Re: Turn OFF SA spam filtering but keep ON header examination
Hi Dianne, Good to hear from you. I need the dkim/spf lookup features of SpamAssassin. procmail will filter and dump into folders but AFAIK does not do any kind of spf or dkim verification. There are stand-along scrips that can do that but using those are above my pay grade unless someone wants to pipe in (as in *pipe* the email via procmail somewhere where a dkim/spf script can run against it and depending on the result, send it to a certain folder.) On 01/19/2018 10:05 AM, Dianne Skoll wrote: > On Thu, 18 Jan 2018 16:01:13 -0500 > Chipwrote: > >> I'm tied to a Cpanel/WHM VPS which can't be changed. > That's a problem. It's like having someone require you to play > Hungarian Rhapsody while wearing mittens. I mean sure... maybe it's > possible, but why would you try? > > Is there no possibility of a filtering machine in front of that box? > Or as others have said, use procmail which AFAIK works fine with Exim. > > Regards, > > Dianne. >
Re: Turn OFF SA spam filtering but keep ON header examination
On Thu, 18 Jan 2018 16:01:13 -0500 Chipwrote: > I'm tied to a Cpanel/WHM VPS which can't be changed. That's a problem. It's like having someone require you to play Hungarian Rhapsody while wearing mittens. I mean sure... maybe it's possible, but why would you try? Is there no possibility of a filtering machine in front of that box? Or as others have said, use procmail which AFAIK works fine with Exim. Regards, Dianne.
Re: Turn OFF SA spam filtering but keep ON header examination
yes, everything you say is accurate and correct. We are not looking for perfection in the gathering of statistics, only ballpark. No one will ever open the bogus, phishing emails because the emails are not attached to a living person. Once the statistic is collected the email is automatically deleted. Think honey pot/greylisting pot that looks at the amount of emails a never before used email address with a highly unique local-part that is not attached to a real person and has never been used to send mail on a domain that is also very unique that only accepts email for a select whitelist of addresses. What is the guess that it will be flooded with spam? That is what we are setting out to ascertain. On 01/19/2018 09:43 AM, David Jones wrote: > On 01/19/2018 08:30 AM, Chip wrote: >> Good question. >> >> Saying why I care about spf and dkim but not spam sounds contradictory, >> I know. >> >> The reason is because this project doesn't care if spam arrives, only if >> the spam or email (even authenticated properly email) is spoofed. >> > > How are you going to determine that? You need to facter in the > spamminess to determine if something spoofed or else you will need to > manually check every email and it's headers. > > Spammers can spoof Paypal or Bank Of America using their own domain > with perfect SPF and DKIM and your system would put it in the pass > folder. > > Also, compromised accounts from normally good domains will have > passing SPF and DKIM and end up in your pass folder but could be a > dangerous phishing email. >
Re: Turn OFF SA spam filtering but keep ON header examination
On 01/19/2018 08:30 AM, Chip wrote: Good question. Saying why I care about spf and dkim but not spam sounds contradictory, I know. The reason is because this project doesn't care if spam arrives, only if the spam or email (even authenticated properly email) is spoofed. How are you going to determine that? You need to facter in the spamminess to determine if something spoofed or else you will need to manually check every email and it's headers. Spammers can spoof Paypal or Bank Of America using their own domain with perfect SPF and DKIM and your system would put it in the pass folder. Also, compromised accounts from normally good domains will have passing SPF and DKIM and end up in your pass folder but could be a dangerous phishing email. -- David Jones
Re: Turn OFF SA spam filtering but keep ON header examination
Thank you! I see that shortcircuit is already enabled in 320! I think you really hit on something. Thanks again! I knew there was a simple answer. On 01/19/2018 09:35 AM, David Jones wrote: > On 01/19/2018 08:24 AM, Chip wrote: >> Ok point take - I should have mentioned earlier that *part* of the >> reason to stick with SA is because it does spf and dkim checks. My >> mistake. >> >> Moving on now, David, good suggestions! Enlighten me about the >> Shortcirtcuit plugin please. How does one activate it or use it? >> > > 1. Enable the Shorcircuit plugin simply by uncommenting it in the > v320.pre like I said below. This file will be in the same directory > as your local.cf usually /etc/mail/spamassassin. > > 2. I gave the exact 4 lines to put in your local.cf below. > > Try this and check your mail logs for a bit. Play around with SA > settings in your local.cf and see what happens. This is how you learn > SA. It's taken me years of doing this almost daily to understand how > SA works and I am not an SA guru like some on this list. > >> The manual gives an example as follows, so is it correct to simply >> put this into my local.cf and let it run? It looks like it simply >> activates by adding the line: shortcircuit TEST on. >> >> =over 4 >> >> body TEST /test/ >> describe TEST test rule that scores barely over spam threshold >> score TEST 5.5 >> priority TEST -100 >> shortcircuit TEST on >> >> >> >> On 01/19/2018 08:38 AM, David Jones wrote: >>> On 01/18/2018 05:49 PM, Chip wrote: Very well stated. Bravo! The end point here is to examine the email headers that specifically refer to dkim and spf signatures. Based on fail or pass, or some combination in concert with the sender's email address, they get moved into fail or pass folders. That's it! >>> >>> Finally we get some details! :) This is very simple then: >>> >>> 1. Enable the Shortcircuit plugin in v320.pre >>> >>> 2. Enable these SPF and DKIM rules to be shortcircuit'd in your >>> local.cf: >>> >>> shortcircuit SPF_PASS on >>> shortcircuit DKIM_VALID_AU on >>> score SPF_PASS -100 >>> score DKIM_VALID_AU -100 >>> >>> 3. Now you should see the SHORTCIRCUIT rule hit in your logs. Setup >>> a sieve rule to look for those 2 rules above to move them to the >>> pass folder. They will always be ham (score very low) and never be >>> blocked by the "glue" even with the default required_score. >>> >>> P.S. Technically, you could just set the 2 scores and not enable the >>> shortcircuit plugin. The 2 score lines in the local.cf should do >>> what you want to do. >>> >> > >
Re: Turn OFF SA spam filtering but keep ON header examination
