On Thursday 19 October 2006 20:34, Jo Rhett took the opportunity to say:
Mark wrote:
-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: donderdag 19 oktober 2006 9:56
To: Mark
Cc: users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
Matt Kettler wrote:
Yeah, it's a shame that amavis is broken out of the box.
You're still on this amavis kick. This has nothing to do with amavis.
I'm saying that when I read the code, it won't work on a normal system
NO MATTER WHAT CONFIG. Period. It can't work properly, except perhaps
Mark wrote:
We cannot really say SA's autodetection is broken, because SA is designed
to be called post-SMTP. Nor that a milter is broken per se for not adding
a Received: header, as that is the responsibility of the MTA itself. But a
milter using SA *can* be said to be broken if it's not
Chris Lear wrote:
It seems that Jo wants autodetection to:
1) comply with the documentation
2) just work for most people
3) be easily fixable in other cases
Yes.
This, it seems to me, is exactly what it does.
Show me it working properly on a out-of-the-box rpm/ports config on a
direct
Kevin Golding wrote:
FWIW I've run SpamAssassin on a bog-standard, normal, plain, old-
fashioned FreeBSD box sitting in a rack with a public IP, no NAT, no
patches, and no pixies or faeries. Auto-detection worked fine.
Just for my reference Worked fine meaning it never demonstrated a
problem
Matt Kettler wrote:
Jo Rhett wrote:
I'd love to, but the SA project didn't write the milter you're using,
and the problems you're having can't be fixed by having SpamAssassin
detect the problem without doing something even dumber to someone
else.
Sure it can! It's dead simple to determine
John Andersen wrote:
On Thursday 19 October 2006 00:00, Jo Rhett wrote:
This, it seems to me, is exactly what it does.
Show me it working properly on a out-of-the-box rpm/ports config on a
direct connect, no NAT system. (ie most people)
Amavis worked for me that way when I installed Suse
* Jo Rhett wrote (19/10/06 08:55):
Mark wrote:
We cannot really say SA's autodetection is broken, because SA is designed
to be called post-SMTP. Nor that a milter is broken per se for not adding
a Received: header, as that is the responsibility of the MTA itself. But a
milter using SA *can* be
Someone, quite probably Jo Rhett, once wrote:
Kevin Golding wrote:
FWIW I've run SpamAssassin on a bog-standard, normal, plain, old-
fashioned FreeBSD box sitting in a rack with a public IP, no NAT, no
patches, and no pixies or faeries. Auto-detection worked fine.
Just for my reference Worked
On Thursday 19 October 2006 09:55, Jo Rhett took the opportunity to say:
Mark wrote:
We cannot really say SA's autodetection is broken, because SA is designed
to be called post-SMTP. Nor that a milter is broken per se for not adding
a Received: header, as that is the responsibility of the
-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: donderdag 19 oktober 2006 9:56
To: Mark
Cc: users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
Perhaps SA being focused on post-SMTP is the problem here. Why is
this the focus
Jo Rhett wrote:
Autodetection should work out of the box for out of the box
installs. Custom installations, and most especially people creating
appliances out of this, are managed by Experts who have a clue.
If you are using a milter that calls SA, you are in effect using a custom
Kevin Golding wrote:
Anyway, not conclusive but a fair range of traffic and no visible
problems. I'm just rambling to avoid real work if I'm honest. The
answer you're looking for is no, I didn't do extensive and deliberate
testing. I say auto-detection works fine based just on general testing
Magnus Holmgren wrote:
On Thursday 19 October 2006 09:55, Jo Rhett took the opportunity to say:
Mark wrote:
We cannot really say SA's autodetection is broken, because SA is designed
to be called post-SMTP. Nor that a milter is broken per se for not adding
a Received: header, as that is the
Mark wrote:
-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: donderdag 19 oktober 2006 9:56
To: Mark
Cc: users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
Perhaps SA being focused on post-SMTP is the problem here. Why is
this the focus
Jo Rhett wrote:
Autodetection should work out of the box for out of the box
installs. Custom installations, and most especially people creating
appliances out of this, are managed by Experts who have a clue.
Jonas Eckerman wrote:
If you are using a milter that calls SA, you are in effect
-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: donderdag 19 oktober 2006 20:36
To: Mark
Cc: users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
I reckon the focus of SA on post-SMTP is due to the fact that it
operates, by nature
Jo Rhett wrote:
... it operates, by nature, post DATA phase.
Huh? It operates when I ask it to.
While that's certainly true, if you've configured SA to scan *before*
the DATA phase, I'd be curious to see how well it's working for you.
