Re: Fwd: [mailop] SORBS Closing.

2024-06-06 Thread J Doe

On 2024-06-05 04:44, Rob McEwen via users wrote:


From "Frido Otten" <fr...@0tten.nl>


So is there anything that needs to be done to prevent false positives
happening right after the shutdown?



They said they were emptying the zone files, not actually "listing the
world" - so this shouldn't cause any false positives - but might cause
some false negatives, especially for anyone who was overly relying on
SORBS in their spam filtering? But yet - after some years - lists like
this - once they've been dead for many many years - do sometimes "list
the world" as a final push to get others to stop using them - if that
even ever happens with SORBS? And if it ever did, I doubt that would
happen anytime soon.

But definitely make sure that your spam filter is ONLY ever acting on
specific and valid SORBS return codes - and NOT treating ANY query being
resolved that isn't NXDOMAIN - as a listing. Anyone misusing SORBS
in that way - might one day have a very bad day. But that's a general
truth for all DNSBLs - make sure your rules/setup for its usage only
treat it as a valid listing when specific return codes are returned,
that match that DNSBL's instructions, and thus NOT taking action
just because some IP address was resolved by the query.

(I think any built-in/default SpamAssassin rules for SORBS already
do all of this correctly.)

Rob McEwen, invaluement


Hi Rob and list,

Speaking as a small user of SORBS via SpamAssassin 4.0, I assume the
correct response to disable use of SORBS is to place the following in my
local.cf file:

dns_query_restriction deny sorbs.net

Is that correct and is there any additional portions of local.cf I need
to configure so that I am no longer consulting SORBS ?

Thanks,

- J
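Rob's warning above, acting only on a DNSBL's documented return codes, as an added example that is not code from the thread or from SpamAssassin. The zone names dnsbl.example and dead.example, their code tables and the stub resolver with its answers are all constructed for this example; a real deployment copies each list's published codes.

```python
"""Added example (not from the thread): act only on a DNSBL's documented
return codes, so an emptied, wildcarded or "list the world" zone cannot
turn into a false-positive generator."""
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# Illustrative return-code table. The zone name and codes are assumptions
# for this example; copy each real list's published codes instead.
VALID_CODES: Dict[str, Set[ipaddress.IPv4Address]] = {
    "dnsbl.example": {ipaddress.IPv4Address(f"127.0.0.{n}") for n in range(2, 8)},
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = list(reversed(addr.exploded.split(".")))
    else:
        labels = list(reversed(addr.exploded.replace(":", "")))
    return ".".join(labels) + "." + zone


def classify(ip: str, zone: str, resolve: Resolver,
             codes: Dict[str, Set[ipaddress.IPv4Address]] = VALID_CODES) -> Tuple[str, List[str]]:
    """Return ("listed", codes) only for documented codes; any other answer is
    reported as "ignored" so the caller can log it instead of scoring on it."""
    answers = resolve(dnsbl_query_name(ip, zone))
    accepted = codes.get(zone, set())
    hits = set()
    for a in answers:
        try:
            addr = ipaddress.ip_address(a)
        except ValueError:
            continue  # TXT or garbage answers are never a listing
        if addr in accepted:
            hits.add(str(addr))
    if hits:
        return "listed", sorted(hits)
    if answers:
        return "ignored", sorted(answers)  # resolved, but not a documented code
    return "not-listed", []                # NXDOMAIN / empty answer


def naive_is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """The misuse the thread warns about: any non-NXDOMAIN answer counts."""
    return bool(resolve(dnsbl_query_name(ip, zone)))


# Constructed answers standing in for a live resolver (offline test data).
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    dnsbl_query_name("192.0.2.10", "dnsbl.example"): ["127.0.0.2"],
    dnsbl_query_name("2001:db8::1", "dnsbl.example"): ["127.0.0.4"],
    # A dead list that now answers 127.0.0.1 for every name ("listing the world").
    dnsbl_query_name("203.0.113.7", "dead.example"): ["127.0.0.1"],
    dnsbl_query_name("192.0.2.10", "dead.example"): ["127.0.0.1"],
}


def fake_resolve(name: str) -> List[str]:
    return list(CONSTRUCTED_ANSWERS.get(name, []))


if __name__ == "__main__":
    for ip, zone in [("192.0.2.10", "dnsbl.example"), ("203.0.113.7", "dead.example")]:
        print(ip, zone, classify(ip, zone, fake_resolve),
              "naive:", naive_is_listed(ip, zone, fake_resolve))
```

The dead zone shows the difference: naive_is_listed() says every address is listed, while classify() reports the 127.0.0.1 answer as "ignored" because it is not in the zone's code table.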



"deadline shrunk" in logs ?

2024-05-27 Thread J Doe

Hi list,

Sometimes when I am checking my e-mail server logs, SA will note
"deadline shrunk":

May 27 12:56:07 server spamd[29305]: async: aborting after 4.253 s,
deadline shrunk: DNSBL, A/106.55.47.104.dnsbl.sorbs.net, rules:
RCVD_IN_SORBS_DUL, __RCVD_IN_SORBS

What does the expression "deadline shrunk" mean ?

Thanks,

- J


Re: Multiple REFUSED logs with sorbs.net ?

2024-05-19 Thread J Doe

On 2024-05-17 23:13, Noel Butler wrote:


On 18/05/2024 08:14, J Doe wrote:


Hello,

I make use of SpamAssassin 4.0.0 on a low volume e-mail server.  I also
run my own validating resolver with Bind 9.18.27 on the e-mail server.

The only piece of software I have in my e-mail stack that uses SORBS is
SpamAssassin.  I have noticed in my resolver logs multiple entries where
a query of SORBS results in REFUSED results.

Here is an example entry:

10-May-2024 05:34:39.024 lame-servers: info: REFUSED unexpected
RCODE resolving 'rbldns10.sorbs.net/A/IN': 108.59.172.201#53

While some queries succeed and SpamAssassin appears to be able to use
SORBS, there are always *multiple* REFUSED results only for sorbs.net.

Am I exceeding the number of free queries that SORBS allows ?  If so, do
I need to register with SORBS (similar to how SpamHaus requires
registration to use their DQS service) ?  If so, how do I update my SA
configuration ?

Thanks,

- J



SORBS has been ultra sensitive like that for a few years now, it allows
lookups, then it doesn't, seconds later it does, I suspect an ill-configured
DoS protection mechanism that's overly paranoid, but good
luck getting anyone there to listen.


Hi Noel,

Thank you for your reply ... ok, good to know this is expected behaviour
for SORBS.  Like you said, perhaps it is a DoS response ... maybe when
it gets a lot of look ups in a short period of time from an IP it then
throttles subsequent queries ?

- J


Multiple REFUSED logs with sorbs.net ?

2024-05-17 Thread J Doe

Hello,

I make use of SpamAssassin 4.0.0 on a low volume e-mail server.  I also
run my own validating resolver with Bind 9.18.27 on the e-mail server.

The only piece of software I have in my e-mail stack that uses SORBS is
SpamAssassin.  I have noticed in my resolver logs multiple entries where
a query of SORBS results in REFUSED results.

Here is an example entry:

10-May-2024 05:34:39.024 lame-servers: info: REFUSED unexpected
RCODE resolving 'rbldns10.sorbs.net/A/IN': 108.59.172.201#53

While some queries succeed and SpamAssassin appears to be able to use
SORBS, there are always *multiple* REFUSED results only for sorbs.net.

Am I exceeding the number of free queries that SORBS allows ?  If so, do
I need to register with SORBS (similar to how SpamHaus requires
registration to use their DQS service) ?  If so, how do I update my SA
configuration ?

Thanks,

- J


Re: localhost lookups ?

2024-02-24 Thread J Doe



On 2024-02-24 00:26, Matija Nalis wrote:

On Fri, Feb 23, 2024 at 06:43:53PM -0500, J Doe wrote:

23-Feb-2024 18:33:02.422 queries: info: (localhost.ca): query:
localhost.ca IN AAAA +E(0) (127.0.0.1)

23-Feb-2024 18:33:02.422 queries: info: (localhost): query: localhost IN
AAAA +E(0) (127.0.0.1)



What's interesting is that this is happening on a mail server that has
a: .ca TLD.  It _looks_ like SA is appending this TLD to: localhost,
queries for it and it fails and then it queries correctly for:
localhost, which succeeds.


And what does "ping localhost" (running with the same user as SA) say?
I'd guess it might have the same behaviour, in which case it is not
SA-related...


I'd like this spurious lookup for: localhost.ca to stop ... has anyone
seen something similar - either: localhost.ca or: localhost.tld for a
mail server with another TLD (ie: mail.com -> localhost.com) ?

If others have seen this, is it result of a configuration parameter ?


I've seen it in the past with misconfigured /etc/hosts (missing
localhost entry) so search (or domain) from /etc/resolv.conf was
being used as it would be for any unqualified host name...

(it also might be a permission problem on those files, or
chroot / SElinux / Apparmor, or /etc/nsswitch.conf etc)



Hi Matija,

Thank you for your quick reply.  You were absolutely right - this was an
issue with my: /etc/resolv.conf and _not_ SA.

Everything looks like it's working correctly and the: localhost.ca
lookup is no longer happening.

- J
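The search-list behaviour Matija describes, as an added example that is not from the thread: a small model of the glibc stub resolver (files before dns, search list, ndots) that predicts which DNS names a lookup for an unqualified name generates. The /etc/hosts and /etc/resolv.conf contents are constructed, and "search ca" is assumed because that is what produces the logged localhost.ca query.

```python
"""Added example (not from the thread): model which names the glibc stub
resolver sends to DNS for a given name, /etc/hosts and /etc/resolv.conf,
assuming the usual "hosts: files dns" order in /etc/nsswitch.conf."""
from typing import List, Set, Tuple

# Constructed file contents for the example.
RESOLV = "search ca\nnameserver 127.0.0.1\n"
HOSTS_BROKEN = "127.0.0.1   mail.example.ca mail\n::1         ip6-localhost\n"
HOSTS_FIXED = ("127.0.0.1   localhost\n"
               "::1         localhost ip6-localhost\n"
               "127.0.1.1   mail.example.ca mail\n")


def parse_resolv_conf(text: str) -> Tuple[List[str], int]:
    """Return (search list, ndots). A later search/domain line replaces an earlier one."""
    search: List[str] = []
    ndots = 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key in ("search", "domain"):
            search = [a.rstrip(".").lower() for a in args]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def parse_hosts(text: str) -> Set[str]:
    """All host names (canonical and aliases) that /etc/hosts can answer."""
    names: Set[str] = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.update(n.lower() for n in fields[1:])
    return names


def dns_names_queried(name: str, hosts_text: str, resolv_text: str) -> List[str]:
    """Names handed to DNS, in order; [] when /etc/hosts answers first."""
    name = name.lower()
    if name in parse_hosts(hosts_text):
        return []
    if name.endswith("."):
        return [name.rstrip(".")]          # absolute name: no search-list expansion
    search, ndots = parse_resolv_conf(resolv_text)
    with_search = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:
        return [name] + with_search        # enough dots: try as-is first
    return with_search + [name]            # too few dots: search list first, as in the logs


if __name__ == "__main__":
    print("broken hosts:", dns_names_queried("localhost", HOSTS_BROKEN, RESOLV))
    print("fixed hosts: ", dns_names_queried("localhost", HOSTS_FIXED, RESOLV))
```

With the broken hosts file the model reproduces the log above (localhost.ca first, then localhost); once localhost is in /etc/hosts no DNS query is issued at all.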



localhost lookups ?

2024-02-23 Thread J Doe

Hello,

I am running SA 4.0.0 on a low volume mail server.

When SA begins evaluating a message to determine whether or not it's
spam, I see the following DNS queries on my caching resolver:


23-Feb-2024 18:33:02.364 queries: info: (localhost.ca): query:
localhost.ca IN AAAA +E(0) (127.0.0.1)

23-Feb-2024 18:33:02.365 queries: info: (localhost.ca): query:
localhost.ca IN A +E(0) (127.0.0.1)

23-Feb-2024 18:33:02.422 queries: info: (localhost.ca): query:
localhost.ca IN A +E(0) (127.0.0.1)

23-Feb-2024 18:33:02.422 queries: info: (localhost.ca): query:
localhost.ca IN AAAA +E(0) (127.0.0.1)

23-Feb-2024 18:33:02.422 queries: info: (localhost): query: localhost IN
AAAA +E(0) (127.0.0.1)

23-Feb-2024 18:33:02.423 queries: info: (localhost): query: localhost IN
A +E(0) (127.0.0.1)


... so an initial lookup for A and AAAA records about: localhost.ca, a
second attempt at resolving this and then a switch to querying for the A
and AAAA records of: localhost.

The reason the query for: localhost.ca happens twice is because the
domain: localhost.ca is non-resolvable ... there are no DNS records
about it (A/AAAA, etc.).

What's interesting is that this is happening on a mail server that has
a: .ca TLD.  It _looks_ like SA is appending this TLD to: localhost,
queries for it and it fails and then it queries correctly for:
localhost, which succeeds.

I'd like this spurious lookup for: localhost.ca to stop ... has anyone
seen something similar - either: localhost.ca or: localhost.tld for a
mail server with another TLD (ie: mail.com -> localhost.com) ?

If others have seen this, is it result of a configuration parameter ?

Thanks,

- J



Support for RHSBL ?

2023-07-25 Thread J Doe

Hi,

I was wondering if SpamAssassin supports custom RHSBL (Right-Hand Side 
Block Lists) ?


The reason I ask is I had a previous mail server running Postfix 3.x and 
I made use of my own RHSBL.  An example of this is with the following:


/etc/postfix/main.cf
. . .
smtpd_helo_restrictions = . . .
reject_rhsbl_helo rhsbl.dnsxl=127.0.0.[2..11],
. . .

. . . so reject domain names during HELO via the zone rhsbl.dnsxl served 
by the mail server's DNS.


I read about DNSBL support in the SpamAssassin man notes, which is 
different, but I didn't see if I could wire up my own RHSBL with SA.


Thanks,

- J


Re: Ensuring SPF/DKIM for @gmail.com

2023-07-25 Thread J Doe

On 2023-07-25 19:39, Benny Pedersen wrote:


J Doe wrote on 2023-07-26 01:20:

it's a one liner with welcomelist_auth


Hi Benny,

Thanks for your reply - perfect: welcomelist_auth is exactly what I was 
looking for!


- J



Ensuring SPF/DKIM for @gmail.com

2023-07-25 Thread J Doe

Hi,

I am currently using SpamAssassin 4.0.0 and I had a question on how I 
can ensure that any e-mail from @gmail.com has a valid SPF and DKIM 
signature.


I am aware that the following can be easily fooled, because it is not 
checking SPF and DKIM:


welcomelist_from *@gmail.com

... so to ensure valid SPF and DKIM, I believe I would need:

welcomelist_from_spf  *@gmail.com
welcomelist_from_dkim *@gmail.com

... or *two* entries.

Is that correct ?

Thanks,

- J


Re: Assistance with rule

2023-04-28 Thread Joey J
I haven't written many of these with Meta, but wanted to make sure how this
works.
If the meta FROM_TEST from FROM_TEST_EMAIL && FROM_TEST_IP is false, does
that mean the next line score will not be added/executed?
In my mind, I feel like (top down logic ) the score will happen all the
time.

Also, does this look like the right idea?

Thanks!!

header FROM_TEST_EMAIL From =~ /user@test\.com/i
# (?!\d) keeps 1.2.3.4 from also matching 1.2.3.40 etc.
header FROM_TEST_IP Received =~ /from 1\.2\.3\.4(?!\d)/i
# a meta rule is "meta NAME expression" (no "from" keyword); sub-rules
# without a score line still add the default 1.0 each unless their names
# start with "__"
meta FROM_TEST FROM_TEST_EMAIL && FROM_TEST_IP
score FROM_TEST -1.0

On Fri, Apr 28, 2023 at 11:48 AM Matus UHLAR - fantomas 
wrote:

> On 28.04.23 11:04, Joey J wrote:
> >I have this rule which I thought looked good, but doesn't seem to ever
> kick
> >in.
>
> >header FROM_TEST_IP_AND_EMAIL From =~ /sender@sender\.com/i && Received
> =~ /from 138\.193\.30\.7/
>
> >I was hoping to find the senders email address, then if it's found, see
> the
> >sending IP, if that matches gives a negative score.
> >
> >Is there a better way?
> >
> >Also is there some kind of rule tester you can use where you put a rule,
> >put some headers and see what it evaluates?
>
> you must create two separate rules and a meta rule for that.
>
> I also recommend using X-Spam-Relays-Trusted pre-parsed pseudo-header:
>
> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> You have the right to remain silent. Anything you say will be misquoted,
> then used against you.
>


-- 
Thanks!
Joey
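Joey's question about whether the meta's score is added "all the time", and his earlier wish for a rule tester, as an added example that is not from the thread and not SpamAssassin's own code: a toy evaluator for header/meta/score lines. It runs the corrected rules from the message above (stray "from" removed; the (?!\d) guard is an addition) against two constructed messages and shows what unscored sub-rules contribute, then the same rules with "__"-prefixed sub-rule names. The header samples are constructed.

```python
"""Added example (not from the thread, not SpamAssassin code): a toy
evaluator for header/meta/score rules, enough to see how a meta rule gates
its score and what unscored sub-rules contribute."""
import re
from typing import Dict, List, Tuple

RULES = r"""
header FROM_TEST_EMAIL From =~ /user@test\.com/i
header FROM_TEST_IP Received =~ /from 1\.2\.3\.4(?!\d)/i
meta FROM_TEST FROM_TEST_EMAIL && FROM_TEST_IP
score FROM_TEST -1.0
"""

# Same logic with "__" sub-rule names, which SpamAssassin treats as unscored.
RULES_SUBRULES = r"""
header __FROM_TEST_EMAIL From =~ /user@test\.com/i
header __FROM_TEST_IP Received =~ /from 1\.2\.3\.4(?!\d)/i
meta FROM_TEST __FROM_TEST_EMAIL && __FROM_TEST_IP
score FROM_TEST -1.0
"""

RuleSet = Tuple[Dict[str, Tuple[str, re.Pattern]], Dict[str, str], Dict[str, float]]


def parse_rules(text: str) -> RuleSet:
    headers, metas, scores = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "header":
            hdr, _, pat = rest.partition("=~")
            m = re.fullmatch(r"\s*/(.*)/([a-z]*)\s*", pat)
            if not m:
                raise ValueError(f"unsupported header rule: {line}")
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            # ":addr"-style modifiers are ignored in this toy; key on the header name
            headers[name] = (hdr.strip().split(":")[0], re.compile(m.group(1), flags))
        elif kind == "meta":
            metas[name] = rest
        elif kind == "score":
            scores[name] = float(rest.split()[0])
    return headers, metas, scores


def default_score(name: str) -> float:
    """SpamAssassin's defaults for a rule with no score line."""
    if name.startswith("__"):
        return 0.0
    if name.startswith("T_"):
        return 0.01
    return 1.0


_ALLOWED = {"True", "False", "and", "or", "not", "(", ")"}


def evaluate(rules: RuleSet, headers: Dict[str, List[str]]) -> Tuple[float, Dict[str, float]]:
    """Return (total score, {hit rule: score contributed}); zero-score hits are omitted."""
    hrules, metas, scores = rules
    hits: Dict[str, bool] = {}

    def hit(name: str) -> bool:
        if name in hits:
            return hits[name]
        if name in hrules:
            key, rx = hrules[name]
            hits[name] = any(rx.search(v) for v in headers.get(key, []))
        elif name in metas:
            hits[name] = False  # placeholder so a self-referencing meta cannot recurse forever
            expr = metas[name].replace("&&", " and ").replace("||", " or ").replace("!", " not ")
            expr = re.sub(r"[A-Za-z_]\w*",
                          lambda m: m.group(0) if m.group(0) in ("and", "or", "not")
                          else str(hit(m.group(0))), expr)
            tokens = re.findall(r"True|False|and|or|not|\(|\)|\S", expr)
            if any(t not in _ALLOWED for t in tokens):
                raise ValueError(f"unsupported meta expression: {metas[name]}")
            hits[name] = bool(eval(expr, {"__builtins__": {}}, {}))  # only booleans/and/or/not remain
        else:
            hits[name] = False  # unknown sub-rule; spamassassin --lint would complain
        return hits[name]

    for name in list(hrules) + list(metas):
        hit(name)
    report = {n: scores.get(n, default_score(n)) for n, h in hits.items() if h}
    report = {n: s for n, s in report.items() if s != 0.0}
    return round(sum(report.values()), 3), report


# Constructed messages: one from the expected address and IP, one from another IP.
MSG_MATCH = {
    "From": ["Some User <user@test.com>"],
    "Received": [
        "from 1.2.3.4 (mail.test.com [1.2.3.4]) by mx.example.net with ESMTPS; Fri, 28 Apr 2023 11:04:00 -0400",
        "from localhost (localhost [127.0.0.1]) by mx.example.net; Fri, 28 Apr 2023 11:04:01 -0400",
    ],
}
MSG_OTHER_IP = {
    "From": ["Some User <user@test.com>"],
    "Received": ["from 1.2.3.45 (unknown [1.2.3.45]) by mx.example.net with ESMTP; Fri, 28 Apr 2023 11:05:00 -0400"],
}

if __name__ == "__main__":
    for label, text in (("plain names", RULES), ("__ sub-rules", RULES_SUBRULES)):
        for msg_label, msg in (("match", MSG_MATCH), ("other ip", MSG_OTHER_IP)):
            print(label, msg_label, evaluate(parse_rules(text), msg))
```

With plain names the matching message nets +1.0, because FROM_TEST_EMAIL and FROM_TEST_IP each add the 1.0 default and only then does FROM_TEST subtract 1.0; with "__" names the meta is the only thing that scores, and it scores only when both halves hit.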


Re: FROM_RETURNPATH_MISMATCH

2023-04-28 Thread Joey J
Thank you all.

Someone internally must have seen that rule and added it, I think I'm going
to pull it out as it has way too many false positives.
I took the assumption (we know) that it was one of the base rules.

On Fri, Apr 28, 2023 at 11:43 AM Matus UHLAR - fantomas 
wrote:

> On 28.04.23 10:58, Joey J wrote:
> >I'm trying to understand why SA keeps scoring this rule, when the sender
> >only has their from address, no reply to etc, nothing helping me to
> >understand why.
> >
> >I'm guessing here, but this would be where the reply to differs from the
> >from?
> >
> >Any assistance appreciated.
>
> I don't see FROM_RETURNPATH_MISMATCH in spamassassin rules, perhaps you
> fetched it from 3rd
> party source?
>
> maybe from here:
>
>
> https://www.lexo.ch/blog/2018/07/solved-spf-setting-does-not-apply-to-return-path-causing-more-spam-and-phishing-e-mails-spamassassin-postfix/
>
> however, that is quite complicated regex and quite possibly wrong.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Despite the cost of living, have you noticed how popular it remains?
>


-- 
Thanks!
Joey


Assistance with rule

2023-04-28 Thread Joey J
Hello all,

I have this rule which I thought looked good, but doesn't seem to ever kick
in.
header FROM_TEST_IP_AND_EMAIL From =~ /sender@sender\.com/i && Received =~
/from 138\.193\.30\.7/
score FROM_TEST_IP_AND_EMAIL -8.0

I was hoping to find the senders email address, then if it's found, see the
sending IP, if that matches gives a negative score.

Is there a better way?

Also is there some kind of rule tester you can use where you put a rule,
put some headers and see what it evaluates?


-- 
Thanks!
Joey


FROM_RETURNPATH_MISMATCH

2023-04-28 Thread Joey J
Hello All,

I'm trying to understand why SA keeps scoring this rule, when the sender
only has their from address, no reply to etc, nothing helping me to
understand why.

I'm guessing here, but this would be where the reply to differs from the
from?

Any assistance appreciated.

-- 
Thanks!
Joey


Re: Rule Help - not sure what is wrong with my syntax

2023-01-13 Thread Joey J
Thanks to everyone's suggestions.

I will try to respond to everyone in this 1 message:

This was intended for people who get both filtering inbound and outbound
from the mail gateway.
At times certain legit content gets flagged on the way OUT, so this was to
try and add a little negative score, so it would say, OK we know we send
this guy, lets say the word million etc.
We didn't want to simply whitelist the TO address, because in theory if
computers get hacked, they could potentially send out malicious
attachments/links etc, so we want to allow something that scores a very
high score, we won't allow that to go out, but if its a moderate score,
make sure it doesn't get rejected.

In respect to Henrik K, I tried using the rule but SA with lint didn't like
the evaluation of the header you suggested.
I was able to try it a little different and got this to work, should anyone
else want to use it:

header TO_SPECIFIC_DOMAIN To:addr =~ /\@(test\.com|test\.net)$/
describe TO_SPECIFIC_DOMAIN Mail sent to test.com or test.net email
addresses
score TO_SPECIFIC_DOMAIN -2.0

*As always, thank you to everyone who helps support this list!*

On Thu, Jan 12, 2023 at 9:57 PM John Hardin  wrote:

> On Thu, 12 Jan 2023, John Hardin wrote:
>
> > On Thu, 12 Jan 2023, Martin Gregorie wrote:
> >
> >>  On Wed, 2023-01-11 at 18:39 -0500, Joey J wrote:
> >>>  Hello All,
> >>>
> >>>  I created this rule to check for email addresses matching a list to
> >>>  get
> >>>  added some negative value.
> >>>  I also tried it with just domains so it would be more efficient, but I
> >>>  can't seem to get them to run.
> >>>  Any suggestions?
> >>
> >>  Use a database to store addresses you accept mail from. Apart from the
> >>  database, you'll need a Perl module to let SA look up addresses in the
> >>  database.
> >
> > Simpler as it involves no new coding: a local DNS server and a DNSBL
> lookup
> > rule with a negative score. There are instructions for setting such up
> for
> > local blacklists, that works equally well for a local whitelist.
>
> Ah, whoops. I had it in my head that emailBL had been implemented. Never
> mind!
>
>
> --
>   John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
>   jhar...@impsec.org pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>The difference is that Unix has had thirty years of technical
>types demanding basic functionality of it. And the Macintosh has
>had fifteen years of interface fascist users shaping its progress.
>Windows has the hairpin turns of the Microsoft marketing machine
>and that's all.-- Red Drag Diva
> ---
>   5 days until Benjamin Franklin's 317th Birthday
>


-- 
Thanks!
Joey


Rule Help - not sure what is wrong with my syntax

2023-01-11 Thread Joey J
Hello All,

I created this rule to check for email addresses matching a list to get
added some negative value.
I also tried it with just domains so it would be more efficient, but I
can't seem to get them to run.
Any suggestions?

header TO_SPECIFIC_EMAIL eval:check_to_specific_email()
describe TO_SPECIFIC_EMAIL Mail to a specific email address

score TO_SPECIFIC_EMAIL -2

sub check_to_specific_email {
my ($self) = @_;
my $to = lc($self->get('To:addr'));
my $list_of_address = qr/us...@example.com|us...@example.com|
us...@example.com/;
if ($to =~ $list_of_address) {
return 1;
}
return 0;
}




This version was to simply check for the domain matches, but can't seem to
get it to work


header TO_SPECIFIC_DOMAIN eval:check_to_specific_domain()
describe TO_SPECIFIC_DOMAIN Mail to specific email domain

score TO_SPECIFIC_DOMAIN -2

sub check_to_specific_domain {
my ($self) = @_;
my $to = lc($self->get('To:addr'));
if ($to =~ /\@example1\.com$|\@example2\.com$|\@example3\.com$/) {
return 1;
}
return 0;
}






-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-23 Thread Joey J
Hello All,

This is the best I can grab header wise, Names/IP's have changed here to
protect privacy.
Know the following:
The senders real server (1.2.3.4), (1.2.3.4 is the SPF match) sends the
mail to the gateway, and the gateway blocked it as shown.
Yes, legit going to paypal.

Based on your response, will assist in making the best choice.

Thanks everyone!


Dec 19 19:39:42 mgw postfix/smtpd[1070732]: connect from
Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: Anonymous TLS connection
established from Sender.MailServer.com[1.2.3.4]: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA384 (256/256 bits)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: client=
Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: message-id=<
mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com
>
Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01:
from=, size=673334, nrcpt=1 (queue active)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from
Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1
quit=1 commands=7
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail
message-id=<
mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com
>#012
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus
detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA
score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no
hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: notify
 (rule: Block outgoing Spam, 342C580C8D)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: block
mail to  (rule: Block outgoing Spam)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D:
processing time: 5.04 seconds (4.186, 0.664, 0)
Dec 19 19:39:47 mgw postfix/lmtp[1070520]: 1270980A01: to=<
recipi...@paypal.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=5.2,
delays=0.06/0/0.05/5.1, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED
(A760963A1044E2E16D))
Dec 19 19:39:47 mgw postfix/qmgr[5368]: 1270980A01: removed




On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas 
wrote:

> On 21.12.22 15:48, Joey J wrote:
> >Thank you for pointing me in the better direction.
> >Since not many people are typing these types of email , I could do the one
> >off rule and it would be manageable.
> >But in better seeing the welcomelist_from_spf option, I think this will be
> >my first try.
>
> welcomelist_auth does the same as welcomelist_from_spf and
> welcomelist_from_dkim
> both.
>
> Note that SPF is related to envelope from address and if it's different
> from
> header From:, it won't help you much.
>
> You haven't provided example of mail (headers) we are talking about.
> Without it, we can only guess what your problem really is and what the
> solution should be.
>
>
> >On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:
> >> The other thing that should be done for j...@company.com is that
> >> company.com should sign their mail with DKIM, and then you can
> >>
> >>   welcomelist_from_dkim *@company.com
> >>
> >> I find that many companies I deal with that produce semi-spammy mail
> >> (most big companies :-) have DKIM signatures and I can welcomelist on
> >> that, without welcomelisting forgeries.
> >>
> >> You can of course use _rcvd for the IP address.  DKIM is just nicer if
> >> you can get them to do it.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> 2B|!2B, that's a question!
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-21 Thread Joey J
Kris & Greg,

Thank you for pointing me in the better direction.
Since not many people are typing these types of email , I could do the one
off rule and it would be manageable.
But in better seeing the welcomelist_from_spf option, I think this will be
my first try.

I appreciate all of your points and it makes us all better evaluate what we
are doing and consider efficiency and effectiveness.

Thanks!!

On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:

> The other thing that should be done for j...@company.com is that
> company.com should sign their mail with DKIM, and then you can
>
>   welcomelist_from_dkim *@company.com
>
> I find that many companies I deal with that produce semi-spammy mail
> (most big companies :-) have DKIM signatures and I can welcomelist on
> that, without welcomelisting forgeries.
>
> You can of course use _rcvd for the IP address.  DKIM is just nicer if
> you can get them to do it.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-21 Thread Joey J
Thanks Everyone.
Within all of the responses, I will try to reply here.
1. The legit sender will talk about big numbers because of the real things
he is involved with so big numbers is still a valid method to score, just
not in this case.
2. The SPF record is set to fail on no match, however this does not
automatically say, ok it's the approved source everything is ok, let them
spam out, SA will still score content, and simply not score for bad SPF.
3. The goal is to say for user j...@company.com, if we can confirm the
source is their mail server IP, the lets add some negative value, lets say
-2, to allow message that might be scored such as the above #1 because they
are legit.

Unless there is something I'm missing, I'm not sure how to better explain
it.
Yes, I can provide the full headers, but I thought the spam info was enough
to provide the SA aspect of the scoring.

This is why I thought of the extra rule based on email address and IP
combo, almost confirming it's legit, to add to the negative score.



On Wed, Dec 21, 2022 at 1:12 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-12-21 at 12:02:27 UTC-0500 (Wed, 21 Dec 2022 18:02:27 +0100)
> Matus UHLAR - fantomas 
> is rumored to have said:
> [...]>
> > On 21.12.22 11:19, Henrik K wrote:
> >> It will pass welcomelist_auth, since there is SPF_PASS, which you
> missed:
> >>
> >> SPF_PASS   -0.001 SPF: sender matches SPF record
> >
> > I understood KAM_DMARC_STATUS as failing SPF alignment.
>
>KAM_DMARC_STATUS  0.01  Test Rule for DKIM or SPF Failure with Strict
> Alignment
>
> Note that 'or' is not 'and' in that description. The message in question
> had a bad DKIM signature.
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-20 Thread Joey J
Thanks to Bill and Matus for your responses.

Basically, the client is talking about real money transactions, airplanes,
paypal etc, but he is a legit sender with these often flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 times,
there are more of the buzz words that SA looks at based on rules.

We can't whitelist j...@company.com because of course everyone pretending to
be him will more than likely get whitelisted and you know the rest.
This is why I thought if user j...@company.com from ip 1.2.3.4 condition
would allow me to add some negative score to get over the total flagging it
as spam.

You guys would know better than I as to which would be the best method, I
like scoring it some and going to -100.

Within the reject to the user it had the following:

Spam detection results:  3

ClamAVHeuristics3 ClamAV heuristic test:
Phishing.Email.SpoofedDomain (clamav)

AWL-0.969 Adjusted score from AWL reputation of From:
address

BAYES_00 -1.9 Bayes spam probability is 0 to 1%

BIGNUM_EMAILS_MANY  2.999 Lots of email addresses/leads, over and over

DKIM_INVALID  0.1 DKIM or DK signature exists, but is not valid

DKIM_SIGNED   0.1 Message has a DKIM or DK signature, not
necessarily valid

HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
background

HTML_MESSAGE0.001 HTML included in message

KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
Alignment

SPF_HELO_NONE   0.001 SPF: HELO does not publish an SPF Record

SPF_PASS   -0.001 SPF: sender matches SPF record

T_FILL_THIS_FORM_SHORT   0.01 Fill in a short form with personal information
URIBL_BLOCKED   0.001 ADMINISTRATOR NOTICE: The query to URIBL was
blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block



On Tue, Dec 20, 2022 at 6:14 AM Matus UHLAR - fantomas 
wrote:

> On 19.12.22 20:05, Joey J wrote:
> >I'm trying to see if there is a "best way" to provide negative scoring for
> >a certain persons email.
> >As an example if j...@company.com is communicating with paypal or other
> real
> >banking institutions, then at times within the email chain, SA will tag it
> >as spam.
>
> do you have an example?
>
> >I want to see if there is if email is from j...@company.com AND is from IP
> >address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> >those legitimate types of messages through.
>
> there are techniques like SPF and DKIM to authenticate e-mail.
> In such case you should be able to "welcomelist_auth j...@company.com"
> without
> providing outgoing mailserver IP
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-19 Thread Joey J
Actually, what would be the format, in respect to header for that rule?
so
header welcomelist_from_rcvd   j...@company.com [1.2.3.4]

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:

>
> Joey J  writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring
> for
> > a certain persons email.
>
> That's easy.  There are many ways, but not best way.
>
> > As an example if j...@company.com is communicating with paypal or other
> real
> > banking institutions, then at times within the email chain, SA will tag
> it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if there is if email is from j...@company.com AND is from
> IP
> > address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example on how to accomplish this dual criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd   j...@company.com [1.2.3.4]
>
> should work, but -100.  It would be nice if welcomelist_* could take a
> score, but it you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-19 Thread Joey J
Thanks,
So welcomelist_from_rcvd j...@company.com [1.2.3.4]
Is saying if it's received from j...@company.com and the IP combination?
And then simply score it
 welcomelist_from_rcvd score -2
I will try that thank you!

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:

>
> Joey J  writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring
> for
> > a certain persons email.
>
> That's easy.  There are many ways, but not best way.
>
> > As an example if j...@company.com is communicating with paypal or other
> real
> > banking institutions, then at times within the email chain, SA will tag
> it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if there is if email is from j...@company.com AND is from
> IP
> > address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example on how to accomplish this dual criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd   j...@company.com [1.2.3.4]
>
> should work, but -100.  It would be nice if welcomelist_* could take a
> score, but it you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


-- 
Thanks!
Joey


Whitelist or add negative values for score

2022-12-19 Thread Joey J
Hello All,

I'm trying to see if there is a "best way" to provide negative scoring for
a certain persons email.
As an example if j...@company.com is communicating with paypal or other real
banking institutions, then at times within the email chain, SA will tag it
as spam.

I want to see if there is if email is from j...@company.com AND is from IP
address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
those legitimate types of messages through.
I couldn't find an example on how to accomplish this dual criteria check.
Any assistance is appreciated.

-- 
Thanks!
Joey


How to incorporate network blocks

2022-11-10 Thread Joey J
Hello All,

I'm trying to see if there is a way to incorporate network ranges into SA
to essentially flag messages.

I know I can use iptables and reject it before getting to SA, but in some
cases we would have legit email get flagged within these bigger blocks.

I'm trying to incorporate:
feeds.dshield.org/block.txt
spamhaus.org/drop/drop.lasso
ciarmy.com/list/ci-badguys.txt
openbl.org/lists/base.txt

Thanks!

-- 
Thanks!
Joey
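Loading the lists named above into SA-usable network sets, as an added example that is not from the thread: it parses the three line formats (Spamhaus DROP "cidr ; comment", DShield block.txt "start end maskbits ..." and one-address-per-line ci-badguys style), collapses them, and tests a message's external relay IPs against them. The sample lines are constructed for this example and not fetched; the DShield column layout used here is an assumption and the parser only relies on the first and third columns.

```python
"""Added example (not from the thread): load block-list feeds into a set of
networks and test a message's external relay addresses against them."""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

# Constructed samples in the shape of the three feeds (not real data).
DROP_SAMPLE = """; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""
DSHIELD_SAMPLE = ("# constructed sample: start\tend\tmaskbits\tattacks\tname\tcountry\temail\n"
                  "203.0.113.0\t203.0.113.255\t24\t1234\tEXAMPLE-NET\tZZ\tabuse@example.net\n")
CIARMY_SAMPLE = "192.0.2.77\n2001:db8::bad\n"


def parse_block_list(text: str) -> Set[ipaddress._BaseNetwork]:
    """Accept 'a.b.c.d/n', bare addresses, and 'start end maskbits ...' rows."""
    nets: Set[ipaddress._BaseNetwork] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # both comment styles
        if not line:
            continue
        fields = line.split()
        candidate = fields[0]
        if "/" not in candidate and len(fields) >= 3 and fields[2].isdigit():
            candidate = f"{candidate}/{fields[2]}"               # DShield start + maskbits
        try:
            nets.add(ipaddress.ip_network(candidate, strict=False))
        except ValueError:
            continue                                            # header text or junk row
    return nets


def load_lists(*texts: str) -> List[ipaddress._BaseNetwork]:
    """Merge feeds and collapse overlapping or adjacent ranges per address family."""
    nets: Set[ipaddress._BaseNetwork] = set()
    for t in texts:
        nets |= parse_block_list(t)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def first_listed_relay(relays: Iterable[str],
                       nets: Iterable[ipaddress._BaseNetwork]) -> Optional[Tuple[str, str]]:
    """Relays are the external hops SA extracts from Received:, outermost first.
    Returns (ip, matching network) for the first hit, or None."""
    for ip in relays:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        for n in nets:
            if addr.version == n.version and addr in n:
                return ip, str(n)
    return None


if __name__ == "__main__":
    nets = load_lists(DROP_SAMPLE, DSHIELD_SAMPLE, CIARMY_SAMPLE)
    print("networks:", [str(n) for n in nets])
    print(first_listed_relay(["10.0.0.5", "203.0.113.9"], nets))
    print(first_listed_relay(["10.0.0.5"], nets))
```

Because membership is tested per relay rather than at the firewall, a legitimate sender inside a listed block can still be given a score rather than dropped outright, which is the distinction drawn in the question.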


Re: Block IP's for certain domains based on list

2022-07-22 Thread Joey J
Most of the users servers I'm referring to are on the other side of our
mail gateway, so we know where they are sending from (through our gateway)
but when the client's domain is used on an inbound message, we would be
able to simply reject, knowing it's not the users servers sending it.

I agree don't re-invent, but some clients have many providers that send
email on their behalf making it more complicated.

On Fri, Jul 22, 2022 at 10:08 AM Reindl Harald 
wrote:

>
>
> Am 21.07.22 um 22:58 schrieb Joey J:
> > Hello,
> >
> > Is there a way for me to block mail that claims it's from a certain
> > domain, based on my own valid ip address list?
> >
> > Example:
> >
> > myserver.com - IP address 1.2.3.4
> > If a message comes in from any server other than 1.2.3.4 for domain
> > myserver.com reject it?
>
> SPF
>
> > I know SPF/DKIM/DMARC would also help here, but trying to almost make my
> > own ACL
>
> why reinvent the wheel?
>
> such lists go outdated over time and are only asking for trouble
>


-- 
Thanks!
Joey


Block IP's for certain domains based on list

2022-07-21 Thread Joey J
Hello,

Is there a way for me to block mail that claims it's from a certain domain,
based on my own valid ip address list?

Example:

myserver.com - IP address 1.2.3.4
If a message comes in from any server other than 1.2.3.4 for domain
myserver.com reject it?

I know SPF/DKIM/DMARC would also help here, but trying to almost make my
own ACL.

Thanks

-- 
Thanks!
Joey
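Both of Joey's questions on this page (the earlier one about taking 2 points off when mail is both from a given address and from IP 1.2.3.4, and this one about rejecting mail that claims myserver.com but did not come through its server) fit the same meta-rule shape in local.cf. The block below is an added illustration, not code from the thread or the SpamAssassin project; sender@company.com, 198.51.100.7 and the 192.0.2.0/24 range are placeholders, and it relies on the X-Spam-Relays-External pseudo-header that SpamAssassin builds from the Received headers.

```text
# Added example (not from the thread). Addresses and IPs are placeholders.
# Rule names starting with "__" are sub-rules: they score nothing on their own.

# --- Case 1: a known sender relayed through its known IP gets -2.0 ---------
# From:addr is the bare address part of the From header.
header   __KNOWN_SENDER_FROM   From:addr =~ /^sender\@company\.com$/i
# X-Spam-Relays-External is a pseudo-header SpamAssassin synthesises from the
# Received headers; its first "[ ip=... ]" entry is the last external relay,
# i.e. the machine that handed the mail to your trusted/internal hosts.
header   __KNOWN_SENDER_RELAY  X-Spam-Relays-External =~ /^\[ ip=1\.2\.3\.4 /
meta     KNOWN_SENDER_VIA_KNOWN_RELAY  (__KNOWN_SENDER_FROM && __KNOWN_SENDER_RELAY)
describe KNOWN_SENDER_VIA_KNOWN_RELAY  Expected sender arriving from its expected relay
score    KNOWN_SENDER_VIA_KNOWN_RELAY  -2.0

# --- Case 2: a domain we host must only arrive via its listed servers --------
header   __MYDOMAIN_FROM   From:addr =~ /\@myserver\.com$/i
# One alternative per legitimate sending IP; third-party providers that send
# on the client's behalf are added here too (198.51.100.7 is a placeholder).
header   __MYDOMAIN_RELAY  X-Spam-Relays-External =~ /^\[ ip=(?:1\.2\.3\.4|198\.51\.100\.7) /
meta     MYDOMAIN_FORGED   (__MYDOMAIN_FROM && !__MYDOMAIN_RELAY)
describe MYDOMAIN_FORGED   Claims myserver.com but did not come through its servers
score    MYDOMAIN_FORGED   10.0

# Both rules depend on SpamAssassin knowing which hops are yours; otherwise
# the "last external" relay may be your own gateway. Placeholder range:
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24
```

Rejecting (rather than scoring) still has to happen in the MTA or glue that reads the score, as the later RBL thread on this page explains.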


Re: RBL via SpamAssassin configuration

2022-06-28 Thread Joey J
Hello All, not sure where I'm going wrong.

in my custom.cf I have
#RBL's
header RCVD_IN_ZENSPAMHAUS eval:check_rbl('zenspamhaus-lastexternal',
'zen.spamhaus.org.')
describe RCVD_IN_ZENSPAMHAUS Relay is listed in zen.spamhaus.org
tflags RCVD_IN_ZENSPAMHAUS net
score RCVD_IN_ZENSPAMHAUS 5.0

if I query DNS, I get the expected answer from local caching:
dig +short TXT 2.0.0.127.zen.spamhaus.org
"https://www.spamhaus.org/sbl/query/SBL2"
"https://www.spamhaus.org/query/ip/127.0.0.2"

When I send a test message using the Spamhaus Blocklist Tester
<https://blt.spamhaus.com/>
it goes through, and upon inspection of the email headers, neither the rule
name nor points show anywhere.
I must be missing something.
Any suggestions?

Thanks


On Tue, Jun 28, 2022 at 5:28 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-06-28 at 14:38:16 UTC-0400 (Tue, 28 Jun 2022 14:38:16 -0400)
> Joey J 
> is rumored to have said:
>
> > Hello All,
> >
> > In trying to setup RBL's with SA, I wanted to make sure the proper way
> > to
> > do it.
> > I have seen some samples like this
> > header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal',
> > 'b.barracudacentral.org.')
> > describe RCVD_IN_BARRACUDACEN Relay is listed in
> > b.barracudacentral.org
> > tflags RCVD_IN_BARRACUDACEN net
> > score RCVD_IN_BARRACUDACEN 4.0
>
> That looks right. Definitive documentation can be had with 'perldoc
> Mail::SpamAssassin::Plugin::DNSEval' and 'perldoc
> Mail::SpamAssassin::Conf'
>
> > Is this actually going out and doing a DNS query or reading from the
> > header
> > of the message?
>
> It does both...
>
> SA analyzes the Received headers in a message to find relevant SMTP
> handoffs, with relevant settings in trusted_networks, internal_networks,
> and msa_networks. For DNSBLs, typically the "last external" Received
> header is the key: the latest one written by a trusted machine,
> documenting a handoff from a machine which is not in any of those
> special sets. It tests the IP address of that last external machine to
> handle the message. DNSEval looks up that IP address in the DNSBL.
>
> > I think I want to actually do the DNS query and I will cache locally
> > to
> > avoid issues and increase performance.
>
> The proper way to do this is to run a local caching recursive resolver
> (e.g. Unbound or BIND, NOT dnsmasq) on the same machine as the MTA and
> use that for all DNS lookups. Using more distant DNS servers can result
> in latency delays and using forwarding of any sort will cause blocking
> by DNSBL services. Any DNS server that filters or modifies responses to
> 'protect' user personal computers is unfit for use with email.
>
> > Also if someone has a list of these rules, that they use and could
> > share
> > that would be great.
>
> There are many in the standard ruleset. I think we do a reasonably good
> job of curating them, and they should all be safe to use as designed.
> Note that some DNSBLs are explicitly NOT intended for use on a mail
> server that accepts initial submission from end users.
>
> > The last part of my question is, here we score and then based on
> > scoring
> > the next part can either quarantine the message or deliver it, but is
> > there
> > a way from SA to simply say reject it right there?
> > (I think the answer is no, it simply scores it, but wanted to be sure)
>
> SpamAssassin itself has no capacity to handle the disposition of email.
> It only scores messages and reports those scores to whatever tool is
> using it.
>
> Hence, if you are accepting or quarantining mail based on a SA score,
> there's Something Else making that disposition decision. It might be a
> milter (MIMEDefang, MailMunge, spamass-milter, or amavisd-milter,) or a
> Postfix content_filter script or a SMTP proxy (many amavisd systems) or
> an Exim config stanza (not sure if that's an 'acl' or a 'router' in Exim
> jargon.)   It is that 'glue' between the MTA and SA which implements the
> handling decision for scored messages.
>
> Generally it is a good idea to reject messages that you are not going to
> deliver. As a backstop for false positives rejection alerts the sender
> to the problem, in contrast to the silent death of quarantining.
> Quarantining (or worse, discarding) borderline messages may seem good in
> that it doesn't give any feedback to spammers, but in practice there's
> no evidence that they use the sort of feedback they get from rejections
> in any way. The simplest way they might do so in theory, washing bad
> addresses out of their lists, would actually be GOOD if they all did it.
>
>
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey
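As an added illustration of Bill's "last external" explanation (not code from the thread or the stock ruleset, which already carries equivalent rules under other names; the 192.0.2.0/24 range is a placeholder for your own MTAs): the rule only fires if SpamAssassin tests the same IP that was checked with dig, which depends on trusted_networks, and it should act only on the documented Spamhaus return codes rather than on any answer at all.

```text
# Added example, not from the thread or the stock ruleset. Network ranges are
# placeholders; replace them with the addresses of your own gateway/MTA hosts.

# 1. Tell SA which hops are yours. "-lastexternal" in a rule-set name means
#    "query only the first hop outside trusted_networks". If these are wrong,
#    SA may test your own gateway's IP (never listed) or an inner hop, and the
#    rule silently never fires even though dig returns an answer.
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24

# 2. The base lookup. Double underscore: it scores nothing itself; it only
#    performs the query and records the returned A record(s).
header   __RCVD_IN_ZEN  eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.')
tflags   __RCVD_IN_ZEN  net

# 3. Act only on the documented return codes, not on "any answer". Spamhaus
#    answers 127.255.255.x for refused queries (e.g. via a public resolver),
#    and a retired list may return anything; a rule that treats every answer
#    as a listing would then mark every message.
header   RCVD_IN_ZEN_SBL  eval:check_rbl_sub('zen-lastexternal', '127.0.0.[23]')
describe RCVD_IN_ZEN_SBL  Last external relay is in Spamhaus SBL/CSS
tflags   RCVD_IN_ZEN_SBL  net
score    RCVD_IN_ZEN_SBL  5.0

header   RCVD_IN_ZEN_XBL  eval:check_rbl_sub('zen-lastexternal', '127.0.0.[4-7]')
describe RCVD_IN_ZEN_XBL  Last external relay is in Spamhaus XBL
tflags   RCVD_IN_ZEN_XBL  net
score    RCVD_IN_ZEN_XBL  4.0

header   RCVD_IN_ZEN_PBL  eval:check_rbl_sub('zen-lastexternal', '127.0.0.1[01]')
describe RCVD_IN_ZEN_PBL  Last external relay is in Spamhaus PBL
tflags   RCVD_IN_ZEN_PBL  net
score    RCVD_IN_ZEN_PBL  3.0
```

Running `spamassassin -D dns,check -t < message.eml` shows which IP was chosen as last external and which DNSBL queries were issued, which is the quickest way to see why a test message did not hit.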


Re: RBL via SpamAssassin configuration

2022-06-28 Thread Joey J
Thank you, this makes sense, I will look through the mentioned resource.

On Tue, Jun 28, 2022 at 5:28 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-06-28 at 14:38:16 UTC-0400 (Tue, 28 Jun 2022 14:38:16 -0400)
> Joey J 
> is rumored to have said:
>
> > Hello All,
> >
> > In trying to setup RBL's with SA, I wanted to make sure the proper way
> > to
> > do it.
> > I have seen some samples like this
> > header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal',
> > 'b.barracudacentral.org.')
> > describe RCVD_IN_BARRACUDACEN Relay is listed in
> > b.barracudacentral.org
> > tflags RCVD_IN_BARRACUDACEN net
> > score RCVD_IN_BARRACUDACEN 4.0
>
> That looks right. Definitive documentation can be had with 'perldoc
> Mail::SpamAssassin::Plugin::DNSEval' and 'perldoc
> Mail::SpamAssassin::Conf'
>
> > Is this actually going out and doing a DNS query or reading from the
> > header
> > of the message?
>
> It does both...
>
> SA analyzes the Received headers in a message to find relevant SMTP
> handoffs, with relevant settings in trusted_networks, internal_networks,
> and msa_networks. For DNSBLs, typically the "last external" Received
> header is the key: the latest one written by a trusted machine,
> documenting a handoff from a machine which is not in any of those
> special sets. It tests the IP address of that last external machine to
> handle the message. DNSEval looks up that IP address in the DNSBL.
>
> > I think I want to actually do the DNS query and I will cache locally
> > to
> > avoid issues and increase performance.
>
> The proper way to do this is to run a local caching recursive resolver
> (e.g. Unbound or BIND, NOT dnsmasq) on the same machine as the MTA and
> use that for all DNS lookups. Using more distant DNS servers can result
> in latency delays and using forwarding of any sort will cause blocking
> by DNSBL services. Any DNS server that filters or modifies responses to
> 'protect' user personal computers is unfit for use with email.
>
> > Also if someone has a list of these rules, that they use and could
> > share
> > that would be great.
>
> There are many in the standard ruleset. I think we do a reasonably good
> job of curating them, and they should all be safe to use as designed.
> Note that some DNSBLs are explicitly NOT intended for use on a mail
> server that accepts initial submission from end users.
>
> > The last part of my question is, here we score and then based on
> > scoring
> > the next part can either quarantine the message or deliver it, but is
> > there
> > a way from SA to simply say reject it right there?
> > (I think the answer is no, it simply scores it, but wanted to be sure)
>
> SpamAssassin itself has no capacity to handle the disposition of email.
> It only scores messages and reports those scores to whatever tool is
> using it.
>
> Hence, if you are accepting or quarantining mail based on a SA score,
> there's Something Else making that disposition decision. It might be a
> milter (MIMEDefang, MailMunge, spamass-milter, or amavisd-milter,) or a
> Postfix content_filter script or a SMTP proxy (many amavisd systems) or
> an Exim config stanza (not sure if that's an 'acl' or a 'router' in Exim
> jargon.)   It is that 'glue' between the MTA and SA which implements the
> handling decision for scored messages.
>
> Generally it is a good idea to reject messages that you are not going to
> deliver. As a backstop for false positives rejection alerts the sender
> to the problem, in contrast to the silent death of quarantining.
> Quarantining (or worse, discarding) borderline messages may seem good in
> that it doesn't give any feedback to spammers, but in practice there's
> no evidence that they use the sort of feedback they get from rejections
> in any way. The simplest way they might do so in theory, washing bad
> addresses out of their lists, would actually be GOOD if they all did it.
>
>
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey


RBL via SpamAssassin configuration

2022-06-28 Thread Joey J
Hello All,

In trying to setup RBL's with SA, I wanted to make sure the proper way to
do it.
I have seen some samples like this
header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal',
'b.barracudacentral.org.')
describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org
tflags RCVD_IN_BARRACUDACEN net
score RCVD_IN_BARRACUDACEN 4.0

Is this actually going out and doing a DNS query or reading from the header
of the message?
I think I want to actually do the DNS query and I will cache locally to
avoid issues and increase performance.

Also if someone has a list of these rules, that they use and could share
that would be great.

The last part of my question is, here we score and then based on scoring
the next part can either quarantine the message or deliver it, but is there
a way from SA to simply say reject it right there?
(I think the answer is no, it simply scores it, but wanted to be sure)

Thanks!



-- 
Thanks!
Joey


Re: Linting of local.cf

2022-04-15 Thread J Doe

On 2022-04-15 09:21, Benny Pedersen wrote:


On 2022-04-15 03:52, J Doe wrote:


Out of curiosity - why doesn't SpamAssassin lint automatically when it
reloads local.cf ?


i ask in reverse, do you want spamd to be down on lint fails ?

we have not seen default rules never have zero lint fails from 
upstream, so apache.org is doing well :=)


i have answered what spamd does if lint fails imho, it continues with 
the remaining rules that are not lint failing, so lint errors are not yet 
hard-failing, should this be changed ?


Hi Benny and Reindl,

That's an interesting point.  I guess the use case I was thinking of is 
if I added an address or domain for a particularly egregious spammer, 
but made a typo in the SA syntax, I would want to know about it on load 
so that it didn't continue to slip through.


On the other hand, as Reindl notes, I can adjust the startup script 
myself or have a wrapper for it.


Thanks for your replies!

- J


Re: Linting of local.cf

2022-04-14 Thread J Doe

On 2022-04-14 21:45, Loren Wilton wrote:

Is there a tool I can use to do a manual lint of the local.cf file ?


At command prompt:    spamassassin --lint


    Loren



Hi Benny and Loren,

Thanks for your replies.  I just tried that and it successfully found 
another mistake I had made in local.cf


$ spamassassin --lint
...
warn: config: failed to parse line, skipping, in
"/etc/spamassassin/local.cf": blakclist_from u...@example.com

Out of curiosity - why doesn't SpamAssassin lint automatically when it 
reloads local.cf ?


Thanks again,

- J


Re: Linting of local.cf

2022-04-14 Thread J Doe

On 2022-04-14 21:09, Benny Pedersen wrote:


On 2022-04-15 02:42, J Doe wrote:


Because I did not see any warnings or errors on restart, I was wondering:

** Does SpamAssassin lint the local.cf file on re-load ?


it does, it just does not load lines which are lint fails; it runs without 
this line then


Hi Benny,

Ok, I was thinking that's what would happen.

Is there a tool I can use to do a manual lint of the local.cf file ?

Thanks,

- J


Linting of local.cf

2022-04-14 Thread J Doe

Hello,

I use SpamAssassin 3.4.2 with Perl 5.26.1 on Ubuntu 18.04 LTS (from a 
package).


The other day I was updating the local.cf file to add an address that I 
wanted to block (in this case I will use a fictional e-mail address of 
u...@example.com).


I entered a new line in local.cf like this:

blacklist_fro u...@example.com

... and restarted the service.  The service restarted and there were no 
errors emitted.  However, as you can see in the line above, the keyword 
is actually missing an "m".  The line should have started with:


blacklist_from

Because I did not see any warnings or errors on restart, I was wondering:

** Does SpamAssassin lint the local.cf file on re-load ?

** If it does, I am assuming that an incorrect keyword is ignored (in 
this case, SpamAssassin ignores the mistake and therefore would not 
block e-mail from u...@example.com).  Is there a way to manually lint 
local.cf to catch mistakes that I have made with keywords ?


Thanks,

- J


Re: RCVD_IN_DNSWL_HI false positives

2021-05-13 Thread Daniel J. Luke
On May 13, 2021, at 12:14 AM, Michael B Allen  wrote:
> It is not completely trivial to set up a caching name server. I literally
> have two accounts so it's at least a serious nuisance.

It's pretty simple to install unbound and set it up on most systems.

> Sending false positives that allows SPAM through is a bad way to enforce 
> policy.

It sounds like they've tried other options but didn't get a response from 
abusive users so this is the 'last resort' option.

-- 
Daniel J. Luke



Re: BCC Rule and Subject change for specific rule

2021-01-04 Thread Joey J
Thanks for the follow up.

I understand what you are saying.
This is SA within Proxmox Mail Gateway, I added my custom rule via SA which
is working, just this additional function.

On Mon, Jan 4, 2021 at 8:23 PM John Hardin  wrote:

> On Mon, 4 Jan 2021, Joey J wrote:
>
> > If I'm understanding things correctly, there is a way for me to BCC spam
> > messages which let's say score 10 and send a BCC to an email address, but
> > I'm trying to do it within only 1 rule, as well as modify the subject.
> >
> > What I don't want is a BCC sent for every message which is scored a 10,
> > but only the specific rule.
> >
> > Is there a way for me to accomplish this set of actions?
>
> You can't BCC the message within SpamAssassin, as SA only scores messages.
> The MTA or glue layer (what ties SA into your MTA) is what determines
> *delivery* of the message based on SA's score.
>
> Potentially, your MTA or glue layer could be configured to look for a
> specific scored rule name appearing in the header that lists rule hits and
> if found deliver the message to another destination.
>
> But specifically how to do that depends on your MTA and/or your glue. What
> are you using?
>
> I'm pretty sure SA only allows setting the subject tag by language, not
> based on rule hits. You may be able to modify the subject in the MTA/glue
> at the same point you do the extra delivery.
>
> --
>   John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
>   jhar...@impsec.org pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>News flash: Lowest Common Denominator down 50 points
> ---
>   219 days since the first private commercial manned orbital mission
> (SpaceX)
>


-- 
Thanks!
Joey


BCC Rule and Subject change for specific rule

2021-01-04 Thread Joey J
Hello All,

If I'm understanding things correctly, there is a way for me to BCC spam
messages which let's say score 10 and send a BCC to an email address, but
I'm trying to do it within only 1 rule, as well as modify the subject.

What I don't want is a BCC sent for every message which is scored a 10,
but only the specific rule.

Is there a way for me to accomplish this set of actions?

Thanks!

-- 
Thanks!
Joey


How to Block messages from display name not matching expected sender email address

2020-12-23 Thread Joey J
Hello,

I'm trying to figure out how to write a rule that looks for matches of
certain names against the display name, and then ensures it's from a list
of valid email addresses.

So a phishing email comes in from "Boss Man".

So I want to check if the display name is "Boss Man" and if so, make sure
the sending email address is boss...@realcompany.com or boss...@company2.com,
otherwise score it with 10.

Also, would there be a way to forward that email to a specific user, not
send it to the original recipient?

Thanks

-- 
Thanks!
Joey
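One way to write this in local.cf, as an added example rather than code from the thread or the project: exec@realcompany.com and exec@company2.com stand in for the masked addresses, and the second pair of rules goes slightly beyond the question by also catching a legitimate address placed inside the display name.

```text
# Added example (not from the thread). The protected display name and the
# two approved addresses are placeholders; the list archive masks the real ones.

# From:name is the display-name part of From, From:addr the bare address.
header   __EXEC_NAME_BOSS  From:name =~ /\bBoss\s+Man\b/i
header   __EXEC_ADDR_BOSS  From:addr =~ /^exec\@(?:realcompany\.com|company2\.com)$/i

# Display name matches but the address is not one of the approved ones.
meta     EXEC_NAME_SPOOF   (__EXEC_NAME_BOSS && !__EXEC_ADDR_BOSS)
describe EXEC_NAME_SPOOF   Display name impersonates an executive from an unexpected address
score    EXEC_NAME_SPOOF   10.0

# Variant: the approved address appears in the display name while the real
# address is something else, e.g.  "exec@realcompany.com" <other@example.net>.
header   __EXEC_ADDR_IN_NAME  From:name =~ /\@(?:realcompany\.com|company2\.com)\b/i
meta     EXEC_ADDR_IN_NAME    (__EXEC_ADDR_IN_NAME && !__EXEC_ADDR_BOSS)
describe EXEC_ADDR_IN_NAME    Approved address appears only in the display name
score    EXEC_ADDR_IN_NAME    10.0

# Redirecting the message to a different mailbox is not something SpamAssassin
# can do: it only scores. Do that in the MTA or glue (milter/amavis), keyed on
# one of these rule names appearing in the X-Spam-Status "tests=" list.
```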


Re: txrep duplicated key with postgresql

2019-12-09 Thread Daniel J. Luke
I uploaded a patch for postgresql on 
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7218 a while ago - but I 
haven't had time to clean it up into something that should be included into a 
release.

It might serve as inspiration for someone else before I end up having time to 
get to it, though.

> On Dec 9, 2019, at 4:00 PM, Martin Gregorie  wrote:
> 
> On Mon, 2019-12-09 at 11:41 -0800, John Hardin wrote:
>> This sounds more like the "does that tuple already exist?" logic is 
>> failing, causing it to think it needs to create a new entry, which
>> the unique key is (correctly) preventing.
>> 
>> You don't lightly bypass unique keys. They are there for a reason.
>> 
> Fair enough. Since this is the first reference I remember seeing to
> using PostgreSQL with TxRef I assumed that Benny's cry for help was due
> to a difference in the way it handled duplicate keys compared with the
> database that normally supports it.
> 
> Martin
> 

-- 
Daniel J. Luke



Re: DNS and RBL problems

2018-09-14 Thread Daniel J. Luke
On Sep 14, 2018, at 3:26 PM, Kevin A. McGrail  wrote:
> On 9/14/2018 3:22 PM, Alex wrote:
>> I wish it were that easy. /etc/resolv.conf is set up to use 127.0.0.1,
>> which is bind configured as a my local caching resolver.
> Sinister issues like this are hard.  I'll try and escalate our plans for
> rsync access.

Alex - have you looked at bad checksum counters on the host? (netstat -s) - 
I've seen strange issues before where broken network hardware (or bugs in 
switch/router code) caused changes to packets as they passed through the 'bad' 
device. The first hints were those counters increasing at the same time as the 
mysterious issue happening.

-- 
Daniel J. Luke





Re: Make test fails on macOS High Sierra - help needed

2018-09-10 Thread Daniel J. Luke
On Sep 8, 2018, at 8:48 PM, Sidney Markowitz  wrote:
> Macports install of db48 should work for that, but I haven't tried it.

I use this (with a perl I built myself outside of macports) and I can confirm 
it works.
-- 
Daniel J. Luke





Question regarding auto-learning

2018-07-03 Thread J Doe
Hello,

I have a question regarding autolearning and Bayes functionality.

From reading the documentation, it appears that to train the Bayesian filter I 
require a minimum of 1,000 pieces of ham and 1,000 pieces of spam.  I am 
currently collecting spam on one of my servers via a spam trap address and 
slowly reaching that number.  I was wondering, though, if I can use auto 
learning (bayes_auto_learn 1), before training the database ?

When autolearn fires on messages at the moment, it is correctly detecting ham 
and spam based on the default ham and spam thresholds:

bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 12.0

Can this be used before training the database or is it more often used to 
supplement (on an ongoing basis), a database that has already been trained ?

Thanks,

- J




Re: Method of setting score for a custom rule to be the required_score ?

2018-06-27 Thread J Doe


> On Jun 27, 2018, at 6:20 AM, Daniele Duca  wrote:
> Hi, 
> 
> I'd say that a better solution would be to use shortcircuit:
> body __BODY_TEST1 . . .
> body __BODY_TEST2 . . .
> meta CUSTOM_RULE1 (__BODY_TEST1 && __BODY_TEST2)
> shortcircuit CUSTOM_RULE1 spam
> 
> At least that saves computing power because other rules would not be 
> processed once a rule is shortcircuited
Hi John and Daniele,

Thank you for your replies.

John - I’d love to submit a patch, but Perl is not one of the languages I speak 
. . . but if that changes in the near future, I’ll submit one.

Daniele - I like your solution in the fact that you mention processing is 
short-circuited - since mail that meets my rules is already satisfied, 
additional work by SA is not needed.

I went back to “man Mail::SpamAssassin::Conf” and can see mention of the 
shortcircuit plugin . . . is there more documentation (perhaps in another man 
or perldoc), where the shortcircuit keyword is mentioned ?

Thanks again,

- J



Re: Method of setting score for a custom rule to be the required_score ?

2018-06-26 Thread J Doe

> On Jun 26, 2018, at 12:13 AM, John Hardin wrote:
> 
>> Hello,
>> 
>> I was wondering if it is possible to assign a score to a custom rule that 
>> will evaluate to the value that required_score is set to.
>> 
>> My thinking here is that if this rule ever passes, it should not add a small 
>> value to the score but push the score up to the value
>> that required_score is set to.  This way, if the custom rule ever matches, 
>> it automatically scores the amount required to flag
>> the message as spam because the score applied is the value of required_score.
>> 
>> I am wondering if it’s possible to do something like this:
>> 
>>   body __BODY_TEST1 . . .
>>   body __BODY_TEST2 . . .
>>   meta CUSTOM_RULE1 (__BODY_TEST1 && __BODY_TEST2)
>>   describe CUSTOM_RULE1 My custom rule
>>   score CUSTOM_RULE1 %required_score
>> 
>> …where that last %required_score is the part I am curious about.
>> 
>> If it’s not possible to do this directly, is there a way to achieve the same 
>> effect that is used by SA rule writers ?
> 
> That's called a "poison pill rule", and generally you don't worry about 
> hitting the required score exactly, you just set it to something large - like 
> 10 or 100.

Hi John,

Ok, good to know.

Is it possible with the SA grammar to have variables ?  I was thinking I’d have 
something like the following in my: /etc/spamassassin/local.cf

POISON_PILL = 100

…and then all the poison pill rules would reference that:

score CUSTOM_RULE1 %POISON_PILL

…with the advantage being that if I did want to vary the score assigned to all 
these rules, I could change it in one place ?

Thanks,

- J

Method of setting score for a custom rule to be the required_score ?

2018-06-25 Thread J Doe
Hello,

I was wondering if it is possible to assign a score to a custom rule that will 
evaluate to the value that required_score is set to.

My thinking here is that if this rule ever passes, it should not add a small 
value to the score but push the score up to the value
that required_score is set to.  This way, if the custom rule ever matches, it 
automatically scores the amount required to flag 
the message as spam because the score applied is the value of required_score.

I am wondering if it’s possible to do something like this:

body __BODY_TEST1 . . .
body __BODY_TEST2 . . .
meta CUSTOM_RULE1 (__BODY_TEST1 && __BODY_TEST2)
describe CUSTOM_RULE1 My custom rule
score CUSTOM_RULE1 %required_score

…where that last %required_score is the part I am curious about.

If it’s not possible to do this directly, is there a way to achieve the same 
effect that is used by SA rule writers ?

Thanks,

- J
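Putting Daniele's shortcircuit suggestion and the poison-pill score from this thread together, as an added example (not code from the thread or the project; the two body patterns are placeholders): SpamAssassin's configuration language has no user-defined variables, so each such rule keeps its own score line, and the settings used here are documented in perldoc Mail::SpamAssassin::Plugin::Shortcircuit.

```text
# Added example (not from the thread). The body regexes are placeholders.

# The Shortcircuit plugin ships with SpamAssassin but must be loaded, which
# the stock v320.pre normally does. Uncomment if your .pre files do not.
#loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

body     __BODY_TEST1  /placeholder pattern one/i
body     __BODY_TEST2  /placeholder pattern two/i
meta     CUSTOM_RULE1  (__BODY_TEST1 && __BODY_TEST2)
describe CUSTOM_RULE1  My custom rule

# "Poison pill": any large value works; it need not equal required_score.
score    CUSTOM_RULE1  100

# Stop evaluating once this rule hits. With "spam" the message's final score
# is forced to shortcircuit_spam_score (default 100) whatever the rule's own
# score is; with "on" evaluation stops at the score accumulated so far.
shortcircuit CUSTOM_RULE1 spam
shortcircuit_spam_score 100

# A shortcircuited rule must run before the rules it is meant to skip, so give
# it a negative priority (lower runs earlier; the default is 0). Body rules
# still need the message body parsed, so the saving is the remaining rules
# and any network tests, not the parse itself.
priority CUSTOM_RULE1 -500
```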

Re: Question regarding trusted_networks

2018-06-16 Thread J Doe
Hi everyone,

Thank you for the feedback.  I am still uncertain, however, if I have to 
explicitly define the trusted_networks/internal_networks parameters manually in 
my case (where SA is running on same host as MTA) ?

Ignoring the --debug I note that --lint does warn if I manually specify my MTA 
here and implies that the IP of the MTA that SA is running on is automatically 
added to this list.

I note though that man Mail::SpamAssassin::Conf under the trusted_networks 
setting says:

"MXes for your domain(s) and internal relays should _also_ be specified 
using the "internal_networks” setting . . . “

In the same section the algorithm that is used when neither trusted_networks nor 
internal_networks are specified is listed, but there’s no information about 
whether SA automatically grabs the IP address of the host it is running on when 
that host also is the MTA.

My question is:

   1. Do I have to manually specify trusted_networks and internal_networks to 
list the IPv4/IPv6 address of my MTA or because SA is running on the same host 
as the MTA this is automatically picked up ?

A SIDE QUESTION - is there a way, like postconf, to dump the parameters that SA 
is using when it has already parsed local.cf and is running ?

Thanks again,

- J

Question regarding trusted_networks

2018-06-15 Thread J Doe
Hello,

I am currently using SpamAssassin 3.4.1 on Ubuntu Linux 16.04.4 LTS.  I have SA 
running on a server with Postfix as the MTA on the same server.

I have a question regarding the trusted_networks configuration parameter (man 
Mail::SpamAssassin::Conf).  I manually added this to a custom local.cf file and 
linted it:

/etc/spamassassin/local.custom.cf:
trusted_networks 1.2.3.4

$ spamassassin --lint --config-file=/etc/spamassassin/local.custom.cf

This displays:

Jun 15 18:31:02.893 [8327] warn: netset: cannot include 1.2.3.4/32 as it 
has already been included

This led me to believe that when SpamAssassin loads, it automatically adds the 
IP address of the host it is running on (along with localhost, which is 
mentioned in man).  As a result, I removed the trusted_networks entry and a 
subsequent lint produces no warnings or errors.

When I then ran lint and added the --debug flag:

$ spamassassin --debug --lint 
--config-file=/etc/spamassassin/local.custom.cf

…I see the following in the output:

Jun 15 18:39:23.422 [8422] dbg: config: trusted_networks are not 
configured; it is recommended that you configure trusted_networks manually

My question is:

— Should I manually set trusted_networks to have the IP address of the host it 
is running on and ignore the warning from --lint or …
— Should I not set trusted_networks and ignore the warning from --debug ?

Thanks,

- J

Re: Sa-update failed

2017-12-15 Thread Herbert J. Skuhra
On Fri, Dec 15, 2017 at 04:26:45AM -0700, @lbutlr wrote:
> FreeBSD system on 11.2-RELEASE with all packages updates as of this morning
> (including a complete recompile of SA from ports).

FreeBSD 11.1-RELEASE! You probably upgraded from 10.x and
executed 'make delete-old-libs'!? Did you install packages for 10.x?
Wrong pkg url? You have to rebuild gpg.

> # sa-update --refreshmirrors -v -D
> […]
> Shared object "libreadline.so.8" not found, required by "gpg"
> gpg: process '/usr/local/bin/gpg' finished: exit 1
> error: GPG validation failed!
> The update downloaded successfully, but the GPG signature verification
> failed.
> 
> I can manually link libreadline.so to libreadline.so.8, and run
> sa-update successfully, but I’m concerned that is going to come back
> and bite me.

Temporarily install misc/compat10x and rebuild all ports.

This is not a SA issue and should be discussed on a FreeBSD mailing
list.

-- 
Herbert


Re: getting help with SA sysadmin

2017-09-15 Thread Daniel J. Luke
On Sep 15, 2017, at 12:24 PM, David Jones  wrote:
> You kinda have to work backwards through the scripts to find what is 
> generating the scores-set0 file and turning it into 72_scores.cf.  I am 
> grep'ing through the work dir on the SA server now but it contains a lot of 
> files.  I need to find the large dirs and exclude them.

you may have already done this, but if you modify the scripts to not overwrite 
(or to save a copy of) the intermediate files, that may give a clue as to exactly 
where the problem is being introduced. i.e. runGA lines 57-59, 124-132 (for 
50_scores.cf)

another 'easy' test I would try would be to set numcpus in runGA to 1 just in 
case the problem is that somewhere there are multiple writers overwriting parts 
of the same file

-- 
Daniel J. Luke





Re: getting help with SA sysadmin

2017-09-15 Thread Daniel J. Luke
score RCVD_IN_MSPIKE_BL 0.001 0.010 0.001 0.010
-score RCVD_IN_MSPIKE_H2 0.001 -2.800 0.001 -2.800
-score RCVD_IN_MSPIKE_H3 0.001 -0.010 0.001 -0.010
-score RCVD_IN_MSPIKE_H4 0.001 -0.010 0.001 -0.010
-score RCVD_IN_MSPIKE_H5 0.001 -1.000 0.001 -1.000
-score RCVD_IN_MSPIKE_L2 0.001 0.001 0.001 0.001
-score RCVD_IN_MSPIKE_L3 0.001 0.001 0.001 0.001
-score RCVD_IN_MSPIKE_L4 0.001 0.001 0.001 0.001
-score RCVD_IN_MSPIKE_L5 0.001 0.001 0.001 0.001
-score RCVD_IN_MSPIKE_WL 0.001 -0.010 0.001 -0.010
-score RCVD_IN_MSPIKE_ZBI0.001 0.001 0.001 0.001
-score RP_MATCHES_RCVD   -1.050 -0.001 -1.050 -0.001
-score SHARE_50_50   2.121 1.818 2.121 1.818
-score SPOOFED_FREEM_REPTO   2.498 1.368 2.498 1.368
-score SPOOFED_FREEM_REPTO_CHN   1.000 1.000 1.000 1.000
-score STATIC_XPRIO_OLE  1.997 0.001 1.997 0.001
-score STOCK_LOW_CONTRAST2.030 2.347 2.030 2.347
-score STOCK_TIP 1.000 1.000 1.000 1.000
-score STYLE_GIBBERISH   2.800 3.093 2.800 3.093
-score SURBL_BLOCKED 0.001 0.001 0.001 0.001
-score SYSADMIN  1.000 1.000 1.000 1.000
-score THIS_AD   0.596 2.200 0.596 2.200
-score TO_EQ_FM_DIRECT_MX2.497 0.622 2.497 0.622
-score TO_EQ_FM_DOM_SPF_FAIL 0.001 0.001 0.001 0.001
-score TO_EQ_FM_SPF_FAIL 0.001 0.001 0.001 0.001
-score TO_IN_SUBJ0.099 0.099 0.099 0.099
-score TO_NO_BRKTS_FROM_MSSP 0.001 0.001 0.001 0.001
-score TO_NO_BRKTS_HTML_IMG  0.001 2.000 0.001 2.000
-score TO_NO_BRKTS_HTML_ONLY 1.997 0.001 1.997 0.001
-score TO_NO_BRKTS_MSFT  2.497 0.001 2.497 0.001
-score TO_NO_BRKTS_NORDNS_HTML   0.398 0.001 0.398 0.001
-score TO_NO_BRKTS_PCNT  2.497 0.001 2.497 0.001
-score TVD_SPACE_ENCODED 2.497 0.001 2.497 0.001
-score TVD_SPACE_ENC_FM_MIME 1.997 0.001 1.997 0.001
-score TVD_SPACE_RATIO_MINFP 2.497 0.001 2.497 0.001
-score TW_GIBBERISH_MANY 1.000 1.000 1.000 1.000
-score UC_GIBBERISH_OBFU 1.000 1.000 1.000 1.000
-score URI_DATA  1.000 1.000 1.000 1.000
-score URI_GOOGLE_PROXY  0.710 1.378 0.710 1.378
-score URI_ONLY_MSGID_MALF   0.001 1.191 0.001 1.191
-score URI_OPTOUT_3LD1.000 1.000 1.000 1.000
-score URI_PHISH 3.995 3.999 3.995 3.999
-score URI_TRY_3LD   0.195 0.001 0.195 0.001
-score URI_TRY_USME  0.001 0.001 0.001 0.001
-score URI_WPADMIN   3.396 3.014 3.396 3.014
-score URI_WP_DIRINDEX   1.000 1.000 1.000 1.000
-score URI_WP_HACKED 2.996 3.000 2.996 3.000
-score URI_WP_HACKED_2   1.187 1.764 1.187 1.764
-score XPRIO 2.248 2.249 2.248 2.249
-score XPRIO_SHORT_SUBJ  1.000 1.000 1.000 1.000
+score ADVANCE_FEE_3_NEW_FRM_MNY  0.001 2.296 0.001 2.296
+score ADVANCE_FEE_4_NEW_FRM_MNY  2.799 2.141 2.799 2.141
+score ADVANCE_FEE_4_NEW_MONEY3.200 2.508 3.200 2.508
+score ADVANCE_FEE_5_NEW_FRM_MNY  3.199 3.099 3.199 3.099
+score ADVANCE_FEE_5_NEW_MONEY2.976 0.558 2.976 0.558
+score AXB_X_FF_SEZ_S 3.600 3.399 3.600 3.399
+score BODY_SINGLE_URI0.001 1.607 0.001 1.607
+score BODY_SINGLE_WORD   2.602 0.001 2.602 0.001
+score COMPENSATION   0.001 0.000 0.001 0.000
+score DEAR_BENEFICIARY   0.483 1.470 0.483 1.470
+score DEAR_EMAIL 3.499 2.715 3.499 2.715
+score DX_TEXT_01 2.699 2.599 2.699 2.599
+score FROM_MISSP_DYNIP   1.536 2.399 1.536 2.399
+score FROM_MISSP_EH_MATCH1.685 1.263 1.685 1.263
+score HK_NAME_MR_MRS 4.085 2.994 4.085 2.994
+score HK_SCAM_N3 2.799 2.699 2.799 2.699
+score HTML_FONT_TINY 2.194 2.648 2.194 2.648
+score KHOP_DYNAMIC   3.030 1.997 3.030 1.997
+score LIST_PARTIAL_SHORT_MSG 2.499 2.276 2.499 2.276
+score MILLION_USD3.157 2.189 3.157 2.189
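Review bot: the '-score' lines remove entries such as URI_PHISH 3.995 and URI_WPADMIN 3.396 outright rather than rescoring them, so those rules will no longer appear in the generated 72_scores.cf and, as noted later in this thread, fall back to the 1.0 default; before the regenerated file is published, compare the set of rule names in the old and new scores-set0 output so that rules silently dropped by the scorer run are caught and their previous scores retained until the scorer is fixed.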

> You kinda have to work backwards through the scripts to find what is 
> generating the scores-set0 file and turning it into 72_scores.cf.  I am 
> grep'ing through the work dir on the SA server now but it contains a lot of 
> files.  I need to find the large dirs and exclude them.

-- 
Daniel J. Luke





Re: getting help with SA sysadmin

2017-09-15 Thread Daniel J. Luke
On Sep 15, 2017, at 9:46 AM, David Jones  wrote:
> 3. I have narrowed down the problem to the general area of a perl Makefile 
> which builds a custom garescorer.c file which does some statistical analysis 
> to determine the best score for rules in the 72_scores.cf.  These 
> 72_scores.cf are excluded from 50_scores.cf (static scores) and are currently 
> incomplete making these rules default to 1.0.  Most of these missing rules 
> should be much higher than 1.0 causing SA to allow spam through on most 
> installations that don't have an optimized MTA in front of SA.
> 
> https://wiki.apache.org/spamassassin/InfraNotes2017#mkupdates
> 
> ~/svn/trunk/build/mkupdates/mkupdate-with-scores
> 
> masses -> perl Makefile.PL && make (complete build of SA and test)
> - perl hit-frequencies
> - garescorer - compiles and runs it, requires build/pga   
><--- THE PROBLEM IS NEAR HERE

where are hit-frequencies and garescorer?

> I think the problem is somewhere behind line 127 and 128 which does many 
> things/steps:

line 127 and 128 of mkupdate-withscores? (that just looks like it's building a 
version of SpamAssassin from trunk svn? maybe you are referring to something 
else?)

-- 
Daniel J. Luke





Re: DNS again

2016-06-03 Thread Daniel J. Luke
On Jun 3, 2016, at 12:51 PM, Daniel J. Luke  wrote:
>> if the first hop in dns is 127.0.0.1 it works
> 
> that's not how +trace works

oh, nevermind - you are right. It will query for the root servers from your 
configured resolvers.

-- 
Daniel J. Luke





Re: DNS again

2016-06-03 Thread Daniel J. Luke
On Jun 3, 2016, at 12:30 PM, Benny Pedersen  wrote:
> dig +trace ipv4.google.com
> 
> if the first hop in dns is 127.0.0.1 it works

that's not how +trace works

from the manpage:

   When tracing is enabled, dig makes iterative queries to resolve
   the name being looked up. It will follow referrals from the root
   servers, showing the answer from each server that was used to
   resolve the lookup.

   If @server is also specified, it affects only the initial query
   for the root zone name servers.

> make sure /etc/resolv.conf only have one single line with nameserver 
> 127.0.0.1 nothing more nothing less

good advice.

> drop unbound if it can't make it right, replace it with bind9

either works fine if configured correctly (and not so well if configured 
incorrectly).

-- 
Daniel J. Luke





Re: understanding HELO_DYNAMIC_IPADDR

2016-05-13 Thread Daniel J. Luke
On May 13, 2016, at 4:24 PM, David Jones  wrote:
> This is a very simple concept and yet most mail admins don't know it or 
> follow it.

indeed.

I haven't measured in a while, but the equivalent of postfix's 
'reject_unknown_client_hostname' was the single most-effective anti-spam 
measure I ever took (I had to stop using it to outright reject mail because of 
too many false positives, though).

-- 
Daniel J. Luke



Re: understanding HELO_DYNAMIC_IPADDR

2016-05-13 Thread Daniel J. Luke
On May 13, 2016, at 2:26 PM, Kim Roar Foldøy Hauge  wrote:
> This is NOT a practical solution. You can't expect administrators to know 
> about this problem, some styles of hostnames not playing well with SA.

Note that this isn't just a 'spamassassin' issue. You will likely experience 
delivery problems to many hosts as long as your dns or rdns 'looks like' a 
dynamic system.

While you are at it, make sure your forward and reverse dns match.

-- 
Daniel J. Luke



Re: spamd running much slower than spamassassin?

2016-03-31 Thread Daniel J. Luke
On Mar 29, 2016, at 10:41 AM, Daniel J. Luke  wrote:
> On Mar 28, 2016, at 8:57 PM, Bill Cole 
>  wrote:
>> On 28 Mar 2016, at 14:42, Daniel J. Luke wrote:
>>> On Mar 24, 2016, at 12:10 PM, Daniel J. Luke  wrote:
>>>> /usr/bin/time spamassassin < spam.msg
>>>>  7.92 real 1.85 user 0.13 sys
>>>> 
>>>> /usr/bin/time spamc -U /var/run/spamd.sock < spam.msg
>>>>   126.44 real 0.00 user 0.00 sys
>>> 
>>> well, it looks like it's DNS related, somehow.
>> 
>> The 2 minute pause had me thinking that, but nothing jumped out as a 
>> specific explanation and nothing yet does...
>> 
>>> I'm still confused as to why 'spamassassin' doesn't have a problem but 
>>> 'spamd' does. I'm running SA 3.4.1 with perl5.22.1. I've tried both 
>>> downgrading Net::DNS to 0.83 and upgrading it to 1.05_2
>>> 
>>> Any thoughts would be appreciated.
>> 
>> You haven't mentioned your platform, that I've seen, but it may be relevant, 
>> e.g. historically FreeBSD jails can't do real loopback (not sure on 10.2...) 
>> EL6/7 derivatives have SELinux on by default, etc...
>> 
>> So: more clues please?
> 
> Sorry, this is a Mac OS X 10.11.4 system, perl5.22.1 is self-built 
> (perlbrew). I'm not sure exactly when this started, I noticed it after I 
> upgraded to 10.11.4 from 10.11.3, but it may have been happening before. What 
> else would be helpful to know? 

OK, I figured this out (using fs_usage -f network): I traced this down to 
spamd waiting on mDNSResponder. Turning up mDNSResponder logging gave me the 
answer that it was 'unhappy' with ::1 as a resolver address for some reason.

Setting this up so only '127.0.0.1' is used instead makes spamd work like 
normal again.

I /think/ this is a regression in 10.11.4, but as I said before, I'm not entirely 
sure (I only noticed things were slow after the upgrade, they could have been 
slow for a little while before).

-- 
Daniel J. Luke





Re: spamd running much slower than spamassassin?

2016-03-29 Thread Daniel J. Luke
On Mar 28, 2016, at 8:57 PM, Bill Cole 
 wrote:
> On 28 Mar 2016, at 14:42, Daniel J. Luke wrote:
>> On Mar 24, 2016, at 12:10 PM, Daniel J. Luke  wrote:
>>> /usr/bin/time spamassassin < spam.msg
>>>   7.92 real 1.85 user 0.13 sys
>>> 
>>> /usr/bin/time spamc -U /var/run/spamd.sock < spam.msg
>>>126.44 real 0.00 user 0.00 sys
>> 
>> well, it looks like it's DNS related, somehow.
> 
> The 2 minute pause had me thinking that, but nothing jumped out as a specific 
> explanation and nothing yet does...
> 
>> I'm still confused as to why 'spamassassin' doesn't have a problem but 
>> 'spamd' does. I'm running SA 3.4.1 with perl5.22.1. I've tried both 
>> downgrading Net::DNS to 0.83 and upgrading it to 1.05_2
>> 
>> Any thoughts would be appreciated.
> 
> You haven't mentioned your platform, that I've seen, but it may be relevant, 
> e.g. historically FreeBSD jails can't do real loopback (not sure on 10.2...) 
> EL6/7 derivatives have SELinux on by default, etc...
> 
> So: more clues please?

Sorry, this is a Mac OS X 10.11.4 system, perl5.22.1 is self-built (perlbrew). 
I'm not sure exactly when this started, I noticed it after I upgraded to 
10.11.4 from 10.11.3, but it may have been happening before. What else would be 
helpful to know? 

-- 
Daniel J. Luke





Re: spamd running much slower than spamassassin?

2016-03-28 Thread Daniel J. Luke
On Mar 24, 2016, at 12:10 PM, Daniel J. Luke  wrote:
> /usr/bin/time spamassassin < spam.msg 
>7.92 real 1.85 user 0.13 sys
> 
> /usr/bin/time spamc -U /var/run/spamd.sock < spam.msg
> 126.44 real 0.00 user 0.00 sys

well, it looks like it's DNS related, somehow. The first (and longest) pause is 
between these two log messages (spamd -D):
Mar 28 13:53:47 lintilla spamd[1532]: dns: LocalAddr: [0.0.0.0]:48704, name 
server: [127.0.0.1]:53, module IO::Socket::IP
Mar 28 13:54:48 lintilla spamd[1532]: dns: resolver socket rx buffer size is 
196724 bytes, local port 48704

The second pause is during the adsp lookup. 

On the box, I'm running unbound (listening on 127.0.0.1 and ::1). It's the only 
nameserver available in /etc/resolv.conf and I've tried both with and without 
setting dns_server in my local.cf

I'm still confused as to why 'spamassassin' doesn't have a problem but 'spamd' 
does. I'm running SA 3.4.1 with perl5.22.1. I've tried both downgrading 
Net::DNS to 0.83 and upgrading it to 1.05_2

Any thoughts would be appreciated.
-- 
Daniel J. Luke





spamd running much slower than spamassassin?

2016-03-24 Thread Daniel J. Luke
I recently noticed that spamd was running /much/ slower than usual. 

With a test message:

/usr/bin/time spamassassin < spam.msg 
7.92 real 1.85 user 0.13 sys

/usr/bin/time spamc -U /var/run/spamd.sock < spam.msg
 126.44 real 0.00 user 0.00 sys


spamassassin -D timing < spam.msg
Mar 24 12:02:54.767 [79829] dbg: timing: total 7030 ms - init: 1003 (14.3%), 
b_tie_ro: 10 (0.1%), parse: 2.3 (0.0%), extract_message_metadata: 59 (0.8%), 
get_uri_detail_list: 7 (0.1%), tests_pri_-1000: 39 (0.5%), compile_gen: 111 
(1.6%), compile_eval: 25 (0.4%), tests_pri_-950: 2.2 (0.0%), tests_pri_-900: 
2.8 (0.0%), tests_pri_-400: 80 (1.1%), check_bayes: 76 (1.1%), b_tokenize: 13 
(0.2%), b_tok_get_all: 12 (0.2%), b_comp_prob: 2.3 (0.0%), b_tok_touch_all: 47 
(0.7%), b_finish: 1.00 (0.0%), tests_pri_0: 5770 (82.1%), check_spf: 49 (0.7%), 
poll_dns_idle: 0.03 (0.0%), dkim_load_modules: 20 (0.3%), check_dkim_signature: 
1.30 (0.0%), check_dkim_adsp: 3.5 (0.1%), check_dcc: 150 (2.1%), check_razor2: 
5012 (71.3%), check_pyzor: 271 (3.9%), tests_pri_500: 50 (0.7%), 
tests_pri_1000: 14 (0.2%), total_txrep: 11 (0.2%), check_txrep_msg_id: 2.2 
(0.0%), update_txrep_msg_id: 0.02 (0.0%)

spamd running with -D timing - spamc -U /var/run/spamd.sock < spam.msg
Mar 24 12:06:17 lintilla spamd[79885]: timing: total 130906 ms - 
read_scoreonly_config: 444 (0.3%), signal_user_changed: 12 (0.0%), b_tie_ro: 9 
(0.0%), parse: 3.0 (0.0%), extract_message_metadata: 60281 (46.0%), 
get_uri_detail_list: 5.0 (0.0%), tests_pri_-1000: 38 (0.0%), compile_gen: 28 
(0.0%), compile_eval: 27 (0.0%), tests_pri_-950: 1.32 (0.0%), tests_pri_-900: 
1.73 (0.0%), tests_pri_-400: 90 (0.1%), check_bayes: 79 (0.1%), b_tokenize: 13 
(0.0%), b_tok_get_all: 12 (0.0%), b_comp_prob: 2.6 (0.0%), b_tok_touch_all: 49 
(0.0%), b_finish: 1.04 (0.0%), tests_pri_0: 69951 (53.4%), 
check_dkim_signature: 1.71 (0.0%), check_dkim_adsp: 60184 (46.0%), check_spf: 
240 (0.2%), poll_dns_idle: 215 (0.2%), check_dcc: 4325 (3.3%), check_razor2: 
5004 (3.8%), check_pyzor: 0.25 (0.0%), tests_pri_500: 6 (0.0%), tests_pri_1000: 
12 (0.0%), total_txrep: 10 (0.0%), check_txrep_msg_id: 2.3 (0.0%), 
update_txrep_msg_id: 0.02 (0.0%), rewrite_mail: 1.12 (0.0%), copy_config: 41 
(0.0%)

So, I guess extract_message_metadata and check_dkim_adsp are causing the 
problem when running under spamd - but I'm not sure why that would be / where I 
should look next to troubleshoot and fix.
-- 
Daniel J. Luke





Re: DNS lookups - bug with recursive lookups, or shoddy bind config?

2016-01-04 Thread Chris J

On 04/01/2016 20:48, Joe Quinn wrote:

By the way, have you considered subscribing to the dev@ list and
contributing to SA? You ran through this issue pretty much perfectly,
other than the bad luck with our Bugzilla's results on Google.


Time is my main issue (that and being rather rusty with perl) :-) 
Although looking at the archives, it's fairly low traffic so yes, I'll 
throw a subscription in and see how it goes.


Cheers,

Chris



Re: DNS lookups - bug with recursive lookups, or shoddy bind config?

2016-01-04 Thread Chris J

On 04/01/2016 20:39, Quanah Gibson-Mount wrote:


If you're using Net::DNS 1.01 or later, you must patch SA.  There is an
entire thread dedicated to this issue.





7265 is only required for 1.03 (not necessary for 1.01, 1.02, or 1.04).



Magic - thanks. Google wouldn't spit out that Bugzilla issue - only 
found old threads about DNSBL not working, and couldn't see anything on 
the SA wiki about it.


http://wiki.apache.org/spamassassin/DnsBlocklists only makes reference 
to "make sure Net::DNS is installed".


Thanks for the pointer to the right bug :-)

Cheers,

Chris



DNS lookups - bug with recursive lookups, or shoddy bind config?

2016-01-04 Thread Chris J
Before I raise this on Bugzilla, I just want to run this past people as 
I'm quite happy that I've failed to configure something, but can't see what.


In short, RBL blacklists haven't been working and I've finally, with 
tcpdump, traced it to SpamAssassin not requesting recursive queries.


The setup is:
Linux - Debian Jessie 8.2
Bind - 9.9.5-9+deb8u3-Debian
SpamAssassin - installed from CPAN, 3.4.1
Perl - 5.20.2
Net::DNS - 1.01

Bind running locally, /etc/resolv.conf pointing to 127.0.0.1.

When running spamassassin -D dns < spam.test > /dev/null, all the DNS 
blacklist queries return 0 results, taking an extract:


Jan  4 20:13:11.853 [21025] dbg: dns: attempt 1/1, trying connect/sendto 
to [127.0.0.1]:53
Jan  4 20:13:11.854 [21025] dbg: dns: providing a callback for id: 
60328/IN/A/123.119.167.104.DnSBl.iNpS.DE

[...]
Jan  4 20:13:11.914 [21025] dbg: dns: dns reply 60328 is OK, 0 answer 
records


However, that entry does have a record:
$ host 123.119.167.104.DnSBl.iNpS.DE
123.119.167.104.dnsbl.inps.de has address 127.0.0.2
$

Looking at tcpdump, it shows me this from SpamAssassin:

20:17:28.932550 IP localhost.20171 > localhost.domain: 51533 [1au] A? 
123.119.167.104.dNsbL.InPS.de. (58)

20:17:28.932622 IP localhost.domain > localhost.20171: 51533 0/2/3 (150)

But with host, I get:

20:18:16.828275 IP localhost.56176 > localhost.domain: 16674+ A? 
123.119.167.104.DnSBl.iNpS.DE. (47)
20:18:16.845783 IP localhost.domain > localhost.56176: 16674 1/2/2 A 
127.0.0.2 (179)


I've done some poking, and the '+' after the query number marks it as 
recursive. I can confirm this with "dig +norecurse".


Looking through the code, and looking at things from Google, it appears 
Net::DNS should be doing recursive queries by default, but the code 
that's doing the query is Net::DNS::Packet. I've made a change to 
DnsResolver.pm (line 578) as below, and now SpamAssassin is doing 
recursive queries, and my DNS blacklists work:


$domain =~ s{ ( [\000-\037\177-\377\\] ) }
            { $1 eq '\\' ? "\\$1" : sprintf("\\%03d",ord($1)) }xgse;

$packet = Net::DNS::Packet->new($domain, $type, $class);
#CEJ: set RD bit to force recursion
$packet->header->rd(1);

With this, the DNS debug log now says:

Jan  4 20:24:14.250 [21122] dbg: dns: providing a callback for id: 
53008/IN/A/123.119.167.104.dNSBl.iNps.dE
Jan  4 20:24:14.309 [21122] dbg: dns: dns reply 53008 is OK, 1 answer 
records
Jan  4 20:24:14.309 [21122] dbg: dns: hit 
 127.0.0.2


Now I'm doubtful I've found a bug as I'm sure I'd see more problems 
having spent a while searching interwebs. It could be my Bind config? 
But the SA wiki just says the default config of Bind from the Debian 
releases should be good 
(https://wiki.apache.org/spamassassin/CachingNameserver ).


Let me know if any more information (config files, etc.) is needed and I 
can supply it.


Regards,

Chris
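As an added example (not code from the post or from SpamAssassin), the following Python builds the two queries seen in the tcpdump captures above and inspects the header flags, so the difference between a query with and without the RD bit can be checked on any captured packet. The packet layout follows RFC 1035; the transaction ids and mixed-case names are copied from the captures, and the 4096-byte EDNS0 payload size is an assumption (the capture only shows that one additional record was present).

```python
"""Inspect DNS query headers: does the query ask the resolver to recurse?"""
import struct

# Header flag bits, RFC 1035 section 4.1.1
FLAG_QR = 1 << 15   # 0 = query, 1 = response
FLAG_RD = 1 << 8    # recursion desired; tcpdump prints '+' after the id when set
FLAG_RA = 1 << 7    # recursion available, set by the server in its reply
TYPE_A, TYPE_OPT = 1, 41
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (letter case is preserved on the wire)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(pkt, off):
    """Decode an uncompressed name at pkt[off:]; return (name, offset after it)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(qname, txid, rd=True, edns_udpsize=None, qtype=TYPE_A):
    """Build a one-question query. rd=False reproduces the unpatched SA
    behaviour in the post; edns_udpsize adds the EDNS0 OPT record that makes
    tcpdump print '[1au]' (one additional record)."""
    flags = FLAG_RD if rd else 0
    arcount = 1 if edns_udpsize else 0
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udpsize:
        # OPT RR: root name, type 41, class field = UDP payload size, TTL 0, no rdata
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udpsize, 0, 0)
    return pkt


def parse_header(pkt):
    """Return the 12-byte header as a dict; raises on a truncated packet."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def recursion_requested(pkt):
    """True when the RD bit is set, i.e. the client asked the resolver to recurse."""
    return parse_header(pkt)["rd"]


def describe_query(pkt):
    """tcpdump-style summary: '<id>[+] [<n>au] <type>? <name>. (<length>)'."""
    h = parse_header(pkt)
    if h["qr"] or h["qdcount"] != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    tname = {TYPE_A: "A"}.get(qtype, "TYPE%d" % qtype)
    parts = ["%d%s" % (h["id"], "+" if h["rd"] else "")]
    if h["arcount"]:
        parts.append("[%dau]" % h["arcount"])
    parts.append("%s? %s. (%d)" % (tname, qname, len(pkt)))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed to match the two captures in the post: SpamAssassin's query
    # (no RD bit, one EDNS0 record) and host's query (RD bit set, no EDNS0).
    sa_like = build_query("123.119.167.104.dNsbL.InPS.de", txid=51533,
                          rd=False, edns_udpsize=4096)
    host_like = build_query("123.119.167.104.DnSBl.iNpS.DE", txid=16674)
    for pkt in (sa_like, host_like):
        print(describe_query(pkt), "recursion requested:", recursion_requested(pkt))
```

Both summaries come out byte-for-byte the same length as the captures (58 and 47 bytes), which is a quick way to confirm that the only difference between the two queries is the RD flag and the EDNS0 record.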


Re: Bayer Filter Not Working

2014-07-05 Thread Herbert J. Skuhra
On Sat, 5 Jul 2014 09:11:13 -0700 (PDT)
John Hardin wrote:
> 
> This appears to be a bit of odd coding in the Bayes DBM module. It's
> passing a message to logger with unused arguments.
> 
> I haven't done a deep analysis, but you might try this patch:
> 
> Index: lib/Mail/SpamAssassin/BayesStore/DBM.pm
> ===
> --- lib/Mail/SpamAssassin/BayesStore/DBM.pm   (revision 1607964)
> +++ lib/Mail/SpamAssassin/BayesStore/DBM.pm   (working copy)
> @@ -812,7 +812,7 @@
>return 0 if ($conf->{bayes_journal_max_size} == 0);
> 
>my @vars = $self->get_storage_variables();
> -  dbg("bayes: DB journal sync: last sync: ".$vars[7],'bayes','-1');
> +  dbg("bayes: DB journal sync: last sync: ".$vars[7]);
> 
>## Ok, should we do a sync?
> 
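Review bot: dropping the trailing 'bayes','-1' arguments from the dbg() call is the minimal change that fits the symptom quoted earlier in the thread (a taint error raised inside sprintf at Logger.pm line 241): the extra arguments make the logger format the message through sprintf, and the message already has $vars[7], read straight from the Bayes DB, concatenated in, so under -T it is a tainted format string. If that is the mechanism, the more robust fix would be to untaint $vars[7] (for example by matching it against /^\d+$/ and using the capture) before building the message; otherwise any other log call that pastes a DB value into its message and passes stray arguments will trip the same check.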
> 
> Of course, this might just relocate where in logger the taint error
> occurs.
> 
> The ultimate cause might be the stringpaste of $vars[7], which has
> been retrieved unchanged from the Bayes database and thus might be
> considered tainted (assuming it's treated as a string and not as a
> number).

With this patch the error is gone.

Thanks.

--
Herbert


Re: Bayer Filter Not Working

2014-07-05 Thread Herbert J. Skuhra
On Sat, 05 Jul 2014 16:02:29 +0200
Mark Martinec wrote:

> On 2014-07-05 14:18, Herbert J. Skuhra wrote:
> 
> >>>>> Jun 24 13:47:53.167 [3245] warn: plugin: eval failed: Insecure
> >>>>> dependency in sprintf while running with -T switch at
> >>>>> /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Logger.pm line 241.
> >>>>> Jun 24 13:47:53.168 [3245] dbg: config: score set 0 chosen.
> >>>>> 
> >>>>> That seems to be the last time Bayes is referenced in a spamassassin
> >>>>> -D --lint
> 
> > So, I can only reproduce this issue on FreeBSD (and not on Fedora
> > 20, Arch Linux) because only FreeBSD runs spamassassin in taint mode.
> > 
> > Is this a bug in Logger.pm? Or simply switch off taint mode? Any comments?
> 
> The bug is not in the logger, but is a routine that calls it.
> 
> Which Bayes database backend are you using? The bug must be specific
> to that one.

I was using DBM and I cannot reproduce this issue with BDB and SDBM.

> >> I could resolve this issue by setting $sa_debug from 1-> 0 in
> >> amavisd.conf.
> >> This is obviously a workaround and not a proper fix.
> 
> For the time being please stick to that workaround until the
> problem is investigated.
> 
> > Or simply switch off taint mode?
> 
> Please don't, that would not be a right thing to do.
> 
> Looks like the kind of a thing appropriate to open a
> problem report in the SpamAssassin's bugzilla.

I can do later.

Someone else already reported this issue on this list back in February
(Subject: -D turns off Bayes in in 3.4.0?).

Thanks.

--
Herbert


Re: Bayer Filter Not Working

2014-07-05 Thread Herbert J. Skuhra
On Thu, 03 Jul 2014 12:05:34 +0200
Herbert J. Skuhra wrote:

> Den 01.07.2014 23:05, skrev Herbert J. Skuhra:
> > On Tue, 01 Jul 2014 09:37:17 +0200
> > Herbert J. Skuhra wrote:
> > 
> >> Den 25.06.2014 00:42, skrev Bruce Sackett:
> >> > I apologize, I’m sure it’s been covered, but I have not been
> >> > successful finding results in searches on the web or through the
> >> > history of the list.  I get no BAYES results in the headers, so I
> >> > don’t see any working.  The part that gets me is below:
> >> >
> >> > Jun 24 13:47:53.165 [3245] dbg: bayes: tie-ing to DB file R/O
> >> > /var/lib/amavis/.spamassassin/bayes_toks
> >> > Jun 24 13:47:53.166 [3245] dbg: bayes: tie-ing to DB file R/O
> >> > /var/lib/amavis/.spamassassin/bayes_seen
> >> > Jun 24 13:47:53.167 [3245] dbg: bayes: found bayes db version 3
> >> > Jun 24 13:47:53.167 [3245] warn: plugin: eval failed: Insecure
> >> > dependency in sprintf while running with -T switch at
> >> > /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Logger.pm line 241.
> >> > Jun 24 13:47:53.168 [3245] dbg: config: score set 0 chosen.
> >> >
> >> > That seems to be the last time Bayes is referenced in a spamassassin
> >> > -D --lint
> >> >
> >> > Has anyone else run into this?  I am using an Ubuntu 12.04 server, if
> >> > that makes any difference.
> >> 
> >> I have the same problem on FreeBSD:
> >> 
> >> Jul  1 05:33:51.765 [43144] dbg: bayes: learner_new
> >> self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x805b09f78),
> >> bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
> >> Jul  1 05:33:51.778 [43144] dbg: bayes: learner_new: got
> >> store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x806108798)
> >> Jul  1 05:33:51.779 [43144] dbg: bayes: tie-ing to DB file R/O
> >> /var/amavis/.spamassassin/bayes_toks
> >> Jul  1 05:33:51.779 [43144] dbg: bayes: tie-ing to DB file R/O
> >> /var/amavis/.spamassassin/bayes_seen
> >> Jul  1 05:33:51.779 [43144] dbg: bayes: found bayes db version 3
> >> Jul  1 05:33:51.779 [43144] warn: plugin: eval failed: Insecure
> >> dependency in sprintf while running with -T switch at
> >> /usr/local/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Logger.pm line
> >> 241.
> >> Jul  1 05:33:51.799 [43144] warn: plugin: eval failed: Insecure
> >> dependency in sprintf while running with -T switch at
> >> /usr/local/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Logger.pm line
> >> 241.
> >> 
> >> Running 'sa-learn --force-expire' seems to resolve the issue
> >> temporarily.
> >> 
> >> Jul  1 09:35:06.084 [49647] dbg: bayes: learner_new
> >> self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x805b09f78),
> >> bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
> >> Jul  1 09:35:06.097 [49647] dbg: bayes: learner_new: got
> >> store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x806108798)
> >> Jul  1 09:35:06.098 [49647] dbg: bayes: tie-ing to DB file R/O
> >> /var/amavis/.spamassassin/bayes_toks
> >> Jul  1 09:35:06.098 [49647] dbg: bayes: tie-ing to DB file R/O
> >> /var/amavis/.spamassassin/bayes_seen
> >> Jul  1 09:35:06.098 [49647] dbg: bayes: found bayes db version 3
> >> Jul  1 09:35:06.099 [49647] dbg: bayes: DB journal sync: last sync: 0
> >> Jul  1 09:35:06.570 [49647] dbg: bayes: DB journal sync: last sync: 0
> >> Jul  1 09:35:06.570 [49647] dbg: bayes: corpus size: nspam = 120857,
> >> nham = 664988
> >> 
> >> After a while the error returns. Do I have to wipe my bayes DB?
> > 
> > I wiped my bayes DB and learned more than 200 spam and ham messages
> > each.
> > While nham and nspam were below 200 messages the error was gone. But now it
> > is back.
> > 
> > % spamassassin -t < OvwTlDIfJxAe
> >  [...]
> >  3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
> > [score: 1.]
> >  [...]  
> >  0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to
> > 100%
> > [score: 1.]
> >  [...]
> > 
> > Running the same command with the "-D" switch the error appears and I
> > don't see the BAYES score. There is also no BAYES score in the amavisd
> > log. :-(
> 
> I could resolve this issue by setting $sa_debug from 1-> 0 in
> amavisd.conf.
> This is obviously a workaround and not a proper fix.

So, I can only reproduce this issue on FreeBSD (and not on Fedora
20, Arch Linux) because only FreeBSD runs spamassassin in taint mode.

Is this a bug in Logger.pm? Or simply switch off taint mode? Any comments?

--
Herbert


Re: Bayer Filter Not Working

2014-07-03 Thread Herbert J. Skuhra

Den 01.07.2014 23:05, skrev Herbert J. Skuhra:

On Tue, 01 Jul 2014 09:37:17 +0200
Herbert J. Skuhra wrote:


Den 25.06.2014 00:42, skrev Bruce Sackett:
> I apologize, I’m sure it’s been covered, but I have not been
> successful finding results in searches on the web or through the
> history of the list.  I get no BAYES results in the headers, so I
> don’t see any working.  The part that gets me is below:
>
> Jun 24 13:47:53.165 [3245] dbg: bayes: tie-ing to DB file R/O
> /var/lib/amavis/.spamassassin/bayes_toks
> Jun 24 13:47:53.166 [3245] dbg: bayes: tie-ing to DB file R/O
> /var/lib/amavis/.spamassassin/bayes_seen
> Jun 24 13:47:53.167 [3245] dbg: bayes: found bayes db version 3
> Jun 24 13:47:53.167 [3245] warn: plugin: eval failed: Insecure
> dependency in sprintf while running with -T switch at
> /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Logger.pm line 241.
> Jun 24 13:47:53.168 [3245] dbg: config: score set 0 chosen.
>
> That seems to be the last time Bayes is referenced in a spamassassin
> -D --lint
>
> Has anyone else run into this?  I am using an Ubuntu 12.04 server, if
> that makes any difference.

I have the same problem on FreeBSD:

Jul  1 05:33:51.765 [43144] dbg: bayes: learner_new
self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x805b09f78),
bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
Jul  1 05:33:51.778 [43144] dbg: bayes: learner_new: got
store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x806108798)
Jul  1 05:33:51.779 [43144] dbg: bayes: tie-ing to DB file R/O
/var/amavis/.spamassassin/bayes_toks
Jul  1 05:33:51.779 [43144] dbg: bayes: tie-ing to DB file R/O
/var/amavis/.spamassassin/bayes_seen
Jul  1 05:33:51.779 [43144] dbg: bayes: found bayes db version 3
Jul  1 05:33:51.779 [43144] warn: plugin: eval failed: Insecure
dependency in sprintf while running with -T switch at
/usr/local/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Logger.pm line
241.
Jul  1 05:33:51.799 [43144] warn: plugin: eval failed: Insecure
dependency in sprintf while running with -T switch at
/usr/local/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Logger.pm line
241.

Running 'sa-learn --force-expire' seems to resolve the issue 
temporarily.


Jul  1 09:35:06.084 [49647] dbg: bayes: learner_new
self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x805b09f78),
bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
Jul  1 09:35:06.097 [49647] dbg: bayes: learner_new: got
store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x806108798)
Jul  1 09:35:06.098 [49647] dbg: bayes: tie-ing to DB file R/O
/var/amavis/.spamassassin/bayes_toks
Jul  1 09:35:06.098 [49647] dbg: bayes: tie-ing to DB file R/O
/var/amavis/.spamassassin/bayes_seen
Jul  1 09:35:06.098 [49647] dbg: bayes: found bayes db version 3
Jul  1 09:35:06.099 [49647] dbg: bayes: DB journal sync: last sync: 0
Jul  1 09:35:06.570 [49647] dbg: bayes: DB journal sync: last sync: 0
Jul  1 09:35:06.570 [49647] dbg: bayes: corpus size: nspam = 120857,
nham = 664988

After a while the error returns. Do I have to wipe my bayes DB?


I wiped my bayes DB and learned more than 200 spam and ham messages 
each.

While nham and nspam were below 200 messages the error was gone. But now it
is back.

% spamassassin -t < OvwTlDIfJxAe
 [...]
 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
[score: 1.]
 [...]  
 0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to 
100%

[score: 1.]
 [...]

Running the same command with the "-D" switch the error appears and I
don't see the BAYES score. There is also no BAYES score in the amavisd
log. :-(


I could resolve this issue by setting $sa_debug from 1-> 0 in 
amavisd.conf.

This is obviously a workaround and not a proper fix.

--
Herbert


Re: Bayer Filter Not Working

2014-07-01 Thread Herbert J. Skuhra
On Tue, 01 Jul 2014 09:37:17 +0200
Herbert J. Skuhra wrote:

> Den 25.06.2014 00:42, skrev Bruce Sackett:
> > I apologize, I’m sure it’s been covered, but I have not been
> > successful finding results in searches on the web or through the
> > history of the list.  I get no BAYES results in the headers, so I
> > don’t see any working.  The part that gets me is below:
> > 
> > Jun 24 13:47:53.165 [3245] dbg: bayes: tie-ing to DB file R/O
> > /var/lib/amavis/.spamassassin/bayes_toks
> > Jun 24 13:47:53.166 [3245] dbg: bayes: tie-ing to DB file R/O
> > /var/lib/amavis/.spamassassin/bayes_seen
> > Jun 24 13:47:53.167 [3245] dbg: bayes: found bayes db version 3
> > Jun 24 13:47:53.167 [3245] warn: plugin: eval failed: Insecure
> > dependency in sprintf while running with -T switch at
> > /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Logger.pm line 241.
> > Jun 24 13:47:53.168 [3245] dbg: config: score set 0 chosen.
> > 
> > That seems to be the last time Bayes is referenced in a spamassassin
> > -D --lint
> > 
> > Has anyone else run into this?  I am using an Ubuntu 12.04 server, if
> > that makes any difference.
> 
> I have the same problem on FreeBSD:
> 
> Jul  1 05:33:51.765 [43144] dbg: bayes: learner_new
> self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x805b09f78),
> bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
> Jul  1 05:33:51.778 [43144] dbg: bayes: learner_new: got
> store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x806108798)
> Jul  1 05:33:51.779 [43144] dbg: bayes: tie-ing to DB file R/O
> /var/amavis/.spamassassin/bayes_toks
> Jul  1 05:33:51.779 [43144] dbg: bayes: tie-ing to DB file R/O
> /var/amavis/.spamassassin/bayes_seen
> Jul  1 05:33:51.779 [43144] dbg: bayes: found bayes db version 3
> Jul  1 05:33:51.779 [43144] warn: plugin: eval failed: Insecure
> dependency in sprintf while running with -T switch at
> /usr/local/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Logger.pm line
> 241.
> Jul  1 05:33:51.799 [43144] warn: plugin: eval failed: Insecure
> dependency in sprintf while running with -T switch at
> /usr/local/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Logger.pm line
> 241.
> 
> Running 'sa-learn --force-expire' seems to resolve the issue temporarily.
> 
> Jul  1 09:35:06.084 [49647] dbg: bayes: learner_new
> self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x805b09f78),
> bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
> Jul  1 09:35:06.097 [49647] dbg: bayes: learner_new: got
> store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x806108798)
> Jul  1 09:35:06.098 [49647] dbg: bayes: tie-ing to DB file R/O
> /var/amavis/.spamassassin/bayes_toks
> Jul  1 09:35:06.098 [49647] dbg: bayes: tie-ing to DB file R/O
> /var/amavis/.spamassassin/bayes_seen
> Jul  1 09:35:06.098 [49647] dbg: bayes: found bayes db version 3
> Jul  1 09:35:06.099 [49647] dbg: bayes: DB journal sync: last sync: 0
> Jul  1 09:35:06.570 [49647] dbg: bayes: DB journal sync: last sync: 0
> Jul  1 09:35:06.570 [49647] dbg: bayes: corpus size: nspam = 120857,
> nham = 664988
> 
> After a while the error returns. Do I have to wipe my bayes DB?

I wiped my bayes DB and learned more than 200 spam and ham messages each.
While nham and nspam were below 200 messages the error was gone. But now it
is back.

% spamassassin -t < OvwTlDIfJxAe
 [...]
 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
[score: 1.]
 [...]  
 0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
[score: 1.]
 [...]

Running the same command with the "-D" switch the error appears and I
don't see the BAYES score. There is also no BAYES score in the amavisd
log. :-(

Any ideas?

Thanks.

--
Herbert


Re: Bayer Filter Not Working

2014-07-01 Thread Herbert J. Skuhra

Den 25.06.2014 00:42, skrev Bruce Sackett:

I apologize, I’m sure it’s been covered, but I have not been
successful finding results in searches on the web or through the
history of the list.  I get no BAYES results in the headers, so I
don’t see any working.  The part that gets me is below:

Jun 24 13:47:53.165 [3245] dbg: bayes: tie-ing to DB file R/O
/var/lib/amavis/.spamassassin/bayes_toks
Jun 24 13:47:53.166 [3245] dbg: bayes: tie-ing to DB file R/O
/var/lib/amavis/.spamassassin/bayes_seen
Jun 24 13:47:53.167 [3245] dbg: bayes: found bayes db version 3
Jun 24 13:47:53.167 [3245] warn: plugin: eval failed: Insecure
dependency in sprintf while running with -T switch at
/usr/local/share/perl/5.14.2/Mail/SpamAssassin/Logger.pm line 241.
Jun 24 13:47:53.168 [3245] dbg: config: score set 0 chosen.

That seems to be the last time Bayes is referenced in a spamassassin -D 
--lint


Has anyone else run into this?  I am using an Ubuntu 12.04 server, if
that makes any difference.


I have the same problem on FreeBSD:

Jul  1 05:33:51.765 [43144] dbg: bayes: learner_new 
self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x805b09f78), 
bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
Jul  1 05:33:51.778 [43144] dbg: bayes: learner_new: got 
store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x806108798)
Jul  1 05:33:51.779 [43144] dbg: bayes: tie-ing to DB file R/O 
/var/amavis/.spamassassin/bayes_toks
Jul  1 05:33:51.779 [43144] dbg: bayes: tie-ing to DB file R/O 
/var/amavis/.spamassassin/bayes_seen

Jul  1 05:33:51.779 [43144] dbg: bayes: found bayes db version 3
Jul  1 05:33:51.779 [43144] warn: plugin: eval failed: Insecure 
dependency in sprintf while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Logger.pm line 
241.
Jul  1 05:33:51.799 [43144] warn: plugin: eval failed: Insecure 
dependency in sprintf while running with -T switch at 
/usr/local/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Logger.pm line 
241.


Running 'sa-learn --force-expire' seems to resolve the issue temporarily.

Jul  1 09:35:06.084 [49647] dbg: bayes: learner_new 
self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x805b09f78), 
bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
Jul  1 09:35:06.097 [49647] dbg: bayes: learner_new: got 
store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x806108798)
Jul  1 09:35:06.098 [49647] dbg: bayes: tie-ing to DB file R/O 
/var/amavis/.spamassassin/bayes_toks
Jul  1 09:35:06.098 [49647] dbg: bayes: tie-ing to DB file R/O 
/var/amavis/.spamassassin/bayes_seen

Jul  1 09:35:06.098 [49647] dbg: bayes: found bayes db version 3
Jul  1 09:35:06.099 [49647] dbg: bayes: DB journal sync: last sync: 0
Jul  1 09:35:06.570 [49647] dbg: bayes: DB journal sync: last sync: 0
Jul  1 09:35:06.570 [49647] dbg: bayes: corpus size: nspam = 120857, 
nham = 664988


After a while the error returns. Do I have to wipe my bayes DB?

--
Herbert


Re: My Mad Plan's Achillies heel?

2012-03-29 Thread j...@j4computers.com
>>> On 3/29/2012 at 7:17 PM, "j...@j4computers.com"  
>>> wrote:
>>  If you trust those ISPs to not forge headers, then add them to the trusted 
>> list too, and that will push the checking boundary back to where they 
>> received the message from.
>> 
>> -- 
>>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/ 
>>   jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org 
>>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>> ---
> 
> Truly?   Very Interesting.  And just as I was having so much "fun" coming up 
> with custom rules.

How far can this go?  

The "last hop" is my own local network address, the box that fetches the mail 
and feeds it to spamassassin.  The "next to last" would be the "ISP" (misnomer, 
this is actually a mail host provider, not my connectivity provider).  The 
"third" down the line would be the "source" (the IP that sent it to my 
"mailbox" that I fetch from).





Re: My Mad Plan's Achillies heel?

2012-03-29 Thread j...@j4computers.com
> If you trust those ISPs to not forge headers, then add them to the trusted 
> list too, and that will push the checking boundary back to where they 
> received the message from.
> 
> -- 
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/ 
>   jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org 
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---

Truly?   Very Interesting.  And just as I was having so much "fun" coming up 
with custom rules.






Re: My Mad Plan's Achillies heel?

2012-03-29 Thread j...@j4computers.com
>> Hmm, I use fetchmail to grab mail from various accounts.
> add the ip address (last received) from each account to trusted_networks 
> in local.cf.
> 
> 
>>   S .  .  . the actual source or "IP of interest" will not be the 
> connection IP.
>

Thanks, but the "last received" will always be the same ones, as I fetch mail
from various accounts and "drop" them into the spamassassin box.

The IP of the actual source of the message is far down the list of IPs.  To 
block by IP, in this case, I would have to implement that at the ISP's server.  
I was dissatisfied with their SPAM solutions so went with SA.   The ISP 
continues to accept mail for my accounts and I fetch them, and feed them to SA, 
then it gets delivered to my mail system.





My Mad Plan's Achillies heel?

2012-03-28 Thread j...@j4computers.com
Continuing my learning curve with spamassassin, I find a fly in the ointment.

Some SPAM continues to slip thru.   I thought, oh well, I'll just block by IP.  

Hmm, I use fetchmail to grab mail from various accounts.   S .  .  . the 
actual source or "IP of interest" will not be the connection IP.

So, best course?   These emails all have the same format, but cover a range of 
subjects.   I'd have thought that Bayes would have learned, by now, as I have 
submitted close to a dozen via spamassassin -r < text.file





Re: submitting samples - empty link

2012-03-27 Thread j...@j4computers.com
However, this link ->  http://gtmp.org/doku.php/pub_sa-postfix.en.html

says there is nothing to see here . . . move along . . . move along . . . 

>>> "j...@j4computers.com"  03/27/12 10:27 AM >>>
And, if I had read a bit further, I would have seen the bit about setting up 
postfix alias(s) for just this purpose.

Sorry for the bother.   Still, suggestions welcome.

>>> "j...@j4computers.com"  03/27/12 10:23 AM >>>
I see that, to report SPAM and have spamassassin "learn",  I can do 
"spamassassin -r < message.txt".

However, it is not clear what form "message.txt" should take.   Since, by the 
time my mail client receives the missed SPAM, it has been altered from its 
"native" internet email form, I will have to save it as text and submit it.   

I can rather handily view the "message source" which includes the "mail hop" 
info as well as the message body.  (aka Mime.822 ?).   I suspect that would be 
Too Much Information.

Guidance?









Re: submitting samples

2012-03-27 Thread j...@j4computers.com
And, if I had read a bit further, I would have seen the bit about setting up 
postfix alias(s) for just this purpose.

Sorry for the bother.   Still, suggestions welcome.

>>> "j...@j4computers.com"  03/27/12 10:23 AM >>>
I see that, to report SPAM and have spamassassin "learn",  I can do 
"spamassassin -r < message.txt".

However, it is not clear what form "message.txt" should take.   Since, by the 
time my mail client receives the missed SPAM, it has been altered from its 
"native" internet email form, I will have to save it as text and submit it.   

I can rather handily view the "message source" which includes the "mail hop" 
info as well as the message body.  (aka Mime.822 ?).   I suspect that would be 
Too Much Information.

Guidance?






submitting samples

2012-03-27 Thread j...@j4computers.com
I see that, to report SPAM and have spamassassin "learn",  I can do 
"spamassassin -r < message.txt".

However, it is not clear what form "message.txt" should take.   Since, by the 
time my mail client receives the missed SPAM, it has been altered from its 
"native" internet email form, I will have to save it as text and submit it.   

I can rather handily view the "message source" which includes the "mail hop" 
info as well as the message body.  (aka Mime.822 ?).   I suspect that would be 
Too Much Information.

Guidance?



Re: sa-update

2012-03-27 Thread j...@j4computers.com
>>> On 3/26/2012 at 11:21 PM, Duane Hill  wrote:
> On Tuesday, March 27, 2012 at 02:48:08 UTC, jer...@fluxlabs.net confabulated:
> 
>> Sa-update should reload SA, therefore reloading rules. What error are you 
> getting ?
> 
> You  have to reload spamd after sa-update if any rules were updated to
> activate the changes.
> 

Thanks.  I will set up a cron job, I guess, to do the update  




Re: sa-update

2012-03-27 Thread j...@j4computers.com
>>> On 3/26/2012 at 10:48 PM, Jeremy McSpadden  wrote:
> Sa-update should reload SA, therefore reloading rules. What error are you 
> getting ?
> 
> 
> --
> Jeremy McSpadden

Running "/usr/sbin/spamassassin reload"  produces

"warn: archive-iterator: unable to open reload: No such file or directory"

This is SUSE SLES10, there is no "/etc/init.d/spamassassin"  (the example cited 
in docs), which is why I attempted the above.





sa-update

2012-03-26 Thread j...@j4computers.com
After running sa-update, will restarting spamd load the new rulesets?  I see 
references to "spamassassin reload"  but that seems to present an error message.



Re: spamfilter:dummy - not found

2012-03-26 Thread j...@j4computers.com
>>>> Ralf Hildebrandt  03/26/12 9:40 AM >>>
>* j...@j4computers.com :
>> SpamAssassin Server version 3.2.4
>>   running on Perl 5.8.8
>>   with SSL support (IO::Socket::SSL 0.97)
>>   with zlib support (Compress::Zlib 1.35)
>> 
>> Had it working, but . . . now seeing in /var/log/mail  'transport
>> unavailable'. . . .'spamfilter.dummy . . . no such file or directory' 
>> (paraphrased)
>> 
>> Was seeing this, but a reboot resolved it.   I am not sure what
>> 'spamfilter.dummy' refers to (ahem . . .), 
>
>A postfix transport
>
>> but it is identical to a typo I had in /var/postifx/master.cf when
>> setting up.  Since changed to "spamassassin".
>> 
>> Surely, it cannot be "looking back in time" and must have some other
>> significance?
>
>The old queuefiles still contain the old reference to the typoed
>transport name
>
>postsuper -r ALL
>postfix flush
>
>-- 
>Ralf Hildebrandt              Charite Universitätsmedizin Berlin
>ralf.hildebra...@charite.de   Campus Benjamin Franklin
>http://www.charite.de         Hindenburgdamm 30, 12203 Berlin
>Geschäftsbereich IT, Abt. Netzwerk   fon: +49-30-450.570.155

Ah, so it is *not* telling me my current setup is "broken", but is
trying to process "old" mail?

joe a.






spamfilter:dummy - not found

2012-03-26 Thread j...@j4computers.com
SpamAssassin Server version 3.2.4
  running on Perl 5.8.8
  with SSL support (IO::Socket::SSL 0.97)
  with zlib support (Compress::Zlib 1.35)

Had it working, but . . . now seeing in /var/log/mail  'transport unavailable'. 
. . .'spamfilter.dummy . . . no such file or directory'  (paraphrased)

Was seeing this, but a reboot resolved it.   I am not sure what 
'spamfilter.dummy' refers to (ahem . . .), but it is identical to a typo I had 
in /var/postifx/master.cf when setting up.  Since changed to "spamassassin".

Surely, it cannot be "looking back in time" and must have some other 
significance?

joe a.



Re: Mangled headers?

2012-03-25 Thread j...@j4computers.com
. . .
> 
> Must be a configuration issue?

Working now after some fiddling and a reboot.   Odd that stopping and starting 
postfix and spamd did not seem to "see" the changes, but it worked after a 
reboot.






Mangled headers?

2012-03-25 Thread j...@j4computers.com
My first effort at Spamassassin.  Just installed on SUSE SLES10 (SP3):

SpamAssassin Server version 3.2.4
  running on Perl 5.8.8
  with SSL support (IO::Socket::SSL 0.97)
  with zlib support (Compress::Zlib 1.35)

Basically seems to work - "spamassassin -tD < test messages"  seems to create 
good output.  But, what do I know?

In any event, the mail it passes seems to be mangled.  In my mail client, the 
message arrives, but I do not see the header info, no subject, no body.  
There is a BC, to me.

I trapped a sample message, and this is what I see (quotes added):

"
0003cafd


4f6f133f

MAIL FROM: SIZE=295
RCPT TO: ORCPT=rfc822;j...@mydomain.com 
Received: from my-host.mydomain.com ([192.168.x.xxx])
by FS-Blah with ESMTP; Sun, 25 Mar 2012 08:44:47 -0400
Received: by my-host.mydomain.com (Postfix, from userid 1000)
id D81B3112B80; Sun, 25 Mar 2012 08:44:46 -0400 (EDT)
Message-Id: <20120325124446.d81b3112...@my-host.mydomain.com>
Date: Sun, 25 Mar 2012 08:44:46 -0400 (EDT)
From: m...@gmail.com "

Must be a configuration issue?



dccproc/dccifd error

2011-12-22 Thread Herbert J. Skuhra
Hi,

I am using perl-5.10.1, amavisd-new 2.7.0, Mail-SpamAssassin-3.3.2 and 
dcc-dccd-1.3.140.

When I receive and scan a message with a 'X-DCC-xxx-Metrics'-header the 
following error is logged to maillog:

Dec 23 01:04:53 mx dccproc[81847]: unrecognized "many" usage: [-VdAQCHER]  [-h 
homedir] [-m map] [-w whiteclnt] [-T tmpdir][-a IP-address] [-f env_from] 
[-t targets] [-x exitcode][-c type,[log-thold,][spam-thold]] [-g 
[not-]type] [-S header][-i infile] [-o outfile] [-l logdir] [-B 
dnsbl-option][-L ltype,facility.level] ; fatal error

After modifying DCC.pm the error is gone:

--- DCC.pm.bak  2011-12-22 23:03:34.0 +0100
+++ DCC.pm  2011-12-22 23:22:11.0 +0100
@@ -859,7 +859,7 @@
   }
   if ($tag eq "dcc:") {
# query instead of report if there is an X-DCC header from upstream
-   unshift(@opts, '-Q', 'many') if defined $permsgstatus->{dcc_raw_x_dcc};
+   unshift(@opts, '-Q') if defined $permsgstatus->{dcc_raw_x_dcc};
   } else {
# learn or report spam
unshift(@opts, '-t', 'many');
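Review bot: the dropped 'many' on the `-Q` line is consistent with the usage text logged above, where -Q sits in the argument-less flag group [-VDAQCHER] while it is -t that takes a targets count, so the extra token after '-Q' was being handed to dccproc as an unrecognized positional argument. Since the else branch legitimately keeps `unshift(@opts, '-t', 'many');`, add a short comment on the new `unshift(@opts, '-Q')` line saying that query mode takes no target count, so the asymmetry between the two branches is not "corrected" back later. The subject also names dccifd, so confirm whether the dccifd option path builds its arguments the same way before treating this hunk as the complete fix.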

Is this the correct fix? Or is my setup broken?

Thanks.

-- 
Herbert


Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 03:37 PM, RW wrote:
> 
> Could you not just run a script from cron that does chown ${USER}:spamd
> and chmod g+rw on all the files in the virtual home directories.

You seem to have gotten lost in minor details and lost sight of the
original problem which is that of being able to run spamd in such a way
that it setuids to the user receiving the mail (i.e. run as root, so
without -u) but also looks for the user_state dir (i.e. which is usually
~/.spamassassin) somewhere other than the user's $HOME
(--virtual-config_dir).  These two concepts, for some strange reason,
seem to be mutually exclusive.

If we can solve that, issues like permissions, etc. are easy to resolve.

Cheers,
b.




signature.asc
Description: OpenPGP digital signature


Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 03:12 PM, RW wrote:
> 
> Not if you set --virtual-config-dir.

Right.  But such a change (i.e. a different $HOME on the server than on
any other machine) is still on the "transparent to users" change that I
am looking for -- the change that requires no user re-training and no
increase in help desk calls.

It really doesn't seem like it should be so difficult to point
spamassassin to a directory structure other than $HOME to find the
user_state directories.

I'm quite surprised that I am the first person who wants to be able to
do this.  Or rather achieve this kind of configuration.  If in fact
there is another way to achieve it than using the --virtual-config-dir
then I am open to suggestions.

To recap, I simply want to have the user_state (i.e. typically
~/.spamassassin) dirs somewhere other than $HOME on the server but have
those dirs and their files owned by their respective users and therefore
need to have spamd run as the recipient in order to be able to read (and
write in the case of the bayes and autowhitelist, etc. files) them while
allowing the users to read/write them also.  Is this in fact impossible
to do?

Cheers,
b.





Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 02:08 PM, Martin Gregorie wrote:
> Yep. A brainfart on my part.

No worries.  :-)

> OK - if the MTA runs spamc (Postfix does this via a service defined as
> part of its configuration - others MTAs have a similar ability) the -u
> facility can be used to select the preference file much as it does now,

AFAICT the -u parameter just tells spamd what user to run as but spamd
will still look for .spamassassin in that (spamc -u specified) user's
$HOME.  So that doesn't really put me any further ahead than I am now.

Besides, some users want to have procmail rules before (and/or after)
spamc is run so pushing spamc into the MTA doesn't really work.

> but procmail isn't needed and you'd run a POP server (I like Dovecot 0-
> zero maintenance: it Just Works) that users use to collect their mail
> and their MUA can sort mail into spam folders, etc. on their local
> machines.

I like to give users MUA-independent methods of sorting (and otherwise
processing) mail, hence the need for .procmail.  That reduces the load
on per MUA mail handling support.

> That only leaves user preferences. Put them where spamd expects to find
> them, and add a symlink to the user's NFS mount point on the server.

Yeah.  I have been considering an approach like this where $HOME on the
server is a local dir with the .spamassassin dir in it and a symlink to
their automounted $HOME like:

$ ls -la $HOME
drwx--   4 brian brian4096 2011-10-16 08:52 .spamassassin
lrwxrwxrwx   1 brian brian  35 2011-10-16 09:17 real_HOME ->
/autohome/brian

and /autohome is an automount dir mounting the $HOME from the user's
machine to the server.

But then anyone logging into the server needs to know this and know that
their $HOME on the server is different than their local, native $HOME.
It seems like I really shouldn't need to go through these gyrations just
to be able to point spamassassin to a different directory tree for their
"state dir" (i.e. what is usually their ~/.spamassassin) dir.

> Of course, this assumes that all the procmail recipe does is to run
> spamc, but you haven't said it does anything else.

Indeed, it doesn't for some users which is why I need to keep procmail
in the loop.  But also, giving spamc to the MTA does not yet prove to
solve anything anyway.

Cheers,
b.





Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 01:31 PM, Martin Gregorie wrote:
>
> Have you thought of running spamc remotely? This way you could avoid the
> need to log in to the server just to process mail.

Hrm.  I'm not sure I follow.  The server receives the mail and the
server delivers it to the user's mailbox but on the way it passes
through spamd by way of a call to spamc -- all on the server.

> spamc takes -d -p and -u options, which should do exactly what you want:
>   -d gives the host name (default is localhost)
>   -p is the port (default 783)
>   -u is the username

Right.  But since I have spamc being called from procmail, they are all
running as the effective user anyway and thus the -u is moot (and
wouldn't work for any value other than the current user anyway).

> This way you can go on calling spamc from the procmail recipe so it
> would remain invisible to the users.

Sure, but the problem is in being able to provide spamd with a directory
outside of the user's $HOME for his .spamassassin dir.

> You'd store user preferences on the server as individual files

Which is what I want to do, outside of their usual $HOME which actually
lives on their own machine and is NFS mounted on the server (currently).

> or in a
> MySQL database as others have described.

Yeah, just not interested in doing that much re-engineering when simply
being able to provide spamd with a different path for ~/.spamassassin
should suffice.

> The worst case would be that
> your users may have to log in to the server to change their preferences,

Well, they will get their ~/.spamassassin dir as an NFS mount from the
server, so same difference really.

> unless, that is, you go the MySQL way and provide, say, a simple PHP
> script to maintain them via an in-house Apache web server.

Yeah, not going there.  It's overkill and too much work to achieve what
I want.  I do appreciate the suggestions though.

b.





Re: --virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
On 11-10-16 12:16 PM, Christian Grunfeld wrote:
> 
> You should have spamd running as root,

But I do that already.  That is what is causing the problem with the new
switch (--virtual-config-dir=...):

spamd: cannot use --virtual-config-dir without -u

> then it can setuid to the
> calling spamc uid which must be the user you want (%l).

Right.  All of that is in place currently with the existing
~/.spamassassin scheme.  That all works.

> So you must
> call spamc with the -u modifier instead of spamd !

I don't call spamd from the delivery end.  Each user has a .procmailrc
which pipes the mail through "spamc" so spamc is already being called by
the recipient's effective user-ID.

> Another way is to have user_prefs and/or bayes in SQL.

Indeed, however that involves a user [re-]education.  I want to effect
the current user interaction (i.e. using ~/.spamassassin) transparently
to the users.

b.





--virtual-config-dir without -u

2011-10-16 Thread Brian J. Murrell
Hi,

In my network, users have their home dirs on their local machines (for
performance) which are automounted to the mail server for purposes of
spamd accessing their ~/.spamassassin dirs.

This of course fails when a machine is turned off so I want to move
users' ~/.spamassassin dirs to the server and create a symlink in each
users' ~ to link back to the server-hosted .spamassassin dir as such:
$ ls -l ~/.spamassassin
lrwxrwxrwx 1 brian brian 35 2011-10-16 09:17 /home/brian/.spamassassin
-> /net/mail/home/spamassassin/brian/

But to achieve this and make spamd use this /home/spamassassin/%l dir on
the machine "mail" it seems I need to add the "--virtual-config-dir"
option to spamd.  But that option requires I also use -u and then I
don't get spamd running as %l for access to the files in
/home/spamassassin/%l which are owned by %l.

Anyone got any ideas how I can achieve my goal here of simply relocating
~/.spamassassin dirs to the mail server and yet also having spamd run as
the user receiving the mail?

Much thanks in advance for any ideas.

Cheers,
b.





Re: DNSBL checks only on last untrusted host

2010-08-20 Thread Daniel J McDonald
On Fri, 2010-08-20 at 20:34 +0200, Jacek Politowski wrote:
> On Fri, Aug 20, 2010 at 04:11:34PM +0200, Benny Pedersen wrote:
> 
> I'd really like limit SpamAssassin's "RCVD_*" DNSBL checks only to
> hosts that directly deliver e-mails to our servers, but it seems I'm
> missing something in SA documentation (I can hardly believe there is
> no such possibility in SA).

change: 
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop',
'bl.spamcop.net.', '(?i:spamcop)')
to:
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop-lastexternal',
'bl.spamcop.net.', '(?i:spamcop)')



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: X-Spam-Version-Checker reports 3.2.3 but running 3.3.1 - Why?

2010-08-04 Thread Daniel J McDonald
On Wed, 2010-08-04 at 14:18 -0700, Happy Chap wrote:
> Hi,
> 
> I've just upgraded from SpamAssassin 3.2.3 to 3.3.1 and it all appeared to
> install correctly. However, X-Spam-Version-Checker is still coming up as
> 3.2.3 after restarting spamd. Can anyone suggest what I've done wrong?

I think that's a mailscanner bug...  There has been some discussion on
this list about this in the past...



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


me.com as freemail?

2010-06-28 Thread Daniel J McDonald
I notice that me.com (Apple's "mobile me") is now offering a "free 60
day trial" for their mail solution.  About half the mail from me.com has
been spam here lately, so I've added it to my local list of freemail
domains.  Anyone seen anything similar?

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: How do I filter out phishing email?

2010-04-14 Thread Daniel J McDonald
On Wed, 2010-04-14 at 11:18 -0700, yongke wrote:
> I installed all the channels in your post but I still get the same score!  Is
> there anything else I can do? 

Are you running with compiled rules?  Then you need to recompile them.

Are you running a daemonized spamd or amavisd instance?  You will need
to restart it to load the new rules



>  The commands I used are:
[...]
> sa-update --channelfile sa-update-channels.txt --gpgkeyfile
> sa-update-keys.txt

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: What happened to SOUGHT rules' server?

2010-03-15 Thread j
> I've been having the same problem from several locations/ISPs, since
> mid-Saturday.
> "500 Can't connect to yerp.org:80 (connect: timeout)"
> 
> Dave

Anyone figure this out? I have received the same yerp.org down errors and it's 
screwing up my SA royally. I guess this is "what we get" when we rely on 
external sources to help us at no charge.. :(



Re: Whitelists in 3.3.0

2010-01-29 Thread Daniel J McDonald
On Fri, 2010-01-29 at 09:18 -0500, Bowie Bailey wrote:
> McDonald, Dan wrote:
> >
> > Please excuse the top-post. This truly brain-damaged mua does not
> > allow me to edit the body.
> >
> > Easiest way to disable whitelists is:
> >
> > grep -E score\ RCVD.+-
> > /var/lib/spamassassin/updates_spamassassin_org/50_scores.cf | cut -d\ 
> > -f1-3 > /etc/mail/spamassassin/no-whitelists.cf
> >
> 
> Does 3.3.0 get rid of the version number in that path, or did you just
> forget to include it? 

I forgot...  was transcribing from screen to iPhone.  So the path does
need to be updated.

>  I haven't gotten around to upgrading yet.
> 
> Nice command line magic there!  It took me a bit to figure out how it
> worked.  

It helps that whitelists are disabled in ruleset #1, so we can count on
a zero in that position.

As a one-liner, it is something that can be tacked on the end of a
script that calls sa-update (or in the middle, if you follow up your
sa-update with an sa-compile). Just watch out for the two spaces in the
cut command `cut -d\  -f1-3`

>I never would have thought of doing it that way.

cut is one of my favorite tools.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
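Joe's cron job from the sa-update thread and the override trick in this post, combined into one added example script (not code from the list or from the SpamAssassin project): it reruns the posted grep/cut one-liner beside a whitespace-tolerant awk rewrite, regenerates the override file only when sa-update actually installed rules, lints, and only then reloads spamd. RULES_DIR, LOCAL_DIR, RESTART_SPAMD and the SAMPLE_SCORES lines are placeholders/constructed for this example.

```shell
#!/bin/sh
# Added example, not code from either thread or from the SpamAssassin project.
# It ties together two points made on this list: spamd only sees new rules
# after a reload (sa-update thread), and Daniel's grep/cut trick for zeroing
# RCVD_* whitelist scores, which must be redone whenever 50_scores.cf changes.
# The directories and restart command are placeholders for your site, and
# SAMPLE_SCORES is a constructed excerpt in the format of 50_scores.cf.

RULES_DIR="/var/lib/spamassassin/updates_spamassassin_org"   # placeholder
LOCAL_DIR="/etc/mail/spamassassin"                           # placeholder
RESTART_SPAMD="/etc/init.d/spamassassin restart"             # placeholder

# Score lines carry four values: set0 (no net, no bayes), set1 (net),
# set2 (bayes), set3 (net + bayes). Net whitelists are 0 in set0, which is
# what the cut trick relies on. The DNSWL_HI line has a deliberate double
# space to show where cut breaks.
SAMPLE_SCORES='score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
score RCVD_IN_DNSWL_HI  0 -5 0 -5
score RCVD_IN_BL_SPAMCOP_NET 0 1.347 0 1.246
score RCVD_IN_PBL 0 3.335 0 3.558
score BAYES_99 3.5 3.5 3.5 3.5'

# The one-liner as posted, reading stdin: RCVD lines containing a minus sign,
# first three space-separated fields. A double space yields an empty field.
disable_rcvd_whitelists_cut() {
    grep -E 'score RCVD.+-' | cut -d ' ' -f1-3
}

# Whitespace-tolerant rewrite: emit an explicit "score RULE 0" (one value
# applies to all four sets) for every RCVD_ rule with a negative score anywhere.
disable_rcvd_whitelists_awk() {
    awk '$1 == "score" && $2 ~ /^RCVD_/ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^-/) { print "score", $2, "0"; break }
         }'
}

# Map the sa-update exit status to an action. Exit codes per the sa-update
# manual: 0 updates installed, 1 nothing new, 2 lint failed, 4+ error.
plan_after_update() {
    case "$1" in
        0) echo restart ;;
        1) echo noop ;;
        *) echo error ;;
    esac
}

# Number of override lines a given generator produces from the sample.
count_overrides() {
    printf '%s\n' "$SAMPLE_SCORES" | "$1" | wc -l | tr -d ' '
}

# Third field of the override line for one rule ("EMPTY" if the field is
# missing, nothing at all if the rule was not matched).
override_value() {
    printf '%s\n' "$SAMPLE_SCORES" | "$1" \
        | awk -v r="$2" '$2 == r { print ($3 == "" ? "EMPTY" : $3) }'
}

# Cron entry point: update, regenerate the overrides only when rules actually
# changed, lint the result, and only then reload spamd.
run_update() {
    sa-update && rc=0 || rc=$?
    case "$(plan_after_update "$rc")" in
        restart)
            disable_rcvd_whitelists_awk < "$RULES_DIR/50_scores.cf" \
                > "$LOCAL_DIR/no-whitelists.cf"
            spamassassin --lint && $RESTART_SPAMD
            ;;
        noop) : ;;
        *) echo "sa-update failed with status $rc" >&2; return 1 ;;
    esac
}

# Invoke with "run" from cron; with no argument just show both generators.
if [ "${1:-}" = "run" ]; then
    run_update
else
    echo "== cut version =="
    printf '%s\n' "$SAMPLE_SCORES" | disable_rcvd_whitelists_cut
    echo "== awk version =="
    printf '%s\n' "$SAMPLE_SCORES" | disable_rcvd_whitelists_awk
fi
```

The cut version silently emits "score RCVD_IN_DNSWL_HI " with no value for the double-spaced line, which spamassassin --lint would then reject; the awk version writes a literal 0 regardless of spacing.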


Re: is bayes enabled by default?

2010-01-17 Thread Herbert J. Skuhra
At Sun, 17 Jan 2010 11:57:45 -0800 (PST),
tonjg wrote:
> 
> 
> 
> Herbert J. Skuhra wrote:
> > 
> > 
> > It would show disabled if use_bayes or use_bayes_autolearn is off.

Sorry, use_bayes_autolearn is wrong. :-) 
 
> thanks but in what file would it show this instruction?
> I looked in procmailrc, local.cf and 23_bayes.cf - couldn't find anything
> which told me whether bayes was enabled or disabled.

You can set use_bayes and bayes_auto_learn to 1 in your local.cf.

-Herbert



Re: is bayes enabled by default?

2010-01-17 Thread Herbert J. Skuhra
At Sun, 17 Jan 2010 10:57:55 -0800 (PST),
tonjg wrote:
> 
> 
> I have sa version 3.2.5
> my autolearn setting always shows as 'no'. Will this eventually come on by
> itself or do I need to turn it on?
> thanks for any advice.

http://wiki.apache.org/spamassassin/AutolearningNotWorking

It would show disabled if use_bayes or use_bayes_autolearn is off.

Have you trained enough spam/ham messages?

Check bayes_min_ham_num/bayes_min_spam_num and
bayes_auto_learn_threshold_spam/bayes_auto_learn_threshold_nonspam.  

-Herbert




Re: hostkarma false positive

2010-01-11 Thread Daniel J McDonald
On Mon, 2010-01-11 at 06:46 -0800, Marc Perkel wrote:

> Christian Brel wrote: 
> > It's also listed in:
> > 195.3.86.187    BLACKLISTED: ips.backscatterer.org  
> Backscatterer.org isn't a real blacklist. They have us blacklisted as
> well. Anyone using them is making a serious mistake.

It's probably worth a point or so for blocking useless bounces:

meta RCVD_IN_BACKSCATTER_RELAY  (__BOUNCE_FROM_DAEMON && __RCVD_IN_BACKSCATTER) && ! __RCVD_IN_UCEWHITE
tflags RCVD_IN_BACKSCATTER_RELAY  net
describe RCVD_IN_BACKSCATTER_RELAY  received from a host that does a lot of backscatter
score RCVD_IN_BACKSCATTER_RELAY  1.30


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: FH_DATE_PAST_20XX

2010-01-01 Thread Herbert J. Skuhra
At Thu, 31 Dec 2009 17:53:24 -0800 (PST),
John Hardin wrote:
> 
> On Fri, 1 Jan 2010, Mike Cardwell wrote:
> 
> > I just received some HAM with a surprisingly high score. The following 
> > rule triggered:
> >
> > *  3.2 FH_DATE_PAST_20XX The date is grossly in the future.
> >
> > Yet the date header looks fine to me:
> >
> > Date: Fri, 1 Jan 2010 00:46:45 GMT
> >
> > In /usr/share/spamassassin/72_active.cf I find:
> >
> > header   FH_DATE_PAST_20XX  Date =~ /20[1-9][0-9]/ [if-unset: 2006]
> >
> > Doesn't look particularly sane to me... I have given that rule a score 
> > of 0 in my local.cf for now.
> 
> Agree, that should probably be [2-9][0-9].

What about

header   FH_DATE_PAST_20XX  Date =~ /(201[1-9])|(20[2-9][0-9])/

and

##{ FH_DATE_IS_200X
header   FH_DATE_IS_200XDate =~ /200[0-9]/ [if-unset: 2006]
describe FH_DATE_IS_200XThe date is not 200x.
##} FH_DATE_IS_200X

-Herbert


Re: habeas - tainted white list

2009-12-18 Thread Daniel J McDonald
On Fri, 2009-12-18 at 12:53 +, Christian Brel wrote:
> On Fri, 18 Dec 2009 06:49:41 -0600
> Daniel J McDonald  wrote:
> 
> > On Fri, 2009-12-18 at 08:49 +, Christian Brel wrote:
> > > On Fri, 18 Dec 2009 03:44:32 -0500
> > > "Daryl C. W. O'Shea"  wrote:
> > > 
> > > > Please stop beating the -4 and -8 horse.  We agree.
> > > > 
> > > > Daryl
> > > > 
> > > > 
> > > 
> > > Then fix it and show who really is in charge of this project?
> > > 
> > It's been fixed.  Don't you know how to use bugzilla?
> > 
> > http://svn.apache.org/viewvc/spamassassin/trunk/rules/50_scores.cf?r1=891460&r2=891459&pathrev=891460
> > 
> > The new scores will come out in 3.3.0, RC1 is very soon...
> > 
> 
> +score RCVD_IN_RP_CERTIFIED 0.0 -3.0 0.0 -3.0
> +score RCVD_IN_RP_SAFE 0.0 -2.0 0.0 -2.0
> 
> This is 'fixed'? 

Have you read the bugzilla entry?  huge discussion about how to fix it
properly.  You also ignored the five rules removed and replaced by these
two.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: habeas - tainted white list

2009-12-18 Thread Daniel J McDonald
On Fri, 2009-12-18 at 08:49 +, Christian Brel wrote:
> On Fri, 18 Dec 2009 03:44:32 -0500
> "Daryl C. W. O'Shea"  wrote:
> 
> > Please stop beating the -4 and -8 horse.  We agree.
> > 
> > Daryl
> > 
> > 
> 
> Then fix it and show who really is in charge of this project?
> 
It's been fixed.  Don't you know how to use bugzilla?

http://svn.apache.org/viewvc/spamassassin/trunk/rules/50_scores.cf?r1=891460&r2=891459&pathrev=891460

The new scores will come out in 3.3.0, RC1 is very soon...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: sa 3.3 problem with spec file?

2009-12-15 Thread Daniel J McDonald
On Tue, 2009-12-15 at 14:21 +0100, Kai Schaetzl wrote:
> I just built and make tested the beta of SA 3.3 with good success and 
> wanted to build the rpm from it now. I get an error:
>  error: line 38: Illegal char '-' in version: Version: 3.3.0-beta1
> 
> Seems that Version: %{version} doesn't like hyphens.

or alpha characters of any sort.
> What's the best way to overcome this? Change to _ for instance?

No, you have to convince it that everything is numeric.  Here's what I
did in a similar situation:
%define beta p1
Summary:    The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client
Name:       dhcp
Epoch:      2
Version:    3.1.2
Release:    %mkrel 1
License:    Distributable
Group:      System/Servers
URL:        http://www.isc.org/dhcp.html
Source0:    ftp://ftp.isc.org/isc/%{name}/%{name}-%{version}%{beta}.tar.gz
Source1:    ftp://ftp.isc.org/isc/%{name}/%{name}-%{version}%{beta}.tar.gz.asc

> 
> Kai
> 


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com

