sa-compile and SARE

2007-05-16 Thread Koopmann, Jan-Peter
Hi,
 
please excuse me if the archives already answer the question and I overlooked 
it.
 
I am going to upgrade to 3.2.0 this week but remember reading that sa-compile 
will not work with SARE rules currently. If I understand it correctly when 
using sa-compile it will be used for all rules so you cannot use sa-compile for 
the working rules and have others not compiled?
 
Therefore the question: Someone wrote all SARE rules would be updated these 
days so they are compatible with sa-compile. Is there some new status?
 
 
Kind regards,
  JP


RCVD_IN_WHOIS_INVALID false-positives?

2007-05-16 Thread Per Jessen
Recently I seem to be getting more than the usual batch of FPs, which
I've tracked to be due to RCVD_IN_WHOIS_INVALID giving 2.2 points.

According to the explanation, it reports an IP on an invalid block - 

RCVD_IN_WHOIS_INVALID RBL: CompleteWhois: sender on invalid IP
*  block [202.96.189.57 listed in
combined-HIB.dnsiplists.completewhois.com]

According to whois info, this ip address is in China and there's nothing
wrong with it. 

Is anyone using the CompleteWhois info?



/Per Jessen, Zürich



Re: Tag Level for spam

2007-05-16 Thread Matthias Haegele

Matt Kettler wrote:

Martin Hochreiter wrote:

Hi!

Is there something like a recommended tag level when to treat a mail
as spam?

(I actually use 1.7 as tag level for amavis/spamassassin)
  


5.0 is the recommended default. This level will tune SA to treat false
positives (nonspam tagged as spam) as roughly 100 times worse than false
negatives (spam that isn't tagged).

Lowering the threshold will reduce the false negatives, thus catching
more spam, but will also increase your false positive rate.

If you look at the STATISTICS*.txt files, you can see what kind of
effects lowering the threshold should have on these numbers.

For example, set3 (bayes and network tests enabled) on SA 3.2:

http://svn.apache.org/repos/asf/spamassassin/branches/3.2/rules/STATISTICS-set3.txt

Shows these numbers for 5.0:

# SUMMARY for threshold 5.0:
# Correctly non-spam:  67508  99.94%
# Correctly spam:     117303  98.51%
# False positives:        42   0.06%
# False negatives:      1780   1.49%

But these for 2.0:

# SUMMARY for threshold 2.0:
# Correctly non-spam:  66745  98.81%
# Correctly spam:     118903  99.85%
# False positives:       805   1.19%
# False negatives:       180   0.15%


Note that at 2.0, the number of missed spams has gone down by a factor
of almost 10, from 1780 to 180. However, the number of false positives
has increased by a factor of more than 19, from 42 to 805.

Your exact results might be a little better, or rarely a little worse,
depending on your use of whitelists, how aggressively you train bayes,
what add-on rules you have, etc. However, these results should be
typical for a stock config with no use of manual whitelists, no AWL,
and relatively light bayes training.



Thx, Matt, for your detailed explanations.
@all:
Do you think it would be useful to adjust the Bayes_80 - Bayes_100 scores
to higher scores (e.g. 4.5 for bayes_100)?
(Since they never were wrong here, I use well trained bayes cause every
misclassified mail is relearned, even bayes_80 spammails are relearned ...)



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



RE: SpamAssassin timed out and was killed

2007-05-16 Thread Martin.Hepworth
Hi

You sure about that MailScanner version, or is it a typo?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

 -Original Message-
 From: leiw [mailto:[EMAIL PROTECTED]
 Sent: 16 May 2007 03:45
 To: users@spamassassin.apache.org
 Subject: SpamAssassin timed out and was killed


 Hello,

 The following package for my company mail-gateway:

 Centos 4.4
 spamassassin-3.2.0-1.el4.rf
 clamd-0.90.2-1.el4.rf
 MailScanner-perl-MIME-Base64-3.05-5
 postfix-2.2.10-1.RHEL4.2

 I checked the maillog, which always shows the following message:

 May 16 10:29:01 mailgateway MailScanner[7437]: SpamAssassin timed out and was killed, failure 6 of 10

 Does my computer not have enough RAM to process spamassassin?


 Thanks







**
Confidentiality : This e-mail and any attachments are intended for the 
addressee only and may be confidential. If they come to you in error 
you must take no action based on them, nor must you copy or show them 
to anyone. Please advise the sender by replying to this e-mail 
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of 
the author and unless specifically stated to the contrary, are not 
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure 
communications medium and can be subject to data corruption. We advise 
that you consider this fact when e-mailing us. 

Viruses : We have taken steps to ensure that this e-mail and any 
attachments are free from known viruses but in keeping with good 
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales 
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
United Kingdom
**



Upgrade to 3.2.0 failed = Malformed UTF-8 character @Bayes.pm line 362

2007-05-16 Thread Hamel Gilles - Brandt Appliances
Hello,

We have upgraded from 3.1.7 to 3.2.0. Now we get a lot of errors like this :

May 16 10:45:01  mimedefang-multiplexor[22448]: Slave 2 stderr: art byte) 
in substitution iterator at /u
sr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362. Malformed 
UTF-8 character (unexpected continuati
on byte 0xa9, with no preceding start byte) in substitution iterator at 
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAs
sassin/Bayes.pm line 362. Malformed UTF-8 character (unexpected continuation 
byte 0xa8, with no preceding start by
te) in substitution iterator at 
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362. Malformed 
UTF-
8 character (un
May 16 10:45:01  mimedefang-multiplexor[22448]: Slave 2 stderr: expected 
continuation byte 0xa9, with no
 preceding start byte) in substitution iterator at 
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 
362. Malformed UTF-8 character (unexpected continuation byte 0xb4, with no 
preceding start byte) in substitution i
terator at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362. 
Malformed UTF-8 character (unexpect
ed continuation byte 0xa0, with no preceding start byte) in substitution 
iterator at /usr/lib/perl5/site_perl/5.8.
0/Mail/SpamAssa
May 16 10:45:01 xxx mimedefang-multiplexor[22448]: Slave 2 stderr: 
ssin/Bayes.pm line 362. Malformed UTF-8 
character (unexpected continuation byte 0xa8, with no preceding start byte) in 
substitution iterator at /usr/lib/p
erl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362. Malformed UTF-8 
character (unexpected continuation byte 
0xa9, with no preceding start byte) in substitution iterator at 
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/B
ayes.pm line 362. Malformed UTF-8 character (unexpected continuation byte 0xa8, 
with no preceding start byte) in s
ubstitution ite

We are rolling back to 3.1.7.

The system uses perl 5.8.0 with LANG=en_US and has never used utf8.

All tests passed successfully and none failed during make test.
spamassassin --lint is OK.

What does it mean ? 

Thank you for your help



RE: Upgrade to 3.2.0 failed = Malformed UTF-8 character @Bayes.pm line 362

2007-05-16 Thread Martin.Hepworth

Hi

Common problem with perl  5.8.8 and the SARE rules.

In Messages.pm in the spamassassin perl library add a line like the
following after use warnings;...

use bytes;


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

 -Original Message-
 From: Hamel Gilles - Brandt Appliances
 [mailto:[EMAIL PROTECTED]
 Sent: 16 May 2007 10:25
 To: users@spamassassin.apache.org
 Subject: Upgrade to 3.2.0 failed = Malformed UTF-8 character
@Bayes.pm
 line 362

 Hello,

 We have upgraded from 3.1.7 to 3.2.0. Now we get a lot of errors like
this
 :

 May 16 10:45:01  mimedefang-multiplexor[22448]: Slave 2 stderr:
art
 byte) in substitution iterator at /u
 sr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362.
 Malformed UTF-8 character (unexpected continuati
 on byte 0xa9, with no preceding start byte) in substitution iterator
at
 /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAs
 sassin/Bayes.pm line 362. Malformed UTF-8 character (unexpected
 continuation byte 0xa8, with no preceding start by
 te) in substitution iterator at
 /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362.
 Malformed UTF-
 8 character (un
 May 16 10:45:01  mimedefang-multiplexor[22448]: Slave 2 stderr:
 expected continuation byte 0xa9, with no
  preceding start byte) in substitution iterator at
 /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line
 362. Malformed UTF-8 character (unexpected continuation byte 0xb4,
with no
 preceding start byte) in substitution i
 terator at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm
line
 362. Malformed UTF-8 character (unexpect
 ed continuation byte 0xa0, with no preceding start byte) in
substitution
 iterator at /usr/lib/perl5/site_perl/5.8.
 0/Mail/SpamAssa
 May 16 10:45:01 xxx mimedefang-multiplexor[22448]: Slave 2 stderr:
 ssin/Bayes.pm line 362. Malformed UTF-8
 character (unexpected continuation byte 0xa8, with no preceding start
 byte) in substitution iterator at /usr/lib/p
 erl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362. Malformed
UTF-8
 character (unexpected continuation byte
 0xa9, with no preceding start byte) in substitution iterator at
 /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/B
 ayes.pm line 362. Malformed UTF-8 character (unexpected continuation
byte
 0xa8, with no preceding start byte) in s
 ubstitution ite

 We are rollbacking to 3.1.7.

 The system use perl 5.8.0 with LANG=en_US and has never used utf8.

 all test passed successfully and none failed during make test.
 spamassassin --lint is OK.

 What does it mean ?

 Thank you for your help








False negative problem

2007-05-16 Thread Cedric BUSCHINI

Hello everyone,

I'm running through a problem generating false negatives:
I'm getting e-mails sent to [EMAIL PROTECTED] from
[EMAIL PROTECTED]


X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on srvmail.carax.com
X-Spam-Level: 
X-Spam-Status: No, score=-93.1 required=5.0 tests=BAYES_50,HTML_90_100,
    HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,URIBL_JP_SURBL,
    URIBL_SBL,USER_IN_WHITELIST autolearn=no version=3.1.4
[...]
To: [EMAIL PROTECTED]
Subject: Online MedHelp
From: Doctor Fern [EMAIL PROTECTED]

[EMAIL PROTECTED] is in the whitelist using whitelist_from in 
local.cf .


How can I fix that problem ?

--

Cedric BUSCHINI




Re: False negative problem

2007-05-16 Thread Duncan Hill
On Wed, May 16, 2007 11:02, Cedric BUSCHINI wrote:
 Hello everyone,


 I m running through a problem generating false negatives :
 I m getting e-mails sent to [EMAIL PROTECTED] from
 [EMAIL PROTECTED]

 [EMAIL PROTECTED] is in the whitelist using whitelist_from in
 local.cf .

 How can I fix that problem ?


Don't use whitelist_from for addresses at your domain. 
whitelist_from_rcvd is safer.  Even better, analyse why you have to
whitelist that sender, and solve the issue in a better way.



Re: False negative problem

2007-05-16 Thread Matt Kettler
Cedric BUSCHINI wrote:
 Hello everyone,

 I m running through a problem generating false negatives :
 I m getting e-mails sent to [EMAIL PROTECTED] from
 [EMAIL PROTECTED]

 X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on
 srvmail.carax.com
 X-Spam-Level: X-Spam-Status: No, score=-93.1 required=5.0
 tests=BAYES_50,HTML_90_100,
 HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,URIBL_JP_SURBL,
 URIBL_SBL,USER_IN_WHITELIST autolearn=no version=3.1.4
 [...]
 To: [EMAIL PROTECTED]
 Subject: Online MedHelp
 From: Doctor Fern [EMAIL PROTECTED]

 [EMAIL PROTECTED] is in the whitelist using whitelist_from in
 local.cf .

 How can I fix that problem ?
Do not *EVER* use whitelist_from for ANYTHING, except as an absolute
last resort. whitelist_from offers absolutely no protection against
forgery, and is particularly dangerous to use for whitelisting your own
domain.

Use whitelist_from_rcvd instead. This takes two parameters, the second
of which checks the reverse DNS lookup of the MTA delivering the mail to
your server.
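
The header quoted in this thread shows the effect under discussion: score=-93.1 with USER_IN_WHITELIST in the test list. The following is an added example, not code from any poster or from SpamAssassin: a Python check that parses X-Spam-Status and reports messages that stayed under the threshold only because a whitelist rule fired. It assumes USER_IN_WHITELIST carries the stock score of -100; the sample messages, host name and addresses are constructed.

```python
import re
from email import message_from_string

# Assumption: stock score for USER_IN_WHITELIST; adjust if local.cf overrides it.
MASKING_RULES = {"USER_IN_WHITELIST": -100.0}

# Constructed sample modelled on the header quoted in the thread.
# Host name and addresses are placeholders.
FORGED_SAMPLE = (
    "X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on mail.example.test\n"
    "X-Spam-Status: No, score=-93.1 required=5.0 tests=BAYES_50,HTML_90_100,\n"
    "\tHTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,URIBL_JP_SURBL,\n"
    "\tURIBL_SBL,USER_IN_WHITELIST autolearn=no version=3.1.4\n"
    "To: user@example.test\n"
    "Subject: Online MedHelp\n"
    "From: Doctor Fern <user@example.test>\n"
    "\n"
    "body\n"
)

# Constructed: a whitelisted message that would have been ham anyway.
BENIGN_SAMPLE = (
    "X-Spam-Status: No, score=-99.2 required=5.0 tests=HTML_MESSAGE,\n"
    "\tUSER_IN_WHITELIST autolearn=no version=3.1.4\n"
    "From: colleague@example.test\n"
    "\n"
    "body\n"
)

_NUM = r"(-?\d+(?:\.\d+)?)"


def parse_spam_status(value):
    """Return score, threshold and rule names from an X-Spam-Status value."""
    # Undo header folding: the rule list is wrapped after commas.
    flat = re.sub(r",\s+", ",", value)
    flat = re.sub(r"\s+", " ", flat).strip()
    score = re.search(r"\bscore=" + _NUM, flat)
    required = re.search(r"\brequired=" + _NUM, flat)
    tests = re.search(r"\btests=(\S*)", flat)
    if not (score and required):
        return None
    names = tests.group(1).split(",") if tests else []
    return {
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "tests": [n for n in names if n and n != "none"],
    }


def whitelist_masking(raw_message, masking=MASKING_RULES):
    """Report whether whitelist rules alone kept a message below threshold."""
    msg = message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    parsed = parse_spam_status(status) if status else None
    if parsed is None:
        return None
    hits = [name for name in parsed["tests"] if name in masking]
    # Score the message would have had without the whitelist rules.
    unmasked = round(parsed["score"] - sum(masking[n] for n in hits), 3)
    return {
        "score": parsed["score"],
        "required": parsed["required"],
        "masking_rules": hits,
        "unmasked_score": unmasked,
        "would_be_spam": bool(hits)
        and parsed["score"] < parsed["required"] <= unmasked,
    }


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, whitelist_masking(raw))
```

Messages flagged with would_be_spam are the ones to review before replacing the whitelist_from entry with whitelist_from_rcvd.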





Re: Does anyone catch this....

2007-05-16 Thread Matt Hampton

Matt Hampton wrote:

http://www.coders.co.uk/slipped.through.txt

It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851) 
running on recent versions of MailScanner


cheers

Matt





Thanks to everyone who replied - I'll look at the Clam signatures

matt


Re: Spamd

2007-05-16 Thread Sunil Chelaramani

I am trying to compile from source files.

On 5/15/07, .rp [EMAIL PROTECTED] wrote:

On 14 May 2007 at 15:07, Sunil Chelaramani wrote:
 Hello Group/Everyone,

 I am trying to setup SPAMD on Fedora Core but no luck. I would
 appreciate if anyone can point to the documentation which guides
 though step-by-step to get started with Spamd :-)

 I will appreciate any help.

 --
Are you trying to compile and install from source or with a premade RPM package?



RE: Upgrade to 3.2.0 failed = Malformed UTF-8 character @Bayes.pm line 362

2007-05-16 Thread Hamel Gilles - Brandt Appliances
Yes, you are right, we use SARE rules.
But, I am not sure that my problem is the same as
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5440 or
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5437

Why are these errors triggered in Bayes.pm? SARE rules aren't dependent on
Bayes?

 
-Original Message-
From: Martin.Hepworth [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 16 May 2007 11:38
To: Hamel Gilles - Brandt Appliances; users@spamassassin.apache.org
Subject: RE: Upgrade to 3.2.0 failed = Malformed UTF-8 character
@Bayes.pm line 362



Hi

Common problem with perl  5.8.8 and the SARE rules.

In Messages.pm in the spamassassin perl library add a line like the
following after use warnings;...

use bytes;


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

 -Original Message-
 From: Hamel Gilles - Brandt Appliances
 [mailto:[EMAIL PROTECTED]
 Sent: 16 May 2007 10:25
 To: users@spamassassin.apache.org
 Subject: Upgrade to 3.2.0 failed = Malformed UTF-8 character
@Bayes.pm
 line 362

 Hello,

 We have upgraded from 3.1.7 to 3.2.0. Now we get a lot of errors like
this
 :

 May 16 10:45:01  mimedefang-multiplexor[22448]: Slave 2 stderr:
art
 byte) in substitution iterator at /u
 sr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362.
 Malformed UTF-8 character (unexpected continuati
 on byte 0xa9, with no preceding start byte) in substitution iterator
at
 /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAs
 sassin/Bayes.pm line 362. Malformed UTF-8 character (unexpected
 continuation byte 0xa8, with no preceding start by
 te) in substitution iterator at
 /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362.
 Malformed UTF-
 8 character (un
 May 16 10:45:01  mimedefang-multiplexor[22448]: Slave 2 stderr:
 expected continuation byte 0xa9, with no
  preceding start byte) in substitution iterator at
 /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line
 362. Malformed UTF-8 character (unexpected continuation byte 0xb4,
with no
 preceding start byte) in substitution i
 terator at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm
line
 362. Malformed UTF-8 character (unexpect
 ed continuation byte 0xa0, with no preceding start byte) in
substitution
 iterator at /usr/lib/perl5/site_perl/5.8.
 0/Mail/SpamAssa
 May 16 10:45:01 xxx mimedefang-multiplexor[22448]: Slave 2 stderr:
 ssin/Bayes.pm line 362. Malformed UTF-8
 character (unexpected continuation byte 0xa8, with no preceding start
 byte) in substitution iterator at /usr/lib/p
 erl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 362. Malformed
UTF-8
 character (unexpected continuation byte
 0xa9, with no preceding start byte) in substitution iterator at
 /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/B
 ayes.pm line 362. Malformed UTF-8 character (unexpected continuation
byte
 0xa8, with no preceding start byte) in s
 ubstitution ite

 We are rollbacking to 3.1.7.

 The system use perl 5.8.0 with LANG=en_US and has never used utf8.

 all test passed successfully and none failed during make test.
 spamassassin --lint is OK.

 What does it mean ?

 Thank you for your help








RE: tracking down problem messages

2007-05-16 Thread Jean-Paul Natola



Jean-Paul Natola wrote:
 Ok I was able to track them and found that they are timing out after about 5
 mins- spamd is timing them out- I'm assuming its large messages that it is
 timing out on-  what  rule/acl would I need and WHERE would I enter it to
 tell SA to ignore or  not to scan anything over 1 meg.

This is a parameter to spamc, the -s parameter does this, and by default
spamc will not send anything over 500k to spamd.


So is it possible spamc is either A) not being called- or the B) the default
500k setting somehow got corrupted?



Black Lists

2007-05-16 Thread Daniel Aquino

Do I need special configurations to query dns black lists ?


Re: Black Lists

2007-05-16 Thread Matthias Haegele

Daniel Aquino wrote:

Do I need special configurations to query dns black lists ?


http://wiki.apache.org/spamassassin/UsingNetworkTests

Additionally I would suggest a dns-cache like pdns-recursor ...


--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



RE: tracking down problem messages

2007-05-16 Thread Duane Hill

On Wed, 16 May 2007, Jean-Paul Natola wrote:


Jean-Paul Natola wrote:

Ok I was able to track them and found that they are timing out after about 5
mins- spamd is timing them out- I'm assuming its large messages that it is
timing out on-  what  rule/acl would I need and WHERE would I enter it to
tell SA to ignore or  not to scan anything over 1 meg.


This is a parameter to spamc, the -s parameter does this, and by default
spamc will not send anything over 500k to spamd.


So is it possible spamc is either A) not being called- or the B) the default
500k setting somehow got corrupted?


Also, looking back in the archive, it looks like the following:

  condition = ${if <{$message_size}{500k}{1}{0}}

could be placed under the spam checking ACL. Not quite sure where the ACL 
is as I do not use Exim.


P.s. You would substitute 500k for whatever size you want to scan.


BAYES_99 triggered on every message

2007-05-16 Thread Jari Fredriksson


SpamAssassin version 3.1.8 assembled via cpan

Every message gets BAYES_99, even when

a) the message has no body

b) I have cleaned the database with sa-learn --clean (Still BAYES_99 while 
the bayes should be off!)


The bayes database is in  a MySQL instance, and the connection works 
(-D --lint sees it).


I tried to google and found one similar question out there, but no answers. 
So it is not a systematic error in some version but something more rare.


I have used SA for years, and this thing appeared when I installed SA once 
more again via cpan, while earlier versions installed with Debian Sarge 
worked ok. Also earlier versions installed via cpan on top of Red Hat 7.3 
worked ok.





Problems with live.com alerts service

2007-05-16 Thread Luis Hernán Otegui

Interesting approach by M$... offering an alerts service for PayPal,
which is supposed to be secure, and then using mailservers which don't
resolve to anything...

This came up today (the user deleted the mail, and then decided to
give me a call, so all I have are the mail logs):
May 16 11:48:15 nahuel postfix/smtpd[12083]: 653578CFB9:
client=unknown[207.46.117.145]
May 16 11:48:15 nahuel postfix/cleanup[18085]: 653578CFB9: message-id=BY2ACNMSB
[EMAIL PROTECTED]
May 16 11:48:16 nahuel postfix/qmgr[2166]: 653578CFB9:
from=[EMAIL PROTECTED], size=10459, nrcpt=1 (queue active)
May 16 11:48:16 nahuel amavis[18092]: (18092-05) loaded policy bank MYNETS
May 16 11:48:16 nahuel amavis[18092]: (18092-05) ESMTP::10024
/var/lib/amavis/amavis-20070516T114453-18092: [EMAIL PROTECTED] -
[EMAIL PROTECTED] SIZE=10459 Received: from
nahuel.biol.unlp.edu.ar ([127.0.0.1]) by localhost
(nahuel.biol.unlp.edu.ar [127.0.0.1]) (amavisd-new, port 10024) with
ESMTP for [EMAIL PROTECTED]; Wed, 16 May 2007 11:48:16 -0300
(ART)
May 16 11:48:16 nahuel amavis[18092]: (18092-05) Checking:
tVqyWG7HIQ2H MYNETS [207.46.117.145] [EMAIL PROTECTED] -
[EMAIL PROTECTED]
May 16 11:48:16 nahuel amavis[18092]: (18092-05) p003 1 Content-Type:
multipart/alternative
May 16 11:48:16 nahuel amavis[18092]: (18092-05) p001 1/1
Content-Type: text/plain, size: 900 B, name:
May 16 11:48:16 nahuel amavis[18092]: (18092-05) p002 1/2
Content-Type: text/html, size: 7268 B, name:
May 16 11:48:16 nahuel postfix/smtpd[12083]: disconnect from
unknown[207.46.117.145]
May 16 11:48:16 nahuel amavis[18092]: (18092-05) SPAM-TAG,
[EMAIL PROTECTED] -[EMAIL PROTECTED], Yes, score=7.328
tagged_above=-100 required=5 tests=[BAYES_99=3.5, BOTNET_NORDNS=0.5,
FAKE_HELO_MSN=2.358, HTML_70_80=0.144, HTML_MESSAGE=0.001,
MIME_QP_LONG_LINE=0.234, SARE_UNI=0.591]

I've obfuscated the user's name in the previous transcription. Apart
from the BAYES_99 scoring, the server's IP doesn't resolve, so it got
tagged as spam. Here is what I got from dnsstuff.com:

IP address:                   207.46.117.145
Reverse DNS:                  [No reverse DNS entry per cpipsdnsp01.phx.gbl.]
Reverse DNS authenticity:     [Unknown]
ASN:                          8075
ASN Name:                     MICROSOFT-CORP---MSN-AS-BLOCK
IP range connectivity:        2
Registrar (per ASN):          ARIN
Country (per IP registrar):   US [United States]
Country Currency:             USD [United States Dollars]
Country IP Range:             207.46.0.0 to 207.46.255.255
Country fraud profile:        Normal
City (per outside source):    Redmond, Washington
Country (per outside source): US [United States]
Private (internal) IP?        No
IP address registrar:         whois.arin.net
Known Proxy?                  No
Link for WHOIS:               207.46.117.145

If I look for the server's supposed name, b03.alerts.msn.com, I get this:

No ALL records exist for b03.alerts.msn.com, and b03.alerts.msn.com
does not exist. [Neg TTL=86400 seconds]

Any ideas on how to whitelist these?

Thanks,


Luix
--
-
GNU-GPL: May The Source Be With You...
Linux Registered User #448382.
-


Re: BAYES_99 triggered on every message

2007-05-16 Thread Theo Van Dinter
On Wed, May 16, 2007 at 06:38:12PM +0300, Jari Fredriksson wrote:
 Every message gets BAYES_99, even when
 
 a) the message has no body

Bayes uses the header as well.

 b) I have cleaned the database with sa-learn --clean (Still BAYES_99 while 
 the bayes should be off!)

Then you're not doing what you think you're doing.  As usual, run with -D and
figure out what's going on.

-- 
Randomly Selected Tagline:
French fries are MURDER - Mr. Potato Head




Re: BAYES_99 triggered on every message

2007-05-16 Thread Craig Carriere
Perhaps a dumb comment on my part, but have you tried to delete the
table entries from the mySQL database and are you sure you are using the
SA user?  Doesn't sa-learn --clean only clear the Berkeley dbs and you
appear to state that you are using mySQL.

Best


Jari Fredriksson wrote:

 SpamAssassin version 3.1.8 assembled via cpan

 Every message gets BAYES_99, even when

 a) the message has no body

 b) I have cleaned the database with sa-learn --clean (Still BAYES_99
 while the bayes should be off!)

 The bayes database is in  a MySQL instance, and the connection works
 (-D --lint sees it).

 I tried to google and found one similar question out there, but no
 answers. So it is not a systematic error in some version but something
 more rare.

 I have used SA for years, and this thing appeared when I installed SA
 once more again via cpan, while earlier versions installed with Debian
 Sarge worked ok. Also earlier versions installed via cpan on top of
 Red Hat 7.3 worked ok.






Bayes Auto Learn

2007-05-16 Thread Daniel Aquino

Is spam assassin smart enough to not auto-learn (bayesian) spam if the
default tests already detect it as spam... ?  What I'm wondering is
if the other tests have already deemed it to be spam, then why would
you want to increase the size of your bayesian db...  Bayesian I
believe would be better applied to messages that appear to be slipping
past the other tests...


sa-compile error

2007-05-16 Thread Steven Stern
I've set up sa-compile successfully on two of our three servers. The 
third gives this error:


Insecure dependency in mkdir while running with -T switch at 
/usr/bin/sa-compile line 321, $fh line 1.


Googling around, there are references to editing a perl .pm file, but 
this error points to the sa-compile source itself.  How do I fix this?


Re: Bayes Auto Learn

2007-05-16 Thread JamesDR
Daniel Aquino wrote:
 Is spam assassin smart enough to not auto-learn (bayesian) spam if the
 default tests already detect it as spam... ?  What I'm wondering is
 if the other tests have already deemed it to be spam, then why would
 you want to increase the size of your bayesian db...  Bayesian I
 believe would be better applied to messages that appear to be slipping
 past the other tests...

It has to know which is which. So you would train (Ideally) equally on
both. If you trained nothing but ham, it would think everything in the
world was ham, other way around for spam.


-- 
Thanks,
James



Re: BAYES_99 triggered on every message

2007-05-16 Thread Jari Fredriksson

Craig Carriere wrote:

Perhaps a dumb comment on my part, but have you tried to delete the
table entries from the mySQL database and are you sure you are using
the SA user?  Doesn't sa-learn --clean only clear the Berkeley dbs
and you appear to state that you are using mySQL.

Best


--clean created lots of load on my MySql and -D --lint told me that there is not
enough corpus to use bayes.


So I think --clean is not only for Berkeley.




ALL_TRUSTED Overriding Bayes

2007-05-16 Thread Clay Davis
Hi gang:

I am getting a bunch of messages that are passing through my SA setup with the 
following scores:


 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 SUBJ_FOR_ONLY          Subject contains For Only
-3.3 ALL_TRUSTED            Did not pass through any untrusted hosts
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.5 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 4.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.6 SARE_UNSUB38D          RAW: SARE_UNSUB38D


As you can see, Bayes knows they are spam but the ALL_TRUSTED rule is 
discounting enough to counter.  What's the best way to nail these bastards?

Thanks,
Clay



Re: ALL_TRUSTED Overriding Bayes

2007-05-16 Thread Duane Hill

On Wed, 16 May 2007, Clay Davis wrote:


Hi gang:

I am getting a bunch of messages that are passing through my SA setup with the 
following scores:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 SUBJ_FOR_ONLY          Subject contains For Only
-3.3 ALL_TRUSTED            Did not pass through any untrusted hosts
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.5 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 4.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.6 SARE_UNSUB38D          RAW: SARE_UNSUB38D


As you can see, Bayes knows they are spam but the ALL_TRUSTED rule is 
discounting enough to counter.  What's the best way to nail these bastards?


How do you have your trusted/internal networks set up? According to your 
SA install, the message came from a 100% trusted source (i.e. all received 
headers were trusted).


Re: Bayes Auto Learn

2007-05-16 Thread Kelson

Daniel Aquino wrote:

Is spam assassin smart enough to not auto-learn (bayesian) spam if the
default tests already detect it as spam... ?  What I'm wondering is
if the other tests have already deemed it to be spam, then why would
you want to increase the size of your bayesian db...  Bayesian I
believe would be better applied to messages that appear to be slipping
past the other tests...


Because you might get a similar message that doesn't trip the same SA 
tests, and doesn't score 5 points.  Maybe the exact wording SA looked 
for only hits one variation of the message, but other parts are 
substantially similar from one run to the next.  Maybe the first message 
came from a source that triggers a whole mess of RBLs, but the second 
one comes from a clean source.  Maybe the spammer rotates in a new URL 
with the same sales pitch, and the new URL hasn't made it into any 
SURBLs yet.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: sa-compile error

2007-05-16 Thread Daryl C. W. O'Shea

Steven Stern wrote:
I've set up sa-compile successfully on two of our three servers. The 
third gives this error:


Insecure dependency in mkdir while running with -T switch at 
/usr/bin/sa-compile line 321, $fh line 1.


Googling around, there are references to editing a perl .pm file, but 
this error points to the sa-compile source itself.  How do I fix this?


Please open a bug at http://issues.apache.org/SpamAssassin/ and be sure 
to include the command line parameters that trigger this.


Thanks,

Daryl




Re: test=none

2007-05-16 Thread Daryl C. W. O'Shea

Martin Hochreiter wrote:

Daryl C. W. O'Shea schrieb:

---
trusted_networks 80.123.XXX.XXX
trusted_networks 80.122.XXX.XXX
internal_networks 192.168.1.0/24
internal_networks 192.168.2.0/24
internal_networks 127.0.0.1
---


I am using the SuSE rpm spamassassin-3.1.8-9.2 (OpenSuSE 10.1) - I am
really not a specialist in configuring spamassassin so I am using almost
the default values from the SuSE config. I inserted those
trusted/internal networks lines because I often get these ALL_TRUSTED
headers - maybe that's the wrong solution for it.

I printed a little network topology of my net - can anybody tell me
please, what really should be mentioned in local.conf
(trusted_networks, internal_networks)?

192.168.2.0(net) --- 80.123.XXX.XXX ~~~VPN~~~ 80.122.XXX.XXX ---
192.168.1.0 (net)- 192.168.1.104 (mailserver)

Imap4-SSL and Smtp is portforwarded from the firewall to the mailserver.


Something like the following might work (I'm not 100% clear on what mail 
is being scanned and from who/where):


trusted_networks 192.168.1.0/24 192.168.2.0/24 80.122.0.0/15 127.0.0.1
internal_networks 192.168.1.0/24 192.168.2.0/24 80.122.0.0/15 127.0.0.1

Daryl
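
A simplified model of the trust-path walk discussed in this thread, added here as an example; it is not SpamAssassin's code and not from any poster. It uses the trusted_networks value suggested above and the rule scores from the ALL_TRUSTED report quoted earlier on the page; the relay addresses are constructed samples and 5.0 is the default threshold mentioned earlier in the thread.

```python
import ipaddress

# trusted_networks value from the reply above
TRUSTED_LINE = "192.168.1.0/24 192.168.2.0/24 80.122.0.0/15 127.0.0.1"

# Non-trust rule hits and scores from the report quoted earlier on the page
OTHER_HITS = {"HTML_IMAGE_RATIO_02": 0.0, "HTML_90_100": 0.0,
              "HTML_IMAGE_ONLY_24": 0.5, "HTML_MESSAGE": 0.0,
              "BAYES_99": 4.5, "MIME_HTML_ONLY": 0.2, "SARE_UNSUB38D": 0.6}
ALL_TRUSTED_SCORE = -3.3
THRESHOLD = 5.0  # default required score


def parse_networks(line):
    """Turn a space-separated trusted_networks value into network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in line.split()]


def split_relays(relay_ips, networks):
    """Walk relays newest-first. The trusted chain ends at the first relay
    outside the trusted networks; that relay and every older one count as
    untrusted, because headers past that point could be forged."""
    trusted, untrusted = [], []
    for ip in relay_ips:
        addr = ipaddress.ip_address(ip)
        if not untrusted and any(addr in net for net in networks):
            trusted.append(ip)
        else:
            untrusted.append(ip)
    return trusted, untrusted


def all_trusted(relay_ips, networks):
    """Model of ALL_TRUSTED: at least one trusted relay, no untrusted ones."""
    trusted, untrusted = split_relays(relay_ips, networks)
    return bool(trusted) and not untrusted


def total_score(relay_ips, networks):
    """Score of the reported message for a given relay path."""
    score = sum(OTHER_HITS.values())
    if all_trusted(relay_ips, networks):
        score += ALL_TRUSTED_SCORE
    return round(score, 1)


def public_trusted_count(networks):
    """Number of non-private addresses the configuration trusts."""
    return sum(n.num_addresses for n in networks if not n.is_private)
```

With these inputs the same rule hits total 2.5 when every relay falls inside the trusted networks and 5.8 when the delivering relay is outside them, which is the difference between missing and meeting the 5.0 threshold.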


Re: sa-compile fails Make

2007-05-16 Thread Daryl C. W. O'Shea
If this is still an issue please open a bug at 
http://issues.apache.org/SpamAssassin/.


Thanks,

Daryl


Daniel J McDonald wrote:

When I run sa-compile, it breaks while trying to run make:
[EMAIL PROTECTED] ~]$ sudo sa-compile
[32101] info: generic: base extraction starting. this can take a while...
[32101] info: generic: extracting from rules of type body_0
100% [===]  36.75 rules/sec 00m28s DONE
100% [===]  30.40 bases/sec 01m37s DONE
[32101] info: body_0: 2404 base strings extracted in 126 seconds
[...]
re2c -i -b -o scanner13.c scanner13.re
/usr/bin/perl5.8.7 Makefile.PL PREFIX=/tmp/.spamassassin32101UQHVCjtmp/ignored
INSTALLSITEARCH=/var/lib/spamassassin/compiled/3.002000
Writing Makefile for Mail::SpamAssassin::CompiledRegexps::body_0
make
cp body_0.pm blib/lib/Mail/SpamAssassin/CompiledRegexps/body_0.pm
/usr/bin/perl5.8.7 /usr/lib/perl5/5.8.7/ExtUtils/xsubpp  -typemap
/usr/lib/perl5/5.8.7/ExtUtils/typemap  body_0.xs  body_0.xsc  mv body_0.xsc
body_0.c
make: *** No rule to make target
`/usr/lib/perl5/5.8.7/i386-linux/CORE/EXTERN.h', needed by `body_0.o'.  Stop.
command failed! at /usr/bin/sa-compile line 276.

I have the proper version of re2c mentioned in the FAQ, but this symptom does
not match at all.

[EMAIL PROTECTED] ~]$ rpm -
-b  -e  -F  -i  -q  -t  -U  -V  
[EMAIL PROTECTED] ~]$ rpm -q re2c

re2c-0.12.0-0.1.20060mlcs4

I've tried sa-compile on several flavors of Mandriva linux and have had similar
results.  This particular one is:
[EMAIL PROTECTED] ~]$ uname -a
Linux ca.austinenergy.com 2.6.12-29mdk #1 Wed Jan 3 12:05:41 MST 2007 i686 AMD
Athlon(tm) XP 2400+ unknown GNU/Linux
[EMAIL PROTECTED] ~]$ sudo cat /etc/mandriva-release
Mandriva Linux Corporate Server release 2006.0 (Official) for i586

The package is from cooker, recompiled for Corporate Server 4:
[EMAIL PROTECTED] ~]$ rpm -q perl-Mail-SpamAssassin
perl-Mail-SpamAssassin-3.2.0-0.1.20060mlcs4

Any thoughts for getting sa-compile to work would be most appreciated.






Re: sa-compile and SARE

2007-05-16 Thread Daryl C. W. O'Shea

Koopmann, Jan-Peter wrote:

Hi,
 
please excuse me if the archives already answer the question and I 
overlooked it.
 
I am going to upgrade to 3.2.0 this week but remember reading that 
sa-compile will not work with SARE rules currently. If I understand it 
correctly when using sa-compile it will be used for all rules so you 
cannot use sa-compile for the working rules and have others not compiled?
 
Therefore the question: Someone wrote all SARE rules would be updated 
these days so they are compatible with sa-compile. Is there some new status?


70_sare_stocks.cf is the only ruleset that has been updated since the 
release of 3.2.0.  I don't believe the update was to fix any UTF8 
issues, nor do I know if there are any issues with this ruleset.


Daryl



Re: sa-compile and SARE

2007-05-16 Thread Doc Schneider

Daryl C. W. O'Shea wrote:
 Koopmann, Jan-Peter wrote:
 Hi,
  
 please excuse me if the archives already answer the question and I
 overlooked it.
  
 I am going to upgrade to 3.2.0 this week but remember reading that
 sa-compile will not work with SARE rules currently. If I understand it
 correctly when using sa-compile it will be used for all rules so you
 cannot use sa-compile for the working rules and have others not
 compiled?
  
 Therefore the question: Someone wrote all SARE rules would be updated
 these days so they are compatible with sa-compile. Is there some new
 status?
 
 70_sare_stocks.cf is the only ruleset that has been updated since the
 release of 3.2.0.  I don't believe the update was to fix any UTF8
 issues, nor do I know if there are any issues with this ruleset.
 
 Daryl

No, the 70_sare_stocks.cf was re-scored and a couple rules were removed
from it and had nothing to do with the UTF-8 issue. I've just about
gotten the rule sets that are causing that issue fixed. Look for them in
the next day or so. Of course, this all depends on other factors. 8*)

--

 -Doc

 Penguins: Do it on the ice.
   8:44am  up 4 days, 16:55, 17 users,  load average: 0.18, 0.30, 0.37

 SARE HQ  http://www.rulesemporium.com/


Re: ALL_TRUSTED Overriding Bayes

2007-05-16 Thread Duane Hill

On Wed, 16 May 2007, Clay Davis wrote:


I only have one internal network 10.0.0.0 (mask: 255.255.255.0).

I have attached a few of the messages that scored like this.


Do you have any trusted_networks or internal_networks set up in SA's 
local.cf? If not, SA would be trying to guess your internal/trusted 
networks and by the looks is guessing incorrectly.


Here is the link in the wiki that describes the trust path:

  http://wiki.apache.org/spamassassin/TrustPath?highlight=%28network%29