Re: Image spam

2006-01-26 Thread Chris Purves

Craig Baird wrote:
Since the first of the year, we've seen a barrage of image spam.  Some of it 
gets nailed by SA, but a lot of it seems to get through.  Most of it has a 
text/plain part with random or non-sensical text.  It also has a text/html 
part, also with random text.  Then, the actual spam (usually a stock spam) is 
contained in a 15k-20k .gif image.  I've found that many of these hit very few 
rules, and due to the random text, Bayes appears to be ineffective.  I'm using 
SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL.  Has 
anyone come up with a good way to stop these?




I've been seeing this also.  In fact, these are the only spam getting 
through presently (although the total amount of spam I get is very 
small).  I did notice that for one that got through it scored only 2 or 
3 points.  I tested it manually, maybe 8 hours later, and it scored 16.5 
points being listed on blacklists as well as razor or pyzor, so it's 
good to see that people are reporting.


--
Good day, eh.
Chris



Re: Image spam

2006-01-26 Thread MATSUDA Yoh-ichi
Hello.

From: Craig Baird <[EMAIL PROTECTED]>
Subject: Image spam
Date: Thu, 26 Jan 2006 10:21:14 -0700

> Since the first of the year, we've seen a barrage of image spam.  Some of it 
> gets nailed by SA, but a lot of it seems to get through.  Most of it has a 
> text/plain part with random or non-sensical text.  It also has a text/html 
> part, also with random text.  Then, the actual spam (usually a stock spam) is 
> contained in a 15k-20k .gif image.  I've found that many of these hit very 
> few 
> rules, and due to the random text, Bayes appears to be ineffective.  I'm 
> using 
> SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL.  Has 
> anyone come up with a good way to stop these?
> 
> Craig

Your SA is old, so I recommend upgrading to SA 3.1.0.

And, it seems to me that some rules failed to detect the image spam's
characteristics.
Especially, HTML_FONT_SIZE_*** rules don't seem to work correctly.

## --- rule examples ---

meta ___HTMLIMG HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 || HTML_IMAGE_ONLY_32 || HTML_IMAGE_RATIO_02

rawbody HTML_FONT_SIZE_TINY2 //i
describe HTML_FONT_SIZE_TINY2 
score HTML_FONT_SIZE_TINY2 0.5

meta IMGONLYHTML1 HTML_FONT_SIZE_TINY2 && ___HTMLIMG && BAYES_99

rawbody ___OBSCURED_TEXT1 /^(,|\!)($| \w)/
rawbody ___OBSCURED_TEXT2 /\w (,|\!) \w/

meta IMGONLYHTML2 ___OBSCURED_TEXT1 && ___OBSCURED_TEXT2 && ___HTMLIMG && BAYES_99

## --- rule examples ---

There are several types of image-only spam.
I wrote up two types of image spam in a hurry.
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
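The rules above lean on SpamAssassin's HTML_IMAGE_ONLY_* and HTML_IMAGE_RATIO_* tests plus a check for obscured filler text. As an added example, not part of this thread and not SpamAssassin's or MATSUDA's code, here is the same idea written out in Python: walk the MIME tree, count the words a reader would actually see in the HTML part, count <img> tags, and compare the bytes of image payload against the bytes of text. The thresholds (at most 40 visible words, image payload at least 10x the text bytes) are assumptions, not SpamAssassin's, and the sample message is constructed to match Craig's description (random plain text, an HTML part with little text and an inline image, a roughly 16 KB GIF); the addresses and subject in it are made up.

```python
"""Added example (not SpamAssassin code): a rough image-only-spam detector in
the spirit of the HTML_IMAGE_ONLY_* / HTML_IMAGE_RATIO_* rules.
Thresholds are assumptions; the sample message is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _HtmlText(HTMLParser):
    """Collect the visible text of an HTML part and count its <img> tags."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.images = 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.chunks.append(data)


def features(msg):
    """Per-message features: visible HTML words, <img> count, text vs image bytes."""
    f = {"html_words": 0, "html_imgs": 0, "text_bytes": 0, "image_bytes": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype == "text/html":
            parser = _HtmlText()
            parser.feed(payload.decode(part.get_content_charset() or "us-ascii", "replace"))
            visible = " ".join(parser.chunks)
            f["html_words"] += len(re.findall(r"\w+", visible))
            f["html_imgs"] += parser.images
            f["text_bytes"] += len(visible.encode())
        elif ctype == "text/plain":
            f["text_bytes"] += len(payload)
        elif ctype.startswith("image/"):
            f["image_bytes"] += len(payload)
    return f


def is_image_only(msg, max_html_words=40, min_image_ratio=10):
    """True when the HTML part shows an image but almost no words, and the
    image payload dwarfs all text. Both thresholds are assumed values."""
    f = features(msg)
    if f["html_imgs"] == 0 or f["image_bytes"] == 0:
        return False
    ratio = f["image_bytes"] / max(f["text_bytes"], 1)
    return f["html_words"] <= max_html_words and ratio >= min_image_ratio


def build_sample(html_text="harbor velvet nine", image_size=16000):
    """Constructed message shaped like the thread's description: filler plain
    text, an HTML part with little text plus an inline image, and a ~16 KB GIF.
    Addresses and subject are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "America's Microcaps"
    msg.set_content("quietly barrel ochre seventeen lantern moss pebble")
    msg.add_alternative(
        "<html><body><p>%s</p><img src=\"cid:chart\"></body></html>" % html_text,
        subtype="html")
    html_part = msg.get_payload()[1]
    # Fake GIF header followed by padding; only the size matters here.
    html_part.add_related(b"GIF89a" + b"\0" * image_size,
                          maintype="image", subtype="gif", cid="<chart>")
    # Round-trip through bytes so the analysis runs on a parsed message.
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    sample = build_sample()
    print(features(sample), is_image_only(sample))
```

A message with the same GIF but 80 visible words in the HTML, or with a 100-byte image, is not flagged, which is roughly the distinction the HTML_IMAGE_ONLY_nn and HTML_IMAGE_RATIO_nn buckets make; the Bayes and obscured-text conditions from the meta rules above would be added on top of this.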


Re: SpamAssassin logo (fwd)

2006-01-26 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


"Michele Neylon:: Blacknight.ie" writes:
> [EMAIL PROTECTED] wrote:
> > 
> > This came up separately, and is worth getting into the archives ;)
> > The higher-res SpamAssassin logo can be found in various formats here:
> > 
> > http://spamassassin.apache.org/logo/
> > 
> > I'm creating this wiki page:
> > 
> > http://wiki.apache.org/spamassassin/LogoDetails
> > 
> > right now to hold further details.  (I thought I'd done this before,
> > but it seems not. ;)
> > 
> > --j.
> 
> Justin
> Excellent!
> What are the license / usage details?

good question.  if I recall correctly, it's under the same license as
SpamAssassin itself -- ASL2.   Nothing online seems to contradict
that ;)

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFD2WVAMJF5cimLx9ARAtS+AJ9cXS7ZUEPhJJv7bUP5gNEH7afrxwCcDK1L
yTqJl4a4mZQ42orn00i0JfI=
=ndTq
-END PGP SIGNATURE-



Re: Spam filter logging

2006-01-26 Thread jdow

From: "Nathaniel Dell" <[EMAIL PROTECTED]>


Is it possible to see date time and sender information for email that is
filtered? 


Yes.

{^_^}   (I'm sure this is not the answer you wanted. But it does answer
   the question you asked. And actually, it is very hard not to see
   that information if you don't use one of those infernal things
   like amavis etc.)



Re: No X-Spam-Status (sa_tag_level_deflt = -100.0)

2006-01-26 Thread Gary V

> why would you leave $mydomain blank?

I tested a lot, and read there was(?) a bug and it was recommended to leave it blank.


Never heard of a bug of that sort.



> set
> $mydomain = 'client4.local.FQDN';
> and add
> @local_domains_maps = ( [".$mydomain"] );
>
> X-Spam headers are only added for recipient domains that are included in
> @local_domains_maps.

Thanks a lot, it took me days to find this out.

Now I get :

X-Spam-Status: No, score=0.009 tagged_above=-100 required=6.31
tests=[AWL=0.010, NO_RELAYS=-0.001]
X-Spam-Score: 0.009
X-Spam-Level:

How can I add a comment, which host made the entry. I would like to have
something like:

X-Spam-Status by ...


You can modify the X-Virus-Scanned line:
X-Virus-Scanned: Debian amavisd-new at client4.local.FQDN
it's the $X_HEADER_LINE setting.

The only configurable header field is the X-Virus-Scanned
($X_HEADER_TAG, $X_HEADER_LINE); others are not configurable,
you will have to modify the program. Be sure to only use
allowed characters as the header field head.

Read the amavisd.conf-sample file:
http://www.xmission.com/~jmcrc/amavisd.conf.html
For other amavisd-new related questions, you should join the amavis user's 
list:

https://lists.sourceforge.net/lists/listinfo/amavis-user


Al


Gary V

_
FREE pop-up blocking with the new MSN Toolbar – get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/




Re: No X-Spam-Status (sa_tag_level_deflt = -100.0)

2006-01-26 Thread Al Bogner
On Friday, 27 January 2006 00:06, Gary V wrote:

> >set
> >$mydomain = 'client4.local.FQDN';
> >and add
> >@local_domains_maps = ( [".$mydomain"] );
>
> Actually, your domain name is read from /etc/mailname in the
> 05-node_id file so you could actually just get rid of it here.
>
> It would have been nice if the Debian package maintainers added
> a few common settings in the 50-user file like:
> @local_domains_maps = ( [".$mydomain"] );

I checked this now with my SuSE 9.2 system, and the "large" /etc/amavisd.conf 
contained these entries.

With the SuSE machine I have the problem that I see X-Spam-Status _only_ if 
mails are sent within the local network, but I don't see a line with 
X-Spam-Status on mails from the internet. I am unsure if this is really a 
problem with local mails, but I didn't define any white- or blacklists and 
spam is moved to /var/spool/amavis/virusmails, so with the SuSE machine 
"something" seems to work.

Any ideas?

> I hate the new format they have devised. I wrote a little something
> about it but the setup is confusing enough that I don't even know if my
> findings are accurate:
>
> http://www200.pair.com/mecham/spam/debian-amavisd-new_2.3.3.html

I read this, but it won't help me with my old SuSE system.

galerkin.suse.de:spamassassin-3.0.4-1.3
galerkin.suse.de:perl-spamassassin-3.0.4-1.3
g168.suse.de:amavisd-new-2.1.2-5


A long time ago with SuSE 8.x everything worked fine, but 
these configuration changes can be a nightmare for a _user_.

Thank you again!

Al


RE: No X-Spam-Status (sa_tag_level_deflt = -100.0)

2006-01-26 Thread Gary V

/etc/default/spamassassin
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"



You do not need spamd when running amavisd-new.
This should be
ENABLED=0

in main.cf:


content_filter = smtp:[127.0.0.1]:10024


Should be more like:
content_filter = smtp-amavis:[127.0.0.1]:10024


localhost:10025 inet n   -   n   -   -   smtpd -o content_filter=


and in master.cf, your amavisd-new settings should be more like:

smtp-amavis unix -  -   -   -   2  smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20

127.0.0.1:10025 inet n  -   -   -   -  smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o mynetworks=127.0.0.0/8
   -o strict_rfc821_envelopes=yes
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks


See:
http://www200.pair.com/mecham/debian-postfix-2.2-amavisd/master.cf
and
http://www.ijs.si/software/amavisd/README.postfix.txt

WOW, I also see that these critical settings are nowhere to be found in any 
of the configuration files, so they should also be added and configured in 
50-user:


$max_servers  =  2;   # number of pre-forked children  (default 2)
$max_requests = 20;   # retire a child after that many accepts (default 10)

$child_timeout=5*60;  # abort child if it does not complete each task in
 # approximately n sec (default: 8*60 seconds)

Who knows what else they have left out. I am going to have to spend some 
time looking for things they have left out. Their mess is even bigger than I 
thought.


Gary V

_
On the road to retirement? Check out MSN Life Events for advice on how to 
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement




Re: No X-Spam-Status (sa_tag_level_deflt = -100.0)

2006-01-26 Thread Al Bogner
On Thursday, 26 January 2006 23:40, Gary V wrote:

> Did you ask on the amavis user's list?

No, I asked at the German lists Postfixbuch-users, debian and suse. I had no 
idea which is the right list to ask.

> why would you leave $mydomain blank?

I tested a lot, and read there was(?) a bug and it was recommended to leave it 
blank.

> set
> $mydomain = 'client4.local.FQDN';
> and add
> @local_domains_maps = ( [".$mydomain"] );
>
> X-Spam headers are only added for recipient domains that are included in
> @local_domains_maps.

Thanks a lot, it took me days to find this out.

Now I get :

X-Spam-Status: No, score=0.009 tagged_above=-100 required=6.31
tests=[AWL=0.010, NO_RELAYS=-0.001]
X-Spam-Score: 0.009
X-Spam-Level:

How can I add a comment, which host made the entry. I would like to have 
something like:

X-Spam-Status by ...

> See:
> http://www.ijs.si/software/amavisd/#faq-spam
>
> and start reading from:
> "No spam-related headers inserted?"

Thanks for this link. I read there, that my question above is amavis related, 
but maybe you can answer it in a line.

Al


Re: SpamAssassin logo (fwd)

2006-01-26 Thread Michele Neylon:: Blacknight.ie
[EMAIL PROTECTED] wrote:
> 
> This came up separately, and is worth getting into the archives ;)
> The higher-res SpamAssassin logo can be found in various formats here:
> 
> http://spamassassin.apache.org/logo/
> 
> I'm creating this wiki page:
> 
> http://wiki.apache.org/spamassassin/LogoDetails
> 
> right now to hold further details.  (I thought I'd done this before,
> but it seems not. ;)
> 
> --j.

Justin

Excellent!

What are the license / usage details?

Michele
-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239


RE: No X-Spam-Status (sa_tag_level_deflt = -100.0)

2006-01-26 Thread Gary V

$mydomain = '';


why would you leave $mydomain blank?

$sa_tag_level_deflt  = -100.0;  # add spam info headers if at, or above that level


set
$mydomain = 'client4.local.FQDN';
and add
@local_domains_maps = ( [".$mydomain"] );



Actually, your domain name is read from /etc/mailname in the
05-node_id file so you could actually just get rid of it here.

It would have been nice if the Debian package maintainers added
a few common settings in the 50-user file like:
@local_domains_maps = ( [".$mydomain"] );

I hate the new format they have devised. I wrote a little something
about it but the setup is confusing enough that I don't even know if my
findings are accurate:

http://www200.pair.com/mecham/spam/debian-amavisd-new_2.3.3.html

I wouldn't fault anyone who might be confused or have problems with
this setup.

Gary V

_
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/




Re: hapaxes and chi2

2006-01-26 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Bill Sickles writes:
> Hi,
> I have searched the [EMAIL PROTECTED] and [EMAIL PROTECTED] archives but
> didn't come up with a lot on this topic. Sorry if I missed something
> obvious but I am wondering if anyone is using hapaxes. Through googling I
> did see some references to a user or two turning this off as the database
> got too large (and slow?) so I am looking for some current opinions. My
> current database is 10M, learning to journal, bayes_journal_max_size
> 204800, bayes_expiry_max_db_size 30. Currently I am not seeing any
> performance issues. Before I turn on hapaxes I am wondering what I might
> expect in terms of machine resource consumption (CPU/memory) and
> successful spam hit rates as this feature claims to increase hit rates.
> I realize that I will need more disk (8 to 10 times current size). Also
> has anyone noticed an increase in FP's since this feature uses
> words/tokens that only occur once.
> 
> Is anyone using chi-squared combining? The few references I did hit in my
> searching seemed to have this turned on with hapaxes.

Everyone is using chi-squared combining, and hapaxes.  They both improve
matters quite a lot -- especially hapaxes, and they've been default
settings since the initial release of SpamAssassin 2.50.

I'm not sure it's even possible to turn them off anymore without
hacking the source ;)

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFD2VXJMJF5cimLx9ARAmQuAKCshWoZPObDhaRC0EfUuMjNlHpJigCaAgdR
fkAqYRFKFupXYSSfdVswYXM=
=wncR
-END PGP SIGNATURE-



SpamAssassin logo (fwd)

2006-01-26 Thread jm
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


This came up separately, and is worth getting into the archives ;)
The higher-res SpamAssassin logo can be found in various formats here:

http://spamassassin.apache.org/logo/

I'm creating this wiki page:

http://wiki.apache.org/spamassassin/LogoDetails

right now to hold further details.  (I thought I'd done this before,
but it seems not. ;)

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFD2VVQMJF5cimLx9ARAh3nAJwMYeH3KoeW51rNUFngyxZYcgfoDQCeN2O7
f/8l5ySaAiPS//2k2CuHFLY=
=0pNW
-END PGP SIGNATURE-



RE: No X-Spam-Status (sa_tag_level_deflt = -100.0)

2006-01-26 Thread Gary V

Hi,

I asked other mailinglists already and nobody could help me with my problem, 
since it works sometimes.


Did you ask on the amavis user's list?



What I am missing in a mail-header is something like this:
X-Spam-Status: No, hits=-5.895 tagged_above=-20 required=5 
tests=ALL_TRUSTED,

(from another system).

I have similar problems with different Linux distributions; with SuSE it works a 
little bit better. Here I am discussing an up-to-date Debian Sid system.
Detailed versions you see below.

For spam reasons I use FQDN instead of the existing configuration. Please let 
me know which info you need, too.




Received: from localhost (localhost.localdomain [127.0.0.1])
by client4.local.FQDN (Postfix) with ESMTP id 621E57359
for <[EMAIL PROTECTED]>; Thu, 26 Jan 2006 15:48:51 +0100 (CET)



$mydomain = '';


why would you leave $mydomain blank?

$sa_tag_level_deflt  = -100.0;  # add spam info headers if at, or above that level


set
$mydomain = 'client4.local.FQDN';
and add
@local_domains_maps = ( [".$mydomain"] );

X-Spam headers are only added for recipient domains that are included in 
@local_domains_maps.


See:
http://www.ijs.si/software/amavisd/#faq-spam

and start reading from:
"No spam-related headers inserted?"

Gary V

_
On the road to retirement? Check out MSN Life Events for advice on how to 
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement




No X-Spam-Status (sa_tag_level_deflt = -100.0)

2006-01-26 Thread Al Bogner
Hi,

I asked other mailinglists already and nobody could help me with my problem, 
since it works sometimes.

What I am missing in a mail-header is something like this:
X-Spam-Status: No, hits=-5.895 tagged_above=-20 required=5 tests=ALL_TRUSTED, 
(from another system).

I have similar problems with different Linux distributions; with SuSE it works a 
little bit better. Here I am discussing an up-to-date Debian Sid system. 
Detailed versions you see below.

For spam reasons I use FQDN instead of the existing configuration. Please let 
me know which info you need, too.

From [EMAIL PROTECTED]  Thu Jan 26 15:48:51 2006
Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1])
by client4.local.FQDN (Postfix) with ESMTP id 621E57359
for <[EMAIL PROTECTED]>; Thu, 26 Jan 2006 15:48:51 +0100 (CET)
Received: from client4.local.FQDN ([127.0.0.1])
by localhost (client4.local.FQDN [127.0.0.1]) (amavisd-new, port 
10024)
with ESMTP id 03668-01 for <[EMAIL PROTECTED]>;
Thu, 26 Jan 2006 15:48:49 +0100 (CET)
Received: by client4.local.FQDN (Postfix, from userid 0)
id 30C397357; Thu, 26 Jan 2006 15:48:49 +0100 (CET)
Date: Thu, 26 Jan 2006 15:48:49 +0100
To: [EMAIL PROTECTED]
Subject: Test
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <[EMAIL PROTECTED]>
From: root <[EMAIL PROTECTED]>
X-Virus-Scanned: Debian amavisd-new at client4.local.FQDN

Jan 26 15:48:49 client4 postfix/pickup[4727]: 30C397357: uid=0 from=
Jan 26 15:48:49 client4 postfix/cleanup[6041]: 30C397357: 
message-id=<[EMAIL PROTECTED]>
Jan 26 15:48:49 client4 postfix/qmgr[4728]: 30C397357: 
from=<[EMAIL PROTECTED]>, size=451, nrcpt=1 (queue active)
Jan 26 15:48:51 client4 postfix/smtpd[6050]: connect from 
localhost.localdomain[127.0.0.1]
Jan 26 15:48:51 client4 postfix/smtpd[6050]: 621E57359: 
client=localhost.localdomain[127.0.0.1]
Jan 26 15:48:51 client4 postfix/cleanup[6041]: 621E57359: 
message-id=<[EMAIL PROTECTED]>
Jan 26 15:48:51 client4 postfix/qmgr[4728]: 621E57359: 
from=<[EMAIL PROTECTED]>, size=952, nrcpt=1 (queue active)
Jan 26 15:48:51 client4 postfix/smtpd[6050]: disconnect from 
localhost.localdomain[127.0.0.1]
Jan 26 15:48:51 client4 amavis[3668]: (03668-01) Passed CLEAN, 
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: 
<[EMAIL PROTECTED]>, mail_id: SmG+YV9el+WD, Hits: 
0.015, 2238 ms
Jan 26 15:48:51 client4 postfix/smtp[6043]: 30C397357: 
to=<[EMAIL PROTECTED]>, orig_to=, relay=127.0.0.1[127.0.0.1], 
delay=2, status=sent (250 2.6.0 Ok, id=03668-01, from MTA([127.0.0.1]:10025): 
250 Ok: queued as 621E57359)
Jan 26 15:48:51 client4 postfix/qmgr[4728]: 30C397357: removed
Jan 26 15:48:51 client4 postfix/local[6052]: 621E57359: 
to=<[EMAIL PROTECTED]>, relay=local, delay=0, status=sent (delivered to 
command: procmail -a "$EXTENSION")
Jan 26 15:48:51 client4 postfix/qmgr[4728]: 621E57359: removed


/etc/amavis/conf.d/50-user
use strict;
$mydomain = '';
$sa_tag_level_deflt  = -100.0;  # add spam info headers if at, or above that 
level
1;  # insure a defined return


grep -r tag_level_deflt /etc/amavis/conf.d/
/etc/amavis/conf.d/20-debian_defaults:#$sa_tag_level_deflt  = 2.0;  # add spam 
info headers if at, or above that level
/etc/amavis/conf.d/20-debian_defaults:$sa_tag_level_deflt  = -100.0;
/etc/amavis/conf.d/50-user:$sa_tag_level_deflt  = -100.0;  # add spam info 
headers if at, or above that level



/etc/default/spamassassin
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"


aptitude search postfix | cut -c-30
p   bld-postfix
p   gforge-mta-postfix
i   postfix
p   postfix-dev
p   postfix-doc
p   postfix-gld
p   postfix-ldap
p   postfix-mysql
p   postfix-pcre
p   postfix-pgsql
p   postfix-policyd
p   postfix-smtpguard
v   postfix-tls
i   webmin-postfix


aptitude search amavis | cut -c-30
v   amavis
p   amavis-ng
p   amavis-ng-milter-helper
p   amavis-stats
i   amavisd-new
p   amavisd-new-milter


aptitude search spam | cut -c-30
v   libmail-spamassassin-perl
p   spamass-milter
i A spamassassin
p   spambayes
i   spamc
p   spamoracle
p   spamoracle-byte
p   spampd
p   spamprobe
p   sylpheed-claws-gtk2-spamas
p   sylpheed-claws-spamassassi
p   usermin-spamassassin
i   webmin-spamassassin


apt-cache policy postfix
postfix:
  Installed: 2.2.4-1.0.1
  Candidate: 2.2.4-1.0.1
  Version table:
 2.2.8-7 0
500 ftp://ftp.at.debian.org sid/main Packages
500 ftp://ftp.freenet.de sid/main Packages
 *** 2.2.4-1.0.1 0
900 ftp://ftp.at.debian.org etch/main Packages
900 ftp://ftp.freenet.de etch/main Packages
100 /var/lib/dpkg/status


apt-cache policy amavisd-new
amavisd-new:
  Installed: 1:2.3.3-2
  Candidate: 1:2.3.3-2
  Version table:
 1:2.3.3-4 0
500 ftp://ftp.at.debian.org sid/main Packages

Re: Image spam

2006-01-26 Thread Matt Kettler
Craig Baird wrote:
> Since the first of the year, we've seen a barrage of image spam.  Some of it 
> gets nailed by SA, but a lot of it seems to get through.  Most of it has a 
> text/plain part with random or non-sensical text.  It also has a text/html 
> part, also with random text.  Then, the actual spam (usually a stock spam) is 
> contained in a 15k-20k .gif image.  I've found that many of these hit very 
> few 
> rules, and due to the random text, Bayes appears to be ineffective.  I'm 
> using 
> SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL.  Has 
> anyone come up with a good way to stop these?

Hmm, I don't have much trouble getting the RBLs and Bayes to help out on these.
Here's my most recent image-only stock pump-and-dump spam.

Received: from HSI-KBW-082-212-042-044.hsi.kabelbw.de
(HSI-KBW-082-212-042-044.hsi.kabelbw.de [82.212.42.44])
by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id k0C9hPEn022507
for <[EMAIL PROTECTED]>; Thu, 12 Jan 2006 04:43:25 -0500
Subject: {SPAM}{!} America's Microcaps
Date:   Thu, 12 Jan 2006 10:43:20 -

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=17.571, required 5,
autolearn=spam, BAYES_80 2.00, EXTRA_MPART_TYPE 1.09,
HELO_DYNAMIC_IPADDR 4.20, HTML_90_100 0.11, HTML_IMAGE_ONLY_04 3.60,
HTML_MESSAGE 0.00, INFO_GREYLIST_NOTDELAYED -0.00,
MIME_HTML_MOSTLY 1.10, RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_XBL 3.90,
RELAY_DE 0.01)


SA 3.1.0 with the RelayCountry enabled (affects bayes performance somewhat).






SpamAssassin Socket Problems

2006-01-26 Thread Schulenberg Joshua
I'm using Fedora Core 4 and Perl 5.8.6. After
upgrading Perl (from RPM), SpamAssassin doesn't work
at all (tried v. 3.0 -> 3.1). It seems to be the only
Perl based application affected. I'm using Milter and
get this error: Jan 25 12:31:35 spamwall spamd[1939]:
prefork: sysread(9) not ready, wait max 300 secs

Then I switched to TCP Socket from UNIX and nothing
happens at all except: 
Jan 26 11:31:52 spamwall spamd[15003]: server
successfully spawned child process, pid 15156

Then..nothing. SpamAssassin works from spamc just fine
(like when calling from procmail). It seems to be only
when it's called from a socket, like with
spamass-milter. I have seen this problem multiple
times on lists..but there has been no solution.


__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


Re: New RDJ configs..

2006-01-26 Thread Chris Thielen

Martin Hepworth wrote:

Why? 


In /etc/mail/spamsassassin/RulesDuJour the filename is correct with the .cf
at the end not the .2?
 


Sorry for the rapid fire response.

As for "why?":

The script doesn't currently autodetect the filename being downloaded.  
If no filename is set, the CF_FILE var is empty.  The line that is 
causing your issue is:


   [ -f ${TMPDIR}/${CF_BASENAME}.2 ] && mv -f ${TMPDIR}/${CF_BASENAME}.2 ${SA_DIR}/${CF_FILE};


Since CF_FILE is empty, it simply moves CF_BASENAME.2 to SA_DIR/  
(instead of SA_DIR/CF_FILE)


HTH




Re: New RDJ configs..

2006-01-26 Thread Chris Thielen

Martin Hepworth wrote:


Hi all (and Chris Thielen specifically)

I'm trying to create some new RDJ config sets ... here's an example


JG_badhosts=9006;

CF_URLS[9006]="http://files.grayonline.id.au/rules/local_badhosts.cf";
CF_NAMES[9006]="James Gray's badhost rules";
PARSE_NEW_VER_SCRIPTS[9006]="${PERL} -ne 'print if /^\s*#.*(version|rev|revision|,v)[:\.\s]*[0-9]/i ;' | sort | tail -1";
#CF_MUNGE_SCRIPTS[9006]="nothing for this ruleset.";

(watch those line breaks!)

Anyway when I run RDJ with this in the trusted ruleset I get the following
file in /etc/mail/spamsassassin

local_badhosts.cf.2

(NB the .2 at the end of filename)

Why? 


In /etc/mail/spamsassassin/RulesDuJour the filename is correct with the .cf
at the end not the .2?




Hi Martin,

Add a CF_FILES[9006]="local_badhosts.cf" to your conf file; that should 
do the trick.  Give that a shot and let me know.


Chris





Image spam

2006-01-26 Thread Craig Baird
Since the first of the year, we've seen a barrage of image spam.  Some of it 
gets nailed by SA, but a lot of it seems to get through.  Most of it has a 
text/plain part with random or non-sensical text.  It also has a text/html 
part, also with random text.  Then, the actual spam (usually a stock spam) is 
contained in a 15k-20k .gif image.  I've found that many of these hit very few 
rules, and due to the random text, Bayes appears to be ineffective.  I'm using 
SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL.  Has 
anyone come up with a good way to stop these?

Craig


Re: Spam as attachments

2006-01-26 Thread mouss
Jim Maul wrote:
> 
> Exactly.  Since spam is not very black and white (like viruses) it is
> very difficult to detect.  Especially since one persons ham is anothers
> spam.  Deleting these messages entirely could be dangerous.  Now if you
> tag at a certain score, and delete at a much higher score, this may be a
> workable solution. 

even this is risky. If a sender uses a broken MUA (malformed html or
mime, invalid headers, bad/unnecessary quoted-printable, NO_REAL_NAME,
...) and relays via a "bad" ISP (listed in many BLs, adds advertising
footers that resemble those found in spam, ... etc), then the score can
get higher than one expects.

And if one adds rules that seem so natural, the situation can get worse.
I remember adding rules to catch '&' in URIs. This seemed great until I
got an FP. I then looked more at my rule and found a bug.

> Or perhaps just put all spam into a separate folder
> that can be searched for false positives.
> 

yes, I prefer this. If needed, one can use a script to run SA, possibly
with a different config, adding "unsafe" rules, to sort the spam into a
few groups, and deal with each group.


RE: Spam filter logging

2006-01-26 Thread Matthew.van.Eerde
Nathaniel Dell wrote:
> Is it possible to see date time and sender information for email that
> is filtered? 

SpamAssassin doesn't filter.  This will depend entirely on what you're using to 
filter (which in turn is using SpamAssassin)

But the answer is probably "yes, check your logs"

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Spam filter logging

2006-01-26 Thread Nathaniel Dell








Is it possible to see date time and sender information for
email that is filtered? 








RE: spamassassin --lint -D question

2006-01-26 Thread Gary V
We are running Spamassassin as a regular user.  Could someone please tell 
me the correct way to call spamassassin --lint -D ?


Thanks
Shane


When running as root, I use:

sudo -H -u username spamassassin --lint -D
or
su username -c 'spamassassin --lint -D'

Gary V

_
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/




RE: Spamassassin Stats

2006-01-26 Thread Vahric MUHTARYAN
Hi James, 

This is a paragraph of log ! 


Sun Jan 29 11:51:45 2006 [388] info: spamd: connection from hostname_of_machine [ip_of_machine_who_send_a_mail_to_spamd] at port 39798
Sun Jan 29 11:51:45 2006 [388] info: spamd: checking message <[EMAIL PROTECTED]> for nobody:0
Sun Jan 29 11:51:45 2006 [388] info: spamd: clean message (0.3/6.5) for nobody:0 in 0.0 seconds, 1403 bytes.
Sun Jan 29 11:51:45 2006 [388] info: spamd: result: .  0 - AWL scantime=0.0,size=1403,user=nobody,uid=0,required_score=6.5,rhost=remote_host_ip,raddr=ip_of_machine_who_send_a_mail_to_spamd,rport=39798,mid=,autolearn=disabled



-Original Message-
From: James Lay [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 26, 2006 5:10 PM
To: users@spamassassin.apache.org
Subject: Re: Spamassassin Stats

On Thu, 26 Jan 2006 10:02:26 -0500
Matt Kettler <[EMAIL PROTECTED]> wrote:

> Vahric MUHTARYAN wrote:
> >
> > Hi Everybody
> >
> > I'm very new spamassassin I want to get spamassassin stats with
> > sa-stats.pl but it's not working ...
> >
> > Spamd command is like this  -s /var/log/spamd.log
> >
> > But I'm getting an error , is there any style configuration for
> > getting stats correctly?
> >
> Depends.. the -s with a filename is not supported by all SA versions..
> what SA are you using?
> 
> SA versions older than 3.0.0 require a syslog facility name. They will
> NOT accept a filename.
> 

I agree. Try:

head /var/log/spamd.log
tail /var/log/spamd.log

or even:
cat /var/log/spamd.log

If you don't see anything exciting, the issue may lie above as Vahric
states.

James
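Nathaniel's question earlier on this page (date, time and sender of filtered mail) and the sa-stats.pl problem in this thread both come down to reading the lines that spamd or amavisd-new write to the log. As an added example, not sa-stats.pl and not code from the SpamAssassin or amavisd projects, the following Python parses spamd "result:" lines in the file-log form shown in Vahric's excerpt above and amavisd-new "Passed"/"Blocked" lines like the one in Al Bogner's mail.log excerpt, pulls out timestamp, sender (the amavis line carries it; the spamd line carries the spamd user and Message-ID instead), score and verdict, and tallies spam versus ham plus the senders and rules seen most on spam. The regular expressions are inferred from the lines quoted in this thread rather than taken from either program's source, so treat the exact formats as assumptions; the sample lines, addresses, mail_ids and Message-IDs are constructed.

```python
"""Added example (not sa-stats.pl or SpamAssassin code): extract timestamp,
sender, score and verdict from spamd and amavisd-new log lines and tally them.
Line formats are inferred from lines quoted in the thread; samples are constructed."""
import re
from collections import Counter

# spamd "result:" line as written to a file with -s (prefix format assumed).
SPAMD_RESULT = re.compile(
    r"^(?P<ts>.+?) \[\d+\] info: spamd: result: (?P<verdict>[.Y]) +"
    r"(?P<score>-?\d+(?:\.\d+)?) - (?P<tests>\S+) (?P<kv>\S+)$")

# amavisd-new verdict line with a syslog prefix (format assumed).
AMAVIS_VERDICT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ amavis\[\d+\]: \((?P<id>[^)]+)\) "
    r"(?P<action>Passed|Blocked) (?P<ccat>[A-Z-]+), <(?P<from>[^>]*)> -> "
    r"<(?P<to>[^>]*)>,.*?Message-ID: (?P<mid>[^,]*),.*\bHits: (?P<hits>-?\d+(?:\.\d+)?)")

# Constructed sample log: two spamd lines, two amavis lines, one unrelated line.
SAMPLE_LOG = """\
Sun Jan 29 11:51:45 2006 [388] info: spamd: result: .  0 - AWL scantime=0.0,size=1403,user=nobody,uid=0,required_score=6.5,rhost=127.0.0.1,raddr=127.0.0.1,rport=39798,mid=<a1@example.invalid>,autolearn=disabled
Sun Jan 29 11:52:10 2006 [388] info: spamd: result: Y 17 - BAYES_80,HELO_DYNAMIC_IPADDR,HTML_IMAGE_ONLY_04,RCVD_IN_XBL scantime=1.2,size=21904,user=nobody,uid=0,required_score=6.5,rhost=127.0.0.1,raddr=127.0.0.1,rport=39801,mid=<b2@example.invalid>,autolearn=spam
Jan 26 15:48:51 client4 amavis[3668]: (03668-01) Passed CLEAN, <root@client4.local.FQDN> -> <al@client4.local.FQDN>, Message-ID: <c3@client4.local.FQDN>, mail_id: SmG+YV9el+WD, Hits: 0.015, 2238 ms
Jan 26 16:02:13 client4 amavis[3670]: (03670-02) Blocked SPAM, <pump@example.invalid> -> <al@client4.local.FQDN>, quarantine: spam-x9, Message-ID: <d4@example.invalid>, mail_id: 7Qk2Lw, Hits: 17.571, 3102 ms
Jan 26 16:02:14 client4 postfix/qmgr[4728]: 621E57359: removed
"""


def parse_spamd_line(line):
    """spamd result line -> record, or None. '.' is ham, 'Y' is spam."""
    m = SPAMD_RESULT.match(line)
    if not m:
        return None
    kv = dict(item.split("=", 1) for item in m["kv"].split(",") if "=" in item)
    return {
        "source": "spamd", "time": m["ts"], "sender": None, "recipient": None,
        "user": kv.get("user"), "message_id": kv.get("mid") or None,
        "score": float(m["score"]), "spam": m["verdict"] == "Y",
        "tests": [] if m["tests"] == "none" else m["tests"].split(","),
    }


def parse_amavis_line(line):
    """amavisd-new verdict line -> record, or None. Spam is judged by the
    content category, so a tagged-but-passed SPAM still counts as spam."""
    m = AMAVIS_VERDICT.match(line)
    if not m:
        return None
    return {
        "source": "amavis", "time": m["ts"], "sender": m["from"],
        "recipient": m["to"], "user": None, "message_id": m["mid"],
        "score": float(m["hits"]), "spam": m["ccat"] == "SPAM",
        "tests": [], "action": m["action"],
    }


def parse_log(lines):
    """One record per recognised verdict line; other lines are skipped."""
    records = []
    for line in lines:
        rec = parse_spamd_line(line) or parse_amavis_line(line)
        if rec:
            records.append(rec)
    return records


def summarize(records):
    """Spam/ham counts plus the senders and rules seen most often on spam."""
    summary = {"spam": 0, "ham": 0,
               "spam_senders": Counter(), "spam_rules": Counter()}
    for rec in records:
        if rec["spam"]:
            summary["spam"] += 1
            if rec["sender"]:
                summary["spam_senders"][rec["sender"]] += 1
            summary["spam_rules"].update(rec["tests"])
        else:
            summary["ham"] += 1
    return summary


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG.splitlines()):
        print(rec["time"], rec["source"], rec["sender"], rec["score"], rec["spam"])
    print(summarize(parse_log(SAMPLE_LOG.splitlines())))
```

For a real file, feed `open("/var/log/spamd.log")` or the mail log to parse_log instead of SAMPLE_LOG; if spamd logs through syslog rather than to a file with -s, the prefix before "[pid] info:" differs and SPAMD_RESULT's leading group must be adjusted.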



RE: Spamassassin Stats

2006-01-26 Thread Vahric MUHTARYAN
Hi 

I'm using 3.1.0 


-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 26, 2006 5:02 PM
To: Vahric MUHTARYAN
Cc: users@spamassassin.apache.org
Subject: Re: Spamassassin Stats

Vahric MUHTARYAN wrote:
>
> Hi Everybody
>
> I'm very new spamassassin I want to get spamassassin stats with
> sa-stats.pl but it's not working ...
>
> Spamd command is like this  -s /var/log/spamd.log
>
> But I'm getting an error , is there any style configuration for
> getting stats correctly?
>
Depends.. the -s with a filename is not supported by all SA versions..
what SA are you using?

SA versions older than 3.0.0 require a syslog facility name. They will
NOT accept a filename.



Fw: spamassassin --lint -D question

2006-01-26 Thread tsmullins



Since we are running amavisd-new, this 
works:
 
/usr/local/sbin/amavisd debug-sa
 
Thanks 
Shane
 
- Original Message - 
From: [EMAIL PROTECTED] 
To: users@spamassassin.apache.org 

Sent: Thursday, January 26, 2006 10:13 AM
Subject: spamassassin --lint -D question

We are running Spamassassin as a regular 
user.  Could someone please tell me the correct way to call spamassassin 
--lint -D ?
 
Thanks 
Shane
 


Re: bayes_seen and bayes_toks DB size

2006-01-26 Thread Theo Van Dinter
On Thu, Jan 26, 2006 at 10:52:20AM +0100, Steven Moix wrote:
> I'm currently running a mail server with Postfix + amavisd-new + SA  
> 3.1 with a global bayesian filtering and auto-learn enabled. It works  
> perfectly except that since some days I notice that my bayes_seen and  
> bayes_toks databases are not growing anymore...let's have a look at  
> the current status (size in bytes, date, file):

Yeah, that's perfectly fine.  Berkeley DB expands the file when it needs to,
but preallocates space to be more efficient for new entries.  This works well,
but makes it difficult to get the space back since the DB file stays the same
size even if you delete all the entries -- which is why SA has to build a new
DB, copy over entries, then delete and swap, whenever we do an expire.

> I also tried to increase the "bayes_expiry_max_db_size" from 15 to  
> 50 but it didn't change anything...

That setting tells SA to let more tokens go into the DB, but we leave managing
the DB file to Berkeley DB so it'll expand when it has to expand.

-- 
Randomly Generated Tagline:
"Aiee!" - Linux kernel error message




spamassassin --lint -D question

2006-01-26 Thread tsmullins



We are running Spamassassin as a regular user.  Could someone please tell me
the correct way to call spamassassin --lint -D ?
 
Thanks 
Shane
 


Re: Spamassassin Stats

2006-01-26 Thread James Lay
On Thu, 26 Jan 2006 10:02:26 -0500
Matt Kettler <[EMAIL PROTECTED]> wrote:

> Vahric MUHTARYAN wrote:
> >
> > Hi Everybody
> >
> > I’m very new to spamassassin. I want to get spamassassin stats with
> > sa-stats.pl but it’s not working ...
> >
> > Spamd command is like this:  -s /var/log/spamd.log
> >
> > But I’m getting an error. Is there any style configuration for
> > getting stats correctly?
> >
> Depends.. the -s with a filename is not supported by all SA versions..
> what SA are you using?
> 
> SA versions older than 3.0.0 require a syslog facility name. They will
> NOT accept a filename.
> 

I agree. Try:

head /var/log/spamd.log
tail /var/log/spamd.log

or even:
cat /var/log/spamd.log

If you don't see anything exciting, the issue may lie above as Vahric
states.

James


Re: Spamassassin Stats

2006-01-26 Thread Matt Kettler
Vahric MUHTARYAN wrote:
>
> Hi Everybody
>
> I’m very new to spamassassin. I want to get spamassassin stats with
> sa-stats.pl but it’s not working ...
>
> Spamd command is like this:  -s /var/log/spamd.log
>
> But I’m getting an error. Is there any style configuration for
> getting stats correctly?
>
Depends.. the -s with a filename is not supported by all SA versions..
what SA are you using?

SA versions older than 3.0.0 require a syslog facility name. They will
NOT accept a filename.



Spamassassin Stats

2006-01-26 Thread Vahric MUHTARYAN

Hi Everybody

I’m very new to SpamAssassin. I want to get SpamAssassin stats with
sa-stats.pl but it’s not working ...

Spamd command is like this:  -s /var/log/spamd.log

But I’m getting an error. Is there any style configuration for getting
stats correctly?

./sa-stats.pl -t < /var/log/spamd.log

SpamAssassin statistics for today (Jan 29) -> Don’t worry about the time,
it’s wrong, I know :) but the logs are also Jan 29
--

No ham (clean) messages found in logfile.
No spam (identified) messages found in logfile.
Due to the above, not enough information is available to calculate
global statistics.

Username:   Total:   Ham:   Spam:   % Spam:

Username:   Avg. ham score:   Avg. spam score:

Thanks
Vahric
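
A minimal re-implementation of what sa-stats.pl computes from spamd's "result:" lines, added here as an example (it is neither the list's nor SpamAssassin's own code). The result-line layout assumed is the one SA 3.x spamd writes, the sample log lines are constructed, and an empty result is exactly the "No ham/spam messages found in logfile" case above:

```python
import re
from collections import defaultdict

# spamd writes one "result:" line per scanned message; the syslog and "-s <file>"
# prefixes differ, so only the text after "spamd:" is matched (assumed 3.x format).
RESULT_RE = re.compile(r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+(?:\.\d+)?) - (?P<rules>\S+) (?P<opts>.*)")

def parse_result_line(line):
    """Return verdict, score, hit rules and user for a result line, else None."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    opts = dict(re.findall(r"(\w+)=([^,]*)", m.group("opts")))
    return {
        "spam": m.group("verdict") == "Y",   # Y = spam, . = ham
        "score": float(m.group("score")),
        "rules": m.group("rules").split(","),
        "user": opts.get("user", "unknown"),
    }

def summarize(lines):
    """Per-user ham/spam counts and average scores, the figures sa-stats.pl prints."""
    acc = defaultdict(lambda: {"ham": 0, "spam": 0, "ham_sum": 0.0, "spam_sum": 0.0})
    for line in lines:
        rec = parse_result_line(line)
        if rec is None:
            continue  # "connection from", "processing message", ... carry no verdict
        a = acc[rec["user"]]
        kind = "spam" if rec["spam"] else "ham"
        a[kind] += 1
        a[kind + "_sum"] += rec["score"]
    out = {}
    for user, a in acc.items():
        total = a["ham"] + a["spam"]
        out[user] = {
            "total": total, "ham": a["ham"], "spam": a["spam"],
            "pct_spam": round(100.0 * a["spam"] / total, 1),
            "avg_ham": round(a["ham_sum"] / a["ham"], 1) if a["ham"] else None,
            "avg_spam": round(a["spam_sum"] / a["spam"], 1) if a["spam"] else None,
        }
    return out  # {} is the "No ham/spam messages found in logfile" case

# Constructed sample log (syslog-style prefix): two spam, one ham, one line without a verdict.
SAMPLE_LOG = """\
Jan 26 10:02:26 mx spamd[2345]: connection from localhost [127.0.0.1] at port 40120
Jan 26 10:02:28 mx spamd[2345]: spamd: result: Y 16 - BAYES_99,RAZOR2_CHECK,URIBL_SBL scantime=2.1,size=4311,user=vahric,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40120,mid=<a@example.invalid>,bayes=0.9998,autolearn=spam
Jan 26 10:03:11 mx spamd[2346]: spamd: result: . -2 - ALL_TRUSTED scantime=0.8,size=2100,user=vahric,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40121,mid=<b@example.invalid>,bayes=0.0001,autolearn=ham
Jan 26 10:04:02 mx spamd[2347]: spamd: result: Y 8 - HTML_IMAGE_ONLY_16,MIME_HTML_MOSTLY scantime=1.4,size=19870,user=craig,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40122,mid=<c@example.invalid>,bayes=0.5,autolearn=no
"""
```

If `summarize()` returns `{}` for a real log, spamd is not writing result lines to that file, which is the first thing to check before blaming sa-stats.pl.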



Re: Spam as attachments

2006-01-26 Thread Jim Maul

mouss wrote:
> Jim Maul wrote:
>> Well for one, it eliminates the possibility of false negatives being
>> deleted.
>
> you mean False Positives.

Yes of course, my mistake.

> The OP probably doesn't know that no filter can detect all spam, and
> just spam. Any filter will have some amount of:
>
> - False positives: ham classified as spam
> - False negatives: missed spam
>
> It takes some time to tweak SA to minimize these, if ever possible.

Exactly.  Since spam is not very black and white (like viruses) it is 
very difficult to detect.  Especially since one person's ham is another's 
spam.  Deleting these messages entirely could be dangerous.  Now if you 
tag at a certain score, and delete at a much higher score, this may be a 
workable solution.  Or perhaps just put all spam into a separate folder 
that can be searched for false positives.


-Jim



bayes_seen and bayes_toks DB size

2006-01-26 Thread Steven Moix

Hello all,

I'm currently running a mail server with Postfix + amavisd-new + SA  
3.1 with a global bayesian filtering and auto-learn enabled. It works  
perfectly except that since some days I notice that my bayes_seen and  
bayes_toks databases are not growing anymore...let's have a look at  
the current status (size in bytes, date, file):


20548 Jan 26 10:29 bayes_journal
323584 Jan 26 10:27 bayes_seen (That's exactly 316x1024)
5242880 Jan 26 10:27 bayes_toks (That's exactly 5120x1024)

The bayes_journal file is rotating from 0 to 102400 bytes according  
to the "bayes_journal_max_size 102400" directive and every time it  
hits its maximum size the date on the bayes_seen and bayes_toks  
files gets updated, so something is happening to these files.


I think that I have reached a point where the old tokens are simply  
being replaced with new ones from the bayes_journal and that's why  
the file size doesn't increment anymore...am I right?


I also tried to increase the "bayes_expiry_max_db_size" from 15 to  
50 but it didn't change anything...


Thanks
Steven