You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by franc <fr...@gmx.net> on 2010/09/16 11:53:40 UTC
Blacklist for spam-words
Hello,
i don't know spamassassin not very well, i am using 3.2.4 on Ubuntu 8.04
LTS.
I need a textfile where i can put in blacklist-words like "Viagra",
"Chronometer", "Zeitmesser" and so on, if an email has one of this words,
this email should directly put to the "Spam"-folder.
Is this possible?
Thank you,
Regards, franc
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29726548.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
Posted by Lucio Chiappetti <lu...@lambrate.inaf.it>.
On Thu, 16 Sep 2010, franc wrote:
> I need a textfile where i can put in blacklist-words like "Viagra",
> "Chronometer", "Zeitmesser" and so on, if an email has one of this
> words, this email should directly put to the "Spam"-folder.
Are you sure you want to embark in a project like that and will have the
patience to mantain it ? It will be a real pain ...
I tried something like that with procmail rules in conjunction with
"SpamBouncer" which was a public domain procmail-based tool, but I was
quite happy when we installed a sitewide spamassassin at our institute.
Nowadays I still use procmail for some other kind of filtering, and that
includes also filtering suspect spam which leaks through spamassassin.
What I do is saving them into a few levels of separate folders according
to "residual spammosity". I check the few which go there once per day, and
feed the real spam into one collective folder, which is then fed to a
sitewide crontab which is learned by Bayes.
There are a few cases in which I add patterns which repeat often to a
procmail rule which feeds directly into such top spammosity folder. THAT,
combined somehow with the fact our spamassin uses Razor and DCC, quenches
the particular kind of spam in a few days.
http://sax.iasf-milano.inaf.it/~lucio/Procmail/
--
------------------------------------------------------------------------
Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
------------------------------------------------------------------------
Italian Research at risk. La Ricerca italiana a rischio !
see http://sax.iasf-milano.inaf.it/~lucio/WWW/Opinions/nobrain.html cfr.
Re: Blacklist for spam-words
Posted by Benny Pedersen <me...@junc.org>.
On tor 16 sep 2010 17:41:05 CEST, John Hardin wrote
> that result), you should try upgrading to the latest release. 3.2.4
> is several years stale and is not getting any rule updates. Its
> performance _will_ deteriorate over time as the nature of spam
> changes.
agree, but if the host os still have 3.2.4 as the latest, he is stock,
rules updates was imho meant to avoid that stale versions that live
longer then i do :)
not all users install from cpan or even sources
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
Hi , in you sources.list you have 2 lines
#deb http://archive.ubuntu.com/ubuntu/ hardy-backports main restricted
universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu/ hardy-backports main
restricted universe multiverse
Uncomment that lines and try to
apt-get update && apt-get upgrade
This upgrade install the spamassassin like to me
spamassassin -V
SpamAssassin version 3.2.5
running on Perl version 5.8.8
Before I use the older version 10 minutes ago I upgraded it to new version .
Or if is possible you can upgrade 8.04 LTS to 10.04 LTS but if you not
have many accounts .
I will update with cpan, leaving this not maintained hardy installation of
sa.
If i could update ubuntu to 10.04 i would do it, but i hardly think that is
possible on my vps without big problems to my customers and me..
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29735980.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
Posted by "Sergey Tsabolov ( aka linuxman )" <se...@greeklug.gr>.
Hi , in you sources.list you have 2 lines
#deb http://archive.ubuntu.com/ubuntu/ hardy-backports main restricted
universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu/ hardy-backports main
restricted universe multiverse
Uncomment that lines and try to
apt-get update && apt-get upgrade
This upgrade install the spamassassin like to me
spamassassin -V
SpamAssassin version 3.2.5
running on Perl version 5.8.8
Before I use the older version 10 minutes ago I upgraded it to new version .
Or if is possible you can upgrade 8.04 LTS to 10.04 LTS but if you not
have many accounts .
στις 16/09/2010 06:47 μμ, O/H franc έγραψε:
>
>> But before you go trying to play whack-a-mole
>> with lists of poison-pill words (and deal with the FPs that result), you
>> should try upgrading to the latest release.
>>
>
> I would like to update spamassassin, but how?
>
>
--
--------------------------------------------------------------------------------------
Don't send me documents in .doc , .docx, .xls, .ppt . , .pptx
Send it with ODF format : .odt , .odp , .ods or .pdf .
