Re: how to change score of spf

2009-01-13 Thread Matus UHLAR - fantomas
On 13.01.09 11:46, Nelson Serafica wrote:
 I want to enable spf. AFAIK, it was enabled by default.

uncomment loading of the plugin, and you need to have Mail::SPF or
Mail::SPF::Query installed (the former is preferred)

 However, I want to change the score.

there are many rules for SPF. Do not change them unless you understand what
they mean...

 Instead of -0.001, I want it to change to -2. So I edit
 local.cf and put:
 
 score SPF_PASS  -2

... and you clearly do not. positive SPF results mean NOTHING - any spammer
can register a domain and create SPF for it. Only the *FAILs are useful
since it means someone is (probably) spoofing. Maybe NEUTRAL can indicate
anything, but PASS has non-zero score only because zero score would cause it
not to appear.

 header SPF_PASS eval:check_for_spf_pass()
 describe SPF_PASS   SPF: sender matches SPF record

This is defined in 25_spf.cf, do not redefine it. It could cause problems if
the code changes.

 Then I update rules by doing spamassassin -D --lint. The debug says there
 are 1 issues detected. When I check the output of the debug, it says:
 
 [1217] warn: rules: failed to run SPF_PASS test, skipping:
 [1217] warn:  (Can't locate object method check_for_spf_pass via package
 Mail::SpamAssassin::PerMsgStatus at (eval 1248) line 1288.
 [1217] warn: )

You apparently do not have SPF enabled or required perl modules installed.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends? 


RE: Daily run output

2009-01-13 Thread Anthony Kamau
 -Original Message-
 From: Benny Pedersen [mailto:m...@junc.org]
 Sent: Monday, 12 January 2009 4:13 AM
 To: users@spamassassin.apache.org
 Subject: RE: Daily run output


 On Sun, January 11, 2009 03:08, Anthony Kamau wrote:

  2/  Locate the line starting with 'root:' in the file '/etc/aliases'
  and change it to look like this:
  root:   sysnotify

 root: dest1, dest2

 why add unneeded new users ?

 --
 Benny Pedersen
 Need more webspace ? http://www.servage.net/?coupon=cust37098


I wasn't aware you could use an e-mail address in the form
usern...@domain.com in the aliases file.

I guess I need to read a bit more on the alias file!

Cheers,
AK.





Re: how to change score of spf

2009-01-13 Thread McDonald, Dan
On Tue, 2009-01-13 at 05:09 +0100, Benny Pedersen wrote:
 On Tue, January 13, 2009 04:46, Nelson Serafica wrote:

  I tried to check Mail::SpamAssassin::PerMsgStatus in
  http://search.cpan.org and it point me to
  Mail-SpamAssassin-3.2.5.tar.gz. However, I'm already
  using SpamAssassin Server version 3.2.5
 
 never mix cpan with distro install of packages, so if your
 spamassassin is rpm based use cpan2rpm

cpan2rpm is deprecated.  use cpan2dist instead...


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Spamd processes eating processor and memory

2009-01-13 Thread Jozsef Zsido
Hi,

I have a problem with my setup of SpamAssassin version 3.2.3 integrated with
Exim 4.67-5.
The configuration is up and running for almost a year, but only the first
4-5 months were without incident.
I'm running the spamassassin integrated on the system level through the
spamd.

A while ago, 2 spamd processes (2 out of 5) started to eat memory, reaching
49-49 percent of the total system memory. Then I started to take some steps
and I disabled the bayes and the auto whitelist features (I think). The
problem didn't disappear completely, but the frequency of its appearance got
lower and lower.
I have also paniclog entries from exim: spam acl condition: error reading
from spamd socket: Connection timed out

A week ago, things got even worse. The spamd processes are now eating
100% of the processor and the mail system has become quite unstable.

A basic difference between the past and now is that the processes which
ate memory were run by the root user (is it OK that they run as
root?).
The processes eating the processor are run by the debian-exim user.

This is my first attempt to configure spamassassin and there could be a
misconfiguration somewhere.

Have you experience with a similar behavior?
Any idea what could be wrong?

Thanks,
Jozsef


SA timeout

2009-01-13 Thread Randy

Hi,

Mail occasionally slows down here and the main issue we see is the very 
long SA checks and SA TIMEOUTS. This forces us to drop the size of mail we 
scan and restart Amavis and Spamassassin, otherwise the queues will grow 
into the thousands. Also note that the Amavis daemons will be running at 
100% or so during this. I have included a sampling of our logs and 
wanted to see what people thought as to possible problems or solutions 
for this. What information should I add to help diagnose this problem?


Spamassassin v. 3.1.8
We do have network checks on to catch embedded urls which catches a 
large number of spam messages.




This is a normal, for us, timing log. Is 1193 ms slow as a norm?

Jan 12 18:22:10 atl02010303 amavis[24952]: (24952-08) TIMING [total 1193 
ms] - SMTP EHLO: 2 (0%)0, SMTP pre-MAIL: 0 (0%)0, SMTP pre-DATA-flush: 1 
(0%)0, SMTP DATA: 81 (7%)7, body_digest: 1 (0%)7, gen_mail_id: 0 (0%)7, 
mime_decode: 10 (1%)8, get-file-type2: 10 (1%)9, decompose_part: 1 
(0%)9, parts_decode: 0 (0%)9, AV-scan-1: 7 (1%)9, spam-wb-list: 1 
(0%)10, SA msg read: 1 (0%)10, SA parse: 3 (0%)10, SA check: 926 
(78%)88, update_cache: 1 (0%)88, fwd-connect: 3 (0%)88, fwd-mail-from: 1 
(0%)88, fwd-rcpt-to: 1 (0%)88, write-header: 1 (0%)88, fwd-data: 1 
(0%)88, fwd-data-end: 131 (11%)99, fwd-rundown: 1 (0%)99, 
main_log_entry: 7 (1%)100, update_snmp: 1 (0%)100, unlink-2-files: 1 
(0%)100, rundown: 0 (0%)100 

Shortly after the above we start to see this. 

Jan 12 18:22:49 atl02010303 amavis[25081]: (25081-06) SA TIMED OUT, 
backtrace: at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DBBasedAddrList.pm 
line 165\n\teval {...} called at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DBBasedAddrList.pm 
line 
165\n\tMail::SpamAssassin::DBBasedAddrList::remove_entry('Mail::SpamAssassin::DBBasedAddrList=HASH(0xb118eb4)', 
'HASH(0xb10ca64)') called at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/AutoWhitelist.pm line 
135\n\tMail::SpamAssassin::AutoWhitelist::check_address('Mail::SpamAssassin::AutoWhitelist=HASH(0xb33b358)', 
'newslet...@foreclosure.com', 201.122.43.11) called at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/AWL.pm line 
356\n\teval {...} called at 
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/AWL.pm line 
352\n\tMail::SpamAssassin::Plugin::AWL::check_from_in_auto_whitelist('Mail::SpamAssassin::Plugin::AWL=HASH(0xa012814)', 
'Mail::SpamAssassin::PerMsgStatus=H...


This is an example TIMING during the problem. 
   
Jan 12 18:22:51 atl02010303 amavis[25149]: (25149-01) TIMING [total 
29310 ms] - SMTP EHLO: 4 (0%)0, SMTP pre-MAIL: 0 (0%)0, mkdir tempdir: 0 
(0%)0, create email.txt: 0 (0%)0, SMTP pre-DATA-flush: 2 (0%)0, SMTP 
DATA: 77 (0%)0, body_digest: 1 (0%)0, gen_mail_id: 0 (0%)0, mkdir parts: 
0 (0%)0, mime_decode: 12 (0%)0, get-file-type2: 11 (0%)0, 
decompose_part: 1 (0%)0, parts_decode: 0 (0%)0, AV-scan-1: 8 (0%)0, 
spam-wb-list: 2 (0%)0, SA msg read: 1 (0%)0, SA parse: 2 (0%)0, SA 
check: 29062 (99%)100, update_cache: 1 (0%)100, fwd-connect: 4 (0%)100, 
fwd-mail-from: 0 (0%)100, fwd-rcpt-to: 1 (0%)100, write-header: 1 
(0%)100, fwd-data: 1 (0%)100, fwd-data-end: 105 (0%)100, fwd-rundown: 1 
(0%)100, main_log_entry: 9 (0%)100, update_snmp: 1 (0%)100, 
unlink-2-files: 1 (0%)100, rundown: 0 (0%)100


Another example.
   
Jan 12 18:23:21 atl02010303 amavis[25149]: (25149-01-2) TIMING [total 
30040 ms] - SMTP pre-DATA-flush: 1 (0%)0, SMTP DATA: 39 (0%)0, 
body_digest: 1 (0%)0, gen_mail_id: 0 (0%)0, mime_decode: 5 (0%)0, 
get-file-type1: 9 (0%)0, parts_decode: 0 (0%)0, AV-scan-1: 6 (0%)0, 
spam-wb-list: 1 (0%)0, SA msg read: 1 (0%)0, SA parse: 2 (0%)0, SA 
check: 29874 (99%)100, update_cache: 2 (0%)100, post-do_spam: 1 (0%)100, 
fwd-connect: 5 (0%)100, fwd-mail-from: 1 (0%)100, fwd-rcpt-to: 1 
(0%)100, write-header: 1 (0%)100, fwd-data: 1 (0%)100, fwd-data-end: 79 
(0%)100, fwd-rundown: 1 (0%)100, 
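
An added example, not part of the original post: a small Python parser for amavis TIMING lines like the ones quoted above. It rejoins records that were wrapped in transit and reports scans where the "SA check" stage accounts for nearly all of a slow scan. The sample log is constructed from the posted lines, and the 10000 ms and 90% thresholds are assumptions to tune.

```python
import re

# Constructed sample: three records abridged from the TIMING lines quoted
# above (hostname replaced); the second is wrapped across lines the way the
# records are wrapped in the post.
SAMPLE_LOG = """\
Jan 12 18:22:10 mx1 amavis[24952]: (24952-08) TIMING [total 1193 ms] - SMTP DATA: 81 (7%)7, AV-scan-1: 7 (1%)9, SA check: 926 (78%)88, fwd-data-end: 131 (11%)99, rundown: 0 (0%)100
Jan 12 18:22:51 mx1 amavis[25149]: (25149-01) TIMING [total
29310 ms] - SMTP DATA: 77 (0%)0, AV-scan-1: 8 (0%)0, SA
check: 29062 (99%)100, fwd-data-end: 105 (0%)100, rundown: 0 (0%)100
Jan 12 18:23:21 mx1 amavis[25149]: (25149-01-2) TIMING [total 30040 ms] - SMTP DATA: 39 (0%)0, SA check: 29874 (99%)100, fwd-data-end: 79 (0%)100,
"""

SYSLOG_START = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
HEADER = re.compile(r"amavis\[(\d+)\]: \(([\w-]+)\) TIMING \[total (\d+) ms\] - (.*)")
STAGE = re.compile(r"([^,:]+): (\d+) \(\d+%\)\d+")


def unwrap(text):
    """Rejoin syslog records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if SYSLOG_START.match(line):
            records.append(line)
        elif records and line:
            records[-1] += " " + line
    return records


def parse_timing(record):
    """Return pid, message id, total and per-stage milliseconds, or None."""
    m = HEADER.search(record)
    if not m:
        return None
    pid, msg_id, total, body = m.groups()
    stages = {name.strip(): int(ms) for name, ms in STAGE.findall(body)}
    return {"pid": int(pid), "id": msg_id, "total_ms": int(total), "stages": stages}


def slow_sa_checks(text, limit_ms=10000, share=0.9):
    """List (id, total_ms, sa_ms) for slow scans dominated by 'SA check'.

    limit_ms and share are assumed thresholds, not amavis settings.
    """
    hits = []
    for rec in map(parse_timing, unwrap(text)):
        if rec is None:
            continue
        sa_ms = rec["stages"].get("SA check", 0)
        if rec["total_ms"] >= limit_ms and sa_ms >= share * rec["total_ms"]:
            hits.append((rec["id"], rec["total_ms"], sa_ms))
    return hits


if __name__ == "__main__":
    for msg_id, total_ms, sa_ms in slow_sa_checks(SAMPLE_LOG):
        print(f"{msg_id}: SA check {sa_ms} of {total_ms} ms")
```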

Re: SA timeout

2009-01-13 Thread Michael Scheidell
 Hi,
 
 Mail occasionally slows down here and the main issue we see is the very
 long SA checks and SA TIMEOUTS. This forces us to drop the size mail we
 scan and restart Amavis and Spamassassin otherwise the queues will grow
 

Could be SA stuff, could be amavisd stuff.


Some things to check, make sure:

Since 99% of the cpu is taken via 'SA checks', make sure you have the latest
SA (3.2.5), cut down on 'extra rules'.  Double-check the DNS timeouts on
the RBLs.  Make sure that you disable the automatic Bayesian cleanups (and
cronjob them at night).  Use mysql for bayes and awl.

Could be a lot of things.

If 'top' shows a lot of cpu being used, and/or a lot of cache, reduce the
number of amavisd processes started.


-- 
Michael Scheidell, CTO
|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer



_
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_


Re: how to change score of spf

2009-01-13 Thread Kelson

Matus UHLAR - fantomas wrote:

positive SPF results mean NOTHING - any spammer
can register a domain and create SPF for it. Only the *FAILs are useful
since it means someone is (probably) spoofing. Maybe NEUTRAL can indicate
anything, but PASS has non-zero score only because zero score would cause it
not to appear.


More precisely, a positive SPF result *by itself* is not an indicator of 
non-spam.  It can be combined with other data, such as a whitelist of 
domain names, and be quite useful, as in the whitelist_spf and 
whitelist_auth rules.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Temporary 'Replacements' for SaneSecurity

2009-01-13 Thread si
Guys,
 
I'm sure you're as sad as I am re- temporary suspension of the brilliant 
services offered by Steve Basford and his helpers at Sane Security. In a sick 
kind of way, the 'bad guys' are acknowledging the work these guys have done by 
DOSing them, but that doesn't help much with the daily grind.
 
I appreciate that great progress is being made re- getting the service back 
online again, but in the mean time was wondering ... has anyone found anything 
as effective as a temporary replacement or enhancement?
 
Thanks
 
Mup.


  

Re: dccifd check failing after update

2009-01-13 Thread Michael Scheidell
 Anyone have a clue on this one?
 
 [3963] dbg: dcc: dccifd is available: /usr/local/dcc/dccifd
 [3963] dbg: info: entering helper-app run mode
 [3963] dbg: info: leaving helper-app run mode
 [3963] warn: dcc: dccifd - check skipped: Broken pipe
 __brokenpipe__ignore__ at
 /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/DCC.pm line
 471.
 
 This is spamassassin 3.2.5 and DCC 1.3.99.  DCC was just updated.  It
 seems to work on its own (ie: dccproc, etc.).
 
 Any ideas on how to coerce more info about this out of SA?

Did you ever figure out what it was?

-- 
Michael Scheidell, CTO
|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer




Spamd skipping tests

2009-01-13 Thread jberliner

A good percentage of our emails are not getting evaluated by SA's rules. 
qmail + qmail-scanner + Spamassassin 3.25 + ClamAV on FreeBSD. Supervised by
daemontools.

I've started spamd with debugging on, and tinkered with the various child
process values:
#exec spamd  -D -x -u qscand -H /tmp -s /dev/stderr --min-children=4
--max-children=20 --max-conn-per-child=7 --max-spare=8

In the spamd logs, the failure point seems to be right after the content is
parsed and the encoding detected. Immediately after that a properly
processed message in my current config should drop right into dns tests,
followed by the various uri, body, rawbody etc. tests, and so on into bayes and
beyond. But about 10-20% of the messages just drop right into a score of 0,
with all the tests being completely bypassed.

2009-01-13 15:36:56.112174500 [97703] dbg: message:  MIME PARSER START

2009-01-13 15:36:56.112213500 Tue Jan 13 15:36:56 2009 [97703] dbg: message:
 MIME PARSER START 
2009-01-13 15:36:56.112305500 [97703] dbg: message: parsing normal part
2009-01-13 15:36:56.112343500 Tue Jan 13 15:36:56 2009 [97703] dbg: message:
parsing normal part
2009-01-13 15:36:56.112582500 [97703] dbg: message:  MIME PARSER END

20092009-01-13 15:36:56.112620500 Tue Jan 13 15:36:56 2009 [97703] dbg:
message:  MIME PARSER END 
2009-01-13 15:36:56.112997500 [97703] dbg: message: no encoding detected
2009-01-13 15:36:56.113040500 Tue Jan 13 15:36:56 2009 [97703] dbg: message:
no encoding detected
2009-01-13 15:36:56.113750500 [97703] dbg: check: is spam? score=0
required=4.3
2009-01-13 15:36:56.113801500 Tue Jan 13 15:36:56 2009 [97703] dbg: check:
is spam? score=0 required=4.3
2009-01-13 15:36:56.113901500 [97703] dbg: check: tests=
2009-01-13 15:36:56.113935500 Tue Jan 13 15:36:56 2009 [97703] dbg: check:
tests=
2009-01-13 15:36:56.114025500 [97703] dbg: check: subtests=
2009-01-13 15:36:56.114060500 Tue Jan 13 15:36:56 2009 [97703] dbg: check:
subtests=
2009-01-13 15:36:56.116594500 [97703] info: spamd: clean message (0.0/4.3)
for qscand:88 in 0.0 seconds, 2590 bytes.


I have even inserted silly rules that match on any character, or the
character 'e', etc., but when a message is bypassed, *no* rules are
evaluated.

Can anyone give me any possible pointers or things to check? I am at my
wits' end here...I am happy to post a spamassassin -D --lint if that helps.

Thanks - John



Re: how to change score of spf

2009-01-13 Thread Matt Kettler
Nelson Serafica wrote:
 I want to enable spf. AFAIK, it was enabled by default. However, I
 want to change the score. Instead of -0.001, I want it to change to
 -2. So I edit local.cf and put:

 header SPF_PASS eval:check_for_spf_pass()
 describe SPF_PASS   SPF: sender matches SPF record
 score SPF_PASS  -2

 Then I update rules by doing spamassassin -D --lint. The debug says
 there are 1 issues detected. When I check the output of the debug, it
 says:

 [1217] warn: rules: failed to run SPF_PASS test, skipping:
 [1217] warn:  (Can't locate object method check_for_spf_pass via
 package Mail::SpamAssassin::PerMsgStatus at (eval 1248) line 1288.
 [1217] warn: )

 I have 25_spf.cf in my spamassassin default rules
 directory. Does this mean that spf is not really enabled at all?
 Please advise how to enable it if not and what is the proper way to
 change the score if my way is not correct.

 I tried to check Mail::SpamAssassin::PerMsgStatus in
 http://search.cpan.org and it point me to
 Mail-SpamAssassin-3.2.5.tar.gz. However, I'm already using
 SpamAssassin Server version 3.2.5

First, to change a rule score, all you need is a score statement. You do
not need to re-declare the entire rule from scratch, and you're just
wasting space in your local.cf. Also, if the rule is ever upgraded by
sa-update, the copy in local.cf will over-ride it, and downgrade the rule.

Second, it looks like SPF is not enabled on your system, otherwise the
eval would not have errored. Check your .pre files and make sure the
loadplugin statement for SPF is not commented out, and make sure you
have the appropriate supporting SPF libraries installed.

Third, I would *strongly* discourage assigning a significant score to
SPF_PASS.

I strongly support SPF, but people really need to understand its
limitations when using it.

Passing SPF is not a reliable indicator of nonspam. All it does is
verify the sending server was authorized by the controller of the domain
used in the envelope FROM. However, if a spammer controls the domain, he
will obviously approve his own spam sending servers. SPF is completely
self-certified, with no external authorities, so SPF is only as
trustworthy as the domain it is included in.

SPF by itself is only useful in the negative. Failure indicates forgery.
Passing SPF indicates nothing, unless you also trust the domain owner,
but that's a per-domain thing. All you can verify from passing SPF is
that the sending server matches the claims of the domain owner.. but who
is that, and why do you trust them? Now, if you have a particular domain
in mind, things like whitelist_from_spf work well, but that's only
effective because you trust the domain owner to not be a spammer.

Many people confuse passing SPF with being a general-purpose whitelist
criteria. It is not designed for this use, and won't work when used this
way. Many of the more misguided arguments against SPF boil down to folks
who expect that it needs to work as a white tool, and realize it won't
work that way. SPF is a forgery detection technology, which has some
uses in spam detection, but its use as a whitelist has notable limitations.
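
An added example, not part of the thread: a Python check for the mistakes discussed in the message above, namely an SPF plugin line left commented out in a .pre file, a stock rule redeclared in local.cf, and a significant negative score on an SPF pass rule. The rule-name subset, the 0.1 threshold and the partner.example domain are assumptions; whitelist_from_spf is the per-domain form the message names.

```python
import re

# Assumed subset of the rule names shipped in 25_spf.cf; a real check would
# collect them from the installed default rules directory.
STOCK_RULES = {"SPF_PASS", "SPF_FAIL", "SPF_SOFTFAIL", "SPF_NEUTRAL", "SPF_HELO_PASS"}
PASS_RULES = {"SPF_PASS", "SPF_HELO_PASS"}
DEFINING = {"header", "body", "rawbody", "uri", "full", "meta", "describe"}
LOADPLUGIN = re.compile(r"^\s*loadplugin\s+Mail::SpamAssassin::Plugin::SPF\b")

# Constructed inputs: the first three local.cf lines are the ones from the
# question; the last two are a score-only override and a per-domain entry.
SAMPLE_PRE = "# loadplugin Mail::SpamAssassin::Plugin::SPF\n"
SAMPLE_LOCAL_CF = """\
header SPF_PASS eval:check_for_spf_pass()
describe SPF_PASS   SPF: sender matches SPF record
score SPF_PASS  -2
score SPF_FAIL 2.5
whitelist_from_spf *@partner.example
"""


def spf_plugin_enabled(pre_text):
    """True if some line loads the SPF plugin and is not commented out."""
    return any(LOADPLUGIN.match(line) for line in pre_text.splitlines())


def lint_local_cf(text, max_pass_bonus=0.1):
    """Return (line number, finding, rule) tuples.

    max_pass_bonus is an assumed limit on how negative a pass rule may score.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # naive comment stripping
        if len(parts) < 2:
            continue
        keyword, rule = parts[0], parts[1]
        if keyword in DEFINING and rule in STOCK_RULES:
            findings.append((lineno, "redefines-stock-rule", rule))
        elif keyword == "score" and rule in PASS_RULES:
            try:
                values = [float(v) for v in parts[2:]]
            except ValueError:
                continue  # relative "(n)" scores are out of scope here
            if values and min(values) < -max_pass_bonus:
                findings.append((lineno, "pass-used-as-whitelist", rule))
    return findings


if __name__ == "__main__":
    print("SPF plugin loaded:", spf_plugin_enabled(SAMPLE_PRE))
    for finding in lint_local_cf(SAMPLE_LOCAL_CF):
        print(finding)
```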






RE: Spamd skipping tests

2009-01-13 Thread RobertH

 Can anyone give me any possible pointers or things to check? 
 I am at my wits' end here...I am happy to post a spamassassin 
 -D --lint if that helps.
 
 Thanks - John

john

basically it all depends on the qmail-scanner config and it can be semi
complex and may not be correct in terms of if you reject over certain score
or if you have other scanning functions happening before calling SA, like
clamav etc etc

also, the message could be too big and bypassed, and that is controlled in
more than one place if i remember right.

we disable clamav in qmail-scanner and use the clamav plugin, yet we also
reject at or above a certain score in the smtp session too.

we do not use the newest qmail-scanner either, and the one we use is the
special patched one, ummm 1.25-st or something like that

 - rh