On 01/19/2018 08:24 AM, Chip wrote: Ok point take - I should have mentioned earlier that *part* of the reason to stick with SA is because it does spf and dkim checks. My mistake. Moving on now, David, good suggestions! Enlighten me about the Shortcirtcuit plugin please. How does one activate it or use it? 1. Enable the Shorcircuit plugin simply by uncommenting it in the v320.pre like I said below. This file will be in the same directory as your local.cf usually /etc/mail/spamassassin. 2. I gave the exact 4 lines to put in your local.cf below. Try this and check your mail logs for a bit. Play around with SA settings in your local.cf and see what happens. This is how you learn SA. It's taken me years of doing this almost daily to understand how SA works and I am not an SA guru like some on this list. The manual gives an example as follows, so is it correct to simply put this into my local.cf and let it run? It looks like it simply activates by adding the line: shortcircuit TEST on. =over 4 body TEST /test/ describe TEST test rule that scores barely over spam threshold score TEST 5.5 priority TEST -100 shortcircuit TEST on On 01/19/2018 08:38 AM, David Jones wrote: On 01/18/2018 05:49 PM, Chip wrote: Very well stated. Bravo! The end point here is to examine the email headers that specifically refer to dkim and spf signatures. Based on fail or pass, or some combination in concert with the sender's email address, they get moved into fail or pass folders. That's it! Finally we get some details! :) This is very simple then: 1. Enable the Shortcircuit plugin in v320.pre 2. Enable these SPF and DKIM rules to be shortcircuit'd in your local.cf: shortcircuit SPF_PASS on shortcircuit DKIM_VALID_AU on score SPF_PASS -100 score DKIM_VALID_AU -100 3. Now you should see the SHORTCIRCUIT rule hit in your logs. Setup a sieve rule to look for those 2 rules above to move them to the pass folder. They will always be ham (score very low) and never be blocked by the "glue" even with the default required_score. P.S. Technically, you could just set the 2 scores and not enable the shortcircuit plugin. The 2 score lines in the local.cf should do what you want to do. -- David Jones
Re: Turn OFF SA spam filtering but keep ON header examination
Good question. Saying why I care about spf and dkim but not spam sounds contradictory, I know. The reason is because this project doesn't care if spam arrives, only if the spam or email (even authenticated properly email) is spoofed. We are doing checks on senders and the likelihood of a spoofed from email address/domain together with an authentic spf and/or dkim is *less* likely than a spoofed from email address without any spf/dkim. Collecting statistics, I guess you could say. On 01/19/2018 09:07 AM, RW wrote: > On Thu, 18 Jan 2018 18:49:52 -0500 > Chip wrote: > >> Very well stated. Bravo! >> >> The end point here is to examine the email headers that specifically >> refer to dkim and spf signatures. Based on fail or pass, or some >> combination in concert with the sender's email address, they get moved >> into fail or pass folders. > ... >> But that is with spamassassin still identifying spam, which is >> unnecessary in this case as this project will never attract spam - I >> know that is hard to believe in, but it won't. > > Then why do you care about spf and dkim? >
Re: Turn OFF SA spam filtering but keep ON header examination
Ok point take - I should have mentioned earlier that *part* of the reason to stick with SA is because it does spf and dkim checks. My mistake. Moving on now, David, good suggestions! Enlighten me about the Shortcirtcuit plugin please. How does one activate it or use it? The manual gives an example as follows, so is it correct to simply put this into my local.cf and let it run? It looks like it simply activates by adding the line: shortcircuit TEST on. =over 4 body TEST /test/ describe TEST test rule that scores barely over spam threshold score TEST 5.5 priority TEST -100 shortcircuit TEST on On 01/19/2018 08:38 AM, David Jones wrote: > On 01/18/2018 05:49 PM, Chip wrote: >> Very well stated. Bravo! >> >> The end point here is to examine the email headers that specifically >> refer to dkim and spf signatures. Based on fail or pass, or some >> combination in concert with the sender's email address, they get moved >> into fail or pass folders. >> >> That's it! >> > > Finally we get some details! :) This is very simple then: > > 1. Enable the Shortcircuit plugin in v320.pre > > 2. Enable these SPF and DKIM rules to be shortcircuit'd in your local.cf: > > shortcircuit SPF_PASS on > shortcircuit DKIM_VALID_AU on > score SPF_PASS -100 > score DKIM_VALID_AU -100 > > 3. Now you should see the SHORTCIRCUIT rule hit in your logs. Setup a > sieve rule to look for those 2 rules above to move them to the pass > folder. They will always be ham (score very low) and never be blocked > by the "glue" even with the default required_score. > > P.S. Technically, you could just set the 2 scores and not enable the > shortcircuit plugin. The 2 score lines in the local.cf should do what > you want to do. >
Re: Turn OFF SA spam filtering but keep ON header examination
On 01/19/2018 08:07 AM, RW wrote: On Thu, 18 Jan 2018 18:49:52 -0500 Chip wrote: Very well stated. Bravo! The end point here is to examine the email headers that specifically refer to dkim and spf signatures. Based on fail or pass, or some combination in concert with the sender's email address, they get moved into fail or pass folders. ... But that is with spamassassin still identifying spam, which is unnecessary in this case as this project will never attract spam - I know that is hard to believe in, but it won't. Then why do you care about spf and dkim? Never say never. If you have some emails addresses out there that have been around for a few years, then they will get on spammer's lists in various ways. Also, these emails being delivered to your cpanel VPS need to be direct deliveries, not forwards or bcc's in order to correctly identify SPF and DKIM. This means you must have a test domain or two in your control to point the MX records directly to this VPS. This on it's own could attract spam. Trust me. The spammers have ways of finding mail server IPs and which domains are accepted by them so they can start dictionary spam attacks. If you have a catchall mailbox setup, it will definitely get spam. Even regular/single mailboxes will get spam if the VPS is open on port 25 to the Internet. -- David Jones
Re: Turn OFF SA spam filtering but keep ON header examination
On Thu, 18 Jan 2018 18:49:52 -0500 Chip wrote: > Very well stated. Bravo! > > The end point here is to examine the email headers that specifically > refer to dkim and spf signatures. Based on fail or pass, or some > combination in concert with the sender's email address, they get moved > into fail or pass folders. ... > But that is with spamassassin still identifying spam, which is > unnecessary in this case as this project will never attract spam - I > know that is hard to believe in, but it won't. Then why do you care about spf and dkim?
