Re: Worthwhile to scan outgoing?
On Mon, Jun 21, 2010 at 11:39:33AM -0400, Adam Moffett wrote:
> My philosophy in the past has always been not to scan outgoing
> emails because my users are not likely to be spamming.
>
> However, a couple of issues recently with spambots and SMTP AUTH
> with weak passwords has me reconsidering that stance.
>
> Is anyone here currently scanning their outgoing mail with SA? Good
> results? Bad results?

We are scanning both ways without problems - very low false positive rate.

The reason: it happened once or twice that some spam came from inside our network with the resulting risk that our domain could be blacklisted.

We use spamassassin in combination with the following filters on smtp-level:

- clamav with sanesecurity signatures, which stops a lot of spam even before it reaches spamassassin.
- spamhaus' blacklisting, which also blocks a lot of spam at an early stage.
- several checks in exim.
- spamassassin, which only gets into action after the email has passed the first filters.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4599
Informasietegnologie, Universiteit van Stellenbosch

"What? know ye not that your body is the temple of the Holy Ghost which is in you, which ye have of God, and ye are not your own? For ye are bought with a price: therefore glorify God in your body, and in your spirit, which are God's." I Corinthians 6:19,20
Re: Whitelist on List-ID
On Thu, Jan 21, 2010 at 09:08:05PM -0700, LuKreme wrote: > You shouldn't be sending ANY mailinglists through SpamAssassin. Why not? A lot of mailing lists are used by spammers. Regards Johann -- Johann Spies Telefoon: 021-808 4599 Informasietegnologie, Universiteit van Stellenbosch "He that giveth unto the poor shall not lack: but he that hideth his eyes shall have many a curse." Proverbs 28:27
Re: Googlegroups related spam
Hallo Per,

> I have three rules that would have helped you catch some of those
> (I didn't check all of your examples):
>
> # google group URL contains ..
> uri NN_GOOGLE_GROUP_DD m'www\.google\.com/.*\.\..*/group/'i
> describe NN_GOOGLE_GROUP_DD Link to a Google group contains '..'
> score NN_GOOGLE_GROUP_DD 4
>
> # google group url contains question mark
> uri NN_GOOGLE_GROUP_QM m'google\.com/.*group/[^?]{6,}\?[^?]{6}'i
> describe NN_GOOGLE_GROUP_QM Highly suspect link to a google group
> score NN_GOOGLE_GROUP_QM 4
>
> uri __GOOGLEGROUPS_15 m'http://[^.]{15}\.googlegroups\.com'i
> uri __GOOGLEGROUPS_NUM m'http://[^.]*[0-9][^.]*\.googlegroups\.com'i
> meta NN_GOOGLEGROUPS_15 __GOOGLEGROUPS_15 && __GOOGLEGROUPS_NUM
> describe NN_GOOGLEGROUPS_15 Contains a suspicious googlegroups URI.
> score NN_GOOGLEGROUPS_15 2
>
> /Per Jessen, Zürich

Thanks. To me it is special to get help from Zürich. I have a daughter and son staying there.

Regards
Johann
(Stellenbosch, South Africa)
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Peace I leave with you, my peace I give unto you; not as the world giveth, give I unto you. Let not your heart be troubled, neither let it be afraid." John 14:27
Re: Googlegroups related spam
On Tue, Feb 24, 2009 at 02:51:36PM +0100, Karsten Bräckelmann wrote: > More seriously, unless you provide raw samples [1], including the rules > hit on your system, there's probably not much else to say. > You can download them at ftp://g...@ftp.sun.ac.za/pespos.tar.gz . Use password 'tydelik'. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Peace I leave with you, my peace I give unto you; not as the world giveth, give I unto you. Let not your heart be troubled, neither let it be afraid." John 14:27
Googlegroups related spam
The following link describes a problem we are experiencing:

http://www.joewein.net/blog/2009/01/21/google-groups-spam-abuse-reporting-broken/

It seems to me the only way to counter that type of spam is to do a curl or wget on each url in a message and submit the content thereof to Spamassassin. But you can't do that on 20 emails per day and I am not sure how to handle such a process from exim.

I am sure I am not the only one having to deal with this kind of spam. How do you counter it?

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Thy word is a lamp unto my feet, and a light unto my path." Psalms 119:105
Re: spam bypass spamassassin
On Wed, Sep 03, 2008 at 09:18:53AM -0300, Rejaine Monteiro wrote:
>
> Why this spam scored with 5.1 (required 5.0) bypass spamassassin??
>
> (clamdscan: 0.93/8144. spamassassin: 3.2.5.
> Clear:RC:0(aaa.bbb.ccc.ddd):SA:1(5.1/5.0):.
> Processed in 2.490743 secs); 03 Sep 2008 11:32:21 -
> X-Spam-Status: Yes, score=5.1 required=5.0
> X-Spam-Level: +

It did not bypass Spamassassin. Spamassassin did its job by classifying the message as spam. The rest is up to your mta.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"And he said unto his disciples, Therefore I say unto you, Take no thought for your life, what ye shall eat: neither for the body, what ye shall put on. The life is more than meat, and the body is more than raiment. Consider the ravens: for they neither sow nor reap; which neither have storehouse nor barn; and God feedeth them: how much more are ye better than the fowls! Consider the lilies, how they grow: they toil not, they spin not; and yet I say unto you, that Solomon in all his glory was not arrayed like one of these. If then God so clothe the grass, which is to day in the field, and to morrow is cast into the oven; how much more will he clothe you, O ye of little faith? And seek not what ye shall eat, or what ye shall drink, neither be ye of doubtful mind. But rather seek ye the kingdom of God; and all these things shall be added unto you." Luke 12:22-24; 27-29; 31.
Re: timeout-problem - additional information
I have discovered a mistake in my exim configuration that caused exim to hand over all sizes to spamassassin. This was the same on the old and new servers, but apparently attributed greatly towards timeouts on the new server. Correcting that mistake to make exim only hand messages smaller than 100k to spamassassin, had a clear effect on the timeouts. Since that change in the configuration - about 18 hours ago, there was not one timeout. It seems that the newer version of Spamassassin handles large messages less efficiently than the older version. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "I am the vine, ye are the branches: He that abideth in me, and I in him, the same bringeth forth much fruit: for without me ye can do nothing." John 15:5
Re: timeout-problem - additional information
On Mon, Mar 10, 2008 at 05:24:24AM -0400, Daryl C. W. O'Shea wrote:
> Try to roughly compare the actual amount of CPU time that the spamd
> children are using on each server. 3.2 will use more resources than

How do I do that? Just watching 'top' is not a reliable method I suspect.

> Are the timeouts for the same zone(s)?

Most of them are lookups against list.dsbl.org. A

dig 146.226.86.70.list.dsbl.org

that timed out according to the log, took 352 milliseconds when checked by hand. A little bit longer on the old one.

> Test lookups against those zones manually.
> Is your upstream (or downstream) bandwidth usage near full capacity?

It is 92.5% full at the moment.

> Do the two servers share the same DNS setup?

Yes

> Is there something else running on the new server that is driving
> the load average up (a common cause of the "child processing
> timeout" message)?

The load average on the new server is lower than that on the old server - as expected. For the past 24 hours the highest load average was 1.6.

>
> A little more work... review the debug output for a bunch of messages
> (you'll have to separate each message's debug info from the combined
> debug log). What parts of the scanning process are taking the most
> amount of time?

I will do that.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"What doth it profit, my brethren, though a man say he hath faith, and have not works? can faith save him? If a brother or sister be naked, and destitute of daily food, And one of you say unto them, Depart in peace, be ye warmed and filled; notwithstanding ye give them not those things which are needful to the body; what doth it profit? Even so faith, if it hath not works, is dead, being alone." James 2:14-17
Re: timeout-problem - additional information
Hello Daryl,

Thanks for your reply.

On Fri, Mar 07, 2008 at 02:23:13PM -0500, Daryl C. W. O'Shea wrote:
> On 05/03/2008 5:44 AM, Johann Spies wrote:
> > On Thu, Feb 28, 2008 at 02:44:02PM +0200, Johann Spies wrote:
> >> On a new mailserver with 8Gb ram and 2xdual-core CPU's we get regular
> >> messages in the log:
> >>
> >> Feb 28 12:52:43 mail2 spamd[32558]: prefork: child states: BIBBB
> >> Feb 28 12:52:44 mail2 spamd[459]: rules: failed to run TVD_STOCK1 test,
> >> skipping:
> >> Feb 28 12:52:44 mail2 spamd[459]: (child processing timeout at
> >> /usr/sbin/spamd line 1246.
> >> Feb 28 12:52:44 mail2 spamd[459]: )
> >>
> >> And every time it involves TVD_STOCK1.
>
> The rule doesn't look particularly bad. Have you been able to capture a
> sample email that causes this? Perhaps it's an issue with a large
> text/plain body with no line breaks.

Unfortunately I do not know which messages caused the problem.

>
> 3.2.3 changes the way DNS timeouts are calculated (SA used to time out
> its second round of DNS lookups way too early). Is the machine (or
> specifically the spamd children) actually busy, or is everything sitting
> rather idle.

I am comparing an older server (mail1) with the new server (mail2) in this case. Both running exim, clamav and spamassassin. These statistics are over a period of about 24 hours on 7/8 March last week.

                   mail1            mail2
SA-version         3.0.3-2sarge1    3.2.3-0.volatile1
Messages scanned   43338            22873
Timeouts (exim)    0                36
--max-children     5                15
Ram                4G               7G

I have activated the --debug option now and so far have seen 14 dns-timeouts in the past 40 minutes on mail2.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"What doth it profit, my brethren, though a man say he hath faith, and have not works? can faith save him? If a brother or sister be naked, and destitute of daily food, And one of you say unto them, Depart in peace, be ye warmed and filled; notwithstanding ye give them not those things which are needful to the body; what doth it profit? Even so faith, if it hath not works, is dead, being alone." James 2:14-17
Re: prefork: child states: BBBBBBB
On Fri, Mar 07, 2008 at 07:04:07PM +0530, Agnello George wrote:
> I see in my log the following what does it mean ??
>
> Fri Mar 7 21:07:12 2008 [11800] info: prefork: child states: BBB
> Fri Mar 7 21:07:12 2008 [11800] info: prefork: server reached --max-children
> setting, consider raising it

Spamassassin creates sub-processes as necessary (children). You have a --max-children setting somewhere (in Debian it is in /etc/default/spamassassin) and it seems to be 7. This log entry says all 7 of them are Busy.

See my messages a bit earlier about timeout. We are experiencing the same from time to time and nobody has tried to answer my questions about it.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Go ye therefore, and teach all nations, baptizing them in the name of the Father, and of the Son, and of the Holy Ghost: Teaching them to observe all things whatsoever I have commanded you: and, lo, I am with you alway, even unto the end of the world. Amen." Matthew 28:19,20
Re: timeout-problem - additional information
On Thu, Feb 28, 2008 at 02:44:02PM +0200, Johann Spies wrote:
> On a new mailserver with 8Gb ram and 2xdual-core CPU's we get regular
> messages in the log:
>
> Feb 28 12:52:43 mail2 spamd[32558]: prefork: child states: BIBBB
> Feb 28 12:52:44 mail2 spamd[459]: rules: failed to run TVD_STOCK1 test,
> skipping:
> Feb 28 12:52:44 mail2 spamd[459]: (child processing timeout at
> /usr/sbin/spamd line 1246.
> Feb 28 12:52:44 mail2 spamd[459]: )
>
> And every time it involves TVD_STOCK1.
>
> Is this a bug in Spamassassin or in the rule? How do I fix it?
>
> Version: 3.2.3-0.volatile1 (on Debian Stable).
>
> Defaults: OPTIONS="--create-prefs --max-children 15 --helper-home-dir"

I have seen no reaction to the message quoted here.

After a "score TVD_STOCK1 0" the "child processing timeout" messages stopped, but exim is still complaining from time to time (11 times so far today and 239 times yesterday):

error reading from spamd socket: Connection timed out

In /var/log/mail.info the message "prefork: server reached --max-children setting, consider raising it" appeared 188 times yesterday and 27 times today in the logs on the new server (spamassassin version 3.2.3-0.volatile1) with the --max-children 15 setting.

On the older server (--max-children 5 and version 3.0.3-2sarge1) that has handled about double the number of emails during the past 24 hours no such problem was reported either by exim or spamassassin.

That does not make sense to me unless there is some bug in the newer version of Spamassassin.

Any idea on what is going on here?

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"This is the day which the LORD hath made; we will rejoice and be glad in it." Psalms 118:24
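The spamd messages counted by hand in the posts above (child-state snapshots, "--max-children" warnings, and "child processing timeout" lines preceded by a "failed to run ... test" line from the same pid) can be tallied with a short script. This is an added example, not code from the thread or from the SpamAssassin project; the function and field names are hypothetical and the sample log lines are constructed in the two formats quoted in these posts.

```python
import re
from collections import Counter

# Matches both "spamd[459]: msg" (syslog) and "[11800] info: msg" lines.
LINE = re.compile(r"\[(?P<pid>\d+)\]:?\s+(?:info:\s+)?(?P<msg>.*)$")
STATES = re.compile(r"prefork: child states: (?P<states>[A-Z]+)")
RULE_FAIL = re.compile(r"rules: failed to run (?P<rule>\S+) test, skipping")

# Constructed sample input, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Feb 28 12:52:43 mail2 spamd[32558]: prefork: child states: BIBBB
Feb 28 12:52:44 mail2 spamd[459]: rules: failed to run TVD_STOCK1 test, skipping:
Feb 28 12:52:44 mail2 spamd[459]: (child processing timeout at /usr/sbin/spamd line 1246.
Feb 28 12:52:44 mail2 spamd[459]: )
Feb 28 12:53:10 mail2 spamd[32558]: prefork: server reached --max-children setting, consider raising it
Feb 28 12:53:10 mail2 spamd[32558]: prefork: child states: BBBBB
Feb 28 12:53:41 mail2 spamd[612]: child processing timeout at /usr/sbin/spamd line 1246.
Feb 28 12:54:02 mail2 spamd[32558]: prefork: child states: BBIII
Fri Mar 7 21:07:12 2008 [11800] info: prefork: child states: BBB
Fri Mar 7 21:07:12 2008 [11800] info: prefork: server reached --max-children setting, consider raising it
""".splitlines()


def summarize(lines):
    """Tally spamd prefork saturation and per-rule child timeouts."""
    pending_rule = {}  # pid -> rule named in the preceding "failed to run" line
    report = {
        "snapshots": 0,            # "child states" lines seen
        "all_busy_snapshots": 0,   # snapshots where every child is 'B' (busy)
        "peak_busy": 0,            # largest number of busy children seen
        "saturation_warnings": 0,  # "server reached --max-children" lines
        "timeouts": 0,             # "child processing timeout" lines
        "timeouts_by_rule": Counter(),
    }
    for raw in lines:
        m = LINE.search(raw.rstrip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")

        s = STATES.search(msg)
        if s:
            states = s.group("states")
            busy = states.count("B")  # any other letter is counted as not busy
            report["snapshots"] += 1
            report["peak_busy"] = max(report["peak_busy"], busy)
            if busy == len(states):
                report["all_busy_snapshots"] += 1
        elif "server reached --max-children setting" in msg:
            report["saturation_warnings"] += 1
        elif RULE_FAIL.search(msg):
            # Remember the rule; the timeout itself is logged on the next
            # line written by the same child pid.
            pending_rule[pid] = RULE_FAIL.search(msg).group("rule")
        elif "child processing timeout" in msg:
            report["timeouts"] += 1
            rule = pending_rule.pop(pid, "(unattributed)")
            report["timeouts_by_rule"][rule] += 1
        else:
            # Unrelated line from this pid: drop any stale rule so a later
            # timeout is not blamed on it.
            pending_rule.pop(pid, None)
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run against a real /var/log/mail.info by passing an open file object to `summarize()` instead of `SAMPLE_LOG`.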
timeout-problem
On a new mailserver with 8Gb ram and 2xdual-core CPU's we get regular messages in the log:

Feb 28 12:52:43 mail2 spamd[32558]: prefork: child states: BIBBB
Feb 28 12:52:44 mail2 spamd[459]: rules: failed to run TVD_STOCK1 test, skipping:
Feb 28 12:52:44 mail2 spamd[459]: (child processing timeout at /usr/sbin/spamd line 1246.
Feb 28 12:52:44 mail2 spamd[459]: )

And every time it involves TVD_STOCK1.

Is this a bug in Spamassassin or in the rule? How do I fix it?

Version: 3.2.3-0.volatile1 (on Debian Stable).

Defaults: OPTIONS="--create-prefs --max-children 15 --helper-home-dir"

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"These things have I written unto you that believe on the name of the Son of God; that ye may know that ye have eternal life, and that ye may believe on the name of the Son of God." I John 5:13
Re: Greeting card
On Tue, Jul 31, 2007 at 10:03:30AM +0200, Rocco Scappatura wrote: > It is possible to block the spam sent by GreetingCards.com which invites > the receiver to access an URL and browse the ecard? > > I mean that spam which has subject similar to: > > You've received a greeting ecard from a Colleague! > Since we started using Clamav most (almost all) of those spam are refused. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Have not I commanded thee? Be strong and of a good courage; be not afraid, neither be thou dismayed; for the LORD thy God is with thee whithersoever thou goest."Joshua 1:9
Re: PDFInfo plugin with SA 3.1.7
Hallo John,

On Thu, Jul 12, 2007 at 08:19:04AM -0700, John Rudd wrote:
> >
> >I have this in /var/lib/clamav at the moment:
> >
> > drwxr-xr-x 2 clamav clamav    4096 2007-07-12 14:22 clamav-29a2fe02977a1d4c26abf3fd199d1e70
> > -rw-r--r-- 1 clamav clamav  995915 2007-07-11 22:48 daily.cvd
> > -rwxrwxr-- 1 clamav clamav       0 2007-07-12 14:15 .dbLock
> > -rw-r--r-- 1 clamav clamav 9351789 2007-07-11 22:48 main.cvd
> > -rw-r--r-- 1 clamav clamav  294979 2007-07-12 15:05 MSRBL-Images.hdb
> > -rw-r--r-- 1 clamav clamav  228436 2007-07-12 15:05 MSRBL-SPAM.ndb
> > -rw-r--r-- 1 clamav clamav  180868 2007-07-12 10:26 phish.ndb.gz
> > -rw-r--r-- 1 clamav clamav  115449 2007-07-12 10:26 scam.ndb.gz
>
> Those are the ones you're getting from Sanesecurity. They're gzipped.
> In order to actually have ClamAV _USE_ them, you need to gunzip them.

Thanks. That is what I was not sure of.

>
> This also makes me wonder if you're actually testing the files before you
> put them into production. If you're not, that's a rather bad idea. At
> 2am this morning, I had a non-usable phish.ndb come through. If you're
> using clamd, that could have caused clamd to crash.
>
>
> Here's the script I use for importing from MSRBL and Sanesecurity. I
> run it out of cron with -all, on the hour. You'll probably need to
> modify some bits of the first few lines (down to the rsync binary location):

The script I have downloaded also does some testing. I think the reason why those files were not unzipped was that the script was looking for the unzipped files before finishing its task.

It is working now and I like it.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Let your character be free from the love of money, being content with what you have; for He Himself has said, "I will never desert you, nor will I ever forsake you." Hebrews 13:5
Re: PDFInfo plugin with SA 3.1.7
On Thu, Jul 12, 2007 at 11:54:51AM +0200, Robert Schetterer wrote:
> >
> Hi, after having good results in the beginning
> with pdfinfo ,
> no one of the following pdf spam was caught/marked
>
> i am now using
> clam and Sanesecurity to eliminate pdf spam.

I have tried that, but clamav did not pick up one when scanning a bunch of the pdf-spam. I have used one of the download scripts on Sanesecurity. Do I have to do some other configurations to activate the databases for Clamav?

I have this in /var/lib/clamav at the moment:

drwxr-xr-x 2 clamav clamav    4096 2007-07-12 14:22 clamav-29a2fe02977a1d4c26abf3fd199d1e70
-rw-r--r-- 1 clamav clamav  995915 2007-07-11 22:48 daily.cvd
-rwxrwxr-- 1 clamav clamav       0 2007-07-12 14:15 .dbLock
-rw-r--r-- 1 clamav clamav 9351789 2007-07-11 22:48 main.cvd
-rw-r--r-- 1 clamav clamav  294979 2007-07-12 15:05 MSRBL-Images.hdb
-rw-r--r-- 1 clamav clamav  228436 2007-07-12 15:05 MSRBL-SPAM.ndb
-rw-r--r-- 1 clamav clamav  180868 2007-07-12 10:26 phish.ndb.gz
-rw-r--r-- 1 clamav clamav  115449 2007-07-12 10:26 scam.ndb.gz

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Many, O LORD my God, are thy wonderful works which thou hast done, and thy thoughts which are for us..." Psalms 40:5
Re: Is Bayes Dead? Have the spammers won?
On Thu, Mar 22, 2007 at 09:55:07AM -0700, Marc Perkel wrote:
> Maybe I'm doing something wrong but with the various methods of bayes
> poisoning going on I've found that bayes is just lowering the score of
> spam and causing more spam to get through. Where bayes used to be the
> centerpiece of spam filtering now I have turned it off to increase accuracy.
>
> Anyone else seeing this or is there some new tricks that I'm missing out on?

We had to lower our bayesian filter's score from 7.2 to something like 6.4 (8.0 threshold) as a result of the image spam but it is still doing a good job.

My experience with fuzzyocr was not good enough to implement it on all our mail servers. Exim had regular problems with the feedback from Spamassassin when fuzzyocr was active and recently Spamassassin died because of some problem fuzzyocr had with some mails - so I disabled it on the one server I was trying it out. The result is more image spam.

Maybe it is time to rebuild the bayesian database with "clean" spam excluding image spam and a lot of ham messages.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Jesus said unto her, I am the resurrection, and the life; he that believeth in me, though he were dead, yet shall he live; And whosoever liveth and believeth in me shall never die." John 11:25,26
Re: HAM and SPAM mailboxes
On Mon, Mar 05, 2007 at 10:58:00AM -0300, Luis Hernán Otegui wrote:
> OK, Chris, I think I'll go on with your suggestion. It seems simpler, and a
> lower
> load for my busted servers. However, I'm not a Perl Guru myself, so, mind if
> you could clarify what did you mean with "In that case, Perl's
> Mail::Box::Manager is your friend."
>
> How do I extract the original mail from the forwarded one?

I have written a small program in Ocaml which I use for that purpose. It extracts emails that were forwarded as attachments and puts them into a separate directory from where they can be processed.

At the moment the directories are hardcoded but I can adapt it for more generic situations there is a need for.

If someone is interested, let me know and I will try and make it available.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"The LORD is my light and my salvation; whom shall I fear? the LORD is the strength of my life; of whom shall I be afraid?" Psalms 27:1
Re: Problem synchronizing database of two spamassassins
On Tue, Nov 07, 2006 at 11:22:31AM +0100, Angel L. Mateo wrote: > I am running site-wide bayes, not individual bayes databases. I am also interested in the answer to your question. Do you stop spamd when copying the files or restart it after you have done so? We have three mail servers an they started out with the same Bayesian database, and we use the same feedback to feed sa-learn on all three of them. Other than that I do not sync them. I also see difference in the scores from the different machines on the same message. Would it be possible to rsync the databases while spamd are running? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Jesus said unto her, I am the resurrection, and the life; he that believeth in me, though he were dead, yet shall he live." John 11:25
mcafee-spamassassin-rules
We are using Mcafee's anti-virus product on our mailservers and we mirror their files from ftp.nai.com on an hourly basis.

Today I saw something that I did not realise they provide:

mcafee-spamassassin-perl-1.0.2620-1.5002.i386.rpm
mcafee-spamassassin-rules-1.0.2620-2620.5002.i386.rpm

I thought that if they provide updated rules on a daily basis, I can just as well try and use those rules. However, they were written for version 2.6 and 3.0.3-2sarge1 is complaining about those rules.

Is there a way to utilize their updates with the later versions of spamassassin? Or do I have to use their version of spamassassin to do so? Would that be advisable?

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"If a man abide not in me, he is cast forth as a branch, and is withered; and men gather them, and cast them into the fire, and they are burned." John 15:6
FuzzyOcrPlugin with 3.0.3?
Can I use this plugin with Spamassassin 3.0.3? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch
Re: Running on Debian stable
On Sun, Sep 03, 2006 at 04:52:24PM -0400, Miles Fidelman wrote: > Thanks Gary! > > Any advantages to installing from testing? Seems like backports would > be just a bit safer. After trying out backports' 3.1.3 I have gone back to 3.0.3. I had regular entries in /var/log/mail.info like this: Aug 23 13:17:48 mail2 spamd[23582]: child processing timeout at /usr/sbin/spamd line 1086, and this coincided with entries in /var/log/exim4/paniclog: spam acl condition: cannot parse spamd output Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "If any of you lack wisdom, let him ask of God, who gives to all men generously and without reproach, and it will be given to him." James 1:5
Re: Exim: spam acl condition: cannot parse spamd output (more information)
On Wed, Aug 23, 2006 at 02:28:38PM +0200, Johann Spies wrote:
> I have just upgraded my Spamassassin on Debian Stable to 3.1.3
> (backports) from 3.0.3 and I get this message in Exim's paniclog:
>
> spam acl condition: cannot parse spamd output

At the same time the /var/log/exim4/paniclog reports the above line, I see the following in /var/log/mail.info:

Aug 23 13:17:48 mail2 spamd[23582]: child processing timeout at /usr/sbin/spamd line 1086, line 55245.
Aug 23 13:22:08 mail2 spamd[8182]: child processing timeout at /usr/sbin/spamd line 1086, line 97113.
Aug 23 13:22:08 mail2 spamd[8182]: child processing timeout at /usr/sbin/spamd line 1086, line 97113.
Aug 23 13:23:19 mail2 spamd[8706]: child processing timeout at /usr/sbin/spamd line 1086,

So it seems to be a spamd-problem. Is this a known bug?

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"For God hath not appointed us to wrath, but to obtain salvation by our Lord Jesus Christ, Who died for us, that, whether we wake or sleep, we should live together with him." I Thessalonians 5:9,10
Exim: spam acl condition: cannot parse spamd output
I have just upgraded my Spamassassin on Debian Stable to 3.1.3 (backports) from 3.0.3 and I get this message in Exim's paniclog:

spam acl condition: cannot parse spamd output

That is not the case with every message. Does

My Exim4-acl's:

warn message = X-Spam-Score: $spam_score ($spam_bar)
     condition = ${if <{$message_size}{100k}{1}{0}}
     hosts = ! +relay_from_hosts
     spam = spamd:true

warn message = X-Spam-Status: YES
     hosts = ! +relay_from_hosts
     condition = ${if <{$message_size}{100k}{1}{0}}
     condition = ${if >{$spam_score_int}{80}{1}{0}}
     spam = spamd:true

warn message = X-Spam-Status: NO
     hosts = ! +relay_from_hosts
     condition = ${if <{$message_size}{100k}{1}{0}}
     condition = ${if <{$spam_score_int}{80}{1}{0}}
     spam = spamd:true

warn message = X-Spam-Flag: YES
     hosts = ! +relay_from_hosts
     condition = ${if <{$message_size}{100k}{1}{0}}
     condition = ${if >{$spam_score_int}{80}{1}{0}}
     spam = spamd:true

warn message = X-Spam-Flag: NO
     hosts = ! +relay_from_hosts
     condition = ${if <{$message_size}{100k}{1}{0}}
     condition = ${if <{$spam_score_int}{80}{1}{0}}
     spam = spamd:true

warn message = X-Spam-Report: \n $spam_report
     hosts = ! +relay_from_hosts
     condition = ${if <{$message_size}{100k}{1}{0}}
     spam = spamd:true

# reject messages that score more than 8
deny message = Message viewed as spam. (scored $spam_score) \n \
        If you are convinced that it was not spam, please send \n \
        it again and this time CC it to [EMAIL PROTECTED] or \n \
        contact [EMAIL PROTECTED] to find out why it was marked as \n\
        spam. The system administrator will require the following \n \
        information: sender address, recipient's address and time.
     hosts = ! +relay_from_hosts
     spam = spamd:true
     condition = ${if eq{$acl_m0}{t}{yes}{no}}
     condition = ${if <{$message_size}{100k}{1}{0}}
     condition = ${if >{$spam_score_int}{80}{1}{0}}
     log_message = SPAM: Message viewed as spam. (scored $spam_score)

Any idea what is causing this?
Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "For God hath not appointed us to wrath, but to obtain salvation by our Lord Jesus Christ, Who died for us, that, whether we wake or sleep, we should live together with him." I Thessalonians 5:9,10
Re: Bug in sa-learn (Debian :3.0.3-2sarge1)
On Mon, Jul 24, 2006 at 02:28:14PM -0500, Stuart Johnston wrote: > This is just a warning that you can ignore. If it bothers you, the best > solution would be to upgrade to 3.1.3. Alternately, you could try this on > your lib/Mail/SpamAssassin/HTML.pm: Thanks Stuart! Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Look not every man on his own things, but every man also on the things of others."Philippians 2:4
Bug in sa-learn (Debian :3.0.3-2sarge1)
I have found this in the archives, but I did not find a solution yet. On a mailserver that I have upgraded to Debian Sarge, the following warning appears when I am running sa-learn: Parsing of undecoded UTF-8 will give garbage when decoding entities at /usr/share/perl5/Mail/SpamAssassin/HTML.pm line 182. I have found the following patch but it does not apply successfully using "patch": --- lib/Mail/SpamAssassin/HTML.pm (revision 178588) +++ lib/Mail/SpamAssassin/HTML.pm (working copy) @@ -107,6 +107,15 @@ ], marked_sections => 1); + # enable UTF-8 mode, + # http://search.cpan.org/~gaas/HTML-Parser-3.45/Parser.pm#$p-%3Eutf8_mode , + # if we're running perl 5.8 and HTML::Parser supports it. bug 4046. + if ($] >= 5.008 && $self->can("utf8_mode")) { +if (!eval { $self->utf8_mode(); 1; }) { + dbg ("html: failed to enable UTF-8 mode (perl ver $] h:p ver $HTML::Parser::VERSION)"); +} + } + $self; } How do I solve this? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Be not deceived; God is not mocked; for whatsoever a man soweth, that shall he also reap." Galatians 6:7
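Review bot: in the added block, `$self->utf8_mode()` is called with no argument inside the eval, so whether UTF-8 mode is actually switched on depends on the accessor treating a bare call as "enable"; pass an explicit true value, e.g. `$self->utf8_mode(1)`, so the intent stated in the comment is unambiguous. The `dbg` call on the failure path also drops `$@`, so the reason the eval failed is lost; include it in the message alongside the perl and HTML::Parser versions.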
Re: BAYES_99 makes lots of false-positive
On Thu, Jul 13, 2006 at 03:17:05PM +0800, Joshua, C.S. Chen wrote: > Hello folks, > My users speak Chinese. I found that spamassassin seems not working well > about chinese chset (utf8 or big5) on the bayes issue. Many normal mails > (almost) get BAYES_99 score although the real spam also get BAYES_99. It > looks like foreign language like Chinese is very easy to be high bayes > scored. > I have setup ok_locales all but it doesn't help the false-positive problem. > > And another question: just wonder what if I do sa-learn --dump? Am I > supposed to see the phrase that SA has learned? some key phrases, words > in the spam mails? If so, can I see some chinese phrases? Do you use chinese emails to "feed" the spamfilter both ham and spam regularly? That would probably be the best way to improve the accuracy of the Bayesian filter. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Let your character be free from the love of money, being content with what you have; for He Himself has said, "I will never desert you, nor will I ever forsake you." Hebrews 13:5
Re: Which Operating Systems Do You Use and Why?
On Thu, Apr 06, 2006 at 12:12:25PM -0700, Ask List wrote: >linux and unix is unix. So I would like to hear users experiences using >different operating systems. Pros/Cons/Problems/Headaches/etc. The >operating systems I'm most interested in are Debian, Ubuntu, Gentoo, >Slackware, FreeBSDs, and OpenSolaris. Debian, Ubuntu, Gentoo and Slackware (add about 100 other Linux distributions) are not different operating systems. They all use the Linux kernel and software and in many cases the same version of it. They are just different distributions of the same operating system. And by the way, we use Debian here. Regards. Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "But seek ye first the kingdom of God, and his righteousness; and all these things shall be added unto you." Matthew 6:33
Re: SA scores
On Wed, Mar 29, 2006 at 01:32:48PM +0200, Belette wrote:
>hello there !
>
>IS there a way to get SA scores using a shell command :
>
>e.g. :
># spam -score < mail.txt
># .045
>
>i need this coz i do not want to filter all mails, i just need a score,
>without writing SA header inside it

spamc -R < mail.txt

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will direct your paths." Proverbs 3:5,6
Re: SORBS unreasonable: Accusation retracted
On Mon, Feb 27, 2006 at 04:24:27AM -0500, Greg Allen wrote:
> I noticed you did not say your mailing list was a confirmed opt-in.
>
> If it does not do a confirmed opt-in, you should fix that. Otherwise you
> will not stay delisted long. Could get expensive too at $50 a pop.
>
>
>
> > On enquiry on why we were blacklisted, it came to light that it was
> > blacklisted on false accounts - a valid mailing list related to one of
> > our academic departments on campus.

New information came to light and I retract my insinuation that SORBS was unreasonable: Apparently the owner(s) of the specific mailing list populated the list with names harvested from the internet.

Apologies to SORBS.

Regards
Johann
--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"All we like sheep have gone astray; we have turned every one to his own way; and the LORD hath laid on him the iniquity of us all." Isaiah 53:6
SORBS unreasonable
One of our email-servers is blacklisted by SORBS and they want us to pay $50 to get the server taken off the list. On enquiry on why we were blacklisted, it came to light that it was blacklisted on false accounts - a valid mailing list related to one of our academic departments on campus. However, no reasoning with them is possible and they insist that it was spam. Here are quotes from their answers: "I am referring this to the SORBS admin who received the spam. It doesn't appear that there is any relationship with the spammer. Where the sender obtained the addresses is not known at this time." "As I suspected, the recipient does not know the sender, so it is indeed UBE. Where the sender obtained the address is unknown. It certainly was not sent to a confirmed opt-in list, so it is spam and the listing is not in error. In order to be delisted, follow the instructions on the Spam DB FAQ http://www.dnsbl.sorbs.net/faq/spamdb.shtml Send confirmation of your US$50 donation to [EMAIL PROTECTED]" It seems a bit harsh to me to blacklist a server on account of one such incident. We are not in a position to verify the facts because we do not have the email address of the "SORBS admin who received the spam". We have three email-gateways and have a very good record as far as fighting spam is concerned. Now some of our email gets refused because one administrator received an email of which he thought that it must be spam! How do the members of this list handle situations like that? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "All we like sheep have gone astray; we have turned every one to his own way; and the LORD hath laid on him the iniquity of us all." Isaiah 53:6
Re: SpamdForkScaling error
Hallo Tim, On Mon, Nov 21, 2005 at 06:08:19PM -0900, Tim Jordan wrote: > This is my first post to the SA mailing list. I hope I'm proceeding > correctly. I noticed that my mail server seems to be running slow. I > tailed the syslog and found the error below. I included the syslog > entry for the test message I sent to my email server. > > I'm hoping someone can advise so I can learn the cause and solution of > this problem. > > > Nov 21 17:32:45 mail spamd[1579]: prefork: syswrite(6) failed, > > retrying... at > > /usr/local/share/perl/5.8.7/Mail/SpamAssassin/SpamdForkScaling.pm line > > 554. > > Nov 21 17:33:20 mail last message repeated 7 times Who is the owner of "spamd" ? Does that owner have all the necessary permissions to write in the directory where spamd wants to work? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Can two walk together, except they be agreed?" Amos 3:3
Re: SpamCop listing internal hotmail servers?
On Wed, Sep 07, 2005 at 07:04:39PM -0700, John Rudd wrote: > > On Sep 7, 2005, at 6:23 PM, Michele Neylon:: Blacknight.ie wrote: > > >Greg Allen wrote: > >>Spamcop users are idiots too. When you have end users pushing > >>the 'this is spam' button when they get an email that they > >>don't like from their own friends or family, well... you get Spamcop. > > > >That's a lovely generalisation and bears little relation to reality. > > From where I stand, he's right on the mark. Spamcop is run by morons, To insult other system administrators will not help to build a better society. I have recently received mail from Spamcop to inform me that spam was sent from a mail server inside our network. On further investigation we discovered that one of the servers inside our network for which our mail gateway relays email, was poorly set up as an open relay and this server had indeed been used by spammers to send out some 2+ emails per day for a day or three. So I am grateful to Spamcop for helping us to identify a problem that could cause us serious problems if it went on undetected. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Submit yourselves therefore to God. Resist the devil, and he will flee from you." James 4:7
The owner of the spamd-process
If you look at the following output of "top" you will see that some spamd processes run under the ownership of "spamd" and others under "root". I would like to know why?

16930 root   9 0 37908 37M 16548 S18.7 0.9 0:10 spamd
16927 root  11 0 83720 81M 16296 S10.7 2.1 0:28 spamd
16929 spamd 10 0 74332 72M 16404 S 6.7 1.9 0:22 spamd
16931 spamd  9 0 38288 37M 16540 S 4.9 0.9 0:07 spamd
16928 spamd  9 0 42340 41M 16364 S 3.5 1.0 0:13 spamd

I have in /etc/init.d/spamassassin:

NAME=spamd
SNAME=spamassassin
DESC="SpamAssassin Mail Filter Daemon"
PIDFILE="/var/run/$NAME.pid"
PNAME="spamd"

Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "My son, do not despise the LORD's discipline and do not resent his rebuke, because the LORD disciplines those he loves, as a father the son he delights in." Proverbs 3:11,12
Re: memory-usage going BOOM
On Wed, May 04, 2005 at 07:05:17PM +0200, Patrick von der Hagen wrote: > Hi all, > > I've been using SpamAssassin 3.0.2 for quite some time (about three > month) on my mailservers and so far I didn't notice any problems. Load > and message-throughput have been quite constant. > > However, yesterday one of my servers went BANG, due to lack of memory. > First I suspected Bind9, but when the memory dropped low again this > afternoon I found that SpamAssassin consumed an extreme amount of memory. > Right after launching spamd, each child uses about 30MB of memory, but > after some time it they reach 200MB each, some still more. I had the same happening on three different servers. In my case I had 4Gb of ram on each of them with two 3.2 CPU's on each server. In the end I started using the following script (as a cron job) which kills a spamd-child when it grows bigger than 200 bytes in memory:

    ps flax | grep '[s]pamd' | \
    awk '{if($7 > 200) print "kill " $3}' | /bin/sh

It seems to work. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Do not repay anyone evil for evil. Be careful to do what is right in the eyes of all men." Romans 12:17
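A variant of the memory watchdog described in the message above, as an added example that is not part of the original post: it selects only spamd children (never the master process) by resident set size, which ps reports in KiB. The function names, the 204800 KiB limit and the sample ps listing are constructed for illustration, and it assumes the process name shows up as "spamd" in the comm column.

```shell
#!/bin/sh
# Added example (not from the original post).
# Input on stdin: one process per line as "PID PPID RSS COMMAND", the layout of
#   ps -eo pid=,ppid=,rss=,comm=
# RSS is resident memory in KiB.

# Print the PIDs of spamd children whose RSS exceeds the limit (in KiB).
# A child is a spamd process whose parent is also spamd; the master, whose
# parent is init or a supervisor, is never selected even if it is large.
oversized_spamd_children() {
    limit_kib=$1
    awk -v limit="$limit_kib" '
        $4 == "spamd" {
            ppid[$1] = $2
            rss[$1]  = $3
            is_spamd[$1] = 1
            order[++n] = $1          # keep input order for the output
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if ((ppid[p] in is_spamd) && rss[p] + 0 > limit + 0)
                    print p
            }
        }'
}

# Constructed sample listing: one master (1579), three children, and an
# unrelated large process that must be ignored.
sample_ps() {
    cat <<'EOF'
 1579     1 250000 spamd
 1601  1579 212480 spamd
 1602  1579  38912 spamd
 1603  1579 409600 spamd
 1700     1 512000 clamd
EOF
}

# What a cron job would call: terminate the selected children on the live
# system. Defined here but not invoked by this example.
reap_oversized_spamd() {
    ps -eo pid=,ppid=,rss=,comm= |
        oversized_spamd_children "$1" |
        while read -r pid; do
            kill -TERM "$pid"
        done
}

# Demonstration on the constructed listing with a 200 MiB limit.
sample_ps | oversized_spamd_children 204800
```

Filtering on the parent PID keeps the watchdog from stopping the daemon itself, and matching the command column exactly avoids hitting unrelated processes whose command line merely contains "spamd".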
Re: Whitelisting IP's?
On Tue, Feb 22, 2005 at 07:30:26AM -0600, Larry Rosenman wrote: > Johann Spies wrote: > > On Fri, Feb 18, 2005 at 11:02:15AM -0500, Chris Santerre wrote: > >> > >> Absolutely! But without knowing how you are blocking, I can't say > >> anymore. > > > > I am using exim4 with exiscan and refuse to accept mail identified as > > spam. > > > > Regards > > Johann > > So, don't run those IP's through the spam check. > > See !hosts= > I know I can do that. I was just thinking that it might not be a wise thing to do and it seems as if some other administrators on this list agree. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "All scripture is given by inspiration of God, and is profitable for doctrine, for reproof, for correction, for instruction in righteousness; That the man of God may be perfect, thoroughly furnished unto all good works." II Timothy 3:16,17
Re: Whitelisting IP's?
On Fri, Feb 18, 2005 at 11:02:15AM -0500, Chris Santerre wrote: > > Absolutely! But without knowing how you are blocking, I can't say anymore. I am using exim4 with exiscan and refuse to accept mail identified as spam. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "The LORD bless thee, and keep thee; The LORD make his face shine upon thee, and be gracious unto thee; The LORD lift up his countenance upon thee, and give thee peace." Numbers 6:24-26
Whitelisting IP's?
I have received the following request: "We request to be on your whitelist. We are double opt-in only. We operate using several different upstream providers, and the complete list of our ip address blocks can be found at " Apparently they provide mailing-list services and our spamfilter has refused some of their mailing-list-related mail. As far as I understand spamassassin's whitelisting it does not work with "ip address blocks" but with the sender addresses or domains. If I would do what this person requested I can do it in exiscan by just not referring email coming from that IP range to spamassassin. That opens up a gateway for people who spoof those IP addresses to bypass the spamfilter. Now my questions: How would administrators on this list handle a request like this? Should I ask particulars on a mailing list basis to do the whitelisting? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "All we like sheep have gone astray; we have turned every one to his own way; and the LORD hath laid on him the iniquity of us all." Isaiah 53:6
Thanks - Re: Less spam blocked with 3.02 - AWL-related?
Thanks to everybody who responded to my email. I have learnt a lot, added a few filters, removed some and removed the awl-option.

> Average spam blocked per minute for the last
>
>          Day    Week    Month   Year (Since April-June last year)
> mail1    5.94   6.21    7.67    8.20
> mail2    5.04   5.95    6.48    6.69
> mail3    4.95   4.67*   6.23    6.85
>
> * mail3 was down for a few hours during the week.

The effect: Now:

         Day    Week    Month   Year (Since April-June last year)
mail1    8.74   7.25    7.44    8.17
mail2    6.04   4.87    5.99    6.65
mail3    6.28   5.38    5.77    6.80

This is more like the pattern I was seeing with 2.63/2.64. My next step would be to write something that would analyse my logs to see exactly what the rules are doing - and to try razor. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "But as many as received him, to them gave he power to become the sons of God, even to them that believe on his name" John 1:12
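One way to do the log analysis mentioned at the end of the message above, as an added example that is not part of the original post: it tallies, per rule, how often the rule fired on messages judged spam and on messages judged ham. It assumes spamd result lines of the form "result: Y SCORE - RULE1,RULE2 scantime=..." ("Y" for spam, "." for ham); the function names and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads syslog lines on stdin and prints "RULE SPAM_HITS HAM_HITS",
# most frequent spam rules first.

rule_hits() {
    awk '
    {
        # Locate the "result:" token; everything is positioned relative to it
        # so a syslog prefix of any length is tolerated.
        for (i = 1; i <= NF; i++)
            if ($i == "result:") break
        if (i + 4 > NF) next              # not a result line, or truncated

        verdict = $(i + 1)                # "Y" = spam, "." = ham
        tests   = $(i + 4)                # comma-separated rule names
        if (tests ~ /=/) next             # no rule hit: field is scantime=...

        count = split(tests, rule, ",")
        for (j = 1; j <= count; j++) {
            seen[rule[j]] = 1
            if (verdict == "Y") spam[rule[j]]++
            else                ham[rule[j]]++
        }
    }
    END {
        for (r in seen)
            printf "%s %d %d\n", r, spam[r], ham[r]
    }' | LC_ALL=C sort -k2,2nr -k1,1
}

# Constructed sample log: three spam results, two ham results, one result
# without any rule hits and one unrelated spamd line.
sample_log() {
    cat <<'EOF'
Feb 14 10:01:02 mail1 spamd[2211]: connection from localhost [127.0.0.1] at port 40112
Feb 14 10:01:03 mail1 spamd[2211]: result: Y 14 - BAYES_99,HTML_MESSAGE,SARE_HTML_HAS_MSG scantime=1.3,size=2048,mid=<c1@example.net>,autolearn=no
Feb 14 10:01:09 mail1 spamd[2212]: result: . -3 - ALL_TRUSTED,BAYES_20,HTML_MESSAGE scantime=0.9,size=1500,mid=<c2@example.net>,autolearn=no
Feb 14 10:02:11 mail1 spamd[2211]: result: Y 9 - BAYES_99,MISSING_SUBJECT scantime=1.1,size=900,mid=<c3@example.net>,autolearn=no
Feb 14 10:02:40 mail1 spamd[2213]: result: . 1 - BAYES_50,NO_REAL_NAME scantime=0.7,size=1200,mid=<c4@example.net>,autolearn=no
Feb 14 10:03:05 mail1 spamd[2212]: result: Y 11 - BAYES_99,NO_REAL_NAME,HTML_MESSAGE scantime=1.0,size=3100,mid=<c5@example.net>,autolearn=no
Feb 14 10:03:30 mail1 spamd[2213]: result: . 0 - scantime=0.2,size=400,mid=<c6@example.net>,autolearn=no
EOF
}

# Demonstration on the constructed log.
sample_log | rule_hits
```

Rules with a high ham count relative to their spam count are the candidates for a lower score; rules that never appear are not contributing at all.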
Re: Less spam blocked with 3.02 - AWL-related?
Thanks! I am learning every day. Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "For by him were all things created, that are in heaven, and that are in earth, visible and invisible, whether they be thrones, or dominions, or principalities, or powers; all things were created by him, and for him." Colossians 1:16
Re: Less spam blocked with 3.02 - AWL-related?
On Mon, Feb 14, 2005 at 12:07:44PM +0100, Sander Holthaus - Orange XL wrote: > > debug: diag: module installed: MIME::Base64, version 2.12 > > You should upgrade that one This is on a Debian Woody system. I have installed it from www.backports.org and it is the latest one available for Debian. > > > debug: diag: module installed: Net::DNS, version 0.48 > > debug: diag: module not installed: Net::LDAP ('require' failed) > > debug: diag: module not installed: Razor2::Client::Agent > > ('require' failed) > > debug: diag: module installed: Storable, version 1.014 > > debug: diag: module installed: URI, version 1.18 > > You should probably upgrade this one as well Same here. > > debug: config: read file /etc/spamassassin/70_sare_header_x264_x30.cf > > This one is not intended for 3.x, already included in the base distribution. > > > debug: config: read file /etc/spamassassin/70_sare_header_x30.cf > > This one is not intended for 3.x, already included in the base distribution. Thanks. > In general, you might try replacing those SARE 2 and 3 rulesets will other > rulessets that will hit more on spam and less on ham. See > www.rulesemporium.com for more rulesets. I have installed them after visiting www.rulesemporium.com. It is not easy to see there which rules "will hit more on spam and less on ham". > Also, check you memory usage, spamd will tend to get very large when > using many rule-sets (50MB is not uncommon if you're running with > many extra rules-sets) I have had problems with 2.63 and 2.64 at one stage, but not at the moment. > Also, consider using Razor (and if you have > the resources, DCC and Pyzor). They will hit on a lot of spam. For > me at least, Razor the second best test after Bayes. > Thanks. I have not used Razor in the past because I was cautious to stretch my resources too far. I will probably try it out now. Thank you for taking the trouble to help me. 
Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "God be merciful unto us, and bless us; and cause his face to shine upon us." Psalms 67:1
Re: Less spam blocked with 3.02 - AWL-related?
On Fri, Feb 11, 2005 at 10:17:37AM -0500, Matt Kettler wrote: > I don't understand how you read that to think you should put a server IP > after test. Perhaps you should read it again, but this time realize that > the "13 servers" in the description is a misnomer. > > Clearly "domain.tld" should give it away. Clearly "localhost" or any IP > does not fit the parameter requirements. > > Put a domain.tld so SA can query an NS record. Unless you actualy have an > NS record for localhost, your existing configuration is invalid. (And > please read that carefully, I said an NS record, as in a record for the > domain localhost, not that localhost runs a nameserver) > > You also left off the end.. > > "Please note, the DNS test queries for NS records. " > > > You can't do an NS record query on anything but a domain name.. ie: there > is no ns record for xanadu.evi-inc.com or 208.39.141.94, but there is an NS > record for evi-inc.com. The reason being xanadu is a host, not a domain. You have convinced me. I clearly did not understand the documentation correctly. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "God be merciful unto us, and bless us; and cause his face to shine upon us." Psalms 67:1
Re: Less spam blocked with 3.02 - AWL-related?
nd. debug: Current PATH is: /home/spamd/bin:/usr/local/bin:/usr/bin:/bin:/usr/games debug: DCC is not available: no executable dccproc found. debug: Pyzor is not available: pyzor not found debug: Running tests for priority: 500 debug: RBL: success for 1 of 1 queries debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8a565dc) implements 'check_post_dnsbl' debug: running meta tests; score so far=-5.125 debug: running header regexp tests; score so far=-3.408 debug: running body-text per-line regexp tests; score so far=-3.408 debug: running uri tests; score so far=-3.408 debug: running raw-body-text per-line regexp tests; score so far=-3.408 debug: running full-text regexp tests; score so far=-3.408 debug: Running tests for priority: 1000 debug: running meta tests; score so far=-3.408 debug: running header regexp tests; score so far=-3.408 debug: running body-text per-line regexp tests; score so far=-3.408 debug: running uri tests; score so far=-3.408 debug: running raw-body-text per-line regexp tests; score so far=-3.408 debug: running full-text regexp tests; score so far=-3.408 debug: is spam? score=-3.408 required=8 debug: tests=ALL_TRUSTED,BAYES_20,MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,SARE_TOCC_NONE debug: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__SANE_MSGID,__SARE_CC_NONE,__SARE_HTML_HAS_MSG,__SARE_TO_NONE,__UNUSABLE_MSGID Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "God be merciful unto us, and bless us; and cause his face to shine upon us." Psalms 67:1
Re: Less spam blocked with 3.02 - AWL-related?
On Thu, Feb 10, 2005 at 10:57:20AM -0500, Chris Santerre wrote: > > 1) Nice rulesets ;) > 2) Please tell me you are using net-tests. SURBL? (might want to increase > those scores.) Yes, I am using them and they appear regularly in the logs. skip_rbl_checks 0 dns_available test: localhost 146.232.128.10 146.232.128.1 > 3) Stop using AWL. Seriously, I found it did more harm then good and got big > too fast. This is what I suspected. > 4) Can you share the output from a --lint with us? $ spamassassin --lint [EMAIL PROTECTED]:~$ I use it regularly when changing any configuration. Thanks for your commentary. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Make a joyful noise unto the LORD, all ye lands. Serve the LORD with gladness; come before his presence with singing. Know ye that the LORD he is God; it is he that hath made us, and not we ourselves; we are his people, and the sheep of his pasture." Psalms 100:1-3
Less spam blocked with 3.02 - AWL-related?
I have upgraded spamassassin on three mail (2.63 -> 3.02 on two and 2.64 -> 3.02 on the other) servers about two weeks ago. On the old system I have disabled AWL and Auto-learn because they corrupted my bayesian database on at least one occasion. I have decided to try out AWL with 3.02. At first I did not use any extra rules but installed the following after a week:

70_sare_bayes_poison_nxm.cf  70_sare_html2.cf     99_sare_fraud_post25x.cf
70_sare_html0.cf             70_sare_html3.cf     evilnumbers.cf
70_sare_html1.cf             70_sare_html_eng.cf

I have experienced fewer false positives with the new one. Complaints came down from about 6 per week to maybe 1 in the last two weeks. But the feedback from users about spam received increased and the following statistics show that something is not working as effectively as it was previously:

Average spam blocked per minute for the last

         Day    Week    Month   Year (Since April-June last year)
mail1    5.94   6.21    7.67    8.20
mail2    5.04   5.95    6.48    6.69
mail3    4.95   4.67*   6.23    6.85

* mail3 was down for a few hours during the week.

The three servers started out with the same bayesian database and are trained with the same spam/ham on a nearly daily basis. I am suspecting AWL to be the culprit but I am not sure how to determine it other than switching it off for a period. Any commentary? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "I was glad when they said unto me, Let us go into the house of the LORD." Psalms 122:1
Re: Bayes questions
On Thu, Jan 27, 2005 at 11:29:31AM +0100, Johan Segernäs wrote: > If I have confirmed spam with BAYES_50 but not high enough for spamassassin > to autolearn as spam, should I add this to a spam-bucket and force into > bayes-db or is it waste of time? As I understand it the BAYES_SCORE plays no part in the auto-learn decision. Yes you can feed it to sa-learn - should if it is spam. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Come now, and let us reason together, saith the LORD; though your sins be as scarlet, they shall be as white as snow; though they be red like crimson, they shall be as wool." Isaiah 1:18
Re: 3.02 on Debian Woody?
On Thu, Jan 20, 2005 at 03:12:44AM -0700, Bob Proulx wrote: > Johann Spies wrote: > > Mail-Followup-To: Johann Spies <[EMAIL PROTECTED]>, > > users@spamassassin.apache.org, > > [EMAIL PROTECTED] > > Please pick only one of these two aliases to the same list. Otherwise > we all see duplicate messages. Apologies, I was not aware of the fact that I replied to two aliases. > > Yes, I am using the one from www.backports.org and installing > > libnet-dns-perl from the same source did not seem to get my network > > tests going. > > It should have. That makes me think something else unrelated is the > problem. Run SA with debugging enabled. What does it say? In > particular you should see something like this. > > spamassassin -tD < message 2>&1 | pager > > debug: is Net::DNS::Resolver available? yes > debug: Net::DNS version: 0.48 > debug: trying (3) colorado.edu... > debug: looking up NS for 'colorado.edu' > debug: NS lookup of colorado.edu succeeded => Dns available (set > dns_available to hardcode) > debug: is DNS available? 1 > > If you are seeing something significantly different then I believe the > problem is that you have multiple versions of Net::DNS installed and > are not actually using the packaged version at all. > > locate Net/DNS.pm > /usr/lib/perl5/Net/DNS.pm > > You may have other older versions hiding out in other locations. Thanks. On two of the machines I could only get it working after using dh-make-perl to build a libnet-dns-perl from CTAN and installing it. Somehow the one from www.backports.org did not work there. On the first one, on which I had surbl working with 2.6.4 previously, I did not have to do that. Thanks for the -tD-tip. I will remember it for the future. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Neither is there salvation in any other; for there is none other name under heaven given among men, whereby we must be saved." Acts 4:12
Re: 3.02 on Debian Woody?
On Wed, Jan 19, 2005 at 10:48:18PM -0900, John Andersen wrote: > On Wednesday 19 January 2005 10:44 pm, Johann Spies wrote: > > I could only get the network tests to work after installing Net::DNS > > using CPAN. I would prefer however to do it the Debian way. > > CPAN is the Debian way. Its every distro's way. > > Spamassassin is a perl app, and installing the whole thing > via cpan makes more sense than any other method. Its also > easier to keep things up to date that way. > > Regardless of distro, I ALWAYS install S.A. with Cpan. And what do I do when a lot of tests fail? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Neither is there salvation in any other; for there is none other name under heaven given among men, whereby we must be saved." Acts 4:12
Re: 3.02 on Debian Woody?
On Wed, Jan 19, 2005 at 10:48:18PM -0900, John Andersen wrote: > On Wednesday 19 January 2005 10:44 pm, Johann Spies wrote: > > I could only get the network tests to work after installing Net::DNS > > using CPAN. I would prefer however to do it the Debian way. > > CPAN is the Debian way. Its every distro's way. > > Spamassassin is a perl app, and installing the whole thing > via cpan makes more sense than any other method. Its also > easier to keep things up to date that way. > > Regardless of distro, I ALWAYS install S.A. with Cpan. > Thanks. I will keep it as a last option. I am first going to try out dh-make-perl. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Neither is there salvation in any other; for there is none other name under heaven given among men, whereby we must be saved." Acts 4:12
Re: 3.02 on Debian Woody?
On Thu, Jan 20, 2005 at 01:17:08AM -0700, Bob Proulx wrote: > > Your own backport? Or one from somewhere else? > > > I could only get the network tests to work after installing Net::DNS > > If www.backports.org then you should have gotten the libnet-dns-perl > modules from there too. Yes, I am using the one from www.backports.org and installing libnet-dns-perl from the same source did not seem to get my network tests going. > I recommend using the www.backports.org packaging. Put the following > in your /etc/apt/sources.list line. > > deb http://www.backports.org/debian stable spamassassin > > Then: > > sudo apt-get update > sudo apt-get install spamassassin libnet-dns-perl libmail-spf-query-perl Thanks for your reply. I have added libmail-spf-query-perl and it also installed two extra packages. But the network tests do not seem to be working... I will now try the dh-make-perl option suggested by others. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Neither is there salvation in any other; for there is none other name under heaven given among men, whereby we must be saved." Acts 4:12
3.02 on Debian Woody?
I have installed Spamassassin 3.02 on one of my three mail servers which runs on Debian Woody with a backport of Exim4. I previously had 2.64 running on this machine with the Surbl checking working (after help from this list). I could only get the network tests to work after installing Net::DNS using CPAN. I would prefer however to do it the Debian way. Is there a way to get this working using Debian packages? And which packages should be installed then? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Neither is there salvation in any other; for there is none other name under heaven given among men, whereby we must be saved." Acts 4:12
Re: Training bayesian filter in a gateway situation.
On Wed, Jan 12, 2005 at 12:43:34PM +, Anthony Metcalf wrote: > > As the server my mail client interacts with is not the one spam > filtering, I would like to set up two accounts on the gateway box, ham > and spam, so I can forward mail to those accounts, and have spamassassin > learn what is ham and spam from them. > > How do I go about this? > > System Setup: > > Internet<-->gateway(linux,postfix, amavisd, clamav, f-prot, > spamassassin)<-->internal server(windows, exchange) > I have SA running on three servers that form an email gateway. I don't scan outgoing mail for spam. I have requested users to send spam that got through to me by attaching the spam to the email. Those messages are saved in the "spam" folder and a cron job unpacks them into separate messages in a maildir folder named "nuwespam". The same program unpacks the attached "hams" from "xham" to "ham". When I come across individual spams I save them in the "nuwespam" folder directly. The program unpacking the attachments will only handle attachments of the RFC822 standard and ignore the rest. I have written it in Ocaml. Unfortunately it was developed for this specific situation and not really suitable for distribution. If I have time and there is a need for it, I might try and adapt it to be more generic and more useful for other users as well. The three servers then collect the "nuwespam" and "ham" folders on a daily basis and feed them to sa-learn. From time to time I select ham message from emails I receive to save to the "ham" folder because the feedback I get from users are normally more spam than ham. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Wherefore let him that thinketh he standeth take heed lest he fall." I Corinthians 10:12
Re: Catching Windows executables as attachments
On Thu, Sep 09, 2004 at 11:13:49AM -0500, ROY,RHETT G wrote: > You could block them with your MTA (Postfix, Qmail etc). In exim with exiscan-acl:

    deny message = $found_extension files are not accepted here \n \
                   If you have questions please contact [EMAIL PROTECTED]
         demime = com:vbs:bat:pif:scr:exe

Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "Draw near to God and he will draw near to you. Cleanse your hands, you sinners; and purify your hearts, you double minded." James 4:8