Re: Bounce notification

2007-12-20 Thread AxisInternet
dvesely wrote:
> My server manager tells me that my Windows version of SpamAssassin cannot
> reject email at the SMTP level. This is only possible in the Unix version.
> True or False?
> 
> If false, can you give me a link to instructions on enabling this feature or
> any known workaround please?

SpamAssassin, in and of itself, cannot reject messages at any level. You can
'wrap' it with other scripts or applications that can reject messages based
on their SA scores though - such as with MailScanner - www.mailscanner.info



Chris



Re: Bounce notification

2007-12-20 Thread dvesely

My server manager tells me that my Windows version of SpamAssassin cannot
reject email at the SMTP level. This is only possible in the Unix version.
True or False?

If false, can you give me a link to instructions on enabling this feature or
any known workaround please?

Thanks,
 
Dan


Bob Proulx wrote:
> 
> dvesely wrote:
>> I have set up bounce notification for my spamassassin mail server but my
>> server manager has recommended that I do not use it. He wrote:
> 
> Right.  Best not to generate bounces to spam after you have received
> it because if you do you become a source of spam yourself.
> 
>> Most of the SPAM messages will have a forged FROM address, so the server
>> has to deal with returned bounce messages also. This is a processor and
>> memory hungry task.
> 
> The problem isn't that your server would become overloaded.  The
> problem is that your server would become a source of backscatter spam
> because of the bounced messages to forged from addresses.  *I* for one
> would blacklist your server because of this.
> 
> Search the web for backscatter spam and read about the problems that
> it causes before attempting to set up a server that bounces spam
> messages.  Rejecting at the SMTP level is the better way to go.
> 
> Bob
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Bounce-notification-tp14432035p14450828.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: spam rules

2007-12-20 Thread Matt Kettler
Yet Another Ninja wrote:
> On 12/20/2007 10:44 PM, jikke wrote:
>> Hi,
>>
>> I'm new to SpamAssassin and have checked the web on spam rules. I just can't
>> seem to find the info I'm looking for. I want to create a rule where all
>> mail to [EMAIL PROTECTED] with a certain text like 'new message' is passed
>> through and all other mail is considered spam. This is quite a different rule
>> from what I've found so far. All rules I have found just block email and I
>> need a rule that actually lets just that mail through.
>>
>> Any ideas? 
>
> lots.. but for starters:
>
> header  __TOHELPDESK    To =~ /[EMAIL PROTECTED]/
> body    __NEWMSG        /new message/i
> meta    PASS_HELPDESK   (__TOHELPDESK && __NEWMSG)
> score   PASS_HELPDESK   -50.0

Well, that would work, but to get the effect he wants you'd also have to
heavily drop the required_score. He's not looking for a whitelist rule,
but a blacklist..

An even simpler approach would be to treat each problem separately, and
penalize anything not matching. i.e.: heavily penalize all mail that's
not to the help desk, and separately, penalize all mail that doesn't
have "new message" in it.

header NOT_TO_HELPDESK   To !~ /[EMAIL PROTECTED]/
score  NOT_TO_HELPDESK   100

body   __NEWMSG          /new message/i
meta   NOT_NEWMSG        (!__NEWMSG)
score  NOT_NEWMSG        100



But as others have said, procmail would do this much faster and lighter.
Heck, the To part can probably be dealt with at the MTA layer and save a
lot of trouble..



Re: SpamAssassin 3.2.3 looks for user_prefs in the wrong place

2007-12-20 Thread Matt Kettler
Remy PORTIER wrote:
> Hello,
>
> Thank you for your answer.
>
> I agree with you, but there is still something puzzling me.
>
> I have an old SpamAssassin 3.0.3 running on another server.
> Pretty much the same configuration (running as user spamassassin,
> allow_user_prefs 1, ...).
> This old version of SpamAssassin does manage to find the user_prefs files
> of my users.
>
> Do you know which version of SpamAssassin made this impossible (possibly
> as a consequence of a security fix) ?

The only way that's possible at all is if you're using SQL or virtual
configuration dirs.

If you're using real user accounts, with real home directories, it's
impossible.


Re: Get HAM's from Exchange / Outlook

2007-12-20 Thread Jason Holbrook
Thank you for the link.

Best Regards,
Jason Holbrook
Chief Technology Integrator / Partner
Empower Information Systems
[EMAIL PROTECTED] 
weblog.empoweris.com 
www.empoweris.com 
Skype: holbrook.jason
Gtalk: jaholbrook
757-320-2667 (Direct)
757-273-9399 (office)
757-715-1944 (cell)
866-477-1544 (toll free)

 
This message is being sent by or on behalf of Empower Information Systems. It 
is intended exclusively for the individual or entity to which it is addressed.  
This communication may contain information that is proprietary, privileged or 
confidential or otherwise legally exempt from disclosure.  If you are not the 
named addressee, you are not authorized to read, print, retain, copy or 
disseminate this message or any part of it.  If you have received this message 
in error, please notify the sender Jason Holbrook immediately by e-mail [EMAIL 
PROTECTED] and delete all copies of this message.

Empower Information Systems operates under a zero spam policy. If you believe 
this message to be spam, please contact [EMAIL PROTECTED] 

- Original Message -
From: Steven Stern <[EMAIL PROTECTED]>
To: users@spamassassin.apache.org 
Sent: Thu Dec 20 17:48:37 2007
Subject: Re: Get HAM's from Exchange / Outlook

Jason Holbrook wrote:
>
> Hello all, anyone have an idea of how to get HAM’s from an exchange / 
> Outlook environment back to SA?
>
> My incoming is scanned by a SA gateway but outgoing goes straight from 
> exchange to the cloud.
>
>
I've posted a howto at

http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/




Re: Get HAM's from Exchange / Outlook

2007-12-20 Thread Steven Stern

Jason Holbrook wrote:


> Hello all, anyone have an idea of how to get HAM’s from an exchange /
> Outlook environment back to SA?
>
> My incoming is scanned by a SA gateway but outgoing goes straight from
> exchange to the cloud.




I've posted a howto at

http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/


Get HAM's from Exchange / Outlook

2007-12-20 Thread Jason Holbrook
Hello all, anyone have an idea of how to get HAM's from an exchange /
Outlook environment back to SA?

My incoming is scanned by a SA gateway but outgoing goes straight from
exchange to the cloud.

 

Best Regards,

Jason Holbrook


 



Re: spam rules

2007-12-20 Thread Yet Another Ninja

On 12/20/2007 10:44 PM, jikke wrote:

> Hi,
>
> I'm new to SpamAssassin and have checked the web on spam rules. I just can't
> seem to find the info I'm looking for. I want to create a rule where all
> mail to [EMAIL PROTECTED] with a certain text like 'new message' is passed
> through and all other mail is considered spam. This is quite a different rule
> from what I've found so far. All rules I have found just block email and I
> need a rule that actually lets just that mail through.
>
> Any ideas?

lots.. but for starters:

header  __TOHELPDESK    To =~ /[EMAIL PROTECTED]/
body    __NEWMSG        /new message/i
meta    PASS_HELPDESK   (__TOHELPDESK && __NEWMSG)
score   PASS_HELPDESK   -50.0

h2h

AXB



Re: spam rules

2007-12-20 Thread John D. Hardin
On Thu, 20 Dec 2007, jikke wrote:

> I'm new to SpamAssassin and have checked the web on spam rules. I
> just can't seem to find the info I'm looking for. I want to create
> a rule where all mail to [EMAIL PROTECTED] with a certain text like
> 'new message' is passed through and all other mail is considered
> spam. This is quite a different rule from what I've found so far. All
> rules I have found just block email and I need a rule that
> actually lets just that mail through.

Do you happen to already be using procmail? That would be a simpler 
solution for this problem.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 5 days until Christmas



Re: spam rules

2007-12-20 Thread Evan Platt

At 01:44 PM 12/20/2007, jikke wrote:


> Hi,
>
> I'm new to SpamAssassin and have checked the web on spam rules. I just can't
> seem to find the info I'm looking for. I want to create a rule where all
> mail to [EMAIL PROTECTED] with a certain text like 'new message' is passed
> through and all other mail is considered spam. This is quite a different rule
> from what I've found so far. All rules I have found just block email and I
> need a rule that actually lets just that mail through.



What do you intend to do with all that mail that's considered SPAM?

This sounds like something that would be better suited to be handled 
by your MTA or procmail than by SpamAssassin. 



spam rules

2007-12-20 Thread jikke

Hi,

I'm new to SpamAssassin and have checked the web on spam rules. I just can't
seem to find the info I'm looking for. I want to create a rule where all
mail to [EMAIL PROTECTED] with a certain text like 'new message' is passed
through and all other mail is considered spam. This is quite a different rule
from what I've found so far. All rules I have found just block email and I
need a rule that actually lets just that mail through.

Any ideas? 
Thanks!

Jikke
-- 
View this message in context: 
http://www.nabble.com/spam-rules-tp14445787p14445787.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: good spamd box

2007-12-20 Thread Marc Perkel



jp wrote:
> I just built a new box with the AMD Phenom 9500 processor, gigabyte am2+
> motherboard, and 8GB ram (ram is getting cheap!). It was all under $1000
> for everything including power supply, cheesy video card, 2 sata drives.
>
> This thing rocks so hard for spamassassin, it's amazing.
>
> Most of my other backend spamassassin/clamav/amavis boxes were x2 or
> dual opteron singlecore systems with 2-3GB ram, not bad when I built
> them or bought them. I ran 12 spamd processes at a time and cpu was
> close to 100%.
>
> I just unleashed a big queue of email onto the new and old servers, and
> they are both working at full speed to catch up. It's got 24 spamd
> processes going right now and is only running 40% cpu usage. Also in a
> short period of time, it processed 700 emails, where the old server had
> processed 300. It looks like I can run a lot more spamd processes than
> 24! I basically run as many processes as it takes to max out either the
> CPU or memory of the server under a load. Looks like it has hugely more
> capacity that I can tune for. Looks like this box may do the work of
> three of those.
>
> With the low prices of multicore CPUs these days and cheap ddr2 memory,
> it's a great time to upgrade mail servers.


 
  


That's good to know. I've been using AMD 6000 X2 and 8 gigs of ram. I've 
been interested in the quad cores but haven't felt that they were ripe 
yet. Waiting for more AM2+ boards (with video on motherboard) and 
perhaps DDR3 ram. (Or the new AM3 socket that's coming.)


Thanks for the review.



good spamd box

2007-12-20 Thread jp
I just built a new box with the AMD Phenom 9500 processor, gigabyte am2+ 
motherboard, and 8GB ram (ram is getting cheap!). It was all under $1000 
for everything including power supply, cheesy video card, 2 sata drives.

This thing rocks so hard for spamassassin, it's amazing. 

Most of my other backend spamassassin/clamav/amavis boxes were x2 or 
dual opteron singlecore systems with 2-3GB ram, not bad when I built 
them or bought them. I ran 12 spamd processes at a time and cpu was 
close to 100%.

I just unleashed a big queue of email onto the new and old servers, and 
they are both working at full speed to catch up. It's got 24 spamd 
processes going right now and is only running 40% cpu usage. Also in a 
short period of time, it processed 700 emails, where the old server had 
processed 300. It looks like I can run a lot more spamd processes than 
24! I basically run as many processes as it takes to max out either the 
CPU or memory of the server under a load. Looks like it has hugely more 
capacity that I can tune for. Looks like this box may do the work of 
three of those.

With the low prices of multicore CPUs these days and cheap ddr2 memory, 
it's a great time to upgrade mail servers.

 
-- 
/*
Jason Philbrook   |   Midcoast Internet Solutions - Wireless and DSL
    KB1IOJ        |   Broadband Internet Access, Dialup, and Hosting
 http://f64.nu/   |   for Midcoast Maine    http://www.midcoast.com/
*/


Re: Upgrade to 3.2.3 introduced severe slowness

2007-12-20 Thread Daryl C. W. O'Shea

Thomas Ledbetter wrote:

> Hi. I recently tried upgrading our anti-spam servers to run v 3.2.3.
> Previously we were using 3.1.7. When I tried to do this, performance took a
> big hit - messages take more than double the time to scan in 3.2.3 as
> compared to 3.1.7.  As an example, one particular test spam message takes an
> average of 2 seconds with 3.1.7, but 5.4 seconds with 3.2.3. Turning off
> network tests helps, but there is still a slight  (~20%) increase in scan
> time even without network tests between the 2 versions.  I tried the 'use
> bytes' hack with Message.pm and I verified that 'use bytes' is the default
> on most of the plugins. I tried disabling just some of the network tests by
> setting their scores to '0', and that didn't seem to affect scan time at
> all?!?  Can someone shed any light as to what might be the problem here? I
> want to retain the network tests that we were using in 3.1.7.  Is there a
> way to revert to the exact same network tests from 3.1.7 while using 3.2.3.?


While probably not the "exact same network tests", the two versions 
don't have a large difference in which network tests they do.


The difference you are seeing is that 3.2.3 fixes an issue with network 
tests timing out prematurely, thus 3.2.3 is more accurate.  If you look, 
you'll notice that 3.2.3 is taking longer to scan an individual message 
but is not spending more processor time to do it.


For most people, simply increasing the number of spamd children will 
restore your previous throughput rates.  Of course, in very, very large 
installations that may not be an option due to already being memory 
bound.  Most installations are CPU bound way before they are memory 
bound though.


Daryl





Re: Upgrade to 3.2.3 introduced severe slowness

2007-12-20 Thread jp
Add re2c to your system, and enable the rules compiling. That should 
make up for the performance difference.

On Thu, Dec 20, 2007 at 11:17:07AM -0800, Thomas Ledbetter wrote:
> 
> Hi. I recently tried upgrading our anti-spam servers to run v 3.2.3.
> Previously we were using 3.1.7. When I tried to do this, performance took a
> big hit - messages take more than double the time to scan in 3.2.3 as
> compared to 3.1.7.  As an example, one particular test spam message takes an
> average of 2 seconds with 3.1.7, but 5.4 seconds with 3.2.3. Turning off
> network tests helps, but there is still a slight  (~20%) increase in scan
> time even without network tests between the 2 versions.  I tried the 'use
> bytes' hack with Message.pm and I verified that 'use bytes' is the default
> on most of the plugins. I tried disabling just some of the network tests by
> setting their scores to '0', and that didn't seem to affect scan time at
> all?!?  Can someone shed any light as to what might be the problem here? I
> want to retain the network tests that we were using in 3.1.7.  Is there a
> way to revert to the exact same network tests from 3.1.7 while using 3.2.3.?  
> -- 
> View this message in context: 
> http://www.nabble.com/Upgrade-to-3.2.3-introduced-severe-slowness-tp14443024p14443024.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

-- 
/*
Jason Philbrook   |   Midcoast Internet Solutions - Wireless and DSL
    KB1IOJ        |   Broadband Internet Access, Dialup, and Hosting
 http://f64.nu/   |   for Midcoast Maine    http://www.midcoast.com/
*/


Re: Bounce notification

2007-12-20 Thread Bob Proulx
Dan Vesely wrote:
> If you reject at the smtp level how are users notified?
>
> There has to be a way to notify users if they are rejected so that they can
> contact the sender to be put on the white list.

The user would get a normal bounce return.  As far as the person
receiving the bounce message there is no difference between bouncing
messages at SMTP time and bouncing them later after having received
them.  They see the same message.  The critical difference is that
rejecting at smtp time avoids many of the problems with forged
addresses.

Example of a valid bounce case:

Alice sends Bob an email message.  The MTA on Alice's server contacts
the MTA on Bob's server using SMTP.  But unfortunately the address is
mistyped and can't be delivered.  At SMTP time the MTA on Bob's
machine rejects the message with the reason being no such user.  The
MTA on Alice's machine gets the rejection at SMTP time.  The MTA
delivers the bounce message to Alice.

Example of Backscatter:

Mallory sends Bob a spam email message.  Mallory wants to fool Bob
into thinking the message came from Alice.  Mallory forges Alice's
address on the message.  The MTA on Mallory's server contacts the MTA
on Bob's server.  Bob has misconfigured his server to accept all
messages and bounce undeliverable messages later.  The MTA on Bob's
server accepts the message.  After accepting the message, possibly
after forwarding to other internal servers such as is common on many
large networks, the system determines that the message is spam.  Bob
has misconfigured the system to send a reject message.  The MTA on
Bob's server sends a bounce message to Alice.  Alice gets a message
from Bob's server.  The payload of the message is the spam body from
Mallory.  Mallory repeats this with thousands of other servers.  Alice
is overloaded with "joe-job" backscatter spam.

Specifically in the case of spam it is now best practice to silently
discard messages without generating a rejection message to avoid being
a source of backscatter spam.

The same result of backscatter is possible if the message is not spam
but is undeliverable due to an invalid address.

Example of a Potential Backscatter Avoided:

Mallory sends Bob a spam email message.  Mallory wants to fool Bob
into thinking the message came from Alice.  Mallory forges Alice's
address on the message.  The MTA on Mallory's server contacts the MTA
on Bob's server.  Bob has properly configured his server to reject
undeliverable messages as early as possible at SMTP time.  The MTA on
Mallory's server finds the message rejected during the SMTP handshake.
Bob's server does not send a rejection notice to Alice and Alice
avoids any backscatter from Bob's system.

Bob


Dan Vesely wrote:
> If you reject at the smtp level how are users notified?
>  
> There has to be a way to notify users if they are rejected so that they can
> contact the sender to be put on the white list.
>  
> Your help is appreciated.
>  
> Thanks,
>  
> Dan
> 
> -Original Message-
> From: Bob Proulx [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 20, 2007 9:27 AM
> To: dvesely
> Cc: users@spamassassin.apache.org
> Subject: Re: Bounce notification
> 
> dvesely wrote:
> > I have set up bounce notification for my spamassassin mail server but my
> > server manager has recommended that I do not use it. He wrote:
> 
> Right.  Best not to generate bounces to spam after you have received
> it because if you do you become a source of spam yourself.
> 
> > Most of the SPAM messages will have a forged FROM address, so the server
> > has to deal with returned bounce messages also. This is a processor and
> > memory hungry task.
> 
> The problem isn't that your server would become overloaded.  The
> problem is that your server would become a source of backscatter spam
> because of the bounced messages to forged from addresses.  *I* for one
> would blacklist your server because of this.
> 
> Search the web for backscatter spam and read about the problems that
> it causes before attempting to set up a server that bounces spam
> messages.  Rejecting at the SMTP level is the better way to go.
> 
> Bob
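
The three cases described in the message above (valid bounce, backscatter, backscatter avoided), modelled as an added example that is not part of the original post. The class names, the policy strings and the .example addresses are assumptions made for illustration; the model only tracks who ends up receiving a notification.

```python
from dataclasses import dataclass, field

ALICE = "alice@a.example"   # constructed addresses on reserved .example domains


@dataclass
class Message:
    envelope_from: str       # SMTP MAIL FROM; the sender chooses it, so it can be forged
    rcpt_to: str
    body: str
    is_spam: bool = False    # stands in for the content filter's verdict


@dataclass
class ReceivingMTA:
    """Bob's server; policy is 'reject_at_smtp' or 'accept_then_bounce'."""
    local_users: set
    policy: str
    outbound: list = field(default_factory=list)   # mail this server originates

    def _problem(self, msg):
        if msg.rcpt_to.split("@")[0] not in self.local_users:
            return "550 5.1.1 no such user"
        if msg.is_spam:
            return "550 5.7.1 rejected as spam"
        return None

    def smtp_transaction(self, msg):
        """Return the reply the connecting client sees."""
        problem = self._problem(msg)
        if problem and self.policy == "reject_at_smtp":
            return problem            # refused in-session; no new message is created
        if problem:
            # Accepted first, judged later: the bounce goes to whatever address
            # the envelope claimed, carrying the original body with it.
            self.outbound.append(Message("<>", msg.envelope_from,
                                         f"Undeliverable: {problem}\n---\n{msg.body}"))
        return "250 2.0.0 accepted"


@dataclass
class SendingMTA:
    """A client MTA; it only notifies senders who really are its own users."""
    real_users: set
    local_bounces: list = field(default_factory=list)

    def submit(self, msg, remote):
        reply = remote.smtp_transaction(msg)
        if reply.startswith("5") and msg.envelope_from in self.real_users:
            self.local_bounces.append((msg.envelope_from, reply))
        return reply


def mail_reaching_alice(alice_mta, bob):
    """Count notifications Alice receives, split by which server produced them."""
    return {
        "own_mta_bounces": sum(1 for to, _ in alice_mta.local_bounces if to == ALICE),
        "backscatter": sum(1 for m in bob.outbound if m.rcpt_to == ALICE),
    }


def run_cases(n_forged=3):
    results = {}

    # Valid bounce: Alice mistypes Bob's address; Bob rejects during SMTP.
    alice_mta, bob = SendingMTA({ALICE}), ReceivingMTA({"bob"}, "reject_at_smtp")
    alice_mta.submit(Message(ALICE, "bbo@b.example", "lunch?"), bob)
    results["valid_bounce"] = mail_reaching_alice(alice_mta, bob)

    # The same forged spam run against each policy: Mallory claims to be Alice.
    for case, policy in (("backscatter", "accept_then_bounce"),
                         ("avoided", "reject_at_smtp")):
        alice_mta = SendingMTA({ALICE})
        mallory_mta = SendingMTA({"mallory@m.example"})
        bob = ReceivingMTA({"bob"}, policy)
        replies = [mallory_mta.submit(Message(ALICE, "bob@b.example", "BUY NOW", True), bob)
                   for _ in range(n_forged)]
        results[case] = mail_reaching_alice(alice_mta, bob)
        results[case]["mallory_sees"] = sorted(set(r[:3] for r in replies))
    return results


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(case, outcome)
```

With accept_then_bounce, every forged message turns into one message from Bob's server to Alice; with reject_at_smtp the 550 stays inside the session with the connecting client and Bob's server originates nothing.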


Re: Stop tests when score is high

2007-12-20 Thread Daryl C. W. O'Shea

Kevin W. Gagel wrote:

> - Original Message -
>> Kevin W. Gagel wrote:
>>> Couldn't a whitelist shortcircuit option be added? What I mean is a
>>> feature that allows an admin to direct SA to check the
>>> whitelist/blacklist first and then (if enabled) abandon further testing
>>> if sender is listed.
>>
>> AFAIK there's no reason why you can't do that already, provided you
>> configure SA to do so.
>>
>> Daryl
>
> Thanks for sharing that, would you mind sharing a link that can explain that so
> I can look it up.


http://wiki.apache.org/spamassassin/ShortcircuitingRuleset



Re: Stop tests when score is high

2007-12-20 Thread Kevin W. Gagel
- Original Message -
>Kevin W. Gagel wrote:
>> Couldn't a whitelist shortcircuit option be added? What I mean is a
>> feature that allows an admin to direct SA to check the
>> whitelist/blacklist first and then (if enabled) abandon further testing
>> if sender is listed.
>
>AFAIK there's no reason why you can't do that already, provided you 
>configure SA to do so.
>
>Daryl

Thanks for sharing that, would you mind sharing a link that can explain that so
I can look it up.

Thanks.

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 5448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel
My File share:
http://mail.cnc.bc.ca/users/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Re: Stop tests when score is high

2007-12-20 Thread Daryl C. W. O'Shea

Kevin W. Gagel wrote:

> Couldn't a whitelist shortcircuit option be added? What I mean is a feature
> that allows an admin to direct SA to check the whitelist/blacklist first
> and then (if enabled) abandon further testing if sender is listed.


AFAIK there's no reason why you can't do that already, provided you 
configure SA to do so.


Daryl



Upgrade to 3.2.3 introduced severe slowness

2007-12-20 Thread Thomas Ledbetter

Hi. I recently tried upgrading our anti-spam servers to run v 3.2.3.
Previously we were using 3.1.7. When I tried to do this, performance took a
big hit - messages take more than double the time to scan in 3.2.3 as
compared to 3.1.7.  As an example, one particular test spam message takes an
average of 2 seconds with 3.1.7, but 5.4 seconds with 3.2.3. Turning off
network tests helps, but there is still a slight  (~20%) increase in scan
time even without network tests between the 2 versions.  I tried the 'use
bytes' hack with Message.pm and I verified that 'use bytes' is the default
on most of the plugins. I tried disabling just some of the network tests by
setting their scores to '0', and that didn't seem to affect scan time at
all?!?  Can someone shed any light as to what might be the problem here? I
want to retain the network tests that we were using in 3.1.7.  Is there a
way to revert to the exact same network tests from 3.1.7 while using 3.2.3.?  
-- 
View this message in context: 
http://www.nabble.com/Upgrade-to-3.2.3-introduced-severe-slowness-tp14443024p14443024.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: False positives with Bayes_99

2007-12-20 Thread Merlin

On Thu, 20 Dec 2007 15:18:45 +0100, "Matthias Haegele"
<[EMAIL PROTECTED]> said:
> Merlin wrote:
> > On Thu, 20 Dec 2007 03:08:34 -0800, "Merlin" <[EMAIL PROTECTED]> said:
> >>
> >>
> >> On Thu, 20 Dec 2007 11:59:32 +0100, "Matthias Haegele"
> >> <[EMAIL PROTECTED]> said:
> >>> Merlin wrote:
> >>>> Hi there,
> >>>>
> >>>> I am running a well trusted travel community page that sends system
> >>>> e-mails like register, notice on comments etc. to its opt-in signed up
> >>>> users.
> >>>>
> >>>> Since two days all E-Mails from that server get an additional spam score
> >>>> of 3.5!! by Bayes_99. I looked it up and found that SpamAssassin believes
> >>>> that it is to 99% spam by training from users. I believe there is more
> >>>> to it, as I can not believe that
> >>>> users mark such messages as spam. I also received another e-mail from
> >>>> another community page that was marked with Bayes_99 despite that it
> >>>> never has before. How come?! I looked into several red lists for my
> >>>> server, but the server is not listed anywhere. The only thing I found is
> >>>> that the server was not set with "reverse mapping" to the correct
> >>>> domain, but to the one the hostmaster has set before (it is a root
> >>>> server). Changed it yesterday to the domain name but still no change
> >>>> today. Still wrong host. Does this have something to do with Bayes_99?
> >>>>
> >>>> I am wondering how to get rid of this Bayes_99 thing and how to get to
> >>>> Bayes_00 that would be more suitable for that e-mail. Do I have to
> >>>> configure Postfix as the sending instance somehow with anything like
> >>>> trusted server lists, or with anything else I might have overlooked by
> >>>> configuring it?
> >>>>
> >>>> Here is a header of a false positive:
> >>>>
> >>>> Subject: {SPAM 03.5} Feedback: lost password - please help
> >>>> X-Spam: spam
> >>>> X-Spam-score: 3.5
> >>>> X-Spam-hits: BAYES_99 3.5, BAYES_USED global
> >>>> X-Spam-source: IP='87.106.60.58',
> >>>> Host='s15229619.onlinehome-server.info', Country='DE',
> >>>>   FromHeader='net', MailFrom='net'
> >>>>
> >>>> Thank you for any help,
> >>> afaik the bayes results comes only from manual training and autolearn?
> >>> So the reverse dns, missing Pointer record is hit by another rule ...
> >>>
> >>> Perhaps you need to retrain the messages as ham (sa-learn --ham ...).
> >>> Or if your bayes-database is completely "poisoned" start from scratch.
> >>>
> >>> Perhaps you could show the bayes_mumble ...
> >>>
> >>>> Merlin
> >>>
> >>> -- 
> >>> Greetings & hth
> >>> MH
> >>>
> >>>
> >>> Dont send mail to: [EMAIL PROTECTED]
> >>> --
> >>>
> >>
> >> Hi,
> >>
> >> thank you for your reply. I am not the one who can train it. I am just
> >> running the server with
> >> the community that sends the messages. It is a big problem for me as if
> >> those e-mails do get false
> >> positive no more registration might be possible etc.
> >>
> >> The funny thing is, that e-mails with almost identical content (for
> >> example notifications on forum 
> >> replies) from other sites get even a Bayes_00 while mine get Bayes_99
> >> (that is true for the fastmail.fm e-mail
> >> provider). How come? Do you believe it has to do with the content, or
> >> the header? It must be the header as
> >> for example feedback msgs. that I receive through an online form also
> >> get marked with Bayes_99.
> >> The e-mails are sent through the PHPmailer class (opensource). I also
> >> looked there, but could not find a misconfig or so.
> 
> Hmm. If you couldn't influence the training process and therefore can't 
> rely on it,
> you probably don't want to use Bayes scores or at least lower BAYES_99?
> 
> Perhaps you would like to use a pastebin-service like
> http://pastebin.com/
> and show us some "False Positive Samples" (feel free to exchange 
> confidential parts, understandable plz).
> 
> >> Thank you for any help,
> >>
> >> Merlin
> 
> 
> -- 
> Gruesse/Greetings
> MH
> 
> 
> Dont send mail to: [EMAIL PROTECTED]
> --
> 


Thank you for your reply. I have uploaded an example of the complete
e-mail that
got a... 
Bayes_99: http://pastebin.com/db1f0425
Bayes_80: http://pastebin.com/da5a6714

This occurs only since 2 days now. Most of the other mails I do get
inside my e-mail account is
with bayes_00 that even got a -2.x score. As those e-mails are extremely
important for my community
I would like to make sure that the members receive it. No idea why they
do not get a Bayes_00 as well.
Perhaps I have misconfigured the SMTP Server/ Postfix or PHPmailer or
the Linux server itself?

To make sure there is no misunderstanding, I am not running the server
that is classifying the e-mail
with Bayes_99, but the server that has sent that e-mail. 

Best regards,

Merlin

-- 
  Merlin
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
  love email again



Re: Bounce notification

2007-12-20 Thread Bob Proulx
dvesely wrote:
> I have set up bounce notification for my spamassassin mail server but my server
> manager has recommended that I do not use it. He wrote:

Right.  Best not to generate bounces to spam after you have received
it because if you do you become a source of spam yourself.

> Most of the SPAM messages will have a forged FROM address, so the server
> has to deal with returned bounce messages also. This is a processor and
> memory hungry task.

The problem isn't that your server would become overloaded.  The
problem is that your server would become a source of backscatter spam
because of the bounced messages to forged from addresses.  *I* for one
would blacklist your server because of this.

Search the web for backscatter spam and read about the problems that
it causes before attempting to set up a server that bounces spam
messages.  Rejecting at the SMTP level is the better way to go.

Bob


Re: Is this a wiildcard ?

2007-12-20 Thread Matthias Haegele

Theo Van Dinter wrote:
> On Thu, Dec 20, 2007 at 04:57:25PM +0100, Chris wrote:
>> Just looking through the SA setup on a couple of my accounts, and notice
>> in the email filters, that this is in place :
>>
>> Destination
>>
>> $header_subject: contains "*"  Discard
>>
>> Isn't * a wildcard ?  Wouldn't that rule above discard all emails ?
>
> That isn't from a SpamAssassin config, so the meaning isn't clear.  "*" is a
> glob character, so could mean "anything".  In regexp "*" means 0 or more of
> the thing preceding it, which is nothing, so it's not valid regexp.  It could
> also just mean the character "*".
>
> You'd really need to look at the docs for what you're actually looking at to
> find out what it means.

Perhaps header_subject is used in exim?
Some People might mark Spam mails as "*Spam" but only "*" makes no sense
for me ...

but that's only a guess ...

--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Stop tests when score is high

2007-12-20 Thread Kevin W. Gagel
- Original Message -
>Paolo De Marco wrote:
>> Hi.
>> Is there a way to stop tests when the score of the mail is higher than
>> a value?
>>
>Not in a general sense, but there is a shortcircuit plugin that can be
>used to stop checking when a particular rule hits.
>You can also use the rule priority to cause the trusted shortcircuit
>rules to run before the rest of the ruleset.
>
>see:
>
>http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_Shortcircuit.html
>
>
>The primary problem with doing this at a score threshold is you never
>know if a large negative-scoring rule is going to come by and drive the
>score way down. (ie: USER_IN_WHITELIST). So, if you were to stop scoring
>at 30 points, you might stop checking a message that is supposed to be
>whitelisted, if it managed to score 30 points before the whitelist rule
>matched... It's generally a recipe for mistakes, which is why this
>feature was removed from SA somewhere around SA 2.3x several years ago..

Couldn't a whitelist shortcircuit option be added? What I mean is a feature
that allows an admin to direct SA to check the whitelist/blacklist first
and then (if enabled) abandon further testing if sender is listed.

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 5448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel
My File share:
http://mail.cnc.bc.ca/users/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Re: hits gawk program re: spamassassin

2007-12-20 Thread Kevin W. Gagel
- Original Message -
>I am trying to learn how you did your hits gawk program and how to use it
>and what the logfile should look like
>
>How do I learn more regarding your setup so I can use or change to use on
>my setup

Robert,

To use the hits report the command line is:
gawk -f hits /path/to/logfile

The -f tells gawk to get its commands from the file hits. Then use them on
the file indicated.

To learn more about gawk search google, there are enough tutorials out
there.

My setup is using the spamd daemon and logging to its own logfile. Nonetheless
it should still work if there are other log entries because gawk is
searching only for lines that contain "result:". You can verify that it
will find what it needs by doing a grep on your logfile for that same
thing. Do it like this:
cat /var/log/maillog | grep " result: "

What should happen is that every line in your maillog that contains the
characters " result: " will be echoed to your screen. This is what spamd
uses to log what it has found for each message.

That is the information that gawk will parse and retrieve what tests scored
and build a list of how often they scored. Since a test can only score once
in any given message, the amount of times a test scored represents how many
messages had the pattern that the particular test looks for. The gawk file
compensates for messages that did not score anything and adds them up as
well.

The theory is that if a test does not score lots for a given site then
there may not be any need for that test. Not running a test should reduce
the scan time and overall performance. 

I wrote this because of a test that scored in a single message that I was
examining. It turned out to be a blacklist that I didn't know about and if
I'd been using I would have blocked around 30,000 messages from entering my
site. Then I wondered how much time the cpu spent looking at these messages
so I wrote another one to sum up the scantimes for those particular
messages. The end result is that the messages chewed up over 60 hours of
time in just 3 weeks. So, if I stop them from entering, I improve
performance. Of course the trick is to ensure they are legitimate spam...

For those of you interested in using it, it's located here:
http://mail.cnc.bc.ca/users/[EMAIL PROTECTED]/spamassassin/

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 5448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel
My File share:
http://mail.cnc.bc.ca/users/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---
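
The kind of report described in the message above, as an added Python example (this is not Kevin's gawk script, which is not reproduced on this page). It assumes spamd "result:" lines of the form `result: <Y|.> <score> - <TEST,TEST,...> scantime=<secs>,...`; the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the style of spamd "result:" entries, mixed with an
# unrelated MTA line. Hosts, PIDs, users and scores are invented.
SAMPLE_LOG = """\
Dec 20 10:56:44 mx spamd[10257]: spamd: result: Y 17 - BAYES_99,RCVD_IN_XBL,URIBL_BLACK scantime=2.4,size=3120,user=lambda,uid=110,required_score=5.0,autolearn=no
Dec 20 10:56:51 mx spamd[10258]: spamd: result: . 0 -  scantime=0.9,size=1480,user=lambda,uid=110,required_score=5.0,autolearn=no
Dec 20 10:57:02 mx spamd[10257]: spamd: result: . 3 - BAYES_99 scantime=1.2,size=2210,user=lambda,uid=110,required_score=5.0,autolearn=no
Dec 20 10:57:03 mx postfix/smtpd[2211]: connect from unknown[192.0.2.7]
Dec 20 10:57:10 mx spamd[10259]: spamd: result: Y 9 - BAYES_99,RCVD_IN_XBL scantime=3.1,size=5002,user=lambda,uid=110,required_score=5.0,autolearn=no
"""

# Assumed line layout: flag, score, " - ", comma-separated test names (may be
# empty when nothing hit), then the scantime= field.
RESULT_RE = re.compile(
    r"result: (?P<flag>[Y.])\s+(?P<score>-?\d+(?:\.\d+)?) - "
    r"(?P<tests>[\w,]*)\s*scantime=(?P<scantime>\d+(?:\.\d+)?)"
)


def parse_results(lines):
    """Yield (is_spam, score, tests, scantime) for each spamd result line."""
    for line in lines:
        m = RESULT_RE.search(line)
        if m is None:
            continue  # other daemons' log entries are ignored
        tests = [t for t in m.group("tests").split(",") if t]
        yield (
            m.group("flag") == "Y",
            float(m.group("score")),
            tests,
            float(m.group("scantime")),
        )


def hits_report(lines):
    """Count messages per test, messages with no hits, and scan time per test."""
    hits = Counter()
    scantime = Counter()  # seconds spent on messages that hit each test
    messages = 0
    no_hits = 0
    for _is_spam, _score, tests, secs in parse_results(lines):
        messages += 1
        if not tests:
            no_hits += 1
        # A test scores at most once per message, so a hit count is also the
        # number of messages that matched the test.
        for name in set(tests):
            hits[name] += 1
            scantime[name] += secs
    return {
        "messages": messages,
        "no_hits": no_hits,
        "hits": hits,
        "scantime": scantime,
    }


def format_report(report):
    """Render the report as text, most frequently hit test first."""
    out = [f"messages scanned: {report['messages']}",
           f"messages with no hits: {report['no_hits']}"]
    for name, count in report["hits"].most_common():
        share = 100.0 * count / report["messages"]
        out.append(f"{name:<20} {count:>6} {share:6.1f}% "
                   f"{report['scantime'][name]:8.1f}s")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(hits_report(SAMPLE_LOG.splitlines())))
```

To run it over a real log, pass the open file object to `hits_report` in place of the sample lines.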


Re: SpamAssassin 3.2.3 looks for user_prefs in the wrong place

2007-12-20 Thread Remy PORTIER
Hello,

Thank you for your answer.

I agree with you, but there is still something puzzling me.

I have an old SpamAssassin 3.0.3 running on another server.
Pretty much the same configuration (running as user spamassassin,
allow_user_prefs 1, ...).
This old version of SpamAssassin does manage to find the user_prefs files
of my users.

Do you know which version of SpamAssassin made this impossible (possibly
as a consequence of a security fix) ?

Regards.


Matt Kettler wrote:
> R. Portier wrote:
>> Hello,
>>
>> Context
>> ===
>> I use SpamAssassin 3.2.3 on Debian 4.0 i386
>>
>> spamd is invoked with options : -u spamassassin -m 5 -H /etc/spamassassin
>> (-D -u spamassassin -m 5 -H /etc/spamassassin when in debug mode)
>>
>> The home for user spamassassin is /none (this directory does not exist).
>>
>>
>>   
> 
>> Issue
>> =
>> The user_prefs files for my users are not taken into account by SpamAssassin.
>>   
> 
> Well, you've forced spamd to always run as the user "spamassassin" so
> that user's environment will ALWAYS be used, no matter who calls
> spamassassin.
> 
> In order for individual user prefs to occur, spamd must be running as
> root, so that it has sufficient rights to setuid itself to the user
> calling spamc.
> 
>> So SpamAssassin seems to be looking for the user_prefs file in
>> /none/.spamassassin/ !
>>
>> When spamd is running as root (options : -m 5 -H /etc/spamassassin), it
>> works properly (ie the user_prefs file is looked for in
>> /home//.spamassassin/, is found, and is properly processed).
>>
>>
>> Is it a SpamAssassin bug, or am I doing something improperly ?
>>   
> Not a bug. That's by design, and by security requirements of the OS itself.
> 
> The normal user "spamassassin" doesn't have rights to setuid itself to
> arbitrary users without a password, only root has those rights. Once
> spamd setuid's itself to "spamassassin" it can't go back and re-setuid
> itself run as someone else, as the OS would simply deny it.
> 
> 

-- 
   Rémy PORTIER  -  Département de Physique - Ecole Normale Supérieure
Ingénieur Recherche  -  24, Rue Lhomond - 75005 PARIS - France
 --oOOo---  Tél : 01.44.32.25.49
"Not everything that can be counted, counts and not everything that counts
can be counted."  --  Albert EINSTEIN


Re: Is this a wiildcard ?

2007-12-20 Thread Theo Van Dinter
On Thu, Dec 20, 2007 at 04:57:25PM +0100, Chris wrote:
> Just looking through the SA setup on a couple of my accounts, and notice
> in the email filters, that this is in place :
>  
> Destination
> $header_subject: contains "*"  Discard
> 
> Isn't * a wildcard ?  Wouldn't that rule above discard all emails ?

That isn't from a SpamAssassin config, so the meaning isn't clear.  "*" is a
glob character, so could mean "anything".  In regexp "*" means 0 or more of
the thing preceding it, which is nothing, so it's not valid regexp.  It could
also just mean the character "*".

You'd really need to look at the docs for what you're actually looking at to
find out what it means.

-- 
Randomly Selected Tagline:
"the curls in your keyboard cord are losing electricity."
 - Today's BOFH Excuse




Is this a wiildcard ?

2007-12-20 Thread Chris
Hi,

Just looking through the SA setup on a couple of my accounts, and notice
in the email filters, that this is in place :
 
Destination
$header_subject: contains "*"  Discard


Isn't * a wildcard ?  Wouldn't that rule above discard all emails ?

Chris.




Log Basic Message Information to Database

2007-12-20 Thread J.T. Moore
Hello,

Does anyone know of a way to log basic information about messages processed 
by SpamAssassin to a database (ideally mysql)?

The fields I'm interested in logging are:

ip address of remote smtp server
score assigned to message by spamassassin
date and time message was received (processed by spamassassin)

Optionally I'd also like to be able to log:

host name of remote smtp server that was sent in HELO/EHLO command
host name of remote smtp server resolved for remote smtp server's PTR DNS record
email address of sender in smtp envelope
email address of recipient in smtp envelope
original message subject

This would make it easier to create and maintain a black list of remote ip 
addresses that are not allowed to establish a tcp connection to the SMTP server 
and thereby reduce the bandwidth and server resources used to process spam, i.e. 
addresses that have sent a lot of messages receiving a score over a threshold value 
and haven't sent any messages below the threshold during a specified time 
period could be added to hosts.deny or a firewall acl.

Thanks,

J.T.
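
The selection rule described in the message above (addresses with many messages over the threshold and none below it within a time window), as an added Python example that is not from the thread. SQLite stands in for MySQL so the example runs offline; the table name, column names, threshold, window and minimum count are all assumptions, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical schema holding the three required fields from the message.
SCHEMA = """
CREATE TABLE sa_log (
    remote_ip   TEXT NOT NULL,   -- address of the connecting SMTP server
    score       REAL NOT NULL,   -- score assigned by SpamAssassin
    received_at TEXT NOT NULL    -- 'YYYY-MM-DD HH:MM:SS', sorts as text
);
CREATE INDEX sa_log_ip_time ON sa_log (remote_ip, received_at);
"""

NOW = datetime(2007, 12, 20, 12, 0, 0)  # fixed clock for the constructed data


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def log_message(db, remote_ip, score, received_at):
    """Store one scan result. Values are bound as parameters, never pasted
    into the SQL text, because anything taken from mail is untrusted."""
    db.execute(
        "INSERT INTO sa_log (remote_ip, score, received_at) VALUES (?, ?, ?)",
        (remote_ip, score, received_at.isoformat(sep=" ", timespec="seconds")),
    )


def blocklist_candidates(db, now, window=timedelta(days=7),
                         threshold=8.0, min_spam=3):
    """Return (ip, count) for addresses whose every message inside the window
    scored above the threshold, with at least min_spam such messages."""
    since = (now - window).isoformat(sep=" ", timespec="seconds")
    return db.execute(
        """
        SELECT remote_ip, COUNT(*) AS spam_count
        FROM sa_log
        WHERE received_at >= ?
        GROUP BY remote_ip
        HAVING SUM(score <= ?) = 0      -- no message at or below threshold
           AND COUNT(*) >= ?
        ORDER BY spam_count DESC, remote_ip
        """,
        (since, threshold, min_spam),
    ).fetchall()


def load_sample(db, now):
    """Constructed rows using documentation address ranges."""
    rows = [
        # only high scores inside the window: a candidate
        ("192.0.2.10", 12.1, now - timedelta(hours=2)),
        ("192.0.2.10", 9.4, now - timedelta(days=1)),
        ("192.0.2.10", 15.0, now - timedelta(days=3)),
        ("192.0.2.10", 8.7, now - timedelta(days=5)),
        # a low score outside the window does not count against it
        ("192.0.2.10", 0.4, now - timedelta(days=20)),
        # mostly spam, but one legitimate message inside the window: excluded
        ("198.51.100.5", 11.0, now - timedelta(hours=5)),
        ("198.51.100.5", 13.2, now - timedelta(days=1)),
        ("198.51.100.5", 10.5, now - timedelta(days=2)),
        ("198.51.100.5", 0.3, now - timedelta(days=2)),
        # too few messages to judge
        ("203.0.113.9", 14.0, now - timedelta(hours=1)),
        ("203.0.113.9", 9.9, now - timedelta(days=4)),
        # plenty of spam, but all of it older than the window
        ("192.0.2.77", 20.0, now - timedelta(days=30)),
        ("192.0.2.77", 18.0, now - timedelta(days=31)),
        ("192.0.2.77", 19.0, now - timedelta(days=32)),
    ]
    for ip, score, when in rows:
        log_message(db, ip, score, when)
    db.commit()


if __name__ == "__main__":
    conn = open_db()
    load_sample(conn, NOW)
    for ip, count in blocklist_candidates(conn, NOW):
        print(f"{ip}\t{count} messages over threshold, none below")
```

A single legitimate message inside the window keeps an address off the list, which matters for shared relays that carry both spam and real mail.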

Re: False positives with Bayes_99

2007-12-20 Thread John D. Hardin
On Thu, 20 Dec 2007, Merlin wrote:

> I looked it up and found that SpamAssassin believes that it is to
> 99% spam by training from users. I believe there is more to it, as
> I can not believe that users mark such msges as spam.

An unfortunate reality of system administration is that most people 
are idiots.

As a practical note, this is why it is critical to keep the corpus
around if you're doing manual training - so that you can find and fix
mistrained messages, and retrain from scratch if you need to.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 5 days until Christmas



Re: Stop tests when score is high

2007-12-20 Thread OliverScott

Not that I am aware of...

The complication with this would be the order in which tests are carried
out - you might have a genuine email which hits some good and some bad
tests, and if the bad tests are hit first then you might have a problem!

However it is a feature I would like to see as it could be used in
conjunction with the Short Circuit plugin.

I am currently using short circuit to improve spam processing speed. I have
set fast tests and rules with a high accuracy to run first (using a low,
negative, priority), and when specific combinations of rules fire which
should never cause false positives, I then break out of further testing and
classify the email as spam.
-- 
View this message in context: 
http://www.nabble.com/Stop-tests-when-score-is-high-tp14432409p14437413.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: SpamAssassin 3.2.3 looks for user_prefs in the wrong place

2007-12-20 Thread Matt Kettler
R. Portier wrote:
> Hello,
>
> Context
> ===
> I use SpamAssassin 3.2.3 on Debian 4.0 i386
>
> spamd is invoked with options : -u spamassassin -m 5 -H /etc/spamassassin
> (-D -u spamassassin -m 5 -H /etc/spamassassin when in debug mode)
>
> The home for user spamassassin is /none (this directory does not exist).
>
>
>   

>
> Issue
> =
> The user_prefs files for my users are not taken into account by SpamAssassin.
>   

Well, you've forced spamd to always run as the user "spamassassin" so
that user's environment will ALWAYS be used, no matter who calls
spamassassin.

In order for individual user prefs to occur, spamd must be running as
root, so that it has sufficient rights to setuid itself to the user
calling spamc.

> So SpamAssassin seems to be looking for the user_prefs file in
> /none/.spamassassin/ !
>
> When spamd is running as root (options : -m 5 -H /etc/spamassassin), it
> works properly (ie the user_prefs file is looked for in
> /home//.spamassassin/, is found, and is properly processed).
>
>
> Is it a SpamAssassin bug, or am I doing something improperly ?
>   
Not a bug. That's by design, and by security requirements of the OS itself.

The normal user "spamassassin" doesn't have rights to setuid itself to
arbitrary users without a password, only root has those rights. Once
spamd setuid's itself to "spamassassin" it can't go back and re-setuid
itself run as someone else, as the OS would simply deny it.




Re: False positives with Bayes_99

2007-12-20 Thread Matthias Haegele

Merlin wrote:

On Thu, 20 Dec 2007 03:08:34 -0800, "Merlin" <[EMAIL PROTECTED]> said:



On Thu, 20 Dec 2007 11:59:32 +0100, "Matthias Haegele"
<[EMAIL PROTECTED]> said:

Merlin wrote:

Hi there,

I am running a well trusted travel community page that sends system
e-mails like register, notice on comments etc. to its opt-in signed up
users.

Since two days all E-Mails from that server get an additional spam score
of 3.5!! by Bayes_99. I looked it up and found that SpamAssassin believes
that it is to 99% spam by training from users. I believe there is more
to it, as I can not believe that
users mark such messages as spam. I also received another e-mail from
another community page that was marked with Bayes_99 despite that it
never has before. How come?! I looked into several red lists for my
server, but the server is not listed anywhere. The only thing I found is
that the server was not set with "reverse mapping" to the correct
domain, but to the one the hostmaster has set before (it is a root
server). Changed it yesterday to the domain name but still no change
today. Still wrong host. Does this have something to do with Bayes_99?

I am wondering how to get rid of this Bayes_99 thing and how to get to
Bayes_00 that would be more suitable for that e-mail. Do I have to
configure Postfix as the sending instance somehow with anything like
trusted server lists, or with anything else I might have overlooked by
configuring it?

Here is a header of a false positive:

Subject: {SPAM 03.5} Feedback: lost password - please help
X-Spam: spam
X-Spam-score: 3.5
X-Spam-hits: BAYES_99 3.5, BAYES_USED global
X-Spam-source: IP='87.106.60.58',
Host='s15229619.onlinehome-server.info', Country='DE',
  FromHeader='net', MailFrom='net'

Thank you for any help,

afaik the bayes results comes only from manual training and autolearn?
So the reverse dns, missing Pointer record is hit by another rule ...

Perhaps you need to retrain the messages as ham (sa-learn --ham ...).
Or if your bayes-database is completely "poisoned" start from scratch.

Perhaps you could show the bayes_mumble ...


Merlin


--
Greetings & hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Hi,

thank you for your reply. I am not the one who can train it. I am just
running the server with
the community that sends the messages. It is a big problem for me as if
those e-mails do get false
positive no more registration might be possible etc.

The funny thing is, that e-mails with almost identical content (for
example notifications on forum 
replies) from other sites get even a Bayes_00 while mine get Bayes_99

(that is true for the fastmail.fm e-mail
provider). How come? Do you believe it has to do with the content, or
the header? It must be the header as
for example feedback msgs. that I receive through an online form also
get marked with Bayes_99.
The e-mails are sent through the PHPmailer class (opensource). I also
looked there, but could not find a misconfig or so.


Hmm. If you couldn't influence the training process and therefore can't 
rely on it,
you probably don't want to use Bayes scores or at least lower BAYES_99?

Perhaps you would like to use a pastebin service like http://pastebin.com/
and show us some "False Positive Samples" (feel free to exchange 
confidential parts, understandable please).



Thank you for any help,

Merlin



--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Deleting from server

2007-12-20 Thread Matt Kettler
Chris wrote:
> Can anyone let me know how to delete from server, if the score is over
> 8 please ?
>
> Any help appreciated.
>
Spamassassin itself can't delete mail, as it has no control over the
envelope. If it tried, most tools that call SA would assume it crashed
and recover the original, unscanned message, and deliver that. Obviously
not a desired effect.

However, several tools that call SA can be configured to do this based
on SA's scores..

See also this entry, which is linked from the FAQ in the wiki:

http://wiki.apache.org/spamassassin/DeletingAllMailsMarkedSpam

And for reference, the FAQ is:

http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions





Re: Stop tests when score is high

2007-12-20 Thread Matt Kettler
Paolo De Marco wrote:
> Hi.
> Is there a way to stop tests when the score of the mail is higher than
> a value?
>
Not in a general sense, but there is a shortcircuit plugin that can be
used to stop checking when a particular rule hits.
You can also use the rule priority to cause the trusted shortcircuit
rules to run before the rest of the ruleset.

see:

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_Shortcircuit.html


The primary problem with doing this at a score threshold is you never
know if a large negative-scoring rule is going to come by and drive the
score way down. (ie: USER_IN_WHITELIST). So, if you were to stop scoring
at 30 points, you might stop checking a message that is supposed to be
whitelisted, if it managed to score 30 points before the whitelist rule
matched... It's generally a recipe for mistakes, which is why this
feature was removed from SA somewhere around SA 2.3x several years ago..





Re: Deleting from server

2007-12-20 Thread Matthias Haegele

Chris wrote:
> Can anyone let me know how to delete from server, if the score is over 8
> please ?
>
> Any help appreciated.
>
> Chris.

on amavisd-new e. g. look for:

sa_kill_level_deflt = 8.0;

maybe you need to watch:
sa_tag_level*

SA doesn't delete, tagging  that must be done by your filter (procmail, 
maildrop, amavis, whatever).
If SA tags for score 8 right, configure your filter to delete/discard 
the message ...



--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Rise up bayes tests

2007-12-20 Thread Justin Mason

Matthias Haegele writes:
> Paolo De Marco wrote:
> > Hi.
> > Sometimes only bayes tests hit mails, so I receive mail with only bayes 
> > point (for example: X-Spam-Status: No, score=3.5 tagged_above=-999 
> > required=5 tests=[BAYES_99=3.5])
> > Does anyone raise up the score of Bayesian test? Is it safe?
> 
> afaik it is not recommended to raise the Bayes Score
> You could do it but keep in mind if bayes is "misguided" your higher 
> score hits.
> (With a well trained bayes it seems reasonable to me)
> Perhaps you could find some additional rules/network tests ...
> (sare-rules, razor, dcc, pyzor etc (watch licenses if you could use them)).
> 
> On new "few lines text" spam i often get bayes_00 so it is not always 
> useful.

Actually, that's not quite right -- it's perfectly fine to raise the
BAYES_99 score, if you feel you've trained it well enough.

--j.


Deleting from server

2007-12-20 Thread Chris
Can anyone let me know how to delete from server, if the score is over 8
please ?

Any help appreciated.

Chris.
 
 


Re: False positives with Bayes_99

2007-12-20 Thread Merlin

On Thu, 20 Dec 2007 03:08:34 -0800, "Merlin" <[EMAIL PROTECTED]> said:
> 
> 
> 
> On Thu, 20 Dec 2007 11:59:32 +0100, "Matthias Haegele"
> <[EMAIL PROTECTED]> said:
> > Merlin wrote:
> > > Hi there,
> > > 
> > > I am running a well trusted travel community page that sends system
> > > e-mails like register, notice on comments etc. to its opt-in signed up
> > > users.
> > > 
> > > Since two days all E-Mails from that server get an additional spam score
> > > of 3.5!! by Bayes_99. I looked it up and found that SpamAssassin believes
> > > that it is to 99% spam by training from users. I believe there is more
> > > to it, as I can not believe that
> > > users mark such messages as spam. I also received another e-mail from
> > > another community page that was marked with Bayes_99 despite that it
> > > never has before. How come?! I looked into several red lists for my
> > > server, but the server is not listed anywhere. The only thing I found is
> > > that the server was not set with "reverse mapping" to the correct
> > > domain, but to the one the hostmaster has set before (it is a root
> > > server). Changed it yesterday to the domain name but still no change
> > > today. Still wrong host. Does this have something to do with Bayes_99?
> > > 
> > > I am wondering how to get rid of this Bayes_99 thing and how to get to
> > > Bayes_00 that would be more suitable for that e-mail. Do I have to
> > > configure Postfix as the sending instance somehow with anything like
> > > trusted server lists, or with anything else I might have overlooked by
> > > configuring it?
> > > 
> > > Here is a header of a false positive:
> > > 
> > > Subject: {SPAM 03.5} Feedback: lost password - please help
> > > X-Spam: spam
> > > X-Spam-score: 3.5
> > > X-Spam-hits: BAYES_99 3.5, BAYES_USED global
> > > X-Spam-source: IP='87.106.60.58',
> > > Host='s15229619.onlinehome-server.info', Country='DE',
> > >   FromHeader='net', MailFrom='net'
> > > 
> > > Thank you for any help,
> > 
> > afaik the bayes results comes only from manual training and autolearn?
> > So the reverse dns, missing Pointer record is hit by another rule ...
> > 
> > Perhaps you need to retrain the messages as ham (sa-learn --ham ...).
> > Or if your bayes-database is completely "poisoned" start from scratch.
> > 
> > Perhaps you could show the bayes_mumble ...
> > 
> > > Merlin
> > 
> > 
> > -- 
> > Greetings & hth
> > MH
> > 
> > 
> > Dont send mail to: [EMAIL PROTECTED]
> > --
> > 
> 
> 
> Hi,
> 
> thank you for your reply. I am not the one who can train it. I am just
> running the server with
> the community that sends the messages. It is a big problem for me as if
> those e-mails do get false
> positive no more registration might be possible etc.
> 
> The funny thing is, that e-mails with almost identical content (for
> example notifications on forum 
> replies) from other sites get even a Bayes_00 while mine get Bayes_99
> (that is true for the fastmail.fm e-mail
> provider). How come? Do you believe it has to do with the content, or
> the header? It must be the header as
> for example feedback msgs. that I receive through an online form also
> get marked with Bayes_99.
> The e-mails are sent through the PHPmailer class (opensource). I also
> looked there, but could not find a misconfig or so.
> 
> Thank you for any help,
> 
> Merlin
> -- 
>   Merlin
>   [EMAIL PROTECTED]
> 
> -- 
> http://www.fastmail.fm - A no graphics, no pop-ups email service
> 



Hi,

thank you for your reply. I am not the one who can train it. I am just
running the server with
the community that sends the messages. It is a big problem for me as if
those e-mails do get false
positive no more registration might be possible etc.

The funny thing is, that e-mails with almost identical content (for
example notifications on forum
replies) from other sites get even a Bayes_00 while mine get Bayes_99
(that is true for the fastmail.fm e-mail
provider). How come? Do you believe it has to do with the content, or
the header? It must be the header as
for example feedback msgs. that I receive through an online form also
get marked with Bayes_99.
The e-mails are sent through the PHPmailer class (opensource). I also
looked there, but could not find a misconfig or so.

Thank you for any help,

Merlin
-- 
  Merlin
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - A no graphics, no pop-ups email service



Re: Rise up bayes tests

2007-12-20 Thread Matthias Haegele

Paolo De Marco wrote:
> Hi.
> Sometimes only bayes tests hit mails, so I receive mail with only bayes 
> point (for example: X-Spam-Status: No, score=3.5 tagged_above=-999 
> required=5 tests=[BAYES_99=3.5])
>
> Does anyone raise up the score of Bayesian test? Is it safe?

afaik it is not recommended to raise the Bayes Score
You could do it but keep in mind if bayes is "misguided" your higher 
score hits.
(With a well trained bayes it seems reasonable to me)
Perhaps you could find some additional rules/network tests ...
(sare-rules, razor, dcc, pyzor etc (watch licenses if you could use them)).

On new "few lines text" spam I often get bayes_00 so it is not always 
useful.








--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: False positives with Bayes_99

2007-12-20 Thread Matthias Haegele

Merlin wrote:

Hi there,

I am running a well trusted travel community page that sends system
e-mails like register, notice on comments etc. to its opt-in signed up
users.

Since two days all E-Mails from that server get an additional spam score
of 3.5!! by Bayes_99. I looked it up and found that SpamAssassin believes
that it is to 99% spam by training from users. I believe there is more
to it, as I can not believe that
users mark such messages as spam. I also received another e-mail from
another community page that was marked with Bayes_99 despite that it
never has before. How come?! I looked into several red lists for my
server, but the server is not listed anywhere. The only thing I found is
that the server was not set with "reverse mapping" to the correct
domain, but to the one the hostmaster has set before (it is a root
server). Changed it yesterday to the domain name but still no change
today. Still wrong host. Does this have something to do with Bayes_99?

I am wondering how to get rid of this Bayes_99 thing and how to get to
Bayes_00 that would be more suitable for that e-mail. Do I have to
configure Postfix as the sending instance somehow with anything like
trusted server lists, or with anything else I might have overlooked by
configuring it?

Here is a header of a false positive:

Subject: {SPAM 03.5} Feedback: lost password - please help
X-Spam: spam
X-Spam-score: 3.5
X-Spam-hits: BAYES_99 3.5, BAYES_USED global
X-Spam-source: IP='87.106.60.58',
Host='s15229619.onlinehome-server.info', Country='DE',
  FromHeader='net', MailFrom='net'

Thank you for any help,


afaik the bayes results comes only from manual training and autolearn?
So the reverse dns, missing Pointer record is hit by another rule ...

Perhaps you need to retrain the messages as ham (sa-learn --ham ...).
Or if your bayes-database is completely "poisoned" start from scratch.

Perhaps you could show the bayes_mumble ...


Merlin



--
Greetings & hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



False positives with Bayes_99

2007-12-20 Thread Merlin
Hi there,

I am running a well trusted travel community page that sends system
e-mails like register, notice on comments etc. to its opt-in signed up
users.

Since two days all E-Mails from that server get an additional spam score
of 3.5!! by Bayes_99. I looked it up and found that SpamAssassin believes
that it is to 99% spam by training from users. I believe there is more
to it, as I can not believe that
users mark such messages as spam. I also received another e-mail from
another community page that was marked with Bayes_99 despite that it
never has before. How come?! I looked into several red lists for my
server, but the server is not listed anywhere. The only thing I found is
that the server was not set with "reverse mapping" to the correct
domain, but to the one the hostmaster has set before (it is a root
server). Changed it yesterday to the domain name but still no change
today. Still wrong host. Does this have something to do with Bayes_99?

I am wondering how to get rid of this Bayes_99 thing and how to get to
Bayes_00 that would be more suitable for that e-mail. Do I have to
configure Postfix as the sending instance somehow with anything like
trusted server lists, or with anything else I might have overlooked by
configuring it?

Here is a header of a false positive:

Subject: {SPAM 03.5} Feedback: lost password - please help
X-Spam: spam
X-Spam-score: 3.5
X-Spam-hits: BAYES_99 3.5, BAYES_USED global
X-Spam-source: IP='87.106.60.58',
Host='s15229619.onlinehome-server.info', Country='DE',
  FromHeader='net', MailFrom='net'

Thank you for any help,

Merlin
-- 
  Merlin
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - One of many happy users:
  http://www.fastmail.fm/docs/quotes.html



SpamAssassin 3.2.3 looks for user_prefs in the wrong place

2007-12-20 Thread R. Portier
Hello,

Context
===
I use SpamAssassin 3.2.3 on Debian 4.0 i386

spamd is invoked with options : -u spamassassin -m 5 -H /etc/spamassassin
(-D -u spamassassin -m 5 -H /etc/spamassassin when in debug mode)

The home for user spamassassin is /none (this directory does not exist).


my /etc/procmailrc :

# SpamAssassin
:0fw
* < 20
| /usr/bin/spamc



my /etc/spamassassin local.cf :
---
required_score 5.0
rewrite_header subject *SPAM*
#
bayes_auto_learn 0
bayes_file_mode 0777
use_auto_whitelist 0
allow_user_rules 1
#
trusted_networks 129.199.112/20 129.199.96/24
internal_networks 129.199.112/20
#
dcc_path /usr/bin/dccproc
pyzor_options --homedir /etc/mail/spamassassin
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf


Issue
=
The user_prefs files for my users are not taken into account by SpamAssassin.

When invoking SpamAssassin in debugging mode, I get :

(...)
Dec 20 10:56:43  spamd[10239]: prefork: ordered 10257 to accept
Dec 20 10:56:43  spamd[10239]: prefork: sysread(7) not ready, wait
max 300 secs
Dec 20 10:56:43  spamd[10257]: spamd: connection from localhost
[127.0.0.1] at port 60395
Dec 20 10:56:43  spamd[10257]: config: read_scoreonly_config:
cannot open "/none/.spamassassin/user_prefs": No such file or directory
Dec 20 10:56:43  spamd[10257]: info: user has changed
Dec 20 10:56:43  spamd[10239]: prefork: child 10257: entering state 2
Dec 20 10:56:43  spamd[10239]: prefork: new lowest idle kid: 10258
Dec 20 10:56:43  spamd[10257]: config: mkdir /none/.spamassassin
failed: mkdir /none: Permission denied at
/usr/share/perl5/Mail/SpamAssassin.pm line 1576
Dec 20 10:56:43  spamd[10257]: config: Permission denied
Dec 20 10:56:43  spamd[10257]: bayes: no dbs present, cannot tie
DB R/O: /none/.spamassassin/bayes_toks
Dec 20 10:56:43  spamd[10257]: config: score set 1 chosen.
Dec 20 10:56:43  spamd[10257]: spamd: running as uid 110
Dec 20 10:56:43  spamd[10257]: dns: name server: xxx.xxx.xxx.xxx,
LocalAddr: 0.0.0.0
Dec 20 10:56:43  spamd[10257]: message: main message type: text/plain
Dec 20 10:56:43  spamd[10257]: spamd: processing message
<[EMAIL PROTECTED]> for lambda:110
Dec 20 10:56:43  spamd[10257]: bayes: no dbs present, cannot tie
DB R/O: /none/.spamassassin/bayes_toks
Dec 20 10:56:43  spamd[10257]: received-header: parsed as [
ip=127.0.0.1 rdns=localhost helo=localhost by= ident= envfrom=
intl=0 id=0B4B457A0E auth= msa=0 ]
(...)

So SpamAssassin seems to be looking for the user_prefs file in
/none/.spamassassin/ !

When spamd is running as root (options : -m 5 -H /etc/spamassassin), it
works properly (ie the user_prefs file is looked for in
/home//.spamassassin/, is found, and is properly processed).


Is it a SpamAssassin bug, or am I doing something improperly ?


Regards.



Re: Bounce notification

2007-12-20 Thread Graham Murray
dvesely <[EMAIL PROTECTED]> writes:

> What's the best way to setup bounce notification?

The best way is to not bounce at all but reject with a 5xx code during
the SMTP conversation. Though be careful to only do this at 'border'
MTAs (those listed in the MX records for the destination domain) not on
internal servers.


Stop tests when score is high

2007-12-20 Thread Paolo De Marco

Hi.
Is there a way to stop tests when the score of the mail is higher than a 
value?


Rise up bayes tests

2007-12-20 Thread Paolo De Marco

Hi.
Sometimes only bayes tests hit mails, so I receive mail with only bayes 
point (for example: X-Spam-Status: No, score=3.5 tagged_above=-999 
required=5 tests=[BAYES_99=3.5])

Does anyone raise up the score of Bayesian test? Is it safe?

--
Paolo De Marco
Real Comm srl
Tel. +39 0434 923134