RE: SPAM tagging

2007-10-30 Thread Leon Kolchinsky
Hi,

Read this http://www200.pair.com/mecham/spam/amavisd-settings.html

And you’ll be set.

Regards,
Leon Kolchinsky


From: Agnello George [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 30, 2007 8:31 AM
To: users@spamassassin.apache.org
Subject: SPAM tagging

 

 

Hi

I have installed amavisd-new on my postfix mailserver. Now I need to test spam, 
so I sent a mail with the following text in the body (see link). This 
is found at http://spamassassin.apache.org/gtube/ .

As per the logs the mail is being blocked, but our requirement is that it should 
be tagged as SPAM ( ***SPAM*** ). Below are the logs:

###

Oct 30 11:50:08 fedora7 amavis[3784]: (03784-01) Blocked SPAM, MYNETS LOCAL [127.0.0.1 http://127.0.0.1/ ] [ 127.0.0.1 http://127.0.0.1/ ] [EMAIL PROTECTED] -  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] , Message-ID: [EMAIL PROTECTED], mail_id: itV2-9cTSct6, Hits: 1001.149, size: 807, 1698 ms
Oct 30 11:50:08 fedora7 postfix/smtp[3749]: 80590464DE: to= [EMAIL PROTECTED], relay=127.0.0.1[ 127.0.0.1 http://127.0.0.1/ ]:10024, delay=1.8, delays=0.06/0/0.01/1.7, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=03784-01 - SPAM)
Oct 30 11:50:08 fedora7 postfix/qmgr[3499]: 80590464DE: removed

##

Do let me know how to tag SPAM mails 


-- 
God Bless  

Agnello . G .Dsouza

 






RE: Advice on MTA blacklist

2007-10-10 Thread Leon Kolchinsky
 Hello,
 
 Which spam blacklists do you use in your MTA config. (postfix)
 smtpd_client_restrictions
 
 Currently we only use : reject_rbl_client list.dsbl.org
 
 We let spamassassin fight the rest of the spam. But the load of spam is
 getting too high for our organisation. Which list is safe enough to block
 senders at MTA level ?
 
 Spamhaus, or spamcop ?
 
 I would like to hear some advice or maybe your current setup ?
 
 Thank you for any advice we can use .
 
 Greetings Richard


I'm using 
reject_rbl_client zen.spamhaus.org,
reject_rbl_client safe.dnsbl.sorbs.net,
reject_rbl_client list.dsbl.org,

and zen.spamhaus.org is filtering about 98% of all rbl rejects.


Regards,
Leon Kolchinsky



RE: sender name same as recipient name

2007-09-25 Thread Leon Kolchinsky
 RE: training.  I don't know.  My experience w/ SA is that
 it just works and I haven't dealt with it at this level yet.
 What is strange is that SA appeared to be working fine
 for my client, then all of the sudden this spike in spam
 occurred... and as I said, 99% of the spams have the
 sender name same as recipient name (see original post).
 


As Dave said, it seems that your problem is in the whitelist configuration. Please use 
whitelist_from_rcvd instead of whatever you are using.


Leon Kolchinsky


RE: Outbound spam filtering for a large ISP

2007-09-03 Thread Leon Kolchinsky
 Hello,
 
 I maintain a large webmail host (I bet you can figure out which one) for
 free/paid accounts that sends out tens of thousands of emails a day. We're
 not quite Yahoo Mail or Hotmail, but we're pretty big. We're looking to
 scan
 outbound mail using SpamAssassin and I'm hoping that someone here might
 have
 some suggestions or feedback on what the best way to configure this would
 be. I've seen a handful of posts about this in the archive, so I know it's
 come up before.
 
 My plan is to scan all outbound mail and drop all mails that match to a
 log
 file or a separate directory where they can be hand-reviewed by someone in
 our customer service department. We also wouldn't want to actually modify
 the mails on the way out-- so we wouldn't add the spamassassin mail
 headers.
 
 Does anyone here have practical experience or advice, tweaks, etc. that
 would help us to implement this sort of thing? (I know the volume will be
 fairly high, but a nice farm of machines all running spamd should be able
 to
 load balance that part fairly well. It's the rules I'm worried about and
 how
 to make the log/discard work the way I want.)
 
 Thanks in advance for any help you can provide.
 
 Joe
 


Try amavisd-new list.
There you could integrate your SA checks in a very efficient way (policy banks, 
quarantining, releasing etc.)
A MySQL backend is also a good idea on high-load servers.



Regards,
Leon Kolchinsky


RE: FuzzyOcr and spamassassin 3.2.x

2007-09-02 Thread Leon Kolchinsky
 Hi!
 
 This is my first post. I have installed SpamAssassin 3.2.2 and I want to
 use FuzzyOCR Plugin, but on the plugin's page I see: Please note that
 the current stable release is not SA 3.2.x compatible and I don't want
 to use a version that is not stable.
 What can I do? Are there more plugins like FuzzyOCR?
 Thanks.
 


Hi,

I'm using the SVN version of FuzzyOcr with no problems.
Just get it like this and install:
# svn -r 132 co svn://svn.own-hero.net/fuzzyocr/trunk/devel


Best Regards,
Leon Kolchinsky


adjusting DNS_FROM_OPENWHOIS and DNS_FROM_RFC_DSN scores

2007-08-19 Thread Leon Kolchinsky
Hello All,

After an upgrade to SA3.2.2 I've noticed that I've started to get FP's from 
e-mail accounts originating at walla.com

I can see that it may be wise to adjust some scores to make these FP get thru 
my system:

score DNS_FROM_OPENWHOIS 0
score DNS_FROM_RFC_DSN 0


Do you think this is reasonable enough and I can spare these 2 scores?


Below are some scores from those FP mails:
--
X-Spam-Status: Yes, score=7.575 tag=-999 tag2=5 kill=5 tests=[BAYES_20=-0.74,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, RCVD_IN_NJABL_PROXY=1.643,
SUBJ_ALL_CAPS=0]

X-Spam-Status: Yes, score=6.673 tag=-999 tag2=5 kill=5 tests=[BAYES_50=0.001,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]

X-Spam-Status: Yes, score=5.562 tag=-999 tag2=5 kill=5 tests=[BAYES_05=-1.11,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739]

X-Spam-Status: Yes, score=6.673 tag=-999 tag2=5 kill=5 tests=[BAYES_50=0.001,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]

X-Spam-Status: Yes, score=6.673 tag=-999 tag2=5 kill=5 tests=[BAYES_50=0.001,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]

X-Spam-Status: Yes, score=5.514 tag=-999 tag2=5 kill=5 tests=[BAYES_00=-2.599,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, FB_CIALIS_LEO3=1.441,
HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.097,
MIME_BASE64_TEXT=1.753, MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739]

X-Spam-Status: Yes, score=5.619 tag=-999 tag2=5 kill=5 tests=[BAYES_00=-2.599,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495,
HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]



Best Regards,
Leon Kolchinsky
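
Added example (not part of the original post): a Python script that parses the X-Spam-Status headers quoted above and recomputes each total with the proposed score overrides, to check whether the false positives would drop below the tag2 level of 5. The function names, and the rule that a message counts as spam when its score is at or above tag2, are assumptions of this example.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Sample input: the five distinct X-Spam-Status headers from the post above
# (the two repeats of the 6.673 header are omitted), line breaks as posted.
SAMPLE = """\
X-Spam-Status: Yes, score=7.575 tag=-999 tag2=5 kill=5 tests=[BAYES_20=-0.74,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, RCVD_IN_NJABL_PROXY=1.643,
SUBJ_ALL_CAPS=0]

X-Spam-Status: Yes, score=6.673 tag=-999 tag2=5 kill=5 tests=[BAYES_50=0.001,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]

X-Spam-Status: Yes, score=5.562 tag=-999 tag2=5 kill=5 tests=[BAYES_05=-1.11,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739]

X-Spam-Status: Yes, score=5.514 tag=-999 tag2=5 kill=5 tests=[BAYES_00=-2.599,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, FB_CIALIS_LEO3=1.441,
HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.097,
MIME_BASE64_TEXT=1.753, MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739]

X-Spam-Status: Yes, score=5.619 tag=-999 tag2=5 kill=5 tests=[BAYES_00=-2.599,
DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495,
HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]
"""

NUM = r"-?\d+(?:\.\d+)?"
# One header: verdict, score, tag levels, then the bracketed list of rule hits.
HEADER_RE = re.compile(
    rf"X-Spam-Status:\s*\w+,\s*score=({NUM})\s+tag=\S+\s+tag2=({NUM})"
    rf"\s+kill=\S+\s+tests=\[([^\]]*)\]"
)
TEST_RE = re.compile(rf"([A-Z][A-Z0-9_]*)=({NUM})")


class Status(NamedTuple):
    score: float             # total reported by the scanner
    tag2: float              # level at which mail is marked as spam
    tests: Dict[str, float]  # rule name -> points it contributed


def parse_statuses(text: str) -> List[Status]:
    """Extract every X-Spam-Status header from text, wrapped lines included."""
    out = []
    for score, tag2, tests in HEADER_RE.findall(text):
        hits = {name: float(pts) for name, pts in TEST_RE.findall(tests)}
        out.append(Status(float(score), float(tag2), hits))
    return out


def rescore(status: Status, overrides: Dict[str, float]) -> float:
    """Total the rule hits again, using the override score where one is given."""
    return round(sum(overrides.get(n, p) for n, p in status.tests.items()), 3)


def simulate(text: str, overrides: Dict[str, float]) -> List[Tuple[float, float, bool]]:
    """Return (reported score, new score, still tagged as spam) per header."""
    rows = []
    for st in parse_statuses(text):
        new = rescore(st, overrides)
        # Assumption of this example: spam means score >= tag2 level.
        rows.append((st.score, new, new >= st.tag2))
    return rows


if __name__ == "__main__":
    both = {"DNS_FROM_OPENWHOIS": 0.0, "DNS_FROM_RFC_DSN": 0.0}
    one = {"DNS_FROM_RFC_DSN": 0.0}
    for label, ov in (("both rules zeroed", both), ("only RFC_DSN zeroed", one)):
        print(label)
        for old, new, spam in simulate(SAMPLE, ov):
            print(f"  {old:6.3f} -> {new:6.3f}  {'SPAM' if spam else 'ham'}")
```

With both rules zeroed all five messages fall below 5, the first one only just, at 4.950; zeroing DNS_FROM_RFC_DSN alone leaves the 7.575 and 6.673 messages tagged.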



Should I disable URIDNSBL plugin if I'm already rejecting based on BL with MTA

2007-08-16 Thread Leon Kolchinsky
Hello All,

I'm using BL in my main.cf config like this:
smtpd_recipient_restrictions =
.
.
reject_rbl_client zen.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client safe.dnsbl.sorbs.net,
reject_rbl_client list.dsbl.org,
.
.

So actually the BL check is already performed at the MTA level.

Is it advisable to comment out this line in init.pre in my case (or are there 
other considerations I'm not aware of)?:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL




Best Regards,
Leon Kolchinsky



RE: warning - score undef for rule 'MISSING_SUBJECT'...

2007-08-15 Thread Leon Kolchinsky
 The first time I run sa-update after a v3.2.3 install, I get the
 following warnings:
 
 rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at
 /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
 line 2140.
 rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at
 /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
 line 2140.
 rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at
 /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
 line 2140.
 rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at
 /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
 line 2140.
 rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at
 /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
 line 2140.
 rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at
 /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm
 line 2140.
 ...
 (repeated several times)
 
 The update succeeds anyway.  What causes these warnings?
 
 Thanks, Larry

The score MISSING_SUBJECT is removed from 3.1.x and 3.2.x now.
You could check your local.cf (or in some .pre file) for this score and remove 
it.


Regards,
Leon Kolchinsky



RE: MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?

2007-08-13 Thread Leon Kolchinsky
 They no longer hit enough spam to be worth keeping, so they were removed.
 Just remove the scores when you upgrade.
 
 Loren

Thanks,

I've suspected that :)


Leon
 



MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?

2007-08-11 Thread Leon Kolchinsky
Hello All,

I'm going to upgrade SA from spamassassin-3.1.7-3 to spamassassin-3.2.2-1.
In my local.cf I've adjusted some optional scores and now I want to check if 
these scores are still intact in the new version of SA.

So I went to 
http://spamassassin.apache.org/tests_3_1_x.html
and 
http://spamassassin.apache.org/tests_3_2_x.html

I've found that:
1) RATWARE_OUTLOOK_NONAME and MISSING_SUBJECT are now missing in both (3.1.x and 
3.2.x)
These scores were intact for my 3.1.7 installation when I configured it 
(spamassassin --lint gives no error).
What happened? How did these scores disappear?
Should I just remove them from my local.cf before the upgrade?


Best Regards,
Leon Kolchinsky


RE: AMaViS/SA chrroted: Error creating a DNS resolver socket: No such file or directory

2007-07-10 Thread Leon Kolchinsky
 Hi,
 
 I tried to set up SA with AMaViS in a chrooted environment
 ($daemon_chroot_dir = $MYHOME). I (thought I) copied all necessary files
 to
 the jail but when SA is starting I get an error:
 
 Jul 10 10:44:02 TEG /usr/local/sbin/amavisd[6817]: SpamControl:
 initializing
 Mail::SpamAssassin
 Error creating a DNS resolver socket: No such file or directory at
 /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line
 227.
 Jul 10 10:44:05 TEG /usr/local/sbin/amavisd[6817]: SpamControl:
 init_pre_fork done
 
 Any idea what is missing?
 

Do you have this
/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm
file in your chrooted environment?

If not, copy it to 
$daemon_chroot_dir//usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm


Regards,
Leon Kolchinsky


RE: AMaViS/SA chrroted: Error creating a DNS resolver socket: No such file or directory

2007-07-10 Thread Leon Kolchinsky
  I tried to set up SA with AMaViS in a chrooted environment
  ($daemon_chroot_dir = $MYHOME). I (thought I) copied all necessary
 files
  to
  the jail but when SA is starting I get an error:
  Jul 10 10:44:02 TEG /usr/local/sbin/amavisd[6817]: SpamControl:
  initializing
  Mail::SpamAssassin
  Error creating a DNS resolver socket: No such file or directory at
  /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm
  line 227.
  Jul 10 10:44:05 TEG /usr/local/sbin/amavisd[6817]: SpamControl:
  init_pre_fork done
  Any idea what is missing?
  Do you have this
  /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm
  File in your chrooted environment?
 
 Yes:
 
 [EMAIL PROTECTED] ~]# ls -la /var/amavis/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm
 -rwxr-x---  1 root  vscan  14970 Jun  8 14:55 /var/amavis/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm
 [EMAIL PROTECTED] ~]#
 
 Can I run a perl script using DNSResolver to test things? BTW,
 $CHROOT/etc/resolv.conf is of course present, too.


Stupid question, but $MYHOME = /var/amavis ?
Also you can try to debug it with strace.
Look for all the files you're missing in the jail and copy them into it.
(here is a little example on how to use strace to find requirements outside the 
jail - http://olivier.sessink.nl/jailkit/howtos_debug_jails.html )


Best Regards,
Leon Kolchinsky



RE: AMaViS/SA chrroted: Error creating a DNS resolver socket: No such file or directory

2007-07-10 Thread Leon Kolchinsky
 
 What would a perl command look like to resolve a host? Because I think it
 is
 a perl issue.
 
 Helmut


I've never run amavisd-new in chroot, but maybe you'll find some tips here - 
http://www.ijs.si/software/amavisd/README.chroot 


Seems to me like a resolver issue (probably need to configure FreeBSD a little 
differently than OpenBSD).


Best Regards,
Leon Kolchinsky



RE: Any way to bypass authenticated users?

2007-06-20 Thread Leon Kolchinsky
 fc4, sendmail, sa 3.0.6, spamass-milter
 
 some clients get mail rejected from my server (which they are using to
 send) because sa is checking all mail.  I use smtp auth - Is there any
 way to bypass SA if they have been authenticated?


Check this howto: http://www200.pair.com/mecham/spam/bypassing.html



RE: Spamassassin 3.20 and Amavis-New

2007-05-30 Thread Leon Kolchinsky


 -Original Message-
 From: Martin Hochreiter [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, May 29, 2007 12:46 PM
 To: users@spamassassin.apache.org
 Subject: Re: Spamassassin 3.20 and Amavis-New
 
 
  @additional_perl_modules = qw(
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Locales.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Bayes.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/BodyEval.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Check.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/DNSEval.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HTMLEval.pm,
 
 /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HTTPSMismatch.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/ImageInfo.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/MIMEEval.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/RelayEval.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/URIEval.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm,
  /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/WLBLEval.pm,
  /usr/lib/perl5/site_perl/5.8.8/unicore/lib/gc_sc/Digit.pl,
  /usr/lib/perl5/site_perl/5.8.8/unicore/lib/gc_sc/SpacePer.pl,
  /usr/lib/perl5/site_perl/5.8.8/unicore/lib/gc_sc/Word.pl
  );
 
 
  You got the syntax wrong, remove the commas, the qw Perl operator
  splits on whitespace and commas remain part of a filename.
 
  Instead of the full module file path, you may use the short
  Perl notation, e.g. Mail::SpamAssassin::Plugin::Bayes
  assuming the module is in the Perl include path.
 
Mark
 
 
 Hi Mark!
 
 Thank you for your answer.
 I am using SuSE RPMs so upgrading amavis is not that easy (as I was
 not able to find a repository yet)
 

Not true,

You can use Anders Norrbring's rpms
from ftp://ftp.norrbring.com/pub/linux/inst-source

His rpms (actually I always compile his src.rpm to get the actual packages) 
are very good and I'm using them on my production server.



Regards,
Leon Kolchinsky


RE: FuzzyOCR Warnings and General Questions

2007-04-10 Thread Leon Kolchinsky
 
 I'm running Spamassassin on OpenSuse 10.2 and have just installed
 FuzzyOCR.
 
 It appears to be working in that it scans/detects words in the supplied
 test files.
 
 I noticed spamassassin --lint gives:
 
 [25313] warn: FuzzyOcr: Cannot find executable for pamthreshold
 [25313] warn: FuzzyOcr: Cannot find executable for tesseract
 
 Which seems fair enough as I don't have them.
 
 Is it just a spurious warning though or do I need to be concerned?
 
 Also as a general question other than adding words to the wordlist as
 and when, are there any Must Know tips n tricks for FuzzyOCR?
 
 cheers,

Hi,

Take a look here (http://www200.pair.com/mecham/spam/image_spam2.html) and use 
patches for netpbm  10.34


Or do the following (works for me):

1) Download latest stable version:
# svn checkout https://netpbm.svn.sourceforge.net/svnroot/netpbm/stable netpbm

2) Apply this patch:
diff -Naur netpbm-10.35.21/Makefile.config.in 
netpbm-10.35.21-patched/Makefile.config.in
--- netpbm-10.35.21/Makefile.config.in  2007-01-14 16:18:25.0 +0200
+++ netpbm-10.35.21-patched/Makefile.config.in  2007-01-14 16:33:59.304432096 
+0200
@@ -108,7 +108,7 @@
 #OSF1:
 #INSTALL = $(SRCDIR)/buildtools/installosf
 #Red Hat Linux:
-#INSTALL = install
+INSTALL = install

 # STRIPFLAG is the option you pass to the above install program to make it
 # strip unnecessary information out of binaries.
@@ -280,9 +280,9 @@
 # compiler/linker).  Build-time linking fails without it.  I don't
 # know why -- history seems to be repeating itself.  2005.02.23.

-CFLAGS_SHLIB =
+# CFLAGS_SHLIB =
 # Solaris or SunOS with gcc, and NetBSD:
-#CFLAGS_SHLIB = -fpic
+CFLAGS_SHLIB = -fPIC
 #CFLAGS_SHLIB = -fPIC
 # Sun compiler:
 #CFLAGS_SHLIB = -Kpic
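
Review bot: The CFLAGS_SHLIB change in Makefile.config.in rewrites the commented "-fpic" line into an active "-fPIC" one, which leaves an identical commented "#CFLAGS_SHLIB = -fPIC" line directly beneath it and drops the "-fpic" alternative from the file's list of options. It would be cleaner to leave the "-fpic" line untouched and uncomment the existing "-fPIC" line instead; commenting out the empty "CFLAGS_SHLIB =" default can stay as it is.
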
@@ -350,7 +350,7 @@
 # The TIFF library.  See above.  If you want to build the tiff
 # converters, you must have the tiff library already installed.

-TIFFLIB = NONE
+TIFFLIB = libtiff.so
 TIFFHDR_DIR =

 #TIFFLIB = libtiff.so
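
Review bot: TIFFLIB is switched from NONE to libtiff.so while TIFFHDR_DIR stays empty, so the build now depends on the tiff headers and library being found in the compiler's default search paths. The same holds for the JPEGLIB, PNGLIB and ZLIB hunks that follow. The instructions should say which development packages have to be installed before building, or the matching *HDR_DIR variables should be set explicitly.
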
@@ -382,7 +382,7 @@
 # JPEG stuff statically linked in, in which case you won't need
 # JPEGLIB in order to build the Tiff converters.

-JPEGLIB = NONE
+JPEGLIB = libjpeg.so
 JPEGHDR_DIR =
 #JPEGLIB = libjpeg.so
 #JPEGHDR_DIR = /usr/include/jpeg
@@ -413,7 +413,7 @@
 # case, PNGLIB and PNGHDR_DIR are irrelevant, but PNGVER is still meaningful,
 # because the make file runs 'libpng$(PNGVER)-config'.

-PNGLIB = NONE
+PNGLIB = libpng.so
 PNGHDR_DIR =
 PNGVER =
 #PNGLIB = libpng$(PNGVER).so
@@ -432,7 +432,7 @@
 #
 # If you have 'libpng-config' (see above), these are irrelevant.

-ZLIB = NONE
+ZLIB = libz.so
 ZHDR_DIR =
 #ZLIB = libz.so

diff -Naur netpbm-10.35.21/converter/other/fiasco/codec/dfiasco.c 
netpbm-10.35.21-patched/converter/other/fiasco/codec/dfiasco.c
--- netpbm-10.35.21/converter/other/fiasco/codec/dfiasco.c  2007-01-14 
16:18:03.0 +0200
+++ netpbm-10.35.21-patched/converter/other/fiasco/codec/dfiasco.c  
2007-01-14 16:37:35.780522728 +0200
@@ -15,7 +15,7 @@
  */

 #include string.h
-
+#include stdlib.h
 #include config.h

 #include types.h
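
Review bot: The stdlib.h include added to dfiasco.c takes the place of the blank line that separated the system header from the project's own config.h and types.h includes. Keep the separator and put the new include above it, and say in the patch description which declaration was missing, since the hunk does not show the call that needs it.
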
diff -Naur netpbm-10.35.21/converter/other/fiasco/config.h 
netpbm-10.35.21-patched/converter/other/fiasco/config.h
--- netpbm-10.35.21/converter/other/fiasco/config.h 2007-01-14 
16:18:03.0 +0200
+++ netpbm-10.35.21-patched/converter/other/fiasco/config.h 2007-01-14 
16:36:00.265043288 +0200
@@ -25,6 +25,12 @@
byte first (like Motorola and SPARC, unlike Intel and VAX).  */
 /* #undef WORDS_BIGENDIAN */

+/* since we don't have autoconf... */
+#include endian.h
+#if __BYTE_ORDER == __BIG_ENDIAN
+#define WORDS_BIGENDIAN 1
+#endif
+
 /* Define if the X Window System is missing or not being used.  */
 #define X_DISPLAY_MISSING 1

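Review bot: The block added to config.h pulls in endian.h and tests __BYTE_ORDER unconditionally. That header and macro are a Linux libc convention, so on a platform without them this turns a configuration default into a build failure. Wrap the block in a platform check (for example on __linux__ or __GLIBC__) and leave WORDS_BIGENDIAN undefined otherwise, as the file did before.
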
diff -Naur netpbm-10.35.21/converter/other/fiasco/input/basis.c 
netpbm-10.35.21-patched/converter/other/fiasco/input/basis.c
--- netpbm-10.35.21/converter/other/fiasco/input/basis.c2007-01-14 
16:18:00.0 +0200
+++ netpbm-10.35.21-patched/converter/other/fiasco/input/basis.c
2007-01-14 16:38:10.711212456 +0200
@@ -13,7 +13,7 @@
  *  $Revision: 5.3 $
  *  $State: Exp $
  */
-
+#include string.h
 #include config.h

 #include types.h
diff -Naur netpbm-10.35.21/converter/pbm/icontopbm.c 
netpbm-10.35.21-patched/converter/pbm/icontopbm.c
--- netpbm-10.35.21/converter/pbm/icontopbm.c   2007-01-14 16:18:22.0 
+0200
+++ netpbm-10.35.21-patched/converter/pbm/icontopbm.c   2007-01-14 
16:43:50.478559968 +0200
@@ -13,6 +13,7 @@
 #include string.h

 #include nstring.h
+#include limits.h
 #include pbm.h

 /* size in bytes of a bitmap */
diff -Naur netpbm-10.35.21/converter/ppm/ppmtowinicon.c 
netpbm-10.35.21-patched/converter/ppm/ppmtowinicon.c
--- netpbm-10.35.21/converter/ppm/ppmtowinicon.c2007-01-14 
16:18:20.0 +0200
+++ netpbm-10.35.21-patched/converter/ppm/ppmtowinicon.c2007-01-14 
16:46:54.505583608 +0200
@@ -12,7 +12,7 @@

 #include math.h
 #include string.h
-
+#include stdlib.h
 #include winico.h
 #include ppm.h
 #include 

RE: Pamditherbw gone, but no pamthreshhold (REPOST)

2007-03-27 Thread Leon Kolchinsky


 -Original Message-
 From: David Baron [mailto:[EMAIL PROTECTED]
 Sent: Monday, March 26, 2007 5:31 PM
 To: users@spamassassin.apache.org
 Subject: Pamditherbw gone, but no pamthreshhold (REPOST)
 
 Got no advice on this so reposting:
 
 Now getting loads of FuzzyOcr failed to execute pamditherbw.
 I have ppmtopgm but no pamtopnm and no pamthreshold.
 
 I have netpbm 2.10.0-11 from Debian Sid. So I commented out the missing
 stuff
 in FuzzyOcr.scansets,  but in FuzzyOcr.preps, this was an either or
 situation.
 
 I do have a ppmdither. (Also, some other pamto thingies that are in
 FuzzyOcr.preps: Pamtotiff - ppm2tiff? )
 
 How to fix it? Simply substitute ppmto's? Argument changes as well?


Look here:
http://www200.pair.com/mecham/spam/image_spam2.html

You can grab and use patches from there.


Regards,
Leon


RE: [2] How can I configure spamassassin to filter spam jpgs?

2007-02-18 Thread Leon Kolchinsky


 -Original Message-
 From: Raul Dias [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 15, 2007 7:12 PM
 To: Maciej Friedel
 Cc: users@spamassassin.apache.org
 Subject: Re: [2] How can I configure spamassassin to filter spam jpgs?
 
 On Thu, 2007-02-15 at 11:01 +0100, Maciej Friedel wrote:
  On 02/15/07 NIbbLLe wrote:
 
   suggestions on how I can install the plugin on the Windows machine?
 
  FuzzyOCR is written in perl. So it will work on windows too
 
 gocr is not perl. It might not work under win32 (don't know) without a
 posix environment like cygwin.
 

Gocr is working on windows.

 -Raul Dias



RE: FuzzyOCR: pamthreshold

2007-02-08 Thread Leon Kolchinsky
Pamthreshold is in 10.34 and higher versions of netpbm.

Use patches from here http://www200.pair.com/mecham/spam/image_spam2.html
to solve your problem.

Regards,
Leon Kolchinsky

 



From: Spamassassin List [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 08, 2007 11:17 AM
To: users@spamassassin.apache.org
Subject: FuzzyOCR: pamthreshold

 

Hi,

I am running CentOS 4.4 and have netpbm installed.

[EMAIL PROTECTED] textspam]# rpm -q netpbm-devel
netpbm-devel-10.25-2.EL4.3
[EMAIL PROTECTED] textspam]# rpm -q netpbm-progs
netpbm-progs-10.25-2.EL4.3
[EMAIL PROTECTED] textspam]# rpm -q netpbm-devel
netpbm-devel-10.25-2.EL4.3

I still have the below error. Can anyone please tell me what package I am 
lacking?

[4292] warn: FuzzyOcr: Cannot find executable for pamthreshold

Thanks

Regards,

Nic



RE: useful SA on Suse 9.0

2007-02-04 Thread Leon Kolchinsky


 -Original Message-
 From: Sebastian Ries [mailto:[EMAIL PROTECTED]
 Sent: Friday, February 02, 2007 9:10 AM
 To: users@spamassassin.apache.org
 Subject: useful SA on Suse 9.0
 
 Hi there
 
 I have an old machine running Suse 9.0 with SA version 2.55 .
 
 For certain reasons I am not able to update the whole system but as there
 is
 too much undetected Spam I need to update SA.
 
 Does anyone have suggestion how to install an up-to date SpamAssassin on
 this
 system?
 Any hints are welcome!
 
 Regards
 Sebastian Ries
 

This is for SA + Amavisd-new:

Recompile the following src.rpm packages (some of them are for use with FuzzyOCR); take them 
from OpenSuse factory:

perl-MLDBM-2.01-280.src.rpm  
perl-Convert-UUlib-1.051-31.src.rpm   
perl-MLDBM-Sync-0.30-276.src.rpm
perl-IO-Multiplex-1.08-14.src.rpm 
perl-Archive-Tar-1.30-17.src.rpm 
perl-Net-Server-0.94-18.src.rpm
perl-IO-String-1.08-30.src.rpm
perl-BerkeleyDB-0.31-12.src.rpm  
perl-Tie-Cache-0.17-274.src.rpm
perl-MIME-tools-5.420-20.src.rpm  
perl-Compress-Zlib-1.42-20.src.rpm   
perl-Tie-IxHash-1.21-618.src.rpm
perl-IO-Zlib-1.04-29.i586.src.rpm

You can compile these from src.rpms taken from Anders Norrbring ftp:
amavisd-new-2.4.4-4.i586.rpm
perl-spamassassin-3.1.7-3.i586.rpm
spamassassin-3.1.7-3.i586.rpm

After you compile and install all these make sure your local.cf and 
amavisd.conf are of the new format (read release notes for SA 3.1)


Note:
-
  Due to the database format change, you will want to do something like
  this when upgrading:

  - stop running spamassassin/spamd (ie: you don't want it to be running
during the upgrade)
  - run sa-learn --rebuild, this will sync your journal.  if you skip
this step, any data from the journal will be lost when the DB is
upgraded.
  - upgrade SA to 3.0.0
  - run sa-learn --sync, which will cause the db format to be upgraded.
if you want to see what is going on, you can add the -D option.
  - test the new database by running some sample mails through
SpamAssassin, and/or at least running sa-learn --dump to make sure
the data looks valid.

  - put new local.cf to its location
  - check the syntax of SA and amavisd-new 
  # spamassassin --lint
  # su vscan 
  # /usr/sbin/amavisd debug
  
  OR
  su - vscan -c '/usr/sbin/amavisd debug'
  


 --
 
 DT Netsolution GmbH -  Talaeckerstr. 30 -  D-70437 Stuttgart
 Tel: +49-711-849910-36   Fax: +49-711-849910-936
 WEB: http://www.dtnet.de/ email: [EMAIL PROTECTED]


RE: netpbm 2.10

2007-01-23 Thread Leon Kolchinsky


 -Original Message-
 From: David Baron [mailto:[EMAIL PROTECTED]
 Sent: Monday, January 22, 2007 4:38 PM
 To: users@spamassassin.apache.org
 Subject: netpbm 2.10
 
 This version is now on Debian Sid.
 
 Do I go over to the newer function calls for FuzzyOcr or is they still not
 available (or does this matter)?

I've installed from source 10.35.21 ver. on my SLES9 and it's working nicely so 
far.

If you'd like my step-by-step for suse, I can send it to you.


Regards,
Leon Kolchinsky


RE: Spam graphing

2007-01-23 Thread Leon Kolchinsky


 -Original Message-
 From: Gary V [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 23, 2007 6:20 AM
 To: users@spamassassin.apache.org
 Subject: Re: Spam graphing
 
I then spend the better part of the day looking for a nice graphing
 utility that works.   I'd like it to show total messages, spam/blocked
 messages, and virus emails in a clean graph.
 
Does anyone know of any or have recommendations?
 
 Possibly mailgraph
 http://people.ee.ethz.ch/~dws/software/mailgraph/
 
 I have never investigated the accuracy however. It may need a minor edit
 if
 you are using a recent version of amavisd-new:
 http://www200.pair.com/mecham/spam/mailgraph.pl-amavis-patch.txt
 
 Gary V
 

I agree on that.

From my tests:
Amavis-stats 0.1.22 and mailgraph results are very similar.

Note that the Rejected count in mailgraph is wrong (compared to pflogsumm and 
logwatch results), but you can get the Rejected count from pflogsumm.


Regards,
Leon Kolchinsky




RE: SA gateway

2006-12-25 Thread Leon Kolchinsky
I can’t see why this should be the problem with amavisd-new?

You can exclude any domain from SA checks via amavis.

Look for some info here: http://www200.pair.com/mecham/spam/bypassing.html

 



From: Maxim Cernэ [mailto:[EMAIL PROTECTED] 
Sent: Sunday, December 24, 2006 12:07 AM
To: Michael Scheidell; users@spamassassin.apache.org
Subject: Re: SA gateway

 

Hello, 

 Firewall mail.example.com and don't let it accept any email from 
 anyone but spamfilter.example.com

I can't do this, because there are more mail domains set on mail.example.com 
(e.g. example2.com) and I don't filter messages going to example2.com. Any 
other solution?

Maybe there is some option in MTA (i'm using postfix) to allow messages to 
somedomain.com only from somemachine.com? I didn't find it.

Max



RE: roaming users sending mail internally and dynamic IPs issue

2006-12-18 Thread Leon Kolchinsky


 -Original Message-
 From: Thomas Bolioli [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 18, 2006 5:37 PM
 To: users@spamassassin.apache.org
 Subject: roaming users sending mail internally and dynamic IPs issue
 
 Whenever our users travel outside the internal networks and send email
 to each other, the emails get tagged by the below reports (yes, I
 cranked up the default scores because of the botnet crap out there)
 because they are on dyn IPs and sending direct to the receiving MTA.
 
 I see a couple of ways that this can be remedied, most of which is
 acceptable. a) Whitelist all of the users (or the entire domain) for
 every domain on the system [obviously bad since it allows spammers to
 spoof from headers with impunity even with SPF setup]. b) set up second
 machine to be a second MTA and have users send email from machine 2
 which then relays to machine 1 [waste of a machine and energy to run
 that machine]. or c) there is some configuration I am missing. Does
 anyone know what I can do to fix this?
 
 Thanks,
 Tom
 
 *  0.7 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
 address
 *  [xx.xx.xx.xx listed in dnsbl.sorbs.net]
 *  2.5 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *  [xx.xx.xx.xx listed in combined.njabl.org]

If you are using postfix+amavis+SA, there are many ways to bypass SA checks for 
your users:
http://www200.pair.com/mecham/spam/bypassing.html



Regards,
Leon


RE: MSRBL

2006-12-15 Thread Leon Kolchinsky


 -Original Message-
 From: Chris [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 14, 2006 5:55 AM
 To: users@spamassassin.apache.org
 Subject: Re: MSRBL
 
 On Wednesday 13 December 2006 11:35 am, Bret Miller wrote:
  Has anyone here tried MSRBL (http://www.msrbl.com/site/)? I'm running it
  in trial now, but thought I'd ask to see if anyone here had an opinion
  before doing anything serious with it.
 
  TIA,
  Bret
 
 Bret, on my home system I use the MSRBL-Images.hdb and MSRBL-Spam.ndb in
 conjunction with Clamav. I have some stats if you're interested.
 


I'd like to see some stats, please.
I'd also like to hear some opinions on FP numbers, effectiveness etc.

 --
 Chris
 http://learn.to/quote


Leon


RE: backup for bayesian DB

2006-12-12 Thread Leon Kolchinsky


 -Original Message-
 From: Michael Scheidell [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 12, 2006 1:29 AM
 To: לאון קולצ'ינסקי; users@spamassassin.apache.org
 Subject: RE: backup for bayesian DB
 
 
 
  -Original Message-
  From: Leon Kolchinsky [mailto:[EMAIL PROTECTED]
  Sent: Monday, December 11, 2006 8:54 AM
  To: users@spamassassin.apache.org
  Subject: backup for bayesian DB
 
 
  Hello All,
 
  What is the preferred way to back up the following Bayesian DB
  files? What is the suggested frequency to make backups of the
  following databases?
 
 If you are using db files, sa-learn will do a backup of the bayes db for
 you.
 
 (for a flush and expire first, see 'man sa-learn')
 
 For auto-whitelist, I think all you need to do make sure you don't have
 it opened (maybe create the mutex yourself) and bzip or make a
 compressed copy.
 
 If using SQL (use sql, it's less prone to corruption), use the SQL
 server's backup routines.
 
 How often?
 You need to back it up just before you lose the original...
 

I thought of disaster recovery backup.
I've read the man pages but am still not clear about backing up Bayesian DB files 
(I don't use SQL DB for now).

1) Is the following command legit?
sa-learn --sync --showdots --backup > backup.txt

Does this command make a backup of bayes_seen, bayes_toks, user_prefs, 
auto-whitelist altogether?
 
2) Should I stop SA(amavisd-new) from running during this backup?

3) Where can I read more about AWL backup and .mutex files (I'm not familiar 
with those)?

4) Where can I find bayes expiration configuration? Didn't see it in my 
local.cf? What are the default values and how to change those?

 
  # ls -l /var/spool/amavis/.spamassassin/
  total 14366
  drwx------  2 vscan vscan      280 Dec 11 15:18 .
  drwx------  1 vscan root       456 Dec 10 11:29 ..
  -rw-------  1 vscan vscan  2650112 Dec 11 15:52 auto-whitelist
  -rw-------  1 vscan vscan        6 Dec 11 15:52 auto-whitelist.mutex
  -rw-------  1 vscan vscan     5466 Dec 11 15:50 bayes.mutex
  -rw-------  1 vscan vscan    74520 Dec 11 15:52 bayes_journal
  -rw-------  1 vscan vscan 10498048 Dec 11 15:50 bayes_seen
  -rw-------  1 vscan vscan  5341184 Dec 11 15:50 bayes_toks
  -rw-r--r--  1 vscan vscan 1547 Oct 26 09:24 user_prefs
 

Regards,
Leon
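
A scheduled dump along the lines discussed in this message, as an added example that is not part of the original thread. The function names, file naming scheme and retention count are assumptions; it uses only sa-learn's --sync and --backup options, and sa-learn must run as the account that owns the database (vscan in the listing above).

```shell
#!/bin/sh
# Added example: dated text dumps of the Bayes database, newest N kept.
# Run it as the account that owns the database (vscan on the system above).

# Overridable so the functions can be exercised without SpamAssassin installed.
SA_LEARN=${SA_LEARN:-sa-learn}

# prune_backups DIR KEEP: delete all but the KEEP newest bayes-*.txt dumps.
# The timestamp in the file name makes a reverse name sort newest-first.
prune_backups() {
    ls -1 "$1"/bayes-*.txt 2>/dev/null | sort -r | tail -n +"$(($2 + 1))" |
    while IFS= read -r old; do
        rm -f "$old"
    done
}

# bayes_backup DIR [KEEP]: write DIR/bayes-YYYYmmdd-HHMMSS.txt, print its path.
bayes_backup() {
    dest=$1
    keep=${2:-7}
    [ -d "$dest" ] || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    tmp=$dest/.bayes-$stamp.partial
    out=$dest/bayes-$stamp.txt

    # Merge the journal into the token database first so the dump is current.
    "$SA_LEARN" --sync || return 1

    # --backup prints the database as text on stdout. Write to a hidden partial
    # file (mode 0600, like the database files) and rename only on success, so
    # a failed run never leaves a truncated dump that looks usable.
    if ! ( umask 077; "$SA_LEARN" --backup > "$tmp" ) || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out" || return 1
    prune_backups "$dest" "$keep"
    printf '%s\n' "$out"
}

# Typical cron use (path is a placeholder):
#   bayes_backup /path/to/backup/dir 7
# Restore on a rebuilt host with:
#   sa-learn --restore /path/to/backup/dir/bayes-<stamp>.txt
```

The dump covers the Bayes data only; auto-whitelist and user_prefs are separate files and need their own copy.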


RE: FuzzyOCR Words List

2006-12-11 Thread Leon Kolchinsky


 -Original Message-
 From: Nigel Kendrick [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 11, 2006 11:25 AM
 To: users@spamassassin.apache.org
 Subject: FuzzyOCR Words List
 
 Hi Guys,
 
 We have recently been suffering from tons of inline image spam but this
 has
 been pretty much killed by installing FuzzyOCR. Over the last week I have
 been adding to the FuzzyOCR words file, and recently went on a Web search
 to
 see what other lists I could find - to my surprise there didn't seem to be
 much out there, which I take as either:
 
 1) No one wants to publish their list for fear of giving the 'enemy' a
 heads
 up.
 or
 2) No one has bothered to share yet.
 
 I can see the argument for #1, but I also remember the argument on the
 SARE
 site that you can see their rules and so can the spammers but it makes
 little difference.
 
 Anyway, I am happy to publish my list here for scrutiny if anyone thinks
 it's worth it, and at the same time perhaps others will?
 
 Any thoughts?
 
 Cheers
 
 NK
 
 

Hi,

Recently I've added these words to FuzzyOcr.words:
GALROE
VXBX
VOXBOX
TELECOM
maku
arss
PRGJ

Maybe it's a good idea to keep such updated lists or maybe add to FuzzyOcr 
the ability to fetch updated lists from the web, but this should go to FuzzyOcr 
list, don't you think? 


Regards,
Leon Kolchinsky



backup for bayesian DB

2006-12-11 Thread Leon Kolchinsky
Hello All,

What is the preferred way to back up the following Bayesian DB files?
What is the suggested frequency to make backups of the following DBase's? 


# ls -l /var/spool/amavis/.spamassassin/
total 14366
drwx------  2 vscan vscan      280 Dec 11 15:18 .
drwx------  1 vscan root       456 Dec 10 11:29 ..
-rw-------  1 vscan vscan  2650112 Dec 11 15:52 auto-whitelist
-rw-------  1 vscan vscan        6 Dec 11 15:52 auto-whitelist.mutex
-rw-------  1 vscan vscan     5466 Dec 11 15:50 bayes.mutex
-rw-------  1 vscan vscan    74520 Dec 11 15:52 bayes_journal
-rw-------  1 vscan vscan 10498048 Dec 11 15:50 bayes_seen
-rw-------  1 vscan vscan  5341184 Dec 11 15:50 bayes_toks
-rw-r--r--  1 vscan vscan 1547 Oct 26 09:24 user_prefs


Leon Kolchinsky


RE: Is there a way to tell spam assassin to avoid any processing of local emails?

2006-12-09 Thread Leon Kolchinsky


 -Original Message-
 From: Peter M. Abraham [mailto:[EMAIL PROTECTED]
 Sent: Saturday, December 09, 2006 5:30 PM
 To: users@spamassassin.apache.org
 Subject: Is there a way to tell spam assassin to avoid any processing of
 local emails?
 
 
 
 
 Peter M. Abraham
 Greetings:
 
 Is there a way to tell Spam Assassin (SpamAssassin 3.1.7) to skip
 processing
 emails sent from our network (public IP addresses are involved)?
 
 I do have TrustedNeworks set up, but I don't know if there is another
 variable that must also be set up.
 
 Thank you.
 

Use amavis + one of the following tips here 
http://www200.pair.com/mecham/spam/bypassing.html



Leon



RE: how to modify headers so sa-learn gives more accurate results?

2006-12-07 Thread Leon Kolchinsky


 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 06, 2006 7:15 PM
 To: לאון קולצ'ינסקי
 Cc: users@spamassassin.apache.org
 Subject: Re: how to modify headers so sa-learn gives more accurate
 results?
 
 Leon Kolchinsky wrote:
  Hello All,
 
  I'm using the following script for reporting Razor and teaching BAYESIAN
 with ham and spam messages.
 
  I have the following questions:
  ---
  1) If I have the following in local.cf:
  use_bayes 1
  bayes_auto_learn 1
 
  Starting from what score is a message automatically learned by Bayesian?
 
  2) I do quarantine to spam mails and manually review all spam, then I
 put all False Positives (ham) to ham folder and all spam to spam folder
 and run the following script to populate Bayesian and report to Razor.
 
  Should I remove headers added like those -
  X-Quarantine-ID: X-Spam-Flag: X-Spam-Score: X-Spam-Level: X-Spam-Status:
 
 sa-learn will automatically ignore any headers and other markups that
 were added by SA, so you don't need to remove those.
 
 You can either remove X-Quarantine-ID, or use a bayes_ignore_header
 command to tell SA not to tokenize this.
 

OK, Thanks,

So the script should look like this now?

sa-learn --showdots --bayes_ignore_header X-Quarantine-ID --bayes_ignore_header 
X-Amavis-Alert --ham *

The problem is that I can't find any bayes_ignore_header option in 
# man sa-learn


  Or any others, so learning (sa-learn) would be more accurate?
  Any other recommendations?
 


Regards,
Leon



RE: how to modify headers so sa-learn gives more accurate results?

2006-12-07 Thread Leon Kolchinsky


 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 07, 2006 12:36 PM
 To: לאון קולצ'ינסקי
 Cc: users@spamassassin.apache.org
 Subject: Re: how to modify headers so sa-learn gives more accurate
 results?
 
 Leon Kolchinsky wrote:
  OK, Thanks,
 
  So the script should look like this now?
 
  sa-learn --showdots --bayes_ignore_header X-Quarantine-ID --
 bayes_ignore_header X-Amavis-Alert --ham *
 
 Erm.. bayes_ignore_header isn't a command-line option. It's a
 config-file option. put it in your local.cf.
 
 
  The problem is that I can't find any bayes_ignore_header option in
  # man sa-learn
 
 Of course not. see man Mail::SpamAssassin::Conf

Thanks, for pointing that out for me :)


how to modify headers so sa-learn gives more accurate results?

2006-12-06 Thread Leon Kolchinsky
Hello All,

I'm using the following script for reporting Razor and teaching BAYESIAN with 
ham and spam messages.

I have the following questions:
---
1) If I have the following in local.cf:
use_bayes 1
bayes_auto_learn 1

Starting from what score is a message automatically learned by Bayesian?

2) I do quarantine to spam mails and manually review all spam, then I put all 
False Positives (ham) to ham folder and all spam to spam folder and run the 
following script to populate Bayesian and report to Razor.

Should I remove headers added like those - 
X-Quarantine-ID: X-Spam-Flag: X-Spam-Score: X-Spam-Level: X-Spam-Status: 

Or any others, so learning (sa-learn) would be more accurate?
Any other recommendations?




The script:
---
#!/bin/bash

##### Revoking Ham #####
cd /var/spool/imap/user/spamcop/ham/ || exit 1
# Message files in this folder have names ending in a dot
for i in *.;
do
    echo "Revoking $i"
    cat "$i" | /usr/bin/razor-revoke -home=/var/spool/amavis/.razor/
done
echo "Revoke Completed!"

##### Reporting Spam #####
cd /var/spool/imap/user/spamcop/spam/ || exit 1
for i in *.;
do
    echo "Reporting $i"
    cat "$i" | /usr/bin/razor-report -home=/var/spool/amavis/.razor/
done
echo "Reporting Completed!"

##### Bayesian DB population with known ham and spam #####
# Ham: make the files readable by vscan, then learn as that user
chmod 755 /var/spool/imap/user/spamcop/ham
cd /var/spool/imap/user/spamcop/ham/ || exit 1
chmod 644 *.
su vscan -c "(sa-learn --showdots --ham *)"
echo "ham learning completed!"
# Spam
chmod 755 /var/spool/imap/user/spamcop/spam
cd /var/spool/imap/user/spamcop/spam/ || exit 1
chmod 644 *.
su vscan -c "(sa-learn --showdots --spam *)"
echo "spam learning completed!"



Best Regards,
Leon Kolchinsky


RE: RE: How to extract the Reverse DNS hostname by script means?

2006-12-05 Thread Leon Kolchinsky
It’s been discussed on Amavisd-new list.

Look here for more info: http://marc.theaimsgroup.com/?t=116483411500019&r=1&w=2

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 30, 2006 4:40 PM
To: לאון קולצ'ינסקי; users@spamassassin.apache.org
Subject: RE: RE: How to extract the Reverse DNS hostname by script means?

 


Hello! 

Leon Kolchinsky [EMAIL PROTECTED] wrote on 19.11.2006 09:28:14:

 Hi Bret,
 
 According to tip from Gary V. you can reliably use whitelist_from_rcvd,
 You only should configure the following parameters right:
 
 trusted_networks 
 internal_networks 
 
 
 
 Best Regards,
 Leon Kolchinsky
 
...

 SpamAssassin will be testing the whitelist_from_rcvd against the topmost
 (final) received header when SA runs, so that's the one you need to look
 at. 
... 

Well, does SA really check *only* topmost header? I've found that 
whitelist_from_rcvd works only if e-mail has *only one* received: header that 
fits with corresponding whitelist_from_rcvd record. If there are some 
additional untrusted received: headers in e-mail then whitelisting fails 
for me... 

Here is my configuration. 

my_server1.my_domain1.com is our SMTP server with Exim + SpamAssassin 
installed. 

my_server.my_domain.com acts as a relay for the first server (it can send both 
its own mail and external mail to my_server1.my_domain1.com). 
my_server.my_domain.com is added in trusted_networks. 

For example, I have the following record in my local.cf: 

whitelist_from_rcvd [EMAIL PROTECTED] my_domain.com. 


E-mail with the following *two* received: headers will not be whitelisted 
while with the *first* only will be: 

Received: from my_server.my_domain.com ([XXX.XXX.XXX.XXX]) 
by my_server1.my_domain1.com with esmtp (Exim 4.63) 
(envelope-from [EMAIL PROTECTED]) 
id 1Gpcaa-0003ZF-Ti 
for [EMAIL PROTECTED]; Thu, 30 Nov 2006 06:27:57 +0300 
Received: from alien_server.alien_domain.com ([YYY.YYY.YYY.YYY]) 
by my_server.my_domain.com (8.13.6/8.13.4) with SMTP id kAU3ROA5001821 
for [EMAIL PROTECTED]; Thu, 30 Nov 2006 06:27:50 +0300 (MSK) 
(envelope-from [EMAIL PROTECTED]) 


So, Am I missing something? Thanx in advance. 

Vitaly.



RE: New spam

2006-12-05 Thread Leon Kolchinsky
Yes,

These kinds of e-mails get caught by my FuzzyOcr.
It's all in the scansets configuration and words in the dictionary.

Some other image spam couldn't be read by FuzzyOcr, but this is the best tool 
for now, that I'm aware of. 

-Original Message-
From: Ray Anderson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 05, 2006 5:03 AM
To: users@spamassassin.apache.org
Subject: New spam

Hello,

I've been lurking for a while and had just recently decided to try to 
put the FuzzyOCR on my spam filtering machine, when I found the 
following incredibly obfuscated stock spam (link at bottom of message)

The question is this:

Will FuzzyOCR find/detect the garbage in this image or is even 
implementing OCR pointless as the generators get more sophisticated?

I wasn't sure if I could post an image, so here is a link to the headers 
and the image.

I'll take it down tomorrow morning.

Thanks!

-=Ray

http://www.rb-com.com/spam.php


RE: Spam from local users.

2006-12-05 Thread Leon Kolchinsky
I think you should read this http://www200.pair.com/mecham/spam/bypassing.html

-Original Message-
From: Anders Norrbring [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 05, 2006 2:19 PM
To: users@spamassassin.apache.org
Subject: Re: Spam from local users.

Shahzad Abid skrev:
 Dear All
 
 Some emails from local users are getting MARKED as (S.P.A.M.) as shown in
 following log.
 ===
 
 Dec  5 17:02:57 mail spamd[355]: spamd: identified spam (8.6/2.5) for
 [EMAIL PROTECTED]:510 in 1.9 seconds, 2862 bytes.
 Dec  5 17:02:57 mail spamd[355]: spamd: result: Y 8 -
 AWL,BAYES_00,DEAR_SOMETHING,FH_RELAY_NODNS,FM_NO_STYLE,HTML_MESSAGE,JR_RCVD_HOST_PROBS1,JR_RCVD_HOST_PROBS2,JR_RCVD_TOO_FEW_HOPS,MISSING_SUBJECT,RELAY_CHECKER,RELAY_CHECKER_NORDNS
 scantime=1.9,size=2862,[EMAIL 
 PROTECTED],uid=510,required_score=2.5,rhost=mail.ocs.com.pk,raddr=127.0.0.1,rport=52373,mid=[EMAIL
  PROTECTED],bayes=0.00139389667305584,autolearn=no
 Dec  5 17:02:57 mail spamd[3573]: prefork: child states: II
 Dec  5 17:02:57 mail qmail-scanner[6079]:
 Clear:RC:0(61.5.138.198):SA:1(8.6/2.5): 2.240486 2830 [EMAIL PROTECTED]
 [EMAIL PROTECTED]  [EMAIL PROTECTED]
 1165320175.6092-0.mail.ocs.com.pk:446
 1165320175.6092-1.mail.ocs.com.pk:1366
 orig-mail.ocs.com.pk11653201754926079:2830
 ==
 
 The only difference is that the user is coming from outside the LAN.
 
 How can I resolve this problem.
 
 Regards,

First I'd like to say that it's good.. ;) They're probably sending spam, 
so it should get tagged. But if you don't want it, just configure to not 
scan outgoing mails originating from localhost.

-- 

Anders Norrbring
Norrbring Consulting


RE: Percentage of email that is spam after filtering?

2006-12-02 Thread Leon Kolchinsky
Hi,

Really what are the tools you're using and/or suggesting to generate such 
reports?


Regards,
Leon

-Original Message-
From: Quinn Comendant [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 29, 2006 2:41 AM
To: SpamAssassin Users
Subject: Re: Percentage of email that is spam after filtering?

What is being used to generate these summaries?

Q



On Mon, 27 Nov 2006 18:03:55 -0500, Rick Macdougall wrote:
 Ed Kasky wrote:
 At 02:00 PM Monday, 11/27/2006, Bill Randle wrote -=
 Like other posters, I don't have real stats on the amount of spam that
 makes it past the filters, other than my own mailbox. I typically get
 from 2-3 spam messages per day, on rare occasions, maybe 6-10. We use
 blacklisting, the SARE rules, ImageInfo, FuzzyOCR and local custom
 rules.
 
 Our overall stats for the last 24 hours are:
                                                 Msgs  %total  %after rbl
   total incoming messages:                     84620    100%      --
   rejected (cbl.abuseat.org, list.dsbl.org):   57624     68%      --
   viruses (ClamAV):                              183    0.2%     0.7%
   spam (blocked):                              22294     26%      83%
   possible spam (sent to user mailbox):          252    0.3%     0.9%
   clean (sent to user mailbox):                 1828    2.2%     6.8%
 
 So, bottom line, of all the incoming mail, only 2.5% is actually
 delivered to a customer mailbox.
 
 -Bill
 
 I thought I was the only one experiencing those numbers:
 
 Our overall stats since Sunday 4:00 am:
                                                 Msgs  %total  %after rbl
   total incoming messages:                      5535    100%      --
   rejected (cbl.abuseat.org, list.dsbl.org):    4366     78%      --
   Sendmail Reject - Pre-Greeting Traffic:        333      6%      --
   viruses (ClamAV):                               23    0.4%     0.5%
   spam (blocked):                                401    7.2%     9.1%
   clean (sent to user mailbox):                  412    7.4%     9.4%
 
 
 Similar numbers here since 6am this morning on one of our 4 MX's
 
 Received       88952   100.00%
 RBL Reject     61965   69.66%
 Clam           167     0.19%
 Spam Reject    4911    5.52%
 Spam Pass      599     0.67%
 Clean          13580   15.27%
 
 Bear in mind that this particular machine is also the outbound MX for 
 another mailserver for Yahoo, AOL, Sympatico, etc for scanning 
 purposes, so the Clean number is going to be a little high.
 
 We are also very proactive about infected local users (we're an ISP) 
 so out Clam numbers are a lot lower than say a year ago when we 
 weren't scanning.
 
 Regards,
 
 Rick
 


RE: optional score in local.cf is not working

2006-12-02 Thread Leon Kolchinsky
3) The Mail::SpamAssassin Perl API -- This allows the SpamAssassin code to
   be called directly by another Perl program.  This is how Amavisd runs.
   It gets a message, calls the SpamAssassin routines, marks up the message,
   and sends it along.  It still only loads everything once, but it is being
   loaded into Amavisd instead of spamd.




Thank you all for clearing that up for me.
I've stopped spamd and amavis still catching spam messages.

So as I see it now amavisd just using SA routines via Perl API.


RE: optional score in local.cf is not working

2006-11-29 Thread Leon Kolchinsky
Hi,

I thought I was wrong and amavis restart didn't really help there, but 
there is an update for this problem I had with configuration in local.cf not 
catching.

It seems that only when I do /etc/init.d/amavis restart, all configs in 
local.cf are coming intact.

I'm used to an old version of amavis and SA on Suse, where you would only do 
changes to local.cf and spamd restart.

1) So, my question is - Is this a normal behavior? 
2) For every change in local.cf should I do now only amavis restart and no 
spamd restart?



Regards,
Leon

-Original Message-
From: Mark Martinec [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 26, 2006 10:54 PM
To: users@spamassassin.apache.org
Subject: Re: optional score in local.cf is not working

On Sunday November 26 2006 20:25, Matt Kettler wrote:
  Erm.. are you sure? I thought amavisd-new called SA directly at the API
  layer, not via spamd...
 I didn't even realize amavis *could* use spamd, every amavis person I've
 talked to on the list isn't using it.

amavisd-new can't call spamd, there is no configuration option to do so,
and no code to support it.

spamc/spamd could be used (if desired/needed) by implementing the usual SA 
standalone setup, and disabling spam checking in amavisd.

  Mark


RE: optional score in local.cf is not working

2006-11-29 Thread Leon Kolchinsky
Hi,

OK.
I did some manual tests and indeed changes in local.cf are only catching when I 
restart amavis.

# /etc/init.d/amavis restart
Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by SIGTERM

  done
Starting virus-scanner (amavisd-new):   
  done

When I restart only spamd no change in local.cf is catching.


I don’t really understand why?

Mark Martinec said that amavisd-new can't call spamd 

So, let me get this straight:
-
This is how I see the work of amavis+spamd+clamd:

1. As I see it amavis talk to spamd (spamassassin) and clamd (ClamAV) via 
appropriate sockets or TCP ports.
In my case - 
To clamd via /var/lib/clamav/clamd-socket (I can see it in amavisd.conf)
To spamd ? (I don't know how to check it)

2. Any configuration change I make to clamd and spamd take power only when I 
restart the daemons themselves.

3. But according to Matt Kettler response and my testings, any change to 
local.cf require amavis restart.

# /etc/init.d/amavis restart
Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by SIGTERM

  done
Starting virus-scanner (amavisd-new):   
  done


What is going on?
Where I can validate config options of amavis to make sure the way it works?



P.S.:


This is taken from /etc/init.d/amavis:
--
AMAVISD_BIN=/usr/sbin/amavisd
AMAVIS_MILTER_BIN=/usr/sbin/amavis-milter
echo -n "Starting virus-scanner (amavisd-new): "
$AMAVISD_BIN start
if ! checkproc amavisd; then
   rc_failed 7
fi
rc_status -v
if [ "$AMAVIS_SENDMAIL_MILTER" == "yes" ]; then
    rc_reset
    echo -n "Starting amavis-milter: "
    startproc -u vscan $AMAVIS_MILTER_BIN -p local:/var/run/amavis/amavis-milter.sock > /dev/null 2>&1
    rc_status -v
fi


This is taken from /etc/init.d/spamd:
-
# Short-Description: Start the spamassassin daemon
SPAMD_BIN=/usr/sbin/spamd
PIDFILE=/var/run/spamd.pid
startproc -p $PIDFILE $SPAMD_BIN $SPAMD_ARGS -r $PIDFILE


This is taken from /etc/amavisd.conf:
-
@av_scanners = (
### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd-socket"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],



-Original Message-
From: Nigel Frankcom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 29, 2006 10:21 AM
To: users@spamassassin.apache.org
Subject: Re: optional score in local.cf is not working

On Wed, 29 Nov 2006 10:10:58 +0200, Leon Kolchinsky
[EMAIL PROTECTED] wrote:

Hi,

I thought I was wrong and amavis restart didn't really help there, but 
there is an update for this problem I had with configuration in local.cf not 
catching.

It seems that only when I do /etc/init.d/amavis restart, all configs in 
local.cf are coming intact.

I'm used to an old version of amavis and SA on Suse, where you would only do 
changes to local.cf and spamd restart.

1) So, my question is - Is this a normal behavior? 
2) For every change in local.cf should I do now only amavis restart and no 
spamd restart?



Regards,
Leon

-Original Message-
From: Mark Martinec [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 26, 2006 10:54 PM
To: users@spamassassin.apache.org
Subject: Re: optional score in local.cf is not working

On Sunday November 26 2006 20:25, Matt Kettler wrote:
  Erm.. are you sure? I thought amavisd-new called SA directly at the API
  layer, not via spamd...
 I didn't even realize amavis *could* use spamd, every amavis person I've
 talked to on the list isn't using it.

amavisd-new can't call spamd, there is no configuration option to do so,
and no code to support it.

spamc/spamd could be used (if desired/needed) by implementing the usual SA 
standalone setup, and disabling spam checking in amavisd.

  Mark

As far as I am aware any setting changes in the local.cf need a
restart of spamd. Whether or not amavis does this for you I don't
know. I do recall someone recently mentioning that the Amavis doesn't
give enough time and/or wait for the return from spamd. Though this
may not be at all related to your issue.

For a simple test. Make a change and manually restart spamassassin,
then undo the change, restart just amavis and see if amavis picks it
up?

HTH

Kind regards

Nigel


RE: rbl insight and wisdom please

2006-11-28 Thread Leon Kolchinsky
I'm using in my main.cf:

reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client relays.ordb.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,


Please do not use spamcop.net it has many many false positives.


Regards,
Leon Kolchinsky

-Original Message-
From: Quinn Comendant [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 27, 2006 11:07 PM
To: SpamAssassin Users
Subject: Re: rbl insight and wisdom please

I'm using the following with qmail's rblsmtpd:

-r zen.spamhaus.org
-r bl.spamcop.net
-r relays.ordb.org
-r cbl.abuseat.org

I do find it very hard to determine if a list is malfunctioning and honest 
emails are blocked until clients start complaining. It has happened before with 
me using other blocklists.

One idea just popped into my head: you can grep your logs for all IP addresses 
you trust (mail from the IPs of trusted users and their recipients) and run 
that list of IPs against a DNSRBL you are considering using.

You can test a DNSRBL by reversing an IP and appending the RBL domain, so for 
111.122.133.144, you might execute:

dig 144.133.122.111.zen.spamhaus.org A | grep -v '^;'

And if there is anything returned, the IP is on the list.

Quinn



On Mon, 27 Nov 2006 12:42:40 -0800, R Lists06 wrote:
 Hopefully this hasn't been rehashed to death on this list yet has there ever
 been a general consensus as to which rbl's and similar lists are best to use
 if you are going to engineer your mail systems with such?
 
 Anyone care to share their implementations as well as current best and worst
 practices please?
 
 Thanks
 
  - rh
 
 --
 Robert - Abba Communications
Computer  Internet Services
  (509) 624-7159 - www.abbacomm.net
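
The check Quinn describes in this message, scripted as an added example that is not part of the original thread. The function names, the `dnsbl.example` zone and the Postfix-style `client=host[ip]` log lines are constructed assumptions. Beyond the thread, it separates a real listing from an answer that is not a listing code.

```shell
#!/bin/sh
# Added example: test a candidate DNSBL against client IPs you already trust.

# Constructed sample: Postfix smtpd lines for senders known to be legitimate.
sample_log() {
    cat <<'EOF'
Nov 27 09:56:13 mx postfix/smtpd[1234]: D17F019F2C: client=unknown[192.0.2.10], sasl_username=alice
Nov 27 10:02:41 mx postfix/smtpd[1240]: 3A1B2C4D5E: client=mail.example.org[198.51.100.7]
Nov 27 10:05:02 mx postfix/smtpd[1240]: 9F8E7D6C5B: client=unknown[192.0.2.10], sasl_username=alice
Nov 27 10:07:12 mx postfix/smtpd[1244]: 1122334455: client=gw.example.net[203.0.113.99]
EOF
}

# Unique client IPs from "client=host[ip]" log lines on stdin.
extract_ips() {
    sed -n 's/.*client=[^[]*\[\([0-9.]*\)].*/\1/p' | sort -u
}

# 111.122.133.144 -> 144.133.122.111; fails on anything that is not a dotted quad.
reverse_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# One DNS query; prints the A records, one per line (empty when not listed).
rbl_lookup() {
    dig +short "$1" A
}

# Map the raw answer to unlisted / listed / error.
# Listings are 127.0.0.0/8 addresses. Spamhaus reserves 127.255.255.0/24 for
# error codes (for example a query refused because it came through a public
# resolver), and a non-127 address usually means the resolver rewrote the
# NXDOMAIN, so neither is counted as a listing.
classify_answer() {
    [ -n "$1" ] || { echo unlisted; return 0; }
    for rec in $1; do
        case $rec in
            127.255.255.*) echo error; return 0 ;;
            127.*) ;;
            *) echo error; return 0 ;;
        esac
    done
    echo listed
}

# audit_dnsbl ZONE: read IPs on stdin, print "ip status" per line.
audit_dnsbl() {
    zone=$1
    while IFS= read -r ip; do
        rev=$(reverse_ipv4 "$ip") || { printf '%s invalid\n' "$ip"; continue; }
        answer=$(rbl_lookup "$rev.$zone") || { printf '%s error\n' "$ip"; continue; }
        printf '%s %s\n' "$ip" "$(classify_answer "$answer")"
    done
}

# Usage against a real mail log and list:
#   extract_ips < /var/log/mail | audit_dnsbl zen.spamhaus.org
```

Any trusted address that comes back `listed` is a false positive you would have rejected at SMTP time with that list enabled.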
 
 
 


RE: False positives with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL

2006-11-28 Thread Leon Kolchinsky
Hi,

 

 

This IP is ADSL assigned IP for one of my server users.

But this is regular thing to get dynamic IP from any ISP.

 

 

Regards,

Leon

 



From: Sietse van Zanen [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 27, 2006 5:31 PM
To: לאון קולצ'ינסקי; users@spamassassin.apache.org
Subject: RE: False positives with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and 
RCVD_IN_SORBS_DUL

 

Might be because of this header:

 

Received: from IBM-707AC13EF89 (unknown [82.166.48.182])
(using TLSv1 with cipher RC4-MD5 (128/128 bits))
(No client certificate requested)
by mydomain.ac.il (Postfix) with ESMTP id D17F019F2C
for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:13 +0200 (IST)

[EMAIL PROTECTED] root]# nslookup
 82.166.48.182
Server: 10.10.21.4
Address:10.10.21.4#53

Non-authoritative answer:
182.48.166.82.in-addr.arpa  name = 82-166-48-182.barak-online.net.

 

Seems to be a DYN IP. That probably hits the SORBS and other black lists.

If this IP is one of your users, you'll probably need to add their networks to 
the all_trusted list.

 

-Sietse

PS: Please set your text mark-up from left to right. Reading English is very 
inconvenient in the Arabic right to left. The scroll bar on the left is kind of 
handy though. :-)

 

 



From: Leon Kolchinsky
Sent: Mon 27-Nov-06 16:19
To: users@spamassassin.apache.org
Subject: False positives with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and 
RCVD_IN_SORBS_DUL

Hello All,
 
I see a lot of FP with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL 
from particular users.
 
This is very strange because a lot of those are coming from users on my server 
(server with static IP and not a relay server).
 
I've seen this user sending to himself and getting RCVD_IN_DSBL=2.6, 
RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046
 
Why is this happening?
Is it recommended to lower score for these tests?
What scores are recommended?
Anyone have similar problems? 
 
 
Here is one such example:
-
 
Return-Path: [EMAIL PROTECTED]
Received: from mydomain.ac.il ([unix socket])
by mydomain.ac.il (Cyrus v2.2.3) with LMTP; Mon, 27 Nov 2006 09:56:21 
+0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by mydomain.ac.il (Postfix) with ESMTP id 87CA6129288
for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:21 +0200 (IST)
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: [EMAIL PROTECTED]
X-Quarantine-ID: 3zezHgDJGyFg
X-Spam-Flag: YES
X-Spam-Score: 5.317
X-Spam-Level: *
X-Spam-Status: Yes, score=5.317 tag=-999 tag2=5 kill=5 tests=[AWL=0.119,
BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, HTML_90_100=0.113,
HTML_MESSAGE=0.001, RCVD_IN_DSBL=2.6, RCVD_IN_NJABL_DUL=1.946,
RCVD_IN_SORBS_DUL=2.046]
Received: from mydomain.ac.il ([127.0.0.1])
by localhost (mydomain.ac.il [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 3zezHgDJGyFg for [EMAIL PROTECTED];
Mon, 27 Nov 2006 09:56:17 +0200 (IST)
Received: from IBM-707AC13EF89 (unknown [82.166.48.182])
(using TLSv1 with cipher RC4-MD5 (128/128 bits))
(No client certificate requested)
by mydomain.ac.il (Postfix) with ESMTP id D17F019F2C
for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:13 +0200 (IST)
MIME-Version: 1.0
Message-Id: [EMAIL PROTECTED]
Date: Mon, 27 Nov 2006 09:51:23 +0200 (Jerusalem Daylight Time)
Content-Type: Multipart/related;
  type=multipart/alternative;
  boundary=Boundary-00=_NTPDBHK0
X-Mailer: IncrediMail (5002253)
From: Billie Eilam [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
X-FID: EAF615C8-5C8C-11D4-AF90-0050DAC67E11
X-Priority: 3
To: Vidergor [EMAIL PROTECTED]
Subject: RE:
 
 
 
Leon Kolchinsky
 


still don't take local.cf configs

2006-11-28 Thread Leon Kolchinsky
Hello All,

I've trusted networks configured.
But it seems that changes I make to local.cf are not catching :(

For example I've added
score RCVD_IN_BL_SPAMCOP_NET 0
to local.cf

Restarted spamd (/etc/init.d/spamd restart), and after a while I got message 
with scoring RCVD_IN_BL_SPAMCOP_NET=1.558.


X-Spam-Status: Yes, score=6.276 tag=-999 tag2=5 kill=5 tests=[AWL=-0.686,
BAYES_00=-2.599, HTML_90_100=0.113, HTML_MESSAGE=0.001,
RCVD_IN_BL_SPAMCOP_NET=1.558, RCVD_IN_NJABL_DUL=1.946,
RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897]



I can't figure out what can be the problem here (amavis debug and 
spamassassin --lint -D look normal)?



This is how my local.cf looks:

# Add your own customisations to this file.  See 'man Mail::SpamAssassin::Conf'
# for details of what can be tweaked.
#

required_score  5.0
rewrite_header Subject SPAM(_SCORE_)
use_bayes 1
bayes_auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2  1
razor_config  /var/spool/amavis/.razor/razor-agent.conf

# Show individual score for rules
add_header all Report _REPORT_

## Optional Score Increases
score ROUND_THE_WORLD 0
score SUBJ_ILLEGAL_CHARS 0
score HEAD_ILLEGAL_CHARS 0
score FORGED_HOTMAIL_RCVD2 0
score FORGED_YAHOO_RCVD 0
score SUBJ_ALL_CAPS 0
score MISSING_SUBJECT 0
score DNS_FROM_RFC_POST 0
score DNS_FROM_RFC_ABUSE 0
score RCVD_IN_BL_SPAMCOP_NET 0

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.

ok_locales  all

# Internal
clear_internal_networks
internal_networks 127/8 132.74.1.219 132.74.1.39 132.74.1.218

# Trusted
clear_trusted_networks
trusted_networks 127/8 132.74.1.219 132.74.1.39 132.74.1.218




Best Regards,
Leon Kolchinsky



RE: Question on Bayes ?

2006-11-28 Thread Leon Kolchinsky
Hi,

Quoting Gary V here:
As of SA version 3.1.6, --lint turns off net tests. You now have to feed a 
message to debug to get net tests.

spamassassin -D sample-spam.txt


Regards,
Leon Kolchinsky

-Original Message-
From: Noc Phibee [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 28, 2006 12:02 PM
To: users@spamassassin.apache.org
Subject: Question on Bayes ?

and last question:

[6057] dbg: dcc: local tests only, disabling DCC
[6057] dbg: plugin: registered 
Mail::SpamAssassin::Plugin::DCC=HASH(0x91fea6c)
[6057] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[6057] dbg: pyzor: local tests only, disabling Pyzor
[6057] dbg: plugin: registered 
Mail::SpamAssassin::Plugin::Pyzor=HASH(0x9200d34)
[6057] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[6057] dbg: razor2: local tests only, skipping Razor

That's say that I can see of Dcc, Razor and Pyzor work correctly on my 
server ?


Thanks bye


RE: SQL Performance w/ SpamAssassin

2006-11-28 Thread Leon Kolchinsky
Hi,

Below is a little info on optimizing MySQL.
I've used it on my web server a while ago.
If you use InnoDB, you should change it according to InnoDB parameters.

Taken from here 
http://linuxgangster.org/modules.php?name=Contentfile=printoutid=8


Below is a good start for getting mysql going a little faster editing the 
mysql.conf file


Code:

[mysqld]
port= 3306
socket  = /var/lib/mysql/mysql.sock
skip-locking
key_buffer = 64M
tmp_table_size = 32M
max_allowed_packet = 16M
max_connections = 650
myisam_sort_buffer_size = 64M
table_cache = 1500
join_buffer_size = 1M
sort_buffer_size = 2M
read_buffer_size = 1M
myisam_sort_buffer_size = 64M
thread_cache_size = 128
wait_timeout = 900
connect_timeout = 10
query_cache_limit = 2M
query_cache_size = 64M
query_cache_type = 1
thread_concurrency = 8

[mysqld_safe]
open_files_limit = 8192


Explanation

key_buffer is the size of the buffer used with indexes. The larger the buffer, 
the faster the SQL command will finish and a result will be returned. The 
rule-of-thumb is to set the key_buffer_size to at least a quarter, but no more 
than half, of the total amount of memory on the server. Ideally, it will be 
large enough to contain all the indexes (http://linuxweblog.com/node/231)

tmp_table_size Created_tmp_disk_tables are the number of implicit temporary 
tables on disk created while executing statements and Created_tmp_tables are 
memory-based. Obviously it is bad if you have to go to disk instead of
memory. About 2% of temp tables go to disk, which doesn't seem too bad
but increasing the tmp_table_size probably couldn't hurt either. 
(http://www.interworx.com/forums/showthread.php?p=2346)

max_allowed_packet 16MB is the default. However, if you get the error lost 
connection to MySQL server during query, you might want up this to a higher 
value

max_connections The number of connections allowed. 100 is the default. This 
should be raised to a higher value when running multiple databases, or very 
busy sites.

myisam_sort_buffer_size Sets the size of the buffer used when recovering tables.

table_cache Each time MySQL accesses a table, it places it in the cache. If the 
system accesses many tables, it is faster to have these in the cache. MySQL, 
being multi-threaded, may be running many queries on the table at one time, and 
each of these will open a table. Examine the value of open_tables at peak 
times. If you find it stays at the same value as your table_cache value, and 
then the number of opened_tables starts rapidly increasing, you should increase 
the table_cache if you have enough memory. (http://linuxweblog.com/node/231)

join_buffer_size Sets the size of the buffer when joining without keys.

sort_buffer_size The sort_buffer is very useful for speeding up myisamchk 
operations (which is why it is set much higher for that purpose in the default 
configuration files), but it can also be useful everyday when performing large 
numbers of sorts. (http://linuxweblog.com/node/231)

read_buffer_size Sets the size of the buffer when scanning tables.

myisam_sort_buffer_size Same as sort_buffer_size but for myisam tables.

thread_cache_size If you have a busy server that's getting a lot of quick 
connections, set your thread cache high enough that the Threads_created value 
in SHOW STATUS stops increasing. This should take some of the load off of the 
CPU. (http://linuxweblog.com/node/231)

connect_timeout The number of seconds before connection timeout. 

query_cache_limit maximum size of result set that can be cached.

query_cache_size MySQL 4 provides one feature that can prove very handy - a 
query cache. In a situation where the database has to repeatedly run the same 
queries on the same data set, returning the same results each time, MySQL can 
cache the result set, avoiding the overhead of running through the data over 
and over and is extremely helpful on busy servers. 
(http://linuxweblog.com/node/231)

query_cache_type If the query cache size is greater than 0, the 
query_cache_type variable influences how it works. This variable can be set to 
the following values:
A value of 0 or OFF prevents caching or retrieval of cached results.
A value of 1 or ON allows caching except of those statements that begin with 
SELECT SQL_NO_CACHE.
A value of 2 or DEMAND causes caching of only those statements that begin with 
SELECT SQL_CACHE.

thread_concurrency Try number of CPUs * 2.

Reiserfs seems to be the best filesystem to use on a Linux system for Mysql 
performance. This is because it does well with multiple small files and is very 
fast for open, read and write. 

Running OPTIMIZE TABLE on a weekly basis is something I do for every table on 
every database on my servers. This can be easily done with PHPMyAdmin.

Just to give you an idea of how much the changes above helped my server:
94,082.20 queries per hour is what my server is averaging now. It does this 
without even trying. With the default settings, this particular 

RE: still don't take local.cf configs UPDATE

2006-11-28 Thread Leon Kolchinsky
Hi,

I thought I was wrong and amavis restart didn't really help there, but
there is an update for this problem I had with configuration in local.cf not 
catching.

It seems that only when I do /etc/init.d/amavis restart, all configs in 
local.cf are coming intact.

I'm used to an old version of amavis and SA on Suse, where you would only do 
changes to local.cf and spamd restart.

1) So, my question is - Is this a normal behavior? 
2) For every change in local.cf should I do now only amavis restart and no 
spamd restart?



Regards,
Leon


-Original Message-
From: לאון קולצ'ינסקי 
Sent: Tuesday, November 28, 2006 3:34 PM
To: 'users@spamassassin.apache.org'
Subject: still don't take local.cf configs

Hello All,

I've trusted networks configured.
But it seems that changes I make to local.cf are not catching :(

For example I've added
score RCVD_IN_BL_SPAMCOP_NET 0
to local.cf

Restarted spamd (/etc/init.d/spamd restart), and after a while I got message 
with scoring RCVD_IN_BL_SPAMCOP_NET=1.558.


X-Spam-Status: Yes, score=6.276 tag=-999 tag2=5 kill=5 tests=[AWL=-0.686,
BAYES_00=-2.599, HTML_90_100=0.113, HTML_MESSAGE=0.001,
RCVD_IN_BL_SPAMCOP_NET=1.558, RCVD_IN_NJABL_DUL=1.946,
RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897]



I can't figure out what can be the problem here (amavis debug and 
spamassassin --lint -D look normal)?



This is how my local.cf looks:

# Add your own customisations to this file.  See 'man Mail::SpamAssassin::Conf'
# for details of what can be tweaked.
#

required_score  5.0
rewrite_header Subject SPAM(_SCORE_)
use_bayes 1
bayes_auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2  1
razor_config  /var/spool/amavis/.razor/razor-agent.conf

# Show individual score for rules
add_header all Report _REPORT_

## Optional Score Increases
score ROUND_THE_WORLD 0
score SUBJ_ILLEGAL_CHARS 0
score HEAD_ILLEGAL_CHARS 0
score FORGED_HOTMAIL_RCVD2 0
score FORGED_YAHOO_RCVD 0
score SUBJ_ALL_CAPS 0
score MISSING_SUBJECT 0
score DNS_FROM_RFC_POST 0
score DNS_FROM_RFC_ABUSE 0
score RCVD_IN_BL_SPAMCOP_NET 0

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.

ok_locales  all

# Internal
clear_internal_networks
internal_networks 127/8 132.74.1.219 132.74.1.39 132.74.1.218

# Trusted
clear_trusted_networks
trusted_networks 127/8 132.74.1.219 132.74.1.39 132.74.1.218




Best Regards,
Leon Kolchinsky
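
A way to check for the symptom in this thread (a `score` override in local.cf that the scanning daemon has not picked up), as an added Python example that is not part of the original posts. It compares `score` lines with the per-rule values in an X-Spam-Status header; the function names are assumptions, and the config sample is constructed from lines of the local.cf above.

```python
import re

# Constructed sample: a few lines in the style of the local.cf posted above.
LOCAL_CF = """\
required_score  5.0
score DNS_FROM_RFC_ABUSE 0
score RCVD_IN_BL_SPAMCOP_NET 0
# score RCVD_IN_XBL 0
"""

# The amavisd-new style X-Spam-Status header quoted in the post (folded).
X_SPAM_STATUS = """\
X-Spam-Status: Yes, score=6.276 tag=-999 tag2=5 kill=5 tests=[AWL=-0.686,
 BAYES_00=-2.599, HTML_90_100=0.113, HTML_MESSAGE=0.001,
 RCVD_IN_BL_SPAMCOP_NET=1.558, RCVD_IN_NJABL_DUL=1.946,
 RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897]
"""


def parse_score_overrides(conf_text):
    """Return {rule: [scores]} from 'score RULE n [n n n]' lines; last line wins."""
    overrides = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"score\s+(\S+)\s+(.+)$", line)
        if not m:
            continue
        try:
            overrides[m.group(1)] = [float(v) for v in m.group(2).split()]
        except ValueError:
            continue                                  # non-numeric form, not handled
    return overrides


def parse_status_tests(header_text):
    """Return {rule: score or None} from the tests= part of X-Spam-Status.

    Handles 'tests=[A=1.0, B=2.0]' (scores present) and the older
    'tests=A, B, C' form, where no per-rule score is recorded.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_text)
    m = re.search(r"tests=\[([^\]]*)\]", unfolded) or re.search(r"tests=(.*)", unfolded)
    if not m:
        return {}
    tests = {}
    for item in m.group(1).split(","):
        words = item.split()
        if not words:
            continue
        name, _, value = words[0].partition("=")
        try:
            tests[name] = float(value)
        except ValueError:
            tests[name] = None
    return tests


def find_stale_overrides(conf_text, header_text, tol=0.0005):
    """List (rule, configured_scores, seen_score) where the header contradicts local.cf."""
    overrides = parse_score_overrides(conf_text)
    stale = []
    for rule, seen in parse_status_tests(header_text).items():
        if rule not in overrides:
            continue
        wanted = overrides[rule]
        if seen is None:
            # No score in the header: a hit on a rule scored 0 (disabled)
            # is still a contradiction.
            if all(v == 0 for v in wanted):
                stale.append((rule, wanted, None))
        elif not any(abs(seen - v) <= tol for v in wanted):
            stale.append((rule, wanted, seen))
    return stale


if __name__ == "__main__":
    for rule, wanted, seen in find_stale_overrides(LOCAL_CF, X_SPAM_STATUS):
        print(f"{rule}: local.cf says {wanted}, message was scored {seen}")
```

Any rule it reports means the process that scored the message was running with an older copy of the rules than the file on disk.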



RE: optional score in local.cf is not working

2006-11-27 Thread Leon Kolchinsky
Hi,

I've moved to a new syntax style of amavisd.conf for 2.4.4 version (modified 
sample file) and now all is working.
Restarted amavis and it read the local.cf config now.


Best Regards,
Leon Kolchinsky

-Original Message-
From: Mark Martinec [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 26, 2006 10:54 PM
To: users@spamassassin.apache.org
Subject: Re: optional score in local.cf is not working

On Sunday November 26 2006 20:25, Matt Kettler wrote:
  Erm.. are you sure? I thought amavisd-new called SA directly at the API
  layer, not via spamd...
 I didn't even realize amavis *could* use spamd, every amavis person I've
 talked to on the list isn't using it.

amavisd-new can't call spamd, there is no configuration option to do so,
and no code to support it.

spamc/spamd could be used (if desired/needed) by implementing the usual SA 
standalone setup, and disabling spam checking in amavisd.

  Mark


False positives with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL

2006-11-27 Thread Leon Kolchinsky
Hello All,

I see a lot of FP with RCVD_IN_NJABL_DUL, RCVD_IN_DSBL and RCVD_IN_SORBS_DUL 
from particular users.

This is very strange because a lot of those are coming from users on my server 
(server with static IP and not a relay server).

I've seen this user sending to himself and getting RCVD_IN_DSBL=2.6, 
RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046

Why is this happening?
Is it recommended to lower score for these tests?
What scores are recommended?
Anyone have similar problems? 


Here is one such example:
-

Return-Path: [EMAIL PROTECTED]
Received: from mydomain.ac.il ([unix socket])
by mydomain.ac.il (Cyrus v2.2.3) with LMTP; Mon, 27 Nov 2006 09:56:21 
+0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by mydomain.ac.il (Postfix) with ESMTP id 87CA6129288
for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:21 +0200 (IST)
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: [EMAIL PROTECTED]
X-Quarantine-ID: 3zezHgDJGyFg
X-Spam-Flag: YES
X-Spam-Score: 5.317
X-Spam-Level: *
X-Spam-Status: Yes, score=5.317 tag=-999 tag2=5 kill=5 tests=[AWL=0.119,
BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, HTML_90_100=0.113,
HTML_MESSAGE=0.001, RCVD_IN_DSBL=2.6, RCVD_IN_NJABL_DUL=1.946,
RCVD_IN_SORBS_DUL=2.046]
Received: from mydomain.ac.il ([127.0.0.1])
by localhost (mydomain.ac.il [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 3zezHgDJGyFg for [EMAIL PROTECTED];
Mon, 27 Nov 2006 09:56:17 +0200 (IST)
Received: from IBM-707AC13EF89 (unknown [82.166.48.182])
(using TLSv1 with cipher RC4-MD5 (128/128 bits))
(No client certificate requested)
by mydomain.ac.il (Postfix) with ESMTP id D17F019F2C
for [EMAIL PROTECTED]; Mon, 27 Nov 2006 09:56:13 +0200 (IST)
MIME-Version: 1.0
Message-Id: [EMAIL PROTECTED]
Date: Mon, 27 Nov 2006 09:51:23 +0200 (Jerusalem Daylight Time)
Content-Type: Multipart/related;
  type=multipart/alternative;
  boundary=Boundary-00=_NTPDBHK0
X-Mailer: IncrediMail (5002253)
From: Billie Eilam [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
X-FID: EAF615C8-5C8C-11D4-AF90-0050DAC67E11
X-Priority: 3
To: Vidergor [EMAIL PROTECTED]
Subject: RE:



Leon Kolchinsky



optional score in local.cf is not working

2006-11-26 Thread Leon Kolchinsky
Hello All,

I've upgraded to:
amavisd-new-2.4.4-4
spamassassin-3.1.7-3
from:
amavisd-new-20030616p9-3.6
spamassassin-2.64-3.7

These are optional scores in my local.cf:

## Optional Score
score ROUND_THE_WORLD 0
score SUBJ_ILLEGAL_CHARS 0
score HEAD_ILLEGAL_CHARS 0
score FORGED_HOTMAIL_RCVD2 0
score FORGED_YAHOO_RCVD 0
score SUBJ_ALL_CAPS 0
score MISSING_SUBJECT 0
score DNS_FROM_RFC_POST 0
score DNS_FROM_RFC_ABUSE 0

The problem is that it seems that I still get scorings for the above rules :(

DNS_FROM_RFC_ABUSE=0.2


See below example of such spam e-mail:
---
Return-Path: [EMAIL PROTECTED]
Received: from mydomain.ac.il ([unix socket])
by mydomain.ac.il (Cyrus v2.2.3) with LMTP; Sun, 26 Nov 2006 15:43:32 
+0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by mydomain.ac.il (Postfix) with ESMTP id 739CF12886D
for [EMAIL PROTECTED]; Sun, 26 Nov 2006 15:43:32 +0200 (IST)
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: [EMAIL PROTECTED]
X-Quarantine-ID: a6-A-NiMWaoS
X-Amavis-Alert: BAD HEADER Non-encoded 8-bit data (char 88 hex): Subject:
\2101000 FREE in We...
X-Spam-Flag: YES
X-Spam-Score: 44.281
X-Spam-Level: 
X-Spam-Status: Yes, score=44.281 tag=-999 tag2=5 kill=5 tests=[BAYES_99=3.5,
DATE_IN_PAST_96_XX=2.02, DNS_FROM_RFC_ABUSE=0.2,
DNS_FROM_RFC_WHOIS=1.447, FROM_LOCAL_NOVOWEL=2.861,
HELO_DYNAMIC_IPADDR2=3.818, HTML_50_60=0.134, HTML_MESSAGE=0.001,
HTML_TAG_BALANCE_HEAD=1.447, MIME_HTML_ONLY=0.001,
RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5,
RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5,
RCVD_IN_BL_SPAMCOP_NET=1.558, RCVD_IN_NJABL_DUL=1.946,
RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, URIBL_AB_SURBL=3.812,
URIBL_JP_SURBL=4.087, URIBL_OB_SURBL=3.008, URIBL_SC_SURBL=4.498]
Received: from mydomain.ac.il ([127.0.0.1])
by localhost (mydomain.ac.il [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id a6-A-NiMWaoS for [EMAIL PROTECTED];
Sun, 26 Nov 2006 15:43:29 +0200 (IST)
Received: from 12-215-32-57.client.mchsi.com (12-215-32-57.client.mchsi.com 
[12.215.32.57])
by mydomain.ac.il (Postfix) with ESMTP id 3075B1F951
for [EMAIL PROTECTED]; Sun, 26 Nov 2006 15:43:23 +0200 (IST)
From: wont realize [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: X1000 FREE in Welcome Bonuses
Date:   Thu, 26 Oct 2006 08:48:39 +0500
MIME-Version: 1.0
Content-Type: multipart/related;
boundary==_NextPart_000_0002_01C6F8DB.88943B60
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Acb424iUdIWYHggsSheZUsiBH1MRuA==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-Id: [EMAIL PROTECTED]



Could it be because I'm still using old style amavisd.conf?
Any help?



Best Regards,
Leon Kolchinsky


RE: optional score in local.cf is not working

2006-11-26 Thread Leon Kolchinsky



 I've upgraded to:
 amavisd-new-2.4.4-4
 spamassassin-3.1.7-3
 from:
 amavisd-new-20030616p9-3.6
 spamassassin-2.64-3.7

 These are optional scores in my local.cf:

 ## Optional Score
 score ROUND_THE_WORLD 0
 score SUBJ_ILLEGAL_CHARS 0
 score HEAD_ILLEGAL_CHARS 0
 score FORGED_HOTMAIL_RCVD2 0
 score FORGED_YAHOO_RCVD 0
 score SUBJ_ALL_CAPS 0
 score MISSING_SUBJECT 0
 score DNS_FROM_RFC_POST 0
 score DNS_FROM_RFC_ABUSE 0

 The problem is that it seems that I still get scorings for the above rules :(
3 quick guesses about the problem:

1) make sure you restarted amavisd-new after making the edits to local.cf.

2) run spamassassin --lint. This should run and exit quietly. Any
messages it prints are errors in your config file. SEVERAL things about
the syntax have changed from 2.6x to 3.1.x. See the UPGRADE file for
more details on some of the config changes. UPGRADE is in the tarball,
or can be found here:

http://svn.apache.org/repos/asf/spamassassin/branches/3.1/UPGRADE

3) run spamassassin --lint -D. See what SA thinks the site rules dir
is.. if that's not where your local.cf is, that's your problem.

1. AFAIK it is not necessary to restart amavisd-new, after a change in local.cf 
it is enough to restart spamd.

2. spamassassin --lint
Gives no output so it is OK I guess.

3. I've noticed that even whitelist_from_rcvd which worked fine with the old 
version is now not working, i.e. users in whitelist_from_rcvd are now getting a 
spam score high enough to go to quarantine.

4. spamassassin --lint -D gives the following output (as you can see below it 
reads local.cf: [16694] dbg: config: read file /etc/mail/spamassassin/local.cf):

[16694] dbg: logger: adding facilities: all
[16694] dbg: logger: logging level is DBG
[16694] dbg: generic: SpamAssassin version 3.1.7
[16694] dbg: config: score set 0 chosen.
[16694] dbg: util: running in taint mode? yes
[16694] dbg: util: taint mode: deleting unsafe environment variables, resetting 
PATH
[16694] dbg: util: PATH included '/sbin', keeping
[16694] dbg: util: PATH included '/usr/sbin', keeping
[16694] dbg: util: PATH included '/usr/local/sbin', keeping
[16694] dbg: util: PATH included '/root/bin', keeping
[16694] dbg: util: PATH included '/usr/local/bin', keeping
[16694] dbg: util: PATH included '/usr/bin', keeping
[16694] dbg: util: PATH included '/usr/X11R6/bin', keeping
[16694] dbg: util: PATH included '/bin', keeping
[16694] dbg: util: PATH included '/usr/games', keeping
[16694] dbg: util: PATH included '/opt/gnome/bin', keeping
[16694] dbg: util: PATH included '/opt/kde3/bin', keeping
[16694] dbg: util: PATH included '/usr/lib/java/jre/bin', keeping
[16694] dbg: util: final PATH set to: 
/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin
[16694] dbg: message:  MIME PARSER START 
[16694] dbg: message: main message type: text/plain
[16694] dbg: message: parsing normal part
[16694] dbg: message: added part, type: text/plain
[16694] dbg: message:  MIME PARSER END 
[16694] dbg: dns: is Net::DNS::Resolver available? yes
[16694] dbg: dns: Net::DNS version: 0.46
[16694] dbg: diag: perl platform: 5.008003 linux
[16694] dbg: diag: module installed: Digest::SHA1, version 2.07
[16694] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[16694] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[16694] dbg: diag: module installed: Razor2::Client::Agent, version 2.82
[16694] dbg: diag: module not installed: Net::Ident ('require' failed)
[16694] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[16694] dbg: diag: module installed: IO::Socket::SSL, version 0.95
[16694] dbg: diag: module installed: Time::HiRes, version 1.52
[16694] dbg: diag: module installed: DBI, version 1.41
[16694] dbg: diag: module installed: Getopt::Long, version 2.34
[16694] dbg: diag: module installed: LWP::UserAgent, version 2.024
[16694] dbg: diag: module installed: HTTP::Date, version 1.46
[16694] dbg: diag: module installed: Archive::Tar, version 1.08
[16694] dbg: diag: module installed: IO::Zlib, version 1.04
[16694] dbg: diag: module installed: DB_File, version 1.808
[16694] dbg: diag: module installed: HTML::Parser, version 3.35
[16694] dbg: diag: module installed: MIME::Base64, version 2.21
[16694] dbg: diag: module installed: Net::DNS, version 0.46
[16694] dbg: diag: module installed: Net::SMTP, version 2.26
[16694] dbg: ignore: using a test message to lint rules
[16694] dbg: config: using /etc/mail/spamassassin for site rules pre files
[16694] dbg: config: read file /etc/mail/spamassassin/init.pre
[16694] dbg: config: read file /etc/mail/spamassassin/v310.pre
[16694] dbg: config: read file /etc/mail/spamassassin/v312.pre
[16694] dbg: config: using /usr/share/spamassassin for sys rules pre files
[16694] dbg: config: using /usr/share/spamassassin for default rules dir
[16694] dbg: config: read file /usr/share/spamassassin/10_misc.cf

RE: optional score in local.cf is not working

2006-11-26 Thread Leon Kolchinsky


 1. AFAIK it is not necessary to restart amavisd-new, after a change in 
 local.cf it is enough to restart spamd.
   
Erm.. are you sure? I thought amavisd-new called SA directly at the API
layer, not via spamd...

At least this is how it worked on SLES9 with those versions: 
amavisd-new-20030616p9-3.6
spamassassin-2.64-3.7





how to solve errors after upgrade

2006-11-22 Thread Leon Kolchinsky
Hello All,

I'm running SLES9 with the following versions:
spamassassin-2.64-3.2
perl-spamassassin-2.64-3.2
amavisd-new-20030616p9-3.6

I know I'm probably stuck with perl5.8.3 because SLES9 doesn't have the newer :(

I've installed new versions of SA and amavis (see below) with the following 
packages (compiled from src.rpm's):

# rpm -Uvh amavisd-new-2.4.4-4.i586.rpm perl-BerkeleyDB-0.25-2.i586.rpm 
perl-Compress-Zlib-1.35-12.i586.rpm perl-Convert-UUlib-1.051-11.i586.rpm

# rpm -Uvh perl-spamassassin-3.1.7-3.i586.rpm spamassassin-3.1.7-3.i586.rpm

Restarted SA and amavis, and started to get the following errors while no 
e-mail was coming through my system and the mail queue was growing!

Example of maillog errors:

Nov 22 14:25:39 mail postfix/smtp[15132]: 23CBE1CA24: to= [EMAIL PROTECTED] , 
orig_to= [EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1], delay=25, 
status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, 
id=15039-05, mime_decode-1 FAILED: Can't locate object method max_parts via 
package MIME::Parser at /usr/sbin/amavisd line 5933. (in reply to end of DATA 
command))

Nov 22 14:28:14 mail postfix/smtp[15215]: AC330192F3: to=[EMAIL PROTECTED], 
orig_to=[EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1], delay=0, 
status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, 
id=15038-09, mime_decode-1 FAILED: Can't locate object method max_parts via 
package MIME::Parser at /usr/sbin/amavisd line 5933. (in reply to end of DATA 
command))

So, meanwhile I got the old SA and amavis back, but I wish I could use the 
newest versions.


What may be causing these errors and how to solve this?



Best Regards,
Leon Kolchinsky


RE: getting mail directly and not via mail-relay

2006-11-21 Thread Leon Kolchinsky
Thanks David,


I didn't think of that simple solution :)
Firewall will certainly do the job here.


Best Regards,
Leon

-Original Message-
From: David B Funk [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 21, 2006 5:59 AM
To: לאון קולצ'ינסקי
Cc: users@spamassassin.apache.org
Subject: Re: getting mail directly and not via mail-relay

On Mon, 20 Nov 2006, Leon Kolchinsky wrote:

 Hello,

 There is a Mail-Relay administered by another person and its MX record stands 
 before the MX record of my mail server, so theoretically mail should go first 
 through the Mail-Relay to my server.

 The thing is that for some reason there are many e-mails (and spam among them 
 of course) getting to my server directly and not via the Mail-Relay.

 What could be the reason for that?
 Is this behavior avoidable at all?

It is a well documented fact that spammers abuse a setup like yours.
Yours is a bit unusual in that the low priority MX is the actual delivery
site not a fall-back server but spammers don't know nor care.

Spammers explicitly target low priority MXs because they believe
that those systems are fall-back servers and thus probably less well
'defended' against spam.

To stop your abuse, either remove univ.haifa.ac.il from the MX list for
univ.haifa.ac.il or configure the network fire-wall on univ.haifa.ac.il
so that it only accepts SMTP traffic from mr2.haifa.ac.il and
mr3.haifa.ac.il

-- 
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.edu    College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


RE: How to extract the Reverse DNS hostname by script means?

2006-11-18 Thread Leon Kolchinsky
Hi Bret,

According to a tip from Gary V. you can reliably use whitelist_from_rcvd,
you only have to configure the following parameters right:

trusted_networks 
internal_networks 



Best Regards,
Leon Kolchinsky

-Original Message-
From: Bret Miller [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 16, 2006 4:42 PM
To: לאון קולצ'ינסקי; users@spamassassin.apache.org
Subject: RE: How to extract the Reverse DNS hostname by script means?

 My mailserver is mail.edu.haifa.ac.il.
 As you can see there are mail relay servers which is not in 
 my responsibility mr[1-3].haifa.ac.il
 
 I want to make a script that parses the mail headers of FP 
 mails and add this line to local.cf
 
 whitelist_from_rcvd [EMAIL PROTECTED] i_mtaout3.012.net.il
 
 
 My question is:
 
 1) When I add whitelist_from_rcvd, what should I put into 
 rDNS? Is it i_mtaout3.012.net.il or may be it is enough to 
 put 012.net.il or net.il?

It depends on how general you want to be. If i_mtaout3.012.net.il is the
only server that sends messages from [EMAIL PROTECTED], then specify that.
If other servers in 012.net.il send mail from that address, then use
that. It's designed so you can be as specific or general as you need to
be.


 2) Should I use the first  Received: header from the end of 
 the headers, or should rDNS be from the last (upper) header? 
 rDNS comes always after by, right?

SpamAssassin will be testing the whitelist_from_rcvd against the topmost
(final) received header when SA runs, so that's the one you need to look
at. There are some obvious problems with this approach. One is that if
all your e-mail goes through a relay before it gets to your server, then
you can't reliably use whitelist_from_rcvd because you're never
receiving the message from the original source server. 

Bret

 
 Here is an example from one of such headers on my server:





RE: adjust rules and whitelist_from_rcvd

2006-11-16 Thread Leon Kolchinsky
Hi,


So should I write? :


whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il

OR

whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il


Regards
Leon


-Original Message-
From: Stuart Johnston [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 15, 2006 4:57 PM
To: users@spamassassin.apache.org
Subject: Re: adjust rules and whitelist_from_rcvd

It is probably this header generated by SquirrelMail that is causing the 
problem.

  Received: from 217.132.226.2
  (SquirrelMail authenticated user ronits)
  by mail.mydomain.ac.il with HTTP;
  Tue, 14 Nov 2006 13:11:52 +0200 (IST)

I'm not really sure what the solution is though.  What version of SA are you 
running?


Leon Kolchinsky wrote:
 Hello All,
 
 I'm running several virtual domains on 
 Cyrus+Postfix+SquirrelMail+Amavisd-new+Spamassassin+ClamAV system.
 
 
 There are several users sending their legitimate mails via SquirrelMail on 
 the same mail server but getting scored as spam.
  
 Here are 2 examples of X-Spam-Status for such mails.
 
 
 X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
  NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
  RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
 X-Spam-Level: **
 
 X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
  NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
  RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
 X-Spam-Level: **
 
 
 Below full headers for an example mail:
 
 
 Return-Path: [EMAIL PROTECTED]
 Received: from mail.mydomain.ac.il ([unix socket])
   by mail.mydomain.ac.il (Cyrus v2.2.3) with LMTP; Tue, 14 Nov 2006 
 13:11:57 +0200
 X-Sieve: CMU Sieve 2.2
 Received: from localhost (localhost [127.0.0.1])
   by mail.mydomain.ac.il (Postfix) with ESMTP id 3212A1B370
   for [EMAIL PROTECTED]; Tue, 14 Nov 2006 13:11:57 +0200 (IST)
 X-Envelope-To: [EMAIL PROTECTED]
 X-Envelope-From: [EMAIL PROTECTED]
 X-Quarantine-id: 
 spam-cf0b98c2a09b009790747cb05ba473a0-20061114-131157-00416-10
 Received: from mail.mydomain.ac.il (localhost [127.0.0.1])
   by mail.mydomain.ac.il (Postfix) with ESMTP id D0AB71C5CD
   for [EMAIL PROTECTED]; Tue, 14 Nov 2006 13:11:52 +0200 (IST)
 Received: from 217.132.226.2
 (SquirrelMail authenticated user ronits)
 by mail.mydomain.ac.il with HTTP;
 Tue, 14 Nov 2006 13:11:52 +0200 (IST)
 Message-ID: [EMAIL PROTECTED]
 Date: Tue, 14 Nov 2006 13:11:52 +0200 (IST)
 Subject: =?utf-8?B?15fXqNeT15nXldeqINeR16DXmSDXkdeo16c=?=
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 User-Agent: SquirrelMail/1.4.7
 MIME-Version: 1.0
 Content-Type: text/plain;charset=utf-8
 Content-Transfer-Encoding: 8bit
 X-Priority: 3 (Normal)
 Importance: Normal
 X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
  NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
  RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
 X-Spam-Level: **
 
 
 1) Could you please tell me what rules I should adjust (and what score to give 
 to those rules in local.cf) so these kinds of mails score below 5.
 
 2) I've tried to add whitelist_from_rcvd to local.cf, but it didn't help:
 
 whitelist_from_rcvd [EMAIL PROTECTED] virtualdomain1.ac.il 
 
 
 Should this line look like this?
 
 whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il
 
 Or this?
 
 whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il
 
 
 
 
 Best Regards,
 Leon Kolchinsky
 



RE: adjust rules and whitelist_from_rcvd

2006-11-15 Thread Leon Kolchinsky
Hi,

My server runs with a static IP and has a legitimate MX record.
Squirrelmail runs on the same mail server.


So I don't think that this is the problem.


Regards,
Leon

-Original Message-
From: Benny Pedersen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 15, 2006 10:01 AM
To: users@spamassassin.apache.org
Subject: Re: adjust rules and whitelist_from_rcvd


On Tue, November 14, 2006 14:08, Leon Kolchinsky wrote:

 X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
  NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
  RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
 X-Spam-Level: **

you are running a mail server with dynamic ip ranges which means that mail from
you will ALWAYS be seen as spam on other mailservers :/(

to fix this search for a mail server that can smart-host for you, eg send all
mail outgoing to your isp will do

ask your isp about a static assigned ip will be perfect :-)

the NO_REAL_NAME fix is here
http://www.squirrelmail.org/plugin_view.php?id=142

-- 
This message was sent using 100% recycled spam mails.



How to extract the Reverse DNS hostname by script means?

2006-11-15 Thread Leon Kolchinsky
Hello,

Is there any automatic way (using a script), to extract the Reverse DNS 
hostname for the host that delivered the message to 
my network?

Because there may be mail-server serving multiple domains, i.e.  somedomain.com 
is served by mailserver.someotherdomain.com and the line in local.cf would look 
like this:

whitelist_from_rcvd [EMAIL PROTECTED] mailserver.someotherdomain.com


In case there are multiple Received headers how could I extract rDNS 
automatically?


Here is an example of such headers taken from the net:


Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com 
with Microsoft SMTPSVC(6.0.3790.211); 
 Tue, 31 Oct 2006 23:27:03 -0500 
Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15]) 
by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502 
for [EMAIL PROTECTED]; Tue, 31 Oct 2006 23:22:03 -0500 
Received: from localhost (localhost [127.0.0.1]) 
by harbor.x-cart.com (Postfix) with ESMTP id 32CA4FC2B4 
for [EMAIL PROTECTED]; Tue, 31 Oct 2006 20:18:36 -0800 (PST) 
Received: from harbor.x-cart.com ([127.0.0.1]) 
by localhost (harbor.x-cart.com [127.0.0.1]) (amavisd-new, port 
10024) 
with ESMTP id FJP1WignZXnm for [EMAIL PROTECTED]; 
Tue, 31 Oct 2006 20:18:34 -0800 (PST) 
Received: from gw-red.crtdev.local (mail.crtdev.local [192.168.10.1]) 
by harbor.x-cart.com (Postfix) with ESMTP id 1EE32FC2B2 
for [EMAIL PROTECTED]; Tue, 31 Oct 2006 20:18:33 -0800 (PST) 
Received: from localhost (localhost [127.0.0.1]) 
by gw-red.crtdev.local (Postfix) with ESMTP id 0C9B8112EC3C; 
Wed,  1 Nov 2006 07:18:33 +0300 (MSK) 
Received: from gw-red.crtdev.local ([127.0.0.1]) 
by localhost (mail.crtdev.local [127.0.0.1]) (amavisd-new, port 
10024) 
with ESMTP id Iqw-2Ddq46oC; Wed,  1 Nov 2006 07:18:32 +0300 
(MSK) 
Received: from gw-green.crtdev.local (green-red-fiber.crtdev.local 
[192.168.99.13]) 
by gw-red.crtdev.local (Postfix) with ESMTP id DC976112EC2B 
for [EMAIL PROTECTED]; Wed,  1 Nov 2006 07:18:32 +0300 (MSK) 
Received: from sauron.crtdev.local (sauron.crtdev.local [192.168.12.10]) 
by gw-green.crtdev.local (Postfix) with ESMTP id C1738244C21 
for [EMAIL PROTECTED]; Wed,  1 Nov 2006 07:18:32 +0300 (MSK) 
Received: from sauron.crtdev.local (localhost [127.0.0.1]) 
by sauron.crtdev.local (8.13.8/8.13.8) with ESMTP id 
kA14IFAa080272 
for [EMAIL PROTECTED]; Wed, 1 Nov 2006 07:18:15 +0300 (MSK) 
(envelope-from [EMAIL PROTECTED]) 
Received: (from [EMAIL PROTECTED]) 
by sauron.crtdev.local (8.13.8/8.13.8/Submit) id kA14IEv1080271; 
Wed, 1 Nov 2006 07:18:14 +0300 (MSK) 
(envelope-from www) 
Date: Wed, 1 Nov 2006 07:18:14 +0300 (MSK) 
Message-Id: [EMAIL PROTECTED] 
To: [EMAIL PROTECTED] 
Subject: Valentine Kaverin has posted a new message for you. 
From: Qualiteam HelpDesk system [EMAIL PROTECTED] 
Content-Type: text/plain;charset=iso-8859-1; 
X-Signature-Check-Ignore: Yes 
X-Virus-Scanned: ClamAV 0.88.5/2136/Tue Oct 31 22:06:48 2006 on 
gandalf.ctdx.net 
X-Virus-Scanned: amavisd-new at x-cart.com 
X-Virus-System: ClamAV 0.88.5/2136/Tue Oct 31 19:06:48 2006 
X-Virus-Status: Clean 
X-Spam-Status: No, score=3.0 required=5.0 tests=AWL,BAYES_00,BIZ_TLD, 
SPF_SOFTFAIL,URI_NO_WWW_BIZ_CGI autolearn=no version=3.1.3 
X-Spam-Level: ** 
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on 
gandalf.ctdx.net 
Return-Path: [EMAIL PROTECTED] 
X-OriginalArrivalTime: 01 Nov 2006 04:27:03.0500 (UTC) 
FILETIME=[FB3D50C0:01C6FD6D]




Best Regards,
Leon Kolchinsky
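
One way to script the extraction asked about here, using the points from the replies (look at the handover into your own network, and get the trusted networks right), as an added Python example that is not code from the thread or from SpamAssassin. It walks the Received headers top-down, skips hops whose connecting IP is in a trusted list, and returns the rDNS recorded for the first untrusted hop; it only understands the `from helo (rdns [ip])` layout, and the trusted list, sample address and function names are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the top three Received headers from the post above.
SAMPLE = """\
Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com
 with Microsoft SMTPSVC(6.0.3790.211);
 Tue, 31 Oct 2006 23:27:03 -0500
Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15])
 by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502
 for [EMAIL PROTECTED]; Tue, 31 Oct 2006 23:22:03 -0500
Received: from localhost (localhost [127.0.0.1])
 by harbor.x-cart.com (Postfix) with ESMTP id 32CA4FC2B4
 for [EMAIL PROTECTED]; Tue, 31 Oct 2006 20:18:36 -0800 (PST)
Subject: constructed test message

body
"""

# "from HELO (rdns [ip])" or "from HELO ([ip])" at the start of a Received value.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)"
)


def parse_hops(raw_message):
    """Return parseable hops, newest first, as dicts with helo, rdns and ip."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())            # undo header folding
        m = HOP_RE.match(unfolded)
        if not m:
            continue      # local pickup, "[unix socket]", webmail "with HTTP", ...
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        rdns = m.group("rdns")
        if rdns is not None and rdns.lower() == "unknown":
            rdns = None                               # MTA found no PTR record
        hops.append({"helo": m.group("helo"), "rdns": rdns, "ip": str(ip)})
    return hops


def handover_relay(raw_message, trusted):
    """Return the first hop (from the top) whose IP is outside `trusted`.

    `trusted` is a list of CIDR strings, written in full ("127.0.0.0/8"
    rather than the "127/8" shorthand local.cf accepts).
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    for hop in parse_hops(raw_message):
        ip = ipaddress.ip_address(hop["ip"])
        if not any(ip in net for net in nets):
            return hop
    return None


def whitelist_entry(address, hop):
    """Build a whitelist_from_rcvd line, or None when no rDNS was recorded."""
    if hop is None or not hop["rdns"]:
        return None
    return f"whitelist_from_rcvd {address} {hop['rdns']}"


if __name__ == "__main__":
    # With the upstream relay trusted, the handover is one hop further down.
    hop = handover_relay(SAMPLE, ["127.0.0.0/8", "199.0.161.154"])
    print(whitelist_entry("user@example.com", hop))
```

With only 127.0.0.0/8 trusted, the top hop is the handover and its header carries an IP but no rDNS, so `whitelist_entry` returns None and nothing is written.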



adjust rules and whitelist_from_rcvd

2006-11-14 Thread Leon Kolchinsky
Hello All,

I'm running several virtual domains on 
Cyrus+Postfix+SquirrelMail+Amavisd-new+Spamassassin+ClamAV system.


There are several users sending their legitimate mails via SquirrelMail on the 
same mail server but getting scored as spam.
 
Here are 2 examples of X-Spam-Status for such mails.


X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **

X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **


Below full headers for an example mail:


Return-Path: [EMAIL PROTECTED]
Received: from mail.mydomain.ac.il ([unix socket])
by mail.mydomain.ac.il (Cyrus v2.2.3) with LMTP; Tue, 14 Nov 2006 
13:11:57 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id 3212A1B370
for [EMAIL PROTECTED]; Tue, 14 Nov 2006 13:11:57 +0200 (IST)
X-Envelope-To: [EMAIL PROTECTED]
X-Envelope-From: [EMAIL PROTECTED]
X-Quarantine-id: 
spam-cf0b98c2a09b009790747cb05ba473a0-20061114-131157-00416-10
Received: from mail.mydomain.ac.il (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id D0AB71C5CD
for [EMAIL PROTECTED]; Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Received: from 217.132.226.2
(SquirrelMail authenticated user ronits)
by mail.mydomain.ac.il with HTTP;
Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Message-ID: [EMAIL PROTECTED]
Date: Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Subject: =?utf-8?B?15fXqNeT15nXldeqINeR16DXmSDXkdeo16c=?=
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.4.7
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **


1) Could you please tell me what rules should I adjust (and what score give to 
those rules in local.cf) so these kinds of mails score below 5.

2) I've tried to add whitelist_from_rcvd to local.cf, but it didn't help:

whitelist_from_rcvd [EMAIL PROTECTED] virtualdomain1.ac.il 


Should this line look like this?

whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il

Or this?

whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il




Best Regards,
Leon Kolchinsky



RE: adjust rules and whitelist_from_rcvd

2006-11-14 Thread Leon Kolchinsky
Hello All,

I run SA on SLES9, so these are the packages I have (updated ones):
spamassassin-2.64-3.7
amavisd-new-20030616p9-3.6
perl-spamassassin-2.64-3.7
clamav-0.88.5-0.2

Please read the following mail (under questions 1 and 2) and help:

1) Could you please tell me what rules should I adjust (and what score give to 
those rules in local.cf) so these kinds of mails score below 5.

2) I've tried to add whitelist_from_rcvd to local.cf, but it didn't help:

whitelist_from_rcvd [EMAIL PROTECTED] virtualdomain1.ac.il 


Should this line look like this?

whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il

Or this?

whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il


-Original Message-
From: Leon Kolchinsky [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 14, 2006 3:09 PM
To: users@spamassassin.apache.org
Subject: adjust rules and whitelist_from_rcvd

Hello All,

I'm running several virtual domains on 
Cyrus+Postfix+SquirrelMail+Amavisd-new+Spamassassin+ClamAV system.


There are several users sending their legitimate mails via SquirrelMail on the 
same mail server but getting scored as spam.
 
Here are 2 examples of X-Spam-Status for such mails.


X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **

X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **


Below full headers for an example mail:


Return-Path: [EMAIL PROTECTED]
Received: from mail.mydomain.ac.il ([unix socket])
by mail.mydomain.ac.il (Cyrus v2.2.3) with LMTP; Tue, 14 Nov 2006 
13:11:57 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id 3212A1B370
for [EMAIL PROTECTED]; Tue, 14 Nov 2006 13:11:57 +0200 (IST)
X-Envelope-To: [EMAIL PROTECTED]
X-Envelope-From: [EMAIL PROTECTED]
X-Quarantine-id: 
spam-cf0b98c2a09b009790747cb05ba473a0-20061114-131157-00416-10
Received: from mail.mydomain.ac.il (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id D0AB71C5CD
for [EMAIL PROTECTED]; Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Received: from 217.132.226.2
(SquirrelMail authenticated user ronits)
by mail.mydomain.ac.il with HTTP;
Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Message-ID: [EMAIL PROTECTED]
Date: Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Subject: =?utf-8?B?15fXqNeT15nXldeqINeR16DXmSDXkdeo16c=?=
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.4.7
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **






Best Regards,
Leon Kolchinsky



RE: How to set up Razor (SOLVED)

2006-11-08 Thread Leon Kolchinsky
Hello,

Thanks for the logging tip.

How should I disable razor logging exactly?

This is what I have in razor-agent.conf: 
#
# Razor2 config file
#
# Autogenerated by Razor-Agents v2.82
# Thu Oct 26 12:17:46 2006
# Created with all default values
#
# see razor-agent.conf(5) man page
#

debuglevel             = 3
identity               = identity
ignorelist             = 0
listfile_catalogue     = servers.catalogue.lst
listfile_discovery     = servers.discovery.lst
listfile_nomination    = servers.nomination.lst
logfile                = razor-agent.log
logic_method           = 4
min_cf                 = ac
razordiscovery         = discovery.spamnet.com
rediscovery_wait       = 172800
report_headers         = 1
turn_off_discovery     = 0
use_engines            = 4,8
whitelist              = razor-whitelist
###




Best Regards,
Leon Kolchinsky

-Original Message-
From: Gary V [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 07, 2006 5:25 PM
To: users@spamassassin.apache.org
Subject: RE: How to set up Razor (SOLVED)


 Installed it off Debian Sid.
 How do I get SA to make use of it?

Thanks for all the helpful responses.

I have it working fine, here is the idea:
1. Most of the documentation is out of date! One needs do absolutely 
nothing.

Not true. It may function, but if you do nothing razor has to try and 
discover the servers for every message. This creates unnecessary traffic and 
processing power on both ends. You need to run
razor-admin -create (twice for good measure - and then make sure it worked) 
as the user that will be calling razor (or every user that calls razor). 
This makes the available server data available locally. You also need to 
disable logging or eventually your disk will fill up with razor logs. You 
can do this globally if you like by configuring the site wide config file in 
the /etc/razor directory.

SA tests for and will use Razor, Pyzor, etc., if they be installed.
2. All this is of no avail if TCP to port 2703 be not allowed by the 
firewall.
This was buried in an email thread and not present in the documentation. (It
is not sufficient to enable from Razor's main site in a DMZ since other IPs
are involved as well.)

http://razor.sourceforge.net/docs/doc.php?type=textname=FAQ

Q: I have a firewall. What ports do I need to open in order for
   Razor2 to work?

   Outgoing TCP port 2703 (Razor2), only.  Previous versions used
   TCP port 7 (echo), but this is no longer used.

Gary V




Resending ham failes and go to quarantine

2006-11-06 Thread Leon Kolchinsky
Hello All,

After I teach Bayesian (with sa-learn --showdots --ham /folder_with_ham) and 
Razor (with razor-revoke) with False Positives (ham) messages I get,
I'm going to resend these messages to their original recipients.

But SA still recognizes this mail as Spam!
Why is this happening?

How to avoid this kind of behavior and resend ham messages?

Below example of such resending:

---
mail:/var/log # sendmail -itf [EMAIL PROTECTED]  
/home/lkolchin/spam_scripts/ham_test/3.
mail:/var/log # grep [EMAIL PROTECTED] amavis.log
Nov  6 15:19:26 mail.edu.haifa.ac.il amavisd[32677]: (32677-09) ESMTP::10024 
/var/spool/amavis/amavis-20061106T151531-32677: [EMAIL PROTECTED] - [EMAIL 
PROTECTED] Received: SIZE=37242 BODY=8BITMIME from mail.edu.haifa.ac.il 
([127.0.0.1]) by localhost (mail.edu.haifa.ac.il [127.0.0.1]) (amavisd-new, 
port 10024) with ESMTP id 32677-09 for [EMAIL PROTECTED]; Mon,  6 Nov 2006 
15:19:26 +0200 (IST)
Nov  6 15:19:26 mail.edu.haifa.ac.il amavisd[32677]: (32677-09) Checking: 
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Nov  6 15:19:33 mail.edu.haifa.ac.il amavisd[32677]: (32677-09) SPAM, [EMAIL 
PROTECTED] - [EMAIL PROTECTED], Yes, hits=5.4 tag1=-999.0 tag2=5.0 kill=5.0 
tests=BAYES_99, quarantine 
spam-fd4fb4374df425aa3c2de2a2cf49e0d2-20061106-151933-32677-09 ([EMAIL 
PROTECTED])
Nov  6 15:19:33 mail.edu.haifa.ac.il amavisd[32677]: (32677-09) BAD HEADER from 
[EMAIL PROTECTED]: Improper use of control character (char 0D hex) in message 
header 'Received'\n  Received: ...haifa.ac.il ([unix socket])\\r\\n\\tby 
mail.edu.h...\n  ^
Nov  6 15:19:33 mail.edu.haifa.ac.il amavisd[32677]: (32677-09) Not-Delivered, 
[EMAIL PROTECTED] - [EMAIL PROTECTED], quarantine 
spam-fd4fb4374df425aa3c2de2a2cf49e0d2-20061106-151933-32677-09, Message-ID: 
[EMAIL PROTECTED], Hits: 5.4 


Best Regards,
Leon Kolchinsky



RE: how to show exact score for the tests in the headers

2006-11-03 Thread Leon Kolchinsky
Hi,

I'm running SLES9.
I've added 
add_header all Report _REPORT_
to local.cf file, but I'm still getting those headers without individual scores 
:(

Like these:

X-Spam-Status: Yes, hits=11.0 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_50,
 FROM_ILLEGAL_CHARS, HTML_60_70, HTML_MESSAGE, MIME_HTML_MOSTLY,
 RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK, RCVD_IN_BL_SPAMCOP_NET,
 RCVD_IN_NJABL_DUL, SUBJ_ILLEGAL_CHARS
X-Spam-Level: ***

These are the latest patched versions of SA and Amavis on SLES9:
amavisd-new-20030616p9-3.6
spamassassin-2.64-3.7


Is there still a way for me to get these scores for every test?


Best Regards,
Leon

-Original Message-
From: Gary V [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 03, 2006 12:57 AM
To: users@spamassassin.apache.org
Subject: Re: how to show exact score for the tests in the headers


I'm running a system with Cyrus+Postfix+Amavisd-new+SA+ClamAV.

I've seen on this list that there is a possibility to show in the SA 
headers the exact score for all tests scored for particular message, like 
this:

No, hits=-0.8 required=5.0 tests=BAYES_00=-2.599,
DK_POLICY_SIGNSOME=0.001,DNS_FROM_RFC_ABUSE=0.2,
FORGED_MUA_MOZILLA=1.593,SPF_PASS=-0.001 autolearn=no version=3.1.7

My current SA headers look like this:
X-Spam-Status: Yes, hits=15.8 tag1=-999.0 tag2=5.0 kill=5.0 
tests=BAYES_99,
  HTML_FONTCOLOR_RED, HTML_FONTCOLOR_UNSAFE, HTML_MESSAGE,
  MSGID_FROM_MTA_SHORT, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL,
  RCVD_IN_SORBS_WEB, RCVD_IN_XBL
X-Spam-Level: ***


How should I change the configs (local.cf, amavis.conf, etc.?) so it looks 
like in the upper example?

To get the list of rules hit and their individual scores, add the following 
line to local.cf:

add_header all Report _REPORT_

Run 'perldoc Mail::SpamAssassin::Conf' for details.


--
Chris


That will not help here as amavisd-new does not allow spamassassin to write 
headers. The problem here is an outdated amavisd-new. What distro are you 
running?

Gary V




RE: script for reporting ham/spam/resending?

2006-11-02 Thread Leon Kolchinsky

Leon Kolchinsky wrote:
 Hello All,
 
 I'm running Cyrus as my IMAP server 
 (Cyrus+Postfix+Amavis_ClamAV+Spamassassin+Web-Cyradm).
 
 I've written a script for reporting spam to Razor DB and teaching with it 
 Bayesian DB, revoking false positives from Razor DB and teaching Bayesian DB 
 with false positives.
 
 It looks like this (didn't test it yet, waiting for your suggestions), had to 
 do it this way (for i in *.) cause Razor manual says that more than one 
 non-mbox mail cannot be read from stdin: 
 
 
 #!/bin/bash
 
 ###Razor stuff###
 
 ##Revoking
 # Stop if the folder is missing, so chmod and the loop never run elsewhere
 cd /ham_folder/ || exit 1
 chmod 644 *.
 # Cyrus stores one message per file, named with a trailing dot (1., 2., ...)
 for i in *.;
 do
 echo "Revoking $i"
 su vscan -c "/usr/lib/razor-revoke $i"
 done
 echo "Razor Revoke Completed!"
 ###Reporting###
 cd /spam_folder/ || exit 1
 chmod 644 *.
 for i in *.;
 do
 echo "Reporting $i"
 su vscan -c "/usr/lib/razor-report $i"
 done
 echo "Razor Reporting Completed!"
 
 ###Bayesian stuff###
 su vscan -c "sa-learn --showdots --spam /spam_folder/"
 su vscan -c "sa-learn --showdots --ham /ham_folder/"
 
 ###Cleaning spam folder from learned emails###
 su cyrus -c "/usr/lib/cyrus/bin/ipurge -d0 -f user/spamkiller/spam"
 
 ###End of the script###
 
 
 What I'm missing is a proper way of resending false positives (located now in 
 /ham_folder/).
 Should I also add the sender to a whitelist? If yes how?
 
 How should I remove SA headers (how exactly?) and resend ham in the proper 
 way?
  

You're making it a lot harder for yourself.

Take a look at the manual pages 'man 3 spamassassin'

spamassassin -r  ... This performs bayes learning and reports message 
to razor, pyzor, DCC, and spamcop.

spamassassin -k  ... This learns as ham and revokes message with razor.



-- 
Chris

---




Thanks Chris,

What about resending false positives, after all filters learned that this is a 
ham, how should I resend these messages (on Cyrus system) to the original 
recipients?

Any sample code would be very welcome :)


Regards,
Leon


how to show exact score for the tests in the headers

2006-11-02 Thread Leon Kolchinsky
Hello All,

I'm running a system with Cyrus+Postfix+Amavisd-new+SA+ClamAV.

I've seen on this list that there is a possibility to show in the SA headers 
the exact score for all tests scored for particular message, like this:

No, hits=-0.8 required=5.0 tests=BAYES_00=-2.599,   
DK_POLICY_SIGNSOME=0.001,DNS_FROM_RFC_ABUSE=0.2,
FORGED_MUA_MOZILLA=1.593,SPF_PASS=-0.001 autolearn=no 
version=3.1.7

My current SA headers look like this:
X-Spam-Status: Yes, hits=15.8 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_99,
 HTML_FONTCOLOR_RED, HTML_FONTCOLOR_UNSAFE, HTML_MESSAGE,
 MSGID_FROM_MTA_SHORT, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL,
 RCVD_IN_SORBS_WEB, RCVD_IN_XBL
X-Spam-Level: ***


How should I change the configs (local.cf, amavis.conf, etc.?) so it looks like 
in the upper example?



Regards, 
Leon Kolchinsky



RE: script for reporting ham/spam/resending?

2006-11-02 Thread Leon Kolchinsky
Hi,

You're right, this is my situation exactly.
Your method is good for smart (intelligent) users.
This is not my case (my users here are very hard nut :)).

Just thought that maybe someone has such a script (for resending ham to its 
original recipients) running and could share it with me :)


Best Regards,
Leon Kolchinsky

-Original Message-
From: Chris Purves [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 03, 2006 12:06 AM
To: users@spamassassin.apache.org
Subject: Re: script for reporting ham/spam/resending?

Leon Kolchinsky wrote:
  Thanks Chris,
 
  What about resending false positives, after all filters learned that
  this is a ham, how should I resend these messages (on Cyrus system)
  to the original recipients?
 
  Any sample code would be very welcome  :)

If I understand you correctly, your setup takes all your users' spam and 
puts it into one maildir where you can access it.  Now you have 
identified false positives and have learned them as ham, but you need to 
get those messages back into your users' accounts.

Probably the most straightforward method would be to write a script that 
checks the Envelope-to header and moves the file to that user's inbox.

Personally, I don't manage users' spam.  I give them imap folders for 
learn-spam and learn-ham then have a script that checks those folders 
and runs sa-learn.  Spam is deleted once it is learned and ham is moved 
back to the inbox.  For myself I also have report and revoke scripts 
that do the same, but instead of using sa-learn they use spamassassin -r 
or -k.



-- 
Chris
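
The approach suggested in the reply above (look up the envelope recipient, then hand the message back), as an added example that is not part of the thread. It re-injects through sendmail rather than moving the file into the Cyrus mailbox, and it assumes the X-Envelope-To, X-Quarantine-id and X-Spam-* headers shown in the quarantined message earlier on this page; the function names, the SENDMAIL override and the sample message are hypothetical.

```bash
#!/bin/bash
# Added example: prepare a quarantined false positive and resend it.
# Header names are the ones visible in the headers quoted on this page.

# Headers of message file $1, CRs removed, folded continuation lines joined.
unfold_headers() {
    tr -d '\r' < "$1" | awk '
        /^$/     { exit }                        # blank line ends the headers
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
                 { if (buf != "") print buf; buf = $0 }
        END      { if (buf != "") print buf }'
}

# Original recipient as recorded by the content filter, without <>.
envelope_to() {
    unfold_headers "$1" | awk '
        tolower($0) ~ /^x-envelope-to:/ {
            sub(/^[^:]*:[ \t]*/, ""); gsub(/[<> \t]/, ""); print; exit }'
}

# Whole message on stdout, minus scanner headers and their continuation lines.
# CRs are dropped everywhere: amavisd logged "char 0D hex" in a header as
# BAD HEADER, and on-disk Unix mail files use bare LF.
clean_message() {
    tr -d '\r' < "$1" | awk '
        inbody   { print; next }
        /^$/     { inbody = 1; print; next }
        /^[ \t]/ { if (!drop) print; next }      # continuation follows its header
                 { drop = (tolower($0) ~ /^x-(spam-[a-z-]+|quarantine-id|envelope-(to|from)):/)
                   if (!drop) print }'
}

# Resend file $1 to its envelope recipient. The address must start with an
# alphanumeric character, so a header value can never be read as an option.
resend_ham() {
    rcpt=$(envelope_to "$1")
    if ! printf '%s\n' "$rcpt" |
         grep -Eq '^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+$'; then
        echo "skip $1: no usable X-Envelope-To" >&2
        return 1
    fi
    clean_message "$1" | "${SENDMAIL:-/usr/sbin/sendmail}" -i "$rcpt"
}

# Constructed sample (CRLF line endings, folded X-Spam-Status) for a dry run.
make_sample() {
    printf '%s\r\n' \
        'Received: from localhost (localhost [127.0.0.1])' \
        ' by mail.example.org (Postfix) with ESMTP id 0000000000' \
        'X-Envelope-To: <user@example.org>' \
        'X-Quarantine-id: spam-constructed-0001' \
        'Subject: test' \
        'X-Spam-Status: Yes, hits=5.4 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_99,' \
        ' RCVD_IN_XBL' \
        'X-Spam-Level: *****' \
        '' \
        'body line' > "$1"
}

# Every file named on the command line is resent; with no arguments nothing runs.
for f in "$@"; do resend_ham "$f"; done
```

A message resent this way goes through the content filter again, as the resend log on this page shows, so it should only be sent after the filters have been retrained.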



'spamassassin --revoke' and 'razor-revoke' are interchangeable?

2006-10-27 Thread Leon Kolchinsky
Hello all,

Could someone tell me if 'spamassassin --revoke' and 'razor-revoke' are 
interchangeable?

What exactly is happening when I revoke the 'false negative' message? 
Are its details reported to razor2 DB and BAYESIAN DB as ham? 
Are these messages being resent to the original recipients?


Can I use the following syntax on my Cyrus system?:
spamassassin --revoke /ham_folder/*
or
/usr/lib/razor-revoke /ham_folder/*
sa-learn --showdots --ham /ham_folder/*



Regards,
Leon Kolchinsky



How to avoid spamassassin checks in Subject header?

2006-10-26 Thread Leon Kolchinsky

Hello All,

I've a mail system running Cyrus+Postfix+Amavisd-new+ClamAV+Spamassassin on 
SuSE Linux Ent. Server 9.

The problem is that non-encoded 8bit data is not allowed in message headers and 
Cyrus-IMAPd prevents from any problem by replacing those chars with X (mail 
program should do encoding according to RFC 2047 on all headers. Unencoded 
8-bit characters aren't allowed in headers). 

In SuSE's distribution there is no munge8bit option for Cyrus (which would 
leave the problematic subject as is but damage the search function) so all 
Subjects in Hebrew/Russian/Etc. sent from Hotmail,Yahoo,... clients arriving to 
users mailboxes changed to XXX.

I have BAYES and RAZOR filters installed.

Here are some headers from one of such mails:
Subject: FW: XXX X XXX X
X-Spam-Status: Yes, hits=6.8 tag1=-999.0 tag2=5.0 kill=5.0
 tests=FROM_ENDS_IN_NUMS, HTML_MESSAGE, MIME_BOUND_NEXTPART,
 MIME_HTML_NO_CHARSET, MSGID_FROM_MTA_HEADER, SUBJ_ILLEGAL_CHARS
X-Spam-Level: **

So it seems to me that this high score is due to XXX (or unencoded subjects) in 
the Subject header.

Is there any way to tell Spamassassin to not check in 'Subject' header?


Please Help.



Best Regards,
Leon Kolchinsky



RE: How to avoid spamassassin checks in Subject header?

2006-10-26 Thread Leon Kolchinsky
Thanks Chris,

I should read more about score rules :)

Another thing:

There is a legitimate e-mail with empty body message but with .doc attachment 
(filename is in hebrew) that marked as a spam - 

X-Spam-Status: Yes, hits=5.4 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_44,
 FROM_ENDS_IN_NUMS, HTML_MESSAGE, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK,
 ROUND_THE_WORLD
X-Spam-Level: *

What would you suggest to eliminate or minimize ‘false positives’ in these 
cases?

P.S.:
I’ve seen that some howto’s suggest putting scores in local.cf file and some 
into user_prefs.
What is the right way to do it?


Best Regards,
Leon Kolchinsky


From: Chris Santerre [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 26, 2006 3:29 PM
To: לאון קולצ'ינסקי; users@spamassassin.apache.org
Subject: RE: How to avoid spamassassin checks in Subject header?

 -Original Message-
 From: Leon Kolchinsky [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 26, 2006 9:09 AM
 To: users@spamassassin.apache.org
 Subject: How to avoid spamassassin checks in Subject header?
 
 Hello All,
 
 I've a mail system running
 Cyrus+Postfix+Amavisd-new+ClamAV+Spamassassin on SuSE Linux
 Ent. Server 9.
 
 The problem is that non-encoded 8bit data is not allowed in
 message headers and Cyrus-IMAPd prevents from any problem by
 replacing those chars with X (mail program should do encoding
 according to RFC 2047 on all headers. Unencoded 8-bit
 characters aren't allowed in headers).
 
 In SuSE's distribution there is no munge8bit option for Cyrus
 (which would leave the problematic subject as is but damage
 the search function) so all Subjects in Hebrew/Russian/Etc.
 sent from Hotmail,Yahoo,... clients arriving to users
 mailboxes changed to XXX.
 
 I have BAYES and RAZOR filters installed.
 
 Here are some headers from one of such mails:
 Subject: FW: XXX X XXX X
 X-Spam-Status: Yes, hits=6.8 tag1=-999.0 tag2=5.0 kill=5.0
 tests=FROM_ENDS_IN_NUMS, HTML_MESSAGE, MIME_BOUND_NEXTPART,
 MIME_HTML_NO_CHARSET, MSGID_FROM_MTA_HEADER, SUBJ_ILLEGAL_CHARS
 X-Spam-Level: **
 
 So it seems to me that this high score is due to XXX (or
 unencoded subjects) in the Subject header.
 
 Is there any way to tell Spamassassin to not check in
 'Subject' header?

Since this is also scanned by body rules... No.

However you could just rescore the rule

score SUBJ_ILLEGAL_CHARS 0.10

HTH,

Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com



RE: How to avoid spamassassin checks in Subject header?

2006-10-26 Thread Leon Kolchinsky
Thanks for the suggestion,

But should I run spamassassin --revoke or /usr/lib/razor-revoke on folder 
containing such a ham?
spamassassin --revoke /ham_folder/*
or
/usr/lib/razor-revoke /ham_folder/*

Are these tools interchangeable?

And again, it seems very strange that a regular message with empty message body 
and one attachment (hebrewnamedfile.doc) is labeled as a spam.
Maybe there is a score on attachment name encodings?
Maybe it is a good idea to play a little with the scores of FROM_ENDS_IN_NUMS, 
ROUND_THE_WORLD etc.?




Best Regards,
Leon Kolchinsky



-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 26, 2006 5:04 PM
To: users@spamassassin.apache.org
Subject: Re: How to avoid spamassassin checks in Subject header?

On Thu, Oct 26, 2006 at 04:56:21PM +0200, Leon Kolchinsky wrote:
 There is a legitimate e-mail with empty body message but with .doc attachment 
 (filename is in hebrew) that marked as a spam - 
 
 X-Spam-Status: Yes, hits=5.4 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_44,
  FROM_ENDS_IN_NUMS, HTML_MESSAGE, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK,
  ROUND_THE_WORLD
 
 What would you suggest to eliminate or minimize ‘false positives’ in these 
 cases?

Well, I think the main hits are Razor and Bayes, since the rest are generally
out of your control.  You can teach Bayes the message is ham, so that'll help
out the next time.  As for Razor, you can revoke the message, which may cause
Razor to lower the confidence (cf) on the message part, and possibly make it
not hit the rules anymore.

 I’ve seen that some howto’s suggest putting scores in local.cf file and some 
 into user_prefs.
 What is the right way to do it?

Do you want the scores to be site-wide (local.cf) or for a specific user
(user_prefs) ?

-- 
Randomly Selected Tagline:
But I forgot all about the Amnesia Conference!!