Posted to users@spamassassin.apache.org by Stefan Walk <st...@fachschaft.physik.tu-darmstadt.de> on 2007/11/18 21:54:12 UTC

Is it possible to detect/undo report_safe?

Hi,

I'm kind of annoyed because there are, for a few of my email addresses, 
several spamassassins at work, and they all use report_safe. On the final 
machine (mine), there's a spamassassin running too. So, to prevent a message 
from ending up in my mail client encapsulated in 5 spamassassin "envelopes", 
i want to undo the effects of the report_safe setting on the previous 
machines. Is there a way to detect (in ways of a script) that a mail has been 
processed by report safe, or yet better, a done way to undo it? I've heard 
sa-learn does it, so i'd guess it has been done ...

Regards,
Stefan

Re: Is it possible to detect/undo report_safe?

Posted by Anthony Peacock <a....@chime.ucl.ac.uk>.
Hi Stefan,

Stefan Walk wrote:
> Theo Van Dinter wrote:
>> On Mon, Nov 19, 2007 at 10:21:12AM +0100, Matus UHLAR - fantomas wrote:
>>   
>>>> machines. Is there a way to detect (in ways of a script) that a mail has been 
>>>> processed by report safe, or yet better, a done way to undo it? I've heard 
>>>> sa-learn does it, so i'd guess it has been done ...
>>>>       
>> "spamassassin -d"
>>   
> Thanks. But it seems spamassassin -d only removes the markup that "my"
> spamassassin did, not those from others (they mangle the headers too, it's
> X-TUD-HRZ-MailScanner: Found to be clean
> X-TUD-HRZ-MailScanner-SpamCheck: not spam (whitelisted),
> X-TUD-IAP-MailScanner: Found to be clean
> X-TUD-IAP-MailScanner-SpamCheck: spam, SpamAssassin (not cached,

That markup is added by MailScanner, not SpamAssassin.  SpamAssassin can't 
automatically remove that markup, it only removes markup it has added 
'natively'.


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"A CAT scan should take less time than a PET scan.  For a CAT scan,
  they're only looking for one thing, whereas a PET scan could result in
  a lot of things."    - Carl Princi, 2002/07/19

Re: Is it possible to detect/undo report_safe?

Posted by Stefan Walk <st...@physik.tu-darmstadt.de>.
Theo Van Dinter wrote:
> On Mon, Nov 19, 2007 at 10:21:12AM +0100, Matus UHLAR - fantomas wrote:
>   
>>> machines. Is there a way to detect (in ways of a script) that a mail has been 
>>> processed by report safe, or yet better, a done way to undo it? I've heard 
>>> sa-learn does it, so i'd guess it has been done ...
>>>       
>
> "spamassassin -d"
>   
Thanks. But it seems spamassassin -d only removes the markup that "my"
spamassassin did, not those from others (they mangle the headers too, it's
X-TUD-HRZ-MailScanner: Found to be clean
X-TUD-HRZ-MailScanner-SpamCheck: not spam (whitelisted),
X-TUD-IAP-MailScanner: Found to be clean
X-TUD-IAP-MailScanner-SpamCheck: spam, SpamAssassin (not cached,

etc ... they don't add an X-Spam-Checker-Version either. Anything i can
do about that?

Regards,
Stefan

Re: Is it possible to detect/undo report_safe?

Posted by Stefan Walk <st...@fachschaft.physik.tu-darmstadt.de>.
On Tuesday 20 November 2007 19:25:27 Karsten Bräckelmann wrote:
> Both, the rewritten Subject (see [DEL]) and the X-TUD-*-SpamScore [1]
> header should be sufficient on its own to identify a previously
> encapsulated mail. Based on that, just treat the mail differently,
> un-wrapping if need be. It should be fairly easy to come up with a hack
> that does this un-wrapping [2], or use an existing tool.

Thanks. Regarding "existing tool", are there some popular ones? I tried 
munpack, but it doesn't seem to have an option to leave the headers 
intact ... ruby/tmail silently drops headers with unencoded 8-bit chars, etc. 
Will have a look at gmime, but it seems that there should be probably some 
premade thing for this ;)

Regards,
Stefan

Re: Is it possible to detect/undo report_safe?

Posted by Stefan Walk <st...@fachschaft.physik.tu-darmstadt.de>.
On Tuesday 20 November 2007 17:59:39 Theo Van Dinter wrote:
> Well, yes and no.  "-d" only removed 1 level of encapsulation.  If you have
> a multiply-encapsulated message, you need to run the unencapsulator
> multiple times. :)
>
> As far as your markup versus their markup ...  It generally shouldn't
> matter, especially for report_safe, whereby as long as the message looks
> appropriate, the original message is ripped out of the MIME part and the
> markup in the headers/etc are ignored..

That's what i tried.  http://nopaste.com/p/apfnviQKX is the mail i tested 
with, it's encapsulated twice.

et@eve:~/tmp> spamassassin -d < spammail > removed_once                            
et@eve:~/tmp> curl -F file=@removed_once nopaste.com/a             
http://nopaste.com/p/a22grbeYo

That's the result after one run of spamassassin -d ... one level has been 
removed, all right.

et@eve:~/tmp> spamassassin -d < removed_once > removed_twice
et@eve:~/tmp> curl -F file=@removed_twice nopaste.com/a          
http://nopaste.com/p/ab7CeZEp1
et@eve:~/tmp> diff -u removed_once removed_twice 
--- removed_once	2007-11-20 17:14:09.000000000 +0000
+++ removed_twice	2007-11-20 17:15:50.000000000 +0000
@@ -63,7 +63,6 @@
 	URIBL_OB_SURBL 3.01, URIBL_SC_SURBL 4.50, URIBL_WS_SURBL 2.14)
 X-TUD-IAP-MailScanner-SpamScore: sssssssssssssssssssssssss
 X-TUD-IAP-MailScanner-To: stefan.walk@gmail.com
-X-Spam-Status: Yes
 
 This is a multi-part message in MIME format...
 
All it did was remove the X-Spam-Status header, not the encapsulation.
Am I doing something wrong?

Regards,
Stefan

Re: Is it possible to detect/undo report_safe?

Posted by Theo Van Dinter <fe...@apache.org>.
On Tue, Nov 20, 2007 at 05:48:36PM +0100, Stefan Walk wrote:
> > "spamassassin -d"
> >   
> Thanks. But it seems spamassassin -d only removes the markup that "my"
> spamassassin did, not those from others (they mangle the headers too, it's

Well, yes and no.  "-d" only removed 1 level of encapsulation.  If you have a
multiply-encapsulated message, you need to run the unencapsulator multiple
times. :)

As far as your markup versus their markup ...  It generally shouldn't matter,
especially for report_safe, whereby as long as the message looks appropriate,
the original message is ripped out of the MIME part and the markup in the
headers/etc are ignored..

-- 
Randomly Selected Tagline:
I dance, I dance, I dance, around a Mexican hat.  I dance, I dance,
 I dance, and that is the end of that.  Or is it?  I guess I'll keep
 singing, my cell phone appears to be ringing...
         - Homer Simpson, The Simpsons, "Brake My Wife, Please"

Re: Is it possible to detect/undo report_safe?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2007-11-20 at 17:48 +0100, Stefan Walk wrote:
> Thanks. But it seems spamassassin -d only removes the markup that "my"
> spamassassin did, not those from others (they mangle the headers too, it's
> X-TUD-HRZ-MailScanner: Found to be clean
> X-TUD-HRZ-MailScanner-SpamCheck: not spam (whitelisted),
> X-TUD-IAP-MailScanner: Found to be clean
> X-TUD-IAP-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
> 
> etc ... they don't add an X-Spam-Checker-Version either. Anything i can
> do about that?

It may be SA checking the original mail, but it does not appear to be SA
actually encapsulating the mail.


FWIW, I believe the TUD HRZ does generate these encapsulated reports
only for spam scoring 15+ points. Anything below that merely gets header
markup added. Well, plus that ridiculously ugly (generally speaking)
Subject rewriting...

Both, the rewritten Subject (see [DEL]) and the X-TUD-*-SpamScore [1]
header should be sufficient on its own to identify a previously
encapsulated mail. Based on that, just treat the mail differently,
un-wrapping if need be. It should be fairly easy to come up with a hack
that does this un-wrapping [2], or use an existing tool.

Anyway, even with a "badly trained Bayes" on their end, as you stated, a
score of 15+ probably should be sufficient to dump the mail right away,
or maybe to have a look at the (remaining) Subject only...

  guenther


[1] HRZ in my case, IAP for you ;)
[2] Done that myself using gmime, to unwrap some double encapsulated
    messages for further processing.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
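
Added example (not code from any poster in this thread or from SpamAssassin): peeling repeated spam-report wrappers off a message, as the replies above describe, by requiring an upstream marker header plus exactly one message/rfc822 attachment and repeating until no wrapper remains. The marker pattern, MAX_DEPTH, the helper names and the sample mails are assumptions made for the example; it assumes each wrapper attaches the original as message/rfc822.

```python
import email
import re
from email import policy

# Site-specific marker from this thread (MailScanner at TUD); adjust per relay.
SITE_MARKER = re.compile(r"^X-TUD-\w+-MailScanner-SpamScore$", re.I)
MAX_DEPTH = 10  # hypothetical bound so hostile nesting cannot loop forever

def is_tagged(msg):
    """True if an upstream filter marked this message as spam."""
    if any(SITE_MARKER.match(name) for name in msg.keys()):
        return True
    return str(msg.get("X-Spam-Status", "")).strip().lower().startswith("yes")

def wrapped_original(msg):
    """Return the encapsulated message if msg is a spam-report wrapper, else None."""
    if msg.get_content_maintype() != "multipart" or not msg.is_multipart():
        return None
    if not is_tagged(msg):
        return None  # an ordinary forward-as-attachment is left alone
    inner = [p for p in msg.get_payload() if p.get_content_type() == "message/rfc822"]
    if len(inner) != 1 or not inner[0].is_multipart():
        return None  # ambiguous or malformed structure: do not guess
    return inner[0].get_payload(0)

def unwrap(raw):
    """Peel wrapper layers off raw mail bytes; returns (bytes, layers_removed)."""
    # compat32 keeps raw 8-bit header bytes instead of dropping the header.
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    depth = 0
    while depth < MAX_DEPTH and (inner := wrapped_original(msg)) is not None:
        msg, depth = inner, depth + 1
    return (raw if depth == 0 else msg.as_bytes()), depth

def _wrap(inner, marker, tag):
    """Build a constructed wrapper around inner (sample data, not real mail)."""
    return (marker + b'\nMIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="'
            + tag + b'"\n\n--' + tag + b"\nContent-Type: text/plain\n\nreport text\n--"
            + tag + b"\nContent-Type: message/rfc822\n\n" + inner + b"\n--" + tag + b"--\n")

# Constructed sample: original mail with a raw 8-bit Subject, wrapped twice.
ORIGINAL = b"From: a@example.org\nSubject: Gr\xfc\xdfe\n\nhello\n"
ONCE = _wrap(ORIGINAL, b"X-Spam-Status: Yes", b"L1")
TWICE = _wrap(ONCE, b"X-TUD-IAP-MailScanner-SpamScore: sssss", b"L2")
FORWARD = _wrap(ORIGINAL, b"X-Mailer: demo", b"F1")  # untagged, must stay as is

if __name__ == "__main__":
    out, layers = unwrap(TWICE)
    print(layers, out)
```

The upstream verdict headers are untrusted input here: they only decide whether to unwrap, and the unwrapped message should still go through the local filter.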


Re: Is it possible to detect/undo report_safe?

Posted by Stefan Walk <st...@fachschaft.physik.tu-darmstadt.de>.
Sent before with the wrong from address ... sorry if this comes through
twice.

Theo Van Dinter wrote:
> On Mon, Nov 19, 2007 at 10:21:12AM +0100, Matus UHLAR - fantomas wrote:
>   
>>> machines. Is there a way to detect (in ways of a script) that a mail has been 
>>> processed by report safe, or yet better, a done way to undo it? I've heard 
>>> sa-learn does it, so i'd guess it has been done ...
>>>       
>
> "spamassassin -d"
>   
Thanks. But it seems spamassassin -d only removes the markup that "my"
spamassassin did, not those from others (they mangle the headers too, it's
X-TUD-HRZ-MailScanner: Found to be clean
X-TUD-HRZ-MailScanner-SpamCheck: not spam (whitelisted),
X-TUD-IAP-MailScanner: Found to be clean
X-TUD-IAP-MailScanner-SpamCheck: spam, SpamAssassin (not cached,

etc ... they don't add an X-Spam-Checker-Version either. Anything i can
do about that?

Regards,
Stefan


Re: Is it possible to detect/undo report_safe?

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Nov 19, 2007 at 10:21:12AM +0100, Matus UHLAR - fantomas wrote:
> > machines. Is there a way to detect (in ways of a script) that a mail has been 
> > processed by report safe, or yet better, a done way to undo it? I've heard 
> > sa-learn does it, so i'd guess it has been done ...

"spamassassin -d"

-- 
Randomly Selected Tagline:
"...Deep Hack Mode--that mysterious and frightening state of
 consciousness where Mortal Users fear to tread."
 (By Matt Welsh)

Re: Is it possible to detect/undo report_safe?

Posted by Stefan Walk <st...@physik.tu-darmstadt.de>.
Theo Van Dinter wrote:
> Oh, also, if mails are coming in w/ "X-Spam-Status: Yes" or whatever,
> you could always choose to just block those mails via the MTA/etc.
>
> IMO, if someone else is telling you that the mail is spam, why bother
> accepting it?
>   
Because i don't trust the other servers (false positive rate is too
high, mainly because the bayesian filter there isn't properly trained).

Thanks for the spamassassin -d hint.

Regards,
Stefan

Re: Is it possible to detect/undo report_safe?

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Nov 19, 2007 at 10:21:12AM +0100, Matus UHLAR - fantomas wrote:
> > machines. Is there a way to detect (in ways of a script) that a mail has been 
> > processed by report safe, or yet better, a done way to undo it? I've heard 
> > sa-learn does it, so i'd guess it has been done ...

Oh, also, if mails are coming in w/ "X-Spam-Status: Yes" or whatever,
you could always choose to just block those mails via the MTA/etc.

IMO, if someone else is telling you that the mail is spam, why bother
accepting it?

-- 
Randomly Selected Tagline:
Intaxication: Euphoria at getting a tax refund, which lasts only until
 you realize it was your money to start with.
         - Washington Post

Re: Is it possible to detect/undo report_safe?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 18.11.07 21:54, Stefan Walk wrote:
> I'm kind of annoyed because there are, for a few of my email addresses, 
> several spamassassins at work, and they all use report_safe. On the final 
> machine (mine), there's a spamassassin running too. So, to prevent a message 
> from ending up in my mail client encapsulated in 5 spamassassin "envelopes", 
> i want to undo the effects of the report_safe setting on the previous 
> machines. Is there a way to detect (in ways of a script) that a mail has been 
> processed by report safe, or yet better, a done way to undo it? I've heard 
> sa-learn does it, so i'd guess it has been done ...

can't you somehow kick them into balls?
munpack can do that probably. However, it's a bad idea to do repeated SA
checks, especially on mail "preprocessed" by another SA.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.