Re: [SAtalk] 'spamassassin -d' not stripping SA reports from email
On Wed, 21 Jan 2004, Matt Kettler wrote:
At 10:41 PM 1/20/04 -0600, C. Bensend wrote:
Is the problem that I'm _forwarding_ the tagged emails from one host
to the other? I don't have the capability to bounce, I can only forward.
A forwarded message is a brand new message. That brand new message is NOT
sa tagged, even though it may contain some SA markups because the other
message was tagged.
Once you've forwarded a message, there's generaly no way to reconstruct the
original.
All new headers are created, Mime sections are changed, the body is
modified with things like forwarded message from, you mailclient may wind
up re-encoding the HTML, etc. To a reader, it looks a lot the same, but to
a mailer, it bears little resemblance to the original.
On the other hand, if you forward the message (complete with full
headers), as an attachment, and then extract that attachment at the
other end, you should be able to use that. (IE use the new message
as a 'carrier' for the one that you want to re-learn).
There is a MIME-type Message/RFC822 which is intended precisely
for this kind of job.
This does depend upon the sending mail client being able to generate a
proper MIME attachment forward. You should be able to use a tool
like metamail to automate the extraction at the receiving end.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] too much spam...
On Mon, 26 Jan 2004, Paul Diaguila wrote:
No Bayes db yet, but I would think the one rule would score it a 5
Paul
Covington, Chris wrote:
Your Bayes must be hosed if what you think is spam gets BAYES_00.
Chris
[snip..]
Greetings
Using SA Ver. 2.63 with Mimedefang, and still quite a bit of spam is
getting through. Have all the current BigEvil, ect... As an example,
a rule is in place in local.cf
header SUBJECT_ENCODED_MY_TEST Subject:raw =~ /=\?.*\?=/i
describe SUBJECT_ENCODED_MY_TEST Subject begins with =?
scoreSUBJECT_ENCODED_MY_TEST 5.0
When a message comes in:
Subject:
=?ISO-8859-1?b?V2UgaGF2ZSB3aGF0IHlvdSBuZWVkIC0gQ2hlYXBlc3QgcHJlc2NyaXB0a
W8vbnMgb24gdGhlIGludGVybmV0?=
Content-Type: multipart/alternative;
boundary==_NextPart_000_0CAC_A6ABA171.138272BD
X-Spam-Score: 3.422
BAYES_00,FORGED_OUTLOOK_TAGS,HTML_50_60,HTML_IMAGE_ONLY_02,HTML_MESSAGE,
HTML_TAG_BALANCE_BODY,RM_rb_ANCHOR,RM_rb_BODY,RM_rb_HTML,SUBJECT_ENCODED
_MY_TEST
X-Scanned-By: MIMEDefang 2.30 (www . roaringpenguin . com / mimedefang)
???
thanks...
Paul
Paul,
Look at the 'X-Spam-Score' report line.
If you read it you will see 'SUBJECT_ENCODED_MY_TEST' so that rule -did-
hit. You will -also- see 'BAYES_00' So there is a Bayes db somewhere and
it said this is not spam, so I will score this message at -5.6 which
nullified your SUBJECT_ENCODED_MY_TEST sore.
Bottom line is you do have Bayes running somewhere on your system
and it is not properly trained. Rather that writing more rules, I'd
suggest that you concentrate on getting it trained and I think that
you'll be happier.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Rules Du Jour v 1.07b
On Fri, 23 Jan 2004, Smart,Dan wrote:
Humm
This command works every time from command line, but not passed as a param
from SA_RESTART.
postfix stop ; sleep 15 ; /etc/init.d/spamassassin restart ; postfix start
It runs the postfix stop and then quits. Any idea why? I can create a sed
that patches the rules_du_jour each time putting the commands in one at a
time in the restart if block, which does work, but passing it as the
SA_RESTART parameter would be really nice.
Dan
Run it in a sub-shell, put the whole thing in parens:
(postfix stop ; sleep 15 ; /etc/init.d/spamassassin restart ; postfix start)
depending upon how that is parsed by your command processor, you may have
to escape them. EG:
\(postfix stop ; sleep 15 ; /etc/init.d/spamassassin restart ; postfix start \)
This is basically a shell-scripting issue.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Using Mail::SpamAssassin to clean a message
On Wed, 21 Jan 2004 [EMAIL PROTECTED] wrote:
I want to be able to take an email message that may contain MIME and HTML
and to strip it down to basically nothing but text. (I know that
SpamAssassin already does this in large part so that it can analyze the
message properly.) So I'm not actually using SpamAssassin to detect spam.
Instead, I just want access to a relatively clean text message to scan for
another purpose.
Here is what I have tried, without success:
[snip..]
I just want access to SpamAssassin's email cleaning code that will make it
easy for me to access the text of any arbitrary email message (e.g., a
message with MIME parts).
Why not use a tool specifically designed for that purpose? (MIMEDefang).
SA is usually configured to skip messages over a certain size so to
not waste time on large messages (most spam is under 200k bytes in size
and SA processing time goes up rapidly with increasing message size).
In an arbitrary MIME message it is not unusual to find large attachments
(images, video, sounds, etc) which would cause them to bypass SA.
Thus SA may not be the best tool for this job.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: FW: [SAtalk] How to stop this kind of stuff?
|-Original Message-
|From: Evan Platt [mailto:[EMAIL PROTECTED]
|Sent: Wednesday, January 21, 2004 15:03
|To: SpamAssassin
|Subject: Re: [SAtalk] How to stop this kind of stuff?
Real easy, this is a predictable spamhaus, Empire Towers
Go check the records on this outfit at http://www.spamhaus.org/rokso
Just add two custom rules to your SA kit:
One that hits any uri reference to opt-u1.biz hard (I give it a 8.0)
The other looks for any of optny?.us or optny?.biz (where the ? is a
digit) in the 'From' header and hits that hard too.
uri L_SPAMHAUS1 /\b(?:opt-u1\.biz|certrewards\.tc|funding-advisors\.com)\b/i
describe L_SPAMHAUS1Contains URI refering to Empire Towers Spamhaus
score L_SPAMHAUS1 8.0
header L_SPAMHAUS2 From =~ /\boptny\d\.(?:us|biz)\b/i
describe L_SPAMHAUS2Sent from Empire Towers Spamhaus
score L_SPAMHAUS2 8.0
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Selectivly disabling DYNABLOCK
On Thu, 22 Jan 2004, Peter McGarvey wrote:
Greetings all,
I have a mailserver which handles all my incomming and outgoing mail.
Outgoing mail (stuff I send) is passed to the server via ASMTP.
Incomming mail (stuff sent to me) comes in via SMTP. There is
absolutely no way my server will relay mail unless it arrives via ASMTP.
However, when I send mail to another account on my box, the global
SpamAssassin (2.61) adds 2.546 to my mail score because I happen to
catch the RCVD_IN_DYNABLOCK rule. Now, I'm happy for all SMTP mail to
face up to this rule, but I'd rather my ASMTP mail didn't.
Other than obsfucating my Received: headers to omit the IP from mail
which is sent via ASMTP, is there any way to get RCVD_IN_DYNABLOCK to
backoff?
I did think about adding trusted networks. But I don't necisarrily know
my IP. It also blunts SA somewhat if I add vast tracts of IP space.
Silly question; if it's something that you're sending out, why
SA scan it at all?
I configured our MTA to recognize locally generated messages and not
bother SA scanning them. (reduces LLuser complaints about message
sending delays ;).
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [WL] Re: [SAtalk] More obfuscation
On Tue, 20 Jan 2004, Charles Gregory wrote:
Right now, there would be no statistics, because the text obfu has just
started. But as a side note, we don't have the disk space to run Bayes for
all our users though I'm getting awfully tempted to talk the boss into
an extra disk or two. So for now, no Bayes here :-(
A site-wide Bayes isn't quite as effective as a per-user Bayes,
but still worthwhile. It will help to catch the obfu junk (and
only takes 10~20 Mbytes of disk).
So now you have no excuse, get Bayes-ing. ;)
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] trusted_networks being ignored at times?
On Wed, 21 Jan 2004, Justin Mason wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Will McCutcheon writes:
I am running SpamAssassin 2.61 with Sendmail 8.12.8 using Procmail 3.22.
[snip..]
A's IP as being in an RBL of dynamic IP's, despite my setting in
/etc/mail/spamassassin/local.cf instructing it to trust that IP. The
documentation for Mail::SpamAssassin::Conf seems to pretty clearly say
that RBL checks will never be performed on any trusted IP's, but it
certainly appears to be occurring here.
Yep -- this is a case where it will occur. This is because the
mail has gone *outside* of the trusted zone -- and the untrusted
host B could be under the control of spammer who just forged a
Received header to make it look like it came from the trusted
host A. We can't trust that.
Same for the next case btw.
- --j.
Thus, if you -can- trust server 'B' add it to your trusted_networks
list, so the whole chain will be trusted and all will be well. ;)
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Turning off Habeas?
On Tue, 20 Jan 2004, Terry Shows wrote:
Maybe it is good for -16, but in every case I looked at that passed thought
with habeas set, none of them set the violator, and every single one was
flagrantly spam.
[snip..]
The way it is now, it is just another header that can be added by a spammer,
and as long as nobody turns him in to habeas.net, he is guaranteed an easier
^^
path for his junk. (if I am missing something, please feel free to educate
me. Just be nice when you do it)
Terry.
True, have you been turning in those violators that you found?
I've turned in every one that I found and a recheck of the HIL shows
that they were listed by Habeas.
To paraphrase a theologian:
The only thing necessary for evil (spammers) to succeed is for good
to do nothing.
One quick rule hack that has worked wonders for me for this issue:
uri L_FAKE_MED_SITE
//\b(?:valuepointmeds\.biz|pharmacourt\.biz|pharmawharehouse\.biz|mypillsource\.com|gowebrx\.com|rxsourceonline\.com|getwebrx\.com)\b/i
describe L_FAKE_MED_SITEWeb site of fake meds sellers
score L_FAKE_MED_SITE 3.0
meta L_FAKE_MED_ABUSER ( L_FAKE_MED_SITE HABEAS_SWE )
describe L_FAKE_MED_ABUSER Site selling fake meds and abusing habeas
score L_FAKE_MED_ABUSER 10.0
The first part is an adaptation of BigEvil, the second part nullifies
their abuse of habeas.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] List moderation and spam removal
On Tue, 20 Jan 2004, Sean McCrohan wrote:
[snip..]
The problem is that the moderation request the list sends to me gets
wrapped in MIME, and SA (as currently installed) doesn't do a very good
job of analyzing it, in part because there's a set of instructions stuck
on the front that are the same regardless of whether the message is spam
or ham. What can I do to point SA at the right parts of the message to
pay attention to?
--Sean
Use MIMEDefang to unwrap it and then feed just the message part to SA.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] spamassassin on Gateway server (MX)
On Fri, 16 Jan 2004, Ross Vandegrift wrote:
On Thu, Jan 15, 2004 at 02:20:16AM -0600, David B Funk wrote:
If you SMTP reject the spam, it never hits your queue, so no problem
with the garbage piling up and no bombarding poor innocent 'joe-job'
victims. It's better than auto-deleting spam, as a legit message
that is accidentally mis-identified as spam gets returned to the
true sender and they can remedy the situation rather than wondering
what happened to their message.
I hope you see the contradiction in the above paragraph.
no bombarding poor innocent 'joe-job' victims
gets returned to the true sender
Easily forged, easily joe-jobbed, better to never reject.
No contradiction if you are -truely- using SMTP reject on your
incoming mail gateway.
To make sure that you understand what I'm talking about, I'll explain
what what happens in a true SMTP reject.
The remote client connects to my incoming SMTP gateway machine.
If you read RFC-2821, you'll see the SMTP protocol steps that
the remote machine and my (or any) SMTP server go thru. During
that sequence, if my server returns a '550' response code, the
transaction is terminated, the remote machine is left with the
message and my server has no responsibility for it. (IE the
message never even gets past my 'front door').
This means that it is -NOT- in my mail queue, there is nothing
for my server to even think about trying to return to somebody.
If I reject a message, the sender and recipient addresses (forged
or real) are of no consequence to my server. Think of it like having a
'smart' ip-filter on your mail server. The remote machine is prevented
from handing the message to you at all.
In the case of a legit message that FPs above my reject threshold,
the sender's mail server is left holding the message and it has the
responsibility of returning it to them, so they get their messsage back.
There is one special case where this does not work, that of the
filtering machine not being the border gateway. IE if you (or some
other party acting in your behalf such as your ISP) have some
external server that accepts everything addressed to you and then
forwards the messages in to your filter machine. Then if your filter
machine rejects the trash, the external server is stuck with the
garbage and it will try to bounce them back.
However the OP was asking about an incoming filter machine and that
was the case that I was addressing.
I had spamass-milter setup to reject for a while, and I found that my
queues were always full. As I looked into it, I realized they were
full of errors, just waiting to be crapflooded onto some poor-sod-like-me's
mail server.
If you find crap messages (ones above your reject threshold) in your
queue on the filter machine, then you are -not- doing true SMTP rejects
(regardless of what your configuration claims).
Now I have my milter set to tag spam at 6.0 and reject at 20.0.
So there is a range of spam (6-20) that will be in my queue to
be delivered. (I do that in case of FPs.)
I've been hacking sendmail stuff for almost 20 years now, started
doing anti-spam filtering in the mid-90's. At that time, doing SMTP
rejects was the only thing that was easy to do, so it is second
nature to me.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Acronym Update
--On Friday, January 16, 2004 12:13:21 -0600 Carl Chipman
[EMAIL PROTECTED] wrote:
For the new people on the list, I was wondering what the following
acronyms mean:
LART
Luser Attitiude Readjustment Tool
Reporting the offending user to [EMAIL PROTECTED]
UBE/UCE
Unsolicited Bulk Email/Unsolicited Commercial Email
(SPAM).
Are the acronoyms in the FAQ?
The defs of these and -many- other arcane net-talk terms and
abbreviations can be found in The Jargon File (proper name please)
(AKA The New Hacker's Dictionary). A work-in-progress for over
15 years with a cast of thousands. ;)
It's available in print and on line in many forms.
Home page: http://www.jargon.org/
Googleable directly with the search modifier of site:www.catb.org
EG to search for the def of 'LART' do a google search of:
LART+site:www.catb.org
It's beginnings are lost in the mists of time (some say at Stanford
SAIL lab, others claim MIT) but for the last 14 years or so it's pretty
much been the project of Eric S. Raymond (a major net persona in his own
right, check out: http://www.faqs.org/docs/artu/ ).
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] spamassassin on Gateway server (MX)
On Wed, 14 Jan 2004, Matt Kettler wrote:
At 09:56 AM 1/15/04 +0545, Pankaj wrote:
I feel I am being a bit misunderstood. I simply need to configure my MX to
have SpamAssassin running.I do not need any antivirus .
How do I do it ? Running RedHat Linux 8.1 and Sendmail 8.12.10 in it.
[snip..]
Thus, you NEED another tool to integrate it into the MTA layer.. most MTA
layer integrations are capable of calling a variety of spam and virus
scanners, but you can just neglect the virus scanner part.
However, the answer of using amavis or mailscanner to handle the
integration is good advice.. I personally use mailscanner.
Some people also use spamass-milter, which installs itself as a sendmail
milter so it's more tightly integrated, but I've heard more complaints
about it than praise.
However a sendmail milter -does- let you do something that you cannot
do with mailscanner. You can do real-time SMTP rejects of spam, not
just delete or bounce it.
If you SMTP reject the spam, it never hits your queue, so no problem
with the garbage piling up and no bombarding poor innocent 'joe-job'
victims. It's better than auto-deleting spam, as a legit message
that is accidentally mis-identified as spam gets returned to the
true sender and they can remedy the situation rather than wondering
what happened to their message.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] no subject
On Wed, 14 Jan 2004, Christopher Tarricone wrote:
The permissions on my bayes_journal and bayes_toks files keep changing. Has
anyone else encoutered this problem?