Try to use Open Document Format : http://www.openoffice.org/
Save you money& use GNU/Linux Distro http://distrowatch.com/
-----------------------------------------------------------------------------------------
Re: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
OK, i updated it with cpan after uninstalling.
But i had to change something in amavis-new, according to:
http://o-o-s.de/?p=2735
And now my sa-config is in /etc/mail/spamassassin.
Before, it was one level higher, which is really not important.
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29744006.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
Posted by Dominic Benson <do...@lenny.cus.org>.
On 17/09/10 11:21, franc wrote:
>
>> In that case, uninstalling Spamassassin from Apt (and then doing an
>> apt-get --autoremove to clear out Perl libs installed through apt/dpkg)
>> and re-installing with CPAN should be fine, and you'll be able to keep
>> it up to date.
>>
> I use aptitude, is this the same then? Will this uninstall all Perl? Because
> i need this for other things.
>
Aptitude does it by default. It won't uninstall Perl, but it will remove
Perl libraries that were brought in as dependencies of SA through
apt[itude]. As those libraries would also be installed by CPAN as
dependencies (possibly newer versions), you want them out of the way so
there is no conflict/confusion between the versions. It's the same
reason that it is a bad idea to install one way then upgrade another.
Re: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
> In that case, uninstalling Spamassassin from Apt (and then doing an
> apt-get --autoremove to clear out Perl libs installed through apt/dpkg)
> and re-installing with CPAN should be fine, and you'll be able to keep
> it up to date.
I use aptitude, is this the same then? Will this uninstall all Perl? Because
i need this for other things.
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29736988.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
Posted by "Sergios T.S.(aka linuxman)" <se...@greeklug.gr>.
στις 17/09/2010 12:55 μμ, O/H Dominic Benson έγραψε:
> On 17/09/10 10:42, franc wrote:
>> I doubt if this is possible on a VPS. At least the kernel is not
>> changeable
>> because coming from the host and is old enough (2.6.9). I guess an
>> update to
>> Lucid Lynx (10.04) will be if not unpossible but problematic.
Not is not be problematic the most of upgrade .
When in operation of upgrade ask you to change some files on host say no
keep the default not change with new files , just with this way the
upgrade not be problematic .
An one question , you use Cpanel on Ubuntu ? I know cpanel not
compatible with Debian based Distros
>>
>> So if i use CPAN and keep my Hardy Heron, there won't be problems or
>> yes?
>
> Yes, you're right, you won't be able to upgrade to Lucid. Sorry, I
> didn't notice you were using a VPS.
>
> In that case, uninstalling Spamassassin from Apt
Not need to uninstalling Spamassassin from Apt
Just open backpports sources and give one command
apt-get update && apt-get upgrade
And you upgrade to SpamAssassin to version 3.2.5
> (and then doing an apt-get --autoremove to clear out Perl libs
> installed through apt/dpkg) and re-installing with CPAN should be
> fine, and you'll be able to keep it up to date.
>
> Dominic
>
--
---------------------------------------------------------------
Don't send me documents in .doc , .docx, .xls, .ppt , .pptx .
Send it with ODF format : .odt , .odp , .ods or .pdf .
Try to use Open Document Format : http://el.openoffice.org/
Save you money and use GNU/Linux Distro http://distrowatch.com/
--------------------------------------------------------------
Re: Blacklist for spam-words
Posted by Dominic Benson <do...@lenny.cus.org>.
On 17/09/10 10:42, franc wrote:
> I doubt if this is possible on a VPS. At least the kernel is not changeable
> because coming from the host and is old enough (2.6.9). I guess an update to
> Lucid Lynx (10.04) will be if not unpossible but problematic.
>
> So if i use CPAN and keep my Hardy Heron, there won't be problems or yes?
>
Yes, you're right, you won't be able to upgrade to Lucid. Sorry, I
didn't notice you were using a VPS.
In that case, uninstalling Spamassassin from Apt (and then doing an
apt-get --autoremove to clear out Perl libs installed through apt/dpkg)
and re-installing with CPAN should be fine, and you'll be able to keep
it up to date.
Dominic
Re: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
>
> If you can, upgrade to Lucid. If you can't - and don't ever plan to
> upgrade the machine to a later Ubuntu release - then you could uninstall
> and then install via CPAN, but I would fairly strongly recommend against
> doing that if you have any intention of upgrading it in the future. In
> my experience it causes a bit of a mess!
