problems with spf and spamassassin
Hello,

I am running spamassassin 3.0.1 on debian and I am having problems with SPF records. The relevant TXT records are:

    terminus:/var/log# host -t TXT anize.org.
    anize.org TXT v=spf1 a mx ~all
    terminus:/var/log# host -t TXT terminus.anize.org
    terminus.anize.org TXT v=spf1 a -all

When I send a message via my smtp server (terminus) to myself I get a SPF_HELO_FAIL from spamassassin. I do not understand what I have done wrong. I have included the headers of the message below. Does anyone know why the SPF_HELO_FAIL is happening and/or why I am not getting a SPF_PASS? Thanks in advance...

The headers of the message are:

    From: [EMAIL PROTECTED]
    Subject: this is a test
    Date: November 25, 2004 10:49:35 PM EST
    To: [EMAIL PROTECTED]
    Return-Path: [EMAIL PROTECTED]
    X-Original-To: [EMAIL PROTECTED]
    Delivered-To: [EMAIL PROTECTED]
    Received: from localhost (localhost [127.0.0.1])
        by terminus.anize.org (Postfix) with ESMTP id 9522DB4483;
        Thu, 25 Nov 2004 22:49:37 -0500 (EST)
    Received: from terminus.anize.org ([127.0.0.1])
        by localhost (terminus [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id 02282-01; Thu, 25 Nov 2004 22:49:37 -0500 (EST)
    Received: from [192.168.10.32] (user-10bj7dq.cable.mindspring.com [64.185.157.186])
        (using TLSv1 with cipher RC4-SHA (128/128 bits))
        (No client certificate requested)
        by terminus.anize.org (Postfix) with ESMTP id 4B59FB446E
        for [EMAIL PROTECTED]; Thu, 25 Nov 2004 22:49:37 -0500 (EST)
    Mime-Version: 1.0 (Apple Message framework v619)
    Content-Transfer-Encoding: 7bit
    Message-Id: [EMAIL PROTECTED]
    Content-Type: text/plain; charset=US-ASCII; format=flowed
    X-Mailer: Apple Mail (2.619)
    X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at anize.org
    X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on terminus.anize.org
    X-Spam-Bayesscore: 0.
    X-Spam-Level:
    X-Spam-Spamtokens: 0.984-16--1h-8s--0d--H*p:U*dfc,
        0.982-2058--233h-1089s--0d--H*Ad:U*dfc,
        0.966-1351--328h-798s--0d--H*r:[EMAIL PROTECTED],
        0.952-1691--640h-1108s--0d--HTo:U*dfc,
        0.946-12--5h-8s--0d--H*F:U*dfc
    X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,SPF_HELO_FAIL
        autolearn=no version=3.0.1
    X-Spam-Hamtokens: 0.000-15--938h-0s--0d--H*x:Apple,
        0.000-15--938h-0s--0d--H*UA:Apple,
        0.000-15--927h-0s--0d--HMime-Version:framework,
        0.000-15--927h-0s--0d--HMime-Version:Message,
        0.000-15--927h-0s--0d--HMime-Version:Apple,
        0.000-15--925h-0s--0d--H*MI:11D9
    X-Spam-Pyzor: Reported 0 times.

--dfc
Douglas F. Calvert http://anize.org/dfc/ .::. GPG Key: 0xC9541FB2
A mystic in the sense that I am still mystified by things...
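
An added example, not part of the original post: a minimal SPF evaluator for the mechanisms used in the two TXT records above, run against the (HELO name, connecting IP) pair of each Received hop in the posted headers. The A and MX addresses (192.0.2.10), the envelope-sender domain anize.org, and the function and label names are assumptions, since the post does not show them.

```python
import ipaddress

# Constructed zone data. The two TXT records are the ones quoted in the post;
# the A and MX answers are placeholders from the 192.0.2.0/24 documentation
# range because the post does not show them.
ZONE = {
    ("anize.org", "TXT"): ["v=spf1 a mx ~all"],
    ("anize.org", "A"): ["192.0.2.10"],
    ("anize.org", "MX"): ["terminus.anize.org"],
    ("terminus.anize.org", "TXT"): ["v=spf1 a -all"],
    ("terminus.anize.org", "A"): ["192.0.2.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Answer a query from the constructed zone (no network access)."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def _a_matches(ip, name):
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, "A"))


def check_host(client_ip, domain):
    """SPF result for client_ip under domain's policy (a, mx, ip4, all only)."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT")
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, target = mech.lower(), (arg or domain)
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = _a_matches(ip, target)
        elif mech == "mx":
            matched = any(_a_matches(ip, mx) for mx in lookup(target, "MX"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanisms and modifiers outside this sketch
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"


def evaluate_hop(helo, client_ip, mail_from_domain="anize.org"):
    """SPF results for both identities of one SMTP hop."""
    # An address literal such as "[192.168.10.32]" or a bare host name is not
    # a fully qualified domain, so there is no HELO policy to look up.
    if helo.startswith("[") or "." not in helo:
        helo_result = "none"
    else:
        helo_result = check_host(client_ip, helo)
    return {"helo": helo_result,
            "mailfrom": check_host(client_ip, mail_from_domain)}


# (HELO name, connecting IP) as written in the post's three Received headers,
# plus one constructed hop arriving from the placeholder server address.
HOPS = {
    "client_to_postfix": ("[192.168.10.32]", "64.185.157.186"),
    "postfix_to_amavisd": ("terminus.anize.org", "127.0.0.1"),
    "amavisd_to_postfix": ("localhost", "127.0.0.1"),
    "constructed_external": ("terminus.anize.org", "192.0.2.10"),
}


def results():
    return {hop: evaluate_hop(helo, ip) for hop, (helo, ip) in HOPS.items()}


if __name__ == "__main__":
    for hop, outcome in results().items():
        print(f"{hop:22} helo={outcome['helo']:9} mailfrom={outcome['mailfrom']}")
```

The result depends entirely on which hop's HELO name and IP address the checker evaluates: under `v=spf1 a -all`, any address other than the host's own A record fails the HELO check.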
Using SA with virtual/sql mailboxes?
Hiya,

I am just building up a new POP server for our users to replace our ageing old mail server. I already have a separate machine doing Spam Assassin, which is run on a system wide basis and I just redirect certain domain names that want filtering via it.

On this new server, I am running postfix, courier-imap, postfixadmin, and all the user info is stored in mysql. The webmail interface is squirrelmail although the users won't necessarily be using it (i.e. most use POP3). The users' mailboxes live in /usr/local/virtual, and not in the /etc/passwd file.

How does one use SA in a setup like this? I don't want it system wide as I want it to be opt in by the users. In addition I want to tell spamc when run to connect to my existing separate SA server. At the moment I'm doing this on the old server within the users' .procmailrc file but am unsure which way to go with this new setup.

In addition, if there was a premade web page interface to let the users enable/disable SA filtering that would be helpful.

Cheers
Gav
Re: sa-learn ham
I agree, autolearn in conjunction with the odd manual insert works very well here, although I'm still having troubles blocking the variation of those ridiculous drugs/rx msgs.

    0.000 01781758 0 non-token data: nspam
    0.000 0 319835 0 non-token data: nham

Cheers
Gav

> While I would *not* recommend running on autolearning exclusively, it is working incredibly well here with the occasional manual sa-learn here and there. sa-learn --dump magic shows the following for my system:
>
>     0.000 0 1105 0 non-token data: nspam
>     0.000 0 28077 0 non-token data: nham
>
> That's like a 1:25 ratio of ham:spam and it is quite rare that I see any bayes scores that aren't bayes_0 or bayes_99. Of course, your mileage may and probably will vary.
>
> -Jim
Re: whitelist by M-ID and PGP?
On Thu, 2004-11-25 at 18:35, Daniel Quinlan wrote:
> Mathias Koerber [EMAIL PROTECTED] writes:
>
> > There are two tests I would like to use to whitelist incoming email.
> >
> > a) If its References: or In-Reply-To: header matches a Message-ID of a mail sent out through my server. This would require
>
> The main reason I haven't checked this in is because it's defeatable by spammers.

In what way?

> > a) recording M-IDs of outgoing emails in a formail -D manner
> > b) expiring M-IDs from that list based on available database-size and/or time in the DB
> > c) checking incoming email against that list
>
> See http://bugzilla.spamassassin.org/show_bug.cgi?id=1314

But that also wants to consider M-IDs of mails received and listed as non-spam. IMHO, a more restrictive set (only M-IDs sent from the local site are checked against) would be better and much harder to defeat. Any other mails would have to pass other tests anyway.

> > b) if incoming PGP/GPG-signed email has a matching public key in a keyring accessible by SpamAssassin (or MailScanner)
>
> Seems like a waste of time. ;-)

Why? That way I can strongly identify users I know would not spam..

> > Has anyone implemented anything like this? Any hints on how to best go about this? Or any other opinion on these (eg why these may be bad ideas)?
>
> I have the former... it needs to be turned into a plugin. That's the only way to do it now.

right, now I need to learn how to create plugins.

-- 
[EMAIL PROTECTED]
Re: whitelist by M-ID and PGP?
Mathias Koerber [EMAIL PROTECTED] writes:

> In what way?

Reply to mailing list messages.

> But that also wants to consider M-IDs of mails received and listed as non-spam. IMHO, a more restrictive set (only M-IDs sent from the local site are checked against) would be better and much harder to defeat. Any other mails would have to pass other tests anyway.

The code just predates our ability to figure out local site messages (via the ALL_TRUSTED rule), I'd use ALL_TRUSTED today.

> Why? That way I can strongly identify users I know would not spam..

Users of PGP are not the same set of people getting their mail occasionally flagged as false positives.

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
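
Steps (a) to (c) from the thread, restricted to Message-IDs of locally sent mail as the replies suggest, shown as an added example that is not code from any poster or from SpamAssassin. The class and method names, sample messages and expiry limits are constructed for illustration.

```python
import re
from collections import OrderedDict
from email import message_from_string

MSGID_RE = re.compile(r"<[^<>\s]+>")


class SentMessageIds:
    """Message-IDs of mail that left through the local server (hypothetical).

    Feed record_outgoing() only mail that originated locally; the thread
    suggests the ALL_TRUSTED rule as the way to recognise such mail.
    """

    def __init__(self, max_age=30 * 86400, max_entries=50000):
        self.max_age = max_age
        self.max_entries = max_entries
        self._ids = OrderedDict()  # Message-ID -> time recorded, oldest first

    def record_outgoing(self, raw_message, now):
        """Step (a): remember the Message-ID; returns False for a duplicate."""
        header = message_from_string(raw_message).get("Message-ID", "")
        match = MSGID_RE.search(str(header))
        if match is None:
            return False
        key = match.group(0)
        is_new = key not in self._ids
        self._ids[key] = now
        self._ids.move_to_end(key)
        self.expire(now)
        return is_new

    def expire(self, now):
        """Step (b): drop the oldest entries by age, then by database size."""
        while self._ids:
            key, recorded = next(iter(self._ids.items()))
            if now - recorded > self.max_age or len(self._ids) > self.max_entries:
                del self._ids[key]
            else:
                break

    def referenced_ids(self, raw_message, now):
        """Step (c): IDs in In-Reply-To/References that this site sent."""
        self.expire(now)
        msg = message_from_string(raw_message)
        found = []
        for header in ("In-Reply-To", "References"):
            for value in msg.get_all(header, []):
                for ref in MSGID_RE.findall(str(value)):
                    if ref in self._ids and ref not in found:
                        found.append(ref)
        return found


# Constructed sample messages (example.* domains, not from the thread).
OUTGOING = """\
From: alice@example.org
To: bob@example.net
Message-ID: <20041125.0001@mail.example.org>
Subject: lunch?

Are you free on Friday?
"""

REPLY = """\
From: bob@example.net
To: alice@example.org
Message-ID: <abc123@example.net>
In-Reply-To: <20041125.0001@mail.example.org>
References: <20041125.0001@mail.example.org>
Subject: Re: lunch?

Yes.
"""

UNRELATED = """\
From: someone@example.com
To: alice@example.org
Message-ID: <zzz@example.com>
References: <never-sent@elsewhere.example>
Subject: Re: hello

Hi.
"""


def demo():
    store = SentMessageIds(max_age=7 * 86400)
    t0 = 1101400000  # constructed timestamp
    store.record_outgoing(OUTGOING, t0)
    # The check looks only at the referenced ID, never at the sender. A
    # Message-ID posted to a mailing list is visible to every subscriber (the
    # objection raised in the thread), so treat a match as one signal to
    # weigh alongside other tests rather than as proof of a known sender.
    return {
        "reply": store.referenced_ids(REPLY, t0 + 3600),
        "unrelated": store.referenced_ids(UNRELATED, t0 + 3600),
        "reply_after_expiry": store.referenced_ids(REPLY, t0 + 8 * 86400),
    }


if __name__ == "__main__":
    print(demo())
```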
Re: No NS resolving, but Net::DNS OK
At 09:28 AM 11/26/2004 +0100, Sven Ehret wrote:
> debug: NS lookup of cingular.com failed horribly = Perhaps your resolv.conf isn't pointing at a valid server?
> debug: All NS queries failed = DNS unavailable (set dns_available to override)
> debug: is DNS available? 0
>
> Name resolving per se works:
>
> [EMAIL PROTECTED]:~ nslookup intel.com -sil
> Server: 192.168.0.1
> Address:192.168.0.1#53

Double-check your resolv.conf. Are there any servers in there which aren't valid?

Nslookup tends to be nice and try every server in resolv.conf. SA tends to be in a hurry and tends to only use the first one in the list.

try dig @192.168.0.1 for each IP in the resolv.conf.
Missed spam
This spam went through with a score of 0. I'm using 3.01 with most of the sare rulesets. Any ideas on how to catch these? Thanks, Jerry http://www.syslog.org Return-path: [EMAIL PROTECTED] Envelope-to: [EMAIL PROTECTED], [EMAIL PROTECTED] Delivery-date: Thu, 25 Nov 2004 14:53:39 -0500 Received: from [222.76.179.18] (helo=irishlover.net) by stelesys.com with smtp (Exim 4.43 (FreeBSD)) id 1CXPgN-000EzG-OE; Thu, 25 Nov 2004 14:53:39 -0500 Message-ID: [EMAIL PROTECTED] Date: Thu, 25 Nov 2004 21:24:31 + From: abe pasquino [EMAIL PROTECTED] User-Agent: fostering Program V Mail Client 5.0 MIME-Version: 1.0 To: thurman rand [EMAIL PROTECTED] Subject: internet rx refill-great deals on meds Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit overnight delivery for orders meds hotline--low priced meds Over 600 meds available for sexual health, allergy, asthma, sleeping disorder, obesity, pain relief, sexual health, anxiety relief and hypertension. lower price the pharmacy could offfer http://Lu.Yr.goodofurs.com/?Bdyqebamvl9Pq9Nb1Cld778629Rl=233166Hwk It is really FAST and EASY for me. Just get the rx refilled online with internet pharmacy. Virginia `Hark!' said The Vengeance. `Listen, then! Who comes?'As if a train of powder laid from the outermost bound of the Saint Antoine Quarter to the wine-shop door, hada bitter day, he wore no coat, but carried one slung over his shoulder. His shirt-sleeves were rolled up, too,jttmaille51 nurkanvaltaukset 01 nostrilsmarjukka apulaisverotarkastajalle
Re: Missed spam
Jerry Bell wrote: This spam went through with a score of 0. I'm using 3.01 with most of the sare rulesets. Any ideas on how to catch these? Thanks, Jerry http://www.syslog.org Umm..i dont see any SA headers..you sure this message was actually scanned? -Jim
Re: Missed spam
I'm using SA through exim/exiscan, and I've got it set up to only report if it is spam. Guess I should change that. The SA logs showing it getting a score of 0. SA is working really well for me the other 99% of the time. Jerry Jerry Bell wrote: This spam went through with a score of 0. I'm using 3.01 with most of the sare rulesets. Any ideas on how to catch these? Thanks, Jerry http://www.syslog.org Umm..i dont see any SA headers..you sure this message was actually scanned? -Jim
My IP listed in dnsbl.sorbs.net
I was messing around with fetchmail yesterday seeing if I could get it to work for the first time. After playing with it for a few hours and seeing that it was working I happened to notice one of my crontab messages was in the right folder, but marked as spam. Looking at the headers and spam report I saw this:

    X-Spam-Prev-Subject: Cron [EMAIL PROTECTED] /etc/rc.d/init.d/spamassassin restart
    X-Spam-DCC: dcc3mcgill cpollock 1275; Body=17 Fuz1=471
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on cpollock
    X-Spam-Level: ***
    X-Spam-Status: Yes, score=7.0 required=5.0 tests=BAYES_50,NO_DNS_FOR_FROM,
        PYZOR_CHECK,RCVD_IN_SORBS_DUL autolearn=disabled version=3.0.1
    X-Spam-Pyzor: Reported 0 times.
    X-Spam-Report:
        * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        *     [score: 0.4742]
        * 3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
        * 1.6 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
        * 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
        *     [69.68.226.5 listed in dnsbl.sorbs.net]

I'm using Sprint DSL, not a dial-up connection. I've contacted sorbs about this and am awaiting an answer. I've quit using fetchmail for now. Any ideas on why this happened?

-- 
Chris
Registered Linux User 283774 http://counter.li.org
9:27am up 22 days, 13:55, 1 user, load average: 0.21, 0.12, 0.03
There's another way to survive. Mutual trust -- and help. -- Kirk, Day of the Dove, stardate unknown
Re: Missed spam
Jerry Bell wrote: I'm using SA through exim/exiscan, and I've got it set up to only report if it is spam. Guess I should change that. The SA logs showing it getting a score of 0. SA is working really well for me the other 99% of the time. Jerry Jerry Bell wrote: This spam went through with a score of 0. I'm using 3.01 with most of the sare rulesets. Any ideas on how to catch these? Thanks, Jerry http://www.syslog.org Umm..i dont see any SA headers..you sure this message was actually scanned? 
-Jim

Content analysis details: (6.1 points, 5.0 required)

     pts rule name               description
    ---- ----------------------- ------------------------------------------------
     1.9 DATE_MISSING            Missing Date: header
     2.0 FROM_NO_LOWER           'From' has no lower-case characters
    -0.0 BAYES_44                BODY: Bayesian spam probability is 44 to 50%
                                 [score: 0.4638]
     1.1 RAZOR2_CF_RANGE_51_100  BODY: Razor2 gives confidence between 51 and 100
                                 [cf: 100]
     1.0 RAZOR2_CHECK            Listed in Razor2 (http://razor.sf.net/)

I am running 2.64 with no extra rules. Had this been received at my system, the bayes score would most likely have been higher as well.

-Jim
Re: My IP listed in dnsbl.sorbs.net
On 11/26/2004 4:42 PM +0200, Chris wrote: I'm using Sprint DSL, not a dial-up connection. I've contacted sorbs about this and am awaiting an answer. I've quit using fetchmail for now. Any ideas on why this happened? That sorbs sublist considers most cable/dsl connections as DUL. Niek -- Use plain text: http://www.geoapps.com/nomime.shtml Learn to quote:http://www.netmeister.org/news/learn2quote2.html Avoid disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers
Re: Missed spam
I wonder if my bayes db has been poisoned to the point of thinking this is ham? In the logs, it autolearned this one as ham, so I suspect that may be the case. Jerry Bell wrote: I'm using SA through exim/exiscan, and I've got it set up to only report if it is spam. Guess I should change that. The SA logs showing it getting a score of 0. SA is working really well for me the other 99% of the time. Jerry Jerry Bell wrote: This spam went through with a score of 0. I'm using 3.01 with most of the sare rulesets. Any ideas on how to catch these? Thanks, Jerry http://www.syslog.org Umm..i dont see any SA headers..you sure this message was actually scanned? -Jim Content analysis details: (6.1 points, 5.0 required) pts rule name description -- -- 1.9 DATE_MISSING Missing Date: header 2.0 FROM_NO_LOWER 'From' has no lower-case characters -0.0 BAYES_44 BODY: Bayesian spam probability is 44 to 50% [score: 0.4638] 1.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100 [cf: 100] 1.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) I am running 2.64 with no extra rules. Had this been received at my system, the bayes score would most likely have been higher as well. -Jim
Re: My IP listed in dnsbl.sorbs.net
Chris wrote: I was messing around with fetchmail yesterday seeing if I could get it to work for the first time. After playing with it for a few hours and seeing that it was working I happened to notice one of my crontab messages was in the right folder, but marked as spam. Looking at the headers and spam report I saw this: X-Spam-Prev-Subject: Cron [EMAIL PROTECTED] /etc/rc.d/init.d/spamassassin restart X-Spam-DCC: dcc3mcgill cpollock 1275; Body=17 Fuz1=471 X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on cpollock X-Spam-Level: *** X-Spam-Status: Yes, score=7.0 required=5.0 tests=BAYES_50,NO_DNS_FOR_FROM, PYZOR_CHECK,RCVD_IN_SORBS_DUL autolearn=disabled version=3.0.1 X-Spam-Pyzor: Reported 0 times. X-Spam-Report: * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% * [score: 0.4742] * 3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/) * 1.6 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records * 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address * [69.68.226.5 listed in dnsbl.sorbs.net] I'm using Sprint DSL, not a dial-up connection. I've contacted sorbs about this and am awaiting an answer. I've quit using fetchmail for now. Any ideas on why this happened? Id say its because you have a dynamic ip address. You might want to send all mail out through your isp's mail servers instead. -Jim
Re: My IP listed in dnsbl.sorbs.net
A) Is your ip dynamic? B) Has your isp listed all it's IP as being res/dynamic? (Most, if not all, ISP's will list their DSL/Cable ip's as being dynamic for some reason or another (lazyness imo), my home one is listed as dynamic, however, it's static (I paid for it) the big reason is their policies.) C) Good luck having it unlisted. Thanks, JamesDR Chris wrote: I was messing around with fetchmail yesterday seeing if I could get it to work for the first time. After playing with it for a few hours and seeing that it was working I happened to notice one of my crontab messages was in the right folder, but marked as spam. Looking at the headers and spam report I saw this: X-Spam-Prev-Subject: Cron [EMAIL PROTECTED] /etc/rc.d/init.d/spamassassin restart X-Spam-DCC: dcc3mcgill cpollock 1275; Body=17 Fuz1=471 X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on cpollock X-Spam-Level: *** X-Spam-Status: Yes, score=7.0 required=5.0 tests=BAYES_50,NO_DNS_FOR_FROM, PYZOR_CHECK,RCVD_IN_SORBS_DUL autolearn=disabled version=3.0.1 X-Spam-Pyzor: Reported 0 times. X-Spam-Report: * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% * [score: 0.4742] * 3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/) * 1.6 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records * 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address * [69.68.226.5 listed in dnsbl.sorbs.net] I'm using Sprint DSL, not a dial-up connection. I've contacted sorbs about this and am awaiting an answer. I've quit using fetchmail for now. Any ideas on why this happened?
Re: Missed spam
Jerry Bell wrote: I wonder if my bayes db has been poisoned to the point of thinking this is ham? In the logs, it autolearned this one as ham, so I suspect that may be the case. You say it scored 0 points..does this mean it triggered no rules or the + - rules totaled up to 0? Regardless of bayes poisoning, you should still see *some* rules. Its possible i suppose that it could have triggered bayes_50 and produced no score. Either way, it looks like there may be a bigger problem with this message. Its rare the a message comes through that doesnt trigger *any* rules. I'd try running it through your installation of SA again and see if it scores differently this time. -Jim
Re: Missed spam
When I run it manually, this is what I get: X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on db.stelesys.com X-Spam-Status: No, score=0.1 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.1 X-Spam-Level: What's this best way to get it out of the AWL and bayes? Thanks for the help! It looks like its in the whitelist and scoring low in bayes. Jerry Bell wrote: I wonder if my bayes db has been poisoned to the point of thinking this is ham? In the logs, it autolearned this one as ham, so I suspect that may be the case. You say it scored 0 points..does this mean it triggered no rules or the + - rules totaled up to 0? Regardless of bayes poisoning, you should still see *some* rules. Its possible i suppose that it could have triggered bayes_50 and produced no score. Either way, it looks like there may be a bigger problem with this message. Its rare the a message comes through that doesnt trigger *any* rules. I'd try running it through your installation of SA again and see if it scores differently this time. -Jim
Re: My IP listed in dnsbl.sorbs.net
On Friday 26 November 2004 09:54 am, Jim Maul wrote: I'm using Sprint DSL, not a dial-up connection. I've contacted sorbs about this and am awaiting an answer. I've quit using fetchmail for now. Any ideas on why this happened? Id say its because you have a dynamic ip address. You might want to send all mail out through your isp's mail servers instead. All msgs do go through EL, AFAIK, here are two headers, the first from a msg not marked as spam, the second the headers from the msg tagged by sorbs: Status: R Return-Path: [EMAIL PROTECTED] Received: from chris.localdomain ([69.68.226.5]) by bunting.mail.pas.earthlink.net (EarthLink SMTP Server) with ESMTP id 1cxqfG3Jo3NZFmR2 for [EMAIL PROTECTED]; Thu, 25 Nov 2004 12:30:04 -0800 (PST) Received: by chris.localdomain (Postfix) id 383C9584005; Thu, 25 Nov 2004 14:30:03 -0600 (CST) Delivered-To: [EMAIL PROTECTED] Received: by chris.localdomain (Postfix, from userid 0) id 16568584002; Thu, 25 Nov 2004 15:30:03 -0500 (EST) From: [EMAIL PROTECTED] (Cron Daemon) To: [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Received: from localhost (localhost.localdomain [127.0.0.1]) by chris.localdomain (Postfix) with ESMTP id ACD7E584002 for [EMAIL PROTECTED]; Thu, 25 Nov 2004 19:30:58 -0500 (EST) Status: R Received: from pop.earthlink.net [207.217.121.215] by localhost with POP3 (fetchmail-6.1.0) for [EMAIL PROTECTED] (single-drop); Thu, 25 Nov 2004 18:30:58 -0600 (CST) Received: from chris.localdomain ([69.68.226.5]) by mx-a065b05.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1cxu014b33NZFpL1 for [EMAIL PROTECTED]; Thu, 25 Nov 2004 16:30:09 -0800 (PST) Received: by chris.localdomain (Postfix) id 46D0B584005; Thu, 25 Nov 2004 18:30:08 -0600 (CST) Delivered-To: [EMAIL PROTECTED] Received: by chris.localdomain (Postfix, from userid 0) id 239B7584002; Thu, 25 Nov 2004 19:30:08 -0500 (EST) From: [EMAIL PROTECTED] (Cron Daemon) To: [EMAIL PROTECTED] I can see there is quite a bit of 
difference between the 1st set of headers, (not marked as spam) and the 2nd set which was. I guess that since I used fetchmail to do the pickup from EL, which placed the mail in /var/spool/mail then SA was ran against that rather than having Kmail do the pickup and filtering it directly to my 'cron' folder is what made the difference. So, what would be the work around to not get tagged by sorbs for this? Thanks for any help -- Chris Registered Linux User 283774 http://counter.li.org 10:06am up 22 days, 14:34, 1 user, load average: 0.09, 0.10, 0.08 The best way to accelerate a Macintoy is at 9.8 meters per second per second.
Re: My IP listed in dnsbl.sorbs.net
On Friday 26 November 2004 10:18 am, Ron McKeating wrote: Hmmm, but I have my own domain, and I want all my email to come from my domain, my isp will not route email from my domain (ntl) through their mail servers, they want my to use my [EMAIL PROTECTED] account. I want to use my [EMAIL PROTECTED] account. I really do disagree with this wholesale blacklisting of people who are perfectly responsible internet users, who happen to have their own mail-server on their cable lines. Ron -Jim However, I do not run a mail server, the offending msg came from the fact that every 4hrs I restart spamd and have the output of the crontab mailed to me. I also have the results of the rootkit hunter cronjob mailed to me daily. Is the problem caused by the fact that the mail is sent from chris.localdomain to EL? -- Chris Registered Linux User 283774 http://counter.li.org 10:20am up 22 days, 14:48, 1 user, load average: 0.16, 0.22, 0.14 Stealing a rhinoceros should not be attempted lightly.
Re: Missed spam
Jerry Bell wrote: When I run it manually, this is what I get: X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on db.stelesys.com X-Spam-Status: No, score=0.1 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.1 X-Spam-Level: What's this best way to get it out of the AWL and bayes? Thanks for the help! It looks like its in the whitelist and scoring low in bayes. You can re-learn it as something else (spam) and it will be corrected in bayes. You can also choose to --forget it and it will be gone from the database completely. As far as the AWL goes, im not sure. I dont use whitelists. You may just be able to remove the whitelist files themselves. -Jim
RE: My IP listed in dnsbl.sorbs.net
Id say its because you have a dynamic ip address. You might want to send all mail out through your isp's mail servers instead. Hmmm, but I have my own domain, and I want all my email to come from my domain, my isp will not route email from my domain (ntl) through their mail servers, they want my to use my [EMAIL PROTECTED] account. [cut] I happen to agree with you as I have the same problem. (Telewest Cable). That said, out of interest (madness?) I put them on my own domain on the SMTP checks, rejecting if in a BL. Looking at the logs, out of 450 drops, 2 were valid email. For the responsible, who can run a mail server, I agree it's a pain but I can easily justify with those stats too. A way round this would be to use SPF, and maybe give this a weighting the same of the DNS, tho the moral of the story is, if you don't like the way a BL blacklists (five-ten and dnsl.sorbs are the same in this respect) don't use them!. Ta Chris
Re: spamd process using too much cpu
Problem solved. The thing was the LANG variable: it was set to en_US.UTF-8, I set it to en_US and that was the end of the problem. :-X

RB,
Matías

P.S. It is still getting too much spam through, where should I read to solve this??

Matías López Bergero wrote:
> Hello Matt,
>
> Thank you for your answer,
>
> Matt Kettler wrote:
> > At 04:13 PM 11/18/2004, Matias Lopez Bergero wrote:
> > > I'm seeing a heavy cpu usage in some process of spamd for a long time and sometimes they just hang there until I kill them (usage goes from 80% to 97%). Also my system is reporting a high iowait load and a high disk usage that stops if I shutdown spamassassin processes. This is normal? Anyone with the same problem??
> >
> > Define for a long time... Minutes? Hours?
>
> Less than a minute, but when it hangs, it hangs there until I kill it. I have noticed that this spamd process hanging is occurring with the same user almost all the times. That means anything to you?
>
> > From the sounds of it, it looks like SA is doing an opportunistic expiry on your bayes DB.. But that should only take a few minutes unless things are really haywire or your box is really slow.
> >
> > Try running a sa-learn -D --force-expire on the command line and see if that runs smoothly.
> >
> > Also, look around for bayes_toks.expirepid # files laying around next to your bayes DB.. that's a very clear sign SA is being killed while running expiry.
>
> I'm going to try that. Thanks again!
>
> BR,
> Matías.
Re: long scanning time
Rainer Bendig aka Ny wrote:
> I am using spamassassin Version 3.0.1-1 from debian unstable and I am invoking spamc via my ~/.procmailrc as posted here:
>
> And for a 8593 bytes large e-Mail it needs 6.3 seconds to scan (spamd syslog message)
>
> The neg of the bottle is not the hardware, its overhead for spamscanning... P4 2.8 GHz, 1024 Megs of RAM

I have almost the same system, Xeon 2.80GHz, 1,5GB of memory, and I was experiencing the same problem until I read this:

http://wiki.apache.org/spamassassin/Utf8Performance

Maybe it helps you.

BR,
Matías.
bayes_xx rules - stupid newbie question
[off topic from the rest of my post: wow spamd uses a lot of memory! I limited it to 5 processes because each one is 22-26 megs!] Okay, I can't seem to find anything on the bayes_xx rules (bayes_20, bayes_50, etc) via google. My apologies but I cannot find a reasonable FM to read, basically. I'm using 3.01 now, and on the plus side of things, 100% of the mail that SA is marking as spam is spam - NO false positives thus far. Hooray for that. On the minus side, no matter how many times I send some messages to my Learn Spam folder (where it's processed and emptied nightly), certain messages I get many times a day still are not marked as spam. Mostly rolex watch spams, but there are others as well. On all of these messages, I've noticed rules like BAYES_00, BAYES_20, etc., which I'm assuming are score droppers that reduce the spam score of an email. How can I find out what triggers these rules, and stop it from happening on these emails? Where is the bayes database even stored by default? (I certainly haven't changed it, so it should be there). I'm sure this is an elementary retard question, but I swear to you helpful readers I've googled and can't find squat. Any help would be appreciated. Thanks. Steve
TIMING [total 846599 ms] ???
Hi I've just noticed two messages tonight which for some reason kept up my SpamAssassin 2.64 for nearly 15 and 7 Minutes respectively!!? My log shows for those two messages: Nov 26 19:30:40 mindblow amavisd[3846]: (03846-09) TIMING [total 846599 ms] - SMTP LHLO: 5 (0%), SMTP pre-MAIL: 3 (0%), SMTP pre-DATA-flush: 8 (0%), SMTP DATA: 79 (0%), body hash: 3 (0%), mime_decode: 47 (0%), get-file-type: 29 (0%), decompose_part: 3 (0%), parts: 0 (0%), AV-scan-1: 852 (0%), SA msg read: 8 (0%), SA parse: 7 (0%), SA check: 845092 (100%), write-header: 16 (0%), fwd-bsmtp: 3 (0%), fwd-connect: 147 (0%), fwd-mail-from: 38 (0%), fwd-rcpt-to: 8 (0%), write-header: 16 (0%), fwd-data: 90 (0%), fwd-data-end: 123 (0%), fwd-rundown: 4 (0%), unlink-1-files: 19 (0%), rundown: 1 (0%) Nov 26 19:37:20 mindblow amavisd[3846]: (03846-09-2) TIMING [total 400053 ms] - SMTP pre-DATA-flush: 8 (0%), SMTP DATA: 400044 (100%), unlink-0-files: 1 (0%), rundown: 1 (0%) The first spent all the time on SA - while it seems the second apparently got some SMTP timeout... (might be related to the first one?) The first message is a quite big Spammail, consisting of only about 4 Lines of body but being of size 28k. It's a HTML Mail with lots of bayes poisoning and opening and closing tags... Might those VERY long lines be a Problem for SA? When using -D on spamassassin to check it directly, it gets with normal speed until it reaches this: debug: running raw-body-text per-line regexp tests; score so far=8.789 There it stays for ages, using 100% cpu. Any known problem? I'd be happy to provide the mail in question to anyone interested. Thanks a lot! Matt
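A small parser for amavisd TIMING lines like the two quoted in the post above, added here as an example and not part of the original thread: it reports which stage consumed the time for each slow message. The 60-second threshold and the function names are assumptions.

```python
import re

# The two amavisd TIMING lines quoted in the post above, with the line-wrap
# breaks repaired; the first stage list is shortened, values unchanged.
SAMPLE_LOG = [
    "Nov 26 19:30:40 mindblow amavisd[3846]: (03846-09) TIMING [total 846599 ms] - "
    "SMTP LHLO: 5 (0%), SMTP DATA: 79 (0%), AV-scan-1: 852 (0%), "
    "SA check: 845092 (100%), write-header: 16 (0%), fwd-connect: 147 (0%), "
    "write-header: 16 (0%), rundown: 1 (0%)",
    "Nov 26 19:37:20 mindblow amavisd[3846]: (03846-09-2) TIMING [total 400053 ms] - "
    "SMTP pre-DATA-flush: 8 (0%), SMTP DATA: 400044 (100%), "
    "unlink-0-files: 1 (0%), rundown: 1 (0%)",
]

TIMING_RE = re.compile(
    r"\((?P<id>[\d-]+)\) TIMING \[total (?P<total>\d+) ms\] - (?P<stages>.*)$")
STAGE_RE = re.compile(r"\s*(?P<name>[^:,]+): (?P<ms>\d+) \(\d+%\)")


def parse_timing(line):
    """Return (msg_id, total_ms, {stage: ms}), or None for other log lines."""
    m = TIMING_RE.search(line)
    if not m:
        return None
    stages = {}
    for s in STAGE_RE.finditer(m.group("stages")):
        # A stage name can repeat (write-header above), so accumulate.
        stages[s.group("name")] = stages.get(s.group("name"), 0) + int(s.group("ms"))
    return m.group("id"), int(m.group("total")), stages


def slow_messages(lines, threshold_ms=60_000):
    """Report messages at or over threshold_ms with their dominant stage."""
    hits = []
    for line in lines:
        parsed = parse_timing(line)
        if parsed is None or parsed[1] < threshold_ms or not parsed[2]:
            continue
        msg_id, total, stages = parsed
        stage, ms = max(stages.items(), key=lambda kv: kv[1])
        hits.append({"id": msg_id, "total_ms": total, "stage": stage,
                     "share": round(ms / total, 3)})
    return hits


if __name__ == "__main__":
    for hit in slow_messages(SAMPLE_LOG):
        print(hit)
```

Run over a mail log, this separates messages stalled in the SA check stage from those stalled in SMTP DATA, the two cases the post describes.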
Re: long scanning time
Hi Matias Lopez Bergero, *, Matias Lopez Bergero wrote on Fri Nov 26, 2004 at 04:27:20PM -0300: http://wiki.apache.org/spamassassin/Utf8Performance Maybe it helps you. No it didn't. I am not running on UTF8 ... my System is still set to [EMAIL PROTECTED]:~$ locale [EMAIL PROTECTED] LC_CTYPE=[EMAIL PROTECTED] LC_NUMERIC=[EMAIL PROTECTED] LC_TIME=[EMAIL PROTECTED] LC_COLLATE=[EMAIL PROTECTED] LC_MONETARY=[EMAIL PROTECTED] LC_MESSAGES=[EMAIL PROTECTED] LC_PAPER=[EMAIL PROTECTED] LC_NAME=[EMAIL PROTECTED] LC_ADDRESS=[EMAIL PROTECTED] LC_TELEPHONE=[EMAIL PROTECTED] LC_MEASUREMENT=[EMAIL PROTECTED] LC_IDENTIFICATION=[EMAIL PROTECTED] LC_ALL= -- Rainer 'Ny' Bendig | http://UnresolvedIssue.org | GPG-Key: 0xCC7EA575
RE: TIMING [total 846599 ms] ???
debug: running raw-body-text per-line regexp tests; score so far=8.789 There it stays for ages, using 100% cpu Any known problem? I'd be happy to provide the mail in question to anyone interested. Time for you to upgrade. If the problem still exists in 3.0.1, please let us know. :) Dallas
Re: TIMING [total 846599 ms] ???
Dallas L. Engelken wrote: debug: running raw-body-text per-line regexp tests; score so far=8.789 There it stays for ages, using 100% cpu Any known problem? I'd be happy to provide the mail in question to anyone interested. Time for you to upgrade. If the problem still exists in 3.0.1, please let us know. :) Dallas Yeah I know, but since I need to update amavis as well for that I'm a bit cautious and will first have to test the whole setup on a test machine, which at the moment I just don't have time for. But if you want I can send you the msg so that you can test it on 301 if you're interested. Matt