Re: [sa] Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Emin Akbulut
I've used SA/spamd.exe for a while because it calculates very high scores on
spams.
-I thought-

Then spams have appeared in people's inboxes and I needed to examine.



I've used another batch file to log spamd spam scores.
The commandline is:

C:\NET\SpamAssassinWin32-EX\winspamc.exe < C:\NET\SpamAssassinWin32-EX\realspam3.txt | Find "X-Spam-Status:" >> recover.log

I ran the same command in a few seconds. Here are the newest results:

16.07.2010, 12:07:48
RESTARTED
X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 12:08:13
OK
X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 12:08:21
OK
X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 12:09:44
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 12:09:57
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 12:10:00
OK
X-Spam-Status: Yes, score=24.4 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 12:10:13
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,



OK means SA is alive, RESTARTED means spamd.exe crashed
or port 783 non-responsive  restarted.





On Thu, Jul 15, 2010 at 7:20 PM, Charles Gregory cgreg...@hwcn.org wrote:

 On Thu, 15 Jul 2010, Emin Akbulut wrote:

 spamassassin.exe always calculates the same/correct score.


 Good... Goood.


  spamd second run reports only a few tests. Is it OK? I mean spamd runs all
 test but only adds which one increases score to its report? Or these tests
 are processed tests list only? First run has tons of tests, second run has
 only 5 tests.


 I am presuming, by your description that the exact same *unmodified* file
 is passing through spamc/spamd all three times, and that there are no other
 variables. The spamc calls are literally one after the other, with no change
 of userid or other change that would possibly lead to a different set of
 configuration files being read.

 So this means that it is spamd itself that is 'different' on the second
 execution. You are going to need to enable verbose logging for spamd and do
 these three tests and see what messages appear in the logs (presumably)
 showing a failure to load config files on the second run.

 Is it possible that the file LOCKING on your system prevents spamd from
 accessing certain files under certain circumstances?

 What happens if you run ANY other message through spamc as the 'second'
 run, and then run the third one on the original file? Is spamd sensitive to
 it being the same message or just messes up on *whatever* the second message
 would happen to be? Timing or content?

 - C



Re: spamc client always returning 0/0

2010-07-16 Thread Gnanam


Karsten Bräckelmann-2 wrote:
 
 Check your logs.
 
 spamd likely logged the failure. And btw, spamc also logs in some cases,
 like refused connection attempts to spamd. You will find your previous
 attempts without spamd running being logged.

Thanks.  That solved my problem.  It has thrown the following error in log
that it has exceeded the max message size:

Jul 14 22:23:55 myserver spamc[15527]: skipped message, greater than max
message size (512000 bytes)

After increasing max message size in /etc/mail/spamassassin/spamc.conf, am
able to get spam score for my email message.

As you'd pointed rightly, both spamc and spamd log statements are logged
here (/var/log/maillog).

Karsten Bräckelmann-2 wrote:
 
 Also, try something like this.
 
   echo | spamc -x; echo $?

And this was really helpful to debug.

-- 
View this message in context: 
http://old.nabble.com/spamc-client-always-returning-0-0-tp29173280p29181721.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: spamc client always returning 0/0

2010-07-16 Thread Gnanam


Karsten Bräckelmann-2 wrote:
 
 Check your logs.
 
 spamd likely logged the failure. And btw, spamc also logs in some cases,
 like refused connection attempts to spamd. You will find your previous
 attempts without spamd running being logged.

For my email message spamc -c < /root/mailmessage.txt, am getting a spam
score of 2.5/5.0 and spamc is printing the following statements in the log:

1) Jul 16 00:34:52 myserver spamd[9957]: spamd: connection from myserver
[127.0.0.1] at port 53626
2) Jul 16 00:34:52 myserver spamd[9957]: spamd: setuid to root succeeded
3) Jul 16 00:34:52 myserver spamd[9957]: spamd: still running as root: user
not specified with -u, not found, or set to root, falling back to nobody
4) Jul 16 00:34:52 myserver spamd[9957]: spamd: checking message
23671010.1276784893828.javamail.ad...@user01 for root:99
5) Jul 16 00:35:00 myserver spamd[9957]: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile
/.spamassassin/auto-whitelist.lock.myserver.9957 for
/.spamassassin/auto-whitelist.lock: No such file or directory
6) Jul 16 00:35:00 myserver spamd[9957]: spamd: clean message (2.5/5.0) for
root:99 in 7.7 seconds, 1303511 bytes.
7) Jul 16 00:35:00 myserver spamd[9957]: spamd: result: . 2 -
HTML_FONT_SIZE_LARGE,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_DATE,NO_RECEIVED,NO_RELAYS
scantime=7.7,size=1303511,user=root,uid=99,required_score=5.0,rhost=myserver,raddr=127.0.0.1,rport=53626,mid=23671010.1276784893828.javamail.ad...@user01,autolearn=no
8) Jul 16 00:35:00 myserver spamd[9952]: prefork: child states: II

What does . 2 mean in the 7th line above?

For the command echo | spamc -x; echo $?, it is showing Y 6 in the same
7th line of spamd result?

Does this represent/mean anything?



Re: [sa] Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Daniel Lemke


Emin Akbulut wrote:
 
 I've used SA/spamd.exe for a while because it calculates very high scores
 on
 spams.
 -I thought-
 
 Then spams have appeared in people's inboxes and I needed to examine.
 
 
 
 I've used another batch file to log spamd spam scores.
 The commandline is:
 
 C:\NET\SpamAssassinWin32-EX\winspamc.exe < C:\NET\SpamAssassinWin32-EX\realspam3.txt | Find "X-Spam-Status:" >> recover.log
 
 I ran the same command in a few seconds. Here are the newest results:
 
 16.07.2010, 12:07:48
 RESTARTED
 X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,
 
 16.07.2010, 12:08:13
 OK
 X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,
 
 16.07.2010, 12:08:21
 OK
 X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,
 
 16.07.2010, 12:09:44
 OK
 X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,
 
 16.07.2010, 12:09:57
 OK
 X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,
 
 16.07.2010, 12:10:00
 OK
 X-Spam-Status: Yes, score=24.4 required=6.3 tests=HTML_IMAGE_ONLY_32,
 
 16.07.2010, 12:10:13
 OK
 X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,
 

Still looks like some sort of DNS based issue.
Anyway, could you please paste the raw mail?
I'll feed our spamd with it. Since we use the same binaries, this should
give a first advice if it's really the SpamAssassin which is causing the
problem.

As already started, you could also try to enable debug output for Spamd,
just start the executable with --debug --syslog=spamd.log parameter.


Daniel



Re: spamc client always returning 0/0

2010-07-16 Thread Martin Gregorie
On Fri, 2010-07-16 at 02:39 -0700, Gnanam wrote:

 What does . 2 mean in the 7th line above?
 
It's a summary result: '.' means not spam. SA replaces '.' with 'Y' if it
is spam. The number is the score truncated to an integer.


Martin
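
The summary line explained above can be parsed mechanically. The following is an added example, not part of the original posts and not SpamAssassin code: a small parser for the "spamd: result:" syslog line. The first result line is the one quoted in the thread with a constructed message-id; the other log lines are constructed.

```python
import re

# One summary line per scanned message, as spamd writes it to syslog.
RESULT_RE = re.compile(
    r"spamd\[(?P<pid>\d+)\]: spamd: result: "
    r"(?P<flag>[Y.]) (?P<score>-?\d+) - (?P<rest>.*)$"
)

def parse_result_line(line):
    """Return a dict for a 'spamd: result:' line, or None for any other line."""
    m = RESULT_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    tokens = m.group("rest").split()
    # The test list is one comma-joined token. When no rule hit it is absent
    # and the first token is already a key=value field.
    tests = []
    if tokens and "=" not in tokens[0]:
        tests = tokens.pop(0).split(",")
    fields, last_key = {}, None
    for item in " ".join(tokens).split(","):
        key, sep, value = item.partition("=")
        if sep and re.fullmatch(r"[a-z_]+", key):
            fields[key] = value
            last_key = key
        elif last_key is not None:
            # A comma inside a value (for example in a message-id) split it.
            fields[last_key] += "," + item
    return {
        "pid": int(m.group("pid")),
        "is_spam": m.group("flag") == "Y",     # 'Y' = spam, '.' = not spam
        "score_int": int(m.group("score")),    # score truncated to an integer
        "tests": tests,
        "fields": fields,
    }

def summarize(lines):
    """Count verdicts and report the largest and slowest scan seen."""
    results = [r for r in map(parse_result_line, lines) if r]
    return {
        "scanned": len(results),
        "spam": sum(1 for r in results if r["is_spam"]),
        "max_size": max((int(r["fields"].get("size", 0)) for r in results), default=0),
        "max_scantime": max((float(r["fields"].get("scantime", 0)) for r in results), default=0.0),
    }

# Sample log. Message-ids and the whole second result line are constructed.
SAMPLE_LOG = [
    "Jul 16 00:34:52 myserver spamd[9957]: spamd: connection from myserver "
    "[127.0.0.1] at port 53626",
    "Jul 16 00:35:00 myserver spamd[9957]: spamd: result: . 2 - "
    "HTML_FONT_SIZE_LARGE,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_DATE,NO_RECEIVED,NO_RELAYS "
    "scantime=7.7,size=1303511,user=root,uid=99,required_score=5.0,rhost=myserver,"
    "raddr=127.0.0.1,rport=53626,mid=<constructed.1@example.invalid>,autolearn=no",
    "Jul 16 00:36:10 myserver spamd[9957]: spamd: result: Y 6 - "
    "EMPTY_MESSAGE,MISSING_DATE,MISSING_FROM,MISSING_MID,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS "
    "scantime=0.1,size=1,user=root,uid=99,required_score=5.0,rhost=myserver,"
    "raddr=127.0.0.1,rport=53630,mid=<constructed,2@example.invalid>,autolearn=no",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        parsed = parse_result_line(entry)
        if parsed:
            print(parsed["is_spam"], parsed["score_int"], len(parsed["tests"]), parsed["fields"]["size"])
    print(summarize(SAMPLE_LOG))
```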




Re: spamc client always returning 0/0

2010-07-16 Thread Gnanam


Martin Gregorie-2 wrote:
 
 It's a summary result: '.' means not spam. SA replaces '.' with 'Y' if it
 is spam. The number is the score truncated to an integer.

Thanks for that update.

I've another question with spamc.  The spamc option -s max_size,
--max-size=max_size in man spamc says:

The maximum message size is 256 MB.

So, email messages that are greater than 256 MB can never be tested with SA? 
Or is there any tweaks to get around this?




Re: spamc client always returning 0/0

2010-07-16 Thread Daniel Lemke


Gnanam wrote:
 
 The maximum message size is 256 MB.
 
 So, email messages that are greater than 256 MB can never be tested with
 SA?  Or is there any tweaks to get around this?
 
 

You need to scan mails that are greater than 256MB?!



Re: BLACKLISTED mails

2010-07-16 Thread Angel L. Mateo

On 13/07/10 17:22, Giampaolo Tomassoni wrote:

I don't think that's going to help - it's not going to tell us why
it's blacklisted.

Also I suspect those headers aren't added by SA alone.  AFAIK
BLACKLISTED isn't added by SA like that - blacklist rule should show up
in tests=[], which is empty. And the score isn't consistent  64 and -5.


Yeah, it is amavisd stuff.

In the default amavisd config file there is an @blacklist_sender_maps
defining an array of blacklisted sender's regular expressions.

This default is a bit crude, since it may occasionally lead to FPs because
it only looks for the local part of the email address.


OK, I'll check this. Thank you.


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 868887590
Fax: 86337


Re: spamc client always returning 0/0

2010-07-16 Thread Gnanam


Daniel Lemke wrote:
 
 
 Gnanam wrote:
 
 The maximum message size is 256 MB.
 
 So, email messages that are greater than 256 MB can never be tested with
 SA?  Or is there any tweaks to get around this?
 
 
 
 You need to scan mails that are greater than 256MB?!
 

Reason I'm asking this is that sometimes email attachment(s) size may be on
the higher side, that it would easily exceed 256 MB limit.



Re: spamc client always returning 0/0

2010-07-16 Thread Daniel Lemke


Gnanam wrote:
 
 
 Daniel Lemke wrote:
 
 
 Gnanam wrote:
 
 The maximum message size is 256 MB.
 
 So, email messages that are greater than 256 MB can never be tested with
 SA?  Or is there any tweaks to get around this?
 
 
 
 You need to scan mails that are greater than 256MB?!
 
 
 Reason I'm asking this is that sometimes email attachment(s) size may be
 on the higher side, that it would easily exceed 256 MB limit.
 

I think we live in some sort of parallel universes ;)

Beside several other reasons why it would be totally insane sending an email
of that size, it's nothing you need SpamAssassin to check for because it's
definitely no spam. If you ever get a spam message of that size, please call
Guinness ;)


Daniel



Re: spamc client always returning 0/0

2010-07-16 Thread Gnanam


Daniel Lemke wrote:
 
 I think we live in some sort of parallel universes ;)
 
 Beside several other reasons why it would be totally insane sending an
 email of that size, it's nothing you need SpamAssassin to check for
 because it's definitely no spam. If you ever get a spam message of that
 size, please call Guinness ;)

Hope I'll not exceed this 256 MB limit.



Re: spamc client always returning 0/0

2010-07-16 Thread Martin Gregorie
On Fri, 2010-07-16 at 04:18 -0700, Gnanam wrote:
 
 Daniel Lemke wrote:
  
  I think we live in some sort of parallel universes ;)
  
  Beside several other reasons why it would be totally insane sending an
  email of that size, it's nothing you need SpamAssassin to check for
  because it's definitely no spam. If you ever get a spam message of that
  size, please call Guinness ;)
 
 Hope I'll not exceed this 256 MB limit.

Don't forget that if you default spamd to --max-children (5) and you're
simultaneously scanning five max-sized messages, that's at least 1.3 GB
of RAM occupied by spamd and its children. I trust you've got enough
swap space configured, i.e. 2 x RAM, and that you've got a high enough
setting for --timeout-child.


Martin




spamc max size limit (was: Re: spamc client always returning 0/0)

2010-07-16 Thread Karsten Bräckelmann
On Fri, 2010-07-16 at 03:40 -0700, Gnanam wrote:
 Daniel Lemke wrote:

   The maximum message size is 256 MB.
   
   So, email messages that are greater than 256 MB can never be tested with
   SA?  Or is there any tweaks to get around this?
  
  You need to scan mails that are greater than 256MB?!
 
 Reason I'm asking this is that sometimes email attachment(s) size may be on
 the higher side, that it would easily exceed 256 MB limit.

Whoa, slow down, dude. I'm with Daniel here.

Fact is, spam even larger than 512 kB is rare. Sure, they do exist, and
this topic comes up here every now and then. However, they still are a
rare occurrence, and it is not worth the trouble raising the limit to an
arbitrarily large number.

The limit exists for two reasons. First, *really* large spam simply
doesn't exist, and mail that size just is ham. And second, scanning
really large messages will slow down SA and hog resources.

It's a trade-off. Not even scanning those rare, huge spam. Versus a
dramatically increased need for resources.

Don't think of the max size limit as which size *mail* do I get, but
which size *spam* do I see. Ham exceeding the threshold will just be
passed along un-scanned.


Really, think about it. How much spam exceeding 1 MB do you get? One a
year? How much ham? Plenty, due to creative folks tossing around huge
images?

So, set your max size limit to something sane, say 1 MB, and live with
that single spam per year sneaking through unprocessed. Sparing your
servers the load of processing all the bulk of huge messages.


Oh, and another one. Any chance, these huge messages might be Cc'ed to
more folks on your site? Awesome, so we just multiplied the resources
needed. If there are max 5 children, all fed with a piece of ham that
easily exceeds 256 MB concurrently, will your server die a slow and
horrible death of hitting swap?

IMHO, if you are ever to raise the threshold to anything above 10 MB, do
test it extensively before going into production.


Bottom line: Keep your max size limit sane. No kidding.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: spamc client always returning 0/0

2010-07-16 Thread John Hardin

On Fri, 16 Jul 2010, Gnanam wrote:


Daniel Lemke wrote:


Gnanam wrote:


The maximum message size is 256 MB.

So, email messages that are greater than 256 MB can never be tested 
with SA?  Or is there any tweaks to get around this?


You need to scan mails that are greater than 256MB?!


Reason I'm asking this is that sometimes email attachment(s) size may be 
on the higher side, that it would easily exceed 256 MB limit.


I sure hope you mean kB, not MB. Someone who is sending 256+MB 
attachments via email needs to have their attitude adjusted with a 
Louisville Slugger.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If guards and searches and metal detectors can't keep a gun out of
  a maximum-security solitary confinement prisoner's cell, how will
  a disciplinary policy and some signs keep guns out of a university?
---
 Today: the 65th anniversary of the dawn of the Atomic Age


Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Charles Gregory

On Fri, 16 Jul 2010, Emin Akbulut wrote:

X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,
X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,
X-Spam-Status: Yes, score=24.4 required=6.3 tests=HTML_IMAGE_ONLY_32,

(liberally snipped)

There are commas at the end of these lines, implying you have trimmed the 
rest of the list of tests that account for the different scores. Go back 
and assemble the FULL logs, so that we can see the difference in what 
tests fire and what tests don't.


Now if I have to GUESS on insufficient data, I would suspect that the
'port' of spamd to Windows(?) does not properly tidy up its children when 
finished. The fact that it crashes certainly points in this direction.

May I presume that you did a 'full' memory test?

To verify this situation, try running the same test as before, but leave a 
one minute gap between each run/test (and with no other spamd calls during 
that time interval!) so that we can see what happens when the spamd 
children have time to properly terminate.


- C

Ps. I'm not researching this deeply, so I may trip over some minor aspect 
of spamd coding/behaviour that the developers will call me on, I'm sure. 
:)


Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Support SpamAssassin
 -Original Message-
 From: Charles Gregory

 Now if I have to GUESS on insufficient data, I would suspect that the 'port' 
 of
 spamd to Windows(?) does not properly tidy up its children when finished.
 The fact that it crashes certainly points in this direction.
 May I presume that you did a 'full' memory test?


The port is running fine, did a test with the same message:

First run: 17,4, triggered autolearn spam
Any run after this: 19,4

You may want to start spamd from console instead of using this batch stuff.
Not sure if this causes the problem, but it's another source of error.

But what would REALLY help:
Open the console
Locate your spamd.exe
type: spamd.exe -D --syslog=spamd.log
Now scan your mail a few times.
Open the spamd.log located beside your spamd.exe and copy the whole content to 
http://pastebin.com/

This will give us a good chance to identify the problem.

Daniel







JAM Software GmbH
Geschäftsführer: Joachim Marder
Max-Planck-Str. 22 * 54296 Trier * Germany
Tel: 0651-145 653 -0 * Fax: 0651-145 653 -29
Handelsregister Nr. HRB 4920 (AG Wittlich) http://www.jam-software.de


Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Emin Akbulut
In my first post, SA addition to message is included.
I am including all header lines this time; I noticed SA has added first
lines in one result,
and has added lines somewhere in the middle in other result. :P
I've restarted spamd after test # 1.


TEST1.TXT: It takes less than 2 seconds
--
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on WebServer
X-Spam-Level: *
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,
HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOCALPART_IN_SUBJECT,MIME_HTML_ONLY,
MISSING_DATE,MISSING_MID,RDNS_NONE,TO_NO_BRKTS_NORDNS_HTML autolearn=no
version=3.3.1
Received: from [41.251.163.175] ([41.251.150.113]) by izsmmmo.com with
MailEnable ESMTP; Tue, 13 Jul 2010 13:29:35 +0300
From: SexMeds from USA ferdi.to...@izsmmmo.com
To: ferdi.to...@izsmmmo.com
Subject: ferdi.tosun, special 70% bonus for you. was climatological causes
its has
Content-Type: text/html; charset=utf-8
MIME-Version: 1.0
Return-Path: ferdi.to...@izsmmmo.com


TEST2.TXT: This one takes more than 4 seconds.
--
Received: from localhost by WebServer
with SpamAssassin (version 3.3.1);
Fri, 16 Jul 2010 17:26:36 +0300
From: SexMeds from USA ferdi.to...@izsmmmo.com
To: ferdi.to...@izsmmmo.com
Subject: ferdi.tosun, special 70% bonus for you. was climatological causes
its has
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on WebServer
X-Spam-Flag: YES
X-Spam-Level: **
X-Spam-Status: Yes, score=22.7 required=6.3 tests=HTML_IMAGE_ONLY_32,
HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOCALPART_IN_SUBJECT,MIME_HTML_ONLY,
MISSING_DATE,MISSING_MID,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_XBL,
RDNS_NONE,TO_NO_BRKTS_NORDNS_HTML,T_SURBL_MULTI1,T_SURBL_MULTI2,
T_SURBL_MULTI3,T_SURBL_MULTI4,URIBL_AB_SURBL,URIBL_DBL_SPAM,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=unavailable
version=3.3.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_4C406C1C.11A6



I also have a monitoring logs; here are the last 1 hour:
--

16.07.2010, 16:35:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 16:40:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 16:45:00
OK
X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 16:50:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 16:55:00
OK
X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 17:00:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 17:05:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 17:10:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 17:15:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 17:20:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 17:25:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 17:30:00
OK
X-Spam-Status: Yes, score=22.7 required=6.3 tests=HTML_IMAGE_ONLY_32,

16.07.2010, 17:35:00
OK
X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,














On Fri, Jul 16, 2010 at 5:11 PM, Charles Gregory cgreg...@hwcn.org wrote:

 On Fri, 16 Jul 2010, Emin Akbulut wrote:

 X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,
 X-Spam-Status: No, score=2.6 required=6.3 tests=HTML_IMAGE_ONLY_32,
 X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,
 X-Spam-Status: Yes, score=24.4 required=6.3 tests=HTML_IMAGE_ONLY_32,

 (liberally snipped)

 There are commas at the end of these lines, implying you have trimmed the
 rest of the list of tests that account for the different scores. Go back and
 assemble the FULL logs, so that we can see the difference in what tests fire
 and what tests don't.

 Now if I have to GUESS on insufficient data, I would suspect that the
 'port' of spamd to Windows(?) does not properly tidy up its children when
 finished. The fact that it crashes certainly points in this direction.
 May I presume that you did a 'full' memory test?

 To verify this situation, try running the same test as before, but leave a
 one minute gap between each run/test (and with no other spamd calls during
 that time interval!) so that we can see what happens when the spamd children
 have time to properly terminate.

 - C

 Ps. I'm not researching this deeply, so I may trip over some minor aspect
 of spamd coding/behaviour that the developers will call me on, I'm sure. :)
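
The two complete X-Spam-Status headers posted above (TEST1 and TEST2) can be compared rule by rule. The following is an added example, not part of the original posts: it unfolds both headers, diffs the rule sets, and reports whether every differing rule is a DNS-dependent one. Classifying rules as network tests by name prefix is an assumption of this sketch, not something SpamAssassin reports.

```python
import re

# Assumption: DNS-dependent rules are recognised by these name prefixes.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "T_SURBL_", "DNS_FROM_")

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?P<verdict>Yes|No),\s*score=(?P<score>-?[\d.]+)\s+"
    r"required=(?P<required>-?[\d.]+)\s+tests=(?P<tests>.*?)\s+"
    r"autolearn=(?P<autolearn>\S+)"
)

def parse_status(header_text):
    """Unfold a (possibly multi-line) X-Spam-Status header and parse it.

    Raises ValueError when the header is cut off before autolearn=, which is
    the case for the one-line excerpts in the monitoring log.
    """
    unfolded = re.sub(r"\s*\n\s*", " ", header_text.strip())
    m = STATUS_RE.search(unfolded)
    if m is None:
        raise ValueError("no complete X-Spam-Status header found")
    tests = {t.strip() for t in m.group("tests").split(",") if t.strip()}
    tests.discard("none")  # written when no rule hit
    return {
        "is_spam": m.group("verdict") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
        "autolearn": m.group("autolearn"),
    }

def compare(first_text, second_text):
    """Diff two scans of the same message."""
    a, b = parse_status(first_text), parse_status(second_text)
    only_a, only_b = a["tests"] - b["tests"], b["tests"] - a["tests"]
    changed = only_a | only_b
    network = {t for t in changed if t.startswith(NETWORK_PREFIXES)}
    return {
        "score_delta": round(b["score"] - a["score"], 2),
        "only_in_first": sorted(only_a),
        "only_in_second": sorted(only_b),
        # True when the whole difference consists of DNS-dependent rules.
        "network_only": bool(changed) and network == changed,
        "autolearn": (a["autolearn"], b["autolearn"]),
    }

# The two headers as posted in the message above.
TEST1 = """X-Spam-Status: No, score=5.5 required=6.3 tests=HTML_IMAGE_ONLY_32,
HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOCALPART_IN_SUBJECT,MIME_HTML_ONLY,
MISSING_DATE,MISSING_MID,RDNS_NONE,TO_NO_BRKTS_NORDNS_HTML autolearn=no
version=3.3.1"""

TEST2 = """X-Spam-Status: Yes, score=22.7 required=6.3 tests=HTML_IMAGE_ONLY_32,
HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOCALPART_IN_SUBJECT,MIME_HTML_ONLY,
MISSING_DATE,MISSING_MID,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_XBL,
RDNS_NONE,TO_NO_BRKTS_NORDNS_HTML,T_SURBL_MULTI1,T_SURBL_MULTI2,
T_SURBL_MULTI3,T_SURBL_MULTI4,URIBL_AB_SURBL,URIBL_DBL_SPAM,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=unavailable
version=3.3.1"""

if __name__ == "__main__":
    report = compare(TEST1, TEST2)
    for key, value in report.items():
        print(key, "=", value)
```

On these two headers every rule missing from the low-scoring run is a DNSBL or URIBL lookup, which fits the DNS suspicion raised earlier in the thread.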



Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Martin Gregorie
On Fri, 2010-07-16 at 10:11 -0400, Charles Gregory wrote:
 Now if I have to GUESS on insufficient data, I would suspect that the
 'port' of spamd to Windows(?) does not properly tidy up its children when 
 finished. The fact that it crashes certainly points in this direction.
 May I presume that you did a 'full' memory test?
 
 To verify this situation, try running the same test as before, but leave a 
 one minute gap between each run/test (and with no other spamd calls during 
 that time interval!) so that we can see what happens when the spamd 
 children have time to properly terminate.
 
You might also do a pair of test runs with the same set of test data and
the options shown:

- one with --max-children=1 which should force sequential scans using
  the same child. This will pick up any cruft being left in the child
  process by the previous message.

- one with --max-children=1 and --max-conn-per-child=1 which should
  force a newly spawned child to be used for every message.

Any differences between the two runs would point to left-over cruft
being the problem.


Martin




Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Emin Akbulut
I've stopped the mail server MTA while I was testing, so spamd
has checked only one message at same time.
It looks totally random : )

Is the only difference between spamassassin.exe & spamd.exe
their very own User_Prefs config files?



On Fri, Jul 16, 2010 at 5:54 PM, Martin Gregorie mar...@gregorie.org wrote:


 Any differences between the two runs would point to left-over cruft
 being the problem.


 Martin





Re: png images

2010-07-16 Thread Jari Fredriksson
On 16.7.2010 4:04, Peter Lowish wrote:
 I am wondering if someone has a rule to deal with the current spam being
 sent with just a small png attachment the name of which changes
 
  
 
 There is no text in the email, just the attachment – the subject line is
 always different
 
  
 

# Multipart message with no text/* part at all
header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta L_MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
score L_MIME_NO_TEXT 5.00
describe L_MIME_NO_TEXT No text body parts
endif

# Single-part messages whose top-level Content-Type names an attachment
header   L_PAYLOAD_CTYPE_RTF  Content-Type =~ /\bname=.+\.rtf/i
describe L_PAYLOAD_CTYPE_RTF  Payload is an RTF document, no text part
score    L_PAYLOAD_CTYPE_RTF  5.0

header   L_PAYLOAD_CTYPE_HTML  Content-Type =~ /\bname=.+\.html/i
describe L_PAYLOAD_CTYPE_HTML  Payload is an HTML document, no text part
score    L_PAYLOAD_CTYPE_HTML  5.0

header   L_PAYLOAD_CTYPE_PNG  Content-Type =~ /\bname=.+\.png/i
describe L_PAYLOAD_CTYPE_PNG  Payload is a PNG image, no text part
score    L_PAYLOAD_CTYPE_PNG  5.0





-- 
http://www.iki.fi/jarif/
I use PGP. If there is an incompatibility problem with your mail
client, please contact me.

Q:  What do you call a half-dozen Indians with Asian flu?
A:  Six sick Sikhs (sic).





Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Martin Gregorie
On Fri, 2010-07-16 at 18:07 +0300, Emin Akbulut wrote:
 I've stopped the mail server MTA while I was testing, so spamd
 has checked only one message at same time. 
 It looks totally random : )
 
 
 Is the only difference between spamassassin.exe & spamd.exe  
 their very own User_Prefs config files?
 
No.

spamassassin processes one message and quits - it's meant to be used in a
script or a procmail recipe.

spamd is a server that processes many messages sent to it by spamc
during its lifetime. Spamc does the following for every message:
receives a message to scan via stdin
opens a connection to spamd
sends the message to spamd
receives the annotated message back from spamd
closes the connection
writes the annotated message to stdout

IOW, if you develop a script or pipeline using spamassassin you can
replace it with spamc and the script will work just as before but faster
(assuming you've started spamd!)


Martin




disable trusted_networks and internal_networks

2010-07-16 Thread Cliff Hayes
Hello,

Our webmail server is on the same server as sendmail and spamassassin.

I would like to filter outbound webmail but can't because the most recent
versions of spamassassin have 127.0.0.1 trusted by default.

How can I override this?  Or is that a bad idea for other reasons?

Thanks in advance,

Cliff



Re: disable trusted_networks and internal_networks

2010-07-16 Thread Benny Pedersen

On fre 16 jul 2010 20:31:21 CEST, Cliff Hayes wrote

How can I override this?  Or is that a bad idea for other reasons?


score ALL_TRUSTED 0.01
score NO_RELAYS 0.01

but as I can see you use mimedefang, which has an independent networking
setup for what not to scan


if its sent to mimedefang its scanned in sa


--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Emin Akbulut
I knew what you mentioned, I mean do they use same engine, algorithm,
you name it...  I think that If both use same Perl code then
the only remaining difference is User_Prefs like things...


BTW, I want to thank you all who spent time and answered us here,
passionately : ) I felt I'm not alone here and live with same addiction
to both solve own & other's problems. Thank you people!!!




On Fri, Jul 16, 2010 at 7:34 PM, Martin Gregorie mar...@gregorie.org wrote:

 On Fri, 2010-07-16 at 18:07 +0300, Emin Akbulut wrote:
  I've stopped the mail server MTA while I was testing, so spamd
  has checked only one message at same time.
  It looks totally random : )
 
 
  Is the only difference between spamassassin.exe & spamd.exe
  their very own User_Prefs config files?
 
 No.

 spamassassin processes one message and quits - it's meant to be used in a
 script or a procmail recipe.

 spamd is a server that processes many messages sent to it by spamc
 during its lifetime. Spamc does the following for every message:
receives a message to scan via stdin
opens a connection to spamd
sends the message to spamd
receives the annotated message back from spamd
closes the connection
writes the annotated message to stdout

 IOW, if you develop a script or pipeline using spamassassin you can
 replace it with spamc and the script will work just as before but faster
 (assuming you've started spamd!)


 Martin





How to block a network

2010-07-16 Thread Igor Chudov
I receive a large number of spams from network IPs belonging to
SharkTech, 70.39.69.99 or so and so on.

They advertise romantic encounters with people born prior to 50 years
ago, small increment auxions, ability to borrow money using house as
collateral, and other scams. Examples are here:

http://igor.chudov.com/tmp/spam011.txt

I am being hit pretty badly and feel annoyed.

How can I write a rule to blacklist a whole IP subnet.

Any ideas?

If anyone knows what I am doing wrong so that these spams do not
score, please let me know. I am using Ubuntu Lucid, which is pretty
recent.


Re: How to block a network

2010-07-16 Thread Karsten Bräckelmann
Block? In your MTA. Reject them based on the connecting IP.

On Fri, 2010-07-16 at 14:07 -0500, Igor Chudov wrote:
 I receive a large number of spams from network IPs belonging to
 SharkTech, 70.39.69.99 or so and so on.

 I am being hit pretty badly and feel annoyed.
 
 How can I write a rule to blacklist a whole IP subnet.

  spamassassin -D < spam.msg 2>&1 | grep X-Spam-Relays-Untrusted

Write a rule, that hits on that. Every relay is enclosed in square
brackets, so using /[^\]]+/ instead of /.+/ will prevent deep parsing,
if you want to match the rdns or helo, for example.

  header SHARKTECH  X-Spam-Relays-Untrusted =~ /^\[ ip=70\.39\.69\./

Changing the RE part for the IP to actually match the entire
70.39.64.0/18 network, or whatever you feel appropriate, is left as an
exercise to the OP. :)

Another option might be to use a wildcard blacklist, with the rDNS of
the sender. See the docs for details.

  blacklist_from_rcvd  * rdns.example.net


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: First run score: 25.7 Second: 2.6

2010-07-16 Thread Martin Gregorie
On Fri, 2010-07-16 at 21:50 +0300, Emin Akbulut wrote:
 I knew what you mentioned, I mean do they use same engine,
 algorithm, you name it...

That's a developer question, but I'd be surprised if it doesn't. The
Linux spamd executable is just a Perl script with the usual executable
script's first line, '#!/usr/bin/perl -T -w'


Martin




Re: How to block a network

2010-07-16 Thread Ned Slider

On 16/07/10 20:07, Igor Chudov wrote:

I receive a large number of spams from network IPs belonging to
SharkTech, 70.39.69.99 or so and so on.

They advertise romantic encounters with people born prior to 50 years
ago, small increment auxions, ability to borrow money using house as
collateral, and other scams. Examples are here:

http://igor.chudov.com/tmp/spam011.txt

I am being hit pretty badly and feel annoyed.

How can I write a rule to blacklist a whole IP subnet.

Any ideas?

If anyone knows what I am doing wrong so that these spams do not
score, please let me know. I am using Ubuntu Lucid, which is pretty
recent.



To score in SpamAssassin, you could try something like:

header    RCVD_FROM_70_39_69  Received =~ /\[70\.39\.69\.\d{1,3}/
score     RCVD_FROM_70_39_69  1.0
describe  RCVD_FROM_70_39_69  Received from 70.39.69.0/24

Obviously this is easier for /16, /24 subnets etc.

However, I would not bother scoring these hits in SA, but would rather 
block at the MTA level. Assuming you are running Postfix (as you're 
using Ubuntu), you can create a cidr format table to blacklist/whitelist 
IP addresses in cidr notation at the smtp level. For example, add to 
your smtpd_recipient_restrictions:


   check_client_access cidr:/etc/postfix/client.cidr

and create an /etc/postfix/client.cidr file like so:

# /etc/postfix/client.cidr
#
# See http://www.postfix.org/cidr_table.5.html
# *** No need to postmap this table ***
#
# Black/Whitelist for client IP addresses
#

70.39.69.99 REJECT
70.39.69.0/24   REJECT

and issue 'postfix reload' to pick up the changes.

Hope that helps.
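
Karsten leaves widening the rule to 70.39.64.0/18 as an exercise, and Ned notes that only /16 and /24 are easy by hand. The following is an added example, not code from anyone in the thread: it builds the anchored X-Spam-Relays-Untrusted regex for any IPv4 CIDR and cross-checks it against Python's ipaddress module. The function names, the rule name and the sample relay strings are constructed for illustration.

```python
import ipaddress
import re

def octet_regex(lo, hi):
    """Regex fragment matching one decimal octet in lo..hi inclusive."""
    if (lo, hi) == (0, 255):
        return r"\d{1,3}"
    if lo == hi:
        return str(lo)
    return "(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")"

def cidr_to_relay_regex(cidr):
    """Regex matching the first (connecting) untrusted relay's ip= inside cidr."""
    # strict=True rejects input with host bits set, e.g. 70.39.69.99/18
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    bounds = zip(net.network_address.packed, net.broadcast_address.packed)
    octets = [octet_regex(lo, hi) for lo, hi in bounds]
    # The trailing space ends the ip= field: with a partial last octet,
    # 70.39.69.200 must not pass as 70.39.69.2 or 70.39.69.20.
    return r"^\[ ip=" + r"\.".join(octets) + " "

def sa_rule(name, cidr, score):
    """Emit header/score/describe lines in the style used in the thread."""
    return (f"header   {name}  X-Spam-Relays-Untrusted =~ /{cidr_to_relay_regex(cidr)}/\n"
            f"score    {name}  {score}\n"
            f"describe {name}  First untrusted relay in {cidr}")

# Constructed X-Spam-Relays-Untrusted values (illustrative, not from the thread).
TAIL = " rdns=a.example.net helo=a.example.net by=mx.example.org ident= envfrom= intl=0 id=1A2B auth= msa=0 ]"
SAMPLES = ["[ ip=" + ip + TAIL for ip in
           ("70.39.69.99", "70.39.64.0", "70.39.127.255", "70.39.128.1",
            "70.39.63.255", "70.39.6.4", "170.39.69.99")]
# An in-range address that is only the second relay must not hit the ^ anchor.
SAMPLES.append("[ ip=192.0.2.10" + TAIL + " [ ip=70.39.69.99" + TAIL)

def cross_check(cidr, samples=SAMPLES):
    """Return (first_relay_ip, regex_hit, in_network) for each sample."""
    rx = re.compile(cidr_to_relay_regex(cidr))
    net = ipaddress.ip_network(cidr)
    out = []
    for s in samples:
        ip = ipaddress.ip_address(s.split("ip=")[1].split()[0])
        out.append((str(ip), bool(rx.search(s)), ip in net))
    return out

if __name__ == "__main__":
    print(sa_rule("RCVD_FROM_70_39_64_18", "70.39.64.0/18", "1.0"))
    for row in cross_check("70.39.64.0/18"):
        print(row)
```

The generated pattern is only as good as the trusted_networks/internal_networks settings that decide which relay appears first in X-Spam-Relays-Untrusted, so check that pseudo-header with the -D output before relying on the rule.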



Re: [sa] How to block a network

2010-07-16 Thread Charles Gregory

On Fri, 16 Jul 2010, Igor Chudov wrote:

I receive a large number of spams from network IPs belonging to
SharkTech, 70.39.69.99 or so and so on.


Does Ubuntu use 'iptables' firewall? Throw it in there, and
forget even the wasted initial SMTP connections.

- C


Re: [sa] How to block a network

2010-07-16 Thread John Hardin

On Fri, 16 Jul 2010, Charles Gregory wrote:


On Fri, 16 Jul 2010, Igor Chudov wrote:

 I receive a large number of spams from network IPs belonging to
 SharkTech, 70.39.69.99 or so and so on.


Does Ubuntu use 'iptables' firewall? Throw it in there, and
forget even the wasted initial SMTP connections.


Better still, do what I would do and tarpit them.

http://www.impsec.org/~jhardin/antispam/spammer-firewall

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws aren't enacted to control guns, they are enacted
  to control people: catholics (1500s), japanese peasants (1600s),
  blacks (1860s), italian immigrants (1911), the irish (1920s),
  jews (1930s), blacks (1960s), the poor (always)
---
 Today: the 65th anniversary of the dawn of the Atomic Age


Re: spamc max size limit (was: Re: spamc client always returning 0/0)

2010-07-16 Thread Gnanam


Karsten Bräckelmann-2 wrote:
 
 Bottom line: Keep your max size limit sane. No kidding.

Thank you very much for your valuable comment/recommendation on this.  That
makes sense.
-- 
View this message in context: 
http://old.nabble.com/spamc-client-always-returning-0-0-tp29173280p29189631.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Stability of spamassassin command-line tool

2010-07-16 Thread Gnanam

Thank you all experts for your valuable ideas/opinions on this topic.
-- 
View this message in context: 
http://old.nabble.com/Stability-of-spamassassin-command-line-tool-tp29171831p29189632.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.