Re: Turn OFF SA spam filtering but keep ON header examination
On 01/18/2018 05:49 PM, Chip wrote: Very well stated. Bravo! The end point here is to examine the email headers that specifically refer to dkim and spf signatures. Based on fail or pass, or some combination in concert with the sender's email address, they get moved into fail or pass folders. That's it! Finally we get some details! :) This is very simple then: 1. Enable the Shortcircuit plugin in v320.pre 2. Enable these SPF and DKIM rules to be shortcircuit'd in your local.cf: shortcircuit SPF_PASS on shortcircuit DKIM_VALID_AU on score SPF_PASS -100 score DKIM_VALID_AU -100 3. Now you should see the SHORTCIRCUIT rule hit in your logs. Setup a sieve rule to look for those 2 rules above to move them to the pass folder. They will always be ham (score very low) and never be blocked by the "glue" even with the default required_score. P.S. Technically, you could just set the 2 scores and not enable the shortcircuit plugin. The 2 score lines in the local.cf should do what you want to do. -- David Jones
Re: Turn OFF SA spam filtering but keep ON header examination
Chip schrieb am 19.01.2018 um 00:49: The end point here is to examine the email headers that specifically refer to dkim and spf signatures. Based on fail or pass, or some combination in concert with the sender's email address, they get moved into fail or pass folders. The right thing to do this is not SpamAssassin. Dkim and spf are designed to reject mail at mta level that does not pass validation. SpamAssassin is meant to only process mail that has not been rejected at mta level. Usually, you are able to reject 80 percent and more spam right at mta level by using block lists, smtp validation rules, dkim, spf and others. You never even accept them, so you don't need to classify them, so you don't have to move them to some spam folder, so you don't need to manually verify and delete them. It simply doesn't reach your system. If you only want to handle the dkim and spf aspect of mail delivery, install a spf policy daemon into your mail server and install a dkim milter into your mail server. I can only tell about CentOS with postfix, and here I do this: For spf: install spf policy daemon: $ yum install pypolicyd-spf (from epel repository) called from postfix main.cf (the last line does the spf check) smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, check_recipient_access hash:/etc/postfix/recipient_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org, check_policy_service unix:private/policyd-spf For dkim: Install opendkim milter: $ yum install opendkim (from epel repository) called from postfix main.cf: smtpd_milters = unix:/var/run/opendkim-postfix/sock I skipped the actual configurations of pypolicyd-spf and opendkim, but I can provide it if you are interested. This is light-weight in comparison to SpamAssassin and they are "install and configure once and it works forever" pieces of software, while SpamAssassin is something you have to actively maintain to keep it in good working shape. I cannot tell how this could work together with your cpanel, because I never used some administration panel. Such panels limit you to do only what is provided by the panel. To get more into the system the panel supports is painful or not possible - exactly the problem you are currently fighting.
Re: Turn OFF SA spam filtering but keep ON header examination
Exactly! That is why I want to stick with SA because it does know how to do spf and dkim checks whereas other systems don't unless we install software to do that. On 01/18/2018 07:31 PM, Alan Hodgson wrote: > On Thu, 2018-01-18 at 18:49 -0500, Chip wrote: >> Very well stated. Bravo! >> >> The end point here is to examine the email headers that specifically >> refer to dkim and spf signatures. Based on fail or pass, or some >> combination in concert with the sender's email address, they get moved >> into fail or pass folders. >> >> That's it! >> > > If that's literally all you want to do, then have SpamAssassin score > every message at +50 with a generic local rule, and whitelist_from_spf > or whitelist_from_dkim the ones you want to keep. SA knows how to do > SPF and DKIM. > > Then dump anything that passes SA into the pass folder, everything > else into fail.
Re: Turn OFF SA spam filtering but keep ON header examination
On Thu, 2018-01-18 at 18:49 -0500, Chip wrote: > Very well stated. Bravo! > > The end point here is to examine the email headers that specifically > refer to dkim and spf signatures. Based on fail or pass, or some > combination in concert with the sender's email address, they get moved > into fail or pass folders. > > That's it! > If that's literally all you want to do, then have SpamAssassin score every message at +50 with a generic local rule, and whitelist_from_spf or whitelist_from_dkim the ones you want to keep. SA knows how to do SPF and DKIM. Then dump anything that passes SA into the pass folder, everything else into fail.
