Re: skipping dynamic tests for ISP's own dynamic networks?

2010-04-09 Thread Royce Williams
On Thu, Apr 8, 2010 at 8:25 PM, Henrik K h...@hege.li wrote:
 On Thu, Apr 08, 2010 at 06:31:37PM -0800, Royce Williams wrote:
 On Thu, Apr 8, 2010 at 5:13 PM, Henrik K h...@hege.li wrote:
  On Thu, Apr 08, 2010 at 04:52:00PM -0800, Royce Williams wrote:
 
  Answering myself, I have reworked our *_networks to reflect our
  architecture based on my re-re-re-reading.  Nobody has said that my
  example was broken (or was any good, for that matter), so I'm
  operating from that.
 
  With all possible interfaces included from my dedicated MSAs in
  msa_networks, my customers are still subject to IMG_DIRECT_TO_MX,
  FSL_HELO_NON_FQDN_1, RDNS_NONE, HELO_NO_DOMAIN, DOS_DIRECT_TO_MX,
  HELO_LOCALHOST, and the other "you look like an end user, not an MTA"
  rules.
 
  Either my example is fundamentally broken, or everybody else is
  already in there ripping and gripping rules anyway, and so don't mind
  maintaining a similar list.
 
  Since there's no FAQ entry for this, but the reading for understanding
  the problem is so dense, I'm starting to doubt my own sanity. :-)
 
  As said, these checks are made on the external border.
 
  Your example does not have MSAs defined as internal.

 By design.  From the conf document:

 Trusted relays that accept mail directly from dial-up connections
 should not be listed in internal_networks. List them only in
 trusted_networks.

 Is this incorrect?

 It also states that msa_networks propagates those hosts *_networks settings
 recursively. Which means the dial-ups will be internal too.

Ah, interesting.  So I should explicitly *not* put my dialup MSAs in
msa_networks, and put them only in trusted_networks.

Maybe I'm having a vocabulary problem.  My MSAs are really also MTAs -
they receive mail from the customer, do an MX lookup on the
destination domain, and relay.  But they are not MXes in that they do
not receive mail from foreign MTAs.

So maybe what I'm hearing is (thinking out loud):

If I put my for-dialup MSAs in both msa_networks and internal_networks:

* Everything that is in internal_networks must be included in trusted
networks, per the Conf manpage.
* Because of msa_networks propagation, my dialups become trusted to
insert headers (bad).


If I put my for-dialup MSAs only in msa_networks:

* My MSAs are seen as external.
* My dialups get penalized for non-content characteristics (coming
from Outlook, bad HELOs, etc.) (bad)


If I put my for-dialup MSAs only in trusted_networks:

* My for-dialup MSAs are seen as external.
* My dialups are seen as external and therefore penalized for
non-content characteristics (bad).


If I put my for-dialup MSAs both in trusted_networks and
internal_networks, but not msa_networks:

* My dialups aren't external, so they don't get spanked for being
Outlook (good).
* My dialups aren't trusted, so their headers are not trusted (good).


Is this correct?

Royce


Re: skipping dynamic tests for ISP's own dynamic networks?

2010-04-09 Thread Henrik K
On Thu, Apr 08, 2010 at 10:26:27PM -0800, Royce Williams wrote:
 
  It also states that msa_networks propagates those hosts *_networks settings
  recursively. Which means the dial-ups will be internal too.
 
 Ah, interesting.  So I should explicitly *not* put my dialup MSAs in
 msa_networks, and put them only in trusted_networks.

Again, rules look for first external (non-internal) relay. Your suggestion
above does not make the dial-ups internal.

 Maybe I'm having a vocabulary problem.  My MSAs are really also MTAs -
 they receive mail from the customer, do an MX lookup on the
 destination domain, and relay.  But they are not MXes in that they do
 not receive mail from foreign MTAs.

Read and re-read msa_networks documentation. IMHO it's very clearly
defined. It's just an extender for *_networks.

MSA means that the relay hosts on these networks accept mail from your own
users and authenticates them appropriately. These relays will never accept
mail from hosts that aren't authenticated in some way. Examples of
authentication include, IP lists, SMTP AUTH, POP-before-SMTP, etc.

All relays found in the message headers after the MSA relay will take on
the same trusted and internal classifications as the MSA relay itself, as
defined by your trusted_networks and internal_networks configuration.

Never include an MSA that also acts as an MX (or is also an intermediate
relay for an MX) or otherwise accepts mail from non-authenticated users in
msa_networks. Doing so will result in unknown external relays being
trusted.

So does your MSA accept mail only from your dial-up users or not? If that's
the case, I don't see what's the problem here.

 So maybe what I'm hearing is (thinking out loud):
 
 If I put my for-dialup MSAs in both msa_networks and internal_networks:
 
 * Everything that is in internal_networks must be included in trusted
 networks, per the Conf manpage.
 * Because of msa_networks propagation, my dialups become trusted to
 insert headers (bad).

Forget the trusted headers thing, I can't think of anything that it would
make bad in this scenario.

This is the configuration you want.

 If I put my for-dialup MSAs only in msa_networks:
 
 * My MSAs are seen as external.
 * My dialups get penalized for non-content characteristics (coming
 from Outlook, bad HELOs, etc.) (bad)

Is this even possible?

 If I put my for-dialup MSAs only in trusted_networks:
 
 * My for-dialup MSAs are seen as external.
 * My dialups are seen as external and therefore penalized for
 non-content characteristics (bad).

Your dialup MSAs aren't external. Makes no sense.

 If I put my for-dialup MSAs both in trusted_networks and
 internal_networks, but not msa_networks:
 
 * My dialups aren't external, so they don't get spanked for being
 Outlook (good).
 * My dialups aren't trusted, so their headers are not trusted (good).

You wanted dial-ups to be internal. Makes no sense.



Re: Question URIBL

2010-04-09 Thread Matus UHLAR - fantomas
 Thank you Rick Your diagnostic was correct.

 - - - - (extract from /etc/defaults/spampd) - - -
 # Wether or not to do only local checks
 # if this is turned on, no network based checks
 # (like DNS-Blacklists) are done. (0/1)
 LOCALONLY=1

On 08.04.10 22:41, Frederic De Mees wrote:
 Please note that I use spampd (not spamd). This setup allows rejecting 
 mail during the SMTP transaction in realtime.

that can be achieved by using milter and other ways... just FYI.
and I'm not sure if we can help you with spampd, since that's different
software from spamassassin...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


CLAMAV 0.95 to be disabled

2010-04-09 Thread corpus.defero
Appreciate that this is an SA list, but it tends to share a userbase
with ClamAV. Apologies if mentioned, but potentially these could mean
carnage to users of Clam who have not updated in a while:

http://lurker.clamav.net/message/20100407.141109.2a7c287b.en.html

Dear ClamAV users, 

this is a reminder that starting from 15 April 2010 our CVD will contain
a special signature which disables all clamd installations older than 
0.95 - that is to say older than 1 year. 

We would like to keep on supporting all old versions of our engine, but 
unfortunately this is no longer possible without causing a disservice to
people running a recent release of ClamAV. 

For more information please refer to the original announcement: 

http://lists.clamav.net/lurker/message/20091006.143601.d27bbd20.en.html 


Hope that this spares someone some blushes next week :-)



Custom rules in mysql

2010-04-09 Thread C.M. Burns
Hello list,

I have a slight problem using custom rules with latest SA release.
I am using a mysql DB to store the per user and per domain configs as
described in the SA howto.
Now I wanted to write a custom rule which should also be stored in the
mysql DB.
This does not seem to work, although allow_user_rules is set to 1 in my
local.cf.
If I write the rule to local.cf for example, it works.

Questions:
-Are custom rules only allowed flat files?
-How can users create own custom rules that are only valid for certain
users?

thanks for any ideas and help!
regards
Stefan


Re: CLAMAV 0.95 to be disabled

2010-04-09 Thread corpus.defero
On Fri, 2010-04-09 at 08:47 +0100, corpus.defero wrote:
 Appreciate that this is an SA list, but it tends to share a userbase
 with ClamAV. Apologies if mentioned, but potentially these could mean
 carnage to users of Clam who have not updated in a while:
 
 http://lurker.clamav.net/message/20100407.141109.2a7c287b.en.html
 
 Dear ClamAV users, 
 
 this is a reminder that starting from 15 April 2010 our CVD will contain
 a special signature which disables all clamd installations older than 
 0.95 - that is to say older than 1 year. 
 
 We would like to keep on supporting all old versions of our engine, but 
 unfortunately this is no longer possible without causing a disservice to
 people running a recent release of ClamAV. 
 
 For more information please refer to the original announcement: 
 
 http://lists.clamav.net/lurker/message/20091006.143601.d27bbd20.en.html 
 
 
 Hope that this spares someone some blushes next week :-)
 
To follow that up - another good reason to update (not sure if this is
just a Ubuntu issue or has implications in Debian + others)

===
Ubuntu Security Notice USN-926-1 April 08, 2010
clamav vulnerabilities
CVE-2010-0098
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  libclamav6  0.95.3+dfsg-1ubuntu0.09.04~intrepid3

Ubuntu 9.04:
  libclamav6  0.95.3+dfsg-1ubuntu0.09.04.1

Ubuntu 9.10:
  libclamav6  0.95.3+dfsg-1ubuntu0.09.10.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that ClamAV did not properly verify its input when
processing CAB files. A remote attacker could send a specially crafted
CAB file to evade malware detection. (CVE-2010-0098)

It was discovered that ClamAV did not properly verify its input when
processing CAB files. A remote attacker could send a specially crafted
CAB file and cause a denial of service via application crash.


Updated packages for Ubuntu 8.10:

  Source archives:



Re: access to Bayes in PostgreSQL DB broken

2010-04-09 Thread ml
Hi Mikael,

 Have you looked in the sql for postgres ? Have the structure changed?

I have compared the latest dump of my spamassassin database with the ddl
scripts provided by spamassassin. There really were some changes.
For example the table bayes_token now uses bytea instead of character(5).
I have recreated the database structure and imported the previous data.
One entry couldn't be imported, but the others worked fine.
And bayes is running again! Thanks for the hint.


Regards
Marco




Re: access to Bayes in PostgreSQL DB broken

2010-04-09 Thread ml
Hi Martin,


 On Thu, 2010-04-08 at 20:43 +0200, m...@mherrn.de wrote:
 Hi,

 I am running spamassassin with a PostgreSQL DB as bayes storage.
 After an upgrade from debian etch to debian lenny, this bayes storage
 doesn't work anymore.
 [..]

 It's highly likely that Postgres 8.3.9 can't read a database created by
 7.4.x. You'll need to recreate the database with 8.3.9 and restore the
 latest backup. See 24.5. Migration Between Releases in the Postgres
 manual for more details.

I already restored the latest backup of the database.
The problem was, that I didn't recreate the tables. These seem to have
changed. After recreating them and importing the data again, it works.
Thanks for your help.

Marco




How to configure spamassassin

2010-04-09 Thread hateSpam

Dear All,
I have Spamassassin on my Centos 5.4. For send and receive email I use
postfix and Dovecot and Sendmail version 8.13.8. Since I have installed the
spamassassin I have not configured it. We are getting about 20 spams per
day. I want to configure it and get it working. I did google it there are
some information but all in different server, some I tried did not work. 

I will appreciate if anyone know how to configure it from scratch after
installing it.

Thanks in advance
Hatspam 
-- 
View this message in context: 
http://old.nabble.com/How-to-configure-spamassassin-tp28190479p28190479.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: How to configure spamassassin

2010-04-09 Thread Birta Levente

On 09/04/2010 13:43, hateSpam wrote:

Dear All,
I have Spamassassin on my Centos 5.4. For send and receive email I use
postfix and Dovecot and Sendmail version 8.13.8. Since I have installed the
spamassassin I have not configured it. We are getting about 20 spams per
day. I want to configure it and get it working. I did google it there are
some information but all in different server, some I tried did not work.

I will appreciate if anyone know how to configure it from scratch after
installing it.

Thanks in advance
Hatspam
   

Look at this cool howto:

http://postfixmail.com/blog/index.php/clamav-and-spamassassin-on-centos-5-postfix/ 




Levi



Re: How to configure spamassassin

2010-04-09 Thread Ned Slider

Birta Levente wrote:

On 09/04/2010 13:43, hateSpam wrote:

Dear All,
I have Spamassassin on my Centos 5.4. For send and receive email I use
postfix and Dovecot and Sendmail version 8.13.8. Since I have 


You seem a little confused - are you running postfix or sendmail as your 
MTA?



spamassassin I have not configured it. We are getting about 20 spams per
day. I want to configure it and get it working. I did google it there are
some information but all in different server, some I tried did not work.

I will appreciate if anyone know how to configure it from scratch after
installing it.

Thanks in advance
Hatspam
   

Look at this cool howto:

http://postfixmail.com/blog/index.php/clamav-and-spamassassin-on-centos-5-postfix/ 




Or refer to the CentOS documentation here:

http://wiki.centos.org/HowTos#head-0facb50d5796bee0bd394636c32ffa9a997a6ab5

Specifically:

http://wiki.centos.org/HowTos/postfix
http://wiki.centos.org/HowTos/Amavisd

Hope that helps.



Re: skipping dynamic tests for ISP's own dynamic networks?

2010-04-09 Thread RW
On Fri, 9 Apr 2010 10:09:35 +0300
Henrik K h...@hege.li wrote:

 On Thu, Apr 08, 2010 at 10:26:27PM -0800, Royce Williams wrote:
  

  Maybe I'm having a vocabulary problem.  My MSAs are really also
  MTAs - they receive mail from the customer, do an MX lookup on the
  destination domain, and relay.  But they are not MXes in that they
  do not receive mail from foreign MTAs.
 
 Read and re-read msa_networks documentation. IMHO it's very clearly
 defined. It's just an extender for *_networks.
 
I think he may have put his finger on the problem in a previous post.

msa_networks defines the MSA by IP address. If SA runs on an MSA its
address is unlikely to be in the received headers. In that case SA has
no way of distinguishing an MSA from an MX server.

I would think that in this case the dynamic address blocks would need to
be explicitly defined.  


Re: the dkim sigature is valid, but still triggered T_DKIM_INVALID in mail server

2010-04-09 Thread Mark Martinec
leeyc0,

  After some struggle and tracing every bit of code (including tracing
  installing cpan packages!), apparently it is a bug in the latest
  Net::DNS::Packet::Resolver::Base send_tcp function call...
 
 Yes, it is caused by a bug in Net::DNS::Resolver::Base (sorry, there was a
 typo before about the package name).
 
 I have to comment a line Net/DNS/Resolver/Base.pm to fix this problem.
 
 (below is some lines in Net/DNS/Resolver/Base.pm send_tcp function)
 $buf = read_tcp($sock, $len, $self->{'debug'});
 
 # comment this line, this should be a class property but used as a function
 # apparently mixed up with Net::DNS::Packet
 #$self->answerfrom($sock->peerhost);
 
 print ';; received ', length($buf), " bytes\n"
   if $self->{'debug'};

Thanks, good work - except that I can't reproduce the problem,
and the fallback to TCP in Net::DNS 0.66 works just fine
with your first sample message.

Which version of Net::DNS are you using?

Does the SpamAssassin dkim test produce any errors?
  $ prove t/dkim2.t



$ export RES_OPTIONS=debug
$ perl -MMail::DKIM::Verifier -ne '
BEGIN{$dkim=Mail::DKIM::Verifier->new_object};
 s/\r?\n\z/\015\012/; $dkim->PRINT($_); END{$dkim->CLOSE;
 printf("%s\n",$_->result_detail) for $dkim->signatures}' dkim-failed.eml


;; query(ns4._domainkey.iwtek.net, TXT)
;; Trying to set up a AF_INET6() family type UDP socket with srcaddr: 0.0.0.0 ... done
;; setting up an AF_INET() family type UDP socket
;; send_udp(::1:53)
;; answer from ::1:53 : 478 bytes
;; HEADER SECTION
;; id = 29254
;; qr = 1    opcode = QUERY    aa = 0    tc = 1    rd = 1
;; ra = 1    ad = 0    cd = 0    rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 0  arcount = 0

;; QUESTION SECTION (1 record)
;; ns4._domainkey.iwtek.net.  IN  TXT

;; ANSWER SECTION (1 record)
ns4._domainkey.iwtek.net.   2095  IN  TXT  v=DKIM1\; k=rsa\; 
t=y\;  p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApEnzzPme 
RPW8s51DoJqu4ShXkFxLZVoSwPapc1HUGWCNBFbMvKReIYLxQoCWMC 
h6E1Pv5GITqWC1LrA9dluupPHIuyu7vXMMkecq6o1e4T0J5ZspzNMa 
TtPrvwlZEE5KZ5bWXuDTDjK6e24KfkPgWPg5jjMWs/fkEjPBNsNNmh 
kHkXMulHb4+LkTSgDWxE6WgMc8R7KvUuY6AedeY3CUpzzBqn/UNZgu 
w8Z9y7y2GPJK9lm4ERkbqZuiRB+iCDYmlSgUClWGk4cywkWK3AaAB/ 
7w+2xLJ2DgVDGrgxLQCVLlpHnybGrh6FN0R8mlffZy9RJpmq3raO/e YkD1t2eeWQIDAQAB 
  

;; AUTHORITY SECTION (0 records)

;; ADDITIONAL SECTION (0 records)

;;
;; packet truncated: retrying using TCP
;; attempt to send_tcp(::1:53) (src port = 0)
;; sending 42 bytes  
;; read_tcp: expecting 2 bytes   
;; read_tcp: received 2 bytes
;; read_tcp: expecting 614 bytes 
;; read_tcp: received 614 bytes  
;; received 614 bytes
;; HEADER SECTION
;; id = 29254
;; qr = 1    opcode = QUERY    aa = 0    tc = 0    rd = 1
;; ra = 1    ad = 0    cd = 0    rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 4  arcount = 4

;; QUESTION SECTION (1 record)
;; ns4._domainkey.iwtek.net.  IN  TXT

;; ANSWER SECTION (1 record)
ns4._domainkey.iwtek.net.   2095  IN  TXT  v=DKIM1\; k=rsa\; 
t=y\;  p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApEnzzPme 
RPW8s51DoJqu4ShXkFxLZVoSwPapc1HUGWCNBFbMvKReIYLxQoCWMC 
h6E1Pv5GITqWC1LrA9dluupPHIuyu7vXMMkecq6o1e4T0J5ZspzNMa 
TtPrvwlZEE5KZ5bWXuDTDjK6e24KfkPgWPg5jjMWs/fkEjPBNsNNmh 
kHkXMulHb4+LkTSgDWxE6WgMc8R7KvUuY6AedeY3CUpzzBqn/UNZgu 
w8Z9y7y2GPJK9lm4ERkbqZuiRB+iCDYmlSgUClWGk4cywkWK3AaAB/ 
7w+2xLJ2DgVDGrgxLQCVLlpHnybGrh6FN0R8mlffZy9RJpmq3raO/e YkD1t2eeWQIDAQAB

;; AUTHORITY SECTION (4 records)
iwtek.net.  2029  IN  NS  ns6.iwtek.net.
iwtek.net.  2029  IN  NS  ns3.iwtek.net.
iwtek.net.  2029  IN  NS  ns4.iwtek.net.
iwtek.net.  2029  IN  NS  ns5.iwtek.net.

;; ADDITIONAL SECTION (4 records)
ns3.iwtek.net.  2095  IN  A   116.92.10.96
ns4.iwtek.net.  2095  IN  A   116.92.10.97
ns5.iwtek.net.  2095  IN  A   116.92.10.98
ns6.iwtek.net.  2095  IN  A   218.213.70.126

pass



  Mark
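
The trace above shows a UDP answer with tc = 1, then a TCP retry that reads a 2-byte length and a 614-byte message; the thread's reporter traced the T_DKIM_INVALID result to that TCP step. The following Python sketch is an added example (not Net::DNS code and not from any poster) of the two checks involved: reading the TC bit from the header and reading a length-prefixed TCP reply in full. Header values and sizes are taken from the trace; the message bodies are constructed zero padding and `chunked_recv` is a hypothetical stand-in for a socket.

```python
import struct

HEADER = struct.Struct("!6H")  # id, flags, qdcount, ancount, nscount, arcount


def parse_header(message):
    """Decode the fixed 12-byte DNS header into the fields the trace prints."""
    if len(message) < HEADER.size:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(message)
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,   # truncated: the answer did not fit in UDP
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def recv_exact(recv, count):
    """Call recv() until exactly `count` bytes arrive; TCP may return fewer per call."""
    chunks = []
    remaining = count
    while remaining:
        chunk = recv(remaining)
        if not chunk:
            raise EOFError(f"connection closed with {remaining} bytes outstanding")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def read_tcp_message(recv):
    """DNS over TCP: a 2-byte big-endian length, then the message itself."""
    (length,) = struct.unpack("!H", recv_exact(recv, 2))
    return recv_exact(recv, length)


def resolve(udp_reply, tcp_recv):
    """Return (transport, message), retrying over TCP when the UDP reply is truncated."""
    header = parse_header(udp_reply)
    if not header["tc"]:
        return "udp", udp_reply
    message = read_tcp_message(tcp_recv)
    if parse_header(message)["id"] != header["id"]:
        raise ValueError("TCP reply does not match the query id")
    return "tcp", message


def chunked_recv(data, max_chunk):
    """Constructed stand-in for socket.recv that returns at most max_chunk bytes."""
    view = memoryview(data)
    offset = 0

    def recv(count):
        nonlocal offset
        chunk = bytes(view[offset:offset + min(count, max_chunk)])
        offset += len(chunk)
        return chunk

    return recv


def sample_message(flags, counts, size):
    """Constructed message: header fields from the trace, zero-filled body."""
    return HEADER.pack(29254, flags, *counts) + bytes(size - HEADER.size)


# qr=1 tc=1 rd=1 ra=1 -> 0x8380 (UDP answer); the same with tc=0 -> 0x8180 (TCP answer)
UDP_REPLY = sample_message(0x8380, (1, 1, 0, 0), 478)
TCP_REPLY = sample_message(0x8180, (1, 1, 4, 4), 614)
TCP_STREAM = struct.pack("!H", len(TCP_REPLY)) + TCP_REPLY

if __name__ == "__main__":
    transport, message = resolve(UDP_REPLY, chunked_recv(TCP_STREAM, 100))
    print(transport, len(message), parse_header(message))
```
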


Re: CLAMAV 0.95 to be disabled

2010-04-09 Thread Charles Gregory


Realize this is OT, and that even the instigation is OT :)
But I'm hoping someone here just KNOWS 'rpm'. and can help...
(Or can point me to the best forum for a quick answer)

While attempting to use rpm on RH9 to update to a newer set of clamav 
packages, the rpm process locked up, and I had to kill it, and now rpm 
does not seem to be working at all


I'm currently trying 'rpm --rebuilddb' but it's just sitting there, and 
I've got a feeling it has locked-up too


- C


Re: CLAMAV 0.95 to be disabled

2010-04-09 Thread Daniel McDonald
On 4/9/10 9:45 AM, Charles Gregory cgreg...@hwcn.org wrote:

 
 Realize this is OT, and that even the instigation is OT :)
 But I'm hoping someone here just KNOWS 'rpm'. and can help...
 (Or can point me to the best forum for a quick answer)
 
 While attempting to use rpm on RH9 to update to a newer set of clamav
 packages, the rpm process locked up, and I had to kill it, and now rpm
 does not seem to be working at all
 
 I'm currently trying 'rpm --rebuilddb' but it's just sitting there, and
 I've got a feeling it has locked-up too

You've got to delete the __db.* files in /var/lib/rpm before you run
--rebuilddb

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281



Re: How to configure spamassassin

2010-04-09 Thread hateSpam

Thanks a lot for replies. Do I have to install Amavisd-new and ClamAV to get
spamassassin working? Is there any other way to configure spamassassin with
postfix not installing additional software?


Ned Slider wrote:
 
 Birta Levente wrote:
 On 09/04/2010 13:43, hateSpam wrote:
 Dear All,
 I have Spamassassin on my Centos 5.4. For send and receive email I use
 postfix and Dovecot and Sendmail version 8.13.8. Since I have 
 
 You seem a little confused - are you running postfix or sendmail as your 
 MTA?
 
 spamassassin I have not configured it. We are getting about 20 spams per
 day. I want to configure it and get it working. I did google it there
 are
 some information but all in different server, some I tried did not work.

 I will appreciate if anyone know how to configure it from scratch after
 installing it.

 Thanks in advance
 Hatspam

 Look at this cool howto:
 
 http://postfixmail.com/blog/index.php/clamav-and-spamassassin-on-centos-5-postfix/
  
 
 
 
 Or refer to the CentOS documentation here:
 
 http://wiki.centos.org/HowTos#head-0facb50d5796bee0bd394636c32ffa9a997a6ab5
 
 Specifically:
 
 http://wiki.centos.org/HowTos/postfix
 http://wiki.centos.org/HowTos/Amavisd
 
 Hope that helps.
 
 
 




Re: How to configure spamassassin

2010-04-09 Thread hateSpam

I have both on my server and both are running but I am using postfix MTA. 

hateSpam wrote:
 
 Thanks a lot for replies. Do I have to install Amavisd-new and ClamAV to
 get spamassassin working? Is there any other way to configure spamassassin
 with postfix not installing additional software?
 
 
 Ned Slider wrote:
 
 Birta Levente wrote:
 On 09/04/2010 13:43, hateSpam wrote:
 Dear All,
 I have Spamassassin on my Centos 5.4. For send and receive email I use
 postfix and Dovecot and Sendmail version 8.13.8. Since I have 
 
 You seem a little confused - are you running postfix or sendmail as your 
 MTA?
 
 spamassassin I have not configured it. We are getting about 20 spams
 per
 day. I want to configure it and get it working. I did google it there
 are
 some information but all in different server, some I tried did not
 work.

 I will appreciate if anyone know how to configure it from scratch after
 installing it.

 Thanks in advance
 Hatspam

 Look at this cool howto:
 
 http://postfixmail.com/blog/index.php/clamav-and-spamassassin-on-centos-5-postfix/
  
 
 
 
 Or refer to the CentOS documentation here:
 
 http://wiki.centos.org/HowTos#head-0facb50d5796bee0bd394636c32ffa9a997a6ab5
 
 Specifically:
 
 http://wiki.centos.org/HowTos/postfix
 http://wiki.centos.org/HowTos/Amavisd
 
 Hope that helps.
 
 
 
 
 




Re: How to configure spamassassin

2010-04-09 Thread Yet Another Ninja

On 2010-04-09 17:31, hateSpam wrote:

Thanks a lot for replies. Do I have to install Amavisd-new and ClamAV to get
spamassassin working? Is there any other way to configure spamassassin with
postfix not installing additional software?


See: http://wiki.apache.org/spamassassin/IntegratedInMta

also:
http://wiki.apache.org/spamassassin/StartUsing

h2



Ned Slider wrote:

Birta Levente wrote:

On 09/04/2010 13:43, hateSpam wrote:

Dear All,
I have Spamassassin on my Centos 5.4. For send and receive email I use
postfix and Dovecot and Sendmail version 8.13.8. Since I have 
You seem a little confused - are you running postfix or sendmail as your 
MTA?



spamassassin I have not configured it. We are getting about 20 spams per
day. I want to configure it and get it working. I did google it there
are
some information but all in different server, some I tried did not work.

I will appreciate if anyone know how to configure it from scratch after
installing it.

Thanks in advance
Hatspam
   

Look at this cool howto:

http://postfixmail.com/blog/index.php/clamav-and-spamassassin-on-centos-5-postfix/ 



Or refer to the CentOS documentation here:

http://wiki.centos.org/HowTos#head-0facb50d5796bee0bd394636c32ffa9a997a6ab5

Specifically:

http://wiki.centos.org/HowTos/postfix
http://wiki.centos.org/HowTos/Amavisd

Hope that helps.







Re: How to configure spamassassin

2010-04-09 Thread Daniel McDonald

On 4/9/10 10:31 AM, hateSpam khwaja_a...@yahoo.co.uk wrote:

 
 Thanks a lot for replies. Do I have to install Amavisd-new and ClamAV to get
 spamassassin working? Is there any other way to configure spamassassin with
 postfix not installing additional software?

Yes, there are hundreds of ways to integrate spamassassin and clamav.
Amavisd-new is one of the easiest to get right.

* You could run the clamd milter, which requires a fairly recent version of
postfix to support.

* You could call spamassassin at delivery time from procmail, which requires
that all of your dovecot users have actual user accounts (they might anyway)

* there are plenty of other integration glue packages, such as mailzu,
mailscanner, mimedefang

I stumbled upon amavisd-new , and it has always been flexible enough to
handle what I need, so that's what I use, but you need to go look at the
various options and pick for yourself.
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281




 
 
 Ned Slider wrote:
 
 Birta Levente wrote:
 On 09/04/2010 13:43, hateSpam wrote:
 Dear All,
 I have Spamassassin on my Centos 5.4. For send and receive email I use
 postfix and Dovecot and Sendmail version 8.13.8. Since I have
 
 You seem a little confused - are you running postfix or sendmail as your
 MTA?



Re: How to configure spamassassin

2010-04-09 Thread Martin Gregorie
On Fri, 2010-04-09 at 10:50 -0500, Daniel McDonald wrote:
 On 4/9/10 10:31 AM, hateSpam khwaja_a...@yahoo.co.uk wrote:
 
  
  Thanks a lot for replies. Do I have to install Amavisd-new and ClamAV to get
  spamassassin working? Is there any other way to configure spamassassin with
  postfix not installing additional software?
 
 Yes, there are hundreds of ways to integrate spamassassin and clamav.
 Amavisd-new is one of the easiest to get right.
 
 * You could run the clamd milter, which requires a fairly recent version of
 postfix to support.
 
 * You could call spamassassin at delivery time from procmail, which requires
 that all of your dovecot users have actual user accounts (they might anyway)
 
 * there are plenty of other integration glue packages, such as mailzu,
 mailscanner, mimedefang
 
You can also run spamc directly in a Postfix service. Slightly different
approaches are given below:

http://www.ivankristianto.com/os/ubuntu/linux-spam-filter-with-spamasassin/595/

http://www.xnote.com/howto/postfix-spamassassin.html


NOTE: both of these merely run spamc to mark up received mail. You'll
still need to separate spam from ham, either by having your users
configure their MUAs to put spam in a separate mail filter or by using a
procmail recipe to do the same thing - of course you can use a common
recipe that's used by all mail recipients.


Martin




Re: CLAMAV 0.95 to be disabled

2010-04-09 Thread Charles Gregory


OT - RPM

On Fri, 9 Apr 2010, Daniel McDonald wrote:

I'm currently trying 'rpm --rebuilddb' but it's just sitting there, and
I've got a feeling it has locked-up too

You've got to delete the __db.* files in /var/lib/rpm before you run
--rebuilddb


I'm trying that now, but don't have much hope. None of the db files
were modified since 2007. So I suspect the corruption is in one of the 
other files :(


- C


Re: [sa] Re: CLAMAV 0.95 to be disabled

2010-04-09 Thread Charles Gregory

On Fri, 9 Apr 2010, Daniel McDonald wrote:

You've got to delete the __db.* files in /var/lib/rpm before you run
--rebuilddb


That worked. Thanks! (wiping brow with relief)

- C




Re: skipping dynamic tests for ISP's own dynamic networks?

2010-04-09 Thread Royce Williams
On Fri, Apr 9, 2010 at 3:46 AM, RW rwmailli...@googlemail.com wrote:
 On Fri, 9 Apr 2010 10:09:35 +0300
 Henrik K h...@hege.li wrote:

 On Thu, Apr 08, 2010 at 10:26:27PM -0800, Royce Williams wrote:
  

  Maybe I'm having a vocabulary problem.  My MSAs are really also
  MTAs - they receive mail from the customer, do an MX lookup on the
  destination domain, and relay.  But they are not MXes in that they
  do not receive mail from foreign MTAs.

 Read and re-read msa_networks documentation. IMHO it's very clearly
 defined. It's just an extender for *_networks.

 I think he may have put his finger on the problem in a previous post.

 msa_networks defines the MSA by IP address. If SA runs on an MSA its
 address is unlikely to be in the received headers. In that case SA has
 no way of distinguishing an MSA from an MX server.

Yes!  That's what Daryl was referring to here

http://old.nabble.com/ALL_TRUSTED-and-DOS_OE_TO_MX-td15659736.html

... where he says:

So if (and I'll admit I don't think this occurred to me before) you're
running SA on outgoing mail on your MSA right after you receive it (it's
not relayed to an intermediate machine) SA can't detect the MSA and the
whole msa_networks thing doesn't work.

 I would think that in this case the dynamic address blocks would need to
 be explicitly defined.

That's why I started this thread by saying that I went hunting for a
mua_networks equivalent, and couldn't find one.

Henrik and RW have both suggested that I should put my customer-only
MSAs into msa_networks and internal_networks (which implies
trusted_networks).  I can state definitively that in this setup, all
of the you-look-like-a-MUA rules (RDNS, Outlook, etc.) are happily
applied to my dialup customers, which is consistent with RW's
statement above.

Royce
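
A simplified Python model of the relay classification in the msa_networks documentation Henrik quotes, and of the case RW and Daryl describe where SpamAssassin runs on the MSA itself. This is an added illustration, not SpamAssassin's code and not from any poster; the addresses and Received headers are constructed, and the model covers only internal_networks and msa_networks (it assumes internal hosts are also trusted and ignores authentication headers).

```python
import ipaddress
import re

# Constructed configuration using documentation address ranges (not from the thread).
INTERNAL_NETWORKS = ["192.0.2.0/24"]   # assumed to be listed in trusted_networks too
MSA_NETWORKS = ["192.0.2.10/32"]       # the customer-only MSA

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received_headers):
    """Extract the connecting client's IP from each Received header, newest first."""
    ips = []
    for header in received_headers:
        match = _BRACKETED_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def _listed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def classify(received_headers, internal_networks, msa_networks):
    """Label each relay 'internal' or 'external', walking from newest to oldest.

    Once a relay is external, every older relay is external. Once an internal
    relay matches msa_networks, every older relay inherits the MSA's
    classification (the "extender" behaviour the documentation describes).
    """
    labels = []
    still_internal = True
    behind_msa = False
    for ip in relay_ips(received_headers):
        if still_internal and not behind_msa:
            if not _listed(ip, internal_networks):
                still_internal = False
            elif _listed(ip, msa_networks):
                behind_msa = True
        labels.append((ip, "internal" if still_internal else "external"))
    return labels


def first_external(received_headers, internal_networks, msa_networks):
    """IP the 'first external relay' rules would examine, or None if there is none."""
    for ip, label in classify(received_headers, internal_networks, msa_networks):
        if label == "external":
            return ip
    return None


# Constructed headers, newest first, for a dial-up customer at 198.51.100.77.
SA_DOWNSTREAM_OF_MSA = [
    "Received: from msa.example.net (msa.example.net [192.0.2.10]) by scan.example.net",
    "Received: from customer-pc (dyn77.example.net [198.51.100.77]) by msa.example.net",
]
# SA runs on the MSA: the MSA's own address never appears as a relay.
SA_ON_THE_MSA = [
    "Received: from customer-pc (dyn77.example.net [198.51.100.77]) by msa.example.net",
]
# The documentation's warning: a host in msa_networks that also accepts foreign mail.
MSA_ALSO_ACTS_AS_MX = [
    "Received: from msa.example.net (msa.example.net [192.0.2.10]) by scan.example.net",
    "Received: from unknown (unknown [203.0.113.5]) by msa.example.net",
]

if __name__ == "__main__":
    cases = [
        ("SA downstream of MSA", SA_DOWNSTREAM_OF_MSA),
        ("SA on the MSA", SA_ON_THE_MSA),
        ("MSA also acts as MX", MSA_ALSO_ACTS_AS_MX),
    ]
    for name, headers in cases:
        print(name, classify(headers, INTERNAL_NETWORKS, MSA_NETWORKS))
```

In the second case the dial-up address is the first external relay regardless of what msa_networks contains, which matches the behaviour Royce reports.
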


AWL

2010-04-09 Thread Dennis B. Hopp
I have AWL enabled and it seems to be ok with helping out legitimate
senders that occasionally send a spammy type message, but lately I
have seen an increase where AWL is adding a negative score to a very
blatant spam.  

So my questions are, do people feel AWL is worth having enabled?  

Is there a way to have the AWL rule only triggered if there is a minimum
number of messages seen by that sender?

--Dennis



Re: AWL

2010-04-09 Thread Bowie Bailey
Dennis B. Hopp wrote:
 I have AWL enabled and it seems to be ok with helping out legitimate
 senders that occasionally send a spammy type message, but lately I
 have seen an increase where AWL is adding a negative score to a very
 blatant spam.  

 So my questions are, do people feel AWL is worth having enabled?
   

Ask 3 people and you'll get 3 different opinions...  Personally, I think
it is useful.

 Is there a way to have the AWL rule only triggered if there is a minimum
 number of messages seen by that sender?

Not that I'm aware of.

Is the AWL score enough to prevent the messages from being marked as
spam, or are you seeing the negative AWL score on messages that are
marked as spam?  It is normal for AWL to give negative scores to spam
from time to time, but for the most part, it should not be enough to
push the score below the spam threshold.

http://wiki.apache.org/spamassassin/AwlWrongWay

-- 
Bowie


Re: AWL

2010-04-09 Thread Dennis B. Hopp

 Not that I'm aware of.
 
 Is the AWL score enough to prevent the messages from being marked as
 spam, or are you seeing the negative AWL score on messages that are
 marked as spam?  It is normal for AWL to give negative scores to spam
 from time to time, but for the most part, it should not be enough to
 push the score below the spam threshold.

Not usually, but I have seen a few messages that triggered BAYES_99 or
BAYES_95 and then a few other rules that pushed the score to just above
5.0 (which is what I block at) and then AWL will come in with say a
-0.35 and drop the overall score to 4.8.

I know how AWL works and occasionally it will lower the score of a spam,
but it just seems to be happening more often lately.  I store my AWL in
mysql so I just deleted all entries that have a count of less than 20.
I think pretty much every time this happens the AWL count is low (maybe
3 or 4). 

--Dennis



Re: AWL

2010-04-09 Thread Benny Pedersen

On fre 09 apr 2010 22:33:39 CEST, Dennis B. Hopp wrote


Is there a way to have the AWL rule only triggered if there is a minimum
number of messages seen by that sender?


if AWL is helping spam, then you need to prevent forged senders more

in sa 3.2.5 set

ifplugin Mail::SpamAssassin::Plugin::AWL
use_auto_whitelist 1
# i changed it to be just 25% of what the
# sender is known to be in score as benefit, default is 0.5
auto_whitelist_factor 0.25
# for 331
auto_whitelist_distinguish_signed 1
# default 16
auto_whitelist_ipv4_mask_len 24
# auto_whitelist_ipv6_mask_len 48
endif # Mail::SpamAssassin::Plugin::AWL

to devs, would be nice to have an option to say minimal count 5 in awl
table so awl will not hit for the first 4 hits


mysql modified here:


CREATE TABLE `awl` (
  `username` varchar(100) NOT NULL,
  `email` varchar(255) NOT NULL,
  `ip` varchar(40) NOT NULL,
  `count` int(11) NOT NULL default '0',
  `totscore` float NOT NULL default '0',
  `signedby` varchar(255) NOT NULL,
  `lastupdate` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,

  PRIMARY KEY  (`username`,`email`,`signedby`,`ip`)
) ENGINE=MyISAM DEFAULT CHARSET=ascii;

this way i can expire the table, added lastupdate

by adding lastupdate to bayes_seen can also expire it, as it is now we
keep forever :(



--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
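
Added example (not part of any post in this thread, and not SpamAssassin's own code): a Python model of the AWL adjustment discussed above, delta = (mean - score) * auto_whitelist_factor, run on a constructed history that reproduces the -0.35 case. The `min_count` gate is hypothetical (the option asked for, which SpamAssassin does not provide), and `max_age_days` is an assumed retention period for the added `lastupdate` column.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AwlEntry:
    count: int            # messages already seen for this sender/IP key
    totscore: float       # sum of their pre-AWL scores
    lastupdate: datetime  # column added in the modified table above

def awl_delta(entry, score, factor=0.5, min_count=0):
    """Adjustment AWL adds to a message's pre-AWL score.

    delta = (mean - score) * factor, with mean = totscore / count.
    min_count is a HYPOTHETICAL gate (the option wished for in the
    thread); SpamAssassin itself has no such setting.
    """
    if entry.count == 0 or entry.count < min_count:
        return 0.0
    return (entry.totscore / entry.count - score) * factor

def final_score(entry, score, **opts):
    return round(score + awl_delta(entry, score, **opts), 3)

def record(entry, score, now):
    """After scoring, the pre-AWL score is folded into the history."""
    entry.count += 1
    entry.totscore += score
    entry.lastupdate = now

def expired(entry, now, max_age_days=180, min_count=0):
    """True if a row should be purged: stale, or too little history."""
    stale = now - entry.lastupdate > timedelta(days=max_age_days)
    return stale or entry.count < min_count

# Constructed sample: 3 earlier messages averaging 4.45 from this sender,
# then a message that scores 5.15 before AWL (threshold 5.0).
NOW = datetime(2010, 4, 9)
SENDER = AwlEntry(count=3, totscore=13.35, lastupdate=NOW - timedelta(days=2))

if __name__ == "__main__":
    for label, opts in [("factor 0.5", {}),
                        ("factor 0.25", {"factor": 0.25}),
                        ("min_count 5 (hypothetical)", {"min_count": 5})]:
        print(f"{label:28s} -> {final_score(SENDER, 5.15, **opts)}")
```

With this history, halving the factor to 0.25 still leaves the message at 4.975, under the 5.0 threshold; only ignoring the three-message history keeps it at 5.15.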



Re: AWL

2010-04-09 Thread John Hardin

On Fri, 9 Apr 2010, Dennis B. Hopp wrote:

I know how AWL works and occasionally it will lower the score of a spam, 
but it just seems to be happening more often lately.


Maybe the rulesets are improving and scoring spams higher than spams from 
the same source have historically been scoring...?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  For those who are being swayed by Microsoft's whining about the
  GPL, consider how aggressively viral their Shared Source license is:
  If you've *ever* seen *any* MS code covered by the Shared Source
  license, you're infected for life. MS can sue you for Intellectual
  Property misappropriation whenever they like, so you'd better not
  come up with any Innovative Ideas that they want to Embrace...
---
 4 days until Thomas Jefferson's 267th Birthday


Re: skipping dynamic tests for ISP's own dynamic networks?

2010-04-09 Thread Kris Deugau

Royce Williams wrote:

On Fri, Apr 9, 2010 at 3:46 AM, RW rwmailli...@googlemail.com wrote:

msa_networks defines the MSA by IP address. If SA runs on an MSA its
address is unlikely to be in the received headers. In that case SA has
no way of distinguishing an MSA from an MX server.


Yes!  That's what Daryl was referring to here

http://old.nabble.com/ALL_TRUSTED-and-DOS_OE_TO_MX-td15659736.html

... where he says:

So if (and I'll admit I don't think this occurred to me before) you're
running SA on outgoing mail on your MSA right after you receive it (it's
not relayed to an intermediate machine) SA can't detect the MSA and the
whole msa_networks thing doesn't work.


*nod*  I'm seeing the logic there...  now I'm trying to figure out what 
kind of magic chicken I must have sacrificed to get things to work here. 
 g



I would think that in this case the dynamic address blocks would need to
be explicitly defined.


That's why I started this thread by saying that I went hunting for a
mua_networks equivalent, and couldn't find one.


OK, think about this:  What do you do about relay IPs outside your 
network, from which your customers are sending mail through your MSA via 
SMTP AUTH?  There's a good chance they're listed on eg Spamhaus PBL - 
and there's *no* way you'll ever predict them.



Henrik and RW have both suggested that I should put my customer-only
MSAs into msa_networks and internal_networks (which implies
trusted_networks).  I can state definitively that in this setup, all
of the you-look-like-a-MUA rules (RDNS, Outlook, etc.) are happily
applied to my dialup customers, which is consistent with RW's
statement above.


Ahhh, here's a code comment:

Mail/SpamAssassin/Conf/Parser.pm: line ~1040
  # validate trusted_networks and internal_networks, bug 4760.
  # check that all internal_networks are listed in trusted_networks
  # too.  do the same for msa_networks, but check msa_networks against
  # internal_networks if trusted_networks aren't defined

So msa_networks *may* be a subset of internal, but it's not required, 
and not quietly forced either *unless* trusted_ isn't defined.


All I can say is WorksForMe(TM).  :/  I have three different systems 
with several different SA versions, and several integration methods... 
and none of them trigger on direct-to-MX-ish rules inappropriately.


One is our primary mail cluster;  the SA filter subcluster is used for 
both inbound scanning and outbound.  On the outbound side, a Postfix 
subcluster calls SA via custom Postfix content filter (which does not 
generate a Received: header).  Currently it's running SA3.3.1, but the 
trust config was set with 3.2.5 - the last update just added a machine 
to msa_networks when I discovered the occasional customer mail tripping 
the outbound filter with ...  yep, direct-to-MX-ish rules.  (The Speed 
Dial SMTP proxy running on that machine added a Received: header while 
streaming the message to the real MSA cluster, and the message ended 
up looking like direct-to-MX because there was a trusted non-MSA host in 
between the MUA and SA.)


SA scan result:
spamd: result: . 0 - AWL,BAYES_20,NO_RECEIVED,NO_RELAYS

The other two are legacy all-in-one domain-hosting servers.  One runs SA 
via amavisd-new as a Postfix content filter (post-queue;  no SMTP-time 
rejections).  The other calls SA from MIMEDefang.    hmm, now that I 
poke and think, both systems likely pass either a real live Received: 
header (Postfix+Amavis) or a synthetic one (MIMEDefang) to SA.


SA scan results:
  Amavis:
X-Spam-Status: No, score=-101.378 tagged_above=- required=6.31
tests=[ALL_TRUSTED=-1.8, AWL=-1.298, BAYES_50=0.001,
TVD_SPACE_RATIO=1.719, USER_IN_WHITELIST=-100]
  MIMEDefang:
X-Spam-Score: -99.21 () req=5 BAYES_50,T_RP_MATCHES_RCVD,USER_IN_WHITELIST

(Both delivered to test accounts I set up local to each system.)

Here's an obfuscated version of the live config (used on all three systems):

clear_trusted_networks

# core servers
trusted_networks 192.168.0.0/24

# legacy the first
trusted_networks 192.168.1.0/26
trusted_networks 192.168.3.0/26
# legacy the second
trusted_networks 192.168.4.232/29
# and third
trusted_networks 192.168.5.0/26

# inherited Plesk
trusted_networks 192.168.6.160/27

# colo(ish) customer server
trusted_networks 192.168.7.122/32

# postini.  *sigh*
trusted_networks 64.18.0.0/20

# messagelabs (amsterdam)
trusted_networks 195.245.231.0/24

# customer's third-party webhost I'm willing to trust
# server.superhost2.nl
trusted_networks 91.192.36.238/32

# willing to believe UBC has someone halfway
# competent running their mail systems...
trusted_networks 137.82.45.0/28
# observed: .1, .5, .7, .15
# rDNS shows .1 - .17 or so as MTA-ish

## internal
clear_internal_networks
internal_networks 192.168.0.21
internal_networks 192.168.0.22
internal_networks 192.168.0.23
internal_networks 192.168.0.24
internal_networks 192.168.0.119
# put Postini here so eg Spamhaus rules hit properly