False Primary MX Record = MORE spam?
I spent some time recently reading the wonders of creating a false primary MX record (Nolisting). Supposedly compliant mailers automatically mail to the primary MX record first, and then upon failure retry to the secondary, delivering to the real server, while non-compliant spammers just stop in their tracks. This is supposed to reduce server load and therefore the number of messages SpamAssassin needs to examine.

However, although it is working in the manner prescribed, and I notice it has introduced a short delay in receiving mail, I believe my overall mail load has increased significantly. It's not a big user base. I was seeing around 1,100 to 1,400 messages daily, and now I am seeing around 1,600 messages or more daily going through SpamAssassin. I've watched it a couple weeks just to see if this was a coincidence, but it seems constant.

Here's what I'm thinking. Just for kicks, since it didn't help anyway, maybe I should reverse the two MX priorities, making my real server primary again, and leave the bogus entry as the secondary, just to see how the overall load changes again? Might be fun, or even enlightening.

Does anyone have any solid experience or beliefs of the effectiveness of these sorts of things? Have spammers started targeting secondary MX records first?

Ben
Re: sa-stats
As far as I'm concerned it has not been fixed, although I've seen a number of similar threads, and could have missed something else. Worked great until the very moment in time I applied the first 3.10 pre update. No problem with versions 3-3.04.

Ben

Steve Dimoff wrote:

Did this ever get figured out? I'm running into the same problem, and no matter what options I try I always come back with zeros. Debug shows it's processing the log file.

Thanks,
Steve

-----Original Message-----
From: Ben Hanson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 22, 2005 9:14 AM
To: Ben O'Hara
Cc: users@spamassassin.apache.org
Subject: Re: sa-stats

I've been running it with -s 'midnight' -e 'now' (At 11:59 - I'm aware that I might lose a minute each day, but...) Tried -s today-24 -e today and still get lots of zeros.

Ben (Hanson)

Ben O'Hara wrote:

On 6/22/05, Ben O'Hara <[EMAIL PROTECTED]> wrote:

Just realised it's defaulting to running 24 hours into the future rather than the past. Is this normal behaviour? Should I be passing a -s of 24 hours ago to it?

Seems " -s today-24 -e today" does the trick!

Ben
Re: Fedora changed SpamAssassin default level to 7?
Pretty sure the FC4 issues with network services not functioning and such are simply due to the RPM not enforcing the Perl Dependencies. I presume it is packaged with the idea that the majority of end users will in fact be rolling out their machine as a desktop, and not want to be stuck with a more involved setup.

I have one FC4 machine running here at work. The default local.cf, aside from some comments, contains only three lines:

    required_hits 5
    report_safe 0
    rewrite_header Subject [SPAM]

The machine I actually built SA on is fundamentally a modified RH9, and I remember I manually configured my own config files, and did indeed have to install a number of perl dependencies manually. I'm running pretty much every available module and option, and have incorporated many rule sets beyond the stock ones. I later removed the RPM and have since installed everything from the tarballs, finding them much easier to end up with a totally functional upgrade, without issue.

The Redhat/Fedora machines have been absolutely flawless in their functionality aside from the initial setup, as has SpamAssassin.

Ben
Re: RDJ from cron - is it safe?
QUOTE___
/etc/init.d/spamassassin restart
Shutting down spamd: [ OK ]
Starting spamd: Could not create INET socket on 127.0.0.1:783: Address already in use (IO::Socket::INET: Address already in use)
[FAILED]
__

I got exactly this same thing randomly, and coming in to work with ten calls queued to let me know so and so had a bucket of spam on a Monday morning prompted me to comment out the auto-restart portion of the RDJ. I let it run and do nightly updates, email me the results, and then I simply manually restart if any rules prompt me to.

I've thought of putting a check to see if any child processes are running, and simply loop a few times if so, as I'm pretty sure that would take care of it, but so far that seems like more energy than just restarting it by hand.

Ben
Re: sa-stats
I've been running it with -s 'midnight' -e 'now' (At 11:59 - I'm aware that I might lose a minute each day, but...) Tried -s today-24 -e today and still get lots of zeros.

Ben (Hanson)

Ben O'Hara wrote:

On 6/22/05, Ben O'Hara <[EMAIL PROTECTED]> wrote:

Just realised it's defaulting to running 24 hours into the future rather than the past. Is this normal behaviour? Should I be passing a -s of 24 hours ago to it?

Seems " -s today-24 -e today" does the trick!

Ben
sa-stats
Got my first nightly stats breakdown email this morning after starting testing the 3.10pre1 version. The report states zero spam, which is true (all right devs!) but then, zero mail as well. Did any log format change that I need to be aware of? I didn't see any notes. I copied over the sa-stats.pl script to where I have a cron job execute it from, so I'm not running an old version.
RE: SpamAssassin 3.1.0pre1 PRERELEASE available!
I get 139 "errors" regarding the 70_sare_whitelist.cf entries. from 3.1pre. Has the syntax for whitelist_from_rcvd changed? Ben
Re: Gif-Only spams
Hmm, scoring certain attachments (.gif, .jpg, etc) based on a calculated checksum (md5 or otherwise). To be time efficient it would have to be an enable/disable option for older hardware, presumably. The disadvantages are cpu time, network traffic, the need for servers to store the checksum recognized. They could be generated by examining up to some maximum amount of data from images.

Advantages? I remember receiving for a time a series of daily ED drug spams that seemed to have nothing in common, for weeks about a year ago. Different apparent source, different subjects. But it was always the same image. This sort of image checksum matching would have been able to cut those off after the requisite quantity had been reported. I like it.

Of course, I can play devil's advocate and presume a professional spammer might theoretically use some sort of image processing automation to switch a single pixel in a bank of transparent lines at the bottom of the image (or top or sides) switched to the background color, changing checksums for each repetition of spam they spew.

Ben
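The checksum scheme discussed in the post above, as an added example (not code from the post or from SpamAssassin): each image attachment is hashed over a capped number of bytes, and a message scores once an image has been reported often enough. The size cap, report threshold, score value, use of SHA-256 and all function names are assumptions, and the sample image bytes are constructed.

```python
import hashlib
from collections import Counter
from email import message_from_bytes
from email.message import EmailMessage

MAX_BYTES = 64 * 1024     # assumed cap on image data hashed per attachment
REPORT_THRESHOLD = 3      # assumed number of reports before an image scores
HIT_SCORE = 2.5           # assumed points added per known image

def image_digests(raw_message, max_bytes=MAX_BYTES):
    """SHA-256 of the first max_bytes of every image part in a raw message."""
    digests = []
    for part in message_from_bytes(raw_message).walk():
        if part.get_content_maintype() == "image":
            payload = part.get_payload(decode=True) or b""
            digests.append(hashlib.sha256(payload[:max_bytes]).hexdigest())
    return digests

class ImageChecksumStore:
    """Counts reports per image digest; stands in for a shared checksum server."""
    def __init__(self, threshold=REPORT_THRESHOLD):
        self.reports = Counter()
        self.threshold = threshold

    def report(self, raw_message):
        self.reports.update(image_digests(raw_message))

    def score(self, raw_message):
        hits = sum(1 for d in image_digests(raw_message)
                   if self.reports[d] >= self.threshold)
        return hits * HIT_SCORE

def build_message(subject, sender, image_bytes):
    """Build a constructed test message carrying one GIF attachment."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.org"
    msg.set_content("see attached")
    msg.add_attachment(image_bytes, maintype="image", subtype="gif",
                       filename="a.gif")
    return msg.as_bytes()

SAMPLE_GIF = b"GIF89a" + bytes(range(256)) * 4   # constructed, not a real image

def demo():
    store = ImageChecksumStore()
    for i in range(REPORT_THRESHOLD):   # same image, different sender and subject
        store.report(build_message(f"subject {i}", f"s{i}@example.com", SAMPLE_GIF))
    same = store.score(build_message("new subject", "x@example.net", SAMPLE_GIF))
    altered = bytearray(SAMPLE_GIF)
    altered[-1] ^= 0x01                 # one changed byte gives a new digest
    changed = store.score(build_message("new subject", "x@example.net", bytes(altered)))
    return same, changed
```

`demo()` shows both halves of the post: the repeated image is caught regardless of sender and subject, while a one-byte difference yields a digest the store has never seen, which is why exact checksums only cover byte-identical images.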
Spam Percentages
Shortly after the first of the year, I noticed the percentage of spam messages for our organization dropped consistently by 10-15%. We had been averaging 60 to 65% for the last year or so, ever since I began with SA, right up until then, when it dropped consistently to just over 50%. I didn't really question it, as I saw no effective change in user mail.

Just before 3.0.3 was released, I suddenly noticed an increase in these numbers, and now we are averaging 70 to 72% spam incoming on weekdays. At the same time, I've seen more Nigerian type and medication type spams hitting my inbox.

Since SA tagging percentages are up, and I have made no configuration changes, I'm not seeing any failure or errors necessarily, but I'm very curious if others saw a similar pattern in these time frames at all, and if it's possible some network tests are returning fewer hits or something that would cause thresholds not to be hit, despite spam tagging, that would otherwise have caused my delete rules to kick in? I have pretty much everything enabled with no errors, and all the usual services (Razor, DCC, Pyzor, etc) all seem happy and responsive.

This is truly more a curiosity than a need for assistance, so nobody break anything thinking too hard on this one!

Ben
RE: report_safe doesn't seem to work since FC3 upgrade
Chris, I'm not running SA on FC3, although I'm using it for other things. I can verify I've had problems with FC releases and SA previously, most notably some weird core dumps on a fresh install of FC1 back with SA 2.6. I narrowed it down to an issue with Perl and installed modules, and if memory serves correctly, the problem was resolved by upgrading all of the Perl module dependencies and then reinstalling SA from the tarball rather than through CPAN. The CPAN install left certain files in directories other than were in the correct path, somehow, I think because of Redhat's swapping around of certain defaults from what others might use. Not much help, maybe, but somewhere to start. Ben
Here it comes!
Haven't seen tax spam yet, but there's definitely been more phishing in general and more drug spam as of late too. I got a very convincing PayPal notice this morning.

Ben
Yum update of SA from 2.63 to 3.0x
When SA 3.0 became available, I upgraded from the Redhat RPM's, and had various problems with versions and functionality. I removed the RPM and upgraded via CPAN with absolutely no issues. Ben Hanson I.S. MGR Transprint USA Inc.
RE: new member
Gary Wayne,
I'm Betting he's Thomas Shane.
Benjamin Stephen

I'm already confused. Is your name Thomas or Shane?
Gary Wayne Smith
Re: different scores - spamd vs spamassassin
Chad - I only just glanced at your message, but I think you must be looking at 2 different messages, OR your spamd start is manually setting a config that is different than the default set picked up by spamassassin, which doesn't pick up on that. It's likely if you start spamd without the extra command line arguments the same message should come out with the same total.

As far as bayes, I can't explain your database behavior (unless a config file changed) but I notice you have a VERY low autolearn setting, which to me seems like it would encourage false positives as your database grows, and also you have autolearn set at zero in the .cf file, which I think turns it off. Maybe restarting spamd caused an expiry, and since you're not autolearning anything, you lost all the old stuff. Time to start over, then.

Ben
spamc Version same since RC2?
I have been waiting for the 3.0 final to post this, but I noticed the same thing, so I'm ready to pose my question.

I noticed, starting with RC3, that while the version information changed for spamd and spamassassin executables, the spamc executable still reports RC2. I've been certain to check that there aren't multiple versions (for instance in /usr/bin and /usr/local/bin), and today with the full blown release, I ran it from the build directories to be sure. Still rc2.

Am I doing something wrong, or did the code just not change for the client on the subsequent releases?

Ben Hanson
I. S. MGR
Transprint USA Inc
[EMAIL PROTECTED]