Re: Turn OFF SA spam filtering but keep ON header examination
Very well stated. Bravo! The end point here is to examine the email headers that specifically refer to dkim and spf signatures. Based on fail or pass, or some combination in concert with the sender's email address, they get moved into fail or pass folders. That's it! I know there are other methods for doing this - procmail, mimedefang, sieve, etc. etc. etc., but I'm somewhat limited in using those because although they might be intrinsically better for this, they do not play well with the cpane/WHM VPS I use and to which I am married because there are other features of the cpanel/WHM which come into play with this project, that are attractive and not available in a home-grown smtp server box. So using what I have rather than jumping ship and starting from scratch is preferable. I have played a bit with the local.cf and see that I can move into folders depending in the outcome of the examination of the headers. But that is with spamassassin still identifying spam, which is unnecessary in this case as this project will never attract spam - I know that is hard to believe in, but it won't. So the method of using Spam Assassins built in regex procedures for examining emails is attractive. On 01/18/2018 06:24 PM, Alex Woick wrote: > Chip schrieb am 18.01.2018 um 23:43: >> yes I'm starting to see that. I may need to build a box specifically >> suited for this using procmail. I had hoped that I could stay with >> the VPS. >> >> Nevertheless, I've heard two contradictory pieces of advise here and >> would like to know which is correct or most-near correct. >> >> I'm sure there are instances where both pieces of advise work. >> >> someone said change the local.cf to a score of 999 which (I think) means >> that it will override all other spam detection rules. >> >> And then another person suggested to remove all the bundled rules. > I think it isn't clear what your final goal is. What is the goal you > want to achieve, how should the result look like? > > SpamAssassin is something that is inserted into the flow of mail, > usually on a mailserver, and does nothing else than read each mail > that is piped through it and add some headers to each mail. That's it. > It adds headers that tell how that mail was classified by > SpamAssassin: spam or not spam. > > Then, some process that comes after SpamAssassin is able to read these > headers and perform some action upon the mail: for example, it could > move mails to a "junk" folder that were classified as spam and can > leave other mail alone. If you don't implement such process, no action > will be done. > > How SpamAssassin does the classification is determined by the rules > that come with it. It will do analysis of headers, analysis of text > and may consult remote services like spamcop. > > Each rule returns a score. A positive score means the rule says this > is an indication for spam, and a negative score means the rule says > this is an indication for non-spam (ham). All scores are added, and if > the value is above 5, SpamAssassin classifies this mail as spam. If it > is below 5, it classifies the mail not as spam. If you raise this > threshold to 999, SpamAssassin will simply declare no mail as spam any > more, because there are probably never enough matching spam rules that > add up above 999. So doing this is somewhat pointless, and so I get > back to my initial question: what is the result for your users that > you want to produce after your project is finished? > > If you want SpamAssassin classify and mark mail but take no action, > simply fold SpamAssassin into your mail server and let it do the > classification. Each mail will get the SpamAssassin headers but will > be delivered as before. But you can examine the classification by > examining the headers of the mails in your mail reader. If you and > your users find the classification is fine, you can do the next step > and implement actions on the classification. >
Re: Turn OFF SA spam filtering but keep ON header examination
Chip schrieb am 18.01.2018 um 23:43: yes I'm starting to see that. I may need to build a box specifically suited for this using procmail. I had hoped that I could stay with the VPS. Nevertheless, I've heard two contradictory pieces of advise here and would like to know which is correct or most-near correct. I'm sure there are instances where both pieces of advise work. someone said change the local.cf to a score of 999 which (I think) means that it will override all other spam detection rules. And then another person suggested to remove all the bundled rules. I think it isn't clear what your final goal is. What is the goal you want to achieve, how should the result look like? SpamAssassin is something that is inserted into the flow of mail, usually on a mailserver, and does nothing else than read each mail that is piped through it and add some headers to each mail. That's it. It adds headers that tell how that mail was classified by SpamAssassin: spam or not spam. Then, some process that comes after SpamAssassin is able to read these headers and perform some action upon the mail: for example, it could move mails to a "junk" folder that were classified as spam and can leave other mail alone. If you don't implement such process, no action will be done. How SpamAssassin does the classification is determined by the rules that come with it. It will do analysis of headers, analysis of text and may consult remote services like spamcop. Each rule returns a score. A positive score means the rule says this is an indication for spam, and a negative score means the rule says this is an indication for non-spam (ham). All scores are added, and if the value is above 5, SpamAssassin classifies this mail as spam. If it is below 5, it classifies the mail not as spam. If you raise this threshold to 999, SpamAssassin will simply declare no mail as spam any more, because there are probably never enough matching spam rules that add up above 999. So doing this is somewhat pointless, and so I get back to my initial question: what is the result for your users that you want to produce after your project is finished? If you want SpamAssassin classify and mark mail but take no action, simply fold SpamAssassin into your mail server and let it do the classification. Each mail will get the SpamAssassin headers but will be delivered as before. But you can examine the classification by examining the headers of the mails in your mail reader. If you and your users find the classification is fine, you can do the next step and implement actions on the classification.
