Re: Score 0.001

2024-05-12 Thread Greg Troxel
I would suggest that if Debian is modifying the default config from 5 to 6.31, then probably they should not be doing that. As a packager, I fix bugs (and file upstream bug reports), but it's usually linuxy nonportability things that are clearly bugs (test ==, hardcoded lists of accepted

Re: Score 0.001

2024-05-11 Thread Greg Troxel
Thomas Barth writes: > On 2024-05-11 21:54, Bill Cole wrote: >> I have no idea who the Debian "spam analysts" are but I am certain >> that they are not doing any sort of data-driven dynamic adjustments >> of scores based on a threshold of 6.3 nor are they (obviously) >> adjusting that

Re: Defining what the default welcomelist means

2024-04-14 Thread Greg Troxel
Bill Cole writes: > On 2024-04-12 at 18:56:15 UTC-0400 (Fri, 12 Apr 2024 18:56:15 -0400) > Greg Troxel > >> Bill Cole writes: >> >>> 1. We serve our users: receivers, not senders. Senders claiming FPs >>> need the support of a corroborating would-be re

Re: Defining what the default welcomelist means

2024-04-12 Thread Greg Troxel
jdow writes: > One pesky detail still exists. There is a very broad fuzzy area where > my spam is your ham and vice versa. You could probably drive yourself > to an early grave trying to get the perfect Bayes training plus > perfect rule set. spam is bulk and unsolicited. So yes the same

Re: Defining what the default welcomelist means

2024-04-12 Thread Greg Troxel
Also, I'm not sure you said this, but I would say: default whitelist is dkim only This means All existing entries are converted to dkim as well as we can, not worrying if they break. We'll prune ones that don't work as dkim, and add a signing domain as we figure it out, as

Re: Defining what the default welcomelist means

2024-04-12 Thread Greg Troxel
I see it very slightly differently, but mostly agree Bill Cole writes: > 1. We serve our users: receivers, not senders. Senders claiming FPs > need the support of a corroborating would-be receiver. Agreed. Or maybe we take requests to add only from receivers. > 2. If senders have FPs on

Re: [UPDATE] Changes to Validity Reputation Data Through DNS

2024-01-18 Thread Greg Troxel
H Tom Bartel writes: > Starting March 1, 2024, we will allow up to 10,000 requests per user over a > 30-day time period. After the 10,000 requests, users must create a > MyValidity account to continue using this free service. Upon the creation > of a MyValidity account, you will receive

Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Greg Troxel
Thomas Cameron writes: > Yeah, the weird thing is, when I check the forwarded email on GMail, I > see in the headers that both the original sending email server (call > it mail.somedomain.com) and the relay server (call it > mail.myassociation.org) put DKIM signatures in the message. That's

Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Greg Troxel
"Thomas Cameron via users" writes: > I actually set up SPF, DMARC, and DKIM on the non-profit's email > server. It works fine if I send email from the server. > > The rub is, I want all emails to presid...@example.org to be forwarded > to presidents_real_addr...@gmail.com. Since the forward

Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Greg Troxel
"Thomas Cameron via users" writes: > I built email servers for a non-profit I volunteer for. If email comes > into the server for presid...@myassociation.org, I would normally just > create an alias in /etc/aliases so that emails to president@ get > forwarded to the president's "real" email

Re: proper use of internal_networks?

2023-12-07 Thread Greg Troxel
"Dan Mahoney (Gushi)" writes: > Hey there all, > > Recently, we noticed that one of our system's "cron" mails started > getting caught by our spam filter (because it had lots of hostnames in > it about failed ssh logins, which the uribl plugin didn't like). > > This system is listed (v4 and v6)

Re: Too many dots?

2023-11-16 Thread Greg Troxel
Alex writes: > Also, the KAM rules are designed to be used in conjunction with the stock > rules, so it also seemed somewhat punitive to award so many points and to > be expected to offset them for a completely benign email. My experience is that many of the KAM rules are unreasonably

Re: sane max value for message size in 2023?

2023-09-11 Thread Greg Troxel
AJ Weber writes: > I realize this is very much an "it depends", but recently I'm getting > a lot of messages bypassing spamc because they're a few KB over the > default, 500KB limit (spamassassin 3.4.x). That is way way too small now. I would go to at least 8 MB.

