From: Balzi Andrea
snippers
I've tried it, but now I have the following usage:
Tasks: 83 total, 2 running, 81 sleeping, 0 stopped, 0 zombie
Cpu0 : 0.0% user, 1.3% system, 1.7% nice, 97.0% idle
Cpu1 : 0.0% user, 1.3% system, 0.0% nice, 98.7% idle
Cpu2 : 0.0% user,
One of the problems now with bayes is that image spam is causing bayes
to be useless. We need a new plan to avoid bayes poisoning. Poisoning is
caused when messages are learned where the text of the message is a
nonspam type text and the spam is in the image.
Bayes needs to be smarter
tflags FUZZY_OCR noautolearn
Is this something we can do now that works?
Do we put this in any .cf file or a particular one?
- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
Just looked over the bug fix list for 3.1.6 and it doesn't seem
like anything *major* that would suggest that I should make the leap. I'm
right now running 3.1.5 on my box. Is there other improvements, such as
rules and the like, that would make this a preferable upgrade? Or
Blame the plaintiffs, blame what some might consider to be
less-than-stellar legal advice given Spamhaus, but don't blame the
court for following the law.
--
Best regards,
Robert Braver
Why blame the plaintiffs?
Fortunately or unfortunately as the case may be, law is subject to
Someone want to explain Greylisting?
Here is an example that references a coupla websites
http://qmail.jms1.net/scripts/jgreylist.shtml
- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
It appears that my email address is now being used as a from address in
many spam emails to many addresses. Over the past week, I have gotten 150+
postmaster: mail delivery failure -each day-.
Does anyone have suggestions on how to handle this? They're all
semi-standard 'delivery failure'
Uh. Yeah. Is it just me, or are all the dumb answers coming up today?
Or, perhaps, run spamassassin and don't worry about changing your e-mail
constantly? Duh?
--
Jo Rhett
Network/Software Engineer
Net Consonance
It's you Jo.
Yet we apologize Jo, we are all having a really
I need some help here..
Last Mon, Tues Wed I had severe inflow of spam, always at 12.30p EST, Wed
it didn't stop till almost 5p. The server seems to not be very cooperative
when the queue grows over 200 or so.
I have max child set to 15 (up from 5) and not sure what else I can offer
Okay, I'll answer.
I am convinced that spam (in all its forms) will continue to be a
problem until spammers start dying for what they are doing. That will
change the risk/benefit analysis rather strongly towards the negative.
--
John Hardin KA7OHZ ICQ#15735746
I reviewed greylisting as a solution in the past, we couldn't accept it due to
delay and I also read not all email servers will resend properly. So there is a
chance few legitimate emails will never get redelivered. When you are running
a business shop, such delays or exceptions
It's also a good trick to cause a denial of service.
Regards,
-sm
Maybe... under extremely special circumstances, yet more realistically not.
Well programmed software can rate limit itself when things look hokey...
- rh
--
Robert - Abba Communications
Computer Internet Services
What it looks like to me is a way of blacklisting competition to try to
steer business their way. The only way to get off their lists is to pay
them money. It looks more like extortion to me.
Marc
After reading their EN website, http://www.uceprotect.net/en/
...maybe you could be the one
Right. And rate limiting limits the real service. Thus, you have ...
oh yeah, DENIAL OF SERVICE.
THINK! It's not hard.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Don't assume Jo.
You do not know specifically what I was talking about rate limiting and why
or how.
We
Um, yes. Well, I've seen it DoSed by just attempts to deliver to an
address that doesn't exist. User not found after RCPT TO is the exact
same traffic load. That was very modern hardware, and it happened just
a few weeks ago.
Think about it. It doesn't require you to stretch your brain
Yes, I know. I'm actually one of the supertechs you refer to. Er, at
least top of the food chain in that regard :-)
Law enforcement in Santa Clara is excellent, but they have to focus on
the big fish. This is small stuff to them. It's also just small enough
to fall under the radar of
I don't use rulesdujour because it seems like too much hackery.
sa-update (included with spamassassin) does it all very cleanly, and is
supported by the team. (sa-update is newer than rdj, so it's not really
rdj's fault)
Frankly, I subscribed to almost every single ruleset on the
My incoming servers know literally nothing about which users have valid
addresses and which do not. All these servers do is accept or reject
inbound mail based on a (long) list of SMTP-level rules and forward the
messages that are accepted to another machine for SA and virus scanning.