I doubt if this is possible on a VPS. At least the kernel is not changeable
because coming from the host and is old enough (2.6.9). I guess an update to
Lucid Lynx (10.04) will be if not unpossible but problematic.
So if i use CPAN and keep my Hardy Heron, there won't be problems or yes?
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29736736.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
Posted by Dominic Benson <do...@lenny.cus.org>.
> This is just what i noticed: there is no Ubuntu package update after the
> 3.2.4-ubu1 related to:
>
> http://packages.ubuntu.com/de/hardy/spamassassin
>
> But how then to update? Can i use a package for Ubuntu Maverick (10.10) or
> is this the absolute wrong way?
>
If you add hardy-backports to your apt sources you can upgrade to 3.2.5,
but I don't know of a maintained 3.3.x package source for Hardy.
If you can, upgrade to Lucid. If you can't - and don't ever plan to
upgrade the machine to a later Ubuntu release - then you could uninstall
and then install via CPAN, but I would fairly strongly recommend against
doing that if you have any intention of upgrading it in the future. In
my experience it causes a bit of a mess!
Dominic
Re: Blacklist for spam-words
Posted by Benny Pedersen <me...@junc.org>.
On tor 16 sep 2010 18:08:46 CEST, franc wrote
> http://packages.ubuntu.com/de/hardy/spamassassin
>
> But how then to update? Can i use a package for Ubuntu Maverick (10.10) or
> is this the absolute wrong way?
ask a ubuntu maintainer, make a request for this in lunchpad seems to
me next step
if you like to get dirty hands self, you can enable dep-src from 10.10
in ubuntu 8, and make your own maintained dep file that way, when
maked, it will follow updates that way, but you will save time
upgrading whole 8.x of ubuntu
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
> Unfortunately Canonical probably is _not_ going to provide official SA
> 3.3.x packages for Ubuntu 8.x...
This is just what i noticed: there is no Ubuntu package update after the
3.2.4-ubu1 related to:
http://packages.ubuntu.com/de/hardy/spamassassin
But how then to update? Can i use a package for Ubuntu Maverick (10.10) or
is this the absolute wrong way?
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29730146.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
Posted by John Hardin <jh...@impsec.org>.
On Thu, 16 Sep 2010, franc wrote:
>> But before you go trying to play whack-a-mole with lists of poison-pill
>> words (and deal with the FPs that result), you should try upgrading to
>> the latest release.
>
> I would like to update spamassassin, but how?
The rule for reliability is "update the way you installed" - if you
installed from your distro's repository, then update from there, if you
installed from CPAN, then update from there.
Unfortunately Canonical probably is _not_ going to provide official SA
3.3.x packages for Ubuntu 8.x, so you're likely looking at either finding
a third-party repository of Ubuntu 8.x packages that includes current SA,
or uninstalling the natively-packaged SA and reinstalling from CPAN -
which means updating SA in the future will be a manual process from CPAN.
Somebody else on-list may be running Ubuntu 8.x and can offer more
specific advice, or you could ask on the Ubuntu support groups/forums
about how to update to current SA on Ubuntu 8.x
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
End users want eye candy and the "ooo's and aaaahhh's" experience
when reading mail. To them email isn't a tool, but an entertainment
form. -- Steve Lake
-----------------------------------------------------------------------
Tomorrow: the 223rd anniversary of the signing of the U.S. Constitution
Re: Blacklist for spam-words
Posted by Benny Pedersen <me...@junc.org>.
On tor 16 sep 2010 20:37:07 CEST, franc wrote
> yes, spamassassin is the only thing to upgrade at the moment.
> I am running Ubuntu 8.04 LTS (Hardy Heron) and i installed spamassassin with
> aptitude.
then i will suggest to try here
https://launchpad.net/hardy-backports
make a request for upgrade atleast to 3.2.5 if there is a maintainer
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
> are spamassassin the only thing you like to upgrade ?
>
> what os are you running ?, and what package managedment rpm ?, cpan ?,
> lastly dont mix cpan with rpm
yes, spamassassin is the only thing to upgrade at the moment.
I am running Ubuntu 8.04 LTS (Hardy Heron) and i installed spamassassin with
aptitude.
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29731696.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
Posted by Benny Pedersen <me...@junc.org>.
