Re: A simple way to...
- Original Message - From: Ryan Thompson [EMAIL PROTECTED]

Robin Lynn Frank wrote to users@spamassassin.apache.org:

We use SA 3.0.0 with MySQL so we can extract certain AWL data and use it at the MTA level. However, since SA doesn't have an auto-blacklist feature,

Hi Robin, Actually, AutoWhiteList (AWL) is a bit of a misnomer. AWL maintains average message scores for sender/class-B tuples, so, in effect, it is also an auto blacklist, because repeat spam senders will have high average scores in the AWL database.

I'd like to find a relatively simple way to extract IP addresses from emails that contain spam. If it is of any importance, we invoke SA via amavisd-new.

See, for instance, the check_whitelist script in the tools/ directory of the distribution. I get output like this:

-4.5 (-35.6/8) -- [EMAIL PROTECTED]|ip=64.59
9.3(27.9/3) -- [EMAIL PROTECTED]|ip=65.39

The first line is for a user that sends ham, so his/her score on future messages would be pushed closer to -4.5. The second line is for a user that sends spam, so, if they sent a more hammy message later, the AWL would likely *add* points to the message, while decreasing the average slightly. It works both ways.

If you want to use this at the MTA level, I could envision you wanting to grab, say, every entry over a certain average score and potentially greylist based on that or something.

I'm wondering if the devs have considered changing the name associated with AWL from auto-whitelisting to something more descriptive of what AWL actually does, maybe something like auto-weight-leveling?

Bill
after upgrade
Hello guys,

I have a serious problem here, and I need some help, plz! After the upgrade from version 2.64 to version 3.0.0, SA stopped working as before... most of the SPAM going to my server isn't marked as SPAM... So I noticed that almost all headers had a USER_IN_WHITELIST in it.

---
X-Spam-Status: No, hits=-88.6 required=5.0 tests=BR_RECEIVED_SPAMMER,
FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,HTML_FONT_BIG,HTML_MESSAGE,
HTML_TAG_EXIST_TBODY,INVALID_DATE,MIME_BASE64_TEXT,
MIME_BOUND_NEXTPART,MIME_HTML_ONLY,PLING_PLING,USER_IN_WHITELIST
autolearn=no version=3.0.0
---

I've checked every configuration file as well as the user_prefs files and didn't find any whitelist entry.

I'm using SA 3.0.0 with Qmail-scanner 1.23. This is the command line I'm using:

spamd -d -v -u vpopmail -s /var/log/spamd.log

Thanks in advance! Best regards

-- Marcos Saint'Anna [EMAIL PROTECTED]
Re: A simple way to...
On Sat, 9 Oct 2004 15:41:37 -0600 (CST) Ryan Thompson [EMAIL PROTECTED] wrote:

Robin Lynn Frank wrote to users@spamassassin.apache.org:

We use SA 3.0.0 with MySQL so we can extract certain AWL data and use it at the MTA level. However, since SA doesn't have an auto-blacklist feature,

Hi Robin, Actually, AutoWhiteList (AWL) is a bit of a misnomer. AWL maintains average message scores for sender/class-B tuples, so, in effect, it is also an auto blacklist, because repeat spam senders will have high average scores in the AWL database.

I'd like to find a relatively simple way to extract IP addresses from emails that contain spam. If it is of any importance, we invoke SA via amavisd-new.

See, for instance, the check_whitelist script in the tools/ directory of the distribution. I get output like this:

-4.5 (-35.6/8) -- [EMAIL PROTECTED]|ip=64.59
9.3(27.9/3) -- [EMAIL PROTECTED]|ip=65.39

The first line is for a user that sends ham, so his/her score on future messages would be pushed closer to -4.5. The second line is for a user that sends spam, so, if they sent a more hammy message later, the AWL would likely *add* points to the message, while decreasing the average slightly. It works both ways.

If you want to use this at the MTA level, I could envision you wanting to grab, say, every entry over a certain average score and potentially greylist based on that or something.

Hope this helps, - Ryan

Yes it does. The only thing I see that is a problem is that the IPs appear to be /16s. /24s would be a broad enough brush to paint with. Back to the drawing board.

-- Robin Lynn Frank Director of Operations Paradigm-Omega, LLC http://www.paradigm-omega.com == Sed quis custodiet ipsos custodes?
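The MTA-level idea discussed in this thread (take every AWL entry over a certain average score, bearing in mind that the network part is only a /16) can be sketched as follows. This is an added example, not code from the thread or from SpamAssassin; the sample lines, addresses, networks and the `min_avg`/`min_count` thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# average, "(total/count)", "--", "address|ip=a.b"; the space before "(" is
# optional, as in the second output line quoted in the thread.
LINE_RE = re.compile(
    r"^\s*(-?\d+(?:\.\d+)?)\s*\((-?\d+(?:\.\d+)?)/(\d+)\)\s+--\s+(\S+)\|ip=(\S+)\s*$"
)
NET_RE = re.compile(r"^\d{1,3}\.\d{1,3}$")

# Constructed sample in the check_whitelist output format quoted above.
SAMPLE = """\
    -4.5 (-35.6/8) -- alice@example.org|ip=10.20
     9.3(27.9/3) -- promo@example.net|ip=10.30
    12.0 (12.0/1) -- oneoff@example.net|ip=10.40
     7.5 (30.0/4) -- bulk@example.com|ip=10.20
    -2.0 (-10.0/5) -- bob@example.org|ip=none
"""

def parse_awl(text):
    """Return (avg, total, count, address, network) for each parseable line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            avg, total, count, addr, net = m.groups()
            rows.append((float(avg), float(total), int(count), addr, net))
    return rows

def greylist_candidates(rows, min_avg=5.0, min_count=3):
    """Group senders averaging >= min_avg over >= min_count messages by /16.

    A network is flagged shared_with_ham when a sender with a negative
    average uses the same /16, since acting on it would also hit that sender.
    """
    spam, ham = defaultdict(list), set()
    for avg, _total, count, addr, net in rows:
        if not NET_RE.match(net):
            continue  # key carries no two-octet network part
        cidr = net + ".0.0/16"
        if avg < 0:
            ham.add(cidr)
        elif avg >= min_avg and count >= min_count:
            spam[cidr].append(addr)
    return {c: {"senders": s, "shared_with_ham": c in ham} for c, s in spam.items()}
```

The `min_count` floor keeps a single high-scoring message from putting a whole /16 on the candidate list.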
Re: after upgrade
At 08:42 PM 10/9/2004 -0300, Marcos Saint'Anna wrote:

SPAM... So I noticed that almost all headers had a USER_IN_WHITELIST in it.

---
X-Spam-Status: No, hits=-88.6 required=5.0 tests=BR_RECEIVED_SPAMMER,
FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,HTML_FONT_BIG,HTML_MESSAGE,
HTML_TAG_EXIST_TBODY,INVALID_DATE,MIME_BASE64_TEXT,
MIME_BOUND_NEXTPART,MIME_HTML_ONLY,PLING_PLING,USER_IN_WHITELIST
autolearn=no version=3.0.0
---

I've checked every configuration file as well as the user_prefs files and didn't find any whitelist entry.

Did you find *any* whitelist statements at all?

Also be sure to scrutinize ALL the message headers when trying to check which statement is at fault.

SA's whitelisting system honors more than just From: in whitelist_from*. It honors Return-Path, Sender, Resent-From and more-or-less any origin indicating header.
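The header check suggested in the reply above can be scripted: collect every `whitelist_from` entry from the configuration files and test it against each origin header of a message that hit USER_IN_WHITELIST. This is an added example, not code from the thread or from SpamAssassin; it covers plain `whitelist_from` entries only, the header list is limited to the headers named in the reply plus From, and the sample message and configuration text are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Headers named in the reply above, plus From (assumed list; extend as needed).
ORIGIN_HEADERS = ("From", "Return-Path", "Sender", "Resent-From")

# Constructed sample message and configuration text, not taken from the thread.
SAMPLE_MESSAGE = (
    "Return-Path: <bounce-4711@lists.example.net>\n"
    "From: \"Special Offers\" <offers@shop.example.com>\n"
    "Sender: relay@example.net\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)
SAMPLE_CONFIGS = {
    "local.cf": "required_score 5.0\nwhitelist_from *@lists.example.net  # old list\n",
    "user_prefs": "# per-user settings\nwhitelist_from friend@example.org\n",
}

def glob_to_regex(pattern):
    """Translate a whitelist_from glob: '*' is any run, '?' is one character."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)

def whitelist_entries(config_text):
    """Yield (lineno, pattern) for each address on a whitelist_from line."""
    for lineno, line in enumerate(config_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if fields and fields[0] == "whitelist_from":
            for pattern in fields[1:]:
                yield lineno, pattern

def explain_whitelist_hit(raw_message, configs):
    """Return (header, address, file, lineno, pattern) for every match."""
    msg = message_from_string(raw_message)
    hits = []
    for header in ORIGIN_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            for source, text in configs.items():
                for lineno, pattern in whitelist_entries(text):
                    if addr and glob_to_regex(pattern).match(addr):
                        hits.append((header, addr, source, lineno, pattern))
    return hits
```

On the constructed sample the only match comes from Return-Path, so an audit that looked at From: alone would report no whitelist entry.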
Re: Memory footprint of spamd 3.0
In the default /usr/share/spamassasin/10_misc.cf file, I have

ok_locales all
ok_languages all

Nothing related in the personalized files in /etc/mail/spamassassin, or elsewhere.

On Fri, 8 Oct 2004, Michael Parker wrote:

On Tue, Oct 05, 2004 at 12:25:45PM -0500, Michael Parker wrote:

On Tue, Oct 05, 2004 at 10:22:42AM -0700, Morris Jones wrote:

I watched a spamd child grow to 250MB yesterday on a single message. I have a suspicion that the memory usage growth is happening on a whitelist or bayes database maintenance event of some sort.

Better question. Of all the folks seeing memory issues, are you using ok_languages in your config somewhere? If not, please speak up as well.

Thanks

Michael
Re[2]: after upgrade
Hello Matt,

Thanks for your prompt reply. I've removed all whitelist_from entries from configuration files, even those from user_prefs files. I've already tried to run SA with -D option, but got no answer at all... This started happening just after the upgrade. Please note that I've read several times the INSTALL and UPGRADE instructions before doing the upgrade...

Best regards

-- Marcos Saint'Anna [EMAIL PROTECTED]

You wrote:

MK At 08:42 PM 10/9/2004 -0300, Marcos Saint'Anna wrote:

SPAM... So I noticed that almost all headers had a USER_IN_WHITELIST in it.

---
X-Spam-Status: No, hits=-88.6 required=5.0 tests=BR_RECEIVED_SPAMMER,
FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,HTML_FONT_BIG,HTML_MESSAGE,
HTML_TAG_EXIST_TBODY,INVALID_DATE,MIME_BASE64_TEXT,
MIME_BOUND_NEXTPART,MIME_HTML_ONLY,PLING_PLING,USER_IN_WHITELIST
autolearn=no version=3.0.0
---

I've checked every configuration file as well as the user_prefs files and didn't find any whitelist entry.

MK Did you find *any* whitelist statements at all?

MK Also be sure to scrutinize ALL the message headers when trying to check
MK which statement is at fault.

MK SA's whitelisting system honors more than just From: in whitelist_from*. It
MK honors Return-Path, Sender, Resent-From and more-or-less any origin
MK indicating header.
Re: SA 3.0 - USER_IN_BLACKLIST false positive?
On 09 October 2004 18:40 -0400 Theo Van Dinter [EMAIL PROTECTED] wrote:

Got me, you have to go hunting around and find out. I have no way to tell you what's on your box, but I can tell you the entries aren't from SpamAssassin itself. ;)

I believe that it is a bug in SA 3.0. This is a fresh installation of SA, no blacklists have been created and the e-mail address was previously unknown.

Having searched back through the archives there are a couple of other reports of this 'phenomenon'.

Mike.
Re[2]: SA 3.0 - USER_IN_BLACKLIST false positive?
Hello Mike,

Almost the same thing here... but it's the USER_IN_WHITELIST that's making me nuts. My configuration files have no whitelist_from... but in the detection description the USER_IN_WHITELIST is always there...

Best regards

-- Marcos Saint'Anna [EMAIL PROTECTED]

You wrote:

MZ On 09 October 2004 18:40 -0400 Theo Van Dinter [EMAIL PROTECTED]
MZ wrote:

Got me, you have to go hunting around and find out. I have no way to tell you what's on your box, but I can tell you the entries aren't from SpamAssassin itself. ;)

MZ I believe that it is a bug in SA 3.0. This is a fresh installation of
MZ SA, no blacklists have been created and the e-mail address was
MZ previously unknown.

MZ Having searched back through the archives there are a couple of other
MZ reports of this 'phenomenon'.

MZ Mike.
Re: after upgrade
On Sun, 10 Oct 2004, Kai Schaetzl wrote:

Marcos Saint'Anna wrote on Sun, 10 Oct 2004 02:18:19 -0300:

I've already tried to run SA with -D option, but got no answer at all...

So, if you pipe one of those messages with USER_IN_WHITELIST thru spamassassin -D (not spamd!) it is *not* marked with USER_IN_WHITELIST? If so, I'd think your spamd is using a different configuration than you think or you may have some version mix. Did you run a make test before install?

FWIW, that same exact thing happened to me when I first installed SA. Turns out I had more than one config file...

Ed

. . . . . . . . . . . . . . .
Randomly generated quote: I distrust those people who know so well what God wants them to do because I notice it always coincides with their own desires. -Susan B Anthony, reformer and suffragist (1820-1906)
Re: SA 3.0 - USER_IN_BLACKLIST false positive?
Mike Zanker wrote on Sun, 10 Oct 2004 17:52:36 +0100:

Yes, I am using that, but I thought USER_IN_BLACKLIST related to personal blacklists, not SURBL stuff.

It does not relate to SURBL. It relates to rules, no matter in which *.cf file they are in /etc/mail/spamassassin. The rulename is relevant, not the filename.

Kai

-- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de http://msie.winware.org
Re[2]: after upgrade
Hello Kai,

Thanks for your reply! I've made the tests you recommended, but got no positive results at all.

---
These are the installed software versions:

# /usr/bin/spamc -V
SpamAssassin Client version 3.0.0
# /usr/bin/spamd -V
SpamAssassin Server version 3.0.0
# /usr/bin/spamassassin -V
SpamAssassin version 3.0.0
---

This is the /usr/bin/spamd -d -v -u vpopmail -s /var/log/spamd.log command line results about the configuration files:

[...]
2004-10-10 18:44:36 [22937] i: debug: using /etc/mail/spamassassin/init.pre for site rules init.pre
2004-10-10 18:44:36 [22937] i: debug: config: read file /etc/mail/spamassassin/init.pre
2004-10-10 18:44:36 [22937] i: debug: using /usr/share/spamassassin for default rules dir
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/10_misc.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_body_tests.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_compensate.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_drugs.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_head_tests.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_html_tests.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_phrases.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_porn.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_ratware.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/23_bayes.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/25_hashcash.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/25_spf.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/25_uribl.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/30_text_de.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/30_text_fr.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/30_text_nl.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/30_text_pl.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/50_scores.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/60_whitelist.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /usr/share/spamassassin/regression_tests.cf
2004-10-10 18:44:36 [22937] i: debug: using /etc/mail/spamassassin for site rules dir
2004-10-10 18:44:36 [22937] i: debug: config: read file /etc/mail/spamassassin/10_local_report.cf
2004-10-10 18:44:36 [22937] i: debug: config: read file /etc/mail/spamassassin/local.cf
2004-10-10 18:44:36 [22937] i: debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
2004-10-10 18:44:36 [22937] i: debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8404b90)
2004-10-10 18:44:36 [22937] i: debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
2004-10-10 18:44:36 [22937] i: debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8ac0bcc)
2004-10-10 18:44:36 [22937] i: debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
2004-10-10 18:44:36 [22937] i: debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8a96b8c)
[...]
---

A message analysis using /usr/bin/spamc test.txt:

X-Spam-Status: No, hits=-85.7 required=5.0 bayes=0.5 awl=
tests=BILL_1618=1.692,BR_ADJUST_2=2,BR_CONGRESSO=3,BR_MALADIRETA=0.2,
BR_REMOVER_QUOTE=0.8,BR_SPAMMER_URI=2,DRUGS_SLEEP=0.107,
FORGED_MUA_OUTLOOK=3.037,FORGED_OUTLOOK_HTML=0.022,HTML_MESSAGE=0.001,
MIME_HTML_ONLY=1.158,MISSING_MIMEOLE=0,USER_IN_WHITELIST=-100,
X_MSMAIL_PRIORITY_HIGH=0.267 autolearn=spam version=3.0.0
---

This is the /usr/bin/spamassassin -D -p .spamassassin/user_prefs test.txt command line results about the
Spamass-milter 0.2.0 and spamassassin 3.0
Do these 2 work together? Checked the spamass-milter site and docs and couldn't find any ref to spamassassin 3.0.

-- Randall Perry sysTame Xserve Web Hosting/Co-location Website Design/Development WebObjects Hosting Mac Consulting/Sales http://www.systame.com/
RE: Spamass-milter 0.2.0 and spamassassin 3.0
It works with one slight problem fixed in CVS already. If set, the reject threshold (-r hits) in 0.2.0 looks for hits instead of score. If you set hits to -1 (reject anything tagged as spam), 0.2.0 works fine.

-Original Message-
From: Randall Perry [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 10, 2004 12:45 PM
To: users@spamassassin.apache.org
Subject: Spamass-milter 0.2.0 and spamassassin 3.0

Do these 2 work together? Checked the spamass-milter site and docs and couldn't find any ref to spamassassin 3.0.

-- Randall Perry sysTame Xserve Web Hosting/Co-location Website Design/Development WebObjects Hosting Mac Consulting/Sales http://www.systame.com/