[sniffer] Re: SNF4SA - Message Sniffer Antispam Plugin for SpamAssassin

2009-05-15 Thread Dan Horne 
Sorry, forgot to CC all:

No the weight=1 issue is not yet resolved.  In fact, I have been able to
determine that snf4sa is actually querying snfserver properly.  I
removed the old plugin so only snf4sa is loaded by SA.  I then tailed
the sniffer log and see items like this continuing to scroll by:







Note the path to the temp file /tmp/snf4sa/
That tells me that everything is working properly except the returning
of the score to SA.

I have tried running test messages through SA manually and the SNF4SA
headers get inserted properly, but I haven't yet run through a message
that sniffer identified as spam.  I will attempt to get one of those and
run it through SA manually to see if SNF4SA returns the correct weight
when it identifies the spam.

I will also join the amavisd-new list and see if anyone there can shed
some light.

Dan Horne
TAIS
Director of Operations
www.taisweb.net
supp...@taisweb.net 
828.252.TAIS (8247)


> -Original Message-
> From: Pete McNeil [mailto:madscient...@armresearch.com]
> Sent: Thursday, May 14, 2009 6:27 PM
> To: Alban Deniz
> Cc: Dan Horne
> Subject: Re: [sniffer] Re: SNF4SA - Message Sniffer Antispam Plugin
for
> SpamAssassin
> 
> Alban Deniz wrote:
> 
> 
> > > 1) I'll look at the SA3 and SNF4SA plugins to see if I can
determine the
> > > reason for the timeout, and a solution. Pete mentioned that one
major
> > > difference is that SNF4SA uses a TCP connection to communicate
with
> > > SNFServer, while SA3 uses SNFClient.
> >
> >
> > The only possibility I can think of is that the snf4sa plugin
doesn't
> > wait long enough when running under amavisd-new. The timeout in
snf4sa
> > is set to 1 second, which is long enough when snf4sa is run by the
> > spamassassin command line. It might not be long enough when running
> > under amavisd-new. I don't think this is the problem. However, if
you
> > don't mind trying a longer timeout, here's how to change it: Edit
> > snf4sa.pm, changing line 72 from
> >
> >
> > $self->{SNF_Timeout} = 1;
> >
> >
> > to
> >
> >
> > $self->{SNF_Timeout} = 10;
> >
> >
> > Of course, a 10 second delay to process an email is unacceptable;
this
> > would simply point us in the right direction. Please let me know if
> > can try this.
> Hey guys...
> 
> The timeout used in the SNFClient is on the order of 30 seconds--- 10
to
> get a connection, 20 more to get an answer. When a system is busy it
can
> take a few seconds for other requests that have already started to be
> processed. The overall throughput is much higher than the individual
> message timeout may suggest.
> 
> I recommend allowing at least 10 seconds -- though 30 might be more
> appropriate.
> 
> Note also that I've seen SA itself take as long as 10-15 seconds to
> process a message (depending on conditions) and it is roughly nominal
to
> see it take 1 - 3 seconds per message in many configurations. SNF is
> usually much quicker -- but we can't make assumptions about what else
> may be happening on the system at any moment -- especially during
> start-up conditions where incoming messages might be queued elsewhere
> and ready to cause a rush.
> 
> Also -- isn't it reasonable that if SNF4SA does timeout it should
> provide a 0 weight instead of 1 ??
> 
> Is that issues resolved?
> 
> Thanks for keeping me in the loop.
> 
> _M



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to

[sniffer] Re: SNF4SA - Message Sniffer Antispam Plugin for SpamAssassin

2009-05-15 Thread Dan Horne 
OK, I found a message that Sniffer identified as spam and ran it through
SA manually and following are results:

