Posted to users@spamassassin.apache.org by Jason Bertoch <ja...@i6ix.com> on 2010/02/23 15:03:53 UTC
ReturnPath and Bayes Poisoning
Are there any internal checks that disable Bayes autolearn when these
artificial whitelist rules match? I'd disabled these rules in versions
prior to 3.3.0 but, with all the discussion on the matter, I thought I'd
leave them in to see the "new and improved" version. Unfortunately, I'm
still seeing false positives and am concerned that they are pushing the
scores low enough to poison my Bayes database.
/Jason
Re: ReturnPath and Bayes Poisoning
Posted by Jason Bertoch <ja...@i6ix.com>.
On 2/23/2010 9:20 AM, Michael Scheidell wrote:
>> Unfortunately, I'm still seeing false positives and am concerned that
>> they are pushing the scores low enough to poison my Bayes database.
>>
> you can edit the tflags and add noautolearn
>
> example:
> 72_active.cf:tflags RCVD_IN_RP_CERTIFIED net nice
> 72_active.cf:tflags RCVD_IN_RP_SAFE net nice
>
> becomes:
> 72_active.cf:tflags RCVD_IN_RP_CERTIFIED net nice noautolearn
> 72_active.cf:tflags RCVD_IN_RP_SAFE net nice noautolearn
Nice, I didn't realize it worked like that. To make this permanent, do
I need to set the score to zero and copy the rules to a different name
in local.cf, or will a second tflags declaration in local.cf simply
override the one in 72_active.cf?
/Jason
Re: ReturnPath and Bayes Poisoning
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2010-02-23 at 09:28 -0500, Bowie Bailey wrote:
> Michael Scheidell wrote:
> > you can edit the tflags and add noautolearn
> Are these settings cumulative? The man page doesn't specify.
Nope. tflags is of type CONF_TYPE_HASH_KEY_VALUE, so there's exactly one
tflags value per rule name.
> tflags RULENAME nice net
> tflags RULENAME noautolearn
>
> what happens? Does everything get set or do I only get 'noautolearn'?
The latter wins and overwrites the former.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
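
Added example, not part of any poster's message and not SpamAssassin code: a Python model of the one-value-per-rule tflags behaviour described above, plus a generator for local.cf overrides that restate each shipped flag set with noautolearn appended. The file contents and the EXAMPLE_* rule names are constructed, and the code assumes site configuration is read after the distributed rules.

```python
# Constructed sample input: (filename, text) pairs in the order they are read.
# The RP and DNSWL tflags lines mirror the ones quoted in the thread;
# the EXAMPLE_* rules are hypothetical.
SAMPLE_FILES = [
    ("72_active.cf", """\
tflags RCVD_IN_RP_CERTIFIED net nice
tflags RCVD_IN_RP_SAFE net nice
tflags __RCVD_IN_DNSWL nice net
tflags EXAMPLE_LOCAL_WL nice noautolearn
tflags EXAMPLE_NET_BL net
"""),
    ("local.cf", """\
# a bare second declaration replaces the shipped one, it does not merge
tflags RCVD_IN_RP_SAFE noautolearn
"""),
]

def parse_tflags(text):
    """Yield (rule, [flags]) for every tflags line, ignoring # comments."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "tflags":
            yield parts[1], parts[2:]

def effective_tflags(files):
    """One value per rule name: a later declaration overwrites an earlier one."""
    table = {}
    for _fname, text in files:
        for rule, flags in parse_tflags(text):
            table[rule] = flags  # overwrite, never append
    return table

def noautolearn_overrides(distributed_files):
    """local.cf lines keeping each nice rule's shipped flags and adding noautolearn."""
    lines = []
    for rule, flags in sorted(effective_tflags(distributed_files).items()):
        if "nice" in flags and "noautolearn" not in flags:
            lines.append("tflags %s %s noautolearn" % (rule, " ".join(flags)))
    return lines

if __name__ == "__main__":
    # The bare local.cf line leaves RCVD_IN_RP_SAFE without 'net' and 'nice'.
    print(effective_tflags(SAMPLE_FILES)["RCVD_IN_RP_SAFE"])
    # Overrides computed from the distributed file only.
    print("\n".join(noautolearn_overrides(SAMPLE_FILES[:1])))
```

Regenerating the overrides after a rule update keeps the restated flags in step with whatever the distributed files then contain.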
Re: ReturnPath and Bayes Poisoning
Posted by Jason Bertoch <ja...@i6ix.com>.
On 2/23/2010 9:35 AM, Michael Scheidell wrote:
>
> why not just do tflags RULENAME nice net noautolearn
>
> (oh.. and to find them, grep '^tflags.*RCVD_IN' *.cf
>
> some interesting ones. not sure why they rate a net nice:
Grepping for 'autolearn' turns up the built-in whitelist and blacklist
rules. I wonder, why wasn't it applied to the RP and DNSWL rules as
well? Perhaps I should request a rule change. Thoughts?
/Jason
Re: ReturnPath and Bayes Poisoning
Posted by Bowie Bailey <Bo...@BUC.com>.
Michael Scheidell wrote:
> On 2/23/10 9:28 AM, Bowie Bailey wrote:
>> Michael Scheidell wrote:
>>
>>> On 2/23/10 9:03 AM, Jason Bertoch wrote:
>>>
>>>> Are there any internal checks that disable Bayes autolearn when these
>>>> artificial whitelist rules match? I'd disabled these rules in
>>>> versions prior to 3.3.0 but, with all the discussion on the matter, I
>>>> thought I'd leave them in to see the "new and improved" version.
>>>> Unfortunately, I'm still seeing false positives and am concerned that
>>>> they are pushing the scores low enough to poison my Bayes database.
>>>>
>>>>
>>> you can edit the tflags and add noautolearn
>>>
>>> example:
>>> 72_active.cf:tflags __RCVD_IN_DNSWL nice net
>>>
>>>
>>> becomes:
>>> 72_active.cf:tflags __RCVD_IN_DNSWL nice net noautolearn
>>>
>> Are these settings cumulative? The man page doesn't specify.
>>
>> If I do this:
>>
>> tflags RULENAME nice net
>> tflags RULENAME noautolearn
>>
>> what happens? Does everything get set or do I only get 'noautolearn'?
>>
>>
> why not just do tflags RULENAME nice net noautolearn
>
> (oh.. and to find them, grep '^tflags.*RCVD_IN' *.cf
If I can just add 'noautolearn' in my local.cf, then I don't have to
worry about what is currently set in the distributed rules. And if an
update adds or removes a setting, it will happen automatically without
me having to mess with it.
--
Bowie
Re: ReturnPath and Bayes Poisoning
Posted by Michael Scheidell <li...@secnap.com>.
On 2/23/10 9:28 AM, Bowie Bailey wrote:
> Michael Scheidell wrote:
>
>> On 2/23/10 9:03 AM, Jason Bertoch wrote:
>>
>>> Are there any internal checks that disable Bayes autolearn when these
>>> artificial whitelist rules match? I'd disabled these rules in
>>> versions prior to 3.3.0 but, with all the discussion on the matter, I
>>> thought I'd leave them in to see the "new and improved" version.
>>> Unfortunately, I'm still seeing false positives and am concerned that
>>> they are pushing the scores low enough to poison my Bayes database.
>>>
>>>
>> you can edit the tflags and add noautolearn
>>
>> example:
>> 72_active.cf:tflags __RCVD_IN_DNSWL nice net
>>
>>
>> becomes:
>> 72_active.cf:tflags __RCVD_IN_DNSWL nice net noautolearn
>>
> Are these settings cumulative? The man page doesn't specify.
>
> If I do this:
>
> tflags RULENAME nice net
> tflags RULENAME noautolearn
>
> what happens? Does everything get set or do I only get 'noautolearn'?
>
>
why not just do tflags RULENAME nice net noautolearn
(oh.. and to find them, grep '^tflags.*RCVD_IN' *.cf
some interesting ones. not sure why they rate a net nice:
RCVD_IN_IADB_OPTOUTONLY net nice?
describe is: IADB: Scrapes addresses, pure opt-out only
or
describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing
controls in place
I would think a POSITIVE score for someone who we know violates federal
can-spam laws (scrapes addresses. violation of us federal can-spam laws)
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
Re: ReturnPath and Bayes Poisoning
Posted by Bowie Bailey <Bo...@BUC.com>.
Michael Scheidell wrote:
> On 2/23/10 9:03 AM, Jason Bertoch wrote:
>>
>> Are there any internal checks that disable Bayes autolearn when these
>> artificial whitelist rules match? I'd disabled these rules in
>> versions prior to 3.3.0 but, with all the discussion on the matter, I
>> thought I'd leave them in to see the "new and improved" version.
>> Unfortunately, I'm still seeing false positives and am concerned that
>> they are pushing the scores low enough to poison my Bayes database.
>>
> you can edit the tflags and add noautolearn
>
> example:
> 72_active.cf:tflags __RCVD_IN_DNSWL nice net
>
>
> becomes:
> 72_active.cf:tflags __RCVD_IN_DNSWL nice net noautolearn
Are these settings cumulative? The man page doesn't specify.
If I do this:
tflags RULENAME nice net
tflags RULENAME noautolearn
what happens? Does everything get set or do I only get 'noautolearn'?
--
Bowie
Re: ReturnPath and Bayes Poisoning
Posted by Michael Scheidell <sc...@secnap.net>.
On 2/23/10 9:03 AM, Jason Bertoch wrote:
>
> Are there any internal checks that disable Bayes autolearn when these
> artificial whitelist rules match? I'd disabled these rules in
> versions prior to 3.3.0 but, with all the discussion on the matter, I
> thought I'd leave them in to see the "new and improved" version.
> Unfortunately, I'm still seeing false positives and am concerned that
> they are pushing the scores low enough to poison my Bayes database.
>
you can edit the tflags and add noautolearn
example:
72_active.cf:tflags __RCVD_IN_DNSWL nice net
becomes:
72_active.cf:tflags __RCVD_IN_DNSWL nice net noautolearn
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008