Re: help lowering score on a specific email list situation
On 03/28/2009 04:32 PM, RobertH wrote:
> hello
>
> i have problems with the cabletv.org email list.
>
> it is hosted on a charter static and has weird reverse dns etc etc blah.
>
> so, almost always scores as spam
>
> here is what it is tripping on...
>
>      0.7 FH_HOST_EQ_D_D_D_D   Host starts with d-d-d-d
>      1.2 HOST_EQ_STATIC       HOST_EQ_STATIC
>      0.7 FH_HOST_EQ_D_D_D_DB  Host is d-d-d-d
>      1.3 HOST_EQ_CHARTER      HOST_EQ_CHARTER
>      1.9 TVD_RCVD_IP          TVD_RCVD_IP
>      0.5 FROM_NOT_REPLYTO     From: does not match Reply-To:
>     -2.6 BAYES_00             BODY: Bayesian spam probability is 0 to 1%
>                               [score: 0.]
>      1.5 SAGREY               Adds 1.0 to spam from first-time senders
>
> pastebin said the headers tripped the spam filter so i have to post this way...
>
> here are some headers.
>
> http://www.abbacomm.net/temp/salisthdr1.txt
>
> can someone help me formulate a good rule to reduce scoring.
>
> i tried this, yet it is obviously not working because of my faulty logic i presume.
>
>     header SPEC_DOMAIN_CABLE From =~ /\...@cabletv\.org/
>     describe SPEC_DOMAIN_CABLE Reduce score for domain cabletv.org
>     score SPEC_DOMAIN_CABLE -5.0
>
> i am looking for something reliable to key on and i am certainly not a rule creation expert yet...
>
> ..and i need help from you much more expert people please? :-)
>
> thanks in advance...
>
> - rh

How about

    whitelist_from_spf @cabletv.org

(if it passes SPF tests) or

    whitelist_from @cabletv.org

--
Steve
unable to find user?
We're running SpamAssassin on three machines, two Fedora 8 and one the latest CENTOS. We're trying to move all of the SA installations to CENTOS. These are MX servers that front an Exchange server.

The systems are all set up using the same .cf and init.d files, but we're seeing a difference. We run a single user system -- all mail should be processed by one set of rules and bayes is handled as the user 'root' through MySQL.

On CENTOS, we see this in maillog:

    spamd: handle_user unable to find user 'abc'

for each incoming message. We do not see that message under Fedora. Aside from just ignoring it, what should we be looking at?

    #ps -ef |grep spam
    sa-milt 8512 1 0 12:14 ? 00:00:02 /usr/sbin/spamass-milter -p /var/run/spamass-milter/spamass.sock -f -u sa-milt -i 127.0.0.1,10.0.0.0/8 -r 10 -- -d localhost -p 783
    root 11501 1 0 13:28 ? 00:00:03 /usr/bin/spamd -d -u spamass --max-children=20 --min-children=6 --max-spare=8 -r /var/run/spamassassin/spamd.pid
Re: sa-learn from internal mail server ?
On 11/26/2008 04:14 PM, Sam Ami wrote:
> hi all
>
> our current setup.
>
> primary mx for all our email domains
> installation: qmail, spamassassin, clamav
>
> all email is inline scanned and then relayed to the internal server for delivery to users mailbox
>
> question.
>
> is it possible to use sa-learn in this situation? we still get a lot of spam and i'd like to teach SA if possible by using sa-learn.
>
> any suggestions?

Here's how we handle it with Exchange

http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/

--
Steve
Re: sa-learn with IMAP
On 09/01/2008 01:29 PM, Raymond Jette wrote:
> Good afternoon,
>
> I am trying to use sa-learn with a Microsoft Exchange server. The users move spam / ham messages from their Inbox to a Public folder. The public folder is accessible via IMAP. How can I get the message from Exchange for sa-learn to work using IMAP?
>
> Thanks for any help you may provide.

http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/

--
Steve
What is current version of Botnet plugin?
I've found Botnet 0.6 and references to Botnet 0.8(ebuild). What's the preferred version for this plugin?
Re: MySQL Unreliable
Marc Perkel wrote:
> Need a little help for MySQL users. I'm running several servers that are using a common MySQL server for bayes for all the SA servers. What I'm seeing is that MySQL is just plain unreliable. The database is often corrupted and it does so in a manner that basically causes SA to hang until it times out.
>
> I'm not sure what I'm doing wrong or if there's some my.cnf settings I'm missing. I could use some tips from those of you who are hitting MySQL hard or might suggest something other than MySQL that I should use for bayes.
>
> Thanks in advance.

We use innodb for all the sa_bayes tables. Here's some tuning settings we use in my.cnf for the server:

    query_cache_limit = 1M
    query_cache_size = 12M
    query_cache_type = 1
    innodb_additional_mem_pool_size=12M
    innodb_buffer_pool_size=70M
    innodb_log_file_size=10M
Re: Integrating Spam assasin with exchange server.
On 05/15/2008 07:33 AM, ejml wrote:
> Hello Steven,
>
> I'm very interested in how I can forward the message with the header rewritten to the final user, because I get only a warning spam arrival message. Are there some parameters that I'm forgetting?
>
> Thanks.
>
> Steven Stern wrote:
>> Crespillo, Matias wrote:
>>> I apologize in advance for making a lazy question, but is there a quick guide somewhere as to how to integrate Spam Assassin with an exchange server? Or maybe some way to set it in a way it will get the mails before, filter and then forward them to exchange unchanged?
>>>
>>> Thanks a lot in advance.
>>
>> We have spamassassin sitting in front of the exchange server.
>>
>> Basically, the MX record for our domains point to Linux boxes. On each of those boxes, we're running SpamAssassin and ClamAV. SpamAssassin uses a site wide, SQL based Bayes database local to each box, with a few tricks to help synchronize mail reclassified by Exchange users as ham or spam.
>>
>> Only after passing through the MX servers does mail arrive at Exchange. (The firewall permits SMTP connections from the MX servers only.) On Exchange, we're using Symantec AV to provide another layer of virus protection.
>>
>> We don't forward the mail unchanged. If mail is spam, the headers are re-written to put *SPAM?* at the front of the subject line and to make the original message an attachment. Of course, if the mail isn't marked as spam, it's transparent to the users.

In /etc/mail/spamassassin/local.cf:

    # Whether to change the subject of suspected spam
    rewrite_header subject *SPAM _SCORE_*

    # Encapsulate spam in an attachment
    report_safe 1

--
Steve
Re: AWL Database Cleanup
On 04/25/2008 06:32 PM, listmail wrote:
> I noticed that the AWL database was getting rather large, so I used the check_whitelist script to remove the stale entries. While this seems to have removed a lot of entries from the database, it did not reduce the database size.
>
> Does anyone know what kind of a database this is, and in particular, how to do a cleanup that will remove unused records? The database is currently located on a RAM drive, so space is important due to scarcity as well as the potential speed issues from letting it grow too large.

I use MySQL for the AWL database and added a timestamp, lastupdate column to the table. I then have a script that runs every night:

    DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 2 MONTH);
    DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 15 DAY);

--
Steve
Re: AWL Database Cleanup
On 04/25/2008 06:57 PM, listmail wrote:
> This looks like a good way of dealing with the AWL database, but I don't see anything in the documentation - did you hack in the MySQL support yourself, or is there an option that I missed?
>
> For the moment, I'm trying to find a simple solution, such as locating a tool that is capable of managing whatever database SA uses by default for the AWL. From looking at the scripts, it appears to be something built in to Perl.
>
> On Fri, 25 Apr 2008 18:49:01 -0500, Steven Stern wrote
>> On 04/25/2008 06:32 PM, listmail wrote:
>>> I noticed that the AWL database was getting rather large, so I used the check_whitelist script to remove the stale entries. While this seems to have removed a lot of entries from the database, it did not reduce the database size.
>>>
>>> Does anyone know what kind of a database this is, and in particular, how to do a cleanup that will remove unused records? The database is currently located on a RAM drive, so space is important due to scarcity as well as the potential speed issues from letting it grow too large.
>>
>> I use MySQL for the AWL database and added a timestamp, lastupdate column to the table. I then have a script that runs every night:
>>
>>     DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 2 MONTH);
>>     DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 15 DAY);

http://search.cpan.org/src/FELICITY/Mail-SpamAssassin-3.0.2/sql/README.bayes

then just add a timestamp column lastupdate to AWL.

--
Steve
Perl problem (Scalar::Util)
I'm getting the following error from various perl programs:

    $sa-update
    Use of uninitialized value in concatenation (.) or string at /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/Scalar/Util.pm line 30.

OK... maybe we need an update:

    [EMAIL PROTECTED] ~]# perl -MCPAN -e shell
    cpan install Scalar::Util
    CPAN: Storable loaded ok
    Going to read /root/.cpan/Metadata
    Database was generated on Fri, 29 Feb 2008 15:31:08 GMT
    Scalar::Util is up to date.

Anyone have a solution?
Re: Perl problem (Scalar::Util)
On 02/29/2008 03:57 PM, Bill Landry wrote:
> Steven Stern wrote:
>> I'm getting the following error from various perl programs:
>>
>>     $sa-update
>>     Use of uninitialized value in concatenation (.) or string at /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/Scalar/Util.pm line 30.
>>
>> OK... maybe we need an update:
>>
>>     [EMAIL PROTECTED] ~]# perl -MCPAN -e shell
>>     cpan install Scalar::Util
>>     CPAN: Storable loaded ok
>>     Going to read /root/.cpan/Metadata
>>     Database was generated on Fri, 29 Feb 2008 15:31:08 GMT
>>     Scalar::Util is up to date.
>>
>> Anyone have a solution?
>
> For some reason yum perl updates on Fedora 8 cause this to happen for me. Even though CPAN reports that you have the latest version of Scalar:Util, you will still need to download, compile, and install Scalar-List-Utils-1.19.tar.gz. This should resolve the issue for you, at least it has worked for me the last few perl updates.
>
> GL,
>
> Bill

I found out this also works:

    $cpan
    force install Scalar::Util

--
Steve
Re: -max-child setting not obeyed?
On 02/28/2008 05:16 PM, fchan wrote:
> Hi,
> I have set my --max-child to 30 but I look at my logs and it appears that this is not obeyed.
>
> Here is my spamd options:
> SPAMDOPTIONS=-d -m 30 -H
>
> Here is what I see in the logs:
> Feb 28 10:57:29 s1 spamd[15535]: prefork: child states: B
> Feb 28 10:57:29 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
> Feb 28 10:57:29 s1 spamd[15740]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45480
> Feb 28 10:57:29 s1 spamd[15740]: spamd: checking message [EMAIL PROTECTED] for qscand:510
> Feb 28 10:57:31 s1 spamd[15740]: spamd: identified spam (106.3/8.0) for qscand:510 in 2.8 seconds, 862 bytes.
> Feb 28 10:57:31 s1 spamd[15740]: spamd: result: Y 106 - BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DIGEST_MULTIPLE,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPEURIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=2.8,size=862,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45480,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=spam
>
> Feb 28 10:57:32 s1 spamd[15535]: prefork: child states: B
> Feb 28 10:57:32 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
> Feb 28 10:57:32 s1 spamd[15740]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45485
> Feb 28 10:57:32 s1 spamd[15740]: spamd: checking message [EMAIL PROTECTED] for qscand:510
> Feb 28 10:57:32 s1 spamd[15592]: spamd: identified spam (27.6/8.0) for qscand:510 in 8.3 seconds, 1725 bytes.
> Feb 28 10:57:32 s1 spamd[15592]: spamd: result: Y 27 - BAYES_99,BOTNET,DATE_IN_PAST_06_12,DNS_FROM_RFC_DSN,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL scantime=8.3,size=1725,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45475,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=spam
>
> Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
> Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
> Feb 28 10:57:33 s1 spamd[15592]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45491
> Feb 28 10:57:33 s1 spamd[15592]: spamd: checking message (unknown) for qscand:510
> Feb 28 10:57:33 s1 spamd[15742]: spamd: identified spam (34.2/8.0) for qscand:510 in 8.0 seconds, 2605 bytes.
> Feb 28 10:57:33 s1 spamd[15742]: spamd: result: Y 34 - AWL,BAYES_50,MANHOOD,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=8.0,size=2605,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45477,mid=(unknown),bayes=0.49,autolearn=spam
>
> Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
> Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
> Feb 28 10:57:33 s1 spamd[15742]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45492
> Feb 28 10:57:33 s1 spamd[15742]: spamd: checking message [EMAIL PROTECTED] for qscand:510
> Feb 28 10:57:34 s1 spamd[15739]: spamd: identified spam (26.1/8.0) for qscand:510 in 9.9 seconds, 1642 bytes.
> Feb 28 10:57:34 s1 spamd[15739]: spamd: result: Y 26 - BAYES_99,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL scantime=9.9,size=1642,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45476,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=spam
>
> Feb 28 10:57:35 s1 spamd[15535]: prefork: child states: B
> Feb 28 10:57:35 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
> Feb 28 10:57:35 s1 spamd[15739]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45493
> Feb 28 10:57:35 s1 spamd[15739]: spamd: checking message [EMAIL PROTECTED] for qscand:510
> Feb 28 10:57:35 s1 spamd[15591]: spamd: identified spam (102.3/8.0) for qscand:510 in 8.1 seconds, 784 bytes.
> Feb 28 10:57:35 s1 spamd[15591]: spamd: result: Y 102 - BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=8.1,size=784,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45479,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=unavailable
>
> It appears I hit 5 child processes as shown
Re: Expiry problem
Michael Parker wrote:
> On Jan 23, 2008, at 9:54 PM, Steven Stern wrote:
>> It's finally started to remove tokens, so I think I'm OK. We use SQL bayes, so it was an easy matter to use
>>
>>     delete from bayes_token where atime > UNIX_TIMESTAMP();
>>
>> to clean up the stuff from the future.
>
> But now your bayes_vars table is broken/off. You might want to update those counts as well.

I did that, too.
Expiry problem
We had a server go crazy last night and reset its date into August of 2277. In any case, we've resolved that, but now I can't get bayes to expire.

After the clock was correctly set, I deleted all tokens that had a lastupdate in the future, and also removed similar bayes_seen rows. I then reset the token count in bayes_vars to the correct value.

When I try to run sa-learn --force-expire, nothing gets expired and the token list keeps growing. Will this get better on its own or do I need to intervene?

    [14256] dbg: bayes: using username: root
    [14256] dbg: bayes: database connection established
    [14256] dbg: bayes: found bayes db version 3
    [14256] dbg: bayes: Using userid: 1
    [14256] dbg: config: score set 3 chosen.
    [14256] dbg: learn: initializing learner
    [14256] dbg: bayes: bayes journal sync starting
    [14256] dbg: bayes: bayes journal sync completed
    [14256] dbg: bayes: expiry starting
    [14256] dbg: bayes: expiry check keep size, 0.75 * max: 112500
    [14256] dbg: bayes: token count: 443162, final goal reduction size: 330662
    [14256] dbg: bayes: first pass? current: 1201117198, Last: 1201117194, atime: 43200, count: 1231, newdelta: 160, ratio: 268.612510154346, period: 43200
    [14256] dbg: bayes: can't use estimation method for expiry, unexpected result, calculating optimal atime delta (first pass)
    [14256] dbg: bayes: expiry max exponent: 9
    [14256] dbg: bayes: atime token reduction
    [14256] dbg: bayes: ===
    [14256] dbg: bayes: 43200 528
    [14256] dbg: bayes: 86400 0
    [14256] dbg: bayes: 172800 0
    [14256] dbg: bayes: 345600 0
    [14256] dbg: bayes: 691200 0
    [14256] dbg: bayes: 1382400 0
    [14256] dbg: bayes: 2764800 0
    [14256] dbg: bayes: 5529600 0
    [14256] dbg: bayes: 11059200 0
    [14256] dbg: bayes: 22118400 0
    [14256] dbg: bayes: couldn't find a good delta atime, need more token difference, skipping expire
    [14256] dbg: bayes: expiry completed
Re: Expiry problem
On 01/23/2008 07:35 PM, Matt Kettler wrote:
> Steven Stern wrote:
>> We had a server go crazy last night and reset its date into August of 2277. In any case, we've resolved that, but now I can't get bayes to expire.
>>
>> After the clock was correctly set, I deleted all tokens that had a lastupdate in the future, and also removed similar bayes_seen rows. I then reset the token count in bayes_vars to the correct value.
>>
>> When I try to run sa-learn --force-expire, nothing gets expired and the token list keeps growing. Will this get better on its own or do I need to intervene?
>
> You might need to ditch your bayes database.
>
> The database will, over time, partially fix itself, but right now any one off tokens learned while the date was off are stuck in your bayes DB until 2277. SA's expiry method is based on the age of a token, based on when it was last accessed. That method has absolutely no way to deal with atimes that are in the future, so it will never try to expire those tokens.
>
> It can partially fix itself, because every time a token gets accessed, its atime gets updated. So as the more common tokens get used, they'll start rotating out as they would normally. However, any unique tokens are stuck there.
>
> If you're *really* desperate to preserve the bayes DB, you could wait a couple days, do a sa-learn --backup, use grep to remove all the lines with absurd atimes, then use sa-learn --restore. That's a good bit of work to go through...
>
> If you decide to go this route: For reference, and assuming my scratchpad math is right, the atimes for 2277 should be around 9.6 billion, while the ones for 2008 should be around 1.2 billion. Of course, that's assuming the atimes are stored 64 bit and aren't wrapping as 32 bit numbers.. However, if that were the case, they'd be wrapping to 2004, and your expire numbers should show really high token eliminations, not really low..

It's finally started to remove tokens, so I think I'm OK. We use SQL bayes, so it was an easy matter to use

    delete from bayes_token where atime > UNIX_TIMESTAMP();

to clean up the stuff from the future.

--
Steve
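The backup, filter, restore route Matt Kettler describes in this thread, for installations that do not keep Bayes in SQL, sketched as an added example that is not part of the original messages. It assumes the tab-separated `sa-learn --backup` layout noted in the docstring; the function name, the one-day slack and the sample dump are constructed for illustration.

```python
#!/usr/bin/env python3
"""Drop Bayes tokens whose atime lies in the future from an
`sa-learn --backup` dump.

Assumed dump layout (tab-separated, one record per line):
    v <value> <name>                              database variables
    t <spam_count> <ham_count> <atime> <token>    one Bayes token
    s <s|h> <message-id>                          "seen" entries

Typical use (file names are placeholders):
    sa-learn --backup > bayes.dump
    python3 drop_future_atimes.py < bayes.dump > bayes.clean
    sa-learn --restore bayes.clean
"""
import sys
import time


def filter_future_tokens(lines, now=None, slack=86400):
    """Return (kept_lines, stats) with future-dated token lines removed.

    A token is dropped when its atime is later than now + slack seconds;
    the slack tolerates small clock differences between MX hosts.
    Non-token lines, and token lines whose atime cannot be parsed, are
    passed through unchanged so nothing is lost silently.
    """
    if now is None:
        now = int(time.time())
    cutoff = now + slack
    kept = []
    stats = {"kept": 0, "dropped": 0, "unparsed": 0, "newest_kept": 0}
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if fields[0] != "t":
            kept.append(line)          # v and s records are left alone
            continue
        try:
            atime = int(fields[3])
        except (IndexError, ValueError):
            stats["unparsed"] += 1     # report it, but do not discard it
            kept.append(line)
            continue
        if atime > cutoff:
            stats["dropped"] += 1      # learned while the clock was wrong
            continue
        stats["kept"] += 1
        stats["newest_kept"] = max(stats["newest_kept"], atime)
        kept.append(line)
    return kept, stats


# Constructed sample: atimes near 1.2 billion are 2008, the ones near
# 9.7 billion fall in 2277, and one token line has a damaged atime field.
SAMPLE_DUMP = [
    "v\t3\tdb_version # this must be the first line!!!\n",
    "v\t1200\tnum_spam\n",
    "v\t800\tnum_nonspam\n",
    "t\t4\t0\t1201117198\t6f8a1c2d3e\n",
    "t\t1\t0\t9700000000\t0a1b2c3d4e\n",
    "t\t0\t2\t1201030000\tffee112233\n",
    "t\t1\t0\t9700000123\t9988776655\n",
    "t\t1\t0\tnot-a-number\tdeadbeef00\n",
    "s\ts\tconstructed-msgid@sa_generated\n",
]


if __name__ == "__main__":
    kept_lines, report = filter_future_tokens(sys.stdin)
    sys.stdout.writelines(kept_lines)
    print(report, file=sys.stderr)
```

Restore only after checking the counts printed on stderr; a large "unparsed" figure means the dump does not match the assumed layout.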
Re: sa-learn error message
Theo Van Dinter wrote:
> On Thu, Jan 17, 2008 at 03:28:06PM -0600, Steven Stern wrote:
>> bayes db version 0 indicates your bayes file is corrupt. It should be version 3. Do you have a backup? SQL or .db?
>
> It doesn't necessarily mean there's corruption, in fact, since the learning continued and seemed to finish ok, it's unlikely to be corruption.
>
> See http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3563 for a possible libdb issue which causes it.

Thanks. I ran into this when I hosed the sa_bayes MySQL database as we were cloning one of our MX servers.
Re: Is it? Blocked by SpamAssassin
On 01/15/2008 07:24 AM, Umar Murtaza wrote:
> Who exactly is blocking this email?
> Can I have a setting to keep a copy/archive of this email, if it is blocked?
>
> Logs:
> Jan 15 18:18:43 mailserver sendmail[20774]: m0FDIbQ2020774: from=[EMAIL PROTECTED], size=772, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=20178105070.someotherdomaine.br [201.78.105.70] (may be forged)
> Jan 15 18:18:43 mailserver sendmail[20774]: m0FDIbQ2020774: Milter add: header: X-Virus-Status: Clean
> Jan 15 18:18:46 mailserver sendmail[20774]: m0FDIbQ2020774: Milter add: header: X-Spam-Flag: YES
> Jan 15 18:18:46 mailserver sendmail[20774]: m0FDIbQ2020774: Milter add: header: X-Spam-Status: Yes, score=19.3 required=5.0 tests=BAYES_50,DCC_CHECK,\n\tHTML_MESSAGE,HTML_TAG_BALANCE_BODY,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,\n\tRCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,\n\tURIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB,URIBL_SBL autolearn=spam\n\tversion=3.2.4
> Jan 15 18:18:46 mailserver sendmail[20774]: m0FDIbQ2020774: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
> Jan 15 18:18:46 mailserver sendmail[20774]: m0FDIbQ2020774: to=[EMAIL PROTECTED], delay=00:00:05, pri=30772, stat=Blocked by SpamAssassin

Your system is blocking the incoming message. What milter are you using? If you are using spamass-milter, then you cannot both reject a message and keep a copy.

--
Steve
Re: Get HAM's from Exchange / Outlook
Jason Bertoch wrote:
> On Thursday, December 20, 2007 5:49 PM Steven Stern wrote:
>> Jason Holbrook wrote:
>>> Hello all, anyone have an idea of how to get HAM's from an exchange / Outlook environment back to SA?
>>
>> I've posted a howto at http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/
>
> Steven,
>
> Would you mind elaborating on the spamiam.fetchmailrc script? What interpreter are you using and what packages are prerequisites?

All you need is fetchmail, and it's probably already installed in your distro. spamiam.fetchmailrc is read by fetchmail, giving it the necessary instructions to fetch mail from a public folder on the Exchange server.
Re: Get HAM's from Exchange / Outlook
Jason Holbrook wrote:
> Hello all, anyone have an idea of how to get HAM’s from an exchange / Outlook environment back to SA? My incoming is scanned by a SA gateway but outgoing goes straight from exchange to the cloud.
>
> Best Regards,
>
> Jason Holbrook
> Chief Technology Integrator / Partner
> Empower Information Systems
> [EMAIL PROTECTED]
> http://weblog.empoweris.com/
> http://www.empoweris.com
> Skype: holbrook.jason
> Gtalk: jaholbrook
> 757-320-2667 (Direct)
> 757-273-9399 (office)
> 757-715-1944 (cell)
> 866-477-1544 (toll free)

I've posted a howto at http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/
Re: Virus found in this message, probe?
Kenneth Porter wrote:
> Anyone seen these? text/plain and HTML parts, seem to have same content, saying there's a virus, please delete, and some gibberish. I'm guessing it's some kind of probe.

There was a web address hidden by a malformed CSS tag.
Re: spamd throughput issues
On 12/09/2007 03:27 PM, Mark Rigby-Jones wrote:
> On 9 Dec 2007, at 21:03, Paweł Sasin wrote:
>> are you using network tests? Try to evaluate spamd performance when run with the -L flag.
>
> We are running network tests. Disabling them helps somewhat, in that the emails which were already scanning relatively quickly do so even faster. However, once the number of child processes is increased, there are still a significant proportion which are taking several minutes to scan...

Have you tried running a local caching name server? That can cut down on times to do repetitive name lookups.

--
Steve
Re: Unique Blacklist Whitelist configuration or an allow only list
On 11/17/2007 09:35 AM, robgeo730 wrote:
> Hello I'm a new user, I have used the search function but wasn't able to find a situation like mine.
>
> I am fighting an uphill battle against a crappy hosting company that I can't change from. We have our mail filtered via a Barracuda device (which is working really well) that is on our MX, it then routes good email to the SMTP server. The problem is that the SMTP server needs to be accessible for our users to relay mail through it. Spammers are just doing port scans, finding our SMTP server and sending spam directly to it bypassing the Barracuda on the MX.
>
> The SMTP server has Spamassassin 2.63 on it (hosting company wants to charge $200 to put 3.x on it and we can't upgrade it ourselves)
>
> 1. Would any legitimate email be sent directly to our IP or is it just spammers who bypass the MX to send spam? I think it would just be spammers as bypassing the MX is probably a violation of the SMTP RFC.
>
> 2. Since Spamassassin is on our SMTP server can a rule be created to only allow email to be delivered to the users if it comes from the Barracuda MX? This is with the assumption that email bypassing the MX has to be spam. Keep in mind that I don't have full access to the server. I can put a rule in place and then I need to request the hosting company to restart the spamd.
>
> I appreciate any input
>
> Thanks,

Why not require SMTP authentication unless mail comes from your MX? You'd have to walk your users through enabling SMTP authentication, but that's just a one-time headache.

--
Steve
Robert Sexton filter
We get many, many emails from a Robert Sexton who claims he'll do wonders with search engine placement. As fast as I add an address to the blacklist, he comes in with another. For example, from the AWL tables on one of our MX servers:

+----------+-------------------+--------+-------+----------+---------------------+
| username | email             | ip     | count | totscore | lastupdate          |
+----------+-------------------+--------+-------+----------+---------------------+
| root     | [EMAIL PROTECTED] | 66.174 |    11 |   37.181 | 2007-08-18 13:24:14 |
| root     | [EMAIL PROTECTED] | 70.213 |     5 |   -7.428 | 2007-10-02 10:36:15 |
| root     | [EMAIL PROTECTED] | 72.130 |     5 |    2.525 | 2007-09-05 09:21:09 |
| root     | [EMAIL PROTECTED] | 75.215 |     2 |    2.186 | 2007-09-19 23:56:19 |
| root     | [EMAIL PROTECTED] | 66.174 |    13 |   35.819 | 2007-08-12 18:33:04 |
| root     | [EMAIL PROTECTED] | 75.213 |     3 |   17.766 | 2007-08-13 12:25:43 |
| root     | [EMAIL PROTECTED] | 66.174 |     2 |    5.389 | 2007-08-17 22:39:47 |
| root     | [EMAIL PROTECTED] | 70.213 |     5 |   29.189 | 2007-08-23 22:04:17 |
| root     | [EMAIL PROTECTED] | 75.213 |     2 |    3.428 | 2007-08-23 01:01:28 |
| root     | [EMAIL PROTECTED] | 75.214 |    11 |   11.003 | 2007-08-24 17:14:00 |
| root     | [EMAIL PROTECTED] | 75.215 |     9 |   79.981 | 2007-08-21 04:13:11 |
| root     | [EMAIL PROTECTED]

Does anyone have a rule handy that would replace my blacklist_from entries with something more versatile?
Re: Robert Sexton filter
On 10/02/2007 11:06 AM, Theo Van Dinter wrote:
> On Tue, Oct 02, 2007 at 10:58:26AM -0500, Steven Stern wrote:
>> We get many, many emails from a Robert Sexton who claims he'll do wonders with search engine placement. As fast as I add an address to the blacklist, he comes in with another. For example, from the AWL tables on one of our MX servers:
>
> Sounds like a good use of a MX block.
>
>> Does anyone have a rule handy that would replace my blacklist_from entries with something more versatile?
>
> Such as? You can match all of these with a single blacklist_from.

Theo: My regex experience is limited and often wrong. How would I best do that?

-- Steve
Re: bayes_seen = 256GB
mfahey wrote:
> SpamAssassin-3.2.0 Freebsd6.2
>
> The file bayes_seen has grown in size to 256GB! (274992939008)
>
> How do I cap the size limit of this file? I want to have it not grow larger than say 800mb at the most!
>
> Thanks.

You can 'rm' the file or use MySQL for your backend and write a maintenance query that deletes rows over 2 weeks old.
Re: Question - How many of you run ALL your email through SA?
Marc Perkel wrote:
> OK - it's interesting that of all of you who responded this is the only person who is doing it right. I have to say that I'm somewhat surprised that so few people are preprocessing their email to reduce the SA load. As we all know SA is very processor and memory expensive. Personally, I'm filtering 1600 domains and I route less than 1% of incoming email through SA. SA does do a good job on the remaining 1% that I can't figure out with blacklists and whitelists and Exim tricks, but if I ran everything through SA I'd have to have a rack of dedicated SA servers.
>
> [EMAIL PROTECTED] wrote:
>> On Thursday, 16 August 2007, Marc Perkel wrote:
>>> As opposed to preprocessing before using SA to reduce the load. (ie. using blacklist and whitelist before SA)
>>
>> I use:
>>
>> At rcpt time:
>> callout to recipient
>> zen.spamhaus.org - Catches 90%
>> bl.spamcop.net
>> list.dsbl.org
>> callout to sender
>>
>> At data time:
>> clamd (malware is rejected)
>> spamassassin (10 Rejected, 10 add headers)
>>
>> I think i will lower the spamassassin scores to 8 in the near future. At the moment less than 5% spam reaches spamassassin.

I had great results from grey-listing but my users didn't like having to wait 30-60-90 minutes for mail, and I understand that. When you're on the phone with someone and they say "Just sent it," they expect you to have it in a matter of seconds. As I'm often in that position, I had to support that view and remove the grey-list.

I've tried absolute RBL blocking, but I'm happier having RBL as a weighted factor counting for or against the spamminess of an email.

We only process about 5,000 non-spam messages per day (out of about 45,000/day total) and are doing OK on a couple of old dual-processor systems running it through clamd and spamd with sendmail.
Re: Mail server hosted by Comcast
On 08/16/2007 10:43 AM, Matt wrote:
>> I'm on Comcast and am having no problems. I set the smarthost for sendmail to smtp.comcast.net and, at least so far, have not triggered anything that would block incoming or outgoing mail. All mail from me goes through the official comcast mail server and does not appear to come from a dynamic address.
>
> If you use smtp.comcast.net as outgoing I doubt you even need reverse DNS on your IP. Just be sure you update your SPF record to include smtp.comcast.net or something. Everyone has an SPF record, right?
>
> Matt

As a matter of fact, I'm trying to figure out what my SPF record should be. It should be Comcast's, but they don't seem to have published one.

-- Steve
Re: Mail server hosted by Comcast
Igor Chudov wrote:
> I am considering a local deal related to hosting by Comcast cable (8mbps down, 1 mbps up).
>
> I am concerned, however, with me sending email and being on comcast IP range, due to bad rap that Comcast has due to spamming by Comcast hosted zombies.
>
> Do you think that my mailserver will have issues if I host it on comcast network?
>
> That would be a static IP and, hopefully, I can get comcast to reverse resolve it to a hostname on one of my domains.
>
> i

I'm on Comcast and am having no problems. I set the smarthost for sendmail to smtp.comcast.net and, at least so far, have not triggered anything that would block incoming or outgoing mail. All mail from me goes through the official comcast mail server and does not appear to come from a dynamic address.
Re: Sa-update question
Skip Brott wrote:
> Using the recommended actions from this list, I run this:
>
> sa-update --channelfile /etc/mail/spamassassin/saupdate/sare-sa-update-channels.txt -D
>
> I get this result from each channel:
>
> [29610] dbg: gpg: gpg: Signature made Mon 04 Jun 2007 08:14:08 PM CDT using DSA key ID 856AA88A
> [29610] dbg: gpg: [GNUPG:] SIG_ID vAQaZijSKL/MKS3+hHVCDl3GfgY 2007-06-05 1181006048
> [29610] dbg: gpg: [GNUPG:] GOODSIG 3C5C05EB856AA88A Daryl C. W. O'Shea [EMAIL PROTECTED]
> [29610] dbg: gpg: gpg: Good signature from Daryl C. W. O'Shea [EMAIL PROTECTED]
> [29610] dbg: gpg: [GNUPG:] VALIDSIG ABE0C8743B87262E5FB04F2B3C5C05EB856AA88A 2007-06-05 1181006048 0
> [29610] dbg: gpg: [GNUPG:] TRUST_UNDEFINED
> [29610] dbg: gpg: gpg: WARNING: This key is not certified with a trusted signature!
> [29610] dbg: gpg: gpg: There is no indication that the signature belongs to the owner.
> [29610] dbg: gpg: Primary key fingerprint: ABE0 C874 3B87 262E 5FB0 4F2B 3C5C 05EB 856A A88A
> [29610] dbg: gpg: found signature made by key ABE0C8743B87262E5FB04F2B3C5C05EB856AA88A
> [29610] dbg: gpg: key id 856AA88A is not release trusted
> error: GPG validation failed!
> The update downloaded successfully, but the GPG signature verification failed.
> channel: GPG validation failed, channel failed
>
> I assume I am not the only one who sees this error (or at least who has seen it). Has anyone successfully addressed this? Or do you simply use the --nogpg option when running it?
>
> - Skip

Did you import his key with

    sa-update --import his.key.file.here

-- Steve
Re: not everyone is happy with SA
John Rudd wrote:
> Further, I as the sender have no obligation to participate in your anti-spam mechanism. It's YOUR mechanism. You feed it, you configure it, your CPU cycles are spent on it. I have no obligation to participate in the program you use for deciding "is this spam or not". I have no obligation to devote my time and my CPU cycles to your anti-spam program. It's rather rude for you to assume otherwise.

My company's website has a "click here and we'll send you your password" (or something similar). You'd be amazed how many calls we get claiming it doesn't work. When I track through the logs, I find most come from people with CR systems. You can't use a CR when you're talking to a robot.

These things make me sooo mad.

-- Steve
Re: Spam PDF
Wael Shahin wrote:
> On Wed, 2007-06-27 at 09:18 +0200, Robert Schetterer wrote:
>> Stéphane LEPREVOST wrote:
>>> Hi,
>>> Got one yesterday too here. Seems to be a new way for spammers ...
>
> I have two servers one is running DCC and one is not, the one that is running DCC didn't pass the message or maybe I am mistaken but it didn't go through (Maybe didn't get there at all from the first place). On the other server that is not running DCC the email went through and it was an empty email body with a PDF attachment
>
>>> -Original Message-
>>> From: Raymond Myren [mailto:[EMAIL PROTECTED]
>>> Sent: Wednesday, 27 June 2007 08:09
>>> To: users@spamassassin.apache.org
>>> Subject: Spam PDF
>>>
>>> Hello,
>>> Just today I started receiving spam mails with attached .pdf files with a spam image. Any ideas how to stop this spam type?
>>> \raymond
>>
>> Hi Stephane, unless the mail isn't caught by other rules or bayes, i still don't know any way to mark this, so yesterday one got through at my server too. i've asked on the list what to do against it, but haven't got any useful answer. Perhaps it would be easier to use clamav to filter such mails out, i think i will ask there
>
> Wael

We just caught one:

Content analysis details: (5.0 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.4 BAYES_60               BODY: Bayesian spam probability is 60 to 80% [score: 0.7404]
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
 0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address [201.32.227.251 listed in dnsbl.sorbs.net]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL [201.32.227.251 listed in zen.spamhaus.org]

-- Steve
Re: mySQL bayes not working correctly
Gary V wrote:
>> I'm running amavisd-new with spamassassin and setup bayes and mysql earlier today. It seems to connect to the db fine with user vscan when running spamassassin -d. I ran sa-learn --spam/ham spam.txt (full email headers too) a few times and those are the only entries in the db, the ones that I added, all other email is untouched. What's the deal? Here is my local.cf file... awl seems to work fine, but it scores mail funky sometimes.
>>
>> # Enable the Bayes system
>> use_bayes 1
>> bayes_store_module Mail::SpamAssassin::BayesStore::SQL
>> bayes_sql_dsn DBI:mysql:bayes
>> bayes_sql_username vscan
>> bayes_sql_password vscan
>> bayes_sql_override_username vscan
>>
>> # Enable awl
>> auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
>> user_awl_dsn DBI:mysql:bayes
>> user_awl_sql_username vscan
>> user_awl_sql_password vscan
>
> You probably ran the commands as root, so you are only looking at root's data. Add this in local.cf:
>
> bayes_sql_override_username vscan
>
> That way everyone will see the same data (site wide configuration). You want to always run spamassassin and sa-learn commands as the vscan user but adding this setting means that even if you learn spam or ham as root, vscan's data will be updated.
>
> su vscan -c 'sa-learn --spam spam.txt'
>
> Gary V

As for the funky AWL values, you need to do some AWL expiry.

Add a field to the AWL table that shows the last time that address got hit:

    ALTER TABLE awl ADD lastupdate timestamp(14) NOT NULL;
    UPDATE awl SET lastupdate = NOW() WHERE lastupdate < 1;

Then set up a script to clean up awl entries:

    # command to schedule; feeds the SQL file below to mysql
    /usr/bin/mysql -usa_user -psa_user_psw < /usr/local/bin/trim-awl.sql

    -- /usr/local/bin/trim-awl.sql
    USE sa_bayes;
    -- drop any address not seen for two months
    DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 2 MONTH);
    -- drop addresses seen only once and not seen for 15 days
    DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 15 DAY);

(reference: http://www200.pair.com/mecham/spam/fc4-spamassassin-sql.html)

-- Steve
Re: sa-compile error
diptanjan wrote:
> Hi Friends,
>
> I am getting an error whenever I am using sa-compile. can you please checkout and tell me the reason behind it?
>
> # sa-compile
> [4846] info: generic: base extraction starting. this can take a while...
> [4846] info: generic: extracting from rules of type body_0
> 100% [===] 39.01 rules/sec 00m11s DONE
> 100% [===] 100.14 bases/sec 00m10s DONE
> [4846] info: body_0: 683 base strings extracted in 23 seconds
> [4846] info: rules: meta test HS_PHARMA_1 has dependency 'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
> cd /tmp/.spamassassin4846ilcSlDtmp
> cd Mail-SpamAssassin-CompiledRegexps-body_0
> re2c -i -b -o scanner1.c scanner1.re
> Can't exec re2c: No such file or directory at /usr/bin/sa-compile line 274, $fh line 985.
> command failed! at /usr/bin/sa-compile line 275, $fh line 985.

You need to install re2c

http://re2c.org/

-- Steve
Rulesemporium down?
My systems all were unable to connect for their daily RDJ update yesterday. I time out trying to reach http://rulesemporium.com. Does anyone know what's happening?

-- Steve
Re: spamassassin upgrade
night duke wrote:
> Currently i have this version of spamassassin
>
> SpamAssassin version 3.1.7-deb
>
> Can i update it to the last version? Apt-get or yum or howto?
>
> Thanks

I prefer to download the .tgz file from spamassassin.apache.org and create the rpm myself via

    rpmbuild -tb file-just-downloaded.tgz

I find the installable RPMs in /usr/src/redhat/RPMS/i386

On a debian system, they may wind up elsewhere, but you'll see the location roll by as the rpm file is being built.

-- Steve
Re: spamassassin upgrade
night duke wrote:
> I have debian...
>
> */Steven Stern [EMAIL PROTECTED]/* wrote:
>> night duke wrote:
>>> Currently i have this version of spamassassin
>>>
>>> SpamAssassin version 3.1.7-deb
>>>
>>> Can i update it to the last version? Apt-get or yum or howto?
>>>
>>> Thanks
>>
>> I prefer to download the .tgz file from spamassassin.apache.org and create the rpm myself via
>>
>> rpmbuild -tb file-just-downloaded.tgz
>>
>> I find the installable RPMs in /usr/src/redhat/RPMS/i386
>>
>> On a debian system, they may wind up elsewhere, but you'll see the location roll by as the rpm file is being built.
>>
>> -- Steve

See http://spamassassin.apache.org/downloads.cgi?update=200705021400 in the Debian Users section.

-- Steve
sa-compile error
I've set up sa-compile successfully on two of our three servers. The third gives this error: Insecure dependency in mkdir while running with -T switch at /usr/bin/sa-compile line 321, $fh line 1. Googling around, there are references to editing a perl .pm file, but this error points to the sa-compile source itself. How do I fix this?
Re: SA 3.2.0 install and/or upgrade
Abba Communications - www.abbacomm.net wrote:
> Greetings,
>
> We have looked over the 3.2.0 install and upgrade docs as best we can so far...
>
> Situation:
> running a Redhat 4.x or Centos 4.x server
> SA 3.1.8
> Everything is currently run site-wide and not user configurable
> No MySQL in use.
>
> Question(s)
> when installing 3.2.0 via RPM, should it be done as an rpm -Uvh upgrade or should 3.1.8 be removed and then 3.2.0 installed from scratch?
>
> Any gotcha's that others have experienced doing this?
>
> Has anyone installed SA 3.2.0 on Redhat or CentOS 5 without problems?
>
> Feedback please?

I've installed on RH EL3 and RH EL4, as well as FC5 and FC6 using -Uvh. Aside from having to upgrade a couple of perl modules (as noted by the rpm process), there were no problems.

-- Steve
Help with rule
I'm trying to flag a type of spam that seems to be slipping through with a very low score.

The common factor is that all of the messages have something like

Just type www [.] pillking [.] org

Just type FONT color=#ffwww/FONT [.] STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT color=#fforg/FONT/FONT

Just type www [dot] pilldoc [dot] org

I suspect a rule that looks for www*pill*org would work. How do I turn that into a regex?

-- Steve
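An added example, not part of the original post or of SpamAssassin itself: a Python sketch of the matching logic the question asks for, run over constructed samples modelled on the three lines quoted above. The HTML sample, the extra separator styles and the rule name in the comment are assumptions; the example generalizes the post's `[.]` and `[dot]` to other bracket pairs.

```python
import re

# A bracketed separator standing in for the dot: "[.]", "[dot]", "( . )", "{DOT}" ...
SEP = r"\s*[\[\(\{]\s*(?:\.|dot)\s*[\]\)\}]\s*"

# www <sep> <host label containing "pill"> <sep> org
OBFUSCATED_PILL_URL = re.compile(
    r"\bwww" + SEP + r"(?P<label>[a-z0-9-]*pill[a-z0-9-]*)" + SEP + r"(?P<tld>org)\b",
    re.IGNORECASE,
)

# Equivalent pattern written as a SpamAssassin body rule (rule name is hypothetical):
#   body LOCAL_OBFU_PILL_URL /\bwww\s*[\[({]\s*(?:\.|dot)\s*[\])}]\s*[a-z0-9-]*pill[a-z0-9-]*\s*[\[({]\s*(?:\.|dot)\s*[\])}]\s*org\b/i

TAG = re.compile(r"<[^>]*>")


def rendered_text(raw):
    """Approximate what the reader sees: drop HTML tags, collapse whitespace.

    Tags are removed without inserting a space so that a word split by
    empty markup ("pill<i></i>king") is rejoined before matching.
    """
    return re.sub(r"\s+", " ", TAG.sub("", raw)).strip()


def find_obfuscated_domain(raw):
    """Return the de-obfuscated host name, or None when nothing matches."""
    match = OBFUSCATED_PILL_URL.search(rendered_text(raw))
    if match is None:
        return None
    return "www.{}.{}".format(match.group("label").lower(), match.group("tld").lower())


def scan(samples):
    """Return (sample, domain-or-None) pairs for a list of message bodies."""
    return [(s, find_obfuscated_domain(s)) for s in samples]


# Constructed samples: the first and third are the plain-text lines from the
# post, the second is an HTML variant with made-up colour values.
SAMPLES = [
    "Just type www [.] pillking [.] org",
    '<FONT color="#ff0000">www</FONT> [.] <STRONG><FONT color="#ff0000">pillking'
    '</FONT></STRONG> [.] <FONT color="#ff0000">org</FONT>',
    "Just type www [dot] pilldoc [dot] org",
    "WWW ( DOT ) Pill-King { . } ORG",
    "w<b></b>ww [.] pill<i></i>king [.] org",
    # Should not match: a normal URL, a label without "pill", another TLD.
    "Order bedding at www.pillow.org today",
    "Just type www [.] example [.] org",
    "Just type www [dot] pilldoc [dot] com",
]

if __name__ == "__main__":
    for sample, domain in scan(SAMPLES):
        print("{!r:>12}  <-  {}".format(domain, sample[:60]))
```

The pattern requires the bracketed separator on both sides, so ordinary links such as www.pillow.org are left alone.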
Re: Bayes MySQL users
Marc Perkel wrote:
> Looking at the bayes_vars table and seeing 2 entries, spamd, and root. I'd like to get rid of any per user info so that all learning is common. Not sure why this is happening. What do I need to do to force everything to one user?
>
> Thanks in advance.

Add to local.cf:

    bayes_sql_override_username root

-- Steve
Re: Bayes training question
yossim wrote:
> Hi folks,
>
> How can I learn misidentified junk mail that is stored on Exchange or at the Outlook clients? Can I simply copy those mails to a folder on my Linux server and run sa-learn with the required parameters?
>
> Kindly regards,
> Yossi Mor

see http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/

-- Steve
Re: [2] Bayes training question
yossim wrote:
> Steve,
>
> I am not sure that I have understood the first script starting with get_ham_spam where you use fetchmail (where the data is kept?) and the last one get-ham-spam when you used wget command to get all the ham.spam emails.
>
> Kindly regards,
> Yossi

fetchmail is used to bring the mail from the Exchange server to the Linux server via IMAP. The wget commands are used to copy the resulting ham and spam files to our other MX servers so they all get the same feedback. If you have only one MX server, then that part isn't necessary.
How do I whitelist this?
I'm having problems whitelisting mail sent through web sites with a from address supplied by the user. Case in point, I send an article from huffingtonpost.com to myself. I used a whitelist from huffingtonpost.com, but that doesn't reduce the spam score. The headers are:

Return-Path: [EMAIL PROTECTED]
Received: from tipsy.huffingtonpost.com (tipsy.huffingtonpost.com [72.3.232.108])
    by mooch.sterndata.com (8.13.8/8.13.7) with ESMTP id l0V0iikW024618
    for [EMAIL PROTECTED]; Tue, 30 Jan 2007 18:44:44 -0600
Received: by tipsy.huffingtonpost.com (Postfix, from userid 48)
    id D26494A85A6; Tue, 30 Jan 2007 18:44:43 -0600 (CST)
Subject: [ HuffingtonPost.com ] Recommendation: Najaf Battle Not Sunni, Shia But Shia, Shia
Mime-Version: 1.0
Content-Type: text/html; charset=utf-8
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]

What should I use in local.cf to whitelist mail sent to my server by anyone through huffingtonpost.com (or for that matter, any website that has a send article feature)?

-- Steve
Re: Should I use greylisting
Matthew Bickerton wrote:
> Thanks, but does this mean I have to keep/maintain a list of all the mail farms. Keeping this list up to date sounds horrid/impossible.
>
> Matthew
>
> -Original Message-
> From: --[ UxBoD ]-- [mailto:[EMAIL PROTECTED]
> Sent: 25 January 2007 12:49
> To: users@spamassassin.apache.org
> Subject: Re: Should I use greylisting
>
> Check out http://policyd.sourceforge.net/ then as it allows you to specify Servers/IP that should not be greylisted. Works very well.
>
> On Thu, 25 Jan 2007 12:33:19 - Matthew Bickerton [EMAIL PROTECTED] wrote:
>> Hi,
>> I am setting up a new server, so have a chance to make big changes to my email server. I have been thinking about implementing Greylisting. However, I am worried about blocking/long delays with e-mails from mail farms (gmail, yahoo etc.)
>>
>> I would very much appreciate other people's recommendations on Greylisting or other approaches to reducing the load on my server by rejecting spam early.

I tried out greylisting for several months for a select group of users using greylist-milter. Their unanimous opinion was that they wanted to receive mail instantly. The 10 - 60 minute delay for first-time senders was unacceptable. The reduction in spam was not noticeable as we get great results using a combination of ClamAV and SpamAssassin with a global bayes filter and many RDJ rules.

-- Steve
sa-update errors with 3.1.7
From this morning's log from three of our MX servers running SA 3.1.7. Does the channel for 3.1.7 have the wrong rules?

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_advance_fee.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_body_tests.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_compensate.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_dnsbl_tests.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_drugs.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_fake_helo_tests.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_head_tests.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_html_tests.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_meta_tests.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_net_tests.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_phrases.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_porn.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/20_uri_tests.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/23_bayes.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: configuration file /tmp/.spamassassin8654JTlidztmp/72_active.cf requires version 3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: warning: score set for non-existent rule
Re: Google open relay?
laradji nacer wrote:
> Steven Stern wrote:
>> I've been getting lots of these get out of debt messages. It looks like the last stop before getting here is a gmail server. Could they have an open relay?
>
> No but gmail host personal domain not only @gmail.com.

Google Apps for Your Domain (GAYD) requires SMTP authentication over SSL on port 465 to pass mail from a sending system. That means that whatever's sending this mail is smart enough to handle the GAYD SMTP auth and SSL access.
Re: local.cf
Andrea Bencini wrote:
> I am looking for local.cf documentation to understand which are the variables to set in this file. Can you help me?
>
> Thank
> Andrea

    man Mail::SpamAssassin::Conf
Google open relay?
I've been getting lots of these get out of debt messages. It looks like the last stop before getting here is a gmail server. Could they have an open relay?

Received: from ccim-mx2.cciminstitute.com ([10.0.2.10]) by ccim-exchange.cciminstitute.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 7 Dec 2006 16:17:53 -0600
Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.183]) by ccim-mx2.cciminstitute.com (8.13.8/8.13.6) with ESMTP id kB7MHojp020673 for x; Thu, 7 Dec 2006 16:17:50 -0600
Received: by py-out-1112.google.com with SMTP id f31so317551pyh for x; Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: by 10.35.99.17 with SMTP id b17mr4277287pym.1165529866966; Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: by 10.35.99.17 with SMTP id b17mr4277286pym.1165529866955; Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: from shawcable.net (S0106000ea6a66e9b.vc.shawcable.net [24.81.32.62]) by mx.google.com with SMTP id j7si945230nzd.2006.12.07.14.17.34; Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received-SPF: pass (google.com: domain of [EMAIL PROTECTED] designates 24.81.32.62 as permitted sender)
Message-ID: [EMAIL PROTECTED]
Date: Thu, 07 Dec 2006 19:10:30 -0400
Reply-To: spring freeman [EMAIL PROTECTED]
From: spring freeman [EMAIL PROTECTED]
MIME-Version: 1.0
To: Lawanna x
Cc: Laci x
Subject: TotallyCardDebtFree Overnight
Re: Google open relay?
John D. Hardin wrote:
> On Thu, 7 Dec 2006, Steven Stern wrote:
>> I've been getting lots of these get out of debt messages. It looks like the last stop before getting here is a gmail server. Could they have an open relay?
>
> Have you notified [EMAIL PROTECTED]?

You betcha! And also reported through spamcop.
Re: Google open relay?
David B Funk wrote:
> On Thu, 7 Dec 2006, Steven Stern wrote:
>> John D. Hardin wrote:
>>> On Thu, 7 Dec 2006, Steven Stern wrote:
>>>> I've been getting lots of these get out of debt messages. It looks like the last stop before getting here is a gmail server. Could they have an open relay?
>>>
>>> Have you notified [EMAIL PROTECTED]?
>>
>> You betcha! And also reported through spamcop.
>
> Only problem with reporting it thru spamcop is that they will very industriously drill down thru the Received: chain, breeze right thru all the Google entries, latch onto that shawcable.net IP and only send a report to them (IE not bother Google at all).
>
> This is a good thing in that they try very hard to not cause collateral damage and only send reports to the real culprits, but the down-side is that potential 'enablers' don't get notified too.
>
> If you buy into the spamcop premium service one of the things that you gain is the ability to modify their report and add such notices.
>
> Best to send it directly to Google's abuse address.
>
> Dave

Spamcop sent a report to both shawcable and [EMAIL PROTECTED]

I paid spamcop $25 several years ago for 25MB of reports (however that's measured) and I still have 8.3MB left in my pool.

-- Steve
Re: sa-update
Thomas Bolioli wrote:
> when I run sa-update it puts new copies of the tests in /var/lib/spamassassin/3.001005/updates_spamassassin_org which I understand from the docs is the correct location. However, the default tests remain in /usr/share/spamassassin/ and I believe they are still being used. How is this supposed to work? Am I supposed to manually move them into /usr/share? I do not see any reference to the updated tests in the cf files anywhere.
>
> Tom

If there are files in /var/lib/spamassassin/version/updates_spamassassin_org, they'll be used instead of the ones in /usr/share/spamassassin. If you do

    spamassassin -D --lint

you'll see that they're picked up.
Re: rules_du_jour not working confusion?
Bazooka Joe wrote: rules_du_jour seems to fail on lint. I am trying to figure that out now but I have a different question. Has channels replaced rules_du_jour? Should I be using something else to update my sare rules? thx -bazooka ps I am using SpamAssassin 3.1.4 pps below are the lint errors if anyone has come across it before I delve into it. [snip] Do your current rules pass a lint test? -- Steve
Re: How to upgrade spamassassin in Mandrake 10.1
Fajar Priyanto wrote: Hi all, I try to upgrade my SA in mandrake 10.1. I've downloaded the latest SA and build the rpm. But, when I tried to upgrade it, it errored: rpm -Uvh spamassassin-3.1.7-1.i586.rpm perl-Mail-SpamAssassin-3.1.7-1.i586.rpm error: Failed dependencies: spamassassin = 3.0.4-0.1.101mdk is needed by (installed) spamassassin-spamd-3.0.4-0.1.101mdk perl-Mail-SpamAssassin = 3.0.4-0.1.101mdk is needed by (installed) spamassassin-tools-3.0.4-0.1.101mdk I notice that my mandrake 10.1 contains several rpms regarding SA: spamassassin-tools-3.0.4-0.1.101mdk spamassassin-3.0.4-0.1.101mdk spamassassin-spamd-3.0.4-0.1.101mdk spamassassin-spamc-3.0.4-0.1.101mdk Can someone help me how to upgrade it? Should I (forced) remove all previous SA? Thank you very much, Are you using a sql-based Bayes db? I found that the upgrade of perl-MailSpamAssassin failed with a MySQL bayes. When I removed the password for 'root'@'localhost', the upgrade succeeded. (I then put the password back.) -- Steve
Re: sa-update installation
Odhiambo Washington wrote: Hello List, I have successfully (I hope) installed and run sa-update, and I see that it installed files in /var/lib/spamassassin/3.001007/ In my FreeBSD box, I am used to the rules being in /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin. Do I just go out for a cold beer and hope that SA will be reading these rules as well? What happens when I run sa-update? Does it update the rules files in /usr/local/share/spamassassin or what?

after sa-update runs, restart spamassassin and it will use the new rules in /var/lib/spamassassin. I have this as a cron job:

30 3 * * * sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

-- Steve
Re: Help with sa-learn when using Outlook 2003.
thekillerbean wrote: We currently have an Exchange 2003 server that is under heavy burden due to excessive SPAM. The company is not willing to spend $$$ to resolve the issue if it can be done on Linux - especially being that we have several Linux boxes lying idle! Hence, my plan is to implement Sendmail as a front end mail server for Exchange that will do the SPAM fighting (and possible virus scanning as well once I learn how to) then forward e-mail to Exchange. My dilemma is that since all user accounts are on Exchange, how do I bring these missed SPAM e-mail messages back to the Linux box for use with sa-learn? Cheers, tkb. See this: http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/ It shows how I set up sitewide Bayes on 3 Linux MX servers using Exchange/Outlook. -- Steve
Re: spamd error -- max-children?
Ron Freidel wrote: Hi All, We run a relatively small (amount of clients) freebsd email hosting server, was running spamassassin: 3.0.2 on a qmail server. We took on a new client who was receiving a lot of spam, as their old provider kept telling them there was nothing that could be done about spam. Well, our server easily handled the spam prior to this client, then suddenly the spam level increased from around 300 a day to about 6000 a day. The server itself is a quad xeon with 1Gig of ram, I plan to upgrade the ram tomorrow. I upgraded spamassassin to 3.1.7 to take advantage of the features/fixes, and to take care of the fact that while running 3.0.2 spamassassin eventually took all available ram and swap, then died, I had to reboot anyway so did the upgrade. After the upgrade I began seeing errors like...

prefork: server reached --max-children setting, consider raising it

This was while running spamassassin under freebsd's stock sa-spamd.sh, and during a spam attack. I made this change...

command_args="-d -m 10 -r ${pidfile}"

So it is now running as...

/usr/local/bin/spamd -c -d -m 10 -r /var/run/spamd/spamd.pid (perl5.8.5) root

Now the error has changed to...

spamd[2817]: spamd: handled cleanup of child pid 9679 due to SIGCHLD
spamd[2817]: Use of uninitialized value in numeric eq (==) at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/SpamdForkScaling.pm line 689

And here's line 689

687 foreach my $pid (@pids) {
688 my $k = $kids->{$pid};
689 if ($k == PFSTATE_IDLE) {
690 $statestr .= 'I';
691 $num_idle++;

Is this truly a problem with spamassassin? Or could I have a problem elsewhere? Do I need to make an additional change in how it is running? All perl mods and cpan have been updated to latest versions, --lint contains no errors. --

This may seem dumb, but change -m 10 to -m10. My command line has -m5 with no space. Steve
Odd error (or is it an error)
The following appears periodically in my maillog. I think it has to do with an attempt to do a cpan upgrade or SpamAssassin that I had to back out and replace with the Fedora RPM. In any case, is this anything to worry about? Sep 10 11:12:30 mooch spamd[26250]: (?:(?=[\s,]))* matches null string many times in regex; marked by -- HERE in m/\G(?:(?=[\s,]))* -- HERE \Z/ at /usr/lib/perl5/5.8.8/Text/Wrap.pm line 46. -- Steve
Whitelist ebay
Lint keeps throwing out this line: whitelist_from_rcvd [EMAIL PROTECTED] Is there something special about ebay?
Re: Train from Outlook?
Christopher Mills wrote: Tell me something, is there a plugin for outlook that would allow me to train spamassassin on the web server? Eg, messages come in, end up in my Junk Mail folder, can i somehow select them, and click a button with this 'addin' and have it find our web server and train spam assassin with the data in my local inbox? That would be a very cool addon if someone could develop it.

Is Outlook talking to an Exchange server? If so, see http://sstern.ccim.com/index.php/2006/07/14/training-sitewide-spam-filters/ -- Steve
Problems after upgrade to 3.1.4
These occur with spamassassin -D --lint. RDJ is up to date, as is sa-update.

[6837] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
[6837] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
[6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
[6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
[6837] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
[6837] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
[6837] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
[6837] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
[6837] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION'

-- Steve
Using a # character in a spam report
In our standard spam report, we have a line like report For more info, see http://our.server/infopage.html I'm adding content to the page and would like to add links to local anchors report For more info, see http://our.server/infopage.html#anchor It appears that SA treats the # as the start of a comment and leaves #anchor out of the resulting report. Is there a way to escape the #? -- Steve
Re: Using a # character in a spam report
Duane Hill wrote: On Wed, 19 Jul 2006, Steven Stern wrote: In our standard spam report, we have a line like report For more info, see http://our.server/infopage.html I'm adding content to the page and would like to add links to local anchors report For more info, see http://our.server/infopage.html#anchor It appears that SA treats the # as the start of a comment and leaves #anchor out of the resulting report. Is there a way to escape the #? I believe you should be able to use: http://our.server/infopage.html\#anchor I've escaped chars in the report before myself. Uh-oh... This is how the report comes out: http://www.ccim.com/members/help/bcastfaq.html\#spam Not quite what I wanted. -- Steve
Re: Image only spam
Jack Gostl wrote: - Original Message - *From:* Steven Stern mailto:[EMAIL PROTECTED] *Cc:* Spamass mailto:users@spamassassin.apache.org *Sent:* Thursday, July 13, 2006 6:52 PM *Subject:* Re: Image only spam Jack Gostl wrote: - Original Message - From: Steven Stern [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] To: Spamass users@spamassassin.apache.org mailto:users@spamassassin.apache.org Sent: Wednesday, July 12, 2006 4:31 PM Subject: Re: Image only spam Jack Gostl wrote: Thanks for the response. Take it slow with me, spamassassin has been running so well for so long that I haven't had to fiddle with it in ages and I don't remember the details. Do I add these rules to my user_prefs? Or to my /etc/mail/local.cf files? - Original Message - From: Steven Stern [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] To: Spamass users@spamassassin.apache.org mailto:users@spamassassin.apache.org Sent: Wednesday, July 12, 2006 9:13 AM Subject: Re: Image only spam Jack Gostl wrote: I'm running SpamAssassin version 3.0.3 running on Perl version 5.8.2 under AIX 5.3. Starting a few months ago, I have been absolutely inundated with image only spam. I've gone from catching 99% of the spam with almost no false positives to less than 85%. I asked about this awhile ago, and tried to upgrade to SpamAssassin version 3.1.1 running on Perl version 5.8.0, and didn't see much improvement, so I left the prod machine alone. I'm sure I'm not the only one with this problem. Has anyone had any success with it? Thanks... Jack Are you using the SARE_STOCK rules from RulesDuJour at rulesemporium.com? We catch more than 99% of the image only stuff with the standard RBLs and 70_sare_stock.cf. 
In case you ask, these are the SARE rules we're using: TRUSTED_RULESETS=SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300 SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS; -- Steve

Hop over to the Rules Emporium (http://rulesemporium.com) and read about RulesDuJour. Install that and set up cron job to look for updates once a day. That's about it. It's about 30 minutes of think work up front to understand the documentation and install it. After that, set it and forget it. http://www.exit0.us/index.php?pagename=RulesDuJour I think you'll be happy with the trusted ruleset line above.

wanted to tell you how this all turned out. I installed the new rules, incorrectly as Dimitri observed, and then restarted spamassassin. (spamd actually). The spam capture rate has zoomed from 85% into the high 90s. Looking back I see that we replaced our processor about a year ago, and have been exceptionally stable since then. We haven't IPLed in almost a year, which also means that spamassassin probably hasn't been started in almost as long. Obviously the new rules weren't the reason for the improvement, since they were installed wrong. So it must have been the restart. This makes me wonder, was it a corruption, or is there a cumulative effect. I wonder if anyone has any thoughts on that.

I have a cron job scheduled for every Sunday

sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

This will pick up updates to the basic SA rules if they update them.

Is sa-update a script you wrote? And why run the --lint on a regular basis?

sa-update is part of the SpamAssassin 3.1 package. See man sa-update. The string of commands executes sa-update. If it returns a non-error result, indicating it downloaded something, then the new rules are linted. I do this to make sure that there's nothing broken in any of the dozens of rules in my ruleset. If the ruleset is OK, then spamassassin is restarted to pick up the new rules from sa-update. -- Steve
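The update, lint, restart sequence described in the message above, written out as an added example script (not code from the thread) that also separates "no new rules" from a real sa-update failure. SA_UPDATE_CMD, SA_LINT_CMD, SA_RESTART_CMD and the script name are hypothetical; the exit-code meanings assumed are 0 for "updates installed", 1 for "no fresh updates", and anything higher for an error.

```shell
#!/bin/sh
# Added example (not from the thread): update rules, lint them, and restart
# spamd only when both steps succeed.
# SA_UPDATE_CMD, SA_LINT_CMD and SA_RESTART_CMD are hypothetical override
# variables; by default they hold the three commands from the cron job.
SA_UPDATE_CMD=${SA_UPDATE_CMD:-sa-update}
SA_LINT_CMD=${SA_LINT_CMD:-spamassassin --lint}
SA_RESTART_CMD=${SA_RESTART_CMD:-/etc/init.d/spamassassin restart}

LAST_ACTION=""   # outcome of the most recent refresh_rules call

refresh_rules() {
    rc=0
    $SA_UPDATE_CMD || rc=$?
    case "$rc" in
        0) ;;                                    # new rules were installed
        1) LAST_ACTION="no-update"; return 0 ;;  # nothing new: leave spamd alone
        *) LAST_ACTION="update-error"
           echo "sa-update failed with exit code $rc" >&2
           return "$rc" ;;
    esac

    # Lint before restarting so a broken rule file never reaches the
    # running filter.
    if ! $SA_LINT_CMD; then
        LAST_ACTION="lint-failed"
        echo "new rules failed lint; spamd not restarted" >&2
        return 2
    fi

    if ! $SA_RESTART_CMD; then
        LAST_ACTION="restart-failed"
        return 3
    fi
    LAST_ACTION="restarted"
    return 0
}

# Run from cron as: refresh-rules.sh --run   (script name is hypothetical)
if [ "${1:-}" = "--run" ]; then
    refresh_rules
    exit $?
fi
```

After a lint-failed result the running spamd keeps the rules it loaded at startup, but the next restart would read what is on disk, so the lint error needs fixing before then.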
Re: Image only spam
Jack Gostl wrote: - Original Message - From: Steven Stern [EMAIL PROTECTED] To: Spamass users@spamassassin.apache.org Sent: Wednesday, July 12, 2006 4:31 PM Subject: Re: Image only spam Jack Gostl wrote: Thanks for the response. Take it slow with me, spamassassin has been running so well for so long that I haven't had to fiddle with it in ages and I don't remember the details. Do I add these rules to my user_prefs? Or to my /etc/mail/local.cf files? - Original Message - From: Steven Stern [EMAIL PROTECTED] To: Spamass users@spamassassin.apache.org Sent: Wednesday, July 12, 2006 9:13 AM Subject: Re: Image only spam Jack Gostl wrote: I'm running SpamAssassin version 3.0.3 running on Perl version 5.8.2 under AIX 5.3. Starting a few months ago, I have been absolutely inundated with image only spam. I've gone from catching 99% of the spam with almost no false positives to less than 85%. I asked about this awhile ago, and tried to upgrade to SpamAssassin version 3.1.1 running on Perl version 5.8.0, and didn't see much improvement, so I left the prod machine alone. I'm sure I'm not the only one with this problem. Has anyone had any success with it? Thanks... Jack Are you using the SARE_STOCK rules from RulesDuJour at rulesemporium.com? We catch more than 99% of the image only stuff with the standard RBLs and 70_sare_stock.cf. In case you ask, these are the SARE rules we're using: TRUSTED_RULESETS=SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300 SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS; -- Steve Hop over to the Rules Emporium (http://rulesemporium.com) and read about RulesDuJour. Install that and set up cron job to look for updates once a day. That's about it. It's about 30 minutes of think work up front to understand the documentation and install it. After that, set it and forget it. 
http://www.exit0.us/index.php?pagename=RulesDuJour I think you'll be happy with the trusted ruleset line above.

wanted to tell you how this all turned out. I installed the new rules, incorrectly as Dimitri observed, and then restarted spamassassin. (spamd actually). The spam capture rate has zoomed from 85% into the high 90s. Looking back I see that we replaced our processor about a year ago, and have been exceptionally stable since then. We haven't IPLed in almost a year, which also means that spamassassin probably hasn't been started in almost as long. Obviously the new rules weren't the reason for the improvement, since they were installed wrong. So it must have been the restart. This makes me wonder, was it a corruption, or is there a cumulative effect. I wonder if anyone has any thoughts on that.

I have a cron job scheduled for every Sunday

sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

This will pick up updates to the basic SA rules if they update them. -- Steve
Re: Image only spam
Jack Gostl wrote: I'm running SpamAssassin version 3.0.3 running on Perl version 5.8.2 under AIX 5.3. Starting a few months ago, I have been absolutely inundated with image only spam. I've gone from catching 99% of the spam with almost no false positives to less than 85%. I asked about this awhile ago, and tried to upgrade to SpamAssassin version 3.1.1 running on Perl version 5.8.0, and didn't see much improvement, so I left the prod machine alone. I'm sure I'm not the only one with this problem. Has anyone had any success with it? Thanks... Jack Are you using the SARE_STOCK rules from RulesDuJour at rulesemporium.com? We catch more than 99% of the image only stuff with the standard RBLs and 70_sare_stock.cf. In case you ask, these are the SARE rules we're using: TRUSTED_RULESETS=SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300 SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS; -- Steve
Re: Image only spam
Jack Gostl wrote: Thanks for the response. Take it slow with me, spamassassin has been running so well for so long that I haven't had to fiddle with it in ages and I don't remember the details. Do I add these rules to my user_prefs? Or to my /etc/mail/local.cf files? - Original Message - From: Steven Stern [EMAIL PROTECTED] To: Spamass users@spamassassin.apache.org Sent: Wednesday, July 12, 2006 9:13 AM Subject: Re: Image only spam Jack Gostl wrote: I'm running SpamAssassin version 3.0.3 running on Perl version 5.8.2 under AIX 5.3. Starting a few months ago, I have been absolutely inundated with image only spam. I've gone from catching 99% of the spam with almost no false positives to less than 85%. I asked about this awhile ago, and tried to upgrade to SpamAssassin version 3.1.1 running on Perl version 5.8.0, and didn't see much improvement, so I left the prod machine alone. I'm sure I'm not the only one with this problem. Has anyone had any success with it? Thanks... Jack Are you using the SARE_STOCK rules from RulesDuJour at rulesemporium.com? We catch more than 99% of the image only stuff with the standard RBLs and 70_sare_stock.cf. In case you ask, these are the SARE rules we're using: TRUSTED_RULESETS=SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300 SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS; -- Steve Hop over to the Rules Emporium (http://rulesemporium.com) and read about RulesDuJour. Install that and set up cron job to look for updates once a day. That's about it. It's about 30 minutes of think work up front to understand the documentation and install it. After that, set it and forget it. http://www.exit0.us/index.php?pagename=RulesDuJour I think you'll be happy with the trusted ruleset line above.
Re: Bayes autolearn configuration
Richard E. Bewley, Jr. wrote: Hi, I'm using SpamAssassin version 3.1.3 running on Perl version 5.8.0. My autolearn is enabled, and I'm getting the below headers, which according to spamassassin documentation means that autolearn is enabled, but not meeting required criteria to learn. I am using the default thresholds. Can anyone shed some light on why no messages are being autolearned? My lint is clean. When I debug:

[24212] dbg: bayes: database connection established
[24212] dbg: bayes: found bayes db version 3
[24212] dbg: bayes: Using userid: 102
[24212] dbg: bayes: not available for scanning, only 12 spam(s) in bayes DB < 100
[24212] dbg: bayes: not scoring message, returning undef
[24212] dbg: bayes: DB expiry: tokens in DB: 2639, Expiry max size: 18, Oldest atime: 1117030672, Newest atime: 1151309839, Last expire: 0, Current time: 1152068718

X-Spam-Status: Yes, score=16.6 required=5.0 tests=SARE_OEM_AND_OTHER, SARE_OEM_PRODS_1,SARE_OEM_PRODS_FEW,SARE_OEM_PRO_DOL,SARE_PRODUCTS_02, SARE_PRODUCTS_03,UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL, URIBL_SBL,URIBL_SC_SURBL,URI_NOVOWEL autolearn=no version=3.1.1

It appears that you do not yet have enough spam and ham in your database to enable learning. You need to use sa-learn to push some spam and ham through the system.

not available for scanning, only 12 spam(s) in bayes DB < 100

There are only 12 spam, but your local.cf file says not to autolearn until there are at least 100. -- Steve
Re: spamassassin-3.0.4-1.el4
Kaushal Shriyan wrote: Hi ALL I have spamassassin-3.0.4-1.el4 installed by default in RHEL4 Linux box, How do i configure spamassassin and integrate it with Sendmail Thanks and Regards Kaushal Install spamass-milter to link spamassassin and Sendmail. -- Steve
Re: spamassassin-3.0.4-1.el4
Kaushal Shriyan wrote: On 7/3/06, Steven Stern [EMAIL PROTECTED] wrote: Kaushal Shriyan wrote: Hi ALL I have spamassassin-3.0.4-1.el4 installed by default in RHEL4 Linux box, How do i configure spamassassin and integrate it with Sendmail Thanks and Regards Kaushal Install spamass-milter to link spamassassin and Sendmail. -- Steve Hi Steve Thanks for the quick turn around.I got it installed and how do i proceed and test for spams [EMAIL PROTECTED] kaushal]# rpm -qa | grep sendmail sendmail-8.13.1-2 sendmail-cf-8.13.1-2 [EMAIL PROTECTED] kaushal]# rpm -qa | grep spamass-milter spamass-milter-0.3.0-1.2.el4.rf [EMAIL PROTECTED] kaushal]# rpm -qa | grep spamassassin spamassassin-3.0.4-1.el4 [EMAIL PROTECTED] kaushal]# Thanks and Regards Kaushal Be sure to read the document files that ship with it. You'll need to modify sendmail.mc to enable the milter and make some decisions on what you want to do with spam. man spamass-milter is a good place to start, as well as /usr/share/doc/spamass-milter-0.3.1/README Please keep replies on the list. (It would be nice if they configured it to work that way by default.)
Re: spamassassin-3.0.4-1.el4
jdow wrote: From: Steven Stern [EMAIL PROTECTED] Kaushal Shriyan wrote: Hi ALL I have spamassassin-3.0.4-1.el4 installed by default in RHEL4 Linux box, How do i configure spamassassin and integrate it with Sendmail Thanks and Regards Kaushal Install spamass-milter to link spamassassin and Sendmail. Procmail also works nicely. {^_^} The OP needs to clarify if he's using SA for a few accounts on his own machine or operating an MX server fronting something else. There are many paths -- Steve
Re: ham and spam
John D. Hardin wrote: On Tue, 20 Jun 2006, Michael Di Martino wrote: How does one feed bayes ham and spam on an smtp gateway (no local delivery). All server does is accept mail for one 2 domains scrub for virus and spam and then forward it to its nasty little exchange server.

Can you set up shared Exchange folders that can be exported to mbox format? If so, set up learn-ham and learn-spam folders, tell people to train to them, then periodically export them, transfer them to the SA host, and run sa-learn on them. Perhaps someone sufficiently motivated could write an sa-learn - IMAP client utility to train from arbitrary IMAP folders hosted remotely...

We have trained users to put misclassified ham and spam into two public folders, should-be-spam and should-be-ham. We created an exchange user, spamiam, that has full rights to these folders. At the top of every hour, this script is run on the one MX server:

# more get_ham_spam
#! /bin/sh
# fetch reclassified spam from the public folder and learn it
rm -f /var/spool/mail/spamiam
touch /var/spool/mail/spamiam
chown spamiam:mail /var/spool/mail/spamiam
su spamiam -c 'fetchmail -a -K -f /usr/local/scripts/spamiam.fetchmailrc -r "Public Folders/should-be-spam"'
cat /var/spool/mail/spamiam >> /var/www/html/spamstuff/should-be-spam
sa-learn --spam --mbox /var/www/html/spamstuff/should-be-spam
# same again for reclassified ham
rm -f /var/spool/mail/spamiam
touch /var/spool/mail/spamiam
chown spamiam:mail /var/spool/mail/spamiam
su spamiam -c 'fetchmail -a -K -f /usr/local/scripts/spamiam.fetchmailrc -r "Public Folders/should-be-ham"'
cat /var/spool/mail/spamiam >> /var/www/html/spamstuff/should-be-ham
sa-learn --ham --mbox /var/www/html/spamstuff/should-be-ham

# more spamiam.fetchmailrc
pollexchange..com proto imap user spamiam password x is spamiam here

At 15 past each hour, the two other mail servers use wget to grab the should-be files to their local /tmp and run sa-learn. The files are included in logrotate, so they get zero'd every Sunday morning. -- Steve
sa-update: then what
I've run sa-update and have files in /var/lib/spamassassin/3.001001, 002, and 003. Am I supposed to move these somewhere? Should all but the latest directory be deleted? Is it necessary to run sa-update after installing 3.1.3? -- Steve
Re: Integrating Spam assasin with exchange server.
Crespillo, Matias wrote: I apologize in advance for making a lazy question, but is there a quick guide somewhere as to how to integrate Spam Assassin with an exchange server? Or maybe some way to set it in a way it will get the mails before, filter and then forward them to exchange unchanged?. Thanks a lot in advance. We have spamassassin sitting in front of the exchange server. Basically, the MX record for our domains point to Linux boxes. On each of those boxes, we're running SpamAssassin and ClamAV. SpamAssassin uses a site wide, SQL based Bayes database local to each box, with a few tricks to help synchronize mail reclassified by Exchange users as ham or spam. Only after passing through the MX servers does mail arrive at Exchange. (The firewall permits SMTP connections from the MX servers only.) On Exchange, we're using Symantec AV to provide another layer of virus protection. We don't forward the mail unchanged. If mail is spam, the headers are re-written to put *SPAM?* at the front of the subject line and to make the original message an attachment. Of course, if the mail isn't marked as spam, it's transparent to the users. -- Steve
Re: Bypassing scan on locally originated mail
Rich Winkel wrote: According to Andrzej Adam Filip: How do you deployed spamassassin? I use a milter ...

If you're using spamass-milter, edit /etc/sysconfig/spamass-milter and add excluded addresses with the -i parameter:

EXTRA_FLAGS="-i 192.168.1.0/24,127.0.0.1"

-- Steve
Re: AutoWhitelist
Pablo Allietti wrote: On Sat, May 20, 2006 at 10:23:04PM +0200, Magnus Holmgren wrote: Saturday 20 May 2006 21:54 skrev Pablo Allietti: hi all, i have spamassassin for freebsd running in my system and i want to modify a score but i dont have a 50_score How i modify this score? 7.5 AWLAWL: From: address is in the auto white-list AWL is not a normal rule. Please read http://wiki.apache.org/spamassassin/AutoWhitelist. perfect. i have this in the check_auto_whitel\ist 0.2 (0.5/2) -- [EMAIL PROTECTED]|ip=201.212 1.0 (3.0/3) -- [EMAIL PROTECTED]|ip=201.160 6.9(20.8/3) -- [EMAIL PROTECTED]|ip=201.125 1.1 (6.7/6) -- [EMAIL PROTECTED]|ip=191.0 i need to remove this line is that possible? 6.9(20.8/3) -- [EMAIL PROTECTED]|ip=201.125 Are you using SQL or .db files? If SQL, it's easy. -- Steve
Re: Spamd Children
[EMAIL PROTECTED] wrote: Ok, fair enough...i downloaded and ran rpmbuild -tb Mail-SpamAssassin-3.1.1.tar.gz As described on the site. I don't see any changes in the version number, is there more I have to do ?

That just creates the RPM files in /usr/src/redhat/RPMS. Did you install them? -- Steve
Re: Spamd Children
[EMAIL PROTECTED] wrote: Doh, no...can you point me in the direction of how to do that? on 5/12/06 8:23 AM, Steven Stern at [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: Ok, fair enough...i downloaded and ran rpmbuild -tb Mail-SpamAssassin-3.1.1.tar.gz As described on the site. I don't see any changes in the version number, is there more I have to do ? That just creates the RPM files in /usr/src/redhat/RPMS. Did you install them?

Please don't top post and reply to the list. Thanks.

cd /usr/src/redhat/RPMS/i386 (I presume)
rpm -Uvh *3.1.1-1.i386.rpm

Verify nothing's broken:

spamassassin -D --lint

Then, restart spamassassin

/etc/init.d/spamassassin restart

-- Steve
Re: Big Idiot Needs Instructions
Chris Edwards wrote: Hola, I have spent two days trying to figure out how to get the following to work. I have set up Spamassassin and ClamAV, I am running sendmail on the Solaris 10 platform. I would like to be able to scan for all spam and virus (in, out and relayed email). Can someone please point me in the right direction? Do I use procmail or something else. I set this particular combination up years ago on a Linux box but I have had a lot of gigo since then. You need to install spamass-milter and clamav-milter to integrate them with sendmail. -- Steve
Bayes not working
On a new SA installation that's as identical to the other 3 we have running as possible, bayes is not running. spamassassin -D --lint indicates that all is normal. The test message generates a Bayes score. sa-learn is able to talk to the mysql database: We're able to update the database using sa-learn. However, in production, spamassassin does not report any BAYES_ scores. When the spam value exceeds the threshold that would normally cause autolearning, autolearn=no changes to autolearn=unavailable. Similarly, AWL entries are not being created. Can anyone see what's wrong?

[3320] dbg: config: read file /usr/share/spamassassin/23_bayes.cf
[3320] dbg: bayes: using username: root
[3320] dbg: bayes: database connection established
[3320] dbg: bayes: found bayes db version 3
[3320] dbg: bayes: Using userid: 1
[3320] dbg: bayes: corpus size: nspam = 178, nham = 168
[3320] dbg: bayes: tok_get_all: token count: 20
[3320] dbg: bayes: score = 0.913557143318889
[3320] dbg: rules: ran eval rule BAYES_80 == got hit
[3320] dbg: auto-whitelist: sql-based connected to DBI:mysql:sa_bayes:ccim-mx2
[3320] dbg: auto-whitelist: sql-based finish: disconnected from DBI:mysql:sa_bayes:ccim-mx2
[3320] dbg: check: tests=BAYES_80,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE

# grep -i bayes local.cf
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
bayes_min_ham_num 100
bayes_min_spam_num 100
# bayes_path /var/spool/spamassassin/bayes
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:sa_bayes:ccim-mx2
bayes_sql_username spamass
bayes_sql_password xxx
bayes_sql_override_username root
bayes_auto_expire 0
user_awl_dsn DBI:mysql:sa_bayes:ccim-mx2

# grep -i awl local.cf
user_awl_dsn DBI:mysql:sa_bayes:ccim-mx2
user_awl_sql_table awl
user_awl_sql_username spamass
user_awl_sql_password xxx
user_awl_sql_override_username root

]# ps -ef |grep spam
root 2170 1 0 07:01 ? 00:00:04 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
root 2247 2170 1 07:01 ? 00:00:20 spamd child
root 2248 2170 0 07:01 ? 00:00:00 spamd child
sa-milt 3264 1 0 07:15 pts/0 00:00:00 /bin/bash /usr/sbin/spamass-milter-wrapper -p /var/run/spamass-milter/spamass-milter.sock -P /var/run/spamass-milter.pid -i 127.0.0.1 -r 10 -- -d localhost -p 783
sa-milt 3265 3264 0 07:15 pts/0 00:00:00 /usr/sbin/spamass-milter -p /var/run/spamass-milter/spamass-milter.sock -P /var/run/spamass-milter.pid -i 127.0.0.1 -r 10 -- -d localhost -p 783

SpamAssassin version 3.1.1 running on Perl version 5.8.6
spamass-milter - Version 0.3.1

-- Steve
Re: Bayes not working
Andy Spiegl wrote: [3320] dbg: bayes: corpus size: nspam = 178, nham = 168 Probably because your corpus is still too small. man Mail::SpamAssassin::Conf ... bayes_min_ham_num(Default: 200) bayes_min_spam_num (Default: 200) To be accurate, the Bayes system does not activate until a certain number of ham (non-spam) and spam have been learned. The default is 200 of each ham and spam, but you can tune these up or down with these two settings. I imported a corpus of about 2 messages total and it wasn't working. I blew it all away and started from scratch thinking that was the problem. For now, local.cf has a minimum of 100 messages of each type. The current database exceeds that.
Re: Bayes not working
Michael Monnerie wrote: On Mittwoch, 10. Mai 2006 16:01 Steven Stern wrote: I imported a corpus of about 2 messages total and it wasn't working. I blew it all away and started from scratch thinking that was the problem. For now, local.cf has a minimum of 100 messages of each type. The current database exceeds that. I've had such an issue. In ancient times I had done sudo -H -u spamscanner sa-learn , but that doesn't work now. I really have to do su -l spamscanner and then sa-learn. Maybe that's your problem. Try to sa-learn --dump magic|grep token to see how many ham/spam there really are - as that user. Everything's tweaked to use root as the user. We do sitewide processing since this sits on an MX server.
errors on 3.1.1
After installing 3.1.1 by building the RPM from the .tar.gz file, I get the following in my log:

Mar 11 22:51:52 mooch spamd[15660]: List::Util object version 1.14 does not match bootstrap parameter 1.18 at /usr/lib/perl5/5.8.6/i386-linux-thread-multi/XSLoader.pm line 92.
Mar 11 22:51:52 mooch spamd[15660]: List::Util object version 1.14 does not match bootstrap parameter 1.18 at /usr/lib/perl5/5.8.6/i386-linux-thread-multi/List/Util.pm line 30.
Mar 11 22:51:53 mooch spamd[15660]: Undefined subroutine Scalar::Util::weaken called at /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/DBI.pm line 279.

I don't know what to update:

cpan install List::Util
List::Util is up to date (1.18).

cpan install Scalar::Util:weaken
Warning: Cannot install Scalar::Util:weaken, don't know what it is. Try the command i /Scalar::Util:weaken/ to find objects with matching identifiers.

-- Steve
Re: errors on 3.1.1
Theo Van Dinter wrote: On Sat, Mar 11, 2006 at 10:54:50PM -0600, Steven Stern wrote: After installing 3.1.1 by building the RPM from the .tar.gz file, I get the following in my log: Hrm. None of these are SpamAssassin related, fwiw. Mar 11 22:51:52 mooch spamd[15660]: List::Util object version 1.14 does not match bootstrap parameter 1.18 at You have multiple versions of List::Util installed, 1.14 and 1.18. Mar 11 22:51:53 mooch spamd[15660]: Undefined subroutine Scalar::Util::weaken called at /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/DBI.pm line 279. DBI is looking for a function that apparently doesn't exist in Scalar::Util. cpan install List::Util List::Util is up to date (1.18). I think you will want to delete all List::Util related files, and then reinstall. Basically List::Util is an XS module, and you have one version of perl and one of the compiled XS. I can't find anything with rpm -qa |grep perl that looks like list-util or anything similar. Where would the XS file be? cpan install Scalar::Util:weaken Warning: Cannot install Scalar::Util:weaken, don't know what it is. Try the command weaken is the function name, you can try install Scalar::Util. cpan tells me that's up to date, too. -- Steve
Re: bayes DBM versus SQL
Webmaster wrote: Those of you who have used both native DBM and new SQL bayesian, can you comment on benefits of one versus the other please. Much appreciated! I have three MX servers fronting our Exchange box. The fastest of the MX servers is also handling the MySQL server for both bayes and AWL. It's surprisingly fast and all three boxes are working from the same set of information so the path the mail takes doesn't affect scoring. Most of the spam comes through the non-preferred MX server. -- Steve
Re: Bayes question
M. Lewis wrote: I recently lost a hard drive and have had to set up everything again. I'm seeing a fair amount of spam that is getting through my filters. From what I can see in the headers of messages, bayes does not seem to be used at all. I'm reasonably sure this is the reason I'm seeing spam. If I do #spamassassin -t -D spam.txt I can clearly see bayes is being used. Suggestions for what to check? Thanks for any ideas. M sa-learn --dump magic What does it say? -- Steve
Re: Bayes question
M. Lewis wrote:

Thanks Steve,

# sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 57468 0 non-token data: nspam
0.000 0 16419 0 non-token data: nham
0.000 0 181931 0 non-token data: ntokens
0.000 0 1139892654 0 non-token data: oldest atime
0.000 0 1140583854 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 1140584727 0 non-token data: last expiry atime
0.000 0 691200 0 non-token data: last expire atime delta
0.000 0 1510 0 non-token data: last expire reduction count

Please keep replies on the list

I was wondering if you'd had enough ham and spam to get past the minimums. Looks like you have. How about posting the output from spamassassin -D --lint

-- Steve
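The check discussed in the Bayes threads above (are nspam and nham past bayes_min_spam_num and bayes_min_ham_num?) can be scripted. This is an added example, not code from any poster or from SpamAssassin itself; the function and sample names are made up here, and the sample input is constructed from the counts in the debug line quoted earlier (nspam = 178, nham = 168).

```shell
#!/bin/sh
# Added example: is the Bayes database past its learning minimums?

# bayes_ready MIN_SPAM MIN_HAM   (reads `sa-learn --dump magic` text on stdin)
# Returns 0 if both counters meet the minimums, 1 if not, and 2 if the
# counters are missing (empty database, or dump taken as the wrong user).
bayes_ready() {
    awk -v min_spam="$1" -v min_ham="$2" '
        # Counter lines look like: 0.000 0 57468 0 non-token data: nspam
        /non-token data: nspam$/ { nspam = $3; have_spam = 1 }
        /non-token data: nham$/  { nham  = $3; have_ham  = 1 }
        END {
            if (!have_spam || !have_ham) {
                print "unknown: nspam/nham counters not found"
                exit 2
            }
            if (nspam + 0 >= min_spam + 0 && nham + 0 >= min_ham + 0) {
                printf "active: nspam=%d nham=%d\n", nspam, nham
                exit 0
            }
            printf "inactive: nspam=%d (min %d) nham=%d (min %d)\n", nspam, min_spam, nham, min_ham
            exit 1
        }'
}

# Constructed dump-magic excerpt (counts taken from the quoted debug line).
sample_small() {
cat <<'EOF'
0.000 0 3 0 non-token data: bayes db version
0.000 0 178 0 non-token data: nspam
0.000 0 168 0 non-token data: nham
0.000 0 20513 0 non-token data: ntokens
EOF
}

# Default minimums (200/200): Bayes stays silent for this database.
sample_small | bayes_ready 200 200 || :
# Minimums lowered to 100 in local.cf: the same database is enough.
sample_small | bayes_ready 100 100 || :
```

On a live system, pipe `sa-learn --dump magic` into `bayes_ready` as the same user spamd scans as, since a different user can be looking at a different database.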
[Fwd: re: rpm of Spam Assassin]
Original Message Subject: re: rpm of Spam Assassin Date: Fri, 10 Feb 2006 12:23:35 -0600 From: Skip [EMAIL PROTECTED] Steven, Thanks for the reply re: the rpm build of SpamAssassin 3.1.0. I also did the build on my system, but I can't find the location of where the build was sent so I can install it. When I restart spamassassin I still only am getting version 2.55. I am pretty new overall to linux, so I have been flying by the seat of my pants, so to speak. My goal is to get my spam blocking functionality as good as my current system (windows). I am forwarding all my blocked spam to see if the rules are as good and I am only catching roughly 2/3rds. Thus, I feel my first goal is the new version of spamassassin. Any help you could provide would be great. Thanks. - Skip Please keep all replies on the list. The build is in /usr/src/redhat/RPMS/i386, at least on my system. -- Steve
Re: How to delete Spam automatically
Al Bogner wrote: My hoster offers cpanel to configure spamassassin, which has only a few options to configure, like white and blacklist. But I have shell-access to my account and maybe I could try out how to delete spam automatically. It looks like amavis isn't used on this RedHat machine with kernel 2.4.21-37.0.1.EL Any ideas? Al If you can edit sendmail.mc and make a new sendmail configuration, then you could install spamass-milter. You can then set a reject condition for some spam score. -- Steve
Re: Could you scan your logs for me?
Ole Nomann Thomsen wrote: Hi, can I ask a small favor from some of you running SA with Bayes enabled: Please run the following perl-oneliner on your SA-log (mine is current): perl -ne 'if (/result:/) {$n++; $b++ if (/BAYES/);} } print $b/$n,"\n"; {' current (I promise it's not a rootkit :-) I get: 0.710109622411693 I suspect you really ought to see 1, always. What do you get? Thanks, Ole. 1 -- Steve
perl error
I just installed an update for Perl for Fedora 4 and now...

Dec 17 11:08:02 mooch spamd[3144]: List::Util object version 1.14 does not match bootstrap parameter 1.18 at /usr/lib/perl5/5.8.6/i386-linux-thread-multi/XSLoader.pm line 92.
Dec 17 11:08:02 mooch spamd[3144]: List::Util object version 1.14 does not match bootstrap parameter 1.18 at /usr/lib/perl5/5.8.6/i386-linux-thread-multi/List/Util.pm line 30.
Dec 17 11:08:04 mooch spamd[3144]: Undefined subroutine Scalar::Util::weaken called at /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/DBI.pm line 279.

Using CPAN, I updated DBI. Scalar::Util is up to date as is List::Util

-- Steve
Whitelist one, whitelist all
I have one user who insists on seeing all mail sent to her. (OK, it's my wife.) I added all_spam_to [EMAIL PROTECTED] to local.cf and that makes it work for her. However, if there are other recipients bcc'd on the email, then the all_spam_to negative score gets applied to the message and it goes through to everyone. Is there a way around this? (Applying a patch or update to the wife is not an option.) -- Steve
Re: Whitelist one, whitelist all
Matt Kettler wrote: Steven Stern wrote: I have one user who insists on seeing all mail sent to her. (OK, it's my wife.) I added all_spam_to [EMAIL PROTECTED] to local.cf and that makes it work for her. However, if there are other recipients bcc'd on the email, then the all_spam_to negative score gets applied to the message and it goes through to everyone. Is there a way around this? Depends on your setup. If you're filtering at the MDA layer (procmail), you'll need to start doing per-user configuration, and only have said all_spam_to in the user_prefs of the respective user, or better yet, just bypass calling SA for them entirely. If you are filtering using a site-wide configuration at the MTA layer (milter, etc), you probably can't fix this without some difficulty. The sticky issue here is there's one email, sent to two users, and SA has to either tag it or not. The usual approach to fixing this is to use an MTA layer integration that is capable of splitting-up multi-recipient messages into a bunch of single-recipient messages, bypass SA altogether for one copy, and give the others to SA. Not pretty, but some tools can do it (I forget which ones offhand). Both of the approaches involving bypassing SA will work a whole lot better than using all_spam_to anyway. all_spam_to will, for example, not prevent mail bcc'ed to your wife from getting tagged. It's just a whitelist based on what's in the To: and Cc: headers, and nothing more. While this can be useful, most of the time it's a kludge. I'm doing this via spamass-milter at the MTA stage. -- Steve
Re: Problems with AOL's TOS reports
Robert Menschel wrote: Hello Steven, Thursday, December 1, 2005, 6:57:45 PM, you wrote: SS In order to keep our mail flowing to AOL members, I've signed up through SS the AOL postmaster service to receive TOS reports. Basically, whenever SS someone reports mail from our domains as spam, AOL forwards it to me. SS Anyhow, when it arrives, SA classifies it as spam. What's the reason for SS the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I SS overrode them by whitelisting the sender ([EMAIL PROTECTED])? The reason is that people on our systems here that have not subscribed to this service are receiving spam with exactly these characteristics. I believe that some spammer (or ratware) is mimicking the AOL service's characteristics in order to get their spam through people's whitelists. When I put these rules together, I wasn't aware of AOL's service and its email characteristics, and nobody else in any of the several SARE mass-checks had any hits at all, so there was no indication through that means that this was a Bad Rule (tm). 1) If you subscribe to this service, or any domain you process mail for does, zero the score on these rules. 2) As soon as I get back from vacation, I'll zero the scores on those rules in the production files, and see if I can figure out how to identify the spammer as opposed to the service. 3) Yes, whitelist [EMAIL PROTECTED], but do so through an unforgeable means, such as SPF or RCVD. Do not use a simple whitelist from, since that's what the spammer is hoping you will do. Bob Menschel Thanks. I'm using the whitelist_from_spf successfully. -- Steve
Problems with AOL's TOS reports
In order to keep our mail flowing to AOL members, I've signed up through the AOL postmaster service to receive TOS reports. Basically, whenever someone reports mail from our domains as spam, AOL forwards it to me. (They delete the addressee from the headers, although not completely so sometimes.) Anyhow, when it arrives, SA classifies it as spam. What's the reason for the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I overrode them by whitelisting the sender ([EMAIL PROTECTED])?

pts  rule name              description
---- ---------------------- --------------------------------------------------
 2.2 SARE_SPEC_CLIENT_TOS2  known spammer address
 1.0 NO_REAL_NAME           From: does not include a real name
 2.2 SARE_SPEC_CLIENT_TOS   high tech impulse spam sign
-0.0 SPF_PASS               SPF: sender matches SPF record
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1% [score: 0.]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.7 DNS_FROM_RFC_POST      RBL: Envelope sender in postmaster.rfc-ignorant.org
 1.6 FORGED_MSGID_AOL       Message-ID is forged, (aol.com)
-1.2 AWL                    AWL: From: address is in the auto white-list

The headers look like this:

Microsoft Mail Internet Headers Version 2.0 Received: from enoch.cciminstitute.com ([10.0.2.195]) by eve.cciminstitute.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 1 Dec 2005 18:29:18 -0600 Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.138.20]) by enoch.cciminstitute.com (8.13.1/8.13.1) with ESMTP id jB20TD75022197; Thu, 1 Dec 2005 18:29:13 -0600 Received: from scmp-m23.mail.aol.com (scmp-m23.mail.aol.com [172.21.28.106]) by omr-m08.mx.aol.com (v107.10) with ESMTP id RELAYIN7-8438f95576; Thu, 01 Dec 2005 19:29:11 -0400 Received: from imo-d21.mx.aol.com (imo-d21.mail.aol.com [172.18.157.195]) by scmp-m23.mail.aol.com (v98.19) with ESMTP id RELAYIN2-3438f95441a; Thu, 01 Dec 2005 19:28:52 -0400 Received: from [EMAIL PROTECTED] by imo-d21.mx.aol.com (mail_out_v38_r6.3.)
id f.2b7.128060a (58677) for [EMAIL PROTECTED]; Thu, 1 Dec 2005 19:28:45 -0500 (EST) From: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Date: Thu, 1 Dec 2005 19:28:45 EST Subject: *SPAM* Client TOS Notification To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--=_438F955B.164385DC X-Mailer: 9.0 for [EMAIL PROTECTED] X-AOL-COUNTRY-CODE: US X-Spam-Flag: YES X-AOL-IP: 172.21.28.106 X-Loop: scomp X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 (enoch.cciminstitute.com [10.0.2.195]); Thu, 01 Dec 2005 18:29:13 -0600 (CST) X-Virus-Scanned: ClamAV version 0.87.1, clamav-milter version 0.87 on enoch.cciminstitute.com X-Virus-Status: Clean X-Spam-Status: Yes, score=5.2 required=4.0 tests=AWL,BAYES_00, DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_MSGID_AOL,HTML_MESSAGE, NO_REAL_NAME,SARE_SPEC_CLIENT_TOS,SARE_SPEC_CLIENT_TOS2,SPF_PASS autolearn=no version=3.1.0 X-Spam-Level: * X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on enoch.cciminstitute.com Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 02 Dec 2005 00:29:18.0390 (UTC) FILETIME=[6E99C560:01C5F6D7]
Re: Problems with AOL's TOS reports
Justin Mason wrote: you should _definitely_ whitelist AOL's scomp source address -- preferably using whitelist_from_spf, as they publish a reliable SPF record for aol.net. --j. Thanks. That did the trick: X-Spam-Status: No, score=-94.8 required=4.0 tests=AWL,BAYES_00, DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_MSGID_AOL,HTML_MESSAGE, NO_REAL_NAME,SARE_SPEC_CLIENT_TOS,SARE_SPEC_CLIENT_TOS2,SPF_PASS, USER_IN_SPF_WHITELIST autolearn=no version=3.1.0 Return-Path: [EMAIL PROTECTED]
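The advice in the two AOL replies above (whitelist through SPF or RCVD, not a plain whitelist_from) can be checked mechanically in a site's .cf files. This is an added example, not code from any poster or from SpamAssassin; the function name, the addresses and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag whitelist entries that trust the From: header alone.

# audit_whitelist   (reads SpamAssassin .cf text on stdin)
# Prints one line per plain whitelist_from address, then a summary.
# Returns 1 if any forgeable entry was found, 0 otherwise.
audit_whitelist() {
    awk '
        { sub(/#.*/, "") }        # drop comments (escaped \# is not handled)
        $1 == "whitelist_from" {
            # whitelist_from accepts several addresses on one line
            for (i = 2; i <= NF; i++) {
                printf "line %d: forgeable: whitelist_from %s\n", NR, $i
                bad++
            }
        }
        # Entries tied to an SPF pass or to the relaying host
        $1 == "whitelist_from_spf" || $1 == "whitelist_from_rcvd" { ok++ }
        END {
            printf "%d forgeable, %d authenticated\n", bad, ok
            exit (bad > 0)
        }'
}

# Constructed local.cf fragment; all addresses are placeholders.
sample_cf() {
cat <<'EOF'
# site-wide whitelist
whitelist_from       reports@example.net           # trusts From: text only
whitelist_from_spf   reports@example.net           # needs an SPF pass
whitelist_from_rcvd  list@example.org example.org  # needs a matching relay
whitelist_from       *@example.com friend@example.org
score SOME_LOCAL_RULE 0
EOF
}

sample_cf | audit_whitelist || :
```

A plain whitelist_from line is still reported when the same address also has a whitelist_from_spf entry, because the plain entry keeps matching forged mail on its own.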
Re: How effective is it?
John Woolsey wrote: Is SA more effective than popfile? And can you manually train it (if you have root access)? - thanx - JAW I set up popfile on clients' computers to help them both with spam and categorization, but it's not the best solution to spam. 1. Yes. It has access to more tests. Popfile is only (only?) a Bayes analysis filter. SpamAssassin uses a wide variety of tests, some coming with the system, some self-made, and some from places like Rules Emporium. 2. Yes, but root access is not required. I set up IMAP folders should-be-spam and should-be-ham for each user and have them drag messages that are misclassified into them. A scheduled job (run as root) executes sa-learn to update Bayes filters. For example:

sa-learn --spam --mbox /home/*/mail/should-be-spam
sa-learn --ham --mbox /home/*/mail/should-be-ham

-- Steve
Re: Error when attempting to run sa-stats
Jason Kratzer wrote: Do I need to install the module or can I run it from the install directory. I was unable to find the documentation for it. [EMAIL PROTECTED] tools]# ./sa-stats.pl Can't locate Parse/Syslog.pm in @INC (@INC contains: perl -MCPAN -e shell install Parse::Syslog That should do it. However, I get a lot of zeros from sa-stats. It's looking at /var/log/maillog, but not seeing the spam reports there. What's the trick? -- Steve
Re: Error when attempting to run sa-stats
jdow wrote: From: Steven Stern [EMAIL PROTECTED] Jason Kratzer wrote: Do I need to install the module or can I run it from the install directory. I was unable to find the documentation for it. [EMAIL PROTECTED] tools]# ./sa-stats.pl Can't locate Parse/Syslog.pm in @INC (@INC contains: perl -MCPAN -e shell install Parse::Syslog That should do it. However, I get a lot of zeros from sa-stats. It's looking at /var/log/maillog, but not seeing the spam reports there. What's the trick? Set the start and end times. sa-stats.pl --help {^_^} How odd... If I don't set start/end, it shows the same dates in the left column but puts zeros in the right. With the dates, it shows the correct info. -- Steve
Re: why doesn't this email get detected as spam?
Andreas Kotowicz wrote: attached email doesn't get any score. why is that? cheers, andreas What rules are you using? This is what I got from your email. Seems like a little bit of bayes training should catch it. result: X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO, OPTING_OUT_CAPS,SPF_PASS,URIBL_JP_SURBL,URIBL_OB_SURBL autolearn=no version=3.1.0 -- Steve