On tor 16 sep 2010 17:47:12 CEST, franc wrote
>> But before you go trying to play whack-a-mole
>> with lists of poison-pill words (and deal with the FPs that result), you
>> should try upgrading to the latest release.
> I would like to update spamassassin, but how?
42, na not this time, tell more on how you did install it in the first
time, upgrade route must not change to another way of installing
are spamassassin the only thing you like to upgrade ?
what os are you running ?, and what package managedment rpm ?, cpan ?,
lastly dont mix cpan with rpm
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
> But before you go trying to play whack-a-mole
> with lists of poison-pill words (and deal with the FPs that result), you
> should try upgrading to the latest release.
I would like to update spamassassin, but how?
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29729910.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Blacklist for spam-words
Posted by John Hardin <jh...@impsec.org>.
On Thu, 16 Sep 2010, franc wrote:
> i don't know spamassassin not very well, i am using 3.2.4 on Ubuntu 8.04
> LTS.
>
> I need a textfile where i can put in blacklist-words like "Viagra",
> "Chronometer", "Zeitmesser" and so on, if an email has one of this
> words, this email should directly put to the "Spam"-folder.
>
> Is this possible?
Certainly it's possible. But before you go trying to play whack-a-mole
with lists of poison-pill words (and deal with the FPs that result), you
should try upgrading to the latest release. 3.2.4 is several years stale
and is not getting any rule updates. Its performance _will_ deteriorate
over time as the nature of spam changes.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
End users want eye candy and the "ooo's and aaaahhh's" experience
when reading mail. To them email isn't a tool, but an entertainment
form. -- Steve Lake
-----------------------------------------------------------------------
Tomorrow: the 223rd anniversary of the signing of the U.S. Constitution
RE: Blacklist for spam-words
Posted by Giles Coochey <gi...@coochey.net>.
> You may setup a regexp rule in the /etc/local.cf file of your SA
> installation, but a simple rule like the one you suggest may easily yield
> FPs (False Positives, ie: non-spam messages may get into your trashcan).
>
> What if a friend of yours sends you an email asking to lend your
> chronometer...
>
My favorite FP is speCIALISt
RE: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
> You're probably too late, Matus: you've got into his trash folder... ;)
> From: Matus UHLAR - fantomas [mailto:uhlar@fantomas.sk]
> > > What if a friend of yours sends you an email asking to lend your
> > > chronometer...
------^
haha, this one is good!
:-)
But anyway, i didn't put an "i" to the rule, so only "Chronometer" will fit.
And i just add 5 to the sa-score.
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29731807.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
RE: Blacklist for spam-words
Posted by Giampaolo Tomassoni <Gi...@Tomassoni.biz>.
You're probably too late, Matus: you've got into his trash folder... ;)
> From: Matus UHLAR - fantomas [mailto:uhlar@fantomas.sk]
> > > What if a friend of yours sends you an email asking to lend your
> > > chronometer...
------^
> > This is very unlikely because i have none. So even if he asked, it
> were in
> > vain :-)
> >
> > > SA goes farther than your simple idea. Have a look at how Bayes
> works, and
> > > all the available SA plugins.
>
> On 16.09.10 03:26, franc wrote:
> > I trained SA since months with all those chronometer-zeitmesser-spam
---------------------------------------------^-----------^
Re: Blacklist for spam-words
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > What if a friend of yours sends you an email asking to lend your
> > chronometer...
>
> This is very unlikely because i have none. So even if he asked, it were in
> vain :-)
>
> > SA goes farther than your simple idea. Have a look at how Bayes works, and
> > all the available SA plugins.
On 16.09.10 03:26, franc wrote:
> I trained SA since months with all those chronometer-zeitmesser-spam and
> only 5% is now set to spam.
> I want to get rid of it immediately.
were you able to filter out different kinds of spam? If you use any possible
rules (mostly those network-based), you should be able to filter out most of
spam.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?
RE: Blacklist for spam-words
Posted by Benny Pedersen <me...@junc.org>.
On tor 16 sep 2010 13:59:39 CEST, Giampaolo Tomassoni wrote
>> want to get rid of it immediately.
