Re: Earthlink emails

2006-09-28 Thread Ramprasad
On Thu, 2006-09-28 at 11:05 -0700, Loren Wilton wrote:
> > Apparently they have removed SPF records after publishing them once.
> > That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids
> > whenever there is a spam attack on my servers
> 
> SPF can be a pain for a number of reasons that have been discussed 
> endlessly.  I suspect Dirtlink found them to be effectively useless.
> 
> Why not try using domainkeys instead?
> 
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>   s=dk20050327; d=earthlink.net;
>   b=FB4IOaniCvpDwkx5cYm2jFWe8LB9zRfxL9FHzbhv1JHyGSVrA0o4mttb3jjbU4C3;
>   h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
> 
> Loren

Darn,
I don't want to get into SPF debates again.

Assume I am using domain keys and catching all spams forged from
earthlink; still, I am scanning the mails.

Anyway, that is already happening today. SA is catching spams from
earthlink (forged?) but when you scan a huge number of mails you would
like to be able to reject forged mails straight after "mail from:".
That is what SPF lets you do and that works.

No wonder a lot of spammers have stopped forging hotmail or msn,
because most of those mails don't even get through the MTA. And a majority
of the forged spams I still get are from earthlink or yahoo.

Thanks
Ram




Re: Earthlink emails

2006-09-28 Thread Ramprasad
On Thu, 2006-09-28 at 19:11 -0700, jdow wrote:
> From: "Ramprasad" <[EMAIL PROTECTED]>
> 
> > On Tue, 2006-09-26 at 21:28 -0700, jdow wrote:
> >> Before you blame Earthlink note that it has NOT gone through Earthlink
> >> servers.
> >> 
> >> relay2.corp.good-sam.com is the receiving email server.
> >> 
> >> It's a forged email, at a guess. (It also has mangled headers. Newlines
> >> are missing. MAYBE it would do better if you sent it plain text. HTML
> >> tends to mangle things.
> >> {^_^}
> > 
> > Nobody would blame earthlink for the mail, but most of the spams to my
> > clients come from earthlink.net (sometimes as high as 20% of spams;
> > Yahoo comes in next with ~10%)
> 
> How do you determine this? Is it by a legitimate domain keys tested
> Earthlink SMTP or does it simply say it came from Earthlink? I see
> a lot of mail that SAYS it came from Earthlink. But there is not a
> single Earthlink name in any of the Received headers. It's forged.
> 
I am going by envelope from only. Obviously can be forged



> > I have written to them several times that their domain is being forged
> > heavily by spammers but they refuse to take any action 
> 
> Explain how they can take any action? How can Earthlink stop it? They
> do sue in particularly blatant cases. But if it's some other ISP with
> a user forging Earthlink names what on Earth do you expect Earthlink
> to do?
> 
> > Apparently they have removed SPF records after publishing them once.
> > That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids
> > whenever there is a spam attack on my servers 
> 
> They went to domain keys. It seems to be better for the Earthlink
> situation.
> {^_^}

Why not SPF?
DK is a resource hog. And I can't do that easily in postfix (I know you
will point to dk-milter).

What is the point of accepting the mail and the entire data and then
scanning for DK when it should ideally have been rejected after
"mail from:"?

So I let SA do the testing, which catches the spams but eats the resources
of my servers. When you receive 3-5 million mails a day you tend to
bother more about resources.

Thanks
Ram






Re: Earthlink emails

2006-09-28 Thread jdow

From: "Ramprasad" <[EMAIL PROTECTED]>

> On Tue, 2006-09-26 at 21:28 -0700, jdow wrote:
> > Before you blame Earthlink note that it has NOT gone through Earthlink
> > servers.
> >
> > relay2.corp.good-sam.com is the receiving email server.
> >
> > It's a forged email, at a guess. (It also has mangled headers. Newlines
> > are missing. MAYBE it would do better if you sent it plain text. HTML
> > tends to mangle things.
> > {^_^}
>
> Nobody would blame earthlink for the mail, but most of the spams to my
> clients come from earthlink.net (sometimes as high as 20% of spams;
> Yahoo comes in next with ~10%)

How do you determine this? Is it by a legitimate domain keys tested
Earthlink SMTP or does it simply say it came from Earthlink? I see
a lot of mail that SAYS it came from Earthlink. But there is not a
single Earthlink name in any of the Received headers. It's forged.

> I have written to them several times that their domain is being forged
> heavily by spammers but they refuse to take any action

Explain how they can take any action? How can Earthlink stop it? They
do sue in particularly blatant cases. But if it's some other ISP with
a user forging Earthlink names what on Earth do you expect Earthlink
to do?

> Apparently they have removed SPF records after publishing them once.
> That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids
> whenever there is a spam attack on my servers

They went to domain keys. It seems to be better for the Earthlink
situation.
{^_^}


Re: Setting up DKIM and DomainKeys mail signing and verification

2006-09-28 Thread Mark Martinec
Henrik,

> I do however have a small problem:
> My users submit their messages for relaying on port 25 like normal
> incoming messages - meaning that they will be verified before they are
> signed, causing the verification to fail.

No, if you follow my setup. Mail from mynetworks and from authenticated
users (preferably SASL, possibly pop-before-smtp or other method) will
follow a separate path from other (incoming) mail. It will not be seen
by a verifying milter, but will be given to the signing milter after a
content filter.

> Is there a way to skip verification for authorized users/users
> in mynetworks?

If you are talking about verifying by milter, then yes: either
the milter would not even be invoked by MTA (my suggested setup),
or alternatively, it could base its decision on client IP address
if available (as Noel Jones had in mind).

If you are talking about verifying by the SpamAssassin plugins
for DK and DKIM, then avoiding verification for authorized
or local users is a bit more involved, and not covered in my
text. Ideally I think SA should use or not use the DK/DKIM plugins
based on the same decision as it does for invoking SPF and DUL
checks, i.e. skip these checks for locally originating mail.
Alternatively, DK/DKIM rules could be conditionalized.

> Or could the verification be performed AFTER the signing (as 
> only mails from trusted users are send through signing anyway)?

Verification should be performed as early as possible/convenient.

> > It could probably rather easily be changed to sending the
> > non-locally submitted mails through the verification AFTER the content

On Thursday September 28 2006 21:58, Noel Jones wrote:
> This loses the client information, and thinks localhost submitted all
> the mail.  Mail with forged sender address (or from a mail list) would
> be signed.

Not necessarily. If mail path through the system is kept separate
for incoming mail and mail originating from local users (mynetworks
or authenticated), then milters need not have the information about
original client's IP address - just invoking the required milters
on each path suffices, or the information may be passed as
milter macros.

> But you shouldn't sign mail after the content_filter,
> mail should only be signed at the point it first enters your network.

I disagree. If mail processing within our site is trustworthy (presumably
we know what we are doing to mail originating at our site, perhaps adding
some headers, maybe converting to 7bit and fixing some common problems
in mail header introduced by some submitting MUAs), then mail should be
signed as a last stage before it leaves the site, otherwise local processing 
could break a signature.

In http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim I state:

  Verifying signatures should be performed early, before any local mail
  transformations get a chance of invalidating signature, e.g. by performing
  MIME conversions to quote-printable, by fixing syntactically invalid mail
  header, by editing/inserting/removing certain header fields, or by a local
  mailing list modifying mail text, e.g. by appending footnotes.

  Signing outgoing mail should be performed late, after mail sanitation, after
  conversion to 7-bit characters (to avoid later uncontrollable changes by a
  relaying or receiving MTA), and after adding header fields by a content
  filter. Similar applies to local mailing lists, which may be rewriting
  messages, requiring them to be re-signed by the domain hosting a mailing
  list, just before being sent out.

Btw, the document has been updated since being posted here.
(new version of dkim-milter 0.5.2 came out meanwhile, updated FreeBSD
ports for both milters came out meanwhile, added more example SA rules).

> My command line (which works here but may not be correct for everyone)
> looks something like this
> # dk-filter -H -S mailgate -M {auth_author} -o Received -s ...

I wouldn't exempt Received header fields from signature,
after all these are vital pieces of information to the recipient
when investigating problems.

  Mark


RE: local.cf auto learn configs and defaults?

2006-09-28 Thread Email Lists
-> 
-> You can clear the AWL for a sender like this:
-> 
-> spamassassin --remove-addr-from-whitelist [EMAIL PROTECTED]
-> 
-> ([EMAIL PROTECTED] is the sender)
-> 
-> Make sure you do this as the user who is having the problem.
-> 
-> > Thanks and kind regards
-> 
-> If this doesn't help, post the headers from one of the messages so
-> that we can see which rules are hitting.
-> 
-> --
-> Bowie

Can this removal be a wildcard? 

[EMAIL PROTECTED]

Remember the test rule created was for a whole functional domain

 - rh


--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



Re: Setting up DKIM and DomainKeys mail signing and verification

2006-09-28 Thread Noel Jones

On 9/28/06, Henrik Ostergaard <[EMAIL PROTECTED]> wrote:

> This sounds promising! But I have distributed, moving users and therefore
> use pop-before-smtp for authentication, which means that my IP list is in a
> hash table, which is not in CIDR format. :-(

Your best choice is to set up SASL authentication.  I don't think
these milters will play nice with pop-before-smtp.  At best you would
have to restart the milter every time someone checked their mail.

> I came to think of something else - the approach described in the original
> post suggests all mails are verified, but only authenticated mails are
> signed.

No, the program chooses which to do based on parameters already
discussed.  Authorized clients get signed, all others get verified.

> It could probably rather easily be changed to sending the
> non-locally submitted mails through the verification AFTER the content
> filter. Ie in master.cf moving the lines
>  -o milter_default_action=accept
>  -o milter_macro_daemon_name=MTA
>  -o smtpd_milters=inet:127.0.0.1:4442,inet:127.0.0.1:4443
>
> from the section
>   smtp  inet  n   -   -   -   -   smtpd
> to the section
>   localhost:10025 inet  n  -  n   -   10  smtpd

This loses the client information, and thinks localhost submitted all
the mail.  Mail with forged sender address (or from a mail list) would
be signed.

> Will this approach break the signatures if (when) the content filter
> (amavis) adds headers?

Amavisd-new adds the headers on top so as to not break signatures.
Also using the -H option when signing tells dk-filter which headers to
use when verifying.  But you shouldn't sign mail after the
content_filter, mail should only be signed at the point it first
enters your network.

This is way off topic for this list, post any followup questions to
the amavis-users or postfix-users list.

--
Noel Jones


Re: Setting up DKIM and DomainKeys mail signing and verification

2006-09-28 Thread Henrik Ostergaard



Noel Jones wrote:
> 
> # dk-filter -H -S mailgate -M {auth_author} -o Received -s
> /var/db/certificates/domainkey.private -d example.com  -i
> /var/db/domainkey.clients -u milter -l -p inet:[EMAIL PROTECTED]
> 
> and the /var/db/domainkey.clients file is a list of networks that
> should be signed, in CIDR notation:
> # cat /var/db/domainkey.clients
> 127.0.0.1
> 192.168.0.0/16
> 10.0.0.0/8
> 

This sounds promising! But I have distributed, moving users and therefore
use pop-before-smtp for authentication, which means that my IP list is in a
hash table, which is not in CIDR format. :-(

I could maybe hack pop-before-smtp to generate a flat table each
time there are any changes - but then I will probably have to restart
dk-filter (and dkim-filter)..

I came to think of something else - the approach described in the original
post suggests all mails are verified, but only authenticated mails are
signed. It could probably rather easily be changed to sending the
non-locally submitted mails through the verification AFTER the content
filter. Ie in master.cf moving the lines
 -o milter_default_action=accept
 -o milter_macro_daemon_name=MTA
 -o smtpd_milters=inet:127.0.0.1:4442,inet:127.0.0.1:4443

from the section
  smtp  inet  n   -   -   -   -   smtpd
to the section
  localhost:10025 inet  n  -  n   -   10  smtpd

Will this approach break the signatures if (when) the content filter
(amavis) adds headers?

Regards

Henrik Østergaard



RE: local.cf auto learn configs and defaults?

2006-09-28 Thread Bowie Bailey
Email Lists wrote:
> >
> > It's probably an AWL score, but without showing us a list of the
> > tests hit on one of these emails all we can do is throw straws in
> > the air and guess.
> > Loren
> >
> 
> Ok, a box of straws will be on the way immediately...
> 
> Any special colors?   ;->
> 
> I appreciate your time and that of Daniel T. Staal so far...
> 
> ...as it confirms what I thought... yet I still needed to ask
> 
> What is AWL?  :-) yeah, I'll search yet am certainly looking for
> insight.

AWL is the Auto White List (although it would be more properly called a
score averager).  What it does is weight the spam scores towards the
sender's previous scores.  In this case, it may be providing a rather
high positive score to the emails since your rule caused him to have
high scores previously.

If you look at the message headers, you should see AWL listed if this
is what is causing the high score.

> Oh, how do I properly blow away (from the command line) any saved
> settings that SA or sa-learn or whatever is looking at that it has
> learned without frying my systems?

You can clear the AWL for a sender like this:

spamassassin --remove-addr-from-whitelist [EMAIL PROTECTED]

([EMAIL PROTECTED] is the sender)

Make sure you do this as the user who is having the problem.

> Thanks and kind regards

If this doesn't help, post the headers from one of the messages so
that we can see which rules are hitting.

-- 
Bowie
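
The score averaging described in the reply above, as an added example (not code from the original post or from SpamAssassin): it follows the documented `auto_whitelist_factor` formula, final = score + (mean - score) * factor, with the default factor 0.5. The scores are constructed, the function names are hypothetical, and the history is keyed by sender only, which is a simplification.

```python
"""Added illustration: why a sender keeps scoring high after a local rule is removed."""

AWL_FACTOR = 0.5  # default value of auto_whitelist_factor


class AwlEntry:
    """Per-sender history: number of messages seen and sum of their pre-AWL scores."""

    def __init__(self):
        self.count = 0
        self.total = 0.0

    def mean(self):
        return self.total / self.count if self.count else None


def awl_adjust(entry, raw_score, factor=AWL_FACTOR):
    """Return the final score for one message and record its raw score.

    The adjustment pulls the message part of the way towards the sender's
    long-term mean. The history stores the raw (pre-AWL) score.
    """
    mean = entry.mean()
    delta = 0.0 if mean is None else (mean - raw_score) * factor
    entry.count += 1
    entry.total += raw_score
    return raw_score + delta


def simulate(history_scores, new_scores, factor=AWL_FACTOR):
    """Feed history_scores into a fresh entry, then return the final scores
    (rounded to 2 places) that new_scores receive on top of that history."""
    entry = AwlEntry()
    for score in history_scores:
        awl_adjust(entry, score, factor)
    return [round(awl_adjust(entry, s, factor), 2) for s in new_scores]


# Constructed data: eight messages scored 10.5 while the local 9.9-point rule
# was active; after the rule is removed the same sender's mail scores 0.5.
HISTORY = [10.5] * 8
AFTER_RULE_REMOVED = [0.5] * 4

if __name__ == "__main__":
    print("with old history:", simulate(HISTORY, AFTER_RULE_REMOVED))
    # An empty history models the state after the sender's AWL entry is removed.
    print("entry cleared:   ", simulate([], AFTER_RULE_REMOVED))
```

With the old history in place the first message after the rule is removed still lands above a 5.0 threshold, and the average decays only slowly; with the entry cleared the same mail scores 0.5 immediately.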


Re: Setting up DKIM and DomainKeys mail signing and verification

2006-09-28 Thread Noel Jones

On 9/28/06, Henrik Ostergaard <[EMAIL PROTECTED]> wrote:

> My users submit their messages for relaying on port 25 like normal incoming
> messages - meaning that they will be verified before they are signed,


The same dk-filter command usually provides both signing and
verification, deciding which to do based on {client IP or
authenticated user} -AND- the correct domain name.  You must specify
IPs to sign and the domain name.
Use the -i option of dk-filter to specify which IPs should be signed
rather than verified; this usually corresponds to what is listed in
postfix mynetworks. When mail arrives from one of those clients, AND
the domain matches, the mail will be signed rather than verified.  See
"man dk-filter" for more info.

My command line (which works here but may not be correct for everyone)
looks something like this (all one line - replace example.com with
your domain name, adjust paths as appropriate):

# dk-filter -H -S mailgate -M {auth_author} -o Received -s
/var/db/certificates/domainkey.private -d example.com  -i
/var/db/domainkey.clients -u milter -l -p inet:[EMAIL PROTECTED]

and the /var/db/domainkey.clients file is a list of networks that
should be signed, in CIDR notation:
# cat /var/db/domainkey.clients
127.0.0.1
192.168.0.0/16
10.0.0.0/8

--
Noel Jones
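
The sign-or-verify decision described in the post above, modelled as an added example (not dk-filter's code and not part of the original posts). Function names are hypothetical, the client addresses are constructed, and the network list and `example.com` are the ones quoted in the post. The last case shows the concern raised elsewhere in this thread about running the milters on the `localhost:10025` re-injection listener, where every message appears to come from 127.0.0.1.

```python
"""Added illustration of: trusted client AND matching domain -> sign, else verify."""
import ipaddress

# Contents of the signing-clients file as quoted in the post.
CLIENTS_FILE = """\
127.0.0.1
192.168.0.0/16
10.0.0.0/8
"""

SIGNING_DOMAIN = "example.com"


def load_networks(text):
    """Parse one address or CIDR network per line, ignoring blank lines."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def sender_domain(address):
    """Domain part of a sender address, lower-cased."""
    return address.rpartition("@")[2].lower().rstrip(".")


def decide(client_ip, authenticated, sender, networks, signing_domain):
    """Return 'sign' or 'verify' for one SMTP transaction.

    A client is trusted if it authenticated (e.g. SASL) or connects from a
    listed network. Only trusted clients sending from the signing domain are
    signed; everything else is verified.
    """
    ip = ipaddress.ip_address(client_ip)
    trusted = authenticated or any(ip in net for net in networks)
    if trusted and sender_domain(sender) == signing_domain.lower():
        return "sign"
    return "verify"


NETWORKS = load_networks(CLIENTS_FILE)

# Constructed transactions: (client IP, authenticated?, sender address).
CASES = {
    "lan_user": ("192.168.4.20", False, "alice@example.com"),
    "outside_forged": ("203.0.113.7", False, "alice@example.com"),
    "roaming_sasl_user": ("203.0.113.7", True, "alice@example.com"),
    "lan_other_domain": ("10.1.2.3", False, "list@lists.example.org"),
    # After a content filter re-injects mail, the client is always localhost,
    # so an outside message forging the local domain would be signed.
    "reinjected_forged": ("127.0.0.1", False, "alice@example.com"),
}


def run_cases():
    return {name: decide(ip, auth, sender, NETWORKS, SIGNING_DOMAIN)
            for name, (ip, auth, sender) in CASES.items()}


if __name__ == "__main__":
    for name, action in run_cases().items():
        print(f"{name:20s} {action}")
```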


RE: duplicate emails

2006-09-28 Thread Steve Ingraham
Loren Wilton wrote:
>I did notice one possible problem in that debug output.  There was an
>'inappropriate ioctl for device' message in the whitelist stuff near the
>end.

>This is something that has been a problem for others and has been discussed
>before, but I don't recall what the usual fix is to solve this problem.  I
>don't think it is causing your duplicate emails, but there is a minor nit
>there that is probably making AWL not work right.

Thanks for the information Loren, it appears that email is delivering
normally again.  I definitely would not know enough of what I was doing
to start changing anything with this issue.  I feel shell shocked for
now and want to leave well enough alone now that things are functioning
again.  I really do think I need an expert to look over my
configuration.  Who knows what I may have screwed up?  I will say that I
don't know for sure.

As a note, I "think" I may know what could have caused my problems with
duplicate emails.  I do believe that when I ran the RDJ script and
attempted to update the rules this bogged down the email server.  As
Jake mentioned the other day, this caused delivery problems with qmail.
Once I stopped the update; removed all of the rules out of
/etc/mail/spamassassin and rebooted the server (I still cannot start
spamassassin by using /etc/init.d/spamassassin restart), email started
delivering normally.  It appears that the server resources were being
maxed out.

On another note, I believe I had a compounding problem with our internal
email server running Exchange 2000 that coincided with the above
problem.  The C: drive on that server filled up and thus stopped the
Microsoft Exchange MTA Stack service that evidently delivers mail from
non-Exchange systems.

Here is Microsoft's description of the function of the Exchange MTA
Stack service:

The Microsoft Exchange MTA Stacks service (MTA) routes messages through
X.400 and gateway connectors to non-Exchange messaging systems. In a
mixed environment with servers running Exchange Server 5.5 in the local
routing group, the MTA is also used to transfer messages between
Exchange Server 2003 and Exchange Server 5.5. This occurs because
Exchange Server 5.5 MTAs communicate with each other in the local site
directly through RPCs. Exchange Server 2003 must rely on this
communication method for backward compatibility.

The executable file of the Microsoft Exchange MTA Stacks service is
EMSMTA.exe, which is located in the \Program Files\Exchsrvr\bin
directory. This service depends on System Attendant and maintains its
own specific message queues outside the Exchange store in the \Program
Files\Exchsrvr\Mtadata directory. The registry key is
HKEY_Local_Machine\System\CurrentControlSet\Services\MSExchangeMTA.
 
Note

You should leave the Microsoft Exchange MTA Stacks service running, so
that server monitors in their default configuration do not report a
server running Exchange Server as unavailable.

These two things I think were Cause 1 and Cause 2 of my failure, at
least I think they were.  I will say that stopping the RDJ update and
removing all unnecessary rule sets out of /etc/mail/spamassassin helped
get the system delivering again, furthermore, once I freed up space on
the Exchange 2000 machine and restarted the MTA Stack service things
started going back to normal.

Of course this brings me right back to my original reason for starting
this process this week.  Our users are getting a lot of spam in their
mailboxes that I was trying to block from getting through by updating
rules in spamassassin.  George, I have included some of the things you
mentioned that I could put in the blacklist file.  I have also removed
all rules except 70_sare_adult.cf, 70_sare_bayespoison_nmx.cf,
random.cf, 70_sare_evilnum0.cf from /etc/mail/spamassassin.  I would
appreciate any information on whether these rules are beneficial for me
to keep.  I would also like to know if there are others that I have
removed or do not have that I need to put into this folder.

I need an education on these systems.  I would welcome anyone interested
in contacting me in regards to helping with my education.  I also still
feel the need to have an expert pair of eyes look over my system as I am
not totally convinced that everything is configured properly.

Thanks to everyone for their help,
Steve Ingraham


RE: local.cf auto learn configs and defaults?

2006-09-28 Thread Email Lists
-> 
-> It's probably an AWL score, but without showing us a list of the tests hit
-> on one of these emails all we can do is throw straws in the air and guess.
-> 
-> Loren
-> 

Ok, a box of straws will be on the way immediately...

Any special colors?   ;->

I appreciate your time and that of Daniel T. Staal so far...

...as it confirms what I thought... yet I still needed to ask

What is AWL?  :-) yeah, I'll search yet am certainly looking for insight.

Oh, how do I properly blow away (from the command line) any saved settings
that SA or sa-learn or whatever is looking at that it has learned without
frying my systems?

Thanks and kind regards

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



Re: local.cf auto learn configs and defaults?

2006-09-28 Thread Loren Wilton

> After awhile I removed all of it and restarted everything yet the test
> domain I did this with at first is still getting really high spam scores
> and is causing me a problem cause it is a secondary mail account live domain
> etc.

It's probably an AWL score, but without showing us a list of the tests hit on
one of these emails all we can do is throw straws in the air and guess.


   Loren



Re: duplicate emails

2006-09-28 Thread Loren Wilton
I did notice one possible problem in that debug output.  There was an 
'inappropriate ioctl for device' message in the whitelist stuff near the 
end.


This is something that has been a problem for others and has been discussed 
before, but I don't recall what the usual fix is to solve this problem.  I 
don't think it is causing your duplicate emails, but there is a minor nit 
there that is probably making AWL not work right.


   Loren



Re: sa-learn and "Caught" spams

2006-09-28 Thread Kelson

Daniel Staal wrote:
> Depends on the setup.  For instance, given the explanations above, I'll
> start a system to automatically learn from my 'checkspam' folder, but
> not my 'highspam' folder.  I have procmail automatically sort my spam by
> score, so I can pay extra attention to low-scoring spam.  (Which is more
> likely to be ham which was misplaced than the high-scoring spam.)
>
> So, since I *already* have them separated out, I can avoid the
> double-check.  ;)


But the final score alone doesn't determine whether something gets 
autolearned.


As Matt pointed out, there are a number of different factors, including 
the mix of head/body tests and the current Bayes score -- and it acts on 
what the score would have been if Bayes had been disabled.


So unless you've filtered on the "autolearn=(ham|spam|no)" tag in the 
X-Spam-Status header, you could be missing some high-scoring spam that 
hasn't already been learned.


You could probably filter your training folder to remove any messages 
where X-Spam-Status contains "autolearn=spam" (assuming, of course, that 
your server takes full control of that header).  That should be 
relatively fast and cut down on the resources used to identify duplicates.


--
Kelson Vibber
SpeedGate Communications 
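
One way to do the filtering suggested in the post above, as an added example that is not part of the original post: pick out the messages in a training folder that were not already autolearned as spam. The sample messages are constructed and the function names are hypothetical. Treating a message with more than one `X-Spam-Status` header as untrusted is an assumption made here for the case where the server does not fully control that header.

```python
"""Added illustration: skip messages whose X-Spam-Status says autolearn=spam."""
import email
import re

AUTOLEARN_RE = re.compile(r"\bautolearn=([a-z_]+)", re.IGNORECASE)


def autolearn_state(raw_message):
    """Return the autolearn value (e.g. 'spam', 'ham', 'no') or None.

    None is returned when the header is missing, has no autolearn tag, or
    appears more than once (one copy may have been supplied by the sender,
    so neither is trusted).
    """
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("X-Spam-Status") or []
    if len(headers) != 1:
        return None
    # The header is usually folded over several lines; the search spans folds.
    match = AUTOLEARN_RE.search(headers[0])
    return match.group(1).lower() if match else None


def select_for_training(raw_messages):
    """Indexes of messages that still need to be fed to sa-learn --spam."""
    return [i for i, raw in enumerate(raw_messages)
            if autolearn_state(raw) != "spam"]


def _message(*header_lines):
    """Build a constructed sample message from header lines."""
    return "\n".join(header_lines) + "\n\nbody text\n"


# Constructed sample folder contents.
SAMPLES = [
    # 0: already autolearned as spam -> skip
    _message("From: a@example.net", "Subject: one",
             "X-Spam-Status: Yes, score=12.3 required=5.0 autolearn=spam"),
    # 1: caught as spam but not autolearned -> train
    _message("From: b@example.net", "Subject: two",
             "X-Spam-Status: Yes, score=6.1 required=5.0 autolearn=no"),
    # 2: never scanned -> train
    _message("From: c@example.net", "Subject: three"),
    # 3: two status headers, cannot tell which is the server's -> train
    _message("From: d@example.net", "Subject: four",
             "X-Spam-Status: Yes, score=9.0 required=5.0 autolearn=spam",
             "X-Spam-Status: No, score=0.1 required=5.0 autolearn=ham"),
    # 4: folded header with the tag on the continuation line -> skip
    _message("From: e@example.net", "Subject: five",
             "X-Spam-Status: Yes, score=15.0 required=5.0 tests=BAYES_99,",
             "\tURIBL_BLACK autolearn=spam version=3.1.5"),
]

if __name__ == "__main__":
    print("train on messages:", select_for_training(SAMPLES))
```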


Re: Earthlink emails

2006-09-28 Thread Loren Wilton

> Apparently they have removed SPF records after publishing them once.
> That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids
> whenever there is a spam attack on my servers

SPF can be a pain for a number of reasons that have been discussed
endlessly.  I suspect Dirtlink found them to be effectively useless.

Why not try using domainkeys instead?

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
 s=dk20050327; d=earthlink.net;
 b=FB4IOaniCvpDwkx5cYm2jFWe8LB9zRfxL9FHzbhv1JHyGSVrA0o4mttb3jjbU4C3;
 h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;

   Loren



RE: no tokens ? How can that be ?

2006-09-28 Thread Bret Miller

> I came across a situation that seems non-intuitive;
>
> Two emails this am were spam, but hit BAYES_00.  So they were
> (presumably) learned as Ham somewhere along the way.

Not a valid presumption. The tokens may have been learned as ham from
other messages, but there is no implication that this particular message
was learned as ham.

>
> So far so good...
>
> Doing  ' sa-learn --forget ./message.txt ' gets me : Forgot
> tokens 0 from message(s) (1 message(s) examined)
>
> What kind of situation can cause this ? I was under the
> impression that Bayes_00 meant it was explicitly learned as
> spam, so there must be related tokens.

So this particular message hadn't been learned at all. How about
learning it as spam instead?

Bret





no tokens ? How can that be ?

2006-09-28 Thread Michael Grey








I came across a situation that seems non-intuitive;

Two emails this am were spam, but hit BAYES_00.  So they
were (presumably) learned as Ham somewhere along the way.

So far so good…

Doing ' sa-learn --forget ./message.txt '
gets me : Forgot tokens 0 from message(s) (1 message(s) examined)

What kind of situation can cause this ? I was under the
impression that Bayes_00 meant it was explicitly learned as spam, so there must
be related tokens.

Thanks

Michael Grey

 

 








Re: local.cf auto learn configs and defaults?

2006-09-28 Thread Daniel T. Staal
On Thu, September 28, 2006 1:08 pm, Email Lists said:

> #   Use Bayesian classifier (default: 1)
> #
> # use_bayes 1
>
> #   Bayesian classifier auto-learning (default: 1)
> #
> # bayes_auto_learn 1
>
> Please notice that they are commented out and have never been put in
> service.

Since those are the default values, commenting them out doesn't have much
effect.  You would have to uncomment and change them to deactivate those
features.

Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---



RE: update rules

2006-09-28 Thread Bret Miller
> I just install a new version of spamassassin.
> What do I need to do, so it learns everything?

You may wish to run sa-update:

Or install additional add-on rules:
http://wiki.apache.org/spamassassin/CustomRulesets

Or run sa-learn against a recent set of ham (non-spam) and spam
messages. The bayes engine, if enabled, requires a minimum of 200 each
of ham and spam before it begins to function on incoming e-mail.

Or if you run network tests, you may wish to look at www.uribl.com for
additional tests you can add.

I could go on, but this would be a good start. Then it's just a matter
of watching to see what's getting through the filter and finding some
rules to stop those messages.

Bret





update rules

2006-09-28 Thread Benjamin Adams

I just install a new version of spamassassin.
What do I need to do, so it learns everything?


RE: local.cf auto learn configs and defaults?

2006-09-28 Thread Email Lists
-> I placed with some rules some time back because I didn't like to see list
-> emails from this one person with very poor judgement and taste in his
-> signature lines decisions...
-> 
-> Looked like this and I added them to my local.cf
-> 
-> #
->header LOCAL_DEMONSTRATION_ALL  ALL =~ /thatjerksdomsin\.com/i
->score LOCAL_DEMONSTRATION_ALL   9.9
-> #
-> 
-> I did a test domain first and it worked. Then I went live with the real
-> domain.
-> 
-> After awhile I removed all of it and restarted everything yet the test
-> domain I did this with at first is still getting really high spam scores
-> and
-> is causing me a problem cause it is a secondary mail account live domain
-> etc.
-> 
-> Also, in my local.cf
-> 
-> #   Use Bayesian classifier (default: 1)
-> #
-> # use_bayes 1
-> 
-> #   Bayesian classifier auto-learning (default: 1)
-> #
-> # bayes_auto_learn 1
-> 
-> Please notice that they are commented out and have never been put in
-> service.
-> 
-> What I am wondering, is this though, how do I check besides here to see
-> if
-> bayes or auto_learn is on somewhere else
-> 
-> Would I just look at the headers? Is that the only way and the only other
-> place to look?
-> 
-> I know something is learned and stored somewhere.
-> 
-> How do I clear this? Can I do it selectively or does it all have to be
-> dusted. I never knowingly turned on any learning.
-> 
-> Let me know if you need more info...
-> 
-> Thanks and kind regards
-> 
->  - rh

I usually do not reply to my own yet I have more data/info for you

In /home/spamd/.spamassassin it looks like this

-rw---  1 spamd spamd 10473472 Sep 28 10:20 auto-whitelist
-rw---  1 spamd spamd 3624 Sep 28 10:20 bayes_journal
-rw---  1 spamd spamd  5177344 Sep 28 10:20 bayes_seen
-rw---  1 spamd spamd  5386240 Sep 28 10:20 bayes_toks

So obviously something is happening. I have used spamassassin for a long
time, it is just now that I am trying to learn more and get into the nuts
and bolts for all involved.

Any pointers to what to search for on google or where to make changes would
be appreciated.

I know where the spamassassin site is, I am just not familiar with the
terminologies so I can do better searching and researching please.

Thanks again

 - rh

--
Robert - Abba Communications
  Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



local.cf auto learn configs and defaults?

2006-09-28 Thread Email Lists

I placed with some rules some time back because I didn't like to see list
emails from this one person with very poor judgement and taste in his
signature lines decisions...

Looked like this and I added them to my local.cf

#
   header LOCAL_DEMONSTRATION_ALL  ALL =~ /thatjerksdomsin\.com/i
   score LOCAL_DEMONSTRATION_ALL   9.9
#

I did a test domain first and it worked. Then I went live with the real
domain.

After awhile I removed all of it and restarted everything yet the test
domain I did this with at first is still getting really high spam scores and
is causing me a problem cause it is a secondary mail account live domain
etc.

Also, in my local.cf 

#   Use Bayesian classifier (default: 1)
#
# use_bayes 1

#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1

Please notice that they are commented out and have never been put in
service.

What I am wondering, is this though, how do I check besides here to see if
bayes or auto_learn is on somewhere else

Would I just look at the headers? Is that the only way and the only other
place to look?

I know something is learned and stored somewhere.

How do I clear this? Can I do it selectively or does it all have to be
dusted. I never knowingly turned on any learning.

Let me know if you need more info...

Thanks and kind regards

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net
 




Re: duplicate emails

2006-09-28 Thread François Rousseau
I have already had a similar problem, but with another mail server (ModusMail).
It's not exactly the same problem and I'm not sure if that will help you.

The user starts downloading the email and the connection resets, so the client
has to redownload from the start... The email server only notes the downloaded
email at the end, so if the connection crashes before the end, the server
considers no message as "read".
But the messages are already in the user's client, so they receive them in a
loop. In my case, the problem was some badly formatted emails (empty ones with
a strange message-id). I have created a perl script to filter those emails.

Francois Rousseau

2006/9/28, Steve Ingraham <[EMAIL PROTECTED]>:
> Mark Adams wrote:
> > What is your exchange server hosting? pop3? I have noted problems before
> > with clients receiving duplicate emails when connections timeout and the
> > server does not know how far the client application has gone through
> > the download of the mailbox - causing it to start downloading again. Are
> > any of the clients remote from the server? (this is where i noted the
> > problem most, notably on mobile internet devices especially on high
> > speed trains etc..)
>
> All clients are networked desktop machines.  There are no remote
> connections.
>
> Steve Ingraham


RE: sa-learn and "Caught" spams

2006-09-28 Thread Bowie Bailey
Mike Woods wrote:
> Bowie Bailey wrote:
> > 
> > You don't have to figure out what has and has not already been
> > learned.  Just filter everything into directories for ham and spam
> > learning and feed the entire directory to sa-learn.  Once you have
> > learned the messages, you can either delete them, or move them to
> > an archive directory.  Using this method, nothing is ever learned
> > twice.  Also, (if you do your sorting properly) nothing is ever
> > learned incorrectly.
> 
> That's basically what I have in mind!

You can put this:

bayes_auto_learn 0

into your local.cf for global usage, or into a user's user_prefs as a
single user setting.  This will completely turn off the auto learning.
Then you can sort the messages and learn them manually without having
to worry about what auto-learn is doing.

(This is for SA 3.1x, earlier versions may have a slightly different
config setting)

-- 
Bowie
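
The sort-then-learn workflow described above, as a shell script added here as an example (it is not code from the thread or from the SpamAssassin project). It assumes auto-learning is off via `bayes_auto_learn 0`; the directory layout, the `learn_queue` and `sync_bayes` helpers and the `SA_LEARN` override are assumptions of this example, while `--spam`, `--ham`, `--no-sync` and `--sync` are standard sa-learn options.

```shell
#!/bin/sh
# Learn-once workflow: every message sorted into a queue directory is fed to
# sa-learn exactly once, then moved to an archive so it is never re-learned.
# Assumes "bayes_auto_learn 0" in local.cf. Paths and helper names are
# assumptions of this example, not part of SpamAssassin.

SA_LEARN="${SA_LEARN:-sa-learn}"

# learn_queue <spam|ham> <queue_dir> <archive_dir>
# Prints the number of messages learned and archived. Returns non-zero if
# sa-learn fails; in that case the messages are put back for a retry.
learn_queue() {
    class=$1; queue=$2; archive=$3
    case "$class" in
        spam|ham) ;;
        *) echo "learn_queue: class must be spam or ham" >&2; return 2 ;;
    esac
    [ -d "$queue" ] || { echo "learn_queue: no such directory: $queue" >&2; return 2; }
    mkdir -p "$archive" || return 2

    # Move the current contents into a private batch directory first, so
    # mail sorted into the queue while sa-learn runs is neither skipped
    # nor archived unlearned. The dot-directory is not matched by "*".
    batch="$queue/.learning.$$"
    mkdir "$batch" || return 2
    count=0
    for msg in "$queue"/*; do
        [ -f "$msg" ] || continue
        mv -- "$msg" "$batch/" && count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rmdir "$batch"
        echo 0
        return 0
    fi

    # --no-sync defers the journal flush; sync_bayes does it once at the end.
    if "$SA_LEARN" "--$class" --no-sync "$batch" >&2; then
        dest=$archive
    else
        dest=$queue            # learning failed: nothing is archived
    fi
    for msg in "$batch"/*; do
        [ -f "$msg" ] || continue
        mv -- "$msg" "$dest/"
    done
    rmdir "$batch"
    [ "$dest" = "$archive" ] || return 1
    echo "$count"
}

# Flush the Bayes journal once after all --no-sync runs.
sync_bayes() {
    "$SA_LEARN" --sync >&2
}

# Usage: learn-once.sh <mail_root>
# Expects <mail_root>/learn-spam and <mail_root>/learn-ham (assumed layout).
if [ "$#" -eq 1 ]; then
    root=$1
    learn_queue spam "$root/learn-spam" "$root/archive/spam" &&
    learn_queue ham  "$root/learn-ham"  "$root/archive/ham"  &&
    sync_bayes
fi
```
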


Re: sa-learn and "Caught" spams

2006-09-28 Thread Mike Woods

Bowie Bailey wrote:

> Why would you feed things through again and again?  My point was that
> if you turn off auto-learning, you have complete control over what is
> learned. 

I wouldn't, but when you said "Then you can feed everything to sa-learn 
and not worry about it"

I assumed that's what you meant :D

> You don't have to figure out what has and has not already
> been learned.  Just filter everything into directories for ham and
> spam learning and feed the entire directory to sa-learn.  Once you
> have learned the messages, you can either delete them, or move them to
> an archive directory.  Using this method, nothing is ever learned
> twice.  Also, (if you do your sorting properly) nothing is ever
> learned incorrectly.

That's basically what I have in mind!

--
Mike Woods
Systems Administrator



RE: really slow spamd scan

2006-09-28 Thread Sietse van Zanen



DNS time-outs are usually 10 seconds.
14-10 = 4, which is normal.
I would  check if your DNS tests run smoothly and do not time out somewhere.
 
-Sietse


From: Justin Mason
Sent: Thu 28-Sep-06 17:00
To: John D. Hardin
Cc: Deephay; Olivier Nicole; users@spamassassin.apache.org
Subject: Re: really slow spamd scan
"John D. Hardin" writes:
>On Thu, 28 Sep 2006, Deephay wrote:
>
>> On 9/28/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:
>> > > I am quite new to SA (a week of SA life), and the SA is working, the
>> > > thing is, SA is incredibly slow on my server (2.8GHZ CPU + 2GB Memory
>> > > + Qmail + Qmail-scanner).  Here's a typical scan log:
>> > >
>> > > result: . 0 - SPF_PASS scantime=14.7,size=1689  ...
>> >
>> > Hi,
>> >
>> > Problem is not that it is slow.
>> >
>> > That SA takes 14 seconds to deliver a message is not an issue, email
>> > is not a real time process anyway and transiting email from one
>> > gateway to another can take minutes or hours.
>>
>> The scantime=14.7 does not mean the scan time of spamassassin?
>
>It does. 14.7 seconds to scan the message.
>
>> > Problem would be is SA would make high CPU load on your server.
>> >
>> > 14 seconds may be just the delay for the various network tests to
>> > respond.
>>
>> You mean the test from SA?
>
>Yes. The various DNS and URI blocklist lookups and Razor/Pyzor/DCC all
>take time to complete.
>
>A system snapshot (load average, running processes, memory consumption
>including swap) taken during processing of a message would help us
>determine whether there *is* a problem. If fifteen seconds is the high
>end of what you are seeing, you do not have a problem.
>
>> I have googled for this kind of situations and I found I am the
>> slowest. If I stop the spamd, the delivery will be much faster.
>
>If you are worried about a fifteen second delay in delivery of email
>you need to tune your users' expectations, *NOT* SpamAssassin.
>
>I've said it before and I'll say it again: Email is a best-effort,
>non-guaranteed store-and-forward messaging system. It is not Instant
>Messaging. It is not a general-purpose file transfer utility. Delays
>will happen.

In fairness, though, I would agree that 14 seconds is pretty
long for most cases.  On my pretty old 1.5ghz server, I get
this kind of distribution:

number  seconds
401 0 - 1
280 1 - 2
185 2 - 3
110 3 - 4
 46 4 - 5
 36 5 - 6
 34 6 - 7
 15 7 - 8
 13 8 - 9
 17 9 - 10
  4 10 - 11
  9 11 - 12
  8 12 - 13
  4 13 - 14
  4 14 - 15
 20 15 seconds or more

IOW, a large majority complete in under 4 seconds.  See the wiki
for speed-up tips.

--j.



RE: sa-learn and "Caught" spams

2006-09-28 Thread Bowie Bailey
Mike Woods wrote:
> > Why not simply turn off autolearning?  Then you can feed everything
> > to sa-learn and not worry about it.
> 
> Feeding everything through sa-learn again and again would take huge
> amounts of time, if i take the spam folders of me and one of the
> directors there are over 100,000 messages so learning them just the
> once seems to make some sense to me :D

Why would you feed things through again and again?  My point was that
if you turn off auto-learning, you have complete control over what is
learned.  You don't have to figure out what has and has not already
been learned.  Just filter everything into directories for ham and
spam learning and feed the entire directory to sa-learn.  Once you
have learned the messages, you can either delete them, or move them to
an archive directory.  Using this method, nothing is ever learned
twice.  Also, (if you do your sorting properly) nothing is ever
learned incorrectly.

-- 
Bowie


Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5

2006-09-28 Thread Donald Craig
And Theo Van Dinter pointed out:
You're not by chance using the opendns.{com,org} folks for DNS, are you?

Of course.  I'm an idiot.  I switched to OpenDNS a couple of weeks back.
Time to return from whence I came.  Thank you,
Don Craig
 
I'm getting matches whenever I have an embedded URL
on URIBL_AB_SURBL and URIBL_PH_SURBL -
unless the URL is actually in URIBL_SBL, in which case the
logic for all the flavors of URIBL_XX_SURBL seems
to work correctly.  I have verified the
absence of the incorrectly matching URLs from SURBL
with lookups in http://www.rulesemporium.com/cgi-bin/uribl.cgi

This is SpamAssassin 3.1.5, all was fine in 3.1.2.

For now I have set both those tests to 0.00.

Don Craig








Re: really slow spamd scan

2006-09-28 Thread Justin Mason

"John D. Hardin" writes:
>On Thu, 28 Sep 2006, Deephay wrote:
>
>> On 9/28/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:
>> > > I am quite new to SA (a week of SA life), and the SA is working, the
>> > > thing is, SA is incredibly slow on my server (2.8GHZ CPU + 2GB Memory
>> > > + Qmail + Qmail-scanner).  Here's a typical scan log:
>> > >
>> > > result: . 0 - SPF_PASS scantime=14.7,size=1689  ...
>> >
>> > Hi,
>> >
>> > Problem is not that it is slow.
>> >
>> > That SA takes 14 seconds to deliver a message is not an issue, email
>> > is not a real time process anyway and transiting email from one
>> > gateway to another can take minutes or hours.
>>
>> The scantime=14.7 does not mean the scan time of spamassassin?
>
>It does. 14.7 seconds to scan the message.
>
>> > Problem would be is SA would make high CPU load on your server.
>> >
>> > 14 seconds may be just the delay for the various network tests to
>> > respond.
>>
>> You mean the test from SA?
>
>Yes. The various DNS and URI blocklist lookups and Razor/Pyzor/DCC all
>take time to complete.
>
>A system snapshot (load average, running processes, memory consumption
>including swap) taken during processing of a message would help us
>determine whether there *is* a problem. If fifteen seconds is the high
>end of what you are seeing, you do not have a problem.
>
>> I have googled for this kind of situations and I found I am the
>> slowest. If I stop the spamd, the delivery will be much faster.
>
>If you are worried about a fifteen second delay in delivery of email
>you need to tune your users' expectations, *NOT* SpamAssassin.
>
>I've said it before and I'll say it again: Email is a best-effort,
>non-guaranteed store-and-forward messaging system. It is not Instant
>Messaging. It is not a general-purpose file transfer utility. Delays
>will happen.

In fairness, though, I would agree that 14 seconds is pretty
long for most cases.  On my pretty old 1.5ghz server, I get
this kind of distribution:

number  seconds
401 0 - 1
280 1 - 2
185 2 - 3
110 3 - 4
 46 4 - 5
 36 5 - 6
 34 6 - 7
 15 7 - 8
 13 8 - 9
 17 9 - 10
  4 10 - 11
  9 11 - 12
  8 12 - 13
  4 13 - 14
  4 14 - 15
 20 15 seconds or more

IOW, a large majority complete in under 4 seconds.  See the wiki
for speed-up tips.

--j.
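
One way to produce the same kind of distribution from your own spamd log, added here as an example (it is not Justin's script or SpamAssassin code). It assumes log lines carrying the `result: ... scantime=N.N,size=...` fields quoted in this thread; the sample log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Bucket spamd scan times into one-second bins, in the "number  seconds"
# layout used above. Function names and sample data are assumptions of
# this example.

# scantime_histogram [file...]: reads spamd log lines (stdin if no file).
# Only "result:" lines with a scantime= field are counted; scans of
# 15 seconds or more share one bucket.
scantime_histogram() {
    awk '
        /result:/ && match($0, /scantime=[0-9]+(\.[0-9]+)?/) {
            # "scantime=" is 9 characters; the number follows it
            secs = substr($0, RSTART + 9, RLENGTH - 9) + 0
            b = int(secs)
            if (b > 15) b = 15
            n[b]++
        }
        END {
            print "number  seconds"
            for (b = 0; b < 15; b++)
                if (n[b]) printf "%6d  %d - %d\n", n[b], b, b + 1
            if (n[15]) printf "%6d  15 seconds or more\n", n[15]
        }
    ' "$@"
}

# count_scans_at_least <seconds> [file...]: how many scans took at least
# that long. With a threshold near the DNS time-out mentioned in this
# thread (10 seconds), it shows how many scans may have waited on a lookup.
count_scans_at_least() {
    limit=$1
    shift
    awk -v limit="$limit" '
        /result:/ && match($0, /scantime=[0-9]+(\.[0-9]+)?/) {
            if (substr($0, RSTART + 9, RLENGTH - 9) + 0 >= limit + 0) slow++
        }
        END { print slow + 0 }
    ' "$@"
}

# Constructed sample input: timestamps, host and PID are made up; the
# "result:" fields follow the line quoted in the thread.
sample_log() {
    cat <<'EOF'
Sep 28 17:00:01 mx spamd[2101]: spamd: result: . 0 - SPF_PASS scantime=0.8,size=1204
Sep 28 17:00:03 mx spamd[2101]: spamd: result: . 0 - SPF_PASS scantime=1.2,size=980
Sep 28 17:00:05 mx spamd[2101]: spamd: result: . 0 - SPF_PASS scantime=1.9,size=2210
Sep 28 17:00:09 mx spamd[2101]: spamd: result: . 0 - SPF_PASS scantime=3.4,size=5120
Sep 28 17:00:24 mx spamd[2101]: spamd: clean message (0.0/5.0) for qscand:1001 in 14.7 seconds, 1689 bytes.
Sep 28 17:00:24 mx spamd[2101]: spamd: result: . 0 - SPF_PASS scantime=14.7,size=1689
Sep 28 17:00:40 mx spamd[2101]: spamd: result: . 0 - SPF_PASS scantime=15.0,size=3001
Sep 28 17:01:03 mx spamd[2101]: spamd: result: . 0 - SPF_PASS scantime=22.3,size=7710
EOF
}

# With file arguments, report on those logs; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
    scantime_histogram "$@"
else
    sample_log | scantime_histogram
fi
```
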


RE: duplicate emails

2006-09-28 Thread Steve Ingraham
Mark Adams wrote:
What is your exchange server hosting? pop3? I have noted problems before
with clients receiving duplicate emails when connections timeout and the
server does not know how far the client application has gone through
the download of the mailbox - causing it to start downloading again. Are
any of the clients remote from the server? (this is where i noted the
problem most, notably on mobile internet devices especially on high
speed trains etc..)


All clients are networked desktop machines.  There are no remote
connections.

Steve Ingraham


Re: really slow spamd scan

2006-09-28 Thread John D. Hardin
On Thu, 28 Sep 2006, Deephay wrote:

> On 9/28/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> > > I am quite new to SA (a week of SA life), and the SA is working, the
> > > thing is, SA is incredibly slow on my server (2.8GHZ CPU + 2GB Memory
> > > + Qmail + Qmail-scanner).  Here's a typical scan log:
> > >
> > > result: . 0 - SPF_PASS scantime=14.7,size=1689  ...
> >
> > Hi,
> >
> > Problem is not that it is slow.
> >
> > That SA takes 14 seconds to deliver a message is not an issue, email
> > is not a real time process anyway and transiting email from one
> > gateway to another can take minutes or hours.
>
> The scantime=14.7 does not mean the scan time of spamassassin?

It does. 14.7 seconds to scan the message.

> > Problem would be is SA would make high CPU load on your server.
> >
> > 14 seconds may be just the delay for the various network tests to
> > respond.
>
> You mean the test from SA?

Yes. The various DNS and URI blocklist lookups and Razor/Pyzor/DCC all
take time to complete.

A system snapshot (load average, running processes, memory consumption
including swap) taken during processing of a message would help us
determine whether there *is* a problem. If fifteen seconds is the high
end of what you are seeing, you do not have a problem.

> I have googled for this kind of situations and I found I am the
> slowest. If I stop the spamd, the delivery will be much faster.

If you are worried about a fifteen second delay in delivery of email
you need to tune your users' expectations, *NOT* SpamAssassin.

I've said it before and I'll say it again: Email is a best-effort,
non-guaranteed store-and-forward messaging system. It is not Instant
Messaging. It is not a general-purpose file transfer utility. Delays
will happen.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Insofar as the police deter by their presence, they are very, very
  good. Criminals take great pains not to commit a crime in front of
  them. -- Jeffrey Snyder
---



Re: duplicate emails

2006-09-28 Thread Mark Adams
> 
> This morning I am receiving emails but not sure everything is "normal"
> yet.  My belief is that there are multiple problems with our domain that
> is causing my email problems.  I would more than welcome any and all
> assistance.  Thank you.
> 
>

What is your exchange server hosting? pop3? I have noted problems before
with clients receiving duplicate emails when connections timeout and the
server does not know how far the client application has gone through
the download of the mailbox - causing it to start downloading again. Are
any of the clients remote from the server? (this is where i noted the
problem most, notably on mobile internet devices especially on high
speed trains etc..)

Not sure if this will help.

Regards,
Mark


RE: [qmailtoaster] duplicate emails

2006-09-28 Thread Steve Ingraham









 

Jake Vickers wrote:

> Steve, in looking at what I was doing late last night, I did not specify
> the port for the telnet connection. It was my outbound firewall that was
> causing the no route to host. Apologize for this.
> If email is working now, keep an eye on it. Are all of your clients set up
> to use the Exchange as the inbound/outbound server?

Apology is not necessary.  I appreciate the efforts by all.  It just
concerned me because coincidentally I had recent DNS problems.  To answer
your question, yes, the clients are using Outlook and mail is routed through
Microsoft Exchange 2000.  I also have just placed (in July) a new server
running Windows 2003 Server and Exchange 2003.  I have moved several
mailboxes to the new Exchange 2003 server including my account.  So all the
clients' email is relayed from qmail to either the old Exchange 2000 server
or the new Exchange 2003 server.

Steve Ingraham








Re: Move to Junk Email

2006-09-28 Thread Theo Van Dinter
On Thu, Sep 28, 2006 at 09:43:22AM -0400, Shue, Daniel G. wrote:
> this with event sink, or do I need to take my question to an Exchange
> newsgroup?

I would highly recommend that since you'll be more likely to get an
answer.  1) It's not a question about SpamAssassin, 2) the super vast
majority of people on this list don't use Exchange.

-- 
Randomly Selected Tagline:
"Disclaimer: Author is an admited Linux Crackpot, and you should not take
 financial advice from anyone with such horrendous spelling." - Tim Dion




RE: duplicate emails

2006-09-28 Thread Steve Ingraham
Matt Kettler wrote:
>First, I'd have Jake try his telnet again, but this time use port 25 to
>connect to: (note the extra 25 on the end)

>telnet 204.87.111.225 25


>*I* can do this just fine. I get back:

>220 dellapp02.occa.state.ok.us ESMTP

>Jake should too. If he can't, the problem isn't in your network, it is in
>his.

You are the second person to reply similarly.  As I mentioned I had some
problems a couple of weeks ago that made me concerned about Jake's
inability to dig to my mx record but I do not believe my DNS
configuration is the problem.

Steve Ingraham


Move to Junk Email

2006-09-28 Thread Shue, Daniel G.
I have seen some info of SA working with Exchange and using event sinks.
However, what I want to do may be a little different.  I want to be able
to take any spam that our Linux box running SA tags as spam (either by
header or preferably subject) that gets forwarded to our Exchange 2003
server be moved automatically into the Outlook Junk Email folder, with
out creating custom rules on everyone's PC.  Can you do something like
this with event sink, or do I need to take my question to an Exchange
newsgroup?

Thanks,

Daniel




Re: duplicate emails

2006-09-28 Thread Matt Kettler
Steve Ingraham wrote:
>
> I want to thank Jake, Andrew, George, Eric, Loren, Jimmy and anyone
> else who has sent information to help me with my email problems the
> last couple of days. Despite all of your good advice our domain is
> still having email problems. I am not exactly sure what the root of
> the problem is exactly.
>
> I received an email to [EMAIL PROTECTED]
>  that appears to have only gone to
> that account so Jake may be the only one reading this aware of his
> comments. In it he states that he was unable to connect to remote host
> when he digs our MX okcca.net. I have included the contents of his
> message here:
>
> Jake Vickers wrote:
>
> Hey Steve. I've been in those shoes before To get email working,
> for now take out all of your SA rules. Then run spamassassin -D --lint
> to parse everything and make sure all is okay.
> I am trying to do as much trouble shooting without actually logging
> into your machine as I can from here. Here is my first problem
> Your DNS is wrong, or you have a network problem somewhere:
>

>
>
> [EMAIL PROTECTED] ~]# telnet 204.87.111.225
> Trying 204.87.111.225...
> telnet: connect to address 204.87.111.225: No route to host
> telnet: Unable to connect to remote host: No route to host
>
>
> As you can see, I cannot get to your IP address at all.
>
> As Jake suggested, I moved everything except local.cf and init.pre out
> of /etc/mail/spamassassin and ran spamassassin -D --lint. I am not sure
> what I am looking for in the returns from this action.
>
Stop looking at your spamassassin configuration. Stop looking at your
email configuration. Start looking at routers and firewalls.

The "no route to host" can only be caused by a router or firewall
somewhere in the path from Jake's machine to 204.87.111.225. Possibly
even a router on Jake's end.

First, I'd have Jake try his telnet again, but this time use port 25 to
connect to: (note the extra 25 on the end)

telnet 204.87.111.225 25


*I* can do this just fine. I get back:

220 dellapp02.occa.state.ok.us ESMTP

Jake should too. If he can't, the problem isn't in your network, it is in
his.



Re: duplicate emails

2006-09-28 Thread Rick Macdougall

Steve Ingraham wrote:
mail.okcca.net. 21592   IN  A   204.87.111.225 

;; Query time: 2 msec 
;; SERVER: 216.55.144.5#53(216.55.144.5) 
;; WHEN: Wed Sep 27 21:16:14 2006 
;; MSG SIZE  rcvd: 48 

[EMAIL PROTECTED] ~]# telnet 204.87.111.225 
Trying 204.87.111.225... 
telnet: connect to address 204.87.111.225: No route to host 
telnet: Unable to connect to remote host: No route to host 

 


Concerning Jake's comment about not being able to dig to my mx record on
okcca.net, I was having some problems with DNS for several weeks but was
under the assumption that they were corrected.  I have sent information
on my DNS settings directly to Jake for okcca.net.  I will not include
that information here but if anyone desires to see that information also
please let me know.



Hi,

Your DNS, at least for resolving your domain, is correct.

Jake should have tried

telnet 204.87.111.225 smtp (or 25)

which works just fine.

telnet 204.87.111.225 smtp
Trying 204.87.111.225...
Connected to dellapp02.occa.state.ok.us (204.87.111.225).
Escape character is '^]'.
220 dellapp02.occa.state.ok.us ESMTP
quit
221 dellapp02.occa.state.ok.us
Connection closed by foreign host.

As for your other problems, I don't have anything more to offer over my 
first response.


Regards,

Rick


Re: Earthlink emails

2006-09-28 Thread Ramprasad
On Tue, 2006-09-26 at 21:28 -0700, jdow wrote:
> Before you blame Earthlink note that it has NOT gone through Earthlink
> servers.
> 
> relay2.corp.good-sam.com is the receiving email server.
> 
> It's a forged email, at a guess. (It also has mangled headers. Newlines
> are missing. MAYBE it would do better if you sent it plain text. HTML
> tends to mangle things.
> {^_^}

Nobody would blame earthlink for the mail , But Most of the spams to my
clients come from earthlink.net.( sometimes as high as 20% of spams
Yahoo comes in next with ~10% )

 I have written to them several times that their domain is being forged
heavily by spammers but they refuse to take any action 

Apparently they have removed SPF records after publishing them once.
Thats a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids
whenever there is a spam attack on my servers 


Thanks
Ram



Re: sa-learn and "Caught" spams

2006-09-28 Thread Mike Woods

Why not simply turn off autolearning?  Then you can feed everything to
sa-learn and not worry about it.


Feeding everything through sa-learn again and again would take huge
amounts of time, if i take the spam folders of me and one of the
directors there are over 100,000 messages so learning them just the once
seems to make some sense to me :D

---
Mike Woods
Systems Administrator





RE: Spamassassin headers

2006-09-28 Thread KimSorensen



Email Lists-2 wrote:
> 
> 
> Kim
> 
> Please forgive, I had my email client set wrong and it didn't wrap your
> .cf
> file in the email so... it was uncommented. My fault.
> 
> Interesting though... maybe you just didn't stop and restart the service?
> 
> :-)
> 
>  -rh
> 
> --
> Robert - Abba Communications
>Computer & Internet Services
>  (509) 624-7159 - www.abbacomm.net
> 
> 
> 

Thanks for your replies :)

spamassassin -D --lint shows no fails
I did a reboot of the whole OS.
My amavisd conf looks like this: $sa_spam_subject_tag = 'SPAM '; 

Still my tags are wrong :(

Anyone have an example of an amavisd conf file with non-default tags?





-- 
View this message in context: 
http://www.nabble.com/Spamassassin-headers-tf2338119.html#a6542581
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Setting up DKIM and DomainKeys mail signing and verification

2006-09-28 Thread Henrik Ostergaard

Thanks for a splendid howto!

I do however have a small problem:
My users submit their messages for relaying on port 25 like normal incoming
messages - meaning that they will be verified before they are signed,
causing the verification to fail. If I set up the DNS record to enforce
signing, this will most probably be a problem - otherwise I just have an
annoying 'verification failed' header field.

Is there a way to skip verification for authorized users/users in
mynetworks? Or could the verification be performed AFTER the signing (as
only mails from trusted users are sent through signing anyway)?

Regards

Henrik Østergaard

-- 
View this message in context: 
http://www.nabble.com/Setting-up-DKIM-and-DomainKeys-mail-signing-and-verification-tf2259401.html#a6541418
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.