Re: SURBL and DNS wildcards
On Wednesday, November 17, 2004, 11:32:41 AM, Chris Santerre wrote:

That is correct, only the reg domains go in.

Yes, the goal is to list the registrar domains and also to check those in SURBL applications. The wildcarded parts of subdomains are usually ignored. We did that deliberately to ignore the entropy or unique identifiers they're trying to add in random or keyed FQDNs, and to get to the invariant part of their URI domains.

http://www.surbl.org/implementation.html

P.S. to Chris: Fry's does not appear to have JO:E as of 11/17. :-(

Jeff C.
--
Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
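The reduction described in the message above, as an added example that is not part of the original post and not SURBL's own code: URI hosts with random or keyed subdomains collapse to one registered domain before a list lookup name is built. The two-level suffix set, the sample URIs and the zone name `list.invalid` are constructed assumptions; IP-literal hosts are skipped here.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny set of suffixes under which names are
# registered at the third level. A real deployment needs a complete list.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.br", "co.jp"}

# Placeholder zone name (assumption), standing in for the list being queried.
LIST_ZONE = "list.invalid"

# Constructed sample URIs using reserved example names and a documentation IP.
SAMPLE_URIS = [
    "http://x9f3k2.example.com/buy",
    "http://a1.b2.c3.example.com/u?id=7",
    "http://zq71.example.co.uk/",
    "http://192.0.2.10/landing",
]


def registered_domain(host):
    """Return the invariant registered domain of a hostname, or None."""
    host = host.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None  # IP literals are out of scope for this example
    except ValueError:
        pass
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        return None
    # Keep three labels under a known two-level suffix, otherwise two.
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    if len(labels) < keep:
        return None  # the host is a bare suffix, nothing registered
    return ".".join(labels[-keep:])


def lookup_names(uris):
    """Build de-duplicated lookup names, one per registered domain."""
    domains = []
    for uri in uris:
        host = urlsplit(uri).hostname
        if not host:
            continue
        domain = registered_domain(host)
        if domain and domain not in domains:
            domains.append(domain)
    return [f"{domain}.{LIST_ZONE}" for domain in domains]


if __name__ == "__main__":
    for name in lookup_names(SAMPLE_URIS):
        print(name)
```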
sa-learn --import with postgresql
Ran into a problem importing into postgres. Running with -D didn't help other than pinpointing to a problem while importing msgids. postgres logs showed:

2004-11-17 16:20:41 [14205] ERROR: value too long for type character varying(200)

The bayes_seen table has msgid as a varchar(200). Changing it to 'test' fixed it for me.

Either spamassassin should truncate or the underlying datatype should be larger or the error should be handled better. (import failed and deleted everything)

I didn't check behavior for learning a single message with a long msgid.

--
-Rupa
Re: sa-learn --import with postgresql
Rupa Schomaker wrote:

[snip]

2004-11-17 16:20:41 [14205] ERROR: value too long for type character varying(200) The bayes_seen table has msgid as a varchar(200). Changing it to 'test' fixed it for me. Either spamassassin should

err, changing to type 'text' fixed it for me.

[snip]

After the import, there were 5 rows with msgid 200:

4 like: %RNDDIGIT36%RNDLCCHAR13%RNDDIGIT13%RNDLCCHAR13...
1 like: jughvuuvygvi5zRhsptNPX[lots of [EMAIL PROTECTED] of spaces]hotmail.com

Note that mysql truncates long values silently so is not affected by this. Other databases most probably behave like postgres.

--
-Rupa
Re: Insecure dependency in eval while running setuid [DOMAIN-OK]
At 08:53 -0500 11/15/2004, Matt Kettler wrote:

1) are you SURE you want allow_user_rules set?

positive.

Unless you trust all your users this can be a bit risky.

I trust all my users. Or, to put it more specifically, I trust the three or four who might bother to edit their files and the rest are all me anyway as far as that goes.

Unless you're going to put body, rawbody, header or meta statements in user_prefs,

body and header, yep. That's precisely why I have allow_user_rules

2) I'd check for malformed body rules. Run spamassassin --lint to see if it can help you. Line 1669 of PerMsgStatus is where SA is executing the expressions for body rules.

Did that. I got a bunch of score for a rule that doesn't exist errors. Nothing that looked serious.

I'd check for add-on rules that have unescaped punctuation (ie instead of \) in /etc/mail/spamassassin/*.cf and in user_prefs. Most likely it's a typo.

yeah, that's what I figured, although I haven't found it. I did toss a couple of rules.

However, it's going to be a body rule that's the troublemaker.

--
Vicki Brown
Journeyman Sourceror: SF Bay Area, CA
Scripts Philtres http://www.cfcl.com
Code, Doc, Process, QA http://cfcl.com/vlb
Perl, Unix, Mac OS X, WWW
RE: spamd logging with wrong timestamp?
Mike, adding that switch to syslog didn't seem to work. I found some other posts through google which claim that stopping syslogd and spamd and starting them again fixes this up, but it hasn't worked for me. If anyone else has any ideas, they would be greatly appreciated.

Thanks,
Regards,
Dimitry

-----Original Message-----
From: Mike Kercher [mailto:[EMAIL PROTECTED]
Sent: Thursday, 18 November 2004 12:04 AM
To: users@spamassassin.apache.org
Subject: RE: spamd logging with wrong timestamp?

Dimitry Peisakhov wrote:

Hi guys, I've recently discovered that my spamd is writing to the logs with the incorrect timestamp. It looks like it's using GMT to timestamp instead of the actual time on the box (11hr difference). I fixed this previously by restarting the service, but it's not doing the trick now.. Anyone have ideas about this? There doesn't seem to be any switches for spamd to control timestamps or timezone config.

thanks,
Regards,
Dimitry Peisakhov
Systems Administrator
HENRY WALKER ELTIN
02 8875 4721
[EMAIL PROTECTED]

I had a similar problem a couple of weeks ago with a machine that had an older OS on it. sendmail was logging the correct timestamp but MailScanner was logging about 2 hours behind. The way I resolved it was to add the '-r' switch to my syslog initscript.

Mike
Re: Configuring bayes lock file locations?
brian wrote:

After upgrading to 3.0.1 I've been having problems with bayes. This may be a question for the mimedefang guys, but I'll start here. I have upgraded the databases, and it's now reading correctly, as I get bayes scoring now. However autoupdates are failing because of lock files...

In my config I have:

bayes_path /var/spool/MIMEDefang

Maillog is reporting:

Nov 17 12:54:02 lithium mimedefang-multiplexor[35151]: Slave 0 stderr: bayes: lock: 35570 cannot create tmp lockfile /var/spool/MIMEDefang.lock.host.domain.com.35570 for /var/spool/MIMEDefang.lock: Permission denied

This seems to me a spamassassin error message. It appears that I need to be able to configure where the lock file is written. /var/spool is not an option since it's not a very good idea to loosen permissions here for obvious security reasons (not to mention mimedefang will tell you to sod off until you fix it).

Brian,

This has been discussed on the MIMEDefang list in the past. It appears to be a timing issue between MIMEDefang and the SA locking mechanisms. Adding 'bayes_learn_to_journal 1' to your sa-mimedefang.cf file should resolve your problems. (at least it resolved the problem for me)

hope this helps.

alan
Re: Question
Jason

The default SpamAssassin rules are a good start, but what extra rules are you running? There are some very good ones on www.ruleemporium.com.

Also are you using any of the URI RBL's from www.surbl.org? These can help a lot too.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Jason Novak wrote:

I've upgraded to SpamAssassin 3.0.1 and, for the most part everything seems to work ok...although there are consistently some spam messages that still seem to get through. All false negatives a run sa-learn to learn.

My local.cf is configured as follows:

bayes_path /var/lib/nobody/.spamassassin/bayes
bayes_min_spam_num 20
bayes_auto_learn 1
auto_whitelist_path /var/lib/nobody/.spamassassin/auto-whitelist

my mail log is as follows for a spam message:

**
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**
Re: Web Based sa-learn?
Hi

if you are using MailScanner to front end SA, Mailwatch can help - no cut and paste, but you can run sa-learn on the messages to 'correct' bayes view of spam.

Also if you have an imap accessible email server (not Exchange 2000 or later as it mangles the headers) there are quite a few perl scripts hanging about so people can drag/drop to a spam/ham folder.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

RD wrote:

Hello List, Is there any available sa-learn type script out there where I can simply cut and paste suspected spam/ham via http? Thanks in advance.

rd.
How can I bring CPU down where Spamd takes %60 of all CPU?
Is there a way of reducing or capping CPU usage of spamd by issuing commands or making changes in config?

Regards
Tunc
Re: How to stop this stock-spam?
Matt Kettler wrote:

First, a word of warning.. 2.63 is subject to DoS if a carefully made malformed message comes in. Not a huge security risk, but I'd at least consider upgrading to 2.64 or higher in the near future. (2.64 should be an easy upgrade from 2.63.. 3.0.x might be a bit more involved, but might be useful in the longer term.)

Hi Matt,

Thank you, I'm aware of the issue with 2.63, and I'm planning an upgrade to 2.64. I've actually been too lazy. Will take care of this next week. Thanks for reminding me :)

As for the spam, you might try some of these. Keep the scores low as these could cause problems for financial newsletters. However, in your case it looks like these are getting close to 5.0 on their own, so a heavy score isn't needed.

    body OTCBB /\bOTCBB\b/
    score OTCBB 0.4
    describe OTCBB mentions penny stocks

    body OTCBB2 /\bOver the Counter bulletin board\b/i
    score OTCBB2 0.4
    describe OTCBB2 mentions penny stocks

    body PINK_SHEET /\bPink Sheet (?:Stocks?|trading)\b/i
    score PINK_SHEET 0.4
    describe PINK_SHEET mentions penny stocks.

    body INVEST_ADVICE /\bInvestment Advice\b/i
    score INVEST_ADVICE 0.2
    describe INVEST_ADVICE offers investment advice.

Note: i just wrote these, and have not tested or linted them. PINK_SHEET might have some logic errors, but I think it's ok.

Thanks for these rules. They linted OK, but I just got a similar spam that got 0.0 points (see attached file). When I ran it manually a few hours later I got the following score:

    Content analysis details: (4.6 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.6 J_CHICKENPOX_41        BODY: 4alpha-pock-1alpha
     0.0 HTML_MESSAGE           BODY: HTML included in message
     1.8 MIME_QP_DEFICIENT      RAW: Deficient quoted-printable encoding in body
     2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                                [Blocked - see http://www.spamcop.net/bl.shtml?61.33.16.183]

It doesn't seem like any of the rules of yours got triggered? The spam in question is attached.
Thank you / Martin

Received: from aspam._mydomain.com_ (192.168.2.80 [192.168.2.80]) by exchangeserver.id.local with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id VAQVTP84; Thu, 18 Nov 2004 10:48:06 +0100
Received: by aspam._mydomain.com_ (Postfix, from userid 500) id 706CA13889; Thu, 18 Nov 2004 10:48:07 +0100 (CET)
Received: from TEST-6F4NTK1WBQ (unknown [61.33.16.183]) by aspam._mydomain.com_ (Postfix) with SMTP id 4616213886; Thu, 18 Nov 2004 10:48:01 +0100 (CET)
Subject: Personal Entertainment Investments
Message-ID: [EMAIL PROTECTED]
From: Gerald Kirk [EMAIL PROTECTED]
To: Gerald Kirk [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Thu, 18 Nov 2004 07:42:53 -0200
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=--9_FAPLsq5F1.uJAvpBBpEU0
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on aspam._mydomain.com_
X-Spam-Level:
X-Spam-Status: No, hits=0.0 required=5.0 tests=HTML_MESSAGE autolearn=no version=2.63

9_FAPLsq5F1.uJAvpBBpEU0
Content-Type: text/plain; format=flowed; charset=iso-8859-15
Content-Transfer-Encoding: quoted-printable

9_FAPLsq5F1.uJAvpBBpEU0
Content-Type: text/html; format=flowed; charset=iso-8859-15
Content-Transfer-Encoding: quoted-printable

9_FAPLsq5F1.uJAvpBBpEU0--

htmlPlease review this entire email about:br Motion DNAbrbr Pink Sheets Stock Symbol MTDNbr a href=http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN;http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN/a brbr Big year expected in 2005 for Motion DNAbr br Trading Symbol MTDNbr Current Price (est.) $0.025br Valued Price (est.) $1.00brbr First time investors please read this:br a href=http://www.pinksheets.com/otcguide/investors_howtobuy.jsp;http://www.pinksheets.com/otcguide/investors_howtobuy.jsp/a brbr Company officials expect to make the move to become a reporting company, due to their high expectations Motion DNA may surpass revenue projections for 2005.
Currently with almost $500,000 in assets, zero debt, and increasing interest in its franchise program, company officials term the financial viability of Motion DNA as solid. All of the road blocks appear to be removed and Motion DNA expects to increase its market presence in the sports medicine industry and improve company revenues substantially, said Zig Ziegler, President of Motion DNA. We can now focus on increasing customer awareness and sales of our products and services. brbr In a move expected to provide future franchisees with access to a solid customer base, Motion DNA officials have agreed to terms with one of the nation's leading health club chains with over 430 locations in the US and Europe. Motion DNA is expected to launch its first analysis center in one of the club?s Arizona locations. Franchisees will be
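An added example, not part of the original thread: the four body rules posted above are run as plain regular expressions over phrases copied from the attached message, to show which expressions can match that wording at all. It checks only the expressions against the text as it appears in the post, not how SpamAssassin 2.63 decoded this message; the `LOOSENED` variants and helper names are hypothetical, and Python's `re` stands in for Perl's regex engine.

```python
import re

# The four rule expressions exactly as posted in the thread.
RULES = {
    "OTCBB": re.compile(r"\bOTCBB\b"),
    "OTCBB2": re.compile(r"\bOver the Counter bulletin board\b", re.I),
    "PINK_SHEET": re.compile(r"\bPink Sheet (?:Stocks?|trading)\b", re.I),
    "INVEST_ADVICE": re.compile(r"\bInvestment Advice\b", re.I),
}

# Hypothetical variants (not from the thread): case-insensitive OTCBB and
# an optional plural "s" on "Sheet".
LOOSENED = {
    "OTCBB_CI": re.compile(r"\bOTCBB\b", re.I),
    "PINK_SHEETS": re.compile(r"\bPink Sheets? (?:Stocks?|trading)\b", re.I),
}

# Phrases copied from the attached message as it appears in the post.
SAMPLE = "\n".join([
    "Pink Sheets Stock Symbol MTDN",
    "http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN",
    "First time investors please read this:",
    "http://www.pinksheets.com/otcguide/investors_howtobuy.jsp",
])


def hits(rules, text):
    """Names of the rules whose expression matches somewhere in text."""
    return [name for name, rx in rules.items() if rx.search(text)]


def case_only_misses(rules, text):
    """Rules that miss as written but would match if case were ignored."""
    missed = []
    for name, rx in rules.items():
        if rx.search(text):
            continue
        if re.search(rx.pattern, text, rx.flags | re.I):
            missed.append(name)
    return missed


if __name__ == "__main__":
    print("posted rules that match:  ", hits(RULES, SAMPLE))
    print("missed on case alone:     ", case_only_misses(RULES, SAMPLE))
    print("loosened rules that match:", hits(LOOSENED, SAMPLE))
```

The sample says "Pink Sheets Stock", with a plural the posted PINK_SHEET expression does not allow, and "otcbb" appears only in lower case inside a URL.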
Help me help someone...
http://forums.gentoo.org/viewtopic.php?p=1777629 This poor guy is having some strange issues with SpamAssassin and RulesDuJour that I can't manage to recreate. Anyone care to take a look and offer a suggestion or two? :)
'meds' spam
The only spam that's getting through on my system these days seems to have 'meds' and 'rx' in common. I would have thought that antidrug was the ruleset to pick up stuff such as this:

--Spam Start---
Subject: meds saving zone

your assorted meds at better than Canadian pricing A wide variety of medications for your paticular eyes...Depression-Anxiety, Muscle Relaxants, Pain Relief, Sexual Health, Sleeping Aids, drugs for weight reduction, allergy... overnight delivery for meds gorgeous service for quality rx meds at low price Internet pharmacy really makes things easier for me. Now I don't even step out of the room to get rx refilled and meds delivered to my door. --Delta
--Spam End-

but this message scores nothing for content, apart from BAYES_80 which is not enough to push it over the threshold...

X-Spam-Score: 3.19 BAYES_80,RCVD_IN_SBL,SPF_HELO_PASS,URIBL_SBL

Is there a ruleset I should be using to pick this stuff up? I've put in a custom rule to pick up meds in the subject:

    header PCB_MEDS Subject =~ /(?:\bmeds|meds\b)/i
    describe PCB_MEDS Subject contains meds
    score PCB_MEDS 5

Before I start adding body rules to pick up words like those in the message above, is there already something around that does the job?

Thanks
X-NAS-* headers
One of my customers received a blank message from Korea which spoofed an invalid email address on his domain. I was looking at the message and it contained 3 distinct X-NAS message headers that I don't recognize:

X-NAS-Classification: 0
X-NAS-MessageID: 43604
X-NAS-Validation: {3342587F-BB8C-4C06-B6B4-9B637E4CDC44}

Does anyone have any idea what would add an X-NAS-* header? I've googled it and didn't really find anything too relevant, other than people complaining about spam messages. I would like to prevent these, and it'd be great if I could just block any message containing X-NAS in the headers, but I wanted to make sure some client or isp doesn't add them automatically.

Thanks,
Keith
RE: X-NAS-* headers
Hi,

I may be mistaken but I think that that's a Norton AntiSpam header.

Best regards.
Bruno Guerreiro

-----Original Message-----
From: Keith Hackworth [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 12:31 PM
To: users@spamassassin.apache.org
Subject: X-NAS-* headers

One of my customers received a blank message from Korea which spoofed an invalid email address on his domain. I was looking at the message and it contained 3 distinct X-NAS message headers that I don't recognize:

X-NAS-Classification: 0
X-NAS-MessageID: 43604
X-NAS-Validation: {3342587F-BB8C-4C06-B6B4-9B637E4CDC44}

Does anyone have any idea what would add an X-NAS-* header? I've googled it and didn't really find anything too relevant, other than people complaining about spam messages. I would like to prevent these, and it'd be great if I could just block any message containing X-NAS in the headers, but I wanted to make sure some client or isp doesn't add them automatically.

Thanks,
Keith
Spamassassin Starter
Dear all,

I need to use some kind of antispam and decided to use spamassassin. We just installed and started it but appear not work as well.

I use RedHat 7.3 + kernel 2.4.20-28.7 + sendmail 8.11.6 + procmail 3.22 + mailscanner 3.27 + Fprot 3.13b (antivirus) + Spamassassin 2.64-1.

Some one can help me?

Thanks and Best regards
Jfabricio - IT Coordinator

---
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.797 / Virus Database: 541 - Release Date: 15/11/2004

**
This message has been scanned for viruses and dangerous content by Greenwich International It is believed to be clean.
Re: Spamassassin Starter
Hi

so what's the problem?

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300

Jfabricio - Greenwich International wrote:

Dear all, I need to use some kind of antispam and decided to use spamassassin. We just installed and started it but appear not work as well. I use RedHat 7.3 + kernel 2.4.20-28.7 + sendmail 8.11.6 + procmail 3.22 + mailscanner 3.27 + Fprot 3.13b (antivirus) + Spamassassin 2.64-1. Some one can help me?

Thanks and Best regards
Jfabricio - IT Coordinator
Re: 'meds' spam
At 11:35 AM 11/18/2004 +, Peter Campion-Bye wrote:

I've put in a custom rule to pick up meds in the subject:

    header PCB_MEDS Subject =~ /(?:\bmeds|meds\b)/i
    describe PCB_MEDS Subject contains meds
    score PCB_MEDS 5

erm.. I'd STRONGLY suggest \b's on both, not one end. The above will match any word beginning with, or ending in meds.

I'd also suggest matching medz as well as meds:

    /\bmed[sz]\b/i

Note that \b does not require a space, so it will match meds at the start or end of a line just fine. \b is just a word boundary requirement. Punctuation also counts as a word boundary... so it will match :meds just fine too.
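The difference between the two expressions in the message above, as an added example that is not part of the original post: each is run over constructed Subject lines and every match is expanded to the whole word it fell in, so words that merely begin or end with "meds" become visible. Python's `re` stands in for Perl's regex engine here; the subjects and helper names are assumptions made for the illustration.

```python
import re

# Expression from the original rule: a boundary on one side only.
ORIGINAL = re.compile(r"(?:\bmeds|meds\b)", re.I)
# Expression suggested in the reply: boundaries on both sides, s or z.
SUGGESTED = re.compile(r"\bmed[sz]\b", re.I)

# Constructed Subject lines; the first is the one quoted in the thread.
SUBJECTS = [
    "meds saving zone",
    "quality rx :meds at low price",
    "cheap medz overnight",
    "Re: MedStar appointment reminder",
    "Biomeds quarterly report",
]


def _is_word_char(ch):
    # Same notion of a word character that \b uses: letters, digits, "_".
    return ch.isalnum() or ch == "_"


def matched_words(rule, subject):
    """Return the full word surrounding each match of rule in subject."""
    words = []
    for match in rule.finditer(subject):
        start, end = match.span()
        while start > 0 and _is_word_char(subject[start - 1]):
            start -= 1
        while end < len(subject) and _is_word_char(subject[end]):
            end += 1
        words.append(subject[start:end])
    return words


def compare(subjects):
    """One row per subject: (subject, words hit by ORIGINAL, by SUGGESTED)."""
    return [
        (s, matched_words(ORIGINAL, s), matched_words(SUGGESTED, s))
        for s in subjects
    ]


if __name__ == "__main__":
    for subject, original, suggested in compare(SUBJECTS):
        print(f"{subject!r}: original={original} suggested={suggested}")
```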
RES: Spamassassin Starter
Dear Martin,

Thanks for your quick reply.

I started spamd yesterday morning, but it does not stop any spam message. For example, I usually receive about 130 spams every morning. I checked this morning and the same number of spam entered on my inbox.

TKS
Jfabricio

-----Original Message-----
From: Martin Hepworth [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 10:33
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Subject: Re: Spamassassin Starter

Hi so whats the problem?

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300

Jfabricio - Greenwich International wrote:

Dear all, I need to use some kind of antispam and decided to use spamassassin. We just installed and started it but appear not work as well. I use RedHat 7.3 + kernel 2.4.20-28.7 + sendmail 8.11.6 + procmail 3.22 + mailscanner 3.27 + Fprot 3.13b (antivirus) + Spamassassin 2.64-1. Some one can help me?

Thanks and Best regards
Jfabricio - IT Coordinator
Re: Spamassassin Starter
On Thursday 18 November 2004, 15:58, Jfabricio - Greenwich International wrote:

I started spamd yesterday morning, but it does not stop any spam message. For example, I usually receive about 130 spams every morning. I checked this morning and the same number of spam entered on my inbox.

Oh, you need to include far more information than that. Just think about how you would respond to a help request, how would you start?

For example, how did you integrate SpamAssassin with Sendmail? What do your procmail recipes look like? Do you see any messages in mail server logs, syslog or other logs?

Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: RES: Spamassassin Starter
J

MailScanner does not use spamd/spamc in order to scan emails, but calls Spamassassin directly via Perl.

If email is flowing and you've not stopped sendmail before the MailScanner install then that's the problem.

Also MailScanner 3.x is kinda old (a couple of years at least), may I suggest you get the latest RPM from www.mailscanner.info and try again.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300

Jfabricio - Greenwich International wrote:

Dear Martin, Thanks for yours quickly reply. I started spamd yesterday morning, but it does not stop any spam message. For example, I usually receive about 130 spams every morning. I checked this morning and the same number of spam entered on my inbox. TKS
Re: Spamassassin Starter
Kjetil Kjernsmo wrote:

On Thursday 18 November 2004, 15:58, Jfabricio - Greenwich International wrote:

I started spamd yesterday morning, but it does not stop any spam message. For example, I usually receive about 130 spams every morning. I checked this morning and the same number of spam entered on my inbox.

Oh, you need to include far more information than that. Just think about how you would respond to a help request, how would you start? For example, how did you integrate SpamAssassin with Sendmail? What does your procmail recipes look like? Do you see any messages in mail server logs, syslog or other logs?

Best,
Kjetil

Hi

he's using (or trying to use!) mailscanner to call SA and scan the email and a very old version of MailScanner too.. I've asked him(?) to get the latest version...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300
Re: RES: Spamassassin Starter
At 06:58 AM 11/18/2004, you wrote:

Dear Martin, Thanks for yours quickly reply. I started spamd yesterday morning, but it does not stop any spam message. For example, I usually receive about 130 spams every morning. I checked this morning and the same number of spam entered on my inbox.

SpamAssassin is merely going to mark the messages as spam - nothing more. Anything such as move to a separate folder is done with other programs. They will still appear in your Inbox.

Might help to post your procmail configuration appropriate config from your SpamAssassin settings to help further troubleshoot.

Evan
Re: spamd logging with wrong timestamp?
I've had servers log with incorrect time before and it was due to the fact that I was in a different timezone than my server and I set my TZ environment variable to reflect my timezone and not the timezone that the server was located. So, when I restarted the server, it inherited my TZ variable and started logging with that time and not the system time.

If you might think that this is an issue, you could put the correct TZ environment info in your spamd startup/shutdown script and that way it will always be correct (or at least consistent).

Mike

On Thu, Nov 18, 2004 at 02:46:22PM +1100, Dimitry Peisakhov wrote:

Mike, adding that switch to syslog didn't seem to work. I found some other posts through google which claim that stopping syslogd and spamd and starting them again fixes this up, but it hasn't worked for me. If anyone else has any ideas, they would be greatly appreciated.

Thanks,
Regards,
Dimitry

-----Original Message-----
From: Mike Kercher [mailto:[EMAIL PROTECTED]
Sent: Thursday, 18 November 2004 12:04 AM
To: users@spamassassin.apache.org
Subject: RE: spamd logging with wrong timestamp?

Dimitry Peisakhov wrote:

Hi guys, I've recently discovered that my spamd is writing to the logs with the incorrect timestamp. It looks like it's using GMT to timestamp instead of the actual time on the box (11hr difference). I fixed this previously by restarting the service, but it's not doing the trick now.. Anyone have ideas about this? There doesn't seem to be any switches for spamd to control timestamps or timezone config.

thanks,
Regards,
Dimitry Peisakhov
Systems Administrator
HENRY WALKER ELTIN
02 8875 4721
[EMAIL PROTECTED]

I had a similar problem a couple of weeks ago with a machine that had an older OS on it. sendmail was logging the correct timestamp but MailScanner was logging about 2 hours behind. The way I resolved it was to add the '-r' switch to my syslog initscript.

Mike

--
Michael Barnes [EMAIL PROTECTED]
UNIX Systems Administrator
College of William and Mary
Phone: (757) 879-3930
Re: [OT] Amavisd memory usage
On Nov 17, 2004, at 11:07 AM, Michael W Cocke wrote:

Is this normal? I would have expected them to be using the same amount of memory, unless there's a leak somewhere.

Try not to confuse memory usage with memory leak. It is a very common trap.

Vivek Khera, Ph.D. +1-301-869-4449 x806
Re: How can I bring CPU down where Spamd takes %60 of all CPU?
On Thursday 18 November 2004 04:20 am, LOGS (Tunc Eresen) wrote:

Is there a way of reducing or capping CPU usage of spamd by issuing commands or making changes in config? Regards Tunc

If you must, nice it down to a lower priority. In your startup script add a nice adjustment to the spamd launch:

nice -n15 spamd .

or man nice for more details.

HTH,
Jeremy
sender_header search algorithm
I noticed that Mail::SpamAssassin::Conf describes the search algorithm for the message sender as follows:

| SpamAssassin will attempt to discover the address used in the
| 'MAIL FROM:' phase of the SMTP transaction that delivered this
| message, if this data has been made available by the SMTP server.
| This is used in the EnvelopeFrom pseudo-header, and for various
| rules such as SPF checking.
|
| By default, various MTAs will use different headers, such as the
| following:
|
|    X-Envelope-From
|    Envelope-Sender
|    X-Sender
|    Return-Path
|
| SpamAssassin will attempt to use these, if some heuristics (such
| as the header placement in the message, or the absence of
| fetchmail signatures) appear to indicate that they are safe to
| use. However, it may choose the wrong headers in some mailserver
| configurations. (More discussion of this can be found in bug 2142
| in the SpamAssassin BugZilla.)
|
| To avoid this heuristic failure, the envelope_sender_header
| setting may be helpful. [...]
|
| If the header in question contains '<' or '>' characters at the start
| and end of the email address in the right-hand side, as in the
| SMTP transaction, these will be stripped.

The existing algorithm doesn't seem to work very well (or at least it doesn't seem to work very well here; 2.64 seemed to be more reliable about this, but 3.0.1 only seems to find From). I haven't come across any significant discussion so I'm not sure what's going on here.

I suggest the following order:

[user-override first]
Return-Path
Sender
Resent-Sender
List-ID
List-Post/-*
non-standard headers (like Errors-To)
From
Resent-From

The subset of List-* headers use different field structures (some of them use URIs) and therefore require additional pattern-matching than the simple matching.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: any rules for RelayCountry?
On 11/17/2004 12:53 PM, Martin wrote:

|I'm looking to use the RelayCountry plugin data but there
|doesn't seem to be any rules. Anybody know of any?

Here's some rules I use, utilising the nerds.dk lists, not sure if it's what you are looking for.

That works perfectly, and doesn't even need/use the RelayPlugin data, which is a good thing since it's causing some kind of interaction problem with the spampd wrapper with postfix.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
spamd process using to much cpu
Hello,

I'm running spamassassin 3.0.1 on linux 2.4, using milter-spamc to talk with sendmail milter.

I'm seeing a heavy cpu usage in some process of spamd for a long time and sometimes they just hang there until I kill them (usage goes from 80% to 97%). Also my system is reporting a high iowait load and a high disk usage that stops if I shut down spamassassin processes.

This is normal? Anyone with the same problem??

I'm running spamassassin with these flags: -d -c -m5 -H -D

Any comments/ideas will be most welcome.

BR,
Matías.
Kill spamd spawns new processes
Hi,

Today I updated spamassassin from 2.63 to 3.01 on a linux machine. My init script does not work anymore because when I kill spamd it creates five new processes. So, I cannot start the daemon again. Any help is appreciated. Here is the info.

[EMAIL PROTECTED]:~# ps -ef|grep spam
[EMAIL PROTECTED]:~# spamd -d -x
[EMAIL PROTECTED]:~# ps -ef|grep spamd
root 13272 1 75 14:50 ? 00:00:03 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -x
[EMAIL PROTECTED]:~# kill -9 13272
[EMAIL PROTECTED]:~# ps -ef|grep spamd
root 13273 1 0 14:50 ? 00:00:00 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -x
root 13274 1 0 14:50 ? 00:00:00 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -x
root 13275 1 0 14:50 ? 00:00:00 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -x
root 13276 1 0 14:50 ? 00:00:00 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -x
root 13277 1 0 14:50 ? 00:00:00 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -x

Thanks.
Pradeep.
Re: spamd process using to much cpu
At 04:13 PM 11/18/2004, Matias Lopez Bergero wrote:

I'm seeing heavy cpu usage in some spamd processes for a long time, and sometimes they just hang there until I kill them (usage goes from 80% to 97%). Also my system is reporting a high iowait load and a high disk usage that stops if I shut down the spamassassin processes. Is this normal? Anyone with the same problem?

Define for a long time... Minutes? Hours?

From the sounds of it, it looks like SA is doing an opportunistic expiry on your bayes DB.. But that should only take a few minutes unless things are really haywire or your box is really slow.

Try running a sa-learn -D --force-expire on the command line and see if that runs smoothly.

Also, look around for bayes_toks.expirepid # files laying around next to your bayes DB.. that's a very clear sign SA is being killed while running expiry.
Spamd cpu issues.
I've been watching these messages concerning high memory and cpu usage in spamd. In fact it caused me to wait until 3.01. But I have upgraded, running now for several days. Spamd is quite well behaved, not catching as much as 2.64 was, but I am still tuning.

I don't know if it matters but I'll throw this out anyway, maybe it will help someone. I don't run bayes, I don't run autowhitelist, I don't run pyzor/dcc/razor. I have never seen these issues of high memory/cpu usage. I am handling 700/1300 messages per hour ( we are an ISP, traffic levels change daily 8^), 60% of which is spam this afternoon. This is done with three machines using spamc to connect to a master server running spamd with user prefs stored in MySQL.

spamd is running with the following startup under daemontools,

#!/sbin/sh
PATH=/usr/bin:/usr/local/bin
exec /usr/local/bin/softlimit -a 12800 \
/usr/local/bin/spamd -i 10.0.240.253 -p 1783 -A 10.0.240.0/24 \
-m 10 --max-conn-per-child=200 -u vpopmail -x -q -s stderr 2>&1

DAve

--
Systems Administrator http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!
Re: Kill spamd spawns new processes
At 05:04 PM 11/18/2004, Pradeep wrote:

Today I updated spamassassin from 2.63 to 3.01 on a linux machine. My init script does not work anymore because when I kill spamd it creates five new processes. So, I cannot start the daemon again. Any help is appreciated. Here is the info.

[EMAIL PROTECTED]:~# ps -ef|grep spam
[EMAIL PROTECTED]:~# spamd -d -x
[EMAIL PROTECTED]:~# ps -ef|grep spamd
root 13272 1 75 14:50 ? 00:00:03 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -x
[EMAIL PROTECTED]:~# kill -9 13272

have you tried being nice and sending a normal kill (SIGTERM) instead of a -9 (SIGKILL)?

kill -9 does not allow spamd any opportunity to clean up after itself. The OS just force-unloads the process by dropping it from the process list and marking all memory free and files closed. Any pending file io is left incomplete, and all children are left to their own devices. SA has no chance to notify its children by using its sigterm handler.

You could even corrupt your bayes DB by using kill -9 on spamd.

You should never kill -9 any process without doing a regular kill first, except as a truly drastic measure for a severely dangerous out-of-control process which is going to take your whole system down if you don't stop it.

Kill -9 is NOT a good thing to use for general shutdown of processes, it's really only one step better than having to pull the power plug on the box.
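The stop sequence described in the reply above (a regular kill first, kill -9 only as a last resort), written as a shell function an init script could call. This is an added example, not code from the thread or from SpamAssassin; the function name, return codes and default timeout are assumptions.

```shell
#!/bin/sh
# Added example: stop a daemon such as spamd without jumping straight to
# SIGKILL. stop_gracefully is a hypothetical helper name.
#
# usage: stop_gracefully PID [TIMEOUT_SECONDS]
# returns 0  process exited after SIGTERM (its handler had a chance to run)
#         1  process ignored SIGTERM for TIMEOUT seconds and was SIGKILLed
#         2  process was not running, or we may not signal it
stop_gracefully() {
    pid=$1
    timeout=${2:-10}   # assumed default; tune to how long cleanup takes

    # Signal 0 delivers nothing; it only tests that the pid exists and
    # that we are allowed to signal it.
    kill -0 "$pid" 2>/dev/null || return 2

    # SIGTERM (15) can be caught, so the parent can notify its children
    # and finish pending file I/O before exiting.
    kill -TERM "$pid" 2>/dev/null || return 2

    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        kill -0 "$pid" 2>/dev/null || return 0
        sleep 1
        waited=$((waited + 1))
    done
    kill -0 "$pid" 2>/dev/null || return 0

    # Last resort only: SIGKILL (9) cannot be caught, so no cleanup runs
    # and any children of the process are left behind.
    kill -KILL "$pid" 2>/dev/null
    return 1
}
```

A return value of 1 is worth logging in an init script, since it means the daemon was terminated without running its cleanup.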
Re: Question
Hi Martin,

I think I may have found the issue... It looks like these domains were added in the auto-whitelist file which were probably decreasing the score below the standard threshold of 5. The extra rulesets you see are actually coming from ruleemporium.com (SARE). That's why I was so confused that these messages seem to be getting through. Thank you again for the suggestion.

Best Regards,
Jason

Martin Hepworth wrote:

Jason

The default SpamAssassin rules are a good start, but what extra rules are you running? There are some very good ones on www.ruleemporium.com. Also are you using any of the URI RBL's from www.surbl.org? These can help a lot too.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Jason Novak wrote:

I've upgraded to SpamAssassin 3.0.1 and, for the most part everything seems to work ok...although there are consistently some spam messages that still seem to get through. All false negatives I run sa-learn to learn. My local.cf is configured as follows:

bayes_path /var/lib/nobody/.spamassassin/bayes
bayes_min_spam_num 20
bayes_auto_learn 1
auto_whitelist_path /var/lib/nobody/.spamassassin/auto-whitelist

my mail log is as follows for a spam message:
Re: despamassassining
On Nov 11 at 20:31, Matt Kettler spoke:

Besides adjusting your administrator with a clue-by-four, you can run it through spamassassin --remove-markup

Well I can't use perl on this site. I'm trying to pipe it through `reformime -s 1.2 -e | formail -b`. This only affects the date in the envelope.

-Hanspeter
Re: Kill spamd spawns new processes
Matt Kettler writes:

At 05:04 PM 11/18/2004, Pradeep wrote:

Today I updated spamassassin from 2.63 to 3.01 on a linux machine. My init script does not work anymore because when I kill spamd it creates five new processes. So, I cannot start the daemon again. Any help is appreciated. Here is the info.

[EMAIL PROTECTED]:~# ps -ef|grep spam
[EMAIL PROTECTED]:~# spamd -d -x
[EMAIL PROTECTED]:~# ps -ef|grep spamd
root 13272 1 75 14:50 ? 00:00:03 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -x
[EMAIL PROTECTED]:~# kill -9 13272

have you tried being nice and sending a normal kill (SIGTERM) instead of a -9 (SIGKILL)?

kill -9 does not allow spamd any opportunity to clean up after itself. The OS just force-unloads the process by dropping it from the process list and marking all memory free and files closed. Any pending file io is left incomplete, and all children are left to their own devices. SA has no chance to notify its children by using its sigterm handler.

You could even corrupt your bayes DB by using kill -9 on spamd.

You should never kill -9 any process without doing a regular kill first, except as a truly drastic measure for a severely dangerous out-of-control process which is going to take your whole system down if you don't stop it.

Kill -9 is NOT a good thing to use for general shutdown of processes, it's really only one step better than having to pull the power plug on the box.

yep -- in fact, it's pretty much equivalent to pulling the power plug on that process. kill -15 is a lot safer.

--j.
Re: Kill spamd spawns new processes
At 06:05 PM 11/18/2004, Justin Mason wrote:

Kill -9 is NOT a good thing to use for general shutdown of processes, it's really only one step better than having to pull the power plug on the box.

yep -- in fact, it's pretty much equivalent to pulling the power plug on that process. kill -15 is a lot safer.

Agreed.. Which is why it's only one step better than pulling the plug on the whole box :)

I also found this useful website which goes quite in-depth on the matter:

http://www.speculation.org/garrick/kill-9.html
Re: more spamassassin + bayes + postgres stuff
On Thu, Nov 18, 2004 at 06:53:19AM -0800, Rupa Schomaker wrote:

Some questions: Is bytea really necessary? If I follow the path of the patch, the bytea change was done prior to adding the index. Since the tokens are binary data it is probably more correct though, especially if one has an encoding other than SQL_ASCII set for the DB...

Yes, as far as I can tell from the documentation. The fact that we're storing the binary value makes it necessary. If I'm misinformed, then feel free to point out where in the documentation.

What do you use to benchmark changes? I'm willing to experiment but would like to have some reproducible results for ya...

It's not really ready for real world consumption and time has been short for getting it ready. You can read a little about it here: http://wiki.apache.org/spamassassin/BayesBenchmark

Hopefully, I'll get some free time soon and get it into the SA tree.

Michael
RE: Spamd cpu issues.
We ran the 3-beta for a while and recently built out a machine to start building up our bayes and for a 1:1 comparison of spam scores. We are running SURBL, multiple SARE rules and AWL/Bayes with MySQL. The spamd and MySQL processes are running on a shared box for right now. Box specs are 2.8ghz, 1gb ram (Dell 2400n). The front end is 2 boxes (we actually have 4 nodes) that call spamc twice (once for local 2.6.x version and then for the 3.01 version on the remote box).

The memory on here has been pretty consistent on the pre-prod box. The two machines that are sending email to the server are doing about 30k messages each per day. Anyways, I think that this is a fairly hard hit server for what we do and haven't seen any significant memory issues yet. We are building out a production environment (to include MySQL mirroring) on a set of beefy machines that all of the front-end relays will use as their backend spamd processes. So far the results have been extremely promising for us.

Please note that the high memory listed is also the result of copying 4gb of files to the box.
Anyhow, here are the results from the top:

15:26:46 up 3 days, 19:50, 2 users, load average: 0.38, 0.14, 0.18
81 processes: 77 sleeping, 4 running, 0 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 30.0% 0.0% 0.0% 0.0% 0.0% 4.0% 66.0%
Mem: 1025988k av, 837276k used, 188712k free, 0k shrd, 35888k
553064k actv, 196020k in_d, 12052k in_c
Swap: 1052248k av, 302896k used, 749352k free 475508k cached

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
7624 nobody 16 0 50792 38M 1888 S 18.0 3.8 0:31 0 spamd
7584 nobody 16 0 48840 37M 1900 R 10.0 3.6 0:26 0 spamd
7628 nobody 15 0 48564 37M 1900 S 1.0 3.7 0:27 0 spamd
1 root 15 0 116 7656 S 0.0 0.0 0:03 0 init
2 root 15 0 00 0 SW 0.0 0.0 0:03 0 keventd
3 root 15 0 00 0 SW 0.0 0.0 0:00 0 kapmd
4 root 34 19 00 0 SWN 0.0 0.0 0:00 0 ksoftirqd/
7 root 15 0 00 0 SW 0.0 0.0 0:00 0 bdflush
5 root 15 0 00 0 SW 0.0 0.0 0:10 0 kswapd
6 root 15 0 00 0 RW 0.0 0.0 0:02 0 kscand
8 root 15 0 00 0 SW 0.0 0.0 0:00 0 kupdated
9 root 25 0 00 0 SW 0.0 0.0 0:00 0 mdrecovery
13 root 15 0 00 0 SW 0.0 0.0 1:42 0 kjournald
68 root 25 0 00 0 SW 0.0 0.0 0:00 0 khubd
927 root 15 0 00 0 SW 0.0 0.0 0:00 0 kjournald
3052 root 15 0 244 224 160 S 0.0 0.0 0:41 0 syslogd
3056 root 22 0604 0 S 0.0 0.0 0:00 0 klogd
3082 rpc 15 0764 0 S 0.0 0.0 0:00 0 portmap
3101 rpcuser 25 0804 0 S 0.0 0.0 0:00 0 rpc.statd
3112 root 15 0 164 148 108 S 0.0 0.0 0:00 0 mdadm
3127 root RT 0 252 152 116 S 0.0 0.0 0:00 0 auditd
3179 root 24 0524 0 S 0.0 0.0 0:00 0 apmd
3217 root 15 0 256 208 144 S 0.0 0.0 0:00 0 rpc.dracd
3268 root 15 0 312 7664 S 0.0 0.0 0:00 0 sshd
3362 root 25 0 1404 0 S 0.0 0.0 0:00 0 mysqld_saf
3391 mysql 15 0 18428 7972 1340 S 0.0 0.7 0:00 0 mysqld
3436 mysql 24 0 18428 7972 1340 S 0.0 0.7 0:00 0 mysqld
3437 mysql 24 0 18428 7972 1340 S 0.0 0.7 0:00 0 mysqld
3438 mysql 24 0 18428 7972 1340 S 0.0 0.7 0:00 0 mysqld
3439 mysql 24 0 18428 7972 1340 S 0.0 0.7 0:00 0 mysqld
3443 mysql 15 0 18428 7972 1340 S 0.0 0.7 0:00 0 mysqld
3444 mysql 15 0 18428 7972 1340 S 0.0 0.7 0:00 0 mysqld
3445 mysql 24 0 18428 7972 1340 S 0.0 0.7 0:00 0 mysqld
3446 mysql 15 0 18428 7972 1340 S 0.0 0.7 0:07 0 mysqld
3456 root 15 0564 0 S 0.0 0.0 0:00 0 gpm
3471 root 15 0 3288 8460 S 0.0 0.0 0:00 0 httpd
3480 nobody 15 0 472 208 124 S 0.0 0.0 0:00 0 proftpd
3489 root 15 0 172 14892 S 0.0 0.0 0:00 0 crond
3512 xfs 15 0 1904 6032 S 0.0 0.0 0:00 0 xfs
3521 daemon 15 0 196 168 124 S 0.0 0.0 0:00 0 atd
3531 root 18 0524 0 S 0.0 0.0 0:00 0 mingetty
3532 root 18 0524 0 S 0.0 0.0 0:00 0 mingetty
3533 root 18 0524 0 S 0.0 0.0 0:00 0 mingetty
3534 root 18 0524 0 S 0.0 0.0 0:00 0 mingetty
3535 root 19 0524 0 S 0.0 0.0
script error?
Hi list,

this is probably some easy configuration issue, but it's now almost 1am and I just spent the last 4 hours upgrading my system so by now I wouldn't see a solution if it hit me in the face. I have everything working, except for spamassassin. I had it working earlier, but I decided to get the newest version of SA from CPAN and now when I try to start spamd I get the following error:

ERROR! spamassassin script is v3.00, but using modules v3.01!

which is great in not telling me anything useful about what is wrong. Can anybody point me in the right direction? Any help would be GREATLY appreciated

TIA
Stefan
Re: Kill spamd spawns new processes
Matt Kettler wrote:

At 06:05 PM 11/18/2004, Justin Mason wrote:

Kill -9 is NOT a good thing to use for general shutdown of processes, it's really only one step better than having to pull the power plug on the box.

yep -- in fact, it's pretty much equivalent to pulling the power plug on that process. kill -15 is a lot safer.

Agreed.. Which is why it's only one step better than pulling the plug on the whole box :)

I also found this useful website which goes quite in-depth on the matter:

Pssh, kill -15 is for wimps :)

Regards,
Rick