[mail:/home/vmail/taisweb.net/archive_received/Maildir] 9:22am#
spamassassin --siteconfigpath=/usr/local/etc/mail/spamassassin -x -t
.jlee/new/1237155804.M27154P10624V005CI0051B175_0.mail.taisweb.net,S
=3981
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on
mail.taisweb.net
X-Spam-GBUdb-Analysis:  2, 67.131.25.27, Ugly c=0 p=0 Source New
X-Spam-Status: No, score=-1.8 required=5.0
tests=HABEAS_ACCREDITED_COI,SNF4SA,
URIBL_GREY autolearn=disabled version=3.2.1
X-Spam-SNF-Result: 62 (Obfuscation Techniques)
X-Spam-DCC: CollegeOfNewCaledonia: mail.taisweb.net 1189; Body=1 Fuz1=1
Fuz2=1
X-Spam-Level: 
X-Spam-MessageSniffer-Rules: 
62-469556-2307-2317-m
62-469556-4261-4271-m
62-469556-0-5994-f
X-Spam-MessageSniffer-Scan-Result: 
X-Original-To: archive_received+j...@taisweb.net
Delivered-To: archive_received+j...@taisweb.net
Received: from localhost (localhost.taisweb.net [127.0.0.1])
by mail.taisweb.net (Postfix) with ESMTP id D7B292B2C87
for ; Sun, 15 Mar 2009 18:23:23 -0400 (EDT)
X-Virus-Scanned: amavisd-new at taisweb.net
Received: from mx1.rmslink.net (mx1.rmslink.net [68.118.154.10])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.taisweb.net (Postfix) with ESMTP id 65A522B2C92
for ; Sun, 15 Mar 2009 18:23:20 -0400 (EDT)
Received: from platinum-smtp.infusionsoft.com
(blogsuccess.platinum-smtp.infusionsoft.com [67.131.25.27])
by mx1.rmslink.net (Postfix) with ESMTP id 1EBDC39824
for ; Sun, 15 Mar 2009 18:23:19 -0400 (EDT)
Received: from gil (unknown [10.3.0.124])
by smtp29.infusionsoft.com (Postfix) with ESMTP id 1B41B20841874
for ; Sun, 15 Mar 2009 18:23:19 -0400 (EDT)
Date: Sun, 15 Mar 2009 18:23:19 -0400 (EDT)
From: Jack Humphrey 
Sender: sys...@blogsuccess.com
To: j...@taisweb.net
Message-ID: <1429329783.1408551237155799111.javamail.tom...@gil>
Subject: J, this is BIG news!
Errors-To: sys...@blogsuccess.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
BatchId: 27269
X-BatchId: 27269
X-campaignid: infusion_blogsuccess27269
X-InfApp: blogsuccess
X-BBounce: blogsuccess_3812781
X-InfContact: 235195
X-InfSent: 3812781
Package: platinum
X-inf-package: platinum
X-inf-source: MailBatchFulfillRequest
X-MinStatusFlags: Double Opt-In
X-MaxStatusFlags: Double Opt-In
X-inf-uflags: Double Opt-In
X-inf-iflags: Double Opt-In
X-Virus-Scanned: ClamAV 0.94.2/9110/Sun Mar 15 01:06:44 2009 on
mx1.rmslink.net
X-Virus-Status: Clean

[SNIP.../]

Content preview:  J, I have some news to share with you. Some BIG news
Mike
  Filsaime has announced that he is GIVING AWAY 5000 Home Study courses
of Butterfly
   Marketing. [...] 

Content analysis details:   (-1.8 points, 5.0 required)

 pts rule name  description
 --
--
-8.0 HABEAS_ACCREDITED_COI  RBL: Habeas Accredited Confirmed Opt-In or
Better
[67.131.25.27 listed in
sa-accredit.habeas.com]
 6.0 SNF4SA Message Sniffer
 0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
[URIs: infusionsoft.com]

So the SNF4SA plugin is correctly returning the weight when run manually
through SA.  I will report this to the amavisd-new list to see if anyone
has any ideas.


Dan Horne
TAIS
Director of Operations
www.taisweb.net
supp...@taisweb.net 
828.252.TAIS (8247)


> -Original Message-
> From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of
> Dan Horne
> Sent: Friday, May 15, 2009 9:23 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: SNF4SA - Message Sniffer Antispam Plugin for
> SpamAssassin
> 
> Sorry, forgot to CC all:
> 
> No the weight=1 issue is not yet resolved.  In fact, I have been able
to
> determine that snf4sa is actually querying snfserver properly.  I
> removed the old plugin so only snf4sa is loaded by SA.  I then tailed
> the sniffer log and see items like this continuing to scroll by:
> 
> 
> 
> 
>  r='Normal'/>
> 
> 
> Note the path to the temp file /tmp/snf4sa/
> That tells me that everything is working properly except the returning
> of the score to SA.
> 
> I have tried running test messages through SA manually and the SNF4SA
> headers get inserted properly, but I haven't yet run through a message
> that sniffer identified as spam.  I will attempt to get one of those
and
> run it through SA manually to see if SNF4SA returns the correct weight
> when it identifies the spam.
> 
> I will also join the amavisd-new list and see if anyone there can shed
> some light.
> 
> Dan Horne
> TAIS
> Director of Operations
> www.taisweb.net
> supp...@taisweb.net
> 828.252.TAIS (8247)
> 
> 
> >