Re: Question - How many of you run ALL your email through SA?

2007-08-16 Thread Chris Purves

Marc Perkel wrote:
OK - it's interesting that of all of you who responded this is the only 
person who is doing it right. 


I find it interesting that what seemed like a friendly question turned 
out to be a quiz.


--
Chris Purves

All science is either physics or stamp collecting. - Ernest Rutherford


Re: Should I use greylisting

2007-01-26 Thread Chris Purves

Magnus Holmgren wrote:

On Friday 26 January 2007 03:21, uNiXpSyChO wrote:

Chris Purves wrote:

Personally, I didn't like the added delay for first-time mails, which is
why I chose to greylist only on blocklists, but for a minimal effort my
spam was significantly reduced.

Hope that helps.

what are you using to greylist based on blocklists?


Judging from his presence on the Exim-related mailing lists he is probably 
using the Exim MTA and its ACL facilities.



Yes, that's what I'm doing.  Exim + greylistd.

--
Chris



Re: Should I use greylisting

2007-01-25 Thread Chris Purves

Matthew Bickerton wrote:


I have been thinking about implementing Greylisting. However, I am worried
about blocking/long delays with e-mails from mail farms (gmail, yahoo etc.)



You could compromise by greylisting based on blocklists (such as 
spamhaus, etc.).  This would free up some resources by rejecting a fair 
amount of mail that would otherwise go to spamassassin.  For my setup 
(consisting of two users), greylisting with this method eliminates half 
of spam that would have otherwise gone to spamassassin. (about 250/500 
per week).  It also means that you can greatly increase the greylist 
time to several hours or even a day since it would be unlikely that 
legit e-mail would be greylisted, but if it was it would still get 
through, although quite delayed.  Of course if you are using blocklists 
for blocking...then that wouldn't help.


You can also add a whitelist to bypass the greylisting for large mail 
servers.


Personally, I didn't like the added delay for first-time mails, which is 
why I chose to greylist only on blocklists, but for a minimal effort my 
spam was significantly reduced.


Hope that helps.


--
Chris
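
The policy described in the message above (greylist only relays that a blocklist flags, let whitelisted large providers bypass it, and use a long delay), as an added Python model that is not from the original post and is not greylistd's code. The blocklist set, the whitelist network, the `dnsbl.example` zone, the retry window and all addresses are constructed sample values.

```python
import ipaddress
import time

GREYLIST_DELAY = 4 * 3600      # "several hours": affordable because few senders are affected
RETRY_WINDOW = 7 * 24 * 3600   # assumed value: a triplet older than this starts over

# Constructed sample data (documentation address ranges). In production the
# blocklist test is a DNS query; a set stands in so the example runs offline.
SAMPLE_BLOCKLIST = {"203.0.113.7", "198.51.100.23"}
SAMPLE_WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]  # stands in for a large mail farm


def dnsbl_query_name(client_ip, zone="dnsbl.example"):
    """Name a DNSBL client resolves: reversed IPv4 octets plus the zone (placeholder zone)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class SelectiveGreylist:
    """Greylist (relay, sender, recipient) triplets only for blocklisted relays."""

    def __init__(self, is_blocklisted, whitelist, delay=GREYLIST_DELAY, clock=time.time):
        self.is_blocklisted = is_blocklisted
        self.whitelist = whitelist
        self.delay = delay
        self.clock = clock
        self.first_seen = {}   # triplet -> time of the first delivery attempt

    def check(self, client_ip, sender, recipient):
        """Return 'accept' or 'defer' (a temporary 4xx reply) for one recipient."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.whitelist):
            return "accept"    # whitelisted providers are never delayed
        if not self.is_blocklisted(client_ip):
            return "accept"    # unlisted relays go straight on to SpamAssassin
        key = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        first = self.first_seen.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.first_seen[key] = now
            return "defer"     # first attempt from a listed relay
        if now - first < self.delay:
            return "defer"     # retried too early
        return "accept"        # a real MTA retried after the delay


def demo():
    """Replay constructed delivery attempts against a fake clock."""
    now = [0]
    gl = SelectiveGreylist(SAMPLE_BLOCKLIST.__contains__, SAMPLE_WHITELIST,
                           clock=lambda: now[0])
    results = [
        gl.check("192.0.2.10", "news@example.org", "user@example.net"),    # whitelisted
        gl.check("198.51.100.99", "bob@example.org", "user@example.net"),  # not listed
        gl.check("203.0.113.7", "x@example.org", "user@example.net"),      # listed, first try
    ]
    now[0] = 600
    results.append(gl.check("203.0.113.7", "x@example.org", "user@example.net"))
    now[0] = GREYLIST_DELAY + 1
    results.append(gl.check("203.0.113.7", "x@example.org", "user@example.net"))
    return results


if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.7"))
    print(demo())
```
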



How to deal with mailing list spam?

2007-01-24 Thread Chris Purves
I was wondering what is the best way to deal with spam that comes 
through on mailing lists?  For mailing lists like spamassassin I 
whitelist all mail because I expect to see examples of spam, but for 
other lists, is it a good idea to run 'sa-learn --spam'?  What about 
reporting those spam to razor/pyzor or spamcop?


--
Chris



Re: URIBL

2007-01-17 Thread Chris Purves

Jon Bjorn Njalsson wrote:

Is it possible to have SA find URL in a mail and lookup the ipaddress
for the URL and check if that ipaddress is listed in some rbl zone and
score accordingly.

Example, I receive lot of spam containing URL like
http://www.thesillyguy.info or thenopers.info and these sites all
resolve to the same ipaddress 216.40.47.17. Instead of writing rules
based on these sites is it possible to write a rule based on the
ipaddress ?


Your e-mail hit the following rules for me:

*  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  [URIs: thenopers.info thesillyguy.info]
*  4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
*  [URIs: thenopers.info thesillyguy.info]

I have 'loadplugin Mail::SpamAssassin::Plugin::URIDNSBL' set in init.pre.

--
Chris



Re: bayes poisoning

2007-01-16 Thread Chris Purves

maillist wrote:
I see a few emails every now and then about bayes poisoning, and am 
wondering what it means.  From what I understand, it is some message 
that gets learned (only through autolearn?) that has certain 
characteristics that throw the bayes system off.




From what I've seen there are generally two ways it is referred to:

1. random text or phrases thrown into spam to make it look like spam and 
ham look more alike:  This is an imagined problem.


2. spam incorrectly learned as ham or ham incorrectly learned as spam: 
Enough of these (either from manual or auto learning) and your Bayes 
database will be useless.


--
Chris



Re: CF files not formatted correctly; ASCII vs Binary?

2007-01-05 Thread Chris Purves

John Rudd wrote:

Clay Davis wrote:

Can someone give me an idea what is causing this and if it's causing a
problem with my SA config?

I am using wget to ftp download several of the SARE rules on a weekly
basis.  When I look at the rule on the SARE site, its formatting looks
normal (spaces, tabs, indents, etc.); however, after an ftp download to
my PC and opening it in Notepad, it's all run together and all the
formatting is gone.  Is this a result of ASCII vs binary?  Am I fouling
SA up?



It's most likely a case of Windows vs Unix end-of-line format.  That 
_would_ be fixed if you ftp'ed in text/ascii mode instead of binary mode 
... but you can also fix it if you have a simple unix2dos program on 
your PC.


I don't know if SA under windows chokes on the file format differences, 
though.  You might want to look into a text file editor that can deal 
with both formats.  Probably vim can do it (which you'd probably need to 
use with cygwin).




You can run Vim directly in Windows.  I use it often for viewing files 
authored in *nix as the original poster is doing and for regex.


http://www.vim.org/download.php#pc

--
Chris



Re: Does AWL cancel Manual Whitelist?

2007-01-05 Thread Chris Purves

skuba wrote:

If my auto white list is on, does it mean that the manual white list won't
work? Or could both be ON at the same time?



See http://wiki.apache.org/spamassassin/AutoWhitelist for explanation of 
AWL.



--
Chris



Re: New advice spam

2006-12-13 Thread Chris Purves

Steve Lake wrote:
Those razor2 and pyzor checks look interesting, but I haven't 
seen them on any of my emails that get filtered.  Is that something 
special you have to setup, or is it a default feature of SA?




The spamassassin wiki, as well as manual pages are full of information 
about razor and pyzor.



--
Chris



Re: Simple mail from Dynamic IP listed as spam

2006-12-13 Thread Chris Purves

Martin von Gagern wrote:


Now I realized that mail I send will be marked by such a setup as spam.
There are mostly two rules that hit: HELO_DYNAMIC_IPADDR and
RCVD_IN_SORBS_DUL. The latter one only happens some times, I guess it's
a timeout issue, because it can happen or not for the very same mail.
I'm connected through DSL with a dynamic IP, and using Thunderbird to
send mails through an IMP called GMX using SASL authentication.


I would be glad for suggestions on how I can get my regular email
through the increasing number of SpamAssassin setups out there.



You can't reliably send mail from a dynamic IP.  It will be rejected by 
many mail servers whether they are running SpamAssassin or not.


--
Chris



Re: Confused with sa-update

2006-12-06 Thread Chris Purves

Sujit Choudhury wrote:

I have run sa-update. The rules used to be in /usr/share/spamassassin 
SARE rules + local.cf in /etc/mail/spamassassin directory.

However spamassassin -D --lint now shows the following:
[28874] dbg: config: using /etc/mail/spamassassin for site rules pre files
[28874] dbg: config: using /var/lib/spamassassin/3.001007 for sys rules pre files
[28874] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[28874] dbg: config: using /var/lib/spamassassin/3.001007 for default rules dir
[28874] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassass

There is no mention of rules in /usr/share/spamassassin.

I wonder whether I have a made a mistake.

There's no mistake.  From the wiki 
http://wiki.apache.org/spamassassin/RuleUpdates


NOTE: Once the /var/lib/spamassassin/spamassassin version directory 
exists, spamassassin expects to find all rules underneath that 
directory, so make sure that the first time you run sa-update it 
completes successfully (see below for information about running in debug 
mode).



--
Chris



Re: Over Zealous Checks for Nigerian 419 Scams

2006-12-05 Thread Chris Purves

Rick Mallett wrote:

What's the proper way to submit material for the ham corpus?



I have never done it myself, but I found this in the wiki:

http://wiki.apache.org/spamassassin/UploadedCorpora

--
Chris



Re: Installed FuzzyOCR - What am I missing?

2006-11-29 Thread Chris Purves

Evan Platt wrote:

At 02:56 PM 11/28/2006, you wrote:


Last month there was a discussion thread on this list about that
exact topic. Search either the Apache list archives or the GMANE
archives. For example see:

http://mail-archives.apache.org/mod_mbox/spamassassin-users/200610.mbox/[EMAIL PROTECTED] 



Thanks to everyone especially Decoder, I think I'm up and running.

png is the only one not working.

Any reason NOT to assign 10 points to fuzzy ocr tripped words?


The defaults are already quite high, and don't forget that more points 
are added for more words found. I think the default is one point for 
every word matched, but requiring that at least two words are found. 
Since most of the drug spams have several words, you are usually over 10 
points anyway.


I mean I wouldn't add 10 points just because someone typed the V word in 
an e-mail to me, but I can't think of an instance where I'd expect a GIF 
message with it in it.


Someone might send you a copy of a comic strip about an old guy visiting 
the doctor.  You might miss out on some poor taste humour.


--
Chris



Re: Cronjob with sa-learn

2006-11-29 Thread Chris Purves

Markus Braun wrote:

Hello,

i tried to create a cron job to add spam messages as spamemails.

The following command :

0 1 * * *  vmail sa-learn  --spam 
/var/opt/vmail/.info/oliver/Maildir/.spam/cur *.*


But I get this return:

archive-iterator: readdir found no mail in 'domain1.de' directory
archive-iterator: readdir found no mail in 'domain2.de' directory
Learned tokens from 7 message(s) (460 message(s) examined)


I think you want:

sa-learn --spam /var/opt/vmail/.info/oliver/Maildir/.spam/cur/*

--
Chris



Re: Bayes autolearn issue

2006-11-28 Thread Chris Purves

Jason Frisvold wrote:

Greetings,

I noticed tonight that my bayes_vars table has a large number of
entries for users that are not on my system at all.  It seems that SA
is autolearning bayes for non domain users?  Is that a known issue?

SA will learn bayes for whatever user you call it with.  How do you 
determine what user calls spamc?


--
Chris



Re: Problem Adding the X-Spam-Status: header

2006-11-27 Thread Chris Purves

Magnus Holmgren wrote:

On Monday 27 November 2006 16:27, Odhiambo Washington wrote:

After I migrated from 2.64 to 3.1.7, I seem to have lost a very
important functionality that I need with SA - adding the X-Spam-Status:
header.
Believe me, I have RTFMed already the Mail::SpamAssassin::Conf...

From my local.cf, I have the following:

[meta-cut]

. but I don't see the header being added. Here is a typical example:

X-Spam-Score: -0.2 (/)
X-Spam-Report:  Start Spam/Junk Filter results
Filter analysis score is (-0.2/2.0)
-0.2 BAYES_40   BODY: Bayesian spam probability is 20
to 40% [score: 0.3295]
    End Spam/Junk Filter results


You seem to be running Exim with Exiscan. The add_header options in local.cf 
are of no consequence - everything is controlled from the ACL configuration.


If you want to configure the headers freely from local.cf, use the SA-Exim 
add-on.




If you don't want to use sa-exim, you can add the headers in the exim acl:

Something like:

  warn
    message = X-Spam-Status: Yes
    spam = nobody
    condition = ${if >{$spam_score_int}{49}{1}{0}}
    condition = ${if <{$message_size}{100k}{1}{0}}
  warn
    message = X-Spam-Status: No
    spam = nobody
    condition = ${if <{$spam_score_int}{50}{1}{0}}
    condition = ${if <{$message_size}{100k}{1}{0}}


--
Chris



Re: postgres database

2006-11-25 Thread Chris Purves

Tom Allison wrote:




To set up SQL for Bayes look at:

/usr/share/doc/spamassassin/sql or
http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeBayes

To set site-wide bayes with sql, either:

1. Always call spamc or spamassassin with the same user
2. set 'bayes_sql_override_username' in local.cf (from perldoc 
Mail::SpamAssassin::Conf)

3. perhaps a different way that's not obvious to me

Also, per-user configuration files are a separate issue from Bayes.  
You could set up per-user Bayes with sql and still have site-wide 
configuration.






How will spamassassin know what user I want to pull the data from?
Do I have to provide this on the spamc command line?



Spamassassin user is determined by:

spamc: if spamd is started by root, then spamc runs as whatever user 
calls spamc.  If spamassassin is integrated in your MTA, then it might 
be your MTA user or your MTA might be set up to use the user for 
delivery.  Both spamd and spamc allow for setting a specific '-u'.  This 
is explained in the manual pages for spamd and spamc.


site-wide: you can set site-wide options in local.cf, so that no matter 
what user calls spamc, the same bayes database is used.  'perldoc 
Mail::SpamAssassin::Conf' gives information about this, as well there 
are good site-wide docs in the spamassassin wiki.


sql: If you are using sql for bayes, then I don't think the site-wide 
configuration in local.cf will work.  Instead you can specify the 
username to use for bayes sql in local.cf.


So, if you want to use bayes sql database as a specific user, there are 
4 ways, as described above:


1. set '-u' for spamd
2. set '-u' for spamc
3. have your MTA always call spamc with the same user

(the previous three will have no effect when using 'spamassassin' or 
'sa-learn' commands, so you would need to again specify the user when 
using those commands)


4. set 'bayes_sql_override_username' in local.cf
(this will work for spamc, spamassassin, and sa-learn, but only for 
bayes.  AWL and user prefs are not affected by this.)


--
Chris


Re: razor-agent.log being placed in root directory

2006-11-24 Thread Chris Purves

Gary V wrote:
I noticed today that razor-agent.log is placed in the root directory.  
I have --helper-home-dir=/etc/spamassassin/helper-home-dir set as a 
spamd option, but the log is not being written to there.  How can I 
fix this problem?


Thanks.

--
Chris


This may be an indication there is no razor-agent.conf. Assuming root 
owns the log file, as root, run 'razor-admin -create' twice in a row. 
The log should move to the /root/.razor directory (the home directory of 
whatever user runs the command). To prevent logging for user 'root', 
edit /root/.razor/razor-agent.conf and change debuglevel to 0. To 
control logging on a site wide basis, you could copy 
/root/.razor/razor-agent.conf to /etc/razor/razor-agent.conf. If other 
users use razor, you should run 'razor-admin -create' twice as those 
users too. If you report spam to the razor servers, then you also need 
to run 'razor-admin register'.




Thanks, everyone for your suggestions, but it still doesn't make sense. 
 My setup is that spamd is run by root, and spamc is called by the user 
to whom mail is being delivered.  For this reason I don't want .razor 
directories created for every user.


From 'man spamd':

-H directory, --helper-home-dir=directory
Specify that external programs such as Razor, DCC, and Pyzor should
have a HOME environment variable set to a specific directory.  The
default is to use the HOME environment variable setting from the
shell running spamd.  By specifying no argument, spamd will use the
spamc caller's home directory instead.

Setting this should set the razor home directory when using spamc.  My 
spamd options are:


--max-children=3 --helper-home-dir=/etc/spamassassin/helper-home-dir -s 
/var/log/spamassassin/spamd.log -x -Q


This setup works for pyzor, because if I remove all the files from 
helper-home-dir and restart spamd, a .pyzor directory will be created. 
It seems to me that spamd is not properly setting the razor home 
environment.


--
Chris



Re: postgres database

2006-11-24 Thread Chris Purves

Tom Allison wrote:

Rick Macdougall wrote:

Tom Allison wrote:
I was reading through the man pages about the use of a database for 
the storage of bayesian tokens.


Is this a list that is global to the mail server, or something that 
is distinct for each user of that mail server?


In other words -- will I have the exact same bayesian history in my 
token library as my myspace living teenagers, or will this be 
seperated by user?


Hi,

Up to you really and the interface to SA that you use.

Regards,

Rick



I didn't see it in the perldocs.
Can you identify the parameter setting and/or the specific package that 
I would have to manipulate?

I am not able to have per-user configuration files.



To set up SQL for Bayes look at:

/usr/share/doc/spamassassin/sql or
http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeBayes

To set site-wide bayes with sql, either:

1. Always call spamc or spamassassin with the same user
2. set 'bayes_sql_override_username' in local.cf (from perldoc 
Mail::SpamAssassin::Conf)

3. perhaps a different way that's not obvious to me

Also, per-user configuration files are a separate issue from Bayes.  You 
could set up per-user Bayes with sql and still have site-wide configuration.


--
Chris



Re: razor-agent.log being placed in root directory

2006-11-24 Thread Chris Purves

Gary V wrote:

Gary V wrote:
I noticed today that razor-agent.log is placed in the root 
directory.  I have 
--helper-home-dir=/etc/spamassassin/helper-home-dir set as a spamd 
option, but the log is not being written to there.  How can I fix 
this problem?


Thanks.

--
Chris


This may be an indication there is no razor-agent.conf. Assuming root 
owns the log file, as root, run 'razor-admin -create' twice in a row. 
The log should move to the /root/.razor directory (the home directory 
of whatever user runs the command). To prevent logging for user 
'root', edit /root/.razor/razor-agent.conf and change debuglevel to 
0. To control logging on a site wide basis, you could copy 
/root/.razor/razor-agent.conf to /etc/razor/razor-agent.conf. If 
other users use razor, you should run 'razor-admin -create' twice as 
those users too. If you report spam to the razor servers, then you 
also need to run 'razor-admin register'.




Thanks, everyone for your suggestions, but it still doesn't make 
sense.  My setup is that spamd is run by root, and spamc is called by 
the user to whom mail is being delivered.  For this reason I don't 
want .razor directories created for every user.


From 'man spamd':

-H directory, --helper-home-dir=directory
Specify that external programs such as Razor, DCC, and Pyzor should
have a HOME environment variable set to a specific directory.  The
default is to use the HOME environment variable setting from the
shell running spamd.  By specifying no argument, spamd will use the
spamc caller's home directory instead.

Setting this should set the razor home directory when using spamc.  My 
spamd options are:


--max-children=3 --helper-home-dir=/etc/spamassassin/helper-home-dir 
-s /var/log/spamassassin/spamd.log -x -Q


This setup works for pyzor, because if I remove all the files from 
helper-home-dir and restart spamd, a .pyzor directory will be created. 
It seems to me that spamd is not properly setting the razor home 
environment.


--
Chris



The problem:

Razor-Log: Computed razorhome from env: 
/etc/spamassassin/helper-home-dir/.razor

Razor-Log: No razorhome found, using all defaults

Hi Gary, I appreciate the help.  I increased the debuglevel from 3 to 10 
in /etc/razor/razor-agent.conf, then reading from /razor-agent.log I see:


Nov 24 14:28:52.764664 check[6495]: [ 5] computed razorhome=, 
conf=/etc/razor/razor-agent.conf, ident=identity


So, it looks to me that spamd is not passing the home environment 
variable to razor.


--
Chris



Re: razor-agent.log being placed in root directory - solved

2006-11-24 Thread Chris Purves

Gary V wrote:

Gary V wrote:
I noticed today that razor-agent.log is placed in the root 
directory.  I have 
--helper-home-dir=/etc/spamassassin/helper-home-dir set as a spamd 
option, but the log is not being written to there.  How can I fix 
this problem?


Thanks.

--
Chris


This may be an indication there is no razor-agent.conf. Assuming root 
owns the log file, as root, run 'razor-admin -create' twice in a row. 
The log should move to the /root/.razor directory (the home directory 
of whatever user runs the command). To prevent logging for user 
'root', edit /root/.razor/razor-agent.conf and change debuglevel to 
0. To control logging on a site wide basis, you could copy 
/root/.razor/razor-agent.conf to /etc/razor/razor-agent.conf. If 
other users use razor, you should run 'razor-admin -create' twice as 
those users too. If you report spam to the razor servers, then you 
also need to run 'razor-admin register'.




Thanks, everyone for your suggestions, but it still doesn't make 
sense.  My setup is that spamd is run by root, and spamc is called by 
the user to whom mail is being delivered.  For this reason I don't 
want .razor directories created for every user.


From 'man spamd':

-H directory, --helper-home-dir=directory
Specify that external programs such as Razor, DCC, and Pyzor should
have a HOME environment variable set to a specific directory.  The
default is to use the HOME environment variable setting from the
shell running spamd.  By specifying no argument, spamd will use the
spamc caller's home directory instead.

Setting this should set the razor home directory when using spamc.  My 
spamd options are:


--max-children=3 --helper-home-dir=/etc/spamassassin/helper-home-dir 
-s /var/log/spamassassin/spamd.log -x -Q


This setup works for pyzor, because if I remove all the files from 
helper-home-dir and restart spamd, a .pyzor directory will be created. 
It seems to me that spamd is not properly setting the razor home 
environment.


--
Chris



The problem:

Razor-Log: Computed razorhome from env: 
/etc/spamassassin/helper-home-dir/.razor

Razor-Log: No razorhome found, using all defaults

After creating the /root/.razor files, copy the .razor directory to the 
helper home.

cp -r /root/.razor/ /etc/spamassassin/helper-home-dir/



Okay, this is what finally fixed it.  I didn't actually copy the 
directory, but instead created an empty .razor directory.  When I 
restarted spamd, it created


razor-agent.log
server.c101.cloudmark.com.conf
servers.catalogue.lst
servers.discovery.lst
servers.nomination.lst

in that directory.  I thought that razor would create the .razor 
directory itself, but it wouldn't do that.  I actually ran 'razor-admin 
-create -home=/etc/spamassassin/helper-home-dir' earlier, but without 
the .razor as you suggested in your other mail.  Thanks again for the help.




--
Chris



Re: R: pyzor server address

2006-11-24 Thread Chris Purves

Giampaolo Tomassoni wrote:


 b) leave the servers file as is, lower the pyzor's timeout and increase the 
maximum retries: I've been told that many short-time attempts are better than 
a single, long-lasting one. So, in your local.cf, try using something like:

use_pyzor 1
pyzor_timeout 3
pyzor_max 10



pyzor_max is the number of reports on the pyzor server required to get a 
positive match, not number of retries.  It seems to be poorly named.


--
Chris



razor-agent.log being placed in root directory

2006-11-23 Thread Chris Purves
I noticed today that razor-agent.log is placed in the root directory.  I 
have --helper-home-dir=/etc/spamassassin/helper-home-dir set as a spamd 
option, but the log is not being written to there.  How can I fix this 
problem?


Thanks.

--
Chris



Re: Someone explain sa-update to me

2006-11-10 Thread Chris Purves

Alain Wolf wrote:

On 10.11.2006 07:14, * Steve Lake wrote:

Judging from the replies on this list, it's a good idea to run
sa-update about once a week.  But I don't know how.  I looked at the man
file, but that doesn't tell me what options I need for a standard
update.  Can anyone help me?


Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community




For a standard update just run sa-update without any options.

If sa-update finds an update, you will also need to restart spamd if you 
are using the daemon.  See the wiki for more details:


http://wiki.apache.org/spamassassin/RuleUpdates


--
Chris



Re: Someone explain sa-update to me

2006-11-10 Thread Chris Purves

Tuc at T-B-O-H.NET wrote:
If sa-update finds an update, you will also need to restart spamd if you 
are using the daemon.  See the wiki for more details:


http://wiki.apache.org/spamassassin/RuleUpdates


Maybe run a script like this... (UNTESTED*)

#!/bin/sh
SAUPDATE=/usr/local/bin/sa-update
SAUPDATECLI=
STOPSPAMD="/usr/local/etc/rc.d/sa-spam.sh stop"
RESTARTSPAMD="/usr/local/etc/rc.d/sa-spam.sh start"
SLEEP=10
MAILUPDATE="[EMAIL PROTECTED]"
MAILERR="[EMAIL PROTECTED]"
MAILPROG=/bin/mail
# Subject lines for the notification mails (passed with -s below)
MAILPROGUPDATECLI="update-sa-learn refreshed rules"
MAILPROGUPDATEERR="update-sa-learn bad exit"

$SAUPDATE $SAUPDATECLI
sarc=$?
# Exit code 0: new rules were installed, so restart spamd
if [ $sarc -eq 0 ]
then
  $STOPSPAMD
  sleep $SLEEP
  $RESTARTSPAMD
  echo "SA-UPDATE updated rules" | $MAILPROG -s "$MAILPROGUPDATECLI" "$MAILUPDATE"
  exit
fi

# Exit code 1: no update available
if [ $sarc -eq 1 ]
then
  exit
fi

# Exit code 4 or higher: sa-update reported an error
if [ $sarc -ge 4 ]
then
  echo "SA-UPDATE exited with $sarc" | $MAILPROG -s "$MAILPROGUPDATEERR" "$MAILERR"
  exit
fi



or you could drop something like this in cron.hourly or cron.daily:

#!/bin/sh

sa-update && /etc/init.d/spamassassin restart && echo "Spamassassin rules updated."



--
Chris



Re: Creating a signature of an email

2006-11-10 Thread Chris Purves

Paul Aviles wrote:
Hi there, is there a way to create a signature or rule more or less 
automatically based on new spam you get? I used MessageLabs in the past 
and for those new messages you got they asked to forward the headers of 
the email to a particular account so that they could create a 
signature for those emails. 
 


Reporting your spam to razor and pyzor sounds like what you want.

--
Chris



Re: How to set up Razor

2006-11-06 Thread Chris Purves

David Baron wrote:

Installed it off Debian Sid.
How do I get SA to make use of it?



less /usr/share/doc/razor/README.Debian


--
Chris



Re: AWL Rule not Kicking in

2006-11-06 Thread Chris Purves

Magnus Anderson wrote:

Hi,

I have enabled AWL on my SpamAssassin configuration

- local.cf
# Store AWL in MySQL
auto_whitelist_factory  Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn            DBI:mysql:spamassassin:localhost
user_awl_sql_username   spamassassin
user_awl_sql_password   xx
user_awl_sql_table      awl

- v310.cf
# AWL - do auto-whitelist checks
#
loadplugin Mail::SpamAssassin::Plugin::AWL

It stores and reads AWL scores from the MySQL DB, so it does work.
But I never see any single thing about AWL scores in my incoming emails
that I get. Not even in the ones that are tagged as SPAM.


You shouldn't expect to see AWL often with spam, because you don't often 
receive multiple spam from the same sender.  For me AWL hits for 3% of 
spam and 50% of ham.



What I understand I don't have to enable it in my user_prefs file any
longer since it's on by default to be used.

Do I need any certain amount of records from one address before it's
kicking in, or what?


You only need one existing record for the awl to kick in.


I can't seem to find anything in the Wiki about this either, so if
someone could be so kind to point me in the right direction I would be
happy.


When I first set up AWL with SQL, I tried sending several messages to 
myself to see if it would kick in, but it never did.  Then I sent myself 
a message with a URL that I knew would trigger a rule and then I saw it 
working.  The reason I didn't see it before was because every message 
had the same spam score, so no AWL adjustment was needed.  To test the 
AWL you need to receive two e-mail from the same sender that will 
produce different spam scores.


--
Chris
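
Why identical test messages never show an AWL hit, as an added Python model that is not from the original post and is not SpamAssassin's own code. It assumes the documented behaviour that the score is pulled toward the sender's historical mean by `auto_whitelist_factor` (default 0.5) and that history is kept per sender address and relay network (first two IPv4 octets); the addresses and scores are constructed.

```python
from dataclasses import dataclass

AUTO_WHITELIST_FACTOR = 0.5   # default of the auto_whitelist_factor setting


@dataclass
class AwlRecord:
    """One row of the awl table: how many messages were seen and their summed scores."""
    count: int = 0
    totscore: float = 0.0


class AutoWhitelist:
    def __init__(self, factor=AUTO_WHITELIST_FACTOR):
        self.factor = factor
        self.table = {}

    @staticmethod
    def key(sender, relay_ip):
        # History is per sender address AND relay network, so a forged sender
        # arriving from elsewhere does not inherit a friend's good history.
        return sender.lower(), ".".join(relay_ip.split(".")[:2])

    def adjust(self, sender, relay_ip, score):
        """Return the AWL adjustment for this message and record its pre-AWL score."""
        rec = self.table.setdefault(self.key(sender, relay_ip), AwlRecord())
        delta = 0.0
        if rec.count:                       # one existing record is enough
            mean = rec.totscore / rec.count
            delta = (mean - score) * self.factor
        rec.count += 1
        rec.totscore += score               # history stores the unadjusted score
        return round(delta, 3)


# Constructed test traffic: (sender, relay IP, score before AWL)
SELF_TEST = [
    ("me@example.org", "192.0.2.10", 1.0),    # first message: no history yet
    ("me@example.org", "192.0.2.10", 1.0),    # same score as the mean: nothing to adjust
    ("me@example.org", "192.0.2.10", 1.0),
    ("me@example.org", "192.0.2.10", 4.0),    # message containing a URL that hits a rule
    ("me@example.org", "198.51.100.5", 4.0),  # same sender, different network: new record
]


def replay(messages):
    awl = AutoWhitelist()
    return [awl.adjust(*m) for m in messages]


if __name__ == "__main__":
    for msg, delta in zip(SELF_TEST, replay(SELF_TEST)):
        print(msg, "AWL adjustment:", delta)
```
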



Re: script for reporting ham/spam/resending?

2006-11-02 Thread Chris Purves

Leon Kolchinsky wrote:
 Thanks Cris,

 What about resending false positives, after all filters learned that
 this is a ham, how should I resend these messages (on Cyrus system) 
to  the original recipients?


 Any sample code would be very welcome  :)

If I understand you correctly, your setup takes all your users' spam and 
puts it into one maildir where you can access it.  Now you have 
identified false positives and have learned them as ham, but you need to 
get those messages back into your users' accounts.


Probably the most straightforward method would be to write a script that 
checks the Envelope-to header and moves the file to that user's inbox.


Personally, I don't manage users' spam.  I give them imap folders for 
learn-spam and learn-ham then have a script that checks those folders 
and runs sa-learn.  Spam is deleted once it is learned and ham is moved 
back to the inbox.  For myself I also have report and revoke scripts 
that do the same, but instead of using sa-learn they use spamassassin -r 
or -k.




--
Chris
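
One way to write the redelivery script suggested in the message above, as an added Python example that is not from the original thread. It assumes a `<mail_root>/<user>/Maildir/new` layout, a known set of local users and the domain `example.org`, all hypothetical; the sample messages are constructed. Because the header value comes from the message itself, it is checked against the user list before it is used to build a path.

```python
import os
import shutil
import tempfile
from email.parser import BytesHeaderParser
from email.utils import getaddresses


def envelope_recipient(path):
    """Return the single lower-cased Envelope-to address of a message file, or None."""
    with open(path, "rb") as fh:
        headers = BytesHeaderParser().parse(fh)       # reads the header block only
    values = [str(v) for v in headers.get_all("Envelope-to", [])]
    addrs = [addr.lower() for _, addr in getaddresses(values) if addr]
    return addrs[0] if len(addrs) == 1 else None      # ambiguous or missing: leave for a human


def redeliver(ham_dir, mail_root, local_users, domain):
    """Move each false positive to its recipient's inbox; return (moved, skipped)."""
    moved, skipped = {}, []
    for name in sorted(os.listdir(ham_dir)):
        src = os.path.join(ham_dir, name)
        user, _, dom = (envelope_recipient(src) or "").partition("@")
        # Only an exact match against the known user list may become a path component.
        if dom != domain or user not in local_users:
            skipped.append(name)
            continue
        dest_dir = os.path.join(mail_root, user, "Maildir", "new")
        os.makedirs(dest_dir, exist_ok=True)
        shutil.move(src, os.path.join(dest_dir, name))
        moved[name] = user
    return moved, skipped


# Constructed sample messages, named the way the scripts in this thread expect ("1.", "2.", ...)
SAMPLE_MESSAGES = {
    "1.": b"Envelope-to: alice@example.org\r\nSubject: invoice\r\n\r\nbody\r\n",
    # untrusted header value containing path separators: must never reach os.path.join
    "2.": b"Envelope-to: ../../etc/cron.d@example.org\r\nSubject: x\r\n\r\nbody\r\n",
    "3.": b"Subject: no envelope header\r\n\r\nbody\r\n",
}


def demo():
    with tempfile.TemporaryDirectory() as root:
        ham_dir = os.path.join(root, "ham_folder")
        os.makedirs(ham_dir)
        for name, raw in SAMPLE_MESSAGES.items():
            with open(os.path.join(ham_dir, name), "wb") as fh:
                fh.write(raw)
        moved, skipped = redeliver(ham_dir, os.path.join(root, "mail"),
                                   {"alice", "bob"}, "example.org")
        inbox = os.listdir(os.path.join(root, "mail", "alice", "Maildir", "new"))
        return moved, skipped, inbox


if __name__ == "__main__":
    print(demo())
```
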



Re: how to show exact score for the tests in the headers

2006-11-02 Thread Chris Purves

Leon Kolchinsky wrote:

Hello All,

I'm running a system with Cyrus+Postfix+Amavisd-new+SA+ClamAV.

I've seen on this list that there is a possibility to show in the SA headers 
the exact score for all tests scored for particular message, like this:

No, hits=-0.8 required=5.0 tests=BAYES_00=-2.599,   
DK_POLICY_SIGNSOME=0.001,DNS_FROM_RFC_ABUSE=0.2,
FORGED_MUA_MOZILLA=1.593,SPF_PASS=-0.001 autolearn=no 
version=3.1.7


My current SA headers look like this:
X-Spam-Status: Yes, hits=15.8 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_99,
 HTML_FONTCOLOR_RED, HTML_FONTCOLOR_UNSAFE, HTML_MESSAGE,
 MSGID_FROM_MTA_SHORT, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL,
 RCVD_IN_SORBS_WEB, RCVD_IN_XBL
X-Spam-Level: ***


How should I change the configs (local.cf, amavis.conf, etc.?) so it looks like 
in the upper example?

To get the list of rules hit and their individual scores, add the 
following line to local.cf:


add_header all Report _REPORT_

Run 'perldoc Mail::SpamAssassin::Conf' for details.


--
Chris



Re: script for reporting ham/spam/resending?

2006-11-01 Thread Chris Purves

Leon Kolchinsky wrote:

Hello All,

I'm running Cyrus as my IMAP server 
(Cyrus+Postfix+Amavis_ClamAV+Spamassassin+Web-Cyradm).

I've written a script for reporting spam to Razor DB and teaching with it 
Bayesian DB, revoking false positives from Razor DB and teaching Bayesian DB 
with false positives.

It looks like this (didn't test it yet, waiting for your suggestions), had to do it this way (for i in *.) cause Razor manual says that more than one non-mbox mail cannot be read from stdin: 



#!/bin/bash

###Razor stuff###

##Revoking
cd /ham_folder/ || exit 1
chmod 644 *.
for i in *.;
do
echo "Revoking $i"
su vscan -c "(/usr/lib/razor-revoke $i)"
done
echo "Razor Revoke Completed!"
###Reporting###
cd /spam_folder/ || exit 1
chmod 644 *.
for i in *.;
do
echo "Reporting $i"
su vscan -c "(/usr/lib/razor-report $i)"
done
echo "Razor Reporting Completed!"

###Bayesian stuff###
su vscan -c "(sa-learn --showdots --spam /spam_folder/)"
su vscan -c "(sa-learn --showdots --ham /ham_folder/)"

###Cleaning spam folder from learned emails###
su cyrus -c "(/usr/lib/cyrus/bin/ipurge -d0 -f user/spamkiller/spam)"

###End of the script###


What I'm missing is a proper way of resending false positives (located now in 
/ham_folder/).
Should I also add the sender to a whitelist? If yes how?

How should I remove SA headers (how exactly?) and resend ham in the proper way?
 


You're making it a lot harder for yourself.

Take a look at the manual pages 'man 3 spamassassin'

spamassassin -r  ... This performs bayes learning and reports message 
to razor, pyzor, DCC, and spamcop.


spamassassin -k  ... This learns as ham and revokes message with razor.



--
Chris



Re: SpamAssassin confusion and upgrading

2006-10-31 Thread Chris Purves
Louis Li wrote:
 Hello, I'm a novice in Linux and I wish to add SpamAssassin to my current
 Fedora 3 server, I'm currently using my ISP mail accounts and I have
 tested with SAproxy in Windows and it works fine.
 
 However when I installed the bundled SpamAssassin (3.0.4), I couldn't
 find any settings to key in my ISP email server address it should
 connect to (just like in SAproxy)
 
 Now here comes the questions:
 1. Does SpamAssassin work just like SAproxy in Fedora 3? Does it work as
 standalone mail proxy or have to work with mail servers+procmail together?

SpamAssassin scans mail for spam.  You need to give messages to
spamassassin and then decide what you want to do with them when
spamassassin is finished.  If you want to do something like SAproxy, then
you will need to install an e-mail proxy that can call spamassassin.
The spamassassin wiki has some information:

http://wiki.apache.org/spamassassin/MailProxy

Some e-mail clients can also be configured to run messages through
spamassassin:

http://wiki.apache.org/spamassassin/IntegratedInMua

I don't use spamassassin in either of the above methods, so I don't
think I can be of much help to you, but there are lots of ways to do it.


-- 
Chris



Re: bayes_auto_learn_threshold_nonspam

2006-10-31 Thread Chris Purves

Adam Katz wrote:

Is there a way to set the bayes auto-learn thresholds to ignore the score
modifications from bayes and whitelists?  It seems silly to teach SA that
a spam whose only flag was BAYES_20 is ham, or that spam from a
whitelisted friend's virus-infected computer is ham.

(Maybe this is done already?  I don't see mention of this on the wiki or
list archives.)


Running grep noautolearn /usr/share/spamassassin/* returns the list of 
tests with noautolearn set.


GTUBE
AWL
USER_IN_BLACKLIST
USER_IN_WHITELIST
USER_IN_DEF_WHITELIST
USER_IN_BLACKLIST_TO
USER_IN_WHITELIST_TO
USER_IN_MORE_SPAM_TO
USER_IN_ALL_SPAM_TO
USER_IN_DKIM_WHITELIST
USER_IN_DEF_DKIM_WL
ENV_AND_HDR_DKIM_MATCH
USER_IN_SPF_WHITELIST
USER_IN_DEF_SPF_WL
ENV_AND_HDR_SPF_MATCH
SUBJECT_IN_WHITELIST
SUBJECT_IN_BLACKLIST

No Bayes in this list.  If your bayes database is well trained, then I 
don't see why it shouldn't be used to determine and train more spam or ham.



My current workaround is to set USER_IN_WHITELIST to the same value as
BAYES_00 and set large thresholds like:
  bayes_auto_learn_threshold_nonspam = [0 - 5 - BAYES_00]
  bayes_auto_learn_threshold_spam = [required_score + 5 + BAYES_99]
(I see no reason to auto-train within five points of the 0-required_score
range)

I would love to not have to worry about the whitelist or bayes scores when
auto-learning.

My proposal is to ignore bayesian scores in determining auto-learn
threshold and give an option (like bayes_auto_learn_ignores_whitelist 1)
to ignore the whitelist altogether (conceivably, it doesn't matter --
that's its purpose, after all).


I suspect this has been debated and decided in the past, but if you want 
to disable autolearn for specific rules, then add noautolearn to the 
tflags line:


/usr/share/spamassassin/23_bayes.cf
tflags BAYES_00 nice learn noautolearn
tflags BAYES_05 nice learn noautolearn
tflags BAYES_20 nice learn noautolearn
tflags BAYES_40 nice learn noautolearn
tflags BAYES_50 learn noautolearn
tflags BAYES_60 learn noautolearn
tflags BAYES_80 learn noautolearn
tflags BAYES_95 learn noautolearn
tflags BAYES_99 learn noautolearn


--
Chris



Re: Simple script that rejects mail from spammers

2006-10-31 Thread Chris Purves

sa-russian wrote:

Hi to all!

I made a simple script that scans sendmail log files, finds IP from which 
several spam messages were received, and blocks them in sendmail access file.

The background is as follows: Once I found that our MX is nearly down. Running 
top exposed a lot of spamd instances, consuming almost all CPU time. Examining 
maillog showed, that one of our subscribers sent about 4000 messages within 
approximately 15 minutes, and all them were spam. I manually banned that 
subscriber in /etc/mail/access and informed their personnel about possible 
zombie infection.
Now I have script that runs from cron and instantly blocks hosts that have sent 
us more than some maximum number of spam messages within last hour (or any 
duration of your choice).

The script is available from http://sa-russian.narod.ru/block_spammers.bash

Understanding of some fundamentals of BASH scripting is expected. The only MTA 
supported is sendmail. Look at the comments inside the script to tailor it to 
your installation.

Best regards,
Alan M. Makoev 



Have a look at fail2ban.  I believe it can do the same thing (as well as 
more):


http://fail2ban.sourceforge.net/wiki/index.php/Main_Page

--
Chris



Re: Can someone explain what this header info means?

2006-10-30 Thread Chris Purves

Thomas Lindell wrote:


Tests=AWL, Bayes_00 means it matched on Auto whitelist and bayes_00 and was
determined to be valid.  Auto white list is a list of approved senders and
or content.


At least I believe that's all correct unless someone cares to chime in

Auto white list is score averaging based on a specific sender.  See the 
wiki for more details:


http://wiki.apache.org/spamassassin/AutoWhitelist


--
Chris



Re: domainkeys unverified - solved

2006-10-27 Thread Chris Purves

Chris Purves wrote:
I just got the domainkeys plugin set up, but it's not working the way I 
expect.


In messages from Yahoo I see:

0.0 DK_SIGNED Domain Keys: message has an unverified signature

but I never see DK_VERIFIED

Is there something I need to configure?  I didn't apply the patch, 
because I'm assuming it's been incorporated into 3.1.4.




In the end, with the help of Mark Martinec, I was able to determine that 
the problem was with my ISP provided DNS nameservers not allowing full 
TXT records to be returned (they were truncated).


I installed bind9 and used localhost as my primary nameserver and now I 
can get DK_VERIFIED.



Symptoms for this problem were:

DK_VERIFIED does not fire for Yahoo! e-mails (multiple part TXT record)
DK_VERIFIED does fire for Gmail e-mail (single part TXT record)
Perl modules Mail::DomainKeys and Mail::DKIM will fail during make test



--
Chris



Re: domainkeys unverified - solved

2006-10-27 Thread Chris Purves

Mark wrote:



-Original Message-
From: Chris Purves [mailto:[EMAIL PROTECTED]
Sent: vrijdag 27 oktober 2006 23:20
To: users@spamassassin.apache.org
Subject: Re: domainkeys unverified - solved


In the end, with the help of Mark Martinec, I was able to
determine that the problem was with my ISP provided DNS
nameservers not allowing full TXT records to be returned
(they were truncated).



Symptoms for this problem were:

DK_VERIFIED does not fire for Yahoo! e-mails (multiple part
TXT record)


Interesting.

nslookup -q=txt lima._domainkey.yahoogroups.com

k=rsa;
p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL10WHRWMSb9Tnl+k4Kzpc18rDCTpDT1pbK0xwkd
ZIZkaP8NB75qa/S57xccZlIwbI22Ooy/IY+8WxQtvE2z4W
LLNOf9hkMeicUH48TGkEoCAcaSjJz/b3NMrOy9l1U7gQIDAP//

I get two parts, too. Is that their correct public key, when concatenated?
Though I do not get both parts in random order, I wonder if I would not
have the same issue, then.


What you get is correct.  In my case, when it's not working I get:

[EMAIL PROTECTED]:~$ nslookup -q=txt lima._domainkey.yahoogroups.com
Server: 64.59.184.13
Address:64.59.184.13#53

Non-authoritative answer:
lima._domainkey.yahoogroups.com text = k=rsa\; 
p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL10WHRWMSb9Tnl+k4Kzpc18rDCTpDT1pbK0xwkdZIZkaP8NB75qa/S57xccZlIwbI22Ooy/IY+8WxQtvE2z4W


Authoritative answers can be found from:

[EMAIL PROTECTED]:~$

I'm missing the second part of the Answer and Authority is empty. 
Using dig -t txt ... the Additional section is also empty.


--
Chris
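
The symptom in this thread (a resolver handing back only the first string of a multi-string TXT record) can be checked outside SpamAssassin, because the p= value is base64 of a DER structure whose first bytes state its own total length. The script below is an added example, not from the thread: it assumes GNU base64 and od, takes the TXT strings as arguments (for instance the output of dig +short TXT for the selector), and its sample key is a constructed blob, not a real key.

```shell
#!/bin/sh
# Added example (not from the thread): detect a DomainKeys public key that a
# resolver has cut short. Assumes GNU coreutils (base64 -d, od, cut, head).

# dk_key_status TXT-STRING...
# Prints one word: complete | truncated | malformed | missing.
# Returns 0 only for "complete".
dk_key_status() {
    # Join the character-strings of the TXT record and drop the quotes, spaces
    # and backslash escapes that dig/nslookup print around them.
    record=$(printf '%s' "$*" | tr -d ' "\\')
    # Tags are separated by ";" and the key is the value of the p= tag.
    key=$(printf '%s' "$record" | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
    [ -n "$key" ] || { echo missing; return 1; }

    # Decode whole 4-character groups only, so a cut-off tail decodes cleanly.
    usable=$(( ${#key} / 4 * 4 ))
    [ "$usable" -ge 4 ] || { echo malformed; return 1; }
    actual=$(printf '%s' "$key" | cut -c1-"$usable" | base64 -d 2>/dev/null | wc -c)
    actual=$((actual + 0))

    # First bytes of the decoded key: 0x30 (SEQUENCE) followed by its length.
    set -- $(printf '%s' "$key" | cut -c1-"$usable" | base64 -d 2>/dev/null | od -An -tu1 -N4)
    [ "$#" -ge 2 ] && [ "$1" -eq 48 ] || { echo malformed; return 1; }
    if [ "$2" -lt 128 ]; then
        expected=$(( $2 + 2 ))              # short form: one length byte
    elif [ "$2" -eq 129 ] && [ "$#" -ge 3 ]; then
        expected=$(( $3 + 3 ))              # 0x81: length in the next byte
    elif [ "$2" -eq 130 ] && [ "$#" -ge 4 ]; then
        expected=$(( $3 * 256 + $4 + 4 ))   # 0x82: length in the next two bytes
    else
        echo malformed; return 1
    fi

    if [ "$actual" -eq "$expected" ]; then
        echo complete; return 0
    elif [ "$actual" -lt "$expected" ]; then
        echo truncated; return 1
    else
        echo malformed; return 1
    fi
}

# Constructed sample, not a real key: 126 bytes that carry only a valid DER
# SEQUENCE header (0x30 0x7c, "124 bytes follow"), base64-encoded to 168 chars.
dk_sample_key() {
    { printf '\060\174'; head -c 124 /dev/zero; } | base64 | tr -d '\n'
}

# Stand-alone use: pass the TXT strings as arguments.
if [ "$#" -gt 0 ]; then
    dk_key_status "$@"
fi
```

Running it once against the ISP resolver and once against a local caching nameserver shows whether the difference lies in the DNS path rather than in the plugin.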



Re: domainkeys unverified - solved

2006-10-27 Thread Chris Purves

Peter H. Lemieux wrote:

Chris Purves wrote:
In the end, with the help of Mark Martinec, I was able to determine 
that the problem was with my ISP provided DNS nameservers not 
allowing full TXT records to be returned (they were truncated).


Was this something that the ISP cooked up, or was it intrinsic to the 
DNS server software they are using?  If the latter, it would be good to 
know which server they were running.  It might be a useful addition to 
the FAQ/wiki.



I still have to contact them, but I'll post back with my results.


--
Chris



Re: Spamassassin behind a mail relay server

2006-10-26 Thread Chris Purves

Martin Kolb wrote:


Hi all,

I'm running a Spamassassin on a Debian Etch System in a Server, located 
in a computer center behind a mail relay server. Every incoming mail has 
to pass this mailrelay. So, I believe (maybe it's not the problem?) that
my spamassassin now thinks that all that mail is not spam, because it's 
delivered by the local network.


Usually my spamassassin classifies spam mails with a score about 2.0 to 
3.0 - only a few times higher. So, is there any possibility to tell 
spamassassin those circumstances? (Perhaps telling him that this 
mailrelay is bad at all...?) Or does anyone have another idea (except 
decreasing spam score to a dangerous level...)?


I also trained the spamassassin now with thousands of those incoming
spam mails... I also updated regularly.



Have a look at the wiki page for improving performance:

http://wiki.apache.org/spamassassin/UsingSpamAssassin

--
Chris


Re: [Fwd: We know it'll be sent flying, read an announcement]

2006-10-25 Thread Chris Purves

Anders Norrbring wrote:


Anders Norrbring wrote:
The below found junk didn't even trigger my spamassassin to tag it at 
all, yet my lower level is set to 1.6 points in Amavis...


Any ideas on how to fight that sucker?


*  0.6 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
*  0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
*  0.7 MY_CID_AND_STYLE SARE cid and style
*  1.7 SARE_GIF_STOX Inline Gif with little HTML

I hit the following for 3.9 points.

--
Chris


Re: Spamassassin effectiveness, BAYES_99

2006-10-23 Thread Chris Purves

R Lists06 wrote:
From: Benny Pedersen  
i have changed bayes scores to catch most spam here, and changed threshold to
learn spam / ham with less range so it more accurate and prevents bayes
poison on the same time, just have them at scores so spam is still
autolearned, and ham is still autolearned, check that you don't have whitelist
with -100 for spam mails :)

if you use whitelist from or whitelist at all make sure it will not trigger
the bayes ham learning on its own

if your bayes have nearly same count of spam / ham msgs its good

manually learn helps as well

--


I'm not sure I am following the whitelist comments above.

What do you mean and how do we prevent whitelisting from triggering the
bayes on its own?



If you have bayes auto-learning enabled, you can disable it for messages 
that are in your whitelist.  It is especially useful for the 
spamassassin mailing list, which often contains examples of spam, so you 
whitelist the mailing list, but you don't want those messages to be 
auto-learned as ham.  In your local.cf:


whitelist_from_rcvd   [EMAIL PROTECTED]   apache.org   # SA List
bayes_ignore_from [EMAIL PROTECTED]

perldoc Mail::SpamAssassin::Conf for more bayes_ignore info


--
Chris


Re: a

2006-10-23 Thread Chris Purves
On Friday 20 October 2006 02:53, Angel L. Mateo wrote:
 Hello,

   I am using spamassassin with postfix and amavis on a debian sarge
 server. The versions I use are:

 * postfix: 2.1.5
 * amavisd-new
 * spamassassin: 3.1.0a

   The problem I have is that emails sent by one of my users is always
 tagged as spam, although messages aren't spam. The spamassassin flags in
 the received email are:

 X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at telemat.um.es
 X-Spam-Status: Yes, hits=9.5 tagged_above=0.0 required=5.0
 tests=ALL_TRUSTED, AWL
 X-Spam-Level: *
 X-Spam-Flag: YES

   As you can see, the only matching tests are:

 * ALL_TRUSTED: because the mail has only pass through trusted servers
 (in fact, just my mail server).
 * AWL: auto whitelist. According to the documentation, I think that this
 is just a history of the score of his mails.

   What could be the reason for this wrong tagging?

   As far as I can guess, the problem could be the AWL (I think that this
 user is the same that had a problem some months ago with a worm virus
 sending a lot of emails), but I run:

 spamassassin --remove-addr-from-whitelist=hisemail

   And the problem was still there.

   Any help?

Do you use global AWL or per user?  If it's per user then perhaps you ran 
spamassassin --remove-addr-from-whitelist=hisemail from your root account, 
in which case only e-mails sent to the root account will have the AWL reset.

-- 
Take care,
Chris


Re: how to set trusted_networks for dynamic ip host

2006-10-19 Thread Chris Purves
On Wednesday 18 October 2006 17:03, Daryl C. W. O'Shea wrote:
 Chris Purves wrote:
  How do I properly set trusted_networks when my mail server has a dynamic
  IP address?

 Assuming your dynamically address mail server is your only mail server,
 and SA actually sees your public address, auto detection will probably
 work fine.

That is my configuration and I tested it, and the auto detection looks to be 
working.  When I send myself a mail from gmail, it listed the gmail server as 
untrusted and sending a message to myself from myself triggered ALL_TRUSTED.

 If it's NATed and SA sees the internal private address, then use that
 address in your config.

Thanks, I wasn't sure if setting a private IP would work or not.

-- 
Take care,
Chris


Re: how to set trusted_networks for dynamic ip host

2006-10-19 Thread Chris Purves
On Wednesday 18 October 2006 18:15, Christopher Martin wrote:
 If you are using dhclient, you should try:

 man dhclient
 man dhclient.conf

 This will depend on what flavour of Linux you're on, different ones might
 not use the ISC client.

 Here is a config example which shows how to run a script:

timeout 60;
retry 60;
reboot 10;
select-timeout 5;
initial-interval 2;
reject 192.33.137.209;

interface "ep0" {
    send host-name "andare.fugue.com";
    send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
    send dhcp-lease-time 3600;
    supersede domain-name "fugue.com rc.vix.com home.vix.com";
    prepend domain-name-servers 127.0.0.1;
    request subnet-mask, broadcast-address, time-offset, routers,
            domain-name, domain-name-servers, host-name;
    require subnet-mask, domain-name-servers;
    script "/etc/dhclient-script";
    media "media 10baseT/UTP", "media 10base2/BNC";
}

alias {
  interface "ep0";
  fixed-address 192.5.5.213;
  option subnet-mask 255.255.255.255;
}

 Hope that helps!

  -Original Message-
  From: John D. Hardin [mailto:[EMAIL PROTECTED]
  Sent: Thursday, 19 October 2006 9:00 AM
  To: Chris Purves
  Cc: users@spamassassin.apache.org
  Subject: Re: how to set trusted_networks for dynamic ip host
 
  On Wed, 18 Oct 2006, Chris Purves wrote:
   How do I properly set trusted_networks when my mail server has a
   dynamic IP address?
 
  Have your /etc/ppp/ip-up.local script (assuming your link is PPP or
  PPPoE) generate a small SA config file in /etc/mail/spamassassin with
  the appropriate trusted networks information and have it restart SA
  (assuming you're using spamc/spamd). It will run whenever your link
  comes up or your IP address changes.
 
  There are similar facilities available for DHCP clients (i.e. a script
  that is run when the link comes up or an IP address is reassigned) - I
  don't remember the details off the top of my head, but man dhcpcd
  may help.
 
  --
   John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/
   [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED]
   key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  --
  -
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
  --
  -
   13 days until Halloween


Thanks John and Christopher, I think I will play around with a dhcp script 
when I have a bit more time.

-- 
Take care,
Chris
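
A sketch of the link-up hook suggested in this thread, as an added example that is not code from any of the posters: it validates the address, rewrites a small SpamAssassin config file only when the address has changed, and restarts spamd only in that case. The file name dynamic_ip.cf, the restart command and the assumption that the distribution's ip-up passes its arguments on to ip-up.local are all hypothetical choices.

```shell
#!/bin/sh
# Added example (not from the thread): keep trusted_networks in step with a
# dynamically assigned address.
# Assumptions: config file name, restart command, installed as /etc/ppp/ip-up.local.
SA_DYNAMIC_CF=${SA_DYNAMIC_CF:-/etc/mail/spamassassin/dynamic_ip.cf}
SPAMD_RESTART_CMD=${SPAMD_RESTART_CMD:-/etc/init.d/spamassassin restart}

# The address is supplied by pppd or a DHCP server, so accept nothing but a
# dotted quad before it is written into a file the spam filter parses.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# update_trusted_networks IP FILE
# Prints "changed" or "unchanged"; returns 2 for a bad address, 3 on write failure.
update_trusted_networks() {
    new_ip=$1
    cf=$2
    is_ipv4 "$new_ip" || return 2
    # The temporary name does not end in .cf, so SpamAssassin never loads it.
    tmp="$cf.tmp.$$"
    printf '# Generated by the link-up hook; edits will be overwritten.\ntrusted_networks %s\n' \
        "$new_ip" > "$tmp" || return 3
    if [ -f "$cf" ] && cmp -s "$tmp" "$cf"; then
        rm -f "$tmp"
        echo unchanged
    else
        # Rename in place so spamd never reads a half-written file.
        mv "$tmp" "$cf" || return 3
        echo changed
    fi
}

# pppd passes the local address as the fourth argument to its ip-up script.
# For ISC dhclient hooks the address is in $new_ip_address instead.
case "$0" in
    */ip-up.local)
        result=$(update_trusted_networks "$4" "$SA_DYNAMIC_CF") || exit $?
        if [ "$result" = changed ]; then
            $SPAMD_RESTART_CMD
        fi
        ;;
esac
```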


Re: domainkeys unverified

2006-10-19 Thread Chris Purves
On Tuesday 17 October 2006 20:49, Chris Purves wrote:
 On Tuesday 17 October 2006 12:52, Mark Martinec wrote:
  It is a waste of time working with versions of Mail::DomainKeys so old,
  there will be numerous false-positive signature failures.

 Okay, I installed Mail::DomainKeys 0.88 from CPAN.  I sent a message
 directly from a Yahoo account to my mail server and now I see:

   *  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some 
 mails
   *  0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
   *  0.0 DK_SIGNED Domain Keys: message has an unverified signature

 Still no DK_VERIFIED

After sending myself a mail from gmail I see:


*  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some 
mails
*  0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
*  0.0 DK_SIGNED Domain Keys: message has an unverified signature
* -0.0 DK_VERIFIED Domain Keys: signature passes verification

So, it looks like everything is working with the spamassassin plugin and 
Mail::DomainKeys.  Upgrading from 0.80 to 0.88 definitely helped.

-- 
Take care,
Chris


sa-update with cron

2006-10-19 Thread Chris Purves
I'm running sa-update from a bash script in /etc/cron.hourly but I keep 
getting the following every time the script runs:

run-parts: /etc/cron.hourly/sa-update exited with return code 1

I believe this is because sa-update only returns error code 0 when something 
has been updated so that you can append && restart spamd command.

I tried appending 2>/dev/null to the command in order to get rid of the error 
code, but that didn't make a difference.

I don't have much experience with redirecting bash outputs, so any help would 
be appreciated.

-- 
Take care,
Chris
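
One way to wrap sa-update for cron, as an added example that is not part of the original post: redirecting stderr does not change the exit status that run-parts reports, so the wrapper maps the status itself. It assumes the exit codes given in the sa-update man page (0 = new rules installed, 1 = no fresh updates, anything else = error) and a Debian-style init script for the restart.

```shell
#!/bin/sh
# Added example (not from the thread): cron wrapper around sa-update.
# Assumed exit codes (sa-update man page): 0 = new rules installed,
# 1 = no fresh updates, anything else = error.
SA_UPDATE_CMD=${SA_UPDATE_CMD:-sa-update}
SA_LINT_CMD=${SA_LINT_CMD:-spamassassin --lint}
# Assumption: Debian init script; adjust to however spamd is started locally.
SPAMD_RESTART_CMD=${SPAMD_RESTART_CMD:-/etc/init.d/spamassassin restart}

# Returns 0 when there is nothing for cron to report, non-zero otherwise.
run_sa_update() {
    rc=0
    $SA_UPDATE_CMD || rc=$?
    case "$rc" in
        0)  # New rules are on disk: check that they parse before spamd loads them.
            if ! $SA_LINT_CMD; then
                echo "sa-update: new rules fail lint, spamd not restarted" >&2
                return 2
            fi
            $SPAMD_RESTART_CMD || {
                echo "sa-update: spamd restart failed" >&2
                return 3
            }
            return 0 ;;
        1)  # No fresh updates. Normal for most hourly runs, so stay silent.
            return 0 ;;
        *)  # A real failure: keep it visible so cron mails it.
            echo "sa-update: failed with exit code $rc" >&2
            return "$rc" ;;
    esac
}

# Run only when installed under the cron name used in the post.
case "$0" in
    */cron.hourly/sa-update) run_sa_update ;;
esac
```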


how to set trusted_networks for dynamic ip host

2006-10-18 Thread Chris Purves
How do I properly set trusted_networks when my mail server has a dynamic 
IP address?


--
Chris



domainkeys unverified

2006-10-17 Thread Chris Purves
I just got the domainkeys plugin set up, but it's not working the way I 
expect.


In messages from Yahoo I see:

0.0 DK_SIGNED Domain Keys: message has an unverified signature

but I never see DK_VERIFIED

Is there something I need to configure?  I didn't apply the patch, 
because I'm assuming it's been incorporated into 3.1.4.


--
Chris



Re: domainkeys unverified

2006-10-17 Thread Chris Purves
On Tuesday 17 October 2006 12:52, Mark Martinec wrote:

 It is a waste of time working with versions of Mail::DomainKeys so old,
 there will be numerous false-positive signature failures.


Okay, I installed Mail::DomainKeys 0.88 from CPAN.  I sent a message directly 
from a Yahoo account to my mail server and now I see:

*  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some 
mails
*  0.0 DK_POLICY_TESTING Domain Keys: policy says domain is testing DK
*  0.0 DK_SIGNED Domain Keys: message has an unverified signature

Still no DK_VERIFIED

-- 
Take care,
Chris


Re: Which release of spamassassin should I use on a Debian sarge system?

2006-10-15 Thread Chris Purves
On Sunday 15 October 2006 04:10, Matthias Haegele wrote:
 Chris Purves schrieb:
  I definitely recommend that you upgrade your spamassassin.  The version
  currently in volatile is 3.1.5.  I can't comment as to the differences

   ^
 it seems that currently only 3.1.4 is available through
 volatile-sloppy, but thx for your tip, i was not aware of sloppy too ...

Thanks for catching my mispassing my test.  ;-)

-- 
Take care,
Chris


Re: Which release of spamassassin should I use on a Debian sarge system?

2006-10-14 Thread Chris Purves
On October 13, 2006 06:42 am, Bart Veltman wrote:
 Currently I am using spamassassin version 3.0.3 on a Debian 3.1 sarge
 (stable release) linux system. According to Debian this version is
 stable but is more than a year old. Which version should I use, or must
 I use, to maintain a stable environment? Still go on with version 3.0.3
 or upgrade to a newer version?

You can also get newer versions of spamassassin from debian-volatile, which 
maintains packages that update often (such as spamassassin, antivirus, etc).  
You would need to add the following to your sources.list (although you'll 
probably want a closer mirror 
http://www.debian.org/devel/debian-volatile/volatile-mirrors):

deb http://gulus.usherbrooke.ca/debian-volatile stable/volatile-sloppy main
deb-src http://gulus.usherbrooke.ca/debian-volatile stable/volatile-sloppy main

I definitely recommend that you upgrade your spamassassin.  The version 
currently in volatile is 3.1.5.  I can't comment as to the differences 
between using backports, as others have suggested, or volatile.  You'll have 
to research that yourself.  If you use volatile, you won't need to update 
your preferences file, since there is a very small subset of packages in that 
repository.



-- 
Take care,
Chris


Received.pm bug?

2006-09-09 Thread Chris Purves
I have filed a bug report with Debian several months ago about 
received.pm not properly identifying HELO in some instances (which 
causes SPF to not work), but there hasn't been any action yet.


Could a few people have a look at the report and give me your feedback 
as to whether you think this is a bug or not?


http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357696

--
Chris



Re: warn: reporter: razor2 report failed

2006-04-08 Thread Chris Purves
On Tuesday 04 April 2006 08:47, Chris wrote:
 Maybe its my imagination, but it seems ever since the razor license was
 changed I get two or three of these when manually reporting a spam.  The
 whole error is:

  warn: reporter: razor2 report failed: No such file or directory reporter:
 razor2 had unknown error during authenticate
 at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/Razor2.pm line
 209, GEN2 line 1.
 at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/Razor2.pm line
 322.
 1 message(s) examined.

 After two or three tries it reports the message correctly.  Anyone else
 seen this or know of any reason for it?

I see it all the time.  It's intermittent.  I have no explanation, but expect 
it is network related.

-- 
Good day, eh.
Chris


Re: SPF Error: cannot get HELO, cannot use SPF

2006-03-22 Thread Chris Purves

mouss wrote:

Chris Purves a écrit :
[snip]


What spamc calls EnvelopeFrom is the top header of the message:

Return-path:
[EMAIL PROTECTED]

I am guessing that exim calls spamc before it adds this header so that
spamc has less information to work with than when running the tests.

I'm sorry for the very long e-mail...I hope someone has a suggestion as
to what I can do now.  I am using sa-exim inbetween exim and SA.




The Return-Path is added by the MTA when handing mail to something
external (mostly for delivery). whether it'll give it to SA or not
depends on how SA is integrated.



I have finally solved the return path problem.  I am using sa-exim to 
call spamassassin from exim.  sa-exim adds its own return path header, 
so I needed only to add the following line to local.cf:


envelope_sender_header  X-SA-Exim-Mail-From


--
Good day, eh.
Chris



Re: Why does SPF need HELO to verify? - Problem with Received.pm

2006-03-12 Thread Chris Purves
On Friday 10 March 2006 19:11, Chris Purves wrote:

 What I would like to know is, why does the SPF plugin need HELO, when it
 can use the from information from the Received header?

 I found a discussion on the exim mailing list where it states that the
 header does not show HELO information if the reverse entry matches.

 http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20031117/msg00116.html

I have done some more digging and I believe that the problem lies not with the 
SPF plugin, but with the Received.pm file.  I believe that it is not properly 
reading the HELO information from the header.  You can see below that it 
specifies helo=.

From spamd.log:

Sun Mar 12 16:55:11 2006 [2311] dbg: received-header: parsed as
  [ ip=66.111.4.28 rdns=out4.smtp.messagingengine.com helo=
  by=aurora.northfolk.ca ident= [EMAIL PROTECTED] intl=0
  id=1FIMM3-bJ-5k auth= ]
Sun Mar 12 16:55:11 2006 [2311] dbg: received-header: relay 66.111.4.28
  trusted? no internal? no
Sun Mar 12 16:55:11 2006 [2311] dbg: received-header: parsed as
  [ ip=10.202.2.149 rdns=mysql-sessions.internal helo=frontend1.internal
  by=frontend1.messagingengine.com ident= envfrom= intl=0 id=690F5D3B608
  auth= ]
Sun Mar 12 16:55:11 2006 [2311] dbg: received-header: relay 10.202.2.149
  trusted? no internal? no
Sun Mar 12 16:55:11 2006 [2311] dbg: received-header: parsed as
  [ ip=10.202.2.152 rdns= helo=frontend3.messagingengine.com
  by=frontend1.internal ident= envfrom= intl=0 id=auth= ]
Sun Mar 12 16:55:11 2006 [2311] dbg: received-header: relay 10.202.2.152
  trusted? no internal? no
Sun Mar 12 16:55:11 2006 [2311] dbg: spf: checking HELO (helo=,
  ip=66.111.4.28)
Sun Mar 12 16:55:11 2006 [2311] dbg: spf: cannot get HELO, cannot use SPF

The actual received headers are:

Received: from out4.smtp.messagingengine.com ([66.111.4.28])
by aurora.northfolk.ca (envelope-from
[EMAIL PROTECTED])
with esmtp (Exim 4.50)
id 1FIMM3-bJ-5k
for [EMAIL PROTECTED]; Sun, 12 Mar 2006 16:55:38 +0800
Received: from frontend1.internal (mysql-sessions.internal [10.202.2.149])
by frontend1.messagingengine.com (Postfix) with ESMTP id 690F5D3B608
for [EMAIL PROTECTED]; Sun, 12 Mar 2006 03:55:08 -0500 (EST)
Received: from frontend3.messagingengine.com ([10.202.2.152])
  by frontend1.internal (MEProxy); Sun, 12 Mar 2006 03:55:08 -0500
Received: by frontend3.messagingengine.com (Postfix, from userid 99)
id 6112A387; Sun, 12 Mar 2006 03:55:07 -0500 (EST)

I am using the custom received header described at 
http://wiki.apache.org/spamassassin/EnvelopeSenderInReceived, so I would 
expect it to play nice with spamassassin.  I am running the spamassassin 
3.1.0a-2 Debian package.

Can someone confirm if this is a problem with Received.pm, or suggest how I 
can test it separately on my mail.  This just may be driving me insane...

Thanks.

-- 
Good day, eh.
Chris


Re: hash sharing

2006-03-12 Thread Chris Purves
On Monday 13 March 2006 02:31, Daniel Nielsen wrote:
 Currently I have spamassassin 3.1.0 working very nicely with exim4 and
 courier imap. I am not using razor, pyzor or DCC. My question is is one
 preferable over the other and should I use more than one of these options?

I use all three.  Often messages will show on one before the others.

Be aware that there are legal restrictions to using razor and DCC.

-- 
Good day, eh.
Chris


Why does SPF need HELO to verify?

2006-03-10 Thread Chris Purves

I have found that most mail I receive has received headers as:

Received: from sesame.csx.cam.ac.uk ([131.111.8.41])
by aurora.northfolk.ca (envelope-from
[EMAIL PROTECTED])
with esmtp (Exim 4.50)
id 1FHfBB-0006Bq-GL
for [EMAIL PROTECTED]; Fri, 10 Mar 2006 18:49:22 +0800

But in my spamd.log I see:

Fri Mar 10 18:49:06 2006 [15923] dbg: spf: checking EnvelopeFrom (helo=, 
ip=131.111.8.41, [EMAIL PROTECTED])

Fri Mar 10 18:49:06 2006 [15923] dbg: spf: cannot get HELO, cannot use SPF

What I would like to know is, why does the SPF plugin need HELO, when it 
can use the from information from the Received header?


I found a discussion on the exim mailing list where it states that the 
header does not show HELO information if the reverse entry matches.


http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20031117/msg00116.html

Is this something that exim does differently than other MTA's or is it a 
problem with the SPF plugin?


Mail from this list looks like:

Received: from hermes.apache.org ([209.237.227.199] helo=mail.apache.org)
by aurora.northfolk.ca (envelope-from
[EMAIL PROTECTED])
with smtp (Exim 4.50)
id 1FHele-00069Q-UO
for [EMAIL PROTECTED]; Fri, 10 Mar 2006 18:23:19 +0800

In which case SPF works fine.  What are others doing about this?

Thanks.


--
Good day, eh.
Chris



Re: CheapTickets newsletter triggering SARE_BAYES plus others

2006-03-08 Thread Chris Purves

Loren Wilton wrote:


The other rule is looking for a really standard spammer trick:
FONT/FONT.


Interesting.  How is this helpful to spammers?

--
Good day, eh.
Chris



Re: Spamassassin does not learn

2006-03-01 Thread Chris Purves

Egoitz Aurrekoetxea Aurre wrote:

First of all I don't understand how spamd and spamc work... I use spampd
to act as smtp proxy for spamassassin, and I've uninstalled the exim4 from
the machine. Could anyone give me a link or an explanation of this? I'm
very newbie; I've got the default configuration for spamassassin and
spampd. I think I don't use spamc... what's the really use of spamc? must
it work together in the machine with an mta? I tell this because it's an
smtp proxy in which I have clamsmtp and spampd this last obviously runs
with spamassassin but nothing else... what should I do?

Spamc works with spamd.  Spamc is the command that actually checks the 
message.  spamc < some_message will scan some_message the same as 
spamassassin < some_message would.  The difference is that spamc works 
with spamd which has already loaded spamassassin into memory, so it is 
faster than using the spamassassin command.


I recommend installing sa-exim (apt-get install sa-exim), which will 
nicely tie spamassassin into exim4 and allow you to reject messages with 
high spam scores.




--
Good day, eh.
Chris



Re: Spamassassin does not learn

2006-02-28 Thread Chris Purves

Matt Kettler wrote:

Egoitz Aurrekoetxea wrote:


Hi everybody,

I'm using Spamassassin 3.0.3 on a Debian machine running spampd proxy.
When I check my receiving mail's headers I see that when talks about
autolearn always says no or failed, what could be the reason?



1) are you using spamd?
2) do you call spamc as root?
3) do you pass -u to either spamc or spamd?

Default Debian configuration is to run spamd as root and call spamc as 
Debian-exim...I was using this without problems.


I suspect a permissions problem when creating/accessing the bayes 
database.  I think Debian-exim has /var/spool/exim4 as home directory, 
so spamassassin will try to create /var/spool/exim4/.spamassassin. 
Check that Debian-exim has read-write access.  There should be errors in 
spamd.log if it's a permission problem.


Of course, Matt's suggestion is better...

--
Good day, eh.
Chris



Re: SPF Error: cannot get HELO, cannot use SPF

2006-02-26 Thread Chris Purves

jdow wrote:

From: Chris Purves [EMAIL PROTECTED]


X-Spam-Report:
*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
* -1.3 AWL AWL: From: address is in the auto white-list

But if I run the same message from a user account with spamassassin -t 
... I get:

-100 USER_IN_WHITELIST  From: address is in the user's white-list
 0.1 FORGED_RCVD_HELO   Received: contains a forged HELO
-0.0 SPF_PASS   SPF: sender matches SPF record


It looks like SPF and whitelisting (I have spamassassin set in
whitelist_from_rcvd) are not being run when SA is called from exim, but
it works when calling spamassassin manually.

Any suggestions?



One, does the user account have a user whitelist entry?



Not the user account, but local.cf


Two, are you using per user AWL.



Yes


Three, did you restart spamassassin or whatever service is running
spamassassin?



But, of course. ;-)



OK, and a fourth would involve making sure both spamassassin and spamd
are running with the same set of rules. USER_IN_WHITELIST is an eval
in 60_whitelist.cf under 3.05. I see no reason it would have changed much
with 3.10, logically. So one might presume the spamd is running with a
set of options such that it bypasses reading the /usr/share/spamassassin
directory for the stock shared rules. Are you using one of the options
that redirects the source for the rules with spamd?


I am running different versions of spamassassin (including spamd) and 
spamc in order to keep a stable Debian system.  Spamassassin is version 
3.1.0 and spamc is version 3.0.3; however, I haven't noticed any 
problems with any other rules.  Network and local tests appear to be 
working fine with this setup.


I'm not using any options like that to my knowledge.  Besides -d 
spamassassin is running with the following options:


-u Debian-exim --create-prefs --max-children 5 --helper-home-dir=/var/s
pool/spamassassin/ -s /var/log/spamassassin/spamd.log



Fifth, is the directory readable by the account you are using for spamd?

Sixth, is the account you are using for testing the same as the account
for the live case you mention? (I suppose this one should have been
question zero. I just sort of presumed this was the case. But sometimes
the obvious questions are ones people overlook because fer shure it's
OK. {^_-})


I'll answer the fifth and sixth question together.  I found that with 
the default setup spamd was being run as root.  Under this situation I 
could manually call spamc with a local user and user Debian-exim (which 
according to spamd.log is the user that normally calls spamc) and the 
results shows the SPF results as well as the whitelist entry.  As you 
can see from above I switched the spamd user to Debian-exim.  Manually 
calling spamc (using sudo -u Debian-exim ...) under this situation works 
fine, but when called directly from exim, still no good.


The only thing I can think of trying is downgrading spamassassin to 
3.0.3 to match spamc and see if that works.  I don't want to upgrade 
spamc, because it wants to upgrade too many other packages.


--
Good day, eh.
Chris



Re: SPF Error: cannot get HELO, cannot use SPF

2006-02-26 Thread Chris Purves

Matthias Fuhrmann wrote:

On Sat, 25 Feb 2006, Chris Purves wrote:

Hi,



I am not getting SPF_ hits for most messages that I expect should pass
SPF.  On one message when I run through spamassassin with debug I see:

[5959] dbg: spf: checking HELO (helo=, ip=66.111.4.28)
[5959] dbg: spf: cannot get HELO, cannot use SPF
[5959] dbg: spf: checking EnvelopeFrom (helo=, ip=66.111.4.28,
[EMAIL PROTECTED])
[5959] dbg: spf: cannot get HELO, cannot use SPF



if i'm totally wrong just ignore my mail :)

but did you get by any chance similar entries in your syslog like:

Dec 18 00:05:44 machine spamd[6429]: Can't locate LMAP/CID2SPF.pm in
@INC (@INC contains: lib ../lib
...
/opt/gnu/lib/perl5/site_perl/5.8.3/Mail/SPF/Query.pm line 1749, GEN16 line 
2073.


Thanks, but I'm not seeing anything like that.

--
Good day, eh.
Chris



Re: SPF Error: cannot get HELO, cannot use SPF

2006-02-26 Thread Chris Purves

Chris Purves wrote:

Chris Purves wrote:


I am not getting SPF_ hits for most messages that I expect should pass
SPF.  On one message when I run through spamassassin with debug I see:

[5959] dbg: spf: checking HELO (helo=, ip=66.111.4.28)
[5959] dbg: spf: cannot get HELO, cannot use SPF
[5959] dbg: spf: checking EnvelopeFrom (helo=, ip=66.111.4.28,
[EMAIL PROTECTED])
[5959] dbg: spf: cannot get HELO, cannot use SPF


The received header looks like:

Received: from out4.smtp.messagingengine.com ([66.111.4.28])
 by aurora.northfolk.ca with esmtp (Exim 4.50)
 id 1FCneI-0001Q8-Hs
 for [EMAIL PROTECTED]; Sat, 25 Feb 2006 08:51:09 +0800



I found another clue...

In one of my e-mails sent to this list, the header shows:

X-Spam-Report:
*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
* -1.3 AWL AWL: From: address is in the auto white-list

But if I run the same message from a user account with spamassassin -t  
... I get:


-100 USER_IN_WHITELIST  From: address is in the user's white-list
 0.1 FORGED_RCVD_HELO   Received: contains a forged HELO
-0.0 SPF_PASS   SPF: sender matches SPF record


It looks like SPF and whitelisting (I have spamassassin set in 
whitelist_from_rcvd) are not being run when SA is called from exim, but 
it works when calling spamassassin manually.


Any suggestions?



I believe I have found what is causing the problem, but don't yet know 
how to fix it.



I added -D spf to spamd options.  In spamd.log I see:

Mon Feb 27 11:44:32 2006 [20290] info: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 58443
Mon Feb 27 11:44:32 2006 [20290] info: spamd: processing message 
[EMAIL PROTECTED] for Debian-exim:102
Mon Feb 27 11:44:32 2006 [20290] dbg: spf: checking HELO 
(helo=mail.apache.org,ip=209.237.227.199)
Mon Feb 27 11:44:32 2006 [20290] dbg: spf: query for 
/209.237.227.199/mail.apache.org: result: none, comment: SPF: domain of 
sender mail.apache.org does not designate mailers
Mon Feb 27 11:44:32 2006 [20290] dbg: spf: cannot get Envelope-From, 
cannot use SPF
Mon Feb 27 11:44:32 2006 [20290] dbg: spf: def_spf_whitelist_from: could 
not find useable envelope sender
Mon Feb 27 11:44:32 2006 [20290] dbg: spf: spf_whitelist_from: could not 
find useable envelope sender
Mon Feb 27 11:44:40 2006 [20290] info: spamd: clean message (0.1/5.0) 
for Debian-exim:102 in 7.8 seconds, 3480 bytes.
Mon Feb 27 11:44:40 2006 [20290] info: spamd: result: .  0 - FORGED_RCVD_HELO scantime=7.8,size=3480,user=Debian-exim,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=58443,mid=[EMAIL PROTECTED],autolearn=unavailable
Mon Feb 27 11:44:40 2006 [20280] info: prefork: child states: II

Then I run sudo -u Debian-exim spamc  ... on the same message.  This 
is what is in spamd.log:


Mon Feb 27 11:48:50 2006 [20290] info: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 58451
Mon Feb 27 11:48:50 2006 [20290] info: spamd: processing message 
[EMAIL PROTECTED] for Debian-exim:102
Mon Feb 27 11:48:50 2006 [20290] dbg: spf: checking HELO 
(helo=mail.apache.org,ip=209.237.227.199)
Mon Feb 27 11:48:51 2006 [20290] dbg: spf: query for 
/209.237.227.199/mail.apache.org: result: none, comment: SPF: domain of 
sender mail.apache.org does not designate mailers
Mon Feb 27 11:48:51 2006 [20290] dbg: spf: checking EnvelopeFrom 
(helo=mail.apache.org, ip=209.237.227.199, 
[EMAIL PROTECTED])
Mon Feb 27 11:48:51 2006 [20290] dbg: spf: query for 
[EMAIL PROTECTED]/209.237.227.199/mail.apache.org: 
result: pass, comment: Please see 
http://spf.pobox.com/why.html?sender=users-return-38258-chris%3Dnorthfolk.ca%40spamassassin.apache.orgip=209.237.227.199receiver=aurora.northfolk.ca: 
spamassassin.apache.org MX mail.apache.org A 209.237.227.199
Mon Feb 27 11:48:51 2006 [20290] dbg: spf: def_whitelist_from_spf: 
[EMAIL PROTECTED] is not in 
DEF_WHITELIST_FROM_SPF
Mon Feb 27 11:48:51 2006 [20290] dbg: spf: whitelist_from_spf: 
[EMAIL PROTECTED] is not in 
user's WHITELIST_FROM_SPF
Mon Feb 27 11:49:03 2006 [20290] info: spamd: clean message (-99.9/5.0) 
for Debian-exim:102 in 12.7 seconds, 4019 bytes.
Mon Feb 27 11:49:03 2006 [20290] info: spamd: result: . -99 - AWL,FORGED_RCVD_HELO,SPF_PASS,USER_IN_WHITELIST scantime=12.7,size=4019,user=Debian-exim,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=58451,mid=4[EMAIL PROTECTED],autolearn=unavailable
Mon Feb 27 11:49:03 2006 [20280] info: prefork: child states: II


So...when called by exim, spamc cannot find EnvelopeFrom, but when 
called by me after the message has been delivered it can find 
EnvelopeFrom and complete the SPF check.  I expect this is also the 
reason that whitelist_from_rcvd doesn't work.


What spamc calls EnvelopeFrom is the top header of the message:

Return-path: [EMAIL PROTECTED]

I am guessing that exim calls spamc before it adds this header so that 
spamc has less information to work with than when running the tests

Re: SPF Error: cannot get HELO, cannot use SPF

2006-02-25 Thread Chris Purves

On Sat, February 25, 2006 4:18 pm, jdow said:
 From: Chris Purves [EMAIL PROTECTED]

 Chris Purves wrote:
 I am not getting SPF_ hits for most messages that I expect should pass
 SPF.  On one message when I run through spamassassin with debug I see:

 [5959] dbg: spf: checking HELO (helo=, ip=66.111.4.28)
 [5959] dbg: spf: cannot get HELO, cannot use SPF
 [5959] dbg: spf: checking EnvelopeFrom (helo=, ip=66.111.4.28,
 [EMAIL PROTECTED])
 [5959] dbg: spf: cannot get HELO, cannot use SPF


 The received header looks like:

 Received: from out4.smtp.messagingengine.com ([66.111.4.28])
  by aurora.northfolk.ca with esmtp (Exim 4.50)
  id 1FCneI-0001Q8-Hs
  for [EMAIL PROTECTED]; Sat, 25 Feb 2006 08:51:09 +0800


 I found another clue...

 In one of my e-mails sent to this list, the header shows:

 X-Spam-Report:
 *  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
 * -1.3 AWL AWL: From: address is in the auto white-list

 But if I run the same message from a user account with spamassassin -t 
 ... I get:

 -100 USER_IN_WHITELIST  From: address is in the user's white-list
  0.1 FORGED_RCVD_HELO   Received: contains a forged HELO
 -0.0 SPF_PASS   SPF: sender matches SPF record


 It looks like SPF and whitelisting (I have spamassassin set in
 whitelist_from_rcvd) are not being run when SA is called from exim, but
 it works when calling spamassassin manually.

 Any suggestions?

 One, does the user account have a user whitelist entry?

Not the user account, but local.cf

 Two, are you using per user AWL.

Yes

 Three, did you restart spamassassin or whatever service is running
 spamassassin?

But, of course. ;-)

-- 
Good day, eh.
Chris



SPF Error: cannot get HELO, cannot use SPF

2006-02-24 Thread Chris Purves
I am not getting SPF_ hits for most messages that I expect should pass
SPF.  On one message when I run through spamassassin with debug I see:

[5959] dbg: spf: checking HELO (helo=, ip=66.111.4.28)
[5959] dbg: spf: cannot get HELO, cannot use SPF
[5959] dbg: spf: checking EnvelopeFrom (helo=, ip=66.111.4.28,
[EMAIL PROTECTED])
[5959] dbg: spf: cannot get HELO, cannot use SPF


The received header looks like:

Received: from out4.smtp.messagingengine.com ([66.111.4.28])
 by aurora.northfolk.ca with esmtp (Exim 4.50)
 id 1FCneI-0001Q8-Hs
 for [EMAIL PROTECTED]; Sat, 25 Feb 2006 08:51:09 +0800


There is no HELO in the received header, explaining the spamassassin
message, but what can I do about it?  Is it a problem with my server while
receiving, or does it have to do with the server sending?


-- 
Good day, eh.
Chris



Re: (OT, but relevant) Playing with AOL?

2006-02-24 Thread Chris Purves

jdow wrote:


Of course, if AOL gets away with this then they are not a common carrier
anymore. So they become responsible for their content. Sue them for any
bad content and throw their charges in their face as evidence that they
are not a carrier, they are a content service. Nail their sorry backsides
to the nearest Sequoia half way up.


se·quoi·a   Pronunciation Key  (s-kwoi)
n.

   1. See redwood.

red·wood   Pronunciation Key  (rdwd)
n.

   1.
 1. A very tall, evergreen, coniferous tree (Sequoia 
sempervirens) native to the coastal ranges of southern Oregon and 
central and northern California, having small seed-bearing cones with 
peltate scales and unflattened branches.

 2. The soft reddish wood of this tree. Also called sequoia.


--
Good day, eh.
Chris



Re: SPF Error: cannot get HELO, cannot use SPF

2006-02-24 Thread Chris Purves

Chris Purves wrote:

I am not getting SPF_ hits for most messages that I expect should pass
SPF.  On one message when I run through spamassassin with debug I see:

[5959] dbg: spf: checking HELO (helo=, ip=66.111.4.28)
[5959] dbg: spf: cannot get HELO, cannot use SPF
[5959] dbg: spf: checking EnvelopeFrom (helo=, ip=66.111.4.28,
[EMAIL PROTECTED])
[5959] dbg: spf: cannot get HELO, cannot use SPF


The received header looks like:

Received: from out4.smtp.messagingengine.com ([66.111.4.28])
 by aurora.northfolk.ca with esmtp (Exim 4.50)
 id 1FCneI-0001Q8-Hs
 for [EMAIL PROTECTED]; Sat, 25 Feb 2006 08:51:09 +0800



I found another clue...

In one of my e-mails sent to this list, the header shows:

X-Spam-Report:
*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
* -1.3 AWL AWL: From: address is in the auto white-list

But if I run the same message from a user account with spamassassin -t  
... I get:


-100 USER_IN_WHITELIST  From: address is in the user's white-list
 0.1 FORGED_RCVD_HELO   Received: contains a forged HELO
-0.0 SPF_PASS   SPF: sender matches SPF record


It looks like SPF and whitelisting (I have spamassassin set in 
whitelist_from_rcvd) are not being run when SA is called from exim, but 
it works when calling spamassassin manually.


Any suggestions?




--
Good day, eh.
Chris



Re: Several problems with SA 3.1

2006-02-16 Thread Chris Purves

Eduardo Gimeno wrote:


2.-SA was classifying mail properly, attending to ^X-Spam-Status: .*Yes,
into spam and ham folders. Since yesterday, all legitimate (ham) mail is
going directly to SPAM folder, without any mark. What has changed??? I
noticed the headers were including the tag:

X-Spam-Status: No, score=-1.6 required=5.0 tests=AWL,BAYES_00,
 FORGED_RCVD_HELO,HTML_MESSAGE autolearn=ham version=3.1.0

I suspected that the YES from baYES_00 was being filtered with the
rule .*Yes, and I changed the rule to ^X-Spam-Status: Yes. Now it
works, but I don't understand why I had to do this change.

Regular expressions are greedy.  They will always match the largest 
value they can.


^X-Spam-Status: .*Yes means match X-Spam-Status:  at the beginning 
of the line then as many characters as possible then Yes.  I am 
surprised that it's not case sensitive, though.


Since the location of Yes is well defined, it's better not to use .* 
and keep a single space.


But I also don't see that this has anything to do with spamassassin, 
since filing mail should be the job of the MTA.


--
Good day, eh.
Chris
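An added example (not from the thread or from the procmail documentation) that replays the header quoted above against both conditions and then reads the verdict field directly. It assumes procmail's default of ignoring case in conditions unless the `D` flag is set, approximated here with Python's `re`; the spam message and the function names are constructed.

```python
import re
from email import message_from_string

# Ham header as quoted in the post; addresses and the spam message are constructed.
HAM = (
    "From: sender@example.org\n"
    "X-Spam-Status: No, score=-1.6 required=5.0 tests=AWL,BAYES_00,\n"
    "\tFORGED_RCVD_HELO,HTML_MESSAGE autolearn=ham version=3.1.0\n"
    "Subject: hello\n\nbody\n"
)
SPAM = (
    "From: sender@example.net\n"
    "X-Spam-Status: Yes, score=12.3 required=5.0 tests=BAYES_99,\n"
    "\tURIBL_BLACK autolearn=spam version=3.1.0\n"
    "Subject: offer\n\nbody\n"
)

LOOSE = r"^X-Spam-Status: .*Yes"   # the condition that misfiled ham
STRICT = r"^X-Spam-Status: Yes"    # the condition the poster switched to


def condition_matches(pattern, raw_message, ignore_case=True):
    """Approximate a procmail header condition: search the header block,
    line-anchored, ignoring case by default."""
    headers = raw_message.split("\n\n", 1)[0]
    flags = re.MULTILINE | (re.IGNORECASE if ignore_case else 0)
    return re.search(pattern, headers, flags) is not None


def parse_spam_status(raw_message):
    """Read the verdict from its own field instead of pattern-matching the
    whole line, so rule names such as BAYES_00 cannot influence it."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        return None
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    head = re.match(
        r"(Yes|No), score=(-?\d+(?:\.\d+)?) required=(-?\d+(?:\.\d+)?)", value
    )
    if head is None:
        return None
    tests = re.search(r"tests=(.*?)\s+autolearn=", value)
    names = [t.strip() for t in tests.group(1).split(",")] if tests else []
    return {
        "spam": head.group(1) == "Yes",
        "score": float(head.group(2)),
        "required": float(head.group(3)),
        "tests": [n for n in names if n],
    }


if __name__ == "__main__":
    for label, msg in (("ham", HAM), ("spam", SPAM)):
        print(label,
              "loose:", condition_matches(LOOSE, msg),
              "strict:", condition_matches(STRICT, msg),
              "parsed:", parse_spam_status(msg)["spam"])
```

The loose condition matches the ham header only because the "YES" inside BAYES_00 satisfies a case-insensitive `Yes`; with case respected it does not match.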



Re: Several problems with SA 3.1

2006-02-16 Thread Chris Purves

Eduardo Gimeno wrote:

Thanks for the reply. I found the sample .procmailrc file at some
documentation page... I would expect it being case sensitive too...
Well, then I leave the rule as ^X-Spam-Status: Yes. Anyhow this way it
is working. I wonder why this changed from one day to other...

What about the EXITCODE? Is 67 right? Is #67 causing all the outgoing (and
deferred) mail? Should I change it to $? as seen on other examples?



Sorry, I only know about regular expressions... :-)

I'm sure someone else on this list that is more knowledgeable than me 
will be able to help you with that.



--
Good day, eh.
Chris



Re: Post your top 10 from sa-stats

2006-02-05 Thread Chris Purves
On Friday 03 February 2006 21:58, John Fleming wrote:
 
  Using the latest file from rules emporium, I made the file executable,
  then:
 
  ./sa-stats-1.0.txt -l /var/log/spamassassin/ -f spamd.log
 
  For help:
  ./sa-stats-1.0.txt -h

 Thanks for your response!  I am running 3.0.3 on Debian Sarge (stable). 
 The logs I have to use are /var/log/mail.log or /var/log/syslog.  Using the
 other sa-stats.pl (that works fine), I use the log mail.log.  

 However, when I run sa-stats.txt, everything is empty.  It must not be
 getting the right log??  THANKS! -John

 # perl ./sa-stats-1.0.txt -l /var/log/syslog.log


Try:

# perl ./sa-stats-1.0.txt -l /var/log/ -f syslog.log

I found that you need to specify both the directory and the log file 
separately.  But then you can read in several files at once.

-- 
Good day, eh.
Chris


Re: spamassissin filter very broken

2006-02-05 Thread Chris Purves
On Saturday 04 February 2006 01:10, Jeff Portwine wrote:
 Hello...  I am a complete newbie with Spamassassin, so I hope you will all
 bear with me.   The job of fixing our spam filter has fallen on me, as the
 person who used to handle everything relating to our mail server recently
 left my company.

 We're running spamassassin 3.0.2 with perl 5.8.4, and exim 3.35 on Debian.

I run spamassassin 3.1 on Debian Sarge.  You can pin the spamassassin package 
in apt to testing and keep everything else as stable.  Also, the sa-exim 
makes plugging spamassassin into exim very easy.

-- 
Good day, eh.
Chris


Re: Post your top 10 from sa-stats

2006-02-02 Thread Chris Purves

John Fleming wrote:

Wrong tool. Visit http://www.rulesemporium.com/ and find the
sa-stats.pl on their site. It is the one most of us are using. It
gives individual score breakdowns. The name coincidence is
regrettable.



I have the other sa-stats.pl working well on my system.  But I'm 
apparently not pointing the other version from RE to the log file 
correctly, as the results are all zero.


Major perl inexperience here - Would someone pleez send me their config 
lines for the RE version?


Using the latest file from rules emporium, I made the file executable, 
then:


./sa-stats-1.0.txt -l /var/log/spamassassin/ -f spamd.log

For help:
./sa-stats-1.0.txt -h

--
Good day, eh.
Chris



Re: How to check if SPF is working

2006-02-02 Thread Chris Purves

Matt Kettler wrote:

Chris Purves wrote:


Matt Kettler wrote:


Chris Purves wrote:



I am running spamassassin 3.1.0 on Debian Sarge and I just installed the
correct packages to get rid of missing .pm file errors from spamd.log
during SPF checking.  Now I am seeing:

Wed Feb  1 12:20:12 2006 [9646] error: no response

in spamd.log for most messages.  I believe that it is related to SPF
checking.  How can I test if SPF checking is working on my system?





This message should hit SPF_PASS. Check your X-Spam-Status and see.



There haven't been any SPF_* hits for any messages.




Then SPF isn't working, try running the copy of this message that comes to you
direct (with a return-path of evi-inc.com, instead of apache.org) through
spamassassin -D and see if SPF prints anything helpful.



Okay, here's the output from debug:

[31302] dbg: spf: message was delivered entirely via trusted relays, not 
required
[31302] dbg: spf: message was delivered entirely via trusted relays, not 
required
[31302] dbg: spf: relayed through one or more trusted relays, cannot use 
header-based Envelope-From, skipping
[31302] dbg: spf: def_spf_whitelist_from: could not find useable 
envelope sender

[31302] dbg: spf: spf_whitelist_from: could not find useable envelope sender
Return-path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on 
aurora.northfolk.ca

X-Spam-Level:
X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,BAYES_00
autolearn=unavailable version=3.1.0
X-Spam-Report:
* -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
*  [score: 0.]


It says that it doesn't run spf checks for trusted networks...so I guess 
it's time to set that.  I set for my local network in local.cf then run 
again with debug:


[31337] dbg: spf: checking HELO (helo=xanadu.evi-inc.com, ip=208.39.141.86)
[31337] dbg: spf: query for /208.39.141.86/xanadu.evi-inc.com: result: 
none, comment: SPF: domain of sender xanadu.evi-inc.com does not 
designate mailers
[31337] dbg: spf: checking EnvelopeFrom (helo=xanadu.evi-inc.com, 
ip=208.39.141.86, [EMAIL PROTECTED])
[31337] dbg: spf: query for 
[EMAIL PROTECTED]/208.39.141.86/xanadu.evi-inc.com: result: pass, 
comment: Please see 
http://spf.pobox.com/why.html?sender=mkettler%40evi-inc.comip=208.39.141.86receiver=aurora.northfolk.ca: 
208.39.141.80/28 contains 208.39.141.86
[31337] dbg: spf: def_whitelist_from_spf: [EMAIL PROTECTED] is not in 
DEF_WHITELIST_FROM_SPF
[31337] dbg: spf: whitelist_from_spf: [EMAIL PROTECTED] is not in 
user's WHITELIST_FROM_SPF

Return-path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on 
aurora.northfolk.ca

X-Spam-Level:
X-Spam-Status: No, score=-3.2 required=5.0 tests=AWL,BAYES_00,
FORGED_RCVD_HELO,SPF_PASS autolearn=unavailable version=3.1.0
X-Spam-Report:
*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
* -0.0 SPF_PASS SPF: sender matches SPF record
* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
*  [score: 0.]
* -0.7 AWL AWL: From: address is in the auto white-list

And now it works.  Thanks for your help, Matt.  I feel a little stupid 
now, since I should have been able to figure that out for myself.


I don't know how to get the output from spamassassin to write to a file. 
 The only way I have been able to get the info so far is to run at 
now and have the output mailed to me.


Thanks again.

--
Good day, eh.
Chris
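An added example, not part of the thread: a triage script for the SPF debug lines shown in this message and in the spamd.log comparison in the "cannot get HELO" thread above, reporting per scan why SPF did or did not run. The log text is constructed with placeholder hosts and message ids in the formats quoted in those posts, and the function names are hypothetical.

```python
import re

# Constructed sample: two spamd.log scans of one message (first handed over by
# the MTA, then re-run by hand) and one `spamassassin -D` run. Hosts, addresses
# and message ids are placeholders in the formats quoted in the thread.
SAMPLE_LOG = """\
Mon Feb 27 11:44:32 2006 [20290] info: spamd: connection from localhost [127.0.0.1] at port 58443
Mon Feb 27 11:44:32 2006 [20290] info: spamd: processing message <m1@list.example.org> for Debian-exim:102
Mon Feb 27 11:44:32 2006 [20290] dbg: spf: checking HELO (helo=mail.example.org,ip=192.0.2.10)
Mon Feb 27 11:44:32 2006 [20290] dbg: spf: query for /192.0.2.10/mail.example.org: result: none, comment: no record
Mon Feb 27 11:44:32 2006 [20290] dbg: spf: cannot get Envelope-From, cannot use SPF
Mon Feb 27 11:44:40 2006 [20290] info: spamd: result: .  0 - FORGED_RCVD_HELO scantime=7.8,size=3480,user=Debian-exim
Mon Feb 27 11:44:40 2006 [20280] info: prefork: child states: II
Mon Feb 27 11:48:50 2006 [20290] info: spamd: processing message <m1@list.example.org> for Debian-exim:102
Mon Feb 27 11:48:50 2006 [20290] dbg: spf: checking HELO (helo=mail.example.org,ip=192.0.2.10)
Mon Feb 27 11:48:51 2006 [20290] dbg: spf: query for /192.0.2.10/mail.example.org: result: none, comment: no record
Mon Feb 27 11:48:51 2006 [20290] dbg: spf: query for bounce@list.example.org/192.0.2.10/mail.example.org: result: pass, comment: ok
Mon Feb 27 11:49:03 2006 [20290] info: spamd: result: . -99 - AWL,FORGED_RCVD_HELO,SPF_PASS,USER_IN_WHITELIST scantime=12.7,size=4019
[31302] dbg: spf: message was delivered entirely via trusted relays, not required
[31302] dbg: spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping
[31302] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
"""

LINE_RE = re.compile(r"\[(\d+)\] (?:info|dbg|warn|error): (.*)$")
START_RE = re.compile(r"spamd: (?:processing|checking) message (\S+) for (\S+)")
RESULT_RE = re.compile(r"spamd: result: (\S)\s+(-?\d+) - (\S*?)\s*scantime=")
QUERY_RE = re.compile(r"spf: query for (\S*): result: (\w+)")

# Substrings of the debug messages quoted in the thread, mapped to short tags.
SKIP_REASONS = (
    ("cannot get Envelope-From", "no-envelope-sender"),
    ("cannot get HELO", "no-helo"),
    ("delivered entirely via trusted relays", "all-trusted"),
    ("cannot use header-based Envelope-From", "trusted-relay-envelope"),
)


def new_scan(pid, mid=None):
    return {"pid": pid, "mid": mid, "helo": None, "mfrom": None,
            "skipped": [], "tests": None}


def triage(log_text):
    """Group SPF debug lines per scan (keyed by child pid) and record the SPF
    results, the reasons a check was skipped, and the rules that finally hit."""
    open_scans, done = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        start = START_RE.search(msg)
        if start:  # a new message on this child closes any unfinished scan
            if pid in open_scans:
                done.append(open_scans.pop(pid))
            open_scans[pid] = new_scan(pid, start.group(1))
            continue
        result = RESULT_RE.search(msg)
        if not result and not msg.startswith("spf: "):
            continue
        scan = open_scans.setdefault(pid, new_scan(pid))
        if result:
            scan["tests"] = [t for t in result.group(3).split(",") if t]
            done.append(open_scans.pop(pid))
            continue
        query = QUERY_RE.search(msg)
        if query:  # an empty sender part ("/ip/helo") marks the HELO check
            key = "helo" if query.group(1).startswith("/") else "mfrom"
            scan[key] = query.group(2)
            continue
        for needle, reason in SKIP_REASONS:
            if needle in msg and reason not in scan["skipped"]:
                scan["skipped"].append(reason)
    done.extend(open_scans.values())  # e.g. `spamassassin -D` runs, no result line
    return done


def finding(scan):
    """One-line diagnosis for a scan returned by triage()."""
    skipped = scan["skipped"]
    if "all-trusted" in skipped:
        return "SPF skipped: every relay counted as trusted (review trusted_networks)"
    if "no-helo" in skipped:
        return "SPF skipped: no HELO name parsed from the Received header"
    if scan["mfrom"] is not None:
        return "MAIL FROM SPF result: " + scan["mfrom"]
    if "no-envelope-sender" in skipped or "trusted-relay-envelope" in skipped:
        return "MAIL FROM check skipped: scanner saw no envelope sender"
    return "no SPF activity logged"


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(s["pid"], s["mid"], s["tests"], "->", finding(s))
```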



Re: How to check if SPF is working

2006-02-01 Thread Chris Purves

Matt Kettler wrote:

Chris Purves wrote:


I am running spamassassin 3.1.0 on Debian Sarge and I just installed the
correct packages to get rid of missing .pm file errors from spamd.log
during SPF checking.  Now I am seeing:

Wed Feb  1 12:20:12 2006 [9646] error: no response

in spamd.log for most messages.  I believe that it is related to SPF
checking.  How can I test if SPF checking is working on my system?





This message should hit SPF_PASS. Check your X-Spam-Status and see.


There haven't been any SPF_* hits for any messages.

--
Good day, eh.
Chris



Re: Post your top 10 from sa-stats

2006-02-01 Thread Chris Purves

Gene Heskett wrote:

On Thursday 02 February 2006 00:36, jdow wrote:


Wrong tool. Visit http://www.rulesemporium.com/ and find the
sa-stats.pl on their site. It is the one most of us are using. It
gives individual score breakdowns. The name coincidence is
regrettable.



From an earlier posting by Dallas Engelken

SA 3.0.x - http://www.rulesemporium.com/programs/sa-stats.txt
SA 3.1.x - http://www.rulesemporium.com/programs/sa-stats-1.0.txt



--
Good day, eh.
Chris



How to check if SPF is working

2006-01-31 Thread Chris Purves
I am running spamassassin 3.1.0 on Debian Sarge and I just installed the
correct packages to get rid of missing .pm file errors from spamd.log
during SPF checking.  Now I am seeing:

Wed Feb  1 12:20:12 2006 [9646] error: no response

in spamd.log for most messages.  I believe that it is related to SPF
checking.  How can I test if SPF checking is working on my system?


-- 
Good day, eh.
Chris



Re: Query.pm error

2006-01-29 Thread Chris Purves
On Sunday 29 January 2006 10:27, Chris Purves wrote:
 Hello,

 I am receiving the following error in spamd.log:

 Sun Jan 29 07:33:07 2006 [30924] error: Can't locate Mail/SPF/Query.pm in
 @INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl
 /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5
 /usr/lib/perl/5.8 /usr/share/perl/5.8/usr/local/lib/site_perl) at
 /usr/share/perl5/Mail/SpamAssassin/Plugin/SPF.pm line 272, GEN39 line
 111.

 I have no Query.pm file anywhere.

 I am running spamassassin 3.1.0 on Debian Sarge with spamc 3.0.3.

aptitude install libmail-spf-query-perl

That created:

/usr/share/perl5/Mail/SPF/Query.pm

I expect that should solve my problem.


-- 
Good day, eh.
Chris


Query.pm error

2006-01-28 Thread Chris Purves
Hello,

I am receiving the following error in spamd.log:

Sun Jan 29 07:33:07 2006 [30924] error: Can't locate Mail/SPF/Query.pm in
@INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl
/usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5
/usr/lib/perl/5.8 /usr/share/perl/5.8/usr/local/lib/site_perl) at
/usr/share/perl5/Mail/SpamAssassin/Plugin/SPF.pm line 272, GEN39 line 111.

I have no Query.pm file anywhere.

I am running spamassassin 3.1.0 on Debian Sarge with spamc 3.0.3.



-- 
Good day, eh.
Chris





Re: My posting bounced as spam

2006-01-28 Thread Chris Purves
On Sun, January 29, 2006 6:44 am, Al Bogner said:

 The question was:
 What do I have to do to get a more detailed analysis in each header?

add the following line to your local.cf file:

add_header all Report _REPORT_

More information can be found with:

perldoc Mail::SpamAssassin::Conf

 I am also interested in the spamanalysis of _my_ mail, which you see at
 the
 mentioned url.

Your e-mail was bounced, because in it you included the name of a certain
URI which begins with 'z' and ends with '.info'.



-- 
Good day, eh.
Chris



Re: Image spam

2006-01-26 Thread Chris Purves

Craig Baird wrote:
Since the first of the year, we've seen a barrage of image spam.  Some of it 
gets nailed by SA, but a lot of it seems to get through.  Most of it has a 
text/plain part with random or non-sensical text.  It also has a text/html 
part, also with random text.  Then, the actual spam (usually a stock spam) is 
contained in a 15k-20k .gif image.  I've found that many of these hit very few 
rules, and due to the random text, Bayes appears to be ineffective.  I'm using 
SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL.  Has 
anyone come up with a good way to stop these?




I've been seeing this also.  In fact, these are the only spam getting 
through presently (although the total amount of spam I get is very 
small).  I did notice that for one that got through it scored only 2 or 
3 points.  I tested it manually, maybe 8 hours later, and it scored 16.5 
points being listed on blacklists as well as razor or pyzor, so it's 
good to see that people are reporting.


--
Good day, eh.
Chris



Re: Continuing Exim 4.60 SpamAssassin 3.1.0 Problems

2006-01-13 Thread Chris Purves

George R. Kasica wrote:

Help needed please!

We are trying to upgrade from exim 3.36 and SA 3.0.4 to Exim 4.60 and
SA 3.1 and are having no end of difficulties here. We just decided to
pull SA 3.1 out and go back to 3.0.4 as we cannot get it to scan each
message, not time out or crash and not use up all the CPU cycles.
without SA running load with a w is generally  2 with it up and going
10, 12 or higher is not unusual and causes many problems. 3.0.4 does
not have this problem. We have cut our rules files down from the SARE
set we are running to the stock set from the 3.1 install with little
difference - it still times out and skips mail scans here for no
obvious reason. The latest glitch is that we are sending out multiple
copies of e-mails I'm thinking due to system load caused by SA 3.1
messing up Exim.


I'm using Exim 4.5 with SA 3.1 with no problems.  I also use sa-exim 
which really simplifies the integration of SA.


--
Good day, eh.
Chris



Re: spam scores low (Sendmail + smtp-vilter + SA )

2006-01-13 Thread Chris Purves

Mike Sassaman wrote:

Mike Sassaman wrote:

Post a sample list of rules that hit one of these negative 
scoring spams.
Without a list of hits there's no really way to say what's 
going wrong.




I'd love to!  Could you tell me how to find which rules are being hit for a
given message?  That information does not appear in the headers added to my
messages like it seems to for other people.  Can I enable that somewhere?



As Bowie Bailey suggested, add:

add_header all Report _REPORT_

to your local.cf file.  This adds a report in the header of every message 
scanned by spamassassin.


perldoc Mail::SpamAssassin::Conf has information about this.

--
Good day, eh.
Chris



Re: spam scores low (Sendmail + smtp-vilter + SA )

2006-01-13 Thread Chris Purves

Mike Sassaman wrote:


Last but not least I added the line:
add_header all Report _REPORT_

so that I can see what rules are being hit.  Unfortunately I am still not
seeing these headers added to the messages.  The only headers I get are
these:

X-SMTP-Vilter-Version: 1.1.9
X-SMTP-Vilter-Spam-Backend: spamd
X-Spam-Score: 2.0
X-Spam-Level: **
X-Spam-Threshold: 4.0
X-Spam-Probability: 0.5

and in the case of the spam threshold being met:

X-Spam-Status: spam

Before I made the changes to local.cf I deleted my bayes db's so everything
would be learned afresh.  


Despite these changes, most spam continues to receive low scores.

Does anyone have a theory about why I am not seeing the Report headers?  (I
know the local.cf file is being read because when I changed the required
score from 5 to 4, that change is reflected in the headers.)

Run perldoc Mail::SpamAssassin::Conf and make sure the format is 
correct.  It's definitely correct for 3.1.


It's very strange...I don't have a theory.

--
Good day, eh.
Chris



Re: spamd: pyzor: check failed: internal error

2006-01-11 Thread Chris Purves

Daryl C. W. O'Shea wrote:

On 03/01/2006 5:19 AM, Chris Purves wrote:


[EMAIL PROTECTED] wrote:



I'm getting the errormessage below;
Who can help ?
Wolfgang

Jan  2 09:25:58 saxophon spamd[13330]: spamd: connection from 
localhost [127.0.0.1] at port 40156
Jan  2 09:25:58 saxophon spamd[13330]: spamd: checking message 
[EMAIL PROTECTED] for exim:502

Jan  2 09:26:00 saxophon spamd[13330]: internal error
Jan  2 09:26:00 saxophon spamd[13330]: pyzor: check failed: internal 
error




I get this a lot, and I've posted myself about this, but so far no help. 



This was actually discussed numerous times during the fall.

Sorry, that's my mistake.  I realised after I had sent the above message 
that it's a different pyzor error that I posted about.  I didn't mean to 
suggest that this list was no help for this problem which has indeed 
been previously discussed.



--
Good day, eh.
Chris



Re: SA suddenly giving lots of FP's?

2006-01-02 Thread Chris Purves

Gene Heskett wrote:


In that event, how do I go about telling fetchmail that the mailfile it 
generates in /var/spool/mail/gene is to be a verbatim copy of what was 
sucked in the vz's server.  My fetchmailrc is comparatively clean, 
with no options that I know about set that would encourage the 
shrunken headers.  There are no OPTIONS currently defined.


-sanitized of course---
poll incoming.verizon.net with proto pop3
user XXX with password  is gene
#options OPTIONS
poll pop.gmail.com with proto pop3
user ZZ with password  is gene
options ssl
# end of file
-

Or is there some option I need to set to make it do verbatim sucks?


I think you should confirm that it is fetchmail that is removing 
headers.  I use fetchmail myself and haven't had any problems.


In the manual page there is an --invisible option that keeps fetchmail 
from inserting its own received header.  You could try that.


--
Good day, eh.
Chris



Re: SA suddenly giving lots of FP's?

2006-01-01 Thread Chris Purves
On Sunday 01 January 2006 12:24, Gene Heskett wrote:
 On Saturday 31 December 2005 20:21, Chris Purves wrote:
 On Sun, January 1, 2006 3:28 am, Gene Heskett said:
  On Saturday 31 December 2005 13:38, Rick Macdougall wrote:
 Gene Heskett wrote:
  On Saturday 31 December 2005 12:42, Gene Heskett wrote:
  This morning I'm going thru my JunqueMail folder and find that
  about a dozen msgs to the OpenOffice list, 5 or 6 to the fedora
  list, and one to the gimp-print-devel list were flagged and
  sorted as *SPAN*. With one exception, all were in
  english.
 
 Would help if you let us know what rules got hit.
 
 
  Content analysis details:   (5.7 points, 5.0 required)
 
   pts rule name              description
  ---- ---------------------- --------------------------------------------------
   3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
   1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
  -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                              [score: 0.3369]
   0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 
 Is that the entire header?  You're missing a bunch of Received
  lines.


 FWIW, fetchmail sucks it and dumps it to /var/spool/mail/gene,  kmail
 sucks it from there.  This is due to a bug in the kmail suck from
 servers code of quite long duration, 3 or 4 years now.  Humm, headers
 do seem to be getting lost!

If some of the header is being removed, then that might be a problem.  That 
could definitely trigger the FORGED_YAHOO_RCVD rule if the received header 
listing the Yahoo! server was removed.
-- 
Good day, eh.
Chris


Re: SA suddenly giving lots of FP's?

2005-12-31 Thread Chris Purves

On Sun, January 1, 2006 3:28 am, Gene Heskett said:
 On Saturday 31 December 2005 13:38, Rick Macdougall wrote:
Gene Heskett wrote:
 On Saturday 31 December 2005 12:42, Gene Heskett wrote:
 This morning I'm going thru my JunqueMail folder and find that
 about a dozen msgs to the OpenOffice list, 5 or 6 to the fedora
 list, and one to the gimp-print-devel list were flagged and sorted
 as *SPAN*. With one exception, all were in english.

Would help if you let us know what rules got hit.

 No doubt Rick, but I ran them thru learn-ham and manually sorted them to
 the right folders, but lemme see if I can find one of them in the OOo
 list, brb.  Yeah, here's a snip:

 Received: from localhost by coyote.coyote.den
 with SpamAssassin (version 3.1.0);
 Fri, 30 Dec 2005 20:39:25 -0500
  From: Leah Lefler [EMAIL PROTECTED]
  To: users@openoffice.org
  Subject: *SPAM* [users] question about Base
  Date: Fri, 30 Dec 2005 16:04:04 -0800 (PST)
  Message-Id: [EMAIL PROTECTED]
  X-Spam-Flag: YES
  X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
 coyote.coyote.den
  X-Spam-Level: *
  X-Spam-Status: Yes, score=5.7 required=5.0
 tests=BAYES_40,DNS_FROM_RFC_ABUSE,
 FORGED_YAHOO_RCVD,HELO_DYNAMIC_IPADDR2 autolearn=no
 version=3.1.0
  MIME-Version: 1.0
  Content-Type: multipart/mixed;
   boundary=--=_43B5E14D.9501384C
  X-UID:
  Status: RO
  X-Status: RPC
  X-KMail-EncryptionState: N
  X-KMail-SignatureState: N
  X-KMail-MDN-Sent:

 Content analysis details:   (5.7 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
  1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                             [score: 0.3369]
  0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org

Is that the entire header?  You're missing a bunch of Received lines.

-- 
Good day, eh.
Chris



Re: List of subjects of most common spams?

2005-12-31 Thread Chris Purves

On Sat, December 31, 2005 2:00 pm, Chad said:
 SquirrelMail sets User-Agent: SquirrelMail/1.4.4 and not x-mailer.

 Either way, I wouldn't trust mail from anyone using SquirrelMail.  It's
 webmail for nuts after all.


 I use Squirrelmail, and I love it :)  It's my own little personal
 setup, so there's only a few of us using it, which really makes it
 good for me (easy to customize and find plugins I need or write them
 easily enough).

 For my mail lists I use gmail because it's a lot easier to use to sort
 them with their labels, plus it's nice to search the archives in a
 universal form.

I confess.

I use SquirrelMail too.


-- 
Good day, eh.
Chris



Re: razor/pyzor intermittent reporting error

2005-12-31 Thread Chris Purves
On Mon, December 26, 2005 4:39 pm, Chris Purves said:
 Hello,

 Version:
 SpamAssassin version 3.1.0
running on Perl version 5.8.4

 I am running the following command from a cron job:
 ls | sed 's/.*/spamassassin -D -r  /' | sh

  From the output I often get for pyzor:

 [21322] dbg: util: executable for pyzor was found at /usr/bin/pyzor
 [21322] dbg: pyzor: pyzor is available: /usr/bin/pyzor
 [21322] dbg: info: entering helper-app run mode
 [21322] dbg: pyzor: opening pipe: /usr/bin/pyzor  report 
 /tmp/.spamassassin21322ISUe8htmp
 [21325] dbg: util: setuid: ruid=1000 euid=1000
 [21322] dbg: reporter: raw exit code: 256
 [21322] dbg: info: leaving helper-app run mode
 [21322] warn: reporter: pyzor report failed: reporter: exited with
 non-zero exit code 1
 [21322] info: reporter: could not report spam to Pyzor

 When it works I get:

 [6376] dbg: util: executable for pyzor was found at /usr/bin/pyzor
 [6376] dbg: pyzor: pyzor is available: /usr/bin/pyzor
 [6376] dbg: info: entering helper-app run mode
 [6376] dbg: pyzor: opening pipe: /usr/bin/pyzor  report 
 /tmp/.spamassassin6376kzbx2utmp
 [6379] dbg: util: setuid: ruid=1000 euid=1000
 [6376] dbg: info: leaving helper-app run mode
 [6376] info: reporter: spam reported to Pyzor

 When razor fails I see:

 [6376] dbg: info: entering helper-app run mode
 [6376] warn: reporter: razor2 report failed: No such file or directory
 reporter: razor2 had unknown error during authenticate at
 /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 209, GEN2
 line 1. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 322.
 [6376] dbg: info: leaving helper-app run mode
 [6376] info: reporter: could not report spam to Razor

 When razor works I get:

 [7844] dbg: info: entering helper-app run mode
 [7844] dbg: info: leaving helper-app run mode
 [7844] info: reporter: spam reported to Razor

 DCC and SpamCop never fail to report.

 Since the problem is intermittent, I am wondering if it is due to
 connection time-outs or errors.  My server is located in China.  I have
 set in /etc/spamassassin/local.cf:

 dcc_timeout 60
 razor_timeout 60
 pyzor_timeout 60
 rbl_timeout 60

 Do those settings work for reporting or only checking?

I tried playing with the timeout settings, and there was no effect.  Maybe
I should just blame it all on the Great Firewall.


-- 
Good day, eh.
Chris



Re: List of subjects of most common spams?

2005-12-30 Thread Chris Purves
On Sat, December 31, 2005 8:56 am, alex said:
 Sometimes simple is good, I've found when the message is
 from x-mailer=thebat or squirrelmail for example it is
 probably spam.

SquirrelMail sets User-Agent: SquirrelMail/1.4.4 and not x-mailer.

Either way, I wouldn't trust mail from anyone using SquirrelMail.  It's
webmail for nuts after all.


-- 
Good day, eh.
Chris



Re: pyzor vs SA

2005-12-27 Thread Chris Purves

Gene Heskett wrote:


Dec 27 22:22:31 coyote spamd[474]: spamd: processing message 
[EMAIL PROTECTED] for gene:500

Dec 27 22:22:31 coyote spamd[474]: internal error
Dec 27 22:22:31 coyote spamd[474]: pyzor: check failed: internal error


try running pyzor discover

You can find documentation at:

http://pyzor.sourceforge.net/
http://wiki.apache.org/spamassassin/InstallingPyzor
http://wiki.apache.org/spamassassin/UsingPyzor

--
Good day, eh.
Chris



Re: pyzor vs SA

2005-12-27 Thread Chris Purves

Gene Heskett wrote:



try running pyzor discover


And that returned this:
[EMAIL PROTECTED] root]# pyzor discover
downloading servers from 
http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x


Which I assume is the desired result?


Yes, but since it looks like you're running spamassassin as user gene 
you'll want to run pyzor discover as that user.  It will make a .pyzor 
folder in the home directory of the user.



I'm afraid I don't have any experience with calling spamassassin (or 
spamc) from kmail or any other user agent.  Hopefully someone else will 
be able to shed some light on this.  Good luck.



--
Good day, eh.
Chris



razor/pyzor intermittent reporting error

2005-12-26 Thread Chris Purves

Hello,

Version:
SpamAssassin version 3.1.0
  running on Perl version 5.8.4

I am running the following command from a cron job:
ls | sed 's/.*/spamassassin -D -r  /' | sh

From the output I often get for pyzor:

[21322] dbg: util: executable for pyzor was found at /usr/bin/pyzor
[21322] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[21322] dbg: info: entering helper-app run mode
[21322] dbg: pyzor: opening pipe: /usr/bin/pyzor  report 
/tmp/.spamassassin21322ISUe8htmp
[21325] dbg: util: setuid: ruid=1000 euid=1000
[21322] dbg: reporter: raw exit code: 256
[21322] dbg: info: leaving helper-app run mode
[21322] warn: reporter: pyzor report failed: reporter: exited with
non-zero exit code 1
[21322] info: reporter: could not report spam to Pyzor

When it works I get:

[6376] dbg: util: executable for pyzor was found at /usr/bin/pyzor
[6376] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[6376] dbg: info: entering helper-app run mode
[6376] dbg: pyzor: opening pipe: /usr/bin/pyzor  report  
/tmp/.spamassassin6376kzbx2utmp

[6379] dbg: util: setuid: ruid=1000 euid=1000
[6376] dbg: info: leaving helper-app run mode
[6376] info: reporter: spam reported to Pyzor

When razor fails I see:

[6376] dbg: info: entering helper-app run mode
[6376] warn: reporter: razor2 report failed: No such file or directory 
reporter: razor2 had unknown error during authenticate at 
/usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 209, GEN2 
line 1. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 322.

[6376] dbg: info: leaving helper-app run mode
[6376] info: reporter: could not report spam to Razor

When razor works I get:

[7844] dbg: info: entering helper-app run mode
[7844] dbg: info: leaving helper-app run mode
[7844] info: reporter: spam reported to Razor

DCC and SpamCop never fail to report.

Since the problem is intermittent, I am wondering if it is due to
connection time-outs or errors.  My server is located in China.  I have
set in /etc/spamassassin/local.cf:

dcc_timeout 60
razor_timeout 60
pyzor_timeout 60
rbl_timeout 60

Do those settings work for reporting or only checking?

Thanks for your help.






--
Good day, eh.
Chris
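
An added example, not part of the original post: one way to triage `spamassassin -D -r` debug output like the above, tallying reporter outcomes per service and keeping the logged reason for each failure. The function name `triage` is hypothetical, the sample is constructed from the log lines quoted in the post (wrapped lines joined), and the raw exit code is assumed to be a wait()-style status, which matches the 256 / "exit code 1" pair in that log.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the debug output quoted in the post.
SAMPLE = """\
[21322] dbg: pyzor: opening pipe: /usr/bin/pyzor  report /tmp/.spamassassin21322ISUe8htmp
[21322] dbg: reporter: raw exit code: 256
[21322] warn: reporter: pyzor report failed: reporter: exited with non-zero exit code 1
[21322] info: reporter: could not report spam to Pyzor
[6376] warn: reporter: razor2 report failed: No such file or directory reporter: razor2 had unknown error during authenticate
[6376] info: reporter: could not report spam to Razor
[6376] info: reporter: spam reported to Pyzor
[7844] info: reporter: spam reported to Razor
"""

LINE = re.compile(r"^\[(\d+)\] (dbg|warn|info): (.*)$")
OK = re.compile(r"reporter: spam reported to (\w+)")
FAIL = re.compile(r"reporter: could not report spam to (\w+)")
WARN = re.compile(r"reporter: (\w+) report failed: (.*)")
RAW = re.compile(r"reporter: raw exit code: (\d+)")


def triage(log_text):
    """Tally reporter outcomes per service and keep the reason for each failure."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0, "reasons": []})
    pending = {}  # pid -> details seen before the final "could not report" line
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # wrapped continuation or unrelated output
        pid, _level, msg = m.groups()
        if (r := RAW.search(msg)):
            # Assumption: wait()-style status, exit code in the high byte.
            pending.setdefault(pid, []).append(f"exit status {int(r.group(1)) >> 8}")
        elif (w := WARN.search(msg)):
            pending.setdefault(pid, []).append(w.group(2))
        elif (f := FAIL.search(msg)):
            entry = stats[f.group(1)]
            entry["failed"] += 1
            entry["reasons"].append("; ".join(pending.pop(pid, [])) or "no reason logged")
        elif (o := OK.search(msg)):
            stats[o.group(1)]["ok"] += 1
    return dict(stats)


if __name__ == "__main__":
    for service, s in triage(SAMPLE).items():
        print(service, s["ok"], "ok,", s["failed"], "failed", s["reasons"])
```

Run over a full cron log, the per-service failure counts and reasons show whether the failures cluster on one service or one error.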