Re: bayes sync is hogging cpu
Ok, I may say something dumb, but have you tried to clear the bayes db with : sa-learn --clear --dbpath -- Fab
Re: SA gone mad, times out and stucks
Loren Wilton wrote: warn: bayes: expire_old_tokens: child processing timeout at /usr/sbin/spamd line 1086. (Spamd then takes very long to scan a mail: info: spamd: clean message (0.0/5.0) for Debian-exim:106 in 305.0 seconds, 3781 bytes.) The child is trying to run a Bayes expire, apparently on a large Bayes database that hasn't had a successful expiry run in some time. This attempt to process the Bayes database is probably taking over 300 seconds, and the child is being timed out and killed by something. As a result of being killed, it never finished the Bayes expire processing. So the next child tries to do the same thing, gets timed out and killed, the nex child tries to do the same thing... Run a manual Bayes expire run and it will probably clean up your problems. If this sort of problem starts to reoccur you might consider turning off bayes auto expire and setting up a cron run to do it once a day or so. (Or more often, depending on your mail volume.) After a forced manual Bayes expire it didn't go better. And since the --force-expire run only took 19 secs it seems unlikely the db was to huge (the whole .spamassassin folder is 52 MB where bayes_toks is 4 MB, the 44 bayes_toks.expire* are about 1 MB each). On the other side, after disabling auto expire completely (bayes_auto_expire 0), the timout problems are gone. So what could go on here? Any other ideas where to look, create detailed logs a.s.o.? Jürgen
RE: SA gone mad, times out and stucks
Jürgen Herz wrote: Loren Wilton wrote: warn: bayes: expire_old_tokens: child processing timeout at /usr/sbin/spamd line 1086. (Spamd then takes very long to scan a mail: info: spamd: clean message (0.0/5.0) for Debian-exim:106 in 305.0 seconds, 3781 bytes.) The child is trying to run a Bayes expire, apparently on a large Bayes database that hasn't had a successful expiry run in some time. This attempt to process the Bayes database is probably taking over 300 seconds, and the child is being timed out and killed by something. As a result of being killed, it never finished the Bayes expire processing. So the next child tries to do the same thing, gets timed out and killed, the nex child tries to do the same thing... Run a manual Bayes expire run and it will probably clean up your problems. If this sort of problem starts to reoccur you might consider turning off bayes auto expire and setting up a cron run to do it once a day or so. (Or more often, depending on your mail volume.) After a forced manual Bayes expire it didn't go better. And since the --force-expire run only took 19 secs it seems unlikely the db was to huge (the whole .spamassassin folder is 52 MB where bayes_toks is 4 MB, the 44 bayes_toks.expire* are about 1 MB each). On the other side, after disabling auto expire completely (bayes_auto_expire 0), the timout problems are gone. So what could go on here? Any other ideas where to look, create detailed logs a.s.o.? If your --force-expire only took 19 seconds, I would guess that you are not talking to the same database. Make sure you are logged in as the same user that is having the problem when you run the --force-expire. -- Bowie
Spamassassin headers
Hi, I have searched almost every where to solve this problem: I cant change the spam headers from ***SPAM[score]*** to SPAM: I am using Spamassassin 3.1.3 on perl 5.8.8 amavisd-new version: 2.3.3 SUSE SLES 10 My local.cf looks like this: # Add your own customisations to this file. See 'man Mail::SpamAssassin::Conf' # for details of what can be tweaked. # # do not change the subject # to change the subject, e.g. use # rewrite_header Subject SPAM(_SCORE_) rewrite_header Subject SPAM # Set the score required before a mail is considered spam. required_score 5.00 and my amavis.conf has this line: $sa_spam_subject_tag = 'SPAM '; no matter what i do the spam mails are tagges as ***SPAM(_SCORE_)*** e.g *** SPAM2 *** -- View this message in context: http://www.nabble.com/Spamassassin-headers-tf2338119.html#a6505938 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Spamassassin headers
KimSorensen wrote: Hi, I have searched almost every where to solve this problem: I cant change the spam headers from ***SPAM[score]*** to SPAM: I am using Spamassassin 3.1.3 on perl 5.8.8 amavisd-new version: 2.3.3 SUSE SLES 10 amavis makes it's own markups.. check you amavis config, not your SA config. My local.cf looks like this: # Add your own customisations to this file. See 'man Mail::SpamAssassin::Conf' # for details of what can be tweaked. # # do not change the subject # to change the subject, e.g. use # rewrite_header Subject SPAM(_SCORE_) rewrite_header Subject SPAM # Set the score required before a mail is considered spam. required_score 5.00 and my amavis.conf has this line: $sa_spam_subject_tag = 'SPAM '; no matter what i do the spam mails are tagges as ***SPAM(_SCORE_)*** e.g *** SPAM2 ***
Re: bayes sync is hogging cpu
Bret Miller wrote: I used to have problems with bayes locking and journaling. When it finally corrupted the database, I decided it was time to put it into a real SQL database instead of using DB_File. Haven't had a single problem with bayes CPU or locking since. Maybe it's time you consider using MySQL? Bret Well, if it solves the problem I'm ready to try almost anything. :) The way you put your words tells me that the problem IS a corrupt database. Can we be certain? And is there any way fo fix it until I can get MySQL up 'n running? If the database is corrupted, it should say so. In my case, it wouldn't expire, learn, sync, or use the db_file database because it ended up corrupted somehow. I could have restored it from backup, but chose to simply delete it and start over with SQL. ... Bret Well, I've let sa-learn --force-expire --showdots run for 19 hours now (even on a separate machine), 100% cpu util all the time, and not a single dot has appeared on the screen. If I can't get to understand how to use db_recover, wiping is the next step. Regards, Andreas
RE: Spamassassin headers
Kim Please forgive, I had my email client set wrong and it didn't wrap your .cf file in the email so... it was uncommented. My fault. Interesting though... maybe you just didn't stop and restart the service? :-) -rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Spamassassin headers