[snip..]
I look in /usr/share/spamassassin/db/ and behold! The permissions are:
[EMAIL PROTECTED] db]# ll
total 23012
-rw---1 root root 3057 Jan 14 16:49 bayes_journal
-rw---1 vpopmail vchkpw 21061632 Jan 14 16:50 bayes_seen
-rw---1 vpopmail vchkpw 10211328 Jan 14 16:50 bayes_toks
[EMAIL PROTECTED] db]#
If I do a processes listing
[EMAIL PROTECTED] db]# ps -aux |grep spam
vpopmail 3215 0.1 5.3 31940 27244 ? SJan13 1:49
/usr/bin/spamd -m 20 -s -Q -q -x -d -v -u vpopmail -F 0
root 1445 0.0 0.1 3760 568 pts/3S16:53 0:00 grep spam
[EMAIL PROTECTED] db]#
It seems to me that SpamAssassing is running as the user vpopmail so I am
not sure how the permissions are getting changed so often.
Are you doing any 'sa-learn' runs as root? (either by hand or
via some kind of automated batch/cron job)?
If the bayes_journal file rolls over during a 'sa-learn' run
it will create a new one, as root.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Bayes NFS safe?
On 15 Jan 2004, Rocky Olsen wrote:
I too would greatly appreciate any information - as we have 9 boxes
doing Spam scanning. Anyone tried this?
On Thu, 2004-01-15 at 13:31, Mike Jackson wrote:
If you have multiple SA filtering boxes, is it safe to NFS-mount a partition
with a system-wide Bayesian database and share it across all the boxes? In
our setup, we have three boxes dedicated to doing SA filtering, all running
the same version of FreeBSD, and it sure would be nice to be able to do this
because the SQL-based Bayesian filtering doesn't quite look ready for prime
time.
Mike Jackson
Technical Manager, efn.org
www.efn.org
I posted a note about this precise question a few months ago,
please check the archives.
Short answer, do-able if you honor the Berkeley-DB requriements for
access over NFS (see the sleepycat site for exact details), that you
have all the clients only reading the DB, use journaling, and do the
updates on the machine that actually has the DB stored on it.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] The CAN-SPAM act....
On Wed, 14 Jan 2004, Jonathan Nichols wrote:
Did the CAN-SPAM act really take away a citizen's right to sue spammers?
I'd like to write to this marketing company and have them provide me
with absolute proof that I signed up for *anything* at all. (they won't
be able to) I think the whole Write us to unsubscribe business is just
a big sham.
No, the spammers would -love- to hear from you. Then they have verified
proof that that particular e-mail address goes to a human who reads
and thus is valuable fodder for selling on addres lists.
I have a couple of spam-trap addreses that have never been used anywhere
-except- plugged into unsubscribe links and messages. It's rather
amusing to see where they end up getting spammed from.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] How to find values assigned to different tests?
On Tue, 13 Jan 2004, Mitch (WebCob) wrote:
I thought there was a patch that added the score to the headers... then you
didn't have to go looking - has anyone seen it lately?
m/
Depending upon how you have SA integrated into your mail system,
it may only require a change to your 'local.cf', no patch needed.
In my local.cf I have:
# Customize the report that 2.60 introduced in all messages
#
clear_report_template
report Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
report Content analysis details: (_HITS_ points, _REQD_ required,
autolearn=_AUTOLEARN_)
report
report pts rule name description
report
report _SUMMARY_
This adds a header to each message that can look like:
X-Spam-Report: Checker-Version SpamAssassin 2.60 (1.212-2003-09-23-exp) on
hostname.icaen.uiowa.edu
Content analysis details: (5.2 points, 6.0 required, autolearn=no)
pts rule name description
2.1 BAYES_90 BODY: Bayesian spam probability is 90 to 99%
[score: 0.9569]
0.1 BIZ_TLDURI: Contains a URL in the BIZ top-level domain
3.0 L_EvilList_29 URI: Generated L_EvilList_29
So you can see which rules hit and what their contribution to the
score was.
Note that Mike Leone is using amavisd-new, which has it's own method
of adding headers to messages and will ignore the SA report template
config. Thus for amavisd-new users, there may need to be some kind
of modification to that code (but that isn't a SA issue).
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Configuring SA to be more aggressive..
On Tue, 13 Jan 2004, Mail Monitor wrote:
Hi,
We have installed SA 2.6 on linux RH 9.0 on a mail
gateway. The total mail transaction/day through this
server is 75,000 and spam mails caught by SA is around
10-15%. But spam mails are still getting through, we
have not implemented razor, bayesian rules etc. The
number of spamc processes forked is high(above 200).
Because of this milter goes into error state bypassing
SA.
Please do let us know if SA could be made stable
for this heavy load and also ways to make it more
aggressive. Any help/suggestions would be appreciated.
First thing, beef up your hardware configuration.
To handle 75,000 messages/day, you need a 1 second per message
average processing rate.
If you aren't running any network checks (No DSBL, razor, dcc, etc)
and not running any bayes, this should be easily acheivable with
reasonable hardware ( 1Ghz PIII or faster, 512Mb RAM).
My bet is that you don't have enough RAM in that box.
Once you've got a stable base config that can keep up with
your load, add Bayes (get it stable), then turn on net checks.
Bayes will add CPU/RAM demands but it will be a deterministic
increase. Net checks don't take much addtional CPU/RAM but they
introduce non-deterministic delays due to network problems and
load on the remote servers, etc.
When running with no net checks, I usually see sub-second processing
time (base SA + Bayes) but with net checks on, times vary from
sub-second to 30 seconds per message soely due to remote
delay factors (30K messages/day).
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Limitation in SA (Re: [SAtalk] Obfusticated URI?)
On Mon, 12 Jan 2004, Larry Starr wrote:
Just noticed a message with an encoded URL, that misses, the BIZ_TLD rule,
etc.
The message body contains:
a href=3dhttp://gf=2eclearmath=2ebiz/jsimp/index=2ehtml;font
face=3darialscored /fontthis way=2e
brimg src=3dhttp://K=2eclearmath=2ebiz/images/js02=2ejpg; border=3d=
0
/a
I know this wraps a bit ugly, when pasted into my mailer but, as you can see,
the punctuation, in the URI, is all hex encoded. =2e, instead of ..
I have a local rule, in the form of bigevil.cf, with the following
sub-expression, that catches the above, but there has got to be a simpler way
to do this.
uri uri MyEvilList_001 ( /\b(?:=2e){0,1}clearmath(?:\.|=2e)biz)\b\i
Does anyone know of a ruleset that handles this sort of thing, perhaps code
that decodes the =xx expressions prior to the URI matches?
Actually that is a bastardized quoted-printable (QP) encoding of a URL.
In QP the character sequence '=2E' is an encoded period, that spam-tool
is generating '=2e' intending it to be interpreted as a period.
SA is supposed to decode QP before running the various 'body' and 'uri'
rules but there's a limitation in its decoding engine. If the QP
encoding uses lower-case hex digits instead of CAPS hex digits, it
does not recognize them as QP and fails to decode them.
Strictly speaking RFC-2045 demands the usage of CAPS hex digits in
QP (see section 6.7) and the lowercase stuff should be considered
illegal.
However many popular mail clients will decode the bastardized
lowercase version and display the message to the user as the
spammer intends (section 6.7, note (1) permits this).
I can see two different ways to handle this, either make SA more
flexible and decode the bastardized QP so normal rules will hit
or write a rule that hits such bastardized QP coding as a spam-tool
signature.
Does anybody know if there are real (albeit brain-damaged) mail
clients that generate such bastardized QP encoding?
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: Limitation in SA (Re: [SAtalk] Obfusticated URI?)
On Tue, 13 Jan 2004, Justin Mason wrote:
David B Funk writes:
I can see two different ways to handle this, either make SA more
flexible and decode the bastardized QP so normal rules will hit
or write a rule that hits such bastardized QP coding as a spam-tool
signature.
Are you sure about this? If it's the case, we do need to
decode it, and it would be great to have it reported as a bug.
- --j.
I've not dissected the SA code but empirical testing indicates it.
(Take Larry's snippet, change those '=2e' to '=2E' and watch
SA properly parse it).
I had noticed the same phenomenon before but was too lazy to track
it down. ;) With Larry's query as a prod, I took the time to test
it and look up the relevant RFC.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Scoring the Habeas header ...
On Tue, 13 Jan 2004, Rich Puhek wrote:
[snip..]
Be patient. Use additional rules/tools to catch the latest spammers
(clue: most come from spam zombie processes). Report the Habeas
violators (more $$$ out of the spammers pockets!). Let's keep the Habeas
marks as a tempting target for the spammers (strong negative score), so
that they keep chomping at the bait.
--Rich
Also note that Habeas has an RBL listing all reported sources of
forged Habeas-mark messages (the Habeas Infringers List). SA
automatically queries this RBL and will ignore SWE signatures from
those sources.
Thus it is in our best interest to report all such violations as it
negates the spammers attempts to abuse SWE and will help dig a
deeper hole for them. ;)
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Sendmail/Milter/ProcMail/Spamassassin
On Mon, 12 Jan 2004, Mike Carlson wrote:
Right now I am using spamass-milter to send all the email into spamassassin
but I would like to implement a deletion process where the email gets deleted
if it gets certain score. As it stands I cannot do that right now with my
setup.
Read the documentation on the spamass-milter '-r' flag. That will do
what you want. Actually, it won't delete the spam but it will do
something better, it will SMTP reject it.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Oh Joy, another abusable URI redirector
On Fri, 9 Jan 2004, David B Funk wrote:
Oh Joy, another abusable URI redirector. Saw this in a
recent spam:
http://www.google.com/url?q=http://cardtraffic.com
Proposed rule:
uri L_URI_REDIR3/http:\/\/www\.google\.com\/url?q=http:/i
describe L_URI_REDIR3 open URI redirector #3
score L_URI_REDIR3 1.5
Me bad, forgot a whack.
uri L_URI_REDIR3/http:\/\/www\.google\.com\/url\?q=http:/i
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Re: Fresh WhoIs data (emails, phones, etc.) on sale!
On Fri, 9 Jan 2004, Steve Thomas wrote:
Yay. Yet another a-hole blatantly disregarding the various WHOIS directorys' terms
of use and raping it for marketing purposes. Gee, I can't wait to get three more
copies of the same spam for every domain I own...
Awww, Gee, I thought that he was being polite and offering us
fodder for practicing our rule writing skills. ;)
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] send mail and spamassasin must be on the same machime
On Thu, 8 Jan 2004, Douglas Kirkland wrote:
On Thursday 08 January 2004 09:32, Ceva wrote:
hi everybody,
does sendmail and spamassassin must be on the same machine, or they can be
on diferent machines?
They can be on different machines. You will have to call spamassassin with
spamc to get to the spamd daemon.
Douglas
Yes and no. To have sendmail spamassassin be on different machines you
do need to use some kind of intermediary agent to connect them but it
does not have to be spamc.
There are several sendmail milter daemons that can be used to connect
sendmail to spamd. They can use Unix domain sockets for direct local
connections or they can use TCP sockets to connect to other machines.
The milter daemon effectively replaces spamc, it acts as a bridge,
speaks sendmail-milter protocol on the front side and SA-spamd protocol
on the backside to connect the two systems.
Check out 'http://spamlinks.net/filter-server-addon.htm#sendmail'
for a list of sendmail anti-spam milters. Some of them are for
other kinds of anti-spam filtering engines but some of them are
for connecting to SA.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] New rule? Based on domain registry
On Sun, 4 Jan 2004, oj wrote:
Hello,
Recentry i have had problem with spam that consist of html and one image only.
The image is fetched from different domains each time. The domains have one
thing in common though. They are all registered by the same registry:
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.paycenter.com.cn
And they are an accreddited ICCAN registry. It seams like the spammers have
got their own registry. Thus they can come up with new domains all the time at
low cost. Is there any rules based on registry of domains urls?
Maybe this is a bit far fetched, but i really want this spammer gone.
regards, Ove Jansson
Yet another instance of globalization, spam-haus out-sourcing to China. ;(
I think that if you check the DNS NS records for all those spam-domains
registerd thru paycenter.com.cn, you'll find that they all have the
same DNS Naming-Server hosting. (at least all the ones that I've seen so
far do).
It would be much easier to do a NS record lookup within SA than do a
whois check. Probably take a custom eval rule, but should be do-able.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] BigEvil.cf
On Mon, 5 Jan 2004, Ed Kasky wrote:
At 08:56 AM Monday, 1/5/2004, Tom Meunier wrote -=
With bigevil.cf in /etc/mail/spamassassin, all I see that remotely relates
to the file is the following:
spamd[22495]: debug: using /usr/share/spamassassin for default rules dir
spamd[22495]: debug: using /etc/mail/spamassassin for site rules dir
Any other way to monitor the file's effectiveness?
Ed
Create a simple test mail message that contains a URL fabricated using
any one of the hosts listed in BigEvil.cf. Feed the test message to
spamc -R and look to see if the output report hits a BigEvil rule.
For example, I created a test message called 'test.txt' containing:
From: bill
To: bob
http://bigmoneymarketing.com
Now I feed it to spamc:
spamc -R test.txt
5.6/6.0
Checker-Version SpamAssassin 2.60 (1.212-2003-09-23-exp) on server15.icaen.uiowa.edu
Content analysis details: (5.6 points, 6.0 required, autolearn=no)
pts rule name description
-- --
1.9 DATE_MISSING Missing Date: header
0.6 TO_MALFORMED To: has a malformed address
3.0 BigEvilList_37 URI: Generated BigEvilList_37
Note that hit on BigEvilList_37
To see how a given rule hits, feed it to spamassassin with rule
debugging turned on.
spamassassin -D rulesrun=255 test.txt
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Assistance with bigevil.cf
On Mon, 5 Jan 2004, SAtalk Mail User wrote:
Hello all,
I am needing some assistance in regards to the output below, I have added what
I think should get parsed out of the bigevil.cf file in /etc/mail/spamassassin
directory.
Added for testing ---
uri BigEvilList_193 /\b(?:hotmail)\.com\b/i
describe BigEvilList_193Generated BigEvilList_193
score BigEvilList_193 10.0
[snip..]
Assistance would be great here. I am also using MySQL to hold the preferences
rather than the local.cf file for easy of use. So the only thing is local.cf
is the access to my MySQL server and account information.
What I did was wget the bigevil.cf and placed it into /etc/mail/spamassassin
and in /home/spam/.spamassassin directories and then restarted the spamd
process - at the end of this email is the processes that are currently running
on my system here.
This is the output of maillog from when I receive an email message.
Jan 5 15:54:54 elmo sendmail[26923]: i05LsrU6026923: from=[EMAIL PROTECTED],
size=11575, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], bodytype=7BIT,
proto=ESMTP, daemon=MTA, relay=xx.xxx.com []
Jan 5 15:54:54 elmo spamd[26916]: logmsg: connection from localhost.localdomain
[127.0.0.1] at port 54468
Jan 5 15:54:54 elmo spamd[26916]: connection from localhost.localdomain [127.0.0.1]
at port 54468
Jan 5 15:54:54 elmo spamd[26930]: debug: retrieving prefs for root from SQL server
Jan 5 15:54:54 elmo spamd[26930]: debug: Failed to parse line in SpamAssassin
configuration, skipping: report_header^I0
Jan 5 15:54:54 elmo spamd[26930]: debug: Failed to parse line in SpamAssassin
configuration, skipping: defang_mime^I0
Jan 5 15:54:54 elmo spamd[26930]: debug: Failed to parse line in SpamAssassin
configuration, skipping: blacklist_from
Jan 5 15:54:54 elmo spamd[26930]: debug: Failed to parse line in SpamAssassin
configuration, skipping: blacklist_from
Jan 5 15:54:54 elmo spamd[26930]: debug: Failed to parse line in SpamAssassin
configuration, skipping: bayes_learn_to_journal^I1
[snip..]
Start with fixing the things that SpamAssassin throws errors on.
