Re: Spam scores not in log

2005-11-25 Thread jdow

From: Evan Platt [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 2005 November, 24, Thursday 23:41
Subject: Re: Spam scores not in log



At 06:58 PM 11/24/2005, you wrote:
For some reason I am not getting the spam scores in the mail log. I am getting the start 
and stop of spamassassin. any suggestions?


I can't help you likely, but a few details people who can are going to need: How you 
call spamassassin, what system, what MTA,  and possibly what version of spamassassin you 
are running. And anything else you can think of that would be a detail to help others 
help you. :)


He has to be using the spamd approach to get anything in the log. Then he
should see log entries with the rules that hit. But the scores themselves
are not in the logs. A typical entry looks (modulo obfuscation) like this:
Nov 21 14:32:50 X spamd[31336]: result: . -138 - BAYES_00,MSGID_FROM_MTA_ID,NOT_TO_ME,USER_IN_WHITELIST,WHITELIST_NTDEV scantime=2.1,size=3276,mid=[EMAIL PROTECTED],bayes=4.09517114957625e-06,autolearn=disabled


{^_^} 
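
An added example, not part of the message above or of SpamAssassin itself: a Python parser for the spamd `result:` entry shown in that message, which pulls out the flag, the number that follows it, the rule names and the key=value fields, then counts rule hits across a log. The function names, the sample log lines and the message ids are constructed for illustration; the number after the flag is read here as the message total, and per-rule scores are not part of the line.

```python
import re
from collections import Counter

# Layout read off the sample entry in the post:
#   ... spamd[PID]: result: <flag> <total> - <RULE,RULE,...> <key=value,...>
# The optional "spamd: " tag is an assumption, to tolerate builds that repeat it.
RESULT_RE = re.compile(
    r"spamd\[(?P<pid>\d+)\]: (?:spamd: )?result: (?P<flag>\S) "
    r"(?P<total>-?\d+(?:\.\d+)?) - (?:(?P<rules>[A-Za-z0-9_,]+) )?(?P<fields>.*)$"
)

def parse_result(entry):
    """Parse one spamd 'result:' entry; return None for any other log line."""
    flat = " ".join(entry.split())  # rejoin an entry wrapped over several lines
    m = RESULT_RE.search(flat)
    if m is None:
        return None
    fields = {}
    for item in m.group("fields").split(","):  # naive: assumes no commas in values
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    rules = m.group("rules").split(",") if m.group("rules") else []
    # "Y" marks a message judged spam, "." (as in the post's entry) one that was not.
    return {"pid": int(m.group("pid")), "spam": m.group("flag") == "Y",
            "total": float(m.group("total")), "rules": rules, "fields": fields}

def rule_hits(log_lines):
    """Count how often each rule name appears across all result entries."""
    hits = Counter()
    for line in log_lines:
        parsed = parse_result(line)
        if parsed:
            hits.update(parsed["rules"])
    return hits

# Constructed sample modelled on the entry in the post; message ids are placeholders.
SAMPLE_LOG = [
    "Nov 21 14:32:48 X spamd[31336]: connection from localhost at port 40000",
    "Nov 21 14:32:50 X spamd[31336]: result: . -138 - BAYES_00,MSGID_FROM_MTA_ID,"
    "NOT_TO_ME,USER_IN_WHITELIST,WHITELIST_NTDEV scantime=2.1,size=3276,"
    "mid=<id@example.invalid>,bayes=4.09517114957625e-06,autolearn=disabled",
    "Nov 21 14:33:02 X spamd[31337]: result: Y 17 - BAYES_99,NOT_TO_ME "
    "scantime=1.4,size=2048,mid=<id2@example.invalid>,bayes=1,autolearn=disabled",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_result(line))
    print(rule_hits(SAMPLE_LOG).most_common(3))
```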





SpamScore Email

2005-11-25 Thread Markus Braun

Hello,

I am new on this list.
I have a problem. I installed exim4, courier and spamassassin.

But every email I send out is marked as spam, e.g. Spam Score 1.6

Can I turn it off, or is it some configuration error?

Thanks a lot

marcus





Sql don't work ??

2005-11-25 Thread Noc Phibee

Hi

I want to use SpamAssassin 3.0.4 with SQL to set a personalized tag.

I run spamd with daemontools :
/usr/bin/spamd -q -x -c -m5 -H

I don't have any information in local.cf

my sql.cf:
user_scores_dsn               DBI:mysql:SpamAssassin:localhost
user_scores_sql_username      SpamAssassin
user_scores_sql_password      XXX
user_scores_sql_custom_query  SELECT preference,value from userpref WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC


Access to the database works (tested locally)

Table:
mysql> select * from userpref;
+---------------+--------------------------------+----------------------------------------+--------+
| username      | preference                     | value                                  | prefid |
+---------------+--------------------------------+----------------------------------------+--------+
| $GLOBAL       | required_hits                  | 4.9                                    |      1 |
| $GLOBAL       | subject_tag                    | *SPAM*                                 |      2 |
| $GLOBAL       | rewrite_header Subject         | *SPAM*                                 |      3 |
| $GLOBAL       | score USER_IN_WHITELIST        | -150                                   |      4 |
| $GLOBAL       | score USER_IN_BLACKLIST        | 150                                    |      5 |
| $GLOBAL       | report_safe                    | 1                                      |      6 |
| $GLOBAL       | use_razor2                     | 0                                      |      7 |
| $GLOBAL       | ok_locales                     | en fr                                  |      8 |
| $GLOBAL       | ok_languages                   | en fr                                  |      9 |
| $GLOBAL       | skip_rbl_checks                | 0                                      |     10 |
| $GLOBAL       | use_auto_whitelist             | 1                                      |     11 |
| $GLOBAL       | auto_whitelist_path            | /var/spool/spamassassin/auto-whitelist |     12 |
| $GLOBAL       | auto_whitelist_file_mode       | 0666                                   |     13 |
| $GLOBAL       | whitelist_from                 | [EMAIL PROTECTED]                      |     14 |
| $GLOBAL       | blacklist_from                 | [EMAIL PROTECTED]                      |     15 |
| $GLOBAL       | rewrite_subject                | 1                                      |     16 |
| $GLOBAL       | defang_mime                    | 1                                      |     17 |
| $GLOBAL       | use_terse_report               | 0                                      |     18 |
| $GLOBAL       | dns_available                  | yes                                    |     19 |
| $GLOBAL       | bayes_auto_learn               | 1                                      |     20 |
| $GLOBAL       | bayes_auto_learn_threshold_non | 0.5                                    |     21 |
| $GLOBAL       | bayes_auto_learn_threshold_spa | 7.5                                    |     22 |
| %mydomain.com | required_hits                  | 5.0                                    |     23 |
| %mydomain.com | subject_tag                    | ***NON-SOLLICITE***UNSOLICITED***      |     24 |
| %mydomain.com | rewrite_header Subject         | ***NON-SOLLICITE***UNSOLICITED***      |     25 |



When I start in debug, I don't see SQL errors ...
But when mydomain.com receives an email, the required_hits is at 4.9 and
not 5.0 and the tag is

SPAM ...

Can anyone help me understand why that doesn't work?

Thanks bye




Re: check_whitelist

2005-11-25 Thread Kevin W. Gagel
Where does one get the check_whitelist tool?

It's in the tools subdirectory of the tarball.


I used CPAN to install SpamAssassin (3.0.1) and a find on
the system does not locate the tool.


Are you sure you did 3.0.1 not 3.1.0?


check in ~/.cpan/ and find where CPAN unpacked the SA
tarball when building  and installing to find it, otherwise
just download the tarball and grab it  out of that. 

I did mean the 3.1.0, and I did download the tarball and get
it from there. Thanks.

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


SORBS

2005-11-25 Thread jdow

It seems they have taken leave of their database. The Earthlink mailers
have somehow gotten listed in their DUL listings. They are quite positively
not DUL based. If SORBS can get this screwed up I'd suggest lowering their
scores in the rules files.
===8---
[EMAIL PROTECTED] ~]$ dig 209.93.86.209.dnsbl.sorbs.net

; <<>> DiG 9.3.1 <<>> 209.93.86.209.dnsbl.sorbs.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48703
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 10, ADDITIONAL: 10

;; QUESTION SECTION:
;209.93.86.209.dnsbl.sorbs.net. IN  A

;; ANSWER SECTION:
209.93.86.209.dnsbl.sorbs.net. 3133 IN  A   127.0.0.10

;; AUTHORITY SECTION:
dnsbl.sorbs.net.        60337   IN  NS  rbldns3.sorbs.net.
dnsbl.sorbs.net.        60337   IN  NS  rbldns4.sorbs.net.
dnsbl.sorbs.net.        60337   IN  NS  rbldns5.sorbs.net.
dnsbl.sorbs.net.        60337   IN  NS  rbldns6.sorbs.net.
dnsbl.sorbs.net.        60337   IN  NS  sorbs-sql1.vix.com.
dnsbl.sorbs.net.        60337   IN  NS  rbl1.oregonstate.edu.
dnsbl.sorbs.net.        60337   IN  NS  rbl2.oregonstate.edu.
dnsbl.sorbs.net.        60337   IN  NS  sorbs.bl.xs4all.nl.
dnsbl.sorbs.net.        60337   IN  NS  rbldns0.sorbs.net.
dnsbl.sorbs.net.        60337   IN  NS  rbldns2.sorbs.net.

;; ADDITIONAL SECTION:
rbl1.oregonstate.edu.   54249   IN  A   128.193.0.30
rbl2.oregonstate.edu.   54249   IN  A   128.193.0.130
sorbs.bl.xs4all.nl.     54249   IN  A   194.109.9.11
rbldns0.sorbs.net.      3157    IN  A   203.15.51.34
rbldns2.sorbs.net.      3157    IN  A   209.209.1.20
rbldns3.sorbs.net.      3157    IN  A   209.142.2.10
rbldns4.sorbs.net.      3157    IN  A   194.134.64.74
rbldns5.sorbs.net.      3157    IN  A   194.134.35.168
rbldns6.sorbs.net.      3157    IN  A   194.134.35.204
sorbs-sql1.vix.com.     3157    IN  A   204.152.186.189

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 25 14:01:27 2005
;; MSG SIZE  rcvd: 472

[EMAIL PROTECTED] ~]$ host 209.86.93.209
209.93.86.209.in-addr.arpa domain name pointer pop08.earthlink.net.
[EMAIL PROTECTED] ~]$
===8---

Idiots!
{^_-}



Re: SORBS

2005-11-25 Thread List Mail User
...
It seems they have taken leave of their database. The Earthlink mailers
have somehow gotten listed in their DUL listings. They are quite positively
not DUL based. If SORBS can get this screwed up I'd suggest lowering their
scores in the rules files.
===8---
[EMAIL PROTECTED] ~]$ dig 209.93.86.209.dnsbl.sorbs.net

; <<>> DiG 9.3.1 <<>> 209.93.86.209.dnsbl.sorbs.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48703
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 10, ADDITIONAL: 10

;; QUESTION SECTION:
;209.93.86.209.dnsbl.sorbs.net. IN  A

;; ANSWER SECTION:
209.93.86.209.dnsbl.sorbs.net. 3133 IN  A   127.0.0.10

...
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 25 14:01:27 2005
;; MSG SIZE  rcvd: 472

[EMAIL PROTECTED] ~]$ host 209.86.93.209
209.93.86.209.in-addr.arpa domain name pointer pop08.earthlink.net.
[EMAIL PROTECTED] ~]$
===8---

Idiots!
{^_-}

Actually, it seems to be at least part Earthlink's fault;  SORBS
(properly) assumes that a very low TTL means the IP can and is intended to
change relatively often, and Earthlink is now using a 1/2 hour TTL for these
servers.

% dig pop08.earthlink.net any @itchy.earthlink.net

; <<>> DiG 9.3.0 <<>> pop08.earthlink.net any @itchy.earthlink.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13978
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;pop08.earthlink.net.   IN  ANY

;; ANSWER SECTION:
pop08.earthlink.net.    1800    IN  A   209.86.93.209

;; AUTHORITY SECTION:
earthlink.net.          1800    IN  NS  itchy.earthlink.net.
earthlink.net.          1800    IN  NS  scratchy.earthlink.net.

;; ADDITIONAL SECTION:
itchy.earthlink.net.    1800    IN  A   207.69.188.196
scratchy.earthlink.net. 1800    IN  A   207.69.188.197

;; Query time: 27 msec
;; SERVER: 207.69.188.196#53(itchy.earthlink.net)
;; WHEN: Fri Nov 25 14:46:19 2005
;; MSG SIZE  rcvd: 128

So there is at least some idiocy at both ends.  Why should a static
mail server need a 1/2 hour TTL?  Try asking Earthlink.  SORBS will list any
host with a TTL of less than 1/2 *day* as dynamic (seems reasonable to me,
but I don't make the rules).  See the FAQ and note the requirement for a TTL
of at least 43200 seconds.

http://www.us.sorbs.net/faq/dul.shtml

Paul Shupak
[EMAIL PROTECTED]
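
An added example, not part of any poster's message: the TTL criterion discussed above, applied in Python to records from the dig output quoted in this thread, together with the reversed-octet name used for the DNSBL lookup. The function names are hypothetical, `static.example.net` is a constructed contrast record, and the 43200-second floor is the figure the post quotes from the SORBS FAQ.

```python
import ipaddress

# Floor quoted in the post from the SORBS DUL FAQ: 43200 s (half a day).
SORBS_TTL_FLOOR = 43200

def dnsbl_query_name(ip, zone="dnsbl.sorbs.net"):
    """Reverse the IPv4 octets and append the list zone, as in the dig query."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_section(dig_text, section="ANSWER"):
    """Return (name, ttl, rtype, rdata) tuples from one section of dig output."""
    records, active = [], False
    for raw in dig_text.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            active = line == ";; %s SECTION:" % section
            continue
        if not active or not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) >= 5 and parts[1].isdigit():
            records.append((parts[0], int(parts[1]), parts[3], " ".join(parts[4:])))
    return records

def short_ttl_hosts(records, floor=SORBS_TTL_FLOOR):
    """A records under the floor, i.e. hosts the TTL criterion reads as dynamic."""
    return [(name, ttl) for name, ttl, rtype, _ in records
            if rtype == "A" and ttl < floor]

# Records copied from the dig output in the thread (column spacing restored);
# static.example.net is a constructed contrast case.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;pop08.earthlink.net.   IN  ANY

;; ANSWER SECTION:
pop08.earthlink.net.    1800    IN  A   209.86.93.209
static.example.net.     86400   IN  A   192.0.2.25

;; AUTHORITY SECTION:
earthlink.net.          1800    IN  NS  itchy.earthlink.net.
"""

if __name__ == "__main__":
    print(dnsbl_query_name("209.86.93.209"))
    print(short_ttl_hosts(parse_section(DIG_OUTPUT)))
```

Feed it output from the zone's authoritative server, as the post does with `@itchy.earthlink.net`, because a caching resolver reports the remaining TTL rather than the configured one.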


Re: SORBS

2005-11-25 Thread jdow

From: List Mail User [EMAIL PROTECTED]


...

It seems they have taken leave of their database. The Earthlink mailers
have somehow gotten listed in their DUL listings. They are quite positively
not DUL based. If SORBS can get this screwed up I'd suggest lowering their
scores in the rules files.
===8---
[EMAIL PROTECTED] ~]$ dig 209.93.86.209.dnsbl.sorbs.net

; <<>> DiG 9.3.1 <<>> 209.93.86.209.dnsbl.sorbs.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48703
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 10, ADDITIONAL: 10

;; QUESTION SECTION:
;209.93.86.209.dnsbl.sorbs.net. IN  A

;; ANSWER SECTION:
209.93.86.209.dnsbl.sorbs.net. 3133 IN  A   127.0.0.10

...
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 25 14:01:27 2005
;; MSG SIZE  rcvd: 472

[EMAIL PROTECTED] ~]$ host 209.86.93.209
209.93.86.209.in-addr.arpa domain name pointer pop08.earthlink.net.
[EMAIL PROTECTED] ~]$
===8---

Idiots!
{^_-}


Actually, it seems to be at least part Earthlink's fault;  SORBS
(properly) assumes that a very low TTL means the IP can and is intended to
change relatively often, and Earthlink is now using a 1/2 hour TTL for these
servers.


No, that is an improper assumption. They are using this as a means of
randomizing access to the dozen or so mail servers for earthlink.net.
They do this for all their mail servers for many different networks
that have come to be owned by Earthlink/Mindspring. This helps distribute
the load on their mail servers in spite of the cheap trick Outlook
Express uses of caching the IP address rather than performing a lookup
every time.


% dig pop08.earthlink.net any @itchy.earthlink.net

; <<>> DiG 9.3.0 <<>> pop08.earthlink.net any @itchy.earthlink.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13978
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;pop08.earthlink.net.   IN  ANY

;; ANSWER SECTION:
pop08.earthlink.net.    1800    IN  A   209.86.93.209

;; AUTHORITY SECTION:
earthlink.net.          1800    IN  NS  itchy.earthlink.net.
earthlink.net.          1800    IN  NS  scratchy.earthlink.net.

;; ADDITIONAL SECTION:
itchy.earthlink.net.    1800    IN  A   207.69.188.196
scratchy.earthlink.net. 1800    IN  A   207.69.188.197

;; Query time: 27 msec
;; SERVER: 207.69.188.196#53(itchy.earthlink.net)
;; WHEN: Fri Nov 25 14:46:19 2005
;; MSG SIZE  rcvd: 128

So there is at least some idiocy at both ends.  Why should a static
mail server need a 1/2 hour TTL?  Try asking Earthlink.  SORBS will list any
host with a TTL of less than 1/2 *day* as dynamic (seems reasonable to me,
but I don't make the rules).  See the FAQ and note the requirement for a TTL
of at least 43200 seconds.

http://www.us.sorbs.net/faq/dul.shtml


How about making sure the access to their mail servers is not all
directed to one address? They rather repeatedly get individual mail
servers that overload. Or if a mail server goes down it assures DNS
cached results do not hang around forever. If the DNS cache built
into aberrant email programs is told to flush every half hour they
get slightly fewer customer problem reports. (The problem goes away
of itself in a half an hour.) They MUST work with the deranged
Microsoft products and other products that exhibit this behavior.
So they try to defend against the customer support overload these
products cause.

Their DUL test is based on a rather arrogant (fits with their
web site attitude) and stupid test and assumption heavy on the first
three letters of assumption.

I tried to send a poor dweeb on the FC4 list a heads up about SpamAssassin
not being a computer security tool. He'd configured to block based on
SORBS DUL. So, he loses. I face no loss about it. So I am amused at
SORBS' sudden lapse of careful thought processes.

{^_^}



Re: SORBS

2005-11-25 Thread Daryl C. W. O'Shea
I've got to agree that the TTL criteria doesn't necessarily reflect 
reality... at least in these parts.


Using SORBS' self-help system, I can delist my residential cable IP 
which is pseudo-static but I cannot delist my business DSL IP which is 
static (and 3 times the price).


Of course, my business DSL provider could be less brain dead and not set 
a 30 min TTL for their entire forward zone (and 1 day for their reverse 
zone), but I suspect there are lots of people out there in the same 
situation.


Too bad the telco is the only game in town.  At least their DNS servers 
haven't been rooted this week (yet, anyway).



Daryl



Re: SORBS

2005-11-25 Thread Gene Heskett
On Friday 25 November 2005 19:09, Daryl C. W. O'Shea wrote:
I've got to agree that the TTL criteria doesn't necessarily reflect
reality... at least in these parts.

Using SORBS' self-help system, I can delist my residential cable IP
which is pseudo-static but I cannot delist my business DSL IP which
 is static (and 3 times the price).

Of course, my business DSL provider could be less brain dead and not
 set a 30 min TTL for their entire forward zone (and 1 day for their
 reverse zone), but I suspect there are lots of people out there in the
 same situation.

Too bad the telco is the only game in town.  At least their DNS servers
haven't been rooted this week (yet, anyway).

I'm sure glad you added the (yet, anyway) qualification Daryl, cause
they do get it, regularly.  I'd think they were on a monthly exlax
schedule at times.  What's worse, they rely on us, the users, to alert
them that their winderz box has been rooted, again.  I scan my firewall's
logs daily for portsentry hits from their addresses & send them
nastygrams when I find one.  1 being all portsentry allows before it
shuts it off & I don't have a dns.  Again.  But since I got rid of the
speedstream router I was using, my firewall box hasn't been touched
since.  Portsentry is a nice little utility.  Like a German
Shepherd with a short temper and sharp teeth.  Rather nice feeling
that...  That's not all that sleeping with one eye open here though.
Come to think of it, M$ must have fixed that hole finally, it's been 6
months or so since the last attackalert was logged.  Do ya 'spose?

Daryl

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
99.36% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.



Re: SORBS

2005-11-25 Thread Graham Murray
Daryl C. W. O'Shea [EMAIL PROTECTED] writes:

 Of course, my business DSL provider could be less brain dead and not
 set a 30 min TTL for their entire forward zone (and 1 day for their
 reverse zone), but I suspect there are lots of people out there in the
 same situation.

Where the provider allows the domain owner to control the DNS for the
domain, e.g. via a web page, it makes sense to have a low TTL in order
to speed the propagation of any changes the customer may make.