Re: Ensuring SPF/DKIM for @gmail.com

2023-07-25 Thread Greg Troxel
J Doe writes: > I am currently using SpamAssassin 4.0.0 and I had a question on how I > can ensure that any e-mail from @gmail.com has a valid SPF and DKIM > signature. You should phrase what you want more carefully. What I think you said is: I want that if mail comes in with a From: of

Re: Welcome/unwelcome list not working correctly.

2023-07-21 Thread Greg Troxel
Grant Keller writes: > I don't think the query result order masters here, from what I could > gather in the spamassassin source, the welcome list is built in 2 > steps: > 1. Create the list using the whitelist_from values. > 2. Remove from that list everything in unwhitelist_from I guess you

Re: Welcome/unwelcome list not working correctly.

2023-07-20 Thread Greg Troxel
Grant Keller writes: > | gvk | unwhitelist_from| grant.kel...@sonic.com | 7421538 | > | gvk | whitelist_from | grant.kel...@sonic.com | 7526210 | What do you think that means? What's the fourth column? Note that we are in transition from white to welcome, but

Re: mystery score definition

2023-05-12 Thread Greg Troxel
Henrik K writes: > On Fri, May 12, 2023 at 07:12:35AM -0400, Greg Troxel wrote: >> Henrik K writes: >> >> > From what I've seen, it's very uncommon to use this format. Why rely on >> > some vague previously defined score, which can change at any time? Just

Re: mystery score definition

2023-05-12 Thread Greg Troxel
Henrik K writes: > From what I've seen, it's very uncommon to use this format. Why rely on > some vague previously defined score, which can change at any time? Just set > a static score you like and fits your system. It's not vague; it's the score which is defined by the distributed rules.

Re: mystery score definition

2023-05-11 Thread Greg Troxel
Matus UHLAR - fantomas writes: > On 11.05.23 10:58, Greg Troxel wrote: >>I am seeing a lot of "claim your prize from X", where X is a known >>company, coming from fresh foo.autos domains. I bet y'all are seeing >>this too. Until these get on blocklists they don't

mystery score definition

2023-05-11 Thread Greg Troxel
I am seeing a lot of "claim your prize from X", where X is a known company, coming from fresh foo.autos domains. I bet y'all are seeing this too. Until these get on blocklists they don't score that high. One rule that does hit is OBFU_UNSUB_UL which is defined in 72_active.cf as meta, and

Re: DKIM absence

2023-05-02 Thread Greg Troxel
Matus UHLAR - fantomas writes: > On 02.05.23 08:37, Thomas Johnson wrote: >> If there’s no dkim signature, you can’t check for dkim records in >> dns. The selector for a dkim signature is arbitrary - there’s no >> one dns lookup you can do to see all possible dkim records for a >> domain. > > a

Re: DKIM absence

2023-05-02 Thread Greg Troxel
> Right, because you need to grovel out the selector from the > DKIM-Signature line. Groan. > > That you can't mark a domain as requiring DKIM at the top-level seems > to be a design flaw in the protocol. Yes, but I think the way that is fixed is spelled DMARC.

Re: FP on KAM_SOMETLD_ARE_BAD_TLD

2023-04-12 Thread Greg Troxel
Alan writes: > A lovely message from a reputable sender with a penchant for fancy > email formatting has CSS rules expressed in JSON, presumably so it can > adjust for the mail client or some such. > > A segment contains the text: > > "items":[{"type":"Input.Date","id":"date"}]} > > The

Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Greg Troxel
Bill Cole writes: > It can happen, particularly when a listed domain changes the way they > send email. I'm not sure I understand exactly what Dropbox is doing > here or how it is possible for a user to masquerade as PayPal, but I > suspect this is a new service of some sort. It seems to be a

Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Greg Troxel
A quick grep shows: 4.00/updates_spamassassin_org/60_welcomelist_auth.cf:def_welcomelist_auth *@*.dropbox.com so the code is operating as designed. It seems that either dropbox is compromised, or dropbox is allowing user-generated content to go out under their domain. Either way it

DKIMWL functional?

2023-03-07 Thread Greg Troxel
I got spam which hit DKIMWL_WL_HIGH (from smartbrief). I went to find out how to report this as obviously they should not be on HIGH, and found that https://www.dkimwl.org/ gets me A Database Error Occurred Error Number: 1146 Table 'bladmin.dkimwl_magnitude_monthly' doesn't exist

Re: adobe phishing?

