Jan Pieter Cornet | 7 Aug 2008 17:03

Re: SpamAssassin regexp question

Sorry for the slow reply... but I had to react (omg! somebody
on the intarweb is r0ng!)

On Wed, Jul 30, 2008 at 11:59:57AM -0400, Joseph Brennan wrote:
>> # This mail was sent by...
>> rawbody UAH_SENTBY1 /^This email was sent by:$/
>> score UAH_SENTBY1 1.0
>> rawbody UAH_SENTBY2 /^Unsubscribe: http:.+\/accounts$/
>> score UAH_SENTBY2 1.0
>> 
>> When I ran command line spamassassin against a copy of the message, the
>> tests did not hit.  When I changed it to this:
>> 
>> # This mail was sent by...
>> rawbody UAH_SENTBY1 /\nThis email was sent by:\n/
>> score UAH_SENTBY1 1.0
>> rawbody UAH_SENTBY2 /\nUnsubscribe: http:.+\/accounts\n/
>> score UAH_SENTBY2 1.0
>> 
>> they did.  What's the difference?  Thanks...
> 
> The symbols ^ and $ do not always mean start and end of line.  They
> mean start and end of the chunk perl is working with, which can be
> changed by redefining $/.  SpamAssassin seems to read the whole
> message in one chunk, so that it can match across lines.

This is... an oversimplification.

The ^ and $ symbols match at the beginning and end (respectively)
of the string. When you are reading from a file handle, strings are

Jim McCullars | 7 Aug 2008 19:30

Re: SpamAssassin regexp question


On Thu, 7 Aug 2008, Jan Pieter Cornet wrote:

> >> # This mail was sent by...
> >> rawbody UAH_SENTBY1 /^This email was sent by:$/
> >> score UAH_SENTBY1 1.0
> >> rawbody UAH_SENTBY2 /^Unsubscribe: http:.+\/accounts$/
> >> score UAH_SENTBY2 1.0
> >>
> >> When I ran command line spamassassin against a copy of the message, the
> >> tests did not hit.  When I changed it to this:
> >>
> >> # This mail was sent by...
> >> rawbody UAH_SENTBY1 /\nThis email was sent by:\n/
> >> score UAH_SENTBY1 1.0
> >> rawbody UAH_SENTBY2 /\nUnsubscribe: http:.+\/accounts\n/
> >> score UAH_SENTBY2 1.0
> >>
> >> they did.  What's the difference?  Thanks...
> >
> So far, you are correct. However, spamassassin presents the "body"
> rules with the message _per_paragraph_ (see Mail::SpamAssassin::Conf,
> search for "body SYMBOLIC_TEST_NAME). Line breaks and html tags
> are removed. "rawbody" tests are presented per line.

   That's what I thought, which is why I was using the rawbody tests, and
I could never figure out why the test didn't work.  Can you shed any light
on my specific case?  Thanks...

Jim McCullars

Jan Pieter Cornet | 7 Aug 2008 22:49

Re: SpamAssassin regexp question

On Thu, Aug 07, 2008 at 12:30:17PM -0500, Jim McCullars wrote:
> On Thu, 7 Aug 2008, Jan Pieter Cornet wrote:
> 
> > >> # This mail was sent by...
> > >> rawbody UAH_SENTBY1 /^This email was sent by:$/
> > >> score UAH_SENTBY1 1.0
> > >> rawbody UAH_SENTBY2 /^Unsubscribe: http:.+\/accounts$/
> > >> score UAH_SENTBY2 1.0
> > >>
> > >> When I ran command line spamassassin against a copy of the message, the
> > >> tests did not hit.  When I changed it to this:
> > >>
> > >> # This mail was sent by...
> > >> rawbody UAH_SENTBY1 /\nThis email was sent by:\n/
> > >> score UAH_SENTBY1 1.0
> > >> rawbody UAH_SENTBY2 /\nUnsubscribe: http:.+\/accounts\n/
> > >> score UAH_SENTBY2 1.0
> > >>
> > >> they did.  What's the difference?  Thanks...
> > >
> > So far, you are correct. However, spamassassin presents the "body"
> > rules with the message _per_paragraph_ (see Mail::SpamAssassin::Conf,
> > search for "body SYMBOLIC_TEST_NAME). Line breaks and html tags
> > are removed. "rawbody" tests are presented per line.
> 
>    That's what I thought, which is why I was using the rawbody tests, and
> I could never figure out why the test didn't work.  Can you shed any light
> on my specific case?  Thanks...

Err, no. I assumed that your second tests would never hit, since
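
The anchor behaviour discussed in this thread, as an added example that is not part of the original posts: it runs the two rule patterns from the question, plus a /m variant, against text handed over one line at a time and as a single multi-line string. The sample text is constructed, and how SpamAssassin itself chunks rawbody input is not modelled here.

```perl
#!/usr/bin/perl
# Added example: Perl ^ / $ semantics applied to the rule patterns quoted above.
use strict;
use warnings;

# Constructed sample text (not taken from a real message).
my @lines = (
    "Hello,\n",
    "This email was sent by:\n",
    "Example Sender Inc.\n",
    "Unsubscribe: http://lists.example.com/accounts\n",
    "Bye\n",
);

# The same text as one string containing embedded newlines.
my $chunk = join '', @lines;

# Without /m, ^ matches only at the start of the string and $ only at the
# end (or just before a final newline). With /m they match at every line
# boundary inside the string.
my @patterns = (
    [ 'anchored',    qr/^This email was sent by:$/    ],
    [ 'anchored /m', qr/^This email was sent by:$/m   ],
    [ 'newlines',    qr/\nThis email was sent by:\n/  ],
);

# Count how many of the given strings the pattern matches.
sub hits {
    my ($re, @strings) = @_;
    return scalar grep { $_ =~ $re } @strings;
}

for my $p (@patterns) {
    my ($name, $re) = @$p;
    printf "%-12s line-at-a-time: %d   multi-line string: %d\n",
        $name, hits($re, @lines), hits($re, $chunk);
}
```

Whether the plain anchors or the \n form hits depends only on whether the string handed to the regex holds one line or several; on this sample the /m form hits either way.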

jef moskot | 8 Aug 2008 08:52

mimedefang.sh does nothing

I just installed MIMEDefang from ports on a FreeBSD 7.0 machine.  Followed
the instructions and now I want to test the config (with sendmail).

Trying to send a message yields this
"Milter (mimedefang): local socket name /var/spool/MIMEDefang/mimedefang.sock unsafe"
in /var/log/maillog.

Makes sense, because as it turns out, mimedefang isn't running.

So, I cd to /usr/local/etc/rc.d and attempt to run mimedefang.sh (which is
just an unmodified copy of mimedefang.sh-dist).

# ./mimedefang.sh start

Nothing happens.  No mimedefang processes start, no complaints, I can't
find error messages in various log files, etc.

mimedefang.sh looks reasonable and is not entirely braindead:

# ./mimedefang.sh
Usage: ./mimedefang.sh
[fast|force|one](start|stop|restart|rcvar|reload|reread|status|poll)

I haven't made any significant modifications (just changed the email
addresses in mimedefang-filter) to any of the conf files, since I'm not
that far along yet.

Is there somewhere I might get some feedback as to what's going on (or not
going on)?


Daniel O'Connor | 8 Aug 2008 09:35

Re: mimedefang.sh does nothing

On Fri, 8 Aug 2008, jef moskot wrote:
> I just installed MIMEDefang from ports on a FreeBSD 7.0 machine. 
> Followed the instructions and now I want to test the config (with
> sendmail).
>
> Trying to send a message yields this
> "Milter (mimedefang): local socket name
> /var/spool/MIMEDefang/mimedefang.sock unsafe" in /var/log/maillog.
>
> Makes sense, because as it turns out, mimedefang isn't running.
>
> So, I cd to /usr/local/etc/rc.d and attempt to run mimedefang.sh
> (which is just an unmodified copy of mimedefang.sh-dist).
>
> # ./mimedefang.sh start
>
> Nothing happens.  No mimedefang processes start, no complaints, I
> can't find error messages in various log files, etc.
>
> mimedefang.sh looks reasonable and is not entirely braindead:
>
> # ./mimedefang.sh
> Usage: ./mimedefang.sh
> [fast|force|one](start|stop|restart|rcvar|reload|reread|status|poll)
>
> I haven't made any significant modifications (just changed the email
> addresses in mimedefang-filter) to any of the conf files, since I'm
> not that far along yet.
>
> Is there somewhere I might get some feedback as to what's going on

jef moskot | 8 Aug 2008 09:51

Re: mimedefang.sh does nothing

On Fri, 8 Aug 2008, Daniel O'Connor wrote:
> As with every FreeBSD rc.d script - you need to enable it in rc.conf
> before it will run.

Ah, that was definitely it.  Guess I'm just used to ports doing all the
heavy lifting for me.  My brain must be atrophied.

At any rate, after adding

mimedefang_enable="YES"

to /etc/rc.conf it's working fine.  Well, actually there are some other
issues, but now I'm in the game.

Thanks!

Jeffrey Moskot
System Administrator
jef <at> math.miami.edu

jef moskot | 8 Aug 2008 17:11

customizing quarantine notification

I'm trying to send the admin notifications of quarantines that have more
useful Subject lines than "MIMEDefang Quarantine Report".

I've got this in my filter_end right now:

    my ($code, $category, $action) = message_contains_virus();

    if ($action eq 'quarantine') {
        action_quarantine_entire_message();

        $QuarantineSubject = $VirusName;

        send_quarantine_notifications();
        action_discard();
    }

The $QuarantineSubject thing actually works, although what I'd really like
is both the name of the virus and the name of the sender (and a little bit
of hard-coded text).  It's easy to visually process what's going on when
you see that lined up in an inbox, and I've got filters built into my
mail client which file things away for future study.

Anyway, I'm just not sure what the grammar for slapping strings together
is in that context.

Also, what's up with the delay in send_quarantine_notifications?  I'd
prefer an immediate response (at least while I'm still debugging), but
those messages don't get delivered until some time later.  Are they
hanging around in a queue somewhere or is a bunch of data being reaped at
a later time to fire off those messages?

Joseph Brennan | 8 Aug 2008 17:36

Re: customizing quarantine notification


jef moskot <jef <at> math.miami.edu> wrote:

>         $QuarantineSubject = $VirusName;

> The $QuarantineSubject thing actually works, although what I'd really like
> is both the name of the virus and the name of the sender (and a little bit
> of hard-coded text).  . . .
> Anyway, I'm just not sure what the grammar for slapping strings together
> is in that context.

$QuarantineSubject = "$VirusName from $Sender";

And if you get the name of the virus in a variable, that too.

> Also, what's up with the delay in send_quarantine_notifications?  I'd
> prefer an immediate response (at least while I'm still debugging), but
> those messages don't get delivered until some time later.  Are they
> hanging around in a queue somewhere or is a bunch of data being reaped at
> a later time to fire off those messages?

MD puts them into the client-mqueue, so they get mailed when the queue
runner runs.  One solution would be to run that very very frequently
during debugging.  It's the sendmail with the -Ac option.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology


jef moskot | 8 Aug 2008 18:43

Re: customizing quarantine notification

On Fri, 8 Aug 2008, Joseph Brennan wrote:
> $QuarantineSubject = "$VirusName from $Sender";

Perfect.  Thank you for tolerating my newbishness.

> MD puts [quarantine notifications] into the client-mqueue, so they get
> mailed when the queue runner runs.  One solution would be to run that
> very very frequently during debugging.  It's the sendmail with the -Ac
> option.

I found the notifications hiding there just a little while ago.  I've been
kicking the queue repeatedly, but thanks to your help, I can stop
experimenting with the Subject line.  More trial, less error.

Now I'm looking into modifying the body of the messages.  For some reason,
the first few lines of the header are missing their newlines.

Jeffrey Moskot
System Administrator
jef <at> math.miami.edu

jef moskot | 12 Aug 2008 16:20

pure whitelisting

I've got some domains I need whitelisted in /etc/mail/access and I don't
want MIMEDefang to look at them either.  I don't want them virus-scanned
or spam-assassined or sanity-checked in any way.

This is a policy thing, not a logic thing.

I've seen some discussion in the list about how the access file can be
farmed in some way and a few references to how someone must have posted
some info somewhere, but I couldn't find anything.

We need to have the domains in the access table, by the way, because we do
some RBL-checking directly from sendmail.

Any suggestions?

Jeffrey Moskot
System Administrator
jef <at> math.miami.edu
