Infinite Monkeys and spamassassin

Ewald Beekman E.H.Beekman at AMC.UVA.NL
Thu Mar 20 19:33:12 GMT 2003


Thanks everybody for the help so far,
My systems didn't have Net::DNS so that was a good tip;
Julian, perhaps you could add that to your webpage
"MailScanner Installation Guide -- SpamAssassin" ?

I added the monkey rules to /etc/mail/spamassassin/local.cf
so it now looks like:

dns_available yes
header RCVD_IN_INFINITE_MONKEYS         rbleval:check_rbl('relay', 'proxies.relays.monkeys.com.')
describe RCVD_IN_INFINITE_MONKEYS       Received via a relay in proxies.relays.monkeys.com
tflags RCVD_IN_INFINITE_MONKEYS         net
score RCVD_IN_INFINITE_MONKEYS          5.00

The strange thing is that in some mails I now see it flagged by SpamAssassin:

Mar 20 19:59:41 sukke MailScanner[3982]: Message h2KIxZr1005344 from 212.85.0.129 (brian_salserj88 at hotmail.com) to amc.uva.nl is spam, ORDB-RBL, SpamAssassin (score=23.7, vereist 5, ALL_CAP_PORN, CLICK_BELOW, DATE_IN_FUTURE_06_12, EXCUSE_3, FAKED_UNDISC_RECIPS, FORGED_HOTMAIL_RCVD, FROM_ENDS_IN_NUMS, INVALID_DATE_TZ_ABSURD, ONLY_COST, RCVD_IN_DSBL, RCVD_IN_INFINITE_MONKEYS, REMOVE_PAGE, SPAM_PHRASE_08_13, SUPERLONG_LINE, SUPPLIES_LIMITED, TO_HAS_SPACES, TO_MALFORMED)

But in other mails MailScanner finds it in the Infinite-Monkeys, but SpamAssassin doesn't:

Mar 20 20:09:38 sukke MailScanner[3982]: Message h2KJ9Rqu006131 from 200.170.149.193 (eonsexxynnickab at aol.com) to amc.uva.nl is spam, Infinite-Monkeys, SpamAssassin (score=13.1, vereist 5, BIG_FONT, CLICK_BELOW, CLICK_BELOW_CAPS, COMPLETELY_FREE, CTYPE_JUST_HTML, FORGED_AOL_RCVD, FREE_ACCESS, HOT_NASTY, HTML_50_70, HTML_COMMENT_UNIQUE_ID, HTML_FONT_COLOR_MAGENTA, MSG_ID_ADDED_BY_MTA_2, OPT_IN, PORN_4, REMOVE_PAGE, SPAM_PHRASE_05_08, TRACKER_ID)

Ewald...

On Tue, Mar 18, 2003 at 02:17:08PM -0800, Brian May wrote:
> /etc/mail/spamassassin/local.cf
>
> everything in /usr/share/spamassassin/ gets overwritten during upgrades...
> local.cf is never touched.
>
>
> ----- Original Message -----
> From: "Desai, Jason" <jase at SENSIS.COM>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Tuesday, March 18, 2003 5:50 AM
> Subject: Re: Infinite Monkeys and spamassassin
>
>
> Is this the typical way of adding new tests to spamassassin?  Would it make
> more sense to put these lines in MailScanner's spam.assassin.prefs.conf?  Or
> is there some limitation with this specific test that it has to go in
> 20_head_tests.cf?
>
> The advantage of putting it in spam.assassin.prefs.conf is that when you
> upgrade spamassassin, you don't need to remember to update the
> 20_head_tests.cf file.  The advantage of putting it in the 20_head_tests.cf
> file would be that other applications that use spamassassin can use the same
> rule.
>
> So where do people normally put new spamassassin rules?
>
> Jason
>
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> > Sent: Tuesday, March 18, 2003 4:56 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: [MAILSCANNER] Infinite Monkeys and spamassassin
> >
> >
> > Take a look at /usr/share/spamassassin/20_head_tests.cf. You need to
> > create a new rule something along these lines:
> >
> > header RCVD_IN_INFINITE_MONKEYS  rbleval:check_rbl('relay', 'proxies.relays.monkeys.com.')
> > describe RCVD_IN_INFINITE_MONKEYS Received via a relay in proxies.relays.monkeys.com
> > tflags RCVD_IN_INFINITE_MONKEYS  net
> >
> > score RCVD_IN_INFINITE_MONKEYS        5.00
> >
> > This will have to go in the SpamAssassin configuration file (other people
> > on the list will be able to give you an exact location).
> >
> > At 09:25 18/03/2003, you wrote:
> > >Spam which slips through (score less than 5) is often identified by the
> > >Infinite-Monkeys RBL. Because I wanted this to add to the score I told
> > >spamassassin to also do RBL checks (skip_rbl_checks 0), but apparently
> > >spamassassin doesn't use the Infinite-Monkeys list because the score stays
> > >low?
> > >
> > >  X-AMC-SpamCheck: spam, Infinite-Monkeys, SpamAssassin (score=3.3, vereist 5,
> > >         BIG_FONT, HTML_50_70, HTML_WITH_BGCOLOR, MIME_HTML_NO_CHARSET,
> > >         MISSING_MIMEOLE, SPAM_PHRASE_00_01, USER_AGENT_OE, WEB_BUGS)
> > >  X-AMC-SpamScore: sss
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >

--
Ewald Beekman, Security Engineer, Academic Medical Center,
dept. ADB/ICT Computer & Network Services, The Netherlands
## Your mind-mint is:
Does the name Pavlov ring a bell?
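
Added example (not part of the original message, and not MailScanner or SpamAssassin code): a small tally over MailScanner "is spam" log lines that separates messages where MailScanner reported Infinite-Monkeys from those where the SpamAssassin rule RCVD_IN_INFINITE_MONKEYS fired, which is the mismatch shown in the two log lines above. The function names are hypothetical and the sample log lines are constructed.

```python
import re

# Shape of the MailScanner "is spam" syslog lines quoted in the post.
LINE_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\S+) \([^)]*\) to \S+ is spam, "
    r"(?P<rbls>.*?)SpamAssassin \((?P<sa>[^)]*)\)"
)
MS_LIST = "Infinite-Monkeys"          # list name as MailScanner logs it
SA_RULE = "RCVD_IN_INFINITE_MONKEYS"  # rule name from the local.cf in the post


def parse(line):
    """Parse one log line (hypothetical helper); None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rbls = [x.strip() for x in m["rbls"].split(",") if x.strip()]
    fields = [x.strip() for x in m["sa"].split(",")]
    score = next((float(f[6:]) for f in fields if f.startswith("score=")), None)
    # Rule names are upper-case identifiers, which skips "score=..." and the
    # localized threshold field ("vereist 5" in the post).
    rules = {f for f in fields if re.fullmatch(r"[A-Z][A-Z0-9_]*", f)}
    return {"id": m["id"], "ip": m["ip"], "rbls": rbls, "score": score, "rules": rules}


def compare(lines):
    """Group (message id, relay IP) by which check reported the list."""
    out = {"both": [], "mailscanner_only": [], "spamassassin_only": [], "neither": []}
    for rec in filter(None, map(parse, lines)):
        ms, sa = MS_LIST in rec["rbls"], SA_RULE in rec["rules"]
        key = ("both" if ms and sa else "mailscanner_only" if ms
               else "spamassassin_only" if sa else "neither")
        out[key].append((rec["id"], rec["ip"]))
    return out


# Constructed sample lines (documentation IPs, made-up ids), not real log data.
SAMPLE = [
    "Mar 20 19:59:41 mx1 MailScanner[3982]: Message idAAAA0001 from 192.0.2.10 (a at example.com) to example.org "
    "is spam, ORDB-RBL, SpamAssassin (score=23.7, vereist 5, CLICK_BELOW, RCVD_IN_INFINITE_MONKEYS)",
    "Mar 20 20:09:38 mx1 MailScanner[3982]: Message idAAAA0002 from 192.0.2.20 (b at example.com) to example.org "
    "is spam, Infinite-Monkeys, SpamAssassin (score=13.1, vereist 5, BIG_FONT, CLICK_BELOW)",
    "Mar 20 20:11:02 mx1 MailScanner[3982]: Message idAAAA0003 from 192.0.2.30 (c at example.com) to example.org "
    "is spam, Infinite-Monkeys, SpamAssassin (score=9.4, vereist 5, BIG_FONT, RCVD_IN_INFINITE_MONKEYS)",
]

if __name__ == "__main__":
    print(compare(SAMPLE))
```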


