Re: consensus on SPF
On Tue, 14 Dec 2004, Clarke Brunt wrote: it seems to me that a 'fail' result is a perfectly good reason to reject a message outright, which is what I do (without it even being passed to SpamAssassin). How many users do you have? Do none of them have vanity addresses? Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ LYME REGIS TO LANDS END INCLUDING THE ISLES OF SCILLY: SOUTHWEST 4 OR 5. RAIN AT TIMES. MODERATE OR POOR. MODERATE.
Re: Debugging lack of network tests
On Tue, 14 Dec 2004, Matt Kettler stated: At 06:27 PM 12/14/2004, Nix wrote: dig doesn't use the local nameserver unless you're looking up a name there: it queries remote nameservers directly. No it does not. By default, dig uses the nameservers in resolv.conf. Check your dig output sometime. I did, but I must have misread it (repeatedly!). My apologies for spreading misinformation :( (Maybe this was true in the BIND 8 days? hmm...) -- `The sword we forged has turned upon us Only now, at the end of all things do we see The lamp-bearer dies; only the lamp burns on.'
Re: consensus on SPF
From: Clarke Brunt [EMAIL PROTECTED] jdow wrote: Even more to the point SPF is NOT a reason to accept or reject mail. All it does is verify the domain from which it originated. That is a tool for SCORING spam not for outright elimination of messages that have bad SPF records and accepting those that have good SPF records. It is perfectly legitimate for a spammer to build his own SPF record and get approved by such mal-configured tools. All the SPF record does is give you confidence of the veracity of one hop in the chain. I agree that a 'pass' result from an SPF test does nothing to show that a message isn't spam (so I go on to use SpamAssassin on it), but it seems to me that a 'fail' result is a perfectly good reason to reject a message outright, which is what I do (without it even being passed to SpamAssassin). After all, a 'fail' result means that the owner of the domain from which the message purports to come has gone to some trouble to set up an SPF record saying mail from my domain will only ever arrive at your mail server directly from the following list of servers..., please feel free to reject any which pretends to be from my domain but which comes from _other_ servers. It's more than one hop in the chain - it's the _last_ hop, from _somewhere_ to my mail server, the one that I can be certain of without looking at headers, because I can _see_ what IP address is talking to my server. We've just had one of the cases wherein a failed SPF record is no help at all float by our eyes. Rejecting on one single criterion is generally a bad idea. SPF in itself does not prove a whole lot due to the way ISPs set themselves up. The chief thing SPF does is clutter up name server traffic to prove something of little or no use when scoring spam. Now, if we all had a nice government imposed encrypted stamp to place on our email to validate it would even that prove squat?
(In the mobile user's case, however, he could help make his SPF more meaningful and everyone else's if he tunneled email in through a secure route even as relatively insecure as smtp auth on a port other than 25. A ppp tunnel to his system'd work even better if slower.) {^_^}
Re: consensus on SPF
From: Kevin W. Gagel [EMAIL PROTECTED] From: jdow [EMAIL PROTECTED] From: Clarke Brunt [EMAIL PROTECTED] Jonathan Nichols wrote: ---snip--- Even more to the point SPF is NOT a reason to accept or reject mail. All it does is verify the domain from which it originated. That is a tool for SCORING spam not for outright elimination of messages that have bad SPF records and accepting those that have good SPF records. It is perfectly legitimate for a spammer to build his own SPF record and get approved by such mal-configured tools. All the SPF record does is give you confidence of the veracity of one hop in the chain. The intent of SPF was to provide a mechanism to verify that the sending server and the claimed domain the mail was from was the same. A failure allows the email admin to do what they want at that point. Discard, reject, bounce or send it through a tagging system like SA. In other words it was designed to allow you to reject IF you want to. So yes, it is a reason to accept or reject - IF that is what they want to do. I don't because it has not yet gained the widespread acceptance needed to help me reduce my workload. But I have published records to help others reject mail claiming to come from my domain. In fact since publishing the records I have not had complaints coming to me about forged spam. So I think it's starting to gain acceptance and doing what it's intended to do. All well and good. But if you perform an engineering analysis on its failure mechanisms it's not really telling you much of anything that is useful given the vagaries of the Internet today. People have not figured out everything you have to go through to make your own SPF records safe and useable for yourself when legitimate recipients may be overreacting to erroneous SPF records. At the moment any serious reliance on SPF failure will up your false positive rate. IMOAO the false positive is a FAR greater annoyance than the missed spam.
And if the false positive results in rejected emails this can be both very expensive and exquisitely annoying to users. If YOU are the only user then you have performed your own analysis and accept the risks. If it is part of a large ISP you might want to rethink your employer's risks in summarily rejecting emails solely on the basis of a failed SPF record at a time that this is fairly well expected to happen on quite legitimate emails. {^_^}
Re: need a rule to whitelist spamassassin users group
From: David B Funk [EMAIL PROTECTED] On Tue, 14 Dec 2004, Andy Norris wrote: In that case, this leads to another question -- how, then, to reliably whitelist eBay? I would imagine they are a big target of forgers? I tried def_whitelist_from_rcvd [EMAIL PROTECTED] ebay.com but that didn't work. Now I just have whitelist_from [EMAIL PROTECTED] yes . With those caveats, def_whitelist_from_rcvd works just fine, I've got a local config file with hundreds of them to make sure that all sorts of potentially troublesome messages get properly delivered (EG lists like this one, Yahoo groups messages, Airline notices, etc). FYI, whitelist_from_rcvd entry for this list looks like:

whitelist_from_rcvd [EMAIL PROTECTED] apache.org

By using the wild-card for the mail host ([EMAIL PROTECTED]) it works for lots of apache.org projects lists. ;) My eBay entries look like:

def_whitelist_from_rcvd [EMAIL PROTECTED]ebay.com
def_whitelist_from_rcvd [EMAIL PROTECTED] ebay.com
def_whitelist_from_rcvd [EMAIL PROTECTED]emailebay.com
def_whitelist_from_rcvd [EMAIL PROTECTED] emailebay.com

Of course, for the spamassassin lists I found something like what I did in procmail is best:

---9---
:0 fw: spamassassin.lock
* 25
* !^List-Id: .*(spamassassin\.apache\.org)
| /usr/bin/spamc -t 150
---9---

{^_^}
Re: need a rule to whitelist spamassassin users group
From: David B Funk [EMAIL PROTECTED] On Tue, 14 Dec 2004, jdow wrote: Of course, for the spamassassin lists I found something like what I did in procmail is best:

---9---
:0 fw: spamassassin.lock
* 25
* !^List-Id: .*(spamassassin\.apache\.org)
| /usr/bin/spamc -t 150
---9---

{^_^} Ahh, I see. OK spammers, to blast Jane with spam just forge a spamassassin.apache.org List-Id header in your messages. It'll then waltz right past her filter. ;) The whole reason for the complexity of whitelist_from_rcvd is the work that it does to make it immune to header forgeries. That changes to another indicator or a set of indicators once the spammers attempt that List-Id: thing. Meantime it is an easy trick. {^_-}Joanne
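The difference between the two whitelisting approaches in this exchange, as an added example (not code from either poster or from SpamAssassin): a List-Id match trusts a header the sender writes, while a whitelist_from_rcvd-style check also requires that the relay name recorded by the receiving MX falls under the listed domain. The MX name mx.example.net, the host names, the address glob and both messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

TRUSTED_MX = "mx.example.net"   # assumption: the only host whose Received line we trust

# Postfix-style "from HELO (rdns [ip]) by host" prefix of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)")

def list_id_bypass(msg):
    """Same test as the procmail condition: does any List-Id name the list?"""
    return any(re.search(r"spamassassin\.apache\.org", value)
               for value in msg.get_all("List-Id", []))

def handoff_relay(msg):
    """Reverse-DNS name our own MX recorded for the connecting host, else None.

    Only the topmost Received header is examined: it is the one our MX
    prepended. Everything below it arrived with the message and may be forged.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = RECEIVED_RE.match(" ".join(received[0].split()))
    if not m or m.group("by").lower() != TRUSTED_MX:
        return None
    return m.group("rdns").lower()

def rcvd_whitelisted(msg, addr_glob, relay_domain):
    """Sender address must match the glob AND the hand-off relay must be in relay_domain."""
    sender = parseaddr(msg.get("Return-Path", ""))[1].lower()
    rdns = handoff_relay(msg)
    if rdns is None:
        return False
    relay_ok = rdns == relay_domain or rdns.endswith("." + relay_domain)
    return relay_ok and fnmatchcase(sender, addr_glob)

# Constructed sample: list mail handed to our MX by a host under apache.org.
LIST_MAIL = """\
Received: from listhost.apache.org (listhost.apache.org [192.0.2.80]) by mx.example.net with ESMTP; Tue, 14 Dec 2004 20:00:00 +0000
Return-Path: <users-return-1@spamassassin.apache.org>
From: poster@example.org
List-Id: <users.spamassassin.apache.org>
Subject: Re: consensus on SPF

body
"""

# Constructed sample: same List-Id and envelope sender, plus a made-up lower
# Received line, but our MX recorded a different connecting host.
FORGED_MAIL = """\
Received: from listhost.apache.org (dsl-9.isp.example [203.0.113.9]) by mx.example.net with ESMTP; Tue, 14 Dec 2004 20:05:00 +0000
Received: from listhost.apache.org (listhost.apache.org [192.0.2.80]) by mx.example.net with ESMTP; Tue, 14 Dec 2004 20:04:00 +0000
Return-Path: <users-return-1@spamassassin.apache.org>
From: poster@example.org
List-Id: <users.spamassassin.apache.org>
Subject: want a watch?

body
"""

def verdicts():
    """(List-Id check, relay-based check) for each sample message."""
    out = {}
    for name, raw in (("list mail", LIST_MAIL), ("forged mail", FORGED_MAIL)):
        msg = message_from_string(raw)
        out[name] = (list_id_bypass(msg),
                     rcvd_whitelisted(msg, "*@spamassassin.apache.org", "apache.org"))
    return out

if __name__ == "__main__":
    for name, (by_list_id, by_relay) in verdicts().items():
        print(f"{name}: List-Id bypass={by_list_id}, relay-based whitelist={by_relay}")
```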
Error Message -- uninitialized value
I just upgraded to 3.0.1 and I periodically see this in my logs:

Dec 15 03:05:14 prime spamd[57032]: Use of uninitialized value in numeric lt () at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Plugin/SPF.pm line 204, GEN49 line 333.
Dec 15 03:05:14 prime spamd[57032]: Use of uninitialized value in concatenation (.) or string at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Plugin/SPF.pm line 205, GEN49 line 333.
Dec 15 03:05:14 prime spamd[57032]: Use of uninitialized value in numeric lt () at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Plugin/SPF.pm line 204, GEN49 line 333.
Dec 15 03:05:14 prime spamd[57032]: Use of uninitialized value in concatenation (.) or string at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Plugin/SPF.pm line 205, GEN49 line 333.
D

Any one else get this? -Dan
-- Let me tell you something about regrowing your dead wife Lucy, Harry. It's probably illegal, potentially dangerous, and definitely crazy. -Harry nods- Vincent Spano, as Boris in Creator. Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: consensus on SPF
At 11:55 PM 12/13/2004 -0500, Peter Matulis wrote: Hi, I have heard that SPF is controversial among mail administrators. Why is that? I think mostly because people view it as a general purpose anti-spam tool. With such a perspective, it's easy to poke holes in and declare it useless. Spammers can just register their own domain and publish SPF records... etc... Of course, they are right. But they are attacking the obvious. SPF isn't intended to stop people from sending spam, it's intended to stop forgery, or at least make it more difficult. IMO, it's actually more powerful against viruses than spam, but it does act as a good weapon against joe-jobs, and helps against phishers posing as ebay.com. In the long run, this can also make its impacts on spammers, as sender domain whitelists and blacklists can be made more readily. Imagine a day where you can verify that an email from [EMAIL PROTECTED] passed through hotmail's servers. This is what SPF offers. It's not a tool to bring global spamming to a halt, but it's easy, simple, and makes certain aspects of email more useful. Of course, there's other arguments too.. Redirectors, forwarding services, etc, but these have their solutions. (Hint: SPF at each stage, and when you remail, use a return path that points at your own servers like a mailing list does. Poof, problem solved.) How many people use it (on this mailing list)? At present I publish SPF records, but I don't yet check SPF records on inbound mail. Note: sorry for the late mail, this was in my outbox since this morning.. I forgot to send.. Since then, several in this thread have made the classic anti-spf argument that I mention here.. ie: jdow wrote: The chief thing SPF does is clutter up name server traffic to prove something of little or no use when scoring spam. A true argument, but utterly missing the point, unfortunately.
Exchange 2003 And Spamassassin
Hi We are running an Exchange 5.5 and Exchange 2003 mixed mode environment. Since introducing Exchange 2003 servers we do not get any message headers from the spamassassin relay sent to users on the Exchange 2003 box. I've seen other people experiencing this but my question is if Exchange 2003 is supported by Spamassassin and if so if there is anyone that has found a solution to this. Thanks Jan
Re: consensus on SPF
[Sorry I'm not replying to the original mail, I seem to have missed it] At 12/14/2004 10:01 AM +, someone wrote: Hi, I have heard that SPF is controversial among mail administrators. Why is that? How many people use it (on this mailing list)? My main beef is that SPF breaks forwarding for domains which wrongly assume that no one would want to forward their mail legitimately. Eg. someone from AOL sends mail to one of our hosting clients, whose setup forwards the mail to a 3rd party server. If the 1st (aol) and 3rd party uses SPF, the mail would get flagged/rejected. Essentially if you set up restrictive SPF records for your domain, you're saying that no one is allowed to forward your messages (except the servers you specify). Perhaps that is desirable to some, but IMHO this _breaks_ SMTP. At 12/15/2004 03:13 AM -0500, Matt Kettler wrote: Of course, there's other arguments too.. Redirectors, forwarding services, etc, but these have their solutions. (Hint: SPF at each stage, and when you remail, use a return path that points at your own servers like a mailing list does. Poof, problem solved.) Poof, problem created. What am I supposed to do with a message that gets returned to my remailer address? Keep track of where it came from just in case? For how long? No mail server I know of does this currently, nor is there any formal spec, RFC, etc. that establishes a precedent. I'm not trying to pick an argument, nor will I respond to one on-list. This discussion has been hacked to death on Postfix list and probably many others. More on a personal level, why does the SPF @ pobox.com site look like a corporate advertisement for a product? Why do we need a bunch of clipart images to sell something like a mail protocol if it's really such a good idea? Why do I get the feeling someone wants to make $$$ off this? What happened to the list of issues that people have with SPF that used to be on that site? All that just rubs me the wrong way. 
SPF has already been adopted by AOL, Earthlink and Google. Shouldn't your company be next? Sounds like marketing talk, not geek-speak. Cheers, -Max
Re: sa-stats error
Ronan wrote: I actually never knew about this until i was having a hoke around... anyway can't get it to run.. ./sa-stats.pl -l /var/log/syslog -H -T 5 -u Error in option spec: top|T:25 Error in option spec: SCALAR(0x4c9a68) bash-2.03$ i presume this is to do with the per user count but it even flags when i run bash-2.03$ ./sa-stats.pl -l /var/log/syslog Error in option spec: top|T:25 Error in option spec: SCALAR(0x4c9a38) and even bash-2.03$ ./sa-stats.pl Error in option spec: top|T:25 Error in option spec: SCALAR(0x4c9a20) any hints? thanks. does anyone here use sa-stats.pl? Has the above error been seen by anyone else? ronan -- Regards Ronan McGlue == Analyst/Programmer Information Services Queens University Belfast BT7 1NN
Re: blank subject and contents
We're getting hit with a lot of emails with blank subject lines and blank contents. Could be some kind of address verification robot. Is SA supposed to filter these? If not, does anyone have some custom rules that would do it? My theory is this is the result of some newbie spammer that doesn't know how to drive the spam tool and screwed up the configuration. SA doesn't have a blank message rule, but SARE does. Don't recall which ruleset it is in, but someone (maybe Bob) posted the rule last week. Loren
Re: consensus on SPF
From: Matt Kettler [EMAIL PROTECTED] At 11:55 PM 12/13/2004 -0500, Peter Matulis wrote: ie: jdow wrote: The chief thing SPF does is clutter up name server traffic to prove something of little or no use when scoring spam. A true argument, but utterly missing the point, unfortunately. I'm not advocating getting rid of it now. I am advocating using it with full knowledge of what happens when it doesn't do what it should for idiot anti-spam reasons. The law of unintended consequences stomps you on the foot too often. This is a heavy triphammer. {^_^}
Re: Exchange 2003 And Spamassassin
Jan Exchange is stripping the headers off. No doubt there's a setting buried somewhere where you can tell it not to, but I have seen this problem before in Ex-2000 (for passing emails to a folder for sa-learn to pick up). Never found a solution, but then I'm not an exchange admin/user so..probably something to do with group policies.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Jan Englund wrote: Hi We are running an Exchange 5.5 and Exchange 2003 mixed mode environment. Since introducing Exchange 2003 servers we do not get any message headers from the spamassassin relay sent to users on the Exchange 2003 box. I've seen other people experiencing this but my question is if Exchange 2003 is supported by Spamassassin and if so if there is anyone that has found a solution to this. Thanks Jan ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: sa-stats error
D.W.T.Baines wrote: Hello Ronan, We use sa-stats.pl here but I haven't seen that error even when running it with exactly the same args as shown below. I wonder if the problem could be related to the version of perl or of Getopt::Long you are using. We are using perl 5.8, not sure off hand what the version of Getopt::Long is. well thanks anyway - I'm pretty sure it's the latest version from cpan... I'm just looking for new ways to get stats on our spam scores, preferably with pretty graphs so i can show my bosses etc... do you mind if I ask what sort of stats you are using, obviously including sa-stats.pl... maybe there's a package out there I've overlooked ronan Regards, David - David Baines Mail and Server Support Team Academic and Administrative Computing Services The Open University, Walton Hall, Milton Keynes MK7 6AA, UK -Original Message- From: Ronan [mailto:[EMAIL PROTECTED] Sent: 15 December 2004 08:53 Cc: spam Subject: Re: sa-stats error Ronan wrote: I actually never knew about this until i was having a hoke around... anyway can't get it to run.. ./sa-stats.pl -l /var/log/syslog -H -T 5 -u Error in option spec: top|T:25 Error in option spec: SCALAR(0x4c9a68) bash-2.03$ i presume this is to do with the per user count but it even flags when i run bash-2.03$ ./sa-stats.pl -l /var/log/syslog Error in option spec: top|T:25 Error in option spec: SCALAR(0x4c9a38) and even bash-2.03$ ./sa-stats.pl Error in option spec: top|T:25 Error in option spec: SCALAR(0x4c9a20) any hints? thanks. does anyone here use sa-stats.pl? Has the above error been seen by anyone else? ronan -- Regards Ronan McGlue == Analyst/Programmer Information Services Queens University Belfast BT7 1NN
A change in tact
Hi I am using Spamassassin with URI, Razor and DCC checks to catch spams. After implementing URI checks my life had become easier. But ever since the SURBLs and URI checks became popular means of trapping spams the spammers have devised a new way to send their mails in. Recently some of the spams had started slipping in through my setup and as every spam that appeared in my boss's inbox my pant was on fire. I found that earlier the urls in these spam mails were pointed to the ad servers or the spammer's website to request images or links. But in these mails that slipped in the links were of geocities.com or tripod or other free webhosting service providers. Earlier I thought that these links might be forged and actually might be pointing to some other spammers website, but these links actually point to geocities and on visiting the link you get HTML redirection to the spammers site. A sample of such spam is as follows If you can make a woman laugh you can do anything with her. http://www.geocities.com/brenda_paul_100/ So the question is how do we tackle this scenario. Either we blacklist free hosting sites like geocities.com in SURBL and get false positives, or we make a humble request to these free webhosting companies to stop new registrations and crack down on the ids and hope that the webhosting company will really do this or we find out an intermediate way, which i was trying to think of but couldn't make my grey cells work on it. So I am making my last resort. Asking the experts to help me out. So how do we tackle this ? regards Rakesh
Re: A change in tact
On Wednesday, December 15, 2004, 2:37:57 AM, Rakesh Rakesh wrote: So the question is how do we tackle this scenario. Either we blacklist free hosting sites like geocities.com in SURBL and get false positives, or we make a humble request to these free webhosting companies to stop new registrations and crack down on the ids and hope that the webhosting company will really do this or we find out an intermediate way, which i was trying to think of but couldn't make my grey cells work on it. So I am making my last resort. Asking the experts to help me out. So how do we tackle this ? Please report the abuse to the hosting providers. It's their job to police their service. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
spamd vs spamass-milter
currently i'm using procmailrc to start spamd since i have a couple users who don't want their mails checked by SA, now i'm looking into spamass-milter. Is there an option within the milter api to exclude certain users from SA or is there another workaround to do so ? many thanks matt
Bypassing spam checking when using Postfix
I use Suse Openexchange as our mail server and I have amavis installed for virus scanning and spamassassin. I have a problem where when people send mail using SMTP Auth spamassassin penalises them because they are sending from a dynamic IP address etc... Currently I am having to whitelist their addresses which also allows some spam through. How do other people get around this problem? I can't see a way of getting Postfix to add a custom header for email received via SMTP Auth. If I could do this then I could write a custom spamassassin rule to whitelist these emails. I am currently looking into having TLS configured in Postfix listening on a different port which sends the mail to a second copy of amavis which when it finishes sends it back to postfix without going via spamassassin. This just seems a bit over complicated.
RE: A change in tact
So the question is how do we tackle this scenario. Either we blacklist free hosting sites like geocities.com in SURBL and get false positives, or ...So how do we tackle this ? My experience with Geocities is that: (1) It often takes them one or two full business days to get a kiddie pron site taken down. These were sites where you instantly know you were looking at 3-12 year olds nudes at first glance at the home page. Egregious cases like this should be taken down in hours or minutes, not days. Maybe they need a special emergency address for reporting this stuff? (2) New sites pop up as quickly as the old sites are taken down. I simply don't have time to keep up. Geocities need to do a better job. (3) At least 50% of the e-mails with the term geocities that run through my server is one of these spams (but not all are pron) Having said all of this... Here are some conclusions: (A) We CANNOT list these free sites in SURBL because SURBL **MUST** always be set it and forget it. The minute that this kind of stuff gets listed in SURBL, I'm forced to much more carefully audit a mountain of SURBL-blocked e-mail which I don't have time to audit! (B) Someone gave me some contact info off line that I will pursue to get this to the attention of someone higher up both with Geocities and with law enforcement. Final thought: If these additional avenues don't produce results within a few weeks, I am going to send ALL of my clients an e-mail explaining the situation to them and telling them: Geocities cannot seem to police their kiddie pron spamming to a reasonable extent and, therefore, any mail going through my server which mentions the word Geocities will now be quarantined for review and will be released if legitimate within 24 hours. Therefore expect delays for any e-mail that mentions Geocities (I'll include the stats in this e-mail to back me up.) Rob McEwen
Re: Watches and pain relief
Hi On Mon, Dec 13, 2004 at 04:43:28PM -0800, jdow wrote: I've seen another variant about by Matthew Newton that makes a bunch of rules for both subject and body separately. I generally don't do this as the body rules will match the subject line, so there's really no need, other than as a score amplifier. I usually only make subject rules when a body rule isn't appropriate. He's also done separate regular and gappy-text rules, but doesn't pick up on character-sub obfuscations.. It is a decent set however.. One good rule I've seen that Matthew Newton wrote is this one:

rawbody UOLCC_WATCH_BODY /^(Do you )?[Ww]ant (a )?(cheap )?([Ww]ristw|[Ww])atch\?\s*$/m
describe UOLCC_WATCH_BODY Body asks if you want a watch
score UOLCC_WATCH_BODY 1.5

Very targeted, but effective with low risk of FPs. Here is the full set of his stuff I am running. So far it has hit no ham. I've recently updated some of these to try and match a few that were slipping through. The UOLCC_WATCH_BODY has now been modified to accept rolex in the place of cheap, as one like that arrived the other day. The UOLCC_HTM_HTML_URL one is slightly less picky about which characters can appear in the proverb line and the name line, just looking for more than 8 words and less than 15 words. I figured out that it's more the repeated URLs that will be unique to the spam, rather than the formatting of the two text lines. Oh, and the URL can now contain 0-9 and -, too. Didn't realise that the body test checks the subject, too, but I don't suppose it can hurt with both tests. Current set below.
Matthew

header UOLCC_ROLEX_SUB1 Subject =~ /\brolex\b/i
describe UOLCC_ROLEX_SUB1 Subject contains the word 'rolex'
score UOLCC_ROLEX_SUB1 0.5

header UOLCC_ROLEX_SUB2 Subject =~ /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe UOLCC_ROLEX_SUB2 Subject contains a gappy version of 'rolex'
score UOLCC_ROLEX_SUB2 1.5

body UOLCC_ROLEX_BODY1 /\brolex\b/i
describe UOLCC_ROLEX_BODY1 Body contains the word 'rolex'
score UOLCC_ROLEX_BODY1 0.5

body UOLCC_ROLEX_BODY2 /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe UOLCC_ROLEX_BODY2 Body contains a gappy version of 'rolex'
score UOLCC_ROLEX_BODY2 1.5

rawbody UOLCC_WATCH_BODY /^(Do\syou\s)?[Ww]ant\s(a\s)?(rolex\s|cheap\s)?[Ww](ristw)?atch\?\s*$/m
describe UOLCC_WATCH_BODY Body asks if you want a watch
score UOLCC_WATCH_BODY 2

full UOLCC_HTM_HTML_URL /\n(http:\/\/[a-z0-9-]+\.[a-z]{3,4}\/[0-9a-f]{5,35}\/[[:alnum:]]{5,20}=?\.htm)\s*\n\s*\n\s*([^\s]+)(\s+[^\s]+){6,}\n\s*\n[^\s,.]+(\s[^\s,.]+){0,15}\n\s*\n\1l/s
describe UOLCC_HTM_HTML_URL Matches pattern of spam mail (.htm .html)
score UOLCC_HTM_HTML_URL 3.5

full UOLCC_BBONE /\n[bB1 ]{8,20}\n[bB1 ]{8,20}\n/s
describe UOLCC_BBONE Contains two code lines with b, B and 1
score UOLCC_BBONE 2

body UOLCC_CAPWORD_TEST /([A-Z][a-z]{3,}\s{1,2}){15,}/s
describe UOLCC_CAPWORD_TEST String of words that all begin with caps letter
score UOLCC_CAPWORD_TEST 1.2

-- Matthew Newton [EMAIL PROTECTED] UNIX Systems Administrator, Network Support Section, Computer Centre, University of Leicester, Leicester LE1 7RH, United Kingdom
Re: spamd vs spamass-milter
[EMAIL PROTECTED] wrote: currently i'm using procmailrc to start spamd since i have a couple users who don't want their mails checked by SA, now i'm looking into spamass-milter. Is there an option within the milter api to exclude certain users from SA or is there another workaround to do so ? many thanks matt Matt, I'm not all that familiar with spamass-milter, however I can say that you can do what you want to do with MIMEDefang (another milter) alan
Re: A change in tact
Rob McEwen wrote: Final thought: If these additional avenues don't produce results within a few weeks, I am going to send ALL of my clients an e-mail explaining the situation to them and telling them: Geocities cannot seem to police their kiddie pron spamming to a reasonable extent and, therefore, any mail going through my server which mentions the word Geocities will now be quarantined for review and will be released if legitimate within 24 hours. Therefore expect delays for any e-mail that mentions Geocities (I'll include the stats in this e-mail to back me up.) Well even i think that has to be the final resort, but one thing wanted to know. How much of similar kind of mails are you guys receiving ? Is it just the beginning or are we already in the middle of it. Rakesh
Attachment size rule?
Does anyone know how I could write a rule based on an attachment size? I'm getting a lot of spams with this specific file attached. It's always named differently, but the size is exactly the same each time. --pat-- -- Pat Traynor [EMAIL PROTECTED]
Re: Exchange 2003 And Spamassassin
I use SA as a border gateway to Exchange 5.5, 2000, and 2003 servers in a dozen or so locations. I have no problem with headers or any other aspect of spamassassin. Exchange does not strip headers, however Outlook and Outlook Express do! But... Are you using your 5.5 server as an SMTP bridgehead to your Exchange 2003 infrastructure? If so, there lies your problem. In many cases (depending on configuration), the entire SMTP envelope will end up being replaced with an X.400 address to accommodate internal site routing. This is a total rewrite of the header and could be the cause of your problem. If you are using Exchange 5.5 as a gateway to an Exchange 2003 mail system, then the problem will go away once you finish your upgrade. Also (just a semantics thing) Spamassassin is simply a tool to score email. Your linux/unix MTA, likely using sendmail or postfix, is a managed relay host consistent with all RFC's. It is not up to Spamassassin to support Exchange or any other product except for Perl perhaps. Microsoft, on the other hand, has a ways to go on correctly adhering to RFC's. So the question should be, does Exchange work properly with Spamassassin? Am I nit-picky or what??? RO Jan Englund wrote: Hi We are running an Exchange 5.5 and Exchange 2003 mixed mode environment. Since introducing Exchange 2003 servers we do not get any message headers from the spamassassin relay sent to users on the Exchange 2003 box. I've seen other people experiencing this but my question is if Exchange 2003 is supported by Spamassassin and if so if there is anyone that has found a solution to this. Thanks Jan
RE: Exchange 2003 And Spamassassin
I am running Exchange 2003 with a FreeBSD box running SA as the front end relay and I am getting all my headers. If I right click on the message on outlook and click Options it has all the scores and everything in there. It also worked fine with Exchange 2k. I didn't do anything special to get it to work, it just has. I have about a dozen rules in Outlook that move messages based on the scores in the headers as well. If the email is coming into the Exchange 5.5 box and then getting sent to the Exchange 2k3 box from the 5.5 box, I would guess the 5.5 box is stripping the headers when it moves it to the other server. I'm not sure if you can tell the connectors to not munge the headers or not but I would guess that's where the problem lies. --Mike From: Martin Hepworth [mailto:[EMAIL PROTECTED] Sent: Wed 12/15/2004 3:20 AM To: Jan Englund Cc: users@spamassassin.apache.org Subject: Re: Exchange 2003 And Spamassassin Jan Exchange is stripping the headers off. No doubt there's a setting buried somewhere where you can tell it not to, but I have seen this problem before in Ex-2000 (for passing emails to a folder for sa-learn to pick up). Never found a solution, but then I'm not an exchange admin/user so..probably something to do with group policies.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Jan Englund wrote: Hi We are running an Exchange 5.5 and Exchange 2003 mixed mode environment. Since introducing Exchange 2003 servers we do not get any message headers from the spamassassin relay sent to users on the Exchange 2003 box. I've seen other people experiencing this but my question is if Exchange 2003 is supported by Spamassassin and if so if there is anyone that has found a solution to this. Thanks Jan
RE: A change in tact
-Original Message- From: Rakesh [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 15, 2004 5:38 AM To: users@spamassassin.apache.org Subject: A change in tact Hi I am using Spamassassin with URI, Razor and DCC checks to catch spams. After implementing URI checks my life had become easier. But ever since the SURBLs and URI checks became popular means of trapping spams the spammers have devised a new way to send their mails in. Recently some of the spams had started slipping in through my setup and as every spam that appeared in my boss's inbox my pant was on fire. I found that earlier the urls in these spam mails were pointed to the ad servers or the spammer's website to request images or links. But in these mails that slipped in the links were of geocities.com or tripod or other free webhosting service providers. Earlier I thought that these links might be forged and actually might be pointing to some other spammer's website, but these links actually point to geocities and on visiting the link you get HTML redirection to the spammer's site. A sample of such spam is as follows If you can make a woman laugh you can do anything with her. http://www.geocities.com/brenda_paul_100/ So the question is how do we tackle this scenario. Either we blacklist free hosting sites like geocities.com in SURBL and get false positives, or we make a humble request to these free webhosting companies to stop new registrations and crack down on the ids and hope that the webhosting company will really do this or we find out an intermediate way, which I was trying to think of but couldn't make my grey cells work on it. So I am making my last resort. Asking the experts to help me out. So how do we tackle this? This has been discussed. The simple answer is, a proxy lookup to SURBL. So squid checking SURBL listings for a URL before going to it. This way on the redirect would die to a page saying "Blocked for spamming". Geocities takes forever. I've been given a small corpus of this kind of spam.
I'm trudging through it slowly. But I think I might be able to come up with a SA rule for it. Not sure yet. Geocities could have a script to look for redirect code. IF it is against their AUP to use this tactic...then they should clean the dog poop from their own backyard ;) --Chris
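The idea in the reply above, looking for redirect code on a free-hosting page and checking where it leads, can be sketched as follows. This is an added example, not code from the thread: the page content, the host names (`freehost.example`, `spammer.example`) and the function names are constructed, and the hosts it returns are the ones a proxy or scanner would then look up in a URI blocklist such as SURBL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a throwaway page whose only job is to redirect.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="Refresh" content="0; URL=http://pills.spammer.example/buy?id=7">
</head><body>
<script>window.location.href = "http://www.spammer.example/landing";</script>
<a href="/guestbook.html">guestbook</a>
</body></html>"""

# "<seconds>; url=<target>" as found in a meta refresh content attribute.
_META_URL = re.compile(r"^\s*\d+\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)", re.I)
# location = "...", location.href = "...", location.replace("...") and similar.
_JS_LOCATION = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""", re.I)


class RedirectFinder(HTMLParser):
    """Collects absolute URLs that the page sends the browser to automatically."""

    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base_url = base_url
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("http-equiv", "").lower() == "refresh":
            m = _META_URL.match(attr.get("content", ""))
            if m:
                self._add(m.group(1).strip())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in _JS_LOCATION.finditer(data):
                self._add(m.group(1) or m.group(2))

    def _add(self, url):
        # Relative targets are resolved against the page so they compare correctly.
        self.targets.append(urljoin(self.base_url, url))


def external_redirect_hosts(page_url, html):
    """Hosts other than the page's own that it redirects to (blocklist candidates)."""
    finder = RedirectFinder(page_url)
    finder.feed(html)
    finder.close()
    origin = (urlsplit(page_url).hostname or "").lower()
    hosts = []
    for target in finder.targets:
        host = (urlsplit(target).hostname or "").lower()
        if host and host != origin and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    print(external_redirect_hosts("http://freehost.example/user123/", SAMPLE_PAGE))
```

Ordinary links are ignored on purpose; only targets the browser follows without a click are reported, and a same-site refresh yields nothing.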
Re: [sa-list] A change in tact
On Wed, 15 Dec 2004, Rakesh wrote: I think for the four or five large free website providers, a hook could be added to spamassassin -r that reports them specifically (although spamcop already does this, they'll only be advised of the actual site if you're using a full-blown spamcop account, not the anon thing). -Dan Hi I am using Spamassassin with URI, Razor and DCC checks to catch spams. After implementing URI checks my life had become easier. But ever since the SURBLs and URI checks became popular means of trapping spams the spammers have devised a new way to send their mails in. Recently some of the spams had started slipping in through my setup and as every spam that appeared in my boss's inbox my pant was on fire. I found that earlier the urls in these spam mails were pointed to the ad servers or the spammer's website to request images or links. But in these mails that slipped in the links were of geocities.com or tripod or other free webhosting service providers. Earlier I thought that these links might be forged and actually might be pointing to some other spammer's website, but these links actually point to geocities and on visiting the link you get HTML redirection to the spammer's site. A sample of such spam is as follows If you can make a woman laugh you can do anything with her. http://www.geocities.com/brenda_paul_100/ So the question is how do we tackle this scenario. Either we blacklist free hosting sites like geocities.com in SURBL and get false positives, or we make a humble request to these free webhosting companies to stop new registrations and crack down on the ids and hope that the webhosting company will really do this or we find out an intermediate way, which I was trying to think of but couldn't make my grey cells work on it. So I am making my last resort. Asking the experts to help me out. So how do we tackle this? regards Rakesh -- If you aren't going to try something, then we might as well just be friends. We can't have that now, can we?
-SK Dan Mahoney, December 9, 1998 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: Attachment size rule?
At 09:33 AM 12/15/2004, Pat Traynor wrote: Does anyone know how I could write a rule based on an attachment size? I'm getting a lot of spams with this specific file attached. It's always named differently, the size is exactly the same each time. Not easily. You could probably write a plugin to do it, but most of the SA code tries fairly hard to remove attachments from the message before feeding it to the rules. This might be a better job for mimedefang, mailscanner, or similar. Razor might also be effective, as e4 does treat each mime part as a separate element, and can identify the recurring attachment as spam. Since SA supports Razor already, this would be pretty easy to add...
Re: consensus on SPF
At 03:24 AM 12/15/2004, Max Paperno wrote: At 12/15/2004 03:13 AM -0500, Matt Kettler wrote: Of course, there's other arguments too.. Redirectors, forwarding services, etc, but these have their solutions. (Hint: SPF at each stage, and when you remail, use a return path that points at your own servers like a mailing list does. Poof, problem solved.) Poof, problem created. What am I supposed to do with a message that gets returned to my remailer address? Keep track of where it came from just in case? For how long? No mail server I know of does this currently, nor is there any formal spec, RFC, etc. that establishes a precedent. I'm not trying to pick an argument, nor will I respond to one on-list. This discussion has been hacked to death on Postfix list and probably many others. No need for storage, just use a return path that encodes the original sender in the user name. Lots of legitimate newsletters use this technique so they can unsubscribe bounces. Heck, even THIS LIST does it for the recipient address: Return-Path: [EMAIL PROTECTED] It would be straightforward to use the same trick to encode the actual return path based on the original sender. Yes, this does mean implementing it, but no it doesn't create the storage system you suggest, and there's plenty of precedent for this kind of encoding technique.
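The technique in the reply above, carrying the original sender inside the user name of the remailer's return path so that no lookup table is needed, shown as an added example that is not part of the thread. The domain `forwarder.example`, the `fwd+...` address layout and the key are assumptions; the HMAC tag and day stamp go beyond what the post describes and are there so the remailer only forwards bounces for addresses it issued itself.

```python
import hashlib
import hmac
import re

# Assumptions for this example (none of these come from the thread):
FORWARDER_DOMAIN = "forwarder.example"  # hypothetical remailing host
SECRET = b"constructed-demo-key"        # per-site secret, constructed here
MAX_AGE_DAYS = 14                       # how long a rewritten address is honoured
TAG_LEN = 8                             # hex characters of the HMAC kept

# fwd+<tag>+<day>+<original domain>+<original local part>@forwarder.example
_REWRITTEN = re.compile(
    r"^fwd\+(?P<tag>[0-9a-f]{%d})\+(?P<day>[0-9]+)\+(?P<domain>[^+@]+)\+(?P<local>.+)@%s$"
    % (TAG_LEN, re.escape(FORWARDER_DOMAIN)),
    re.IGNORECASE,
)


def _tag(day, domain, local):
    # Lower-cased before hashing so a bounce that had its case folded in
    # transit still verifies.
    msg = f"{day}+{domain}+{local}".lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def rewrite_return_path(original_sender, today):
    """Envelope sender to use when remailing; `today` is days since the epoch."""
    if original_sender == "":
        return ""  # the null return path of a bounce must stay null
    local, sep, domain = original_sender.rpartition("@")
    if not sep or not local or not domain or "+" in domain:
        raise ValueError(f"not a usable envelope sender: {original_sender!r}")
    return f"fwd+{_tag(today, domain, local)}+{today}+{domain}+{local}@{FORWARDER_DOMAIN}"


def recover_original_sender(bounce_rcpt, today):
    """Original sender for a returned message, or None if it must be refused."""
    m = _REWRITTEN.match(bounce_rcpt)
    if not m:
        return None  # not an address this remailer hands out
    day = int(m["day"])
    if not 0 <= today - day <= MAX_AGE_DAYS:
        return None  # expired or future-dated
    expected = _tag(day, m["domain"], m["local"])
    if not hmac.compare_digest(expected, m["tag"].lower()):
        return None  # forged or altered
    return f"{m['local']}@{m['domain']}"


if __name__ == "__main__":
    day = 12767  # constructed day number
    rewritten = rewrite_return_path("alice+lists@sender.example", day)
    print(rewritten)
    print(recover_original_sender(rewritten, day + 3))
```

Everything needed to route the bounce is in the address itself, which answers the "for how long?" objection: validity is bounded by `MAX_AGE_DAYS` rather than by stored state.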
Re: consensus on SPF
At 04:05 AM 12/15/2004, jdow wrote: From: Matt Kettler [EMAIL PROTECTED] At 11:55 PM 12/13/2004 -0500, Peter Matulis wrote: ie: jdow wrote: The chief thing SPF does is clutter up name server traffic to prove something of little or no use when scoring spam. A true argument, but utterly missing the point, unfortunately. I'm not advocating getting rid of it now. I am advocating using it with full knowledge of what happens when it doesn't do what it should for idiot anti-spam reasons. The law of unintended consequences stomps you on the foot too often. This is a heavy triphammer. That's a good point. You definitely should proceed with caution. But that doesn't
Custom rules in SA 3.x
I now use SA 2.64 with lots of custom rules, most of them from SARE. I've read in a post here (can't find the posting) that in SA 3.x some of the custom rules are included. Which rules are included and which should I continue using in SA 3.x? //kim
Re: Attachment size rule?
On Wed, Dec 15, 2004 at 11:40:43AM -0500, Matt Kettler wrote: Not easily. You could probably write a plugin to do it, but most of the SA code tries fairly hard to remove attachments from the message before feeding it to the rules. A plugin could do it rather trivially. There's no way using the normal rules to do it, even if attachments were included for the non-full rules. -- Randomly Generated Tagline: All cast members of the 7th Guest stayed at the luxurious Bates Motel where 'Showering is Always an Adventure'. - From the 7th Guest
Re: Attachment size rule?
Pat Traynor wrote: Does anyone know how I could write a rule based on an attachment size? I'm getting a lot of spams with this specific file attached. It's always named differently, the size is exactly the same each time. --pat-- What kind of contents are there in the attachment? Are they mails related to Kazakhstan and other countries' economy? Rakesh
Re: consensus on SPF
On Tue, 14 Dec 2004, jdow wrote: Why not configure your MTA to relay mail ONLY on encrypted authenticated sessions, and deliver locally (after some anti-spam checks) on plain sessions, all this done at port 25? Setup an alternative mailer port for your machine on a different port number? Actually, port 25 is NOT supposed to be used for an end-user client to submit mail to a server. Port 587 was designated the submission port some time ago, and should be used for all end-user to SMTP server connections. This is WHY port 25 is being blocked or redirected. Deploy SPF, use the submission port to talk to your own mail server, problem solved. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Exit0.us wiki is officially back online.
Yes, after much struggle, the wiki is back on line. First and foremost, I'd like to thank Matt and infotex.com for hosting the site. Chris Santerre also has my thanks for acting as a go-between to get me in touch with Matt. They really stepped up to the plate as far as I'm concerned. They have my eternal thanks. Second, if you are/were involved with the wiki in any way, please check it out. Most (95%), but not all, of the pages transferred properly. Any grey links are pages that need to be rebuilt, I will be trying to get them in the meantime. Also, this is from an older version, so some links and data may be old/incorrect. Keep in mind that it is a wiki, you can email me with corrections if you want, but it'd probably be faster to make the changes yourself. Be responsible and play nice. Happy spam hunting.
Re: [sa-list] Re: Error Message -- uninitialized value
On Wed, Dec 15, 2004 at 12:48:19PM -0500, Dan Mahoney, System Admin wrote: prime# perl -MCPAN -e shell prime# grep VERSION /usr/local/lib/perl5/site_perl/5.6.1/Mail/SPF/Query.pm $VERSION = 1.997; So I'm a little baffled. Perhaps you have multiple versions installed that SA is finding? I was just guessing based on the code. -- Randomly Generated Tagline: The quickest way to double your money is to fold it in half and put it back in your pocket. - Zen Musings
bayes_seen file size becoming large : 160 MB
Hi, The file size of the bayes database on a server is becoming large : bayes_seen is 160 MB and bayes_toks is 8 MB. This mail server processes around 3 mails a day, as a relay. I did not configure any bayes_expiry_max_db_size, so it should be set to default (15), and the only bayes-related configuration directives in my local.cf are :

  bayes_auto_learn 1
  bayes_auto_learn_threshold_nonspam 0.1
  bayes_auto_learn_threshold_spam 12.0

Is it normal to have such large file sizes ? The fine manual says that with such settings, the file size should stay around 8 MB, but do these 8 MB represent the normal size of the bayes_toks file, or the normal size of the bayes_seen one ?

Today, spamd stopped working with the following error :

  Dec 15 04:25:15 server spamc[18803]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused

I did not understand why it died. Manually restarting spamd solved the problem but I think it could happen again, and it might be related to some lack of resources due to the bayes file size ?

Some more info :

  su spam -s /bin/sh -c "sa-learn --dump magic -D"
  (...)
  debug: bayes: 6765 tie-ing to DB file R/O /home/spam/.spamassassin/bayes_toks
  debug: bayes: 6765 tie-ing to DB file R/O /home/spam/.spamassassin/bayes_seen
  debug: bayes: found bayes db version 3
  debug: Score set 2 chosen.
  0.000 0 3 0 non-token data: bayes db version
  0.000 0 405891 0 non-token data: nspam
  0.000 0 948334 0 non-token data: nham
  0.000 0 287829 0 non-token data: ntokens
  0.000 0 1103037764 0 non-token data: oldest atime
  0.000 0 1103107296 0 non-token data: newest atime
  0.000 0 1103107219 0 non-token data: last journal sync atime
  0.000 0 1103105595 0 non-token data: last expiry atime
  0.000 0 43200 0 non-token data: last expire atime delta
  0.000 0 161098 0 non-token data: last expire reduction count
  debug: bayes: 6765 untie-ing
  debug: bayes: 6765 untie-ing db_toks
  debug: bayes: 6765 untie-ing db_seen

I am using postfix 1.1.12, SA 3.0.1, MIME-Base64-3.05, DB_File-1.809, and db4-4.0.14-20 (RedHat 9) on a postfix+SA relay. The bayes database is common to all users, and located on the spam user's home directory. SA is invoked with

  spamd -d -c -u spam

and

  /usr/bin/spamc -t 180 -s 50 -e /usr/sbin/sendmail -i -f ${sender} -- ${recipient}

Many thanks to whoever has any clue on how I could shrink the bayes files without losing them, if they need to (--force-expire does not reduce their sizes). I would particularly be interested in the right bayes_expiry_max_db_size setting I should use for a server handling around 3 mails daily.
Re: [sa-list] Re: [sa-list] Re: Error Message -- uninitialized value
On Wed, 15 Dec 2004, Theo Van Dinter wrote: On Wed, Dec 15, 2004 at 12:48:19PM -0500, Dan Mahoney, System Admin wrote: prime# perl -MCPAN -e shell prime# grep VERSION /usr/local/lib/perl5/site_perl/5.6.1/Mail/SPF/Query.pm $VERSION = 1.997; So I'm a little baffled. Perhaps you have multiple versions installed that SA is finding? I was just guessing based on the code. Nope, that was why I pasted in my locate. That's pretty definitely the only version installed. -Dan -- Pika Pika Pika! -Pikachu, of Pokemon fame. Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: SA 3.01
On Wed, 15 Dec 2004 18:12:06 +, Gavin Pearce [EMAIL PROTECTED] wrote: We have presently upgraded the server that we run SA on Dual Opteron 2.2Ghz 2GB DDR Memory SCSI U320 Raid5 Array Running Freebsd 5.3 Qmail SpamAssassin 3.01 - Standard conf And we have had nothing but problems with it, it just chews up all its memory, till it runs out and I have to reboot to correct it. Anyone any thoughts. I've got a FreeBSD 5.3 box running SA out of the ports (along with Sendmail, MIMEDefang and ClamAV) and haven't seen any memory usage problems. The box only has 512 MB of RAM, so I'd expect to hit them sooner :) You're sure that it's SA that's the problem? What are you using to track memory usage? -- Please keep list traffic on the list. Rob MacGregor Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
bayes_seen file size becoming large : 160 MB
Hi, The file size of the bayes database on a server is becoming really large : bayes_seen is 160 MB and bayes_toks is 8 MB. This mail server processes around 3 mails a day, as a relay. I did not configure any bayes_expiry_max_db_size, so it should be set to default (15), and the only configuration directives in my local.cf are :

  bayes_auto_learn 1
  bayes_auto_learn_threshold_nonspam 0.1
  bayes_auto_learn_threshold_spam 12.0

I do not understand how these bayes files can be so large, the fine manual says that with such settings, the file size should stay around 8MB. Or do these 8 MB represent the normal size of the bayes_toks file, not the bayes_seen one ?

Some more info :

  su spam -s /bin/sh -c "sa-learn --dump magic -D"
  (...)
  debug: bayes: 6765 tie-ing to DB file R/O /home/spam/.spamassassin/bayes_toks
  debug: bayes: 6765 tie-ing to DB file R/O /home/spam/.spamassassin/bayes_seen
  debug: bayes: found bayes db version 3
  debug: Score set 2 chosen.
  0.000 0 3 0 non-token data: bayes db version
  0.000 0 405891 0 non-token data: nspam
  0.000 0 948334 0 non-token data: nham
  0.000 0 287829 0 non-token data: ntokens
  0.000 0 1103037764 0 non-token data: oldest atime
  0.000 0 1103107296 0 non-token data: newest atime
  0.000 0 1103107219 0 non-token data: last journal sync atime
  0.000 0 1103105595 0 non-token data: last expiry atime
  0.000 0 43200 0 non-token data: last expire atime delta
  0.000 0 161098 0 non-token data: last expire reduction count
  debug: bayes: 6765 untie-ing
  debug: bayes: 6765 untie-ing db_toks
  debug: bayes: 6765 untie-ing db_seen

Today, spamd stopped working with the following error :

  Dec 15 04:25:15 server spamc[18803]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused

I did not understand why it died. Manually restarting spamd solved the problem but I think it could happen again, and it might be related to some lack of resources due to the bayes file size ?

I am using postfix 1.1.12, SA 3.0.1, MIME-Base64-3.05, DB_File-1.809, and db4-4.0.14-20 (RedHat 9) on a postfix+SA relay. The bayes database is common to all users, and located on the spam user's home directory. SA is invoked with

  spamd -d -c -u spam

and

  /usr/bin/spamc -t 180 -s 50 -e /usr/sbin/sendmail -i -f ${sender} -- ${recipient}

Many thanks to whoever has any clue on how I could shrink the bayes files without losing them. I would particularly be interested on the right bayes_expiry_max_db_size setting I should configure for a server handling around 3 mails daily.
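For reading the `sa-learn --dump magic` output in the two posts above, here is an added example (not from the thread, and not SpamAssassin's own code) that parses the magic rows and relates the counters to the two file sizes the poster reports. It relies on bayes_seen holding one record per learned message and bayes_toks one per token; the function names are made up for this example.

```python
import re

# The dump quoted in the post above, embedded so the example runs offline.
# Debug lines are kept because -D interleaves them with the data rows.
SAMPLE_DUMP = """\
debug: bayes: found bayes db version 3
debug: Score set 2 chosen.
0.000          0          3          0  non-token data: bayes db version
0.000          0     405891          0  non-token data: nspam
0.000          0     948334          0  non-token data: nham
0.000          0     287829          0  non-token data: ntokens
0.000          0 1103037764          0  non-token data: oldest atime
0.000          0 1103107296          0  non-token data: newest atime
0.000          0 1103107219          0  non-token data: last journal sync atime
0.000          0 1103105595          0  non-token data: last expiry atime
0.000          0      43200          0  non-token data: last expire atime delta
0.000          0     161098          0  non-token data: last expire reduction count
debug: bayes: 6765 untie-ing
"""

# Magic rows carry their value in the third column; the label follows
# "non-token data:".
_MAGIC_ROW = re.compile(
    r"^\s*\d+\.\d+\s+\d+\s+(?P<value>\d+)\s+\d+\s+non-token data:\s+(?P<label>.+?)\s*$"
)


def parse_dump_magic(text):
    """Return {label: int} for every magic row, skipping debug and token lines."""
    magic = {}
    for line in text.splitlines():
        m = _MAGIC_ROW.match(line)
        if m:
            magic[m.group("label")] = int(m.group("value"))
    return magic


def summarize(magic, seen_bytes=None, toks_bytes=None):
    """Relate the counters to the on-disk sizes of bayes_seen and bayes_toks."""
    needed = ("nspam", "nham", "ntokens", "oldest atime", "newest atime")
    missing = [k for k in needed if k not in magic]
    if missing:
        raise ValueError("dump is missing: " + ", ".join(missing))
    learned = magic["nspam"] + magic["nham"]
    window = magic["newest atime"] - magic["oldest atime"]
    report = {
        "learned_messages": learned,
        "tokens": magic["ntokens"],
        "token_window_hours": round(window / 3600, 1),
    }
    if seen_bytes is not None and learned:
        report["seen_bytes_per_learned_message"] = round(seen_bytes / learned)
    if toks_bytes is not None and magic["ntokens"]:
        report["toks_bytes_per_token"] = round(toks_bytes / magic["ntokens"])
    return report


if __name__ == "__main__":
    MB = 1024 * 1024
    result = summarize(parse_dump_magic(SAMPLE_DUMP), 160 * MB, 8 * MB)
    for key, value in result.items():
        print(f"{key:32} {value}")
```

With the posted sizes, the 160 MB file works out to roughly 124 bytes for each of the 1,354,225 learned messages, while the 8 MB file is about 29 bytes per token, so the two files scale with different counters.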
RE: Custom rules in SA 3.x
-Original Message- From: Kim Leandersson [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 15, 2004 11:36 AM To: users@spamassassin.apache.org Subject: Custom rules in SA 3.x I now use SA 2.64 with lots of custom rules, most of them from SARE. I've read in a post here (can't find the posting) that in SA 3.x some of the custom rules are included. Which rules are included and which should I continue using in SA 3.x? bigevil, antidrug, and backhair are no longer needed with SA 3.x. Bowie
Re: spamd vs spamass-milter
On Wed, 15 Dec 2004 [EMAIL PROTECTED] wrote: Currently I'm using procmailrc to start spamd since I have a couple users who don't want their mails checked by SA, now I'm looking into spamass-milter. Is there an option within the milter API to exclude certain users from SA or is there another workaround to do so? Many thanks matt Check out milter-spamc. It hooks into your sendmail access-db and lets you define sender/recipient lists that are enabled/disabled from milter scanning. See: http://www.milter.info/milter-spamc/index.shtml I use a slightly different approach. I hacked a version of miltrassassin so that it looks for a particular macro value. If that macro is set, it skips scanning that message. That way I can add any rules that I want to look for various values in a message (EG a particular header as well as sender/recipient contents) to control milter processing. Dave -- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.edu College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include std_disclaimer.h Better is not better, 'standard' is better. B{
Per user rules and scores
For various reasons Loren and I must use the per user scores and rules. I'm noticing that it is using my rules. But it is refusing to use my scores. What might be wrong with the setup? {^_^}
Re: consensus on SPF
On Wed, 15 Dec 2004, Christopher X. Candreva wrote: On Tue, 14 Dec 2004, jdow wrote: Why not configure your MTA to relay mail ONLY on encrypted authenticated sessions, and deliver locally (after some anti-spam checks) on plain sessions, all this done at port 25? [snip..] Actually, port 25 is NOT supposed to be used for an end-user client to submit mail to a server. Port 587 was designated the submission port some time ago, and should be used for all end-user to SMTP server connections. This is WHY port 25 is being blocked or redirected. Deploy SPF, use the submission port to talk to your own mail server, problem solved. Total agreement with this, but try to actually deploy it, client issues galore. Eudora will not let you set any port other than 25 for outgoing SMTP. Outlook will let you set an alternate SMTP port but if you do it breaks TLS. etc... -- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.edu College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include std_disclaimer.h Better is not better, 'standard' is better. B{
Yum update of SA from 2.63 to 3.0x
Does anyone have a good yum update repository to upgrade SA to 3.x (from 2.63)? Is an update like that recommended? -- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Chris Barnes AOL IM: CNBarnes [EMAIL PROTECTED] Yahoo IM: chrisnbarnes
Re: Yum update of SA from 2.63 to 3.0x
--On Wednesday, December 15, 2004 3:11 PM -0600 Chris Barnes [EMAIL PROTECTED] wrote: Does anyone have a good yum update repository to upgrade SA to 3.x (from 2.63)? Is an update like that recommended? I haven't used Red Hat's SA packages for some time. Just grab the tarball from the SA site and rebuild it into an RPM with the command line provided on the download page. I've been using that from RH7.2 through FC2, now with SA 3.0. (Have to get around to upgrading to 3.0.1, but might wait for 3.0.2.)
Re: SA 3.01
Rob MacGregor wrote: On Wed, 15 Dec 2004 18:12:06 +, Gavin Pearce [EMAIL PROTECTED] wrote: We have presently upgraded the server that we run SA on Dual Opteron 2.2Ghz 2GB DDR Memory SCSI U320 Raid5 Array Running Freebsd 5.3 Qmail SpamAssassin 3.01 - Standard conf And we have had nothing but problems with it, it just chews up all its memory, till it runs out and I have to reboot to correct it. Anyone any thoughts. I've got a FreeBSD 5.3 box running SA out of the ports (along with Sendmail, MIMEDefang and ClamAV) and haven't seen any memory usage problems. The box only has 512 MB of RAM, so I'd expect to hit them sooner :) You're sure that it's SA that's the problem? What are you using to track memory usage?

I suspect that it's my setup: the system passes any message it receives through SA and passes it on to the next mailserver. I think the way I'm running child processes is part of the problem, I'm running 50 and having to get the system to restart each child after it processes 2 messages to keep the memory usage down. Here's my spamd setup:

  exec /usr/local/bin/spamd -H $HOMEDIR \
    --username=qmailq \
    --max-conn-per-child=2 \
    -A 127.0.0.1 -m 50 2>&1
Re: Yum update of SA from 2.63 to 3.0x
Kenneth Porter [EMAIL PROTECTED] wrote: I haven't used Red Hat's SA packages for some time. Just grab the tarball from the SA site and rebuild it into an RPM with the command line provided on the download page. I've been using that from RH7.2 through FC2, now with SA 3.0. (Have to get around to upgrading to 3.0.1, but might wait for 3.0.2.)

No dice - downloaded and when I ran the:

  rpmbuild -tb Mail-SpamAssassin-3.0.1.tar.gz

I got:

  warning: Installed (but unpackaged) file(s) found: /usr/lib/perl5/5.8.3/i386-linux-thread-multi/perllocal.pod
  Wrote: /usr/src/redhat/RPMS/i386/spamassassin-3.0.1-1.i386.rpm

SA isn't running at all now. Just as a test I tried to issue a sa-learn --dump magic and got the following output:

  Use of uninitialized value in numeric eq (==) at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Conf/Parser.pm line 678.
  Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Conf/Parser.pm line 707.
  === the above were repeated many times ===
  unknown type for RCVD_IN_4: 18 at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin.pm line 1671.

-- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Chris Barnes AOL IM: CNBarnes [EMAIL PROTECTED] Yahoo IM: chrisnbarnes