- - I have searched almost every where to solve this problem: - - I cant change the spam headers from ***SPAM[score]*** to SPAM: - I am using Spamassassin 3.1.3 on perl 5.8.8 - amavisd-new version: 2.3.3 - SUSE SLES 10 - - My local.cf looks like this: - - # Add your own customisations to this file. See 'man - Mail::SpamAssassin::Conf' - # for details of what can be tweaked. - # - # do not change the subject - # to change the subject, e.g. use - # rewrite_header Subject SPAM(_SCORE_) - rewrite_header Subject SPAM - - # Set the score required before a mail is considered spam. - required_score 5.00 - - and my amavis.conf has this line: - - $sa_spam_subject_tag = 'SPAM '; - - no matter what i do the spam mails are tagges as ***SPAM(_SCORE_)*** e.g - *** - SPAM2 *** Kim It is also a good idea to do this after a change to check the spamassassin .cf configs before you go live with them after modifications As the root user on the server run the following command spamassassin -D --lint this will check the configs for typos and other things as I understand it etc... again, I am not the expert on the list so please listen to others that are truly experts in spamassassin whomever they may be. ;- I dont know anything in regards to what that same would be in amavis I do not use it - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
header attached
Greetings list, I have: SpamAssassin version 3.1.5 running on Perl version 5.8.3 And would like the header to be inline instead of an attachment (like it used to be with older versions of SA) E.g. When I have the notification emails sent to me when a spam is placed in quarantine, I want to see the header inline, or at least make it have a txt extension. What must I adjust to accomplist that. TIA, Eric
Infuriating gif spam...
I've been getting a _lot_ of spam recently which has been defeating my spamassassin configuration - all of it has the same general form... A message with auto-generated prose and an image. I installed FuzzyOCR and this helped, but one particular variant still slips through. The problematic spams all embed a GIF image which confuses gocr (in spite of being easily human-readable) - though I'm not sure why. Three images which defeat FuzzyOCR for me are: http://temporary.shic.dynalias.net/Evil_Spam_Samples.zip I would like to know if there is a straightforward way either (a) to configure FuzzyOCR to decode the text, or (b), assuming that is hard, a way to identify this kind of 'strange' GIF and apply a static score to them (at least as a temporary measure?) Thanks in advance for any pointers...
Re: Infuriating gif spam...
Steve [Spamassasin] wrote: I've been getting a _lot_ of spam recently which has been defeating my spamassassin configuration - all of it has the same general form... A message with auto-generated prose and an image. I installed FuzzyOCR and this helped, but one particular variant still slips through. The problematic spams all embed a GIF image which confuses gocr (in spite of being easily human-readable) - though I'm not sure why. Three images which defeat FuzzyOCR for me are: http://temporary.shic.dynalias.net/Evil_Spam_Samples.zip I would like to know if there is a straightforward way either (a) to configure FuzzyOCR to decode the text, or (b), assuming that is hard, a way to identify this kind of 'strange' GIF and apply a static score to them (at least as a temporary measure?) Thanks in advance for any pointers... There are multiple images in these gifs, and because the first image is 'junk', sending this image through gocr will yield no results. The problem is that you have to scan all images to find the text. Try this with each image: convert -append News.gif pnm:- | gocr - I have an updated version of the FuzzyOcr plugin that has this and other improvements available here: http://www.joval.info/proj/FuzzyOcr.html -- Jorge Valdes Intercom El Salvador [EMAIL PROTECTED]
Earthlink emails
Iam getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a lost how to prevent these. Anysuggestions?? Thanks Bryan Subject: axiom closure advocacy From: Blair [EMAIL PROTECTED] Date: Mon, 25 Sep 2006 22:17:02 -0500 To: "[EMAIL PROTECTED]" [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] Received: from jonas.corp.good-sam.com by oraclemail.corp.good-sam.com with ESMTP id 78034461159241089; Mon, 25 Sep 2006 22:24:49 -0500 Received: from relay2.corp.good-sam.com ([127.0.0.1]) by jonas.corp.good-sam.com (Netscape Messaging Server 4.15) with ESMTP id J66K5D00.QEM; Mon, 25 Sep 2006 22:24:49 -0500 Received: from localhost (unknown [127.0.0.1]) by relay2.corp.good-sam.com (Postfix) with ESMTP id ED14919734E; Mon, 25 Sep 2006 22:19:52 -0500 (CDT) Received: from relay2.corp.good-sam.com (localhost.localdomain [127.0.0.1]) by localhost.good-sam.com (Postfix) with ESMTP id AF23B197561; Mon, 25 Sep 2006 22:15:30 -0500 (CDT) Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143]) by relay2.corp.good-sam.com (Postfix) with SMTP id 36BF4197613; Mon, 25 Sep 2006 22:15:30 -0500 (CDT) Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Thread-Index: cjP2e3ogNnRAWCd1RrPAz5dlnZTe3DJGeSOW X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com X-Spam-Status: No, score=0.0 required=6.0 tests=none autolearn=disabled version=3.0.1 Content-Type: text/plain; charset=Windows-1252 Content-Transfer-Encoding: base64 attenuatebackwood altitude airline cheeky chinesedanube - This email transmission and any documents, files or previous email messages attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, printing, distributing or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender by telephone or return email and delete the original transmission and its attachments without reading or saving in any manner. The Evangelical Lutheran Good Samaritan Society. -
Re: Earthlink emails
bryan haase wrote: I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a lost how to prevent these. Any suggestions?? Thanks Bryan Subject: axiom closure advocacy may I suggest you start with upgrading your SA to 3.1.5 which will solve security issues and may well help with delection. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: Earthlink emails
On Tue, September 26, 2006 18:24, bryan haase wrote: I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a lost how to prevent these. Any suggestions?? http://openspf.org/wizard.html?mydomain=earthlink.net SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com update to 3.1.5 if posible and enable spf check -- This message was sent using 100% recycled spam mails.
