New Spam

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Wed Mar 23 12:23:21 GMT 2005


Roger

some 'odd' things I notice quickly.

the URI module is 1.19, mine is 1.35, try upgrading the URI::URL perl
module.

I get more debug for the DNS tests ....

debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.48
debug: trying (3) akamai.com...
debug: looking up NS for 'akamai.com'
debug: NS lookup of akamai.com succeeded => Dns available (set
dns_available to hardcode)
debug: is DNS available? 1

you don't seem to be getting all this. Is DNS working properly on this host?


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Roger Jochem wrote:
>>spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf -D --lint <
>
> /etc/MailScanner/email.eml
> debug: SpamAssassin version 3.0.2
> debug: Score set 0 chosen.
> debug: running in taint mode? yes
> debug: Running in taint mode, removing unsafe env vars, and resetting PATH
> debug: PATH included '/bin', keeping.
> debug: PATH included '/usr/bin', keeping.
> debug: PATH included '/sbin', keeping.
> debug: PATH included '/usr/sbin', keeping.
> debug: PATH included '/usr/local/bin', keeping.
> debug: Final PATH set to: /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
> debug: diag: module installed: DBI, version 1.32
> debug: diag: module installed: DB_File, version 1.810
> debug: diag: module installed: Digest::SHA1, version 2.10
> debug: diag: module installed: IO::Socket::UNIX, version 1.2
> debug: diag: module installed: MIME::Base64, version 2.12
> debug: diag: module installed: Net::DNS, version 0.48
> debug: diag: module installed: Net::LDAP, version 0.32
> debug: diag: module installed: Razor2::Client::Agent, version 2.67
> debug: diag: module installed: Storable, version 2.06
> debug: diag: module installed: URI, version 1.19
> debug: ignore: using a test message to lint rules
> debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
> debug: config: read file /etc/mail/spamassassin/init.pre
> debug: using "/usr/share/spamassassin" for default rules dir
> debug: config: read file /usr/share/spamassassin/10_misc.cf
> debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
> debug: config: read file /usr/share/spamassassin/20_body_tests.cf
> debug: config: read file /usr/share/spamassassin/20_compensate.cf
> debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
> debug: config: read file /usr/share/spamassassin/20_drugs.cf
> debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
> debug: config: read file /usr/share/spamassassin/20_head_tests.cf
> debug: config: read file /usr/share/spamassassin/20_html_tests.cf
> debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
> debug: config: read file /usr/share/spamassassin/20_phrases.cf
> debug: config: read file /usr/share/spamassassin/20_porn.cf
> debug: config: read file /usr/share/spamassassin/20_ratware.cf
> debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
> debug: config: read file /usr/share/spamassassin/23_bayes.cf
> debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
> debug: config: read file /usr/share/spamassassin/25_hashcash.cf
> debug: config: read file /usr/share/spamassassin/25_spf.cf
> debug: config: read file /usr/share/spamassassin/25_uribl.cf
> debug: config: read file /usr/share/spamassassin/30_text_de.cf
> debug: config: read file /usr/share/spamassassin/30_text_fr.cf
> debug: config: read file /usr/share/spamassassin/30_text_nl.cf
> debug: config: read file /usr/share/spamassassin/30_text_pl.cf
> debug: config: read file /usr/share/spamassassin/50_scores.cf
> debug: config: read file /usr/share/spamassassin/60_whitelist.cf
> debug: using "/etc/mail/spamassassin" for site rules dir
> debug: config: read file /etc/mail/spamassassin/bogus-virus-warnings.cf
> debug: config: read file /etc/mail/spamassassin/regras-rudnick.cf
> debug: using "/root/.spamassassin" for user state dir
> debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
> debug: config: read file /etc/MailScanner/spam.assassin.prefs.conf
> debug: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC
> debug: plugin: registered
> Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x96a3f80)
> debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> debug: plugin: registered
> Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x96d4be4)
> debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
> debug: plugin: registered
> Mail::SpamAssassin::Plugin::Hashcash=HASH(0x96ba9cc)
> debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
> debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x96d4cf4)
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x96d4be4)
> implements 'parse_config'
> debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x96ba9cc)
> implements 'parse_config'
> debug: bayes: 22595 tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks
> debug: bayes: 22595 tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_seen
> debug: bayes: found bayes db version 3
> debug: Score set 3 chosen.
> debug: ---- MIME PARSER START ----
> debug: main message type: text/plain
> debug: parsing normal part
> debug: added part, type: text/plain
> debug: ---- MIME PARSER END ----
> debug: metadata: X-Spam-Relays-Trusted:
> debug: metadata: X-Spam-Relays-Untrusted:
> debug: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x96a3f80)
> implements 'extract_metadata'
> debug: metadata: X-Relay-Countries:
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x96d4be4)
> implements 'parsed_metadata'
> debug: dns_available set to yes in config file, skipping test
> debug: decoding: no encoding detected
> debug: URIDNSBL: domains to query:
> debug: is Net::DNS::Resolver available? yes
> debug: Net::DNS version: 0.48
> debug: all '*From' addrs: ignore at compiling.spamassassin.taint.org
> debug: Running tests for priority: 0
> debug: running header regexp tests; score so far=0
> debug: registering glue method for check_hashcash_double_spend
> (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x96ba9cc))
> debug: registering glue method for check_for_spf_helo_pass
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x96d4cf4))
> debug: SPF: message was delivered entirely via trusted relays, not required
> debug: registering glue method for check_hashcash_value
> (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x96ba9cc))
> debug: all '*To' addrs:
> debug: registering glue method for check_for_spf_softfail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x96d4cf4))
> debug: SPF: message was delivered entirely via trusted relays, not required
> debug: registering glue method for check_for_spf_pass
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x96d4cf4))
> debug: registering glue method for check_for_spf_helo_softfail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x96d4cf4))
> debug: registering glue method for check_for_spf_fail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x96d4cf4))
> debug: registering glue method for check_for_spf_helo_fail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x96d4cf4))
> debug: running body-text per-line regexp tests; score so far=-3.174
> debug: running uri tests; score so far=-3.174
> debug: registering glue method for check_uridnsbl
> (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x96d4be4))
> debug: bayes corpus size: nspam = 16915, nham = 42798
> debug: tokenize: header tokens for *F = "U*ignore
> D*compiling.spamassassin.taint.org D*spamassassin.taint.org D*taint.org
> D*org"
> debug: tokenize: header tokens for *m = "  1111579447 lint_rules "
> debug: tokenize: header tokens for X-Relay-Countries = " "
> debug: tokenize: header tokens for *RT = " "
> debug: tokenize: header tokens for *RU = " "
> debug: bayes token 'H*Ad:D*org' => 0.0173548387096774
> debug: bayes token 'message' => 0.0636082163551004
> debug: bayes token 'H*F:D*org' => 0.902720711501242
> debug: bayes: score = 0.367449123126298
> debug: bayes: 22595 untie-ing
> debug: bayes: 22595 untie-ing db_toks
> debug: bayes: 22595 untie-ing db_seen
> debug: Razor2 is available
> debug: entering helper-app run mode
>  Razor-Log: Computed razorhome from env: /root/.razor
>  Razor-Log: Found razorhome: /root/.razor
>  Razor-Log: No /root/.razor/razor-agent.conf found, skipping.
>  Razor-Log: No razor-agent.conf found, using defaults.
> Mar 23 09:04:08.684766 check[22595]: [ 2] [bootup] Logging initiated
> LogDebugLevel=9 to stdout
> Mar 23 09:04:08.685113 check[22595]: [ 5] computed razorhome=/root/.razor,
> conf=, ident=/root/.razor/identity-ruhf3afFHl
> Mar 23 09:04:08.685259 check[22595]: [ 8] Client supported_engines: 4 8
> Mar 23 09:04:08.685545 check[22595]: [ 8]  prep_mail done: mail 1
> headers=93, mime0=1376
> Mar 23 09:04:08.685799 check[22595]: [ 5] read_file: 1 items read from
> /root/.razor/servers.discovery.lst
> Mar 23 09:04:08.685993 check[22595]: [ 5] read_file: 2 items read from
> /root/.razor/servers.nomination.lst
> Mar 23 09:04:08.686159 check[22595]: [ 5] read_file: 1 items read from
> /root/.razor/servers.catalogue.lst
> Mar 23 09:04:08.686375 check[22595]: [ 9] Assigning defaults to
> folly.cloudmark.com
> Mar 23 09:04:08.686489 check[22595]: [ 9] Assigning defaults to
> joy.cloudmark.com
> Mar 23 09:04:08.686610 check[22595]: [ 9] Assigning defaults to
> shock.cloudmark.com
> Mar 23 09:04:08.687211 check[22595]: [ 5] read_file: 12 items read from
> /root/.razor/server.joy.cloudmark.com.conf
> Mar 23 09:04:08.687599 check[22595]: [ 5] read_file: 12 items read from
> /root/.razor/server.joy.cloudmark.com.conf
> Mar 23 09:04:08.688071 check[22595]: [ 5] read_file: 16 items read from
> /root/.razor/server.pride.cloudmark.com.conf
> Mar 23 09:04:08.688507 check[22595]: [ 5] read_file: 16 items read from
> /root/.razor/server.pride.cloudmark.com.conf
> Mar 23 09:04:08.688948 check[22595]: [ 5] read_file: 16 items read from
> /root/.razor/server.shock.cloudmark.com.conf
> Mar 23 09:04:08.689375 check[22595]: [ 5] read_file: 16 items read from
> /root/.razor/server.shock.cloudmark.com.conf
> Mar 23 09:04:08.689830 check[22595]: [ 5] read_file: 16 items read from
> /root/.razor/server.tension.cloudmark.com.conf
> Mar 23 09:04:08.690263 check[22595]: [ 5] read_file: 16 items read from
> /root/.razor/server.tension.cloudmark.com.conf
> Mar 23 09:04:08.690712 check[22595]: [ 5] read_file: 16 items read from
> /root/.razor/server.prejudice.cloudmark.com.conf
> Mar 23 09:04:08.691145 check[22595]: [ 5] read_file: 16 items read from
> /root/.razor/server.prejudice.cloudmark.com.conf
> Mar 23 09:04:08.691282 check[22595]: [ 5] 39439 seconds before closest
> server discovery
> Mar 23 09:04:08.691408 check[22595]: [ 6] shock.cloudmark.com is a Catalogue
> Server srl 5065; computed min_cf=6, Server se: C8
> Mar 23 09:04:08.691541 check[22595]: [ 8] Computed supported_engines: 4 8
> Mar 23 09:04:08.691632 check[22595]: [ 8] Using next closest server
> shock.cloudmark.com:2703, cached info srl 5065
> Mar 23 09:04:08.691709 check[22595]: [ 8] mail 1 has no subject
> Mar 23 09:04:08.693278 check[22595]: [ 6] preproc: mail 1.0 went from 1376
> bytes to 1339
> Mar 23 09:04:08.693380 check[22595]: [ 6] computing sigs for mail 1.0, len
> 1339
> Mar 23 09:04:08.695397 check[22595]: [ 6] Engine (8) didn't produce a
> signature for mail 1.0
> Mar 23 09:04:08.695538 check[22595]: [ 6] skipping whitelist file (empty?):
> /root/.razor/razor-whitelist
> Mar 23 09:04:08.695625 check[22595]: [ 5] Connecting to shock.cloudmark.com
> ...
> Mar 23 09:04:09.160788 check[22595]: [ 8] Connection established
> Mar 23 09:04:09.160951 check[22595]: [ 4] shock.cloudmark.com >> 36 server
> greeting: sn=C&srl=5065&a=l&a=cg&ep4=7542-10
> Mar 23 09:04:09.161289 check[22595]: [ 4] shock.cloudmark.com << 25
> Mar 23 09:04:09.161343 check[22595]: [ 6] cn=razor-agents&cv=2.67
> Mar 23 09:04:09.161503 check[22595]: [ 6] shock.cloudmark.com is a Catalogue
> Server srl 5065; computed min_cf=6, Server se: C8
> Mar 23 09:04:09.161654 check[22595]: [ 8] Computed supported_engines: 4 8
> Mar 23 09:04:09.161767 check[22595]: [ 8] mail 1.0 e4 sig:
> xFaZIZUVHk90OQfARnenjx5BZTMA
> Mar 23 09:04:09.161867 check[22595]: [ 5] mail 1.0 e8 got no sig
> Mar 23 09:04:09.161949 check[22595]: [ 8] preparing 1 queries
> Mar 23 09:04:09.162082 check[22595]: [ 8] sending 1 batches
> Mar 23 09:04:09.162180 check[22595]: [ 4] shodebug: Using results from Razor
> v2.67
> debug: Found Razor2 part: part=0 engine=4 ct=0 cf=0
> debug: leaving helper-app run mode
> ck.cloudmark.com << 52
> Mar 23 09:04:09.162272 check[22595]: [ 6]
> a=c&e=4&ep4=7542-10&s=xFaZIZUVHk90OQfARnenjx5BZTMA
> Mar 23 09:04:09.682945 check[22595]: [ 4] shock.cloudmark.com >> 5
> Mar 23 09:04:09.683039 check[22595]: [ 6] response to sent.2
> p=0
> Mar 23 09:04:09.683356 check[22595]: [ 6] mail 1.0 e=4
> sig=xFaZIZUVHk90OQfARnenjx5BZTMA: sig not found.
> Mar 23 09:04:09.683432 check[22595]: [ 7] method 4: mail 1.0: no-contention
> part, spam=0
> Mar 23 09:04:09.683485 check[22595]: [ 7] method 4: mail 1: all
> non-contention parts not spam, mail not spam
> Mar 23 09:04:09.683536 check[22595]: [ 3] mail 1 is not known spam.
> Mar 23 09:04:09.683603 check[22595]: [ 5] disconnecting from server
> shock.cloudmark.com
> Mar 23 09:04:09.683716 check[22595]: [ 4] shock.cloudmark.com << 5
> Mar 23 09:04:09.683764 check[22595]: [ 6] a=q
> debug: Razor2 results: spam? 0  highest cf score: 0
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x96d4be4)
> implements 'check_tick'
> debug: running raw-body-text per-line regexp tests; score so far=-4.27
> debug: running full-text regexp tests; score so far=-4.27
> debug: Razor2 is available
> debug: Pyzor is available: /usr/local/bin/pyzor
> debug: entering helper-app run mode
> debug: setuid: helper proc 22598: ruid=0 euid=0
> debug: Pyzor: got response: 66.250.40.33:24441 (200, 'OK') 0 0
> debug: leaving helper-app run mode
> debug: DCCifd is not available: no r/w dccifd socket found.
> debug: DCC is available: /usr/local/bin/dccproc
> debug: entering helper-app run mode
> debug: setuid: helper proc 22600: ruid=0 euid=0
> debug: DCC: got response: X-DCC-xmailer-Metrics: mail.rudnick.com.br 1192;
> Body=49131 Fuz1=7421721 Fuz2=7422029
> debug: leaving helper-app run mode
> debug: DCC: Listed! BODY: 49131 of 999999 FUZ1: 7421721 of 999999 FUZ2:
> 7422029 of 999999
> debug: Running tests for priority: 500
> debug: RBL: success for 1 of 1 queries
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x96d4be4)
> implements 'check_post_dnsbl'
> debug: running meta tests; score so far=-2.101
> debug: running header regexp tests; score so far=-0.875
> debug: running body-text per-line regexp tests; score so far=-0.875
> debug: running uri tests; score so far=-0.875
> debug: running raw-body-text per-line regexp tests; score so far=-0.875
> debug: running full-text regexp tests; score so far=-0.875
> debug: Running tests for priority: 1000
> debug: running meta tests; score so far=-0.875
> debug: running header regexp tests; score so far=-0.875
> debug: running body-text per-line regexp tests; score so far=-0.875
> debug: running uri tests; score so far=-0.875
> debug: running raw-body-text per-line regexp tests; score so far=-0.875
> debug: running full-text regexp tests; score so far=-0.875
> debug: is spam? score=-0.875 required=5
> debug:
> tests=ALL_TRUSTED,BAYES_40,DCC_CHECK,MISSING_HEADERS,MISSING_SUBJECT,NO_REAL
> _NAME
> debug:
> subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__SANE_MSGID,__UNUSAB
> LE_MSGID
>
>
>
> ----- Original Message -----
> From: "Martin Hepworth" <martinh at SOLID-STATE-LOGIC.COM>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Wednesday, March 23, 2005 8:44 AM
> Subject: Re: New Spam
>
>
>
>>That means there's nothing in the input to query.
>>
>>Try with your email you originally sent to the list and post the full
>>output back here..
>>
>>spamassassin -p <path-to>/spam.assassin.prefs.conf -D --lint \
>>< youremail.eml
>>
>>
>>
>>--
>>Martin Hepworth
>>Snr Systems Administrator
>>Solid State Logic
>>Tel: +44 (0)1865 842300
>>
>>
>>Roger Jochem wrote:
>>
>>>It is active...
>>>
>>>But running in debug it shows:
>>>
>>>URIDNSBL: Domains to query:
>>>
>>>And doesn't show any domain
>>>
>>>----- Original Message -----
>>>From: "Drew Marshall" <drew at THEMARSHALLS.CO.UK>
>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>>Sent: Wednesday, March 23, 2005 7:39 AM
>>>Subject: Re: New Spam
>>>
>>>
>>>
>>>
>>>>Martin Hepworth said:
>>>>
>>>>
>>>>>Roger
>>>>>
>>>>>make sure the plugin is enabled in /etc/mail/spamassassin/init.pre
>>>>
>>>>
>>>>Hmm, close with pre.init. Take Martin's advice, much more accurate :-)
>>>>
>>>>--
>>>>In line with our policy, this message has
>>>>been scanned for viruses and dangerous
>>>>content by MailScanner, and is believed to be clean.
>>>>www.themarshalls.co.uk/policy
>>>>
>>>>------------------------ MailScanner list ------------------------
>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>'leave mailscanner' in the body of the email.
>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>>Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>>**********************************************************************
>>
>>This email and any files transmitted with it are confidential and
>>intended solely for the use of the individual or entity to whom they
>>are addressed. If you have received this email in error please notify
>>the system manager.
>>
>>This footnote confirms that this email message has been swept
>>for the presence of computer viruses and is believed to be clean.
>>
>>**********************************************************************
>>
>
>

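The comparison made in the reply above (installed module versions, whether the DNS probe actually ran, and whether URIDNSBL had anything to query), as an added Python example that is not part of the original post. The function names are hypothetical, the sample lines are copied from the two debug outputs quoted in the thread, and the 1.35 reference is the replier's own URI version, not a documented minimum.

```python
import re

# Lines copied from the two debug outputs quoted in the thread above.
ROGER_LOG = """\
> debug: diag: module installed: Net::DNS, version 0.48
> debug: diag: module installed: URI, version 1.19
> debug: dns_available set to yes in config file, skipping test
> debug: URIDNSBL: domains to query:
> debug: is Net::DNS::Resolver available? yes
"""
MARTIN_LOG = """\
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.48
debug: looking up NS for 'akamai.com'
debug: NS lookup of akamai.com succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1
"""

MODULE_RE = re.compile(r"debug: diag: module installed: (\S+), version (\S+)")
DNS_RE = re.compile(r"debug: is DNS available\? (\d)")
DOMAINS_RE = re.compile(r"debug: URIDNSBL: domains to query:(.*)")
HARDCODED = "dns_available set to yes in config file, skipping test"


def summarize(log):
    """Extract the facts compared in the thread from a -D --lint output."""
    info = {"modules": {}, "dns": "no DNS lines seen", "domains": None}
    for line in log.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail-quoted logs
        if m := MODULE_RE.match(line):
            info["modules"][m.group(1)] = m.group(2)
        elif HARDCODED in line:
            info["dns"] = "hardcoded in config, not probed"
        elif m := DNS_RE.match(line):
            # '1' appears in the thread; treating '0' as failure is an assumption.
            info["dns"] = "probed, working" if m.group(1) == "1" else "probed, failed"
        elif m := DOMAINS_RE.match(line):
            # Assumes a whitespace-separated domain list after the colon.
            info["domains"] = m.group(1).split()
    return info


def findings(info, reference_versions):
    """Turn a summary into the observations a reviewer would raise."""
    out = []
    for name, ref in reference_versions.items():
        have = info["modules"].get(name)
        # Plain decimal version strings, as in the log, compare numerically.
        if have is not None and float(have) < float(ref):
            out.append(f"{name} {have} is older than reference {ref}")
    if info["dns"].startswith("hardcoded"):
        out.append("DNS test skipped: dns_available is forced in the prefs file")
    if info["domains"] == []:
        out.append("URIDNSBL found no domains to query in the input")
    return out


if __name__ == "__main__":
    for finding in findings(summarize(ROGER_LOG), {"URI": "1.35"}):
        print(finding)
```

A forced `dns_available yes` means the absence of the NS-lookup lines says nothing about resolver health, so DNS on the host still has to be checked separately.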