2023-02-22 Thread Greg Troxel
Kris Deugau writes: > Greg Troxel wrote: >> One of my users got mail that really looks like a phish. They are >> unaware of having an adobe account. It is DKIM signed, but looks a bit >> spammy in terms of the content (low-quality HTML markup, missing >> text/plain

adobe phishing?

2023-02-22 Thread Greg Troxel
One of my users got mail that really looks like a phish. They are unaware of having an adobe account. It is DKIM signed, but looks a bit spammy in terms of the content (low-quality HTML markup, missing text/plain content). Is anyone else seeing this? Opinions on if it's real, if adobe is

Re: TxRep records unreliably on MySQL

2023-01-09 Thread Greg Troxel
"Matt Anton via users" writes: > Here's what I'm having on the SQL spamassassin db: > > Thanks, much easier! >> 1) txrep seems not 100% baked. I suggest reading the code to see how >> this happened. > > What code are you talking about? The perl source

Re: TxRep records unreliably on MySQL

2023-01-09 Thread Greg Troxel
"Matt Anton via users" writes: > After an upgrade to SA-4.0.0 I decided to give TxRep a try after using > AWL since it was introduced. > I set up TxRep according to SA’s documentation with a mysql-5.7.40 > server, give it a first try by sending an email to the box where SA is > running and

Re: Espoofer - An Email Spoofing Testing Tool That Aims To Bypass SPF/DKIM/DMARC And Forge DKIM Signatures

2022-12-28 Thread Greg Troxel
It would be great if someone(tm) went through the blackhat pdf and wrote rules for all the evasions, and fixed the MTAs etc.

Re: Whitelist or add negative values for score

2022-12-21 Thread Greg Troxel
The other thing that should be done for j...@company.com is that company.com should sign their mail with DKIM, and then you can welcomelist_from_dkim *@company.com I find that many companies I deal with that produce semi-spammy mail (most big companies :-) have DKIM signatures and I can

Re: [ANNOUNCE] Apache SpamAssassin 4.0.0 available

2022-12-19 Thread Greg Troxel
Benny Pedersen writes: > Kenneth Porter wrote on 2022-12-20 04:59: >> RPM status for Red Hat distros: >> >> https://bugzilla.redhat.com/show_bug.cgi?id=2154501 >> >> https://bodhi.fedoraproject.org/updates/FEDORA-2022-e341ba52a1 >> >>

Re: Whitelist or add negative values for score

2022-12-19 Thread Greg Troxel
Joey J writes: > I'm trying to see if there is a "best way" to provide negative scoring for > a certain person's email. That's easy. There are many ways, but no best way. > As an example if j...@company.com is communicating with paypal or other real > banking institutions, then at times

Re: New Release Candidate 4.0.0-rc4 Testers Needed

2022-12-15 Thread Greg Troxel
On 12/14/22 10:51 AM, Kevin A. McGrail wrote: Excellent news!  Please let us know more about the WL/BL changes and open a bugzilla bug. My other post about this has the info, but I just wrote a bug entry that is probably more succinct and coherent now that I understand better.

Re: New Release Candidate 4.0.0-rc4 Testers Needed

2022-12-14 Thread Greg Troxel
"Kevin A. McGrail" writes: >> I am finding that short-circuiting seems not to be working, but this is >> not new and I am not 100% clueful about it. However in trying to figure >> things out I am running into things I do not understand and think that >> at least a bit more doc clarity would

Re: New Release Candidate 4.0.0-rc4 Testers Needed

2022-12-14 Thread Greg Troxel
Greg Troxel writes: > The wiki page in the release notes says: > > In SpamAssassin version 4.0.0 all rules, functions, command line > options and modules that contain "whitelist" or "blacklist" have > been renamed to contain "welcomelist"

Re: New Release Candidate 4.0.0-rc4 Testers Needed

2022-12-13 Thread Greg Troxel
I am finding that short-circuiting seems not to be working, but this is not new and I am not 100% clueful about it. However in trying to figure things out I am running into things I do not understand and think that at least a bit more doc clarity would help. I have a fairly normal installation,

Re: New Release Candidate 4.0.0-rc4 Testers Needed

2022-12-11 Thread Greg Troxel
"Kevin A. McGrail" writes: > I have it in production. Thanks - I just reinstalled, re-ran sa-update for base and KAM rules, and so far it's looking good modulo a few nits: UPGRADE says: - All rules, functions, command line options and modules that contain "whitelist" or "blacklist"