Re: Earthlink emails
On 26-Sep-06, at 12:43 PM, Benny Pedersen wrote: On Tue, September 26, 2006 18:24, bryan haase wrote: I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a lost how to prevent these. Any suggestions?? http://openspf.org/wizard.html?mydomain=earthlink.net SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com update to 3.1.5 if posible and enable spf check How does this help? Earthlink does not publish SPF records. -- Gino Cerullo Pixel Point Studios 21 Chesham Drive Toronto, ON M3M 1W6 416-247-7740 smime.p7s Description: S/MIME cryptographic signature
Re: Infuriating gif spam...
Jorge Valdes wrote: There are multiple images in these gifs, and because the first image is 'junk', sending this image through gocr will yield no results. The problem is that you have to scan all images to find the text. Try this with each image: convert -append News.gif pnm:- | gocr - That works a treat... I have an updated version of the FuzzyOcr plugin that has this and other improvements available here: http://www.joval.info/proj/FuzzyOcr.html Version 2.3j works much better... I'd previously been using version 2.3b for which I had an ebuild for gentoo. One thing I have noticed, however, is a number of errors/warnings which spamd sticks into /var/log/messages when it is started: -- Sep 26 17:20:48 server spamd[25563]: Subroutine new redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 122. Sep 26 17:20:48 server spamd[25563]: Subroutine parse_config redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 132. Sep 26 17:20:49 server spamd[25563]: Subroutine finish_parsing_end redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 184. Sep 26 17:20:49 server spamd[25563]: Subroutine dummy_check redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 288. Sep 26 17:20:49 server spamd[25563]: Subroutine load_global_words redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 292. Sep 26 17:20:49 server spamd[25563]: Subroutine load_personal_words redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 315. Sep 26 17:20:49 server spamd[25563]: Subroutine max redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 343. Sep 26 17:20:49 server spamd[25563]: Subroutine within_threshold redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 351. Sep 26 17:20:49 server spamd[25563]: Subroutine fmt_time redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 388. Sep 26 17:20:49 server spamd[25563]: Subroutine check_image_hash_db redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 414. Sep 26 17:20:49 server spamd[25563]: Subroutine add_image_hash_db redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 492. Sep 26 17:20:49 server spamd[25563]: Subroutine calc_image_hash redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 539. Sep 26 17:20:49 server spamd[25563]: Subroutine debuglog redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 580. Sep 26 17:20:49 server spamd[25563]: Subroutine wrong_ctype redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 590. Sep 26 17:20:49 server spamd[25563]: Subroutine corrupt_img redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 608. Sep 26 17:20:49 server spamd[25563]: Subroutine known_img_hash redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 626. Sep 26 17:20:49 server spamd[25563]: Subroutine removedir redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 637. Sep 26 17:20:49 server spamd[25563]: Subroutine fuzzyocr_check redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 657. -- Have I somehow loaded this module twice? I didn't get these messages until I upgraded to version 2.3j from 2.3b
bayes lock buildup
Folks, (SA ver 3.1.5) I have a situation where bayes.lock and bayes_toks files begin to build up. This usually takes about 24hrs. My spamd processes begin to work harder and take more cpu, Eventually a large number of these files build up and i have a max number of spamd processes running. Left unattended my MTA begins to reject mail, basically it gets ugly. My spamd logs begin to show the following error at the onset, with the frequency growing over several hours. Sep 26 10:11:37 kady spamd[27077]: bayes: cannot open bayes databases /export/home/spamd/.spamassassin/bayes_* R/W: lock failed: File exists I have the following settings set, the lock method was what people said should alleviate the problem. I eventually attempted (with other two settings) to altogether turn off the db writes. lock_method flock use_bayes 0 bayes_auto_learn 0 It looks like people are discussing a variety of bayes related issues, with this one being another example. Does this appear to be a Berkeley db access issue? Some are advocating going to a SQL or can tuning of the spamd process alleviate it ? How can one effectively just turn off the writing to the db ? thanks for any tips -john rw--- 1 spamdother10461184 Sep 26 09:50 auto-whitelist -rw--- 1 spamdother 28 Sep 26 09:48 bayes.lock -rw--- 1 spamdother 60 Sep 26 09:50 bayes.lock.kady.education.ucsb.edu.22542 -rw--- 1 spamdother240 Sep 26 09:50 bayes.lock.kady.education.ucsb.edu.22955 -rw--- 1 spamdother 90 Sep 26 09:50 bayes.lock.kady.education.ucsb.edu.24333 -rw--- 1 spamdother 60 Sep 26 09:50 