Re: info needed

2005-05-12 Thread Philip Wege
Need a gui interface for a linux environment, need to be able to let
customers see that their spam is getting blocked and how much is being
blocked and allow them to modify their own settings as they need.


On Wed, 2005-05-11 at 19:09 -0700, Robert Menschel wrote:
 Hello Philip,
 
 Wednesday, May 11, 2005, 4:10:19 PM, you wrote:
 
 PW Please can someone indicate if they know about any gui frontends for
 PW spamassassin except websuers prefs. 
 
 PW I require a front end to handle rules , header , subject and
 PW content filtering  , configuration and  reporting on spam
 PW activity.
 
 It might help if you specify what type of system you need a gui for.
 I know that cPanel offers a web-oriented Linux gui with some of that
 capability.
 
 Bob Menschel
 
 
 
 
 




Re: Godaddy selling e-mails ?

2005-05-12 Thread Bob Proulx
Jeff Chan wrote:
 George Breahna wrote:
  Not sure why this is happening but I just received an e-mail that
  I use ONLY with go daddy. The e-mail is: [EMAIL PROTECTED]
 
  In it I have received SPAM!
 
  Is Go Daddy selling our e-mails to the lowest of the lowest ?
 
 Does your address appear in a domain registration?  The
 registrations are public after all. 

I am sure that is what you are seeing.   Look at the whois data on
your account.  On my machine I use the whois command.

  whois top-consulting.net

I will avoid posting your address again here.  But it matches the one
you just posted.  This is public information and hard to avoid.  If
you whois me you get my information too.  I get a lot of spam solely
because of the whois information.  I even get paper mail spam to that
address that I know is only due to that listing.  So this is not just
an electronic problem.

Bob


[SARE] obfu rule set update

2005-05-12 Thread Robert Menschel
RM Monday, May 9, 2005, 11:30:36 AM, Devon wrote:
DH Many thanks to Bob on the recent SARE rules release.  This
DH caught those HTML Table SPAMS!!!
RM But I notice there was no description on those report lines.  I'll
RM have that fixed by the weekend.

With the help of several SARE mass-checkers, we not only have the
description lines fixed, but a number of additional rules.  Should be
even better at catching the current series of obfuscations and table
spams.

Updated 70_sare_obfu.cf, obfu0.cf, and obfu1.cf

(obfu.cf contains both obfu0.cf and obfu1.cf as one file).

Bob Menschel





Re: SPAM with low readibility

2005-05-12 Thread Robert Menschel
Hello Martin,

Wednesday, May 11, 2005, 2:48:27 PM, you wrote:

MGD Now for my serious questions ...

MGD (1) Is there a simple rule to detect the incomprehensible ...
MGD hint: for the most part, those letters have code values that are greater
MGD than 128.

MGD In the same line of thinking, is there a way for the scripts to detect
MGD the character set when specified?  IOW could someone code a filter rule
MGD that tested for Russian?

Check the SARE rules files, specifically 70_sare_genlsubj_eng.cf and
70_sare_header_eng.cf -- I think you'll find some samples there you
can adapt.

Bob Menschel





RE: [SARE] obfu rule set update

2005-05-12 Thread Chris Russell


Trying to Update this morning gives:

Lint output: warning: description exists for non-existent rule 
SARE_OBFU_SPL_ORDERING
lint: 1 issues detected.  please rerun with debug enabled for more information.

Cheers,

Chris


-Original Message-
From: Robert Menschel [mailto:[EMAIL PROTECTED]
Sent: 12 May 2005 07:17
To: users@spamassassin.apache.org
Subject: [SARE] obfu rule set update

RM Monday, May 9, 2005, 11:30:36 AM, Devon wrote:
DH Many thanks to Bob on the recent SARE rules release.  This caught
DH those HTML Table SPAMS!!!
RM But I notice there was no description on those report lines.  I'll
RM have that fixed by the weekend.

With the help of several SARE mass-checkers, we not only have the description 
lines fixed, but a number of additional rules.  Should be even better at 
catching the current series of obfuscations and table spams.

Updated 70_sare_obfu.cf, obfu0.cf, and obfu1.cf

(obfu.cf contains both obfu0.cf and obfu1.cf as one file).

Bob Menschel





Re: my internal server is making records in the AWL

2005-05-12 Thread Arvinn Løkkebakken

Arvinn Løkkebakken wrote:
How can that happen? Anybody else here with the same experience?

Are we talking about a bug here? I would really like to know if this is 
a problem in my setup or if others are experiencing the same..

Arvinn


Re: spamd - limiting processes

2005-05-12 Thread Marco Herrn
 At 05:51 AM 5/11/2005, Marco Herrn wrote:
It seems that the --max-children option doesn't do as one expects, since
spamd now uses a preforking. And it seems that the processes are not
limited at all.

 Are you sure? Are there more than 5 spamd's in ps ax?

You are right. There are only 5 of them. It seems the others I saw were
many concurrent spamc processes.

 You mentioned there being more than 32 db connections, I just want to
 check
 if it's really 32 spamd's running, or if there are 5 spamd's running and
 someone's not closing SQL connections.

Hmm, the only process also accessing the database is exim. I do not know
how exim is doing this, what wouldn't think that exim is that inefficient.

I noticed that the database also produces a significant load on my system.
So I will now try to investigate what postgresql is doing here.

Thanks
Marco



Re: my internal server is making records in the AWL

2005-05-12 Thread James R
Arvinn Løkkebakken wrote:

Arvinn Løkkebakken wrote:
How can that happen? Anybody else here with the same experience?

Are we talking about a bug here? I would really like to know if this is 
a problem in my setup or if others are experiencing the same..

Arvinn

What's the problem? Looks like, in your example, the user wasn't found 
in the AWL table, and was added. The mail scored some 23 pts, and was 
added to the awl table with that score. AWL isn't a whitelist nor a 
black list.
http://wiki.apache.org/spamassassin/AwlWrongWay
http://wiki.apache.org/spamassassin/AutoWhitelist

--
Thanks,
James Rallo
Trusswood Inc.
[EMAIL PROTECTED]
www.Trusswood.DynDns.org
Tele:  (321) 383-0366
Fax:   (321) 383-0362


SA/RDJ/Bogus Virus Warnings Problem

2005-05-12 Thread Dimitri Yioulos
Good morning/evening to all.

I've had RDJ fetching rules updates successfully until just recently.  It 
seems that some part of my set-up now chokes on downloading and installing 
Tim Jackson's Bogus Virus Warnings ruleset.  Here's some output:

Subject: RulesDuJour/plymouth: Tim Jackson's (et al) bogus virus warnings 
RuleSet has been updated
X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to: 
[EMAIL PROTECTED]
X-First1-MailScanner-Information: Please contact the ISP for more information
X-First1-MailScanner: Found to be clean
X-MailScanner-From: [EMAIL PROTECTED]
Status: RO

Tim Jackson's (et al) bogus virus warnings has changed on plymouth.
Version line:

The following rules had errors:
Tim Jackson's (et al) bogus virus warnings had an unknown error:
curl exit code: 18
curl: (18) transfer closed with 80982 bytes remaining to read
200

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv 
-f /etc/mail/spamassassin/blacklist.cf 
/etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.2; 
mv 
-f /etc/mail/spamassassin/RulesDuJour/blacklist.cf.20050512-0157 
/etc/mail/spamassassin/blacklist.cf; 
mv 
-f /etc/mail/spamassassin/bogus-virus-warnings.cf 
/etc/mail/spamassassin/RulesDuJour/bogus-virus-warnings.cf.2; 
mv 
-f /etc/mail/spamassassin/RulesDuJour/bogus-virus-warnings.cf.20050512-0158 
/etc/mail/spamassassin/bogus-virus-warnings.cf; 
mv 
-f /etc/mail/spamassassin/blacklist-uri.cf 
/etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf.2; 
mv 
-f /etc/mail/spamassassin/RulesDuJour/blacklist-uri.cf.20050512-0158 
/etc/mail/spamassassin/blacklist-uri.cf;

Lint output: config: SpamAssassin failed to parse line, skipping: html
config: SpamAssassin failed to parse line, skipping: head
config: SpamAssassin failed to parse line, skipping: titleError 500 Internal 
Server Error [timj.co.uk]/title
...

If I take Bogus Virus Warnings out of my RDJ config file (ie. I don't use RDJ 
to download and install), I have no problems.

I recently sent a message to Tim, but haven't gotten a response.

Does anyone have any idea what's going on here?

Thanks.

Dimitri


Re: SA/RDJ/Bogus Virus Warnings Problem

2005-05-12 Thread Nick Leverton
On Thu, May 12, 2005 at 07:48:40AM -0400, Dimitri Yioulos wrote:
 
 If I take Bogus Virus Warnings out of my RDJ config file (ie. I don't use RDJ 
 to download and install), I have no problems.
 
 I recently sent a message to Tim, but haven't gotten a response.
 
 Does anyone have any idea what's going on here?

Which rules_du_jour version are you using ?  I use wget not curl, so I
can't interpret your errors, other than to say that whatever server you are
getting bogusvirus from has some internal error resulting in the 500
result code.  But bogusvirus is now mirrored on the rules emporium,
and rules_du_jour version 20 will get it from there (and did so this
morning for me).

Nick


Re: SA/RDJ/Bogus Virus Warnings Problem

2005-05-12 Thread Tim Jackson
On Thu, 12 May 2005 07:48:40 -0400
Dimitri Yioulos [EMAIL PROTECTED] wrote:

 I've had RDJ fetching rules updates successfully until just
 recently.  It seems that some part of my set-up now chokes on
 downloading and installing Tim Jackson's Bogus Virus Warnings
 ruleset.  

Please feel free to contact me directly off-list if you think there's
something up with my ruleset.

 I recently sent a message to Tim, but haven't gotten a response.

I may be missing it in my ocean of e-mails in which case I apologise,
but I don't appear to have a recent mail from you in my inbox.

 The following rules had errors:
 Tim Jackson's (et al) bogus virus warnings had an unknown error:
 curl exit code: 18
 curl: (18) transfer closed with 80982 bytes remaining to read
 200

Did this by any chance happen on Sunday morning, when my host
apparently had a weird crash?  Someone else the other day had the
same thing.

 Lint output: config: SpamAssassin failed to parse line, skipping:
 html config: SpamAssassin failed to parse line, skipping: head
 config: SpamAssassin failed to parse line, skipping: titleError 500
 Internal Server Error [timj.co.uk]/title
 ...

This bothers me a lot (and it looks like a generalised problem) and I am
cc'ing Chris the RDJ maintainer. Chris, how is it that a download which
has had a 500 error is managing to get saved to disk as a ruleset which
SA then tries to use? Surely any 5xx error should mean that the
downloaded page is discarded? Or did I screw something up? (a page with
the title of Error 500 certainly *should* have been sent with a HTTP
500 code)


Anyway, Dimitri, as someone else has observed, thanks to the SARE
hosts there is now a new URL for bogus-virus-warnings on
rulesemporium.com, which you are welcome to use and which means it's
not my fault if it doesn't work ;)

http://www.rulesemporium.com/rules/bogus-virus-warnings.cf

A recent RDJ update did include an update to this URL.

Tim
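
Tim's question above, how an HTTP 500 error page ended up installed as a ruleset, comes down to gating the download on transfer result, status code and content before the file is moved into place. The following is an added sketch of such a gate, not rules_du_jour's own code; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not rules_du_jour code; all function names are hypothetical.
# Inputs would come from the fetch itself, for example:
#   status=$(curl -s -o "$tmp" -w '%{http_code}' "$url"); rc=$?

# looks_like_ruleset FILE: succeeds only if FILE plausibly is a rules file.
looks_like_ruleset() {
    [ -s "$1" ] || return 1          # missing or empty download
    # Rule files consist of directives, comments and blank lines; a line that
    # starts with "<" is markup, i.e. an HTML error page saved as a ruleset.
    if grep -Eq '^[[:space:]]*<' "$1"; then
        return 1
    fi
    # Require at least one rule directive followed by a rule name.
    grep -Eq '^[[:space:]]*(body|rawbody|full|header|uri|meta|score|describe)[[:space:]]+[A-Za-z0-9_]+' "$1"
}

# check_download CURL_EXIT HTTP_STATUS FILE
# Prints a one-word verdict; returns 0 only for "accept".
check_download() {
    curl_rc=$1
    http_status=$2
    file=$3
    if [ "$curl_rc" -ne 0 ]; then    # e.g. 18 = transfer closed early
        echo "reject-transfer"; return 1
    fi
    case $http_status in
        2??) ;;                      # only 2xx responses carry a ruleset
        *) echo "reject-status"; return 1 ;;
    esac
    if ! looks_like_ruleset "$file"; then
        echo "reject-content"; return 1
    fi
    echo "accept"
}

# install_ruleset CURL_EXIT HTTP_STATUS TMPFILE DEST
# Moves TMPFILE over DEST only after every check passed; otherwise discards it.
install_ruleset() {
    verdict=$(check_download "$1" "$2" "$3") || true
    if [ "$verdict" != accept ]; then
        rm -f "$3"
        echo "$verdict"
        return 1
    fi
    mv -f "$3" "$4" && echo "$verdict"
}

# write_samples DIR: constructed sample downloads for the demo.
write_samples() {
    cat > "$1/good.cf" <<'EOF'
# constructed sample ruleset
body     DEMO_ATTACH_SCANNER  /\*\*\* Attachment-Scanner: Status OK/i
describe DEMO_ATTACH_SCANNER  Constructed demo rule
score    DEMO_ATTACH_SCANNER  0.1
EOF
    cat > "$1/error.cf" <<'EOF'
<html>
<head>
<title>Error 500 Internal Server Error</title>
</head>
</html>
EOF
    # Starts like a ruleset but was cut off mid-line.
    printf '# constructed sample ruleset\nbody DEMO_ATT' > "$1/truncated.cf"
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    echo "truncated, curl 18, HTTP 200: $(check_download 18 200 "$d/truncated.cf")"
    echo "error page, HTTP 500:         $(check_download 0 500 "$d/error.cf")"
    echo "error page, HTTP 200:         $(check_download 0 200 "$d/error.cf")"
    echo "good ruleset, HTTP 200:       $(install_ruleset 0 200 "$d/good.cf" "$d/installed.cf")"
    rm -rf "$d"
}
demo
```

The content check cannot see a truncation that leaves valid-looking lines behind, so the transfer exit code (18 in the report above) has to be checked as well, and `spamassassin --lint` stays the last step before a restart.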


rule edit

2005-05-12 Thread Robert Swan

I am having trouble with a custom rule and wondered if
anyone know why this didn't work. I have pasted an error from sa-learn
and also the rule below. I am running Redhat 9 and Spamassassin 3.0.3

invalid regexp for rule VIRUS_SOBER5: /*** Attachment-Scanner: Status OK/i

body VIRUS_SOBER5 /*** Attachment-Scanner: Status OK/i
describe VIRUS_SOBER5 Body contains the string *** Attachment-Scanner: Status OK
score VIRUS_SOBER5 5

thanks in advance for not making fun of my inexperience,

Robert

Peace he would say instead of goodbyepeace my brother.


SA Performance under Solaris -w- Sendmail

2005-05-12 Thread leonard . gray

I've been experiencing and documenting
a pretty severe performance problem with SA versions 3.0.1 through 3.1x
(nightly) under Solaris 8 and 9, Perl 5.8.3.

We're running Sendmail 8.12.11, and
I've tried milters MimeDefang and Spamass-milter. 

I initially thought this problem was
related to the round-robin forking of spamd, but find that
the 3.1 nightly exhibits the same behavior (using the new pre-forking algorithms),
regardless of the number of spamd children (which MimeDefang doesn't appear
to use anyway).

My problem is that when running a test
load of about 350 messages through a test box (serially, so we're only
talking 1 message at a time), I see the CPU load peg out frequently, around
90% of the time. At other times during this cycle, the CPU load is
between 30 and 70 % which I'd call acceptable. In our production
environment, in which processing is not serial (multiple sendmail threads
running), the CPU load kills the machine dead in short order.

When MimeDefang is used as the milter,
I see a fairly even spread of CPU usage between user, system, and wait
times. With the spamass-milter, I see almost all of the CPU consumed
by user processing.

The SA results look much better
when we use spamass-milter / spamd, as I think MimeDefang doesn't round
the scores up.

I'm wondering if there's some kind of
Perl or Solaris tuning that I might need to do in order to
not kill the CPU so bad. I've tried niceing spamd, but
that really didn't do much for the problem.

Anyone have any ideas or suggestions
of places to look?

Thanks!


RE: rule edit

2005-05-12 Thread Gray, Richard
you'll need to escape the *
 
so 
 
body VIRUS_SOBER5   /\*\*\* Attachment-Scanner: Status OK/i

HTH

Richard




From: Robert Swan [mailto:[EMAIL PROTECTED] 
Sent: 12 May 2005 14:00
To: spamassassin-users@incubator.apache.org
Subject: rule edit



I am having trouble with a custom rule and wondered if anyone
know why this didn't work. I have pasted an error from sa-learn and also
the rule below. I am running Redhat 9 and Spamassassin 3.0.3

invalid regexp for rule VIRUS_SOBER5: /*** Attachment-Scanner: Status OK/i

body VIRUS_SOBER5   /*** Attachment-Scanner: Status OK/i
describe VIRUS_SOBER5   Body contains the string *** Attachment-Scanner: Status OK
score VIRUS_SOBER5  5

thanks in advance for not making fun of my inexperience,

Robert

Peace he would say instead of goodbyepeace my brother.


Re: rule edit

2005-05-12 Thread Tim Jackson
On Thu, 12 May 2005 09:00:10 -0400
Robert Swan [EMAIL PROTECTED] wrote:

 I am having trouble with a custom rule and wondered if anyone know why
 this didn't work. I have pasted an error from sa-learn and also the
 rule below.
 body VIRUS_SOBER5   /*** Attachment-Scanner: Status OK/i

You need to escape the asterisks, i.e.:

body VIRUS_SOBER5   /\*\*\* Attachment-Scanner: Status OK/i


Tim


Re: rule edit

2005-05-12 Thread wolfgang
hi Robert,

In an older episode (Thursday 12 May 2005 15:00), Robert Swan wrote:
 I am having trouble with a custom rule and wondered if anyone know why
 this didn't work. I have pasted an error from sa-learn and also the rule
 below. I am running Redhat 9 and Spamassassin 3.0.3
 
  
 
  
 
 invalid regexp for rule VIRUS_SOBER5: /*** Attachment-Scanner: Status
 OK/i

I assume, you want to detect the *** showing up in a mail.

try this:
body VIRUS_SOBER5   /\*\*\* Attachment-Scanner: Status OK/i

IMHO, you need to read more about regular expressions in perl, the character * 
has a special meaning, so you need to escape it if you want it to be matched 
by a regular expression.



Re: SA/RDJ/Bogus Virus Warnings Problem

2005-05-12 Thread Dimitri Yioulos
On Thursday May 12 2005 8:20 am, Tim Jackson wrote:
 On Thu, 12 May 2005 07:48:40 -0400

 Dimitri Yioulos [EMAIL PROTECTED] wrote:
  I've had RDJ fetching rules updates successfully until just
  recently.  It seems that some part of my set-up now chokes on
  downloading and installing Tim Jackson's Bogus Virus Warnings
  ruleset.

 Please feel free to contact me directly off-list if you think there's
 something up with my ruleset.

  I recently sent a message to Tim, but haven't gotten a response.

 I may be missing it in my ocean of e-mails in which case I apologise,
 but I don't appear to have a recent mail from you in my inbox.

  The following rules had errors:
  Tim Jackson's (et al) bogus virus warnings had an unknown error:
  curl exit code: 18
  curl: (18) transfer closed with 80982 bytes remaining to read
  200

 Did this by any chance happen on Sunday morning, when my host
 apparently had a weird crash?  Someone else the other day had the
 same thing.

  Lint output: config: SpamAssassin failed to parse line, skipping:
  html config: SpamAssassin failed to parse line, skipping: head
  config: SpamAssassin failed to parse line, skipping: titleError 500
  Internal Server Error [timj.co.uk]/title
  ...

 This bothers me a lot (and it looks like a generalised problem) and I am
 cc'ing Chris the RDJ maintainer. Chris, how is it that a download which
 has had a 500 error is managing to get saved to disk as a ruleset which
 SA then tries to use? Surely any 5xx error should mean that the
 downloaded page is discarded? Or did I screw something up? (a page with
 the title of Error 500 certainly *should* have been sent with a HTTP
 500 code)


 Anyway, Dimitri, as someone else has observed, thanks to the SARE
 hosts there is now a new URL for bogus-virus-warnings on
 rulesemporium.com, which you are welcome to use and which means it's
 not my fault if it doesn't work ;)

 http://www.rulesemporium.com/rules/bogus-virus-warnings.cf

 A recent RDJ update did include an update to this URL.

 Tim

Hi, Tim.

Thanks for your response (and that of Nick).  I'm taking the liberty of 
posting this on the SA list just in case I'm the one futzing up the send to 
you.

I am, indeed, using the latest incarnation of RDJ.

As I mentioned, I've used the SA/RDJ combination for some time, and it's 
worked fine, save for the period when I'd been blacklisted for inadvertently 
downloading Bogus Virus (I'm sure I was testing at the time; I'm happy you 
reinstated me).  Since reinstatement, I've had this problem.  I did update SA 
recently, but it seems to me I was having the problem prior to that.  My logs 
also seem to suggest that it's not an SA problem, though I'm by no means an 
SA expert.

Other than that, I'm not sure what I can add.

Oh yes, if I wget Bogus Virus, I seem to be OK.  But, of course, that defeats 
the purpose of RDJ.

Regards,

Dimitri


RE: rule edit

2005-05-12 Thread Robert Swan

Thanks all

Robert

Peace he would say instead of goodbyepeace my brother.

From: Robert Swan
Sent: Thursday, May 12, 2005 9:00 AM
To: spamassassin-users@incubator.apache.org
Subject: rule edit

I am having trouble with a custom rule and wondered if
anyone know why this didn't work. I have pasted an error from sa-learn
and also the rule below. I am running Redhat 9 and Spamassassin 3.0.3

invalid regexp for rule VIRUS_SOBER5: /*** Attachment-Scanner: Status OK/i

body VIRUS_SOBER5 /*** Attachment-Scanner: Status OK/i
describe VIRUS_SOBER5 Body contains the string *** Attachment-Scanner: Status OK
score VIRUS_SOBER5 5

thanks in advance for not making fun of my inexperience,

Robert

Peace he would say instead of goodbyepeace my brother.


Re: SA Performance under Solaris -w- Sendmail

2005-05-12 Thread Alex S Moore
[EMAIL PROTECTED] wrote:
I've been experiencing and documenting a pretty severe performance 
problem with SA versions 3.0.1 through 3.1x (nightly)  under Solaris 8 
and 9, Perl 5.8.3.

What is the simplest way for me to see this problem?  I use CSW packages 
for sendmail, MD, SA, perl and others.  Running Solaris 9 on a small 
V210 with dual sparc CPU and 2Gb ram.  I have not seen any large spikes 
in CPU usage, but my volumes may be too low.

I would like to simulate your test with MD.  I have spamass-milter 
available if needed.  Also, I have a single 360Mhz sparc Solaris 8 or 10 
box with plenty of ram available for testing, but it may be too far away 
from production horsepower.  I also have a dual 450Mhz sparc Solaris 10 
with plenty of ram that I can use for testing.  Actually, that one may 
be the simplest for me to use for a test.

Alex


Re: SpamCopURI not working

2005-05-12 Thread Stewart, John

This is killing me here dozens of spams this morning getting through
(with bayes, RDJ+SARE, razor, dcc). Without the SpamCopURI working, my
detection rate plummets.

Any ideas why SpamCopURI would only be querying multi.surbl.org even though
all of them are configured in my spamcop_uri.cf?

I'm using SA 2.6.4, but with a somewhat old version of perl... other than
that, everything is pretty up to date. Tried the latest Net::DNS, but no
change.

thanks!!

johnS

-Original Message-
From: Stewart, John 
Sent: Tuesday, May 10, 2005 11:33 AM
To: 'Jeff Chan'; SpamAssassin Users
Subject: RE: SpamCopURI not working, was RE: More Messed Up www URLs



Jeff Chan wrote:
 Have you tried spamassassin -D  some_message and spamassassin
 --lint?

SA lints fine... running it in debug mode, it appears to not be checking
anything but the multi records. See below.

I've grepped through /usr/share/spamassassin and /etc/mail/spamassasin, and
the only URI_RBL reference I find in any .cf file is in
/etc/mail/spamassasin/spamcop_uri.cf, which is the config file included with
SpamCopURI-0.25 (which has rules and scores for 7 different _URI_RBL's). The
only one I'm seeing *ever* hit in my logfiles is SPAMCOP_URL_RBL.

This is really killing my spam scanning performance...!

[...]
debug: using /usr/share/spamassassin for default rules dir
debug: using /etc/mail/spamassassin for site rules dir
debug: using /var/amavis/.spamassassin for user state dir
debug: using /var/amavis/.spamassassin/user_prefs for user prefs file
[...]
debug: Razor2 results: spam? 0  highest cf score: 0
debug: running raw-body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: uri tests: Done uriRE
debug: checking url: http://www.achat-montre-rolex.net./
debug: querying for achat-montre-rolex.net.multi.surbl.org

debug: Query failed for achat-montre-rolex.net.multi.surbl.org
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 2
debug: no match
debug: checking url: http://www.achat-montre-rolex.net./
debug: returning cached data :  achat-montre-rolex.net.multi.surbl.org -
ARRAY(0x9b20414)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 4
debug: no match
debug: checking url: http://www.achat-montre-rolex.net./
debug: returning cached data :  achat-montre-rolex.net.multi.surbl.org -
ARRAY(0x9b20414)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 32
debug: no match
debug: checking url: http://www.achat-montre-rolex.net./
debug: returning cached data :  achat-montre-rolex.net.multi.surbl.org -
ARRAY(0x9b20414)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 64
debug: no match
debug: checking url: http://www.achat-montre-rolex.net./
debug: returning cached data :  achat-montre-rolex.net.multi.surbl.org -
ARRAY(0x9b20414)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 16
debug: no match
debug: checking url: http://www.achat-montre-rolex.net./
debug: returning cached data :  achat-montre-rolex.net.multi.surbl.org -
ARRAY(0x9b20414)
debug: Receieved match prefix: 127.0.0
debug: Receieved mask: 8
debug: no match
debug: running full-text regexp tests; score so far=0
debug: Razor2 is available
[...]

I'll also attach the full debug run.

It just seems like SA is not testing all the surbl.org servers.

johnS



Re: [SPAM-TAG] Re: SpamCopURI not working

2005-05-12 Thread Jeff Chan
On Thursday, May 12, 2005, 7:02:47 AM, John Stewart wrote:

 This is killing me here dozens of spams this morning getting through
 (with bayes, RDJ+SARE, razor, dcc). Without the SpamCopURI working, my
 detection rate plummets.

 Any ideas why SpamCopURI would only be querying multi.surbl.org even though
 all of them are configured in my spamcop_uri.cf?

 I'm using SA 2.6.4, but with a somewhat old version of perl... other than
 that, everything is pretty up to date. Tried the latest Net::DNS, but no
 change.

 thanks!!

 johnS

Please see my previous response.  multi is the only list that
should be checked.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
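
Why the debug output earlier in this thread shows one multi.surbl.org lookup followed by six mask checks: the combined list answers with a single 127.0.0.x address, and each rule tests one bit of the last octet against the cached answer. This is an added sketch, not SpamCopURI or SpamAssassin code; the function names and the sample answers are constructed.

```shell
#!/bin/sh
# Added example, not SpamCopURI or SpamAssassin code; names are hypothetical.

# multi_query_name DOMAIN: the single DNS name looked up for DOMAIN.
multi_query_name() {
    domain=${1%.}                    # drop a trailing root dot
    echo "$domain.multi.surbl.org"
}

# surbl_hits A_RECORD
# Prints which of the masks 2 4 8 16 32 64 (the ones in the debug log) are
# set in the last octet of a 127.0.0.x answer.
# Returns 0 if any bit is set, 1 if none is set or there was no answer,
# 2 if the answer is not of the form 127.0.0.x.
surbl_hits() {
    addr=$1
    if [ -z "$addr" ]; then          # query failed: domain is not listed
        echo ""
        return 1
    fi
    [ "${addr%.*}" = "127.0.0" ] || return 2
    octet=${addr##*.}
    case $octet in
        ''|*[!0-9]*|0?*) return 2 ;; # not a plain decimal number
    esac
    [ "$octet" -le 255 ] || return 2
    hits=
    for mask in 2 4 8 16 32 64; do
        if [ $(( octet & mask )) -ne 0 ]; then
            hits="$hits${hits:+ }$mask"
        fi
    done
    echo "$hits"
    [ -n "$hits" ]
}

# rule_fires A_RECORD MASK: succeeds if the rule with that mask would match.
rule_fires() {
    case " $(surbl_hits "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed answers: 84 = 64 + 16 + 4, so three rules share one lookup.
echo "query name:            $(multi_query_name example.com.)"
echo "127.0.0.84 sets masks: $(surbl_hits 127.0.0.84)"
echo "127.0.0.64 sets masks: $(surbl_hits 127.0.0.64)"
```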



Re: my internal server is making records in the AWL

2005-05-12 Thread Arvinn Løkkebakken

James R wrote:
Arvinn Løkkebakken wrote:

Arvinn Løkkebakken wrote:
How can that happen? Anybody else here with the same experience?


Are we talking about a bug here? I would really like to know if this 
is a problem in my setup or if others are experiencing the same..

Arvinn

What's the problem? Looks like, in your example, the user wasn't found 
in the AWL table, and was added. The mail scored some 23 pts, and was 
added to the awl table with that score. AWL isn't a whitelist nor a 
black list.
http://wiki.apache.org/spamassassin/AwlWrongWay
http://wiki.apache.org/spamassassin/AutoWhitelist

I know perfectly well what AWL is. My question doesn't have anything to 
do with the score.
It's not right behaviour. Read subject and logs again.

The mail was relayed to my scanner through my relay which is internal. 
The log says so too. It's NOT right behaviour to then make a record in 
AWL with the /16 network that my internal server belongs to, instead of 
the /16 network, which of the ip that sent the mail to my relay, belongs to.

If this was right behaviour, all records in AWL would have been from the 
same network. Get it?

Arvinn


Suddenly load average of 15-18???

2005-05-12 Thread Thomas Cameron
All -
spamc is suddenly bringing my mail server to its knees.
Running RHEL 4 with the spamassassin-3.0.1-0.EL4 (supplied by Red Hat) and 
spamass-milter-0.3.0-3 (I made that RPM) along with razor-agents-2.67-0, 
dcc-1.3.0-0 and pyzor-0.4.0-0.

All of a sudden about two days ago spamc processes were chewing up the 
machine - sendmail was actually rejecting messages because the load average 
was so high!  This is a machine that is only used for about 6 users...  It 
only handles around a thousand to two thousand messages a day.  I am the 
only admin on it and nothing has changed.

Here is my local.cf:
--- begin ---
required_score 5
report_safe 1
rewrite_header subject **SPAM** _SCORE_
ok_languages en
ok_locales en
use_dcc 1
use_pyzor 1
use_razor2 1
whitelist_from_rcvd [EMAIL PROTECTED]
whitelist_from_rcvd [EMAIL PROTECTED]
score ALL_TRUSTED 0 0 0 0
--- end ---
Here are the relevant lines from my sendmail.mc:
--- begin ---
INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, 
T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, 
{if_addr}')dnl

INPUT_MAIL_FILTER(`clamav-milter', 
`S=local:/var/run/clamav/clamav-milter.sock, F=T,T=S:4m;R:4m;E:10m')

--- end ---
I have no idea why it is doing this...  It was working fine and then this 
happened sort of out of the blue.  Any pointers?

Thanks!
Thomas 



Re: my internal server is making records in the AWL

2005-05-12 Thread James R
Arvinn Løkkebakken wrote:

James R wrote:
Arvinn Løkkebakken wrote:

Arvinn Løkkebakken wrote:
How can that happen? Anybody else here with the same experience?


Are we talking about a bug here? I would really like to know if this 
is a problem in my setup or if others are experiencing the same..

Arvinn

What's the problem? Looks like, in your example, the user wasn't found 
in the AWL table, and was added. The mail scored some 23 pts, and was 
added to the awl table with that score. AWL isn't a whitelist nor a 
black list.
http://wiki.apache.org/spamassassin/AwlWrongWay
http://wiki.apache.org/spamassassin/AutoWhitelist

I know perfectly well what AWL is. My question doesn't have anything to 
do with the score.
It's not right behaviour. Read subject and logs again.

The mail was relayed to my scanner through my relay which is internal. 
The log says so too. It's NOT right behaviour to then make a record in 
AWL with the /16 network that my internal server belongs to, instead of 
the /16 network, which of the ip that sent the mail to my relay, belongs 
to.

If this was right behaviour, all records in AWL would have been from the 
same network. Get it?

Arvinn

Sorry, without all of the information you'll find it hard for anyone to 
help you. What version of SA are you using? What is calling spamd? What 
mail software?

I've looked at 3 other systems, and none have the internal private ip 
address in the AWL. I'm using the 192.168 range of IPs locally, and on 
the other systems. Your subject was also vague, and a bunch of logs 
without all of the info is also very vague. I'm running 3.0.3 btw, MySQL, 
AWL, Bayes, user_prefs.

However, I do see my *public* ip address in the AWL, your ip address in 
the logs you gave, if I'm not mistaken, is a public ip address. Even 
with my trusted networks set, I still see those trusted server's ip 
addresses end up in the AWL, which to me, isn't a bug.

tho, I could be completely wrong.
--
Thanks,
James


Re: Suddenly load average of 15-18???

2005-05-12 Thread Stephen M. Przepiora
Take a look at the switches you have in /etc/init.d/spamassassin change 
them to only run 5 processes and to die off after 15 or twenty scans.
-m5 --max-conn-per-child=5
Steve

Thomas Cameron wrote:
All -
spamc is suddenly bringing my mail server to its knees.
Running RHEL 4 with the spamassassin-3.0.1-0.EL4 (supplied by Red Hat) 
and spamass-milter-0.3.0-3 (I made that RPM) along with 
razor-agents-2.67-0, dcc-1.3.0-0 and pyzor-0.4.0-0.

All of a sudden about two days ago spamc processes were chewing up the 
machine - sendmail was actually rejecting messages because the load 
average was so high!  This is a machine that is only used for about 6 
users...  It only handles around a thousand to two thousand messages a 
day.  I am the only admin on it and nothing has changed.

Here is my local.cf:
--- begin ---
required_score 5
report_safe 1
rewrite_header subject **SPAM** _SCORE_
ok_languages en
ok_locales en
use_dcc 1
use_pyzor 1
use_razor2 1
whitelist_from_rcvd [EMAIL PROTECTED]
whitelist_from_rcvd [EMAIL PROTECTED]
score ALL_TRUSTED 0 0 0 0
--- end ---
Here are the relevant lines from my sendmail.mc:
--- begin ---
INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')dnl

define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl

INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav/clamav-milter.sock, F=T,T=S:4m;R:4m;E:10m')

--- end ---
I have no idea why it is doing this...  It was working fine and then 
this happened sort of out of the blue.  Any pointers?

Thanks!
Thomas




SA 3.0.3 SURBL problem

2005-05-12 Thread Mick Szucs
Hello,
SpamAssassin 3.0.3 on Fedora Core 2.
I'm trying to set up SURBL from the instructions at www.surbl.org
I've added:
urirhssub URIBL_JP_SURBL  multi.surbl.org.  A   64
body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    URIBL_JP_SURBL  net
score     URIBL_JP_SURBL  3.0
to /etc/mail/spamassassin/local.cf
SpamAssassin -D --lint says:
config: SpamAssassin failed to parse line, skipping: urirhssub URIBL_JP_SURBL  multi.surbl.org.  A   64
Failed to run URIBL_JP_SURBL SpamAssassin test, skipping:
   (Can't locate object method "check_uridnsbl" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/PerMsgStatus.pm line 2340.)

Any assistance would be greatly appreciated!
Regards,
Mick


Re: SA Performance under Solaris -w- Sendmail

2005-05-12 Thread Alex S Moore
[EMAIL PROTECTED] wrote:
I've been experiencing and documenting a pretty severe performance 
problem with SA versions 3.0.1 through 3.1x (nightly)  under Solaris 8 
and 9, Perl 5.8.3.

This may not be much help.  I put 573 messages in a subfolder and ran 
the following script.  I watched `prstat -n 10 2` and the typical and 
highest output follows.  It seemed fine to me.  The script, MD and 
everything was on a V210, which is also my courier-imap server and 
exports the home directories.  While the script was dumping messages, 
courier was fine.  Also clamav was running from clamav-milter and MD 
also runs clamav using clamd.sock.  Should I disable clamav for this test?

Are you running MD with embedded perl?  That may not help for your 
tests, but it should help in production.  Have you considered using the 
CSW packages from www.blastwave.org?  Everything that you need should be 
available there and I do recommend MIMEDefang instead of spamass-milter. 
 Maybe the CSW packages are compiled differently from what you have.

Also, you did not give a summary of your hardware.  My small V210 is 
dual CPU with 2Gb ram with RAID1 for most directories, including 
/export/home and using Solaris Volume Manager.

---
The script:
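#!/bin/sh
# Feed every message in the hold folder to sendmail, one at a time.
cd /export/home/amoore/Maildir/.Mail.Hold/cur || exit 1
for file in *
do
    # Redirect the file instead of piping it through cat; quoting
    # protects Maildir file names that contain unusual characters.
    /opt/csw/lib/sendmail -f [EMAIL PROTECTED] [EMAIL PROTECTED] < "$file"
done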

---
A couple of outputs from prstat:
[EMAIL PROTECTED] /]# prstat -n 10 2
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
  7039 defang     47M   40M cpu1    30    0   0:01:36  20% mimedefang-mult/1
  6097 root     6136K 4744K sleep   59    0   0:01:56 0.5% fam/1
 28308 defang     15M   10M sleep   59    0   0:00:11 0.3% clamd/3
   217 root      124M  123M sleep   59    0   1:26:55 0.2% automountd/2
 10506 root     4656K 4336K cpu0    59    0   0:00:00 0.2% prstat/1
  7466 root       14M 3184K sleep   49    0   0:00:01 0.2% sendmail/1
  8345 defang     37M   31M sleep   59    0   0:00:21 0.2% mimedefang-mult/1
 11068 root      108M  106M sleep   59    0   0:05:30 0.1% nscd/22
 11022 amoore   7264K 4336K sleep   54    0   0:00:00 0.1% sendmail/1
 17701 root     6360K 5032K sleep   59    0   0:00:20 0.1% authdaemond/1
Total: 117 processes, 253 lwps, load averages: 0.67, 0.46, 0.25
[EMAIL PROTECTED] /]# prstat -n 10 2
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
  7039 defang     48M   40M run      9    0   0:01:41  21% mimedefang-mult/1
  9387 defang     38M   28M run     11    0   0:00:01 3.8% mimedefang-mult/1
 11066 defang     38M   26M sleep   50    0   0:00:00 1.6% mimedefang-mult/1
  6097 root     6136K 4744K sleep   59    0   0:01:56 0.6% fam/1
 28308 defang     15M   10M sleep   59    0   0:00:11 0.5% clamd/3
 11172 defang     37M   17M cpu0    29    0   0:00:00 0.4% mimedefang-mult/1
 11047 root       15M 5352K sleep   59    0   0:00:00 0.2% sendmail/1
  7466 root       14M 3184K sleep   38    0   0:00:01 0.2% sendmail/1
  8357 defang   4240K 1344K sleep   59    0   0:01:22 0.2% mimedefang/6
 11168 amoore   7248K 4320K sleep   39    0   0:00:00 0.1% sendmail/1
Total: 130 processes, 271 lwps, load averages: 0.88, 0.51, 0.27
[EMAIL PROTECTED] /]#

---
The MD process that seemed to do most of the work:
May 12 10:00:09 mcsrv5 mimedefang-multiplexor[8345]: [ID 638987 
mail.info] Slave 0 resource usage: req=500, scans=500, user=184.580, 
sys=8.680, nswap=0, majflt=0, minflt=0, maxrss=0, bi=0, bo=0

--
Alex


Re: Suddenly load average of 15-18???

2005-05-12 Thread Loren Wilton
Usually a high load average means that a spamd child suddenly (or possibly
slowly) got fat, and you are out of memory and thrashing to beat the band.
The two most common causes of this seem to be Bayes expiry runs and Awl
expiry runs.  Sometimes though it can seemingly happen from some unknown
sequence of mail messages.

How many children are you running?  What is the max lifetime (messages
processed) per child?  Limiting to probably 5 children, or maybe even less
in your case with so few users, and limiting to maybe 20-100 connections per
child will probably work around your problems.

Oh, I'm assuming you have at least 512M or so.  If not, you might want to
cut down to only a couple of children, and definitely go with the lower
number of connections per child.

Loren



RE: [SPAM-TAG] RE: SpamCopURI not working, was RE: More Messed Up www URLs

2005-05-12 Thread Stewart, John

 Your configuration and installation are fine.  multi.surbl.org is
 the only list that should be checked, as it's the combined list
 with all other SURBL lists included:
 
   http://www.surbl.org/lists.html#multi


Aha! I think I've found the problem. The behaviour for SpamCopURI must have
changed between 0.14 and 0.25. I suspect that with the new version, it moved
to using the multi server instead of querying them individually.

It's a very cool DNS hack... however, it appears to be a problem with our
forwarding nameserver. We've got a firewall box which also is our external
DNS server, and forwarding nameserver for our internal boxes (of which our
SA box is one).

So, when querying achat-montre-rolex.net.ob.surbl.org, it gets 127.0.0.2
just fine.

However, when querying achat-montre-rolex.net.multi.surbl.org, the firewall
appears to decide that the answer is within a zone it has authority over,
and rejects it (returning NXDOMAIN to the internal DNS servers).

I'm going to look into figuring out how to allow these queries through
properly; I'm sure that's the problem.

thank you!

johnS




Re: Uncatched spam and rules weith modification..

2005-05-12 Thread Frederic Goudal

Robert Menschel [EMAIL PROTECTED]
 Cc: SPAMassassin Users users@spamassassin.apache.org
 Date: Wed, 11 May 2005 19:07:50 PDT
 Subject: Re: Uncatched spam and rules weith modification..

Hello Frederic,

FG X-spam-status: No, hits=5.312 tagged_above=-999 required=6.31 
tests=BAYES_99,
FG  RCVD_HELO_IP_MISMATCH, RCVD_NUMERIC_HELO
that does score high enough to be classified as spam, but you or your
administrator have raised the required score from 5.0 to 6.31.

It is what is put in Amavisd config.  I will maybe lower it a bit.



If your Bayes database is reliable and stable, bump the score for
BAYES_99.  

In fact I forgot to upgrade to SA 3.0.3 which bumps bayes a lot.
But from my own mail it seems that bayes_99 never hits a false positive.


Or look into adopting some of SARE's rules files, at
http://www.rulesemporium.com (or other custom files available via the
wiki).

I have most of sare rules, but I have not seen a set for stock ads..

Thanks for the advice

f.g.




RE: [SARE] obfu rule set update

2005-05-12 Thread Jack L. Stone
At 09:19 AM 5.12.2005 +0100, Chris Russell wrote:



Trying to Update this morning gives:

Lint output: warning: description exists for non-existent rule
SARE_OBFU_SPL_ORDERING
lint: 1 issues detected.  please rerun with debug enabled for more
information.

Cheers,

Chris


Am running FBSD-4.11 and SA-3.03_3
I find that same problem. Also, when I open the rule with an editor, I see
the file is filled with those DOS carriage returns - ^M

When I remove them, then the --lint sees 9 problems.


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: SA Performance under Solaris -w- Sendmail

2005-05-12 Thread Alex S Moore
[EMAIL PROTECTED] wrote:
I've been experiencing and documenting a pretty severe performance 
problem with SA versions 3.0.1 through 3.1x (nightly)  under Solaris 8 
and 9, Perl 5.8.3.
Ran the test differently and got different results.  I sent the 573 
messages from a different host.  Both the send and the processing in MD 
finished in a fraction of the time required for my earlier test. 
Everything still seemed fine.  What do you think?


highest and typical prstat output:
[EMAIL PROTECTED] tmp]$ prstat -n 18 2
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
 13757 defang     40M   32M run     33    0   0:00:16 7.0% mimedefang-mult/1
  9387 defang     41M   33M run     32    0   0:00:28 5.6% mimedefang-mult/1
 13734 defang     40M   32M run     32    0   0:00:17 5.6% mimedefang-mult/1
 13732 defang     40M   31M run     33    0   0:00:17 5.2% mimedefang-mult/1
 13738 defang     40M   31M run     55    0   0:00:17 4.7% mimedefang-mult/1
 13835 defang     40M   31M run     29    0   0:00:15 4.7% mimedefang-mult/1
 13736 defang     40M   31M run     32    0   0:00:16 4.4% mimedefang-mult/1
 13851 defang     40M   31M run     39    0   0:00:14 4.3% mimedefang-mult/1
 13854 defang     39M   31M cpu0    49    0   0:00:11 3.3% mimedefang-mult/1
 15675 defang     38M   28M sleep   53    0   0:00:02 3.2% mimedefang-mult/1
 28308 defang     15M   11M sleep   59    0   0:00:21 2.3% clamd/4
 16192 root     2280K 1064K sleep   59    0   0:28:27 0.4% nfsd/5
  7466 root       14M 3184K run     30    0   0:00:02 0.4% sendmail/1
   232 root     3816K 1376K sleep   59    0   0:03:27 0.4% syslogd/15
 17701 root     6544K 5216K sleep   59    0   0:00:22 0.3% authdaemond/1
  8345 defang     37M   31M sleep   59    0   0:00:23 0.3% mimedefang-mult/1
 15620 amoore   4672K 4360K cpu1    59    0   0:00:00 0.2% prstat/1
  6097 root     6136K 4744K sleep   59    0   0:02:16 0.2% fam/1
Total: 138 processes, 297 lwps, load averages: 6.47, 2.95, 1.21
[EMAIL PROTECTED] tmp]$ prstat -n 18 2
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
  9387 defang     44M   36M cpu0    10    0   0:00:59  22% mimedefang-mult/1
 28308 defang     15M   11M sleep   59    0   0:00:23 1.0% clamd/4
 16062 root       15M 5368K sleep   47    0   0:00:01 0.9% sendmail/1
  8357 defang   4632K 2152K sleep   59    0   0:01:30 0.5% mimedefang/3
 13854 defang     41M   32M sleep   59    0   0:00:15 0.3% mimedefang-mult/1
 13757 defang     40M   32M sleep   59    0   0:00:20 0.3% mimedefang-mult/1
 13835 defang     40M   32M sleep   59    0   0:00:19 0.2% mimedefang-mult/1
 13851 defang     40M   31M sleep   59    0   0:00:17 0.2% mimedefang-mult/1
 13738 defang     40M   32M sleep   59    0   0:00:20 0.2% mimedefang-mult/1
 13732 defang     40M   32M sleep   59    0   0:00:21 0.2% mimedefang-mult/1
 13736 defang     41M   32M sleep   59    0   0:00:19 0.2% mimedefang-mult/1
 16048 amoore   4672K 4368K cpu1    59    0   0:00:00 0.2% prstat/1
 13734 defang     40M   32M sleep   59    0   0:00:21 0.2% mimedefang-mult/1
 28314 defang   6688K 2336K sleep   59    0   0:00:03 0.2% clamav-milter/3
 15675 defang     38M   29M sleep   59    0   0:00:05 0.2% mimedefang-mult/1
  6097 root     6136K 4744K sleep   59    0   0:02:16 0.1% fam/1
 17700 root     4056K 2728K sleep   59    0   0:00:03 0.1% authdaemond/1
  8345 defang     37M   31M sleep   59    0   0:00:23 0.1% mimedefang-mult/1
Total: 120 processes, 262 lwps, load averages: 3.26, 3.02, 1.42
[EMAIL PROTECTED] tmp]$ /


log for MD process that did most of the work:
May 12 10:47:05 mcsrv5 mimedefang-multiplexor[8345]: [ID 638987 
mail.info] Slave 1 resource usage: req=500, scans=500, user=233.180, 
sys=10.460, nswap=0, majflt=0, minflt=0, maxrss=0, bi=0, bo=0


Alex



Re: SA 3.0.3 SURBL problem - resolved

2005-05-12 Thread Mick Szucs
Mick Szucs wrote:
SpamAssassin 3.0.3 on Fedora Core 2.
I'm trying to set up SURBL from the instructions at www.surbl.org

Thank you to Martin Hepworth who pointed out that the plugin needs to be 
loaded via /etc/mail/spamassassin/init.pre:

$ cat /etc/mail/spamassassin/init.pre
# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

If this is documented somewhere, I couldn't find it.  Seems that the RPM 
I'm running from didn't include init.pre, though the tarball 
distribution does.

Thanks!
Mick


RE: spammer is using html code for spamming

2005-05-12 Thread martin smith
M -Original Message-
M From: Eddy Beliveau [mailto:[EMAIL PROTECTED] 
M Sent: 12 May 2005 16:49
M To: users@spamassassin.apache.org
M Subject: spammer is using html code for spamming
M
M Hi!
M
M I'm using spamassassin 2.64 with success
M
M I'm having problem catching some specific spammer.
M
M He is using html codes to generate his page. Each row of text 
M is composed of word segments generated from many table row
M
M Is there some rule who can catch this kind of spammers ?
M
M Thanks,
M Eddy
M
M   Sa  p To 80   OF   R'eta   il Pri  ces With ED-D  
M   ve U % F  rugs!   
M
M
I have a rule which tagged this, if u want to give it a go.

body MS_Body_Hide_DRUG /\b(?:R[!a-z]?eta il|P[!a-z]?ri ces|V.?I RA|C[!a-z]?I S|(?:V|U)L AM|U[!a-z]?LTRAM|S[!a-z]?MA)\b/I

score MS_Body_Hide_DRUG 2.5

describe MS_Body_Hide_DRUG Trying to hide prescription drugs

Martin



SQL Question

2005-05-12 Thread Alan Munday
I've been looking through the SA SQL docs and can only see references to 
spamc/spamd use of SQL.
Can I just confirm that SQL can be used with spamassassin as well?
Thanks
Alan


Re: [SARE] obfu rule set update

2005-05-12 Thread Loren Wilton
 Am running FBSD-4.11 and SA-3.03_3
 I find that same problem. Also, when I open the rule with an editor, I see
 the file is filled with those DOS carriage returns - ^M

 When I remove them, then the --lint sees 9 problems.

Strange.  SA normally doesn't care beans about dos CRs in the rules files.
I edit them that way all the time with no problems.

It does sound like we screwed up and got a misspelling or missing rule into
the final file.  I suspect Bob will have it fixed reasonably soon, although
perhaps not until this evening.

Loren



RE: spammer is using html code for spamming

2005-05-12 Thread martin smith
 Whoops outlook capitalised this wrong with an I instead of i at the end.

This is what it should have been;

body MS_Body_Hide_DRUG /\b(?:R[!a-z]?eta il|P[!a-z]?ri ces|V.?I RA|C[!a-z]?I S|(?:V|U)L AM|U[!a-z]?LTRAM|S[!a-z]?MA)\b/i
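What the corrected rule hits and misses, as an added example that is not part of the thread. It transcribes the posted regex into Python's re module instead of Perl, and it assumes that SpamAssassin collapses runs of whitespace before body rules run; the function names and all sample lines except the one quoted from the post are constructed.

```python
import re

# The corrected rule from the post above (the /i version), transcribed
# as a Python pattern. Python's re stands in for Perl here.
RULE = re.compile(
    r"\b(?:R[!a-z]?eta il|P[!a-z]?ri ces|V.?I RA|C[!a-z]?I S"
    r"|(?:V|U)L AM|U[!a-z]?LTRAM|S[!a-z]?MA)\b",
    re.IGNORECASE,
)


def normalize(text):
    """Collapse whitespace runs to one space.

    Assumption: this mirrors what SpamAssassin does to rendered body
    text before body rules are applied.
    """
    return re.sub(r"\s+", " ", text).strip()


def rule_hits(text):
    """Return every substring of the normalized text the rule matches."""
    return [m.group(0) for m in RULE.finditer(normalize(text))]


# First line of the sample quoted in the original post, as it appears there.
PAGE_SAMPLE = "Sa  p To 80   OF   R'eta   il Pri  ces With ED-D"

# Constructed samples: one obfuscated line and two legitimate ones.
CONSTRUCTED = [
    ("split words", "Sa ve Up To 80% OFF Reta  il Pri   ces"),
    ("legit, unsplit words", "Our retail prices are unchanged."),
    ("legit, three-letter acronym", "The antenna has an SMA connector."),
]


def evaluate():
    """Run the rule over the quoted sample and the constructed ones."""
    rows = [("sample from the post", rule_hits(PAGE_SAMPLE))]
    rows += [(label, rule_hits(text)) for label, text in CONSTRUCTED]
    return rows


if __name__ == "__main__":
    for label, hits in evaluate():
        print(f"{label:30} {hits}")
```

The last constructed line shows the cost of the short S[!a-z]?MA alternative combined with /i: it also fires on ordinary mail containing "SMA", which is worth weighing against the 2.5 score.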



Re: SQL Question

2005-05-12 Thread Michael Parker
On Thu, May 12, 2005 at 05:16:19PM +0100, Alan Munday wrote:
 
 I've been looking through the SA SQL docs and can only see references to 
 spamc/spamd use of SQL.
 
 Can I just confirm that SQL can be used with spamassassin as well?

Only for Bayes and AWL, userprefs in SQL requires the use of spamd.

Michael




RE: [SOLVED] Re: Suddenly load average of 15-18???

2005-05-12 Thread Jon Dossey
 From: Thomas Cameron [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 12, 2005 11:38 AM
 To: spamassassin-users; spamass-milt-list@nongnu.org
 Subject: [SOLVED] Re: Suddenly load average of 15-18???
 
 OK, this is a weird solution...  I rebooted the server and all the
 problems went away.  It's chuffing along happily now.
 
 Memory leak, maybe?


What kind of hardware?  Are you scanning zips?  I had to just start
blocking zip attachments all together until these virii settle down a
bit.


.jon



Re: SQL Question

2005-05-12 Thread Alan Munday
Michael Parker wrote the following on 12/05/2005 17:37:
On Thu, May 12, 2005 at 05:16:19PM +0100, Alan Munday wrote:
I've been looking through the SA SQL docs and can only see references to 
spamc/spamd use of SQL.

Can I just confirm that SQL can be used with spamassassin as well?

Only for Bayes and AWL, userprefs in SQL requires the use of spamd.
Michael
Michael
Thanks, though I can't seem to find the Docs that cover bayes/AWL setup on the 
Wiki or apache site.
Are there any docs that are considered definitive around?
Alan



Re: Suddenly load average of 15-18???

2005-05-12 Thread Thomas Cameron
On Thu, 2005-05-12 at 11:19 -0400, Stephen M. Przepiora wrote:
 Take a look at the switches you have in /etc/init.d/spamassassin change 
 them to only run 5 processes and to die off after 15 or twenty scans.
 -m5 --max-conn-per-child=5
 Steve

I just tried that and as soon as I restarted everything the load shot up
to ~ 6.  I had to kill everything and remove the SA milter.

I'd like to figure out what the root cause is rather than band-aid the
symptom.  Anyone have any ideas why this would suddenly start?

Thomas



Re: Suddenly load average of 15-18???

2005-05-12 Thread Thomas Cameron
On Thu, 2005-05-12 at 08:31 -0700, Loren Wilton wrote: 
 Usually a high load average means that a spamd child suddenly (or possibly
 slowly) got fat, and you are out of memory and thrashing to beat the band.
 The two most common causes of this seem to be Bayes expiry runs and Awl
 expiry runs.  Sometimes though it can seemingly happen from some unknown
 sequence of mail messages.

Is there something I should/could do about these expiry runs?  It seems
odd that it's been like this for a couple of days now...  How could I
know that this was the issue?

 How many children are you running?  What is the max lifetime (messages
 processed) per child?  Limiting to probably 5 children, or maybe even less
 in your case with so few users, and limiting to maybe 20-100 connections per
 child will probably work around your problems.

My rc file has this:

SPAMDOPTIONS="-d -c -m5 --max-conn-per-child=5 -H"

I just added the --max-conn-per-child=5 per Stephen Przepiora's
suggestion but that didn't seem to help.

 Oh, I'm assuming you have at least 512M or so.  If not, you might want to
 cut down to only a couple of children, and definitely go with the lower
 number of connections per child.

Yes, I have 512M.  As I said - this has been working flawlessly since
the server was installed several weeks ago.  It just suddenly went
bonkers a couple of days ago.

Thomas



Re: Suddenly load average of 15-18???

2005-05-12 Thread Christoph Petersen
Hi,

Thomas Cameron wrote:
 I just tried that and as soon as I restarted everything the load shot up
 to ~ 6.  I had to kill everything and remove the SA milter.
 
 I'd like to figure out what the root cause is rather than band-aid the
 symptom.  Anyone have any ideas why this would suddenly start?
 

Do you use the sa-blacklist? I've recently had problems with it. My load
was getting very high.

 Thomas

Greets
Christoph




Re: Suddenly load average of 15-18???

2005-05-12 Thread Thomas Cameron
On Thu, 2005-05-12 at 18:10 +0200, Christoph Petersen wrote:
 Hi,
 
 Thomas Cameron wrote:
  I just tried that and as soon as I restarted everything the load shot up
  to ~ 6.  I had to kill everything and remove the SA milter.
  
  I'd like to figure out what the root cause is rather than band-aid the
  symptom.  Anyone have any ideas why this would suddenly start?
  
 
 Do you use the sa-blacklist? I've recently had problems with it. My load
 was getting very high.

I have done nothing past the initial installation and adding spamass-
milter...  This is about as vanilla an installation as you can get.

Thomas



[SOLVED] Re: Suddenly load average of 15-18???

2005-05-12 Thread Thomas Cameron
OK, this is a weird solution...  I rebooted the server and all the
problems went away.  It's chuffing along happily now.

Memory leak, maybe?

Thomas



[OT]Appropriate OS and other software to work with SA

2005-05-12 Thread Ben Wylie
Currently I am running my mailserver on a windows box.
I have just bought a new server and will probably be running CentOS on it. I
would like to migrate my mailserver onto this linux box so that hopefully I
will be able to get a faster, more stable system.

I'm looking for advice as to what the 'standard' setup is for a linux based
mailserver if there is such a thing.

I'm looking for a comprehensive mailserver setup with pop3, smtp, imap
supporting multiple domains, users and aliases, with the ability to make
filtering rules, rules to backup all messages, SA integration with mysql.

I have heard of things like procmail and milter and other things, but don't
really know anything about them. I know I have a lot of learning to do as
the only experience I have of linux so far is cygwin.

Is there a standard combination of programs used as a mailserver as I hope?

Thanks for your help,
Ben




RE: [SOLVED] Re: Suddenly load average of 15-18???

2005-05-12 Thread Thomas Cameron
On Thu, 2005-05-12 at 11:46 -0500, Jon Dossey wrote:
  From: Thomas Cameron [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 12, 2005 11:38 AM
  To: spamassassin-users; spamass-milt-list@nongnu.org
  Subject: [SOLVED] Re: Suddenly load average of 15-18???
  
  OK, this is a weird solution...  I rebooted the server and all the
  problems went away.  It's chuffing along happily now.
  
  Memory leak, maybe?
 
 
 What kind of hardware?  Are you scanning zips?  I had to just start
 blocking zip attachments all together until these virii settle down a
 bit.
 
 
 .jon
 


It's just a plain Jane P-III 800MHz with 512MB memory on a 7-disk RAID 5
Ultra 160 SCSI array.  I have not disabled scanning of zip files.

It is running just fine now.  Very odd.

Thomas



Re: Suddenly load average of 15-18???

2005-05-12 Thread Thomas Cameron
On Thu, 2005-05-12 at 10:53 -0500, Dan Nelson wrote:
 In the last episode (May 12), Thomas Cameron said:
  spamc is suddenly bringing my mail server to its knees.
  
  Running RHEL 4 with the spamassassin-3.0.1-0.EL4 (supplied by Red Hat) and 
  spamass-milter-0.3.0-3 (I made that RPM) along with razor-agents-2.67-0, 
  dcc-1.3.0-0 and pyzor-0.4.0-0.
  
  All of a sudden about two days ago spamc processes were chewing up
  the machine - sendmail was actually rejecting messages because the
  load average was so high!  This is a machine that is only used for
  about 6 users...  It only handles around a thousand to two thousand
  messages a day.  I am the only admin on it and nothing has changed.
 
 What's the average processing time for a message, and are you using any
 -i flags on your spamass-milter commandline?  Grep your maillog for
 "in .* seconds", to get the timings.  If they're all under 10 seconds
 or so and you're not using -i, check for things like mail loops, or
 large outgoing mail bursts.  

It was up around 50-60 seconds per message.  I rebooted the machine and
it has cleared up.

Thanks for the help!

Thomas



Re: SQL Question

2005-05-12 Thread Kevin Peuhkurinen
Alan Munday wrote:
Thanks, though I can't seem to find the Docs that cover bayes/AWL setup 
on the Wiki or apache site.

Are there any docs that are considered definitive around?
Look at http://spamassassin.apache.org/full/3.0.x/dist/doc/ for file 
names that end in SQL.

Kevin


Re: [OT]Appropriate OS and other software to work with SA

2005-05-12 Thread James R
Ben Wylie wrote:
Currently I am running my mailserver on a windows box.
I have just bought a new server and will probably be running CentOS on it. I
would like to migrate my mailserver onto this linux box so that hopefully I
will be able to get a faster, more stable system.
I'm looking for advice as to what the 'standard' setup is for a linux based
mailserver if there is such a thing.
I'm looking for a comprehensive mailserver setup with pop3, smtp, imap
supporting multiple domains, users and aliases, with the ability to make
filtering rules, rules to backup all messages, SA integration with mysql.
I have heard of things like procmail and milter and other things, but don't
really know anything about them. I know I have a lot of learning to do as
the only experience I have of linux so far is cygwin.
Is there a standard combination of programs used as a mailserver as I hope?
Thanks for your help,
Ben


Add ClamAV to your list: http://www.clamav.net
--
Thanks,
James


Re: SQL Question

2005-05-12 Thread Alan Munday
Kevin Peuhkurinen wrote the following on 12/05/2005 18:03:
Alan Munday wrote:
Look at http://spamassassin.apache.org/full/3.0.x/dist/doc/ for file 
names that end in SQL.

Kevin
Thanks, they did not come up when googling.
Alan


Re: SQL Question

2005-05-12 Thread Michael Parker
On Thu, May 12, 2005 at 05:47:26PM +0100, Alan Munday wrote:
 
 Thanks, though I can't seem to find the Docs that cover bayes/AWL setup on 
 the Wiki or apache site.
 
 Are there any docs that are considered definitive around?
 
sql/README.bayes
sql/README.awl

is the definitive documentation.

You can also find things on the wiki and the SQL presentation here:
http://people.apache.org/~parker/presentations/

Michael




Re: SQL Question

2005-05-12 Thread Kevin Peuhkurinen
Kevin Peuhkurinen wrote:
Look at http://spamassassin.apache.org/full/3.0.x/dist/doc/ for file 
names that end in SQL.

Kevin
Actually, scratch that.  Those are not the documents I was thinking they 
were.  Instead, download the latest copy of SA and you will find a 
folder in the distribution called sql.  In there, there are some README 
files that describe how to set everything up.



Re: SA Performance under Solaris -w- Sendmail

2005-05-12 Thread leonard . gray

Thanks for your efforts and tests. I think I found the problem.

The production server we are trying to run on only has 128mb of memory.
I can't believe we got a machine with that little, but it happened. I
might try running only 2 children of SPAMD, refreshing the processes
every 5 messages or so to see if that will work, but I'd say the machine
is a little light on the horsepower.

Thanks again!






Alex S Moore [EMAIL PROTECTED]
05/12/2005 12:04 PM

To: [EMAIL PROTECTED]
cc: users@spamassassin.apache.org
Subject: Re: SA Performance under Solaris -w- Sendmail

[EMAIL PROTECTED] wrote:
 I've been experiencing and documenting a pretty severe performance
 problem with SA versions 3.0.1 through 3.1x (nightly) under Solaris 8
 and 9, Perl 5.8.3.

Ran the test differently and got different results. I sent the 573
messages from a different host. Both the send and the processing in MD
finished in a fraction of the time required for my earlier test.
Everything still seemed fine. What do you think?


highest and typical prstat output:
[EMAIL PROTECTED] tmp]$ prstat -n 18 2
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
 13757 defang     40M   32M run     33    0   0:00:16 7.0% mimedefang-mult/1
  9387 defang     41M   33M run     32    0   0:00:28 5.6% mimedefang-mult/1
 13734 defang     40M   32M run     32    0   0:00:17 5.6% mimedefang-mult/1
 13732 defang     40M   31M run     33    0   0:00:17 5.2% mimedefang-mult/1
 13738 defang     40M   31M run     55    0   0:00:17 4.7% mimedefang-mult/1
 13835 defang     40M   31M run     29    0   0:00:15 4.7% mimedefang-mult/1
 13736 defang     40M   31M run     32    0   0:00:16 4.4% mimedefang-mult/1
 13851 defang     40M   31M run     39    0   0:00:14 4.3% mimedefang-mult/1
 13854 defang     39M   31M cpu0    49    0   0:00:11 3.3% mimedefang-mult/1
 15675 defang     38M   28M sleep   53    0   0:00:02 3.2% mimedefang-mult/1
 28308 defang     15M   11M sleep   59    0   0:00:21 2.3% clamd/4
 16192 root     2280K 1064K sleep   59    0   0:28:27 0.4% nfsd/5
  7466 root       14M 3184K run     30    0   0:00:02 0.4% sendmail/1
   232 root     3816K 1376K sleep   59    0   0:03:27 0.4% syslogd/15
 17701 root     6544K 5216K sleep   59    0   0:00:22 0.3% authdaemond/1
  8345 defang     37M   31M sleep   59    0   0:00:23 0.3% mimedefang-mult/1
 15620 amoore   4672K 4360K cpu1    59    0   0:00:00 0.2% prstat/1
  6097 root     6136K 4744K sleep   59    0   0:02:16 0.2% fam/1
Total: 138 processes, 297 lwps, load averages: 6.47, 2.95, 1.21
[EMAIL PROTECTED] tmp]$ prstat -n 18 2
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
  9387 defang     44M   36M cpu0    10    0   0:00:59  22% mimedefang-mult/1
 28308 defang     15M   11M sleep   59    0   0:00:23 1.0% clamd/4
 16062 root       15M 5368K sleep   47    0   0:00:01 0.9% sendmail/1
  8357 defang   4632K 2152K sleep   59    0   0:01:30 0.5% mimedefang/3
 13854 defang     41M   32M sleep   59    0   0:00:15 0.3% mimedefang-mult/1
 13757 defang     40M   32M sleep   59    0   0:00:20 0.3% mimedefang-mult/1
 13835 defang     40M   32M sleep   59    0   0:00:19 0.2% mimedefang-mult/1
 13851 defang     40M   31M sleep   59    0   0:00:17 0.2% mimedefang-mult/1
 13738 defang     40M   32M sleep   59    0   0:00:20 0.2% mimedefang-mult/1
 13732 defang     40M   32M sleep   59    0   0:00:21 0.2% mimedefang-mult/1
 13736 defang     41M   32M sleep   59    0   0:00:19 0.2% mimedefang-mult/1
 16048 amoore   4672K 4368K cpu1    59    0   0:00:00 0.2% prstat/1
 13734 defang     40M   32M sleep   59    0   0:00:21 0.2% mimedefang-mult/1
 28314 defang   6688K 2336K sleep   59    0   0:00:03 0.2% clamav-milter/3
 15675 defang     38M   29M sleep   59    0   0:00:05 0.2% mimedefang-mult/1
  6097 root     6136K 4744K sleep   59    0   0:02:16 0.1% fam/1
 17700 root     4056K 2728K sleep   59    0   0:00:03 0.1% authdaemond/1
  8345 defang     37M   31M sleep   59    0   0:00:23 0.1% mimedefang-mult/1
Total: 120 processes, 262 lwps, load averages: 3.26, 3.02, 1.42
[EMAIL PROTECTED] tmp]$ /


log for MD process that did most of the work:
May 12 10:47:05 mcsrv5 mimedefang-multiplexor[8345]: [ID 638987 
mail.info] Slave 1 resource usage: req=500, scans=500, user=233.180, 
sys=10.460, nswap=0, majflt=0, minflt=0, maxrss=0, bi=0, bo=0



Alex






Re: Suddenly load average of 15-18???

2005-05-12 Thread Loren Wilton
 symptom.  Anyone have any ideas why this would suddenly start?

Running Awl?  Running Bayes?  Since it starts immediately, it sounds like a
large expiry run for one or the other of them.  If you aren't running
either, then this may be the area where nobody really knows what is going
wrong.

Loren



RE: [SOLVED] Re: Suddenly load average of 15-18???

2005-05-12 Thread Jon Dossey
 From: Thomas Cameron [mailto:[EMAIL PROTECTED]
 To: spamassassin-users
 Subject: RE: [SOLVED] Re: Suddenly load average of 15-18???
 
 On Thu, 2005-05-12 at 11:46 -0500, Jon Dossey wrote:
   From: Thomas Cameron [mailto:[EMAIL PROTECTED]
   Sent: Thursday, May 12, 2005 11:38 AM
   To: spamassassin-users; spamass-milt-list@nongnu.org
   Subject: [SOLVED] Re: Suddenly load average of 15-18???
  
   OK, this is a weird solution...  I rebooted the server and all the
   problems went away.  It's chuffing along happily now.
  
   Memory leak, maybe?
 
 
  What kind of hardware?  Are you scanning zips?  I had to just start
  blocking zip attachments all together until these virii settle down a
  bit.
 
 
  .jon
 
 
 
 It's just a plain Jane P-III 800MHz with 512MB memory on a 7-disk RAID 5
 Ultra 160 SCSI array.  I have not disabled scanning of zip files.
 
 It is running just fine now.  Very odd.

This may only be a temporary fix.  Personally, rebooting a linux machine
to solve a problem just isn't acceptable.  Did you try restarting spamd
before rebooting?

I'd go through your maillog, and check the spamassassin processing
times, and see if you can pinpoint where the processing time shoots up.
Then, go through your mqueue and take a look at the offending message.

.jon



Re: Suddenly load average of 15-18???

2005-05-12 Thread Loren Wilton
 Is there something I should/could do about these expiry runs?  It seems
 odd that it's been like this for a couple of days now...  How could I
 know that this was the issue?

Um, this isn't my area of expertise.  I suspect Matt or Justin will be along
with a workable suggestion fairly soon.  I'm pretty sure that there is some
logging to indicate when an expiry run happens, but I don't know precisely
what to look for.

At least with bayes there is a way you can turn off the auto-expire and then
use a cron job to schedule a manual expiry once a day/week/whatever.  I'm
not sure if similar functionality exists for awl.

Did you happen to notice if all of your spamd children get fat at once, or
if just one of them got really huge?  All of them getting big might
indicate something changed with your rules files.  A single fat child would
be more indicative of an expiry run.

Loren



RE: [SOLVED] Re: Suddenly load average of 15-18???

2005-05-12 Thread Thomas Cameron
On Thu, 2005-05-12 at 12:20 -0500, Jon Dossey wrote:

 This may only be a temporary fix.  Personally, rebooting a linux machine
 to solve a problem just isn't acceptable.  Did you try restarting spamd
 before rebooting?

Several times.  I restarted the entire mail suite - sendmail, clam, SA,
milter-greylist, etc.

 I'd go through your maillog, and check the spamassassin processing
 times, and see if you can pinpoint where the processing time shoots up.
 Then, go through your mqueue and take a look at the offending message.

It wasn't just one message.  It was every message.

Thomas



Re: Suddenly load average of 15-18???

2005-05-12 Thread Thomas Cameron
On Thu, 2005-05-12 at 09:31 -0700, Loren Wilton wrote:
  Is there something I should/could do about these expiry runs?  It seems
  odd that it's been like this for a couple of days now...  How could I
  know that this was the issue?
 
 Um, this isn't my area of expertise.  I suspect Matt or Justin will be along
 with a workable suggestion fairly soon.  I'm pretty sure that there is some
 logging to indicate when an expiry run happens, but I don't know precisely
 what to look for.

OK, I'll look for that.

 At least with bayes there is a way you can turn off the auto-expire and then
 use a cron job to schedule a manual expiry once a day/week/whatever.  I'm
 not sure if similar functionality exists for awl.

I don't know either.

 Did you happen to notice if all of your spamd children get fat at once, or
 if just one of them got really huge?  All of them getting big might
 indicate something changed with your rules files.  A single fat child would
 be more indicative of an expiry run.
 
 Loren

It didn't really look like any of them were really fat...  The machine's
drives just started hammering and the load average shot up.

It's all cleared up now after a reboot.

Thomas



Re: spammer is using html code for spamming

2005-05-12 Thread Eddy Beliveau
Many thanks,
I'll give it a try
Thanks again
Eddy
- Original Message - 
From: martin smith [EMAIL PROTECTED]
To: Spamassassin users@spamassassin.apache.org; 'Eddy Beliveau' [EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 12:30 PM
Subject: RE: spammer is using html code for spamming


Whoops outlook capitalised this wrong with an I instead of i at the end.
This is what it should have been;
body MS_Body_Hide_DRUG /\b(?:R[!a-z]?eta il|P[!a-z]?ri ces|V.?I RA|C[!a-z]?I
S|(?:V|U)L AM|U[!a-z]?LTRAM|S[!a-z]?MA)\b/i


Re: SQL Question

2005-05-12 Thread Alan Munday
Kevin Peuhkurinen wrote the following on 12/05/2005 18:12:
Actually, scratch that.  Those are not the documents I was thinking they 
were.  Instead, download the latest copy of SA and you will find a 
folder in the distribution called sql.  In there, there are some README 
files that describe how to set everything up.

That's better thanks
Alan


Re: SA 3.0.3 SURBL problem - resolved

2005-05-12 Thread Loren Wilton
 If this is documented somewhere, I couldn't find it.  Seems that the RPM
 I'm running from didn't include init.pre, though the tarball
 distribution does.

init.pre is a standard part of the distro.  If the RPM is missing it, it is
broken, and you should probably point that out to the maintainer thereof.

But be sure it is missing.  There is currently a problem that if you have an
old init.pre, a new version of SA won't overload it with the new version,
which has just a  whole bunch more loadplugin lines.

Loren



Re: Transport endpoint is not connected?

2005-05-12 Thread David Gibbs
David Gibbs wrote:
 I ran spamd in debug mode for a while, hoping that I could catch one of
 the messages slipping by ... and I did.

Anyone?

This is happening more frequently ... and I can't find a pattern.

david



RE: [OT]Appropriate OS and other software to work with SA

2005-05-12 Thread George Breahna
I would recommend FreeBSD + Qmail as MTA.

My company runs an e-mail outsourcing business and this combination has done
wonders for us.

-George


On 5/12/2005 12:54 PM, Ben Wylie wrote:
 Currently I am running my mailserver on a windows box.

 would like to migrate my mailserver onto this linux box so that 
 hopefully I will be able to get a faster, more stable system.

 Is there a standard combination of programs used as a mailserver as I hope?

No. The UNIX model is historically based on writing smallish tools (I said
historically) that are called upon for specific tasks. What this has
produced is what you are running into: there are options for just about
every function in a complex system, but it's really up to you to figure out
which features you want and what components provide them.

For a mail system, you need to pick a transfer agent (SMTP server), a
delivery store, and the retrieval agents (pop and IMAP servers), along with
whatever glue components you might also need to tie these together.

The granddaddy MTA is sendmail, but there are lots of others to choose from,
including postfix, qmail, exim and more. For POP/IMAP, there is Cyrus, UW
imapd, Courier and others. If you need to do some kind of message filtering,
you might want to use hooks provided by the MTA itself (as with sendmail's
milter interface, and postfix filters), or you might want to use filters
that manipulate messages in the delivery store (as with procmail).

If you need to get something up and running right now, your best bet would
probably be starting with a commercial package like Communigate Pro
(http://www.stalker.com/content/solutions.htm) that offers all of the
functions, but is also extensible, and then test with other technologies on
a different box when you aren't under pressure to make something work.
If you're just looking to kick some tires, it is pretty easy to get UW imapd
working (it sits on top of existing *NIX mail spool directories), and
postfix is an easy MTA to configure. You can play with calling in stuff like
procmail or postfix filters pretty easy from there.



Re: [SOLVED] Re: Suddenly load average of 15-18???

2005-05-12 Thread David Brodbeck
Thomas Cameron wrote:
On Thu, 2005-05-12 at 12:20 -0500, Jon Dossey wrote:
I'd go through your maillog, and check the spamassassin processing
times, and see if you can pinpoint where the processing time shoots up.
Then, go through your mqueue and take a look at the offending message.

It wasn't just one message.  It was every message.
I think what he's getting at is that one message can consume enough CPU 
and memory to bog down processing all the other ones, too.  I saw this 
with spamd and large attachments, before I started bypassing large 
messages around spamassassin.


Re: Subscribing to spam lists

2005-05-12 Thread David Brodbeck
Johnson, S wrote:
Anyone know the best way to subscribe to receive all the spam I can 
possibly get?
A post to the alt.test newsgroup used to be highly effective; don't 
know if it still is today.

Subscribing to Ameritech DSL might work. ;)  My [EMAIL PROTECTED] 
email account gets more spam than I've ever seen anywhere else.  What's 
highly suspicious is that it started getting spam before I even started 
using it.


RE: [SPAM-TAG] RE: SpamCopURI not working, was RE: More Messed Up www URLs

2005-05-12 Thread Stewart, John

 However, when querying 
 achat-montre-rolex.net.multi.surbl.org, the firewall
 appears to decide that the answer is within a zone it has 
 authority over,
 and rejects it (returning NXDOMAIN to the internal DNS servers).
 
 I'm going to look into figuring out how to allow these queries through
 properly; I'm sure that's the problem.

FYI, this was it. Our firewall (a Symantec/Raptor box) is also our DNS
forwarder for internal domains. It thought it was authoritative for all
127.0.0.X data, and was returning NXDOMAIN for anything in the 127.0.0.X
range (other than 127.0.0.2, curiously). A small config change on the DNS
daemon on that box changed it so that it thinks it is only authoritative for
127.0.0.1.

All is well, and the surbl.org servers are hitting like crazy now!

thanks!

johnS


Atomic Grouping but not Possessive Quantifiers?

2005-05-12 Thread Rocky Olsen
i tried writing a couple of regexps using the possessive quantifiers '++'
and '*+' and spamassassin --lint threw up the error invalid regexp for
rule, but was fine when i switched it to use atomic grouping.  Does SA not
support possessive quantifiers? or was it just a mistake in the lint
checking?

-Rocky


-- 
__


what's with today, today?

Email:  [EMAIL PROTECTED]
PGP:http://rocky.mindphone.org/rocky_mindphone.org.gpg




Error starting spamd (v3.000002, but using modules v3.000003!)

2005-05-12 Thread Kevin W. Gagel
I've just installed spamassassin on this new server and have
tried to launch spamd using the /etc/init.d/spamassassin
script but I get this error:
Starting spamd: ERROR! spamassassin script is v3.02, but
using modules v3.03!

What is causing this?

Redhat Enterprise Linux
SA installed using CPAN, no previous install of sa on this
system.

--
Kevin W. Gagel 
Postmaster for
College of New Caledonia
(250) 562-2131 loc. 448
(250) 561-5848 loc. 448
[EMAIL PROTECTED]
http://www.cnc.bc.ca
Anti-Spam info at:
http://avas.cnc.bc.ca


---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Re: Atomic Grouping but not Possessive Quantifiers?

2005-05-12 Thread Matt Kettler
Rocky Olsen wrote:

i tried writing a couple of regexps using the possessive quantifiers '++'
and '*+' and spamassassin --lint threw up the error invalid regexp for
rule, but was fine when i switched it to use atomic grouping.  Does SA not
support possessive quantifiers? or was it just a mistake in the lint
checking?

-Rocky


  

AFAIK Perl doesn't support possessive Quantifiers, therefore SA does
not. The particular message you see is simply generated by SA when it
finds perl doesn't know how to evaluate your regex.
From Parser.pm:
--
sub is_regexp_valid {
  my ($self, $name, $re) = @_;
  if (eval { ("" =~ m{$re}); 1; }) {
    return 1;

  } else {
    warn "invalid regexp for rule $name: $re\n";
    $self->{conf}->{errors}++;
    return 0;
  }
}


Someone more educated on perl might be able to point out that it is
supported in perl versions higher than 5.x.x, but I'm not aware of any
import of this Java feature to perl.

Either way, your regex syntax should only be limited by what your copy
of perl supports, not by SA.




Re: Atomic Grouping but not Possessive Quantifiers?

2005-05-12 Thread Mike Jackson
AFAIK Perl doesn't support possessive Quantifiers, therefore SA does
not.
Is this the same as greedy? Aren't Perl regexes always greedy unless you 
use +?, *?, or ??



Re: Atomic Grouping but not Possessive Quantifiers?

2005-05-12 Thread Rocky Olsen
Ah crap, you are right, perl doesn't have  possessive quantifiers. 

thx

-Rocky

On Thu, May 12, 2005 at 05:56:01PM -0400, Matt Kettler wrote:
 Rocky Olsen wrote:
 
 i tried writing a couple of regexps using the possessive quantifiers '++'
 and '*+' and spamassassin --lint threw up the error invalid regexp for
 rule, but was fine when i switched it to use atomic grouping.  Does SA not
 support possessive quantifiers? or was it just a mistake in the lint
 checking?
 
 -Rocky
 
 
   
 
 AFAIK Perl doesn't support possessive Quantifiers, therefore SA does
 not. The particular message you see is simply generated by SA when it
 finds perl doesn't know how to evaluate your regex.
 From Parser.pm:
 --
 sub is_regexp_valid {
   my ($self, $name, $re) = @_;
   if (eval { ("" =~ m{$re}); 1; }) {
     return 1;
 
   } else {
     warn "invalid regexp for rule $name: $re\n";
     $self->{conf}->{errors}++;
     return 0;
   }
 }
 
 
 Someone more educated on perl might be able to point out that it is
 supported in perl versions higher than 5.x.x, but I'm not aware of any
 import of this Java feature to perl.
 
 Either way, your regex syntax should only be limited by what your copy
 of perl supports, not by SA.
 
 

-- 
__


what's with today, today?

Email:  [EMAIL PROTECTED]
PGP:http://rocky.mindphone.org/rocky_mindphone.org.gpg




Re: Atomic Grouping but not Possessive Quantifiers?

2005-05-12 Thread Rocky Olsen
no, possessive quantifiers/atomic grouping discard saved states to back
tracking will not occur for what was matched.

-Rocky


On Thu, May 12, 2005 at 03:00:18PM -0700, Mike Jackson wrote:
 AFAIK Perl doesn't support possessive Quantifiers, therefore SA does
 not.
 
 Is this the same as greedy? Aren't Perl regexes always greedy unless you 
 use +?, *?, or ??
 

-- 
__


what's with today, today?

Email:  [EMAIL PROTECTED]
PGP:http://rocky.mindphone.org/rocky_mindphone.org.gpg
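
As an added example (not part of the original posts and not SpamAssassin's own code), this Perl script applies the same eval-based compile check to a few constructed rule lines and shows that an atomic group changes what a rule matches compared with the greedy form. The rule names, sample text and simplified rule parser are assumptions; possessive quantifiers compile only on perl 5.10 and later.

```perl
#!/usr/bin/perl
# Added example: constructed rules and sample text, not SpamAssassin code.
use strict;
use warnings;

# Compile check in the style of the is_regexp_valid() routine quoted in the
# thread: try the pattern inside eval so a bad regex returns 0 instead of dying.
sub regexp_compiles {
    my ($re) = @_;
    my $ok = eval { my $m = ("" =~ m{$re}); 1 };
    return $ok ? 1 : 0;
}

# Simplified rule parser (assumption): handles only "<type> NAME /regex/flags"
# with "/" delimiters, which is enough for the constructed rules below.
sub lint_rule {
    my ($line, $sample) = @_;
    my ($type, $name, $re, $flags) =
        $line =~ m{^\s*(body|rawbody|uri|full)\s+(\S+)\s+/(.*)/([imsx]*)\s*\z}
        or return { name => '?', compiles => 0, hit => 0 };

    # Fold trailing modifiers into the pattern as an inline (?flags) group.
    my $pattern = length($flags) ? "(?$flags)$re" : $re;
    my $ok      = regexp_compiles($pattern);
    my $hit     = ($ok && $sample =~ m{$pattern}) ? 1 : 0;
    return { name => $name, compiles => $ok, hit => $hit };
}

my $sample = 'vanilla extract 100 mg';    # constructed message body line
my @rules  = (
    # Greedy: \w+ first takes "anilla", then backtracks to free the final "a".
    'body DEMO_GREEDY      /\bv\w+a\b/i',
    # Atomic: \w+ keeps everything it took, so the trailing "a" can never match.
    'body DEMO_ATOMIC      /\bv(?>\w+)a\b/i',
    # Possessive spelling of the same thing; rejected by perls older than 5.10.
    'body DEMO_POSSESSIVE  /\bv\w++a\b/i',
    # Atomic group where nothing after it needs characters given back.
    'body DEMO_ATOMIC_DOSE /\b(?>\d+) mg\b/i',
    # Unbalanced group: fails the compile check on every perl.
    'body DEMO_BROKEN      /\bv(?:\w+a\b/i',
);

printf "perl %s\n", $];
for my $line (@rules) {
    my $r = lint_rule($line, $sample);
    printf "%-18s compiles=%s hit=%s\n",
        $r->{name},
        ($r->{compiles} ? 'yes' : 'no'),
        ($r->{hit}      ? 'yes' : 'no');
}
```

Run it with the same perl binary that spamd uses, since that interpreter decides which regex syntax a rule may contain.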




URIDNSBL Scores

2005-05-12 Thread Scott Schaffer
Hi.

I am migrating spamassassin from my perimeter firewall to another server to 
lighten the load on the firewall. I have installed SA3.0 on the new machine and 
have done some testing. I am getting different results on each SA install.

Configuration for both machines: Windows 2000 all hotfixes and service packs 
installed, same amount of memory, cpu etc. SA 3.0 on each. Spamassassin is 
called through Guinevere 2.17, the Groupwise Av scanner integration.

If I run the same email through each install, the firewall implementation will 
pick up scores from the URIDNSBL tests and add it to the total where the SA 
implementation behind the firewall will not. I have included the relevant 
portions of each SA run from the two installs. The first is the machine behind 
the firewall, and the second is the firewall machine. As you can see there is a 
large difference in the scores. Is this a timing issue, perhaps? If so, where 
do I increase the time for dnsbl look ups. What else could it be?

Thanks for any help anyone can give me.

Scott Schaffer

Machine behind the firewall results
-
debug: bayes: score = 0.505530427067805
debug: bayes: 276 untie-ing
debug: bayes: 276 untie-ing db_toks
debug: bayes: 276 untie-ing db_seen
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2954eac) implements '
check_tick'
debug: URIDNSBL: domain blahblahcutie.info listed (URIBL_AB_SURBL): 127.0.0.10
2
debug: URIDNSBL: domain blahblahcutie.info listed (URIBL_WS_SURBL): 127.0.0.10
2
debug: URIDNSBL: domain blahblahcutie.info listed (URIBL_SC_SURBL): 127.0.0.10
2
debug: URIDNSBL: query for blahblahcutie.info took 2 seconds to look up (multi.s
urbl.org.:blahblahcutie.info)
debug: URIDNSBL: queries completed: 2 started: 2
debug: URIDNSBL: queries active:  at Thu May 12 15:14:52 2005
debug: running raw-body-text per-line regexp tests; score so far=0.001
debug: running full-text regexp tests; score so far=0.001
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Running tests for priority: 500
debug: URIDNSBL: queries completed: 1 started: 1
debug: URIDNSBL: queries active: A=1 at Thu May 12 15:14:52 2005
debug: RBL: success for 1 of 1 queries
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2954eac) implements '
check_post_dnsbl'
debug: URIDNSBL: queries completed: 0 started: 0
debug: URIDNSBL: queries active: A=1 DNSBL=1 at Thu May 12 15:14:52 2005
debug: waiting 2 seconds for URIDNSBL lookups to complete
debug: URIDNSBL: queries completed: 0 started: 0
debug: URIDNSBL: queries active: A=1 DNSBL=1 at Thu May 12 15:14:52 2005
debug: running meta tests; score so far=0.001
debug: running header regexp tests; score so far=0.001
debug: running body-text per-line regexp tests; score so far=0.001
debug: running uri tests; score so far=0.001
debug: URIDNSBL: queries completed: 0 started: 0
debug: URIDNSBL: queries active: A=1 DNSBL=1 at Thu May 12 15:14:53 2005
debug: running raw-body-text per-line regexp tests; score so far=0.001
debug: running full-text regexp tests; score so far=0.001
debug: Running tests for priority: 1000
debug: running meta tests; score so far=0.001
debug: running header regexp tests; score so far=0.001
debug: running body-text per-line regexp tests; score so far=0.001
debug: running uri tests; score so far=0.001
debug: URIDNSBL: queries completed: 0 started: 0
debug: URIDNSBL: queries active: A=1 DNSBL=1 at Thu May 12 15:14:53 2005
debug: running raw-body-text per-line regexp tests; score so far=0.001
debug: running full-text regexp tests; score so far=0.001
-
firewall machine results
--
debug: bayes: score = 0.505912963129377
debug: bayes: 96 untie-ing
debug: bayes: 96 untie-ing db_toks
debug: bayes: 96 untie-ing db_seen
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x292e8b8) implements '
check_tick'
debug: URIDNSBL: domain blahblahcutie.info listed (URIBL_AB_SURBL): 127.0.0.10
2
debug: URIDNSBL: domain blahblahcutie.info listed (URIBL_WS_SURBL): 127.0.0.10
2
debug: URIDNSBL: domain blahblahcutie.info listed (URIBL_SC_SURBL): 127.0.0.10
2
debug: URIDNSBL: query for blahblahcutie.info took 3 seconds to look up (multi.s
urbl.org.:blahblahcutie.info)
debug: URIDNSBL: queries completed: 2 started: 2
debug: URIDNSBL: queries active:  at Thu May 12 15:13:53 2005
debug: running raw-body-text per-line regexp tests; score so far=0.001
debug: running full-text regexp tests; score so far=0.001
debug: DCCifd is not available: no r/w dccifd socket found.
debug: Running tests for priority: 500
debug: URIDNSBL: queries completed: 2 started: 2
debug: URIDNSBL: queries active:  at Thu May 12 15:13:53 2005
debug: RBL: success for 1 of 1 queries
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x292e8b8) implements '
check_post_dnsbl'

Re: SA Performance under Solaris -w- Sendmail

2005-05-12 Thread Alex S Moore
[EMAIL PROTECTED] wrote:
The production server we are trying to run on only has 128mb of memory. 
 I can't believe we got a machine with that little, but it happened.  I 
might try running only 2 children of SPAMD, refreshing the processes 
every 5 messages or so to see if that will work, but I'd say the machine 
is a little light on the horsepower.
Glad to hear that you found the problem.  I do not know about 
horsepower, but 128Mb of memory sounds hopeless or at least very limiting:

Alex


Re: Error starting spamd (v3.000002, but using modules v3.000003!)

2005-05-12 Thread Theo Van Dinter
On Thu, May 12, 2005 at 02:45:56PM -0700, Kevin W. Gagel wrote:
 I've just installed spamassassin on this new server and have
 tried to launch spamd using the /etc/init.d/spamassassin
 script but I get this error:
 Starting spamd: ERROR! spamassassin script is v3.02, but
 using modules v3.03!
 
 What is causing this?


You are using the script from 3.0.2 but the perl modules from 3.0.3.  You
really want them to match.

-- 
Randomly Generated Tagline:
If it's too loud, you're too old.




Re: Error starting spamd (v3.000002, but using modules v3.000003!)

2005-05-12 Thread Kevin W. Gagel
 On Thu, May 12, 2005 at 02:45:56PM -0700, Kevin W. Gagel
  wrote: I've just installed spamassassin on this new
  server and have tried to launch spamd using the
  /etc/init.d/spamassassin script but I get this error:
  Starting spamd: ERROR! spamassassin script is v3.02,
  but using modules v3.03!
  
  What is causing this?
 
 
 You are using the script from 3.0.2 but the perl modules
 from 3.0.3.  You really want them to match.
 
I found the problem. It seems I had installed 3.0.2 but have
not finished with it. So when I got back to it today and
installed sa I thought I was installing for the first time.
The upgrade went ok but for some reason it left behind a
spamd in the /usr/bin which was version 3.0.2 and it
installed the new one in the /usr/local/bin

Once I deleted the /usr/bin/spamd everything went fine.

Thanks for answering.

--
Kevin W. Gagel 
Postmaster for
College of New Caledonia
(250) 562-2131 loc. 448
(250) 561-5848 loc. 448
[EMAIL PROTECTED]
http://www.cnc.bc.ca
Anti-Spam info at:
http://avas.cnc.bc.ca




Navigating the node tree

2005-05-12 Thread Bret Miller
Anyone have any sample code for walking the message node tree and
looking at the properties on each node?





Re: Navigating the node tree

2005-05-12 Thread Theo Van Dinter
On Thu, May 12, 2005 at 04:36:47PM -0700, Bret Miller wrote:
 Anyone have any sample code for walking the message node tree and
 looking at the properties on each node?

find_parts() basically does this, but it only looks at the content-type, but
you can use it as a basis.

-- 
Randomly Generated Tagline:
I can't live the button-down life like you.  I want it all!  The
 terrifying lows, the dizzying highs, the creamy middles!
 
-- Homer Simpson
   Lisa's Rival




Re: spammer is using html code for spamming

2005-05-12 Thread Loren Wilton
 He is using html codes to generate his page
 Each row of text is composed of word segments generated from many table
row

Nasty little guy, isn't he?


 Is there some rule who can catch this kind of spammers ?

The new SARE obfu rules have some good ones for this guy, but there is
currently a problem with the file, and you may want to wait till this
evening or so to download it.

Loren



Re: [SARE] obfu rule set update

2005-05-12 Thread Jack L. Stone
At 09:23 AM 5.12.2005 -0700, Loren Wilton wrote:
 Am running FBSD-4.11 and SA-3.03_3
 I find that same problem. Also, when I open the rule with an editor, I see
 the file is filled with those DOS carriage returns - ^M

 When I remove them, then the --lint sees 9 problems.

Strange.  SA normally doesn't care beans about dos CRs in the rules files.
I edit them that way all the time with no problems.

 Loren

I have found that the DOS carriage breaks will clobber some perl scripts
and perhaps PHP, can't remember for sure. I just avoid using an editor that
adds 'em.


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re[2]: [SARE] obfu rule set update

2005-05-12 Thread Robert Menschel
Hello Jack, Chris,

Thursday, May 12, 2005, 8:46:40 AM, you wrote:

JLS At 09:19 AM 5.12.2005 +0100, Chris Russell wrote:
Trying to Update this morning gives:
Lint output: warning: description exists for non-existent rule
JLS SARE_OBFU_SPL_ORDERING
lint: 1 issues detected.  please rerun with debug enabled for more
JLS information.

JLS Am running FBSD-4.11 and SA-3.03_3
JLS I find that same problem. Also, when I open the rule with an editor, I see
JLS the file is filled with those DOS carriage returns - ^M
JLS When I remove them, then the --lint sees 9 problems.

Fixed.  I did a --lint before publishing, but apparently missed the
description line problem?  Don't know how/why.  Also fixed problem
with my ftp client that wasn't stripping the ^M.

Bob Menschel





Re[2]: Uncatched spam and rules weith modification..

2005-05-12 Thread Robert Menschel
Hello Frederic,

Thursday, May 12, 2005, 8:40:17 AM, you wrote:

FG X-spam-status: No, hits=5.312 tagged_above=-999 required=6.31
FG tests=BAYES_99,
FG  RCVD_HELO_IP_MISMATCH, RCVD_NUMERIC_HELO
that does score high enough to be classified as spam, but you or your
administrator have raised the required score from 5.0 to 6.31.

FG It is what is put in Amavisd config.  I will maybe lower it a bit.

If you're not getting FPs, then cautious lowering is viable.

If your Bayes database is reliable and stable, bump the score for
BAYES_99.  

FG In fact I forgot to upgrade to SA 3.0.3 which bumps bayes a lot.
FG But from my own mail it seems that bayes_99 never hits a false positive.

Then definitely bump Bayes, at least until you upgrade to 3.0.3 or 3.1

Or look into adopting some of SARE's rules files, at
http://www.rulesemporium.com (or other custom files available via the
wiki).

FG I have most of sare rules, but I have not seen a set for stock ads..

Should be in the BML set, though that hasn't been updated in a long
while and might not help against the current set.  Those that have
been using obfuscations should start getting hit by the new
obfuscation rule set files.

Bob Menschel





Re: Atomic Grouping but not Possessive Quantifiers?

2005-05-12 Thread Keith Ivey
Rocky Olsen wrote:
no, possessive quantifiers/atomic grouping discard saved states to back
tracking will not occur for what was matched.
Sounds like you might be able to use (?>pattern) to do what you want. 
See perldoc perlre.

--
Keith C. Ivey [EMAIL PROTECTED]
Washington, DC


[SARE] Whitelist validation

2005-05-12 Thread Robert Menschel
I've received some whitelist submissions for 70_sare_whitelist.cf,
from a mailing service used by several retailers.

I've checked over these entries, and verified that nobody on my email
server is receiving spam from them.  But before they get added to the
next release of the whitelist rule set, I'd like a much broader
perspective.

Does anyone know of any recent spam coming from any of the following
companies?

whitelist_from_rcvd   [EMAIL PROTECTED] Improvements
whitelist_from_rcvd   [EMAIL PROTECTED] 1-800-Flowers.com
whitelist_from_rcvd   [EMAIL PROTECTED]  The Safety Zone
whitelist_from_rcvd   [EMAIL PROTECTED]Home Focus
whitelist_from_rcvd   [EMAIL PROTECTED]Staples (Canada)
whitelist_from_rcvd   [EMAIL PROTECTED]Staples (Contract Div)
whitelist_from_rcvd   [EMAIL PROTECTED] Disney Direct
whitelist_from_rcvd   [EMAIL PROTECTED]   Alsto's
whitelist_from_rcvd   [EMAIL PROTECTED]Ambrosia Wine
whitelist_from_rcvd   [EMAIL PROTECTED]Walter Drake


Bob Menschel





Re: Atomic Grouping but not Possessive Quantifiers?

2005-05-12 Thread Rocky Olsen
Hehe, yeah, (?>) is atomic grouping ;)


On Thu, May 12, 2005 at 10:21:57PM -0400, Keith Ivey wrote:
 Rocky Olsen wrote:
 no, possessive quantifiers/atomic grouping discard saved states to back
 tracking will not occur for what was matched.
 
 Sounds like you might be able to use (?>pattern) to do what you want. 
 See perldoc perlre.
 
 -- 
 Keith C. Ivey [EMAIL PROTECTED]
 Washington, DC

-- 
__


what's with today, today?

Email:  [EMAIL PROTECTED]
PGP:http://rocky.mindphone.org/rocky_mindphone.org.gpg




Re: Subscribing to spam lists

2005-05-12 Thread jdow
From: David Brodbeck [EMAIL PROTECTED]

 Johnson, S wrote:
  Anyone know the best way to subscribe to receive all the spam I can 
  possibly get?
 
 A post to the alt.test newsgroup used to be highly effective; don't 
 know if it still is today.
 
 Subscribing to Ameritech DSL might work. ;)  My [EMAIL PROTECTED] 
 email account gets more spam than I've ever seen anywhere else.  What's 
 highly suspicious is that it started getting spam before I even started 
 using it.

Loren's lwilton account received spam before it was even created. It
certainly had spam waiting in the mailbox when we got home from where
he signed up for Earthlink. Dictionary Attacks is likely the answer.
The lwilton name had existed on a different name for quite some years.
So it got prepended to all sorts of email addresses as well as the
Earthlink address by the dictionary aficionados. That is likely what
happened to yours. (Mine is so short random letters will get to it.)

There is one obvious account I have that seldom gets spam. I never
use it for posting. I use it for signing up where I don't want to listen
to their junk mail that goes with other services. Of course, the very
name is off-putting to spammers. Just put junkmail after my usual
address. Of course, it goes through all the same filters as the other
aliases I have and ends up in the same account. So it's no big deal
if it starts acquiring additional spam. It'll just skew my long term
statistics a little. Now the account with a name like spuzzwickie
can be expected to remain clean if used VERY selectively. But, why
not feed it through the filters, too?

{^_-}



Re: Suddenly load average of 15-18???

2005-05-12 Thread jdow
From: Thomas Cameron [EMAIL PROTECTED]

 On Thu, 2005-05-12 at 08:31 -0700, Loren Wilton wrote:
  Usually a high load average means that a spamd child suddenly (or possibly
  slowly) got fat, and you are out of memory and thrashing to beat the band.
  The two most common causes of this seem to be Bayes expiry runs and Awl
  expiry runs.  Sometimes though it can seemingly happen from some unknown
  sequence of mail messages.

 Is there something I should/could do about these expiry runs?  It seems
 odd that it's been like this for a couple of days now...  How could I
 know that this was the issue?

  How many children are you running?  What is the max lifetime (messages
  processed) per child?  Limiting to probably 5 children, or maybe even less
  in your case with so few users, and limiting to maybe 20-100 connections per
  child will probably work around your problems.

 My rc file has this:

 SPAMDOPTIONS=-d -c -m5 --max-conn-per-child=5 -H

 I just added the --max-conn-per-child=5 per Stephen Przepiora's
 suggestion but that didn't seem to help.

  Oh, I'm assuming you have at least 512M or so.  If not, you might want to
  cut down to only a couple of children, and definitely go with the lower
  number of connections per child.

 Yes, I have 512M.  As I said - this has been working flawlessly since
 the server was installed several weeks ago.  It just suddenly went
 bonkers a couple of days ago.

I read your solved remark with some bemusement. Hammering the machine
over the head to solve this sort of problem is just not the way it's
done in the 'nix world. I suspect you have not really found the reason
yet. If you administer that machine with KDE or GNOME running and have
five spamds allowed you are overloading the machine driving it into
virtual memory thrashing. Cut down the number of spamds to perhaps 3,
-m3. Each spamd here with 3.02 gets up to about 60 megabytes before
it is harvested by max connections and a new one created. Five of those
uses up a lot of memory, to be sure. I have X running here. But I have
a gigabyte of memory in the machine. I mostly manage to stay out of
swap so VM doesn't thrash.

The thing you really needed to do and seem to have not done is isolate
exactly what is causing the problem. Hammering it with a reboot just
means you get to reboot often. If you spend the time to figure out what
resource was exhausted on your machine and what was the chief villain
with regards to exhausting that resource then you can work to mitigate
the problem. And you can enjoy many year long uptimes unless you have
to update the kernel. It saves wear and tear on you, freeing you to
apply the same principles to solve other problems that might appear.
It also frees the time to be proactive about the problems that might
appear.

As my first paragraph implies I suspect memory is the resource and
spamd coupled with KDE or GNOME might be the problem. It is quite
sufficient to drive the machine to the edge. And any OS gets pokey
when you get to the edge. The machine that has SA 2.63 on it is a
66 MHz Pentium with 256 megs of memory. It takes nearly a couple
minutes to scan a message. It sits in console mode. It handles DNS
and the firewall as well as the email. It can handle the 1200 to
1500 emails per day that Loren and I were getting while I was still
on that machine. I have since installed 3.02 on a spare Linux
machine, my pet computer toy, and put my email filtering over on
it. I get on the order of a total of 1000 messages a day. It handles
them at under 1.5% of its potential. It has a gigabyte of memory so
X's requirements are not a threat to the email filtering. Everything
runs fast. I also tuned the number of spamds and connections per
spamd to use only a reasonable chunk of the machine. (I untuned it
recently to test a fix for a scoring bug in 3.02. It probably is
time to reduce the -m value. I don't NEED it as high as I have it
now. {^_-})

Again, study what causes the problem. Experiment gently if you must
to characterize it properly. Then solve it. Don't reboot. That just
defers the problem. It's like paying blackmail money. The blackmailers
never go away. And it's a constant drain.

1) What resource is becoming saturated? It's not always obvious when
you first look at the problem. Dig to find the real bottleneck. (If a
small 66MHz machine can handle nearly the volume I believe you cited
then time is not where you want to look on a machine ten times faster.)

2) Find what is consuming overmuch of that resource.

3) Mitigate the excessive resource usage.

4) Live happily ever after or at least until the next crisis, which
most likely will not be a repeat of this one.

This is one of the tricks of old age guile that allows us old folks to
defeat youth and enthusiasm. {^_-}

{^_^}




Re: Suddenly load average of 15-18???

2005-05-12 Thread jdow
From: Thomas Cameron [EMAIL PROTECTED]

 On Thu, 2005-05-12 at 09:31 -0700, Loren Wilton wrote:
   Is there something I should/could do about these expiry runs?  It seems
   odd that it's been like this for a couple of days now...  How could I
   know that this was the issue?
 
  Um, this isn't my area of expertise.  I suspect Matt or Justin will be along
  with a workable suggestion fairly soon.  I'm pretty sure that there is some
  logging to indicate when an expiry run happens, but I don't know precisely
  what to look for.

 OK, I'll look for that.

  At least with bayes there is a way you can turn off the auto-expire and then
  use a cron job to schedule a manual expiry once a day/week/whatever.  I'm
  not sure if similar functionality exists for awl.

 I don't know either.

Loren's suggestion is likely a very good one. top is a nice way to find
out WHAT is consuming the time. I do note that I do not use automatic
learning or whitelisting here. (Me paranoid. Me not trust 'em. So me
feed salearn manually. Me get outstanding results. Me happy. {^_-})

  Did you happen to notice if all of your spamd children get fat at once, or
  if just one of them got really huge?  All of them getting big might
  indicate something changed with your rules files.  A single fat child would
  be more indicative of an expiry run.
 
  Loren

 It didn't really look like any of them were really fat...  The machine's
 drives just started hammering and the load average shot up.

 It's all cleared up now after a reboot.

For how long? You did not SOLVE the problem. You paid its blackmail.

{^_-}
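
Added example, not part of either post above: a small shell function that applies the "which resource, which consumer" steps and the one-fat-child versus all-fat-children distinction to `ps -eo pid,rss,comm` output. The 60 MB threshold (taken from the per-spamd figure quoted in the thread), the 2x ratio, the function name and the sample process listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify spamd memory use from `ps -eo pid,rss,comm` output (RSS in KB).
# Assumes spamd processes show the command name "spamd"; the parent spamd
# is counted along with its children.

# Constructed sample: one process far larger than its siblings.
SAMPLE_ONE_FAT='PID RSS COMMAND
2101 58000 spamd
2102 57000 spamd
2103 59000 spamd
2104 56000 spamd
2105 240000 spamd'

# Constructed sample: every process well above the 60 MB mark.
SAMPLE_ALL_FAT='PID RSS COMMAND
2201 90000 spamd
2202 92000 spamd
2203 88000 spamd
2204 91000 spamd
2205 89000 spamd'

# spamd_mem_report [fat_kb] [ratio]
# Reads ps output on stdin, prints "<count> <total_mb> <largest_pid> <verdict>".
#   single-fat-child: largest process exceeds ratio x the mean of the others
#   all-fat:          mean RSS per process exceeds fat_kb
spamd_mem_report() {
    awk -v fat_kb="${1:-61440}" -v ratio="${2:-2}" '
        $3 == "spamd" && $2 ~ /^[0-9]+$/ {
            n++; total += $2
            if ($2 + 0 > max + 0) { max = $2; max_pid = $1 }
        }
        END {
            if (n == 0) { print "0 0 - no-spamd"; exit }
            rest = (n > 1) ? (total - max) / (n - 1) : max
            if (n > 1 && max > ratio * rest) verdict = "single-fat-child"
            else if (total / n > fat_kb)     verdict = "all-fat"
            else                             verdict = "normal"
            printf "%d %d %s %s\n", n, total / 1024, max_pid, verdict
        }'
}

# Run against the constructed sample; on a live host use:
#   ps -eo pid,rss,comm | spamd_mem_report
printf '%s\n' "$SAMPLE_ONE_FAT" | spamd_mem_report
```

Comparing the reported total against physical RAM minus whatever else runs on the box shows whether the `-m` value fits in memory before the machine starts swapping.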