Posted to users@spamassassin.apache.org by Chris Santerre <cs...@MerchantsOverseas.com> on 2004/08/16 20:39:39 UTC

RE: Spamassassin, rules_du_jour, and SARE only catching 50% of spam


>-----Original Message-----
>From: Rob Blomquist [mailto:rob.blomquist@verizon.net]
>Sent: Monday, August 16, 2004 1:41 AM
>To: SpamAssassin
>Subject: Spamassassin, rules_du_jour, and SARE only catching 
>50% of spam
>
>
>I have been running SA for about 6 months without much 
>trouble, having it 
>catch 98 or 99% of my spam (20-40 a day), but recently, I have 
>run into some 
>problems with the Bayesian filters getting corrupted, and 
>digging around for 
>some new rules, I adjusted my rules, and now all sorts of easy 
>to catch spam 
>are not getting caught.
>
>I am invoking SA (spamassassin-3.0.0-0.pre4.2.3mdk)  from 
>Kmail, by passing it 
>through spamc running rules_du_jour and my_rules_du_jour and 
>using the rules: 
>SARE_RATWARE, SARE_BAYES_POISON_NXM, SARE_SPOOF, SARE_OEM, BOGUSVIRUS, 
>SARE_ADULT. Now, not only is this list getting a bit 
>unwieldy, taking about 
>a minute to process all uploads, but it is doing a crummy job 
>of filtering.
>
>My old list (trimmed default for rules_du_jour) seemed to run 
>better with the 
>basic list, but all those seem to have been depreciated for 
>the SARE stuff.
>
>Does anyone have any ideas on what SARE lists are truly 
>working for them? Or 
>how I could use SA for better results with Kmail?
>
>Rob
>-- 


Can you give us an example of an easy one that got thru? With headers?

--Chris

Re[2]: Spamassassin, rules_du_jour, and SARE only catching 50% of spam

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Rob,

Tuesday, August 17, 2004, 10:28:19 PM, you wrote:

RB> On Tuesday 17 August 2004 7:27 am, Robert Menschel wrote:

>> I agree with Loren's statement about the version difference. You have
>> Bayes enabled (per autolearn=no), but no BAYES results. It's possible you
>> lost your Bayes database.
RB> It did get borked from a nasty uncaught message. I got rid of the two bayes
RB> files in ~/.spamassassin about a week ago, before upgrading. Tonight, I
RB> uninstalled all the packages, ran rpm -qa |grep spamassassin searching for
RB> more, then I deleted ~/.spamassassin. And reinstalled SA 3.00. We shall see
RB> if that fixes it. But not a lot of mail tonight.

Good luck.

>> I also don't see any network tests in your results. I find network tests
>> make the difference in 1/3 to 2/3 of my spam.
RB> I have no flipping idea what you are talking about.

Network tests are those which query network servers to determine whether
they might think the current email is spam(ish). See
the links under "Make use of other anti-spam projects" at
http://wiki.apache.org/spamassassin/FrontPage 

>> Header-0 and Header-1 should have kicked two of the three you posted over
>> your threshold.

RB> I am having another problem when RDJ attempts to --lint the
RB> rulesets, I get a ton of errors: 

RB> Lint output: warning: description for SARE_RECV_IP_212164 is over 50 chars
RB> warning: description for SARE_MSGID_EMPTY is over 50 chars
RB> warning: description for RM_hm_ShortMsgid12 is over 50 chars
RB> warning: description for SARE_MULT_HEAD_LC is over 50 chars
RB> warning: description for RM_hm_EmtyMsgid is over 50 chars
RB> warning: description for SARE_TOCC_CONS6s is over 50 chars
RB> warning: description for SARE_RECV_IP_080178 is over 50 chars
RB> warning: description for SARE_FROM_NUM_8DIG is over 50 chars
RB> warning: description for T_RATWARE_ERROR_04 is over 50 chars
RB> warning: description for SARE_RECV_SUSP_3 is over 50 chars

RB> What do I do with this? Why the problems?

All of those but T_RATWARE_ERROR_04 are caused by long descriptions in
the (current) HTML and HEADER rule sets. I've already corrected those in
my development copies, and hope to publish the corrections soon. Jesse is
working on Ratware, so that problem should go away soon also.

(I realize "soon" isn't soon enough for those who have already migrated
to the not-yet-in-production 3.0.0.)

Chris T -- is it possible to enhance RDJ so it examines the --lint
output, and maybe have a switch that allows processing to continue if the
only output is warnings?

Bob Menschel
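
The check asked for above, sketched as an added example (it is not part of the thread and not Rules Du Jour's own code). Function names are hypothetical, and the sample text is constructed from lint lines quoted in this thread; only the description-length warning is treated as tolerable.

```shell
#!/usr/bin/env bash
# Added example, not Rules Du Jour code: function and variable names are
# hypothetical. Decides whether freshly downloaded rule files may stay in
# place, based on the text printed by `spamassassin --lint`.

# Constructed samples, built from lint lines quoted in this thread.
LINT_WARN_ONLY='warning: description for SARE_MSGID_EMPTY is over 50 chars
warning: description for SARE_MULT_HEAD_LC is over 50 chars
lint: 2 issues detected.  please rerun with debug enabled for more information.'

LINT_WITH_FAILURE='warning: description for SARE_RECV_SUSP_3 is over 50 chars
razor2 check skipped: No such file or directory Died at /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Dns.pm line 410.
lint: 1 issues detected.  please rerun with debug enabled for more information.'

classify_lint() {
    # stdin: lint output. stdout: "<cosmetic warnings> <blocking lines>".
    # Only the known-benign description-length warning is tolerated; any other
    # line (parse errors, "Died at ...", unknown warnings) counts as blocking.
    awk '
        /^[ \t]*$/ { next }
        /^lint: [0-9]+ issues detected/ { next }
        /^warning: description for [A-Za-z0-9_]+ is over [0-9]+ chars$/ { w++; next }
        { b++ }
        END { printf "%d %d\n", w, b }
    '
}

lint_gate() {
    # $1 = lint output, $2 = "strict" (default) or "allow-warnings".
    # Prints "keep" or "rollback"; exit status 0 means keep.
    lg_counts=$(printf '%s\n' "$1" | classify_lint)
    lg_warn=${lg_counts% *}
    lg_block=${lg_counts#* }
    if [ "$lg_block" -gt 0 ]; then
        echo "rollback"; return 1
    fi
    if [ "$lg_warn" -gt 0 ] && [ "${2:-strict}" != "allow-warnings" ]; then
        echo "rollback"; return 1
    fi
    echo "keep"
}

# Demo: the switch only changes the outcome when every line is a warning.
echo "warnings only, strict:         $(lint_gate "$LINT_WARN_ONLY" strict)"
echo "warnings only, allow-warnings: $(lint_gate "$LINT_WARN_ONLY" allow-warnings)"
echo "with failure, allow-warnings:  $(lint_gate "$LINT_WITH_FAILURE" allow-warnings)"
```
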




Re: Spamassassin, rules_du_jour, and SARE only catching 50% of spam

Posted by Chris Thielen <cm...@someone.dhs.org>.
Hi Rob,

> I am having another problem when RDJ attempts to --lint the rulesets, I get a 
> ton of errors:
> 
> Attempting to --lint the rules.

<snip>


> Lint output: warning: description for SARE_RECV_IP_212164 is over 50 chars
> warning: description for SARE_MSGID_EMPTY is over 50 chars
> warning: description for RM_hm_ShortMsgid12 is over 50 chars
> warning: description for SARE_MULT_HEAD_LC is over 50 chars
> warning: description for RM_hm_EmtyMsgid is over 50 chars

<snip>

> What do I do with this? Why the problems?

The problem is that these rules designed for 2.6x have not yet been
updated for 3.0.  As a stopgap measure, you could follow the
instructions that Alex Pleiner put together.  See post at:

http://article.gmane.org/gmane.mail.spam.spamassassin.general/53127/match=+munge+scripts 


-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES): http://www.sandgnat.com/cmos/

Keep up to date with the latest third party SpamAssassin Rulesets:
http://www.exit0.us/index.php/RulesDuJour

Re: Spamassassin, rules_du_jour, and SARE only catching 50% of spam

Posted by jdow <jd...@earthlink.net>.
From: "Rob Blomquist" <ro...@verizon.net>
> On Tuesday 17 August 2004 7:27 am, Robert Menschel wrote:
>
> > I agree with Loren's statement about the version difference. You have
> > Bayes enabled (per autolearn=no), but no BAYES results. It's possible you
> > lost your Bayes database.
> It did get borked from a nasty uncaught message. I got rid of the two bayes
> files in ~/.spamassassin about a week ago, before upgrading. Tonight, I
> uninstalled all the packages, ran rpm -qa |grep spamassassin searching for
> more, then I deleted ~/.spamassassin. And reinstalled SA 3.00. We shall see
> if that fixes it. But not a lot of mail tonight.

You HAVE retrained the Bayes database, haven't you?
{^_^}



Re: Spamassassin, rules_du_jour, and SARE only catching 50% of spam

Posted by Rob Blomquist <ro...@verizon.net>.
On Tuesday 17 August 2004 7:27 am, Robert Menschel wrote:

> I agree with Loren's statement about the version difference. You have
> Bayes enabled (per autolearn=no), but no BAYES results. It's possible you
> lost your Bayes database.
It did get borked from a nasty uncaught message. I got rid of the two bayes 
files in ~/.spamassassin about a week ago, before upgrading. Tonight, I 
uninstalled all the packages, ran rpm -qa |grep spamassassin searching for 
more, then I deleted ~/.spamassassin. And reinstalled SA 3.00. We shall see 
if that fixes it. But not a lot of mail tonight.


> I also don't see any network tests in your results. I find network tests
> make the difference in 1/3 to 2/3 of my spam.
I have no flipping idea what you are talking about.

> Header-0 and Header-1 should have kicked two of the three you posted over
> your threshold.

I am having another problem when RDJ attempts to --lint the rulesets, I get a 
ton of errors:

Attempting to --lint the rules.
No files updated; No restart required.





Rules Du Jour Run Summary:RulesDuJour Run Summary on Timmy:

SARE Spoof Ruleset for SpamAssassin has changed on Timmy.
Version line: # Version: 1.06.06

SARE General Subject Ruleset 0 for SpamAssassin has changed on Timmy.
Version line: # Version:  01.03.01

SARE General Subject Ruleset 1 for SpamAssassin has changed on Timmy.
Version line: # Version:  01.03.01

SARE html0 Ruleset for SpamAssassin has changed on Timmy.
Version line:

SARE html1 Ruleset for SpamAssassin has changed on Timmy.
Version line: # Version: 01.02.06

SARE HEADER Ruleset 1 for SpamAssassin has changed on Timmy.
Version line: # Version: 01.02.00

SARE HEADER Ruleset 2 for SpamAssassin has changed on Timmy.
Version line: # Version: 01.02.00

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:
mv -f /etc/mail/spamassassin/70_sare_spoof.cf /root/tmp/70_sare_spoof.cf.2;
mv -f /root/tmp/70_sare_spoof.cf.20040817-2226 /etc/mail/spamassassin/70_sare_spoof.cf;
mv -f /etc/mail/spamassassin/70_sare_genlsubj0.cf /root/tmp/70_sare_genlsubj0.cf.2;
rm -f /etc/mail/spamassassin/70_sare_genlsubj0.cf;
mv -f /etc/mail/spamassassin/70_sare_genlsubj1.cf /root/tmp/70_sare_genlsubj1.cf.2;
rm -f /etc/mail/spamassassin/70_sare_genlsubj1.cf;
mv -f /etc/mail/spamassassin/70_sare_html0.cf /root/tmp/70_sare_html0.cf.2;
rm -f /etc/mail/spamassassin/70_sare_html0.cf;
mv -f /etc/mail/spamassassin/70_sare_html1.cf /root/tmp/70_sare_html1.cf.2;
rm -f /etc/mail/spamassassin/70_sare_html1.cf;
mv -f /etc/mail/spamassassin/70_sare_header1.cf /root/tmp/70_sare_header1.cf.2;
rm -f /etc/mail/spamassassin/70_sare_header1.cf;
mv -f /etc/mail/spamassassin/70_sare_header2.cf /root/tmp/70_sare_header2.cf.2;
rm -f /etc/mail/spamassassin/70_sare_header2.cf;

Lint output: warning: description for SARE_RECV_IP_212164 is over 50 chars
warning: description for SARE_MSGID_EMPTY is over 50 chars
warning: description for RM_hm_ShortMsgid12 is over 50 chars
warning: description for SARE_MULT_HEAD_LC is over 50 chars
warning: description for RM_hm_EmtyMsgid is over 50 chars
warning: description for SARE_TOCC_CONS6s is over 50 chars
warning: description for SARE_RECV_IP_080178 is over 50 chars
warning: description for SARE_FROM_NUM_8DIG is over 50 chars
warning: description for T_RATWARE_ERROR_04 is over 50 chars
warning: description for SARE_RECV_SUSP_3 is over 50 chars
razor2 check skipped: No such file or directory Died at /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Dns.pm line 410.
lint: 10 issues detected.  please rerun with debug enabled for more information.

What do I do with this? Why the problems?

Rob

-- 

Mountlake Terrace, WA
USA

Re[2]: Spamassassin, rules_du_jour, and SARE only catching 50% of spam

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Rob,

Monday, August 16, 2004, 9:55:35 PM, you wrote:

>> Can you give us an example of an easy one that got thru? With headers?

RB> Good idea!

RB> I also note that my message headers claim to be running 2.63, but rpm claims I
RB> am running spamassassin-3.0.0-0.pre4.2.3mdk. Sigh.

RB> I have also added SARE HTML 0 and 1, Header 0 and 1 and  SARE_GENLSUBJ-0 and 1
RB> thanks to Bob's comments. But I would love to hear yours.

I agree with Loren's statement about the version difference. You have
Bayes enabled (per autolearn=no), but no BAYES results. It's possible you
lost your Bayes database.

I also don't see any network tests in your results. I find network tests
make the difference in 1/3 to 2/3 of my spam.

Header-0 and Header-1 should have kicked two of the three you posted over
your threshold.

Bob Menschel
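
The reading of the result headers described above, as an added example (it is not part of the thread). Function names are hypothetical, the sample headers are copied from the first message posted in this thread, and the list of network-rule prefixes is an assumption covering SpamAssassin's stock DNSBL, URIBL, Razor, DCC and Pyzor rules.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: function names are hypothetical.
# Reads SpamAssassin's result headers from a saved message and reports the
# symptoms discussed here: scanner version differs from the installed package,
# no BAYES_* rule fired, no network test fired.

# Sample headers copied from the first message posted in this thread.
SAMPLE_HEADERS='X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on Timmy
X-Spam-Level: ***
X-Spam-Status: No, hits=3.1 required=5.0 tests=HTML_50_60,HTML_IMAGE_ONLY_04,
        HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,NORMAL_HTTP_TO_IP
        autolearn=no version=2.63'

unfold_headers() {
    # Join folded continuation lines (leading whitespace) onto their header.
    awk '
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

spam_tests() {
    # stdin: headers. stdout: rule names from X-Spam-Status, one per line.
    unfold_headers | awk '
        /^X-Spam-Status:/ {
            gsub(/,[ \t]+/, ",")          # a fold may follow a comma
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^tests=/) continue
                n = split(substr($i, 7), names, ",")
                for (j = 1; j <= n; j++) if (names[j] != "") print names[j]
            }
        }'
}

scanner_version() {
    # stdin: headers. stdout: version from X-Spam-Checker-Version, if any.
    sed -n 's/^X-Spam-Checker-Version: SpamAssassin \([0-9][0-9.]*\).*/\1/p'
}

diagnose() {
    # $1 = raw headers, $2 = version reported by the package manager.
    d_tests=$(printf '%s\n' "$1" | spam_tests)
    d_ver=$(printf '%s\n' "$1" | scanner_version)
    case "$2" in
        "$d_ver"|"$d_ver"[!0-9]*) ;;   # same release, optional package suffix
        *) echo "version-mismatch header=${d_ver:-none} installed=$2" ;;
    esac
    printf '%s\n' "$d_tests" | grep -q '^BAYES_' || echo "no-bayes-result"
    # Assumed prefixes of stock network rules (DNSBL, URIBL, Razor, DCC, Pyzor).
    printf '%s\n' "$d_tests" | grep -Eq '^(RCVD_IN_|URIBL_|RAZOR2_|DCC_|PYZOR_)' \
        || echo "no-network-tests"
}

diagnose "$SAMPLE_HEADERS" "3.0.0-0.pre4.2.3mdk"
```
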




Re: Spamassassin, rules_du_jour, and SARE only catching 50% of spam

Posted by Loren Wilton <lw...@earthlink.net>.
> I also note that my message headers claim to be running 2.63, but rpm claims I
> am running spamassassin-3.0.0-0.pre4.2.3mdk. Sigh.

I think this is your key right here.  You probably have a messed up
installation that is half one thing and half another, and it probably isn't
real happy with the results.  Certainly 2.63 and 3.0 are going to be real
unhappy about sharing a Bayes database, since the format changed.

I would start with a seek-and-destroy mission to eradicate 2.63, and then
probably redo the 3.0 installation.

        Loren


Re: Spamassassin, rules_du_jour, and SARE only catching 50% of spam

Posted by Rob Blomquist <ro...@verizon.net>.
On Monday 16 August 2004 11:39 am, you wrote:
> >-----Original Message-----
> >From: Rob Blomquist [mailto:rob.blomquist@verizon.net]
> >Sent: Monday, August 16, 2004 1:41 AM
> >To: SpamAssassin
> >Subject: Spamassassin, rules_du_jour, and SARE only catching
> >50% of spam
> >
> >
> >I have been running SA for about 6 months without much
> >trouble, having it
> >catch 98 or 99% of my spam (20-40 a day), but recently, I have
> >run into some
> >problems with the Bayesian filters getting corrupted, and
> >digging around for
> >some new rules, I adjusted my rules, and now all sorts of easy
> >to catch spam
> >are not getting caught.
> >
> >I am invoking SA (spamassassin-3.0.0-0.pre4.2.3mdk)  from
> >Kmail, by passing it
> >through spamc running rules_du_jour and my_rules_du_jour and
> >using the rules:
> >SARE_RATWARE, SARE_BAYES_POISON_NXM, SARE_SPOOF, SARE_OEM, BOGUSVIRUS,
> >SARE_ADULT. Now, not only is this list getting a bit
> >unwieldy, taking about
> >a minute to process all uploads, but it is doing a crummy job
> >of filtering.
> >
> >My old list (trimmed default for rules_du_jour) seemed to run
> >better with the
> >basic list, but all those seem to have been depreciated for
> >the SARE stuff.
> >
> >Does anyone have any ideas on what SARE lists are truly
> >working for them? Or
> >how I could use SA for better results with Kmail?
> >
> >Rob
> >--
>
> Can you give us an example of an easy one that got thru? With headers?

Good idea!

I also note that my message headers claim to be running 2.63, but rpm claims I 
am running spamassassin-3.0.0-0.pre4.2.3mdk. Sigh.

I have also added SARE HTML 0 and 1, Header 0 and 1 and  SARE_GENLSUBJ-0 and 1 
thanks to Bob's comments. But I would love to hear yours.

Rob

Return-Path: <bg...@verizon.net>
 Received: from [206.46.170.12] ([192.168.1.4]) by mta019.verizon.net
          (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
          id <20040816140824.DIKX135.mta019.verizon.net@[206.46.170.12]>;
          Mon, 16 Aug 2004 09:08:24 -0500
 Received: from 206.46.170.12 (222.138.197.142) by sc024pub.verizon.net 
(MailPass SMTP server v1.1.1 - 121803235448JY) with  SMTP id 
<4-31500-159-31500-351-1-1092665276> for mta019.verizon.net; Mon, 16 Aug 2004 
09:08:25 -0500
 X-Message-Info: 5H720LVhyzlk79ijDlEB8ALK070aGEcrfV850
 Received: from physiognomy.bgallagh@verizon.net 
(ko28924.h151134103.gd-pz.nxr.bgallagh@verizon.net [56.70.194.43])
        by skylinebaghdad.bgallagh@verizon.net
        id LCAA6419420; Wed, 18 Aug 2004 06:58:05 +0200
        [thornyHost SMTP Relay 9.0202]
 Reply-To: "Cassandra Solis" <bg...@verizon.net>
 From: "Cassandra Solis" <bg...@verizon.net>
 To: "Bgallagh" <bg...@verizon.net>
 Subject: hereditary
 Date: Wed, 18 Aug 2004 03:50:05 -0100
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
  boundary="--212941132929621495"
 Message-Id: <20040816140824.DIKX135.mta019.verizon.net@[206.46.170.12]>
 X-UID: 
 Status: R
 X-Status: N
 X-KMail-EncryptionState: 
 X-KMail-SignatureState: 
 X-KMail-MDN-Sent: 
 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on Timmy
 X-Spam-Level: ***
 X-Spam-Status: No, hits=3.1 required=5.0 tests=HTML_50_60,HTML_IMAGE_ONLY_04,
        HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,NORMAL_HTTP_TO_IP 
        autolearn=no version=2.63
 
Email loading... $ 

 
---Pharmacy graphic here---

 
 
 Buy Your M-E-D-I-C-I-N-E here. 


 cheap destabilize offenbach phi squatted palindrome allow standish ortega 
martini corruptible cowpea averring suppose abscissa quito boniface decoy 
trevelyan enthusiastic institute fleeing those bandit dogberry incapacity 
bumptious interrogate salon asphalt dutch your derision ferris apprehension 
taylor 

another....

Return-Path: <le...@cosmeticdoctor.com>
 Received: from p508FD511.dip0.t-ipconnect.de ([192.168.1.1])
          by mta005.verizon.net
          (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
          id 
<20...@p508FD511.dip0.t-ipconnect.de>
          for <ro...@verizon.net>; Mon, 16 Aug 2004 14:54:31 -0500
 Received: from p508FD511.dip0.t-ipconnect.de (80.143.213.17) by 
sc002pub.verizon.net (MailPass SMTP server v1.1.1 - 121803235448JY) 
with  SMTP id <3-30639-118-30639-7398-1-1092686056> for mta005.verizon.net; 
Mon, 16 Aug 2004 14:54:34 -0500
 Received: from cosmeticdoctor.com (mail.cosmeticdoctor.com [38.113.1.60])
        by p508FD511.dip0.t-ipconnect.de (Postfix) with ESMTP id CCAE429221
        for <ro...@verizon.net>; Mon, 16 Aug 2004 14:44:41 -0500
 Message-ID: <00...@cosmeticdoctor.com>
 From: "Extraordinarily A. Soars" <le...@cosmeticdoctor.com>
 To: Rob <ro...@verizon.net>
 Subject: Re: Sohcking Pron Carotons
 Date: Mon, 16 Aug 2004 14:44:41 -0500
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0036_AF22CCEF.22ABF9D3"
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2800.1409
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
 X-Virus-Scanned: Norton
 X-UID: 
 Status: R
 X-Status: N
 X-KMail-EncryptionState: 
 X-KMail-SignatureState: 
 X-KMail-MDN-Sent: 
 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on Timmy
 X-Spam-Level: *
 X-Spam-Status: No, hits=1.4 required=5.0 tests=HTML_50_60,HTML_FONT_FACE_BAD,
        HTML_IMAGE_ONLY_12,HTML_MESSAGE autolearn=no version=2.63
 
Hlelo, what's a nice girl like you doing in...? 
 Best Sex Hentai

 a lovely porno graphic here.


What the eye deos not admire the heart deos not desire.
Hyvasti T,w


 and a third, and I promise, the end:

Return-Path: <KH...@hotmail.com>
 Received: from ar50.lsanca1-4.27.119.91.lsanca1.dsl-verizon.net
          ([192.168.1.3]) by mta017.verizon.net
          (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
          id 
<20...@ar50.lsanca1-4.27.119.91.lsanca1.dsl-verizon.net>;
          Mon, 16 Aug 2004 06:33:30 -0500
 Received: from ar50.lsanca1-4.27.119.91.lsanca1.dsl-verizon.net (4.27.119.91) 
by sc019pub.verizon.net (MailPass SMTP server v1.1.1 - 121803235448JY) 
with  SMTP id <1-1007-218-1007-152027-2-1092656007> for mta017.verizon.net; 
Mon, 16 Aug 2004 06:33:31 -0500
 X-Message-Info: 570xBGJkB5TQQlAKY802XJ2ALbMEwnJRMuluCbeb3U
 Received: from hotmail.com (156.217.56.145) by ylg7-ton653.hotmail.com with 
Microsoft SMTPSVC(9.4.2535.5571);
         Mon, 16 Aug 2004 08:36:50 -0400
 Received: from hotmail.com (hotmail.com 84.212.76.130)
        by hotmail.com (8.12.10/8.12.9) with ESMTP id kpr49EIFF217
        for <ro...@verizon.net>; Mon, 16 Aug 2004 08:37:50 -0400 (EST)
        (envelope-from KHCHINBKFPLUEK@hotmail.com)
 Received: from EO3887450758 (modemcable9.1075-055.vd.hotmail.com 
192.15.200.24)
        (authenticated bits=6)
        by hotmail.com (8.12.10/8.12.9) with ESMTP id qst110HF558nck786
        for <ro...@verizon.net>; Mon, 16 Aug 2004 07:40:50 -0500 (EST)
        (envelope-from KHCHINBKFPLUEK@hotmail.com)
 Message-ID: <97...@Y76121521007>
 From: "Trey Benitez" <KH...@hotmail.com>
 To: <Rob.anderson>
 Subject: sorry, one more thing
 Date: Mon, 16 Aug 2004 14:40:50 +0200
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
  boundary="--61455841073473722410"
 X-UID: 
 Status: R
 X-Status: N
 X-KMail-EncryptionState: 
 X-KMail-SignatureState: 
 X-KMail-MDN-Sent: 
 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on Timmy
 X-Spam-Level: ****
 X-Spam-Status: No, hits=4.7 required=5.0 tests=BIZ_TLD,CLICK_BELOW,
        FORGED_HOTMAIL_RCVD,HTML_70_80,HTML_IMAGE_ONLY_02,
        HTML_LINK_CLICK_HERE,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
        TO_MALFORMED autolearn=no version=2.63
 

another lovely sex graphic

 
no thanks of future campaigns - click here - please allow 48 hours.


-- 

Mountlake Terrace, WA
USA