Re: [SAtalk] SpamAssassin with Pyzor & DCC using Qmail-Scanner

Sat, 06 Sep 2003 10:55:08 -0700 

After testing, I am convinced this has something to do with running spam
assassin in daemon mode.  (Not a problem with SA, my configuration).  Here
is the command I am using to start the daemon:

/usr/bin/spamd --debug -x -L -u spamc

The spamc user does exist and its home directory is /opt/spamassassin.  When
I issue the spamc command manually, it does not user pyzor or dcc.  Any
thoughts?


Cheers,
  matthew


> From: Matthew Edward Porter <[EMAIL PROTECTED]>
> Date: Fri, 05 Sep 2003 16:08:40 -0500
> To: <[EMAIL PROTECTED]>
> Subject: [SAtalk] SpamAssassin with Pyzor & DCC using Qmail-Scanner
> 
> Greetings.  I apologize if this has been asked before or if there is
> documentation on this subject.  I was unable to find any via Google or mail
> archives.
> 
> I currently have qmail-scanner installed with ClamAV and SpamAssassin.  All
> the components are working properly.  Clamd and spamd is running as service
> daemons.  Clam is working perfectly.  SpamAssassin's internal checker is
> working perfectly.  Both are being called correctly from qmail-scanner.
> 
> I would like to step up SpamAssasssin's accuracy by utilizing Pyzor & DCC
> but am having sincere difficulty.  The problem is that SA is not performing
> the Pyzor & DCC checks when using QS.  It works perfectly when I execute it
> on the shell using:
> 
> spamassassin -P -t -D < 1062735534.19025.morpheus
> 
> 
> Below is a good chunk of information from log and configuration files.
> Anybody have any guesses, theories, and/or ideas?  Thanks in advance!
> 
> 
> Cheers,
>  matthew
> 
> 
> 
> 
> VERSIONS
> Qmail-Scanner: 1.20rc3
> ClamAV: 0.60
> SpamAssassin: 2.55
> 
> 
> /etc/mail/spamassassin/local.cf
> skip_rbl_checks 1
> required_hits 5
> auto_report_threshold 30
> rewrite_subject 0
> report_header 1
> use_terse_report 1
> defang_mime 0
> dns_available yes
> use_dcc 1
> dcc_add_header 1
> use_pyzor 1
> pyzor_add_header 1
> always_add_report 1
> 
> 
> SPAMASSASSIN LOG
> 2003-09-05 16:01:24.630841500 logmsg: connection from localhost [127.0.0.1]
> at port 43656
> 2003-09-05 16:01:24.645354500 logmsg: processing message
> <[EMAIL PROTECTED]> for qscand:351.
> 2003-09-05 16:01:24.649457500 debug: bayes: 29889 tie-ing to DB file R/O
> /opt/spamassassin/.spamassassin/bayes_toks
> 2003-09-05 16:01:24.650583500 debug: bayes: 29889 tie-ing to DB file R/O
> /opt/spamassassin/.spamassassin/bayes_seen
> 2003-09-05 16:01:24.651115500 debug: debug: Only 1 spam(s) in Bayes DB < 200
> 2003-09-05 16:01:24.651174500 debug: bayes: 29889 untie-ing
> 2003-09-05 16:01:24.651203500 debug: bayes: 29889 untie-ing db_toks
> 2003-09-05 16:01:24.651455500 debug: bayes: 29889 untie-ing db_seen
> 2003-09-05 16:01:24.651856500 debug: running header regexp tests; score so
> far=0
> 2003-09-05 16:01:24.663326500 debug: running body-text per-line regexp
> tests; score so far=0
> 2003-09-05 16:01:24.679329500 debug: running raw-body-text per-line regexp
> tests; score so far=0
> 2003-09-05 16:01:24.679949500 debug: running uri tests; score so far=0
> 2003-09-05 16:01:24.680139500 debug: uri tests: Done uriRE
> 2003-09-05 16:01:24.680868500 debug: running full-text regexp tests; score
> so far=0
> 2003-09-05 16:01:24.682803500 debug: all '*From' addrs: [EMAIL PROTECTED]
> 2003-09-05 16:01:24.683607500 debug: all '*To' addrs:
> [EMAIL PROTECTED]
> 2003-09-05 16:01:24.683961500 debug: forged_rcvd_trail: entry 0:
> by=metissian.com from=(undef) mismatches=0
> 2003-09-05 16:01:24.684026500 debug: forged_rcvd_trail: entry 1: by=mac.com
> from=mac.com mismatches=0
> 2003-09-05 16:01:24.686975500 debug: running meta tests; score so far=0
> 2003-09-05 16:01:24.687722500 debug: auto-learn? safety=4, ham=-2, spam=15,
> body-hits=0, head-hits=0
> 2003-09-05 16:01:24.687749500 debug: auto-learn: currently using scoreset 0.
> no need to recompute.
> 2003-09-05 16:01:24.687769500 debug: auto-learn? no: inside auto-learn
> thresholds or safety zone around required_hits
> 2003-09-05 16:01:24.687857500 debug: is spam? score=0 required=5
