Re: New Install - Tons of Spam Getting Through

2016-08-19 Thread RW
On Thu, 18 Aug 2016 20:59:29 -0500
Jerry Malcolm wrote:


> understood why I can't get report headers at all.  I could modify
> james to get the modified msg returned with the headers and replace
> the original msg with the updated msg.  But I don't see that as
> necessary.  In other words, this is NOT a james issue.  I can get
> report headers now if I really need to by saving a message to a file
> and running spamc.

It's not quite the same because it's not contemporaneous, and network
test results can change dramatically within minutes of delivery. 

If you search the spamd log file for an email's message-id, you can get
a list of the rules that the email hit. 
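
The log search suggested above, as an added example that is not part of RW's message: it pulls the rule list out of spamd "result:" lines for one Message-ID. The log lines are constructed samples in the shape spamd writes, and the name rules_for_mid is hypothetical.

```python
import re

# spamd logs one "result:" line per scanned message: verdict flag (Y or .),
# rounded score, comma-separated rule names, then key=value fields with mid=.
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<rules>\S*) (?P<fields>.*)$"
)
MID_RE = re.compile(r"(?:^|,)mid=(?P<mid><[^>]*>|[^,]*)")

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
Fri Aug 19 09:12:41 2016 [2040] info: spamd: processing message <ad-7731@mailer.example> for (unknown):0
Fri Aug 19 09:12:44 2016 [2040] info: spamd: result: Y 7 - DCC_CHECK,HTML_MESSAGE,URIBL_BLACK scantime=2.4,size=3120,user=(unknown),uid=0,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50112,mid=<ad-7731@mailer.example>,autolearn=no
Fri Aug 19 09:13:02 2016 [2041] info: spamd: result: . 0 - HTML_MESSAGE,URIBL_BLOCKED scantime=0.9,size=2980,user=(unknown),uid=0,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=50113,mid=<note-0042@corp.example>,autolearn=no
""".splitlines()


def rules_for_mid(message_id, log_lines):
    """Return every scan result logged for message_id (it may be scanned twice)."""
    wanted = message_id.strip().strip("<>")
    hits = []
    for line in log_lines:
        m = RESULT_RE.search(line.rstrip("\n"))
        if not m:
            continue  # not a result line
        mid = MID_RE.search(m["fields"])
        if not mid or mid["mid"].strip("<>") != wanted:
            continue
        hits.append({
            "spam": m["flag"] == "Y",
            "score": int(m["score"]),
            # An empty rule list is logged as an empty token; drop it.
            "rules": [r for r in m["rules"].split(",") if r],
        })
    return hits


if __name__ == "__main__":
    for hit in rules_for_mid("<note-0042@corp.example>", SAMPLE_LOG):
        print(hit)
```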


Re: New Install - Tons of Spam Getting Through

2016-08-19 Thread Groach



On 19/08/2016 11:58, Axb wrote:

Question:

Does it also support adding 3rd party (native Perl) plugins?
or are you tied to the precompiled collection delivered by JAM?

Jam's product runs with Perl - so any perl plugins provided for 
Spamassassin should work on the windows versions too.  FYI:  if you have 
a windows environment available, why not download the free version: 
http://www.jam-software.com/spamassassin/download.shtml, install and 
take a look around.  (The free version is SA as we know it without Jam's 
'special' tailoring that the paying users get).



Many subscribers just don't have the patience and *instead of just 
ignoring the thread*, display a tendency to preach or worse, overwhelm 
the beginner with info they can't process.


Yeah, and that's the problem.  "Instead of ignoring the thread" they feel 
it necessary to waste their, and everyone else's time with non-relevant 
and sometimes hostile drivel.  People should just turn off, have a 
drink, take 5 or unsubscribe if they don't like what they read.  Not 
everyone will have the same opinion and no one has THE only opinion in 
the world.


Back to topic


Re: New Install - Tons of Spam Getting Through

2016-08-19 Thread Axb

Question:

Does it also support adding 3rd party (native Perl) plugins?
or are you tied to the precompiled collection delivered by JAM?

As to the list's hostility, imo, most of the beginner's questions could 
be answered by reading the docs or using a  search machine.
Instead, many new users expect somebody else to drop everything and 
help them do their job.
Many subscribers just don't have the patience and instead of just 
ignoring the thread, display a tendency to preach or worse, overwhelm 
the beginner with info they can't process.


It's also becoming increasingly hard to get beginners to provide the 
correct information to help them so when crystal ball quota is exceeded, 
the tone can become uncomfortable...


Axb

Disclaimer: This is my personal opinion and does not reflect the 
project's policy or anything else.




On 08/19/2016 11:39 AM, Groach wrote:


FYI

I and many others use Jam's windows port of Spamassassin.  It is exactly
the same as the linux version in what it can and can't do. Users can
modify with plugins, rules, scoring overrides etc just the same as you
do on linux.  Spamd, spamc, spamassassin... all the same.  The only
thing that is different are (obviously) program paths and how you refer
to them (but as a windows user you would come to know that and learn your
way around it when reading linux-orientated manuals).

On 18/08/2016 20:10, Jerry Malcolm wrote:

Thanks for the quick response.  I'll try to reply with what I know.
But I purchased a package "SpamAssassin In A Box" from JAM Software.
I ran the installer, and that's it.  I'm sorry that I don't know
more.  But I don't know much about the inner workings. I was just
hoping it would work.


Spamassassin doesn't 'just work' *sufficiently* straight after install.
You will need to tweak (turn off and turn on) things to make it optimum.

As a purchaser of Jam's paid product, you can contact Jam support
directly and they will help advise you on what you need to do to "get it
working".  They have been useful to me and others.

(You will also get more direct help instead of having to endure the
constant incessant bickering and sniping and the _"I'm right, he's
wrong"_ chest-beating that this mailing list tends to be populated
with especially between the users that assume that those who are asking
the questions for help because they have a lack of knowledge don't have
the right to ask the basic because they are not knowledgeable enough.)





Re: New Install - Tons of Spam Getting Through

2016-08-19 Thread Groach


FYI

I and many others use Jam's windows port of Spamassassin.  It is exactly 
the same as the linux version in what it can and can't do. Users can 
modify with plugins, rules, scoring overrides etc just the same as you 
do on linux.  Spamd, spamc, spamassassin... all the same.  The only 
thing that is different are (obviously) program paths and how you refer 
to them (but as a windows user you would come to know that and learn your 
way around it when reading linux-orientated manuals).


On 18/08/2016 20:10, Jerry Malcolm wrote:
Thanks for the quick response.  I'll try to reply with what I know.  
But I purchased a package "SpamAssassin In A Box" from JAM Software.  
I ran the installer, and that's it.  I'm sorry that I don't know 
more.  But I don't know much about the inner workings. I was just 
hoping it would work.


Spamassassin doesn't 'just work' *sufficiently* straight after install.  
You will need to tweak (turn off and turn on) things to make it optimum.


As a purchaser of Jam's paid product, you can contact Jam support 
directly and they will help advise you on what you need to do to "get it 
working".  They have been useful to me and others.


(You will also get more direct help instead of having to endure the 
constant incessant bickering and sniping and the _"I'm right, he's 
wrong"_ chest-beating that this mailing list tends to be populated 
with especially between the users that assume that those who are asking 
the questions for help because they have a lack of knowledge don't have 
the right to ask the basic because they are not knowledgeable enough.)


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm


On 8/18/2016 8:34 PM, jdow wrote:

On 2016-08-18 17:11, RW wrote:

On Thu, 18 Aug 2016 18:14:47 -0500
Jerry Malcolm wrote:



I'm still trying to see why I'm not getting the report back.  I've
gone all the way back to the source code that does the streaming of
the spamd invocation on port 783.   I can't seem to find the
documentation anywhere on the format of the data I should read back
on port 783 from spamd.   It looks like I'm getting two text lines
back on the read: SPAMD/1.1 0 EX_OK
Spam: True ; 7.7 / 5.0



This is a waste of time. Just try sending a file to spamd  with spamc and
look at the output. If the header is missing then SA is probably not
picking up the config. If it is then the problem is with James.

My guess is that James adds the x-spam-status header itself.



And I suppose the following line in local.cf is insufficient for 
James' needs?


rewrite_header Subject *SPAM* _SCORE(00)_ **

Then all he needs to do is look for the string "*SPAM* _SCORE(" 
in the title of the message and sort it into the spam bucket.


{o.o}


This discussion has gotten way off  track from the original question.  I 
asked about too much spam not getting scored above the threshold in SA.  
Someone asked for the REPORT header.  But I was not getting the report 
header inserted in my emails.  So I went to the JAMES code and realized 
they were using the CHECK command in spamd.  The SA docs say that CHECK 
returns the modified mail body. But I ran -c on spamc, and it does NOT 
return the mail body, just a summary line.  So JAMES is working just as 
designed.  It simply adds its own spam headers to its original message 
based on the summary statement it gets back from spamd.  Any headers 
that are generated inside spamd are not returned by spamd with CHECK.  
So basically, it's now understood why I can't get report headers at 
all.  I could modify james to get the modified msg returned with the 
headers and replace the original msg with the updated msg.  But I don't 
see that as necessary.  In other words, this is NOT a james issue.  I 
can get report headers now if I really need to by saving a message to a 
file and running spamc.  Fixing my dns to use recursive improved the 
scores of obvious spam.  So the problem is not as bad as it was.  I 
still need to write some code to integrate my uncaught-spam folders in 
the james repository with spamd LEARN command, and I think everything 
will be resolved.
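
The data flow on port 783 discussed in this message, as an added example that is not code from JAMES, JAM Software or the SpamAssassin project. It frames a request and parses the reply, showing that CHECK carries only the summary line while commands such as SYMBOLS, REPORT and PROCESS return a body after the headers. The CHECK reply is the one quoted in the thread; the SYMBOLS reply and the message are constructed, and the function names are hypothetical.

```python
import re
import socket

STATUS_RE = re.compile(r"^SPAMD/(?P<version>[\d.]+) (?P<code>\d+) (?P<text>.*)$")
SPAM_RE = re.compile(
    r"^(?P<flag>True|False|Yes|No)\s*;\s*(?P<score>-?[\d.]+)\s*/\s*(?P<threshold>-?[\d.]+)$",
    re.IGNORECASE,
)

# Constructed test message.
MESSAGE = b"Subject: all-in-one charger\r\n\r\nBuy now\r\n"
# Reply to CHECK exactly as quoted in the thread: status line, Spam: line, blank line.
CHECK_REPLY = b"SPAMD/1.1 0 EX_OK\r\nSpam: True ; 7.7 / 5.0\r\n\r\n"
# Constructed reply to SYMBOLS: same headers, plus a body listing the rules hit.
_RULES = b"DCC_CHECK,URIBL_BLACK,URIBL_DBL_SPAM"
SYMBOLS_REPLY = (
    b"SPAMD/1.1 0 EX_OK\r\nContent-length: %d\r\nSpam: True ; 7.7 / 5.0\r\n\r\n"
    % len(_RULES)
) + _RULES


def build_request(command, message, version="1.2"):
    """Frame a request: command line, Content-length header, blank line, message."""
    head = f"{command} SPAMC/{version}\r\nContent-length: {len(message)}\r\n\r\n"
    return head.encode("ascii") + message


def parse_response(raw):
    """Split a spamd reply into status, verdict and (possibly empty) body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = STATUS_RE.match(lines[0])
    if not status:
        raise ValueError(f"not a SPAMD response: {lines[0]!r}")
    resp = {"code": int(status["code"]), "status": status["text"],
            "is_spam": None, "score": None, "threshold": None, "body": body}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "spam":
            continue
        m = SPAM_RE.match(value.strip())
        if m:
            resp["is_spam"] = m["flag"].lower() in ("true", "yes")
            resp["score"] = float(m["score"])
            resp["threshold"] = float(m["threshold"])
    return resp


def rule_names(resp):
    """Rule list from a SYMBOLS reply body; empty for CHECK, which has no body."""
    text = resp["body"].decode("ascii", "replace").strip()
    return [r for r in text.split(",") if r]


def ask_spamd(command, message, host="127.0.0.1", port=783, timeout=30):
    """Send one request to a running spamd and parse whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(command, message))
        s.shutdown(socket.SHUT_WR)  # signal end of message
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    for label, raw in (("CHECK", CHECK_REPLY), ("SYMBOLS", SYMBOLS_REPLY)):
        r = parse_response(raw)
        print(label, r["is_spam"], r["score"], r["threshold"], rule_names(r))
```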




Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread jdow

On 2016-08-18 17:11, RW wrote:

On Thu, 18 Aug 2016 18:14:47 -0500
Jerry Malcolm wrote:



I'm still trying to see why I'm not getting the report back.  I've
gone all the way back to the source code that does the streaming of
the spamd invocation on port 783.   I can't seem to find the
documentation anywhere on the format of the data I should read back
on port 783 from spamd.   It looks like I'm getting two text lines
back on the read: SPAMD/1.1 0 EX_OK
Spam: True ; 7.7 / 5.0



This is a waste of time. Just try sending a file to spamd  with spamc and
look at the output. If the header is missing then SA is probably not
picking up the config. If it is then the problem is with James.

My guess is that James adds the x-spam-status header itself.



And I suppose the following line in local.cf is insufficient for James' needs?

rewrite_header Subject *SPAM* _SCORE(00)_ **

Then all he needs to do is look for the string "*SPAM* _SCORE(" in the 
title of the message and sort it into the spam bucket.


{o.o}


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread RW
On Thu, 18 Aug 2016 18:14:47 -0500
Jerry Malcolm wrote:


> I'm still trying to see why I'm not getting the report back.  I've
> gone all the way back to the source code that does the streaming of
> the spamd invocation on port 783.   I can't seem to find the
> documentation anywhere on the format of the data I should read back
> on port 783 from spamd.   It looks like I'm getting two text lines
> back on the read: SPAMD/1.1 0 EX_OK
> Spam: True ; 7.7 / 5.0


This is a waste of time. Just try sending a file to spamd  with spamc and
look at the output. If the header is missing then SA is probably not
picking up the config. If it is then the problem is with James.

My guess is that James adds the x-spam-status header itself.


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm

On 8/18/2016 2:15 PM, Bowie Bailey wrote:

On 8/18/2016 3:05 PM, Jerry Malcolm wrote:

On 8/18/2016 1:45 PM, Bowie Bailey wrote:

On 8/18/2016 2:21 PM, li...@rhsoft.net wrote:



On 18.08.2016 at 20:18, Jerry Malcolm wrote:

This is the X-Spam-Status header I got back on an uncaught spam. No,
hits=0.3 required=5.0.  The spam was selling an all-in-one charger


we need the *report* header


By default, the report header is only added to messages marked as 
spam.  To add it to all messages, add this line to your local.cf file:


add_header all Report _REPORT_

On a linux box, this would be in /etc/mail/spamassassin.  I have no 
idea where it would be on your "SpamAssassin In a Box".  Once you 
find and update the file, you will need to restart whatever 
SpamAssassin or Spamd service is running on your system to have it 
re-load the configuration.


I see the local.cf file, it is already configured with 'all 
report'.   But I looked at a msg that was flagged a spam.  It doesn't 
have a report header either.  I guess it's possible that the JAMES 
invoker mailet is stripping the headers.  But I don't see any obvious 
code that appears to be removing headers.  Are there any other 
options that might be controlling whether SA adds that header?


Why don't you put your local.cf file on pastebin so we can see how it 
is set up?


I doubt anyone here is going to know anything about the JAMES mailer.

I'm still trying to see why I'm not getting the report back.  I've gone 
all the way back to the source code that does the streaming of the spamd 
invocation on port 783.   I can't seem to find the documentation 
anywhere on the format of the data I should read back on port 783 from 
spamd.   It looks like I'm getting two text lines back on the read: 
SPAMD/1.1 0 EX_OK

Spam: True ; 7.7 / 5.0

followed by a blank line and then a null.   I believe I read in the 
spamd doc that it should return the entire message back, apparently 
modified with headers that you add.  I'm not seeing it.  I looked 
through all of the options for spamd and didn't see anything obvious 
that says whether to send the message back or not.  Currently, my MTA 
code just parses the two lines above and adds headers based on that info 
to the original message.  But if you are adding additional headers such 
as reports, etc., I'm not seeing the modified message coming back to 
me.  What am I missing?  Can you point me to a link to documentation on 
the in/out data flows over port 783 to spamd?


The following info is written to the socket followed by the message itself:
CHECK SPAMC/1.2\r\n\r\n

This is the Windows Service entry for spamd:
SpamAssassin deamon. Starting parameters:
--allow-tell --syslog="spamdLog.txt" --max-spare=2 --max-children=20 
--timeout-child=85


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm

On 8/18/2016 5:39 PM, Benny Pedersen wrote:

On 2016-08-18 21:08, Jerry Malcolm wrote:


Hmm.  I do not have any forwarding statements.  Is there a way via
command line (e.g. nslookup, etc) that I can determine if BIND is
recursing or forwarding?  I assume that might be in the SA report
header.  But see my previous response that I can't seem to ever get
report headers... Yuck...


dig localhost

does it say nameserver 127.0.0.1 where it queried it ? :=)

if yes it works

next

dig +trace ipv4.google.com

shows recursing, did it break ?, time outs ?, any problems ?

if you have ipv6

dig +trace ipv6.google.com

if that works as well be happy


All the dig queries seemed to work fine.


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Benny Pedersen

On 2016-08-18 21:08, Jerry Malcolm wrote:


Hmm.  I do not have any forwarding statements.  Is there a way via
command line (e.g. nslookup, etc) that I can determine if BIND is
recursing or forwarding?  I assume that might be in the SA report
header.  But see my previous response that I can't seem to ever get
report headers... Yuck...


dig localhost

does it say nameserver 127.0.0.1 where it queried it ? :=)

if yes it works

next

dig +trace ipv4.google.com

shows recursing, did it break ?, time outs ?, any problems ?

if you have ipv6

dig +trace ipv6.google.com

if that works as well be happy





Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Benny Pedersen

On 2016-08-18 20:48, Jerry Malcolm wrote:


allow-recursion { any; };

But it lists other options such as
allow-query, allow-query-cache, etc.  Is recursion the only one that
might be affecting SA?  Or should I enable other options?


this is safe if you only listen to 127.0.0.1

if you use it on wan you will be open resolver, do not do this, but use 
trusted acl


do not add forwarders to options section, forwarders is ok, but only per 
zone


in /etc/resolv.conf only one line

nameserver 127.0.0.1

success




Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Benny Pedersen

On 2016-08-18 20:36, Jerry Malcolm wrote:


ok, I discovered the hidden ctrl-u fn in Tbird to show the full
source.   Updated pastebin:  http://pastebin.com/eRurR7Mv


DBL_SPAM: 6.50
URIBL_SBL_CSS: 6.50
URIBL_BLACK: 7.50
ABUSE_SURBL: 5.50
FUZZY_DENIED: 8.54
ONCE_RECEIVED: 0.10
DCC_BULK: 2.00
MIME_GOOD: -0.10

even fuzzy hits :=)

that should be simple to get marked as spam with spamassassin

try installing dcc ?






Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Bill Cole

On 18 Aug 2016, at 15:08, Jerry Malcolm wrote:


On 8/18/2016 1:50 PM, li...@rhsoft.net wrote:


On 18.08.2016 at 20:48, Jerry Malcolm wrote:

This is encouraging.  I looked up how to set recursion in Bind.  It
looks like it just requires adding a field to the options:

allow-recursion { any; };

But it lists other options such as
allow-query, allow-query-cache, etc.  Is recursion the only one that
might be affecting SA?  Or should I enable other options?


sorry but *no*

it means nothing else than *remove* any forwarding statements

the stuff above is just to limit which clients are allowed to make 
recursive queries


Hmm.  I do not have any forwarding statements.  Is there a way via 
command line (e.g. nslookup, etc) that I can determine if BIND is 
recursing or forwarding?


If BIND is forwarding to a server that can't do DNSBL lookups (which are 
a critical piece of SA catching the spam you shared) then "nslookup 
2.0.0.127.zen.spamhaus.org" will return no records. If it is recursing 
(and your server isn't handling a large volume of mail) then you should 
get back 3 address records pointing to 127.0.0.2, 127.0.0.4, and 
127.0.0.10


I assume that might be in the SA report header.  But see my previous 
response that I can't seem to ever get report headers... Yuck...


In a report header you'd see something like URIBL_BLOCKED.
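
The DNSBL test described in this message, as an added example that is not part of Bill Cole's post. It builds the reversed-address query name and classifies the answer set the way the post does (no records versus the three expected test addresses). It goes one step beyond the thread by also recognising the 127.255.255.x error codes that Spamhaus documents for refused queries; the function names are hypothetical.

```python
import ipaddress
import socket

# Answers the thread says a working recursive resolver returns for the test point.
EXPECTED = {"127.0.0.2", "127.0.0.4", "127.0.0.10"}

# Spamhaus-documented error returns (not mentioned in the thread).
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query arrived via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{zone}"


def classify(answers):
    """Interpret the A records returned for the 127.0.0.2 test point."""
    answers = set(answers)
    if not answers:
        # Per the thread: typical when a shared upstream forwarder is blocked.
        return "no-records"
    if answers & set(ERROR_CODES):
        return "refused"
    if EXPECTED <= answers:
        return "recursing-ok"
    return "unexpected"


def resolve(name):
    """A records for name through the system resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


if __name__ == "__main__":
    name = dnsbl_name("127.0.0.2")
    answers = resolve(name)
    verdict = classify(answers)
    print(name, sorted(answers), verdict)
    for code in set(answers) & set(ERROR_CODES):
        print(code, "=", ERROR_CODES[code])
```

This uses whichever resolver the operating system is configured with, which is not necessarily the one SpamAssassin uses.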


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Bowie Bailey

On 8/18/2016 3:05 PM, Jerry Malcolm wrote:

On 8/18/2016 1:45 PM, Bowie Bailey wrote:

On 8/18/2016 2:21 PM, li...@rhsoft.net wrote:



On 18.08.2016 at 20:18, Jerry Malcolm wrote:

This is the X-Spam-Status header I got back on an uncaught spam. No,
hits=0.3 required=5.0.  The spam was selling an all-in-one charger


we need the *report* header


By default, the report header is only added to messages marked as 
spam.  To add it to all messages, add this line to your local.cf file:


add_header all Report _REPORT_

On a linux box, this would be in /etc/mail/spamassassin.  I have no 
idea where it would be on your "SpamAssassin In a Box".  Once you 
find and update the file, you will need to restart whatever 
SpamAssassin or Spamd service is running on your system to have it 
re-load the configuration.


I see the local.cf file, it is already configured with 'all report'.   
But I looked at a msg that was flagged a spam.  It doesn't have a 
report header either.  I guess it's possible that the JAMES invoker 
mailet is stripping the headers.  But I don't see any obvious code 
that appears to be removing headers.  Are there any other options that 
might be controlling whether SA adds that header?


Why don't you put your local.cf file on pastebin so we can see how it is 
set up?


I doubt anyone here is going to know anything about the JAMES mailer.

--
Bowie


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Axb

On 08/18/2016 08:48 PM, Jerry Malcolm wrote:

On 8/18/2016 1:35 PM, Joe Quinn wrote:

On 8/18/2016 2:27 PM, Jerry Malcolm wrote:

I haven't figured out a way to get Thunderbird to allow me to
copy/paste the headers.  But I did look at all of the headers. There
are no headers in the email with names like you mentioned. There is
only the X-Spam-Status header and X-Spam-Flag header that appear to
be anywhere related to SA.

If you're not seeing a breakdown of the spam test, you should
configure SA to add it if you can. Run "man Mail::SpamAssassin::Conf"
for information on how to add that report.


I'm running ISC BIND in my server.  But it only serves my own
domains' records.  I guess it forwards to my Peer1 host DNS servers
to resolve anything that is not local.  Is that what you are
referring to?  What would I do to get around this problem?

Set it to resolve recursively instead of by forwarding. A recursive
resolver will seek out unknown answers by itself instead of asking an
upstream resolver that's being shared and rate-limited. There's
documentation elsewhere that describes how to do this, as it varies by
what named you are using.


This is encouraging.  I looked up how to set recursion in Bind.  It
looks like it just requires adding a field to the options:

allow-recursion { any; };

But it lists other options such as
allow-query, allow-query-cache, etc.  Is recursion the only one that
might be affecting SA?  Or should I enable other options?



Jerry,
Considering you've paid for "SpamAssassin in a Box" and that it probably 
doesn't support the full feature set which is developed for *nix 
systems, it may be wiser you contact JAM Software's support and get them 
to walk you through a sensible setup.


Once you've gone through the basics and got your feet wet, you may 
suddenly feel comfortable to start tuning.
The SpamAssassin Docs and Wiki are full of helpful info which should 
help you go through the bits of internals you need to do your job.


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



On 18.08.2016 at 21:08, Jerry Malcolm wrote:

On 8/18/2016 1:50 PM, li...@rhsoft.net wrote:


On 18.08.2016 at 20:48, Jerry Malcolm wrote:

This is encouraging.  I looked up how to set recursion in Bind.  It
looks like it just requires adding a field to the options:

allow-recursion { any; };

But it lists other options such as
allow-query, allow-query-cache, etc.  Is recursion the only one that
might be affecting SA?  Or should I enable other options?


sorry but *no*

it means nothing else than *remove* any forwarding statements

the stuff above is just to limit which clients are allowed to make
recursive queries


Hmm.  I do not have any forwarding statements.  Is there a way via
command line (e.g. nslookup, etc) that I can determine if BIND is
recursing or forwarding?  I assume that might be in the SA report
header.  But see my previous response that I can't seem to ever get
report headers... Yuck...


on a proper operating system i would ask for the content of 
/etc/resolv.conf - nobody but you can find out which nameserver your SA 
is using and how this nameserver is configured


just because you are running named on your box doesn't mean this is the 
nameserver applications running on this host are using


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread John Hardin

On Thu, 18 Aug 2016, Jerry Malcolm wrote:


On 8/18/2016 12:16 PM, John Hardin wrote:


 There are also potential DNS issues that may contribute. In addition to
 describing your environment, perhaps you could post the X-Spam-Status
 header from a couple of the low-scoring spams.


John,

This is the X-Spam-Status header I got back on an uncaught spam. No, hits=0.3 
required=5.0.  The spam was selling an all-in-one charger.


D'oh. If it's not scored spammy the rule hits won't be there. Can you post 
the X-Spam-Status header from a message that scored as spammy?


What kind of DNS issues?  I lease a server from Peer1 and use their name 
servers.


That's part of the problem. Your DNSBL and URIBL lookups are being 
aggregated with others' and are probably exceeding the free query limits.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control enables genocide while doing little to reduce crime.
---
 6 days until the 1937th anniversary of the destruction of Pompeii


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



On 18.08.2016 at 21:05, Jerry Malcolm wrote:

I see the local.cf file, it is already configured with 'all report'.
But I looked at a msg that was flagged a spam.  It doesn't have a report
header either.  I guess it's possible that the JAMES invoker mailet is
stripping the headers.  But I don't see any obvious code that appears to
be removing headers.  Are there any other options that might be
controlling whether SA adds that header?


you *really* should ask somewhere at a james-list and re-consider using 
an MTA practically nobody knows as well as some "out-of-the-box" stuff and 
then run on a windows server


you have a 1-out-of-10 setup at best!


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm

On 8/18/2016 1:50 PM, li...@rhsoft.net wrote:


On 18.08.2016 at 20:48, Jerry Malcolm wrote:

This is encouraging.  I looked up how to set recursion in Bind.  It
looks like it just requires adding a field to the options:

allow-recursion { any; };

But it lists other options such as
allow-query, allow-query-cache, etc.  Is recursion the only one that
might be affecting SA?  Or should I enable other options?


sorry but *no*

it means nothing else than *remove* any forwarding statements

the stuff above is just to limit which clients are allowed to make 
recursive queries


Hmm.  I do not have any forwarding statements.  Is there a way via 
command line (e.g. nslookup, etc) that I can determine if BIND is 
recursing or forwarding?  I assume that might be in the SA report 
header.  But see my previous response that I can't seem to ever get 
report headers... Yuck...


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm

On 8/18/2016 1:45 PM, Bowie Bailey wrote:

On 8/18/2016 2:21 PM, li...@rhsoft.net wrote:



On 18.08.2016 at 20:18, Jerry Malcolm wrote:

This is the X-Spam-Status header I got back on an uncaught spam. No,
hits=0.3 required=5.0.  The spam was selling an all-in-one charger


we need the *report* header


By default, the report header is only added to messages marked as 
spam.  To add it to all messages, add this line to your local.cf file:


add_header all Report _REPORT_

On a linux box, this would be in /etc/mail/spamassassin.  I have no 
idea where it would be on your "SpamAssassin In a Box".  Once you find 
and update the file, you will need to restart whatever SpamAssassin or 
Spamd service is running on your system to have it re-load the 
configuration.


I see the local.cf file, it is already configured with 'all report'.   
But I looked at a msg that was flagged a spam.  It doesn't have a report 
header either.  I guess it's possible that the JAMES invoker mailet is 
stripping the headers.  But I don't see any obvious code that appears to 
be removing headers.  Are there any other options that might be 
controlling whether SA adds that header?


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



On 18.08.2016 at 20:48, Jerry Malcolm wrote:

This is encouraging.  I looked up how to set recursion in Bind.  It
looks like it just requires adding a field to the options:

allow-recursion { any; };

But it lists other options such as
allow-query, allow-query-cache, etc.  Is recursion the only one that
might be affecting SA?  Or should I enable other options?


sorry but *no*

it means nothing else than *remove* any forwarding statements

the stuff above is just to limit which clients are allowed to make 
recursive queries


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm

On 8/18/2016 1:35 PM, Joe Quinn wrote:

On 8/18/2016 2:27 PM, Jerry Malcolm wrote:
I haven't figured out a way to get Thunderbird to allow me to 
copy/paste the headers.  But I did look at all of the headers. There 
are no headers in the email with names like you mentioned. There is 
only the X-Spam-Status header and X-Spam-Flag header that appear to 
be anywhere related to SA.
If you're not seeing a breakdown of the spam test, you should 
configure SA to add it if you can. Run "man Mail::SpamAssassin::Conf" 
for information on how to add that report.


I'm running ISC BIND in my server.  But it only serves my own 
domains' records.  I guess it forwards to my Peer1 host DNS servers 
to resolve anything that is not local.  Is that what you are 
referring to?  What would I do to get around this problem?
Set it to resolve recursively instead of by forwarding. A recursive 
resolver will seek out unknown answers by itself instead of asking an 
upstream resolver that's being shared and rate-limited. There's 
documentation elsewhere that describes how to do this, as it varies by 
what named you are using.


This is encouraging.  I looked up how to set recursion in Bind.  It 
looks like it just requires adding a field to the options:

allow-recursion { any; };

But it lists other options such as allow-query, 
allow-query-cache, etc.  Is recursion the only one that might be affecting SA?  
Or should I enable other options?



Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Bowie Bailey

On 8/18/2016 2:21 PM, li...@rhsoft.net wrote:



On 18.08.2016 at 20:18, Jerry Malcolm wrote:

This is the X-Spam-Status header I got back on an uncaught spam. No,
hits=0.3 required=5.0.  The spam was selling an all-in-one charger


we need the *report* header


By default, the report header is only added to messages marked as spam.  
To add it to all messages, add this line to your local.cf file:


add_header all Report _REPORT_

On a linux box, this would be in /etc/mail/spamassassin.  I have no idea 
where it would be on your "SpamAssassin In a Box".  Once you find and 
update the file, you will need to restart whatever SpamAssassin or Spamd 
service is running on your system to have it re-load the configuration.


--
Bowie


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



On 18.08.2016 at 20:27, Jerry Malcolm wrote:


On 8/18/2016 1:17 PM, li...@rhsoft.net wrote:


On 18.08.2016 at 20:10, Jerry Malcolm wrote:

Here is a pastebin.com link to an example uncaught spam message. SA
scored it a 4.7. http://pastebin.com/T1CfVgP4


useless without any headers which would show the matching rules
including major mistakes like URIBL_BLOCKED

but even passing that "non-email" to SA would hit URIBL_ABUSE_SURBL,
PYZOR_CHECK, URIBL_DBL_SPAM, URIBL_BLACK and URIBL_SBL_A so i guess
you are using some DNS forwarder which does *not* work for an inbound
spamfilter


I haven't figured out a way to get Thunderbird to allow me to copy/paste
the headers


seriously?
"view -> source code" or however the menus are called in english


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread John Hardin

On Thu, 18 Aug 2016, Jerry Malcolm wrote:

Thanks for the quick response.  I'll try to reply with what I know.  But I 
purchased a package "SpamAssassin In A Box" from JAM Software.


I hate to say this, but - perhaps you should be asking JAM *first*...

Here is a pastebin.com link to an example uncaught spam message. SA scored it 
a 4.7. http://pastebin.com/T1CfVgP4


That's just the rendered body. We need to see all the message headers too.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous
  or religious, or to preserve the fool from the consequences
  of his own folly.   -- Henry George
---
 6 days until the 1937th anniversary of the destruction of Pompeii


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm

On 8/18/2016 1:23 PM, Benny Pedersen wrote:

On 2016-08-18 20:10, Jerry Malcolm wrote:


Here is a pastebin.com link to an example uncaught spam message. SA
scored it a 4.7. http://pastebin.com/T1CfVgP4


MISSING_DATE: 1.00
DCC_BULK: 2.00
MISSING_TO: 2.00
MISSING_MID: 2.50
MISSING_SUBJECT: 2.00

was what it scored as in pastebin, rspamd tested, sure it's possible 
not better with spamassassin :=)


for more help, full email please, redact the recipient only

ok, I discovered the hidden ctrl-u fn in Tbird to show the full 
source.   Updated pastebin:  http://pastebin.com/eRurR7Mv


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Joe Quinn

On 8/18/2016 2:27 PM, Jerry Malcolm wrote:
> I haven't figured out a way to get Thunderbird to allow me to
> copy/paste the headers.  But I did look at all of the headers. There
> are no headers in the email with names like you mentioned. There is
> only the X-Spam-Status header and X-Spam-Flag header that appear to be
> anywhere related to SA.

If you're not seeing a breakdown of the spam test, you should configure
SA to add it if you can. Run "man Mail::SpamAssassin::Conf" for
information on how to add that report.

> I'm running ISC BIND in my server.  But it only serves my own domains'
> records.  I guess it forwards to my Peer1 host DNS servers to resolve
> anything that is not local.  Is that what you are referring to?  What
> would I do to get around this problem?

Set it to resolve recursively instead of by forwarding. A recursive
resolver will seek out unknown answers by itself instead of asking an
upstream resolver that's being shared and rate-limited. There's
documentation elsewhere that describes how to do this, as it varies by
what named you are using.


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm


On 8/18/2016 1:17 PM, li...@rhsoft.net wrote:


> On 18.08.2016 at 20:10, Jerry Malcolm wrote:
>
>> Here is a pastebin.com link to an example uncaught spam message. SA
>> scored it a 4.7. http://pastebin.com/T1CfVgP4
>
> useless without any headers which would show the matching rules
> including major mistakes like URIBL_BLOCKED
>
> but even passing that "non-email" to SA would hit URIBL_ABUSE_SURBL,
> PYZOR_CHECK, URIBL_DBL_SPAM, URIBL_BLACK and URIBL_SBL_A so I guess
> you are using some DNS forwarder which does *not* work for an inbound
> spamfilter


I haven't figured out a way to get Thunderbird to allow me to copy/paste 
the headers.  But I did look at all of the headers. There are no headers 
in the email with names like you mentioned. There is only the 
X-Spam-Status header and X-Spam-Flag header that appear to be anywhere 
related to SA.


I'm running ISC BIND in my server.  But it only serves my own domains' 
records.  I guess it forwards to my Peer1 host DNS servers to resolve 
anything that is not local.  Is that what you are referring to?  What 
would I do to get around this problem?




Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Benny Pedersen

On 2016-08-18 20:10, Jerry Malcolm wrote:


> Here is a pastebin.com link to an example uncaught spam message. SA
> scored it a 4.7. http://pastebin.com/T1CfVgP4

MISSING_DATE: 1.00
DCC_BULK: 2.00
MISSING_TO: 2.00
MISSING_MID: 2.50
MISSING_SUBJECT: 2.00

was what it scored as in pastebin, rspamd tested, sure it's possible not
better with spamassassin :=)


for more help, full email please, redact the recipient only




Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



On 18.08.2016 at 20:18, Jerry Malcolm wrote:

> This is the X-Spam-Status header I got back on an uncaught spam. No,
> hits=0.3 required=5.0.  The spam was selling an all-in-one charger

we need the *report* header

> What kind of DNS issues?  I lease a server from Peer1 and use their name
> servers.

don't do that - just install a *recursing* local resolver like unbound
and point only to 127.0.0.1 - anything else won't work for an inbound
mailserver because you hit RBL limits when you share the nameserver with
an unknown amount of other people
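
As an added example (not part of the thread and not SpamAssassin's own code), a small Python triage of the X-Spam-Status header requested above: it accepts both the `score=` form and the `hits=` form quoted in this thread, reports when no `tests=` list is present, and flags `URIBL_BLOCKED`. The sample messages are constructed, and treating any rule name ending in `_BLOCKED` as a refused blocklist query is an assumption.

```python
import re
NUM = r"(-?\d+(?:\.\d+)?)"

# Constructed sample messages (not the thread's pastebin contents).
SAMPLES = {
    "hits_only": "X-Spam-Status: No, hits=0.3 required=5.0\nSubject: a\n\nbody\n",
    "blocked": "X-Spam-Status: No, score=1.2 required=5.0 tests=HTML_MESSAGE,\n"
               "\tMISSING_DATE,URIBL_BLOCKED autolearn=no version=3.4.1\n"
               "Subject: b\n\nbody\n",
    "healthy": "X-Spam-Status: Yes, score=9.4 required=5.0 tests=MISSING_MID,\n"
               "\tURIBL_BLACK,URIBL_DBL_SPAM autolearn=no version=3.4.1\n"
               "Subject: c\n\nbody\n",
}

def parse_spam_status(raw_message):
    """Return (score, required, tests) or None; tests is None without tests=."""
    headers = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = re.sub(r"\n[ \t]+", " ", headers)  # unfold continuation lines
    m = re.search(r"^X-Spam-Status:\s*(.*)$", headers, re.I | re.M)
    if not m:
        return None
    value = m.group(1)
    score = re.search(r"\b(?:score|hits)=" + NUM, value)  # some callers emit hits=
    required = re.search(r"\brequired=" + NUM, value)
    tests = re.search(r"\btests=(.*?)(?=\s+\w+=|$)", value)
    names = ([t for t in re.split(r"[,\s]+", tests.group(1)) if t and t != "none"]
             if tests else None)
    return (float(score.group(1)) if score else None,
            float(required.group(1)) if required else None, names)

def triage(raw_message):
    parsed = parse_spam_status(raw_message)
    if parsed is None:
        return ["no X-Spam-Status header found"]
    score, required, tests = parsed
    findings = []
    if tests is None:
        findings.append("no tests= list: need the report header or the spamd log")
    else:
        # Assumption: any rule ending in _BLOCKED marks a refused DNS list query.
        blocked = [t for t in tests if t.endswith("_BLOCKED")]
        if blocked:
            findings.append("DNS list refused queries: " + ",".join(blocked))
    if score is not None and required is not None and score < required:
        findings.append("below threshold: %.1f < %.1f" % (score, required))
    return findings

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

A header that yields the "no tests= list" finding cannot show whether network rules ran at all, which is why the replies keep asking for the report header or the spamd log.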


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Rick Macdougall

On 2016-08-18 2:10 PM, Jerry Malcolm wrote:

> Thanks for the quick response.  I'll try to reply with what I know.  But
> I purchased a package "SpamAssassin In A Box" from JAM Software.  I ran
> the installer, and that's it.  I'm sorry that I don't know more.  But I
> don't know much about the inner workings. I was just hoping it would work.
>
> I am running Windows Server 2008 r2.  I purchased the latest version of
> SpamAssassin In A Box yesterday, Full x64.  It had a build date of April
> 2016.  I can't find the SpamAssassin version number.  But I'm assuming
> it had close to the latest build as of April.
>
> I am a hosting server environment with several domains and several ids
> per domain.  I am running the Apache JAMES 3.0 mail server, using the
> JAMES-provided mailet to invoke SA.  I have been a JAMES user for over
> 10 years.
>
> I understand the training of Bayes.  But I'm having a problem with
> that.  I have been asking on the JAMES forum about how to run sa-learn
> if I'm using a MySQL JAMES repository for mail.  No responses as yet.
> So I don't know how I can train Bayes at this time.  The SpamAssassin In
> a Box install asked me if I wanted them to install a pre-defined Bayes
> ruleset.  I did, but no clue how old it is.
>
> So first question that I can't seem to get a response to from JAMES
> is there any code that I can use that allows sa-learn to work with JAMES
> db?  Or do I have to write code that will take every spam I want to
> train with and write it to an MBOX file and run sa-learn that way?  I'm
> really surprised if I'm the first JAMES user that needs to run sa-learn.
>
> The second question... in the interim is there a 'better' set of Bayes
> rules that I can just download and install until I can get the first
> issue resolved and can start training myself?
>
> Here is a pastebin.com link to an example uncaught spam message. SA
> scored it a 4.7. http://pastebin.com/T1CfVgP4



Hi,

We are going to need the full headers, not just the email body.

Regards,

Rick




Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm


On 8/18/2016 12:16 PM, John Hardin wrote:

> On Thu, 18 Aug 2016, Jerry Malcolm wrote:
>
>> I installed the latest SpamAssassin In a Box yesterday (Win Server
>> 2008 r2). I kept all of the defaults. It is up and running.  But I'm
>> getting a huge amount of spam, and I mean 'obvious' spam mentioning
>> body parts in the subject line that are getting low scores
>> (averaging about 15 uncaught spams per hour per user inbox).  It's
>> still catching some spam.  So I assume it's just a scoring issue.
>>
>> I tried running sa-update.  It said no updates were available. I'm
>> fairly certain that SA is better at recognizing spam than it is
>> currently doing on my system.  Is there something else I need to do
>> in order to get it to begin recognizing obvious spam? Hopefully 15
>> uncaught spams per hour is not considered the acceptable norm.
>
> Be aware that Bayes scoring doesn't kick in until you've actually
> provided some training to allow it to recognize your particular email
> traffic.
>
> There are also potential DNS issues that may contribute. In addition
> to describing your environment, perhaps you could post the
> X-Spam-Status header from a couple of the low-scoring spams.



John,

This is the X-Spam-Status header I got back on an uncaught spam. No, 
hits=0.3 required=5.0.  The spam was selling an all-in-one charger.


What kind of DNS issues?  I lease a server from Peer1 and use their name 
servers.


Thanks.




Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net


On 18.08.2016 at 20:10, Jerry Malcolm wrote:

> Here is a pastebin.com link to an example uncaught spam message. SA
> scored it a 4.7. http://pastebin.com/T1CfVgP4

useless without any headers which would show the matching rules
including major mistakes like URIBL_BLOCKED

but even passing that "non-email" to SA would hit URIBL_ABUSE_SURBL,
PYZOR_CHECK, URIBL_DBL_SPAM, URIBL_BLACK and URIBL_SBL_A so I guess you
are using some DNS forwarder which does *not* work for an inbound spamfilter


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm
Thanks for the quick response.  I'll try to reply with what I know.  But 
I purchased a package "SpamAssassin In A Box" from JAM Software.  I ran 
the installer, and that's it.  I'm sorry that I don't know more.  But I 
don't know much about the inner workings. I was just hoping it would work.


I am running Windows Server 2008 r2.  I purchased the latest version of 
SpamAssassin In A Box yesterday, Full x64.  It had a build date of April 
2016.  I can't find the SpamAssassin version number.  But I'm assuming 
it had close to the latest build as of April.


I am a hosting server environment with several domains and several ids 
per domain.  I am running the Apache JAMES 3.0 mail server, using the 
JAMES-provided mailet to invoke SA.  I have been a JAMES user for over 
10 years.


I understand the training of Bayes.  But I'm having a problem with 
that.  I have been asking on the JAMES forum about how to run sa-learn 
if I'm using a MySQL JAMES repository for mail.  No responses as yet.
So I don't know how I can train Bayes at this time.  The SpamAssassin In
a Box install asked me if I wanted them to install a pre-defined Bayes
ruleset.  I did, but no clue how old it is.


So first question that I can't seem to get a response to from JAMES 
is there any code that I can use that allows sa-learn to work with JAMES 
db?  Or do I have to write code that will take every spam I want to 
train with and write it to an MBOX file and run sa-learn that way?  I'm 
really surprised if I'm the first JAMES user that needs to run sa-learn.


The second question... in the interim is there a 'better' set of Bayes 
rules that I can just download and install until I can get the first 
issue resolved and can start training myself?


Here is a pastebin.com link to an example uncaught spam message. SA 
scored it a 4.7. http://pastebin.com/T1CfVgP4


Thanks,

Jerry


On 8/18/2016 11:59 AM, Axb wrote:

> On 08/18/2016 06:47 PM, Jerry Malcolm wrote:
>
>> I installed the latest SpamAssassin In a Box yesterday (Win Server 2008
>> r2).  I kept all of the defaults.  It is up and running.  But I'm
>> getting a huge amount of spam, and I mean 'obvious' spam mentioning body
>> parts in the subject line that are getting low scores (averaging
>> about 15 uncaught spams per hour per user inbox).  It's still catching
>> some spam.  So I assume it's just a scoring issue.
>>
>> I tried running sa-update.  It said no updates were available. I'm
>> fairly certain that SA is better at recognizing spam than it is
>> currently doing on my system.  Is there something else I need to do in
>> order to get it to begin recognizing obvious spam? Hopefully 15 uncaught
>> spams per hour is not considered the acceptable norm.
>
> There's lots you can do (if you can, running on Windows)
>
> As you give us no details what your setup looks like, it's anybody's
> guess what your setup looks like
>
> Please look at
> https://svn.apache.org/repos/asf/spamassassin/trunk/rulesrc/sandbox/emailed/sa-list-template.txt
>
> and tell us something about your setup to help *us* help *you*






Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread John Hardin

On Thu, 18 Aug 2016, Jerry Malcolm wrote:

> I installed the latest SpamAssassin In a Box yesterday (Win Server 2008 r2).
> I kept all of the defaults.  It is up and running.  But I'm getting a huge
> amount of spam, and I mean 'obvious' spam mentioning body parts in the
> subject line that are getting low scores (averaging about 15 uncaught
> spams per hour per user inbox).  It's still catching some spam.  So I assume
> it's just a scoring issue.
>
> I tried running sa-update.  It said no updates were available. I'm fairly
> certain that SA is better at recognizing spam than it is currently doing on
> my system.  Is there something else I need to do in order to get it to begin
> recognizing obvious spam? Hopefully 15 uncaught spams per hour is not
> considered the acceptable norm.


Be aware that Bayes scoring doesn't kick in until you've actually 
provided some training to allow it to recognize your particular email 
traffic.


There are also potential DNS issues that may contribute. In addition to 
describing your environment, perhaps you could post the X-Spam-Status 
header from a couple of the low-scoring spams.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Journalism is about covering important stories.
  With a pillow, until they stop moving.   -- David Burge
---
 6 days until the 1937th anniversary of the destruction of Pompeii


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread Axb

On 08/18/2016 06:47 PM, Jerry Malcolm wrote:

> I installed the latest SpamAssassin In a Box yesterday (Win Server 2008
> r2).  I kept all of the defaults.  It is up and running.  But I'm
> getting a huge amount of spam, and I mean 'obvious' spam mentioning body
> parts in the subject line that are getting low scores (averaging
> about 15 uncaught spams per hour per user inbox).  It's still catching
> some spam.  So I assume it's just a scoring issue.
>
> I tried running sa-update.  It said no updates were available. I'm
> fairly certain that SA is better at recognizing spam than it is
> currently doing on my system.  Is there something else I need to do in
> order to get it to begin recognizing obvious spam? Hopefully 15 uncaught
> spams per hour is not considered the acceptable norm.



There's lots you can do (if you can, running on Windows)

As you give us no details what your setup looks like, it's anybody's 
guess what your setup looks like


Please look at
https://svn.apache.org/repos/asf/spamassassin/trunk/rulesrc/sandbox/emailed/sa-list-template.txt

and tell us something about your setup to help *us* help *you*


New Install - Tons of Spam Getting Through

2016-08-18 Thread Jerry Malcolm
I installed the latest SpamAssassin In a Box yesterday (Win Server 2008 
r2).  I kept all of the defaults.  It is up and running.  But I'm 
getting a huge amount of spam, and I mean 'obvious' spam mentioning body 
parts in the subject line that are getting low scores (averaging 
about 15 uncaught spams per hour per user inbox).  It's still catching 
some spam.  So I assume it's just a scoring issue.


I tried running sa-update.  It said no updates were available. I'm 
fairly certain that SA is better at recognizing spam than it is 
currently doing on my system.  Is there something else I need to do in 
order to get it to begin recognizing obvious spam? Hopefully 15 uncaught 
spams per hour is not considered the acceptable norm.


Thanks.

Jerry