Mailing List Archive

On 2021-01-26 23:04, Joe Acquisto-j4 wrote:

> Any suggestions?

does it lint if local.cf is empty or non exists ?

> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>
>> Any suggestions?
>
> does it lint if local.cf is empty or non exists ?

Just renamed local.cf and get the same results. Now I am more confused. Too late for more coffee.

>> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>>
Any suggestions?
>>
>> does it lint if local.cf is empty or non exists ?
>
> Just renamed local.cf and get the same results. Now I am more confused. Too
> late for more coffee.

spamd was stopped at the time.

On Tue, 26 Jan 2021 17:04:17 -0500
Joe Acquisto-j4 wrote:


> Ran lint (spamassassin -D --lint) and noticed numerous (20-30 ?)
> "__E_LIKE_LETTER," in sequence, followed by
> "__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__KHOP_NO_FULL_NAME,__LOWER_E,"
> with "__LOWER_E," repeated a similar number of times.

What happens without the -D? If you have a concern about what's showing
in the debug you would need to post something more complete. But having
many __E_LIKE_LETTER hits is normal.

On Tue, 26 Jan 2021, Joe Acquisto-j4 wrote:

>>> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>>>
> Any suggestions?
>>>
>>> does it lint if local.cf is empty or non exists ?
>>
>> Just renamed local.cf and get the same results. Now I am more confused. Too
>> late for more coffee.
>
> spamd was stopped at the time.

Are you using Amavis by any chance? Try restarting that.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Look at the people at the top of both efforts. Linus Torvalds is a
university graduate with a CS degree. Bill Gates is a university
dropout who bragged about dumpster-diving and using other peoples'
garbage code as the basis for his code. Maybe that has something to
do with the difference in quality/security between Linux and
Windows. -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
Tomorrow: the 54th anniversary of the loss of Apollo 1

>On Tue, 26 Jan 2021 17:04:17 -0500
> Joe Acquisto-j4 wrote:
>
>
>> Ran lint (spamassassin -D --lint) and noticed numerous (20-30 ?)
>> "__E_LIKE_LETTER," in sequence, followed by
>>
> "__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_S
> UBJECT,__KHOP_NO_FULL_NAME,__LOWER_E,"
>> with "__LOWER_E," repeated a similar number of times.
>
> What happens without the -D? If you have a concern about what's showing
> in the debug you would need to post something more complete. But having
> many __E_LIKE_LETTER hits is normal.

Without -D it seems to run clean. I did just find referenced to the repeats and quickly realized its functionality was beyond what I could deal with at the moment.

> On Tue, 26 Jan 2021, Joe Acquisto-j4 wrote:
>
>>>> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>>>>
>> Any suggestions?
>>>>
>>>> does it lint if local.cf is empty or non exists ?
>>>
>>> Just renamed local.cf and get the same results. Now I am more confused. Too
>>> late for more coffee.
>>
>> spamd was stopped at the time.
>
> Are you using Amavis by any chance? Try restarting that.
>
>
> --
> John Hardin KA7OHZ

clamd. I restarted it, but not clamd.milter, with no difference. I did not restart spamd after that.

On 26 Jan 2021, at 17:04, Joe Acquisto-j4 wrote:

> running version 3.42.

Presumably you meant 3.4.2...

Unless that's a distro-patched variant, such as the ones RH and Debian
produce, you should update to 3.4.4. There are significant security,
performance, bugfix, and functionality improvements in the 2 latest
"minor" releases, as their will be in the soon-to-come 3.4.5, which
should be the terminal release for the 3.4 branch.

> I added a rule in local.cf and restarted spamd. (systemctl restart
> spamd.service) It hit. Changed the score on it and an existing rule
> and did a restart and they it but neither score changed.

That's not how it SHOULD work...

> Ran lint (spamassassin -D --lint) and noticed numerous (20-30 ?)
> "__E_LIKE_LETTER," in sequence, followed by
> "__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__KHOP_NO_FULL_NAME,__LOWER_E,"
> with "__LOWER_E," repeated a similar number of times.
>
> Any suggestions?

Did the lint actually fail?