I see lots of errors in the above log related to parsing your config
data that it's pulled out of MySQL.
It's best to test a complex system one piece at a time. I'd start by
taking MySQL out of the equation. Put your prefs into a plain text
local.cf file, test that, add in bigevil.cf, retest, when you have that
working put MySQL back in.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Having trouble coding a local rule
On Mon, 29 Dec 2003, Peter Kiem wrote:
Hi David,
So you either need to change your rule to match the header from address or
code it to look for the envelope from address.
What is the rule for matching envelope from address?
That is mail system dependent, as there is no standard requirement for
envelope from address to be present within a message. The example that
you posted had a 'Return-Path:' header that looked like the envelope
from.
Often times the envelope from is imbedded within a 'Received:' header.
You will have to look at an example of your mesages -as presented to SA-.
(IE SA may not 'see' the same thing that shows up in your INBOX.)
I use SA with sendmail and a milter. I had to modify the milter to get it
to synthesize headers that presented the envelope sender envelope
recipients so that I could use them in filtering white/black list rules.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Having trouble coding a local rule
On Mon, 29 Dec 2003, Peter Kiem wrote:
Hi,
I'm trying to add local rules to allow certain senders that always get
caught by SA to lower their scores and give them a better chance of
getting through.
The rule I added was
header LOCAL_GOOD_SENDER_11 From =~ /[EMAIL PROTECTED]/
score LOCAL_GOOD_SENDER_11 -2.0
The headers on the email are
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
[snip..]
Date: Sun, 28 Dec 2003 16:16:35 UT
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Homes for Sale - Homes for Sale Alert
X-Spam-Status: Yes, hits=5.2 tag1=-999.0 tag2=5.0 kill=5.0
tests=BigEvilList_29, HTML_70_80, HTML_FONTCOLOR_BLUE, HTML_FONTCOLOR_RED,
HTML_FONTCOLOR_UNSAFE, HTML_IMAGE_RATIO_08, HTML_MESSAGE,
HTML_RELAYING_FRAME, MIME_HTML_ONLY, NO_REAL_NAME
X-Spam-Level: *
Why isn't the local rule being activated?
Very simply, [EMAIL PROTECTED] != [EMAIL PROTECTED]
The envelope from is '[EMAIL PROTECTED]' but the Header From is '[EMAIL PROTECTED]'
They are not the same, so the rule does not match. (You coded the rule to
look at the header 'From' address).
So you either need to change your rule to match the header from address or
code it to look for the envelope from address.
Note that depending upon how SA is integrated into your mail system,
the enveope from address may not be readily available to SA.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Re: Having trouble coding a local rule
On Mon, 29 Dec 2003, Peter Kiem wrote:
Preferably not as if someone does forge it, then the mail goes straight
through...
Isn't that what whitelist_from_rcvd is for? man Mail::SpamAssassin::Conf
The point is I *DON'T* want to whitelist. I wanted just to lower the SA
scores with a local rule.
Actually, 'whitelist_from_rcvd' is the way to go, as it will only apply
if -both- the From address and the DNS host name of the sending system
match the rule. However looking back at your first post I see that the
DNS reverse map for the 'sneezy' system is FUBAR, so you cannot use it.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Single image spams with random info
On Tue, 23 Dec 2003, Greg Webster wrote:
We're getting a TON of these, all of similar format.
htmlbody
center!--2rdxveiyf7a8--a
href=http://www.mdv678.com?rid=1098;!--srz4f4qaLBUw--img
src=http://www.whosout.com/c2.gif; border=0/a/center
/html/body
The '2rdxveiyf7a8' and 'srz4f4qaLBUw' some random string of characters
in the same place all the time. The domains are completely random it
appears - sometimes with words (like whosout.com) or a random set of
characters.
Suggestions on how to block them? I've been adding the domains to a
special rule, but they must own hundreds of them.
One clue, all those domains are hosted by a registrar in China,
XIN NET CORP with a whois server of: whois.paycenter.com.cn.
They're all served out of a few DNS servers:
NS0.DNSIN.COM
NS1.DNSIN.COM
DNS whois based clues could be used to automate the adding of
domains to a special rule or filter list.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] We have big evil now we need big good...
On Sat, 20 Dec 2003, Gary Smith wrote:
So we implemented SA some time ago because our clients were getting too much spam.
Lately we have found that several html marked up emails have been getting marked as
spam. These ones are clearly fp's.
Some of the domains include Morningstar.com, charlesswab.com and several other
financial institutions. Some of the clients get their weekly reportings sent to
them, and it has of course the remove me tag at the bottom as well as a bunch of
html so it gets marked as spam.
I know I could just create a simple white list but it might be more useful to create
a project of good companies to fix the fp's.
Looking for feedback on the topic
Check out Habeas mark or bonded sender services. That's their whole
business, providing ways to list or indicate white-hats. Support for
them is already incorporated in SA, and buisnesses such as Ebay use
them.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] new spamming techniques are flooding me. Any suggestions?
On Thu, 18 Dec 2003, mairhtin wrote:
I am getting a new flood of spam that appears not to be even selling anything, but
merely trying to get through the filters.
Could they be trying to learn from this? I don't see how, but someone suggested
as much.
Here's a copy of the spam mail and headers :
Return-Path: [EMAIL PROTECTED]
Received: from SERCOSE01 ([200.223.153.82])
by mail.techsolutionsgroupllc.com (8.12.5/8.12.5) with SMTP id hBIHFDq2004976
for [EMAIL PROTECTED]; Thu, 18 Dec 2003 09:15:15 -0800
Received: from [200.223.153.82] by 2004hosting.orgIP with HTTP;
Thu, 18 Dec 2003 16:15:02 -0200
From: Draper Merrill [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: IXCH, the sky over
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [2004hosting.orgIP]
Date: Thu, 18 Dec 2003 12:12:02 -0600
Reply-To: Merrill [EMAIL PROTECTED]
Content-Type: multipart/alternative;
boundary=--ALT--NUPL13668734694178
Message-Id: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
mail.techsolutionsgroupllc.com
X-Spam-Level: *
X-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_IMAGE_ONLY_06,
HTML_MESSAGE autolearn=no version=2.60
Status:
Do you have any kind of network checks (DSBLs) enabled?
That IP address hit half a dozen of my net checks, including
my MTA block lists (RBL-Plus,list.dsbl.org,dnsbl.sorbs.net) so my
SA never even saw that garbage.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Trouble with bayesian classification and autolearn
On Fri, 12 Dec 2003, J. S. Greenfield wrote:
I've been experimenting with configuration of spamassassin for sitewide
use (in particular, using spamassassin 2.60 with sa-exim 3.1 and exim
4.30, under Solaris 8), and for the life of me, I can't seem to get
bayesian classification and autolearn working.
No matter what I do, my X-Spam-Status header indicates that
autolearn=no, and the bayes files never get created.
I'm currently invoking spamd as follows:
/usr/local/bin/spamd -d -c -u spamd -r ${PIDFILE}
And I have the following in my local.cf:
use_bayes 1
auto_learn 1
bayes_path /etc/mail/spamassassin/bayes
bayes_file_mode 0666
where both the bayes_path directory, and the spamd home directory (it's
parent), are owned by spamd, and world writeable, at this point, for
good measure.
[snip..]
Take a piece of spam, transfer it to the server, make it readable by
user 'spamd', login (or su) as user 'spamd' and run the following
command:
sa-learn -D --spam --file spam-example.txt
Where 'spam-example.txt' is the file that contains your example
spam message. This should produce a whole bunch of lines of output,
one of them being: Learned from 1 message(s) (1 message(s) examined).
If not, look for error messages in that bunch of stuff.
One suggestion, if you're running Bayes site wide (particularly on
a busy server) turn on journaling, it will help to avoid file locking
problems. Add the following line to your config file:
bayes_learn_to_journal 1
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] sa-learn ... R/W: tie failed!
On Wed, 10 Dec 2003, AthlonRob wrote:
Just for SG, try doing a 'sa-learn --dump magic' and see if it
likes what it sees. If you cannot even --dump magic then it's
truly corrupted, no repair, just delete and start fresh.
I got some funky output:
[EMAIL PROTECTED]:~/.spamassassin$ sa-learn --dump magic
Cannot open bayes databases /var/amavis/.spamassassin/bayes_* R/O: tie failed:
Use of uninitialized value in numeric lt () at
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm line 1281.
0.000 0 0 0 non-token data: bayes db version
0.000 0 0 0 non-token data: nspam
0.000 0 0 0 non-token data: nham
0.000 0 0 0 non-token data: ntokens
0.000 0 0 0 non-token data: oldest atime
0.000 0 0 0 non-token data: current scan-count
0.000 0 0 0 non-token data: last expiry atime
You've got a boat-load of stuff in that bayes_journal, so delete
the bayes_seen bayes_toks and let that journal seed you a fresh start.
I'm guessing, from the above output... that won't work for me
The bad values from the corrupt bayes_toks could cause that
perl error. (It seems that the SA database code needs a bit of
update to better defend itself from bad database values ;).
Just try completely removing those bayes_toks bayes_seen files
and do a 'sa-learn --rebuild'. It should take that bayes_journal file
and use its data to create a new database.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Content Analysis
On Tue, 9 Dec 2003, Thomas Shoaf (PromoStep) wrote:
As for correcting the items listed in my original post, I am looking for an
example of the correct content that should be included in the content of the
HTML message relating to such items appearing in the Content Analysis when
checked through the Content Checked at Lyris.
Those were MIME header errors.
Read the MIME rfc (RFC 2045) to get the official statement of how
MIME headers should be used. RFCs can be found at the IETF site.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Content Analysis
On Tue, 9 Dec 2003, Thomas Shoaf (PromoStep) wrote:
The answer to your question, Gary... We are an incentives marketing firm
with an affiliate element. Our members can send virtual promotions from
their account to friends, family, colleagues, etc; however, some email
services such as Hotmail, Yahoo, etc appear to be blocking these promotions.
So - we have a duty to ensure such promotions are delivered as perceived
by our members.
Likewise, we send various updates/newsletters to our members periodically
and we feel that a majority of such messages are not being delivered to our
members. Therefore, it pertinent for our company to check such SPAM scoring
to ensure the customers of our members receive what they send them and that
our members receive the communications from us as a company.
So we are not trying to see how much spam related content can go into an
email nor are we tring to find a way around SA... We are trying to allow our
members to communicate with their customers as well as allow our company to
communicate to our members.
Thomas,
A simple, non-technical solution to your problem is to obtain a Habeas
Warrant mark and use it (see http://www.habeas.com/).
Any site using Spamassassin will honor such a mark and pass the message
on, even if the content is muddy.
This will work for current and future versions of Spamassassin.
There is a cost associated with obtaining a Warrant mark, but since you
are -not- sending spam it should not be prohibitive. You should be
able to consider it part of the cost of doing marketing business on the
internet.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Log Help!
On Wed, 10 Dec 2003, Ryan Lumsden wrote:
Hi all.
how do I get spamd to log to a diffrent file besides messages and mail.log.
I am up2date with sa and I am running debian woody, any body have any ideas.
Thanks in advance.
Ryan
Yes, look at the man pages for syslogd and spamd. Note the usage
of the syslog facility. Pick a facility that is not already in use
on your system, tell spamd to use that particular facility and tell
your syslogd to log that facility to your desired file.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] [RD] raw/rare/folded/plain/alphed body/subject rendering streams
On Wed, 10 Dec 2003, Gary Funck wrote:
It might be convenient to view each these transformations as
operating on the output of the previous. I think you were.
By doing so, it avoids replicating the description of the
previous phase.
I meant to add the following sugested additional
transformation:
PHONEMED in this form, the words are either converted into their
phoneme form and/or spell-checked (perhpas augmented by a custom
dictionary of popular spammer spellings). The words would be
de-rooted as well.
This paragraph suggests that the spelling transformation would
proceed the ALPHED transformation.
Note that numbers are sometimes substituted for letters. Such
as Gr8t and zer0, any1, me2, all41 and 14all. This argues for
phoneming and/or spell-checking before ALPHA-ing.
What might be easier to implement would be an enhanced version of
the soundex transformation (see Text::Soundex module).
The El337 version of soundex would know about the various
grapical character to sounds mappings and return results that
would be appropriate.
The only difficulty I can see would be dealing with the ambiguity
factor. (EG is '14all' - one-for-all or Laall ).
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Writing a DNSBL rule for both SPEWS levels
On Wed, 10 Dec 2003, Matt Kettler wrote:
At 02:08 PM 12/10/2003, Justin wrote:
So that's how check_rbl and check_rbl_sub work? I always wondered about
that. So what happens if an IP exists in two subzones at the same time?
With SORBS, it's done by returning multiple results for a single query.
host 138.81.106.218.dnsbl.sorbs.net
138.81.106.218.dnsbl.sorbs.net has address 127.0.0.2
138.81.106.218.dnsbl.sorbs.net has address 127.0.0.3
OPM looks like a bit-mask system, so one result can encode 8 different
DNSBLs at once.
The MAPS RBL+ is also a bit-mask system. See http://mail-abuse.org/rbl+/
for info on what values they return, then look at the code at the
bottom of 20_dnsbl_tests.cf to see how SA uses it.
So you make one query with 'check_rbl' and then parse out the
results with 'check_rbl_sub'
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] sa-learn ... R/W: tie failed!
On Wed, 10 Dec 2003, AthlonRob wrote:
On Wed, 2003-12-10 at 19:50, Adam Denenberg wrote:
in the same directory as the bayes DB files.
Unfortunately, there are no .lock files in that directory.
[EMAIL PROTECTED]:~/.spamassassin$ sa-learn --rebuild -DD
debug: Final PATH set to: /usr/local/bin:/bin:/usr/bin
debug: using /usr/share/spamassassin for default rules dir
debug: using /etc/mail/spamassassin for site rules dir
debug: using /var/amavis/.spamassassin/user_prefs for user prefs file
debug: bayes: 10390 tie-ing to DB file R/O /var/amavis/.spamassassin/bayes_toks
Cannot open bayes databases /var/amavis/.spamassassin/bayes_* R/O: tie failed:
[snip..]
debug: lock: 10390 link to /var/amavis/.spamassassin/bayes.lock: link ok
debug: bayes: 10390 tie-ing to DB file R/W /var/amavis/.spamassassin/bayes_toks
debug: unlock: 10390 unlink /var/amavis/.spamassassin/bayes.lock
Cannot open bayes databases /var/amavis/.spamassassin/bayes_* R/W: tie failed: File
exists
debug: lock: 10390 created
/var/amavis/.spamassassin/bayes.lock.linuxbox.linux.box.10390
debug: lock: 10390 trying to get lock on /var/amavis/.spamassassin/bayes with 0
retries
debug: lock: 10390 link to /var/amavis/.spamassassin/bayes.lock: link ok
debug: bayes: 10390 tie-ing to DB file R/W /var/amavis/.spamassassin/bayes_toks
debug: unlock: 10390 unlink /var/amavis/.spamassassin/bayes.lock
Cannot open bayes databases /var/amavis/.spamassassin/bayes_* R/W: tie failed: File
exists
[EMAIL PROTECTED]:~/.spamassassin$ ls -lha
total 6.4M
drwx--3 vscansweep4.0k Dec 10 20:06 .
drwxrwxrwx6 vscansweep 12k Dec 10 19:00 ..
drwxr-xr-x2 vscansweep4.0k Dec 10 18:04 baye
-rw---1 vscansweep1.3M Dec 10 18:06 bayes_journal
-rw---1 vscansweep4.7k Dec 10 18:06 bayes_msgcount
-rw---1 vscansweep1.2M Dec 10 18:06 bayes_seen
-rw---1 vscansweep4.9M Dec 10 18:06 bayes_toks
-rw-r--r--1 vscansweep 346 Dec 10 19:00 user_prefs
:-(
Rob
Hate to say it, but it looks like your database is hosed.
