tagged with RCVD_IN_JMF_W, >> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one: >> http://pastebin.com/m4a4d990e > > why accept SPF_SOFTFAIL ? > > cant this be solved ? I don't understand. I'm still learning how the SPF rules work. Shouldn't I be adding points

Re: URL rule creation question

2009-09-11 Thread MySQL Student
Hi, > The 'doubleheadedrover' domain currently shows up in Razor(E8), > uribl_black, surbl_jp, and invaluement. > > But it wasn't in all of those when he first started posting about it. Yes, that's correct. Thanks for your help. That's already caught a few. I have another that I thought you could

Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread MySQL Student
Hi, >> http://pastebin.com/m4a4d990e >> >> Is the criteria for being listed on the JMF_W simply that it contains >> a domain that is whitelisted, despite whether it contains another URL >> that is blacklisted? > > I'm not sure what you are saying here, it's not as if the people > running the white

JMF whitelist and RAZOR conflict

2009-09-10 Thread MySQL Student
Hi, I have several emails that are tagged with RCVD_IN_JMF_W, SPF_SOFTFAIL, and RAZOR2_CHECK such as this one: http://pastebin.com/m4a4d990e Is the criteria for being listed on the JMF_W simply that it contains a domain that is whitelisted, despite whether it contains another URL that is blackli

URL rule creation question

2009-09-10 Thread MySQL Student
Hi all, I've seen this pattern in spam quite a bit lately: href="http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69 .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66. 62.2e.6a.61.7a.65.72.74.2e.68.

Shortcircuit info

2009-08-31 Thread MySQL Student
Hi all, I'm trying to understand how shortcircuit works to ease some of the load on the servers. First, does anyone have any recommended metas that they use in their environment that might help? Can I add shortcircuit to an existing rule, or does the rule have to be designed to be used with shortc

Re: 3.3.0 alpha 2 on production mail servers / clusers ???

2009-08-29 Thread MySQL Student
Hi, > On Saturday August 29 2009 19:47:32 R-Elists wrote: >> have many, or any of you folks on the list migrated your production servers >> to the 3.3.0 alpha 2 or later release? > > We are certainly one of them (actually running CVS head, > which is pretty close to alpha2). About 1000 users here.

Re: Porn-portal spammers

2009-08-29 Thread MySQL Student
Hi, > I am getting rather tired from messages spamming porn-portals. They typically > originate from hotmail.com, and advertise a porn-portal based on > google.com/groups, google.com/reader, groups.yahoo.com, pipes.yahoo.com, > spaces.live.com, docs.google.com, sites.google.com and livejournal.com

Re: Converting spam to email message

2009-08-27 Thread MySQL Student
Hi, >> I thought I understood, but I'm still having trouble converting a >> message in the quarantine back into a normal email message that I can >> forward on to a recipient. Does anyone know how to do this? > > Maybe I missed something, but SpamAssassin doesn't have a quarantine. > > http://wiki

Converting spam to email message

2009-08-27 Thread MySQL Student
Hi all, I thought I understood, but I'm still having trouble converting a message in the quarantine back into a normal email message that I can forward on to a recipient. Does anyone know how to do this? Thanks so much. Best regards, Alex

Google/Yahoo Spam

2009-08-27 Thread MySQL Student
Hi all, I'm seeing an increase in Google Reader and yahoo groups/personals/profile spam. Here's an example of the Google Reader spam: http://pastebin.com/m1021fc5f Any ideas on how to catch this one? For the Yahoo spam (with links to yahoo sites ending in '/1', I've created these: uriLO

Training spam as ham and forwarding

2009-08-26 Thread MySQL Student
Hi SA users, I have a few messages found in the quarantine that I need to train as ham because they were marked as spam incorrectly. To do this, I added the following to the top of the file so it becomes a normal email: From DUMMY-LINE Thu Jan 1 00:00:00 1970 Is this correct? (without the lead

Re: lottery message scored hammy by bayes

2009-08-25 Thread MySQL Student
Hi, > If you're using autolearning, what are your learning thresholds? What do you recommend for thresholds? I'm considering using autolearning, but very concerned about corrupting the database. I think I would use something like +15 for spam. There are FNs on occasion in the 2.x range with low