Re: New Release Candidate 4.0.0-rc4 Testers Needed

2022-12-11 Thread Greg Troxel
Sidney Markowitz writes: > I know a number of you have been looking at the release candidates for > the 4.0.0 release and have been helpful in finding issues with them. > > We have just announced a new release candidate 4 that looks very close > to ready for the full 4.0.0 release. > > We could

Re: Mial hits MISSING rules despite presence of headers

2022-12-04 Thread Greg Troxel
"Kevin A. McGrail" writes: > #2 Work on the code so that short circuiting or at least the scoring > behaves as with 3.4.6. As penance for ranting I went back and re-read everything more carefully, but feel free to ignore me if I am being unhelpful. I don't think a -2 shortcircuit rule makes

Re: Mial hits MISSING rules despite presence of headers

2022-12-04 Thread Greg Troxel
Bill Cole writes: > On 2022-12-04 at 09:57:09 UTC-0500 (Sun, 04 Dec 2022 09:57:09 -0500) > Greg Troxel > is rumored to have said: > >> Putting on my CS pedant hat, I guess the big question is if there is a >> violation of a previously published specification.

Re: Mial hits MISSING rules despite presence of headers

2022-12-04 Thread Greg Troxel
"Kevin A. McGrail" writes: > I think that will have to go to discussion since if the rules don't short > circuit the way they used to, other rules outside of the ones we control > are going to act oddly. The one that was reported was with validity for > example. > > What happens if I have a

Re: spamassassin sometimes suddenly ends scanning

2022-11-29 Thread Greg Troxel
Henrik K writes: >> I see occasional coredumps (as in perl.core). It is often enough to be >> annoying (beyond worrisome that it happens at all), but not reproducible >> and no apparent pattern. > > Try memtester/memtest86, at least if it's not a proper server with ECC > memory.. I am pretty

Re: spamassassin sometimes suddenly ends scanning

2022-11-29 Thread Greg Troxel
Wolfgang Breyha writes: > It doesn't finish any other rules and doesn't display final results at all. > > And then I start it simply again and everything is fine. > > Has anybody else seen this odd behavior? I see occasional coredumps (as in perl.core). It is often enough to be annoying

Re: spam subject marking

2022-11-16 Thread Greg Troxel
Greg Troxel writes: > I did just get a bounce message in reply to a message I sent here, > complaining that my message failed DKIM (maybe the list munged it) and > SPF (ok; the list is not in general authorized to send mail from my > domain) and therefore was being reject

Re: spam subject marking

2022-11-16 Thread Greg Troxel
"Grant Taylor via users" writes: > On 11/15/22 1:16 PM, Marc wrote: >> Hmmm, good point, not really thought about this even. Are email >> clients complaining about this? > > Few email clients are testing DKIM. Some servers are testing > DKIM. Some systems are mis-treating DKIM failure as

Re: PBL and rejects

2022-11-14 Thread Greg Troxel
Alex writes: > I'm hoping I can ask this question here. Somehow the PBL considered the IP > addresses given to us by our ISP (I can share this if needed) as ineligible > to send email, resulting in any recipient domain that checks the PBL to > reject our email, AIUI, PBL is supposed to be for

Re: Gmail confidential mode

2022-10-16 Thread Greg Troxel
Alex writes: > What do you know about "Gmail confidential mode" emails? I'm starting to > see a few of these come in to users now, and not sure how to treat them. > They are sent through gmail, but require a one-time passcode sent to the > recipient, Did you actually look at them? What do

Re: More Sendgrid trouble?

2022-09-29 Thread Greg Troxel
Kris Deugau writes: > The Bayes result is not great, but the USER_IN_DEF_*_WL hits between > them account for most of that negative score anyway. With dkim-signed spam, I think the only two paths forward are: - hope they fix their apparently compromised system - take them out the default

Re: More Sendgrid trouble?

