[sniffer] Re: SNF4SA - Message Sniffer Antispam Plugin for SpamAssassin

2009-05-15 Thread Dan Horne
Sorry, forgot to CC all:

No the weight=1 issue is not yet resolved.  In fact, I have been able to
determine that snf4sa is actually querying snfserver properly.  I
removed the old plugin so only snf4sa is loaded by SA.  I then tailed
the sniffer log and see items like this continuing to scroll by:

<s u='20090515130114' m='/tmp/snf4sa/dL5Q6vQZ9G' s='52' r='2266218'>
<m s='52' r='2266218' i='906' e='949' f='m'/>
<p s='0' t='44' l='65536' d='56'/>
<g o='0' i='67.23.34.175' t='u' c='0.936317' p='-0.0474465' r='Normal'/>
</s>

Note the path to the temp file /tmp/snf4sa/
That tells me that everything is working properly except the returning
of the score to SA.

I have tried running test messages through SA manually and the SNF4SA
headers get inserted properly, but I haven't yet run through a message
that sniffer identified as spam.  I will attempt to get one of those and
run it through SA manually to see if SNF4SA returns the correct weight
when it identifies the spam.

I will also join the amavisd-new list and see if anyone there can shed
some light.

Dan Horne
TAIS
Director of Operations
www.taisweb.net
supp...@taisweb.net 
828.252.TAIS (8247)


 -----Original Message-----
 From: Pete McNeil [mailto:madscient...@armresearch.com]
 Sent: Thursday, May 14, 2009 6:27 PM
 To: Alban Deniz
 Cc: Dan Horne
 Subject: Re: [sniffer] Re: SNF4SA - Message Sniffer Antispam Plugin for SpamAssassin
 
 Alban Deniz wrote:
 
 <snip/>
   1) I'll look at the SA3 and SNF4SA plugins to see if I can determine the
   reason for the timeout, and a solution. Pete mentioned that one major
   difference is that SNF4SA uses a TCP connection to communicate with
   SNFServer, while SA3 uses SNFClient.
 
 
  The only possibility I can think of is that the snf4sa plugin doesn't
  wait long enough when running under amavisd-new. The timeout in snf4sa
  is set to 1 second, which is long enough when snf4sa is run by the
  spamassassin command line. It might not be long enough when running
  under amavisd-new. I don't think this is the problem. However, if you
  don't mind trying a longer timeout, here's how to change it: Edit
  snf4sa.pm, changing line 72 from
 
 
  $self->{SNF_Timeout} = 1;
 
 
  to
 
 
  $self->{SNF_Timeout} = 10;
 
 
  Of course, a 10 second delay to process an email is unacceptable; this
  would simply point us in the right direction. Please let me know if
  you can try this.
 Hey guys...
 
 The timeout used in the SNFClient is on the order of 30 seconds--- 10 to
 get a connection, 20 more to get an answer. When a system is busy it can
 take a few seconds for other requests that have already started to be
 processed. The overall throughput is much higher than the individual
 message timeout may suggest.
 
 I recommend allowing at least 10 seconds -- though 30 might be more
 appropriate.
 
 Note also that I've seen SA itself take as long as 10-15 seconds to
 process a message (depending on conditions) and it is roughly nominal to
 see it take 1 - 3 seconds per message in many configurations. SNF is
 usually much quicker -- but we can't make assumptions about what else
 may be happening on the system at any moment -- especially during
 start-up conditions where incoming messages might be queued elsewhere
 and ready to cause a rush.
 
 Also -- isn't it reasonable that if SNF4SA does time out it should
 provide a 0 weight instead of 1 ??
 
 Is that issue resolved?
 
 Thanks for keeping me in the loop.
 
 _M
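
The timeout behaviour discussed in this thread, as an added example that is not part of the original messages or of the SNF4SA plugin: a Python sketch with separate connect and answer timeouts (10 s and 20 s, the SNFClient figures quoted above) that scores 0 when no answer arrives. The stub server, its one-line request/reply format, the function names and the 6.0 spam weight are assumptions for illustration, not SNFServer's real protocol.

```python
import socket
import threading
import time

SPAM_WEIGHT = 6.0  # assumed weight for a nonzero result code

def stub_scanner(delay, reply=b"62\n"):
    """Constructed stand-in for a scanner daemon: one reply after `delay` seconds."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # any free local port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            time.sleep(delay)  # simulate a busy system
            try:
                conn.sendall(reply)
            except OSError:
                pass  # client already gave up
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def scan(port, path, connect_timeout=10.0, answer_timeout=20.0):
    """Return (result_code, weight, status); any failure scores 0.0, never 1."""
    try:
        with socket.create_connection(("127.0.0.1", port), connect_timeout) as s:
            s.settimeout(answer_timeout)  # separate budget for the answer
            s.sendall(path.encode() + b"\n")
            data = s.recv(64).strip()
    except OSError as exc:  # socket.timeout is a subclass of OSError
        status = "timeout" if isinstance(exc, socket.timeout) else "error"
        return None, 0.0, status
    if not data.isdigit():
        return None, 0.0, "bad answer"
    code = int(data)
    return code, (SPAM_WEIGHT if code else 0.0), "ok"

if __name__ == "__main__":
    print(scan(stub_scanner(0.0), "/tmp/snf4sa/sample", answer_timeout=2.0))
    print(scan(stub_scanner(1.0), "/tmp/snf4sa/sample", answer_timeout=0.2))
```

Returning the status alongside the weight lets the caller log a timeout separately from a clean verdict, so a scanner that stops answering does not go unnoticed.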






[sniffer] Re: SNF4SA - Message Sniffer Antispam Plugin for SpamAssassin

2009-05-15 Thread Dan Horne
OK, I found a message that Sniffer identified as spam and ran it through
SA manually and following are results:

[mail:/home/vmail/taisweb.net/archive_received/Maildir] 9:22am# spamassassin --siteconfigpath=/usr/local/etc/mail/spamassassin -x -t .jlee/new/1237155804.M27154P10624V005CI0051B175_0.mail.taisweb.net,S=3981
Return-Path: sys...@blogsuccess.com
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on mail.taisweb.net
X-Spam-GBUdb-Analysis:  2, 67.131.25.27, Ugly c=0 p=0 Source New
X-Spam-Status: No, score=-1.8 required=5.0 tests=HABEAS_ACCREDITED_COI,SNF4SA,
    URIBL_GREY autolearn=disabled version=3.2.1
X-Spam-SNF-Result: 62 (Obfuscation Techniques)
X-Spam-DCC: CollegeOfNewCaledonia: mail.taisweb.net 1189; Body=1 Fuz1=1 Fuz2=1
X-Spam-Level: 
X-Spam-MessageSniffer-Rules: 
62-469556-2307-2317-m
62-469556-4261-4271-m
62-469556-0-5994-f
X-Spam-MessageSniffer-Scan-Result: 
X-Original-To: archive_received+j...@taisweb.net
Delivered-To: archive_received+j...@taisweb.net
Received: from localhost (localhost.taisweb.net [127.0.0.1])
by mail.taisweb.net (Postfix) with ESMTP id D7B292B2C87
for j...@taisweb.net; Sun, 15 Mar 2009 18:23:23 -0400 (EDT)
X-Virus-Scanned: amavisd-new at taisweb.net
Received: from mx1.rmslink.net (mx1.rmslink.net [68.118.154.10])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.taisweb.net (Postfix) with ESMTP id 65A522B2C92
for j...@taisweb.net; Sun, 15 Mar 2009 18:23:20 -0400 (EDT)
Received: from platinum-smtp.infusionsoft.com
(blogsuccess.platinum-smtp.infusionsoft.com [67.131.25.27])
by mx1.rmslink.net (Postfix) with ESMTP id 1EBDC39824
for j...@taisweb.net; Sun, 15 Mar 2009 18:23:19 -0400 (EDT)
Received: from gil (unknown [10.3.0.124])
by smtp29.infusionsoft.com (Postfix) with ESMTP id 1B41B20841874
for j...@taisweb.net; Sun, 15 Mar 2009 18:23:19 -0400 (EDT)
Date: Sun, 15 Mar 2009 18:23:19 -0400 (EDT)
From: Jack Humphrey listrespo...@blogsuccess.com
Sender: sys...@blogsuccess.com
To: j...@taisweb.net
Message-ID: 1429329783.1408551237155799111.javamail.tom...@gil
Subject: J, this is BIG news!
Errors-To: sys...@blogsuccess.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
BatchId: 27269
X-BatchId: 27269
X-campaignid: infusion_blogsuccess27269
X-InfApp: blogsuccess
X-BBounce: blogsuccess_3812781
X-InfContact: 235195
X-InfSent: 3812781
Package: platinum
X-inf-package: platinum
X-inf-source: MailBatchFulfillRequest
X-MinStatusFlags: Double Opt-In
X-MaxStatusFlags: Double Opt-In
X-inf-uflags: Double Opt-In
X-inf-iflags: Double Opt-In
X-Virus-Scanned: ClamAV 0.94.2/9110/Sun Mar 15 01:06:44 2009 on
mx1.rmslink.net
X-Virus-Status: Clean

[SNIP.../]

Content preview:  J, I have some news to share with you. Some BIG news Mike
  Filsaime has announced that he is GIVING AWAY 5000 Home Study courses of
  Butterfly Marketing. [...]

Content analysis details:   (-1.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-8.0 HABEAS_ACCREDITED_COI  RBL: Habeas Accredited Confirmed Opt-In or Better
                            [67.131.25.27 listed in sa-accredit.habeas.com]
 6.0 SNF4SA                 Message Sniffer
 0.2 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: infusionsoft.com]

So the SNF4SA plugin is correctly returning the weight when run manually
through SA.  I will report this to the amavisd-new list to see if anyone
has any ideas.


Dan Horne
TAIS
Director of Operations
www.taisweb.net
supp...@taisweb.net 
828.252.TAIS (8247)

