Re: TROUBLE in child_init_hook: BDB no dbS

2005-03-19 Thread Justin Mason
David F. Colwell writes:
> ... but as I am a user and not a developer I feel I have uncovered as 
> much as I can.  As Paul Jacobson indicated on 2/2/05 the problem may be 
> with SA's db calls and the BerkeleyDB docs certainly suggest it is 
> possible.  I am posting to [EMAIL PROTECTED] because it 
> has had threads on this subject, users@spamassassin.apache.org does not 
> appear to have any.
> I can see that any rebuilding of db's would give temporary relief as it 
> would clear the lockers, but they would eventually re-congest.
> 
> Is this a problem for amavis or SA developers?

amavis.  we don't use the BerkeleyDB module, we use DB_File, and use
our own locking subsystem.

--j.



Re: spamassassin build failure on x86_64

2005-03-19 Thread Dan Hollis
On Wed, 16 Mar 2005, Theo Van Dinter wrote:
> On Wed, Mar 16, 2005 at 01:33:21PM -0800, Dan Hollis wrote:
> > I'm getting errors building the rpm on x86_64:
> Yeah, we haven't quite worked that out yet.  Things are being linked against
> things they shouldn't be. :(
> For the time being, you can apply the patch attached to bug 4090:
> http://bugzilla.spamassassin.org/show_bug.cgi?id=4090
> It disables the build of libspamc.so, which shouldn't be an issue for most
> people.

It looks like fedora's spamassassin 3.0.2 rpm builds properly on x86_64 
without errors, maybe someone can look at their rpm and see what's 
different?

http://download.fedora.redhat.com/pub/fedora/linux/core/development/SRPMS/spamassassin-3.0.2-2.src.rpm

-Dan



Re: spamassassin build failure on x86_64

2005-03-19 Thread Theo Van Dinter
On Fri, Mar 18, 2005 at 01:09:30PM -0800, Dan Hollis wrote:
> It looks like fedora's spamassassin 3.0.2 rpm builds properly on x86_64 
> without errors, maybe someone can look at their rpm and see what's 
> different?

Yeah, they basically took the libspamc.so build out, which is the same as my
patch.  I don't know if anyone's using libspamc.so (we don't need it for
spamc, it's statically linked in,) so that may just be a valid solution.

-- 
Randomly Generated Tagline:
"I had a linguistics professor who said that it's man's ability to use 
 language that makes him the dominant species on the planet.  That may be. 
 But I think there's one other thing that separates us from animals.  We 
 aren't afraid of vacuum cleaners." - Jeff Stilson




Re: Testing Bayes (auto)-learning

2005-03-19 Thread Greg Abbas
Paul Boven  chello.nl> writes:
> Yes, they're forwarding the messages as attachments, and yes, I'm 
> stripping them out of the message/rfc822 attachments before feeding 
> them to Bayes. And in all the tests I've done so far this seems to work, 
> but now that we've upgraded to SA3.0.2 I can't peek 'under the hood' 
> anymore to see if things are still being learned as they should.

On a related note, if I grab messages from a maildir after
spamassassin has "quarantined" them ("The original message has
been attached to this so you can view it... yadda yadda") is
sa-learn smart enough to realize that the spam is contained in
the attachment? Or is this the same situation as a user-forward,
where I would need to write something to strip it out?

And as an aside, I'm curious about "peeking under the hood" too,
but in my case it's because I'm curious how many messages have
been trained. (In order to find out how soon the filter is going
to think the corpus is large enough to start using its bayes
rules.)

TIA. -g.




SquirrelMail plugin for SpamAssassin w/ SQL

2005-03-19 Thread Randy Smith
Greetings,
I've been in communication with Paul Lesneiwski
of SquirrelMail, and he brought my attention to the
SquirrelMail plugin, SquirrelSAP, that was announced for SpamAssassin
with SQL on this list.
I am the author of the SpamAssassin+SQL plugin
(http://www.squirrelmail.org/plugin_view.php?id=167). I have been
developing this plugin for around two years.
I was hoping we would be able to work together to keep from duplicating
effort. Is this something that would be considered?
--
Randy Smith
http://perlstalker.amigo.net/


Re: Testing Bayes (auto)-learning

2005-03-19 Thread Matt Kettler
Greg Abbas wrote:

>Paul Boven  chello.nl> writes:
>
>>Yes, they're forwarding the messages as attachments, and yes, I'm 
>>stripping them out of the message/rfc822 attachments before feeding 
>>them to Bayes. And in all the tests I've done so far this seems to work, 
>>but now that we've upgraded to SA3.0.2 I can't peek 'under the hood' 
>>anymore to see if things are still being learned as they should.
>
>On a related note, if I grab messages from a maildir after
>spamassassin has "quarantined" them ("The original message has
>been attached to this so you can view it... yadda yadda") is
>sa-learn smart enough to realize that the spam is contained in
>the attachment? 

sa-learn is smart enough to undo any changes made by spamassassin
itself, so if you use SA to do your tagging, sa-learn will undo it prior
to learning.

However, if you use a tool like amavis, mimedefang, or mailscanner and
use that tool's own encapsulation methods instead of SA's, then sa-learn
won't undo it.



RE: Spammers Target Secondary MX hosts?

2005-03-19 Thread Pierre Thomson
Very interesting discussion.

I run a secondary MX without SA, which normally forwards everything to the 
primary, IOW a store-and-forward relay.  The secondary gets a steady stream of 
spam all day long, about 1/3 as much as the primary.  I tried the trick with a 
tertiary entry matching the primary, but it didn't reduce the spam at the 
secondary very much.

SA on the primary penalizes mail coming via the secondary with 2.0 points.  
Obviously SA won't be running if the primary is down, and if we ever get a long 
primary outage I can disable this rule on restart.

To eliminate backscatter, I copy the LDAP-generated sendmail "access" database 
from the primary to the secondary twice a day.  Thus the secondary will not 
accept mail for nonexistent addresses.  The time lag isn't a problem, since the 
secondary only gets legitimate mail when the primary is down, which is almost 
never.

Pierre



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 1:40 PM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: RE: Spammers Target Secondary MX hosts?


Kelson wrote:
> Larry Starr wrote:
>> On Friday 18 March 2005 08:17, Alexander Bochmann wrote:
>>> there are many setups where
>>> the ISP or someone else runs a backup MX for his
>>> customer's domains as a service. With this configuration,
>>> the secondary MX will usually not know about valid users
>>> in the destination domain.
>> 
>> That, in fact, is the setup that I am operating and, yes, most of
>> what comes through my secondary MX, at my ISP, is SPAM.   Some time
>> ago I implemented a rule that adds a (small) spam score for mail
>> received via my secondary MX. 
> 
> I'm on the flip side of that: we provide secondary MX services for
> some of our customers, and I've started adding a small bonus score
> for mail being sent *to* them through our server.  I've also added
> meta-rules to treat certain rules more harshly.
> 
> The really annoying thing, from our standpoint, is the backscatter we
> have to process:
> 
> 1. Spammer sends to secondary MX (us).
> 2. We filter out some of the more obvious spam (for the most part
> using our regular criteria).
> 3. We relay what's left to the primary MX.
> 4. Primary MX rejects mail to nonexistent users and mail that trips
> their own spam filters.
> 5. We generate DSNs that go to third parties or nonexistent hosts,
> contributing to backscatter and cluttering up our outbound queue.
> 
> The backscatter becomes a real problem in the legitimate relay
> situation, because it's basically unavoidable.  If the spam is sent
> directly to you, you can accept it, discard it, or reject it, and it
> stops.  But if you're relaying to someone, and *they* reject it, now
> you have to decide whether to generate a DSN or not.  We've actually
> set up a separate queue for bounces that aren't delivered
> immediately, so that it won't bog down normal mail.

Two solutions occur to me:
1) Allow a way for the secondary MX to tell whether the primary MX is "up" - if 
it is, don't accept any connections
2) Allow a way for the secondary MX to tell what email addresses on the primary 
MX are valid (LDAP occurs to me)

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 


Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread gallen
I just had the reverse problem. Working for a large company using Exchange
for outbound business email we were always hitting one company's secondary
MX which was broken (sent back rejections).

Our servers just liked the second MX better than the primary MX for some
reason. When I manually telneted into both the primary and the secondary
MX I noticed the secondary responded much faster than the primary to
commands. So maybe the primary just could not respond quick enough to our
email server so it flipped to the secondary which was much faster. (just
guessing here)




> Hi all,
> I've been noticing it lately that almost 90% of emails come in through
> our secondary MX host are spams, I just want to know if there's an
> explanation for this, my guess is that the spammers spam the secondary
> MX host intentionally for some reason I can't understand, maybe hoping
> the secondary host will be configured with less care?
>
> Many thanks,
>
> Yang
>



Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread jdow
From: "Yang Xiao" <[EMAIL PROTECTED]>


> Hi all,
> I've been noticing it lately that almost 90% of emails come in through
> our secondary MX host are spams, I just want to know if there's an
> explanation for this, my guess is that the spammers spam the secondary
> MX host intentionally for some reason I can't understand, maybe hoping
> the secondary host will be configured with less care?

Wow, it's been awhile since this floated through the list the last time.

The theory among the spammers is that the secondary and tertiary
MX machines are less well protected. "They're backups, after all.
They're not used every day."

Most canny anti-spammers are aware of this and may actually have the
secondaries nailed down a little tighter than the primaries.

{^_-}



Re: Can I delete spam messages after they have been learned

2005-03-19 Thread Theo Van Dinter
On Fri, Mar 18, 2005 at 11:57:43PM +, Nigel Wilkinson wrote:
> my spam directory used for bayes learning now holds over 3000 emails. If I 
> delete them then next time I run sa-learn will I lose everything 
> spamassassin has learnt. Also, same question for ham.

When you sa-learn a message, the appropriate tokens are stored in the
bayes_toks database.  The original message is unnecessary after that
point, unless you wanted to keep spam/ham around in case you wanted to
start over with your database.

-- 
Randomly Generated Tagline:
A person's language is an index of his mind.




TROUBLE in child_init_hook: BDB no dbS

2005-03-19 Thread David F. Colwell
Has anyone else been getting these lately?  It has shut down my incoming 
mail.

   amavis[23480]: TROUBLE in child_init_hook: BDB no dbS: Lock table is
   out of available locker entries, No such file or directory. at (eval
   36) line 25.

Mark Martinec's mailing of 8/20/04 11:07 AM suggested the following test:

   [EMAIL PROTECTED] log]# db_stat -c -h /var/amavis/db
   801729  Last allocated locker ID.
   2147M   Current maximum unused locker ID.
   5       Number of lock modes.
   1000    Maximum number of locks possible.
   1000    Maximum number of lockers possible.
   1000    Maximum number of lock objects possible.
   500     Number of current locks.
   502     Maximum number of locks at any one time.
   1000    Number of current lockers.
   1000    Maximum number of lockers at any one time.
   2       Number of current lock objects.
   5       Maximum number of lock objects at any one time.
   178546  Total number of locks requested.
   124717  Total number of locks released.
   0       Total number of lock requests failing because DB_LOCK_NOWAIT was set.
   92      Total number of locks not immediately available due to conflicts.
   0       Number of deadlocks.
   0       Lock timeout value.
   0       Number of locks that have timed out.
   0       Transaction timeout value.
   0       Number of transactions that have timed out.
   440KB   The size of the lock region..
   121     The number of region locks granted after waiting.
   4359883 The number of region locks granted without waiting.

Mark's mailing of 1/8/05 7:18 suggests:

   What version of Berkeley libdb you have? It is reported at startup,
   e.g.:
   [98011]: Creating db in /var/amavis/db/; BerkeleyDB 0.26, libdb 4.2
   The last time the 'Lock table is out of available locker entries'
   was reported it was with some 3.x version of libdb and an upgrade
   to 4.2 helped.

I have 4.2.52

Mark et al of 2/2/05 6:49 PM had several ideas.  I now have enable_db=0 
for expediency but hope to resolve this.
after restarting amavisd, postfix and spamassassin ...

   [EMAIL PROTECTED] log]# /usr/src/amavisd/amavisd-new-2.2.1/amavisd-nanny
   BDB no dbN 1: Lock table is out of available locker entries No such
   file or directory at
   /usr/src/amavisd/amavisd-new-2.2.1/amavisd-nanny line 78.
   exited
The documentation for BerkeleyDB, trouble shooting section, acknowledges 
the excessive locking problems...
"file:///usr/src/db-4.2.52/docs/ref/debug/common.html" directs us to 
"file:///usr/src/db-4.2.52/docs/ref/transapp/put.html"

... but as I am a user and not a developer I feel I have uncovered as 
much as I can.  As Paul Jacobson indicated on 2/2/05 the problem may be 
with SA's db calls and the BerkeleyDB docs certainly suggest it is 
possible.  I am posting to [EMAIL PROTECTED] because it 
has had threads on this subject, users@spamassassin.apache.org does not 
appear to have any.
I can see that any rebuilding of db's would give temporary relief as it 
would clear the lockers, but they would eventually re-congest.

Is this a problem for amavis or SA developers?
Thanks.
Dave
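
A check over the db_stat -c output quoted in the post above, added here as an example and not part of the original thread or of amavisd-new: it parses the lock-region counters and reports which resource is at its configured ceiling. The sample text is constructed from the figures in the post; the 80% warning threshold and the function names are assumptions of this example.

```python
import re

# Constructed sample: lock-region lines from the db_stat -c output in the
# post, with normal column spacing restored.
SAMPLE = """\
801729  Last allocated locker ID.
5       Number of lock modes.
1000    Maximum number of locks possible.
1000    Maximum number of lockers possible.
1000    Maximum number of lock objects possible.
500     Number of current locks.
1000    Number of current lockers.
2       Number of current lock objects.
440KB   The size of the lock region.
"""

# Counter labels exactly as they appear in the post's libdb 4.2 output.
RESOURCES = {
    "locks": ("Number of current locks",
              "Maximum number of locks possible"),
    "lockers": ("Number of current lockers",
                "Maximum number of lockers possible"),
    "lock objects": ("Number of current lock objects",
                     "Maximum number of lock objects possible"),
}

# "<value><whitespace><label>." where the value starts with digits; wrapped
# continuation lines do not start with a number and are skipped.
LINE = re.compile(r"^\s*(\d+[A-Za-z]*)\s+(.+?)\.*\s*$")


def parse_db_stat(text):
    """Map each counter label to an int, or to the raw string (e.g. 440KB)."""
    stats = {}
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            value, label = match.groups()
            stats[label] = int(value) if value.isdigit() else value
    return stats


def usage(stats):
    """Return {resource: (current, maximum)} for the three lock tables."""
    report = {}
    for name, (current_label, max_label) in RESOURCES.items():
        current, maximum = stats.get(current_label), stats.get(max_label)
        if isinstance(current, int) and isinstance(maximum, int) and maximum:
            report[name] = (current, maximum)
    return report


def near_limit(stats, threshold=0.8):
    """Resources whose current use is at or above threshold * maximum."""
    return sorted(name for name, (current, maximum) in usage(stats).items()
                  if current / maximum >= threshold)


if __name__ == "__main__":
    parsed = parse_db_stat(SAMPLE)
    for name, (current, maximum) in usage(parsed).items():
        print(f"{name:13s} {current:5d} / {maximum}")
    print("at or near limit:", near_limit(parsed))
```

On the figures from the post only the locker table is full (1000 of 1000), while locks and lock objects are well below their limits.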


Can I delete spam messages after they have been learned

2005-03-19 Thread Nigel Wilkinson
Hi folks
my spam directory used for bayes learning now holds over 3000 emails. If I 
delete them then next time I run sa-learn will I lose everything 
spamassassin has learnt. Also, same question for ham.

Cheers
Nigel



Re: Network Tests

2005-03-19 Thread Jeff Chan
On Friday, March 18, 2005, 8:40:45 AM, Matt Kettler wrote:
> 3) experiment to see which specific network tests are slow by setting
> their score to 0 one at a time.

In particular try setting the score of URIBL_SBL to 0
since its style of SBL lookups is significantly slower than
SURBL lookups, and its FP (false positive rate) is higher.

(URIBL_SBL needs to resolve the NS records of the URI domain
and check them against SBL using another DNS resolution.  That
initial resolution of the wild domain can potentially be quite
slow since it uses various external name servers, potentially
including ones that belong to spammers.)

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Is spamassassin 3.0.2 wrked for any one just after install or upgrade

2005-03-19 Thread JamesDR
It worked well for us, actually, better. To give some light on the 
subject, specifically the SURBLS made a HUGE difference in our case.  For 
the users with not enough spam on their servers, pop a website on Google 
for indexing that contains one of their e-mail addresses and they'll 
have plenty :-D. Seriously though, just watch what comes the best you can, 
and train accordingly.  For those cases where this is a clean domain, 
there isn't much you can do to start.  Training based upon what someone 
else thinks is spam may hurt your bayes more than help.  As long as you 
are using dns tests to start with, that should help quite a bit.

Thanks,
JamesDR

crisppy fernandes wrote:
> Dev community,
> This is to know from developers community is spamassassin wrked for
> anyone just after upgrade or install.
> Everyday one or other new user complaints abt this behaviour that
> spamassassin after upgrade to 3.0.x version not seems to wrk.
> After checking the man documents or wiki we come to know that , made
> it learn 200 spam and ham then it will wrk. But even then it actually
> not wrk. Corpus are not exact things to check for validity as per
> sa-learn documentation.
> Then is there any other easy way. using which a novice can wrk
> with spamassassin without any need to bother abt learning and all.
> After going through documentation i am able to understand that it
> learn automatically on basis of its different rules.
> But what about users who dont have big load of spams on their servers.
> Simply here i want to point out is spamassassin.org should provide any
> procedure which will make users wrk easy and they feel happy using
> this s/w.
> -/Crisppyf




Re: Can I delete spam messages after they have been learned

2005-03-19 Thread Matt Kettler
Nigel Wilkinson wrote:

> Hi folks
>
> my spam directory used for bayes learning now holds over 3000 emails.
> If I delete them then next time I run sa-learn will I lose everything
> spamassassin has learnt. Also, same question for ham. 


You can delete them. Sa-learn stores everything it needs to know about
the message in your bayes_seen and bayes_toks files.

 The only situation where you'd need the files again is if you wanted to
wipe out your bayes database and rebuild it from scratch.



spamd and spamassassin appear to have different results

2005-03-19 Thread Vicki Brown
The rule
 header __CF_NOT_TO_ME   To !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
 header __CF_NOT_CC_ME   Cc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
 meta   CF_NOT_FOR_ME    __CF_NOT_TO_ME && __CF_NOT_CC_ME
 score CF_NOT_FOR_ME 0.01
 describe CF_NOT_FOR_ME  Neither To nor Cc me

The mail:
 Date: Fri, 18 Mar 2005 09:05:50 -0500
 From: "TINY Video Camera" <[EMAIL PROTECTED]>
 To: <[EMAIL PROTECTED]>
 Subject: A TINY digital video camera from DigiVu

 This Advertisment was brought to you by Newageoptin...

The SA result:
 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
 X-Spam-Level:
 X-Spam-Status: No, score=-0.6 required=0.5 tests=ALL_TRUSTED,CF_NOT_FOR_ME,
HTML_30_40,HTML_MESSAGE,URIBL_SBL autolearn=ham version=3.0.2

And that's not right. It _is_ for me. The CF_NOT_FOR_ME rule should not have
triggered.

What I like even less about this is that if I send that message through
  spamassassin -D
I get the results I expect (CF_NOT_FOR_ME does _not_ trigger).

 debug: is spam? score=-0.371 required=0.5
 debug: tests=ALL_TRUSTED,URIBL_SBL
 debug: subtests=__CF_NOT_CC_ME,__HAS_SUBJECT,__UNUSABLE_MSGID
 Date: Fri, 18 Mar 2005 09:05:50 -0500
 From: "TINY Video Camera" <[EMAIL PROTECTED]>
 To: <[EMAIL PROTECTED]>
 Subject: A TINY digital video camera from DigiVu
 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
 X-Spam-Level:
 X-Spam-Status: No, score=-0.4 required=0.5 tests=ALL_TRUSTED,URIBL_SBL
autolearn=ham version=3.0.2

Spamassassin does what I think it should; spamc/spamd fails me.
I am beginning to get the bad feeling that spamd is not working correctly.
But what if anything can I / should I do about it?
Should I adjust all of our user procmail files to call spamassassin directly
instead of using spamc/spamd?
-- 
Vicki Brown
Journeyman Sourceror: Scripts & Philtres
Code, Docs, Process, Perl, WWW, Mac OS X
http://cfcl.com/vlb   SF Bay Area, CA  USA


RE: Spammers Target Secondary MX hosts?

2005-03-19 Thread Kenneth Porter
--On Friday, March 18, 2005 2:55 PM -0500 Pierre Thomson 
<[EMAIL PROTECTED]> wrote:

> I tried the trick with a tertiary entry matching the primary, but it
> didn't reduce the spam at the secondary very much.

It would be useful to figure out why this is so. Did you use the same host 
name for both primary and tertiary? Or same resolved IP address? Does 
sendmail do any optimization like dropping candidate hosts found more than 
once in the MX list? Could it be that some ratware also makes this 
optimization?

I only have the one IP but I can create many hostnames in my domain to 
point to the same mail server and use that technique.

Yet another reason to switch to IPv6, so we'll have a glut of extra 
addresses to hide within.


Re: Please help with subject rule

2005-03-19 Thread Roman Serbski
On Fri, 18 Mar 2005 09:37:09 -0500, Bowie Bailey <[EMAIL PROTECTED]> wrote:
> From: Roman Serbski [mailto:[EMAIL PROTECTED]
> >
> > Dear all,
> >
> > Could you please help me with one SA subject rule that sometimes works
> > and sometimes doesn't.
> >
> > SpamAssassin 3.0.2 with qmail-scanner 1.25st.
> >
> > Everything works like a charm but we receive a lot of spam messages
> > from yahoo.com group with [expoforum_kg] subject.  I created a rule in
> > 20_head_tests.cf to score all messages containing [expoforum_kg] in a
> > subject.  I know I shouldn't use global cf rules but I was just
> > testing.
> >
> > 20_head_tests.cf:
> >
> > header EXPO_SUCKERS Subject =~ /\b(?:[a-z]([-_.
> > =~\/:,[EMAIL PROTECTED]&+;\"\'<>\\])\1{0,2}){4,}/i
> > describe EXPO_SUCKERS Subject: contains [expoforum_kg]
> >
> >
> > This is an example of successful detection:
> >
> > subj='[expoforum_kg] A D V E R T I S E - TO - M I L L I O N S'
> >
> > This is an example of unsuccessful detection:
> >
> > subj='[expoforum_kg] Paid ontime 50% profit'
> 
> The problem is that your rule is matching the expanded text seen in the
> first subject rather than the '[expoforum_kg]' that you seem to expect.  Try
> this rule instead:
> 
> header EXPO_SUCKERS Subject =~ /\b\[expoforum_kg\]\b/i

Thank you Bowie,

I tried your advice but it didn't work. :(

Sat, 19 Mar 2005 11:51:04 KGT:16213: from='Neomarketing
<[EMAIL PROTECTED]>', subj='[expoforum_kg] E M A I L - M I L L I O
N S - N O W !', via SMTP from 66.94.237.28
Sat, 19 Mar 2005 11:51:06 KGT:16213: uvscan: finished scan in 1.884296 secs
Sat, 19 Mar 2005 11:51:23 KGT:16213: SA: REPORT hits = -0.8/3.5
1.3 GAPPY_SUBJECT Subject: contains G.a.p.p.y-T.e.x.t
0.5 TARGETED BODY: Targeted Traffic / Email Addresses

Sat, 19 Mar 2005 11:51:23 KGT:16213: SA: required_hits 3.5 /
sa_quarantine +2.1 / sa_delete +4.2
Sat, 19 Mar 2005 11:51:23 KGT:16213: SA: finished scan in 17.650532
secs - hits=-0.8
Sat, 19 Mar 2005 11:51:23 KGT:16213: p_s: finished scan in 0.061538 secs

20_head_tests.cf:

header EXPO_SUCKERS Subject =~ /\b\[expoforum_kg\]\b/i
describe EXPO_SUCKERS Subject: contains [expoforum_kg]

spamassassin --lint -D doesn't show any errors. 
Anything else to check?

Thank you for your time.
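
Why the `\b\[expoforum_kg\]\b` form of the rule stays silent on the subjects logged in this thread, shown as an added example that is not part of the original messages. `\b` only matches between a word character and a non-word character, and Python's `re` treats it the same way Perl does for these patterns; the pattern without `\b` and the last sample subject are constructed for this example.

```python
import re

TAG = "[expoforum_kg]"

# Pattern body exactly as posted in the thread.
POSTED = re.compile(r"\b\[expoforum_kg\]\b", re.IGNORECASE)
# Assumption of this example: the same literal without the \b assertions.
UNANCHORED = re.compile(r"\[expoforum_kg\]", re.IGNORECASE)

# Subjects quoted in the thread (the wrapped log line is joined).
SUBJECTS_FROM_THREAD = [
    "[expoforum_kg] A D V E R T I S E - TO - M I L L I O N S",
    "[expoforum_kg] Paid ontime 50% profit",
    "[expoforum_kg] E M A I L - M I L L I O N S - N O W !",
]
# Constructed subject where word characters touch both brackets.
CONSTRUCTED = ["fwd[expoforum_kg]news"]


def is_word(ch):
    """True for a character that \\w matches (ASCII letters, digits, _)."""
    return bool(ch) and (ch.isalnum() or ch == "_")


def boundaries(subject, tag=TAG):
    """Return (before, after): can \\b match at each edge of the tag?

    \\b matches only where exactly one neighbour is a word character; the
    start and end of the string count as non-word.
    """
    start = subject.lower().find(tag.lower())
    if start < 0:
        return None
    end = start + len(tag)
    prev_ch = subject[start - 1] if start > 0 else ""
    next_ch = subject[end] if end < len(subject) else ""
    before = is_word(prev_ch) != is_word(tag[0])   # tag[0] is '['
    after = is_word(tag[-1]) != is_word(next_ch)   # tag[-1] is ']'
    return before, after


def evaluate(subjects):
    """Run both patterns over the subjects and record the boundary facts."""
    return [
        {
            "subject": s,
            "boundaries": boundaries(s),
            "posted": bool(POSTED.search(s)),
            "unanchored": bool(UNANCHORED.search(s)),
        }
        for s in subjects
    ]


if __name__ == "__main__":
    for row in evaluate(SUBJECTS_FROM_THREAD + CONSTRUCTED):
        print(row)
```

Because `[` and `]` are themselves non-word characters, the posted pattern can only match when a letter, digit or underscore sits directly against each bracket, which is never the case when the tag opens the subject and is followed by a space.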


Re: plugins and parrallelization

2005-03-19 Thread Eric A. Hall

Justin Mason wrote:

> yeah -- as discussed in the Plugin pod docs, the life-cycle of the objects
> you have access to there is:

I'm currently trying to work this so the LDAP session is maintained for
the lifetime of the module. TCP sessions are pretty expensive, and having
hundreds or even thousands of dead sessions lying around in timeout mode
(not uncommon for busy sites) is going to be very undesirable.

I'm storing the session variables (such as login status) as part of $self,
and storing message variables with $permsgstatus. But where do I put the
logout/disconnect code? DESTROY seems to get called after every message
("seems to" but I'm fairly blurry at this point), which causes the session
to get killed after every message. Where am I supposed to put this stuff?

Thanks

-- 
Eric A. Hall             http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/


Re: Please help with subject rule

2005-03-19 Thread Roman Serbski
On Fri, 18 Mar 2005 06:39:13 -0800, Evan Platt <[EMAIL PROTECTED]> wrote:
> Unless I'm missing the point... [EMAIL PROTECTED]
> would be a much better solution. :)

Thanks. :) It doesn't work. I tried to unsubscribe, received a
confirmation message from yahoogroups, confirmed unsubscription but
still receive spam from expoforum_kg.
I even tried to contact yahoo antispam - they refused to close this
account which is used for spam only.

Roman


Re: spamd and spamassassin appear to have different results

2005-03-19 Thread Daniel Quinlan
Vicki Brown <[EMAIL PROTECTED]> writes:

> The rule
>  header __CF_NOT_TO_ME   To !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
>  header __CF_NOT_CC_ME   Cc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
>  meta   CF_NOT_FOR_ME    __CF_NOT_TO_ME && __CF_NOT_CC_ME
>  score CF_NOT_FOR_ME 0.01
>  describe CF_NOT_FOR_ME  Neither To nor Cc me

Easier:

  header CF_NOT_FOR_ME    ToCc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
  score CF_NOT_FOR_ME 0.01
  describe CF_NOT_FOR_ME  Neither To nor Cc me

> Spamassassin does what I think it should; spamc/spamd fails me.

98% likely to be the issue: you forgot to restart spamd

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/


OT: Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread Jeff Chan
On Friday, March 18, 2005, 2:13:23 PM, jdow jdow wrote:
> From: "Yang Xiao" <[EMAIL PROTECTED]>


>> Hi all,
>> I've been noticing it lately that almost 90% of emails come in through
>> our secondary MX host are spams, I just want to know if there's an
>> explanation for this, my guess is that the spammers spam the secondary
>> MX host intentionally for some reason I can't understand, maybe hoping
>> the secondary host will be configured with less care?

> Wow, it's been awhile since this floated through the list the last time.

> The theory among the spammers is that the secondary and tertiary
> MX machines are less well protected. "They're backups, after all.
> They're not used every day."

> Most canny anti-spammers are aware of this and may actually have the
> secondaries nailed down a little tighter than the primaries.

We're applying more RBLs to our backup server than our primary
MXer.

What was the trick for making a mail server delay or reject
responses the first time an IP connects?  I've heard this is very
effective against spamware/zombies, etc.  We're using Postfix, so
this is definitely off topic. 

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: spamd and spamassassin appear to have different results

2005-03-19 Thread jdow
From: "Daniel Quinlan" <[EMAIL PROTECTED]>

> Vicki Brown <[EMAIL PROTECTED]> writes:
>
> > The rule
> >  header __CF_NOT_TO_ME   To !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
> >  header __CF_NOT_CC_ME   Cc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
> >  meta   CF_NOT_FOR_ME    __CF_NOT_TO_ME && __CF_NOT_CC_ME
> >  score CF_NOT_FOR_ME 0.01
> >  describe CF_NOT_FOR_ME  Neither To nor Cc me
>
> Easier:
>
>   header CF_NOT_FOR_ME    ToCc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
>   score CF_NOT_FOR_ME 0.01
>   describe CF_NOT_FOR_ME  Neither To nor Cc me
>
> > Spamassassin does what I think it should; spamc/spamd fails me.
>
> 98% likely to be the issue: you forgot to restart spamd

Not having read the first part of this I do note there is not any blanket
way to say it's only related to not starting spamd. There is still the
3.0x bug related to spamd children. The FIRST time a child runs a message
it reads rules properly. Every time after the first time it does not pick
up the per user rule scores. It picks up the user rules but not the
scores. I *WISH* this could be repaired.

{^_^}




Re: spamd and spamassassin appear to have different results

2005-03-19 Thread Daniel Quinlan
"jdow" <[EMAIL PROTECTED]> writes:

> Not having read the first part of this I do note there is not any blanket
> way to say it's only related to not starting spamd. There is still the
> 3.0x bug related to spamd children. The FIRST time a child runs a message
> it reads rules properly. Every time after the first time it does not pick
> up the per user rule scores. It picks up the user rules but not the
> scores. I *WISH* this could be repaired.

I didn't really read your reply except the last sentence, but I really
wish I had an ice cream cone.

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/


Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread alan premselaar
[EMAIL PROTECTED] wrote:
> Kelson wrote:
>> Larry Starr wrote:
>>> On Friday 18 March 2005 08:17, Alexander Bochmann wrote:
>>>> there are many setups where
>>>> the ISP or someone else runs a backup MX for his
>>>> customer's domains as a service. With this configuration,
>>>> the secondary MX will usually not know about valid users
>>>> in the destination domain.
>>>
>>> That, in fact, is the setup that I am operating and, yes, most of
>>> what comes through my secondary MX, at my ISP, is SPAM.   Some time
>>> ago I implemented a rule that adds a (small) spam score for mail
>>> received via my secondary MX. 
>>
>> I'm on the flip side of that: we provide secondary MX services for
>> some of our customers, and I've started adding a small bonus score
>> for mail being sent *to* them through our server.  I've also added
>> meta-rules to treat certain rules more harshly.
>>
>> The really annoying thing, from our standpoint, is the backscatter we
>> have to process:
>>
>> 1. Spammer sends to secondary MX (us).
>> 2. We filter out some of the more obvious spam (for the most part
>>    using our regular criteria).
>> 3. We relay what's left to the primary MX.
>> 4. Primary MX rejects mail to nonexistent users and mail that trips
>>    their own spam filters.
>> 5. We generate DSNs that go to third parties or nonexistent hosts,
>>    contributing to backscatter and cluttering up our outbound queue.
>>
>> The backscatter becomes a real problem in the legitimate relay
>> situation, because it's basically unavoidable.  If the spam is sent
>> directly to you, you can accept it, discard it, or reject it, and it
>> stops.  But if you're relaying to someone, and *they* reject it, now
>> you have to decide whether to generate a DSN or not.  We've actually
>> set up a separate queue for bounces that aren't delivered
>> immediately, so that it won't bog down normal mail.
>
> Two solutions occur to me:
> 1) Allow a way for the secondary MX to tell whether the primary MX is "up" - if 
> it is, don't accept any connections
> 2) Allow a way for the secondary MX to tell what email addresses on the primary 
> MX are valid (LDAP occurs to me)
>
> Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com Software Engineer
> perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 

MIMEDefang can do both of these... I use it on my secondary MX server to 
check for valid users on the primary server.  as a safety, if the 
primary MX server is down, it'll accept and queue the mail.  if it can't 
validate the user on the primary server, yet the server is up, it'll 
fail with user unknown.

alan


Re: OT: Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread alan premselaar
Jeff Chan wrote:
On Friday, March 18, 2005, 2:13:23 PM, jdow jdow wrote:
From: "Yang Xiao" <[EMAIL PROTECTED]>


Hi all,
I've been noticing it lately that almost 90% of emails come in through
our secondary MX host are spams, I just want to know if there's an
explanation for this, my guess is that the spammers spam the secondary
MX host intentionally for some reason I can't understand, maybe hoping
the secondary host will configured with less care?

Wow, it's been awhile since this floated through the list the last time.

The theory among the spammers is that the secondary and tertiary
MX machines are less well protected. "They're backups, after all.
They're not used every day."

Most canny anti-spammers are aware of this and may actually have the
secondaries nailed down a little tighter than the primaries.

We're applying more RBLs to our backup server than our primary
MXer.
What was the trick for making a mail server delay or reject
responses the first time an IP connects?  I've heard this is very
effective against spamware/zombies, etc.  We're using Postfix, so
this is definitely off topic. 

Jeff C.

I think you're thinking of Greylisting.
It'll reject mail from a certain triple (sender/receiver/ip) the first 
time it comes in, record it in some form (database/filesystem/etc) and 
apply certain time delays so if the mail from the same triple comes back 
after a specified timeout, it'll be accepted.

alan
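
The triple-based behaviour described in the message above, as an added example that is not part of the original post and is not code from postgrey or policyd. The 300-second delay, the 35-day expiry, the reply strings and the sample addresses are assumptions constructed for illustration.

```python
import time

DEFER = "450 4.7.1 Greylisted, please retry later"   # constructed reply text
ACCEPT = "250 2.1.5 Ok"                              # constructed reply text

class Greylist:
    """Greylisting keyed on the (client IP, sender, recipient) triple."""

    def __init__(self, min_delay=300, max_age=35 * 86400):
        self.min_delay = min_delay   # assumed: seconds before a retry is accepted
        self.max_age = max_age       # assumed: idle seconds before a triple is forgotten
        self.triples = {}            # triple -> (first_seen, last_seen)

    def check(self, client_ip, sender, recipient, now=None):
        """Return the reply the server would give at RCPT TO time."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        rec = self.triples.get(key)
        if rec is None or now - rec[1] > self.max_age:
            self.triples[key] = (now, now)      # first sighting: record it and defer
            return DEFER
        first_seen = rec[0]
        self.triples[key] = (first_seen, now)   # keep the record alive
        if now - first_seen < self.min_delay:
            return DEFER                        # retried before the delay elapsed
        return ACCEPT                           # same triple came back late enough

def replay(attempts, **kwargs):
    """Feed (time, ip, sender, rcpt) attempts to one Greylist; return reply codes."""
    gl = Greylist(**kwargs)
    return [gl.check(ip, s, r, now=t)[:3] for t, ip, s, r in attempts]

# Constructed sample traffic using documentation addresses (not from the thread).
MTA = ("192.0.2.10", "list@example.org", "user@example.com")
BOT = ("198.51.100.7", "promo@example.net", "user@example.com")
SAMPLE = [
    (0, *MTA),                          # queueing MTA, first attempt
    (5, *BOT),                          # spamware that never retries
    (60, *MTA),                         # retry that arrives too early
    (900, *MTA),                        # retry after the delay
    (950, *MTA),                        # later mail on the same triple
    (960, "198.51.100.8", *BOT[1:]),    # same spam relayed from another IP
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

A sender that retries from a different IP each time never completes a triple, which is why the last sample attempt is deferred again.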


Re: OT: Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread Jeff Chan
On Saturday, March 19, 2005, 4:36:42 AM, alan premselaar wrote:
> I think you're thinking of Greylisting.

> It'll reject mail from a certain triple (sender/receiver/ip) the first 
> time it comes in, record it in some form (database/filesystem/etc) and 
> apply certain time delays so if the mail from the same triple comes back 
> after a specified timeout, it'll be accepted.

Yep, a couple that I was pointed to are:

  http://isg.ee.ethz.ch/tools/postgrey/
  http://policyd.sourceforge.net/

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Spamd -S option in 3.x?

2005-03-19 Thread MIKE YRABEDRA


Is there a way to stop processing once the message is seen as spam? Version
2.6 had the -S option, but that no longer works.




Re: Spamd -S option in 3.x?

2005-03-19 Thread Matt Kettler
At 07:55 AM 3/19/2005, MIKE YRABEDRA wrote:
> Is there a way to stop processing once the message is seen as spam? Version
> 2.6 had the -S option, but that no longer works.

No, that feature has been dead since at least 2.30. The flag may have been 
accepted, but it's been dead for a LONG time.

The problem is it causes FPs unless you re-order the rules so all the 
negative-scoring rules run first. Doing that causes SA to have to scan the 
body twice, negating any speed and all benefit to the -S option.



Re: spamd and spamassassin appear to have different results

2005-03-19 Thread Matt Kettler
At 12:49 AM 3/19/2005, Vicki Brown wrote:
The rule
 header __CF_NOT_TO_ME   To !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
 header __CF_NOT_CC_ME   Cc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
 meta   CF_NOT_FOR_ME    __CF_NOT_TO_ME && __CF_NOT_CC_ME
 score CF_NOT_FOR_ME 0.01
 describe CF_NOT_FOR_ME  Neither To nor Cc me
The mail:
 Date: Fri, 18 Mar 2005 09:05:50 -0500
 From: "TINY Video Camera" <[EMAIL PROTECTED]>
 To: <[EMAIL PROTECTED]>
 Subject: A TINY digital video camera from DigiVu
 This Advertisment was brought to you by Newageoptin...
The SA result:
 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
 X-Spam-Level:
 X-Spam-Status: No, score=-0.6 required=0.5 tests=ALL_TRUSTED,CF_NOT_FOR_ME,
HTML_30_40,HTML_MESSAGE,URIBL_SBL autolearn=ham version=3.0.2
And that's not right. It _is_ for me. The CF_NOT_FOR_ME rule should not have
triggered.
What I like even less about this is that if I send that message through
  spamassassin -D
I get the results I expect (CF_NOT_FOR_ME does _not_ trigger).

Question - Is there any chance that your MTA, MDA or MUA re-wrote the To: 
header, causing it to actually be different in each place? Some mail tools 
will add the local domain to a username-only To: header. They also will 
commonly insert a To: header containing the envelope recipient if no To: 
header exists.

You might want to add some -0.01 scored rules that look for several 
different combinations, so you can try to debug what's going on:

header L_TO_EXISTS  exists:To
score  L_TO_EXISTS  -0.01
header L_CC_EXISTS  exists:Cc
score  L_CC_EXISTS  -0.01
header L_TO_CFCL    To =~ /[EMAIL PROTECTED]/i
score  L_TO_CFCL    -0.01
header L_TO_GMAIL   To =~ /[EMAIL PROTECTED]/i
score  L_TO_GMAIL   -0.01
header L_TO_VLB     To =~ /[EMAIL PROTECTED]/i
score  L_TO_VLB     -0.01

And be sure to spamassassin --lint it (should run without any messages), 
and restart spamd after adding the rules.



Re: DCC License Change

2005-03-19 Thread Bob Proulx
Matt Kettler wrote:
> Justin Mason wrote:
> >Well, I guess this gives us a good reason to finally get around to
> >writing our own hashing subsystem...
> 
> Unfortunately that might not be a workable option Justin. The reason DCC 
> is changing license is because it's infringing on a broad patent of 
> using hashes to automatically detect spam based on volume of duplicates. 
> It's not because the author really wants to change the license, it's 
> ultimately because he HAS to change the license.
> 
> http://www.rhyolite.com/pipermail/dcc/2004/002468.html
> 
> The license change is a part of an agreement with the patent owner, so 
> any similar system implemented by SA would end up going the same path as 
> DCC.
> 
> You might be able to do a razor-ish system of listing based on reports, 
> but you might find this patent still applies, or some other patent applies.
> 
> Run it through ASF legal, and proceed accordingly.

I am reading the archive and I can't agree completely with that
statement.  Although I agree the patent is involved.

  http://www.rhyolite.com/pipermail/dcc/2005/002570.html

I see several important points there.

  1. "I have some other ideas, but they depend on things that cost
 money like a feed of the (formerly free) SBL from Spamhaus."

  2. "The new ideas can't be free because they are likely to cost
 money in fees to third parties."

  3. "The agreement includes a promise to me to not sue or try to
 collect royalties Patent 6,330,590 from organizations covered by
 the new, restricted license."

I agree that he sounds like he does not want the license change and
feels forced into it.  It could not have been an easy decision for
him.  But previously he stated that it was not infringing.

  http://www.rhyolite.com/pipermail/dcc/2004/002465.html

There he states that he does not believe DCC to be infringing on the
patent.  Note however that the date of the message is well before the
license change.  So it is possible he was convinced otherwise.  It is
also possible that his plans included code that would in the
future need a license.  I am just speculating.

In any case it is a shame to see things take this turn of direction.
DCC will be missed.

Bob


spamd rules and scores

2005-03-19 Thread Vicki Brown
At 23:25 -0800 03/18/2005, jdow wrote:
>Not having read the first part of this I do note there is not any blanket
>way to say it's only related to not starting spamd. There is still the
>3.0x bug related to spamd children. The FIRST time a child runs a message
>it reads rules properly. Every time after the first time it does not pick
>up the per user rule scores. It picks up the user rules but not the
>scores. I *WISH* this could be repaired.
>
>{^_^}

FERVENT agreement here. This bug is driving me nutso. According to the
bugzilla thread, it's been repaired but where's the patch update?

-- 
Vicki Brown  ZZZ
Journeyman Sourceror:  zz  |\ _,,,---,,_ Code, Docs, Process,
Scripts & Philtres  zz /,`.-'`'-.  ;-;;,_   Perl, WWW, Mac OS X
http://cfcl.com/vlb   |,4-  ) )-,_. ,\ ( `'-'   SF Bay Area, CA  USA
___  '---''(_/--'  `-'\_)  ___


Best way to disable a test from running?

2005-03-19 Thread Vicki Brown
I could give it a score of 0 but I'd like to simply say "don't even test
against it".

I'm getting tired of seeing ALL_TRUSTED. We run SMTP; they connect directly
to us; there are no interim hosts.

I could edit the underlying rule file but then I'd have to do that after any
update.  Is there an "off switch" I've missed seeing?
-- 
Vicki Brown  ZZZ
Journeyman Sourceror:  zz  |\ _,,,---,,_ Code, Docs, Process,
Scripts & Philtres  zz /,`.-'`'-.  ;-;;,_   Perl, WWW, Mac OS X
http://cfcl.com/vlb   |,4-  ) )-,_. ,\ ( `'-'   SF Bay Area, CA  USA
___  '---''(_/--'  `-'\_)  ___


Re: spamd and spamassassin appear to have different results

2005-03-19 Thread Vicki Brown
At 10:55 -0500 03/19/2005, Matt Kettler wrote:
>And be sure to spamassassin --lint it (should run without any messages),
>and restart spamd after adding the rules.


I realize that this is standard canonical advice and I will make the
necessary assumption that it's not really being directed at me but...
I am so tired of seeing this reminder.

I KNOW about this now. Honest. I only have to be told once.
lint; HUP; edit; lint; HUP.
I'm about to script the [EMAIL PROTECTED]&&* infernal thing.

Why can't spamd re-read the system rules file if it's been changed? That's
not difficult to test for (quickly).  I'll take an option to do this PLEASE.

-- 

Vicki Brown  ZZZ
Journeyman Sourceror:  zz  |\ _,,,---,,_ Code, Docs, Process,
Scripts & Philtres  zz /,`.-'`'-.  ;-;;,_   Perl, WWW, Mac OS X
http://cfcl.com/vlb   |,4-  ) )-,_. ,\ ( `'-'   SF Bay Area, CA  USA
___  '---''(_/--'  `-'\_)  ___


Re: spamd and spamassassin appear to have different results

2005-03-19 Thread Vicki Brown
At 23:02 -0800 03/18/2005, Daniel Quinlan wrote:
>Easier:
>
>  header CF_NOT_FOR_ME ToCc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i

Well, yeah, at least shorter and arguably cleaner but I was a) playing with
meta rules and b) at one point had this idea that I might actually do
something with the individual NOT_TO and NOT_CC information...

I did switch to the shorter test above (last night) and the problem seems to
be gone as far as my mailbox is concerned, which brings me back to my initial
question:

Why do spamd and spamassassin appear to have different results?
Why does spamassassin seem to have no problems understanding

   header __CF_NOT_TO_ME   To !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
   header __CF_NOT_CC_ME   Cc !~ /(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])/i
   meta   CF_NOT_FOR_ME    __CF_NOT_TO_ME && __CF_NOT_CC_ME

and doing "the right thing" but spamd does appear to have problems and do the
wrong thing.

Is there something wrong with the header or meta rules above? Or is there
something wrong with spamd?

(We've passed the "get Vicki's configuration working" general tech support
question and have now moved into the area of understanding and debugging the
workings of SA and friends).
-- 
Vicki Brown  ZZZ
Journeyman Sourceror:  zz  |\ _,,,---,,_ Code, Docs, Process,
Scripts & Philtres  zz /,`.-'`'-.  ;-;;,_   Perl, WWW, Mac OS X
http://cfcl.com/vlb   |,4-  ) )-,_. ,\ ( `'-'   SF Bay Area, CA  USA
___  '---''(_/--'  `-'\_)  ___