Re: Spam scores not in log

2005-11-24 Thread Evan Platt

At 06:58 PM 11/24/2005, you wrote:
> For some reason I am not getting the spam scores in the mail log. I
> am getting the start and stop of spamassassin. any suggestions?


I can't help you likely, but a few details people who can are going 
to need: How you call spamassassin, what system, what MTA,  and 
possibly what version of spamassassin you are running. And anything 
else you can think of that would be a detail to help others help you. :) 



Spam scores not in log

2005-11-24 Thread Jonn R Taylor
For some reason I am not getting the spam scores in the 
mail log. I am getting the start and stop of spamassassin. 
any suggestions?


Jonn


Re: Getting RHSBLs to work

2005-11-24 Thread Matt Kettler

At 04:42 AM 11/24/2005, Jeremy wrote:

> Hi all,
> Am I correct in assuming that in order to get RHSBL rules to work -
> specifically, rules which use "eval:check_rbl_from_host" - then I must first
> have set skip_rbl_checks to 0 in my local.cf file? I'm using SA 3.0.4.


Yes, or have it not set at all.



> Currently I have skip_rbl_checks set to 1 and I'm finding that the RHSBL
> rules I have (eg. AHBL) don't appear to be working. I'm guessing this is the
> reason.


Correct.. RHSBL's are lumped in with other RBLs, and if you have 
skip_rbl_checks set to 1 they all become disabled.



> I do know that the skip_rbl_checks rule is used for enabling or disabling
> all the DNSBL rules in the 20_dnsbl_tests.cf file.


It disables them categorically. All the RBL-type evals will bail out and do 
nothing if that's set.




> The thing is this: I would like to be able to use a couple of RHSBL rules,
> but I would not like to use all the DNSBL rules in the 20_dnsbl_tests.cf
> file. That's because my MTA does its own DNSBL checks, so I don't need the
> multitude of additional DNSBL checks that SA does. I just want the RHSBL
> ones which I have custom added.
>
> So, what is the easiest/best way of enabling the RHSBL rules (which use
> "eval:check_rbl_from_host") while still disabling all the rules within
> 20_dnsbl_tests.cf?


You have two options:
1) use score statements to disable the un-needed RBLs.. such as:
score RCVD_IN_XYZ 0

2) remove 20_dnsbl_tests.cf, but that will probably cause lint warnings 
because of the score statements in 50_scores.cf, so you'll have to hunt 
out and remove the offending score lines.


Generally speaking, I'd recommend option 1. Tweaking the .cf files in 
/usr/share/spamassassin can be a pain to recover from if you make a 
mistake, and the changes will be blown away if you upgrade.
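
One way to carry out option 1 without typing every score line by hand, as an added example that is not part of the original thread or of SpamAssassin itself: a Python script that reads rule definitions in the syntax of 20_dnsbl_tests.cf and prints `score NAME 0` overrides for local.cf while leaving a keep-list enabled. The sample rules (RCVD_IN_XYZ and friends, the example.invalid zones), the function names, and treating every `eval:check_rbl*` rule as RBL-type are assumptions made for this example.

```python
import re
import sys

# "header NAME eval:check_rbl...(": the check_rbl* family is treated as
# "RBL-type" here (an assumption made for this example).
RBL_RULE = re.compile(r"^\s*header\s+(\S+)\s+eval:(check_rbl\w*)\s*\(")

# Constructed sample in the syntax of 20_dnsbl_tests.cf; not the shipped file.
SAMPLE_CF = """\
header __RCVD_IN_XYZ      eval:check_rbl('xyz', 'dnsbl.example.invalid.')
tflags __RCVD_IN_XYZ      net
header RCVD_IN_XYZ        eval:check_rbl_sub('xyz', '127.0.0.2')
describe RCVD_IN_XYZ      Received via a relay in the XYZ list
header RCVD_IN_XYZ_DUL    eval:check_rbl_sub('xyz', '127.0.0.3')
header DNS_FROM_XYZ_RHSBL eval:check_rbl_from_host('xyzrhs', 'rhsbl.example.invalid.')
#header RCVD_IN_OLD       eval:check_rbl('old', 'old.example.invalid.')
header SUBJ_TEST          Subject =~ /test/i
"""


def rbl_rules(cf_text, include_subrules=False):
    """Return [(rule_name, eval_name)] for rules defined via an RBL-type eval.

    Names starting with "__" are sub-rules that add nothing to the score
    themselves, so they are skipped unless include_subrules is set.
    """
    found = []
    for line in cf_text.splitlines():
        m = RBL_RULE.match(line)  # commented-out lines do not match
        if not m:
            continue
        name, eval_name = m.groups()
        if name.startswith("__") and not include_subrules:
            continue
        found.append((name, eval_name))
    return found


def local_cf_overrides(cf_text, keep=()):
    """Build local.cf lines: RBL evals stay on, unwanted rules score 0."""
    keep = set(keep)
    lines = ["skip_rbl_checks 0"]  # 1 would disable the kept rules as well
    seen = set()
    for name, _ in rbl_rules(cf_text):
        if name in keep or name in seen:
            continue
        seen.add(name)
        lines.append(f"score {name} 0")
    return lines


if __name__ == "__main__":
    # Pass the path to a rules file, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CF
    print("\n".join(local_cf_overrides(text, keep={"DNS_FROM_XYZ_RHSBL"})))
```

The output goes into local.cf rather than the files under /usr/share/spamassassin, so it survives an upgrade; `spamassassin --lint` checks the result.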






Re: check_whitelist

2005-11-24 Thread Matt Kettler

At 01:57 PM 11/24/2005, Kevin W. Gagel wrote:

> Where does one get the check_whitelist tool?


It's in the tools subdirectory of the tarball.



> I used CPAN to install SpamAssassin (3.0.1) and a find on
> the system does not locate the tool.



Are you sure you did 3.0.1 not 3.1.0?


check in ~/.cpan/ and find where CPAN unpacked the SA tarball when building 
and installing to find it, otherwise just download the tarball and grab it 
out of that. 



Re: Getting RHSBLs to work

2005-11-24 Thread wolfgang
In an older episode (Thursday, 24. November 2005 10:42), Jeremy wrote:
> That's because my MTA does its own DNSBL checks, so I don't need the 
> multitude of additional DNSBL checks that SA does.

If I am not mistaken, SA's DNSBL checks will also score mails that have passed 
thru some listed host on the way to your MTA. So they would catch mails that 
blocking at the MTA level will not catch. If your system resources allow it, 
I would suggest to use DNSBL checks anyway.

cheers,

wolfgang



Re: Bayes mysql db error

2005-11-24 Thread Daniel Canas


On Nov 2, 2005, at 3:25 PM, Matthew S. Cramer wrote:


> On Wed, Nov 02, 2005 at 01:23:54PM -0600, Mike Loiterman wrote:
>
>> spamassassin -D --lint > debug.txt 2>&1
>>
>> [22511] dbg: bayes: database connection established
>> [22511] dbg: bayes: found bayes db version 3
>> [22511] dbg: bayes: unable to initialize database for root user, aborting!
>>
>> [22511] dbg: bayes: not scoring message, returning undef
>> [22511] dbg: bayes: opportunistic call attempt failed, DB not readable
>
> Have you tried running sa-learn with a piece of mail?  I run sitewide
> bayes (not per-user) in MySQL and after setting up the access and
> making the tables, my lint was failing like yours above.
>
> Doing an sa-learn to populate the tables with some data first allowed
> the lint to work without any bayes errors.




I had the exact same problem with sitewide bayes and running sa-learn  
and feeding it mail also fixed the problem...

Good thing for archives, it saved me a ton of time.



check_whitelist

2005-11-24 Thread Kevin W. Gagel
Where does one get the check_whitelist tool?

I used CPAN to install SpamAssassin (3.0.1) and a find on
the system does not locate the tool.

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel



Re: Block By Subject LIKE

2005-11-24 Thread Leonard SA

Thanks all for the suggestions..!

Regards ..

Leonard
- Original Message - 
From: "Jim Knuth" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, November 24, 2005 1:32 PM
Subject: Re: Block By Subject LIKE



Hello and good evening Leonard,

Today (on 24.11.2005 - 19:18)
  you wrote:


Hello List..


Is it possible to reject, add weight (score), etc mail by subject LIKE 
rules?



Regards ..



Leonard



yes. With header_checks, like pcre or regexp


--
Many greetings, Kind regards,
Jim Knuth
[EMAIL PROTECTED]
ICQ #277289867
PGP: 54C9 1A46 D3B2 95B6 454D 74FA AC73 773E 1F78 066F






Re: Block By Subject LIKE

2005-11-24 Thread Jim Knuth
Hello and good evening Leonard,

Today (on 24.11.2005 - 19:18)
   you wrote: 

> Hello List..

> Is it possible to reject, add weight (score), etc mail by subject LIKE rules?

> Regards ..

> Leonard


yes. With header_checks, like pcre or regexp


-- 
Many greetings, Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
 PGP: 54C9 1A46 D3B2 95B6 454D 74FA AC73 773E 1F78 066F



Block By Subject LIKE

2005-11-24 Thread Leonard SA



Hello List..
 
Is it possible to reject, add weight (score), etc 
mail by subject LIKE rules?
Regards ..
 
Leonard


Re: f-secure messaging security gateway x-series??

2005-11-24 Thread List Mail User
>...
>On Wednesday, 23 November 2005 23:11, jdow wrote:
>> From: "Mathias Homann" <[EMAIL PROTECTED]>
>>
>> > "the ProofPoint Spam Detection (TM) module uses the ProofPoint
>> > MLX(TM) technology for automated learning (pat.pend.)" which in
>> > itself doesn't tell
>>
>>  ^--- Somebody ought to
>> check that statement out. Automated learning is something SA has
>> been doing for quite a few years now so any prospective patent on
>> it in an anti-spam environment should be void. But it might be a
>> good idea to make sure the patent examiners are aware of this.
>
>another weak point of that thing is that they say it runs linux... and 
>i guess most of the other stuff "in there" is GPL'ed, too and i 
>can't for the life of me find the link to download the sources 
>anywhere...
>
>bye
>   MH
>
>-- 
>gpg key fingerprint: 5F64 4C92 9B77 DE37 D184  C5F9 B013 44E7 27BD 
>763C
>
One common misconception about the GPL is that a product having
GPL'd code must make the code source public;  Not true - the code source
must only be made available to people to whom the binaries are distributed,
i.e. people who buy the boxes.  I worked for a company that did all of
our major development tools based on GPL'd code - we avoided the download
(and archive - see clause 3a) requirements by shipping source with the
"product" to every licensee - further we wanted them to release the tools
to the "public" (this was a consumer product, sold to companies who used it
within their own products), but since they could ship without any GPL'd code
(just code generated by the GNU toolchain and other "generated" things), they
were not bound to release anything, and none of them did.

For a good commercial example, look at vxWorks, an embedded OS,
that makes heavy use of GPL'd code - all customers can get copies of the
code and/or download it (BTW. the vxWorks kernel is neither Linux nor GPL'd
and is the "actual" product of the company, so most consumer devices built
around vxWorks do *not* contain GPL'd code, just what the developers use
does), but the public has no access.  The important rule in clause 3 and
demonstrated and embodied by the explanatory text:
"
  For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have.  You must make sure that they, too, receive or can get the
source code.  And you must show them these terms so they know their
rights.
"
Put simply, the people who get the binaries must have access to
the code;  There is no explicit or implicit requirement that anyone else
have access - i.e. using GPL'd code does not mean the sources must be
made public, just made available to the people who buy the product.  If an
individual or company is *not* a recipient of the binary containing the
GPL'd code, there is no reason they should have access to its source.  Also,
a company creating products incorporating GPL'd code may choose to restrict
distribution by providing the source on media of their choice, so long as
they only charge reasonable media costs (i.e. a few dollars for the CD with
the code) - it needn't be "download-able" anywhere.

This is a fine point, but a very important one to the companies
using GPL'd code - they don't mind (or at least are willing to allow) paying
customers get access to the code, but they don't want or intend for it to
become generally available.

Of course, I am not a lawyer, and my interpretations may or may not
represent any already made or made in the future by any legal institution
or court.

Paul Shupak
[EMAIL PROTECTED]


Re: Blacklists and SA

2005-11-24 Thread Quin Parker

Just a short note to say many thanks for everybody's help with this.

Quin.




Getting RHSBLs to work

2005-11-24 Thread Jeremy
Hi all,
Am I correct in assuming that in order to get RHSBL rules to work - 
specifically, rules which use "eval:check_rbl_from_host" - then I must first 
have set skip_rbl_checks to 0 in my local.cf file? I'm using SA 3.0.4.

Currently I have skip_rbl_checks set to 1 and I'm finding that the RHSBL 
rules I have (eg. AHBL) don't appear to be working. I'm guessing this is the 
reason.

I do know that the skip_rbl_checks rule is used for enabling or disabling 
all the DNSBL rules in the 20_dnsbl_tests.cf file.

The thing is this: I would like to be able to use a couple of RHSBL rules, 
but I would not like to use all the DNSBL rules in the 20_dnsbl_tests.cf 
file. That's because my MTA does its own DNSBL checks, so I don't need the 
multitude of additional DNSBL checks that SA does. I just want the RHSBL 
ones which I have custom added.

So, what is the easiest/best way of enabling the RHSBL rules (which use 
"eval:check_rbl_from_host") while still disabling all the rules within 
20_dnsbl_tests.cf?

I know one solution is to set the scores of the DNSBL rules to 0 in my 
local.cf - but there are so many DNSBL rules in 20_dnsbl_tests.cf that I'd 
prefer to find another solution if possible.

Any advice would be appreciated!

Cheers,
Jeremy 





Re: Inconsistent Spam scores?

2005-11-24 Thread Chad
On 11/24/05, Chad <[EMAIL PROTECTED]> wrote:
> Disabling, and checking.
>
> I've been going over this thing on and off all night.  So far, the
> best change I made was the internal_networks
>
> It seems to work *almost* correctly now, but, as you noted, it seems
> it's getting checked twice now (from your description anyway :) )
>
> I'll keep you updated.
>
> Thanks for the help so far!
>
> Chad
>

And it gets sorted properly, there are no ALL_TRUSTED issues.  Thank you!

Now I guess I need to track down where this is happening.  I'll plug
through my postfix confs.

Thanks for the info and the help!

Chad


Re: Inconsistent Spam scores?

2005-11-24 Thread Chad
Disabling, and checking.

I've been going over this thing on and off all night.  So far, the
best change I made was the internal_networks

It seems to work *almost* correctly now, but, as you noted, it seems
it's getting checked twice now (from your description anyway :) )

I'll keep you updated.

Thanks for the help so far!

Chad


Re: Do I need these rules?

2005-11-24 Thread robert
That's just the thing, something was wrong but the system already has 2
gigs of memory. It appears that issue has been resolved though.

Thanks
Robert
> Adding memory is generally the cheapest and simplest way to handle machine
> overload in most cases. One should also carefully trim the maximum number
> of children so that SA comfortably fits entirely in RAM without hitting
> the swap file. When SA hits the swap file it very suddenly becomes very
> very slow. Off hand I'd suspect the sa_blacklist file would be quite
> redundant with and stale relative to the various BL tests.
>
> {^_^}
> - Original Message -
> From: <[EMAIL PROTECTED]>
>
>
>> Yes server was getting overloaded. So I went through all my old rules and
>> deleted them. Went from 36 rules down to 15 rules. Apparently there were a
>> couple that were obsolete. Also I noticed I had a sa-blacklist.cf file
>> with thousands of email addresses I got from some site awhile back. It was
>> a huge file. I also noticed the same file was being used for qmail,
>> badmailfrom file. So when I removed the sa-blacklist.cf file all of a
>> sudden I had a ton of memory available and the memory spamd used was a
>> fraction of what it was using originally. Again don't know if it was the
>> sa-blacklist.cf file. I know it wasn't the other cf files I removed because
>> after I removed those the spamd processes were still using a lot of
>> resources.
>>
>> As you can tell I'm not the most knowledgeable when it comes to running SA
>> so that's why I was asking about these other rules I found.
>>
>> Thanks
>> Robert
>>
>>> From: <[EMAIL PROTECTED]>
>>>
 I've been trying to "optimize" SA on my system and decided to look at the
 rules I have that SA uses. I'm using qmail with SA 3.1 on Fedora Core 2. I
 started SA in debug mode and noticed a bunch of rules running in another
 folder on top of what I have in my up to date rules folder. The rules in
 this other folder are in /usr/share/spamassassin. Should I delete all of
 these rules or do they need to be there?

 10_misc.cf
 20_drugs.cf
 20_phrases.cf
 25_body_tests_es.cf
 30_text_fr.cf
 20_anti_ratware.cf
 20_fake_helo_tests.cf
 20_porn.cf
 25_hashcash.cf
 30_text_nl.cf
 20_body_tests.cf
 20_head_tests.cf
 20_ratware.cf
 25_spf.cf
 30_text_pl.cf
 20_compensate.cf
 20_html_tests.cf
 20_uri_tests.cf
 25_uribl.cf
 50_scores.cf
 20_dnsbl_tests.cf
 20_meta_tests.cf
 23_bayes.cf
 30_text_de.cf
 60_whitelist.cf

 Sorry if it's a lot.
>>>
>>> It's not very much compared to what I run.
>>>
>>> Only you can define your "should". You know your conditions far better
>>> than any of us. Is your machine overloaded? If not then why "optimize"
>>> when it means it's very likely more spam will leak through? In my case
>>> optimize meant going to over 45 rule sets along with extensive
>>> user_prefs files. The machine spends about 141 seconds per hour
>>> filtering
>>> email. This 4% load does not materially affect its performance with
>>> anything else it does. So YMMV takes on a very strong meaning in this
>>> context.
>>>
>>> {^_^}
>>>
>>>
>>
>>
>> Robert Bartlett
>> Digital Phoenix iTechnologies
>
>


Robert Bartlett
Digital Phoenix iTechnologies


Re: Inconsistent Spam scores?

2005-11-24 Thread jdow

Good point. I'd noticed the different tag set. But the ALL_TRUSTED
rather distracted me when I noticed it.
{^_^}
- Original Message - 
From: "Matt Kettler" <[EMAIL PROTECTED]>



(Re-post to list. For some reason the post which quoted all of chad's email 
bounced back with a 10.4 score. No clue why, there's no spam quotes here, 
only one URIBL listed domain mentioned in the body report. One domain alone 
shouldn't be >10, even if it's listed in every URIBL in the universe)



Chad, based on the difference in hits on the two scores below, it sounds 
like you're double-scanning the email. Make sure you don't have an MTA 
integration that's scanning the mail before it gets to procmail.


 Also, try temporarily disabling both spamc calls in your procmail.rc, see 
if you still get X-Spam-Status headers.


Order of events:

The first time it's scanned, the message gets tagged, a body report is 
added, and the whole thing is encapsulated in a new message with new 
headers, including new Received: headers that show the message as being 
locally generated.


The second time around, the scan will get result because the message 
headers are different. The X-Spam-Status header gets over-written, but 
nothing else.


 Note that in the body (first scan) several RBLs hit (XBL, spamcop and 
NJABL_DUL) but the second time (X-Spam-Status) they don't fire and in their 
place ALL_TRUSTED matches, suggesting a locally generated email (such as 
the encapsulation).




At 09:11 PM 11/23/2005, Chad wrote:

Hello!

I've been googling and searching this list for a little over 2 hours
now and have yet to find this problem, or a fix for it.  If there is
something obvious I'm missing, feel free to point me in that
direction, but here goes:

I receive Spam from "Doctor" with the subject "Ultimate Online Pharmaceutical"

Its subject gets marked up correctly with my [SPAM] subject_rewrite,
and I have report_safe set to 1, so the message shows the score as:
Content analysis details:   (9.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.3 DATE_IN_FUTURE_12_24   Date: is 12 to 24 hours after Received: date
 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [217.217.190.99 listed in dnsbl.sorbs.net]
 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 2.5 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [217.217.190.99 listed in sbl-xbl.spamhaus.org]
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [217.217.190.99 listed in combined.njabl.org]
 0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: *MUNGED*]

As noted, it's a score of 9.2 points total.

But, when I check the header, it shows:

X-Spam-Level:
X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,
 DATE_IN_FUTURE_12_24,HTML_40_50,HTML_MESSAGE,MIME_HTML_MOSTLY,
 URIBL_SBL autolearn=no version=3.0.2-gr1