bayes.lock.kady.education.ucsb.edu.26346 -rw--- 1 spamdother261 Sep 26 09:50 bayes.lock.kady.education.ucsb.edu.2748 -rw--- 1 spamdother 73440 Sep 26 09:50 bayes_journal -rw--- 1 spamdother1310720 Sep 26 09:47 bayes_seen -rw--- 1 spamdother10551296 Sep 26 09:47 bayes_toks -rw--- 1 spamdother2228224 Sep 26 09:27 bayes_toks.expire126 -rw--- 1 spamdother2301952 Sep 26 08:03 bayes_toks.expire132 -rw--- 1 spamdother1171456 Sep 26 08:18 bayes_toks.expire133 -rw--- 1 spamdother2318336 Sep 26 08:08 bayes_toks.expire14279 -rw--- 1 spamdother1220608 Sep 26 07:53 bayes_toks.expire169 -rw--- 1 spamdother2220032 Sep 26 09:32 bayes_toks.expire18072 -rw--- 1 spamdother1163264 Sep 26 08:37 bayes_toks.expire19825 -rw--- 1 spamdother1130496 Sep 26 09:07 bayes_toks.expire20426 -rw--- 1 spamdother2252800 Sep 26 08:52 bayes_toks.expire28117 -rw--- 1 spamdother1138688 Sep 26 09:17 bayes_toks.expire3403 -rw--- 1 spamdother 598016 Sep 26 09:42 bayes_toks.expire465 -rw--- 1 spamdother1204224 Sep 26 08:22 bayes_toks.expire7931 -- John Goubeaux Systems Administrator Gevirtz Graduate School of Education UC Santa Barbara Phelps Hall 3534 805 893-8190
Received header unparseable
My firewall puts a received header on every e-mail it forwards to SA 3.1.5: Received: from f66108.upc-f.chello.nl ([80.56.66.108]) by myfirewall; Tue, 26 Sep 2006 12:35:52 -0500 (Central Daylight Time) But when my firewall can't find a DNS entry for the e-mail's last relay IP address, it just puts in a blank space: Received: from ([201.19.179.63]) by myfirewall; Tue, 26 Sep 2006 12:35:53 -0500 (Central Daylight Time) 20_head_tests.cf hits on this as an UNPARSEABLE_RELAY. SA isn't able to look up that IP address on all the network tests. I'm e-mailing Tech Support for the company that publishes the firewall software, but is there anything that can be done on the SA side? Thank you very much. __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Stats of rules ?
Hi on my spamassassin server, i use a lot of rules .. personnal and downloaded. Anyone know if they have a tools for know in 24h or 48h if a rules are used or not ? thanks bye
New RPM builds for SUSE 10.1
I've made new builds for SUSE 10.1 of SpamAssassin 3.1.5, please test them if you have a chance, and send me any relevant feedback. You'll find them at http://www.norrbring.com/SuSE -- Anders Norrbring Norrbring Consulting
can't get Bayesian to work when invoked from postfix
Hi All, After having trained SA with sufficient amounts of ham spam, I have bayesian testing working. When I test it with spamassassin -D testmessage as root it works flawlessly. But, when postfix invokes spamc with user filter, bayes always fails. I tested this by running spamassassing -D tesmessage as user filter and saw some permission errors as shown in the debug output at the end of this mail. I see two things going wrong: 1. it tries to create userprefs for filter, not lethal I guess. How can I keep SA from doing this when invoked from postfix? I use it system wide, so no user prefs are needed. There's no option for spamc mentioned in the manpage to make it run system wide only. At the moment is is invoked as spamassassin unix - n n - - pipe user=filter argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f $ {sender} ${recipient} 2. More seriously, it cannot access /var/spool/spamassassin, so it can't use the bayes DB or the whitelist. But this directory is world readable and writable: mrblue:/home/oneman# ls -lh /var/spool/spamassassin/ total 4.6M -rw-rw-rw- 1 root root 12K 2006-09-26 20:07 auto-whitelist -rw-rw-rw- 1 root root 5.1K 2006-09-26 20:07 bayes_journal -rw-rw-rw- 1 root root 632K 2006-09-26 20:07 bayes_seen -rw-rw-rw- 1 root root 5.2M 2006-09-26 20:07 bayes_toks I'm probably missing the obvious, but can someone point out to me what to change so filter can access /var/spool/spamassassin ? TIA Peter Output of spamassassin debug = mrblue:#su filter [EMAIL PROTECTED]:$spamassassin -D testmsg snip debug: using /dev/null/.spamassassin for user state dir debug: mkdir /dev/null/.spamassassin failed: mkdir /dev/null: File exists at /usr/share/perl5/Mail/SpamAssassin.pm line 1453 File exists snip Cannot write to /dev/null/.spamassassin/user_prefs: Not a directory Failed to create default user preference file /dev/null/.spamassassin/ user_prefs debug: using /dev/null/.spamassassin/user_prefs for user prefs file snip debug: bayes: no dbs present, cannot tie DB R/O: /var/spool/ spamassassin/bayes_toks debug: Score set 1 chosen. debug: bayes: no dbs present, cannot tie DB R/O: /var/spool/ spamassassin/bayes_toks snip debug: open of AWL file failed: lock: 27966 cannot create tmp lockfile /var/spool/spamassassin/auto-whitelist.lock.mrblue.27966 for /var/spool/spamassassin/auto-whitelist.lock: Permission denied snip debug: auto-learning failed: lock: 27966 cannot create tmp lockfile / var/spool/spamassassin/bayes.lock.mrblue.27966 for /var/spool/ spamassassin/bayes.lock: Permission denied snip
Re: Earthlink emails
On Tue, September 26, 2006 18:44, Gino Cerullo wrote: update to 3.1.5 if posible and enable spf check How does this help? Earthlink does not publish SPF records. sorry i was to fast here :/ -- This message was sent using 100% recycled spam mails.
