Enable emails sent from localhost
I've noticed just today that PHP has not been sending any mail at all anymore if spamassassin is enabled. (I'm running it on Ubuntu Hardy, through citadel, but everything is working fine there). I had a look at /var/log/mail.log and it appears to be blocking the emails, marking them as spam.

Is there a way I can tell spamassassin to stop blocking from localhost? I know that mail sent from localhost is ok, because I created the PHP scripts myself. I want to create a rule that says everything sent from localhost is ok, don't bother checking these. I've temporarily had to disable spamassassin until I can get this resolved.

Any help would be much appreciated.
Re: Enable emails sent from localhost
On Friday 13 June 2008 12:00:18 Rob van der Linde wrote:
> I know that mail sent from localhost is ok, because I created the PHP scripts myself.

Well... no. If SA says they're not ok, then they're not ok. You can fix your MTA to not pass outgoing mails to SA, but neither can you fix SA, nor can you fix other people's SA.

-- best regards Arvid Ephraim Picciani
Re: Enable emails sent from localhost
On Friday 13 June 2008 12:39:39 you wrote:
> can't you tell spamassassin to only check incoming mails, not outgoing mails?

SA doesn't have outgoing and incoming. That's your MTA. Besides, SA does already HAVE a rule for mails sent from yourself. ALL_TRUSTED should trigger on those mails. That doesn't completely eliminate spam checking of course, so if your mail gets scored very high, it is still flagged as spam.

-- best regards Arvid Ephraim Picciani
Re: not scanning
On 12.06.08 23:15, nitin joshi wrote:
> I am using spamassassin as a spam filtering tool with sendmail. Spamassassin is filtering at MDA level with procmail. No other filtering or scanning tool attached with sendmail or at any other level.

maybe the header comes from sender or some intermediate relay. SA does not use such header...

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Save the whales. Collect the whole set.
Re: HELP!! spamassasssin killing my server
On 12.06.08 18:51, Matthias Leisi wrote:
> On the company mailserver, we take a very conservative approach, and only Spamhaus SBL+XBL are used at the MTA level.

you should switch to ZEN in such case, SBL+XBL is obsolete now.

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. They say when you play that M$ CD backward you can hear satanic messages. That's nothing. If you play it forward it will install Windows.
Re: trusted_networks
On 12.06.08 10:25, John Hardin wrote:
> On Thu, 12 Jun 2008, Matus UHLAR - fantomas wrote:
>> You may put other servers, not under your control, to trusted_networks, if you trust them not to originate spam.
>
> Matus, I believe that assertion is incorrect...

Yes, it is. I was searching for best wording and it appeared already trusted means does not forge headers when talking about trusted_networks option.

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. On the other hand, you have different fingers.
Re: trusted_networks
On Thursday 12 June 2008 2:16 am, Matus UHLAR - fantomas wrote:
>> you should put at least your MX backups into trusted_networks AND internal_networks, if there are any. You may put other servers, not under your control, to trusted_networks, if you trust them not to originate spam.
>>
>> trusted_networks and internal_networks are used to define borders for checking SPF, blacklists and other network stuff. For example, most blacklists are checked on last external relay which means your mailserver or MX backup

On 12.06.08 18:00, Chris wrote:
> Hmm, I'm on DSL, so, should I place my IP in trusted_networks? If so, how would I go about that since being a dynamic IP it changes every so often. For instance, I did have this trusted_networks 192.168/16 71.48.160.0/20, however, looking at the received line of the post I initially made, my IP is now 71.51.96.186. The received line also shows this:
>
> Received: from [71.51.96.186] ([71.51.96.186:27915] helo=[192.168.2.2]) by mailrelay.embarq.synacor.com (envelope-from [EMAIL PROTECTED])

Do you relay incoming mail to yourself through your external IP? Why?

> Should I put the IP for mailrelay.embarq.synacor.com on the trusted_networks line? That comes out to be 208.47.184.3. I also had this as internal_networks internal_networks 71.48.160.0/20, is that correct?

I would be careful about that and not to trust whole ISP's dynamic IP range. (Yes, as an ISP I have to do that until we enforce SMTP authentication from dynamic ranges).

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I just got lost in thought. It was unfamiliar territory.
Re: Spam getting scored but not tagged -- redux
For what it's worth, this appears to be happening on _every_ message that comes through. In other words, no spam at all is getting tagged, and we're running on RBLs, etc., alone. So I'd appreciate any and all suggestions. :)

Thanks.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 12 Jun 2008, Chris St. Pierre wrote:
> About a year ago, I started this thread: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200708.mbox/[EMAIL PROTECTED]
>
> I kind of forgot about the issue, but it's cropping up again; we're now on 3.2.4, and still having the problem. New logs:
>
> Jun 12 08:04:02 vostok spamd[1299]: spamd: setuid to spamd succeeded
> Jun 12 08:04:02 vostok spamd[1299]: spamd: processing message [EMAIL PROTECTED] for spamd:402
> Jun 12 08:04:04 vostok spamd[18567]: spamd: identified spam (16.0/5.0) for spamd:402 in 1.7 seconds, 1982 bytes.
> Jun 12 08:04:06 vostok spamd[18567]: spamd: result: Y 16 - AWL,BAYES_99,EMPTY_MESSAGE,HTML_IMAGE_ONLY_12,HTML_IMAGE_RATIO_06,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_SHORT_LINK_IMG_2,MIME_HTML_ONLY,NWU_RCVD_INVALID_PTR2,RCVD_IN_NJABL_SPAM,RDNS_NONE,URIBL_RHS_DOB scantime=1.7,size=1982,user=spamd,uid=402,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=35145,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=no
> Jun 12 08:04:06 vostok spamd[18567]: spamd: accidental fork: 18567 != 1299 at /usr/bin/spamd line 1645.
> Jun 12 08:04:08 vostok spamd[1299]: spamd: identified spam (16.2/5.0) for spamd:402 in 5.3 seconds, 1982 bytes.
> Jun 12 08:04:08 vostok spamd[1299]: spamd: result: Y 16 - AWL,BAYES_99,EMPTY_MESSAGE,HTML_IMAGE_ONLY_12,HTML_IMAGE_RATIO_06,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_SHORT_LINK_IMG_2,MIME_HTML_ONLY,NWU_RCVD_INVALID_PTR2,RCVD_IN_NJABL_SPAM,RDNS_NONE,URIBL_RHS_DOB scantime=5.3,size=1982,user=spamd,uid=402,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=35145,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=no
> Jun 12 08:04:08 vostok spamd[1299]: spamd: connection from localhost.localdomain [127.0.0.1] at port 35155
> Jun 12 08:04:08 vostok spamd[1299]: spamd: setuid to spamd succeeded
> Jun 12 08:04:08 vostok spamd[1299]: spamd: processing message [EMAIL PROTECTED] for spamd:402
>
> Any other ideas? Thanks!
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
Re: Spam getting scored but not tagged -- redux
On 12.06.08 16:22, Chris St. Pierre wrote:
> About a year ago, I started this thread: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200708.mbox/[EMAIL PROTECTED]
>
> I kind of forgot about the issue, but it's cropping up again; we're now on 3.2.4, and still having the problem. New logs:

How do you use spamassassin, from procmail/maildrop? milter?

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 42.7 percent of all statistics are made up on the spot.
Re: Spam getting scored but not tagged -- redux
On Fri, 13 Jun 2008, Matus UHLAR - fantomas wrote:
> How do you use spamassassin, from procmail/maildrop? milter?

I call it from Postfix thusly:

-- main.cf: --
smtpd_recipient_restrictions = ...
    check_recipient_access hash:/etc/postfix/spamassassin

-- /etc/postfix/spamassassin: --
# only filter email *to* our domain, not from it
nebrwesleyan.edu    FILTER spamassassin:

-- master.cf --
spamassassin unix - n n - - pipe
    user=spamd argv=/usr/bin/spamc -u spamd -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
Re: sa-update failed, dns: query failed: 3.2.3.updates.spamassassin.org = no nameservers
I thought so, too. But

---8---
; <<>> DiG 9.3.4 <<>> 3.2.3.updates.spamassassin.org ANY
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8343
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;3.2.3.updates.spamassassin.org. IN ANY

;; ANSWER SECTION:
3.2.3.updates.spamassassin.org. 3553 IN TXT 667074

;; AUTHORITY SECTION:
spamassassin.org. 3553 IN NS a.auth-ns.sonic.net.
spamassassin.org. 3553 IN NS b.auth-ns.sonic.net.
spamassassin.org. 3553 IN NS c.auth-ns.sonic.net.
spamassassin.org. 3553 IN NS ns.hyperreal.org.
spamassassin.org. 3553 IN NS ns1.kluge.net.

;; ADDITIONAL SECTION:
a.auth-ns.sonic.net. 103038 IN A 209.204.159.20
b.auth-ns.sonic.net. 103038 IN A 64.142.88.72
c.auth-ns.sonic.net. 103038 IN A 69.9.186.104
ns.hyperreal.org. 59617 IN A 209.237.226.90
ns1.kluge.net. 172111 IN A 67.91.233.27

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 13 16:35:00 2008
;; MSG SIZE rcvd: 263
---8---

dig definitely works.

cat /etc/resolv.conf
---8---
search site
#nameserver 10.10.1.32
nameserver localhost
---8---

It is my own nameserver. very perplex.

Chris

On Thu, Jun 12, 2008 at 12:01:55PM -0400, Theo Van Dinter wrote:
> My guess is that your assertion that DNS is working is false. :) What does dig 3.2.3.updates.spamassassin.org ANY return for you? Ought to be a TXT record and then numerous NS records for spamassassin.org.
>
> Perhaps your resolv.conf has multiple nameservers and the first one is having issues? Are you using someone else's DNS server which may be manipulating the results? Are you going through a firewall or DNS proxy which may not allow or mishandles certain requests? Have you run tcpdump/etc and watched the traffic to see what's going on?
>
> On Thu, Jun 12, 2008 at 08:25:06AM +0200, Vinogratzky wrote:
>> Nobody has a hint?
>>
>> Chris
>>
>> On Mon, Jun 02, 2008 at 04:56:25 +0200, Vinogratzky wrote:
>>> Hi, I have an installation of spamassassin with postfix and amavis. sa-update brings up an error:
>>>
>>> dns: query failed: 3.2.3.updates.spamassassin.org = no nameservers
>>>
>>> which is strange. DNS is working. Here is the -D output:
>>> ---8---
>>> [3496] dbg: logger: adding facilities: all
>>> [3496] dbg: logger: logging level is DBG
>>> [3496] dbg: generic: SpamAssassin version 3.2.3
>>> [3496] dbg: config: score set 0 chosen.
>>> [3496] dbg: dns: no ipv6
>>> [3496] dbg: dns: is Net::DNS::Resolver available? yes
>>> [3496] dbg: dns: Net::DNS version: 0.59
>>> [3496] dbg: generic: sa-update version svn540384
>>> [3496] dbg: generic: using update directory: /var/lib/spamassassin/3.002003
>>> [3496] dbg: diag: perl platform: 5.008008 linux
>>> [3496] dbg: diag: module installed: Digest::SHA1, version 2.11
>>> [3496] dbg: diag: module installed: HTML::Parser, version 3.55
>>> [3496] dbg: diag: module installed: Net::DNS, version 0.59
>>> [3496] dbg: diag: module installed: MIME::Base64, version 3.07
>>> [3496] dbg: diag: module installed: DB_File, version 1.814
>>> [3496] dbg: diag: module installed: Net::SMTP, version 2.29
>>> [3496] dbg: diag: module not installed: Mail::SPF ('require' failed)
>>> [3496] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
>>> [3496] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
>>> [3496] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
>>> [3496] dbg: diag: module not installed: Net::Ident ('require' failed)
>>> [3496] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
>>> [3496] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
>>> [3496] dbg: diag: module installed: Compress::Zlib, version 1.42
>>> [3496] dbg: diag: module installed: Time::HiRes, version 1.86
>>> [3496] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)
>>> [3496] dbg: diag: module not installed: Mail::DKIM ('require' failed)
>>> [3496] dbg: diag: module not installed: DBI ('require' failed)
>>> [3496] dbg: diag: module installed: Getopt::Long, version 2.35
>>> [3496] dbg: diag: module installed: LWP::UserAgent, version 2.033
>>> [3496] dbg: diag: module installed: HTTP::Date, version 1.47
>>> [3496] dbg: diag: module installed: Archive::Tar, version 1.30
>>> [3496] dbg: diag: module installed: IO::Zlib, version 1.04
>>> [3496] dbg: diag: module not installed: Encode::Detect ('require' failed)
>>> [3496] dbg: gpg: Searching for 'gpg'
>>> [3496] dbg: util: current PATH is: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/bin:/root/bin
>>> [3496] dbg: util: executable for gpg was found at /usr/bin/gpg
>>> [3496] dbg: gpg: found /usr/bin/gpg
>>> [3496] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
Re: sa-update failed, dns: query failed: 3.2.3.updates.spamassassin.org = no nameservers
I suspect Net::DNS cannot parse "nameserver localhost". Try "nameserver 127.0.0.1" instead,

--j.
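A check for the condition suspected in the reply above, as an added Python example that is not part of the thread or of SpamAssassin: it flags `nameserver` values that are not IP literals. resolv.conf(5) documents the local host as the default when no nameserver entry is present and a limit of three entries, which is consistent with dig reporting `SERVER: 127.0.0.1` while a stricter library finds no nameservers. The function name and the sample strings are assumptions built from the resolv.conf quoted in the thread.

```python
import ipaddress

MAXNS = 3  # resolv.conf(5): at most three nameserver entries are used


def audit_resolv_conf(text):
    """Classify nameserver lines the way a strict parser would.

    Returns a dict with:
      valid    - nameserver values that are IP literals (first MAXNS only)
      invalid  - (line number, value) pairs that are not IP literals
      ignored  - valid entries beyond MAXNS
      fallback - True when no usable entry is left, so a libc-style
                 resolver falls back to the local host while a stricter
                 library may report that it has no nameservers
    """
    valid, invalid = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] != "nameserver":
            continue
        if len(fields) < 2:
            invalid.append((lineno, ""))
            continue
        try:
            valid.append(str(ipaddress.ip_address(fields[1])))
        except ValueError:                   # hostname instead of an address
            invalid.append((lineno, fields[1]))
    return {
        "valid": valid[:MAXNS],
        "invalid": invalid,
        "ignored": valid[MAXNS:],
        "fallback": not valid,
    }


# Constructed from the file shown in the thread.
AS_POSTED = "search site\n#nameserver 10.10.1.32\nnameserver localhost\n"
# The suggested correction.
FIXED = "search site\n#nameserver 10.10.1.32\nnameserver 127.0.0.1\n"
# Constructed: one entry more than the resolver will use.
TOO_MANY = "".join("nameserver 192.0.2.%d\n" % n for n in range(1, 5))

if __name__ == "__main__":
    for name, sample in (("as posted", AS_POSTED), ("fixed", FIXED), ("too many", TOO_MANY)):
        print(name, audit_resolv_conf(sample))
```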
problem with spam report--could it be a bug?
I was told by Kintera, our email service, to email this address regarding a problem I'm having with my spam score report. A report is generated with each test email we send to ourselves via Kintera. The report lists things that may trigger high spam scores. I was given the report below for an email newsletter I send every month (I've never had a problem before) and have an unusually high score because, presumably, of the word Rolex. That word does not appear anywhere in the coding of my message. I've even removed all instances of the word role and watch but nothing changes the score. Am I misinterpreting the report or could there be a bug in the spamassassin software that is generating incorrect results?

Thank you for any guidance you can provide.

Sincerely,
Amy Marcott

The report below identifies areas of your eMail that might trigger spam blocking software for your recipients by simulating the process typically used by most ISPs. If an ISP identifies this mail as spam, it could cause your recipient not to receive your mailing. As a guideline, a score of 2.2 or lower should be received successfully in most cases (Yahoo typically blocks items with a score of 2.3 or higher, and Hotmail will block scores of 2.4 or higher.) For the highest success rate, a score of 2.0 or lower is recommended.

*NOTE: The scores above do not reflect any guarantee of mail delivery or acceptance by email providers. They are provided only as general guidelines. Information on current spam scores is available on ISP websites or for more information on SpamAssassin visit: http://www.spamassassin.org/

Score Summary
Your spam score is: 4.5 points

Score Details:
 pts  rule name       description
----  --------------  --------------------------------------------------
-1.4  ALL_TRUSTED     Passed through trusted hosts only via SMTP
 3.1  FRT_ROLEX       BODY: ReplaceTags: Rolex
 1.2  US_DOLLARS_3    BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
 0.0  HTML_MESSAGE    BODY: HTML included in message
 1.7  MIME_HTML_ONLY  BODY: Message only has text/html MIME parts

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

Amy Marcott
Web Writer/Editor
MIT Alumni Association
201 Vassar Street Building W59-200
Cambridge, MA 02139-4307
617.324.0106
[EMAIL PROTECTED]
http://alum.mit.edu/
Re: problem with spam report--could it be a bug?
> I was told by Kintera, our email service, to email this address regarding a problem I'm having with my spam score report. A report is generated with each test email we send to ourselves via Kintera. The report lists things that may trigger high spam scores. I was given the report below for an email newsletter I send every month (I've never had a problem before) and have an unusually high score because, presumably, of the word Rolex. That word does not appear anywhere in the coding of my message. I've even removed all instances of the word role and watch but nothing changes the score. Am I misinterpreting the report or could there be a bug in the spamassassin software that is generating incorrect results?

Your test message seems to be html, so you should be looking at the raw html with a text editor (such as emacs), rather than in some html renderer or editor. It's possible that the offending word rolex is somehow in the html source but not rendered.

It is also possible that there is a bug in the SA rule and that it's falsing. The rule is FRT_ROLEX, which is defined as:

##{ FRT_ROLEX
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_ROLEX /inter SP2post P2\b(?!rolex)ROLEX/i
describe FRT_ROLEX ReplaceTags: Rolex
endif
##} FRT_ROLEX

So it may be detecting a set of html tags which looks like an attempt to spell out rolex. See

http://wiki.apache.org/spamassassin/ReplaceTags
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_ReplaceTags.html

> Your spam score is: 4.5 points
> -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP
> 3.1 FRT_ROLEX BODY: ReplaceTags: Rolex
> 1.2 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 1.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

The ALL_TRUSTED rule is firing for kintera's test, but that means that the message was only handled by trustworthy senders. So it will likely not fire when the mail arrives, and thus your score is higher than you think.

The mail is probably only in html, rather than being multipart/alternative with the same content in plain text. Fixing that problem would help. (I used to get some newsletters from MIT Alumni Association, but unsubscribed because they were html only.)

Without you posting the draft mail, or somehow making it available, I do not expect that anyone will be able to help you beyond advice like the above. In your case (being at MIT) I would recommend that you call SIPB and ask for help.
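How a rule of the shape quoted above behaves on message text, as an added Python example that is neither SpamAssassin's code nor the real FRT_ROLEX definition. Only the `\b(?!rolex)` prefix is taken from the quoted rule; the per-letter classes and the filler between letters are constructed stand-ins for the ReplaceTags definitions, which are not on this page. It shows that the plain word never matches, so a hit has to come from an altered spelling or from letters that run across neighbouring words.

```python
import re

# Constructed stand-ins for ReplaceTags letter definitions (assumption:
# the real replace_tag values ship with SpamAssassin's rule files).
TAGS = {"R": "r", "O": "[o0]", "L": "[l1|]", "E": "[e3]", "X": "x"}
# Constructed stand-in for the filler the rule allows between letters.
FILLER = r"[\s._*-]{0,2}"


def build_rule(word, literal):
    """Compile: word boundary, 'not the literal spelling', then one
    character class per letter with optional filler in between."""
    body = FILLER.join(TAGS[ch] for ch in word)
    return re.compile(r"\b(?!" + re.escape(literal) + ")" + body, re.IGNORECASE)


ROLEX_LIKE = build_rule("ROLEX", "rolex")


def find_hits(text, rule=ROLEX_LIKE, context=15):
    """Return (offset, matched text, surrounding text) for every hit, so the
    offending span can be located in the rendered body of a message."""
    hits = []
    for m in rule.finditer(text):
        lo = max(0, m.start() - context)
        hi = min(len(text), m.end() + context)
        hits.append((m.start(), m.group(0), text[lo:hi]))
    return hits


# Constructed sample bodies (rendered text, after HTML has been stripped).
SAMPLES = [
    "Genuine Rolex watches",      # plain spelling: excluded by (?!rolex)
    "Genuine R0LEX watches",      # digit substituted for a letter
    "Genuine r.o.l.e.x watches",  # filler between letters
    "the role x-rays play",       # letters running across two words
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(repr(body), "->", find_hits(body))
```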
Re: problem with spam report--could it be a bug?
On 12.06.08 13:45, Amy Marcott wrote:
> I was told by Kintera, our email service, to email this address regarding a problem I'm having with my spam score report. A report is generated with each test email we send to ourselves via Kintera. The report lists things that may trigger high spam scores. I was given the report below for an email newsletter I send every month (I've never had a problem before) and have an unusually high score because, presumably, of the word Rolex. That word does not appear anywhere in the coding of my message. I've even removed all instances of the word role and watch but nothing changes the score. Am I misinterpreting the report or could there be a bug in the spamassassin software that is generating incorrect results?

could you please upload the raw message somewhere?

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I feel like I'm diagonally parked in a parallel universe.
Re: Spam getting scored but not tagged -- redux
In v310.pre, we had this:

loadplugin Mail::SpamAssassin::Plugin::Pyzor

...amongst many other loadplugin lines. Through trial-and-error, I've determined that commenting out the Pyzor line (along with the pyzor config lines in local.cf) solves the problem.

Unfortunately, I really _liked_ Pyzor, and would like to be able to run it. Thoughts?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Fri, 13 Jun 2008, Chris St. Pierre wrote:
> On Fri, 13 Jun 2008, Matus UHLAR - fantomas wrote:
>> How do you use spamassassin, from procmail/maildrop? milter?
>
> I call it from Postfix thusly:
>
> -- main.cf: --
> smtpd_recipient_restrictions = ...
>     check_recipient_access hash:/etc/postfix/spamassassin
>
> -- /etc/postfix/spamassassin: --
> # only filter email *to* our domain, not from it
> nebrwesleyan.edu    FILTER spamassassin:
>
> -- master.cf --
> spamassassin unix - n n - - pipe
>     user=spamd argv=/usr/bin/spamc -u spamd -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
Re: HELP!! spamassasssin killing my server
Matus UHLAR - fantomas wrote:
> On 12.06.08 18:51, Matthias Leisi wrote:
>> On the company mailserver, we take a very conservative approach, and only Spamhaus SBL+XBL are used at the MTA level.
>
> you should switch to ZEN in such case, SBL+XBL is obsolete now.

We use a local feed, so querying SBL and XBL separately is not an issue. For some obscure non-technical reason, we can currently not switch to anything else (nor do we really need to, since queries only run local).

-- Matthias
Re: trusted_networks
> Hmm, I'm on DSL, so, should I place my IP in trusted_networks?

No. Your IP address does not relay mail to you.

> For instance, I did have this trusted_networks 192.168/16 71.48.160.0/20, however, looking at the received line of the post I initially made, my IP is now 71.51.96.186.

trusted_networks is assumed to have *mail servers* relaying mail to you. Not each and every client machine in your ISP's address space. Not yours, nor your neighbors.

> The received line also shows this:
>
> Received: from [71.51.96.186] ([71.51.96.186:27915] helo=[192.168.2.2]) by mailrelay.embarq.synacor.com (envelope-from [EMAIL PROTECTED])
>
> Should I put the IP for mailrelay.embarq.synacor.com on the trusted_networks line? That comes out to be 208.47.184.3. I also had this as internal_networks internal_networks 71.48.160.0/20, is that correct?

Yes, if that mailrelay.embarq.synacor.com is your ISP's mx receiving mail sent to you. I did

$ host -t mx embarqmail.com

and it said

embarqmail.com mail is handled by 10 smtp.embarq.synacor.com.

$ host mailrelay.embarq.synacor.com
mailrelay.embarq.synacor.com has address 208.47.184.3

$ host smtp.embarq.synacor.com
smtp.embarq.synacor.com has address 208.47.184.2

I don't understand what is this mailrelay, it might be the sending server, but that mx host smtp at least should be trusted. Better to put those both to your trusted_networks, I guess.
Re: problem with spam report--could it be a bug?
Hi Amy,

At 10:45 12-06-2008, Amy Marcott wrote:
> I was told by Kintera, our email service, to email this address regarding a problem I'm having with my spam score report. A report

Usually, it's up to your email service provider to deal with such questions.

http://spamassassin.apache.org/users.html

> is generated with each test email we send to ourselves via Kintera. The report lists things that may trigger high spam scores. I was given the report below for an email newsletter I send every month (I've never had a problem before) and have an unusually high score because, presumably, of the word Rolex. That word does not appear anywhere in the coding of my message. I've even removed all instances of the word role and watch but nothing changes the score. Am I misinterpreting the report or could there be a bug in the spamassassin software that is generating incorrect results?

If you are not an end-user, post a link to the message including full headers and the spam score report. If it was a bug in the SpamAssassin software, it can be fixed. That doesn't mean that it will solve your problem unless your email service provider and the receiving ends update their software to include the bug fix.

Regards,
-sm
spamassassin horribly low scores?
I put SA on my server and have had it running for a while now (couple months). I have been training it with ham and spam this whole time and am probably up to a couple hundred messages of ham and a couple thousand messages of spam.

What I am seeing is a TON of email that is obvious spam (to me) get scored and fail several checks, but the scores are so insanely low that it still gets through. One message in particular might fail 4 or 5 spam checks, but each only adds .1 or .2 to the score for a total of .8 or something. Each of these checks are obvious spam to me, like enhancement and drugs and the like. I've been adjusting the scores to straight up 10 for the checks as I see them, but so far I'm up to 20 or so checks that I've modified and I just see this to be a never ending battle.

What would be GREAT is a global switch for things like AM_DOCTOR, and MEDS_OK. By setting those two things to no, then if the system would bump up every single check that relates to medicine or medical things to like a 4.0 score then that would solve 99% of my issues.

Why do these checks carry such low scores? I mean I understand being cautious, but for an erectile fail to score .2??? On what planet does that make sense? The system would have to fail on 20 levels as well as having a very low total threshold to cause issues with that low of a score.
Re: can we make AWL ignore mail from self to self?
>> You've presented good logic for accepting mail from self to self. But you haven't explained why using the AWL for mail from self to self is better than not having it.

On Jun 2, 2008, at 4:02 AM, Jonas Eckerman wrote:
> Because it can help discriminate between spam and ham addressed from self to self.
>
> Here's an example:
>
> StupidWebService send self-self addressed ham from relay 1.2.3.4
>
> EvilSpammer send self-self addressed spam from relay 5.6.7.8 (which, unfortunately, belongs to a big ISP so the relay doesn't get blocked).
>
> One day StupidWebService send a ham that triggered a bunch of positive hits (including BAYES_99). Since mail from [EMAIL PROTECTED] has a negative score in the AWL, the mail gets through all right.
>
> One day EvilSpammer manages to send a mail that doesn't hit any positive rules, but does hit BAYES_00. Since [EMAIL PROTECTED] has a high positive score in the AWL, the mail still gets flagged as spam.
>
> If the AWL ignore mail from self-self, the two mails in the above example would have been misclassified.

Indeed. I submit you are right.

FYI: I still haven't had another misclassification since the first, so I'm beginning to think that this was a lark.

-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: MailChannles SPAMMING List Members?
On 12-Jun-08, at 9:41 PM, mouss wrote:
> if it really came from them, it's probably an isolated/unsupported initiative from a marketer gone crazy. report the problem to their abuse team (or anyone in their tech team).
>
> In all companies I worked for, I've seen few guys coming up with bad good ideas/initiatives. Most of the time, these were stopped during internal discussions, but sometimes such initiatives were only discovered later thanks to a complaint. so do complain, but provide evidence (message with full headers).

Hi Dave, Mouss, and others,

I can confirm that this is an instance of a marketer gone crazy, rather than a spam campaign:

- Desmond found Dave's name when he was looking for people in the EDUCAUSE group who know about email.
- Dave's email address was taken from Mary Baldwin College's staff directory (http://academic.mbc.edu/cis/search/facstaff/namesearch.asp). It was not taken from the SA mailing list.
- The message to Dave was a one-to-one correspondence - it was not part of a bulk mail-out.

Regards,
Ken

-- Ken Simpson CEO MailChannels - Reliable Email Delivery http://blog.mailchannels.com 604 685 7488 tel
Re: trusted_networks
On Friday 13 June 2008 11:56 am, Jari Fredriksson wrote:

Should I put the IP for mailrelay.embarq.synacor.com on the trusted_networks line? That comes out to be 208.47.184.3. I also had this as internal_networks

internal_networks 71.48.160.0/20, is that correct?

Yes, if that mailrelay.embarq.synacor.com is your ISP's mx receiving mail sent to you. I did

$ host -t mx embarqmail.com

and it said

embarqmail.com mail is handled by 10 smtp.embarq.synacor.com.
$ host mailrelay.embarq.synacor.com
mailrelay.embarq.synacor.com has address 208.47.184.3
$ host smtp.embarq.synacor.com
smtp.embarq.synacor.com has address 208.47.184.2

I don't understand what is this mailrelay, it might be the sending server, but that mx host smtp at least should be trusted. Better to put those both to your trusted_networks, I guess.

Thank you, now my trusted_networks line looks like this:

trusted_networks 192.168/16 208.47.184.3 208.47.184.2

Is that correct? Do I need the 192.168/16 entry?

--
Chris
KeyID 0xE372A7DA98E6705C
Re: trusted_networks
Thank you, now my trusted_networks line looks like this:

trusted_networks 192.168/16 208.47.184.3 208.47.184.2

Is that correct? Do I need the 192.168/16 entry?

I don't have it, my 10/8 lan network.. in my trusted. I think you can throw it away.
Re: trusted_networks
On Friday 13 June 2008 7:09 pm, Jari Fredriksson wrote:

Thank you, now my trusted_networks line looks like this:

trusted_networks 192.168/16 208.47.184.3 208.47.184.2

Is that correct? Do I need the 192.168/16 entry?

I don't have it, my 10/8 lan network.. in my trusted. I think you can throw it away.

Thanks, I'll discard it then, appreciate the help.

Chris

--
Chris
KeyID 0xE372A7DA98E6705C
Can't locate Log/Agent.pm in @INC
I sent a post with the above subject about a week and a half ago and Justin Mason stated that it's apparently a Razor problem. I sent the same post to the Razor list and received 'no' replies. I don't doubt Justin at all, however, with no replies from the Razor list I'm turning back to the SA list in the hopes that someone could give me a clue on what to check. Neither SA nor Razor appear to be affected in any way at all, I guess it's just annoying to see this every time I stop and start SA. The below is from when I ran SA-Update after upgrading to 3.2.5 awhile ago.

Jun 13 19:36:25 localhost spamassassin: spamd startup succeeded
Jun 13 19:36:28 localhost spamd[3256]: Can't locate Log/Agent.pm in @INC (@INC contains: lib /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl) at (eval 1365) line 2.
Jun 13 19:36:28 localhost spamd[3256]: Can't locate Log/Agent.pm in @INC (@INC contains: lib /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl) at (eval 1365) line 2.
Jun 13 19:36:28 localhost spamd[3256]: BEGIN failed--compilation aborted at (eval 1365) line 2.

I will try posting the above again to the Razor list and see if I get any replies.

Chris

--
Chris
KeyID 0xE372A7DA98E6705C
Can't locate Log/Agent.pm - Additional note
One item of interest that I forgot. The below is from a message I posted to the Razor list back on the 4th of June:

I have the razor plug-in enabled and razor-admin -v reports the version to be:

Razor Agents 2.84, protocol version 3

If I go and disable the razor plug-in and stop and start spamassassin I still see the above:

# Razor2 - perform Razor2 message checks.
#
# Razor2 is disabled here because it is not available for unlimited free
# use. It is currently free for personal use, subject to capacity
# constraints. See the Cloudmark SpamNet Service Policy for more details.
#
# loadplugin Mail::SpamAssassin::Plugin::Razor2

Using a test message that with Razor enabled it received this score:

1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100]

After disabling the razor plugin there are no razor checks performed:

1.2 INVALID_DATE Invalid Date: header (not RFC 2822)
2.9 DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting
3.2 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
3.1 MSGID_YAHOO_CAPS Message-ID has [EMAIL PROTECTED]
4.2 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
1.0 FREEMAIL_FROM From-address is freemail domain
-0.0 NO_RELAYS Informational: message was not relayed via SMTP
1.4 DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date
2.0 FREEMAIL_REPLYTO Different freemail address found in Reply-To or Body than From
2.3 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
-6.4 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.]
0.0 HTML_MESSAGE BODY: HTML included in message
-0.0 DCC_CHECK_NEGATIVE Not listed in DCC [cpollock 1117; Body=2 Fuz1=2 Fuz2=2]
1.7 SARE_SPEC_ROLEX Rolex watch spam
2.5 L_UNVERIFIED_YAHOO L_UNVERIFIED_YAHOO
1.0 SAGREY Adds 1.0 to spam from first-time senders

I did this to ensure that I had in fact disabled razor checks in SA. Again stopping and starting SA I get the same output with the plug-in disabled:

Jun 4 18:02:13 localhost spamd[7788]: spamd: server killed by SIGTERM, shutting down
Jun 4 18:02:13 localhost spamassassin: spamd shutdown succeeded
Jun 4 18:02:15 localhost spamd[9483]: logger: removing stderr method
Jun 4 18:02:15 localhost spamassassin: spamd startup succeeded
Jun 4 18:02:19 localhost spamd[9488]: Can't locate Log/Agent.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl) at (eval 1355) line 2.
Jun 4 18:02:19 localhost spamd[9488]: Can't locate Log/Agent.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl) at (eval 1355) line 2.
Jun 4 18:02:19 localhost spamd[9488]: BEGIN failed--compilation aborted at (eval 1355) line 2.

I forgot to include this in the original message but I feel it's important to state that whether the Razor plug-in is enabled or not I get the same output when stopping and starting SA.

--
Chris
KeyID 0xE372A7DA98E6705C
Re: spamassassin horribly low scores?
archaic0 wrote:

I put SA on my server and have had it running for a while now (couple months). I have been training it with ham and spam this whole time and am probably up to a couple hundred messages of ham and a couple thousand messages of spam.

What I am seeing is a TON of email that is obvious spam (to me) get scored and fail several checks, but the scores are so insanely low that it still gets through. One message in particular might fail 4 or 5 spam checks, but each only adds .1 or .2 to the score for a total of .8 or something. Each of these checks are obvious spam to me, like enhancement and drugs and the like.

I've been adjusting the scores to straight up 10 for the checks as I see them, but so far I'm up to 20 or so checks that I've modified and I just see this to be a never ending battle.

What would be GREAT is a global switch for things like AM_DOCTOR, and MEDS_OK. By setting those two things to no, then if the system would bump up every single check that relates to medicine or medical things to like a 4.0 score then that would solve 99% of my issues.

Why do these checks carry such low scores? I mean I understand being cautious, but for an erectile fail to score .2??? On what planet does that make sense?

Erm, the human one? Actually, that is a real, valid answer here, if you'll allow me to explain a moment.

The first thing to realize about spamassassin is that the rules aren't scored individually. They aren't. You can't look at one rule, and determine a good score for it, alone, by itself, and expect it to work well with hundreds of other rules that were each scored individually. You need to consider how the rules interact with each other.

I don't have the exact data in front of me. But usually when you see a really good spam rule with a low score, it's low because in the mass-check it nearly always fired coincidentally with another rule, but that rule fired off on less of the nonspam email. So, SA picked the better of the two to throw its weight behind.

In the case of DRUGS_ERECTILE, it's got a noticeable non-zero false positive rate, actually 0.7% of email it hit was nonspam. This happens because some people have personal email accounts, which may contain jokes, even a short ribbing from a friend about you needing it, or medical discussions which may mention any of these drugs in a non-spam context.

And in the SpamAssassin world, 1 false positive is as bad as 100 false negatives. Your threshold of pain may be different, but that's how the ruleset is tuned.

Also consider SpamAssassin has to be designed with a broad userbase in mind, from the guy swapping off-color jokes with his friends, to a rigid business environment. It's not perfect for every situation, but does surprisingly well.

Regardless it would be interesting to see some samples of some troublesome spam that's not being hit. We might be able to offer some suggestions for how to handle them that is less risky than jacking scores up.

The system would have to fail on 20 levels as well as having a very low total threshold to cause issues with that low of a score.
Re: trusted_networks
John Hardin wrote:

On Thu, 12 Jun 2008, Matus UHLAR - fantomas wrote:

You may put other servers, not under your control, to trusted_networks, if you trust them not to originate spam.
^
Matus, I believe that assertion is incorrect...

Actually, that's not incorrect. You have to consider the ALL_TRUSTED rule here.

hosts in trusted_networks primarily need to be trusted to not forge headers, but they also need to be trusted not to originate spam, as any message that has only touched trusted hosts will match the ALL_TRUSTED rule.

Also be sure to realize there's a big difference between originating spam and relaying it to your network.
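The point about ALL_TRUSTED in the reply above, checked against the trusted_networks line quoted earlier in this thread. This is an added example, not SpamAssassin's own code: the relay chains are constructed (203.0.113.7 stands in for an outside sender), and the rule is modelled simply as "at least one relay, and every relay inside trusted_networks".

```python
import ipaddress

# trusted_networks line quoted in the thread.
TRUSTED_SPEC = "192.168/16 208.47.184.3 208.47.184.2"


def parse_trusted_networks(spec):
    """Parse SpamAssassin-style entries, including short forms like 192.168/16."""
    nets = []
    for item in spec.split():
        addr, _, bits = item.partition("/")
        octets = addr.rstrip(".").split(".")
        if not bits:                      # bare address: mask from octet count
            bits = str(8 * len(octets))
        octets += ["0"] * (4 - len(octets))
        nets.append(ipaddress.ip_network(".".join(octets) + "/" + bits))
    return nets


def is_trusted(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)


def all_trusted(relay_ips, nets):
    """Simplified ALL_TRUSTED: at least one relay, and none outside nets."""
    return bool(relay_ips) and all(is_trusted(ip, nets) for ip in relay_ips)


# Constructed relay chains, newest Received hop first.
CHAINS = {
    "LAN host only": ["192.168.1.20"],
    "originated on the ISP relay": ["208.47.184.3"],
    "relayed by the ISP MX for an outside sender": ["208.47.184.2", "203.0.113.7"],
}


def evaluate(spec=TRUSTED_SPEC):
    nets = parse_trusted_networks(spec)
    return {name: all_trusted(chain, nets) for name, chain in CHAINS.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:45} ALL_TRUSTED={hit}")
```

A message that starts on a trusted relay matches the rule, while one that the same relay merely passes along from outside does not, which is the difference between originating and relaying that the reply draws.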
Re: make SA remove X-Spam-Flag
Arvid Ephraim Picciani wrote:

Hi, just 10 minutes ago I received a false positive. First I was confused, then I figured that my SA setup didn't actually flag it, but the sender's SA. So, how could I tell SA to remove any X-Spam flags in case the mail has been identified as non spam?

SpamAssassin removes all X-Spam-* headers when processing. Are you using an integration tool that does its own markups instead of letting SA add them (ie: MailScanner, mimedefang, etc?)
SA plugins includes/excludes
I just set up a server 2 days ago and had one active domain running in it. I still get tons of spam, the hit rate was well below 10%. Out of every 10 spams, less than 1 was tagged on average. My score to tag is 5, 8 to delete.

Now I focus my customizations on plugins which I hope can enhance the chance of catching spam. The following is my plugin list, I wonder if there are any plugins which I should include/exclude to make my SA work better.

Is there any other technique that works well with/without SA which also greatly reduces spam?

;; /etc/mail/spamassassin/v310.pre ;;
loadplugin Mail::SpamAssassin::Plugin::Pyzor
#loadplugin Mail::SpamAssassin::Plugin::Razor2
#loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
#loadplugin Mail::SpamAssassin::Plugin::TextCat
#loadplugin Mail::SpamAssassin::Plugin::AccessDB
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::DomainKeys
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags

;; /etc/mail/spamassassin/v320.pre ;;
loadplugin Mail::SpamAssassin::Plugin::Check
loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
loadplugin Mail::SpamAssassin::Plugin::URIDetail
# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin Mail::SpamAssassin::Plugin::Bayes
loadplugin Mail::SpamAssassin::Plugin::BodyEval
loadplugin Mail::SpamAssassin::Plugin::DNSEval
loadplugin Mail::SpamAssassin::Plugin::HTMLEval
loadplugin Mail::SpamAssassin::Plugin::HeaderEval
loadplugin Mail::SpamAssassin::Plugin::MIMEEval
loadplugin Mail::SpamAssassin::Plugin::RelayEval
loadplugin Mail::SpamAssassin::Plugin::URIEval
loadplugin Mail::SpamAssassin::Plugin::WLBLEval
loadplugin Mail::SpamAssassin::Plugin::VBounce
# loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
# loadplugin Mail::SpamAssassin::Plugin::ASN
loadplugin Mail::SpamAssassin::Plugin::ImageInfo