>
> Well, you may try putting this into /etc/spamassassin/local.cf, then:
>
> describe FORBWORDS Matches some forbidden words (dangerous)
> body __FORBWORDS /\W(?:viagra|chronometer|zeitmesser)/i
> score FORBWORDS 10.0
meta FORBWORDS (__FORBWORDS && !SPF_PASS && !SPF_HELO_PASS)
fun must go on :=)
> But please then don't complain if you'll lose some messages from this
> thread... ;)
make better rules so he wont :)
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
RE: Blacklist for spam-words
Posted by Giampaolo Tomassoni <Gi...@Tomassoni.biz>.
> > SA goes farther than your simple idea. Have a look at how Bayes
> works, and
> > all the available SA plugins.
>
> I trained SA since months with all those chronometer-zeitmesser-spam
> and
> only 5% is now set to spam.
> I want to get rid of it immediately.
Well, you may try putting this into /etc/spamassassin/local.cf, then:
describe FORBWORDS Matches some forbidden words (dangerous)
body FORBWORDS /\W(?:viagra|chronometer|zeitmesser)/i
score FORBWORDS 10.0
But please then don't complain if you'll lose some messages from this
thread... ;)
Re: Identifying the real problem (was: Re: Blacklist for
spam-words)
Posted by Benny Pedersen <me...@junc.org>.
On tor 16 sep 2010 23:19:34 CEST, franc wrote
> OK, i put now till i am sure there is no more FP the threshold on -, 5, 10,
> 15 so between 5 and 10 it is delivered into the spam-folder, and with 10 it
> is bounced.
rejected please, eg dont accept and bouce
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Identifying the real problem
Posted by mouss <mo...@ml.netoyen.net>.
Le 17/09/2010 00:34, Karsten Bräckelmann a écrit :
> [snip]
>> I had in amavis-conf:
>>
>> $final_spam_destiny = D_BOUNCE;
>> $final_banned_destiny = D_BOUNCE;
>>
>> should be much better like this:
>>
>> $final_spam_destiny = D_REJECT;
>> $final_banned_destiny = D_REJECT;
>>
>> It was default with D_BOUNCE so i used this. But you are very right, the
>> bounce is old (according to the Postfixbook from heinlein) and i put reject
>> now. Thanks again!
> Thank you for fixing this. :) One less backscatter source on the net.
>
>
not sure. if his amavisd runs after mail was queued (for example, if it
was run as a content_filter in postfix), then D_REJECT will cause _his_
MTA to send a bounce, thus the backscatter.
So most probably, he is still a potential outscatter source.
Unless he is using amavisd-new to filter mail during the smtp
transaction (with the remote/foreign client), which is uncommon, the
only possible choices are pass, quarantine or discard.
Re: Identifying the real problem (was: Re: Blacklist for
spam-words)
Posted by franc <fr...@gmx.net>.
The next thing i just discovered is:
$final_bad_header_destiny = D_PASS;
with this rule, each Subject, containing 8-Bit, is sent to the quarantine
folder.
I didn't know this and now i am discovering many emails in the quarantine
which were no spam at all :-)
I commented it out:
# $final_bad_header_destiny = D_PASS;
and i think now the bad-header-mails are sent to the postbox and not to the
orkus. i hope.
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29733698.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Identifying the real problem (was: Re: Blacklist for
spam-words)
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-09-16 at 15:10 -0700, franc wrote:
> > I seriously hope you just mis-worded that. Bounce!? That would be after
> > *accepting* a message, and with spam generally will be bounced to a
> > forged, innocent bystander -- not the spammer. So please, tell me you
> > actually meant to say REJECT. That is, not accept by the MX.
>
> No, i didn't know it better, i had D_BOUNCE indeed!
Well, I don't really know Amavis, so I don't know what this does
precisely, but in general...
Bounce, also known as backscatter in the context of spam -- just in case
you need more search terms. ;)
The important difference is, that REJECTing on the MX (the outside, evil
network facing SMTP) will just not ACCEPT the message. Once you accepted
a message, you take responsibility for it. You are free to review that
crap, or even route it straight to the bin bucket. It's yours, and the
ball is on your side. However, bouncing it "back" to some address you
cannot possibly know is the real sender...
> I had in amavis-conf:
>
> $final_spam_destiny = D_BOUNCE;
> $final_banned_destiny = D_BOUNCE;
>
> should be much better like this:
>
> $final_spam_destiny = D_REJECT;
> $final_banned_destiny = D_REJECT;
>
> It was default with D_BOUNCE so i used this. But you are very right, the
> bounce is old (according to the Postfixbook from heinlein) and i put reject
> now. Thanks again!
