You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Arvinn Løkkebakken <ar...@whitebird.no> on 2005/04/11 15:54:00 UTC
about SPF
I have two questions about the SPF plugin in SA.
What is the difference between FAIL and SOFTFAIL on Helo? When running
SA with bayes and network FAIL scores close to zero while SOFTFAIL gives
a solid 3.1. Does FAIL hit a lot of ham? According to my stats,
SPF_HELO_FAIL gets triggered about as often as SPF_HELO_SOFTFAIL does.
But I haven't looked to deep after false positives.
Next question. On my qmail-scanner server (in the middle between
front-end MX and bakend final destination) only the Helo SPF checks gets
triggered. I have a few thousand hits of SPF_HELO_* every day but zero
of the other SPF checks.
My front-end MX servers are running Qmail and trusted_network and
internal_network is set properly. Does it have to do with format of the
Received headers created by Qmail?
Maybe someone has an URL to some detailed documentation on the SPF
plugin? That would really do :)
Arvinn
RE: about SPF
Posted by martin smith <ma...@ntlworld.com>.
M>
M>Martin, the mail didn't go through the same server. Is it possible
M>that you've omitted 212.250.162.17 from your list of trusted_networks?
M>This would cause an SPF failure.
M>
M>When I set my trusted_networks to 212.250.162.0/24 and run these
M>messages through, they both get SPF_PASS.
M>
M>This is under 3.1, but 3.0 shouldn't be any different.
M>
M>
M>Daryl
M>
Hi Daryl
Found the problem. It wasn't so much what I didn't have set it was what I
did have set, I had trusted_networks 209.237.227.199, not sure when I set
the spamassassin server in there but took that entry out and now I am
getting SPF_PASS on most of them now.
Wouldn't have thought it would have had that effect but you live and learn.
Many thanks for your assistance Daryl.
Martin
Re: about SPF
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
martin smith wrote:
> M>
> M>Could you please forward a few complete messages that
> M>incorrectly get an SPF fail with the patch applied.
> M>
> M>The patch has no effect on SPF_HELO tests.
> M>
> M>
> M>Daryl
> M>
> Looks like I have to put mail.apache.org as a trusted server for this list
> to pass the spf test, the email direct from you passed but the one via the
> list failed:-
Direct:
> Return-Path: <xx...@dostech.ca>
> Received: from mta10-winn.mailhost.ntl.com (smtpout18.mailhost.ntl.com
> [212.250.162.18])
> by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id
> j3C78AP5020927
> for <xx...@marti.mine.nu>; Tue, 12 Apr 2005 08:08:10 +0100
Via list:
> Return-Path: <us...@spamassassin.apache.org>
> Received: from mta09-winn.mailhost.ntl.com (smtpout17.mailhost.ntl.com
> [212.250.162.17])
> by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id
> j3C78Wvx020936
> for <xx...@marti.mine.nu>; Tue, 12 Apr 2005 08:08:33 +0100
Martin, the mail didn't go through the same server. Is it possible that
you've omitted 212.250.162.17 from your list of trusted_networks? This
would cause an SPF failure.
When I set my trusted_networks to 212.250.162.0/24 and run these
messages through, they both get SPF_PASS.
This is under 3.1, but 3.0 shouldn't be any different.
Daryl
RE: about SPF
Posted by martin smith <ma...@ntlworld.com>.
M>
M>Could you please forward a few complete messages that
M>incorrectly get an SPF fail with the patch applied.
M>
M>The patch has no effect on SPF_HELO tests.
M>
M>
M>Daryl
M>
Looks like I have to put mail.apache.org as a trusted server for this list
to pass the spf test, the email direct from you passed but the one via the
list failed:-
Return-Path: <xx...@dostech.ca>
Received: from mta10-winn.mailhost.ntl.com (smtpout18.mailhost.ntl.com
[212.250.162.18])
by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id
j3C78AP5020927
for <xx...@marti.mine.nu>; Tue, 12 Apr 2005 08:08:10 +0100
X-Envelope-From: spamassassin@dostech.ca
Received: from aamta07-winn.mailhost.ntl.com ([212.250.162.8])
by mta10-winn.mailhost.ntl.com with ESMTP
id
<20050412070810.LCVJ12495.mta10-winn.mailhost.ntl.com@aamta07-winn.mailhost.