2022-09-28 Thread Greg Troxel
Kris Deugau writes: > Is anyone else seeing intermittent FNs on mail sent through Sendgrid > where the nominal sender has a default welcomelist_* entry? > > Today's spample is a Mcafee scam email, pretty clearly sent through > Intuit's Sendgrid account based on the rDNS. On testing in my

Re: subscribe to blacklist for domains

2022-08-15 Thread Greg Troxel
Vincent Lefevre writes: > On 2022-08-13 14:05:43 -0400, joe a wrote: >> On 8/13/2022 12:38 PM, Martin Gregorie wrote: >> . . . >> > 2) There's no mandatory need to REJECT spam. It has always been up to >> > the recipient to decide whether to return it to the sender or not. >> >> Agreed in

Re: Understanding FORGED_GMAIL_RCVD and other rules

2022-06-22 Thread Greg Troxel
Nikolaos Milas writes: > I am trying to understand what is wrong with these mails and they > trigger the "FORGED_GMAIL_RCVD" rule. What is wrong with them is that they have a From: of gmail and do not have a gmail DKIM signature. They are in fact forged -- even if the user that owns the

Re: IPv6 issue

2022-05-06 Thread Greg Troxel
I agree with what Grant said. Also, I wonder how much greylisting would help, and if you were already doing that. The data I posted is for a machine that already does greylisting in general, with varying times depending on inclusion in various RBLs and local data. I find that delaying

Re: IPv6 issue

2022-05-06 Thread Greg Troxel
Ted Mittelstaedt writes: > For unrelated reasons I had to turn off IPv6 on my incoming mailserver. > > Spam plummeted. Like by 80% at least. Both uncaught and caught spam did. > > When IPv6 was on, the mailserver had all PTR and MX records to > allow it to receive incoming mail via

Re: Microsoft to block Office VBA macros by default

2022-03-15 Thread Greg Troxel
Alex writes: > I'm just curious if this announcement has changed anyone's thinking > about how we should be handling docx/xlsx/etc attachments in email? > This obviously doesn't prevent someone from emailing a document with a > malicious macro, but is this going to provide sufficient protection

Re: how sendgrid is abusing the ukraine crisis (or they are still to dumb to filter for spam)

2022-03-04 Thread Greg Troxel
Bill Cole writes: > On 2022-03-04 at 09:18:08 UTC-0500 (Fri, 04 Mar 2022 09:18:08 -0500) > Greg Troxel > is rumored to have said: > >> Greg Troxel writes: >> >>> With stock scores, sendgrid gets >>> >>> 2.1 URIBL_GREY

Re: how sendgrid is abusing the ukraine crisis (or they are still to dumb to filter for spam)

2022-03-04 Thread Greg Troxel
Greg Troxel writes: > With stock scores, sendgrid gets > > 2.1 URIBL_GREY Contains an URL listed in the URIBL greylist > [URIs: sendgrid.net] > 1.5 KAM_SENDGRID Sendgrid being exploited by scammers > > and I find 3.6 a bi

Re: how sendgrid is abusing the ukraine crisis (or they are still to dumb to filter for spam)

2022-03-04 Thread Greg Troxel
CC: trimmed as my message is not an abuse report. You asked about outright blocking, but you didn't ask if people thought that was wise. I received a piece of ham today, and the received line added by my MTA is: Received: from o1678989x80.outbound-mail.sendgrid.net

false hits on FORM_FM

2022-02-27 Thread Greg Troxel
This morning I found a lot of ham in my maybe-spam inboxes (1-4 points). I found that this rule was hitting: * 4.0 FROM_FMBLA_NEWDOM From domain was registered in last 7 days and the common pattern in the messages was that the From: addresses were all @gmail.com. All of the messages

Re: OT - Hotmail/Outlook.com marking most of our email as Junk

2022-02-19 Thread Greg Troxel
Cian ApacheBugzilla writes: >> However, the shared IP comment is worth paying attention to > > Ah, so you think I should get a dedicated IP? I had read mixed things I meant that you should understand what's going on. > I'm a little confused which way you mean this. If I understand >

Re: OT - Hotmail/Outlook.com marking most of our email as Junk

2022-02-18 Thread Greg Troxel
Your mail is in html. That will get it some points; I suggest text/plain :-) Many will say I'm just being a curmudgeon about this. Attempting to recover content and continuing: Cian writes: > I am also having a world of trouble getting my emails to Outlook > users. For reference, my

Re: False "bad domain" positive

2022-02-16 Thread Greg Troxel
Alan writes: > I've got someone who posted text from MS Office into an email (wish I > could ban that). The text contained a numbered list. The fourth list > item started with "Date & Time". The 4 and following period were in a > span element with a margin to separate it from the text but no

Re: Add header, not beginning with X?