Re: Turn OFF SA spam filtering but keep ON header examination
Thanks for pointing out Sieve. I'll look into that. It's nice in that it acts on the last procedure - or right before delivery to the mail folder after all the other dirty work has been done. thanks. On 01/18/2018 05:55 PM, Larry Rosenman wrote: > On Thu, Jan 18, 2018 at 05:43:04PM -0500, Chip wrote: >> yes I'm starting to see that. I may need to build a box specifically >> suited for this using procmail. I had hoped that I could stay with the VPS. >> > I'd look at using sieve instead. Procmail has had some issues and not well > maintained. > > (My opinion FWIW)
Re: Turn OFF SA spam filtering but keep ON header examination
On Thu, Jan 18, 2018 at 05:43:04PM -0500, Chip wrote: > yes I'm starting to see that. I may need to build a box specifically > suited for this using procmail. I had hoped that I could stay with the VPS. > I'd look at using sieve instead. Procmail has had some issues and not well maintained. (My opinion FWIW) -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 E-Mail: l...@lerctr.org US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106
Re: Turn OFF SA spam filtering but keep ON header examination
yes I'm starting to see that. I may need to build a box specifically suited for this using procmail. I had hoped that I could stay with the VPS. Nevertheless, I've heard two contradictory pieces of advise here and would like to know which is correct or most-near correct. I'm sure there are instances where both pieces of advise work. someone said change the local.cf to a score of 999 which (I think) means that it will override all other spam detection rules. And then another person suggested to remove all the bundled rules. This difference of opinion could be attributed to my lack of clarity, inexperience and what I need. I don't want detection of spam however, when I look at the rules in SpamAssassin (regex expressions, for example) for acting on header information, they are easier to write than procmail or other methods, so I wanted to stick with spamassassin since I have some basic knowledge of regex. If, setting local.cf spam detection to 999 stops the detection of, and acting on, spam, that would work. I would simply write some rules for modifying the subject and deal with the sorting elsewhere. I will try that unless someone sees this as not working. On 01/18/2018 05:34 PM, Noel wrote: > On 1/18/2018 2:09 PM, Chip wrote: >> Newbie excited to use the features of SpamAssassin for a new project >> that needs to flag inbound email for sorting into folders (this can be >> done via cpanel-level filtering) based on keywords in headers (header >> search by SA). >> >> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and >> SpamAssassin version 3.4.1 running on Perl version 5.10.1. >> >> I would like to TURN OFF any and all Spam Identification features and >> only leave behind SpamAssassin's examination of headers and subsequent >> Subject modification based on keywords in headers (such as keywords in >> DKIM or SPF, etc) > Basically all the rules included with SpamAssassin are for spam > identification, and header modification is based on detecting mail > as spam. > > I think SA is poorly suited for your stated purpose of sorting mail > by header keywords. > > If you really really wanted to use SA for this project, you would > need to *remove* all the bundled rules and then add your own header > parsing rules in local.cf, and then SA only knows how to modify the > subject with a spam tag or not at all. > > This seems like more trouble than it's worth for an end product that > doesn't suit your needs very well. There are other established ways > to sort mail with userland imap filters, procmail, seive, etc. > > > Good luck. > > > > > -- Noel Jones >
Re: Turn OFF SA spam filtering but keep ON header examination
On 1/18/2018 2:09 PM, Chip wrote: > Newbie excited to use the features of SpamAssassin for a new project > that needs to flag inbound email for sorting into folders (this can be > done via cpanel-level filtering) based on keywords in headers (header > search by SA). > > This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and > SpamAssassin version 3.4.1 running on Perl version 5.10.1. > > I would like to TURN OFF any and all Spam Identification features and > only leave behind SpamAssassin's examination of headers and subsequent > Subject modification based on keywords in headers (such as keywords in > DKIM or SPF, etc) Basically all the rules included with SpamAssassin are for spam identification, and header modification is based on detecting mail as spam. I think SA is poorly suited for your stated purpose of sorting mail by header keywords. If you really really wanted to use SA for this project, you would need to *remove* all the bundled rules and then add your own header parsing rules in local.cf, and then SA only knows how to modify the subject with a spam tag or not at all. This seems like more trouble than it's worth for an end product that doesn't suit your needs very well. There are other established ways to sort mail with userland imap filters, procmail, seive, etc. Good luck. -- Noel Jones
Re: Turn OFF SA spam filtering but keep ON header examination
Yes I read the basic configuration. Did you read my initial request in which I said I was a newbie? Reading the "basic configuration" has no bearing on the other parts of my inquiry. Perhaps you didn't read that as well? Where I said this was a VPS with several domains? And that there where many, many files contributing to the SpamAssassin rules functions and operation? Did you read that? The basic configuration is just that - basic. I have no idea based on the numerous rules set discovered if the basic configuration will play nicely with a VPS with many domains and user preferences. I would prefer that you do not respond to my inquiries any longer as I consider you to be somewhat of a harasser. Please just exit the virtual door and stay away from my inbox. Thank you. On 01/18/2018 05:20 PM, Reindl Harald wrote: > > > Am 18.01.2018 um 23:17 schrieb Chip: >> Thank you, Sir. >> >> So in my local.cf there is a commented-out rule as follows: >> >> # Set the threshold at which a message is considered spam (default: >> 5.0) >> # >> # required_score 5.0 >> >> setting that required to 999 will over ride the standard rules system >> wide? > > it will set the value "required_score" form 5 to 999 > > did you even read that: > https://wiki.apache.org/spamassassin/BasicConfiguration > >> On 01/18/2018 05:11 PM, David Jones wrote: >>> On 01/18/2018 04:00 PM, Chip wrote: Find this tidbit of information how to find the rules that are loaded with spam assassin: spamassassin --lint -D 2>&1 | grep 'config: read file' I see many, many lines of files. I don't see myself going into all those files and replacing a score of whatever with a 999 or 0. There must be a simpler solution to turning off rules than individually editing each ruleset. >>> >>> You can easily grep and sed the output of the lint command above to >>> generate "score RULE 0.0" and append it to the local.cf. But I am >>> pretty sure this is not want you are wanting to do as it wouldn't be >>> very useful. >>> And in the local.cf there are NO rules. So I'm back to zero here. >>> >>> What specifically are you trying to do? You may want to leave all >>> rules active and simply add some new custom rules to local.cf for your >>> custom needs. >>> >>> If you don't want to block anything and just want to collect as much >>> spam and ham as possible, then set the "required_score 999" in your >>> local.cf > >