ntl.com>
for <xx...@ntlworld.com>; Tue, 12 Apr 2005 08:08:10 +0100
Received: from smtp.film-tech.net ([66.98.221.156])
by aamta07-winn.mailhost.ntl.com with ESMTP
id
<20...@smtp.film-tech.net>
for <xx...@ntlworld.com>; Tue, 12 Apr 2005 08:08:06 +0100
Received: from d141-175-19.home.cgocable.net (d141-175-19.home.cgocable.net
[24.141.175.19])
(authenticated user xxx@smtp.film-tech.net)
by smtp.film-tech.net (smtp.film-tech.net [66.98.221.156])
(Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R)
with ESMTP id 12-md50000000258.tmp
for <ma...@ntlworld.com>; Tue, 12 Apr 2005 02:08:00 -0500
Received: from [192.168.123.141] (athlon.hamilton.dostech.net
[192.168.123.141] (may be forged))
(authenticated bits=0)
by d141-175-19.home.cgocable.net (8.12.8/8.12.8) with ESMTP id
j3C77tM4024697
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Tue, 12 Apr 2005 03:07:57 -0400
Message-ID: <42...@dostech.ca>
Date: Tue, 12 Apr 2005 03:08:04 -0400
From: "Daryl C. W. O'Shea" <xx...@dostech.ca>
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: martin smith <xx...@ntlworld.com>
CC: Spamassassin <us...@spamassassin.apache.org>
Subject: Re: about SPF
References:
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARcvEzyhlCU2onpe4D+jkPsKAAAAQ
AAAAjv3Tr0E/5k2eRfeK+mniywEAAAAA@ntlworld.com>
In-Reply-To:
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARcvEzyhlCU2onpe4D+jkPsKAAAAQ
AAAAjv3Tr0E/5k2eRfeK+mniywEAAAAA@ntlworld.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: xxx@smtp.film-tech.net
X-MDRemoteIP: 24.141.175.19
X-Return-Path: xxxxx@dostech.ca
X-MDaemon-Deliver-To: marti@ntlworld.com
X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on marti.mine.nu
X-Spam-Level:
X-Spam-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00,SPF_PASS
autolearn=ham
X-UIDL: SXH"!KW_!!>8n"!L=U!!
Return-Path: <us...@spamassassin.apache.org>
Received: from mta09-winn.mailhost.ntl.com (smtpout17.mailhost.ntl.com
[212.250.162.17])
by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id
j3C78Wvx020936
for <xx...@marti.mine.nu>; Tue, 12 Apr 2005 08:08:33 +0100
X-Envelope-From:
users-return-25781-marti=ntlworld.com@spamassassin.apache.org
Received: from aamta01-winn.mailhost.ntl.com ([212.250.162.8])
by mta09-winn.mailhost.ntl.com with ESMTP
id
<20050412070833.XIVK6951.mta09-winn.mailhost.ntl.com@aamta01-winn.mailhost.n
tl.com>
for xxxxx@ntlworld.com>; Tue, 12 Apr 2005 08:08:33 +0100
Received: from mail.apache.org ([209.237.227.199])
by aamta01-winn.mailhost.ntl.com with SMTP
id
<20...@mail.apache.org>
for <xx...@ntlworld.com>; Tue, 12 Apr 2005 08:08:33 +0100
Received: (qmail 54938 invoked by uid 500); 12 Apr 2005 07:08:10 -0000
Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
Precedence: bulk
list-help: <ma...@spamassassin.apache.org>
list-unsubscribe: <ma...@spamassassin.apache.org>
List-Post: <ma...@spamassassin.apache.org>
List-Id: <users.spamassassin.apache.org>
Delivered-To: mailing list users@spamassassin.apache.org
Received: (qmail 54925 invoked by uid 99); 12 Apr 2005 07:08:10 -0000
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
tests=SPF_PASS
Received-SPF: pass (hermes.apache.org: domain of spamassassin@dostech.ca
designates 66.98.221.156 as permitted sender)
Received: from smtp.film-tech.net (HELO smtp.film-tech.net) (66.98.221.156)
by apache.org (qpsmtpd/0.28) with ESMTP; Tue, 12 Apr 2005 00:08:06 -0700
Received: from d141-175-19.home.cgocable.net (d141-175-19.home.cgocable.net
[24.141.175.19])
(authenticated user xxx@smtp.film-tech.net)
by smtp.film-tech.net (smtp.film-tech.net [66.98.221.156])
(Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R)
with ESMTP id 12-md50000000258.tmp
for <us...@spamassassin.apache.org>; Tue, 12 Apr 2005 02:08:00 -0500
Received: from [192.168.123.141] (athlon.hamilton.dostech.net
[192.168.123.141] (may be forged))
(authenticated bits=0)
by d141-175-19.home.cgocable.net (8.12.8/8.12.8) with ESMTP id