2022-02-14 Thread Greg Troxel
"joea- lists" writes: > Nutshell: I want to add "Reply-to: (some address)" to messages without same. Please do explain why. It sounds like a clear standards violation because Reply-To may only be set by the sender. > While it seems feasible to do this in postfix, I wanted to explore >

Re: CONTENT_AFTER_HTML: better not discuss formatting!!

2022-02-08 Thread Greg Troxel
John Hardin writes: > On Mon, 7 Feb 2022, Greg Troxel wrote: > >> and then I got a reply back with the content he was trying to send etc. >> But, it had: >> >> * 2.5 CONTENT_AFTER_HTML More content after HTML close tag >> >> but one was onl

CONTENT_AFTER_HTML: better not discuss formatting!!

2022-02-07 Thread Greg Troxel
(Instances of html have been changed to htnl in this message to avoid tripping the rule I'm talking about.) A legit message arrived at my server, for me and another user, and it scored 8 for them and I think about 11 for me. This is really unusual. The big issues were: Sent by sendgrid:

Re: getting spamass-milter to work with remote spamd (on CentOS8)

2022-02-06 Thread Greg Troxel
Marc writes: >> On 06.02.22 14:02, Marc wrote: >> >Thanks! Got it to work with this: >> >EXTRA_FLAGS=" -D xx.xxx.xxx -- -p 34219" >> >> the man page for spamass-milter says: >> >> -D host >> Connects to a remote spamd server on host, instead of using >> one >>

Re: Hits on item with " No description available"

2022-01-20 Thread Greg Troxel
I followed my own advice about egrep -R and found this immediately it's in 3.004006/updates_spamassassin_org/72_active.cf and it is ##{ FSL_HELO_NON_FQDN_1 header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i ##} FSL_HELO_NON_FQDN_1 with score score

Re: Hits on item with " No description available"

2022-01-20 Thread Greg Troxel
"Joe Acquisto-j4" writes: > Where can I get some idea of what the rule below actually checks for? I > noticed some normally passed email was flagged as SPAM. > > Started seeing it sometime after making some configuration changes to local > settings on postfix, attempting to isolate a

Re: Txrep, add-addr-to-whitelist

2021-12-16 Thread Greg Troxel
Hey Peter: Your mailserver appears to be a bit aggressive and is blocking mail from people on the list who are replying to you: : host acemail1.ace.net.au[150.101.236.36] said: 553 5.3.0 Rejected 71.19.148.97 by clients-b.blocked.rbl (in reply to MAIL FROM command)

Re: Txrep, add-addr-to-whitelist

2021-12-16 Thread Greg Troxel
"Peter" writes: > New to TXrep, the manual says the add-addr-to-whitelist command should add > -100, but for me it doesn't do anything - nor does add-addr-to-blacklist. > > It comes back with SpamAssassin TxRep: 1 with either the white or > blacklist. > > While the server is new, I want to be

Re: SPF_NONE scoring

2021-11-30 Thread Greg Troxel
Philip Prindeville writes: > I'm looking at the 0.001 scoring for SPF_NONE and scratching my head. This > was discussed a bit in early 2015, but maybe it needs revisiting with new > perspective. > > Surely no one who cares about maintaining their reputation by > protecting themselves against

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-15 Thread Greg Troxel
Philip Prindeville writes: >> That looks very familiar. I was having timeouts, and saw that in the >> logs, on certain messages. I ended up nuking and rebuilding my TXREP >> database and then things were ok. >> >> That doesn't explain why we can't find the rule, which is a good >> question.

Re: Seeing "check: exceeded time limit in ..." and need to resolve it

2021-11-15 Thread Greg Troxel
Philip Prindeville writes: > Ah, the rule _eval_tests_type11_pri0_set1() took 4:20. > > Why can't I even find the rule? That looks very familiar. I was having timeouts, and saw that in the logs, on certain messages. I ended up nuking and rebuilding my TXREP database and then things were ok.

