R: R: R: R: Relay Checker Plugin (code review please?)
Most of these static customers are legitimate business networks running their own mail server, and have neither the need nor desire to relay their mail through Comcast's SMTP servers. I think your general idea is very good, but you're reaching a little too far with this one.
'No need nor desire', that's not really any good excuse. Use a relay or find your mail rejected, I'd say.
He doesn't need any excuse. From his point of view (and from mine too), you would need it. There is no RFC stating that mail not conforming to your requirements has to be dropped. I well understand adding reasonable penalty scores to them, not stopping them at once. However, the customer is yours. So...
---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
NEVER send an e-mail to: [EMAIL PROTECTED]
-- Andreas
disable meta rules
Hi All,
I want to disable all tests but bayes to do some benchmark of bayes classify. So I changed all rules' score to 0. It seems that it's correct. But I saw some lines like this:
[18176] info: rules: meta test RCVD_DOUBLE_IP_LOOSE has dependency 'RCVD_DOUBLE_IP_SPAM' with a zero score
[18176] info: rules: meta test DIGEST_MULTIPLE has dependency 'RAZOR2_CHECK' with a zero score
[18176] info: rules: meta test DIGEST_MULTIPLE has dependency 'DCC_CHECK' with a zero score
[18176] info: rules: meta test DIGEST_MULTIPLE has dependency 'PYZOR_CHECK' with a zero score
[18176] info: rules: meta test DRUGS_MANYKINDS has dependency 'DRUGS_ERECTILE' with a zero score
[18176] info: rules: meta test DRUGS_MANYKINDS has dependency 'DRUGS_DIET' with a zero score
[18176] info: rules: meta test DRUGS_MANYKINDS has dependency 'DRUGS_PAIN' with a zero score
[18176] info: rules: meta test DRUGS_MANYKINDS has dependency 'DRUGS_SLEEP' with a zero score
[18176] info: rules: meta test DRUGS_MANYKINDS has dependency 'DRUGS_MUSCLE' with a zero score
[18176] info: rules: meta test DRUGS_MANYKINDS has dependency 'DRUGS_ANXIETY' with a zero score
..
Scores of these meta rules are 0, too. But it seems that these meta tests were still available. Is it right?
-- Xueron Nee [EMAIL PROTECTED]
Text::Wrap warn
Hi,
When I run spamassassin, there is always a warning message about Text::Wrap:
[18288] warn: (?:(?=[\s,]))* matches null string many times in regex; marked by -- HERE in m/\G(?:(?=[\s,]))* -- HERE \Z/ at /usr/lib/perl5/5.8.5/Text/Wrap.pm line 46.
I remember that this occurred when I upgraded spamassassin from 3.1.5 to 3.1.7 too.
system: redhat as 4 update 3
perl: 5.8.5
spamassassin: 3.1.7
What's the matter?
-- Xueron Nee [EMAIL PROTECTED]
Domain Keys
Hi, When I send a mail from my local office ID to yahoo it is bouncing back with "Greeting failed". Is this due to domain key verification? regards
Re: TVD tests?
On Thu, 02 Nov 2006 10:28:18 +, [EMAIL PROTECTED] (Justin Mason) wrote:
Nigel Frankcom writes:
On Thu, 2 Nov 2006 01:47:31 -0500, Dylan Bouterse [EMAIL PROTECTED] wrote:
In the 80_additional.cf file I have a list of TVD* rules that are not explained on the http://spamassassin.apache.org/tests_3_1_x.html page (I'm running SA 3.1.7 and up to date with sa-update). Are these new rules added to SA? Most of the scores rank pretty high and I'm seeing them pop up in FPs more and more.
Dylan
I think the TVD rules are to do with gif spams. If your users use Outlook and stationery then FPs can be high unless you balance the scores with whitelisting and/or don't scan local users.
also, if you've got some definitely-nonspam samples you can share that FP on those rules, I'd be keen to get them so we can avoid FPs in future.
--j.
Personally I've had no problems with them, internal mail bypasses SA anyway and the TVD tagged mail I do see are most definitely spam.
Nigel
Processed Spam, what to do?
Hi :) I successfully processed ham and spam emails with sa-learn, through spam and ham mail accounts. Now I will wait for users to send me new spam messages to enrich the bayesian filter. What is the best to do with the old processed spam messages? Delete them or re-apply the learn on them with the new messages? Thanks
Re: BIG increase in spam today
Chris [EMAIL PROTECTED] wrote in message
I usually come home from work to find about 60-80 spams in my spam folder. Today upon bringing up the mailer there were over 400! Looks like a large botnet attack or something. Has anyone else noticed this? I've not finished looking at the Ash's to see where they're from, but I do notice that there are about 25-30 with the same subject in each group.
Yes Chris I did notice.. my server was attacked with spam yesterday morning.. it was coming from several different ip, so fast I could not keep it quiet
R: BIG increase in spam today
Chris [EMAIL PROTECTED] wrote in message
I usually come home from work to find about 60-80 spams in my spam folder. Today upon bringing up the mailer there were over 400! Looks like a large botnet attack or something. Has anyone else noticed this? I've not finished looking at the Ash's to see where they're from, but I do notice that there are about 25-30 with the same subject in each group.
Yes Chris I did notice.. my server was attacked with spam yesterday morning.. it was coming from several different ip, so fast I could not keep it quiet
Confirmed. A friend of mine had this problem too (It isn't me, I swear! :) ) The worst is that he uses the simple antispam engine embedded into MDaemon... His server seemed simply unable to handle the big quantity of inbound messages. This happened yesterday and this morning (CET). Now it seems that the mail flux stopped. I wonder what effect the senders are trying to obtain... DoS?
---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
NEVER send an e-mail to: [EMAIL PROTECTED]
Re: BIG increase in spam today
On 11/2/06, Debbie D [EMAIL PROTECTED] wrote: Yes Chris I did notice.. my server was attacked with spam yesterday morning.. it was coming from several different ip, so fast I could not keep it quiet There's been a lot of chatter about this: http://it.slashdot.org/article.pl?sid=06/11/01/1321226 Actually, it's getting to the extent that some at work are raising questions as to whether our SA setup will be able to maintain adequate protection from this growing onslaught. However, I have a feeling that even the appliance vendors are going to be equally hard pressed to deal with it. Amos
bayes_journal
I installed spamassassin-3.1.3. I have bayes_seen and bayes_toks, but I do not have bayes_journal. Why? Can you help me? Thanks, Andrea
Re: BIG increase in spam today
On Thursday, 2 November 2006 16:04, Amos wrote:
(...) Actually, it's getting to the extent that some at work are raising questions as to whether our SA setup will be able to maintain adequate protection from this growing onslaught.
Amos
Only AFTER adequate initial RBL filtering. Spamhaus does a great job here.
Michael.
R: BIG increase in spam today
On 11/2/06, Debbie D [EMAIL PROTECTED] wrote:
Yes Chris I did notice.. my server was attacked with spam yesterday morning.. it was coming from several different ip, so fast I could not keep it quiet
There's been a lot of chatter about this: http://it.slashdot.org/article.pl?sid=06/11/01/1321226
Actually, it's getting to the extent that some at work are raising questions as to whether our SA setup will be able to maintain adequate protection from this growing onslaught. However, I have a feeling that even the appliance vendors are going to be equally hard pressed to deal with it.
Use greylisting: if they're bots, they will not even reach your SA. Greylisting is a force. Use the Force!
---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
NEVER send an e-mail to: [EMAIL PROTECTED]
Amos
RulesduJour How often is too often?
I have it set to go about every six hours yet blacklist_uri always seems to have an update. Is there any reason I couldn't up it to like every four hours? Would that stress the rules servers a bit too much? How often does everyone else update?
Re: Relay Checker Plugin (code review please?)
I've attached the patch file this time.. give it a go.. Use this command to patch your file. patch RelayChecker.patch and it should work.. This is just the patch for the .pm file.. the other one was simply adding in the default score values.. Thanks, Billy - Original Message - From: Dylan Bouterse [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Wednesday, November 01, 2006 11:28 PM Subject: RE: Relay Checker Plugin (code review please?) I did a couple of times. :( -Original Message- From: Billy Huddleston [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 01, 2006 9:20 PM To: Dylan Bouterse; users@spamassassin.apache.org Subject: Re: Relay Checker Plugin (code review please?) You may want to download new RelayChecker.pm file... you may have messed it up previously.. If you still have problems let me know.. - Original Message - From: Dylan Bouterse [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Wednesday, November 01, 2006 6:39 PM Subject: RE: Relay Checker Plugin (code review please?) -Original Message- 
From: John D. Hardin [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 01, 2006 5:05 PM To: Dylan Bouterse Cc: users@spamassassin.apache.org Subject: RE: Relay Checker Plugin (code review please?) On Wed, 1 Nov 2006, Dylan Bouterse wrote: # headerRELAY_CHECKER eval:relay_checker() # describe RELAY_CHECKER Check relay for DNS/Hostname issues. to: if ($nordns) { and when I run --lint I get the following errors: /etc/mail/spamassassin/RelayChecker.pm line 44, near 27 @@ ...how exactly did you apply the patch? From the contents of that error message it looks like you just inserted the patch text into the source file... Take a look at man patch. (Sorry if you did do that, but that error message is really suggestive of improper procedure.) I have never used the patch command and was not aware of it. Thank you for pointing me in the right direction. I was able to patch my RelayChecker.cf file using the patch command and the provided patch for that file but I am getting errors when trying to patch the RelayChecker.pm file. [EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch RelayChecker.pm missing header for unified diff at line 3 of patch patching file RelayChecker.pm Hunk #3 succeeded at 102 with fuzz 1. missing header for unified diff at line 77 of patch can't find file to patch at input line 77 Perhaps you should have used the -p or --strip option? The text leading up to this was: -- | if (! defined($name)) { | # the PTR record leads to a host that doesn't resolve in DNS | Mail::SpamAssassin::Plugin::dbg(RelayChecker: badrdns); |- $badrdns = 1; |+ $badrdns = $badrdns_score; | } | else { | Mail::SpamAssassin::Plugin::dbg(RelayChecker: name is $name); @@ -96,7 +123,7 @@ | # the hostname in the PTR record does resolve, but that hostname | # doesn't have $ip as one of its IP addresses | Mail::SpamAssassin::Plugin::dbg(RelayChecker: baddns); |-$baddns = 1; |+$baddns = $baddns_score; | } | else { | ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets 
@@ -124,7 +151,7 @@ |# in hex or decimal form ... or the entire thing in decimal |# probably a spambot since this is an untrusted relay |Mail::SpamAssassin::Plugin::dbg(RelayChecker: ipinhostname); |- $ipinhostname = 1; |+ $ipinhostname = $ipinhostname_score; |} | if ($hostname =~ | /(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+ $/ -- RelayChecker.patch Description: Binary data
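Review bot: in the hunks that replace "$badrdns = 1;" and "$baddns = 1;" the variables stop being 0/1 flags and start carrying $badrdns_score and $baddns_score, but none of the visible lines show where those score variables are declared, given a default or validated. If later code still tests the result for truth, the way "if ($nordns) {" is tested earlier in this message, a configured score of 0 silently turns the check off. Suggest keeping the boolean flags and applying the score only where the result is reported, or giving each score a default and documenting that 0 disables the test.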
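Review bot: in the "@@ -124,7 +151,7 @@" hunk, the context regex that follows the $ipinhostname assignment, "(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+", has nothing anchoring the keyword group on its left, so short alternatives such as "dip" or "ppp" also match in the middle of an unrelated host label. Since the patch is already making the neighbouring checks score-weighted, consider requiring start of string, a dot or a hyphen before the group while the file is being touched.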
Re: R: BIG increase in spam today
Greylisting is not always good... Greylisting inserts a delay in delivery and sometimes the email has to be delivered fast.
For example: on some public wireless networks, you have to register to have access to the internet. You can access the internet without authentication for 15 minutes. In these 15 minutes, you have to register in the captive portal and then go confirm your inscription by clicking on a link received by email. If the greylisting inserts more than 15 minutes of delay...
I think technologies like SPF have a better future.
François Rousseau
2006/11/2, Giampaolo Tomassoni [EMAIL PROTECTED] :
On 11/2/06, Debbie D [EMAIL PROTECTED] wrote:
Yes Chris I did notice.. my server was attacked with spam yesterday morning.. it was coming from several different ip, so fast I could not keep it quiet
There's been a lot of chatter about this: http://it.slashdot.org/article.pl?sid=06/11/01/1321226
Actually, it's getting to the extent that some at work are raising questions as to whether our SA setup will be able to maintain adequate protection from this growing onslaught. However, I have a feeling that even the appliance vendors are going to be equally hard pressed to deal with it.
Use greylisting: if they're bots, they will not even reach your SA. Greylisting is a force. Use the Force!
---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
NEVER send an e-mail to: [EMAIL PROTECTED]
Amos
Re: RulesduJour How often is too often?
At 07:38 AM 11/2/2006, you wrote:
I have it set to go about every six hours yet blacklist_uri always seems to have an update. Is there any reason I couldn't up it to like every four hours? Would that stress the rules servers a bit too much? How often does everyone else update?
Well considering it's called rules du jour, and I seem to recall Jour is day, and the instructions say do NOT use more than once a day... I update once a day. :-D
RE: RulesduJour How often is too often?
Oops, I musta missed that part. Hmm.. Maybe I could make a copy of dujour that just looked for updates to blacklist_uri.
-Original Message-
From: Evan Platt [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 02, 2006 7:44 AM
To: users@spamassassin.apache.org
Subject: Re: RulesduJour How often is too often?
At 07:38 AM 11/2/2006, you wrote:
I have it set to go about every six hours yet blacklist_uri always seems to have an update. Is there any reason I couldn't up it to like every four hours? Would that stress the rules servers a bit too much? How often does everyone else update?
Well considering it's called rules du jour, and I seem to recall Jour is day, and the instructions say do NOT use more than once a day... I update once a day. :-D
Re: bayes_journal
On Thu, Nov 02, 2006 at 02:08:46PM +0100, Andrea Bencini wrote:
I have bayes_seen and bayes_toks, but I do not have bayes_journal. Why?
The journal goes away when its data is synced into the DB.
-- Randomly Selected Tagline: Direct from the Ministry of Silly Walks.
R: RulesduJour How often is too often?
I have it set to go about every six hours yet blacklist_uri always seems to have an update. Is there any reason I couldn't up it to like every four hours? Would that stress the rules servers a bit too much? How often does everyone else update?
/ME: Once per day. Also note that there are 1-3 updates per month and that, for example, SARE rules are mainly meant to discover a wide range of spam flavors. They seldom ship rules for specific threats. A daily update is going to be really enough, I guess.
---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
NEVER send an e-mail to: [EMAIL PROTECTED]
Re: TVD tests?
On Thu, Nov 02, 2006 at 06:53:27AM +, Nigel Frankcom wrote:
In the 80_additional.cf file I have a list of TVD* rules that are not explained on the http://spamassassin.apache.org/tests_3_1_x.html page
I think the TVD rules are to do with gif spams. If your users use Outlook and stationery then FPs can be high unless you balance the scores with whitelisting and/or don't scan local users.
FWIW, TVD_ are simply rules that I wrote (initials). Some of them happen to focus on the graphic spams, others focus on other things. :) FPs are dependent on the type of mail you receive of course.
-- Randomly Selected Tagline: For a while, all that stood between America and annihilation was a man with a drinking problem. - Some program on the Learning Channel
Re: Text::Wrap warn
On Thu, Nov 02, 2006 at 05:19:53PM +0800, Xueron Nee wrote:
[18288] warn: (?:(?=[\s,]))* matches null string many times in regex; marked by -- HERE in m/\G(?:(?=[\s,]))* -- HERE \Z/ at /usr/lib/perl5/5.8.5/Text/Wrap.pm line 46.
What's the matter?
http://wiki.apache.org/spamassassin/TextWrapError
-- Randomly Selected Tagline: It is easier to confess a defect then to claim a quality. - Max Beerbohm
R: R: BIG increase in spam today
Greylisting is not always good... Greylisting inserts a delay in delivery and sometimes the email has to be delivered fast. For example: on some public wireless networks, you have to register to have access to the internet. You can access the internet without authentication for 15 minutes. In these 15 minutes, you have to register in the captive portal and then go confirm your inscription by clicking on a link received by email. If the greylisting inserts more than 15 minutes of delay...
Yes, this is a well-known argument. The fact is that smtp is designed for reliability, not for low latency. Smtp probably isn't well-suited for a subscription system with such a tight time window.
I think technologies like SPF have a better future.
Greylisting is present, not future. SPF is actually not that common... Probably, SPF WILL have a better future. Come on: use the Force! :)
François Rousseau
2006/11/2, Giampaolo Tomassoni [EMAIL PROTECTED] :
On 11/2/06, Debbie D [EMAIL PROTECTED] wrote:
Yes Chris I did notice.. my server was attacked with spam yesterday morning.. it was coming from several different ip, so fast I could not keep it quiet
There's been a lot of chatter about this: http://it.slashdot.org/article.pl?sid=06/11/01/1321226
Actually, it's getting to the extent that some at work are raising questions as to whether our SA setup will be able to maintain adequate protection from this growing onslaught. However, I have a feeling that even the appliance vendors are going to be equally hard pressed to deal with it.
Use greylisting: if they're bots, they will not even reach your SA. Greylisting is a force. Use the Force!
---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
NEVER send an e-mail to: [EMAIL PROTECTED]
Amos
Re: disable meta rules
On Thu, Nov 02, 2006 at 05:14:22PM +0800, Xueron Nee wrote:
I want to disable all tests but bayes to do some benchmark of bayes classify. So I changed all rules' score to 0. It seems that it's correct.
Sure. You can also just remove the rule files, it would be easier.
But I saw some lines like this:
[18176] info: rules: meta test RCVD_DOUBLE_IP_LOOSE has dependency 'RCVD_DOUBLE_IP_SPAM' with a zero score
..
Scores of these meta rules are 0, too. But it seems that these meta tests were still available. Is it right?
The rules are defined, and the dependencies have a score of 0, so it tells you so.
-- Randomly Selected Tagline: I'd rather work on a OS made by programmers needing marketing, than a OS made by marketing needing programmers. - Unknown
Re: R: BIG increase in spam today
On Thursday 02 November 2006 08:42, François Rousseau wrote:
Greylisting is not always good... Greylisting inserts a delay in delivery and sometimes the email has to be delivered fast. For example: on some public wireless networks, you have to register to have access to the internet. You can access the internet without authentication for 15 minutes. In these 15 minutes, you have to register in the captive portal and then go confirm your inscription by clicking on a link received by email. If the greylisting inserts more than 15 minutes of delay...
I use policyd and give my users the ability to opt out (or opt in depending on the domain settings) of greylisting if they choose. They can do it through a plugin in SquirrelMail so, if they choose, they can turn it off for a few minutes to get instant delivery and turn it back on when they are done or just leave it off. It seems to work well enough here. I have to agree with others in this thread that, in general, the more you can safely stop before it hits your filtering system, the happier you'll be.
I think technologies like SPF have a better future.
I don't know. I've seen too many problems with SPF and mail forwarding from hosting providers.
[snip]
-- Randy Smith http://perlstalker.amigo.net/
Work is the miracle by which talent is brought to the surface and dreams become reality. - Gordon B. Hinckley
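The trade-off argued in this thread, as an added example (not code from policyd or from any poster): a minimal greylisting decision keyed on the usual (client IP, sender, recipient) triplet, with a per-recipient opt-out like the one described in the message above. The 5-minute minimum delay, the retry schedules, the names `Greylist`, `delivery_delay` and `misses_window`, and all addresses are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

# A 4xx reply is a temporary failure: a standards-following MTA queues the
# message and retries later, while fire-and-forget bots usually do not.
DEFER = "450 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300                        # assumed: seconds a new triplet must wait
    first_seen: dict = field(default_factory=dict)
    opted_out: set = field(default_factory=set)  # recipients who disabled greylisting

    def check(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        rcpt = rcpt.lower()
        if rcpt in self.opted_out:
            # Instant delivery, but this recipient loses the bot filtering too.
            return ACCEPT
        triplet = (client_ip, sender.lower(), rcpt)
        seen = self.first_seen.setdefault(triplet, now)  # remember first attempt
        if now - seen < self.min_delay:
            return DEFER
        return ACCEPT


def delivery_delay(greylist, client_ip, sender, rcpt, attempts):
    """Replay a sender's retry schedule (offsets in seconds from the first try).

    Returns the offset of the first accepted attempt, or None if the sender
    gave up before the greylist let the message through.
    """
    for offset in attempts:
        if greylist.check(client_ip, sender, rcpt, now=offset) == ACCEPT:
            return offset
    return None


def misses_window(delay, window=15 * 60):
    """True if mail arrives after the 15-minute captive-portal window, or never."""
    return delay is None or delay > window


if __name__ == "__main__":
    gl = Greylist()
    gl.opted_out.add("traveller@example.org")
    # Constructed scenarios: (label, client IP, sender, recipient, retry offsets)
    scenarios = [
        ("slow-retry MTA", "192.0.2.10", "portal@hotspot.example",
         "guest@example.org", [0, 120, 1200]),
        ("fast-retry MTA", "192.0.2.11", "noreply@shop.example",
         "guest@example.org", [0, 60, 360]),
        ("bot, no retry", "198.51.100.7", "x@spam.example",
         "guest@example.org", [0]),
        ("bot vs opted-out user", "198.51.100.7", "x@spam.example",
         "traveller@example.org", [0]),
    ]
    for label, ip, sender, rcpt, attempts in scenarios:
        delay = delivery_delay(gl, ip, sender, rcpt, attempts)
        print(f"{label:24} delay={delay} misses_15min_window={misses_window(delay)}")
```

The delay a legitimate message sees is set by the sending server's retry schedule, not by `min_delay` alone, which is why the same greylist passes one confirmation mail in time and not the other.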
Re: Text::Wrap warn
On Thu, Nov 02, 2006 at 10:56:39AM -0500, Theo Van Dinter wrote: http://wiki.apache.org/spamassassin/TextWrapError Can you tell me, since I am not a perl guru, how to downgrade this module ? Jonathan
Re: Text::Wrap warn
On Thu, Nov 02, 2006 at 04:04:45PM +, Jonathan Allen wrote:
http://wiki.apache.org/spamassassin/TextWrapError
Can you tell me, since I am not a perl guru, how to downgrade this module ?
For example, my system comes with version 2001.0929. So you can download the version from CPAN: http://cpan.org/modules/by-module/Text/Text-Tabs+Wrap-2001.0929.tar.gz and install it using the normal method (look at the README/INSTALL files, and then likely: perl Makefile.PL; make; make test; make install). :)
According to the bugzilla ticket, apparently 2006.0711 has the problem, but 2006.0705 does not. So I'd probably grab that version.
-- Randomly Selected Tagline: It was nice of you to let me reattach your arm. --Zoidber
Re: disable meta rules
Theo Van Dinter writes:
On Thu, Nov 02, 2006 at 05:14:22PM +0800, Xueron Nee wrote:
I want to disable all tests but bayes to do some benchmark of bayes classify. So I changed all rules' score to 0. It seems that it's correct.
Sure. You can also just remove the rule files, it would be easier.
Or use the -C switch to use a different directory, one where you've copied the BAYES rules file previously.
But I saw some lines like this:
[18176] info: rules: meta test RCVD_DOUBLE_IP_LOOSE has dependency 'RCVD_DOUBLE_IP_SPAM' with a zero score
..
Scores of these meta rules are 0, too. But it seems that these meta tests were still available. Is it right?
The rules are defined, and the dependencies have a score of 0, so it tells you so.
Could you file a bug at the bugzilla though? Personally, I think it's arguable that it should *not* warn about disabled rules.
--j.
Re: Spam
I would like also to report the spams, but I don't want to get so much spams as I can see there.
This is probably because you have an unconditional warn message = X-Spam-Report: $spam_report in your Exim configuration - check your ACL.
I don't know what you exactly mean, what wrong is? But I will go on the exim4 lists.
If you also add this to /etc/spamassassin/local.cf:
clear_report_template
report _REPORT_
you will get a format that's more suitable to put in the headers.
What do you mean, what this two options do, I found nothing on the spamassassin site.
thanks marcus
Re: Spam
On Thu, 02 Nov 2006 16:31:26 +, Markus Braun [EMAIL PROTECTED] wrote:
I would like also to report the spams, but I don't want to get so much spams as I can see there.
This is probably because you have an unconditional warn message = X-Spam-Report: $spam_report in your Exim configuration - check your ACL.
I don't know what you exactly mean, what wrong is? But I will go on the exim4 lists.
If you also add this to /etc/spamassassin/local.cf:
clear_report_template
report _REPORT_
you will get a format that's more suitable to put in the headers.
What do you mean, what this two options do, I found nothing on the spamassassin site.
thanks marcus
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#item_clear_report_template
--lint ok but still have errors
Last week I made some changes to my rules and I performed --lint which showed no errors.. Yesterday AM there was a HUGE influx of spam and I SSH'd in when I saw the loads jumping up. The first thing I did after verifying I had loads up over 30% was shut down exim, which normally brings the loads down very quickly.. yesterday it did not.. I had to do a reboot to accomplish the task.. when I went and looked at the maillog files when things calmed down I saw the following errors when exim (and consequently spamd, clamd, SA, blahblah) started back up. If --lint showed no errors.. what's up with this???
Nov 1 13:16:12 server spamd[31256]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'RAZOR2_CHECK'
Nov 1 13:16:12 server spamd[31256]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Nov 1 13:16:12 server spamd[31256]: rules: meta test DRUGS_ERECTILE has undefined dependency '__DRUGS_ERECTILE7'
Nov 1 13:16:12 server spamd[31256]: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
Nov 1 13:16:12 server spamd[31256]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_HEAD_SUBJ_RAND has dependency 'X_AUTH_WARN_FAKED' with a zero score
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_HEAD_8BIT_NOSPM has undefined dependency '__SARE_HEAD_8BIT_DATE'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_HEAD_8BIT_NOSPM has undefined dependency '__SARE_HEAD_8BIT_RECV'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MULT_RATW_03 has undefined dependency '__SARE_MULT_RATW_03E'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG50'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG55'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG65'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG75'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG50'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG55'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG65'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG75'
Nov 1 13:16:13 server spamd[31256]: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
Re: --lint ok but still have errors
On Thu, 2 Nov 2006 12:03:14 -0500, Debbie D [EMAIL PROTECTED] wrote:
Last week I made some changes to my rules and I performed --lint which showed no errors.. Yesterday AM there was a HUGE influx of spam and I SSH'd in when I saw the loads jumping up. The first thing I did after verifying I had loads up over 30% was shut down exim, which normally brings the loads down very quickly.. yesterday it did not.. I had to do a reboot to accomplish the task.. when I went and looked at the maillog files when things calmed down I saw the following errors when exim (and consequently spamd, clamd, SA, blahblah) started back up. If --lint showed no errors.. what's up with this???
Nov 1 13:16:12 server spamd[31256]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'RAZOR2_CHECK'
Nov 1 13:16:12 server spamd[31256]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Nov 1 13:16:12 server spamd[31256]: rules: meta test DRUGS_ERECTILE has undefined dependency '__DRUGS_ERECTILE7'
Nov 1 13:16:12 server spamd[31256]: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
Nov 1 13:16:12 server spamd[31256]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_HEAD_SUBJ_RAND has dependency 'X_AUTH_WARN_FAKED' with a zero score
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_HEAD_8BIT_NOSPM has undefined dependency '__SARE_HEAD_8BIT_DATE'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_HEAD_8BIT_NOSPM has undefined dependency '__SARE_HEAD_8BIT_RECV'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MULT_RATW_03 has undefined dependency '__SARE_MULT_RATW_03E'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG50'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG55'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG65'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG75'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG50'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG55'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG65'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG75'
Nov 1 13:16:13 server spamd[31256]: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
Not sure if this is related, but I have these appearing under --lint -D...
[6209] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'PYZOR_CHECK'
[6209] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION'
They're not causing any issues (so far), but only seem to have appeared since my upgrade to 3.1.7. There's been some discussion about scores with 0 rating popping similar so I wonder if that's related. Not much help I know, but apparently not so rare either.
KR Nigel
Re: --lint ok but still have errors
Nigel Frankcom wrote: On Thu, 2 Nov 2006 12:03:14 -0500, Debbie D [EMAIL PROTECTED] wrote: Last week I made some changes to my rules and I performed -- lint which showed no errors.. Yesterday AM there was a HUGE influx of spam and I SSH'd in when I saw the loads jumping up. The first thing I did after verifying I had loads up over 30% was shut down exim, which normally brings the loads down very quickly.. yesterday it did not.. I had to do a reboot to accomplish the task.. when I went and looked at the maillog files when things calmed down I saw the following errors when exim (and consequently spamd, clamd, SA, blahblah) started back up. If -- lint showed no errors.. whats up with this??? [SNIP] Not sure if this is related, but I have these appearing under --lint -D... [6209] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'PYZOR_CHECK' [6209] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION' They're not causing any issues (so far), but only seem to have appeared since my upgrade to 3.1.7 There's been some discussion about scores with 0 rating popping similar so I wonder if that's related. Not much help I know, but apparently not so rare either. Not errors, informational warnings and quite clear. This ought to be seen in SA 3.1.6+, previous versions would simply ignore these. f.i.: DIGEST_MULTIPLE is probably a meta_rule dependent on probably razor, pyzor and DCC. The rule check doesn't fail but simply throws an informational warning. IIRC, it's mentioned in the changelog somewhere. - dhawla
Re: --lint ok but still have errors
On Thu, 02 Nov 2006 22:53:38 +0530, Dhawal Doshy [EMAIL PROTECTED] wrote: Nigel Frankcom wrote: On Thu, 2 Nov 2006 12:03:14 -0500, Debbie D [EMAIL PROTECTED] wrote: Last week I made some changes to my rules and I performed -- lint which showed no errors.. Yesterday AM there was a HUGE influx of spam and I SSH'd in when I saw the loads jumping up. The first thing I did after verifying I had loads up over 30% was shut down exim, which normally brings the loads down very quickly.. yesterday it did not.. I had to do a reboot to accomplish the task.. when I went and looked at the maillog files when things calmed down I saw the following errors when exim (and consequently spamd, clamd, SA, blahblah) started back up. If -- lint showed no errors.. whats up with this??? [SNIP] Not sure if this is related, but I have these appearing under --lint -D... [6209] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'PYZOR_CHECK' [6209] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION' They're not causing any issues (so far), but only seem to have appeared since my upgrade to 3.1.7 There's been some discussion about scores with 0 rating popping similar so I wonder if that's related. Not much help I know, but apparently not so rare either. Not errors, informational warnings and quite clear. This ought to be seen in SA 3.1.6+, previous versions would simply ignore these. f.i.: DIGEST_MULTIPLE is probably a meta_rule dependent on probably razor, pyzor and DCC. The rule check doesn't fail but simply throws an informational warning. IIRC, it's mentioned in the changelog somewhere. - dhawla I'm aware these are info not errors, what I find confusing is that I have Pyzor installed and (apparently) working fine. Admittedly I haven't read the 3.1.7 changelog yet (3.1.6 never made it off the test machine). Though with a little spare time and a couple of beers I'll sit down and read it now. KR Nigel
Re: --lint ok but still have errors
Thanks all for your comments. I see now that this is informational only and I won't let it concern me.
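An added example, not part of the original thread and not SpamAssassin's own code: a small parser that separates the two kinds of informational message quoted in this thread (undefined dependency versus dependency with a zero score) and indexes them by the dependency, so that one missing rule affecting several meta tests shows up once. The function names are made up for this sketch; the sample lines are copied from the messages above, plus one constructed unrelated line.

```python
import re

# Matches the syslog form ("Nov 1 ... spamd[31256]: rules: ...") as well as the
# debug form ("[6209] info: rules: ...") quoted in the thread.
META_DEP = re.compile(
    r"rules: meta test (?P<meta>\S+) has "
    r"(?:undefined dependency '(?P<undef>[^']+)'"
    r"|dependency '(?P<zero>[^']+)' with a zero score)"
)

# Lines taken from the thread; the exim line is constructed for the example.
SAMPLE_LOG = """\
Nov 1 13:16:12 server spamd[31256]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'RAZOR2_CHECK'
Nov 1 13:16:12 server spamd[31256]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Nov 1 13:16:12 server spamd[31256]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_HEAD_SUBJ_RAND has dependency 'X_AUTH_WARN_FAKED' with a zero score
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG50'
Nov 1 13:16:13 server spamd[31256]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG50'
Nov 1 13:16:14 server exim[31300]: unrelated line (constructed)
[6209] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'PYZOR_CHECK'
"""


def parse_meta_warnings(text):
    """Return a list of (meta_rule, kind, dependency) tuples.

    kind is "undefined" (the dependency is not defined at all) or
    "zero_score" (the dependency exists but its score is 0).
    """
    records = []
    for line in text.splitlines():
        m = META_DEP.search(line)
        if m is None:
            continue  # not one of the two meta-dependency messages
        if m.group("undef") is not None:
            records.append((m.group("meta"), "undefined", m.group("undef")))
        else:
            records.append((m.group("meta"), "zero_score", m.group("zero")))
    return records


def by_dependency(records):
    """Index the warnings by dependency: {dep: {"kind": ..., "metas": [...]}}."""
    index = {}
    for meta, kind, dep in records:
        entry = index.setdefault(dep, {"kind": kind, "metas": []})
        if meta not in entry["metas"]:
            entry["metas"].append(meta)
    return index


def metas_with_undefined(records):
    """Meta rules that reference at least one rule that is not defined."""
    return sorted({meta for meta, kind, _ in records if kind == "undefined"})


if __name__ == "__main__":
    recs = parse_meta_warnings(SAMPLE_LOG)
    for dep, info in by_dependency(recs).items():
        print(f"{info['kind']:<10} {dep:<24} used by {', '.join(info['metas'])}")
    print("metas with undefined dependencies:", metas_with_undefined(recs))
```
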
Re: BIG increase in spam today
Amos wrote: On 11/2/06, Debbie D [EMAIL PROTECTED] wrote: Yes Chris I did notice.. my server was attacked with spam yesterday morning.. it was coming from several different ip, so fast I could not keep it quiet

There's been a lot of chatter about this: http://it.slashdot.org/article.pl?sid=06/11/01/1321226 Actually, it's getting to the extent that some at work are raising questions as to whether our SA setup will be able to maintain adequate protection from this growing onslaught. However, I have a feeling that even the appliance vendors are going to be equally hard pressed to deal with it. Amos

I'm not an appliance vendor but I run a front end spam filtering service and it's been a struggle. Most of my spam defense isn't SA though. I'm using Exim rules to do most of the work and SA gets what's left. Right now I'm trying to reject the bayes poisoning spam before it gets to SA so that I can get my bayes back and raise my bayes scores again.
Re: R: BIG increase in spam today
What I do is sort of partial greylisting. If a connection is suspicious I give them a temp error on my lowest MX but accept them on higher MX records. So that way most MTA will try a higher MX right away and it doesn't add much of a delay.

François Rousseau wrote: Greylisting is not always good... The greylisting inserts delay in delivery and sometimes the email has to be delivered fast. For example: on some public wireless network, you have to register to have access to the internet. You can access internet without authentication for 15 minutes. In this 15 minutes, you have to register in the captive portal and then go confirm your inscription by clicking in a link received by email. If the greylisting inserts more than 15 minutes of delay... I think technologies like SPF have a better future. François Rousseau
Re: Processed Spam, what to do?
On Thu, 2 Nov 2006, itdelany wrote: I successfully processed ham and spam emails with sa-learn, through spam and ham mail accounts, now, I will wait for users to send me new spam messages to enrich the bayesian filter. What is the best to do with the old processed spam messages? delete them or re-apply the learn on them with the new messages?

It depends on the size and whether you are doing purely manual training. I believe in keeping them around (though aged or saved in an archive directory, so that it doesn't try to re-learn them every time) in case I need to retrain from scratch for some reason. My nightly learning script (posted here, check the archives) ignores message files that haven't been modified in the last three days, and I rotate the files where users save messages-to-be-learned monthly, so that at most sa-learn only examines one month of messages per user, regardless of how large the corpus gets. 'course, I only have four users...

-- John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The first time I saw a bagpipe, I thought the player was torturing an octopus. I was amazed they could scream so loudly. -- cat_herder_5263 on Y! SCOX --- 5 days until the campaign ads stop
Re: R: BIG increase in spam today
On Thu, 2 Nov 2006, François Rousseau wrote: Greylisting is not always good... The greylisting inserts delay in delivery and sometimes the email has to be delivered fast. For example: on some public wireless network, you have to register to have access to the internet. You can access internet without authentication for 15 minutes. In this 15 minutes, you have to register in the captive portal and then go confirm your inscription by clicking in a link received by email. If the greylisting inserts more than 15 minutes of delay...

Tell the greylist software to whitelist the wifi provider's mail server. You *can* tune things like this - they are intended to be suspicious of strangers, not people or firms you know you will be communicating with - but, as with children, you need to tell them how to distinguish.

-- John Hardin
Re: Processed Spam, what to do?
I already deleted them based on Matt's answer, but your point is good.. I'll keep some of them with the 2nd learning. To backup learning files, do I only have to copy bayes_seen and bayes_toks, right? thanks

John D. Hardin wrote: It depends on the size and whether you are doing purely manual training. I believe in keeping them around (though aged or saved in an archive directory, so that it doesn't try to re-learn them every time) in case I need to retrain from scratch for some reason. My nightly learning script (posted here, check the archives) ignores message files that haven't been modified in the last three days, and I rotate the files where users save messages-to-be-learned monthly, so that at most sa-learn only examines one month of messages per user, regardless of how large the corpus gets. 'course, I only have four users... -- John Hardin
RE: BIG increase in spam today
-Original Message- From: Marc Perkel [mailto:[EMAIL PROTECTED] Sent: Thursday, 2 November 2006 19:00 To: users@spamassassin.apache.org Subject: Re: BIG increase in spam today

I'm not an appliance vendor but I run a front end spam filtering service and it's been a struggle. Most of my spam defense isn't SA though. I'm using Exim rules to do most of the work and SA gets what's left.

Same here. A custom brewed milter-type setup of mine (a combined set of socketmap invocations, to be precise) handles the vast majority of spam at the gate. 92% (!) of all incoming spam uses an invalid HELO. 9% pretends to be me in their HELO. 83% of all spam here comes from dynamic IP space. 8% of the incoming spam uses a country-level TLD which does not match the HELO country TLD (EHLO foo.de vs. bar.uk PTR, for instance). SA gets the rest. :) - Mark
Re: Processed Spam, what to do?
On Thu, 2 Nov 2006, itdelany wrote: To backup learning files, do I only have to copy bayes_seen and bayes_toks, right?

I was speaking of backing up the original messages. Backing up the bayes_* files would let you restore the database to a particular point in time, which is useful if you know that it went bad at a particular point in time. That would save you re-learning from scratch up to that point in time. You'd restore the old bayes_* files, examine the corpora (saved original messages) past that point to correct erroneous classifications (e.g. a user dropped a bunch of spams in the ham folder), and then re-learn from that point forward to bring it current. Does that make sense?

-- John Hardin
R: R: BIG increase in spam today
From: Marc Perkel [mailto:[EMAIL PROTECTED] What I do is sort of partial greylisting. If a connection is suspicious I give them a temp error on my lowest MX but accept them on higher MX records. So that way most MTA will try a higher MX right away and it doesn't add much of a delay.

Well, it's nice. But expect bots to circumvent this within a few months: it's easy. Greylisting works on the assumption that no spammer would waste its precious time by attempting a second time to an smtp server, but they could attempt to a site's higher MXes soon after they get a 4xx from the lowest one... You know: they have to do their dirty work within minutes, or their efforts will be voided by reporting agents and the like (razor, pyzor, dcc, etc...) or sometimes by the connection provider itself.

--- Giampaolo Tomassoni
R: Processed Spam, what to do?
From: John D. Hardin [mailto:[EMAIL PROTECTED] 'course, I only have four users...

Wow! I thought I was the tiniest here: I got around 60 (can't get the exact number: they're too many :) ).

--- Giampaolo Tomassoni
Re: BIG increase in spam today
Mark wrote: -Original Message- From: Marc Perkel [mailto:[EMAIL PROTECTED] Sent: Thursday, 2 November 2006 19:00 To: users@spamassassin.apache.org Subject: Re: BIG increase in spam today

I'm not an appliance vendor but I run a front end spam filtering service and it's been a struggle. Most of my spam defense isn't SA though. I'm using Exim rules to do most of the work and SA gets what's left.

Same here. A custom brewed milter-type setup of mine (a combined set of socketmap invocations, to be precise) handles the vast majority of spam at the gate. 92% (!) of all incoming spam uses an invalid HELO. 9% pretends to be me in their HELO.

Is this 9% included in the above 'invalid HELO' number? -Jim
Can't upgrade w/ RPM
Hi. I'm running FC3 on an AMD64 platform for my mail server, and I had last installed SpamAssassin 3.1.5. Well, I grabbed the tarball for 3.1.7, and did a rpmbuild -tb ... of the tarball. Worked fine. Then I tried to upgrade via RPM: # rpm -v -U /home/src/redhat/RPMS/x86_64/perl-Mail-SpamAssassin-3.1.7-1.x86_64.rpm error: Failed dependencies: perl-Mail-SpamAssassin = 3.1.5-1 is needed by (installed) spamassassin-3.1.5-1.x86_64 any ideas why this is happening and what the fix is? -Philip
Re: Can't upgrade w/ RPM
On Thu, Nov 02, 2006 at 12:00:50PM -0700, Philip Prindeville wrote: # rpm -v -U /home/src/redhat/RPMS/x86_64/perl-Mail-SpamAssassin-3.1.7-1.x86_64.rpm error: Failed dependencies: perl-Mail-SpamAssassin = 3.1.5-1 is needed by (installed) spamassassin-3.1.5-1.x86_64 any ideas why this is happening and what the fix is?

upgrade spamassassin and perl-Mail-SpamAssassin at the same time.

-- Randomly Selected Tagline: I thought you were dead. Yeah ... I get that a lot.- From the movie Alien: Resurrection
Re: Can't upgrade w/ RPM
Philip Prindeville wrote: Hi. I'm running FC3 on an AMD64 platform for my mail server, and I had last installed SpamAssassin 3.1.5. Well, I grabbed the tarball for 3.1.7, and did a rpmbuild -tb ... of the tarball. Worked fine. Then I tried to upgrade via RPM: # rpm -v -U /home/src/redhat/RPMS/x86_64/perl-Mail-SpamAssassin-3.1.7-1.x86_64.rpm error: Failed dependencies: perl-Mail-SpamAssassin = 3.1.5-1 is needed by (installed) spamassassin-3.1.5-1.x86_64 any ideas why this is happening and what the fix is? -Philip

You can't just upgrade one of the RPMs, you need to do them all at once. spamassassin-3.1.5-1.x86_64 is using perl-Mail-SpamAssassin-3.1.5-1.x86_64.rpm so you can't upgrade one without the other. -Jim
Re: Can't upgrade w/ RPM
On Thu, 02 Nov 2006 12:00:50 -0700, Philip Prindeville [EMAIL PROTECTED] wrote: Hi. I'm running FC3 on an AMD64 platform for my mail server, and I had last installed SpamAssassin 3.1.5. Well, I grabbed the tarball for 3.1.7, and did a rpmbuild -tb ... of the tarball. Worked fine. Then I tried to upgrade via RPM: # rpm -v -U /home/src/redhat/RPMS/x86_64/perl-Mail-SpamAssassin-3.1.7-1.x86_64.rpm error: Failed dependencies: perl-Mail-SpamAssassin = 3.1.5-1 is needed by (installed) spamassassin-3.1.5-1.x86_64 any ideas why this is happening and what the fix is? -Philip Have you tried install/upgrade via yum?
RE: BIG increase in spam today
-Original Message- From: Jim Maul [mailto:[EMAIL PROTECTED] Sent: Thursday, 2 November 2006 19:58 To: users@spamassassin.apache.org Subject: Re: BIG increase in spam today

92% (!) of all incoming spam uses an invalid HELO. 9% pretends to be me in their HELO.

Is this 9% included in the above 'invalid HELO' number?

Yes. I should have been more clear about that. 92% fails the HELO tests, for one reason or another. Of those 92%, 9% are HELOs pretending to be me (either my primary domain, or the domains I host, or address literals pretending to be me). The 8% that fails the PTR != HELO country TLD is also included in the 92%. The rest of the invalid HELOs are just non-FQDNs (like HELO friend), or IP addresses (not inside braces, like an address literal). Then there's a complex HELO category I mark, to counter spam bursts, based on sequence heuristics within a very short time-frame, like:

Nov 2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: -- EHLO MATTHIAS.uuuiguu.net
Nov 2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: -- EHLO MATTHIAS.me1n93.net
Nov 2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: -- EHLO MATTHIAS

(where the third-level TLD, in caps, is the basis for the group as a total). I'm still experimenting with it (not actually blocking on it yet); but the number of FPs is zero so far (running for several weeks). Seriously, HELO tests rock! - Mark
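The HELO categories Mark lists above, written out as an added sketch; this is not his milter code and not part of the original message. `LOCAL_DOMAINS`, `LOCAL_IPS`, the function names, the 10-second window and the threshold of three variants are assumptions; the three `EHLO MATTHIAS` lines are from his message and the fourth sample line is constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumptions for this sketch: names and addresses the receiving host owns.
LOCAL_DOMAINS = {"example.org"}
LOCAL_IPS = {ipaddress.ip_address("192.0.2.25")}


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _cc_tld(name):
    """Last label of a host name if it is a two-letter country-code TLD."""
    last = name.rstrip(".").rsplit(".", 1)[-1].lower()
    return last if len(last) == 2 and last.isalpha() else None


def classify_helo(helo, ptr=None):
    """Return the reasons a HELO/EHLO argument is suspect (empty list: none)."""
    arg = helo.strip()
    if arg.startswith("[") and arg.endswith("]"):      # address literal
        literal = arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        ip = _parse_ip(literal)
        if ip is None:
            return ["malformed-address-literal"]
        return ["claims-local-identity"] if ip in LOCAL_IPS else []
    if _parse_ip(arg) is not None:                     # IP without brackets
        return ["bare-ip"]
    name = arg.rstrip(".").lower()
    if "." not in name:                                # e.g. "HELO friend"
        return ["non-fqdn"]
    reasons = []
    # A remote client naming one of our own domains (or a host under it).
    if name in LOCAL_DOMAINS or name.endswith(tuple("." + d for d in LOCAL_DOMAINS)):
        reasons.append("claims-local-identity")
    if ptr:
        helo_cc, ptr_cc = _cc_tld(name), _cc_tld(ptr)
        if helo_cc and ptr_cc and helo_cc != ptr_cc:   # foo.de vs. bar.uk PTR
            reasons.append("country-tld-mismatch")
    return reasons


EHLO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*\b(?:EHLO|HELO) (?P<arg>\S+)")


def helo_bursts(lines, window=10, min_variants=3, year=2006):
    """Group EHLO arguments by their first label and report labels that show
    at least min_variants different arguments within `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        m = EHLO_LINE.match(line)
        if m is None:
            continue
        # Syslog timestamps carry no year; supply one so strptime can parse.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        arg = m.group("arg")
        events[arg.split(".", 1)[0].upper()].append((ts, arg))
    bursts = {}
    for label, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            variants = {a for t, a in seen[i:]
                        if (t - start).total_seconds() <= window}
            if len(variants) >= min_variants:
                bursts[label] = sorted(variants)
                break
    return bursts


SAMPLE_LOG = [
    "Nov 2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: -- EHLO MATTHIAS.uuuiguu.net",
    "Nov 2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: -- EHLO MATTHIAS.me1n93.net",
    "Nov 2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: -- EHLO MATTHIAS",
    # Constructed line: a lone, well-formed EHLO that must not be reported.
    "Nov 2 18:24:10 asarian-host sendmail[6170]: kA2HOAaa006170: -- EHLO mx.example.net",
]

if __name__ == "__main__":
    for helo, ptr in [("friend", None), ("192.0.2.77", None), ("[192.0.2.25]", None),
                      ("example.org", None), ("foo.de", "bar.uk")]:
        print(helo, ptr, classify_helo(helo, ptr))
    print(helo_bursts(SAMPLE_LOG))
```
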
Re: Can't upgrade w/ RPM
Jim Maul wrote: Philip Prindeville wrote: Hi. I'm running FC3 on an AMD64 platform for my mail server, and I had last installed SpamAssassin 3.1.5. Well, I grabbed the tarball for 3.1.7, and did a rpmbuild -tb ... of the tarball. Worked fine. Then I tried to upgrade via RPM: # rpm -v -U /home/src/redhat/RPMS/x86_64/perl-Mail-SpamAssassin-3.1.7-1.x86_64.rpm error: Failed dependencies: perl-Mail-SpamAssassin = 3.1.5-1 is needed by (installed) spamassassin-3.1.5-1.x86_64 any ideas why this is happening and what the fix is? -Philip

You can't just upgrade one of the RPMs, you need to do them all at once. spamassassin-3.1.5-1.x86_64 is using perl-Mail-SpamAssassin-3.1.5-1.x86_64.rpm so you can't upgrade one without the other. -Jim

You're right. Sorry, I spaced. I figured that the RPM container actually contained several modules, like zaptel does (it also contains zaptel-devices, zaptel-libs, etc). Is there any reason to not have a single container contain multiple packages? Since they do both need to be installed simultaneously? -Philip
Re: Can't upgrade w/ RPM
On Thu, Nov 02, 2006 at 12:38:55PM -0700, Philip Prindeville wrote: Is there any reason to not have a single container contain multiple packages? Since they do both need to be installed simultaneously?

The packages are independent. spamassassin relies on perl-Mail-SpamAssassin being the same version, so if you have them both installed you need to upgrade them at the same time. However, spamassassin isn't required (ie: you just want the perl modules), so it really depends on what you're doing.

-- Randomly Selected Tagline: It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.- Charles Darwin
Re: question re. SPF checks
I'm sorry, but your query below does not parse. The envelope sender does not change depending on which host it arrives from when using Thunderbird et al. The host from which it arrives changes, but that's not part of the envelope. And yes, you can disable anything with a network profile. rtfm.

Miles Fidelman wrote: I'm starting to set up SPF records for the domains I manage, and have run into a little snag. I hope somebody can suggest an approach: BASIC CONFIGURATION: Debian Sarge Postfix (from stable - so it's a relatively old version, 2.1 I believe) amavisd-new spamassassin clamav Postfix configured with postfix-tls (SASL) but only for MD-5 authentication of incoming SMTP For the most part, I use the machine as a list server (Sympa) and web host, but I also have three email accounts on the box. The listserver, and one of the email accounts, originate mail on the host (the email account, using pine) - so, for SPF purposes, the envelope sender is always the server, and all works just fine. But... for the other two email accounts, mail originates from desktop clients (Thunderbird). And here's the rub: - I want to apply virus and spam checks to incoming mail, but... - for SPF purposes, the envelope sender is now the dynamic IP of the desktop clients, so it's hard/impossible to put that in the SPF record - so, mail submitted from desktop clients is getting marked as failing the SPF check So... is there a way to turn off SPF checks for mail coming from authenticated clients, without turning off all the other checks (as, for example, would happen if mail was submitted via port 587)?

-- Jo Rhett Network/Software Engineer Net Consonance
RE: script for reporting ham/spam/resending?
Leon Kolchinsky wrote: Hello All, I'm running Cyrus as my IMAP server (Cyrus+Postfix+Amavis_ClamAV+Spamassassin+Web-Cyradm). I've written a script for reporting spam to Razor DB and teaching with it Bayesian DB, revoking false positives from Razor DB and teaching Bayesian DB with false positives. It looks like this (didn't test it yet, waiting for your suggestions), had to do it this way (for i in *.) cause Razor manual says that more than one non-mbox mail cannot be read from stdin:

    #!/bin/bash
    ### Razor stuff ###
    ## Revoking: one razor-revoke call per message file matching "*."
    cd /ham_folder/ || exit 1
    chmod 644 *.
    for i in *.; do
        echo "Revoking $i"
        su vscan -c "/usr/lib/razor-revoke '$i'"
    done
    echo "Razor Revoke Completed!"

    ### Reporting ###
    cd /spam_folder/ || exit 1
    chmod 644 *.
    for i in *.; do
        echo "Reporting $i"
        su vscan -c "/usr/lib/razor-report '$i'"
    done
    echo "Razor Reporting Completed!"

    ### Bayesian stuff ###
    su vscan -c "sa-learn --showdots --spam /spam_folder/"
    su vscan -c "sa-learn --showdots --ham /ham_folder/"

    ### Cleaning spam folder from learned emails ###
    su cyrus -c "/usr/lib/cyrus/bin/ipurge -d0 -f user/spamkiller/spam"
    ### End of the script ###

What I'm missing is a proper way of resending false positives (located now in /ham_folder/). Should I also add the sender to a whitelist? If yes how? How should I remove SA headers (how exactly?) and resend ham in the proper way?

You're making it a lot harder for yourself. Take a look at the manual pages 'man 3 spamassassin' spamassassin -r ... This performs bayes learning and reports message to razor, pyzor, DCC, and spamcop. spamassassin -k ... This learns as ham and revokes message with razor. -- Chris

--- Thanks Chris, What about resending false positives, after all filters learned that this is a ham, how should I resend these messages (on Cyrus system) to the original recipients? Any sample code would be very welcome :) Regards, Leon
how to show exact score for the tests in the headers
Hello All, I'm running a system with Cyrus+Postfix+Amavisd-new+SA+ClamAV. I've seen on this list that there is a possibility to show in the SA headers the exact score for all tests scored for particular message, like this: No, hits=-0.8 required=5.0 tests=BAYES_00=-2.599, DK_POLICY_SIGNSOME=0.001,DNS_FROM_RFC_ABUSE=0.2, FORGED_MUA_MOZILLA=1.593,SPF_PASS=-0.001 autolearn=no version=3.1.7 My current SA headers look like this: X-Spam-Status: Yes, hits=15.8 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_99, HTML_FONTCOLOR_RED, HTML_FONTCOLOR_UNSAFE, HTML_MESSAGE, MSGID_FROM_MTA_SHORT, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, RCVD_IN_SORBS_WEB, RCVD_IN_XBL X-Spam-Level: *** How should I change the configs (local.cf, amavis.conf, etc.?) so it looks like in the upper example? Regards, Leon Kolchinsky
Re: BIG increase in spam today
On Wed, 1 Nov 2006, Chris wrote: I usually come home from work to find about 60-80 spams in my spam folder. Today upon bringing up the mailer there were over 400! Looks like a large botnet attack or something. Has anyone else noticed this? I've not finished looking at the ASN's to see where they're from, but I do notice that there are about 25-30 with the same subject in each group.

I've noticed a significant uptick over the last month actually - both at home and work. At work, spam is now about 95% of all inbound mail (where it was hovering in the 75-80% range for some months). Scanning is still going ok (no overloads), and still *very few* FNs. I love bayes. Secondary MX has over 12000 hosts in the greylist, whereas it was hovering around 6-7k for the last few months. So it's definitely on the rise from where I sit. At home, I've also seen an increase - approx 150 a day from around 80-90 previously.

-- Jon Trulson mailto:[EMAIL PROTECTED] #include std/disclaimer.h No Kill I -Horta
Re: script for reporting ham/spam/resending?
Leon Kolchinsky wrote: Thanks Chris, What about resending false positives, after all filters learned that this is a ham, how should I resend these messages (on Cyrus system) to the original recipients? Any sample code would be very welcome :)

If I understand you correctly, your setup takes all your users' spam and puts it into one maildir where you can access it. Now you have identified false positives and have learned them as ham, but you need to get those messages back into your users' accounts. Probably the most straightforward method would be to write a script that checks the Envelope-to header and moves the file to that user's inbox. Personally, I don't manage users' spam. I give them imap folders for learn-spam and learn-ham then have a script that checks those folders and runs sa-learn. Spam is deleted once it is learned and ham is moved back to the inbox. For myself I also have report and revoke scripts that do the same, but instead of using sa-learn they use spamassassin -r or -k. -- Chris
Re: how to show exact score for the tests in the headers
Leon Kolchinsky wrote: Hello All, I'm running a system with Cyrus+Postfix+Amavisd-new+SA+ClamAV. I've seen on this list that there is a possibility to show in the SA headers the exact score for all tests scored for particular message, like this: No, hits=-0.8 required=5.0 tests=BAYES_00=-2.599, DK_POLICY_SIGNSOME=0.001,DNS_FROM_RFC_ABUSE=0.2, FORGED_MUA_MOZILLA=1.593,SPF_PASS=-0.001 autolearn=no version=3.1.7 My current SA headers look like this: X-Spam-Status: Yes, hits=15.8 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_99, HTML_FONTCOLOR_RED, HTML_FONTCOLOR_UNSAFE, HTML_MESSAGE, MSGID_FROM_MTA_SHORT, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, RCVD_IN_SORBS_WEB, RCVD_IN_XBL X-Spam-Level: *** How should I change the configs (local.cf, amavis.conf, etc.?) so it looks like in the upper example? To get the list of rules hit and their individual scores, add the following line to local.cf: add_header all Report _REPORT_ Run 'perldoc Mail::SpamAssassin::Conf' for details. -- Chris
RE: script for reporting ham/spam/resending?
Hi, You're right, this is my situation exactly. Your method is good for smart (intelligent) users. This is not my case (my users here are very hard nut :)). Just thought that maybe someone has such a script (for resending ham to its original recipients) running and could spare it with me :) Best Regards, Leon Kolchinsky

-Original Message- From: Chris Purves [mailto:[EMAIL PROTECTED] Sent: Friday, November 03, 2006 12:06 AM To: users@spamassassin.apache.org Subject: Re: script for reporting ham/spam/resending?

Leon Kolchinsky wrote: Thanks Chris, What about resending false positives, after all filters learned that this is a ham, how should I resend these messages (on Cyrus system) to the original recipients? Any sample code would be very welcome :)

If I understand you correctly, your setup takes all your users' spam and puts it into one maildir where you can access it. Now you have identified false positives and have learned them as ham, but you need to get those messages back into your users' accounts. Probably the most straightforward method would be to write a script that checks the Envelope-to header and moves the file to that user's inbox. Personally, I don't manage users' spam. I give them imap folders for learn-spam and learn-ham then have a script that checks those folders and runs sa-learn. Spam is deleted once it is learned and ham is moved back to the inbox. For myself I also have report and revoke scripts that do the same, but instead of using sa-learn they use spamassassin -r or -k. -- Chris
Re: how to show exact score for the tests in the headers
I'm running a system with Cyrus+Postfix+Amavisd-new+SA+ClamAV. I've seen on this list that there is a possibility to show in the SA headers the exact score for all tests scored for particular message, like this: No, hits=-0.8 required=5.0 tests=BAYES_00=-2.599, DK_POLICY_SIGNSOME=0.001,DNS_FROM_RFC_ABUSE=0.2, FORGED_MUA_MOZILLA=1.593,SPF_PASS=-0.001 autolearn=no version=3.1.7 My current SA headers look like this: X-Spam-Status: Yes, hits=15.8 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_99, HTML_FONTCOLOR_RED, HTML_FONTCOLOR_UNSAFE, HTML_MESSAGE, MSGID_FROM_MTA_SHORT, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, RCVD_IN_SORBS_WEB, RCVD_IN_XBL X-Spam-Level: *** How should I change the configs (local.cf, amavis.conf, etc.?) so it looks like in the upper example?

To get the list of rules hit and their individual scores, add the following line to local.cf: add_header all Report _REPORT_ Run 'perldoc Mail::SpamAssassin::Conf' for details. -- Chris

That will not help here as amavisd-new does not allow spamassassin to write headers. The problem here is an outdated amavisd-new. What distro are you running? Gary V
Re: Domain Keys
On Thursday November 2 2006 11:28, sokka wrote: When i send a mail from my local office ID to yahoo it is bouncing back with Greeting failed Is this due to domain key verification ? Not likely. Greeting is called the first status response from a SMTP server after connection establishment. Perhaps yahoo is doing some reverse test: maybe there is something wrong with your domain or SMTP server. Use tcpdump to determine what is going on. Mark
Re: BIG increase in spam today
From: Mark [EMAIL PROTECTED] From: Marc Perkel [mailto:[EMAIL PROTECTED]

I'm not an appliance vendor but I run a front end spam filtering service and it's been a struggle. Most of my spam defense isn't SA though. I'm using Exim rules to do most of the work and SA gets what's left.

Same here. A custom brewed milter-type setup of mine (a combined set of socketmap invocations, to be precise) handles the vast majority of spam at the gate. 92% (!) of all incoming spam uses an invalid HELO. 9% pretends to be me in their HELO.

I presume those that pretend to be you are invalid HELO, also. Otherwise the addition produces an overflow. {^_-}

83% of all spam here comes from dynamic IP space. 8% of the incoming spam uses a country-level TLD which does not match the HELO country TLD (EHLO foo.de vs. bar.uk PTR, for instance).

But the remainder is -92%. {^_-}
Re: R: BIG increase in spam today
From: Giampaolo Tomassoni [EMAIL PROTECTED] From: Marc Perkel [mailto:[EMAIL PROTECTED]

What I do is sort of partial greylisting. If a connection is suspicious I give them a temp error on my lowest MX but accept them on higher MX records. So that way most MTA will try a higher MX right away and it doesn't add much of a delay.

Well, it's nice. But expect bots to circumvent this within a few months: it's easy. Greylisting works on the assumption that no spammer would waste its precious time by attempting a second time to an smtp server, but they could attempt to a site's higher MXes soon after they get a 4xx from the lowest one... You know: they have to do their dirty work within minutes, or their efforts will be voided by reporting agents and the like (razor, pyzor, dcc, etc...) or sometimes by the connection provider itself.

If I were running a greylist instead of using fetchmail here I'd definitely want to gen up a tool that notices source IPs and at the third message from a source IP in 10 seconds engage the grey list response. Ditto for same message subject CRC32 hash or the like. (And if the first few are spam report it to one of the instant response BLs to reward the spammer with some instant recognition to boost his ego. {^_-}) {^_^}
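The trigger proposed in the last paragraph of the message above (third message from one source IP within 10 seconds, and the same for a CRC32 of the subject), as an added sketch that is not code from the thread or from any greylisting package. The class and method names, the subject normalisation (lower-casing and collapsing whitespace) and the sample addresses are assumptions. The subject is only known once the message data has been received, so that half of the check can only run at that stage of the SMTP dialogue.

```python
import zlib
from collections import defaultdict, deque


class BurstGreylistTrigger:
    """Decide when to start answering with a temporary (4xx) error.

    A key (source IP, or CRC32 of the normalised subject) trips the trigger
    when `threshold` messages carrying it arrive within `window` seconds.
    """

    def __init__(self, threshold=3, window=10.0):
        self.threshold = threshold
        self.window = window
        self._by_ip = defaultdict(deque)
        self._by_subject = defaultdict(deque)

    def _count(self, table, key, now):
        """Record one arrival and return how many fall inside the window."""
        times = table[key]
        times.append(now)
        # Drop arrivals that are older than the window; the entry just
        # appended always stays, so the deque is never empty here.
        while now - times[0] > self.window:
            times.popleft()
        return len(times)

    def observe(self, src_ip, subject, now):
        """Return the reasons (possibly none) to greylist this message."""
        reasons = []
        if self._count(self._by_ip, src_ip, now) >= self.threshold:
            reasons.append("ip-burst")
        normalised = " ".join(subject.lower().split())
        digest = zlib.crc32(normalised.encode("utf-8"))
        if self._count(self._by_subject, digest, now) >= self.threshold:
            reasons.append("subject-burst")
        return reasons

    def purge(self, now):
        """Forget keys with no arrival inside the window; return keys left."""
        for table in (self._by_ip, self._by_subject):
            stale = [k for k, t in table.items() if now - t[-1] > self.window]
            for key in stale:
                del table[key]
        return len(self._by_ip) + len(self._by_subject)


if __name__ == "__main__":
    trigger = BurstGreylistTrigger()
    # Constructed arrivals: (source IP, subject, seconds since start).
    arrivals = [
        ("198.51.100.7", "Subject one", 0.0),
        ("198.51.100.7", "Subject two", 4.0),
        ("198.51.100.7", "Subject three", 9.0),   # third in 10 s: ip-burst
        ("203.0.113.1", "Cheap  Meds", 40.0),
        ("203.0.113.2", "cheap meds", 41.0),
        ("203.0.113.3", "CHEAP MEDS", 42.0),      # same subject: subject-burst
    ]
    for ip, subject, ts in arrivals:
        print(ts, ip, subject, trigger.observe(ip, subject, ts))
```
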
Re: BIG increase in spam today
From: Mark [EMAIL PROTECTED] From: Jim Maul [mailto:[EMAIL PROTECTED] 92% (!) of all incoming spam uses an invalid HELO. 9% pretends to be me in their HELO. Is this 9% included in the above 'invalid HELO' number? Yes. I should have been more clear about that. 92% fails the HELO tests, for one reason or another. Of those 92%, 9% are HELOs pretending to be me (either my primary domain, or the domains I host, or address literals pretending to be me). The 8% that fails the PTR != HELO country TLD is also included in the 92%. The rest of the invalid HELOs are just non-FQDNs (like HELO friend), or IP addresses (not inside braces, like an address literal). Then there's a complex HELO category I mark, to counter spam bursts, based on sequence heuristics within a very short time-frame, like:
Nov 2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: -- EHLO MATTHIAS.uuuiguu.net
Nov 2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: -- EHLO MATTHIAS.me1n93.net
Nov 2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: -- EHLO MATTHIAS
(where the third-level TLD, in caps, is the basis for the group as a total). I'm still experimenting with it (not actually blocking on it yet); but the number of FPs is zero so far (running for several weeks). Seriously, HELO tests rock! That still leaves that 83% dangling out in the breeze giving you a -75% ham amount. {^_-}
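The HELO categories listed in the message above, plus the grouping of near-simultaneous HELOs by their leading label, as an added example that is not Mark's socketmap code. `MY_DOMAINS`, `MY_IPS`, the function names, the 10-second window, the group size of 3 and the year used to parse syslog timestamps are assumptions; the log lines are the three quoted in the post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

MY_DOMAINS = {"example.org"}   # assumption: domains this server hosts
MY_IPS = {"192.0.2.25"}        # assumption: this server's own address
# The three log lines quoted in the post.
SAMPLE_LOG = [
    "Nov 2 18:23:43 asarian-host sendmail[6152]: kA2HNhKN006152: -- EHLO MATTHIAS.uuuiguu.net",
    "Nov 2 18:23:46 asarian-host sendmail[6155]: kA2HNkDE006155: -- EHLO MATTHIAS.me1n93.net",
    "Nov 2 18:23:50 asarian-host sendmail[6161]: kA2HNo6N006161: -- EHLO MATTHIAS",
]
LOG_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \w+: -- (?:EHLO|HELO) (\S+)$")

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def classify_helo(helo, ptr=None):
    """Return the name of the first failed test, or None if the HELO passes."""
    name = helo.strip().rstrip(".").lower()
    if name.startswith("[") and name.endswith("]"):       # address literal
        literal = name[1:-1]
        if literal.startswith("ipv6:"):
            literal = literal[5:]
        if not _is_ip(literal):
            return "non-fqdn"
        return "pretends-to-be-me" if literal in MY_IPS else None
    if _is_ip(name):
        return "bare-ip"                                   # IP not inside brackets
    if name in MY_DOMAINS:
        return "pretends-to-be-me"
    if "." not in name:
        return "non-fqdn"                                  # e.g. "HELO friend"
    if ptr:
        helo_tld = name.rsplit(".", 1)[-1]
        ptr_tld = ptr.strip().rstrip(".").lower().rsplit(".", 1)[-1]
        if len(helo_tld) == 2 and len(ptr_tld) == 2 and helo_tld != ptr_tld:
            return "country-mismatch"                      # foo.de vs. bar.uk PTR
    return None

def helo_bursts(lines, window=10, min_size=3, year=2006):
    """Map leading HELO label -> names, for labels seen min_size times in window seconds."""
    by_label = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
        by_label[m.group(2).split(".")[0].upper()].append((stamp, m.group(2)))
    bursts = {}
    for label, seen in by_label.items():
        seen.sort()
        for i in range(len(seen) - min_size + 1):
            span = (seen[i + min_size - 1][0] - seen[i][0]).total_seconds()
            if span <= window:
                bursts[label] = [name for _, name in seen]
                break
    return bursts
```

`classify_helo` stops at the first failed test, so a HELO that fails several tests is counted once, which matches the post's point that the 9% and 8% figures sit inside the 92%.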
Re: question re. SPF checks
Well ok... if you want to pick nits :-) I guess I should have said: The listserver, and one of the email accounts, originate mail on the host (the email account, using pine) - so, for SPF purposes, the mail comes from an IP address listed in the SPF record for the domain in the envelope sender, and all works just fine. But... for the other two email accounts, mail originates from desktop clients (Thunderbird). And here's the rub: - I want to apply virus and spam checks to incoming mail, but... - for SPF purposes, the incoming mail comes from the dynamic IP of the desktop client, so it's hard/impossible to set up an SPF record to match that IP (unless one wants to pass the check for, say, all email coming from the broad range of IP addresses used by the local Comcast broadband service) - so, mail submitted from desktop clients is getting marked as failing the SPF check In any case, I've since received some answers about how to set up postfix to treat mail from authenticated clients differently that solves my problem. Miles Jo Rhett wrote: I'm sorry, but your query below does not parse. The envelope sender does not change depending on which host it arrives from when using Thunderbird et al. The host from which it arrives changes, but that's not part of the envelope. And yes, you can disable anything with a network profile. rtfm. Miles Fidelman wrote: I'm starting to set up SPF records for the domains I manage, and have run into a little snag. I hope somebody can suggest an approach: BASIC CONFIGURATION: Debian Sarge Postfix (from stable - so it's a relatively old version, 2.1 I believe) amavisd-new spamassassin clamav Postfix configured with postfix-tls (SASL) but only for MD-5 authentication of incoming SMTP For the most part, I use the machine as a list server (Sympa) and web host, but I also have three email accounts on the box. 
The listserver, and one of the email accounts, originate mail on the host (the email account, using pine) - so, for SPF purposes, the envelope sender is always the server, and all works just fine. But... for the other two email accounts, mail originates from desktop clients (Thunderbird). And here's the rub: - I want to apply virus and spam checks to incoming mail, but... - for SPF purposes, the envelope sender is now the dynamic IP of the desktop clients, so it's hard/impossible to put that in the SPF record - so, mail submitted from desktop clients is getting marked as failing the SPF check So... is there a way to turn off SPF checks for mail coming from authenticated clients, without turning off all the other checks (as, for example, would happen if mail was submitted via port 587)?
Relay Checker plugin v0.2
I've put up a new version of Relay checker, in http://people.ucsc.edu/~jrudd/spamassassin as before: put RelayChecker.* wherever you put your plugins. Changes:
1) The score is now fixed instead of variable. default=6
2) Each test can be ignored (it says skipped, but the test is still run, it just won't trigger a hit if the option is set to non-zero)
3) I added a clienthostname check which looks for static, pool, client, user, fixed in the hostname. Defaults to being skipped.
4) You can set regular expressions for which untrusted relays to skip
5) You can set regular expressions to automatically pass the message (don't trigger the rule) if you come to an untrusted relay that matches
6) You can allow it to pass a message if the auth= field is non-empty
# relaychecker_score 6
# relaychecker_skip_nordns 0
# relaychecker_skip_badrdns 0
# relaychecker_skip_baddns 0
# relaychecker_skip_ipinhostname 0
# relaychecker_skip_dynhostname 0
# relaychecker_skip_clienthostname 1
# relaychecker_skip_ip (regular expression)
# relaychecker_pass_ip (regular expression)
# relaychecker_pass_auth 0
I used some of the code from Billy Huddleston's patch, but obviously went in a different fundamental direction. I expect I might, at some point, switch from using a dynamic score in the plugin, to a normal score. But that's the only change I expect to make, aside from bug fixes (if there are any), and/or a switch to using Net::DNS. Oh, and putting it into a tar file and probably making the usual copyright declaration stuff (since I work for the UC Regents, it's going to be a berkeley type declaration of ownership, and GPL for license). Again, feedback, problem reports, success or horror stories welcome. JohnR
SA TIMED OUT message debian sarge
Hi There, Using spamassassin 3.1.3-0bpo1 from backports.org on debian sarge. We did have the standard 3.0.x sarge package. Using amavis-new to call spamassassin and after upgrading spamassassin we are now getting these messages in the mail.log. Would someone please be able to assist in where to go with this one? Thanks Simon Nov 3 16:14:46 mx1 amavis[4765]: (04765-05) SA TIMED OUT, backtrace: at /usr/share/perl5/Mail/SpamAssassin/Locker.pm line 70\n\teval {...} called at /usr/share/perl5/Mail/SpamAssassin/Locker.pm line 70\n\tMail::SpamAssassin::Locker::jittery_one_second_sleep('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9bd23cc)') called at /usr/share/perl5/Mail/SpamAssassin/Locker/UnixNFSSafe.pm line 83\n\tMail::SpamAssassin::Locker::UnixNFSSafe::safe_lock('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9bd23cc)', '/var/amavis/var/.spamassassin/auto-whitelist', 30, 0700) called at /usr/share/perl5/Mail/SpamAssassin/DBBasedAddrList.pm line 72\n\tMail::SpamAssassin::DBBasedAddrList::new_checker('Mail::SpamAssassin::DBBasedAddrList=HASH(0xa4fcecc)', 'Mail::SpamAssassin=HASH(0x8b800bc)') called at /usr/share/perl5/Mail/SpamAssassin/AutoWhitelist.pm line 95\n\tMail::SpamAssassin::AutoWhitelist::new('Mail::SpamAssassin::AutoWhitelist', 'Mail::SpamAssassin=HA...
sa-learn training question(s)
Hey all, Recently my domain came under 'Spam attack' as my users are calling it, we have been flooded with hundreds of Spam messages. :( So over the last week I have been setting up SA (3.1.3) along with Amavis, ClamAV, postfix and dovecot. Just out of the box we have noticed a huge drop in Spam but I do have a couple of questions that I have not been able to find good answers to yet. First, I am using all the default SA settings, including those for autolearning. I have all incoming mail that is tagged as Spam delivered to a CaughtSpam IMAP box for each user. I also have a pretty nice little script I tossed together to sa-learn from a IsSpam folder that the users put Spam that is missed into. It also learns ham from a folder called IsNotSpam for when a message is marked as Spam but is not. Should I also have sa-learn from the CaughtSpam folder? I have read some places that say yes, and some that say no. Second question. It is easy to tell a user (and some of mine are non-tech folks) to put Spam in the IsSpam folder, but there isn't a way to really tell them that they need to put HAM in a certain folder, they just don't understand it. So my second question is how are people feeding sa-learn good HAM? I was toying with the idea of feeding in people's Sent folders along with all messages from their INBOX and Trash that were marked as read (I can pull these out using mboxgrep). This would also give me a larger sample of HAM than Spam which I understand is a good thing. Can anyone poke holes in my logic on this, or point out a better source for me to scrape HAM to feed sa-learn? Many thanks in advance for any help. :) - J
Re: SA TIMED OUT message debian sarge
Simon wrote: Hi There, Using spamassassin 3.1.3-0bpo1 from backports.org on debian sarge. We did have the standard 3.0.x sarge package. Using amavis-new to call spamassassin and after upgrading spamassassin we are now getting these messages in the mail.log. Would someone please be able to assist in where to go with this one? Looks like for some reason a SA instance couldn't get a lock on the AWL database to update it before amavis killed it. Provided you don't have your bayes or AWL stored on an NFS share, you might consider switching to lock_method flock. That will speed up lock/release operations. However, it's very strange that it timed out locking the AWL.. Normally SA processes aren't in the AWL very long. Is your amavis set with an abnormally short timeout for SA?
Re: SA TIMED OUT message debian sarge
On 11/3/06, Matt Kettler [EMAIL PROTECTED] wrote: Simon wrote: Hi There, Using spamassassin 3.1.3-0bpo1 from backports.org on debian sarge. We did have the standard 3.0.x sarge package. Using amavis-new to call spamassassin and after upgrading spamassassin we are now getting these messages in the mail.log. Would someone please be able to assist in where to go with this one? Looks like for some reason a SA instance couldn't get a lock on the AWL database to update it before amavis killed it. Provided you don't have your bayes or AWL stored on an NFS share, you might consider switching to lock_method flock. That will speed up lock/release operations. However, it's very strange that it timed out locking the AWL.. Normally SA processes aren't in the AWL very long. Is your amavis set with an abnormally short timeout for SA? Hmm.. Where do I find this setting in my amavis conf file? These are the current settings:
$sa_tag_level_deflt = 0.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 999; # spam level beyond which a DSN is not sent
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
$sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant
                        # for SA 3.0, cf option is 'use_auto_whitelist')
Thanks!
Re: sa-learn training question(s)
Jason Wellman wrote: Hey all, Recently my domain came under 'Spam attack' as my users are calling it, we have been flooded with hundreds of Spam messages. :( So over the last week I have been setting up SA (3.1.3) along with Amavis, ClamAV, postfix and dovecot. Just out of the box we have noticed a huge drop in Spam but I do have a couple of questions that I have not been able to find good answers to yet. First, I am using all the default SA settings, including those for autolearning. I have all incoming mail that is tagged as Spam delivered to a CaughtSpam IMAP box for each user. I also have a pretty nice little script I tossed together to sa-learn from a IsSpam folder that the users put Spam that is missed into. It also learns ham from a folder called IsNotSpam for when a message is marked as Spam but is not. Should I also have sa-learn from the CaughtSpam folder? I have read some places that say yes, and some that say no. YES. Those that say no clearly do not know what they're talking about. Let's face it.. if there was no point in learning tagged spam, why does the autolearner only kick in on high-scoring spam? That said, it will only learn the caught spam that wasn't already autolearned, but this is actually quite valuable as it will generally contain more of the borderline spam which is important for bayes to know about. Second question. It is easy to tell a user (and some of mine are non-tech folks) to put Spam in the IsSpam folder, but there isn't a way to really tell them that they need to put HAM in a certain folder, they just don't understand it. So my second question is how are people feeding sa-learn good HAM? That depends a lot on the user. Some are good, some not so good. Most will generally do this only when they're getting FPs, but that's still handy. I was toying with the idea of feeding in people's Sent folders along with all messages from their INBOX and Trash that were marked as read (I can pull these out using mboxgrep). 
This would also give me a larger sample of HAM than Spam which I understand is a good thing. Can anyone poke holes in my logic on this, or point out a better source for me to scrape HAM to feed sa-learn? Well, doing inbox and trash, you'll autolearn any false-negatives that your user happened to read and did not move to the IsSpam.. If you don't trust them to force-feed good ham, this might not be a good idea. Sent would appear to be fine.. unless your users are really dumb and frequently reply to spam. Many thanks in advance for any help. :) - J
Re: SA TIMED OUT message debian sarge
Is your amavis set with an abnormally short timeout for SA? Hmm.. Where do I find this setting in my amavis conf file? The default is 30 seconds (at least in older versions of amavisd-new). You can add:
$sa_timeout = 50;
As Matt says, 'lock_method flock' will also help. Are you using Pyzor? If so, changing to the mirror will also help:
echo 82.94.255.100:24441 > /var/lib/amavis/.pyzor/servers
Gary V
Re: SA TIMED OUT message debian sarge
Simon wrote: On 11/3/06, Matt Kettler [EMAIL PROTECTED] wrote: Simon wrote: Hi There, Using spamassassin 3.1.3-0bpo1 from backports.org on debian sarge. We did have the standard 3.0.x sarge package. Using amavis-new to call spamassassin and after upgrading spamassassin we are now getting these messages in the mail.log. Would someone please be able to assist in where to go with this one? Looks like for some reason a SA instance couldn't get a lock on the AWL database to update it before amavis killed it. Provided you don't have your bayes or AWL stored on an NFS share, you might consider switching to lock_method flock. That will speed up lock/release operations. However, it's very strange that it timed out locking the AWL.. Normally SA processes aren't in the AWL very long. Is your amavis set with an abnormally short timeout for SA? Hmm.. Where do I find this setting in my amavis conf file? These are the current settings: I believe the option is $sa_timeout Not sure what the default is, probably 30. Which should be enough to prevent that problem, unless you have a LOT of sa instances contending for the AWL database. Try adding a $sa_timeout = 60 to your Amavisd.conf and lock_method flock to your spamassassin/local.cf (if you don't use NFS for DB storage.)
Big boost in spam since upgrade
Ok, this isn't right. I upgraded my SA install to 3.1.17 day before yesterday. I cycled the server and now all of a sudden I'm getting 50% of the spam coming through that's getting completely missed. Do I need to reset something or maybe bayes or is there a change somewhere I need to do? And yes, I know about the botnet attack, but going from 99% success to 50% success just isn't right. Steven Lake Owner/Technical Writer Raiden's Realm www.raiden.net A friendly web community
Re: Big boost in spam since upgrade
On Fri, Nov 03, 2006 at 12:31:36AM -0500, Steve Lake wrote: Ok, this isn't right. I upgraded my SA install to 3.1.17 day before yesterday. I cycled the server and now all of a sudden I'm getting 50% of the spam coming through that's getting completely missed. Do I need to reset something or maybe bayes or is there a change somewhere I need to Do you need to run sa-update? -- Randomly Selected Tagline: You are in a twisty little maze of Sendmail rules, all confusing. - jon schatz in [EMAIL PROTECTED]
Re: Big boost in spam since upgrade
Steve Lake wrote: Ok, this isn't right. I upgraded my SA install to 3.1.17 day before yesterday. I cycled the server and now all of a sudden I'm getting 50% of the spam coming through that's getting completely missed. Do I need to reset something or maybe bayes or is there a change somewhere I need to do? And yes, I know about the botnet attack, but going from 99% success to 50% success just isn't right. What do the hits look like on the spam getting through? What kinds of spam are they, anything in common?
Re: Big boost in spam since upgrade
Steve Lake wrote: Ok, this isn't right. Agreed. I upgraded my SA install to 3.1.17 day before yesterday. I cycled the server and now all of a sudden I'm getting 50% of the spam coming through that's getting completely missed. Do I need to reset something or maybe bayes or is there a change somewhere I need to do? And yes, I know about the botnet attack, but going from 99% success to 50% success just isn't right. How did you upgrade? What version did you upgrade from? Where did you get 3.1.17 from? :) With little more than "I upgraded from some older version to the newest version and I'm now unhappy with the results" there's not much to offer. If I had to guess, and I have to, I'd say that (assuming the install didn't get messed up) you're probably running without network tests now. Daryl
Re: Big boost in spam since upgrade
How did you upgrade? Via the freebsd ports collection What version did you upgrade from? 3.1.5 Where did you get 3.1.17 from? :) That would be a typo. I meant 3.1.7, not 3.1.17. Must have had a finger malfunction. ;) Steven Lake Owner/Technical Writer Raiden's Realm www.raiden.net A friendly web community
Re: Big boost in spam since upgrade
What do the hits look like on the spam getting through? I'm seeing a wide variety of different hits. Nothing in common. I'm also seeing ham scores on obvious spam. Is this bayes poisoning and if so, how do I reset bayes to clear that? What kinds of spam are they, anything in common? They all look pretty random. Some stock spam, pump and dumps, image spam, etc. Steven Lake Owner/Technical Writer Raiden's Realm www.raiden.net A friendly web community