Re: blacklist_from exceptions
On 2/8/2012 6:53 PM, Benny Pedersen wrote:
> On 2012-02-08 21:07, Rejaine Monteiro wrote:
>> blacklist_from *@somedomain.com
>> whitelist_to myu...@mydomain.com
>
> when you use blacklist_from you must use unblacklist_from not whitelist_to
>
> perldoc Mail::SpamAssassin::Conf
>
> everyone can write email to a to addr and thus the whitelist is not working well
>
> blacklist_from *@example.org
> unblacklist_from myu...@example.org
>
> untested :)

It may work, but it solves the wrong problem. The problem is to blacklist the entire domain, but allow it through for one RECIPIENT.

--
Bowie
Re: SPF and DKIM tests by default?
On 02/08, email builder wrote:
> Hello, I have a server where I never customized any of the SA rules/tests (SA v.3.3.1). The server does run sa-update every day.
>
> Is this the right place to look to know what tests the server should be running?
>
> https://spamassassin.apache.org/tests_3_0_x.html

At the top of that page, it says Tests Performed: v3.0.x which is not the version you are running.

https://spamassassin.apache.org/tests_3_3_x.html contains tests for 3.3. I don't know when they get updated, maybe only when 3.3.0 was released. I wouldn't trust it much.

Run:

sa-update -D 2>&1 | grep DIR

That will output something like:

Feb 9 12:08:49.609 [20855] dbg: generic: Perl 5.010001, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin

On this system, sa-update downloads rules to /var/lib/spamassassin, so I guess you're looking for the LOCAL_STATE_DIR. That directory will contain a directory related to your SA version, something like 3.003001, which will contain updates_spamassassin_org, which will contain the files defining all the rules.

Although that doesn't necessarily tell you which are enabled by default. Some require configuration changes. I believe for SPF you *should* be doing the detecting at your MTA (mail server software) and inserting a header for spamassassin to use: Received-SPF. (Because SPF is supposed to use the envelope from, which is not necessarily included in a header.)

> From that page, it seems that SPF checks are normal but DKIM is not. Is this right? Contrary to that, this page suggests that DKIM tests are enabled by default in version 3.3:
>
> https://wiki.apache.org/spamassassin/Plugin/DKIM

I don't have anything in my /etc/spamassassin/local.cf related to DKIM, and I'm getting DKIM rule hits, so I agree that DKIM is enabled by default (although I'm running trunk / v3.4.0 which is unreleased).

I believe SPF tests are also enabled by default, but won't do quite the right thing unless you're inserting the Received-SPF header at your MTA.

> Also, where can I look to verify the tests/rules currently in place on the server? (per-user rules are not implemented) I looked in /usr/share/spamassassin and there are a few files with spf and dkim in their names. Does that mean those tests are active?

Using the official Debian / Ubuntu packages, that directory contains the rules installed by the spamassassin package, which are only used if you do not run sa-update. Which would obviously be sub-optimal.

> ls *spf*
> -rw-r--r-- 1 root root 3100 Mar 15 2010 25_spf.cf
> -rw-r--r-- 1 root root 3584 Mar 15 2010 60_whitelist_spf.cf
> ls *dkim*
> -rw-r--r-- 1 root root 4407 Mar 15 2010 25_dkim.cf
> -rw-r--r-- 1 root root 9288 Mar 15 2010 60_adsp_override_dkim.cf
> -rw-r--r-- 1 root root 6455 Mar 15 2010 60_whitelist_dkim.cf

Those are related, although their presence doesn't indicate anything about defaults.

None of the SPF or DKIM rules are particularly highly ranked in spamassassin rule QA, so I wouldn't actually expect significant improvements in accuracy from it: http://ruleqa.spamassassin.org/?daterev=20120204

They both have some substantial flaws.

--
Every man, woman and child on the face of this earth is at the mercy of chaos. - a maxwell smart movie
http://www.ChaosReigns.com
Re: blacklist_from exceptions
On 2012-02-09 17:59, Bowie Bailey wrote:
> It may work, but it solves the wrong problem. The problem is to blacklist the entire domain, but allow it through for one RECIPIENT.

in that case it needs to be solved with a plugin or outside of spamassassin, if user_prefs is with more than one user, with amavisd it's possible per recipient to black/white/sender-score in ldap/sql databases or native in amavis.conf

who will make that plugin?
Re: blacklist_from exceptions
user_prefs won't work for me, because my server only filters messages and then redirects them to an internal server (so I don't have mailboxes here).

One solution that I posted seemed to work fine. It may not be the better solution, but this is OK for what we need.

On 09-02-2012 19:12, Benny Pedersen wrote:
> On 2012-02-09 17:59, Bowie Bailey wrote:
>> It may work, but it solves the wrong problem. The problem is to blacklist the entire domain, but allow it through for one RECIPIENT.
>
> in that case it needs to be solved with a plugin or outside of spamassassin, if user_prefs is with more than one user, with amavisd it's possible per recipient to black/white/sender-score in ldap/sql databases or native in amavis.conf
>
> who will make that plugin?
RE: Getting high spam score for email server hosted on AWS instance
The cluster with which I am facing the problem is a different one. The node for which I am getting a high spam score has the following details:

cloudemail5.cpgtest.ostinet.net (184.72.247.145)

Can you please explain now?

Thanks
Ashish

-----Original Message-----
From: Michael Scheidell [mailto:michael.scheid...@secnap.com]
Sent: Wednesday, February 08, 2012 7:28 PM
To: users@spamassassin.apache.org
Subject: Re: Getting high spam score for email server hosted on AWS instance

On 2/8/12 6:41 AM, Sharma, Ashish wrote:
> Hi,
>
> I have a mail server setup on an AWS instance. When I am sending mails via this setup to a test spamassassin setup that acts as an email receiver server, I am getting high spam scores as follows:
>
> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>
> As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399

no, since the ip address in question is, by definition, an unroutable ip, and should never be seen in a received list

(I am just guessing:

Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by

You have a microsoft cluster, where microsoft thought it would be a good idea to use 169.254.0.0/16 ip addresses?)

Bring this up with microsoft, have them 'fix' this.

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator

This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com/
RE: Getting high spam score for email server hosted on AWS instance
The cluster with which I am facing the problem is a different one. The node for which I am getting a high spam score has the following details:

cloudemail5.cpgtest.ostinet.net (184.72.247.145)

Can you please explain now?

Thanks
Ashish

-----Original Message-----
From: Joe Sniderman [mailto:joseph.snider...@thoroquel.org]
Sent: Wednesday, February 08, 2012 10:53 PM
To: users@spamassassin.apache.org
Subject: Re: Getting high spam score for email server hosted on AWS instance

On 02/08/2012 08:57 AM, Michael Scheidell wrote:
> On 2/8/12 6:41 AM, Sharma, Ashish wrote:
>> Hi,
>>
>> I have a mail server setup on an AWS instance. When I am sending mails via this setup to a test spamassassin setup that acts as an email receiver server, I am getting high spam scores as follows:
>>
>> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>>
>> As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399
>
> no, since the ip address in question is, by definition, an unroutable ip, and should never be seen in a received list
>
> (I am just guessing:
>
> Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by

That should not be a problem in and of itself... 169.254.0.0/16 is intended for link-local.. (see RFCs 5735 and 3330)

It might or might not be less than ideal to use addresses in 169.254.0.0/16 for the communication between one machine and a smarthost on a LAN, but far from illegal.

169.254.0.0/16 is also notably *not* mentioned in the wiki for RCVD_ILLEGAL_IP: http://wiki.apache.org/spamassassin/Rules/RCVD_ILLEGAL_IP

All that said, RCVD_ILLEGAL_IP _used to_ hit on IPs 169.254.0.0/16, but AFAIK that changed with 3.3.

See also: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6460

And: http://svn.apache.org/viewvc/spamassassin/branches/3.3/rules/20_head_tests.cf?view=markup#l423

# must keep it in sync with http://www.iana.org/assignments/ipv4-address-space/
header RCVD_ILLEGAL_IP X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?=\d+\.\d+\.\d+\.\d+ )(?:0|2(?:2[4-9]|[3-5]\d)|192\.0\.2|198\.51\.100|203\.0\.113)\./
describe RCVD_ILLEGAL_IP Received: contains illegal IP address

IOW, 196.254.0.0/16 no longer matches as of 3.3

> You have a microsoft cluster, where microsoft thought it would be a good idea to use 169.254.0.0/16 ip addresses?)

It's really not that horrible an idea..

> Bring this up with microsoft, have them 'fix' this.

Or better yet, the OP should bring it up with whoever is running the test spamassassin instance and get them to upgrade it.

--
Joe Sniderman joseph.snider...@thoroquel.org
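
The 3.3 rule quoted in the message above, exercised against constructed relay entries (an added example, not part of the original thread or of the SpamAssassin code base). The regex is copied from the quoted rule and run with Python's `re` rather than Perl; the relay-entry layout, the host names and the range labels are assumptions made for illustration.

```python
import ipaddress
import re

# Regex copied from the 3.3 RCVD_ILLEGAL_IP rule quoted in the thread.
RCVD_ILLEGAL_IP = re.compile(
    r" (?:by|ip)=(?=\d+\.\d+\.\d+\.\d+ )"
    r"(?:0|2(?:2[4-9]|[3-5]\d)|192\.0\.2|198\.51\.100|203\.0\.113)\."
)

# Readable labels for the ranges under discussion (names are assumptions).
LABELLED_NETS = [
    ("this-network", "0.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),
    ("documentation", "192.0.2.0/24"),
    ("documentation", "198.51.100.0/24"),
    ("documentation", "203.0.113.0/24"),
    ("multicast", "224.0.0.0/4"),
    ("reserved", "240.0.0.0/4"),
]

def relay_entry(ip, by="mx.example.net"):
    """Build one constructed X-Spam-Relays-Untrusted entry (assumed layout)."""
    return (f"[ ip={ip} rdns= helo=sender.example.org by={by} "
            f"ident= envfrom= intl=0 id=ABC123 auth= msa=0 ]")

def classify(ip):
    """Return the label of the first listed range containing ip, else 'other'."""
    addr = ipaddress.ip_address(ip)
    for label, net in LABELLED_NETS:
        if addr in ipaddress.ip_network(net):
            return label
    return "other"

def rule_hits(relays_untrusted):
    """True if the quoted 3.3 regex matches the relay metadata string."""
    return RCVD_ILLEGAL_IP.search(relays_untrusted) is not None

def report(ips):
    """(ip, range label, rule hit?) for each address as the ip= field."""
    return [(ip, classify(ip), rule_hits(relay_entry(ip))) for ip in ips]

if __name__ == "__main__":
    # Constructed sample: the two addresses from the thread plus one per range.
    for ip, label, hit in report(["169.254.8.28", "184.72.247.145", "0.1.2.3",
                                  "192.0.2.55", "224.0.0.5", "240.1.1.1"]):
        print(f"{ip:16} {label:14} RCVD_ILLEGAL_IP={'hit' if hit else 'no'}")
```

The lookahead in the rule requires a full dotted quad followed by a space, so a `by=` value that is a host name never matches, while a `by=` value that is an address in one of the listed ranges does.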
Re: Spamassassin 3.3.2 for Ubuntu LTS
On 08/02/2012 19:18, Benny Pedersen wrote:
> aptitude install python-software-properties
> add-apt-repository ppa:patrickdk/general-lucid
> aptitude update
> aptitude install spamassassin spamc
> sa-update
> sa-compile
> /etc/init.d/spamassassin restart
>
> sa-compile needs Mail::SpamAssassin::Plugin::Rule2XSBody in v320.pre else sa-compile is wasted cpu time :-)

Yes, I know :-) Thanks

--
Alessio Cecchi is:
@ ILS - http://www.linux.it/~alessice/
on LinkedIn - http://www.linkedin.com/in/alessice
GNU/Linux Systems Support - http://www.cecchi.biz/
@ PLUG - former President, now senator for life, http://www.prato.linux.it
@ LOLUG - Member http://www.lolug.net
Re: Getting high spam score for email server hosted on AWS instance
On 02/10/2012 02:16 AM, Sharma, Ashish wrote:
> The cluster with which I am facing the problem is a different one. The node for which I am getting a high spam score has the following details:
>
> cloudemail5.cpgtest.ostinet.net (184.72.247.145)

No other Received lines?

--
Joe Sniderman joseph.snider...@thoroquel.org