Re: "bout u" campaign
Hi,

>>> The ENA_BAD_SPAM rule is a combination of 2 different types (reputation
>>> and content) rules with an AND between them. For example (this is about
>>> one-third of the rule):
>>
>> Is it usable like this?
>
> Try it out with a score of 0.001 and see what you think. It should have
> been valid. Just drop it in and run:
>
> spamassassin -D --lint 2>&1 | /bin/grep -Ei '(failed|undefined dependency|score set for non-existent rule)' | /bin/grep ENA_

By "usable" I meant have you included enough of the rule for it to really be effective? I let it run for the day, and it's just not anchored well enough to provide any meaningful benefit. It's hitting on jcpenny, vresp.com, constantcontact, sendgrid, facebook, etc.
Re: low scoring spam
On Friday 14 July 2017 at 15:29:38, Charles Amstutz wrote:

> Hello,
>
> I keep having spam come through that hits on almost zero rules (or very
> few). I get this is definitely possible, but it's annoying as it's
> obviously spam. I guess my question is, if what we have in place isn't
> hitting on much, then aside from learning it to Bayes, what do we do?

I don't think we can really answer that until we know "what you have in place".

We either need to see some examples of spam (DON'T paste here - put on pastebin or similar and then provide a link) with all the headers so we can see what scores you're getting, or we at least need to know what configuration you have so we might be able to suggest anything that seems missing.

You help us and we might be able to help you :) The more information you give us, the better we understand what the question is.

Antony.

-- 
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics

Please reply to the list; please *don't* CC me.
low scoring spam
Hello,

I keep having spam come through that hits on almost zero rules (or very few). I get this is definitely possible, but it's annoying as it's obviously spam. I guess my question is, if what we have in place isn't hitting on much, then aside from learning it to Bayes, what do we do?

Even that isn't enough it seems, as it learns it to Bayes_50 and not Bayes_99. Even Bayes_99 is not enough to catch it as spam typically if it doesn't trip anything else (as it's only 3.5 for Bayes_99 and many users are set to default to 4 or 5).
Re: reason why sendmail w/ SA3.4.1 scantime=15.0, delay=00:01:06 w/ SquirrelMail?
On Fri, 14 Jul 2017 10:00:45 +0200
Matus UHLAR - fantomas wrote:

> >Robert Kudyba wrote:
> >> Jul 13 23:04:05 storm spamd[13378]: spamd: processing message
> >> <9ca00a710c6bfad3d60dd424cd79ac19.squirrel@our-domain> for root:1001
> >> Jul 13 23:04:20 storm spamd[13378]: spamd: clean message
> >> (-101.5/5.0) for root:1001 in 15.0 seconds, 1193 bytes.
> >> Jul 13 23:04:20 storm spamd[13378]: spamd: result: . -101 -
> >> ALL_TRUSTED,BAYES_00,PYZOR_CHECK,USER_IN_WHITELIST scantime=15.0
> >> [...]
> >
> >Hitting PYZOR_CHECK is scary.
>
> not at all. well, it MAY cause some delay but the default pyzor
> timeout is 3.5 seconds

It's hitting ALL_TRUSTED so I think he probably means that it's scary that his own mail hit PYZOR_CHECK. It's probably an empty body or just a standard signature.

If you use pyzor it's a good idea to run, at the very least,

    echo "" | pyzor local_whitelist

Possibly with --homedir= or --local-whitelist set as appropriate, or run it as any unix user and copy ~/.pyzor/whitelist to the equivalent location that's used by SA.
Re: "bout u" campaign
On 07/13/2017 05:26 PM, Alex wrote:

Hi,

Are you paying for DCC? I think we're over their limit and they blacklisted us long ago, lol.

I have my own DCC server joined into the DCC network. https://www.dcc-servers.net/dcc/

So you only provide spam services for your own users? Or do you pay?

Our DCC server was set up 6+ years ago by a previous mail sysadmin before I started working at my current job. We don't budget or pay anything annually for DCC. We are peered with another DCC server in their network. All I know is that we must keep our current IP address the same to maintain the peering.

I have one DCC server that I point my 8 mail filters to. I am classifying about 10K ham and 8K spam each day which I also use in the masscheck processing (currently on hold). Since I have started doing this

Through autolearn? It is otherwise extremely time-intensive.

Actually I have found some rule combinations and score thresholds that are definitely ham/spam. I have built an iRedMail VM with no RBLs, postscreen, or other MTA optimizations and disabled some things in amavis-new so spam will get to SA. Ham comes from a subset of my primary SA filters based on SHORTCIRCUIT rules and very low scoring messages. I set up Inbox rules to move certain messages into ham/spam folders. I have to log in once a day and spend a few minutes quickly reviewing the unread messages and marking them as read. My masscheck and SA learning uses the read folder (Maildir cur directory).

Yep. Again my block threshold is 6.0 in MailScanner and I have less default trust for FREEMAIL senders. I also have meta rules based on FREEMAIL and other hits that add to the score based on combinations I have seen over the years.

Adjusting many of the default rules disrupts the score balance created by masschecks, no?

Correct. Before I knew about the masscheck processing and what it does, I used to adjust the scores on most of the rules, which was time consuming, just like reactively creating rules for new spam campaigns.

A few months ago I removed most of my custom scores on default SA rules and I use meta rules to combine hits on certain rules to add some points.

I want to avoid having to juggle scores around, in addition to already worrying about writing rules that ultimately have the same effect as existing metas.

    2.2 ENA_DIGEST_FREEMAIL Freemail account hitting message digest spam seen by the Internet (DCC, Pyzor, or Razor).

Are you worried about overlap between the checksum systems? I've enabled DCC again today, and remembered what I don't like about it. Do you have DCC_CHECK at its default 1.1 score? That's quite high for something described as "bulk mail" when bulk mail is already scored very close to 5.0.

If you follow my logical separation of rules into reputation-based and content-based then DCC, RAZOR, and PYZOR are going to fall into the content side. You still have the reputation rules that will lower the score and offset these DIGEST rules. Plus with many SHORTCIRCUIT'd senders based on whitelist_auth and whitelist_from_rcvd, the trusted/safe bulk senders with a valid unsubscribe process will pass through fine.

How much more effective do you find DCC than PYZOR? That's already scored at 1.4.

Haven't really had to worry about this with SHORTCIRCUIT'ing and whitelist_auth on the envelope-from domain (SPF_PASS + non-human account domains).

I have no idea. I just analyzed my mail scoring and noticed combinations like DCC and FREEMAIL are common in my spam.

That's a good combination.

The ENA_BAD_SPAM rule is a combination of 2 different types (reputation and content) rules with an AND between them. For example (this is about one-third of the rule):

Is it usable like this?

Try it out with a score of 0.001 and see what you think. It should have been valid. Just drop it in and run:

    spamassassin -D --lint 2>&1 | /bin/grep -Ei '(failed|undefined dependency|score set for non-existent rule)' | /bin/grep ENA_

You can also run the first section and check for a zero return code. I have a config distribution script that runs the first part above and will not send it out if the return code is not zero.

/etc/mail/spamassassin/99_mailspike.cf

    shortcircuit RCVD_IN_MSPIKE_H5 on
    score RCVD_IN_MSPIKE_H4 -3.2
    score RCVD_IN_MSPIKE_H3 -2.2
    score RCVD_IN_MSPIKE_H2 -1.2
    score RCVD_IN_MSPIKE_WL -0.82
    score RCVD_IN_MSPIKE_BL 1.2
    score RCVD_IN_MSPIKE_L2 0.2
    score RCVD_IN_MSPIKE_L3 1.2
    score RCVD_IN_MSPIKE_L4 2.2
    score RCVD_IN_MSPIKE_L5 3.2

The default scores for these rules are all almost 0 when bayes and network tests are enabled. I've adjusted the L[2-5] rules from 0.2 to 1.2. Took a quick look at a handful of L5 mail and anything higher would be problematic.

Hope this is helpful.

Thanks, as always.

-- 
David Jones
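The thread above mixes three things a practitioner ends up doing by hand: reading spamd "result:" log lines to see what low-scoring spam actually hit, checking what a reputation AND content meta rule such as ENA_DIGEST_FREEMAIL would add to those near misses, and spotting own mail that hits ALL_TRUSTED together with a digest check (the PYZOR_CHECK case from the SquirrelMail thread). The following is an added example written for this page, not code posted by anyone on the list. The name, 2.2 score and description of ENA_DIGEST_FREEMAIL come from the thread; its exact expression is an assumption, since the list never shows the rule body, and the FREEMAIL_* and *_CHECK rule names used inside it are stock SpamAssassin rules. All log lines except the first (quoted in the thread) are constructed.

```python
"""Added example: parse spamd 'result:' log lines, find ham verdicts that
scored just under the required score, and see which of them a
reputation AND content meta rule would push over the line."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Shape of the spamd result line quoted in the thread:
#   spamd: result: <Y|.> <rounded score> - <RULE,RULE,...> scantime=<sec>,...
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - "
    r"(?P<rules>[A-Z0-9_,]+) scantime=(?P<scantime>\d+(?:\.\d+)?)"
)


@dataclass
class ScanResult:
    verdict: str        # 'Y' = spam, '.' = ham, exactly as spamd logs it
    score: int          # spamd logs the rounded total on the result line
    rules: Set[str]     # names of the rules that hit
    scantime: float     # seconds spent scanning


def parse_result_line(line: str) -> Optional[ScanResult]:
    """Return a ScanResult for a spamd 'result:' line, None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    return ScanResult(m.group("verdict"), int(m.group("score")),
                      set(m.group("rules").split(",")), float(m.group("scantime")))


# Meta rules modelled the way SA metas work: a predicate over the set of rule
# names that hit, plus the points the meta adds.  The expression below is an
# assumption; the list only shows the rule's name, score and description.
DIGEST_RULES = {"DCC_CHECK", "PYZOR_CHECK", "RAZOR2_CHECK"}      # content side
FREEMAIL_RULES = {"FREEMAIL_FROM", "FREEMAIL_REPLYTO"}           # reputation side

META_RULES: Dict[str, Tuple[Callable[[Set[str]], bool], float]] = {
    "ENA_DIGEST_FREEMAIL": (
        lambda hit: bool(hit & FREEMAIL_RULES) and bool(hit & DIGEST_RULES), 2.2),
}


def apply_metas(result: ScanResult, metas=META_RULES) -> Tuple[float, List[str]]:
    """Re-score a message with the meta rules added; returns (score, metas that fired)."""
    fired = [name for name, (pred, _) in metas.items() if pred(result.rules)]
    return result.score + sum(metas[n][1] for n in fired), fired


def low_scoring_misses(results, required=5.0, floor=0.0) -> List[ScanResult]:
    """Ham verdicts between floor and required: the 'hits almost no rules' mail
    from the low scoring spam thread, worth reviewing and feeding to Bayes."""
    return [r for r in results if r.verdict == "." and floor <= r.score < required]


def trusted_digest_hits(results) -> List[ScanResult]:
    """ALL_TRUSTED plus a digest hit: own mail matching Pyzor/DCC/Razor, usually an
    empty body or bare signature that belongs in the local pyzor whitelist."""
    return [r for r in results if "ALL_TRUSTED" in r.rules and r.rules & DIGEST_RULES]


# First line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    "Jul 13 23:04:20 storm spamd[13378]: spamd: result: . -101 - "
    "ALL_TRUSTED,BAYES_00,PYZOR_CHECK,USER_IN_WHITELIST scantime=15.0",
    "Jul 14 09:12:01 storm spamd[13378]: spamd: result: . 3 - "
    "DCC_CHECK,FREEMAIL_FROM,HTML_MESSAGE,MIME_HTML_ONLY scantime=2.1,size=4521",
    "Jul 14 09:13:40 storm spamd[13378]: spamd: result: . 2 - "
    "BAYES_50,HTML_MESSAGE scantime=0.9,size=2210",
    "Jul 14 09:15:07 storm spamd[13378]: spamd: result: Y 12 - "
    "BAYES_99,BAYES_999,RCVD_IN_MSPIKE_L5,FREEMAIL_FROM,DCC_CHECK scantime=1.4,size=3012",
    "Jul 14 09:15:08 storm spamd[13378]: spamd: connection from localhost [127.0.0.1]",
]


def analyse(lines=SAMPLE_LOG, required=5.0):
    """Returns (all results, near misses the metas rescue, ALL_TRUSTED digest hits)."""
    results = [r for r in map(parse_result_line, lines) if r]
    rescued = []
    for r in low_scoring_misses(results, required):
        new_score, fired = apply_metas(r)
        if new_score >= required:
            rescued.append((r, new_score, fired))
    return results, rescued, trusted_digest_hits(results)


if __name__ == "__main__":
    results, rescued, trusted = analyse()
    for r, new_score, fired in rescued:
        print(f"{r.score} -> {new_score:.1f} via {','.join(fired)}: {sorted(r.rules)}")
    for r in trusted:
        print(f"own mail hit digest check: {sorted(r.rules & DIGEST_RULES)}")
```

Run it against a real spamd log with `analyse(open("/var/log/maillog").read().splitlines())`. The score on the "result:" line is spamd's rounded total, so a message at 4.6 shows as 5; use the "clean message (x.x/5.0)" line if you need the exact value. The point of keeping the predicate and the score separate is the same one David makes: the meta adds points only when both halves hit, so the default rule scores from masscheck are left alone.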
Re: reason why sendmail w/ SA3.4.1 scantime=15.0, delay=00:01:06 w/ SquirrelMail?
Robert Kudyba wrote:

Over the past few days sending mail via SquirrelMail has become glacial. The load on the server is under 1. I've restarted the SA, sendmail and dovecot processes several times. Here are some logs. I can provide any settings if desired.

Tried to run a message through "spamassassin -D"? That should give you debug/timing info.

Jul 13 23:03:24 storm sendmail[14504]: v6E33EOQ014504: Authentication-Warning: our-domain: apache set sender to me@our-domain using -f
Jul 13 23:03:39 storm sendmail[14504]: v6E33EOQ014504: from=me@our-domain, size=535, class=0, nrcpts=1, msgid=<9ca00a710c6bfad3d60dd424cd79ac19.squirrel@our-domain>, relay=apache@localhost

On 14.07.17 06:10, Andrzej A. Filip wrote:

n*5s delay *may* indicate unresponsive DNS host(s)/resolver(s) in /etc/hosts

you apparently mean in /etc/resolv.conf

How long does it take to get the SMTP greeting message when you start "/usr/sbin/sendmail -bs" as a non-root user? [ Is it sendmail startup or message processing? ]

[...]

Jul 13 23:04:05 storm spamd[13378]: spamd: processing message <9ca00a710c6bfad3d60dd424cd79ac19.squirrel@our-domain> for root:1001
Jul 13 23:04:20 storm spamd[13378]: spamd: clean message (-101.5/5.0) for root:1001 in 15.0 seconds, 1193 bytes.
Jul 13 23:04:20 storm spamd[13378]: spamd: result: . -101 - ALL_TRUSTED,BAYES_00,PYZOR_CHECK,USER_IN_WHITELIST scantime=15.0

[...]

Hitting PYZOR_CHECK is scary.

not at all. well, it MAY cause some delay but the default pyzor timeout is 3.5 seconds

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 of your friends - let them see what an idiot you are