If
This is a personal colo box with very light load. 1gb of memory and
an AMD XP1800+ processor... old, old technology.
The daemons are consistently around 70mb apiece, and there are
usually 5-7 running. Low limit is 2, upper limit is 10.
Load average is always 0 across the board. This
Hi,
explain to your customers that giving you a list of mail accounts is
beneficial to them
Wolfgang Hamann
I see your point yet...
What specific kind of customers?
If it is part of your policy and procedure from start to finish it shouldn't
be a big deal...
Meaning, if they are
This is the whole point. If the message hasn't been Received: by a local
server, it is by definition not in your network.
By feeding messages to SA without a local Received: header, you are
explicitly telling SA that the message is still in some other network,
not yours. So what's SA
Plussed addressing helps here. I hate web forms that refuse to let me put a
plus sign in my email address. (Typically a result of over-zealous input
filtering.)
I probably subscribe to 100 lists. Re-subscribing them all every time a
subscribed address was spammed would be murder.
Well, ya
Greetings
I pulled down a large subset of all the sare filters today on a test mail
server...
-rw-r--r-- 1 root root 53868 Apr 20 02:00 70_sare_adult.cf
-rw-r--r-- 1 root root 3839 Jun 1 2005 70_sare_bayes_poison_nxm.cf
-rw-r--r-- 1 root root 24298 Oct 5 2005 70_sare_evilnum0.cf
When you folks are adding, deleting or updating spamassassin .cf files...
After the changes are implemented and you have --lint do you folks shutdown
your main SMTP process before you run something like
/etc/init.d/spamassassin restart
And then bring back up your smtp?
Or do you just restart
It depends from your MTA + SA setup.
I use postfix + amavis + SA. Postfix is configured to pre- and post-queue
messages around amavis. Postfix and amavis comm by inet/unix socks. SA is
run embedded into amavis.
As a result, these confs allow restarting amavis (cf.: SA) without losing
Actually, by definition they are supposed to match A to PTR and PTR to A.
Just because everyone doesn't do it perfectly does not mean it is correct to
not do reverse DNS or to not do it correctly.
There are variations on best practices. Oh well...
RFC 1123 says you should not reject based
This suggestion has been superseded, or perhaps better elucidated, by
later RFC's, particularly RFC 2181, section 10.2.
Nowadays many of us have reverse-DNS delegation in place since as an
end-user we have no control over the in-addr.arpa records for our
particular IP subnet. For
RFC 1123 says you should not reject based upon HELO
Bah. If some machine I don't control tries to HELO
whatever.impsec.org I'm absolutely going to tell them to go away.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
what program is doing the rejection
If you are having problems with memory after downloading the rules,
you just need to be careful that you use the right ones. Read the
descriptions of the rules carefully and only use the ones that you
think would be useful. Any time you add more rules, the spamd
children will take up more
From: Benny Pedersen
i have changed bayes scores to catch most spam here, and changed threshold to
learn spam / ham with less range so it more accurate and prevents bayes
poison on the same time, just have them at scores so spam is still
autolearned, and ham is still autolearned, check
Greetings,
If anyone on the list is using latest SA, clamav qmail-scanner with the
Qmail MTA can you please hit me with an email offlist?
I will be glad to share a synopsis of what I am trying to find out and
implement once I get there with this list.
I haven't been able to find it anywhere
On a certain box we ran a successful current sa-update
Later on, I went back and ran
sa-update -D
in it was this
[7317] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[7317] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[7317] dbg: diag: module
Like a text-file based (it's not a security hole?!) or a ldap-replica on
mail-server?
I'm searching for more examples and other ideas and find this patch for
qmail:
http://qmail.jms1.net/patches/validrcptto.cdb.shtml
I don't know if this patch is really necessary.. but it's a suggestion
On spamhaus or spamcop? This thread is getting confusing. Personally I
drop on a spamhaus sbl-xbl hit at the smtp point. To date I've not had
a complaint/problem. Though my userbase is pretty static in
send/receives.
I don't have much faith in spamcop.
Nigel
Are you saying that you do
Hopefully this hasn't been rehashed to death on this list yet has there ever
been a general consensus as to which rbl's and similar lists are best to use
if you are going to engineer your mail systems with such?