j3C77tM4024697
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Tue, 12 Apr 2005 03:07:57 -0400
Message-ID: <42...@dostech.ca>
Date: Tue, 12 Apr 2005 03:08:04 -0400
From: "Daryl C. W. O'Shea" <xx...@dostech.ca>
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: martin smith <xx...@ntlworld.com>
CC: Spamassassin <us...@spamassassin.apache.org>
Subject: Re: about SPF
References:
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARcvEzyhlCU2onpe4D+jkPsKAAAAQ
AAAAjv3Tr0E/5k2eRfeK+mniywEAAAAA@ntlworld.com>
In-Reply-To:
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARcvEzyhlCU2onpe4D+jkPsKAAAAQ
AAAAjv3Tr0E/5k2eRfeK+mniywEAAAAA@ntlworld.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: dos@smtp.film-tech.net
X-MDRemoteIP: 24.141.175.19
X-Return-Path: xxxxx@dostech.ca
X-MDaemon-Deliver-To: users@spamassassin.apache.org
X-Virus-Checked: Checked
X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on marti.mine.nu
X-Spam-Level:
X-Spam-Status: No, score=-5.5 required=5.0 tests=AWL,BAYES_00,SPF_FAIL
autolearn=unavailable
X-UIDL: +jm!!*1T!!`T_"!DAc"!
Re: about SPF
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
martin smith wrote:
> M>I had the same problem. It turns out that if the email is being
> M>relayed through trusted or internal hosts, SA will skip the
> M>SPF checks on the belief that it cannot trust that one of
> M>those hosts hasn't
> M>changed the envelope headers. I ended up opening an enhancement
> M>request to allow an option to get SA to run the SPF checks if
> M>the admin
> M>is sure that the envelope headers are not being altered. This will
> M>appear in 3.1, but there is a patch you can get if you want it
> M>earlier. See http://bugzilla.spamassassin.org/show_bug.cgi?id=4140
> M>
>
> I applied the patch last night, now every email from this list comes up with
> SPF_FAIL, some also come up with SPF_HELO_PASS, will remove the patch when I
> get back from work, since it doesn't seem to be working correctly.
>
> Martin
Could you please forward a few complete messages that incorrectly get an
SPF fail with the patch applied.
The patch has no effect on SPF_HELO tests.
Daryl
RE: about SPF
Posted by martin smith <ma...@ntlworld.com>.
M>I had the same problem. It turns out that if the email is being
M>relayed through trusted or internal hosts, SA will skip the
M>SPF checks on the belief that it cannot trust that one of
M>those hosts hasn't
M>changed the envelope headers. I ended up opening an enhancement
M>request to allow an option to get SA to run the SPF checks if
M>the admin
M>is sure that the envelope headers are not being altered. This will
M>appear in 3.1, but there is a patch you can get if you want it
M>earlier. See http://bugzilla.spamassassin.org/show_bug.cgi?id=4140
M>
I applied the patch last night, now every email from this list comes up with
SPF_FAIL, some also come up with SPF_HELO_PASS, will remove the patch when I
get back from work, since it doesn't seem to be working correctly.
Martin
Re: Removing SA headers
Posted by Matt Kettler <mk...@evi-inc.com>.
Mike Jackson wrote:
>
> As written, the rule would try to lock the spamassassin program, which
> might cause weird issues, and since it doesn't include the 'c' option
> it would simply throw away the message after removing the headers.
>
Thanks for the catch Mike. It's the details of what :0: vs :0 vs :0fc:
vs :0fw: do that I always forget about procmail. However, since I don't
even use procmail that's not very surprising :)
Re: Removing SA headers
Posted by Mike Jackson <mj...@barking-dog.net>.
> Something like this inserted after your main call to SA:
> :0:
> * ^X-Spam-Status: No
> | spamassassin -d
Change the first line from:
:0:
to:
:0fc
As written, the rule would try to lock the spamassassin program, which might
cause weird issues, and since it doesn't include the 'c' option it would
simply throw away the message after removing the headers.