Re: Fw: spam from gmail.com

2021-11-12 Thread Greg Troxel
Arne Jensen writes: > On 11-11-2021 at 20:21, Greg Troxel wrote: >> It's a really interesting question what DNSWL_MED ought to be for score. >> Given what MED is supposed to be: >> >>MediumRare spam occurrences, corrected promptly. >> >>

Re: Fw: spam from gmail.com

2021-11-12 Thread Greg Troxel
Arne Jensen writes: > On 12-11-2021 at 00:43, Loren Wilton wrote: >> I have to admit I'd never paid much attention to the RCVD_IN_DNSWL_* >> scores on spam before. > [...] >> Looking at spam for last month, [...] >> >> But I do have 12 pretty blatant spams that hit RCVD_IN_DNSWL_HI. >> It

Re: Fw: spam from gmail.com

2021-11-11 Thread Greg Troxel
Philipp Ewald writes: > You can report it. Gmail is on DNSWL > > @gmail.com> > RCVD_IN_DNSWL_MED=-2.3 > > https://www.dnswl.org/?page_id=17 I tried to find gmail being on DNSWL_MED and I haven't been able to. There are google.com servers on DNSWL_NONE. Can someone explain what addresses are

Re: spam from gmail.com

2021-11-11 Thread Greg Troxel
Bill Cole writes: >> I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which >> sort of nulls that out. > > Also: the DNSWL rules in the default ruleset are mis-scored, based > apparently on a Perceptron run early in the history of SA and DNSWL. I > don't know exactly how to fix

Re: Fw: spam from gmail.com

2021-11-11 Thread Greg Troxel
Matus UHLAR - fantomas writes: >>>It would be really nice if there were an easy way to exclude a domain >>>from whitelist checks. > > On 11.11.21 17:24, Benny Pedersen wrote: >>add >> >>freemail_whitelist gmail.com >> >>to local.cf >> >> its not a whitelist, more a skip gmail.com as a freemail

Re: Fw: spam from gmail.com

2021-11-11 Thread Greg Troxel
Philipp Ewald writes: > You can report it. Gmail is on DNSWL > > @gmail.com> > RCVD_IN_DNSWL_MED=-2.3 > > https://www.dnswl.org/?page_id=17 > > As far as i know DNSWL is used by default I've ended up giving a point each to FREEMAIL_FROM and TO_GMAIL, which sort of nulls that out. It would be

Re: timeouts on processing some messages, started October 24

2021-11-04 Thread Greg Troxel
I have captured a bad message. It seems innocuous; it's from me at a host in my domain, to me, basically From: g...@foo.lexort.com To: g...@lexort.com and has a body "foo", no DKIM headers, just Received, Subject, Message-Id. Processing this with my normal config results in the timeout. I

Re: timeouts on processing some messages, started October 24

2021-11-03 Thread Greg Troxel
Bill Cole writes: > It would generally be a bad idea to increase the Postfix timeout, as > that passes the problem back upstream as senders will generally time > out at 300s as well. > > So, add '--timeout-child=295' to your spamd arguments if you want to > make spamd timeout faster than

Re: timeouts on processing some messages, started October 24

2021-11-02 Thread Greg Troxel
> postfix is waiting 300s > SA thinks it can spend 300s processing > postfix gives up 1s before SA is done The default spamd child timeout is 300s. The default postfix content milter timeout is 300s. Each is a reasonable choice, but really postfix's timeout should be longer. I set in

timeouts on processing some messages, started October 24

2021-11-02 Thread Greg Troxel
I have a system with postfix and spamassassin 3.4.6 via spamd. It's been generally running well. I noticed mail from one of my other systems timing out and 471, and that caused me to look at the logs. I have KAM rules, some RBL adjustments, a bunch of local rules for my spam, but really

Re: handle_user and connect to spamd failed

2021-10-18 Thread Greg Troxel
Linkcheck writes: >> instruct spamd to connect to 127.0.0.1 > > Sorry, I'm not sure where to do that. I've tried as noted in the OP; I > can't find anywhere else (remembering I've dropped spamfilter.sh). I'm fuzzy on the details but hope this helps. What's going on is basically spamd

Re: CVD_IN_DNSWL_HI ?

2021-10-12 Thread Greg Troxel
David B Funk writes: > The other thing you should do is to report false-positives to the > dnswl.org site. > See: https://www.dnswl.org/?page_id=17 That's great advice. I have found over the years that DNSWL is well run, and I'm confident that if a listed machine is emitting spam and it's

Re: Message-ID with IPv6 domain-literal

2021-09-21 Thread Greg Troxel
Grant Taylor writes: > On 9/21/21 2:00 PM, Greg Troxel wrote: >> You are missing that SA is not a standards conformance test suite. It >> is a tool to guess if a message is spam. Bill said that some forms of >> Message-ID are correlated with spamminess.