That said, Mark seems to be missing that milters don't
-Original Message-
From: Coffey, Neal [mailto:[EMAIL PROTECTED]
Sent: donderdag 19 oktober 2006 21:03
To: users@spamassassin.apache.org
Subject: RE: ALL_TRUSTED creating a problem
That said, Mark seems to be missing that milters don't have to run
pre-DATA to be beneficial
Mark wrote:
Exactly what I said: SA works on examining a message (headers + body);
that makes it, per definition, a post-DATA phase operation.
Ah, gotcha. But not post SMTP :-)
Not post-SMTP per se, but post-DATA phase. And since the end of the DATA
completes the SMTP dialogue, you might as
Coffey, Neal wrote:
Jo Rhett wrote:
... it operates, by nature, post DATA phase.
Huh? It operates when I ask it to.
While that's certainly true, if you've configured SA to scan *before*
the DATA phase, I'd be curious to see how well it's working for you.
*giggle* yes :-) Sorry.
That
Mark wrote:
Mark is well aware of the benefits of milters. ;) In fact, I run clamav
too. But clamav isn't SA. And I was arguing the case that, since SA needs
to be done post-DATA, there's really not a whole lot of advantage you gain
from bringing it to a milter (where you then have to emulate a
Mark wrote:
Mark is well aware of the benefits of milters. ;) In fact, I run
clamav too. But clamav isn't SA.
No, but it needs the message body just like SA does, and it serves a
similar purpose in my mind: detecting email you don't really want to
receive, based on the contents of the message.
But I specifically mentioned RBL checks. Those can take a while.
Things
like Razor2, Pyzor, and dcc checks can take a good while, too. I have
Razor2 and Pyzor timeouts set to 30 seconds. And sometimes they really
need that, too.
I have all of those, all of the default RBLS and 12 RBLs
Richard Frovarp wrote:
This is partially a function of scale. Machines that handle large
numbers of messages probably don't want to hold the SMTP connection open
while the scanning takes place, even if scan time is 9 seconds. Of
course these users are possibly using a different system other
Jo Rhett wrote:
Richard Frovarp wrote:
This is partially a function of scale. Machines that handle large
numbers of messages probably don't want to hold the SMTP connection
open while the scanning takes place, even if scan time is 9 seconds.
Of course these users are possibly using a
Respectable enough, but I'm not sure why you bother having that big of
an array with that small of a mail load. I've got single machines
handling loads several times larger, all doing Clamd, a commercial
scanner, SA and more on milter during the connection time, and there are
no SMTP timeouts
Okay, out of curiosity about how many messages do these single machines
handle in an average day? 500,000/machine/day? 800,000/machine/day?
1,000,000/machine/day?
Jo Rhett wrote:
Respectable enough, but I'm not sure why you bother having that big of
an array with that small of a mail load.
1.2 - 2.7mil per day varying. Sometimes as high as 5mil during spam
floods. Modern AMD dualcore processor, 4gb of ram. Nothing special.
Richard Frovarp wrote:
Okay, out of curiosity about how many messages do these single machines
handle in an average day? 500,000/machine/day?
Matt, I'm tired and my day ended badly yesterday and started badly
today and I'm in danger of being way too bitchy (probably way past
that point already) so I'm going to keep it simple and sweet.
1. Assuming that the Received headers are sane ... isn't.
2. Decrementing the spam score is not
Jo Rhett wrote:
Daryl, this part of the conversation is academic at best. Amavisd
milter has been patched and is providing the proper received headers,
and network autodetection is still broken.
Really, that seems quite odd. I myself have never had it fail for that
case before when all the IPs
Jo Rhett wrote:
Matt, I'm tired and my day ended badly yesterday and started badly
today and I'm in danger of being way too bitchy (probably way past
that point already) so I'm going to keep it simple and sweet.
Fair enough. I hope my own short-worded nature hasn't come across too
harshly. (A
Matt Kettler wrote:
It's *really* common to separate spamd from the MTA for anyone that's
got any decent volume of mail. And that's not a few sites.
And I guess that I'm saying
1. People installing from RPMs and/or Ports (or Portage, etc) expect
things to work out of the box. Having it be
In article [EMAIL PROTECTED], Jo
Rhett [EMAIL PROTECTED] writes
These arguments are getting sillier and sillier. I'm asking why it
doesn't work in a plain-jane do-nothing normal public box not behind
a NAT. And every argument so far has been some strange configuration
that is very
Kevin Golding wrote:
In article [EMAIL PROTECTED], Jo
Rhett [EMAIL PROTECTED] writes
These arguments are getting sillier and sillier. I'm asking why it
doesn't work in a plain-jane do-nothing normal public box not behind
a NAT. And every argument so far has been some strange configuration
Anthony Peacock wrote:
Kevin Golding wrote:
In article [EMAIL PROTECTED], Jo
Rhett [EMAIL PROTECTED] writes
These arguments are getting sillier and sillier. I'm asking why it
doesn't work in a plain-jane do-nothing normal public box not behind
a NAT. And every argument so far has been
-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: woensdag 18 oktober 2006 8:54
To: Jo Rhett
Cc: users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
True.. and writing a milter should be an expert task. I'm sorry the
milter your
Jo Rhett wrote:
I'd love to, but the SA project didn't write the milter you're using,
and the problems you're having can't be fixed by having SpamAssassin
detect the problem without doing something even dumber to someone
else.