Thank you for fixing this. :) One less backscatter source on the net.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Identifying the real problem (was: Re: Blacklist for
spam-words)
Posted by franc <fr...@gmx.net>.
> I seriously hope you just mis-worded that. Bounce!? That would be after
> *accepting* a message, and with spam generally will be bounced to a
> forged, innocent bystander -- not the spammer. So please, tell me you
> actually meant to say REJECT. That is, not accept by the MX.
No, i didn't know it better, i had D_BOUNCE indeed!
I had in amavis-conf:
$final_spam_destiny = D_BOUNCE;
$final_banned_destiny = D_BOUNCE;
should be much better like this:
$final_spam_destiny = D_REJECT;
$final_banned_destiny = D_REJECT;
It was default with D_BOUNCE so i used this. But you are very right, the
bounce is old (according to the Postfixbook from heinlein) and i put reject
now. Thanks again!
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29733474.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Identifying the real problem (was: Re: Blacklist for
spam-words)
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-09-16 at 14:19 -0700, franc wrote:
> OK, i put now till i am sure there is no more FP the threshold on -, 5, 10,
> 15 so between 5 and 10 it is delivered into the spam-folder, and with 10 it
> is bounced.
>
> I think after a while i will know if i can put 2,5,6.31,10 or something like
> this.
Well, I would (and actually do on a couple systems still happily running
3.2) use the default threshold of 5.
For classifying as spam, just as you do, and delivery into a dedicated
spam folder for users to review the stuff. And rescue FPs -- though
honestly, the only one I've seen in years is the occasional PayPal
general terms and conditions update.
FWIW, a threshold of 2 would be too low, and will result in FPs.
I guess I would be too paranoid to reject on a threshold of 10. I used
to think 15, but recently tend to lean towards 12 as the cut-off.
Anyway... ;)
I seriously hope you just mis-worded that. Bounce!? That would be after
*accepting* a message, and with spam generally will be bounced to a
forged, innocent bystander -- not the spammer. So please, tell me you
actually meant to say REJECT. That is, not accept by the MX.
> Thank you for the hints!
NP. And just for next time, if you're having issues with some particular
software, try to explain the issue. After figuring out the root cause,
the collective audience most likely can tell you what to do.
Asking how to do $something, which does not directly tackle your issue,
usually will only serve as a band-aid. Not a fix.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Identifying the real problem (was: Re: Blacklist for
spam-words)
Posted by franc <fr...@gmx.net>.
OK, i put now till i am sure there is no more FP the threshold on -, 5, 10,
15 so between 5 and 10 it is delivered into the spam-folder, and with 10 it
is bounced.
I think after a while i will know if i can put 2,5,6.31,10 or something like
this.
Thank you for the hints!
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29733116.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Identifying the real problem (was: Re: Blacklist for
spam-words)
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-09-16 at 11:32 -0700, franc wrote:
> > ... Do you train *both*, spam *and* ham? Any chance these
> > have been trained incorrectly before? What Bayes score do they actually
> > get? The X-Spam-Status header would be sufficient to see.
> >
> > The few lines of 'sa-learn --dump magic' would be good, too. Oh, and you
> > are training Bayes as the same user SA checks the mail for, right?
>
> Yes, i trained both. By the way, i use spamassassin with amavis.
> This is my bayes result:
So you trained (manually) as the amavis user, using the system-wide
Bayes DB, right?
> ~# sa-learn --dbpath /var/lib/amavis/.spamassassin/bayes --dump magic
> 0.000 0 3 0 non-token data: bayes db version
> 0.000 0 3270 0 non-token data: nspam
> 0.000 0 8809 0 non-token data: nham
> 0.000 0 120576 0 non-token data: ntokens
You need to train on more spam.
> I know, that just some blacklisted words are really not the solution. So i
> put the threshold of spam lower in amavis conf:
>
> $sa_tag_level_deflt = undef;
> $sa_tag2_level_deflt = 6.31;
> $sa_kill_level_deflt = 15;
> $sa_dsn_cutoff_level = 25;
>
> A typical score of a "Uhren"-mail is:
>
> X-Virus-Scanned: Debian amavisd-new at ew6.org
> X-Amavis-Alert: BAD HEADER, Duplicate header field: "Cc"
> X-Spam-Flag: NO
> X-Spam-Score: 12.989
Err... a SA score of ~13 and status not spam. *sigh* See, you just
needed to identify your real problem. *THIS* is it.