Anyone care to share their implementations as well as current best and worst
When looking up required_score info, as most know, it say that the default
is 5.0 and that it is considered aggressive in various circumstances
Used to be called required_hits
When I first started using SA I was told that as an ISP going in the 4.0
range give or take a little was an excellent
Is there a URL on the net where one can go and enter an email address and
that server will send a known SA count or random very spammy email to that
address to test for various things like SA markup or SA markup total or even
smtp rejection and verification based upon SA markup etc?
Thanks
-
You have a yahoo account? Send yourself a gtube message:
http://spamassassin.apache.org/gtube/
or even smtp rejection and verification based upon SA markup etc?
Well, considering spamassassin cannot reject messages, that's up to
your MTA.
But see above.
Thanks for the info.
I
Those of you that have some good data can you please share some excellent
numbers that you base your SMTP rejection based on SA scores and otherwise
please?
All I have here are SA averages and I'm not quite sure that is the right
vector to base the rejection scores on.
Thanks in advance.
- rh
Dec 12 12:16:30 ga : Initial Connect - tarpitting: 124.240.124.222 14526 - x.x.x.x 25 *
snip
Dec 12 16:19:20 ga : Persist Activity: 124.240.124.222 14526 - x.x.x.x 25 *
Three spambot threads stuck for *hours*!
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
You didn't read what I actually said.
I didn't say the domain didn't look right. I said the IP address
registration didn't look right.
nslookup ebay.com
Name: ebay.com
Address: 66.135.192.87
whois 66.135.192.87
OrgName:eBay, Inc
OrgID: EBAY
Address:
With all due respect to all involved.
Is sa-update broken or is this just a prolonged and poorly thought up global
name for a thread?
- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
No.
But it does work better if you install all needed dependencies and
follow the instructions. Without dependencies it doesn't run (who
would have guessed?), and without following the instructions the
result may not be what you expected.
-thh
Thanks, the context of my question was
Recently there was a thread on BAYES_00 and how folks were considering or
changing the score on this etc
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.]
I've searched and cannot locate it (the thread) somehow.
Can someone help
I changed my ham script to:
nice -n15 sa-learn -L --ham --no-rebuild --single | spamassassin -d
This did not work.
Why on earth are there two different functions for the letter d in
spamassassin?
Meaning
spamassassin -D
spamassassin -d
do or are associate with two different
No, your SA won't be broken. IIRC SA won't apply anything if there's a
failure. At least my SA is still running fine here after my attempted
update this morning. I didn't restart after the failure so in theory
at least SA should still be running off the old set even if the new
set did cause
Greetings
Seeking some list wisdom please?
We have some well functioning boxes running SA out there
Most run RHEL 4 or CentOS 4
I am wondering where to go to find out specifically for each perl module if
we have the latest greatest and most stable version(s) etc
Please note the sa-update
So how did you install in the first place?
Yes, installing these would cause them to start working.
I recommend installing using CPAN, as it is portable, reliable,
picks up its prerequisites very well and you are not dependent
on some Distro specific packager.
If you have the latest
Design and engineering?
You want Spamassassin to work or not? You install what it
needs.
What does that have to do with engineering?
If you start managing library installation on a library by library
basis you are opening a can of worms. You select the packages
you need to get the
Greetings
My SA 3.1.7 installs run as user spamd
My /home/spamd/.spamassassin directory looks like this
-rw--- 1 spamd spamd 5210112 Jan 21 14:25 auto-whitelist
-rw--- 1 spamd spamd 60864 Jan 21 14:25 bayes_journal
-rw--- 1 spamd spamd 2711552 Jan 21 14:18 bayes_seen
-rw---
Maybe interesting for those that use dynablock.njabl.org (as I do at the
MTA-level).
Got an email last friday from njabl about dynablock.njabl.org, it's no
longer maintained by njabl but is now only a copy of the pbl.spamhaus.org
list. Eventually the dynablock.njabl.org zone will be
We are using 3.17 on this particular server
In reading the docs on autowhitelist it told me about v310.pre and this
setting
# AWL - do auto-whitelist checks
#
loadplugin Mail::SpamAssassin::Plugin::AWL
do I need to comment out this below in the v310.pre or leave it alone and
add the below
I only found one reference to this error searching the net
Use of uninitialized value in string eq at /etc/mail/spamassassin/Botnet.pm
line 564, GEN16 line 7
This appears to be the line of code in Botnet.pm although I could be wrong
Mail::SpamAssassin::Plugin::dbg(Botnet: miss ( . $tests
From: night duke
Hi i'm trying to use spamassassin with qmail but i was unable to use them
together.