Re: Turn OFF SA spam filtering but keep ON header examination
Thank you, Sir. So in my local.cf there is a commented-out rule as follows: # Set the threshold at which a message is considered spam (default: 5.0) # # required_score 5.0 setting that required to 999 will over ride the standard rules system wide? On 01/18/2018 05:11 PM, David Jones wrote: > On 01/18/2018 04:00 PM, Chip wrote: >> Find this tidbit of information how to find the rules that are loaded >> with spam assassin: >> >> spamassassin --lint -D 2>&1 | grep 'config: read file' >> >> I see many, many lines of files. >> >> I don't see myself going into all those files and replacing a score of >> whatever with a 999 or 0. >> >> There must be a simpler solution to turning off rules than individually >> editing each ruleset. >> > > You can easily grep and sed the output of the lint command above to > generate "score RULE 0.0" and append it to the local.cf. But I am > pretty sure this is not want you are wanting to do as it wouldn't be > very useful. > >> And in the local.cf there are NO rules. >> >> So I'm back to zero here. > > What specifically are you trying to do? You may want to leave all > rules active and simply add some new custom rules to local.cf for your > custom needs. > > If you don't want to block anything and just want to collect as much > spam and ham as possible, then set the "required_score 999" in your > local.cf. >
Re: Turn OFF SA spam filtering but keep ON header examination
How better to figure other than asking here? Ummm. Isn't that what this mailing list is about? People helping others? I guess I'm at the wrong place. I'm not asking someone to do my work for me. I'm asking for some advise from people who know more than me without them getting sarcastic or insinuating that I'm lazy. I'm pretty sure there are a number of people on this list who CAN answer a simple question about turning off filtering and perhaps give some cogent advise. How would you suggest I "need to figure out basically how spamassassin works?" Go out and read books? Hire someone? Search the internet? Google? I thought I came to the place where people with more experience than myself could offer up some sage advise without being sarcastic or insinuating that I am lazy. I don't need "experts" to lead me down a dark road and abandon me and then tell me I'm lost. So if you can't simply offer some honest, good, informative advise then please buzz off. On 01/18/2018 05:07 PM, Reindl Harald wrote: > > > Am 18.01.2018 um 23:00 schrieb Chip: >> Find this tidbit of information how to find the rules that are loaded >> with spam assassin: >> >> spamassassin --lint -D 2>&1 | grep 'config: read file' >> >> I see many, many lines of files. >> >> I don't see myself going into all those files and replacing a score of >> whatever with a 999 or 0. >> >> There must be a simpler solution to turning off rules than individually >> editing each ruleset. >> >> And in the local.cf there are NO rules. >> >> So I'm back to zero here > > "local.cf" is not supposed to contain anything - it's *your* local > configuration for overrides - you really need to figure out basically > how spamassassin works not just "i am at zero, do the work of reading > manpages and google around how i set it up" outsourced to a mailing list >
Re: Turn OFF SA spam filtering but keep ON header examination
On 01/18/2018 04:00 PM, Chip wrote: Find this tidbit of information how to find the rules that are loaded with spam assassin: spamassassin --lint -D 2>&1 | grep 'config: read file' I see many, many lines of files. I don't see myself going into all those files and replacing a score of whatever with a 999 or 0. There must be a simpler solution to turning off rules than individually editing each ruleset. You can easily grep and sed the output of the lint command above to generate "score RULE 0.0" and append it to the local.cf. But I am pretty sure this is not want you are wanting to do as it wouldn't be very useful. And in the local.cf there are NO rules. So I'm back to zero here. What specifically are you trying to do? You may want to leave all rules active and simply add some new custom rules to local.cf for your custom needs. If you don't want to block anything and just want to collect as much spam and ham as possible, then set the "required_score 999" in your local.cf. -- David Jones
Re: Turn OFF SA spam filtering but keep ON header examination
Find this tidbit of information how to find the rules that are loaded with spam assassin: spamassassin --lint -D 2>&1 | grep 'config: read file' I see many, many lines of files. I don't see myself going into all those files and replacing a score of whatever with a 999 or 0. There must be a simpler solution to turning off rules than individually editing each ruleset. And in the local.cf there are NO rules. So I'm back to zero here. On 01/18/2018 04:08 PM, David Jones wrote: > On 01/18/2018 03:01 PM, Chip wrote: >> Thank you Shanew for the suggestion. >> >> I'm tied to a Cpanel/WHM VPS which can't be changed. Give that there >> are some restrictions such as the use of Exim. Exim apparently does not >> play nice with mimedefang and only partially nice with procmail - at >> least as I've tested it. I would actually prefer to use procmail, but >> it is a bit of heavy lifting to learn. >> >> The good part of Cpanel/WHM is that it has filters easily employed on a >> per email account basis that triggers off the subject line for >> allocating the email to specific folders. I just need a way to change >> the subject via SA based on what SA finds in the headers. >> >> SA does change the subject (I know, I know, changing the content of an >> email is considered a no-no but in this case we are not talking about >> legalities). In this specific use it's just for internal sorting of >> email into specific folders as appropriate based on a subject line that >> SA will create based on it's examination of the headers, and the sorting >> happens on a per account basis by /etc/vfilters created by Cpanel/WHM in >> an easy-to-use gui interface. >> >> > > Keep in mind that changing the Subject will break DKIM checks on any > downstream mail filters but if your SA instance is the "last stop" > then it won't be a problem. > >> >> On 01/18/2018 03:51 PM, sha...@shanew.net wrote: >>> I can't help but think that you'd be better of using something like >>> procmail, maildrop (part of Courier), or sieve if want you want is >>> sorting without all the overhead of checking for spam. >>> >>> But maybe I'm not understanding what you want to accomplish... >>> >>> On Thu, 18 Jan 2018, Chip wrote: >>> Newbie excited to use the features of SpamAssassin for a new project that needs to flag inbound email for sorting into folders (this can be done via cpanel-level filtering) based on keywords in headers (header search by SA). This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and SpamAssassin version 3.4.1 running on Perl version 5.10.1. I would like to TURN OFF any and all Spam Identification features and only leave behind SpamAssassin's examination of headers and subsequent Subject modification based on keywords in headers (such as keywords in DKIM or SPF, etc) 1) Can this be done, and; 2) What tweaks need to be made to SA in its configuration files to make it happen, and; 3) what else is recommended here. Thank you. >>> >> > >
