Bayes giving false positives
Hi! I have a problem with bayes' scoring. It gave BAYES_99=3.5 to a mail which is not a spam. Unfortunately with this addition it reached my required score so it got classified as spam. How can I fix this behavior? Only auto learning is enabled with the default threshold, no one could possibly feed it false data. Thanks
More Sophisticated Score Adjustments?
Hi, Is there any way to adjust groups of tests like increasing all HTML_IMAGE_ONLY_* tests by +1.0? Mike
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
Hi!

... while talking to mx.junkemailfilter.com.:
550-REJECTED - 70.112.27.10 is blacklisted at hostkarma.junkemailfilter.com
550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.net.:
550-REJECTED - 70.112.27.10 is blacklisted at hostkarma.junkemailfilter.com
550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.org.:
451 Temporary local problem - please try later
... while talking to dummy1.junkemailfilter.com.:
451 Temporary local problem - please try later
... while talking to dummy2.junkemailfilter.com.:
451 Temporary local problem - please try later
... while talking to dummy3.junkemailfilter.com.:
451 Temporary local problem - please try later
... while talking to dummy4.junkemailfilter.com.:
451 Temporary local problem - please try later
[EMAIL PROTECTED]... Deferred: 451 Temporary local problem - please try later

http://openrbl.org/client/#70.112.27.10

ok - that's a different IP and that IP is blocked on my list and 4 other lists. Based on your logs it doesn't look like it gives up after a 550 error. I think you have a spam problem.

You also had a look WHY they were listed?

ASPEWS = crap, I don't even count that one. Wonder why they even still list ASPEWS at all
Spamhaus = ZEN = Dynamic space, correct.
SORBS = Dynamic space, correct
NJABL = Dynamic space, correct

I think it would be wise to check your OWN list and let us know why it ended up there, I didn't see any good reason yet in the information provided why YOU would list it. It's your list, you offered to let people test it so you tell us what's wrong please. And not say 'you have a spam problem'.

Marc, YOU have a problem with this list. And I truly hope people will not start blocking mail with this, like someone else stated already.

OTOH, this is not really a topic for the spamassassin list is it ?

Bye, Raymond.
Re: Why doesn't Spamassassin bounce spam?
From: Jari Fredriksson [EMAIL PROTECTED]

jdow wrote:

From: WLamotte [EMAIL PROTECTED]

Sorry if this is an obvious question but why isn't there an option for Spamassassin to bounce spam? Sure it does a good job at filtering spam but I don't want it from my web(mail)server to my inbox. I want my web- or mailserver to bounce suspected spam. Is this a feature that could be implemented? TIA,

Because there are people like me who submit sites that bounce spam to me to SpamHaus, SpamCop, and others?

There is no way to bounce spam, is a good general rule to follow. There is nothing in the message, usually, that tells you precisely who sent the spam. The return path, reply to, and sender or from fields are all forgeable. Sites that bounce spam after the receipt transaction is over are aiding spammers rather than helping poor sods who have been hacked.

Having been a victim of a forged From: address hack, a Joe Job, I can tell you reliably that I will crawl through the wires back to the MTA that bounced back to me and rip the CPU out of the hard drive. And if the operator is nearby I will rip his heart out through his mouth.

{o.o} Joanne hates idiots who bounce and thus commit joe jobs. 'Nuf said?

That is understandable, all people can't manage their anger. Backscatter still is no SPAM.

I beg your pardon? If it is back scatter of spam then it fits all three of the criteria for spam: unsolicited, commercial, email. And since the commercial portion is optional, as in the phish email spam, the mere fact that it is unsolicited and it is email makes it spam. If you insist on bulk being in there it becomes bulk because of the other idiots (perhaps like you) who facilitate backscatter spam.

Have a despicable day, since that is the way you seem to like it. {^_^}
Troubles writing rules
Dear list,

I'm trying to add my own rules to spamassassin. I put them in /etc/spamassassin/local.cf as it is explained in http://wiki.apache.org/spamassassin/WritingRules

I'm testing with the default newbie rule:

body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

The problem is that the rule doesn't seem to be parsed. For example, here are the spamassassin headers for an email that contains test in the subject:

X-Spam-Score: -0.167
X-Spam-Level:
X-Spam-Status: No, score=-0.167 required=5 tests=[AWL=0.386, BAYES_00=-2.599, RCVD_IN_SORBS_DUL=2.046]

Any good advice on this ? Thanks.

-- Emmanuel Lesouef CRBN | DSI t : 0231069671 m : [EMAIL PROTECTED]
Re: Troubles writing rules
Emmanuel Lesouef wrote:

body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

The problem is that the rule doesn't seems to be parsed. For example, here are the spamassassin headers for an email that contains test in the subject :

X-Spam-Score: -0.167
X-Spam-Level:
X-Spam-Status: No, score=-0.167 required=5 tests=[AWL=0.386, BAYES_00=-2.599, RCVD_IN_SORBS_DUL=2.046]

Any good advices on this ?

Yes, if you want to match 'test' in the Subject, you need a header rule:

header LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

AFAIK there are four different types of rules: body, rawbody, header and full.
Re: Troubles writing rules
On Monday 18 June 2007 at 10:37 +0200, Arne Hoffmann wrote:

Emmanuel Lesouef wrote:

body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

The problem is that the rule doesn't seems to be parsed. For example, here are the spamassassin headers for an email that contains test in the subject :

X-Spam-Score: -0.167
X-Spam-Level:
X-Spam-Status: No, score=-0.167 required=5 tests=[AWL=0.386, BAYES_00=-2.599, RCVD_IN_SORBS_DUL=2.046]

Any good advices on this ?

Yes, if you want to match 'test' in the Subject, you need a header rule:

header LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

AFAIK there are four different types of rules: body, rawbody, header and full.

In fact, I already tested that. It doesn't work either. I'm thinking that my local.cf is not read. Does it help if I say I'm using Amavis ?

-- Emmanuel Lesouef CRBN | DSI t : 0231069671 m : [EMAIL PROTECTED]
Re: Troubles writing rules
Emmanuel Lesouef wrote:

Yes, if you want to match 'test' in the Subject, you need a header rule:

header LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

AFAIK there are four different types of rules: body, rawbody, header and full.

In fact, I already tested that. It doesn't work either.

Well, I was too fast and didn't think. Sorry. It has to be:

header LOCAL_DEMONSTRATION_RULE Subject =~ /test/
score LOCAL_DEMONSTRATION_RULE 0.001
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

I'm thinking about my local.cf is not read.

Try with:

spamassassin -D --local testmail.txt 2>&1 | grep local.cf
Re: Troubles writing rules
On Monday 18 June 2007 at 10:49 +0200, Arne Hoffmann wrote:

Emmanuel Lesouef wrote:

Yes, if you want to match 'test' in the Subject, you need a header rule:

header LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

AFAIK there are four different types of rules: body, rawbody, header and full.

In fact, I already tested that. It doesn't work either.

Well, I was too fast and didn't think. Sorry. It has to be:

header LOCAL_DEMONSTRATION_RULE Subject =~ /test/
score LOCAL_DEMONSTRATION_RULE 0.001
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

I'm thinking about my local.cf is not read.

Try with:

spamassassin -D --local testmail.txt 2>&1 | grep local.cf

Ok, moving forward ;) Thanks for your help. Here is more info:

adele:~# spamassassin -D --local testmail.txt 2>&1 | grep local.cf
[1875] dbg: config: read file /etc/spamassassin/local.cf

So, when invoking spamassassin from the command line, the local.cf is read. Let's try another command:

adele:~# spamassassin -D --local testmail.txt 2>&1 | grep LOCAL_DEMONSTRATION_RULE
[1892] dbg: rules: ran header rule LOCAL_DEMONSTRATION_RULE == got hit: test
[1892] dbg: check: tests=AWL,BAYES_00,LOCAL_DEMONSTRATION_RULE,NO_RECEIVED,NO_RELAYS
LOCAL_DEMONSTRATION_RULE,NO_RECEIVED,NO_RELAYS autolearn=unavailable

So, the local.cf file is read when using the CLI but not when Amavis invokes SA.

-- Emmanuel Lesouef CRBN | DSI t : 0231069671 m : [EMAIL PROTECTED]
Environment variables in local.cf, individual bayes_path
Hello,

I have to use individual bayes-dbs for virtual users and domains (everything is stored in a mysql-db). The user_prefs are stored in the mysql-db, too. Because there are no local users, I can't use ~/.spamassassin/bayes

For example, if I use the domain dschung.de or dschung.com, I would like to set bayes_path to /var/syscpvmail/.spamassassin/dschung.de or .com/bayes. For security reasons, it isn't allowed to set bayes_path through the user_prefs. I have to use spamc - spamd, so I can't call spamassassin directly.

So I thought I could use environment variables in the bayes_path option in the local.cf. I've tried

bayes_path /var/syscpvmail/.spamassassin/_DOMAIN_/bayes

but _DOMAIN_ won't be substituted. I also tried to set an environment variable with maildrop just before spamc is called, (`DOMAIN=$(echo $LOGNAME | cut -s -d@ -f2)`), and I set bayes_path in local.cf to /var/syscpvmail/.spamassassin/$DOMAIN/bayes, but this won't be substituted at all.

I've searched already the web, but can't find any solution for my problem. I'm using spamassassin 3.1.8 and maildrop 2.0.2. Hope, someone can help me :)

Regards, Gregor Dschung
Commandline option to check cf file
Hi,

I have been downloading SARE rules via RDJ all this while. But since last week we have had files with site unavailable try later etc in the cf files. I manually have to find and download these files on all my servers.

What I plan to do is to download all files to a temporary location, verify if proper and then move them to configpath.

How can I check if a cf file is a proper ruleset file and not some HTML 404 page ??

Thanks Ram
sa-update channel file
Hi Friends,

I am using Spamassassin 3.2.0. I update my rules regularly and setup a cronjob to update my rules. I use the following command to update my rules :

sa-update --channelfile -channels.txt --nogpg

In my channels.txt file I have the following list :

update.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net

My question is, I am using update.spamassassin.org as well as other sources to update my rules. Is it possible default rules from update.spamassassin.org and other rules can conflict at any point. May be same rules set up in both places but scored different... then what? Is it ok if I remove all other sources and only depend on update.spamassassin.org to update my rules?

TIA Diptanjan
what happened to DATE_IN_PAST_48_96 ??
Hi, DATE_IN_PAST_48_96 was taken out since 3.2.x. Why?? What happens with spam between 48 and 96 hours in the past? thanks. Anne
Re: Troubles writing rules
Emmanuel Lesouef wrote: So, the local.cf file is read when using the CLI but not when Amavis invokes SA. I don't know too much about amavisd-new, but on my machines amavis does read /etc/spamassassin/local.cf. But the file has to be readable for the user that amavisd-new runs as. You could also put your rule into user_prefs. If your amavisd-new runs as user amavis and $HOME is /var/lib/amavis, then put the rule in /var/lib/amavis/.spamassassin/user_prefs. If that doesn't work, you might want to ask on [EMAIL PROTECTED]
Re: Troubles writing rules
header LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

AFAIK there are four different types of rules: body, rawbody, header and full.

Yes, if you want to match 'test' in the Subject, you need a header rule:

Generally true, but not in this case. The subject is prepended to the body, so either a header rule for Subject or a body rule will hit on it. (But not a rawbody rule, I believe.)

To the OP: did you restart SA so it will pick up the new rules you wrote? In your case that would probably mean restarting Amavis, unless it has some command to restart SA internally.

Loren
Re: Commandline option to check cf file
ram wrote:

Hi, I have been downloading SARE rules via RDJ all this while. But since last week we have had files with site unavailable try later etc in the cf files I manually have to find and download these files on all my servers What I plan to do is to download all files to a temporary location , verify if proper and then move them to configpath

afaik that is exactly what the RulesDuJour script does ... (If the --lint fails no changes are made)

How can I check if a cf file is a proper ruleset file and not some HTML 404 page ??

spamassassin --lint? cmiiw

Thanks Ram

-- Greetings hth MH Dont send mail to: [EMAIL PROTECTED] --
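Added example, not part of any post in this thread and not RulesDuJour's own code: one way to do the "download to a temporary location, verify, then move" step ram describes, using the spamassassin --lint check suggested in the reply. The function names and the demo file names are hypothetical; the lint runs against a scratch copy of the site config so a bad download never reaches the live directory.

```shell
#!/bin/sh
# Added example. Function names and paths are hypothetical.

# looks_like_ruleset FILE
# Cheap pre-filter that runs before lint: rejects empty downloads and files
# whose first non-blank line is markup (an HTML error page saved as .cf),
# and requires at least one rule directive. Returns 0 if FILE is plausible.
looks_like_ruleset() {
    f=$1
    [ -s "$f" ] || return 1                      # empty download
    # First non-blank line with leading whitespace stripped.
    first=$(sed -n '/[^[:space:]]/{
        s/^[[:space:]]*//
        p
        q
    }' "$f")
    case $first in
        '<'*) return 1 ;;                        # markup, not configuration
    esac
    # A plain-text "try later" page has no rule directives at all.
    grep -Eq '^[[:space:]]*(header|body|rawbody|full|uri|meta|score|describe)[[:space:]]+[A-Za-z_][A-Za-z0-9_]*' "$f"
}

# install_ruleset CANDIDATE LIVE_DIR
# Lints CANDIDATE together with a scratch copy of LIVE_DIR and moves it into
# LIVE_DIR only if the combined configuration passes.
# Returns 0 = installed, 1 = rejected, 2 = could not check.
install_ruleset() {
    cand=$1
    live=$2
    if ! looks_like_ruleset "$cand"; then
        echo "reject (not a ruleset): $cand" >&2
        return 1
    fi
    if ! command -v spamassassin >/dev/null 2>&1; then
        echo "spamassassin not found, nothing installed" >&2
        return 2
    fi
    scratch=$(mktemp -d) || return 2
    cp -R "$live"/. "$scratch"/ 2>/dev/null || true
    cp "$cand" "$scratch"/
    if spamassassin --lint --siteconfigpath="$scratch" >/dev/null 2>&1; then
        mv "$cand" "$live"/
        rc=0
    else
        echo "reject (lint failed): $cand" >&2
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Demo on constructed files: run as "sh thisfile demo".
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'header X_DEMO Subject =~ /test/\nscore X_DEMO 0.1\n' > "$d/good.cf"
    printf '<html><title>404 Not Found</title></html>\n' > "$d/bad.cf"
    for f in "$d/good.cf" "$d/bad.cf"; do
        if looks_like_ruleset "$f"; then echo "plausible: $f"; else echo "rejected:  $f"; fi
    done
    rm -rf "$d"
fi
```

The pre-filter only saves a lint run on obvious junk; the lint result is what decides whether the file is installed. Whatever daemon loads the rules still has to be restarted afterwards.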
Re: sa-update channel file
diptanjan wrote:

Hi Friends,

Hi!

My question is, I am using update.spamassassin.org as well as other sources to update my rules. Is it possible default rules from update.spamassassin.org and other rules can conflict at any point. May be same rules set up in both places but scored different... then what?

The last applied rule wins, afaik. (That depends on your environment, ...) further info man spamassassin (at: Configuration Files)

TIA Diptanjan

-- Grüsse/Greetings MH Dont send mail to: [EMAIL PROTECTED] --
Re: sa-update channel file
On Mon, Jun 18, 2007 at 03:16:22AM -0700, diptanjan wrote:

My question is, I am using update.spamassassin.org as well as other sources to update my rules. Is it possible default rules from update.spamassassin.org and other rules can conflict at any point.

It depends what you mean by conflict. There is nothing stopping channels from overriding other channel's rules, scores, etc. That said, it's expected that channels are unique onto themselves (ie: they don't trample on other people's rules, only set scores for their own rules, don't assume what rules are available on the client (though you can generally assume updates.spamassassin.org rules are available), etc.)

May be same rules set up in both places but scored different... then what?

Whichever rule is loaded last wins.

Is it ok if I remove all other sources and only depend on update.spamassassin.org to update my rules?

That's up to you. Personally, I only use the SA updates and don't include any third party rules. Other people swear by them. YMMV.

-- Randomly Selected Tagline: modem, adj.: Up-to-date, new-fangled, as in Thoroughly Modem Millie. An unfortunate byproduct of kerning. [That's sic!]
Re: Commandline option to check cf file
On Mon, Jun 18, 2007 at 03:03:36PM +0530, ram wrote: I have been downloading SARE rules via RDJ all this while. But since last week we have had files with site unavailable try later etc in the cf files You may be interested in using sa-update which doesn't have this problem. -- Randomly Selected Tagline: I love drag queens, you can take 'em to dinner and then dancing, and if you get a flat on the way home, they can help you fix it. - Dave Attell, Insomniac Miami
Re: More Sophisticated Score Adjustments?
On Mon, Jun 18, 2007 at 02:37:27AM -0400, Michael B Allen wrote: Is there any way to adjust groups of tests like increasing all HTML_IMAGE_ONLY_* tests by +1.0? No and yes. There is no concept of a rule group, nor can you apply score updates to a glob/regex -- so you have to specify each rule w/ its own score line. However, yes, you can do a relative adjustment, see perldoc Mail::SpamAssassin::Conf, look at score. :) -- Randomly Selected Tagline: MSDOS didn't get as bad as it is overnight -- it took over ten years of careful development. - [EMAIL PROTECTED]
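Added example, not part of the post above: since each rule needs its own score line, this generates those lines for every rule name matching a shell glob, using the parenthesised relative form described under "score" in perldoc Mail::SpamAssassin::Conf. The function name and the sample ruleset are constructed for illustration; point it at the real rule files and append the output to local.cf.

```shell
#!/bin/sh
# Added example. relative_scores is a hypothetical helper name.

# relative_scores PATTERN DELTA FILE...
# Prints "score NAME (DELTA)" for each distinct rule defined in FILE... whose
# name matches the shell glob PATTERN. A parenthesised score is applied
# relative to whatever score the rule already has.
relative_scores() {
    pat=$1
    delta=$2
    shift 2
    case $delta in
        ''|*[!0-9.+-]*)
            echo "delta must be a number: $delta" >&2
            return 2 ;;
    esac
    # In a rule definition the rule name is always the second field.
    awk '$1 ~ /^(header|body|rawbody|full|uri|meta)$/ { print $2 }' "$@" |
    LC_ALL=C sort -u |
    while IFS= read -r name; do
        case $name in
            __*) continue ;;      # sub-rules are not scored on their own
            $pat) printf 'score %s (%s)\n' "$name" "$delta" ;;
        esac
    done
}

# Demo on a constructed ruleset: run as "sh thisfile demo".
if [ "${1:-}" = demo ]; then
    t=$(mktemp)
    cat > "$t" <<'EOF'
# constructed sample, not a real rule file
body HTML_IMAGE_ONLY_04 eval:html_image_only('0000','0400')
body HTML_IMAGE_ONLY_08 eval:html_image_only('0400','0800')
body HTML_MESSAGE eval:html_test('html')
EOF
    relative_scores 'HTML_IMAGE_ONLY_*' 1.0 "$t"
    rm -f "$t"
fi
```

Run spamassassin --lint after adding the generated lines, and regenerate them when a rule update adds or removes matching rules.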
Re: Bayes giving false positives
On Mon, Jun 18, 2007 at 08:22:28AM +0200, Gregorics Tamás wrote:

I have a problem with bayes' scoring. It gave BAYES_99=3.5 to a mail which is not a spam. Unfortunately with this addition it reached my required score so it got classified as spam. How can i fix this behavior? Only auto learning is enabled with the default threshold, no one could possibly feed it false data.

sa-learn --ham

auto-learn does a good job, but learn on error is always recommended.

-- Randomly Selected Tagline: lp1 on fire (One of the more obfuscated kernel messages)
RE: what happened to DATE_IN_PAST_48_96 ??
-Original Message-
From: Anne [mailto:[EMAIL PROTECTED]
Sent: Monday, June 18, 2007 6:21 AM
To: users@spamassassin.apache.org
Subject: what happened to DATE_IN_PAST_48_96 ??

Hi, DATE_IN_PAST_48_96 was taken out since 3.2.x. Why?? What happens with spam between 48 and 96 hours in the past? thanks. Anne

Looks like it got lost, or was decided it's not efficient. (it only added at most a half a point) If you want to add it back in, use this in local.cf

header DATE_IN_PAST_48_96 eval:check_for_shifted_date('-96', '-48')
describe DATE_IN_PAST_48_96 Date: is 48 to 96 hours before Received: date
score DATE_IN_PAST_48_96 0.383 0.501 0.400 0.379

This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com
RE: mailing list being tagged
-Original Message- From: Jerry Durand [mailto:[EMAIL PROTECTED] Sent: Monday, June 18, 2007 8:10 AM To: users@spamassassin.apache.org Subject: mailing list being tagged I've started having a mailing list tagged as spam. In the past the list always received scores like -90 to -100. The list provider also provides our backup MX, so his network is trusted. I have had them whitelisted for some time whitelist_from_spf [EMAIL PROTECTED] Maybe spf failure? Did they just change the name of one of their hosts? Maybe spf dns timed out. If that happened, maybe the whitelisting would fail, and the 'forged yahoo', etc would take over. host -t txt theatrical.net theatrical.net descriptive text v=spf1 mx a:spf.prxy.net -all mirror# host spf.prxy.net spf.prxy.net has address 209.177.145.124 spf.prxy.net has address 209.177.145.7 spf.prxy.net has address 209.177.145.20 Begin forwarded message: From: pinky estell [EMAIL PROTECTED] Date: June 17, 2007 10:43:58 PM PDT To: Stagecraft [EMAIL PROTECTED] Subject: *** JUNK MAIL *** stagecraft Reply-To: Stagecraft [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] Received: from murder ([unix socket]) by smtp.interstellar.com (Cyrus v2.2.12-OS X 10.4.8) with LMTPA; Sun, 17 Jun 2007 22:44:18 -0700 Received: from localhost (localhost [127.0.0.1]) by smtp.interstellar.com (Postfix) with ESMTP id 4D74E4258C6 for [EMAIL PROTECTED]; Sun, 17 Jun 2007 22:44:18 -0700 (PDT) Received: from smtp.interstellar.com ([127.0.0.1]) by localhost (interstellar.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ubmcjrjq7xng for [EMAIL PROTECTED]; Sun, 17 Jun 2007 22:44:16 -0700 (PDT) Received: from prxy.net (mail.prxy.net [209.177.145.7]) by smtp.interstellar.com (Postfix) with ESMTP id 9EE2C4258BF for [EMAIL PROTECTED]; Sun, 17 Jun 2007 22:44:16 -0700 (PDT) Received: by prxy.net (CommuniGate Pro PIPE 4.2.10) with PIPE id 46668846; Sun, 17 Jun 2007 22:45:13 -0700 X-Sieve: CMU Sieve 2.2 X-Virus-Scanned: amavisd-new 2.5.0 (20070423) at interstellar.com 
X-Spam-Flag: YES X-Spam-Score: 2.517 X-Spam-Level: ** X-Spam-Status: Yes, score=2.517 tagged_above=0 required=2 tests= [ALL_TRUSTED=-1.8, BAYES_00=-2.599, DKIM_POLICY_SIGNSOME=0, DK_POLICY_SIGNSOME=0, FORGED_YAHOO_RCVD=2.297, LOCALPART_IN_SUBJECT=2.02, REPTO_QUOTE_YAHOO=2.599] X-Scanned-By: RAE MPP/ClamAV http://raeinternet.com/mpp X-Scanned-By: This message was scanned by MPP Free Edition (www.messagepartners.com)! X-Listserver: CommuniGate Pro LIST 4.2.10 List-Unsubscribe: mailto:[EMAIL PROTECTED] List-Id: stagecraft.theatrical.net List-Archive: http://theatrical.net:8100/Lists/stagecraft/List.html Message-Id: [EMAIL PROTECTED] Sender: Stagecraft [EMAIL PROTECTED] Precedence: list In-Reply-To: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Original-Message-Id: [EMAIL PROTECTED] For info, archives UNSUBSCRIBE, see http:// stagecraft.theprices.net/ --- So I just graduated from Cornish Collage of the Arts in Seattle, and I'm looking into moving to California. I'm considering both L.A. and San Francisco, and was wondering if anyone had any suggestions as to which one I should move to. I'm a TD major but I really want to work in props right now. I really no nothing about either one of the cities, I just know that I want to experience theater in other cities and stay on the west side of the states. -Pinky Estell __ __ Looking for a deal? Find great prices on flights and hotels with Yahoo! FareChase. http://farechase.yahoo.com/ _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _
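Added example, not part of the message above: a breakdown of the X-Spam-Status header quoted in it, showing which tests carried the list mail over required=2 despite ALL_TRUSTED and BAYES_00. The header values are copied from the post; the line folding, the function names and the "tipping" check are constructed here, and only the amavisd-new style with per-test scores (tests=[NAME=score, ...]) is handled.

```shell
#!/bin/sh
# Added example. Function names are hypothetical.

# sample_header: the X-Spam-* headers from the quoted message, re-folded.
sample_header() {
    cat <<'EOF'
X-Spam-Flag: YES
X-Spam-Score: 2.517
X-Spam-Level: **
X-Spam-Status: Yes, score=2.517 tagged_above=0 required=2 tests=
 [ALL_TRUSTED=-1.8, BAYES_00=-2.599, DKIM_POLICY_SIGNSOME=0,
 DK_POLICY_SIGNSOME=0, FORGED_YAHOO_RCVD=2.297, LOCALPART_IN_SUBJECT=2.02,
 REPTO_QUOTE_YAHOO=2.599]
X-Scanned-By: RAE MPP/ClamAV http://raeinternet.com/mpp

(message body, ignored)
EOF
}

# spam_tests: read a message on stdin, print "SCORE RULE" for every test in
# its X-Spam-Status header, highest score first.
spam_tests() {
    awk '
        /^$/ { exit }                               # blank line: headers are over
        /^X-Spam-Status:/ { grab = 1; buf = $0; next }
        grab && /^[ \t]/  { buf = buf $0; next }    # folded continuation line
        { grab = 0 }
        END {
            s = index(buf, "tests=")
            if (!s) exit 1
            list = substr(buf, s + 6)
            sub(/^[ \t]*\[/, "", list)              # list is wrapped in [ ]
            e = index(list, "]")
            if (e) list = substr(list, 1, e - 1)
            gsub(/[ \t]/, "", list)
            n = split(list, t, ",")
            for (i = 1; i <= n; i++)
                if (split(t[i], kv, "=") == 2) print kv[2], kv[1]
        }' | LC_ALL=C sort -k1,1nr
}

# tipping_rules REQUIRED: stdin is spam_tests output. Prints each rule whose
# removal alone would bring a message at or over REQUIRED back under it.
tipping_rules() {
    awk -v req="$1" '
        { score[$2] = $1; total += $1; order[NR] = $2 }
        END {
            for (i = 1; i <= NR; i++)
                if (total >= req && total - score[order[i]] < req)
                    print order[i]
        }'
}

# Demo: run as "sh thisfile demo".
if [ "${1:-}" = demo ]; then
    sample_header | spam_tests
    echo "total: $(sample_header | spam_tests | awk '{ s += $1 } END { printf "%.3f", s }')"
    echo "tipping rules at required=2:"
    sample_header | spam_tests | tipping_rules 2
fi
```

For this message the per-test scores add up to the reported 2.517, and each of the three Yahoo-related tests is individually enough to account for the tag.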
Re: Troubles writing rules
On Monday 18 June 2007 at 03:45 -0700, Loren Wilton wrote:

header LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

AFAIK there are four different types of rules: body, rawbody, header and full.

Yes, if you want to match 'test' in the Subject, you need a header rule:

Generally true, but not in this case. The subject is prepended to the body, so either a header rule for Subject or a body rule will hit on it. (But not a rawbody rule, I believe.)

To the OP: did you restart SA so it will pick up the new rules you wrote? In your case that would probably mean restarting Amavis, unless it has some command to restart SA internally.

Loren

Great ! Works like a charm. I had to restart amavis in order to force the local.cf rules to be taken care of. Thanks all.

-- Emmanuel Lesouef CRBN | DSI t : 0231069671 m : [EMAIL PROTECTED]
Re: Troubles writing rules
Arne Hoffmann wrote:

Emmanuel Lesouef wrote:

body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

The problem is that the rule doesn't seems to be parsed.

Yes, if you want to match 'test' in the Subject, you need a header rule:

header LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 1.000
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

First, Arne, that header rule is invalid, you forgot to specify what header to match.

If you want to match subject headers, but not the body:

header LOCAL_DEMONSTRATION_RULE Subject =~ /test/

If you wanted to match all headers

header LOCAL_DEMONSTRATION_RULE ALL =~ /test/

Second, body rules *WILL* match the subject line of a message. Therefore you do NOT need a header rule. (99.9% of body rules are looking for common message text that could appear in either the body or the subject. Rather than forcing the ruleset to be doubled-up with both body and subject rules looking for the same text, body rules were made to match both)

Finally, Emmanuel's real problem is that he didn't restart amavis after modifying his local.cf. Anyone using spamd, or a tool like amavis that uses the perl API, will need to restart it in order for local.cf to be re-parsed. This has the positive side-effect of letting you run spamassassin --lint on your rules after editing them before they go live, but the real purpose is to save the overhead of constantly checking or re-reading this file.
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
On Sun, 17 Jun 2007, Marc Perkel wrote:

Shane Williams wrote:

Here's the failed for the last 4 hours message...

- Transcript of session follows -
... while talking to mx.junkemailfilter.com.:
550-REJECTED - 70.112.27.10 is blacklisted at hostkarma.junkemailfilter.com
550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.net.:
550-REJECTED - 70.112.27.10 is blacklisted at hostkarma.junkemailfilter.com
550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.org.:
451 Temporary local problem - please try later
... while talking to dummy1.junkemailfilter.com.:
451 Temporary local problem - please try later
... while talking to dummy2.junkemailfilter.com.:
451 Temporary local problem - please try later
... while talking to dummy3.junkemailfilter.com.:
451 Temporary local problem - please try later
... while talking to dummy4.junkemailfilter.com.:
451 Temporary local problem - please try later
[EMAIL PROTECTED]... Deferred: 451 Temporary local problem - please try later

ok - that's a different IP and that IP is blocked on my list and 4 other lists. Based on your logs it doesn't look like it gives up after a 550 error. I think you have a spam problem.

This is a personal mail server, so I know exactly who sends mail on it, and we don't have a spam problem (unless you mean all the spam we're fighting to keep out). Of course, since it's a dynamic address, I can't be certain that other users of this address haven't sent spam, but as others have pointed out, the only other blacklists 70.112.27.10 is listed on are dynamic or dialup lists only, so there's no indication that it's been a previous spam source. So, unless you're intending to block dynamic IPs as part of your method, I'd say this is a false-positive situation.

-- Public key #7BBC68D9 at http://pgp.mit.edu/ | Shane Williams, System Admin - UT iSchool | [EMAIL PROTECTED] | www.ischool.utexas.edu/~shanew
All syllogisms contain three lines. Therefore this is not a syllogism
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
Shane Williams wrote:

On Sun, 17 Jun 2007, Marc Perkel wrote:

Shane Williams wrote:

Here's the failed for the last 4 hours message...

- Transcript of session follows -
... while talking to mx.junkemailfilter.com.:
550-REJECTED - 70.112.27.10 is blacklisted at hostkarma.junkemailfilter.com
550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.net.:
550-REJECTED - 70.112.27.10 is blacklisted at hostkarma.junkemailfilter.com
550 (127.0.0.2); 70.112.27.10
... while talking to mx.junkemailfilter.org.:
451 Temporary local problem - please try later
... while talking to dummy1.junkemailfilter.com.:
451 Temporary local problem - please try later
... while talking to dummy2.junkemailfilter.com.:
451 Temporary local problem - please try later
... while talking to dummy3.junkemailfilter.com.:
451 Temporary local problem - please try later
... while talking to dummy4.junkemailfilter.com.:
451 Temporary local problem - please try later
[EMAIL PROTECTED]... Deferred: 451 Temporary local problem - please try later

ok - that's a different IP and that IP is blocked on my list and 4 other lists. Based on your logs it doesn't look like it gives up after a 550 error. I think you have a spam problem.

This is a personal mail server, so I know exactly who sends mail on it, and we don't have a spam problem (unless you mean all the spam we're fighting to keep out). Of course, since it's a dynamic address, I can't be certain that other users of this address haven't sent spam, but as others have pointed out, the only other blacklists 70.112.27.10 is listed on are dynamic or dialup lists only, so there's no indication that it's been a previous spam source. So, unless you're intending to block dynamic IPs as part of your method, I'd say this is a false-positive situation.

Shane - your listing has nothing to do with dynamic IPs. The way you got listed is that your server hit my high MX records when all of my lower MX records were working. What I'm still investigating is why that happened. And it's a problem I intend to fix because I don't want any false positives in the list. Is there any reason your server would try MX records in an unusual order?
Troubleshooting SA: regex time_t 3 min delays
Hi all. I was trying to shave down the 7+ minutes it takes for Postfix/amavisd/SA to process a single message today ahem and wondered about the two biggest choke points I could identify.

*feeding a test message to spamassassin:
# su - vscan -c 'spamassassin -D sample-nonspam.txt 2>&1' | timestamp

** versions: FC4
SpamAssassin version 3.1.7 running on Perl version 5.8.3
amavisd-new-2.4.3

There is a 3 minute delay each at two points: processing the regex rules and one called 'time_t'. Any advice or links to push me in the right direction? Is it normal? Thanks. -Peter

= REGEX =
13:57:28.380 65.608 0.002 [12521] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?=[?])u=(.*?)(?:$|[#])'i
14:00:02.774 220.003 154.395 [12521] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa8b0720) implements 'finish_parsing_end'

= TIME_T =
14:00:17.937 235.166 0.000 [12521] dbg: eval: time_t from date=987801124, rcvd= 20 Apr 2001 17:12:04 -0400
14:03:17.105 414.333 179.168 [12521] dbg: eval: all '*To' addrs: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
On Mon, 18 Jun 2007, Marc Perkel wrote:

Shane - your listing has nothing to do with dynamic IPs. The way you got listed is that your server hit my high MX records when all of my lower MX records were working. What I'm still investigating is why that happened. And it's a problem I intend to fix because I don't want any false positives in the list. Is there any reason your server would try MX records in an unusual order?

As others have mentioned, there are reasons (internet congestion, for instance), but I gather what you really want to know is whether there's something unusual about my configuration that would cause this to happen. The answer to that is no. I'm running sendmail on a gentoo server. No crazy configs, I don't run my own DNS, and frankly I don't know why my sendmail would try high MXs before low ones, but apparently it does.

I'd say any system that requires you to investigate to this extent with blocked senders on a one-on-one basis has problems, and I would once again recommend that you test any system by tagging mails before actually rejecting them so that you learn about false-positives rather than assuming there aren't any unless someone reports it (which would be hard to do, since you're blocking them).

Since this is now way OT for the SA list, I'm not going to respond on the list anymore, and since your blacklist rejects my emails, I'm guessing this is the end of the conversation for me. Good luck.

-- Public key #7BBC68D9 at http://pgp.mit.edu/ | Shane Williams, System Admin - UT iSchool | [EMAIL PROTECTED] | www.ischool.utexas.edu/~shanew
All syllogisms contain three lines. Therefore this is not a syllogism
RE: My Newly Expanded DNS Blacklist - Who wants to try it?
-Original Message- From: Marc Perkel [mailto:[EMAIL PROTECTED] Sent: Monday, June 18, 2007 9:31 AM To: Shane Williams Cc: Daryl C. W. O'Shea; users@spamassassin.apache.org Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it? Shane Williams wrote: On Sun, 17 Jun 2007, Marc Perkel wrote: Shane Williams wrote: [...] Shane - your listing has nothing to do with dynamic IPs. The way you got listed is that your server hit my high MX records when all of my lower MX records were working. What I'm still investigating is why that happened. And it's a problem I intend to fix because I don't want any false positives in the list. Is there any reason your server would try MX records in an unusual order? I don't know what his reason is but had I attempted to send mail to your server last Friday I could easily have ended up hitting one of your higher MXs. I had a problem with Verizon where I would loose my connection for seconds to a min and everything would be fine for seconds to a min or two. This went on for hours, it was like someone flicking a light switch. If exim couldn't connect to your lower mx servers during one of these episodes it would have rolled up the list as it should since Verizon has yet to inform my mail server they are having transient network problems and to consider any connection issues to be temporary and please try again. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
Shane Williams wrote: This is a personal mail server, so I know exactly who sends mail on it, and we don't have a spam problem (unless you mean all the spam we're fighting to keep out). Of course, since it's a dynamic address, I can't be certain that other users of this address haven't sent spam, but as others have pointed out, the only other blacklists 70.112.27.10 is listed on are dynamic or dialup lists only, so there's no indication that it's been a previous spam source. So, unless you're intending to block dynamic IPs as part of your method, I'd say this is a false-positive situation.

Shane, I found the bug and fixed it. It was dynamic IP related where I was returning temp errors in certain cases. Your IP has been removed also and sorry about that but this is still something I'm testing.
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
Rick Cooper wrote: I don't know what his reason is but had I attempted to send mail to your server last Friday I could easily have ended up hitting one of your higher MXs. I had a problem with Verizon where I would lose my connection for seconds to a min and everything would be fine for seconds to a min or two. This went on for hours, it was like someone flicking a light switch. If exim couldn't connect to your lower mx servers during one of these episodes it would have rolled up the list as it should since Verizon has yet to inform my mail server they are having transient network problems and to consider any connection issues to be temporary and please try again. Rick

Rick, it does take multiple hits to get listed and I did add code that if you hit all the high ones in succession that it only counts as one. However, having said that, this is experimental and there's a possibility that it's just not going to work. I do believe that there's information to be had by looking at hosts who hit high numbered MX records when low numbered MX servers are available. I'm just trying to figure out how to extract this information. So - I ask the question - I think we can all agree that there's information to be had. How do we extract this in a useful form and avoid false positives?
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
Marc Perkel wrote: Rick Cooper wrote: I don't know what his reason is but had I attempted to send mail to your server last Friday I could easily have ended up hitting one of your higher MXs. I had a problem with Verizon where I would lose my connection for seconds to a min and everything would be fine for seconds to a min or two. This went on for hours, it was like someone flicking a light switch. If exim couldn't connect to your lower mx servers during one of these episodes it would have rolled up the list as it should since Verizon has yet to inform my mail server they are having transient network problems and to consider any connection issues to be temporary and please try again. Rick

Rick, it does take multiple hits to get listed and I did add code that if you hit all the high ones in succession that it only counts as one. However, having said that, this is experimental and there's a possibility that it's just not going to work. I do believe that there's information to be had by looking at hosts who hit high numbered MX records when low numbered MX servers are available. I'm just trying to figure out how to extract this information. So - I ask the question - I think we can all agree that there's information to be had. How do we extract this in a useful form and avoid false positives?

If you're going to do this, I would suggest that instead of counting to X hits on your low priority MX's and then blacklisting the IP, do this: Count on all of your MX's, and look for a ratio between hits on low priority MX's and hits on high priority MX's. IFF the high priority MX hit rate is 0, then just do a simple count on the hits against the low priority MX's. IF the higher priority MX hit rate is 0, then do (low priority hit rate) / (high priority hit rate), and look for a number = something like 10. That way, senders that might sequentially try your servers, due to problems, or even just because they roll through the servers over time, won't get tagged.
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
John Rudd wrote: If you're going to do this, I would suggest that instead of counting to X hits on your low priority MX's and then blacklisting the IP, do this: Count on all of your MX's, and look for a ratio between hits on low priority MX's and hits on high priority MX's. IF the high priority MX hit rate is 0, then just do a simple count on the hits against the low priority MX's. IF the higher priority MX hit rate is 0, then do (low priority hit rate) / (high priority hit rate), and look for a number = something like 10. That way, senders that might sequentially try your servers, due to problems, or even just because they roll through the servers over time, won't get tagged.

That's a good suggestion. You have me thinking. I'm using Exim and it has the RateLimit logic. Rather than a ratio I could maybe create a time window where if they hit the proper MX then it bypasses the improper MX tests for a fixed number of seconds.
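The ratio test John Rudd describes and the time-window variant Marc Perkel proposes in reply, run side by side over the same connection log, as an added example that is not part of the original thread or of either poster's code. Here "primary" is the lowest-numbered MX and "backup" the high-numbered ones; the ratio branch is read as applying when the primary hit count is above zero with a threshold of at least 10, and the count threshold, window length, burst gap and the log itself are constructed assumptions.

```python
from collections import defaultdict


def build_sample_hits():
    """Constructed connection log of (unix_time, client_ip, mx_role).

    Addresses come from the RFC 5737 documentation ranges.
    """
    hits = [
        # Normal sender that fell back to the backups during a short outage.
        (1000, "192.0.2.10", "primary"),
        (1060, "192.0.2.10", "backup"),
        (1062, "192.0.2.10", "backup"),
        (1064, "192.0.2.10", "backup"),
        (5000, "192.0.2.10", "primary"),
    ]
    # Sender that only ever connects to the backups, on 12 separate occasions.
    hits += [(600 * k, "198.51.100.7", "backup") for k in range(12)]
    # Sender with one primary hit followed by 12 spaced-out backup hits.
    hits.append((20000, "203.0.113.5", "primary"))
    hits += [(20000 + 60 * k, "203.0.113.5", "backup") for k in range(1, 13)]
    return sorted(hits)


def group_by_client(hits):
    """Map client_ip -> {"primary": [times], "backup": [times]}, times sorted."""
    per_ip = defaultdict(lambda: {"primary": [], "backup": []})
    for when, ip, role in sorted(hits):
        per_ip[ip][role].append(when)
    return per_ip


def count_bursts(times, burst_gap):
    """Count hits, folding hits within burst_gap seconds of the previous one.

    This mirrors "hit all the high ones in succession counts as one".
    """
    count, last = 0, None
    for when in times:
        if last is None or when - last > burst_gap:
            count += 1
        last = when
    return count


def ratio_verdicts(hits, min_count=5, min_ratio=10.0, burst_gap=10):
    """Ratio test: plain count when there are no primary hits, else a ratio."""
    verdicts = {}
    for ip, seen in group_by_client(hits).items():
        backup = count_bursts(seen["backup"], burst_gap)
        primary = len(seen["primary"])
        if primary == 0:
            verdicts[ip] = backup >= min_count
        else:
            verdicts[ip] = backup / primary >= min_ratio
    return verdicts


def window_verdicts(hits, min_count=5, bypass_seconds=3600, burst_gap=10):
    """Time-window test: a primary hit exempts backup hits that follow it
    within bypass_seconds; only the remaining backup hits are counted."""
    verdicts = {}
    for ip, seen in group_by_client(hits).items():
        counted = [
            when for when in seen["backup"]
            if not any(0 <= when - p <= bypass_seconds for p in seen["primary"])
        ]
        verdicts[ip] = count_bursts(counted, burst_gap) >= min_count
    return verdicts


if __name__ == "__main__":
    sample = build_sample_hits()
    by_ratio = ratio_verdicts(sample)
    by_window = window_verdicts(sample)
    for ip in sorted(by_ratio):
        print(f"{ip:15} ratio={by_ratio[ip]!s:5} window={by_window[ip]}")
```

The two tests disagree on the third sender, which is the kind of difference that tagging mail first, as suggested earlier in the thread, would surface before any rejection is enabled.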
bayes returning undef for all emails
Hello, Bayes is returning undef for all mails passing through our server. Spamassassin 3.2.0, amavisd-new 2.5.0, perl 5.8.8, mysql 5.0.42 and bayes is on InnoDB. sunny ~ # grep -i bayes /etc/mail/spamassassin/*.cf|grep -v secrets.cf /etc/mail/spamassassin/local.cf:# Use Bayesian classifier (default: 1) /etc/mail/spamassassin/local.cf:# use_bayes 1 /etc/mail/spamassassin/local.cf:# Bayesian classifier auto-learning (default: 1) /etc/mail/spamassassin/local.cf:bayes_auto_learn 0 /etc/mail/spamassassin/local.cf:bayes_auto_expire 0 /etc/mail/spamassassin/local.cf:# Set headers which may provide inappropriate cues to the Bayesian /etc/mail/spamassassin/local.cf:bayes_ignore_header X-Bogosity /etc/mail/spamassassin/local.cf:bayes_ignore_header X-Spam-Flag /etc/mail/spamassassin/local.cf:bayes_ignore_header X-Spam-Status Some messages not getting scored by bayes is understandable but bayes is not scoring for any email. Database corruption? How likely is that? Any suggestions, pointers, RTFMs highly appreciated. su amavis -c 'DBI_TRACE=2 /usr/bin/spamassassin -D bayes /var/amavis/test' 2.log 21 gives (with lots of deletions to keep the mail to a reasonable length. Also edited mysql username and password): DBI 1.55-nothread default trace level set to 0x0/2 (pid 5205) at DBI.pm line 271 via SQL.pm line 44 [5205] dbg: bayes: using username: amavis - DBI-connect(DBI:mysql:spamassassin:localhost, dbuser, , HASH(0x177a470)) - DBI-install_driver(mysql) for linux perl=5.008008 pid=5205 ruid=102 euid=102 install_driver: DBD::mysql version 3.0008 loaded from /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux/DBD/mysql.pm - install_driver= DBI::dr=HASH(0x28b66a0) !! warn: 0 CLEARED by call to connect method [...] [5205] dbg: bayes: database connection established [...] [5205] dbg: bayes: found bayes db version 3 [...] [5205] dbg: bayes: Using userid: 3 [...] 
[5205] dbg: bayes: corpus size: nspam = 1668, nham = 1649 [5205] dbg: bayes: header tokens for *p = U* D*mail.caf.com.tr D*caf.com.tr D*com.tr D*tr [5205] dbg: bayes: header tokens for *F = U* D*mail.caf.com.tr D*caf.com.tr D*com.tr D*tr [5205] dbg: bayes: header tokens for To = U*eray.aslan D*caf.com.tr D*com.tr D*tr [5205] dbg: bayes: header tokens for MIME-Version = [5205] dbg: bayes: header tokens for *c = multipart/mixed; =_ NHxtPHrt _ HHH _ _ . [5205] dbg: bayes: header tokens for *x = Microsoft Office Outlook, Build 11.0.6353 [5205] dbg: bayes: header tokens for X-MimeOLE = Produced By Microsoft MimeOLE V6.00.2900.2180 [5205] dbg: bayes: header tokens for *m = 20050925191650 D930E6923 mail caf com tr [5205] dbg: bayes: header tokens for X-Relay-Countries = TR [5205] dbg: bayes: header tokens for X-Spam-Relays-External = [ ip=195.174.218.167 rdns= helo=KAHVE by=mail.caf.com.tr ident= envfrom= intl=0 id=D930E6923 auth= msa=0 ] [5205] dbg: bayes: header tokens for X-Spam-Relays-Internal = [ ip=127.0.0.1 rdns=mail.caf.com.tr helo=localhost by=mail.caf.com.tr ident= envfrom= intl=1 id=49C481B07F auth= msa=0 ] [ ip=127.0.0.1 rdns= helo=mail.caf.com.tr by=localhost ident= envfrom= intl=1 id=12605-08 auth= msa=0 ] [5205] dbg: bayes: header tokens for *RT = [ ip=127.0.0.1 rdns=mail.caf.com.tr helo=localhost by=mail.caf.com.tr ident= envfrom= intl=1 id=49C481B07F auth= msa=0 ] [ ip=127.0.0.1 rdns= helo=mail.caf.com.tr by=localhost ident= envfrom= intl=1 id=12605-08 auth= msa=0 ] [5205] dbg: bayes: header tokens for *RU = [ ip=195.174.218.167 rdns= helo=KAHVE by=mail.caf.com.tr ident= envfrom= intl=0 id=D930E6923 auth= msa=0 ] [5205] dbg: bayes: header tokens for *r = KAHVE (unknown [195.174.218 ip*195.174.218.167 ]) (using TLSv1 cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mail.caf.com.tr (Postfix) [EMAIL PROTECTED]; [5205] dbg: bayes: header tokens for *r = KAHVE (unknown [195.174.218 ip*195.174.218.167 ]) (using TLSv1 cipher RC4-MD5 (128/128 
bits)) (No client certificate requested) by mail.caf.com.tr (Postfix) [EMAIL PROTECTED]; mail.caf.com.tr ([127.0.0 ip*127.0.0.1 ]) by localhost (mail.caf.com.tr [127.0.0 ip*127.0.0.1 ]) (amavisd-new, port 10024) id 12605-08; [5205] dbg: bayes: tok_get_all: token count: 145 - prepare for DBD::mysql::db (DBI::db=HASH(0x28d1fe0)~0x28d1ed0 'SELECT RPAD(token, 5, ' '), spam_count, ham_count, atime FROM bayes_token WHERE id = ? AND token IN (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)') dbd_st_prepare calling count_params (counting params emulation) - prepare= DBI::st=HASH(0x28e2cd0) at SQL.pm line 892 - execute for DBD::mysql::st (DBI::st=HASH(0x28e2cd0)~0x2a4fc40 '3' '�.j�f' '.GW.�' 'QJ+�1' '���|.' '..�.�' '�.�s.' '��^�' 'q' 'uq..3' '.���*' '.�(�^' '�.yL.' '.ΨI.' 'K��.~' '�Xgt�' '.�ù�'
RE: bayes returning undef for all emails
Ok, you asked for it. RTFM!

Dan

snip
Some messages not getting scored by bayes is understandable but bayes is not scoring for any email. Database corruption? How likely is that? Any suggestions, pointers, RTFMs highly appreciated.
/snip
RE: My Newly Expanded DNS Blacklist - Who wants to try it?
-Original Message- From: Marc Perkel [mailto:[EMAIL PROTECTED] Sent: Monday, June 18, 2007 10:00 AM To: Rick Cooper Cc: users@spamassassin.apache.org Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it? Rick Cooper wrote: I don't know what his reason is but had I attempted to send mail to your server last Friday I could easily have ended up hitting one of your higher MXs. I had a problem with Verizon where I would loose my connection for seconds to a min and everything would be fine for seconds to a min or two. This went on for hours, it was like someone flicking a light switch. If exim couldn't connect to your lower mx servers during one of these episodes it would have rolled up the list as it should since Verizon has yet to inform my mail server they are having transient network problems and to consider any connection issues to be temporary and please try again. Rick Rick, it does take multiple hits to get listed and I did add code that if you hit all the high ones in sucession that it only counts as one. However, having said that, this is experimental and there's a possibility that it's just not going to work. I do believe that there's information to be had by looking at hosts who hit high numbered MX records when low numbered MX servers are available. I'm just trying to figure out how to extract this information. So - I ask the question - I think we can all agree that there's information to be had. How do we extract this in a useful form an avoid false positives? I am probably over sensitive to blacklists of this nature because of past problems. I had an issue where someone could not deliver a reply to a customer once and when I investigated I found the (actually two) server was on a blacklist I had never heard of. 
I let our ISP know that apparently their entire address space was on the list and the owner (someone I have known since the early eighties) investigated and found the entire att address space (their carrier) was on this black list and att knew all about it. Apparently this person wanted them to pay him $50,000 to be removed in less than one year. Granted few people probably use the list but it still worries me when some one uses a list maintained by a guy and even more so if it's fully automated. Personally a relatively few mails on our servers make it to RBL portion (I also use exim) and get dumped for other reasons, right now the biggest is probably non FQDN (or bracketed dotted quad) helo. I would say number two is attempting to send mail heloing as part of our domain space when the host is not part of our network, and three is attempting to send mail to our addresses from a host not allowed to send mail from our addresses. I also seem to see a lot of localhost/localhost.localdomain and 127.0.0.1. I would like to see a lot more hardfail SPF hits and less SPF none. I still believe there are too many people who (subconsciously or otherwise) get a thrill out of fighting spam and the world would be much better off to move to taking responsibility for the mails they send. DKIM is about the closest thing to what I would like. You can have all the anti-spam laws in the world but proving responsibility is always the biggest problem. I would like to see a light weight service similar to DNS used to validate emails, quick and simple. It could be distributed like DNS and do you approve this mail, yes or no, like sender verification only without the smtp overhead. Last one that touches it is responsible, through the chain. The current, base, smtp spec simply wasn't developed in a time where anyone considered today's enviroment. There has to be a better way than trying to catch spam as that does nothing toward trying to stop it. 
Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
7min delay after loading Mail::SpamAssassin::Plugin::Check
Investigating 12 minute/message processing time - SA hangs on Mail::SpamAssassin::Plugin::Check. I've commented out / disabled (pyzor / razor / dcc) as well as everything except 'check main' in v320.pre. I removed all of the rulesdujour as well. How can I isolate this to figure it out? Any ideas / pointers would be greatly appreciated... -Peter Farrell -Cardiff, Wales SpamAssassin version 3.2.0 running on Perl version 5.8.5 CentOS 4.4 Amavisd 2.5.1 # su vscan -c 'spamassassin -D sample-nonspam.txt 21' | timestamp 15:57:12.258 41.529 0.002 [1691] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC 15:57:12.289 41.560 0.031 [1691] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC 15:57:12.300 41.570 0.011 [1691] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC 15:57:12.310 41.581 0.010 [1691] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC 15:57:12.322 41.592 0.012 [1691] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC 15:57:12.339 41.610 0.017 [1691] dbg: plugin: loading Mail::SpamAssassin::Plugin::Check from @INC 16:04:22.982 472.252 430.643 [1691] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA 16:04:22.983 472.253 0.000 [1691] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E 16:04:22.983 472.253 0.000 [1691] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05 16:04:22.984 472.254 0.001 [1691] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 16:04:22.984 472.254 0.000 [1691] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA
RE: mailing list being tagged
At 05:14 AM 6/18/2007, Michael Scheidell wrote: Maybe spf failure? Did they just change the name of one of their hosts? Maybe spf dns timed out. If that happened, maybe the whitelisting would fail, and the 'forged yahoo', etc would take over. I passed this on to the person who runs the servers. For now I've had to whitelist his list without SPF, I hope to get that back to normal soon. -- Jerry Durand, Durand Interstellar, Inc. www.interstellar.com tel: +1 408 356-3886, USA toll free: 1 866 356-3886 Skype: jerrydurand
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
Rick Cooper wrote: I am probably over sensitive to blacklists of this nature because of past problems. I had an issue where someone could not deliver a reply to a customer once and when I investigated I found the (actually two) server was on a blacklist I had never heard of. I let our ISP know that apparently their entire address space was on the list and the owner (someone I have known since the early eighties) investigated and found the entire att address space (their carrier) was on this black list and att knew all about it. Apparently this person wanted them to pay him $50,000 to be removed in less than one year. Granted few people probably use the list but it still worries me when some one uses a list maintained by a guy and even more so if it's fully automated. Personally a relatively few mails on our servers make it to RBL portion (I also use exim) and get dumped for other reasons, right now the biggest is probably non FQDN (or bracketed dotted quad) helo. I would say number two is attempting to send mail heloing as part of our domain space when the host is not part of our network, and three is attempting to send mail to our addresses from a host not allowed to send mail from our addresses. I also seem to see a lot of localhost/localhost.localdomain and 127.0.0.1. I would like to see a lot more hardfail SPF hits and less SPF none. I still believe there are too many people who (subconsciously or otherwise) get a thrill out of fighting spam and the world would be much better off to move to taking responsibility for the mails they send. DKIM is about the closest thing to what I would like. You can have all the anti-spam laws in the world but proving responsibility is always the biggest problem. I would like to see a light weight service similar to DNS used to validate emails, quick and simple. It could be distributed like DNS and do you approve this mail, yes or no, like sender verification only without the smtp overhead. 
Last one that touches it is responsible, through the chain. The current, base, smtp spec simply wasn't developed in a time where anyone considered today's environment. There has to be a better way than trying to catch spam as that does nothing toward trying to stop it. Rick

Rick - I totally understand where you are coming from. I've had similar problems with people blacklisting my servers. But what I'm trying to do here is develop new tricks for fighting spam. I've found my most accurate methods of detecting spam is based on differences in the behaviour of spammers as compared to normal email. When I see something that's a clear difference I try to find a way to use it. That's what I'm doing here.
Re: Troubleshooting SA: regex time_t 3 min delays
Three minutes for regex processing is very much NOT normal, unless you are running on a 66mhz box or the like. First question: are you thrashing? That is the number one reason for slow SA processing, you have run out of memory for one reason or another. If the 3 minutes is CPU time and you aren't thrashing, you have a bad regex that is getting looped up. Probably something with a number of *'s and backtracking in it. While it is possible this could be a release or SARE rule that has found some creative way to fail on your system, I would be more inclined to suspect a locally-crafted rule. There is some technique that can be used to time the individual rules, but I'm not sure what it is. Loren
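One way to time rules individually and spot the backtracking pattern described in the reply above, as an added example that is not part of the original post and is not SpamAssassin's own timing mechanism. The rule names, patterns, message body and time budget are constructed; Python's `re` is a backtracking engine like Perl's, though absolute timings in Perl will differ.

```python
import re
import time

# Constructed stand-ins for local rules; names and patterns are hypothetical
# and are not taken from any SpamAssassin rule set.
RULES = {
    "LOCAL_UNSUBSCRIBE": r"click here to unsubscribe",
    "LOCAL_PRICE": r"\$\d{1,3}(?:,\d{3})*(?:\.\d{2})?",
    "LOCAL_MANY_BANGS": r"!{3,}",
    # Nested quantifier: "([A-Za-z]+)+" can split a run of letters in
    # exponentially many ways, and every split is tried when no "$" follows.
    "LOCAL_WORDS_THEN_DOLLAR": r"([A-Za-z]+)+\$",
}

# Same matches as LOCAL_WORDS_THEN_DOLLAR, without the nested quantifier.
FIXED_PATTERN = r"[A-Za-z]+\$"

# Constructed message body: ordinary text plus one 20-letter run with no "$".
SAMPLE_BODY = (
    "Hello, your order total is $1,249.00 and ships today!!!\n"
    "Reference: " + "a" * 20 + "\n"
    "If this was not you, click here to unsubscribe.\n"
)


def time_rule(pattern, text, repeats=3):
    """Return the best-of-N wall time in seconds for one search of text."""
    compiled = re.compile(pattern)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        compiled.search(text)
        best = min(best, time.perf_counter() - start)
    return best


def profile_rules(rules, text, budget_seconds=0.005):
    """Time every rule; return (name, seconds, over_budget) slowest first."""
    rows = []
    for name, pattern in rules.items():
        seconds = time_rule(pattern, text)
        rows.append((name, seconds, seconds > budget_seconds))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def has_nested_quantifier(pattern):
    """Cheap static hint: a group whose body ends in + or * and which is
    itself followed by + or *. It is a heuristic, not a proof either way."""
    return re.search(r"\([^()]*[+*]\)[+*]", pattern) is not None


def rule_hits(pattern, text):
    """True when the rule matches anywhere in text."""
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    for name, seconds, over in profile_rules(RULES, SAMPLE_BODY):
        hint = " nested quantifier" if has_nested_quantifier(RULES[name]) else ""
        flag = "SLOW" if over else "ok"
        print(f"{name:26} {seconds * 1000:10.3f} ms  {flag}{hint}")
    print(f"rewritten pattern: {time_rule(FIXED_PATTERN, SAMPLE_BODY) * 1000:.3f} ms")
```

Each extra letter in the run roughly doubles the time for the nested rule, which is how a single line in one message can stall a scan for minutes.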
Re: My Newly Expanded DNS Blacklist - Who wants to try it?
At 06:18 AM 6/18/2007, Shane Williams wrote: So, unless you're intending to block dynamic IPs as part of your method, I'd say this is a false-positive situation. Our mail and web server is on a business dynamic address, has been for years and serves several domains. We block (554 error) dynamic servers trying to connect to us and would expect the same from anyone we tried to directly connect to. ALL our outgoing mail is relayed through our ISP's mail server using AUTH. Each domain has an SPF record that lists our ISP as the only valid source of mail from us. Works fine except for the short time Internic started deep-scanning headers and message bodies with Zen, then they blocked lots of people they shouldn't have. We used to use several RBLs, but Zen seems pretty good and saves time. The few dynamic addresses that get by Zen seem to be caught by SA. Good work guys! -- Jerry Durand, Durand Interstellar, Inc. www.interstellar.com tel: +1 408 356-3886, USA toll free: 1 866 356-3886 Skype: jerrydurand
Bayes isn't working
Greetings, It seems to be a common question but I haven't yet been able to figure out what's wrong on my end with this. SpamAssassin itself is working, it's detecting and flagging messages based on the built in rules, but Bayes seems to be non-functioning. I'm using SA 3.2.0, Perl 5.8.8, using Qmail and vpopmail on Debian. As I've stated everything is working well except the Bayes part. So far I've managed to run ~2500 messages through sa-learn over the course of the last week or so, and I've yet to see a single log entry with a BAYES rule match of any kind. After running sa-learn I do have created in /etc/mail/spamassassin the bayes_seen and bayes_toks files, but I don't have the bayes_msgcount. I've followed the directions in the Wiki for SiteWideBayesSetup. When I run spamassassin --lint I get no errors. I confess to being not yet familiar enough with the debug output to know if anything is wrong in spamassassin -D --lint, but I do see where Bayes is being loaded in the output. I'm sure I'm missing some simple something somewhere, but I haven't been able to figure out just what an I come across some conflicting information online. Included below is output of spamassassin -D --lint and also the relevant parts of my local.cf file. Thanks for any and all help, Rob Wright [EMAIL PROTECTED] from /etc/mail/spamassassin/local.cf: use_bayes 1 bayes_path /etc/mail/spamassassin/bayes bayes_file_mode 0770 bayes_auto_learn 1 bayes_auto_learn_threshold_spam 9 bayes_min_ham_num 100 (I can post the entire file if necessary) --- --- spamassassin -D --lint [24761] dbg: logger: adding facilities: all [24761] dbg: logger: logging level is DBG [24761] dbg: generic: SpamAssassin version 3.2.0 [24761] dbg: config: score set 0 chosen. [24761] dbg: util: running in taint mode? 
yes [24761] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH [24761] dbg: util: PATH included '/usr/local/sbin', keeping [24761] dbg: util: PATH included '/usr/local/bin', keeping [24761] dbg: util: PATH included '/usr/sbin', keeping [24761] dbg: util: PATH included '/usr/bin', keeping [24761] dbg: util: PATH included '/sbin', keeping [24761] dbg: util: PATH included '/bin', keeping [24761] dbg: util: PATH included '/usr/bin/X11', keeping [24761] dbg: util: final PATH set to: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 [24761] dbg: dns: no ipv6 [24761] dbg: dns: is Net::DNS::Resolver available? yes [24761] dbg: dns: Net::DNS version: 0.59 [24761] dbg: diag: perl platform: 5.008008 linux [24761] dbg: diag: module installed: Digest::SHA1, version 2.11 [24761] dbg: diag: module installed: HTML::Parser, version 3.56 [24761] dbg: diag: module installed: Net::DNS, version 0.59 [24761] dbg: diag: module installed: MIME::Base64, version 3.07 [24761] dbg: diag: module installed: DB_File, version 1.814 [24761] dbg: diag: module installed: Net::SMTP, version 2.31 [24761] dbg: diag: module not installed: Mail::SPF ('require' failed) [24761] dbg: diag: module not installed: Mail::SPF::Query ('require' failed) [24761] dbg: diag: module not installed: IP::Country::Fast ('require' failed) [24761] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed) [24761] dbg: diag: module not installed: Net::Ident ('require' failed) [24761] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed) [24761] dbg: diag: module not installed: IO::Socket::SSL ('require' failed) [24761] dbg: diag: module installed: Compress::Zlib, version 2.004 [24761] dbg: diag: module installed: Time::HiRes, version 1.86 [24761] dbg: diag: module not installed: Mail::DomainKeys ('require' failed) [24761] dbg: diag: module not installed: Mail::DKIM ('require' failed) [24761] dbg: diag: module installed: DBI, version 1.53 [24761] 
dbg: diag: module installed: Getopt::Long, version 2.35 [24761] dbg: diag: module installed: LWP::UserAgent, version 2.033 [24761] dbg: diag: module installed: HTTP::Date, version 1.47 [24761] dbg: diag: module installed: Archive::Tar, version 1.32 [24761] dbg: diag: module installed: IO::Zlib, version 1.05 [24761] dbg: diag: module not installed: Encode::Detect ('require' failed) [24761] dbg: ignore: using a test message to lint rules [24761] dbg: config: using /etc/mail/spamassassin for site rules pre files [24761] dbg: config: read file /etc/mail/spamassassin/init.pre [24761] dbg: config: read file /etc/mail/spamassassin/v310.pre [24761] dbg: config: read file /etc/mail/spamassassin/v312.pre [24761] dbg: config: read file /etc/mail/spamassassin/v320.pre [24761] dbg: config: using /var/lib/spamassassin/3.002000 for sys rules pre files [24761] dbg: config: using /var/lib/spamassassin/3.002000 for default rules dir [24761] dbg: config: read file /var/lib/spamassassin/3.002000/updates_spamassassin_org.cf [24761] dbg: config: using /etc/mail/spamassassin for site rules dir [24761] dbg: config: read file
Re: Bayes isn't working
Rob Wright wrote: So far I've managed to run ~2500 messages through sa-learn over the course of the last week or so, and I've yet to see a single log entry with a BAYES rule match of any kind. From your own logs: [24761] dbg: bayes: not available for scanning, only 0 ham(s) in bayes DB 100 ... which tells me it hasn't learned the minimum of 100 ham messages that you've told it to need before Bayes will kick in. Maybe post a dump of sa-learn --dump magic too?
Re: Bayes isn't working
Hi Rob, At 10:23 18-06-2007, Rob Wright wrote: [24761] dbg: bayes: DB journal sync: last sync: 1182182134 [24761] dbg: bayes: not available for scanning, only 0 ham(s) in bayes DB 100 http://wiki.apache.org/spamassassin/BayesNotWorking Regards, -sm
Re: Bayes giving false positives
Gregorics Tamás wrote: I have a problem with bayes' scoring. It gave BAYES_99=3.5 to a mail which is not a spam. Unfortunately with this addition it reached my required score so it got classified as spam. How can i fix this behavior? Tweak the autolearn thresholds a little. Only auto learning is enabled with the default threshold, This statement ... no one could possibly feed it false data. ... is in direct conflict with this one, IME. The default thresholds *can* allow incorrect autolearning of very hammy spam, or spammy ham. I'm not sure what the defaults are now, but I've run with 12 and -0.1 for quite a while with very little trouble - previously, the default autolearn-as-ham threshold of 0.1 actually got a few very low-scoring spams learned as ham. (around about SA2.55, IIRC) And I *have* seen nominally legitimate email scoring in the 12-15 range on occasion. :( -kgd
New patch for rules_du_jour re HTML redirect pages
It seems as if the problem HTML redirect page is hiding somewhere when rules_du_jour gets to its SA lint check, and it doesn't show up until the rollback is done, so the patch I sent earlier isn't effective. I'll need to read the code more thoroughly and don't have time now, so here's a quicker-n-dirtier patch which will zap the problem file after SA --lint has failed so it'll run properly next time. cut here --- /root/rules_du_jour.orig2007-06-17 21:01:24.0 -0500 +++ /var/lib/spamassassin/rules_du_jour 2007-06-18 12:37:44.0 -0500 @@ -907,6 +907,8 @@ [ ${SEND_THE_EMAIL} ] echo -e ${MESSAGES} | sh -c ${MAILCMD} -s \RulesDuJour Run Summary on ${HOSTNAME}\ ${MAIL_ADDRESS}; fi +grep -il 'META HTTP-EQUIV' ${TMPDIR}/*|xargs -n1 rm -f + cd ${OLDDIR}; exit; cut here rules_du_jour will still fail, but this will clean up the mess and next time (hopefully) it'll run properly. I'm plumb out of time to figure this out today so I'll revisit it later and submit a better patch. -- Lindsay Haisley | In an open world,| PGP public key FMP Computer Services |who needs Windows | available at 512-259-1190 | or Gates| http://pubkeys.fmp.com http://www.fmp.com| |
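Review bot: The added `grep -il 'META HTTP-EQUIV' ${TMPDIR}/*|xargs -n1 rm -f` line expands ${TMPDIR} unquoted and unchecked, so if the variable is ever empty or unset the glob becomes /* and any regular file in the root directory containing that string is removed. Guard the cleanup with a test that ${TMPDIR} is non-empty and is a directory, quote the expansion, and pass the names NUL-separated (with GNU tools, `grep -ilZ ... | xargs -0 rm -f`) so file names with whitespace are not split into separate arguments. As far as the hunk's context shows, the line also runs on every invocation just before `cd ${OLDDIR}; exit;` rather than only after a failed lint, and it deletes every file in that directory that mentions the string, which would include a legitimate rule file that matches on it; limiting the match to the files fetched in this run, or to files whose first line is HTML, would keep the cleanup from removing good rule sets.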
Re: Bayes isn't working
On Monday 18 June 2007 12:36, ian douglas wrote:

Rob Wright wrote: So far I've managed to run ~2500 messages through sa-learn over the course of the last week or so, and I've yet to see a single log entry with a BAYES rule match of any kind.

From your own logs:

[24761] dbg: bayes: not available for scanning, only 0 ham(s) in bayes DB < 100

... which tells me it hasn't learned the minimum of 100 ham messages that you've told it to need before Bayes will kick in. Maybe post a dump of sa-learn --dump magic too?

Thanks Ian. I had run some ham through sa-learn so that's odd. After receiving your messages I ran the sa-learn --dump magic and I get this:

sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 2099 0 non-token data: nspam
0.000 0 0 0 non-token data: nham
0.000 0 188955 0 non-token data: ntokens
0.000 0 1181845178 0 non-token data: oldest atime
0.000 0 1182181807 0 non-token data: newest atime
0.000 0 1182182134 0 non-token data: last journal sync atime
0.000 0 1182182158 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count

So, I went back to where my ham is and re-ran sa-learn on that with this result (after first using --forget):

sa-learn --ham -C /etc/mail/spamassassin --showdots --spam --no-sync Maildir/new
Learned tokens from 108 message(s) (108 message(s) examined)

I ran sa-learn --sync, then restarted spamassassin and get this:

sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 2100 0 non-token data: nspam
0.000 0 0 0 non-token data: nham
0.000 0 188955 0 non-token data: ntokens
0.000 0 1181845178 0 non-token data: oldest atime
0.000 0 1182181807 0 non-token data: newest atime
0.000 0 1182189220 0 non-token data: last journal sync atime
0.000 0 1182182158 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count

spamassassin -D --lint still shows:

[14187] dbg: bayes: not available for scanning, only 0 ham(s) in bayes DB < 100

So, then, spamassassin isn't seeing the ham that I'm feeding it? Why would it see the spam but not the ham? Thanks Rob
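Added example (not part of the original message, and not SpamAssassin's own code): a small Python reader for the two "sa-learn --dump magic" listings quoted above, reporting whether Bayes has enough messages and which counter a learning run actually moved. The 100-ham minimum is the one shown in the debug line; the equal spam minimum and all function names are assumptions made for the example.

```python
import re

# Constructed input: the two dumps quoted in the message above, one row per line.
DUMP_BEFORE = """\
0.000 0 3 0 non-token data: bayes db version
0.000 0 2099 0 non-token data: nspam
0.000 0 0 0 non-token data: nham
0.000 0 188955 0 non-token data: ntokens
"""
DUMP_AFTER = DUMP_BEFORE.replace("2099", "2100")

# In a magic row the value sits in the third numeric column, before the label.
ROW = re.compile(r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data:\s*(.+?)\s*$")


def parse_magic(text):
    """Map each 'non-token data' label to its integer value."""
    magic = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            magic[m.group(2)] = int(m.group(1))
    return magic


def availability(magic, min_ham=100, min_spam=100):
    """Return the reasons Bayes would be skipped; an empty list means usable.

    min_ham comes from the debug line in the thread; min_spam is an assumption.
    """
    reasons = []
    for label, kind, minimum in (("nham", "ham", min_ham), ("nspam", "spam", min_spam)):
        count = magic.get(label, 0)
        if count < minimum:
            reasons.append(f"only {count} {kind}(s) in bayes DB < {minimum}")
    return reasons


def learn_delta(before, after):
    """Change in the message counters between two dumps of the same database."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in ("nspam", "nham")}


def diagnose(before_text, after_text, learned_as="ham"):
    """Flag a learning run whose messages did not land in the intended counter."""
    delta = learn_delta(parse_magic(before_text), parse_magic(after_text))
    wanted = "nham" if learned_as == "ham" else "nspam"
    other = "nspam" if learned_as == "ham" else "nham"
    if delta[wanted] == 0 and delta[other] > 0:
        return f"{other} rose by {delta[other]} but {wanted} did not move"
    if delta[wanted] == 0:
        return "no counter moved: learning and dumping may use different databases"
    return "ok"


if __name__ == "__main__":
    print(availability(parse_magic(DUMP_AFTER)))
    print(diagnose(DUMP_BEFORE, DUMP_AFTER))
```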
Re: Problem with sa-update and ImageInfo
Hi Daryl, Thanks for getting back to me. But... I don't have 3.2 installed. Daryl C. W. O'Shea wrote: Anthony, You were getting the warnings about the plugin being loaded twice since it was being loaded twice. You had added a loadplugin line for your local copy of ImageInfo in v312.pre and SA was loading the copy included with SA 3.2 via v320.pre. So... not a bug. Regards, Daryl -- Anthony Peacock CHIME, Royal Free University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ I'm in shape. - ROUND is a shape
Re: Bayes isn't working
On Mon, Jun 18, 2007 at 01:06:52PM -0500, Rob Wright wrote: So, I went back to where my ham is and re-ran sa-learn on that with this result (after first using --forget): sa-learn --ham -C /etc/mail/spamassassin --showdots --spam --no-sync Maildir/new What's with the -C ? sa-learn --dump magic No -C? 0.000 0 2100 0 non-token data: nspam 0.000 0 0 0 non-token data: nham spamassassin -D --lint still shows: [14187] dbg: bayes: not available for scanning, only 0 ham(s) in bayes DB < 100 So, then, spamassassin isn't seeing the ham that I'm feeding it? Why would it see the spam but not the ham? My guess is that you're learning into a different DB than the one you're trying to scan from. Do a learn with -D and then a dump with -D and compare. -- Randomly Selected Tagline: Are you all right? -Leela Ah, it's nothing a law suit won't cure. -Bender
Re: Bayes isn't working
On Mon, 18 Jun 2007, Rob Wright wrote: sa-learn --ham -C /etc/mail/spamassassin --showdots --spam --no-sync Maildir/new So, then, spamassassin isn't seeing the ham that I'm feeding it? Why would it see the spam but not the ham? --ham *and* --spam ? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- A sword is never a killer, it is but a tool in the killer's hands. -- Lucius Annaeus Seneca (Martial) 4BC-65AD --- Today: SWMBO's Birthday
Re: Bayes isn't working
On Mon, 18 Jun 2007 20:06:52 +0200, Rob Wright [EMAIL PROTECTED] wrote: sa-learn --ham -C /etc/mail/spamassassin --showdots --spam --no-sync Maildir/new Don't use the --spam flag when learning ham
PayPal DomainKeys/DKIM whitelisting - update
With the PayPal transitioning its service for European customers from UK to Luxemburg, it is beginning to use a new sending address, which may not be in people's whitelist, so here is my update to facilitate legitimate PayPal mail reaching its customers (I'm including ebay entries for good measure):

whitelist_from_dkim [EMAIL PROTECTED] paypal.com
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED]

It seems their legitimate mail needs a little help, because Bayes sometimes confuses them with phishing, because DCC hits on them, and because MIME_QP_LONG_LINE is firing. Their DK signature verifies just fine with recent versions of Mail::DKIM through a Mail::SpamAssassin::Plugin::DKIM plugin, which needs to be enabled. Note that Plugin::DomainKeys is not needed, the Plugin::DKIM can cope with both signature types (with historic DomainKeys, and the DKIM (RFC 4871)). I'd welcome contributions/updates to the above list of popular, genuine and well-intending sending domains protecting their mail with DK or DKIM, perhaps eventually evolving in some form of a reputation list.

For completeness, here are my current rules to add a few score points to yahoo and gmail mail which fails verification:

header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
header __L_FROM_Y1 From:addr =~ [EMAIL PROTECTED]
header __L_FROM_Y2 From:addr =~ [EMAIL PROTECTED](ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3 From:addr =~ [EMAIL PROTECTED](id|in|jp|nz|uk)$}i
header __L_FROM_Y4 From:addr =~ [EMAIL PROTECTED](ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
header __L_FROM_GMAIL From:addr =~ [EMAIL PROTECTED]
meta L_UNVERIFIED_YAHOO !DKIM_VERIFIED && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO 500
score L_UNVERIFIED_YAHOO 2.5
meta L_UNVERIFIED_GMAIL !DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5

Mark
Re: Bayes isn't working
On Monday 18 June 2007 13:15, John D. Hardin wrote: On Mon, 18 Jun 2007, Rob Wright wrote: sa-learn --ham -C /etc/mail/spamassassin --showdots --spam --no-sync Maildir/new So, then, spamassassin isn't seeing the ham that I'm feeding it? Why would it see the spam but not the ham? --ham *and* --spam ? I *just* noticed that I did this. That is not what I was doing previously when it was not working. I've corrected this and now we do appear to be learning the spam and ham correctly at least. I'll keep watching and see what happens. Thanks, Rob
uridnsbl_skip_domain
25_uribl.cf contains a number of domains to skip via the uridnsbl_skip_domain command. Is there a command comparable to unwhitelist_from that would apply to the uridnsbl? Jason A. Bertoch Network Administrator [EMAIL PROTECTED] ElectroNet Intermedia Consulting 3411 Capital Medical Blvd. Tallahassee, FL 32308 (V) 850.222.0229 (F) 850.222.8771
Re: Troubleshooting SA: regex time_t 3 min delays
Thanks for the response - unfortunately - there aren't any local, custom rules. I even removed all of the RulesDuJour whilst testing. I blew away SA today and am re-installing via CPAN - I think it may be something to do w/ my Perl installation as a whole... Plausible??? I've reinstalled 3 times w/ the same appalling results 10-15 minute scanning... the SA and Amavis builds are by the book! Plus I've got other working machines that provide the basis of the limited configuration options... I'm just about at the end of my tether... I remember when I was settling dependencies for Amavisd, I had lots of problems w/ Math::Pari, bignum, all the RSA stuff and did a few 'forced' installs in the build directory. I've been fighting w/ these machines for 3 weeks now and it's the only variable that I've not explored... RE: the 66mhz - no it's a Poweredge PIII w/ 512 of ram - all it does is filter SA, act as a backup SQUID proxy, an infrequent SSL apache pass through and backup MX. thanks again., all the best. -Peter Farrell On 18/06/07, Loren Wilton [EMAIL PROTECTED] wrote: Three minutes for regex processing is very much NOT normal, unless you are running on a 66mhz box or the like. First question: are you thrashing? That is the number one reason for slow SA processing, you have run out of memory for one reason or another. If the 3 minutes is CPU time and you aren't thrashing, you have a bad regex that is getting looped up. Probably something with a number of *'s and backtracking in it. While it is possible this could be a release or SARE rule that has found some creative way to fail on your system, I would be more inclined to suspect a locally-crafted rule. There is some technique that can be used to time the individual rules, but I'm not sure what it is. Loren
Re: uridnsbl_skip_domain
On Mon, Jun 18, 2007 at 03:01:42PM -0400, Jason Bertoch wrote: 25_uribl.cf contains a number of domains to skip via the uridnsbl_skip_domain command. Is there a command comparable to unwhitelist_from that would apply to the uridnsbl? Not really. At that point you may as well just write a uri rule (more specifically, you could write a rule using the URIDetail plugin and target the actual domain instead of the uri as a whole). -- Randomly Selected Tagline: What's the difference between the Spice Girls and a porno movie? A porno movie has better music.- Phil Spector
Re: New patch for rules_du_jour re HTML redirect pages
At 10:52 AM Monday, 6/18/2007, Lindsay Haisley wrote -= --lint has failed so it'll run properly next time. cut here --- /root/rules_du_jour.orig2007-06-17 21:01:24.0 -0500 +++ /var/lib/spamassassin/rules_du_jour 2007-06-18 12:37:44.0 -0500 @@ -907,6 +907,8 @@ [ ${SEND_THE_EMAIL} ] echo -e ${MESSAGES} | sh -c ${MAILCMD} -s \RulesDuJour Run Summary on ${HOSTNAME}\ ${MAIL_ADDRESS}; fi +grep -il 'META HTTP-EQUIV' ${TMPDIR}/*|xargs -n1 rm -f + cd ${OLDDIR}; exit; cut here rules_du_jour will still fail, but this will clean up the mess and next time (hopefully) it'll run properly. I'm plumb out of time to figure this out today so I'll revisit it later and submit a better patch. This worked here on the second go-round! Thanks! Ed Kasky ~ Randomly Generated Quote (121 of 568): It is only as we develop others that we permanently succeed. - Harvey S. Firestone
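Review bot: The added line "grep -il 'META HTTP-EQUIV' ${TMPDIR}/*|xargs -n1 rm -f" expands ${TMPDIR} unquoted and without checking that it is set, so an empty value turns the glob into /* and the script, which runs as root here, would delete matching files at the top of the filesystem. File names containing whitespace are also split by xargs. Suggest testing that TMPDIR is non-empty and a directory before this line, quoting the variable, and passing names NUL-separated to "rm -f --" where the local grep and xargs support it. The match is also broad: any cached rule file that merely mentions the tag is removed, so anchoring the pattern to the start of an HTML redirect page would avoid deleting a legitimate download.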
Re: PayPal DomainKeys/DKIM whitelisting - update
Hi Mark, At 11:18 18-06-2007, Mark Martinec wrote: For completeness, here are my current rules to add few score points to yahoo and gmail mail which fails verification: header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i It's funny, I created similar rules a few weeks back. :-) I'm still verifying how effective they are. Regards, -sm
Re: Problem with sa-update and ImageInfo
Anthony Peacock wrote: Hi Daryl, Thanks for getting back to me. But... I don't have 3.2 installed. Which I would have known if I read the debug output, rather than just trying the config files. I'll try it out with 3.1.8. Daryl
Re: Troubleshooting SA: regex time_t 3 min delays
Peter, I blew away SA today and am re-installing via CPAN - I think it may be something to do w/ my Perl installation as a whole... Plausible??? Can't say, my first suspects would be DNS resolver or complex regexps. I've reinstalled 3 times w/ the same appalling results 10-15 minute scanning... the SA and Amavis builds are by the book! Plus I've got other working machines that provide the basis of the limited configuration options... I'm just about at the end of my tether... Try the following patch (adds some debug logging) and repeat your exercise with: su vscan -c 'spamassassin -t -D test.msg' 2>&1 | timestamp --- Mail/SpamAssassin/Plugin/Check.pm~ Fri Jun 8 14:55:28 2007 +++ Mail/SpamAssassin/Plugin/Check.pm Wed Jun 13 18:23:59 2007 @@ -578,4 +578,5 @@ } } + dbg(rules: finished run body rule '.$rulename.'); '; } @@ -891,4 +892,7 @@ $self-{test_log_msgs} = (); '; +$evalstr .= ' + dbg(rules: about to run eval rule $rulename); +' if would_log('dbg'); # only need to set current_rule_name for plugin evals Is the message suspicious in any way (like: very long, or many addresses in a mail header, ...)? Mark
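Review bot: In the @@ -578 hunk the added "finished run body rule" dbg call is written into the generated code unconditionally, while the eval-rule message in the @@ -891 hunk is appended only "if would_log('dbg')". Apply the same guard to the body-rule line so that every compiled body rule does not carry a logging call when debugging is off.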
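Review bot: The @@ -891 hunk logs only "about to run eval rule" and the body-rule hunk logs only "finished", so neither kind of rule is bracketed on both sides and the per-rule duration has to be inferred from whatever line happens to follow. Emitting a start and a finish message for each would let the timestamp output be read directly. Also, $rulename is left inside the quoted string here but spliced in with '.$rulename.' in the first hunk; confirm the variable is in scope when the generated eval code runs, or use the same splice.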
Re: Bayes isn't working
At 11:15 AM 6/18/2007, Theo Van Dinter wrote: My guess is that you're learning into a different DB than the one you're trying to scan from. Do a learn with -D and then a dump with -D and compare. I had this problem with the default install on OS X, Apple in their infinite wisdom has two different folders, one that SA learns to and one that SA reads from. This is fixed by deleting one and putting in a link to the other. -- Jerry Durand, Durand Interstellar, Inc. www.interstellar.com tel: +1 408 356-3886, USA toll free: 1 866 356-3886 Skype: jerrydurand
Problem with sa-learn in exmh 2.7.2
Mon Jun 18 09:30:59 EDT 2007 The ArchiveIterator perl module is producing an error message. I tried to find a solution with the SpamAssassin user group. There was some user correspondence on this bug, but the proposed patch already seems to be incorporated as of SpamAssassin version 3.1.8. My system is a Mac PowerBook G4 running OS X v 10.4.9. I have exmh 2.7.2 with nmh 1.2 (+ spamassassin v 3.2.0) installed and working fine in all other respects. It seems to be a problem with the ArchiveIterator not recognizing the standard input from within exmh. Could someone tell me whether sa-learn is still functioning? I would be grateful for any advice. The exmh log follows. 09:04:55 (3.153) Bogo spam 09:04:55 (0.005) Marking 1 msg as SPAM 09:04:55 (0.032) Bogo {spamprog=sa-learn --spam,} message=\1332\, action=\refile\ 09:04:55 (0.018) exec {sa-learn --spam /Users/hardy/Mail/inbox/1332} 09:05:06 (10.770) Learned tokens from 1 message(s) (1 message(s) examined) archive-iterator: invalid (undef) format in target list, 2 at /Library/Perl/5.8.6/Mail/SpamAssassin/ArchiveIterator.pm line 455, STDIN line 1. 09:05:06 (0.018) Bogo refile spam to junk 09:05:06 (0.003) = junk 09:05:06 (0.007) {cur: 1332 = } 09:05:06 (0.001) Writing /Users/hardy/Mail/inbox/.mh_sequences 09:05:06 (0.051) 09:05:06 (0.034) Changes pending; End of folder On the SpamAssassin user site, I found the following: if sa-learn is called without a target (e.g. for stdin input), the message is warned: archive-iterator: invalid (undef) format in target list, 2 at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/ArchiveIterator.pm line 727, STDIN line 1. A simple solution right now is to specify '-' as the target when using stdin. OBS: 3.1.8 is not available in bugzilla yet. In my case, the error message states that the error is on line 455. Can you advise on how to achieve the proposed solve: a simple solution right now is to specify '-' as the target when using stdin? 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Matthew P. Hardy, PhD Population Council Senior Scientist Adjunct Faculty The Rockefeller University Tele. (212) 327-8754 1230 York Ave. FAX (212) 327-7678 New York, NY 10021 Skype (213) 984-4962 or hardymp (online) e-mail [EMAIL PROTECTED] Web www.popcouncil.org/staff/bios/Hardy_M/hardy_m.html
Re: Problem with sa-learn in exmh 2.7.2
On Mon, Jun 18, 2007 at 04:33:31PM -0400, Hardy, Matthew wrote: The ArchiveIterator perl module is producing an error message. I tried to find a solution with the SpamAssassin user group. There was some user correspondence on this bug, but the proposed patch already seems to be incorporated as of SpamAssassin version 3.1.8. archive-iterator: invalid (undef) format in target list, 2 at /Library/Perl/5.8.6/Mail/SpamAssassin/ArchiveIterator.pm line 455, STDIN https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5336 It missed the 3.1.9 release, unfortunately, but will be out in an as of yet non-planned 3.1.10 release. how to achieve the proposed solve: a simple solution right now is to specify '-' as the target when using stdin? Sure. Specify - as the target when you run sa-learn. :) ie: instead of piping to "sa-learn your options", pipe to "sa-learn your options -". -- Randomly Selected Tagline: Yeah ... You can give pilots guns ... or here's an idea: Why don't you make damn sure the airport is secure!?!? - Lewis Black, The Daily Show 2002.07.17
Re: Environment variables in local.cf, individual bayes_path
Hi, I've overlooked the spamd-option --virtual-conf-dir. But unfortunately, I can't use this option with sql-support for the user_prefs (-q). Does someone have an idea? Perhaps, the only solution is to write a script, which extracts the user_prefs from the sql-db and writes them to the user_prefs-file located in the virtual-conf-dir-folder... Regards, Gregor Dschung Gregor Dschung wrote: Hello, I have to use individual bayes-dbs for virtual users and domains (everything is stored in a mysql-db). The user_prefs are stored in the mysql-db, too. Because there are no local users, I can't use ~/.spamassassin/bayes For example, if I use the domain dschung.de or dschung.com, I would like to set bayes_path to /var/syscpvmail/.spamassassin/dschung.de or .com/bayes. For security reasons, it isn't allowed to set bayes_path through the user_prefs. I have to use spamc - spamd, so I can't call spamassassin directly. So I thought, I could use environment variables in the bayes_path option in the local.cf. I've tried bayes_path /var/syscpvmail/.spamassassin/_DOMAIN_/bayes but _DOMAIN_ won't be substituted. I also tried to set an environment variable with maildrop just before spamc is called, (`DOMAIN=$(echo $LOGNAME | cut -s -d@ -f2)`), and I set bayes_path in local.cf to /var/syscpvmail/.spamassassin/$DOMAIN/bayes, but this won't be substituted at all. I've searched already the web, but can't find any solution for my problem. I'm using spamassassin 3.1.8 and maildrop 2.0.2. Hope, someone can help me :) Regards, Gregor Dschung
Folks using amavisd-new and SA...
Just a quick question to those that are using those two together. I have: $max_servers = 10; $max_requests = 15; in amavisd.conf. But the box's load average seems to be hovering around 2.00 all the time. Sometimes a little lower, sometimes higher. Quad 500mhz Xeon, ultra 160gb disks, 1gb RAM. It's a PowerEdge 6350. What do you guys have set for max_servers stuff and what kind of hardware? What kind of performance are you seeing? And how well have you found amavisd-new, postfix and SpamAssassin to interact? (note: please don't tell me to switch to mailscanner yet. hah.) This setup has been working well for quite a while but I'm almost wondering if it's time to upgrade. Has greylisting helped you out at all? Thanks! -- Jonathan
Re: Folks using amavisd-new and SA...
On Mon, 2007-06-18 at 17:38 -0700, Jonathan Nichols wrote: Just a quick question to those that are using those two together. I have: $max_servers = 10; $max_requests = 15; in amavisd.conf. But the box's load average seems to be hovering around 2.00 all the time. Sometimes a little lower, sometimes higher. Make sure your Postfix config allows 10 concurrent connections (master.cf): smtp-amavis unix - - n - 10 smtp If that 10 is a 2 that's the problem. What do you guys have set for max_servers stuff and what kind of hardware? What kind of performance are you seeing? I have it set at 2 for a hobby server and 4 for a low-load server. And how well have you found amavisd-new, postfix and SpamAssassin to interact? Been running great for me for a few years. Has greylisting helped you out at all? Yep, if your users will put up with the delay. Derek
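Added example (not part of the original message, and not code from amavisd-new or Postfix): a Python check that the process limit on the smtp-amavis line in master.cf agrees with $max_servers in amavisd.conf, as the reply above advises. Both config texts are constructed samples using the values from the thread, and the function names and the default process limit of 100 are assumptions for the example.

```python
import re

# Constructed samples built from the values quoted in the thread.
AMAVISD_CONF = """\
# $max_servers = 2;   (commented-out lines must be ignored)
$max_servers = 10;
$max_requests = 15;
"""
MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
smtp        inet n - n - -  smtpd
smtp-amavis unix - - n - 2  smtp
    -o smtp_data_done_timeout=1200
"""


def amavis_setting(conf_text, name):
    """Return the integer assigned to $name, or None; the last assignment wins."""
    pattern = re.compile(r"^\s*\$" + re.escape(name) + r"\s*=\s*(\d+)\s*;")
    value = None
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            value = int(m.group(1))
    return value


def master_maxproc(master_text, service, default_limit=100):
    """Return the maxproc field (7th column) of a master.cf service entry.

    A '-' means the site-wide default process limit; 100 is assumed here.
    """
    for line in master_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue  # blank line, comment, or continuation of the previous entry
        fields = line.split()
        if len(fields) >= 8 and fields[0] == service:
            return default_limit if fields[6] == "-" else int(fields[6])
    return None


def check_concurrency(conf_text, master_text, service="smtp-amavis"):
    """Compare Postfix's limit for the amavis transport with amavisd's children."""
    servers = amavis_setting(conf_text, "max_servers")
    maxproc = master_maxproc(master_text, service)
    if servers is None or maxproc is None:
        return ("unknown", servers, maxproc)
    if maxproc == 0 or maxproc > servers:  # 0 means no limit in master.cf
        return ("too_high", servers, maxproc)
    if maxproc < servers:
        return ("too_low", servers, maxproc)
    return ("ok", servers, maxproc)


if __name__ == "__main__":
    print(check_concurrency(AMAVISD_CONF, MASTER_CF))
```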
RE: Folks using amavisd-new and SA...
Just a quick question to those that are using those two together. I have: $max_servers = 10; $max_requests = 15; in amavisd.conf. But the box's load average seems to be hovering around 2.00 all the time. Sometimes a little lower, sometimes higher. That is low for a quad CPU system. You want to keep load under 2.00 *per CPU*. Quad 500mhz Xeon, ultra 160gb disks, 1gb RAM. It's a PowerEdge 6350. What do you guys have set for max_servers stuff and what kind of hardware? What kind of performance are you seeing? Question: how many messages per day pass through SpamAssassin? And how well have you found amavisd-new, postfix and SpamAssassin to interact? Excellent. (note: please don't tell me to switch to mailscanner yet. hah.) I never would. This setup has been working well for quite a while but I'm almost wondering if it's time to upgrade. Question: on average how long does it take amavisd-new/SpamAssassin to process a message? Has greylisting helped you out at all? It can make a huge difference. If you decide to go with it you should look at some form of selective greylisting. I also use a short (59 second) delay. Thanks! -- Jonathan
Re: what happened to DATE_IN_PAST_48_96 ??
Anne wrote: Hi, DATE_IN_PAST_48_96 was taken out since 3.2.x. Why?? What happens with spam between 48 and 96 hours in the past? Looks like it was dropped due to its horribly poor performance. I can't confirm why it was dropped, but I can point to strong evidence the rule was worthless. In the 3.1.x set0 mass-checks it had a S/O of 0.649, which isn't significantly different from the whole set's S/O of 0.700. In essence, the rule seemed to match spam and nospam with more-or-less equal probability. To the extent it differed from the distribution of the test data, it favored matching nonspam. (ie: the S/O of the rule is less than the S/O of the test data) Sidenote: S/O is the Spam/overall hit ratio. If you multiply by 100, you've got what percentage of the email the rule matched was actually spam.
ImageInfo in two .pre files
I happened to notice that I had the above plugin uncommented in v312.pre and v320.pre. I haven't noticed any problems but could this cause the plugin to be loaded twice? -- Chris KeyID 0xE372A7DA98E6705C
Re: sa-update channel file
Thank you friends for your valuable inputs. Diptanjan Matthias Haegele-2 wrote: diptanjan wrote: Hi Friends, Hi! My question is, I am using update.spamassassin.org as well as other sources to update my rules. Is it possible default rules from update.spamassassin.org and other rules can conflict at any point. May be same rules set up in both places but scored different... then what? The last applied rule wins, afaik. (That depends on your environment, ...) further info man spamassassin (at: Configuration Files) TIA Diptanjan -- Grüsse/Greetings MH Dont send mail to: [EMAIL PROTECTED] --