Re: Need for a new rule?
Posted by Craig McLean <cr...@craig.dnsalias.com>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Andreas Davour wrote:
[snip]
| Are there any rule for this? Would one be hard do design? I haven't seen
| anything about is in the documentation. OR, I haven't understood what
| I've read...
I just wrote a bunch of obfu-rules with negative lookaheads and made
meta-rules out of them, nails anything like this because there is
generally no need to people to spell dollar with 2 |'s (or "will",
"overall" etc.)
Anyway, the attached might help a bit (with apologies for all the SA
installs which it may trigger)... Pointers, corrections etc. welcome as
always.
Regards,
Craig.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFCXZmkMDDagS2VwJ4RAohYAKDx631Ya2sxgwJ76vLCHFKgYwTLEQCeMkxE
IdzMVRyuNtJb+XR8x27k22Y=
=+tzz
-----END PGP SIGNATURE-----
Re: Need for a new rule?
Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, April 13, 2005, 1:42:10 PM, Stuart Johnston wrote:
> body L_STOX2 /st0ck\d{2}\s{0,4}\@\s{0,4}yahoo.com/i
FWIW, the st0ckNN @ yahoo.com spammer seems to have changed
back to 4 digits:
> If you wish to stop future mailings, or if you fee| you have been
> wrongful|y p|aced in our membership, p|ease go here or send a blank
> e mail with No Thanks in the subject to st0ck1007 @yahoo.com
So it's time to adjust/modify that filter again.
(I guess he was behind on his reading. Hi spammy! ;-)
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: Need for a new rule?
Posted by Stuart Johnston <st...@ebby.com>.
Andreas Davour wrote:
>
> The following message have many characteristics in common with much spam
> I've been getting lately. It's about investments, often shares, stock
> options or oil. One odd thing about those messages is that they all,
> like the one quoted below, have the letter 'l' substituted for the pipe
> character i.e. '|'.
>
> Are there any rule for this? Would one be hard do design? I haven't seen
> anything about is in the documentation. OR, I haven't understood what
> I've read...
>
> /Andreas
There have been several threads about this specific spammer in the last
few months. Some of them with this exact question - mostly the answer
is no.
> e mail with No Thanks in the subject to st0ck62 @ yahoo.com
It is much easier to match on this email address with something like:
body L_STOX2 /st0ck\d{2}\s{0,4}\@\s{0,4}yahoo.com/i
Re: Need for a new rule?
Posted by John Hardin <jo...@aproposretail.com>.
On Wed, 2005-04-13 at 13:22, Andreas Davour wrote:
> The following message have many characteristics in common with much spam
> I've been getting lately. It's about investments, often shares, stock
> options or oil. One odd thing about those messages is that they all,
> like the one quoted below, have the letter 'l' substituted for the pipe
> character i.e. '|'.
>
> Are there any rule for this? Would one be hard do design?
There are several tools available to generate obfuscated-word rules for
you. Here's the one I made:
http://www.impsec.org/email-tools/obfusc.pl
It reads a wordlist file containing data like:
million 1.0
and generates SA rulesets like:
# million @ 1.0
describe OBFU_WRD_071 obfuscated "million"
body OBFU_WRD_071 /\b(?!million)(?:m|([\/\|]\\\/[\|\\])|&\#(?:77|109);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);)(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[o0\xA9\xAE\xBC\xBD\xD2-\xD6\xD8\xF0\xF2-\xF6\xF8]|&o[a-z]+;|([(][)]))(?:[n\xD1\xF1]|(\|\\\|)|&\#(?:78|110);)/i
score OBFU_WRD_071 1.0
I've posted it here before, but thought it was worth a refresh given the
obfu questions that are popping up lately.
It doesn't catch obfuscations that include too many letters (e.g.
milllion) but could easily be altered to do so by adding a + after each
of the (?:gibberish) submatches. That would probably increase false
positives a bit.
--
John Hardin
Development and Technology group (Seattle)
CRS Retail Systems, Inc.
3400 188th Street SW, Suite 185
Lynnwood, WA 98037
voice: (425) 672-1304
fax: (425) 672-0192
email: jhardin@crsretail.com
web: http://www.crsretail.com
-----------------------------------------------------------------------
When freedom gives way to tyranny, it is not because tyranny comes
dressed as a wolf. Rather, it comes dressed as a shepherd,
pointing out other wolves. Go *read* the Patriot Act.
