Re: Question about a custom rule
rawbody LR_IMAGE_TAGGED_ASP =~ /\img width\=1 height\=1 src\=.*\.asp.*/i

There are a couple of things to consider here. The first is that rawbody only gives the rule a single physical line of the message, so if the target you are looking for spans lines the rule will never hit. If your target is most always on a single line you will be ok with rawbody. Sometimes you can get around this using 'full' instead of rawbody; but full messages won't be base64 and suchlike decoded.

You don't need the backslash before the = sign, but it won't hurt.

The area after src= is potentially of concern, both for efficiency and possible false positives. Looking for .* is almost always a bad idea, since this can take forever in certain cases based on the incoming message format. You would be better off limiting the size of the search: src=.{15,36}, for instance. Even better would be to limit what you are searching for. This is probably a cid or url, so will have a limited character set. Perhaps something like src=(?:cid:|http:\/\/)[\w\.\-]{10,40} to get past the first part.

The check for the asp suffix itself is a little dangerous as you have it coded. It will hit on .asp followed by anything: .asppy, for instance. Since what you want is at the end of the url or file name, you really don't want another word-character showing up after the asp. Also, you really don't care what else might show up after that (other than not being a word character) so .* at the end of the re buys you nothing except another time sink. A better choice might be \.asp\b or \.asp\W. These will insure that you have asp with a non-word character after it. Of course, you would also like to be sure there isn't a dot after it; ie: it really is the end of the name. So \.asp[^\.\w] might be a good choice.

Putting it all together, you might end up with something like

/\img width\=1\sheight\=1\ssrc\=[\'\]?[\w\.]{5,40}\.asp[^\w\.]/i

The \s will allow any number of spaces (or tabs) between the elements, and there is also a conditional check to allow some sort of quoting around the file name.

Loren
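Added example (not part of the original post): the original rule and the tightened rule, rendered as Python `re` patterns and run one line at a time over constructed sample lines, the way the post describes rawbody matching. The leading `<`, the double quote in the character class, the sample lines and the third "lookahead" variant are assumptions of this example.

```python
import re

# Python renderings of the two rules from the post. Assumptions: the tag
# opens with "<img" and the quote class allows both ' and ".
ORIGINAL = re.compile(r"<img width=1 height=1 src=.*\.asp.*", re.I)
TIGHTENED = re.compile(
    r"<img width=1\sheight=1\ssrc=['\"]?[\w.]{5,40}\.asp[^\w.]", re.I)
# Added variant, not from the post: a negative lookahead rejects the same
# trailing characters but also accepts ".asp" as the last thing on the line.
LOOKAHEAD = re.compile(
    r"<img width=1\sheight=1\ssrc=['\"]?[\w.]{5,40}\.asp(?![\w.])", re.I)

RULES = {"original": ORIGINAL, "tightened": TIGHTENED, "lookahead": LOOKAHEAD}

# Constructed sample lines (no trailing newline), one physical line each.
SAMPLE_LINES = [
    '<img width=1 height=1 src="pixel01.asp?id=42">',   # 0: tracking pixel
    '<img width=1 height=1 src="pixel01.asppy">',       # 1: .asp + word chars
    '<img width=1 height=1 src="pixel01.asp.bak">',     # 2: .asp + dot
    '<img width=1 height=1',                            # 3: tag split over
    'src="pixel01.asp">',                               # 4: two lines
    '<img width=1 height=1 src=pixel01.asp',            # 5: line ends at .asp
    "<IMG WIDTH=1 HEIGHT=1 SRC='beacon.ASP'>",          # 6: upper case, ' quote
    '<img width=1 height=1 src="spacer.gif">',          # 7: ordinary image
]


def matching_lines(pattern, lines):
    """Indices of the lines a pattern hits when each line is tested alone."""
    return [i for i, line in enumerate(lines) if pattern.search(line)]


def compare(lines=SAMPLE_LINES):
    """Map each rule name to the list of sample-line indices it hits."""
    return {name: matching_lines(p, lines) for name, p in RULES.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:10s} hits lines {hits}")
```

Lines 1 and 2 are the false positives the `.asp.*` form produces; lines 3 and 4 show that no single-line rule sees a tag split across lines; line 5 shows that a trailing character class needs one more character to consume, which the lookahead form does not.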
RE: Slightly OT: How to get Outlook To stop screwing messages up
That's a new one for me. Cool. I tested it out. And sure enough... shut down Outlook 2003, made the registry hack for Outlook 2003 it suggested, started Outlook 2003, downloaded new emails and VOILA! When you view the headers, it now shows the complete original email source... looks like the pristine source! Jason J Ellingson Technical Consultant 615.301.1682 : nashville 612.605.1132 : minneapolis www.ellingson.com [EMAIL PROTECTED] -Original Message- From: Raquel Rice [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 03, 2004 2:47 PM To: users@spamassassin.apache.org Subject: Re: Slightly OT: How to get Outlook To stop screwing messages up On Wed, 3 Nov 2004 13:58:10 -0500 Matt [EMAIL PROTECTED] wrote: Hi, As much as I hate Outlook, I have to support it.. ugh.. Is there anyway to get the full source and message, from outlook without having to view source, then view headers? I want the full untainted source as I can get from other quality mail programs like mozilla, and thunderbird. http://www.slipstick.com/mail1/viewheaders.htm -- Raquel I would rather live in a world where my life is surrounded by mystery than live in a world so small that my mind could comprehend it. --Henry Emerson Fosdick
Re: Questions on Spamassassin deployment
If you use amavis then you will not be able to use spamd/c. You will also lose the ability to FULLY manipulate the available headers in sa. If you write your own scripts then you can spamd/c. You will also be able to add any sa header you want. Amavis reads the spamassassin.pm and compiles it into memory, therefore some say it's as fast or faster than spamd/c.

I started with amavis-new and have had to switch computers out to upgrade the OS. While doing that I changed to my own scripts. I'm happier with the memory usage now and the performance. Generally speaking (and without supporting hard data) I've seen an increase in the system performance, decrease in cpu cycles and memory used overall as well as faster scan times of my messages. The difference could be OS related but I think it's because of the switch from amavis-new to my own script with the use of spamd/c. I don't use individual settings and that might have an impact. Your best bet is to try it both ways and find what works best with your setup as system configurations will determine what's best.

- Original Message Follows - From: Matt Goli [EMAIL PROTECTED] To: users@spamassassin.apache.org Subject: Questions on Spamassassin deployment Date: Wed, 3 Nov 2004 15:57:26 -0600

Greetings all: I am looking for feedback and constructive criticism on how our organization is looking to deploy SpamAssassin. The solution we are looking for will only need to filter e-mail for virus and spam because all user mailboxes are currently stored on an Exchange 2000 server. Here is what we would like to do: 1 - Have all inbound and outbound e-mail filter thru two redundant Apple G5 Xserves running Mac OS 10.3.5 server using Postfix version 2.0.10 as the MTA. 2 - All e-mail will be filtered for viruses using ClamAV tied into Postfix via Amavisd. (That part is simple) 3 - How should SpamAssassin be tied in? I have read arguments both ways whether or not to use spamd/spamc or use Amavisd.
Spamd/spamc I feel is more configuration, but seems to allow the use of all of SpamAssassin's built-in features, as opposed to Amavisd being easy to integrate with Spamassassin, but use of built-in Spamassassin features are limited. What is everyone else's take on that? 4 - We wish to provide per-user preferences, AWL and bayesian databases using MySQL. For using MySQL is it better to use Amavisd or spamd/spamc? Also, if we are going to have redundant e-mail filters, it would make sense to provide redundant MySQL servers. Can we run MySQL on both boxes and have SA writing back to both databases on both servers at the same time? If SA can be writing to two different MySQL servers at one time, can the two filter servers be in two different data centers, i.e. one server in New York and one in San Diego? I think that about sums up my questions, any feedback, concerns, questions or references are greatly appreciated. Thank you, --- Matt Goli, MCP Systems Support Group F+W Publications, Inc. - www.fwpublications.com Krause Publications, a division of F+W Publications, Inc. - www.krause.com = Kevin W. Gagel Network Administrator Information Technology Services (250) 561-5848 local 448 -- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done on all incoming and outgoing email. --
Re: Memory issues have forced me back to 2.64
jplesset wrote: SA 3.0.1, yes. So, because I see 11-12 processes, even with -m 3, what should I do about it? jay Hi, I'd check to make sure that you are actually running 3.x and that there are no old libraries around. I'm sure one of the devs will have better information. Regards, Rick
Re: Memory issues have forced me back to 2.64
jplesset writes: Hopefully . . . I'm still hovering around 11 spamd processes. it goes up to 15, drops to 9, but seems to stay around 11 or so.

Guys -- we've heard this occasionally. There should never be more than (--max-children) + 1 spamd processes running; if anyone can catch a server doing otherwise, and figure out *why*, we'd much appreciate it ;)

--j.

My server is much smaller than yours, and has only 256 megs of ram, so it's kind of important to keep these things in line. . . Sparc RAM is so expensive... jay

Oban Lambie wrote: Rick Macdougall wrote: Oban Lambie wrote: The good news was that 3.01 was really, really good at tagging spam and I'd love to get back to it. The bad news was that no matter what I did I could not stop the memory problems and the resulting lock-ups with 3.0 AND 3.01. I've been reading and searching this group from the moment that I upgraded my mail server to 3.01 (about 10 days ago) and believe I've tried implementing every solution that has been offered for people that have posted about memory and load average problems. Maybe I've missed something, maybe I'm not getting it, maybe someone can help.

Hi, Have you tried with --max-conn-per-child=20 on the spamd command line ? This will force the children to die after 20 connections and respawn, clearing up any memory leaks and freeing the memory in use by the child. Regards, Rick

Ahhh, I didn't read closely enough and thought the -m switch was the same as --max-conn-per-child. Doh. Thanks Rick and Jay, I'm thinking this might work!
Re: Per-user capabilities
From: Loren Wilton [EMAIL PROTECTED] However you should examine what proportion of mail nowadays, arriving from the internet, *is* addressed to multiple users in the one SMTP transaction. This may appear to be a major failing, but in my experience it's just not, in real-world use. In my experience, virtually all multi-address mail that I receive (and ALL multi-address mail where all destinations are at the same ISP) are spam. Thus an acceptable solution would be to automatically tag all multi-address mail as spam. :-)

The bigger the ISP the less true this will be. Since the most local ISP here is two people that's a generally good rule. If the email includes Earthlink addresses beyond the two of us it's likely spam. I'd give a modest score to multiple addressed email in general usage. That way ad hoc mailing lists that last a couple weeks would not get penalized too badly. {^_-}
Re: Memory issues have forced me back to 2.64
jplesset wrote: I'm very sure it's 3.0.1, yes. 2.xx didn't do this at all. I'm new to this forum, not sure what you mean by one of the devs. . . thank you jay

Hi, Reply to the list as that is where the devs (the developers of SA) live. I'm just a user of SA, although I hope a clueful user and I try to help out new users. If you are seeing this problem I think Justin may want to know. Regards, Rick
Re: Does (Unix sockets) spamd still pipe the mail message?
On Wed, Nov 03, 2004 at 11:43:30AM -0500, Theo Van Dinter wrote: On Wed, Nov 03, 2004 at 03:12:47PM +1300, Jason Haar wrote: It seems to me that could improve performance (a little bit) - a whole bunch of I/O could be skipped... It's the whole message. Most of the time spamc gets data from STDIN, so there's no filename to pass. That also means no dealing with permissions, Well - I'd say not really to that... I mean most SA installs are using it as part of a MTA (Qmail-Scanner, milter, etc) - so the calling process has the email on disk as a file, and then pipes it into spamc. Having spamc call a filename would remove a good chunk of IO. As far as perms go - yes you are right. But most MTAs using SA would be standalone - so having spamd running as the same userid as the MTA bits isn't much to ask. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Should ALL_TRUSTED be doing this?
Hi there

I've been getting a fair amount of missed spam with SA-3.01 that looks like it would have been caught if it wasn't for ALL_TRUSTED. e.g.

-2.8 ALL_TRUSTED          Did not pass through any untrusted hosts
 0.2 RISK_FREE            BODY: Risk free. Suuurr
 0.8 HTML_FONT_FACE_CAPS  BODY: HTML font face has excess capital...
 0.0 HTML_MESSAGE         BODY: HTML included in message
 1.2 MIME_HTML_ONLY       BODY: Message only has text/html MIME parts
 0.1 HTML_50_60           BODY: Message is 50% to 60% HTML

/etc/mail/spamassassin/local.cf makes no explicit references to trusted or internal_networks, so that ALL_TRUSTED reference must have been auto-calculated. Can someone tell me just how that is meant to work? This spam came directly from a spammer IP to our edge mail server - and then through other internal MTAs to the end mailbox.

Attached is the spam that triggered the above spamc -R report

-- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Received: (qmail 28040 invoked by uid 502); 2 Nov 2004 15:01:32 +1300
Received: from 67.15.104.22 by mailsrv2.trimble.co.nz (envelope-from [EMAIL PROTECTED], uid 107) with qmail-scanner-1.24 (clamdscan: 0.80/567. trophie: 7.000-1011/228/74391. spamassassin: 3.0.1. Clear:RC:0(67.15.104.22):SA:0(4.2/5.0):.
Processed in 7.612944 secs); 02 Nov 2004 02:01:32 - Received: from ev1s-67-15-104-22.ev1servers.net (HELO web10.neureal.com) (67.15.104.22) by mailsrv2.trimble.co.nz with SMTP; 2 Nov 2004 15:01:24 +1300 Received: from web10.neureal.com (localhost [127.0.0.1]) by web10.neureal.com (8.12.10/8.12.10) with ESMTP id iA221NL7000595 for [EMAIL PROTECTED]; Mon, 1 Nov 2004 21:01:23 -0500 Received: (from [EMAIL PROTECTED]) by web10.neureal.com (8.12.10/8.12.10/Submit) id iA221N24000593; Mon, 1 Nov 2004 21:01:23 -0500 Date: Mon, 1 Nov 2004 21:01:23 -0500 Message-Id: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Your Citi Cardmember From: Citi Cards [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: 8bit Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 02 Nov 2004 02:01:32.0415 (UTC) FILETIME=[DFF7B8F0:01C4C07F] html head titleCiti E-mail/title meta http-equiv=Content-Type content=text/html; charset=iso-8859-1 /head xbody bgcolor=#FF text=#00 table width=600 border=0 cellpadding=0 cellspacing=0 tr td colspan=5img src=http://emailimages.citicards.com/images/ALLE/6-30-03/citi/masthead.gif; alt=Citi width=600 height=72/td /tr tr td width=2 bgcolor=#3399CCimg src=http://emailimages.citicards.com/images/ALLE/6-30-03/citi/spacer.gif; alt= width=2 height=1/td tdimg src=http://emailimages.citicards.com/images/ALLE/6-30-03/citi/spacer.gif; alt= width=15 height=1/td tdimg src=http://emailimages.citicards.com/images/ALLE/6-30-03/citi/spacer.gif; alt= width=566 height=1br font size=-1 face=Arial, Helvetica, sans-serifDear Citi Cardmembers,br br We recently reviewed your account and suspect that your CitiBank Account may have been accessed by an unauthorized third party. Protecting the security of your account and of the CitiBank Network is out primary concern. 
Therefore, as a preventative measure we have temporarily limited access to sensitive CitiBank Account Features.br br bClick The link below in order to regain access to your Citi Cardmember Account, simply:/b br a target=_blank href=http://ddlabs.p38media.com/; Update Your Account Online/abr br Please fill in the required informations.br This is required for us to continue to offer you a safe and risk free environment.br br NOTE : Please ignore this message if you're not Debit Citi Cardmember.br p Sincerely,brbr Account Online Managementbr /font br br font face=Verdana, Arial, Helvetica, sans-serif color=#99 size=-2 FONT FACE=ARIAL SIZE=1 COLOR=#808080 BHAVE QUESTIONS ABOUT YOUR ACCOUNT?/BBR We cannot respond to individual messages through this email address, because we are unable to verify the sender's identity. You can, however, correspond with us electronically through our secure messaging feature. Please sign-on at A target=_blankHREF=http://www.citicards.com; www.myciti.com/a and choose Contact Us from the Help/Contact Us menu. Then select the Send New Message link under Write to Customer Care. You can also call the Customer Service phone number on the back of your card.BRBR A target=_blankHREF=http://www.citibank.com/us/cards/privacy.htm; BWE ARE COMMITTED TO YOUR PRIVACY/B/ABRBR a target=_blank
Re: Memory issues have forced me back to 2.64
There should never be more than (--max-children) + 1 spamd processes running; if anyone can catch a server doing otherwise, and figure out *why*, we'd much appreciate it ;)

This was a bit of a coincidence. Read this email this morning, and then 30mins ago my SA server slowed to an absolute crawl. Managed to (VERY slowly) get a ssh session going, the machine had completely run out of memory and was hitting swap very heavily. Doing a 'ps ax | grep spamd | wc -l' showed 58 processes! I have it configured to run 25 normally (this is a busy server). Sorry, I didn't have time to poke around - I had to reset the box to get mail running again. Running SA 3.0.1. Gav
Re: Does (Unix sockets) spamd still pipe the mail message?
Jason Haar wrote: On Wed, Nov 03, 2004 at 11:43:30AM -0500, Theo Van Dinter wrote: On Wed, Nov 03, 2004 at 03:12:47PM +1300, Jason Haar wrote: It seems to me that could improve performance (a little bit) - a whole bunch of I/O could be skipped... It's the whole message. Most of the time spamc gets data from STDIN, so there's no filename to pass. That also means no dealing with permissions, Well - I'd say not really to that... I mean most SA installs are using it as part of a MTA (Qmail-Scanner, milter, etc) - so the calling process has the email on disk as a file, and then pipes it into spamc. Having spamc call a filename would remove a good chunk of IO. What about those of us using spamd on another host? I would have to then access a file on a shared (NFS) volume. I can't believe that the IO of NFS would perform better than piping the message. But, I am just getting my teeth into NFS, educate me ;^) DAve -- Systems Administrator http://www.tls.net Get rid of Unwanted Emails...get TLS Spam Blocker!
Re: Automatic rejection
Hi, I noticed the other day that the latest version of spamass-milter (I don't know how long the feature has been there) has a cmd line option to block mail that exceeds a certain score so this might help you if you are running sendmail. What I'd really like to do is to be able to define a separate score for each domain name my SA server filters, i.e. ; Abc.com - drop any mail that exceeds a SA score of 20.0 Xyz.com - drop any mail that exceeds a score of 10.0 * - all other domains, do not drop any Anyone have any ideas how to implement this? Cheers Gav On 2/11/04 11:33 PM, Moussa Fall [EMAIL PROTECTED] wrote: Question from a newbie: can anyone point me to a location where I can find out to make spamassassin automatically reject spam? I noticed that all tagged spam are really spams and I do not want users to receive mail with scores, etc. Thank you.
Re: Does (Unix sockets) spamd still pipe the mail message?
On Wed, Nov 03, 2004 at 11:10:04PM -0500, Dave Goodrich wrote: What about those of us using spamd on another host? I would have to then access a file on a shared (NFS) volume. I can't believe that the IO of NFS would perform better than piping the message. But, I am just getting my teeth into NFS, educate me ;^) I never said remove the TCP option! :-) Obviously network-based solutions need a network based SA. I'm just saying that there would be a performance gain in dealing with files over Unix sockets instead of pipes (with local filesystems! :-). Whether that gain is worth it is arguable - and hence my question. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Problems with lint check rules_du_jour
About a week ago my rules_du_jour cron job started failing on the lint check. I'm running SA 2.64 on a Debian sarge system kernel 2.4.25. Here's the end of the errors I get if I run rules_du_jour in foreground.

Lint output:
Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri snurl.com *.snurl.com
Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri snipurl.com*.snipurl.com
Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri tinyclick.com *.tinyclick.com
Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri babyurl.com*.babyurl.com
Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri lin.kz *.lin.kz
Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri *.v3.net
Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri shorl.com *.shorl.com
Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri tinyurl.com*.tinyurl.com
Failed to parse line in SpamAssassin configuration, skipping: open_redirect_list_spamcop_uri xurl.us
Failed to compile URI SpamAssassin tests, skipping: (syntax error at /etc/spamassassin/spamcop_uri.cf, rule SPAMCOP_URI_RBL, line 1, near eval: syntax error at /usr/share/spamassassin/20_uri_tests.cf, rule URI_OFFERS, line 175, near ; } )
spam from subdomain
I am receiving spam from subdomain (example given below) of a domain listed in URBL. How to block this kind of email? -- deduct the cost for rx now value magnifier on rx meds it's far from a do-it-yourself pharmacy and leave everything to our doctors once you have ordered your medications:, allegra, claritine, carisoprodol and others no need to waste time on traditional rx refill more chargeless bonus deal like costless consultation http://Gr.Js.dinkykay.com/?UpabkhsydtNh=Jsd43476Jbjknwaan=8635Kog enjoy easy process in dealing with meds
Re: spam from subdomain
On Thursday, November 4, 2004, 2:57:14 AM, Khalid Waheed wrote: I am receiving spam from subdomain (example given below) of a domain listed in URBL. How to block this kind of email? If you mean SURBL and urirhssub, SpamAssassin and SURBLs will reduce these to the registrar domain dinkykay.com and block based on that. Gr.Js. are effectively ignored. Jeff C. __ -- deduct the cost for rx now value magnifier on rx meds it's far from a do-it-yourself pharmacy and leave everything to our doctors once you have ordered your medications:, allegra, claritine, carisoprodol and others no need to waste time on traditional rx refill more chargeless bonus deal like costless consultation http://Gr.Js.dinkykay.com/?UpabkhsydtNh=Jsd43476Jbjknwaan=8635Kog enjoy easy process in dealing with meds Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Sa-learn gives strange errors
Hi there, I have SpamAssassin running on my email gateway servers. After upgrading to 3.0.0 the following errors started appearing every time I run sa-learn: Argument 4.O isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm line 244. Argument 4.O isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm line 244. Argument 4.O isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm line 244. Argument 4.O isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm line 244. This has persisted in 3.0.1. The platform I'm using is Solaris 9, with Perl 5.8.0 installed. Apologies if this has come up before, but I've searched the lists for a solution in vain. I'd be very grateful if someone would tell me how to make this go away! Regards, Chris Denton
BAYES HAM FOLDER
just to check am I right in thinking that the ham folder is there to explicitly stop false positives coming through the filters? ie based on domain or list or email address content etc or is that just a superficial explanation...? ronan
spamc/spamd failure
Hi, On a Redhat 7.3 ( 2.4.20-28) with SA 3.0.1 : installation and filtering is good, but from time to time, each 3 or 4 days no more message is filtered, despite the spamd daemon is still active.

- I try to upgrade the number of child process of spamd from 5 to 10 but keep the same problem ; there are the options I use to call spamd : OPTIONS=-d -x -m 10 -s /var/log/spamd.log

- the only trace I see in the log file is something like this :

Nov 4 11:54:01 x spamc[18508]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18511]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18512]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18513]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18509]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18514]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18536]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18537]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18538]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18539]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18540]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18542]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18543]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18544]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18551]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18548]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18541]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18545]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18554]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:01 x spamc[18557]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:02 x spamc[18574]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:02 x spamc[18575]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:02 x spamc[18576]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:02 x spamc[18577]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:02 x spamc[18578]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:02 x spamc[18579]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:02 x spamc[18580]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
Nov 4 11:54:02 x spamc[18581]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection timed out

- these messages appeared at times the computer is not particularly loaded; this is a dedicated mail server for about 80 users

- netstat -lnp | grep spamd gives :

tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 20063/spamd.log

so the default 783 port is OK

- I used SA 2.6 for a long time without any problem ; I get this new problem when I upgrade to 3.0.0 so I recently try 3.0.1 but it's the same

- the only thing I'm able to do in that case is to restart the daemon by : service spamassassin restart and everything restart well .. but the problem is still pending, and what to do when I'm not there ...

regards -- Michel Vanbreugel CEREMADE Email : [EMAIL PROTECTED] Université Paris-Dauphine tél: 01.44.05.44.67 Place du Maréchal de Lattre fax : 01.44.05.45.99
Re: Automatic rejection
OK, now I have spamassassin, clamav, amavisd-new installed with my RH9 and postfix. They all seem to work fine together. Lots of spam are stopped now. But still some are remaining. What can I do to improve its performance, please?
RE: Automatic rejection
You probably won't stop all of them. I too am new to spamassassin and learn more each day. Look at www.rulesemporium.com for additional rules you can put in place to help block additional spam. Ron Ron Nutter [EMAIL PROTECTED] Network Manager Information Technology Services(502)863-7002 Georgetown College Georgetown, KY40324-1696 -Original Message- From: Moussa Fall [mailto:[EMAIL PROTECTED] Sent: Thursday, November 04, 2004 8:07 AM To: users@spamassassin.apache.org Subject: Re: Automatic rejection OK, now I have spamassassin, clamav, amavisd-new installed with my RH9 and postfix. They all seem to work fine together. Lots of spam are stopped now. But still some are remaining. What can I do to improve its performance, please?
Re: SA 3.01 scoring very low
On Wed, 2004-11-03 at 21:40, Dave Goodrich wrote: Good afternoon, I just finished testing an upgrade of SA to 3.01 and my scores fell through the floor. Read the docs, tried to use the Wiki, followed everyone else's upgrade on the list. Not sure just what went wrong. X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on avhost.tls.net X-Spam-Status: No, score=0.6 required=5.0 tests=ALL_TRUSTED,DRUGS_ERECTILE, FROM_NO_LOWER,INVALID_DATE,MISSING_SUBJECT,RM_hm_EmtyMsgid autolearn=disabled version=3.0.1 You need to specify trusted_networks in local.cf, otherwise you're going to continue to hit the ALL_TRUSTED rule which can *decrease* your score by up to -3.3. If you don't specify trusted_networks then SpamAssassin infers what your trusted networks are - and the inference algorithm may not always get the correct result. For instance if your mail relay/server is on a private network and NATed thru a firewall, then the algorithm may infer incorrectly that the connecting mail server is trusted. i.e. the algorithm assumes that since you're a private address, then the next hop server must belong to you since your MX must be public. However it does not take NAT into account. Setting trusted_networks appropriately will solve this issue (I don't think SA 2.64 has the ALL_TRUSTED rule - or at least it scores low). Since you hit ALL_TRUSTED certain other DNS based tests are not run. Also is dns unavailable (dns_available no)? This may explain why you're not getting SURBL hits (which you should if dns is fully operational). Also skip_rbl_checks will do just that. Regards, - Sean
Re: BAYES HAM FOLDER
At 12:14 PM 11/4/2004 +, you wrote: just to check am I right in thinking that the ham folder is there to explicitly stop false positives coming through the filters? ie based on domain or list or email address content etc or is that just a superficial explanation...?

What do you mean by ham folder? (There are lots of ideas that come to mind, but there's no such standard thing in SpamAssassin as a ham folder)
Re: Should ALL_TRUSTED be doing this?
At 04:20 PM 11/4/2004 +1300, Jason Haar wrote: I've been getting a fair amount of missed spam with SA-3.01 that looks like it would have been caught if it wasn't for ALL_TRUSTED.

No, it should not. You have one of two problems:

1) SA is confused about trust. This typically happens if your outer-most mailserver is address translated and has a reserved non-routable IP address assigned. SA generally assumes the first non-reserved IP is your outside MX, but this isn't true for a lot of networks that NAT their mailservers. To fix: set trusted_networks manually in your local.cf. Include just your mailservers in this. ie if I had two servers, one external MX numbered 192.168.1.8 and a SA scanning box at 192.168.20.8 I could do this:

trusted_networks 192.168.1.8/32
trusted_networks 192.168.20.8/32

2) The other case is SA can't parse your Received: headers. If you run a message through spamassassin -D you'll see debug lines complaining about it:

debug: received-header: unknown format:

To fix: short term, force the score of ALL_TRUSTED to 0.

score ALL_TRUSTED 0

If it's a received line starting with by, then it's this bug: http://bugzilla.spamassassin.org/show_bug.cgi?id=3600 Otherwise, create a new bug in the bugzilla, and attach a sample.
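Added example (not part of the original reply, and not SpamAssassin's own code): a simplified model of the trust inference as case 1 above describes it, next to an explicit trusted_networks check, showing why a NATed MX lets an outside relay count as trusted. The header format, host names and the 198.51.100.x / 203.0.113.x addresses are constructed; only CIDR-form trusted_networks entries are handled.

```python
import ipaddress
import re

# Reserved ranges used by the simplified inference model (assumption: only
# RFC 1918 and loopback space are treated as "reserved" here).
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# The local.cf lines given in the reply above.
LOCAL_CF = """\
trusted_networks 192.168.1.8/32
trusted_networks 192.168.20.8/32
"""

# Constructed Received headers, newest first. In NAT_HEADERS the outside MX
# holds a reserved address; in PUBLIC_MX_HEADERS it holds a public one.
NAT_HEADERS = [
    "Received: from mx.example.org ([192.168.1.8]) by scan.example.org with ESMTP",
    "Received: from sender.example.net ([203.0.113.45]) by mx.example.org with SMTP",
]
PUBLIC_MX_HEADERS = [
    "Received: from mx.example.org ([198.51.100.10]) by scan.example.org with ESMTP",
    "Received: from sender.example.net ([203.0.113.45]) by mx.example.org with SMTP",
]


def parse_trusted_networks(conf_text):
    """Collect CIDR entries from trusted_networks lines, ignoring comments."""
    nets = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "trusted_networks":
            nets.extend(ipaddress.ip_network(f, strict=False) for f in fields[1:])
    return nets


def relay_ips(headers):
    """Extract the bracketed relay address from each header, newest first."""
    ips = []
    for header in headers:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def untrusted_explicit(relays, nets):
    """Relays that fall outside every configured trusted network."""
    return [str(ip) for ip in relays if not any(ip in n for n in nets)]


def untrusted_inferred(relays):
    """Model of the inference: trust reserved relays and the first
    non-reserved one (taken to be the outside MX); the rest are untrusted."""
    for i, ip in enumerate(relays):
        if not any(ip in n for n in RESERVED):
            return [str(x) for x in relays[i + 1:]]
    return []


if __name__ == "__main__":
    nets = parse_trusted_networks(LOCAL_CF)
    for label, headers in (("NATed MX", NAT_HEADERS), ("public MX", PUBLIC_MX_HEADERS)):
        relays = relay_ips(headers)
        print(label, "inferred untrusted:", untrusted_inferred(relays))
        print(label, "explicit untrusted:", untrusted_explicit(relays, nets))
```

An empty untrusted list corresponds to the "did not pass through any untrusted hosts" condition: in the NATed case the inference model returns an empty list even though the message came from an outside address, while the explicit list flags that relay.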
RE: Sa-learn gives strange errors
-Original Message- From: Chris Denton [mailto:[EMAIL PROTECTED] Sent: Thursday, November 04, 2004 8:46 AM To: users@spamassassin.apache.org Subject: RE: Sa-learn gives strange errors Thanks very much for your help, Candee. Most welcome; glad I could help. It was indeed 4.o rather than 4.0, which my console unhelpfully was making indistinguishable. The offending score was for STUPID_RATWARE in the French Rules custom ruleset I had downloaded some time before upgrading. Chris -Original Message- From: Candee Vaglica [mailto:[EMAIL PROTECTED] Sent: 04 November 2004 13:32 To: users@spamassassin.apache.org Subject: RE: Sa-learn gives strange errors -Original Message- From: Chris Denton [mailto:[EMAIL PROTECTED] Sent: Thursday, November 04, 2004 6:30 AM To: users@spamassassin.apache.org Subject: Sa-learn gives strange errors Hi there, I have SpamAssassin running on my email gateway servers. After upgrading to 3.0.0 the following errors started appearing every time I run sa-learn: Argument 4.O isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm line 244. Argument 4.O isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm line 244. Argument 4.O isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm line 244. Argument 4.O isn't numeric in addition (+) at /usr/local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm line 244. This has persisted in 3.0.1. The platform I'm using is Solaris 9, with Perl 5.8.0 installed. Apologies if this has come up before, but I've searched the lists for a solution in vain. I'd be very grateful if someone would tell me how to make this go away! Regards, Chris Denton There's an error in one of your config files. Check if you've scored something 4. o (instead of zero) The thread you want in the archives is: I am getting Argument isn't numeric
Re: SA 3.01 scoring very low
Sean Doherty wrote: On Wed, 2004-11-03 at 21:40, Dave Goodrich wrote: Good afternoon, I just finished testing an upgrade of SA to 3.01 and my scores fell through the floor. Read the docs, tried to use the Wiki, followed everyone else's upgrade on the list. Not sure just what went wrong. X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on avhost.tls.net X-Spam-Status: No, score=0.6 required=5.0 tests=ALL_TRUSTED,DRUGS_ERECTILE, FROM_NO_LOWER,INVALID_DATE,MISSING_SUBJECT,RM_hm_EmtyMsgid autolearn=disabled version=3.0.1 You need to specify trusted_networks in local.cf, otherwise you're going to continue to hit the ALL_TRUSTED rule which can *decrease* your score by up to -3.3. If you don't specify trusted_networks then SpamAssassin infers what your trusted networks are - and the inference algorithm may not always get the correct result. For instance if your mail relay/server is on a private network and NATed thru a firewall, then the algorithm may infer incorrectly that the connecting mail server is trusted. i.e. the algorithm assumes that since you're a private address, then the next hop server must belong to you since your MX must be public. However it does not take NAT into account. Setting trusted_networks appropriately will solve this issue (I don't think SA 2.64 has the ALL_TRUSTED rule - or at least it scores low). I will look into that, I didn't set it as I want no network to be trusted. I'll reread what I can find on that. Since you hit ALL_TRUSTED certain other DNS based tests are not run. Eh? Where do I find this out? Also is dns unavailable (dns_available no)? This may explain why you're not getting SURBL hits (which you should if dns is fully operational). I marked DNS unavailable as I don't want the DNS check, I do want DNS tests run, but only SURBL. Rereading it I think it was too late in the evening, I need to set dns_available yes to stop the dns testing, but still allow dns tests to run. 
My choice for leaving trusted_networks blank was this; If trusted_networks is not set and internal_networks is, the value of internal_networks will be used for this parameter. If you're running with DNS checks enabled, SpamAssassin includes code to infer your trusted networks on the fly, so this may not be necessary. I don't want any networks trusted, inferred or otherwise. So I left trusted_networks and internal_networks both blank. Also skip_rbl_checks will do just that. Umm I don't follow you there, are you saying skip_rbl_checks will skip SURBL? Because if it does, I'll need to go back to 2.64. By default, SpamAssassin will run RBL checks. If your ISP already does this for you, set this to 1. Thanks, DAve -- Systems Administrator http://www.tls.net Get rid of Unwanted Emails...get TLS Spam Blocker!
Re: {SPAM} SA 3.01 scoring very low
On Wed, 2004-11-03 at 21:52, Matt Kettler wrote: At 04:40 PM 11/3/2004, Dave Goodrich wrote: Good afternoon, I just finished testing an upgrade of SA to 3.01 and my scores fell through the floor. Read the docs, tried to use the Wiki, followed everyone else's upgrade on the list. Not sure just what went wrong. DAve Here is a sample output of spamassassin -D test_spam (a known spam that had been caught and scored as follows, snip debug: received-header: unknown format: debug: received-header: unknown format: debug: received-header: unknown format: debug: received-header: unknown format: snip There's the cause of your problem.. SA is having problems parsing your received headers. As a result, SA is failing to properly detect a trust path, and is triggering ALL_TRUSTED, which should never happen for outside mail. In the short term, force ALL_TRUSTED to 0 Matt, does this mean that even if trusted_networks is set in local.cf, SpamAssassin will fire the ALL_TRUSTED rule even if it can't parse the received headers? i.e. Since there are no parsable received headers, SA will assume that all must have been trusted? Seems a bit aggressive to me... - Sean
Re: SA 3.01 scoring very low
On Thu, 2004-11-04 at 14:14, Dave Goodrich wrote: Sean Doherty wrote: On Wed, 2004-11-03 at 21:40, Dave Goodrich wrote: Good afternoon, I just finished testing an upgrade of SA to 3.01 and my scores fell through the floor. Read the docs, tried to use the Wiki, followed everyone else's upgrade on the list. Not sure just what went wrong. X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on avhost.tls.net X-Spam-Status: No, score=0.6 required=5.0 tests=ALL_TRUSTED,DRUGS_ERECTILE, FROM_NO_LOWER,INVALID_DATE,MISSING_SUBJECT,RM_hm_EmtyMsgid autolearn=disabled version=3.0.1 You need to specify trusted_networks in local.cf, otherwise you're going to continue to hit the ALL_TRUSTED rule which can *decrease* your score by up to -3.3. If you don't specify trusted_networks then SpamAssassin infers what your trusted networks are - and the inference algorithm may not always get the correct result. For instance if your mail relay/server is on a private network and NATed thru a firewall, then the algorithm may infer incorrectly that the connecting mail server is trusted. i.e. the algorithm assumes that since you're a private address, then the next hop server must belong to you since your MX must be public. However it does not take NAT into account. Setting trusted_networks appropriately will solve this issue (I don't think SA 2.64 has the ALL_TRUSTED rule - or at least it scores low). I will look into that, I didn't set it as I want no network to be trusted. I'll reread what I can find on that. Just set trusted_network 127.0.0.1 Since you hit ALL_TRUSTED certain other DNS based tests are not run. Eh? Where do I find this out? Check out trusted_network section of Mail::SpamAssassin::Conf i.e no RBL tests on trusted networks. I don't want any networks trusted, inferred or otherwise. So I left trusted_networks and internal_networks both blank. My understanding is that if unset trusted_networks will be inferred. 
Setting it to the loopback address and/or the host IP address will prevent this. Also skip_rbl_checks will do just that. Umm I don't follow you there, are you saying skip_rbl_checks will skip SURBL? Because if it does, I'll need to go back to 2.64. No. Just pointing out that no RBL tests will not be run. Also, Matt Kettler pointed out in this thread that the reason for ALL_TRUSTED firing may not be entirely related to invalid inference of trust, but because the Received headers had unknown format in the debug output. - Sean
Re: SA 3.01 scoring very low
At 02:19 PM 11/4/2004 +, Sean Doherty wrote: Matt, does this mean that even if trusted_networks is set in local.cf, SpamAssassin will fire the ALL_TRUSTED rule even if it can't parse the received headers? i.e. Since there are no parsable received headers, SA will assume that all must have been trusted? Yes I just submitted a bug on the matter.. Currently ALL_TRUSTED fires whenever there are no untrusted relays detected.. However, it fails to check that any trusted relays exist... I opened this bug to suggest a fix for ALL_TRUSTED: http://bugzilla.spamassassin.org/show_bug.cgi?id=3949 However, the Received: path parsing bug is something I leave up to Dave to file. Really mis-parsed Received: headers is a serious bug, the fix to ALL_TRUSTED is just damage control.
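A small model of the behaviour described in the message above, added here as an illustration and not SpamAssassin's own code: relay IPs are pulled from Received: headers with a deliberately simplified pattern, split into trusted and untrusted against a trusted_networks list, and ALL_TRUSTED is evaluated both as described (no untrusted relay seen) and with the suggested extra check (at least one trusted relay seen). The function names, the regex and the sample headers are constructed for the example; the two trusted_networks entries are the ones used earlier in this archive.

```python
import ipaddress
import re

# Simplified: take the bracketed IP from a "from host (... [ip]) by ..." header.
# Real Received: formats vary widely; anything that does not match counts as unparsed.
RECEIVED_IP = re.compile(r"^from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.S)


def parse_relays(received_headers):
    """Return (relay_ips, unparsed_count); headers are given newest first."""
    relays, unparsed = [], 0
    for value in received_headers:
        match = RECEIVED_IP.search(value.strip())
        if not match:
            unparsed += 1
            continue
        try:
            relays.append(ipaddress.ip_address(match.group(1)))
        except ValueError:          # e.g. an octet above 255
            unparsed += 1
    return relays, unparsed


def split_trust(relays, trusted_networks):
    """Modelling assumption: trust extends hop by hop from the scanner
    outwards and stops for good at the first relay outside trusted_networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    trusted, untrusted = [], []
    chain_intact = True
    for ip in relays:
        if chain_intact and any(ip in net for net in nets):
            trusted.append(ip)
        else:
            chain_intact = False
            untrusted.append(ip)
    return trusted, untrusted


def all_trusted_as_described(trusted, untrusted):
    # Fires whenever no untrusted relay was detected, even if nothing was parsed.
    return len(untrusted) == 0


def all_trusted_with_check(trusted, untrusted):
    # Suggested fix: additionally require that a trusted relay actually exists.
    return len(untrusted) == 0 and len(trusted) > 0


def evaluate(received_headers, trusted_networks):
    relays, unparsed = parse_relays(received_headers)
    trusted, untrusted = split_trust(relays, trusted_networks)
    return {
        "unparsed": unparsed,
        "trusted": [str(ip) for ip in trusted],
        "untrusted": [str(ip) for ip in untrusted],
        "as_described": all_trusted_as_described(trusted, untrusted),
        "with_check": all_trusted_with_check(trusted, untrusted),
    }


TRUSTED_NETWORKS = ["192.168.1.8/32", "192.168.20.8/32"]

# Constructed sample: outside mail handed from a NATed MX to the scanning box.
OUTSIDE_MAIL = [
    "from mx.internal.example (mx.internal.example [192.168.1.8]) "
    "by scan.internal.example with ESMTP",
    "from sender.example.net (sender.example.net [203.0.113.25]) "
    "by mx.internal.example with SMTP",
]

# Constructed sample: the same path, but every header starts with "by",
# so this parser (like the debug output in the thread) recognises none of them.
UNPARSED_MAIL = [
    "by scan.internal.example with ESMTP id 0001",
    "by mx.internal.example with SMTP id 0002",
]

if __name__ == "__main__":
    for name, headers in (("outside", OUTSIDE_MAIL), ("unparsed", UNPARSED_MAIL)):
        print(name, evaluate(headers, TRUSTED_NETWORKS))
```

With the unparsed sample both relay lists come back empty, so the rule as described fires on outside mail while the variant with the extra check does not.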
Re: SA 3.01 scoring very low
Matt Kettler wrote: At 02:19 PM 11/4/2004 +, Sean Doherty wrote: Matt, does this mean that even if trusted_networks is set in local.cf, SpamAssassin will fire the ALL_TRUSTED rule even if it can't parse the received headers? i.e. Since there are no parsable received headers, SA will assume that all must have been trusted? Yes I just submitted a bug on the matter.. Currently ALL_TRUSTED fires whenever there are no untrusted relays detected.. However, it fails to check that any trusted relays exist... I opened this bug to suggest a fix for ALL_TRUSTED: http://bugzilla.spamassassin.org/show_bug.cgi?id=3949 However, the Received: path parsing bug is something I leave up to Dave to file. No need, I rechecked my test message and it had some formatting problems from being transferred off my workstation (Thunderbird) and onto the SA box. I grabbed a couple other messages right out of the Maildir and they parsed fine. I believe the issue with the headers was of my making, not a SA problem. DAve -- Systems Administrator http://www.tls.net Get rid of Unwanted Emails...get TLS Spam Blocker!
Re: SA 3.01 scoring very low
At 09:54 AM 11/4/2004 -0500, Dave Goodrich wrote: Yes I just submitted a bug on the matter.. Currently ALL_TRUSTED fires whenever there are no untrusted relays detected.. However, it fails to check that any trusted relays exist... I opened this bug to suggest a fix for ALL_TRUSTED: http://bugzilla.spamassassin.org/show_bug.cgi?id=3949 However, the Received: path parsing bug is something I leave up to Dave to file. No need, I rechecked my test message and it had some formatting problems from being transferred off my workstation (Thunderbird) and onto the SA box. I grabbed a couple other messages right out of the Maildir and they parsed fine. I believe the issue with the headers was of my making, not a SA problem Fair enough, thanks for the follow-up. I still think it's worth fixing ALL_TRUSTED just in case. There's at least one valid open bug regarding Received: formats.. http://bugzilla.spamassassin.org/show_bug.cgi?id=3600 And many others are possible, so it's definitely worth the preventative measures.
Re: SA 3.01 scoring very low
Sean Doherty wrote: On Thu, 2004-11-04 at 14:14, Dave Goodrich wrote: Sean Doherty wrote: I will look into that, I didn't set it as I want no network to be trusted. I'll reread what I can find on that. Just set trusted_network 127.0.0.1 Yes, this fixed it. Since you hit ALL_TRUSTED certain other DNS based tests are not run. Eh? Where do I find this out? Check out trusted_network section of Mail::SpamAssassin::Conf i.e no RBL tests on trusted networks. If you're running with DNS checks enabled, SpamAssassin includes code to infer your trusted networks on the fly, so this may not be necessary. (Thanks to Scott Banister and Andrew Flury for the inspiration for this algorithm.) This inference works as follows: This seems backwards to me. If a user does nothing, then his network will be considered trusted by default? We are an ISP, and SA is running on our toasters. I don't want any machine trusted as that leaves a door open for my smtp relay users (viruses, trojans, just bad folks) to spam local users. JMHO, but shouldn't all networks be considered untrusted unless a user specifies otherwise? DAve -- Systems Administrator http://www.tls.net Get rid of Unwanted Emails...get TLS Spam Blocker!
Re: SA 3.01 scoring very low
Thanks everyone, testing with several messages and comparing to 2.64 scores looks good now. Three issues, 1) My test message was munged and SA had problems parsing the headers. Used unmangled messages and SA parsed them fine. 2) Set trusted networks to 127.0.0.1, so no network is trusted. 3) set dns_available yes, this stopped the testing of dns availability, while still allowing dns tests themselves to run. Of note, setting skip_rbl_checks 1 does not stop SURBL tests, which is good. Just stops the rbl checks for smtp connections. DAve Matt Kettler wrote: At 09:54 AM 11/4/2004 -0500, Dave Goodrich wrote: Yes I just submitted a bug on the matter.. Currently ALL_TRUSTED fires whenever there are no untrusted relays detected.. However, it fails to check that any trusted relays exist... I opened this bug to suggest a fix for ALL_TRUSTED: http://bugzilla.spamassassin.org/show_bug.cgi?id=3949 However, the Received: path parsing bug is something I leave up to Dave to file. No need, I rechecked my test message and it had some formatting problems from being transferred off my workstation (Thunderbird) and onto the SA box. I grabbed a couple other messages right out of the Maildir and they parsed fine. I believe the issue with the headers was of my making, not a SA problem Fair enough, thanks for the follow-up. I still think it's worth fixing ALL_TRUSTED just in case. There's at least one valid open bug regarding Received: formats.. http://bugzilla.spamassassin.org/show_bug.cgi?id=3600 And many others are possible, so it's definitely worth the preventative measures. -- Systems Administrator http://www.tls.net Get rid of Unwanted Emails...get TLS Spam Blocker!
Re: SA 3.01 scoring very low
On Thu, 2004-11-04 at 15:04, Dave Goodrich wrote: Check out trusted_network section of Mail::SpamAssassin::Conf i.e no RBL tests on trusted networks. If you're running with DNS checks enabled, SpamAssassin includes code to infer your trusted networks on the fly, so this may not be necessary. (Thanks to Scott Banister and Andrew Flury for the inspiration for this algorithm.) This inference works as follows: This seems backwards to me. If a user does nothing, then his network will be considered trusted by default? We are an ISP, and SA is running on our toasters. I don't want any machine trusted as that leaves a door open for my smtp relay users (viruses, trojans, just bad folks) to spam local users. JMHO, but shouldn't all networks be considered untrusted unless a user specifies otherwise? I got to agree with you there - especially given that the inference algorithm doesn't work in every environment. - Sean
Bayesian Database Lock failure
I'm having a weird problem that shows up every day about 50 times in a burst. My logs show this: Nov 4 01:11:23 [EMAIL PROTECTED] spamd[12335]: Cannot open bayes databases /var/spool/filter/bayes/bayes_* R/W: lock failed: Interrupted system call Nov 4 01:11:23 [EMAIL PROTECTED] spamd[12335]: identified spam (25.3/5.0) for filter:1001 in 17.2seconds, 923 bytes. Nov 4 01:11:23 [EMAIL PROTECTED] spamd[12335]: result: Y 25 - BAYES_99,DATE_IN_FUTURE_12_24,DNS_FROM_RFC_WHOIS,HTML_40_50,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_SUBJECT,MSGID_DOLLARS,RATWARE_ZERO_TZ,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=17.2,size=923,mid=[EMAIL PROTECTED],bayes=1,autolearn=unavailable The bayes files live on a tmpfs at /var/spool/filter. I haven't had this problem before, and it doesn't seem to be fatal to the message, just to the bayes checks. The system is SpamAssassin version 3.0.0 running on Perl version 5.8.4 called by postfix 2.1.5. The system handles around a quarter of a million messages a day, and doesn't seem to have any problems except this small error. Does anybody have ideas where to start looking for the problem? - Andrew
RE: Should ALL_TRUSTED be doing this?
At 10:06 AM 11/4/2004, Mike Carlson wrote: Do you have to add private IP addresses to the trusted_networks list? I only added the public IP Addresses that are set up for our mail server but it does have a private IP and is being NAT'd. SA is going to see the IPs as the machine running SA sees them. Set your trusted_networks based on two factors: 1) according to how SA will see the IP when it does a DNS lookup on host names in the Received: header if no IP exists. 2) according to how the IPs in the header will appear, when they do appear. For example: Received: from mail.apache.org (hermes.apache.org [209.237.227.199]) by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id iA4F3VVt006313 for [EMAIL PROTECTED]; Thu, 4 Nov 2004 10:03:31 -0500 In this case, SA's going to DNS lookup xanadu.evi-inc.com. Since SA runs inside the firewall, it's going to get a 192.168.*.* address, not 208.39.141.94. SA needs to trust that private IP, not the public one.
Re: SA 3.01 scoring very low
At 10:17 AM 11/4/2004, Sean Doherty wrote: JMHO, but shouldn't all networks be considered untrusted unless a user specifies otherwise? I got to agree with you there - especially given that the inference algorithm doesn't work in every environment. Unfortunately this only solves one aspect of the problem. SA NEEDS to have the correct trust path. Trusting nobody is just as bad as trusting everyone. Trusting nobody breaks whitelist_from_rcvd, for example.
PRocmail recipe problem and spamassassin not filtering correctly
Hi all, I use spamassassin 2.63 on fedora core 2. I have two problems : 1. Spamassassin does not flag all spam, although my level is at 3. Sometimes he doesn't even have ONE hit on a spam message !!!. 2. I want to move the spam messages to a specific folder, how to do that ?. My procmail.log says :
==
From [EMAIL PROTECTED] Thu Nov 4 09:57:10 2004
Subject: A SPECIFIC SUBJECT
Folder: /var/spool/mail/THE USER'S LOGIN
procmail: Incomplete recipe
==
My local.cf in spamassassin folder is like this :
==
rewrite_subject 1
subject_tag [*ATTENTION SPAM*]
report_safe 0
use_bayes 1
auto_learn 1
# Spam domains
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
==
Here is my procmailrc file :
==
LOGFILE=/var/log/procmail.log
:0 fw
* 256000
| /usr/bin/spamc -f
:0:
* ^X-Spam-Level: \*\*\*
==
Can someone help me out ?. /hitete
Spamassassin rules and qmail-scanner
Hi, I've downloaded a lot of rules which sound like they detect the spam I got. I've saved them in /etc/spamassassin. But now I still get all the spam like before. I'm really new, sorry, but should I activate them or is spamassassin looking by each mail in the /etc/spamassassin dir and check the mail with all these rules? Second thing is a updated maildrop but qmail-scanner still want me to update it. Is there another possibility to move the spam detected messages to a special folder? The last thing is how to use the blacklists with qmail, don't know if this is the right mailing list but perhaps somebody can tell me how to use them. I hope they are called black lists. I mean the list of known spam servers. Thx for that Max
Re: PRocmail recipe problem and spamassassin not filtering correctly
At 10:53 AM 11/4/2004, [EMAIL PROTECTED] wrote: I use spamassassin 2.63 on fedora core 2. I have two problems : 1. Spamassassin does not flag all spam, although my level is at 3. Sometimes he doesn't even have ONE hit on a spam message !!!. You're running a rather old version of SA, one which is vulnerable to a malformed message causing denial of service. If you can't upgrade to 3.x, at minimum upgrade to 2.64. As for accuracy:
1) Consider installing Net::DNS so SA can query RBLs. (this is just done with CPAN, or a distribution package)
2) Consider adding DCC or Razor http://www.rhyolite.com/anti-spam/dcc/ http://razor.sourceforge.net/
3) if you're on 2.6x consider adding antidrug.cf (built in on 3.x) http://mywebpages.comcast.net/mkettler/sa/antidrug.cf (just wget it into /etc/mail/spamassassin and restart spamd)
4) if you're on 2.6x consider adding the surbl.org plugin (similar code built in on 3.x) http://sourceforge.net/projects/spamcopuri/
5) if you can keep up on training, consider setting up bayes.
2. I want to move the spam messages to a specific folder, how to do that ?. Procmail rules. See the example at: http://wiki.apache.org/spamassassin/UsedViaProcmail Which moves mail to almost-certainly-spam and probably-spam mailboxes automatically.
Re: SA 3.01 scoring very low
Matt Kettler wrote: At 10:17 AM 11/4/2004, Sean Doherty wrote: JMHO, but shouldn't all networks be considered untrusted unless a user specifies otherwise? I got to agree with you there - especially given that the inference algorithm doesn't work in every environment. Unfortunately this only solves one aspect of the problem. SA NEEDS to have the correct trust path. Trusting nobody is just as bad as trusting everyone. Trusting nobody breaks whitelist_from_rcvd, for example. While I agree that trusting no one doesn't really solve the problem, I don't believe it is just as bad as trusting everyone. Trusting everyone stops other rules from firing and adds at least -2.something to every message. This seems far worse than trusting no one and breaking whitelist_from_rcvd. -Jim
RE: URIDNSBL
I have attached a snippet of the output of spamd -D that talks about URIDNSBL debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c35840) debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8c36ef0) debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) implements 'parse_config' debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c35840) implements 'parse_config' debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: 
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks Does that look correct? I don't notice any errors, but I wasn't sure about inhibited further callbacks. 
--Mike Carlson [EMAIL PROTECTED] http://www.uselessthoughts.com From: Mike Carlson Sent: Wed 11/3/2004 2:15 PM To: Mathieu Nantel; users@spamassassin.apache.org Subject: RE: URIDNSBL I don't have any of those tests showing up in the tagged spam. I did notice a -2.4 for not passing through untrusted hosts. I am going to have to change that score I think. I don't think I am going to give spam credit for not being sent through a known spam host. --Mike Carlson [EMAIL PROTECTED] http://www.uselessthoughts.com From: Mathieu Nantel [mailto:[EMAIL PROTECTED] Sent: Wed 11/3/2004 1:55 PM To: users@spamassassin.apache.org Subject: Re: URIDNSBL Heh, that's easy: 99% of your spam will score on either of these tests:
    5.0 URIBL_SBL Contains an URL listed in the SBL blocklist
    5.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
    5.0 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
Re: Spamassassin rules and qmail-scanner
Max local rules normally go in /etc/mail/spamassassin where you should also find a local.cf file. make sure the user that's calling spamassassin (or spamc etc) can read the files. No comment on the qmail side of things as it's not my thing. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 [EMAIL PROTECTED] wrote: Hi, I've downloaded a lot of rules which sound like they detect the spam I got. I've saved them in /etc/spamassassin. But now I still get all the spam like before. I'm really new, sorry, but should I activate them or is spamassassin looking by each mail in the /etc/spamassassin dir and check the mail with all these rules? Second thing is a updated maildrop but qmail-scanner still want me to update it. Is there another possibility to move the spam detected messages to a special folder? The last thing is how to use the blacklists with qmail, don't know if this is the right mailing list but perhaps somebody can tell me how to use them. I hope they are called black lists. I mean the list of known spam servers. Thx for that Max
Re: SA 3.01 scoring very low
Matt Kettler wrote: At 10:17 AM 11/4/2004, Sean Doherty wrote: JMHO, but shouldn't all networks be considered untrusted unless a user specifies otherwise? I got to agree with you there - especially given that the inference algorithm doesn't work in every environment. Unfortunately this only solves one aspect of the problem. SA NEEDS to have the correct trust path. Trusting nobody is just as bad as trusting everyone. Trusting nobody breaks whitelist_from_rcvd, for example. This is all becoming very confusing about what effect the trusted networks code has on the rest of SA. Possibly I have not read the conf pages correctly. internal_networks ip.add.re.ss[/mask] ... (default: none) If neither trusted_networks or internal_networks is set, no addresses will be considered local; in other words, any relays past the machine where SpamAssassin is running will be considered external. And trusted? whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net Note that this requires that internal_networks be correct. For simple cases, it will be, but for a complex network, or running with DNS checks off or with -L, you may get better results by setting that parameter. I'm confused here, if I set no trust params, then all networks are trusted by default. But if I trust no networks, then I cannot use whitelist_from_rcvd to define a trusted relay? To me that says, in order to define a trusted relay via whitelist_from_rcvd, I first must trust ALL relays, or put all the relays I have in whitelist_from_rcvd into my trusted networks as well. DAve -- Systems Administrator http://www.tls.net Get rid of Unwanted Emails...get TLS Spam Blocker!
Errors reading local.cf
Since I was in trying to figure out if URIDNSRBL was working I noticed a few more errors that were coming up:
    debug: config: SpamAssassin failed to parse line, skipping: rewrite_subject 1
    debug: config: SpamAssassin failed to parse line, skipping: subject_tag (SPAM) _HITS_
    debug: config: SpamAssassin failed to parse line, skipping: use_terse_report 0
    debug: config: SpamAssassin failed to parse line, skipping: auto_learn 0
My /usr/local/etc/mail/spamassassin/local.cf is pretty straight forward
    # How many hits before a message is considered spam.
    required_hits 5.5
    # Whether to change the subject of suspected spam
    rewrite_subject 1
    # Text to prepend to subject if rewrite_subject is used
    subject_tag (SPAM) _HITS_
    # Encapsulate spam in an attachment
    report_safe 1
    # Use terse version of the spam report
    use_terse_report 0
    # Enable the Bayes system
    use_bayes 1
    # Enable Bayes auto-learning
    auto_learn 0
    # Enable or disable network checks
    skip_rbl_checks 0
    use_razor2 1
    use_dcc 1
    use_pyzor 1
    pyzor_path /usr/local/bin/pyzor
    #trusted networks
    trusted_networks 65.203.76.
    trusted_networks 10.10.5.1
    trusted_networks 10.10.5.10
    #dns server address
    dns_available yes
    # Mail using languages used in these country codes will not be marked
    # as being possibly spam in a foreign language.
    # - english
    ok_languages en es pt ja ko zh
    # Mail using locales used in these country codes will not be marked
    # as being possibly spam in a foreign language.
    ok_locales en
    score FORGED_MUA_OUTLOOK 1.5
I also have some whitelist stuff at the end that I didn't include. --Mike Carlson [EMAIL PROTECTED] http://www.uselessthoughts.com
Re: SA 3.01 scoring very low
At 11:14 AM 11/4/2004, Jim Maul wrote: While I agree that trusting no one doesn't really solve the problem, I don't believe it is just as bad as trusting everyone. Trusting everyone stops other rules from firing and adds at least -2.something to every message. This seems far worse than trusting no one and breaking whitelist_from_rcvd While I'll concede it may not be just as bad it's still much worse than you think. LOTS of rules in SA depend on trust. Not just whitelist_from_rcvd and ALL_TRUSTED. All of these rules are broken by a broken trust path, some in ways that cause FPs, others just missing out on score:
    HELO_DYNAMIC_*
    FAKE_HELO_MAIL_COM_DOM
    RCVD_IN_BSP_*
    MSGID_FROM_MTA_ID
    FORGED_RCVD_*
    AWL
trust plays into notfirsthop as well, so all these DNSBLs get broken:
    RCVD_IN_NJABL_DUL
    RCVD_IN_SORBS_DUL
    RCVD_IN_XBL
    RCVD_IN_DSBL
    RCVD_IN_MAPS_DUL
Re: Errors reading local.cf
At 11:28 AM 11/4/2004, Mike Carlson wrote:
> Since I was in trying to figure out if URIDNSRBL was working I noticed a few more errors that were coming up:
>
> debug: config: SpamAssassin failed to parse line, skipping: rewrite_subject 1
> debug: config: SpamAssassin failed to parse line, skipping: subject_tag (SPAM) _HITS_
> debug: config: SpamAssassin failed to parse line, skipping: use_terse_report 0
> debug: config: SpamAssassin failed to parse line, skipping: auto_learn 0

Those config options are obsolete and no longer supported in SA 3.0. auto_learn never existed, it's always been bayes_auto_learn.

Please read the UPGRADE file for more details on the subject line stuff
http://spamassassin.apache.org/full/3.0.x/dist/UPGRADE

- The rewrite_subject and subject_tag configuration options were deprecated and are now removed. Instead, using rewrite_header Subject [your desired setting]. e.g.

    rewrite_subject 1
    subject_tag SPAM(_SCORE_)

  becomes

    rewrite_header Subject SPAM(_SCORE_)
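[Added example, not part of the original thread and not SpamAssassin's own code] The migration described in the reply above, as a small Python checker that rewrites a 2.x local.cf into lines SA 3.0 will parse. The rewrite_subject/subject_tag mapping follows the quoted UPGRADE text and auto_learn to bayes_auto_learn follows the reply; commenting out use_terse_report with no replacement, the function names and the sample input are assumptions of this sketch.

```python
"""Rewrite the SpamAssassin 2.x options that 3.0 reports as unparsable."""

# Constructed sample: the relevant part of the local.cf posted in this thread.
SAMPLE_LOCAL_CF = """\
# How many hits before a message is considered spam.
required_hits 5.5
# Whether to change the subject of suspected spam
rewrite_subject 1
# Text to prepend to subject if rewrite_subject is used
subject_tag (SPAM) _HITS_
report_safe 1
use_terse_report 0
use_bayes 1
auto_learn 0
"""

# Built-in 2.x subject_tag, used when rewrite_subject was on but no tag was set.
DEFAULT_SUBJECT_TAG = "*****SPAM*****"
RENAMED = {"auto_learn": "bayes_auto_learn"}   # per the reply above
DROPPED = {"use_terse_report"}                 # assumption: nothing is emitted in its place
SUBJECT_KEYS = ("rewrite_subject", "subject_tag")


def _split(line):
    """Return (option, value) for a directive, or (None, None) for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None, None
    parts = stripped.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def migrate_local_cf(text):
    """Return (new_text, notes); notes is a list of (line_number, message)."""
    lines = text.splitlines()

    # Pass 1: the two subject options form one 3.0 directive, so collect both
    # first. As with other SpamAssassin options, a later line overrides an earlier one.
    enabled, tag, first_idx = False, None, None
    for idx, line in enumerate(lines):
        key, value = _split(line)
        if key in SUBJECT_KEYS:
            if first_idx is None:
                first_idx = idx
            if key == "rewrite_subject":
                enabled = value == "1"
            else:
                tag = value

    # Pass 2: emit the rewritten file, leaving every other line untouched.
    out, notes = [], []
    for idx, line in enumerate(lines):
        key, value = _split(line)
        if key in SUBJECT_KEYS:
            if idx == first_idx:
                if enabled:
                    # The tag text is copied verbatim; template tags inside it
                    # are not renamed by this sketch.
                    out.append("rewrite_header Subject " + (tag or DEFAULT_SUBJECT_TAG))
                    notes.append((idx + 1, "rewrite_subject/subject_tag -> rewrite_header Subject"))
                else:
                    notes.append((idx + 1, "subject rewriting was off; obsolete lines removed"))
            continue
        if key in RENAMED:
            out.append((RENAMED[key] + " " + value).rstrip())
            notes.append((idx + 1, key + " -> " + RENAMED[key]))
            continue
        if key in DROPPED:
            out.append("# obsolete in SA 3.0, disabled: " + line.strip())
            notes.append((idx + 1, key + " commented out"))
            continue
        out.append(line)
    return "\n".join(out) + "\n", notes


if __name__ == "__main__":
    new_text, notes = migrate_local_cf(SAMPLE_LOCAL_CF)
    for lineno, message in notes:
        print("line %d: %s" % (lineno, message))
    print(new_text, end="")
```

Running spamassassin --lint against the rewritten file afterwards confirms that no "failed to parse line" messages remain.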
SPAMASSASSIN ON RELAY HOST ???
If I want to install spamassassin on a SENDMAIL relay host that relays to an internal machine, how do I do ?. /hitete
RE: Errors reading local.cf
So I can remove those lines and change auto_learn to bayes_auto_learn?

Speaking of bayes, I also noticed this error:

debug: bayes: no dbs present, cannot tie DB R/O: /tmp/spamd-648-init/.spamassassin/bayes_toks

I read a thread somewhere that said I really didn't have to worry about that line. Should I be worried?

Thanks,
--Mike Carlson [EMAIL PROTECTED] http://www.uselessthoughts.com

From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thu 11/4/2004 10:32 AM
To: Mike Carlson; users@spamassassin.apache.org
Subject: Re: Errors reading local.cf

At 11:28 AM 11/4/2004, Mike Carlson wrote:
> Since I was in trying to figure out if URIDNSRBL was working I noticed a few more errors that were coming up:
>
> debug: config: SpamAssassin failed to parse line, skipping: rewrite_subject 1
> debug: config: SpamAssassin failed to parse line, skipping: subject_tag (SPAM) _HITS_
> debug: config: SpamAssassin failed to parse line, skipping: use_terse_report 0
> debug: config: SpamAssassin failed to parse line, skipping: auto_learn 0

Those config options are obsolete and no longer supported in SA 3.0. auto_learn never existed, it's always been bayes_auto_learn.

Please read the UPGRADE file for more details on the subject line stuff
http://spamassassin.apache.org/full/3.0.x/dist/UPGRADE

- The rewrite_subject and subject_tag configuration options were deprecated and are now removed. Instead, using rewrite_header Subject [your desired setting]. e.g.

    rewrite_subject 1
    subject_tag SPAM(_SCORE_)

  becomes

    rewrite_header Subject SPAM(_SCORE_)
Re: SPAMASSASSIN ON RELAY HOST ???
[EMAIL PROTECTED] wrote:
> If I want to install spamassassin on a SENDMAIL relay host that relays to an internal machine, how do I do ?.

You can use one of a few available milters. It will allow your sendmail to reject messages classified as spam in SMTP session. Rejecting in response to the final dot will save your sendmail from sending bounce messages.

I personally suggest using MIMEDefang milter: http://www.mimedefang.org
It also allows you to integrate anti virus software (e.g. clamav).

--
Andrzej [en:Andrew] Adam Filip [EMAIL PROTECTED] [EMAIL PROTECTED] Home Page http://anfi.homeunix.net/ [ PageRank 6 ]
Re: URIDNSBL
- Original Message -
From: Mike Carlson [EMAIL PROTECTED]

> I have attached a snippet of the output of spamd -D that talks about URIDNSBL
>
> debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694)
> debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
> debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c35840)
> debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
> debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8c36ef0)
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) implements 'parse_config'
> debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8c35840) implements 'parse_config'
> debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c75694) inhibited further callbacks
>
> Does that look correct? I don't notice any errors, but I wasn't sure about inhibited further callbacks.

These can be ignored, and it looks like this output will be suppressed in the next SA release, see: http://bugzilla.spamassassin.org/show_bug.cgi?id=3931.

If you are impatient, you can comment out one line in your PluginHandler.pm file and these informational messages will no longer display in your debug output (see above reference bugzilla).

Bill
Re: SPAMASSASSIN ON RELAY HOST ???
[EMAIL PROTECTED] wrote on 11/04/2004 10:40:19 AM: If I want to install spamassassin on a SENDMAIL relay host that relays to an internal machine, how do I do ?. /hitete Fairly easy to do. Quite a few people on the list are doing this. Personally, I use milter-spamc available at http://www.milter.infon Works quite well, I automatically reject high scoring spam, and tag/forward all other spam. Andy
Re: spamd still burning CPU in 3.0.1
We have a nice e-mail setup with 5 inbound mx boxes (Qmail + QmailScanner + ClamD), 4 spamd boxes, 2 outbound smtp, 1 imap/pop server, and a pq (problem queue) box that mx can re-route mail to if there is a customer issue. Every box is a Dual CPU: Intel(R) Xeon(TM) CPU 2.40GHz (2399.33-MHz 686-class CPU) w/ 2-4 gigs of ram. Running FreeBSD 5.2.1 Our spamd boxes are running SA 2.63. We created a spamd-beta box running 3.0 for a few e-mail boxes and LOVE the upgrades. Spamd1 - 4 handle an average of 1.5 million messages per day, 810 per minute. Each box is configured to a max child of 128, and usually hover around 70% cpu idle, and 500 megs of ram free. However when we tested 3.0 on one of the live spamd boxes, even after throttling the max-child down to say 64, the cpu's are pegged, and around 500 megs into swap. Another interesting thing I noticed, when SA 2.63 is set to 128 children it only spawns them as needed. SA 3.0 likes to spawn the full number of children no matter what! Do I stay with 2.63 (which is behind the times these days and misses too much spam) Do I add more machines? Do I wait for some memory/cpu improvements in some future version of SA. Ryan Pavely Director Research And Development Net Access Corporation Jeff Koch wrote: We have two production mailservers running SA spamd. The first handles about 5,000 incoming emails per hour, does spam filtering with SA and virus filtering with qmailscanner and forwards the filtered mail to a server handling the pop accounts. We're using SA 2.64 with Bayes, AWL, Razor and about half of the RBL's. The machine is a 2.8Ghz P4 with 1.0GB RAM and SCSI hard drive. CPU usuage runs between 25-40% and system load runs 1.50 to 2.20 with isolated spikes to 7.0. The second machine is a 2Ghz Athlon with 1.0GB RAM and an IDE drive. It does spam and virus filtering with SA 2.64 and qmailscanner and also handles POP3 sessions with vpopmail. We use Bayes, AWL, Razor and the same RBL's. 
It handles approx 2,500 emails per hour (with peaks of 5K emails/hour) and approx 2,000 pop3 sessions per hour (peaks of 5K pops/hour). CPU usage runs about 20% with peaks to 50% and system load averages 0.80 with peaks of 16.0. We are pretty satisfied with the above setup. We tried moving one of the servers to SA 3.0 in order to use the new MySQL Bayes features but got absolutely killed on CPU usage and system load - that lasted about a day and we reverted to 2.64. We figure that we'd have to reduce the email load on each server by 50% in order to use SA 3.0 and thereby need twice as many servers. However, we're going to wait until the SA developers take the memory and load issues seriously and fix the problem. Maybe if enough users complain they'll do some high volume production test comparisons of 3.0 with previous versions and sort out the problem. At 09:33 PM 10/27/2004, email builder wrote: email builder wrote: email builder wrote: How much email are you processing ? Well, just the other day we had an average of 48 msgs/min (max 255/min) get run through SA. Can't say today yet because can't run our stats tools until the busy hours are over cuz SA is hogging the CPU. ;) Hi, Your CPU is over loaded. At 48 a minute it should run just ok on a 2.8 Ghz machine, much over that it's going to start having problems. On our 2.4 Ghz (not HT) processor if I process over 35 a minute I start having problems with load. I have two reactions to this: 1) I like the glimmer of hope and the idea that throwing hardware at the problem can solve it 2) Throwing hardware at problems is usually avoiding fixing the *real* problem. According to other posters on this list, my load is not excessive for a modern-day 2.xGHz machine. I will have to re-read some messages, but I believe responders to my posts on the [OT] Email Servers thread quoted similar machine specs and higher load than me and said they did not have load problems. 
I'd love to hear that I am mistaken and that it's just a matter of too little hardware, but I am skeptical... I'd recommend upgrading to a dual server or perhaps putting in a second server with round robin DNS (or if you can do it, a load balancer). We've been thinking about a multiple-machine email solution and have been wondering about architecture. Since SA seems to be the *only* email server module that causes us grief (even amavisd-new/clamav is nicer to our machine!!), and although it seems strange not to go with a separate file server or database server machine (or to otherwise split up SMTP and IMAP, etc), I am starting to think (as you suggest) that just adding a separate SA server is going to get us the biggest performance increase. What are people's opinions and experience setting up separate/multiple SA servers? Are there any good links for reading about such setups on the wiki or anywhere else? SA is that CPU intensive, it really is. Maybe try adding RBL's in
Re: SA 3.01 scoring very low
Sean Doherty writes: On Thu, 2004-11-04 at 15:04, Dave Goodrich wrote: Check out trusted_network section of Mail::SpamAssassin::Conf i.e no RBL tests on trusted networks. If you're running with DNS checks enabled, SpamAssassin includes code to infer your trusted networks on the fly, so this may not be necessary. (Thanks to Scott Banister and Andrew Flury for the inspiration for this algorithm.) This inference works as follows: This seems backwards to me. If a user does nothing, then his network will be considered trusted by default? We are an ISP, and SA is running on our toasters. I don't want any machine trusted as that leaves a door open for my smtp relay users (viruses, trojans, just bad folks) to spam local users. JMHO, but shouldn't all networks be considered untrusted unless a user specifies otherwise? I got to agree with you there - especially given that the inference algorithm doesn't work in every environment. the idea is that an ISP *will* take the time to set that setting. ;) --j.
RBLs and Spamassassin for Webmin
Hi all, I've installed NET:DNS, but do I need to put an option in local.cf in order for SA to query RBLs ?. I've got many domains in my local.cf file... === I've got a webmin interface which is correctly configured. If I manage the SA level via webmin, it doesn't make the changes in the procmailrc file. Where does the webmin module make the changes then ?. /Hitete
ulimiting spamd?
I want to limit resource usage of spamd with ulimit, but I'm unsure about what the ulimit options mean and how they translate to the spamd situation. I think mostly of the memory limit options.

F.i. with a spamd process of about 95 MB (size 96540 RSS 94M Share 2308) using these memory limits doesn't kill spamd:

max locked memory (kbytes, -l) 51200
max memory size (kbytes, -m) 51200
stack size (kbytes, -s) 51200
virtual memory (kbytes, -v) unlimited

If I limit virtual memory as well it gets killed, although no swap space is used, so virtual memory obviously doesn't mean the swap space but the maximum address space or so?

So, what do these settings mean and how do they translate to the size/RSS/share shown in top? And what happens when more than one spamd process is running? Does each of them use 95 MB of RAM (= 190 MB used), so that a limit of 100 MB for virtual memory would prevent it from spawning a second process? (Our mail servers are usually not so heavily loaded that I see more than one spamd process.)

Obviously, the useful limits are different for each system and load situation, but I would be grateful if someone with insight in this area would discuss some points and advise about some reasonable limits. Most of our machines are stacked with 512 MB of RAM (not big, but good enough) and my objective is not to troubleshoot any memory issues (we don't have any) but the very rare but nevertheless sometimes happening occurrence of spamd racing away and grabbing and grabbing memory until it kills the system.

Setting other limits doesn't seem to be useful?

cpu time (seconds, -t) unlimited - I guess limiting this for a daemon is a bad idea?
open files (-n) 1024 - doesn't seem to be much of an issue?
max user processes (-u) 1000 - this can be controlled with -m, anyway.

Thanks for any advice.

Kai
Re: SPAMASSASSIN ON RELAY HOST ???
At 11:40 AM 11/4/2004, [EMAIL PROTECTED] wrote:
> If I want to install spamassassin on a SENDMAIL relay host that relays to an internal machine, how do I do ?.

Generally you need a MTA layer integration like mimedefang, MailScanner, etc. Check the wiki.
spamd and spamd child
I just installed 3.0.1 to replace 2.63 and have noticed a tremendous improvement in speed. I am using a RH 8.0 system with spamc being executed by /etc/procmailrc. I have limited the child processes to 3, and noticed that the child processes do not appear to die although their time and dates do appear to change.

root 19782 1 0 Nov02 ? 00:00:21 /usr/bin/spamd -d -c -m 3
root 6162 19782 2 Nov03 ? 00:29:07 spamd child
root 15840 19782 2 09:11 ? 00:04:08 spamd child
root 16425 19782 2 09:51 ? 00:03:41 spamd child

Is this a normal function of 3.0.1 or do I need to be concerned?

Thanks,
Greg Ennis
Re: RBLs and Spamassassin for Webmin
At 12:30 PM 11/4/2004, [EMAIL PROTECTED] wrote:
> I've installed NET:DNS, but do I need to put an option in local.cf in order for SA to query RBLs ?.

No. By default, SA will use RBLS provided that Net::DNS is installed and appears to be working (it tests with a quick DNS lookup of a major domain).

You only need to add an option if you want SA to skip RBL checks, or if you want to force SA to use RBLs without performing a trial lookup first.
Re: SPAMASSASSIN ON RELAY HOST ???
[EMAIL PROTECTED] writes: If I want to install spamassassin on a SENDMAIL relay host that relays to an internal machine, how do I do ?. As others have said, easy enough. I'd suggest you start without SA -- simply ensure that the relay host can deliver to your internal host(s). We maintain a copy of aliases on the relay host. Other choices are available. You can for instance find examples using LDAP. You need to figure out how you're going to keep address resolution on the relay host in sync with your internal system(s). After you've got delivery stable (and I don't want to seem like it's a big deal -- it's not that tough) *then* introduce SA. I'll second the suggestion of calling SA through MimeDefang. (Of course lots of other approaches will work)
Re: PRocmail recipe problem and spamassassin not filtering correctly
On Thu, 2004-11-04 at 09:53, [EMAIL PROTECTED] wrote:
> Hi all,
>
> I use spamassassin 2.63 on fedora core 2. I have two problems :
>
> 1. Spamassassin does not flag all spam, although my level is at 3. Sometimes he doesn't even have ONE hit on a spam message !!!.
>
> 2. I want to move the spam messages to a specific folder, how to do that ?.
>
> My procmail.log says :
> ==
> From [EMAIL PROTECTED] Thu Nov 4 09:57:10 2004
> Subject: A SPECIFIC SUBJECT
> Folder: /var/spool/mail/THE USER'S LOGIN
> procmail: Incomplete recipe
> ==
>
> My local.cf in spamassassin folder is like this :
> ==
> rewrite_subject 1
> subject_tag [*ATTENTION SPAM*]
> report_safe 0
> use_bayes 1
> auto_learn 1
> # Spam domains
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> ==
>
> Here is my procmailrc file :
> ==
> LOGFILE=/var/log/procmail.log
>
> :0 fw
> * < 256000
> | /usr/bin/spamc -f
>
> :0:
> * ^X-Spam-Level: \*\*\*
> ==
>
> Can someone help me out ?.
>
> /hitete

I have been doing this and it works like a charm even with 2.63. I would advise you to use 3.0.1 it is much much faster. Some things you need to consider are the following:

1. When you set up your local.cf file you must rewrite the Subject line to identify the message as spam. In the SA 3.0.1 local.cf file located in /etc/mail/spamassassin/ I use the following two lines (check the syntax in 2.63 because it is a little different)

required_hits 5
rewrite_header Subject [SPAM]

In the /etc/procmailrc file I use the following entries:

MAILDIRLOG=/smile$HOME/Mail
DROPPRIVS=YES

:0fw
* < 256000
| spamc

# This routine will dump your spam
:0 H
* ^Subject:.*\[SPAM\]
$MAILDIRLOG/spam.log

Please note that the directory you want to save the spam in must have proper user protections and you must drop to user privileges within procmail before you activate spamc. spamc of course requires the use of the spamd daemon.

These suggestions are basic things for most on this list, but if you are new to using these tools it will save you some look up and experimenting time.

Good Luck!!!

Greg
PROCMAILRC problem
Here is my procmailrc :
==
LOGFILE=/var/log/procmail.log
DROPPRIVS=yes

:0fw:
* < 256000
| /usr/bin/spamc -f

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
HERE I'D LIKE TO DELETE THE MESSAGE THAT HAVE THAT MUCH TAGS HOW IS IT POSSIBLE ?

:0:
* ^X-Spam-Status: Yes
$HOME/SPAM
==

So what I wanna do is if the mail has 10 hits it gets deleted, or else if it is spam it goes to the SPAM folder.

My procmailrc isn't correct since I have these errors in logs :

procmail: Couldn't determine implicit lockfile from /usr/bin/spamc
procmail: Incomplete recipe

What am I doing wrong ?.

/Hitete
Re: Memory issues have forced me back to 2.64
>> Ok, this seems to be a *lot* more stable from a memory standpoint:
>>
>> spamd -m 3 --max-conn-per-child=3
>>
>> But now I'm seeing this in my mail logs every few seconds:
>>
>> Nov 3 15:46:58 mail spamd[18881]: server hit by SIGCHLD
>> Nov 3 15:46:58 mail spamd[18881]: handled cleanup of child pid 21042
>> Nov 3 15:46:58 mail spamd[18881]: server successfully spawned child process, pid 21219
>>
>> Should I worry about it? Or is this good?
>
> It's fine but I'd try increasing your --max-conn-per-child, I found, after much experimentation, that 20 was optimal for me.
>
> Regards,
> Rick

I've now gone over 24 hours without a lock up and am thinking that I've got the correct servers and --max-conn-per-child configured. However, I am seeing a lot of these entries in the error logs (about 1 every 30 seconds)...

Nov 4 11:26:31 mail spamd[14372]: server hit by SIGCHLD
Nov 4 11:26:31 mail spamd[14372]: handled cleanup of child pid 26135
Nov 4 11:26:31 mail spamd[14372]: server successfully spawned child process, pid 26615

I know Rick said not to worry about it, and I'm trying not to, but I'm wondering if anyone could explain what is happening when the SIGCHLD hits? Is it an error? Or a normal exit? Or what?
Re: PROCMAILRC problem
- Original Message -
From: [EMAIL PROTECTED]

> :0:
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
> HERE I'D LIKE TO DELETE THE MESSAGE THAT HAVE THAT MUCH TAGS HOW IS IT POSSIBLE

You could send it to /dev/null using something like:

{
:0
/dev/null
}

Pete
webuserprefs-0.5.x
Can anyone point me to a site where I can download webuserprefs-0.5? I've tried the author's site for a couple of weeks now but I can't get a response and it is not available on freshmeat.net now. Thanks, Roger -- Roger Wolvington Hydrosphere Resource Consultants, Inc. 1002 Walnut Street, Suite 200 Boulder, CO 80302 [EMAIL PROTECTED] http://www.hydrosphere.com -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Re: Memory issues have forced me back to 2.64
Oban Lambie wrote:
> I've now gone over 24 hours without a lock up and am thinking that I've got the correct servers and --max-conn-per-child configured. However, I am seeing a lot of these entries in the error logs (about 1 every 30 seconds)...
>
> Nov 4 11:26:31 mail spamd[14372]: server hit by SIGCHLD
> Nov 4 11:26:31 mail spamd[14372]: handled cleanup of child pid 26135
> Nov 4 11:26:31 mail spamd[14372]: server successfully spawned child process, pid 26615
>
> I know Rick said not to worry about it, and I'm trying not to, but I'm wondering if anyone could explain what is happening when the SIGCHLD hits? Is it an error? Or a normal exit? Or what?

Hi,

That is the child hitting the max connections and exiting, then a new child starting.

Regards,
Rick
Re: Memory issues have forced me back to 2.64
Oban, the log entry you see does not appear to be an error, but confirmation of what you set. Child processes are killed off after processing 3 messages. Then a new one is started. That's what you're seeing.

jay

Oban Lambie wrote:
>>> Ok, this seems to be a *lot* more stable from a memory standpoint:
>>>
>>> spamd -m 3 --max-conn-per-child=3
>>>
>>> But now I'm seeing this in my mail logs every few seconds:
>>>
>>> Nov 3 15:46:58 mail spamd[18881]: server hit by SIGCHLD
>>> Nov 3 15:46:58 mail spamd[18881]: handled cleanup of child pid 21042
>>> Nov 3 15:46:58 mail spamd[18881]: server successfully spawned child process, pid 21219
>>>
>>> Should I worry about it? Or is this good?
>>
>> It's fine but I'd try increasing your --max-conn-per-child, I found, after much experimentation, that 20 was optimal for me.
>>
>> Regards,
>> Rick
>
> I've now gone over 24 hours without a lock up and am thinking that I've got the correct servers and --max-conn-per-child configured. However, I am seeing a lot of these entries in the error logs (about 1 every 30 seconds)...
>
> Nov 4 11:26:31 mail spamd[14372]: server hit by SIGCHLD
> Nov 4 11:26:31 mail spamd[14372]: handled cleanup of child pid 26135
> Nov 4 11:26:31 mail spamd[14372]: server successfully spawned child process, pid 26615
>
> I know Rick said not to worry about it, and I'm trying not to, but I'm wondering if anyone could explain what is happening when the SIGCHLD hits? Is it an error? Or a normal exit? Or what?
Re: Frustration...
On Thu, 2004-11-04 at 13:15, Lisa Casey wrote: Hi Folks, . . There has to be a easy way to learn to use this and get it to do what I want but I can't really figure it out. Surely there are some other ISP's on these lists who might be willing to tell me how they use it. Thanks, Lisa Casey Lisa, I have been using procmail along with spamassassin and clamav to do exactly what you want. It might be a little less elegant than using a milter but it is working perfectly so I am reluctant to change. I dump the viruses, and save all of the spam to a user file and give the user a daily report of the Subject lines and From Lines. If the user wants the spam all he has to do is send an e-mail to a designated address on our system and I have a script that digs up the spam and sends it to him. I rotate the spam files daily, and keep them for 8 days which gives the user a week or so to request the spam. There are false positives, and if you dump the spam you will dump wanted mail for sure. I would also suggest that you not bounce the spam because much of it has faulty addresses. If you want to go the procmail route let me know and I will give you the particulars that I use. You are close to a solution :) Greg
Re: [OT] Frustration...
Rick Macdougall wrote: How ever, a quick look at the mimedefang page tells me you want to do something like if($hits 15) return action_discard(); or something similar after calling the spamassassin check routine. Yes, that's the way to do it. Alternatively you can use action_bounce(), which despite its name will issue an SMTP reject. Even better would be to call action_quarantine_entire_message first, so that you still have a record in the event of a false positive. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Frustration...
Hi,

As a fellow newbie, I have struggled to get everything working for the past two weeks as well, and I can see you are having some of the same problem I had (still having), so here's my $0.02, hope it helps, and for the experts out there, please correct me if I'm wrong with any of my assumptions!

I'm using SpamAssassin, MIMEDefang, and MailScanner with ClamAV.

As for writing custom SpamAssassin rules, it's basically perl RegEx. and if you are too lazy to do it yourself, look here http://wiki.apache.org/spamassassin/WritingRules and here: http://wiki.apache.org/spamassassin/CustomRulesets

I find the custom rulesets are quite useful, such as bigevil and anti-drug, they have the rules for what you have mentioned. Download them and drop in /etc/mail/spamassassin, that's all you need to do.

IMHO, MimeDefang is useful in a much different way, such as the filter_sender and filter_recipient functions enables you to do a lot of different checks before any messages are even accepted.

As for MailScanner, I like its ability to convert dangerous HTML and Javascript codes and strip them, I think MIMEDefang does this as well, but I haven't looked into it yet, if that's the case, I need to find a reason to run MailScanner if at all.

Yang
Re: Frustration...
Lisa wrote: Also, I'm not sure how I'm supposed to feed it spam. I have Sendmail/Qpopper and most of my users pick up their mail using Outlook Express. I understand I can't just forward spam to a spam mailbox and run sa-learn on that as the forwarding will not get the original headers. We've found that the simplest solution is to set up a site-wide Bayes database and rely on Spamassassin's auto-learning feature to feed it ham and spam. Understand that this will not give you the best Bayes performance possible, but it's been working pretty well for us. When you first start using Spamassassin it will take a little while before Bayes has auto-learned the 200 hams and 200 spams it needs to get going, so you won't see any hits on Bayes until this has happened. On our system it takes about an hour for this many messages to be auto-learned. Good luck! Sandy
Re: Frustration...
Hi Lisa:

Spamassassin basically just tags emails as spam. You need other programs like procmail to actually dispose of it. We run email for about 5000 domains and around 20,000 users. We use qmail with qmail-scanner for virus scanning and then vpopmail with qmailadmin, maildrop and spamassassin for pop3 and user mail management.

Qmailscanner automatically dumps emails with viruses into a holding directory. Qmailadmin allows you to pass all mail through 'maildrop' before putting it into the user's mailbox. Maildrop is a scripting program similar to procmail. We use a maildrop script to run spamassassin against the email - if the spam flag is triggered maildrop directs the mail to a Spam account (or spam folder if we're running IMAP). Otherwise the mail goes into the user's regular pop3 box. A cron job automatically deletes virus and spam emails older than ten days.

It sounds more complicated than it is but it works really well and allows us to have user configurable spam preferences and domain level bayes databases. I'm sure there are similar ways of handling things in the sendmail world. However, we switched from Sendmail to Qmail about a year ago because it just seemed easier to accomplish what we wanted with Qmail.

At 02:15 PM 11/4/2004, you wrote:

Hi Folks,

I've spent most of this week on this and am just getting frustrated. I'm Sysadmin for an ISP. I installed MIMEDefang, Spamassassin and filter::scan on my Red Hat Sendmail server as a way of dealing with my customers spam/virus (mostly the spam, it's a REAL problem). As far as I can tell, MIMEDefang/Spamassassin are working OK. I tested Spamassassin when I installed it with the sample-nonspam.txt and sample-spam.txt included. MIMEDefang adds this header to e-mail: X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1 and Spamassassin adds a SpamAssassinReport.txt as an attachment to each spam mail. But I've been reading websites for two days now and can't figure out how to do anything else with this.
Basically I don't want spam coming into my users mailboxes, they don't want it. I understand there will be some amount of false positives, but I just want to drop (or bounce or whatever) the spam before it reaches the mailboxes. I'ld also like to drop, bounce, whatever mail that has certain words in the subject, such as rolex, penis, viagra, etc. I know I can do the above with MIMEDefang/Spamassassin, but I'll be darned if I can figure out how. And the more I try to figure it out, it seems, the more confused I am getting. Also, I'm not sure how I'm supposed to feed it spam. I have Sendmail/Qpopper and most of my users pick up their mail using Outlook Express. I understand I can't just forward spam to a spam mailbox and run sa-learn on that as the forwarding will not get the original headers. There has to be a easy way to learn to use this and get it to do what I want but I can't really figure it out. Surely there are some other ISP's on these lists who might be willing to tell me how they use it. Thanks, Lisa Casey Best Regards, Jeff Koch, Intersessions
Re: spamd still burning CPU in 3.0.1
> Spamd1 - 4 handle an average of 1.5 million messages per day, 810 per minute. Each box is configured to a max child of 128, and usually hover around 70% cpu idle, and 500 megs of ram free.

Very impressive. I have a single spamd box, running 3.0.1, with four 3gHz Xeons and 4-gigs of memory. It's handling about 150,000 messages a day with peaks in the 350/minute range. I also have around 70% cpu idle and 500 megs of memory free most of the time. I've never used any swap.

> However when we tested 3.0 on one of the live spamd boxes, even after throttling the max-child down to say 64, the cpu's are pegged, and around 500 megs into swap. Another interesting thing I noticed, when SA 2.63 is set to 128 children it only spawns them as needed. SA 3.0 likes to spawn the full number of children no matter what!

How many spamd processes are alive (on average) on your 2.63 box? That's the number that I would choose to startup under 3.0. It's a different philosophy: 2.6 starts up children as needed, up to the max. So as mail comes in there is a performance hit to start these processes. 3.0 starts up however many you ask for at the beginning so that they're already running and ready to go. Since my spamd box is dedicated, I prefer the new prefork model.

FWIW, I start up 40 children. Each one claims a memory size of about 43 meg. I'm running the standard rules plus 16 of the SARE rule sets.

--
___ Rick Beebe(203) 785-6416 Manager, Systems Network Engineering FAX: (203) 785-3481 ITS-Med Production Systems[EMAIL PROTECTED] Yale University School of Medicine Suite 124, 100 Church Street South http://its.med.yale.edu New Haven, CT 06519 ___
Directory Confusion
I'm a little confused between the difference between the contents of the /usr/share/spamassassin folder and /etc/mail/spamassassin folder. It is my understanding that /usr/share/spamassassin should only contain the default filters that come with SA and /etc/mail/spamassassin should only contain custom filters. Based on that, there should be no need to have the same filter in each directory, correct? If you have a filter in each directory, you are performing those tests twice, which inflates your score and increases your scan time.

The reason I ask this is because I can not get razor to work unless 20_body_tests.cf is located in /etc/mail/spamassassin. Perhaps I got a config file pointing to a wrong directory or I have my filters confused. Another possibility is my SA installation is not reading the filters in /usr/share/spamassass. If that is the case, how do I tell SA to include filters in that directory?

The server having this issue is a mail proxy running postfix and spamc/spamd with no user accounts on it. Any help clarifying this would be greatly appreciated.

Tom
Re: Frustration...
Kris Deugau wrote:
>> I'd also like to drop, bounce, whatever mail that has certain words in the subject, such as rolex, penis, viagra, etc.
>
> *VERY*, **VERY** dangerous in an ISP environment!! I would STRONGLY recommend AGAINST this. It has far too much potential to backfire on you.

We use action_bounce to stop mail from coming in for 5,000+ accounts and all of our customers love it. You will always have 1 person who doesn't want their mail scanned no matter what. It is doable in an ISP environment but it takes some effort to get things working smoothly.

Be familiar with creating nice rules, set your blocking threshold high like 6.5+ and keep a close eye on things, but it's nice when you sort all the issues out! If you have customers overseas be sure to watch out for RTBL's, we've been bit by those in the past.

We've been using MIMEDefang with SA and ClamD for over a year and I would never recommend anything else. Might I also say MIMEDefang is not for the weak hearted, it can scare you if you are not prepared ;)
RE: Memory issues have forced me back to 2.64
On Thu, 4 Nov 2004, Kang, Joseph S. wrote:

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 04, 2004 1:10 PM
> To: Oban Lambie
> Cc: users@spamassassin.apache.org
> Subject: Re: Memory issues have forced me back to 2.64
>
>> BTW could you open a bug on the SpamAssassin bugzilla about that? I think we should silence those messages, as yours is about the 50th question about those ;)
>
> Actually, could you make that a configurable silence? Not sure how you were planning on approaching this so I'm just guessing. It might be nice to see on request. But, yes, silencing them would be nice for normal operations.
>
> -Joe K.

It should be easy to simply syslog those kinds of messages at the LOG_DEBUG level. Then people can configure their system to either log DEBUG messages or ignore them (log INFO level messages).

I have our system set up to log facility MAIL to two files, one at level INFO for long-term transaction recording and one at DEBUG that goes into a short-term rolling log so to be able to easily monitor day-to-day operations without chewing up massive amounts of disk space. ;)

--
Dave Funk
University of Iowa, College of Engineering
dbfunk (at) engineering.uiowa.edu
319/335-5751 FAX: 319/384-0549
1256 Seamans Center
Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
RE: PROCMAILRC problem
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
|Sent: 04 November 2004 18:31
|To: users@spamassassin.apache.org
|Subject: PROCMAILRC problem
|
|Here is my procmailrc :
|
|===
|===
|LOGFILE=/var/log/procmail.log
|DROPPRIVS=yes
|
|:0fw:
|* < 256000
|| /usr/bin/spamc -f

Might be worth changing this to:-

:0fw: spamc.lock
* < 256000
| /usr/bin/spamc

Not sure what the -f suffix is for, I see no such suffix in the man pages

Martin
Re: PROCMAILRC problem
On Thu, Nov 04, 2004 at 09:53:03PM -, marti wrote:
> > || /usr/bin/spamc -f
>
> Not sure what the -f suffix is for, I see no such suffix in the man pages

It's a deprecated option. It's accepted but doesn't do anything these days. fyi.

--
Randomly Generated Tagline:
I find this a nice feature but it is not according to the documentation. Or is it a BUG? Let's call it an accidental feature. :-)
-- Larry Wall in [EMAIL PROTECTED]
Re: Frustration...
Please, don't CC me. I subscribe to the list.

Fred wrote:
> We use action_bounce to stop mail from coming in for 5,000+ accounts and all of our customers love it. You will always have 1 person who doesn't want their mail scanned no matter what. It is doable in an ISP environment but it takes some effort to get things working smoothly.

Being able to configure just about everything on a per-user basis helps. On the system I have MD calling SA, that's not a practical option due to general system load (oldish hardware hosting ~25 domains- web/ftp/mail/etc). On another system, SA is called at delivery, and that system is about three layers deep in our mail system anyway. :/

The only thing I'm comfortable deleting outright are virus mail and spam that can be identified based solely on the sender's email address- not very many of those any more!

> Be familiar with creating nice rules, set your blocking threshold high like 6.5+

6.5 on systems here would result in ~20% more FNs, and no appreciable reduction in FPs (I haven't heard of one in several months). It took a bit of tweaking at first, but except for a few specific customers, I haven't changed from the default threshold at 5.

I've also been fairly aggressive about telling customers to report messages that were handled incorrectly; feedback from the people getting the mail (or not, as the case may be) is the best way to find out what's working.

I've *also* had a couple of cases where a filter customer called to complain about the increase in spam to a few a week. So I check on how many messages are getting tagged on their account... 50-100/day. That made them think a bit. <g>

-kgd
--
Get your mouse off of there! You don't know where that email has been!
RE: PROCMAILRC problem
> -Original Message-
> From: marti [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 04, 2004 3:53 PM
> To: [EMAIL PROTECTED]; Spamassassin
> Subject: RE: PROCMAILRC problem
>
> |-Original Message-
> |From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> |Sent: 04 November 2004 18:31
> |To: users@spamassassin.apache.org
> |Subject: PROCMAILRC problem
> |
> |Here is my procmailrc :
> |
> |===
> |===
> |LOGFILE=/var/log/procmail.log
> |DROPPRIVS=yes
> |
> |:0fw:
> |* < 256000
> || /usr/bin/spamc -f
>
> Might be worth changing this to:-
>
> :0fw: spamc.lock
> * < 256000
> | /usr/bin/spamc

I thought I read somewhere recently that lock files are superfluous for spamc/spamd configs. I wish I could remember where I'd read it, now!

-Joe K.
Ah, the irony. [Fwd: ScanMail Message: To Sender, sensitive content found and action taken.]
System Attendant wrote:
> Trend SMEX Content Filter has detected sensitive content.
>
> Place = ; mimedefang@lists.roaringpenguin.com; users@spamassassin.apache.org; ; mimedefang@lists.roaringpenguin.com
> Sender = Kris Deugau
> Subject = [Mimedefang] Re: Frustration...
> Delivery Time = November 04, 2004 (Thursday) 16:33:14
> Policy = LetterP June 26th 2003\LetterV June 26th 2003
> Action on this mail = Quarantine message
>
> Warning message from administrator:
> Content filter has detected a sensitive e-mail.

This is why you don't blindly filter for spam based on single, simple criteria... (Or filter a subscribers-only mailing list.)

(No doubt caused by my reply to Lisa Casey, in which I quoted certain words she was considering using to reject mail.)

-kgd
--
Get your mouse off of there! You don't know where that email has been!
Re: Directory Confusion
J Thomas Hancock wrote on Thu, 4 Nov 2004 15:21:15 -0600:

> It is my understanding that /usr/share/spamassassin should only contain the default filters that come with SA and /etc/mail/spamassassin should only contain custom filters.

correct. They are not really filters, though, but rules.

> Based on that, there should be no need to have the same filter in each directory, correct? If you have a filter in each directory, you are performing those tests twice, which inflates your score and increases your scan time.

/usr/share/spamassassin contains the built-in set, don't touch it. You *add* custom rules in /etc/mail/spamassassin and you configure SA with local.cf in that dir. You can also override scores of the default rules with scores in /etc/mail/spamassassin. So, don't view them as exclusive, they complement and override each other.

> The reason I ask this is because I can not get razor to work unless 20_body_tests.cf is located in /etc/mail/spamassassin.

I can't say anything about Razor, we don't use it. But this file doesn't belong there.

> Perhaps I got a config file pointing to a wrong directory or I have my filters confused.

You can use spamassassin -D to check which files and paths are getting used.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de http://msie.winware.org
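An added example, not part of the thread or of SpamAssassin: a small audit that compares the stock rule directory with the site directory and reports stray copies of stock files, rules defined in both places, and score overrides. The rule names, file contents and temporary directories in `demo()` are constructed; against a real install you would pass /usr/share/spamassassin and /etc/mail/spamassassin to `audit()`.

```python
import re
import tempfile
from pathlib import Path

# Rule-defining keywords plus "score"; other directives are ignored here.
LINE = re.compile(r"^\s*(body|rawbody|full|header|uri|meta|score)\s+(\w+)\s+(\S.*)$")

def parse_dir(path):
    """Return ({rule: defining file}, {rule: score}) for the *.cf files in path."""
    defs, scores = {}, {}
    for cf in sorted(Path(path).glob("*.cf")):
        for line in cf.read_text(errors="replace").splitlines():
            m = LINE.match(line)
            if not m:
                continue  # comments, describe lines, blanks
            kind, name, rest = m.groups()
            if kind == "score":
                scores[name] = rest.split()[0]
            else:
                defs[name] = cf.name
    return defs, scores

def audit(default_dir, site_dir):
    """Compare the stock rule directory with the site directory."""
    d_defs, d_scores = parse_dir(default_dir)
    s_defs, s_scores = parse_dir(site_dir)
    return {
        "same_named_files": sorted(set(d_defs.values()) & set(s_defs.values())),
        "redefined": sorted(set(d_defs) & set(s_defs)),
        "score_overrides": {n: (d_scores.get(n), s) for n, s in s_scores.items()
                            if n in d_defs},
        "site_only": sorted(set(s_defs) - set(d_defs)),
    }

def demo():
    """Run the audit on two constructed directories (not real SA rule files)."""
    with tempfile.TemporaryDirectory() as tmp:
        stock, site = Path(tmp, "share"), Path(tmp, "etc")
        stock.mkdir()
        site.mkdir()
        body = "body DEMO_PILLS /cheap pills/i\ndescribe DEMO_PILLS constructed\n"
        (stock / "20_body_tests.cf").write_text(body)
        (stock / "50_scores.cf").write_text("score DEMO_PILLS 1.5\n")
        (site / "20_body_tests.cf").write_text(body)  # stray copy of a stock file
        (site / "local.cf").write_text(
            "# site config\nscore DEMO_PILLS 3.0\n"
            "rawbody LOCAL_DEMO_RULE /width=1 height=1/i\n")
        return audit(stock, site)

if __name__ == "__main__":
    print(demo())
```
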
Re: Frustration...
Kai Schaetzl wrote:
> Lisa Casey wrote on Thu, 4 Nov 2004 14:15:20 -0500:
>
>> I'd also like to drop, bounce, whatever mail that has certain words in the subject, such as rolex, penis, viagra, etc.
>
> Please, do NOT bounce. You just bounce to other spam victims.

If you don't bounce, what do you do? /dev/nulling the message is not a real option since mail should never just vanish, and in the case of false positives, the sender would never get the rejection message.

Regards,
Rick
RE: Frustration...
Kai Schaetzl wrote:
> Lisa Casey wrote on Thu, 4 Nov 2004 14:15:20 -0500:
>
>> I'd also like to drop, bounce, whatever mail that has certain words in the subject, such as rolex, penis, viagra, etc.
>
> Please, do NOT bounce. You just bounce to other spam victims.

Depends how you do it. If you reject during the SMTP conversation from the sending MTA, then you spare spam victims. If the mail is legit, the sending MTA will generate a non-delivery-report to the sender.

On the other hand... Once you've accepted responsibility for the mail (DATA ... OK) then your options are limited. As you say, if you bounce spam after accepting it, you're annoying innocent third parties.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
Re: Frustration...
- Original Message Follows -
To: users@spamassassin.apache.org
Subject: Re: Frustration...
Date: Thu, 04 Nov 2004 17:39:43 -0500

>>> I'd also like to drop, bounce, whatever mail that has certain words in the subject, such as rolex, penis, viagra, etc.
>>
>> Please, do NOT bounce. You just bounce to other spam victims.
>
> If you don't bounce, what do you do? /dev/nulling the message is not a real option since mail should never just vanish, and in the case of false positives, the sender would never get the rejection message.

There is an excellent write up on bounce vs discarding. For those of you wanting to read it, it's here: http://www.t29.dk/header_check_notes.php

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 561-5848 local 448
--
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
--
Re: Frustration...
On Thu, 04 Nov 2004 17:39:43 -0500, Rick Macdougall [EMAIL PROTECTED] said:

> If you don't bounce, what do you do? /dev/nulling the message is not a real option since mail should never just vanish, and in the case of false positives, the sender would never get the rejection message.

Some definitions relating to MTA behavior:

Bounce: Your MTA accepts the message, then generates a Delivery Status Notification message (aka DSN, aka bounce message) explaining why the message was not delivered, and sends it to the sender address of the undelivered message, which in the case of spam is almost certainly not the real sender in any case.

Reject: Your MTA does not accept the message, sending a 5XX to the sending MTA, and generates no DSN.

--
snowjack(a)fastmail.fm
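An added example, not code from any poster in this thread: a small model of the three dispositions discussed above (reject in-session, accept then bounce, accept then discard), showing who ends up receiving a failure notice in each case. The addresses, scores, reply texts and the `via_real_mta` flag are constructed assumptions; the model only encodes the behaviour described in the Bounce and Reject definitions and in the reply about rejecting during the SMTP conversation.

```python
from dataclasses import dataclass

THRESHOLD = 5.0  # assumed spam threshold for this model

@dataclass
class Msg:
    envelope_from: str   # MAIL FROM value; spam usually forges this
    true_sender: str     # who really sent it (constructed ground truth)
    via_real_mta: bool   # False for a spam bot that ignores 5xx replies
    score: float         # SpamAssassin-style score

def handle(msg, policy):
    """Return (reply after DATA, addresses that receive a failure notice)."""
    if msg.score < THRESHOLD:
        return "250 2.0.0 queued", []
    if policy == "reject":
        # Refused in-session: we generate no DSN. A real sending MTA turns
        # the 5xx into a non-delivery report for its own user.
        notified = [msg.true_sender] if msg.via_real_mta else []
        return "554 5.7.1 rejected by content filter", notified
    if policy == "bounce":
        # Accepted first, so our MTA mails a DSN to the envelope sender.
        return "250 2.0.0 queued", [msg.envelope_from]
    if policy == "discard":
        return "250 2.0.0 queued", []
    raise ValueError(f"unknown policy: {policy}")

def backscatter(msgs, policy):
    """Failure notices that land on someone who did not send the message."""
    hits = []
    for m in msgs:
        hits += [a for a in handle(m, policy)[1] if a != m.true_sender]
    return hits

def silent_losses(msgs, policy):
    """Real senders whose over-threshold mail vanished without any notice."""
    return [m.true_sender for m in msgs
            if m.score >= THRESHOLD and m.via_real_mta
            and m.true_sender not in handle(m, policy)[1]]

# Constructed sample traffic (not from the thread).
SAMPLE = [
    Msg("victim@example.net", "bot@spam.invalid", False, 18.2),  # forged spam
    Msg("alice@example.org", "alice@example.org", True, 6.1),    # false positive
    Msg("bob@example.com", "bob@example.com", True, 0.4),        # clean mail
]

if __name__ == "__main__":
    for p in ("reject", "bounce", "discard"):
        print(p, backscatter(SAMPLE, p), silent_losses(SAMPLE, p))
```
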
Re: Frustration...
Kevin W. Gagel wrote:
> - Original Message Follows -
> To: users@spamassassin.apache.org
> Subject: Re: Frustration...
> Date: Thu, 04 Nov 2004 17:39:43 -0500
>
>>>> I'd also like to drop, bounce, whatever mail that has certain words in the subject, such as rolex, penis, viagra, etc.
>>>
>>> Please, do NOT bounce. You just bounce to other spam victims.
>>
>> If you don't bounce, what do you do? /dev/nulling the message is not a real option since mail should never just vanish, and in the case of false positives, the sender would never get the rejection message.
>
> There is an excellent write up on bounce vs discarding. For those of you wanting to read it, it's here: http://www.t29.dk/header_check_notes.php

Ahh, I meant bounce at the smtp level, ie a Reject 553, not a bounce after acceptance.

Regards,
Rick