Re: Turn OFF SA spam filtering but keep ON header examination
Looking in my setup I see local.cf attached to many virtfs as in: /home/virtfs/domain-name/etc/mail/spamassassin/local.cf as well as in: /etc/mail/spamassassin/local.cf When I open these files there are very little rules so can't really see what I must change here? This is a VPS with about 10 domains. On 01/18/2018 04:08 PM, David Jones wrote: > On 01/18/2018 03:01 PM, Chip wrote: >> Thank you Shanew for the suggestion. >> >> I'm tied to a Cpanel/WHM VPS which can't be changed. Give that there >> are some restrictions such as the use of Exim. Exim apparently does not >> play nice with mimedefang and only partially nice with procmail - at >> least as I've tested it. I would actually prefer to use procmail, but >> it is a bit of heavy lifting to learn. >> >> The good part of Cpanel/WHM is that it has filters easily employed on a >> per email account basis that triggers off the subject line for >> allocating the email to specific folders. I just need a way to change >> the subject via SA based on what SA finds in the headers. >> >> SA does change the subject (I know, I know, changing the content of an >> email is considered a no-no but in this case we are not talking about >> legalities). In this specific use it's just for internal sorting of >> email into specific folders as appropriate based on a subject line that >> SA will create based on it's examination of the headers, and the sorting >> happens on a per account basis by /etc/vfilters created by Cpanel/WHM in >> an easy-to-use gui interface. >> >> > > Keep in mind that changing the Subject will break DKIM checks on any > downstream mail filters but if your SA instance is the "last stop" > then it won't be a problem. > >> >> On 01/18/2018 03:51 PM, sha...@shanew.net wrote: >>> I can't help but think that you'd be better of using something like >>> procmail, maildrop (part of Courier), or sieve if want you want is >>> sorting without all the overhead of checking for spam. >>> >>> But maybe I'm not understanding what you want to accomplish... >>> >>> On Thu, 18 Jan 2018, Chip wrote: >>> Newbie excited to use the features of SpamAssassin for a new project that needs to flag inbound email for sorting into folders (this can be done via cpanel-level filtering) based on keywords in headers (header search by SA). This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and SpamAssassin version 3.4.1 running on Perl version 5.10.1. I would like to TURN OFF any and all Spam Identification features and only leave behind SpamAssassin's examination of headers and subsequent Subject modification based on keywords in headers (such as keywords in DKIM or SPF, etc) 1) Can this be done, and; 2) What tweaks need to be made to SA in its configuration files to make it happen, and; 3) what else is recommended here. Thank you. >>> >> > >
Re: Turn OFF SA spam filtering but keep ON header examination
On 01/18/2018 03:01 PM, Chip wrote: Thank you Shanew for the suggestion. I'm tied to a Cpanel/WHM VPS which can't be changed. Give that there are some restrictions such as the use of Exim. Exim apparently does not play nice with mimedefang and only partially nice with procmail - at least as I've tested it. I would actually prefer to use procmail, but it is a bit of heavy lifting to learn. The good part of Cpanel/WHM is that it has filters easily employed on a per email account basis that triggers off the subject line for allocating the email to specific folders. I just need a way to change the subject via SA based on what SA finds in the headers. SA does change the subject (I know, I know, changing the content of an email is considered a no-no but in this case we are not talking about legalities). In this specific use it's just for internal sorting of email into specific folders as appropriate based on a subject line that SA will create based on it's examination of the headers, and the sorting happens on a per account basis by /etc/vfilters created by Cpanel/WHM in an easy-to-use gui interface. Keep in mind that changing the Subject will break DKIM checks on any downstream mail filters but if your SA instance is the "last stop" then it won't be a problem. On 01/18/2018 03:51 PM, sha...@shanew.net wrote: I can't help but think that you'd be better of using something like procmail, maildrop (part of Courier), or sieve if want you want is sorting without all the overhead of checking for spam. But maybe I'm not understanding what you want to accomplish... On Thu, 18 Jan 2018, Chip wrote: Newbie excited to use the features of SpamAssassin for a new project that needs to flag inbound email for sorting into folders (this can be done via cpanel-level filtering) based on keywords in headers (header search by SA). This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and SpamAssassin version 3.4.1 running on Perl version 5.10.1. I would like to TURN OFF any and all Spam Identification features and only leave behind SpamAssassin's examination of headers and subsequent Subject modification based on keywords in headers (such as keywords in DKIM or SPF, etc) 1) Can this be done, and; 2) What tweaks need to be made to SA in its configuration files to make it happen, and; 3) what else is recommended here. Thank you. -- David Jones
Re: Turn OFF SA spam filtering but keep ON header examination
Thank you Shanew for the suggestion. I'm tied to a Cpanel/WHM VPS which can't be changed. Give that there are some restrictions such as the use of Exim. Exim apparently does not play nice with mimedefang and only partially nice with procmail - at least as I've tested it. I would actually prefer to use procmail, but it is a bit of heavy lifting to learn. The good part of Cpanel/WHM is that it has filters easily employed on a per email account basis that triggers off the subject line for allocating the email to specific folders. I just need a way to change the subject via SA based on what SA finds in the headers. SA does change the subject (I know, I know, changing the content of an email is considered a no-no but in this case we are not talking about legalities). In this specific use it's just for internal sorting of email into specific folders as appropriate based on a subject line that SA will create based on it's examination of the headers, and the sorting happens on a per account basis by /etc/vfilters created by Cpanel/WHM in an easy-to-use gui interface. On 01/18/2018 03:51 PM, sha...@shanew.net wrote: > I can't help but think that you'd be better of using something like > procmail, maildrop (part of Courier), or sieve if want you want is > sorting without all the overhead of checking for spam. > > But maybe I'm not understanding what you want to accomplish... > > On Thu, 18 Jan 2018, Chip wrote: > >> Newbie excited to use the features of SpamAssassin for a new project >> that needs to flag inbound email for sorting into folders (this can be >> done via cpanel-level filtering) based on keywords in headers (header >> search by SA). >> >> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and >> SpamAssassin version 3.4.1 running on Perl version 5.10.1. >> >> I would like to TURN OFF any and all Spam Identification features and >> only leave behind SpamAssassin's examination of headers and subsequent >> Subject modification based on keywords in headers (such as keywords in >> DKIM or SPF, etc) >> >> 1) Can this be done, and; >> >> 2) What tweaks need to be made to SA in its configuration files to make >> it happen, and; >> >> 3) what else is recommended here. >> >> Thank you. >> >