Sure it can! It's dead simple to determine that the last
Jo Rhett wrote:
Matt Kettler wrote:
It's *really* common to separate spamd from the MTA for anyone that's
got any decent volume of mail. And that's not a few sites.
And I guess that I'm saying
1. People installing from RPMs and/or Ports (or Portage, etc) expect
things to work out of the
Jo Rhett wrote:
Matt Kettler wrote:
Jo Rhett wrote:
You're still babbling about NAT. I could care less about NAT.
All trusted breaks for EVERYONE, and EVERYONE ends up hardcoding
trusted_networks because auto detection is completely and utterly
broken.
Fine.. We'll ignore
Jo Rhett wrote:
Matt Kettler wrote:
Jo Rhett wrote:
You're still babbling about NAT. I could care less about NAT. All
trusted breaks for EVERYONE, and EVERYONE ends up hardcoding
trusted_networks because auto detection is completely and utterly
broken.
Fine.. We'll ignore NAT. It's not
Matt Kettler wrote:
Matt Kettler wrote:
YOUR network is broken because YOUR network doesn't add Received:
headers before calling SA.. That's not EVERYONE, that's YOU.
Get your tools to add a local Received: header before you call SA, the
auto-detection code will start working.
After all, if
Bowie Bailey wrote:
Unless you specify it in the configuration, SA has no idea what
servers are local for you. In this case, it has to make a guess so it
makes the (fairly reasonable) assumption that the most recent received
header comes from a local MX.
Oh. I get it. We're trusting headers
R Lists06 wrote:
As you more than likely already know
...I would encourage you to do consider several things here as realistically
several federal and local laws are being broken here and others have
... ...
We have dealt with issues like this many times and we take
Jo Rhett wrote:
Matt Kettler wrote:
Matt Kettler wrote:
So perhaps I didn't get the Received header that will be added by this
host.
Yeah, so how did it get to SA? That's the problem. How can SA be
scanning it, if it hasn't reached this host yet?
Does this matter? SA *IS* scanning it,
Jo Rhett wrote:
Bowie Bailey wrote:
Unless you specify it in the configuration, SA has no idea what
servers are local for you. In this case, it has to make a guess so it
makes the (fairly reasonable) assumption that the most recent received
header comes from a local MX.
Oh. I get it. We're
Daryl C. W. O'Shea wrote:
SA knows *nothing* about the connection that isn't in the headers. In
your example in this thread you had two headers, one that was added
after SA saw it, and one that came in as DATA.
You believe the headers entirely? Okay, so auto detection is even more
broken
Jo Rhett wrote:
Oh. I get it. We're trusting headers to be more accurate than
getifaddrs() ? Am I supposed to agree that this makes sense?
Seriously...
Daryl C. W. O'Shea wrote:
Yeah, seriously. Especially when your cluster of 50+ SA machines don't
share the same interface as the other
Yes, I know. I'm actually one of the supertechs you refer to. Er, at
least top of the food chain in that regard :-)
Law enforcement in Santa Clara is excellent, but they have to focus on
the big fish. This is small stuff to them. It's also just small enough
to fall under the radar of
On Tue, 17 Oct 2006, Jo Rhett wrote:
Bowie Bailey wrote:
Unless you specify it in the configuration, SA has no idea what
servers are local for you. In this case, it has to make a guess so it
makes the (fairly reasonable) assumption that the most recent received
header comes from a local
Jo Rhett wrote:
Matt Kettler wrote:
Matt Kettler wrote:
YOUR network is broken because YOUR network doesn't add Received:
headers before calling SA.. That's not EVERYONE, that's YOU.
Get your tools to add a local Received: header before you call SA, the
auto-detection code will start
-Original Message-
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]
Sent: dinsdag 17 oktober 2006 5:37
To: Matt Kettler
Cc: Jo Rhett; Magnus Holmgren; users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
As discovered today, Jo's milter isn't adding
This is the whole point. If the message hasn't been Received: by a local
server, it is by definition not in your network.
By feeding messages to SA without a local Received: header, you are
explicitly telling SA that the message is still in some other network,
not yours. So what's SA
Mark wrote:
-Original Message-
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]
Sent: dinsdag 17 oktober 2006 5:37
To: Matt Kettler
Cc: Jo Rhett; Magnus Holmgren; users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
As discovered today, Jo's milter isn't adding
R Lists06 wrote:
Im a little confused in this thread now... please clarify this...
