Allow User Rules
I am currently using 3.1.3 and I am having a problem with the allow_user_rules. I have it as the line in my local.cf, and my users have .spamassassin in their home dir. Each has its own user_prefs with their required_score, but my system required_score is overriding them. How can I get that working? www.britishscifiexchange.com www.magigames.net
Re: Percentage of email that is spam after filtering?
Marc Perkel wrote:
> Kelly Jones wrote:
> > I know that most (90%+) email sent now is spam, but what are the numbers for people who use spam filtering? I realize it varies by user, sensitivity to false positives, tools used, etc, but do people who use spam filtering find that only 10% of the messages they receive are spam? 25%? 50%? higher?
> >
> > I'd like something quasi-official if possible, so I can tell my bosses: according to this report, even with diligent spam filtering, xx% of the email people receive is still spam. If fewer than xx% of your email is spam, we're ahead of the curve.
>
> Well, I'm in the spam filtering business and it varies greatly per domain. I have a few domains that only 1 in 10,000 messages are good. But those with the worst spam tend to need my services more.

I'm not in the spam filtering business - I just maintain about 40 domains on 10 different servers, and run basic filtering on each.

At a guess (if anything, it'll be a low guess, because I'm not going to overestimate), I manage to block, delete, or mark approximately 70% of the spam that attempts to get into my servers.

33,104 emails entered into the server (approximately 2000 a day are blocked immediately with rblsmtpd - it varies day by day, this last 30 hours it was only 1,600) in the last 17 days. (adding those in, it was probably about 65,000 spams)

Of those 33104, 22311 were marked or deleted as spam, and another 227 were zapped by ClamAV. Thus, from the original, we know we've tagged 67% of the incoming email as spam. If you add in the immediately blocked emails (of which, I've received zero false positive reports, and zero reports of 'didn't get my email' - and this company complains CONSTANTLY about any email issues), then the percentage of emails blocked/marked is 83.9% of total incoming.

Mind you, that means that I'm missing a lot of spam - of those 11,000 emails that were left, probably half to three quarters were spam, but that's a lot better than they would see if they were with just about any other mail provider. (most hosting companies are CRAP for filtering). Bookworm Computing
Re: Percentage of email that is spam after filtering?
Kelly Jones wrote:
> I know that most (90%+) email sent now is spam, but what are the numbers for people who use spam filtering? I realize it varies by user, sensitivity to false positives, tools used, etc, but do people who use spam filtering find that only 10% of the messages they receive are spam? 25%? 50%? higher?
>
> I'd like something quasi-official if possible, so I can tell my bosses: according to this report, even with diligent spam filtering, xx% of the email people receive is still spam. If fewer than xx% of your email is spam, we're ahead of the curve.

Well, I'm in the spam filtering business and it varies greatly per domain. I have a few domains that only 1 in 10,000 messages are good. But those with the worst spam tend to need my services more.
Percentage of email that is spam after filtering?
I know that most (90%+) email sent now is spam, but what are the numbers for people who use spam filtering? I realize it varies by user, sensitivity to false positives, tools used, etc, but do people who use spam filtering find that only 10% of the messages they receive are spam? 25%? 50%? higher? I'd like something quasi-official if possible, so I can tell my bosses: according to this report, even with diligent spam filtering, xx% of the email people receive is still spam. If fewer than xx% of your email is spam, we're ahead of the curve.
RE: R: pyzor server address
From: Chris Purves [mailto:[EMAIL PROTECTED]
> Giampaolo Tomassoni wrote:
> >
> > b) leave the servers file as is, lower the pyzor's timeout and increase the maximum retries:
> > I've been told that many short-time attempts are better than a single, long-lasting,
> > one. So, in your local.cf, try using something like:
> >
> > use_pyzor 1
> > pyzor_timeout 3
> > pyzor_max 10
> >
>
> pyzor_max is the number of reports on the pyzor server required to get a
> positive match, not number of retries. It seems to be poorly named.

Oh, my! That's why it was so difficult for me to see a pyzor score...

Thanks Chris. I was probably misled by a post of Hein's in the pyzor list: he asserted that "few retries with a shorter timeout are more effective than a single longer timeout". I probably presumed that there had to be a retry max count in the pyzor conf and didn't even read the perldoc...

Thanks again,

giampaolo

> --
> Chris
Re: R: pyzor server address
Giampaolo Tomassoni wrote:
> b) leave the servers file as is, lower the pyzor's timeout and increase the maximum retries: I've been told that many short-time attempts are better than a single, long-lasting, one. So, in your local.cf, try using something like:
>
> use_pyzor 1
> pyzor_timeout 3
> pyzor_max 10

pyzor_max is the number of reports on the pyzor server required to get a positive match, not number of retries. It seems to be poorly named.

-- Chris
Re: getting "and" operator work
vertito wrote:
> /[\s']((mountain.*clouds)|(clouds.*mountain))[\s',-]/i
>
> great, the above works on making "mountain" and "clouds" both true.
>
> does the below differ from the above?
>
> /\bmountain\b|\bclouds\b/i

Absolutely. That second string is an OR operation. It will match mountain, OR clouds, and requires a "word boundary" at the beginning and end. You need a whitespace, punctuation mark, or end/beginning of string. ie: it won't match "cloudspray" or "airmountain", but will match "mountain, " or "-clouds".

It's actually quite similar to how your CF_BAD_SUBJ12 would work if you removed the errant \ in front of the |. However, there are some subtle differences in what boundaries this rule will accept. It requires a specific set of possible boundaries, and isn't zero-width so it won't match anything starting with "mountain" or "clouds".

Really in regexes there is no such thing as an AND operation. It's just not something natural to do in a regex. So in the first chunk, John faked an And. What you really have is two expressions that are ORed together. (mountain.*clouds) will match anything containing mountain, followed by clouds, with any number of characters in between them (.*). (clouds.*mountain) will look for clouds first. By ORing the two together, you've got the equivalent of an AND, because it will match anything containing both words, no matter which order they come in.
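Added example, not part of any post in this thread: the three patterns quoted above run against constructed subject lines, so the escaped-pipe, OR and faked-AND behaviours can be compared side by side. It goes one step beyond the thread by adding a lookahead-based AND (`lookahead_and`, an assumption of this example) that uses zero-width word boundaries; Python's `re` is used because these particular patterns behave the same there as in Perl.

```python
import re

# The three patterns quoted in the thread, compiled case-insensitively (Perl's /i).
PATTERNS = {
    # Original CF_BAD_SUBJ12: "\|" is a literal pipe, so this wants "mountain|clouds".
    "escaped_pipe": re.compile(r"[\s']mountain\|clouds[\s',-]", re.I),
    # Plain OR with zero-width word boundaries.
    "word_or": re.compile(r"\bmountain\b|\bclouds\b", re.I),
    # AND faked by ORing both orderings, with consuming boundary classes.
    "faked_and": re.compile(
        r"[\s']((mountain.*clouds)|(clouds.*mountain))[\s',-]", re.I),
    # Added here, not from the thread: AND via two lookaheads anchored at the
    # start, so order does not matter and the boundaries are zero-width.
    "lookahead_and": re.compile(r"^(?=.*\bmountain\b)(?=.*\bclouds\b)", re.I),
}

# Constructed sample subjects (not taken from real mail).
SUBJECTS = [
    "Re: mountain view, clouds rolling in",      # both words, mid-string
    "mountain and clouds",                       # both words at the string edges
    "the mountaineers saw thunderclouds today",  # substrings only
    "buy mountain|clouds now",                   # literal pipe between the words
    "Clouds over the lake",                      # one word only
]


def classify(subject):
    """Return {pattern name: True/False} for one subject line."""
    return {name: bool(rx.search(subject)) for name, rx in PATTERNS.items()}


def report(subjects=SUBJECTS):
    """Build one text line per subject listing the patterns that matched."""
    lines = []
    for subject in subjects:
        hits = [name for name, hit in classify(subject).items() if hit]
        lines.append(f"{subject!r}: {', '.join(hits) or 'no match'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The second and third subjects show the two weaknesses of the faked AND: its consuming `[\s']` and `[\s',-]` classes miss words at the very start or end of the string, and without word boundaries it matches inside longer words.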
RE: getting "and" operator work
/[\s']((mountain.*clouds)|(clouds.*mountain))[\s',-]/i

great, the above works on making "mountain" and "clouds" both true.

does the below differ from the above?

/\bmountain\b|\bclouds\b/i

thanks in advance.

-Original Message-
From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Friday, November 24, 2006 9:33 PM
To: vertito
Cc: users@spamassassin.apache.org
Subject: Re: getting "and" operator work

vertito wrote:
> header CF_BAD_SUBJ12 Subject =~ /[\s']mountain\|clouds[\s',-]/i
> score CF_BAD_SUBJ12 8.0
> describe CF_BAD_SUBJ12 Drug spam
>
> with the above example, how do you make a subject rule with the words
>
> mountain
>
> AND (operator)
>
> clouds
>
> in a way if both words exist in a subject line without case sensitive, it will be tagged as spam with high score of 8.
>
> mountain\|clouds = does this mean, one of two words is true (OR operator) makes a score of 8?
>
> how to do this with "AND" operator?

First of all, having the \ in there means you're not looking for "mountain" OR "clouds". It means you're looking for "mountain" followed by "|" followed by "clouds". The backslash makes the next character a literal instead of an operator.

For AND, you want something like this:

/[\s']((mountain.*clouds)|(clouds.*mountain))[\s',-]/i

(or you may want something other than ".*" between the two instances)
Re: razor-agent.log being placed in root directory - solved
Gary V wrote: Gary V wrote: I noticed today that razor-agent.log is placed in the root directory. I have --helper-home-dir=/etc/spamassassin/helper-home-dir set as a spamd option, but the log is not being written to there. How can I fix this problem? Thanks. -- Chris This may be an indication there is no razor-agent.conf. Assuming root owns the log file, as root, run 'razor-admin -create' twice in a row. The log should move to the /root/.razor directory (the home directory of whatever user runs the command). To prevent logging for user 'root', edit /root/.razor/razor-agent.conf and change debuglevel to 0. To control logging on a site wide basis, you could copy /root/.razor/razor-agent.conf to /etc/razor/razor-agent.conf. If other users use razor, you should run 'razor-admin -create' twice as those users too. If you report spam to the razor servers, then you also need to run 'razor-admin register'. Thanks, everyone for your suggestions, but it still doesn't make sense. My setup is that spamd is run by root, and spamc is called by the user to whom mail is being delivered. For this reason I don't want .razor directories created for every user. From 'man spamd': -H directory, --helper-home-dir=directory Specify that external programs such as Razor, DCC, and Pyzor should have a HOME environment variable set to a specific directory. The default is to use the HOME environment variable setting from the shell running spamd. By specifying no argument, spamd will use the spamc caller's home directory instead. Setting this should set the razor home directory when using spamc. My spamd options are: --max-children=3 --helper-home-dir=/etc/spamassassin/helper-home-dir -s /var/log/spamassassin/spamd.log -x -Q This setup works for pyzor, because if I remove all the files from helper-home-dir and restart spamd, a .pyzor directory will be created. It seems to me that spamd is not properly setting the razor home environment. 
-- Chris The problem: Razor-Log: Computed razorhome from env: /etc/spamassassin/helper-home-dir/.razor Razor-Log: No razorhome found, using all defaults After creating the /root/.razor files, copy the .razor directory to the helper home. cp -r /root/.razor/ /etc/spamassassin/helper-home-dir/ Okay, this is what finally fixed it. I didn't actually copy the directory, but instead created an empty .razor directory. When I restarted spamd, it created razor-agent.log server.c101.cloudmark.com.conf servers.catalogue.lst servers.discovery.lst servers.nomination.lst in that directory. I thought that razor would create the .razor directory itself, but it wouldn't do that. I actually ran 'razor-admin -create -home=/etc/spamassassin/helper-home-dir' earlier, but without the .razor as you suggested in your other mail. Thanks again for the help. -- Chris
Re: razor-agent.log being placed in root directory
Gary V wrote: Gary V wrote: I noticed today that razor-agent.log is placed in the root directory. I have --helper-home-dir=/etc/spamassassin/helper-home-dir set as a spamd option, but the log is not being written to there. How can I fix this problem? Thanks. -- Chris This may be an indication there is no razor-agent.conf. Assuming root owns the log file, as root, run 'razor-admin -create' twice in a row. The log should move to the /root/.razor directory (the home directory of whatever user runs the command). To prevent logging for user 'root', edit /root/.razor/razor-agent.conf and change debuglevel to 0. To control logging on a site wide basis, you could copy /root/.razor/razor-agent.conf to /etc/razor/razor-agent.conf. If other users use razor, you should run 'razor-admin -create' twice as those users too. If you report spam to the razor servers, then you also need to run 'razor-admin register'. Thanks, everyone for your suggestions, but it still doesn't make sense. My setup is that spamd is run by root, and spamc is called by the user to whom mail is being delivered. For this reason I don't want .razor directories created for every user. From 'man spamd': -H directory, --helper-home-dir=directory Specify that external programs such as Razor, DCC, and Pyzor should have a HOME environment variable set to a specific directory. The default is to use the HOME environment variable setting from the shell running spamd. By specifying no argument, spamd will use the spamc caller's home directory instead. Setting this should set the razor home directory when using spamc. My spamd options are: --max-children=3 --helper-home-dir=/etc/spamassassin/helper-home-dir -s /var/log/spamassassin/spamd.log -x -Q This setup works for pyzor, because if I remove all the files from helper-home-dir and restart spamd, a .pyzor directory will be created. It seems to me that spamd is not properly setting the razor home environment. 
-- Chris The problem: Razor-Log: Computed razorhome from env: /etc/spamassassin/helper-home-dir/.razor Razor-Log: No razorhome found, using all defaults Hi Gary, I appreciate the help. I increased the debuglevel from 3 to 10 in /etc/razor/razor-agent.conf, then reading from /razor-agent.log I see: Nov 24 14:28:52.764664 check[6495]: [ 5] computed razorhome=, conf=/etc/razor/razor-agent.conf, ident=identity So, it looks to me that spamd is not passing the home environment variable to razor. -- Chris
Re: razor-agent.log being placed in root directory
After creating the /root/.razor files, copy the .razor directory to the helper home.

cp -r /root/.razor/ /etc/spamassassin/helper-home-dir/

Note that this is functionally equivalent to:

razor-admin -create -home=/etc/spamassassin/helper-home-dir/.razor

Gary V
Who wants my spam - seriously!
As you all know I'm in the spam blocking business and looking to share my information with others to help them block spam for everyone. I'm currently feeding my spam to several people now. So - looking to expand this now that I feel like I'm not losing the spam battle anymore. (Thanks to FuzzyOCR and other new tricks).

So - let me describe my setup. I actually do most of my spam filtering with Exim rules. Using Exim I can identify a huge amount of both spam and ham without having to use SA, which is expensive resource wise. However SA is still very important to my setup as it gets whatever I can't get using Exim rules.

I do front end filtering for about 3000 domains. Mail comes in, I clean it, and forward it onto the destination server. In the process I reject millions of spams a day. But what I'm doing is capturing some of the spam and feeding it to others who provide blacklist services to everyone else. This seems to be working well and I want to expand it.

What I have is several feeds depending on what kind of spam you are looking for. One feed is mostly from virus infected zombies suitable for blacklisting the server. Another feed is spam that I have determined using SA that often comes from servers like gmail, yahoo, comcast and hotmail. This feed isn't suitable for IP based blacklists but is good for mining URI blacklists and message fingerprinting.

One thing I'm doing is just bouncing the easy stuff. If the server is already listed at spamhaus I don't see any reason to forward it. Much of this spam is from servers not already listed on the other high quality lists. So this is "new" spam. Perhaps the recently infected or exploited and not easily trapped.

The volume of spam is about 200,000 messages per day. I also enhance the headers storing the sending host's IP address in a separate header for blacklist mining. There are also headers giving detailed information as to why the message was classified as spam.

So - here's the deal.
If you are running a service where you provide a world accessible black list to the general public then I want to give you this feed for free. Many of you are better at processing this than I am. If you are running a commercial spam filtering service for your customers only then I want to sell you the feed for a reasonable cost. No feed is 100% perfect. But the IP based zombie feed is very close. The other spam feed is also very good too but will have more FPs than the first list. I don't send all my spam, just the stuff that has a very high score. You are welcome to do your own checking to verify the feed. I am also able to extract specific parts like just lists of IP addresses that should be blocked. And I'm open to suggestions about how to better provide data. Feedback welcome.
Re: razor-agent.log being placed in root directory
Gary V wrote: I noticed today that razor-agent.log is placed in the root directory. I have --helper-home-dir=/etc/spamassassin/helper-home-dir set as a spamd option, but the log is not being written to there. How can I fix this problem? Thanks. -- Chris This may be an indication there is no razor-agent.conf. Assuming root owns the log file, as root, run 'razor-admin -create' twice in a row. The log should move to the /root/.razor directory (the home directory of whatever user runs the command). To prevent logging for user 'root', edit /root/.razor/razor-agent.conf and change debuglevel to 0. To control logging on a site wide basis, you could copy /root/.razor/razor-agent.conf to /etc/razor/razor-agent.conf. If other users use razor, you should run 'razor-admin -create' twice as those users too. If you report spam to the razor servers, then you also need to run 'razor-admin register'. Thanks, everyone for your suggestions, but it still doesn't make sense. My setup is that spamd is run by root, and spamc is called by the user to whom mail is being delivered. For this reason I don't want .razor directories created for every user. From 'man spamd': -H directory, --helper-home-dir=directory Specify that external programs such as Razor, DCC, and Pyzor should have a HOME environment variable set to a specific directory. The default is to use the HOME environment variable setting from the shell running spamd. By specifying no argument, spamd will use the spamc caller's home directory instead. Setting this should set the razor home directory when using spamc. My spamd options are: --max-children=3 --helper-home-dir=/etc/spamassassin/helper-home-dir -s /var/log/spamassassin/spamd.log -x -Q This setup works for pyzor, because if I remove all the files from helper-home-dir and restart spamd, a .pyzor directory will be created. It seems to me that spamd is not properly setting the razor home environment. 
-- Chris The problem: Razor-Log: Computed razorhome from env: /etc/spamassassin/helper-home-dir/.razor Razor-Log: No razorhome found, using all defaults After creating the /root/.razor files, copy the .razor directory to the helper home. cp -r /root/.razor/ /etc/spamassassin/helper-home-dir/ This will at least give some readable files. I can't advise you on security issues, so I'll let you determine if the directory and files should be writable. You can place razor-agent.conf there also (provided you delete /etc/razor/razor-agent.conf), or you can use /etc/razor/razor-agent.conf instead. You can debug razor by starting up spamd in non-daemon mode and use the '-D razor2' argument. Then use spamc from another terminal session. I only tried it with one normal user, you should probably try it with several. Gary V
Re: getting "and" operator work
vertito wrote:
> header CF_BAD_SUBJ12 Subject =~ /[\s']mountain\|clouds[\s',-]/i
> score CF_BAD_SUBJ12 8.0
> describe CF_BAD_SUBJ12 Drug spam
>
> with the above example, how do you make a subject rule with the words
>
> mountain
>
> AND (operator)
>
> clouds
>
> in a way if both words exist in a subject line without case sensitive, it will be tagged as spam with high score of 8.
>
> mountain\|clouds = does this mean, one of two words is true (OR operator) makes a score of 8?
>
> how to do this with "AND" operator?

First of all, having the \ in there means you're not looking for "mountain" OR "clouds". It means you're looking for "mountain" followed by "|" followed by "clouds". The backslash makes the next character a literal instead of an operator.

For AND, you want something like this:

/[\s']((mountain.*clouds)|(clouds.*mountain))[\s',-]/i

(or you may want something other than ".*" between the two instances)
getting "and" operator work
header CF_BAD_SUBJ12 Subject =~ /[\s']mountain\|clouds[\s',-]/i
score CF_BAD_SUBJ12 8.0
describe CF_BAD_SUBJ12 Drug spam

with the above example, how do you make a subject rule with the words

mountain

AND (operator)

clouds

in a way if both words exist in a subject line without case sensitive, it will be tagged as spam with high score of 8.

mountain\|clouds = does this mean, one of two words is true (OR operator) makes a score of 8?

how to do this with "AND" operator?
Re: Bayes - Autoexpiry, bayes_seen, and bayes_tok
It's not "fixed", it's only hack-fixed. There is no real expiry of bayes_seen, nor the AWL, in SA 3.1.x. It's now safe to delete bayes_seen, you won't corrupt your whole bayes DB if you do that. That's the only fix I know of that's been applied.

See http://issues.apache.org/SpamAssassin/show_bug.cgi?id=2975

From the bottom:

'We need to do something, but a full seen expiry system isn't going to happen for 3.1.'

'I still like the idea of just letting bayes_seen be optional. If people want to trim it, let them delete the file and have it be recreated. IIRC, the only place that's an issue is when going r/o w/ the DB where it requires the file right now.'

Jason Frisvold wrote:
> No takers on this? Have I hit upon a FAQ question? I swear I looked
> and searched and I didn't find suitable answers...
>
> On 11/23/06, Jason Frisvold <[EMAIL PROTECTED]> wrote:
>> Greetings,
>>
>> Just a few quick questions. First, I noticed that prior to 3.1.0
>> bayes_seen was not auto expiring. That bug is marked as fixed, so is
>> it safe to say that bayes_seen is now expiring automatically and that
>> a 20+ meg bayes_seen file is valid?
>>
>> Next, the bayes_tok database is over 3 Gig at this point. I'd like to
>> cut that down a bit as the machine is having considerable trouble
>> dealing with it. So I have a few questions concerning this.
>>
>> First, can I modify the expiry time, causing an earlier expiration?
>> If so, what are the consequences of such an action?
>>
>> Second, does the autoexpire run for every instance of spamassassin?
>> ie, does it run every time a message is processed? If not, how does
>> it determine when to run it? Would it be better to disable auto
>> expire and create a cron job that runs later in the evening to deal
>> with auto expire?
>>
>> I noticed in the wiki that when forcing an expire, you should stop
>> spamassassin first. Is this strictly necessary? What are the
>> consequences of not doing this?
>>
>> Any other suggestions for increasing the speed of the database?
>>
>> Thanks!
>>
>> --
>> Jason 'XenoPhage' Frisvold
>> [EMAIL PROTECTED]
Re: postgres database
Tom Allison wrote:
> Rick Macdougall wrote:
> > Tom Allison wrote:
> > > I was reading through the man pages about the use of a database for the storage of bayesian tokens. Is this a list that is global to the mail server, or something that is distinct for each user of that mail server? In other words -- will I have the exact same bayesian history in my token library as my myspace living teenagers, or will this be separated by user?
> >
> > Hi,
> >
> > Up to you really and the interface to SA that you use.
> >
> > Regards,
> > Rick
>
> I didn't see it in the perldocs. Can you identify the parameter setting and/or the specific package that I would have to manipulate? I am not able to have per-user configuration files.

To set up SQL for Bayes look at:
/usr/share/doc/spamassassin/sql
or
http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeBayes

To set site-wide bayes with sql, either:
1. Always call spamc or spamassassin with the same user
2. set 'bayes_sql_override_username' in local.cf (from perldoc Mail::SpamAssassin::Conf)
3. perhaps a different way that's not obvious to me

Also, per-user configuration files are a separate issue from Bayes. You could set up per-user Bayes with sql and still have site-wide configuration.

-- Chris
Re: postgres database
Rick Macdougall wrote:
> Tom Allison wrote:
> > I was reading through the man pages about the use of a database for the storage of bayesian tokens. Is this a list that is global to the mail server, or something that is distinct for each user of that mail server? In other words -- will I have the exact same bayesian history in my token library as my myspace living teenagers, or will this be separated by user?
>
> Hi,
>
> Up to you really and the interface to SA that you use.
>
> Regards,
> Rick

I didn't see it in the perldocs. Can you identify the parameter setting and/or the specific package that I would have to manipulate? I am not able to have per-user configuration files.
Re: postgres database
Tom Allison wrote:
> I was reading through the man pages about the use of a database for the storage of bayesian tokens. Is this a list that is global to the mail server, or something that is distinct for each user of that mail server? In other words -- will I have the exact same bayesian history in my token library as my myspace living teenagers, or will this be separated by user?

Hi,

Up to you really and the interface to SA that you use.

Regards,
Rick
Re: Bayes - Autoexpiry, bayes_seen, and bayes_tok
No takers on this? Have I hit upon a FAQ question? I swear I looked and searched and I didn't find suitable answers...

On 11/23/06, Jason Frisvold <[EMAIL PROTECTED]> wrote:
> Greetings,
>
> Just a few quick questions. First, I noticed that prior to 3.1.0 bayes_seen was not auto expiring. That bug is marked as fixed, so is it safe to say that bayes_seen is now expiring automatically and that a 20+ meg bayes_seen file is valid?
>
> Next, the bayes_tok database is over 3 Gig at this point. I'd like to cut that down a bit as the machine is having considerable trouble dealing with it. So I have a few questions concerning this.
>
> First, can I modify the expiry time, causing an earlier expiration? If so, what are the consequences of such an action?
>
> Second, does the autoexpire run for every instance of spamassassin? ie, does it run every time a message is processed? If not, how does it determine when to run it? Would it be better to disable auto expire and create a cron job that runs later in the evening to deal with auto expire?
>
> I noticed in the wiki that when forcing an expire, you should stop spamassassin first. Is this strictly necessary? What are the consequences of not doing this?
>
> Any other suggestions for increasing the speed of the database?
>
> Thanks!
>
> --
> Jason 'XenoPhage' Frisvold
> [EMAIL PROTECTED]

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
postgres database
I was reading through the man pages about the use of a database for the storage of bayesian tokens. Is this a list that is global to the mail server, or something that is distinct for each user of that mail server? In other words -- will I have the exact same bayesian history in my token library as my myspace living teenagers, or will this be separated by user?
Re: razor-agent.log being placed in root directory
Gary V wrote: I noticed today that razor-agent.log is placed in the root directory. I have --helper-home-dir=/etc/spamassassin/helper-home-dir set as a spamd option, but the log is not being written to there. How can I fix this problem? Thanks. -- Chris This may be an indication there is no razor-agent.conf. Assuming root owns the log file, as root, run 'razor-admin -create' twice in a row. The log should move to the /root/.razor directory (the home directory of whatever user runs the command). To prevent logging for user 'root', edit /root/.razor/razor-agent.conf and change debuglevel to 0. To control logging on a site wide basis, you could copy /root/.razor/razor-agent.conf to /etc/razor/razor-agent.conf. If other users use razor, you should run 'razor-admin -create' twice as those users too. If you report spam to the razor servers, then you also need to run 'razor-admin register'. Thanks, everyone for your suggestions, but it still doesn't make sense. My setup is that spamd is run by root, and spamc is called by the user to whom mail is being delivered. For this reason I don't want .razor directories created for every user. From 'man spamd': -H directory, --helper-home-dir=directory Specify that external programs such as Razor, DCC, and Pyzor should have a HOME environment variable set to a specific directory. The default is to use the HOME environment variable setting from the shell running spamd. By specifying no argument, spamd will use the spamc caller's home directory instead. Setting this should set the razor home directory when using spamc. My spamd options are: --max-children=3 --helper-home-dir=/etc/spamassassin/helper-home-dir -s /var/log/spamassassin/spamd.log -x -Q This setup works for pyzor, because if I remove all the files from helper-home-dir and restart spamd, a .pyzor directory will be created. It seems to me that spamd is not properly setting the razor home environment. -- Chris
Re: Newbie Question
Andrew Sykes wrote:
> Matt,
>
> Thank you, that makes things a lot clearer, is there any way to utilise
> forwarded messages or is it a lost cause?

In general, no... In some situations you can make use of how a particular mail client does its forwarding, but you'd need to really look at what the specific mail client does.

Another option is to have them forward the message as an attachment, and have a script strip off the attachment and feed that to sa-learn.. however, not all clients do forward as attachment.
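Added example, not part of the post above: one way the "strip off the attachment and feed that to sa-learn" script could look. It pulls each message/rfc822 attachment out of a forwarded mail and returns the original message bytes with its own headers intact. The sample mail is constructed, the function names are this example's own, and `learn_as_spam` assumes `sa-learn` is on PATH and reads the message from standard input.

```python
import email
import subprocess
from email import policy

# Constructed sample: a user forwards a spam "as attachment" to a report address.
SAMPLE_FORWARD = b"""\
From: user@example.org
To: spam-report@example.org
Subject: Fwd: Cheap meds
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Forwarded as attachment.
--outer
Content-Type: message/rfc822
Content-Disposition: attachment

Received: from host.example.net (host.example.net [192.0.2.10])
\tby mx.example.org; Fri, 24 Nov 2006 10:00:00 +0000
From: sender@example.net
Subject: Cheap meds
MIME-Version: 1.0
Content-Type: text/plain

Buy now.
--outer--
"""


def attached_originals(msg):
    """Return the messages attached as message/rfc822, outermost level only.

    Recursion stops at each attached message, so a forward nested inside an
    attached original is not returned a second time on its own.
    """
    if msg.get_content_type() == "message/rfc822":
        return [msg.get_payload(0)]
    found = []
    if msg.is_multipart():
        for part in msg.iter_parts():
            found.extend(attached_originals(part))
    return found


def extract_originals(raw_forward):
    """Parse a forwarded mail and return each attached original as bytes."""
    wrapper = email.message_from_bytes(raw_forward, policy=policy.default)
    return [original.as_bytes() for original in attached_originals(wrapper)]


def learn_as_spam(raw_original):
    """Pipe one original message to sa-learn (assumption: reads from stdin)."""
    proc = subprocess.run(["sa-learn", "--spam"], input=raw_original, check=False)
    return proc.returncode


if __name__ == "__main__":
    for raw in extract_originals(SAMPLE_FORWARD):
        # Show what would be learned; call learn_as_spam(raw) on a real system.
        print(raw.decode("ascii", "replace"))
```

An inline forward has no message/rfc822 part, so `extract_originals` returns an empty list for it and nothing is learned from the forwarder's own headers.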
Re: sa-learn treating spam as ham
Patrick Sherrill wrote:
> Sorry, last email was a poor example. Try this one.
>
> Before sa-learn:
>
> X-Spam-Status: No, score=4.201 required=4.9 tests=[BAYES_50=0.001,
> HELO_DYNAMIC_IPADDR=4.2]
>
> After sa-learn:
>
> X-Spam-Status: No, score=-0.2 required=4.8 tests=BAYES_40
> autolearn=ham version=3.1.0
>
> The difference in required score is conf differences between SA and
> Amavis-new.
>
> Pat...

Yes indeed.. are you sure both are using the same bayes database?
RE: RBL checks and -lastexternal
If you're using sendmail, you can blacklist using cn.countries.nerd.dk at the sendmail level, and use See http://blue-labs.org/howto/access_hints.php for tips on how to use sendmail's access file to whitelist senders (and recipients) who might otherwise be blocked by rbls. Connect:your.friend.cn OK (or their mail server's IP) in /etc/mail/access to override the rbl. See http://blue-labs.org/howto/access_hints.php for the details.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -Original Message-
> From: Matt Hampton [mailto:[EMAIL PROTECTED]
> Sent: 24 November 2006 10:27
> To: Jeremy Fairbrass
> Cc: users@spamassassin.apache.org
> Subject: Re: RBL checks and -lastexternal
>
> Jeremy Fairbrass wrote:
> > I want to block all emails that come from an IP in China (where the IP is
> > the one connecting to me), *BUT* I want to exclude a particular server in
> > China that is used by a friend who I trust, for example. How could I do
> > that?
>
> Do you manage the MTA? If you do this would be an ideal case for using
> the zz.countries.nerd.dk as a RBL and then whitelist the server at MTA
> level.
>
> > Well, I guess I could make a meta rule that combines my
> > zz.countries.nerd.dk rules with something else that prevents those rules
> > from working if the trusted IP is found within the Received header or
> > something - but that would be fiddly, and would be a nuisance if I had a
> > whole bunch of IPs that I wanted to whitelist. It would obviously be much
> > easier if I could simply trust/exclude from testing all the IPs listed in
> > trusted_networks.
>
> matt
Re: Newbie Question
Matt, Thank you, that makes things a lot clearer, is there any way to utilise forwarded messages or is it a lost cause? Thanks Andrew On Fri, 2006-11-24 at 10:22 -0500, Matt Kettler wrote: > Andrew Sykes wrote: > > Hi, > > > > I'm writing some code to integrate SpamAssassin with Apache JAMES. > > > > I want to setup an address to allow me to pipe spam into sa-learn. I > > have a prototype of this working fine, but would like to allow various > > webmail client users to be able to forward spam messages to this > > address. > > > > As I have very limited understanding of how SA works, I don't want to > > end up blocking the forwarding addresses. > > > > If I whitelist the forwarding addresses, can I then simply pipe a > > forwarded spam from that address into sa-learn or is there more to it? > > > > There's MUCH more to it.. In fact, whitelisting won't really affect what > sa-learn does at all. > > Generally speaking, forwarded messages are mostly useless to sa-learn. > Exactly how useless depends a bit on the mail client.. > > SA tokenizes MANY mail headers, including Received:, not just From: and > To. All the headers in a forwarded message are completely new, thus the > sa-learn process will be learning the headers generated by forwarding, > and not spam. > > SA also tokenizes the body of the message. However, most mail clients > substantially modify the body of the message when you forward. > Generally speaking they only preserve one of the mime sections in a > multipart/alternative message. Spammers FREQUENTLY have text/plain > sections which are dissimilar from the text/html. By forwarding you're > loosing all but one mime section (generally text/html is kept). > > On top of this, most mail clients also insert "Forwarded message:" type > text into the body, and add Fwd: to the subject. > > SA also tokenizes the in-body mime headers describing how the message > was encoded. 
However, when you forward, the mail client doing the > forward re-encodes things its own way. What might have been base64 > encoded may now be quoted-printable, 8 bit, or 7 bit. > > So, fundamentally, as far as bayes is concerned the forwarded message is > a completely different message than the original spam. > > You can try this sometime by taking an original spam, and a forwarded > version of it and feed them both to spamassassin or sa-learn with "-D > bayes" added. This will cause the debug output to list all the tokens > used. Take a look at the tokens. .some are the same, but many are different. > > > > > > > -- Kind Regards Andrew Sykes <[EMAIL PROTECTED]> Sykes Development Ltd http://www.sykesdevelopment.com
Re: sa-learn treating spam as ham
Patrick Sherrill wrote:
> Sorry, last email was a poor example. Try this one.
>
> Before sa-learn:
>
> X-Spam-Status: No, score=4.201 required=4.9 tests=[BAYES_50=0.001, HELO_DYNAMIC_IPADDR=4.2]
>
> After sa-learn:
>
> X-Spam-Status: No, score=-0.2 required=4.8 tests=BAYES_40 autolearn=ham version=3.1.0
>
> The difference in required score is conf differences between SA and Amavis-new.

I'm confused. First, why are the lines different? What's this tests=[BAYES_50=0.001,HELO_DYNAMIC_IPADDR=4.2] thing? And why does 1 line have autolearn= and the other doesn't have any autolearn? The top is not a standard SA header while the bottom one is.

And also, if autolearn ignores the bayes_ scores, and BAYES_40 is the only test listed, then the message score should be 0.0 from what the autolearner sees. Is the default autolearn threshold for ham 0.0? God I hope not. I've set my ham autolearn threshold to -0.5 to avoid this. You may want to also.

Regardless, there is something weird going on and it doesn't have anything to do with sa-learn.

-Jim
Re: sa-learn treating spam as ham
Sorry, last email was a poor example. Try this one. Before sa-learn: X-Spam-Status: No, score=4.201 required=4.9 tests=[BAYES_50=0.001, HELO_DYNAMIC_IPADDR=4.2] After sa-learn: X-Spam-Status: No, score=-0.2 required=4.8 tests=BAYES_40 autolearn=ham version=3.1.0 The difference in required score is conf differences between SA and Amavis-new. Pat... - Original Message - From: "Matt Kettler" <[EMAIL PROTECTED]> To: "Patrick Sherrill" <[EMAIL PROTECTED]> Cc: Sent: Friday, November 24, 2006 9:15 AM Subject: Re: sa-learn treating spam as ham Patrick Sherrill wrote: 'sa-learn --spam addspam' seems to add the sender to AWL and mark the message as ham. Any clues on what I may be doing incorrectly? (SA 3.1.0) sa-learn doesn't add the message to the AWL... however *EVERY* message you receive is added to it. That said, being in the AWL doesn't mean it's whitelisted The AWL isn't a whitelist, but has some whitelist and blacklist behaviors. It's really a history-tracking score averager. Can you post and X-Spam-Status the message got when it was received, and one after it was sa-learned? Pat... [EMAIL PROTECTED] CocoNet Corporation SW Florida's First ISP
Re: sa-learn treating spam as ham
Before sa-learn: X-Spam-Status: No, score=-0.74 required=4.9 tests=[BAYES_20=-0.74] After sa-learn: X-Spam-Status: No, score=-0.7 required=4.8 tests=BAYES_20 autolearn=ham version=3.1.0 Pat - Original Message - From: "Matt Kettler" <[EMAIL PROTECTED]> To: "Patrick Sherrill" <[EMAIL PROTECTED]> Cc: Sent: Friday, November 24, 2006 9:15 AM Subject: Re: sa-learn treating spam as ham Patrick Sherrill wrote: 'sa-learn --spam addspam' seems to add the sender to AWL and mark the message as ham. Any clues on what I may be doing incorrectly? (SA 3.1.0) sa-learn doesn't add the message to the AWL... however *EVERY* message you receive is added to it. That said, being in the AWL doesn't mean it's whitelisted The AWL isn't a whitelist, but has some whitelist and blacklist behaviors. It's really a history-tracking score averager. Can you post and X-Spam-Status the message got when it was received, and one after it was sa-learned? Pat... [EMAIL PROTECTED] CocoNet Corporation SW Florida's First ISP
Re: Newbie Question
Andrew Sykes wrote:
> Hi,
>
> I'm writing some code to integrate SpamAssassin with Apache JAMES.
>
> I want to setup an address to allow me to pipe spam into sa-learn. I
> have a prototype of this working fine, but would like to allow various
> webmail client users to be able to forward spam messages to this
> address.
>
> As I have very limited understanding of how SA works, I don't want to
> end up blocking the forwarding addresses.
>
> If I whitelist the forwarding addresses, can I then simply pipe a
> forwarded spam from that address into sa-learn or is there more to it?
>

There's MUCH more to it.. In fact, whitelisting won't really affect what sa-learn does at all.

Generally speaking, forwarded messages are mostly useless to sa-learn. Exactly how useless depends a bit on the mail client..

SA tokenizes MANY mail headers, including Received:, not just From: and To. All the headers in a forwarded message are completely new, thus the sa-learn process will be learning the headers generated by forwarding, and not spam.

SA also tokenizes the body of the message. However, most mail clients substantially modify the body of the message when you forward. Generally speaking they only preserve one of the mime sections in a multipart/alternative message. Spammers FREQUENTLY have text/plain sections which are dissimilar from the text/html. By forwarding you're losing all but one mime section (generally text/html is kept).

On top of this, most mail clients also insert "Forwarded message:" type text into the body, and add Fwd: to the subject.

SA also tokenizes the in-body mime headers describing how the message was encoded. However, when you forward, the mail client doing the forward re-encodes things its own way. What might have been base64 encoded may now be quoted-printable, 8 bit, or 7 bit.

So, fundamentally, as far as bayes is concerned the forwarded message is a completely different message than the original spam.

You can try this sometime by taking an original spam, and a forwarded version of it and feed them both to spamassassin or sa-learn with "-D bayes" added. This will cause the debug output to list all the tokens used. Take a look at the tokens. Some are the same, but many are different.
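The comparison suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that builds a constructed spam and a constructed forward of it, then diffs their tokens. The `tokens()` function is a simplified stand-in and is not SpamAssassin's Bayes tokenizer; all addresses, hosts and message text are made-up sample data.

```python
import re
from email.message import EmailMessage


def build_original():
    """Constructed sample spam: multipart/alternative with dissimilar parts."""
    msg = EmailMessage()
    msg["Received"] = "from dsl-host.example.net (203.0.113.7) by mx.example.org"
    msg["From"] = "Deals <promo@bulk.example.net>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Cheap replica watches"
    # text/plain filler that does not match the HTML payload
    msg.set_content("weather report garden harvest season", cte="base64")
    msg.add_alternative(
        "<html><body>cheap replica watches discount</body></html>",
        subtype="html", cte="base64")
    return msg


def build_forwarded(original):
    """Constructed forward: new headers, HTML part only, re-encoded body."""
    html = original.get_body(preferencelist=("html",)).get_content()
    fwd = EmailMessage()
    fwd["Received"] = "from webmail.example.org (198.51.100.20) by mx.example.org"
    fwd["From"] = "User <user@example.org>"
    fwd["To"] = "spam-report@example.org"
    fwd["Subject"] = "Fwd: " + str(original["Subject"])
    fwd.set_content("<p>Forwarded message:</p>" + html,
                    subtype="html", cte="quoted-printable")
    return fwd


def tokens(msg):
    """Simplified stand-in tokenizer (an assumption, NOT SpamAssassin's):
    header words, per-part MIME type and encoding, and body words."""
    toks = set()
    for name in ("Received", "From", "To", "Subject"):
        for word in re.findall(r"[A-Za-z0-9.@-]+", str(msg.get(name, ""))):
            toks.add(f"H{name}:{word.lower()}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        toks.add("MIME:type=" + part.get_content_type())
        toks.add("MIME:cte=" + str(part.get("Content-Transfer-Encoding", "7bit")))
        text = re.sub(r"<[^>]+>", " ", part.get_content())  # drop HTML tags
        toks.update(w.lower() for w in re.findall(r"[A-Za-z]{3,}", text))
    return toks


def compare(original, forwarded):
    """Return tokens shared by both, lost in forwarding, and added by it."""
    a, b = tokens(original), tokens(forwarded)
    return {"shared": a & b, "lost": a - b, "new": b - a}


if __name__ == "__main__":
    spam = build_original()
    result = compare(spam, build_forwarded(spam))
    for key in ("shared", "lost", "new"):
        print(f"{key} ({len(result[key])}):", ", ".join(sorted(result[key])))
```

For real mail, the "-D bayes" debug output mentioned in the reply shows the tokens SpamAssassin itself extracts.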
RE: razor-agent.log being placed in root directory
> I noticed today that razor-agent.log is placed in the root directory. I have --helper-home-dir=/etc/spamassassin/helper-home-dir set as a spamd option, but the log is not being written to there. How can I fix this problem?
>
> Thanks.
>
> --
> Chris

This may be an indication there is no razor-agent.conf. Assuming root owns the log file, as root, run 'razor-admin -create' twice in a row. The log should move to the /root/.razor directory (the home directory of whatever user runs the command). To prevent logging for user 'root', edit /root/.razor/razor-agent.conf and change debuglevel to 0. To control logging on a site wide basis, you could copy /root/.razor/razor-agent.conf to /etc/razor/razor-agent.conf. If other users use razor, you should run 'razor-admin -create' twice as those users too. If you report spam to the razor servers, then you also need to run 'razor-admin register'.

Gary V
Newbie Question
Hi, I'm writing some code to integrate SpamAssassin with Apache JAMES. I want to setup an address to allow me to pipe spam into sa-learn. I have a prototype of this working fine, but would like to allow various webmail client users to be able to forward spam messages to this address. As I have very limited understanding of how SA works, I don't want to end up blocking the forwarding addresses. If I whitelist the forwarding addresses, can I then simply pipe a forwarded spam from that address into sa-learn or is there more to it? Thanks a lot for your help. -- Kind Regards Andrew Sykes <[EMAIL PROTECTED]> Sykes Development Ltd http://www.sykesdevelopment.com
Re: sa-learn treating spam as ham
Patrick Sherrill wrote:
> 'sa-learn --spam addspam' seems to add the sender to AWL and mark the
> message as ham. Any clues on what I may be doing incorrectly? (SA 3.1.0)

sa-learn doesn't add the message to the AWL... however *EVERY* message you receive is added to it.

That said, being in the AWL doesn't mean it's whitelisted. The AWL isn't a whitelist, but has some whitelist and blacklist behaviors. It's really a history-tracking score averager.

Can you post an X-Spam-Status the message got when it was received, and one after it was sa-learned?

> Pat...
> [EMAIL PROTECTED]
> CocoNet Corporation
> SW Florida's First ISP
sa-learn treating spam as ham
'sa-learn --spam addspam' seems to add the sender to AWL and mark the message as ham. Any clues on what I may be doing incorrectly? (SA 3.1.0) Pat... [EMAIL PROTECTED] CocoNet Corporation SW Florida's First ISP
Passing on spam bounces to sa-learn
Is there anyone who has a working scenario where double bounces are stripped from the two bounce messages (thus containing only the original spam message) and fed to sa-learn? These got tagged as spam the first time they arrived on the server, but since they double bounced, I wanna put them in the bayes database as well! Any ideas?

Best regards
--
Kim Christensen
"How embarrassing - a house full of condiments and no food"
Re: [solved] connection attempt to spamd aborted after 3 retries
forget about it...

I modified the source code in line:

#define MAX_CONNECT_RETRIES 3

to

#define MAX_CONNECT_RETRIES 30

And recompiled spamc binary... Works fine now...

Rejaine Monteiro wrote:
> Sometimes, I get these errors:
>
> Nov 24 10:26:44 server spamc[31357]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
> Nov 24 10:26:45 server spamc[31357]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
> Nov 24 10:26:46 server spamc[31357]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
> Nov 24 10:26:47 server spamc[31357]: connection attempt to spamd aborted after 3 retries
>
> But how can I increase attempts to connect to spamd at 127.0.0.1 to more than 3 times (20 times for example)? This would give time to a software monitor (like Nagios or MON) to solve the problem.
>
> Thanks...
trouble with rules_du_jour
I am running amavisd 2.44 chrooted on OpenBSD 4.0. I am running rules_du_jour.sh and even though I specify my SA_DIR (inside /etc/rulesdujour/config) as /var/amavisd/etc/mail/spamassassin I keep getting errors because I have score modifications for non-existent rules inside /etc/mail/spamassassin/local.cf. When I comment them out the errors do not appear. Why is it reading that file?
RE: razor-agent.log being placed in root directory
I believe razor log files and config go into the homedir of the user running spamassassin. For me, I run SA as user spamassassin and that user's homedir is /var/lib/spamassassin. There is a .razor dir there, where all the files are.

-Sietse

From: Chris Purves
Sent: Fri 24-Nov-06 0:50
To: users@spamassassin.apache.org
Subject: razor-agent.log being placed in root directory

I noticed today that razor-agent.log is placed in the root directory. I have --helper-home-dir=/etc/spamassassin/helper-home-dir set as a spamd option, but the log is not being written to there. How can I fix this problem?

Thanks.

--
Chris
connection attempt to spamd aborted after 3 retries
Sometimes, I get these errors:

Nov 24 10:26:44 server spamc[31357]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Nov 24 10:26:45 server spamc[31357]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Nov 24 10:26:46 server spamc[31357]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
Nov 24 10:26:47 server spamc[31357]: connection attempt to spamd aborted after 3 retries

But how can I increase attempts to connect to spamd at 127.0.0.1 to more than 3 times (20 times for example)? This would give time to a software monitor (like Nagios or MON) to solve the problem.

Thanks...
Re: RBL checks and -lastexternal
Yeah I do manage the MTA, but I do still want to pass those emails to SpamAssassin for checking - I just don't want SA to run the DNSBL tests against those whitelisted IPs, but I do still want SA to run all its other tests against the email, as it might still be spam anyway. All I could do at the MTA level, is tell the MTA not to pass the email over to SA at all, which is not what I want.

Another example might be: say I wanted to add the server of my ISP to trusted_networks. The server doesn't generate spam itself, but it could possibly still have spam passing through it to me from elsewhere. This fits within the description of the correct usage of trusted_networks at http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html: "A trusted host could conceivably relay spam, but will not originate it, and will not forge header data." And at the same time, I want to exclude that server from the DNSBL tests, including the nerd.dk ones I run. Having the server added to trusted_networks means that most of the DNSBL tests won't be run against the server's IP, but the -lastexternal tests still will be.

I wish there were some way of completely whitelisting an IP (at SA level) from all DNSBL tests, regardless of -lastexternal etc. I wonder if such functionality will be possible with SA 3.20?

As a side note, I think a number of other SA rules could also fire on ham in the above scenario - eg. there are some rules in SA that look for a HELO name with no dots in it within X-Spam-Relays-Untrusted, such as the __HELO_NO_DOMAIN rule. If I were to (for example) add my ISP's server to trusted_networks, and another customer of that ISP sent an email to me through the ISP's server, most likely this rule (__HELO_NO_DOMAIN) would fire if that other user's computer used a single-word machine name with no dots in it - know what I mean? And that would cause an FP.
Likewise with many of the rules in 20_fake_helo_tests.cf which also search for certain strings within X-Spam-Relays-Untrusted, and could conceivably hit on ham emails passed from an end-user to his own server which I might have added to trusted_networks. Right? Wouldn't it be better, therefore, to have those rules in 20_fake_helo_tests.cf (and also the __HELO_NO_DOMAIN rule) use X-Spam-Relays-External instead of X-Spam-Relays-Untrusted?? - Jeremy "Matt Hampton" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Jeremy Fairbrass wrote: >> I want to block all emails that come from an IP in China (where the IP is >> the one connecting to me), *BUT* I want to exclude a particular server in >> China that is used by a friend who I trust, for example. How could I do >> that? > > Do you managed the MTA? If you do this would be an ideal case for using > the zz.countries.nerd.dk as a RBL and then whitelist the server at MTA > level. > > Well, I guess I could make a meta rule that combines my >> zz.countries.nerd.dk rules with something else that prevents those rules >> from working if the trusted IP is found within the Received header or >> something - but that would be fiddly, and would be a nuisance if I had a >> whole bunch of IPs that I wanted to whitelist. It would obviously be much >> easier if I could simply trust/exclude from testing all the IPs listed in >> trusted_networks. > > > matt >
Re: RBL checks and -lastexternal
Jeremy Fairbrass wrote: > I want to block all emails that come from an IP in China (where the IP is > the one connecting to me), *BUT* I want to exclude a particular server in > China that is used by a friend who I trust, for example. How could I do > that? Do you managed the MTA? If you do this would be an ideal case for using the zz.countries.nerd.dk as a RBL and then whitelist the server at MTA level. Well, I guess I could make a meta rule that combines my > zz.countries.nerd.dk rules with something else that prevents those rules > from working if the trusted IP is found within the Received header or > something - but that would be fiddly, and would be a nuisance if I had a > whole bunch of IPs that I wanted to whitelist. It would obviously be much > easier if I could simply trust/exclude from testing all the IPs listed in > trusted_networks. matt
BayesStore/SQL.pm
What is $self->_userid in seen_put() and the like? The uid of the process running SpamAssassin (i.e.: amavis) or the message destinating user?

If the first, how can I get the message destinating user from subclasses of BayesStore/SQL.pm? I mean, in many SQL.pm functions it seems to me that the context about the message under process is not available. I would need to get the destinating mailbox (thereby the destinating user). Is there any way to obtain this?

Thanks,
---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
MAI inviare una e-mail a: NEVER send an e-mail to: [EMAIL PROTECTED]
Re: translation help please
On 24.11.2006 at 04:22, Chris wrote:
> This was tossed into my spam folder tonight but it was during my NANAS report run. I'm not sure if it's a reply from abuse@ or just a spam:

Neither. It's instructions on how to use the website galeon.com configuring the browser to work with cookies, etc.

Charlie
--
Charlie Clark
Helmholtzstr. 20
Düsseldorf D- 40215
Tel: +49-211-938-5360
GSM: +49-178-782-6226
Re: RBL checks and -lastexternal
Okay, thanks for the explanation. I was hoping to have a way of whitelisting certain servers from all DNSBL tests - but they are servers that are not within my control, not my own local server, and thus inappropriate to add them to internal_networks. And I don't want to remove my own server from trusted_networks as that would have other negative consequences. Basically, I have some custom rulesets that I want to use to check the connecting IP against the zz.countries.nerd.dk countries list. But I don't want to check all of the IPs that the emails have passed through - I only want to check the IP that connected to my own server - hence, I should use -lastexternal, right??! But at the same time, I'd like to have the ability to whitelist certain other servers so that they are not included in this country check. Eg. maybe I want to block all emails that come from an IP in China (where the IP is the one connecting to me), *BUT* I want to exclude a particular server in China that is used by a friend who I trust, for example. How could I do that? Well, I guess I could make a meta rule that combines my zz.countries.nerd.dk rules with something else that prevents those rules from working if the trusted IP is found within the Received header or something - but that would be fiddly, and would be a nuisance if I had a whole bunch of IPs that I wanted to whitelist. It would obviously be much easier if I could simply trust/exclude from testing all the IPs listed in trusted_networks. Any ideas? Cheers, Jeremy "Matt Kettler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Jeremy Fairbrass wrote: >> Hi all, >> It says at >> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#network_test_options >> that when an IP address is added to a 'trusted_networks' entry (eg. in >> local.cf), "DNS blacklist checks will never query for hosts on these >> networks". 
>> >> However, from what I can see (using SA 3.1.5), if I have a check_rbl rule >> and the set name ends with -lastexternal, then SA will still do a DNSBL >> lookup on the "lastexternal" IP address even though that IP address is >> added >> to my trusted_networks. Surely it should not do this? >> >> Is this correct, and is there any way around it, such that any IP address >> added to trusted_networks is NEVER checked by a check_rbl rule, >> regardless >> of whether -lastexternal is used or not? >> > > Technically, that documentation is mistaken, slightly. > > Trusted hosts are immune to MOST DNSBL tests. However in -notfirsthop > and -lastexternal only members of internal_networks are immune. > > If you really need a host to be immune to ALL dnsbl checks, it needs to > be in both. > > If you have a server that you operate and want it to be able to receive > mail from dynamic IPed hosts, make it a member of trusted_networks, but > not a member of internal_networks. This will cause the "lastexternal" > test to apply to the server, not the dynamic hosts, and the server > itself will not be checked against other RBLs. > > > >> Cheers, >> Jeremy