Re: Memory usage question
At 09:26 PM 9/16/2004, Robert Bartlett wrote:
> I remember someone saying something about memory usage per email that spamd uses to scan? But cannot find the email, what is the estimated amount of memory used per SA scan? I also have clamav set up

Varies a lot depending on your configuration (bayes vs no bayes, add on rules, etc).

If I start spamd on my system (don't normally use it because I use MailScanner which calls the API directly) it pops up with a RSS of 26mb. I use bayes with an enlarged database size (200k tokens, instead of 150k), and a few add-on rules.

A 200k token bayes db should be about 10mb based on info in the manpage, so disabling bayes and using only stock rules could take spamd down to as little as 15mb, however, I've not got the ability to test that right now.

Chris S reported his spamd swelling to 45mb with a huge version of bigevil.cf he was testing.
RE: Memory usage question
-Original Message- From: Matt Kettler [mailto:[EMAIL PROTECTED] Sent: Thursday, September 16, 2004 6:43 PM To: [EMAIL PROTECTED]; users@spamassassin.apache.org Subject: Re: Memory usage question At 09:26 PM 9/16/2004, Robert Bartlett wrote: I remember someone saying something about memory usage per email that spamd uses to scan? But cannot find the email, what is the estimated amount of memory used per SA scan? I also have clamav set up Varies a lot depending on your configuration (bayes vs no bayes, add on rules, etc). If I start spamd on my system (don't normaly use it because I use MailScanner which calls the API directly) it pops up with a RSS of 26mb. I use bayes with an enlarged database size (200k tokens, instead of 150k) , and a few add-on rules. A 200k token bayes db should be about 10mb based on info in the manpage, so disabling bayes and using only stock rules could take spamd down to as little as 15mb, however, I've not got the ability to test that right now. Chris S reported his spamd swelling to 45mb with a huge version of bigevil.cf he was testing. Thanks for the reply! Here is the deal, we are currently deciding what we want to do next. Currently we have a Celeron 2.4 gig system with 256 megs of ram and a 40 gig hdd. In the past week or so our system has come to a halt, under 3 megs available, due to a bunch of emails coming in at once. At one point we hit 60 emails in a span of 5 minutes. It is a system we are renting at a colo. So Im heading this project up trying to decide to either rent out cabinet space and build our own systems and do it that way, or just upgrade the current system. Currently we are running Fedora Core 1 with clamav. I do not believe we have bayes running, I assume we don't since I do not know how this would be set up. We also use Rules De Jour with all rules available except Big Evil, we are using RBL. 
I know that when I restart spamd it shows this: 99.9 9.5 29068 24300 (24300 being RSS) I also use vpopmail for virtual domain setup.
Re: URI obfuscation check
Update on the previous, interestingly the HTML renderer in The Bat! 1.62q did not make the link clickable, but the plaintext message renderer did. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: URI obfuscation check
Jeff Chan wrote to SpamAssassin Users: Update on the previous, interestingly the HTML renderer in The Bat! 1.62q did not make the link clickable, but the plaintext message renderer did. That's because the HTML did not actually contain a link (anchor); just the plaintext URI. Many plaintext renderers will, however, link anything that looks like a URI. - Ryan -- Ryan Thompson [EMAIL PROTECTED] SaskNow Technologies - http://www.sasknow.com 901-1st Avenue North - Saskatoon, SK - S7K 1Y4 Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America
Re: Speak to me of Bayes and scoring in SA 3.0
On 16 Sep 2004 13:39:30 -0700, Daniel Quinlan [EMAIL PROTECTED] wrote: I think we could use a better way to merge Bayesian results into the SpamAssassin score, though. Hm. An idea that just occurred to me, that would have been prohibitively expensive with the GA but maybe isn't with the perceptron model: Rather than divide the score sets by with/without Bayes, have multiple score sets and use the Bayes probability to choose which score set to apply. (I.e., there is no direct score for Bayes itself.) A Bayes probability of, say, 0.45 - 0.55 would use the same score set as without Bayes, on the assumption that in that range Bayes is unable to contribute to the decision. My intuition, which may be wrong, would be that such an arrangement would cause a big increase in the score values of a small number of rules in the score sets for near-zero and near-one probability, though not the same rules in each set.
New spammer trick?
Hi,

I just got a nigerian spam with a huge Reply-To: line! Never seen that trick before, but I suppose it works with quite a few of the recipients. Should we create a new rule for that? I can't think of a legitimate reason to have more than one address in the Reply-To line, right?

Here goes a sample:

From: chukwuelofu [EMAIL PROTECTED]
To: undisclosed-recipients: ;
Subject: I want to be your future partner/Response
Reply-To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], ...

From The Desk Top Of Prof. Chukwu Elofu, MD/CEO Financial Consultant, Federal Republic Of Nigeria.

ATTN: I have interest of investing in your country as such I decided to establish contact with you for assistance as soon as I am able to transfer my funds for this ...

--
o _ _ _ --- __o __o /\_ _ \\o (_)\__/o (_) -o) - _`\,__`\,__(_) (_)/_\_| \ _|/' \/ /\\ (_)/ (_) (_)/ (_) (_)(_) (_)(_)' _\o__\_v
Local Area Network in Australia: the LAN down under.
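The check proposed in the message above, sketched in Python as an added example that is not part of the thread: it counts distinct Reply-To addresses with a real address parser, so folded headers and a comma inside a quoted display name are handled. The sample messages and the threshold of one address are constructed assumptions.

```python
import email
from email.utils import getaddresses

# Constructed sample: a folded Reply-To header carrying four addresses.
MANY = (
    "From: sender@example.org\n"
    "To: undisclosed-recipients: ;\n"
    "Reply-To: a1@example.com, a2@example.com,\n"
    " a3@example.com, a4@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed sample: one address whose display name contains a comma.
# Splitting the header on "," would wrongly report two recipients here.
SINGLE = (
    "From: list@example.org\n"
    'Reply-To: "Doe, Jane" <jane@example.org>\n'
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def reply_to_addresses(raw_message):
    """Return the distinct addresses found in all Reply-To headers, in order."""
    msg = email.message_from_string(raw_message)
    # Unfold continuation lines before handing the value to the parser.
    values = [" ".join(str(v).split()) for v in msg.get_all("Reply-To", [])]
    seen = []
    for _name, addr in getaddresses(values):
        if addr and addr not in seen:
            seen.append(addr)
    return seen


def many_reply_to(raw_message, limit=1):
    """True when Reply-To names more than `limit` distinct addresses."""
    return len(reply_to_addresses(raw_message)) > limit


if __name__ == "__main__":
    for label, raw in (("many", MANY), ("single", SINGLE)):
        print(label, reply_to_addresses(raw), many_reply_to(raw))
```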
After starting spamd, spamc fails to connect to it and spamd stops running!?
Will anyone please help me? I've recently had a working sitewide install of spamassassin stop working and it's very upsetting! :(

Many thanks.

hugh

-- My problem:

As far as I can tell spamd starts correctly, spamc then tries and fails to connect to it and spamd stops running shortly after...

[EMAIL PROTECTED] perl-5.6.1]# /etc/init.d/spamassassin start
Starting spamd:[ OK ]
[EMAIL PROTECTED] perl-5.6.1]# netstat -lnp | grep spamd
tcp0 0 127.0.0.1:783 0.0.0.0:* LISTEN 7148/spamd -d -a -q
[EMAIL PROTECTED] perl-5.6.1]# ps -aef | grep spam
spamd 7148 1 78 11:40 ?00:00:07 /usr/bin/spamd -d -a -q -x -u sp
root 7163 21623 0 11:40 pts/000:00:00 grep spam
[EMAIL PROTECTED] perl-5.6.1]# ps -aef | grep spam
spamd 7148 1 66 11:40 ?00:00:07 /usr/bin/spamd -d -a -q -x -u sp
root 7169 21623 0 11:40 pts/000:00:00 grep spam
[EMAIL PROTECTED] perl-5.6.1]# ps -aef | grep spam
spamd 7148 1 60 11:40 ?00:00:07 /usr/bin/spamd -d -a -q -x -u sp
[EMAIL PROTECTED] perl-5.6.1]# ps -aef | grep spam
spamd 7148 1 56 11:40 ?00:00:07 /usr/bin/spamd -d -a -q -x -u sp
root 7175 21623 0 11:40 pts/000:00:00 grep spam
[EMAIL PROTECTED] perl-5.6.1]# ps -aef | grep spam
spamd 7148 1 56 11:40 ?00:00:07 /usr/bin/spamd -d -a -q -x -u sp
root 7181 21623 0 11:40 pts/000:00:00 grep spam
lynn 7184 7183 0 11:40 ?00:00:00 /usr/bin/spamc -f
[EMAIL PROTECTED] perl-5.6.1]# ps -aef | grep spam
lynn 7184 7183 0 11:40 ?00:00:00 /usr/bin/spamc -f
root 7187 21623 0 11:40 pts/000:00:00 grep spam

-- My setup:

Red Hat 7.3
SA 2.64 (site wide install using /etc/procmailrc - see below)
Perl 5.6.1

-- Contents of /etc/procmailrc:

DROPPRIVS=yes
:0fw
| /usr/bin/spamc -f

-- From /var/log/maillog

Sep 17 11:20:24 wibble spamc[6273]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Sep 17 11:20:25 wibble spamc[6273]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Sep 17 11:20:26 wibble spamc[6273]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
Sep 17 11:20:27 wibble spamc[6273]: connection attempt to spamd aborted after 3 retries
configuring sa+amavisd on a domain level
Hi I would like to know if it is possible to have a per domain configuration using spamassassin 2.64 + amavisd p10 on a single server. I mean having one pair of spamassassin 2.64 + amavisd p10 processes handling with domain1 and domain2 for example , another pair handling with for domain3 etc etc . Thanks for the help. - alain -
Re: After starting spamd, spamc fails to connect to it and spamd stops running!?
Declan, Running both with -p 15505 returns the same error. Any more ideas? Many thanks... hugh - Original Message - From: Declan Moriarty [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, September 17, 2004 12:54 AM Subject: Re: After starting spamd, spamc fails to connect to it and spamd stops running!? On Fri, Sep 17, 2004 at 12:02:18PM +0100, [EMAIL PROTECTED] enlightened us thusly Will anyone please help me? I've recently had a working sitewide install of spamassassin stop working and it's very upsetting! :( Many thanks. They both accept a -p option for the port With Best Regards, Declan Moriarty
Re: Memory usage question
> Thanks for the reply! Here is the deal, we are currently deciding what we want to do next. Currently we have a Celeron 2.4 gig system with 256 megs of ram and a 40 gig hdd. In the past week or so our system has come to a halt, under 3 megs available, due to a bunch of emails coming in at once. At one point we hit 60 emails in a span of 5 minutes. It is a

You don't sound like you have a huge mail rate. But if you are using addon rules, you may be getting in the area of doubling or more the original number of rules, so you should probably at least double the memory requirement per spamassassin process (or process driver).

My suggestion is that that machine is plenty fast enough for you, but I would at least double the memory on it. If it's cheap I'd take it up to a gig or more and be done with it.

Loren
RE: Memory usage question
At 06:56 PM 9/16/2004 -0700, Robert Bartlett wrote:
> Thanks for the reply! Here is the deal, we are currently deciding what we want to do next. Currently we have a Celeron 2.4 gig system with 256 megs of ram and a 40 gig hdd. In the past week or so our system has come to a halt, under 3 megs available, due to a bunch of emails coming in at once. At one point we hit 60 emails in a span of 5 minutes.

Are you using the -m parameter of spamd to limit the number of children it will spawn? I'd suggest something like -m 6 to start with.
Re: New spammer trick?
Hi Loren,

> I suspect that is more of a broken spammer than a new trick.

Maybe both? :-)

> I can't see what good that line is going to do for the spammer.

Well, whoever replies to the spammer, telling him no matter what, mails his reply (usually including the quoted original mail) to everyone in the reply-to Line and therefore spreads it even further.

Andy.

--
o _ _ _ --- __o __o /\_ _ \\o (_)\__/o (_) -o) - _`\,__`\,__(_) (_)/_\_| \ _|/' \/ /\\ (_)/ (_) (_)/ (_) (_)(_) (_)(_)' _\o__\_v
Ceterum censeo Microsoftem esse delendam!
RE: Memory usage question
-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Friday, September 17, 2004 6:12 AM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: RE: Memory usage question

At 06:56 PM 9/16/2004 -0700, Robert Bartlett wrote:

Thanks for the reply! Here is the deal, we are currently deciding what we want to do next. Currently we have a Celeron 2.4 gig system with 256 megs of ram and a 40 gig hdd. In the past week or so our system has come to a halt, under 3 megs available, due to a bunch of emails coming in at once. At one point we hit 60 emails in a span of 5 minutes.

Are you using the -m parameter of spamd to limit the number of children it will spawn? I'd suggest something like -m 6 to start with.

Yeah it is setup for 50:

-d -c -a -m50 -u user -v -H

-d, --daemonize  Daemonize
-c, --create-prefs  Create user preferences files
-a, --auto-whitelist, --whitelist  Use auto-whitelists
-u username, --username=username  Run as username
-v, --vpopmail  Enable vpopmail config
-H dir  Specify a different HOME directory, path optional
RE: Memory usage question
-Original Message- From: Robert Bartlett [mailto:[EMAIL PROTECTED] Sent: Friday, September 17, 2004 9:24 AM To: users@spamassassin.apache.org Subject: RE: Memory usage question -Original Message- From: Matt Kettler [mailto:[EMAIL PROTECTED] Sent: Friday, September 17, 2004 6:12 AM To: [EMAIL PROTECTED]; users@spamassassin.apache.org Subject: RE: Memory usage question At 06:56 PM 9/16/2004 -0700, Robert Bartlett wrote: Thanks for the reply! Here is the deal, we are currently deciding what we want to do next. Currently we have a Celeron 2.4 gig system with 256 megs of ram and a 40 gig hdd. In the past week or so our system has come to a halt, under 3 megs available, due to a bunch of emails coming in at once. At one point we hit 60 emails in a span of 5 minutes. Are you using the -m parameter of spamd to limit the number of children it will spawn? I'd suggest something like -m 6 to start with. Yeah it is setup for 50: -d -c -a -m50 -u user -v -H -d, --daemonizeDaemonize -c, --create-prefs Create user preferences files -a, --auto-whitelist, --whitelist Use auto-whitelists -u username, --username=username Run as username -v, --vpopmail Enable vpopmail config -H dir Specify a different HOME directory, path optional Yeah, bring that 50 down a little :) Maybe 10. More memory NEVER hurt anyone! Currently with BigEvil I'm running 51 megs for spamd!!! But the record on a production server is something like 145. I think it was a crazy german ;) Your memory usage looks pretty normal. I haven't updated BE in a while. Plan on doing this afternoon. For the remaining people using BE, WTH is wrong with you? :-) --Chris
RE: After starting spamd, spamc fails to connect to it and spamd stops running!?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, September 17, 2004 7:02 AM To: users@spamassassin.apache.org Subject: After starting spamd, spamc fails to connect to it and spamd stops running!? Will anyone please help me? I've recently had a working sitewide install of spamassassin stop working and it's very upsetting! :( Many thanks. hugh -- My problem: *snip* -- My setup: Red Hat 7.3 SA 2.64 (site wide install using /etc/procmailrc - see below) Perl 5.6.1 -- Contents of /etc/procmailrc: DROPPRIVS=yes :0fw | /usr/bin/spamc -f -- From /var/log/maillog Sep 17 11:20:24 wibble spamc[6273]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused Sep 17 11:20:25 wibble spamc[6273]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused Sep 17 11:20:26 wibble spamc[6273]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused Sep 17 11:20:27 wibble spamc[6273]: connection attempt to spamd aborted after 3 retries It might be a permissions problem. Can you call spamc with the -u and a particular user with permissions? --Chris
Re: After starting spamd, spamc fails to connect to it and spamd stops running!?
On Fri, Sep 17, 2004 at 12:02:18PM +0100, [EMAIL PROTECTED] wrote:
> Will anyone please help me? I've recently had a working sitewide install of spamassassin stop working and it's very upsetting! :(

Wotcher Hugh :)

Do you have any monitoring task scanning port 783? There's a bug in spamd in 2.6x, whereby opening a socket and closing it without a transaction makes it crash.

Failing that, try using the -D option for debug messages and see if anything shows up there.

Nick
RE: Memory usage question
At 09:23 AM 9/17/2004, Robert Bartlett wrote:
>> Are you using the -m parameter of spamd to limit the number of children it will spawn? I'd suggest something like -m 6 to start with.
>
> Yeah it is setup for 50:
> -d -c -a -m50 -u user -v -H

50 is a LOT of spamd's... even at the low-end of 15mb each that's 750mb of memory allocation.

Since your box has 256mb of physical ram, I'd limit it to maximum of 256mb/15mb = 17 spamd's at the highest. I'd really suggest using something much lower like 10 unless you add some ram.
Re: Memory usage question
On Fri, Sep 17, 2004 at 10:42:20AM -0400, Matt Kettler wrote:
> Since your box has 256mb of physical ram, I'd limit it to maximum of 256mb/15mb = 17 spamd's at the highest. I'd really suggest using something much lower like 10 unless you add some ram.

Even this seems to be dangerous (sometimes). We just had a crash of the spamd-server, seemingly by being hit with lots of maximally large mails at the same time. So a system with 1G Memory (+2GSwap) DualPentium4 simply stopped completely just by crowding its space with max 32 copies of spamd (each forking with near 50M). The system was too slow to reboot correctly and had to be 'reset' and fsck-ed.

So you have to watch closely, if the system is as small as the above. Better invest in lots of memory...

Stucki

--
Christoph von Stuckrad * * |nickname |[EMAIL PROTECTED]\
Freie Universitaet Berlin |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Fachbereich Mathematik, EDV|\ *|if online|Tel(else):+49 30 77 39 6600|
Arnimallee 2-6/14195 Berlin* * |on IRCnet|Fax(alle):+49 30 838-75454/
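The sizing arithmetic used in the messages above (RAM divided by per-child RSS), as an added Python example that is not from the thread: it reads spamd RSS from ps-style output, extracts the configured -m value, and reports whether that setting can overcommit memory. The ps listing is constructed apart from the 24300 KiB RSS and the spamd flags quoted in the thread; the `reserved_mib` parameter is a hypothetical allowance for other services.

```python
import os
import re

# Constructed `ps -eo pid,rss,args` output (RSS in KiB). The 24300 figure and
# the spamd flags are the ones quoted in the thread; the rest is made up.
SAMPLE_PS = """\
  PID   RSS COMMAND
 7148 24300 /usr/bin/spamd -d -c -a -m50 -u user -v -H
 7201 25100 /usr/bin/spamd -d -c -a -m50 -u user -v -H
 7202 26624 /usr/bin/spamd -d -c -a -m50 -u user -v -H
 7310 18000 /usr/sbin/clamd
"""


def spamd_processes(ps_output):
    """Return (rss_kib, args) for every spamd process in the ps output."""
    found = []
    for line in ps_output.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[1].isdigit():
            continue  # header or malformed line
        args = fields[2]
        # spamd can appear as "/usr/bin/spamd ..." or "perl ... /usr/bin/spamd ...".
        if any(os.path.basename(tok) == "spamd" for tok in args.split()[:4]):
            found.append((int(fields[1]), args))
    return found


def configured_max_children(args):
    """Extract the -m / --max-children value from a spamd command line."""
    tokens = args.split()
    for i, tok in enumerate(tokens):
        m = re.fullmatch(r"-m(\d+)|--max-children=(\d+)", tok)
        if m:
            return int(m.group(1) or m.group(2))
        if tok in ("-m", "--max-children") and i + 1 < len(tokens) \
                and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None


def max_children(ram_mib, per_child_mib, reserved_mib=0):
    """Largest child count whose combined RSS fits in RAM minus a reserve."""
    if per_child_mib <= 0:
        raise ValueError("per_child_mib must be positive")
    return max(int((ram_mib - reserved_mib) // per_child_mib), 0)


def assess(ps_output, ram_mib, reserved_mib=0):
    """Compare the configured -m value with what physical RAM can hold."""
    procs = spamd_processes(ps_output)
    if not procs:
        raise ValueError("no spamd process found")
    # RSS counts pages shared between forked children, so summing it
    # overestimates real use; the resulting ceiling errs on the safe side.
    peak_mib = max(rss for rss, _ in procs) / 1024
    configured = configured_max_children(procs[0][1])
    ceiling = max_children(ram_mib, peak_mib, reserved_mib)
    return {
        "peak_mib": peak_mib,
        "configured": configured,
        "ceiling": ceiling,
        "worst_case_mib": None if configured is None else configured * peak_mib,
        "overcommitted": configured is not None and configured > ceiling,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PS, ram_mib=256))
    print("thread figures:", max_children(256, 15), max_children(1024, 50))
```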
EIP in 3.0 rc5 on FC2
Hello all,

I was wondering if someone can help me out? 3.0 RC1 was real stable for me. Should I downgrade or do I need to update additional software. This machine is RH FC2 with all security updates, and patches.

Thanks,
Jeff

Sep 16 15:23:21 mail1 kernel: [ cut here ]
Sep 16 15:23:21 mail1 kernel: kernel BUG at mm/rmap.c:410!
Sep 16 15:23:21 mail1 kernel: invalid operand: [#1]
Sep 16 15:23:21 mail1 kernel: Modules linked in: wcfxo(U) wcfxs(U) zaptel(U) crc_ccitt ip_conntrack_irc ip_nat_ftp ip_conntrack_ftp ipt_state ipt_multiport ipt_esp ipt_ah ipt_TOS ipt_tcpmss ipt_mark ipt_REJECT ipt_owner ipt_MASQUERADE ipt_limit ipt_LOG iptable_nat iptable_mangle iptable_filter ip_tables ip_conntrack md5 ipv6 e1000 dm_mod uhci_hcd ehci_hcd button battery asus_acpi ac ext3 jbd ata_piix sata_promise libata sd_mod scsi_mod
Sep 16 15:23:21 mail1 kernel: CPU:0
Sep 16 15:23:21 mail1 kernel: EIP:0060:[0215464a]Not tainted
Sep 16 15:23:21 mail1 kernel: EFLAGS: 00010246 (2.6.8-1.521)
Sep 16 15:23:21 mail1 kernel: EIP is at page_remove_rmap+0x17/0x8f
Sep 16 15:23:21 mail1 kernel: eax: 2002006c ebx: 03971d60 ecx: 03f71d40 edx: 03971d60
Sep 16 15:23:21 mail1 kernel: esi: edi: 2000 ebp: 3a0f415c esp: 2182dbfc
Sep 16 15:23:21 mail1 kernel: ds: 007b es: 007b ss: 0068
Sep 16 15:23:21 mail1 kernel: Process spamd (pid: 8465, threadinfo=2182d000 task=754e60b0)
Sep 16 15:23:21 mail1 kernel: Stack: 0214d1c2 4b8eb005 3000 00855000 023c9cf4 00855000 00858000 3513f00c
Sep 16 15:23:21 mail1 kernel:023c9cf4 0214d25f 3000 00855000 3513f00c 00858000 023c9cf4
Sep 16 15:23:21 mail1 kernel:0214d2b6 3000 2182dca4 00855000 36f6da50 00858000 0214d3c1
RE: EIP in 3.0 rc5 on FC2
I had similar problems, not related to SA though, and found that the mm application was trying to allocate randomly high memory locations. Turned out to be a bad memory chip. Using the Fedora core 2 boot disk I did a memtest86... Might be worth the extra hour... From: jeff jones [mailto:[EMAIL PROTECTED] Sent: Fri 9/17/2004 8:04 AM To: users@spamassassin.apache.org Subject: EIP in 3.0 rc5 on FC2 Hello all, I was wondering is someone can help me out? 3.0 RC1 was real stable for me. Should I downgrade or do I need to update additional software. This machine is RH FC2 with all security updates, and patches. Thanks, Jeff Sep 16 15:23:21 mail1 kernel: [ cut here ] Sep 16 15:23:21 mail1 kernel: kernel BUG at mm/rmap.c:410! Sep 16 15:23:21 mail1 kernel: invalid operand: [#1] Sep 16 15:23:21 mail1 kernel: Modules linked in: wcfxo(U) wcfxs(U) zaptel(U) crc_ccitt ip_conntrack_irc ip_nat_ftp ip_conntrack_ftp ipt_state ipt_multiport ipt_esp ipt_ah ipt_TOS ipt_tcpmss ipt_mark ipt_REJECT ipt_owner ipt_MASQUERADE ipt_limit ipt_LOG iptable_nat iptable_mangle iptable_filter ip_tables ip_conntrack md5 ipv6 e1000 dm_mod uhci_hcd ehci_hcd button battery asus_acpi ac ext3 jbd ata_piix sata_promise libata sd_mod scsi_mod Sep 16 15:23:21 mail1 kernel: CPU:0 Sep 16 15:23:21 mail1 kernel: EIP:0060:[0215464a]Not tainted Sep 16 15:23:21 mail1 kernel: EFLAGS: 00010246 (2.6.8-1.521) Sep 16 15:23:21 mail1 kernel: EIP is at page_remove_rmap+0x17/0x8f Sep 16 15:23:21 mail1 kernel: eax: 2002006c ebx: 03971d60 ecx: 03f71d40 edx: 03971d60 Sep 16 15:23:21 mail1 kernel: esi: edi: 2000 ebp: 3a0f415c esp: 2182dbfc Sep 16 15:23:21 mail1 kernel: ds: 007b es: 007b ss: 0068 Sep 16 15:23:21 mail1 kernel: Process spamd (pid: 8465, threadinfo=2182d000 task=754e60b0) Sep 16 15:23:21 mail1 kernel: Stack: 0214d1c2 4b8eb005 3000 00855000 023c9cf4 00855000 00858000 3513f00c Sep 16 15:23:21 mail1 kernel:023c9cf4 0214d25f 3000 00855000 3513f00c 00858000 023c9cf4 Sep 16 15:23:21 mail1 kernel:0214d2b6 3000 2182dca4 
00855000 36f6da50 00858000 0214d3c1
Re: EIP in 3.0 rc5 on FC2
On Fri, 2004-09-17 at 11:04, jeff jones wrote: Hello all, I was wondering is someone can help me out? 3.0 RC1 was real stable for me. Should I downgrade or do I need to update additional software. This machine is RH FC2 with all security updates, and patches. Thanks, Jeff Sep 16 15:23:21 mail1 kernel: [ cut here ] Sep 16 15:23:21 mail1 kernel: kernel BUG at mm/rmap.c:410! Sep 16 15:23:21 mail1 kernel: invalid operand: [#1] Sep 16 15:23:21 mail1 kernel: Modules linked in: wcfxo(U) wcfxs(U) zaptel(U) crc_ccitt ip_conntrack_irc ip_nat_ftp ip_conntrack_ftp ipt_state ipt_multiport ipt_esp ipt_ah ipt_TOS ipt_tcpmss ipt_mark ipt_REJECT ipt_owner ipt_MASQUERADE ipt_limit ipt_LOG iptable_nat iptable_mangle iptable_filter ip_tables ip_conntrack md5 ipv6 e1000 dm_mod uhci_hcd ehci_hcd button battery asus_acpi ac ext3 jbd ata_piix sata_promise libata sd_mod scsi_mod Sep 16 15:23:21 mail1 kernel: CPU:0 Sep 16 15:23:21 mail1 kernel: EIP:0060:[0215464a]Not tainted Sep 16 15:23:21 mail1 kernel: EFLAGS: 00010246 (2.6.8-1.521) Sep 16 15:23:21 mail1 kernel: EIP is at page_remove_rmap+0x17/0x8f Sep 16 15:23:21 mail1 kernel: eax: 2002006c ebx: 03971d60 ecx: 03f71d40 edx: 03971d60 Sep 16 15:23:21 mail1 kernel: esi: edi: 2000 ebp: 3a0f415c esp: 2182dbfc Sep 16 15:23:21 mail1 kernel: ds: 007b es: 007b ss: 0068 Sep 16 15:23:21 mail1 kernel: Process spamd (pid: 8465, threadinfo=2182d000 task=754e60b0) Sep 16 15:23:21 mail1 kernel: Stack: 0214d1c2 4b8eb005 3000 00855000 023c9cf4 00855000 00858000 3513f00c Sep 16 15:23:21 mail1 kernel:023c9cf4 0214d25f 3000 00855000 3513f00c 00858000 023c9cf4 Sep 16 15:23:21 mail1 kernel:0214d2b6 3000 2182dca4 00855000 36f6da50 00858000 0214d3c1 If failed to mention I am currently running SA3.0 rc5 on RedHat FC2 with all the patches and security updates. And that SA3.0 rc1 was real stable for me. If you need any other info please let me know. Thanks, Jeff
rule idea for catching 'zombie spam relays' and question of my logic
I found this type of rule to be very helpful in catching 'zombie spam relay' emails from specific 'problem' networks.

The problem I faced with an all inclusive ban on these networks was that our customers connect to our SMTP servers from all around the world. Banning Dynamic, DSL, Cable, or Dialup connections at the SMTP level was not an option, because that would prevent our customers from establishing a valid SMTP connection to us.

Luckily, our Spam Assassin configuration is set up to bypass Spam Assassin processing when a customer has authenticated themselves for the SMTP connection. So 'local to local' and 'local to remote' deliveries are not scanned, and are not affected by these rules. I can safely assume any mail running through Spam Assassin is from a remote sender intended for a local customer.

When Spam Assassin receives an email (at least under my setup), the first line of that email is always the Received line added by our SMTP server. With this in mind, I created a number of rules like this, which are based on the dynamic / cable / dialup / DSL host names of large ISPs:

describe SKM_SPAM_HOST_3 Received via Insecure Networks - *.user.veloxzone.com.br
full SKM_SPAM_HOST_3 /^[^\n]+\.user\.veloxzone\.com\.br\b/i
score SKM_SPAM_HOST_3 0.1

describe SKM_SPAM_HOST_25 Received via Insecure Networks - *.pool*.interbusiness.it
full SKM_SPAM_HOST_25 /^[^\n]+\.pool\d+\.interbusiness\.it\b/i
score SKM_SPAM_HOST_25 0.1

This rule will match hosts like 123-123-123-123.pool54321.interbusiness.it in the first line of the email (which is our SMTP Received line).

In my logic, there is no valid reason that a remote sender would connect directly to our SMTP server from their dynamic/DSL/cable IP to send our customers an email ... I think? Valid 'remote to local' emails being sent from these DSL/cable/dialup IP would normally be relayed via their own network's SMTP server, which would then be delivered to us by a host that didn't match the dynamic/DSL/cable custom rule. Right? It would either be a 'zombie' spam relay, or someone who setup a SMTP server on a dynamic IP (which just isn't what valid businesses do ... )?

So far I have had 100% spam, 0% ham marked by these rules. Does anyone see any error in this logic? I would like to begin automatically deleting emails that match these rules, but I am curious if there are obscure cases where a non-authenticated SMTP connection (remote to local), delivering a valid email, would be connecting from these dynamic/DSL/cable IPs?

Thanks in advance,
Shane

P.S. If there isn't some sort of error in this logic, I will be happy to post the full set of rules which match the 20-30 major 'zombie relay' networks that we receive Spam from.
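How the two rules in the message above anchor to the first line of the message, reproduced in Python as an added example (not part of the original post). The patterns are the ones posted; the sample messages are constructed, using documentation IP ranges and example.* relay names, and the veloxzone host label is made up.

```python
import re

# The two rules quoted in the post as (name, pattern, score). Perl's /i maps to
# re.IGNORECASE. MULTILINE is deliberately not set: as in Perl without /m,
# ^ matches only at the very start of the message, and [^\n]+ cannot cross a
# line break, so only the first physical line is ever examined.
RULES = [
    ("SKM_SPAM_HOST_3",
     re.compile(r"^[^\n]+\.user\.veloxzone\.com\.br\b", re.I), 0.1),
    ("SKM_SPAM_HOST_25",
     re.compile(r"^[^\n]+\.pool\d+\.interbusiness\.it\b", re.I), 0.1),
]

TAIL = "From: sender@example.org\nSubject: constructed sample\n\nbody\n"

# Constructed: dynamic host connects straight to the receiving server.
DIRECT = (
    "Received: from 123-123-123-123.pool54321.interbusiness.it (192.0.2.10)"
    " by mx.example.com with SMTP; Fri, 17 Sep 2004 10:00:00 -0700\n" + TAIL
)

# Constructed: same kind of host, upper-case name, to exercise the /i flag.
DIRECT_UPPER = (
    "Received: from HOST7.USER.VELOXZONE.COM.BR (203.0.113.7)"
    " by mx.example.com with SMTP; Fri, 17 Sep 2004 10:01:00 -0700\n" + TAIL
)

# Constructed: the dynamic host handed the mail to its provider's relay, so
# it appears only in the second Received line and the rule stays silent.
RELAYED = (
    "Received: from smtp.example.net (198.51.100.5)"
    " by mx.example.com with SMTP; Fri, 17 Sep 2004 10:02:00 -0700\n"
    "Received: from 123-123-123-123.pool54321.interbusiness.it (192.0.2.10)"
    " by smtp.example.net with ESMTP; Fri, 17 Sep 2004 10:01:30 -0700\n" + TAIL
)

# Constructed edge case: the receiving server folds its Received header and
# the host name lands on the continuation line, which [^\n]+ never reaches.
FOLDED = (
    "Received: from unknown (HELO mail)\n"
    "\t(host7.user.veloxzone.com.br [203.0.113.7])"
    " by mx.example.com with SMTP; Fri, 17 Sep 2004 10:03:00 -0700\n" + TAIL
)


def rule_hits(raw_message):
    """Names of the rules whose pattern matches the raw message."""
    return [name for name, rx, _score in RULES if rx.search(raw_message)]


def rule_score(raw_message):
    """Sum of the scores of all matching rules."""
    total = sum(s for _name, rx, s in RULES if rx.search(raw_message))
    return round(total, 2)


if __name__ == "__main__":
    samples = [("direct", DIRECT), ("direct, upper-case", DIRECT_UPPER),
               ("via provider relay", RELAYED), ("folded header", FOLDED)]
    for label, raw in samples:
        print(f"{label:20s} hits={rule_hits(raw)} score={rule_score(raw)}")
```

The folded-header case is worth checking against the Received line the local SMTP server actually writes before any rule of this shape is used to delete mail.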
Re: Memory usage question
On Friday 17 September 2004 07:05, Chris Santerre wrote: Yeah, bring that 50 down a little :) Maybe 10. More memory NEVER hurt anyone! Currently with BigEvil I'm running 51 megs for spamd!!! But the record on a production server is something like 145. I think it was a crazy german ;) Your memory usage looks pretty normal. I haven't updated BE in a while. Plan on doing this afternoon. For the remaining people using BE, WTH is wrong with you? :-) Chris I know it's not needed but with 3.0rc4 running big evil and a few other custom rules spamd is at 53 megs and I have 5 children processes that are each eating about 56 megs apiece. I wondered if it was true but each child shows slightly different memory usage so they are reading separately. My system has 1 gig of ram and almost 4 gigs of swap. It doesn't use the swap much though. I run my system just for me right now so no other users and it filterers out about 1000 spams a day out of a total of 2000 emails a day or so at peak. I'm also running the surbl lists on this server. I upgraded from an older spamassassin install and just haven't gotten around to cleaning out the old files yet. Hey though since I went to spamassassin 3.0 I have only had about 2 or 3 emails get through in the last 2 or 3 months. With 1000 spam emails a day that's not bad. -- -~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~- Brook Humphrey Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107 http://www.webmedic.net, [EMAIL PROTECTED], [EMAIL PROTECTED] Holiness unto the Lord -~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
RE: Memory usage question
-Original Message- From: Robert Bartlett [mailto:[EMAIL PROTECTED] Sent: Friday, September 17, 2004 10:12 AM To: users@spamassassin.apache.org Subject: RE: Memory usage question -Original Message- From: Brook Humphrey [mailto:[EMAIL PROTECTED] Sent: Friday, September 17, 2004 10:04 AM To: users@spamassassin.apache.org Subject: Re: Memory usage question On Friday 17 September 2004 07:05, Chris Santerre wrote: Yeah, bring that 50 down a little :) Maybe 10. More memory NEVER hurt anyone! Currently with BigEvil I'm running 51 megs for spamd!!! But the record on a production server is something like 145. I think it was a crazy german ;) Your memory usage looks pretty normal. I haven't updated BE in a while. Plan on doing this afternoon. For the remaining people using BE, WTH is wrong with you? :-) Chris I know it's not needed but with 3.0rc4 running big evil and a few other custom rules spamd is at 53 megs and I have 5 children processes that are each eating about 56 megs apiece. I wondered if it was true but each child shows slightly different memory usage so they are reading separately. My system has 1 gig of ram and almost 4 gigs of swap. It doesn't use the swap much though. I run my system just for me right now so no other users and it filterers out about 1000 spams a day out of a total of 2000 emails a day or so at peak. I'm also running the surbl lists on this server. I upgraded from an older spamassassin install and just haven't gotten around to cleaning out the old files yet. Hey though since I went to spamassassin 3.0 I have only had about 2 or 3 emails get through in the last 2 or 3 months. With 1000 spam emails a day that's not bad. 
-- -~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~ `'~- Brook Humphrey Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107 http://www.webmedic.net, [EMAIL PROTECTED], [EMAIL PROTECTED] Holiness unto the Lord -~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~ `'~- Were do you change the count again? I keep forgetting. (I mean what file do I edit to lower m50, Im going to try m10 until we upgrade our memory) Nevermind, I found it
Bayes user mysql and SA3.0 RC5
I checked the doc's archive however, I can not find a solution to my problem. What I am trying to do is have different users in Mysql bayes db. I am using Spamd with the following start options: -d -c -m6 -H -i0.0.0.0 -A192.168.0 -D -x -s /var/log/spamd.log When I do a spamassassin --lint -D it lint's ok. I have this setup on another machine under cygwin, and it works ok. I am communicating through spamc and am passing the user that I want spamd to use for the bayes db (user prefs aren't important here, just want to get bayes setup) with x I got rid of the user not found errors. Is there any way I can have spamd use the user that spamc passes it? Etc [EMAIL PROTECTED] As of yet it's using root to connect to the mysql db. Any thoughts? Need more info? Thanks, James
Re: Bayes user mysql and SA3.0 RC5
Quoting James [EMAIL PROTECTED]: I checked the doc's archive however, I can not find a solution to my problem. What I am trying to do is have different users in Mysql bayes db. I am using Spamd with the following start options: -d -c -m6 -H -i0.0.0.0 -A192.168.0 -D -x -s /var/log/spamd.log When I do a spamassassin --lint -D it lint's ok. I have this setup on another machine under cygwin, and it works ok. I am communicating through spamc and am passing the user that I want spamd to use for the bayes db (user prefs aren't important here, just want to get bayes setup) with x I got rid of the user not found errors. Is there any way I can have spamd use the user that spamc passes it? Etc [EMAIL PROTECTED] As of yet it's using root to connect to the mysql db. using -x disables user config so you should remove that parameter from the startup script. If you are getting user not found errors without the -x then there is something else wrong and i unfortunately do not know what it is. -Jim
Re: How long for changes to mail list settings to take effect?
On Wednesday 15 September 2004 10:55, Dougie Nisbet wrote: Yesterday I changed my list settings to Digest mode. I'm still getting individual emails. Does anyone know how long it takes for the change to take effect? Dougie Ok, perhaps I'm looking in the wrong place. Is it http://wiki.apache.org/spamassassin/MailingLists I should be looking at? Can't see anything there about how to change my subscription to the list or to unsubscribe. How do I modify or delete my subscription? I see from the full headers from my mails that there's a header field entitled: list-unsubscribe: mailto:[EMAIL PROTECTED] I'll give that a go. But if possible I'd prefer a digest mode. I can't really keep up with the traffic but I don't want to lose the flow of developments completely. Oh well. Ho Hum. If my email to the unsubscribe works, then, BFN.
dnsbl tests apparently not running
I'm running spamassassin 3.0rc4 on OpenBSD sparc64. Dnsbl tests don't appear to be running, and when running make test, I get: t/dnsbl.skipped all skipped: no reason given I had originally checked the option to skip network checks during the test, but ran make clean and selected the option to do the tests the second time around. And, in any event, the checks should be working when SA itself is run, right? I checked and RBL checks etc. aren't disabled in my user_prefs or in local.cf. I'm not 1000% sure they're not being run, but relatively certain from looking at the SA markup in messages I've received. Any good way to test this or figure out why it might be happening? Running SA on a mailbox or message in debug mode does not appear to show any dnsbl tests happening. Also, the SPF plugin is enabled, but when I send messages from a host not authorized to send mail for my domain, I don't see any SA markup about SPF checks failing in the received messages.
Re: dnsbl tests apparently not running
On Fri, Sep 17, 2004 at 03:17:52PM -0700, Will Yardley wrote: And, in any event, the checks should be working when SA itself is run, right? I checked and RBL checks etc. aren't disabled in my user_prefs or As usual, run with -D it tells you what's going on. Running SA on a mailbox or message in debug mode does not appear to show any dnsbl tests happening. You have Net::DNS installed and the debug output shows it's available? We can't really give you any feedback unless you share more information (perhaps the -D output...) -- Randomly Generated Tagline: He's NOT the Messiah, he's a very naughty boy! - MP
Re: dnsbl tests apparently not running
On Fri, Sep 17, 2004 at 06:20:47PM -0400, Theo Van Dinter wrote: On Fri, Sep 17, 2004 at 03:17:52PM -0700, Will Yardley wrote: Running SA on a mailbox or message in debug mode does not appear to show any dnsbl tests happening. You have Net::DNS installed and the debug output shows it's available? It's not installed. Sorry for not noticing that in the debug output. Shouldn't the SA build test process be a little more verbose about this, though, and at least spit out some warnings about missing Perl modules? While the dnsbl tests may not be necessary for SA to work, it's certainly a lot more effective with them. (and yes, I realize that if I installed it from CPAN, it would probably work better, and I'll consider that in the future). mitch% perl -MNet::DNS Can't locate Net/DNS.pm in @INC (@INC contains: /usr/libdata/perl5/sparc64-openbsd/5.8.2 /usr/local/libdata/perl5/sparc64-openbsd/5.8.2 /usr/libdata/perl5 /usr/local/libdata/perl5 /usr/local/libdata/perl5/site_perl/sparc64-openbsd /usr/libdata/perl5/site_perl/sparc64-openbsd /usr/local/libdata/perl5/site_perl /usr/libdata/perl5/site_perl /usr/local/lib/perl5/site_perl .). BEGIN failed--compilation aborted. Installing now...
Re: dnsbl tests apparently not running
On Fri, Sep 17, 2004 at 03:30:36PM -0700, Will Yardley wrote: Shouldn't the SA build test process be a little more verbose about this, though, and at least spit out some warnings about missing Perl modules? While the dnsbl tests may not be necessary for SA to work, it's certainly a lot more effective with them. That's just it though -- it's optional, as you've stated. Just because it makes SA more effective doesn't make it required. ;) -- Randomly Generated Tagline: Holy DNS batman, you aren't on my list! - Error message
Re: rule idea for catching 'zombie spam relays' and question of my logic
Loren Wilton wrote: In my logic, there is no valid reason that a remote sender would connect directly to our SMTP server from their dynamic/DSL/cable IP to send our customers an email ... I think ? Valid 'remote to local' emails being sent from these DSL/cable/dialup IP would normally be relayed via their own network's SMTP server, which would then be delivered to us by a host that didn't match the dynamic/DSL/cable custom rule. Right? It would either be a 'zombie spam relay', or someone who set up an SMTP server on a dynamic IP (which just isn't what valid businesses do ... )? I think your reasoning is generally sound. I think though that it is probably possible for someone to have a 'valid business' with a small server (or maybe even single machine) on a DSL or the like connection. I would hope though that it wouldn't be dynamic IP. Although I suppose it might be if their telco has problems giving out fixed IP addresses. I'm not sure how DNS would manage to resolve foobar.com down to them if the ip address keeps changing though. My guess is that you could potentially be locking out some few mom-n-pop businesses from your network. I think I'd balance that against locking out the zombies and plain stupid spammers, and probably come down on the side of doing it anyway. On the plus side, any legitimate service run on those addresses can _still_ send its outgoing email through the ISP's mail servers (even if they have their own local mail server, it can still be configured to send outgoing email through their ISP instead of direct to the target mail servers). So, the mom'n'pop businesses have no excuse, except maybe their own ineptitude, which is not (in my book) an acceptable excuse. They'll also have to remember to factor their ISP into their SPF plan, too. On the minus side, for the general case (which may not apply to the original poster): you might have some of your own employees set up to send their email straight from home to work (esp. if it's a laptop, where one SMTP server set up is easier for roaming than having 1 account with multiple SMTP servers based upon where the user happens to be sitting at that point in time). There are ways of dealing with those people (SMTP-AUTH, message submission port, 2nd server, VPN, etc.), but you still have to factor them into your plan if they exist in your setup. Otherwise ... you're right: there's no good reason to accept messages sent from dynamic IP address blocks. Even if they are a mom'n'pop type legit business, they can send it through their ISP's SMTP server instead of connecting directly to you.
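The check discussed in this thread, sketched as an added example (not code from any poster or from SpamAssassin): it classifies the Received header stamped by the receiving MX and exempts SMTP-AUTH submissions, the roaming-employee case raised above. The hostname patterns, the name mx.example.org and the Postfix-style header layout are assumptions.

```python
import re

# Constructed heuristics (assumption): labels common in consumer-pool rDNS names.
DYNAMIC_RDNS = re.compile(
    r"(?:^|[.-])(?:a?dsl|cable|dial(?:up|in)?|dyn(?:amic)?|dhcp|pool|ppp)(?:[.-]|\d)",
    re.IGNORECASE)
# Four numeric groups embedded in the name, e.g. 203-0-113-45.
EMBEDDED_IP = re.compile(r"(?<!\d)(?:\d{1,3}[.-]){3}\d{1,3}(?!\d)")
# Assumed Postfix-style layout: from HELO (RDNS [IP]) by MX ... with PROTO
RECEIVED = re.compile(
    r"from\s+\S+\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bwith\s+(?P<proto>\w+)", re.DOTALL)

def classify_handoff(received, local_mx="mx.example.org"):
    """Classify the Received header stamped by our own MX (the only trusted one)."""
    m = RECEIVED.search(received)
    if not m or not re.search(r"\bby\s+" + re.escape(local_mx), received):
        return "unparsed"
    # RFC 3848: ESMTPA / ESMTPSA mean the client authenticated with SMTP AUTH.
    if m["proto"].upper() in ("ESMTPA", "ESMTPSA"):
        return "authenticated"
    rdns = m["rdns"].lower()
    if rdns == "unknown":
        return "no-rdns"
    if DYNAMIC_RDNS.search(rdns) or EMBEDDED_IP.search(rdns):
        return "dynamic-direct"
    return "ok"

# Constructed sample headers (documentation addresses and example domains).
SAMPLES = {
    "direct_from_dsl": "Received: from [192.0.2.77] "
        "(cpe-203-0-113-45.dsl.example.net [203.0.113.45])\n"
        "\tby mx.example.org (Postfix) with ESMTP id 4F2A1",
    "via_isp_relay": "Received: from smtp-out.isp.example "
        "(smtp-out.isp.example [198.51.100.10])\n"
        "\tby mx.example.org (Postfix) with ESMTP id 4F2A2",
    "roaming_employee": "Received: from laptop "
        "(host-198-51-100-99.cable.example.net [198.51.100.99])\n"
        "\tby mx.example.org (Postfix) with ESMTPSA id 4F2A3",
    "no_rdns": "Received: from mail (unknown [192.0.2.200])\n"
        "\tby mx.example.org (Postfix) with ESMTP id 4F2A4",
}

def classify_all(samples=SAMPLES):
    return {name: classify_handoff(hdr) for name, hdr in samples.items()}
```

A small business mailing directly from a static DSL line would also land in "dynamic-direct" under these patterns, which is the false-positive trade-off weighed in the replies.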