Does this mean my SA config is not correct if I do not have the ip address
of the SA box which is also the main SMTP box in the local.cf in that
trusted host config line?
*that* trusted host config line? Do
R Lists06 wrote:
Do you put the loopback 127.0.0.1 in your configs?
Yeah.
Jo Rhett wrote:
RIGHT. So why are they Trusted?
On Oct 17, 2006, at 5:59 PM, Matt Kettler wrote:
Because there *HAS* to be a local. If there isn't, then the message
isn't at your server.
This is the whole point. If the message hasn't been Received: by a
local
server, it is by definition
-
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] Sent:
dinsdag 17 oktober 2006 5:37
To: Matt Kettler
Cc: Jo Rhett; Magnus Holmgren; users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
As discovered today, Jo's milter isn't adding the required
received header for his
Jo Rhett wrote:
On Oct 17, 2006, at 5:59 PM, Matt Kettler wrote:
Because there *HAS* to be a local. If there isn't, then the message
isn't at your server.
This is the whole point. If the message hasn't been Received: by a local
server, it is by definition not in your network.
By feeding
Suhas (QualiSpace) wrote:
Hello,
Most of the spam emails are getting through due to ALL_TRUSTED. If
ALL_TRUSTED (is reducing the score) was not there then they might have
caught by SA. What can be the solution on this; I haven’t declared any
trusted networks yet and using the default
On Monday 16 October 2006 13:32, Suhas (QualiSpace) took the opportunity to
say:
Most of the spam emails are getting through due to ALL_TRUSTED. If
ALL_TRUSTED (is reducing the score) was not there then they might have
caught by SA. What can be the solution on this; I haven't declared any
Subject: Re: ALL_TRUSTED creating a problem
On Monday 16 October 2006 13:32, Suhas (QualiSpace) took the opportunity to
say:
Most of the spam emails are getting through due to ALL_TRUSTED. If
ALL_TRUSTED (is reducing the score) was not there then they might have
caught by SA. What can
Magnus Holmgren wrote:
A list search for ALL_TRUSTED would have given you tons of hits. You could
also have gone to the FAQ page and from there to the FixingErrors wiki page,
where you'd find a reference to ALL_TRUSTED.
Magnus, to be fair - the search will tell you that autodetection should
Jo Rhett wrote:
Magnus Holmgren wrote:
A list search for ALL_TRUSTED would have given you tons of hits. You
could also have gone to the FAQ page and from there to the
FixingErrors wiki page, where you'd find a reference to ALL_TRUSTED.
Magnus, to be fair - the search will tell you that
Jo Rhett wrote:
Magnus Holmgren wrote:
A list search for ALL_TRUSTED would have given you tons of hits. You
could also have gone to the FAQ page and from there to the
FixingErrors wiki page, where you'd find a reference to ALL_TRUSTED.
Magnus, to be fair - the search will tell you that
Matt Kettler wrote:
Jo Rhett wrote:
The autodetection is totally broken actually, and needs to be fixed.
I've added a comment to the Wiki to let people know about this.
Erm, Jo.. I assume you're referring to this:
---
''Comment: auto detection appears to be broken in
Daryl C. W. O'Shea wrote:
I've reverted this change. As discovered today, Jo's milter isn't
adding the required received header for his MX before passing the mail
to SA which is what is causing his problem.
Auto-detection works as documented, although I still recommend manual
configuration
Matt Kettler wrote:
Jo Rhett wrote:
The autodetection is totally broken actually, and needs to be fixed.
How do you propose it be fixed?
This has been brought up a few dozen times, and really it boils down to
breaking people with NATed MX servers (as it is now), or breaking people
without
Daryl C. W. O'Shea wrote:
I've reverted this change. As discovered today, Jo's milter isn't
adding the required received header for his MX before passing the mail
to SA which is what is causing his problem.
No, it wasn't. There are *NO* trusted networks in my config. I don't
even trust
Jo Rhett wrote:
Auto detection is completely and utterly broken.
...
Seriously, show me a single site with auto detection enabled that
I just wanted to apologize for my pissy attitude. It wasn't you guys,
and you didn't deserve these responses.
(the rest of this e-mail is off
Jo Rhett wrote:
You're still babbling about NAT. I could care less about NAT. All
trusted breaks for EVERYONE, and EVERYONE ends up hardcoding
trusted_networks because auto detection is completely and utterly broken.
Fine.. We'll ignore NAT. It's not your problem, I get it.
YOUR network
Matt Kettler wrote:
Jo Rhett wrote:
You're still babbling about NAT. I could care less about NAT. All
trusted breaks for EVERYONE, and EVERYONE ends up hardcoding
trusted_networks because auto detection is completely and utterly broken.
Fine.. We'll ignore NAT. It's not your problem, I get
72 matches
Mail list logo