Re: spam mail with flagged style images

2009-08-21 Thread MySQL Student
Hi, > mimeheader LOC_CTYP_IMG  ((Content-Type =~ /image\/png/) || > (Content-Type =~ /image\/jpg/) || (Content-Type =~ /image\/jpeg/) || I thought this passed through my --lint, but I only caught it the second time. I was looking around for the (new) right way to do it, and found this in 80_addit

Re: spam mail with flagged style images

2009-08-20 Thread MySQL Student
Hi, >> mimeheader AS_090508_CTYP_PNG Content-Type =~ /image\/png/ >> mimeheader AS_090508_CTYP_JPG Content-Type =~ /image\/jpg/ >> mimeheader AS_090508_CTYP_JPEG Content-Type =~ /image\/jpeg/ > > All scored the same. Can be written as a single rule. I've spent some time and tried to r

Junkmailfilter rules

2009-08-20 Thread MySQL Student
Hi, I've been using the junkmailfilter rules for a few days now, and it's doing quite well. It occurred to me that I might be able to use the RCVD_IN_JMF_W rule filter whitelisted domain mail, and use that to train bayes ham. Would this work? There of course would be mail from constantcontact.com

Re: spam mail with flagged style images

2009-08-20 Thread MySQL Student
Hi, > Text added to e-mail is a bogus one, never repeated, same as the old styled > spam mail with attached images. The OCR doesn't detect nothing, I understand > because of flagged effect. Also, image file name changes, if it have. A few of these have slipped through on my systems, but for the m

Re: gpgkey failures with sa-update

2009-08-19 Thread MySQL Student
Hi, > list.  No errors reported then, and I've now forgotten the url. www.yerp.org > now gets me a webmail login screen, so obviously that wasn't it.  Toss that > url to me and I'll replay it again. You should be able to search through your browser history, no? With Firefox v3.5, you can also ju

Re: Assistence needed with spamassasin under RedHat 5.2

2009-08-19 Thread MySQL Student
Hi, > spamassassin.  I have a test message which is genuine.  Running this through > spamassassin with -t (test) mode as described below gives the output below: > > Running : spamassassin -t /tmp/rose2 gives at the bottom the following > (edited for privacy) report. Try adding some debugging output

Re: sa-update: stuck at 795855?

2009-08-19 Thread MySQL Student
Hi, > The problem is that the spammers test with the SA rulesets as soon > as they are released, which is why the rulesets become ineffective. I'm not sure I agree with that. If this were the case, I would have a lot less spam with scores of 50 or more, which obviously aren't even trying to do so

Re: Counting RAZOR2 hits

2009-08-17 Thread MySQL Student
Hi, > You can also set your min_cf in your razor config files, which will > affect when the RAZOR2_CHECK rule fires. This does work in SpamAssassin, > as I have over-ridden the min_cf on my own system, and have done so for > years. Thanks to everyone for their great ideas thus far. I'm looking fo

Re: Barracuda RBL in first place

2009-08-16 Thread MySQL Student
Hi, > So perhaps instead of adding another RBL, maybe some admins need to > consider adding in some HELO checking / rejection. Can you explain a bit more here? What are you checking for, that the host is valid? Thanks, Alex

Counting RAZOR2 hits

2009-08-15 Thread MySQL Student
Hi, I thought "grep -c RAZOR2_CHECK" through my mail logs would give me a good approximation of the number of times RAZOR2 was consulted, but that doesn't seem to be the case. There are some mails that don't have it listed in the "tests=" section. I've also tried the razor-* commands, and they do

Re: Barracuda RBL in first place

2009-08-15 Thread MySQL Student
Hi, >> What log script do you good people use to generate the list above ? Is it >> a home brew or one we can download so we can compare our own hits ? > > http://www.rulesemporium.com/programs/sa-stats.txt Any chance someone knows where there is a compatible one that parses amavisd instead of sp

Re: Barracuda RBL in first place

2009-08-15 Thread MySQL Student
Hi, >                            Unknown user 32.00% (32.00%)            87427696 >                              Greylisted 24.88% (16.92%)            46225401 >                               Throttled 11.03% (5.64%)             15399444 >                     Relay access denied 0.01%  (0.00%)    

