Re: Uptick in false negatives - filter check?
On 11/7/2013 6:00 PM, Owen Mehegan wrote: Thanks in advance for any advice anyone can offer! fwiw, of the 4 spam examples, ivmURI had blacklisted one or more domains in ALL 4 out of 4 samples at least several minutes BEFORE those spams hit your server (some days or weeks before). In a large portion of those (1/2 or more), I'm fairly sure that ivmURI was the ONLY URI/domain blacklist to have the domain blacklisted at the time the message hit your network. (I'm unable to verify if DBL had caught it at that time and/or some of those could have been a game of inches where ivmURI and other lists had just listed it moments before and it would be somewhat of a propagation issue... but, overall, I think if I provided the date/times that these were blacklisted on ivmURI... that assertion would check out and the raw data would be rather impressive!) If you keep seeing these, check the domains on multirbl.valli.org ...and you'll see in real time what I'm talking about! -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
RE: custom rules header check please
Thank you and Benny for your help. I put those in place and all looks well.

We had one captured this morning but wondered if you can explain in the log below which seems as if it has been deleted, yet then allowed:

    Nov 8 10:05:04 plesk3 spamd[11926]: spamd: result: Y 9 - AEXP_ALL,DCC_CHECK,RCVD_IN_HOSTKARMA_BL,UNPARSEABLE_RELAY scantime=0.7,size=18986,user=qscand,uid=10002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47653,mid=shov1hc5576j48ym3pyut8fb2ak1d...@gateway.gov.local,autolearn=disabled

    Nov 8 10:05:04 plesk3 qmail-scanner-queue.pl: qmail-scanner[18522]: SA:SPAM-DELETED:RC:0(41.215.42.242):SA:1(9.1/5.0): 0.874234 18933 gateway.confirmat...@gateway.gov.uk u...@domain.com Could_not_process_Online_Submission_for_Reference_475/RA1997980 shov1hc5576j48ym3pyut8fb2ak1d...@gateway.gov.local Submission_RA1997980.zip:10086

    Nov 8 10:05:04 plesk3 spamdyke[18489]: ALLOWED from: gateway.confirmat...@gateway.gov.uk to: u...@domain.com origin_ip: 41.215.42.242 origin_rdns: mail.domain.com auth: (unknown) encryption: (none) reason: 250_ok_1383905104_qp_18522

Kind Regards,
Christoph

From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: 07 November 2013 15:50
To: users@spamassassin.apache.org
Subject: Re: custom rules header check please

On 11/7/2013 10:40 AM, emailitis.com wrote:

I am getting lots of Spam which shows on the maillog as:

    Nov 7 10:50:39 plesk3 qmail-scanner-queue.pl: qmail-scanner[6974]: Clear:RC:0(217.92.121.114):SA:1(5.9/5.0): 9.209114 16127 fr...@aexp.com

Or

    Nov 7 10:15:36 plesk3 spamdyke[26254]: ALLOWED from: administrator+98453-927...@dcbltd.exvm.com to: u...@domain.com origin_ip: 193.133.125.41 origin_rdns: mta18.evmailer.com auth: (unknown) encryption: (none) reason: 250_ok_1383819336_qp_26270

I want to write some custom rules that can capture part of this (because on the actual emails, the sender often purports to be from someone totally different). Will the following work in my custom_rules.cf?:

    header AEXP_ALL ALL =~ /aexp\.com/i
    score AEXP_ALL 4
    header EXVM_ALL ALL =~ /exvm\.com/i
    score EXVM_ALL 4

That will work, but you should watch for false positives. I would suggest anchoring it a bit as a first step.

    header AEXP_ALL ALL =~ /\baexp\.com\b/i

This will catch any emails that have the string aexp.com anywhere in the header. The \b represents a word boundary so that u...@aexp.com or blah.aexp.com will match, but naexp.com will not.

--
Bowie
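The effect of the \b anchoring described above, measured against look-alike header values. This is an added example, not code from the thread: the header lines are constructed, and the "domain_boundary" pattern is a hypothetical stricter variant that nobody in the thread proposed.

```python
import re

# All three are compiled case-insensitively, like the /i flag on the posted rules.
PATTERNS = {
    # Body of the rule as first posted: plain substring match.
    "substring": re.compile(r"aexp\.com", re.I),
    # The anchored form suggested in the reply: word boundaries on both sides.
    "word_boundary": re.compile(r"\baexp\.com\b", re.I),
    # Hypothetical stricter variant (assumption, not from the thread): also
    # rejects a leading hyphen and a trailing ".label", which \b lets through
    # because "-" and "." are not word characters.
    "domain_boundary": re.compile(r"(?<![\w-])aexp\.com(?![\w-]|\.[\w-])", re.I),
}

# Constructed header lines: (text, True if it really names aexp.com or a subdomain)
SAMPLES = [
    ("From: user@aexp.com", True),
    ("Received: from blah.aexp.com (blah.aexp.com [192.0.2.1])", True),
    ("Message-ID: <123@AEXP.COM>", True),
    ("From: promo@naexp.com", False),
    ("Return-Path: <bounce@aexp.com.mailer.example>", False),
    ("From: info@not-aexp.com", False),
    ("Reply-To: offers@aexp.community.example", False),
]


def evaluate(patterns=PATTERNS, samples=SAMPLES):
    """Return, per pattern, the header lines it wrongly hits and wrongly misses."""
    report = {}
    for name, rx in patterns.items():
        hits_unwanted = [h for h, wanted in samples if rx.search(h) and not wanted]
        misses_wanted = [h for h, wanted in samples if wanted and not rx.search(h)]
        report[name] = {
            "false_positives": hits_unwanted,
            "false_negatives": misses_wanted,
        }
    return report


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name)
        for line in result["false_positives"]:
            print("  false positive:", line)
        for line in result["false_negatives"]:
            print("  false negative:", line)
```

The stricter pattern uses only lookarounds that Perl regular expressions also support, so it could be tried in a rule body after testing against real mail.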
Re: Rule to delete emails with empty subject.
On Fri, 8 Nov 2013 00:10:01 -0600 Sergio wrote:

Hi all, I tried this rule to stop emails with an empty subject, but it didn't work:

    header SUBJECT_EMPTY SUBJECT =~ /^$/i
    describe SUBJECT_EMPTY EMPTY SUBJECT
    score SUBJECT_EMPTY 11

Any hint on what is wrong?

I pasted this into my local.cf and it worked for me.
Re: custom rules header check please
On 11/8/2013 6:59 AM, emailitis.com wrote:

Thank you and Benny for your help. I put those in place and all looks well.

We had one captured this morning but wondered if you can explain in the log below which seems as if it has been deleted, yet then allowed:

    Nov 8 10:05:04 plesk3 spamd[11926]: spamd: result: Y 9 - *AEXP_ALL*,DCC_CHECK,RCVD_IN_HOSTKARMA_BL,UNPARSEABLE_RELAY scantime=0.7,size=18986,user=qscand,uid=10002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47653,mid=shov1hc5576j48ym3pyut8fb2ak1d...@gateway.gov.local,autolearn=disabled

    Nov 8 10:05:04 plesk3 qmail-scanner-queue.pl: qmail-scanner[18522]: SA:*SPAM-DELETED*:RC:0(41.215.42.242):SA:1(9.1/5.0): 0.874234 18933 gateway.confirmat...@gateway.gov.uk u...@domain.com Could_not_process_Online_Submission_for_Reference_475/RA1997980 shov1hc5576j48ym3pyut8fb2ak1d...@gateway.gov.local Submission_RA1997980.zip:10086

    Nov 8 10:05:04 plesk3 spamdyke[18489]: *ALLOWED* from: gateway.confirmat...@gateway.gov.uk to: u...@domain.com origin_ip: 41.215.42.242 origin_rdns: mail.domain.com auth: (unknown) encryption: (none) reason: 250_ok_1383905104_qp_18522

Can't really help you with that one. Spamd marked it as spam. Then it looks like qmail-scanner-queue.pl deleted it. And then spamdyke allowed it. I'm not familiar with either qmail-scanner-queue.pl or spamdyke, so I don't know how they work or exactly how to interpret their log entries. I'm assuming the spamdyke entry is referring to the same message, but I'm not sure since that log line doesn't give the message id.

There is something in the qmail-scanner-queue.pl line that says Could_not_process_Online_Submission_for_Reference_475/RA1997980. That might be relevant.

--
Bowie
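One way to tie the three log lines above to a single message, as an added example that is not part of the thread and not code from qmail-scanner or spamdyke. It assumes that the qp number in spamdyke's reason field is the PID of the qmail-scanner process that queued the message (the two numbers agree in the lines quoted above) and that spamd's mid value reappears in the qmail-scanner line; the sample log lines, addresses and IPs are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the format quoted in the thread (placeholder values).
SAMPLE_LOG = """\
Nov 8 10:05:04 mx1 spamd[11926]: spamd: result: Y 9 - AEXP_ALL,DCC_CHECK scantime=0.7,size=18986,user=qscand,uid=10002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47653,mid=<c0ffee01@sender.example>,autolearn=disabled
Nov 8 10:05:04 mx1 qmail-scanner-queue.pl: qmail-scanner[18522]: SA:SPAM-DELETED:RC:0(192.0.2.10):SA:1(9.1/5.0): 0.874234 18933 bounce@sender.example user@rcpt.example Some_Subject <c0ffee01@sender.example> report.zip:10086
Nov 8 10:05:04 mx1 spamdyke[18489]: ALLOWED from: bounce@sender.example to: user@rcpt.example origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: 250_ok_1383905104_qp_18522
Nov 8 10:07:11 mx1 qmail-scanner-queue.pl: qmail-scanner[18630]: Clear:RC:0(198.51.100.7):SA:0(1.2/5.0): 0.512000 2048 alice@peer.example user@rcpt.example Hello <feedbeef@peer.example>
Nov 8 10:07:11 mx1 spamdyke[18601]: ALLOWED from: alice@peer.example to: user@rcpt.example origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: 250_ok_1383905231_qp_18630
"""

SPAMD = re.compile(
    r"spamd\[\d+\]: spamd: result: (?P<flag>\S) (?P<score>-?\d+) - (?P<rules>\S*) "
    r".*?\bmid=<?(?P<mid>[^>,\s]+)")
SCANNER = re.compile(
    r"qmail-scanner\[(?P<pid>\d+)\]: (?P<action>.+?):RC:\d+\((?P<ip>[^)]+)\)"
    r":SA:\d+\((?P<score>[-\d.]+)/(?P<required>[-\d.]+)\):(?P<rest>.*)")
SPAMDYKE = re.compile(
    r"spamdyke\[\d+\]: (?P<verdict>[A-Z_]+) from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) .*reason: 250_ok_(?P<epoch>\d+)_qp_(?P<qp>\d+)")


def correlate(log_text):
    """Join spamdyke, qmail-scanner and spamd lines into one record per message."""
    lines = log_text.splitlines()
    spamd_by_mid, scanner_by_pid = {}, {}
    for line in lines:
        m = SPAMD.search(line)
        if m:
            spamd_by_mid[m["mid"]] = m.groupdict()
        m = SCANNER.search(line)
        if m:
            # PIDs are reused over time; a real tool would also window by timestamp.
            scanner_by_pid[m["pid"]] = m.groupdict()

    records = []
    for line in lines:
        m = SPAMDYKE.search(line)
        if not m:
            continue
        scan = scanner_by_pid.get(m["qp"])
        if scan is not None and scan["ip"] != m["ip"]:
            scan = None  # same number but a different connection: do not join
        spamd = None
        if scan:
            spamd = next((s for mid, s in spamd_by_mid.items()
                          if mid in scan["rest"]), None)
        accepted = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
        records.append({
            "smtp_verdict": m["verdict"],               # what the SMTP client saw
            "accepted_at_utc": accepted.isoformat(),    # epoch from the 250 reply
            "queue_pid": int(m["qp"]),
            "content_action": scan["action"] if scan else None,
            "score": float(scan["score"]) if scan else None,
            "rules": spamd["rules"].split(",") if spamd else [],
            "dropped_after_accept": bool(scan) and "DELETED" in scan["action"],
        })
    return records


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print(rec)
```

Under these assumptions an ALLOWED line and a SPAM-DELETED line for the same message describe two different stages: the SMTP transaction was accepted, and the content scanner then dropped the message.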
spamc -L apparently not working properly
Hey there,

I am using Debian Wheezy here (therefore, Exim + Dovecot for e-mail), and I am still deciding how to run SpamAssassin. I am divided between running it by directly calling spamassassin, or by running spamd and calling spamc. Both methods are going to be used via my .procmailrc.

Well, but so far I have been testing spamd + spamc because it is the Debian recommended way. I still haven't enabled it via .procmailrc, and just did tests by calling spamc via CLI.

However, I am seeing a strange behavior when I try to feed spamd with a false-negative message. Here's what I am doing:

    # spamc -c < spam.file
    0.0/5.0
    # spamc -L spam < spam.file
    (successful message saying that the spam was learned)
    # spamc -c < spam.file
    0.0/5.0

I have already updated my Bayesian database, restarted the spamd service, etc. I was expecting that I'd get a high rate after feeding the spam to SpamAssassin, but that's not happening. Any suggestions?

I am running spamd with the following options:

    --create-prefs --max-children 5 --helper-home-dir --allow-tell

And the version I am using is:

    SpamAssassin version 3.3.2 running on Perl version 5.14.2

Comments and suggestions are appreciated.

Thanks!

--
Sergio
Re: spamc -L apparently not working properly
On Fri, 8 Nov 2013, Sergio Durigan Junior wrote:

I am using Debian Wheezy here (therefore, Exim + Dovecot for e-mail), and I am still deciding how to run SpamAssassin. I am divided between running it by directly calling spamassassin, or by running spamd and calling spamc. Both methods are going to be used via my .procmailrc.

Not directly addressing your other questions but: running spamassassin directly is only really suitable for *very* low-traffic environments, as that will parse and compile all of the rules and other config *per message*, which is a lot of overhead. spamc+spamd is strongly recommended for production use.

--
 John Hardin KA7OHZ http://www.impsec.org/~jhardin/
 jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 The more you believe you can create heaven on earth the more likely you are to set up guillotines in the public square to hasten the process. -- James Lileks
---
 3 days until Veterans Day
Scoring in user_prefs
I would like to add a score in user_prefs based on the To header (I have an email that collects several email addresses and I want to add some spamishness indicators).

Does the user_prefs understand the same syntax as the local.cf file? And what would be the best way to say: If the to field is u...@example.com add 1.0 to the spam score

    header __TO_EXAMPLE To =~ /user\@example.com/
    score __TO_EXAMPLE 1.0

?

--
It was intended that when Newspeak had been adopted once and for all and Oldspeak forgotten, a heretical thought...should be literally unthinkable, at least so far as thought is dependent on words.
Re: spamc -L apparently not working properly
On Friday, November 08 2013, John Hardin wrote: Not directly addressing your other questions but: running spamassassin directly is only really suitable for *very* low-traffic environments, as that will parse and compile all of the rules and other config *per message*, which is a lot of overhead. spamc+spamd is strongly recommended for production use. Thanks a lot for the input, John. I guess I will end up using spamd and spamc, after all. I'll just wait for the answer to my question, and then I'll set everything up here. Regards, -- Sergio
RP_MATCHES_RCVD
Some spam has been matching the rule RP_MATCHES_RCVD which is worth -2.8 points. I wanted to look at this rule, so I went to /usr/local/etc/mail/spamassassin and grepped for the name, but no hits.

Where's the rule defined? I thought there was a rules folder, but the only one I can find is one in the source for SA 3.0 (`locate 10_misc.cf`).

    # find /usr/local -name *cf | grep -v postfix
    /usr/local/etc/mail/spamassassin/local.cf
    /usr/local/etc/mail/spamassassin/whitelist.cf
    #

/usr/local/share/spamassassin contains a template, a txt file of the public key, and a file named languages, no rules.

/usr/share/spamassassin does not exist

SpamAssassin version is 3.3.2

--
He was Igor, son of Igor, nephew of several Igors, brother of Igors and cousin of more Igors than he could remember without checking up in his diary. Igors did not change a winning formula. {Footnote: Especially if it was green, and bubbled.}
Re: Scoring in user_prefs
LuKreme wrote:

I would like to add a score in user_prefs based on the To header (I have an email that collects several email addresses and I want to add some spamishness indicators).

Does the user_prefs understand the same syntax as the local.cf file? And what would be the best way to say: If the to field is u...@example.com add 1.0 to the spam score

    header __TO_EXAMPLE To =~ /user\@example.com/
    score __TO_EXAMPLE 1.0

If you want to put full rules in user_prefs files, you'll need to set allow_user_rules in the main configuration. man Mail::SpamAssassin::Conf and scroll down to the RULE DEFINITIONS AND PRIVILEGED SETTINGS section.

-kgd
Re: RP_MATCHES_RCVD
LuKreme wrote:

Some spam has been matching the rule RP_MATCHES_RCVD which is worth -2.8 points. I wanted to look at this rule, so I went to /usr/local/etc/mail/spamassassin and grepped for the name, but no hits.

There was a thread on this rule not too long ago; check the list archives and in the meantime score it down or disable it completely. A fair bit of spam hits this here. :(

It's also been scored down in more recent rule updates; as of a few minutes ago it looks like it's *way* down:

    score RP_MATCHES_RCVD -1.501 -0.001 -1.501 -0.001

Run sa-update regularly to get rule and score updates.

    # find /usr/local -name *cf | grep -v postfix
    /usr/local/etc/mail/spamassassin/local.cf
    /usr/local/etc/mail/spamassassin/whitelist.cf
    #

SA stock rules haven't been shipped in the tarball for quite a while, and IIRC most packages don't include them any more either. They're downloaded by sa-update.

    spamassassin -D --lint 2>&1 | grep LOCAL_STATE

should show the path they're under. On most systems where SA is installed from package, this looks something like /var/lib/spamassassin.

-kgd
Re: spamc -L apparently not working properly
On Fri, 8 Nov 2013, Sergio Durigan Junior wrote:

    # spamc -c < spam.file
    0.0/5.0
    # spamc -L spam < spam.file
    (successful message saying that the spam was learned)
    # spamc -c < spam.file
    0.0/5.0

I have already updated my Bayesian database, restarted the spamd service, etc. I was expecting that I'd get a high rate after feeding the spam to SpamAssassin, but that's not happening. Any suggestions?

Try using sa-learn to train Bayes.

The big thing to keep in mind is that the user running the training needs to be the same user that spamd is running as; if not, depending on your bayes database config, you may be training a different Bayes database than the one spamd is reading.

--
 John Hardin
Re: RP_MATCHES_RCVD
On Fri, 8 Nov 2013, Kris Deugau wrote:

LuKreme wrote:

Some spam has been matching the rule RP_MATCHES_RCVD which is worth -2.8 points. I wanted to look at this rule, so I went to /usr/local/etc/mail/spamassassin and grepped for the name, but no hits.

There was a thread on this rule not too long ago; check the list archives

Yeah, I thought we'd killed that in favor of a subrule. I guess we never actually pulled the trigger on that change... Mark?

and in the meantime score it down or disable it completely. A fair bit of spam hits this here. :(

I'd score it as -0.001 (advisory), as there may still be other meta rules using it rather than the unscored subrule so you don't want to completely disable it.

--
 John Hardin
Re: spamc -L apparently not working properly
On Friday, November 08 2013, John Hardin wrote:

On Fri, 8 Nov 2013, Sergio Durigan Junior wrote:

    # spamc -c < spam.file
    0.0/5.0
    # spamc -L spam < spam.file
    (successful message saying that the spam was learned)
    # spamc -c < spam.file
    0.0/5.0

I have already updated my Bayesian database, restarted the spamd service, etc. I was expecting that I'd get a high rate after feeding the spam to SpamAssassin, but that's not happening. Any suggestions?

Try using sa-learn to train Bayes.

I don't think sa-learn can help with spamd. Its own manpage mentions that, for spamd users, spamc -L is the way to go.

The big thing to keep in mind is that the user running the training needs to be the same user that spamd is running as; if not, depending on your bayes database config, you may be training a different Bayes database than the one spamd is reading.

Hm, really? I thought spamd kept a global Bayes database, and that everyone calling spamc -L would end up feeding this database, and not some local one.

--
Sergio
Re: spamc -L apparently not working properly
On Fri, November 8, 2013 2:39 pm, Sergio Durigan Junior wrote: I don't think sa-learn can help with spamd. Its own manpage mention that, for spamd users, spamc -L is the way to go. Hm, really? I thought spamd kept a global Bayes database, and that everyone calling spamc -L would end up feeding this database, and not some local one. It depends on how spamc is called. If spamd is running as root and spamc is called with the -u flag, then spamd will su to the named user, and will then use that user's local database (and local prefs, if allow_user_prefs is enabled). spamc -L -u would work on the local database; spamc -L (without -u) would work on the database applicable to the spamd user. It all depends on whether you want your users to have individual databases tailored to their own spam/ham, or a global database. --- Amir
Re: spamc -L apparently not working properly
On Fri, 8 Nov 2013, Sergio Durigan Junior wrote:

On Friday, November 08 2013, John Hardin wrote:

On Fri, 8 Nov 2013, Sergio Durigan Junior wrote:

    # spamc -c < spam.file
    0.0/5.0
    # spamc -L spam < spam.file
    (successful message saying that the spam was learned)
    # spamc -c < spam.file
    0.0/5.0

I have already updated my Bayesian database, restarted the spamd service, etc. I was expecting that I'd get a high rate after feeding the spam to SpamAssassin, but that's not happening. Any suggestions?

Try using sa-learn to train Bayes.

I don't think sa-learn can help with spamd. Its own manpage mentions that, for spamd users, spamc -L is the way to go.

Not true. sa-learn is just fine for spamd with a global Bayes database, and it's recommended for administrative simplicity if you have that environment.

The big thing to keep in mind is that the user running the training needs to be the same user that spamd is running as; if not, depending on your bayes database config, you may be training a different Bayes database than the one spamd is reading.

Hm, really? I thought spamd kept a global Bayes database, and that everyone calling spamc -L would end up feeding this database, and not some local one.

Global vs. per-user Bayes databases is a site-specific config. However, it should be consistent - spamd should be reading from and training to the bayes database of the user running spamc, so I don't off the top of my head know why it doesn't appear to be working for you.

What are the Bayes database statistics before and after running spamc -L? (sa-learn --dump magic)

I use a global database and sa-learn, so I don't have any direct experience with spamc -L quirks, sorry. That's why I suggested sa-learn.

--
 John Hardin
Re: spamc -L apparently not working properly
On Friday, November 08 2013, Amir Caspi wrote: On Fri, November 8, 2013 2:39 pm, Sergio Durigan Junior wrote: I don't think sa-learn can help with spamd. Its own manpage mention that, for spamd users, spamc -L is the way to go. Hm, really? I thought spamd kept a global Bayes database, and that everyone calling spamc -L would end up feeding this database, and not some local one. It depends on how spamc is called. If spamd is running as root and spamc is called with the -u flag, then spamd will su to the named user, and will then use that user's local database (and local prefs, if allow_user_prefs is enabled). spamc -L -u would work on the local database; spamc -L (without -u) would work on the database applicable to the spamd user. My spamd is currently running as root, but I am thinking about changing it to run using Debian's pre-setup user (debian-spamd). Unless you guys have better recommendations. It all depends on whether you want your users to have individual databases tailored to their own spam/ham, or a global database. The problem with having a user-tailored database is that I will have to run sa-update for every user, right? Currently, Debian provides the aforementioned spamd user (debian-spamd) and runs sa-update on behalf of it. Therefore, I believe using a global database is probably better in this case. What's your opinion? -- Sergio
Re: spamc -L apparently not working properly
On Fri, November 8, 2013 2:56 pm, Sergio Durigan Junior wrote: The problem with having a user-tailored database is that I will have to run sa-update for every user, right? No, or at least, not that I've seen. If spamd is running as root, it will load the sa-update rules from the root installation (/var/lib/spamassassin); it will only su to the user when called by spamc, and then it will only load that user's local Bayes DB and local rules (if enabled); it doesn't have to load any of the main rules, which are kept in memory from when spamd was first initiated (and were loaded from the root installation). This is also why it's important to restart spamd when sa-update actually updates rules (the sa-update cron script should do this for you). At least, this is how it works on my system, which has a pretty vanilla install of SA. Even if your users are running spamassassin versus spamc, it should be able to read the rules in the root install location, as long as your users have read permission. If you're running on a virtual host platform with multiple chroot environments (e.g. cPanel, Parallels Pro Control Panel, etc.) then you may need to run sa-update for each environment, but you should still only need the one root install (and one sa-update command) for running spamd as root. What's your opinion? I would run spamd as root and initiate spamc with the -u option, to allow each user to have his/her own Bayes DB. However, again, it really depends on what kind of email system you're running, and how you want to handle spam. If you're running a corporate server, you might prefer a global DB; if you're running a server with personal users whose email characteristics vary widely, you might prefer per-user DBs. For my setup, I prefer per-user DBs. --- Amir
Re: spamc -L apparently not working properly
On Fri, 2013-11-08 at 16:09 -0200, Sergio Durigan Junior wrote:

    # spamc -c < spam.file
    0.0/5.0
    # spamc -L spam < spam.file
    (successful message saying that the spam was learned)
    # spamc -c < spam.file
    0.0/5.0

You mentioned that's a fresh install, actually not even in production yet. The Bayes sub-system requires some training (minimum of 200 ham and spam each) by default, before Bayes rules kick in for scanning.

Instead of -c check only, use the -R option to print the report. You'll notice there is no BAYES_xx rule (yet).

I have already updated my Bayesian database, restarted the spamd

I'm curious -- what does updating your Bayes db mean?

service, etc. I was expecting that I'd get a high rate after feeding the spam to SpamAssassin, but that's not happening. Any suggestions?

In addition to required initial training: The Bayesian classifier works on a per-token (think: word) basis. Thus, depending on the tokens in the message and existing ones in the db, the impact of learning can vary quite a lot -- from hardly noticeable to clear detection.

--
char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
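Two checks raised in this thread can be read off `sa-learn --dump magic` output taken before and after a learn: whether the learn reached the database being dumped, and whether the default minimum of 200 spam and 200 ham has been met. The following is an added example, not code from the thread or from SpamAssassin; the dump text is constructed and the function names are hypothetical.

```python
import re

# Defaults of the bayes_min_spam_num / bayes_min_ham_num settings.
MIN_SPAM = 200
MIN_HAM = 200

# A "magic" line has four numeric columns followed by "non-token data: <name>";
# the counter value is in the third column.
MAGIC_LINE = re.compile(
    r"^\s*\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data: (.+?)\s*$")


def sample_dump(nspam, nham, ntokens):
    """Build constructed text in the layout printed by `sa-learn --dump magic`."""
    rows = [("bayes db version", 3), ("nspam", nspam), ("nham", nham),
            ("ntokens", ntokens)]
    return "\n".join(
        "%3.3f %10d %10d %10d  non-token data: %s" % (0.0, 0, value, 0, name)
        for name, value in rows)


def parse_dump_magic(text):
    """Return the counters as a dict, e.g. {'nspam': 5, 'nham': 0, ...}."""
    counters = {}
    for line in text.splitlines():
        m = MAGIC_LINE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def diagnose(before_text, after_text, learned_as="spam",
             min_spam=MIN_SPAM, min_ham=MIN_HAM):
    """Compare two dumps taken around one learn and explain a flat score."""
    before = parse_dump_magic(before_text)
    after = parse_dump_magic(after_text)
    key = "nspam" if learned_as == "spam" else "nham"

    findings = []
    if after.get(key, 0) <= before.get(key, 0):
        # The counter did not move: either the message was already learned, or
        # the learn went to another user's database than the one dumped here.
        findings.append("learn_not_recorded")

    spam_needed = max(0, min_spam - after.get("nspam", 0))
    ham_needed = max(0, min_ham - after.get("nham", 0))
    if spam_needed:
        findings.append("below_min_spam")
    if ham_needed:
        findings.append("below_min_ham")

    return {
        "bayes_active": spam_needed == 0 and ham_needed == 0,
        "spam_needed": spam_needed,
        "ham_needed": ham_needed,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed situation close to the one described: a handful of spam
    # learned, no ham yet, one more spam fed in.
    print(diagnose(sample_dump(4, 0, 310), sample_dump(5, 0, 395)))
```

Run the dump as the same user whose database spamd reads, otherwise the comparison describes a different database.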
Re: spamc -L apparently not working properly
On Friday, November 08 2013, John Hardin wrote: I don't think sa-learn can help with spamd. Its own manpage mention that, for spamd users, spamc -L is the way to go. Not true. sa-learn is just fine for spamd with a global Bayes database, and it's recommended for administrative simplicity if you have that environment. Aha, interesting, thanks for explaining. Global vs. per-user Bayes databases is a site-specific config. However, it should be consistent - spamd should be reading from and training to the bayes database of the user running spamc, so I don't off the top of my head know why it dosn't appear to be working for you. What are the Bayes database statistics before and after running spamc -L? (sa-learn --dump magic) I use a global database and sa-learn, so I don't have any direct experience with spamc -L quirks, sorry. That's why I suggested sa-learn. Nice, thank you. I am more inclined to use a per-user database, and call spamc -u myuser -L spam. Let's see how that goes. -- Sergio
Re: spamc -L apparently not working properly
On Fri, 2013-11-08 at 14:45 -0700, Amir 'CG' Caspi wrote:

On Fri, November 8, 2013 2:39 pm, Sergio Durigan Junior wrote:

I don't think sa-learn can help with spamd. Its own manpage mentions that, for spamd users, spamc -L is the way to go.

Fundamentally, there is no difference between sa-learn and spamc -L.

Hm, really? I thought spamd kept a global Bayes database, and that everyone calling spamc -L would end up feeding this database, and not some local one.

It depends on how spamc is called. If spamd is running as root and spamc is called with the -u flag, then spamd will su to the named user, and will then use that user's local database (and local prefs, if allow_user_prefs is enabled). spamc -L -u would work on the local database; spamc -L (without -u) would work on the database applicable to the spamd user.

The latter is incorrect -- spamc by default sends the effective user ID, and spamd switches users before processing the mail (assuming the daemon has been started as root). The -u user option is only necessary to change that default.
Re: spamc -L apparently not working properly
On Fri, 2013-11-08 at 20:18 -0200, Sergio Durigan Junior wrote:

Nice, thank you. I am more inclined to use a per-user database, and call spamc -u myuser -L spam. Let's see how that goes.

The real difference between sa-learn and spamc -L is how to feed it.

The spamc way expects a single message on STDIN, which usually is most applicable for integration with your MUA. It also easily enables mail storage and SA to be on different machines.

sa-learn expects the message(s) as file name. Requires direct access of the mail storage, but enables training of entire mail folders with a single command.
Re: Rule to delete emails with empty subject.
On Fri, 2013-11-08 at 00:10 -0600, Sergio wrote:

I tried this rule to stop emails with an empty subject, but it didn't work:

The rule is fine, though the score is a tiiiny bit excessive. You'll have to elaborate on trying and doesn't work.
Re: spamc -L apparently not working properly
On Fri, November 8, 2013 3:24 pm, Karsten Bräckelmann wrote: The latter is incorrect -- spamc by default sends the effective user ID, and spamd switches users before processing the mail (assuming the daemon has been started as root). The -u user option is only necessary to change that default. Whoops, you're perfectly right. On a system where spamc is run as some fixed user (e.g. nobody), you need the -u option to get the per-user options to work correctly. If spamc is being run as the receiving user already (e.g. via procmail, barring some weird setuid behavior) then you don't need the -u option (although it won't break anything if you use it, it's just unnecessary). Sorry for the incomplete info. --- Amir
Re: Scoring in user_prefs
On 08 Nov 2013, at 13:42 , Kris Deugau kdeu...@vianet.ca wrote: If you want to put full rules in user_prefs files, you'll need to set allow_user_rules in the main configuration. man Mail::SpamAssassin::Conf and scroll down to the RULE DEFINITIONS AND PRIVILEGED SETTINGS section. Thank you! -- It wasn't that her [Susan's] parents didn't believe in such things. They didn't need to believe in them. They knew they existed. They just wished they didn't.
Re: RP_MATCHES_RCVD
On 08 Nov 2013, at 13:53 , Kris Deugau kdeu...@vianet.ca wrote: SA is installed from package, this looks something like /var/lib/spamassassin. Ah, /var/db/spamassassin I would never have found them. thanks! -- Everything you read on the Internet is false -- Glenn Fleishman
Re: Scoring in user_prefs
On 08 Nov 2013, at 13:42 , Kris Deugau kdeu...@vianet.ca wrote: man Mail::SpamAssassin::Conf and scroll down to the RULE DEFINITIONS AND PRIVILEGED SETTINGS section. Oh, well, crap. Yeah, that's not going to happen. OK, time to come up with another way of doing this... ZZ er.. right. -- What if your DOPE was on fire? Impossible, sir, it's in Johnson's underwear.
Re: RP_MATCHES_RCVD
On 08 Nov 2013, at 13:53 , Kris Deugau kdeu...@vianet.ca wrote: It's also been scored down in more recent rule updates; as of a few minutes ago it looks like it's *way* down: score RP_MATCHES_RCVD -1.501 -0.001 -1.501 -0.001 I saw that after I ran sa-update, which was shortly after I posted. I've set it to -0.1 for now. -- Every absurdity has a champion to defend it.
Re: spamc -L apparently not working properly
On Friday, November 08 2013, Karsten Bräckelmann wrote:

On Fri, 2013-11-08 at 16:09 -0200, Sergio Durigan Junior wrote:

    # spamc -c < spam.file
    0.0/5.0
    # spamc -L spam < spam.file
    (successful message saying that the spam was learned)
    # spamc -c < spam.file
    0.0/5.0

You mentioned that's a fresh install, actually not even in production yet. The Bayes sub-system requires some training (minimum of 200 ham and spam each) by default, before Bayes rules kick in for scanning.

Instead of -c check only, use the -R option to print the report. You'll notice there is no BAYES_xx rule (yet).

Thanks. I had used -R before, without much success. But yeah, I found some discussions on this list about Bayes databases, and people saying that at least 200 messages are needed before Bayes can start doing its job.

BTW, one spam has just sneaked in right now. On the one hand I'm sad because of those false-negatives, but OTOH I'm happy because I'll be able to train the database faster :-).

I have already updated my Bayesian database, restarted the spamd

I'm curious -- what does updating your Bayes db mean?

Oh, I only meant that I ran sa-learn or spamc -L. Sorry if that is a wrong nomenclature.

service, etc. I was expecting that I'd get a high rate after feeding the spam to SpamAssassin, but that's not happening. Any suggestions?

In addition to required initial training: The Bayesian classifier works on a per-token (think: word) basis. Thus, depending on the tokens in the message and existing ones in the db, the impact of learning can vary quite a lot -- from hardly noticeable to clear detection.

All right. Since I don't have a good database yet (only 4 or 5 spams learned), I won't worry about it for now. Let's see when I have a bigger DB...

Thanks a lot,

--
Sergio
Re: spamc -L apparently not working properly
On Friday, November 08 2013, Amir Caspi wrote: What's your opinion? I would run spamd as root and initiate spamc with the -u option, to allow each user to have his/her own Bayes DB. However, again, it really depends on what kind of email system you're running, and how you want to handle spam. If you're running a corporate server, you might prefer a global DB; if you're running a server with personal users whose email characteristics vary widely, you might prefer per-user DBs. For my setup, I prefer per-user DBs. Thanks for the opinion. I was considering doing that, and your message was the final word I needed. Now everything is setup per-user, and I am feeding the Bayes DB with what I have. Thanks, -- Sergio
Re: spamc -L apparently not working properly
On Sat, 2013-11-09 at 01:34 -0200, Sergio Durigan Junior wrote:

On Friday, November 08 2013, Karsten Bräckelmann wrote:

You mentioned that's a fresh install, actually not even in production yet. The Bayes sub-system requires some training (minimum of 200 ham and spam each) by default, before Bayes rules kick in for scanning.

Instead of -c check only, use the -R option to print the report. You'll notice there is no BAYES_xx rule (yet).

Thanks. I had used -R before, without much success. But yeah, I found some discussions on this list about Bayes databases, and people saying that at least 200 messages are needed before Bayes can start doing its job.

BTW, one spam has just sneaked in right now. On the one hand I'm sad because of those false-negatives, but OTOH I'm happy because I'll be able to train the database faster :-).

You don't have any kind of archive of spam? If so, train on recent ones, feel free to exceed the minimum limit, but don't bother too much with old spam. It changes much faster over time than ham does.

Also, at least until you reached the minimum required training, do train with identified spam, too. Same with ham. For now, keep training in a ratio somewhere between 1:1 or spam to ham ratio.

service, etc. I was expecting that I'd get a high rate after feeding the spam to SpamAssassin, but that's not happening. Any suggestions?

In addition to required initial training: The Bayesian classifier works on a per-token (think: word) basis. Thus, depending on the tokens in the message and existing ones in the db, the impact of learning can vary quite a lot -- from hardly noticeable to clear detection.

All right. Since I don't have a good database yet (only 4 or 5 spams learned), I won't worry about it for now. Let's see when I have a bigger DB...

Do train. Spam, as well as ham. If you got some recent-ish archives.

Thanks a lot,

You're welcome. :)
Re: spamc -L apparently not working properly
On Sat, 2013-11-09 at 01:35 -0200, Sergio Durigan Junior wrote:

> On Friday, November 08 2013, Amir Caspi wrote:

>> I would run spamd as root and initiate spamc with the -u option, to allow each user to have his/her own Bayes DB. However, again, it really depends on what kind of email system you're running, and how you want to handle spam. If you're running a corporate server, you might prefer a global DB; if you're running a server with personal users whose email characteristics vary widely, you might prefer per-user DBs. For my setup, I prefer per-user DBs.

You mentioned using SA from procmail, so there usually is no need for the -u user option (see that other sub-thread about this option). Running the spamd daemon as root and calling spamc as the receiving user is an easy way to get per-user Bayes databases. Keep in mind though, this requires Bayes training per user, and every user needs its own $HOME or related options.

> Thanks for the opinion. I was considering doing that, and your message was the final word I needed. Now everything is set up per-user, and I am feeding the Bayes DB with what I have.

What I wrote above was partially triggered by this. Not the Bayes DB, which sounds like a single one to me, but one Bayes db per user. Which requires initial training per user.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
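An added example, not part of any message in this thread: a check of whether a given Bayes database has reached the training minimum mentioned above (200 spam and 200 ham), which matters once every user has a separate database. The function name bayes_ready and the two sample dumps are constructed for illustration; the samples follow the line layout that `sa-learn --dump magic` prints.

```shell
#!/bin/sh
# Added example (not from the thread). bayes_ready reads the output of
# `sa-learn --dump magic` on stdin and reports whether the learned counts
# have reached the minimums (200 spam and 200 ham by default, per the thread).
# Optional arguments: $1 = minimum spam count, $2 = minimum ham count.
# Exit status: 0 = ready, 1 = below a minimum, 2 = counts not found in input.
bayes_ready() {
    awk -v min_spam="${1:-200}" -v min_ham="${2:-200}" '
        /non-token data: nspam/ { nspam = $3 + 0; have_spam = 1 }
        /non-token data: nham/  { nham  = $3 + 0; have_ham  = 1 }
        END {
            if (!have_spam || !have_ham) { print "no-counts"; exit 2 }
            ok = (nspam >= min_spam + 0 && nham >= min_ham + 0)
            printf "%s nspam=%d nham=%d\n", (ok ? "ready" : "untrained"), nspam, nham
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample: a new per-user DB with 10 spam learned and no ham yet.
SAMPLE_FRESH='0.000          0          3          0  non-token data: bayes db version
0.000          0         10          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0       1432          0  non-token data: ntokens'

# Constructed sample: a DB trained past both minimums.
SAMPLE_TRAINED='0.000          0          3          0  non-token data: bayes db version
0.000          0        250          0  non-token data: nspam
0.000          0        400          0  non-token data: nham
0.000          0      61207          0  non-token data: ntokens'

printf 'fresh:   '; printf '%s\n' "$SAMPLE_FRESH"   | bayes_ready || true
printf 'trained: '; printf '%s\n' "$SAMPLE_TRAINED" | bayes_ready || true

# Live use, run as the receiving user so that user's own DB is read:
#   sa-learn --dump magic | bayes_ready
```

With per-user databases the check has to be run once per account, since each database reaches the minimum independently.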
Re: spamc -L apparently not working properly
On Saturday, November 09 2013, Karsten Bräckelmann wrote:

> You don't have any kind of archive of spam? If so, train on recent ones, feel free to exceed the minimum limit, but don't bother too much with old spam. It changes much faster over time than ham does. Also, at least until you reached the minimum required training, do train with identified spam, too. Same with ham. For now, keep training in a ratio somewhere between 1:1 or spam to ham ratio.

[Note: By ham I assume you mean false-positives, and not just regular e-mail.]

No, (un)fortunately I don't. I've been running this server for 5 months now, and only received about 10 spams so far. I decided to start running SA now because I've received 5 spams in the last 3 days, which triggered my internal alarm.

> Do train. Spam, as well as ham. If you got some recent-ish archives.

Will do. However, I don't have false-positives (ham) to train. As I said above, I only have about 10 spam messages, which I already used to train Bayes. Not sure if it is possible/would be good to search for recent spam archives on the net. I believe not...

-- 
Sergio
Re: spamc -L apparently not working properly
On Sat, 9 Nov 2013, Sergio Durigan Junior wrote:

> [Note: By ham I assume you mean false-positives, and not just regular e-mail.]

No, Train with correctly-classified ham as well.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...to announce there must be no criticism of the President or to stand by the President right or wrong is not only unpatriotic and servile, but is morally treasonous to the American public. -- Theodore Roosevelt, 1918
---
3 days until Veterans Day