'mx' appearing in the host portion of the return address

2008-01-28 Thread Arlyle Consulting

Hi,

I have a question, and possible feature request.

I just installed SpamAssassin on my mail server a couple of days ago.   
I've been closely studying the messages that get by SA and are spam,  
and I've noticed something.


Many of the messages that are spam that SA misses have return addresses
that have 'mx' in the host part of the address.  Here are examples:


[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

I've had an email account on the Internet for 14 years, and I have  
NEVER had to put anything like mx5 in an email address.  The only  
thing I can think of that remotely resembles this is the old days of  
Netcom when the addresses were all ix.netcom.com.  I suspect they  
are including these mx subzone names because they are all valid  
hosts in those domains (I checked with dig, and they all return a  
valid IP address).


What is needed is a rule that checks these return addresses and, if it  
finds 'mx' as a subdomain, it gives it points.  Regular expressions  
are not my strong suit, but I think it would look something like this:


/[EMAIL PROTECTED]/

Hopefully everyone gets the gist.

It doesn't appear there's a rule like this currently.  I'm wondering  
if there is a way to add this type of rule?


Thanks,

Robert Case...
Arlyle Consulting


RE: sa-update error wrong gpg key...

2008-01-28 Thread Steve Monkhouse
Hey guys.. 

We're seeing the same thing.. although slightly different.. this error has
only been happening for a week or so now.. everything's been fine before
that.. it seems to be with the RSA key generated on 15Jan.. 

An sa-update -D shows :

[/usr/local/etc/mail/spamassassin]# sa-update -D
[56267] dbg: logger: adding facilities: all
[56267] dbg: logger: logging level is DBG
[56267] dbg: generic: SpamAssassin version 3.2.4
[56267] dbg: config: score set 0 chosen.
[56267] dbg: dns: is Net::DNS::Resolver available? yes
[56267] dbg: dns: Net::DNS version: 0.62
[56267] dbg: generic: sa-update version svn607589
[56267] dbg: generic: using update directory: /var/db/spamassassin/3.002004
[56267] dbg: diag: perl platform: 5.008008 freebsd
[56267] dbg: diag: module installed: Digest::SHA1, version 2.11
[56267] dbg: diag: module installed: HTML::Parser, version 3.56
[56267] dbg: diag: module installed: Net::DNS, version 0.62
[56267] dbg: diag: module installed: MIME::Base64, version 3.07
[56267] dbg: diag: module installed: DB_File, version 1.814
[56267] dbg: diag: module installed: Net::SMTP, version 2.31
[56267] dbg: diag: module not installed: Mail::SPF ('require' failed)
[56267] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[56267] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[56267] dbg: diag: module installed: Razor2::Client::Agent, version 2.84
[56267] dbg: diag: module not installed: Net::Ident ('require' failed)
[56267] dbg: diag: module installed: IO::Socket::INET6, version 2.51
[56267] dbg: diag: module installed: IO::Socket::SSL, version 1.12
[56267] dbg: diag: module installed: Compress::Zlib, version 2.008
[56267] dbg: diag: module installed: Time::HiRes, version 1.9711
[56267] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)
[56267] dbg: diag: module not installed: Mail::DKIM ('require' failed)
[56267] dbg: diag: module installed: DBI, version 1.601
[56267] dbg: diag: module installed: Getopt::Long, version 2.35
[56267] dbg: diag: module installed: LWP::UserAgent, version 2.033
[56267] dbg: diag: module installed: HTTP::Date, version 1.47
[56267] dbg: diag: module installed: Archive::Tar, version 1.38
[56267] dbg: diag: module installed: IO::Zlib, version 1.07
[56267] dbg: diag: module installed: Encode::Detect, version 1.00
[56267] dbg: gpg: Searching for 'gpg'
[56267] dbg: util: current PATH is: /sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
[56267] dbg: util: executable for gpg was found at /usr/local/bin/gpg
[56267] dbg: gpg: found /usr/local/bin/gpg
[56267] dbg: gpg: release trusted key id list:
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
26C900A46DD40CD5AD24F6D7DEE01987265FA05B
0C2B1D7175B852C64B3CDC716C55397824F434CE
[56267] dbg: channel: attempting channel updates.spamassassin.org
[56267] dbg: channel: update directory /var/db/spamassassin/3.002004/updates_spamassassin_org
[56267] dbg: channel: channel cf file /var/db/spamassassin/3.002004/updates_spamassassin_org.cf
[56267] dbg: channel: channel pre file /var/db/spamassassin/3.002004/updates_spamassassin_org.pre
[56267] dbg: dns: 4.2.3.updates.spamassassin.org = 611820, parsed as 611820
[56267] dbg: channel: preparing temp directory for new channel
[56267] dbg: generic: update tmp directory /tmp/.spamassassin56267NDLylZtmp
[56267] dbg: generic: lint checking site pre files once before attempting channel updates
[56267] dbg: generic: SpamAssassin version 3.2.4
[56267] dbg: config: score set 0 chosen.
[56267] dbg: dns: is Net::DNS::Resolver available? yes
[56267] dbg: dns: Net::DNS version: 0.62
[56267] dbg: ignore: using a test message to lint rules
[56267] dbg: config: using /usr/local/etc/mail/spamassassin for site rules pre files
[56267] dbg: config: read file /usr/local/etc/mail/spamassassin/init.pre
[56267] dbg: config: read file /usr/local/etc/mail/spamassassin/v310.pre
[56267] dbg: config: read file /usr/local/etc/mail/spamassassin/v312.pre
[56267] dbg: config: read file /usr/local/etc/mail/spamassassin/v320.pre
[56267] dbg: config: using /tmp/.spamassassin56267NDLylZtmp/doesnotexist for sys rules pre files
[56267] dbg: config: using /tmp/.spamassassin56267NDLylZtmp/doesnotexist for default rules dir
[56267] dbg: config: using /tmp/.spamassassin56267NDLylZtmp/doesnotexist/doesnotexist for user prefs file
[56267] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[56267] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[56267] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[56267] dbg: pyzor: local tests only, disabling Pyzor
[56267] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[56267] dbg: razor2: local tests only, skipping Razor
[56267] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[56267] dbg: reporter: local tests only, disabling SpamCop
[56267] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[56267] dbg: plugin: loading 

spamassassin accuracy test

2008-01-28 Thread Hard Coder
Hello,

I decided to benchmark the accuracy of spamassassin. Is there anything special
I should take into consideration before I start to flood with both ham and spam?

TIA,
hc






What's with the many nnnn.com domains in this spam?

2008-01-28 Thread Per Jessen
Check this out

http://jessen.ch/files/spam55.txt

It's a typical spam-email with a single gif advertising drugs.  The gif
is loaded from a website which is listed by uribl.com.

The email has hrefs to the following '.com' domains:

juxl.com - contents named 'NAMESRENTER.COM'
nkhs.com - some online information portal.
arpd.com - leads to website searchportal.information.com
tobp.com - The Opinionated Beer Page
bgys.com - for sale at sedo.com
qrnn.com - ditto. 
gzny.com - No web site is configured at this address.


Does anyone have an idea about the purpose in using these domains in this
way?  Are they random?



/Per Jessen, Zürich



Re: Spamd uses over 1 gigabyte of memory in one child

2008-01-28 Thread Sevrin Robstad



Matus UHLAR - fantomas wrote:
 
 On 27.01.08 15:06, Sevrin Robstad wrote:
 I have used spamassassin over a year on my mail server, using James as
 pop/smtp and a homewritten mailet to connect to spamd through tcp.
 Yesterday I suddenly discovered load average peaks over 100 (!!!) on the
 server, and soon found this :
 
 22617 spamd 18   0 1830m 1.6g 2156 D2 54.2   2:00.59 spamd
 
 . Yea, one instance of spamd uses 1,6 *GIGABYTE* of memory. This forces my
 server to swap, which makes the server dead slow.
 
 this can be caused by old perl or perl module with memory leaks. Try
 upgrading those, if possible
 -- 
 Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Due to unexpected conditions Windows 2000 will be released
 in first quarter of year 1901
 
 


Well, it turned out I was right - the custom mailet we wrote to use spamd
together with the James MTA didn't use spamc and therefore it didn't limit
the size of messages to be spamchecked. So, when a user had some errors
which resulted in about 150 150MB mails it's understandable that it hung.



Re: What's with the many nnnn.com domains in this spam?

2008-01-28 Thread Justin Mason

Per Jessen writes:
 Check this out
 
 http://jessen.ch/files/spam55.txt
 
 It's a typical spam-email with a single gif advertising drugs.  The gif
 is loaded from a website which is listed by uribl.com.
 
 The email has hrefs to the following '.com' domains:
 
 MUNGEDjuxl.com - contents named 'NAMESRENTER.COM'
 MUNGEDnkhs.com - some online information portal.
 MUNGEDarpd.com - leads to website searchportal.information.com
 MUNGEDtobp.com - The Opinionated Beer Page
 MUNGEDbgys.com - for sale at sedo.com
 MUNGEDqrnn.com - ditto. 
 MUNGEDgzny.com - No web site is configured at this address.
 
 
 Does anyone have an idea about the purpose in using these domains in this
 way?  Are they random?

yes -- they cause you to waste time looking them up, cause
SpamAssassin to waste time performing URIBL lookups against uribl.com
and surbl, and cause those services to waste time dealing with lookups
in turn and performing QA to ensure they don't get listed as spammy.

--j.


Re: is DOS_OUTLOOK_TO_MX too low?

2008-01-28 Thread Joseph Brennan




 For those that don't know it means Delivered direct to MX with Outlook
 headers. Sounds like a good rule: Outlook isn't an MTA so shouldn't be
 able to connect directly to MX records - except for its configured
 SMTP server.



I looked at our spam reports (spam that was not rejected).  It looks to
me like the biggest target to go for is mail supposedly from The Bat!
direct to your MX.  Most of the supposed The Bat! spam matches, and it
is very low scoring.

Most of our reported spam supposedly from Outlook has a faked Received
header at the bottom, making it look as if the real origin is the next
hop, as if it was the smtp server.

Joseph Brennan
Columbia University Information Technology




Re: No Bayes Headers (no errors in debug/logs)

2008-01-28 Thread Theo Van Dinter
On Mon, Jan 28, 2008 at 10:53:50AM -0600, Mitchell Hudson wrote:
 So I'm not worried about not having any training. And the spamassassin 
 -D bayes message.txt   I assumed you meant spamassassin -D bayes  
 message.txt, but in any case I let it run for about 30 minutes and it 
 didn't return any data, which seemed very strange.

Of course, it was waiting for you to give it a message.  Try it again w/ the
correctly described < message.txt.

-- 
Randomly Selected Tagline:
I used to think I was poor. Then they told me I wasn't poor, I was
 needy.  Then they told me it was self-defeating to think of myself as
 needy, I was deprived.  Then they told me deprived was a bad image, I
 was underprivileged.  Then they told me underprivileged was overused,
 I was disadvantaged.  I still don't have a dime.  But I sure have a
 great vocabulary.- Jules Feiffer




Re: spamassassin accuracy test

2008-01-28 Thread Matt Kettler

Hard Coder wrote:

Hello,

I decided to benchmark the accuracy of spamassassin. Is there anything special
I should take into consideration before I start to flood with both ham and spam?
  
It's probably easiest if you have them on disk and use the mass-check 
utility.





Re: No Bayes Headers (no errors in debug/logs)

2008-01-28 Thread Mitchell Hudson
I did actually pull out the number of tokens and I have quite a few in 
there:


0.000          0          3          0  non-token data: bayes db version
0.000          0      23930          0  non-token data: nspam
0.000          0       8304          0  non-token data: nham
0.000          0     200096          0  non-token data: ntokens
0.000          0 1175826856          0  non-token data: oldest atime
0.000          0 1201535593          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1201492913          0  non-token data: last expiry atime
0.000          0      91902          0  non-token data: last expire atime delta
0.000          0     111416          0  non-token data: last expire reduction count



So I'm not worried about not having any training. And the spamassassin 
-D bayes message.txt   I assumed you meant spamassassin -D bayes  
message.txt, but in any case I let it run for about 30 minutes and it 
didn't return any data, which seemed very strange.


I also tried reinstalling the perls bayes modules from cpan, which did 
update, but didn't correct the problem. I've sat there and watched 
/var/log/current for quite a while, and watched the debug info. It's so 
strange bayes seems to load, as in it will learn and accesses the 
database, adds new tokens, etc. But doesn't actually score. I've checked 
all my configuration files and can't find anything weird. I'm at a loss.


Thanks so much for your response

--Mitch

Matt Kettler wrote:

Matt Kettler wrote:

Mitchell Hudson wrote:

Hello there,

I have spamassassin loaded and is running pretty well, it's supposed 
to be using bayes and I can't find any errors that would tell me why 
it's not, but it's not. When I do a debug log there are no db 
connection errors, in fact it's auto-learning just fine. I've put in 
a few thousand learning e-mails of both spam and ham so I know it's 
over the min limit. Basically everything looks like it's supposed to 
except there's no bayes header in the spamassassin headers and when 
I tail -f /var/log/spamd/current when it says which tests it runs 
bayes is never present. So basically I'm hoping there's a secret 
ninja option that says 'no really I would like to use bayes'. In any 
case thoughts would be appreciated.


spamassassin -V:
SpamAssassin version 3.2.0

I do use a control panel called hsphere, but it calls spamassassin 
like this:
/usr/bin/perl -T -w /hsphere/shared/bin/spamd --max-children=2 
--max-conn-per-child=5 --nouser-config --sql-config 
--username=vpopmail --socketpath=/var/hsphere/mail/spamd 
--socketowner=vpopmail --socketgroup=vchkpw --socketmode=770 
--syslog-socket=none


manually calling spamassassin doesn't change the no bayes issue.


have you tried:

sa-learn --dump magic

Just to confirm there are as many messages as you think?



Hit send too soon..

Another thing to try is bayes debugging.

spamassassin -D bayes < message.txt

That should un-bury all the bayes messages from all the other debug, 
and generates more bayes debug than the default -D does.




--
--
Mitchell Hudson
Systems Administrator
Front Gate Solutions
1711 S Congress Ave
Austin, TX 78704
P: 512-674-9337
C: 512-587-0918
F: 512-499-0440
[EMAIL PROTECTED]




Re: is DOS_OUTLOOK_TO_MX too low?

2008-01-28 Thread Jason Haar

Joseph Brennan wrote:



I looked at our spam reports (spam that was not rejected).  It looks to
me like the biggest target to go for is mail supposedly from The Bat!
direct to your MX.  Most of the supposed The Bat! spam matches, and it
is very low scoring.


Yes - I just saw that too - like Outlook, The Bat! is a MUA and 
shouldn't be making direct connections to other SMTP servers.




Most of our reported spam supposedly from Outlook has a faked Received
header at the bottom, making it look as if the real origin is the next
hop, as if it was the smtp server.

Yeah - it is true that all the spammers have to do is add a good faked 
Received: header to bypass any work done in this area. However, there 
are obviously still some stupid spammers out there ;-)



--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Tweaking Rules

2008-01-28 Thread Theo Van Dinter
On Mon, Jan 28, 2008 at 04:10:39PM -0600, Matt wrote:
 Does anyone see anything wrong with these scores?  The RDNS_DYNAMIC
 worries me a bit since I know a few email servers hosted on dynamic
 looking reverse DNS's.

Well, first, the scores are really aggressive.  Generally speaking, you don't
want single rules to make something considered spam due to the likely FP rate.

 score RCVD_IN_PBL 3
 score RCVD_IN_XBL 5
 score RDNS_NONE 5
 score RCVD_IN_SORBS_DUL 3
 score RDNS_DYNAMIC 3

Here are my results for these from the last weekly mass-check run:

 OVERALL%  SPAM%    HAM%     S/O    RANK  SCORE  NAME
   62.565  66.5706  0.0000   1.000  1.00  0.00   RCVD_IN_PBL
   34.530  36.7400  0.0000   1.000  0.97  0.00   RCVD_IN_SORBS_DUL
   57.274  60.9301  0.1531   0.997  0.94  0.00   RCVD_IN_XBL
   35.354  37.5632  0.8494   0.978  0.78  0.10   RDNS_DYNAMIC
   47.812  50.6487  3.4915   0.936  0.66  0.10   RDNS_NONE

IMO, the PBL is good enough for a 4.5 or so.  SORBS_DUL seems similar.  XBL is
probably worth a 2.5, and after that I would max out at 1.5 due to the high FP
rate.

 score SPF_FAIL 10
 score SPF_SOFTFAIL 5
 score SPF_NEUTRAL 2

If you wanted to give a small positive score for these, that might not be
terrible.  Anything over 1 is asking for trouble IMO.

    5.742   6.1008  0.1333   0.979  0.88  0.00   SPF_SOFTFAIL
    2.536   2.6963  0.0247   0.991  0.88  0.00   SPF_NEUTRAL
    4.554   4.8255  0.3161   0.939  0.82  0.00   SPF_FAIL

For completeness:

    1.064   1.1314   0.0099  0.991  0.82  0.00   SPF_HELO_SOFTFAIL
    3.515   0.4903  50.7581  0.010  0.52  0.00   SPF_PASS
    0.000   0.0000   0.0000  0.500  0.48  0.00   SPF_HELO_FAIL
    0.000   0.0000   0.0000  0.500  0.48  0.00   SPF_HELO_NEUTRAL
    0.980   0.2159  12.9241  0.016  0.47  0.00   SPF_HELO_PASS


-- 
Randomly Selected Tagline:
You are dishonest, but never to the point of hurting a friend.




Tweaking Rules

2008-01-28 Thread Matt
I have added the following to the local.cf to decrease the spam that
gets through.

score RCVD_IN_PBL 3
score RCVD_IN_XBL 5
score RDNS_NONE 5
score RCVD_IN_SORBS_DUL 3
score SPF_FAIL 10
score SPF_SOFTFAIL 5
score SPF_NEUTRAL 2
score RDNS_DYNAMIC 3

Does anyone see anything wrong with these scores?  The RDNS_DYNAMIC
worries me a bit since I know a few email servers hosted on dynamic
looking reverse DNS's.

Matt


One SPAM that got through

2008-01-28 Thread --[ UxBoD ]--
Hi,

I just had this message get through :-

Subject: CONTACT GLOBAL COMPANY FOR YOUR $950,000.00

My Dear Good Friend,

 I have Paid the fee for your Cheque Draft. But the manager of
 Eko Bank Benin told me that before the check will get to you
 that it will expire. So I told him to cash the $950,000.00.
 All the necessary arrangement of delivering the $950,000.00
 in cash was made with GLOBAL MAX COURIER COMPANY.

These are the informations they need to delivery your package to you.
ATTN: DR.JOHN AGBALA
EMAIL:[EMAIL PROTECTED]  )

Please, Send them your contacts information to able them locate you
immediately they arrived in your country with your BOX .This is what
they need from you.

1. YOUR FULL NAME
2.YOUR HOME ADDRESS.
3.YOUR CURRENT HOME TELEPHONE NUMBER.
4.YOUR CURRENT OFFICE TELEPHONE.
5.A COPY OF YOUR PICTURE

Please make sure you send this needed informations to the Director
general of Global MAX Courier Company DR.JOHN AGBALA with the
address given to you.

Note. The Global Express courier company doesn't know the contents of
the Box. I registered it as a Box of an Africa cloth. They don't know
it contents money. This is to avoid them delaying with the Box.

Don't let them know that is money that is in that Box. I am waiting for
your
urgent response. You can even call the Director of Global MAX Courier
Company with this line +229-9300-4935.

Thanks and Remain Blessed.

DR. Nnoli ugo 

and it only scored 5.6.   These are the rules it hit :-

 1.23   ADVANCE_FEE_2
 0.00   BAYES_50
 0.72   SARE_URGBIZ   Contains urgent matter
-0.00   SPF_PASS
 2.08   SUBJ_ALL_CAPS
 1.58   URG_BIZ

I have my SA SPAM score set to trigger on 6 and above.  Do you think that is too
high?  Or does anyone know of a ruleset to raise the score on these?

TIA

Regards,

-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]




Re: No Bayes Headers (no errors in debug/logs)

2008-01-28 Thread Matt Kettler

Mitchell Hudson wrote:
I did actually pull out the number of tokens and I have quite a few in 
there:


0.000          0          3          0  non-token data: bayes db version
0.000          0      23930          0  non-token data: nspam
0.000          0       8304          0  non-token data: nham
0.000          0     200096          0  non-token data: ntokens
0.000          0 1175826856          0  non-token data: oldest atime
0.000          0 1201535593          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1201492913          0  non-token data: last expiry atime
0.000          0      91902          0  non-token data: last expire atime delta
0.000          0     111416          0  non-token data: last expire reduction count



So I'm not worried about not having any training. And the spamassassin 
-D bayes message.txt   I assumed you meant spamassassin -D bayes  
message.txt, but in any case I let it run for about 30 minutes and it 
didn't return any data, which seemed very strange.


I meant spamassassin -D bayes < message.txt. You want to feed a message 
in to spamassassin, not over-write it with spamassassin's output.


You got no output, because you gave it no message.


I also tried reinstalling the perls bayes modules from cpan, which did 
update, but didn't correct the problem. I've sat there and watched 
/var/log/current for quite a while, and watched the debug info. It's 
so strange bayes seems to load, as in it will learn and accesses the 
database, adds new tokens, etc. But doesn't actually score. I've 
checked all my configuration files and can't find anything weird. I'm 
at a loss. 


Try a manual message scan, as above, and see how that does.


Re: One SPAM that got through

2008-01-28 Thread Matt Kettler

--[ UxBoD ]-- wrote:

Hi,

I just had this message get through :-

  

snip

and it only scored 5.6.   These are the rules it hit :-

1.23	ADVANCE_FEE_2	 
0.00	BAYES_50	 
0.72	SARE_URGBIZ	Contains urgent matter
-0.00	SPF_PASS	 
2.08	SUBJ_ALL_CAPS	 
1.58	URG_BIZ
  
Looks like you might want to do some bayes training on that message. All 
the capitalized text should be an easy target.

I have my SA SPAM score set to trigger on 6 and above.  Do you think that is too 
high?  Or does anyone know of a ruleset to raise the score on these?
  


Too high? no. Too high to expect there to be no missed spam, yes.

Raising your threshold reduces false positives (nonspam tagged as spam), 
but it also increases your false negatives (spam that's missed). 
Lowering your score threshold has the opposite effect.


When picking a threshold, you're making a trade-off.. Pick one based on 
what's important to you. Some folks run as high as 8.0, and others as 
low as 2.0. Both numbers are pretty extreme, but you get the idea.


For reference, in the set3 mass-checks, going from 5.0 to 6.0 more than 
halved the FPs (down to 45% of what they were at 5.0), but also 
increased FNs by 78%.


The default 5.0 score is already pretty biased towards favoring FPs over 
FN's. The score assigner tries to tune the scores so at 5.0 there's 
roughly 100 times more FNs than FPs, while keeping both as low as 
possible. In practice it's more like 50 times more, but that's what it's 
trying for..


to quote STATISTICS-set3.txt from SA 3.2.4:

# SUMMARY for threshold 5.0:
# Correctly non-spam:  67508  99.94%
# Correctly spam:     117303  98.51%
# False positives:        42   0.06%
# False negatives:      1780   1.49%
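The FP/FN trade-off described above, and the S/O column of the mass-check table Theo posted in the "Tweaking Rules" reply, worked through in code. This is an added example, not SpamAssassin's own mass-check code; the per-message scores and the rule hit counts are constructed for illustration, and `summarize`, `threshold_tradeoff` and `rule_stats` are names chosen here.

```python
from dataclasses import dataclass

# Constructed corpus (not real mass-check data): final SpamAssassin scores for
# a handful of hand-labelled ham and spam messages.
HAM_SCORES = [-2.1, 0.0, 0.3, 1.2, 2.5, 3.8, 4.9, 5.4, 5.8, 6.2]
SPAM_SCORES = [3.2, 4.4, 5.1, 5.6, 5.9, 6.1, 6.9, 7.7, 8.8, 9.5, 10.2, 12.0]


@dataclass
class Summary:
    """One STATISTICS-style summary block for a given required_score."""
    threshold: float
    correct_ham: int
    correct_spam: int
    fp: int   # ham scored at or above the threshold (tagged as spam)
    fn: int   # spam scored below the threshold (missed)

    @property
    def fp_pct(self) -> float:
        return 100.0 * self.fp / (self.correct_ham + self.fp)

    @property
    def fn_pct(self) -> float:
        return 100.0 * self.fn / (self.correct_spam + self.fn)


def summarize(ham_scores, spam_scores, threshold):
    """Count hits and misses the way a mass-check summary does: a message
    counts as spam when its score reaches the threshold."""
    fp = sum(1 for s in ham_scores if s >= threshold)
    fn = sum(1 for s in spam_scores if s < threshold)
    return Summary(threshold, len(ham_scores) - fp, len(spam_scores) - fn, fp, fn)


def threshold_tradeoff(ham_scores, spam_scores, old, new):
    """Relative change in FPs and FNs when the threshold moves from old to
    new, as ratios: 0.45 means 'down to 45%', 1.78 means 'up 78%'."""
    a = summarize(ham_scores, spam_scores, old)
    b = summarize(ham_scores, spam_scores, new)
    fp_ratio = b.fp / a.fp if a.fp else float("inf")
    fn_ratio = b.fn / a.fn if a.fn else float("inf")
    return fp_ratio, fn_ratio


def rule_stats(spam_hits, nspam, ham_hits, nham):
    """The OVERALL%, SPAM%, HAM% and S/O columns of a mass-check
    hit-frequencies line for one rule. S/O is the spam share of the rule's
    normalised hit rate; a rule that never fires reports 0.500."""
    spam_pct = 100.0 * spam_hits / nspam
    ham_pct = 100.0 * ham_hits / nham
    overall_pct = 100.0 * (spam_hits + ham_hits) / (nspam + nham)
    total = spam_pct + ham_pct
    so = spam_pct / total if total else 0.5
    return {"overall": overall_pct, "spam": spam_pct, "ham": ham_pct, "so": so}


def format_stats(ham_scores, spam_scores, threshold):
    """Render a summary in the layout of STATISTICS-set3.txt."""
    s = summarize(ham_scores, spam_scores, threshold)
    return "\n".join([
        f"# SUMMARY for threshold {threshold:.1f}:",
        f"# Correctly non-spam: {s.correct_ham:6d}  {100 - s.fp_pct:6.2f}%",
        f"# Correctly spam:     {s.correct_spam:6d}  {100 - s.fn_pct:6.2f}%",
        f"# False positives:    {s.fp:6d}  {s.fp_pct:6.2f}%",
        f"# False negatives:    {s.fn:6d}  {s.fn_pct:6.2f}%",
    ])


if __name__ == "__main__":
    for t in (5.0, 6.0):
        print(format_stats(HAM_SCORES, SPAM_SCORES, t))
    print("5.0 -> 6.0 (FP ratio, FN ratio):",
          threshold_tradeoff(HAM_SCORES, SPAM_SCORES, 5.0, 6.0))
    # A constructed rule hitting 6 of 12 spam and 1 of 10 ham.
    print("rule columns:", rule_stats(6, 12, 1, 10))
```

On this corpus, raising the threshold from 5.0 to 6.0 cuts FPs to a third but multiplies FNs by 2.5, the same shape of trade-off as the set3 figures quoted above.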




  




Re: What's with the many nnnn.com domains in this spam?

2008-01-28 Thread Jeff Chan

Quoting Justin Mason [EMAIL PROTECTED]:



Per Jessen writes:

Check this out

http://jessen.ch/files/spam55.txt

It's a typical spam-email with a single gif advertising drugs.  The gif
is loaded from a website which is listed by uribl.com.

The email has hrefs to the following '.com' domains:

MUNGEDjuxl.com - contents named 'NAMESRENTER.COM'
MUNGEDnkhs.com - some online information portal.
MUNGEDarpd.com - leads to website searchportal.information.com
MUNGEDtobp.com - The Opinionated Beer Page
MUNGEDbgys.com - for sale at sedo.com
MUNGEDqrnn.com - ditto.
MUNGEDgzny.com - No web site is configured at this address.


Does anyone have an idea about the purpose in using these domains in this
way?  Are they random?


yes -- they cause you to waste time looking them up, cause
SpamAssassin to waste time performing URIBL lookups against uribl.com
and surbl, and cause those services to waste time dealing with lookups
in turn and performing QA to ensure they don't get listed as spammy.


Given that the decoy domains are 4 or 5 letters and the actual payload  
domain often isn't, could that be made into some kind of rule to help  
ignore the decoys:


1.  See many domains with 4 or 5 letters
2.  See one domain with other than 4 or 5 letters
3.  Check the one domain (preferentially, first, etc.)

Naturally as soon as such a rule were written the storm template  
authors would change their template, but still, it could be useful for  
a while.


Cheers,

Jeff C.
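The three-step decoy heuristic from Jeff's reply, as an added example that is not part of the thread or of SpamAssassin: pull the link and image hosts out of a message body, reduce them to domain.tld, and queue the domains whose label is not 4 or 5 letters ahead of the rest. The sample HTML is constructed, and `extract_hosts`, `registrable_domain` and `prioritise_lookups` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample (not the message from the thread): one image ad plus a
# pile of four- and five-letter '.com' link targets around it.
SAMPLE_HTML = """
<html><body>
<a href="http://abcd.com/">x</a> <a href='http://efgh.com/p'>y</a>
<a href=http://ijkl.com>z</a> <a href="http://mnop.com/">w</a>
<a href="http://qrstu.com/">v</a>
<img src="http://img.example.net/ad.gif">
<a href="http://www.abcd.com/again">dup</a>
</body></html>
"""

# href= or src= followed by an absolute http(s) URL, quoted or bare.
URL_ATTR_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^\s"'>]+)""", re.I)


def extract_hosts(html):
    """Hostnames of every absolute http(s) URL in href/src attributes, in order."""
    hosts = []
    for url in URL_ATTR_RE.findall(html):
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/", 1)[0]
        # Drop userinfo and port, normalise case and a trailing dot.
        host = host.split("@")[-1].split(":")[0].lower().rstrip(".")
        if host:
            hosts.append(host)
    return hosts


def registrable_domain(host):
    """Naive 'domain.tld' reduction: no public-suffix list, so co.uk-style
    names come out wrong. Adequate for the '.com' case in the thread."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def prioritise_lookups(html, decoy_lengths=(4, 5), min_decoys=3):
    """Order a message's domains for URIBL lookup. When at least min_decoys
    domains share a 4- or 5-letter label (the decoy pattern), the odd ones
    out go first. Returns (preferred, decoys), each unique, first-seen order."""
    seen = []
    for host in extract_hosts(html):
        domain = registrable_domain(host)
        if domain not in seen:
            seen.append(domain)
    label_len = {d: len(d.split(".")[0]) for d in seen}
    by_len = Counter(label_len.values())
    decoy_count = sum(n for length, n in by_len.items() if length in decoy_lengths)
    if decoy_count < min_decoys:
        return seen, []          # no decoy pattern: keep the natural order
    preferred = [d for d in seen if label_len[d] not in decoy_lengths]
    decoys = [d for d in seen if label_len[d] in decoy_lengths]
    return preferred, decoys


if __name__ == "__main__":
    first, later = prioritise_lookups(SAMPLE_HTML)
    print("check first:", first)
    print("check later:", later)
```

As Jeff notes, this only holds until the template changes, so it is an ordering hint for lookups, not a scoring rule on its own.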



Logging with SA/procmail standalone (no spamd)

2008-01-28 Thread Jason Antman
Hi,

I'm a student at Rutgers University. I've been running SA on my own
mailserver (handling 3 users) for a few years now. I recently came into
some new hardware, and replaced the old mailserver with a new one
running Solaris 10. I'm using SpamAssassin 3.02 in the blastwave.org
package. I'm using Postfix for an MTA and Procmail as MDA, with mail
being filtered through SA by procmail.

I can't seem to find much verbose documentation on this method - I
gather that it's nowhere near as preferred as running spamd.

However, I can't help but notice that SA doesn't seem to be logging
anything anywhere. Spam is getting caught and dealt with by procmail
(moved to .spam folder) and the SA headers are there and correct. But I
was wondering if there is some way to get SA to log to a central log file?

Thanks for any suggestions,
Jason