RE: spamd crashing...
-----Original Message-----
From: Rejaine Monteiro [mailto:[EMAIL PROTECTED]
Sent: Monday, 27 November 2006 12:03
To: Jeff Funk
Cc: users@spamassassin.apache.org
Subject: Re: spamd crashing...

> What do you use to monitor and restart spamd when it fails? I'm having some crashes too, so I'm using monit to do this. My problems are: the spamd daemon stops working or tcp port 783 is not responding.

Spamd crashing is, seen from the program itself, rather unlikely. A child crashing? Maybe; but the parent? Sounds more like your perl itself is unstable (core-dumping and such; any such indication in your system logs?). I recently saw this posted:

... @INC (@INC contains:
/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.8
/usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi

Never understood why Linux does this anyway (I'm on FreeBSD). Probably because someone thought it might be a cool idea to include stuff from an older installation in the INC path. Never mind that xs stuff compiled for a previous version can seriously destabilize your system. At any rate, I would start looking in this direction first.

My spamd, the old 2.54 I used for ages, and the new 3.0.17, has never ever crashed; and I mean it. The only real reason I think the parent process could potentially crash (not on signal 11) is because the main accept loop might not have an eval around it or some such. But I'm pretty sure they took care of that.

- Mark
Re: Why won't imageinfo.pm work with SA 3.17? - access
On Mon, November 27, 2006 00:04, Michael W Cocke wrote:
> /usr/lib/perl5/vendor_perl/5.8.8
> /usr/lib/perl5/vendor_perl/5.8.7
> /usr/lib/perl5/vendor_perl/5.8.6
> /usr/lib/perl5/vendor_perl/5.8.5
> /usr/lib/perl5/vendor_perl/5.8.4
> /usr/lib/perl5/vendor_perl/5.8.3
> What am I missing?

clean up the perl install so only the latest is working? make sure all perl modules are compiled to the latest perl

on gentoo this is simply using perl-cleaner all

--
This message was sent using 100% recycled spam mails.
Mail Delivery
Hi there, I'm running Fedora core 5 with postfix spamassassin and amavis. The mail is being delivered to the mailbox and not the maildir. Can someone please help me. Thanks Maccie
Re: Why won't imageinfo.pm work with SA 3.17? - access
On Mon, 27 Nov 2006 01:16:42 -0500, you wrote: loadplugin Mail::SpamAssassin::Plugin::ImageInfo ImageInfo.pm That was it, thanks! Mike- -- If you're not confused, you're not trying hard enough. -- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
Re: Mail Delivery
Maccie Roux wrote:
> Hi there, I'm running Fedora core 5 with postfix spamassassin and amavis. The mail is being delivered to the mailbox and not the maildir. Can someone please help me.

Mailbox (the user's Mailbox or Inbox)? or mbox (the format)? maildir (the email format)? You are using a pop3/imap server (courier, cyrus, ...) and the mail is not physically delivered where you expected it to be? I'm not sure if I understood your question right ...? Are you using any additional filter software like procmail, maildrop, ...

> Thanks Maccie

hth MH, a little confused
http://en.wikipedia.org/wiki/Maildir
RE: getting and operator work
so cloudy mountaineers will still be caught by ORing both of the 2 expressions, that would produce an AND expression, is that right? so 2 expressions ORed together will have the same result as a single ANDed expression, right? thanks for all the feedback as the expression is now working with my server rule. appreciated.

-----Original Message-----
From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Monday, November 27, 2006 4:33 AM
To: Matt Kettler
Cc: vertito; users@spamassassin.apache.org
Subject: Re: getting and operator work

Matt Kettler wrote:
> Really in regexes there is no such thing as an AND operation. It's just not something natural to do in a regex.

I would argue, at a deeper level of language/grammar theory, that this isn't true. Instead, AND is implied by concatenation. X.*Y.*Z says X and Y and Z all have to be present. The catch is that an order is implied by the concatenation, where we don't always assume an order to AND and OR operators in other contexts (and the | operator in regex's doesn't impose order, the way concatenation does). Which leads to:

> So in the first chunk, John faked an And. What you really have is two expressions that are ORed together.

The thing that I ORed was the order of the elements, not the ANDing of elements. The ANDing of the elements is a natural consequence of the concatenation. The first chunk says mountain and clouds. The second chunk says clouds and mountain.
Re: getting and operator work
John Rudd wrote:
> Matt Kettler wrote:
>> Really in regexes there is no such thing as an AND operation. It's just not something natural to do in a regex.
>
> I would argue, at a deeper level of language/grammar theory, that this isn't true. Instead, AND is implied by concatenation.

No it's not. Concatenation is order-specific. AND is order non-specific.

> X.*Y.*Z says X and Y and Z all have to be present.

No, it says X and then Y and then Z must all be present in that order

> The catch is that an order is implied by the concatenation,

Agreed

> where we don't always assume an order to AND and OR operators in other contexts (and the | operator in regex's doesn't impose order, the way concatenation does).

Of course we don't assume order in AND and OR operators. By definition these operators are not order specific. Anything else isn't an AND or OR.

> Which leads to:
>> So in the first chunk, John faked an And. What you really have is two expressions that are ORed together.
>
> The thing that I ORed was the order of the elements, not the ANDing of elements.

No, you created an AND equivalent by ORing two concatenations.

> The ANDing of the elements is a natural consequence of the concatenation.

No it's not. Again, concatenation may be andish in nature, but it's order specific. Therefore it is not an AND. period.

> The first chunk says mountain and clouds. The second chunk says clouds and mountain.

No, the first chunk says mountain then clouds the second chunk says clouds then mountain.
Re: Interesting text content in the new spams
[EMAIL PROTECTED] wrote: anybody recall that ELIZA program from ages ago? It would be interesting to see her response to those utterances :) I forwaded the utterances to [EMAIL PROTECTED] and got this: Original Message Subject: Re: Spam utterances Date: Mon, 27 Nov 2006 14:37:03 +0100 From: Eliza [EMAIL PROTECTED] To: Jonas Eckerman [EMAIL PROTECTED] References: [EMAIL PROTECTED] Is something troubling you? I am not interested in names. Jonas Eckerman [EMAIL PROTECTED] wrote: Raquo Areas Bugs. Open total a bug Tracking Support or Requests in Tech Patches. Release archive is raquo of Areas? Framework gd Engine Details Developers Beta Intended Audience. In Create Newscreate Farm Mapcreate or Projectnew am Wantedmy? Statistics currently Browse Most! Of feeds available for this About by or the from. Activity Percentile last week View list of feeds available is. Language a License gnu of. Patches Patch Feature a Request. Details Developers Beta Intended Audience Education Technology. Education Technology or Other Topic English Unix name Registered. Language License gnu? Va Software Ostg Source Group all Rights Reserved or Find. Projectnew Wantedmy Statussite is. Areas in Bugs open total bug Tracking Support. Va Software Ostg Source Group all Rights Reserved or Find. Bug or Tracking Support Requests or Tech Patches am Patch in. Audience or Education Technology Other Topic English Unix. Support in Requests Tech Patches Patch Feature Request. Kolmafia sw Test Automation Framework gd. System of os Written an language of License gnu General Public. License gnu General Public gpl. Create Newscreate is Farm of Mapcreate Projectnew am Wantedmy Statussite Status web! Sprites a Release archive raquo of Areas Bugs? Open total a bug Tracking Support or Requests in Tech Patches. Book Search is Advanced log in Create is. Va Software Ostg Source Group in all Rights. Latest a News new or Graphics and Sprites Release archive. Va Software Ostg Source Group in all Rights. 
Intended Audience Education. -- Jonas Eckerman, FSDB http://www.fsdb.org/ End Message -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
RE: optional score in local.cf is not working
Hi, I've moved to a new syntax style of amavisd.conf for 2.4.4 version (modified sample file) and now all is working. Restarted amavis and it read the local.cf config now. Best Regards, Leon Kolchinsky -Original Message- From: Mark Martinec [mailto:[EMAIL PROTECTED] Sent: Sunday, November 26, 2006 10:54 PM To: users@spamassassin.apache.org Subject: Re: optional score in local.cf is not working On Sunday November 26 2006 20:25, Matt Kettler wrote: Erm.. are you sure? I thought amavisd-new called SA directly at the API layer, not via spamd... I didn't even realize amavis *could* use spamd, every amavis person I've talked to on the list isn't using it. amavisd-new can't call spamd, there is no configuration option to do so, and no code to support it. spamc/spamd could be used (if desired/needed) by implementing the usual SA standalone setup, and disabling spam checking in amavisd. Mark
Re: Bayes - Autoexpiry, bayes_seen, and bayes_tok
On 11/26/06, Matt Kettler [EMAIL PROTECTED] wrote: Erm.. That's not half old and half new...That's all the same age, because that's an almost completely empty database. It's only got the learning from ONE message in it. There are only 72 tokens, and they're all the same age (oldest and newest atime are the same, therefore all tokens are the same age) Yeah, I understand the output now.. It seems my problems are a tad bigger since I do per-user bayes rather than global bayes... -- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: getting and operator work
vertito wrote:
> so cloudy mountaineers will still be caught by ORing both of the 2 expressions, that would produce an AND expression, is that right?

/[\s']((mountain.*clouds)|(clouds.*mountain))[\s',-]/i

will NOT match cloudy mountaineers. It will fail because of the [\s',-] at the end which REQUIRES a space, comma, dash or single quote. It would match cloudy mountain.

/((mountain.*clouds)|(clouds.*mountain))/i

WILL match cloudy mountaineers.. There are no restrictions on what characters come before or after the expression.

> so 2 expressions ORed together will have the same result as a single ANDed expression, right?

You can create the equivalent of an AND by ORing together two of the right expressions, yes.

a AND b can be expressed as: (a THEN b) OR (b THEN a).

a.*b will match a followed by b, with any number of any kind of character in between. It's half of an AND, in that it requires both to be present, but is order-specific in nature. If you want to match either order, you'd need to OR together a.*b and b.*a. Hence:

/(a.*b)|(b.*a)/

The [\s',-] or \b's can be added to the beginning and end to force various kinds of word boundaries, if you wish to avoid matching substrings.

I personally prefer \b for normal text. I'd only use something like [\s',-] if I wanted to restrict what kinds of things are a word boundary.. ie: If I wanted to exclude period, colon, and other punctuation other than the ones in the expression. This kind of thing can be useful in a few cases where the kinds of punctuation that can be used are restricted, such as URLs or email addresses, but is not useful in general text processing.
RE: Interesting text content in the new spams
Given that spammers read this list to figure out how to defeat us... Why don't we just secure a copy of ratware and engineer a retro-virus for it? There are plenty of ratware copies floating around. ;) It's not that hard to get good phrases. Spammers can use spamassassin for that! Bayes, and some of the work done with Bayes chains, is really all you need. Just pull out the ham tokens. It still ain't going to help them that much. --Chris
False positives with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL
Hello All,

I see a lot of FP with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL from particular users. This is very strange because a lot of those are coming from users on my server (server with static IP and not a relay server). I've seen this user sending to himself and getting RCVD_IN_DSBL=2.6, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046

Why is this happening? Is it recommended to lower score for these tests? What scores are recommended? Anyone have similar problems?

Here is one such example:

Return-Path: [EMAIL PROTECTED]
Received: from mydomain.ac.il ([unix socket]) by mydomain.ac.il (Cyrus v2.2.3) with LMTP; Mon, 27 Nov 2006 09:56:21 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1]) by mydomain.ac.il (Postfix) with ESMTP id 87CA6129288 for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:21 +0200 (IST)
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: [EMAIL PROTECTED]
X-Quarantine-ID: 3zezHgDJGyFg
X-Spam-Flag: YES
X-Spam-Score: 5.317
X-Spam-Level: *
X-Spam-Status: Yes, score=5.317 tag=-999 tag2=5 kill=5 tests=[AWL=0.119, BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, HTML_90_100=0.113, HTML_MESSAGE=0.001, RCVD_IN_DSBL=2.6, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046]
Received: from mydomain.ac.il ([127.0.0.1]) by localhost (mydomain.ac.il [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3zezHgDJGyFg for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:17 +0200 (IST)
Received: from IBM-707AC13EF89 (unknown [82.166.48.182]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mydomain.ac.il (Postfix) with ESMTP id D17F019F2C for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:13 +0200 (IST)
MIME-Version: 1.0
Message-Id: [EMAIL PROTECTED]
Date: Mon, 27 Nov 2006 09:51:23 +0200 (Jerusalem Daylight Time)
Content-Type: Multipart/related; type=multipart/alternative; boundary=Boundary-00=_NTPDBHK0
X-Mailer: IncrediMail (5002253)
From: Billie Eilam [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
X-FID: EAF615C8-5C8C-11D4-AF90-0050DAC67E11
X-Priority: 3
To: Vidergor [EMAIL PROTECTED]
Subject: RE: Leon Kolchinsky
Problem Adding the X-Spam-Status: header
Hi,

I am unable to figure this for a moment, so a third eye is needed.

After I migrated from 2.64 to 3.1.7, I seem to have lost a very important functionality that I need with SA - adding the X-Spam-Status: header. Believe me, I have RTFMed already the Mail::SpamAssassin::Conf...

From my local.cf, I have the following:

cut
clear_report_template
report Start Spam/Junk Filter results
report Filter analysis score is (_HITS_/_REQD_)
report _SUMMARY_
report Content preview: _PREVIEW_
report End Spam/Junk Filter results

clear_headers
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_ score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

required_score 4.0
rewrite_header subject SPAM: (_HITS_/_REQD_):
report_safe 0
/cut

... but I don't see the header being added. Here is a typical example:

X-Spam-Score: -0.2 (/)
X-Spam-Report: Start Spam/Junk Filter results
Filter analysis score is (-0.2/2.0)
-0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
[score: 0.3295]
End Spam/Junk Filter results

Something is definitely amiss, but I can't spot it!

-Wash

http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

Horse sense is the thing a horse has which keeps it from betting on people. -- W. C. Fields
Re: Interesting text content in the new spams
Chris Santerre writes:
> Given that spammers read this list to figure out how to defeat us... Why don't we just secure a copy of ratware and engineer a retro-virus for it? There are plenty of ratware copies floating around. ;) It's not that hard to get good phrases. Spammers can use spamassassin for that! Bayes, and some of the work done with Bayes chains, is really all you need. Just pull out the ham tokens.

actually SpamAssassin will just give them hex strings instead of readable tokens. They'd have to use bogofilter instead ;)

--j.
RE: False positives with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL
Might be because of this header:

Received: from IBM-707AC13EF89 (unknown [82.166.48.182]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mydomain.ac.il (Postfix) with ESMTP id D17F019F2C for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:13 +0200 (IST)

[EMAIL PROTECTED] root]# nslookup 82.166.48.182
Server: 10.10.21.4
Address:10.10.21.4#53

Non-authoritative answer:
182.48.166.82.in-addr.arpa name = 82-166-48-182.barak-online.net.

Seems to be a DYN IP. That probably hits the SORBS and other black lists. If this IP is one of your users, you'll probably need to add their networks to the all_trusted list.

-Sietse

PS: Please set your text mark-up from left to right. Reading English is very inconvenient in the Arabic right to left. The scroll bar on the left is kind of handy though. :-)

From: Leon Kolchinsky
Sent: Mon 27-Nov-06 16:19
To: users@spamassassin.apache.org
Subject: False positives with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL

Hello All, I see a lot of FP with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL from particular users. This is very strange because a lot of those are coming from users on my server (server with static IP and not a relay server). I've seen this user sending to himself and getting RCVD_IN_DSBL=2.6, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046 Why is this happening? Is it recommended to lower score for these tests? What scores are recommended? Anyone have similar problems?
Here is one such example: - Return-Path: [EMAIL PROTECTED] Received: from mydomain.ac.il ([unix socket]) by mydomain.ac.il (Cyrus v2.2.3) with LMTP; Mon, 27 Nov 2006 09:56:21 +0200 X-Sieve: CMU Sieve 2.2 Received: from localhost (localhost [127.0.0.1]) by mydomain.ac.il (Postfix) with ESMTP id 87CA6129288 for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:21 +0200 (IST) X-Envelope-From: [EMAIL PROTECTED] X-Envelope-To: [EMAIL PROTECTED] X-Quarantine-ID: 3zezHgDJGyFg X-Spam-Flag: YES X-Spam-Score: 5.317 X-Spam-Level: * X-Spam-Status: Yes, score=5.317 tag=-999 tag2=5 kill=5 tests=[AWL=0.119, BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, HTML_90_100=0.113, HTML_MESSAGE=0.001, RCVD_IN_DSBL=2.6, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046] Received: from mydomain.ac.il ([127.0.0.1]) by localhost (mydomain.ac.il [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3zezHgDJGyFg for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:17 +0200 (IST) Received: from IBM-707AC13EF89 (unknown [82.166.48.182]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mydomain.ac.il (Postfix) with ESMTP id D17F019F2C for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:13 +0200 (IST) MIME-Version: 1.0 Message-Id: [EMAIL PROTECTED] Date: Mon, 27 Nov 2006 09:51:23 +0200 (Jerusalem Daylight Time) Content-Type: Multipart/related; type=multipart/alternative; boundary=Boundary-00=_NTPDBHK0 X-Mailer: IncrediMail (5002253) From: Billie Eilam [EMAIL PROTECTED] References: [EMAIL PROTECTED] X-FID: EAF615C8-5C8C-11D4-AF90-0050DAC67E11 X-Priority: 3 To: Vidergor [EMAIL PROTECTED] Subject: RE: Leon Kolchinsky
Re: False positives with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL
Leon,

> I see a lot of FP with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL from particular users. This is very strange because a lot of those are coming from users on my server (server with static IP and not a relay server).

http://wiki.apache.org/spamassassin/TrustPath
http://wiki.apache.org/spamassassin/DynablockIssues
(in particular, search there for: smtpd_sasl_authenticated_header yes)

Mark
Re: Problem Adding the X-Spam-Status: header
Sorry, I seem to have missed one more point. I need to be able to add two headers:

X-Spam-Flag:
X-Spam-Status:

Thanks for bearing with me confused.

* On 27/11/06 18:27 +0300, Wash wrote:
| Hi,
|
| I am unable to figure this for a moment, so a third eye is needed.
|
| After I migrated from 2.64 to 3.1.7, I seem to have lost a very
| important functionality that I need with SA - adding the X-Spam-Status:
| header.
| Believe me, I have RTFMed already the Mail::SpamAssassin::Conf...
|
| From my local.cf, I have the following:
|
| cut
| clear_report_template
| report Start Spam/Junk Filter results
| report Filter analysis score is (_HITS_/_REQD_)
| report _SUMMARY_
| report Content preview: _PREVIEW_
| report End Spam/Junk Filter results
|
| clear_headers
| add_header spam Flag _YESNOCAPS_
| add_header all Status _YESNO_ score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
| add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
|
| required_score 4.0
| rewrite_header subject SPAM: (_HITS_/_REQD_):
| report_safe 0
| /cut
|
| ... but I don't see the header being added. Here is a typical example:
|
| X-Spam-Score: -0.2 (/)
| X-Spam-Report: Start Spam/Junk Filter results
| Filter analysis score is (-0.2/2.0)
| -0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
| [score: 0.3295]
| End Spam/Junk Filter results
|
| Something is definitely amiss, but I can't spot it!

-Wash

http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

... the Mayo Clinic, named after its founder, Dr. Ted Clinic ... -- Dave Barry
RE: Problems running Spam Assassin
Hi,

I changed it to 2 days. I've also setup a script that checks for double bounce emails in the queue and deletes them automatically. The specific EX_TEMPFAIL I was getting was due to quota issues on some accounts. Seems that if the master user for a domain is over quota then any [EMAIL PROTECTED] emails get stuck in the queue rather than rejected. I'm going to make another script that checks for these emails in the queue and notifies me automatically.

Now everything seems to be running smoothly. I've had the [SPAM] added to subjects for over a week now, I'm happy that it's filtering spam and not legit mail. Now I'm having trouble getting it to delete mails marked as spam rather than just add the [SPAM] to the subject. I've added the lines:-

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
almost-certainly-spam

:0:
* ^X-Spam-Status: Yes
probably-spam

To my procmailrc, files containing emails called almost-certainly-spam and probably-spam have appeared in /var/spool/mqueue/, I thought they would have gone in /var/spool/mail? Either way I'm still getting emails coming through with [SPAM] in the subject despite the lines I've added. Not sure what to do now? Please help.

Sietse van Zanen wrote:

These mails stay there for 5 days. At least if you set up sendmail according to RFCs. That's the whole idea of SMTP store and forward. If address is unavailable, keep trying for a while before giving up. You can set the grace time to any period you like btw.

-Sietse

From: CosmicPerl
Sent: Tue 21-Nov-06 16:48
To: users@spamassassin.apache.org
Subject: Re: Problems running Spam Assassin

Hi All,

Ok, I've figured that having define(`confSEPARATE_PROC', `True') in my SendMail config was what was causing the flushing of the mail queue to create such a huge server load as it was spawning a new sendmail, procmail, and spamassassin child for each message in the mqueue. So I've disabled this, but I still cannot figure out why mail aimed at non-existent users is still staying in the message queue and not being rejected?? Any help would be very much appreciated.

CosmicPerl wrote:

Hi, It appears that as I was accepted to the mailing list after making my first post, my post did not hit the list. Here is my original full post below:-

CosmicPerl wrote:

Hi, I installed the latest SpamAssassin on my server. At first all my tests looked good, apart from load. So I setup spamc and spamd and everything seemed great, for a short while at least. A day later my mqueue had about 1500 messages in it, most with the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL. This seems to be coming up if the mailbox is full or the email is to an address that doesn't exist. It seemed that about every hour or so Sendmail was trying to flush out these messages, causing 1000's of processes to be started and making the server freeze up. Despite my Sendmail config having

define(`confMAX_DAEMON_CHILDREN', `12')dnl

In my procmailrc file I have:-

DROPPRIVS=yes
:0fw: spamassassin.lock
* < 256000
| spamc

The SpamAssassin daemon was started with

/usr/bin/spamd -d -u nobody

At some point all mail stopped coming in. When I looked at the maillog file it had lots of lines like:-

mkdir /root/.spamassassin: Permission denied

Which I guess was causing the problem. This wasn't a problem before so I'm not sure why it happened. Any clues?

Basically I need to set things up so that when sendmail tries to flush I don't get my server falling over. Emails that are sent to addresses that don't exist that are currently getting the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL be deleted from the queue automatically. Ideally I'd like to give each different virtual server I have its own possibly spam folder. I'm using Webmin and have a 100 or so Virtual servers so if anyone knows a good automated way of doing this that would be great. Either way I can't have things go down again otherwise I'll lose all my clients!

And SpamAssassin working again. At first it was just marking emails with [spam] in the subject. Then Yesterday It then also started changing the message to an attachment and having Spam detection software, running on the system ns.cosmicsitehosting.com, has identified this incoming email as possible spam... in the message text. I've no idea what was changed so that this started happening. I didn't think I changed anything. Then last night it stopped sending any emails. Please help! Thanks in advance.

Oh by the way my local.cf file contains

required_hits 10
rewrite_header Subject [SPAM]
report_safe 1
use_bayes 1
skip_rbl_checks 1
use_pyzor 1

Can anyone help with this?
Re: Problems running Spam Assassin
Hi,

But I want users to be able to setup config directories. Do I need to start spamd in a different way? Do I need to run it as root, or is that too big a security hole?

> You shouldn't accept mails for invalid addresses, then they won't be in the queue at all.

Sounds great, but how do I do that?

I figured out the report_safe thing.

Thanks in advance.

Theo Van Dinter-2 wrote:
> On Tue, Nov 21, 2006 at 07:21:22AM -0800, CosmicPerl wrote:
>> The SpamAssassin daemon was started with /usr/bin/spamd -d -u nobody At some point all mail stopped coming in. When I looked at the maillog file it had lots of lines like:- mkdir /root/.spamassassin: Permission denied Which I guess was causing the problem. This wasn't a problem before so I'm not sure why it happened. Any clues?
>
> You're telling spamd to run as user nobody, but haven't told it to stop using user config directories. So when mail comes in for root, root calls spamd, spamd can't access root's home dir, and you get the error message.
>
>> Emails that are sent to addresses that don't exist that are currently getting the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL be deleted from the queue automatically.
>
> You shouldn't accept mails for invalid addresses, then they won't be in the queue at all.
>
>> And SpamAssassin working again. At first it was just marking emails with [spam] in the subject. Then Yesterday It then also started changing the message to an attachment and having Spam detection software, running on the system ns.cosmicsitehosting.com, has identified this incoming email as possible spam... in the message text. I've no idea what was changed so that this started happening. I didn't think I changed anything. Then last night it stopped sending any emails.
>
> your config enables report_safe, which causes SA to encapsulate the original message as an attachment.
>
>> Oh by the way my local.cf file contains [...] report_safe 1
>
> --
> Randomly Selected Tagline: She's got a mortgage on my body and a lease on my soul.
SA does not use DB_File [checked for viruses]
Hi!

# sa-learn -D --spam --mbox spam
[...]
[336066] dbg: bayes: DB_File module not installed, cannot use bayes
[336066] dbg: config: score set 1 chosen.
[336066] dbg: learn: initializing learner
[336066] dbg: bayes: bayes journal sync starting
[336066] dbg: bayes: bayes journal sync completed
[336066] dbg: bayes: expiry starting
[336066] dbg: bayes: DB_File module not installed, cannot use bayes
[...]
[336066] dbg: bayes: DB_File module not installed, cannot use bayes
Learned tokens from 0 message(s) (1 message(s) examined)
ERROR: the Bayes learn function returned an error, please re-run with -D for more information

# find / -name DB_File*
/opt/mail/lib/5.8.2/aix-thread-multi/auto/DB_File
/opt/mail/lib/5.8.2/aix-thread-multi/auto/DB_File/DB_File.so
/opt/mail/lib/5.8.2/aix-thread-multi/auto/DB_File/DB_File.bs
/opt/mail/lib/5.8.2/aix-thread-multi/DB_File.pm

# from /opt/mail/bin/spamassassin
my $PREFIX = '/opt/mail';
my $DEF_RULES_DIR = '/opt/mail/share/spamassassin';
my $LOCAL_RULES_DIR = '/etc/opt/mail/spamassassin';
my $LOCAL_STATE_DIR = '/var/opt';
use lib '/opt/mail/lib/site_perl/5.8.2';

# echo $PERL5LIB
/opt/mail/lib:/opt/mail/lib/site_perl/5.8.2:

How can I tell SA to use the installed DB_File?

Hans
RE: Percentage of email that is spam after filtering?
Out of total mail hitting our server 12.99% is legit and delivered. You read correctly, 12.99%!! 65% is rejected at MTA w/ RBLs 21% is caught by Spamassassin and not delivered. 12.99% is legit and delivered. 0.01% is spam that sneaks thru and delivered HTH, Chris Santerre SysAdmin and Spamfighter www.rulesemporium.com www.uribl.com
Re: Percentage of email that is spam after filtering?
Chris Santerre wrote: Out of total mail hitting our server 12.99% is legit and delivered. You read correctly, 12.99%!! 65% is rejected at MTA w/ RBLs I wonder what percentage of this 65% is legit and blocked. 21% is caught by Spamassassin and not delivered. 12.99% is legit and delivered. 0.01% is spam that sneaks thru and delivered HTH, Chris Santerre SysAdmin and Spamfighter www.rulesemporium.com www.uribl.com
Re: getting and operator work
Matt Kettler wrote:
> /((mountain.*clouds)|(clouds.*mountain))/i WILL match cloudy mountaineers.. There are no restrictions on what characters come before or after the expression.

Actually, it won't catch cloudy mountaineers because the expression specifies clouds not cloud nor cloudy. If you want to catch cloudy mountaineers, then the expression should say:

/((mountain.*cloud)|(cloud.*mountain))/i
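The patterns debated in the "getting and operator work" messages above, run over constructed sample strings. This is an added example, not code from any poster: it uses Python's re module in place of Perl (the syntax used is the same in both), the helper names any_order_alternation, all_of, matches and agree are made up for the illustration, and it goes beyond the thread by generalising the two-word case to N words with lookaheads and by showing one input where the two forms disagree.

```python
import re
from itertools import permutations

# Patterns quoted in the thread; Perl's /i becomes re.IGNORECASE.
ANCHORED = re.compile(r"[\s']((mountain.*clouds)|(clouds.*mountain))[\s',-]", re.I)
EITHER_ORDER = re.compile(r"((mountain.*clouds)|(clouds.*mountain))", re.I)
STEM = re.compile(r"((mountain.*cloud)|(cloud.*mountain))", re.I)

# DOTALL is a choice made for this example so that ".*" also spans line breaks.
FLAGS = re.IGNORECASE | re.DOTALL


def any_order_alternation(*words):
    """(a THEN b) OR (b THEN a), generalised: one branch per ordering, n! in total."""
    branches = (".*".join(map(re.escape, order)) for order in permutations(words))
    return re.compile("|".join("(?:%s)" % b for b in branches), FLAGS)


def all_of(*words, whole_words=False):
    """Order-independent AND: one lookahead per word, n in total.

    whole_words wraps each word in \\b, the boundary style preferred in the thread.
    """
    wrap = r"\b%s\b" if whole_words else "%s"
    lookaheads = "".join("(?=.*%s)" % (wrap % re.escape(w)) for w in words)
    return re.compile(r"\A" + lookaheads, FLAGS)


def matches(text):
    """Report which of the patterns above fire on one string."""
    return {
        "anchored": bool(ANCHORED.search(text)),
        "either_order": bool(EITHER_ORDER.search(text)),
        "stem": bool(STEM.search(text)),
        "lookahead_and": bool(all_of("mountain", "clouds").search(text)),
        "lookahead_words": bool(
            all_of("mountain", "cloud", whole_words=True).search(text)
        ),
    }


def agree(words, text):
    """True when the n!-branch alternation and the lookahead AND give the same verdict."""
    alternation = bool(any_order_alternation(*words).search(text))
    lookahead = bool(all_of(*words).search(text))
    return alternation == lookahead


# Constructed sample strings, not taken from real mail.
SAMPLES = [
    "cloudy mountaineers",
    "clouds over the mountain",
    "the mountain, above the clouds, is cold",
    "a cloud hid the mountain",
    "mountain weather report",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        fired = [name for name, hit in matches(sample).items() if hit]
        print("%-45r %s" % (sample, ", ".join(fired) or "-"))
    # The two AND forms differ when the words overlap: the alternation needs
    # two separate occurrences, the lookaheads accept one shared occurrence.
    print("agree on overlap:", agree(("cloud", "clouds"), "clouds"))
```

The alternation grows as n! branches while the lookahead form grows as n, which is the practical reason to prefer lookaheads once more than two words must all be present.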
Re: getting and operator work
Matt Kettler wrote: John Rudd wrote: Matt Kettler wrote: Really in regexes there is no such thing as an AND operation. It's just not something natural to do in a regex. I would argue, at a deeper level of language/grammar theory, that this isn't true. Instead, AND is implied by concatenation. No it's not. Concatenation is order-specific. AND is order non-specific. I'd have to break out a textbook (which means _find_ my textbooks on the material) to continue the discussion meaningfully. I'm just glad anyone at all replied to the question meaningfully :-}
RE: Percentage of email that is spam after filtering?
On Mon, 2006-11-27 at 08:43 -0800, Bret Miller wrote: I'd like something quasi-official if possible, so I can tell my bosses: according to this report, even with diligent spam filtering, xx% of the email people receive is still spam. If fewer than xx% of your email is spam, we're ahead of the curve.

This is typical for us for a single day. This is post MTA/dnsbl blocks, that is, actual messages received. This was also a holiday week so (legitimate) traffic is light. On this particular day, we had one (reported) false-positive (.023% FP rate). Recently, the stock-spams have been slipping through a lot and, in general, have skewed our false-negative ratio up. Nothing reported as a false-negative on this day though.

Spam/Ham
CATEGORY               TOTAL   % of FLT MSGS
--------------------------------------------
Total filtered msgs:    4384
Ham:                    1180   26.92 %
Spam:                   3204   73.08 %
Re: Percentage of email that is spam after filtering?
Jim Maul wrote: Chris Santerre wrote: Out of total mail hitting our server 12.99% is legit and delivered. You read correctly, 12.99%!! According to mrtg, the average across my servers is 85% spam on a good day, 99% on a bad day. Currently we are looking at 86%. It's Monday, lots of business legitimate mail going back and forth. 79% blocked by the MTA 7% more caught by SA 15% delivered (18,324 messages since midnight, we don't spam filter for everyone, we do use MTA rules for everyone) 65% is rejected at MTA w/ RBLs I wonder what percentage of this 65% is legit and blocked. With an average of 200k to 260k messages a day, I have had two clients who could not receive legitimate messages in the last six months. The first client needed a single message, the second client needed three. So in the last six months that makes our average... really small. I'll bet I have 10 times that number of users go pull a message from quarantine because SA hit a FP. DAve 21% is caught by Spamassassin and not delivered. 12.99% is legit and delivered. 0.01% is spam that sneaks thru and delivered HTH, Chris Santerre SysAdmin and Spamfighter www.rulesemporium.com www.uribl.com -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
RE: Percentage of email that is spam after filtering?
-Original Message- From: Jim Maul [mailto:[EMAIL PROTECTED] Sent: Monday, November 27, 2006 12:12 PM To: Chris Santerre Cc: users@spamassassin.apache.org Subject: Re: Percentage of email that is spam after filtering? Chris Santerre wrote: Out of total mail hitting our server 12.99% is legit and delivered. You read correctly, 12.99%!! 65% is rejected at MTA w/ RBLs I wonder what percentage of this 65% is legit and blocked. Really... do we really need to rehash this everytime someone says they use an RBL? Well I can tell you I get maybe 5 a YEAR reported, and I bypass the filter for. Then I inform the vendor/customer of their listing. They are EXTREMELY happy that I told them. Otherwise they would have no clue. 5 mails have to be resent a year, or 65% of all useless mail allowed to come into my system. The math is easy. Thanks, Chris Santerre SysAdmin and Spamfighter www.rulesemporium.com www.uribl.com
Re: Percentage of email that is spam after filtering?
Chris Santerre wrote: -Original Message- From: Jim Maul [mailto:[EMAIL PROTECTED] Sent: Monday, November 27, 2006 12:12 PM To: Chris Santerre Cc: users@spamassassin.apache.org Subject: Re: Percentage of email that is spam after filtering? Chris Santerre wrote: Out of total mail hitting our server 12.99% is legit and delivered. You read correctly, 12.99%!! 65% is rejected at MTA w/ RBLs I wonder what percentage of this 65% is legit and blocked. Really... do we really need to rehash this everytime someone says they use an RBL? Well I can tell you I get maybe 5 a YEAR reported, and I bypass the filter for. Then I inform the vendor/customer of their listing. They are EXTREMELY happy that I told them. Otherwise they would have no clue. 5 mails have to be resent a year, or 65% of all useless mail allowed to come into my system. The math is easy. whoa hey now calm down dont throw the gloves off just yet. I wasnt trying to start a war here, just trying to show the other sides of things. Im sure others here appreciate both sides of the story - especially when there could be unforeseen side affects with harmful consequences. Its all with good intentions, i swear! Jim
Converting bayes DB to MySQL
I'm in the process of converting my Bayes DB setup from in users' home directories (since I'm setting up a separate SpamAssassin server, and accessing Bayes via NFS is causing insane amounts of I/O). After a bunch of fiddling, I have a MySQL server set up properly, tables created, and a spamassassin user set up so I can populate the database. I have 432 users, with about 1.6 GB of Bayes data to import (from sa-learn --backup). I started the import last Friday around 10am, and it's still running (Monday at 1pm), on user 379. My question is this: is this normal? I don't really have any SQL administration experience, so this is all very new to me. For what it's worth, I'm using InnoDB instead of MyISAM tables.
Re: Are these critical errors - when SA starts
On Mon, Nov 27, 2006 at 09:50:11PM +0300, Odhiambo Washington wrote: I have wiped clean my SA install and reinstalled. However, whenever I start spamd, I see the following errors (3.1.7): Those aren't errors, they're informational messages. I can't say anything about the SARE ones, but: Mon Nov 27 21:46:16 2006 [87772] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'PYZOR_CHECK' means you don't have the Pyzor plugin loaded, which is fine, if you're not using Pyzor. -- Randomly Selected Tagline: Lotus won't work, it uses a bunch of db files (Microsoft pre-1998) We reorganized Exchange 2000 to scale by using multiple DB files! (Microsoft in 2000).
How to remove from the list
I finally solved a problem i was having with SpamAssassin and would like to remove myself from the list. how do I go about doing that?
Re: How to remove from the list
On Mon, Nov 27, 2006 at 02:11:22PM -0500, Bradley Walker wrote: I finally solved a problem i was having with SpamAssassin and would like to remove myself from the list. how do I go about doing that? In the headers of every email: list-unsubscribe: mailto:[EMAIL PROTECTED] :) -- Randomly Selected Tagline: Mickey Mouse wears a Dan Quayle watch.
Re: How to remove from the list
At 11:11 AM 11/27/2006, you wrote: I finally solved a problem i was having with SpamAssassin and would like to remove myself from the list. how do I go about doing that? From the headers: list-unsubscribe: mailto:[EMAIL PROTECTED]
What to do about Domain Spoofing
I own a domain name, which has a small webpage attached. It would seem by the flurry of mail delivery reports I'm getting that the domain has been added to one of the current stock pump 'n' dump scams. As I'm concerned about possible blacklisting, what should I do? Is there a good basic guide on what to do out there? (I can't find anything close.)

Here's an example from one recent one:

Received: by ns.worldnetnames.co.uk (Postfix, from userid 1004) id F16408ED59; Mon, 27 Nov 2006 18:45:56 + (GMT)
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on ns.worldnetnames.co.uk
X-Spam-Level: *
X-Spam-Status: Yes, score=9.5 required=5.5 tests=BAYES_99,EXTRA_MPART_TYPE, HTML_IMAGE_ONLY_32,HTML_MESSAGE,RCVD_IN_XBL autolearn=no version=3.1.3
X-Spam-Report:
 * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
 * 1.1 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *     [score: 1.]
 * 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *     [84.36.131.75 listed in sbl-xbl.spamhaus.org]
Received: from iaym (unknown [84.36.131.75]) by ns.worldnetnames.co.uk (Postfix) with SMTP id 2A2A08ECF1 for [EMAIL PROTECTED]; Mon, 27 Nov 2006 18:45:40 + (GMT)
Received: from vsglv ([84.36.86.118]) by iaym with Microsoft SMTPSVC(6.0.3790.211); Fri, 24 Nov 2006 20:48:08 +0200

Should I send email to abuse@ for either the 84.36.86.118 or the 84.36.131.75 domains?

Any help gratefully appreciated.

--
Paul Hurley
http://www.paulhurley.co.uk/
The knack of flying is learning how to throw yourself at the ground and miss. Hitchhikers Guide to the Galaxy
Re: Converting bayes DB to MySQL
Dan Bongert wrote: I'm in the process of converting my Bayes DB setup from in users' home directories (since I'm setting up a separate SpamAssassin server, and accessing Bayes via NFS is causing insane amounts of I/O). After a bunch of fiddling, I have a MySQL server set up properly, tables created, and a spamassassin user set up so I can populate the database. I have 432 users, with about 1.6 GB of Bayes data to import (from sa-learn --backup). I started the import last Friday around 10am, and it's still running (Monday at 1pm), on user 379. My question is this: is this normal? I don't really have any SQL administration experience, so this is all very new to me. For what it's worth, I'm using InnoDB instead of MyISAM tables. That's probably normal, import takes a while with SQL since it's a lot of inserts and updates. Michael
Re: Percentage of email that is spam after filtering?
On Nov 25, 2006, at 7:41 AM, John Tice wrote: spams per week. In the past week I've had two spams get through and one false positive. And the FP almost doesn't count because was borderline spammy and had a forged rcvd. I guess if you must have zero FP for a diverse group then you naturally have to give vermin a lot latitude, but I'd be cracking on the IT department pretty hard. On my personal mail, the amount of spam seeping through the filters is small. On our help desk (which includes our abuse desk) at work, we only do greylisting since obviously any abuse from our network needs to be able to get reported :-( This leads to a *lot* of crap in our abuse@ address, but there is damned little we can do about it, unfortunately. It really depends on circumstances how much you can filter.
Custom Rulset Help
Hi There, I'm slowly getting there with custom rulesets... Would someone be able to check this out and offer any help if I have it incorrect? Email is coming in with the subject Name wrote:, where Name is a person's name. Subject =~ /\b[a-z]+\s+wrote:/i Thanks in advance
Re: Converting bayes DB to MySQL
Michael Parker wrote: Dan Bongert wrote: I'm in the process of converting my Bayes DB setup from in users' home directories (since I'm setting up a separate SpamAssassin server, and accessing Bayes via NFS is causing insane amounts of I/O). After a bunch of fiddling, I have a MySQL server set up properly, tables created, and a spamassassin user set up so I can populate the database. I have 432 users, with about 1.6 GB of Bayes data to import (from sa-learn --backup). I started the import last Friday around 10am, and it's still running (Monday at 1pm), on user 379. My question is this: is this normal? I don't really have any SQL administration experience, so this is all very new to me. For what it's worth, I'm using InnoDB instead of MyISAM tables. That's probably normal, import takes a while with SQL since it's a lot of inserts and updates. That's good--I was hoping this wouldn't be a performance issue once the system goes into production, though I guess we'll see about that.
Re: Custom Rulset Help
Simon wrote: Hi There, I'm slowly getting there with custom rulesets... Would someone be able to check this out and offer any help if I have it incorrect? Email is coming in with the subject Name wrote:, where Name is a person's name. Subject =~ /\b[a-z]+\s+wrote:/i Thanks in advance That'll work, but (assuming you're using SA 3.1.1+) you'll save yourself some effort if you just run sa-update to get the latest rules from the default channel. Daryl
rbl insight and wisdom please
Hopefully this hasn't been rehashed to death on this list yet has there ever been a general consensus as to which rbl's and similar lists are best to use if you are going to engineer your mail systems with such? Anyone care to share their implementations as well as current best and worst practices please? Thanks - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: rbl insight and wisdom please
On Mon, 27 Nov 2006 12:42:40 -0800, R Lists06 [EMAIL PROTECTED] wrote: Hopefully this hasn't been rehashed to death on this list yet has there ever been a general consensus as to which rbl's and similar lists are best to use if you are going to engineer your mail systems with such? Anyone care to share their implementations as well as current best and worst practices please? Thanks - rh Personally I use zen.spamhaus.org and relays.ordb.org - they've worked well for me. Zen used to be sbl-xbl. Others advocate not using any rbls at all. hth Nigel
Re: rbl insight and wisdom please
On Mon, 27 Nov 2006, Quinn Comendant wrote: I'm using the following with qmail's rblsmtpd: -r zen.spamhaus.org -r bl.spamcop.net -r relays.ordb.org -r cbl.abuseat.org Agreed except for spamcop - a lot of people have a low opinion of their trustworthiness as an all-or-nothing RBL. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r --- 28 days until Christmas
permissions for the bayes_*
I am trying to figure out something: When spamd is being run WITHOUT -u johndoe, then presumably, it is running as root, yes? So, who should own the files in --siteconfigpath? Especially those that require modification, like the bayes* and auto_whitelist files?

I am running a setup where spamc is invoked from a global procmailrc for certain users. However, I see in the logs (I am logging spamd activities via syslog rule) the following:

Tue Nov 28 00:01:08 2006 [96179] info: spamd: connection from localhost [127.0.0.1] at port 2537
Tue Nov 28 00:01:08 2006 [96179] info: spamd: setuid to janedoe succeeded
Tue Nov 28 00:01:08 2006 [96179] warn: bayes: failed rename /usr/local/etc/mail/spamassassin/bayes_journal \
    to /usr/local/etc/mail/spamassassin/bayes_journal.old
Tue Nov 28 00:17:43 2006 [59320] info: spamd: connection from localhost [127.0.0.1] at port 4938
Tue Nov 28 00:17:43 2006 [59320] info: spamd: setuid to johndoe succeeded
Tue Nov 28 00:17:43 2006 [59320] info: spamd: processing message [EMAIL PROTECTED] for argus:1575
Tue Nov 28 00:17:45 2006 [59320] warn: bayes: cannot write to /usr/local/etc/mail/spamassassin/bayes_journal, bayes db update ignored: Permission denied

This happens at every instance that spamc is invoked for a user. Here is how the procmail rule invokes spamc:

cut
# PART I - Spam Filter stuff
DROPPRIVS = yes
LOGFILE=/tmp/quarantine_procmail.log_`/bin/date +%Y%m%d`
VERBOSE=on
LOGABSTRACT=all

:0fwE
* 256000
| /usr/local/bin/spamc -u $LOGNAME

:0e
{ EXITCODE=$? }

:0:
* ^X-Spam-Status: Yes
$SPAMFILE
/cut

DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

My theology, briefly, is that the universe was dictated but not signed. -- Christopher Morley
Loads of 'xxx wrote:' Spam
All, I have started to receive a LARGE amount of spam with the subject line of someone's name wrote:. Inside the email is a stock tip with different stocks... Has anyone else seen this? Is there a rule I can use to block this? The names change ALL the time, so it would have to be something dynamic. Does anyone have something I could use? Thanks Steve
Re: permissions for the bayes_*
On Tue, Nov 28, 2006 at 12:23:30AM +0300, Odhiambo Washington wrote: When spamd is being run WITHOUT -u johndoe, then presumably, it is running as root, yes? The parent is, the children run as the user calling spamc. So, who should own the files in --siteconfigpath? Especially those that require modification, like the bayes* and auto_whitelist files? there are, by default, no files in the site config dir that need modification by users. it's all config files. if you're trying to setup a sitewide bayes/awl, then you'll need to have the files writable by everyone, basically. Tue Nov 28 00:01:08 2006 [96179] warn: bayes: failed rename /usr/local/etc/mail/spamassassin/bayes_journal \ to /usr/local/etc/mail/spamassassin/bayes_journal.old I would suggest moving the bayes/awl files to a different directory and granting permission there to the whole dir. you don't want to open your site config dir up to all your users. alternately, use sql. -- Randomly Selected Tagline: Jack- she's two. You could surprise her with a piece of old bread. - From Just Shoot Me
Re: Loads of 'xxx wrote:' Spam
On Mon, Nov 27, 2006 at 01:27:47PM -0800, Steve Berg wrote: I have started to receive a LARGE amount of spam with the subject line of someone's name wrote:. Inside the email is a stock tip with different stocks... Yep. Has anyone else seen this? Is there a rule I can use to block this? The names change ALL the time, so it would have to be something dynamic. Does anyone have something I could use? As has been the suggestion for the past X months, run sa-update. :) -- Randomly Selected Tagline: One of my youngest employees once said `How does it feel managing someone young enough to letch after your daughter?' I replied `How does it feel to make insinuating remarks about the daughter of the guy who writes your annual review?' - Steve Simmons in [EMAIL PROTECTED]
Re: rbl insight and wisdom please
Quinn Comendant wrote: I'm using the following with qmail's rblsmtpd: -r zen.spamhaus.org -r bl.spamcop.net -r relays.ordb.org -r cbl.abuseat.org I believe the abuseat.org list is incorporated into the zen.spamhaus list. At least it was with the sbl-xbl and xbl lists. I do find it very hard to determine if a list is malfunctioning and honest emails are blocked until clients start complaining. It has happened before with me using other blocklists. One idea just popped into my head: you can grep your logs for all IP addresses you trust (mail from the IPs of trusted users and their recipients) and run that list of IPs against an DNSRBL you are considering using. You can test a DNSRBL by reversing an IP and appending the RBL domain, so for 111.122.133.144, you might execute: dig 144.133.122.111.zen.spamhaus.org A | grep -v '^;' And if there is anything returned, the IP is on the list. Quinn On Mon, 27 Nov 2006 12:42:40 -0800, R Lists06 wrote: Hopefully this hasn't been rehashed to death on this list yet has there ever been a general consensus as to which rbl's and similar lists are best to use if you are going to engineer your mail systems with such? Anyone care to share their implementations as well as current best and worst practices please? Thanks - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: permissions for the bayes_*
* On 27/11/06 16:31 -0500, Theo Van Dinter wrote:
| On Tue, Nov 28, 2006 at 12:23:30AM +0300, Odhiambo Washington wrote:
| When spamd is being run WITHOUT -u johndoe, then presumably, it is
| running as root, yes?
|
| The parent is, the children run as the user calling spamc.
|
| So, who should own the files in --siteconfigpath? Especially those that
| require modification, like the bayes* and auto_whitelist files?
|
| there are, by default, no files in the site config dir that need modification
| by users. it's all config files.
|
| if you're trying to setup a sitewide bayes/awl, then you'll need to have the
| files writable by everyone, basically.
|
| Tue Nov 28 00:01:08 2006 [96179] warn: bayes: failed rename /usr/local/etc/mail/spamassassin/bayes_journal \
| to /usr/local/etc/mail/spamassassin/bayes_journal.old
|
| I would suggest moving the bayes/awl files to a different directory and
| granting permission there to the whole dir. you don't want to open your site
| config dir up to all your users.

I get the point now. I've been fighting with this far too long ;)

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

About the time we think we can make ends meet, somebody moves the ends. -- Herbert Hoover
Re: Loads of 'xxx wrote:' Spam
Theo Van Dinter writes: On Mon, Nov 27, 2006 at 01:27:47PM -0800, Steve Berg wrote: I have started to receive a LARGE amount of spam with the subject line of someone's name wrote:. Inside the email is a stock tip with different stocks... Yep. Has anyone else seen this? Is there a rule I can use to block this? The names change ALL the time, so it would have to be something dynamic. Does anyone have something I could use? As has been the suggestion for the past X months, run sa-update. :) we've got to make this a more prominent FAQ somehow... --j.
Re: rbl insight and wisdom please
On Mon, 27 Nov 2006 13:06:58 -0800, Quinn Comendant [EMAIL PROTECTED] wrote: I'm using the following with qmail's rblsmtpd: -r zen.spamhaus.org -r bl.spamcop.net -r relays.ordb.org -r cbl.abuseat.org I do find it very hard to determine if a list is malfunctioning and honest emails are blocked until clients start complaining. It has happened before with me using other blocklists. One idea just popped into my head: you can grep your logs for all IP addresses you trust (mail from the IPs of trusted users and their recipients) and run that list of IPs against an DNSRBL you are considering using. You can test a DNSRBL by reversing an IP and appending the RBL domain, so for 111.122.133.144, you might execute: dig 144.133.122.111.zen.spamhaus.org A | grep -v '^;' And if there is anything returned, the IP is on the list. Quinn On Mon, 27 Nov 2006 12:42:40 -0800, R Lists06 wrote: Hopefully this hasn't been rehashed to death on this list yet has there ever been a general consensus as to which rbl's and similar lists are best to use if you are going to engineer your mail systems with such? Anyone care to share their implementations as well as current best and worst practices please? Thanks - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net Did you know that zen uses cbl anyway? Nigel
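Quinn's idea quoted above (pull the IPs of hosts you trust out of your logs and test each against a DNSRBL you are considering), as an added example that is not part of the original posts. The log lines and resolver answers are constructed, the function names are made up for this sketch, and the resolver is injectable so the logic can be exercised offline; treating answers in 127.255.255.0/24 as error codes rather than listings is an assumption based on Spamhaus's documented return-code convention.

```python
import ipaddress
import re
import socket

# Constructed sample log lines (not from the thread). 192.0.2.x and
# 198.51.100.x are documentation ranges; 111.122.133.144 is the address
# used in the dig example above.
SAMPLE_LOG = """\
Nov 27 12:01:02 mx1 postfix/smtpd[101]: connect from mail.example.org[192.0.2.10]
Nov 27 12:01:09 mx1 postfix/smtpd[102]: connect from unknown[111.122.133.144]
Nov 27 12:02:30 mx1 postfix/smtpd[103]: connect from mail.example.org[192.0.2.10]
Nov 27 12:03:11 mx1 postfix/smtpd[104]: connect from relay.example.net[198.51.100.7]
Nov 27 12:03:40 mx1 postfix/smtpd[105]: connect from bogus[999.1.2.3]
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")  # assumption: Spamhaus error codes


def extract_ips(log_text):
    """Return unique, syntactically valid IPv4 addresses in first-seen order."""
    seen = []
    for candidate in BRACKETED_IP.findall(log_text):
        try:
            ip = str(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.2.3
        if ip not in seen:
            seen.append(ip)
    return seen


def dnsbl_query_name(ip, zone):
    """111.122.133.144 + zen.spamhaus.org -> 144.133.122.111.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """A records for name via the system resolver; [] when nothing resolves.

    With this simple resolver a lookup failure is indistinguishable from
    "not listed", so run it from a host whose DNS is known to work.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def classify(answers):
    """Turn the A records of one DNSBL lookup into a verdict string."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    if not addrs:
        return "not listed"
    if any(a in ERROR_RANGE for a in addrs):
        return "error"        # the list refused or could not serve the query
    if all(a in LISTING_RANGE for a in addrs):
        return "listed"
    return "unexpected"       # a non-127/8 answer is not a DNSBL reply


def check_trusted(ips, zone, resolve=system_resolver):
    """Map each trusted IP to its verdict for one DNSBL zone."""
    return {ip: classify(resolve(dnsbl_query_name(ip, zone))) for ip in ips}


def demo_resolver(name):
    """Constructed answers for the demo; they say nothing about real listings."""
    canned = {
        "144.133.122.111.zen.spamhaus.org": ["127.0.0.4"],
        "7.100.51.198.zen.spamhaus.org": ["127.255.255.254"],
    }
    return canned.get(name, [])


if __name__ == "__main__":
    verdicts = check_trusted(extract_ips(SAMPLE_LOG), "zen.spamhaus.org", demo_resolver)
    for ip, verdict in verdicts.items():
        print(f"{ip:16} {verdict}")
```

Any trusted address that comes back "listed" is mail the list would have rejected, which is the false-positive signal the thread is after; "error" rows mean the test itself needs fixing before the result can be read.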
Re: Loads of 'xxx wrote:' Spam
On Mon, Nov 27, 2006 at 09:48:03PM +, Justin Mason wrote: As has been the suggestion for the past X months, run sa-update. :) we've got to make this a more prominent FAQ somehow... Yeah, I keep coming across people on IRC and such that don't know about sa-update, even though it's been out for months. I suggest we add a section to the next release announcements about it. -- Randomly Selected Tagline: Chutzpah -- Does your BBS take collect calls?
RE: Percentage of email that is spam after filtering?
Like other posters, I don't have real stats on the amount of spam that makes it past the filters, other than my own mailbox. I typically get from 2-3 spam messages per day, on rare occasions, maybe 6-10. We use blacklisting, the SARE rules, ImageInfo, FuzzyOCR and local custom rules. Our overall stats for the last 24 hours are:

                                              Msgs   %total   %after rbl
total incoming messages:                     84620     100%       --
rejected (cbl.abuseat.org, list.dsbl.org):   57624      68%       --
viruses (ClamAV):                              183     0.2%     0.7%
spam (blocked):                              22294      26%      83%
possible spam (sent to user mailbox):          252     0.3%     0.9%
clean (sent to user mailbox):                 1828     2.2%     6.8%

So, bottom line, of all the incoming mail, only 2.5% is actually delivered to a customer mailbox.

-Bill
Bayes - Optimizing the database
Greetings, After struggling a bit with Bayes in general and trying to figure out a way to make things run a bit faster, I've done some serious digging and I want to clarify a few things before I make a mess of my Bayes DB... I have everything currently set up to use a MySQL database. The bayes_token table is about 3GB in size and tends to be the slowest link in the system. (AWL isn't too far behind, but I think I have a viable strategy for dealing with that monster) First, some quick assumptions. Please correct me if I'm wrong. All of the bayes_ tables are directly related via the id field. bayes_token contains the actual tokens for bayesian processing and bayes_seen contains the message ids of messages bayes has already processed for tokens, presumably to reduce cpu usage? I *think* bayes_vars merely contains the magic data used by bayes, and I have no idea what bayes_expire is for. Am I correct thus far? Now, given that, I can directly map my users to an entry in bayes_vars and identify their id. With that, I can purge non-existant users from the system. Simple enough. Now, for other users, can I trust the last_expire field in bayes_vars and formulate something to force-expire at periodic intervals based on that value? I realize that spamc/spamd already expire when necessary, but I think I'd rather run this on a nightly basis during off-peak hours, and serialize it so that only a single user is being expired at a time. Is that a reasonable move to reduce overall cpu usage on the system? Thanks! -- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: Loads of 'xxx wrote:' Spam
Theo Van Dinter wrote: On Mon, Nov 27, 2006 at 09:48:03PM +, Justin Mason wrote: As has been the suggestion for the past X months, run sa-update. :) we've got to make this a more prominent FAQ somehow... Yeah, I keep coming across people on IRC and such that don't know about sa-update, even though it's been out for months. I suggest we add a section to the next release announcements about it. Since its right off the home page and there is a tab for it labeled 'Docs', this would be an excellent place: http://spamassassin.apache.org/doc.html -- Craig
RE: Loads of 'xxx wrote:' Spam
[EMAIL PROTECTED] wrote: Theo Van Dinter writes: On Mon, Nov 27, 2006 at 01:27:47PM -0800, Steve Berg wrote: I have started to receive a LARGE amount of spam with the subject line of someone's name wrote:. Inside the email is a stock tip with different stocks... Yep. Has anyone else seen this? Is there a rule I can use to block this? The names change ALL the time, so it would have to be something dynamic. Does anyone have something I could use? As has been the suggestion for the past X months, run sa-update. :) we've got to make this a more prominent FAQ somehow... Too bad you can't have a sticky thread on a mailing list... :) -- Bowie
RE: Percentage of email that is spam after filtering?
At 02:00 PM Monday, 11/27/2006, Bill Randle wrote -=

Like other posters, I don't have real stats on the amount of spam that makes it past the filters, other than my own mailbox. I typically get from 2-3 spam messages per day, on rare occasions, maybe 6-10. We use blacklisting, the SARE rules, ImageInfo, FuzzyOCR and local custom rules. Our overall stats for the last 24 hours are:

                                              Msgs   %total   %after rbl
total incoming messages:                     84620     100%       --
rejected (cbl.abuseat.org, list.dsbl.org):   57624      68%       --
viruses (ClamAV):                              183     0.2%     0.7%
spam (blocked):                              22294      26%      83%
possible spam (sent to user mailbox):          252     0.3%     0.9%
clean (sent to user mailbox):                 1828     2.2%     6.8%

So, bottom line, of all the incoming mail, only 2.5% is actually delivered to a customer mailbox. -Bill

I thought I was the only one experiencing those numbers: Our overall stats since Sunday 4:00 am:

                                              Msgs   %total   %after rbl
total incoming messages:                      5535     100%       --
rejected (cbl.abuseat.org, list.dsbl.org):    4366      78%       --
Sendmail Reject - Pre-Greeting Traffic:        333       6%       --
viruses (ClamAV):                               23     0.4%     0.5%
spam (blocked):                                401     7.2%     9.1%
clean (sent to user mailbox):                  412     7.4%     9.4%

Ed Kasky
~
Randomly Generated Quote (512 of 521): Whenever you fall, pick something up. --Oswald Avery
RE: Loads of 'xxx wrote:' Spam
On Mon, 27 Nov 2006, Bowie Bailey wrote: As has been the suggestion for the past X months, run sa-update. :) we've got to make this a more prominent FAQ somehow... Too bad you can't have a sticky thread on a mailing list... :) Many mailing list managers allow you to send a greeting message to new subscribers. Perhaps sending a SA FAQ as part of this would be a good idea? Along with a prominent **READ THIS BEFORE POSTING** notice at the very top... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r --- 28 days until Christmas
Re: Problem Adding the X-Spam-Status: header
On Monday 27 November 2006 16:27, Odhiambo Washington wrote: After I migrated from 2.64 to 3.1.7, I seem to have lost a very important functionality that I need with SA - adding the X-Spam-Status: header. Believe me, I have RTFMed already the Mail::SpamAssassin::Conf... From my local.cf, I have the following: [meta-cut] . but I don't see the header being added. Here is a typical example: X-Spam-Score: -0.2 (/) X-Spam-Report: Start Spam/Junk Filter results Filter analysis score is (-0.2/2.0) -0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40% [score: 0.3295] End Spam/Junk Filter results You seem to be running Exim with Exiscan. The add_header options in local.cf are of no consequence - everything is controlled from the ACL configuration. If you want to configure the headers freely from local.cf, use the SA-Exim add-on. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Percentage of email that is spam after filtering?
Ed Kasky wrote: At 02:00 PM Monday, 11/27/2006, Bill Randle wrote -=

Like other posters, I don't have real stats on the amount of spam that makes it past the filters, other than my own mailbox. I typically get from 2-3 spam messages per day, on rare occasions, maybe 6-10. We use blacklisting, the SARE rules, ImageInfo, FuzzyOCR and local custom rules. Our overall stats for the last 24 hours are:

                                              Msgs   %total   %after rbl
total incoming messages:                     84620     100%       --
rejected (cbl.abuseat.org, list.dsbl.org):   57624      68%       --
viruses (ClamAV):                              183     0.2%     0.7%
spam (blocked):                              22294      26%      83%
possible spam (sent to user mailbox):          252     0.3%     0.9%
clean (sent to user mailbox):                 1828     2.2%     6.8%

So, bottom line, of all the incoming mail, only 2.5% is actually delivered to a customer mailbox. -Bill

I thought I was the only one experiencing those numbers: Our overall stats since Sunday 4:00 am:

                                              Msgs   %total   %after rbl
total incoming messages:                      5535     100%       --
rejected (cbl.abuseat.org, list.dsbl.org):    4366      78%       --
Sendmail Reject - Pre-Greeting Traffic:        333       6%       --
viruses (ClamAV):                               23     0.4%     0.5%
spam (blocked):                                401     7.2%     9.1%
clean (sent to user mailbox):                  412     7.4%     9.4%

Similar numbers here since 6am this morning on one of our 4 MX's

Received       88952   100.00%
RBL Reject     61965    69.66%
Clam             167     0.19%
Spam Reject     4911     5.52%
Spam Pass        599     0.67%
Clean          13580    15.27%

Bear in mind that this particular machine is also the outbound MX for another mailserver for Yahoo, AOL, Sympatico, etc for scanning purposes, so the Clean number is going to be a little high. We are also very proactive about infected local users (we're an ISP) so our Clam numbers are a lot lower than say a year ago when we weren't scanning.

Regards, Rick
Re: Percentage of email that is spam after filtering?
Vivek Khera wrote: On my personal mail, the amount of spam seeping through the filters is small. On our help desk (which includes our abuse desk) at work, we only do greylisting since obviously any abuse from our network needs to be able to get reported :-( This leads to a *lot* of crap in our abuse@ address, but there is damned little we can do about it, unfortunately. It really depends on circumstances how much you can filter. FWIW, I've had great success running SA on two role accounts I handle, and another that I support wearing my sysadmin hat - with the tagging threshold set to 8 instead of the default 5. Some spam still slips through, but about the only things that have FPed in the last four years or so were forwarded spam from spamfilter customers. g A bit of procmail before calling SA has pretty much eliminated that for the customers that regularly forward spam, and a periodic scan of the spam folder traces the very rare few others. This is still running with SA2.64, with the SURBL patch. -kgd
Zogby polls ignore SpamAssassin users
I get notifications of new Zogby political polls that head straight to my spam folder. I've tried emailing Zogby about it but have been ignored. Perhaps they don't want the opinions of people who use SA. Here's a typical report:

Content analysis details: (5.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 1.8 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5013]
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.2 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: zogby.com]
 0.0 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
 1.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.3 AWL                    AWL: From: address is in the auto white-list

The first item apparently comes from the first Received header:

Received: from unknown (HELO 64.9.81.21) (64.9.81.19) by mailto.zogby.com with SMTP; 12 Oct 2006 01:28:32 -

Another big score is from Content-type: text/html, but the content is just a big DIV (no DOCTYPE/HTML/BODY wrappers).

Anyone have any suggestions on how to get Zogby to fix their notifications to not be so spammy? Or are SA users destined to be politically under-represented in polls? Of course, maybe this is compensated for by over-representation of savvy SA users who know how to white-list the notifications, leaving less-techno-savvy users under-represented.
1.1 GB of bayes data ... excessive?
My bayes data totals 1.1 GB. Is this okay?

[EMAIL PROTECTED]/0 ~]$du -sk /home/vpopmail/.spamassassin/
1107724 /home/vpopmail/.spamassassin/
[EMAIL PROTECTED]/1 ~]$ll /home/vpopmail/.spamassassin/
total 1107708
drw--- 2 vpopmail vchkpw    28672 Nov 26 04:14 .
drwx-- 9 vpopmail vchkpw     4096 Nov  9 22:35 ..
-rw--- 1 vpopmail vchkpw 42053632 Nov 27 16:40 auto-whitelist
-rw--- 1 vpopmail vchkpw        6 Nov 27 16:40 auto-whitelist.mutex
-rw--- 1 vpopmail vchkpw    33072 Nov 26 04:14 bayes_journal
-rw--- 1 vpopmail vchkpw    80005 Nov 27 16:40 bayes.mutex
-rw--- 1 vpopmail vchkpw 20881408 Nov 26 04:14 bayes_seen
-rw--- 1 vpopmail vchkpw  5074944 Nov 26 04:14 bayes_toks
Re: Problem Adding the X-Spam-Status: header
Magnus Holmgren wrote:

On Monday 27 November 2006 16:27, Odhiambo Washington wrote:

After I migrated from 2.64 to 3.1.7, I seem to have lost a very important functionality that I need with SA - adding the X-Spam-Status: header. Believe me, I have RTFMed already the Mail::SpamAssassin::Conf... From my local.cf, I have the following: [meta-cut] . but I don't see the header being added. Here is a typical example:

X-Spam-Score: -0.2 (/)
X-Spam-Report: Start Spam/Junk Filter results
 Filter analysis score is (-0.2/2.0)
 -0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40% [score: 0.3295]
 End Spam/Junk Filter results

You seem to be running Exim with Exiscan. The add_header options in local.cf are of no consequence - everything is controlled from the ACL configuration. If you want to configure the headers freely from local.cf, use the SA-Exim add-on.

If you don't want to use sa-exim, you can add the headers in the exim acl: Something like:

warn message = X-Spam-Status: Yes
     spam = nobody
     condition = ${if >{$spam_score_int}{49}{1}{0}}
     condition = ${if <{$message_size}{100k}{1}{0}}

warn message = X-Spam-Status: No
     spam = nobody
     condition = ${if <{$spam_score_int}{50}{1}{0}}
     condition = ${if <{$message_size}{100k}{1}{0}}

--
Chris
Re: 1.1 GB of bayes data ... excessive?
On Mon, Nov 27, 2006 at 03:17:50PM -0800, Quinn Comendant wrote:

-rw--- 1 vpopmail vchkpw 2682880 Nov 22 04:55 bayes_toks.expire10078
-rw--- 1 vpopmail vchkpw 1478656 Nov 7 05:19 bayes_toks.expire10096
[...]
-rw--- 1 vpopmail vchkpw 2383872 Nov 6 03:42 bayes_toks.expire9845
-rw--- 1 vpopmail vchkpw 1155072 Nov 22 12:10 bayes_toks.expire9983

This indicates that Bayes is trying to expire, and however you're calling SA is killing off the expiry, so the temp file is left around. Stop doing that. ;)

(you can remove the .expire* files, assuming you're not currently running an expire)

--
Randomly Selected Tagline: Q: Don't you know who our President is? A: A working class man who started out with nothing in life but two strong hands and a brain, and now has to make due with just the hands. - http://slashdot.org/comments.pl?sid=189485&cid=15602732
Re: 1.1 GB of bayes data ... excessive?
On Mon, 27 Nov 2006, Quinn Comendant wrote:

My bayes data totals 1.1 GB. Is this okay?

Not generally, no.

-rw--- 1 vpopmail vchkpw 4743168 Nov 22 00:38 bayes_toks.expire10138
-rw--- 1 vpopmail vchkpw 4714496 Nov 22 00:49 bayes_toks.expire10148
-rw--- 1 vpopmail vchkpw 2506752 Nov 20 13:45 bayes_toks.expire10150
-rw--- 1 vpopmail vchkpw 1388544 Nov 7 05:08 bayes_toks.expire10151
-rw--- 1 vpopmail vchkpw 1159168 Nov 22 10:45 bayes_toks.expire10216

...etc ad nauseam. It looks like your expire runs are being terminated prematurely, probably due to timeouts. Either increase your timeouts, or turn off auto-expiry and schedule expiry using a cron job outside of SA.

You'll probably have to do a manual expiry to get it back to a reasonable state. I suggest you do that first, then see if the timeouts are then adequate with the smaller db before you increase them. Search the list archives for bayes expiry timeout or bayes expire timeout for more info.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r
---
28 days until Christmas
Re: rbl insight and wisdom please
Well I'll be darned...you're right. Zen uses CBL. Q On Mon, 27 Nov 2006 21:50:47 +, Nigel Frankcom wrote: Did you know that zen uses cbl anyway?
Why no bayes?
I NEVER get any bayes_?? in my headers

Why?

Running: Amavisd-new spamassassin-3.1.7 amavisd-new-2.4

I am storing bayes in SQL as I need it available for more than one server. sa-learn --dump magic shows:

0.000 0 3 0 non-token data: bayes db version
0.000 0 10950 0 non-token data: nspam
0.000 0 40395 0 non-token data: nham
0.000 0 120716 0 non-token data: ntokens
0.000 0 1130788224 0 non-token data: oldest atime
0.000 0 1131330249 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 1143487659 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count

Thanks, Dave
Re: 1.1 GB of bayes data ... excessive?
Ok, now down to 53 MB. ;P

I've run sa-learn --force-expire and removed the *.expire* files. I'll turn off auto-expire and just run a daily cron script until I learn why auto-expire might have been failing.

Any ideas how to increase the timeout for the spamc processes so they will be alive long enough to finish an auto-expire run? I'm running spamc via simscan via qmail-smtpd.

\_ /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
    \_ /var/qmail/bin/simscan
        \_ spamc -u [EMAIL PROTECTED]

Thanks! Quinn

On Mon, 27 Nov 2006 15:28:43 -0800 (PST), John D. Hardin wrote:

My bayes data totals 1.1 GB. Is this okay?

Not generally, no.

-rw--- 1 vpopmail vchkpw 4743168 Nov 22 00:38 bayes_toks.expire10138
-rw--- 1 vpopmail vchkpw 4714496 Nov 22 00:49 bayes_toks.expire10148
-rw--- 1 vpopmail vchkpw 2506752 Nov 20 13:45 bayes_toks.expire10150
-rw--- 1 vpopmail vchkpw 1388544 Nov 7 05:08 bayes_toks.expire10151
-rw--- 1 vpopmail vchkpw 1159168 Nov 22 10:45 bayes_toks.expire10216

...etc ad nauseam. It looks like your expire runs are being terminated prematurely, probably due to timeouts. Either increase your timeouts, or turn off auto-expiry and schedule expiry using a cron job outside of SA.

You'll probably have to do a manual expiry to get it back to a reasonable state. I suggest you do that first, then see if the timeouts are then adequate with the smaller db before you increase them. Search the list archives for bayes expiry timeout or bayes expire timeout for more info.
Re: 1.1 GB of bayes data ... excessive?
On Mon, 27 Nov 2006, Quinn Comendant wrote:

Ok, now down to 53 MB. ;P I've run sa-learn --force-expire

Did you note how long that took to complete? That's about how long your timeout should be...

Any ideas how to increase the timeout for the spamc processes so they will be alive long enough to finish an auto-expire run? I'm running spamc via simscan via qmail-smtpd.

Sorry, no. I don't do qmail or simscan.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
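One way to catch the leftover expiry temp files discussed in this thread before they add up to a gigabyte, as an added example that is not part of any post above and not SpamAssassin code. It only treats a `bayes_toks.expire*` file as stale once it is older than a grace period, and it removes nothing at all while any such file is younger than that, on the assumption that a young file may belong to an expiry run still in progress; the function names and the six-hour default are assumptions.

```python
"""Added example (not SpamAssassin code): audit leftover Bayes expiry temp files."""
import os
import re
import stat
import time

# File name pattern taken from the directory listing in the thread.
EXPIRE_NAME = re.compile(r"^bayes_toks\.expire\d+$")
DEFAULT_GRACE = 6 * 3600  # assumption: no expiry run lasts longer than six hours


def audit_expire_files(bayes_dir, grace_seconds=DEFAULT_GRACE, now=None):
    """Classify expiry temp files in bayes_dir as stale or recent by mtime."""
    now = time.time() if now is None else now
    stale, recent = [], []
    for entry in os.scandir(bayes_dir):
        if not EXPIRE_NAME.match(entry.name):
            continue  # bayes_toks, bayes_seen, auto-whitelist etc. are never candidates
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue  # ignore symlinks and directories that merely match the name
        bucket = recent if now - st.st_mtime < grace_seconds else stale
        bucket.append((entry.path, st.st_size))
    return {
        "stale": sorted(stale),
        "recent": sorted(recent),
        "stale_bytes": sum(size for _, size in stale),
    }


def remove_stale(bayes_dir, grace_seconds=DEFAULT_GRACE, now=None, dry_run=True):
    """Delete stale expiry temp files unless an expiry run may still be active.

    Returns the audit report plus 'blocked' (True when a recent temp file
    stopped the cleanup) and 'removed' (paths actually deleted).
    """
    report = audit_expire_files(bayes_dir, grace_seconds, now)
    report["blocked"] = bool(report["recent"])
    report["removed"] = []
    if report["blocked"] or dry_run:
        return report
    for path, _size in report["stale"]:
        os.unlink(path)
        report["removed"].append(path)
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    result = remove_stale(target, dry_run=True)
    print("stale files:", len(result["stale"]), "bytes:", result["stale_bytes"])
    if result["blocked"]:
        print("recent temp file present, an expiry may be running; nothing to do yet")
```

Run from cron with the default dry run, a growing `stale_bytes` figure is an early sign that expiry runs are being killed again.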
Re: RelayChecker (now Botnet ) 0.4
On Thu, 23 Nov 2006, John Rudd wrote: I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release. ... So, let me know what you think. Let me know if you find any bugs, what your hit/miss/fp stats are (one person said 78% accuracy with 1% fp's), Does the program skip over those IPs in the trusted_networks array or IP's that are added from the POPAuthPlugin Plugin? http://wiki.apache.org/spamassassin/POPAuthPlugin Rob
Re: Problem Adding the X-Spam-Status: header
On Tuesday 28 November 2006 00:22, Chris Purves wrote:

Magnus Holmgren wrote:

On Monday 27 November 2006 16:27, Odhiambo Washington wrote:

You seem to be running Exim with Exiscan. The add_header options in local.cf are of no consequence - everything is controlled from the ACL configuration. If you want to configure the headers freely from local.cf, use the SA-Exim add-on.

If you don't want to use sa-exim, you can add the headers in the exim acl: Something like:

Off topic! :-)

warn message = X-Spam-Status: Yes
     spam = nobody
     condition = ${if >{$spam_score_int}{49}{1}{0}}
     condition = ${if <{$message_size}{100k}{1}{0}}

warn message = X-Spam-Status: No
     spam = nobody
     condition = ${if <{$spam_score_int}{50}{1}{0}}
     condition = ${if <{$message_size}{100k}{1}{0}}

Not quite. If he wants to have the X-Spam-Status described in the OP, he would have to do like this:

# local.cf:
clear_report_template
report _YESNO_ score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_

# exim.conf, DATA ACL somewhere, with Exim 4.61 or later:
warn condition = ${if <{$message_size}{100k}}
     spam = nobody:true
     add_header = X-Spam-Status: $spam_report
     spam = nobody
     add_header = X-Spam-Flag: YES

With earlier versions of Exim, without the add_header modifier, the size check has to be duplicated.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: RelayChecker (now Botnet ) 0.4
Rob Mangiafico wrote: On Thu, 23 Nov 2006, John Rudd wrote: I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release. ... So, let me know what you think. Let me know if you find any bugs, what your hit/miss/fp stats are (one person said 78% accuracy with 1% fp's), Does the program skip over those IPs in the trusted_networks array or IP's that are added from the POPAuthPlugin Plugin? http://wiki.apache.org/spamassassin/POPAuthPlugin Rob It skips over the IPs in trusted_networks, but I have no knowledge of how it interacts with the POPAuthPlugin plugin.
Re: Why no bayes?
On Nov 27, 2006, at 3:51 PM, Dave Augustus wrote: I NEVER get any bayes_?? in my headers I have a similar problem running SA in my user accounts on a commercial server. I have SA 3.1.1 installed on 3 different accounts, accessing the same MySQL Bayes DB. I get bayes_?? headers in email sent to one of the two accounts, but NOT the other two. I cannot figure out what the difference is, as the config files are bytewise identical and all three accounts can access the DB from the command line without problem. I've had this problem for six months, and don't even know what tools to use to start debugging it with. SA version 3.1.1 installed in ~/sausr and ~/saetc Evan
Re: Why no bayes?
On Mon, Nov 27, 2006 at 04:51:51PM -0800, Evan Dorn wrote:

command line without problem. I've had this problem for six months, and don't even know what tools to use to start debugging it with.

-D ?

--
Randomly Selected Tagline: We are used to a deep-rooted Arab tradition of democracy where results are first declared, then elections are conducted and votes brought in to affirm it. - Talal Salman, editor of the As-Safir newspaper in Lebanon
Re: Loads of 'xxx wrote:' Spam
On Monday 27 November 2006 4:27 pm, John D. Hardin wrote: On Mon, 27 Nov 2006, Bowie Bailey wrote: As has been the suggestion for the past X months, run sa-update. :) we've got to make this a more prominent FAQ somehow... Too bad you can't have a sticky thread on a mailing list... :) Many mailing list managers allow you to send a greeting message to new subscribers. Perhaps sending a SA FAQ as part of this would be a good idea? Along with a prominent **READ THIS BEFORE POSTING** notice at the very top... -- I haven't read the rest of my mail tonight so this may be suggested later, but how about once a month a short post from Theo or one of the other SA Admins that contains the top 10 FAQ's and answers? Just a thought. -- Chris
Re: HTML Validator
--On Friday, March 10, 2006 5:08 PM -0800 Kenneth Porter [EMAIL PROTECTED] wrote: Anyone know of a good validator that can be run over a MIME part to report on the quality of the HTML? This might be used as a go/no-go filter at milter level, or it could be used as an SA plugin to assign a variable score based on the quality of the HTML. For mailing lists catering to newbies who love HTML and can't understand why us old-timers hate it, we can set the list to exclude all invalid HTML. Sure, we'll accept your HTML. But only if it's really HTML. Not that crap that most MUA's write. I was trying to remember a web page I found that counseled not to use DOCTYPE and HTML tags around email to escape spam filters (pretty weird advice IMO) and I ran across indications that AOL is rejecting mail that fails to pass validation: http://www.petefreitag.com/item/307.cfm http://info.aol.co.uk/about/spam/mailer-daemon.adp http://postmaster.info.aol.com/errors/554hvufo.html http://www.clickz.com/showPage.html?page=3490146
Re: RelayChecker (now Botnet ) 0.4
John Rudd wrote: Rob Mangiafico wrote: On Thu, 23 Nov 2006, John Rudd wrote: I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release. ... So, let me know what you think. Let me know if you find any bugs, what your hit/miss/fp stats are (one person said 78% accuracy with 1% fp's), Does the program skip over those IPs in the trusted_networks array or IP's that are added from the POPAuthPlugin Plugin? http://wiki.apache.org/spamassassin/POPAuthPlugin Rob It skips over the IPs in trusted_networks, but I have no knowledge of how it interacts with the POPAuthPlugin plugin. The POPAuth plugin just dynamically adjusts your trusted_networks config, so anything that pays attention to your trusted_networks config will work just as well with the POPAuth plugin. Daryl
Re: RelayChecker (now Botnet ) 0.4
On Mon, 27 Nov 2006, Daryl C. W. O'Shea wrote: John Rudd wrote: Rob Mangiafico wrote: On Thu, 23 Nov 2006, John Rudd wrote: I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release. ... So, let me know what you think. Let me know if you find any bugs, what your hit/miss/fp stats are (one person said 78% accuracy with 1% fp's), Does the program skip over those IPs in the trusted_networks array or IP's that are added from the POPAuthPlugin Plugin? http://wiki.apache.org/spamassassin/POPAuthPlugin Rob It skips over the IPs in trusted_networks, but I have no knowledge of how it interacts with the POPAuthPlugin plugin. The POPAuth plugin just dynamically adjusts your trusted_networks config, so anything that pays attention to your trusted_networks config will work just as well with the POPAuth plugin. Great, thanks for confirming. Didn't want to score it that high until I knew we'd be avoiding our own users. Been running it for a few hours, got a few 1000 hits so far, sorted by score, and have not found a false positive yet. So far so good! I think I'll score it at 3 instead of 5 for now. Rob
Re: Problems running Spam Assassin
Hi, Thanks for the reply. I want users to have the option to have their own spamassassin configuration. Is it best just to start spamd without -u? I've got over 100 virtual servers, I don't want to setup folders and permissions for each user. What's the easiest and safest way? How would you do it? Thanks

Magnus Holmgren wrote:

On Sunday 19 November 2006 18:04, CosmicPerl wrote:

Hi, I installed the latest SpamAssassin on my server. At first all my tests looked good, apart from load. So I setup spamc and spamd and everything seemed great, for a short while at least. A day later my mqueue had about 1500 messages in it, most with the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL. This seems to be coming up if the mailbox is full or the email is to an address that doesn't exist. It seemed that about every hour or so Sendmail was trying to flush out these messages, causing 1000's of processes to be started and making the server freeze up. Despite my Sendmail config having

define(`confMAX_DAEMON_CHILDREN', `12')dnl

In my procmailrc file I have:-

DROPPRIVS=yes
:0fw: spamassassin.lock
* < 256000
| spamc

The SpamAssassin daemon was started with

/usr/bin/spamd -d -u nobody

At some point all mail stopped coming in. When I looked at the maillog file it had lots of lines like:-

mkdir /root/.spamassassin: Permission denied

Which I guess was causing the problem. This wasn't a problem before so I'm not sure why it happened. Any clues?

I guess you might get some problem if you run spamd with -u nobody but without --nouser-config (either spamd will try to access the users' home directories as nobody, or it will try to access the home directory of nobody - I'm not sure, but in either case it will work badly. If you want per-user preferences together with -u you must either use -x --virtual-config-dir, make all users' .spamassassin directories readable (and writable, if you want bayes and/or AWL) by the spamd user (should be a special user - the nobody user isn't supposed to have any particular access to any files), or use a database. See README.spamd for security considerations if you have any untrusted users with shell access.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: RelayChecker (now Botnet ) 0.4
On Mon, 27 Nov 2006, Rob Mangiafico wrote:

Great, thanks for confirming. Didn't want to score it that high until I knew we'd be avoiding our own users. Been running it for a few hours, got a few 1000 hits so far, sorted by score, and have not found a false positive yet. So far so good! I think I'll score it at 3 instead of 5 for now.

Spoke too soon on the false positives. Had it hit an ebay and amazon email for a user. Headers below:

---
X-Spam-Status: No, score=1.3 required=2.0 tests=AWL,BOTNET,BOTNET_CLIENT,
 BOTNET_CLIENTWORDS,HTML_MESSAGE,SARE_MLB_Stock1 autolearn=no version=3.1.7
Received: from mx29.sjc.ebay.com (mxpool14.ebay.com [66.135.197.20])
 by XXX (8.11.6/8.11.6) with ESMTP id kAS2PGV00414 for XXX;
 Mon, 27 Nov 2006 21:25:16 -0500
Received: from sj-besreco005 (sj-besreco005.sjc.ebay.com [10.6.173.26])
 by mx29.sjc.ebay.com (8.13.5/8.13.5) with ESMTP id kAS2Osc2008401 for XXX;
 Mon, 27 Nov 2006 19:25:10 -0700
DomainKey-Signature: a=rsa-sha1; s=dk; d=ebay.com; c=nofws; q=dns;
 h=message-id:from:to:subject:mime-version:content-type:x-ebay-mailtracker;
 b=q1DrZV4UR2bgq/PC6kcApV2x0JAGRxJP01yYnDopXUQ04IscKir1u23dejHaoHqtU
 k/GytJw9BHgzHZyNCdVSVzFFLKyUQ+tRn41WQa98NKnqBOAMxZehJiqr6M95lxgrq99
 HAJjn4nueU5JS8XV36+AIRnPS85SAbe85xx9vY8=
---

---
X-Spam-Report:
 * 0.6 NO_REAL_NAME From: does not include a real name
 * 0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 * 0.0 BOTNET_CLIENT Hostname looks like a client hostname
 * 2.0 BOTNET Any Botnet rule hit
Received: from smtp-out-4101.amazon.com (207-171-180-184.amazon.com [207.171.180.184])
 by XXX (8.11.6/8.11.6) with ESMTP id kAS2XrV04185 for XXX;
 Mon, 27 Nov 2006 21:33:53 -0500
X-Amazon-Corporate-Relay: smtp-out-4101.sea5.amazon.com
X-AMAZON-TRACK: XXX
Received: from smtp-in-1001.vdc.amazon.com by smtp-out-4101.amazon.com
 with ESMTP (peer crosscheck: smtp-in-1001.vdc.amazon.com)
Received: from ors-pots-na-1101.vdc.amazon.com (ors-pots-na-1101.vdc.amazon.com [10.130.42.37])
 by smtp-in-1001.vdc.amazon.com (8.12.10/8.12.10) with ESMTP id kAS2Xii0009995;
 Tue, 28 Nov 2006 02:33:44 GMT
Received: by ors-pots-na-1101.vdc.amazon.com
---

Thoughts? Rob
Re: Problems running Spam Assassin
Hi, Thanks for the reply. I want users to have the option to have their own spamassassin configuration. Is it best just to start spamd without -u? I've got over 100 virtual servers, I don't want to setup folders and permissions for each user. What's the easiest and safest way? How would you do it? Thanks Hi again, While I'm next to no help to you in getting it set up, Dale's suggestion of Maia Mailguard is a great one. It enables both site-wide configuration also individual user mailboxes for classifying spam, rescuing false positives etc... all within a web interface. -- Bye for now, Terry Allen ___ hEARd Postal Address: hEARd, 26B Glenning Rd, Glenning Valley, NSW 2261, Australia Internet - WWW: http://heard.com.au http://itavservices.com EMAIL: [EMAIL PROTECTED] Phone: Australia - 02 4388 1400 / International - + 61 2 43881400 Mobile: Australia - 04 28881400 / International - 61 4 28881400 --- Non profit promotion for new music - since 1994 ---
Re: getting and operator work
John Rudd wrote: Matt Kettler wrote: John Rudd wrote: Matt Kettler wrote: Really in regexes there is no such thing as an AND operation. It's just not something natural to do in a regex. I would argue, at a deeper level of language/grammar theory, that this isn't true. Instead, AND is implied by concatenation. No it's not. Concatenation is order-specific. AND is order non-specific. I'd have to break out a textbook (which means _find_ my textbooks on the material) to continue the discussion meaningfully. I'm just glad anyone at all replied to the question meaningfully :-} The key is that in boolean algebra, AND has the commutative property. This means that A and B is the same as B and A.
Bayes autolearn issue
Greetings, I noticed tonight that my bayes_vars table has a large number of entries for users that are not on my system at all. It seems that SA is autolearning bayes for non domain users? Is that a known issue? -- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
Re: RelayChecker (now Botnet ) 0.4
So - what does botnet do and do I want it?
Re: RelayChecker (now Botnet ) 0.4
Thoughts? Other than the fact I tend to agree with its conclusions by looking at those hostnames, I suppose it means that the plugin needs some special case exceptions for ebay, paypal, and amazon. Maybe it will need to run after domainkeys (if that is running) to help verify that the paypal/ebay path isn't too obviously spoofed. (Although that check can be done fairly well simply with a regex.) Loren
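The kind of hostname check behind the eBay and Amazon hits in this thread, with the trusted_networks skip and the per-sender exception discussed above, as an added illustration that is not the Botnet plugin's code and not from any poster. The regexes, the client word list, the hit labels and the function names are assumptions; the exemption is only honoured when the caller reports that the relay's reverse DNS was forward-confirmed, since a bare rDNS name is under the sender's control.

```python
"""Added illustration (not the Botnet plugin): rDNS hostname heuristics
applied to the first Received header, with trusted-network and
sender-domain exceptions."""
import ipaddress
import re

# Sendmail-style "from HELO (rdns [ip])" as in the headers quoted in the thread.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)
# Assumed word list; the plugin's real list is not shown on this page.
CLIENT_WORDS = ("pool", "dsl", "dhcp", "dynamic", "dialup", "cable", "ppp")


def parse_relay(received):
    """Return helo, rdns and ip of the connecting relay, or None if unparsable."""
    m = RECEIVED_RE.search(received)
    if not m:
        return None
    try:
        ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return {"helo": m.group("helo").lower(),
            "rdns": (m.group("rdns") or "").lower(),
            "ip": m.group("ip")}


def ip_in_hostname(rdns, ip):
    """True when the name embeds the address octets, forward or reversed."""
    octets = ip.split(".")
    for order in (octets, octets[::-1]):
        body = r"[-._]".join(r"0{0,2}" + o for o in order)
        if re.search(r"(?<!\d)" + body + r"(?!\d)", rdns):
            return True
    return False


def client_words(rdns):
    """Client-style words in the labels left of the last two labels."""
    labels = rdns.split(".")[:-2]
    return sorted(w for w in CLIENT_WORDS if any(w in label for label in labels))


def evaluate(received, trusted_networks=(), exempt_domains=(), forward_confirmed=False):
    """Classify one Received header as unparsed, trusted, exempt, suspect or clean."""
    relay = parse_relay(received)
    if relay is None:
        return {"verdict": "unparsed", "hits": []}
    addr = ipaddress.ip_address(relay["ip"])
    if any(addr in ipaddress.ip_network(net) for net in trusted_networks):
        return {"verdict": "trusted", "hits": []}
    rdns, hits = relay["rdns"], []
    if not rdns:
        hits.append("NO_RDNS")
    else:
        if ip_in_hostname(rdns, relay["ip"]):
            hits.append("IP_IN_HOSTNAME")
        if client_words(rdns):
            hits.append("CLIENT_WORDS")
    in_exempt_domain = any(rdns == d or rdns.endswith("." + d) for d in exempt_domains)
    if hits and in_exempt_domain and forward_confirmed:
        return {"verdict": "exempt", "hits": hits}
    return {"verdict": "suspect" if hits else "clean", "hits": hits}


# The two Received lines quoted in the thread (XXX as posted).
EBAY = ("Received: from mx29.sjc.ebay.com (mxpool14.ebay.com [66.135.197.20]) "
        "by XXX (8.11.6/8.11.6) with ESMTP id kAS2PGV00414 for XXX")
AMAZON = ("Received: from smtp-out-4101.amazon.com "
          "(207-171-180-184.amazon.com [207.171.180.184]) by XXX (8.11.6/8.11.6)")
# Constructed sample using documentation address space.
CONSTRUCTED_DSL = ("Received: from host.example (dsl-203-0-113-7.example.net "
                   "[203.0.113.7]) by XXX with ESMTP")

if __name__ == "__main__":
    for name, hdr in (("ebay", EBAY), ("amazon", AMAZON), ("dsl", CONSTRUCTED_DSL)):
        print(name, evaluate(hdr))
    print("amazon, exempted:",
          evaluate(AMAZON, exempt_domains=("amazon.com",), forward_confirmed=True))
```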
Re: Loads of 'xxx wrote:' Spam
Chris wrote: On Monday 27 November 2006 4:27 pm, John D. Hardin wrote: On Mon, 27 Nov 2006, Bowie Bailey wrote: As has been the suggestion for the past X months, run sa-update. :) we've got to make this a more prominent FAQ somehow... Too bad you can't have a sticky thread on a mailing list... :) Many mailing list managers allow you to send a greeting message to new subscribers. Perhaps sending a SA FAQ as part of this would be a good idea? Along with a prominent **READ THIS BEFORE POSTING** notice at the very top... -- I haven't read the rest of my mail tonight so this may be suggested later, but how about once a month a short post from Theo or one of the other SA Admins that contains the top 10 FAQ's and answers? Just a thought. I ran sa-update earlier, have URIBL, razor, etc.. and I'm still getting these slipping through. It's tempting to add +3 to wrote: in the subject.
mangled drug spam again
This drug spam seems pretty simple http://ecm.netcore.co.in/tmp/spammail1.txt but is not caught by my sare (mangled.cf) MANGLED* rulesets am I missing something here Thanks Ram
Re: rbl insight and wisdom please
On Mon, Nov 27, 2006 at 12:42:40PM -0800, R Lists06 wrote: Hopefully this hasn't been rehashed to death on this list yet has there ever been a general consensus as to which rbl's and similar lists are best to use if you are going to engineer your mail systems with such? Anyone care to share their implementations as well as current best and worst practices please? Use policyd-weight to reduce false positives. Cheers, Henrik