Topic: spamassassin

[schotty]

Hello!

I have installed spamassassin as per pagefault.org.
I instaled user-panel and changed for all users the procmail rule (all users being just me!! Im the only one - test server).

told spamass... to move everything to junkmail and mark it as spam.

I sent myself a mail which contains :

MAKE $1,000,000 INSTANTLY
BECOME A MILLIONAIRE OVERNIGHT
YOU CAN BE RICH TOO
 
Guess what.... I got the email (am using Webmail).
So i havent dont something right... But what?

Any takers for a little help?

[schotty]

Of course I didnt mean pagefault... its not there....
I do believe though that the rpm I installed was just 1 *.rpm....
Will have to check later.

[Greg Zartman]

Schotty,

Spamassassin is a very complex filtering system with ALOT of configuration options.  There are tens, maybe even hundreds, of reasons why your message made it to your inbox.  The first thing you need to do if find out if spamassassin has actually even seen the message.   Have a look at the mail header for a tag called "X-Spam-Status."  Spamassassin sets this to yes (message is probably spam) or no (message probably isn't spam).  

The most likely reason that this message made it to your inbox is because it's spam score was below the threshold set in SA.  In a standalone mode, you’ll need to set the threshold score pretty high to nab most spam.  I highly recommend that you install Razor and point SA to the various blacklists.  

First and foremost READ THE DOCS:  http://useast.spamassassin.org/doc.html.  This is one of those apps that you can’t just “wing it” and figure everything out.

Good luck.

Regards,

Greg Zartman

[schotty]

Hello!

Well this is part of the mail header. As you can see spamass.... did see it. I believe that that the package I installed also used Razor.

I guess im gonna have to read a little about spammassas.... using the link u gave me.



Received: (qmail 26704 invoked by uid 0); 4 Jul 2003 11:23:03 -0000
Date: Fri, 4 Jul 2003 13:23:03 +0200 (MEST)
From: calumfield@gmx.de
To: calum@fieldnet.de,calum@fieldnet.tk
MIME-Version: 1.0
Subject:
X-Priority: 3 (Normal)
X-Authenticated-Sender: #0002666491@gmx.net
X-Authenticated-IP: [212.117.68.130]
Message-ID: <29723.1057317783@www67.gmx.net>
X-Mailer: WWW-Mail 1.6 (Global Message Exchange)
X-Flags: 0001
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=2.2 required=8.0
   tests=AWL,LINES_OF_YELLING,NO_REAL_NAME,SIGNATURE_SHORT_SPARSE,
         SPAM_PHRASE_00_01,SUBJ_MISSING,UPPERCASE_25_50,US_DOLLARS_3
   version=2.43
X-Spam-Level: **


MAKE $1,000,000 INSTANTLY
BECOME A MILLIONAIRE OVERNIGHT
YOU CAN BE RICH TOO

--
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++

Jetzt ein- oder umsteigen und USB-Speicheruhr als Prämie sichern!

[Greg Zartman]

Looks like SA is working.  See the following header:

X-Spam-Status: No, hits=2.2 required=8.0

This says that this message as a score of 2.2, but the threshold is 8.  That's a fairly low spam score.  I'm guessing razor isn't running on your setup.  IF it were, I'd bet this message would have a much higher score.  Razor and bayes are really the backbone of SA.

Greg

[schotty]

My first "real" spam and yes it got moved to junkmail )
I believe razor is working but maybe you can read from the report otherwise??

I would like to further my knowledge in anti spamming and e-smith. If anyone has some good links then I wouöld appreciate that.
I am interested in learning how to use this spamassasin and Razor and not just having installed a bit of software that I dont have a clue about!


Cheers



SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (16.20 hits, 8 required)
SPAM: MSGID_HAS_NO_AT    (0.3 points)  Message-Id has no @ sign
SPAM: INVALID_MSGID      (0.0 points)  Message-Id is not valid, according to RFC 2822
SPAM: FOR_FREE           (0.3 points)  BODY: No such thing as a free lunch (1)
SPAM: CLICK_BELOW        (0.3 points)  BODY: Asks you to click below
SPAM: SPAM_PHRASE_08_13  (1.4 points)  BODY: Spam phrases score is 08 to 13 (medium)
SPAM:                    [score: 9]
SPAM: HTML_FONT_COLOR_GREEN (0.4 points)  BODY: HTML font color is green
SPAM: BIG_FONT           (0.3 points)  BODY: FONT Size +2 and up or 3 and up
SPAM: HTML_FONT_COLOR_NAME (0.3 points)  BODY: HTML font color has unusual name
SPAM: HTML_FONT_COLOR_RED (0.3 points)  BODY: HTML font color is red
SPAM: HTML_50_70         (0.3 points)  BODY: Message is 50-70% HTML tags
SPAM: LINES_OF_YELLING   (0.2 points)  BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: CLICK_HERE_LINK    (0.3 points)  BODY: Tells you to click on a URL
SPAM: PORN_4             (1.4 points)  URI: URL uses words and phrases which indicate porn (4)
SPAM: UNSUB_PAGE         (0.1 points)  URI: URL of page called "unsubscribe"
SPAM: RAZOR2_CHECK       (3.9 points)  Listed in Razor2, see http://razor.sf.net/
SPAM: RCVD_IN_BL_SPAMCOP_NET (5.0 points)  RBL: Received via a relay in bl.spamcop.net
SPAM:                    [RBL check: found 43.64.140.200.bl.spamcop.net.]
SPAM: PRIORITY_NO_NAME   (1.0 points)  Message has priority setting, but no X-Mailer
SPAM: CTYPE_JUST_HTML    (0.4 points)  HTML-only mail, with no text version

[Steven]

FYI a score of 8, in my opinion, is helofa high - I have mine set to 5 and the only false positive I've had in 2 months is from ...Microsoft

Most genuine emails will be below 2, so you can set it lower, just monitor it for a while.

Steven

[Jesper Knudsen]

I have installed SA with DCC, Pyzor and Razor but I cannot see whether they are active. I tried the email message from this thread and only got a score of 3,5

X-Spam-Status: No, hits=3.5 required=8.0
   tests=AWL,EARN_MONEY,RCVD_IN_OSIRUSOFT_COM,SUBJ_ALL_CAPS,
         UPPERCASE_25_50,US_DOLLARS_3
   version=2.55
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

How to I see whether DCC, Razor and Pyzor are active ?? I have even added new entries on the local.cf (via templates) so it looks like this:

#-------------------------------------------
#Global configuration parameters set        
#via spamassassin server-manager panel.    
#-------------------------------------------
auto_learn 1
skip_rbl_checks 0
required_hits 8
report_safe 1
rewrite_subject 1
 
#-------------------------------------------
#Custom Spamassassin scoring        
#-------------------------------------------

##Set score for entries found at spamcop.net
score RCVD_IN_BL_SPAMCOP_NET 5

#---------------------------------------------
#Global WBL entries via spamassassin          
#server-manager panel.                        
#---------------------------------------------
 
# Enable the Bayes system
use_bayes               1

# Enable or disable network checks
skip_rbl_checks         0
use_razor2              1
use_dcc                 1
use_pyzor               1

# Score for the various tests
score RAZOR2_CHECK      5

use_terse_report   0
subject_tag        [SPAM _HITS_]
dcc_path           /usr/local/bin/dccproc
pyzor_path         /usr/bin/pyzor

auto_learn_threshold_nonspam -2.0
auto_learn_threshold_spam    8.0

[Brian Read]

try "spamassassin --lint -D"

Cheers

Brian