> tests=USER_AGENT_APPLEMAIL
> 2003-09-05 16:01:24.692358500 logmsg: clean message (0.0/5.0) for qscand:351
> in 0.1 seconds, 137145 bytes.
> 2003-09-05 16:01:24.692653500 debug: bayes: 29889 untie-ing
> 
> 
> QMAIL-SCANNER LOG
> Fri, 05 Sep 2003 16:01:24 -0500:29880: +++ starting debugging for process
> 29880 by uid=89 at Fri, 05 Sep 2003 16:01:24 -0500
> Fri, 05 Sep 2003 16:01:24 -0500:29880: setting UID to EUID so subprocesses
> can access files generated by this script
> Fri, 05 Sep 2003 16:01:24 -0500:29880: program name is
> qmail-scanner-queue.pl, version 1.20rc3
> Fri, 05 Sep 2003 16:01:24 -0500:29880: incoming SMTP connection from via
> smtp from 17.250.248.89
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: mkdir
> /var/spool/qmailscan/morpheus106279568445629880
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: start dumping incoming msg into
> /var/spool/qmailscan/working/tmp/morpheus106279568445629880
> [1062795684.26177]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: primary Content-Type of
> multipart/mixed found
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: found a top-level boundary
> definition of Apple\-Mail\-6\-736610710
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment  1: Content-Type of
> text/plain found
> Fri, 05 Sep 2003 16:01:24 -0500:29880: found C-T attachment filename
> clamdoc.pdf
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment  2: Content-Type of
> application/pdf found
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/morpheus106279568445629880 to
> /var/spool/qmailscan/working/new/morpheus106279568445629880
> [1062795684.59236]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: starting
> /usr/local/bin/reformime  -x/var/spool/qmailscan/morpheus106279568445629880/
> </var/spool/qmailscan/working/new/morpheus106279568445629880
> [1062795684.59263]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: finished
> /usr/local/bin/reformime  -x/var/spool/qmailscan/morpheus106279568445629880/
> [1062795684.6086]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Checking all attachments to see
> if they're MS-TNEF
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
> /var/spool/qmailscan/morpheus106279568445629880/clamdoc.pdf is a TNEF file?:
> 256 [1062795684.61052]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
> /var/spool/qmailscan/morpheus106279568445629880/1062795684.29882-0.morpheus
> is a TNEF file?: 256 [1062795684.61237]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Manually unpack any zip files as
> some virus scanners don't do zip under Unix!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: unpacking message took 0.02006
> seconds
> Fri, 05 Sep 2003 16:01:24 -0500:29880: unsetting QMAILQUEUE env var
> Fri, 05 Sep 2003 16:01:24 -0500:29880: g_e_h: return-path is
> "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
> Fri, 05 Sep 2003 16:01:24 -0500:29880: from="Matthew E. Porter"
> <[EMAIL PROTECTED]>,subj=pyzor/dcc test 1,
> x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
> via smtp from 17.250.248.89
> Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: start scanning
> Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: recursively scan the
> directory /var/spool/qmailscan/morpheus106279568445629880/
> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: starting scan of directory
> "/var/spool/qmailscan/morpheus106279568445629880"...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
> scanner=clamuko_scanner,plain_text_msg=0
> Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: starting scan of directory
> "/var/spool/qmailscan/morpheus106279568445629880"...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: run /opt/clamav/bin/clamdscan -r
> --disable-summary --max-recursion=10 --max-space=1000000
> /var/spool/qmailscan/morpheus106279568445629880 2>&1
> Fri, 05 Sep 2003 16:01:24 -0500:29880: --output of clamuko was:
> /var/spool/qmailscan/morpheus106279568445629880: OK
> --
> Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: finished scan of dir