Permissions are OK, it's looking at the correct files, locks are good,
etc.
those 'File Exists' errors indicate that the DB_File library found
a file with that name which contains the wrong 'magic', IE it's
not a valid dabase file.
Just for SG, try doing a 'sa-learn --dump magic' and see if it
likes what it sees. If you cannot even --dump magic then it's
truely corrupted, no repair, just delete and start fresh.
You've got a boat-load of stuff in that bayes_journal, so delete
the bayes_seen bayes_toks and let that journal seed you a fresh start.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Fishing lesson (Re: [SAtalk] DB_File
On Tue, 9 Dec 2003, Jack Gostl wrote: I sent you the error message, I'm pretty sure there was no user associated with it. There were tens of thousands of those errors in the log. I'm not sure how to pinpoint the culprit. I guess I'll have to go to each user and rebuild their database. Yes, you did but did not include the -other- lines associated with that particular spamd run which had the information that you seek. I tried to point you to what you are looking for but evidently you didn't understand. Intro to Syslog Interp 101 Think of syslog interpretation like trying to follow a converstation at a crowded party. Everybody is talking at once, you hear 'snippets' of speech, so you need to be able to thread together the groups of words to extract a complete and comprehensable converstation. On a Unix system syslog gathers gathers report messages from programs and stores them with identifying info as lines of text in a log file. Each message is only a single line of text so if the program has a lot of info to log, it will report it as multiple messages. These may (probably) will end up interspersed with reports from other programs logging at the same time on a busy system. So you need to look at the identifying info to find all the lines that relate to one specific program and it's job, to be able to thread them together for the full report. Each line in a syslog file has a standardized format: date time host program[PID]: text-of-message-from-program You need to match up the program-name and Process-ID to find all the lines of text that relate to one program job. So the line: Dec 8 23:44:53 argos spamd[766]: checking message [EMAIL PROTECTED] for (jbuser):115. Was logged on the host argos at 23:44:3, Dec 8, by the 'spamd' program with the Process-ID of 766. (Some lines may not follow this precise format; the PID is optional and a client process may not choose to provide it, if the message comes from a system level (kernel), there will not be a process name assocaited). Now looking at a snippet from a real syslog file on a mail server you would see lines like: Nov 8 01:09:44 server13 sm-mta[2541]: hA879g3Z002541: from=[EMAIL PROTECTED], size=23558, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=SMTP, daemon=MTA, relay=discovery.neiu.edu [66.99.13.30] Nov 8 01:09:44 server13 spamd[2542]: checking message [EMAIL PROTECTED] for (unknown):115. Nov 8 01:09:46 server13 spamd[2540]: clean message (-9.0/6.0) for (unknown):115 in 13.9 seconds, 7892 bytes. Nov 8 01:09:47 server13 miltrassassin[1786]: hA879T3Z002531: spamlevel=-90 Nov 8 01:09:47 server13 sm-mta[2531]: hA879T3Z002531: to=[EMAIL PROTECTED], delay=00:00:14, mailer=lrelay, pri=3580, stat=queued Nov 8 01:09:47 server13 spamd[2530]: clean message (-3.3/6.0) for (unknown):115 in 24.0 seconds, 16016 bytes. Nov 8 01:09:47 server13 miltrassassin[1786]: hA879M3Y002527: spamlevel=-33 Nov 8 01:09:47 server13 sm-mta[2527]: hA879M3Y002527: to=[EMAIL PROTECTED], delay=00:00:21, mailer=lrelay, pri=3441, stat=queued Nov 8 01:09:55 server13 sm-mta[2543]: NOQUEUE: connect from swfirewall1.andersencorp.com [65.217.82.3] Nov 8 01:09:55 server13 sm-mta[2543]: hA879t3Y002543: swfirewall1.andersencorp.com [65.217.82.3] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA Nov 8 01:09:58 server13 sm-mta[2544]: NOQUEUE: connect from moon.its.uiowa.edu [128.255.56.76] Nov 8 01:09:58 server13 sm-mta[2544]: hA879w3Y002544: from=[EMAIL PROTECTED], size=17075, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=moon.its.uiowa.edu [128.255.56.76] Nov 8 01:09:58 server13 spamd[2545]: checking message [EMAIL PROTECTED] for (unknown):115. Nov 8 01:10:02 server13 spamd[2542]: clean message (-3.5/6.0) for (unknown):115 in 17.7 seconds, 24235 bytes. Nov 8 01:10:02 server13 miltrassassin[1786]: hA879g3Z002541: spamlevel=-35 Nov 8 01:10:02 server13 sm-mta[2541]: hA879g3Z002541: to=[EMAIL PROTECTED], delay=00:00:18, mailer=lrelay, pri=3859, stat=queued Nov 8 01:10:14 server13 spamd[2545]: clean message (1.4/6.0) for (unknown):115 in 15.2 seconds, 17494 bytes. Nov 8 01:10:14 server13 miltrassassin[1786]: hA879w3Y002544: spamlevel=14 Nov 8 01:10:14 server13 sm-mta[2544]: hA879w3Y002544: to=[EMAIL PROTECTED], delay=00:00:16, mailer=lrelay, pri=3919, stat=queued Note that there are a number of messages from different processes intermingled in there. If we pick out one particular spamd run (say PID[2545]) we will find: Nov 8 01:09:58 server13 spamd[2545]: checking message [EMAIL PROTECTED] for (unknown):115. Nov 8 01:10:14 server13 spamd[2545]: clean message (1.4/6.0) for (unknown):115 in 15.2 seconds, 17494 bytes. If there had been an error logged it would have been something like: Nov 8 01:10:10 server13 spamd[2545]: Use of uninitialized value in numeric eq (==) at /usr/local/ So you would use the PID to tie it to the line that has the user name, as I told you how to identify. So now that
Re: [SAtalk] Generic V-whatever drug with no GV rule hits (fwd)
On Mon, 8 Dec 2003, Matt Kettler wrote:
At 10:54 AM 12/8/2003, Christopher X. Candreva wrote:
I just opened a Bugzilla report for this:
http://bugzilla.spamassassin.org/show_bug.cgi?id=2817
(SA 2.60, Solaris, perl 5.6.1)
For the moment, I'd suggest a rule like this one that I just cooked up:
body LOCAL_GAPPY_VIAG /\bV\Wi\Wa\Wg\Wr\Wa\b/i
score LOCAL_OBFU_VIAG 1.0
Note: not heavily tested yet, but should work nicely.. it looks for the
v-word with each letter spaced off by non-word characters, such as
punctuation, spaces, etc. Note that perl considers underscore to be a word
character so this will miss that variant, but you can quickly cook a rule
to get that one.
Small enhancement suggestion, modify each one of those '\W' with '?'
thus making successive obfuscating characters optional. With your
rule there -must- be an obfuscating between each regular character,
with the '?', it will catch all permutations of normal and obfuscating
characters.
Something like:
body LOCAL_OBFU_VIAG/\bV\W?i\W?a\W?g\W?r\W?a\b/i
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
[SAtalk] Re: Generic V-whatever drug with no GV rule hits (fwd)
On 8 Dec 2003, Scott A Crosby wrote:
On Mon, 08 Dec 2003 16:43:15 -0500, Matt Kettler [EMAIL PROTECTED] writes:
Or *, to catch more than one obfuscating character..
ie: V...i..a.gr..a
As I suggested in my email, there's lots of combinations that spammers
can do to avoid the original rule. There's also lots of ways to
construct the rule to get a broader hit-base, at the expense of
greater processing time.
In theory, this isn't that much additional matching time, especially
with an automata. In practice though, these sorts of rules will kill
performance because Perl cannot apply the literal optimization,
especially if they're applied widely. (There's more than just Vx
-- most of the phrase rules need this sort of treatment.)
Scott
Scott,
If it's a bounded wild-card (.{0,6}) as opposed to unbounded (.*)
is it less of a hit? (IE reasonable thing to do).
Are there any reasonably simple ways to do this with out killing things?
(EG .? == OK, .* == BAD, .{0,n} == acceptable, for small values of 'n')
Are there any studies of the Perl matching engine for efficiency
and rules-of-thumb?
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] (no subject)
On Mon, 8 Dec 2003 [EMAIL PROTECTED] wrote:
We've got SA 2.60 running on a Solaris 8 box with SunONE Messaging
Server. It is doing spam scanning for all our users (~7000). In
order to keep the system as speedy as possible, I've configured the
bayes journal to sit on /tmp which is a memory file system.
I'd like to back up the journal periodicly to disk. Right now I have
a shell script which shuts spamd down, copies the spamassassin
directory to disk, then restarts spamd. However, during this period
of downtime (about 10-20 seconds), the MTA cannont process email. I
didn't write it, I can't change it. :(
searching through the archives and docs, I've not found anything
regarding this issue. How have others solved this problem of backing
up a live bayes journal database? Would a perl script using file
locking be a viable workaround, at least allowing the MTA to continue
processing email?
Thanks for any assistance.
cary
As long as you're using bayes_learn_to_journal, the journal file will
be the only thing that's changing frequently. (actual Bayes database
files are R/O except during expire or journal sync.) So grabbing it
live may miss a few journal entries (but that shouldn't be a major
loss). If you want to be sure that you don't hit a sync/expire during
your copy, create a .lock file before you copy and remove after
done (see SA module 'UnixLocker.pm' for grubby detals ;)
Suggestion, copy the database files to another directory in your
memory file system (RAM-2-RAM snapshot), should go fast. Then you
can copy the snapshot to a real disk at your leisure.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] DB_File
On Mon, 8 Dec 2003, Jack Gostl wrote:
My bet is that your Bayes database got trashed.
Possible, but which database? We have many users all with their own? Also,
if its a trashed Bayes db, why does the message go away when I restart
spamd?
Which ever database it was looking at when it logged those error
messages. Assocated with each message process, there should be a line
that looks like:
Dec 8 23:44:53 argos spamd[766]: checking message [EMAIL PROTECTED] for
(jbuser):115.
where 'jbuser' is the particular user-recipient of that message.
So look at the process ID of the spamd that is logging the error, find
the corresponding 'checking message' log entry and that should point you
at the offending cuprit.
If the entry says '(unknown)' then there was no user specified via the
spamc process (or milter, or what ever process called the spamd). In that
case spamd is not looking at any user's database, just the global one.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] bayes permission errors
On Sat, 6 Dec 2003, Lukreme wrote:
spamd[33762]: Cannot open bayes databases
/home/user/.spamassassin/bayes_* R/O: tie failed: Permission denied
spamd[33762]: processing message
[EMAIL PROTECTED] for kremels:5003.
spamd[33762]: clean message (0.8/5.0) for user:5003 in 0.2 seconds,
5526 bytes.
/home/user/.spamassassin $ ls -lstr
total 6338
2 -rw-rw-rw- 1 user staff 1218 Oct 6 15:28 user_prefs
2 -rw-rw-rw- 1 user staff 199 Oct 6 15:28 bayes_msgcount
4160 -rw--- 1 user staff 5111808 Dec 4 09:51 bayes_toks
2112 -rw-rw-rw- 1 user staff 2637824 Dec 4 09:51 bayes_seen
62 -rw--- 1 user staff62030 Dec 4 09:51 bayes_journal
where user is any user on the system.
$ psa spamd
postfix 565 0.0 3.3 21908 4132 ?? Is9:17PM 0:04.03
/usr/local/bin/spamd -a -c -d -u postfix (perl)
is how spamd is running.
You've got spamd running as the user postfix (that -u postfix
command line argument). Thus the user postfix needs to have write
permissions to the bayes_* files. but in that directory listing
you show:
4160 -rw--- 1 user staff 5111808 Dec 4 09:51 bayes_toks
So 'postfix' has -no- access permissions to users bayes_toks
Thus the permission errors.
You have two different options:
1) run spamd as root and be sure that you pass the correct user
name via spamc -u user for each message.
2) Set the global 'bayes_file_mode' option to 0666 so that the
spamd process always has read-write permission, regardless
of who it is run as.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Custom Rules
On Wed, 3 Dec 2003, Fred I-IS.COM wrote:
Just a minor correction,
try this:
header__BLOCKTOFFICEOUTTo =~ /[EMAIL PROTECTED]/i
header__BLOCKFOFFICEOUTFrom =~ /[EMAIL PROTECTED]/i
metaBLOCK_MY_OFFICE(__BLOCKTOFFICEOUT !__BLOCKFOFFICEOUT)
describeBLOCK_MY_OFFICENo E-mail to alias from outside
scoreBLOCK_MY_OFFICE100.0
The syntax is slightly different in my rule and I used a meta rule to
accomplish what you want.
Frederic Tarasevicius
Nayana Hettiarachchi wrote:
hi i am trying to setup a rule so that we wont get mail to our local
alias from an outside address, this is what i wrote but it doesnt seem
to work as i thought it would, can u give any advice
header BLOCKTTOFFICEOUT To = [EMAIL PROTECTED]
header BLOCKTTOFFICEOUT From != [EMAIL PROTECTED]
scoreBLOCKTTOFFICEOUT 100.0
describe BLOCKTTOFFICEOUT No Email To alias from outside
thanks
Nayana
Of course, you should realize that the message header values can be
forged to be -anything- that a spammer wants them to be, and they have
no relation to where the mail actually gets routed.
The thing that acually controls delivery is something called the
envelope recipient and can be completely different from the 'To:'
header. Depending upon how your mail system is configured
Spamassassin probably has no way to see the value of the envelope
recipient.
This sort of thing is far better handled by your MTA, which has to
deal completely with the envelope recipient address.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] spamds that don't finish
On Thu, 4 Dec 2003, Cheryl L. Southard wrote:
Hi All,
I've got two spamd processes that just wont go away. They've been
running for well over 11 hours and are taking up 100% of my cpu.
I've run truss spamd-pid but it doesn't report anything. The same
user, coincidentally, is the recipient of both e-mails, but this
user doesn't have any special rules in his user_prefs file. This user's
home directory and mail file seem accessable and there don't seem to
be any weird messages in the spamd log file
One idea, there's something in the mail that particular user is getting
that is triggering some kind of bug in SA (buffer overflow, etc). Can
you find the offending message and try feeding it to SA by hand?
With one of the RC versions of 2.60, if a message had a weird long header
it would cause the spamd to blow up. I've not seen it with the release
version of 2.60, but it doesn't mean that it couldn't happen.
I am running spamassassin 2.60 on a Solaris 9 computer with procmail.
ps -ef | grep spamd
cc 27379 2447 48 20:36:36 ? 277:37 /usr/local/bin/perl -T
/usr/local/bin/spamd -d -a -c -m 5
cc 19967 2447 48 13:14:29 ? 603:31 /usr/local/bin/perl -T
/usr/local/bin/spamd -d -a -c -m 5
root 2447 1 0 Oct 27 ? 30:17 /usr/local/bin/perl -T
/usr/local/bin/spamd -d -a -c -m 5
Can anyone suggest things I can try to figure out what is going on?
Since we have a 5 process spamd limit on our computer, these processes
are really causing a traffic jam on my mail server.
Another idea, are you using Bayes, and if so do you not have
bayes_learn_to_journal enabled?
If you are not journaling, then each spamd wants to update the bayes
database and there could be locking contention. On some types of machine
(particularly SMP) Berkeley_DB uses a spinlock which can use high CPU,
particularly if something gets stuck.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] spamds that don't finish
On Thu, 4 Dec 2003, Pete Henshall wrote:
Hi dan, list,
I think it's simply a function of load. The first system gets the bulk of
the mail thoughput. You can see that the erratic loads
tail off over the weekend. It's wierd. I have tried disabling RBL, bayes
and even removing all my third party
rules. No dice.
If it is still leaving spamds lying around with bayes disabled then I don't
know I have just set bayes_learn_to_journal 0 (thanks David Funk) and my
problem seems to have stopped maybe.
I'm sorry if I gave you the wrong impression, if you are using Bayes with
auto_learn (auto_learn 1), then you most likely -do- want
bayes_learn_to_journal set to 1. (enabled).
