Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/08/2013 03:52 AM, Andrzej A. Filip wrote: On 04/08/2013 05:12 AM, Thomas Cameron wrote: [...] I want to delete any spam that scores over 10, though. I believe that I should insert a new rule between the first and second, and I want to use the X-Spam-Level header. But since it uses asterisks, which are interpreted as regex wildcards, I want to make sure I've got the right syntax. I think I would need to escape out the asterisks, right? Would it look like this? :0: * ^X-Spam-Level:.*\*\*\*\*\*\*\*\*\*\* /dev/null I believe that would match 10 asterisks or more, and redirect the e-mail to /dev/null. Am I right? I would suggest redirecting such messages to another folder/maildir. The folder should auto-purge old messages (e.g. older than 30 days). Shit does happen. I remember at least one case in which mailing list (ham) thread about spammer scored 10. Such very false positives are very unlikely/rare *but* nobody responsible is going to guarantee it will not happen to you. So, I've set up two IMAP folders, spam for messages which are in the 5-10 range and super-spam which are over 10. I've been watching them since the 7th, when I updated SA and configured it based on Warren Togami's most excellent guide at http://www.spamtips.org/p/ultimate-setup-guide.html. So far the super-spam folder is getting messages at about 10:1 over spam. I have not seen a single FP in super-spam in that time. In fact, I have not seen ANY FPs in either folder. At this point, I'm pretty comfortable just nuking that e-mail instead of wasting space with it. Currently I'm using procmail recipes for individual users, but I'm leaning heavily towards going back to spamass-milter, and rejecting everything that scores 10 or more. I'm definitely open to suggestions, though. The only argument I have seen so far is you might get a FP. While that is absolutely valid, it has not happened so far. If I use spamass-milter, the sender will get a rejection notice, so important senders which trigger FPs will be able to call me and let me know. Otherwise, I don't think the message is that important. ;-) Thoughts? Thomas
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 22.04.13 08:27, Thomas Cameron wrote: Currently I'm using procmail recipes for individual users, but I'm leaning heavily towards going back to spamass-milter, and rejecting everything that scores 10 or more. with thing like spamass-milter I found REFUSING mail (not devnulling!) sa safe. I also use score 10 as rejecting threshold. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Depression is merely anger without enthusiasm.
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/22/2013 03:27 PM, Thomas Cameron wrote: On 04/08/2013 03:52 AM, Andrzej A. Filip wrote: On 04/08/2013 05:12 AM, Thomas Cameron wrote: [...] I want to delete any spam that scores over 10, though. I believe that I should insert a new rule between the first and second, and I want to use the X-Spam-Level header. But since it uses asterisks, which are interpreted as regex wildcards, I want to make sure I've got the right syntax. I think I would need to escape out the asterisks, right? Would it look like this? :0: * ^X-Spam-Level:.*\*\*\*\*\*\*\*\*\*\* /dev/null I believe that would match 10 asterisks or more, and redirect the e-mail to /dev/null. Am I right? I would suggest redirecting such messages to another folder/maildir. The folder should auto-purge old messages (e.g. older than 30 days). Shit does happen. I remember at least one case in which mailing list (ham) thread about spammer scored 10. Such very false positives are very unlikely/rare *but* nobody responsible is going to guarantee it will not happen to you. So, I've set up two IMAP folders, spam for messages which are in the 5-10 range and super-spam which are over 10. I've been watching them since the 7th, when I updated SA and configured it based on Warren Togami's most excellent guide at http://www.spamtips.org/p/ultimate-setup-guide.html. So far the super-spam folder is getting messages at about 10:1 over spam. I have not seen a single FP in super-spam in that time. In fact, I have not seen ANY FPs in either folder. At this point, I'm pretty comfortable just nuking that e-mail instead of wasting space with it. Currently I'm using procmail recipes for individual users, but I'm leaning heavily towards going back to spamass-milter, and rejecting everything that scores 10 or more. I'm definitely open to suggestions, though. The only argument I have seen so far is you might get a FP. While that is absolutely valid, it has not happened so far. If I use spamass-milter, the sender will get a rejection notice, so important senders which trigger FPs will be able to call me and let me know. Otherwise, I don't think the message is that important. ;-) Thoughts? False positives in super-spam (10 SA score) should be very rare. Are you ready/willing to report spam you receive to spamcop.net, razor, pyzor, ...?
