{Spam?} Re: [MAILSCANNER] HTML Table SPAM?

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Tue Mar 29 13:49:46 IST 2005


Devon

Ok, you've got the ALL_TRUSTED firing wrong as it can do. Read the
documentation on how the internal_networks and trusted_networks should
be set and make these changes to spam.assassin.prefs.conf

Looks like the URI-RBLs are running so that's fine.

What extra rules have you got for spamassassin in
/etc/mail/spamassassin? I've got a lot from
www.rulesemporium.com/rules.htm and also the
www.rulesemporium.com/other-rules.htm.


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Devon Harding wrote:
> I'm sure everything is enabled.  Here is the result of the spamassassin test:
>
> debug: SpamAssassin version 3.0.2
> debug: Score set 0 chosen.
> debug: running in taint mode? yes
> debug: Running in taint mode, removing unsafe env vars, and resetting PATH
> debug: PATH included '/usr/kerberos/sbin', keeping.
> debug: PATH included '/usr/kerberos/bin', keeping.
> debug: PATH included '/usr/local/sbin', keeping.
> debug: PATH included '/usr/local/bin', keeping.
> debug: PATH included '/sbin', keeping.
> debug: PATH included '/bin', keeping.
> debug: PATH included '/usr/sbin', keeping.
> debug: PATH included '/usr/bin', keeping.
> debug: PATH included '/usr/X11R6/bin', keeping.
> debug: PATH included '/root/bin', which doesn't exist, dropping.
> debug: Final PATH set to:
> /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
> debug: diag: module installed: DBI, version 1.40
> debug: diag: module installed: DB_File, version 1.810
> debug: diag: module installed: Digest::SHA1, version 2.10
> debug: diag: module installed: IO::Socket::UNIX, version 1.21
> debug: diag: module installed: MIME::Base64, version 3.03
> debug: diag: module installed: Net::DNS, version 0.48
> debug: diag: module installed: Net::LDAP, version 0.32
> debug: diag: module installed: Razor2::Client::Agent, version 2.67
> debug: diag: module installed: Storable, version 2.13
> debug: diag: module installed: URI, version 1.35
> debug: ignore: using a test message to lint rules
> debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
> debug: config: read file /etc/mail/spamassassin/init.pre
> debug: using "/usr/share/spamassassin" for default rules dir
> debug: config: read file /usr/share/spamassassin/10_misc.cf
> debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
> debug: config: read file /usr/share/spamassassin/20_body_tests.cf
> debug: config: read file /usr/share/spamassassin/20_compensate.cf
> debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
> debug: config: read file /usr/share/spamassassin/20_drugs.cf
> debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
> debug: config: read file /usr/share/spamassassin/20_head_tests.cf
> debug: config: read file /usr/share/spamassassin/20_html_tests.cf
> debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
> debug: config: read file /usr/share/spamassassin/20_phrases.cf
> debug: config: read file /usr/share/spamassassin/20_porn.cf
> debug: config: read file /usr/share/spamassassin/20_ratware.cf
> debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
> debug: config: read file /usr/share/spamassassin/23_bayes.cf
> debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
> debug: config: read file /usr/share/spamassassin/25_hashcash.cf
> debug: config: read file /usr/share/spamassassin/25_spf.cf
> debug: config: read file /usr/share/spamassassin/25_uribl.cf
> debug: config: read file /usr/share/spamassassin/30_text_de.cf
> debug: config: read file /usr/share/spamassassin/30_text_fr.cf
> debug: config: read file /usr/share/spamassassin/30_text_nl.cf
> debug: config: read file /usr/share/spamassassin/30_text_pl.cf
> debug: config: read file /usr/share/spamassassin/50_scores.cf
> debug: config: read file /usr/share/spamassassin/60_whitelist.cf
> debug: using "/etc/mail/spamassassin" for site rules dir
> debug: config: read file /etc/mail/spamassassin/local.cf
> debug: using "/root/.spamassassin" for user state dir
> debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
> debug: config: read file /etc/MailScanner/spam.assassin.prefs.conf
> debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x95a7894)
> debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
> debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa188d04)
> debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
> debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0xa1549dc)
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x95a7894)
> implements 'parse_config'
> debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa188d04)
> implements 'parse_config'
> debug: bayes: 31538 tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks
> debug: bayes: 31538 tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_seen
> debug: bayes: found bayes db version 3
> debug: Score set 3 chosen.
> debug: ---- MIME PARSER START ----
> debug: main message type: text/plain
> debug: parsing normal part
> debug: added part, type: text/plain
> debug: ---- MIME PARSER END ----
> debug: metadata: X-Spam-Relays-Trusted:
> debug: metadata: X-Spam-Relays-Untrusted:
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x95a7894)
> implements 'parsed_metadata'
> debug: is Net::DNS::Resolver available? yes
> debug: Net::DNS version: 0.48
> debug: trying (3) w3.org...
> debug: looking up NS for 'w3.org'
> debug: NS lookup of w3.org succeeded => Dns available (set
> dns_available to hardcode)
> debug: is DNS available? 1
> debug: decoding: no encoding detected
> debug: URIDNSBL: domains to query:
> debug: all '*From' addrs: ignore at compiling.spamassassin.taint.org
> debug: Running tests for priority: 0
> debug: running header regexp tests; score so far=0
> debug: registering glue method for check_hashcash_double_spend
> (Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa188d04))
> debug: registering glue method for check_for_spf_helo_pass
> (Mail::SpamAssassin::Plugin::SPF=HASH(0xa1549dc))
> debug: SPF: message was delivered entirely via trusted relays, not required
> debug: registering glue method for check_hashcash_value
> (Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa188d04))
> debug: all '*To' addrs:
> debug: registering glue method for check_for_spf_softfail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0xa1549dc))
> debug: SPF: message was delivered entirely via trusted relays, not required
> debug: registering glue method for check_for_spf_pass
> (Mail::SpamAssassin::Plugin::SPF=HASH(0xa1549dc))
> debug: registering glue method for check_for_spf_helo_softfail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0xa1549dc))
> debug: registering glue method for check_for_spf_fail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0xa1549dc))
> debug: registering glue method for check_for_spf_helo_fail
> (Mail::SpamAssassin::Plugin::SPF=HASH(0xa1549dc))
> debug: running body-text per-line regexp tests; score so far=-3.174
> debug: running uri tests; score so far=-3.174
> debug: registering glue method for check_uridnsbl
> (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x95a7894))
> debug: bayes corpus size: nspam = 1308, nham = 1457
> debug: tokenize: header tokens for *F = "U*ignore
> D*compiling.spamassassin.taint.org D*spamassassin.taint.org
> D*taint.org D*org"
> debug: tokenize: header tokens for *m = "  1112095616 lint_rules "
> debug: tokenize: header tokens for *RT = " "
> debug: tokenize: header tokens for *RU = " "
> debug: cannot use bayes on this message; not enough usable tokens found
> debug: bayes: not scoring message, returning undef
> debug: bayes: 31538 untie-ing
> debug: bayes: 31538 untie-ing db_toks
> debug: bayes: 31538 untie-ing db_seen
> debug: Razor2 is available
> debug: entering helper-app run mode
>  Razor-Log: Computed razorhome from env: /root/.razor
>  Razor-Log: Found razorhome: /root/.razor
>  Razor-Log: read_file: 16 items read from /root/.razor/razor-agent.conf
> Mar 29 06:27:06.633104 check[31538]: [ 2] [bootup] Logging initiated
> LogDebugLevel=9 to stdout
> Mar 29 06:27:06.637619 check[31538]: [ 5] computed
> razorhome=/root/.razor, conf=/root/.razor/razor-agent.conf,
> ident=/root/.razor/identity-ruvCQ8G6h1
> Mar 29 06:27:06.640472 check[31538]: [ 8] Client supported_engines: 4 8
> Mar 29 06:27:06.644630 check[31538]: [ 8]  prep_mail done: mail 1
> headers=93, mime0=1376
> Mar 29 06:27:06.648077 check[31538]: [ 5] read_file: 1 items read from
> /root/.razor/servers.discovery.lst
> Mar 29 06:27:06.671355 check[31538]: [ 5] read_file: 2 items read from
> /root/.razor/servers.nomination.lst
> Mar 29 06:27:06.678582 check[31538]: [ 5] read_file: 1 items read from
> /root/.razor/servers.catalogue.lst
> Mar 29 06:27:06.682276 check[31538]: [ 9] Assigning defaults to
> folly.cloudmark.com
> Mar 29 06:27:06.685288 check[31538]: [ 9] Assigning defaults to
> joy.cloudmark.com
> Mar 29 06:27:06.687704 check[31538]: [ 9] Assigning defaults to
> shock.cloudmark.com
> Mar 29 06:27:06.715976 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.stress.cloudmark.com.conf
> Mar 29 06:27:06.723879 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.stress.cloudmark.com.conf
> Mar 29 06:27:06.757959 check[31538]: [ 5] read_file: 17 items read
> from /root/.razor/server.thrill.cloudmark.com.conf
> Mar 29 06:27:06.766103 check[31538]: [ 5] read_file: 17 items read
> from /root/.razor/server.thrill.cloudmark.com.conf
> Mar 29 06:27:06.783177 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.joy.cloudmark.com.conf
> Mar 29 06:27:06.791015 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.joy.cloudmark.com.conf
> Mar 29 06:27:06.829923 check[31538]: [ 5] read_file: 17 items read
> from /root/.razor/server.pride.cloudmark.com.conf
> Mar 29 06:27:06.838190 check[31538]: [ 5] read_file: 17 items read
> from /root/.razor/server.pride.cloudmark.com.conf
> Mar 29 06:27:06.863375 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.shock.cloudmark.com.conf
> Mar 29 06:27:06.871244 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.shock.cloudmark.com.conf
> Mar 29 06:27:06.905572 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.tension.cloudmark.com.conf
> Mar 29 06:27:06.913456 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.tension.cloudmark.com.conf
> Mar 29 06:27:06.931460 check[31538]: [ 5] read_file: 15 items read
> from /root/.razor/server.folly.cloudmark.com.conf
> Mar 29 06:27:06.938968 check[31538]: [ 5] read_file: 15 items read
> from /root/.razor/server.folly.cloudmark.com.conf
> Mar 29 06:27:06.977843 check[31538]: [ 5] read_file: 17 items read
> from /root/.razor/server.wonder.cloudmark.com.conf
> Mar 29 06:27:06.986096 check[31538]: [ 5] read_file: 17 items read
> from /root/.razor/server.wonder.cloudmark.com.conf
> Mar 29 06:27:07.023469 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.robust.cloudmark.com.conf
> Mar 29 06:27:07.031417 check[31538]: [ 5] read_file: 16 items read
> from /root/.razor/server.robust.cloudmark.com.conf
> Mar 29 06:27:07.033545 check[31538]: [ 5] 123992 seconds before
> closest server discovery
> Mar 29 06:27:07.036279 check[31538]: [ 6] shock.cloudmark.com is a
> Catalogue Server srl 5066; computed min_cf=6, Server se: C8
> Mar 29 06:27:07.038365 check[31538]: [ 8] Computed supported_engines: 4 8
> Mar 29 06:27:07.039974 check[31538]: [ 8] Using next closest server
> shock.cloudmark.com:2703, cached info srl 5066
> Mar 29 06:27:07.042332 check[31538]: [ 8] mail 1 has no subject
> Mar 29 06:27:07.046968 check[31538]: [ 6] preproc: mail 1.0 went from
> 1376 bytes to 1339
> Mar 29 06:27:07.048457 check[31538]: [ 6] computing sigs for mail 1.0, len 1339
> Mar 29 06:27:07.080809 check[31538]: [ 6] Engine (8) didn't produce a
> signature for mail 1.0
> Mar 29 06:27:07.082825 check[31538]: [ 6] skipping whitelist file
> (empty?): /root/.razor/razor-whitelist
> Mar 29 06:27:07.084261 check[31538]: [ 5] Connecting to shock.cloudmark.com ...
> Mar 29 06:27:07.291541 check[31538]: [ 8] Connection established
> Mar 29 06:27:07.293199 check[31538]: [ 4] shock.cloudmark.com >> 36
> server greeting: sn=C&srl=5066&a=l&a=cg&ep4=7542-10
> Mar 29 06:27:07.298125 check[31538]: [ 4] shock.cloudmark.com << 25
> Mar 29 06:27:07.299795 check[31538]: [ 6] cn=razor-agents&cv=2.67
> Mar 29 06:27:07.302240 check[31538]: [ 6] shock.cloudmark.com is a
> Catalogue Server srl 5066; computed min_cf=6, Server se: C8
> Mar 29 06:27:07.304321 check[31538]: [ 8] Computed supported_engines: 4 8
> Mar 29 06:27:07.306697 check[31538]: [ 8] mail 1.0 e4 sig:
> xFaZIZUVHk90OQfARnenjx5BZTMA
> Mar 29 06:27:07.308331 check[31538]: [ 5] mail 1.0 e8 got no sig
> Mar 29 06:27:07.309828 check[31538]: [ 8] preparing 1 queries
> Mar 29 06:27:07.311979 check[31538]: [ 8] sending 1 batches
> Mar 29 06:27:07.314299 check[31538]: [ 4] shock.cloudmark.com << 52
> Mar 29 06:27:07.315305 check[31538]: [ 6]
> a=c&e=4&ep4=7542-10&s=xFaZIZUVHk90OQfARnenjx5BZTMA
> Mar 29 06:27:07.513007 check[31538]: [ 4] shock.cloudmark.com >> 5
> Mar 29 06:27:07.514027 check[31538]: [ 6] response to sent.2
> p=0
> Mar 29 06:27:07.517878 check[31538]: [ 6] mail 1.0 e=4
> sig=xFaZIZUVHk90OQfARnenjx5BZTMA: sig not found.
> Mar 29 06:27:07.519031 check[31538]: [ 7] method 4: mail 1.0:
> no-contention part, spam=0
> Mar 29 06:27:07.519935 check[31538]: [ 7] method 4: mail 1: all
> non-contention parts not spam, mail not spam
> Mar 29 06:27:07.520821 check[31538]: [ 3] mail 1 is not known spam.
> Mar 29 06:27:07.522901 check[31538]: [ 5] disconnecting from server
> shock.cloudmark.com
> Mar 29 06:27:07.524449 check[31538]: [ 4] shock.cloudmark.com << 5
> Mar 29 06:27:07.525265 check[31538]: [ 6] a=q
> debug: Using results from Razor v2.67
> debug: Found Razor2 part: part=0 engine=4 ct=0 cf=0
> debug: leaving helper-app run mode
> debug: Razor2 results: spam? 0  highest cf score: 0
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x95a7894)
> implements 'check_tick'
> debug: running raw-body-text per-line regexp tests; score so far=-3.174
> debug: running full-text regexp tests; score so far=-3.174
> debug: Razor2 is available
> debug: Current PATH is:
> /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
> debug: executable for pyzor was found at /usr/bin/pyzor
> debug: Pyzor is available: /usr/bin/pyzor
> debug: entering helper-app run mode
> debug: setuid: helper proc 31543: ruid=0 euid=0
> debug: Pyzor: got response: 217.160.253.84:24441        TimeoutError:
> debug: leaving helper-app run mode
> debug: Pyzor: couldn't grok response "217.160.253.84:24441      TimeoutError: "
> debug: DCCifd is available: /var/dcc/dccifd
> debug: entering helper-app run mode
> debug: leaving helper-app run mode
> debug: DCCifd check timed out after 10 secs.
> debug: Running tests for priority: 500
> debug: RBL: success for 1 of 1 queries
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x95a7894)
> implements 'check_post_dnsbl'
> debug: running meta tests; score so far=-3.174
> debug: running header regexp tests; score so far=-1.948
> debug: running body-text per-line regexp tests; score so far=-1.948
> debug: running uri tests; score so far=-1.948
> debug: running raw-body-text per-line regexp tests; score so far=-1.948
> debug: running full-text regexp tests; score so far=-1.948
> debug: Running tests for priority: 1000
> debug: running meta tests; score so far=-1.948
> debug: running header regexp tests; score so far=-1.948
> debug: using "/root/.spamassassin" for user state dir
> debug: lock: 31538 created /root/.spamassassin/auto-whitelist.mutex
> debug: lock: 31538 trying to get lock on
> /root/.spamassassin/auto-whitelist with 30 timeout
> debug: lock: 31538 link to /root/.spamassassin/auto-whitelist.mutex: link ok
> debug: Tie-ing to DB file R/W in /root/.spamassassin/auto-whitelist
> debug: auto-whitelist (db-based):
> ignore at compiling.spamassassin.taint.org|ip=none scores 0/0
> debug: AWL active, pre-score: -1.948, autolearn score: -1.948, mean:
> undef, IP: undef
> debug: DB addr list: untie-ing and unlocking.
> debug: DB addr list: file locked, breaking lock.
> debug: unlock: 31538 unlocked /root/.spamassassin/auto-whitelist.mutex
> debug: Post AWL score: -1.948
> debug: running body-text per-line regexp tests; score so far=-1.948
> debug: running uri tests; score so far=-1.948
> debug: running raw-body-text per-line regexp tests; score so far=-1.948
> debug: running full-text regexp tests; score so far=-1.948
> debug: is spam? score=-1.948 required=5
> debug: tests=ALL_TRUSTED,MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME
> debug: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__SANE_MSGID,__UNUSABLE_MSGID
>
>
> On Tue, 29 Mar 2005 09:35:59 +0100, Martin Hepworth
> <martinh at solid-state-logic.com> wrote:
>
>>Devon
>>
>>have you got network tests enabled?
>>
>>the surbl URI-RBLs won't fire up until this is on.
>>
>>What happens if you do..
>>
>>spamassassin -p <path-to>/spam.assassin.prefs.conf -D --lint
>>
>>--
>>Martin Hepworth
>>Snr Systems Administrator
>>Solid State Logic
>>Tel: +44 (0)1865 842300
>>
>>
>>Devon Harding wrote:
>>
>>>Well, I'm running SA 3.0.2, Net::DNS version 0.48,
>>>Razor2::Client::Agent version 2.61 (upgrading to 2.67 as we speak..)
>>>
>>>What's the procedure in training bayes to detect the samples as spam?
>>>
>>>
>>>On Mon, 28 Mar 2005 18:40:37 -0500, Matt Kettler <mkettler at evi-inc.com> wrote:
>>>
>>>
>>>>Devon Harding wrote:
>>>>
>>>>
>>>>
>>>>>Here are my RBLs and they still seem to get through.  What can I do to stop 'em?
>>>>>
>>>>>
>>>>
>>>>My strongest recommendation would be to use a version of SpamAssassin
>>>>which has SURBL capabilities.
>>>>
>>>>3.0 ships with it by default, although if your Net::DNS perl module
>>>>isn't fairly recent it will disable the URI based blacklists and only do
>>>>normal RBLs.
>>>>
>>>>2.6x can have this functionality added with the
>>>>Mail::SpamAssassin::SpamCopURI patch. (They call it a plugin, but it's
>>>>dependent on a patch to EvalTests.pm that the "make install" process does
>>>>automatically.)
>>>>
>>>>I'd also recommend using Razor version 2.67. Older versions of razor may
>>>>not support e8 signatures, or may have bugs in e8.
>>>>
>>>>Lastly, if you've got bayes going, be sure to train some of the samples
>>>>as spam.
>>>>
>>>>Between the three approaches SA seems to catch all of these on my
>>>>network without much trouble (so far).
>>>>
>>>>
>>>
>>>
>>>------------------------ MailScanner list ------------------------
>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>'leave mailscanner' in the body of the email.
>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>>Support MailScanner development - buy the book off the website!
>>
>>**********************************************************************
>>
>>This email and any files transmitted with it are confidential and
>>intended solely for the use of the individual or entity to whom they
>>are addressed. If you have received this email in error please notify
>>the system manager.
>>
>>This footnote confirms that this email message has been swept
>>for the presence of computer viruses and is believed to be clean.
>>
>>**********************************************************************
>>
>>
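
Added example, not part of the original thread and not SpamAssassin's own code: a simplified Python model of the trusted/untrusted relay split that trusted_networks controls, showing how an over-broad setting leaves no untrusted relay, so ALL_TRUSTED would fire on mail from outside. The sample message, addresses and function names are constructed; the rule is assumed to fire whenever the untrusted list is empty, as in the lint output quoted above.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: an outside host (203.0.113.45) delivers to the site's
# MX (192.0.2.10), which hands the message to the scanning host.
SAMPLE = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby scanner.example.com with ESMTP id A1; Tue, 29 Mar 2005 06:27:00 -0500
Received: from dsl-host.example.net (unknown [203.0.113.45])
\tby mx.example.com with SMTP id B2; Tue, 29 Mar 2005 06:26:58 -0500
From: sender@example.net
Subject: constructed test message

body
"""

# First bracketed IPv4 address in a Received header (simplified parsing).
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message):
    """Return the connecting IP of each Received header, newest first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = RELAY_IP.search(header)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def split_relays(raw_message, trusted_networks):
    """Split relays into (trusted, untrusted) lists.

    Simplified model: trust is a contiguous run starting at the newest
    Received header; the first relay outside trusted_networks ends it and
    every older relay is untrusted as well.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for ip in relay_ips(raw_message):
        if not untrusted and any(ip in net for net in nets):
            trusted.append(str(ip))
        else:
            untrusted.append(str(ip))
    return trusted, untrusted


def all_trusted(raw_message, trusted_networks):
    """True when no relay is untrusted (assumed firing condition, taken from
    the quoted log: both relay lists empty, ALL_TRUSTED in the tests line)."""
    return not split_relays(raw_message, trusted_networks)[1]


if __name__ == "__main__":
    for label, nets in [("too broad", ["0.0.0.0/0"]),
                        ("site relay only", ["192.0.2.10/32"])]:
        print(label, split_relays(SAMPLE, nets), all_trusted(SAMPLE, nets))
```

A message with no Received headers at all, like the lint test message, also ends up with an empty untrusted list in this model.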
