Re: I need professional help
Thanks, Bob. I've added zen.spamhaus.org to my list.

--pat--

On Sun, 13 Jul 2014, Bob Proulx wrote:

> Pat Traynor wrote:
> > I'm using Postfix for mail. I've done some research and implemented several changes in my main.cf file with directives such as
> >
> >     smtpd_recipient_restrictions
> >     smtpd_sender_restrictions
> >     smtpd_helo_restrictions
> >
> > and the like.
>
> The smtpd_recipient_restrictions is a superset of all of the others. I put all of my restrictions there. It might be good to pastebin the entirety of your smtpd_recipient_restrictions section.
>
> You don't mention DNSBLs. If you are not using them then that would be a large lever to improve your anti-spam efforts. I highly recommend doing at least this in smtpd_recipient_restrictions:
>
>     reject_rbl_client zen.spamhaus.org
>
> You can read about the zen DNSBL here:
>
> http://www.spamhaus.org/zen/
>
> Bob

--pat--
--
Pat Traynor
p...@ssih.com
Re: I need professional help
Wow - that's a lot of good info, and I thank you for taking the time to explain it. The mailq and postcat utilities work as you outlined.

I've pastebin'd the first part of one of the spams here:

http://pastebin.com/Feete78K

I only included the envelope and the first few lines of the message, as I'm sure the rest is worthless. This spam was associated with a gmail rejection. The address j...@talismansigns.com forwards to a gmail account.

There were six other similar ones, as well as four more spams that weren't rejected by gmail, but spam nonetheless. I deleted them all.

btw - if it helps any, here is my postfix main.cf file, with the comments stripped:

http://pastebin.com/kpJehe3Z

Thanks again for all your help!

--pat--

On Sun, 13 Jul 2014, Bob Proulx wrote:

> Pat Traynor wrote:
> > Benny Pedersen wrote:
> > > but you can pastebin the rejected msg if possible then ask how to make that spam tagged before leaving your ip, possible do remove permit_mynetworks in postfix so only authed senders can spam, if that happens, then close that domain
> >
> > Pardon my ignorance, but is pastebin an external site for this sort of thing?
>
> The problem with discussing spam on any mailing list is that it will be spam and will therefore be rejected by the anti-spam on the mailing list or on user's systems. Talking about the details of spam can therefore be difficult.
>
> One typical solution is to take the message to be discussed and to post it to a pastebin site and then post just the URL to the message. That way anyone interested may look and then comment. There are many pastebin sites on the internet. http://pastebin.com/ is probably the best known. But there are many others. I don't think it really matters which one you would use. Note also that you can set an expiration such that the posting will automatically expire when you choose. I usually expire these types of pastes after one month.
>
> > However, I'm not seeing rejected messages. I'll just get a call from one of my clients saying they're not getting email. I'll send a test message to them, and see this in the maillog:
> >
> >     Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been temporarily rate limited. Please visit http://www.google.com/mail/help/bulk_mail.html to review our Bulk Email Senders Guidelines.
>
> At the same time that you see this happening if you look in your mail queue you will probably find other messages that are spam and are being rejected by google. You can look at those messages and determine details of the message.
>
>     mailq
>     ... look for mail addresses that are being rejected ...
>     ... observe the queueid of the message ...
>     postcat -q CB64C1BC3 | less
>
> That will emit the message along with other details to stdout where it can be browsed. Here I prefer the 'less' pager. But it could easily be redirected to a file (postcat -q CB64C1BC3 > spamfile) and so forth.
>
> If you know a message is spam then you can delete it from the queue as spam with
>
>     postsuper -d CB64C1BC3
>
> and reduce the impact of the retries upon your site's reputation.
>
> The important things for me to look at are the originating client system that sent the message to your system. For example a spam that I am looking at.
>
>     named_attribute: log_message_origin=unknown[123.64.199.228]
>     named_attribute: log_helo_name=example.com
>     recipient: hostmas...@example.net
>
> Postfix reports that the message came from 123.64.199.228, has no reverse DNS, the client system said it was regx.com (it's not, so I redacted it here) and the recipient address was to the hostmaster at a domain that I have obscured since it was forged.
>
> Things like the HELO name can be a clue. It is clearly a spammer if they say they are localhost, literally example.{com,net,org}, 127.0.0.1, other things. I like looking at the envelope information.
>
> Following that will be the standard mail headers. The first will be the one inserted by your system. That is the only one you can trust. Assume that all other headers inserted by other systems are forgeries. Trust only your own system's headers.
>
> And then the body of the message. The body is good for Bayes training. But otherwise the body is not so interesting. I find the envelope information to be the most useful.
>
> I suspect that if you look that you will find that you do have many samples of spam in your mailq. If you have not been looking it may be perhaps a lot! I have a cron task that runs periodically and does a brute force mailq piped to grep of custom patterns looking for some egregious things that I want to look for and if there is a hit then I am notified. Then I look, observe, learn, decide what I am going to do about it, do it, tune the ad-hoc grep patterns. Just to keep me on top of new types of spam that are causing problems.
>
> > > for your own domains, start with spf / dkim / dmarc and then only accept spf pass in mta stage, from that point
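
Added example, not part of the thread: the mailq / postcat triage Bob describes above, written as two shell functions that can be chained from a cron job. The sample queue listing and envelope are constructed from values quoted in the thread; the function names and the extra HELO checks (bare IP address, name without a dot) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are this example's own.

# deferred_ids PATTERN < mailq-output
# Print the queue ID of each queued message whose deferral reason (the
# parenthesised line mailq prints under an entry) matches PATTERN.
deferred_ids() {
    awk -v pat="$1" '
        /^[0-9A-Za-z]+[*!]?[ \t]/ { id = $1; sub(/[*!]$/, "", id); next }
        /^$/                      { id = ""; next }
        /^[ \t]*\(/ && id != "" && $0 ~ pat { print id; id = "" }
    '
}

# flag_envelope < postcat-output
# Pull the client address, HELO name and recipients out of the envelope
# records and flag the clues named in the thread: no reverse DNS, and a HELO
# of localhost, example.{com,net,org} or an IP address.
flag_envelope() {
    awk '
    /^named_attribute: log_message_origin=/ {
        origin = $0; sub(/^[^=]*=/, "", origin)      # name[ip]
        name = origin; sub(/\[.*$/, "", name)
        ip = origin; sub(/^[^[]*\[/, "", ip); sub(/\].*$/, "", ip)
        print "client_ip=" ip
        if (name == "unknown") { print "FLAG no-reverse-dns"; hits++ }
    }
    /^named_attribute: log_helo_name=/ {
        helo = tolower($0); sub(/^[^=]*=/, "", helo)
        print "helo=" helo
        if (helo == "localhost" || helo ~ /^example\.(com|net|org)$/ ||
            helo ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||  # assumption: any bare IP
            helo !~ /\./) {                               # assumption: no dot at all
            print "FLAG bogus-helo"; hits++
        }
    }
    /^recipient: / { print "rcpt=" $2 }
    END { print (hits ? "VERDICT suspicious" : "VERDICT no-envelope-flags") }
    '
}

# Constructed sample of `mailq` output (queue ID and Gmail host from the thread).
sample_mailq() { cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
CB64C1BC3      3120 Sun Jul 13 13:40:11  bounce@example.org
(host gmail-smtp-in.l.google.com[74.125.29.27] said: 421-4.7.0 Our system has detected an unusual rate of unsolicited mail originating from your IP address. (in reply to end of DATA command))
                                         someone@gmail.com

A1B2C3D4E5     2048 Sun Jul 13 13:41:02  alice@example.org
(connect to mx.example.net[192.0.2.25]:25: Connection timed out)
                                         bob@example.net

-- 5 Kbytes in 2 Requests.
EOF
}

# Constructed sample of the envelope part of `postcat -q CB64C1BC3`.
sample_postcat() { cat <<'EOF'
*** ENVELOPE RECORDS deferred/C/CB64C1BC3 ***
named_attribute: log_message_origin=unknown[123.64.199.228]
named_attribute: log_helo_name=example.com
recipient: user@example.net
*** MESSAGE CONTENTS deferred/C/CB64C1BC3 ***
EOF
}

# On a live server (not run here):
#   mailq | deferred_ids 'unsolicited mail' |
#       while read -r id; do postcat -q "$id" | flag_envelope; done
```

Anything the loop marks `VERDICT suspicious` is a candidate for `postsuper -d` after a look at the message itself.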
Re: I need professional help
Thanks. Spam fluctuates - sometimes I'll go hours without a spam and sometimes I'll get 15 in the course of five minutes. But since I added spamhaus, it *seems* like less spam is coming through. I'll have to give it a whole day before I'm sure, but at least it's promising.

--pat--

On Mon, 14 Jul 2014, Matthew Newton wrote:

> Hi,
>
> On Mon, Jul 14, 2014 at 05:44:41AM -0400, Pat Traynor wrote:
> > Thanks, Bob. I've added zen.spamhaus.org to my list.
>
> For what it's worth, looking at the last 7 days of logs here, of the total rejections: 75% was rejected due to being listed on Spamhaus lists, whilst 3% was rejected because of SpamAssassin (the rest will be address unknown, ClamAV, etc).
>
> SpamAssassin does a great job scoring mail, but it is best used in the right place. Testing against Spamhaus first makes its life much easier!
>
> Note that Spamhaus has limits on its free use - http://www.spamhaus.org/organization/dnsblusage/
>
> Cheers,
>
> Matthew
>
> --
> Matthew Newton, Ph.D. m...@le.ac.uk
> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

--pat--
--
Pat Traynor
p...@ssih.com
Re: I need professional help
Thanks, Bob. I've implemented a couple of your suggestions immediately and will read through some of the other ones, as well as Jim's article for ideas on further improvements.

--pat--

On Mon, 14 Jul 2014, Bob Proulx wrote:

> Pat Traynor wrote:
> > I've pastebin'd the first part of one of the spams here:
> > http://pastebin.com/Feete78K
>
> The IP address of the message appears to me to be 185.45.193.123 out of Dubai. It is not listed in most of the DNSBLs that I checked. It is listed in dnsbl.sorbs.net however. That would be how it would get through the first line of defense.
>
> If the IP address doesn't trigger anything then there is only the content left. The spamassassin header says:
>
>     X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
>         DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS autolearn=ham
>         version=3.3.1
>
> I am hoping that pulls some comments from others on the list. The Bayes classifies it as non-spam. The points are so low that it triggers an autolearn as non-spam. This indicates to me that the Bayes engine is not receiving enough feedback. It needs to be trained on error to be effective. I think from your description that these errors are not being corrected. No feedback exists. Therefore Bayes can't learn from its mistakes. Without being able to learn from mistakes, train on error, it will be poor at classifying mail.
>
> Unfortunately I don't know what to suggest to you on correcting this problem since you are in the middle and without easy access to the humans who can train the Bayes on error. I can only note that it needs training. And since this appears to be at the global MTA stage in a milter that it will always be less effective globally than an individualized Bayes database.
>
> > btw - if it helps any, here is my postfix main.cf file, with the comments stripped:
> > http://pastebin.com/kpJehe3Z
>
> This is more of a matter of style but a long time ago a posting by Jim Seymour taught me this.
>
> http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
>
>     You'll observe that all of my anti-UCE checks are under smtpd_recipient_restrictions, instead of having a separate smtpd_client_restrictions, etc. This is because, unless you have set smtpd_delay_reject = no (default is yes), no rejecting takes place until after RCPT TO anyway. It's easier, cleaner and more predictable when all of the anti-UCE stuff is under recipient restrictions. (Except for reject_unauth_pipelining under Postfix 2.x. See FAQ Q16/A16. There are also possible performance issues doing things this way. See Understanding The Order In Which Restrictions Are Applied for more info.)
>
> Please search down into the document for the excellent section Understanding The Order In Which SMTPD Restrictions Are Applied which explains this in greater detail. The entire article is packed with useful information.
>
> And so I now put all of my restrictions under the one check smtpd_recipient_restrictions and avoid the duplication of having multiple checks. Both are okay. A matter of style. But I like having everything in smtpd_recipient_restrictions because then it is simpler and harder to leave something out. Also reject_unauth_pipelining needs to be a data restriction.
>
> You have a long list of DNSBLs listed.
>
>     reject_rbl_client dsn.rfc-ignorant.org,
>     reject_rbl_client dul.dnsbl.sorbs.net,
>     reject_rbl_client sbl-xbl.spamhaus.org,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client dnsbl.sorbs.net,
>     reject_rbl_client cbl.abuseat.org,
>     reject_rbl_client ix.dnsbl.manitu.net,
>     reject_rbl_client combined.rbl.msrbl.net,
>     reject_rbl_client rabl.nuclearelephant.com,
>
> That is quite a few. I think that can be trimmed down. I try to use the smallest number of DNS lookups possible for the least load on all of the servers. The Spamhaus ZEN list includes the XBL (exploits) list which includes the sbl-xbl.spamhaus.org and cbl.abuseat.org lists for example. And ZEN includes dul.dnsbl.sorbs.net. And dsn.rfc-ignorant.org is dead now. I am not familiar with the others. Perhaps someone on the mailing list will review the DNSBLs and make a suggestion. Otherwise I pretty much feel exactly the same as the top voted up answer from Justin Scott here.
>
> http://serverfault.com/questions/13670/which-anti-spam-dns-blacklists-should-used
>
> I hope you have configured a local caching nameserver in order to cache the DNS queries?
>
> You also have at least one obsolete feature. Remove it. It is replaced by the reject_rbl_client bl.spamcop.net above.
>
>     maps_rbl_domains = bl.spamcop.net
>
> I am not personally using reject_non_fqdn_helo_hostname nor using reject_invalid_helo_hostname. Perhaps I should look into those. I do have a custom check_helo_access map. I will leave them in my example below without comment since you already had them.
>
> Using your pastebin list as a starting point I think this following might be okay. Just my
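
Added example, not part of the thread and not the configuration Bob's message goes on to give: a shell audit of the `reject_rbl_client` list in a main.cf, plus the lookup a DNSBL client performs for one address (the manual check Bob describes doing for 185.45.193.123). The sample main.cf is constructed from zones quoted above; the function names and the `RESOLVE` override are assumptions of this example, and the audit encodes only the remarks about rfc-ignorant, sbl-xbl, cbl.abuseat.org and `maps_rbl_domains`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are this example's own.

# Command used for the A-record lookup; override RESOLVE to test offline.
: "${RESOLVE:=dig +short A}"

# rbl_zones < main.cf : print each zone named by reject_rbl_client, in order.
rbl_zones() {
    tr ',' '\n' | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "reject_rbl_client") { z = $(i + 1); sub(/=.*/, "", z); print z }
    }'
}

# audit_rbls < main.cf : report dead, overlapping and obsolete entries, and
# how many DNS lookups each incoming connection can trigger.
audit_rbls() {
    conf=$(cat)
    zones=$(printf '%s\n' "$conf" | rbl_zones)
    for z in $zones; do
        case $z in
            dsn.rfc-ignorant.org)
                echo "DEAD $z" ;;
            sbl-xbl.spamhaus.org|cbl.abuseat.org)
                echo "REDUNDANT $z (covered by zen.spamhaus.org)" ;;
        esac
    done
    if printf '%s\n' "$conf" | grep -q '^maps_rbl_domains'; then
        echo "OBSOLETE maps_rbl_domains"
    fi
    if ! printf '%s\n' "$zones" | grep -qxF 'zen.spamhaus.org'; then
        echo "MISSING zen.spamhaus.org"
    fi
    echo "LOOKUPS $(printf '%s\n' "$zones" | grep -c .)"
}

# dnsbl_qname IPV4 ZONE : the name a DNSBL client looks up (octets reversed,
# zone appended). IPv4 only; fails on anything else.
dnsbl_qname() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '
        NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone; ok = 1 }
        END     { exit !ok }'
}

# check_ip IPV4 < main.cf : test one client address against every configured
# zone. A 127.x.x.x answer means "listed"; no answer means "clear".
check_ip() {
    rbl_zones | while read -r zone; do
        q=$(dnsbl_qname "$1" "$zone") || continue
        ans=$($RESOLVE "$q" </dev/null | head -n 1)
        case $ans in
            127.*) echo "$zone listed $ans" ;;
            *)     echo "$zone clear" ;;
        esac
    done
}

# Constructed main.cf fragment using zones quoted in the thread.
sample_main_cf() { cat <<'EOF'
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client cbl.abuseat.org
maps_rbl_domains = bl.spamcop.net
EOF
}

# On a live server (not run here):
#   audit_rbls < /etc/postfix/main.cf
#   check_ip 185.45.193.123 < /etc/postfix/main.cf
```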
I need professional help
I run a web server, and for many of my hosting customers, I'll forward their email to other mail servers. My own mail is stored on my server, and spam has always been an annoyance, but some external mail servers sometimes stop accepting mail from me, as it contains so much spam.

The problem is that email administration isn't my forte, and I've done all that I can with my limited skill set, but massive amounts of spam still get through and are forwarded. This is a common message in my maillog from gmail:

    Our system has detected an unusual rate of
    421-4.7.0 unsolicited mail originating from your IP address.

I'm using Postfix for mail. I've done some research and implemented several changes in my main.cf file with directives such as

    smtpd_recipient_restrictions
    smtpd_sender_restrictions
    smtpd_helo_restrictions

and the like. None of it has made much of a dent. With all this in place and spamassassin, I still get 40-70 spams/day, so I can imagine how much is being forwarded.

I'm running Spamassassin 3.3.2, and although that isn't the very latest, I can't believe that an upgrade would make that massive a difference.

So my question is - are there any trustworthy Linux administrators out there that I could hire that could look over my setup and figure out what I'm doing so wrong?

--pat--
--
Pat Traynor
p...@ssih.com
Re: I need professional help
On Sun, 13 Jul 2014, Antony Stone wrote:

> Have you been able to identify whether the unsolicited mail which has been thus detected is:
>
> - genuine email (possibly of a marketing variety, but still deliberately sent) from your hosting customers

It's absolutely not from MY customers. I don't let anyone relay their outgoing email through me. So if you host example.com through me and have a gmail account, mail going to example.com will be forwarded to there, but if you have a mass emailing, you'll have to send it through your provider, e.g. Verizon, perhaps.

Some email does appear to come from legitimate sources, for example, I'll get an email offering loans, and the sender is lo...@getaloan.com.

> or
>
> - actual spam which is being unwittingly sent out by compromised (or at least poorly-secured) systems?

I see a LOT of that. The same spam email hits me multiple times from a domain name that sounds completely unrelated to the subject.

--pat--
--
Pat Traynor
p...@ssih.com
Re: I need professional help
On Sun, 13 Jul 2014, Benny Pedersen wrote:

> but you can pastebin the rejected msg if possible then ask how to make that spam tagged before leaving your ip, possible do remove permit_mynetworks in postfix so only authed senders can spam, if that happens, then close that domain

Pardon my ignorance, but is pastebin an external site for this sort of thing?

However, I'm not seeing rejected messages. I'll just get a call from one of my clients saying they're not getting email. I'll send a test message to them, and see this in the maillog:

    Jul 13 13:44:46 ssih postfix/smtp[12079]: D8CB212684E8: host gmail-smtp-in.l.google.com[74.125.29.27] said:
        421-4.7.0 [204.12.61.116 15] Our system has detected an unusual rate of
        421-4.7.0 unsolicited mail originating from your IP address. To protect our
        421-4.7.0 users from spam, mail sent from your IP address has been temporarily
        421-4.7.0 rate limited. Please visit
        421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk
        421 4.7.0 Email Senders Guidelines. w18si12235074qay.49 - gsmtp (in reply to end of DATA command)

> for your own domains, start with spf / dkim / dmarc and then only accept spf pass in mta stage, from that point you can begin whitelist if needed, but keep the whitelist in spf since a single ip can have a million domains :)

I'm sorry, this is the beyond my level of expertise that I was referring to.

--pat--
--
Pat Traynor
p...@ssih.com
Re: I need professional help
On Sun, 13 Jul 2014, Antony Stone wrote:

> > It's absolutely not from MY customers. I don't let anyone relay their outgoing email through me.
>
> On Sunday 13 July 2014 at 16:35:14, Pat Traynor wrote:
> > I run a web server, and for many of my hosting customers, I'll forward their email to other mail servers.
>
> Now I'm confused.

Sorry, my fault. By their mail, I meant incoming mail addressed to them.

--pat--
--
Pat Traynor
p...@ssih.com
Re: Which IP is tested by the RBLs?
Thanks, everyone for all the good info. Lots to digest, but I now have a few options to pursue.

--pat--
--
Pat Traynor
p...@ssih.com
Which IP is tested by the RBLs?
My PC is connected via a Verizon dynamically-allocated IP address, which is on several RBLs. If I send mail directly from my PC to my linux mail server, spamassassin flags it. This is generally not a big deal for me, as I usually use a mail client on the server itself. However, from time to time, I'll use a mail client on my PC just for convenience.

What I want to know is this... If I send an email from my PC to someplace remote, it first gets accepted by my linux mail server and then moves on from there. If the destination machine is running spamassassin, does it test the original IP address of my Verizon-connected PC, or does it test the IP address of my linux server?

--pat--
--
Pat Traynor
p...@ssih.com
Getting scores for non-spam
In the headers of messages that are not reported as spam, I get information like this:

    X-Spam-Status: No, score=3.8 required=4.0 tests=BAYES_50,HTML_MESSAGE,
        HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_BRBL_LASTEXT,RP_MATCHES_RCVD,
        SPF_HELO_PASS,SPF_PASS autolearn=no version=3.3.2

Is there an option that would allow me to see how each of these tests affected the total score? A way to see the individual scores of those tests?

Thanks.

--pat--
--
Pat Traynor
p...@ssih.com
Re: Getting scores for non-spam
Thanks all for the good info! --pat-- -- Pat Traynor p...@ssih.com
Where is plugin directory on a personal install?
Upgrading the ancient spamassassin on my server is looking to be a scary proposition, so I did my own personal install. It's working fine, but a lot of spam is still coming through, and I'd like to do some tweaking.

Where is the plugin directory if you do your own personal install? I can't find a Plugin directory anywhere in my home directory, aside from the one in the folder where I initially extracted Spamassassin to do the make and install. It doesn't use *that*, does it?

--pat--
--
Pat Traynor
p...@ssih.com
Can I install upgraded Spamassassin without uninstalling old?
Here's my situation: I lease a host from a provider. They initially did all my setup, and I do the simple maintenance I need.

A short time ago, the spam increased dramatically. Others on this list reported it, and a common suggested problem was that the installed Spamassassin was badly out of date. Mine is 3.0.4, and I probably fall into that category.

I called my co-hosting provider and asked to have Spamassassin upgraded. They told me that to do this would require an upgrade to my Fedora core, which would require an upgrade to this, and to that, and I'd then need to reinstall those... Bottom line is that the whole ordeal will cost me thousands of dollars, which I simply don't have. My gut feeling is that a SA upgrade *could* be done, but they see an opportunity to get some cash out of me, and they know they've got me by the short hairs.

I do a lot of my own installations without any problem, but the thing is that I've got a couple dozen customers using Spamassassin, and if I crash and burn on the upgrade, it won't be a pretty situation.

So... I was wondering if it's possible to install an alternate version of Spamassassin and verify that it's working properly before burning my bridge on the outdated (but working) version I've currently got installed.

Thanks for any advice.

--pat--
--
Pat Traynor
p...@ssih.com
Re: Can I install upgraded Spamassassin without uninstalling old?
On Wed, 1 Jun 2011, Mihamina Rakotomandimby wrote:

> It's possible. But this, of course, depends on your skills. For example, if you ever need a newer Perl library/module, you will also need to install it.

My perl installation is at the latest version as of about a month ago (5.3.12), and I'm comfortable installing modules.

> Why won't you try on a Virtual machine first? Install the old Fedora and try it out.

Well, THAT is probably well beyond my capabilities - getting a server completely installed to the point of it accepting outside mail.

Thanks for the ideas!

--pat--
--
Pat Traynor
p...@ssih.com
Re: Can I install upgraded Spamassassin without uninstalling old?
On Wed, 1 Jun 2011, Michael Scheidell wrote:

> On 6/1/11 7:37 AM, Pat Traynor wrote:
> > My perl installation is at the latest version as of about a month ago (5.3.12), and I'm comfortable installing modules.
>
> I believe for current versions of SA, the minimum perl is 5.8.8

See, this is why I really shouldn't be left alone in front of a keyboard. My perl installation is 5.12.3, NOT 5.3.12. Sigh...

--pat--
--
Pat Traynor
p...@ssih.com
Re: Can I install upgraded Spamassassin without uninstalling old?
On Wed, 1 Jun 2011, Michael Scheidell wrote:

> On 6/1/11 8:43 AM, Pat Traynor wrote:
> > See, this is why I really shouldn't be left alone in front of a keyboard. My perl installation is 5.12.3, NOT 5.3.12. Sigh...
>
> it should be 'safe' to backup the ../site_perl* and ../lib/perl5* libraries, and try to upgrade the perl modules first. newer pm's SHOULD work with old SA. look at upgrading file and tar/pax as well.

Sounds good. I'll look into that and tread carefully.

--pat--
--
Pat Traynor
p...@ssih.com
Learing spam/ham with Pine
This is certainly a newbie question for all of you out there, but I really don't know where I should be asking this.

I've been running Spamassassin on my linux server for some time, and I use Pine to read my mail. I suspect that Spamassassin isn't learning from spam that's coming through if I don't alert it to false positives or missed spam, but I simply don't know how to do that.

Can someone tell me (or point me to instructions) on what steps I should take to do this? I would imagine some of it involves redirecting spam from my inbox to a spam file. I'm not looking for something that's site-wide. This is just for my account.

Thanks for any help.

--pat--
--
Pat Traynor
p...@ssih.com
Re: Learing spam/ham with Pine
On Wed, 3 Nov 2010, John Hardin wrote:

> Take a look under http://www.impsec.org/antispam/ for some scripting for user-directed training in that sort of environment. Each user needs a SpamAssassin-HAM and SpamAssassin-SPAM folder.

Thanks for the reply! I'm getting a not found at that address.

--pat--
--
Pat Traynor
p...@ssih.com
Re: Learing spam/ham with Pine
Thanks, John. I'm teaching spamassassin now!

--pat--

On Wed, 3 Nov 2010, John Hardin wrote:

> On Wed, 3 Nov 2010, Pat Traynor wrote:
> > On Wed, 3 Nov 2010, John Hardin wrote:
> > > Take a look under http://www.impsec.org/antispam/ for some scripting for user-directed training in that sort of environment. Each user needs a SpamAssassin-HAM and SpamAssassin-SPAM folder.
> >
> > Thanks for the reply! I'm getting a not found at that address.
>
> Dangit. Insufficient caffeine. Try this:
>
> http://www.impsec.org/~jhardin/antispam/
>
> --
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r
> ---
> 4 days until Daylight Saving Time ends in U.S. - Fall Back

--pat--
--
Pat Traynor
p...@ssih.com
Outsource my mail?
Our primary business is website design. We also run our own web server, and for some of our clients, we store their mail and run it through Spamassassin. Over the years, processing the mail has become about 90% of what our server is doing during the day, and probably 99% at night.

I'm afraid that the web server is starting to suffer because of that. I was thinking that perhaps I should split off the mail to its own separate server, but I can't justify doubling what I'm paying to my co-hosting provider just for mail.

Are there any companies that offer mail storage services with Spamassassin? What I'd like is that if I'm hosting xyzzy.com, I'd like to have mail.xyzzy.com point to this 3rd party provider and have them handle everything.

--pat--
--
Pat Traynor
[EMAIL PROTECTED]
Shouldn't this porn be flagged?
I've just switched to a new hosting provider who has installed a fairly standard Spamassassin for me. It seems like a lot of spam is getting through. I just looked at this one: Subject: Innocent Asian Babe Hairy Pussy Fucking X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on ssih.com X-Spam-Level: ** X-Spam-Status: No, score=2.3 required=4.0 tests=BIZ_TLD,RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL autolearn=no version=3.0.2 Cute Amateur Spreading Legs And Pussy Asian Chick Gets Machine Fucked By Blond Lesbian Babes sharing a stud Nude Short Haired Amateur Fucks Doggystyle On Sofa Drunk blowjob in toilet This seems like a lot of relatively standard porn terms that haven't been recognized. Is this normal? Do I have to add my own rules to catch this sort of stuff? --pat-- -- Pat Traynor [EMAIL PROTECTED]
connect(AF_INET) to spamd failed
Last night, I had to do a minor hardware upgrade on my server. Later that night when I checked my mail, I had about 20 spams, when I'd normally get one or two during that time. Overnight, I got about another 30. From the headers, I can see that spamd *is* running and generating scores, but LOTS of spam is slipping through.

I tried re-booting this morning, and looking at my syslog, I see this soon after bootup:

    Mar 22 07:29:49 ssih spamc[375]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
    Mar 22 07:29:49 ssih spamc[375]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
    Mar 22 07:29:50 ssih spamc[375]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
    Mar 22 07:29:50 ssih spamc[375]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
    Mar 22 07:29:49 ssih spamc[374]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
    Mar 22 07:29:49 ssih spamc[374]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
    Mar 22 07:29:50 ssih spamc[374]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
    Mar 22 07:29:50 ssih spamc[374]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
    Mar 22 07:29:51 ssih spamc[375]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
    Mar 22 07:29:51 ssih spamc[375]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
    Mar 22 07:29:51 ssih spamc[374]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
    Mar 22 07:29:51 ssih spamc[374]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
    Mar 22 07:29:53 ssih spamc[375]: connection attempt to spamd aborted after 3 retries
    Mar 22 07:29:53 ssih spamc[375]: connection attempt to spamd aborted after 3 retries
    Mar 22 07:29:53 ssih spamc[374]: connection attempt to spamd aborted after 3 retries
    Mar 22 07:29:53 ssih spamc[374]: connection attempt to spamd aborted after 3 retries
    Mar 22 07:29:57 ssih spamc[390]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
    Mar 22 07:29:57 ssih spamc[390]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
    Mar 22 07:29:58 ssih spamc[390]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
    Mar 22 07:29:58 ssih spamc[390]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
    Mar 22 07:29:59 ssih spamc[390]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
    Mar 22 07:29:59 ssih spamc[390]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
    Mar 22 07:30:00 ssih spamc[390]: connection attempt to spamd aborted after 3 retries
    Mar 22 07:30:00 ssih spamc[390]: connection attempt to spamd aborted after 3 retries

--pat--
--
Pat Traynor
[EMAIL PROTECTED]
Might spamd be loading my machine?
Lately, I've been having rather high load averages on my web/mail server. From what I can tell, the html traffic hasn't gone up that much, so I've got to assume that it's mail-related. Here's the beginning of a top that I just ran, sorted by memory usage.

      4:17pm  up 3 days,  4:55,  4 users,  load average: 7.92, 6.89, 6.63
    106 processes: 103 sleeping, 1 running, 2 zombie, 0 stopped
    CPU states: 10.1% user,  3.5% system,  0.0% nice, 86.2% idle
    Mem:   517672K av,  438920K used,   78752K free,  169292K shrd,  122232K buff
    Swap:  705424K av,       0K used,  705424K free                  129348K cached

      PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
     1737 lordenv_   0   0 27736  27M  9472 D       0  0.0  5.3   0:06 spamd
     1739 lordenv_   2   0 24744  24M  9656 D       0  0.1  4.7   0:05 spamd
     1740 root       5   0 24660  24M  9692 S       0  0.0  4.7   0:04 spamd
     1736 root       2   0 24100  23M  9756 S       0  0.0  4.6   0:03 spamd
     1738 ebccs     10   0 23948  23M  9776 D       0  0.1  4.6   0:03 spamd
      320 root       0   0 21904  21M  9932 S       0  0.0  4.2   0:03 spamd

spamd has all the top marks. Is this normal for spamd? If not, is there anything I can do about it? I just added

    use_auto_whitelist 0

to my local.cf file, but it didn't change anything when I HUP killed spamd.

I have 13 users using spamassassin to filter their mail, if that matters.

--pat--
--
Pat Traynor
[EMAIL PROTECTED]
Attachment size rule?
Does anyone know how I could write a rule based on an attachment size? I'm getting a lot of spams with this specific file attached. It's always named differently, but the size is exactly the same each time.

--pat--
--
Pat Traynor
[EMAIL PROTECTED]
Re: 80K file attachments
On Tue, 23 Nov 2004, Raymond Dijkxhoorn wrote:

> Spam? Virus! :)
>
> > Is anyone else seeing this, and is there a rule set that I could put into place to take care of it?
>
> Your virus scanner should take care of them, most likely it's W32/[EMAIL PROTECTED]

Well, my email doesn't get any further than my Linux box, so I'm not in any danger of being infected. But I provide email storage for others who are using SpamAssassin, and I like to eliminate whatever I can before it gets to them.

The virus doesn't bother me. It's the emails themselves. As far as I'm concerned, this is spam, and I'd like SA to intercept them.

--pat--
--
Pat Traynor
[EMAIL PROTECTED]