Re: Spamassassin+amavis

2008-10-30 Thread Luis Hernán Otegui
Luis:

2008/10/29 Luis Croker <[EMAIL PROTECTED]>:
>
>   How can I turn off the Network tests (RBLs) ???  Just to probe if it can
> make the delivery faster.

Just to check, you know you should run a RBL check in Postfix BEFORE
it accepts the message, do you? This reduces dramatically the number of
messages your server has to scan. And improves the performance a lot.
Personally, I run Zen, from SpamHaus:

reject_rbl_client zen.spamhaus.org

Try this, so your server doesn't get overloaded with obvious spammy
connections from spambots.

>
>
>
>
> On Wed, 2008-10-29 at 04:05 +, Ned Slider wrote:
>
> Gary V wrote:
>>
>> 6 seconds seems somewhat typical. Mostly due to network tests. Some
>> RBLs are no longer and you could turn the non functional RBL rules off
>> by setting to 0. I'm not sure which ones though. Maybe someone else
>> knows.
>>
>
>  From my own stats of hits against DNSBLs and URIBLs for the last ~1000
> spam (these results are typical for me):
>
> ## DNSBL Statistics ##
> 1223 RCVD_IN_ZEN (Spamhaus PBL, SBL or XBL)
> 1067 RCVD_IN_UCE_COMBINED (UCEPROTECT level 1, 2 or 3)
> 1052 RCVD_IN_PBL
>  900 RCVD_IN_UCEPROTECT3
>  834 RCVD_IN_UCEPROTECT2
>  678 RCVD_IN_SBLXBL
>  427 RCVD_IN_UCEPROTECT1
>  163 RCVD_IN_PSBL
>  105 RCVD_IN_BL_SPAMCOP_NET
>   15 RCVD_IN_SORBS_WEB
>   14 RCVD_IN_NJABL_PROXY
>    1 RCVD_IN_SORBS_DUL
>  1329 Total Spam
>
> ## URIBL Statistics ##
> 1060 URIBL_BLACK
>  829 URIBL_JP_SURBL
>  695 URIBL_OB_SURBL
>  611 URIBL_SC_SURBL
>  444 URIBL_SBLXBL
>  440 URIBL_WS_SURBL
>  427 URIBL_AB_SURBL
>  163 URIBL_RHS_DOB
>   42 URIBL_PH_SURBL
>  1329 Total Spam
>
> Spamhaus Zen is highly effective for me and hits on >90% of spam when
> used as -lastexternal, and is the only DNSRBL I'd trust to use at the
> smtp level. I've also added custom rules for UCE Protect levels 1-3 and
> PSBL blacklists. I wouldn't use either at the smtp level as they do
> generate the occasional FP, but UCE Protect is useful in a scoring
> environment such as SA. For me NJABL, SORBS and pretty much anything
> else are a waste of space relative to the effectiveness of Spamhaus. If
> you can implement Spamhaus Zen at the smtp level then blocking ~90% of
> spam before it ever reaches SA is hugely beneficial to system load and
> the rest could probably be dropped from SA with minimal impact.
>
> I also find the URIBLs to be very effective, especially URIBL_BLACK.
> Between Bayes and my top DNSRBLs and URIBLs, nothing gets through -
> everything else is just bumping the score further past the spam threshold.
>
> I'd recommend taking a look at your own stats to see which are effective
> for you and maybe drop those that are ineffective or, better still, look
> at ways to pre-filter spam at the smtp level before it ever reaches
> amavisd/SA so as to reduce the load (for example,
> http://wiki.centos.org/HowTos/postfix_restrictions). A good setup like
> this can easily block the vast majority of spam at the smtp level
> meaning that your server/SA now primarily only has to deal with the ham
> and an insignificantly small proportion of spam.
>
> BTW, checking my logs I note typical delays of 4-6secs on a 3.0GHz quad
> core server with 4GB RAM running 4 amavisd child processes that handles
> a very light load.
>
> -Ned
>
>
> Luis Croker
> SCSA - SCNA
> Administrador de Sistemas
> Megacable Comunicaciones
> GPG Key1024D/48C1764B
> Key fingerprint = E8B6 E84F ECE4 661E 30C7 7208 042D BD09 48C1 764B

Best luck,


Luis
-- 
_

GNU/GPL: "May The Source Be With You...

Linux Registered User #448382.
_
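
Ned's suggestion quoted above, to look at your own stats and see which lists are effective, as an added example that is not part of the original thread. It assumes one unfolded X-Spam-Status header per line in the amavisd-new `tests=[RULE=score, ...]` form; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-rule DNSBL/URIBL hit counts over messages tagged as spam.
# Assumption: every input line is one unfolded X-Spam-Status header in the
# "tests=[RULE=score, ...]" form. Function names are hypothetical.

rbl_hit_stats() {
    awk '
        /^X-Spam-Status: Yes/ {
            total++
            start = index($0, "tests=[")
            if (start == 0) next
            list = substr($0, start + 7)          # text after "tests=["
            stop = index(list, "]")
            if (stop > 0) list = substr(list, 1, stop - 1)
            n = split(list, item, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                rule = item[i]
                sub(/=.*/, "", rule)              # drop the "=score" part
                if (rule ~ /^(RCVD_IN_|URIBL_)/) hits[rule]++
            }
        }
        END {
            # Most frequent rule first; ties are broken by rule name.
            sorter = "LC_ALL=C sort -k1,1nr -k2,2"
            for (r in hits)
                printf("%d %s %.0f%%\n", hits[r], r, 100 * hits[r] / total) | sorter
            close(sorter)
            printf("%d Total Spam\n", total + 0)
        }
    '
}

sample_headers() {   # constructed sample; the scores are made up
cat <<'EOF'
X-Spam-Status: Yes, score=9.1 tagged_above=-100 required=5 tests=[BAYES_99=3.5, RCVD_IN_ZEN=2.5, URIBL_BLACK=2.0]
X-Spam-Status: Yes, score=12.4 tagged_above=-100 required=5 tests=[RCVD_IN_ZEN=2.5, RCVD_IN_PBL=0.9, URIBL_BLACK=2.0, URIBL_JP_SURBL=1.5]
X-Spam-Status: Yes, score=7.068 tagged_above=-100 required=5 tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001]
X-Spam-Status: Yes, score=8.0 tagged_above=-100 required=5 tests=[BAYES_99=3.5, RCVD_IN_ZEN=2.5, URIBL_JP_SURBL=1.5]
X-Spam-Status: No, score=0.9 tagged_above=-100 required=5 tests=[RCVD_IN_PBL=0.9]
EOF
}

# Columns: hits, rule, share of spam messages that hit the rule.
sample_headers | rbl_hit_stats
```

A list that rarely fires on your own spam is a candidate for dropping from the network tests; one that fires on most of it is a candidate for the SMTP-level check.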


Re: Out of memory during ridiculously large request at

2008-08-22 Thread Luis Hernán Otegui
Matthias:

2008/8/22 Matthias Häker <[EMAIL PROTECTED]>:
> Hi
>
> i found
>
> Wed Aug 20 19:10:54 2008 [81756] warn: rules: failed to run BAYES_99 test,
> skipping:
> Wed Aug 20 19:10:54 2008 [81756] warn:  (Out of memory during ridiculously
> large request at
> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/BayesStore/DBM.pm
> line 1851,  line 1047.
> Wed Aug 20 19:10:54 2008 [81756] warn: )
> Wed Aug 20 
>
> in my spamd.log
>
> and it reappears since then from time to time but not every Message is
> affected
>
>
>
> size of
> bayes_toks= 287014921
> bayes_seen= 10010624
> bayes_yournal = 55392
>
> every night i run
> /usr/local/bin/sa-learn -u spamd  --force-expire >/dev/null 2>&1
>
> and the bayes database looks not too big for me
>
> any idea what can cause this Error ?

Looks to me like you've passed a BIG message to sa-learn. By default,
SA scans and learns from small messages (>256 KB).


>
>
>
> Matthias
>
>
> --
>
> IT Service Häker
> Matthias Häker
> Hein Hoyer Straße 64
> 20359 Hamburg
> Tel: +49 (0)40 98238807
> Tel: +49 (0)40 35077502
> Fax: +49 (0)40 52596583
> Mob: +49 (0)176 65571482

Regards,

Luis
-- 
_

GNU/GPL: "May The Source Be With You...

 Linux Registered User #448382.
_


Re: Our secret is out

2008-08-15 Thread Luis Hernán Otegui
2008/8/15 John Hardin <[EMAIL PROTECTED]>:
> From a Slashdot thread about somebody suddenly seeing no spam on their mail
> feed and wondering why:
>
>  A group of the original SpamAssassin developers got together
>  with a group of mercenaries and created SpammerAssassin. It's
>  in alpha, and looks good except it seems to have started a
>  teeny-tiny war in the eastern bloc. Oops. They have an open
>  bug ticket on it.

Count me in! I know where some local spammers live, I can get a .275
sniper rifle from one of my friends, and I have Jiu Jitsu training!

>
>  :D
>
> http://it.slashdot.org/it/08/08/15/1318221.shtml
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  Windows and its users got mentioned at home today, after my wife the
>  psych major brought up Seligman's theory of "learned helplessness."
> -- Dan Birchall in a.s.r
> ---
>  Today: the 63rd anniversary of the end of World War II
>

Regards


Luis
-- 
_

GNU/GPL: "May The Source Be With You...

 Linux Registered User #448382.
_


Re: Can I block/blacklist via SPF??

2008-05-20 Thread Luis Hernán Otegui
2008/5/20 mouss <[EMAIL PROTECTED]>:
> Matt Kettler wrote:
>>
>> Luis Hernán Otegui wrote:
>>>
>>> Hello, list. I've been wondering how to stop traffic from certain
>>> hosts which only seem to distribute spam. I'm tired of reporting the
>>> emails to their ISP, Spamcop, etc. Since the servers are identically
>>> configured (they seem to be virtual machines fired up/cloned from the
>>> same template), and have valid SPF records, I would like to know if there
>>> is a way to block/blacklist these domains via SpamAssassin.
>>>
>>
>> Why get SPF involved? Just blacklist the domain with blacklist_from
>> [EMAIL PROTECTED]
>>
>> SPF is useful to prevent forgery, but if a spammer wants to forge a domain
>> you've blacklisted.. well, more power to em.
>>
>>
>
> and he can also block the domains or the clients in his MTA.

Well, guess I left my brain on my night table this morning... Thanks
for the Kindergarten lesson! Blocked them @ Postfix.

Excuse me for the dumb topic. Too much coffee and no sleeping make me
really close to a sea slug when it comes to thinking ;-)

>
>

Best regards,


Luis
-- 
_

GNU/GPL: "May The Source Be With You...

 Linux Registered User #448382.
_


Can I block/blacklist via SPF??

2008-05-20 Thread Luis Hernán Otegui
Hello, list. I've been wondering how to stop traffic from certain
hosts which only seem to distribute spam. I'm tired of reporting the
emails to their ISP, Spamcop, etc. Since the servers are identically
configured (they seem to be virtual machines fired up/cloned from the
same template), and have valid SPF records, I would like to know if there
is a way to block/blacklist these domains via SpamAssassin.

For the record, I run Postfix/Amavisd-new 2.5.4/SA 3.2.4. I do SPF
checks only via SA.

Here are two examples:
http://pastebin.com/m2a039236
http://pastebin.com/m5f77a5a4

Thanks in advance,

Luis
-- 
_

GNU/GPL: "May The Source Be With You...

 Linux Registered User #448382.
_


Re: MySQL my.cnf file for innodb

2008-05-19 Thread Luis Hernán Otegui
Marc:

2008/5/18 Marc Perkel <[EMAIL PROTECTED]>:
> Just looking for some my.cnf example files for SA.
>
> Server has 4 gigs of ram, dual core CPU. What do I want in my my.cnf file?
>
> Thanks in advance.

Could you AT LEAST post this kind of questions as OFF TOPIC??? Or
maybe to the right list? (Mysql, Postfix, etc.)


>
>

Regards,


Luis
-- 
_

GNU/GPL: "May The Source Be With You...

 Linux Registered User #448382.
_


Re: Trouble with VBounce

2008-05-13 Thread Luis Hernán Otegui
Karsten:

2008/5/13 Karsten Bräckelmann <[EMAIL PROTECTED]>:
>
>  > Yup. Did you whitelist your servers? If you don't do it, SA doesn't
>  > know how to tell a legit bounce from UBE-generated bounces.
>  >
>  > You should have something like
>  > whitelist_bounce_relays my.server.name other.server.name
>  > in your local.cf.
>
>  True, and the OP did. He included another header snippet, showing
>  ANY_BOUNCE_MESSAGE hitting.
>
>
>
>  > Then you'll start to notice how bounce notifications start to get
>  > tagged as spam.
>
>  This is not true, however. VBounce will add a mere 0.1 or 0.2 to the
>  score, which hardly can be seen as "tagging as spam". The purpose of
>  VBounce is to *identify* backscatter. Not to treat it as spam. Please,
>  let me re-iterate what I have posted in here a bunch of times
>  already... :)

Well, you're right. I didn't express myself clearly. However, I have a
heavily modified vbounce2.cf in the /etc/spamassassin/ folder, which
assigns a default score of 7 to many bounce messages, since we don't
accept foreign bounces here.

>
>  $ grep -A 2 procmail /usr/share/spamassassin/20_vbounce.cf
>
>  # If you use this, set up procmail or your mail app to spot the
>  # "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move
>  # messages that match that to a 'vbounce' folder.
>
>   guenther
>
>
>  --
>  char *t="[EMAIL PROTECTED]";
>  main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i  (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
>
>

Anyway, thanks for pointing out the real aim of VBounce. I lost it
completely, and now you've got me thinking if what I'm doing is wrong.

Regards,


Luis
-- 
_

GNU/GPL: "May The Source Be With You...

 Linux Registered User #448382.
_
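
The comment from 20_vbounce.cf quoted above says to spot the "ANY_BOUNCE_MESSAGE" hit in the X-Spam-Status line and move those messages to a 'vbounce' folder. The following is an added example of that check in shell, not part of the original thread; the function names and both sample messages are constructed. It reads only the message's own header block, so header text quoted in the body of a bounce does not count as a hit.

```shell
#!/bin/sh
# Added example: file a message under "vbounce" when its own X-Spam-Status
# header lists ANY_BOUNCE_MESSAGE. Function names are hypothetical.
# Assumption: the first X-Spam-Status header is the one the local filter added.

has_rule_hit() {   # usage: has_rule_hit RULE < message; status 0 on a hit
    awk -v rule="$1" '
        /^\r?$/  { exit }                  # blank line: the headers are over
        /^[ \t]/ { if (cur) status = status " " $0; next }   # folded line
                 { cur = 0 }
        !seen && tolower($0) ~ /^x-spam-status:/ { cur = seen = 1; status = $0 }
        END {
            # RULE must be a whole rule name, not part of a longer one.
            pat = "(^|[^A-Za-z0-9_])" rule "([^A-Za-z0-9_]|$)"
            exit ((status ~ pat) ? 0 : 1)
        }
    '
}

vbounce_folder() {   # prints the folder for the message on stdin
    if has_rule_hit ANY_BOUNCE_MESSAGE; then
        echo vbounce
    else
        echo inbox
    fi
}

sample_backscatter() {   # constructed: the rule hit sits on a folded line
cat <<'EOF'
Return-Path: <>
X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_50,
    ANY_BOUNCE_MESSAGE,CRBOUNCE_MESSAGE autolearn=no
Subject: Delivery Status Notification (Failure)

Your message did not reach some or all of the intended recipients.
EOF
}

sample_ordinary() {      # constructed: the rule name appears only in the body
cat <<'EOF'
From: colleague@example.org
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00 autolearn=ham
Subject: Fwd: odd bounce I received

X-Spam-Status: No, score=0.1 required=5.0 tests=ANY_BOUNCE_MESSAGE
EOF
}

sample_backscatter | vbounce_folder
sample_ordinary | vbounce_folder
```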


Re: Trouble with VBounce

2008-05-13 Thread Luis Hernán Otegui
Hi, Erik

2008/5/13 Erik Dasque <[EMAIL PROTECTED]>:
> I checked the debug result of my a --lint and got:
>
>
> [EMAIL PROTECTED]:~$ spamassassin 2>&1 -D --lint | grep ounce
> [13492] dbg: plugin: loading Mail::SpamAssassin::Plugin::VBounce from @INC
> [13492] dbg: config: fixed relative path:
> /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf
> [13492] dbg: config: using
> "/var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf" for
> included file
> [13492] dbg: config: read file
> /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_vbounce.cf
>
> This seems right, yes ?
>
> Erik
>
>
>
> On May 13, 2008, at 8:14 AM, Erik Dasque wrote:
>
> Anyone ? Do you get the same analysis with the attached message that I got ?
> Is my VBounce setup wrong then ?
>
> Erik
>
> (did my message get ignored because of the text attachment ?)
>
>
> On May 12, 2008, at 11:32 AM, Erik Dasque wrote:
>
> Hi all,
>
> I am having trouble with VBounce. I think I followed the FAQ to the letter
> yet most of the backscatter still ends up in my mailbox. For example, if I
> analyze the attached sample email (which I received this morning), I get the
> following:
>
> [  ]
>
>
> Spam detection software, running on the system "li9-234.members.linode.com",
> has
> identified this incoming email as possible spam.  The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email.  If you have any questions, see
> root for details.
>
> Content preview:  Your message did not reach some or all of the intended
> recipients.
>The e-mail account does not exist. Check the e-mail address or contact
> the
>recipient directly to confirm the address. "Devon Roy" <[EMAIL PROTECTED]>
> [...]
>
>
> Content analysis details:   (-2.0 points, 3.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -2.3 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>                             [score: 0.]
>  0.3 AWL                    AWL: From: address is in the auto white-list
>
>
> As you see, no bounce related analysis. However some messages get filtered
> out as bounce (just not the one attached and quite a few of its brethren)
> which tells me it's at least working a bit :
>
>
>
>  X-Spam-Report: *  1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL
> blocklist *  [URIs: bambinidimanina.org] *  1.5 URIBL_JP_SURBL Contains
> an URL listed in the JP SURBL blocklist *  [URIs: bambinidimanina.org] *
> 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist *  [URIs:
> bambinidimanina.org] *  0.0 BAYES_50 BODY: Bayesian spam probability is 40
> to 60% *  [score: 0.5000] *  0.1 CRBOUNCE_MESSAGE Challenge-response
> bounce message *  0.1 ANY_BOUNCE_MESSAGE Message is some kind of bounce
> message
>
>
> Any idea for me ?

Yup. Did you whitelist your servers? If you don't do it, SA doesn't
know how to tell a legit bounce from UBE-generated bounces.

You should have something like

whitelist_bounce_relays my.server.name other.server.name

in your local.cf.

Then you'll start to notice how bounce notifications start to get
tagged as spam.


>
> Erik
>
>
>
> 
>
>
>

Regards,


Luis
-- 
_

GNU/GPL: "May The Source Be With You...

 Linux Registered User #448382.
_


Re: Change subject depending on score

2008-05-07 Thread Luis Hernán Otegui
Hi

2008/5/7 pingu22 <[EMAIL PROTECTED]>:
>
>  Hi,
>
>  what I want to do is:
>
>  If score >= 5 && <= 15 change subject to ***SPAM***
>
>  If score >= 15 change subject to HIGH_SPAM***
>
>  with procmail I can control the score level and p.e. put the mail in a
>  different folder.

The question here is how do you call SA, and which MTA do you use.
AFAIK, with Amavisd-new calling SA, you could modify the subject
according to the score.
>
>  But I'm using a database and I just want to change the subject and depending
>  on that send the message to a different mailbox number.
>
>  Thanks.
>  --
>  View this message in context: 
> http://www.nabble.com/Change-subject-depending-on-score-tp17109312p17109312.html
>  Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>

Best regards

Luis
-- 
_

GNU/GPL: "May The Source Be With You...

 Linux Registered User #448382.
_


Re: Filtering out delivery status notifications

2008-04-15 Thread Luis Hernán Otegui
Hi, Jarek

2008/4/15, Jarek <[EMAIL PROTECTED]>:
> Hi all!
>
> I've a problem with mass of DSN messages, which are replies to spam
>  sent by spammers with my address.
> How can I create rule to tag DSN as spam, if it is not the answer to
>  message sent from my IPs ?

Boy, backscatter seems to be today's special. Take a look at some
other posts, you should implement VBounce plugin. And set appropriate
rules as well.

>
>  best regards
>  JT
>
>

Regards,

Luis
-- 
_

GNU/GPL: "May The Source Be With You...

Linux Registered User #448382.
_


Re: Returned mail spam

2008-04-09 Thread Luis Hernán Otegui
2008/4/9, John Hardin <[EMAIL PROTECTED]>:
> On Wed, 9 Apr 2008, mouss wrote:
>
>
> > Thanks for confirming that spf doesn't fix the problem.
> >
>
>  There's no silver bullet. SPF will tend to reduce the problem.

Wouldn't DKIM help also? I've implemented both methods, and encouraged
my colleagues to do it too. The main advantage I see in DKIM is that
it doesn't break the chain of trust if somebody forwards a message.

>
>  --
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   The ["assault weapons"] ban is the moral equivalent of banning red
>   cars because they look too fast.  -- Steve Chapman, Chicago Tribune
> ---
>   4 days until Thomas Jefferson's 265th Birthday
>

Luis
-- 
_

GNU/GPL: "May The Source Be With You...

Linux Registered User #448382.
_


Feature request

2008-04-03 Thread Luis Hernán Otegui
Hi, everybody (but specially developers). I've been running a sitewide
Bayes setup for almost three years, with a wonderful result. Along
with that, I report spam messages to my local spamassassin setup (and
some to spamcop) via a web interface (embedded in our Webmail).

From the last training run I did, emerged an idea: would it be nice to
have some sort of "weighted" reporting? i.e. since every user in my
systems can report an email as spam (and some of them even do it with
our internal community mailing), would it be possible to define some
sort of administrative users which would have a higher impact on
training the Bayes database? I mean, if a user has a history of being a
responsible reporter, his/her trained messages would improve Bayesian
filtering. This came to my mind from looking at the debug output of
the reporting process, in which it mentions the choosing of a default
scoreset.

I'm no Perl developer (or anything closer to that), so I don't know if
this is possible (or if it would fit SA's devel line), but I thought it
would be nice sharing this idea.

Anyway, thanks everybody for such an amazing job.


Luis
-- 
_

GNU/GPL: "May The Source Be With You...

Linux Registered User #448382.
_


Re: Celebrity spams

2008-03-25 Thread Luis Hernán Otegui
Hi,

2008/3/25, A&M ImpacT [W. Kranenborg] <[EMAIL PROTECTED]>:
> Hi,
>
>  We also have this problem at our company. It would be nice if there is a
>  rule for this spam.

Could you please post a full message to some place accessible to
everybody? (e.g., pastebin).


>
>  Regards,
>  Wessel Kranenborg
>  A&M ImpacT Internetdiensten BV
>  --
>  [E] [EMAIL PROTECTED]
>  [T] 0314-361988 (Netherlands)
>
>  > -Original message-
>  > From: penny/dell [mailto:[EMAIL PROTECTED]
>  > Sent: Tuesday, 25 March 2008 13:44
>  > To: users@spamassassin.apache.org
>  > Subject: Celebrity spams
>
> >
>  >
>  > Hello,
>  >
>  > We were wondering what people are doing to stop these celebrity spams.
>  We
>  > have gotten hundreds of these and can't really block on common
>  phrases.
>  >
>  > Milla Jovovich Gallery cd.
>  > The pornos is Stunning!
>  > Only 1 day trial - get this Shocking cd now!
>  > Download it now!
>  >
>  > note: Download it now! is a link
>  >
>  > thanks
>  >
>  > Nick
>  > --
>  > View this message in context: http://www.nabble.com/Celebrity-spams-
>  > tp16274451p16274451.html
>  > Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>

Luis
-- 
_

GNU/GPL: "May The Source Be With You...

Linux Registered User #448382.
_


Re: SA-UPDATE How often new updates?

2008-03-25 Thread Luis Hernán Otegui
Well, actually, I made a mistake when copying & pasting... It should
be something like this (sorry for the top posting):


#!/bin/sh
#
# update spamassassin
#
# Exit codes as handled below: 0 = new rules installed, 1 = no new rules,
# 4 or higher = error.
sa-update --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
exitcodeA=$?
sa-update --gpgkey 26C900A46DD40CD5AD24F6D7DEE01987265FA05B --channel updates.spamassassin.org
exitcodeB=$?
sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
exitcodeC=$?
if [ $exitcodeA -eq 0 -o $exitcodeB -eq 0 -o $exitcodeC -eq 0 ]
 then
 echo "Spamassassin rules updated."
 sa-compile
 spamassassin --lint
 exitcode2=$?
 # Restart amavis only when the new rule set passes lint.
 if [ $exitcode2 -eq 0 ]
   then
  echo "Lint passed without error."
  /etc/init.d/amavis restart
 fi
 exit
fi
if [ $exitcodeA -eq 1 -o $exitcodeB -eq 1 -o $exitcodeC -eq 1 ]
 then
 echo "Spamassassin update run - no new rules today."
 exit
fi

if [ $exitcodeA -ge 4 -o $exitcodeB -ge 4 -o $exitcodeC -ge 4 ]
 then
 # Report all three channel results; a plain $exitcode was never set.
 echo "Spamassassin update exited with error codes $exitcodeA/$exitcodeB/$exitcodeC"
 exit
fi
#--eof--

2008/3/25, Luis Hernán Otegui <[EMAIL PROTECTED]>:
> Sn!per:
>
>  2008/3/25, Matt Kettler <[EMAIL PROTECTED]>:
>
> > Sn!per wrote:
>  >  >
>  >  >> You should be able to just do something like this:
>  >  >>
>  >  >> 27 * * * *  /usr/bin/sa-update && /etc/init.d/spamd restart
>  >  >>
>  >  >
>  >  > Will that also update sought and openprotect when new rules are made 
> available?
>  >
>  >
>  > Apparently it won't... my bad.. For some reason I was thinking sa-update
>  >  would by default grab all the channels it had been "introduced to".. but
>  >  by default it only grabs the official channel.. Not sure why my brain
>  >  wasn't working right there...
>
>
> I use something like this:
>
>  #!/bin/sh
>  #
>  # update spamassassin
>  #
>  sa-update --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
>  exitcodeA=$?
>  sa-update --gpgkey 26C900A46DD40CD5AD24F6D7DEE01987265FA05B --channel updates.spamassassin.org
>  exitcodeB=$?
>
> sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
>
> exitcodeC=$?
>  if [ $exitcodeA -eq 0 -o $exitcodeB -eq 0 -o $exitcodeC -eq 0 ]
>   then
>   echo "Spamassassin rules updated."
>   sa-compile
>   spamassassin --lint
>   /etc/init.d/amavis restart
>exitcode2=$?
>   if [ $exitcode2 -eq 0 ]
> then
>echo "Lint passed without error."
>   fi
>   exit
>  fi
>  if [ $exitcodeA -eq 1 -o $exitcodeB -eq 1 -o $exitcodeC -eq 1 ]
>   then
>   echo "Spamassassin update run - no new rules today."
>   exit
>  fi
>
>  if [ $exitcodeA -ge 4 -o $exitcodeB -ge 4 -o $exitcodeC -ge 4 ]
>   then
>   echo "Spamassassin update exited with error codes $exitcodeA/$exitcodeB/$exitcodeC"
>   exit
>  fi
>  #--eof--
>
>  The syntax could be improved, for sure, but it delivers my main goal,
>  which is updating the channels ;-)
>
>
>  >
>  >  However, I do still recommend using some random oddball number instead
>  >  of 00 for the minute.
>  >
>
>
>
> Luis
>
> --
>  _
>
>  GNU/GPL: "May The Source Be With You...
>
> Linux Registered User #448382.
>  _
>


-- 
_

GNU/GPL: "May The Source Be With You...

Linux Registered User #448382.
_


Re: SA-UPDATE How often new updates?

2008-03-25 Thread Luis Hernán Otegui
Sn!per:

2008/3/25, Matt Kettler <[EMAIL PROTECTED]>:
> Sn!per wrote:
>  >
>  >> You should be able to just do something like this:
>  >>
>  >> 27 * * * *  /usr/bin/sa-update && /etc/init.d/spamd restart
>  >>
>  >
>  > Will that also update sought and openprotect when new rules are made 
> available?
>
>
> Apparently it won't... my bad.. For some reason I was thinking sa-update
>  would by default grab all the channels it had been "introduced to".. but
>  by default it only grabs the official channel.. Not sure why my brain
>  wasn't working right there...

I use something like this:

#!/bin/sh
#
# update spamassassin
#
sa-update --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
exitcodeA=$?
sa-update --gpgkey 26C900A46DD40CD5AD24F6D7DEE01987265FA05B --channel updates.spamassassin.org
exitcodeB=$?
sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
exitcodeC=$?
if [ $exitcodeA -eq 0 -o $exitcodeB -eq 0 -o $exitcodeC -eq 0 ]
 then
  echo "Spamassassin rules updated."
  sa-compile
  spamassassin --lint
  /etc/init.d/amavis restart
   exitcode2=$?
  if [ $exitcode2 -eq 0 ]
then
   echo "Lint passed without error."
  fi
 exit
fi
if [ $exitcodeA -eq 1 -o $exitcodeB -eq 1 -o $exitcodeC -eq 1 ]
 then
  echo "Spamassassin update run - no new rules today."
  exit
fi

if [ $exitcodeA -ge 4 -o $exitcodeB -ge 4 -o $exitcodeC -ge 4 ]
 then
  echo "Spamassassin update exited with error codes $exitcodeA/$exitcodeB/$exitcodeC"
  exit
fi
#--eof--

The syntax could be improved, for sure, but it delivers my main goal,
which is updating the channels ;-)

>
>  However, I do still recommend using some random oddball number instead
>  of 00 for the minute.
>


Luis
-- 
_

GNU/GPL: "May The Source Be With You...

Linux Registered User #448382.
_


Re: How can I catch these?

2008-03-19 Thread Luis Hernán Otegui
OK, Mouss

2008/3/18, mouss <[EMAIL PROTECTED]>:
> Loren Wilton wrote:
>  >> Hi, I'm kinda getting tired of reporting these mails (both to my local
>  >> SA and to SpamCop), and so are my customers. My problem is that the
>  >> spammers are using a large ISP's mail server, and that particular ISP
>  >> (as all the others here in Argentina) don't bother checking the abuse
>  >> reports. What drives me crazy is the little score it lacks to go
>  >> devnulled...
>  >>
>  >> Anyway, here's a sample: http://pastebin.com/m3c0e5b9
>  >
>  > The main problem here is that the standard SA rules are in english and
>  > the mail is in spanish (or something close to that I suppose).  My
>  > Spanish is incredibly rusty, but just scanning the mail I see dozens
>  > of phrases I'd try to match on to add points for this sort of thing.
>  > Of course, I'd need a few dozen examples (at least!) to even consider
>  > writing any rules for this sort of thing.  It would be better if a
>  > native speaker wrote the rules than someone not that familiar with the
>  > language.
>  >
>  > In any case, you can try blacklisting the address of the CD company,
>  > try rules against cheap CDs, try rules against mail advertizing
>  > pictures of nice colored girls (presumably where all of the color is
>  > visible at once), and a half dozen other seemingly pretty obvious
>  > stock phrases.
>  >
>  > Of course, you need a bunch of these mails so you can compile a phrase
>  > list, and you ideally need some way to do a masscheck against spam and
>  > ham to make sure you aren't accidentally catching a lot of ham.  But
>  > you should be able to get the first of those requirements trivially,
>  > and if you are careful and start with low scores and monitor the logs
>  > for the rules that are hitting you should be able to adjust scores
>  > safely and successfully.
>  >
>  > Justin has a tool that makes rules based on phrases found in ham and
>  > spam. This is an automated form of doing what I suggest above by
>  > hand.  I don't know if those tools are part of the SA package, but
>  > they might be.  If so, they could probably be used to advantage.
>  >
>  >Loren
>  >
>
>
> how about something like
>
>  header NONFQHELO_DYN1  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\S*[^a-z]{9}\S+ helo=[^\.\s]+ /i
>  score  NONFQHELO_DYN1  3.0
>  describe NONFQHELO_DYN1  non fqdn helo from dynamic client
>
>  ?

I'll go with this, and tomorrow we'll see. Thanks a LOT to everybody
for their suggestions. They've gone right into my documentation folder
;-)


>
>
>
Regards,


Luis


Re: How can I catch these?

2008-03-18 Thread Luis Hernán Otegui
Hi, Matthias

2008/3/18, Matthias Haegele <[EMAIL PROTECTED]>:
> Luis Hernán Otegui wrote:
>
> > Hi, I'm kinda getting tired of reporting these mails (both to my local
>  > SA and to SpamCop), and so are my customers. My problem is that the
>  > spammers are using a large ISP's mail server, and that particular ISP
>  > (as all the others here in Argentina) don't bother checking the abuse
>  > reports. What drives me crazy is the little score it lacks to go
>  > devnulled...
>  >
>  > I've tried adding
>  >
>  > blacklist_from  [EMAIL PROTECTED]
>  >
>  > to my local.cf
>  >
>  > Anyway, here's a sample: http://pastebin.com/m3c0e5b9
>  >
>  > Thanks in advance,
>
>
> X-Spam-Flag: YES
>  #
>  X-Spam-Score: 7.068
>  #
>  X-Spam-Level: ***
>  #
>  X-Spam-Status: Yes, score=7.068 tagged_above=-100 required=5
>  #
>  tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001,
>  #
>  MIME_QP_LONG_LINE=1.396, NORMAL_HTTP_TO_IP=0.001
>
>  hmm, whats the problem you got some hits like: bayes_99 ... DCC ?
>

Well, it needs 8 points to go devnulled. Between 5 and 8 I only do
tag-and-pass, via Amavis.

BTW, I'm using SA 3.2.4, Amavisd-new 2.5.4, Debian Sarge

>
>  > Luis
>
>
>  --
>  Gruesse/Greetings
>  MH
>
>
>  Dont send mail to: [EMAIL PROTECTED]
>
> --
>
>
Luis


How can I catch these?

2008-03-18 Thread Luis Hernán Otegui
Hi, I'm kinda getting tired of reporting these mails (both to my local
SA and to SpamCop), and so are my customers. My problem is that the
spammers are using a large ISP's mail server, and that particular ISP
(as all the others here in Argentina) don't bother checking the abuse
reports. What drives me crazy is the little score it lacks to go
devnulled...

I've tried adding

blacklist_from  [EMAIL PROTECTED]

to my local.cf

Anyway, here's a sample: http://pastebin.com/m3c0e5b9

Thanks in advance,


Luis


Re: sa-learn user problem

2008-03-01 Thread Luis Hernán Otegui
Hi, Matthias

2008/3/1, Matthias Schmidt <[EMAIL PROTECTED]>:
> On Fri, 29 Feb 2008 15:23:28 -0300 Diego Pomatta wrote:
>
>
>  >Matthias Schmidt wrote:
>  >> Hello,
>  >> my mac os x leopard (10.5.2 with updated amavis-new and spamassassin)
>  >> runs a script, which calls sa-learn with sudo and user _amavis.
>  >> In the config files for amavis and clamAV the user is set to _amavis.
>  >> Now sa-learn always tries to open /var/root/.spamassassin/user_prefs,
>  >> which of course fails.
>  >>
>  >> Where or how can I correct this problem?
>  >>
>  >> Thanks and all the best
>  >>
>  >> Matthias
>  >>
>  >>
>  >
>  >I had a similar problem and Luis Otegui suggested I used
>  ># su  -c ''
>  >
>  >...and it worked. Try it.
>
>
>  thanks, I did that and the errors are gone, but now it looks like
>  something is wrong.
>  The statistics are showing nothing anymore.
>
>
>  Thanks and all the best
>
>  Matthias
>
>

Don't forget that if you're running Bayes over SQL, you must tell
sa-learn under which user it should learn the messages. That's what
the -u option does. You should run something like

# su amavis -c 'sa-learn -u amavis --spam /dir/where/spams/are/'

or something like that. If you don't, you'll end up learning as a
different user (most likely under root).

Take a look at Gary V's HOWTO:

http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html

Hope this helps


Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Is http://www.rulesemporium.com?

2008-02-29 Thread Luis Hernán Otegui
Well, same here, from Argentina

2008/2/29, DAve <[EMAIL PROTECTED]>:
> User for SpamAssassin Mail List wrote:
>  > I have the same problem here:
>  >
>  > traceroute to www.rulesemporium.com (72.52.4.74), 30 hops max, 38 byte
>  > packets
>  >  1  roxanne.pcez.com (209.102.124.1)  0.179 ms  0.146 ms  0.143 ms
>  >  2  52.ATM5-0.GW9.POR3.ALTER.NET (157.130.180.65)  3.016 ms  3.190 ms  
> 2.917 ms
>  >  3  0.so-4-3-0.XT2.POR3.ALTER.NET (152.63.104.254)  3.397 ms  3.131 ms  
> 3.121 ms
>  >  4  0.so-3-0-0.XL2.SJC7.ALTER.NET (152.63.0.146)  17.919 ms  17.896 ms  
> 17.895 ms
>  >  5  POS7-0-0.GW4.SJC7.ALTER.NET (152.63.48.245)  19.365 ms  19.351 ms  
> 19.328 ms
>  >  6  teliasonera-test-gw.customer.alter.net (157.130.215.70)  21.223 ms  
> 21.364 ms  21.248 ms
>  >  7  las-bb1-link.telia.net (213.248.80.17)  30.684 ms  30.711 ms  30.628 ms
>  >  8  dls-bb1-link.telia.net (213.248.80.14)  71.889 ms  71.869 ms  71.875 ms
>  >  9  mai-b1-link.telia.net (80.91.252.62)  98.787 ms  98.759 ms  98.765 ms
>  > 10  * * *
>  >
>  >
>  > Ken
>  >
>  > On Fri, 29 Feb 2008, David Filion wrote:
>  >
>  >> Ed Kasky wrote:
>  >>> At 12:08 AM Friday, 2/29/2008, blaine wrote -=>
>  >>>
>  > I was not able to access http://www.rulesemporium.com? is this working
>  > are moved some where?
>   Works fine from here.  Site is reachable and resolves to 72.52.4.74
>   which pings fine as well.
>  >>> Something's broken somewhere.  From sunny Los Angeles where it was 80
>  >>> degrees yesterday:
>  >>>
>  >>> traceroute to 72.52.4.74 (72.52.4.74), 30 hops max, 40 byte packets
>  >>>  1  ns5gt.wrenkasky.com (10.10.10.1)  0.620 ms  0.809 ms  1.058 ms
>  >>>  2  router.wrenkasky.com (216.102.129.41)  13.910 ms  19.470 ms  24.269 ms
>  >>>  3  dist4-vlan60.irvnca.sbcglobal.net (67.114.50.66)  29.160 ms  34.044 ms  38.922 ms
>  >>>  4  bb2-g10-0.irvnca.sbcglobal.net (151.164.92.198)  85.450 ms  86.375 ms  87.311 ms
>  >>>  5  151.164.93.167 (151.164.93.167)  70.757 ms  71.946 ms  72.868 ms
>  >>>  6  151.164.251.214 (151.164.251.214)  74.810 ms  76.133 ms  80.781 ms
>  >>>  7  dls-bb1-link.telia.net (213.248.80.14)  144.269 ms  72.000 ms  71.572 ms
>  >>>  8  mai-b1-link.telia.net (80.91.252.62)  100.388 ms  102.816 ms  107.478 ms
>  >>>  9  * * *
>  >>> 10  * * *
>  >>> 11  * * *
>  >>> 12  * * *
>
>
> Same result from Indiana USA, dies at telia.net.

Dies at Telia...


>
>  DAve
>
>
>  --
>  Google finally, after 7 years, provided a logo for
>  veterans. Thank you Google. What to do with my signature now?
>

Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Lots Of SPAM

2008-02-26 Thread Luis Hernán Otegui
Hi, tarak

2008/2/26, Tarak Ranjan <[EMAIL PROTECTED]>:
> Hi List,
>  I have posted my RAW email in http://pastebin.ca/918849 ,
>  I'm receiving 1000 to 4000 per day this kind of messages.
>  SA also skipping this kind of mails
>
>  /

Well, I get a beautiful BAYES_99 on the mail you've shown. You should
tell us more about your setup. Which SA version, how is it running, do
you use sa-update? Also, you should report the message to
razor/pyzor/spamcop. That'll help too.
>
> TArak
>
>
>
Regards,

Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: autolearn vs sa-learn / Bayes

2008-02-21 Thread Luis Hernán Otegui
Hello, Diego

2008/2/21, Diego Pomatta <[EMAIL PROTECTED]>:
> Hello list.
>
>  Does the bayes system use a separate db for the "autolearn" mode?
>
>  Today I noticed that my SA bayes has 50 spam and 45 ham mails learned,
>  when I thought the db had a lot more, because bayes IS being used.
>
>  # sa-learn --dump magic
>  0.000  0  3  0  non-token data: bayes db version
>  *0.000  0 50  0  non-token data: nspam
>  0.000  0 45  0  non-token data: nham*
>
>  # spamassassin -D --lint
>  ...
>  [7896] dbg: bayes: found bayes db version 3
>  [7896] dbg: bayes: DB journal sync: last sync: 0
>  *[7896] dbg: bayes: not available for scanning, only 50 spam(s) in bayes
>  DB < 200*
>  ...
>
>  In the beginning , after setting up SA, bayes was not being used.
>  I had not trained it with anything yet, but my local.cf had:
>  *use_bayes 1
>  use_bayes_rules 1
>  bayes_auto_learn 1*
>
>  Reading the logs I noticed that it was only autolearning spam, not ham.
>  So I added
>  *bayes_auto_learn_threshold_nonspam 0.5*
>  and it started learning ham.
>  I monitored the logs and at some point incoming mails started triggering
>  the BAYES_20, BAYES_50, BAYES_00, BAYES_95, BAYES_99, rules.
>  So I figured it had autolearned the minimum needed amount of ham and spam
>  (200) to start working.
>  Every now and then I use sa-learn to feed some spam and ham to bayes,
>  and I thought I was contributing to the same db. Those must be the 50
>  spam and 45 ham mails.
>
>  So what's the deal? :)
>  /Regards
>
>

Well, a couple of questions should be answered first: how do you call
SA? under which user does SA run? are you learning those mails under
the right user? Which version are you running? do you use sa-update?

Provided those questions, let's move to the core of this issue: As you
said, you only have 50 spams and 45 hams learned. You should feed more
data to SA, to make the Bayes scores kick-in. Normally, Bayes scores
help SA to get better filtering (at least, they do here, and I suspect
they'll help you too, since as you work in Argentina, your main locale
should be Spanish, and you'll be getting mostly Argentinian spam).

Regards,

Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: URIBL

2008-02-21 Thread Luis Hernán Otegui
Hi, Rocco

2008/2/21, Rocco Scappatura <[EMAIL PROTECTED]>:
> > > Anyway I heard talking about URIBL, which as I have understood is a
>  > > quite different service (it blacklists 'domains' rather
>  > 'IPs'). But is
>  > > it maybe a dangerous practice to fight spam? Anyway, does anyone
>  > > suggest me to use URIBL?
>  >
>  > Are you looking for a PRE QUEUE blacklist? Or a way to help
>  > score SpamAssassin emails?
>  >
>  > URIBL (I think from spamcop/ironport/cisco) is already
>  > included in modern SA builds.
>
>
> I don't know what you mean for 'PRE QUEUE blacklist'.. Anyway I would
>  like to help SpamAssassin in scoring emails..
>

He means a blacklist which runs IN the MTA, not at SA level, when the
MTA has accepted the message. It rejects spammers as they connect,
mostly based on their IP. I run Zen, from Spamhaus here, with very
good results.
>  rocsca
>

Regards,


Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: sa-learn "not" learning?

2008-02-21 Thread Luis Hernán Otegui
Hi, Scott, I'll give you my two cents here

2008/2/20, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
>
>
> Hi John,
>
> Looks like you replied directly to me. I couldn't find your reply on the
> list yet?
> At any rate...
>
> The Bayes DB has been learned and in effect for a long time - years before
> my time.
>
> No ID's have changed or the config that has caused this error.
> I add users to the whitelist - and use sa-learn - that's it.
>
>
> 1.
> [EMAIL PROTECTED] spam-email]$ sa-learn --dump magic
> 0.000  0  3  0  non-token data: bayes db version
> 0.000  0 797361  0  non-token data: nspam
> 0.000  0 665377  0  non-token data: nham
> 0.000  0 186483  0  non-token data: ntokens
> 0.000  0 1203464108  0  non-token data: oldest atime
> 0.000  0 1203536991  0  non-token data: newest atime
> 0.000  0 1203536443  0  non-token data: last journal sync atime
> 0.000  0 1203507419  0  non-token data: last expiry atime
> 0.000  0  43200  0  non-token data: last expire atime delta
> 0.000  0 101794  0  non-token data: last expire reduction count
>
>
> 2.
> sa-learn running as "amavis".
>
> [EMAIL PROTECTED] spam-email]$ id
> uid=503(amavis) gid=504(amavis) groups=504(amavis)
>
> 3.
> I think we are filtering with Spamd - how can I tell - in a config file or
> dir? (/etc/mail./spamassasin or /var/amavis/.spamassassin)
> I have both binaries...




> [EMAIL PROTECTED] spam-email]$ which spamd
> /usr/bin/spamd
> [EMAIL PROTECTED] spam-email]$ which spamc
> /usr/bin/spamc
>
>
> 4.
> [EMAIL PROTECTED] root]# ps axu | grep spamd
>
> root 18580  0.0  0.1  1736  588 pts/2  S  14:00   0:00 grep spamd



Amavis loads the pertinent SA routines and code by itself; it doesn't call
SA OR Spamd at any moment.

From what I've read, your SA-Amavis duo has been running from some time ago.
Anyway, I recommend you read the HOWTO by Gary V. It has some interesting
notes about the users under which Amavis runs, and other valuable material. It's
located here:

http://www200.pair.com/mecham/spam/


You could try running Amavis in debug mode (i.e., stop amavis and from the
command line type):

# amavisd debug-sa

That will show you how Amavis treats the message. I do also suggest raising
the detail level in Amavis' logs.

Anyway, my answer is getting totally OT here. You might have more luck
asking in the Amavis list.

Hope this helps,


Luis

> Scott Pichelman
> Systems Administrator
>
> Weir Minerals North America
> 2701 S Stoughton Rd
> Madison WI 53716  USA
>
> T: +(00)1 608 226 5615
> F: +(00)1 608 221 5807
> M: +(00)1 608 279 5056
> E: [EMAIL PROTECTED]
> W: www.weirminerals.com
>
>
>  *John Hardin <[EMAIL PROTECTED]>*
>
> 02/20/2008 01:43 PM
>   To
> pichels <[EMAIL PROTECTED]>  cc
> users@spamassassin.apache.org  Subject
> Re: sa-learn "not" learning?
>
>
>
>
>
>
> On Wed, 20 Feb 2008, pichels wrote:
>
> > But, I've tried learning any email after I received the Perl error
> > message and none are being learned?
> > And why is the spam being scored with spamassassin?
> > I don't understand? Could my Bayes DB need to be re-synced or forced to
> > expire some dups or ?
>
> Note that bayes needs at least 200 spams and 200 hams before it starts
> scoring. Have you learned that many yet?
>
> If you have kept your training corpus, you could delete the bayes database
> files entirely and start training over from scratch.
>
> > My users are getting the "nice girl emails and they are not scoring as I've
> > shown in my post - why?
> > They score with spamassassin debug but are not being stopped by SA in my
> > maillogs?
>
> That smells like a user ID problem. If the user ID that spamassassin/spamd
> is running under is different than the user ID you are running sa-learn
> under, the bayes databases are different - you're training a database that
> SA isn't looking at. Verify that you are training using the same user as
> the user spamassassin/spamd is running as to filter mail.
>
> > Can I provide more details?
>
> What does "sa-learn --dump magic" report?
>
> How are you filtering messages? spamc+spamd?
>
> What user is spamd running as? What user are you running sa-learn as?
>
> What (if anything) does "ps axu | grep spamd" report?
>
> --
>  John Hardin KA7OHZ
> http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  [Small arms] are fundamentally dangerous and their removal from the
>  equation either by control, neutralisation or removal is essential.
>  The first step is to gain information on their numbers and
>  whereabouts. -- the UN, who "doesn't want to confiscate guns"
> -
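
The check discussed in this thread and in the "autolearn vs sa-learn / Bayes" thread above (at least 200 spam and 200 ham learned, and the training user and the scanning user looking at the same database) can be run over two `sa-learn --dump magic` outputs. This is an added example, not code from any poster or from SpamAssassin; the function names are hypothetical, the first dump is the one quoted in the autolearn thread, and the second is constructed.

```python
import re

# One "non-token data" line of `sa-learn --dump magic`. The value sits in the
# third numeric column. Leading/trailing non-word characters are tolerated so
# that mail quoting ("> ") and emphasis asterisks do not break parsing.
MAGIC_LINE = re.compile(
    r"^\W*\d+\.\d+\s+\d+\s+(\d+)\s+\d+\s+non-token data:\s*(.+?)\W*$"
)

# Dump quoted in the "autolearn vs sa-learn / Bayes" thread (run by the admin).
TRAINER_DUMP = """\
0.000  0  3  0  non-token data: bayes db version
*0.000  0 50  0  non-token data: nspam
0.000  0 45  0  non-token data: nham*
"""

# Constructed dump, standing in for the same command run as the user that
# actually scans mail (for example the amavis user).
SCANNER_DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0        812          0  non-token data: nspam
0.000          0        640          0  non-token data: nham
0.000          0     120345          0  non-token data: ntokens
"""


def parse_dump_magic(text):
    """Return {counter name: integer value} for every non-token line."""
    magic = {}
    for line in text.splitlines():
        match = MAGIC_LINE.match(line)
        if match:
            magic[match.group(2)] = int(match.group(1))
    return magic


def scanning_blockers(magic, min_spam=200, min_ham=200):
    """List the reasons Bayes would not be used for scoring with this DB.

    The 200/200 minimum is the one stated in the thread.
    """
    blockers = []
    if magic.get("nspam", 0) < min_spam:
        blockers.append(f"only {magic.get('nspam', 0)} spam(s) in bayes DB < {min_spam}")
    if magic.get("nham", 0) < min_ham:
        blockers.append(f"only {magic.get('nham', 0)} ham(s) in bayes DB < {min_ham}")
    return blockers


def differing_counters(trainer, scanner,
                       keys=("nspam", "nham", "ntokens", "oldest atime")):
    """Counters that differ between two dumps taken moments apart.

    Large differences mean sa-learn and the scanner use different databases,
    which is the user-ID problem described in the thread.
    """
    return {k: (trainer.get(k), scanner.get(k))
            for k in keys if trainer.get(k) != scanner.get(k)}


if __name__ == "__main__":
    trainer = parse_dump_magic(TRAINER_DUMP)
    scanner = parse_dump_magic(SCANNER_DUMP)
    print("trainer DB blockers:", scanning_blockers(trainer))
    print("scanner DB blockers:", scanning_blockers(scanner))
    print("counters that differ:", differing_counters(trainer, scanner))
```

To use it on a live system, capture the dump once as the user that runs sa-learn and once as the user the filter runs as, and feed both outputs to `parse_dump_magic`.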

Re: Bayes: What am I missing

2008-02-18 Thread Luis Hernán Otegui
2008/2/17, comparity <[EMAIL PROTECTED]>:
>
>  I have found that in the last few months a lot of mail has been coming
> through. I believe that the bayes filter isn't working. None of the caught
> messages include a bayes score.
>
>  I have dutifully put all of my uncaught spam into a folder for the purposes
> of learning, and run sa-learn from time to time. Below is some information
> which may be relevant:
>
>  I am running spamassassin through procmail
>  SpamAssassin version 3.2.4
>  spamassassin -D bayes< ... indicates a bayes score
>  local.cf:
>  use_bayes   1
>  bayes_auto_learn  1
>  # From http://wiki.apache.org/spamassassin/SiteWideBayesSetup
>  bayes_path /etc/mail/spamassassin/bayes
>  bayes_file_mode 0770
>  sa-learn --dump magic
>  0.000  0  3  0  non-token data: bayes db version
>  0.000  0  14225  0  non-token data: nspam
>  0.000  0   9037  0  non-token data: nham
>  0.000  0 168352  0  non-token data: ntokens
>  0.000  0 1161931609  0  non-token data: oldest atime
>  0.000  0 1203213840  0  non-token data: newest atime
>  0.000  0 1203212640  0  non-token data: last journal sync atime
>  0.000  0 1203212721  0  non-token data: last expiry atime
>  0.000  0   11059200  0  non-token data: last expire atime delta
>  0.000  0  77173  0  non-token data: last expire reduction count
>
>  I have recently (a few months ago ...) cleared out the contents of the
> uncaught spam folders, reasoning that sa should have learned what it needs
> already. However, these folders now have hundreds of new spam to learn from.
>
>  Any ideas?
>
>  Mark
>
Well, what makes you think that Bayes is missing anything? SA needs to
be updated to work properly. Do you use sa-update?

How about sharing an uncaught message with the list? Then we could
have a better idea of what is failing.



> --
>
>
> Mark Simon
>
> Comparity Net
>  Computer Training & Support
>
> Phone/Fax: 1300 726 000
>  mobile: 0411 246 672
>
> email: [EMAIL PROTECTED]
>  web: http://www.comparity.net
>
> Resume: http://mark.manngo.net
>  Calendar: http://www.comparity.net/calendar.php

Regards,


Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Apache SpamAssassin 3.2.4

2008-01-12 Thread Luis Hernán Otegui
Hi

2008/1/11, Bret Miller <[EMAIL PROTECTED]>:
> > New upgrade is running GREAT here :)
>
> Running fine here on Windows Server 2003 with CommuniGate Pro. :)
>
>
Well, scan times went DOWN a LOT!!! According to Amavis-Logwatch:

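======================================================================================================
 Timing Percentiles       % Time   Total (s)      0%      5%     25%     50%     75%     95%    100%
------------------------------------------------------------------------------------------------------
 SA check                 92.66%   10750.540   0.040   0.068   3.009   4.130   5.934   9.610  32.828
 SMTP DATA                 1.74%     202.074   0.003   0.037   0.038   0.077   0.078   0.082   1.171
 fwd-end-chkpnt            1.41%     163.290   0.006   0.009   0.012   0.020   0.052   0.168   6.594
 ...
======================================================================================================
 Scan Time: Actual       100.00%   11601.872   0.142   0.207   0.387   3.776   5.606   9.219  33.014
 Scan Time: Hypothetical 100.00%   11602.398   0.390   0.470   3.446   4.689   6.644  10.728  52.716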

Timing for 75% used to be around 11-15 seconds. So it was a major
improvement what the Devel Team has done.

Thanks a lot!


Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: New credit card scams .. how to catch these

2008-01-04 Thread Luis Hernán Otegui
Hi, Ram,

2008/1/4, ram <[EMAIL PROTECTED]>:
> https://ecm.netcore.co.in/tmp/dinner.eml.txt
>
>
>
> The scam works like this:
>
> They send you a mail asking whether you accept credit cards at your
> hotel
>
> They get you to confirm you will accept credit card for payment. Once
> you agree they ask you to bill them extra fictional charges for taxis,
> etc on the card, and then wire transfer back (a portion) of the
> fictional overcharges. The victim thinks he will make some extra free
> money on top of the dinner charges.
>
> The people never show for dinner, and you are out the wire transfer
> amount.
>
>
>
> And my SA scores nothing on this spam ?

Well, after doing a little "spamassassin -r < dinner.eml.txt", I get this:

Content analysis details:   (11.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 2.0 FREEMAIL_REPLYTO       From and Reply-To point in different freemail
                            addresses
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check

>
>
>
>
> Thanks
> Ram
>
>
>
Pretty decent, eh? My discard threshold is at 8.0, so I guess it's
only a matter of time before these get caught, if you have network
tests enabled...


Luis


-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Will DKIM reduce the spam score

2007-12-21 Thread Luis Hernán Otegui
Merlin:
I have a couple of -very- old Postfix 2.1.5 mail servers up and
running with DKIM signing support. How did I achieve that? By means of
Amavisd-new and DKIM-Proxy. Basically, I route every mail originated
at my server (e.g., via webmail, OR TLS-authenticated users) to a
different Amavis stanza, and then I make DKIM-Proxy sign outgoing
messages. You can find more info at Amavis site and DKIM Proxy
(http://home.messiah.edu/~jlong/dkimproxy/) sites.

If you want more info, I have written a HOWTO, but it is in Spanish,
though the main concepts can be easily grabbed.


Luis

2007/12/21, Merlin <[EMAIL PROTECTED]>:
> Hi there,
>
> I am looking into DKIM in order to make it more easy for e-mail
> providers
> to verify my server address and therefore get a trustworthy spam score
> like "ALL_TRUSTED",
> or "BAYES_00".
>
> Do you believe that adding DKIM support for postfix will help? I looked
> into the postfix help on
> how to achieve that:
> http://www.postfix.org/MILTER_README.html
>
> Unfortunately that would mean that I would have to upgrade from 2.2.1
> which I would rather like
> to not touch.
>
> I am not even sure if it would help. My situation is, that I am running
> a community page that
> sends for example opt-in registration emails to verify e-mail addresses
> on sign-ups. Some e-mail providers
> seem to mark that as untrusted, or even spam with a score of 0-3.5. I
> would like to make sure all
> e-mail got delivered and do search therefore for ways to add signatures
> or similar to set myself apart from
> spammers.
>
> Thank you for any hint on how to proceed from here.
>
> Best regards,
>
> Merlin
> --
>   Merlin
>   [EMAIL PROTECTED]
>
> --
> http://www.fastmail.fm - Email service worth paying for. Try it for free
>
>


-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: coming to your inbox: mp3 stock spams

2007-10-19 Thread Luis Hernán Otegui
Hi, Rob,

2007/10/19, Rob Sterenborg <[EMAIL PROTECTED]>:
> Luis Hernán Otegui wrote:
> > Anyway, the Faculty I work for tries to keep the e-mail system only
> > for research purposes, and mostly students and (sadly) technicians
> > tend to goof around with mail. Bandwidth isn't cheap here, so they
> > decided to straightly cut those extensions. Remember, the customer is
> > always right...
>
> If you'd just block out the extensions and I were a student in your faculty 
> and wanted to send an MP3 or something, then I'd just goof a bit more and 
> rename a .mp3 to a .txt, just because I can get around that. That's what I 
> think (most) students do if they're clever enough.
> Of course blocking extensions is cheap in CPU/mem resources but IMHO it's not 
> the way to go. Inspecting the attachments checking for filetypes to block is 
> more intensive but also much much harder to omit. Of course, you can still 
> block these extensions... :-)
>
>
> Rob
>
>
Well, this is getting a little bit off topic, but I guess it's worth
it, since I'm learning from others' practices... Anyway, I feel like
I've "misexpressed" myself. When I wrote "we block these extensions",
what I meant was that we do perform content scanning and deny those
file types. If we wouldn't do it, as you said, sending mp3s would be
as easy as to enclose them inside a .rar, .zip, .cab, .ace, or
whatever compressed file you'd like.


Luis

-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-
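
The difference between blocking by extension and blocking by content, as discussed in this exchange, shown on a constructed message: one attachment is MP3 data renamed to .txt, another is an AVI inside a ZIP. This is an added example, not code from the posters or from Amavis; the function names, the byte signatures chosen and the sample message are assumptions of the example.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

BANNED = {"mp3", "avi", "mpg"}   # the types the thread says are blocked
MAX_ZIP_MEMBERS = 200            # assumed cap on archive members inspected


def sniff(head):
    """Name the media type from the leading bytes, or None if unrecognised."""
    if head[:3] == b"ID3":
        return "mp3"                       # ID3v2 tag in front of MP3 audio
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE6) == 0xE2:
        return "mp3"                       # MPEG audio frame sync, Layer III
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return "avi"
    if head[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return "mpg"                       # MPEG program stream / video header
    return None


def banned_content(name, data):
    """Return [(path, type)] for banned media, looking one level into ZIPs."""
    kind = sniff(data[:16])
    if kind in BANNED:
        return [(name, kind)]
    if data[:4] != b"PK\x03\x04":
        return []
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist()[:MAX_ZIP_MEMBERS]:
                try:
                    # Only the first bytes are decompressed, so a huge member
                    # costs nothing to inspect.
                    with zf.open(info) as member:
                        kind = sniff(member.read(16))
                except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                    continue   # encrypted or unreadable: a policy decision
                if kind in BANNED:
                    hits.append((f"{name}/{info.filename}", kind))
    except zipfile.BadZipFile:
        pass
    return hits


def scan_message(raw):
    """Check every leaf MIME part by content, ignoring the claimed filename."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        hits.extend(banned_content(part.get_filename() or "(unnamed)", data))
    return hits


def build_sample():
    """Constructed message: MP3 renamed to .txt, AVI hidden in a ZIP, one clean file."""
    mp3 = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10
    avi = b"RIFF\x24\x00\x00\x00AVI LIST"
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("holiday.dat", avi)
    msg = EmailMessage()
    msg["From"] = "student@example.org"
    msg["To"] = "friend@example.org"
    msg["Subject"] = "lecture notes"
    msg.set_content("see attached")
    for name, data in (("notes.txt", mp3),
                       ("photos.zip", archive.getvalue()),
                       ("readme.txt", b"plain text\n")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for path, kind in scan_message(build_sample()):
        print(f"blocked: {path} is {kind} by content")
```

An extension filter would pass all three attachments of the sample; the content check flags the first two and leaves readme.txt alone.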


Re: coming to your inbox: mp3 stock spams

2007-10-18 Thread Luis Hernán Otegui
Hi, Per

2007/10/18, Per Jessen <[EMAIL PROTECTED]>:
> Luis Hernán Otegui wrote:
>
> > We block .avi, .mp3, .mpg, etc. here, because we think it's a waste of
> > bandwidth to share those extensions via email,
>
> Voicemail (from a mobile for instance) is quite often sent in .wav
> or .mp3 format, so we don't just plainly block those.
>
>
> /Per Jessen, Zürich
>
>

Well, maybe in your country, but here in Argentina, voicemail is
merely an utopic wish ;-).

Anyway, the Faculty I work for tries to keep the e-mail system only
for research purposes, and mostly students and (sadly) technicians
tend to goof around with mail. Bandwidth isn't cheap here, so they
decided to straightly cut those extensions. Remember, the customer is
always right...


Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: upgrade question

2007-10-18 Thread Luis Hernán Otegui
Hi, Chuck

2007/10/18, Chuck Campbell <[EMAIL PROTECTED]>:
> I'm sure this is a FAQ, but I didn't find it on the web page FAQ section.
>
> Is there a "how to" for upgrading from 2.63 to present release (3.2.3)?
> If not, please, some pointers on what to read to make this as painless as
> possible.
>
> As usual, things have been working (reasonably), so I haven't considered
> changing anything, but I'm starting to get a lot more spam in my inbox.
>
> I'm hoping a newer version will help with that.
>
> I've got autolearn turned off, and I train Bayes daily with my sorted
> ham and spam lists (all automated).  I'm loathe to break this, but I'm
> likely to with an upgrade.
>
> The best is that I have plenty of sorted ham and spam to train with for
> a new setup...
>
> TIA,
> -chuck
>
Well, it all depends on how you have installed SA, and your OS. For
instance, many people running Debian or Redhat based systems do it via
dpkg-apt (Debian), or rpm-yum (Redhat). Or, on FreeBSD, via the
packages system (I'm not very familiar with *BSD, so better to ask
someone who knows).
I like to build and install via the classical "perl Makefile.PL, make,
make test, make install" sequence, but as I said, it all depends on
how you installed SA the first time...


Hope this helps,


Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: coming to your inbox: mp3 stock spams

2007-10-18 Thread Luis Hernán Otegui
Well,

2007/10/18, ram <[EMAIL PROTECTED]>:
> On Thu, 2007-10-18 at 09:51 +0200, Yet Another Ninja wrote:
> > coming to your inbox: mp3 stock spams
>
> At least 70% of email users don't have their speakers on, the spammer has
> got his basics wrong
>
>
We block .avi, .mp3, .mpg, etc. here, because we think it's a waste of
bandwidth to share those extensions via email, so that explains why
amavis-logwatch showed a big hop on the blocked extensions section...

But, as ram says, it seems too stupid to me. Maybe it's a
proof-of-concept. Spammers are trying to make the SA dev team focus on
these small things, instead of keeping the good work they're doing...


Just my two pesos (USD 0.62)


Luis

-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Sa-compile error

2007-10-16 Thread Luis Hernán Otegui
Hi, everybody, sa-compile was running all right in my systems, and the
Saturday it began to spit out this output (from sa-compile -D):

cd /tmp/.spamassassin28680clJUyOtmp
cd Mail-SpamAssassin-CompiledRegexps-body_0
Wide character in print at /usr/local/bin/sa-compile line 379, <$fh> line 4428.
re2c -i -b -o scanner1.c scanner1.re
re2c -i -b -o scanner2.c scanner2.re
re2c -i -b -o scanner3.c scanner3.re
re2c -i -b -o scanner4.c scanner4.re
re2c -i -b -o scanner5.c scanner5.re
re2c -i -b -o scanner6.c scanner6.re
re2c: error: line 103, column 8: can't find symbol
command failed! at /usr/local/bin/sa-compile line 282, <$fh> line 4586.

the relevant line of scanner6.re is this:

"e\""/[EMAIL PROTECTED], [EMAIL PROTECTED] = and many many more ) - free 
shipping "
{RET("__SEEK_F3UZNS");}

The saturday I've enabled Justin Mason's rules via sa-update, I don't
know if this has something to do with it...

Any other info you need to debug this, please ask.

Thanks in advance,


Luis

-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: OT: How to report a known spammer company?

2007-09-25 Thread Luis Hernán Otegui
2007/9/25, John D. Hardin <[EMAIL PROTECTED]>:
> On Tue, 25 Sep 2007, Luis Hernán Otegui wrote:
>
> > I want to know how to report them to a RBL server (currently I report
> > them via SpamCop, Razor and DCC, besides I'm blacklisting them at
> > local.cf), but I think it would be good for the rest of us here in
> > Argentina to blacklist these guys.
>
> Do they have URLs in the message bodies?
>
>   http://www.rulesemporium.com/cgi-bin/uribl.cgi
>

No, they mostly have telephone contact numbers.

I'll look better to find and report the unsubscribe mailto: addresses
they sport.


Thanks


Luis


> --
>  John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   Pelley: Will you pledge not to test a nuclear weapon?
>   Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
>-- Mahmoud Ahmadeinejad clumsily dodges a question
> (60 minutes interview, 9/20/2007)
> ---
>  243 days until the Mars Phoenix lander arrives at Mars
>
>


-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


OT: How to report a known spammer company?

2007-09-25 Thread Luis Hernán Otegui
Hi, list. In the past few months, I've seen an increasing rate of
mails coming from many servers hosted here in Argentina, with valid
domains, and Linux architecture (at least, that's what p0f is
reporting), thus they get -1'ed at scoring.
Digging around I've found many of these companies offering "email
marketing" come from the same IP block, or are registered domains of
the same "email marketing" advertised company. The range of products
vary from CD-packed-DIY courses, to several TV-infomercial advertised
products.
They don't even offer an opt-out method, their excuse is that "this is
a one-time contact".
I want to know how to report them to a RBL server (currently I report
them via SpamCop, Razor and DCC, besides I'm blacklisting them at
local.cf), but I think it would be good for the rest of us here in
Argentina to blacklist these guys.

Thanks in advance,


Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: sender name same as recipient name

2007-09-24 Thread Luis Hernán Otegui
Hi, feral

2007/9/24, feral <[EMAIL PROTECTED]>:
>
>
> Sorry if this is a well-known issue... first I have encountered it.
>
> I am using SA 3.1.9 installed on a CentOS Linux system.
>
> One of my clients just noticed a huge spike in spam getting
> through, even though SA is turned on for his email account at
> sensitivity level 4.
>
> For the sake of anonymity, let's say my client's domain is blah.com.
>
> His address is [EMAIL PROTECTED]  99% of the spam emails
> he received during this spike were from [EMAIL PROTECTED]
> (where "something" represents various domains.)
>
> Question: is SA not filtering out these obvious spams because
> the name "mark" is the same as the name on my client's
> account?
>
> thanks,
> Feral
> --
> View this message in context: 
> http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12868410
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>
Do you have a sample of these spams? Have you whitelisted something
like "marc@"?
Show us a sample of the spammy messages, with all and headers, and
more could be told.

Luis

-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Converting to MySQL

2007-09-24 Thread Luis Hernán Otegui
Raquel,

2007/9/24, Raquel <[EMAIL PROTECTED]>:
> On a new server I'm running Debian Etch, Sendmail and SpamAssassin,
> hosting email for a few accounts.  I'm contemplating converting my
> SpamAssassin to using MySQL.  Is there a "HOWTO" somewhere which
> would be good to follow?
>
> --
> Raquel
> 
> Racism is a learned affliction and anything that is learned can be
> unlearned.
>   --Jane Elliott
>
>

You could try MrC's Howto:
http://www200.pair.com/mecham/spam/debian-spamassassin-sql.html

Peace,

Luis

-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: New distribution rule not working ?

2007-09-21 Thread Luis Hernán Otegui
2007/9/21, Richard Smits <[EMAIL PROTECTED]>:
> Hi,
>
> In a spammail I found this rule :
> RCVD_IN_DNSWL_MED=-4
The DNSWL check went stock over sa-update some time ago. However, it
might happen that some spam could get passed through a server with a
good reputation (or a medium one, like the header says). IMHO, you
should report this message to the admin of that server, to alert him
about the event.
More info on this subject:

http://www.dnswl.org

Regards,

Luis
>
> But it is a spammail. I have never seen this rule before. Looks like a
> DNS Whitelist ?
>
> Greetings... Richard Smits
>


-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: How to analyze scan time

2007-09-13 Thread Luis Hernán Otegui
2007/9/13, Skip <[EMAIL PROTECTED]>:
> This is probably going to be a stupid question, but how do I go about
> implementing patches like this?  Should this file be copied in place of the
> file located here?:
>
> /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/
>
> - Skip
>
>
ASQ (another stupid question): is there any chance for Mark's patch to
become a stable part of SA in 3.2.4?

Thanks,


Luis

-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: FW: List of 700,000 IP addresses of virus infected computers

2007-09-12 Thread Luis Hernán Otegui
2007/9/12, Marc Perkel <[EMAIL PROTECTED]>:
> I just added you to my blackhole list.
>
>
So, You've just added Gmail to it. A Wise one, eh?

-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: FW: List of 700,000 IP addresses of virus infected computers

2007-09-12 Thread Luis Hernán Otegui
2007/9/12, Jon Trulson <[EMAIL PROTECTED]>:
> On Wed, 12 Sep 2007, Jason Bertoch wrote:
>
> > On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote:
> >
>  The details are a little to complex for this forum ...
> >>
> >> OK - had quite a few trolls here who seem to be hostile to my
> >> breakthroughs so I wasn't that motivated to post information.
> >>
> >
> > Is there any chance we can get a moderator on this, please?  This is 
> > clearly not
> > a SA topic and I'm weary of insults, flames, and advertisements from Marc.
> >
>
>   FWIW, +1
>
> --
> Jon Trulson
> mailto:[EMAIL PROTECTED]
> #include 
> "No Kill I" -Horta
>
>
OK, count me in...

-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: OT blacklist check

2007-08-28 Thread Luis Hernán Otegui
Hi, Jean Paul, check this site:
http://www.robtex.com/rbl.html
It does multi RBL checks, saved my butt a few times ;)

Peace,


Luis

2007/8/28, Jean-Paul Natola <[EMAIL PROTECTED]>:
> Hi all,
>
> I saw that my server wound up on http://spamcop.net/bl.shtml so I had my
> server removed- however , I think I may on other blacklist(s)  as I
> roadrunner *.rr.com is not accepting emails from our server-
>
> Is there a  way I can check my IP to see if I've been blacklisted anywhere
> else?
>
>
>
>
>
>
>
>
>
> Jean-Paul
>
>


-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: SPF-Compliant Spam

2007-08-27 Thread Luis Hernán Otegui
2007/8/27, Marc Perkel <[EMAIL PROTECTED]>:
>
> http://homepages.tesco.net/J.deBoynePollard/FGA/smtp-spf-is-harmful.html
>
>
> SPF is harmful. Adopt it. You've come to this page because you've said
> something similar to the following:
>
>
>  SPF ("sender permitted from" a.k.a. "sender policy framework") is a scheme
> designed to prevent forgery of SMTP-based Internet mail and thus prevent
> unsolicited bulk mail ("spam"). AOL has already adopted it.
>
>  This is the Frequently Given Answer to such statements.
>
> (You can find different approaches to this answer on John Levine's web page,
> in an article by Steven M. Bellovin, and on Brad Knowles' web page. By the
> way, whilst he agrees with what is said here about DNS security, take Brad
> Knowles' DNS server comparison, that he then refers to, with a large sackful
> of salt.)
>
> SPF is harmful. The architectural ramifications of it are so extensive and
> will have such significant changes on the ways that people can access and
> can use Internet mail, that it would actually be less costly to switch to an
> entirely new architecture such as IM2000 Internet mail than it would be to
> switch to SPF and deal with all of its consequences properly.
>
> Many of those architectural ramifications have either been incompletely
> addressed or not addressed at all as yet. Moreover, SPF usurps the meaning
> of an existing and widely used DNS resource record type for its own
> purposes, and has not yet been assigned its own actual resource record type.
> Anyone adopting SPF right now (which means actually adopting it, rather than
> merely paying it lip service) is adopting a scheme that can at best be
> described as woefully incomplete.
>
> Most people who have analysed SPF in detail have come to the conclusion that
> it is a deeply flawed scheme that should be avoided outright.
>
> On the gripping hand, maybe the fact that SPF is so damaging to the
> SMTP-based Internet mail architecture is a good thing. In the battle against
> unsolicited bulk mail, we have concentrated upon the wrong problem time
> after time, with mechanisms that address the wrong thing and that don't
> address the actual "unsolicited" and "bulk" qualities of undesirable mail.
> SMTP has become less usable, more patchy, and more balkanised with each new
> bodge. Perhaps the adoption of SPF will turn out to be the straw that
> finally breaks the camel's back, and that thus finally forcibly weans us off
> this bad habit of addressing the wrong problem.
>
> So perhaps SPF is a deeply flawed scheme that should be adopted.
>
> Ironically: SPF is also a good counter to one objection to IM2000 Internet
> mail, namely that it involves changing the structure of the mail system. If
> people sending mail and mail hosting companies are clearly willing to accept
> the massive structural changes that SPF will entail, they will be willing to
> accept the smaller structural changes that IM2000 Internet mail will entail.
>  Paying SPF lip service
>
>  10,000 domains cannot be wrong! claim the SPF marketing people. (That is
> actually quite a small number, of course. To gain perspective, note that in
> 2002-12-17 there were 22,009,173 domains under com. alone.) But publishing
> SPF data (aside from further entrenching the unauthorised hijacking by SPF
> of an existing DNS resource record type) is merely the paying of lip service
> to SPF.
>
> And, ironically, research has shown that most of the domains that are
> publishing such SPF data are owned by UBM senders, proving, as if any more
> proof were needed, that we are still dancing the same old foolish dance of
> concentrating upon the wrong problem, changing something that is not
> directly related to "unsolicited" and "bulk" and seeing the unsolicited bulk
> mail change to match.
>
> To properly adopt SPF, rather than just to pay it lip service, it is also
> necessary to configure one's SMTP Relay server to look up and to process the
> SPF data for all mail received.
>
> The adoption rate of those who are actually adopting SPF properly, and not
> just paying it lip service, is rather more difficult to measure. The UBM
> senders publishing SPF data probably haven't adopted SPF fully, of course.
> Interestingly, though, many proponents of SPF have fallen silent when asked
> whether, in addition to paying lip service to SPF, they have also configured
> their SMTP Relay servers to check SPF data, leading to the conclusion that
> it is quite probable that many of the SPF proponents in those 10,000 domains
> are paying mere lip service to SPF too.
>  Some of the flaws in SPF
>
>  The flaws in SPF are numerous and severalfold.
>
>  SPF breaks pre-delivery forwarding.
>  SPF hijacks existing DNS mechanisms.
>  SPF gives ISPs a "lock-in" weapon against their customers.
>  SPF is useless for several entire classes of people.
>  SPF relies upon DNS for security, but DNS isn't a security service.
>  SPF is vulnerable to race conditions during database changes.
>  SPF cre

Re: SPF-Compliant Spam

2007-08-27 Thread Luis Hernán Otegui
2007/8/27, Marc Perkel <[EMAIL PROTECTED]>:
> Luis Hernán Otegui wrote:
>> 2007/8/27, Marc Perkel <[EMAIL PROTECTED]>:
>>> Meng Weng Wong wrote:
>>>> On Aug 27, 2007, at 11:39 AM, Kelson wrote:
>>>>> Jason Bertoch wrote:
>>>>>> Is it wise to blacklist both, or is this yet another case where SPF
>>>>>> has failed
>>>>>> to meet projections?
>>>>>
>>>>> It's a case where the spammer has just handed you useful information:
>>>>> You know for sure that the domain name is, indeed, the spammer's
>>>>> domain name, and not an innocent third-party's. Blacklist it without
>>>>> hesitation!
>>>>
>>>> Yes, that usage was exactly the design intent of SPF.
>>>>
>>>> Once you move from IP to domain reputation, you can do many
>>>> interesting things.
>>>>
>>>> For example, you can go from the known-bad domain to its nameservers.
>>>>
>>>> You can then go from those nameservers to detect other bad domains.
>>>>
>>>> The URIBL plugin associates URL -> domain -> IP -> reputation lookup.
>>>>
>>>> I am writing a similar plugin that associates domain -> NS ->
>>>> reputation lookup.
>>>
>>> Meng - you are doing the email community a huge disservice with SPF. I
>>> wish you'd just end this lie because SPF is less than useless. It breaks
>>> existing forwarding standards and it causes false positives. SPF DOESN'T
>>> WORK!
>>
>> If my two cents are worth anything here, Marc, you're the one doing
>> major damage to the email community by trying to reduce everything to
>> DNS lookups.
>>
>> Without going into technical arguments about your practices, you're
>> treating us who don't do as you do as mere stupids. And that, IMHO, is
>> a terrible simplification. If you find you're in the right path FOR
>> YOUR SITUATION, that's ok with me. But you CANNOT become a fanatic and
>> begin yelling to the rest of us that we're going to hell because we
>> don't agree with you. Quoting Einstein, "Only a fool confuses reality
>> with the model. Such a simplification leads to a narrow mind"...
>>
>> Now, on the technical hand, SPF is an anti-forgery tool, as was said
>> earlier in this discussion. I publish my records for anyone to know if
>> a message which claims to come from my servers (or at least, my
>> domain) is legit or not. If you run majordomo or mailman based lists,
>> the forwarding issue goes down... Or you could just rewrite your SPF
>> records to include the domains that get forwarded usually, as I do
>> between the two major domains I manage...
>>
>> Peace,
>>
>> Luis
>
> Juis - you have 2 domains. I have 1600 domains. I have no control over
> other domains that people forward to domains that I filter for. So if I used
> SPF then I would be bouncing a LOT of good email from domains that I don't
> control.
No, I said I have TWO PRIMARY DOMAINS. I host/have 25 different
domains, some more active than others. I know 25 is WAAAY
less than 1600, but still I try to do things the right way. The number
should not be an excuse.
Whenever I catch someone who doesn't do things the right way (and NOT
my right way, but the one suggested by RFCs), I first point them in
the right direction, then offer advice to them, and last (but not
least) refer the complaints from my (or their) users to them.
Oh, and by the way, my name is Luis.

Peace,


Luis

-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: SPF-Compliant Spam

2007-08-27 Thread Luis Hernán Otegui
2007/8/27, Marc Perkel <[EMAIL PROTECTED]>:
>
>
> Meng Weng Wong wrote:
> > On Aug 27, 2007, at 11:39 AM, Kelson wrote:
> >
> >> Jason Bertoch wrote:
> >>> Is it wise to blacklist both, or is this yet another case where SPF
> >>> has failed
> >>> to meet projections?
> >>
> >> It's a case where the spammer has just handed you useful information:
> >> You know for sure that the domain name is, indeed, the spammer's
> >> domain name, and not an innocent third-party's.  Blacklist it without
> >> hesitation!
> >>
> >
> > Yes, that usage was exactly the design intent of SPF.
> >
> > Once you move from IP to domain reputation, you can do many
> > interesting things.
> >
> > For example, you can go from the known-bad domain to its nameservers.
> >
> > You can then go from those nameservers to detect other bad domains.
> >
> > The URIBL plugin associates URL -> domain -> IP -> reputation lookup.
> >
> > I am writing a similar plugin that associates domain -> NS ->
> > reputation lookup.
> >
> >
>
> Meng - you are doing the email community a huge disservice with SPF. I
> wish you'd just end this lie because SPF is less than useless. It breaks
> existing forwarding standards and it causes false positives. SPF DOESN'T
> WORK!
If my two cents are worth anything here, Marc, you're the one doing
major damage to the email community by trying to reduce everything to
DNS lookups.

Without going into technical arguments about your practices, you're
treating us who don't do as you do as mere stupids. And that, IMHO, is
a terrible simplification. If you find you're in the right path FOR
YOUR SITUATION, that's ok with me. But you CANNOT become a fanatic and
begin yelling to the rest of us that we're going to hell because we
don't agree with you. Quoting Einstein, "Only a fool confuses reality
with the model. Such a simplification leads to a narrow mind"...

Now, on the technical hand, SPF is an anti-forgery tool, as was said
earlier in this discussion. I publish my records for anyone to know if
a message which claims to come from my servers (or at least, my
domain) is legit or not. If you run majordomo or mailman based lists,
the forwarding issue goes down... Or you could just rewrite your SPF
records to include the domains that get forwarded usually, as I do
between the two major domains I manage...

Peace,

Luis


-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: how to upgrade 3.1.7 to 3.2.x

2007-08-10 Thread Luis Hernán Otegui
It could be good if you provide us with some details about your
installation (OS, method of installation at least).
If you want to go the old compile way, backup your /etc/spamassassin
(or /etc/mail/spamassassin/), and then:

#wget last-version-of-spamassassin.tar.gz

#tar xzvf last-version-of-spamassassin.tar.gz

#cd last-version-of-spamassassin

#perl Makefile.PL

#make

#make test

#sudo make install

But it varies depending on your OS, Perl version, and update method
(RPMs, Debian packages, FreeBSD port system, etc)


Bring us more info, and you'll get more help.


Luix
2007/8/10, Sg <[EMAIL PROTECTED]>:
>
> Hi
>
>   How to upgrade 3.1.7 to 3.2.x. Please help me.
> --
> Sg


-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: not everyone is happy with SA

2007-07-19 Thread Luis Hernán Otegui

Funny how the closed-source companies need to base their marketing
policies on FUD, or even worse, user-defined indexes. If I'm allowed
to non-literally quote Homer Simpson here:

"Ah, Kent, everything can be proven these days with statistics. 60% of
the people know it..."

I used to work as netadmin in a group who did cardiac arrhythmia
research. And everyone had their theories, which they backed up with
indexes kinda "created on the fly" for that sole purpose. I used to
compare this to Madame Blavatsky's theories on how the distance from
Earth to the Sun was related to a side of the Great Pyramid of
Giza...

Plain statistics tell you the real story, IMHO. Five years of SA
usage have convinced me it's a great product.
Backscatter virus and spam warnings do nothing but trash traffic. C/R
does the same.


Luis
2007/7/19, Steve Freegard <[EMAIL PROTECTED]>:

Per Jessen wrote:
> 
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=

Justin's response is far better reading:

http://taint.org/2007/07/19/122638a.html


Kind regards,
Steve.




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Need a rule written - Can whitelisting be this easy?

2007-07-12 Thread Luis Hernán Otegui

2007/7/12, Meng Weng Wong <[EMAIL PROTECTED]>:

On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:

> Need a rule written to take advantage of this trick and this could
> be a major breakthrough in white listing.
>
> Here's what it needs to do:
>
> 1) Take the IP of the connecting host and do an RDNS lookup to get
> the name.
> 2) Verify that the name that was looked up resolves to the same IP
> address.
> 3) Look up the name in this dns list ===
> example.com.hostdomain.junkemailfilter.com
> 4) if it returns 127.0.0.1 - it's ham

I'd like to suggest that where the domain publishes SPF, we use that;
where it doesn't, we use your algorithm.

I recently coded up a very similar approach; I posted about it on the
SPF and Karmasphere mailing lists.  Here is the original message:





On Jul 12, 2007, at 6:53 PM, Meng Weng Wong wrote:
> Cross-posted to the SPF and Karmasphere lists ...
>
> On Jul 12, 2007, at 12:45 PM, Meng Weng Wong wrote:
>>
>> Those of you who have been following the authentication movement
>> will remember that reputation was always part of the plan.
>>
>> It is the job of SPF/DKIM/etc to provide authentication.
>>
>> Karmasphere's job is to provide reputation.
>>
>
> I have had a huge grin on my face for the last half an hour.
>
> Why?
>
> This afternoon I finally got up to speed with SpamAssassin's meta-
> rules.
>
> and I just now got this report in my headers:
>
>  * -0.0 SPF_PASS SPF: sender matches SPF record
>  * -0.0 KS_REPUTABLE_DOMAIN_DNS RBL: Envelope sender in mengwong
> whitelist feedset
>  * -123 AUTH_ACCOUNTABLE Envelope sender is both authenticated and
> reputable
>
> What does it mean?  An SPF pass, on its own, means little; an RHSWL
> match, on its own, means little; but together, they mean a lot.
>
> To obtain that score of -123, the message has to pass SPF and the
> envelope sender domain has to be whitelisted at the
> "mengwong.manywl-v1.dnswl.karmasphere.com" RHSWL.
>
> "mengwong.manywl-v1" is, in turn, a Karmasphere feedset that
> contains multiple other whitelists, including the dnswl.org's
> sources, ISIPP, Truste, and VeriSign's list of SSL certified domains.
>
> More feeds are being added to that feedset as we discover new
> sources of domain whitelists.
>
> I am tremendously pleased.  For me, this is the culmination of
> several years of work: SPF offers authentication, and Karmasphere
> offers reputation.  Together, they fight spam!
>
> Here's the snippet from my local.cf that does this:
>
>   # karmasphere domain-based whitelist
>   header   KS_REPUTABLE_DOMAIN_DNS eval:check_rbl_envfrom('mengwong.manywl-v1', 'mengwong.manywl-v1.dnswl.karmasphere.com.')
>   describe KS_REPUTABLE_DOMAIN_DNS Envelope sender in mengwong whitelist feedset
>   tflags   KS_REPUTABLE_DOMAIN_DNS net
>
>   score KS_REPUTABLE_DOMAIN_DNS -0.01
>
>   meta AUTH_ACCOUNTABLE   ((SPF_PASS || DKIM_VERIFIED || DK_VERIFIED) && KS_REPUTABLE_DOMAIN_DNS)
>   describe AUTH_ACCOUNTABLE   Envelope sender is both authenticated and reputable
>   tflags   AUTH_ACCOUNTABLE   userconf nice noautolearn
>
>   score AUTH_ACCOUNTABLE -123
>
> I'm very happy!
>
> (At this time, while Karmasphere is in beta, querying that
> whitelist requires IP registration; it will not work if you do not
> have an account.  After we're out of beta that requirement will be
> dropped.)
>
> Off to rummage through the fridge in search of champagne...




Well, if my two cents are worth anything, here in Argentina most of the
"big fishes" in the internet mail game (telephone and cellular
companies, internet providers, banks, etc) either don't publish any
SPF records at all, or they send their mail from hosts not listed as
MX, or they don't have a proper setup of their RDNS... It makes a
living hell to whitelist some of them, since they switch mail servers
as much as I change my socks (well, maybe I change my socks a little
more often than that...).

Jokes apart, on the other hand, recently we are seeing some
"legitimate" email publishing enterprises, with proper SPF and MX
setups. Examples of this are 2marketed.com.ar, emailservers.com.ar,
mailservice.com.ar and some others.

Guess that only you could be sure of the hosts you control, as was
said before in this discussion...


Luis

--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-
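
Added example (not part of the original posts, and not junkemailfilter.com's or SpamAssassin's code): Marc Perkel's four steps in Python, run against a dict-backed stub resolver holding constructed records so it works offline. StubResolver, classify, the verdict strings and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

WHITELIST_ZONE = "hostdomain.junkemailfilter.com"  # zone named in the post
HAM_ANSWER = "127.0.0.1"                           # answer the post treats as ham


def norm(name):
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.lower().rstrip(".")


class StubResolver:
    """Dict-backed stand-in for DNS (hypothetical helper, constructed data)."""

    def __init__(self, ptr, a):
        self.ptr = ptr                               # IP -> PTR name
        self.a = {norm(k): v for k, v in a.items()}  # name -> list of IPs

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, name):
        return self.a.get(norm(name), [])


def classify(ip, resolver, zone=WHITELIST_ZONE):
    """Return (verdict, reason) for a connecting IP, following steps 1-4."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "no-verdict", "not an IP address"

    # Step 1: reverse lookup of the connecting host.
    name = resolver.reverse(str(addr))
    if not name:
        return "no-verdict", "no PTR record"
    name = norm(name)

    # Step 2: forward-confirm. Whoever controls the reverse zone for an IP
    # can put any name in the PTR, so the name only counts if it resolves
    # back to the same address.
    if not any(ipaddress.ip_address(a) == addr for a in resolver.forward(name)):
        return "no-verdict", "PTR name does not resolve back to the IP"

    # Step 3: look the confirmed name up under the whitelist zone.
    answers = resolver.forward(f"{name}.{zone}")

    # Step 4: only the 127.0.0.1 answer means ham; the post defines no
    # meaning for anything else, so nothing else changes the verdict.
    if HAM_ANSWER in answers:
        return "ham", f"{name} is listed in {zone}"
    return "no-verdict", f"{name} is not listed in {zone}"


# Constructed records using documentation address ranges.
SAMPLE = StubResolver(
    ptr={
        "192.0.2.10": "mail.example.com.",
        "198.51.100.7": "mail.example.com.",  # PTR claims a listed name
        "203.0.113.5": "mx.example.net.",
    },
    a={
        "mail.example.com": ["192.0.2.10"],
        "mx.example.net": ["203.0.113.5"],
        "mail.example.com.hostdomain.junkemailfilter.com": ["127.0.0.1"],
    },
)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.99"):
        print(ip, classify(ip, SAMPLE))
```

The 198.51.100.7 case is the one step 2 exists for: its PTR names a whitelisted host, but the forward lookup does not point back at it, so the whitelist is never consulted.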


Re: Upgrading to 3.2

2007-07-03 Thread Luis Hernán Otegui

Hi,

2007/7/3, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:

We are trying to upgrade from 3.1.0 on SLES9 using spamd. I have viewed
the install notes and downloaded the zip. Extracted and CD'd to that new
SA dir. Followed these install instructions:
[unzip/untar the archive]
cd Mail-SpamAssassin-*
perl Makefile.PL
[option: add -DSPAMC_SSL to $CFLAGS to build an SSL-enabled spamc]
make
make install          [as root]
On the first step, I get these required errors:
***
ERROR: the required HTML::Parser (version 3.43) module is installed,
but is not an up-to-date version. at
lib/Mail/SpamAssassin/Util/DependencyInfo.pm line 293,  line 1.


  HTML is used for an ever-increasing amount of email so this dependency
  is unavoidable.  Run "perldoc -q html" for additional information.

Followed by a host of other "warnings":
***
NOTE: the optional Mail::SPF module is not installed.

  Used to check DNS Sender Policy Framework (SPF) records to fight email
  address forgery and make it easier to identify spams.  (This is preferred
  over Mail::SPF::Query.)


***
NOTE: the optional Mail::SPF::Query module is not installed.

  Used to check DNS Sender Policy Framework (SPF) records to fight email
  address forgery and make it easier to identify spams.  (Mail::SPF is
  preferred instead of this module.)


***
NOTE: the optional IP::Country module is not installed.

  Used by the RelayCountry plugin (not enabled by default) to determine
  the domain country codes of each relay in the path of an email.


***
NOTE: the optional Net::Ident module is not installed.

  If you plan to use the --auth-ident option to spamd, you will need
  to install this module.


***
NOTE: the optional IO::Socket::INET6 module is not installed.

  This is required if the first nameserver listed in your IP
  configuration or /etc/resolv.conf file is available only via
  an IPv6 address.


***
NOTE: the optional IO::Socket::SSL module is not installed.

  If you wish to use SSL encryption to communicate between spamc and
  spamd (the --ssl option to spamd), you need to install this
  module. (You will need the OpenSSL libraries and use the
  ENABLE_SSL="yes" argument to Makefile.PL to build and run an SSL
  compatibile spamc.)


***
NOTE: the optional Mail::DomainKeys module is not installed.

  If this module is installed, and you enable the DomainKeys plugin,
  SpamAssassin will perform Domain Key lookups when Domain Key
  information is present in the message headers.  (Note that new versions
  of Mail::DKIM render this module superfluous.)


***
NOTE: the optional Mail::DKIM module is not installed.

  If this module is installed, and you enable the DKIM plugin,
  SpamAssassin will perform DKIM lookups when a DKIM-Signature
  header is present in the message headers.  (New versions of this module
  support both Domain Keys and DKIM, rendering Mail::DomainKeys obsolete.)


***
NOTE: the optional LWP::UserAgent module is not installed.

  The "sa-update" script requires this module to make HTTP requests.


***
NOTE: the optional HTTP::Date module is not installed.

  The "sa-update" script requires this module to make HTTP
  If-Modified-Since GET requests.


***
NOTE: the optional Archive::Tar (version 1.23) module is not installed.

  The "sa-update" script requires this module to access tar update
  archive files.


***
NOTE: the optional IO::Zlib (version 1.04) module is not installed.

  The "sa-update" script requires this module to access compressed
  update archive files.


***
NOTE: the optional Encode::Detect module is not installed.

  If you plan to use the normalize_charset config setting to detect
  charsets and convert them into Unicode, you will need to install
  this module.

REQUIRED module out of date: HTML::Parser
optional module missing: Mail::SPF
optional module missing: Mail::SPF::Query
optional module missing: IP::Country
optional module missing: Net::Ident
optional module missing

Re: Rules in 2 locations

2007-06-29 Thread Luis Hernán Otegui

OK, here we go me and my big mouth... No, really, thanks for the
explanations, Bowie and Theo...


Luix

2007/6/29, Theo Van Dinter <[EMAIL PROTECTED]>:

On Fri, Jun 29, 2007 at 01:14:03PM -0300, Luis Hernán Otegui wrote:
> This is normal. Stock distribution rules are installed in
> /usr/local/share/spamassassin when you install SA. But as new rules
> are updated via SARE, they get downloaded to
> /var/lib/spamassassin/3.002001/updates_spamassassin_org/. Notice the
> version dependent subdir. After sa-update, SA will use the new rules
> sitting on /var/lib/...

Just for clarification, SARE has nothing to do with the
updates.spamassassin.org channel.  updates.spamassassin.org are rules/etc
from the official project.  Third parties make SARE rules available
through their own channels, the SARE group doesn't publish their own
channel.

Also, "man spamassassin" has a whole section on directories used for configs.

--
Randomly Selected Tagline:
"BABYLON 5!  A five-mile long cement mixer of truth, pouring out the
  Concrete of Nice-Nice in a long, grey ribbon into the future, to form a
 ***SIDE WALK OF JUSTICE!!***" - The Tick on Babylon 5





--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Rules in 2 locations

2007-06-29 Thread Luis Hernán Otegui

Don't bother. SA is smart enough to notice these issues, and use only
one set of rules. By default, it will use the newer ones and, if some
aren't updated, it'll take them from the standard dir (i.e.
/usr/local/share/spamassassin).


Luix

2007/6/29, Irina <[EMAIL PROTECTED]>:

Oh, ok.  Thank you.  But...

Why I asked?...  When running spamassassin --lint -D, it shows many
duplicates.  Such as the following, for example:

[9460] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1
__MO_OL_CF0C0
[9460] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A

That is why I thought SA uses both directories and includes 2 sets of rules.

Since it uses only 1 directory, it puzzles me where these duplicates are
coming from.  Does anybody know?

Thank you
Irina
===




- Original Message -----
From: "Luis Hernán Otegui" <[EMAIL PROTECTED]>
To: "Irina" <[EMAIL PROTECTED]>
Cc: 
Sent: Friday, June 29, 2007 12:14 PM
Subject: Re: Rules in 2 locations


> Irina:
> This is normal. Stock distribution rules are installed in
> /usr/local/share/spamassassin when you install SA. But as new rules
> are updated via SARE, they get downloaded to
> /var/lib/spamassassin/3.002001/updates_spamassassin_org/. Notice the
> version dependent subdir. After sa-update, SA will use the new rules
> sitting on /var/lib/...
>
>
> Luix
>
> 2007/6/29, Irina <[EMAIL PROTECTED]>:
> > Can someone clarify?
> >
> > Spamassassin is in
> > /etc/mail/spamassassin
> > /usr/local/share/spamassassin
> >
> > I then run sa-update
> > sa-update --nogpg --allowplugins --channel
> > saupdates.openprotect.com --channel updates.spamassassin.org
> >
> > I now see the same set of files in the following 2 directories:
> > /usr/local/share/spamassassin/
> > /var/lib/spamassassin/3.002001/updates_spamassassin_org/
> >
> > Is it normal?
> >
> > Thank you
> > Irina
> >
> >
>
>
> --
> -
> GNU-GPL: "May The Source Be With You...
> Linux Registered User #448382.
> When I grow up, I wanna be like Theo...
> -
>





--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Rules in 2 locations

2007-06-29 Thread Luis Hernán Otegui

Irina:
This is normal. Stock distribution rules are installed in
/usr/local/share/spamassassin when you install SA. But as new rules
are updated via SARE, they get downloaded to
/var/lib/spamassassin/3.002001/updates_spamassassin_org/. Notice the
version dependent subdir. After sa-update, SA will use the new rules
sitting on /var/lib/...


Luix

2007/6/29, Irina <[EMAIL PROTECTED]>:

Can someone clarify?

Spamassassin is in
/etc/mail/spamassassin
/usr/local/share/spamassassin

I then run sa-update
sa-update --nogpg --allowplugins --channel
saupdates.openprotect.com --channel updates.spamassassin.org

I now see the same set of files in the following 2 directories:
/usr/local/share/spamassassin/
/var/lib/spamassassin/3.002001/updates_spamassassin_org/

Is it normal?

Thank you
Irina





--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: SASL and SPF Fail

2007-06-13 Thread Luis Hernán Otegui

OK, got the picture. Guess I'll go for the upgrade of postfix.

Thanks again,

Luis

2007/6/13, Daryl C. W. O'Shea <[EMAIL PROTECTED]>:

Luis Hernán Otegui wrote:
> OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth
> headers. Now, a question: how do I assign a score of zero to SPF_FAIL
> (in order to disable that rule) if my custom rule matches? I guess
> it's via a META rule, but I can't get it working...
>
> Based on the rule published at SA's Wiki, I was thinking of something
> like this:
>
> header LOCAL_AUTH_RCVD Received =~ /\(authenticated \(\d+ bits\)\) by services04\.student\.cs\.uwaterloo\.ca /
>
> meta LOCAL_AUTH_NO_SPF (LOCAL_AUTH_RCVD && SPF_FAIL)
>
> But here I lost it. Thought of something like this:
>
> score LOCAL_AUTH_NO_SPF -0.693
>
> which has the exact reverse score of SPF_FAIL. I think it would be
> more elegant to zero that rule in this particular case. But I don't
> know how to do it...

The problem is that SPF_FAIL isn't the only thing that you don't want to
trigger that could trigger.  Any of the DNSBL tests could hit, too,
depending on where your roaming users connect from.

If you can't get one of the methods to extend trust to work (getting
Postfix to insert an auth header in late 2.2 or any 2.3+ or using
msa_networks in SA 3.2) you're best off not scanning auth'd mail at all
if you can manage a way to do it.

Otherwise, the UW example of matching on a received header and deducting
  a score is your last resort.  You might as well make it a fairly large
negative score since you'll want it to counter both SPF_FAIL and any
DNSBL tests that hit.  There's no way to use a meta, or anything other
than a plugin that mucks with SA internals, to zero the score for
SPF_FAIL as you'd like.


Daryl




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: SASL and SPF Fail

2007-06-13 Thread Luis Hernán Otegui

OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth
headers. Now, a question: how do I assign a score of zero to SPF_FAIL
(in order to disable that rule) if my custom rule matches? I guess
it's via a META rule, but I can't get it working...

Based on the rule published at SA's Wiki, I was thinking of something like this:

header LOCAL_AUTH_RCVD Received =~ /\(authenticated \(\d+ bits\)\) by services04\.student\.cs\.uwaterloo\.ca /

meta LOCAL_AUTH_NO_SPF (LOCAL_AUTH_RCVD && SPF_FAIL)

But here I lost it. Thought of something like this:

score LOCAL_AUTH_NO_SPF -0.693

which has the exact reverse score of SPF_FAIL. I think it would be
more elegant to zero that rule in this particular case. But I don't
know how to do it...

Thanks


Luis


2007/6/13, Daryl C. W. O'Shea <[EMAIL PROTECTED]>:

Luis Hernán Otegui wrote:
> Hi, list, several of my users are beginning to use the SASL method to
> send mails through the server. The point is that the messages from one
> of these users are getting tagged as spam (the lil' bastard uses
> Incredimail, so a bunch of other stuff regarding this crappy piece
> of software gets his messages over the discard line, but that's
> another story. I'll search the list messages, I think I remember a
> thread on that issue). Anyway, I've noticed SPF checks of his mails
> fail. He's connecting from a network outside ours, so I was wondering
> what makes the SPF checks fail, even when he is connecting as a client
> to our server...

http://wiki.apache.org/spamassassin/DynablockIssues




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


[Maybe OT] how do I avoid SPF_FAIL?

2007-06-13 Thread Luis Hernán Otegui

Hi, list, I've recently added the feature of SMTP Auth to my MTA
(Postfix running on Debian Sarge), and when any user tries to send a
mail through the server, it hits SPF_FAIL (which, on the other hand,
seems natural, since one of the "relays" sits outside of the
mynetworks directive of Postfix). Is there any way to

a) disable SPF tests inside SA for authenticated users?
or
b) add the authenticated sender to the trust SPF chain?

Thanks a lot,


Luis

--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


SASL and SPF Fail

2007-06-13 Thread Luis Hernán Otegui

Hi, list, several of my users are beginning to use the SASL method to
send mails through the server. The point is that the messages from one
of these users are getting tagged as spam (the lil' bastard uses
Incredimail, so a bunch of other stuff regarding this crappy piece
of software gets his messages over the discard line, but that's
another story. I'll search the list messages, I think I remember a
thread on that issue). Anyway, I've noticed SPF checks of his mails
fail. He's connecting from a network outside ours, so I was wondering
what makes the SPF checks fail, even when he is connecting as a client
to our server...

Thanks,


Luis

--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: These are getting through SA...

2007-06-12 Thread Luis Hernán Otegui

Well, I didn't have rbl_timeout set, but after your mail, I did. The
DNSs I have set in resolv.conf are mine, they both cache and work as
internal and external resolvers. But the UNLP NOC got screwed in the
last days, so setting the timeout a little higher won't hurt. Thanks
for the suggestion.
However, I upgraded to Amavis 2.5.1 yesterday (and rebuilt the AWL and
the Bayes SQL databases, because they got corrupted)  and everything
got back to normal. Updated several modules as Amavis required, and
everything got back to the usual behavior. URIBL rules got fired (on
several mails), and Razor and Pyzor got me results again.
Additionally, SA stopped complaining about some minor issues when
running sa-compile.

Thanks again,


Luix
2007/6/12, Mark Martinec <[EMAIL PROTECTED]>:

Luis,

> I don't have any URIBL rules firing up (SA 3.2.0 from source here,
> most of the other relevant info is in the header of the mail I sent
> before to test). Where did you get them?
>[...]
> But the main difference between the live run and the ones I did with
> SA by itself (both as root and as user amavis) is the URIDNSBL hit.
>[...]
> From this debug, I see Amavis loading up the URIDNSBL plugin at startup,
> but lately it simply doesn't fire up on any spammy link (I googled
> for them, since the DDoS attack blocked the website).

I came across the same issue yesterday, with the same type
of a spam message, which would mostly get hits from URIBL tests,
but lots of other RBL checks come back emptyhanded.

On the first appearance it seems that SA under amavisd-new didn't
fire on DNSBL tests, but spamassassin from a command line did.

Investigating the problem more thoroughly turned out that even
a command line SA check behaved intermittently, sometimes
returning URIBL_BLACK, URIBL_JP_SURBL, etc, and sometimes
none of these URIBL tests - they were timing out.

What is your setting for rbl_timeout ?

Mine was fairly low, 5 seconds, and I find the dynamic timeout
(for rbl_timeout) cutback logic (man Mail::SpamAssassin::Conf)
does not work as advertised:

  In addition, whenever the effective timeout is lowered due to
  additional query results returning, the remaining queries are always
  given at least one more second before timing out

Namely with 22 RBL results coming back, the last one
(which was the crucial URIBL test) had a timeout of 0
and was ignored even though dns result did arrive.

Moreover, there is a bug in Mail::SpamAssassin::Dns, where
late-spawned URIBL queries (which only start after Razor,
DCC and Pyzor are run) are being timed against start time
of the first wave of plain RBL dns queries, which are fired-off
seconds earlier, so there is a good chance that URIBL queries
time out in 0 seconds and their results are never collected.
The problem is made worse when for example Razor itself also
times out (thus extending time between the two rounds of
dns queries being sent).

Luis, check your DNS if it is responding quickly,
try extending rbl_timeout to maybe 10 seconds, see if
there are many timeouts in RBL, URIBL, Razor or DCC queries.

  Mark




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-
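A simplified model of the second problem Mark describes above (late URIBL queries timed against the start of the first wave of DNSBL queries), added here as an illustration. It is not SpamAssassin's code, it leaves out the dynamic cutback logic, and the latencies and Razor delays are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Query:
    rule: str
    sent_at: float   # seconds after scan start when the DNS query is sent
    latency: float   # seconds until the DNS answer arrives (constructed)


def build_scan(razor_delay):
    """Two waves: plain DNSBL lookups at t=0, URIBL lookups once
    Razor/DCC/Pyzor have finished (or timed out) after razor_delay seconds."""
    return [
        Query("RCVD_IN_SBL", 0.0, 0.3),
        Query("RCVD_IN_XBL", 0.0, 0.4),
        Query("URIBL_BLACK", razor_delay, 0.7),
        Query("URIBL_JP_SURBL", razor_delay, 0.9),
    ]


def wait_window(query, queries, rbl_timeout, per_query_clock):
    """Seconds a query is actually allowed to wait for its answer.

    per_query_clock=False models the behaviour described in the message:
    every query is timed against the start of the first wave.
    per_query_clock=True times each query from the moment it was sent.
    """
    first_wave_start = min(q.sent_at for q in queries)
    clock_start = query.sent_at if per_query_clock else first_wave_start
    return max(0.0, clock_start + rbl_timeout - query.sent_at)


def collected(queries, rbl_timeout, per_query_clock):
    """Rules whose DNS answer arrives inside their wait window."""
    return [
        q.rule
        for q in queries
        if q.latency <= wait_window(q, queries, rbl_timeout, per_query_clock)
    ]


if __name__ == "__main__":
    scenarios = [
        ("Razor fast (1.0s), rbl_timeout 5", 1.0, 5),
        ("Razor slow (4.6s), rbl_timeout 5", 4.6, 5),
        ("Razor timed out (6.0s), rbl_timeout 5", 6.0, 5),
        ("Razor slow (4.6s), rbl_timeout 10", 4.6, 10),
    ]
    for label, delay, timeout in scenarios:
        scan = build_scan(delay)
        print(label)
        print("  shared clock   :", collected(scan, timeout, False))
        print("  per-query clock:", collected(scan, timeout, True))
```

With a shared clock the URIBL answers are dropped as soon as the delay before the second wave plus the DNS latency exceeds rbl_timeout, which is why raising rbl_timeout makes the hits reappear.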


Re: These are getting through SA...

2007-06-08 Thread Luis Hernán Otegui

What I copied and pasted into my message was the original spammy
message (the source of it) as IMP showed it. The posterior ALL_TRUSTED
occurred because it has already been scanned and tagged by my servers.
But the main difference between the live run and the ones I did with
SA by itself (both as root and as user amavis) is the URIDNSBL hit.

Well, the blaming on Net::DNS wasn't an easy way out. I ran Amavis in
debug mode and spotted out some warnings about the use of (.) in
concatenation string in Util.pm (not literally, I'll post the correct
output on monday, when I get back to work). From this debug, I see
Amavis loading up the URIDNSBL plugin at startup, but lately it simply
doesn't fire up on any spammy link (I googled for them, since the DDoS
attack blocked the website).
Anyway, seems like my perl installation came out buggy (upgraded from
source to 5.8.8 before upgrading SA from 3.1.8 to 3.2.0), and it is
messing things up. Lately some errors with Net::SMTP came out when
reporting to SpamCop, so I guess I'll have to start it all over again
from scratch, but this time making sure all compiles ok.

Thanks,


Luis

2007/6/8, guenther <[EMAIL PROTECTED]>:

On Fri, 2007-06-08 at 18:46 -0300, Luis Hernán Otegui wrote:
> OK, I've been googlin' around, and it seems like an issue between
> Amavis (or MailScanner, for what I've found) and some unsupported
> versions of Net::DNS, because when I run the message through SA by
> itself, this comes out:

Whatever you manually fed SA was even more borked than the inline
copy-n-paste of a message in your OP. Looking briefly at your original
paste, I do see these:

> Date:   Fri, 8 Jun 2007 20:25:53 -0100
> From: "Deana Adams" <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Can you imagine that you are healthy?

However, your manual run hit hard on...

>  0.0 MISSING_MID        Missing Message-Id: header
>  0.0 MISSING_DATE       Missing Date: header
>  1.3 MISSING_HEADERS    Missing To: header
>  1.8 MISSING_SUBJECT    Missing Subject: header
>  2.5 FM_NO_FROM_OR_TO   FM_NO_FROM_OR_TO
>  0.5 FM_NO_TO           FM_NO_TO

The "-1.8 ALL_TRUSTED" seems to support the assumption that you fed a
body only. Could be due to the exact details how you did it, though.
Also, this run didn't identify a HTML part at all...

The only difference that accounts for the spamminess in the second run
is the URIBL_BLACK hit. Maybe an oops, maybe a misconfiguration, maybe
due to not running in real time, but long after.

> So I'm blaming it on Amavis... (Net::DNS 0.59 here)...

I don't see much evidence for this, yet. ;)

  guenther


--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}





--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: These are getting through SA...

2007-06-08 Thread Luis Hernán Otegui

OK, I've been googlin' around, and it seems like an issue between
Amavis (or MailScanner, for what I've found) and some unsupported
versions of Net::DNS, because when I run the message through SA by
itself, this comes out:

Content analysis details:   (9.7 points, 5.0 required)

 pts rule name          description
---- ------------------ --------------------------------------------------
-1.8 ALL_TRUSTED        Passed through trusted hosts only via SMTP
 3.5 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
                        [score: 0.]
 0.0 MISSING_MID        Missing Message-Id: header
 0.0 MISSING_DATE       Missing Date: header
 1.3 MISSING_HEADERS    Missing To: header
 2.0 URIBL_BLACK        Contains an URL listed in the URIBL blacklist
                        [URIs: teethcat.hk]
 1.8 MISSING_SUBJECT    Missing Subject: header
 2.5 FM_NO_FROM_OR_TO   FM_NO_FROM_OR_TO
 0.5 FM_NO_TO           FM_NO_TO


So I'm blaming it on Amavis... (Net::DNS 0.59 here)...

I'll post this issue to the Amavis list.


Luis

2007/6/8, Daryl C. W. O'Shea <[EMAIL PROTECTED]>:

If you've got the current update from updates.spamassassin.org you've
got a working set of rules for URIBL_BLACK and URIBL_GREY.  It turns out
that they didn't hit for Raymond either, so you won't see them in this case.

Daryl


Luis Hernán Otegui wrote:
> Well, right now I'm running these commands to get updates:
>
> sa-update --gpgkey  --channel saupdates.openprotect.com
>
> sa-update --gpgkey  --channel updates.spamassassin.org
>
> sa-update doesn't download URIBL_BLACK and URIBL_GREY
>
> What am I doing wrong?
>
>
> Luis
>
> 2007/6/8, Daryl C. W. O'Shea <[EMAIL PROTECTED]>:
>> Luis Hernán Otegui wrote:
>> > Hi, Raymond, I don't have any URIBL rules firing up (SA 3.2.0 from
>> > source here, most of the other relevant info is in the header of the
>> > mail I sent before to test). Where did you get them?
>>
>> Run sa-update to get URIBL_BLACK and URIBL_GREY.
>>
>> Daryl
>>
>
>





--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: These are getting through SA...

2007-06-08 Thread Luis Hernán Otegui

Well, right now I'm running these commands to get updates:

sa-update --gpgkey  --channel saupdates.openprotect.com

sa-update --gpgkey  --channel updates.spamassassin.org

sa-update doesn't download URIBL_BLACK and URIBL_GREY

What am I doing wrong?


Luis

2007/6/8, Daryl C. W. O'Shea <[EMAIL PROTECTED]>:

Luis Hernán Otegui wrote:
> Hi, Raymond, I don't have any URIBL rules firing up (SA 3.2.0 from
> source here, most of the other relevant info is in the header of the
> mail I sent before to test). Where did you get them?

Run sa-update to get URIBL_BLACK and URIBL_GREY.

Daryl




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: These are getting through SA...

2007-06-08 Thread Luis Hernán Otegui

Hi, Raymond, I don't have any URIBL rules firing up (SA 3.2.0 from
source here, most of the other relevant info is in the header of the
mail I sent before to test). Where did you get them?

Thanks,


Luis

2007/6/8, Raymond Dijkxhoorn <[EMAIL PROTECTED]>:

Hi!

> They aren't scoring very much here...
>
> Return-Path: <[EMAIL PROTECTED]>
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]@domain.com
> Received: from localhost (localhost [127.0.0.1])
>   by nahuel.biol.unlp.edu.ar (Postfix) with ESMTP id 660BE7B1FE;
>   Fri,  8 Jun 2007 17:25:09 -0300 (ART)

X-Prolocation-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
 score=14.999, required 5, BAD_URI 1.50, CM_META_HK_NOW 2.50,
 CM_SPACED_DATE 0.50, PROLO_BLACK_DNSBL 3.00,
 RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
 RAZOR2_CHECK 0.50, SPF_PASS -0.00, URIBL_JP_SURBL 4.00)

Almost 15, not bad I think.

Bye,
Raymond.




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: Problem with sa-update and ImageInfo

2007-06-05 Thread Luis Hernán Otegui

You're probably loading the plugin twice, one from your local.cf or a
v3**.pre file, and the other from the ImageInfo.cf. Take out one of
the LoadPlugin directives (preferably the one from local.cf or the
*.pre files), and everything will go fine.


Luix

2007/6/5, CHIME System Admin <[EMAIL PROTECTED]>:

Hi,

# spamassassin --version
SpamAssassin version 3.1.8
   running on Perl version 5.8.8

# sa-update --version
sa-update version svn507100
   running on Perl version 5.8.8

Sa-update command line run via cron

/usr/local/bin/sa-update --channelfile
/etc/mail/spamassassin/sare-sa-update-channels.txt

Channel file:

updates.spamassassin.org
70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net


Every now and then I get the following errors from the cron job:

Subroutine new redefined at /etc/mail/spamassassin/plugins/ImageInfo.pm
line 98.
Subroutine _get_images redefined at
/etc/mail/spamassassin/plugins/ImageInfo.pm line 223.
Subroutine image_named redefined at
/etc/mail/spamassassin/plugins/ImageInfo.pm line 260.
Subroutine image_count redefined at
/etc/mail/spamassassin/plugins/ImageInfo.pm line 276.
Subroutine pixel_coverage redefined at
/etc/mail/spamassassin/plugins/ImageInfo.pm line 292.
Subroutine image_to_text_ratio redefined at
/etc/mail/spamassassin/plugins/ImageInfo.pm line 308.
Subroutine image_size_exact redefined at
/etc/mail/spamassassin/plugins/ImageInfo.pm line 330.
Subroutine image_size_range redefined at
/etc/mail/spamassassin/plugins/ImageInfo.pm line 346.
Subroutine result_check redefined at
/etc/mail/spamassassin/plugins/ImageInfo.pm line 374.

I haven't been able to repeat these errors when running from the command
line, and they don't appear every time the cron job is run.  Because of
this I suspect that they only appear when there is an update available.

I understand about 3.2.0 including ImageInfo and possible conflicts, but
I didn't think this affected 3.1.8.

Any thoughts?

--
System Admin
CHIME, Royal Free & University College Medical School
E-Mail: [EMAIL PROTECTED]




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: zen.spamhaus.org

2007-06-01 Thread Luis Hernán Otegui

Search through the archives, there was a patch to add it to SA.


Luix

2007/6/1, Martin Jürgens <[EMAIL PROTECTED]>:

Hi,
I am running Debian Etch, Exim4 and Spamassassin 3.1.7.

Now I am trying to find out how to make Spamassassin use Spamhaus Zen.

I am stuck.

Could anyone please tell me what I have to add to my local.cf in order
to use it?

Thanks!

Martin





--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: VBounce not working in 3.2.0

2007-05-30 Thread Luis Hernán Otegui

Well, it isn't working here either. Came up since upgrade to 3.2.0.
Worked fine with 3.1.8...


Luis

2007/5/27, Henrik Krohns <[EMAIL PROTECTED]>:

On Sat, May 26, 2007 at 10:12:27AM +, Bob Mortimer wrote:
> Hi,
>
> I had Justin's VBounce ruleset working fine until I switched to 3.2.0 and I
> seem to have bounce messages coming through again. I've checked that
> spamassassin is loading the plugin and it is, but testing with both a genuine
> bounce (I've commented out the whitelist_bounce_relays entries from local.cf)
> and with spurious joe-job bounces and the ruleset isn't firing.
>
> Any ideas what I might be doing wrong?

I have the same problem. Just can't figure out why it isn't working..





--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Re: AWL File Locking - Permission Denied

2007-05-17 Thread Luis Hernán Otegui

You should probably start by checking file permissions on the dir awl
sits in, and its parent...



Luix

2007/5/17, Daniel Aquino <[EMAIL PROTECTED]>:

I seem to see this message a lot...

warn: auto-whitelist: open of auto-whitelist file failed: locker:
safe_lock: cannot create lockfile
/var/spool/MD-Databases/auto-whitelist.mutex: Permission denied

If I delete my databases all together it creates it fine...
But once it's created then it keeps giving the above error...

Only relevant option that may affect this in my local.cf is:

lock_method flock

Any idea about this warning or how I can get rid of it ?




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Problems with live.com alerts service

2007-05-16 Thread Luis Hernán Otegui

Interesting approach by M$... offering an alerts service for PayPal,
which is supposed to be secure, and then using mailservers which don't
resolve to anything...

This came up today (the user deleted the mail, and then decided to
give me a call, so all I have are the mail logs):
May 16 11:48:15 nahuel postfix/smtpd[12083]: 653578CFB9:
client=unknown[207.46.117.145]
May 16 11:48:15 nahuel postfix/cleanup[18085]: 653578CFB9: message-id=
May 16 11:48:16 nahuel postfix/qmgr[2166]: 653578CFB9:
from=<[EMAIL PROTECTED]>, size=10459, nrcpt=1 (queue active)
May 16 11:48:16 nahuel amavis[18092]: (18092-05) loaded policy bank "MYNETS"
May 16 11:48:16 nahuel amavis[18092]: (18092-05) ESMTP::10024
/var/lib/amavis/amavis-20070516T114453-18092: <[EMAIL PROTECTED]> ->
<[EMAIL PROTECTED]> SIZE=10459 Received: from
nahuel.biol.unlp.edu.ar ([127.0.0.1]) by localhost
(nahuel.biol.unlp.edu.ar [127.0.0.1]) (amavisd-new, port 10024) with
ESMTP for <[EMAIL PROTECTED]>; Wed, 16 May 2007 11:48:16 -0300
(ART)
May 16 11:48:16 nahuel amavis[18092]: (18092-05) Checking:
tVqyWG7HIQ2H MYNETS [207.46.117.145] <[EMAIL PROTECTED]> ->
<[EMAIL PROTECTED]>
May 16 11:48:16 nahuel amavis[18092]: (18092-05) p003 1 Content-Type:
multipart/alternative
May 16 11:48:16 nahuel amavis[18092]: (18092-05) p001 1/1
Content-Type: text/plain, size: 900 B, name:
May 16 11:48:16 nahuel amavis[18092]: (18092-05) p002 1/2
Content-Type: text/html, size: 7268 B, name:
May 16 11:48:16 nahuel postfix/smtpd[12083]: disconnect from
unknown[207.46.117.145]
May 16 11:48:16 nahuel amavis[18092]: (18092-05) SPAM-TAG,
<[EMAIL PROTECTED]> -><[EMAIL PROTECTED]>, Yes, score=7.328
tagged_above=-100 required=5 tests=[BAYES_99=3.5, BOTNET_NORDNS=0.5,
FAKE_HELO_MSN=2.358, HTML_70_80=0.144, HTML_MESSAGE=0.001,
MIME_QP_LONG_LINE=0.234, SARE_UNI=0.591]

I've obfuscated the user's name in the previous transcription. Apart
from the BAYES_99 scoring, the server's IP doesn't resolve, so it got
tagged as spam. Here is what I got from dnsstuff.com:

IP address:                     207.46.117.145
Reverse DNS:                    [No reverse DNS entry per cpipsdnsp01.phx.gbl.]
Reverse DNS authenticity:       [Unknown]
ASN:                            8075
ASN Name:                       MICROSOFT-CORP---MSN-AS-BLOCK
IP range connectivity:          2
Registrar (per ASN):            ARIN
Country (per IP registrar):     US [United States]
Country Currency:               USD [United States Dollars]
Country IP Range:               207.46.0.0 to 207.46.255.255
Country fraud profile:          Normal
City (per outside source):      Redmond, Washington
Country (per outside source):   US [United States]
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No
Link for WHOIS:                 207.46.117.145

If I look for the server's supposed name, b03.alerts.msn.com, I get this:

No ALL records exist for b03.alerts.msn.com, and b03.alerts.msn.com
does not exist. [Neg TTL=86400 seconds]

Any ideas on how to whitelist these?

Thanks,


Luix
--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Re: tracking down problem messages

2007-05-15 Thread Luis Hernán Otegui

How are you calling SA? procmail? Amavis? plugins? Which version are
you running? Most likely, the RBL checks are the reason for those
delays. Try setting

skip_rbl_checks 1

in the local.cf, then look over the statistics again. If scan times go
down, blame your nameserver...


Luix!

2007/5/15, Jean-Paul Natola <[EMAIL PROTECTED]>:

Hi everyone,

I'm seeing by the output of message analysis time that some messages must be
hanging up SA;

Total number of emails processed by the spam filter : 2019
Number of spams :  1108 ( 54.88%)
Number of clean messages:   911 ( 45.12%)
Average message analysis time   : 26.26 seconds
Average spam analysis time  : 21.65 seconds
Average clean message analysis time : 31.86 seconds
Average message score   :  4.71
Average spam score  : 23.39
Average clean message score :-18.02

How can I track the messages that are causing this to happen?








Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]





--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Re: SA 3.2.0 logging

2007-05-12 Thread Luis Hernán Otegui

Yup, it's Amavis. What could be happening is that either the
no-quarantine threshold was too low, or the mails never got
quarantined because they never scored high enough.
Check your Amavis config. For instance, I don't quarantine, just change
the subject of mails with scores between 5 and 8 and reject everything
above that.

Luis

2007/5/12, Duane Hill <[EMAIL PROTECTED]>:

On Sat, 12 May 2007, Jerry Durand wrote:

> I notice that mail filtering now logs slightly differently than it did
> before, every entry mentions quarantine where before only the ones that were
> killed showed this.  I don't know if this message is from SA or Amavisd-new
> since Amavis filters SA output before I get to see it.
>
> May 12 07:59:19 interstellar.com /usr/bin/amavisd[5143]: (05143-02) Passed,
> <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, quarantine
> OQFHYAIbqILD, Message-ID:
> <[EMAIL PROTECTED]>, Hits: -3.555

It's my guess it would be a log amavisd made. It doesn't look like a spamd
log line.

I'm using Postfix and accessing spamd through spamc. I can't find any
spamd logs with 'quarantine'. Here is what shows in my logs for messages
being scanned:

May 12 15:25:19 smtpgate spamd[78819]: spamd: identified spam (21.0/5.0)
for [EMAIL PROTECTED]:58 in 2.3 seconds, 11560 bytes.

May 12 15:25:19 smtpgate spamd[78819]: spamd: result: Y 20 -
BIZ_TLD,DKIM_POLICY_SIGNSOME,FB_HARD_ERECTION,IMPOTENCE,MONEY_BACK,MSGID_FROM_MTA_HEADER,SARE_ADULT2,SARE_SXLIFE,SARE_URI_DIGITS4,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL
scantime=2.3,size=11560,[EMAIL PROTECTED],uid=58,required_score=5.0,rhost=localhost.example.net,raddr=127.0.0.1,rport=57680,mid=<[EMAIL PROTECTED]>,autolearn=disabled

May 12 15:25:20 smtpgate spamd[78811]: spamd: handled cleanup of child pid
78819 due to SIGCHLD




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Re: Bayes DB

2007-05-11 Thread Luis Hernán Otegui

First, RTFM.
Second, Google.
Third, oh, well... You NEED to feed Bayes a significant amount of
data, so it knows what is spam and what is ham, due to the fact that
the kind of spam and ham you receive is different from the ones I get
on my servers. Then it will start auto learning on that basis. But, to
start, it needs you to feed it data...

Luix

2007/5/11, Daniel Aquino <[EMAIL PROTECTED]>:

> Have you trained the bayes database? Is this a fresh install? It needs
> at least 200 spam and 200 ham messages to get it going. However, the
> more ham and spam you can feed it, the better it will perform...

Well I thought I could use the auto-learning feature ?




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Re: Bayes DB

2007-05-11 Thread Luis Hernán Otegui

Have you trained the bayes database? Is this a fresh install? It needs
at least 200 spam and 200 ham messages to get it going. However, the
more ham and spam you can feed it, the better it will perform...


Luix

2007/5/11, Daniel Aquino <[EMAIL PROTECTED]>:

I setup Bayes and whitelist db paths in my local.cf
The whitelist db created successfully but the bayes_* db's did not...




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Re: Disabling some DNS tests

2007-05-11 Thread Luis Hernán Otegui

OK, Got it. Anyway, I tracked down the timing issues which drove me to
disable DNS tests to a problem with my nameservers. Now the scanning
times reported by Amavis are similar to the other servers I have. BTW,
thanks for the tip, I've disabled CBL testings in Postfix.

Luix

2007/5/11, Randal, Phil <[EMAIL PROTECTED]>:

ZEN includes CBL, so you've got a duplicate test there.

CBL isn't tested in spamassassin (except via XBL).

You'll need something like this to stop the spamhaus tests:

score __RCVD_IN_ZEN 0.0
score RCVD_IN_SBL 0.0
score RCVD_IN_XBL 0.0
score RCVD_IN_PBL 0.0
score URIBL_SBL 0.0

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: Luis Hernán Otegui [mailto:[EMAIL PROTECTED]
> Sent: 11 May 2007 14:33
> To: users@spamassassin.apache.org
> Subject: Disabling some DNS tests
>
> Hi, list, I'm currently running zen.spamhaus.org and cbl.abuseat.org
> as RBLs over Postfix, how can I disable them in SA? (I mean, if I'm
> already blocking connections which got listed in those RBLs, why let
> SA check them? I suppose it should lower scan times...)
>
>
> Thanks,
>
>
>
> Luix
> --
> -
> GNU-GPL: "May The Source Be With You...
> Linux Registered User #448382.
> -
>




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Disabling some DNS tests

2007-05-11 Thread Luis Hernán Otegui

Hi, list, I'm currently running zen.spamhaus.org and cbl.abuseat.org
as RBLs over Postfix, how can I disable them in SA? (I mean, if I'm
already blocking connections which got listed in those RBLs, why let
SA check them? I suppose it should lower scan times...)


Thanks,



Luix
--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Re: sa-stats and no spamd logs.

2007-05-10 Thread Luis Hernán Otegui

Hi, try Amavis Logwatch, by Mike Cappella. It's working great here, and
you could run it from logwatch, or standalone:

http://www.mikecappella.com/logwatch

It's pretty straightforward to install and run, and it gives you lots
of info about Amavis performance, as well as antivirus & antispam
statistics...


Luix

2007/5/10, mbano <[EMAIL PROTECTED]>:


HI,

is there a way to extract statistics as with sa-stats from
spamassassin, even if spamd is not used (so no logs spamd format),
and it is used spamassassin from amavis-new instead.
anybody have a similar need?

Or .. logs in sql and php...

thanks in advance
--
View this message in context: 
http://www.nabble.com/sa-stats-and-no-spamd-logs.-tf3722909.html#a10417475
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.





--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-
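One way to get sa-stats-style numbers without spamd logs, as an added example (not Amavis Logwatch and not code from any poster): a small parser for the amavisd-new `SPAM-TAG` log line whose format is quoted in the "Problems with live.com alerts service" message on this page. It assumes each log entry sits on a single line, as syslog writes it; the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SPAM-TAG format quoted on this page.
SAMPLE_LOG = """\
May 16 11:48:16 mx amavis[18092]: (18092-05) Checking: AbCdEfGhIjKl MYNETS [192.0.2.10] <a@example.org> -> <u1@example.net>
May 16 11:48:16 mx amavis[18092]: (18092-05) SPAM-TAG, <a@example.org> -> <u1@example.net>, Yes, score=7.328 tagged_above=-100 required=5 tests=[BAYES_99=3.5, BOTNET_NORDNS=0.5, FAKE_HELO_MSN=2.358, HTML_70_80=0.144, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.234, SARE_UNI=0.591]
May 16 11:49:02 mx amavis[18093]: (18093-01) SPAM-TAG, <b@example.org> -><u2@example.net>, No, score=-2.598 tagged_above=-100 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
May 16 11:50:40 mx amavis[18092]: (18092-06) SPAM-TAG, <c@example.org> -> <u1@example.net>, Yes, score=9.5 tagged_above=-100 required=5 tests=[BAYES_99=3.5, URIBL_BLACK=2, URIBL_JP_SURBL=4]
May 16 11:51:13 mx amavis[18093]: (18093-02) SPAM-TAG, <d@example.org> -> <u3@example.net>, No, score=0 tagged_above=-100 required=5 tests=[]
"""

NUM = r"-?\d+(?:\.\d+)?"
SPAM_TAG = re.compile(
    r"SPAM-TAG, (?P<route>.*?), (?P<verdict>Yes|No), "
    rf"score=(?P<score>{NUM}) \S+ required=(?P<required>{NUM}) "
    r"tests=\[(?P<tests>[^\]]*)\]"
)
TEST = re.compile(rf"([A-Za-z0-9_]+)=({NUM})")


def parse_line(line):
    """Return a dict for a SPAM-TAG line, or None for any other log line."""
    m = SPAM_TAG.search(line)
    if m is None:
        return None
    return {
        "spam": m.group("verdict") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": {name: float(val) for name, val in TEST.findall(m.group("tests"))},
    }


def summarize(lines):
    """Aggregate message counts, average scores and per-rule hit counts."""
    stats = {"messages": 0, "spam": 0, "ham": 0}
    totals = {"spam": 0.0, "ham": 0.0}
    rules = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = "spam" if rec["spam"] else "ham"
        stats["messages"] += 1
        stats[kind] += 1
        totals[kind] += rec["score"]
        for name in rec["tests"]:
            rules[name][kind] += 1
    for kind in ("spam", "ham"):
        count = stats[kind]
        stats[f"avg_{kind}_score"] = totals[kind] / count if count else None
    stats["rules"] = dict(rules)
    return stats


def top_rules(stats, kind, n=5):
    """The n rules with the most hits on 'spam' or 'ham', ties by name."""
    hits = [(name, c[kind]) for name, c in stats["rules"].items() if c[kind]]
    return sorted(hits, key=lambda item: (-item[1], item[0]))[:n]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"messages={s['messages']} spam={s['spam']} ham={s['ham']}")
    print(f"avg spam score={s['avg_spam_score']:.3f} avg ham score={s['avg_ham_score']:.3f}")
    for kind in ("spam", "ham"):
        print(f"top {kind} rules:", top_rules(s, kind))
```

Rules that show up in the ham column are the ones to review first when hunting false positives.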


Re: Poor performance with v3.2.0

2007-05-10 Thread Luis Hernán Otegui

Well, here, P4 HT 3.06 GHz, 2 GB RAM (just added 1GB, wanted to test
performance) Debian Sarge pretty standard, Perl 5.8.8 from Backports,
SA 3.2.0 from source, re2c 0.12.0 from source, a bunch of SARE and
openprotect rules, several plugins, sa-compile delivered this:

# time sa-compile

real    2m37.209s
user    2m17.220s
sys     0m14.943s

Plus, seems like SA isn't putting that much extra stress on my
servers, scantimes reported by Amavis are pretty much the same as
before the upgrade from 3.1.8 (from Debian backports), and top shows a
load index of 0.45-0.66 vs 0.22-0.33 before upgrading (Note: These
reports came from the 1 GB RAM setup). I guess the extra amount of
rules got compensated with the performance boost from sa-compile...



Luix

2007/5/10, Duane Hill <[EMAIL PROTECTED]>:

On Thu, 10 May 2007, Rosenbaum, Larry M. wrote:
>>
>> Took 10 mins on my 2.8gh 512mb ram, with a bunch of sares rules.
>>
>> You using .12.0 of re2c?
>
> Yes.
>
> I think most of the time is spent in the rule extraction steps and the
> gcc compiles, and not in the re2c steps.  (gcc is v3.4.6)
>
>>> Yes, you are right, after "use warnings;". I ran SA3.2 on my site
> with
>>> "use bytes;" added, no problem so far. But it seems SA developers
> did
>> not
>>> mention this, they might have their reasons (break normalize_charset
> for
>>> one reason).
>>
>> Yes, exactly -- breaking one of the major 3.2.0 features is not a good
>> thing. :(
>
> Where can I find documentation on what normalize_charset does?

% perldoc Mail::SpamAssassin::Conf
...
normalize_charset ( 0 | 1) (default: 0)

 Whether to detect character sets and normalize message content to
 Unicode. Requires the Encode::Detect module, HTML::Parser version 3.46
 or later, and Perl 5.8.5 or later.




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-


Re: R: Evaluating how good is a rule

2007-05-07 Thread Luis Hernán Otegui

Well, you could try asking the amavis list, though. I think you could
actually tell amavis to copy the messages which hit a certain rule to
a certain directory, or to look for a specific tag by SA. But this is
getting kinda off-topic, I think...

Regards,


Luix

2007/5/7, Giampaolo Tomassoni <[EMAIL PROTECTED]>:

> -----Original Message-----
> From: Luis Hernán Otegui [mailto:[EMAIL PROTECTED]
>
> Well, it all depends on how do you run SA (as a content filter,
> through AMAVIS, via procmail, etc). Via AMAVIS you could use the log
> parser which MrC wrote, which works like a charm here. It could work
> as a control, since it tells you which rules hit harder, which ones
> didn't, etc.

It would be fine, since I'm using amavis, too. The problem is that I'm not
looking for statistical data about rules: I would need something to let me
have control on a rule which may possibly not work as expected in
production. So, it should report promptly what the rule did and, possibly,
let me have a copy of the afflicted messages.


> SA cannot copy a mail to any place by itself, its work is to test and tag
> the mail either as spam or ham...

I see. The plugin I'm looking for is more or less a debugging aid, so it is
not really meant as a "production" feature. I believe it would help rule
debugging a lot, however...

giampaolo

>
>
> Luix
>
> 2007/5/6, Giampaolo Tomassoni <[EMAIL PROTECTED]>:
> > Dears,
> >
> > I'm something in need to write custom rules in order to penalize some kind
> > of messages running through my SA.
> >
> > Now, of course I do apply a 0.001 score to my own test rules in order not to
> > create FPs on received mails. Also, things are setup such that no SA header
> > is added to messages yielding a score below 5.
> >
> > This basically means that, while I may not be causing FPs while testing, I
> > can't even detect any possible FP which my rules may cause "in production"
> > (when they get assigned a higher score) since I don't always get the SA
> > headers in processed messages.
> >
> > Is there any way to instruct SA to put a copy of the message in some folder
> > when a specific rule gets triggered? That would help rule debugging on
> > running systems a lot...
> >
> > Thanks,
> >
> > -
> > Giampaolo Tomassoni - I.T. Consultant
> > Piazza VIII Aprile 1948, 4
> > I-53043 Chiusi (SI) - Italy
> > Tel/Ph: +39-0578-21100
> >
> > NEVER send an e-mail to:
> >
> >  [EMAIL PROTECTED]
> >
> >
>
>
> --
> -
> GNU-GPL: "May The Source Be With You...
> -





--
-
GNU-GPL: "May The Source Be With You...
-


Re: Evaluating how good is a rule

2007-05-07 Thread Luis Hernán Otegui

Well, it all depends on how do you run SA (as a content filter,
through AMAVIS, via procmail, etc). Via AMAVIS you could use the log
parser which MrC wrote, which works like a charm here. It could work
as a control, since it tells you which rules hit harder, which ones
didn't, etc. SA cannot copy a mail to any place by itself, its work is
to test and tag the mail either as spam or ham...


Luix

2007/5/6, Giampaolo Tomassoni <[EMAIL PROTECTED]>:

Dears,

I'm something in need to write custom rules in order to penalize some kind
of messages running through my SA.

Now, of course I do apply a 0.001 score to my own test rules in order not to
create FPs on received mails. Also, things are setup such that no SA header
is added to messages yielding a score below 5.

This basically means that, while I may not be causing FPs while testing, I
can't even detect any possible FP which my rules may cause "in production"
(when they get assigned a higher score) since I don't always get the SA
headers in processed messages.

Is there any way to instruct SA to put a copy of the message in some folder
when a specific rule gets triggered? That would help rule debugging on
running systems a lot...

Thanks,

-
Giampaolo Tomassoni - I.T. Consultant
Piazza VIII Aprile 1948, 4
I-53043 Chiusi (SI) - Italy
Tel/Ph: +39-0578-21100

NEVER send an e-mail to:

 [EMAIL PROTECTED]





--
-
GNU-GPL: "May The Source Be With You...
-


Re: Just a small nag from 3.2.0...

2007-05-04 Thread Luis Hernán Otegui

Ditto. I'm running 5.8.4 in one machine, and 5.8.8-4 in another, and
happens in both of them...

2007/5/4, Graham Murray <[EMAIL PROTECTED]>:

Matt Kettler <[EMAIL PROTECTED]> writes:

> This apparently is fixed in perl 5.8.8, but still happens in 5.8.6,
> 5.8.5, etc.

I see it in perl 5.8.8




--
-
GNU-GPL: "May The Source Be With You...
-


Re: notice diff between using 3.1.8 and 3.2.0 ?

2007-05-04 Thread Luis Hernán Otegui

Yup. Maybe a little too early to jump to conclusions, but since we're
running SA 3.2.0 here (two days), less spam has made it through. I
have some spam trap accounts set up, and since the upgrade, none of
them has got any messages! (their daily rate varied from 2 to 10
messages a day).

As for the performance, I think 3.2.0 is a little bit slower than
3.1.8. Maybe 20-25% slower. Even with sa-compile run... But as long as
we aren't a big traffic site, it's completely acceptable due to the
improvement in spam detection performance.


Luis

2007/5/4, Bret Miller <[EMAIL PROTECTED]>:

> Is anyone noticing small, medium, or large improvements in
> how well 3.2.0 does its job compared to 3.1.8 ???

I'm seeing less spam slipping through in 3.2.0 rc3 than with 3.1.8. Of
course, that could be coincidental, but I'd rather attribute it to the
SA upgrade.

Bret







--
-
GNU-GPL: "May The Source Be With You...
-


Just a small nag from 3.2.0...

2007-05-04 Thread Luis Hernán Otegui

Hi, list, I have a cron job running in order to learn from each user's
HAM and SPAM subdirs. Whenever it runs, it complains like this:

Subroutine FuzzyOcr::O_NONBLOCK redefined at
/usr/share/perl/5.8/Exporter.pm line 65.
at /usr/lib/perl/5.8/POSIX.pm line 19

Any hints on how to avoid this nag?


Luis
--
-
GNU-GPL: "May The Source Be With You...
-


Re: RBL tests on MTA vs. RBL rules on SA

2007-04-25 Thread Luis Hernán Otegui

Well, I have a caching dns running, and it performs (almost) flawlessly.
zen.spamhaus.org seems to perform very well here, since when I look at the
mail logs I don't find any false positives. I was using cbl.abuseat.org, but
it was too loosy on checks, so many .edu.ar servers from here (I live and
work here in Argentina) got blacklisted. The point is that ONLY with
zen.spamhaus.org I get this many rejections at MTA level. As I said, I'm
concerned about whether SA is getting enough data as it needs to get Bayes
working as it was a month ago.

Regarding sa-update, which channels are you using? I'm currently running on
saupdates.openprotect.com. Any suggestions on this subject?


Thanks,


Luis

2007/4/25, Randy Smith <[EMAIL PROTECTED]>:


Luis Hernán Otegui wrote:
> Hi, list, I know this is one of those "egg and chicken" kind of
> questions, but having now the possibility of checking the impact of
> various setups, I was wondering if it is more convenient to let the MTA
> perform the RBL checks, or disable them and let SA do this job.
> Currently I am using zen.spamhaus.org <http://zen.spamhaus.org> as my
> primary (and only) RBL tester on Postfix, and I am kinda surprised. The
> daily statistics show that my server is rejecting almost 22000
> connections a day, and accepting only 2500-3000 emails. The major
> drawback is bayes. It seems to lack the necessary amount of data to
> catch up as the spam evolves, so I'm continuously getting new kinds of
> spam (meaning that I can't figure out a tendency to draw a rule from).
> So I'm asking if anyone has a solution for this, or how do you deal with
> this (to me) delicate balance.
>
> Thanks in advance,
>

I try to block as much as I can before the messages ever hit SA using
RBLs, HELO checks, greylisting, etc. for performance reasons. SA is a
much more expensive check so I try not to run it more than necessary.

I don't rely on Bayes here (my users can turn it on or off as they
choose) but many of the default SA and SARE rulesets pick up changes in
spam fairly quickly so new spam forms get detected soon enough. (/me
hugs sa-update)

If you still want to train on the RBL'd messages, you could configure
your MTA to either feed the messages to sa-learn directly or deliver to
a mailbox for later training.

--
Randy Smith
http://perlstalker.amigo.net/
"Work is the miracle by which talent is brought to the surface and
dreams become reality." - Gordon B. Hinckley






--
-
GNU-GPL: "May The Source Be With You...
-


RBL tests on MTA vs. RBL rules on SA

2007-04-25 Thread Luis Hernán Otegui

Hi, list, I know this is one of those "egg and chicken" kind of questions,
but having now the possibility of checking the impact of various setups, I
was wondering if it is more convenient to let the MTA perform the RBL
checks, or disable them and let SA do this job.
Currently I am using zen.spamhaus.org as my primary (and only) RBL tester on
Postfix, and I am kinda surprised. The daily statistics show that my server
is rejecting almost 22000 connections a day, and accepting only 2500-3000
emails. The major drawback is bayes. It seems to lack the necessary amount
of data to catch up as the spam evolves, so I'm continuously getting new
kinds of spam (meaning that I can't figure out a tendency to draw a rule
from).
So I'm asking if anyone has a solution for this, or how do you deal with
this (to me) delicate balance.

Thanks in advance,


Luis

--
-
GNU-GPL: "May The Source Be With You...
-


Re: One word spam

2007-04-24 Thread Luis Hernán Otegui

As I recall, this has been discussed earlier on the list. It seems like
spammers are "fishing" for valid addresses. Not lately, but I have seen
this kind of spam a lot two months ago or so...


Luix

2007/4/24, Marc Perkel <[EMAIL PROTECTED]>:


I'm seeing a lot of one words spam. I'm guessing they are probing for
capabilities. Is anyone else seeing this? If so - what do you know about
it?





--
-
GNU-GPL: "May The Source Be With You...
-


Re: spam test

2007-04-10 Thread Luis Hernán Otegui

The last one is the lowest scoring here, look at the results:
For the first mail:

Content analysis details:   (13.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5751]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [88.155.128.48 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.155.128.48 listed in zen.spamhaus.org]
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The second one:

Content analysis details:   (14.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.0 DC_IMG_TEXT_RATIO      BODY: Low body to pixel area ratio
 0.5 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
 0.6 SARE_SPEC_LEO_LINE03e  RAW: common Leo body text
 1.0 DC_IMG_HTML_RATIO      RAW: Low rawbody to pixel area ratio
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The third one:

Content analysis details:   (14.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5442]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [84.2.4.148 listed in zen.spamhaus.org]
 3.0 BOTNET                 BOTNET
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

And finally, the low one:

Content analysis details:   (5.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.3 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [12.162.173.226 listed in dnsbl.sorbs.net]

I give the BOUNCE_MESSAGE a high score because the bounce backs were driving
me (and my users) mad. So I just throw them away. I know it's not very
RFC-something style, but works like a charm ;-)


Luix


2007/4/10, Spamassassin List <[EMAIL PROTECTED]>:


> http://hege.li/howto/spam/spamassassin.html

Remove everything from Botnet.cf RULES-section and set it up this way:

Does the above line mean to remove from the # THE RULES?


regards





--
-
GNU-GPL: "May The Source Be With You...
-


Re: spam graphs

2007-04-05 Thread Luis Hernán Otegui

Chris, would you, by chance, share your modified scripts? I've been looking
for a tool to test the effectiveness of rules since a long time ago, and
your comment on the ability to test the effectiveness of RBLs has just
stunned me... BTW, I'm no Perl guru, or anything close to that...

Thanks,


Luix

2007/4/4, Chris St. Pierre <[EMAIL PROTECTED]>:


On Wed, 4 Apr 2007, maillist wrote:

> I have seen a few people present, on this mail list, nicely detailed graphs,
> that obviously were the result of some server output, but they focused on
> email, mainly spam.  I am interested in having the same.  Does anyone have any
> recommendations for a good package that can do this?
>
> All I currently use is logwatch.  It's nice for my needs to administer, but
> the boss would like to see something that he can understand without having to
> do so much thinking.  Maybe he wants to replace me with a bar-graph.

IMO, more statistics == better.  Your boss would probably agree.

I use a heavily modified version of Mailgraph to get not just the
stock mailgraph stuff, but a bunch of other data, including the
effectiveness of our different RBLs, messages greylisted, etc.

I also use a heavily modified version of sa-stats to figure out which
of our rules are most effective, which hit the most spam/ham, etc.

I've also written a custom log analyzer to get data from ClamAV on
which viruses we're seeing the most, and a great big log analysis tool
to generate tons and tons of email statistics.  You can see sample
output here: http://www.nebrwesleyan.edu/people/stpierre/spam-stats.html

(Note the downtime that MX node experienced last week.)  The code is
pretty unpolished, and would really only be useful to someone with the
same setup as us, but it gives you an idea of things you might look at
graphing.  The Perl is really pretty simple -- File::Tail,
Parse::Syslog, and GD::Graph are your friend in this endeavor.

I'd also recommend, if you end up writing your own tool, generating
hard numbers as well as pretty graphs.  You can put the graph showing
the increase in spam|mail volume|whatever in your slideshow and
mention the hard numbers in your presentation on why you need N more
servers and X more sysadmins.

Good luck!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

Never send mail to [EMAIL PROTECTED]





--
-
GNU-GPL: "May The Source Be With You...
-


Re: spam graphs

2007-04-04 Thread Luis Hernán Otegui

Well, if you have Postfix and Amavis, I've tried amavis-stats (a little bit
old now, and frankly, never worked correctly on my Debian-based servers).
I'm currently using Mailgraph, from the Debian package. Works like a charm
almost out-of-the-box. Though it should be available as a package for
other distros...


Luix

2007/4/4, maillist <[EMAIL PROTECTED]>:


I have seen a few people present, on this mail list, nicely detailed
graphs, that obviously were the result of some server output, but they
focused on email, mainly spam.  I am interested in having the same.
Does anyone have any recommendations for a good package that can do this?

All I currently use is logwatch.  It's nice for my needs to administer,
but the boss would like to see something that he can understand without
having to do so much thinking.  Maybe he wants to replace me with a
bar-graph.

As always, any help is appreciated.

-=Aubrey=-





--
-
GNU-GPL: "May The Source Be With You...
-


Re: A lot of these messages getting through

2007-03-30 Thread Luis Hernán Otegui

Thanks, these Stocks Du Jour rules have been created by you, haven't they? Or
is there a script to create/download them?

Luis

2007/3/30, Bill Randle <[EMAIL PROTECTED]>:


On Fri, 2007-03-30 at 11:18 -0300, Luis Hernán Otegui wrote:
> Hi, List, could somebody run these messages through SA and give me the
> scores? On my servers they aren't scoring much, as you can see from
> the headers added by SA. Any special rules to catch them?

About the only thing they score on are the custom rules I wrote:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.4 HELO_EQ_AT             HELO_EQ_AT
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 3.0 OLN_SDJ53              BODY: Stocks du jour 53 - last 3/29/07
 3.0 OLN_SDJ52              BODY: Stocks du jour 52 - last 3/24/07
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5176]

The two OLN rules look like this:

body OLN_SDJ53 /Critical C ?A ?R ?E N ?E ?W/i
describe OLN_SDJ53 Stocks du jour 53 - last 3/29/07
score OLN_SDJ53 3.0

body OLN_SDJ52 /symb?-C[\-_\.]?C[\-_\.]?T[\-_\.]?I/i
describe OLN_SDJ52 Stocks du jour 52 - last 3/24/07
score OLN_SDJ52 3.0

-Bill






--
-
GNU-GPL: "May The Source Be With You...
-


A lot of these messages getting through

2007-03-30 Thread Luis Hernán Otegui

Hi, List, could somebody run these messages through SA and give me the
scores? On my servers they aren't scoring much, as you can see from the
headers added by SA. Any special rules to catch them?


Thanks,


Luis
--
-
GNU-GPL: "May The Source Be With You...
-
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
by nahuel.biol.unlp.edu.ar (Postfix) with ESMTP id 7D118A29DF
for <[EMAIL PROTECTED]>; Thu, 29 Mar 2007 22:50:37 -0300 (ART)
X-Virus-Scanned: by amavisd-new-2.4.4 (20061120) (Debian) at biol.unlp.edu.ar
X-Spam-Score: 0.001
X-Spam-Level: 
X-Spam-Status: No, score=0.001 tagged_above=-100 required=5
tests=[BAYES_50=0.001]
Received: from nahuel.biol.unlp.edu.ar ([127.0.0.1])
by localhost (nahuel.biol.unlp.edu.ar [127.0.0.1]) (amavisd-new, port 
10024)
with ESMTP id ZGZp6Sj+ExPo for <[EMAIL PROTECTED]>;
Thu, 29 Mar 2007 22:50:37 -0300 (ART)
Received: from laternsertal.at (unknown [121.16.45.197])
by nahuel.biol.unlp.edu.ar (Postfix) with SMTP id 49E95A29DE
for <[EMAIL PROTECTED]>; Thu, 29 Mar 2007 22:50:34 -0300 (ART)
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "Bernardor Roland" <[EMAIL PROTECTED]>
From: "Bernardor Roland" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: Is alva
Date: Fri, 30 Mar 2007 09:51:03 +0800
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.




Here's your chance
CRITICAL Care N E W
SYmb-C_C_T_I 
Currently : 16 Cents, CHEAP!!!
This could hit  in short and over  in the long run

This one is Guaranteed to double in next 2 days
Get in this gem tomorrow, Catch an easy doubler!!

defense.  ''That team can blow you out and they can score in bunches,'' he said 
 exhaustion.   ''We're still feeling it,'' Steve Nash said. ''It was a big win. 
 previous three games and take it on the road with us.''   The Suns had won 24 
confidence booster for us,'' Anthony said. ''To beat a team like that. You know

- Original Message - 
From: "Bernardor Roland" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 22, 2007 8:27 PM
Subject: Is alva


> Here's your chance
> CRITICAL Care N E W
> SYmb-C_C_T_I 
> Currently : 16 Cents, CHEAP!!!
> This could hit  in short and over  in the long run

Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
by nahuel.biol.unlp.edu.ar (Postfix) with ESMTP id A385995441
for <[EMAIL PROTECTED]>; Fri, 30 Mar 2007 10:30:40 -0300 (ART)
X-Virus-Scanned: by amavisd-new-2.4.4 (20061120) (Debian) at biol.unlp.edu.ar
X-Spam-Score: 1.884
X-Spam-Level: *
X-Spam-Status: No, score=1.884 tagged_above=-100 required=5
tests=[BAYES_50=0.001, DATE_IN_FUTURE_06_12=1.883]
Received: from nahuel.biol.unlp.edu.ar ([127.0.0.1])
by localhost (nahuel.biol.unlp.edu.ar [127.0.0.1]) (amavisd-new, port 
10024)
with ESMTP id 9O-Otuiy5TNh for <[EMAIL PROTECTED]>;
Fri, 30 Mar 2007 10:30:40 -0300 (ART)
Received: from puremeds.com (ppp125.pool1.as01.cn.svg.dial-up.kht.ru 
[85.114.72.125])
by nahuel.biol.unlp.edu.ar (Postfix) with SMTP id BD0A99DD4C
for <[EMAIL PROTECTED]>; Fri, 30 Mar 2007 10:30:16 -0300 (ART)
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "ZChester TJones" <[EMAIL PROTECTED]>
From: "ZChester TJones" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: He bobolink
Date: Sat, 31 Mar 2007 00:30:21 +0300
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2720.




Get in on Energy Bottom
Critical Care NEW
Sym-CCTI
16 Cents is a STEAL
This could hit  in short and over  in the long run

This one is Guaranteed to double in next 2 days
Get in this gem tomorrow, Catch an easy doubler!!

,000 to ex-Wolverines Chris Webber, Maurice Taylor, Robert Traylor and  you or 
anything,'' Iverson said. ''It just feels good. It just feels like  -- with 
three 20-win seasons -- and 43-53 in the Big Ten.  He was under contract in a 
Freedom of Information Act request.  Amaker had to be employed as Michigan's

- Original Message - 
From: "ZChester TJones" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 22, 2007 8:27 PM
Subject: He bobolink


> Get in on Energy Bottom
> Critical Care NEW
> Sym-CCTI  
> 16 Cents is a STEAL
> This could hit  in short

Re: Just a general question

2007-03-24 Thread Luis Hernán Otegui

Well, let me see... 15 domains... 3000 users approx... oh, and two small
ones with 1 user each...


Luix

2007/3/24, Andy Figueroa <[EMAIL PROTECTED]>:




Gary V wrote:
 I've been on this mail list only for a few months now, and am
 wondering if I am the smallest guy here.
>>>
>>> No, you're not.
>>
>>
>> Oh me me me!
>>
>> 1 domain, 1 user. :)
>>
>
> I think only someone that uses fetchmail could beat that (no domain, 1
> user).

That might be me.
I use fetchmail to gather mail for 2 servers:
1 home-(not really a)-domain: 2 users
2 church/school-(not really a)-domain: 6 users
On second thought, I probably have too many users.

Andy Figueroa





--
-
GNU-GPL: "May The Source Be With You...
-


Re: Is Bayes Dead? Have the spammers won?

2007-03-23 Thread Luis Hernán Otegui

Well, my two cents on this:
When I upgraded my servers (about half a year ago) and started using a
mysql-based Bayes DB, image spams began to drive me crazy. Seemed like there
was no way to stop them. But with a good purge of bayes, a rebuild, and the
addition of sa-update rules, it all began to get better. Right now, I have
implemented a system for my users to train a global Bayes database, and I
must say it is working almost flawlessly. Only a few discussion lists got
BAYES_99 hits, but as soon as the users forwarded them to the ham training
account (or moved them to their webmail-based HAM folders), everything got
better. I'm a small fish in this fight (two servers, about 400 users each,
~25000 messages a day, ~2 rejected via zen.spamhaus.org mostly, ~1100
spam messages, and ~30 virus messages a day), but I must say that taking
good care of my Bayes database has improved a lot the spam fighting
capabilities of my servers. It includes making sa-forget of false positives,
then feeding them to sa-learn as ham, sa-forget of false negatives and
making SA analyze and report them, etc. Luckily, I managed to write some
scripts to do the work for me. They're still at test stage, but I'm
convinced that they seem to perform very well...

A taste: http://www.biol.unlp.edu.ar/cgi-bin/mailgraph.cgi


Luis

2007/3/23, Jim Maul <[EMAIL PROTECTED]>:


Marc Perkel wrote:
> Perhaps what I need to do is to get rid of autolearn and write my own
> learning system that strips out the body of messages with images and
> just learns the headers. My problem is that when users get image spam
> they put it in the spam folders and they get learned. But the text in
> the image spam causes ham type text to be learned as spam. That causes
> ham to get higher scores.
>
>

Are you sure of this?  Have you also trained these ham messages to
counter this effect?  Not too long ago we were in the same situation.  I
have autolearn enabled but I have adjusted the thresholds to avoid
learning false positives/negatives.  We were getting ham (although
arguably - they were newsletter type ham) that was hitting BAYES_99.  As
soon as I started training them as ham the problem went away.  Spam is
still detected correctly by bayes and these newsletters no longer hit
bayes_99.

-Jim





--
-
GNU-GPL: "May The Source Be With You...
-


Re: Reporting spam by forwarded/attached message

2007-03-22 Thread Luis Hernán Otegui

Well, I got it working (started a thread like this one month ago or so)
thanks to some other users' contributions.
What I did (following someone else's instructions) was insert these lines in
local.cf:

bayes_ignore_header ReSent-Date
bayes_ignore_header ReSent-From
bayes_ignore_header ReSent-Message-ID
bayes_ignore_header ReSent-Subject
bayes_ignore_header ReSent-To
all_spam_to [EMAIL PROTECTED]


and after that, set up the spam account, and generate a script to teach
spamassassin the forwarded messages. Maybe the bash programming could be
improved, but it's working for me like this:


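#!/bin/bash
# Count the messages waiting in the spam-reporting mailbox
result_spam=$(ls "/usr/local/virtual/[EMAIL PROTECTED]/new" | wc -l)
if [ "$result_spam" -ne 0 ]
   then
   # spamassassin -r reads one message on stdin, so report the files one by one
   for msg in /usr/local/virtual/spam@mydomain.tld/new/*
   do
      spamassassin -r -d --progress < "$msg"
   done
   echo 1 > /var/tmp/sa-state
   rm -f "/usr/local/virtual/[EMAIL PROTECTED]/new"/*
fi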


This script runs through cron once an hour along with some others which scan
my users' IMAP folders (some of them only use a webmail, and some use MUAs,
such as Outlook Express), search for spam and ham folders, check if they're
not empty, and learn from their contents (that's why I put that "echo"
sentence). BTW, if anyone knows a better way to check for the existence of
spam in the preceding script, I will gladly accept their tips...

When I finish polishing this, I promise to make a nice package and share it.



Luis
2007/3/21, Wael Shaheen <[EMAIL PROTECTED]>:


Hello everyone,
am looking for a mechanism which allows my clients to report spam by
forwarding a message or attaching it to a single mailbox i.e
[EMAIL PROTECTED]

How can I do this, forwarded emails will have the sender information cut off
before being fed to sa-learn
I would appreciate any hints-information in that direction and if any idea
would be better than what am thinking of
or have sa-learn run on the attached messages

Thank you





--
-
GNU-GPL: "May The Source Be With You...
-
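
Luis's request above for a better way to check the spam mailbox, as an added example that is not part of the original thread or of SpamAssassin: a loop that handles an empty directory without counting files first, and deletes a message only after the learner accepted it, so mail arriving mid-run is never removed unprocessed. The names drain_maildir, LEARN_CMD and DRAINED are hypothetical; the state file plays the role of /var/tmp/sa-state in the script above.

```bash
#!/bin/bash
# Added example (not from the thread): drain a Maildir "new" directory into
# a learner command, one message at a time.
# Hypothetical names: drain_maildir, LEARN_CMD, DRAINED.

# Command that receives one message on stdin. "spamassassin -r" is the
# command used in the script above; override LEARN_CMD to use another one.
LEARN_CMD=${LEARN_CMD:-spamassassin -r}

# drain_maildir DIR [STATE_FILE]
#   Feeds every regular file in DIR to $LEARN_CMD and deletes a message only
#   after the command exited 0 for it. The count of learned messages is left
#   in $DRAINED; STATE_FILE (if given) is written only when DRAINED > 0.
#   Returns 2 if DIR is not a directory, 0 otherwise.
#   Cron usage (paths are assumptions):
#     drain_maildir /path/to/spam-mailbox/new /var/tmp/sa-state
drain_maildir() {
    dm_dir=$1
    dm_state=${2:-}
    DRAINED=0
    [ -d "$dm_dir" ] || return 2

    # The glob is expanded once, here. Mail delivered while the loop runs is
    # not in the list, so it is neither learned nor deleted until next run.
    for dm_msg in "$dm_dir"/*; do
        # An empty directory leaves the pattern unexpanded; skip it, and
        # skip anything that is not a regular file.
        [ -f "$dm_msg" ] || continue
        if $LEARN_CMD < "$dm_msg" > /dev/null 2>&1; then
            rm -f -- "$dm_msg"
            DRAINED=$((DRAINED + 1))
        fi
        # On failure the message stays in place and is retried next run.
    done

    if [ "$DRAINED" -gt 0 ] && [ -n "$dm_state" ]; then
        echo 1 > "$dm_state"
    fi
    return 0
}
```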


Re: How to whitelist mail lists?

2007-03-06 Thread Luis Hernán Otegui

OK, but the point is that I run SA through AMaViS, so procmail recipes aren't
the answer. Thanks a lot, I suppose I should create some type of whitelist
in AMaViS to avoid SA.


Luis

2007/3/6, David Goldsmith <[EMAIL PROTECTED]>:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Luis Hernán Otegui wrote:
> Hi, several of my users have mail lists (such as Yahoo ones, or some
> other, at elsevier.com <http://elsevier.com>, or other scientific
> publications).
> I've been searching the web, trying to find a way to whitelist the
> messages from these lists. Could anyone point me some directions?
>
>
> Thanks in advance,
>
>
> Luis
> --

Look for the "List-Id" field such as:

List-Id: 

As an example, if you call SA via procmail:

:0fw
* ! ^List-Id: 
* ! ^X-Spam-Checker-Version:.*iceman11
| /usr/bin/spamc -d  -u spamass


If the message does not contain that list id, and it hasn't already been
scanned by our SA, then pass it to SA.

David Goldsmith
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF7YKd417vU8/9QfkRAlo6AJ9/M97mO6H/KhViklaqprojwmHJVQCgmFKa
dVBuzm38UjcbidJbVLhUos0=
=ilI/
-END PGP SIGNATURE-





--
-
GNU-GPL: "May The Source Be With You...
-


How to whitelist mail lists?

2007-03-06 Thread Luis Hernán Otegui

Hi, several of my users have mail lists (such as Yahoo ones, or some other,
at elsevier.com, or other scientific publications).
I've been searching the web, trying to find a way to whitelist the messages
from these lists. Could anyone point me some directions?


Thanks in advance,


Luis
--
-
GNU-GPL: "May The Source Be With You...
-


Re: HAM and SPAM mailboxes

2007-03-05 Thread Luis Hernán Otegui

OK, Chris, I think I'll go on with your suggestion. It seems simpler, and a
lower load for my busted servers. However, I'm not a Perl Guru myself, so
would you mind clarifying what you meant by "In that case, Perl's
Mail::Box::Manager is your friend."

How do I extract the original mail from the forwarded one?


Thanks,



Luis

2007/3/2, Chris St. Pierre <[EMAIL PROTECTED]>:


On Fri, 2 Mar 2007, Luis Hernán Otegui wrote:

> Hi, people, I am currently researching, trying to implement a way for my
> POP3 users to train SA via message forwarding. I've read in the list that
> the messages should be forwarded as attachments. My question is how do you
> make SA process them. I was thinking of creating two accounts (
> [EMAIL PROTECTED], and [EMAIL PROTECTED]), but frankly, I don't understand
> the way to hand the forwarded messages to SA...

Instead of forwarding as an attachment, I have my users
bounce/redirect/resend their mail, which maintains the message in its
original state and is a lot easier to process than messages in
attachments.  That way, I can just have a cron job go through the
[EMAIL PROTECTED] and [EMAIL PROTECTED] mailboxes and have sa-learn learn each 
message.
Otherwise, you'll have to strip the attachments and pipe them into
sa-learn, which is a lot less trivial.  In that case, Perl's
Mail::Box::Manager is your friend.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

Never send mail to [EMAIL PROTECTED]





--
-
GNU-GPL: "May The Source Be With You...
-


HAM and SPAM mailboxes

2007-03-02 Thread Luis Hernán Otegui

Hi, people, I am currently researching, trying to implement a way for my
POP3 users to train SA via message forwarding. I've read in the list that
the messages should be forwarded as attachments. My question is how do you
make SA process them. I was thinking of creating two accounts (
[EMAIL PROTECTED], and [EMAIL PROTECTED]), but frankly, I don't understand
the way to hand the forwarded messages to SA...
Currently, I run two production servers, with virtual users, and they have
separate HAM and SPAM IMAP folders for each user. Via a cron job, I teach
the system the spam messages (I've instructed my users to move the spam
messages there via our webmail). But now I'm looking to expand the
service to my POP3 users. Any suggestions will be welcomed.

BTW, I run SA (v 3.1.7) through AMaViS over Postfix, Debian Sarge based
install.


Thanks in advance,


Luis
--
-
GNU-GPL: "May The Source Be With You...
-


Re: [ semi OT ] Bounced Mails

2007-02-20 Thread Luis Hernán Otegui

OK, I'll give it a try. Thanks a lot


Luis

2007/2/20, Justin Mason <[EMAIL PROTECTED]>:



Jeff Chan writes:
> On Tuesday 20 February 2007 06:08, Luis Hernán Otegui wrote:
> > Hi, List, my users are getting increasing amounts of "Mail Delivery
> > Subsystem" mails, and I suspect spammers are using their addresses as
> > senders. I have my servers registered with SPF, but now I wonder how
> > could I stop these mails from getting to their accounts?
> > I've tried to explain to them that spammers are beginning to use the
> > spoofing techniques used in viruses, but they're just mad at it.
> > Has anyone a solution to this issue, or we must just get used to it?
>
> Unfortunately not much can be done about it other than SPF.

well, you *can* filter them using
http://wiki.apache.org/spamassassin/VBounceRuleset ... that helps ;)

--j.





--
-
GNU-GPL: "May The Source Be With You...
-


[ semi OT ] Bounced Mails

2007-02-20 Thread Luis Hernán Otegui

Hi, List, my users are getting increasing amounts of "Mail Delivery
Subsystem" mails, and I suspect spammers are using their addresses as
senders. I have my servers registered with SPF, but now I wonder how could I
stop these mails from getting to their accounts?
I've tried to explain to them that spammers are beginning to use the
spoofing techniques used in viruses, but they're just mad at it.
Has anyone a solution to this issue, or we must just get used to it?

BTW, I run SA through AMAVIS, on a Debian-based machine.

Thanks in advance,


Luis
--
-
GNU-GPL: "May The Source Be With You...
-


Re: SA not catching apostrophes in sender's addresses?

2006-12-26 Thread Luis Hernán Otegui

OK, I'm using sa-update AND Rules Du Jour. However, I'm not sure about which
rulesets are the most convenient to download. Could somebody pass a config
file for RDJ?

Thanks again,


Luis

2006/12/26, Chris <[EMAIL PROTECTED]>:


On Tuesday 26 December 2006 9:04 am, Luis Hernán Otegui wrote:
> Hi, list. I have been under heavy stocks alerts spamming. Currently, my
> setup goes like this:
>
> -Debian Sarge
> -Postfix 2.1.5-9 with VDA patch
> -Amavisd-new 2.4.2
> -SA 3.1.5
> -ClamAV 0.84-2.sarge.1
> -Mysql 4.0.24-10sarge
>
> System was installed and is maintained via apt. I've recently added the
> sa-update script to my cron. SA stores Bayes and the AWL in Mysql.
>
> But since a month or so, I've noticed that in some sender's addresses
> (spammers, of course) there are apostrophes.

Addresses such as this "Gena Mercer"  are caught
here quite easily on my home system:

Content analysis details: (43.1 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 2.8 RCVD_FORGED_WROTE         Forged 'Received' header found ('wrote:' spam)
 0.1 FORGED_RCVD_HELO          Received: contains a forged HELO
 0.0 BOTNET_NORDNS             IP address has no PTR record
 1.7 SARE_MLB_Stock1           BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock5           BODY: Mentions stock symbol, tickers, or OTC.
 0.4 SARE_LWOILCO              BODY: SARE_LWOILCO
 1.7 SARE_MLB_Stock2           BODY: SARE_MLB_Stock2
 0.8 SARE_LWSHORTT             BODY: SARE_LWSHORTT
 5.0 BAYES_99                  BODY: Bayesian spam probability is 99 to 100%
                               [score: 1.]
 0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                               [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]
 3.7 PYZOR_CHECK               Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK                 Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
  10 CLAMAV                    Clam AntiVirus detected a virus
 3.9 RCVD_IN_XBL               RBL: Received via a relay in Spamhaus XBL
                               [88.243.90.7 listed in sbl-xbl.spamhaus.org]
 0.8 DIGEST_MULTIPLE           Message hits more than one network digest check
 5.0 BOTNET                    The submitting mail server looks like part of a Botnet
 1.0 SAGREY                    Adds 1.0 to spam from first-time senders

Looks like any of the sare rules, or network tests would kick it over the
limit. Are you running any of the add-on clamav db's? These are tagged here
with this X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204). Even
running botnet would have put it over your threshold.

--
Chris
http://learn.to/quote






--
-
GNU-GPL: "May The Source Be With You...
-


SA not catching apostrophes in sender's addresses?

2006-12-26 Thread Luis Hernán Otegui

Hi, list. I have been under heavy stocks alerts spamming. Currently, my
setup goes like this:

-Debian Sarge
-Postfix 2.1.5-9 with VDA patch
-Amavisd-new 2.4.2
-SA 3.1.5
-ClamAV 0.84-2.sarge.1
-Mysql 4.0.24-10sarge

System was installed and is maintained via apt. I've recently added the
sa-update script to my cron. SA stores Bayes and the AWL in Mysql.

But since a month or so, I've noticed that in some sender's addresses
(spammers, of course) there are apostrophes. Shouldn't they get caught by
the INVALID_CHARACTERS rule? I'm only getting a 3.5 points score because of
the BAYES tokens. My quarantine threshold is at 5, and the reject threshold is
set up at 8.

If there are no problems with my setup, could somebody point me a custom
rule in order to stop this type of spam?

Here I put an example of this kind of messages:




From Philadelphia'[EMAIL PROTECTED] mar dic 26 09:54:17 2006

Return-Path: 
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
   by nahuel.biol.unlp.edu.ar (Postfix) with ESMTP id 7342870EE1
   for <[EMAIL PROTECTED]>; Tue, 26 Dec 2006 09:54:17 -0300 (ART)
X-Virus-Scanned: by amavisd-new-2.4.2 (20060627) (Debian) at
biol.unlp.edu.ar
X-Spam-Score: 3.5
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 tagged_above=2 required=5 tests=[BAYES_99=3.5]
Received: from nahuel.biol.unlp.edu.ar ([127.0.0.1])
   by localhost (nahuel.biol.unlp.edu.ar [127.0.0.1]) (amavisd-new, port
10024)
   with ESMTP id Xp6-Zl9r-rE0 for <[EMAIL PROTECTED]>;
   Tue, 26 Dec 2006 09:54:17 -0300 (ART)
Received: from mx1planet.ingw.tn (unknown [80.51.251.194])
   by nahuel.biol.unlp.edu.ar (Postfix) with ESMTP id B23AE70ECC
   for <[EMAIL PROTECTED]>; Tue, 26 Dec 2006 09:54:09 -0300 (ART)
Received: from 217.16.16.81 (HELO mx1.masterhost.ru)
by biol.unlp.edu.ar with esmtp (7>[EMAIL PROTECTED] [EMAIL PROTECTED])
id A2G5G)-2;9776-1/
for [EMAIL PROTECTED]; Tue, 26 Dec 2006 13:04:44 -0060
From: "Curtis Finch" 
To: <[EMAIL PROTECTED]>
Subject: Curtis
Date: Tue, 26 Dec 2006 13:04:44 -0060
Message-ID: <[EMAIL PROTECTED]'sNegro>
MIME-Version: 1.0
Content-Type: text/plain;
   charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Thread-Index: Aca6Q21Q4-E5.2-8V-2S:X935/JU9A==

2005 was the year of the oil company with many of these
companies posting record profits.  2006 has been the year
of alternative fuels with companies involved in this sector
blowing off the charts.  This trend shows no signs of
abating.
Our next feature is right in the thick of the high-growth
alternative energy sector and they are doing incredible
things.

AlgoDyne Ethanol Energy

Symbol:  ADYN

Current Price:$1.30
Short Term Target:$3.50
Long Term Projected:  $10.00

It doesn't take a genius to know why alternative energy is
such a high-growth area right now.  Smart traders know how
to watch global trends and seize the moment.

AlgoDyne is where it's at.  AlgoDyne has developed a
turnkey solution in their proprietary micro-algae based
process which can produce direct electricity, eco-friendly
fuels, and valuable bi-products.

The company has just hit its sweet spot in the development
phase and is set to release some astounding results.  These
revelations are being backed up by a far-reaching PR
campaign.

It is essential to get in early in order to enjoy the
biggest gains.  Come Tuesday, December 26th this one will
be rapidly going up to meet our target price!

Do not delay!  Win with ADYN!

---


Hope this info is enough.


Luis
--
-
GNU-GPL: "May The Source Be With You...
-
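
The sample above scored 3.5 from BAYES_99 alone, against the quarantine threshold of 5. As an added example (not part of the original post, and a Python prototype rather than SpamAssassin rule syntax), this counts layout traits of that message plus its impossible Date zone (-0060) and only adds points when several agree; the trait names, point values and placeholder sender address are assumptions.

```python
import re
from email import message_from_string

# Constructed sample, abbreviated from the message quoted in the post above.
SAMPLE = """\
From: "Curtis Finch" <sender@example.invalid>
Subject: Curtis
Date: Tue, 26 Dec 2006 13:04:44 -0060
Content-Type: text/plain; charset="iso-8859-2"

AlgoDyne Ethanol Energy

Symbol:  ADYN

Current Price:$1.30
Short Term Target:$3.50
Long Term Projected:  $10.00

Do not delay!  Win with ADYN!
"""

# Hypothetical trait names; each regex matches one layout trait of the sample.
BODY_TRAITS = {
    "TICKER_LINE": re.compile(r"^Symbol:\s*[A-Z]{3,5}\s*$", re.M),
    "PRICE_LINE": re.compile(r"^Current Price:\s*\$\d", re.M | re.I),
    "TARGET_LINE": re.compile(
        r"^(?:Short|Long) Term (?:Target|Projected):\s*\$\d", re.M | re.I),
    "URGENCY": re.compile(r"\b(?:do not delay|get in early)\b", re.I),
}
TZ_OFFSET = re.compile(r"([+-])(\d\d)(\d\d)\s*$")

def invalid_tz(date_header):
    """True when the numeric zone has minutes >= 60 or hours > 14."""
    m = TZ_OFFSET.search(date_header or "")
    return bool(m) and (int(m.group(3)) >= 60 or int(m.group(2)) > 14)

def stock_spam_hits(raw):
    """Return the names of all traits found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()  # text/plain only
    hits = [name for name, rx in BODY_TRAITS.items() if rx.search(body)]
    if invalid_tz(msg["Date"]):
        hits.append("INVALID_TZ")
    return hits

def extra_score(hits, per_hit=0.5, minimum=3):
    """Points to add to the Bayes score; zero unless several traits agree."""
    return per_hit * len(hits) if len(hits) >= minimum else 0.0
```

Requiring at least three traits keeps a legitimate message that merely quotes a price from gaining any points.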


Re: SA 3.0.1, still memory issues...

2004-10-26 Thread Luis Hernán Otegui
Well, first of all, sorry for the lack of info. Here is the (I
think) relevant info on the servers. These two are identical machines,
except for the RAM amount (the good one has 768 MB and the troubled one
has 438 MB).
OS: RedHat 8.0
Perl Version: 5.8.5, compiled from source in both cases.
Kernel: 2.4.18-18SGI_XFS_1.2.0, from RPM, not recompiled.
OK, now, some instructive things. I limit the number of spamd
processes via the -m switch, in both servers. In fact, as I said,
they're pretty much the same machine, except for the RAM.
But when I do a "top" on the good-running one, I get this (this one is
able to run SA 3.0.1, and has not complained of anything, in fact, I
think it's running it faster than it did with 3.0.0):
 16:05:02  up 12 days,  6:15,  8 users,  load average: 0,42, 0,40, 0,37
165 processes: 159 sleeping, 5 running, 1 zombie, 0 stopped
CPU states:  22,0% user  10,9% system  51,6% nice   0,0% iowait  15,3% idle
Mem:   772980k av,  760400k used,   12580k free,   0k shrd,   4k buff
388184k actv,  177588k in_d,   67820k in_c
Swap:  524600k av,   19636k used,  504964k free  281572k cached

  PID USER PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
 5687 root  14  -1  106M  42M 11392 S <   0,0  5,6  46:13   0 X
13284 root  15   0 37884  36M 19724 S 0,0  4,9   2:37   0 galeon-bin
12997 root  15   0 29764  29M 11124 R 0,0  3,8   1:31   0 opera
13749 root  15   0 23804  23M  9808 S 0,0  3,0   0:03   0 java_vm
29542 spamd 25   0 23212  20M  9496 S19,3  2,6  16:49   0 spamd
 5809 root  15   0 13568  13M 11672 S 0,0  1,7   0:21   0 kdeinit
 5804 root  15   0 13484  13M 12064 R 0,0  1,7   0:13   0 kdeinit
12182 root  15   0 12432  12M 10676 S 0,0  1,6   0:05   0 kdeinit
 5822 root  15   0 11468  11M 10240 S 0,0  1,4   0:07   0 kdeinit
 5791 root  15   0 11244  10M 10160 S 0,0  1,4   0:00   0 kdeinit
 5801 root  15   0 11100  10M 10036 S 0,0  1,4   0:22   0 kdeinit
 7591 root  15   0 11064  10M 10108 S 0,0  1,4   0:00   0 kdeinit
 5817 root  15   0 10172 9,9M  9348 R 0,0  1,3   0:01   0 kdeinit
 5819 root  15   0  9944 9940  9260 S 0,0  1,2   0:00   0 kdeinit
 5764 root  15   0  9564 9560  8880 S 0,0  1,2   0:06   0 kdeinit
 5800 root  15   0  9312 9308  8640 S 0,0  1,2   0:00   0 kdeinit

Despite the fact that a colleague of mine is working over this server,
most of the time I do only see a single process shown in the TOP, when
I sort them by memory usage.
On the other hand, when I was running 3.0.1 on the faulty machine (had
to switch back to 2.64, or my boss would kill me), if I did a top,
then sorted the processes by memory usage, the spamd processes were
always the first ones, starting at 22 MB and getting bigger and
bigger.
If I increase the number of children allowed to run, it takes it a
little longer to start growing. But here's a test I did: according to
the man pages, --max-conn-per-child should cause the child to die when
that number of connections is reached, but this didn't happen. I even
tried putting a ridiculous number here (reached even to three), but
still the child processes didn't die. They seemed to be determined to
grow bigger and bigger (reminds me of a virus... Nevermind, just a
little bit fun).
Anyway, I got clueless... 

Luis



On Tue, 26 Oct 2004 11:17:11 -0700, Justin Mason <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Matt Kettler writes:
> > At 01:49 PM 10/26/2004, Luis Hernán Otegui wrote:
> > >What really pisses me off is the fact that in the rest of my servers,
> > >when SA starts, only the parent process weighs 22 MB, the children
> > >weigh approx. 5 MB each. But in this particular server, all of the
> > >spamd processes start up as 22 MB processes...
> >
> > It strikes me as rather odd that the size of them is different. In theory
> > they should all be the same.
> >
> > What kernels are the boxes using?
> >
> > One theory I have is that the boxes with 5mb children have an RCU enabled
> > kernel, thus the children are 5mb of their own memory, and the rest is
> > shared with the map of the parent. (RCU causes forked children to share
> > pages of memory with the parent until they modify the page, then it gets
> > reallocated)
> >
> > On the one box which has 22mb children, I suspect there's no RCU support,
> > so the whole 22mb parent is copied at the time of fork().
> >
> > In linux, RCU is present on 2.6.x kernels, although some vendors may have
> > backported it to their 2.4x kernels
> 
> nah, that's Copy-On-Write you're thinking of, which has been std in linux
> and most UNIX kernels since 2.2.x ;)   Every 2.4.x and 2.6.x kernel

SA 3.0.1, still memory issues...

2004-10-26 Thread Luis Hernán Otegui
Well, I've upgraded several of my servers to SA 3.0.1, and since the
bugfixes seemed so promising, I decided to give it a try on the server
which had the memory issues (I've sent a couple of mails to the list a
month ago, or so).
Good news is spamd doesn't chew up the memory as fast as with 3.0.0.
Bad news, it still does it. Playing with the number of
max-conn-per-child and the number of children, I've managed to make it
quasi-stable, but it still is a hell of a memory chewer.
What really pisses me off is the fact that in the rest of my servers,
when SA starts, only the parent process weighs 22 MB, the children
weigh approx. 5 MB each. But in this particular server, all of the
spamd processes start up as 22 MB processes...
I've downloaded and recompiled perl (running on 5.8.5 now, compiled
from source), and the bad behaviour keeps going and going.
I've enabled the debug option on spamd, but looking at the maillog, it
seems to be working fine. Every time a mail arrives, spamass-milter
passes it to spamd, it opens it, claims the mutexes on auto whitelist
and bayes, and then releases them, when it finishes scanning.
Running sa-learn force-expire didn't help at all, spamd just keeps
growing and growing, but with a setting of max-conn-per-child of 10o
and ten children, it does it slower, and allows the server to live
longer (so far, it didn't crash, but most of daily spam will arrive in
approx. five hours from now).
If anyone could point me on what to look at, or the output of what
process will be handy to attach here in order to debug this, please,
send me a mail, because this little big memory issue is really driving
me nuts.

Thanks in advance,

Luis
-- 
-
GNU-GPL: "May The Source Be With You...
-
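
The RSS figure that top reports includes copy-on-write pages a forked child still shares with its parent, so per-process sizes alone do not say how much memory each spamd child really costs. As an added example (not from the thread), this sums the counters of /proc/<pid>/smaps to split RSS into shared and private parts; it assumes a kernel that provides that file, which the 2.4 kernels named in the thread do not, and all sample numbers are constructed.

```python
import re

FIELD = re.compile(
    r"^(Rss|Shared_Clean|Shared_Dirty|Private_Clean|Private_Dirty):\s+(\d+) kB$",
    re.M)

# Constructed one-mapping smaps excerpt; real files list many mappings.
TEMPLATE = """\
09a00000-0b000000 rw-p 00000000 00:00 0          [heap]
Size:              {rss} kB
Rss:               {rss} kB
Shared_Clean:          0 kB
Shared_Dirty:      {shared} kB
Private_Clean:         0 kB
Private_Dirty:     {private} kB
"""

def read_smaps(pid):
    """Read the live counters of one process (needs permission to do so)."""
    with open(f"/proc/{pid}/smaps") as fh:
        return fh.read()

def summarize(smaps_text):
    """Sum the per-mapping counters of one process; all values are in kB."""
    totals = {}
    for name, kb in FIELD.findall(smaps_text):
        totals[name] = totals.get(name, 0) + int(kb)
    shared = totals.get("Shared_Clean", 0) + totals.get("Shared_Dirty", 0)
    private = totals.get("Private_Clean", 0) + totals.get("Private_Dirty", 0)
    return {"rss": totals.get("Rss", 0), "shared": shared, "private": private}

def footprint(parent, children):
    """Return (naive sum of RSS, parent RSS plus each child's private kB)."""
    naive = parent["rss"] + sum(c["rss"] for c in children)
    estimate = parent["rss"] + sum(c["private"] for c in children)
    return naive, estimate

# Constructed numbers: the parent, a fresh child and a child that has grown.
PARENT = summarize(TEMPLATE.format(rss=22000, shared=17000, private=5000))
FRESH = summarize(TEMPLATE.format(rss=22000, shared=17000, private=5000))
GROWN = summarize(TEMPLATE.format(rss=40000, shared=1000, private=39000))
```

A child whose private figure keeps rising between samples is the one actually consuming new memory, whatever its RSS was at start-up.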