Anyone can help me?.
Thanks.
Until you get to know it well this can and will help
http://www.qmailrocks.org/
I guess the bottom line is what are qmail folks doing for training?
I had never thought about it before yet I haven't had the need to sa-learn
anything until recently
When processing using sa-learn in a qmail Maildir should one use an
options below
--mboxInput
From: Theo
(note: I don't use qmail)
maildir is typically one file per message in a directory. In that situation,
just pointing at the directory would be appropriate, sa-learn will use all
messages in the directory.
Yup.
That's why I figure that going to the appropriate
Is it ok to sa-learn train forwarded messages that end up in my local
account mailboxes from accounts on remote servers (out of my admin control)
that are spam?
- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
By fred rules, do you mean by Fred Tarasevicius
Which specific fred rules are the best by experience?
Thanks!
- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
I'd use 00_FVGT_File001.cf which is a new file Fred. This combines a
lot of his older 88_FVGT* cf files into one.
--
-Doc
Thanks, if anyone out there running some or a lot of the FRED rules with a
lot of success or should we only run certain ones in general
Bottom line is, I
My rules are very aggressive, but they can and possibly will cause
FP's!! As soon as 3.2 is released, those rules of mine that survive
the rescoring and mass-check runs will be included in the stock rules!
Frederic Tarasevicius
Good lookin' out Frederic
Will you please keep us posted
Apologies for not finding it in my searching yet...
I think it is my sometimers kickin' in... ;-
I am looking for info on the granularity knob control for number of extra
spamd daemons on startup.
...AND if one has enough processors and ram memory, how to know how many
extra to have
Can anyone comment on the true importance of this command and option below?
sa-learn --sync
my simple research is telling me that if you don't do this at some regular
interval, that your training isn't fully put into action when journaling
starts.
I haven't found much mention of it on the www
I didn't quite parse that. But man sa-learn, it has many an informational
statement about how it all works.
In short, by default, it stores token timestamp updates. Whenever the journal
goes over a certain size, SA will automatically sync it for you.
Thank you Theo and Matt for the
If a person was logged in as user spamd
And was in the /home/spamd directory and accidentally did this command
sa-learn --spam --showdots *
would sa-learn actually do anything and fry the spamassassin database?
I know it will try, yet will it succeed at anything in this accident?
Or?
- rh
I don't know about fry the DB, but sa-learn will happily attempt to learn
from whatever files/directories matched '*'. Likely, it'll see them all as
messages w/ no headers, so a lot of body tokens.
The question of course is, does this matter, which is hard to say. If the
tokens are
In the circumstance of using sa-learn
Is it ok to have
sa-learn --spam --showdots *
sa-learn --ham --showdots *
running as two different processes on two different datasets at the same
time with SA 3.1.7 ?
or is it better to do serially ?
- rh
--
Robert - Abba Communications
Computer
If you're using a DBM file (as opposed to SQL), you can only have 1 process
writing the DB at any given point. So you can run both commands, but one of
them will be sitting there waiting for the write lock until the other one is
done.
I'd probably just specify both ham and spam sets
There's a couple of ways, but a simple one is:
sa-learn --ham ... --spam ...
where ... are the files you want to learn.
I see
I take it you have done this...
And one can use wildcards doing this without problem?
- rh
--
Robert - Abba Communications
Computer Internet Services
I looked briefly at the changelog info
I was wondering, are there any external rulesets that we should not use or
change out of from 3.17 to 3.18 upgrade because some of the external rules
were pulled into SA?
Thanks and kind regards
- rh
--
Robert
May I ask...
Why is this thread named as such?
Does Google help fund SA efforts in one or multiple ways?
If so, may I ask how or directions to already posted docs on it?
- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
Yes, if you Google for Google Summer of Code+spamassassin
you'll get a bunch of relevant hits. ;)
For example, check out:
http://wiki.apache.org/spamassassin/SummerOfCode2006
Thank you
I was hoping for meaningful and relevant info from someone of authority and
in the know from the SA
1) are you using bayes_path ?
2) have you set bayes_file_mode 0777 in your local.cf?
If you use bayes_path in a multi-user environment, you *MUST* set
bayes_file_mode 0777 in local.cf.
Also, make sure that /var/.spamassassin has world rwx privileges.