If you use auto_learn and disable journaling, then each spamd tries to
update the Bayes database with each new message (thus increasing the
probablilty of lock contention problems).
If you enable journaling then each spamd just appends to the end of the
journal file (no locking needed for a simple text append). Then the
database will perocially get rebuilt and incorporated in the database.
So only that occasional rebuild needs to lock the database.
As far as I am concerned spamd should NEVER have rouge spamd's coming off it
that don't have a matching spamc. (is that right??)
I'm not so sure about this. If you have bayes_learn_to_journal enabled
then a spamd child will need to be run when ever the journal file gets
full (size bayes_journal_max_size) or it's been around for more
than one day. Also, unless you've explicitly disabled it, a db expire
is done daily (which would be another spamd child).
So unless you disable all automatic Bayes maintanence operations
(learn, expire, etc), then there will be the possibility of spamd
children and potential lock contention.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Interesting about BIG HUGE EVIL RULEs
On Thu, 4 Dec 2003, Scott Harris wrote:
Because I don't have sourceforge whitelisted, 6 of the last 20 messages to
the list were labeled as spam.
Rules that hit were:
3.0 BigEvilList_70 BODY: Generated BigEvilList_70
3.0 BigEvilList_150BODY: Generated BigEvilList_150
3.0 BigEvilList_175BODY: Generated BigEvilList_175
70 and 150 hit in every one, 175 only in a few.
This is # BigEvilList Beta version 1.57a
One way to deal with this is to modify the area that the rules
search. Replace the rawbody with uri and they will only hit
against references in URLs, not just floating random text.
Most of the spammer use of those domains are inside URLs to
direct victims to spamvertizement sites, so this -should- not
reduce the effectivenss of the rules in the good fight. ;)
Of course, the better way would be to set up an effective whitelist
for this list (that's what I did some time ago).
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] What is this? Bayes poison?
On Thu, 4 Dec 2003, Kenneth Porter wrote:
I'm getting a bunch of these. Are these just intended to poison Bayes DB's?
What's the sender's objective?
Forwarded Message
Return-Path: [EMAIL PROTECTED]
Received: from 212.199.108.10.forward.012.net.il
(212.199.108.10.forward.012.net.il [212.199.108.10])
by smtp.kensingtonlabs.com (8.12.8/8.12.8) with SMTP id hB52hnEE032538
for [EMAIL PROTECTED]; Thu, 4 Dec 2003 18:43:54 -0800
Date: Tue, 18 Jun 2002 07:44:03 -0500
From: Betty Tumlinson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Get a better homeloan
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Accept-Language: en-us, en
X-Security: MIME headers sanitized on uugw.kensingtonlabs.com
See http://www.impsec.org/email-tools/sanitizer-intro.html
for details. $Revision: 1.139 $Date: 2003-09-07 10:14:23-07
Content-Type: multipart/alternative;
boundary=224_21A3C8F2.FD632120
[snip..]
-- End Forwarded Message --
Note that message was MIME multipart/alternative, but yet I saw only
the part that was obvious Bayes poison. Is it possible that your
MIME 'sanitizer' removed the spam 'payload' component?
(Or it's just as likely that the spammer's software fubared and
didn't add the payload. ;)
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Problem with email=no content
On Tue, 2 Dec 2003, Robert Menschel wrote:
headerRM_hx_from exists:From
describe RM_hx_from From header found
score RM_hx_from 0.001
meta RM_hn_from !RM_hx_from
describe RM_hn_from From header not found
score RM_hn_from 1.00
The first rule tests for the existence of a FROM header. Score minimal
(could be a non-scoring __RM_hx_from rule for that matter).
The second rule then reverses that test, checking for the lack of a FROM
header. (There may be a better way to do this -- anyone?) Results:
RM_hx_from -- 45925s/16069h of 63136 corpus
RM_hn_from -- 1136s /0h of 63136 corpus
SA has a special 'missing-match' syntax to detect missing headers.
Here's a rule that I wrote to test for missing Message-Id: headers:
header L_MESSAGEID_MISSING Message-Id =~ /^UNSET$/ [if-unset: UNSET]
describe L_MESSAGEID_MISSING Missing Message-Id: header
scoreL_MESSAGEID_MISSING 1.5
So to cretate your rule:
headerRM_hn_from From =~ /^UNSET$/ [if-unset: UNSET]
describe RM_hn_from From header not found
score RM_hn_from 1.00
I do not know if it is any more efficient than the way that you
did it, I just copied somthing that I found in one of the distributed
rules.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] BIG HUGE EVIL RULE NEWS!!!!
On Tue, 2 Dec 2003, Chris Santerre wrote:
BIG HUGE NEWS
A major breakthrough has taken place
ALL EVILRULES FILES HAVE BEEN COMBINED!! 2622 domains into 178 rules!!!
Ramdon/tracking hosts tags removed!
They only increase spamd memory by 1 meg!!! 1 meg!
You read correctly! Every evil domain since august has been added! Remove
all you old evilrules files. Grab BigEvil.cf and place it in either your
/etc/mail/spamassassin dir and restart spamd; or into your
$home/.spamassassin dir.
I plan to just keep adding to this file!!!
http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
rule 43 hits on cauce.org ;(
That's ironic.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Adding another RBL
On Thu, 4 Dec 2003, Richard Bewley wrote:
Hi,
Now, I have the following:
header RCVD_IN_MY_BNBLeval:check_rbl('bl', 'bl.blueshore.net.',
'2')
describe RCVD_IN_MY_BNBL Listed by bl.blueshore.net
tflags RCVD_IN_MY_BNBLnet
score RCVD_IN_MY_BNBL 5.0
And it still doesn't work. I also tried it without the '2', any more ideas?
Thanks,
Richard
Richard,
Which version of SA are you using? There were changes in the DNSBL stuff
between 2.55 2.60.
If you are using 2.60, try this:
header RCVD_IN_MY_BNBL rbleval:check_rbl('bl', 'bl.blueshore.net.')
describe RCVD_IN_MY_BNBL Listed by bl.blueshore.net
tflags RCVD_IN_MY_BNBL net
score RCVD_IN_MY_BNBL 5.0
Also make sure that your perl has the NET::DNS module loaded, your
config has not disabled the network tests, your DNS server is
working correctly, etc.
Do a:
spamassassin -D --lint
and make sure that lines that look like this show up somewhere in
the output:
debug: is Net::DNS::Resolver available? yes
debug: is DNS available? 1
debug: RBL: success for 2 of 2 queries
Note that there will be a bunch of other stuff intermixed, so you
may have to look closely.
Have you tried doing a DNS lookup on that RBL by hand to make sure
that you can resove from it?
Try doing:
nslookup 2.0.0.127.bl.blueshore.net.
or:
dig 2.0.0.127.bl.blueshore.net.
Make sure that you get back a valid IP resolition.
Note that your score is rather stiff, be absolutly sure that
that RBL is -alway- good, otherwise you're going to get FPs.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by OSDN's Audience Survey.
Help shape OSDN's sites and tell us what you think. Take this
five minute survey and you could win a $250 Gift Certificate.
http://www.wrgsurveys.com/2003/osdntech03.php?site=8
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] How to whitelist this mailinglist
On Thu, 27 Nov 2003, Martin Lyberg wrote:
Hi,
I want to whitelist the SA mailinglist. Is this the right way to do it:
whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net
Thanks in advance
/ Martin
Almost,
whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net
will work PROVIDED your mail system makes the envelope sender
address available to SA in a form that it understands.
Ordinarily the 'From:' address is checked, but for this list that
is set to the originator of the message and thus unpredictable.
The envelope sender is always the same [EMAIL PROTECTED]
(most mailing-list systems work this way).
You need to configure your mail system to put the envelope sender address
in one of the following headers before it hands it to SA:
Envelope-Sender
Resent-Sender
X-Envelope-From
Return-Path
Resent-From
(see EvalTests.pm for the details).
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Bayes expiry
On Tue, 25 Nov 2003, Yevgeniy Miretskiy wrote:
Hello,
sa-learn stopped learning messages. Debugging shows that it can
successfully tie Bayes db, extracts tokens, etc, but never actually
writes data to the database.
I had a db corruption issue some time ago, so, this could very
well be remnants of that.
Anyway, I'm trying to run sa-learn -D --force-expire because my db
grew to be very large (~100MB).
No matter what bayes_expiry_max_db_size is set to (I tried anything from 100K to
3Mil),
sa-learn reports, after running for quite some time:
bayes: couldn't find a good delta atime, need more token difference, skipping
expire.
here is the output of sa-learn --dump magic
0.000 0 2 0 non-token data: bayes db version
0.000 0 50976 0 non-token data: nspam
0.000 0 1050 0 non-token data: nham
0.000 02895991 0 non-token data: ntokens
0.000 0 1013932420 0 non-token data: oldest atime
0.000 0 115170 0 non-token data: newest atime
0.000 0 1069789057 0 non-token data: last journal sync atime
0.000 0 1069787463 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count
Any suggestions on how to force expiration run in this case?
You've got a corrupted or poisoned database.
Looking at that 'non-token data: newest atime' line, you've got some
tokens in there with a date from the future. That 'non-token data: oldest
atime' date is a fair ways in the past too, so my guess is that those
bogus dates are throwing off the expire code.
Something similar to that happened to me, (dates extreme and whacko)
couldn't expire it and finally had to dump the whole kit.
Maybe worth writing some kind of DB editing tool to manually
remove bogus records, easiest just to dump it.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] bayes database size
On Wed, 26 Nov 2003, alan premselaar wrote:
I've recently noticed something I think is a little strange but I'd
like to confirm it with the list.
My bayes database seems excessively large at 967M:
-rw-rw-rw-1 defang defang61k Nov 26 16:34 bayes_journal
-rw-rw-rw-1 defang defang 624k Nov 26 15:58 bayes_seen
-rw-rw-rw-1 defang defang 967M Nov 26 15:58 bayes_toks
sa-learn --dump magic
0.000 0 2 0 non-token data: bayes db version
0.000 0 3236 0 non-token data: nspam
0.000 0 2628 0 non-token data: nham
0.000 0 121176 0 non-token data: ntokens
0.000 0 1066969971 0 non-token data: oldest atime
0.000 0 1069829904 0 non-token data: newest atime
0.000 0 1069829905 0 non-token data: last journal
sync atime
0.000 0 1069735390 0 non-token data: last expiry
atime
0.000 02764800 0 non-token data: last expire
atime delta
0.000 0 38065 0 non-token data: last expire
reduction count
is this really larger than it should be? or am i delusional?
i'm running redhat 7.3 , sendmail 8.12.10 , mimedefang 2.37 and
spamassassin 2.60
any ideas are welcome
Yes, that size seems way out of line. It should be using about 30~50
bytes per token, assuming typical token size.
According to your 'non-token data: ntokens' that bayes_toks file should
be using about 5~6 Mbytes; unless something is whacko, or you have some
-very- large tokens in there.
One possibility, the --dump magic may be looking at a different set
of files. Just to double-check do a sa-learn -D --dump magic to see
which set of files it is looking at.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] lock failed: little help PLEASE
On Wed, 26 Nov 2003, German Staltari wrote:
On Wed, 26 Nov 2003 14:30:02 -0500, JC [EMAIL PROTECTED] wrote:
I'm going to guess that you are running spamassassin as an unprivliged
user... Based on that, I would like to suggest that you run spamd and
spamc
on a port higher than 1024. That's what worked for me. Give it a try and
let
me know how it works out for ya.
Can anybody give me real help please
I really appreciate your help JC, but I think you don't understand my
problem very well.
It's a simple question:
It's possible that SA runs opportunistic expiry and sync at the same
time(so lock failed error occurs)?
TIA
German
You are running on a SMP box, so it may be that it is truely trying to
expiry and sync at the SAME time (litteraly same time). The locking code
may not be robust enough to cope with that. (SMP introduces all kinds
of interesting problems.)
Try turning off the bayes_auto_expire and run an expire by hand or cron
at slack times (say 5:00 AM?)
Also check your version of Berkeley_DB, there may be an issue with that
on SMP machines.
I'm running SA 2.60, RedHat 8.0/9.0 (up2date), fresh installs, on SMP
servers with 1GB of RAM. The bayes_journal_max_size and
bayes_expiry_max_db_size are in default state (102400/15).
bayes_learn_to_journal and bayes_auto_expire is set to 1. With this
settings, SA is doing an opportunistic journal sync aprox every 10 mins,
and an opportunistic expiry every 12h.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RD: Re: [SAtalk] Lint and SaUriCustomRules
On Wed, 26 Nov 2003, Matt Kettler wrote:
At 11:10 PM 11/26/03 +, Alan Munday wrote:
If I lint with this in the SaUriCustomRules
uri MY_YAHOO_BOUNCED /http:\/\/srd\.yahoo\.com\/drst\/.*\*
http:\/\/
describe MY_YAHOO_BOUNCED Trying to hide real URL through Yahoo redirect
score MY_YAHOO_BOUNCED0.5
I get a shed load of errors of which the first is:
Bareword found where operator expected at
/etc/mail/spamassassin/SaUriCustomRules.cf, rule MY_YAHOO_BOUNCED, line 12,
near usr
(Might be a runaway multi-line // string starting on line 1)
(Missing operator before usr?)
That rule is missing a trailing /.. at casual glance it looks like it has
one, but it does not.
The end part should be: http:\/\//
One thing that you can do which makes writing this kind of rule easier
is to specify an alternative match delimiter character (somthing other
than / ).
For example if you use ! that rule could then be written as:
uri MY_YAHOO_BOUNCEDm!http://srd\.yahoo\.com/drst/.*\*http://!
MUCH easier to see where things fit with out the flying Ws \/\/
Note that if you are going to use an alternative delimiter, the
explicit 'm' match operator becomes necessary.
FYI, my version of that rule looks like:
uri __L_URI_REDIR m!https?://.{1,170}/\*http://!i
uri __L_YAHOO_REDIR m!https?://us\.ard\.yahoo\.com/.{1,170}/\*https?://!i
meta L_URI_REDIR( __L_URI_REDIR !__L_YAHOO_REDIR )
describe L_URI_REDIRURI redirector
score L_URI_REDIR 4.5
I don't like unbounded wildcard searches (.*), as a potential
time-eater and DOS attack point, so I like to bound them with a reasonable
limit (EG: .{1,170}).
This should get anybody's abused redirector and honor valid YAHOO ones.
I hope ;)
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Way to disable auto-learn for messages with specific subject lines?
On Tue, 25 Nov 2003, Brian Knittel wrote:
Hi,
Is there a way to inhibit auto-learning when any specific rule
is matched? I noted that the auto-whitelist filters inhibit auto-
learning, but can this be extended to arbitrary other rules?
I'm my network's postmaster and I get nondeliverable message
notifications quite frequently. These messages have a specific
subject line, and I can see how to build a rule to guarantee
they're never marked as spam:
header DELIVERY_FAIL_REPORT Subject=Delivery Failure
describe DELIVERY_FAIL_REPORT Message is a delivery failure report
scoreDELIVERY_FAIL_REPORT -99
But -- since these messages also include a chunk of the
nondeliverable message, I need to disable auto-learning, otherwise
lots of juicy spam words will be seen as ham.
Any suggestions will be greatly appreciated. I suppose I could
redirect the notifications to an account that isn't filtered by
SpamAssassin, but I'd like to keep things as they are, if possible.
Thanks,
Brian Knittel
In the man page for the SpamAssassin configuration file, in the
section on bayes_auto_learn it says:
Note that certain tests are ignored when determining whether a
message should be trained upon:
- auto-whitelist (AWL)
- rules with tflags set to 'learn' (the Bayesian rules)
- rules with tflags set to 'userconf' (user white/black-listing
rules, etc)
So all you need to do is to add a 'tflags' line to your rule definition:
tflagsDELIVERY_FAIL_REPORT userconf
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Bayesian 100% on all my mail
On Tue, 25 Nov 2003, Robert Menschel wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Aaron,
Tuesday, November 25, 2003, 8:58:58 AM, you wrote:
AY ... Recently I started getting a lot of false positives with SA 2.60.