RE: Stats of rules ?
Noc Phibee wrote: Hi on my spamassassin server, i use a lot of rules .. personnal and downloaded. Anyone know if they have a tools for know in 24h or 48h if a rules are used or not ? If you just want to know if the rule is getting hits, you can do a simple grep against your maillog file. For more in-depth stats, try this script: http://www.rulesemporium.com/programs/sa-stats.txt Rename it to sa-stats.pl before you run it. -- Bowie
Re: Stats of rules ?
On Tue, 26 Sep 2006, Noc Phibee wrote: Anyone know if they have a tools for know in 24h or 48h if a rules are used or not ? Depending on how your SA is set up, you may be able to see the rules that are hit in /var/log/maillog -- John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- It may be possible to start a programme of weapon registration as a first step towards the physical collection phase. ... Assurances must be provided, and met, that the process of registration will not lead to immediate weapons seizures by security forces. -- the UN, who doesn't want to confiscate guns ---
Re: duplicate emails
At 08:53 26-09-2006, Steve Ingraham wrote: I need help with a problem. Our users are seeing some multiple duplicate emails coming from the same sender. This is not occurring with every email so there does not seem to be any pattern to which incoming emails will be duplicated and which ones won't. They are also reporting that duplicate emails are sent when they send to an outside email. Has anyone experienced this problem before? What could be causing this to occur and what can I do to stop this? I am running qmailtoaster and spamassassin as an external email gateway. There has been nothing changed with qmail but I did update some rules in SA using rules_du_jour yesterday. Would these rules updates cause this problem? If so, what would have changed? This doesn't look like a qmailtoaster or spamassassin problem. Your Exchange server or mail client may be generating the duplicates. Regards, -sm
Re: duplicate emails
SM wrote: At 08:53 26-09-2006, Steve Ingraham wrote: I need help with a problem. Our users are seeing some multiple duplicate emails coming from the same sender. This is not occurring with every email so there does not seem to be any pattern to which incoming emails will be duplicated and which ones won't. They are also reporting that duplicate emails are sent when they send to an outside email. Has anyone experienced this problem before? What could be causing this to occur and what can I do to stop this? I am running qmailtoaster and spamassassin as an external email gateway. There has been nothing changed with qmail but I did update some rules in SA using rules_du_jour yesterday. Would these rules updates cause this problem? If so, what would have changed? This doesn't look like a qmailtoaster or spamassassin problem. Your Exchange server or mail client may be generating the duplicates. Regards, -sm It can happen with qmail-scanner or simscan if the message takes to long to be scanned by spamd and the remote end hangs up. The message is delivered and the remote server tries again. There is no two-way communication between qmail-smtpd and alternate qmail-queue programs. I believe there is a patch for simscan to make sure the parent is still communicating before handing off the email to qmail-queue. Regards, Rick
Re: [qmailtoaster] duplicate emails
Steve Ingraham wrote: If anyone has a simple way of updating rules for spamassassin I would welcome your input. I still need to update the rules as I have been getting a great number of emails coming through to users. Specifically, we are getting a lot of the pharmaceutical spam and the stock spam. It's not the method of updating that is causing your resource utilization problem, but the rules themselves. Updating your SARE rules with sa-update or rules_du_jour will both have the same effect, except that sa-update will get you updates faster. To tackle the resource utilization problem you'll just have to trim down the number of rulesets you are using. Alternatively, you can cut down the number of spamd processes you are using (fewer is often better than more, even when it says to consider increasing the number) or add more memory to the machine. Daryl
Re: header attached
Toll, Eric wrote: Greetings list, I have: SpamAssassin version 3.1.5 running on Perl version 5.8.3 And would like the header to be inline instead of an attachment (like it used to be with older versions of SA) E.g. When I have the notification emails sent to me when a spam is placed in quarantine, I want to see the header inline, or at least make it have a txt extension. What must I adjust to accomplist that. I'm not exactly sure what you're looking for, ie: I'm not sure how old of a version you're referring to. See if report_safe 0 does what you want. That should give you the subject/header tag-only behavior of SA 2.3x and older.