Doesn't this create a potential
However, all blackberry messages also hit base64 text and excess
base64 which puts them right on the edge. Anything that hits any
other rule will cause a problem.
And frankly I disagree with the logic that rules that hit wrongly
shouldn't be fixed unless it raises the score about 5.0.
It's very simple. Tag messages above your soft limit and put them in a
different folder. Check the folder periodically for false positives.
Try to identify why they are FP.
Look carefully at all of your normal mail, and confirm where it normally
scores.
Lower your score limit to the
Hm. Your experience differs from mine. I tried using bayes, spent
hundreds of hours training bayes with lots of good mail from
archives, and lots of bad mail, and never got better than .5% (point-
five or .005) difference in spam detection. So we stopped using it.
In comparison, we've
Greetings
I have stable long term SA setups integrated with qmail-scanner-queue.pl
The way I have it setup, I have qmail-scanner-queue.pl take the incoming
mail and hand it to SA 3.1.8 for scoring.
If the score is equal to or above a certain number it does an SMTP
rejection.
In this setup we
F: Theo Van Dinter
No. Especially not for a maintenance release upgrade
(major.minor.maintenance).
Hm
Will we need to retrain for the upcoming 3.2.0 ?
I'm not sure if that is considered major or not
--
Robert - Abba Communications
http://www.abbacomm.net/
127/8 is now always trusted.
Remove that trusted_networks 127/8 line and all should be well.
Phil
Are you saying we should remove the entry 127.0.0.1 from the
trusted_networks ?
What about if in the internal_networks entry ?
Is this for 3.2.0 only or is it in 3.1.8 too?
Isn't this
I have upgraded spamassassin from 3.1.7 to 3.1.8 and have an easy
question,
When I look at the headers it still shows that Spamassassin 3.1.7 is
installed / running
Why is that? I did the following -- downloaded Mail-SpamassAssin-
3.1.8.tar.gz and installed
by perl Makefile.PL / make /
I've just spotted a major flaw then that's going to hit me when this
changes.
Not being an ISP, I have no idea what my users' IP addresses are at any
given time. They authenticate when using SMTP so that I will accept and
forward the mail but may well be using an ISP dial-up or DSL
Dean Manners said:
sa-learn --clear
Make sure you have a ham/spam pile ready to re-train your db's after
clearing.
Hmm so if someone does this
sa-learn --clear
Q: when that command is completed, should one restart SA or are we good to
go immediately after for training etc?
- rh
Are you sure of this? Have you also trained these ham messages to
counter this effect? Not too long ago we were in the same situation.
I have autolearn enabled but I have adjusted the thresholds to avoid
This is quite possible. I have heard other stories of people using
things
+1
If Marc is bouncing spams, even when domains who refuse to play the SAV
game are involved, he's being even more abusive than I had thought.
Daryl
I'm confused, Rick said he was rejecting in the smtp session above a certain
score too...
Bounce, reject... etc...
Are you talking
Greeting,
Can lines be combined in a situation like this...
whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com whitelist_from_rcvd
[EMAIL PROTECTED] hisotherdomain.com
does this work or should this be done?
can they be combined into one statement or should they be separate?
Any other tips
Matt Kettler wrote:
Separate.
*snip*
In general, for options that you can do many of on one line, you only
put the option name itself once, you don't repeat it.
Thanks
What I was getting at is what if there are multiple sending hosts...
Obviously the thing that changed was the last
Greetings,
I would appreciate it if the list admins would make it so that mistake
(emails with wrong sending email address) would bounce instead of being
allowed to make it to the list please?
Comments?
-rh
--
Abba Communications Internet
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net
Jason wrote:
Thanks Jim and John, that helps a lot. I'm glad that qmail is like this
by default because otherwise my setup would be to blame. :) I'm using
qmail to handle incoming and outgoing mail for my domain but using a
very old lan based mail server to actually deliver mail to our users
Any recipe recommendations?
--
Doc,
Score the rule high and reject the email before accepted.
We do it in some of our installations using a patched older version of
qmail-scanner-queue.pl
If you need more website references, hit me off list...
- rh
--
Abba Communications Internet
You use sendmail.
http://www.google.com/search?hl=enq=reject+spam+during+sendmail+smtp+session+for+spamassassin+scoring
http://wiki.apache.org/spamassassin/DeletingAllMailsMarkedSpam
http://wiki.apache.org/spamassassin/IntegratedInMta
We use qmail, specific qmail patches, ClamAV,