Re: extreme measures, postmaster.rfci comcast.net
(sorry for forwarding an off-list post onto the list.. but)

List Mail User [EMAIL PROTECTED]

Matt, From your lack of response, I can guess you're probably not interested in what I have to say (you can just delete this if so, and I promise to never send you uninvited email again).

Paul, I have an interest in continuing our discourse, however you still do not accept mail from my ISP. Thus, I cannot correspond with you on this matter. If you wish to continue our conversation, please do so with an email address I can reply to. I strongly dislike wasting my time writing replies to your messages only to get bounces back.

Also, please in future mails please cite only abuse caused by properly relayed mail from comcast's MTA's, not stuff directly sent from clients that would be easily cleaned up by using a dynablock type list. (ie: the spamhaus reference you included is all client nodes, take a look)

http://www.spamhaus.org/sbl/listings.lasso?isp=comcast.net
Re: ALL_TRUSTED alteration
On the same topic... The SpamAssassin documentation doesn't describe this possibility, so this is why I ask the list for some clarification.

I have a mix of private and public addresses on my network which can send email. I have the public addresses listed in trusted_networks like this:

trusted_networks 69.39.96.0/20
trusted_networks 12.149.230.0/24
trusted_networks 12.25.52.0/23

I'd like to add the private addresses we use too, but I'm not sure if that would open up to more spam. If I added 10.0.0.0/8 as a trusted network, I'm afraid it could let in spam sent from other organizations' private networks that relay through their normal public network mail servers or firewalls. Sort of like setting 192.168.0.0 might let in every infected computer's email behind simple home NAT boxes.

Which networks does trusted_networks apply to, as an internet path is really a whole bunch of networks?

TIA, Jason

On Thu, Jan 20, 2005 at 09:42:44AM -0500, Bowie Bailey wrote:

From: Martin Hepworth [mailto:[EMAIL PROTECTED]

Craig Zeigler wrote:

I am getting very obvious spam through my SA filters. The only thing I think is that the value for ALL_TRUSTED is pushing it below the threshold. Where do I go to alter this test's effect on the spam count? I have searched through all of the .cf files in /usr/share/spamassassin and /etc/mail/spamassasin and can't figure it out. using SA version 3.0.1

add the following line to /etc/mail/spamassassin/local.cf

score ALL_TRUSTED 0.0

This will turn off that rule completely.

True, but a better idea is to configure SA so that the trust path works properly. Add some lines like the following to /etc/mail/spamassassin/local.cf to specify the networks and mailservers you control.

trusted_networks 192.168.1.10
trusted_networks 172.16.

You can add either networks, or single hosts. I prefer to add networks so that I don't have to reconfigure if I add or move a mailserver. These settings specify to SA which mailservers should be trusted. If you don't specify, it has to guess, and it doesn't work well with NATed networks.

For more info:

$ man Mail::SpamAssassin::Conf

Bowie

--
/*
Jason Philbrook | Midcoast Internet Solutions - Internet Access,
KB1IOJ | Hosting, and TCP-IP Networks for Midcoast Maine
http://f64.nu/ | http://www.midcoast.com/
*/
Re: ALL_TRUSTED alteration
Jason Philbrook writes:

On the same topic... The SpamAssassin documentation doesn't describe this possibility, so this is why I ask the list for some clarification.

I have a mix of private and public addresses on my network which can send email. I have the public addresses listed in trusted_networks like this:

trusted_networks 69.39.96.0/20
trusted_networks 12.149.230.0/24
trusted_networks 12.25.52.0/23

I'd like to add the private addresses we use too, but I'm not sure if that would open up to more spam. If I added 10.0.0.0/8 as a trusted network, I'm afraid it could let in spam sent from other organizations' private networks that relay through their normal public network mail servers or firewalls. Sort of like setting 192.168.0.0 might let in every infected computer's email behind simple home NAT boxes.

Which networks does trusted_networks apply to, as an internet path is really a whole bunch of networks?

trust extends outwards from the receiver, so once a message passes through a single untrusted relay, all relays *before* that point are also considered untrusted. so this is safe.

--j.

TIA, Jason

On Thu, Jan 20, 2005 at 09:42:44AM -0500, Bowie Bailey wrote:

From: Martin Hepworth [mailto:[EMAIL PROTECTED]

Craig Zeigler wrote:

I am getting very obvious spam through my SA filters. The only thing I think is that the value for ALL_TRUSTED is pushing it below the threshold. Where do I go to alter this test's effect on the spam count? I have searched through all of the .cf files in /usr/share/spamassassin and /etc/mail/spamassasin and can't figure it out. using SA version 3.0.1

add the following line to /etc/mail/spamassassin/local.cf

score ALL_TRUSTED 0.0

This will turn off that rule completely.

True, but a better idea is to configure SA so that the trust path works properly. Add some lines like the following to /etc/mail/spamassassin/local.cf to specify the networks and mailservers you control.

trusted_networks 192.168.1.10
trusted_networks 172.16.

You can add either networks, or single hosts. I prefer to add networks so that I don't have to reconfigure if I add or move a mailserver. These settings specify to SA which mailservers should be trusted. If you don't specify, it has to guess, and it doesn't work well with NATed networks.

For more info:

$ man Mail::SpamAssassin::Conf

Bowie
Re: 3.02 on Debian Woody?
On Thursday 20 January 2005 12:03 am, Johann Spies wrote: Regardless of distro, I ALWAYS install S.A. with Cpan. And what do I do when a lot of tests fail? Resolve the dependencies. -- John Andersen
SA 3.0.2 with Razor DCC
Hi List.

I have recently installed razor dcc and found that Razor is working great but DCC gives errors. Here is a snippet from a debug:

snip
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Current PATH is: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
debug: executable for dccproc was found at /bin/dccproc
debug: DCC is available: /bin/dccproc
debug: entering helper-app run mode
debug: setuid: helper proc 14861: ruid=501 euid=501
debug: DCC: got response: missing SMTP header lines; fatal error
debug: leaving helper-app run mode
debug: DCC - check failed: no X-DCC returned (did you create a map file?): missing SMTP header lines; fatal error
snip

Any advice on how to rectify this would be appreciated.

Platform: Exim-4.44, Spamassassin 3.0.2, latest sa-exim patch, latest exiscan patch, ClamAv.
OS: Redhat 8

Thanks
Tom
urirbl and wildcard records
Hi, in addition to SURBL, I have my own urirbl. Now I see advertized hosts like Lcm.Vs.topguidance.com, Scoj.Cs.topguidance.com and so on. Obviously, they use a wildcard record (for example, spamassassin.vs.topguidance.com resolves). OK, now I have a wildcard record for topguidance.com, and it works as expected. Question: Do the official blacklists (spamhaus, surbl) take care of this trick? Rainer
Re: urirbl and wildcard records
At 03:16 AM 1/21/2005, Rainer Sokoll wrote:

in addition to SURBL, I have my own urirbl. Now I see advertized hosts like Lcm.Vs.topguidance.com, Scoj.Cs.topguidance.com and so on. Obviously, they use a wildcard record (for example, spamassassin.vs.topguidance.com resolves). OK, now I have a wildcard record for topguidance.com, and it works as expected. Question: Do the official blacklists (spamhaus, surbl) take care of this trick?

From what I understand they only list the domain+tld and the client side only queries that. ie: for both xyz.example.com and abc.example.com, SA queries example.com.multi.surbl.org
Re: SA 3.0.2 with Razor DCC
On Fri, 2005-01-21 at 08:34 +0200, Thomas Kinghorn [MTNNS -Rosebank] wrote:

debug: DCC - check failed: no X-DCC returned (did you create a map file?): missing SMTP header lines; fatal error
snip

(did you create a map file?)

DCC seems not to be configured yet. If you plan to use the public servers, do this:

cd $DCC_HOME (where dcc resides)
cdcc info map.txt
cdcc new map; load map.txt

Any advice on how to rectify this would be appreciated.

Laurent.

--
Laurent Luyckx [EMAIL PROTECTED]
Re: urirbl and wildcard records
On Friday, January 21, 2005, 12:20:38 AM, Matt Kettler wrote:

At 03:16 AM 1/21/2005, Rainer Sokoll wrote:

in addition to SURBL, I have my own urirbl. Now I see advertized hosts like Lcm.Vs.topguidance.com, Scoj.Cs.topguidance.com and so on. Obviously, they use a wildcard record (for example, spamassassin.vs.topguidance.com resolves). OK, now I have a wildcard record for topguidance.com, and it works as expected. Question: Do the official blacklists (spamhaus, surbl) take care of this trick?

From what I understand they only list the domain+tld and the client side only queries that. ie: for both xyz.example.com and abc.example.com, SA queries example.com.multi.surbl.org

Yes, for SURBLs on both the data and application sides we try to reduce the host portion of the URI down to domain names that would be registered. There are several reasons for this but the main is to ignore the extra subdomains/levels/hostnames that spammers sometimes add. This is described more on the SURBL site, for example at:

http://www.surbl.org/implementation.html

in the FAQ, etc.

http://www.surbl.org/faq.html

Jeff C.

--
Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
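The reduction described in the replies above, as an added Python example (not SpamAssassin or SURBL code, and not part of any post): every hostname under a wildcard record collapses to one query on the registered domain. The two-level TLD set and the co.uk sample URI are constructed assumptions; numeric-IP hosts are skipped here.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed subset for illustration only; a real client needs a full list
# of two-level TLDs to find where the registered domain starts.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "com.br"}


def registered_domain(host):
    """Reduce a hostname to the part that would be registered, or None."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None                      # numeric hosts are out of scope here
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or "" in labels:
        return None                      # single label or malformed name
    keep = 2
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        keep = 3                         # e.g. example.co.uk, not co.uk
    return ".".join(labels[-keep:])


def surbl_query(uri, zone="multi.surbl.org"):
    """DNS name to look up for one URI, or None if no domain can be derived."""
    # urlsplit only sees a host after "//", so add it for bare host/path URIs.
    host = urlsplit(uri if "//" in uri else "//" + uri).hostname
    if not host:
        return None
    domain = registered_domain(host)
    return f"{domain}.{zone}" if domain else None


def unique_queries(uris, zone="multi.surbl.org"):
    """Distinct lookups for a message's URIs, in first-seen order."""
    seen = []
    for uri in uris:
        name = surbl_query(uri, zone)
        if name and name not in seen:
            seen.append(name)
    return seen


# Hostnames from the thread plus constructed paths and one constructed URI.
SAMPLE_URIS = [
    "http://Lcm.Vs.topguidance.com/a",
    "http://Scoj.Cs.topguidance.com/b",
    "http://spamassassin.vs.topguidance.com/",
    "http://shop.example.co.uk:8080/offer",
    "http://192.0.2.10/x",
]

if __name__ == "__main__":
    for name in unique_queries(SAMPLE_URIS):
        print(name)
```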
Re: Performance Problems
Tom

Known issue with spamd spawning too many children on SA 3.0.x.

You can

1) reduce the number of children with the -m parameter. A lot of people have this to something like 10 by default. If you reduce it to 5 or even 2 it should sort the problem
2) patch the source http://bugzilla.spamassassin.org/show_bug.cgi?id=3983
3) wait for 3.10 which will have a fix for this.

Most people find 1) is a good option, but a lot have also done 2).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

J Thomas Hancock wrote:

I'm having a weird memory issue with one of our mail proxies that I am hoping to get some help with. We currently have 2 mail proxies that are set up identically. They run Fedora Core 3, postfix 2.1.4, and SA 3.0.X. SA was installed via perl's MCPAN. We are using a Foundry ServerIron to load balance incoming mail between them. I am using a stock rule set with razor2, and pyzor. I am not using Bayes. Postfix is set to only feed SA messages 60Kb or smaller. The hardware is also identical.

Mail proxy 1 is working fine with no problems. Mail proxy 2 has been running fine until recently. I have noticed a single spamd child process will start consuming a lot of memory (up to 900MB or more) and CPU usage. This will bring the machine to a crawl. Sometimes there is more than one renegade process. The processes will generally happen after spamd has been running for 20 minutes or so.

To my knowledge, no changes have been made to the server for a month prior to this problem. I updated SA from 3.0.1 to 3.0.2. I have done an up2date on the server. I have copied the *.cf files from the first mail proxy to the problem machine in case there was some configuration discrepancy. I have rebooted the machine. The problem persists.

Does anyone have any advice on how I should tackle this problem? Any help would be much appreciated.

Thank you, Tom
GroupWise-Mails...
Hello Mails ending in Novell GroupWise don't seem to be useful for sa-learn. Does somebody have some experience or solutions to that problem? Could the same POP3-Solution described in sa-learn with lotus notes do it's job here too? More for GroupWise professionals would be the question how to turn forwarded spam (forwarding as attachment in GroupWise sends you the headers too - so far so good...) into single mails resembling the original as close as possible... Regards Peter
GroupWise-Mails...
Hello Mails ending in Novell GroupWise don't seem to be useful for sa-learn. Does somebody have some experience or solutions to that problem? Could the same POP3-Solution described in sa-learn with lotus notes do it's job here too? More for GroupWise professionals would be the question how to turn forwarded spam (forwarding as attachment in GroupWise sends you the headers too - so far so good...) into single mails resembling the original as close as possible... Regards Peter
Re: GroupWise-Mails...
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders?action=highlightvalue=groupwise
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders?action=highlightvalue=groupwise
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders?action=highlightvalue=groupwise
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders?action=highlightvalue=groupwise

Cheers
JG

Peter Guhl [EMAIL PROTECTED] 01/21/05 09:29am

Hello

Mails ending in Novell GroupWise don't seem to be useful for sa-learn. Does somebody have some experience or solutions to that problem? Could the same POP3-Solution described in sa-learn with lotus notes do it's job here too?

More for GroupWise professionals would be the question how to turn forwarded spam (forwarding as attachment in GroupWise sends you the headers too - so far so good...) into single mails resembling the original as close as possible...

Regards
Peter
Re: GroupWise-Mails...
On Fri, 2005-01-21 at 10:56, Jon Gerdes wrote:

http://wiki.apache.org/spamassassin/ResendingMailWithHeaders?action=highlightvalue=groupwise
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders?action=highlightvalue=groupwise
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders?action=highlightvalue=groupwise
http://wiki.apache.org/spamassassin/ResendingMailWithHeaders?action=highlightvalue=groupwise

Cheers
JG

Thanks! Thanks! Thanks! Thanks! ;-)

Sorry for sending the question several times... PEBKAC-Error in my Mailsoftware ;-)

Regards
Peter
Bayes autolearning of forwarded messages
Dear All, I'm using SA3.01 with bayes autolearn and manual learning via sa-learn. I've set spam and ham box to my users. My users use POP access so I can't retrieve spam/ham from their mailbox. So I'm setting up a script that removes the headers added by the forward, is it sufficient for bayes learning? Users forward multiple attachments of spam/ham messages in one single forwarded message, is it a problem? Thanks and excuse my very bad English ;-)
[OT] Dcc help
Hi List

I am running SA-3.0.2 with Exim. I have installed Razor and I am trying to install dcc as per the instructions in the SpamAssassin :INSTALL file. However, I cannot seem to get dcc to read.

I have done:

$ cd $DCC_HOME
$ cdcc info map.txt
$ cdcc new map; load map
open(/var/dcc/map): File exists ?
$

Here are the logs.

snip
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Current PATH is: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
debug: executable for dccproc was found at /bin/dccproc
debug: DCC is available: /bin/dccproc
debug: entering helper-app run mode
debug: setuid: helper proc 14861: ruid=501 euid=501
debug: DCC: got response: missing SMTP header lines; fatal error
debug: leaving helper-app run mode
debug: DCC - check failed: no X-DCC returned (did you create a map file?): missing SMTP header lines; fatal error
snip

Does anyone have a howto for SpamAssassin?

Thanks
Tom
RE: SA 3.0.2 with Razor DCC
On Fri, 2005-01-21 at 12:01 +0200, Thomas Kinghorn [MTNNS -Rosebank] wrote:

Hi Laurent. Did what you said. Got the following:

[EMAIL PROTECTED] spamassassin]$ cd $DCC_HOME
[EMAIL PROTECTED] xadmin]$ cdcc info map.txt
[EMAIL PROTECTED] xadmin]$ cdcc new map; load map.txt
open(/var/lib/dcc/map): File exists ?
[EMAIL PROTECTED] xadmin]$

Move the map file to another name and do what I said in my previous mail.

Laurent.

-Original Message-
From: Laurent Luyckx [mailto:[EMAIL PROTECTED]
Sent: 21 January 2005 10:28 AM
To: Thomas Kinghorn [MTNNS -Rosebank]
Cc: [EMAIL PROTECTED]
Subject: Re: SA 3.0.2 with Razor DCC

On Fri, 2005-01-21 at 08:34 +0200, Thomas Kinghorn [MTNNS -Rosebank] wrote:

debug: DCC - check failed: no X-DCC returned (did you create a map file?): missing SMTP header lines; fatal error
snip

(did you create a map file?)

DCC seems not to be configured yet. If you plan to use the public servers, do this:

cd $DCC_HOME (where dcc resides)
cdcc info map.txt
cdcc new map; load map.txt

Any advice on how to rectify this would be appreciated.

Laurent.

--
Laurent Luyckx [EMAIL PROTECTED]
Re: Performance Problems
Possibly you have a large auto-whitelist? Loren
amavisd-new and report_safe
Hi all, when calling SA from amavisd-new, how can I control report_safe? Rainer
Another missed spam question
Since upgrading v2.64 to 3.0.2, I have a much higher false negative rate. I posted one a couple of days ago that involved a trusted issue. I just got a medication-spam this morning that ONLY triggered bayes_99, although it mentioned sexual health, anxiety and others I would've thought would've triggered more rules. Is a lot of reconfiguration usually necessary when upgrading 2.64 to 3.0? I thought I understood that 3.0 incorporated several of the rulesets that were previously separate, and besides, I haven't removed any old rulesets yet anyway. Any comments? Tnx!
Re: Another missed spam question
Is a lot of reconfiguration usually necessary when upgrading 2.64 to 3.0? I thought I understood that 3.0 incorporated several of the rulesets that were previously separate, and besides, I haven't removed any old rulesets yet anyway. Some is necessary. Shouldn't be a huge amount. You need to muck with the assorted local.cf options that have changed name and/or shape. If you have a NATed host, you need to set up trusted networks. (You should have had it before, but it is important now.) You need to make sure that all of the spare Perl parts are the appropriate versions. And if you are running SARE rules, you will need to fiddle around a little bit and make sure that you have a rule collection that is appropriate for 3.0+. Of course you should run lint to make sure things are really working, and probably also run spamassassin -D to make sure that all of your rule files are getting picked up. Loren
Re: Another missed spam question
On Friday, 21 January 2005 14:30, John Fleming wrote:

Since upgrading v2.64 to 3.0.2, I have a much higher false negative rate. I posted one a couple of days ago that involved a trusted issue. I just got a medication-spam this morning that ONLY triggered bayes_99, although it mentioned sexual health, anxiety and others I would've thought would've triggered more rules.

Another case for my magic eye. Maybe I will find it some day. Sometimes they come through. Spammers react to filters. Do you use network tests? Spammers change the servers frequently.

Is a lot of reconfiguration usually necessary when upgrading 2.64 to 3.0? I thought I understood that 3.0 incorporated several of the rulesets that were previously separate, and besides, I haven't removed any old rulesets yet anyway.

I have upgraded three servers from 2.63 to 3.0.x. Normally there are only small changes in the configuration for now unsupported options. The amount of reconfiguration depends on your installation.

Any comments? Tnx!

Keep your body informed. Garbage in - garbage out.

Thomas

--
icq:133073900 http://www.t-arend.de
Re: GroupWise-Mails...
At 04:29 AM 1/21/2005, Peter Guhl wrote:

Hello

Mails ending in Novell GroupWise don't seem to be useful for sa-learn. Does somebody have some experience or solutions to that problem? Could the same POP3-Solution described in sa-learn with lotus notes do it's job here too?

More for GroupWise professionals would be the question how to turn forwarded spam (forwarding as attachment in GroupWise sends you the headers too - so far so good...) into single mails resembling the original as close as possible...

If you dig around in the GroupWise interface you can find an attachment named mime.822.. it's the unadulterated message and that works pretty well. I believe mime.822 is only visible if you view the message using the right-click menu instead of opening it.

I've been trying to figure out a good way to get users to be able to forward that attachment, but without saving it to disk first I've had no luck, GW seems to be smart about it and forwards the GroupWise mangled version.
RE: extreme measures, postmaster.rfci comcast.net
Matt Kettler wrote:

Also, please in future mails please cite only abuse caused by properly relayed mail from comcast's MTA's, not stuff directly sent from clients that would be easily cleaned up by using a dynablock type list. (ie: the spamhaus reference you included is all client nodes, take a look)

http://www.spamhaus.org/sbl/listings.lasso?isp=comcast.net

Their SBL does NOT list all Comcast dynablocks. I use their SBL, and have had to manually block large ranges of Comcast space because Spamhaus doesn't pick them up. For example, 68.85.198.87. They're listed in their XBL, but NOT their SBL. Now that I know about their XBL, I can start using it (I think they set that up after I had configured the main parts of my mail server).

-Don
RE: extreme measures, postmaster.rfci comcast.net
At 09:53 AM 1/21/2005, Don Levey wrote:

http://www.spamhaus.org/sbl/listings.lasso?isp=comcast.net

Their SBL does NOT list all Comcast dynablocks. I use their SBL, and have had to manually block large ranges of Comcast space because Spamhaus doesn't pick them up. For example, 68.85.198.87. They're listed in their XBL, but NOT their SBL.

My point exactly. Really, that post was in response to an off-list discussion, so it would be hard to follow without recapping several large off-list emails.

My argument was not against using SBL. It was against using SBL's top 10 as a reason to create a categoric block of all netspace owned by an ISP when SBL is only listing client nodes not servers.
RE: Performance Problems
I think I recall reading somewhere that the bug that you mention affects people using Bayes and/or huge auto-whitelists. Or perhaps the bayes/auto-whitelist bug gives similar symptoms. Or more than likely I've just gone crazy 8^)

My auto-whitelist is 15 domains and I am not using bayes. I currently have max processes set to 45. That is the maximum number of child processes I can spawn and not use any virtual memory. So perhaps I should try setting the number of processes to 35 or so? The puzzling part to me is the fact that I am only seeing this problem on 1 out of 2 identically configured machines.

Thank you, Tom

-Original Message-
From: Martin Hepworth [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 3:17 AM
To: J Thomas Hancock
Cc: users@spamassassin.apache.org
Subject: Re: Performance Problems

Tom

Known issue with spamd spawning too many children on SA 3.0.x.

You can

1) reduce the number of children with the -m parameter. A lot of people have this to something like 10 by default. If you reduce it to 5 or even 2 it should sort the problem
2) patch the source http://bugzilla.spamassassin.org/show_bug.cgi?id=3983
3) wait for 3.10 which will have a fix for this.

Most people find 1) is a good option, but a lot have also done 2).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Re: spamassassin-3.0.2 doesnt recognize spam mails
On Sunday, 16 January 2005 14:00, Zé wrote:

On Saturday, 15 January 2005 16:04, Matt Kettler wrote:

At 10:54 AM 1/15/2005, Zé wrote:

I use mandrake with kde-3.3.2. After I installed spamassassin-spamc-3.0.2-1mdk stopped classifying spam emails. No more spam mails were recognized.

Have you checked that SA is working at all by running spamassassin --lint? It should run silently. If it complains, your config needs fixing. What about running a mail through SA on the command line, does that work?

I run spamassassin --lint and didn't get any issue. It happens this, when using spamassassin-3.0.0 all goes fine, after I install spamassassin-3.0.2 spam mail stops being treated as spam. Other weird behaviour is that now with spamassassin-3.0.2 the email that comes from hotmail (through the Hotway is a POP3-HTTPMail gateway daemon), and the email that comes normally to my POP account is not anymore checked, so I'm getting spam emails to there. Any help?

Is spamd running? Try telnet localhost 783 to test. How do you start spamd? Have you updated spamd? Do you have an old spamd on the system or an old spamc?

Thomas

--
icq:133073900 http://www.t-arend.de
Re: GroupWise-Mails...
From within the e-mail in GroupWise, go to File > Attachments > View, and that will show the message with the Mime.822 attachment at the top. That will show the e-mail in its unmangled form.

Matt Kettler [EMAIL PROTECTED] 01/21 9:31 AM

At 04:29 AM 1/21/2005, Peter Guhl wrote:

Hello

Mails ending in Novell GroupWise don't seem to be useful for sa-learn. Does somebody have some experience or solutions to that problem? Could the same POP3-Solution described in sa-learn with lotus notes do it's job here too?

More for GroupWise professionals would be the question how to turn forwarded spam (forwarding as attachment in GroupWise sends you the headers too - so far so good...) into single mails resembling the original as close as possible...

If you dig around in the GroupWise interface you can find an attachment named mime.822.. it's the unadulterated message and that works pretty well. I believe mime.822 is only visible if you view the message using the right-click menu instead of opening it.

I've been trying to figure out a good way to get users to be able to forward that attachment, but without saving it to disk first I've had no luck, GW seems to be smart about it and forwards the GroupWise mangled version.
Help analyzing the determination of spam
Nice subject! I attached a message to this email that got an incredibly low spam score. When I run the message through spamassassin -t it gets a spam score as I would expect. I know I don't have much more details, but can anyone give me ideas why?

Content analysis details: (2.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-2.8 ALL_TRUSTED            Did not pass through any untrusted hosts
 0.2 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.1 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: powerfulquotes2.com]
 2.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: powerfulquotes2.com imn6.cc]

Microsoft Mail Internet Headers Version 2.0
Received: from spamfilter.lastar.com ([192.168.70.12]) by server24.ctg.com with Microsoft SMTPSVC(6.0.3790.80); Fri, 21 Jan 2005 03:46:45 -0500
Received: from localhost (localhost [127.0.0.1]) by spamfilter.lastar.com (Postfix) with ESMTP id 76A46EFCE5 for [EMAIL PROTECTED]; Fri, 21 Jan 2005 03:46:45 -0500 (EST)
Received: from spamfilter.lastar.com ([127.0.0.1]) by localhost (spamfilter [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04164-05 for [EMAIL PROTECTED]; Fri, 21 Jan 2005 03:46:42 -0500 (EST)
Received: from server11.lastar.com (server11.lastar.com [192.168.70.10]) by spamfilter.lastar.com (Postfix) with SMTP id A9393EFCE0 for [EMAIL PROTECTED]; Fri, 21 Jan 2005 03:46:42 -0500 (EST)
Received: from pim-120-68.powerfulquotes2.com ([206.81.120.68]) by server11.lastar.com (SMSSMTP 4.0.5.66) with SMTP id M2005012103464112067 for [EMAIL PROTECTED]; Fri, 21 Jan 2005 03:46:42 -0500
Received: from powerfulquotes2.com (10.10.60.148) by pim-120-68.powerfulquotes2.com with ESMTP; 21 Jan 2005 02:46:38 -0600
X-ClientHost: 0970971081081011100640990970981081011151160311104609909
X-MailingID: 1526307
From: Road to Recovery [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Walk away from drugs and get your life back.
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: [EMAIL PROTECTED]
Date: Fri, 21 Jan 2005 03:46:42 -0500 (EST)
X-Virus-Scanned: amavisd-new at lastar.com
X-Spam-Status: No, hits=0.772 tagged_above=-999.99 required=2 tests=ALL_TRUSTED, BAYES_00, HTML_80_90, HTML_IMAGE_RATIO_04, HTML_MESSAGE, MIME_HTML_ONLY, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK, URIBL_OB_SURBL, URIBL_WS_SURBL
X-Spam-Level:
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 21 Jan 2005 08:46:46.0016 (UTC) FILETIME=[BD0CD000:01C4FF95]
Read emails header - bayes
Hello, I got SpamAssassin working and now I'm trying to check if Bayes is working. I manually fed the Bayes database with about 1 spams already marked as spam by SpamAssassin; now I'm looking at the headers of new emails and have no idea what to look for to check if Bayes is working.

Angelo
Re: Read emails header - bayes
On Fri, Jan 21, 2005 at 01:54:10PM -0300, [EMAIL PROTECTED] wrote:

I got SpamAssassin working and now I'm trying to check if Bayes is working. I manually fed the Bayes database with about 1 spams already marked as spam by SpamAssassin; now I'm looking at the headers of new emails and have no idea what to look for to check if Bayes is working.

Initially, you have to feed the bayes-db with ham too. You should see bayes among the other tests in X-Spam-Status.

Rainer
network tests
Do you use network tests? How is this controlled in version 3? We had the network tests turned off in version 2, but after upgrading to version 3 it is taking 45 seconds to process each message, and the reports show network testing is being done even though our local.cf says they are turned off.

Frank M. Cook
Association Computer Services, Inc.
http://www.acsplus.com
Re: extreme measures, postmaster.rfci comcast.net
Their SBL does NOT list all Comcast dynablocks. I use their SBL, and have had to manually block large ranges of Comcast space because Spamhaus doesn't pick them up. For example, 68.85.198.87. They're listed in their XBL, but NOT their SBL.

You can use sbl-xbl.spamhaus.org and test both lists with one check.

What cf file do I need to edit to have SpamAssassin do this?

Frank M. Cook
Association Computer Services, Inc.
http://www.acsplus.com
RE: Help analyzing the determination of spam
From: Jason Gauthier [mailto:[EMAIL PROTECTED]

I attached a message to this email that got an incredibly low spam score. When I run the message through spamassassin -t it gets a spam score as I would expect. I know I don't have much more details, but can anyone give me ideas why?

Content analysis details:   (2.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-2.8 ALL_TRUSTED            Did not pass through any untrusted hosts

This looks like your problem. You have not given SA enough information about your network for it to determine which mailservers are yours and which are on the Internet. You need to add trusted_networks entries to your local.cf to fix this problem.

From the Mail::SpamAssassin::Conf man page:

trusted_networks ip.add.re.ss[/mask] ... (default: none)

    What networks or hosts are 'trusted' in your setup. Trusted in this case means that relay hosts on these networks are considered to not be potentially operated by spammers, open relays, or open proxies. A trusted host could conceivably relay spam, but will not originate it, and will not forge header data. DNS blacklist checks will never query for hosts on these networks.

    MXes for your domain(s) and internal relays should also be specified using the internal_networks setting. When there are 'trusted' hosts that are not MXes or internal relays for your domain(s) they should only be specified in trusted_networks.

    If a /mask is specified, it's considered a CIDR-style 'netmask', specified in bits. If it is not specified, but less than 4 octets are specified with a trailing dot, that's considered a mask to allow all addresses in the remaining octets. If a mask is not specified, and there is not trailing dot, then just the single IP address specified is used, as if the mask was /32.

    Examples:

        trusted_networks 192.168/16 127/8    # all in 192.168.*.* and 127.*.*.*
        trusted_networks 212.17.35.15        # just that host
        trusted_networks 127.                # all in 127.*.*.*

    This operates additively, so a trusted_networks line after another one will result in all those networks becoming trusted. To clear out the existing entries, use clear_trusted_networks.

So just add a trusted_networks entry for your network, or one for each of your mailservers and the ALL_TRUSTED rule should start firing properly again.

Bowie
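The three mask forms from the man page excerpt above, worked through as an added example (not part of the original post and not SpamAssassin's own code): it expands trusted_networks arguments and splits a relay chain into trusted and untrusted hops. The local.cf fragment, the addresses, the function names, the rejection of a short address without mask or dot, and the rule that trust ends at the first untrusted relay are assumptions of this simplified model.

```python
import ipaddress

def parse_trusted_entry(entry):
    """One trusted_networks argument -> IPv4Network, per the man page forms."""
    addr, slash, bits = entry.partition("/")
    octets = [o for o in addr.split(".") if o]
    if not 1 <= len(octets) <= 4:
        raise ValueError("bad address in %r" % entry)
    if slash:                                   # 192.168/16: explicit CIDR bits
        prefix = int(bits)
    elif len(octets) == 4:                      # 212.17.35.15: single host, /32
        prefix = 32
    elif addr.endswith("."):                    # 127.: mask covers the octets given
        prefix = 8 * len(octets)
    else:
        # Choice made in this example: the excerpt does not define this form.
        raise ValueError("short address needs /mask or trailing dot: %r" % entry)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (padded, prefix), strict=False)

def load_trusted_networks(config_text):
    """Apply trusted_networks / clear_trusted_networks lines in file order."""
    nets = []
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "clear_trusted_networks":
            nets = []
        elif words[0] == "trusted_networks":    # additive across lines
            nets.extend(parse_trusted_entry(w) for w in words[1:])
    return nets

def split_trust_path(relay_ips, nets):
    """relay_ips: hosts that handed the message on, newest Received: first.
    Simplified model: trust ends at the first relay outside `nets`, so an
    older hop is untrusted even if its address falls inside a trusted range."""
    for i, ip in enumerate(relay_ips):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return relay_ips[:i], relay_ips[i:]
    return list(relay_ips), []

# Constructed local.cf fragment and relay chains (not taken from the thread).
LOCAL_CF = """
trusted_networks 10.99.            # discarded by the next line
clear_trusted_networks
trusted_networks 192.168.1.        # site LAN, includes the NATed mail server
trusted_networks 172.16. 127/8     # internal relays and loopback
"""
NETS = load_trusted_networks(LOCAL_CF)
# Outside mail: our MX, then the sender's relay, then the sender's private host.
INBOUND = ["192.168.1.10", "203.0.113.7", "192.168.1.77"]
INTERNAL = ["172.16.4.20"]         # mail that never left the site

if __name__ == "__main__":
    for name, chain in (("inbound", INBOUND), ("internal", INTERNAL)):
        trusted, untrusted = split_trust_path(chain, NETS)
        verdict = "ALL_TRUSTED" if not untrusted else "untrusted (DNSBL candidates): %s" % untrusted
        print(name, "trusted:", trusted, verdict)
```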
Re: AWL test score way off?
At 10:40 AM 1/21/2005, [EMAIL PROTECTED] wrote:

According to: http://spamassassin.apache.org/tests_3_0_x.html

The rule AWL should always hit 1, but I just found that it's hitting 5.1. I am not overriding it in local.cf, and there are no user-configs allowed. The rule is not listed at all in 50_scores.cf so I take it that it's hard coded in SA 3.0.2 (which I just upgraded to from 2.63)?

The AWL rule has a dynamic score, and the score entered in the tests page on the website is a placeholder only. The AWL's score can take ANY value. Positive, negative, large, small...

Since AWL is supposed to mean Auto WhiteList, I'm trying to figure out what the correct behavior is...

http://wiki.apache.org/spamassassin/AutoWhitelist
http://wiki.apache.org/spamassassin/AwlWrongWay
Re: Read emails header - bayes
At 11:54 AM 1/21/2005, [EMAIL PROTECTED] wrote:

I got SpamAssassin working and now I'm trying to check if Bayes is working. I manually fed the Bayes database with about 1 spams already marked as spam by SpamAssassin; now I'm looking at the headers of new emails and have no idea what to look for to check if Bayes is working.

Look for X-Spam-Status headers containing BAYES_## where ## is 00, 50, 95, 99, etc.

Also, make sure you train SA on some ham (nonspam) as well... SA's bayes engine can't distinguish between spam and ham unless it's seen some of both.
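A way to run the check described in the reply above over a batch of messages, as an added example that is not part of the original post: it parses X-Spam-Status, handling both the `hits=` and `score=` spellings and folded header lines, and tallies the BAYES_## test per message. The first sample reuses the X-Spam-Status value from the message headers posted earlier on this page; the other samples and all function names are constructed for illustration.

```python
import email
import re
from collections import Counter

def spam_status(raw_message):
    """Return (verdict, score, required, tests) from X-Spam-Status, or None."""
    value = email.message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        return None
    value = " ".join(value.split())                  # unfold wrapped header lines
    verdict = value.split(",", 1)[0].strip()
    score = re.search(r"\b(?:hits|score)=(-?[\d.]+)", value)
    required = re.search(r"\brequired=(-?[\d.]+)", value)
    # The test list runs until the next key=value field or the end of the header.
    tests = re.search(r"\btests=(.*?)(?=\s+\w+=|$)", value)
    names = re.findall(r"[A-Z][A-Z0-9_]*", tests.group(1)) if tests else []
    return (verdict,
            float(score.group(1)) if score else None,
            float(required.group(1)) if required else None,
            names)

def bayes_report(raw_messages):
    """Tally the BAYES_nn test per message; scanned mail without one is counted too."""
    tally = Counter()
    for raw in raw_messages:
        status = spam_status(raw)
        if status is None:
            tally["not scanned"] += 1
            continue
        buckets = [t for t in status[3] if re.fullmatch(r"BAYES_\d+", t)]
        tally[buckets[0] if buckets else "no BAYES_* test"] += 1
    return tally

SAMPLES = [
    # Header value as posted on this page, folded here across lines.
    "Subject: sample 1\n"
    "X-Spam-Status: No, hits=0.772 tagged_above=-999.99 required=2\n"
    "\ttests=ALL_TRUSTED, BAYES_00, HTML_80_90, HTML_IMAGE_RATIO_04,\n"
    "\tHTML_MESSAGE, MIME_HTML_ONLY, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK,\n"
    "\tURIBL_OB_SURBL, URIBL_WS_SURBL\n\nbody\n",
    # Constructed samples from here on.
    "Subject: sample 2\n"
    "X-Spam-Status: Yes, score=14.2 required=5.0 tests=BAYES_99,HTML_MESSAGE\n"
    "\tautolearn=spam version=3.0.2\n\nbody\n",
    "Subject: sample 3\n"
    "X-Spam-Status: No, score=0.1 required=5.0 tests=HTML_MESSAGE\n\nbody\n",
    "Subject: sample 4\n\nbody\n",
]

if __name__ == "__main__":
    for label, count in sorted(bayes_report(SAMPLES).items()):
        print("%-16s %d" % (label, count))
```

A mailbox where every scanned message lands in "no BAYES_* test" is the sign that Bayes is not contributing to the score at all.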
Help analyzing the determination of spam
At 10:55 AM 1/21/2005, Jason Gauthier wrote:

Nice subject!

I attached a message to this email that got an incredibly low spam score. When I run the message through spamassassin -t it gets a spam score as I would expect. I know I don't have much more details, but can anyone give me ideas why?

Content analysis details:   (2.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-2.8 ALL_TRUSTED            Did not pass through any untrusted hosts

ALL_TRUSTED would be why. That REALLY should never hit for mail from the outside. Usually this is caused by having a NATed mailserver, or some other IP configuration that confuses the automatic trust path code.

Look into manually declaring trusted_networks in your config. Only add local mailservers that add Received: headers to the list of trusted hosts.

(Note: Don't try to use trusted networks as an IP based whitelist mechanism, it's not. Trusted here means trusted to generate non-forged Received: headers, and has subtle implications on a lot of rules.)
Re: GroupWise-Mails...
There is a handy tool for saving folders at a time to your hard-drive: http://www.novell.com/coolsolutions/tools/2000.html It might be useful to obtain all the mime attachments.

Matt Kettler [EMAIL PROTECTED] 01/21/05 09:31AM

At 04:29 AM 1/21/2005, Peter Guhl wrote:

Hello

Mails ending in Novell GroupWise don't seem to be useful for sa-learn. Does somebody have some experience or solutions to that problem? Could the same POP3-Solution described in sa-learn with lotus notes do its job here too?

More for GroupWise professionals would be the question how to turn forwarded spam (forwarding as attachment in GroupWise sends you the headers too - so far so good...) into single mails resembling the original as close as possible...

If you dig around in the groupwise interface you can find an attachment named mime.822.. it's the unadulterated message and that works pretty well. I believe mime.822 is only visible if you view the message using the right-click menu instead of opening it.

I've been trying to figure out a good way to get users to be able to forward that attachment, but without saving it to disk first I've had no luck, GW seems to be smart about it and forwards the GroupWise-mangled version.
Nigerian spams hit BAYES_00
Using SpamAssassin 3.0.2 on Solaris 2.6, Perl 5.8.6.

For some reason, I'm getting BAYES_00 scores on a lot of our Nigerian scam mail (and sometimes lottery scams). Most other spam scores at reasonably high Bayes values (like 95, 80, or at worst 50). Most of the training has been done with autolearning using the default autolearn parameters, but I have also manually trained some spam, including lots of Nigerian spam (probably dozens of them). Here is some data:

# sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       3560          0  non-token data: nspam
0.000          0     104457          0  non-token data: nham
0.000          0     660517          0  non-token data: ntokens
0.000          0 1106229013          0  non-token data: oldest atime
0.000          0 1106331575          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1106284398          0  non-token data: last expiry atime
0.000          0      55318          0  non-token data: last expire atime delta
0.000          0     277915          0  non-token data: last expire reduction count

bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn dbi:mysql:spamdb
bayes_auto_learn 1
bayes_auto_expire 0 (done once a day by cron)
bayes_expiry_max_db_size 50

I have the sa-users list mail whitelisted. Could that be throwing off the Bayes data? I see USER_IN_WHITELIST has the noautolearn parameter set.
Here's a debug output from a Nigerian message I manually scanned a few days ago:

debug: bayes corpus size: nspam = 3009, nham = 80430
debug: tokenize: header tokens for X-Envelope-From = [EMAIL PROTECTED]
debug: tokenize: header tokens for *F = U*ian_elsworth D*sapibon.com D*com
debug: tokenize: header tokens for X-Originating-IP = 195.166.238.114
debug: tokenize: header tokens for Bcc =
debug: tokenize: header tokens for Message-id = 18688558e3e5f39da1a45ce72e56d102 sapibon com
debug: tokenize: header tokens for MIME-version = 1.0
debug: tokenize: header tokens for *x = Merak Web Mail 5.1.0
debug: tokenize: header tokens for Content-type = text/plain; charset=us-ascii
debug: tokenize: header tokens for Content-transfer-encoding = 7bit
debug: tokenize: header tokens for *RT =
debug: tokenize: header tokens for *RT =
debug: tokenize: header tokens for *RU = [ ip=68.157.93.133 rdns=liveradio.sapibon.com helo=mail.sapibo n.com by=emroute2.cind.ornl.gov ident= envfrom= intl=0 [EMAIL PROTECTED] auth= ] [ ip=127.0.0.1 rdns=localhost helo=localhost by=mail.sapibon.com ident= envfrom= intl=0 id=UGHFF auth= ]
debug: tokenize: header tokens for *r =localhost ([127.0.0 ip*127.0.0.1 ]) by mail.sapibon.com (Mera k 7.0.1) id UGHFF;
debug: tokenize: header tokens for *r =localhost ([127.0.0 ip*127.0.0.1 ]) by mail.sapibon.com (Mera k 7.0.1) id UGHFF; mail.sapibon.com (liveradio.sapibon.com [68.157.93 ip*68.157.93.133 ]) by emro ute2.cind.ornl.gov (PMDF V6.2-X27 #30899) ESMTPS id [EMAIL PROTECTED] johnsonck @ornlmail.ornl.gov (ORCPT [EMAIL PROTECTED]);
debug: bayes: tok_get_all: Token Count: 328
debug: bayes token 'encourage' = 6.61665231828803e-05
debug: bayes token 'Ian' = 0.0001289858547111
debug: bayes token 'naturally' = 0.000215977519068647
debug: bayes token 'IAN' = 0.000314436002337814
debug: bayes token 'NUMBER' = 0.000358427714856762
debug: bayes token 'UD:bbc.co.uk' = 0.000471516213847502
debug: bayes token 'H*r:sk:0IAK00A' = 0.000511893434823977
debug: bayes token 'UD:stm' = 0.00057173219978746
debug: bayes token 'news.bbc.co.uk' = 0.000639714625445898
debug: bayes token 'instability' = 0.000639714625445898
debug: bayes token 'UD:news.bbc.co.uk' = 0.000639714625445898
debug: bayes token 'newsbbccouk' = 0.000639714625445898
debug: bayes token 'H*r:Merak' = 0.000852614896988907
debug: bayes token '849' = 0.00114225053078556
debug: bayes token 'decree' = 0.00121995464852608
debug: bayes token '1,400' = 0.00127790973871734
debug: bayes token 'tobacco' = 0.00127790973871734
debug: bayes token 'THROUGH' = 0.00137595907928389
debug: bayes token 'H*RU:sk:mail.sa' = 0.00149030470914127
debug: bayes token 'seize' = 0.00162537764350453
debug: bayes token 'farming' = 0.00184879725085911
debug: bayes token 'invaded' = 0.00232900432900433
debug: bayes token 'relocate' = 0.00243438914027149
debug: bayes token 'tractors' = 0.0075774647887324
debug: bayes token 'programe' = 0.00881967213114754
debug: bayes token 'Robert' = 0.00898242781809268
debug: bayes token 'H*r:sk:mail.sa' = 0.0131219512195122
debug: bayes token 'TELEPHONE' = 0.0131219512195122
debug: bayes token 'reported' = 0.020717855380927
debug: bayes token 'robert' = 0.0230435753994182
debug: bayes token 'defying' = 0.0256190476190476
debug: bayes token 'Zimbabwean' = 0.967326875775477
debug: bayes token 'zimbabwean' = 0.967326875775477
debug: bayes token
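Why the debug output above ends in the lowest Bayes bucket, shown as an added example that is not part of the original post and not SpamAssassin's own code: the listed per-token probabilities are combined with Fisher/Robinson chi-squared combining, which is assumed here as the model of how token probabilities are merged. The values are the page's, rounded to four significant digits; the function names are illustrative.

```python
import math

# Per-token spam probabilities from the debug output above, rounded to four
# significant digits (the final, truncated entry is omitted).
PAGE_PROBS = [
    6.617e-05, 0.0001290, 0.0002160, 0.0003144, 0.0003584, 0.0004715,
    0.0005119, 0.0005717, 0.0006397, 0.0006397, 0.0006397, 0.0006397,
    0.0008526, 0.001142, 0.001220, 0.001278, 0.001278, 0.001376,
    0.001490, 0.001625, 0.001849, 0.002329, 0.002434, 0.007577,
    0.008820, 0.008982, 0.01312, 0.01312, 0.02072, 0.02304, 0.02562,
    0.9673, 0.9673,
]

def chi2q(x2, dof):
    """P(chi-squared with even `dof` >= x2), using the closed-form series."""
    m = x2 / 2.0
    term = total = math.exp(-m)
    for i in range(1, dof // 2):
        term *= m / i
        total += term
    return min(total, 1.0)

def combine(probs):
    """Fisher/Robinson combining: 0.0 is certain ham, 1.0 is certain spam."""
    probs = [min(max(p, 1e-9), 1.0 - 1e-9) for p in probs]   # keep log() finite
    dof = 2 * len(probs)
    ham_stat = 1.0 - chi2q(-2.0 * sum(math.log(p) for p in probs), dof)
    spam_stat = 1.0 - chi2q(-2.0 * sum(math.log(1.0 - p) for p in probs), dof)
    return (spam_stat - ham_stat + 1.0) / 2.0

def evidence_split(probs):
    """Count tokens leaning ham (< 0.5) and leaning spam (>= 0.5)."""
    spammy = sum(1 for p in probs if p >= 0.5)
    return len(probs) - spammy, spammy

if __name__ == "__main__":
    print("ham-leaning / spam-leaning tokens:", evidence_split(PAGE_PROBS))
    print("combined, all listed tokens:  %.6f" % combine(PAGE_PROBS))
    print("combined, spam-leaning only:  %.6f" % combine([p for p in PAGE_PROBS if p >= 0.5]))
```

Two tokens near 0.97 cannot outweigh thirty-one tokens near zero, so the question for the database is how words such as 'farming' or 'news.bbc.co.uk' came to be learned almost exclusively from ham.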
Re: GroupWise-Mails...
Yep, I'm doing it, and yep I know I need to write it up for wiki.

In a nutshell, I use AmavisD with Postfix, and have Amavis quarantine kills to a discrete account. Within that account, I created a GW shared folder for users to move spams into (I review quarantines on occasion myself for hams). I use Nick's imap-sa-learn.pl (http://tirian.magd.ox.ac.uk/~nick/code/) to make an IMAP connection from my SA relay server to teach Bayes.

We get about 14M emails per year (on average) but I try to make a regular habit of feeding ham and spam from the quarantine account into the shared folder. It all gets sucked up, learned, then deleted by Nick's code. Success to date has been incredible; I rarely, if ever, get hams quarantined and my complaint level from users has dropped to statistically insignificant levels.

I had made an offer to Novell to make a presentation on this system at Brainshare '05 (I've made BS presentations before), complete with diagrams, details, and how-tos, but I never got a response. Odd, considering it's all done on SuSE, something in which they've shown interest lately... (sigh, eyeroll, shrug)

Greg Amy
Hartford (CT) Hospital

Peter Guhl [EMAIL PROTECTED] 1/21/2005 4:31:18 AM

Hello

Mails ending in Novell GroupWise don't seem to be useful for sa-learn. Does somebody have some experience or solutions to that problem? Could the same POP3-Solution described in sa-learn with lotus notes do its job here too?

More for GroupWise professionals would be the question how to turn forwarded spam (forwarding as attachment in GroupWise sends you the headers too - so far so good...) into single mails resembling the original as close as possible...

Regards
Peter
RE: Nigerian spams hit BAYES_00
Rosenbaum, Larry M. wrote:

... For some reason, I'm getting BAYES_00 scores on a lot of our Nigerian scam mail (and sometimes lottery scams) ... I could blow away my Bayes database and start over, but I suspect I'd just run into the same problem again. Any ideas?

Lower your BAYES_00 score? (Towards zero, that is)

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
RE: Nigerian spams hit BAYES_00
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
|Of Rosenbaum, Larry M.
|Sent: 21 January 2005 18:47
|To: users@spamassassin.apache.org
|Subject: Nigerian spams hit BAYES_00
|
|Using SpamAssassin 3.0.2 on Solaris 2.6, Perl 5.8.6.
|
|For some reason, I'm getting BAYES_00 scores on a lot of our
|Nigerian scam mail (and sometimes lottery scams). Most other
|spam scores at reasonably high Bayes values (like 95, 80, or
|at worst 50). Most of the training has been done with
|autolearning using the default autolearn parameters, but I
|have also manually trained some spam, including lots of
|Nigerian spam (probably dozens of them). Here is some data:
|
|# sa-learn --dump magic
|0.000 0 3 0 non-token data: bayes
|db version
|0.000 0 3560 0 non-token data: nspam
|0.000 0 104457 0 non-token data: nham
|0.000 0 660517 0 non-token data: ntokens
|0.000 0 1106229013 0 non-token data: oldest atime
|0.000 0 1106331575 0 non-token data: newest atime
|0.000 0 0 0 non-token data: last
|journal sync atime
|0.000 0 1106284398 0 non-token data: last
|expiry atime
|0.000 0 55318 0 non-token data: last
|expire atime delta
|0.000 0 277915 0 non-token data: last
|expire reduction count
|

Your ratio of ham to spam shows you have a lot more ham than spam trained. Are you sure it's not been learning spam as ham, so poisoning your Bayes database?

Martin
RE: Help analyzing the determination of spam
Thanks all,

That does help quite a bit. We'll see how the weekend goes!

Jason

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Friday, January 21, 2005 12:24 PM
To: Jason Gauthier; SPAMASSASSIN
Subject: Help analyzing the determination of spam

At 10:55 AM 1/21/2005, Jason Gauthier wrote:

Nice subject!

I attached a message to this email that got an incredibly low spam score. When I run the message through spamassassin -t it gets a spam score as I would expect. I know I don't have much more details, but can anyone give me ideas why?

Content analysis details:   (2.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-2.8 ALL_TRUSTED            Did not pass through any untrusted hosts

ALL_TRUSTED would be why. That REALLY should never hit for mail from the outside. Usually this is caused by having a NATed mailserver, or some other IP configuration that confuses the automatic trust path code.

Look into manually declaring trusted_networks in your config. Only add local mailservers that add Received: headers to the list of trusted hosts.

(Note: Don't try to use trusted networks as an IP based whitelist mechanism, it's not. Trusted here means trusted to generate non-forged Received: headers, and has subtle implications on a lot of rules.)
amavisd-new versus milter
Hi,

On most of my mailservers, SA is called via spamass-milter. On one machine, I call SA from amavisd-new. The latter causes headaches to me, since I am confused about what configuration directives have to be in amavisd.conf or in local.cf (I've read the FAQ).

So here is my question: what are the cons and pros for amavisd-new or milter for you?

Rainer
Re: Nigerian spams hit BAYES_00
Your ratio of ham to spam shows you have a lot more ham than spam trained. Are you sure it's not been learning spam as ham, so poisoning your Bayes database?

I can't say I've looked at very many of the 100,000 hams. I have a quarantine area where I can skim through the spam and borderline stuff, but I don't keep a copy of the ham. However, to be learned as ham, the Nigerian messages would have to score below 0.5, and I don't think that's likely. Of course, there could be other messages that have some of the same tokens as Nigerian messages and that are being scored as ham. But they might actually BE ham.

Lower your BAYES_00 score? (Towards zero, that is)

That's what I'm doing unless I can find something better.