Post trips pastebin spam filter

2009-08-12 Thread MySQL Student
Hi, I have another spam message that is very elusive, and thought someone might be able to take a look. I tried to post it to pastebin, and its spam filter apparently catches it, and prevents me from posting. It's definitely in the header. Is there something else I can do to post it, or does some

Re: Elusive spam

2009-08-12 Thread MySQL Student
Hi, > 50_scores.cf:score RCVD_IN_BL_SPAMCOP_NET 0 2.188 0 1.960 # n=0 n=2 > 50_scores.cf:score RCVD_IN_XBL 0 2.896 0 3.033 # n=0 n=2 > 70_relay_country.cf:score           RELAYCOUNTRY_US 0.1 > 50_scores.cf:score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2 > 50_scores.cf:score BAYES_50 0 0 0.001 0.

Re: Elusive spam

2009-08-12 Thread MySQL Student
Hi, > it hits spamhaus, and spamcop, what more do you want ? > > meta haus_cop (spamhaus && spamcop) > score haus_cop 5 X-Spam-Status: No, hits=4.8 tagged_above=-300.0 required=5.0 use_bayes=1 tests=BAYES_50, DATE_IN_PAST_03_06, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_SORBS_WEB, RCVD_IN_XBL, RELAYCOUNT

Re: Elusive spam

2009-08-12 Thread MySQL Student
Hi, > Are we to make guesses on what else might be munged? > Is just example.com munged or the 172.0.0.1 also munged? Just the domain was munged. Thanks for the info. I should have been able to figure that out. Thanks, Alex

Re: Elusive spam

2009-08-12 Thread MySQL Student
Hi, >> Maybe this will sound dumb but wouldn't it be perfectly >> safe to blacklist "example.com" after all, that isn't a >> domain your ever going to get mail from. > > I could be wrong, but I'm guessing the example.com is the OP's munging. Yes, that's correct. My apologies. Best, Alex

Elusive spam

2009-08-12 Thread MySQL Student
Hi, I'm having trouble catching a particular type of spam, and hoped someone had some time to take a look: http://pastebin.com/d57336542 It doesn't match RAZOR2, or any of the URI lists, and it's only BAYES_50. I have a pretty well-established BAYES db, so I'm surprised it's only BAYES_50. What

Scores, razor, and other questions

2009-08-07 Thread MySQL Student
Hi, After another day of hacking, I have a handful of general questions that I hoped you could help me to answer. - How can I find the score of a particular rule, without having to use grep? I'm concerned that I might find it at some score, only for it to be redefined somewhere else that I didn't

Re: RelayCountry Config

2009-08-06 Thread MySQL Student
Hi, > I find ordinary header and meta rules are all I need: > > http://pastebin.com/f5e5232d1 Among those rules you have: meta RELAYCOUNTRY_MED ! RELAYCOUNTRY_HIGH && ( __RELAYCOUNTRY_AF || __RELAYCOUNTRY_AS || __RELAYCOUNTRY_EU_S || __RELAYCOUNTRY_OC_S || __RELAYCOUNTRY_AM_S ) It's p

Re: RelayCountry Config

2009-08-06 Thread MySQL Student
Hi, > This is also why the plugin works and you do get the per-country rule > hits, but don't get the SA Relay-Countries header. Yes, you are correct. Thanks for the lead and the explanation. Here's a thread that talks about how to add the header for amavisd: http://www.mail-archive.com/amavis-u

Re: RelayCountry Config

2009-08-06 Thread MySQL Student
Hi, >> [23760] dbg: metadata: X-Relay-Countries: >> > The --lint test is *NOT* valid for this. --lint is *ONLY* to verify your > config files are parseable. Yes, thanks, I should have known that, and I think I did. I mentioned in the previous post that I tried it with a real message, and even vie

Anti-Phishing and Spear-Phishing Version 2

2009-08-06 Thread MySQL Student
Hi, Has anyone tried the phishing rules generated by Julian Field and developed by Google? It looks really neat: http://www.jules.fm/Logbook/files/anti-phishing-v2.html It's basically a list of 3.5k email addresses found in email thought to be spam. Looks to be developed by Google, so it's "saf