Re: Message-ID with IPv6 domain-literal

2021-09-21 Thread Greg Troxel
Grant Taylor writes: > What am I missing? You are missing that SA is not a standards conformance test suite. It is a tool to guess if a message is spam. Bill said that some forms of Message-ID are correlated with spamminess. So whether the form that is correlated is compliant to the spec

Re: TLD rules catch non-domain data

2021-08-20 Thread Greg Troxel
Kenneth Porter writes: >> *  5.0 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, >> *  .guru, .casa, .online, .cam, .shop, .club & .date TLD >> Abuse > > The KAM rule was just recently fixed. If you have an example that's > still tripping it, post it to a pastebin and

Re: Score for certain spam

2021-08-18 Thread Greg Troxel
Alan writes: > It's sent to the bit bucket, not done in the MTA. In this case, each > account can set individual thresholds and has an individual set of > local rules, so that might be why. I'd prefer to 550 them as well, > although I suspect the majority of sources just don't care. Lately the

Re: Score for certain spam

2021-08-17 Thread Greg Troxel
Alan writes: > I manage email for a couple of hundred domains, so a fair bit of stuff > that arrives to my inbox are spam complaints (they're supposed to open > tickets or use the support mailbox but... users). I flag anything over > 5.0 as spam, but it still comes to my inbox. Anything over

Re: Score for certain spam

2021-08-17 Thread Greg Troxel
David Bürgin writes: [all the other replies sound 100% sensible to me] > In your experience, what is a good ‘certain spam’ threshold? By that I > mean the score above which messages are virtually always spam, no false > positives. There is no certainty; there is only probability. So you

Re: Question about whitelisting of naadac.org

2021-08-12 Thread Greg Troxel
Lukasz Maik writes: [not sure what the relationship of ricoh-europe is to a US .org is] > Sure, please find full tests results here: > https://www.mail-tester.com/test-bw02eaxrt > > We've lost a point for not having DKIM/DMARC authentication, which is > unfortunately not supported by our

Re: DKIM_* scores

2021-07-26 Thread Greg Troxel
Matus UHLAR - fantomas writes: > I noticed that pure existence of DKIM signature can push score under zero: > > DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, > > ...so the cumulative score is -0.2. > > I'm aware that we don't have many rules with negative scores, but

Re: Another evil number

2021-06-25 Thread Greg Troxel
RW writes: >> You can reach out >>to our Customer Support Team+1 (800) 781 - 2511. > > Is it common in the US to put 800 in brackets like that? In my > experience brackets normally go around either country codes or area > codes, digits that may be optional. Yes, it is common. The proper form

Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others

2021-05-28 Thread Greg Troxel
John Hardin writes: > On Thu, 27 May 2021, Greg Troxel wrote: > >> The other problem on a small number of messages was >> RCVD_DOTEDU_SHORT. I realize this must have passed masscheck, but >> getting a message of 1-1.5 kB from an address in .edu is to me not at >>

Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others

2021-05-28 Thread Greg Troxel
"Bill Cole" writes: > That rule does not now exist in trunk and IT NEVER HAS, according to the > Subversion history. > > It is not in the current KAM channel rules and I see no evidence in my logs > of any such rule ever hitting within the past 3 months. Totally my fault. I added it to

Recent experience with RCVD_IN_SORBS_NR_SPAM and others

2021-05-27 Thread Greg Troxel
I lost track of checking my spam folders recently for almost a week (I filter to a maybe-spam folder on scores that are lower than what doctrine says, splitting into really-ham, iffy, and really-spam -- it was the iffy I didn't look at). On checking, I refiled a bunch of ham that had from 2 to 6

Re: txrep_autolearn range - how does the range influence autolearning

2021-05-16 Thread Greg Troxel
Lucas Rolff writes: > Thanks for the notes about sa-learn, txrep outgoing and the autolearn itself. > In my particular case, I'll only use it as an inbound filter, since I > handle outbound very differently (I let other people take care of the > filtering using an external relay); For inbound

Re: txrep_autolearn range - how does the range influence autolearning

2021-05-16 Thread Greg Troxel
Lucas Rolff writes: > I’m currently configuring a new setup for passing through all emails, > and I opted for SA as my filtering – one thing I also configured are > txrep ( https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TxRep > ) > > One thing I saw in the docs is that