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
Andrzej A. Filip skrev den 2013-04-22 16:29: Are you ready/willing to report spam you receive to spamcop.net, razor, pyzor, ...? or dnswl, return-path ? :) -- senders that put my email into body content will deliver it to my own trashcan, so if you like to get reply, dont do it
Re: Calling spamassassin directly yields very different results than calling spamassassin via amavis-new
On 4/20/2013 3:20 PM, Benny Pedersen wrote: Ben Johnson skrev den 2013-04-20 05:02: Yes, I believe that me and the system always execute SA commands as the amavis user. When I was using the SQL setup, I had the following in local.cf: bayes_path /var/lib/amavis/.spamassassin/bayes is amavis have homedir in /var/lib/ ? The amavis user's home directory is /var/lib/amavis. This seems to be the default on Ubuntu; I didn't change this path. in gentoo its default as /var/amavis where the .spamassassin dir is created by amavisd use user_prefs to set bayes_path does not make sense if sql is used Thanks; I did comment-out the bayes_path directive. I figured that it wouldn't matter whether it is commented or not, in the presence of SQL-related directives, but it can't hurt to comment-out this line. With the DBM setup, I had the following (I have since commented it out, while attempting to debug this Bayes issue): bayes_sql_override_username amavis +1 to this one since amavis cant use multiple sa users very easy, but depending on what amavis it being supported with complicated setups :( I only need one Bayes user, so this setup is adequate. i changed away from amavisd to clamav-milter, spampd in postfix after queue, this is working very well for me, and i hope sa 3.4.x will not break spampd :=) Hmm, I will consider your sound advice in this regard. amavis does seem to be overly memory-hungry (despite setting $max_servers = 1 and $max_requests = 1). If there is a better alternative, I'm all ears (or eyes, as the case may be). Is something more required to ensure that my mail system, which runs under the amavis user, is always reading from and writing to the same DB? nope just remember that amavis also reads .spamassassin/user_prefs if you like you can copy that user_prefs to /root/.spamassassin so you dont have to remember something :) user_prefs should ONLY be readble by that user that runs it Thanks for pointing this out. I will double-check the permissions. I'll respond to your other email momentarily. Thanks, Benny! -Ben
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/22/2013 09:03 AM, Matus UHLAR - fantomas wrote: On 22.04.13 08:27, Thomas Cameron wrote: Currently I'm using procmail recipes for individual users, but I'm leaning heavily towards going back to spamass-milter, and rejecting everything that scores 10 or more. with thing like spamass-milter I found REFUSING mail (not devnulling!) sa safe. I also use score 10 as rejecting threshold. Yeah, exactly what I had in mind.
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 04/22/2013 09:29 AM, Andrzej A. Filip wrote: False positives in super-spam (10 SA score) should be very rare. Exactly my point. Are you ready/willing to report spam you receive to spamcop.net, razor, pyzor, ...? That's an interesting question... Each user has their own spam folders, so I guess I should create a cron job per user to do so, maybe? Does anyone do that? Is it smart? TC
Re: Dev-nulling is a bad idea [Was: Verifying .procmailrc settings to delete high scoring spam messages]
On 2013/04/22 06:27, Thomas Cameron wrote:
On 04/08/2013 03:52 AM, Andrzej A. Filip wrote:
On 04/08/2013 05:12 AM, Thomas Cameron wrote:
[...]
I want to delete any spam that scores over 10, though. I believe that I
should insert a new rule between the first and second, and I want to use
the X-Spam-Level header. But since it uses asterisks, which are
interpreted as regex wildcards, I want to make sure I've got the right
syntax. I think I would need to escape out the asterisks, right?
Would it look like this?
:0:
* ^X-Spam-Level:.*\*\*\*\*\*\*\*\*\*\*
/dev/null
I believe that would match 10 asterisks or more, and redirect the e-mail
to /dev/null. Am I right?
I would suggest redirecting such messages to another folder/maildir.
The folder should auto-purge old messages (e.g. older than 30 days).
Shit does happen. I remember at least one case in which mailing list
(ham) thread about spammer scored 10.
Such very false positives are very unlikely/rare *but* nobody
responsible is going to guarantee it will not happen to you.
So, I've set up two IMAP folders, spam for messages which are in the 5-10
range and super-spam which are over 10. I've been watching them since the 7th,
when I updated SA and configured it based on Warren Togami's most excellent
guide at http://www.spamtips.org/p/ultimate-setup-guide.html.
So far the super-spam folder is getting messages at about 10:1 over spam. I
have not seen a single FP in super-spam in that time. In fact, I have not seen
ANY FPs in either folder.
At this point, I'm pretty comfortable just nuking that e-mail instead of wasting
space with it.
Currently I'm using procmail recipes for individual users, but I'm leaning
heavily towards going back to spamass-milter, and rejecting everything that
scores 10 or more.
I'm definitely open to suggestions, though. The only argument I have seen so far
is you might get a FP. While that is absolutely valid, it has not happened so
far. If I use spamass-milter, the sender will get a rejection notice, so
important senders which trigger FPs will be able to call me and let me know.
Otherwise, I don't think the message is that important. ;-)
Thoughts?
Thomas
Thomas, you are still better off using a spam folder or simply a
subject modification that allows easy spam ranking in a spam folder.
I setup a markup such that subjects look much like this:
Subject: *SPAM* 016.2 ** Do you have a mesh implant {removed]
That allows me to put anything marked *SPAM* at the start of
the subject as spam. And it allows me to sort the spam for how spammy
it is. I can then whiff through the spam in moments to find things
that were miscategorized as spam and salvage them. I (very rarely)
find ham in the spam with scores over 10 on some mailing lists. There
are some people who persist in using tools that invite spam scores
and include messages that look surprisingly spammy in their formatting.
(Source code can VERY often trigger some spam scores, for example.)
And as sure as Murphy's law seems to work with uncanny precision you
will find over the years at least one email among the spam that could
have cost you either a lot of money, a lot of time, critical information,
or lost opportunity.
I've nuked some jerks with /dev/null before it even hits spamassassin.
But I've never nuked merely on the basis of spam scores. That led me
to a job when a friend sent me a note about an opportunity he thought
I could do when he had his hands full. It was caught as spam. And I am
glad I checked and noticed his address. That pushed me to check the mail
(plain text) and discover it was legitimate despite containing a few
spammy words or phrases.
Use the mark up to make it easy for you to prioritize your spam scan. I
get 16 to 100 spams a day, depending on day of the week. A quick scan of
the spam folder costs almost no time, no frustration, and seems worth it
to me. Being able to tell T'bird to sort the mail by score REALLY makes
it go fast.
{^_^}