Re: Turn OFF SA spam filtering but keep ON header examination
I can't help but think that you'd be better of using something like procmail, maildrop (part of Courier), or sieve if want you want is sorting without all the overhead of checking for spam. But maybe I'm not understanding what you want to accomplish... On Thu, 18 Jan 2018, Chip wrote: Newbie excited to use the features of SpamAssassin for a new project that needs to flag inbound email for sorting into folders (this can be done via cpanel-level filtering) based on keywords in headers (header search by SA). This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and SpamAssassin version 3.4.1 running on Perl version 5.10.1. I would like to TURN OFF any and all Spam Identification features and only leave behind SpamAssassin's examination of headers and subsequent Subject modification based on keywords in headers (such as keywords in DKIM or SPF, etc) 1) Can this be done, and; 2) What tweaks need to be made to SA in its configuration files to make it happen, and; 3) what else is recommended here. Thank you. -- Public key #7BBC68D9 at| Shane Williams http://pgp.mit.edu/| System Admin - UT CompSci =--+--- All syllogisms contain three lines | sha...@shanew.net Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
Re: Turn OFF SA spam filtering but keep ON header examination
On 01/18/2018 02:33 PM, Chip wrote: That sounds doable. If I score everything 0 or 999 will things be overwritten in local.cf on update or elsewhere? The local.cf is yours to update and does not get touched by upgrades or ruleset updates. What you are suggesting sounds like a reasonable course of action. Sounds like you need to play with SA for a bit to understand how it works then setup MDA rules to sort into folders. Keep in mind, SA doesn't actually block anything. It just creates a score and whatever calls SA (known as the glue often on this mailing list) is responsible for taking action based on that score or rule hits. What is your glue? amavisd? That's where you need to start and then do some reading on the documentation for that glue. All of them will have a score required for blocking that usually takes the SA default of 5.0 or maybe 6.0 like MailScanner. If you set that required score to 999 then nothing will be blocked by the glue to let everything in for sorting. On 01/18/2018 03:29 PM, David Jones wrote: On 01/18/2018 02:09 PM, Chip wrote: Newbie excited to use the features of SpamAssassin for a new project that needs to flag inbound email for sorting into folders (this can be done via cpanel-level filtering) based on keywords in headers (header search by SA). This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and SpamAssassin version 3.4.1 running on Perl version 5.10.1. I would like to TURN OFF any and all Spam Identification features and only leave behind SpamAssassin's examination of headers and subsequent Subject modification based on keywords in headers (such as keywords in DKIM or SPF, etc) 1) Can this be done, and; 2) What tweaks need to be made to SA in its configuration files to make it happen, and; 3) what else is recommended here. Thank you. Not exactly sure what you want to disable but setting a score of 0 will disable a rule. You may need to gather up a list of all rules and score most of them 0 in your local.cf. You might just set the required score to 999 in whatever is launching spamassassin so it doesn't block anything. Then have MDA (Dovecot sieve) rules to sort into folders based on hits in the X-Spam-Status header. I do something similar for my spamassassin masscheck box where I intentionally let down my defenses at the MTA not using any RBLs and then sort messages into a Ham or Spam folder based on score and rule hits. -- David Jones
Re: Turn OFF SA spam filtering but keep ON header examination
That sounds doable. If I score everything 0 or 999 will things be overwritten in local.cf on update or elsewhere? What you are suggesting sounds like a reasonable course of action. On 01/18/2018 03:29 PM, David Jones wrote: > On 01/18/2018 02:09 PM, Chip wrote: >> Newbie excited to use the features of SpamAssassin for a new project >> that needs to flag inbound email for sorting into folders (this can be >> done via cpanel-level filtering) based on keywords in headers (header >> search by SA). >> >> This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and >> SpamAssassin version 3.4.1 running on Perl version 5.10.1. >> >> I would like to TURN OFF any and all Spam Identification features and >> only leave behind SpamAssassin's examination of headers and subsequent >> Subject modification based on keywords in headers (such as keywords in >> DKIM or SPF, etc) >> >> 1) Can this be done, and; >> >> 2) What tweaks need to be made to SA in its configuration files to make >> it happen, and; >> >> 3) what else is recommended here. >> >> Thank you. >> > > Not exactly sure what you want to disable but setting a score of 0 > will disable a rule. You may need to gather up a list of all rules > and score most of them 0 in your local.cf. > > You might just set the required score to 999 in whatever is launching > spamassassin so it doesn't block anything. Then have MDA (Dovecot > sieve) rules to sort into folders based on hits in the X-Spam-Status > header. > > I do something similar for my spamassassin masscheck box where I > intentionally let down my defenses at the MTA not using any RBLs and > then sort messages into a Ham or Spam folder based on score and rule > hits. >
Re: Turn OFF SA spam filtering but keep ON header examination
On 01/18/2018 02:09 PM, Chip wrote: Newbie excited to use the features of SpamAssassin for a new project that needs to flag inbound email for sorting into folders (this can be done via cpanel-level filtering) based on keywords in headers (header search by SA). This is a Centos 6.9 machine running cpanel/WHM 11.68.0.23 and SpamAssassin version 3.4.1 running on Perl version 5.10.1. I would like to TURN OFF any and all Spam Identification features and only leave behind SpamAssassin's examination of headers and subsequent Subject modification based on keywords in headers (such as keywords in DKIM or SPF, etc) 1) Can this be done, and; 2) What tweaks need to be made to SA in its configuration files to make it happen, and; 3) what else is recommended here. Thank you. Not exactly sure what you want to disable but setting a score of 0 will disable a rule. You may need to gather up a list of all rules and score most of them 0 in your local.cf. You might just set the required score to 999 in whatever is launching spamassassin so it doesn't block anything. Then have MDA (Dovecot sieve) rules to sort into folders based on hits in the X-Spam-Status header. I do something similar for my spamassassin masscheck box where I intentionally let down my defenses at the MTA not using any RBLs and then sort messages into a Ham or Spam folder based on score and rule hits. -- David Jones