[no subject]
Hi, Over the last week, my machine (Fedora, SA 3.1.3, qmail, qmail-scanner-queue.pl) has been recieving a fair amount of junk mail which is not being tagged as spam; in fact the total scores are negative. The messages are simply a random stream of words, with punctuation scattered in them. No HTML, no URLs being advertised, no excessive capitalisation, just meaningless text. The message headers are pretty clean too, apart from the From field being false. As such, SA is finding very little to complain about, and is even lowering the scoring because the bayes filtering deems it to be good. Any thoughts on what I can do about these messages? Even with bayes turned off, they would still fail to score more than say 2 or 3. Each message contains a different paragraph of random text, so it's not possible to pick out keywords; and the messages are coming from dialup machines, so blocking IP isn't going to be very effective. Many thanks, Peter Smith
Re: Earthlink emails
Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143]) That mail came from a RoadRunner zombie account in Minnesota, has nothing to do with Earthlink other than the forged headers. If that is the entire message, and there isn't an image attached, they might be a bit hard to detect and stop. I'd check if maybe they are all coming from the same broken zombie system, and if so, block it specifically. Of course, if you had net tests running you would at least get a DUL hit on this, and possibly some others. Loren - Original Message - From: bryan haase To: users@spamassassin.apache.org Sent: Tuesday, September 26, 2006 9:24 AM Subject: Earthlink emails Iam getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a lost how to prevent these. Anysuggestions?? Thanks Bryan Subject: axiom closure advocacy From: Blair [EMAIL PROTECTED] Date: Mon, 25 Sep 2006 22:17:02 -0500 To: "[EMAIL PROTECTED]" [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] Received: from jonas.corp.good-sam.com by oraclemail.corp.good-sam.com with ESMTP id 78034461159241089; Mon, 25 Sep 2006 22:24:49 -0500 Received: from relay2.corp.good-sam.com ([127.0.0.1]) by jonas.corp.good-sam.com (Netscape Messaging Server 4.15) with ESMTP id J66K5D00.QEM; Mon, 25 Sep 2006 22:24:49 -0500 Received: from localhost (unknown [127.0.0.1]) by relay2.corp.good-sam.com (Postfix) with ESMTP id ED14919734E; Mon, 25 Sep 2006 22:19:52 -0500 (CDT) Received: from relay2.corp.good-sam.com (localhost.localdomain [127.0.0.1]) by localhost.good-sam.com (Postfix) with ESMTP id AF23B197561; Mon, 25 Sep 2006 22:15:30 -0500 (CDT) Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143]) by relay2.corp.good-sam.com (Postfix) with SMTP id 36BF4197613; Mon, 25 Sep 2006 22:15:30 -0500 (CDT) Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Thread-Index: cjP2e3ogNnRAWCd1RrPAz5dlnZTe3DJGeSOW X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com X-Spam-Status:No, score=0.0 required=6.0 tests=none autolearn=disabled version=3.0.1 Content-Type: text/plain; charset=Windows-1252 Content-Transfer-Encoding: base64 attenuatebackwood altitude airline cheeky chinesedanube -This email transmission and any documents, files or previousemail messages attached to it may contain information that isconfidential or legally privileged. If you are not the intendedrecipient, you are hereby notified that any disclosure, copying,printing, distributing or use of this transmission is strictlyprohibited. If you have received this transmission in error,please immediately notify the sender by telephone or returnemail and delete the original transmission and its attachmentswithout reading or saving in any manner.The Evangelical Lutheran Good Samaritan Society.-
Re: [qmailtoaster] duplicate emails
I want to thank everyone who posted a reply on my inquiry. I believe Jake Vickers was right about the problem. The RAM on the email server was bogged down since yesterday when I updated the various .cf files using rules_du_jour. I had included just a handful of rules from RDJ but it appears that RDJ utilizes much too much of my server resources to use it to update my spamassassin rules. It was slowing down the server so much that simple functions were not responding. This appears to have affected the delivery of emails. In fact I noticed that my original message to these mail lists took several hours to post and were duplicated also. I resolved the problem by moving the various rules .cf files out of the /etc/mail/spamassassin folder and restarting spamassassin. RDJ uses virtually no resources, and should only run once a day or so at most anyway. Adding a whole bunch of rules files to SA on the other hand can end up using a lot of resources, especially if you add things that you shouldn't like sa_blacklist.cf. It boils down to hoe much ram you have on your server, how much ram each spamd child takes, and how many children you have running. It sounds like you went heavily into thrashing. This could be from way too many rules. It could be from way too many children. Or even from something else. But those are the two main causes. Loren
Re:
Start by training bayes that these are bad things, it will eventually get the idea and start helping rather than hurting. Are you runing net tests? It sounds like someone has a broken zombie net that is supposed to be sending out gif spams, but they forgot the images. Net tests would probably catch these easily. Loren
Re: [qmailtoaster] duplicate emails
Steve, it might help if you listed which rule sets. There are some which are obscenely large and others that are obsolete. Maybe we can prune the list for you a little. {^_^} - Original Message - From: Steve Ingraham [EMAIL PROTECTED] Steve Ingraham wrote: I need help with a problem. Our users are seeing some multiple duplicate emails coming from the same sender. This is not occurring with every email so there does not seem to be any pattern to which incoming emails will be duplicated and which ones won't. They are also reporting that duplicate emails are sent when they send to an outside email. Has anyone experienced this problem before? What could be causing this to occur and what can I do to stop this? I am running qmailtoaster and spamassassin as an external email gateway. There has been nothing changed with qmail but I did update some rules in SA using rules_du_jour yesterday. Would these rules updates cause this problem? If so, what would have changed? Jake Vickers wrote: If your system is low on resources (ie: RAM), then the spamd process can take too long, making Toaster think the mail got lost somewhere, so it resends