Re: Differing scores on spamassassin checks
I would like to thank everyone for your responses, they have been great. This maillist has not failed to help me improve things every time I use it.

So this particular server has virtual domains and virtual users in a folder hierarchy there under all owned by 'vmail' user. I have done the following:

1) Installed a SiteWideBayesSetup config _without_ the 0777 set which seems to work for all virtual users regardless of their virtual domain.
2) Config'd mail folders to be created in the mail folder hierarchy under each user called .SpamLearn with a subfolder of .Learned.
3) Setup a cron to run periodically under user 'vmail' perusing all .SpamLearn folders and running sa-learn using the 'vmail' user on those found subsequently moving them to the corresponding .Learned folders.

In this way, any user can move a mail to their .SpamLearn folder and it will get learned. Have I had too many beers ? or not enough ?

The problem I immediately see is that I get one big bayes of everyone and a 'one for all, all for one' bayes config. I would like to configure SA to be able to deal with the virtual users individually somehow but don't know if it can (and requires source analysis).

In any event, it seems to be working pretty well and most all of the spam is apparently getting caught. And no 'root' involvement...

Thanks to all respondents.
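One way the cron job in step 3 could look, as an added example that is not the poster's script. The folder layout, the SA_LEARN override and the /var/vmail path are assumptions; `--spam`, `--no-sync` and `--sync` are standard sa-learn options.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed layout: <root>/<domain>/<user>/.SpamLearn/{cur,new} holds mail to
# learn; learned mail is moved to <...>/.SpamLearn/.Learned/cur.
# SA_LEARN is a hypothetical override for the sa-learn command.
SA_LEARN="${SA_LEARN:-sa-learn}"

# Learn every message under each .SpamLearn folder below $1 as spam.
# Prints the original path of each message that was learned and moved.
learn_spam_folders() {
    root="$1"
    find "$root" -type d -name .SpamLearn | while IFS= read -r box; do
        dest="$box/.Learned/cur"
        mkdir -p "$dest" || continue
        for msg in "$box"/cur/* "$box"/new/*; do
            # Skip unmatched globs, directories and symlinks.
            [ -f "$msg" ] && [ ! -L "$msg" ] || continue
            # --no-sync defers the journal merge until all mail is learned.
            if "$SA_LEARN" --no-sync --spam "$msg" >/dev/null; then
                mv -- "$msg" "$dest/" && printf '%s\n' "$msg"
            else
                echo "sa-learn failed, left in place: $msg" >&2
            fi
        done
    done
    "$SA_LEARN" --sync >/dev/null || echo "sa-learn --sync failed" >&2
}

# Run from cron as the mail owner, e.g.: learn-spam.sh /var/vmail
if [ "$#" -ge 1 ]; then
    # The thread's advice: sa-learn should not run as root.
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run as root" >&2
        exit 1
    fi
    learn_spam_folders "$1" | wc -l
fi
```

A message is moved only after sa-learn reports success, so a failed run leaves it in .SpamLearn for the next pass.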
Re: Differing scores on spamassassin checks
Well, now I am more thoroughly confused than usual. #:)

On 4/15/18 2:04 PM, RW wrote:
> On Sun, 15 Apr 2018 13:39:31 -0500 Computer Bob wrote:
>> Update:
>> For this location, it is ok to have a central bayes database, so I turned off AWL, adjusted local.cf to contain:
>> bayes_path /Central_Path/bayes_db/bayes
>> bayes_file_mode 0777
>
> Don't set 0777. If that's still in the wiki someone with access should remove it.

So is the SiteWideBayesSetup ok to run without the 0777 ?

> All setting bayes_path buys you here is the ability to run sa-learn and spamassassin as root, something you should *never* do anyway.

This seems contrary to https://wiki.apache.org/spamassassin/SiteWideBayesSetup does it not ? Why should sa-learn not be run as root ?

> If you run spamd as the unix user spamd, with "-u spamd", then spamd looks for files in ~spamd which is where it was finding them when you (correctly) ran spamassassin as spamd.

The /etc/init.d/spamassassin init script is not starting spamd with -u, it is only -D but clearly mail processing in the logs show:

Apr 16 17:31:13 M1-2 spamd[3926]: spamd: connection from localhost [127.0.0.1]:49938 to port 783, fd 5
Apr 16 17:31:13 M1-2 spamd[3926]: spamd: setuid to spamd succeeded <---changing here***
Apr 16 17:31:13 M1-2 spamd[3926]: spamd: processing message for spamd:1001
Apr 16 17:31:13 M1-2 postfix/smtpd[4248]: disconnect from mail.microcenter.com[66.194.187.30] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 16 17:31:19 M1-2 spamd[3926]: spamd: clean message (1.7/4.0) for spamd:1001 in 6.0 seconds, 30321 bytes.

This setup is running all virtual users and virtual domains via mysql and the logs show mail traversing the spamd daemon. The spamd daemon is running as user spamd and does seem to be using the SiteWide files specified.
Re: Differing scores on spamassassin checks
Here is a root scan: https://pastebin.com/qdXMRzKb
Here is the same run under spamd: https://pastebin.com/SvvYptYv

On 4/15/18 11:34 AM, Computer Bob wrote:
> Greeting all,
> I have had some issues with spam getting low scores and in troubleshooting I have found that if I run a command line check with "spamassassin -D -x < test" on a mail in question, I get a very high score when run under user root. When run under user spamd it gets a low passing score. This is on obvious spam mail.
> Any advice on how to determine what is the difference ?
Differing scores on spamassassin checks
Greeting all,

I have had some issues with spam getting low scores and in troubleshooting I have found that if I run a command line check with "spamassassin -D -x < test" on a mail in question, I get a very high score when run under user root. When run under user spamd it gets a low passing score. This is on obvious spam mail.

Any advice on how to determine what is the difference ?
Re: Scoring Issues
Thank you,
Yes, DCC Razor and Pyzor are installed and running. I will look into your other suggestions and let you know.

On 1/30/18 1:37 PM, David Jones wrote:
> On 01/30/2018 11:47 AM, Computer Bob wrote:
>> Also:
>> I modified the following SA local.cf items:
>> ---
>> # Add *SPAM* to the Subject header of spam e-mails
>> #
>> rewrite_header Subject *SPAM*      < Uncommented
>> # Use Bayesian classifier (default: 1)
>> #
>> use_bayes 1      < Uncommented
>> # Bayesian classifier auto-learning (default: 1)
>> #
>> bayes_auto_learn 1      < Uncommented
>> # Set headers which may provide inappropriate cues to the Bayesian
>> # classifier
>> #
>> # bayes_ignore_header X-Bogosity
>> # bayes_ignore_header X-Spam-Flag
>> # bayes_ignore_header X-Spam-Status
>> ---
>> I added the following:
>> ---
>> #dcc
>> use_dcc 1
>> dcc_path /usr/local/bin/dccproc
>> #pyzor
>> use_pyzor 1
>> pyzor_path /usr/bin/pyzor
>> #razor
>> use_razor2 1
>> razor_config /etc/razor/razor-agent.conf
>> --
>> I also copied the current KAM.cf to the /etc/spamassassin folder.
>> Any further suggestions ?
>
> Did you actually install DCC, Razor, and Pyzor? Are you seeing any DCC, RAZOR, and PYZOR rule hits in your mail logs?
>
> Train your Bayes properly so you see BAYES_XX hits in your mail logs and bump up your BAYES_XX scores a little on both ends.
>
> Search the SA archives for recent tuning suggestions:
> - Add senderscore.org RBL
> - Add Lashback RBL
>
> Adjust MailSpike scores on the whitelist (negative) side:
> http://mailspike.org/usage.html
>
> If you are running Postfix as your MTA definitely enable postscreen with RBL weighting:
> https://lists.gt.net/spamassassin/users/199347
>
> Enable greylisting in your MTA like SQLgrey.
Re: Scoring Issues
Also:
I modified the following SA local.cf items:
---
# Add *SPAM* to the Subject header of spam e-mails
#
rewrite_header Subject *SPAM*      < Uncommented
# Use Bayesian classifier (default: 1)
#
use_bayes 1      < Uncommented
# Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 1      < Uncommented
# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
---
I added the following:
---
#dcc
use_dcc 1
dcc_path /usr/local/bin/dccproc
#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf
--
I also copied the current KAM.cf to the /etc/spamassassin folder.
Any further suggestions ?

On 1/30/18 11:31 AM, Computer Bob wrote:
> Follow-up,
> I did a dist-upgrade to Ubuntu 16.04 LTS and the process whacked the SA bad. Removal and purging of SA was necessary and a fresh reinstall brought it back. It is currently "factory fresh".
> Still my problems persist, I am pursuing this via the Amavis mail list as command line calls to SA seem to indicate that it is ok.
Re: Scoring Issues
Follow-up, I did a dist-upgrade to Ubuntu 16.04 LTS and the process whacked the SA bad. Removal and purging of SA was necessary and a fresh reinstall brought it back. It is currently "factory fresh". Still my problems persist, I am pursuing this via the Amavis mail list as command line calls to SA seem to indicate that it is ok.
Re: Scoring Issues
My understanding is that spamassassin is configured for razor and uribl. amavisd-new is configured to call spamassassin so is spamassassin not doing the sub calls ? I see no docs on configuring razor directly in amavis. If you could tell me what to look for it would be appreciated.

On 1/26/18 4:20 PM, John Hardin wrote:
> On Fri, 26 Jan 2018, b...@inter-control.com wrote:
>> Oh, here is the X-SPAM status from the command line:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on M1-2.dettenwanger.inter-control.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
>>     RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
>>     URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no
>>     version=3.4.0
>> MIME-Version: 1.0
>>
>> Bob
>
> RAZOR and URIBL hits. Is amavis perhaps configured to disable network tests?
>
>> On 1/26/18 2:48 PM, David Jones wrote:
>>> On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
>>>> The headers that get through are usually along the lines of:
>>>>
>>>> X-Spam-Flag: NO
>>>> X-Spam-Score: -1.999
>>>> X-Spam-Level:
>>>> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
>>>>     tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
>>>>     T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
>>>>     autolearn_force=no
Re: Scoring Issues
Ok, I will look now, what am I looking for ?

On 1/26/18 4:20 PM, John Hardin wrote:
> On Fri, 26 Jan 2018, b...@inter-control.com wrote:
>> Oh, here is the X-SPAM status from the command line:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on M1-2.dettenwanger.inter-control.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
>>     RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
>>     URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no
>>     version=3.4.0
>> MIME-Version: 1.0
>>
>> Bob
>
> RAZOR and URIBL hits. Is amavis perhaps configured to disable network tests?
>
>> On 1/26/18 2:48 PM, David Jones wrote:
>>> On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
>>>> The headers that get through are usually along the lines of:
>>>>
>>>> X-Spam-Flag: NO
>>>> X-Spam-Score: -1.999
>>>> X-Spam-Level:
>>>> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
>>>>     tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
>>>>     T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
>>>>     autolearn_force=no
Re: Scoring Issues
I did not think so, but will check another day. 15 hours is enough for today.

On 1/26/18 4:20 PM, John Hardin wrote:
> On Fri, 26 Jan 2018, b...@inter-control.com wrote:
>> Oh, here is the X-SPAM status from the command line:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on M1-2.dettenwanger.inter-control.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
>>     RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
>>     URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no
>>     version=3.4.0
>> MIME-Version: 1.0
>>
>> Bob
>
> RAZOR and URIBL hits. Is amavis perhaps configured to disable network tests?
>
>> On 1/26/18 2:48 PM, David Jones wrote:
>>> On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
>>>> The headers that get through are usually along the lines of:
>>>>
>>>> X-Spam-Flag: NO
>>>> X-Spam-Score: -1.999
>>>> X-Spam-Level:
>>>> X-Spam-Status: No, score=-1.999 tagged_above=- required=5
>>>>     tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
>>>>     T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
>>>>     autolearn_force=no
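The two X-Spam-Status headers quoted in the Scoring Issues thread can be compared mechanically; the following is an added example, not code from any poster. It lists rules that fired in one scan but not the other and counts hits from network-dependent rule families (the prefix list is an assumption). The result is only conclusive when both headers come from the same message scanned both ways.

```shell
#!/bin/sh
# Added example, not from the thread. The sample headers are the two
# X-Spam-Status values quoted in the thread, embedded as sample input.
CLI_HEADER='X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
    RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
    URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no
    version=3.4.0'
AMAVIS_HEADER='X-Spam-Status: No, score=-1.999 tagged_above=- required=5
    tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
    T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
    autolearn_force=no'

# Print the rule names from an X-Spam-Status header on stdin, one per line.
# Handles both "tests=A,B" and amavis-style "tests=[A=0.1, B=-1]".
status_tests() {
    tr '\n\t' '  ' |
    sed -n -e 's/, */,/g' -e 's/.*tests=\([^ ]*\).*/\1/p' |
    tr ',' '\n' |
    sed -e 's/[][]//g' -e 's/=.*//' -e '/^$/d' |
    sort -u
}

# Rules present in header text $1 but absent from header text $2.
only_in_first() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    printf '%s\n' "$1" | status_tests >"$a"
    printf '%s\n' "$2" | status_tests >"$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Count hits from rule families that need network lookups.
# The prefix list is an assumption: Razor, Pyzor, DCC, URIBL and DNSBL rules.
network_hits() {
    printf '%s\n' "$1" | status_tests |
        grep -c -E '^(RAZOR2|PYZOR|DCC|URIBL|RCVD_IN)_' || true
}

echo "Rules only in the command-line run:"
only_in_first "$CLI_HEADER" "$AMAVIS_HEADER"
echo "Network rule hits: cli=$(network_hits "$CLI_HEADER") amavis=$(network_hits "$AMAVIS_HEADER")"
```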