AY I noticed that all my mail was getting a bayesian score of 99 to
AY 100%. ...My best guess is that since the bayes database only holds a
AY limited number of tokens, my DB was filling up with spam tokens and
AY not enough non-spam tokens. Maybe this happened because I only get
AY about 10-20 legitimate emails a week versus about 100+ spam emails a
AY day.
In November to date, I've trained my Bayes on 683 ham and 6816 spam.
Ratio therefore seems to be about the same as yours. I haven't seen any
evidence of the problem -- Bayes is working wonderfully here.
Bob Menschel
Having had an experience similar to Aaron's I can believe that he could
be having problems with a poisoned Bayes. For example, suppose that you've
received a large number of Nigerian spams that were learned as such.
That would put spam scores on a large number of converstational words.
In a fit of pique, I had tossed a whole bunch of Nigerian spams in
my bayes. It got so bad that a test email that contained only one word
(Hi) got a Bayes 99% spam score. I had to trash the DB and start from
scratch.
So the quality of Bayes scoring does depend upon how it is trained.
It is a tool not a magic bullet, and like any tool can be misused
or abused. Spammers seem to be learning this, I'm seeing an increasing
number of spams that contain Bayes poison.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] SpamScore check
On Tue, 25 Nov 2003, Nick Tong wrote:
If so is this possible on a windows platform?
Nick Tong
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
Tong
Sent: 25 November 2003 17:12
To: [EMAIL PROTECTED]
Subject: [SAtalk] SpamScore check
Dear community,
I send out email news letters each week for my clients but I want to
offer them the ability to see if there emails will be blocked due to
there email containing a large amount of spam scoring text?
Does anyone out there know of a plug-in for spamassassin or any other
product where I can pass the text to the object and get a score back?
Many thanks
Regards,
Nick Tong
Nick,
Very easy answer, just enroll in Sender Warranted Email (SWE)
http://www.habeas.com. SpamAssassin gives a strong ham bias
to such warranted messages, thus they will not be blocked.
There is a cost for acquiring such a warrant but it should not
be a problem for somebody in the business of sending messages
in the case that those message ARE NOT SPAM.
As you appear to be in the business of sending out news letters
this could be considered a cost of doing business and thus
manageable, as you are NOT sending spam.
There, easy business solution, no technological problems, it will
work with the current and FUTURE versions of SpamAssassin, even
works from windows platforms.
You are welcome.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] SpamAssassin/Milter not scan outgoing emails
On Mon, 24 Nov 2003, Chris Cook wrote:
Hello,
We are currently using Spamassassin + sendmail + spamass-milter to tag
our mail, but we would like to not have outgoing mail scanned. lda and
outgoing mail are on the same box. I have tried to just use
spamassassin+procmail but the load spawned a million procmail instances
and mail was not getting delivered.
Is there a way to tell spamassassin not to scan outgoing mail when using
spamass-milter?
Thanks,
A couple of different ideas:
1) set up a dual-config system; have the MTA listen for incoming messages
with the spamass-milter to filter them, have the MSA listen for locally
submitted messages and have it configured without the milter so it does
not filter them.
2) customize the milter as proposed by Chris Adams in his post to
comp.mail.sendmail:
http://groups.google.com/groups?q=macro++Milter+bypasshl=enlr=ie=UTF-8oe=UTF-8scoring=dselm=vpts2mdibgq53e%40corp.supernews.comrnum=2
Then set up a sendmail rule to recognize locally generated messages
and set the 'skip_check' macro.
I use the dual config setup, one daemon for incoming messages and one for
outgoing ones. I use miltrassassin and am in the process of hacking it
to add support for the 'skip_check' macro idea. (we have a local campus
listserv that spews out copious messages for the students with great
regularity and when it runs it hammers my SA server. I want to skip_check
its babbeling. ;)
I've already customized miltrassassin to add support for envelope
sender recipient passing into SA, makes whitelist construction much
easier. ;)
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Bayes File Ownership
From: Gorm Jensen [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2003 12:04 PM
I run sa-learn as root using SA 2.55 and 2.6 on two redhat systems.
Both systems run spamd and call spamc from procmail with -u user1 (or
user2). Because there are only two users, each system has a common
bayes database with file access permitted to both users.
Occasionally, I have discovered that the ownership of one of the bayes
files has been changed from spamd.spamd to root.root. This change
renders my bayes database unreachable because I run spamd as user
spamd.
I can't find a workaround in the docs. Is there one, or do I have to
change the ownership somehow?
Workaround that might qualify for 'kluge' catagory, but does work.
Put in your local.cf
bayes_file_mode 0666
Please no devilish jokes. ;)
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] header reports missing??
On Fri, 21 Nov 2003, Dan Tappin wrote:
I have recently installed SA 2.60 from the source code on OS X along side Tenon's
Post.Office mail server. This was a manual
upgrade from the Tenon supplied SA 2.55 release to be used with their supplied SA
'plug-in'. All is well and e-mail is being
filters via SA except SA is not adding the score headers to all mail being processed?
I was told by Tenon that the SA package that they released to their users would not
re-write headers but just simply score e-mail
for PO's own filter system.
Now that I installed SA from scratch I was hoping to fix this. I have
'always_add_headers' and 'always_add_report' set to 1 and my
'spamassassin --lint -D' output looks normal with no errors.
Does SA require a perl module to re-write the headers or am I missing something
simple here?
Thanks,
Dan
It probably depends upon how the PO+plugin stuff works.
There are two general ways to use SA; in a filter pipeline or as a
scoring stub on a tee.
In the first, the MTA feeds the message to SA on stdin and takes the
result from stdout as the new version of the message to pass on. In
this case any changes SA makes to the message will show up in what gets
delivered. All the SA config options will have an effect on the
appearance of the final message. (this is usually how postfix, qmail,
etc are configured).
In the second way, the MTA feeds a -copy- of the message to SA, looks
at what SA returns and then uses selected parts of the SA output to decide
what to do with the original message. (EG looks at just the score, think
about how a spamc -c works and would be used).
In this case it's up to the MTA (or it's agent/plugin) to decide what
if any changes to make in the message appearance, regardless of
SA config options.
I'm not familiar with PO but do know sendmail+milter systems.
That system uses the second way of connecting with SA. The milter
gets a copy of the message to pass into spamd. It can take some
of the spamd output (eg a particular header such as X-Spam-Report)
and tell sendmail to incorporate that into the original message, but
it does not have to. Thus it is up to the milter author what the
final message looks like, it could totally ignore all headers
returned by spamd and generate it's own based upon the spamd
results. (usual pracice tho -is- to pass in the SA report headers).
My guess is that the PO+plugin works like sendmail+milter and
thus that Tenon plugin may not be passing the headers back to PO.
The sendmail libmilter architecture has specific provision for
the milter to return message modifications (EG add headers or
replace the message body with a new one). If the PO plugin
architecture does not have similar functionality (EG only returns
an exit status) it may not be possible for it to add the
SA headers.
Check with the Tenon people. There should be lists associated with
MacOS X stuff, maybe somebody can tell you how the PO plugin system
works.
MacOS X -is- a Unix based system, you could use one of the more
traditional methods of incorporating SA into your environment. ;)
Dave
PS, anybody recognize the expression JLRU?
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Bayes File Ownership
On Fri, 21 Nov 2003, Gorm Jensen wrote:
I run sa-learn as root using SA 2.55 and 2.6 on two redhat systems.
Both systems run spamd and call spamc from procmail with -u user1 (or
user2). Because there are only two users, each system has a common
bayes database with file access permitted to both users.
Occasionally, I have discovered that the ownership of one of the bayes
files has been changed from spamd.spamd to root.root. This change
renders my bayes database unreachable because I run spamd as user
spamd.
I can't find a workaround in the docs. Is there one, or do I have to
change the ownership somehow?
Revisiting your message, you say: I run sa-learn as root
So you may be doing it to yourself.
When you run sa-learn it rebuilds the database as part of its operation
unless you add the option --no-rebuild. Sometimes when rebuilding
the database it creates a new bayes_toks file rather than just updating
the existing one. If that happens when you (root) are running it, the
new file is owned by root.
So I see a few possible workarounds:
1) always run sa-learn as spamd not root
2) always give sa-learn the --no-rebuild option and let spamd do the
rebuild
3) always check the bayes file ownership after a sa-learn run.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] DCC and Pyzor Problems
On Thu, 20 Nov 2003, Josh Dayberry wrote:
I would appreciate any help that can be offered to me. I was using spamd and spamc,
and everything was working fine. For some reason I upgraded spamassassin to the
newest version and now spamd and spamc won't run the dcc and pyzor tests. If I use
spamassassin however the tests are run correctly. I am not sure why it would work
with spamassassin, but not spamd. Is there anything like spamassassin -D or a way
to log what is going on when running spamc so I can figure out what the problem is?
Josh
Yes. If you had checked the man page for spamd you would see that it
too has a '-D' option for debugging.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] sa-learn and SpamAssassin headers
On Thu, 20 Nov 2003, Carlos Jorge Santos wrote:
Thanks a lot for your answer.
The problem now is that SpamAssassin (spamc to be more precise) is
called by Qmail-Scanner, which in turn adds this headers to emails:
Received: from [EMAIL PROTECTED] by mail.host-services.com by
uid 101 wi
(spamassassin: 2.60. Clear:RC:0:SA:1(11.3/8.0):.
Processed in 0.328309 secs); 19 Nov 2003 23:34:45 -
X-Spam-Status: Yes, hits=11.3 required=8.0
The header X-Spam-Status shouldn't cause any trouble to sa-learn, right?
What about the other header ? Is there any problem removing all the
Received headers ? Something like this :
bayes_ignore_header Received
Thanks again
Carlos Jorge Santos
In general you don't want to remove/ignore the Received: headers as they
often provide clues about the spammyness or hammyness of a message.
For example if a Received: header that contains a reference to
'optinsender.com' then that's a spam clue, but if it contains a reference
to your CEO/Dean/president's machine then it's a ham clue (we hope ;).
If there is one specific Received: header that is added by your local
mail system you could remove that but it is probably not necessary.
If the header is alway added to each message (both ham spam) and
you learn an adequate amount of both ham spam, then that header
should get a 'neutral' scoring value and thus be effectivly ignored.
One question, is that header added before or after the SA processing?
If after, then this is a total non-issue. ;)
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: Re[2]: [SAtalk] Sanity checking new uri rules?
On Wed, 19 Nov 2003, Chris Santerre wrote:
Thanks, I got it now. I updated my evilrules last night, and they tested
great overnight! I shall post them shortly. This should speed them up
greatly for everyone! Would this help even more?
/?:\bsomedomain\.com\b/i
would the addition of the ?: make it even faster?
No, that is specific to the capturing/clustering use of parenthsis, EG:
(?:this|that)
So if you're not clustering (|) it doesn't make any difference.
See page 182-186 of forementioned book.
LOL, the only reason I recognise the name Larry Wall is because of Theo's
sigs! :)
I guess I need to go but that book and help support the man.
--Chris Santerre
Um, have you ever done a perl -v ?
Try it and look at the Copyright line.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
[SAtalk] Perl history (was: Re: Sanity checking new uri rules?)
On Wed, 19 Nov 2003, Chris Santerre wrote:
LOL, the only reason I recognise the name Larry Wall is because of Theo's
sigs! :)
I guess I need to go but that book and help support the man.
--Chris Santerre
Mumble Mumble, kids these days, no respect for their elders.
OK, mandatory homework assignment:
http://www.faqs.org/docs/artu/ch02s01.html
Search for references to 'Larry Wall' on that page.
OBH, I spent many hours as a graduate-student-slave sweating
in front of a PDP-11/45 that looked almost exactly like the
PDP-11/35 pictured in the middle of that page.
Dave
( GreyBeard ;)
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] bayes works!
On Wed, 19 Nov 2003, Bryan Hoover wrote:
The reason I mention it - aside from being pleased - is to point out
that it appears the problem was either the old spambouncer headers, or
forgetting, wasn't (the latter being what I started out suspecting,
until I discovered the spambouncer headers). Another imperfection in my
experience analysis is that I suppose the database could have been
corrupted, as I'd gotten knocked off line several times while running
sa-learn.
Assuming that the spambouncer headers are unique to your site you
can put them in bayes_ignore_header lines in your local.cf
and not worry about them.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Negative score for SAtalk messages
On Wed, 19 Nov 2003, Marc Steuer wrote:
Hi list members,
I want to score messages from [SAtalk] with a negative score so examples
posted to the list won't be tagged as spam. This is my first venture into
regex and I've tried:
header MY_SATALK Subject =~ /\[SAtalk\]\b/
describe MY_SATALKMessage from [SAtalk]
score MY_SATALK -10
Messages with [SAtalk] in the subject aren't always matched by this rule.
Two questions:
1. Do I have the rule syntax correct?
2. Is there an alternate way to ensure SAtalk messages won't be tagged as
spam?
Thanks,
Marc
whitelist_from_rcvd [EMAIL PROTECTED] lists.sourceforge.net
Works for me and is harder for spammers to abuse.
Note that for this to work your mail system must be set up in such
a way that spamassassin can see the envelope-sender address.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Need help with a simple custom rule
On Wed, 19 Nov 2003, Robert Davidson wrote:
Hi everyone,
I set up a SpamAssassin system for a company but they alerted me to a
problem today.
They have content filtering rules to stop people from abusing their
employees. Basically any e-mails with naughty words are given 50 points
and are stuffed into quarantine.
The below rule is causing problems:
body CUSTOM_RULE_01 /\bFUCK/i
They contacted me because they were sent an MS Word document which looks
like it has previously been infected with a virus that puts ALT-F11
it's the fuck! or something into the document somewhere.
I am running SA 2.55
My question is how can I get SA to only scan the message text and not
look into attachments like .doc files and so on?
Check out MIMEDefang. It can be used to split a message into seperate
parts and then process them appropriately. (EG feed text parts to
a content filter like SA, feed binary attachments to a AV-scanner, etc).
It will add to the processing overhead of each message but it should
do what you want.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: Re[2]: [SAtalk] Sanity checking new uri rules?
On Tue, 18 Nov 2003, William Stearns wrote:
anchoring with \b = fast
OK, cool. As I'm doing full domains, I'll change:
uri WLS_URI_1 /0-go.org/i
to
uri WLS_URI_1 /\b0-go.org\b/i
in the next version.
Also escape that '.' so that it's taken as a litteral not a wild-card.
(reduces need for back-tracking ;)
IE:
uri WLS_URI_1 /\b0-go\.org\b/i
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: Re[2]: [SAtalk] Sanity checking new uri rules?
On Tue, 18 Nov 2003, Chris Santerre wrote:
uri WLS_URI_1 /^http:.*\b0-go.org\b/i
Regex confusion on my part! '\b' is bounding, but I thought that meant bound
by space??? wouldn't this above regex _NOT_ hit :
http://stuff.0-go.org/stuff
Isn't it looking for:
http://stuff. 0-go.org
I'm confused! (it's not the first time, won't be the last!)
--Chris
The \b match operator is a bit special in that it does not
match a specific character but the gap between two adjacent
characters. Think of it like the insertion cursor of a word
processor, it points between the characters, not on a character.
Sort of like ^ points to the beginning of a line, not at the
first character of the line.
If you know what the perl \w and \W character classes are,
then \b points to the boundary between two characters that are
matched by either the regex \W\w or the regex \w\W
See page 180 of the O'Reilly Programming Perl book (Third edition).
(Good book, written by a guy named Larry Wall ;)
So that WLS_URI_1 regex is looking for:
start-of-line, followed by the litteral character string http:
Possibly followed by some number of unidentified characters, the
last one of which -must- match the \W character class
(note that there could be zero of the above critters as the :
at the end of http: nicely matches the \W requirement).
Followed by the litteral character string 0-go, followed by
one random character (note that . is a wildcard), followed by
the litteral character string org followed by something that
matches \W. (Thus orga would not match here).
