OT: simscan won't pass through SA tagged spam?
Sorry for the OT post, but the simscan list appears to be completely dead and I need to figure this out.

I've used simscan in the past with no problems; I just can't figure out what's happening to spam scoring higher than 6.0 but less than 12.0, so anybody who's familiar with the latest simscan, clues would be greatly appreciated.

I then reinstalled it again, with --enable-spam=yes, per-domain and passthrough, but while simscan appears to be rejecting spam fine, it's NOT passing spam higher than SA's required_score (6.0) but lower than simscan's spam_hits (12.0). I have no idea what's happening to that spam (6.0-11.9), but I assume it's being rejected, although for all I know it's being deleted. This used to work fine on an older server running an older version of simscan.

Can somebody clue me in to what the correct options are? Or is passthrough simply broken in this version of simscan?

TIA,

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      u...@3.am
http://3.am
Re: remove SURBL rules
On Wed, 17 Dec 2008, LuKreme wrote:
> On 16-Dec-2008, at 23:57, ram wrote:
>> http://www.surbl.org/usage-policy.html
> I did the 'request a quote'. For 3,000 users and 550,000 emails a day (hey, i was just making up numbers here) the cost is US$600/year. If you're a non-profit it's $500/year. Considering that includes SUPPORT, that's stupidly cheap. Which prices are unreasonable?

How many BLs does SA use? If they all started charging that, it could certainly add up, especially to a small operation in this economy.

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      u...@3.am
http://3.am
URIBL_BLACK
Of the fair amount of false negatives that get through, more than 90% of them appear to hit on URIBL_BLACK. I have incrementally increased it recently to a score of 5.0 (I hit on 6.0). The stuff that's still getting through seems to be hitting on only URIBL_BLACK.

I am very tempted to bump the score of it to 6.0 or higher, as it would drastically reduce spam, but I'd like to get any false positive feedback on doing that first. I haven't seen any so far, but I figure others must be doing this.

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: New free blacklist: BRBL - Barracuda Reputation Block List
On Tue, 23 Sep 2008, McDonald, Dan wrote:
> On Tue, 2008-09-23 at 17:21 -0400, [EMAIL PROTECTED] wrote:
>> Getting back to the subject...can anyone enlighten us to the efficacy of this DNSBL? For example, how does it compare to zen.spamhaus.org,
> It hits significantly more spam than zen.spamhaus.org
> On my primary mx, today I had 94 mails that hit a zen list but not brbl, 591 that hit a zen list and brbl, and 8042 that hit brbl but not zen. I am checking -lastexternal addresses only.
> Looking through the 2400 or so domains that were marked as spam, I didn't see any obvious false positives. Looking through the 631 domains that did not have enough points to be classed as spam, I didn't see more than one or two that shouldn't have been blocked. granted, i did not look through the emails themselves, just the domain name.
> I'm currently scoring it 1.0, and might raise it up to 2.0 in a couple of days if nobody starts squawking

I was actually hoping to use it like I use zen.spamhaus.org and dul.sorbs.net and just reject emails listed on those. It is very rare that I get a false positive from either, but their efficacy isn't what it used to be, either.

So, I just configured my tcpserver to invoke rblsmtpd using b.barracudacentral.org as well as the other two, and after only a few seconds, the difference was astounding. Here is perhaps 2 minutes worth of stats:

$ grep -c sorbs bl_stats
9
$ grep -c spamh bl_stats
228
$ grep -c barracud bl_stats
1321

I thought maybe something was broken and it was rejecting everything, but that doesn't appear to be the case. However, it may take a day or more to find out if the false positive ratio of this dnsbl is too high to use it like this.

Has anyone else done this? If so, what does the FP situation look like?

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: New free blacklist: BRBL - Barracuda Reputation Block List
On Wed, 24 Sep 2008, [EMAIL PROTECTED] wrote:
> I was actually hoping to use it like I use zen.spamhaus.org and dul.sorbs.net and just reject emails listed on those. It is very rare that I get a false positive from either, but their efficacy isn't what it used to be, either.
> So, I just configured my tcpserver to invoke rblsmtpd using b.barracudacentral.org as well as the other two, and after only a few seconds, the difference was astounding. Here is perhaps 2 minutes worth of stats:
>
> $ grep -c sorbs bl_stats
> 9
> $ grep -c spamh bl_stats
> 228
> $ grep -c barracud bl_stats
> 1321

Replying to myself, after I sent this, it occurred to me that the query order is a huge factor...rblsmtpd stops scanning after the first hit. Here is what I got when I put zen in front of barracuda and ran it for maybe 30 seconds:

$ grep -c barracud bl_stats2
22
$ grep -c spamh bl_stats2
355
$ grep -c sorbs bl_stats2
3

In other words, zen is probably actually more effective by itself than barracudacentral. Nonetheless, it helps a lot.

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
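The query-order effect described in the two posts above, as an added Python illustration that is not code from rblsmtpd or from the thread: it counts hits the way rblsmtpd logs them (the first list in query order that answers gets the credit, scanning stops) and also tallies the zen/brbl overlap the way Dan's independent figures were. The IPs and their listings are constructed, not real lookups; the helper names are mine.

```python
from collections import Counter

# Constructed sample (documentation-range IPs, made-up listings): which DNSBLs
# "list" each connecting IP. In reality each entry comes from a DNS lookup of the
# reversed IP under the list's zone; here it is hard-coded so the script runs offline.
LISTINGS = {
    "192.0.2.1": {"zen.spamhaus.org", "b.barracudacentral.org"},
    "192.0.2.2": {"b.barracudacentral.org"},
    "192.0.2.3": {"b.barracudacentral.org"},
    "192.0.2.4": {"zen.spamhaus.org", "b.barracudacentral.org", "dul.sorbs.net"},
    "192.0.2.5": {"dul.sorbs.net"},
    "192.0.2.6": set(),
    "192.0.2.7": {"zen.spamhaus.org"},
    "192.0.2.8": {"zen.spamhaus.org", "b.barracudacentral.org"},
}


def first_hit_counts(query_order, listings=LISTINGS):
    """Per-list rejection counts as rblsmtpd would log them: lists are queried
    in the given order and scanning stops at the first one that lists the IP,
    so the same traffic credits different lists depending on the order."""
    counts = Counter({bl: 0 for bl in query_order})
    for listed_in in listings.values():
        for bl in query_order:
            if bl in listed_in:
                counts[bl] += 1
                break  # rblsmtpd does not consult the remaining lists
    return dict(counts)


def rejected_total(query_order, listings=LISTINGS):
    """The total number of rejected connections does not depend on the order;
    only the per-list credit moves around."""
    return sum(first_hit_counts(query_order, listings).values())


def overlap_counts(a, b, listings=LISTINGS):
    """Order-independent comparison of two lists: only-a, both, only-b
    (the shape of the zen-vs-brbl numbers quoted in the thread)."""
    only_a = both = only_b = 0
    for listed_in in listings.values():
        in_a, in_b = a in listed_in, b in listed_in
        if in_a and in_b:
            both += 1
        elif in_a:
            only_a += 1
        elif in_b:
            only_b += 1
    return {"only_a": only_a, "both": both, "only_b": only_b}


if __name__ == "__main__":
    brbl_first = ["b.barracudacentral.org", "zen.spamhaus.org", "dul.sorbs.net"]
    zen_first = ["zen.spamhaus.org", "b.barracudacentral.org", "dul.sorbs.net"]
    print("brbl first:", first_hit_counts(brbl_first))
    print("zen first: ", first_hit_counts(zen_first))
    print("total rejected either way:", rejected_total(brbl_first), rejected_total(zen_first))
    print("zen vs brbl overlap:", overlap_counts("zen.spamhaus.org", "b.barracudacentral.org"))
```

Put the list you trust most first if you want its log count to mean "would have been rejected by this list alone"; the overlap tally is what to use when comparing lists.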
Re: New free blacklist: BRBL - Barracuda Reputation Block List
Getting back to the subject...can anyone enlighten us to the efficacy of this DNSBL? For example, how does it compare to zen.spamhaus.org, various DUL type lists, etc. I would love to reject more before SA gets involved.

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Rule for Russian character sets
We're suddenly getting a ton of spam with koi8-r encoding...I tried to do a custom rule for it like this:

header SUBJ_RUSS_CHAR Subject =~ /koi8-r/i
describe SUBJ_RUSS_CHAR has Russian char encoding
score SUBJ_RUSS_CHAR 3.5

The short headers for these spams look like this:

Subject: [koi8-r] ???

The raw Subject header, like this:

Subject: =?koi8-r?B?9/zkINDSxcTQ0snR1MnKINPFzcnOwdI=?=

I would think the rule would catch it either way...what am I missing?

TIA,

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: Rule for Russian character sets
On Thu, 14 Feb 2008, Per Jessen wrote:
> [EMAIL PROTECTED] wrote:
>> We're suddenly getting a ton of spam with koi8-r encoding...I tried to do a custom rule for it like this:
>>
>> header SUBJ_RUSS_CHAR Subject =~ /koi8-r/i
>> describe SUBJ_RUSS_CHAR has Russian char encoding
>> score SUBJ_RUSS_CHAR 3.5
>>
>> The short headers for these spams look like this:
>> Subject: [koi8-r] ???
>> The raw Subject header, like this:
>> Subject: =?koi8-r?B?9/zkINDSxcTQ0snR1MnKINPFzcnOwdI=?=
>> I would think the rule would catch it either way...what am I missing?
> I think this should work:
> header SUBJ_RUSS_CHAR Subject:raw =~ /koi8-r/i

That did it, thanks!

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
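Why the plain `Subject` rule missed and `Subject:raw` hits, as an added Python illustration that is not part of the thread: SpamAssassin matches a plain `Subject` against the RFC 2047-decoded text, so the `=?koi8-r?B?...?=` wrapper and its charset label are gone before the regex runs, while `:raw` matches the undecoded header. The sample subject is the one quoted above; `decode_subject`, `header_charsets` and `rule_hits` are my own helper names.

```python
import re
from email.header import decode_header

# The raw Subject quoted in the post above: one RFC 2047 base64 encoded-word in koi8-r.
RAW_SUBJECT = "=?koi8-r?B?9/zkINDSxcTQ0snR1MnKINPFzcnOwdI=?="


def decode_subject(raw):
    """Decode RFC 2047 encoded words the way a plain 'Subject' rule sees the header.
    decode_header yields (bytes, charset) for encoded words and (str, None) when the
    header contains no encoded words at all; both shapes are handled."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def header_charsets(raw):
    """Charset labels carried by the encoded words (what the MUA showed as [koi8-r])."""
    return [cs for _, cs in decode_header(raw) if cs]


def rule_hits(raw, pattern=r"koi8-r", use_raw=False):
    """Emulate 'header X Subject =~ /pattern/i' (decoded text) versus
    'header X Subject:raw =~ /pattern/i' (undecoded header)."""
    target = raw if use_raw else decode_subject(raw)
    return re.search(pattern, target, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("decoded subject :", decode_subject(RAW_SUBJECT))
    print("charsets        :", header_charsets(RAW_SUBJECT))
    print("Subject     hit :", rule_hits(RAW_SUBJECT))
    print("Subject:raw hit :", rule_hits(RAW_SUBJECT, use_raw=True))
```

The decoded text contains only Cyrillic, so the plain rule can never see the string "koi8-r"; a charset-based rule has to look at the raw header.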
Spamd not scoring after sa-update
I just performed a routine sa-update (just on stock SA rules, no SARE) and the scores are no longer appearing in the message headers, and spam isn't being filtered. The log shows the following:

Jul 10 09:26:39 mail spamd[37580]: spamd: result: . 0 - SARE_DIPLOMA2 scantime=0.6,size=40476,user=simscan,uid=0,required_score=6.0,rhost=localhost.pil.net,raddr=127.0.0.1,rport=2009,mid=[EMAIL PROTECTED],autolearn=no

The files look fine.

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: Email scoring way too high... what's wrong?
He's hitting on 2 different DUL rules, because he's sending directly from his DSL IP to your S/A server. You need to whitelist his IP address, or otherwise have it bypass S/A scanning.

On Tue, 5 Dec 2006, John Tice wrote:
> I have a new client whose mail is scoring way high... several others on the same server, different domains, score in negative numbers. Mail sent through a mail script on this domain scores -1.0. I believe they're using verizon dsl, windows xp w/ outlook or outlook express. This is just going from one domain to another on the same server (cpane). I'll send headers if you need them. Do they have a misconfigured router?
> John
>
> pts rule name           description
> --- ---------           -----------
> 0.0 BOTNET_CLIENTWORDS  Hostname contains client-like substrings
> 0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
> 1.0 BAYES_40            BODY: Bayesian spam probability is 20 to 40% [score: 0.3651]
> 0.7 HTML_MESSAGE        BODY: HTML included in message
> 3.0 RCVD_IN_SORBS_DUL   RBL: SORBS: sent directly from dynamic IP address [71.254.35.168 listed in dnsbl.sorbs.net]
> 3.0 RCVD_IN_NJABL_DUL   RBL: NJABL: dialup sender did non-local SMTP [71.254.35.168 listed in combined.njabl.org]
> 0.0 BOTNET_CLIENT       Hostname looks like a client hostname
> 5.0 BOTNET              Any Botnet rule hit

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Recommended latest Perl version
I've been running SA on 5.6.1, but I'm building a new FreeBSD box and its preferred version is 5.8. I noticed that in the SA docs, it mentions performance problems with 5.8. FreeBSD has version 5.6.2 in ports, but I seem to recall that one shouldn't use perl versions that ended in even numbers, as they were considered development versions.

What is the best, latest version of Perl that should be used with SA? I didn't see it in the FAQ.

TIA,

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: Am I wasting my time with SpamCop?
On Wed, 2 Aug 2006, Andrzej Adam Filip wrote:
> Steven W. Orr [EMAIL PROTECTED] writes:
>> On Wednesday, Aug 2nd 2006 at 13:50 -0700, quoth Derek Harding:
>>> On Wed, 2006-08-02 at 16:37 -0400, Tom Ray wrote:
>>>> Anyone serious about stopping SPAM should not use SpamCop. They have no real checking method, it's like AOL's spam blocking method...they just let users submit what they think is spam and then block it. It's pointless. There's not even a way to contact anyone at SpamCop to fix a falsely listed server or what not.
>>> Spamcop has its problems, some very serious, however the above
>> Hold on there Bullwinkle! I have been religiously using spamcop in the hopes that the reports that are sent out get used by at least some of the ISPs. Am I wrong about this?
> They help keep *good* ISPs clean. Bad ISPs care very little. I assume I receive 1% of received spam from good ISPs. It is not a bad idea to post copies of spamcop.net submitted spam (after munging) to NANAS with spamcop.net report link.

I like to think that I'm a good ISP, but I've had at least one of my servers listed a few times by them. They delist in 24 hours, but there are still people who reject using SpamCop as a BL. I do not recommend this.

Spamcop lists any server that bounces email into one of their spam traps. I contacted them via their newsgroups and they are adamant that no server should ever bounce email or have any kind of autoreply. While I agree that bouncing (as opposed to rejecting) email because it is detected as spam or a virus is very bad, they're basically insisting that you violate RFCs 2821 and 3464. If you have customer autoresponders, you're SOL. If you host mailing lists that use an autoreply confirmation (itself an anti-spam measure), you're SOL. They insist that this is bad behavior. I insist that it's necessary for my business and in compliance with all applicable RFCs.

I use them in SA...2.0 score, which I lowered from 3.5 when I noticed that yahoo groups were listed. But the only BLs I reject against are sbl-xbl, which catches a big chunk with virtually no false positives.

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
BL hits on wrong host
I've seen this before, but it's been a while. An AOL user who's on Verizon DSL sends an email that trips two DNS BLs in SA. This user's Verizon DSL IP is listed for being an open relay, which it may or may not be, since this is presumably a dynamic IP. The mail is then relayed through AOL's network, which is NOT listed in said BLs.

Shouldn't these BLs only hit on the last Received: host? Or does this only apply to DUL-type BLs?

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
3.1.2 issue with UnixNFSSafe.pm ?
A couple of days after an upgrade from 3.0.4 to 3.1.2, I'm noticing that it seems a lot slower. I turned off most network tests, including DCC, Pyzor and Razor and it still looks like there's an issue. I raised max children from 15 to 25, yet it still seems to be spending most of its time at 25, and smtp connections are stacking up behind it and occasionally spamd is so overwhelmed a spam gets through with no checks. CPU also spikes up to over 20.0 at times, on a dual Xeon server with maybe a thousand mailboxes.

In the logs, the only thing I see that's showing an issue with SA is this:

May 31 07:53:52 mail spamd[59117]: Use of uninitialized value in subtraction (-) at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Locker/UnixNFSSafe.pm line 102, GEN108 line 46.

Could this be causing children to hang? They seem to take forever to exit...

thanks!

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
RE: 3.1.2 issue with UnixNFSSafe.pm ?
On Wed, 31 May 2006, Bowie Bailey wrote:
> [EMAIL PROTECTED] wrote:
>> A couple of days after an upgrade from 3.0.4 to 3.1.2, I'm noticing that it seems a lot slower. I turned off most network tests, including DCC, Pyzor and Razor and it still looks like there's an issue. I raised max children from 15 to 25, yet it still seems to be spending most of its time at 25, and smtp connections are stacking up behind it and occasionally spamd is so overwhelmed a spam gets through with no checks. CPU also spikes up to over 20.0 at times, on a dual Xeon server with maybe a thousand mailboxes.
>> In the logs, the only thing I see that's showing an issue with SA is this:
>> May 31 07:53:52 mail spamd[59117]: Use of uninitialized value in subtraction (-) at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Locker/UnixNFSSafe.pm line 102, GEN108 line 46.
>> Could this be causing children to hang? They seem to take forever to exit...
> Sounds like it could be a memory issue. Check your memory usage and see if you are going into swap. If so, lower max children until it stops using swap. Once SA starts using swap memory, performance goes way down. The network tests are unlikely to be the culprit. Usually, excessive memory use is caused by having one or two really large add-on rule sets.

According to top, it most definitely does not look like a memory issue...more CPU than anything:

last pid: 21486;  load averages: 30.71, 27.04, 21.48   up 1+18:19:37  11:10:07
750 processes: 22 running, 727 sleeping, 1 zombie
CPU states: 86.0% user, 0.0% nice, 13.6% system, 0.4% interrupt, 0.0% idle
Mem: 662M Active, 948M Inact, 297M Wired, 56M Cache, 199M Buf, 48M Free
Swap: 4000M Total, 4000M Free

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
RE: 3.1.2 issue with UnixNFSSafe.pm ?
On Wed, 31 May 2006 [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>> A couple of days after an upgrade from 3.0.4 to 3.1.2, I'm noticing that it seems a lot slower. I turned off most network tests, including DCC, Pyzor and Razor and it still looks like there's an issue.
> Is it possible that you're locking on a Bayes write? Try disabling Bayes temporarily. If that fixes it, move to a SQL-based Bayes instead of DBM.

Ugh...I have seen some locking errors where I wasn't before. Would simply turning off auto-learning accomplish the same thing? If it needs to be turned off altogether, will just commenting out bayes_path in local.cf do it? I don't see any other reference in the docs...

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: 3.1.2 issue with UnixNFSSafe.pm ?
On Wed, 31 May 2006, Theo Van Dinter wrote:
> On Wed, May 31, 2006 at 11:12:03AM -0400, [EMAIL PROTECTED] wrote:
>> May 31 07:53:52 mail spamd[59117]: Use of uninitialized value in subtraction (-) at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Locker/UnixNFSSafe.pm line 102, GEN108 line 46.
> Hrm. That's not good. Seems like there's a race condition in there. :(
> 1) If you can open a bz ticket about that, we ought to prod the code and try to eliminate the race.

Will do.

> 2) If the files are on local disk, switch to using the flock method instead. It's much better, imo.

Wow, I didn't even know that was a config option (didn't see it in the docs). I just switched it and so far, it appears to have done the trick, although the condition was coming and going, so I'll keep an eye on it.

Thanks again!

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: 3.1.2 issue with UnixNFSSafe.pm ?
On Wed, 31 May 2006 [EMAIL PROTECTED] wrote:
> On Wed, 31 May 2006, Theo Van Dinter wrote:
>> On Wed, May 31, 2006 at 11:12:03AM -0400, [EMAIL PROTECTED] wrote:
>>> May 31 07:53:52 mail spamd[59117]: Use of uninitialized value in subtraction (-) at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Locker/UnixNFSSafe.pm line 102, GEN108 line 46.
>> Hrm. That's not good. Seems like there's a race condition in there. :(
>> 1) If you can open a bz ticket about that, we ought to prod the code and try to eliminate the race.
> Will do.
>> 2) If the files are on local disk, switch to using the flock method instead. It's much better, imo.
> Wow, I didn't even know that was a config option (didn't see it in the docs). I just switched it and so far, it appears to have done the trick, although the condition was coming and going, so I'll keep an eye on it.

It appeared to have fixed the race condition from what I could see...cpu was down, number of children, smtp connections, etc. However, about 12 minutes ago, the spamd parent died for the second time since the upgrade. Here is all I could find in the maillog:

May 31 12:59:44 mail spamd[35583]: spamd: result: Y 12 - BAYES_80,FORGED_RCVD_HELO,HTML_40_50,HTML_MESSAGE,RCVD_IN_DSBL,URIBL_JP_SURBL,URIBL_SBL scantime=0.9,size=2585,user=simscan,uid=0,required_score=6.0,rhost=localhost.pil.net,raddr=127.0.0.1,rport=4599,mid=[EMAIL PROTECTED],bayes=0.930576978197612,autolearn=no
May 31 12:59:49 mail qmail: 1149094789.960550 new msg 289788
May 31 12:59:49 mail qmail: 1149094789.960823 info msg 289788: bytes 14074 from [EMAIL PROTECTED] qp 35721 uid 1003
May 31 12:59:49 mail spamc[35739]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
May 31 12:59:49 mail spamc[35744]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
May 31 12:59:50 mail qmail: 1149094790.217124 starting delivery 70430: ms

(deliveries continued, without filtering)

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
3.1.2 spamd dies without warning
I upgraded from 3.0.4 yesterday without too much trouble...once I got 3.1.2 online, I noticed a nice reduction in false negatives, and cpu remained low (holiday here in US). This morning, spamd died with no warning, except of course a huge increase in spam. Nothing in /var/log/messages, and only this in maillog:

May 30 08:19:27 mail spamd[83175]: spamd: result: Y 44 - BAYES_99,EXTRA_MPART_TYPE,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR2,HTML_90_100,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,INFO_TLD,MIME_HTML_MOSTLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,RCVD_IN_NJABL_DUL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=1.5,size=13627,user=simscan,uid=0,required_score=6.0,rhost=localhost.pil.net,raddr=127.0.0.1,rport=2895,mid=000c01c68[EMAIL PROTECTED],bayes=0.9998609,autolearn=spam
May 30 08:19:34 mail spamc[83329]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
May 30 08:19:34 mail spamc[83359]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused

It took me about an hour and a half to notice it. I restarted spamd and it's going ok at moderate cpu use. Here are my flags with which I start spamd:

/usr/local/bin/spamd -m 15 -d -x -r /var/run/spamd.pid

The only changes I made with the upgrade were that I enabled SPF, DCC and Pyzor. When building the new version, it did complain about an outdated razor2 software, but as it was only a warning (and I'd never had problems with it before), I didn't bother to UG.

Any ideas as to the possible cause?

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: 3.1.2?
On Thu, 27 Apr 2006, Theo Van Dinter wrote:
> On Wed, Apr 26, 2006 at 05:32:45PM -0400, Joe Flowers wrote:
>> Any educated guesses on when 3.1.2 will be released? From a selfish point of view, I'm trying to kill several upgrades with one stone.
> I was hoping to get it out this month, but I think it'll probably be next early month before it's all ready to go. ie: hopefully a week or two, depending on how much time people have to create/review patches, etc.

Any word on this? Same motivations here... :-/

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: DO NOT Filter this list!!!
On Thu, 16 Feb 2006, mouss wrote:
> Matt Kettler wrote:
>> Philip Prindeville wrote:
>>> Well, I could whitelist the list sender, but the MAIL FROM: includes a monotonically increasing integer... so it's never the same string twice. That sort of shoots us in the foot, doesn't it? ;-)
>> Not really:
>> whitelist_from_spf [EMAIL PROTECTED]
> doesn't this require always_trust_envelope_sender 1 (as well as correctly setting trusted_networks)?
>> bayes_ignore_to users@spamassassin.apache.org
>> bayes_ignore_to spamassassin-users@incubator.apache.org
>> bayes_ignore_from [EMAIL PROTECTED]

Wouldn't a simple:

whitelist_to users@spamassassin.apache.org

Accomplish pretty much the same thing?

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
False positives received from localhost
I've had a couple of these since upgrading to 3.0.4. Headers with NO IP address in it, just this:

Received: from localhost by (our server)

I assume that if it's not a bug on my end, some users and/or servers are sending out from 127.0.0.1, which in turn sets off:

RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL

Strange that qmail would not put an IP address in the received from: headers, though...

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: Is Bayes Really Necessary?
On Thu, 26 May 2005, Joe Zitnik wrote:
> I think points can be made for both sides of the argument. The thing that makes bayes different, is that a well trained bayes database is specific to your environment. If you're a law firm, your learned ham is going to be heavy in legalese, medical related org, heavy in that terminology. Because spam and ham is learned specific to your environment, it can make a big difference.
>
>> Jake Colman [EMAIL PROTECTED] 5/26/2005 10:08 AM
>> Given the rather complete set of rules that ship with SA and which can be expanded with SARE, does bayes learning really help? Won't the rules catch pretty much everything anyway?

Bayes definitely helps, but auto-learn can cause problems. Perhaps a better question would be, "Is autolearn really necessary?"

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Spam with BAYES_00
(running 3.0.2)

Nearly all spam that gets through is being tagged as BAYES_00 since I started using sbl_xbl at the smtp level (before that, a lot more was hitting). I've been using the same corpus with daily manual additions of my own, and also using 70_sare_bayes_poison_nxm.cf to prevent this kind of thing, but it looks like the auto-learn has been learning some of the wrong stuff. I also run sa-learn --force-expire every night via cron.

Ideas? I'm wondering if training a lot more SPAM than HAM could cause this (still well over the minimum amount of ham).

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Subroutine redefined errors in mail log?
I'm suddenly getting errors on both custom and built-in rules in my maillog:

Feb 6 23:20:28 mail spamd[66363]: Subroutine PORN_16_body_test redefined at /usr/local/share/spamassassin/20_porn.cf, rule PORN_16, line 10, GEN139 line 208.
Feb 6 23:20:28 mail spamd[66363]: Subroutine SARE_BIGRMEMBER_body_test redefined at /etc/mail/spamassassin/70_sare_adult.cf, rule SARE_BIGRMEMBER, line 10, GEN139 line 208.
Feb 6 23:20:28 mail spamd[66363]: Subroutine SARE_ADULT1_body_test redefined at /etc/mail/spamassassin/70_sare_adult.cf, rule SARE_ADULT1, line 10, GEN139 line 208.
Feb 6 23:20:28 mail spamd[66363]: Subroutine SARE_ADULT2_body_test redefined at /etc/mail/spamassassin/70_sare_adult.cf, rule SARE_ADULT2, line 10, GEN139 line 208.
Feb 6 23:20:28 mail spamd[66363]: Subroutine __DRUGS_ERECTILE_C_body_test redefined at /usr/local/share/spamassassin/20_drugs.cf, rule __DRUGS_ERECTILE_C, line 10, GEN139 line 208.

What does this even mean? --lint doesn't show any errors...

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Custom rule not being recognized
I just created a rule for the most common spams that have been making it through SA, but for some reason, it's not showing up in the tests:

body SEE_ATTACH /See attachment message.html/i
describe SEE_ATTACH body contains See attachment message.html
score SEE_ATTACH 5.0

--lint shows no problems

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: Custom rule not being recognized
On Mon, 7 Feb 2005, Alex Broens wrote:
> [EMAIL PROTECTED] wrote:
>> On Mon, 7 Feb 2005 [EMAIL PROTECTED] wrote:
>>> I just created a rule for the most common spams that have been making it through SA, but for some reason, it's not showing up in the tests:
>>> body SEE_ATTACH /See attachment message.html/i
>>> describe SEE_ATTACH body contains See attachment message.html
>>> score SEE_ATTACH 5.0
>>> --lint shows no problems
>> (replying to my own post) I found out what the problem is, and it seems like it should be considered a bug in SA. The text in question is in the second line of the body of the message, and it seems it is being ignored by SA, because if I insert a couple of LFs to move it down, the rule kicks in. I had tried changing it from body to header (also tried rawbody) and that didn't work. Here is a look at the offending message, sans the html attachment:
> have you tried escaping the period?
> body SEE_ATTACH /See attachment message\.html/i

Yes, I did...that didn't fix the problem, only inserting the LFs worked. It was like SA did not recognize the first two lines of the body at all.

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: {Spam?} Re: Outgoing mail scanning
This is old news...I got nailed with the Matt's FormMail.pl hack a couple of years ago...the solution is to use the NMS (Not Matt's Scripts) drop-in replacement:

http://nms-cgi.sourceforge.net/

AFAIK, the NMS version is immune to these hacks, if implemented properly.

On Mon, 7 Feb 2005, Rakesh wrote:
> Hi all,
> Since this specific post involves the FormMail.pl, I thought you guys might be interested in this article and its suggestions
> http://www.linuxexposed.com/Articles/Hacking/The-FormMail-Hack-Explained.html
> regards
> Rakesh
>
> EB wrote:
>> Hi Kenneth:
>> But did you change the /etc/rc.d/init.d/sendmail file to point elsewhere? Because it's pointing to the /usr/sbin/sendmail now and it's expecting it as a daemon.
>> Karen
>>
>> On Fri, 04 Feb 2005 15:18:10 -0600, Kenneth Andresen [EMAIL PROTECTED] wrote:
>>> Hello Filip,
>>> Thank you for your script! I have been looking up several alternative paths now, and yours seem to be the better way to go. I had not noticed before that /usr/sbin/sendmail in fact only was a symlink.
>>> I have been testing your script, and it is necessary for me to modify it. This is what I did:
>>> I stored your script on my own local machine, added execute permissions, and made the symlink /usr/sbin/sendmail point to that file. I edited the script with the sendmail variable to point to /etc/alternatives/mta (which points to the true sendmail executable on all my redhat based systems)
>>> Then I tried to execute the following from command line:
>>>   echo -e "test\ntest" | mail -s test [EMAIL PROTECTED]
>>> that gave the result 2.6/5.0...
>>> The mail was sent, without any modification, but that's likely because I did it on the command line. Anyway, the script has been of great help, and I will likely have a filter in place some time next week.
>>> Best regards,
>>> Kenneth
>>>
>>> On Mon, 2005-01-31 at 17:43, Andrzej Adam Filip wrote:
>>>> Kenneth Andresen wrote:
>>>>> How is it possible to make such a sendmail wrapper script? Any links to examples?
>>>> No but you can modify the script below to fit your needs:
>>>>
>>>> #!/bin/sh
>>>> # temporary directory
>>>> TMPDIR=/tmp
>>>> # temporary working file name - unix time and process ID
>>>> TMPFILE=`/bin/date +%s`.$$
>>>> # temporary working file full path
>>>> TMPPATH=$TMPDIR/$TMPFILE
>>>> # true sendmail path
>>>> SENDMAIL=/usr/sbin/sendmail
>>>> # directory to keep classified as spam messages
>>>> QUARANTINEDIR=/var/spool/quarantine
>>>> # remove temporary file in case of problems (on exit, HUP, INT, QUIT, TERM)
>>>> trap "rm -f $TMPPATH" 0 1 2 3 15
>>>> # copy input (the message handed to "sendmail") to temporary file
>>>> cat - > $TMPPATH
>>>> # use spamc to check if it is a spam: -c exits 0 for ham, 1 for spam
>>>> spamc -c < $TMPPATH
>>>> if [ $? = 0 ] ; then
>>>>   # No spam or spamc error: hand the message to the real sendmail with the original arguments
>>>>   $SENDMAIL "$@" < $TMPPATH
>>>>   EXITCODE=$?
>>>>   rm -f $TMPPATH
>>>>   exit $EXITCODE
>>>> else
>>>>   # classified as spam: quarantine the message and record the sendmail arguments beside it
>>>>   mv $TMPPATH $QUARANTINEDIR/$TMPFILE
>>>>   echo "$@" > $QUARANTINEDIR/$TMPFILE.options
>>>> fi
>
> --
> regards,
> Rakesh B. Pal, Project Leader, Emergic CleanMail Team.
> Netcore Solutions Pvt. Ltd.
> == I came, I saw, I conquered ==

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: SA being overwhelmed?
This is strange...you're quoting me, and the subject of an email I posted, but the body of the message is somebody else's...I don't even run postfix, I run qmail.

In any case, I seem to have alleviated the inundation for now. I was running rblsmtpd against sbl-xbl.spamhaus.org, but I hadn't patched it to recognize A records, only the default TXT. As soon as I applied the patch and restarted tcpserver, most of the spam is now refused before SA has to even deal with it. A godsend!

On Sat, 5 Feb 2005, Thomas Arend wrote:
> On Friday, 4 February 2005 22:49, [EMAIL PROTECTED] wrote:
>> It looks like spamassassin is trying to parse the Postfix master.cf file.
>> Yes, it looks like. The machine was running fine for several months. This morning I copied over some custom rules from the SARE site, but that was it, I just copied them over. Now SA is not flagging any mail. Any suggestions? Our secondary mx box is picking up the load right now.
> Check your file system. Check the files in /etc/mail/spamassassin with grep. Check the copied files.
> Thomas
>> Shane
> --
> icq:133073900 http://www.t-arend.de

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
SA 3.x files in root FS
Upgraded to 3.0.2 a couple of weeks ago, and just noticed that the root FS was nearly full. I had seen this problem in the past with bayes files growing out of control, but have been doing a sa-learn --force-expire daily which helps keep that under control. However, now I noticed two other files that hadn't been a problem in the past:

/root/.razor/razor-agent.log
/root/.spamassassin/auto-whitelist

I deleted the razor-agent.log and put a cron job in to delete it nightly, but I am not sure whether I should do this with the auto-whitelist file...does spamd consult this file every time? What's the best way to keep it under control?

Not to quibble, but why doesn't the SA default to putting all these files under /var or at least /usr ? Filling up the root FS can cause big problems...

Thanks,

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am
Re: BAYES_99 = 1.9?
On Mon, 17 Jan 2005, Thomas Arend wrote:
> With network tests enabled bayes scores lower. This is a problem when the network tests don't fire when the spammer uses a new server. Therefore I have raised the bayes scores for bayes_99. I seldom get bayes_90 so I didn't raise the scores for bayes_90.

Rational, I suppose, but I use the network tests and still found it necessary to bump the bayes 9x up to get decent results after upgrading from 2.63 the other day.

BTW, it looks like bayes_90 has been deprecated. When I run a lint on my local.cf, I get:

warning: score set for non-existent rule BAYES_90

James Smallacombe    PlantageNet, Inc.
CEO and Janitor      [EMAIL PROTECTED]
http://3.am