it. Might want to check and see how much RAM you're using. I want to thank everyone who posted a reply on my inquiry. I believe Jake Vickers was right about the problem. The RAM on the email server was bogged down since yesterday when I updated the various .cf files using rules_du_jour. I had included just a handful of rules from RDJ but it appears that RDJ utilizes much too much of my server resources to use it to update my spamassassin rules. It was slowing down the server so much that simple functions were not responding. This appears to have affected the delivery of emails. In fact I noticed that my original message to these mail lists took several hours to post and were duplicated also. I resolved the problem by moving the various rules .cf files out of the /etc/mail/spamassassin folder and restarting spamassassin. If anyone has a simple way of updating rules for spamassassin I would welcome your input. I still need to update the rules as I have been getting a great number of emails coming through to users. Specifically, we are getting a lot of the pharmaceutical spam and the stock spam. Again, thanks to everyone for the posts. Steve Ingraham
Re: duplicate emails
For what it is worth, Steve, the duplicate of this message below to this list has a different message ID field and was marked as received by two mxi2.occa.state.ok.us 1 and a half hours earlier. The message I am replying to is marked as being sent by your email program: Date: Tue, 26 Sep 2006 12:13:08 -0500 The other one is marked as being sent: Date: Tue, 26 Sep 2006 10:53:32 -0500 These correspond to the Received dates for the first hop. Somebody is marking an X-OriginalArrivalTime that more or less matches the times above. Your 3.0.4 spam checker scored both the same. They seem to have a Thread-Index: header: Thread-Index: AcbhjwlJO63enV2QR4SUkJYxOIDuqQ==(This one) Thread-Index: Acbhg+rbU74bClOIRmmEHaapA2ukfQ==(Prior one) At a guess I'd suspect Exchange barfed. {^_^} - Original Message - From: Steve Ingraham [EMAIL PROTECTED] I need help with a problem. Our users are seeing some multiple duplicate emails coming from the same sender. This is not occurring with every email so there does not seem to be any pattern to which incoming emails will be duplicated and which ones won't. They are also reporting that duplicate emails are sent when they send to an outside email. Has anyone experienced this problem before? What could be causing this to occur and what can I do to stop this? I am running qmailtoaster and spamassassin as an external email gateway. There has been nothing changed with qmail but I did update some rules in SA using rules_du_jour yesterday. Would these rules updates cause this problem? If so, what would have changed? Thanks for any help that can be provided. Steve Ingraham Director of Information Services Oklahoma Court of Criminal Appeals [EMAIL PROTECTED] 405 522-5343
Re: Earthlink emails
Easy to detect. If these lines are missing it isn't from Earthlink: X-ELNK-Trace: 969e0f2de935a8bcd780f4a490ca69563f9fea00a6dd62bcb02f9df018f210f4f21462a4fe5b44a8350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 71.116.187.9 X-ELNK-AV: 0 X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000; Originating IP should check out. And if it did not start out through: Received: from [71.116.187.9] (helo=watson1) by elasmtp-banded.atl.sa.earthlink.net with asmtp (Exim 4.34) id 1GSPvP-0005k3-7d for users@spamassassin.apache.org; Tue, 26 Sep 2006 23:17:32 -0400 Perhaps simplest look for a working Domain Key signature: DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=sHsrs3wmDYe/alXMm+V8Q+rD7M47bShf6PGpqVmFXtf+UoPnp57oCrGEcBcbmcmq; h=Received:Message-ID:From:To:References:Subject:Date:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE:X-ELNK-Trace:X-Originating-IP; {^_^} - Original Message - From: Loren Wilton [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Tuesday, September 26, 2006 20:17 Subject: Re: Earthlink emails Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143]) That mail came from a RoadRunner zombie account in Minnesota, has nothing to do with Earthlink other than the forged headers. If that is the entire message, and there isn't an image attached, they might be a bit hard to detect and stop. I'd check if maybe they are all coming from the same broken zombie system, and if so, block it specifically. Of course, if you had net tests running you would at least get a DUL hit on this, and possibly some others. Loren - Original Message - From: bryan haase To: users@spamassassin.apache.org Sent: Tuesday, September 26, 2006 9:24 AM Subject: Earthlink emails I am getting a lot of earthlink.net emails with 4-5 random words in the body. I am at a lost how to prevent these. Any suggestions?? Thanks Bryan Subject: axiom closure advocacy From: Blair [EMAIL PROTECTED] Date: Mon, 25 Sep 2006 22:17:02 -0500 To: [EMAIL PROTECTED] [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] Received: from jonas.corp.good-sam.com by oraclemail.corp.good-sam.com with ESMTP id 78034461159241089; Mon, 25 Sep 2006 22:24:49 -0500 Received: from relay2.corp.good-sam.com ([127.0.0.1]) by jonas.corp.good-sam.com (Netscape Messaging Server 4.15) with ESMTP id J66K5D00.QEM; Mon, 25 Sep 2006 22:24:49 -0500 Received: from localhost (unknown [127.0.0.1]) by relay2.corp.good-sam.com (Postfix) with ESMTP id ED14919734E; Mon, 25 Sep 2006 22:19:52 -0500 (CDT) Received: from relay2.corp.good-sam.com (localhost.localdomain [127.0.0.1]) by localhost.good-sam.com (Postfix) with ESMTP id AF23B197561; Mon, 25 Sep 2006 22:15:30 -0500 (CDT) Received: from SHERI-PTIN5DJM8 (cpe-74-71-30-143.twcny.res.rr.com [74.71.30.143]) by relay2.corp.good-sam.com (Postfix) with SMTP id 36BF4197613; Mon, 25 Sep 2006 22:15:30 -0500 (CDT) Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Thread-Index: cjP2e3ogNnRAWCd1RrPAz5dlnZTe3DJGeSOW X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on relay2.corp.good-sam.com X-Spam-Status: No, score=0.0 required=6.0 tests=none autolearn=disabled version=3.0.1 Content-Type: text/plain; charset=Windows-1252 Content-Transfer-Encoding: base64 attenuatebackwood altitude airline cheeky chinesedanube -- - This email transmission and any documents, files or previous email messages attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, printing, distributing or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender by telephone or return email and delete the original transmission and its attachments without reading or saving in any manner. The Evangelical Lutheran Good Samaritan Society. -
Re: Infuriating gif spam...