-----------------------------------------------------------------------
35 days until Revenge of the Sith
RE: Need for a new rule?
Posted by martin smith <ma...@ntlworld.com>.
M>-----Original Message-----
M>From: Andreas Davour [mailto:ante@Update.UU.SE]
M>Sent: 13 April 2005 21:23
M>Cc: users@spamassassin.apache.org
M>Subject: Need for a new rule?
M>
M>
M>The following message have many characteristics in common with much
M>spam I've been getting lately. It's about investments, often shares,
M>stock options or oil. One odd thing about those messages is that they
M>all, like the one quoted below, have the letter 'l' substituted for
M>the pipe character i.e. '|'.
M>
M>Are there any rule for this? Would one be hard do design? I haven't
M>seen anything about is in the documentation. OR, I haven't understood
M>what I've read...
M>
M>/Andreas
I have a couple of rules I have written to catch these spams, still catching
plenty right now but who knows how long for:-
body MS_Hide_Yahoo /(?: \@yahoo\.com\b|\@ yahoo.com\b)/i score MS_Hide_Yahoo
4.5 describe MS_Hide_Yahoo Attempt to hide yahoo email address
body __MS_Oil_Stock1 /\bo.l and gas\b/i
body __MS_Oil_Stock2 /(?:\b\(?EOGI|\b\(?MOGI|\b\(?TDCP|\b\(?MEGJ)/i
body __MS_Oil_Stock3 /(?:\bEmerson|\bmontana|\bAdeptrader|\bAtheletic)/i
uri __MS_Oil_Stock4 /http\:\/\/finance\.yahoo\.com/i
body __MS_Ins_Stock1
/(?:\bGRDX|\b3DIcon|\bConclusion|\binvestments?|\bmarket value)/i
body __MS_Ins_Stock2 /(?:\bPenny St.ck|\bBuy Low|\bCurrent Price)/i
body __MS_Ins_Stock3
/(?:jeff.[0-9]{1,4}\@\b|\bst(?:0|o)cks?[0-9]{0,4}\@\b|\bNo Thanks)/i
body __MS_Ins_Stock4 /(?:\bst0ck|\bprice \$|\bdollars)/i
meta MS_Stock ((__MS_Oil_Stock1 + __MS_Oil_Stock2 + __MS_Oil_Stock3 +
__MS_Oil_Stock4 + __MS_Ins_Stock1 + __MS_Ins_Stock2 + __MS_Ins_Stock3 +
__MS_Ins_Stock4) > 2)
score MS_Stock 5.0
describe MS_Stock Investment Stock Spam
Make allowance for word-wrap, not sure how legible they will be.
Martin
Need for a new rule?
Posted by Andreas Davour <an...@Update.UU.SE>.
The following message have many characteristics in common with much spam
I've been getting lately. It's about investments, often shares, stock
options or oil. One odd thing about those messages is that they all,
like the one quoted below, have the letter 'l' substituted for the pipe
character i.e. '|'.
Are there any rule for this? Would one be hard do design? I haven't seen
anything about is in the documentation. OR, I haven't understood what
I've read...
/Andreas
-------------------------------------------------------------------
>From szpqknp@ansun.net Wed Apr 13 14:31:31 2005
Return-Path: <sz...@ansun.net>
X-Original-To: ante@update.uu.se
Delivered-To: ante@update.uu.se
Received: from localhost (localhost [127.0.0.1])
by Psilocybe.Update.UU.SE (Postfix) with ESMTP id B092238015;
Wed, 13 Apr 2005 14:31:31 +0200 (CEST)
Received: from Psilocybe.Update.UU.SE ([127.0.0.1])
by localhost (Psilocybe [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id 02475-01-2; Wed, 13 Apr 2005 14:31:29 +0200 (CEST)
Received: from 130.238.19.25 (unknown [221.127.33.157])
by Psilocybe.Update.UU.SE (Postfix) with SMTP id 0E66138014;
Wed, 13 Apr 2005 14:31:20 +0200 (CEST)
Received: from story
(IPSN-180-793.boss-it.com [207.183.238.26] (may be forged))
by armoire.boss-it.com (MOS 3.6.9-GR) with ESMTP id DUP56382 (AUTH story-00)
; Wed, 13 Apr 2005 18:25:11 +0600 (IST)
Date: Wed, 13 Apr 2005 13:28:11 +0100
From: "Arline Mckinney" <sz...@ansun.net>
Subject: Market alerts generate the investor's leading edge
To: <lt...@update.uu.se>
References: <NR...@arumc.org>
In-Reply-To: <NR...@arumc.org>
Message-ID: <64...@story.boss-it.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7Bit
Date: Wed, 13 Apr 2005 14:31:20 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
Psilocybe.Update.UU.SE
X-Spam-Level: ****
X-Spam-Status: No, score=4.5 required=5.0 tests=RCVD_HELO_IP_MISMATCH,
RCVD_NUMERIC_HELO autolearn=no version=3.0.2
The Oil and Gas Advisory
Now that Oil and Gas has entered a long-term bul| market,
our specia|ty in pinpointing the hottest companies of the few remaining
undervalued energy plays has produced soaring returns.
