Make SPAM ASSASSIN work for you...
June 19th, 2004, 11:57 AM   #28
wap3
On Thu 17 Jun I deleted and reapplied the filters to Chopchop>cbcog98.org
On Fri 18 Jun +8 *'s were still not being sent to /dev/null

I run the same here at home Chopchop>wap3.com
Below is one that came in this morning

CPanel Filters:
Any Header > Begins >> X-Spam-Level: ********
Any Header > Contains >> ********

When I put this in the test area it works, but there seems to be a timing/order problem with filters and SA
Could the filters be running before SA?
Are the SA headers not being added after SA and before filters?

This issue is clogging up PopFile History on the local mailservers with this trash
When our office [cbcog98] starts at 07:00 every morning at least 50 mails are retrieved with only 3-5 good ones, 3-5 that are in the point range 2.5 and 8 and have to be checked manually in the quarantined mailbox, and the rest should have gone to /dev/null

This morning so far has 23 mails, 2 PopFile classed MAIL, the rest DELETE, and the ones I quickly checked are beyond the filter +8 *'s setting

Like I said when I first did this after the parent posting it worked for a month or so and the last few weeks has been failing

Thanks
--Trey Pattillo

------- BEGIN FAILED FILTERING -------------

Return-path: <wap339achopchop.surpasshosting.com>
Envelope-to: wap339achopchop.surpasshosting.com
Delivery-date: Sat, 19 Jun 2004 07:44:05 -0400
Received: from wap339a by chopchop.surpasshosting.com with local-bsmtp (Exim 4.34)
id 1BbeGS-00020g-Jb
for wap339achopchop.surpasshosting.com; Sat, 19 Jun 2004 07:44:05 -0400
Received: from localhost by chopchop.surpasshosting.com
with SpamAssassin (2.63 2004-01-11);
Sat, 19 Jun 2004 07:44:05 -0400
From: "Bobby Shipman" <MCUUUISRTMQMAYyahoo.com>
To: Meyer<meyerwap3.com>
Subject: Meds Delivered to your door step - no previous prescription required
Date: Sat, 19 Jun 2004 07:40:32 -0600
Message-Id: <1089528930.89221paypal.com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
chopchop.surpasshosting.com
X-Spam-Level: *************************
X-Spam-Status: Yes, hits=25.1 required=2.0 tests=BAYES_99,BIZ_TLD,
CONFIRMED_FORGED,FORGED_YAHOO_RCVD,HTML_70_80,HTML_FONTCOLOR_UNKNOWN,
HTML_MESSAGE,MIME_BOUND_NEXTPART,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,
RCVD_IN_DYNABLOCK,RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP,RCVD_IN_OPM,
RCVD_IN_OPM_HTTP,RCVD_IN_OPM_HTTP_POST,RCVD_IN_OPM_SOCKS,
RCVD_IN_SORBS,URI_OFFERS autolearn=spam version=2.63
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_40D42705.73983EAA"

This is a multi-part message in MIME format.

------------=_40D42705.73983EAA
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "chopchop.surpasshosting.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: ------=_NextPart_000_00YJ_09C7715BG_06G.908Q61J0
Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding:
7bit Your mailer do not support HTML messages. Switch to a better
mailer. [...]

Content analysis details: (25.1 points, 2.0 required)

pts  rule name              description
---- ---------------------- --------------------------------------------------
0.1  HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us
0.1  HTML_MESSAGE           BODY: HTML included in message
5.4  BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
0.1  HTML_70_80             BODY: Message is 70% to 80% HTML
0.1  BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
1.0  URI_OFFERS             URI: Message has link to company offers
0.9  FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
1.0  RCVD_IN_OPM_HTTP       RBL: OPM: sender is open HTTP CONNECT proxy
                            [200.78.58.155 listed in opm.blitzed.org]
1.0  RCVD_IN_OPM            RBL: Received via a relay in opm.blitzed.org
                            [200.78.58.155 listed in opm.blitzed.org]
3.5  RCVD_IN_NJABL_DIALUP   RBL: NJABL: dialup sender did non-local SMTP
                            [200.78.58.155 listed in dnsbl.njabl.org]
1.3  RCVD_IN_OPM_SOCKS      RBL: OPM: sender is open SOCKS proxy
                            [200.78.58.155 listed in opm.blitzed.org]
1.0  RCVD_IN_OPM_HTTP_POST  RBL: OPM: sender is open HTTP POST proxy
                            [200.78.58.155 listed in opm.blitzed.org]
0.1  RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [200.78.58.155 listed in dnsbl.sorbs.net]
0.1  RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
                            [200.78.58.155 listed in dnsbl.njabl.org]
0.7  RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [<http://dsbl.org/listing?ip=200.78.58.155>]
1.5  RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?200.78.58.155>]
2.6  RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [200.78.58.155 listed in dnsbl.sorbs.net]
0.5  MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
4.1  CONFIRMED_FORGED       Received headers are forged

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.


[........... original message snipped due to size limitations .................]


[ ........... SNIPPED image001.gif to save space in posting ..............]
__________________
--wap3

If we removed all of the "Oxygen Thiefs" [tm] from politics, maybe the earth would not have a Greenhouse Gas problem.

wap3.com on ChopChop
July 9th, 2004, 12:40 PM   #29
DivinoAG
Hey BigJohn. Thanks a lot for the great tutorial.

I have done all the steps for my personal website, and even though the "bayes_seen" and "bayes_toks" files seem to have grown a lot, and I can see some info about emails that were for processing on them, the email cron sent me was not very informative. All I got was this:

Code:
Learning SPAM
Learning HAM
Done
I was expecting to see the "Learned from X message(s) (Y message(s) examined)" message, but nothing beyond those lines came.

Of course, if the learning process is working, this shouldn't be a problem, but it would be better to be able to know what is happening. Could you give any hint of what I could do?
__________________
Sincerely

DivinoAG
goersch.info Dior
cgon.com.br Gotti
xsibrasil.com Sync
July 9th, 2004, 1:25 PM   #30
DivinoAG
Well, I just noticed that the script is case sensitive. My SPAM and HAM folder names were in small caps. Renamed them, and worked just fine.

Again, thanks for the tutorial.
__________________
Sincerely

DivinoAG
goersch.info Dior
cgon.com.br Gotti
xsibrasil.com Sync
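The failure described in posts #29 and #30 (the cron mail showing only "Learning SPAM / Learning HAM / Done" because the folder names differed in case) can be caught before sa-learn runs. The following is an added example, not part of the thread or of the tutorial's script; the mail root path, the mbox-file layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight for a cron learn script (not the tutorial's own code).
# The mail root path and the SPAM/HAM folder names are assumptions; adjust to your account.

# Print the path of mbox folder $2 under $1.
# Returns 0 on exact match, 2 if only a differently-cased folder exists, 1 if none.
find_folder() {
    root=$1 want=$2
    if [ -f "$root/$want" ]; then
        printf '%s\n' "$root/$want"
        return 0
    fi
    want_lc=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
    for f in "$root"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        name_lc=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if [ "$name_lc" = "$want_lc" ]; then
            echo "WARNING: found '$name' but the script expects '$want' (names are case sensitive)" >&2
            return 2
        fi
    done
    echo "ERROR: no '$want' folder under $root" >&2
    return 1
}

# Count messages in an mbox file by its "From " separator lines.
count_mbox() {
    grep -c '^From ' "$1" || true
}

# Learn one folder, reporting how many messages are handed to sa-learn.
learn() {
    kind=$1 root=$2 folder=$3
    path=$(find_folder "$root" "$folder") || return $?
    echo "Learning $folder: $(count_mbox "$path") message(s) in $path"
    if command -v sa-learn >/dev/null 2>&1; then
        sa-learn "--$kind" --mbox "$path"
    else
        echo "sa-learn not installed; skipped"
    fi
}

# Typical cron usage (paths are placeholders):
#   learn spam /home/username/mail SPAM && learn ham /home/username/mail HAM
```

Because the warning and error go to stderr, cron includes them in its mail, so a misnamed folder shows up in the report instead of a silent "Done".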
September 7th, 2004, 9:55 AM   #31
pseudoswede
When should I expect SA to start using Bayes scores?
__________________
"In the end, everything will be fine - if it is not fine, it is not the end."
PseudoSwede
larvez.com
Dime9
September 7th, 2004, 10:08 AM   #32
Bigjohn
Quote:
Originally Posted by pseudoswede
When should I expect SA to start using Bayes scores?
After it's scanned 500 messages in your SPAM folder.

You can also edit key scores. For example, I adjusted "numeric helo" to be a higher value (3 I think) because I've never seen a legit email server NOT reply with its name....

John
__________________
Proud to be a Surmunity Mod!
XEON PASS60 PASS61
Make a fundamental difference!
My Sites:
Curious about Brewing Beer? Join the community!
>>>>> Some Change is GOOD! Keep your paycheck! Support the Fair Tax
Get into an Art museum
Victorian London
It's your brain -ON WEB - mybrainhost.com (under development)
What SHOULD Government do? Much Less than it Does!
November 24th, 2004, 12:05 PM   #33
SmartGuy
I was just thinking about this... and a great way to teach Spam Assassin is to make an e-mail you will never use. Try opajebha[at]domain.com. Then, send that e-mail out to all the great sites that love to send you spam. Move all of the e-mail you get to SPAM, as none of them will be HAM.

(I have the learnspam file to only check the inbox of the spam only e-mail address I used. You can try that too.)

And there you go.
November 24th, 2004, 12:07 PM   #34
Bigjohn
Quote:
Originally Posted by SmartGuy
I was just thinking about this... and a great way to teach Spam Assassin is to make an e-mail you will never use. Try opajebha[at]domain.com. Then, send that e-mail out to all the great sites that love to send you spam. Move all of the e-mail you get to SPAM, as none of them will be HAM.

(I have the learnspam file to only check the inbox of the spam only e-mail address I used. You can try that too.)

And there you go.
But spam assassin does not concern itself with the 'to' information in a message. It analyzes content and subject header, plus other headers as well. The TO address is not significant to Spam Assassin.
November 24th, 2004, 12:22 PM   #35
SmartGuy
That's not the point. This is just a quick way to accumulate a lot of spam, without having to go through the trouble of logging in to horde and moving everything for a few weeks.

I rewrote my message, but can't edit it. Here are better directions, with a few new ideas.



I was just thinking about this... and a great way to teach Spam Assassin is to make an e-mail you will never use. Try oasjfme[at]domain.com. Then, sign up for whatever you want to. If you are visitor 93471239 out of 238919312, then sign on up. Go ahead, sign up for the most amazing advancement science has ever seen: all natural, completely safe, penis enlargement.


Here are the step by step directions.

1) Create an e-mail address that you will never use. oasjfme[at]domain.com is fine.
2) Delete your current filter that discards all mail that is spam, above x SA points.
3) Create a new mail filter that moves e-mail with "Any Header" that "begins with" "X-Spam-Level: ******" to "oasjfme[at]domain.com" (You can change the amount of stars to whatever you want, but this is fine for me.)
4) Edit your learnspam, replacing everything with the following. (Make sure to change username, domain.com and oasjfme to what they should be.)
Code:
#!/bin/sh
# Learn from the spam-only mailbox: every message in it is treated as spam.
echo "Teaching Spam Assassin"
sa-learn --spam --mbox /home/username/mail/domain.com/oasjfme/inbox
This way, you know that every e-mail that is checked is real spam. Also, there is no need to login to your account every few days to move mail to HAM or SPAM.

I do not suggest putting this e-mail where someone real can find it. If someone e-mails it, it might throw off the results a little, making SA stupid. However, that won't affect much.
November 24th, 2004, 1:33 PM   #36
Bigjohn
Ahh, I see your point...

but I don't think it's a good idea to expose your domain name to lists of spammers that way...