Re: Running on Debian stable
Hi Loren,

On Thu, 17 Aug 2006, Loren Wilton wrote:

> For the main rules files you basically can't do this. It would theoretically be possible, but it would take someone a lot of work to figure out what could be done and then do it. It is far easier to update the whole package, which will insure that all of the new rules in that package will work as they should.

Thanks for this; I was hoping the separation between program and rules is akin to virus scanners and their definitions. But, as I'm too new to SA to tweak with this, I'll leave it as-is and stick with upgrading SA as a whole instead of in pieces. :)

Thanks!

Ray
Re: Running on Debian stable
Hi Michel,

On Fri, 18 Aug 2006, Michel Vaillancourt wrote:

> Hi, Ray. I'm a Debian admin as well. However, my experience has been that for Spamassassin in particular, don't use the .deb package. Instead, run the CPAN install process; I have it set as a CRON job that fires monthly. You'll find that it is no worse than using packages, and for SA at least, 10 times more effective.

Hmmm, thanks! Can you be a bit more specific? Why is it 10 times more effective? Does doing it with the .deb package have disadvantages I don't know about (other than relying on backports.org, etc.).

Thanks!

Ray
RE: Running on Debian stable
Hi Gary and others,

On Fri, 18 Aug 2006, Gary V wrote:

> read this, it may validate your choice to stay stable:
> http://www200.pair.com/mecham/spam/kernel.html

No, I'll definitely stay with stable. I have dabbled with testing for a bit and it was fun learning about Debian and breaking it and fixing it again. But unfortunately, Debian isn't a hobby, but also my work machine and more time I spend fixing it is less time for work...even if I justify it by saying I am learning about Debian. I tied an imaginary string around my finger to stop me from going to anything other than stable.

As for Magnus' message, I have also tried pinning. It works, but it is a bigger step than using something like backports.org. I broke my system and went up to testing as a solution last time; realized my mistake and went down to stable and trying to tempt myself again. Granted, many pin successfully...but I'm not a good enough Debian sysadmin to succeed with pinning.

> Yes, once you are using 3.1.1 or greater, run 'sa-update' - you will get a complete set of up-to-date rules. ...

Thanks for the instructions; I will give that a try. My upgrade with backports.org went successful and I did it before reading Michel's message about using CPAN to install SA. It's catching 25% of the spam now, instead of 0%...I've seen a few messages about boosting its accuracy; I'll look into that next.

Thank you all for your help!

Ray
Re: Registrar RBL: nomination and scoring
On Sun, 13 Aug 2006, David Cary Hart wrote:

> If someone can figure out the mechanics, I have a volunteer (working on her MBA) who is great at crafting policy. I also have the mirrors and structure. I am willing to add the zone. My first listing would be Gandi.

I have beta versions of this available, one for a URIRBL and one for a plugin.

The URIRBL version supports trust levels (assigned however is appropriate) and query based on trust levels (so you can choose score based on trust level).

The plugin version also checks the domain of the envelope sender and header From: address, but does not support trust levels.

Contact me directly if you'd like to test either.

--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

It is not the business of government to make men virtuous or religious, or to preserve the fool from the consequences of his own folly. -- Henry George

30 days until Talk Like a Pirate day
MySQL, DBI, transactions problem
Hello,

I'm trying to setup Spamassassin to use mysql for bayes storage. However I'm experiencing problems with DBI complaining about

    Transactions not supported by database at /usr/lib/perl5/DBI.pm line 670.

I know that this is not strictly a spamassassin issue, but maybe someone from this list came upon such problem. Here's my setup:

    OS: debian unstable
    libdbi-perl - 1.51-2
    mysql: 5.0.24

    ~# spamassassin -V
    SpamAssassin version 3.1.4
      running on Perl version 5.8.8

/etc/spamassassin/local.cf:

    bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
    bayes_sql_dsn DBI:mysql:spamassassin:localhost
    bayes_sql_username username
    bayes_sql_password password

Regards,
Dimitar
RE: Running on Debian stable
> Hi Gary and others,
>
> Thanks for the instructions; I will give that a try. My upgrade with backports.org went successful and I did it before reading Michel's message about using CPAN to install SA. It's catching 25% of the spam now, instead of 0%...I've seen a few messages about boosting its accuracy; I'll look into that next.
>
> Thank you all for your help!
>
> Ray

As far as SpamAssassin goes, I don't believe there is a significant difference in what a .deb package provides and what installing from source provides (which is essentially what CPAN does, bringing dependencies with it). I think you would find the program files and rules would be the same for a given version. The CPAN modules may be available a week or two before a .deb package is, but that is the only real difference. The .deb package may also install more dependencies than CPAN would. The .deb package also installs an initscript, so there are advantages. Mixing both methods is often a bad thing however.

How does your setup catch spam? At what score is a message considered spam and what do you do with it? Are you using DCC/Razor2/Pyzor? Are they (along with other network based tests) working? What rules are hitting when you get something you think should have been marked as spam, but isn't? Are you hitting rules like ALL_TRUSTED when you should not be? Maybe you should post examples of local.cf and user_prefs.

To see if anything is going on as far as net tests go, you can break out debugging info and try stuff like:

    spamassassin --lint --debug area=1,dns

Here you would want to see:

    dbg: dns: is Net::DNS::Resolver available? yes

    spamassassin --lint --debug area=1,uri
    spamassassin --lint --debug area=1,razor2
    spamassassin --lint --debug area=1,dcc
    spamassassin --lint --debug area=1,pyzor

Gary
Userprefs Spamassassin 2.55
Hi people,

I have to use an old Version of Spamassassin (2.55) with a new version of Confixx (which should not really be the problem...)

However, the database is set, data is within the database, but no user prefs are used!! Where is the configuration error?

I'm running a SuSE 9.1 System.

Spamd is running with following Options:

    /usr/sbin/spamd -d -x -q -L

/etc/mail/spamassassin/local.cf looks like this (remove comments):

    required_hits 5.0
    rewrite_subject 1
    subject_tag *SPAM*
    report_safe 1
    use_terse_report 0
    use_bayes 1
    auto_learn 1
    skip_rbl_checks 0
    use_razor2 1
    use_dcc 1
    use_pyzor 1
    ok_languages all
    ok_locales all
    all_spam_to [EMAIL PROTECTED]
    user_scores_dsn DBI:mysql:confixx:localhost;mysql_socket=/var/lib/mysql/mysql.sock
    user_scores_sql_username confixx
    user_scores_sql_password password
    user_scores_sql_table spampref

Table spampref looks like this:

    CREATE TABLE `spampref` (
      `username` varchar(100) NOT NULL default '',
      `preference` varchar(30) NOT NULL default '',
      `value` varchar(100) NOT NULL default '',
      `prefid` int(11) NOT NULL auto_increment,
      `server_id` varchar(32) NOT NULL default 'foo',
      PRIMARY KEY (`prefid`,`server_id`),
      KEY `username` (`username`),
      KEY `prefid` (`prefid`)
    ) TYPE=MyISAM AUTO_INCREMENT=137 ;

Some example data inside...

    INSERT INTO `spampref` VALUES ('web34p1', 'rewrite_subject', '1', 39, 'foo');
    INSERT INTO `spampref` VALUES ('web34p1', 'required_hits', '1', 40, 'foo');
    INSERT INTO `spampref` VALUES ('web34p1', 'report_header', '1', 41, 'foo');
    INSERT INTO `spampref` VALUES ('web34p1', 'defang_mime', '0', 42, 'foo');
    INSERT INTO `spampref` VALUES ('web34p1', 'use_terse_report', '1', 43, 'foo');

Here an example mail header for a received mail where you can see that the prefs have not been applied (require hits should be 1.0)!

    Return-Path: [EMAIL PROTECTED]
    X-Original-To: [EMAIL PROTECTED]
    Delivered-To: [EMAIL PROTECTED]
    Received: by XX.serverkompetenz.net (Postfix, from userid 670)
        id 7423166403D; Sun, 20 Aug 2006 19:24:58 +0200 (CEST)
    Received: from fmmailgate02.web.de (fmmailgate02.web.de [217.72.192.227])
        by XX.serverkompetenz.net (Postfix) with ESMTP id 271DD664038
        for [EMAIL PROTECTED]; Sun, 20 Aug 2006 19:24:58 +0200 (CEST)
    Received: from mx30.web.de (mx30.dlan.cinetic.de [172.20.6.145])
        by fmmailgate02.web.de (Postfix) with ESMTP id 207AA14DFBFB
        for [EMAIL PROTECTED]; Sun, 20 Aug 2006 19:25:03 +0200 (CEST)
    Received: from [212.25.75.41] (helo=carco-east.com)
        by mx30.web.de with smtp (WEB.DE 4.107 #114) id 1GEr2k-0007oC-00
        for [EMAIL PROTECTED]; Sun, 20 Aug 2006 19:25:02 +0200
    Received: by 192.168.93.59 with SMTP id knNyEMA;
        for [EMAIL PROTECTED]; Sun, 20 Aug 2006 10:24:42 -0700
    Message-ID: [EMAIL PROTECTED]
    Reply-To: foo [EMAIL PROTECTED]
    From: foo [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Re: news ieteve
    Date: Sun, 20 Aug 2006 10:24:42 -0700
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary==_NextPart_000_0001_01C6C442.D9EF6BB0
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1106
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    X-Spam-Status: No, hits=0.7 required=5.0 tests=HTML_30_40,HTML_MESSAGE version=2.55
    X-Spam-Level:
    X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
    X-UIDL: *P!!DWL!SgR!!S'+!
    Status: RO

Any idea what's going wrong?

Thanks,
Haiko
Re: Userprefs Spamassassin 2.55
On Sun, Aug 20, 2006 at 09:37:36PM +0200, H. Etzel wrote:

> I have to use an old Version of Spamassassin (2.55) with a new version of Confixx (which should not really be the problem...)
>
> However, the database is set, data is within the database, but no user prefs are used!! Where is the configuration error?

I don't think anyone here is going to be able to help you with such an old version of SpamAssassin (2.55 was from 5/2003). I would recommend upgrading to a more recent version (3.1.4 is the latest) and going from there.

--
Randomly Generated Tagline:
So many pedestrians... so little time.
Is there a new spambot army on the march?
We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before.

We have recipient verification on our edge servers, so basically it's all just bouncing off us, but it has been impacting us as we've already had to up the maximum number of simultaneous SMTP connections 4-fold to handle the increased load.

I'm starting to track the IPs, and so far after 30 minutes have found over 5000 separate IPs - so this Spambot army is pretty big.

Is it only us, or are others seeing it too?

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Is there a new spambot army on the march?
On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:

> We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before.
>
> We have recipient verification on our edge servers, so basically it's all just bouncing off us, but it has been impacting us as we've already had to up the maximum number of simultaneous SMTP connections 4-fold to handle the increased load.
>
> I'm starting to track the IPs, and so far after 30 minutes have found over 5000 separate IPs - so this Spambot army is pretty big.
>
> Is it only us, or are others seeing it too?

I may have a server side solution using spamikaze but first what is the SMTP server software that you are using?

> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

--
Member - Liberal International
This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
New Brunswick kick out the Harper Puppet and VOTE LIBERAL on 18 Sept 2006

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Is there a new spambot army on the march?
On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:

> We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before.

Yeah. I had 260k user unknown entries per day last week (that's over 3 per second for a whole day straight). The weekends are always lighter, with only 110k so far today -- around 8800 different IPs so far.

--
Randomly Generated Tagline:
But you have to allow a little for the desire to evangelize when you think you have good news. - Larry Wall
Re: Is there a new spambot army on the march?
Theo Van Dinter wrote:

> On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
>> We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before.
>
> Yeah. I had 260k user unknown entries per day last week (that's over 3 per second for a whole day straight). The weekends are always lighter, with only 110k so far today -- around 8800 different IPs so far.

We're getting around 60/sec for over 24 hours now :-(

It ain't getting in, but the logs are filling my disk ;-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Is there a new spambot army on the march?
The Doctor wrote:

> I may have a server side solution using spamikaze but first what is the SMTP server software that you are using?

We're using Qmail with assorted patches - like the recipient checking one.

I think the only solution that would improve our situation would be getting these (6.5K now) IPs into the RBLs - or into our tcpserver ACL list.

(I'm not really looking for a solution - more just wondering if anyone else was seeing the same thing.)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Userprefs Spamassassin 2.55
On Sun, August 20, 2006 22:35, Theo Van Dinter wrote:

> On Sun, Aug 20, 2006 at 09:37:36PM +0200, H. Etzel wrote:
>> I have to use an old Version of Spamassassin (2.55) with a new version of Confixx (which should not really be the problem...)
>>
>> However, the database is set, data is within the database, but no user prefs are used!! Where is the configuration error?
>
> I don't think anyone here is going to be able to help you with such an old version of SpamAssassin (2.55 was from 5/2003). I would recommend upgrading to a more recent version (3.1.4 is the latest) and going from there.

later versions have the same problem as 2.55 have with mysql prefs :/(

spamassassin need better virtual prefs for hosts that does not use unix accounts

one way of doing it could be to make mta send only one recipient at a time, and make sure that spamc using this as recipient user in mysql, this way it should work, but it will be terrible slow if its to more than one recipient

--
Benny
Re: MySQL, DBI, transactions problem
On Sun, August 20, 2006 20:21, Dimitar G. Katerinski wrote:

> I'm trying to setup Spamassassin to use mysql for bayes storage. However I'm experiencing problems with DBI complaining about
> Transactions not supported by database at /usr/lib/perl5/DBI.pm line 670.

yep see bug http://bugs.gentoo.org/show_bug.cgi?id=143107

> I know that this is not strictly a spamassassin issue, but maybe someone from this list came upon such problem. Here's my setup:
>
> OS: debian unstable
> libdbi-perl - 1.51-2
> mysql: 5.0.24
>
> ~# spamassassin -V
> SpamAssassin version 3.1.4
>   running on Perl version 5.8.8
>
> /etc/spamassassin/local.cf:
>
> bayes_store_module Mail::SpamAssassin::BayesStore::MySQL

change to sql there, mysql does not work, sql does

i downgrade to mysql 4.1.20 on gentoo, i do not know if that is needed on debian

> bayes_sql_dsn DBI:mysql:spamassassin:localhost
> bayes_sql_username username
> bayes_sql_password password

--
Benny
Re: Is there a new spambot army on the march?
From: Jason Haar [EMAIL PROTECTED]

> Theo Van Dinter wrote:
>> On Mon, Aug 21, 2006 at 11:23:19AM +1200, Jason Haar wrote:
>>> We are getting HAMMERED with a dictionary attack that is on a scale we have never experienced before.
>>
>> Yeah. I had 260k user unknown entries per day last week (that's over 3 per second for a whole day straight). The weekends are always lighter, with only 110k so far today -- around 8800 different IPs so far.
>
> We're getting around 60/sec for over 24 hours now :-(
>
> It ain't getting in, but the logs are filling my disk ;-)

5 MILLION a day! Who hates Trimble Navigation THAT much? (IMAO they're fairly good guys. I used to do GPS related work - satellite and ground.)

{^_-} Joanne
Re: Is there a new spambot army on the march?
On Mon, Aug 21, 2006 at 11:49:54AM +1200, Jason Haar wrote:

> The Doctor wrote:
>> I may have a server side solution using spamikaze but first what is the SMTP server software that you are using?
>
> We're using Qmail with assorted patches - like the recipient checking one.
>
> I think the only solution that would improve our situation would be getting these (6.5K now) IPs into the RBLs - or into our tcpserver ACL list.
>
> (I'm not really looking for a solution - more just wondering if anyone else was seeing the same thing.)

Who knows?? I know I am using spamikaze to turf the beggars.

> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

--
Member - Liberal International
This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
New Brunswick kick out the Harper Puppet and VOTE LIBERAL on 18 Sept 2006
Under heavy load mail is not processed by spamc (using fetchmail procmail)
Greetings,

I am using fetchmail 6.3.4 and sendmail 8.13.6 on MacOS X 10.3.9 to download and deliver mail, and spamd/spamc 3.1.3 run from procmail.

Under a heavy load (typically when we download a whole weekend's worth of spam first thing Monday morning) most mail is not passed through to spamc by procmail and instead is directly delivered. There are no timeouts logged from sendmail, and there are no X-Spam headers added to the messages in question. During a light load spamassassin functions normally.

    # cat /etc/procmailrc
    DROPPRIVS=yes
    SHELL=/bin/sh
    LOGABSTRACT=no

    :0fw: spamassassin.lock
    * < 256000
    | /usr/bin/spamc -U /tmp/spamd.sock -x

Here is the command kicking off spamd:

    /usr/bin/spamd -d -x -r /var/tmp/spamd.pid --socketpath=/tmp/spamd.sock

The following is a log example of a message not parsed by spamassassin:

    Aug 21 08:43:48 localhost sendmail[1857]: k7KNDlee001857: from=[EMAIL PROTECTED] cable.net, size=35758, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
    ...
    Aug 21 08:44:54 localhost sendmail[1858]: k7KNDlee001857: to=[EMAIL PROTECTED], delay=00:01:07, xdelay=00:01:06, mailer=local, pri=65963, dsn=2.0.0, stat=Sent

The following is a log example of a message successfully parsed by spamassassin:

    Aug 21 08:45:04 localhost sendmail[2231]: k7KNF43P002231: from=[EMAIL PROTECTED] y.com, size=35702, class=0, nrcpts=1, msgid=[EMAIL PROTECTED] om, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
    ...
    Aug 21 08:46:14 localhost sendmail[2232]: k7KNF43P002231: to=[EMAIL PROTECTED] om.au, delay=00:01:10, xdelay=00:01:10, mailer=local, pri=65899, dsn=2.0.0, stat=Sent

I'm pulling my hair out over this, any assistance will be appreciated.

Thanks in advance,
Damon
DCC in SA 3.1.3
Does SA support DCC anymore? The directives I used a few versions back do not work anymore.

Thanks,
LDB
Re: MySQL, DBI, transactions problem
> On Sun, August 20, 2006 20:21, Dimitar G. Katerinski wrote:
>> I'm trying to setup Spamassassin to use mysql for bayes storage. However I'm experiencing problems with DBI complaining about
>> Transactions not supported by database at /usr/lib/perl5/DBI.pm line 670.
>
> yep see bug http://bugs.gentoo.org/show_bug.cgi?id=143107

In my case it helped reinstalling DBD::mysql, after upgrading DBI. (Mail::SpamAssassin::BayesStore::MySQL, DBD::mysql 3.0006, DBI 1.52)

Didn't investigate further.

Mark
Re: DCC in SA 3.1.3
On Mon, August 21, 2006 02:54, LDB wrote:

> Does SA support DCC anymore? The directives I used a few versions back do not work anymore.

yes, enable the plugin, if its still not, ask again where you provide more info on which version of dcc and sa you are running

i only guessing here, you have a sa where dcc is disabled since there was a license problem with, but its still free if i remember

--
Benny
Re: Is there a new spambot army on the march?
jdow wrote:

>> We're getting around 60/sec for over 24 hours now :-(
>>
>> It ain't getting in, but the logs are filling my disk ;-)
>
> 5 MILLION a day! Who hates Trimble Navigation THAT much? (IMAO they're fairly good guys. I used to do GPS related work - satellite and ground.)

I guess that's my point. I was wondering if this was within the normal range of dictionary attacks.

I've been tracking (in realtime) the IPs sending to non-existent addresses for the past 2 hours, and we are now over 10K separate IP addresses. Sounds like those MS06-040 trojans released last week found their mark :-(

Running the addresses through GeoIP shows they are all over the world.

I guess we just weather the storm :-/

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
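
The tallies quoted by hand in this thread (unknown-recipient rejections, distinct source IPs, rejections per second) can be scripted. What follows is an added example, not code from any poster: it assumes Postfix-style "User unknown" reject lines (the sample is constructed), and the function names and the per-IP threshold are hypothetical. It also emits `IP:deny` lines in tcprules source format for sources that probe several distinct unknown recipients.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data: Postfix-style smtpd reject lines (an assumed log
# format; the qmail setup mentioned in the thread logs differently).
def _line(ts, ip, rcpt):
    return (f"Aug 21 {ts} mx1 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<x@example.net> "
            f"to=<{rcpt}> proto=SMTP helo=<pc>")

SAMPLE_LOG = "\n".join([
    "Aug 21 11:23:18 mx1 postfix/smtpd[4101]: connect from unknown[192.0.2.10]",
    _line("11:23:19", "192.0.2.10", "aaron@example.com"),
    _line("11:23:19", "192.0.2.10", "abby@example.com"),
    _line("11:23:20", "192.0.2.10", "adam@example.com"),
    _line("11:23:20", "198.51.100.7", "admin1@example.com"),
    _line("11:23:21", "198.51.100.7", "alice@example.com"),
    _line("11:23:21", "203.0.113.5", "jsmiht@example.com"),  # lone typo
    _line("11:23:22", "198.51.100.7", "allen@example.com"),
    _line("11:23:23", "192.0.2.10", "aaron@example.com"),    # repeated probe
])

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: 55\d .*"
    r"User unknown.* to=<(?P<rcpt>[^>]*)>")

def parse_rejects(log_text, year=2006):
    """Return (timestamp, source_ip, recipient) for each unknown-user reject."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["rcpt"].lower()))
    return events

def summarize(events):
    """Totals of the kind quoted in the thread: rejects, distinct IPs, rate."""
    if not events:
        return {"rejects": 0, "distinct_ips": 0, "rejects_per_sec": 0.0}
    times = [ts for ts, _, _ in events]
    span = (max(times) - min(times)).total_seconds() or 1.0
    return {"rejects": len(events),
            "distinct_ips": len({ip for _, ip, _ in events}),
            "rejects_per_sec": len(events) / span}

def tcprules_deny(events, min_rcpts=3):
    """tcprules lines for IPs probing >= min_rcpts distinct unknown users."""
    probed = defaultdict(set)
    for _, ip, rcpt in events:
        probed[ip].add(rcpt)
    return sorted(f"{ip}:deny" for ip, r in probed.items() if len(r) >= min_rcpts)

if __name__ == "__main__":
    ev = parse_rejects(SAMPLE_LOG)
    print(summarize(ev))
    print("\n".join(tcprules_deny(ev)))
```

When an attack is spread over thousands of addresses, as described in this thread, individual sources may stay below any per-IP threshold, so the aggregate counts matter as much as the deny list.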
Re: DCC in SA 3.1.3
Benny Pedersen wrote:

> On Mon, August 21, 2006 02:54, LDB wrote:
>> Does SA support DCC anymore? The directives I used a few versions back do not work anymore.
>
> yes, enable the plugin, if its still not, ask again where you provide more info on which version of dcc and sa you are running
>
> i only guessing here, you have a sa where dcc is disabled since there was a license problem with, but its still free if i remember

Thank you Benny .. Now, I understand ..

LDB
Re: Is there a new spambot army on the march?
On 8/20/2006 8:37 PM, jdow wrote:

> From: Jason Haar [EMAIL PROTECTED]
>> We're getting around 60/sec for over 24 hours now :-(
>>
>> It ain't getting in, but the logs are filling my disk ;-)
>
> 5 MILLION a day! Who hates Trimble Navigation THAT much? (IMAO they're fairly good guys. I used to do GPS related work - satellite and ground.)

If it was Garmin, I'd say it's just a user trying to get tech support.

Have fun Jason! :)

Daryl
Re: Is there a new spambot army on the march?
Yeah, I've been getting hammered by these too. I've configured Postfix to do HELO checks and the vast majority (95%) are failing at the MTA.

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
T: 416-247-7740
F: 416-247-7503