Emerson Oil and Gas (EOGI) is an energy developer in the US "Oi| Be|t"
and in Canada's most highly coveted reservoirs with generating
potential of Millions per week.
Breaking NEws!!!
Emerson Oi| and Gas Identifies Lease 0pp0rtunity in South Texas
Providing 0pp0rtunity
for 22-Well Re-entry in Fie|d with Strong Producing History and Large
Recoverab|e Reserves
South Texas in a |arge existing field that was discovered and dril|ed
by major oil companies
in the 1970s.The field is established with substantial recoverab|e
reserves, estimated at over
3.9 mil|ion barre|s of oi| and about 2 bil|ion cubic ft. of gas in the
two pay zones.
Symbol - EOGI
Price - .065
The value of EOGI's shares wi|| skyrocket:
1. Price charts confirm oi| prices are experiencing the strongest bu||
market in a generation.
2. Natural Gas prices have tripled in the last two years.
3. With multip|e projects in high-gear and the expanding production on
reserves worth multi-mi|lions, EOGI is se||ing for |ess than 1/4 the
va|ue of its assets.
4. Emerson Oil and Gas specializes in using new techno|ogy to turn
unproductive oil and gas deposits into profitab|e enterprises.
Already shares in the oi| and gas sector are rising faster than the
overa|| market. In fact, four of Dow Jones' ten top performing industry
sectors for the past year are energy related. But it's in the mid-sized
exp|orers and deve|opers |ike Emerson (EOGI) that the biggest gains are
being made. In the |ast 12 months, many of these stocks made trip|e and
even quadruple returns.
Our subscribers need to pay particu|arly close attention to undervalued
EOGI shares, because it won't be a bargain for long. This small company
with a comparab|y smal| market va|ue, is sitting on a bonanza of oi|
and gas reserves - an unrecognized bonus for investors especia||y with
the dai|y jump in energy prices.
But a|| that wi|l change in a few short weeks, as these reserves move
into production, bringing an exp|osion of cash that is expected to
capture the attention of the market, and have an equal|y explosive
effect on the share price.
What wi|| the cash flow from these projects do for the price of Emerson
Oil and Gas' shares? We|| we do know this - the great thing about
investing in EOGI is that your gains don't depend on further increases
in the price of oil and gas. Even if energy prices stay f|at, or
dec|ine
slight|y, you wi|l still make a very healthy return. Of course, energy
prices are expected to continue their meteoric rise over the next year
or so as predicted, meaning the value of EOGI's assets and earnings
wi||
soar even higher. In that case, the reward for investors wil| be
staggering.
Overa||, we consider EOGI to be one of the |ast outstanding energy
p|ays in the oil and gas sector. Once this discovery has been realized,
EOGI shares wi|| surge sharp|y on heavy investor attention. We have
identified this discovery for immediate accumu|ation. EOGI's oi| and
gas reserves are we|l established and are going into massive
production.
Early investors wil| secure optimum gains, and any additional news in
this
area will rea||y turn up the heat, causing us to revise our targets
upward in next week's bulletin.
Oil and Gas Advisory (OGA) is not a investment expert. Certain
statements contained in this news|etter may be future-|ooking
statements within the meaning of The Private Securities Litigation
Reform Act of 1995.
Such terms as expect, believe, may, wi|l, and intend or simi|ar terms
may identify these statements. Past-performance is not an indicator of
future-resu|ts. This is not an expert to acquire or se|| securities.
