Are there any issues upgrading from 1.5 to 20?

Peter



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2002 3:26 PM
To: [EMAIL PROTECTED]
Subject: *****SPAM***** Spamassassin-talk digest, Vol 1 #208 - 43 msgs


SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future, using
SPAM: the built-in mail filtering support in your mail reader.
SPAM:
SPAM: Content analysis details:   (9 hits, 7 required)
SPAM: Hit! (1.2 points)  From: does not include a real name
SPAM: Hit! (1.9 points)  BODY: /http\:\/\/[^\s\/]+\@/is
SPAM: Hit! (0.8 points)  BODY: /^[^<]{199,}$/m
SPAM: Hit! (1.1 points)  BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: Hit! (-2 points)   BODY: Message text is over 500 lines long
SPAM: Hit! (2 points)    BODY: /\n\n.*mailto:\S+\?subject=/is
SPAM: Hit! (4 points)    BODY: /click below/is
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

--10.3.1.13.69.11141.1011799497.310.22278
Content-type: text/plain; charset=us-ascii
Content-description: Masthead (Spamassassin-talk digest, Vol 1 #208)

Send Spamassassin-talk mailing list submissions to
        [EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Spamassassin-talk digest..."


--10.3.1.13.69.11141.1011799497.310.22278
Content-type: text/plain; charset=us-ascii
Content-description: Today's Topics (43 msgs)

Today's Topics:

   1. RE: false positives on conference announcements (Tom Lipkis)
   2. Re: 2.0 failing for me on "make test" (Lisa Applegate)
   3. HTTP/URL rules (Bill Becker)
   4. LINE_OF_YELLING mismatch (Damian Gerow)
   5. Re: HTTP/URL rules (rODbegbie)
   6. spamd still sucking up CPU time (Cayce Will)
   7. Re: HTTP/URL rules (dman)
   8. Re: LINE_OF_YELLING mismatch (dman)
   9. incorporating DCC check (should be better than razor) (Nick Bellomy)
  10. Problem w/ CummuniGate Pro Lists (Uwe Willenbacher)
  11. Re: incorporating DCC check (should be better than
       razor) (Mark Reynolds)
  12. no issues, just thought youd like this :) (Kelly Hamlin)
  13. Re: HTTP/URL rules (Justin Mason)
  14. Re: HTTP/URL rules (Justin Mason)
  15. Re: incorporating DCC check (should be better than razor)
       (Justin Mason)
  16. Re: Problem w/ CummuniGate Pro Lists (Justin Mason)
  17. the sightings list (Justin Mason)
  18. White list feature (brad)
  19. Re: spamd still sucking up CPU time (brad)
  20. Re: White list feature (Justin Mason)
  21. Re: no issues, just thought youd like this :) (Charlie Watts)
  22. 2.0 released (Justin Mason)
  23. Re: the sightings list (Ged Haywood)
  24. SPAM TRAPPING with QMAIL (Peter Mahnke)
  25. Re: SPAM TRAPPING with QMAIL (Matt Sergeant)
  26. Re: SPAM TRAPPING with QMAIL (Peter Mahnke)
  27. Subject munging bug? (Michael Moncur)
  28. SUBJECT_MISSING ? (Charlie Watts)
  29. UnityMail (Charlie Watts)
  30. interesting pills (sent at 7:57:05 to [EMAIL PROTECTED])
       (fwd) (Charlie Watts)
  31. ^M's in subject lines? (Charlie Watts)
  32. Re: interesting pills (sent at 7:57:05 to [EMAIL PROTECTED])
       (fwd) (Matt Sergeant)
  33. Re: ^M's in subject lines? (Matt Sergeant)
  34. Re: interesting pills (sent at 7:57:05 to [EMAIL PROTECTED])
       (fwd) (Charlie Watts)
  35. Re: ^M's in subject lines? (Charlie Watts)
  36. Re: Subject munging bug? (Charlie Watts)
  37. FYI this didn't get picked up (Peter Mahnke)
  38. RE: FYI this didn't get picked up (Tony Hoyle)
  39. RE: FYI this didn't get picked up (Ged Haywood)
  40. Re: SPAM TRAPPING with QMAIL (rODbegbie)

--10.3.1.13.69.11141.1011799497.310.22278
Content-type: multipart/digest; boundary="__--__--"

--__--__--

Message: 1
Date: Tue, 22 Jan 2002 08:56:14 -0800 (PST)
From: Tom Lipkis <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
In-reply-to: <315E8A8BF9D1D411AD3D00508BB1B0C006EC3687@UKS040> (message from
Matt Sergeant on Tue, 22 Jan 2002 09:39:18 -0000)
Subject: RE: [SAtalk] false positives on conference announcements
Sender: [EMAIL PROTECTED]
Precedence: bulk
List-Help: <mailto:[EMAIL PROTECTED]?subject=help>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/spamassassin-talk>,
        <mailto:[EMAIL PROTECTED]?subject=subscribe>
List-Id: Talk about SpamAssassin <spamassassin-talk.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/spamassassin-talk>,
        <mailto:[EMAIL PROTECTED]?subject=unsubscribe>
List-Archive: <http://www.geocrawler.com/redir-sf.php3?list=spamassassin-talk>

> > Conference announcements often contain the phrase "the
> > following format"
> > when requesting submissions, which matches the
> > THE_FOLLOWING_FORM rule,
> > which has a quite high score.  Adding \W to the end of the
> > pattern prevents
> > this, and seems safe in general.
>
> \b would be better there.

Oops.  You're right.

Tom
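
The difference between the two suggestions above, as an added example (not code from the list or from SpamAssassin). The rule's real pattern is not quoted in the message, so `the following form` is assumed as its core, and the sample lines are constructed.

```python
import re

# Assumed core of THE_FOLLOWING_FORM; the real rule text is not shown in the thread.
BASE = r"the following form"

VARIANTS = {
    "original": BASE,
    "W": BASE + r"\W",   # first fix: require a non-word character after "form"
    "b": BASE + r"\b",   # suggested fix: zero-width word boundary after "form"
}

# Constructed sample lines.
SAMPLES = {
    "conference": "Submissions should use the following format: title, authors.",
    "spam_mid_line": "To be removed, fill in the following form, then reply.",
    "spam_end_of_text": "To be removed, fill in the following form",
}


def compare_variants():
    """Return {variant: {sample: matched?}} for every pattern/sample pair."""
    return {
        name: {
            label: re.search(pattern, text, re.IGNORECASE) is not None
            for label, text in SAMPLES.items()
        }
        for name, pattern in VARIANTS.items()
    }


if __name__ == "__main__":
    for name, row in compare_variants().items():
        print(f"{name:9}", row)
```

`\W` has to consume a character, so it cannot match when the phrase is the last thing in the text; `\b` matches there and still rejects "format".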


--__--__--

Message: 2
From: Lisa Applegate <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] 2.0 failing for me on "make test"
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Date: 22 Jan 2002 11:28:31 -0600
Message-ID: <[EMAIL PROTECTED]>
Lines: 31
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

>>>>> "JM" == Justin Mason <[EMAIL PROTECTED]> writes:

    JM> Looks like there's a corrupted or old spamassassin.cf in /etc.
    JM> Try doing "make install" first...

Yes, I think this was the problem; although "make install" didn't fix
it, I did eradicate every single spamassassin.cf I could find on the
box.

Then I did a fresh install, and voila! everything worked just great.

In hindsight this does seem rather obvious (well, duh!) but I missed
it completely.  Heh.

Somebody else emailed me and mentioned that perl 5.6.0 was fairly
buggy and recommended that I upgrade to perl 5.6.1; I did that last
night but still had the problem.  Upgrading was still a good idea,
though.

Thanks for all of your help.  I'm a happy camper now.   :)

And thanks to everybody who makes SpamAssassin such a terrific
program.  The improvements in 2.0 are really good.  :)



Lisa
[EMAIL PROTECTED]
--
Be happy while you're living, for you're a long time dead.
        -- Scottish proverb


--__--__--

Message: 3
Date: Tue, 22 Jan 2002 12:49:15 -0500 (EST)
From: Bill Becker <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: [SAtalk] HTTP/URL rules


I've noticed a new wave of spam with obfuscated URLs lately.  There seem
to be a lot of them, and they are getting pretty fancy, e.g.:

href="http://www.g%65%6f%63%69t%69es.%63o%6d%2fto%70so%66t%77%253fh%2569%257
%34%2e%25%36%33tr%2e%2540%2565s.g%65%6f%256%33i%2574%256%39%256%35%2573.%25%
36%33om%252f%256eu%255%66%257%30%257%34%253%66hit%252e%2563%74r.@home%2ee%61
r%74h%6ci%6ek%2enet/%7eno%76i9?hit.ctr.@%6de%6db%65%72%73%2etripod%2ec%6fm/%
7ecart7"

Anything with a '%' in the FQDN part of a URL would qualify as an
obfuscated URL, no?

Would something like this be hard to detect with a regex?

Regards,
Bill



--__--__--

Message: 4
Message-Id: <[EMAIL PROTECTED]>
Date: Tue, 22 Jan 2002 13:05:09 -0500
To: [EMAIL PROTECTED]
From: Damian Gerow <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: [SAtalk] LINE_OF_YELLING mismatch

We get daily statistics from our mail servers, and the following message
comes up with a hit on LINE_OF_YELLING:

---
To: [EMAIL PROTECTED]
Subject: Mail stats From mailer.sentex.ca

Statistics from Mon Jan 21 01:00:00 2002
  M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis  Mailer
  3     4983     185531K     5097     196908K     1116       0  amavis
  4      114      11377K        0          0K        0       0  local
=============================================================
  T     5097     196908K     5097     196908K     1116       0
  C     5097                 5097                 1116
---

This is spamassassin 1.5, with the updated/fixed spamassassin.cf file.



--__--__--

Message: 5
Message-ID: <004c01c1a373$f18d2450$66aa403f@RAGING>
From: "rODbegbie" <[EMAIL PROTECTED]>
To: "Bill Becker" <[EMAIL PROTECTED]>,
        <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] HTTP/URL rules
Date: Tue, 22 Jan 2002 13:17:44 -0500
Organization: Arsecandle Industries, Inc.
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Perhaps something that looks for a "%" symbol between "http://" and the next
"/" (or whitespace).  I'm no regex wiz, but would

http://[\w\.-]*%[\w\.-]*/?

do the job?

rOD.

--
"To me, clowns aren't funny. In fact, they're kind of scary.
 I've wondered where this started and I think it goes back
 to the time I went to the circus, and a clown killed my dad."


----- Original Message -----
From: "Bill Becker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 22, 2002 12:49 PM
Subject: [SAtalk] HTTP/URL rules


>
> I've noticed a new wave of spam with obfuscated URLs lately.  There seem
> to be a lot of them, and they are getting pretty fancy EG:
>
>
> href="http://www.g%65%6f%63%69t%69es.%63o%6d%2fto%70so%66t%77%253fh%2569%257
> %34%2e%25%36%33tr%2e%2540%2565s.g%65%6f%256%33i%2574%256%39%256%35%2573.%25%
> 36%33om%252f%256eu%255%66%257%30%257%34%253%66hit%252e%2563%74r.@home%2ee%61
> r%74h%6ci%6ek%2enet/%7eno%76i9?hit.ctr.@%6de%6db%65%72%73%2etripod%2ec%6fm/%
> 7ecart7"
>
> Anything with a '%' in the FQDN part of a URL would qualify as an
> obfuscated URL, no?
>
> Would something like this be hard to detect with a regex?
>
> Regards,
> Bill
>
>



--__--__--

Message: 6
Mime-Version: 1.0
Message-Id: <p05100305b87373cadb86@[63.169.164.8]>
Date: Tue, 22 Jan 2002 15:14:25 -0500
To: Spam Assassin <[EMAIL PROTECTED]>
From: Cayce Will <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Subject: [SAtalk] spamd still sucking up CPU time

Even with the spamassassin.cf fix in place,  spamd processes
occasionally don't close and start to monopolize the CPU.  I'm not
sure if it is related but in the procmail log I'm seeing this:

procmail: Timeout, terminating "spamc"
procmail: Rescue of unfiltered data succeeded


It sounds like spamd is initiated by spamc but spamd goes into an
infinite loop and never gets back to spamc so it times out?

I believe I'm using 1.5 and I'm calling spamd like this:

spamd -dl local6

--
---------------------------
Cayce C. Will
Systems Administrator
DeepNet Communications, LLC
989-727-3865
http://www.deepnet.com
http://www.deepnet.net
http://shop.deepnet.com


--__--__--

Message: 7
Date: Tue, 22 Jan 2002 15:54:49 -0500
From: dman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] HTTP/URL rules
Message-ID: <20020122205449.GA4884@localhost>
Mail-Followup-To: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.3.25i

On Tue, Jan 22, 2002 at 12:49:15PM -0500, Bill Becker wrote:
|
| I've noticed a new wave of spam with obfuscated URLs lately.  There seem
| to be a lot of them, and they are getting pretty fancy EG:
|
|
| href="http://www.g%65%6f%63%69t%69es.%63o%6d%2fto%70so%66t%77%253fh%2569%257
| %34%2e%25%36%33tr%2e%2540%2565s.g%65%6f%256%33i%2574%256%39%256%35%2573.%25%
| 36%33om%252f%256eu%255%66%257%30%257%34%253%66hit%252e%2563%74r.@home%2ee%61
| r%74h%6ci%6ek%2enet/%7eno%76i9?hit.ctr.@%6de%6db%65%72%73%2etripod%2ec%6fm/%
| 7ecart7"
|
| Anything with a '%' in the FQDN part of a URL would qualify as an
| obfuscated URL, no?
|
| Would something like this be hard to detect with a regex?

Perhaps a better solution would be to translate the escapes back to
plain ascii before running the message through the current set of
tests?

-D

--

"...In the UNIX world, people tend to interpret `non-technical user' as
meaning someone who's only ever written one device driver."
    --Daniel Pead



--__--__--

Message: 8
Date: Tue, 22 Jan 2002 15:57:06 -0500
From: dman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] LINE_OF_YELLING mismatch
Message-ID: <20020122205706.GB4884@localhost>
Mail-Followup-To: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.3.25i

On Tue, Jan 22, 2002 at 01:05:09PM -0500, Damian Gerow wrote:
| We get daily statistics from our mail servers, and the following message
| comes up with a hit on LINE_OF_YELLING:

I also saw a message that hit LINE_OF_YELLING, and the only thing I
could figure was that a line containing just "Hi!" triggered it.

I had another interesting thought ... posts to this list are likely to
trigger a number of tests due to the nature of the data we're
discussing.  No solution in mind (other than to explicitly look for
this list in my filter) though.

-D

--

I can do all things through Christ who strengthens me.
        Philippians 4:13



--__--__--

Message: 9
From: Nick Bellomy <[EMAIL PROTECTED]>
To: Spam Assassin <[EMAIL PROTECTED]>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: 22 Jan 2002 15:00:41 -0600
Message-Id: <1011733241.7503.36.camel@debianbase>
Mime-Version: 1.0
Subject: [SAtalk] incorporating DCC check (should be better than razor)

Has anyone on the SA dev-team looked at DCC (Distributed Checksum
Clearinghouse) http://www.rhyolite.com/anti-spam/dcc/ ?  It's similar to
razor but may prove to be a better alternative.

Just thought I'd toss it out there.

--Nick





--__--__--

Message: 10
Date: Tue, 22 Jan 2002 13:51:40 -0800
From: Uwe Willenbacher <[EMAIL PROTECTED]>
Reply-To: Uwe Willenbacher <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Message-ID: <153376663.1011707499@[10.0.0.107]>
In-Reply-To: <[EMAIL PROTECTED]>
References:  <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: [SAtalk] Problem w/ CummuniGate Pro Lists

Hello,

Seems there is a problem with SpamAssassin and CommuniGate Pro list(s).
Individual messages get checked perfectly, however mail delivered to lists
has *all* header info removed (see sample)

The actual message to the list is just fine, just the distribution is
messed up...Any idea if that is a CommuniGate (List/Group delivery) or a
SpamAssassin problem?

======== begin broken message =========
Return-Path: <[EMAIL PROTECTED]>
Received: from [EMAIL PROTECTED]
  by prowillen.com (CommuniGate Pro GROUP 3.5.3)
  with GROUP id 60455; Tue, 22 Jan 2002 13:36:50 -0800
Reply-To: [EMAIL PROTECTED] (User Name)
Received: by domain.com (CommuniGate Pro PIPE 3.5.3)
  with PIPE id 60454; Tue, 22 Jan 2002 13:36:50 -0800
X-Spam-Status: Scanner Called
Subject: *****SPAM*****
X-Spam-Status: Yes, hits=6 required=5 tests=INVALID_MSGID,FROM_AND_TO_SAME
    ,MISSING_HEADERS
X-Spam-Flag: YES
Date: Tue, 22 Jan 2002 13:36:50 -0800
Message-ID: <[EMAIL PROTECTED]>

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future, using
SPAM: the built-in mail filtering support in your mail reader.
SPAM:
SPAM: Content analysis details:   (6.1 hits, 5 required)
SPAM: Hit! (2 points)    Message-Id is not valid, according to RFC-2822
SPAM: Hit! (1.8 points)  From and To the same address
SPAM: Hit! (2.3 points)  Missing one of From:, To: or Date: headers
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------
======== end broken message ==========

Any ideas?

- Uwe Willenbacher

P.S.: This happens with SpamAssassin 1.5 and 2.0 (the latest)



--__--__--

Message: 11
Message-Id: <[EMAIL PROTECTED]>
Date: Wed, 23 Jan 2002 06:21:53 +0800
To: Nick Bellomy <[EMAIL PROTECTED]>,
   Spam Assassin <[EMAIL PROTECTED]>
From: Mark Reynolds <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] incorporating DCC check (should be better than
  razor)
In-Reply-To: <1011733241.7503.36.camel@debianbase>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"


I've looked at it.

I can't help thinking that it will have
similar problems to the razor solution.
Complexity of installation is what puts me
off the most for both of them.

So I'm in the process of setting up a simpler
system, using DNS block lists, distributed checksums,
distributed anonymous voting systems, and automated
email analysis.

Of course SA will be able to use it :-)

mark


At 03:00 PM 22/01/02 -0600, Nick Bellomy wrote:
>Has anyone on the SA dev-team looked at DCC (Distributed Checksum
>Clearinghouse) http://www.rhyolite.com/anti-spam/dcc/ ?  It's similar to
>razor but may prove to be a better alternative.
>
>Just thought I'd toss it out there.
>
>--Nick

---
Mark Reynolds        Reynolds Technology Pty Ltd
Phone 1300 656 424   http://www.reynolds.net.au
Phone 08 9474 1211   mailto:[EMAIL PROTECTED]
Fax   08 9474 9592   PO Box 945 South Perth 6951 WA
Pager 08 9480 5884   19 Lyall St South Perth 6151 WA
ABN 73 078 831 740   ACN 078 831 740




--__--__--

Message: 12
Message-ID: <001201c1a39c$6b824650$ac722241@fizz>
From: "Kelly Hamlin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Tue, 22 Jan 2002 18:27:55 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_000F_01C1A372.82539700"
Subject: [SAtalk] no issues, just thought youd like this :)

This is a multi-part message in MIME format.

------=_NextPart_000_000F_01C1A372.82539700
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

this was in a piece of spam I received earlier, which neither
spamassassin nor mailscanner tagged as spam.

This messsage was sent using the trial version of the
1st Class Mail Server software.  You can try it for free
at http://www.1cis.com/download/1cismail.asp

Is this unsolicited email?  Instructions for reporting unsolicited
email can be found at at http://www.1cis.com/articles/spam.asp



------=_NextPart_000_000F_01C1A372.82539700--



--__--__--

Message: 13
To: "rODbegbie" <[EMAIL PROTECTED]>
Cc: "Bill Becker" <[EMAIL PROTECTED]>,
        [EMAIL PROTECTED]
Subject: Re: [SAtalk] HTTP/URL rules
In-Reply-To: Message from "rODbegbie" <[EMAIL PROTECTED]>
   of "Tue, 22 Jan 2002 13:17:44 CDT."
<004c01c1a373$f18d2450$66aa403f@RAGING>
From: [EMAIL PROTECTED] (Justin Mason)
Date: Wed, 23 Jan 2002 11:16:09 +1100
Message-Id: <[EMAIL PROTECTED]>


"rODbegbie" said:

> Perhaps something that looks for a "%" symbol between "http://" and the next
> "/" (or whitespace).  I'm no regex wiz, but would
> http://[\w\.-]*%[\w\.-]*/?
> do the job?

yep, I added something to catch this last night. ;)

--j.


--__--__--

Message: 14
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] HTTP/URL rules
In-Reply-To: Message from dman <[EMAIL PROTECTED]>
   of "Tue, 22 Jan 2002 15:54:49 CDT." <20020122205449.GA4884@localhost>
From: [EMAIL PROTECTED] (Justin Mason)
Date: Wed, 23 Jan 2002 11:19:55 +1100
Message-Id: <[EMAIL PROTECTED]>


dman said:

> Perhaps a better solution would be to translate the escapes back to
> plain ascii before running the message through the current set of
> tests?

well, the obfuscation process itself is a good sign of spam, so we don't
want to miss that ;)

--j.
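
The two ideas in this thread combined, as an added example that is not SpamAssassin's code or anything posted to the list: flag percent-escapes in the URL authority as a signal in its own right, and also decode the host so existing tests can see it. `inspect_url` and `decode_fully` are hypothetical names, and the `example.com` URLs are constructed.

```python
import re
from urllib.parse import unquote

# rOD's pattern from the thread, unchanged.
PROPOSED = re.compile(r"http://[\w\.-]*%[\w\.-]*/?")

# Authority = everything after "scheme://" up to the first "/", "?", "#",
# whitespace, quote or angle bracket.
AUTHORITY = re.compile(r"https?://([^\s/?#\"'<>]*)", re.IGNORECASE)
ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# The href from Bill's message, re-joined across the archive's line wraps.
PAGE_SAMPLE = (
    "http://www.g%65%6f%63%69t%69es.%63o%6d%2fto%70so%66t%77%253fh%2569%257"
    "%34%2e%25%36%33tr%2e%2540%2565s.g%65%6f%256%33i%2574%256%39%256%35%2573.%25%"
    "36%33om%252f%256eu%255%66%257%30%257%34%253%66hit%252e%2563%74r.@home%2ee%61"
    "r%74h%6ci%6ek%2enet/%7eno%76i9?hit.ctr.@%6de%6db%65%72%73%2etripod%2ec%6fm/%"
    "7ecart7"
)

# Constructed URLs for comparison.
CONSTRUCTED = {
    "escape_in_path_only": "http://www.example.com/a%20b.html",
    "escape_after_userinfo": "http://login@%65xample.com/",
}


def decode_fully(text, max_rounds=5):
    """Undo nested percent-encoding (%2565 -> %65 -> e); return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds and ESCAPE.search(text):
        text = unquote(text)
        rounds += 1
    return text, rounds


def inspect_url(url):
    """Report on the authority part of the first http(s) URL found in `url`."""
    match = AUTHORITY.search(url)
    if match is None:
        return None
    authority = match.group(1)
    # Anything before the last "@" is userinfo, not the host.
    _userinfo, at, hostport = authority.rpartition("@")
    host_decoded, host_rounds = decode_fully(hostport)
    _, authority_rounds = decode_fully(authority)
    return {
        "host_raw": hostport,
        "host_decoded": host_decoded.lower(),    # feed this to existing tests
        "has_userinfo": bool(at),
        "escaped_host": host_rounds > 0,         # obfuscation signal, kept separately
        "encoding_depth": authority_rounds,      # 2 means double-encoded escapes
        "proposed_regex_hit": PROPOSED.search(url) is not None,
    }


if __name__ == "__main__":
    print("page sample:", inspect_url(PAGE_SAMPLE))
    for label, url in CONSTRUCTED.items():
        print(label + ":", inspect_url(url))
```

The proposed pattern fires on the page's sample and stays quiet for an escape that appears only in the path, but it stops at the first character outside `[\w.-]`, so an escaped host that follows a userinfo part is only caught by parsing the authority.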


--__--__--

Message: 15
To: Nick Bellomy <[EMAIL PROTECTED]>
Cc: Spam Assassin <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] incorporating DCC check (should be better than razor)
In-Reply-To: Message from Nick Bellomy <[EMAIL PROTECTED]>
   of "22 Jan 2002 15:00:41 MDT." <1011733241.7503.36.camel@debianbase>
From: [EMAIL PROTECTED] (Justin Mason)
Date: Wed, 23 Jan 2002 11:20:50 +1100
Message-Id: <[EMAIL PROTECTED]>


Nick Bellomy said:

> Has anyone on the SA dev-team looked at DCC (Distributed Checksum
> Clearinghouse) http://www.rhyolite.com/anti-spam/dcc/ ?  It's similar to
> razor but may prove to be a better alternative.

It looks good, but is in C whereas SpamAssassin is in perl.

patches to add support for it would be nice though ;)

--j.


--__--__--

Message: 16
To: Uwe Willenbacher <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Problem w/ CummuniGate Pro Lists
In-Reply-To: Message from Uwe Willenbacher <[EMAIL PROTECTED]>
   of "Tue, 22 Jan 2002 13:51:40 -0800." <153376663.1011707499@[10.0.0.107]>
From: [EMAIL PROTECTED] (Justin Mason)
Date: Wed, 23 Jan 2002 11:22:28 +1100
Message-Id: <[EMAIL PROTECTED]>


Uwe Willenbacher said:

> Seems there is a problem with SpamAssassin and CommuniGate Pro list(s).
> Individual messages get checked perfectly, however mail delivered to lists
> has *all* header info removed (see sample)
>
> The actual message to the list is just fine, just the distribution is
> messed up...Any idea if that is a CommuniGate (List/Group delivery) or a
> SpamAssassin problem?

It's a SpamAssassin problem -- SpamAssassin assumes that mails should
be sent with a "From " line at the top, which is the case for most unix
MTAs and setups, but not all :(

SpamAssassin 2.0 adds a new flag, -F, which allows you to override
the default behaviour.  -F0 should fix this.

--j.


--__--__--

Message: 17
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Justin Mason)
Date: Wed, 23 Jan 2002 11:41:42 +1100
Message-Id: <[EMAIL PROTECTED]>
Subject: [SAtalk] the sightings list

BTW folks -- if a spam is missed, please bounce it to
<[EMAIL PROTECTED]> .

Now, the new stuff.  I would prefer if it was bounced -- not forwarded;
'bouncing', or 'redistribution' etc. will preserve the headers in the
header-part of the message, whereas forwarding moves them into the body
part, surrounded by arbitrary text or MIME strings, where SpamAssassin
can't see them unless I manually edit the message.

--j.

--
'Justin Mason' => { url => 'http://jmason.org/', blog =>
'http://taint.org/' }


--__--__--

Message: 18
Date: Tue, 22 Jan 2002 18:21:26 -0800 (PST)
From: brad <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: [SAtalk] White list feature
Sender: [EMAIL PROTECTED]
Precedence: bulk


I have a user defined in the local.cf as allspam_to and all of the time
when his name is in the to: field it works perfectly, but if he is listed
in the bcc: or cc: fields it does not catch it.

Suggestions?

Here is an example:



To: "'Glissmeyer, Elaine'" <[EMAIL PROTECTED]>
Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: *****SPAM***** Realtor
Date: Tue, 22 Jan 2002 19:49:13 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain
X-Spam-Status: Yes, hits=6.4 required=6.0
tests=SUPERLONG_LINE,CLICK_BELOW,FREQ_SPAM_PHRASE version=2.0
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.0 (devel $Id: SpamAssassin.pm,v
1.57 2002/01/15 04:30:12 jmason Exp $)
X-Spam-Report:   6.36 hits, 6 required;
  *  0.8 -- BODY: Contains a line >=199 characters long
  *  4.0 -- BODY: Asks you to click below
  *  1.6 -- Contains phrases frequently found in spam
            [score:  11, hits: click below, credit card, for]
            [your, instructions this, please click, this]
            [mail, web site, your mail]


This is an example when it does work in the to: field.

Delivered-To: [EMAIL PROTECTED]
Received: (cpmta 1033 invoked from network); 22 Jan 2002 17:47:38 -0800
Received: from 64.58.181.7 (HELO mail.trackmy.com)
  by smtp.c000.snv.cp.net (209.228.32.59) with SMTP; 22 Jan 2002 17:47:38
-0800
X-Received: 23 Jan 2002 01:47:38 GMT
Received: from www ([192.168.100.9]) by mail.trackmy.com
          (Post.Office MTA v3.5.3 release 223 ID# 0-63030U1200L300S0V35)
          with SMTP id com for <[EMAIL PROTECTED]>;
          Tue, 22 Jan 2002 17:41:15 -0800
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: HomeSearch Results For: Bill And Carol Lane
Content-Type: text/html
Date: Tue, 22 Jan 2002 17:41:15 -0800
Message-ID: <[EMAIL PROTECTED]@www>
X-Spam-Status: No, hits=-90.3 required=6.0
        tests=NO_REAL_NAME,SUPERLONG_LINE,HTTP_WITH_EMAIL_IN_URL,MAILTO_LINK,
        FREQ_SPAM_PHRASE,CTYPE_JUST_HTML,USER_IN_ALL_SPAM_TO version=2.0






--__--__--

Message: 19
Date: Tue, 22 Jan 2002 18:25:43 -0800 (PST)
From: brad <[EMAIL PROTECTED]>
To: Cayce Will <[EMAIL PROTECTED]>
cc: Spam Assassin <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] spamd still sucking up CPU time
In-Reply-To: <p05100305b87373cadb86@[63.169.164.8]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [EMAIL PROTECTED]
Precedence: bulk

Are you sure that it is a spamd issue?  I was having the same problem and
it was a locking issue with procmail.  I removed the spam.lock statement
and then my issue went away.

Depending on your site email volume, (mine was 100k per day) you may
choose to disable network checks like the rbl / razor by invoking spamd
with the -L flag.

It has reduced my average scan times from 7 seconds down to 1 second.  The
other thing you might try is spamd -L -D and watch the debug messages on
the console.  It has really helped me out a bunch of times.

brad


On Tue, 22 Jan 2002, Cayce Will wrote:

> Even with the spamassassin.cf fix in place,  spamd processes
> occasionally don't close and start to monopolize the CPU.  I'm not
> sure if it is related but in the procmail log I'm seeing this:
>
> procmail: Timeout, terminating "spamc"
> procmail: Rescue of unfiltered data succeeded
>
>
> It sounds like spamd is initiated by spamc but spamd goes into an
> infinite loop and never gets back to spamc so it times out?
>
> I believe I'm using 1.5 and I'm calling spamd like this:
>
> spamd -dl local6
>
> --
> ---------------------------
> Cayce C. Will
> Systems Administrator
> DeepNet Communications, LLC
> 989-727-3865
> http://www.deepnet.com
> http://www.deepnet.net
> http://shop.deepnet.com
>
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
>



--__--__--

Message: 20
To: brad <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] White list feature
In-Reply-To: Message from brad <[EMAIL PROTECTED]>
   of "Tue, 22 Jan 2002 18:21:26 -0800."
<[EMAIL PROTECTED]>
From: [EMAIL PROTECTED] (Justin Mason)
Date: Wed, 23 Jan 2002 13:38:37 +1100
Message-Id: <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
Precedence: bulk


brad said:

> I have a user defined in the local.cf as allspam_to and all of the time
> when his name is in the to: field it works perfectly, but if he is listed
> in the bcc: or cc: fields it does not catch it.

This should be caught in 2.0 -- but Bcc cannot be handled, since his
email will never appear in the headers :(

The only way to catch *that* will be at the MTA level, where SpamAssassin
is simply not called for that user.  SpamAssassin simply won't be able
to see his email addr.

--j.


--__--__--

Message: 21
Date: Wed, 23 Jan 2002 00:57:43 -0700 (MST)
From: Charlie Watts <[EMAIL PROTECTED]>
To: Kelly Hamlin <[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]>
Subject: Re: [SAtalk] no issues, just thought youd like this :)
In-Reply-To: <001201c1a39c$6b824650$ac722241@fizz>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [EMAIL PROTECTED]
Precedence: bulk

On Tue, 22 Jan 2002, Kelly Hamlin wrote:

> this was in a piece of spam i received earlier, which neither
> spamassassin or mailscanner tagged as spam.
>
> This messsage was sent using the trial version of the
> 1st Class Mail Server software.  You can try it for free
> at http://www.1cis.com/download/1cismail.asp
>
> Is this unsolicited email?  Instructions for reporting unsolicited
> email can be found at at http://www.1cis.com/articles/spam.asp

1cis.com is a customer of ours; They make an e-mail server for Windows.

They allow you to download a trial version that puts that footer on
messages.

On the one hand, it's just a mail server. A moderate number of folks are
using it for legit purposes ...

On the other hand, I don't feel too bad about spamassassin tagging
messages sent with the "trial" version ... if you are legit, you won't
like those "using the trial version" tags, so you'll buy it.

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/



--__--__--

Message: 22
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Justin Mason)
Date: Wed, 23 Jan 2002 19:03:18 +1100
Message-Id: <[EMAIL PROTECTED]>
Subject: [SAtalk] 2.0 released
Sender: [EMAIL PROTECTED]
Precedence: bulk

OK, it's now up there as the new stable version.  Here's the change log:

  - some spamc/spamd command line arg semantics changed (hence the major
    # change)

  - config file split up into a directory of files.  Also, config file
    locations are now legal by the FHS. (hence the major number change)

  - auto-whitelisting: regular correspondents who send non-spam mail
    are eventually added to a personal whitelist.

  - new spam-phrase analysis module, which uses analysis of spam mails
    to determine common phrases, providing another way to get spam
    points from the text.

  - "rawbody" config item added, which allows a more sensible way to
    scan text bodies.  "body" now cleans up whitespace and removes NLs
    for plain-text matching.

  - Mail::Audit, Mail::Internet, Net::SMTP dependencies removed.  also
    provides a nice speedup ;)

  - and of course, lots of new tests and a new GA score set.

All at http://spamassassin.org/downloads.html ,

--j.

--
'Justin Mason' => { url => 'http://jmason.org/', blog =>
'http://taint.org/' }


--__--__--

Message: 23
Date: Wed, 23 Jan 2002 09:12:23 +0000 (GMT)
From: Ged Haywood <[EMAIL PROTECTED]>
To: Justin Mason <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] the sightings list
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID:
<[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [EMAIL PROTECTED]
Precedence: bulk

Hi Justin,

On Wed, 23 Jan 2002, Justin Mason wrote:

> BTW folks -- if a spam is missed, please bounce it to
> <[EMAIL PROTECTED]> .
>
> Now, the new stuff.  I would prefer if it was bounced -- not forwarded;
> 'bouncing', or 'redistribution' etc. will preserve the headers in the
> header-part of the message, whereas forwarding moves them into the body
> part, surrounded by arbitrary text or MIME strings, where SpamAssassin
> can't see them unless I manually edit the message.

The problems I've come across are that (1) some of the stuff I try to
send that way gets bounced straight back by the Sourceforge server
because it has dubious executable-type stuff in there and (2) some of
the messages contain such garbage that my MUA (Pine) can't parse them
well enough to bounce, forward or anything so about the only thing I
can do is save them to a file and attach it.

Any suggestions?

73,
Ged.



--__--__--

Message: 24
Date: 23 Jan 2002 11:07:55 -0000
Message-ID: <[EMAIL PROTECTED]>
From: "Peter Mahnke" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Subject: [SAtalk] SPAM TRAPPING with QMAIL
Sender: [EMAIL PROTECTED]
Precedence: bulk

Does anyone know how to setup a spam trapping email account with a QMAIL
installation?

Preferably with keeping a copy of the message.

Thanks,

Peter


--__--__--

Message: 25
Message-ID: <06c901c1a3fd$307e9520$a064020a@stare6nhm1hq2c>
From: "Matt Sergeant" <[EMAIL PROTECTED]>
To: "Peter Mahnke" <[EMAIL PROTECTED]>,
        <[EMAIL PROTECTED]>
References:  <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] SPAM TRAPPING with QMAIL
Date: Wed, 23 Jan 2002 11:00:37 -0000
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
Precedence: bulk

----- Original Message -----
From: "Peter Mahnke" <[EMAIL PROTECTED]>


> Does anyone know how to setup a spam trapping email account with a QMAIL
> installation?
>
> Preferably with keeping a copy of the message.

Do you mean a honeypot, or do you mean how do I setup qmail to use
SpamAssassin?

Matt.



--__--__--

Message: 26
Date: 23 Jan 2002 11:51:30 -0000
Message-ID: <[EMAIL PROTECTED]>
From: "Peter Mahnke" <[EMAIL PROTECTED]>
To: "Matt Sergeant" <[EMAIL PROTECTED]>
CC: <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] SPAM TRAPPING with QMAIL
References:   <>
In-Reply-To:  <>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: [EMAIL PROTECTED]
Precedence: bulk

I guess a honeypot.

What I want to do is have an account where people can forward SPAM mail
that they decide is actually spam.  That account will automagically process
it and forward it to Razor.  It would also be nice to keep a copy in a
qmail maildir.

I have tried to play with the .qmail-default file, but with no success.

Thanks,

Peter
On Wed, 23 Jan 2002 11:00:37 -0000, "Matt Sergeant"
<[EMAIL PROTECTED]> wrote :

> ----- Original Message -----
> From: "Peter Mahnke" <[EMAIL PROTECTED]>
>
>
> > Does anyone know how to setup a spam trapping email account with a QMAIL
> > installation?
> >
> > Preferably with keeping a copy of the message.
>
> Do you mean a honeypot, or do you mean how do I setup qmail to use
> SpamAssassin?
>
> Matt.
>
>
>
>


--__--__--

Message: 27
From: "Michael Moncur" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Wed, 23 Jan 2002 05:16:25 -0700
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Importance: Normal
In-Reply-To: <[EMAIL PROTECTED]>
Subject: [SAtalk] Subject munging bug?
Sender: [EMAIL PROTECTED]
Precedence: bulk

I've received two spam messages today that were properly scored and flagged
by SpamAssassin, but weren't filtered correctly by MS Outlook because the
subject wasn't munged. (I only turned on subject munging because Outlook
can't seem to spot the "X-Spam-Flag" header 100% of the time.)

Below are the headers from one of the messages - it's easy to tell what
happened. The message had two subject headers. SpamAssassin is munging the
second one, but Outlook is using the first one as the subject of the
message. The other message had the same problem.

Is it possible for SA to check for multiple subject headers? Since the two
messages had similar "From" headers and RFC822 problems, they were probably
generated by the same piece of spamware, and since many people rely on
subject munging, this could make them pass right through filters.

(I'm using SA 2.0 from the CVS build a couple of days ago. Will upgrade to
the release today.)

Received: from unknown (HELO 3621QDnv4?) (unknown)
  by unknown with SMTP; 22 Jan 2002 14:42:56 -0000
DATE: 22 Jan 02 6:53:33 AM
FROM: [EMAIL PROTECTED]
Message-ID: <77Kzv01N73Oi2WG>
SUBJECT: Re: your adult website...
X-Mail-Format-Warning: Bad RFC822 header formatting in Bcc:
Subject: [*SPAM*] Re: your adult website...
X-Spam-Status: Yes, hits=13.8 required=5.0

--
michael moncur   mgm at starlingtech.com   http://www.starlingtech.com/
"An ignorant person is one who doesn't know what you have just found out."
                -- Will Rogers
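
The mismatch reported in this message (a filter tagging one Subject field while the mail reader displays the other), as an added example that is not part of the original post or of SpamAssassin. The sample message, the tag string and all function names are constructed for illustration.

```python
# Added illustration; the sample message and every name here are constructed.

# Header fields that RFC 5322 allows at most once per message.
SINGLETON = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
             "message-id", "in-reply-to", "references", "subject"}

# Constructed sample modelled on the headers quoted in the post:
# two Subject fields that differ only in the case of the field name.
SAMPLE = (
    "Received: from unknown (HELO example) (unknown)\n"
    "  by unknown with SMTP; 22 Jan 2002 14:42:56 -0000\n"
    "DATE: 22 Jan 02 6:53:33 AM\n"
    "FROM: sender@example.invalid\n"
    "Message-ID: <constructed@example.invalid>\n"
    "SUBJECT: Re: your website...\n"
    "Subject: Re: your website...\n"
    "\n"
    "constructed body\n"
)


def split_fields(raw):
    """Return ([[name, value], ...], body); folded lines stay inside value."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += "\n" + line        # continuation of previous field
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append([name, value.strip()])
    return fields, body


def repeated_singletons(fields):
    """Map lower-cased name -> values for singleton fields that occur twice or more."""
    seen = {}
    for name, value in fields:
        seen.setdefault(name.lower(), []).append(value)
    return {n: v for n, v in seen.items() if n in SINGLETON and len(v) > 1}


def subject_views(fields):
    """What a first-match reader and a last-match reader would each display."""
    subjects = [v for n, v in fields if n.lower() == "subject"]
    if not subjects:
        return {"first": None, "last": None}
    return {"first": subjects[0], "last": subjects[-1]}


def tag_subjects(fields, tag, every=True):
    """Return a copy with the tag prepended to every Subject, or only to the last."""
    idx = [i for i, (n, _) in enumerate(fields) if n.lower() == "subject"]
    targets = set(idx if every else idx[-1:])
    return [[n, f"{tag} {v}" if i in targets else v]
            for i, (n, v) in enumerate(fields)]


def render(fields, body):
    """Serialise fields and body back into message text."""
    return "".join(f"{n}: {v}\n" for n, v in fields) + "\n" + body


if __name__ == "__main__":
    fields, body = split_fields(SAMPLE)
    print("repeated :", repeated_singletons(fields))
    print("last only:", subject_views(tag_subjects(fields, "[*SPAM*]", every=False)))
    print("every    :", subject_views(tag_subjects(fields, "[*SPAM*]")))
```

Matching field names case-insensitively is what lets the check see `SUBJECT:` and `Subject:` as the same field.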



--__--__--

Message: 28
Date: Wed, 23 Jan 2002 05:59:03 -0700 (MST)
From: Charlie Watts <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: [SAtalk] SUBJECT_MISSING ?
Sender: [EMAIL PROTECTED]
Precedence: bulk

In the style of the other _MISSING tests, what about a SUBJECT_MISSING
one?

(Too many false pozzies?)

header SUBJECT_MISSING                  Subject =~ /^UNSET$/ [if-unset: UNSET]
describe SUBJECT_MISSING                Missing Subject: header

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/




--__--__--

Message: 29
Date: Wed, 23 Jan 2002 06:07:04 -0700 (MST)
From: Charlie Watts <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: [SAtalk] UnityMail
Sender: [EMAIL PROTECTED]
Precedence: bulk

Anybody get any false positives on "X-Mailer: UnityMail" ?

I got a bunch of these over the weekend.

Looks safe to add to RATWARE to me ...

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/



--__--__--

Message: 30
Date: Wed, 23 Jan 2002 06:16:23 -0700 (MST)
From: Charlie Watts <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="6602920-427797030-1011791783=:692"
Subject: [SAtalk] interesting pills (sent at 7:57:05 to
[EMAIL PROTECTED])
 (fwd)
Sender: [EMAIL PROTECTED]
Precedence: bulk

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to [EMAIL PROTECTED] for more info.

--6602920-427797030-1011791783=:692
Content-Type: TEXT/PLAIN; charset=US-ASCII

I'm forwarding this to -talk as well as -sightings because it has some
interesting things.

First, the URL munging is ... strange.

Second, look at the Message-ID and that line at the bottom of the message.

Anybody seen this before?

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/

--6602920-427797030-1011791783=:692
Content-Type: MESSAGE/RFC822; CHARSET=US-ASCII
Content-ID: <[EMAIL PROTECTED]>
Content-Description: interesting pills (sent at 7:57:05 to
[EMAIL PROTECTED]) (fwd)

Return-Path: <[EMAIL PROTECTED]>
Received: from frontier.net (EXIP-T-011-p-106-173.tmns.net.au
[139.134.106.173])
        by cadmium.frontier.net (Postfix) with SMTP
        id C1A507A63D; Tue, 22 Jan 2002 13:57:12 -0700 (MST)
Received: from frontier.net ([192.168.13.4])
        by smtp-relay.frontier.net (8.11.0/8.11.0) with ESMTP id b2fcdeb39
        for <[EMAIL PROTECTED]>; Wed, Jan 2002  7:57:05
Message-Id: <ZWFuZGFqb2huc3RvbkBmcm9udGllci5uZXQ=$[EMAIL PROTECTED]>
Date: Wed, Jan 2002  7:57:05
From: [EMAIL PROTECTED]
Mime-Version: 1.0
To: <[EMAIL PROTECTED]>
Subject: interesting pills (sent at 7:57:05 to [EMAIL PROTECTED])
Content-Type: text/plain; charset="us-ascii"
X-Spam-Status: No, hits=3.0 required=5.0 tests=NO_REAL_NAME,FROM_AND_TO_SAME
version=2.0


Balding?  There's a pill that can help!

PROPECIA ® is a medical breakthrough — the first pill that effectively
treats male pattern hair loss on the vertex (at top of head) and
anterior mid-scalp area.

Read more at the following URL:

http://www.aff20021.jan.co.fr|https.viagra.goopt.com/explore/vga/index.
html

#bM#ZWFuZGFqb2huc3RvbkBmcm9udGllci5uZXQ=#eM#

--6602920-427797030-1011791783=:692--


--__--__--

Message: 31
Date: Wed, 23 Jan 2002 06:31:50 -0700 (MST)
From: Charlie Watts <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: [SAtalk] ^M's in subject lines?
Sender: [EMAIL PROTECTED]
Precedence: bulk

I'm seeing more and more spam with embedded ^M's in the subject lines.

I'm trying to figure out if this is even legal. If it isn't, I'll just
block it in postfix ...



Spamassassin does the right thing with these - it doesn't see the ^M's as
ending the headers and starting the body.

Pine and the maildrop filter both assume that these ^M's are the end of
the headers ...
And so additional headers after the Subject: are considered body ...



My problem is that Spamassassin is tagging the messages correctly, but my
maildrop and pine filters don't see the X-Spam-Status header ... because
they think it is body. Is this a pine/maildrop bug?

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/



--__--__--

Message: 32
Message-ID: <091701c1a414$c4790050$a064020a@stare6nhm1hq2c>
From: "Matt Sergeant" <[EMAIL PROTECTED]>
To: "Charlie Watts" <[EMAIL PROTECTED]>,
        <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] interesting pills (sent at 7:57:05 to
[EMAIL PROTECTED]) (fwd)
Date: Wed, 23 Jan 2002 13:49:24 -0000
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
Precedence: bulk

----- Original Message -----
From: "Charlie Watts" <[EMAIL PROTECTED]>


> I'm forwarding this to -talk as well as -sightings because it has some
> interesting things.
>
> First, the URL munging is ... strange.
>
> Second, look at the Message-ID and that line at the bottom of the message.

Very odd. I'm assuming the Message-ID and the last line are used for
tracking, plain and simple (not that I can decode it, but it's fairly
obvious). Some email clients will set in-reply-to with the message-id of the
parent, so you can track if someone replies.

The URL munging though doesn't make any sense to me. I can't get the link to
display, neither in IE or Mozilla. Is it exploiting some client bug that I'm
not aware of? The characters in that URL are (in hex) 14 02 14 05 14, which
is DC4 STX DC4 ENQ DC4 according to man ascii, which is also Ctrl-N, Ctrl-B,
Ctrl-N, Ctrl-E, Ctrl-N. Not sure if that does anything - it certainly
doesn't for me on a terminal window.

Interestingly iconv reports it as an error (because US-ASCII never *really*
defined those lower numbered characters, from what I can tell (the actual
standard is payware), it starts at 0x20), so it might be worth investigating
Text::Iconv based checks for errors in the character set? But then there are
a *lot* of broken clients out there who'll give us the wrong charset
information.

Really really strange.
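
A way to flag URLs that carry embedded control bytes like the ones listed in this message, as an added example that is not part of the original post or of SpamAssassin. The body text and host names are constructed placeholders. Python's ASCII codec accepts every byte below 0x80, so unlike the iconv behaviour reported above, a charset decode alone does not catch these and the scan has to be explicit.

```python
import re

# Constructed body modelled on the forwarded sample: the five control bytes
# listed in the message (14 02 14 05 14) sit inside the URL; hosts are placeholders.
SAMPLE_BODY = (
    b"Read more at the following URL:\n\n"
    b"http://www.example.invalid\x14\x02\x14\x05\x14other.example.invalid/index.html\n\n"
    b"See also http://clean.example.invalid/page.html\n"
)

# A URL token runs until ASCII whitespace or a common delimiter; control
# bytes are not whitespace, so they stay inside the token.
URL_TOKEN = re.compile(rb"https?://[^ \t\r\n\f\v<>\"]+", re.IGNORECASE)
ALLOWED_CONTROLS = {0x09, 0x0A, 0x0D}   # TAB, LF, CR are normal in mail text


def control_bytes(data):
    """Hex codes of C0 control bytes and DEL in data, in order of appearance."""
    return [f"{b:02x}" for b in data
            if (b < 0x20 or b == 0x7F) and b not in ALLOWED_CONTROLS]


def suspicious_urls(body):
    """Return [(printable_url, [hex codes])] for URLs that embed control bytes."""
    hits = []
    for match in URL_TOKEN.finditer(body):
        codes = control_bytes(match.group())
        if codes:
            printable = "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}"
                                for b in match.group())
            hits.append((printable, codes))
    return hits


def strict_ascii_accepts(body):
    """True if body decodes as ASCII; only bytes >= 0x80 make this fail."""
    try:
        body.decode("ascii")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    for url, codes in suspicious_urls(SAMPLE_BODY):
        print(url, codes)
    print("plain ASCII decode accepts the body:", strict_ascii_accepts(SAMPLE_BODY))
```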



--__--__--

Message: 33
Message-ID: <091d01c1a414$ead91140$a064020a@stare6nhm1hq2c>
From: "Matt Sergeant" <[EMAIL PROTECTED]>
To: "Charlie Watts" <[EMAIL PROTECTED]>,
        <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] ^M's in subject lines?
Date: Wed, 23 Jan 2002 13:50:28 -0000
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
Precedence: bulk

----- Original Message -----
From: "Charlie Watts" <[EMAIL PROTECTED]>


> I'm seeing more and more spam with embedded ^M's in the subject lines.
>
> I'm trying to figure out if this is even legal. If it isn't, I'll just
> block it in postfix ...

It's legal assuming the next line is a continuation - i.e. it starts with
whitespace.

Matt.
--
<:->get a SMart net</:->
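
The parser disagreement reported in this thread (one tool keeps reading headers past a bare ^M, another treats it as a line end and loses X-Spam-Status to the body), as an added example that is not part of the original posts. The two splitting models are simplified stand-ins, not the code of SpamAssassin, Pine or maildrop, and both sample messages are constructed; the second shows that legal CRLF folding is not flagged.

```python
import re

FIELD_NAME = re.compile(rb"^[!-9;-~]+$")   # printable ASCII except ':'

# Constructed sample: bare CR bytes inside the Subject value.
SAMPLE_BARE_CR = (
    b"Return-Path: <sender@example.invalid>\n"
    b"Subject: first line\rsecond line\rthird line\n"
    b"X-Spam-Status: Yes, hits=13.8 required=5.0\n"
    b"\n"
    b"constructed body\n"
)

# Constructed sample: the same Subject as a legally folded field (CRLF + whitespace).
SAMPLE_FOLDED = (
    b"Subject: first line\r\n    second line\r\n    third line\r\n"
    b"X-Spam-Status: No, hits=2.2 required=5.0\r\n"
    b"\r\n"
    b"constructed body\r\n"
)


def header_names(raw, cr_ends_line):
    """Names of the header fields a reader sees before it decides the body starts.

    cr_ends_line=False models a reader that breaks lines only at LF or CRLF;
    cr_ends_line=True models one that also breaks at a bare CR.
    """
    text = raw.replace(b"\r\n", b"\n")
    if cr_ends_line:
        text = text.replace(b"\r", b"\n")
    names = []
    for line in text.split(b"\n"):
        if line == b"":
            break                              # blank line: end of headers
        if line[:1] in (b" ", b"\t"):
            continue                           # folded continuation line
        name, sep, _ = line.partition(b":")
        if not sep or not FIELD_NAME.match(name):
            break                              # not a field: rest is taken as body
        names.append(name.decode("ascii").lower())
    return names


def hidden_from_cr_splitter(raw):
    """Fields the LF-only reader sees but the CR-splitting reader does not."""
    seen = header_names(raw, cr_ends_line=True)
    return [n for n in header_names(raw, cr_ends_line=False) if n not in seen]


def fields_with_bare_cr(raw):
    """Names of header fields containing a CR that is not part of CRLF."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    flagged, current = [], None
    for line in head.split(b"\n"):
        if line[:1] not in (b" ", b"\t"):
            current = line.partition(b":")[0].decode("ascii", "replace").lower()
        if b"\r" in line and current not in flagged:
            flagged.append(current)
    return flagged


if __name__ == "__main__":
    for label, msg in (("bare CR", SAMPLE_BARE_CR), ("folded", SAMPLE_FOLDED)):
        print(label, "| flagged:", fields_with_bare_cr(msg),
              "| hidden:", hidden_from_cr_splitter(msg))
```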



--__--__--

Message: 34
Date: Wed, 23 Jan 2002 06:52:35 -0700 (MST)
From: Charlie Watts <[EMAIL PROTECTED]>
To: Matt Sergeant <[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]>
Subject: Re: [SAtalk] interesting pills (sent at 7:57:05 to
[EMAIL PROTECTED])
 (fwd)
In-Reply-To: <091701c1a414$c4790050$a064020a@stare6nhm1hq2c>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [EMAIL PROTECTED]
Precedence: bulk

On Wed, 23 Jan 2002, Matt Sergeant wrote:
> The URL munging though doesn't make any sense to me. I can't get the
> link to display, neither in IE or Mozilla. Is it exploiting some
> client bug that I'm not aware of? The characters in that URL are (in
> hex) 14 02 14 05 14, which is DC4 STX DC4 ENQ DC4 according to man
> ascii, which is also Ctrl-N, Ctrl-B, Ctrl-N, Ctrl-E, Ctrl-N. Not sure
> if that does anything - it certainly doesn't for me on a terminal
> window.

Agreed. I can't get it, or any portion of it, to do anything interesting.

I must wish them luck ... spamming without providing contact info seems a
waste of time.

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/



--__--__--

Message: 35
Date: Wed, 23 Jan 2002 07:01:48 -0700 (MST)
From: Charlie Watts <[EMAIL PROTECTED]>
To: Matt Sergeant <[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]>
Subject: Re: [SAtalk] ^M's in subject lines?
In-Reply-To: <091d01c1a414$ead91140$a064020a@stare6nhm1hq2c>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [EMAIL PROTECTED]
Precedence: bulk

On Wed, 23 Jan 2002, Matt Sergeant wrote:
> > I'm seeing more and more spam with embedded ^M's in the subject lines.
> >
> > I'm trying to figure out if this is even legal. If it isn't, I'll just
> > block it in postfix ...
>
> It's legal assuming the next line is a continuation - i.e. it starts with
> whitespace.

This is something different, then.

If I do this (The ^M's in the second message are created by typing
"Control-v, Enter") to send two messages:

220 cadmium.frontier.net ESMTP : NO UCE, NO UBE, NO SPAM
helo me
250 cadmium.frontier.net
mail from: <[EMAIL PROTECTED]>
250 Ok
rcpt to: <[EMAIL PROTECTED]>
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: first line
    second line
    third line

.
250 Ok: queued as 6FC567A5B1
mail from: <[EMAIL PROTECTED]>
250 Ok
rcpt to: <[EMAIL PROTECTED]>
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: first line^Msecond line^Mthird line

.
250 Ok: queued as 1986E7A568
quit
221 Bye


The first one looks like this:

Return-Path: <[EMAIL PROTECTED]>
Received: from me (localhost [127.0.0.1])
        by cadmium.frontier.net (Postfix) with SMTP id 6FC567A5B1
        for <[EMAIL PROTECTED]>; Wed, 23 Jan 2002 06:54:53 -0700 (MST)
Subject: first line
    second line
    third line
Message-Id: <[EMAIL PROTECTED]>
Date: Wed, 23 Jan 2002 06:54:53 -0700 (MST)
From: [EMAIL PROTECTED]
To: undisclosed-recipients:;
X-Spam-Status: No, hits=2.2 required=5.0 tests=NO_REAL_NAME,UNDISC_RECIPS
version=2.1

And the second one:

Return-Path: <[EMAIL PROTECTED]>
Received: from me (localhost [127.0.0.1])
        by cadmium.frontier.net (Postfix) with SMTP id 1986E7A568
        for <[EMAIL PROTECTED]>; Wed, 23 Jan 2002 06:55:19 -0700 (MST)
Subject: first line

Message-Id: <[EMAIL PROTECTED]>
Date: Wed, 23 Jan 2002 06:55:19 -0700 (MST)
From: [EMAIL PROTECTED]
To: undisclosed-recipients:;
X-Spam-Status: No, hits=3.2 required=5.0
tests=NO_REAL_NAME,SUBJECT_NEWLINE,UNDISC_RECIPS version=2.1


I take back my statement that Pine handles them incorrectly, though. It
looks like it's doing fine, but maildrop is handling them wrong. I'll bug
the author.

Gracias ...

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/





--__--__--

Message: 36
Date: Wed, 23 Jan 2002 07:06:50 -0700 (MST)
From: Charlie Watts <[EMAIL PROTECTED]>
To: Michael Moncur <[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]>
Subject: Re: [SAtalk] Subject munging bug?
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [EMAIL PROTECTED]

On Wed, 23 Jan 2002, Michael Moncur wrote:

> Below are the headers from one of the messages - it's easy to tell
> what happened. The message had two subject headers. SpamAssassin is
> munging the second one, but Outlook is using the first one as the
> subject of the message. The other message had the same problem.

According to RFC2822, only one Subject: header is allowed.

Pine, at least, when displaying messages with multiple Subject: headers,
does this:

Subject: first
Subject: second

will get displayed as:

Subject: first, second

Perhaps spamassassin should (optionally?!) fold multiple Subject: headers
into one?

I'd like to just bounce non-RFC compliant mail, but can't figure out how
to get postfix to check for two Subject headers ... anybody have general
thoughts?

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/
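
Added example, not part of the thread and not SpamAssassin or postfix code: a header audit covering both checks discussed in messages 35 and 36 above, a bare CR embedded in a header field and a repeated Subject: field (RFC 2822 section 3.6 allows at most one). The function names and the three sample messages are constructed for illustration.

```python
import re

# RFC 2822 section 3.6: fields that may appear at most once in a message.
SINGLE_INSTANCE = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
                   "message-id", "in-reply-to", "references", "subject"}

def parse_fields(raw: bytes):
    """Return [name, value] pairs from the header section, unfolding
    continuation lines. A CR that is not part of a line ending stays in the value."""
    end = re.search(rb"\r?\n\r?\n", raw)          # first empty line ends the headers
    block = raw[:end.start()] if end else raw
    fields = []
    for line in re.split(rb"\r?\n", block):       # accept CRLF (wire) and LF (on disk)
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1][1] += b" " + line.strip(b" \t")   # legal folding
        elif b":" in line:
            name, value = line.split(b":", 1)
            fields.append([name.strip().lower().decode("ascii", "replace"),
                           value.strip(b" \t")])
    return fields

def audit_headers(raw: bytes):
    """Return sorted findings: bare CR inside a field, repeated single-instance fields."""
    findings, counts = set(), {}
    for name, value in parse_fields(raw):
        counts[name] = counts.get(name, 0) + 1
        if b"\r" in value:                        # any CR left here is a bare CR
            findings.add(f"bare-cr:{name}")
    for name, n in counts.items():
        if n > 1 and name in SINGLE_INSTANCE:
            findings.add(f"duplicate:{name}:{n}")
    return sorted(findings)

def subject_views(raw: bytes):
    """Show how a client may render Subject: first only, last only, or all
    joined with ', ' (the Pine behaviour described in the thread)."""
    subs = [v.replace(b"\r", b" ").decode("ascii", "replace")
            for n, v in parse_fields(raw) if n == "subject"]
    if not subs:
        return {}
    return {"first": subs[0], "last": subs[-1], "joined": ", ".join(subs)}

# Constructed sample messages (not taken from real mail).
FOLDED = (b"From: a@example.org\r\nSubject: first line\r\n    second line\r\n"
          b"    third line\r\n\r\nbody\r\n")
BARE_CR = (b"From: a@example.org\r\n"
           b"Subject: first line\rsecond line\rthird line\r\n\r\nbody\r\n")
TWO_SUBJECTS = b"From: a@example.org\r\nSubject: first\r\nSubject: second\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for label, msg in (("folded", FOLDED), ("bare CR", BARE_CR),
                       ("two subjects", TWO_SUBJECTS)):
        print(label, audit_headers(msg), subject_views(msg))
```

When "first" and "last" differ, a filter that rewrites one Subject: field and a mail client that displays the other will disagree, which is the situation reported in the quoted message.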



--__--__--

Message: 37
Date: 23 Jan 2002 14:53:04 -0000
Message-ID: <[EMAIL PROTECTED]>
From: "Peter Mahnke" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Subject: [SAtalk] FYI this didn't get picked up
Sender: [EMAIL PROTECTED]

do people on this list want this?

what is a better place for this?

should I send it right to razor?

Peter

Date: Tue, 22 Jan 2002 20:42:47 -0800 (PST)
From: john ugo <[EMAIL PROTECTED]>
Subject: We need help
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Status: No, hits=1 required=5 tests=FROM_ENDS_IN_NUMS

From: MR JOHN YOUNG UGO
23rd January, 2002

Dear Sir,

My name is MR JOHN YOUNG UGO the eldest son of Rt.
General JEREMAIAH.  J. T. UGO who wacontacting you in a benevolent spirit;
utmost
confidence and trust to enable us provide a solution
to a money transfer of $60M that is presently putting
my entire family into great disarray.  You may be
quite surprised at my sudden contact to you but do not
despair.

I got your contact from a business site on the
Internet and following the information I gathered
about you, I was convinced that you could be of
assistance to me. So, I decided to contact you at once
due to the urgency required for us to immediately
transfer the said funds out of the country.

During the time my father was in the government with
the late General Sani Abacha as the head of state,they
were both involved in several deals that yielded
Billions of Dollars. The prominent amongst the deals
was monies that emanated from funds set aside for the
importation of Arms and Ammunitions to boost the
Nigerian Defense.

Funds set to embark on an oversea Campaign to counter
the United Statepower, and monies set aside to rehabilitate the ailing
Nigerian Petroleum Refineries and the National
Electric Power Authority which supplies Electricity to
the entire nation. If you are conversant with world
news, you would understand better.

During this period my father was able to make some
good money for himself and kept in his private bank
accounts. The then head of state General Sani Abacha
transferred his share of the money through a Lebanese
businessman, Chagoury and a Jewish businessman, Mark
rissar to bank accounts overseas. Unfortunately, all
the secrets were revealed by the investigation
agencies set up by the successive governmentthe various accounts to the
Federal Government
Treasury.

Out of the money my father made, he left the sum of
N50 Million (Fifty Million Naira) in the CBN escrow
account for further transfer into a foreign account
and a sum of $60M (Sixty Million Dollars) was kept in
a Private security firm here in Nigeria. Through the
ConfessionMillion were recovered by the investigating agency
from the CBN escrow account.  But were unable to
discover the $60M, which he kept in the vaults.

The reason is because no names were used to lodge in
the funds. Instead, he used PERSONAL IDENTIFICATION
NUMBERS (PIN) and declared the contents as Bearer
Bonds and Treasury Bills. Also the firm issued him
with a certificate of deposit of the consignments.
Note that I have this information in my custody. Right
now, my father has been arrested and detained for
interrogation.

As the eldest son of my Father, I believe that I owe
the entire family an obligation to ensure that the
$60M is successfully transferred abroad for investment
purposes.  With the present situation, I cannot do it
all by myself. It is based on this that I am making
this contact with you. I have done a thorough homework
and fine-tuned the best way to create you as the
beneficiary to the funds and effect the transfer
accordingly.

It is rest assured that the modalities I have resolved
to finalize the entire project guarantees our safety
and the successful transfer of the funds.  So, you
will be absolutely right when you say that this
project is riskexploiting us on the pretence of trying to help my
father. As it is said,  free and viable. If you are capable
and willing to assist,  contact me at once via email
for more details.

Believe me, there is no one else we can trust again.
All my fatherss made by the Abachas and most
of the Abachas action to put a stop to the self
succession bid of the Abachas the estwhile
Minister of the Federal Capitthat you know your true friendas.  So long as
you keep
everything to yourself, we would definitely have no
problems.

For your assistance, I am ready to give you as much as
20% of the total funds after transfer and invest a
reasonable percentage into any viable business you may
suggest. Please, I need your assistance to make this
happen and please; do not undermine it because it will
also be a source of up liftment to you.  You have
nothing to loose in assisting us instead, you have so
much to gain.

Awaiting your urgent and positive response.

BEST REGARDS,

MR JOHN YOUNG UGO

l territory Abuja in the
late General Sani Abacha
__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/




--__--__--

Message: 38
Mailbox-Line: From [EMAIL PROTECTED]  Wed Jan 23 14:55:47 2002
Message-ID: <[EMAIL PROTECTED]>
From: Tony Hoyle <[EMAIL PROTECTED]>
To: 'Peter Mahnke' <[EMAIL PROTECTED]>,
        [EMAIL PROTECTED]
Subject: RE: [SAtalk] FYI this didn't get picked up
Date: Wed, 23 Jan 2002 15:00:37 -0000
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Sender: [EMAIL PROTECTED]


> -----Original Message-----
> From: Peter Mahnke [mailto:[EMAIL PROTECTED]]
> Sent: 23 January 2002 14:53
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] FYI this didn't get picked up
>
>
> do people on this list want this?
>
> what is a better place for this?
>
> should I send it right to razor?
>
Standard Nigerian scam...  At one point you were supposed to forward these
to the FBI but I suspect there are so many now that they've stopped
reading them.

They're getting quite creative now...  changing the phrases used randomly
to avoid things like SA.  'Nigerian defense' is a likely match in this case.

Tony


--__--__--

Message: 39
Date: Wed, 23 Jan 2002 15:12:50 +0000 (GMT)
From: Ged Haywood <[EMAIL PROTECTED]>
To: Tony Hoyle <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: RE: [SAtalk] FYI this didn't get picked up
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID:
<[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [EMAIL PROTECTED]

Hi there,

On Wed, 23 Jan 2002, Tony Hoyle wrote:

> Standard Nigerian scam...  At one point you were supposed to forward these
> to the FBI but I suspect there are so many now that they've stopped
> reading them.

The FBI don't even seem to be interested when I give them the names
and addresses of the crooks.  I suppose they do have a lot on their
plates at the moment.

73,
Ged.



--__--__--

Message: 40
Message-ID: <001101c1a421$d23d3ff0$3a816041@smoking>
From: "rODbegbie" <[EMAIL PROTECTED]>
To: "Peter Mahnke" <[EMAIL PROTECTED]>,
   "Matt Sergeant" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
References:   <> <[EMAIL PROTECTED]>
Subject: Re: [SAtalk] SPAM TRAPPING with QMAIL
Date: Wed, 23 Jan 2002 10:22:50 -0500
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]

The problem with this is the "Forwarding".  When a user does that, the
headers are no longer correct, and the message is changed.  Now, a version
of the email with "Forwarded Message" headers inside is reported to Razor.

I do have a honeytrap-ish account.  The .qmail-default file reads:

|/usr/bin/razor-report
|mailsubj spam [EMAIL PROTECTED]
./Maildir/.Spam.oldnews/

I use it for an old account I used to use on USENET.  The mail is
automatically razor-reported and submitted to Spamcop, then dumped in a
folder.

HTH,

rOD.

--
C is for Cookie.  That's good enough for me.


----- Original Message -----
From: "Peter Mahnke" <[EMAIL PROTECTED]>
To: "Matt Sergeant" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, January 23, 2002 6:51 AM
Subject: Re: [SAtalk] SPAM TRAPPING with QMAIL


> I guess a honeypot.
>
> What I want to do is have an account where people can forward SPAM mail
> that they decide is actually spam.  That account will automagically process
> it and forward it to Razor.  It would also be nice to keep a copy in a
> qmail maildir.
>
> I have tried to play with the .qmail-default file, but with no success.
>
> Thanks,
>
> Peter
> On Wed, 23 Jan 2002 11:00:37 -0000, "Matt Sergeant"
> <[EMAIL PROTECTED]> wrote :
>
> > ----- Original Message -----
> > From: "Peter Mahnke" <[EMAIL PROTECTED]>
> >
> >
> > > Does anyone know how to setup a spam trapping email account with a QMAIL
> > > installation?
> > >
> > > Preferably with keeping a copy of the message.
> >
> > Do you mean a honeypot, or do you mean how do I setup qmail to use
> > SpamAssassin?
> >
> > Matt.
> >
> >
> >
> >
>
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
>






--__--__----
--10.3.1.13.69.11141.1011799497.310.22278
Content-type: text/plain; charset=us-ascii
Content-description: Digest Footer

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


--10.3.1.13.69.11141.1011799497.310.22278--

End of Spamassassin-talk Digest