Re: RelayCountry Config

2009-08-06 Thread MySQL Student
Hi, > I don't know if it makes a difference, but I call it Relay-Countries to > match the name of the pseudo-header used in the tests > > add_header all Relay-Countries          _RELAYCOUNTRY_ It doesn't appear to make a difference. I must be doing something else wrong. Using "spamassassin --lint

RelayCountry Config

2009-08-06 Thread MySQL Student
Hi, I'm trying to configure RelayCountry. I have it installed, and SA recognizes it: # spamassassin --lint -D 2>&1|grep -i country [4278] dbg: diag: module installed: IP::Country::Fast, version 604.001 [4278] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC [4278] dbg: plug

Upgrading bayes DB

2009-08-04 Thread MySQL Student
Hi, I'm still working on my bayes training project, but also trying to upgrade the bayes DB due to upgrading perl and all the associated modules. I started with this output from "sa-learn --dump magic" 0.000 0 3 0 non-token data: bayes db version 0.000 0

Bayes training

2009-08-03 Thread MySQL Student
Hi, We have accumulated quite a large list of whitelisted users, primarily because they were previously tagged incorrectly. I've extracted a copy of all whitelisted mail into a separate mbox. Certainly there is some spam in there as well, but assuming I only learn the ham, would it make sense to

Re: Upgrading perl modules for SA

2009-07-30 Thread MySQL Student
Hi, >> check_mail: decoding2-get-file-types FAILED: 'file' utility >> (/usr/bin/file) failed, status=1 (256 ) at /usr/sbin/amavisd line > How's this a SA question? Yes, my apologies. I don't know enough about amavis yet, and thought it may be related to all the modules I upgraded, and not amavis

Upgrading perl modules for SA

2009-07-30 Thread MySQL Student
Hi, I recently upgraded perl from 5.6.0 to perl-5.10.0, along with all the modules necessary for sa-3.2.5 and amavisd-new (an old version still). I'm now having a problem that I really don't understand: Jul 30 14:24:30 bigship amavis[1757]: (01757-175) TROUBLE in check_mail: decoding2-get-file-ty

Re: whitelist_from questions

2009-07-27 Thread MySQL Student
Hi, I'm looking at an email that appears to be one of the users from the whitelist, but instead was from: From probesqt...@segunitb1.freeserve.co.uk Mon Jul 27 19:49:19 2009 Why can't a comparison be made between the "From:" info and the actual sender? Is this because of virtual domains and/or

Re: Low Scoring Lotto Spam

2009-07-27 Thread MySQL Student
Hi, >        *  3.0 RCVD_IN_UCEPROTECT2 RBL: Received via a relay in >        *      dnsbl-2.uceprotect.net >        *      [81.202.69.68 listed in dnsbl-2.uceprotect.net] >        *  2.0 RCVD_IN_UCEPROTECT3 RBL: Received via a relay in >        *      dnsbl-3.uceprotect.net >        *      [81.20

Re: whitelist_from questions

2009-07-23 Thread MySQL Student
Hi, > Firstly, before you convert all these to whitelist_from_rcvd, perhaps you > ought to ask yourself whether you really need 1000 entries on your > whitelist. I'm surprised you were the first to make that very comment, so thanks. > Does mail from these addresses actually get miscategorised as

Re: Lotto/Money & email address spam

2009-07-23 Thread MySQL Student
Hi, > sa-update lint checks the rules in a sandbox, and does not update the > local channel, if there are any issues. Moreover, do NOT copy these > updates to your site config dir -- but keep it in the update dir where > sa-update puts them [1]. SA knows how to use them instead of the > "install-t

Re: Lotto/Money & email address spam

2009-07-23 Thread MySQL Student
Hi, >> Please don't paste examples to this list. >> >> Please post them to pastebin (or a similar service) and then include the >> link. .. Yes, understood. FWIW, I know enough to not post an entire message with headers to the list -- I'm sure half the time it would be filtered anyway. This time

Re: Lotto/Money & email address spam

2009-07-22 Thread MySQL Student
>> I thought FreeMail was part of SA proper, but apparently not. Who >> maintains that, and how do I find it? > > You need three files: > http://sa.hege.li/FreeMail.pm > http://sa.hege.li/FreeMail.cf > http://sa.hege.li/freemail_domains.cf > > And it's also worthwhile to add the > 90_sare_freemail.