- Original Message - From: Steve [Spamassasin] [EMAIL PROTECTED] Jorge Valdes wrote: There are multiple images in these gifs, and because the first image is 'junk', sending this image through gocr will yield no results. The problem is that you have to scan all images to find the text. Try this with each image: convert -append News.gif pnm:- | gocr - That works a treat... I have an updated version of the FuzzyOcr plugin that has this and other improvements available here: http://www.joval.info/proj/FuzzyOcr.html Version 2.3j works much better... I'd previously been using version 2.3b for which I had an ebuild for gentoo. One thing I have noticed, however, is a number of errors/warnings which spamd sticks into /var/log/messages when it is started: -- Sep 26 17:20:48 server spamd[25563]: Subroutine new redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 122. Sep 26 17:20:48 server spamd[25563]: Subroutine parse_config redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 132. Sep 26 17:20:49 server spamd[25563]: Subroutine finish_parsing_end redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 184. Sep 26 17:20:49 server spamd[25563]: Subroutine dummy_check redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 288. Sep 26 17:20:49 server spamd[25563]: Subroutine load_global_words redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 292. Sep 26 17:20:49 server spamd[25563]: Subroutine load_personal_words redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 315. Sep 26 17:20:49 server spamd[25563]: Subroutine max redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 343. Sep 26 17:20:49 server spamd[25563]: Subroutine within_threshold redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 351. Sep 26 17:20:49 server spamd[25563]: Subroutine fmt_time redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 388. Sep 26 17:20:49 server spamd[25563]: Subroutine check_image_hash_db redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 414. Sep 26 17:20:49 server spamd[25563]: Subroutine add_image_hash_db redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 492. Sep 26 17:20:49 server spamd[25563]: Subroutine calc_image_hash redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 539. Sep 26 17:20:49 server spamd[25563]: Subroutine debuglog redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 580. Sep 26 17:20:49 server spamd[25563]: Subroutine wrong_ctype redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 590. Sep 26 17:20:49 server spamd[25563]: Subroutine corrupt_img redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 608. Sep 26 17:20:49 server spamd[25563]: Subroutine known_img_hash redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 626. Sep 26 17:20:49 server spamd[25563]: Subroutine removedir redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 637. Sep 26 17:20:49 server spamd[25563]: Subroutine fuzzyocr_check redefined at /etc/mail/spamassassin/FuzzyOcr.pm line 657. -- Have I somehow loaded this module twice? I didn't get these messages until I upgraded to version 2.3j from 2.3b No problem here, these are just informational messages that only recently showed up for me with the more recent versions of the FuzzyOcr plugin, as well. However, with the two latest versions, it only gets written to the log once during start-up, not with each image file that gets scanned like I was seeing a few versions back. Bill
duplicate emails
I need help with a problem. Our users are seeing some multiple duplicate emails coming from the same sender. This is not occurring with every email so there does not seem to be any pattern to which incoming emails will be duplicated and which ones wont. They are also reporting that duplicate emails are sent when they send to an outside email. Has anyone experienced this problem before? What could be causing this to occur and what can I do to stop this? I am running qmailtoaster and spamassassin as an external email gateway. There has been nothing changed with qmail but I did update some rules in SA using rules_du_jour yesterday. Would these rules updates cause this problem? If so, what would have changed? Thanks for any help that can be provided. Steve Ingraham Director of Information Services Oklahoma Court of Criminal Appeals [EMAIL PROTECTED] 405 522-5343
duplicate emails
I need help with a problem. Our users are seeing some multiple duplicate emails coming from the same sender. This is not occurring with every email so there does not seem to be any pattern to which incoming emails will be duplicated and which ones wont. They are also reporting that duplicate emails are sent when they send to an outside email. Has anyone experienced this problem before? What could be causing this to occur and what can I do to stop this? I am running qmailtoaster and spamassassin as an external email gateway. There has been nothing changed with qmail but I did update some rules in SA using rules_du_jour yesterday. Would these rules updates cause this problem? If so, what would have changed? Thanks for any help that can be provided. Steve Ingraham Director of Information Services Oklahoma Court of Criminal Appeals [EMAIL PROTECTED] 405 522-5343
RE: [qmailtoaster] duplicate emails
Steve Ingraham wrote: I need help with a problem. Our users are seeing some multiple duplicate emails coming from the same sender. This is not occurring with every email so there does not seem to be any pattern to which incoming emails will be duplicated and which ones wont. They are also reporting that duplicate emails are sent when they send to an outside email. Has anyone experienced this problem before? What could be causing this to occur and what can I do to stop this? I am running qmailtoaster and spamassassin as an external email gateway. There has been nothing changed with qmail but I did update some rules in SA using rules_du_jour yesterday. Would these rules updates cause this problem? If so, what would have changed? Jake Vickers wrote: If your system is low on resources (ie: RAM), then the spamd process can take too long, making Toaster think the mail got lost somewhere, so it resends it. Might want to check and see how much RAM you're using. I want to thank everyone who posted a reply on my inquiry. I believe Jake Vickers was right about the problem. The RAM on the email server was bogged down since yesterday when I updated the various .cf files using rules_du_jour. I had included just a handful of rules from RDJ but it appears that RDJ utilizes much too much of my server resources to use it to update my spamassassin rules. It was slowing down the server so much that simple functions were not responding. This appears to have affected the delivery of emails. In fact I noticed that my original message to these mail lists took several hours to post and were duplicated also. I resolved the problem by moving the various rules .cf files out of the /etc/mail/spamassassin folder and restarting spamassassin. If anyone has a simple way of updating rules for spamassassin I would welcome your input. I still need to update the rules as I have been getting a great number of emails coming through to users. Specifically, we are getting a lot of the pharmaceutical spam and the stock spam. Again, thanks to everyone for the posts. Steve Ingraham