> "/var/spool/qmailscan/morpheus106279568445629880" in 0.010678 secs
> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
> scanner=spamassassin,plain_text_msg=0
> Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: run /usr/bin/spamc  -f <
> /var/spool/qmailscan/working/new/morpheus106279568445629880
> Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: overwriting
> /var/spool/qmailscan/working/new/morpheus106279568445629880 with
> /var/spool/qmailscan/working/new/morpheus106279568445629880.spamc
> Fri, 05 Sep 2003 16:01:24 -0500:29880: spamassassin: finished scan of dir
> "/var/spool/qmailscan/morpheus106279568445629880" in 0.085642 secs
> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: finished scan of
> "/var/spool/qmailscan/morpheus106279568445629880"...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: starting scan of directory
> "/var/spool/qmailscan/morpheus106279568445629880"...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '81:ILOVEYOU' = 'Virus-subject'
> = 'Love Letter Virus/Trojan'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> subject: ILOVEYOU
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '82:message/partial.*' =
> 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> content-type: message/partial.*
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '85:.{100,}' = 'Virus-date' =
> 'MIME Header Buffer Overflow'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> date: .{100,}
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '86:.{100,}' =
> 'Virus-mime-version' = 'MIME Header Buffer Overflow '
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> mime-version: .{100,}
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '87:.{100,}' =
> 'Virus-resent-date' = 'MIME Header Buffer Overflow'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> resent-date: .{100,}
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:
> '90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> e.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JGQZC
> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|cxkawog@
> krovatka.net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> to: 
> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|
> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> m|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> cite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> atka.net|[EMAIL PROTECTED]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'eicar.com' = '69' = 'EICAR
> Test Virus'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'happy99.exe' = '10000' =
> 'Happy99 Trojan'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'zipped_files.exe' = '120495' =
> 'W32/ExploreZip.worm.pak virus'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
> perlscanner database...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
> to clamdoc.pdf and has extension .pdf
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
> perlscanner database
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: skipping auto-generated file
> 1062795684.29882-0.morpheus
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
> perlscanner database...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
> to clamdoc.pdf and has extension .pdf
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
> perlscanner database
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  finished scan of dir
> "/var/spool/qmailscan/morpheus106279568445629880" in 0.002922 secs
> Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: scanning message took
> 0.099788 seconds
> Fri, 05 Sep 2003 16:01:24 -0500:29880: q_r: fork off child into
> /var/qmail/bin/qmail-queue...
> Fri, 05 Sep 2003 16:01:24 -0500:29890: q_r: xstatus=0
> Fri, 05 Sep 2003 16:01:24 -0500:29880: cleanup: /bin/rm -rf
> /var/spool/qmailscan/morpheus106279568445629880/
> /var/spool/qmailscan/working/new/morpheus106279568445629880
> 05/09/2003 16:01:24:29880: all finished. Total of 0.563409 secs
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
> 



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to