Authenticated SMTP and RBLs
Hi,

I manage 2 smtp servers, one for outgoing and uses smtp authentication. Other incoming and scans mail using SA. Our users sometimes send mails from dialup ips which are blacklisted, but the mails always come via our authenticated smtp server. Now when one of the customers sends a mail to our incoming server from a blacklisted ip, via authenticated smtp, it gets rejected by SA, because of being blacklisted.

SA logs show

RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_NJABL_PROXY,RCVD_IN_PBL,RCVD_IN_SBL,RCVD_IN_XBL scantime=3.4,size=1687,user=simscan,uid=510,required_score=6.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=34074,mid=[EMAIL PROTECTED] om,autolearn=disabled

The first Received: line in the offending mails shows

from unknown (HELO [220.226.6.139]) ([EMAIL PROTECTED]@[220.226.6.139]) (envelope-sender [EMAIL PROTECTED]) by myserver.com (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for [EMAIL PROTECTED]; 12 Sep 2007 07:04:37 -

My question is how can our dialup users send mails when they are from blacklisted IPs.

raj
Re: List of 600,000 IP addresses of virus infected computers
Marc Perkel wrote:

If you're keen to share your development, why don't you explain to us how it works? /Per Jessen, Zürich

The details are a little too complex for this forum but the new trick is mostly based on the fact that spam bots generally don't issue the QUIT command and when combined with other factors allows me to catch spam bots on the first try.

Perhaps someone can turn this into a rule for SA to add some points. The mail-server that detects the missing QUIT could easily add a header which SA would then pick up on. But it might depend on what those other factors are.

/Per Jessen, Zürich
Re Authenticated SMTP and RBLs
Hi raj,

your server should not say SMTP in that case but ESMTPA, so that SA knows it was an auth'd message. Out of the many qmail patch packages I have seen, only one seems to do that.

Wolfgang

Rajkumar S wrote:

Hi, I manage 2 smtp servers, one for outgoing and uses smtp authentication. Other incoming and scans mail using SA. Our users sometimes send mails from dialup ips which are blacklisted, but the mails always come via our authenticated smtp server. Now when one of the customers sends a mail to our incoming server from a blacklisted ip, via authenticated smtp, it gets rejected by SA, because of being blacklisted.

SA logs show

RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_NJABL_PROXY,RCVD_IN_PBL,RCVD_IN_SBL,RCVD_IN_XBL scantime=3.4,size=1687,user=simscan,uid=510,required_score=6.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=34074,mid=[EMAIL PROTECTED] om,autolearn=disabled

The first Received: line in the offending mails shows

from unknown (HELO [220.226.6.139]) ([EMAIL PROTECTED]@[220.226.6.139]) (envelope-sender [EMAIL PROTECTED]) by myserver.com (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for [EMAIL PROTECTED]; 12 Sep 2007 07:04:37 -

My question is how can our dialup users send mails when they are from blacklisted IPs.

raj
Re: Authenticated SMTP and RBLs
Rajkumar S wrote:

Hi, I manage 2 smtp servers, one for outgoing and uses smtp authentication. Other incoming and scans mail using SA. Our users sometimes send mails from dialup ips which are blacklisted, but the mails always come via our authenticated smtp server. Now when one of the customers sends a mail to our incoming server from a blacklisted ip, via authenticated smtp, it gets rejected by SA, because of being blacklisted. SA logs show

If you're using SA 3.2.0 or later add the MSA server IP to msa_networks (and be sure to configure trusted_networks accordingly).

Daryl
Perl error after upgrade to 3.2.3
Apologies if I am asking in the wrong place, since I can see that there are several possible reasons.

We have just upgraded to SpamAssassin 3.2.3 on an elderly 386 box running Red Hat 9. At the same time I used CPAN to upgrade any out-of-date perl modules. Now, when SA starts, we get the following error:

Starting SpamAssassin daemon...
[23172] error: Can't locate Sys/Syslog/Win32.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.8.8/i686-linux /usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/5.8.8/i686-linux /usr/local/lib/perl5/5.8.8 /usr/local/lib/perl5/site_perl) at (eval 11) line 2.
[23172] error: BEGIN failed--compilation aborted at (eval 11) line 2.
done.

The error comes up twice, but SA does in fact start, and appears to be functioning normally. Does anyone know why it suddenly wants to load a Win32 module?

Jon

Jon Armitage
System Administrator, 365 Media Group
SpamAssassin wins 2007 InfoWorld Best of Open Source Software award
I'm happy to announce that we have won an InfoWorld Best Of Open Source Software BOSSIE Award, as the winner in the anti-spam category for 2007! more info here: http://www.infoworld.com/archives/t.jsp?N=sV=91650 --j.
FW: List of 700,000 IP addresses of virus infected computers
On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little to complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information. Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. Jason
Re: Perl error after upgrade to 3.2.3
Hi;

I've seen this as well. I did a cpan upgrade and upgraded all perl mods on a BSD, but not SA which was at 3.2.3. I think that may be due to an issue with Sys::Syslog v0.20. SA seems to be working fine, as you say.

[96054] error: Can't locate Sys/Syslog/Win32.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/5.8.8/BSDPAN /usr/local/lib/perl5/site_perl/5.8.8/mach /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/5.8.8/mach /usr/local/lib/perl5/5.8.8) at (eval 14) line 2.
[96054] error: BEGIN failed--compilation aborted at (eval 14) line 2.

rgds
n

Jonathan Armitage wrote:

Apologies if I am asking in the wrong place, since I can see that there are several possible reasons.

We have just upgraded to SpamAssassin 3.2.3 on an elderly 386 box running Red Hat 9. At the same time I used CPAN to upgrade any out-of-date perl modules. Now, when SA starts, we get the following error:

Starting SpamAssassin daemon...
[23172] error: Can't locate Sys/Syslog/Win32.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.8.8/i686-linux /usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/5.8.8/i686-linux /usr/local/lib/perl5/5.8.8 /usr/local/lib/perl5/site_perl) at (eval 11) line 2.
[23172] error: BEGIN failed--compilation aborted at (eval 11) line 2.
done.

The error comes up twice, but SA does in fact start, and appears to be functioning normally. Does anyone know why it suddenly wants to load a Win32 module?

Jon

Jon Armitage
System Administrator, 365 Media Group
RE: SpamAssassin wins 2007 InfoWorld Best of Open Source Software award
Congrats!! Really happy to hear that! Best Regards, Simon Teh Network and System Administrator National Advanced IPv6 Centre of Excellence, School of Computer Science, Universiti Sains Malaysia -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 12, 2007 8:33 PM To: users@SpamAssassin.apache.org Subject: SpamAssassin wins 2007 InfoWorld Best of Open Source Software award I'm happy to announce that we have won an InfoWorld Best Of Open Source Software BOSSIE Award, as the winner in the anti-spam category for 2007! more info here: http://www.infoworld.com/archives/t.jsp?N=sV=91650 --j.
Re: FW: List of 700,000 IP addresses of virus infected computers
Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little to complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information. Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. Jason +1 It's a waste of time. Other subjects posted by M. Perkel: The best way to use Spamassassin is to not use Spamassassin and the very humorous, What changes would you make to stop spam? - United Nations Paper, there are dozens of other equally off topic and troll-like posts here by M. Perkel. It's clearly turned from plain ignorance of the rules of this list to marketing his junk list now, and that really doesn't belong here. Ken -- Ken Anderson Pacific.Net
Re: FW: List of 700,000 IP addresses of virus infected computers
I back Ken and Jason on this one. It's a waste of time. -Jeff Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little to complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information. Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. Jason
Re: FW: List of 700,000 IP addresses of virus infected computers
On Wed, 12 Sep 2007 at 08:40 -0500, [EMAIL PROTECTED] confabulated: Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little to complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information. Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. Jason +1 It's a waste of time. Other subjects posted by M. Perkel: The best way to use Spamassassin is to not use Spamassassin and the very humorous, What changes would you make to stop spam? - United Nations Paper, there are dozens of other equally off topic and troll-like posts here by M. Perkel. It's clearly turned from plain ignorance of the rules of this list to marketing his junk list now, and that really doesn't belong here. Ken -- Ken Anderson Pacific.Net +1 Mr. Perkel has been warned before (at least twice that I can recall) about bringing his off-topic stuff to this list. -- _|_ (_| |
Re: SpamAssassin wins 2007 InfoWorld Best of Open Source Software award
On Wed, 12 Sep 2007 at 13:32 +0100, [EMAIL PROTECTED] confabulated: I'm happy to announce that we have won an InfoWorld Best Of Open Source Software BOSSIE Award, as the winner in the anti-spam category for 2007! more info here: http://www.infoworld.com/archives/t.jsp?N=sV=91650 Awesome! Congrats to all who have aided in the development! -- _|_ (_| |
RE: List of 700,000 IP addresses of virus infected computers
-Original Message- From: Jason Bertoch [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 12, 2007 8:54 AM To: users@spamassassin.apache.org Subject: FW: List of 700,000 IP addresses of virus infected computers On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little to complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information. Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. Marc's topic is better suited for Spam-L. Good luck with it there :) This is a Spamassassin specific list. If the topic doesn't pertain directly to SA in some way, it doesn't belong. (We make exceptions when discussing how freaking creepy that old pink ninja was!) --Chris (13 days until Halo flu.)
RE: SpamAssassin wins 2007 InfoWorld Best of Open Source Software award
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 12, 2007 8:33 AM To: users@spamassassin.apache.org Subject: SpamAssassin wins 2007 InfoWorld Best of Open Source Software award I'm happy to announce that we have won an InfoWorld Best Of Open Source Software BOSSIE Award, as the winner in the anti-spam category for 2007! more info here: http://www.infoworld.com/archives/t.jsp?N=sV=91650 Congrats! But...um... who the heck was the competition? :) --Chris
Scan Time Problem After Upgrade
We began upgrading to 3.2.3 from 3.2.1. There are 5 machines. On the first machine prior to the upgrade the average scan time for a message was 2 to 4 seconds, fairly consistent at 2.5 or so seconds. After upgrading the same systems now have a scan time of 7 or more seconds.

Not sure if this was a message related issue so we upgraded the second machine that was running the same way. Again, after the upgrade the scan times doubled or more. We then downgraded back to 3.2.1 on the first machine and the scan times went back to the lower time.

Everything looks like it's configured the same way. Anyone know what we may be experiencing?

GA

-- View this message in context: http://www.nabble.com/Scan-Time-Problem-After-Upgrade-tf4429657.html#a12636664 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: List of 600,000 IP addresses of virus infected computers
Per Jessen wrote:

Marc Perkel wrote:

If you're keen to share your development, why don't you explain to us how it works? /Per Jessen, Zürich

The details are a little too complex for this forum but the new trick is mostly based on the fact that spam bots generally don't issue the QUIT command and when combined with other factors allows me to catch spam bots on the first try.

Perhaps someone can turn this into a rule for SA to add some points. The mail-server that detects the missing QUIT could easily add a header which SA would then pick up on. But it might depend on what those other factors are. /Per Jessen, Zürich

It might be a good rule for SA except for one problem. SA doesn't have any way to detect the lack of the QUIT. Even in Exim the message being received is done after the last period is sent. So you can't attach any kind of information about quit to the message.

What I'm doing is using Exim's ACL variables in the NOTQUIT acl to feed information into my blacklist database so that my servers and anyone using my blacklists know to just drop the connection the next time. Generally I have already detected the message as possible spam by that point but when I combine it with the lack of a quit then it gets promoted to blacklist status.
Suggestion to developers
SpamAssassin is a really great product. But, it is perl-based and checks every message with a lot of (all) rules (, always!). Volume of spam is constantly increasing, as well as CPU and memory load that SA creates on servers.

As a SA user, I would be happy to have the following possibility in the next version:

1. Add an option which will allow to limit number of rules run against every message. I.e., if the limit of spam points is reached to required_score, stop further checking and process the message as a spam. I think, not all users really interested in gathering all statistics about all spam messages.

2. According to (1), it makes sense to sort all rules from lightweight to heavyweight (including ones which require internet queries) and make checking in this order.

This could allow to lower SA footprint.

Thanks.

-- View this message in context: http://www.nabble.com/Suggestion-to-developers-tf4429767.html#a12637043 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: SpamAssassin wins 2007 InfoWorld Best of Open Source Software award
Justin Mason wrote: I'm happy to announce that we have won an InfoWorld Best Of Open Source Software BOSSIE Award, as the winner in the anti-spam category for 2007! more info here: http://www.infoworld.com/archives/t.jsp?N=sV=91650 --j. Well deserved, all. Outstanding product, you do not know how much SA has helped me out. TC
Re: FW: List of 700,000 IP addresses of virus infected computers
Duane Hill wrote:

On Wed, 12 Sep 2007 at 08:40 -0500, [EMAIL PROTECTED] confabulated:

Jason Bertoch wrote:

On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote:

The details are a little to complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information.

Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. Jason

+1 It's a waste of time. Other subjects posted by M. Perkel: The best way to use Spamassassin is to not use Spamassassin and the very humorous, What changes would you make to stop spam? - United Nations Paper, there are dozens of other equally off topic and troll-like posts here by M. Perkel. It's clearly turned from plain ignorance of the rules of this list to marketing his junk list now, and that really doesn't belong here. Ken -- Ken Anderson Pacific.Net

+1 Mr. Perkel has been warned before (at least twice that I can recall) about bringing his off-topic stuff to this list. -- _|_ (_| |

+1

First of all, my apologies for my faux pas from yesterday (OT posting about net etiquette), but it is somehow really an oxymoron to get spammed with OT mails from a spam identification software technical mailing list. If I want to learn about MX or DBL or general themes about spam prevention I will find an appropriate source.

Matthias
debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
I've somehow made it onto spam list that isn't being picked up by RBLs or by bayes. All messages have a url that looks like this (where X's are all digits): http://aero-dog.com/1-23-28276-45381XXX.html All messages are originating from 206.131.x.x and I have been submitting them to spamcop. A sample message is here: http://bubba.org/spam/newspam1.txt Any suggestions for detecting this? My bayes has been pretty much spot on for months, so this has me puzzled. Thanks, Brian
Summary - Handling Spam Surges
Here is a summary of all the responses. Thanks to all who responded, your suggestions have been very helpful.

We will
- reduce the number of SA max-children
- look at ratelimit in exim
- only spam scan messages under a certain size

Aaron Wolfe

We reduce the messages bound for SA to less than 10% of our traffic by a combination of postfix UCE checks, a couple very accurate RBLs, selective greylisting and our own whitelist. When the surges/DOS happen, they tend to increase the number of messages thrown away but rarely affect the volume running through SA.

Dave Funk

With only 2GB of memory you could die in swapping hell with max-children=150. Each SA process will take 30~60 MBytes of RSS (depending upon addition of optional rules plugins). This means that 150 children could take 5GB of ram, thus hitting your swap hard. Either add more RAM or reduce that max-children. To prevent melt-down from surges/DoS attacks some kind of incoming SMTP rate limiting is the way to go (with that small a setup). This would be done by your Exim config, ask the Exim list for suggestions on this.

Michael Scheidell

Handle it in the MTA. Best to block all unknown recipients at least. The rest of what to do in the MTA depends on what MTA you have. Once the MTA is finished with it then pass it to SA. If under attack, only thing you can do to help SA is disable network tests till it's done. Visit the mailing list or FAQ's of the MTA you are using for more help on this. (example: smtp connection limiting, session tarpitting, even some firewall rules to limit concurrent connections might help)

===

Thanks
Paul
Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
On Wednesday 12 September 2007 17:04:40 Brian Wilson wrote:

I've somehow made it onto spam list that isn't being picked up by RBLs or by bayes. All messages have a url that looks like this (where X's are all digits): http://aero-dog.com/1-23-28276-45381XXX.html All messages are originating from 206.131.x.x and I have been submitting them to spamcop. A sample message is here: http://bubba.org/spam/newspam1.txt Any suggestions for detecting this? My bayes has been pretty much spot on for months, so this has me puzzled. Thanks, Brian

Result here:

 1.7 SARE_RECV_IP_206131  Spam passed through possible spammer relay
 0.1 FORGED_RCVD_HELO     Received: contains a forged HELO
 3.0 BAYES_80             BODY: Bayesian spam probability is 80 to 95%
                          [score: 0.9279]
 3.0 URIBL_OB_SURBL       Contains an URL listed in the OB SURBL blocklist
                          [URIs: frosty-saver.com]

--
Benjamin E. Zeller
Ing.-Büro Hohmann
Bahnhofstr. 34
D-82515 Wolfratshausen
Tel.: +49 (0)8171 347 88 12
Mobil: +49 (0)160 99 11 55 23
Fax: +49 (0)8171 910 778
mailto: [EMAIL PROTECTED]
www.ibh-wor.de
RE: Suggestion to developers
In order to implement something like this, you would need to know the order of rules processing (which perhaps there is one - but I don't know it). You would need to be careful if you have rules which will assign negative scores which typically do so after other rules have already given positive ones. Every SA implementation would be unique, so SA would have to be modified to rules some specific rule sets first before any others (maybe it does now?) and you would then want to make certain your custom scores go into those files. In my own implementation, I put my custom rules into a unique .cf file which I have created so I can distinguish it from other rule sets. The out-of-the-box SA wouldn't run this file first (unless SA can be modified to read a designated file before it reads others). -Original Message- From: Crocomoth [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 12, 2007 9:42 AM To: users@spamassassin.apache.org Subject: Suggestion to developers SpamAssassin is a really great product. But, it is perl-based and checks every message with a lot of (all) rules (, always!). Volume of spam is constantly increasing, as well as CPU and memory load that SA creates on servers. As a SA user, I would be happy to have the following possibility in the next version: 1. Add an option which will allow to limit number of rules run against every message. I.e., if the limit of spam points is reached to required_score, stop further checking and process the message as a spam. I think, not all users really interested in gathering all statistics about all spam messages. 2. According to (1), it makes sense to sort all rules from lightweight to heavyweight (including ones which require internet queries) and make checking in this order. This could allow to lower SA footprint. Thanks. -- View this message in context: http://www.nabble.com/Suggestion-to-developers-tf4429767.html#a12637043 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
RE: Suggestion to developers
Of course, this would not be simple to implement, but, I think, as SA becomes more heavy, developers will be forced to find ways of scissoring.

To preserve negative scores, SA could run these rules first. And, while sorting, SA should take into account possible dependencies between rules - read all rules from all config files and build a forest of rule trees. I think, SA does this anyways and all custom rules will be included into a set of rules in memory.

Sort order, for simplicity, could be from rules with high score to ones with low score. And even this could help greatly.

Skip Brott wrote:

In order to implement something like this, you would need to know the order of rules processing (which perhaps there is one - but I don't know it). You would need to be careful if you have rules which will assign negative scores which typically do so after other rules have already given positive ones. Every SA implementation would be unique, so SA would have to be modified to rules some specific rule sets first before any others (maybe it does now?) and you would then want to make certain your custom scores go into those files. In my own implementation, I put my custom rules into a unique .cf file which I have created so I can distinguish it from other rule sets. The out-of-the-box SA wouldn't run this file first (unless SA can be modified to read a designated file before it reads others).

-Original Message- From: Crocomoth [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 12, 2007 9:42 AM To: users@spamassassin.apache.org Subject: Suggestion to developers

SpamAssassin is a really great product. But, it is perl-based and checks every message with a lot of (all) rules (, always!). Volume of spam is constantly increasing, as well as CPU and memory load that SA creates on servers. As a SA user, I would be happy to have the following possibility in the next version:

1. Add an option which will allow to limit number of rules run against every message. I.e., if the limit of spam points is reached to required_score, stop further checking and process the message as a spam. I think, not all users really interested in gathering all statistics about all spam messages.

2. According to (1), it makes sense to sort all rules from lightweight to heavyweight (including ones which require internet queries) and make checking in this order.

This could allow to lower SA footprint. Thanks.

-- View this message in context: http://www.nabble.com/Suggestion-to-developers-tf4429767.html#a12637043 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

-- View this message in context: http://www.nabble.com/Suggestion-to-developers-tf4429767.html#a12638411 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
RE: Suggestion to developers
The most effective way I've found to lower the SA footprint is to limit the mail that gets to it by using some triage on the MTA side. SA as a standalone tool might benefit from some kind of triage functionality to kill messages immediately as per a blacklist rule. The blacklist rule(s) would be run against the messages before the normal ruleset was applied. If any of the blacklist rules were triggered, the message would be dropped without further scanning. I am not sure that messages after positive blacklist check will be dropped. As far as I see, SA just adds 100 points to this message and continues checking. And I am not sure about the order of rules in checking process. -- View this message in context: http://www.nabble.com/Suggestion-to-developers-tf4429767.html#a12638431 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
I've somehow made it onto spam list that isn't being picked up by RBLs or by bayes. All messages have a url that looks like this (where X's are all digits): http://aero-dog.com/1-23-28276-45381XXX.html All messages are originating from 206.131.x.x and I have been submitting them to spamcop. A sample message is here: http://bubba.org/spam/newspam1.txt Any suggestions for detecting this? My bayes has been pretty much spot on for months, so this has me puzzled. Thanks, Brian

Result here

Content analysis details: (12.7 points, 5.0 required)

 pts rule name                  description
---- -------------------------- ------------------------------------------
 1.6 SUBJ_ILLEGAL_CHARS         Subject: has too many raw illegal characters
 2.0 BAYES_80                   BODY: Bayesian spam probability is 80 to 95%
                                [score: 0.9391]
 1.5 RAZOR2_CF_RANGE_E8_51_100  Razor2 gives engine 8 confidence level above 50%
                                [cf: 91]
 0.5 RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
                                [cf: 91]
 2.2 DCC_CHECK                  Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.5 URIBL_OB_SURBL             Contains an URL listed in the OB SURBL blocklist
                                [URIs: frosty-saver.com]
 2.0 URIBL_BLACK                Contains an URL listed in the URIBL blacklist
                                [URIs: frosty-saver.com]
 1.0 DIGEST_MULTIPLE            Message hits more than one network digest check
 0.0 SUBJECT_NEEDS_ENCODING     SUBJECT_NEEDS_ENCODING
Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
On Wed, 12 Sep 2007, Brian Wilson wrote:

I've somehow made it onto spam list that isn't being picked up by RBLs or by bayes. All messages have a url that looks like this (where X's are all digits): http://aero-dog.com/1-23-28276-45381XXX.html All messages are originating from 206.131.x.x and I have been submitting them to spamcop. A sample message is here: http://bubba.org/spam/newspam1.txt Any suggestions for detecting this? My bayes has been pretty much spot on for months, so this has me puzzled.

The sample was older so that is probably why it is being picked up, but the newer samples from here are not getting scored from RBL's. I added this URI rule to pick these up:

uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/
score FROSTY_SAVER_URI 10

I'm sure someone will complain that they have a better regex, but it's working for me.

Brian
FW: FW: List of 700,000 IP addresses of virus infected computers
On Wednesday, September 12, 2007 10:51 AM Marc Perkel wrote: Why don't you add me to your black hole list? I've added you to mine. That way you don't have to see what I post. I'm happy not seeing what you post. And - don't bother replying because I won't get it. Can we please do something about this guy?!? Jason
Re: FW: List of 700,000 IP addresses of virus infected computers
I just got this personal email from him: Why don't you add me to your black hole list? I've added you to mine. That way you don't have to see what I post. I'm happy not seeing what you post. And - don't bother replying because I won't get it. I don't believe warnings are in order any longer for him. It's time he's cut off. -Jeff Duane Hill wrote: On Wed, 12 Sep 2007 at 08:40 -0500, [EMAIL PROTECTED] confabulated: Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little to complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information. Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. Jason +1 It's a waste of time. Other subjects posted by M. Perkel: The best way to use Spamassassin is to not use Spamassassin and the very humorous, What changes would you make to stop spam? - United Nations Paper, there are dozens of other equally off topic and troll-like posts here by M. Perkel. It's clearly turned from plain ignorance of the rules of this list to marketing his junk list now, and that really doesn't belong here. Ken -- Ken Anderson Pacific.Net +1 Mr. Perkel has been warned before (at least twice that I can recall) about bringing his off-topic stuff to this list. -- _|_ (_| |
Re: List of 600,000 IP addresses of virus infected computers
Per Jessen wrote:

Perhaps someone can turn this into a rule for SA to add some points. The mail-server that detects the missing QUIT could easily add a header which SA would then pick up on. But it might depend on what those other factors are.

Part of the problem here is that a QUIT is a session oriented issue, where a single SMTP session may have multiple messages. Consider a session where the spambot generates 10 messages in one SMTP connection. If you want to track "this message didn't have an SMTP-QUIT", then your MTA can't release the message UNTIL all 10 of the messages have been submitted. That could dramatically increase the number of open files for an MTA, which could in turn lead to a denial of service vulnerability.

This entirely prevents being able to do spam filtering _during_ the SMTP session, as well (ie. have a milter which runs the message through spam assassin at the DATA phase of the SMTP session, and gives an accept/temp-fail/reject response based upon the content of the DATA). Since the rule depends upon the QUIT, but the QUIT can't happen before SA has to be finished scanning the message, that means that _every_ message will have the "lack of SMTP-QUIT" rule trigger.

I can see it being part of a host's reputation score (what percentage of connections does it generate a quit?), or part of a blacklist, but I think it would break too many receiver-sites if you tried to do it as a direct SA rule.
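The per-host reputation idea from the post above, as an added example that is not part of the original thread: it counts, per client IP, how many finished SMTP sessions ended with QUIT. The log format, the thresholds and all addresses are assumptions constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed session log. The sid=/ip=/event= line format is invented for
# this example; it is not the native log format of Exim or any other MTA.
SAMPLE_LOG = """\
2007-09-12T07:04:01 sid=a1 ip=192.0.2.10 event=connect
2007-09-12T07:04:02 sid=a1 ip=192.0.2.10 event=message
2007-09-12T07:04:02 sid=b1 ip=198.51.100.7 event=connect
2007-09-12T07:04:03 sid=a1 ip=192.0.2.10 event=message
2007-09-12T07:04:03 sid=b1 ip=198.51.100.7 event=message
2007-09-12T07:04:04 sid=b1 ip=198.51.100.7 event=message
2007-09-12T07:04:04 sid=a1 ip=192.0.2.10 event=quit
2007-09-12T07:04:04 sid=a1 ip=192.0.2.10 event=disconnect
2007-09-12T07:04:05 sid=b1 ip=198.51.100.7 event=message
2007-09-12T07:04:05 sid=b1 ip=198.51.100.7 event=disconnect
2007-09-12T07:05:10 sid=b2 ip=198.51.100.7 event=connect
2007-09-12T07:05:11 sid=b2 ip=198.51.100.7 event=message
2007-09-12T07:05:11 sid=b2 ip=198.51.100.7 event=disconnect
2007-09-12T07:06:20 sid=a2 ip=192.0.2.10 event=connect
2007-09-12T07:06:21 sid=a2 ip=192.0.2.10 event=message
2007-09-12T07:06:22 sid=a2 ip=192.0.2.10 event=quit
2007-09-12T07:06:22 sid=a2 ip=192.0.2.10 event=disconnect
2007-09-12T07:07:30 sid=b3 ip=198.51.100.7 event=connect
2007-09-12T07:07:31 sid=b3 ip=198.51.100.7 event=message
2007-09-12T07:07:31 sid=b3 ip=198.51.100.7 event=disconnect
2007-09-12T07:08:40 sid=c1 ip=203.0.113.5 event=connect
2007-09-12T07:08:41 sid=c1 ip=203.0.113.5 event=message
"""

LINE = re.compile(r"^\S+ sid=(\S+) ip=(\S+) event=(\w+)$")


def finished_sessions(log_text):
    """Return one record per session that has reached 'disconnect'.

    Whether a client sent QUIT is only known once the session is over, so a
    session that is still open (c1 in the sample) produces no record yet.
    Messages accepted inside a session are therefore never held back.
    """
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the constructed format
        sid, ip, event = m.groups()
        if event == "connect":
            open_sessions[sid] = {"ip": ip, "messages": 0, "quit": False}
        elif sid in open_sessions:
            session = open_sessions[sid]
            if event == "message":
                session["messages"] += 1
            elif event == "quit":
                session["quit"] = True
            elif event == "disconnect":
                finished.append(open_sessions.pop(sid))
    return finished


def host_reputation(sessions):
    """Aggregate per client IP: sessions, messages, share ending in QUIT."""
    stats = defaultdict(lambda: {"sessions": 0, "with_quit": 0, "messages": 0})
    for s in sessions:
        entry = stats[s["ip"]]
        entry["sessions"] += 1
        entry["messages"] += s["messages"]
        entry["with_quit"] += int(s["quit"])
    for entry in stats.values():
        entry["quit_ratio"] = entry["with_quit"] / entry["sessions"]
    return dict(stats)


def hosts_to_watch(reputation, min_sessions=3, max_quit_ratio=0.2):
    """Hosts seen often enough whose sessions rarely end with QUIT.

    Both thresholds are illustrative assumptions, not tuned values. The
    result informs how the *next* connection from a host is treated.
    """
    return sorted(
        ip for ip, e in reputation.items()
        if e["sessions"] >= min_sessions and e["quit_ratio"] <= max_quit_ratio
    )


if __name__ == "__main__":
    rep = host_reputation(finished_sessions(SAMPLE_LOG))
    for ip, e in sorted(rep.items()):
        print(ip, e)
    print("watch:", hosts_to_watch(rep))
```
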
Re: debbie-dealz / frosty-saver / got-hyrda / aero-dog spam
On Wed, 12 Sep 2007, Brian Wilson wrote:

uri FROSTY_SAVER_URI /^http\:\/\/[\S\-]+\/[\d\-]+.html/ score

Escape that period.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It's easy to be noble with other people's money. -- John McKay, _The Welfare State: No Mercy for the Middle Class_
---
5 days until the 220th anniversary of the signing of the U.S. Constitution
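What escaping the period changes, checked against constructed URLs, as an added example that is not part of the original posts. Python's re stands in for Perl's regex engine here; the TIGHTER pattern and every sample URL are assumptions made for this illustration, and the example goes one step beyond the reply by also showing what the unanchored host and path classes let through.

```python
import re

# Python's re stands in for the Perl regex engine SpamAssassin uses; every
# construct in these three patterns behaves the same in both.
AS_POSTED = re.compile(r"^http\:\/\/[\S\-]+\/[\d\-]+.html")
PERIOD_ESCAPED = re.compile(r"^http\:\/\/[\S\-]+\/[\d\-]+\.html")
# Assumption: a tighter pattern written for this example from the URL shape
# described in the thread (host, then four hyphen-separated digit groups).
TIGHTER = re.compile(r"^http://[^/\s]+/\d+-\d+-\d+-\d+\.html$")

PATTERNS = (
    ("as_posted", AS_POSTED),
    ("period_escaped", PERIOD_ESCAPED),
    ("tighter", TIGHTER),
)

# Constructed URLs. SPAM_LIKE uses the path shape reported in the thread on
# placeholder hosts; HAM_LIKE are ordinary-looking links.
SPAM_LIKE = [
    "http://spam-host.example/1-23-28276-45381123.html",
    "http://other-host.example/1-23-28276-45381987.html",
]
HAM_LIKE = [
    "http://docs.example.org/2007-09xhtml-notes",
    "http://news.example.org/archive/2007/09-12.html",
    "http://shop.example.com/item/12345.html",
    "http://www.example.net/about.html",
]


def hits(pattern, urls):
    """URLs the pattern fires on, in input order."""
    return [u for u in urls if pattern.search(u)]


def compare(spam=SPAM_LIKE, ham=HAM_LIKE):
    """For each pattern: how many spam-like URLs it catches and which
    ham-like URLs it would also score."""
    return {
        name: {"spam_caught": len(hits(p, spam)), "ham_hit": hits(p, ham)}
        for name, p in PATTERNS
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result["spam_caught"], result["ham_hit"])
```

With a score of 10 against a 5.0 threshold, each entry under `ham_hit` would be a legitimate message marked as spam on this rule alone.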
Re: Authenticated SMTP and RBLs
Hi, while setting proper trust relations can solve the problem for mails internal to the system, without that auth'd bit in the received header everybody outside the system will still see the message as coming from a dialup and passing through a potential open relay

Wolfgang Hamann

Rajkumar S wrote: Hi, I manage 2 smtp servers, one for outgoing and uses smtp authentication. Other incoming and scans mail using SA. Our users some times send mails from dialup ips which are black listed, but the mails always come via our authenticated smtp server. Now when one of the customers send a mail to our incoming server from a blacklisted ip, via authenticated smtp, it gets rejected by SA, because of black listed. SA logs show

If you're using SA 3.2.0 or later add the MSA server IP to msa_networks (and be sure to configure trusted_networks accordingly).

Daryl
Re: FW: List of 700,000 IP addresses of virus infected computers
On Wed, 12 Sep 2007, Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little too complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information.

Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc.

FWIW, +1

-- Jon Trulson mailto:[EMAIL PROTECTED] #include std/disclaimer.h No Kill I -Horta
spamassassin management by file deletion
I use a domain managed by HOSTROUTE, which has installed spamassassin as a mail filter. My filespace is limited to 10MB, of which some 7.7MB are currently devoted to spamassassin. Thus, I need to prune this quickly to maintain service. As I do not maintain the system, I cannot manage spamassassin in the usual ways. Instead, I think that I am limited to deleting files and altering the user_prefs file. The following files are present in my .spamassassin directory: auto-whitelist, bayes_journal, bayes_seen, bayes_toks, users_prefs As I have been unable to find documentation covering a situation like this, I would very much appreciate any insights that you could offer. Thank you, Colin -- View this message in context: http://www.nabble.com/spamassassin-management-by-file-deletion-tf4431882.html#a12643646 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: spamassassin management by file deletion
newby 23 wrote: I use a domain managed by HOSTROUTE, which has installed spamassassin as a mail filter. My filespace is limited to 10MB,

O_o That sounds awfully low, even for cheap-to-free hosting. According to http://www.hostroute.co.uk/hostingplans.html, the smallest plan is 20M; you might want to contact them and see why you apparently only have 10M.

of which some 7.7MB are currently devoted to spamassassin. Thus, I need to prune this quickly to maintain service. As I do not maintain the system, I cannot manage spamassassin in the usual ways. Instead, I think that I am limited to deleting files and altering the user_prefs file.

Hmm. Do you have shell access? It's not necessary, but it'll make things easier if you do.

The following files are present in my .spamassassin directory: auto-whitelist, bayes_journal, bayes_seen, bayes_toks, users_prefs

How big are each of those files? You'll probably want to disable the AWL and delete auto-whitelist; it tends to grow without bound and while *I've* never had functional trouble from it, quite a few others on this list have reported problems of one kind or another aside from the disk usage. (I wrote a script a long time ago to actually clean out old entries, and trim the file size - google for trim_whitelist. Note that you pretty much REQUIRE shell access to use this.)

You'll probably also want to fiddle with the Bayes directive that controls how large the Bayes data files get; while it works on number of tokens rather than disk size it can give a rough estimate of disk use. The default bayes_expiry_max_db_size of 150,000 tokens may be too large, but it looks like you can't make it much smaller. Running man Mail::SpamAssassin::Conf from a shell on your webhost should give you details on configuration directives, but I'm pretty sure the same listing is available on the SA site somewhere under the Docs link.

Over the longer term, you can delete bayes_journal and bayes_seen; those are not critical to proper operation of the Bayes subsystem. However, if you remove bayes_seen, you'll end up re-learning messages over and over again if you regularly re-learn a folder that you don't empty.

-kgd
Re: Authenticated SMTP and RBLs
On Wednesday September 12 2007 20:36:50 [EMAIL PROTECTED] wrote: while setting proper trust relations can solve the problem for mails internal to the system, without that auth'd bit in the received header everybody outside the system will still see the message as coming from a dialup and passing through a potential open relay

If you have a dedicated MTA for mail submission, the msa_networks allows for describing such topology, so the auth bit in received header field is not needed. The idea is that MSA itself guarantees that it is only willing to accept mail from internal hosts or from authenticated users (but does not act as an MX), so whatever comes through MSA is guaranteed to be from our users.

Mark
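A simplified model of the trust decision discussed in this thread, as an added example (not SpamAssassin's code, and only an approximation of how it walks Received headers). It shows which client IPs would still be sent to DNSBLs in three cases: a plain "SMTP" header, a visible auth token (ESMTPA), and an MSA listed in msa_networks. The MSA address 192.0.2.25 and the hop dictionaries are constructed; 220.226.6.139 is the dial-up address from the original question.

```python
import ipaddress


def _in(ip, networks):
    """True if ip falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def untrusted_relays(hops, trusted_networks, msa_networks=()):
    """Return the client IPs (newest hop first) that remain DNSBL candidates.

    hops: Received hops, newest first. Each hop is a dict with
      'ip'   - address of the client that connected for that hop
      'auth' - True if the receiving server recorded SMTP AUTH (e.g. ESMTPA)
    A hop is only evaluated while every newer hop was trusted, because an
    untrusted host can write anything into the headers below its own.
    """
    candidates = []
    chain_ok = True   # every newer hop so far was trusted
    via_msa = False   # a trusted MSA has been passed; older hops inherit trust
    for hop in hops:
        ok = chain_ok and (
            via_msa
            or _in(hop["ip"], trusted_networks)
            or hop["auth"]          # auth token written by a trusted server
        )
        if ok and _in(hop["ip"], msa_networks):
            via_msa = True
        if not ok:
            candidates.append(hop["ip"])
        chain_ok = ok
    return candidates


MSA = "192.0.2.25"            # constructed address of the outgoing server
DIALUP = "220.226.6.139"      # client address from the Received line above

# Case 1: MSA writes "with ... SMTP", no visible auth token.
PLAIN = [{"ip": MSA, "auth": False}, {"ip": DIALUP, "auth": False}]
# Case 2: MSA writes "with ESMTPA", so the auth'd bit is visible.
ESMTPA = [{"ip": MSA, "auth": False}, {"ip": DIALUP, "auth": True}]
# Case 3: mail arriving directly from an untrusted host whose older,
# self-written header claims authentication (constructed addresses).
FORGED = [{"ip": "203.0.113.9", "auth": False},
          {"ip": "198.51.100.1", "auth": True}]


def demo():
    trusted = [MSA + "/32"]
    return {
        "plain": untrusted_relays(PLAIN, trusted),
        "esmtpa": untrusted_relays(ESMTPA, trusted),
        "msa_networks": untrusted_relays(PLAIN, trusted, msa_networks=trusted),
        "forged_auth": untrusted_relays(FORGED, trusted, msa_networks=trusted),
    }


if __name__ == "__main__":
    for case, ips in demo().items():
        print(case, ips)
```

In this model everything behind a host in msa_networks is exempt from lookups, which is why the condition stated above matters: the MSA must not also act as an MX for unauthenticated mail.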
Re: Suggestion to developers
Crocomoth wrote: SpamAssassin is a really great product. But, it is perl-based and checks every message with a lot of (all) rules (, always!). Volume of spam is constantly increasing, as well as CPU and memory load that SA creates on servers. As a SA user, I would be happy to have the following possibility in the next version: 1. Add an option which will allow to limit number of rules run against every message. I.e., if the limit of spam points is reached to required_score, stop further checking and process the message as a spam. I think, not all users really interested in gathering all statistics about all spam messages. 2. According to (1), it makes sense to sort all rules from lightweight to heavyweight (including ones which require internet queries) and make checking in this order. This could allow to lower SA footprint. SA 3.2.x already does this, you just need to know how. Read the docs on the shortcircuit plugin, and the priority option for rules: Shortcircuit allows you to define when to bail out http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_Shortcircuit.html And priority, documented in the Rule definitions and privileged settings section of the Conf manpage, allows you to tell SA what order to run rules in. http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings Note however that over-using priority on the rules can be detrimental to your performance, forcing SA to scan through the message many times.
RE: Suggestion to developers
How would you account for negative scoring rules? (if your message hits score=5 it may soon be score=-2 after a negative scoring rule is applied).

The most effective way I've found to lower the SA footprint is to limit the mail that gets to it by using some triage on the MTA side. SA as a standalone tool might benefit from some kind of triage functionality to kill messages immediately as per a blacklist rule. The blacklist rule(s) would be run against the messages before the normal ruleset was applied. If any of the blacklist rules were triggered, the message would be dropped without further scanning.

-Original Message- From: Crocomoth [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 12, 2007 10:42 AM To: users@spamassassin.apache.org Subject: Suggestion to developers

SpamAssassin is a really great product. But, it is perl-based and checks every message with a lot of (all) rules (, always!). Volume of spam is constantly increasing, as well as CPU and memory load that SA creates on servers. As a SA user, I would be happy to have the following possibility in the next version: 1. Add an option which will allow to limit number of rules run against every message. I.e., if the limit of spam points is reached to required_score, stop further checking and process the message as a spam. I think, not all users really interested in gathering all statistics about all spam messages. 2. According to (1), it makes sense to sort all rules from lightweight to heavyweight (including ones which require internet queries) and make checking in this order. This could allow to lower SA footprint. Thanks. -- View this message in context: http://www.nabble.com/Suggestion-to-developers-tf4429767.html#a12637043 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Suggestion to developers
Henrik Krohns writes: On Wed, Sep 12, 2007 at 08:53:10AM -0700, Crocomoth wrote: The most effective way I've found to lower the SA footprint is to limit the mail that gets to it by using some triage on the MTA side. SA as a standalone tool might benefit from some kind of triage functionality to kill messages immediately as per a blacklist rule. The blacklist rule(s) would be run against the messages before the normal ruleset was applied. If any of the blacklist rules were triggered, the message would be dropped without further scanning. I am not sure that messages after positive blacklist check will be dropped. As far as I see, SA just adds 100 points to this message and continues checking. And I am not sure about the order of rules in checking process. http://wiki.apache.org/spamassassin/ShortcircuitingRuleset Yep, as Henrik notes, the shortcircuiting plugin implements this. We previously tried an automated method which rearranged the rule orderings automatically, and shortcircuited without any admin intervention -- but the automated approach just didn't work as well as the shortcircuit-plugin approach; it wound up slower overall, due to the overhead of frequent checking. --j.
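The negative-score objection and the rule-ordering point from the messages above, worked through as an added example (a toy rule engine, not SpamAssassin's implementation or its Shortcircuit plugin). Rule names, scores and the "bounded" stopping test are assumptions made for illustration; lower priority values run first, as with SA's priority option.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "name score priority")

# Hypothetical ruleset in file order; all rules share the default priority 0.
RULES = [
    Rule("URI_ON_BLOCKLIST", 4.0, 0),
    Rule("FORGED_HELO", 3.0, 0),
    Rule("BODY_PATTERN", 3.5, 0),
    Rule("DNSBL_HIT", 2.5, 0),
    Rule("SENDER_WHITELISTED", -10.0, 0),
]

# Constructed messages, described by the set of rules they would hit.
MIXED = {"URI_ON_BLOCKLIST", "FORGED_HELO", "SENDER_WHITELISTED"}
SPAM_ONLY = {"URI_ON_BLOCKLIST", "FORGED_HELO"}


def reprioritize(rules, name, priority):
    """Return a copy of rules with one rule moved to a new priority."""
    return [r._replace(priority=priority) if r.name == name else r
            for r in rules]


def evaluate(rules, hits, required=5.0, mode="full"):
    """Run rules in priority order; return (verdict, score, rules_run).

    mode="full":    run everything.
    mode="naive":   stop as soon as score >= required (the original proposal).
    mode="bounded": stop only when the rules still to run cannot change the
                    verdict. This test runs after every rule, which is the
                    kind of per-rule overhead mentioned in the thread.
    """
    ordered = sorted(rules, key=lambda r: r.priority)  # stable for ties
    score, ran = 0.0, 0
    for i, rule in enumerate(ordered):
        ran += 1
        if rule.name in hits:
            score += rule.score
        rest = ordered[i + 1:]
        if mode == "naive" and score >= required:
            break
        if mode == "bounded":
            lowest = score + sum(r.score for r in rest if r.score < 0)
            highest = score + sum(r.score for r in rest if r.score > 0)
            if lowest >= required or highest < required:
                break
    return ("spam" if score >= required else "ham", score, ran)


def demo():
    wl_first = reprioritize(RULES, "SENDER_WHITELISTED", -100)
    return {
        "full": evaluate(RULES, MIXED, mode="full"),
        "naive": evaluate(RULES, MIXED, mode="naive"),
        "bounded": evaluate(RULES, MIXED, mode="bounded"),
        "bounded_wl_first": evaluate(wl_first, MIXED, mode="bounded"),
        "bounded_wl_first_spam": evaluate(wl_first, SPAM_ONLY, mode="bounded"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The naive cut-off marks the whitelisted message as spam after two rules, while running the negative rule first lets the bounded test stop after one rule for the whitelisted message and after three for the spam.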
Re: FW: List of 700,000 IP addresses of virus infected computers
2007/9/12, Marc Perkel [EMAIL PROTECTED]: I just added you to my blackhole list. So, You've just added Gmail to it. A Wise one, eh? -- - GNU-GPL: May The Source Be With You... Linux Registered User #448382. When I grow up, I wanna be like Theo... -
Re: FW: List of 700,000 IP addresses of virus infected computers
2007/9/12, Jon Trulson [EMAIL PROTECTED]: On Wed, 12 Sep 2007, Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little too complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information.

Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc.

FWIW, +1 -- Jon Trulson mailto:[EMAIL PROTECTED] #include std/disclaimer.h No Kill I -Horta

OK, count me in...

-- - GNU-GPL: May The Source Be With You... Linux Registered User #448382. When I grow up, I wanna be like Theo... -
Re: FW: List of 700,000 IP addresses of virus infected computers
On Wed, 12 Sep 2007, Luis Hernán Otegui wrote: 2007/9/12, Marc Perkel [EMAIL PROTECTED]: I just added you to my blackhole list.

So, You've just added Gmail to it. A Wise one, eh?

I suspect Marc thinks blackhole list == kill file. If not, then he just severely damaged the credibility of his RBLs. Marc - appearing in your RBLs doesn't depend on being polite to you, does it? You might want to start using the more-commonly-recognized term kill file to avoid confusion...

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Warning Labels we'd like to see #1: If you are a stupid idiot while using this product you may hurt yourself. And it won't be our fault. --- 5 days until the 220th anniversary of the signing of the U.S. Constitution
Re: List of 700,000 IP addresses of virus infected computers
That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were BL, but the numbers were so high from SA anyway, they were well over the limit. The rest were BR and again the numbers were so high SA caught them on its own. SHRUG

Tuc/TBOH
Re: List of 700,000 IP addresses of virus infected computers
Tuc at T-B-O-H wrote: That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were BL, but the numbers were so high from SA anyway, they were well over the limit. The rest were BR and again the numbers were so high SA caught them on its own. SHRUG Tuc/TBOH

So - no false positives?
Re: List of 700,000 IP addresses of virus infected computers
I've been running virus.txt for 23 hours. 23368 messages, only 11 hits. All were Drug messages that were picked up by SA anyway. Still, no false positives, FYI.

Jared Hall General Telecom, LLC.

On Wednesday 12 September 2007 22:08, Tuc at T-B-O-H wrote: That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were BL, but the numbers were so high from SA anyway, they were well over the limit. The rest were BR and again the numbers were so high SA caught them on its own. SHRUG Tuc/TBOH
Re: FW: List of 700,000 IP addresses of virus infected computers
Luis Hernán Otegui wrote: 2007/9/12, Jon Trulson [EMAIL PROTECTED]: On Wed, 12 Sep 2007, Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little too complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information.

Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc.

FWIW, +1 -- Jon Trulson mailto:[EMAIL PROTECTED] #include std/disclaimer.h No Kill I -Horta

OK, count me in...

I'm quite sad to have to agree with most everyone on this list about his posts. They are off topic, and not relevant to Spamassassin. I do however feel sorry for him. He seems to be lost to his friends. +1

-=Aubrey=-
Re: FW: List of 700,000 IP addresses of virus infected computers
On Wednesday 12 September 2007, Jason Bertoch wrote: Is there any chance we can get a moderator on this, please? This is clearly not a SA topic and I'm weary of insults, flames, and advertisements from Marc. You guys are almost as good as smurf amplifiers. Don't feed the trolls and instead of 30 off topic posts we'd have 3. This is not a new concept. -- Phil Barnett AI4OF SKCC #600
Re: List of 700,000 IP addresses of virus infected computers
Tuc at T-B-O-H wrote: That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were BL, but the numbers were so high from SA anyway, they were well over the limit. The rest were BR and again the numbers were so high SA caught them on its own. SHRUG Tuc/TBOH

So - no false positives?

No false anything really. SA had scored the others so low BEFORE adding in your score that the WH didn't mean anything to the score. Likewise, SA scored the BL/BR ones so high BEFORE adding in your score that your score didn't mean anything. So, to me, it's basically just tagging along with the big boys and every once in a while giving its .02 where the big boys already came to a decision. What I was hoping it would be was that extra little bit, that hanging chad shall we say, that pushed it over the line one way or the other on a much greater percentage of processed messages.

This was on my personal mail server ONLY, my production one processes around 57250 emails a day, of which 52000 are thrown out before they are even checked (KNOWN spam just by the receiving email address), 3500 are identified by SA as spam (Some false positives), 250 are passed as clean (Of which I'd say 25% are still spam), and the rest aren't even run through SA before reaching the user due to the users not being happy with the results of SA scans.

Tuc/TBOH
Re: List of 700,000 IP addresses of virus infected computers
Tuc at T-B-O-H.NET wrote: Tuc at T-B-O-H wrote: That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were BL, but the numbers were so high from SA anyway, they were well over the limit. The rest were BR and again the numbers were so high SA caught them on its own. SHRUG Tuc/TBOH

So - no false positives?

No false anything really. SA had scored the others so low BEFORE adding in your score that the WH didn't mean anything to the score. Likewise, SA scored the BL/BR ones so high BEFORE adding in your score that your score didn't mean anything. So, to me, it's basically just tagging along with the big boys and every once in a while giving its .02 where the big boys already came to a decision. What I was hoping it would be was that extra little bit, that hanging chad shall we say, that pushed it over the line one way or the other on a much greater percentage of processed messages. This was on my personal mail server ONLY, my production one processes around 57250 emails a day, of which 52000 are thrown out before they are even checked (KNOWN spam just by the receiving email address), 3500 are identified by SA as spam (Some false positives), 250 are passed as clean (Of which I'd say 25% are still spam), and the rest aren't even run through SA before reaching the user due to the users not being happy with the results of SA scans.

But, if you were to use the WH and BL/BR lists as pre-filters to reduce spam assassin's load, what difference would it make to your mail server load? And, in that case, how many errors would you get? I think that might be Marc's actual goal here. Not to tip the balance on questionable email, but to keep you from having to scan stuff that is definitely ham and definitely spam.
Re: List of 700,000 IP addresses of virus infected computers
Tuc at T-B-O-H.NET wrote: Tuc at T-B-O-H wrote: That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were BL, but the numbers were so high from SA anyway, they were well over the limit. The rest were BR and again the numbers were so high SA caught them on its own. SHRUG Tuc/TBOH

So - no false positives?

No false anything really. SA had scored the others so low BEFORE adding in your score that the WH didn't mean anything to the score. Likewise, SA scored the BL/BR ones so high BEFORE adding in your score that your score didn't mean anything. So, to me, it's basically just tagging along with the big boys and every once in a while giving its .02 where the big boys already came to a decision. What I was hoping it would be was that extra little bit, that hanging chad shall we say, that pushed it over the line one way or the other on a much greater percentage of processed messages. This was on my personal mail server ONLY, my production one processes around 57250 emails a day, of which 52000 are thrown out before they are even checked (KNOWN spam just by the receiving email address), 3500 are identified by SA as spam (Some false positives), 250 are passed as clean (Of which I'd say 25% are still spam), and the rest aren't even run through SA before reaching the user due to the users not being happy with the results of SA scans.

But, if you were to use the WH and BL/BR lists as pre-filters to reduce spam assassin's load, what difference would it make to your mail server load? And, in that case, how many errors would you get? I think that might be Marc's actual goal here. Not to tip the balance on questionable email, but to keep you from having to scan stuff that is definitely ham and definitely spam.

Hi, Unfortunately, I don't know how to tell this given that Mark provided SA rules for processing. If this was something I could implement at the sendmail level, before it got to SA (pre-filter), then it may make a difference to AT MOST what seems to be about 5% of my email. But since SA has to run ANYWAY, then if anything it slows the server down since it needs to make an additional DNS call.

Tuc/TBOH
How to analyze scan time
Hello, I have recently changed my SA server for another really similar server but many software versions have changed between the 2 servers (including SA 3.1.7 -- 3.2.3). My old server scanned the messages much faster (around 3-4 seconds vs 7.5-10 seconds). This is not a critical issue for me because I'm still under the limit of my server but I'm curious to know why it takes longer to scan and what part of my scan takes longer. Of course, I also want to find a way to optimize my scan process. What I am looking for is a way to know, for example, that my clamav scan took 2 seconds, the rules processing took X seconds, the X module took X seconds, ... Any idea?

--- SA 3.2.3 from source Debian Etch

Thanks, François Rousseau
Spam fighting technology techniques not welcome on Spamassassin list?
OK - Think about it people. People here are saying that spam fighting techniques are NOT WELCOME in the Spam Assassin list. Don't you people realize how absolutely stupid that sounds? I am sitting here with my mouth open in disbelief that anyone would even suggest such a thing. So the observation that spam bots don't issue a quit command and that using that I can track 700k virus infected computers and no one here has had a false positive on either the white list or the black list. If this were scaled up you could track EVERY virus infected computer. And the argument is - that this subject is off topic in this forum makes me feel spooky. Is it George Orwell or the Twilight Zone?
Re: List of 700,000 IP addresses of virus infected computers
Tuc at T-B-O-H.NET wrote: Tuc at T-B-O-H.NET wrote: Tuc at T-B-O-H wrote: That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were BL, but the numbers were so high from SA anyway, they were well over the limit. The rest were BR and again the numbers were so high SA caught them on its own. SHRUG Tuc/TBOH

So - no false positives?

No false anything really. SA had scored the others so low BEFORE adding in your score that the WH didn't mean anything to the score. Likewise, SA scored the BL/BR ones so high BEFORE adding in your score that your score didn't mean anything. So, to me, it's basically just tagging along with the big boys and every once in a while giving its .02 where the big boys already came to a decision. What I was hoping it would be was that extra little bit, that hanging chad shall we say, that pushed it over the line one way or the other on a much greater percentage of processed messages. This was on my personal mail server ONLY, my production one processes around 57250 emails a day, of which 52000 are thrown out before they are even checked (KNOWN spam just by the receiving email address), 3500 are identified by SA as spam (Some false positives), 250 are passed as clean (Of which I'd say 25% are still spam), and the rest aren't even run through SA before reaching the user due to the users not being happy with the results of SA scans.

But, if you were to use the WH and BL/BR lists as pre-filters to reduce spam assassin's load, what difference would it make to your mail server load? And, in that case, how many errors would you get? I think that might be Marc's actual goal here. Not to tip the balance on questionable email, but to keep you from having to scan stuff that is definitely ham and definitely spam.

Hi, Unfortunately, I don't know how to tell this given that Mark provided SA rules for processing. If this was something I could implement at the sendmail level, before it got to SA (pre-filter), then it may make a difference to AT MOST what seems to be about 5% of my email. But since SA has to run ANYWAY, then if anything it slows the server down since it needs to make an additional DNS call. Tuc/TBOH

I gave you rules for SA because this is the SA forum. In the Exim forum I posted the Exim rules. I manage to route over 99% of the email I process around SpamAssassin. But I am running off my own data so that makes a big difference. If the system were scaled up it would catch far more stuff.
Re: Spam fighting technology techniques not welcome on Spamassassin list?
Please do not feed the trolls.

Marc Perkel wrote: OK - Think about it people. People here are saying that spam fighting techniques are NOT WELCOME in the Spam Assassin list. Don't you people realize how absolutely stupid that sounds? I am sitting here with my mouth open in disbelief that anyone would even suggest such a thing.

Correct. The SpamAssassin users list is for discussing issues with the Apache SpamAssassin application. It is not a general venue for spam discussion. Such discussions are appropriate for the SPAM-L list. On behalf of the entire Apache SpamAssassin PMC, please knock it off.

Daryl