Re: Message to list rejected because it's too spamful!
From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> On 3/18/2006 10:34 PM, jdow wrote: From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> On 3/18/2006 9:03 PM, jdow wrote: Yah know, that does suggest there should be a "whitelist_to" option for those who setup honeypot accounts. (That way, Theo, spam COULD be sent to this list. I'm pretty sure SpamAssassin already has a similar feature. I think it's called whitelist_to. :) man Mail::Spamassassin::Conf Doesn't show it unless I scanned too fast. Which I did. So consider it a wry comment about the spam scanning at Apache.org. One would THINK they would be consuming their own coffee and using SpamAssassin, wouldn't one? So there is no THEORETICAL reason they cannot allow spam to the SA list or simply spammy message portions for "whyinelldidthisgetthrough?" Sure there is. Any spam that is accepted gets sent to the list moderators, who I would assume (theoretically) would rather not have it. THAT begs for a whole host of smart replies and observations I think I will leave for others to make or assume. In any case, paste bot, etc., works fine, if not better. 20 seconds out of the way - it ain't worth it. Data lost until someone else complains. I just build a rule and go on my way. Sometimes the rule works well, sometimes not. By the time I know which it is the SARE crew has rules for it. But if I catch a problem in SpamAssassin I do like to let folks know, such as that bug in the special code for QMAIL headers that came up a little bit ago. Broach it here first to see if others have experience with the bug then BZ it, if I can survive the GUI from Hades itself. {o.o}<- opinionated as ever. {^_-}
Re: Message to list rejected because it's too spamful!
On 3/18/2006 10:34 PM, jdow wrote: From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> On 3/18/2006 9:03 PM, jdow wrote: Yah know, that does suggest there should be a "whitelist_to" option for those who setup honeypot accounts. (That way, Theo, spam COULD be sent to this list. I'm pretty sure SpamAssassin already has a similar feature. I think it's called whitelist_to. :) man Mail::Spamassassin::Conf Doesn't show it unless I scanned too fast. Which I did. So consider it a wry comment about the spam scanning at Apache.org. One would THINK they would be consuming their own coffee and using SpamAssassin, wouldn't one? So there is no THEORETICAL reason they cannot allow spam to the SA list or simply spammy message portions for "whyinelldidthisgetthrough?" Sure there is. Any spam that is accepted gets sent to the list moderators, who I would assume (theoretically) would rather not have it. In any case, paste bot, etc., works fine, if not better.
Re: Message to list rejected because it's too spamful!
From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> On 3/18/2006 9:03 PM, jdow wrote: Yah know, that does suggest there should be a "whitelist_to" option for those who setup honeypot accounts. (That way, Theo, spam COULD be sent to this list. I'm pretty sure SpamAssassin already has a similar feature. I think it's called whitelist_to. :) man Mail::Spamassassin::Conf Doesn't show it unless I scanned too fast. Which I did. So consider it a wry comment about the spam scanning at Apache.org. One would THINK they would be consuming their own coffee and using SpamAssassin, wouldn't one? So there is no THEORETICAL reason they cannot allow spam to the SA list or simply spammy message portions for "whyinelldidthisgetthrough?" {^,-}
Re: Message to list rejected because it's too spamful!
On 3/18/2006 9:03 PM, jdow wrote: Yah know, that does suggest there should be a "whitelist_to" option for those who setup honeypot accounts. (That way, Theo, spam COULD be sent to this list. I'm pretty sure SpamAssassin already has a similar feature. I think it's called whitelist_to. :)
Re: Message to list rejected because it's too spamful!
From: "jdow" <[EMAIL PROTECTED]> From: "Philip Prindeville" <[EMAIL PROTECTED]> Matt Kettler wrote: Philip Prindeville wrote: Grrr... Can we enable whitelisting for list members? Read the archives, in short, no, because it's a blanket server that covers ALL ASF email, not just this list. There's no way that you can add a rule that says if the message is going to users@spamassassin.apache.org and the Subject begins with [SPAMFUL] then you could score it as -100.0? Yah know, that does suggest there should be a "whitelist_to" option for those who setup honeypot accounts. And while my mind is fertile (as in full of ) today I just flashed on the concept of a modified SpamAssassin tool as a "RepeatAssassin" for mailinglists. If an issue has come up before it fires off the WHOLE thread to the (hapless) repeat poster to bring him up to speed automatically. It should be pretty easy with a clever enough tweak on Bayes and rules (I think I better exit stage left, FAST!>{O,o})
Re: Message to list rejected because it's too spamful!
From: "Philip Prindeville" <[EMAIL PROTECTED]> Theo Van Dinter wrote: On Sat, Mar 18, 2006 at 04:05:03PM -0500, Matt Kettler wrote: Philip Prindeville wrote: Grrr... Can we enable whitelisting for list members? Read the archives, in short, no, because it's a blanket server that covers ALL ASF email, not just this list. Generally, instead of posting spam examples here (which is discouraged anyway: http://wiki.apache.org/spamassassin/DoYouWantMySpam), you could post it up on the web somewhere (http://sial.org/pbot/spamassassin/ for instance) and then point to it from your mail. :) Actually, I *didn't* post spam. I put it on Pastebin, and sent a link I did however include some excerpts from the spam inline... And apparently it caused the triggers... I'll send the message as a bounce to you and Matt out-of-band. I very seldom bother to post spam samples, including some rather clever innovative tricks. Your approach violates the 20 second half of The Rule. {^_^}
Re: Message to list rejected because it's too spamful!
From: "Philip Prindeville" <[EMAIL PROTECTED]> Matt Kettler wrote: Philip Prindeville wrote: Grrr... Can we enable whitelisting for list members? Read the archives, in short, no, because it's a blanket server that covers ALL ASF email, not just this list. There's no way that you can add a rule that says if the message is going to users@spamassassin.apache.org and the Subject begins with [SPAMFUL] then you could score it as -100.0? Yah know, that does suggest there should be a "whitelist_to" option for those who setup honeypot accounts. (That way, Theo, spam COULD be sent to this list. This avoids running afoul of the "20-20" rule. "If something is 20' or 20 seconds out of the way it gets avoided unless the need is REALLY important." A spamassassin_samples mailing list might be generated for the purpose. Then posting the spam is only a couple second out of the way and it will happen, even if it gets ignored.) {^_^}
Re: Huge size of bayes_journal
From: "MJ" <[EMAIL PROTECTED]>

> You can and probably should remove the journal file. These are unlearned tokens, so they aren't affecting the classification of mail. The journal is
> so huge that it might take days to learn, and it also indicates that you are accumulating new material fairly quickly. So losing the current journal
> file shouldn't hurt anything.

Hi Loren Wilton, Are you sure that it will not have any adverse effect on my system, I am not in the position to take any chance?

Rename it and see if the system runs OK. If it does, delete it. {^_^}
AWL maintenance
I know there are varying opinions on whether the AutoWhiteList option is a good idea or not, and I'm starting to have my doubts, but bear with me as I attempt to describe problems I am having even maintaining it at what I would consider an acceptable level as an administrator.

Firstly, I'm using spamassassin-3.0.2-1, if it matters. Generally, I am pleased with the AWL feature, but as an administrator, better and more functional tools for maintaining it are really necessary (and I hope I'm missing something and someone here can lend advice, if so).

Firstly, documentation describes two ways to adjust things in the autowhitelist for your installation (and the documentation is really poor, at best). The problem comes with how these adjustments are implemented. Let me give an example of an email that is firing your AWL and adjusting scores below a spam threshold because of it. If this adjustment is radical, when I go through my logs to tweak the AWL, I would like to be able to adjust it, but you simply cannot under the current implementation, unless I am missing something.

I'm not even going to get into some of the features missing in using 'spamassassin -R' on an email, but removing every instance of every single email address from whatever email you pass to it is ludicrous. It removes senders, receivers; it removes everything in the entire email that even looks like an email address. It doesn't even care that the initial placement of the sender in the AWL list actually looked at the email to determine what it was.. it just removes every single email address in that email from the AWL list. Why doesn't it use the same logic it used to add or compare that sender to the AWL list when you do a removal with -R? The concept that it doesn't is really ludicrous.

The second thing it does that is improper is that the AWL list is NOT just based on an 'email address', it is based on an email address TIED to a #.# IP range. Where is the argument that allows one to specify this IP? Am I missing it? The -R argument, as I have experienced it, removes EVERY SINGLE instance of that email-address "FROM" sender, without regard to the FACT that that address could have numerous IP pairs associated with it.

So, without further complaining, someone please point me in the right direction with regard to how to make intelligent adjustments to the AWL. I have written scripts which parse out the proper email addresses and IPs, but I can only pass an 'email address' to the removal portion of spamassassin, and as I have stated, that removes every single instance of that email address, regardless of whether or not it has 1 or 100 entries in the AWL with different IP blocks associated to it. (And, by the way, if anyone else is writing scripts to pass to spamassassin to adjust the AWL intelligently and for their specific installations, I can give a lot of advice on what is just plain 'odd' behaviour from spamassassin when it parses an email message after being passed the '-R' argument. Many of them are certainly bugs, but I can get around them if someone can explain how I can inform spamassassin to delete a specific emailaddress+IP pair instead of every single emailaddress it matches).

Alternatively, the options which allow a "+100" adjustment to the AWL for a specific email address, I have not played with much, but I would think the same question/problem would arise. What IP, in the #.# format the autowhitelist uses, does that refer to, or does it just add 100 to them all?

Thanks for any help,

-- View this message in context: http://www.nabble.com/AWL-maintenance-t1304878.html#a3476947 Sent from the SpamAssassin - Users forum at Nabble.com.
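A simplified model of the behaviour described in the message above, added here as an illustration (it is not SpamAssassin's code and not part of the original post). `AwlModel`, `remove_pair`, the 0.5 averaging factor and the sample entries are assumptions of the model; it shows why keying on address plus a #.# IP prefix makes an address-only removal drop every pair, while a pair-aware removal drops only one.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    count: int = 0      # messages seen for this (address, #.# prefix) pair
    total: float = 0.0  # sum of their pre-adjustment scores


class AwlModel:
    """Toy auto-whitelist keyed on sender address + first two IPv4 octets."""

    def __init__(self, factor=0.5):
        # Assumption of this model: how far a score is pulled toward the mean.
        self.factor = factor
        self.entries = {}

    @staticmethod
    def key(addr, ip):
        octets = ip.split(".")
        if len(octets) != 4:
            raise ValueError("this model handles dotted-quad IPv4 only")
        return (addr.strip().lower(), ".".join(octets[:2]))

    def adjust(self, addr, ip, score):
        """Return the AWL-adjusted score, then record the raw score."""
        entry = self.entries.setdefault(self.key(addr, ip), Entry())
        adjusted = score
        if entry.count:
            mean = entry.total / entry.count
            adjusted = score + (mean - score) * self.factor
        entry.count += 1
        entry.total += score
        return adjusted

    def pairs_for(self, addr):
        """List the #.# prefixes that have history for this address."""
        addr = addr.strip().lower()
        return sorted(prefix for a, prefix in self.entries if a == addr)

    def remove_address(self, addr):
        """Address-only removal: every pair for the address is dropped."""
        addr = addr.strip().lower()
        doomed = [k for k in self.entries if k[0] == addr]
        for k in doomed:
            del self.entries[k]
        return len(doomed)

    def remove_pair(self, addr, ip):
        """Hypothetical pair-aware removal: drop one address+prefix entry."""
        return self.entries.pop(self.key(addr, ip), None) is not None


def sample_awl():
    """Constructed history: one sender address seen from two networks."""
    awl = AwlModel()
    # Real correspondent: four low-scoring messages from 192.0.x.x.
    awl.entries[("alice@example.com", "192.0")] = Entry(4, -8.0)
    # Forged use of the same address from 198.51.x.x: two high scores.
    awl.entries[("alice@example.com", "198.51")] = Entry(2, 40.0)
    return awl


if __name__ == "__main__":
    awl = sample_awl()
    # A message scoring 10.0 from the "good" network is pulled down to 4.0.
    print(awl.adjust("alice@example.com", "192.0.2.55", 10.0))
    print(awl.pairs_for("alice@example.com"))
    print(awl.remove_pair("alice@example.com", "198.51.100.200"))
    print(awl.remove_address("alice@example.com"))
```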
Re: bayes_dump_to_trusted_networks
On Saturday 18 March 2006 4:38 pm, Theo Van Dinter wrote:
> On Sat, Mar 18, 2006 at 04:27:34PM -0600, Chris wrote:
> > However, this always results in an empty trust.cf file. I'm running it
> > from the ~/.spamassassin folder where my bayes files are located.
> > Could someone point out what I'm doing wrong. I'm running SA 3.1.0 and
> > the bayes_dump_to_trusted_networks script is from the SA 3.1.0 tools
> > source.
>
> That script will no longer work (SA 3.0 and later). It just hasn't been
> removed from the tools dir yet (about to be fixed).
>
> Sorry.

Well, I guess that explains it, thanks Theo.

--
Chris
Registered Linux User 283774 http://counter.li.org
18:01:02 up 18 days, 22:04, 1 user, load average: 0.00, 0.05, 0.07
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Re: ALL TRUSTED - not natted - getting negative scored spam
On 3/18/06, mouss <[EMAIL PROTECTED]> wrote:
> Terry wrote:
> > Actually,
> >
> > I got the ALL_TRUSTED I think but I cannot get the x-spam-status
> > header to show up to even start debugging.
>
> What tells you you "got the ALL_TRUSTED" if you don't get a header?
>
> > SA is being called from
> > amavisd. I have these settings in amavisd.conf:
> >
> > $sa_tag_level_deflt = undef;
> > $sa_tag2_level_deflt = 5.0;
> > $sa_kill_level_deflt = 5.0;
> > $sa_dsn_cutoff_level = 9;
> > $sa_quarantine_cutoff_level = 20;
> >
> > The first one says I should get headers no matter what, no? Only
> > relevant header I am getting is:
> > X-Virus-Scanned: amavisd-new at domain.org
> >
> > Any ideas?
>
> amavisd only adds spam headers for mail destined to "local domains" (as
> configured in amavisd.conf).

This was the problem. I have several domains and the one I was testing was not in my domain list. haha, thanks.
Re: SA v3.1.1 --X-Spam Headers Gone & SA Results Broken
On Sat, 2006-03-18 at 15:00 -0500, Theo Van Dinter wrote:
> On Sat, Mar 18, 2006 at 01:40:23PM -0500, czar wrote:
> > [17437] dbg: config: using "/var/lib/spamassassin/3.001001" for sys rules pre files
> > [17437] dbg: config: using "/var/lib/spamassassin/3.001001" for default rules dir
>
> It looks like you tried to run sa-update but it wasn't able to complete (no
> update rule files). You can remove the /var/lib/spamassassin directory and
> that'll fix that. Alternately, you could run "sa-update -D" and look at what
> is failing and work on fixing that instead/as well.
>
> (I'd suggest removing the directory and debugging with "sa-update -D --updatedir
> /tmp/updates" so the files goto a different area)

Theo,

You are the-man! After running ''sa-update -D'' I was able to see exactly what was going wrong. The problem was a recently installed firewall (APF) was blocking port 8090 being used to ''wget'' the updates. So I removed /var/lib/spamassassin (after a backup) and ran ''sa-update -D'' again to see all the lovely files downloading. Next I run ''cat gtube.txt|spamassassin'' and FINALLY I see:

---
Subject: ***SPAM*** Test spam mail (GTUBE)
Date: Wed, 23 Jul 2003 23:30:00 +0200
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10)
X-Spam-Level: **
X-Spam-Status: Yes, score=997.4 required=5.0 tests=BAYES_00,GTUBE,NO_RECEIVED,
	NO_RELAYS autolearn=no version=3.1.1
---

Thank you!

P.S. Don't forget to restart spamassassin, if with cpanel /scripts/restartsrv_spamd did the trick.

--
Regards, Czar pHanGuYe
Czar <[EMAIL PROTECTED]> Czarism Systems, Inc.
Encrypted E-mail Preferred PGP KeyID: 0x443C42A6
The God is up high, the Czar is far away http://Czarism.com
Re: bayes_dump_to_trusted_networks
On Sat, Mar 18, 2006 at 04:27:34PM -0600, Chris wrote:
> However, this always results in an empty trust.cf file. I'm running it from
> the ~/.spamassassin folder where my bayes files are located. Could someone
> point out what I'm doing wrong. I'm running SA 3.1.0 and the
> bayes_dump_to_trusted_networks script is from the SA 3.1.0 tools source.

That script will no longer work (SA 3.0 and later). It just hasn't been removed from the tools dir yet (about to be fixed).

Sorry.

--
Randomly Generated Tagline: "Before his State of the Union speech, the president's niece was arrested for trying to fill a fake prescription for the anti-anxiety drug Xanax. If you're not familiar with Xanax, the best way to describe it is, after taking three or four with a wine cooler, you become a really, really compassionate conservative."- Bill Maher, Politically Incorrect
bayes_dump_to_trusted_networks
Trying to use this tool with the following syntax:

sa-learn --dump | ./bayes_dump_to_trusted_networks > trust.cf

However, this always results in an empty trust.cf file. I'm running it from the ~/.spamassassin folder where my bayes files are located. Could someone point out what I'm doing wrong. I'm running SA 3.1.0 and the bayes_dump_to_trusted_networks script is from the SA 3.1.0 tools source. I've run

sa-learn --dump > bayes.dump

before running

./bayes_dump_to_trusted_networks bayes.dump --minham 3 > trust.cf

and still get an empty trust.cf file.

--
Chris
Registered Linux User 283774 http://counter.li.org
16:00:02 up 18 days, 20:03, 2 users, load average: 0.27, 0.27, 0.29
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Re: Message to list rejected because it's too spamful!
Philip Prindeville wrote:
>> you can do that and more, but you'll first need to crack the ASF servers ;-p
>
> And there's no way to get the admin on that system to tweak the local rules?

Erm.. No...

Remember, this is a COMMON server that serves the lists for many, if not ALL ASF projects. Spamassassin is a tiny speck in the corner of the ASF universe.

Prior to being an ASF project, SA was hosted on sourceforge.net. SourceForge didn't give any of the SA team administrative access to their global mailserver config, why should the ASF?

Just because Theo, Justin, Dan, etc volunteer on one small ASF project doesn't mean they should have administrative rights to the ASF's mail systems, allowing them to make changes that affect many projects beyond their own.

The other side is you could ask an ASF admin to change some things, but generally they have bigger fish to fry like keeping the FTP mirrors up and running smoothly.

Again, Read the Fine Archives. This has ALL been discussed before.
Re: Message to list rejected because it's too spamful!
On Sat, Mar 18, 2006 at 02:41:46PM -0700, Philip Prindeville wrote:
> >>>Read the archives, in short, no, because it's a blanket server that covers ALL
> >>>ASF email, not just this list.
>
> And there's no way to get the admin on that system to tweak the local rules?

As Matt stated earlier, this has already been covered before on the list (search the archives for more info). There's no point in rehashing everything again.

--
Randomly Generated Tagline: We are Pentium of Borg. Division is futile. You will be approximated. (seen in someone's .signature)
Re: Message to list rejected because it's too spamful!
mouss wrote:
> Philip Prindeville wrote:
>> Matt Kettler wrote:
>>> Philip Prindeville wrote:
>>>> Grrr... Can we enable whitelisting for list members?
>>>
>>> Read the archives, in short, no, because it's a blanket server that covers ALL
>>> ASF email, not just this list.
>>
>> There's no way that you can add a rule that says if the message
>> is going to users@spamassassin.apache.org and the Subject begins
>> with [SPAMFUL] then you could score it as -100.0?
>
> you can do that and more, but you'll first need to crack the ASF servers ;-p

And there's no way to get the admin on that system to tweak the local rules?

-Philip
Re: Message to list rejected because it's too spamful!
Philip Prindeville wrote:
> Matt Kettler wrote:
>> Philip Prindeville wrote:
>>> Grrr... Can we enable whitelisting for list members?
>>
>> Read the archives, in short, no, because it's a blanket server that covers ALL
>> ASF email, not just this list.
>
> There's no way that you can add a rule that says if the message
> is going to users@spamassassin.apache.org and the Subject begins
> with [SPAMFUL] then you could score it as -100.0?

you can do that and more, but you'll first need to crack the ASF servers ;-p
Re: Message to list rejected because it's too spamful!
Theo Van Dinter wrote:
> On Sat, Mar 18, 2006 at 04:05:03PM -0500, Matt Kettler wrote:
>> Philip Prindeville wrote:
>>> Grrr... Can we enable whitelisting for list members?
>>
>> Read the archives, in short, no, because it's a blanket server that covers ALL
>> ASF email, not just this list.
>
> Generally, instead of posting spam examples here (which is discouraged
> anyway: http://wiki.apache.org/spamassassin/DoYouWantMySpam), you could
> post it up on the web somewhere (http://sial.org/pbot/spamassassin/
> for instance) and then point to it from your mail.
>
> :)

Actually, I *didn't* post spam. I put it on Pastebin, and sent a link

I did however include some excerpts from the spam inline... And apparently it caused the triggers...

I'll send the message as a bounce to you and Matt out-of-band.

-Philip
Re: Message to list rejected because it's too spamful!
Matt Kettler wrote:
> Philip Prindeville wrote:
>> Grrr... Can we enable whitelisting for list members?
>
> Read the archives, in short, no, because it's a blanket server that covers ALL
> ASF email, not just this list.

There's no way that you can add a rule that says if the message is going to users@spamassassin.apache.org and the Subject begins with [SPAMFUL] then you could score it as -100.0?

-Philip
Re: Message to list rejected because it's too spamful!
On Sat, Mar 18, 2006 at 04:05:03PM -0500, Matt Kettler wrote:
> Philip Prindeville wrote:
> > Grrr... Can we enable whitelisting for list members?
> Read the archives, in short, no, because it's a blanket server that covers ALL
> ASF email, not just this list.

Generally, instead of posting spam examples here (which is discouraged anyway: http://wiki.apache.org/spamassassin/DoYouWantMySpam), you could post it up on the web somewhere (http://sial.org/pbot/spamassassin/ for instance) and then point to it from your mail.

:)

--
Randomly Generated Tagline: Captain! Someone has snorted all the dilithium crystals.
RE: rules for IP addresses without reverse DNS records?
> -Original Message- > From: Matt Kettler [mailto:[EMAIL PROTECTED] > > I had the same problem. I wound up implementing > milter-greylist in a way that > greylists these hosts, but lets most systems past. I'm not > sure if you're using > sendmail or not, but I found this VERY helpful. > I do something similar -- and using Exim to run the greylist test I add a header for each of these criteria which can cause greylisting. So it is possible to either right a rule against these added headers (when later SA checks the emails that pass greylisting) or perhaps just consider that these will count in the Bayes weight. -- Herb Martin
Re: Message to list rejected because it's too spamful!
Philip Prindeville wrote:
> Grrr... Can we enable whitelisting for list members?

Read the archives, in short, no, because it's a blanket server that covers ALL ASF email, not just this list.
Re: rules for IP addresses without reverse DNS records?
mouss wrote:
> Matt Kettler wrote:
>> I had the same problem. I wound up implementing milter-greylist in a way that
>> greylists these hosts, but lets most systems past. I'm not sure if you're using
>> sendmail or not, but I found this VERY helpful.
>>
>> The selective greylisting is possible due to milter-greylist's use of ACLs, and
>> a configurable default action. Most folks whitelist certain hosts, and use a
>> default of greylist. I do the opposite. I greylist selected patterns, then
>> whitelist the rest.
>
> You can also greylist and/or greetpause hosts with a hostname that looks
> dynamic. I find this safer than using a dul list. you can also restrict
> dul lookup to hosts that look dynamic (which is helpful in the case of
> sirbs duhl, which lists static IPs).

Yes, I do that too. I greylist:

  no RDNS
  RDNS looks dynamic
  IP in APNIC
  IP in LACNIC
  RDNS ends in selected country codes
  "troublesome" IP blocks that can't be blacklisted due to containing some legitimate mail sources.

See: http://xanadu.evi-inc.com/greylist.conf.censored

Note: I censored out a lot of semi-sensitive stuff, such as whitelists based on business relationships, spamtrap addresses, etc with X's.

(I'll probably pull that file down after a few days, so if you really want to look at it, do so now)
Message to list rejected because it's too spamful!
Grrr... Can we enable whitelisting for list members?

The original message was received at Sat, 18 Mar 2006 13:57:43 -0700
from media.redfish-solutions.com [192.168.1.5]

- The following addresses had permanent fatal errors -
(reason: 552 spam score (12.2) exceeded threshold)

- Transcript of session follows -
... while talking to asf.osuosl.org.:
>>> DATA
<<< 552 spam score (12.2) exceeded threshold
554 5.0.0 Service unavailable

The whole point is to share information about identifying spam, right? How to do that when the messages themselves get flagged?

-Philip
Re: rules for IP addresses without reverse DNS records?
Matt Kettler wrote:
> I had the same problem. I wound up implementing milter-greylist in a way that
> greylists these hosts, but lets most systems past. I'm not sure if you're using
> sendmail or not, but I found this VERY helpful.
>
> The selective greylisting is possible due to milter-greylist's use of ACLs, and
> a configurable default action. Most folks whitelist certain hosts, and use a
> default of greylist. I do the opposite. I greylist selected patterns, then
> whitelist the rest.

You can also greylist and/or greetpause hosts with a hostname that looks dynamic. I find this safer than using a dul list. you can also restrict dul lookup to hosts that look dynamic (which is helpful in the case of sirbs duhl, which lists static IPs).
Re: ALL TRUSTED - not natted - getting negative scored spam
Bill Randle wrote:
> On Sat, 2006-03-18 at 09:54 -0600, Terry wrote:
>> Actually,
>>
>> I got the ALL_TRUSTED I think but I cannot get the x-spam-status
>> header to show up to even start debugging. SA is being called from
>> amavisd. I have these settings in amavisd.conf:
>>
>> $sa_tag_level_deflt = undef;
>
> ...
>
>> The first one says I should get headers no matter what, no? Only
>> relevant header I am getting is:
>> X-Virus-Scanned: amavisd-new at domain.org
>>
>> Any ideas?
>
> I'm not sure about setting $sa_tag_level_deflt to undef. I usually set
> it to -99.0 to force the header to always get inserted.

undef is better (-99 is just arbitrary).
Re: ALL TRUSTED - not natted - getting negative scored spam
Terry wrote:
> Actually,
>
> I got the ALL_TRUSTED I think but I cannot get the x-spam-status
> header to show up to even start debugging.

What tells you you "got the ALL_TRUSTED" if you don't get a header?

> SA is being called from
> amavisd. I have these settings in amavisd.conf:
>
> $sa_tag_level_deflt = undef;
> $sa_tag2_level_deflt = 5.0;
> $sa_kill_level_deflt = 5.0;
> $sa_dsn_cutoff_level = 9;
> $sa_quarantine_cutoff_level = 20;
>
> The first one says I should get headers no matter what, no? Only
> relevant header I am getting is:
> X-Virus-Scanned: amavisd-new at domain.org
>
> Any ideas?

amavisd only adds spam headers for mail destined to "local domains" (as configured in amavisd.conf).
Re: SA v3.1.1 --X-Spam Headers Gone & SA Results Broken
On Sat, Mar 18, 2006 at 01:40:23PM -0500, czar wrote:
> [17437] dbg: config: using "/var/lib/spamassassin/3.001001" for sys rules pre files
> [17437] dbg: config: using "/var/lib/spamassassin/3.001001" for default rules dir

It looks like you tried to run sa-update but it wasn't able to complete (no update rule files). You can remove the /var/lib/spamassassin directory and that'll fix that. Alternately, you could run "sa-update -D" and look at what is failing and work on fixing that instead/as well.

(I'd suggest removing the directory and debugging with "sa-update -D --updatedir /tmp/updates" so the files goto a different area)

--
Randomly Generated Tagline: "They won't run unix, but look on the bright side, they won't run Windows either." - Martha Driscoll talking about 286s
Re: Huge size of bayes_journal
MJ wrote:
> Hi Gary,
>
>> The user 'clamav' should have a home dir of /var/amavis otherwise I wouldn't
>> think the spamassassin files would end up in /var/amavis/.spamassassin.
>
>> what does this say?
>> cat /etc/passwd | grep clamav
>
> clamav:x:1005:103::/home/clamav:/bin/false
> I guess amavisd-new is running as clamav.
>
>> To run sa-learn as this user (who does not have a shell), I would run:
>
> sudo -H -u clamav sa-learn --sync --force-expire
>
> You want me to try above command?

yes, if you have sudo. otherwise, use your imagination:

1- change the login shell to a valid one, purge the file, and then change the login shell back to /bin/false.
2- cp the file to $user/.spamassassin/ for some user with a valid shell, purge as this user, then rename the resulting file to the original one.
Re: Changes to SATest.pm to get SA 3.1.1 "make test" working on FreeBSD jails.
On Sat, Mar 18, 2006 at 07:13:33PM +, Craig McLean wrote:
> I've tinkered with t/SATest.pm to help get "make test" working correctly
> in jails on FreeBSD. What's the best way to get this to the committers?
> bugzilla? the dev list?

All patches should go through Bugzilla.

FYI: Any "decently sized" patches will also require the submitter to file a CLA via http://www.apache.org/licenses/ for licensing reasons.

Thanks! :)

--
Randomly Generated Tagline: "To win, you must treat a pressure situation as an opportunity to succeed, not an opportunity to fail." - Gardner Dickinson
Re: SA v3.1.1 --X-Spam Headers Gone & SA Results Broken
On Sat, 18 Mar 2006, czar wrote:

Hi,

[...]
> # I try the CPAN test install of Mail::SpamAssassin, this MIGHT be the
> problem?
> $ perl -MCPAN -e shell
> $ test Mail::SpamAssassin
> [...]
> t ../masses/parse-rules-for-masses line 86, line 55.
> Malformed UTF-8 character (unexpected non-continuation byte 0x2d,

this reminds me of the perl 5.8 / utf-8 problem described in: http://spamassassin.apache.org/dist/INSTALL

  Note for Perl 5.8 Users (incl Red Hat 8)
  Perl 5.8 now uses Unicode internally by default, which causes trouble for SpamAssassin (and almost all other reasonably complex pieces of perl code!).
  [...]
  Setting the LANG environment variable before any invocation of SpamAssassin sometimes seems to help fix it, like so:

  export LANG=en_US

don't blame me, if i'm wrong, just an idea :)

regards, Matthias
Re: rules for IP addresses without reverse DNS records?
Dave Augustus wrote:
> Anyone point me in the right direction?
>
> I am just thinking of increasing the spam level counter based on whether
> they have a reverse IP address. I have tried to reject these outright
> based on this criteria but that would cause too many false positives.

Slightly OT, as I don't have a SA based solution off the top of my head:

I had the same problem. I wound up implementing milter-greylist in a way that greylists these hosts, but lets most systems past. I'm not sure if you're using sendmail or not, but I found this VERY helpful.

The selective greylisting is possible due to milter-greylist's use of ACLs, and a configurable default action. Most folks whitelist certain hosts, and use a default of greylist. I do the opposite. I greylist selected patterns, then whitelist the rest.

This simple bit of milter-greylist config will do it:

# enable posix extended regex syntax instead of posix basic syntax
extendedregex

# greylist unresolvable hosts
acl greylist domain /\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/

# set a default to whitelist anything not greylisted
acl whitelist default

I also find it helpful to start off whitelisting all my servers and clients, then follow up with a greylist of anything with an envelope from of my domain. This knocks down a lot of viruses. Since milter-greylist applies its ACLs in order, you can do white-grey-default white.

If anyone wants to see my config I can post it up somewhere (with the whitelist bits censored out)
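An added illustration, not part of the message above and not milter-greylist's own code: a small Python model of the first-match ordering it describes (whitelist own hosts, greylist own-domain envelope senders, greylist bracketed-IP client names, default whitelist), followed by the usual greylist retry check. The `example.org` names, the sample connections and the 1800-second delay are constructed assumptions, as is the premise that the MTA reports a client with no reverse DNS as `[a.b.c.d]`.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Same pattern as the ACL above: a client name of the form "[a.b.c.d]".
NO_RDNS = re.compile(r"\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]")


@dataclass(frozen=True)
class Connection:
    client_name: str  # hostname as seen by the milter, or "[ip]"
    client_ip: str
    mail_from: str    # envelope sender
    rcpt_to: str      # envelope recipient


@dataclass(frozen=True)
class Acl:
    action: str       # "whitelist" or "greylist"
    label: str
    matches: Callable[[Connection], bool]


def build_acls(own_ips, own_domain):
    """White-grey-default-white ordering, evaluated top to bottom."""
    own = frozenset(own_ips)
    suffix = "@" + own_domain.lower()
    return [
        Acl("whitelist", "own hosts", lambda c: c.client_ip in own),
        Acl("greylist", "own domain in MAIL FROM",
            lambda c: c.mail_from.strip("<>").lower().endswith(suffix)),
        Acl("greylist", "no reverse DNS",
            lambda c: NO_RDNS.search(c.client_name) is not None),
    ]


def decide(conn, acls, default="whitelist"):
    """Return (action, label) of the first ACL that matches."""
    for acl in acls:
        if acl.matches(conn):
            return acl.action, acl.label
    return default, "default"


@dataclass
class Greylist:
    delay: int  # seconds a new triplet must wait before it is accepted
    first_seen: Dict[Tuple[str, str, str], int] = field(default_factory=dict)

    def check(self, conn, now):
        key = (conn.client_ip, conn.mail_from, conn.rcpt_to)
        seen = self.first_seen.setdefault(key, now)
        return "accept" if now - seen >= self.delay else "tempfail"


def handle(conn, acls, greylist, now):
    """Whitelisted mail passes at once; greylisted mail must retry later."""
    action, label = decide(conn, acls)
    if action == "whitelist":
        return "accept", label
    return greylist.check(conn, now), label


# Constructed sample connections (documentation address ranges).
OWN = Connection("mx1.example.org", "192.0.2.10",
                 "<alice@example.org>", "<bob@example.net>")
FORGED = Connection("host.example.net", "198.51.100.7",
                    "<alice@example.org>", "<carol@example.org>")
NO_PTR = Connection("[203.0.113.9]", "203.0.113.9",
                    "<x@example.com>", "<carol@example.org>")
NORMAL = Connection("mail.example.com", "198.51.100.20",
                    "<x@example.com>", "<carol@example.org>")

if __name__ == "__main__":
    acls = build_acls({"192.0.2.10"}, "example.org")
    gl = Greylist(delay=1800)
    for name, conn in [("own", OWN), ("forged", FORGED),
                       ("no-ptr", NO_PTR), ("normal", NORMAL)]:
        print(name, handle(conn, acls, gl, now=0))
    print("no-ptr retry", handle(NO_PTR, acls, gl, now=1800))
```

Swapping the first two rules shows why the order matters: the site's own servers would then hit the own-domain greylist rule before the whitelist.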
Re: rules for IP addresses without reverse DNS records?
On Sat, 18 Mar 2006, Dave Augustus wrote:
>
> Anyone point me in the right direction?
>
> I am just thinking of increasing the spam level counter based on whether
> they have a reverse IP address. I have tried to reject these outright
> based on this criteria but that would cause too many false positives.

this thread will help you: http://www.gossamer-threads.com/lists/spamassassin/users/11783?search_string=Reverse%20DNS%20Check;#11783

just have a look at the rule named: MY_NO_PTR

regards, Matthias
Changes to SATest.pm to get SA 3.1.1 "make test" working on FreeBSD jails.
Folks,

I've tinkered with t/SATest.pm to help get "make test" working correctly in jails on FreeBSD. What's the best way to get this to the committers? bugzilla? the dev list?

Thanks, C.

-- 
Craig McLean http://fukka.co.uk [EMAIL PROTECTED]
Where the fun never starts
Powered by FreeBSD, and GIN!
SA v3.1.1 --X-Spam Headers Gone & SA Results Broken
Hopefully some one could help me out with this SpamAssassin v3.1.1 upgrade issue. Currently my Red Hat Linux server is using CPanel which automatically updates via CPAN when a new release is announced (/scripts/cpup). Yet for some reason this latest release of SA has caused the whole package to become unstable. I second that v3.1.1 was //downloaded// and //installed// I noticed that spam was no longer detected and all of the X-Spam headers (except X-Spam-Checker-Version: SpamAssassin 3.1.1) went missing. == Logs and Messages == # This message is pure spam, yet the result is always 0! $ cat /var/log/maillog spamd: connection from localhost [127.0.0.1] at port 44453 spamd[8484]: spamd: setuid to john succeeded spamd[8484]: spamd: processing message <01c64ab8$0af71280 [EMAIL PROTECTED]> for john:32005 spamd[8484]: spamd: clean message (0.0/5.0) for john:32005 in 1.6 seconds, 4353 bytes. spamd[8484]: spamd: result: . 0 - scantime=1.6,size=4353,user=john,uid=32005,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=44453,mid=<[EMAIL PROTECTED]>,autolearn=ham --- # GTUBE also fails $ cat gtube.txt|spamassassin X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on zenith.serverorb.net Subject: Test spam mail (GTUBE) Message-ID: <[EMAIL PROTECTED]> Date: Wed, 23 Jul 2003 23:30:00 +0200 From: Sender <[EMAIL PROTECTED]> To: Recipient <[EMAIL PROTECTED]> Precedence: junk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit --- # I try the CPAN test install of Mail::SpamAssassin, this MIGHT be the problem? $ perl -MCPAN -e shell $ test Mail::SpamAssassin [...] t ../masses/parse-rules-for-masses line 86, line 55. Malformed UTF-8 character (unexpected non-continuation byte 0x2d, immediately after start byte 0xea) in substitution (s///) at ../masses/parse-rules-for-masses line 96, line 55. [...] 
t/prefs_include.Not found: qp-encoded-desc = Invalid Date: header =ae =af =b0 foo t/prefs_include.NOK 1# Failed test 1 in t/SATest.pm at line 592 t/prefs_include.FAILED test 1 Failed 1/2 tests, 50.00% okay --- # Oh, and here is --lint $ spamassassin --lint -D [17437] dbg: logger: adding facilities: all [17437] dbg: logger: logging level is DBG [17437] dbg: generic: SpamAssassin version 3.1.1 [17437] dbg: config: score set 0 chosen. [17437] dbg: util: running in taint mode? yes [17437] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH [17437] dbg: util: PATH included '/usr/local/jdk/bin', which doesn't exist, dropping [17437] dbg: util: PATH included '/usr/kerberos/bin', keeping [17437] dbg: util: PATH included '/usr/local/bin', keeping [17437] dbg: util: PATH included '/bin', keeping [17437] dbg: util: PATH included '/usr/bin', keeping [17437] dbg: util: PATH included '/usr/X11R6/bin', keeping [17437] dbg: util: PATH included '/usr/local/bin', keeping [17437] dbg: util: PATH included '/usr/X11R6/bin', keeping [17437] dbg: util: PATH included '/home/czar/bin', keeping [17437] dbg: util: final PATH set to: /usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/X11R6/bin:/home/czar/bin [17437] dbg: dns: is Net::DNS::Resolver available? 
yes [17437] dbg: dns: Net::DNS version: 0.57 [17437] dbg: diag: perl platform: 5.008 linux [17437] dbg: diag: module installed: Digest::SHA1, version 2.11 [17437] dbg: diag: module installed: Net::Ident, version 1.20 [17437] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed) [17437] dbg: diag: module installed: IO::Socket::SSL, version 0.97 [17437] dbg: diag: module installed: Time::HiRes, version 1.87 [17437] dbg: diag: module installed: DBI, version 1.50 [17437] dbg: diag: module installed: Getopt::Long, version 2.32 [17437] dbg: diag: module installed: LWP::UserAgent, version 2.033 [17437] dbg: diag: module installed: HTTP::Date, version 1.47 [17437] dbg: diag: module installed: Archive::Tar, version 1.29 [17437] dbg: diag: module installed: IO::Zlib, version 1.04 [17437] dbg: diag: module installed: DB_File, version 1.806 [17437] dbg: diag: module installed: HTML::Parser, version 3.50 [17437] dbg: diag: module installed: MIME::Base64, version 3.07 [17437] dbg: diag: module installed: Net::DNS, version 0.57 [17437] dbg: diag: module installed: Net::SMTP, version 2.29 [17437] dbg: diag: module installed: Mail::SPF::Query, version 1.997 [17437] dbg: diag: module installed: IP::Country::Fast, version 309.002 [17437] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed) [17437] dbg: ignore: using a test message to lint rules [17437] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [17437] dbg: config: read file /etc/mail/spamassassin/init.pre [17437] dbg: config: read file /etc/mail/spamassassin/v310.pre [17437] dbg: config: using "/var/li
rules for IP addresses without reverse DNS records?
Anyone point me in the right direction? I am just thinking of increasing the spam level counter based on whether they have a reverse IP address. I have tried to reject these outright based on this criteria but that would cause too many false positives. I am already using a lot of rules via rules_du_jour. Thanks, Dave
Re: ALL TRUSTED - not natted - getting negative scored spam
On 3/18/06, Bill Randle <[EMAIL PROTECTED]> wrote: > On Sat, 2006-03-18 at 09:54 -0600, Terry wrote: > > Actually, > > > > I got the ALL_TRUSTED I think but I cannot get the x-spam-status > > header to show up to even start debugging. SA is being called from > > amavisd. I have these settings in amavisd.conf: > > > > $sa_tag_level_deflt = undef; > ... > > The first one says I should get headers no matter what, no? Only > > relevant header I am getting is: > > X-Virus-Scanned: amavisd-new at domain.org > > > > Any ideas? > > I'm not sure about setting $sa_tag_level_deflt to undef. I usually set > it to -99.0 to force the header to always get inserted. > >-Bill Setting that didn't work either.
RE: Huge size of bayes_journal
Hi Gary, >The user 'clamav' should have a home dir of /var/amavis otherwise I wouldn't >think the spamassassin files would end up in /var/amavis/.spamassassin. >what does this say? >cat /etc/passwd | grep clamav clamav:x:1005:103::/home/clamav:/bin/false >To run sa-learn as this user (who does not have a shell), I would run: sudo -H -u clamav sa-learn --sync --force-expire You want me to try above command? Hmm, I don't know at this point. It is strange that the files are owned by 'clamav'. Due to the fact that they are, I assumed you were running amavisd-new as user 'clamav'. What do you have $daemon_user and $daemon_group set to in amavisd.conf? What does this say?: cat /etc/passwd | grep amavis >I would set up a cron job to run this daily as it seems you have disabled >auto expire and sync as noted. You can't do that without manually cleaning >up on a regular basis. You can do that if you do. I didn't change anything related to auto expire or sync in amavisd.conf, in fact another machine with same configuration doesn't have such a huge bayes_* files. The settings would be in local.cf, not amavisd.conf. If the other machine has the same configuration, are the same files on that machine also owned by 'clamav'? Any idea how to resolve this issue. Many thanks, Mohammad Junaid. Gary V
Re: ALL TRUSTED - not natted - getting negative scored spam
On Sat, 2006-03-18 at 09:54 -0600, Terry wrote: > Actually, > > I got the ALL_TRUSTED I think but I cannot get the x-spam-status > header to show up to even start debugging. SA is being called from > amavisd. I have these settings in amavisd.conf: > > $sa_tag_level_deflt = undef; ... > The first one says I should get headers no matter what, no? Only > relevant header I am getting is: > X-Virus-Scanned: amavisd-new at domain.org > > Any ideas? I'm not sure about setting $sa_tag_level_deflt to undef. I usually set it to -99.0 to force the header to always get inserted. -Bill
Re: Tasks run as root in SpamAssassin 3.1.0
On Tue, Mar 14, 2006 at 06:11:34PM -0500, Theo Van Dinter wrote: > spamd is designed to really not do a lot in the parent (which runs as > root), and farm processing and such out to the children (which setuid() > to the appropriate user). > > - accept connection and figure out enough to setuid to appropriate user > (assuming -u isn't used) Thanks for the help; I'm just still a little curious about this one part, because we are using -u. In this case, the root process hands off the connection to a non-root child pretty much right away, right? In other words, since we're using -u, there's no code running as root that's going to look at the mail being processed, is there? Thanks again, --Brett
Re: ALL TRUSTED - not natted - getting negative scored spam
Terry wrote:
> Actually,
>
> I got the ALL_TRUSTED I think but I cannot get the x-spam-status
> header to show up to even start debugging. SA is being called from
> amavisd. I have these settings in amavisd.conf:
>
> $sa_tag_level_deflt = undef;
> $sa_tag2_level_deflt = 5.0;
> $sa_kill_level_deflt = 5.0;
> $sa_dsn_cutoff_level = 9;
> $sa_quarantine_cutoff_level = 20;
>
> The first one says I should get headers no matter what, no? Only
> relevant header I am getting is:
> X-Virus-Scanned: amavisd-new at domain.org
>
> Any ideas?

Amavis does its own markups by default. If I recall correctly there's something about "fast spamassassin" you can turn off to change how this is done, but I'm no amavis expert.
Re: ALL TRUSTED - not natted - getting negative scored spam
Actually, I got the ALL_TRUSTED I think but I cannot get the x-spam-status header to show up to even start debugging. SA is being called from amavisd. I have these settings in amavisd.conf: $sa_tag_level_deflt = undef; $sa_tag2_level_deflt = 5.0; $sa_kill_level_deflt = 5.0; $sa_dsn_cutoff_level = 9; $sa_quarantine_cutoff_level = 20; The first one says I should get headers no matter what, no? Only relevant header I am getting is: X-Virus-Scanned: amavisd-new at domain.org Any ideas? On 3/18/06, Matt Kettler <[EMAIL PROTECTED]> wrote: > Terry wrote: > > I am not on a natted machine but it is firewalled. So, I set > > trusted_networks to my local machine IP because that's really the only > > one I trust. I am still, after setting this, getting spams with > > negative scores. What am I missing? > > > > > Are the negative scoring messages still matching ALL_TRUSTED? or are > they getting negative scores something else? > > Can you post an X-Spam-Status header as a sample? >
RE: Huge size of bayes_journal
Hi Gary, >The user 'clamav' should have a home dir of /var/amavis otherwise I wouldn't >think the spamassassin files would end up in /var/amavis/.spamassassin. >what does this say? >cat /etc/passwd | grep clamav clamav:x:1005:103::/home/clamav:/bin/false >To run sa-learn as this user (who does not have a shell), I would run: sudo -H -u clamav sa-learn --sync --force-expire You want me to try above command? >I would set up a cron job to run this daily as it seems you have disabled >auto expire and sync as noted. You can't do that without manually cleaning >up on a regular basis. You can do that if you do. I didn't change anything related to auto expire or sync in amavisd.conf, in fact another machine with same configuration doesn't have such a huge bayes_* files. Any idea how to resolve this issue. Many thanks, Mohammad Junaid.
Re: Huge size of bayes_journal
On Saturday, 18 March 2006 11:51 MJ wrote:
> No, there is another user for daemon with a false shell, can't be used
> to login as a normal user.

The user 'clamav' should have a home dir of /var/amavis otherwise I wouldn't think the spamassassin files would end up in /var/amavis/.spamassassin. What does this say?

    cat /etc/passwd | grep clamav

To run sa-learn as this user (who does not have a shell), I would run:

    sudo -H -u clamav sa-learn --sync --force-expire

I would set up a cron job to run this daily as it seems you have disabled auto expire and sync as noted. You can't do that without manually cleaning up on a regular basis. You can do that if you do. But as noted, I think you are in a bit of a pickle now. The files are so huge that I'm not sure how your system will handle it when the sync and expire are performed. One thing I'm reasonably confident of, the procedure will slow your system down for a considerable period of time.

Gary V
Re: 3.1.1 Upgrade Problems
Theo Van Dinter wrote:
> On Fri, Mar 17, 2006 at 08:18:35PM -0800, Dan Kohn wrote:
>> Anything else to try?
>
> Nothing comes to mind. It looks like a bug in IO::Zlib or perl on
> your platform.
>
> Anyone else on FreeBSD having similar problems?

FBSD 5.2.1-RELEASE, SA3.1.1 on Perl 5.8.7 with IO::ZLib 1.04, no problems here.

C.

-- 
Craig McLean http://fukka.co.uk [EMAIL PROTECTED]
Where the fun never starts
Powered by FreeBSD, and GIN!
RE: Huge size of bayes_journal
>You can and probably should remove the journal file. These are unlearned tokens, so they aren't affecting the classification of mail. The journal is >so huge that it might take days to learn, and it also indicates that you are accumulating new material fairly quickly. So losing the current journal >file shouldn't hurt anything. Hi Loren Wilton, Are you sure that it will not have any adverse effect on my system, I am not in the position to take any chance? Many thanks. Regards, ___ Mohammad Junaid
Re: Huge size of bayes_journal
You can and probably should remove the journal file. These are unlearned tokens, so they aren't affecting the classification of mail. The journal is so huge that it might take days to learn, and it also indicates that you are accumulating new material fairly quickly. So losing the current journal file shouldn't hurt anything. Loren
RE: Huge size of bayes_journal
Hi Theo, I managed to switch to that user and executed the sa-learn command but since it has its own home directory it created new .spamassassin directory under its home directory. Actually "/var/amavisd/.spamassassin" which has these files is not a home directory for any user. So how to tell sa-learn command to read from this location? I am afraid that my filesystem soon will be full. Mohammad Junaid.
Re: Huge size of bayes_journal
On Saturday, 18 March 2006 11:51 MJ wrote:
> No, there is another user for daemon with a false shell, can't be used
> to login as a normal user.

    su -l $USER_AMAVIS_RUNS_AS -s /bin/bash

That way you can run as the user with bash.

Regards, zmi

-- 
// Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
// http://zmi.at Tel: 0660/4156531 Linux 2.6.11
// PGP Key: "lynx -source http://zmi.at/zmi2.asc | gpg --import"
// Fingerprint: EB93 ED8A 1DCD BB6C F952 F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879
Re: Huge size of bayes_journal
On Sat, Mar 18, 2006 at 01:51:45PM +0300, MJ wrote:
> Thanks for your quick response. :)
> >The "#" implies you're running as root. Is that the same user as
> >amavis runs as?
>
> No, there is another user for daemon with a false shell, can't be used to
> login as a normal user.

You need to somehow access that user's database files. The usual method would be switch to the appropriate user and run the previously stated sa-learn command, then look at the debug output. Another possibility is to use another user and setting bayes_path to access those files, but that may lead to ownership/permission issues, generally if an expire occurs.

If amavis has a "spamassassin debug" option, you could enable that, and then look at the logs to see what the problem is, but the output may be very large before you see the problem.

> >This isn't the same path as you posted before, so I'm not surprised
> >those files didn't change.
> You mean which path? My bayes_* files are under /var/amavis/.spamassassin.

Exactly. As shown in the debug output you sent previously, by running as root, sa-learn was using the files in /.spamassassin which isn't the same as /var/amavis/.spamassassin.

-- 
Randomly Generated Tagline: Dying is the leading cause of death in the world.
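The path comparison made in the reply above, as an added example that is not part of the original thread: it pulls the Bayes database paths out of `sa-learn -D` output and compares their directory with the one the files are expected to live in. The sample text is constructed in the format of the debug lines quoted in this thread; the function names are hypothetical, and matching an "R/W" variant of the line is an assumption (only "R/O" appears on this page).

```python
import posixpath
import re

# Constructed sample, in the format of the sa-learn -D lines quoted in the thread.
SAMPLE_DEBUG = """\
[17329] dbg: generic: SpamAssassin version 3.1.0
[17329] dbg: bayes: tie-ing to DB file R/O //.spamassassin/bayes_toks
[17329] dbg: bayes: tie-ing to DB file R/O //.spamassassin/bayes_seen
"""

# Path the running process actually opened for a Bayes database file.
TIE_RE = re.compile(r"dbg: bayes: tie-ing to DB file R/[OW] (\S+)")


def clean_path(path: str) -> str:
    """Collapse repeated slashes ("//.spamassassin") and trailing slashes."""
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))


def bayes_dirs(debug_output: str) -> set:
    """Directories of every Bayes DB file named in the debug output."""
    dirs = set()
    for line in debug_output.splitlines():
        match = TIE_RE.search(line)
        if match:
            dirs.add(posixpath.dirname(clean_path(match.group(1))))
    return dirs


def check_bayes_dir(debug_output: str, expected_dir: str) -> dict:
    """Compare the directories sa-learn opened with the expected one."""
    expected = clean_path(expected_dir)
    opened = sorted(bayes_dirs(debug_output))
    return {
        "expected": expected,
        "opened": opened,
        # ok only if Bayes files were opened at all and all sit in expected_dir
        "ok": bool(opened) and all(d == expected for d in opened),
    }


if __name__ == "__main__":
    result = check_bayes_dir(SAMPLE_DEBUG, "/var/amavis/.spamassassin")
    print(result)
    if not result["ok"]:
        print("sa-learn ran against", result["opened"] or "no Bayes files",
              "instead of", result["expected"])
```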
RE: Huge size of bayes_journal
Hi Theo van Dinter, Thanks for your quick response. >The "#" implies you're running as root. Is that the same user as amavis runs as? No, there is another user for daemon with a false shell, can't be used to login as a normal user. >This isn't the same path as you posted before, so I'm not surprised those files didn't change. You mean which path? My bayes_* files are under /var/amavis/.spamassassin. Many thanks for your time. ___ Mohammad Junaid
Re: Huge size of bayes_journal
On Sat, Mar 18, 2006 at 01:07:30PM +0300, MJ wrote:
> I did but still the same size, following is the output.
> bash-2.03# /usr/local/bin/sa-learn -D --sync

The "#" implies you're running as root. Is that the same user as amavis runs as?

[...]
> [17329] dbg: bayes: tie-ing to DB file R/O //.spamassassin/bayes_toks
> [17329] dbg: bayes: tie-ing to DB file R/O //.spamassassin/bayes_seen

This isn't the same path as you posted before, so I'm not surprised those files didn't change.

> Do you need me to send amavisd.conf? usually they (mailing list of
> amavisd-new) suggest to post SA related issues to this list and not on
> Amavisd-new list.

Not specifically related to this thread, but just as a "FWIW", the general policy here is that unless the problem is reproducible with the standard SpamAssassin tools (spamassassin, spamc/spamd, etc,) you'd need to talk to the third parties involved (amavis, qmail-scanner, spamass-milter, etc.)

-- 
Randomly Generated Tagline: Bit - The increment by which programmers slowly go mad.
RE: Huge size of bayes_journal
Hi Theo Van Dinter >I don't know if amavisd does something special wrt bayes, Do you need me to send amavisd.conf? usually they (mailing list of amavisd-new) suggest to post SA related issues to this list and not on Amavisd-new list. >As the appropriate user, run "sa-learn -D --sync" and see what happens. I did but still the same size, following is the output. = bash-2.03# /usr/local/bin/sa-learn -D --sync [17329] dbg: logger: adding facilities: all [17329] dbg: logger: logging level is DBG [17329] dbg: generic: SpamAssassin version 3.1.0 [17329] dbg: config: score set 0 chosen. [17329] dbg: util: running in taint mode? yes [17329] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH [17329] dbg: util: PATH included 'PATH', which is not absolute, dropping [17329] dbg: util: PATH included '/usr/sbin', keeping [17329] dbg: util: PATH included '/usr/bin', keeping [17329] dbg: util: PATH included '/export/home/mg1', keeping [17329] dbg: util: final PATH set to: /usr/sbin:/usr/bin:/export/home/mg1 [17329] dbg: dns: is Net::DNS::Resolver available? 
yes [17329] dbg: dns: Net::DNS version: 0.52 [17329] dbg: dns: name server: 212.119.64.2, family: 2, ipv6: 0 [17329] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [17329] dbg: config: read file /etc/mail/spamassassin/init.pre [17329] dbg: config: read file /etc/mail/spamassassin/v310.pre [17329] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files [17329] dbg: config: using "/usr/local/share/spamassassin" for default rules dir [17329] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_advance_fee.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_ratware.cf [17329] dbg: config: read file /usr/local/share/spamassassin/20_uri_tests.cf [17329] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_accessdb.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_antivirus.cf [17329] dbg: config: read file 
/usr/local/share/spamassassin/25_body_tests_es.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_pl.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_domainkeys.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_hashcash.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_replace.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_textcat.cf [17329] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf [17329] dbg: config: read file /usr/local/share/spamassassin/30_text_de.cf [17329] dbg: config: read file /usr/local/share/spamassassin/30_text_fr.cf [17329] dbg: config: read file /usr/local/share/spamassassin/30_text_it.cf [17329] dbg: config: read file /usr/local/share/spamassassin/30_text_nl.cf [17329] dbg: config: read file /usr/local/share/spamassassin/30_text_pl.cf [17329] dbg: config: read file /usr/local/share/spamassassin/30_text_pt_br.cf [17329] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf [17329] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf [17329] dbg: config: read file /usr/local/share/spamassassin/60_whitelist.cf [17329] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_spf.cf [17329] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_subject.cf [17329] dbg: config: using "/etc/mail/spamassassin" for site rules dir [17329] dbg: config: read file /etc/mail/spamassassin/cyberia.cf [17329] dbg: config: read file /etc/mail/spamassassin/local.cf [17329] dbg: config: using "//.spamassassin/user_prefs" for user prefs fi
Re: Huge size of bayes_journal
On Sat, Mar 18, 2006 at 12:07:35PM +0300, MJ wrote:
> I am running postfix 2.2.4 on Solaris 8 with amavisd-new.2.3.2,

I don't know if amavisd does something special wrt bayes,

> reaching to 3.4 GB. I have read that this file should not be more than
> few KB, Can anyone help what could be the reason?

As the appropriate user, run "sa-learn -D --sync" and see what happens.

> -rw--- 1 clamav clamav 3441876576 Mar 18 12:01 bayes_journal
> -rw--- 1 clamav clamav 167813120 Mar 18 12:01 bayes_seen
> -rw--- 1 clamav clamav 336117760 Mar 18 12:01 bayes_toks

These are all extremely large. It looks like auto-expire and/or auto-sync may be disabled.

-- 
Randomly Generated Tagline: Cold Boot: What a programmer puts on feet in winter.
Re: blacklist not working
Matt Kettler wrote:
> [EMAIL PROTECTED] wrote:
>
>> Well, then how do I get SA to read the headers and exclude
>> some IP addresses? Surely there is a command for that - or a
>> box to fill out - or a custom config. I need something to exclude
>> all those bothersome emails from Japan, Nigeria, China, etc.
>>
> The normal way to do this in SA would be to use the RelayCountry plugin,
> and add on rules that match the countries you want to tag.
>
> RelayCountry automatically identifies what countries the IP's in the
> received: path are from.
>
> Once RelayCountry is loaded you can just add rules with country codes:
>
> header RELAY_CN *X*-*Relay*-*Countries*=~/\bCN\b/
> describe RELAY_CN Relayed through china
> score RELAY_CN 1.0
>
> header RELAY_KR *X*-*Relay*-*Countries*=~/\bKR\b/
> describe RELAY_KR Relayed through Korea
> score RELAY_KR 1.0

Erk! How'd those *'es get in there.. Evil conversion from HTML bold-text styles I guess.. Here they are corrected:

    header RELAY_CN X-Relay-Countries=~/\bCN\b/
    describe RELAY_CN Relayed through china
    score RELAY_CN 1.0

    header RELAY_KR X-Relay-Countries=~/\bKR\b/
    describe RELAY_KR Relayed through Korea
    score RELAY_KR 1.0
Huge size of bayes_journal
Hi,

I am running postfix 2.2.4 on Solaris 8 with amavisd-new.2.3.2, SpamAssassin 3.1.0 and Clamav 0.8.7.1 as an AV/AS gateway to my main email system. The problem is that in our "/var/amavis/.spamassassin" directory most of the files are increasing, especially "bayes_journal" is reaching to 3.4 GB. I have read that this file should not be more than few KB, Can anyone help what could be the reason? Here is the ls -l output for this directory.

==
bash-2.03# ls -l /var/amavis/.spamassassin
-rw--- 1 clamav clamav 335904768 Mar 18 12:01 auto-whitelist
-rw--- 1 clamav clamav 6 Mar 18 12:01 auto-whitelist.mutex
-rw--- 1 clamav clamav 2196 Mar 18 12:01 bayes.mutex
-rw--- 1 clamav clamav 3441876576 Mar 18 12:01 bayes_journal
-rw--- 1 clamav clamav 167813120 Mar 18 12:01 bayes_seen
-rw--- 1 clamav clamav 336117760 Mar 18 12:01 bayes_toks
==

Thanks, Mohammad Junaid.
Re: blacklist not working
On Sat, Mar 18, 2006 at 04:04:10AM -0500, Matt Kettler wrote:
> Admittedly it would be somewhat nice for SA to have this feature, but
> really you're 100% better off doing it at the MTA or firewall layer if
> you're going to do all the work of maintaining an IP address list.

FWIW, there is the AccessDB plugin.

-- 
Randomly Generated Tagline: It is pitch black. You have been eaten by a Grue. Your score is 0 out of 400.
Re: blacklist not working
[EMAIL PROTECTED] wrote:
> Well, then how do I get SA to read the headers and exclude
> some IP addresses? Surely there is a command for that - or a
> box to fill out - or a custom config. I need something to exclude
> all those bothersome emails from Japan, Nigeria, China, etc.
>

The normal way to do this in SA would be to use the RelayCountry plugin, and add on rules that match the countries you want to tag.

RelayCountry automatically identifies what countries the IP's in the received: path are from.

Once RelayCountry is loaded you can just add rules with country codes:

    header RELAY_CN *X*-*Relay*-*Countries*=~/\bCN\b/
    describe RELAY_CN Relayed through china
    score RELAY_CN 1.0

    header RELAY_KR *X*-*Relay*-*Countries*=~/\bKR\b/
    describe RELAY_KR Relayed through Korea
    score RELAY_KR 1.0

If you want a long list of them, here's a post I made on the subject in some archive (one I didn't even know existed) http://www.nabble.com/Re%3A-What-countries-to-block--p1456069.html

> How to filter out emails from IP addresses and IP address ranges?
> Is there ANY program that will do it?
>

Any MTA has this built-in.. Firewalls work too.

Admittedly it would be somewhat nice for SA to have this feature, but really you're 100% better off doing it at the MTA or firewall layer if you're going to do all the work of maintaining an IP address list.
Re: blacklist not working
Well, then how do I get SA to read the headers and exclude some IP addresses? Surely there is a command for that - or a box to fill out - or a custom config. I need something to exclude all those bothersome emails from Japan, Nigeria, China, etc. How to filter out emails from IP addresses and IP address ranges? Is there ANY program that will do it? Sean > [EMAIL PROTECTED] wrote: > > It's in the configuration screens. It's the second screen under cpanel. > > Do you mean to say that I cannot enter an IP address into the > > "blacklist_from" boxes? > > > > No, because blacklist_from will blacklist email with matching text in the From: > header. > > The IP address won't appear in the From: header, unless they format their email > address that way. >