Triggering rules but not scoring

#1
08-26-2008, 12:34 AM
Triggering rules but not scoring

I'm not quite sure I understand what is happening here:

http://www.pastebin.ca/1184943

it looks like the message is triggering rules but in the end it is
getting '0' points

--
Munroe Sollog
Systems Engineer
Digirati Consulting, Inc
sollog@digiraticonsulting.com

#2
08-26-2008, 01:10 AM
Help with Junk from Hotmail and Yahoo's Servers

I'm having an increased amount of junk getting through due to it coming
from Hotmail and Yahoo's servers which makes any type of pre-filter
stuff like RBL's, Greylisting, Sender Verification useless which leaves
me to rely on Spamassassin. I cannot block hotmail and Yahoo (although
I would like to personally) as our users receive valid email from them.

I have emailed their abuse but it seems more like a blackhole.

I was advised by the Postfix mailing lists to see if anyone here can
help me out.

Important Note: I am planning on upgrading the Spam Gateway we are
operating to utilise Maia Mailguard and therefore allow easier training
of the spam filter which will hopefully help in fixing the problem
anyway but was wondering if anyone has some tips on how to kill this junk.

I have added higher scores such as "score DRUGS_ERECTILE 7.31" but that
doesn't help with all the spam.

Examples are below.

##############################

Microsoft Mail Internet Headers Version 2.0
Received: from mx.3rdmill.com.au ([xxx.xxx.xxx.xxx]) by
3msyd1.nsw.3rdmill.com.au with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 26 Aug 2008 07:12:23 +1000
Received: from localhost (localhost.localdomain [127.0.0.1])
by mx.3rdmill.com.au (Postfix) with ESMTP id CFD6AFEAF
for ; Tue, 26 Aug 2008 07:12:24 +1000 (EST)
Received: from mx.3rdmill.com.au ([127.0.0.1]) by localhost
(3msydmxg.nsw.3rdmill.com.au [127.0.0.1]) (amavisd-maia, port 10024)
with ESMTP id 06003-05 for ; Tue, 26 Aug 2008
07:12:12 +1000 (EST)
Received: from n1.bullet.mail.re3.yahoo.com
(n1.bullet.mail.re3.yahoo.com [68.142.237.108])
by mx.3rdmill.com.au (Postfix) with SMTP id 152B8FE72
for ; Tue, 26 Aug 2008 07:12:05 +1000 (EST)
Received: from [68.142.230.28] by n1.bullet.mail.re3.yahoo.com with
NNFMP; 25 Aug 2008 21:12:02 -0000
Received: from [216.252.111.166] by t1.bullet.re2.yahoo.com with NNFMP;
25 Aug 2008 21:12:02 -0000
Received: from [127.0.0.1] by omp101.mail.re3.yahoo.com with NNFMP; 25
Aug 2008 21:12:02 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 710810.31677.bm@omp101.mail.re3.yahoo.com
Received: (qmail 14637 invoked by uid 60001); 25 Aug 2008 21:12:02 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;

h=X-YMail-OSG:Received:X-Mailerate:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Message-ID;

b=MoHka6GIK4EPE9h69cCWTi6GTwzEKJQsemn1tMAKkC+3aqBJ Jm6X8nUBiDj8TRgG2AkBZOVfAH7YsujX/hjWyGgrc/KMNjQtygxd/SNmVQQfZKx9FEueCSK4OAk0joY/V8LBOvvrOtSHvfnQpcgClrSsRrFJ5iTjU/30kPeZJnU=;
X-YMail-OSG:
mwVfClMVM1kM9GhmjadPth3DGxGMJJTDHLJxFCGCGWcNvZViq6 NFYpOzOSRIqsmteUiJfFKq3Q1YM3NITcYFHcFdUzAlf39soSr9 xmj2QJkMtcWnsEPpQAYZxojCTXA-
Received: from [90.54.180.225] by web57511.mail.re1.yahoo.com via HTTP;
Mon, 25 Aug 2008 14:12:02 PDT
X-Mailer: YahooMailWebService/0.7.218.2
Date: Mon, 25 Aug 2008 14:12:02 -0700 (PDT)
From: Jamie Microdissection
Reply-To: jamiemicrodissection1673096@yahoo.com
Subject: Firmer and longer erections shut
To: vavero@starmedia.com
Cc:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <472879.14519.qm@web57511.mail.re1.yahoo.com>
X-Virus-Scanned: Maia Mailguard 1.0.2
X-Spam-Status: No, hits=0.002 tagged_above=-999 required=5.31
tests=BAYES_50=0.001, HS_INDEX_PARAM=0.001
X-Spam-Level:
Return-Path: jamiemicrodissection1673096@yahoo.com
X-OriginalArrivalTime: 25 Aug 2008 21:12:23.0984 (UTC)
FILETIME=[44ECFB00:01C906F7]



-----Original Message-----
From: Jamie Microdissection [mailto:jamiemicrodissection1673096@yahoo.com]
Sent: Tuesday, 26 August 2008 7:12 AM
To: vavero@starmedia.com
Cc:
Subject: Firmer and longer erections shut

think worm mules fly blaze.
http://groups.google.com/group/sdeli...illpewtyr2neat


##################################################

Microsoft Mail Internet Headers Version 2.0
Received: from mail.icfrith.com.au ([xxx.xxx.xxx.xxx]) by
icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
Mon, 25 Aug 2008 11:29:40 +1000
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.icfrith.com.au (Postfix) with ESMTP id 951DD2B956
for ; Mon, 25 Aug 2008 11:14:07
+1000 (EST)
X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
X-Spam-Score: 2.54
X-Spam-Level: **
X-Spam-Status: No, score=2.54 required=5.31 tests=[BAYES_50=0.001,
DCC_CHECK=2.17, HTML_MESSAGE=0.001, URI_HEX=0.368]
Received: from mail.icfrith.com.au ([127.0.0.1])
by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1])
(amavisd-new, port 10024)
with ESMTP id QptAnYEjlOsy for ;
Mon, 25 Aug 2008 11:14:05 +1000 (EST)
Received: from BAY0-OMC3-S10.bay0.hotmail.com
(bay0-omc3-s10.bay0.hotmail.com [65.54.246.210])
by mail.icfrith.com.au (Postfix) with ESMTP id E4D912B99C
for ; Mon, 25 Aug 2008 11:14:02
+1000 (EST)
Received: from BAY113-W51 ([65.54.168.151]) by
BAY0-OMC3-S10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Sun, 24 Aug 2008 18:29:34 -0700
Message-ID:
Content-Type: multipart/alternative;
boundary="_6d082c57-ec4b-42db-aaa6-f421809ee165_"
X-Originating-IP: [201.83.252.234]
From: Dorothy Brown
To:
Subject: Licensed pharmaceutical professionals from our pharmacy are
available 24/7 for you.
Date: Mon, 25 Aug 2008 01:29:33 +0000
Importance: High
MIME-Version: 1.0
X-OriginalArrivalTime: 25 Aug 2008 01:29:34.0525 (UTC)
FILETIME=[07D4EED0:01C90652]
Return-Path: dorothyxqsdzips@hotmail.com

--_6d082c57-ec4b-42db-aaa6-f421809ee165_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_6d082c57-ec4b-42db-aaa6-f421809ee165_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


--_6d082c57-ec4b-42db-aaa6-f421809ee165_--

________________________________________
From: Dorothy Brown [mailto:dorothyxqsdzips@hotmail.com]
Sent: Monday, 25 August 2008 11:30 AM
To: roslyn.holcombe@icliffs.com
Subject: Licensed pharmaceutical professionals from our pharmacy are
available 24/7 for you.
Importance: High


Attractive prices and high quality is our motto.
www.cid-1a15c26c02719644.spaces.live.com

#########################################

#3
08-26-2008, 01:40 AM
Re: Help with Junk from Hotmail and Yahoo's Servers

I get spam like this too. I'd tell you to train your bayes db better,
but no amount of learning these things seems to have any effect for
me- the next one in is just right back at BAYES_50. Mine are also
largely from Yahoo, some from Hotmail.

One thing that bothers me is how painfully obvious these are, and yet
barely trigger any rules in stock SA. Maybe a Pyzor here, a DCC there.
Rarely a DKIM hit, IIRC. For the most part they sail right through,
with virtually no non-network test hitting them, and very rarely a
network test. Even with my changes below, I'm still missing more than
I would like (mostly because they don't hit enough to pass 5.0).

First I tried the SARE rules. Most of them were ineffective, but a few
files hit often. Then I added the Botnet plugin, and it was much, much
more useful. I do *not* use the stock Botnet scores, however... too
high for my tastes. But I'm getting closer to them every day, as I
inch them back up to their stock.

The "Spam" and "Ham" listed here are how SA classifies them... not
necessarily what they actually *are*...

Ruleset                          Ham   Spam   %of Ham   %of Spam
----------------------------------------------------------------
Botnet.cf                         16    857     4.79%     92.05%
70_sare_obfu1.cf                   0    263     0.00%     28.25%
70_sare_genlsubj1.cf               3    113     0.90%     12.14%
99_custom_rules.cf                 5    111     1.50%     11.92%
70_sare_genlsubj0.cf               0     55     0.00%      5.91%
70_sare_adult.cf                   0     46     0.00%      4.94%
70_sare_header0.cf                 0     14     0.00%      1.50%
70_sare_header1.cf                 0     13     0.00%      1.40%
70_sare_oem.cf                     2      2     0.60%      0.21%
70_sare_html0.cf                   1      2     0.30%      0.21%
72_sare_redirect_post3_0_0.cf      0      0     0.00%      0.00%
70_sare_obfu0.cf                   0      0     0.00%      0.00%
70_sare_bayes_poison_nxm.cf        0      0     0.00%      0.00%
70_sare_evilnum0.cf                0      0     0.00%      0.00%
70_sare_html1.cf                   1      0     0.30%      0.00%


My modified stock rule scores: (slowly increasing these over time)
score DRUGS_ERECTILE 1.5
score DRUGS_MUSCLE 1.0
score RDNS_NONE 0.5
score ONLINE_PHARMACY 1.0
score TVD_VISIT_PHARMA 1.0


Then I wrote these add-on rules, almost specifically to target this
problem. The scores are arbitrary, and I'm increasing them over time.
1 and 2 are the highest-hitting by far. And yes, they do sometimes
overlap with the stock rules above. Not as often as you'd think,
though.... plenty of viagra/cialis spam isn't hitting DRUGS_ERECTILE,
and plenty of pharma spam doesn't hit those 2 either. The last one is
kinda made up, and hit exactly 1 in ~2000 emails last week.

header JAKE_SUBJ1 Subject =~ /Viagra/i
describe JAKE_SUBJ1 Subject mentions Viagra
score JAKE_SUBJ1 2.5

header JAKE_SUBJ2 Subject =~ /Cialis/i
describe JAKE_SUBJ2 Subject mentions Cialis
score JAKE_SUBJ2 2.5

header JAKE_SUBJ3 Subject =~ /pharmacy/i
describe JAKE_SUBJ3 Subject mentions 'pharmacy'
score JAKE_SUBJ3 1.5

header JAKE_SUBJ4 Subject =~ /****/i
describe JAKE_SUBJ4 Subject mentions '****'
score JAKE_SUBJ4 1.5

header JAKE_SUBJ5 Subject =~ /(busty|hot) *(blond|brunette|redhead|bitch|chick|milf)/i
describe JAKE_SUBJ5 Subject mentions a hot chick
score JAKE_SUBJ5 1.5


I also started using some 3rd party ClamAV rules... SaneSecurity has
'em, don't remember the link offhand.

If anyone knows when stock SA is gonna start catching this junk a lot
better, I'd love to hear it. I hate doing this hacky garbage to a nice
clean mail server.

Good luck,
Jake


On Mon, Aug 25, 2008 at 10:10 PM, James Robertson wrote:
> I'm having an increased amount of junk getting through due to it coming from
> Hotmail and Yahoo's servers which makes any type of pre-filter stuff like
> RBL's, Greylisting, Sender Verification useless which leaves me to rely on
> Spamassassin. I cannot block hotmail and Yahoo (although I would like to
> personally) as our users receive valid email from them.
>
> I have emailed their abuse but it seems more like a blackhole.
>
> I was advised by the Postfix mailing lists to see if anyone here can help me
> out.
>
> Important Note: I am planning on upgrading the Spam Gateway we are
> operating to utilise Maia Mailguard and therefore allow easier training of
> the spam filter which will hopefully help in fixing the problem anyway but
> was wondering if anyone has some tips on how to kill this junk.
>
> I have added higher scores such as "score DRUGS_ERECTILE 7.31" but that
> doesn't help with all the spam.
>
> Examples are below.
>
> ##############################
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mx.3rdmill.com.au ([xxx.xxx.xxx.xxx]) by
> 3msyd1.nsw.3rdmill.com.au with Microsoft SMTPSVC(6.0.3790.3959);
> Tue, 26 Aug 2008 07:12:23 +1000
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by mx.3rdmill.com.au (Postfix) with ESMTP id CFD6AFEAF
> for ; Tue, 26 Aug 2008 07:12:24 +1000 (EST)
> Received: from mx.3rdmill.com.au ([127.0.0.1]) by localhost
> (3msydmxg.nsw.3rdmill.com.au [127.0.0.1]) (amavisd-maia, port 10024) with
> ESMTP id 06003-05 for ; Tue, 26 Aug 2008 07:12:12
> +1000 (EST)
> Received: from n1.bullet.mail.re3.yahoo.com (n1.bullet.mail.re3.yahoo.com
> [68.142.237.108])
> by mx.3rdmill.com.au (Postfix) with SMTP id 152B8FE72
> for ; Tue, 26 Aug 2008 07:12:05 +1000 (EST)
> Received: from [68.142.230.28] by n1.bullet.mail.re3.yahoo.com with NNFMP;
> 25 Aug 2008 21:12:02 -0000
> Received: from [216.252.111.166] by t1.bullet.re2.yahoo.com with NNFMP; 25
> Aug 2008 21:12:02 -0000
> Received: from [127.0.0.1] by omp101.mail.re3.yahoo.com with NNFMP; 25 Aug
> 2008 21:12:02 -0000
> X-Yahoo-Newman-Property: ymail-3
> X-Yahoo-Newman-Id: 710810.31677.bm@omp101.mail.re3.yahoo.com
> Received: (qmail 14637 invoked by uid 60001); 25 Aug 2008 21:12:02 -0000
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
> s=s1024; d=yahoo.com;
> h=X-YMail-OSG:Received:X-Mailerate:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Message-ID;
> b=MoHka6GIK4EPE9h69cCWTi6GTwzEKJQsemn1tMAKkC+3aqBJ Jm6X8nUBiDj8TRgG2AkBZOVfAH7YsujX/hjWyGgrc/KMNjQtygxd/SNmVQQfZKx9FEueCSK4OAk0joY/V8LBOvvrOtSHvfnQpcgClrSsRrFJ5iTjU/30kPeZJnU=;
> X-YMail-OSG:
> mwVfClMVM1kM9GhmjadPth3DGxGMJJTDHLJxFCGCGWcNvZViq6 NFYpOzOSRIqsmteUiJfFKq3Q1YM3NITcYFHcFdUzAlf39soSr9 xmj2QJkMtcWnsEPpQAYZxojCTXA-
> Received: from [90.54.180.225] by web57511.mail.re1.yahoo.com via HTTP; Mon,
> 25 Aug 2008 14:12:02 PDT
> X-Mailer: YahooMailWebService/0.7.218.2
> Date: Mon, 25 Aug 2008 14:12:02 -0700 (PDT)
> From: Jamie Microdissection
> Reply-To: jamiemicrodissection1673096@yahoo.com
> Subject: Firmer and longer erections shut
> To: vavero@starmedia.com
> Cc:
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Message-ID: <472879.14519.qm@web57511.mail.re1.yahoo.com>
> X-Virus-Scanned: Maia Mailguard 1.0.2
> X-Spam-Status: No, hits=0.002 tagged_above=-999 required=5.31
> tests=BAYES_50=0.001, HS_INDEX_PARAM=0.001
> X-Spam-Level:
> Return-Path: jamiemicrodissection1673096@yahoo.com
> X-OriginalArrivalTime: 25 Aug 2008 21:12:23.0984 (UTC)
> FILETIME=[44ECFB00:01C906F7]
>
>
>
> -----Original Message-----
> From: Jamie Microdissection [mailto:jamiemicrodissection1673096@yahoo.com]
> Sent: Tuesday, 26 August 2008 7:12 AM
> To: vavero@starmedia.com
> Cc:
> Subject: Firmer and longer erections shut
>
> think worm mules fly blaze.
> http://groups.google.com/group/sdeli...illpewtyr2neat
>
>
> ##################################################
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mail.icfrith.com.au ([xxx.xxx.xxx.xxx]) by
> icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713);
> Mon, 25 Aug 2008 11:29:40 +1000
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by mail.icfrith.com.au (Postfix) with ESMTP id 951DD2B956
> for ; Mon, 25 Aug 2008 11:14:07 +1000
> (EST)
> X-Virus-Scanned: Debian amavisd-new at icfrith.com.au
> X-Spam-Score: 2.54
> X-Spam-Level: **
> X-Spam-Status: No, score=2.54 required=5.31 tests=[BAYES_50=0.001,
> DCC_CHECK=2.17, HTML_MESSAGE=0.001, URI_HEX=0.368]
> Received: from mail.icfrith.com.au ([127.0.0.1])
> by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1])
> (amavisd-new, port 10024)
> with ESMTP id QptAnYEjlOsy for ;
> Mon, 25 Aug 2008 11:14:05 +1000 (EST)
> Received: from BAY0-OMC3-S10.bay0.hotmail.com
> (bay0-omc3-s10.bay0.hotmail.com [65.54.246.210])
> by mail.icfrith.com.au (Postfix) with ESMTP id E4D912B99C
> for ; Mon, 25 Aug 2008 11:14:02 +1000
> (EST)
> Received: from BAY113-W51 ([65.54.168.151]) by
> BAY0-OMC3-S10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
> Sun, 24 Aug 2008 18:29:34 -0700
> Message-ID:
> Content-Type: multipart/alternative;
> boundary="_6d082c57-ec4b-42db-aaa6-f421809ee165_"
> X-Originating-IP: [201.83.252.234]
> From: Dorothy Brown
> To:
> Subject: Licensed pharmaceutical professionals from our pharmacy are
> available 24/7 for you.
> Date: Mon, 25 Aug 2008 01:29:33 +0000
> Importance: High
> MIME-Version: 1.0
> X-OriginalArrivalTime: 25 Aug 2008 01:29:34.0525 (UTC)
> FILETIME=[07D4EED0:01C90652]
> Return-Path: dorothyxqsdzips@hotmail.com
>
> --_6d082c57-ec4b-42db-aaa6-f421809ee165_
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> --_6d082c57-ec4b-42db-aaa6-f421809ee165_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
>
> --_6d082c57-ec4b-42db-aaa6-f421809ee165_--
>
> ________________________________________
> From: Dorothy Brown [mailto:dorothyxqsdzips@hotmail.com]
> Sent: Monday, 25 August 2008 11:30 AM
> To: roslyn.holcombe@icliffs.com
> Subject: Licensed pharmaceutical professionals from our pharmacy are
> available 24/7 for you.
> Importance: High
>
>
> Attractive prices and high quality is our motto.
> www.cid-1a15c26c02719644.spaces.live.com
>
> #########################################
>
>
>
>


#4
08-26-2008, 01:44 AM
Re: Triggering rules but not scoring

Munroe Sollog wrote:
> I'm not quite sure I understand what is happening here:
>
> http://www.pastebin.ca/1184943
>
> it looks like the message is triggering rules but in the end it is
> getting '0' points


Can you run the message through 'spamassassin -t -D' to get a full
summary report? (See 'man spamassassin-run' for more on -t.) I
always find that to be very useful.

If you are using spamc then simply look at the added X-Spam-Status:
header added to the mail. What does it say?

Bob
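
One way to read the X-Spam-Status header as suggested above, for the amavisd-style headers posted earlier in this thread (added example, not part of any post): the function unfolds the header, lists every test with its score, and checks that the per-test scores add up to the reported total, which shows at a glance when rules hit but contribute almost nothing. The function names and the two sample messages, built from header values quoted in the thread, are constructed for this example.

```shell
#!/bin/sh
# Added example: break an amavisd-style X-Spam-Status header into its tests.

# Reads a message on stdin (headers first). Prints "TEST SCORE" per test,
# then one line: reported=<total> summed=<sum> required=<threshold>.
# Exits 1 if the message has no X-Spam-Status header.
spam_status_breakdown() {
    awk '
    # Return the value of the first key=value token matching regex re.
    function grab(s, re,    v) {
        if (!match(s, re)) return "?"
        v = substr(s, RSTART, RLENGTH)
        sub(/^[a-z]+=/, "", v)
        return v
    }
    /^$/     { exit }                                 # blank line ends the headers
    /^[ \t]/ { if (in_hdr) buf = buf " " $0; next }   # folded continuation line
             { in_hdr = 0 }
    /^X-Spam-Status:/ { in_hdr = 1; buf = $0 }
    END {
        if (buf == "") { print "no X-Spam-Status header"; exit 1 }
        reported = grab(buf, "(score|hits)=-?[0-9.]+")
        required = grab(buf, "required=-?[0-9.]+")
        if (match(buf, /tests=.*/)) {
            t = substr(buf, RSTART + 6)
            # Drop whitespace and the optional [ ] around the list
            gsub(/[ \t]/, "", t); gsub(/\[/, "", t); gsub(/\]/, "", t)
            n = split(t, item, ",")
            for (i = 1; i <= n; i++) {
                # A test listed without a score is printed but not summed
                if (index(item[i], "=") == 0) { print item[i], "?"; continue }
                name = item[i]; sub(/=[^=]*$/, "", name)
                val  = item[i]; sub(/^.*=/, "", val)
                print name, val
                sum += val
            }
        }
        printf "reported=%s summed=%.3f required=%s\n", reported, sum, required
    }'
}

# Constructed sample: status values of the Yahoo-relayed message in the thread.
sample_yahoo() {
    cat <<'EOF'
Subject: constructed sample
X-Spam-Status: No, hits=0.002 tagged_above=-999 required=5.31
 tests=BAYES_50=0.001, HS_INDEX_PARAM=0.001
X-Spam-Level:

body text
EOF
}

# Constructed sample: status values of the Hotmail-relayed message in the thread.
sample_hotmail() {
    cat <<'EOF'
X-Spam-Score: 2.54
X-Spam-Status: No, score=2.54 required=5.31 tests=[BAYES_50=0.001,
 DCC_CHECK=2.17, HTML_MESSAGE=0.001, URI_HEX=0.368]
Received: from mail.example.invalid

body text
EOF
}

# With --demo, print the breakdown of both constructed samples.
if [ "${1:-}" = "--demo" ]; then
    sample_yahoo | spam_status_breakdown
    sample_hotmail | spam_status_breakdown
fi
```

To check a real message, pipe it in: `spam_status_breakdown < message.eml`.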

#5
08-26-2008, 01:48 AM
Re: Help with Junk from Hotmail and Yahoo's Servers

On Mon, Aug 25, 2008 at 10:40:08PM -0700, Jake Maul wrote:
> I get spam like this too. I'd tell you to train your bayes db better,
> but no amount of learning these things seems to have any effect for
> me- the next one in is just right back at BAYES_50. Mine are also
> largely from Yahoo, some from Hotmail.


Check: http://marc.info/?l=spamassassin-use...21929487811982

In 3.2.5 bayes doesn't work fully when there are DKIM/DomainKey headers.

#6
08-26-2008, 04:38 AM
Re: Help with Junk from Hotmail and Yahoo's Servers

Henrik K wrote:
> On Mon, Aug 25, 2008 at 10:40:08PM -0700, Jake Maul wrote:
>> I get spam like this too. I'd tell you to train your bayes db better,
>> but no amount of learning these things seems to have any effect for
>> me- the next one in is just right back at BAYES_50. Mine are also
>> largely from Yahoo, some from Hotmail.

>
> Check: http://marc.info/?l=spamassassin-use...21929487811982
>
> In 3.2.5 bayes doesn't work fully when there are DKIM/DomainKey headers.
>


I just recognized that Hotmail's SPF is not valid for hard discarding mail

hotmail.com. 987 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"


it should be -all at the end in my understanding, with current
SPF policy servers will notice a fake but don't block it

Additionally, I noticed the yahoo.com ADSP DKIM record is total
nonsense

dig -t txt _adsp._domainkey.yahoo.com

; <<>> DiG 9.4.2-P1 <<>> -t txt _adsp._domainkey.yahoo.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_adsp._domainkey.yahoo.com. IN TXT

;; ANSWER SECTION:
_adsp._domainkey.yahoo.com. 6408 IN CNAME rc.yahoo.com.
rc.yahoo.com. 1008 IN CNAME rc.yahoo.akadns.net.

so it's also up to them to fix for being usable in antispam

the joke might be, that hotmail is m$ and promoted spf
and yahoo promotes dkim *g


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

#7
08-26-2008, 05:26 AM
Re: Triggering rules but not scoring

On Tue, 2008-08-26 at 00:34 -0400, Munroe Sollog wrote:
> I'm not quite sure I understand what is happening here:
>
> http://www.pastebin.ca/1184943
>
> it looks like the message is triggering rules but in the end it is
> getting '0' points


See the very last two lines. They mention the rules hit. In fact, there
are no (regular) rules hit at all, but subtests only.


> dbg: config: read file /var/lib/spamassassin/3.002005/70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf


Skimming through the debug output it looks like you manually put these
cf files there. That's the dir for sa-update to keep the "channels" (a
directory per rule update source). However, keeping the cf files there
rather than channels shouldn't be the problem.

The problem is, that once that dir exists, SA expects to find all rules
underneath that directory.

That effectively means, that SA on your machine knows no rules but the
SARE ones you put there manually. You can see that for yourself in your
output, where no stock rule files are read at all.

(a) If you just want to add some SARE rules, /etc/mail/spamassassin is
the dir to put them.
(b) And if you use sa-update for a third-party channel, be sure to use
sa-update for the stock rules as well. [1]

Now why do I write email, let alone public email, before I got my
coffee?

guenther


[1] I believe this is documented somewhere. Alas, I can't find it...

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

#8
08-26-2008, 07:43 AM
Re: Triggering rules but not scoring

I am using sa-update for the stock rules. I run:

sa-update -D --channelfile /etc/mail/spamassassin/sa-update-channels.txt --gpgkey 856AA88A

where sa-update-channels.txt contains:

updates.spamassassin.org
70_sare_stocks.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html1.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header1.cf.sare.sa-update.dostech.net
70_sare_header2.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_obfu1.cf.sare.sa-update.dostech.net
70_sare_obfu2.cf.sare.sa-update.dostech.net



Munroe Sollog
Systems Engineer
Digirati Consulting, Inc
sollog@digiraticonsulting.com




Karsten Bräckelmann wrote:
> On Tue, 2008-08-26 at 00:34 -0400, Munroe Sollog wrote:
>
>> I'm not quite sure I understand what is happening here:
>>
>> http://www.pastebin.ca/1184943
>>
>> it looks like the message is triggering rules but in the end it is
>> getting '0' points
>>

>
> See the very last two lines. They mention the rules hit. In fact, there
> are no (regular) rules hit at all, but subtests only.
>
>
>
>> dbg: config: read file /var/lib/spamassassin/3.002005/70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf
>>

>
> Skimming through the debug output it looks like you manually put these
> cf files there. That's the dir for sa-update to keep the "channels" (a
> directory per rule update source). However, keeping the cf files there
> rather than channels shouldn't be the problem.
>
> The problem is, that once that dir exists, SA expects to find all rules
> underneath that directory.
>
> That effectively means, that SA on your machine knows no rules but the
> SARE ones you put there manually. You can see that for yourself in your
> output, where no stock rule files are read at all.
>
> (a) If you just want to add some SARE rules, /etc/mail/spamassassin is
> the dir to put them.
> (b) And if you use sa-update for a third-party channel, be sure to use
> sa-update for the stock rules as well. [1]
>
> Now why do I write email, let alone public email, before I got my
> coffee?
>
> guenther
>
>
> [1] I believe this is documented somewhere. Alas, I can't find it...
>
>


#9
08-26-2008, 07:45 AM
Re: Triggering rules but not scoring

Here is the -t output

http://www.pastebin.ca/1185205

Munroe Sollog
Systems Engineer
Digirati Consulting, Inc
sollog@digiraticonsulting.com




Bob Proulx wrote:
> Munroe Sollog wrote:
>
>> I'm not quite sure I understand what is happening here:
>>
>> http://www.pastebin.ca/1184943
>>
>> it looks like the message is triggering rules but in the end it is
>> getting '0' points
>>

>
> Can you run the message through 'spamassassin -t -D' to get a full
> summary report? (See 'man spamassassin-run' for more on -t.) I
> always find that to be very useful.
>
> If you are using spamc then simply look at the added X-Spam-Status:
> header added to the mail. What does it say?
>
> Bob
>


#10
08-26-2008, 08:02 AM
Re: Triggering rules but not scoring

On Tue, 2008-08-26 at 07:43 -0400, Munroe Sollog wrote:
> I am using sa-update for the stock rules. I run:
>
> sa-update -D --channelfile /etc/mail/spamassassin/sa-update-channels.txt
> --gpgkey 856AA88A
>
> where sa-update-channels.txt contains:
>
> updates.spamassassin.org
> 70_sare_stocks.cf.sare.sa-update.dostech.net

[ snip ]

$ ls *.cf /var/lib/spamassassin/3.002005/
$ ls -d /var/lib/spamassassin/3.002005/*/


Something went wrong anyway. At the *very* least, you are missing the
updates_spamassassin_org.cf file in that dir. So your sa-update did not
succeed with the stock rules. Have a look at your debug output again.

Did you read the docs? Did you debug sa-update?

http://wiki.apache.org/spamassassin/RuleUpdates
"[...] so make sure that the first time you run sa-update it completes
successfully"


Double quoted full-quote below reply omitted.

guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

#11
08-26-2008, 08:19 AM
Re: Triggering rules but not scoring

On Tue, 2008-08-26 at 14:02 +0200, Karsten Bräckelmann wrote:
> On Tue, 2008-08-26 at 07:43 -0400, Munroe Sollog wrote:


> > updates.spamassassin.org
> > 70_sare_stocks.cf.sare.sa-update.dostech.net

> [ snip ]
>
> $ ls *.cf /var/lib/spamassassin/3.002005/


Err, whoops. Of course, make that

$ ls /var/lib/spamassassin/3.002005/*.cf


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
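
The directory check from the last two posts, generalized into a script (added example, not part of the thread): for every channel named in the sa-update channel file, it confirms that both the channel's .cf file and its directory exist under the state directory, so a stock channel that never installed is reported by name. The dot-to-underscore mapping is inferred from the channel and file names shown in the thread; the function names and the demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sa-update state directory against a channel list.

# Map a channel name to its on-disk base name. Assumption taken from the
# names visible in this thread: every dot becomes an underscore.
channel_to_base() {
    printf '%s\n' "$1" | tr '.' '_'
}

# audit_channels STATE_DIR CHANNEL_FILE
# Prints "ok <channel>" or "MISSING <channel> (<what is missing>)" per channel.
# Returns 0 if every channel has both its .cf file and its directory, else 1.
audit_channels() {
    state_dir=$1
    channel_file=$2
    rc=0
    while IFS= read -r channel || [ -n "$channel" ]; do
        # This script skips blank lines and lines starting with '#'
        case $channel in ''|'#'*) continue ;; esac
        base=$(channel_to_base "$channel")
        missing=
        [ -f "$state_dir/$base.cf" ] || missing="$base.cf"
        [ -d "$state_dir/$base" ]    || missing="${missing:+$missing, }$base/"
        if [ -n "$missing" ]; then
            echo "MISSING $channel ($missing)"
            rc=1
        else
            echo "ok $channel"
        fi
    done < "$channel_file"
    return $rc
}

# Constructed demo of the situation in the thread: a SARE channel is present,
# the stock channel updates.spamassassin.org was never installed.
make_demo_dir() {
    d=$(mktemp -d)
    sare=70_sare_genlsubj0_cf_sare_sa-update_dostech_net
    mkdir -p "$d/state/$sare"
    : > "$d/state/$sare.cf"
    printf '%s\n' updates.spamassassin.org \
        70_sare_genlsubj0.cf.sare.sa-update.dostech.net > "$d/channels.txt"
    echo "$d"
}

# Usage: sh audit.sh STATE_DIR CHANNEL_FILE   or   sh audit.sh --demo
if [ $# -eq 2 ]; then
    audit_channels "$1" "$2"
elif [ "${1:-}" = "--demo" ]; then
    demo_dir=$(make_demo_dir)
    audit_channels "$demo_dir/state" "$demo_dir/channels.txt"
    rm -rf "$demo_dir"
fi
```

On the system discussed in the thread the arguments would be /var/lib/spamassassin/3.002005 and /etc/mail/spamassassin/sa-update-channels.txt.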