The SA default spam threshold is 5. Everything exceeding that threshold
is classified spam. Five. So this example would have been caught no
problem by vanilla SA.
The scores of the individual rules have been set with that default
threshold of 5 in mind. Raising it *slightly* is OK, if you want to stay
even more on the FP-safe side. Raising it like the above shows is just
plain wrong. And it is the reason for your problem of not catching this
spam.
> X-Spam-Level: ************
> X-Spam-Status: No, score=12.989 required=15 tests=[BAYES_99=3.5,
> DNS_FROM_OPENWHOIS=1.13, HTML_MESSAGE=0.001, PYZOR_CHECK=3.7,
> RCVD_IN_PBL=0.905, RCVD_IN_SORBS_HTTP=0.001, RCVD_IN_SORBS_WEB=0.619,
> RCVD_IN_XBL=3.033, RDNS_NONE=0.1]
No URI DNSBL hits here, but that does not necessarily indicate an issue.
DNSBL hits, so DNS works for you.
BAYES_99 means, the Bayes sub-system considers it spam with a value of
0.99 or higher -- where 0.0 means ham, 0.5 neutral, and 1.0 being the
highest, pure evil spam. Bayes has sufficiently been trained with this
kind of spam.
This also means, that Bayes obviously considers the words you wanted to
blacklist as spam already -- and results in a partial score of 3.5 (of
5.0 by default, again) for Bayes alone. That's 70% there of being marked
as spam...
> So with "$sa_tag2_level_deflt = 6.31" it is ok. Before i had 15. Above 6.31
> the mails are directly put to the Spam-folder, so with IMAP, the user can
> still look at them.
Not an Amavis user -- isn't 6.31 the amavis default? Why did you raise
the threshold in the first place!? Again, that is (was) your problem.
> Anyway, do you think i need to update to 3.3.x or is 3.2 still OK?
3.2 is less effective than 3.3, but as long as you're still happy with
the results, there is no immediate need to upgrade. Using a sane spam
threshold, mind you. You would have seen pretty much the exact same
"problem" with SA 3.3 and the threshold raised to 15.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Identifying the real problem (was: Re: Blacklist for
spam-words)
Posted by franc <fr...@gmx.net>.
> ... Do you train *both*, spam *and* ham? Any chance these
> have been trained incorrectly before? What Bayes score do they actually
> get? The X-Spam-Status header would be sufficient to see.
>
> The few lines of 'sa-learn --dump magic' would be good, too. Oh, and you
> are training Bayes as the same user SA checks the mail for, right?
Yes, i trained both. By the way, i use spamassassin with amavis.
This is my bayes result:
~# sa-learn --dbpath /var/lib/amavis/.spamassassin/bayes --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 3270 0 non-token data: nspam
0.000 0 8809 0 non-token data: nham
0.000 0 120576 0 non-token data: ntokens
0.000 0 1279001124 0 non-token data: oldest atime
0.000 0 1284660563 0 non-token data: newest atime
0.000 0 1284653885 0 non-token data: last journal sync
atime
0.000 0 1284615337 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime
delta
0.000 0 0 0 non-token data: last expire
reduction count
I know, that just some blacklisted words are really not the solution. So i
put the threshold of spam lower in amavis conf:
$sa_tag_level_deflt = undef;
$sa_tag2_level_deflt = 6.31;
$sa_kill_level_deflt = 15;
$sa_dsn_cutoff_level = 25;
A typical score of a "Uhren"-mail is:
X-Virus-Scanned: Debian amavisd-new at ew6.org
X-Amavis-Alert: BAD HEADER, Duplicate header field: "Cc"
X-Spam-Flag: NO
X-Spam-Score: 12.989
X-Spam-Level: ************
X-Spam-Status: No, score=12.989 required=15 tests=[BAYES_99=3.5,
DNS_FROM_OPENWHOIS=1.13, HTML_MESSAGE=0.001, PYZOR_CHECK=3.7,
RCVD_IN_PBL=0.905, RCVD_IN_SORBS_HTTP=0.001, RCVD_IN_SORBS_WEB=0.619,
RCVD_IN_XBL=3.033, RDNS_NONE=0.1]
So with "$sa_tag2_level_deflt = 6.31" it is ok. Before i had 15. Above 6.31
the mails are directly put to the Spam-folder, so with IMAP, the user can
still look at them.