The many "__E_LIKE_LETTER" and "__LOWER_E" hits are normal. Those
subrules are part of the MIXED_ES metarule that was designed to catch a
particular family of bogus extortion spams (the ones claiming to have
recorded the victim consuming pornography and asking for ransom in
cryptocurrency.) The target spams typically try to avoid Bayes by using
a mix of Unicode characters that look like ASCII characters, notably
variations on lower case 'e'. MIXED_ES has been scoring well in RuleQA
for a surprisingly long time, although it MAY carry some risk that we
miss because our submissions don't include a lot of non-English ham.

It is possible that spamd and the spamassassin script are running as
different users and that means that it is possible that they are using
different per-user rules.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

>> On Tue, 26 Jan 2021, Joe Acquisto-j4 wrote:
>>
>> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>>>>>
>>> Any suggestions?
>>>>>
>>>>> does it lint if local.cf is empty or non exists ?
>>>>
>>>> Just renamed local.cf and get the same results. Now I am more confused. Too
>>>> late for more coffee.
>>>
>>> spamd was stopped at the time.
>>
>> Are you using Amavis by any chance? Try restarting that.
>>
>>
>> --
>> John Hardin KA7OHZ
>
> clamd. I restarted it, but not clamd.milter, with no difference. I did not
> restart spamd after that.

Seems like operator error and confusion. Apparently I did not save one of the edits I made to local.cf.

Sorry for the bother.

> On 26 Jan 2021, at 17:04, Joe Acquisto-j4 wrote:
>
>> running version 3.42.
>
> Presumably you meant 3.4.2...
>
> Unless that's a distro-patched variant, such as the ones RH and Debian
> produce, you should update to 3.4.4. There are significant security,
> performance, bugfix, and functionality improvements in the 2 latest
> "minor" releases, as their will be in the soon-to-come 3.4.5, which
> should be the terminal release for the 3.4 branch.
>
. . .
>
> Did the lint actually fail?
>

No. I am a bit puzzled by what Benny Pedersen suggested, running lint without local.cf. Never tried it, or read anything,
but presume the inference is it should have failed?

> The many "__E_LIKE_LETTER" and "__LOWER_E" hits are normal. Those
> subrules are part of the MIXED_ES metarule that was designed to catch a
> particular family of bogus extortion spams (the ones claiming to have
> recorded the victim consuming pornography and asking for ransom in
> cryptocurrency.) The target spams typically try to avoid Bayes by using
> a mix of Unicode characters that look like ASCII characters, notably
> variations on lower case 'e'. MIXED_ES has been scoring well in RuleQA
> for a surprisingly long time, although it MAY carry some risk that we
> miss because our submissions don't include a lot of non-English ham.

Thanks for helping me get the gist of that.

> It is possible that spamd and the spamassassin script are running as
> different users and that means that it is possible that they are using
> different per-user rules.

I'll check that, should not be the case, but, never know what I might have hacked and forgotten.

In any case, the problem is resolved, for now, all (I think) operator malfunction. Don't "multi task" as well these days.

joe a.

>
> --
> Bill Cole
> bill@scconsult.com or billcole@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire

On 2021-01-27 01:04, Joe Acquisto-j4 wrote:

> No. I am a bit puzzled by what Benny Pedersen suggested, running lint
> without local.cf. Never tried it, or read anything,
> but presume the inference is it should have failed?

it was unclear to me if you added rules to local.cf that did not lint or
did, so to know more i liked to show spamassassin --llnt results

hope all is okay now

On 1/26/2021 5:04 PM, Joe Acquisto-j4 wrote:
> running version 3.42.
>
> I added a rule in local.cf and restarted spamd. (systemctl restart spamd.service) It hit. Changed the score on it and an existing rule and did a restart and they it but neither score changed.
>
> Ran lint (spamassassin -D --lint) and noticed numerous (20-30 ?) "__E_LIKE_LETTER," in sequence, followed by "__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__KHOP_NO_FULL_NAME,__LOWER_E," with "__LOWER_E," repeated a similar number of times.
>
> Any suggestions?
>
1,  Double-check that the file was properly changed.
2. If a? body rules?, you probably should do a sa-compile.
3. Use the magical powers of grep to see if there's a duplicate score
for the rule somewhere.