Re: Quick Postfix Question [OT]

2008-02-28 Thread Benny Pedersen

 rbl=hostkarma.junkemailfilter.com/127.0.0.1; action=OK whitelisted

suggest change OK to permit_auth_destination or DUNNO

 rbl=hostkarma.junkemailfilter.com/127.0.0.2; action=REJECT blacklisted
 rbl=hostkarma.junkemailfilter.com/127.0.0.3; action=PREPEND X-Karma: yellow

 .. among many other things that are possible.

:-)



RE: Too false negative

2008-02-28 Thread Rocco Scappatura
 --[ UxBoD ]-- wrote:
  policyd works a treat :) V2 is also in development as well.

 
 it's not the same. I don't know why they call it V2.
 As far as I know, Cami is no more involved. so I would stick 
 with the current (which is a single C threaded program).

So you still prefer policyd not policydV2..

Some questions:

- Does any web interface for policyd exist?
- I have different SMTP gateways, on each of which I have to install
policyd. Is it possible to share a single DB between the different
policyd servers?

For other possible question I will refer to policyd ML. :-)

Thanks,

rocsca


Bayes R/W lock failed

2008-02-28 Thread Massimiliano Marini
Debian - SA 3.2.4

In my log I found a lot of messages like this:

Feb 28 05:42:32 server spamd[9351]: bayes: cannot open bayes
databases /home/spamassassin/.spamassassin/bayes_* R/W: lock failed:
File exists

How can I solve this problem?

local.cf
rewrite_header Subject *SPAM*
report_safe 0
required_score 4

use_bayes 1
bayes_auto_learn 1
bayes_auto_expire 0
bayes_learn_to_journal 1
bayes_journal_max_size 0

Could (lock failed) be the cause of: 
X-Spam-Status: No, hits=? required=?

--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
It's easier to invent the future than to predict it.  -- Alan Kay


Re: What is a pid file

2008-02-28 Thread --[ UxBoD ]--
Process Identifier.

When any process is forked (started) it will have unique number associated with 
it.  It will also have a PPID (Parent Process Identifier) ie. what was the 
process that forked the child.

http://en.wikipedia.org/wiki/Process_identifier

Regards,

-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- Agnello George [EMAIL PROTECTED] wrote:

 while starting spamd i was recommended to use the -r switch which Write
 the process id to pidfile
 
 Now!! what is a pidfile ... can't find much on google
 
 can any one help me with this basic stuff !!
 
 thanks !!

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: What is a pid file

2008-02-28 Thread --[ UxBoD ]--
Pidfile holds the PID of the forked process ie. /var/run/MailScanner.pid

Regards,

-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- Agnello George [EMAIL PROTECTED] wrote:

 while starting spamd i was recommended to use the -r switch which Write
 the process id to pidfile
 
 Now!! what is a pidfile ... can't find much on google
 
 can any one help me with this basic stuff !!
 
 thanks !!




What is a pid file

2008-02-28 Thread Agnello George
while starting spamd i was recommended to use the -r switch which  Write the
process id to pidfile

Now!!  what is a pidfile ... can't find much on google

can any one help me with this basic stuff !!

thanks !!
-- 
Regards
Agnello Dsouza
www.linux-vashi.blogspot.com
www.bible-study-india.blogspot.com


Re: Bayes R/W lock failed

2008-02-28 Thread Matt Kettler

Massimiliano Marini wrote:

Debian - SA 3.2.4

In my log I found a lot of messages like this:

Feb 28 05:42:32 server spamd[9351]: bayes: cannot open bayes
databases /home/spamassassin/.spamassassin/bayes_* R/W: lock failed:
File exists

How can I solve this problem?
  
If it's sporadic, that's not a problem. SA tried to get a read-write 
lock on the bayes DB, presumably for autolearning or autoexpiry, but 
some other SA instance may have had it.


Rather than block your mail queue, SA gave up.

This is only a problem if it happens *every* time SA tries to autolearn, 
in which case your rights aren't set up to allow writing of the files, 
only reading.



local.cf
rewrite_header Subject *SPAM*
report_safe 0
required_score 4

use_bayes 1
bayes_auto_learn 1
bayes_auto_expire 0
bayes_learn_to_journal 1
bayes_journal_max_size 0

Could (lock failed) be the cause of: 
X-Spam-Status: No, hits=? required=?
  
no. That would be caused by a timeout or over-sized message that didn't 
get scanned.




increase telnet session count

2008-02-28 Thread Agnello George
HI
I want to increase the telnet session count from default 30 sec to 120 sec
how do i do this

can some one help me here
-- 
Regards
Agnello Dsouza
www.linux-vashi.blogspot.com
www.bible-study-india.blogspot.com


Yahoo calendar invite spams

2008-02-28 Thread ram
I am not really sure this is spam 

https://ecm.netcore.co.in/tmp/spammail_calendar.txt

This looks like a simple mail to me .. but the user says it is spam. The
text of the mail too is highly suspicious. 

Are you folks getting such mails 


Thanks
Ram




timeout-problem

2008-02-28 Thread Johann Spies
On a new mailserver with 8Gb ram and 2xdual-core CPU's we get regular
messages in the log:

Feb 28 12:52:43 mail2 spamd[32558]: prefork: child states: BIBBB
Feb 28 12:52:44 mail2 spamd[459]: rules: failed to run TVD_STOCK1 test, 
skipping:
Feb 28 12:52:44 mail2 spamd[459]:  (child processing timeout at /usr/sbin/spamd 
line 1246.
Feb 28 12:52:44 mail2 spamd[459]: )

And every time it involves TVD_STOCK1.

Is this a bug in Spamassassin or in the rule? How do I fix it?

Version:  3.2.3-0.volatile1 (on Debian Stable).

Defaults: OPTIONS=--create-prefs --max-children 15 --helper-home-dir

Regards

Johann



-- 
Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit
van Stellenbosch

 These things have I written unto you that believe on 
  the name of the Son of God; that ye may know that ye 
  have eternal life, and that ye may believe on the name
  of the Son of God.I John 5:13 




RCVD_IN_PBL and webmail

2008-02-28 Thread R.Smits
Hello,

We have a problem that is very annoying. Let me explain it.

Our organisation is using spamassassin with the check for RCVD_IN_PBL.
Now if one of our users is using webmail (exchange) and sends an email
outside the organisation, it gets points for this. (If their provider is
on the PBL)

Internally we don't check spam :
amavisd.conf

$policy_bank{'MYNETS'} = {
 bypass_spam_checks_maps => [[qw( .domain.nl .domain.net )]],
 final_spam_destiny => D_BOUNCE,
 virus_admin_maps => ['[EMAIL PROTECTED]'],
};


But as you can see, it gets bounced if it gets too many points.

How can we prevent this ?
The first IP number from the user is in the header of the mail.

Currently we use the XBL-SBL as postfix smtp block :

smtpd_client_restrictions =
reject_rbl_client sbl-xbl.spamhaus.org

What would happen if we put the PBL also in this list.
The email is already in our network, so strange things will happen ?? :-)

Greetings, and thanks for any help..

Richard Smits
TU-Delft


Vista Obfuscation

2008-02-28 Thread Samuel Krieg

Hi there,

I'm trying to create a rule to identify \/ista (with backslash + slash).

This does not seem to work:

body    WNG_OBFUVISTA   /\b\\\/ista\b/i
score   WNG_OBFUVISTA   1


Any idea?
Thanks.

--
Samuel Krieg


Re: Vista Obfuscation

2008-02-28 Thread Karsten Bräckelmann
On Thu, 2008-02-28 at 14:26 +0100, Samuel Krieg wrote:
 I'm trying to create a rule to identify \/ista (with backslash + slash).
 
 This does not seem to work:
 
 body  WNG_OBFUVISTA   /\b\\\/ista\b/i
   
The backslash is not a word character. Thus, the \b word boundary
requires a word immediately preceding this (rather than a non-word). In
other words, this would fire only, if there is a char before this. It
will not, if it occurs after a space or at the beginning of the string.

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: --max-children setting, consider raising it

2008-02-28 Thread Michelle Konzack
On 2008-02-25 23:28:39, fchan wrote:
 Hi,
 I don't mind taking RAM since I have 3GB. I can raise the amount of 
 child processes and I wanted to find out how much RAM does each child 
 takes so I can decide how many max children to raise it without 
 killing my system. Also I would like to check where to raise the 
 max-child  and I was doing in my /etc/rc.d/init.d/spamd on my RedHat 
 linux system.
 spamd -d -m 20 -H
 
 I'm having 20 max child processes now and curious why I'm still 
 seeing these messages.

My courier server has been setup to 100 and SA is set
to 25 which works well and I see the messages too.

Don't worry about it.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: Pbl.spamhaus.org down?

2008-02-28 Thread Michelle Konzack
On 2008-02-25 16:29:41, Matus UHLAR - fantomas wrote:
 On 25.02.08 11:00, Sven Rudolph wrote:
  Corporation(Business) is $16,800 per year, not $168,000.
 
 which is still too much for our company for example :-S

If you have 100.000 Users/Customers, it is only
1400 US$/month or 0.014 US$/User/Month.

I have only 43.000 USER but the service is it worth.

spamhaus is a very good service and drop per day over
14.000.000 spams where most coming from the USA

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: google running an open relay?

2008-02-28 Thread Michelle Konzack
Hello *,

On 2008-02-26 07:36:23, Michael Scheidell wrote:
  If this was too much information, my apologies
  
 So, bottom line, either they are running an open relay (since we can 'be
 assured that it did not originate with Google'), or they lie.
 
 I guess with a company the size of Google, we will be forced to eat our spam
 and love it.
 
 Reminds me of the droidbot responses I got from yahoo with DKIM signed email
 originating with yahoo telling me that the email didn't come from yahoo.
 
 Too bad yahoo and google are too high and mighty to actually care about spam
 complaints.
 
 (anyone here been on the net long enough to remember the 'bimbo' usenet
 spams? What was the name of that big famous company that refused to deal
 with them? Sorry, I don't remember, they aren't around anymore)

My official E-Mail-Address (from which I am sending this message)
is hit by currently 2.000 to 63.000 spams per day and I get between
50 and 3000 over verified gmail accounts.

Also I am owner of (currently) 50 Mailservers worldwide with in summary
70.000 clients and I am hit by over 6million spams per day where over
150.000 coming from gmail accounts

One of the biggest pigs is [EMAIL PROTECTED] or [EMAIL PROTECTED]
and I have sent over 800 messages to [EMAIL PROTECTED] and get only
automated responses...  and wieseltux is continuing to spam my E-Mail
and hundreds of mailinglists...

I think, I will setup a BOT to get rid of those gmail spams and hit ANY
gmail/google/googlegroups employees I can find...

I have done this with rejected messages from uol.com.br long time ago
and it was working fine

(The owner of the E-Mail has forwarded an account which he/she use on
Debian-ML and the UOL has rejected those messages and created several
100.000 spams;  And of course, UOL is one of the BIGGER Brazilian ISP's)

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: [OT] Yahoo Deferred

2008-02-28 Thread Michelle Konzack
Hello Michael,

On 2008-02-26 11:16:35, Michael Hutchinson wrote:
 I have tried different approaches, and let us not forget I have filled
 out 3 whitelist forms, and received no response from Yahoo. Their
 service is breaking RFC's by not delivering mail. They are ignorant
 towards other companies trying to use their service. 

I have heavy issues with HOTMAIL since they reject ANY legitimate messages
as SPAM without any reason.  All of my 50 Servers are worldwide and in
different subnets.  It is nearly impossible that all 50 Servers have
spammed HOTMAIL, since my servers accept only authenticated SMTP from
clients.

I am not registered on ANY blacklists (except sorbs which is a crap
service billing innocent ISP's and peoples instead of spammers) but can
not send to my customers using HOTMAIL addresses.

Since hotmail.fr exists, I am looking for the FRENCH legal address and
I will sue them since in Europe, E-Mail is falling under the
Post-Telecommunication Law, which means, rejecting legitimate messages is
like, the French Post is rejecting any Letters coming from the USA.

And another problem is, that because of HOTMAIL I have already lost
money...   And you know, ISP-Business is hard!

 Do away with Yahoo.

FullACK!  ...but add at least Hotmail too!

 Setup mail on your own domains for your users. Even if it means
 creating separate home addresses if they want them. 
 
 Even having two addresses at one domain for one person is better than
 having to deal with Yahoo.
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]

Most ISP's worldwide are offering an E-Mail
where you can put ALIASES on it...

 Personally, I'd rather blacklist the whole yahoo domain, and tell our
 clients that Yahoo is not an acceptable email address, that they will
 need a real one.

As I have written in a previous message:  Since I can not reach my
customers using hotmail.com I reject all messages from them and
leave a message to let them know WHY.

And yes, this bounces are working fine and going correctly back to
the sending hotmail.com account...  Now, my Cell-Phone is smoking
from international calls and they do not understand WHY I can not
send messages to them...

 A real one - that delivers and receives mail, like a mail server
 should.

:-)

In some weeks I am offering (not free but cheap) E-Mail-Accounts for
1 Euro/month and 50 MByte Mailbox with 5 Aliases...

BUT ONLY FOR PEOPLES WHICH AUTHENTICATE THEM SELF WITH AN OFFICIAL ID.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: [OT] Yahoo Deferred

2008-02-28 Thread Michelle Konzack
Hello Tom,

On 2008-02-25 11:54:24, Tony Bunce wrote:
 Sorry for the Off Topic thread but I'm at a loss.
 
 Is anyone else having issues sending mail to Yahoo?

I have since around 5 weeks the same issues with hotmail.com rejecting
ANY messages as spam with unknown reason.   

 I've filled out every form on the yahoo support site without any luck
 at all.  Anyone else seeing this problem or know of a way to get to a
 real person at yahoo?  There are a few reports online that yahoo has a

Same here with Hotmail.

I can not more reach any customers using Hotmail...

 paid support phone number that will fix the problem but no one list a
 phone number, and as much as I don't want to pay yahoo just to accept
 my messages  I'm running out  of options and the customer complaints
 are getting more frequent every day.

To let my customers know, that there is a problem, I reject the messages
from them with a reason and let them know, that they have to contact
Hotmail to get this problem solved...

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: Variable subject line spam.

2008-02-28 Thread Michelle Konzack
On 2008-02-25 15:56:50, fchan wrote:
 Hi,
 I'm getting a lot of these February 77% OFF or variations (ie January 73% 
 OFF and my guess March 75% OFF next month) thereof in the subject 
 line for spam. The body always changes so I can't really key on this. 
 I would like to make rule that subject line filter this type of spam.
 
 Thank you in advance,
 Frank

I get them too, but very rarely.

On the other hand I get per day over 700 Backscatters of this
subject which mean, Spammers are using MY E-Mail address.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: Vista Obfuscation

2008-02-28 Thread Samuel Krieg

Karsten Bräckelmann wrote:

On Thu, 2008-02-28 at 14:26 +0100, Samuel Krieg wrote:

I'm trying to create a rule to identify \/ista (with backslash + slash).

This does not seem to work:

body    WNG_OBFUVISTA   /\b\\\/ista\b/i

   
The backslash is not a word character. Thus, the \b word boundary
requires a word immediately preceding this (rather than a non-word). In
other words, this would fire only, if there is a char before this. It
will not, if it occurs after a space or at the beginning of the string.

  guenther




Hi Guenther,

Thanks for your explanation. I've been used to add \b on every rule.

May I replace it with (\W|^) to get nearly the same effect?

Like /(\W|^)\\\/ista\b/i

--
Samuel Krieg


How to properly teach SA to recognise the spam that is still getting through, despite the rules updates

2008-02-28 Thread Olaf Greve
Hi,

Firstly: I'm new to this list and also pretty new to SA in general. I did try 
to find the answers to my questions in the FAQ, but haven't succeeded beyond 
all doubt at doing so. I do hope, however, that I'm not flogging a dead horse 
with my below questions (which appear at the end of the message)...:P

Secondly, I'd like to say that SA is a *great* tool, and that Internet-life 
is much better with it, than it used to be without it! :P

The situation:
I run a FreeBSD 5.4-release AMD-64 based server, on which I have installed SA 
(identified by pkg_info as: p5-Mail-SpamAssassin-3.2.4_2) through Amavisd-new 
(precise version, according to pkg_info: amavisd-new-2.5.2,1), which is being 
invoked after mail arrives on the RX side of Sendmail. The RX daemon is split 
in two, and tunnels the mail locally through amavisd-new (using clamd and SA), 
and all mail that passes the tests gets delivered, and the rest goes directly 
to the quarantine.

The problem:
The above set-up was working fine (using SA 3.2.3) for several months, and 
virtually no spam got through. However, all of a sudden since some two weeks 
I'm getting about 100 spam mails per day again, and these seem to include spam 
mails that I have previously seen being filtered out... Still, by far most of 
the spam does get filtered out, but for some reason (perhaps spammers finding 
ways around SA?) more and more spam is getting through again.

My approach so far:
Figuring SA or the rules to be outdated (despite the twice-weekly call to 
sa-update from cron), I first updated SA to 3.2.4. (and performed an sa-update 
too), but to no real avail: the same amount of spam seemed to be getting 
through. I then checked into additional channels, and soon came across the SARE 
(based) ones. I decided to add the saupdates.openprotect.com channel, but still 
the same amount of spam seems to get through.

The way I perform my updates are as follows:

Cron call:
23 3 * * 2,5 /usr/local/bin/sa-update --allowplugins --gpgkeyfile /root/sa_pgp_keys --channelfile /root/sa_channels && /usr/local/etc/rc.d/sa-spamd.sh restart > /dev/null

(yes, I realise spamd is not actually used by amavisd-new, but I decided to 
have it running anyway)

My /root/sa_channels file contains the following:
saupdates.openprotect.com
updates.spamassassin.org

Now, my questions are:
1-Am I doing anything wrong, or am I grossly overlooking something?
2-I've never tried to teach SA about which messages are spam and which are ham. 
From what I gather from the website, I need to set-up a mailbox with solely 
spam and feed that to sa-learn, and then do the same for a mailbox containing 
solely ham. However, how can I best go about this? Once spam is misidentified, 
it gets mixed in the live mailboxes with ham, so I wouldn't want to classify 
all of it as either ham or spam... Then, I did keep the spam messages from the 
last few days. Can I perhaps (manually) forward those to a local mailbox, and 
then run sa-learn on that mailbox, getting it successfully identified as spam, 
or will that not work due to the new mail headers added by the forward action 
from my mail client?
3-Are there perhaps other good (preferably automatic ways) to tell SA about 
what is spam, and what isn't?
4-Are there perhaps other very efficient rules channels that you can recommend 
me to add (like using the full set of SARE rules, rather than the openprotect 
subset of it)?
5-Just a theory, but is it perhaps possible that SA somehow misidentified a 
spam message as being ham, and that all messages that are similar to that 
particular spam message are now being misidentified as ham, hence all getting 
through?

Any and all feedback will be greatly appreciated, and I would like to thank you 
all for taking the time to read this e-mail and address the questions raised in 
it.

With kind regards,
Olaf Greve

AWL - BAYES_99/ general questions

2008-02-28 Thread Randy Ramsdell

Hi,

One thing I do not understand regarding AWL and BAYES. When a message is 
reported to me as spam and was not marked as spam, I test it using debug 
before and after sa-learn. Each time I do this, BAYES_99 does hit, but 
they will also include AWL.


1. Does anyone understand why this happens?
2. I also noticed that when using spamassassin -D on a message, I 
sometimes see a nice report like below (2nd example) but other times it 
doesn't show report formatted. Any ideas on this one?


Here is an example of two spam report headers for the same message.

Before sa-learn:

X-Spam-Status: No, score=3.982 tagged_above=- required=5
tests=[ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841]
X-Spam-Score: 3.982
X-Spam-Level: ***

After sa-learn:

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.1 SUB_HELLO              Subject starts with Hello
 0.8 UNDISC_RECIPS          Valid-looking To undisclosed-recipients
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 ADVANCE_FEE_1          Appears to be advance fee fraud (Nigerian 419)
-1.2 AWL                    AWL: From: address is in the auto white-list

Thanks,
Randy Ramsdell


Re: Vista Obfuscation

2008-02-28 Thread Karsten Bräckelmann
On Thu, 2008-02-28 at 15:02 +0100, Samuel Krieg wrote:
 Karsten Bräckelmann wrote:
  On Thu, 2008-02-28 at 14:26 +0100, Samuel Krieg wrote:
  I'm trying to create a rule to identify \/ista (with backslash + slash).
 
  This does not seem to work:
 
  body  WNG_OBFUVISTA  /\b\\\/ista\b/i
 
  The backslash is not a word character. Thus, the \b word boundary
  requires a word immediately preceding this (rather than a non-word). In
  other words, this would fire only, if there is a char before this. It
  will not, if it occurs after a space or at the beginning of the string.

 Thanks for your explanation. I've been used to add \b on every rule.
 
 May I replace it with (\W|^) to get nearly the same effect?
 Like /(\W|^)\\\/ista\b/i

If you want to enforce a non-word char preceding this, the \W is fine.

However, the alternate anchor at the beginning of the string probably
will be rather useless. From the fine docs [1], body rule definitions:
  All HTML tags and line breaks will be removed before matching.

I guess it pretty much depends on what you actually want to catch. You
do have a spample to run your rule against, right? Also, do you really
mean to match against the body (all textual parts), or do you mean to
trigger on the Subject only (which is part of a body rule, FWIW)?

  guenther


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
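
The word-boundary behaviour discussed in this thread, as an added example that is not part of any poster's message. Python's `re` treats `\b`, `\W` and `^` here the same way as the Perl regexes SpamAssassin uses; the sample strings are constructed, and the lookbehind variant is an addition that nobody in the thread proposed.

```python
import re

# Constructed sample text, roughly as a rendered message body would read.
SAMPLES = {
    "after_space":     r"Buy cheap \/ista today",
    "start_of_text":   r"\/ista for less",
    "after_word_char": r"cheap\/ista today",
    "plain_word":      r"a nice vista view",
    "longer_token":    r"get \/istaprint now",
}

# The SpamAssassin rule writes the slash as \/ only because / is the regex
# delimiter there; in Python the slash needs no escape.
PATTERNS = {
    # Samuel's original rule: \b in front of a backslash.
    "original":         r"\b\\/ista\b",
    # Samuel's proposed replacement: a non-word char or start of string.
    "nonword_or_start": r"(\W|^)\\/ista\b",
    # Added variant (not from the thread): zero-width "no word char before".
    "lookbehind":       r"(?<!\w)\\/ista\b",
}


def hits(pattern_name):
    """Return the names of the samples that the named pattern matches."""
    rx = re.compile(PATTERNS[pattern_name], re.IGNORECASE)
    return {name for name, text in SAMPLES.items() if rx.search(text)}


def matched_text(pattern_name, sample_name):
    """Return the exact substring matched, or None if there is no match."""
    m = re.search(PATTERNS[pattern_name], SAMPLES[sample_name], re.IGNORECASE)
    return m.group(0) if m else None


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:17} {pattern:22} hits: {sorted(hits(name))}")
    # \b sits between a word char and a non-word char. The backslash is a
    # non-word char, so the leading \b only holds when a word char precedes
    # it, which is the opposite of what the rule was meant to require.
    print(repr(matched_text("original", "after_word_char")))
    # (\W|^) consumes the preceding character; the lookbehind does not.
    print(repr(matched_text("nonword_or_start", "after_space")))
    print(repr(matched_text("lookbehind", "after_space")))
```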



Re: Bayes R/W lock failed

2008-02-28 Thread Massimiliano Marini
 If it's sporadic, that's not a problem. SA tried to get a read-write 
 lock on the bayes DB, presumably for autolearning or autoexpiry, but 
 some other SA instance may have had it.
 
 Rather than block your mail queue, SA gave up.
 
 This is only a problem if it happens *every* time SA tries to
 autolearn, in which case your rights aren't set up to allow writing
 of the files, only reading.

When the bayes.lock is created it remains ever, I must delete it
manually and then restart /etc/init.d/spamd restart.

Before spamd restart if I type netstat -at I see a lot of spamd
connections.

My dir: /home/spamassassin/.spamassassin
-rw---  1 spamd spamd 40169472 Feb 28 15:45 auto-whitelist
-rw---  1 spamd spamd   339832 Feb 28 15:45 bayes_journal
-rw---  1 spamd spamd 10510336 Feb 28 11:53 bayes_seen
-rw---  1 spamd spamd 83533824 Feb 28 11:53 bayes_toks

Maybe the file dimensions are too big or what else?

 no. That would be caused by a timeout or over-sized message that
 didn't get scanned.

Where can I check the size and timeout of a message?

--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
It's easier to invent the future than to predict it.  -- Alan Kay


the perils of forgetting \b (fwd)

2008-02-28 Thread Justin Mason
http://thedailywtf.com/Articles/The-Clbuttic-Mistake-.aspx

  'People who make buttumptions about their regex scripts, will be
  embarbutted when they repeat this mbuttive mistake.'



--j.


Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Jari Fredriksson
 Hi,
 
 One thing I do not understand regarding AWL and BAYES.
 When a message is reported to me as spam and was not
 marked as spam, I test it using debug before and after
 sa-learn. Each time I do this, BAYES_99 does hit, but
 they will also include AWL. 
 
 1. Does anyone understand why this happens?
 2. I also noticed that when using spamassassin -D on a
 message, I sometimes see a nice report like below (2nd
 example) but other times it doesn't show report
 formatted. Any ideas on this one? 


If I understood you correctly..

In your samples, the first run gets 3.9 points, which is less than needed to 
classify the post as spam. The second run (after the learning) gets 5.2 points, 
which is more than needed to classify the post as spam.

Your configuration prints the formatted report only for spam. There is no point 
in delivering reports to users for email which is  not spam.

The limit for spam is 5.0 points (as the report says, 5.0 required), which is 
the default and a pretty good value.




 
 Here is an example of two spam report headers for the
 same message. 
 
 Before sa-learn:
 
 X-Spam-Status: No, score=3.982 tagged_above=- required=5
 tests=[ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841]
 X-Spam-Score: 3.982
 X-Spam-Level: ***
 
 After sa-learn:
 
 Content analysis details:   (5.2 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  2.1 SUB_HELLO              Subject starts with Hello
  0.8 UNDISC_RECIPS          Valid-looking To undisclosed-recipients
  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.]
  0.0 ADVANCE_FEE_1          Appears to be advance fee fraud (Nigerian 419)
 -1.2 AWL                    AWL: From: address is in the auto white-list
 
 Thanks,
 Randy Ramsdell


Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Randy Ramsdell

Jari Fredriksson wrote:

Hi,

One thing I do not understand regarding AWL and BAYES.
When a message is reported to me as spam and was not
marked as spam, I test it using debug before and after
sa-learn. Each time I do this, BAYES_99 does hit, but
they will also include AWL. 


1. Does anyone understand why this happens?
2. I also noticed that when using spamassassin -D on a
message, I sometimes see a nice report like below (2nd
example) but other times it doesn't show report
formatted. Any ideas on this one? 




If I understood you correctly..

In your samples, the first run gets 3.9 points, which is less than needed to 
classify the post as spam. The second run (after the learning) gets 5.2 points, 
which is more than needed to classify the post as spam.

  
No. What I wanted to know is why do messages that are passed through 
sa-learn include AWL as well as BAYES_99. Notice the message did not hit 
AWL initially, but did so after the sa-learn process. giving a message a 
AWL score of -1.2 and BAYES score of 3.5 compete with each other to mark 
this message as spam.

Your configuration prints the formatted report only for spam. There is no point 
in delivering reports to users for email which is  not spam.

  

Sweet thanks for this.


The limit for spam is 5.0 points (as the report says, 5.0 required), which is 
the default and a pretty good value.




  



Here is an example of two spam report headers for the
same message. 


Before sa-learn:

X-Spam-Status: No, score=3.982 tagged_above=- required=5
tests=[ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841]
X-Spam-Score: 3.982
X-Spam-Level: ***

After sa-learn:

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.1 SUB_HELLO              Subject starts with Hello
 0.8 UNDISC_RECIPS          Valid-looking To undisclosed-recipients
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 ADVANCE_FEE_1          Appears to be advance fee fraud (Nigerian 419)
-1.2 AWL                    AWL: From: address is in the auto white-list


Thanks,
Randy Ramsdell





Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Karsten Bräckelmann
On Thu, 2008-02-28 at 09:21 -0500, Randy Ramsdell wrote:
 Hi,
 
 One thing I do not understand regarding AWL and BAYES. When a message is 
 reported to me as spam and was not marked as spam, I test it using debug 
 before and after sa-learn. Each time I do this, BAYES_99 does hit, but 
 they will also include AWL.
 
 1. Does anyone understand why this happens?

AWL is a score averager. SA has seen that sender before.
  http://wiki.apache.org/spamassassin/AutoWhitelist

Run it through SA again, and you will see the AWL score getting closer
to 0, since the score without AWL is constant. The AWL score is
negative, because previous scores have been lower.

  guenther


-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Hostkarma List Compatibility

2008-02-28 Thread Marc Perkel
BTW, I appreciate it that you are interested enough in my 
black/white/yellow lists that you're writing code for it. If there's 
anything you would like me to do on my end to make it easier let me know.


Also, I don't know if you can do this in Postfix or Spam Assassin but my 
lists do more than just IP based lookups. It also has white lists and 
black lists based on the host name and it's extremely effective. In Exim 
it's very easy to do this but it would be nice to not limit it to just 
Exim. The idea is that you get the forward confirmed hostname and look 
that up in the HostKarma list. This works very well for me and if others 
started doing this too I'm sure that the spam filtering community would 
do it better than I am.




Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Randy Ramsdell

Karsten Bräckelmann wrote:

On Thu, 2008-02-28 at 09:21 -0500, Randy Ramsdell wrote:
  

Hi,

One thing I do not understand regarding AWL and BAYES. When a message is 
reported to me as spam and was not marked as spam, I test it using debug 
before and after sa-learn. Each time I do this, BAYES_99 does hit, but 
they will also include AWL.


1. Does anyone understand why this happens?



AWL is a score averager. SA has seen that sender before.
  http://wiki.apache.org/spamassassin/AutoWhitelist

Run it through SA again, and you will see the AWL score getting closer
to 0, since the score without AWL is constant. The AWL score is
negative, because previous scores have been lower.

  guenther


  
I understand that AWL is averaging what it has seen before and it must 
have seen the message as ham, but why would one have to sa-learn the 
message as spam multiple times. This also means that a system wide 
approach to improving our SPAM effectiveness requires me to parse the AWL 
score after sa-learning the message to determine if I need to run it 
again. This would be a monumental task and very resource intensive. 
Wouldn't a better approach be to set AWL to max positive if I manually 
learn the message as spam? Or is there a way to modify the DB to correct 
the previous AWL hits on this message?


Re: AWL scores high after receiving spam from myself?

2008-02-28 Thread Andreas Ntaflos
On Friday 22 February 2008 23:37:29 René Berber wrote:
  Should I post the contents of both local.cf and user_prefs? They don't
  contain anything special as far as I can see, but something definitely
  feels wrong with my configuration. Why else would the AWL test get such
  scores?

 AWL is probably not the culprit, as I said, it follows not leads.

Thank you for the reply and your time. 

It has been about a week now since I removed the problematic address 
([EMAIL PROTECTED]) from the whitelist database and started 
over. Initial tests have proved positive, no wrong AWL scores. The trust path 
is correct by the way, no ALL_TRUSTED tests fire nor do I observe any of the 
symptoms described on the wiki page.

But that was a week ago, and now I am back to the square one it seems. I just 
posted to the Dovecot mailing list and found that when retrieving the message 
from the remote mailserver (the one that hosts the problematic address) via 
getmail the AWL test got a score of over 9.5. 

Looking through my Received Spam folder I see lots of spams which seem to have 
come from me, i.e. From: [EMAIL PROTECTED]. 

Now as far as I understand AWL looks at both the sender address 
([EMAIL PROTECTED]) and the IP the mail came from, right? 

So it would seem that Spamassassin on my server looks at the sender address 
([EMAIL PROTECTED]) and the IP address of the server the 
(possible) spam comes from. In my case the only IP address that could be 
looked at is the IP address of the remote mailserver, i.e. that of 
my_mail_provider.org (85.214.xx.yy). This is clearly not the desired 
behaviour.

That would explain why the AWL score would become ever higher with every spam 
(that has my address in the From: field) received on the remote mailserver 
and then retrieved by me on my local mailserver. The mail address/IP address 
pair would always be the same, no matter where the original spam originated 
from.

I hope I could make clear what I am thinking. Am I thinking correctly? Is this 
what is happening? If so, how do I solve this problem? 

I really can't be having all legitimate mail sent to mailing lists by me end 
up in the Spam folder just because some spammers put my address in the From: 
field.

I'd really appreciate any further insight on this.

Andreas
-- 
Andreas daff Ntaflos
Vienna, Austria

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC  7E65 397C E2A8 090C A9B4




Using Name Based Hostkarma lookups in Spam Assassin

2008-02-28 Thread Marc Perkel
Here's something I'm doing that works really well and could be 
implemented in SA. And once it is done using my HostKarma list I'm 
hoping that this will be so successful that someone else will make an 
even better list than mine.


This trick is most effective for whitelisting but can be used for 
blacklisting and what I call yellow listing. It's not an IP based lookup 
but rather a host name based lookup using Forward confirmed RDNS.


Forward confirmed RDNS can't be spoofed. You look up the rDNS to get the 
host name. You then look up the host name to verify it points back to 
the same IP. If it does it's forward confirmed.


Then you look up the host name in the hostkarma list.

dig dxv05.wellsfargo.com.hostkarma.junkemailfilter.com

This returns 127.0.0.1 indicating the name is whitelisted. At that point 
I need not do any more tests. The message is ham.


The reason for adding this to SA is that if the data in the DNS is 
correct it is 100% accurate for matches. This not only eliminates false 
positives but reduces system load by skipping all other tests. And it is 
especially good for whitelisting because servers that send nothing but 
good email are stable and they don't change IP addresses and avoid 
detection like spammers do.


It also works very well on blacklists and what I call yellow lists. 
Names like yahoo.com and hotmail.com are yellow listed which means that 
they are a mixed spam source and that the sending IP address has no 
information as to if it is spam or not. A yellow listed host name or IP 
address skips all other IP based tests and goes on to content testing. 
This eliminates these servers from accidentally being either white or 
black listed.


Another thing I do is if the host name is whitelisted then after the 
lookup I whitelist the IP address automatically so that IP based lookups 
see that same information. So when a wells fargo bank server sends me an 
email, I detect it is white from the hostname. But after I do that the 
IP address is added to the white list so that other people reading my 
white list will see the IP and allow it on their servers. This is why my 
IP based white lists are so accurate.


So - getting to the point. I'm doing this and it works. I'm trying to 
get others excited about this because I know that you will do it better 
than me. So I want the smart people here to think this through and 
improve it.




--
Marc Perkel - Sales/Support
[EMAIL PROTECTED]
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3401
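
Added example (not part of the post above and not SpamAssassin or HostKarma code): a Python sketch of the forward-confirmed rDNS check followed by the name-based list lookup the post describes. The IP addresses and DNS records are constructed, the class and function names are hypothetical, and the meanings of 127.0.0.2 (black) and 127.0.0.3 (yellow) are assumed; only 127.0.0.1 (white) is stated in the post.

```python
"""Forward-confirmed rDNS check, then a name-based HostKarma lookup (IPv4)."""
import socket

ZONE = "hostkarma.junkemailfilter.com"
# 127.0.0.1 = white is from the post; the other two codes are assumptions.
CODES = {"127.0.0.1": "white", "127.0.0.2": "black", "127.0.0.3": "yellow"}


class SystemResolver:
    """Live lookups through the system resolver."""

    def ptr(self, ip):
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
        except OSError:
            return []
        return [name] + aliases

    def a(self, name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []


class StaticResolver:
    """Offline resolver over constructed records, used for the demo below."""

    def __init__(self, ptr_records, a_records):
        self._ptr, self._a = ptr_records, a_records

    def ptr(self, ip):
        return self._ptr.get(ip, [])

    def a(self, name):
        return self._a.get(name, [])


def fcrdns(ip, resolver):
    """Return the first PTR name whose A records contain ip, else None."""
    for name in resolver.ptr(ip):
        host = name.rstrip(".").lower()
        if ip in resolver.a(host):
            return host
    return None


def classify(ip, resolver):
    """Return (verdict, confirmed_host) for a connecting IP."""
    host = fcrdns(ip, resolver)
    if host is None:
        # The PTR is missing or does not resolve back to this IP: the name
        # is only a claim, so it must not be looked up in the list.
        return ("unconfirmed", None)
    for answer in resolver.a(f"{host}.{ZONE}"):
        if answer in CODES:
            return (CODES[answer], host)
    return ("unlisted", host)


# Constructed records. 198.51.100.7 has a PTR that claims the bank's host
# name, but that name's A record does not point back to it.
DEMO = StaticResolver(
    ptr_records={
        "192.0.2.25": ["dxv05.wellsfargo.com."],
        "198.51.100.7": ["dxv05.wellsfargo.com."],
        "203.0.113.9": ["mta9.mail.example.net"],
        "203.0.113.50": ["host50.example.org"],
    },
    a_records={
        "dxv05.wellsfargo.com": ["192.0.2.25"],
        "dxv05.wellsfargo.com." + ZONE: ["127.0.0.1"],
        "mta9.mail.example.net": ["203.0.113.9"],
        "mta9.mail.example.net." + ZONE: ["127.0.0.3"],
        "host50.example.org": ["203.0.113.50"],
    },
)


def demo():
    ips = ["192.0.2.25", "198.51.100.7", "203.0.113.9",
           "203.0.113.50", "192.0.2.200"]
    return {ip: classify(ip, DEMO) for ip in ips}


if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, result)
```

Pass SystemResolver() instead of DEMO to run the same check against live DNS.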



Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Karsten Bräckelmann
On Thu, 2008-02-28 at 10:28 -0500, Randy Ramsdell wrote:
 Karsten Bräckelmann wrote:

  AWL is a score averager. SA has seen that sender before.
http://wiki.apache.org/spamassassin/AutoWhitelist
 
  Run it through SA again, and you will see the AWL score getting closer
  to 0, since the score without AWL is constant. The AWL score is
  negative, because previous scores have been lower.
 
 I understand that  AWL is averaging what it has seen before and it must 
 have seen the message as ham, 

No. :)  AWL does not know the concept of spam or ham, it does not know
about your required_score spam threshold. It merely knows about the
previous scores.

 but why would one have to sa-learn the message as spam multiple times.

You do NOT have to, and I didn't say so. :)  AWL keeps track of all
*seen* messages, as opposed to learned ones. Given the initial score of
the message, it has not been learned automatically.

To observe the AWL score it is sufficient, as I said, to run the message
through spamassassin -- this does not require sa-learn. Note that my
comment regarding this was intended to demonstrate AWL, so you can see
for yourself. I did not mean to imply you have to do it regularly. Just
this one time, so you can see how AWL behaves...


Also please note, that AWL in fact keeps track of a pair of sender and
IP address (space). IMHO, this kind of explains the confusing naming,
namely the whitelist part. It is most useful for legit senders -- if
they send a single spammy message once, AWL is there for rescue and
lower the score drastically.

The general spam on the other hand is really unlikely to ever be sent a
second time From: the same forged sender address and the same originating
network. Odds are, this particular AWL entry will never ever be
used again with new incoming spam.


 This also means that a system wide 
 approach to improving our SPAM effectiveness requires me to parse the AWL 
 score after sa-learning the message to determine if I need to run it 
 again. This would be a monumental task and very resource intensive. 

No. See above. Also please note, that Bayes (which you train using
sa-learn) and AWL are entirely unrelated. (Bayes is a token-based
mechanism, about words in the message, and does not know about the
concept of email addresses, let alone sender.)


 Wouldn't a better approach be to set AWL to max positive  if I manually 
 learn the message as spam? Or is there a way to modify the DB to correct 
 the previous AWL hits on this message?

Again, see above. If you never will get spam forged to come from that
sender, it won't make a difference. Also, again, Bayes and AWL are
unrelated.

Besides, the A stands for Automatic. No need to correct anything. ;)

If you ever need to clear an AWL score (usually, because the learned
average for a *legit* sender is too high), if at all, you can do so
using 'spambuttbuttin'. Not sa-learn. See 'man spambuttbuttin-run'. [1]

  guenther


[1] See another recent post by Justin. ;-)

-- 
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
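
Added example (not part of any post in this thread and not SpamAssassin's own code): a simplified Python model of the AWL behaviour described above, replayed with the scores from the report earlier in this thread and with the forged-From case from the "AWL scores high after receiving spam from myself?" thread. Assumptions: the adjustment is (mean of earlier scores - current score) * 0.5, entries are keyed on the From: address plus the first two octets of the relay IP, and all addresses, IPs and the spam scores in the second scenario are constructed.

```python
"""Simplified model of SpamAssassin's auto-whitelist (AWL) score averaging."""


class AwlModel:
    def __init__(self, factor=0.5):          # 0.5 is an assumed factor
        self.factor = factor
        self.entries = {}                     # key -> [count, total]

    @staticmethod
    def key(address, ip):
        # Assumed key: sender address plus the /16 of the relay IP.
        return (address.lower(), ".".join(ip.split(".")[:2]))

    def check(self, address, ip, score):
        """Return the AWL adjustment, then record the pre-AWL score."""
        entry = self.entries.setdefault(self.key(address, ip), [0, 0.0])
        count, total = entry
        delta = 0.0
        if count:
            delta = (total / count - score) * self.factor
        entry[0], entry[1] = count + 1, total + score
        return delta

    def forget(self, address, ip):
        """Drop the entry, as removing an address from the AWL would."""
        self.entries.pop(self.key(address, ip), None)


# Scores from the report in this thread.
FIRST_SCAN = 3.982                            # BAYES_60 run, before sa-learn
RESCAN_SCORE = 2.141 + 0.841 + 3.5 + 0.0      # rules after sa-learn (BAYES_99)


def rescan_deltas(times=3):
    """Scan once at 3.982, then rescan the same message several times."""
    awl = AwlModel()
    sender, relay = "sender@example.com", "192.0.2.10"   # constructed
    awl.check(sender, relay, FIRST_SCAN)
    return [awl.check(sender, relay, RESCAN_SCORE) for _ in range(times)]


def forged_sender_case():
    """Spam forged From: your own address, all seen via one provider relay."""
    awl = AwlModel()
    me, provider_relay = "me@example.org", "192.0.2.10"  # constructed
    for spam_score in (18.0, 22.0, 20.0):                # constructed scores
        awl.check(me, provider_relay, spam_score)
    result = {}
    # A legitimate list post from the same address, fetched via the same
    # relay, inherits the spam average: half the gap is added to its score.
    result["same_relay"] = awl.check(me, provider_relay, 0.5)
    # The same address seen from another network has its own, empty entry.
    result["other_network"] = awl.check(me, "198.51.100.20", 0.5)
    # Clearing the entry resets the history for that pair.
    awl.forget(me, provider_relay)
    result["after_removal"] = awl.check(me, provider_relay, 0.5)
    return result


if __name__ == "__main__":
    for n, delta in enumerate(rescan_deltas(), 1):
        print(f"rescan {n}: AWL {delta:+.3f}, total {RESCAN_SCORE + delta:.3f}")
    print(forged_sender_case())
```

The first rescan gives an adjustment of about -1.25 and a total of about 5.2, in line with the report quoted in this thread, and each further rescan moves the adjustment closer to 0.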



Re: Reduce the spam score

2008-02-28 Thread Asif Iqbal
On Wed, Feb 27, 2008 at 6:21 PM, Daryl C. W. O'Shea
[EMAIL PROTECTED] wrote:
 On 27/02/2008 6:18 PM, Asif Iqbal wrote:
   What is short of putting the sender email to white list to reduce the
   score of this email. It is a valid email. Here is the report

  As presented to SpamAssassin, it was not a valid email.  It had no headers.

Here is the actual email

Return-Path: [EMAIL PROTECTED]
Received: (qmail 5199 invoked by uid 7801); 27 Feb 2008 20:59:37 -
Received: from NO?REVERSE?DNS (HELO corde.phxse.local) ([65.121.94.77])
(envelope-sender [EMAIL PROTECTED])
  by qmail.home.net (qmail-ldap-1.03) with SMTP
  for [EMAIL PROTECTED]; 27 Feb 2008 20:59:20 -
Received: from corde.phxse.local (127.0.0.1) by corde.phxse.local
(MlfMTA v3.2r9) id hon7la0171st for [EMAIL PROTECTED]; Wed, 27 Feb
2008 14:00:00 -0700 (envelope-from [EMAIL PROTECTED])
Received: from tikkes.phxse.local ([10.1.1.106])
by corde.phxse.local (SonicWALL 6.0.1.9157)
with ESMTP; Wed, 27 Feb 2008 14:00:00 -0700
Received: from jira.phxse.local ([10.1.2.6]) by tikkes.phxse.local with
Microsoft SMTPSVC(6.0.3790.1830);
 Wed, 27 Feb 2008 13:59:59 -0700
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/related;
type=multipart/alternative;
boundary=_=_NextPart_001_01C87983.B69E776F
Subject: I need an A Record
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Date: Wed, 27 Feb 2008 13:59:59 -0700
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: I need an A Record
Thread-Index: Ach5g7BQY505vI3KRMel990kVHr6lA==
From: Bolt, Bill [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 27 Feb 2008 20:59:59.0396 (UTC)
FILETIME=[B6C2DE40:01C87983]
X-Mlf-Version: 6.0.1.9157
X-Mlf-UniqueId: o20080227210007333

This is a multi-part message in MIME format.

--_=_NextPart_001_01C87983.B69E776F
Content-Type: multipart/alternative;
boundary=_=_NextPart_002_01C87983.B69E776F


--_=_NextPart_002_01C87983.B69E776F
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable

I deed an A record for domain and sub domain  OWA.slpit.com. I control
the domain SLPIT.Com  which is registered at Network Solutions. If I
need to add you as  technical contact let me know. The address that we
want to point this at is 65.121.94.82. This is a link to our Web
Exchange on an ISA Server.  I can be reached at the contact below.=20

=20

 =20

=20



Malformed UTF-8 character errors

2008-02-28 Thread Bowie Bailey
While investigating why a couple of emails took over 500 seconds to
scan, I found a bunch of these errors in the log file:

spamd[7586]: Malformed UTF-8 character (unexpected continuation byte 0x8e,
with no preceding start byte) in pattern match (m//) at
/var/lib/spamassassin/3.002004/70_sare_specific_cf_sare_sa-update_dostech_ne
t/200605280300.cf, rule SARE_SPEC_REPL_OBFU1, line 1.

(3,752 of them to be exact)

They are being reported for these rules:
SARE_SPEC_REPL_OBFU1
SARE_SPEC_REPL_OBFU2
SARE_SPEC_REPL_OBFU4
SARE_SPEC_REPL_OBFU5
SARE_SPEC_REPL_OBFU6

A bit of Googling for the error message indicates that this is a problem
with UTF-8 in Perl.  Is there still a problem with this ruleset?  I
tried to go to rulesemporium.com to make sure I have the most recent
version of the file (5/28/2006?), but the site seems to be
non-responsive at the moment.

$ spamassassin -V
SpamAssassin version 3.2.4
  running on Perl version 5.8.5

--
Bowie


RE: How to properly teach SA to recognise the spam that is still getting through, despite the rules updates

2008-02-28 Thread Bowie Bailey
Olaf Greve wrote:
 Hi,
 
 Firstly: I'm new to this list and also pretty new to SA in general. I
 did try to find the answers to my questions in the FAQ, but haven't
 succeeded beyond all doubt at doing so. I do hope, however, that I'm
 not flogging a dead horse with my below questions (which appear at
 the end of the message)...:P
 
 Secondly, I'd like to say that SA is a *great* tool, and that
 Internet-life is much better with it, than it used to be without
 it! :P  
 
 The situation:
 I run a FreeBSD 5.4-release AMD-64 based server, on which I have
 installed SA (identified by pkg_info as:
 p5-Mail-SpamAssassin-3.2.4_2) through Amavisd-new (precise version,
 according to pkg_info: amavisd-new-2.5.2,1), which is being invoked
 after mail arrives on the RX side of Sendmail. The RX daemon is split
 in two, and tunnels the mail locally through amavisd-new (using clamd
 and SA), and all mail that passes the tests gets delivered, and the
 rest goes directly to the quarantine.   
 
 The problem:
 The above set-up was working fine (using SA 3.2.3) for several
 months, and virtually no spam got through. However, all of a sudden
 since some two weeks I'm getting about 100 spam mails per day again,
 and these seem to include spam mails that I have previously seen
 being filtered out... Still, by far most of the spam does get
 filtered out, but for some reason (perhaps spammers finding ways
 around SA?) more and more spam is getting through again.  
 
 My approach so far:
 Figuring SA or the rules to be outdated (despite the twice-weekly
 call to sa-update from cron), I first updated SA to 3.2.4. (and
 performed an sa-update too), but to no real avail: the same amount of
 spam seemed to be getting through. I then checked into additional
 channels, and soon came across the SARE (based) ones. I decided to
 add the saupdates.openprotect.com channel, but still the same amount
 of spam seems to get through.  
 
 The way I perform my updates are as follows:
 
 Cron call:
 23 3 * * 2,5 /usr/local/bin/sa-update --allowplugins --gpgkeyfile
 /root/sa_pgp_keys --channelfile /root/sa_channels &&
 /usr/local/etc/rc.d/sa-spamd.sh restart > /dev/null  
 
 (yes, I realise spamd is not actually used by amavisd-new, but I
 decided to have it running anyway) 
 
 My /root/sa_channels file contains the following:
 saupdates.openprotect.com
 updates.spamassassin.org
 
 Now, my questions are:
 1-Am I doing anything wrong, or am I grossly overlooking something?
 2-I've never tried to teach SA about which messages are spam and
 which are ham. From what I gather from the website, I need to set-up
 a mailbox with solely spam and feed that to sa-learn, and then do the
 same for a mailbox containing solely ham. However, how can I best go
 about this? Once spam is misidentified, it gets mixed in the live
 mailboxes with ham, so I wouldn't want to classify all of it as
 either ham or spam... Then, I did keep the spam messages from the
 last few days. Can I perhaps (manually) forward those to a local
 mailbox, and then run sa-learn on that mailbox, getting it
 successfully identified as spam, or will that not work due to the new
 mail headers added by the forward action from my mail client? 3-Are
 there perhaps other good (preferrably automatic ways) to tell SA
 about what is spam, and what isn't? 4-Are there perhaps other very
 efficient rules channels that you can recommend me to add (like using
 the full set of SARE rules, rather than the openprotect subset of
 it)? 5-Just a theory, but is it perhaps possible that SA somehow
 misidentified a spam message as being ham, and that all messages that
 are similar to that particular spam message are now being
 misidentified as ham, hence all getting through?   
 
 Any and all feedback will be greatly appreciated, and I would like to
 thank you all for taking the time to read this e-mail and address the
 questions raised in it.  
 
 With kind regards,
 Olaf Greve

Lots of questions here.  I don't see you doing anything wrong, so the
place to start would be with a sample spam so that we can see what you
are getting and what rules are (and are not) hitting on it.

-- 
Bowie


Re: How to properly teach SA to recognise the spam that is still getting through, despite the rules updates

2008-02-28 Thread Jari Fredriksson
 Olaf Greve wrote:
 The way I perform my updates are as follows:
 
 Cron call:
 23 3 * * 2,5 /usr/local/bin/sa-update --allowplugins
 --gpgkeyfile /root/sa_pgp_keys --channelfile
 /root/sa_channels && /usr/local/etc/rc.d/sa-spamd.sh
 restart > /dev/null 
 
 (yes, I realise spamd is not actually used by
 amavisd-new, but I decided to have it running anyway)
 
 
 Lots of questions here.  I don't see you doing anything
 wrong, so the place to start would be with a sample spam
 so that we can see what you are getting and what rules
 are (and are not) hitting on it. 

What is an error, is that amavis-new does not get restarted after sa-update. 
While the unnecessary spamd gets restarted, the actual daemon running the SA is 
not..

Hardly not the cause for the spam passing thru, but who knows.




RE: How to properly teach SA to recognise the spam that is still getting through, despite the rules updates

2008-02-28 Thread Bowie Bailey
Jari Fredriksson wrote:
  Olaf Greve wrote:
   The way I perform my updates are as follows:
   
   Cron call:
   23 3 * * 2,5 /usr/local/bin/sa-update --allowplugins
   --gpgkeyfile /root/sa_pgp_keys --channelfile
   /root/sa_channels && /usr/local/etc/rc.d/sa-spamd.sh restart >
   /dev/null 
   
   (yes, I realise spamd is not actually used by
   amavisd-new, but I decided to have it running anyway)
   
  
  Lots of questions here.  I don't see you doing anything
  wrong, so the place to start would be with a sample spam
  so that we can see what you are getting and what rules
  are (and are not) hitting on it.
 
 What is an error, is that amavis-new does not get restarted after
 sa-update. While the unnecessary spamd gets restarted, the actual
 daemon running the SA is not..  
 
 Hardly not the cause for the spam passing thru, but who knows.

Good catch, I didn't notice that one.  The command to restart spamd
should be replaced with the command to restart amavisd-new.

-- 
Bowie


Re: Vista Obfuscation

2008-02-28 Thread Paul Douglas Franklin

body WNG_OBFUVISTA /\Wista\b/i
would be my suggestion--I wouldn't worry too much about the exact
non-word character(s).  The baddies might next do \ /ista, and then a
precise rule for \/ista wouldn't catch it.
--Paul

Samuel Krieg wrote:

Hi there,

I'm trying to create a rule to identify \/ista (with backslash + 
slash).


This does not seem to work:

body WNG_OBFUVISTA /\b\\\/ista\b/i
score WNG_OBFUVISTA 1


Any idea?
Thanks.



--
Paul Douglas Franklin
Computer Manager, Union Gospel Mission of Yakima, Washington
Husband of Danette
Father of Laurene, Miriam, Tycko, Timothy, Sarabeth, Marie, Dawnita, 
Anna Leah, Alexander, and Caleb





Re: Vista Obfuscation

2008-02-28 Thread Samuel Krieg

Karsten Bräckelmann wrote:


If you want to enforce a non-word char preceding this, the \W is fine.

However, the alternate anchor at the beginning of the string probably
will be rather useless. From the fine docs [1], body rule definitions:
  All HTML tags and line breaks will be removed before matching.


Actually I think (in that case) I don't need any of these \b or \W.
The string I want to catch is pretty spam-explicit (spamplicit?).

So I remove everything before the three backslashes and everything is fine.


I guess it pretty much depends on what you actually want to catch. You
do have a spample to run your rule against, right? Also, do you really
mean to match against the body (all textual parts), or do you mean to
trigger on the Subject only (which is part of a body rule, FWIW)?


Both; subject is worth.


  guenther


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html



Thanks for your help and advice.

Sam
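
Added example (not part of either post in this thread): the three patterns discussed here, run over constructed sample strings to show why the rule as first posted does not fire and what each alternative catches. Python's re module stands in for Perl; \b, \W and the escaped characters behave the same way in both for these ASCII inputs. The dictionary keys and sample strings are made up for the illustration.

```python
import re

RULES = {
    # The rule as first posted: \b in front of the backslash.
    "posted": re.compile(r"\b\\\/ista\b", re.I),
    # Same rule with everything before the backslash removed.
    "no_leading_anchor": re.compile(r"\\\/ista\b", re.I),
    # The broader suggestion: any non-word character before "ista".
    "any_nonword": re.compile(r"\Wista\b", re.I),
}

# Constructed samples.
SAMPLES = [
    r"Get \/ista today",     # obfuscation after a space
    r"\/ista for sale",      # obfuscation at the start of the text
    r"cheap\/ista",          # obfuscation glued to a preceding word
    r"Get \ /ista today",    # the variation with a space inserted
    "Windows Vista",         # ordinary spelling
]


def hits(text):
    """Names of the rules that match text, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def matrix():
    return {text: hits(text) for text in SAMPLES}


if __name__ == "__main__":
    # \b only matches between a word character and a non-word character.
    # A space (or the start of the text) followed by a backslash is
    # non-word on both sides, so the posted rule needs a letter or digit
    # directly in front of the backslash before it can match.
    for text, names in matrix().items():
        print(f"{text!r:24} -> {names}")
```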


Re: 'Malformed UTF-8 character' errors

2008-02-28 Thread Benny Pedersen

 running on Perl version 5.8.5

upgrade, and let us know problem later

if i remember unicode was a problem before 5.8.8




Re: RCVD_IN_PBL and webmail

2008-02-28 Thread Daryl C. W. O'Shea
On 28/02/2008 7:48 AM, R.Smits wrote:
 Hello,
 
 We have a problem that is very annoying. Let me explain it.
 
 Our organisation is using spamassassin with the check for RCVD_IN_PBL.
 Now if one of our users is using webmail (exchange) and sends an email
 outside the organisation, it gets points for this. (If their provider is
 on the PBL)
 
 Internally we don't check spam :
 amavisd.conf
 
 $policy_bank{'MYNETS'} = {
  bypass_spam_checks_maps = [[qw( .domain.nl .domain.net )]],
  final_spam_destiny = D_BOUNCE,
  virus_admin_maps = ['[EMAIL PROTECTED]'],
 };
 
 
 But as you can see, it gets bounced if it gets too many points.
 
 How can we prevent this ?
 The first IP number from the user is in the header of the mail.

Either don't scan mail from OWA or configure SA to trust your OWA box
(provided that the Exchange server doesn't directly accept any mail from
the outside world).

Daryl



China TLD links

2008-02-28 Thread JP Kelly

any takers on this?


On Feb 27, 2008, at 2:31 PM, Chip M. wrote:


The main thing that stands out (to me) is the China TLD in the URL.
We block all those on sight (unless they're in the recipient's domain skip
list - so far, none of my users have any China TLDs in theirs).

Perhaps one of the regex gurus will whip you up a rule. :)




Re: Bayes R/W lock failed

2008-02-28 Thread fchan

Hi,
Check your spamassassin bayes directory, in your case it's 
/home/spamassassin/.spamassassin/, for the bayes.lock.* files. I have seen 
this; you need to temporarily stop spamd, then remove the bayes.lock.* 
files there. Then start spamd and it should clear this up.
I think the reason for this is that if you stop spamd and there is a 
bayes.lock.* there, and there shouldn't be when it is stopped, then when you 
start up and spamd needs to create a bayes.lock.* it gets confused 
because there is another one existing and complains to you in the 
log.


I hope this helps.
Frank


Debian - SA 3.2.4

In my log I found a lot of messages like this:

Feb 28 05:42:32 server spamd[9351]: bayes: cannot open bayes
databases /home/spamassassin/.spamassassin/bayes_* R/W: lock failed:
File exists

How can I solve this problem?

local.cf
rewrite_header Subject *SPAM*
report_safe 0
required_score 4

use_bayes 1
bayes_auto_learn 1
bayes_auto_expire 0
bayes_learn_to_journal 1
bayes_journal_max_size 0

Could (lock failed) be the cause of:
X-Spam-Status: No, hits=? required=?

--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
It's easier to invent the future than to predict it.  -- Alan Kay




How many use CRM114?

2008-02-28 Thread Blaine Fleming
Slightly off-topic, but I'm curious, how many of you are using CRM114?  
How well does it work for you?  Was it difficult to train?  I've been 
looking at it and haven't found much except the official plugin guide 
and a single page saying that it works better than other learning 
methods.  Any info would be appreciated.


Thanks,
Blaine


Segfaulting spamassassin

2008-02-28 Thread Micah

My spamd is segfaulting when I start it up. I tried to strace the
process and all I could see was that it was opening this file and then
doing some memory mappings and then segfaulting:

open(/var/lib/spamassassin/compiled/3.002003/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so,O_RDONLY)
 = 8

Since this is a compiled rule...  I tried to remove everything under
/var/lib/spamassassin/compiled and then re-run sa-compile (after doing a 
sa-update), which succeeded fine, but
as soon as I started up spamassassin it still segfaults.

So I turned off rule compilation now and it starts fine, but I'm wondering what 
I can do to fix this.

I'm running 3.2.3 from volatile, and am running these channels:

sa-update --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel 
saupdates.openprotect.com --channel updates.spamassassin.org 

Thanks for any ideas,
Micah




Re: How to properly teach SA to recognise the spam that is still getting through, despite the rules updates

2008-02-28 Thread Olaf Greve

Hi guys,

Thanks for the answers!
I feel really stupid now for not having realised this; I was under the  
impression that amavisd-new wouldn't need a restart, but sure enough  
check the following lines from the amavis.log file after restarting  
the daemon manually:


Feb 28 21:15:32 servername /usr/local/sbin/amavisd[52560]: INFO: SA  
version: 3.2.4, 3.002004, no optional modules: Sys::Hostname::Long  
Mail::SpamAssassin::Plugin::DKIM Razor2::Client::Agent  
IP::Country::Fast Mail::DKIM Mail::DKIM::Verifier Image::Info  
Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF  
Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech  
Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All  
Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6  
Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod  
Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect  
Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record  
Mail::SPF::v2::Record NetAddr::IP NetAddr::IP::Util  
auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d  
Mail::SPF::Query Crypt::OpenSSL::RSA  
auto::Crypt::OpenSSL::RSA::new_public_key  
auto::Crypt::OpenSSL::RSA::new_key_from_parameters  
auto::Crypt::OpenSSL::RSA::get_key_parameters  
auto::Crypt::OpenSSL::RSA::import_random_seed Digest::SHA Error
Feb 28 21:15:32 servername /usr/local/sbin/amavisd[52560]:  
SpamControl: init_pre_chroot done


Indeed SA is loaded at amavisd-new restart time, and at least I am now  
certain that indeed v3.2.4 is used!


Also, when looking a little bit further at some of the traces  
regarding killed spam, one sees entries like:


Feb 28 21:27:01 servername /usr/local/sbin/amavisd[52749]:  
(52749-16) SPAM, [EMAIL PROTECTED] - [EMAIL PROTECTED] 
, Yes, score=29.434 tag=2 tag2=3 kill=4.5 tests=[BAYES_99=3.5,  
FORGED_MUA_OUTLOOK=3.116, FS_REPLICA=1.041, FS_REPLICAWATCH=2.502,  
INVALID_MSGID=1.9, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905,  
RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1, REPLICA_WATCH=3.396,  
SARE_SPEC_REPLICA_OBFU=1.812, SARE_SPEC_ROLEX=1.666,  
SARE_SPEC_ROLEX_NOV5A=1.062, SARE_SPEC_ROLEX_REP=1.666,  
STOX_REPLY_TYPE=0.001, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501,  
URIBL_SC_SURBL=0.474], autolearn=spam, quarantine 7FeBwDzNY-LD (spam- 
quarantine)
Feb 28 21:27:01 servername /usr/local/sbin/amavisd[52749]:  
(52749-16) Blocked SPAM, [81.202.20.71] [EMAIL PROTECTED] 
 - [EMAIL PROTECTED], quarantine: spam-7FeBwDzNY-LD.gz,  
Message-ID: [EMAIL PROTECTED], mail_id:  
7FeBwDzNY-LD, Hits: 29.434, size: 1188, Subject: Christmas Replica  
Watches, From:  
Rupert_Langley_[EMAIL PROTECTED], X-Mailer:  
Microsoft_Outlook_Express_6.00.2800.1106, Tests:  
[BAYES_99=3.5,FORGED_MUA_OUTLOOK=3.116,FS_REPLICA=1.041,
FS_REPLICAWATCH=2.502,INVALID_MSGID=1.9,RCVD_IN_BL_SPAMCOP_NET=1.96,
RCVD_IN_PBL=0.905,RCVD_IN_SORBS_DUL=0.877,RDNS_DYNAMIC=0.1,
REPLICA_WATCH=3.396,SARE_SPEC_REPLICA_OBFU=1.812,SARE_SPEC_ROLEX=1.666,
SARE_SPEC_ROLEX_NOV5A=1.062,SARE_SPEC_ROLEX_REP=1.666,
STOX_REPLY_TYPE=0.001,URIBL_BLACK=1.955,URIBL_JP_SURBL=1.501,
URIBL_SC_SURBL=0.474], autolearn=spam, 1492 ms


Clearly I now see SARE rules, which I don't think were present before,  
so it looks like the SARE channel is being picked up just fine too now!

Same for the autolearn feature, which seems to get set properly too.

Thanks guys, I'm a happy camper again, and I hope (and trust) that
this should indeed alleviate the problem (I'll make the change to the
crontab now).


Cheers!
Olafo


Re: China TLD links

2008-02-28 Thread Jeff Stadig
Don't know if this will help but we use the list on this site to block 
malicious Chinese and Korean ip addresses and network blocks via iptables - 
http://www.okean.com/

 JP Kelly [EMAIL PROTECTED] 2/28/2008 12:36:12 PM 
any takers on this?


On Feb 27, 2008, at 2:31 PM, Chip M. wrote:

 The main thing that stands out (to me) is the China TLD in the URL.
 We block all those on sight (unless they're in the recipient's domain
 skip list - so far, none of my users have any China TLDs in theirs).

 Perhaps one of the regex gurus will whip you up a rule. :)




sa-update errors

2008-02-28 Thread raulbe

Hi all, new to the forum.
Question: I recently tried to do an sa-update on a server that we collocate,
which means I did not install SpamAssassin. When I did the update I got
the following error below.
Could this mean that SpamAssassin was installed incorrectly? And what can
I do to correct the problem?

Thanks in advance:

[EMAIL PROTECTED] spamassassin]# sa-update
plugin: failed to parse plugin (from @INC): Bareword
Mail::SpamAssassin::Constants::CHARSETS_LIKELY_TO_FP_AS_CAPS not allowed
while strict subs in use at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/HeaderEval.pm line
967.
Compilation failed in require at (eval 87) line 1.

plugin: failed to create instance of plugin
Mail::SpamAssassin::Plugin::HeaderEval: Can't locate object method new via
package Mail::SpamAssassin::Plugin::HeaderEval at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/HeaderEval.pm line
39.

plugin: failed to parse plugin (from @INC): CHARSETS_LIKELY_TO_FP_AS_CAPS
is not exported by the Mail::SpamAssassin::Constants module
Can't continue after import errors at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/MIMEEval.pm line 22
BEGIN failed--compilation aborted at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/MIMEEval.pm line 22.
Compilation failed in require at (eval 89) line 1.

plugin: failed to create instance of plugin
Mail::SpamAssassin::Plugin::MIMEEval: Can't locate object method new via
package Mail::SpamAssassin::Plugin::MIMEEval at (eval 90) line 1.

Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Number found where operator expected at (eval 101) line 10, near }

1
(Missing operator before

1?)
rules: failed to run header tests, skipping some: syntax error at (eval 101)
line 6, at EOF
Global symbol $plugin requires explicit package name at (eval 101) line 7.
syntax error at (eval 101) line 11, near ;
}

Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Number found where operator expected at (eval 102) line 10, near }

1
(Missing operator before

1?)
rules: failed to run header tests, skipping some: syntax error at (eval 102)
line 6, at EOF
Global symbol $plugin requires explicit package name at (eval 102) line 7.
syntax error at (eval 102) line 11, near ;
}

Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Number found where operator expected at (eval 103) line 10, near }

1
(Missing operator before

1?)
rules: failed to run header tests, skipping some: syntax error at (eval 103)
line 6, at EOF
Global symbol $plugin requires explicit package name at (eval 103) line 7.
syntax error at (eval 103) line 11, near ;
}

Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Number found where operator expected at (eval 104) line 10, near }

1
(Missing operator before

1?)
rules: failed to run header tests, skipping some: syntax error at (eval 104)
line 6, at EOF
Global symbol $plugin requires explicit package name at (eval 104) line 7.
syntax error at (eval 104) line 11, near ;
}

Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Use of uninitialized value in concatenation (.) or string at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line
2669.
Number found where operator expected at (eval 105) line 

Re: [OT] Yahoo Deferred

2008-02-28 Thread Mike Jackson

I have heavy issues with HOTMAIL since they reject ANY legitimate messages
as SPAM without any reason.  All of my 50 Servers are worldwide and in
different subnets.  It is nearly impossible that all 50 Servers have
spammed HOTMAIL, since my servers accept only authenticated SMTP from
clients.


Not nearly impossible. I work daily with people who run servers 
exactly like that, yet spam of all sorts is spewing from their mail 
queues. Most of the ones I see are SMTP accounts with weak passwords. 
The spammers authenticate as the users and bam, the server is a spam source.


With Hotmail, make sure that you have a reverse DNS record for your 
server's sending IP, that the A record for that name resolves to the 
same IP, and that your SMTP banner greeting lists the same name. Also, 
if you use SPF records, do not use the PTR option - they reject mail 
from domains that contain that option.
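
The four points in the post above (reverse DNS exists, the PTR name resolves back to the sending IP, the SMTP banner announces that same name, and the SPF record has no ptr mechanism) can be checked mechanically. The sketch below is an added example, not part of the original thread; the lookup results are passed in by the caller, and the addresses, hostnames and SPF records are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass
class SenderFacts:
    """Lookup results for one sending IP, collected by the operator beforehand."""
    ip: str            # the server's sending IP
    ptr_names: list    # names from the reverse (PTR) lookup of ip
    a_records: dict    # hostname -> list of IPs from forward (A) lookups
    banner: str        # first line of the SMTP greeting
    spf_txt: str = ""  # the sending domain's SPF TXT record, if any


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def banner_hostname(banner):
    """Hostname announced in a '220 name ...' or '220-name ...' greeting."""
    m = re.match(r"220[ -](\S+)", banner)
    return _norm(m.group(1)) if m else None


def spf_uses_ptr(spf_txt):
    """True if the SPF record contains a ptr mechanism (with any qualifier)."""
    terms = spf_txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        head = term.split(":", 1)[0]
        if "=" in head:                      # modifier such as redirect= or exp=
            continue
        if head.lstrip("+-~?").split("/", 1)[0].lower() == "ptr":
            return True
    return False


def check_sender(facts):
    """Return findings; an empty list means every point in the post is met."""
    findings = []
    forward = {_norm(k): v for k, v in facts.a_records.items()}
    ptrs = [_norm(n) for n in facts.ptr_names]
    # Forward-confirm: keep only PTR names whose A record contains the IP.
    confirmed = [n for n in ptrs if facts.ip in forward.get(n, [])]
    if not ptrs:
        findings.append("no reverse DNS record for %s" % facts.ip)
    elif not confirmed:
        findings.append("PTR name does not resolve back to %s" % facts.ip)
    helo = banner_hostname(facts.banner)
    if helo is None:
        findings.append("SMTP banner announces no hostname")
    elif helo not in confirmed:
        findings.append("banner name %s differs from the confirmed PTR name" % helo)
    if spf_uses_ptr(facts.spf_txt):
        findings.append("SPF record uses the ptr mechanism")
    return findings


# Constructed sample data (documentation address range, example domains).
GOOD = SenderFacts(
    ip="192.0.2.25",
    ptr_names=["mx1.example.net."],
    a_records={"mx1.example.net": ["192.0.2.25"]},
    banner="220 mx1.example.net ESMTP",
    spf_txt="v=spf1 ip4:192.0.2.0/24 -all",
)
BAD = SenderFacts(
    ip="192.0.2.25",
    ptr_names=["host25.isp.example."],
    a_records={"host25.isp.example": ["192.0.2.99"]},
    banner="220-mail.example.net ESMTP ready",
    spf_txt="v=spf1 mx ?ptr:example.net redirect=_spf.example.net",
)

if __name__ == "__main__":
    for label, facts in (("good", GOOD), ("bad", BAD)):
        print(label, check_sender(facts) or "all checks pass")
```
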


Segfaulting when using compiled rules

2008-02-28 Thread micah anderson

My spamd is segfaulting when I start it up. I tried to strace the
process and all I could see was that it was opening this file and then
doing some memory mappings and then segfaulting:

open(/var/lib/spamassassin/compiled/3.002003/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so,O_RDONLY)
 = 8

Since this is a compiled rule...  I tried to remove everything under
/var/lib/spamassassin/compiled and then re-run sa-compile (after doing a
sa-update), which succeeded fine, but as soon as I started up
spamassassin it still segfaults.

So I turned off rule compilation now and it starts fine, but I'm wondering what
I can do to fix this.

I'm running 3.2.3 from volatile, and am running these channels:

sa-update --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel 
saupdates.openprotect.com --channel updates.spamassassin.org 

Thanks for any ideas,
Micah



Re: [OT] Yahoo Deferred

2008-02-28 Thread Mike Jackson

Not nearly impossible. I work daily with people who run servers
exactly like that, yet spam of all sorts is spewing from their mail
queues. Most of the ones I see are SMTP accounts with weak passwords.
The spammers authenticate as the users and bam, the server is a spam source.


With Exim this can be substantially limited with a ratelimit.

http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html#SECTratelimiting

I use something like this.

warn ratelimit = 200 / 1h / per_rcpt / strict
     delay = 10s
     log_message = Sender $sender_address rate $sender_rate / $sender_rate_period excedes limit delayed 10 seconds

It does not work as well when using webmail since messages all appear
to come from 127.0.0.1.  I did find a plugin for Squirrelmail that
limits max recipients and messages sent per day and per account which
works well though.


Unfortunately, in my environment it's mostly Linux boxes running Plesk, 
which uses Qmail as its MTA. Since users can set their own passwords, 
you end up with lousy passwords like password or 12345. The only 
password restrictions are dictionary checks, which don't do much to 
prevent stupidity.


Re: China TLD links

2008-02-28 Thread Randy Ramsdell

JP Kelly wrote:

any takers on this?


On Feb 27, 2008, at 2:31 PM, Chip M. wrote:


The main thing that stands out (to me) is the China TLD in the URL.
We block all those on sight (unless they're in the recipient's domain
skip list - so far, none of my users have any China TLDs in theirs).

Perhaps one of the regex gurus will whip you up a rule. :)


* Both should be run through a manual sa-learn. ( It would have caught 
the first example )
* As Chip wrote earlier,  each message has China based links in them. 
Mark those.
* If this is a company server, I would certainly not have an issue with 
blocking or adding a high score for the word Whore and could do 
something with the word Schoolgirl.


Randy Ramsdell
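
The "China TLD in the URL" test discussed in this thread only works if it looks at the host part of each link; a bare substring match for ".cn" also fires on paths and file names. The sketch below is an added example, not a rule posted by anyone in the thread: it compares the two approaches and honours a per-recipient domain skip list as Chip describes. The message body, domains and skip list are constructed.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_urls(body):
    """Pull http(s) URLs out of a message body, trimming sentence punctuation."""
    return [m.group(0).rstrip(".,;") for m in URL_RE.finditer(body)]


def url_host(url):
    """Lower-cased hostname without userinfo, port or trailing dot."""
    try:
        host = urlsplit(url).hostname
    except ValueError:                       # e.g. malformed IPv6 literal
        return None
    return host.rstrip(".") if host else None


def in_domain(host, domain):
    """True if host is the domain itself or any name below it."""
    return host == domain or host.endswith("." + domain)


def naive_hits(body):
    """What a bare substring test for '.cn' would flag."""
    return [u for u in extract_urls(body) if ".cn" in u.lower()]


def cn_tld_hits(body, skip_domains=()):
    """URLs whose host is under .cn, minus hosts on the recipient's skip list."""
    skip = [d.lower().rstrip(".") for d in skip_domains]
    hits = []
    for url in extract_urls(body):
        host = url_host(url)
        if host is None or not in_domain(host, "cn"):
            continue
        if any(in_domain(host, d) for d in skip):
            continue
        hits.append(url)
    return hits


# Constructed message body: two .cn hosts, one ".cn" in a path, one "cn." label.
SAMPLE_BODY = """\
Order now at http://watches.example.cn/buy?id=1 while stocks last.
Our partner portal is http://USER@Partner.Example.CN:8080/a.
Docs: http://www.example.com/cn/page.cn and http://cn.example.org/
"""

if __name__ == "__main__":
    print("naive :", naive_hits(SAMPLE_BODY))
    print("host  :", cn_tld_hits(SAMPLE_BODY))
    print("skip  :", cn_tld_hits(SAMPLE_BODY, ["partner.example.cn"]))
```
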


Where can I find out about domain keys?

2008-02-28 Thread Martin Gregorie

A friend tells me that some mail I sent to him at xtra.co.nz (now a
Yahoo subsidiary) was flagged as spam. He sent me the headers, but all
it shows is:

X-Apparently-To: [EMAIL PROTECTED] via hhh.hhh.hhh.hhh;
    Thu, 21 Feb 2008 15:46:00 -0800
X-YahooFilteredBulk: 77.75.108.10
X-Originating-IP: [77.75.108.10]
Authentication-Results: mta105.tnz.mail.aue.yahoo.com
    from=gregorie.org; domainkeys=neutral (no sig)

I wrapped the lines to suit the e-mail. These are the only indications
of why my mail was treated as spam. What is this domainkeys of which
they speak? 

Can anybody point me at an explanation? Words or a URL would be equally
good.


Thanks,
Martin




Re: China TLD links

2008-02-28 Thread Daryl C. W. O'Shea
On 28/02/2008 5:04 PM, Randy Ramsdell wrote:
 * If this is a company server, I would certainly not have an issue with
 blocking or adding a high score for the word Whore and could do
 something with the word Schoolgirl.

Maybe it's just my manufacturing background, but I'd block half of our
corporate mail (internal and between us and suppliers and customers) if
I were to block whore.  IMHO single word (and very short phrase)
content filters are whoreable.

Of course, now that I've used the word whore three times and quoted it
once I'm sure I'll get a deluge of bounces (not rejects) from people
running Microsoft's Antigen for SMTP.

http://daryl.dostech.ca/blog/2008/02/22/microsoft-antigen-brain-dead-content-filter/

Daryl



-max-child setting not obeyed?

2008-02-28 Thread fchan

Hi,
I have set my --max-child to 30 but I look at my logs and it appears 
that this is not obeyed.


Here is my spamd options:
SPAMDOPTIONS=-d -m 30 -H

Here is what I see in the logs:
Feb 28 10:57:29 s1 spamd[15535]: prefork: child states: B
Feb 28 10:57:29 s1 spamd[15535]: prefork: server reached 
--max-children setting, consider raising it
Feb 28 10:57:29 s1 spamd[15740]: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 45480
Feb 28 10:57:29 s1 spamd[15740]: spamd: checking message 
[EMAIL PROTECTED] for qscand:510
Feb 28 10:57:31 s1 spamd[15740]: spamd: identified spam (106.3/8.0) 
for qscand:510 in 2.8 seconds, 862 bytes.
Feb 28 10:57:31 s1 spamd[15740]: spamd: result: Y 106 - 
BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DIGEST_MULTIPLE,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPEURIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL 
scantime=2.8,size=862,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45480,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=spam

Feb 28 10:57:32 s1 spamd[15535]: prefork: child states: B
Feb 28 10:57:32 s1 spamd[15535]: prefork: server reached 
--max-children setting, consider raising it
Feb 28 10:57:32 s1 spamd[15740]: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 45485
Feb 28 10:57:32 s1 spamd[15740]: spamd: checking message 
[EMAIL PROTECTED] for qscand:510
Feb 28 10:57:32 s1 spamd[15592]: spamd: identified spam (27.6/8.0) 
for qscand:510 in 8.3 seconds, 1725 bytes.
Feb 28 10:57:32 s1 spamd[15592]: spamd: result: Y 27 - 
BAYES_99,BOTNET,DATE_IN_PAST_06_12,DNS_FROM_RFC_DSN,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL 
scantime=8.3,size=1725,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45475,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=spam

Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached 
--max-children setting, consider raising it
Feb 28 10:57:33 s1 spamd[15592]: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 45491
Feb 28 10:57:33 s1 spamd[15592]: spamd: checking message (unknown) 
for qscand:510
Feb 28 10:57:33 s1 spamd[15742]: spamd: identified spam (34.2/8.0) 
for qscand:510 in 8.0 seconds, 2605 bytes.
Feb 28 10:57:33 s1 spamd[15742]: spamd: result: Y 34 - 
AWL,BAYES_50,MANHOOD,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL 
scantime=8.0,size=2605,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45477,mid=(unknown),bayes=0.49,autolearn=spam

Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached 
--max-children setting, consider raising it
Feb 28 10:57:33 s1 spamd[15742]: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 45492
Feb 28 10:57:33 s1 spamd[15742]: spamd: checking message 
[EMAIL PROTECTED] for qscand:510
Feb 28 10:57:34 s1 spamd[15739]: spamd: identified spam (26.1/8.0) 
for qscand:510 in 9.9 seconds, 1642 bytes.
Feb 28 10:57:34 s1 spamd[15739]: spamd: result: Y 26 - 
BAYES_99,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL 
scantime=9.9,size=1642,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45476,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=spam

Feb 28 10:57:35 s1 spamd[15535]: prefork: child states: B
Feb 28 10:57:35 s1 spamd[15535]: prefork: server reached 
--max-children setting, consider raising it
Feb 28 10:57:35 s1 spamd[15739]: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 45493
Feb 28 10:57:35 s1 spamd[15739]: spamd: checking message 
[EMAIL PROTECTED] for qscand:510
Feb 28 10:57:35 s1 spamd[15591]: spamd: identified spam (102.3/8.0) 
for qscand:510 in 8.1 seconds, 784 bytes.
Feb 28 10:57:35 s1 spamd[15591]: spamd: result: Y 102 - 
BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL 
scantime=8.1,size=784,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45479,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=unavailable


It appears I hit 5 child processes as shown child states: B but
it doesn't want to go higher for some reason.  Why is it stopping at
5 child processes when in spamd I specify 30?


Thank you,
Frank


Re: Where can I find out about domain keys?

2008-02-28 Thread SM

At 14:26 28-02-2008, Martin Gregorie wrote:

I wrapped the lines to suit the e-mail. These are the only indications
of why my mail was treated as spam. What is this domainkeys of which
they speak?


Quoting Yahoo:

DomainKeys is yet another way Yahoo! brings untold misery and grief
to email forgers everywhere. Without boring you with too many details,
it's an Internet standard developed in large part at Yahoo! that lets
us confirm whether emails are really from their claimed domain.

Regards,
-sm 



Re: -max-child setting not obeyed?

2008-02-28 Thread Gene Heskett
On Thursday 28 February 2008, fchan wrote:
Hi,
I have set my --max-child to 30 but I look at my logs and it appears
that this is not obeyed.

Here is my spamd options:
SPAMDOPTIONS=-d -m 30 -H

Here is what I see in the logs:
Feb 28 10:57:29 s1 spamd[15535]: prefork: child states: B
Feb 28 10:57:29 s1 spamd[15535]: prefork: server reached
--max-children setting, consider raising it
Feb 28 10:57:29 s1 spamd[15740]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 45480
Feb 28 10:57:29 s1 spamd[15740]: spamd: checking message
[EMAIL PROTECTED] for qscand:510
Feb 28 10:57:31 s1 spamd[15740]: spamd: identified spam (106.3/8.0)
for qscand:510 in 2.8 seconds, 862 bytes.
Feb 28 10:57:31 s1 spamd[15740]: spamd: result: Y 106 -
BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DIGEST
_MULTIPLE,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RAZOR2_C
F_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CH
ECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPEURIBL_BLACK,URIBL_JP_SU
RBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL
 scantime=2.8,size=862,user=qscand,uid=510,required_score=8.0,rhost=localhos
t.localdomain,raddr=127.0.0.1,rport=45480,mid=0cc401c87a3a$d4d54e60$1501a8c
[EMAIL PROTECTED],bayes=1.00,autolearn=spam Feb 28 10:57:32 s1 
spamd[15535]:
 prefork: child states: B
Feb 28 10:57:32 s1 spamd[15535]: prefork: server reached
--max-children setting, consider raising it
Feb 28 10:57:32 s1 spamd[15740]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 45485
Feb 28 10:57:32 s1 spamd[15740]: spamd: checking message
[EMAIL PROTECTED] for qscand:510
Feb 28 10:57:32 s1 spamd[15592]: spamd: identified spam (27.6/8.0)
for qscand:510 in 8.3 seconds, 1725 bytes.
Feb 28 10:57:32 s1 spamd[15592]: spamd: result: Y 27 -
BAYES_99,BOTNET,DATE_IN_PAST_06_12,DNS_FROM_RFC_DSN,DOS_OE_TO_MX,HTML_MESSAG
E,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,U
RIBL_JP_SURBL
 scantime=8.3,size=1725,user=qscand,uid=510,required_score=8.0,rhost=localho
st.localdomain,raddr=127.0.0.1,rport=45475,mid=1ec901c87a3a$d2527410$bd3680
[EMAIL PROTECTED],bayes=1.00,autolearn=spam Feb 28 10:57:33 s1 
spamd[15535]:
 prefork: child states: B
Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached
--max-children setting, consider raising it
Feb 28 10:57:33 s1 spamd[15592]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 45491
Feb 28 10:57:33 s1 spamd[15592]: spamd: checking message (unknown)
for qscand:510
Feb 28 10:57:33 s1 spamd[15742]: spamd: identified spam (34.2/8.0)
for qscand:510 in 8.0 seconds, 2605 bytes.
Feb 28 10:57:33 s1 spamd[15742]: spamd: result: Y 34 -
AWL,BAYES_50,MANHOOD,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_5
1_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL
_SC_SURBL
 scantime=8.0,size=2605,user=qscand,uid=510,required_score=8.0,rhost=localho
st.localdomain,raddr=127.0.0.1,rport=45477,mid=(unknown),bayes=0.49,auto
learn=spam Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached
--max-children setting, consider raising it
Feb 28 10:57:33 s1 spamd[15742]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 45492
Feb 28 10:57:33 s1 spamd[15742]: spamd: checking message
[EMAIL PROTECTED] for qscand:510
Feb 28 10:57:34 s1 spamd[15739]: spamd: identified spam (26.1/8.0)
for qscand:510 in 9.9 seconds, 1642 bytes.
Feb 28 10:57:34 s1 spamd[15739]: spamd: result: Y 26 -
BAYES_99,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCV
D_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL
 scantime=9.9,size=1642,user=qscand,uid=510,required_score=8.0,rhost=localho
st.localdomain,raddr=127.0.0.1,rport=45476,mid=1ed001c87a3a$d2527410$bd3680
[EMAIL PROTECTED],bayes=1.00,autolearn=spam Feb 28 10:57:35 s1 
spamd[15535]:
 prefork: child states: B
Feb 28 10:57:35 s1 spamd[15535]: prefork: server reached
--max-children setting, consider raising it
Feb 28 10:57:35 s1 spamd[15739]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 45493
Feb 28 10:57:35 s1 spamd[15739]: spamd: checking message
[EMAIL PROTECTED] for qscand:510
Feb 28 10:57:35 s1 spamd[15591]: spamd: identified spam (102.3/8.0)
for qscand:510 in 8.1 seconds, 784 bytes.
Feb 28 10:57:35 s1 spamd[15591]: spamd: result: Y 102 -
BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DOS_OE
_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,
RDNS_NONE,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SB
L,URIBL_SC_SURBL
 scantime=8.1,size=784,user=qscand,uid=510,required_score=8.0,rhost=localhos
t.localdomain,raddr=127.0.0.1,rport=45479,mid=0cbd01c87a3a$d4d0ba80$1501a8c
[EMAIL PROTECTED],bayes=1.00,autolearn=unavailable

It appears I hit 5 child processes as shown child states: B but
it doesn't want to go higher for 

Re: -max-child setting not obeyed?

2008-02-28 Thread Steven Stern

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/28/2008 05:16 PM, fchan wrote:
| Hi,
| I have set my --max-child to 30 but I look at my logs and it appears
| that this is not obeyed.
|
| Here is my spamd options:
| SPAMDOPTIONS=-d -m 30 -H
|
| Here is what I see in the logs:
| Feb 28 10:57:29 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:29 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:29 s1 spamd[15740]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45480
| Feb 28 10:57:29 s1 spamd[15740]: spamd: checking message
| [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:31 s1 spamd[15740]: spamd: identified spam (106.3/8.0) for
| qscand:510 in 2.8 seconds, 862 bytes.
| Feb 28 10:57:31 s1 spamd[15740]: spamd: result: Y 106 -
|
BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DIGEST_MULTIPLE,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPEURIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL

|
scantime=2.8,size=862,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45480,mid=[EMAIL
 PROTECTED],bayes=1.00,autolearn=spam

|
| Feb 28 10:57:32 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:32 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:32 s1 spamd[15740]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45485
| Feb 28 10:57:32 s1 spamd[15740]: spamd: checking message
| [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:32 s1 spamd[15592]: spamd: identified spam (27.6/8.0) for
| qscand:510 in 8.3 seconds, 1725 bytes.
| Feb 28 10:57:32 s1 spamd[15592]: spamd: result: Y 27 -
|
BAYES_99,BOTNET,DATE_IN_PAST_06_12,DNS_FROM_RFC_DSN,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL

|
scantime=8.3,size=1725,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45475,mid=[EMAIL
 PROTECTED],bayes=1.00,autolearn=spam

|
| Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:33 s1 spamd[15592]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45491
| Feb 28 10:57:33 s1 spamd[15592]: spamd: checking message (unknown) for
| qscand:510
| Feb 28 10:57:33 s1 spamd[15742]: spamd: identified spam (34.2/8.0) for
| qscand:510 in 8.0 seconds, 2605 bytes.
| Feb 28 10:57:33 s1 spamd[15742]: spamd: result: Y 34 -
|
AWL,BAYES_50,MANHOOD,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL

|
scantime=8.0,size=2605,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45477,mid=(unknown),bayes=0.49,autolearn=spam

|
| Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:33 s1 spamd[15742]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45492
| Feb 28 10:57:33 s1 spamd[15742]: spamd: checking message
| [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:34 s1 spamd[15739]: spamd: identified spam (26.1/8.0) for
| qscand:510 in 9.9 seconds, 1642 bytes.
| Feb 28 10:57:34 s1 spamd[15739]: spamd: result: Y 26 -
|
BAYES_99,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL

|
scantime=9.9,size=1642,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45476,mid=[EMAIL
 PROTECTED],bayes=1.00,autolearn=spam

|
| Feb 28 10:57:35 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:35 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:35 s1 spamd[15739]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45493
| Feb 28 10:57:35 s1 spamd[15739]: spamd: checking message
| [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:35 s1 spamd[15591]: spamd: identified spam (102.3/8.0) for
| qscand:510 in 8.1 seconds, 784 bytes.
| Feb 28 10:57:35 s1 spamd[15591]: spamd: result: Y 102 -
|
BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL

|
scantime=8.1,size=784,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45479,mid=[EMAIL
 PROTECTED],bayes=1.00,autolearn=unavailable

|
|
| It appears I hit 5 child processes as shown 

Re: -max-child setting not obeyed?

2008-02-28 Thread Daryl C. W. O'Shea
On 28/02/2008 6:16 PM, fchan wrote:
 Hi,
 I have set my --max-child to 30 but I look at my logs and it appears
 that this is not obeyed.
 
 Here is my spamd options:
 SPAMDOPTIONS=-d -m 30 -H

Does whatever you start spamd with actually use those options?  Are you
sure (check the command line of the running spamd using top, etc)?

 It appears I hit 5 child processes as shown child states: B but it
 doesn't want to go higher for some reason.  Why is it stopping at 5
 child processes when in spamd I specify 30.

I would be extremely surprised to find that spamd is actually being
started with an -m 30 option (unless an -m 5 option follows it).

Daryl
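
Daryl's check (look at the command line of the running spamd, and remember that a later -m overrides an earlier one) can be combined with the log lines fchan posted. The sketch below is an added example, not code from the thread: it derives the effective --max-children from a command line and counts distinct worker PIDs in the log. The log excerpt and the second command line are taken from this thread; the first command line is constructed, and the default of 5 is spamd's documented default.

```python
import re
import shlex

DEFAULT_MAX_CHILDREN = 5  # spamd's documented default when no -m is given

LOG_RE = re.compile(r"spamd\[(\d+)\]: (prefork|spamd): (.*)")


def effective_max_children(cmdline):
    """Return the --max-children value a spamd command line results in."""
    args = shlex.split(cmdline)
    value = DEFAULT_MAX_CHILDREN
    i = 1                                    # args[0] is the program path
    while i < len(args):
        arg = args[i]
        if (arg in ("-m", "--max-children") and i + 1 < len(args)
                and args[i + 1].isdigit()):
            value = int(args[i + 1])         # a later -m overrides an earlier one
            i += 2
            continue
        m = re.fullmatch(r"--max-children=(\d+)|-m(\d+)", arg)
        if m:
            value = int(m.group(1) or m.group(2))
        i += 1
    return value


def summarize(log_lines):
    """Count distinct worker PIDs and 'reached --max-children' warnings."""
    workers, limit_hits = set(), 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        pid, source, msg = m.groups()
        if source == "prefork":              # logged by the parent process
            if "reached --max-children" in msg:
                limit_hits += 1
        else:                                # logged by a child handling mail
            workers.add(pid)
    return {"workers": len(workers), "limit_hits": limit_hits}


def diagnose(intended, cmdline, log_lines):
    """Explain a mismatch between the intended limit and what spamd runs with."""
    effective = effective_max_children(cmdline)
    stats = summarize(log_lines)
    notes = []
    if effective != intended:
        notes.append("running spamd is limited to %d children, not the "
                     "intended %d" % (effective, intended))
    if stats["limit_hits"] and stats["workers"] >= effective:
        notes.append("limit reached %d times with %d workers seen"
                     % (stats["limit_hits"], stats["workers"]))
    return notes


# Constructed: a spamd started without the options from the sysconfig file.
BEFORE_CMD = "/usr/bin/spamd -d -r /var/run/spamd.pid"
# From the thread: the command line after the fix.
AFTER_CMD = ("/usr/bin/spamd -x -u spamd -m 20 -H /home/spamd -d "
             "-r /var/run/spamd.pid")
# Excerpt of the log lines quoted in the thread, one syslog record per line.
LOG_EXCERPT = [
    "Feb 28 10:57:29 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it",
    "Feb 28 10:57:29 s1 spamd[15740]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45480",
    "Feb 28 10:57:32 s1 spamd[15592]: spamd: identified spam (27.6/8.0) for qscand:510 in 8.3 seconds, 1725 bytes.",
    "Feb 28 10:57:33 s1 spamd[15742]: spamd: identified spam (34.2/8.0) for qscand:510 in 8.0 seconds, 2605 bytes.",
    "Feb 28 10:57:34 s1 spamd[15739]: spamd: identified spam (26.1/8.0) for qscand:510 in 9.9 seconds, 1642 bytes.",
    "Feb 28 10:57:35 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it",
    "Feb 28 10:57:35 s1 spamd[15591]: spamd: identified spam (102.3/8.0) for qscand:510 in 8.1 seconds, 784 bytes.",
]

if __name__ == "__main__":
    print(diagnose(30, BEFORE_CMD, LOG_EXCERPT))
    print(diagnose(20, AFTER_CMD, LOG_EXCERPT))
```
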




Re: -max-child setting not obeyed?

2008-02-28 Thread fchan

Hi,
Thank you Steve for this. I found that /etc/sysconfig/spamassassin 
had the other SPAMOPTIONS so I updated my -m 20 there and it appears 
to take. Here is my current ps auwxf|grep spam:
root     27678  0.9  2.0  43672 39268 ?  Ss  16:08  0:03 /usr/bin/spamd -x -u spamd -m 20 -H /home/spamd -d -r /var/run/spamd.pid
spamd    27709  5.4  2.2  48564 44000 ?  S   16:08  0:16  \_ spamd child
spamd    27710  1.1  2.1  45416 40852 ?  S   16:08  0:03  \_ spamd child


Before -m 20 or any other settings will not appear after spamd.
I see these server reached --max-children setting, consider raising 
it during spam attacks.


Thank you,
Frank


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/28/2008 05:16 PM, fchan wrote:
| Hi,
| I have set my --max-child to 30 but I look at my logs and it appears
| that this is not obeyed.
|
| Here is my spamd options:
| SPAMDOPTIONS=-d -m 30 -H
|
| Here is what I see in the logs:
| Feb 28 10:57:29 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:29 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:29 s1 spamd[15740]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45480
| Feb 28 10:57:29 s1 spamd[15740]: spamd: checking message
| [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:31 s1 spamd[15740]: spamd: identified spam (106.3/8.0) for
| qscand:510 in 2.8 seconds, 862 bytes.
| Feb 28 10:57:31 s1 spamd[15740]: spamd: result: Y 106 -
|
BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DIGEST_MULTIPLE,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPEURIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL

|
scantime=2.8,size=862,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45480,mid=[EMAIL
 PROTECTED],bayes=1.00,autolearn=spam

|
| Feb 28 10:57:32 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:32 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:32 s1 spamd[15740]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45485
| Feb 28 10:57:32 s1 spamd[15740]: spamd: checking message
| [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:32 s1 spamd[15592]: spamd: identified spam (27.6/8.0) for
| qscand:510 in 8.3 seconds, 1725 bytes.
| Feb 28 10:57:32 s1 spamd[15592]: spamd: result: Y 27 -
|
BAYES_99,BOTNET,DATE_IN_PAST_06_12,DNS_FROM_RFC_DSN,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL

|
scantime=8.3,size=1725,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45475,mid=[EMAIL
 PROTECTED],bayes=1.00,autolearn=spam

|
| Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:33 s1 spamd[15592]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45491
| Feb 28 10:57:33 s1 spamd[15592]: spamd: checking message (unknown) for
| qscand:510
| Feb 28 10:57:33 s1 spamd[15742]: spamd: identified spam (34.2/8.0) for
| qscand:510 in 8.0 seconds, 2605 bytes.
| Feb 28 10:57:33 s1 spamd[15742]: spamd: result: Y 34 -
|
AWL,BAYES_50,MANHOOD,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL

|
scantime=8.0,size=2605,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45477,mid=(unknown),bayes=0.49,autolearn=spam

|
| Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:33 s1 spamd[15742]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45492
| Feb 28 10:57:33 s1 spamd[15742]: spamd: checking message
| [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:34 s1 spamd[15739]: spamd: identified spam (26.1/8.0) for
| qscand:510 in 9.9 seconds, 1642 bytes.
| Feb 28 10:57:34 s1 spamd[15739]: spamd: result: Y 26 -
|
BAYES_99,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL

|
scantime=9.9,size=1642,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45476,mid=[EMAIL
 PROTECTED],bayes=1.00,autolearn=spam

|
| Feb 28 10:57:35 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:35 s1 spamd[15535]: prefork: server reached --max-children
| setting, consider raising it
| Feb 28 10:57:35 s1 spamd[15739]: spamd: connection from
| localhost.localdomain [127.0.0.1] at port 45493
| Feb 28 10:57:35 s1 spamd[15739]: spamd: checking message
| [EMAIL 

Re: How to properly teach SA to recognise the spam that is still getting through, despite the rules updates

2008-02-28 Thread Matt Kettler

Olaf Greve wrote:

Hi,
 
Firstly: I'm new to this list and also pretty new to SA in general. I 
did try to find the answers to my questions in the FAQ, but haven't 
succeeded beyond all doubt at doing so. I do hope, however, that I'm 
not flogging a dead horse with my below questions (which appear at the 
end of the message)...:P
 
Secondly, I'd like to say that SA is a *great* tool, and that 
Internet-life is much better with it, than it used to be without it! :P
 
The situation:
I run a FreeBSD 5.4-release AMD-64 based server, on which I have 
installed SA (identified by pkg_info as: 
p5-Mail-SpamAssassin-3.2.4_2) through Amavisd-new (precise version, 
according to pkg_info: amavisd-new-2.5.2,1), which is being invoked 
after mail arrives on the RX side of Sendmail. The RX daemon is split 
in two, and tunnels the mail locally through amavisd-new (using clamd 
and SA), and all mail that passes the tests gets delivered, and the 
rest goes directly to the quarantine.
 
The problem:
The above set-up was working fine (using SA 3.2.3) for several months, 
and virtually no spam got through. However, all of a sudden since some 
two weeks I'm getting about 100 spam mails per day again, and these 
seem to include spam mails that I have previously seen being filtered 
out... Still, by far most of the spam does get filtered out, but for 
some reason (perhaps spammers finding ways around SA?) more and more 
spam is getting through again.
 
My approach so far:
Figuring SA or the rules to be outdated (despite the twice-weekly call 
to sa-update from cron), I first updated SA to 3.2.4. (and performed 
an sa-update too), but to no real avail: the same amount of spam 
seemed to be getting through. I then checked into additional channels, 
and soon came across the SARE (based) ones. I decided to add the 
saupdates.openprotect.com channel, but still the same amount of spam 
seems to get through.
 
The way I perform my updates are as follows:
 
Cron call:
23 3 * * 2,5 /usr/local/bin/sa-update --allowplugins --gpgkeyfile 
/root/sa_pgp_keys --channelfile /root/sa_channels  
/usr/local/etc/rc.d/sa-spamd.sh restart  /dev/null
(yes, I realise spamd is not actually used by amavisd-new, but I 
decided to have it running anyway)
 
My /root/sa_channels file contains the following:

saupdates.openprotect.com
updates.spamassassin.org

Now, my questions are:
1-Am I doing anything wrong, or am I grossly overlooking something?

It's hard to say.. can you post an X-Spam-Status from one of the missed 
messages? It's not perfect, but there's a lot we can tell from glancing 
at that.. things like BAYES_00 or ALL_TRUSTED are signs of specific 
problems...

2-I've never tried to teach SA about which messages are spam and which 
are ham. From what I gather from the website, I need to set-up a 
mailbox with solely spam and feed that to sa-learn, and then do the 
same for a mailbox containing solely ham. However, how can I best go 
about this? Once spam is misidentified, it gets mixed in the live 
mailboxes with ham, so I wouldn't want to classify all of it as 
either ham or spam... Then, I did keep the spam messages from the last 
few days. Can I perhaps (manually) forward those to a local mailbox, 
and then run sa-learn on that mailbox, getting it successfully 
identified as spam, or will that not work due to the new mail headers 
added by the forward action from my mail client?

You can't forward a message and then feed it to sa-learn. When you 
forward a message, the content might look similar when rendered in a 
mail client, but it's *vastly* different when you look at the complete, 
raw message.

3-Are there perhaps other good (preferably automatic ways) to tell SA 
about what is spam, and what isn't?

SA has an autolearner built in and enabled by default, but it's not 
perfect.

4-Are there perhaps other very efficient rules channels that you can 
recommend me to add (like using the full set of SARE rules, rather 
than the openprotect subset of it)?

5-Just a theory, but is it perhaps possible that SA somehow 
misidentified a spam message as being ham, and that all messages that 
are similar to that particular spam message are now being 
misidentified as ham, hence all getting through?

Possible.. although it would generally take a lot of mislearning.. 
Seeing a low scoring BAYES_XX rule in the X-Spam-Status would suggest 
this problem..
 
Any and all feedback will be greatly appreciated, and I would like to 
thank you all for taking the time to read this e-mail and address the 
questions raised in it.
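Added example, not part of the original thread and not SpamAssassin's own code: a small triage script for the X-Spam-Status check suggested in the reply above. It parses both the stock header layout and the amavisd-new bracket layout, then flags ALL_TRUSTED and missing or low-scoring BAYES_XX hits on a message that a human judged to be spam. The sample headers and the function names are constructed for illustration.

```python
import re

# Constructed sample headers, not taken from a real mailbox. The first and third
# use the stock SpamAssassin layout; the second uses the amavisd-new bracket layout.
SAMPLES = [
    "X-Spam-Status: No, score=1.3 required=5.0 tests=ALL_TRUSTED,BAYES_00,\n"
    "\tHTML_MESSAGE,URIBL_BLACK autolearn=ham version=3.2.4",
    "X-Spam-Status: No, score=3.982 required=5\n"
    " tests=[ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841]",
    "X-Spam-Status: No, score=2.1 required=5.0 tests=HTML_MESSAGE,SUB_HELLO\n"
    "\tautolearn=no version=3.2.4",
]

_NUM = r"(-?\d+(?:\.\d+)?)"


def parse_status(header):
    """Parse one (possibly folded) X-Spam-Status header into a dict."""
    flat = re.sub(r"\s+", " ", header.strip())      # unfold continuation lines
    verdict = re.match(r"X-Spam-Status:\s*(Yes|No)\b", flat, re.I)
    if not verdict:
        raise ValueError("not an X-Spam-Status header")
    score = re.search(r"\b(?:score|hits)=" + _NUM, flat)
    required = re.search(r"\brequired=" + _NUM, flat)
    # tests=[A=1, B=2] (amavisd-new) or tests=A,B up to the next " key=" field.
    tests = re.search(r"\btests=(?:\[([^\]]*)\]|(.*?)(?= \w+=|$))", flat)
    raw = (tests.group(1) or tests.group(2) or "") if tests else ""
    rules = [t.split("=")[0].strip() for t in raw.split(",") if t.strip()]
    rules = [r for r in rules if r.lower() != "none"]
    return {
        "spam": verdict.group(1).lower() == "yes",
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "rules": rules,
    }


def triage_missed_spam(header):
    """Return findings for a message that was spam but was not tagged as spam."""
    rules = parse_status(header)["rules"]
    findings = []
    if "ALL_TRUSTED" in rules:
        findings.append("ALL_TRUSTED: every relay was treated as trusted; "
                        "review trusted_networks / internal_networks")
    bayes = [r for r in rules if re.fullmatch(r"BAYES_\d+", r)]
    if not bayes:
        findings.append("no BAYES_* hit: Bayes produced no result "
                        "(disabled, too little training, or database unavailable)")
    elif int(bayes[0].split("_")[1]) <= 40:
        findings.append(bayes[0] + ": Bayes leans ham on a spam message; "
                        "possible mislearning, retrain on the raw message")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_status(sample)
        print(parsed["score"], parsed["required"], parsed["rules"])
        for finding in triage_missed_spam(sample):
            print("   ", finding)
```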
 





Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Matt Kettler

Randy Ramsdell wrote:

Hi,

One thing I do not understand regarding AWL and BAYES. When a message 
is reported to me as spam and was not marked as spam, I test it using 
debug before and after sa-learn. Each time I do this, BAYES_99 does 
hit, but they will also include AWL.


1. Does anyone understand why this happens?
I assume you're asking about why the AWL appears. That's normal. The 
first thing to realize is the AWL is *NOT* a whitelist. It's a 
sender-based score averager. It has both white and blacklist effects.


If the current message scores higher than the past average for a 
sender, the AWL will take points off, trying to split the difference 
between the past and current scores.


Since you just sa-learned a message from a sender that's probably never 
sent to you before, the score now is almost guaranteed to be higher than 
the first pass through, resulting in a negative AWL score.


However, that's not a problem. Note this message, even with the AWL, 
didn't fall below the spam tag threshold. The AWL doesn't work on a 
good vs bad senders basis, so just because it scores negative, it 
doesn't mean the AWL thinks the message is nonspam.. in your example, it 
just thought it was less spammy, but still spam.


You might want to read this wiki article for a better discussion of the 
AWL's behaviors:


http://wiki.apache.org/spamassassin/AwlWrongWay

2. I also noticed that when using spamassassin -D on a message, I 
sometimes see a nice report like below (2nd example) but other times 
it doesn't show report formatted. Any ideas on this one?
SA won't generate a formatted report for a message below the spam tag 
level. You can force it to do so by adding -t.




Here are an example of two spam report headers for the same message.

Before sa-learn:

X-Spam-Status: No, score=3.982 tagged_above=- required=5
tests=[ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841]
X-Spam-Score: 3.982
X-Spam-Level: ***

After sa-learn:

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name       description
---- --------------- --------------------------------------------------
 2.1 SUB_HELLO       Subject starts with Hello
 0.8 UNDISC_RECIPS   Valid-looking To undisclosed-recipients
 3.5 BAYES_99        BODY: Bayesian spam probability is 99 to 100%
                     [score: 1.]
 0.0 ADVANCE_FEE_1   Appears to be advance fee fraud (Nigerian 419)
-1.2 AWL             AWL: From: address is in the auto white-list

Thanks,
Randy Ramsdell





Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Matt Kettler

Randy Ramsdell wrote:

Karsten Bräckelmann wrote:

On Thu, 2008-02-28 at 09:21 -0500, Randy Ramsdell wrote:
 

Hi,

One thing I do not understand regarding AWL and BAYES. When a 
message is reported to me as spam and was not marked as spam, I test 
it using debug before and after sa-learn. Each time I do this, 
BAYES_99 does hit, but they will also include AWL.


1. Does anyone understand why this happens?



AWL is a score averager. SA has seen that sender before.
  http://wiki.apache.org/spamassassin/AutoWhitelist

Run it through SA again, and you will see the AWL score getting closer
to 0, since the score without AWL is constant. The AWL score is
negative, because previous scores have been lower.

  guenther


  
I understand that  AWL is averaging what it has seen before and it 
must have seen the message as ham, but why would one have to sa-learn 
the message as spam multiple times. 


The sa-learn doesn't count as having been seen.

However, it has been seen twice. It was seen once when it first arrived, 
and a second time when you manually invoked spamassassin on it (after 
sa-learning it).
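Added example, not part of the original thread and not SpamAssassin's own code: a small model of the AWL adjustment discussed in the two replies above, using the formula from SpamAssassin's documentation, final = score + (mean - score) * auto_whitelist_factor, with the default factor 0.5. It replays the rule scores from Randy's headers and then rescans the same message to show the AWL term shrinking towards 0; the class and function names are hypothetical, and the code assumes the history stores each scan's score before the AWL adjustment.

```python
AUTO_WHITELIST_FACTOR = 0.5   # documented default of auto_whitelist_factor


class SenderHistory:
    """Running total and message count kept for one sender."""

    def __init__(self):
        self.total = 0.0
        self.count = 0

    def mean(self):
        return self.total / self.count if self.count else None


def awl_scan(history, base_score, factor=AUTO_WHITELIST_FACTOR):
    """Score one message from this sender.

    base_score is the sum of all other rule hits. Returns the tuple
    (awl_adjustment, final_score) and then records the scan in the history.
    """
    mean = history.mean()
    # No history yet: the AWL has nothing to average against, so no adjustment.
    adjustment = 0.0 if mean is None else (mean - base_score) * factor
    # Assumption: the history records the score *before* the AWL adjustment.
    history.total += base_score
    history.count += 1
    return adjustment, base_score + adjustment


def replay_thread_example(rescans=4):
    """Replay the message from the thread: one arrival, then repeated rescans."""
    history = SenderHistory()
    # First arrival, before sa-learn (scores from the X-Spam-Status header):
    # ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841
    before_learn = 0.0 + 1.0 + 2.141 + 0.841
    results = [awl_scan(history, before_learn)]
    # After sa-learn the Bayes hit moves from BAYES_60 (1) to BAYES_99 (3.5).
    # sa-learn itself does not touch the AWL history; only scans do.
    after_learn = 0.0 + 3.5 + 2.141 + 0.841
    for _ in range(rescans):
        results.append(awl_scan(history, after_learn))
    return results


if __name__ == "__main__":
    for n, (awl, final) in enumerate(replay_thread_example(), start=1):
        print("scan %d: AWL %+.3f  final %.3f" % (n, awl, final))
```

The second scan gives an AWL term of -1.25 and a final score of 5.232, consistent with the -1.2 and 5.2 in the quoted report, which prints one decimal place.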







Re: Where can I find out about domain keys?

2008-02-28 Thread Mark Martinec
On Thursday 28 February 2008 23:26:49 Martin Gregorie wrote:
 What is this domainkeys of which they speak?

http://www.rfc-editor.org/rfc/rfc4870.txt
http://www.rfc-editor.org/rfc/rfc4871.txt
http://www.dkim.org/info/dkim-faq.html
http://www.dkim.org/

  Mark


Re: sa-update errors

2008-02-28 Thread Daryl C. W. O'Shea
On 18/02/2008 7:29 AM, Arthur Dent wrote:
 Gentle Bump...
 
 I thought that the approved place to alter scores was in
 /etc/mail/spamassassin/local.cf so I have not gone rooting around trying
 to give these rules scores which surely they should have by default?

What exactly do you mean?  The two halves of the sentence make no sense
when combined.

 Are these new rules? Obsolete rules? Altered rules? Why the sudden
 error?

I can't remember right now what exactly you have to break to cause these
errors.  Does your channel file sare-sa-update-channels.txt, include
the channel updates.spamassassin.org?

Have you recently attempted an upgrade of SpamAssassin?

Daryl


 
 Or have I misunderstood something?
 
 Thanks...
 
 Mark
 
 
 On Thu, Feb 14, 2008 at 02:27:40PM -, Arthur Dent wrote:
 Hello all,

 I run a bog-standard out-of-the-box (Fedora 8) SA (v.3.2.4) installation.

 Every night I run:
 sa-update --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt
 --gpgkey 856AA88A  /sbin/service spamassassin restart

 as a cron job. Never been a problem before. But this morning I find this
 in my root email:

 rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at
 /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line
 2140.
 rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at
 /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line
 2140.
 rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at
 /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line
 2140.
 

Re: Yahoo calendar invite spams

2008-02-28 Thread ram
On Thu, 2008-02-28 at 11:25 -0800, SM wrote:
 At 04:35 28-02-2008, ram wrote:
 I am not really sure this is spam
 
 https://ecm.netcore.co.in/tmp/spammail_calendar.txt
 
 This looks like a simple mail to me .. but the user says it is spam. The
 text of the mail too is highly suspicious.
 
 It is spam.
 
 Regards,
 -sm 
 

I don't understand the intent in this spam?
What does the spammer want?



Re: Spamassassin per user blacklisting is not working

2008-02-28 Thread Daryl C. W. O'Shea
On 29/02/2008 12:52 AM, devi_sreem wrote:
 Here it says username='qscand' I am not sure why spamd is not transferring
 the email account as the username to variable _USERNAME_ 

Are you calling spamc with a -u username parameter?

Daryl



Re: SA gets slow.

2008-02-28 Thread Daryl C. W. O'Shea
On 29/02/2008 12:35 AM, Shahzad Abid, Network Engineer, I.T., HO. wrote:
 Dear List
 
 I am running qmail + SA + Clamav on FC 5, my problem is whenever
 concurrent smtp connections cross 30+ SA gets slow and takes too much
 time to process mails through qmailscanner
 
 qmail-queue.log
 ===
 Fri, 29 Feb 2008 09:51:50 PKT:8005: +++ starting debugging for process
 8005 (ppid=8002) by uid=508
 Fri, 29 Feb 2008 10:11:50 PKT:8005: w_c: elapsed time from start
 1199.846234 secs
 Fri, 29 Feb 2008 10:11:50 PKT:8005: g_e_h: no sender and no recips, from
 via SMTP from 202.76.109.59. Dropping.
 Fri, 29 Feb 2008 10:11:50 PKT:8005: -- Process 8005 finished. Total
 of 1199.88143 secs
 =
 
 To remove this problem I kill all qmail-smtp processes. I need its
 permanent solution.

Make sure you're not hitting swap (30 concurrent instances of SA may
take over 1GB of memory).  Swap thrashing will destroy message throughput.

Daryl




SA gets slow.

2008-02-28 Thread Shahzad Abid, Network Engineer, I.T., HO.

Dear List

I am running qmail + SA + Clamav on FC 5, my problem is whenever 
concurrent smtp connections cross 30+ SA gets slow and takes too much 
time to process mails through qmailscanner


qmail-queue.log
===
Fri, 29 Feb 2008 09:51:50 PKT:8005: +++ starting debugging for process 
8005 (ppid=8002) by uid=508
Fri, 29 Feb 2008 10:11:50 PKT:8005: w_c: elapsed time from start 
1199.846234 secs
Fri, 29 Feb 2008 10:11:50 PKT:8005: g_e_h: no sender and no recips, from 
via SMTP from 202.76.109.59. Dropping.
Fri, 29 Feb 2008 10:11:50 PKT:8005: -- Process 8005 finished. Total 
of 1199.88143 secs

=

To remove this problem I kill all qmail-smtp processes. I need its 
permanent solution.





--

Regards,


Shahzad Abid




Is http://www.rulesemporium.com?

2008-02-28 Thread Johnson Jeba Asir
Hi All,

First, I really don't know if this is the right forum to ask my doubts.

I was not able to access http://www.rulesemporium.com. Is this working
or moved somewhere?

www.rulesemporium.com  resolved to 72.52.4.74, but ping failed for me,

Thanks in advance

Regards,
a.Johnson


Spamassassin per user blacklisting is not working

2008-02-28 Thread devi_sreem

Hi,

I have been trying to make spamassassin work against SQL user preferences
without any luck.

My local.cf contains:

user_scores_dsn  DBI:mysql:spamassassin:mysql_socket=/var/lib/mysql/mysql.sock
user_scores_sql_username  username
user_scores_sql_password  password
user_scores_sql_custom_query  SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = '@GLOBAL' ORDER BY username ASC

I am running spamd  with following switches

/usr/bin/spamd -q -x -u spamd -H /home/spamd -d -D -r
/var/run/spamassassin/spamd.pid

the debug message from spamd says 

Feb 29 04:47:37 sreedevi spamd[4100]: debug: Conf::SQL: executing SQL:
SELECT preference, value FROM userpref WHERE username = 'qscand' OR username
= '@GLOBAL' ORDER BY username ASC

Feb 29 04:47:37 sreedevi spamd[4100]: debug: retrieving prefs for qscand
from SQL server

Here it says username='qscand' I am not sure why spamd is not transferring
the email account as the username to variable _USERNAME_ 

Please suggest me on this.

Sincerely,
Sreedevi.
-- 
View this message in context: 
http://www.nabble.com/Spamassassin-per-user-blacklisting-is-not-working-tp15752610p15752610.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Yahoo calendar invite spams

2008-02-28 Thread SM

Hi Ram,
At 21:46 28-02-2008, ram wrote:

I don't understand the intent in this spam?


The intent of the spam is to get the recipient to read the message 
and go to the Yahoo calendar link.  Spam is generally crafted in 
such a way as to evade filtering.  If you want to filter this message 
based on URI only, you would be blocking Yahoo calendar invites.



What does the spammer want?


It looks like a work from home scam.

Regards,
-sm 



Re: Spamassassin per user blacklisting is not working

2008-02-28 Thread devi_sreem

I am running spamd. When a mail is being sent to mail account
[EMAIL PROTECTED] it is automatically taking the user qscand, as you
know it the user is of qmail scanner.

 

I am running spamd with -u spamd 

 

/usr/bin/spamd -q -x -u spamd -H /home/spamd -d -D


Sincerely,
Sreedevi.
-- 
View this message in context: 
http://www.nabble.com/Spamassassin-per-user-blacklisting-is-not-working-tp15752610p15752830.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Good rules for SA

2008-02-28 Thread Shahzad Abid

Dear List

How to determine good rules for SA, I am using following rules.


70_sare_adult.cf 70_sare_html2.cf   
70_sare_uri.cf FuzzyOcr.old
70_sare_bayes_poison_nxm.cf  70_sare_html3.cf   
70_sare_uri_eng.cf FuzzyOcr.pm
70_sare_evilnum0.cf  70_sare_html4.cf   
70_sare_uri_x31.cf FuzzyOcr.preps
70_sare_evilnum0.cf.sig  70_sare_html.cf
70_sare_whitelist.cf   FuzzyOcr.scansets
70_sare_evilnum1.cf  70_sare_html_eng.cf
70_sare_whitelist_pre30.cf FuzzyOcr.words
70_sare_evilnum2.cf  70_sare_html_x30.cf
70_sare_whitelist_rcvd.cf  init.pre
70_sare_genlsubj0.cf 70_sare_obfu0.cf   
70_sare_whitelist_spf.cf   INSTALL
70_sare_genlsubj1.cf 70_sare_obfu1.cf   
71_sare_redirect_pre3.0.0.cf   local.cf
70_sare_genlsubj2.cf 70_sare_obfu2.cf   
72_sare_redirect_post3.0.0.cf  Logging.pm
70_sare_genlsubj3.cf 70_sare_obfu3.cf   
88_FVGT_Bayes_Poison.cfmangled.cf
70_sare_genlsubj4.cf 70_sare_obfu4.cf   
88_FVGT_body.cfRelayChecker.cf
70_sare_genlsubj.cf  70_sare_obfu.cf
88_FVGT_headers.cf RelayChecker.pm
70_sare_genlsubj_eng.cf  70_sare_obfu_x31.cf
88_FVGT_rawbody.cf RelayChecker.tar
70_sare_genlsubj_x30.cf  70_sare_oem.cf 
88_FVGT_subject.cf RelayChecker.txt
70_sare_header0.cf   70_sare_random.cf  
88_FVGT_Tripwire.cfRulesDuJour
70_sare_header2.cf   70_sare_ratware.cf 
88_FVGT_uri.cf sa-update-keys
70_sare_header3.cf   70_sare_specific.cf
backhair.cfspamassassin-default.rc
70_sare_header4.cf   70_sare_specific_rolex.cf  
Botnet-0.6.tar spamassassin-helper.sh
70_sare_header.cf70_sare_spoof.cf   
Botnet.cf  spamassassin-spamc.rc
70_sare_header_eng.cf70_sare_stocks.cf  
Botnet.pm  tripwire.cf
70_sare_header_x264_x30.cf   70_sare_unsub.cf   
Botnet.txt v310.pre
70_sare_header_x30.cf70_sare_uri0.cf
chickenpox.cf  v312.pre
70_sare_header_x31.cf70_sare_uri1.cf
COPYINGv320.pre
70_sare_highrisk.cf  70_sare_uri2.cf
FuzzyOcr   weeds_2.cf
70_sare_html0.cf 70_sare_uri3.cf
fuzzyocr-3.5.1-devel.tar.gzweeds.cf

70_sare_html1.cf 70_sare_uri4.cfFuzzyOcr.cf
=

Please identify  which rules are bad?


--

Regards,


Shahzad Abid




Re: Good rules for SA

2008-02-28 Thread Daryl C. W. O'Shea
On 29/02/2008 1:28 AM, Shahzad Abid wrote:
 Dear List
 
 How to determine good rules for SA, I am using following rules.

Well, I think you just answered your question about why your
installation of SA is running slow. :)

You need to review the descriptions of the rulesets to see if they're
even intended for (or beneficial to) your version of SA.

See: http://www.rulesemporium.com/rules.htm

Daryl

 
 70_sare_adult.cf 70_sare_html2.cf  
 70_sare_uri.cf FuzzyOcr.old
 70_sare_bayes_poison_nxm.cf  70_sare_html3.cf  
 70_sare_uri_eng.cf FuzzyOcr.pm
 70_sare_evilnum0.cf  70_sare_html4.cf  
 70_sare_uri_x31.cf FuzzyOcr.preps
 70_sare_evilnum0.cf.sig  70_sare_html.cf   
 70_sare_whitelist.cf   FuzzyOcr.scansets
 70_sare_evilnum1.cf  70_sare_html_eng.cf   
 70_sare_whitelist_pre30.cf FuzzyOcr.words
 70_sare_evilnum2.cf  70_sare_html_x30.cf   
 70_sare_whitelist_rcvd.cf  init.pre
 70_sare_genlsubj0.cf 70_sare_obfu0.cf  
 70_sare_whitelist_spf.cf   INSTALL
 70_sare_genlsubj1.cf 70_sare_obfu1.cf  
 71_sare_redirect_pre3.0.0.cf   local.cf
 70_sare_genlsubj2.cf 70_sare_obfu2.cf  
 72_sare_redirect_post3.0.0.cf  Logging.pm
 70_sare_genlsubj3.cf 70_sare_obfu3.cf  
 88_FVGT_Bayes_Poison.cfmangled.cf
 70_sare_genlsubj4.cf 70_sare_obfu4.cf  
 88_FVGT_body.cfRelayChecker.cf
 70_sare_genlsubj.cf  70_sare_obfu.cf   
 88_FVGT_headers.cf RelayChecker.pm
 70_sare_genlsubj_eng.cf  70_sare_obfu_x31.cf   
 88_FVGT_rawbody.cf RelayChecker.tar
 70_sare_genlsubj_x30.cf  70_sare_oem.cf
 88_FVGT_subject.cf RelayChecker.txt
 70_sare_header0.cf   70_sare_random.cf 
 88_FVGT_Tripwire.cfRulesDuJour
 70_sare_header2.cf   70_sare_ratware.cf
 88_FVGT_uri.cf sa-update-keys
 70_sare_header3.cf   70_sare_specific.cf   
 backhair.cfspamassassin-default.rc
 70_sare_header4.cf   70_sare_specific_rolex.cf 
 Botnet-0.6.tar spamassassin-helper.sh
 70_sare_header.cf70_sare_spoof.cf  
 Botnet.cf  spamassassin-spamc.rc
 70_sare_header_eng.cf70_sare_stocks.cf 
 Botnet.pm  tripwire.cf
 70_sare_header_x264_x30.cf   70_sare_unsub.cf  
 Botnet.txt v310.pre
 70_sare_header_x30.cf70_sare_uri0.cf   
 chickenpox.cf  v312.pre
 70_sare_header_x31.cf70_sare_uri1.cf   
 COPYINGv320.pre
 70_sare_highrisk.cf  70_sare_uri2.cf   
 FuzzyOcr   weeds_2.cf
 70_sare_html0.cf 70_sare_uri3.cf   
 fuzzyocr-3.5.1-devel.tar.gzweeds.cf
 70_sare_html1.cf 70_sare_uri4.cfFuzzyOcr.cf
 =
 
 Please identify  which rules are bad?
 
 




Re: Spamassassin per user blacklisting is not working

2008-02-28 Thread Daryl C. W. O'Shea
On 29/02/2008 1:18 AM, devi_sreem wrote:
 I am running spamd. When a mail is being sent to mail account
 [EMAIL PROTECTED] it is automatically taking the user qscand, as you
 know it the user is of qmail scanner.

Oh yeah, qmail scanner.  Sorry, I won't touch that -- I'm not sure if
it'll do per-user prefs or not.  You may want to look for help on the
qmail-scanner-general list or wait a few hours for someone here to help
(or point you at that list).

Daryl



spamassassin: not scanning mails on port 783

2008-02-28 Thread Agnello George
HI
I had installed my Spamassassin on a linux box ( cent os ) to scan mails
from a windows SmarterMail server and so far it was working well, but
suddenly it started giving the following error:

Fri Feb 29 00:12:49 2008 [27218] info: spamd: handled cleanup of child pid
19811 due to SIGCHLD
Fri Feb 29 00:19:18 2008 [27218] warn: prefork: retrying syswrite():
Resource temporarily unavailable at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/SpamdForkScaling.pm line
729.
Fri Feb 29 00:19:18 2008 [27218] warn: prefork: syswrite(16) to 15822 failed
on try 2 at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/SpamdForkScaling.pm line
697.
Fri Feb 29 00:19:19 2008 [27218] warn: prefork: retrying syswrite():
Resource temporarily unavailable at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/SpamdForkScaling.pm line
729.
Fri Feb 29 00:19:19 2008 [27218] warn: prefork: syswrite(16) to 15822 failed
on try 3 at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/SpamdForkScaling.pm line
697.

i then killed the spamd daemon and restarted spamd with the following
command

 /usr/bin/spamd -d -u spamassassin -c -i -A 216.185. -H --max-children=7
--max-conn-per-child=128 -s /var/log/spamd.log
--virtual-config-dir=/vhome/%u/spamassassin -r
/var/run/spamassassin/spamd.pid -r /var/run/spamassassin/spamd.pid

( following are my logs )

Fri Feb 29 00:28:21 2008 [20110] info: prefork: child states: II
Fri Feb 29 00:28:53 2008 [20110] info: spamd: server killed by SIGTERM,
shutting down
Fri Feb 29 00:28:54 2008 [20180] info: logger: removing stderr method
Fri Feb 29 00:28:57 2008 [20182] info: spamd: server started on port 783/tcp
(running version 3.2.4)
Fri Feb 29 00:28:57 2008 [20182] info: spamd: server pid: 20182
Fri Feb 29 00:28:57 2008 [20182] info: spamd: server successfully spawned
child process, pid 20187
Fri Feb 29 00:28:57 2008 [20182] info: spamd: server successfully spawned
child process, pid 20188
Fri Feb 29 00:28:57 2008 [20182] info: prefork: child states: IS
Fri Feb 29 00:28:57 2008 [20182] info: prefork: child states: II

But now the mails are not being scanned , any idea why is this happening  ?

thanks a lot !!

-- 
Regards
Agnello Dsouza
www.linux-vashi.blogspot.com
www.bible-study-india.blogspot.com


RE: SA gets slow.

2008-02-28 Thread Robert - elists
 
 Dear List
 
 I am running qmail + SA + Clamav on FC 5, my problem is whenever
 concurrent smtp connections cross 30+ SA gets slow and takes too much
 time to process mails through qmailscanner
 
 qmail-queue.log
 ===
 Fri, 29 Feb 2008 09:51:50 PKT:8005: +++ starting debugging for process
 8005 (ppid=8002) by uid=508
 Fri, 29 Feb 2008 10:11:50 PKT:8005: w_c: elapsed time from start
 1199.846234 secs
 Fri, 29 Feb 2008 10:11:50 PKT:8005: g_e_h: no sender and no recips, from
 via SMTP from 202.76.109.59. Dropping.
 Fri, 29 Feb 2008 10:11:50 PKT:8005: -- Process 8005 finished. Total
 of 1199.88143 secs
 =
 
 To remove this problem I kill all qmail-smtp processes. I need its
 permanent solution.
 
 Shahzad Abid
 

Shahzad

Get a bigger server(s)?

;-

No, seriously, block the bad emails with a greet delay, validrcptto,
rblsmtpd and other tools before you hand off to SA

 - rh



Re: Good rules for SA

2008-02-28 Thread Daryl C. W. O'Shea
On 29/02/2008 2:07 AM, Shahzad Abid wrote:

 Dear Daryl
 
 What rule sets you are using?

The ones that come with SpamAssassin and the updates.spamassassin.org
update channel.

Daryl