Re: Score 9.9 by configuration?

2004-11-15 Thread JamesDR
What's the issue here? Adding the scores comes to 10.2, but I haven't 
looked at the score set to determine what the exact precision was on 
each of those decimals.
This is the score chart:
0.1
1.8
0.1
0.1
0.1
0.1
0.1
0.1
0.1
0.1
0.1
0.1
-2.6
-0.6
0.7
0.7
0.7
0.7
0.7
0.7
0.7
0.7
0.7
0.7
0.7
0.7
0.7
0.7
0.7
TOTAL: 10.2

I guess I'm missing the problem here. (other than at first glance 
calculation is incorrect by .3)

Thanks,
JamesDR
Hanspeter Roth wrote:
Hello,
I have attached a message that has got 9.9 points.
Is this score assigned by the default or by a custom configuration?
-Hanspeter
- Forwarded message from Drew Tomlinson  -
From: Drew Tomlinson 
To: FreeBSD Questions freebsd-questions@freebsd.org
Subject: SPAM(9.9) shutdown -r Hangs After Upgrading to 4.10
Date: Sun, 07 Nov 2004 16:08:16 -0800
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on boogey.rootshell.be
X-Spam-Level: *
X-Spam-Status: Yes, score=9.9 required=4.0 tests=BAYES_00,FVGT_TRIPWIRE_BF,
	FVGT_TRIPWIRE_CB,FVGT_TRIPWIRE_DJ,FVGT_TRIPWIRE_FX,FVGT_TRIPWIRE_II,
	FVGT_TRIPWIRE_KB,FVGT_TRIPWIRE_NP,FVGT_TRIPWIRE_PF,FVGT_TRIPWIRE_SB,
	FVGT_TRIPWIRE_SK,FVGT_TRIPWIRE_TK,FVGT_TRIPWIRE_UH,FVGT_TRIPWIRE_XB,
	FVGT_TRIPWIRE_XC,FVGT_TRIPWIRE_XF,LOCAL_OBFU_GENERIC,SARE_HEAD_XBEEN,
	TW_BF,TW_CB,TW_DJ,TW_DR,TW_II,TW_SB,TW_SK,TW_UH,TW_XB,TW_XC,TW_XF 
	autolearn=no version=3.0.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_418EB903.359B433A
Content-Length: 15125
Lines: 334

Checker-Version SpamAssassin 3.0.0 (2004-09-13) on boogey.rootshell.be
Content analysis details:   (9.9 points, 4.0 required, autolearn=no)
 pts rule name  description
 
 0.1 TW_XC  BODY: Odd Letter Triples with XC
 1.8 LOCAL_OBFU_GENERIC BODY: Obfuscated 'GENERIC' in body
 0.1 TW_BF  BODY: Odd Letter Triples with BF
 0.1 TW_II  BODY: Odd Letter Triples with II
 0.1 TW_UH  BODY: Odd Letter Triples with UH
 0.1 TW_DJ  BODY: Odd Letter Triples with DJ
 0.1 TW_XF  BODY: Odd Letter Triples with XF
 0.1 TW_XB  BODY: Odd Letter Triples with XB
 0.1 TW_SK  BODY: Odd Letter Triples with SK
 0.1 TW_CB  BODY: Odd Letter Triples with CB
 0.1 TW_SB  BODY: Odd Letter Triples with SB
 0.1 TW_DR  BODY: Odd Letter Triples with DR
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
[score: 0.]
-0.6 SARE_HEAD_XBEEN    Mailng list header found, frequent ham sign
 0.7 FVGT_TRIPWIRE_CB   FVGT_TRIPWIRE_CB
 0.7 FVGT_TRIPWIRE_PF   FVGT_TRIPWIRE_PF
 0.7 FVGT_TRIPWIRE_UH   FVGT_TRIPWIRE_UH
 0.7 FVGT_TRIPWIRE_II   FVGT_TRIPWIRE_II
 0.7 FVGT_TRIPWIRE_XC   FVGT_TRIPWIRE_XC
 0.7 FVGT_TRIPWIRE_NP   FVGT_TRIPWIRE_NP
 0.7 FVGT_TRIPWIRE_KB   FVGT_TRIPWIRE_KB
 0.7 FVGT_TRIPWIRE_SK   FVGT_TRIPWIRE_SK
 0.7 FVGT_TRIPWIRE_XB   FVGT_TRIPWIRE_XB
 0.7 FVGT_TRIPWIRE_BF   FVGT_TRIPWIRE_BF
 0.7 FVGT_TRIPWIRE_DJ   FVGT_TRIPWIRE_DJ
 0.7 FVGT_TRIPWIRE_FX   FVGT_TRIPWIRE_FX
 0.7 FVGT_TRIPWIRE_SB   FVGT_TRIPWIRE_SB
 0.7 FVGT_TRIPWIRE_XF   FVGT_TRIPWIRE_XF
 0.7 FVGT_TRIPWIRE_TK   FVGT_TRIPWIRE_TK

Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119])
by boogey.rootshell.be (Postfix) with ESMTP id 4A1002D55F
for [EMAIL PROTECTED]; Mon,  8 Nov 2004 01:08:31 +0100 (CET)
Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18])
by mx2.freebsd.org (Postfix) with ESMTP
id 15C6257BA6; Mon,  8 Nov 2004 00:08:19 + (GMT)
(envelope-from [EMAIL PROTECTED])
Received: from hub.freebsd.org (localhost [127.0.0.1])
by hub.freebsd.org (Postfix) with ESMTP
id 7CE5616A4EA; Mon,  8 Nov 2004 00:08:17 + (GMT)
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
by hub.freebsd.org (Postfix) with ESMTP id 335AB16A4CE
for freebsd-questions@freebsd.org;
Mon,  8 Nov 2004 00:08:11 + (GMT)
Received: from relay04.roc.ny.frontiernet.net (relay04.roc.ny.frontiernet.net
[66.133.131.37])
by mx1.FreeBSD.org (Postfix) with ESMTP id A005D43D48
for freebsd-questions@freebsd.org;
Mon,  8 Nov 2004 00:08:10 + (GMT)
(envelope-from [EMAIL PROTECTED])
Received: from filter02.roc.ny.frontiernet.net
(filter02.roc.ny.frontiernet.net [66.133.131.177])
by relay04.roc.ny.frontiernet.net (Postfix) with ESMTP id 262D110285
for freebsd-questions@freebsd.org;
Mon,  8 Nov 2004 00:08:10 + (UTC)
Received: from relay04.roc.ny.frontiernet.net ([66.133.131.37])
[66.133.131.177]) (amavisd-new, port 10024)
with LMTP id 14623-07-8 for freebsd-questions@freebsd.org;
  

RE: spamassassin and web based mail !

2004-11-15 Thread Peter P. Benac
There is always a way; however, do you have the resources to program such an
effort?   You might be able to modify an Open Source Proxy Server, but even
then it will be an effort.   You are still missing the major point here.
Spammers don't go to Cybercafés to send spam.   Why should they go to a
cybercafé when they can use their own connections and sit in the comfort of
their own home and use Yahoo, MSN or Hotmail. Remember these idiots think
they have a legal right to spam the world, so they aren't going to hide in
your Cybercafé.

I'd be more concerned about Script kiddies, and wannabe hackers using your
cybercafé to upload their dirty work, and a good virus scanner can fix that.

Regards,
Pete

Peter P. Benac, CCNA
Celtic Spirit Network Solutions
Providing Network and Systems Project Management and Installation and Web
Hosting.
Phone: 919-618-2557
Web: http://www.emacolet.com
Need quick reliable Systems or Network Management advice visit
http://www.nmsusers.org

To have principles...
 First have courage.. With principles comes integrity!!!



-Original Message-
From: Cigan Segun [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 14, 2004 2:35 PM
To: users@spamassassin.apache.org
Subject: Re:spamassassin and web based mail !



Is there any way a LINUX box can be configured to solve the problem of
checking the mail contents of every http that passes through the linux box?

Regards.
Cigan.







Re: SA 3.01 + DCC + Pyzor

2004-11-15 Thread Matt Kettler
At 05:06 PM 11/14/2004 +0100, Johan Barelds wrote:
At this moment I use the SuSE 9.2 distro.
I noticed that DCC and Pyzor are broken if being called from SA.
(Nov 14 17:00:07 beast dccproc[4795]: missing message body; fatal error)
I also read the docu from SA3.01 and found this:
--
There is an issue if you run spamd using the standard perl installation
on Mac OS X and certain *BSD-flavored UNIX platforms.  spamd will change
effective uid to the user calling spamd for security reasons.  Before
calling out to any external programs (DCC and Pyzor, as of 3.0.0,) spamd
will fork() and change the real uid to the same as the effective uid.
Unfortunately, the default perl in at least Mac OS X, does not allow perl
programs to change the real uid so for security reasons the spamd child
will die.  To fix this issue, either disable the DCC and Pyzor rules,
or install a different version of perl which supports setuid() calls.
--
Question: is this the cause that DCC and Pyzor won't run with SA3.01 on
SuSE9.2?

Highly doubtful. SuSE is Linux-based. It is not a BSD-flavored Unix platform.
(Anything based on the Linux kernel is inherently not based on a BSD 
kernel. If it were, it would cease to be Linux.)




Re: Sensible way to use SpamCop reporting?

2004-11-15 Thread Owen McShane
 On Fri, 12 Nov 2004, Larry stipulated:
  You could comment out the spamcop_to_address in your configuration
  file.  Then SA will report to the generic spamcop address.  Your
  reports won't be given as much weight (whatever that means) but you
  won't get the confirmation emails either.
 
 ... and you won't have to dive around a webform confirming every single
 one by hand?
 
 Excellent.

I did once completely automate this using a script that fired everything in my 
spam folder to spamcop, grepped 'sc?id' out of all the spamcop replies, opened 
lynx with a command script which searched for Send Spam Report and hit the 
link.

Worked quite well until I realised I was complaining to myself, about myself ;) 
(abuse@ comes to me, and I was firing abuse@ mails to spamcop as they obviously 
contained spam content).

Plus with all the spam I get, it brought my machine to its knees on several 
occasions  ;)

O

--
 Via Net.Works UK Ltd
 Local Touch Global Reach 
 Owen McShane   Systems Administrator
 http://www.vianetworks.co.uk   Tel +44 (0)1925 48



Re: Score 9.9 by configuration?

2004-11-15 Thread Hanspeter Roth
  On Nov 14 at 21:28, Matt Kettler spoke:

 Definitely custom.
 
 FVGT_TRIPWIRE_* are add-on rules, and are not a part of the standard SA set.
 TW_* are also add-on rules. In fact, I suspect they are a duplicate of the 
 same ruleset, but with different names.
 LOCAL_OBFU generic is a local customization. And a heavy hitter at 1.8 
 points.
 SARE_HEAD_XBEEN is an add-on.
 
 The only standard rule in the list of hits is BAYES_00, a nonspam rule.

Ok, thanks for explaining.
If add-ons are added should the `required' level be increased in
order to prevent too many false positives?
 
 
 As for James's concern about 9.9 vs 10.2 score, that much is easily 

Well this is some 3%. This doesn't bother me.
What bothers me is that a non-spam message is tagged 9.9 while the
required level is 4.0. This is some 200%.

[...]
 Round numbers are just that.. Adding lots of round numbers makes for a lot 
 of rounding error.

Is that to say if there are lots of items which may produce rounding
errors the `required' level should be increased accordingly?

-Hanspeter


Re: Score 9.9 by configuration?

2004-11-15 Thread Matt Kettler
At 12:55 PM 11/15/2004 +0100, you wrote:
Ok, thanks for explaining.
If add-ons are added should the `required' level be increased in
order to prevent too many false positives?
Really it depends on what the FP ratio of the added rules is like. Usually 
not, or only very slightly, as most add-ons are mass-checked for FPs and 
the scores and/or rules are adjusted accordingly.

The biggest problem I saw with that message is it had two versions of 
tripwire, both running at the same time. One older version with roughly 0.7 
as a score, one newer one with roughly 0.1 as a score. The current version 
has names and scores consistent with the low-scoring version.
http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf

If you took away the 15 FVGT_TRIPWIRE_* hits the score of the message would 
have gone down by about 10.5 points.

Find the duplicates and remove them. My guess is the server has both 
tripwire.cf (old) and 99_FVGT_Tripwire.cf (new) installed in 
/etc/mail/spamassassin.

You could compensate for the misconfig by increasing score thresholds, but 
in this case, poor performance would ensue.

 Round numbers are just that.. Adding lots of round numbers makes for a lot
 of rounding error.
Is that to say if there are lots of items which may produce rounding
errors the `required' level should be increased accordingly?
No.. That error is in James's hand calculation of 10.2, not in SA's 
calculation of 9.9. It doesn't affect the required thresholds or anything else.

What I'm saying is if you hand-add the rounded numbers SA prints in the 
report you can get a different score than SA does. It could be quite a bit 
higher or lower, because you're working from a bunch of rounded numbers. 
Don't be surprised by this, because you're not adding the real scores out 
of the .cf files.

When SA computes the score, it uses all 4 decimal places. SA only rounds 
when it prints things in the reports, and that's just to keep the report 
from getting cluttered.
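
Added example (not part of the original thread and not SpamAssassin code): a short Python script that re-adds the rounded per-rule points from the report quoted at the top of this thread and measures how much of the total comes from the two tripwire rule families. It assumes the two families differ only in their TW_ / FVGT_TRIPWIRE_ prefix; the function names are hypothetical.

```python
import re
from decimal import Decimal

# Rule hits copied from the "Content analysis details" report quoted in this
# thread, including the "[score: 0.]" continuation line under BAYES_00.
REPORT = """\
 pts rule name              description
 0.1 TW_XC                  BODY: Odd Letter Triples with XC
 1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
 0.1 TW_BF                  BODY: Odd Letter Triples with BF
 0.1 TW_II                  BODY: Odd Letter Triples with II
 0.1 TW_UH                  BODY: Odd Letter Triples with UH
 0.1 TW_DJ                  BODY: Odd Letter Triples with DJ
 0.1 TW_XF                  BODY: Odd Letter Triples with XF
 0.1 TW_XB                  BODY: Odd Letter Triples with XB
 0.1 TW_SK                  BODY: Odd Letter Triples with SK
 0.1 TW_CB                  BODY: Odd Letter Triples with CB
 0.1 TW_SB                  BODY: Odd Letter Triples with SB
 0.1 TW_DR                  BODY: Odd Letter Triples with DR
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
-0.6 SARE_HEAD_XBEEN        Mailng list header found, frequent ham sign
 0.7 FVGT_TRIPWIRE_CB       FVGT_TRIPWIRE_CB
 0.7 FVGT_TRIPWIRE_PF       FVGT_TRIPWIRE_PF
 0.7 FVGT_TRIPWIRE_UH       FVGT_TRIPWIRE_UH
 0.7 FVGT_TRIPWIRE_II       FVGT_TRIPWIRE_II
 0.7 FVGT_TRIPWIRE_XC       FVGT_TRIPWIRE_XC
 0.7 FVGT_TRIPWIRE_NP       FVGT_TRIPWIRE_NP
 0.7 FVGT_TRIPWIRE_KB       FVGT_TRIPWIRE_KB
 0.7 FVGT_TRIPWIRE_SK       FVGT_TRIPWIRE_SK
 0.7 FVGT_TRIPWIRE_XB       FVGT_TRIPWIRE_XB
 0.7 FVGT_TRIPWIRE_BF       FVGT_TRIPWIRE_BF
 0.7 FVGT_TRIPWIRE_DJ       FVGT_TRIPWIRE_DJ
 0.7 FVGT_TRIPWIRE_FX       FVGT_TRIPWIRE_FX
 0.7 FVGT_TRIPWIRE_SB       FVGT_TRIPWIRE_SB
 0.7 FVGT_TRIPWIRE_XF       FVGT_TRIPWIRE_XF
 0.7 FVGT_TRIPWIRE_TK       FVGT_TRIPWIRE_TK
"""
REPORTED_SCORE = Decimal("9.9")  # score=9.9 in the X-Spam-Status header

# A hit line is "<points> <RULE_NAME> ..."; anything else is skipped.
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")

# Assumption for this example: old and new tripwire rules share a suffix.
FAMILIES = ("FVGT_TRIPWIRE_", "TW_")


def parse_hits(report):
    """Return [(rule_name, Decimal points)] for every rule line in a report."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line)
        if m:  # header and "[score: ...]" continuation lines do not match
            hits.append((m.group(2), Decimal(m.group(1))))
    return hits


def family_of(rule):
    """Split a rule name into (family prefix or None, remaining suffix)."""
    for prefix in FAMILIES:
        if rule.startswith(prefix):
            return prefix, rule[len(prefix):]
    return None, rule


def analyse(report):
    """Sum the displayed points and find patterns scored by both families."""
    hits = parse_hits(report)
    total = sum((pts for _, pts in hits), Decimal(0))
    fam_total = {p: Decimal(0) for p in FAMILIES}
    fam_suffixes = {p: set() for p in FAMILIES}
    for rule, pts in hits:
        prefix, suffix = family_of(rule)
        if prefix:
            fam_total[prefix] += pts
            fam_suffixes[prefix].add(suffix)
    both = sorted(set.intersection(*fam_suffixes.values()))
    return {"displayed_total": total,
            "family_totals": fam_total,
            "double_counted": both}


if __name__ == "__main__":
    r = analyse(REPORT)
    print("sum of rounded points:", r["displayed_total"],
          "| score reported by SA:", REPORTED_SCORE)
    for prefix, pts in r["family_totals"].items():
        print(f"{prefix}* contributes {pts}")
    print("patterns scored by both families:", ", ".join(r["double_counted"]))
```

The gap between the hand-added total and the reported score is the rounding effect described above; the per-family totals show how much of the score rests on the doubled ruleset.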




Re: Insecure dependency in eval while running setuid

2004-11-15 Thread Matt Kettler
At 09:51 AM 11/13/2004 -0800, Vicki Brown wrote:
2004-11-13 17:32:05 [54661] i: error: Insecure dependency in eval while
running
setuid at
/usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm
 line 1669, GEN12 line 37._ No such file or directory, continuing
I have upgraded to SA 3.0.1
snip

what problems should I be looking for?
1) are you SURE you want allow_user_rules set? Unless you trust all your 
users this can be a bit risky. Unless you're going to put body, rawbody, 
header or meta statements in user_prefs, unset that. (score statements are 
fine)

2) I'd check for malformed body rules. Run spamassassin --lint to see if it 
can help you. Line 1669 of PerMsgStatus is where SA is executing the 
expressions for body rules.

No such file or directory is a slightly concerning message here, as it 
implies the regex is either intentionally or accidentally trying to access 
files outside of SA. I'd check for add-on rules that have unescaped 
punctuation (ie  instead of \) in /etc/mail/spamassassin/*.cf and in 
user_prefs. Most likely it's a typo.

However, it's going to be a body rule that's the troublemaker.





RE: spamassassin and web based mail !

2004-11-15 Thread Martin Lee
Spammers don't go to Cybercafés to send spam.

Oh yes they do !

We see lots of phishing and 419 / lottery scams coming from Cybercafes. 
The average spammer likes to work from home, the average scammer likes the
anonymity of Cybercafes.

Cigan - you have a very difficult problem. If you scan content sent to 
Yahoo / Hotmail, the spammers will change to another webmail service or
abuse badly configured cgi scripts. In any case a mail filtering program
like SpamAssassin is configured to work on *email* rather than http streams.

Hats off to you for attempting to address the problem. I would hazard a guess
that asking for ID and visibly writing down the name against a machine / IP
address would probably be a technologically simple approach, which would be a
very strong deterrent and would result in the criminal fraternity going 
elsewhere.


Martin

-Original Message-
From: Peter P. Benac [mailto:[EMAIL PROTECTED]
Sent: 15 November 2004 01:20
To: 'Cigan Segun'; users@spamassassin.apache.org
Subject: RE: spamassassin and web based mail !


There is always a way; however, do you have the resources to program such an
effort?   You might be able to modify an Open Source Proxy Server, but even
then it will be an effort.   You are still missing the major point here.
Spammers don't go to Cybercafés to send spam.   Why should they go to a
cybercafé when they can use their own connections and sit in the comfort of
their own home and use Yahoo, MSN or Hotmail. Remember these idiots think
they have a legal right to spam the world, so they aren't going to hide in
your Cybercafé.

I'd be more concerned about Script kiddies, and wannabe hackers using your
cybercafé to upload their dirty work, and a good virus scanner can fix that.

Regards,
Pete

Peter P. Benac, CCNA
Celtic Spirit Network Solutions
Providing Network and Systems Project Management and Installation and Web
Hosting.
Phone: 919-618-2557
Web: http://www.emacolet.com
Need quick reliable Systems or Network Management advice visit
http://www.nmsusers.org

To have principles...
 First have courage.. With principles comes integrity!!!



-Original Message-
From: Cigan Segun [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 14, 2004 2:35 PM
To: users@spamassassin.apache.org
Subject: Re:spamassassin and web based mail !



Is there any way a LINUX box can be configured to solve the problem of
checking the mail contents of every http that passes through the linux box?

Regards.
Cigan.






SA 3.01 + DCC + Pyzor

2004-11-15 Thread D.J. Fan
I noticed that DCC and Pyzor are broken if being called from SA.
(Nov 14 17:00:07 beast dccproc[4795]: missing message body; fatal error)
I get missing message body; fatal error on occasion. It is
my guess this means there is no text in the body of the message.
I don't think it means DCC is broken.
For the Pyzor issue, this may be of help:
https://sourceforge.net/mailarchive/forum.php?thread_id=5955026&forum_id=8711



RE: Message is checked but not marked

2004-11-15 Thread Smart,Dan
Vickie:
I've had the same problem.  It has to do with procmail and the -t 60.
The spamc -t 60 doesn't actually kill the spamd process, it simply cuts the
connection between spamc and spamd.
The normal action of procmail and spamc is to deliver if there is a spamc
error.

This has to be turned off by using the -x command.

I tried to document my config on my weblog
http://webpages.charter.net/bhamdan/

Dan


 

  -Original Message-
  From: Vicki Brown [mailto:[EMAIL PROTECTED] 
  Sent: Saturday, November 13, 2004 11:51 AM
  To: users@spamassassin.apache.org
  Subject: Message is checked but not marked
  
  I have upgraded to SA 3.0.1
  spamd is running as
   spamd -d -c
  
  /etc/mail/spamassassin/local.cf contains
  
   allow_user_rules 1
  
  my user prefs file contains
   use_terse_report1
   ok_languagesen
   report_safe 0
  
  According to my Procmail log, the message in question 
  message went through SA.
  
   procmail: Executing /usr/local/bin/spamc,-s,256000,-t,60
   procmail: [14951] Sat Nov 13 00:55:49 2004
  
  
  Yet it has no headers added.
  
  I read perldoc Mail::SpamAssassin::Conf
  I am not actively removing headers.
  I should see X-Spam-Level, X-Spam-Status and 
  X-Spam-Checker-Version yet I do not.
  
  Can someone suggest what I might be doing wrong or where to look?
  
   Received: from 24.221.172.174 ([61.109.80.34])
   by cfcl.com (8.12.6/8.12.6) with SMTP id iAD8safC014888;
   Sat, 13 Nov 2004 00:54:43 -0800 (PST)
   (envelope-from [EMAIL PROTECTED])
   From: Wilfred Oneill [EMAIL PROTECTED]
   Reply-To: Wilfred Oneill [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Subject: Re: Fioricet, Soma, Buspar, Prozac, and more 
  Prescribed Online and Shipped to Your Door [NoSpam-OK]
   Message-ID: [EMAIL PROTECTED]
   Date: Sat, 13 Nov 2004 12:39:33 +0400
   MIME-Version: 1.0
   Content-Type: multipart/related;
   boundary=--279549920567187
   X-UIDL: OD8!/Hn!I1f!c4~!
  
   x-html!x-stuff-for-pete base= src= id=1 
  charset=/macintoshhtml  body  p align=leftfont 
  size=2 face=Geneva, Arial, Helvetica, 
  sans-serifstrongDO NOT MISS  YOUR OPPORTUNITY TO BUY THE 
  MEDICATIONS FOR THE CHEAPEST  PRICES!!!/strong/font/p
  
  -- 
  Vicki Brown ZZZJourneyman Sourceror:
  SF Bay Area, CAzz  |\ _,,,---,,_  Scripts  Philtres
  http://www.cfcl.com zz /,`.-'`'-.  ;-;;,_Code, Doc, Process, QA
  http://cfcl.com/vlb   |,4-  ) )-,_. ,\ ( `'-'Perl, Unix, Mac 
  OS X, WWW
   '---''(_/--'  `-'\_)  
  ___
  
  


RE: Spam with ``=?utf-8?q?'' in From/To/Subject

2004-11-15 Thread Chris Santerre


-Original Message-
From: Dave Sill [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 9:19 AM
To: users@spamassassin.apache.org
Subject: Spam with ``=?utf-8?q?'' in From/To/Subject


I'm getting lots of messages with UTF-8 encoding specified in the
header, e.g.:

From: =?utf-8?q?Hubert Lfa?= [EMAIL PROTECTED]
To: =?utf-8?q?Eustace Oiw?= [EMAIL PROTECTED]
Subject: =?utf-8?q?Economize 65 % or mo?=
 =?utf-8?q?re on our prescript?=
 =?utf-8?q?ions?=

I tried adding rules (SA 2.63) to match utf-8 in these fields, but
they don't work--apparently SA is decoding them before applying the
rules. There's no rawheader tag, and full seems to only include
the body.

Is there any way to match these messages? I could upgrade this system
to 3.0 if that would help.

I believe raw or rawbody will work here. Although it will slow the scans
down using raw. I pretty much gave up on using this as a spam flag. So much
more to tag on. I'd forget that one and move on. 

HTH

--Chris


Re: Spam with ``=?utf-8?q?'' in From/To/Subject

2004-11-15 Thread Theo Van Dinter
On Mon, Nov 15, 2004 at 09:19:08AM -0500, Dave Sill wrote:
 rules. There's no rawheader tag, and full seems to only include
 the body.

Actually, there is a raw header specification:

header RULE Subject:raw =~ /.../

and yes, full will only do the body since it's short for full body. ;)

-- 
Randomly Generated Tagline:
I know it's weird, but it does make it easier to write poetry in perl.:-)
  -- Larry Wall in [EMAIL PROTECTED]




Re: Score 9.9 by configuration?

2004-11-15 Thread Hanspeter Roth
  On Nov 15 at 08:38, Matt Kettler spoke:

 If you took away the 15 FVGT_TRIPWIRE_* hits the score of the message would 
 have gone down by about 10.5 points.

I'm trying to advise the admin. But I don't know his plans...

 Find the duplicates and remove them. My guess is the server has both 
 tripwire.cf (old) and 99_FVGT_Tripwire.cf (new) installed in 
 /etc/mail/spamassassin.

I forgot to mention spamassassin is running on a different server. I
have no access on that server. (/etc/mail/spamassassin is not
shared.)

 You could compensate for the misconfig by increasing score thresholds, but 
 in this case, poor performance would ensue.

My ~/.procmailrc is processed by the mail setup. But how could I
increase the `required' threshold in some kind of ~/.spamassassinrc?
(Procmail is restricted. It can't pipe. So I can't pipe to
spamassassin again.)

-Hanspeter


Recognising foreign charactersets?

2004-11-15 Thread robert
Hi,

Does anybody know if SA can be trained to recognise and deal with mail as spam
based on the characterset it's using?

ie. lately I've been getting a lot of chinese (big5) that is spam.

I've added checks myself but I'd like to know if SA is capable of this or not.







RE: Score 9.9 by configuration?

2004-11-15 Thread Martin
|-Original Message-
|From: Hanspeter Roth [mailto:[EMAIL PROTECTED] 
|Sent: 15 November 2004 16:13
|To: users@spamassassin.apache.org
|Subject: Re: Score 9.9 by configuration?
|
|  On Nov 15 at 08:38, Matt Kettler spoke:
|
| If you took away the 15 FVGT_TRIPWIRE_* hits the score of 
|the message 
| would have gone down by about 10.5 points.
|
|I'm trying to advise the admin. But I don't know his plans...
|
| Find the duplicates and remove them. My guess is the server has both 
| tripwire.cf (old) and 99_FVGT_Tripwire.cf (new) installed in 
| /etc/mail/spamassassin.
|
|I forgot to mention spamassassin is running on a different 
|server. I have no access on that server. (/etc/mail/spamassassin is not
|shared.)
|
| You could compensate for the misconfig by increasing score 
|thresholds, 
| but in this case, poor performance would ensue.
|
|My ~/.procmailrc is processed by the mail setup. But how 
|could I increase the `required' threshold in some kind of 
|~/.spamassassinrc?
|(Procmail is restricted. It can't pipe. So I can't pipe to 
|spamassassin again.)
|

You could zero out the rules u don't wish to use, so they won't trigger
further false positives, in your .spamassassin/user_prefs file assuming you
have one in your home directory.

Martin



Re: SA 3.01 + DCC + Pyzor

2004-11-15 Thread Johan Barelds
Op maandag 15 november 2004 16:07, schreef D.J. Fan:
 I get missing message body; fatal error on occasion. It is
 my guess this means there is no text in the body of the message.
 I don't think it means DCC is broken.

I *know* that dcc isn't broken.
It only doesn't work when called from SA.
In my case it isn't occasional:
--
Nov 15 16:27:44 beast dccproc[28963]: missing message body; fatal error
Nov 15 16:31:01 beast dccproc[29636]: missing message body; fatal error
Nov 15 16:39:49 beast dccproc[1791]: missing message body; fatal error
Nov 15 16:43:52 beast dccproc[4044]: missing message body; fatal error
Nov 15 16:46:46 beast dccproc[5186]: missing message body; fatal error
Nov 15 16:48:18 beast dccproc[6466]: missing message body; fatal error
Nov 15 17:03:56 beast dccproc[13719]: missing message body; fatal error
Nov 15 17:03:57 beast dccproc[13726]: missing message body; fatal error
Nov 15 17:03:58 beast dccproc[13732]: missing message body; fatal error
Nov 15 17:06:14 beast dccproc[14279]: missing message body; fatal error
Nov 15 17:08:32 beast dccproc[16140]: missing message body; fatal error
Nov 15 17:08:32 beast dccproc[16141]: missing message body; fatal error
Nov 15 17:13:21 beast dccproc[18538]: missing message body; fatal error
Nov 15 17:16:28 beast dccproc[19461]: missing message body; fatal error
Nov 15 17:18:12 beast dccproc[20943]: missing message body; fatal error
Nov 15 17:18:16 beast dccproc[20953]: missing message body; fatal error
Nov 15 17:18:16 beast dccproc[20952]: missing message body; fatal error
Nov 15 17:19:34 beast dccproc[21129]: missing message body; fatal error
Nov 15 17:29:05 beast dccproc[25884]: missing message body; fatal error
Nov 15 17:29:38 beast dccproc[25900]: missing message body; fatal error
Nov 15 17:29:38 beast dccproc[25902]: missing message body; fatal error
Nov 15 17:33:40 beast dccproc[28136]: missing message body; fatal error
Nov 15 17:34:11 beast dccproc[28303]: missing message body; fatal error
Nov 15 17:38:35 beast dccproc[30524]: missing message body; fatal error
Nov 15 17:42:10 beast dccproc[32460]: missing message body; fatal error
Nov 15 17:42:22 beast dccproc[32473]: missing message body; fatal error
Nov 15 17:57:39 beast dccproc[7228]: missing message body; fatal error
Nov 15 18:15:12 beast dccproc[15108]: missing message body; fatal error
Nov 15 18:21:43 beast dccproc[18225]: missing message body; fatal error
Nov 15 18:23:30 beast dccproc[19482]: missing message body; fatal error
--
It happens non-stop.
It looks to me that SA doesn't send the message body to dcc.
Anyone any clues?

-- 
Kind Regards / Met vriendelijke groet,

Johan Barelds   Good-IT!
Tel.+31(0)70-3965230Strijplaan 320
Mob.+31(0)6-542537502285 HZ  Rijswijk(ZH)
[EMAIL PROTECTED]   http://www.good-it.com


Re: Spam with ``=?utf-8?q?'' in From/To/Subject

2004-11-15 Thread Dave Sill
Excellent, thanks everyone. The :raw did the trick. I'm upgrading to
3.0, too.

-Dave


Re: Score 9.9 by configuration?

2004-11-15 Thread Hanspeter Roth
  On Nov 15 at 16:57, Martin spoke:

 You could zero out the rules u don't wish to use, so they won't trigger
 further false positives, in your .spamassassin/user_prefs file assuming you
 have one in your home directory.

This would be perfect if it were not unsafe.
Doesn't ~/.spamassassin/user_prefs require allow_user_rules=1 ?
It is not recommended. Is there a way to make allow_user_rules safe?

-Hanspeter


RE: Score 9.9 by configuration?

2004-11-15 Thread Dan Barker
Don't remember if you need to do this by user or not. But, if you put the
zeros in local.cf, it will do the same thing, but for everybody.

Dan

-Original Message-
From: Hanspeter Roth [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 2:23 PM
To: users@spamassassin.apache.org
Subject: Re: Score 9.9 by configuration?


  On Nov 15 at 16:57, Martin spoke:

 You could zero out the rules u don't wish to use, so they won't trigger
 further false positives, in your .spamassassin/user_prefs file assuming
you
 have one in your home directory.

This would be perfect if it were not unsafe.
Doesn't ~/.spamassassin/user_prefs require allow_user_rules=1 ?
It is not recommended. Is there a way to make allow_user_rules safe?

-Hanspeter



SpamAssassin running slow

2004-11-15 Thread Paul Crittenden
I'm running SpamAssassin 3.0.1 on a Compaq Alpha running Tru64-Unix, 
sendmail 8.12.10. I have been running SA for about 6 - 8 months on a few 
test accounts with great success. I tried to set it up so it would filter 
all of my system email for about 2500 accounts. When I set it up email in 
the queue start to back up. For instance when I started it I had 20 items 
in the queue and after I started SA the number went to 130 in about 30 
minutes. Anything I sent then appeared to be being worked on but they 
couldn't be sent.
After I stopped SA then everything cleared out of the queue in about 10 
minutes.

Any help would be appreciated.
Paul Crittenden
Computer System Manager
Simpson College
email: [EMAIL PROTECTED]
Phone: (515)961-1680
 You don't have to attend every argument you're invited to.


RE: SA 3.01 + DCC + Pyzor

2004-11-15 Thread Matthew.van.Eerde
Johan Barelds wrote:
 I *know* that dcc isn't broken.
 It only doesn't work when called from SA.
 In my case it isn't occasional:
 --
 Nov 15 16:39:49 beast dccproc[1791]: missing message body; fatal error
 --
 It happens non-stop.
 It looks to me that SA doesn't send the message body to dcc.
 Anyone any clues?

What user is SA running as?
What permissions does that user have to the temporary directory where SA spools 
the message body?  (usually /tmp)

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,


Re: SpamAssassin running slow

2004-11-15 Thread Matt Kettler
At 04:52 PM 11/15/2004, Paul Crittenden wrote:
I'm running SpamAssassin 3.0.1 on a Compaq Alpha running Tru64-Unix, 
sendmail 8.12.10. I have been running SA for about 6 - 8 months on a few 
test accounts with great success. I tried to set it up so it would filter 
all of my system email for about 2500 accounts. When I set it up email in 
the queue start to back up. For instance when I started it I had 20 items 
in the queue and after I started SA the number went to 130 in about 30 
minutes. Anything I sent then appeared to be being worked on but they 
couldn't be sent.
After I stopped SA then everything cleared out of the queue in about 10 
minutes.
How are you calling SA? just as spamassassin in procmail, or are you using 
spamd, or an integration tool like mimedefang?

How you call SA is a VERY critical detail to performance. It's hard to make 
suggestions other than broad generic suggestions:

if you're using any add-on rulesets, consider deleting all the 
large ones (any .cf file over 256k can be a problem and should be carefully 
tested for load impact on your system prior to deployment)

if you have limited CPU power and ram, consider disabling the AWL 
and/or bayes.

if you have slow network access consider disabling RBLs.
There's lots of specific suggestions however:
if you're calling spamassassin via procmail, switch to using spamc 
in procmail and start spamd. spamc/spamd is MUCH faster than plain 
spamassassin.

if you're using spamd,  tune the -m parameter to suit the amount 
of memory you have. Too many children and you exhaust memory and swap. Too 
few and you're not going as fast as you could.




Re: Score 9.9 by configuration?

2004-11-15 Thread hamann . w
 
  You could zero out the rules u don't wish to use, so they won't trigger
  further false positives, in your .spamassassin/user_prefs file assuming you
  have one in your home directory.
 
 This would be perfect if it were not unsafe.
 Doesn't ~/.spamassassin/user_prefs require allow_user_rules=1 ?
 It is not recommended. Is there a way to make allow_user_rules safe?
 
 -Hanspeter
 
Hi,

they will be safe if
- the prefs are read from a sql database rather than a text file and
- the front end that writes to the database restricts the data that can be 
inserted.

Unfortunately there are a few settings where order matters, and sql usually 
returns stuff in
no particular order

Wolfgang





WrongMX Plugin

2004-11-15 Thread Daryl C. W. O'Shea
Good afternoon,
For those interested, I've uploaded to the Wiki, and attached for your 
convenience, a plugin to detect when an email was sent to a secondary or 
lower preference MX server when a higher preference MX server was likely 
to have been available (the message was passed to the higher preference 
MX within 30 seconds).

Net::DNS is required.
It is also required that your servers' clocks are somewhat accurately set.
Daryl
package WrongMX;
use strict;
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
use Net::DNS;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless ($self, $class);
  $self->register_eval_rule("wrongmx");
  return $self;
}

sub wrongmx {
  my ($self, $permsgstatus) = @_;
  my $MAXTIMEDIFF = 30;

  return 0 if $self->{main}->{local_tests_only}; # in case plugins ever get called

  # if a user set dns_available to no we shouldn't be doing MX lookups
  return 0 unless $permsgstatus->is_dns_available();

  # avoid FPs (and wasted processing) by not checking when all_trusted
  return 0 if $permsgstatus->check_all_trusted;

  # if there is only one received header we can bail
  my $times_ref = ($permsgstatus->{received_header_times});
  return 0 if (scalar(@$times_ref) < 2); # if it only hit one server we're done

  # next we need the recipient domain's MX records... who's the recipient
  my $recipient_domain;
  if ($self->{main}->{username} =~ /\@(\S+\.\S+)/) {
    $recipient_domain = $1;
  } else {
    foreach my $to ($permsgstatus->all_to_addrs) {
      next unless defined $to;
      $to =~ tr/././s; # bug 3366?
      if ($to =~ /\@(\S+\.\S+)/) {
        $recipient_domain = $1;
        last;
      }
    }
  }
  return 0 unless defined $recipient_domain;  # no domain means no MX records

  # Now we need to get the recipient domain's MX records.
  # We'll resolve the hosts so we can look for IP overlaps.
  my $res = Net::DNS::Resolver->new;
  my @rmx = mx($res, $recipient_domain);
  my %mx_prefs;
  if (@rmx) {
    foreach my $rr (@rmx) {
      # keep the lowest preference value seen for each exchange name
      unless (exists $mx_prefs{$rr->exchange} && $mx_prefs{$rr->exchange} < $rr->preference) {
        $mx_prefs{$rr->exchange} = $rr->preference;
      }
      my @ips = $permsgstatus->lookup_a($rr->exchange);
      next unless @ips;
      foreach my $ip (@ips) {
        # same for each address the exchange resolves to
        unless (exists $mx_prefs{$ip} && $mx_prefs{$ip} < $rr->preference) {
          $mx_prefs{$ip} = $rr->preference;
        }
      }
    }
  } else {
    return 0; # no recipient domain MX records found, no way to check MX flow
  }

  # get relay hosts
  my @relays;
  foreach my $rcvd (@{$permsgstatus->{relays_trusted}},
                    @{$permsgstatus->{relays_untrusted}}) {
    push @relays, $rcvd->{by};
  }
  return 0 if (!scalar(@relays)); # this probably won't happen, but whatever

  # Bail if we don't have the same number of relays and times, or if we have
  # fewer preferences than times (or relays).
  return 0 if (scalar(@relays) != scalar(@$times_ref) || scalar(@$times_ref) >
               scalar(keys(%mx_prefs)));

  # Check to see if a higher preference relay passes mail to a lower
  # preference relay within $MAXTIMEDIFF seconds.  If we do decide that a message
  # has done this, wait till AFTER we lookup the sender domain's MX records
  # to return 1 since there may be MX overlaps that we'll bail on... see below.
  # We could do the sender domain MX lookups first, but we might as well save
  # the overhead if we're going to end up bailing anyway ($hits == 0).

  # We'll go through backwards so that we can detect weird local configs
  # that pass mail from the primary MX to the secondary MX for spam/virus
  # scanning, or even final delivery.  See BACKWARDS comment below.

  # We'll resolve the 'by' hosts found to see if they match any of our
  # resolved MX hosts' IPs.

  my $hits = 0;
  my $last_pref;
  my $last_time;
  foreach (my $i = $#relays; $i >= 0; $i--) {
    my $MX = 0;
    if (exists($mx_prefs{$relays[$i]})) {
      $MX = $relays[$i];
    } else {
      my @ips = $permsgstatus->lookup_a($relays[$i]);
      next unless @ips;

      foreach my $ip (@ips) {
        if ( exists $mx_prefs{$ip} ) {
          $MX = $ip;
          last;
        }
      }
    }
    if ($MX) {
      if (defined ($last_pref) && defined ($last_time)) {
        # BACKWARDS -- uncomment the next line if you need to pass mail from a
        # higher pref MX to a lower MX (for virus scanning/etc) AND back,
        # before SA sees it... this opens you up to FNs with forged headers
        #   last if ($mx_prefs{$MX} > $last_pref);

        $hits++ if ($mx_prefs{$MX} < $last_pref &&
          ($last_time - $MAXTIMEDIFF <= @$times_ref[$i] && @$times_ref[$i]
           <= $last_time + $MAXTIMEDIFF) ); # within max time diff
      }
      $last_pref = $mx_prefs{$MX};
      $last_time = @$times_ref[$i];
    }
    last if $hits;
  }

  # Determine the sender's domain.
  # Don't bail if we can't determine the sender since it's probably spam.
  my $sender_domain;
  

Spamassassin 3.0.1 Child Process Memory Usage

2004-11-15 Thread Mark Teel
Hello,
I recently installed version 3.0.1 - here are my particulars:
qmail-scanner 1.24
FreeBSD 5.3-RELEASE i386
spamd invoked with: -H -c -d -m 3 -r pidfile
My question is this: why do the child perl processes as displayed by 
ps ux continually increase their memory usage?

I am using the default rule set only.  I reduced the number of 
children from 5 (default apparently) to 3 because each child process 
requires 23.5 MB of memory immediately after start-up (plus another 
23.5 MB for the parent process).  From there they grow in memory 
seemingly for every message they scan.  They grow to ~26.5 MB in the 
first 4 hours, and I have quite light mail traffic (300-400 messages 
per day).

Am I missing something?  This seems like bad behavior but maybe there 
is some type of garbage collection done or somesuch that has not 
occurred yet...

Thanks,
MST


[Fwd: problems with CHARSET_FARAWAY_HEADER rule being triggered]

2004-11-15 Thread alan premselaar
[resending]
Hi,
 It's been awhile since I've participated on the list.  I've just
attempted to scour the entire net trying to find some information on
this, but I haven't found anything.
I've just installed SpamAssassin 3.01 in conjunction with MIMEDefang
2.48 on a redhat enterprise server 3.0 machine.
The problem I'm encountering is that even with ok_languages en ja and
ok_locales en ja in my config file, mails that arrive with a japanese
(iso-2022-jp) subject are triggering the CHARSET_FARAWAY_HEADERS rule.
I'm running the same setup on a redhat 9 machine with version 3.0 of
SpamAssassin and 2.45 of MIMEDefang with the same configuration options
and I'm not experiencing this problem.
Is it possible that something broke in the 3.01 update?
For the time being, I've set the CHARSET_FARAWAY_HEADER score to really
low (so I can see if it's being triggered, but so it won't push the
score up) but I'd like to be able to set it back since we occasionally
get UCE with chinese or other foreign charsets in the subject or header.
The bayes database doesn't currently have enough emails trained to be
active.  The system I'm not having the problem with has an active bayes
database.
Any assistance will of course be greatly appreciated.
Thanks,
alan


Idea for better scoring

2004-11-15 Thread Tom McClure
I run a small ISP and have installed SpamAssassin to stop spam.  It catches a 
lot of spam.  It's especially good at filtering out the worst, most offensive 
mail, but a good deal of spam still gets through the filter, even after a 
user's bayes db gets big enough to start adding the bayes tests.

I've noticed that a lot of the spam that makes it to my inbox has scores of 
between 4 and 4.9 -- mail that has scored positive on at least 5-10 rules, and 
that SA should be able to file as spam without worrying that it's a false 
positive, but doesn't.

The flaw, IMO, is the additive scoring.  Sure, a lot of these rules triggered 
in isolation should only add .3 or .1 to the final score.  But the probability 
that an item is spam should go sky high when, say, five substantially 
different .2 and .1 rules all came back positive for a single message.

The statistics should bear this out as a useful test.

Without ditching the current scoring altogether in favor of a multiplicative 
model (a la bayes), what if there were a post-analysis scoring step that just 
took into account the total number of positive rules (or rule families, if 
there is such a division)?  Instead of looking at each test as though it 
occurred in isolation, this can put all the tests into sharper context without 
throwing away a lot of scoring code.

I'm sure perceptron can come up with a more accurate gradation, but I imagine 
it would look something like this:
 0 rules - 0.0
 1 rule  - 0.0
 2 rules - 0.0
 3 rules - 0.0
 4 rules - 1.0
 5 rules - 2.0
 6 rules - 3.0
 7-10 rules - 4.0
 10+ rules - 5.0

Thoughts?
 -tom
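
The post-analysis step proposed above, as an added sketch (not from the post and not SpamAssassin code), comparing a bonus keyed on the raw count of positive rules with one keyed on rule families. Treating a shared name prefix as a family, placing exactly 10 hits in the "7-10" band, and the sample hit list are all assumptions made for the example.

```python
# Bonus gradation from the post, added after normal additive scoring.
# Assumption: exactly 10 hits belongs to "7-10", more than 10 to "10+".
def count_bonus(n):
    if n <= 3:
        return 0.0
    if n <= 6:
        return float(n - 3)
    return 4.0 if n <= 10 else 5.0


# Assumption: a "family" is a shared rule-name prefix. Rules of one family
# tend to fire together on the same text, so they are weak independent evidence.
FAMILY_PREFIXES = ("FVGT_TRIPWIRE_", "TW_")


def family(rule):
    """Map a rule name to its family, or to itself if it has none."""
    for prefix in FAMILY_PREFIXES:
        if rule.startswith(prefix):
            return prefix.rstrip("_")
    return rule


def rescore(hits, by_family):
    """hits is a list of (rule, score); returns (base, bonus, total)."""
    positive = [rule for rule, score in hits if score > 0]
    if by_family:
        n = len({family(rule) for rule in positive})
    else:
        n = len(positive)
    base = round(sum(score for _, score in hits), 2)
    bonus = count_bonus(n)
    return base, bonus, round(base + bonus, 2)


# Constructed hit list: many small hits from two families, one standalone
# rule, and a negative Bayes result.
SAMPLE_HITS = [
    ("TW_XC", 0.1), ("TW_BF", 0.1), ("TW_II", 0.1), ("TW_UH", 0.1),
    ("TW_DJ", 0.1), ("FVGT_TRIPWIRE_XC", 0.7), ("FVGT_TRIPWIRE_BF", 0.7),
    ("LOCAL_OBFU_GENERIC", 1.8), ("BAYES_00", -2.6),
]

if __name__ == "__main__":
    print("per rule:  ", rescore(SAMPLE_HITS, by_family=False))
    print("per family:", rescore(SAMPLE_HITS, by_family=True))
```

On this input the per-rule count adds 4.0 to a message Bayes considers ham, while the per-family count adds nothing, which is the false-positive risk to measure before adopting a count-based bonus.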