sa-learn in an Exchange 2010 environment
Hi,

I have searched thoroughly for any information on the above constellation, but have not found anything useful.

We have spamassassin running on a gateway server delivering mail to users on an exchange 2010 server. Sometimes spam gets through, and I would like for users to be able to send that spam to sa-learn. I set up a forwarding scheme and that works fine. But reading around on the internets, people seem to warn about that kind of setup, because From-fields on the forwarded mails belong to users and that can mark them as spammers. People recommend to either redirect the spam to sa-learn or move it to a public folder and have some sort of IMAP-mechanism pick it up and deliver it to sa-learn.

There are a number of problems with those recommendations on exchange 2010: You can no longer resend mail that was not directly sent to you (or some other rule, the gist is that most spam cannot be resent), and there is no longer IMAP access to public folders (I am led to believe).

The forwarding method is very convenient and uses a method that users are already intimate with, so there is no need to teach them new things.

So my question is: Can I continue doing this? How bad is it that the users' names get marked adversely in the bayesian database, when all outgoing mail is whitelisted because of trusted sources?

Lars
Re: RelayCountry Plugin
On 19/05/2011 04:46, John Hardin wrote:
> Sure. Well, not a _single_ rule, but you can achieve what you want...
>
> First, write a rule that hits on all messages and assign it a positive
> score:
>
>   meta     RELAYCOUNTRY_ALL   __HAS_RCVD
>   describe RELAYCOUNTRY_ALL   Relayed through any country
>   score    RELAYCOUNTRY_ALL   1.00
>
> Then write a RelayCountry rule for the "trusted" countries, and assign it
> an offsetting negative score:
>
>   header   RELAYCOUNTRY_GOOD  X-Relay-Countries =~ /(?:US|CA|FR)/
>   describe RELAYCOUNTRY_GOOD  Relayed through trusted country
>   score    RELAYCOUNTRY_GOOD  -1.00

That could be simplified:

  header   __RELAYCOUNTRY_GOOD   X-Relay-Countries =~ /(?:US|CA|FR)/
  meta     RELAYCOUNTRY_NOTGOOD  __HAS_RCVD && !__RELAYCOUNTRY_GOOD

[except of course that you might find some legit French senders, for example, relaying via servers elsewhere in Europe, so the list of "good" countries might need to be a bit longer than you initially think]

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
Re: RelayCountry Plugin
On Wed, 18 May 2011, Rapitharian wrote:

> I am finding that every day I get Spam sent to my users from several new
> countries. This requires me to have to write new rules for these
> countries. The list is getting quite long.
>
> What I would like to know is: is there a way to write a rule to award
> points to countries not listed?

Sure. Well, not a _single_ rule, but you can achieve what you want...

First, write a rule that hits on all messages and assign it a positive score:

  meta     RELAYCOUNTRY_ALL   __HAS_RCVD
  describe RELAYCOUNTRY_ALL   Relayed through any country
  score    RELAYCOUNTRY_ALL   1.00

Then write a RelayCountry rule for the "trusted" countries, and assign it an offsetting negative score:

  header   RELAYCOUNTRY_GOOD  X-Relay-Countries =~ /(?:US|CA|FR)/
  describe RELAYCOUNTRY_GOOD  Relayed through trusted country
  score    RELAYCOUNTRY_GOOD  -1.00

--
 John Hardin KA7OHZ   http://www.impsec.org/~jhardin/
 jhar...@impsec.org   FALaholic #11174   pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 If Microsoft made hammers, everyone would whine about how poorly screws
 were designed and about how they are hard to hammer in, and wonder why
 it takes so long to paint a wall using the hammer.
---
 160 days since the first successful private orbital launch (SpaceX)
RelayCountry Plugin
I am currently using the Relay Country plugin for SpamAssassin. I have written rules similar to the ones found on the wiki page for the plugin.

Example:

  header   RELAYCOUNTRY_FR  X-Relay-Countries =~ /FR/
  describe RELAYCOUNTRY_FR  Relayed through France
  score    RELAYCOUNTRY_FR  0.1

I am finding that every day I get Spam sent to my users from several new countries. This requires me to have to write new rules for these countries. The list is getting quite long.

What I would like to know is: is there a way to write a rule to award points to countries not listed?

For my case I get legit mail from the following country codes: US, CA, and FR. If the countries the mail is relayed through are not one of these, I would like to bump the SA score by 1.0 point.

Can I do this? If so how? I have not found a way, via regular expressions, to say: not this, or this, or this. It seems regular expressions always work in the affirmative, not the negative.

I believe I may have found the answer (So thank you for hanging in there, I am reading.) Would this be the correct rule?

Example:

  header   RELAYCOUNTRY_UCF  X-Relay-Countries !~ /US|CA|FR/
  describe RELAYCOUNTRY_UCF  Relayed through Country other than US, CA, and FR
  score    RELAYCOUNTRY_UCF  1.0

Points I am not sure about:

- UCF at the end of RELAYCOUNTRY_. Does this need to be a valid country code? Or is it only part of the rule name?
- Is the "!~/US|CA|FR/" the right way to say Not US or CA or FR?

Thanks in advance for all your help.

-Rap

--
View this message in context: http://old.nabble.com/RelayCountry-Plugin-tp31652314p31652314.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
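Added example (not part of the original thread): the RelayCountry rules from this thread, modelled in Python against constructed X-Relay-Countries values. It shows that the offsetting pair, the NOTGOOD meta and the negated header all test for "no trusted country anywhere in the relay chain", so a message relayed through both a trusted and an untrusted country is not scored. The `untrusted_hop` pattern and the use of an empty string for a message without Received headers are assumptions of this example, not rules from the posts.

```python
import re

TRUSTED = r"(?:US|CA|FR)"   # country list used throughout the thread
GOOD = re.compile(TRUSTED)  # header __RELAYCOUNTRY_GOOD ... =~ /(?:US|CA|FR)/
# Assumption, not from the thread: match any two-letter code that is NOT trusted.
UNTRUSTED_HOP = re.compile(r"\b(?!" + TRUSTED + r"\b)[A-Z]{2}\b")


def offsetting_score(countries, has_rcvd=True):
    """RELAYCOUNTRY_ALL (+1.00 on __HAS_RCVD) plus RELAYCOUNTRY_GOOD (-1.00)."""
    score = 1.0 if has_rcvd else 0.0
    if GOOD.search(countries):
        score -= 1.0
    return score


def notgood_meta(countries, has_rcvd=True):
    """meta RELAYCOUNTRY_NOTGOOD  __HAS_RCVD && !__RELAYCOUNTRY_GOOD"""
    return has_rcvd and GOOD.search(countries) is None


def negated_header(countries):
    """header RELAYCOUNTRY_UCF  X-Relay-Countries !~ /US|CA|FR/"""
    return re.search(r"US|CA|FR", countries) is None


def untrusted_hop(countries):
    """Hypothetical stricter rule: fires if any relay is outside the list."""
    return UNTRUSTED_HOP.search(countries) is not None


# Constructed X-Relay-Countries values (space-separated codes, one per relay).
# The empty string models a message with no Received headers (assumption).
SAMPLES = [("US", True), ("US CA", True), ("FR DE", True),
           ("CN RU", True), ("US CN", True), ("", False)]


def compare(samples=SAMPLES):
    """Return one row per sample: (value, offsetting, meta, negated, strict)."""
    return [(c, offsetting_score(c, r), notgood_meta(c, r),
             negated_header(c), untrusted_hop(c)) for c, r in samples]


if __name__ == "__main__":
    for row in compare():
        print("%-8r offset=%+.1f notgood=%-5s negated=%-5s strict=%s" % row)
```

In this model the negated header rule also fires on the empty value, where the `__HAS_RCVD` guard keeps the meta rule quiet.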
Re: X-Spam-Status: Yes, score=18.4 - Still delivered.
Joseph Brennan wrote:
>
> The reason the SMTP standard requires this is to ensure that a delivery
> status notice does not generate another delivery status notice.
>

Thanks Joseph. You're right, seems a bit daft. Nevermind, at least I know it's not broken now! Will continue to score as usual on <> senders.

Pete

--
View this message in context: http://old.nabble.com/X-Spam-Status%3A-Yes%2C-score%3D18.4---Still-delivered.-tp31591656p31651611.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: X-Spam-Status: Yes, score=18.4 - Still delivered.
snowweb wrote:
> It seems that if the sender is <> Exim always delivers it to the inbox,
> regardless of how it was classified. Apparently this is because
> mailservers sending notification of undeliverable mail, identify
> themselves in this way (for some reason which appears a bit daft to me)

The reason the SMTP standard requires this is to ensure that a delivery status notice does not generate another delivery status notice.

> and therefore, everything from <> is automatically delivered to the inbox.

That's the daft part! That's not logical at all. Apply the spam score the same as for any other message, if you can.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
Re: DKIM Checks
>> Looking at the X-Spam-Report on various messages and I never see that
>> it's looked at. I see that SPF is checked and scored. Any idea why
>> it's not checking the DKIM signatures?
>
> Check the file v312.pre and see if the "loadplugin" line for DKIM is
> commented out. If it is, uncomment it.
>

That appears to have fixed it. Thanks.
RE: DKIM Checks
> From: Matt [mailto:lm7...@gmail.com]
> Sent: Wednesday, May 18, 2011 11:32 AM
> To: users
> Subject: DKIM Checks
>
> I am running spamassassin-3.2.5-1.el5 on 64 bit CentOS.
>
> sa-update -D seems to indicate that the DKIM libraries are installed.
> ...
> May 18 10:25:02.683 [15134] dbg: diag: [...] module installed:
> Mail::DKIM, version 0.39
> ...
> Looking at the X-Spam-Report on various messages and I never see that
> it's looked at. I see that SPF is checked and scored. Any idea why
> it's not checking the DKIM signatures?

Check the file v312.pre and see if the "loadplugin" line for DKIM is commented out. If it is, uncomment it.
Re: major upgrade of spamassassin
The answers to all your questions *should* be in
http://svn.apache.org/repos/asf/spamassassin/branches/3.3/UPGRADE
(Which is one of the first links on the SpamAssassin downloads page.)

You can copy your old local.cf over and run "spamassassin --lint" to verify it's okay. I don't know the situation with bayes data without reading over that document myself.

On 05/18, Lucio Chiappetti wrote:
> We are in the process of doing a long awaited and overdue upgrade of
> our servers (from Suse 9.2 to 11.4), which involves upgrading the
> (bundled) spamassassin (used with sendmail and amavis milter) from
> 3.0 to 3.3.
>
> - the new bundled spamassassin has a very simple local.cf.
>   We had a local.cf (inherited from a nationwide working group
>   for academic networks) which did things like tuning BAYES_00 to _99
>   scores, defining local networks, adding razor, pyzor and dcc)
>
>   can we just insert the old keywords in the new one safely ?
>
> - what about the bayes databases and awlst ?
>
>   - can we just move the old ones in the new distribution, or is
>     this forbidden by some format change or other incompatibility ?
>
>   - and even if we could, is it wise doing it, or is it better to
>     train bayes afresh (e.g. from a corpus of the latest month spam,
>     and ham from the folder of selected/volunteer users) ?
>

--
"it's not how good you are, it's how bad you want it" - no fear
http://www.ChaosReigns.com
major upgrade of spamassassin
We are in the process of doing a long awaited and overdue upgrade of our servers (from Suse 9.2 to 11.4), which involves upgrading the (bundled) spamassassin (used with sendmail and amavis milter) from 3.0 to 3.3.

- the new bundled spamassassin has a very simple local.cf.
  We had a local.cf (inherited from a nationwide working group for academic networks) which did things like tuning BAYES_00 to _99 scores, defining local networks, adding razor, pyzor and dcc)

  can we just insert the old keywords in the new one safely ?

- what about the bayes databases and awlst ?

  - can we just move the old ones in the new distribution, or is this forbidden by some format change or other incompatibility ?

  - and even if we could, is it wise doing it, or is it better to train bayes afresh (e.g. from a corpus of the latest month spam, and ham from the folder of selected/volunteer users) ?
DKIM Checks
I am running spamassassin-3.2.5-1.el5 on 64 bit CentOS.

sa-update -D seems to indicate that the DKIM libraries are installed.

May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: Digest::SHA1, version 2.11
May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: HTML::Parser, version 3.55
May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: Net::DNS, version 0.59
May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: NetAddr::IP, version 4.043
May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: Time::HiRes, version 1.9717
May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: Archive::Tar, version 1.76
May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: IO::Zlib, version 1.04
May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: Digest::SHA1, version 2.11
May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: MIME::Base64, version 3.07
May 18 10:25:02.682 [15134] dbg: diag: [...] module installed: DB_File, version 1.814
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: Net::SMTP, version 2.29
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: Mail::SPF, version v2.007
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: IP::Country::Fast, version 604.001
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: Razor2::Client::Agent, version 2.83
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: Net::Ident, version 1.23
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: IO::Socket::INET6, version 2.67
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: IO::Socket::SSL, version 1.39
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: Compress::Zlib, version 2.033
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: Mail::DKIM, version 0.39
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: DBI, version 1.616
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: Getopt::Long, version 2.35
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: LWP::UserAgent, version 6.02
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: HTTP::Date, version 6.00
May 18 10:25:02.683 [15134] dbg: diag: [...] module installed: Encode::Detect, version 1.01

Looking at the X-Spam-Report on various messages and I never see that it's looked at. I see that SPF is checked and scored. Any idea why it's not checking the DKIM signatures?
Re: Trouble starting Spamassassin
On 5/18/2011 1:20 AM, john ffitch wrote:
> Thank you. Removing the "defined" cleared one error but I still get
>
> May 18 12:17:36.306 [5489] warn: Use of uninitialized value $opt{"syslog-socket"} in lc at /usr/bin/spamd line 444.
> child process [5491] exited or timed out without signaling production of a PID file: exit 255 at /usr/bin/spamd line 2588.
>
> so does not work. I am reluctant to install a rc1 in a live system
> ==John ffitch

3.3.2-rc1 actually works while 3.3.1 does not. By my download counts, it appears at least 200 people are running my 3.3.2-rc1 RPMS and I have heard no complaints.

Warren
Re: Trouble starting Spamassassin
Thank you. Removing the "defined" cleared one error but I still get

May 18 12:17:36.306 [5489] warn: Use of uninitialized value $opt{"syslog-socket"} in lc at /usr/bin/spamd line 444.
child process [5491] exited or timed out without signaling production of a PID file: exit 255 at /usr/bin/spamd line 2588.

so does not work. I am reluctant to install a rc1 in a live system

==John ffitch
Re: Trouble starting Spamassassin
John,

> I am sure I am doing something trivially wrong. A new server and
> Spamassassin installed from source. When I attempt to start spamd I
> get
>
> Starting spamd ..done
> Spamd restarted on water2
> defined(%hash) is deprecated at
> /usr/lib/perl5/site_perl/5.12.1/Mail/SpamAssassin/Dns.pm line 757.
> (Maybe you should just omit the defined()?)
> May 18 11:44:02.886 [4223] warn: Use of uninitialized value
> $opt{"syslog-socket"} in lc at /usr/bin/spamd line 444.
> child process [4225] exited or timed out without signaling production of a
> PID file: exit 255 at /usr/bin/spamd line 2588.
>
> Not had any problems with SA before so I have no experience

Please see:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6590

In short: newer versions of Perl require SA fixes that are in 3.3.2(-rc or SVN) or in SVN trunk.

Mark
Trouble starting Spamassassin
I am sure I am doing something trivially wrong. A new server and Spamassassin installed from source. When I attempt to start spamd I get

Starting spamd ..done
Spamd restarted on water2
defined(%hash) is deprecated at /usr/lib/perl5/site_perl/5.12.1/Mail/SpamAssassin/Dns.pm line 757.
(Maybe you should just omit the defined()?)
May 18 11:44:02.886 [4223] warn: Use of uninitialized value $opt{"syslog-socket"} in lc at /usr/bin/spamd line 444.
child process [4225] exited or timed out without signaling production of a PID file: exit 255 at /usr/bin/spamd line 2588.

Not had any problems with SA before so I have no experience

==John ffitch
Re: Spamassasin - SQLITE as storage database
On Wed, May 18, 2011 at 11:26, Mark Martinec wrote:
> On Wednesday May 18 2011 09:42:55 monolit wrote:
>> >> do you have any experience with usage of SQLITE database as storage for
>> >> Spamassassin? Spamassassin uses Berkeley DB, but I need to replace it.
>> >> I could not find any manual, guide or just forum discussion about
>> >> collaboration Spamassassin with SQLITE. I appreciate each advice.
>> >
>> Thanks for your post. Unfortunately my boss wants to use just SQLITE.
>
>> Lawrence @ Rogers wrote:
>> > I have no experience with this, but I do have experience with using
>> > MySQL with InnoDB tables. The performance is actually much better than
>> > Berkeley DBs.
>
> Bear in mind that MySQL with InnoDB (as well as PostgreSQL) offer
> fine-grained locking at a record level, which SQLite does not
> (the last time I checked). It is very likely that SpamAssassin
> could use SQLite as user preferences database (i.e. read-only)
> with no problems, it is also very likely that the usage of
> SQLite for a r/w database such as Bayes and AWL will cause
> lock contention on a busy server.

iirc, Matt Sergeant looked into using SQLite early on, but abandoned it due to the locking-related issues.

--j.
Re: Spamassasin - SQLITE as storage database
On Wednesday May 18 2011 09:42:55 monolit wrote:
> >> do you have any experience with usage of SQLITE database as storage for
> >> Spamassassin? Spamassassin uses Berkeley DB, but I need to replace it.
> >> I could not find any manual, guide or just forum discussion about
> >> collaboration Spamassassin with SQLITE. I appreciate each advice.
> >
> Thanks for your post. Unfortunately my boss wants to use just SQLITE.

> Lawrence @ Rogers wrote:
> > I have no experience with this, but I do have experience with using
> > MySQL with InnoDB tables. The performance is actually much better than
> > Berkeley DBs.

Bear in mind that MySQL with InnoDB (as well as PostgreSQL) offer fine-grained locking at a record level, which SQLite does not (the last time I checked). It is very likely that SpamAssassin could use SQLite as user preferences database (i.e. read-only) with no problems, it is also very likely that the usage of SQLite for a r/w database such as Bayes and AWL will cause lock contention on a busy server.

Mark
Re: Spamassasin - SQLITE as storage database
Thanks for your post. Unfortunately my boss wants to use just SQLITE.

Lawrence @ Rogers wrote:
>
> On 17/05/2011 12:06 PM, monolit939 wrote:
>> Hello,
>>
>> do you have any experience with usage of SQLITE database as storage for
>> Spamassassin? Spamassassin uses Berkeley DB, but I need to replace it. I
>> could not find any manual, guide or just forum discussion about
>> collaboration Spamassassin with SQLITE. I appreciate each advice.
>>
>> Thanks a lot
> I have no experience with this, but I do have experience with using
> MySQL with InnoDB tables. The performance is actually much better than
> Berkeley DBs.
>
> Regards,
> Lawrence
>
>

--
View this message in context: http://old.nabble.com/Spamassasin---SQLITE-as-storage-database-tp31637392p31644523.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.