Re: A good stats script?
on 1/18/05 6:12 PM, MIKE YRABEDRA at [EMAIL PROTECTED] wrote:

What is a good script that folks are using to generate SA stats off a mail log?

I am mainly looking for one that reports on the rulesets that are catching the spam too. I don't think sa-stats.pl does that?

++
Mike Yrabedra (President)
323 Incorporated
Our Sites: MacDock.com MacAgent.com iTuneAgent.com MacSurfShop.com
++
W: http://www.323inc.com/
P: 770.382.1195
F: 734.448.5164
E: [EMAIL PROTECTED]
I: ichatmacdock
++
Whatever you do, work at it with all your heart, as working for the Lord, not for men. ~Colossians 3:23 {{{
++
Re: BAYES_99 = 1.9?
On Mon, 17 Jan 2005, Thomas Arend wrote:

> With network test enabled bayes scores lower. This is a problem when the network tests don't fire when the spammer uses a new server. Therefore I have raised the bayes scores for bayes_99. I seldom get bayes_90 so I didn't raise the scores for bayes_90.

Rational, I suppose, but I use the network tests and still found it necessary to bump the bayes 9x up to get decent results after upgrading from 2.63 the other day.

BTW, it looks like bayes_90 has been deprecated. When I run a lint on my local.cf, I get:

    warning: score set for non-existent rule BAYES_90

James Smallacombe PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED] http://3.am
Re: A good stats script?
On Tue, 18 Jan 2005, MIKE YRABEDRA wrote:

> on 1/18/05 6:12 PM, MIKE YRABEDRA at [EMAIL PROTECTED] wrote:
>
> What is a good script that folks are using to generate SA stats off a mail log?
>
> I am mainly looking for one that reports on the rulesets that are catching the spam too. I don't think sa-stats.pl does that?

Nope...not that I'm aware of...but, then again, I don't use all of the options available.

--
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a message to: [EMAIL PROTECTED] with a message of: subscribe
Re: BAYES_99 = 1.9?
At 08:37 PM 1/18/2005, [EMAIL PROTECTED] wrote:

> BTW, it looks like bayes_90 has been deprecated. When I run a lint on my local.cf, I get:
>
>     warning: score set for non-existent rule BAYES_90

Yes, several of the old ranges in 2.64 no longer exist.. For 3.x they changed the ranging a bit, creating some new ones, merging together others..

For example, BAYES_90 went away, as did 01, 10, 30, 44, 56, and 70. However, 95 and 05 were added.

Basically before there was a lot of splitting of hairs, particularly near 50, that was largely useless. Bayes 40, 44, 50 and 56 all had more-or-less the same score. Zero, or damn close to it. So they made them all into the new BAYES_50...

It would also appear that they found that 10% away from the extremes (10 and 90) were not as useful as 5% (05 and 95).

I suspect this was all done after some graphing of frequency... In my experience, the vast majority of mail winds up in 01, 99 or 50, so it makes sense to coalesce some of the other ranges...
Re: spamassassin process a single message for 10 minutes !
I seem to remember there was a problem or design feature where something like Net::DNS was using about 4 file handles per URL that it looked up. Must have been about 250 URLs in that spam, at a guess.

Personally, I'd be inclined to submit a bug. :-)

Loren

----- Original Message -----
From: Christian Recktenwald [EMAIL PROTECTED]
To: Stefano Catani [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Tuesday, January 18, 2005 8:48 AM
Subject: Re: spamassassin process a single message for 10 minutes !

On Tue, Jan 18, 2005 at 10:56:22AM +, Stefano Catani wrote:

> here is the message: http://mail.units.it/6474
> it contains a lot of email addresses and stops our mailserver
>
> these are the times on a dual PIII 1GHz (SpamAssassin 3.0.2)
>
>     time spamc 6474
>     real 9m59.995s
>     user 0m0.000s
>     sys 0m0.000s

similar result here:

    real 10m0.067s
    user 0m0.010s
    sys 0m0.000s

single PIII 1GHz 750MB SA 3.0.0

spamd (according to top) does not eat significantly CPU. I called strace on the spamd process:

    ...
    select(0, NULL, NULL, NULL, {1, 2}) = 0 (Timeout)
    open(/etc/protocols, O_RDONLY)= -1 EMFILE (Too many open files)
    open(/var/lib/misc/protocols.db, O_RDWR|O_LARGEFILE) = -1 EMFILE (Too many open files)
    ...

this is reported endlessly so there seems to be a file handle problem. According to lsof:

    lsof | grep ^spamd | awk '{print $1,$2}' | sort | uniq -c

    NrOF PID
      37 spamd 20696
     126 spamd 20698
     129 spamd 20699
     130 spamd 20700
    1055 spamd 20701
      38 spamd 26284

This surely is insane. Process 20701 which is the actually scanning child process has opened 933 UDP sockets:

    spamd 20701 root 1023u IPv4 555058 UDP *:38796

and 85 handles on bayes_toks:

    spamd 20701 root 136u REG 58,2 5226496 656011 /home/chris/.spamassassin/bayes_toks

I'd guess the UDP sockets are from DNS lookups f. sender verify.

HTH, Chris

--
Christian Recktenwald : : citecs GmbH : [EMAIL PROTECTED]
Unternehmensberatung fuer : voice +49 711 601 2090 : Boeblinger Strasse 189
EDV und Telekommunikation : fax +49 711 601 2092 : D-70199 Stuttgart
Re: Memory problems with SA 3.0.1?
3.0.2 is better than 3.0.1 in this regard, so the first thing I'd do is upgrade. That may not be a complete solution, so if you are using spamd, I'd set ---max_con_per_child to something reasonably low, like 20..50 or so.

There are still a couple of things that can eat memory and already have bugs assigned, so will probably be fixed in a while. But limiting the number of connections per spamd child should help a lot.

Also with spamd, what is the max number of children? With your low email rate, I'd probably limit the number of children to 4..5 or so, probably no more than 10.

Loren

----- Original Message -----
From: [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Tuesday, January 18, 2005 8:53 AM
Subject: Memory problems with SA 3.0.1?

Are there any memory problems for SA version 3.0.1? We recently upgraded to 2 gigs of memory on the server and SA just gobbled up the memory. We dip down to under 20 megs here and there and 30-40 megs the rest of the time. I lowered the number of processes from 15 to 10 and according to top the RSS is reading at least 50 megs per process. When I stop and start SA I obviously gain back a lot of memory, but soon goes back down.

I'm running this on Fedora Core 2 with qmail, I average 25-35 emails a minute with spikes to 300 emails a minute. I just don't know if SA is supposed to take up that much memory. Any suggestions on what to look for? Or is there like a memory leak in this version?

Thanks
Robert Bartlett
Digital Phoenix
Re: Memory problems with SA 3.0.1?
Are you referring to what's in the spamd line? Currently it is m10

Hmm I thought that was max con per child, so where do I edit that value?

Thanks
Robert

> 3.0.2 is better than 3.0.1 in this regard, so the first thing I'd do is upgrade. That may not be a complete solution, so if you are using spamd, I'd set ---max_con_per_child to something reasonably low, like 20..50 or so.
>
> There are still a couple of things that can eat memory and already have bugs assigned, so will probably be fixed in a while. But limiting the number of connections per spamd child should help a lot.
>
> Also with spamd, what is the max number of children? With your low email rate, I'd probably limit the number of children to 4..5 or so, probably no more than 10.
>
> Loren
>
> ----- Original Message -----
> From: [EMAIL PROTECTED]
> To: users@spamassassin.apache.org
> Sent: Tuesday, January 18, 2005 8:53 AM
> Subject: Memory problems with SA 3.0.1?
>
> Are there any memory problems for SA version 3.0.1? We recently upgraded to 2 gigs of memory on the server and SA just gobbled up the memory. We dip down to under 20 megs here and there and 30-40 megs the rest of the time. I lowered the number of processes from 15 to 10 and according to top the RSS is reading at least 50 megs per process. When I stop and start SA I obviously gain back a lot of memory, but soon goes back down.
>
> I'm running this on Fedora Core 2 with qmail, I average 25-35 emails a minute with spikes to 300 emails a minute. I just don't know if SA is supposed to take up that much memory. Any suggestions on what to look for? Or is there like a memory leak in this version?
>
> Thanks
> Robert Bartlett
> Digital Phoenix
Re: Memory problems with SA 3.0.1?
Thanks for the response. Yes it is:

    --max-conn-per-child=number

I set it to 20. Will see how it works. Default is 200. Thanks again for the help. I will look into the upgrade to 3.0.2.

Thanks again!
Robert

> -m10 is 10 max children. In 3.x each child gets reused more than once before it is thrown away to reduce overhead of startup/shutdown. However, this has the drawback that if a child sucks up a lot of memory doing one spam, it has that memory until it goes away. By default that is a pretty long time (measured in number of mails processed). Cutting down the number of mails processed by each child before it restarts gets the memory returned faster.
>
> I think the --max_con_per_child goes on the same command line, but I could be wrong, not having used it myself. You can find it in the wiki or in the archives here. Theo has mentioned it frequently if you want to do an archive search.
>
> Loren
Spamd/spamc user issue
I'm having a problem getting spamd to work properly as any other user but root. I have it running as user spamd which I have created. I was originally getting create errors for user_prefs for /root. I set my procmailrc file to DROPPRIVS=yes and that cleared that as I had created a /home/spamd during useradd. Now, I get them for other users:

    Cannot write to /home/listuser/.spamassassin/user_prefs: Permission denied

I assume because spamd is running as user spamd and mail coming for listuser is being scanned and invoked by that user?

Please help if you can. Thanks.

--
JAV
(was Re: DIGEX) dnsreports.com/dnsstuff.com
> From [EMAIL PROTECTED] Tue Jan 18 15:55:21 2005
> Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
> Precedence: bulk
> ...
> From: Matt Kettler [EMAIL PROTECTED]
> ...
> No listing in any blacklists: http://www.dnsstuff.com/tools/ip4r.ch?ip=164.109.26.27

I don't know about digex, but dnsstuff.com is listed in SPEWS level 1 and level 2, completewhois.org and whois.rfc-ignorant.org.

BTW. I personally don't trust anyone with a disconnected telephone number, and they seem to probe my own address space quite often (both DNS and SMTP testing), always tracing back to a dial-up account or a proxy somewhere (with those irritating ad's saying this is not abuse - example from one of their relay tests: to=[EMAIL PROTECTED].

At least that's what the email triggered on my SA report (and of course spamhaus is on rfci's abuse list, like many anti-spam organizations are on either the abuse and/or the postmaster lists - they can't afford to devote a human to processing the mail-bombing that occurs, though I believe ISPs can't justify the same excuse - they are run-for-profit concerns, and that should be just one of the costs of doing business).

...

Paul Shupak
What to do with X-Antiabuse?
I've had spam making it through SA 3.02 with the X-Antiabuse headers in the mail. Anyone have any ideas on how to prevent minus scores on those rule hits? --JM -- [EMAIL PROTECTED] http://blogs.galaxycow.com/vermyndax Because this E mail address is transmission exclusive use, message it does not reply, fish prayer it is to call it does.
RBL definitions
I recently upgraded from version 2 to 3 and my performance has gone to pot. It may just be that I need a much stronger computer for this version but I suspect it may be doing a lot of RBL checking. In version 2, I had all net checking turned off in local.cf. I think something is being checked now and I can't figure out where to find it. Here's a header excerpt:

    X-Spam-Report:
    * 0.0 RCVD_BY_IP Received by mail server with no name
    * 0.6 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
    * 1.5 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
    * 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 1.5 MPART_ALT_DIFF BODY: HTML and text parts are different
    * 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
    * [URIs: dnek.com]
    * 2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
    * [URIs: dnek.com]
    * 0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    * [URIs: dnek.com]
    * 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    * [URIs: dnek.com]
    * 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
    * [URIs: dnek.com]

What blocklists are these? How do I tell my version which RBL's I want it to check? I think it's checking too many. Or am I on the wrong track? I read a performance hit about losing local DNS listings for the blacklists. Maybe that would help but I'd still need to know what lists to reference.

Frank M. Cook
Association Computer Services, Inc.
http://www.acsplus.com
Re: A good stats script?
At 08:22 PM 1.18.2005 -0500, MIKE YRABEDRA wrote:

> on 1/18/05 6:12 PM, MIKE YRABEDRA at [EMAIL PROTECTED] wrote:
>
> What is a good script that folks are using to generate SA stats off a mail log?
>
> I am mainly looking for one that reports on the rulesets that are catching the spam too. I don't think sa-stats.pl does that?

Well, you might be interested in this report from sa-stats.pl showing 4+ hours of scans by SA. Most of my filtering is done by 3 or 4 other layers at the MTA, so this is all that gets through to the SA that I use for the final filtering layer. Most is ham at this point. The top half is for spams and the bottom for ham:

http://www.sage-american.com/spamstats.html

HTH..

Happy trails,
Jack L. Stone
System Admin
Sage-american
very handy new whois tool
Determines which domains are vhosted at a given IP address.

e.g. xanexMUNGED.com, at 200.139.97.122, gives: http://whois.webhosting.info/200.139.97.122

200.139.97.122 - IP hosts 27 Total Domains ... Showing 1 - 27 out of 27

(yes, munged)

--j.
Re: very handy new whois tool
This tool has been abused and is known (and blocked) by many spammers (unfortunately).

Paul Shupak

P.S. It is still always worth a try though.
Re: very handy new whois tool
On Tue, Jan 18, 2005 at 08:27:50PM -0800, Justin Mason wrote:

> Determines which domains are vhosted at a given IP address.

Not very reliable though. They get most of the 400+ that work is hosting on 1 IP, 0 of the 80+ on 3 other IPs, and only 2 of the 10+ I have on my personal server.

--
Randomly Generated Tagline:
This life is a test. It is only a test. Had this been an actual life, you would have received further instructions as to what to do and where to go.
Re: DIGEX
I got a spam for an Acura dealer in Houston Tx from them. They are not going to get ANY mail into my mailbox as a result. The tone of their mail also indicated that they are arrogant pieces of dog droppings. If Digex appears in the email they are boosted to a rather high number. They are NOT well behaved.

{^_^}

----- Original Message -----
From: Matt Kettler [EMAIL PROTECTED]

At 02:42 AM 1/18/2005, jdow wrote:

> Spam really did come from 164.109.26.27. Is DigiEx not marked in any of the BLs around?

Why would digex be listed? AFAIK they are fairly well behaved nowadays. I mean, sure they were notorious in the 1990's, but recently?

No listing in any blacklists:
http://www.dnsstuff.com/tools/ip4r.ch?ip=164.109.26.27

No matches for that IP in google groups:
http://groups-beta.google.com/groups?q=164.109.26.27

No digex zone at blackholes.us:
http://www.blackholes.us/

However the hostname does reflect that this is honda's marketing listserv:

    Host name: ebizmail.honda.com
    IP address: 164.109.26.27
    Alias(es): None

The only SBL entries for the whole digex ISP are: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL22573 and http://www.spamhaus.org/sbl/sbl.lasso?query=SBL17550 , both of which are single IP listings related to them hosting gevalia's main website.

Spamhaus claims they contract out spam runs to folks like Eddy Marin, but they do not claim that they spam via the digex network.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL22573

Digging in google groups on NANAS I really find very few reports on them, and all the ones I do find are webhosting complaints, not spamming complaints.

Although, really, digex is now owned by MCI.. so maybe they've turned back downhill...
Re: What to do with X-Antiabuse?
At 10:48 PM 1/18/2005, Vermyndax wrote:

> I've had spam making it through SA 3.02 with the X-Antiabuse headers in the mail. Anyone have any ideas on how to prevent minus scores on those rule hits?

Care to be specific about which rule hits you're talking about?

AFAIK SA does not have any rules that score negative for X-Antiabuse headers.

In fact, the only negative scoring rules in 3.x I know of are:

    ALL_TRUSTED
    BAYES_00-BAYES_40
    USER_IN_* (whitelists of various sorts)
    RCVD_IN_BSP_*
    HABEAS_USER
    HASHCASH_*
    SPF_PASS (trivial score)
    SPF_HELO_PASS (trivial score)

And of course the AWL can take any score at all...
Re: DIGEX
At 12:10 AM 1/19/2005, jdow wrote:

> I got a spam for an Acura dealer in Houston Tx from them. They are not going to get ANY mail into my mailbox as a result. The tone of their mail also indicated that they are arrogant pieces of dog droppings. If Digex appears in the email they are boosted to a rather high number. They are NOT well behaved.

Hmm, well, have you reported the incident to digex? Have you reported it to honda? Or are you too upset to handle a simple issue simply?

If you've not reported to digex, then how can you know how well behaved digex is? Even the most adamant anti-spam ISP can have a bad customer. What differentiates good ISP from bad is how they handle the abuse reports. (ie: which goes to /dev/null, your email, or the offending customer account? Do they at least offer to mediate the dispute and contact them?)

ie, take your ISP, earthlink. I get quite a few spams from earthlink nodes. However, they rapidly disconnect spammers. I don't blocklist earthlink for this reason.

Also, it's not just an Acura dealer that sent you that email, that would appear to be a mailhub for all of honda's marketing.

I got one from Honda about 2 years ago via a different host (I am a Honda owner). I told them to get lost and they did. Never heard from 'em again.

Are you sure you're not over-reacting here? Are you certain you've never dropped that email address to them? (That includes business card in the fishbowl situations... Those raffles come at a cost of marketing and they make no claims to the contrary)

That said, I'd love to know how Digex and/or Honda handles your complaint. It's always important to know which ISPs are responsive and which aren't.
Re: very handy new whois tool
--On Tuesday, January 18, 2005 11:38 PM -0500 Theo Van Dinter [EMAIL PROTECTED] wrote:

> Not very reliable though. They get most of the 400+ that work is hosting on 1 IP, 0 of the 80+ on 3 other IPs, and only 2 of the 10+ I have on my personal server.

Check out the latest ntop (http://ntop.org). This is a network traffic monitor. One of its features is DNS sniffing. It builds a database of forward resolutions, and uses that to report the forward names of addresses found in traffic. If you run it at a big aggregation point, like a university gateway, you should build up a pretty good database to resolve virtual hosts from IP addresses.
Re: spamassassin process a single message for 10 minutes !
Using debug (spamd -D) I've found it takes a long time on URIDNSBL:

this is during startup:

    debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
    debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8a10224)
    debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
    debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x89f1cc0)
    debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
    debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8a43440)
    debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8a10224) implements 'parse_config'
    debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x89f1cc0) implements 'parse_config'
    debug: config: SpamAssassin failed to parse line, skipping: !__UNUSABLE_MSGID)
    debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8a10224) inhibited further callbacks

this is during message check:

    debug: URIDNSBL: query for cuni.cz took 5 seconds to look up (multi.surbl.org.:cuni.cz)
    debug: URIDNSBL: query for line.ru took 5 seconds to look up (multi.surbl.org.:line.ru)
    debug: URIDNSBL: query for petritsch.net took 4 seconds to look up (multi.surbl.org.:petritsch.net)
    debug: URIDNSBL: query for apollo.lv took 3 seconds to look up (multi.surbl.org.:apollo.lv)
    debug: URIDNSBL: query for flexnet.com.br took 4 seconds to look up (multi.surbl.org.:flexnet.com.br)
    debug: URIDNSBL: query for lcpc.fr took 5 seconds to look up (multi.surbl.org.:lcpc.fr)
    debug: URIDNSBL: query for lauchringen.de took 4 seconds to look up (multi.surbl.org.:lauchringen.de)
    debug: URIDNSBL: query for blackbox.at took 4 seconds to look up (multi.surbl.org.:blackbox.at)
    debug: URIDNSBL: query for haifa.ac.il took 4 seconds to look up (multi.surbl.org.:haifa.ac.il)
    debug: URIDNSBL: query for videotron.ca took 4 seconds to look up (multi.surbl.org.:videotron.ca)
    debug: URIDNSBL: query for land.ru took 4 seconds to look up (multi.surbl.org.:land.ru)
    debug: URIDNSBL: query
Mail::SpamAssassin usage
List:

I am not sure if this is the proper place for this question, so let me apologize in advance and then put on my asbestos underwear.

Is there any way to load more than just scores from SQL? Or flush blacklists/whitelists from the prefs?

I am running SA inside of MimeDefang (MD). I have re-written the SA calls from MD to init the SA object with username. I have a custom SQL setup, etc and all is good. BUT... (there's always a big but [sic])

The first MD thread loads the conf from the database. Subsequent calls to my modified spam_assassin_init() [an MD function that I blatantly stole massive code from] checks if an SA object exists and, if so, calls load_scoresonly_sql(username). Eg:

    # in init
    if (!defined($SATester)) {
        # first call in this thread: build and compile the SA object
        $SATester = Mail::SpamAssassin->new({
            local_tests_only   => 1,
            dont_copy_prefs    => 1,
            LOCAL_RULES_DIR    => $LOCAL_RULES_DIR,
            userprefs_filename => $opts->{config},
        });
        $SATester->init(1);
        $SATester->compile_now(1);
    } else {
        # later calls: only swap in this user's scores from SQL
        $SATester->load_scoresonly_sql($username);
    }

Question: Is this even right? Looking at the docs, it seems that I shouldn't be specifying the userprefs_filename if I want to switch users. MD does it so... Also compile_now(1) won't read the user prefs, but then you can only use scores only - am I understanding this correctly? Should I be using copy_config()? If so, how do I load up parts of the config to modify? (e.g. the user's goodies from the database)

As it stands, it works (almost) great, the user's scores from the db over-ride the scores from the initialized thread (which are the scores for the first user when it was initialized). However, additive goodies like blacklist_from don't go away, only scores are changed for the general blacklist score.

I could tell my users whitelists and blacklists are global like I have since installing SA years ago :-)

I've tried to modify SpamAssassin.pm with a hack routine clear_blacklist_from() which is:

    sub clear_blacklist_from {
        my $self = shift;
        $self->{blacklist_from} = {};
    }

If this works, swell, but then I still need to re-load the user's config, which I don't see a routine for reloading the config.

I've been digging through the SA code for a few days now - anyone have pointers?

Thanks.
-Tony

This email message and any attachments are for the sole use of the intended recipient(s) and contain confidential and/or proprietary information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.
Re: Verizon hosting spammers :)
And now Verizon is sending out spam to get people to join verizon.com. They are going into my black list at the procmail level ASAP except for a VERY few verizon addresses.

{`,'} A pissed off Joanne.

----- Original Message -----
From: Martin Hepworth [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: 2005 January, 17, Monday 01:37
Subject: Re: Verizon hosting spammers :)

It's true, Verizon have apparently blocked all email from RIPE, APNIC allocated addresses (Europe and Asia Pac) starting Dec 22 2004. Apparently MessageLabs took 2 whole days to get onto their whitelist.

http://www.theregister.co.uk/2005/01/14/verizon_email_block/

D'oh...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Menno van Bennekom wrote:

Yes, I think they host a lot of spammers. I only get spam/virus mails from Verizon here (Netherlands) so I blocked dsl-verizon.net in postfix and that means about 100 spams/viruses less per day. If they want to send real mail they still can do so through the smtp-servers of their provider.

There was a funny message on the net lately, about Verizon planning to block all European mail-traffic because of spam. We had a good laugh about that over here.

Menno van Bennekom

Brief header I'm not too interested in.

    Received: from mail.printosh.hu (241.75-228-195.hosting.adatpark.hu [195.228.75.241]) by moglobal.com (8.12.5/8.12.5) with ESMTP id j0E5Lj1E012550 for [EMAIL PROTECTED]; Fri, 14 Jan 2005 00:21:47 -0500
    Received: from [195.228.75.61] (HELO 195.228.75.41) by mail.printosh.hu (CommuniGate Pro SMTP 4.1.8) with SMTP id 152241; Fri, 14 Jan 2005 06:20:51 +0100
    Message-ID: [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    From: Low-Cost Term Life [EMAIL PROTECTED]

HTML code showing verizon site. Should we block all mysite pages? /sniker/

    a onmouseover=window.status='See Your Savings!';return true; href=http://mysite.verizon.net/resoxfmz/1.htm;img border=0 src=http://pws.prserv.net/maxlife/EBA.jpg; width=620 height=393/a!-- n bugtwtms sucxjdta uvjezwpb --/ppfont face=Microsoft Sans Serif size=1 a href=http://mysite.verizon.net/resoxfmz/ServiceBasic.htm;Legal/a a href=http://mysite.verizon.net/resoxfmz/1.htm;Privacy/a /fontfont face=Microsoft Sans Serif color=#4e4e4e size=1 a href=http://mysite.verizon.net/resoxfmz/ServiceBasic.htm;Preferences/a / fontfont face=Microsoft Sans Serif size=1nbsp;/font/p!-- k hdfkzxgx tyhgmzrl hx--pfont color=#FFspan style=font-size: 1ptgt;gt; gt;gt; Will they give the child a good religious upbringing? That's our religion, isn't it? How ya doin'?/span/font/p

Chris Santerre
System Admin and SARE/SURBL Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: Memory problems with SA 3.0.1?
Robert

there's a patch (well two actually) that help for 3.01 and 3.02 here

http://bugzilla.spamassassin.org/show_bug.cgi?id=3983

does a lot of what the 3.10 will do - limits spawning of new processes.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

[EMAIL PROTECTED] wrote:

> Are there any memory problems for SA version 3.0.1? We recently upgraded to 2 gigs of memory on the server and SA just gobbled up the memory. We dip down to under 20 megs here and there and 30-40 megs the rest of the time. I lowered the number of processes from 15 to 10 and according to top the RSS is reading at least 50 megs per process. When I stop and start SA I obviously gain back a lot of memory, but soon goes back down.
>
> I'm running this on Fedora Core 2 with qmail, I average 25-35 emails a minute with spikes to 300 emails a minute. I just don't know if SA is supposed to take up that much memory. Any suggestions on what to look for? Or is there like a memory leak in this version?
>
> Thanks
> Robert Bartlett
> Digital Phoenix
Re: RBL definitions
Frank

you got a local caching name server on the machine? That helps.

I also turn off a lot of the pure RBL's and only use the URIRBL's by adding this to my local.cf

# don't do all the RBL's just spamhause XBL
score __RCVD_IN_NJABL 0.0
score RCVD_IN_NJABL_DUL 0.0
score RCVD_IN_NJABL_MULTI 0.0
score RCVD_IN_NJABL_PROXY 0.0
score RCVD_IN_NJABL_RELAY 0.0
score RCVD_IN_NJABL_SPAM 0.0
score RCVD_IN_NJABL_CGI 0.0
score __RCVD_IN_SORBS 0.0
score RCVD_IN_SORBS_HTTP 0.0
score RCVD_IN_SORBS_MISC 0.0
score RCVD_IN_SORBS_SMTP 0.0
score RCVD_IN_SORBS_SOCKS 0.0
score RCVD_IN_SORBS_WEB 0.0
score RCVD_IN_SORBS_BLOCK 0.0
score RCVD_IN_SORBS_ZOMBIE 0.0
score RCVD_IN_SORBS_DUL 0.0
score __RFC_IGNORANT_ENVFROM 0.0
score DNS_FROM_RFC_DSN 0.0
score DNS_FROM_RFC_POST 0.0
score DNS_FROM_RFC_ABUSE 0.0
score DNS_FROM_RFC_WHOIS 0.0
score DNS_FROM_RFC_BOGUSMX 0.0
score RCVD_IN_DSBL 0.0
score DNS_FROM_AHBL_RHSBL 0.0
score HABEAS_INFRINGER 0.0
score HABEAS_USER 0.0
score RCVD_IN_BSP_TRUSTED 0.0
score RCVD_IN_BSP_OTHER 0.0
score __SENDERBASE 0.0
score SB_NEW_BULK 0.0
score SB_NSP_VOLUME_SPIKE 0.0
score RCVD_IN_RSL 0.0
score RCVD_IN_MAPS_RBL 0.0
score RCVD_IN_MAPS_DUL 0.0
score RCVD_IN_MAPS_RSS 0.0
score RCVD_IN_MAPS_NML 0.0

Making the scores zero turns off the rule (doesn't even run it). This may help quite a lot.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Frank M. Cook wrote:

I recently upgraded from version 2 to 3 and my performance has gone to pot. It may just be that I need a much stronger computer for this version but I suspect it may be doing a lot of RBL checking. In version 2, I had all net checking turned off in local.cf. I think something is being checked now and I can't figure out where to find it.

Here's a header excerpt:

X-Spam-Report:
 *  0.0 RCVD_BY_IP Received by mail server with no name
 *  0.6 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
 *  1.5 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
 *  0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  1.5 MPART_ALT_DIFF BODY: HTML and text parts are different
 *  0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
 *      [URIs: dnek.com]
 *  2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
 *      [URIs: dnek.com]
 *  0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 *      [URIs: dnek.com]
 *  2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
 *      [URIs: dnek.com]
 *  3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
 *      [URIs: dnek.com]

What blocklists are these? How do I tell my version which RBL's I want it to check? I think it's checking too many. or am I on the wrong track? I read a performance hit about losing local DNS listings for the blacklists. maybe that would help but I'd still need to know what lists to reference.

Frank M. Cook
Association Computer Services, Inc.
http://www.acsplus.com
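An added example, not part of the thread and not the sa-stats script mentioned in it: Python code that parses X-Spam-Report blocks like the one quoted above, separates blocklist (network) hits from local rule hits, and tallies per-rule hits across messages. The prefix list used to recognise network rules is an assumption drawn from the rule names in this thread, and the second report is constructed sample data.

```python
import re
from collections import defaultdict

# X-Spam-Report excerpt as quoted in the message above.
REPORT_FROM_THREAD = """\
X-Spam-Report:
 *  0.0 RCVD_BY_IP Received by mail server with no name
 *  0.6 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
 *  1.5 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
 *  0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  1.5 MPART_ALT_DIFF BODY: HTML and text parts are different
 *  0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
 *      [URIs: dnek.com]
 *  2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
 *      [URIs: dnek.com]
 *  0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 *      [URIs: dnek.com]
 *  2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
 *      [URIs: dnek.com]
 *  3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
 *      [URIs: dnek.com]
"""

# Constructed second report, so the tally covers more than one message.
REPORT_CONSTRUCTED = """\
X-Spam-Report:
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
 *      [URIs: example.invalid]
"""

# "* <score> <RULE_NAME> <description>"
RULE_LINE = re.compile(r"^\s*\*\s+(-?\d+(?:\.\d+)?)\s+([A-Za-z0-9_]+)(?:\s+(.*))?$")
# "*      <continuation>", e.g. "[URIs: dnek.com]" or a wrapped description
CONT_LINE = re.compile(r"^\s*\*\s+(\S.*)$")
URIS = re.compile(r"\[URIs:\s*([^\]]+)\]")

# Assumption: name prefixes treated as DNS blocklist lookups, taken from the
# rule names that appear in this thread. It is not a complete list.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_", "DNS_FROM_")


def parse_report(text):
    """Return one dict per rule hit: rule, score, desc, uris."""
    hits = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits.append({"rule": m.group(2), "score": float(m.group(1)),
                         "desc": (m.group(3) or "").strip(), "uris": []})
            continue
        c = CONT_LINE.match(line)
        if c and hits:  # continuation belongs to the previous rule hit
            u = URIS.search(c.group(1))
            if u:
                hits[-1]["uris"].extend(u.group(1).split())
            else:
                hits[-1]["desc"] += " " + c.group(1).strip()
    return hits


def split_network(hits):
    """Split hits into (network lookups, local rules) by name prefix."""
    net = [h for h in hits if h["rule"].startswith(NETWORK_PREFIXES)]
    local = [h for h in hits if not h["rule"].startswith(NETWORK_PREFIXES)]
    return net, local


def score_of(hits):
    return round(sum(h["score"] for h in hits), 1)


def rule_stats(reports):
    """Per-rule (name, hit count, total score), most frequent first."""
    stats = defaultdict(lambda: [0, 0.0])
    for text in reports:
        for h in parse_report(text):
            stats[h["rule"]][0] += 1
            stats[h["rule"]][1] += h["score"]
    rows = [(rule, n, round(s, 1)) for rule, (n, s) in stats.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    net, local = split_network(parse_report(REPORT_FROM_THREAD))
    print("network:", score_of(net), [h["rule"] for h in net])
    print("local:  ", score_of(local), [h["rule"] for h in local])
    for row in rule_stats([REPORT_FROM_THREAD, REPORT_CONSTRUCTED]):
        print("%-24s hits=%d score=%.1f" % row)
```

Note that RCVD_BY_IP, RCVD_HELO_IP_MISMATCH and RCVD_NUMERIC_HELO land on the local side: only the RCVD_IN_ prefix is treated as a blocklist lookup.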
Re: A good stats script?
At 05:55 AM 1.19.2005 -0500, Mike Yrabedra wrote:

Jack, Thanks for the info. Where would I get this version of the script? Will it work on a regular spamd log?

Mike: Yes, it works on a spamd log. In fact, I re-direct all spamd info to /var/log/spamd.log and run the script against that pure file. I downloaded that script while SA-3.0 was going through shake-down through various stages of RCs. I noted the file is dated July 2004, so suspect I got it from a tarball. If you or anyone can't locate it and needs a copy, I guess it would be okay if I posted it for download. Let me know.

Happy trails,
Jack L. Stone
System Admin
Sage-american
Re: (was Re: DIGEX) dnsreports.com/dnsstuff.com
At 10:44 PM 1/18/2005, List Mail User wrote:

I don't know about digex, but dnsstuff.com is listed in SPEWS level 1 and level 2, completewhois.org and whois.rfc-ignorant.org. BTW. I personally don't trust anyone with a disconnected telephone number, and they seem to probe my own address space quite often (both DNS and SMTP testing), always tracing back to a dial-up account or a proxy somewhere (with those irritating ad's saying this is not abuse - example from one of their relay tests: to=[EMAIL PROTECTED]. At least that's what the email triggered on my SA report (and of course spamhaus is on rfci's abuse list, like many anti-spam organizations are on either the abuse and/or the postmaster lists - they can't afford to devote a human to processing the mail-bombing that occurs, though I believe ISPs can't justify the same excuse - they are run-for-profit concerns, and that should be just one of the costs of doing business).

I find that entire complaint amusing. So, you consider open relay tests mailbombs... Why are you accepting them in the first place?
German court rules e-mail blocking 'illegal'.
Not sure how this will work itself out (or how old this story is) but it's probably worth noting and keeping an eye on... The Higher Regional Court now has ruled that blocking email by content is unlawful as it is considered confidential in German law. Blocking is only allowed when, say, a viral attack is imminent. http://www.theregister.co.uk/2005/01/18/german_email_blocking/ Anyone know enough German (or is German) who can translate the ruling that's linked in the above article? The Google translated version is a tad hard to decipher. -Joe K. Systems Administrator Network Executive Software, Inc. 888-604-5573 / postmaster(at)netex(dot)com
Re: German court rules e-mail blocking 'illegal'.
Hi,

there is a pretty good summary linked within the article: http://www.heise.de/english/newsticker/news/55210

This decision deals with filtering the email of a person who had left the university and tried to stay in contact with his former co-workers. The university did not want this, and thus blocked all email containing the former employee's name. This has got nothing to do with spam filtering, unless somebody complains that he/she wants to read all the nonsense 8-)

Cheers,
C-Store Hard- und Software GmbH
Christoph Peter
Düstere Straße 20
37073 Göttingen
http://www.c-store.de
[EMAIL PROTECTED]

- Original Message -
From: Kang, Joseph S. [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, January 19, 2005 3:52 PM
Subject: German court rules e-mail blocking 'illegal'.

Not sure how this will work itself out (or how old this story is) but it's probably worth noting and keeping an eye on... The Higher Regional Court now has ruled that blocking email by content is unlawful as it is considered confidential in German law. Blocking is only allowed when, say, a viral attack is imminent. http://www.theregister.co.uk/2005/01/18/german_email_blocking/

Anyone know enough German (or is German) who can translate the ruling that's linked in the above article? The Google translated version is a tad hard to decipher.

-Joe K.
Systems Administrator
Network Executive Software, Inc.
888-604-5573 / postmaster(at)netex(dot)com
RE: German court rules e-mail blocking 'illegal'.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 19, 2005 9:06 AM
To: Kang, Joseph S.
Cc: users@spamassassin.apache.org
Subject: Re: German court rules e-mail blocking 'illegal'.

As far as I understood this is that mails must get forwarded even if they are spam or not, there is only one exception: virus mails, they are permitted to drop without forwarding. Spamassassin shouldn't have this problem unless you drop the mails on a MTA level.

SA shouldn't have this problem. However, the larger issue of whether or not any sort of SPAM filtering solution is considered legal is my concern. If the mail must get forwarded, then the mail must get forwarded. Any sitewide SPAM blocking implementation (with or without SA) could be challenged since it blocks messages based on content. I guess the point is a moot one for me since I'm in the US.

-JK
RE: Verizon hosting spammers :)
LOL

FWIW, the site mentioned in my original post is still UP!! After reading what verizon wireless did with the bluetooth cell phones(1), I've pretty much given up hope that ANYONE in upper management of any verizon company has a clue!

--Chris

(1) http://www.nuclearelephant.com/papers/v710.html

-Original Message-
From: jdow [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 19, 2005 4:32 AM
To: users@spamassassin.apache.org
Subject: Re: Verizon hosting spammers :)

And now Verison is sending out spam to get people to join verison.com. They are going into my black list at the procmail level ASAP except for a VERY few verison addresses.

{`,'}A pissed off Joanne.

- Original Message -
From: Martin Hepworth [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: 2005 January, 17, Monday 01:37
Subject: Re: Verizon hosting spammers :)

It's true, Verizon have apparently blocked all email from RIPE, APNIC allocated addresses (Europe and Asia Pac) starting Dec 22 2004. Apparently MessageLabs took 2 whole days to get onto their whitelist. http://www.theregister.co.uk/2005/01/14/verizon_email_block/ D'oh...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Menno van Bennekom wrote:

Yes, I think they host a lot of spammers. I only get spam/virus mails from Verizon here (Netherlands) so I blocked dsl-verizon.net in postfix and that means about 100 spams/viruses less per day. If they want to send real mail they still can do so through the smtp-servers of their provider. There was a funny message on the net lately, about Verizon planning to block all European mail-traffic because of spam. We had a good laugh about that over here.

Menno van Bennekom

Brief header I'm not too interested in.

Received: from mail.printosh.hu (241.75-228-195.hosting.adatpark.hu [195.228.75.241]) by moglobal.com (8.12.5/8.12.5) with ESMTP id j0E5Lj1E012550 for [EMAIL PROTECTED]; Fri, 14 Jan 2005 00:21:47 -0500
Received: from [195.228.75.61] (HELO 195.228.75.41) by mail.printosh.hu (CommuniGate Pro SMTP 4.1.8) with SMTP id 152241; Fri, 14 Jan 2005 06:20:51 +0100
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
From: Low-Cost Term Life [EMAIL PROTECTED]

HTML code showing verizon site. Should we block all mysite pages?

/sniker/

a onmouseover=window.status='See Your Savings!';return true; href=http://mysite.verizon.net/resoxfmz/1.htm;img border=0 src=http://pws.prserv.net/maxlife/EBA.jpg; width=620 height=393/a!-- n bugtwtms sucxjdta uvjezwpb --/ppfont face=Microsoft Sans Serif size=1 a href=http://mysite.verizon.net/resoxfmz/ServiceBasic.htm;Legal/a a href=http://mysite.verizon.net/resoxfmz/1.htm;Privacy/a /fontfont face=Microsoft Sans Serif color=#4e4e4e size=1 a href=http://mysite.verizon.net/resoxfmz/ServiceBasic.htm;Pr eferences/a / fontfont face=Microsoft Sans Serif size=1nbsp;/font/p!-- k hdfkzxgx tyhgmzrl hx--pfont color=#FFspan style=font-size: 1ptgt;gt; gt;gt; Will they give the child a good religious upbringing? That's our religion, isn't it? How ya doin'?/span/font/p

Chris Santerre
System Admin and SARE/SURBL Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin
Re: (was Re: DIGEX) dnsreports.com/dnsstuff.com
From [EMAIL PROTECTED] Wed Jan 19 06:57:31 2005
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
..
Subject: Re: (was Re: DIGEX) dnsreports.com/dnsstuff.com

A message (from [EMAIL PROTECTED]) was received at 19 Jan 2005 14:21:48 +. The following addresses had delivery problems: [EMAIL PROTECTED] Permanent Failure: 554_Service_unavailable;[EMAIL PROTECTED];[EMAIL PROTECTED]

This explains much... about Plectere.com's intolerance of relay checks.. using rfc-ignorant as a SMTP block layer criteria clearly indicates that Plectere is on the extreme side. Perhaps they are a subcontractor for Verizon and implemented the blockade of all of europe

I readily admit to being on the extreme side. I also refuse, Hotmail, MSN and most cable providers (with a significant whitelist for friends and relatives). I don't believe in jumping the artificial hoops created by some service providers to get a valid complaint filed (and for comcast, totally ignored in most cases - P.S. I am a comcast customer, though I would never use their internet service). And no, Verizon has never been one of my customers, but I bet you actually use either hardware or software I designed for some other large companies (do you use any *nix, or Intel chipset based motherboards?).

Paul Shupak
RE: A good stats script?
-Original Message-
From: MIKE YRABEDRA [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 18, 2005 8:22 PM
To: SATalk
Subject: Re: A good stats script?

on 1/18/05 6:12 PM, MIKE YRABEDRA at [EMAIL PROTECTED] wrote:

What is a good script that folks are using to generate SA stats off a mail log? I am mainly looking for one that reports on the rulesets that are catching the spam too. I don't think sa-stats.pl does that?

One of the SARE ninjas has a great script for this. http://www.rulesemporium.com/programs/sa-stats.txt

Ninja-D, your KungFu is good!

--Chris
Re: German court rules e-mail blocking 'illegal'.
I had the same thought when initially setting up our system. Our university has pretty strict rules regarding content-filtering. I got around it by having SA tag spam (using X-Spam-Status, no subject re-write), then a procmail in each user's folder automagically puts these into a Spam-folder. All users have been informed of this and are thereby free to do what they will with Spam-folder content. Some (including myself) have crontabs that remove old spam after a pre-determined number of days, weeks, or months. Also nice 'cause my backupserver skips .Spam- and .Trash-folders. ;-)

-Roger
New to SA, problems with production speed
This is my first post here, and liable to be a doozie!

Running SA 3.0.2 with Sendmail 8.12.11, hooked in with spamass-milter 0.2.0, all under Solaris 9. I also have SPF-Milter installed from spf.pobox.com. SPF is the first milter, SA is the second in the sendmail.cf file. Sendmail running only as MTA with user delivery responsibilities. I was able to build and install SA and the milter on a test machine (running same config, except Solaris 8). Test machine was loaded with gcc 3.3.2.

We are starting SA and the spamass-milter program using the following script:

#!/sbin/sh
#
# From: [EMAIL PROTECTED] (Scott Griffith, ISES-LLC)
# To: [EMAIL PROTECTED], spamassassin-talk@lists.sourceforge.net
# Subject: Re: [Spamassassin-talk] SysV-style startup script
# Date: Sat, 24 Nov 2001 12:09:16 -0700
#
# In case there are any Solaris folks out there who aren't comfortable
# with their own rc scripts, here's what I've been using for Solaris 7
# from day 1 with no problems. Filename:
#
# /etc/rc2.d/S78spamd

#PATH=$PATH:/usr/bin:/usr/local/bin:/sbin:/bin:/usr/sbin
PATH=$PATH:/usr/local/bin:/usr/bin:/sbin:/bin:/usr/sbin
DAEMON=/usr/local/sbin/spamass-milter
SOCKET=/var/run/spamass.sock
DESC="Sendmail milter plugin for SpamAssassin"

case "$1" in
'start')
    # start spamd as a daemon (at most 20 children) if it is installed
    if [ -x /usr/bin/spamd -o -x /usr/local/bin/spamd ]
    then
        spamd -d -m 20 -u obscured --syslog-socket=inet --nouser-config
    fi
    # start the milter on its socket
    $DAEMON -p $SOCKET -i 192.168.obscured
    ;;
'stop')
    /usr/bin/pkill -9 -x -u obscured '(spamd)'
    /usr/bin/pkill -9 -x -u 0 'spamass-milter'
    rm $SOCKET
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
exit 0

I had good success passing occasional messages through SA to test mail accounts and it seems to work just as expected. On the test machine, I was able to change /etc/mail/spamassassin/local.cf to match our needs and local configuration. Our only intent is to let SA tag the X-Spam* headers, providing no change to subject or body of the messages.

The problem I am having now is that under a production load (~30,000 SMTP connections per day), it looks like spamd/spamc handoff is slowing to a crawl and consuming great amounts of memory. The first 2-3 emails that come in after starting process within 2-5 seconds each, and after about 20 messages, the time spamd takes to process gets up into 100+ seconds. With a steady volume of mail coming in, everything eventually chokes down, as sendmail itself starts backing up tremendously.

The only thing that I did out of the ordinary was that I compiled everything on our test machine, tar'd up the directories that everything was built into, untar'd on the production machine, and ran make install. I did it this way because in our situation, compiling on the production sendmail machine is frowned upon. This very well could be the reason of my slowdown problems, and before I go fight the but I have to be able to compile in production, I wanted to see if anyone had any ideas about what could be causing the slowdowns.

I know it's a LONNG first post, and thanks to any/all that can muddle through and reply.
Re: New to SA, problems with production speed
Leonard

known issue with sa 3.0x and spamc/spamd. Will be fixed with 3.10. Workaround is lower number of children allowed or apply following patches..
http://bugzilla.spamassassin.org/show_bug.cgi?id=3983

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

[EMAIL PROTECTED] wrote:

This is my first post here, and liable to be a doozie!

Running SA 3.0.2 with Sendmail 8.12.11, hooked in with spamass-milter 0.2.0, all under Solaris 9. I also have SPF-Milter installed from spf.pobox.com. SPF is the first milter, SA is the second in the sendmail.cf file. Sendmail running only as MTA with user delivery responsibilities. I was able to build and install SA and the milter on a test machine (running same config, except Solaris 8). Test machine was loaded with gcc 3.3.2.

We are starting SA and the spamass-milter program using the following script:

#!/sbin/sh
#
# From: [EMAIL PROTECTED] (Scott Griffith, ISES-LLC)
# To: [EMAIL PROTECTED], spamassassin-talk@lists.sourceforge.net
# Subject: Re: [Spamassassin-talk] SysV-style startup script
# Date: Sat, 24 Nov 2001 12:09:16 -0700
#
# In case there are any Solaris folks out there who aren't comfortable
# with their own rc scripts, here's what I've been using for Solaris 7
# from day 1 with no problems. Filename:
#
# /etc/rc2.d/S78spamd

#PATH=$PATH:/usr/bin:/usr/local/bin:/sbin:/bin:/usr/sbin
PATH=$PATH:/usr/local/bin:/usr/bin:/sbin:/bin:/usr/sbin
DAEMON=/usr/local/sbin/spamass-milter
SOCKET=/var/run/spamass.sock
DESC="Sendmail milter plugin for SpamAssassin"

case "$1" in
'start')
    # start spamd as a daemon (at most 20 children) if it is installed
    if [ -x /usr/bin/spamd -o -x /usr/local/bin/spamd ]
    then
        spamd -d -m 20 -u obscured --syslog-socket=inet --nouser-config
    fi
    # start the milter on its socket
    $DAEMON -p $SOCKET -i 192.168.obscured
    ;;
'stop')
    /usr/bin/pkill -9 -x -u obscured '(spamd)'
    /usr/bin/pkill -9 -x -u 0 'spamass-milter'
    rm $SOCKET
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
exit 0

I had good success passing occasional messages through SA to test mail accounts and it seems to work just as expected. On the test machine, I was able to change /etc/mail/spamassassin/local.cf to match our needs and local configuration. Our only intent is to let SA tag the X-Spam* headers, providing no change to subject or body of the messages.

The problem I am having now is that under a production load (~30,000 SMTP connections per day), it looks like spamd/spamc handoff is slowing to a crawl and consuming great amounts of memory. The first 2-3 emails that come in after starting process within 2-5 seconds each, and after about 20 messages, the time spamd takes to process gets up into 100+ seconds. With a steady volume of mail coming in, everything eventually chokes down, as sendmail itself starts backing up tremendously.

The only thing that I did out of the ordinary was that I compiled everything on our test machine, tar'd up the directories that everything was built into, untar'd on the production machine, and ran make install. I did it this way because in our situation, compiling on the production sendmail machine is frowned upon. This very well could be the reason of my slowdown problems, and before I go fight the but I have to be able to compile in production, I wanted to see if anyone had any ideas about what could be causing the slowdowns.

I know it's a LONNG first post, and thanks to any/all that can muddle through and reply.
Re: German court rules e-mail blocking 'illegal'.
Joe K. wrote:

Anyone know enough German (or is German) who can translate the ruling that's linked in the above article?

As I am lacking the time for a full translation: the core of the ruling is that the university had, under German law, no right to block all mail originating from or sent to a specific (former) employee, because the action of filtering violates the Brief- und Fernmeldegeheimnis (which translates roughly to letter and telecommunications secrecy, AFAIK).

It was noted that this does *not* imply that filtering spam is illegal, because ISPs implementing spam filters do so with the approval/consent of their customers. In this special case, the former university employee was not notified of the action taken (neither were his communication partners) and when he finally found out about the process, he did not agree and insisted on receiving and sending mail without interference.

Disclaimer: I am not a lawyer, and if my summary of the case is misleading or just plain wrong, it is all my fault. Mea culpa. ;-)

--
Mit freundlichen Grüßen / Yours sincerely
Dipl. Inform. Ralph Seichter
HORUS-IT
Ahornweg 10
D-57635 Oberirsen
Tel +49 2686 987880
Fax +49 2686 987889
http://horus-it.de/
Ebay acting as a list server?
Hi,

in an ISP setting there seem to be two cases where machines other than the official mail server send mails FROM a local address
- valid clients who send mails from their local system to the mailserver (and authenticate in one way or another to do so)
- spammers who believe that a forged local address will bypass spam checking

Consequently I started to refuse mail from non authenticated senders using local mail addresses. It turned out soon that ebay sends valid mail, FROM a local address, TO the same local address, with an ebay HELO address - I had to create an exemption for that case. Is anyone aware of other sites that do the same thing?

Wolfgang Hamann
spamassassin works, spamc / d doesn't? I have it working on other servers...
Can't see what I'm doing wrong. I ran spamd like:

spamd -x -d -r /var/run/spamassassin.pid --socketpath=/var/run/spamassassin.sock --sql-config

OR

spamd -d -r /var/run/spamassassin.pid --socketpath=/var/run/spamassassin.sock --sql-config

spamc -x -c -U /var/run/spamassassin.sock -u sysop /root/.cpan/build/Mail-SpamAssassin-3.0.2/sample-spam.txt

gives me: 0/0

Running spamassassin works normally!?!?!? I've done this before on 3.01 and it worked (different server), can't see any difference. What have I overlooked?

Thanks!
m/
Re: newbie question about adding rules
Put your rules in /etc/mail/spamassassin, they won't get written over.

From: [EMAIL PROTECTED]
Date: Wed, 19 Jan 2005 13:57:30 -0600
To: users@spamassassin.apache.org
Subject: newbie question about adding rules

I am looking at adding some rulesets from SARE and we are planning on putting them in the /usr/share/spamassassin directory (I know they get overwritten when upgrading...). I don't see anywhere that spamassassin is calling the sets in that directory, which I believe is default? If I add these new rulesets to the share dir, what config changes do I need to make, or do I just need to HUP it?

Thanks for your patience... this is my second day with spamassassin...

Kyle Reynolds
972-731-4731
[EMAIL PROTECTED]
Re: newbie question about adding rules
At 02:57 PM 1/19/2005, [EMAIL PROTECTED] wrote:

I am looking at adding some rulesets from SARE and we are planning on putting them in the /usr/share/spamassassin directory (I know they get overwritten when upgrading...). I don't see anywhere that spamassassin is calling the sets in that directory, which I believe is default? If I add these new rulesets to the share dir, what config changes do I need to make, or do I just need to HUP it?

I'd strongly suggest NOT putting them in /usr/share/spamassassin.. they won't get over-written when you upgrade, they'll get obliterated. The SA install process executes rm -f /usr/share/spamassassin/*

It also makes it more difficult to restore SA to a stock condition when debugging problems. Normally all you need to do is rename /etc/mail/spamassassin/. But if you've added files to /usr/share, you'll have to manually back them out.

/usr/share/spamassassin is very much intended to only contain the default ruleset, with no modifications or additions.

A preferable location would be to add the files to /etc/mail/spamassassin/

SA will read all .cf files from that directory, not just local.cf, so you don't even need to do anything special like append them to local.cf. Just copy em in.

That said, once you add files or change files in either place all you should need to do is HUP or restart spamd (if you use spamd) or any apps that call the SA API directly (if you use one of those such as MailScanner).