Boy, it takes a bunch of words to explain what that little jumble
of regex does, powerful stuff these regexes ;)
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] SA LIST PROBLEM? Quoted Printable problem?
On Tue, 18 Nov 2003, Charles Gregory wrote:
Hello,
Lately on several e-mails from the list, I've been seeing an error message
in my Pine mail program that says:
[Error: Formatting error: Non-hexadecimal character in QP encoding]
More importantly, the message is *truncated* in the display.
Oddly enough, when I quote the message to reply, I see the full text.
The line in error appears to have an = at the end of line, which
looks like it was used to mark line wrapping. But Pine doesn't seem to
recognize this usage.
Here is an example line - first the quoted printable:
while(-1 !=3D (opt =3D getopt(argc,argv,-BcrRd:e:fhyp:t:s:u:xSHU:))=
)
Then the rendered version:
while(-1 != (opt = getopt(argc,argv,-BcrRd:e:fhyp:t:s:u:xSHU:)))
In Pine, it decodes the line properly up to the parentheses before the
last '=', then gives that error. Clearly Pine expects a hex code, not a
NL/CR. Now was there a code there originally, but mailman stripped it out?
Or is Pine failing to recognize a legitimate code sequence?
Red Hat 9 with whatever Pine is default for that disty.
- C
Based upon the headers of your message, it looks like you're using pine
v4.05. (look at the top-left corner of your pine display for the version
string, or invoke it as pine -v).
That's a pretty ancient version, I think that the U-Washington site is
up to version 4.58. IIRC, that got fixed somewhere around v4.3*, I'm
using 4.44 and it doesn't have that problem.
So the answer is to upgrade your pine.
http://www.washington.edu/pine/
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Proposal for a delete option to spamc
On Tue, 18 Nov 2003, Øystein Halvorsen wrote:
Our only MTA for externally received email is sendmail, which again
forwards user emails to an internal exchange server. In fact, we have
tried this out, and it works quite nicely (at least our local users are
delighted). In order to make spamc drop emails, the -D option has to be
explicitely specified, otherwise the spamc client will work exactly as
before. However, if another MTA than sendmail tries to make use of this
option, then it should of course be throroughly tested out before put into
real production.
If you are using sendmail+spamassassin as a filtering gateway in front
of some backend server (EG exchange), then I'd suggest using a sendmail
'milter' daemon rather than your spamc configuration (such as
miltrassassin).
This has the advantage of being more fault-tolerant (what happens with
your config if something breaks and causes spamc to choke on each
message?)
You can configure it to do a SMTP-reject of a spam message rather than
just silently deleting it.
That has the major advantage that the sender is notified of the
rejection (assuming that the sending system is legitimate).
Thus if something unexpected happens and you mark a legitmate message
as spam there's hope for discovery and repair rather than things just
mysteriously dissapearing. ;(
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Validate Sender Users
On Mon, 17 Nov 2003, Eduardo Alfonso wrote:
Hi
I've been trying to configure SpamAssasin to check for the existence of the user on
the local machine that is
trying to send the message and I couldn't find how to do this.
Is it possible ??
Thanx
I'm using sendmail MTA in a RedHat9 box
If I understand you correctly, what you want is something that will
examine an incoming message and try to dynamically verify that the sender
of record (mail from: [EMAIL PROTECTED] ) is indeed a valid user
at the remote system.
What you're looking for is something like this:
http://www.snert.com/Software/milter-sender/index.shtml
Altho it sounds like a good idea, it has potential problems.
If you're a low traffic site, it wouldn't be too bad, but if you
handle 10k messages a day, it would increase your network load and
could be potentially abusive of remote sites that are innocent
bystanders. (spammers often use randomly generated fake
hotmail/yahoo/msn addresses.)
Some legitimate lists send out messages with a deliberatly
invalid 'from' address (they don't want to be bothered with bounces).
This kind of system would block such messages.
Some systems have an incoming gateway that will accept -everything-
and let an internal mail server decide if the user is valid, thus
making the sender verification system useless.
Some heavily loaded systems (such as hotmail) occasionally get backed
up for hours at at time and not accept connections. This would slow
down your incoming mail from those sites, not to mention putting
addtional load on their servers.
What might be a better solution would be to interlock your MTA with
some kind of database SA. When a message gets rejected by a remote
site with a DSN, put that address in the database as invalid and
then have SA take that into consideration when scoring more messages
from that address.
You can do that by hand editing your sendmail access-db to add rejects
for specific bogus from: addresses. It might be a worthwhile project
to try to automate the process.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] whitelist_from_rcvd
On Mon, 17 Nov 2003, Martin McWhorter wrote:
I am having a problem with whitelist_from_rcvd not working.
I have Spamassassin running on a redhat 9 box with sendmail 8.12.8 as
our companies gateway MTA. I have MIMEdefang running as well, but with
the Spamassassin portion of the defang.conf commented out and
spamassassin running with the spamass-milter.
Our imap mailboxes are hosted internaly on an NT box running Iplanet
4.15 named mercury. All mail in and out goes through the
sendmail-spamassassin MTA.
In the spamassasin conf I have:
whitelist_from_rcvd [EMAIL PROTECTED] mercury.prairiegroup.com
[snip..]
whitelist_from_rcvd needs appropriate values for the trusted_networks
parameter before it works.
Given that you have a firewall configuration with internal/exteral
addresses on that SA box, it might be confused when trying to
automagically determinte trusted_networks.
Try explicitly setting trusted_networks.
Other possiblity, that Add to Address Book stuff in the 'From:'
field might be confusing SA.
Silly question, why are you scanning your outgoing messages?
(Don't you trust your users not to spam? :)
You've got two seperate interfaces on that redhat box. Set up a
sendmail w/ SA on the external IP for incoming mail and another
one w/o SA on the internal IP for outgoing mail.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
[SAtalk] Re: URI database lookup feature (was Sanity checking new uri rules?)
On Mon, 17 Nov 2003, Justin Mason wrote:
BTW, given that a URI DB cannot use regular expressions, or patterns,
would this really be useful?
Basically with a DB you only gain efficiency when looking up exact
strings. So for this to be useful against URIs, you'd have to pick out
*just* the domain part of the URI and look it up. e.g.:
http://www.stearns.org/sa-blacklist/sa-blacklist.2003111402.uri.cf
would be looked up as www.stearns.org or stearns.org.)
The parser in the Bayes routine (tokenize_line in Bayes.pm) creates 'UD:'
lookup tokens for each component of the domain name. So for the above
example, it would create:
UD:www.stearns.org
UD:stearns.org
UD:org
Thus the DB would only need to contain one entry for the lowest common
denominator [1]. IE: stearns.org.
I suspect doing this with a DB lookup may not be such a win, compared
to using a local eval test that parses a config file and creates an
in-memory hash table.
- --j.
Au contraire, a DB lookup is a big win compaired to a regex match for
speed/memory consumption. The Bayesan engine does hundreds of lookups
per message against a database that has tens (or hundreds) of thousands of
(50k~200k) entries. Other people on this list have found that using regex
matches, (EG 'evilrules') a set of just a few thousand patterns make a
major hit in processor load.
One of the big advantages of using a DB type system is that it can be
updated 'hot' on a running system. A system based upon parsing a config
file and creating an in-memory hash table would require restarting spamd
every time an update was made.
If we want to have any hope of automating such a system, it needs to be
updatable 'hot' (note how Bayes operates).
Yes, you are right in that a URI DB cannot use regular expressions or
patterns. However, if we're just looking for a 'catcher' for spammer
sites in URIs, that's probably not necessary. We just want to grab a
host/site name out of a spam and slam it in there. Ask people such as
Chris how much time he spent regexing each entry in his 'evilrules'
set. Speed of update and search are far more important IMHO.
I envision this working in a couple of possible ways, either updated from
a central site (EG the rules emporium) via wget/rsync etc, or by a local
engine that would use some kind of heuristics on suspect host names found
in potential spam (do DNS lookups, use IP that point to spammer nets,
look at 'whois' data for spammer hosting, look at DNS TTLs, etc).
Part of my motivation is a local competition. Our central campus IT
group looked at SA and then decied that it was too much work to manage,
so they spent money and bought Activestate's PureMessage product.
(Which is based upon a commercialization of SA. Many of the header
tags even match ;).
Part of our mail streams thru the central servers so I get to compair
the SA scoring against the PMX scores. Most of the time SA does a better
job (fewer FP/FN) but sometimes PMX wins and when it does it is
us usually becase of a 'sparse' spam that has just a few URL
images (and a bunch of Bayes fodder). The PMX score will be often
pushed up by a rule that is labled: KNOWN_ADVERT_URL
So my guess is that PMX already has something like this. I want it TOO!
Dave
[1] In a mathematical context, 'lowest common denominator' makes no sense.
The number 1 is always the lowest common denominator for any value.
Mathematically we're looking for the GCD ('greatest common divisor').
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
[SAtalk] Re: URI database lookup feature
On Sat, 15 Nov 2003, Carl R. Friend wrote:
On Sat, 15 Nov 2003, David B Funk wrote:
I've been thinking about that exact topic. The Bayes engine
already parses and tokenizes hostnames from URIs (the UD: tokens).
If there were a hash DB made with the spam-site hostname as key and
score,description as value (something like the sendmail access db)
then it should be pretty easy to take those UD: tokens and do a
lookup and add results to total score.
As near as I can tell, there's no current way for a rule
to return a score -- they're boolean in nature. That said,
even that would be a win for looking up domains in URIs and
whatnot.
I had assumed that it would need new code to support. That's
why I've been trying to figure out how the scoring code works.
(and trying to get the developers to notice this idea ;).
I don't think that it should be too hard to do, most of the
hooks are already there, but the devil is in the details. ;)
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Problem with spamd spinning on bayes_toks
On Fri, 14 Nov 2003, Bob Amen wrote:
We've been seeing a problem with spamd that happens at random times.
Occasionally, a spamd thread will spin, clocking up CPU time and never
finish. This causes other spamd processes to hang and eventually all
memory and swap is used up by multiple spamd and sendmail processes.
We've set limits on the number of threads of spamd and sendmail but that
doesn't help. Eventually everything stops, either because their are no
resources available or there are no more threads available and they're
all waiting for some to exit, which never happens.
We've determined that it's the Bayes DB but are not sure why. This
happens on a RH 6.2 system with Perl 5.6.1 and a Gentoo (2.4.20 kernel)
with Perl 5.8. Below is the output (very shortened) of strace and then
lsof of a spamd process that exhibited this behaviour:
[snip..]
Does anyone have any ideas or suggestions for other diagnostics that we
can try?
TIA,
Bob
You didn't say what version of SA you were running, so I'll assume it's
2.60. (or 2.55 using DB_File). DB_File is based upon the Berkekey_DB
kit (www.sleepycat.com). Usually Berkekey_DB is robust but occasionally
it has shown itself to be a bit sensitive to certain OS dependent
factors (threads implementation, file locking, shared memory, etc).
I'd go to the sleepycat site and check on the version of Berkekey_DB
that you're using to see if there are any known issues for your OS.
The sleepycat Berkekey_DB source kit comes with an extensive test
suite, you could get the kit and do a 'make test' to see if it finds
anything with your libs.
Alternatively just build a new set of libs from the source kit and
try those.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
[SAtalk] URI database lookup feature (was Re: Sanity checking new uri rules?)
On Fri, 14 Nov 2003, Carl R. Friend wrote:
For the assembled group -- is it possible to do a DB lookup,
either in an eval() or some other mechanism, in a uri rule?
If we could do a DB lookup on URIs (or, more properly, the
domain portion of URIs) I think that'd be a win (at, of course,
the expense in human time).
I've been thinking about that exact topic. The Bayes engine
already parses and tokenizes hostnames from URIs (the UD: tokens).
If there were a hash DB made with the spam-site hostname as key and
score,description as value (something like the sendmail access db)
then it should be pretty easy to take those UD: tokens and do a
lookup and add results to total score.
It would be much faster and use less memory than the various
collections of regex spam-host rules that have been discussed
here (such as William's or Chris's evilrules ;).
(I have a 15,000 line sendmail access db that doesn't bother
it a bit ;).
Another advantage is that it would be possible to update the
database 'hot' (IE without having to kill and restart spamd,
the way that you have to do to update regex rules).
It might even be possible to automate the updating of the
database. (take hostnames found by Bayes in spam, do DNS lookup
and add if IP in spamhaus nets, in trusted DSBLs, has short TTL,
etc).
I can see one of two different implementations:
1) Have the value be just score,description and synthesize the
rule name from the hostname (EG:
spammer.com 1.2,Spamhause business site
- rule == L_URI_SPAMMER_COM
score == 1.2
description == Spamhause business site
2) have the value be a triple, name,score,description and
explicitly store all attributes:
spammer.com MEDS_SPAMHAUS,1.2,Spamhause business site
1) would be simpler to update and use up less memory,
2) would be more flexible and let you combine several different
sites into one class of rule.
Asumption, once a host matches a rule, subsequent matches on that
rule name would be ignored.
Probably should also add some kind of time-stamp to each entry to
facilitate automated updating.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Run spamd as root ?
On Thu, 13 Nov 2003, MIKE YRABEDRA wrote:
I have found that spamd will not use razor on my system because of
permissions. Is it safe to run spamd as root?
Mike,
spamd will not run as root, it is a security risk.
If you start it as root and you do not tell it who you want to run as
(IE leave off the '-u' option) it will automagically switch to user
nobody.
If you have your permissions set correctly, spamd razor can
happily run as non-root. Why not just fix your permissions?
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Razor does not work with spamd?
On Thu, 13 Nov 2003, MIKE YRABEDRA wrote:
I have been trying to get razor to work with spamd.
I know it works with ./spamassassin --lint -D
It also works with CGPSA (calls SA directly).
But it does not want to work with spamd?
Where are some places I can look , things I can try, to narrow down the
problem?
razor wants a ~/.razor directory to store its configs and
working data (servers lists etc). You've probably tested it
as either root or your personal account.
Have you tested it as the user that spamd runs as?
(EG the user-id that you have in -u user-id for your
spamd command line).
su to the spamd user-id and test razor again. It's probably
either a path or permissions error.
Other thing to try, run spamd with the '-D' flag to turn on
debugging output. (But don't run it that way for too long unless
you have a -large- disk to hold the output ;).
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] SMTP gateway/filter
On Tue, 11 Nov 2003, Larry Gilson wrote:
The preferred method is any way you prefer. ;) That is really an honest
answer. Everyone has their own preferred method and a lot of times it
depends on your specific situation. Some people will pipe to a filter shell
script, Procmail, maildrop, or spamc directly. I prefer Procmail as it
allows me to do more post SMTP processing with the message than the shell
script or a direct pipe to spamc. maildrop works well for some people but I
honestly am not familiar with it. I would like to hear from someone who has
chosen maildrop rather than Procmail just to have a comparison though.
--Larry
-Original Message-
From: Robban
Sent: Tuesday, November 11, 2003 2:58 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] SMTP gateway/filter
I'm pretty new to spamassassin and I've only done a few
spamassassin/postfix installations. My next task is to sett
up some sort of STMP gateway that filters e-mail for spam and
if approved, forwards the mail to the real mail server. The
real mail server will probably be an exchange server but we
might also end up with godd ol' sendmail. What would be the
preferred practice in setting up such a thing. Any ideas?
//robban
Larry,
I agree with the first part of your advice to Robban but completely
disagree with the Procmail part.
Robban is asking specifically for a filtering front-end to some
kind of back-end mail server (such as Exchange). Procmail would
require him to fake a delivery to each account on the SA processing
machine, which would mean that they would have to create user accounts
for every Exchange user on the SA box.
I think that Robban is looking for some kind of filtering appliance
that mail flows thru as a SMTP stream and the back end server handles
the delivery/user part.
Something like sendmail+milter, sendmail+mailscanner, postfix+spamc
or postfix+MIMEDefang would be better suited to this application.