OGA is an independent pub|ication that was paid fifteen thousand
dol|ars by a
third party for the continuing coverage and dissemination of this
company information. Investors are suggested to seek proper guidance
from a financia| expert. Investors should use the information provided
in this
newsletter as a starting point for gathering additiona| information on
the profi|ed company to a||ow the investor to form their own opinion
regarding investment.
If you wish to stop future mailings, or if you fee| you have been
wrongfu|ly placed in our membership, please go here or send a blank
e mail with No Thanks in the subject to st0ck62 @ yahoo.com
--
A: Because it fouls the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
Re: Removing SA headers
Posted by ".rp" <pr...@moveupdate.com>.
On 12 Apr 2005 at 13:51, Matt Kettler wrote:
> No, you can use a procmail rule to funnel the non-spam messages into
> spamassassin -d, which will remove the markup.
>
Thank you, that is what I did,
:0fw:clearSA.lck
* ^X-Spam-Status: No
| spamassassin -d
Re: Removing SA headers
Posted by Matt Kettler <mk...@evi-inc.com>.
.rp wrote:
>SA 2.64
>sendmail 8.13
>procmail
>
>SA is being called in the system wide procmail and not as a milter.
>I would like to strip the SA X- headers for those emails that are not
>considered spam. Is formail the only way to do this?
>
>
>
No, you can use a procmail rule to funnel the non-spam messages into
spamassassin -d, which will remove the markup.
Take a look around at some of the procmail rules for funneling spam into
/dev/null and change it to funnel nonspam into spamassassin -d.
Something like this inserted after your main call to SA:
:0:
* ^X-Spam-Status: No
| spamassassin -d
WARNING: I'm not a procmail user, so I'm not sure that's 100% correct,
but it's the general idea
Re: Removing SA headers
Posted by Andy Jezierski <aj...@stepan.com>.
".rp" <pr...@moveupdate.com> wrote on 04/12/2005 12:28:29 PM:
> SA 2.64
> sendmail 8.13
> procmail
>
> SA is being called in the system wide procmail and not as a milter.
> I would like to strip the SA X- headers for those emails that are not
> considered spam. Is formail the only way to do this?
>
Perhaps the following added to your local.cf
remove_header { spam | ham | all } header_name
Headers can be removed from the specified type of messages
(spam,
ham, or "all" to remove from either). All headers begin with
"X-Spam-" (so "header_name" will be appended to "X-Spam-").
See also "clear_headers" for removing all the headers at once.
Note that X-Spam-Checker-Version is not removable because the
ver-
sion information is needed by mail administrators and
developers to
debug problems. Without at least one header, it might not even
be
possible to determine that SpamAssassin is running.
Andy
Removing SA headers
Posted by ".rp" <pr...@moveupdate.com>.
SA 2.64
sendmail 8.13
procmail
SA is being called in the system wide procmail and not as a milter.
I would like to strip the SA X- headers for those emails that are not
considered spam. Is formail the only way to do this?
Re: about SPF
Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
Arvinn Løkkebakken wrote:
> I have two questions about the SPF plugin in SA.
> What is the difference between FAIL and SOFTFAIL on Helo? When running
> SA with bayes and network FAIL scores close to zero while SOFTFAIL
> gives a solid 3.1. Does FAIL hit a lot of ham? According to my stats,
> SPF_HELO_FAIL gets triggered about as often as SPF_HELO_SOFTFAIL does.
> But I haven't looked to deep after false positives.
>
Scores for all tests are determined by automated processes.
> Next question. On my qmail-scanner server (in the middle between
> front-end MX and bakend final destination) only the Helo SPF checks
> gets triggered. I have a few thousand hits of SPF_HELO_* every day but
> zero of the other SPF checks.
> My front-end MX servers are running Qmail and trusted_network and
> internal_network is set properly. Does it have to do with format of
> the Received headers created by Qmail?
>
I had the same problem. It turns out that if the email is being
relayed through trusted or internal hosts, SA will skip the SPF checks
on the belief that it cannot trust that one of those hosts hasn't
changed the envelope headers. I ended up opening an enhancement
request to allow an option to get SA to run the SPF checks if the admin
is sure that the envelope headers are not being altered. This will
appear in 3.1, but there is a patch you can get if you want it
earlier. See http://bugzilla.spamassassin.org/show_bug.cgi?id=4140
Kevin