Anyway, do you think i need to update to 3.3.x or is 3.2 still OK?
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29731650.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Identifying the real problem (was: Re: Blacklist for spam-words)
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2010-09-16 at 03:26 -0700, Franc Walter(?) wrote:
> > SA goes farther than your simple idea. Have a look at how Bayes works, and
> > all the available SA plugins.
>
> I trained SA since months with all those chronometer-zeitmesser-spam and
> only 5% is now set to spam.
> I want to get rid of it immediately.
OK, back down for a minute. This appears to be yet another case of a
user asking about a specific $thingy, which he believes would do the
trick. It might, but it is not the cure to the underlying problem. We
don't even know the problem, yet. This we need to find.
Why do I claim that? Well, the spam mentioned sounds pretty familiar.
But SA 3.2.x should not have a problem catching them.
Bayes. So you trained Bayes with them. For months. Still not much of a
difference. Well. Do you train *both*, spam *and* ham? Any chance these
have been trained incorrectly before? What Bayes score do they actually
get? The X-Spam-Status header would be sufficient to see.
The few lines of 'sa-learn --dump magic' would be good, too. Oh, and you
are training Bayes as the same user SA checks the mail for, right?
DNSBLs. And URI DNSBLs. These spams should hit quite a lot of them. They
certainly do for me. DNS works? None of these disabled in SA conf? What
DNS server are you using? If it is "my ISP's DNS" or "my home router
box", this is almost guaranteed to be your problem -- or part of it.
ISP's DNS server usually generate way too much traffic and do not get
responses by the major DNSBLs. In that case, you need a local caching
(non-forwarding) DNS resolver on your box.
And no, while a blacklist of some words *can* help, it is *not* the
solution to your problem.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
>
> What if a friend of yours sends you an email asking to lend your
> chronometer...
This is very unlikely because i have none. So even if he asked, it were in
vain :-)
> SA goes farther than your simple idea. Have a look at how Bayes works, and
> all the available SA plugins.
I trained SA since months with all those chronometer-zeitmesser-spam and
only 5% is now set to spam.
I want to get rid of it immediately.
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29726779.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
RE: Blacklist for spam-words
Posted by Per Jessen <pe...@computer.org>.
franc wrote:
>
>> You may setup a regexp rule in the /etc/local.cf file of your SA
>> installation
>
> Could you give me an example, or where to find one? In the local.cf i
> don't find RegExp-sections.
body FRANCS_RULE /regexp/
/Per Jessen, Zürich
Re: Blacklist for spam-words
Posted by Yet Another Ninja <sa...@alexb.ch>.
On 2010-09-16 12:29, franc wrote:
>> You may setup a regexp rule in the /etc/local.cf file of your SA
>> installation
>
> Could you give me an example, or where to find one? In the local.cf i don't
> find RegExp-sections.
see http://wiki.apache.org/spamassassin/WritingRules
RE: Blacklist for spam-words
Posted by franc <fr...@gmx.net>.
> You may setup a regexp rule in the /etc/local.cf file of your SA
> installation
Could you give me an example, or where to find one? In the local.cf i don't
find RegExp-sections.
--
View this message in context: http://old.nabble.com/Blacklist-for-spam-words-tp29726548p29726801.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
RE: Blacklist for spam-words
Posted by Giampaolo Tomassoni <Gi...@Tomassoni.biz>.
> Hello,
>
> i don't know spamassassin not very well, i am using 3.2.4 on Ubuntu
> 8.04
> LTS.
>
> I need a textfile where i can put in blacklist-words like "Viagra",
> "Chronometer", "Zeitmesser" and so on, if an email has one of this
> words,
> this email should directly put to the "Spam"-folder.
>
> Is this possible?
You may setup a regexp rule in the /etc/local.cf file of your SA
installation, but a simple rule like the one you suggest may easily yield
FPs (False Positives, ie: non-spam messages may get into your trashcan).
What if a friend of yours sends you an email asking to lend your
chronometer...
SA goes farther than your simple idea. Have a look at how Bayes works, and
all the available SA plugins.
> Thank you,
>
> Regards, franc