It can process tag mail with out needing any specific user account
information.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Attachments
On Wed, 12 Nov 2003, Matt Kettler wrote:
At 01:38 PM 11/12/2003, Scott Antonivich wrote:
but can attachments be tagged as spam per user? If
so, what do I need to place in this users config file?
You'd have to create a custom rule to look for mime boundaries..
However, to do it per-user, you'll need to have per-user configs, and
per-user rules, something that most site-wide SA configurations have no
capability to do.
You'll have to be discrimiating in what kind of mime boundaries
you look for.
For example, many modern mail clients (such as Eudora, Outlook, Mozilla)
have the ability to send combo text/html or text/rtf mail as Mime
multi-part-alternative messages. Most modern clients will show such a
message as just a single-part message and give no clue as to the
internal structure.
Some systems us Mime parts for such things as PGP signatures or .vcard
signatures.
Even such things as sendmail error bounce messages often come as
multi-part mime messages.
Now what about a message that has only one part, but that part is
a Base-64 encoded jpg of a spam-ad? It would not necessarily have
any mime boundary other than the content tag in the header.
Or for that matter, a single Base-64 encoded virus, (I've seen that
too. ;(
So there's no simple definition of what constitutes an Attachment.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] order of preferences in white / black listing
On Sun, 9 Nov 2003, Tristan Nixon wrote:
Hello all,
I have a question regarding the way in which SA deals
with whitelisting blacklisting. If I want to whitelist
all but a few select entries from a domain, how would I do it.
Should the following work?
whitelist_from [EMAIL PROTECTED]
unwhitelist_from [EMAIL PROTECTED]
unwhitelist_from [EMAIL PROTECTED]
I think that should work but never tried it
I can't seem to find a way to do this. Here is my predicament,
I have been getting a whole pile of viagara spams a day, all of which
have my email address as both the To: and From: address. I have
whitelisted my own domain, but would love to be able to unwhitelist my
own email address ( I don't have much call for sending messages to
myself ). Anyone know how to do this?
Silly question, why are you whitelisting your own domain?
Is it to make sure that locally generated mail doesn't get filtered?
In that case you probably should be able to make 'whitelist_from_rcvd'
do the job, which is much harder for remote spammers to abuse.
Another option would be to set up a MSA for locally generated mail
and have it totally avoid SA processing.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Re: Trouble restarting spamd
On Sat, 8 Nov 2003, Debbie D wrote:
Thanks.. ut yes Ishold have stated that.. stop start..
[root admin]# /etc/rc.d/init.d/spamd stop
Shutting down spamd: ok
[root admin]# /etc/rc.d/init.d/spamd start
Starting spamd: spamdCould not create INET socket: Address already in use
IO::Socket::INET: Address already in use
Any other ideas???
The error INET: Address already in use means that there's a process
that already has that network socket open. Given that you had just done
a spamd stop the offending process is probably a spamd child process
that hasn't yet finished up a message.
Make sure that -all- spamd processes are gone before you try the start.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] [MailServer Notification]To recipient: Message matched eManager setting and action was taken.
On Mon, 10 Nov 2003 [EMAIL PROTECTED] wrote:
eManager Notification *
The following mail was blocked since it contains sensitive content.
Love the stupid -PC- double-talk here. Gee, what was the content
sensitive to? (is it sensitve to light, heat, shock...)
How about saying was blocked because it contains objectionable content
and be done with it.
Sad. A spam-blocking list cannot even discuss the kinds of things
that it's supposed to block.
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] rule to whitelist Listserv (tm) list traffic
On Mon, 10 Nov 2003, Chris Barnes wrote:
I am in need of a rule that will tell SpamAssassin to whitelist all
email traffic which comes from our local Listserv (tm - www.lsoft.com)
lists.
The problem is that messages from the Listserv list have the original
author's email address in the From: line. The Listserv list address is
in a header tag of:
Sender: Name-of-list [EMAIL PROTECTED]
In other words, SA needs to look at a header tag of SENDER:, not FROM:
How would this rule look?
(my guess)
header LISTSERV_GOOD_SENDER Sender =~listserv.tamu.edu
score LISTSERV_GOOD_SENDER -100
Would that work?
Almost. It needs to be a valid perl pattern-match regex:
header LISTSERV_GOOD_SENDER Sender =~ /listserv.tamu.edu/
Only problem with that is that it will be suceptable to spammer abuse
if they ever find out about it. (note that emperical evidence points
to spammers reading this list ;().
What would be better is if you could use 'whitelist_from_rcvd' as it's
much more difficult for an external agent to abuse.
However this would require the predictable envelope-from address
being accesssable to SA.
In addition to the From: header SA looks for from address info in
the headers:
Envelope-Sender:
Resent-Sender:
X-Envelope-From:
Return-Path:
Resent-From:
Any chance you could get your listserv to put it's Sender info into
one of these?
If you are only concerned about local SA filtering of these messages,
you could customize the 'EvalTests.pm' file in your SA instalation
and add Sender: to that recognized from header list.
One other possibility depends upon how you call SA. If your method of
processing the mail has access to the envelope-sender, you could hack it
to synthesize a 'Envelope-Sender' header to pass that info in to SA.
I use spamd with sendmail and miltrassassin. I hacked the miltrassassin
code to synthesize a 'Envelope-Sender' header and it makes whitelisting
mailing lists va whitelist_from_rcvd much easier.
If you do go the whitelist_from_rcvd route be sure to set your
trusted_networks parameter.
FWIW, I prefer to use def_whitelist_from_rcvd instead of
whitelist_from_rcvd. Makes mistakes and successful forgeries less
damaging. ;)
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
[SAtalk] [RD] Re: Abused redirector URLs ?
On Fri, 7 Nov 2003, Chr. von Stuckrad wrote:
Hi
[snip..]
The mail also contained a broken variant of the wrong/forgotten
Parameter of their Spam-Mailer: ' $RANDOM IZE '
So:
body RANDOM_IZE / \$RANDOM IZE /
score RANDOM_IZE2
describe RANDOM_IZE contains broken spamrobot parameter
Even better, sprinkle in \s? between each of those letters and
you'll catch all permutations of that garbage.
EG:
body RANDOM_SPAM_TOOL /\s\$RA\s?N\s?D\s?O\s?M\s?I\s?Z\s?E\s/
Using the \s will catch it at line breaks too. ;)
I've combined that with other popular spam-tool 'RANDOM' signatures:
body L_SPAM_TOOL_3
/\[RANDOMIZE\].{0,3}\[RANDOMIZE\]|\s\$RA\s?N\s?D\s?O\s?M\s?I\s?Z\s?E\s|\b%%RANCHAR%%\b|\b%random_word|\b%random_text/
describe L_SPAM_TOOL_3 Spam tool pattern
score L_SPAM_TOOL_3 4.4
(Now we'll see if my own rules fire on this message. ;)
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---BeginMessage---
achieve householder icosahedra corrugate bourgeoisie poets bender create postfix hustling bacchus imaginatively talking courses cranking matters hostelry bowel excommunicated polytope acclaim cries microscope abyssinia metronome scooping adjustors ternary scraps bobbins $RANDO
MIZE counsellors adject cribs miller braking medial plugs bothered ethically pounding bombard poetical braided mealtime hurdle pneumococcus tearfully branches avis exams saws expositor bakhtiari memorandum merchandising tank scholastic creature excretions menhaden $RANDOM
IZE brazenness meddle thallium hotelman playgrounds evens excise houseflies sears crate expunged huts scarcity popped boners expositions methylene plumage meandered possessor advice
schemas coverlets saxophone crosshatch coursing addictions branches pluperfect at bodhisattva craftsman brainwashes teacher hue meretricious horrible meticulous at tassel cowpoke adumbrates saturater port extemporaneous teletypewrite bodybuilder bangor pleading boaster crosswort $RANDOM
IZE hydraulic andrea plugs bosom berlin acorn hygiene practitioner excited brambly postulated excise critique plied corridors ac cottonwood adores scrolls evince bombarding teletype sardonic savers meekness bamako potatoes sates telling admiralty $RANDOMI
ZE adjustment poison excitement acculturated evenings migrated hygiene imagined additives hurrah cousins schedulers australia crossroad bahama sclerosis accoutrements banks advanced bluegrass bodhisattva
---End Message---
Re: [SAtalk] problem with Razor and spamd
On Thu, 6 Nov 2003, Peter Buonora wrote:
Ok, I am running on Solaris 8, latest version of Spamassassin, perl 5.8.
For some reason when using the 'spamassassin' executable, razor works.
When I try to switch over to spamc/spamd everything works except razor.
There isnt even anything in the logs referring to razor.
I am running spamd with the -H option and in debug mode.
I even tested just from the command line as the same user. Here are the
results from the exact same email. Any help appreciated.
It's probably either a permissions or a path issue.
'spamd' does not run as user root. It runs as the user that you have
specified on the command line with the -u username option or as nobody
if you didn't specifiy.
On the machine running spamd, 'su' to the appropriate user and try testing
again, do a:
spamassassin --lint -D
See what that shows you about razor.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Re: 'random' character sets
On Fri, 7 Nov 2003, Justin Mason wrote:
BTW, SpamAssassin originally started with accumulating rules. But I took
it out, as it meant a long hammy mail had a much higher chance of FP'ing,
due to containing more text.
I'd be worried that accumulating hits would reintroduce the same
problem...
- --j.
Easy way to deal with that, divide the accumulated score by a factor
based upon the message size.
EG, if I see 20 'BR' tags in a 1Kbyte message it has a high probability
of being spam but if that message is 30Kbytes then it's lower.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] installation fails [perl]
On Fri, 7 Nov 2003, Maarten J H van den Berg wrote:
I eventually found the reason for this behaviour after I noticed that root
could start it okay, but the unpriv user spamd couldn't...:
machine:~ # ls -la /usr/lib/perl5/site_perl/5.6.0/Mail/SpamAssassin
drwx--2 root root 942 Nov 7 11:45 .
Try setting your umask to 022 before doing any installs. ;)
Other good rule of thumb, always test out a new installation as the
user who will ultimatly run the stuff. Good way to catch permissions
path problems. (I ran into the exact same problem when I did my first SA
upgrade. ;)
[snip..]
I'll try to find out which step exactly triggers this. In the meantime, I
get bitten by some very lame dependancies which invariably lead to
CPAN.pm attempting to install perl 5.8 (I have 5.6). I don't understand
this. In the first place it doesn't give me any choice to skip the
install of perl 5.8 as it does with all other packages, secondly the
Spamassassin faq says perl 5.8 is to be avoided, right ?
In any case, no matter what, I'll not allow such a perl upgrade on a
production system cause I can not afford to break things.
IIRC, this was due to a bug in one of the versions of CPAN.
Try updating your CPAN
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
[SAtalk] Accumulator rules (Re: 'random' character sets)
On Fri, 7 Nov 2003, Robert Menschel wrote:
Or better: what if we specified in the rule a maximum score to accumulate
to? Maybe something like:
accumbody T_SAMPLE /(?:word1|word2|word3|word4|word5)/i,max=2.5
describe T_SAMPLE Message has medical words frequently used in spam
score T_SAMPLE 0.5
Each time any of the five words was used, it'd score 0.5, to a maximum
score of 2.5. No matter how long the message was, this rule could not by
itself cause an FP, and would work in conjunction only with other rules
to flag something as spam.
A slight modification of the above idea, rather than 'max=2.5' have
'maxhits=5'. IE that particular rule fires no more than 5 times and then
the matching engine can drop it and move on to the next rule.
The final score would be 'nhits' * score. That way the matching engine
does not need to worry about any score calculations, just tallying up
number of matches.
There should also be a default implicit 'maxhits' value to keep the
matching process moving along and not slow things down too much. ;)
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Re: Accumulator rules (Re: 'random' character sets)
DBF On Fri, 7 Nov 2003, Robert Menschel wrote:
Or better: what if we specified in the rule a maximum score to accumulate
to? Maybe something like:
accumbody T_SAMPLE /(?:word1|word2|word3|word4|word5)/i,max=2.5
describe T_SAMPLE Message has medical words frequently used in spam
score T_SAMPLE 0.5
Each time any of the five words was used, it'd score 0.5, to a maximum
score of 2.5. No matter how long the message was, this rule could not by
itself cause an FP, and would work in conjunction only with other rules
to flag something as spam.
DBF A slight modification of the above idea, rather than 'max=2.5' have
DBF 'maxhits=5'. IE that particular rule fires no more than 5 times and then
DBF the matching engine can drop it and move on to the next rule.
DBF The final score would be 'nhits' * score. That way the matching engine
DBF does not need to worry about any score calculations, just tallying up
DBF number of matches.
DBF There should also be a default implicit 'maxhits' value to keep the
DBF matching process moving along and not slow things down too much. ;)
OK, here's the next revision (I've put my programmer's hat on ;).
When parsing the config files and generating the rules structures,
for each rule add two new variables: 'maxhits', default to the value 1
'nhits' init to 0.
If the rule has a maxhits=n argument, set the maxhits to that value.
When running the matching engine eval for a rule, each time there's a
hit, increment nhits and decrement maxhits. if maxhits 1 terminate that
rule.
In the scoring and running the meta-rules, consider 'nhits' to be the
value of that rule. IE if == 0, then for boolean sake false, if != 0
then true, for arithmetic metas, it's the actual value of 'nhits'.
The score part, added to 'hits' is 'nhits' * score for that rule.
So if you leave maxhits = 1 for each rule (the default), you have
everything working as it does right now. The accumulating part only
kicks in if a maxhits=n argument is added to a particular rule.
Thus you would only need to modify one user-visible part of the
conf stuff, add the maxhits= argument. All other rule stuff would
still look act the same (in default).
Theoretically you need only modify two parts of the whole kit, Conf.pm
to parse the optional maxhits=n argument and the matching eval engine
to keep searching if maxhits 0 (if I understand the code correctly ;).
Probably also want to modify the report stuff.
Looking at Robert's 'T_SAMPLE' example from his previous message, you
would implement it as:
body __T_SAMPLE /(?:word1|word2|word3|word4|word5)/i,maxhits=6
meta T_SAMPLE (__T_SAMPLE)
score T_SAMPLE 0.5
describe T_SAMPLE Message has medical words frequently used in spam
meta T_SAMPLEA ( __T_SAMPLE 5 )
score T_SAMPLEA 2.0
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] How to balance spamd max children?
On Tue, 4 Nov 2003, Steven W. Orr wrote:
My ISP went down, so when it came back up aqnd my secondary mx record
kicked it all back to me I got a lot of messages from sendmail saying
Nov 4 06:58:26 saturn spamd[952]: hit max-children limit (5): waiting for
some to exit
I bumped it up to 10 (my server can well handle it) but can someone tell
me how I can tell what the current number of max sendmail connections is
so I can balance the spamd limit properly?
The standard default sendmail config puts no limit on the number
of connections. In fact, older versions of sendmail did not have
any connection limit based control, only load-average based controls.
Newer versions of sendmail have a config parameter 'MaxDaemonChildren'
that can be used to effectively limit the number of SMTP connections.
(It defaults to unset, thus no limit, you must explicitly set it
in your config to activate that feature).
Once that limit is reached sendmail will close the 'LISTEN' on port
25 thus refusing new connections.
Note that this will refuse -all- connections to port 25. Depending upon
your configuration it may affect outgoing as well as incoming messages.
If you use only one sendmail daemon and a mail client (such as Eudora
or Outlook) that connects to port 25 to send messages, sending will
be blocked while sendmail is refusing connections.
(Particular consideration if you're an ISP with customers ;).
Unix clients that call sendmail directly (such as elm, mutt, or pine)
will not be affected.
One way to work around this limitation is to run another sendmail daemon
listening on an alternate port or alias-IP-address and configure your
SMTP based clients to use that for sending out messages. (Use that as
an MSA, rather than a MTA).
Using a MSA has other advantages, you can config it to use authentication
to provide service for remote clients with out fear of open-relay abuse,
customize its filtering (don't bother to SA scan your outgoing mail),
etc.
Dave
--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
