Difference in spam score for separate email machines with same version of Spamassassin

2010-11-28 Thread Sharma, Ashish
Hi,

I have two machines that contain spamassassin.

On the first machine (this is an old installation, 2-3 months old), I had installed 
Spamassassin (3.3.1) from the rpmforge repository by using yum (followed 
http://wiki.centos.org/HowTos/Amavisd), while on the second I had manually 
installed Spamassassin (3.3.1, 1 week old installation) by using the spamassassin 
rpm.

Following are the spam headers of the same email that I sent to both servers, and 
I am getting different spam scores.
I want to know why.

First machine (Spamassassin 3.3.1, old installation, 2-3 months old):

X-Spam-Status: No, score=5.269 tag=-999 tag2=6.9 kill=6.9 tests=[BAYES_50=0.8,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5,
 RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001,
 T_TO_NO_BRKTS_FREEMAIL=0.01, URIBL_JP_SURBL=1.25] autolearn=no

Second machine (Spamassassin 3.3.1, new installation, 1 week old):

X-Spam-Status: No, score=1.859 tag=-999 tag2=6.9 kill=6.9
 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
 SPF_PASS=-0.001, T_TO_NO_BRKTS_FREEMAIL=0.01, URIBL_JP_SURBL=1.948]
 autolearn=no


As can be seen, the BAYES and RAZOR2 rules are not getting hit in the new installation, 
but the logs show the modules are getting loaded fine. 

Can anybody give me some idea of this kind of behavior?

Thanks in advance
Ashish Sharma
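
The header comparison in this post can be done mechanically. The following is an added example, not part of the original thread: it parses the two X-Spam-Status values quoted above and reports which rules fired on one machine only, which scored differently, and whether those differences account for the score gap (the function names are illustrative).

```python
import re

# X-Spam-Status values copied from the two machines in the post (still folded).
OLD_HOST = """No, score=5.269 tag=-999 tag2=6.9 kill=6.9 tests=[BAYES_50=0.8,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5,
 RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001,
 T_TO_NO_BRKTS_FREEMAIL=0.01, URIBL_JP_SURBL=1.25] autolearn=no"""
NEW_HOST = """No, score=1.859 tag=-999 tag2=6.9 kill=6.9
 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
 SPF_PASS=-0.001, T_TO_NO_BRKTS_FREEMAIL=0.01, URIBL_JP_SURBL=1.948]
 autolearn=no"""

def parse_status(value):
    """Return (reported_score, {rule: score}) for a folded X-Spam-Status value."""
    flat = " ".join(value.split())  # undo header folding
    score = float(re.search(r"\bscore=(-?\d+(?:\.\d+)?)", flat).group(1))
    tests = re.search(r"tests=\[([^\]]*)\]", flat)
    rules = {}
    for item in (tests.group(1).split(",") if tests else []):
        name, sep, val = item.strip().partition("=")
        if sep:  # skip empty or score-less entries
            rules[name] = float(val)
    return score, rules

def compare(old_value, new_value):
    """Diff two hosts' results: rules seen on one side only, and score changes."""
    old_score, old = parse_status(old_value)
    new_score, new = parse_status(new_value)
    only_old = {r: s for r, s in old.items() if r not in new}
    only_new = {r: s for r, s in new.items() if r not in old}
    # Same rule, different score: consistent with SpamAssassin picking a
    # different score set depending on whether Bayes is in use.
    changed = {r: (old[r], new[r]) for r in old.keys() & new.keys()
               if old[r] != new[r]}
    # Gap explained by the rule differences; it should match the reported gap.
    explained = (sum(only_old.values()) - sum(only_new.values())
                 + sum(o - n for o, n in changed.values()))
    return {"only_old": only_old, "only_new": only_new, "changed": changed,
            "explained_gap": round(explained, 3),
            "reported_gap": round(old_score - new_score, 3)}

if __name__ == "__main__":
    for key, val in compare(OLD_HOST, NEW_HOST).items():
        print(f"{key}: {val}")
```
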


Re: Difference in spam score for separate email machines with same version of Spamassassin

2010-11-28 Thread Benny Pedersen

On Sun 28 Nov 2010 12:22:55 CET, Sharma, Ashish wrote:

> Can anybody give me some idea of this kind of behavior?

it's well documented that bayes needs training, if no training is done
it takes time to autolearn it, ask the same question in 90 days and the
problem might at that time be gone :)

if bayes at that time does not work let's take it from there

options to consider from your server is, do i need manual training ?

spam evolves much in 90 days time, so unless you have 180 days of good
corpus to train from it will be pointless to help bayes do the right
thing


--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



RE: Difference in spam score for separate email machines with same version of Spamassassin

2010-11-28 Thread Sharma, Ashish
Benny,

Thanks for the reply.

But what about the Razor2 rules not getting hit? Any suggestions on that?

Thanks
Ashish Sharma

-Original Message-
From: Benny Pedersen [mailto:m...@junc.org] 
Sent: Sunday, November 28, 2010 5:14 PM
To: users@spamassassin.apache.org
Subject: Re: Difference in spam score for seperate email machines with same 
version of Spamassassin

On Sun 28 Nov 2010 12:22:55 CET, Sharma, Ashish wrote:
> Can anybody give me some idea of this kind of behavior?

it's well documented that bayes needs training, if no training is done
it takes time to autolearn it, ask the same question in 90 days and the
problem might at that time be gone :)

if bayes at that time does not work let's take it from there

options to consider from your server is, do i need manual training ?

spam evolves much in 90 days time, so unless you have 180 days of good
corpus to train from it will be pointless to help bayes do the right
thing

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html



RE: Difference in spam score for separate email machines with same version of Spamassassin

2010-11-28 Thread Benny Pedersen

On Sun 28 Nov 2010 17:10:03 CET, Sharma, Ashish wrote:

> But what about the Razor2 rules not getting hit? Any suggestions on that?

no more than setup account so reporting works

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



RE: Difference in spam score for separate email machines with same version of Spamassassin

2010-11-28 Thread Sharma, Ashish
Benny,

I am unable to understand, can you please explain what you just mentioned.

Maybe I am a newbie that's why I could not understand what you said.

Thanks
Ashish Sharma

-Original Message-
From: Benny Pedersen [mailto:m...@junc.org] 
Sent: Sunday, November 28, 2010 10:28 PM
To: users@spamassassin.apache.org
Subject: RE: Difference in spam score for seperate email machines with same 
version of Spamassassin

On Sun 28 Nov 2010 17:10:03 CET, Sharma, Ashish wrote:

> But what about the Razor2 rules not getting hit? Any suggestions on that?

no more than setup account so reporting works

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html



RE: Difference in spam score for separate email machines with same version of Spamassassin

2010-11-28 Thread Benny Pedersen

On Sun 28 Nov 2010 18:02:36 CET, Sharma, Ashish wrote:

> Maybe I am a newbie that's why I could not understand what you said.

man razor-admin

razor-admin -discover
razor-admin -register
razor-admin -create

read more examples in man page

if unsure what to do don't do anything, it's like postfix main.cf that
are filled with default errors when postconf -d is good

making main.cf empty solves it for postfix

so the more one configures the more errors one makes :=)

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Difference in spam score for separate email machines with same version of Spamassassin

2010-11-28 Thread Gary V
On 11/28/10, Benny Pedersen wrote:
> On Sun 28 Nov 2010 18:02:36 CET, Sharma, Ashish wrote
>> Maybe I am a newbie that's why I could not understand what you said.
>
> man razor-admin
>
> razor-admin -discover
> razor-admin -register
> razor-admin -create
>
> read more examples in man page
>
> if unsure what to do don't do anything, it's like postfix main.cf that
> are filled with default errors when postconf -d is good
>
> making main.cf empty solves it for postfix
>
> so the more one configures the more errors one makes :=)
>
> --

Since you are using amavisd-new and the home directory of the amavis
user is /var/amavis:

yum install perl-Razor-Agent

su amavis -c 'razor-admin -create'
su amavis -c 'razor-admin -register'

# disable razor logging (set debuglevel = 0 in /var/amavis/.razor/razor-agent.conf)
sed -i 's/= 3/= 0/' /var/amavis/.razor/razor-agent.conf

-- 
Gary V


Phishing Attack: An Open Letter to the Anti-Spam and Mailbox Operator Community By Matt Blumberg CEO Chairman, Return Path

2010-11-28 Thread Neil Schwartzman
I’m sure many of you are familiar with the targeted ESP phishing attack that 
has been ongoing for almost a year now and has led to multiple known ESP system 
breaches. Return Path was recently a victim of this same attack. So far, we 
have three blog posts on our client/marketer blog about this – you can read 
them here from November 24, November 25, and November 26. 

http://www.returnpath.net/blog/intheknow/2010/11/security-alert-phishing-attack-aimed-at-esps
http://www.returnpath.net/blog/intheknow/2010/11/security-alert-update-on-esp-phishing-attack
http://www.returnpath.net/blog/intheknow/2010/11/security-alert-phishing-attack-update


In short, a relatively small list of our clients’ email addresses was taken 
from us, meaning those addresses are now the targets of the phishing campaign 
that are intended to compromise those client systems.

To be sure, many of those addresses have been targets of this campaign and 
others like it for months prior to the attack on the Return Path system, since 
this campaign is specifically seeking out and attacking the email marketing and 
ESP community. But we are assuming, and behaving as if, any fresh campaigns are 
likely somehow linked to the data breach on our end.

Data was taken from us, and that security hole is now closed. However, some of 
our clients that are being attacked send mail from IP addresses that are 
Certified by Return Path. Since we jumped on this issue on the Wednesday before 
Thanksgiving, we have identified two sending system compromises of two of our 
clients. Our monitoring caught these compromises, and the compromised IPs have 
been removed from the Certified list.

As you might expect, investigating a data breach of this kind takes a 
tremendous amount of post-hoc forensic work, so it’s taken us a little while to 
get our arms around exactly what happened. That part isn’t particularly 
interesting. Here’s what those two compromises looked like, what we’ve done 
about them, what we’re doing to monitor more aggressively for future 
compromises, and what we’d like to ask of you.

[more]

http://www.returnpath.net/blog/received/2010/11/phishing-attack-an-open-letter-to-the-anti-spam-and-mailbox-operator-community/

--
Neil Schwartzman
Senior Director
Security Strategy, Receiver Services

Tel: (303) 999-3217
AIM: returnpathcanuk
http://www.returnpath.net/blog/received/

Help the poor help themselves. Fund a small business with micro-loans at  
http://www.kiva.org/team/returnpath