Re: ClamAV plugin with 3.1.17

2007-01-18 Thread Michel Vaillancourt
Brent Kennedy wrote:
 Woops I meant .cf file not pm file.
 
 I just wanted to make sure this is still accurate:
 http://wiki.apache.org/spamassassin/ClamAVPlugin
 

As a suggestion, the way I am doing it is running ClamAV as my SMTP 
proxy... so it gets virus scanned and dropped as required before it ever sees 
anything important in my infrastructure.

-- 
-- Michel Vaillancourt
Wolfstar Systems




Re: Earthlink emails

2006-09-29 Thread Michel Vaillancourt
Ramprasad wrote:
 
 Why not SPF ??

Over two thirds of the email I receive that is UCE/Spam has an 
SPF_PASS associated with it from SA.  All SPF seems to do is make the 
stupid spammers look more stupid.  The clever ones aren't affected.

 DK is a resource HOG. And I cant do that easily in postfix ,( I know you
 will point to dk-milter )
 
http://jason.long.name/dkfilter/   ...  Postfix specific implementation 
using the Sourceforge/ OpenSource adaptation of the DK standards.

 What is the point accepting the mail and the entire data and then
 scanning for DK when It should have ideally been rejected after 
 mail from:
 

That would be the exact point of DK at the Postfix/ MTA level.

 So I let SA do the testing .. which catches the spams but eats resources
 of my servers. When you receive 3-5 million mails a day you tend to
 bother more about resources
 
I would humbly submit to you that if you move that much traffic, you 
should be able to justify one more MX machine in the pool and implementing DK.

 Thanks
 Ram
 
Another point here is that SPF and DK are NOT mutually exclusive 
technologies.  If a thirty-customer/ 10k message-a-day shop like me can 
implement both, I am sure that a Big Shop like yours can.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Re: Earthlink emails

2006-09-29 Thread Michel Vaillancourt
Ramprasad wrote:
 On Fri, 2006-09-29 at 08:12 -0400, Michel Vaillancourt wrote:
 Ramprasad wrote:
 Why not SPF ??
  Over two thirds of the email I receive that is UCE/Spam has an 
 SPF_PASS associated with it from SA.  All SPF seems to do is make the 
 stupid spammers look more stupid.  The clever ones aren't affected.

 I have a script that automatically blocks SPF-pass domains sending spam
 consistently. you could make good use of the SPF_PASS too. 
 

Care to share?  This would be very handy.

 What is the point accepting the mail and the entire data and then
 scanning for DK when It should have ideally been rejected after 
 mail from:

  That would be the exact point of DK at the Postfix/ MTA level.
 
 How. All the while I thought dkfilter helps me block after dataend ? Do
 I have to RTFM again ? 
 
My mistake..  this one runs as a content filter.  The same author is 
working on a DKIM Proxy that would be your first point-of-contact and handle 
the mail from intercept.  I got confused.

 
 So I let SA do the testing .. which catches the spams but eats resources
 of my servers. When you receive 3-5 million mails a day you tend to
 bother more about resources

  I would humbly submit to you that if you move that much traffic, you 
 should be able to justify one more MX machine in the pool and implementing 
 DK.

 We have 8 dual xeons already. for this much traffic. And servers are
 always loaded with all kinds tests enabled in SA  
 
I'm curious... what is the RAM/ MHz spec of your machines?  5M mail/day 
is 7 mail per second per machine...  at a median 8 seconds mail handle time, 
that is 57 mail in the pipes at any one time...  50Mb for SA or anti-virus per 
message works to about 3Gb of RAM in use.  I can see your concern.  However, 
again, I'd say that even two more machines in the pool would bring that down to 
~2GB of RAM in use per machine, and that should give you the cycles and memory 
to run SPF queries as well as DK filters.

I do understand the notion your boss might not be willing to put 
another $5K down to deal with the problem.  However, as anyone  can attest to, 
good customer service costs money to provide.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Re: Inconsistent Rules Firing

2006-09-11 Thread Michel Vaillancourt
Michel Vaillancourt wrote:
 Bowie Bailey wrote:
 Are you sure these messages are being scanned?  Take a look at the
 headers and see if there are X-Spam headers in both the marked and
 unmarked messages.  If so, post those headers here so we can see what
 is hitting.

   As I indicated in the original mail... they are getting scored.  The 
 headers are there.  However, the scores are VERY low compared to another 
 similar one that arrives moments later.  I'll post back when I get a good 
 comparison pair.
 
 You also may want to add this line to you local.cf file:

 add_header all Report _REPORT_

 This will add the report header listing the rule hits to all messages
 regardless of the score.  Restart spamd after making the change.

 
   Will do.  I'll post back with results.
 

It turns out that the issue was *not* SpamAssassin.  Due to a quirk in 
my mail routing, some messages were skipping the primary mail exchanger and 
going to one of my other machines which was running a less loaded version of 
SA.  Once that was corrected, all started behaving correctly.

My first clue was when the add_header didn't change anything on some 
of the incoming traffic...  I started digging deeper.  Thanks for the help and 
suggestions, all.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


SPF Scores

2006-09-08 Thread Michel Vaillancourt

I set up SPF for Wolfstar.ca yesterday, and I've been reading a bit off 
the website about SPF itself.  WRT to SA, I'm interested in knowing if folks 
have adjusted their stock SPF scores or if they've done some custom rules to 
lever this technology?
-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Inconsistent Rules Firing

2006-09-07 Thread Michel Vaillancourt

Recently several IMG spams and plain-text stock spams have been making 
it in unmarked.  However, they'll be right beside two more correctly 
identified.  What seems to be happening is that spamd isn't always firing all 
the rules that apply to the message, resulting in a score 8 or 9 spam arriving 
with a score of 4.something.

When I spamassassin -D --lint, the debug info always looks right 
about all the rules loading.  Suggestions as to where to start looking?
-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Re: Inconsistent Rules Firing

2006-09-07 Thread Michel Vaillancourt
Bowie Bailey wrote:
 
 Are you sure these messages are being scanned?  Take a look at the
 headers and see if there are X-Spam headers in both the marked and
 unmarked messages.  If so, post those headers here so we can see what
 is hitting.
 
As I indicated in the original mail... they are getting scored.  The 
headers are there.  However, the scores are VERY low compared to another 
similar one that arrives moments later.  I'll post back when I get a good 
comparison pair.

 You also may want to add this line to you local.cf file:
 
 add_header all Report _REPORT_
 
 This will add the report header listing the rule hits to all messages
 regardless of the score.  Restart spamd after making the change.
 

Will do.  I'll post back with results.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Michel Vaillancourt
Theo Van Dinter wrote:
 On Wed, Aug 30, 2006 at 10:10:00AM -0700, Michael Grey wrote:
 I am aware of SPF which can confirm that a host at ip address x.x.x.x is
 authorized to send mail as from domain A, but how about a means to confirm
 that '[EMAIL PROTECTED]' actually is a real user before accepting mail
 from him ? 
 
 The short answer is that there's no way to do that in general, regardless
 of SA, so no.
 

There is a way to do it, but someone more skilled at PERL than I would 
have to carve it...  you actually open an SMTP conversation with 
REMOTE_DOMAIN.com a la:

Connected to mail.wolfstar.ca.
Escape character is '^]'.
220 ext1.wolfstar.ca ESMTP Postfix (Debian/GNU)
EHLO spamTest.bot
250-ext1.wolfstar.ca
250-PIPELINING
250-SIZE 10240
250-ETRN
250 8BITMIME
MAIL FROM: [EMAIL PROTECTED]
250 Ok
RCPT TO: [EMAIL PROTECTED]
554 [EMAIL PROTECTED]: Relay access denied

...  trap that 5xx return, and you know it's a bogus sender.  The 
plug-in adds 2 points to the score.
Get a 250 Ok back, and you are likely safe... score 0.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca
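The callout Michel sketches above, written out as an added Python example (it is not code from the thread, from the plug-in he imagines, or from SpamAssassin). The server replies are a constructed replay of the session quoted in the post, fed through a scripted fake connection so the example runs offline; `SocketTransport` is the same client logic over a real TCP socket. Addresses, host names and the 2-point / 0-point scores follow the post; the handling of 4xx replies as "unknown" rather than "bogus" is an addition a practitioner would want, since greylisting MXs answer 450 to a first contact.

```python
import socket
from typing import List, Tuple


def parse_reply(text: str) -> Tuple[int, List[str]]:
    """Split a (possibly multi-line) SMTP reply into its status code and its lines."""
    lines = text.splitlines()
    if not lines or len(lines[-1]) < 3 or not lines[-1][:3].isdigit():
        raise ValueError(f"malformed SMTP reply: {text!r}")
    return int(lines[-1][:3]), lines


class ScriptedTransport:
    """Fake connection that plays back constructed server replies keyed by command verb."""

    def __init__(self, greeting: str, replies: dict):
        self._queue = [greeting]
        self._replies = replies
        self.sent: List[str] = []

    def send_line(self, line: str) -> None:
        self.sent.append(line)
        verb = line.split()[0].rstrip(":").upper()      # "MAIL FROM:<>" -> "MAIL"
        self._queue.append(self._replies.get(verb, "500 Command unrecognized"))

    def read_reply(self) -> str:
        return self._queue.pop(0)

    def close(self) -> None:
        pass


class SocketTransport:
    """Real TCP connection to an MX, exposing the same three calls as ScriptedTransport."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0):
        self._sock = socket.create_connection((host, port), timeout=timeout)
        self._rfile = self._sock.makefile("r", encoding="ascii", errors="replace")

    def send_line(self, line: str) -> None:
        self._sock.sendall((line + "\r\n").encode("ascii"))

    def read_reply(self) -> str:
        lines = []
        while True:
            raw = self._rfile.readline()
            if not raw:
                raise ConnectionError("peer closed the connection")
            line = raw.rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":        # "250-..." continues, "250 ..." ends
                return "\n".join(lines)

    def close(self) -> None:
        self._sock.close()


def callout_score(transport, sender: str, helo: str = "spamtest.example",
                  probe_from: str = "") -> Tuple[float, str]:
    """Ask the sender's MX whether it would accept mail for `sender`.

    Returns (score, reason): 2.0 when RCPT TO draws a permanent 5xx, 0.0 when it
    is accepted (250), and 0.0 tagged "unknown" for anything else (4xx greylisting,
    EHLO refused, ...) so a flaky or defensive MX cannot penalise a real sender.
    """
    try:
        code, _ = parse_reply(transport.read_reply())            # banner
        if code != 220:
            return 0.0, f"unknown: no SMTP service ({code})"
        transport.send_line(f"EHLO {helo}")
        code, _ = parse_reply(transport.read_reply())
        if code != 250:
            return 0.0, f"unknown: EHLO refused ({code})"
        transport.send_line(f"MAIL FROM:<{probe_from}>")          # <> = null sender, as bounces use
        code, _ = parse_reply(transport.read_reply())
        if code != 250:
            return 0.0, f"unknown: MAIL FROM refused ({code})"
        transport.send_line(f"RCPT TO:<{sender}>")
        code, lines = parse_reply(transport.read_reply())
        if 500 <= code <= 599:
            return 2.0, f"bogus sender: {lines[-1]}"
        if 400 <= code <= 499:
            return 0.0, f"unknown: temporary refusal ({lines[-1]})"
        return 0.0, f"accepted: {lines[-1]}"
    finally:
        try:
            transport.send_line("QUIT")                 # never leave a half-open session behind
            transport.read_reply()
        except Exception:
            pass
        transport.close()


# Constructed replay of the session quoted in the post; the address is a placeholder.
BANNER = "220 ext1.wolfstar.ca ESMTP Postfix (Debian/GNU)"
REFUSING_MX = {
    "EHLO": "250-ext1.wolfstar.ca\n250-PIPELINING\n250-SIZE 10240\n250-ETRN\n250 8BITMIME",
    "MAIL": "250 Ok",
    "RCPT": "554 <someone@example.invalid>: Relay access denied",
    "QUIT": "221 Bye",
}
ACCEPTING_MX = dict(REFUSING_MX, RCPT="250 Ok")
GREYLISTING_MX = dict(REFUSING_MX, RCPT="450 4.7.1 Try again later")

if __name__ == "__main__":
    for name, script in [("refusing", REFUSING_MX), ("accepting", ACCEPTING_MX),
                         ("greylisting", GREYLISTING_MX)]:
        print(name, callout_score(ScriptedTransport(BANNER, script), "someone@example.invalid"))
```

Two caveats before scoring on this. The "554 Relay access denied" in the post is what a host answers when it is not responsible for the recipient's domain at all, so the probe has to go to the MX of the sender's domain (the DNS lookup is left out above), and a catch-all domain answers 250 to every RCPT, so a 250 proves little. Postfix ships the same check as the `reject_unverified_sender` restriction, which also caches results so a busy site is not probed once per message.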


Re: SA-LEARN Question

2006-08-22 Thread Michel Vaillancourt
Bowie Bailey wrote:
 Christopher Mills wrote:
 Hi,
 We have over 100 domains on a server, all of which are getting junk
 mail. SA 3.1.4 installed, but I don't think it's properly trained yet
 (even though I did upgrade from an earlier version).  

 If I set up a [EMAIL PROTECTED] address and tell all my customers
 to forward the junk mail they get to that address, then run sa-learn
 on that mailbox, will that help, or, will it train SA that the users
 that forwarded the junk ARE the spammers and start to assign higher
 scores to legitimate customers?
 
 No, SA will learn that messages forwarded from your users are spam.
 
 As someone else pointed out, you need to find a method that preserves
 the original headers of the message.  Forwarding the spam as an
 attachment and then stripping it out or copying it to a shared imap
 folder are two of the more common options.
 

   I have a similar, albeit smaller, environment.  What I've done is asked my 
users who want to help to have a ConfirmedSpam folder in their IMAP 
directory.  Every night I cron-job a LOCATE for that folder and then tell 
sa-learn to learn those emails.  Then I empty the mail dir to start fresh for 
the next day.  It works like a charm.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca
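The nightly job Michel describes, as an added Python example rather than his actual cron script. It assumes Maildir++ storage, where an IMAP folder called ConfirmedSpam is a `.ConfirmedSpam` directory with `new/`, `cur/` and `tmp/` beneath it; the directory walk replaces his LOCATE call, and `tmp/` is skipped because it holds deliveries still being written. The sample tree it builds for its own demo is constructed. The `sa-learn` options used (`--spam`, `--no-sync`, `--sync`, directory arguments) are real, and messages are only deleted after `sa-learn` has exited successfully, which is the one thing to get right in such a script.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import List, Sequence

FOLDER = ".ConfirmedSpam"    # Maildir++ name of the IMAP folder users were asked to create


def find_confirmed_spam_dirs(root: str) -> List[Path]:
    """Every <maildir>/.ConfirmedSpam/{new,cur} directory below root (the LOCATE step)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) == FOLDER:
            for sub in ("new", "cur"):           # tmp/ holds half-written deliveries: skip it
                d = Path(dirpath) / sub
                if d.is_dir():
                    hits.append(d)
            dirnames[:] = []                      # nothing of interest below the folder itself
    return sorted(hits)


def messages_in(dirs: Sequence[Path]) -> List[Path]:
    return [p for d in dirs for p in sorted(d.iterdir()) if p.is_file()]


def remaining(root: str) -> int:
    """How many confirmed-spam messages are still waiting under root."""
    return len(messages_in(find_confirmed_spam_dirs(root)))


def total_files(root: str) -> int:
    return sum(len(files) for _, _, files in os.walk(root))


def learn_and_purge(root: str, sa_learn: Sequence[str] = ("sa-learn",),
                    dry_run: bool = False) -> int:
    """Feed the ConfirmedSpam folders to sa-learn --spam, then empty them. Returns the count."""
    dirs = find_confirmed_spam_dirs(root)
    msgs = messages_in(dirs)
    if not msgs or dry_run:
        return len(msgs)
    # sa-learn takes directories; --no-sync batches the Bayes writes, --sync flushes them once.
    subprocess.run([*sa_learn, "--spam", "--no-sync", *map(str, dirs)], check=True)
    subprocess.run([*sa_learn, "--sync"], check=True)
    for p in msgs:                                # purge only after sa-learn reported success
        p.unlink()
    return len(msgs)


def make_sample_tree() -> str:
    """Constructed fixture: two users, one of whom has a ConfirmedSpam folder."""
    base = tempfile.mkdtemp(prefix="maildirs-")
    for rel in ("alice/Maildir/.ConfirmedSpam/cur/1.msg",
                "alice/Maildir/.ConfirmedSpam/new/2.msg",
                "alice/Maildir/.ConfirmedSpam/tmp/3.msg",   # in-progress delivery, must be left alone
                "bob/Maildir/cur/4.msg"):                   # ordinary inbox mail, must be left alone
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("Subject: constructed sample\n\nbody\n")
    return base


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    dry = len(sys.argv) < 2                       # demo tree: just count, do not call sa-learn
    print(f"{'would learn' if dry else 'learned and purged'} "
          f"{learn_and_purge(root, dry_run=dry)} message(s) under {root}")
```

Run it from root's crontab with the mail spool root as the argument; `sa-learn` must run as the user whose Bayes database SA consults at scan time (site-wide via `spamd` or per user), otherwise the learning lands in the wrong database.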


Re: Running on Debian stable

2006-08-18 Thread Michel Vaillancourt
Raymond Wan wrote:
 I could also go up to testing or *gasp* unstable, but I really don't
 want to.  I'm not a very good system admin and don't really know how to
 fix some things when they break.  Also would rather have a working
 system than a up-to-the-minute system.
 
 I was wondering whether it is possible to update the rules and not
 the software.  I guess not?  spamassassin in Debian is one package?  But
 anyway, I'll do your backports.org suggestion -- thanks!
 
Hi, Ray.  I'm a Debian admin as well.  However, my experience has been 
that for Spamassassin in particular, don't use the .deb package.  Instead, run 
the CPAN install process;  I have it set as a CRON job that fires monthly.  
You'll find that it is no worse than using packages, and for SA at least, 10 
times more effective.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Re: Rule for non-DK-signed mail from yahoo

2006-08-16 Thread Michel Vaillancourt
Justin Mason wrote:
 
 I'd prefer not to do this without some kind of DKIM reputation service up
 and running, so that we don't give bonuses to spammers who sign their
 mails.  In our experience, spammers will quickly exploit any SpamAssassin
 bonuses available, and this would be pretty easy.
 
 --j.

So what is involved in establishing one?


Re: Hashcash plugin to stamp outgoing mails (for postfix only)

2006-08-16 Thread Michel Vaillancourt
decoder wrote:
 Hello there,
 
 since SpamAssassin supports the hashcash signatures but support for
 MUAs is rare, I wrote a plugin which is able to stamp all outgoing
 emails of a postfix server. If anyone is interested in testing this
 alpha version of the content_filter, please mail me.
 
 Chris

What exactly is this going to achieve?  I'm not familiar with using HCS 
(hashcash signatures).  I'm running Postfix on all my boxen, so I'll be happy 
to test it for you, either way.

--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Re: Hashcash plugin to stamp outgoing mails (for postfix only)

2006-08-16 Thread Michel Vaillancourt
decoder wrote:
 SpamAssassin supports verification of these hashes (this is enabled by
 default, you only need to configure the mail adresses you accept mails
 for in the local.cf
 (http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_Hashcash.html)
 

I read:

hashcash_accept [EMAIL PROTECTED] ...
Used to specify addresses that we accept HashCash tokens for. You should 
set it to match all the addresses that you may receive mail at.

thus, if I accept traffic for wolfstar.ca, foo.bar.info, and yeahright.com then 
I would have:

hashcash_accept [EMAIL PROTECTED], *.wolfstar.ca, [EMAIL PROTECTED], [EMAIL PROTECTED]

... traffic coming IN to these domains/addresses with an HCS is deemed 
safer than unmarked traffic and thus will be scored lower.

 I will send you the plugin this evening so you can try it out (as I am 
 currently on a run:))
 
 Chris

Sounds good.  I look forward to getting it.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca
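What an HCS actually is, and what the `hashcash_accept` list does with it, as an added Python example (not code from SpamAssassin or from Chris's plugin). A version-1 Hashcash stamp is the string `1:bits:YYMMDD:resource::rand:counter`; the minter tries counters until the SHA-1 of the stamp starts with `bits` zero bits, so producing one costs the sender CPU time while checking one costs the receiver a single hash. The verifier below checks, in the order a receiver should, that the stamp is for one of *our* addresses (matched here with shell-style globs, my reading of the `*.wolfstar.ca` entry above), that its date is recent, that the hash really has the claimed zeros, and that the stamp has not been presented before; the address list and date are taken from the thread, the 28-day window and the 12-bit demo size are my choices.

```python
import hashlib
import secrets
from datetime import datetime, timezone
from fnmatch import fnmatch
from typing import Iterable, Optional, Set, Tuple

# Addresses this site receives mail for, mirroring the hashcash_accept line above.
ACCEPTED = ("*@wolfstar.ca", "*.wolfstar.ca", "*@foo.bar.info", "*@yeahright.com")
# Date of the thread, used as "now" when checking constructed stamps.
STAMP_DAY = datetime(2006, 8, 16, tzinfo=timezone.utc)


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest (the 'work' a stamp proves)."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(resource: str, bits: int = 20, date: Optional[str] = None,
         rand: Optional[str] = None) -> str:
    """Sender side: brute-force the counter until the stamp's SHA-1 has `bits` leading zeros."""
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or secrets.token_urlsafe(8)      # base64url alphabet never contains ':'
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode("ascii")).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, accept: Iterable[str], min_bits: int = 20,
           now: Optional[datetime] = None, max_age_days: int = 28,
           spent: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Receiver side: is this a fresh, sufficiently expensive stamp for one of our addresses?"""
    spent = spent if spent is not None else set()
    parts = stamp.split(":", 6)
    if len(parts) != 7 or parts[0] != "1":
        return False, "not a version-1 stamp"
    _, bits_s, date, resource, _ext, _rand, _counter = parts
    if not bits_s.isdigit() or int(bits_s) < min_bits:
        return False, f"claims fewer than {min_bits} bits"
    if not any(fnmatch(resource, pat) for pat in accept):
        return False, "resource is not one of our addresses"     # stamp minted for someone else
    try:
        stamp_day = datetime.strptime(date, "%y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad date field"
    age = ((now or datetime.now(timezone.utc)) - stamp_day).days
    if age < -2 or age > max_age_days:
        return False, "stamp date outside the accepted window"
    if leading_zero_bits(hashlib.sha1(stamp.encode("ascii")).digest()) < int(bits_s):
        return False, "hash lacks the claimed leading zero bits"  # the work was not done
    if stamp in spent:
        return False, "stamp already spent"                       # replayed from another message
    spent.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    s = mint("postmaster@wolfstar.ca", bits=12, date="060816")
    print(s)
    print(verify(s, ACCEPTED, min_bits=12, now=STAMP_DAY))
```

This is why the accept list matters: a stamp is bound to the recipient address, so a spammer cannot mint one stamp and reuse it across a million recipients, and the spent-stamp set is why SpamAssassin keeps a double-spend database alongside the plugin. Mail carrying a valid stamp gets a negative score, which is the "scored lower" in Michel's reading of the docs.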


Antiword Rules

2006-08-15 Thread Michel Vaillancourt

Does anyone have an antiword-based PM/CF file-set?  I don't want to 
reinvent the wheel if I don't need to.  Thanks.

--Michel Vaillancourt
Wolfstar Systems



Re: The arms race continues

2006-08-14 Thread Michel Vaillancourt
Simon Standley wrote:
 Hi Gang,
 
 I've had the latest FuzzyOcr on test for the past day or so - very nice work. 
 Congrats to all involved.
 
 Thought you may be interested in the attached GIF. It was only a matter of 
 time before something like this came along ...
 
 Si.
 
  forgiving26.gif 
 
 .
I've seen three of these this morning alone...  and FuzzyOCR isn't 
trapping them.  

--Michel
Wolfstar Systems



RE: Memory requirements

2006-08-09 Thread Michel Vaillancourt
 jdow's plugged nickel's worth: Based on the bad case I ran his
 machine should do on the order of 10 to 30 seconds per email depending
 on the speed of his processor. At 30 seconds per that gives him the
 capacity, with delays to be sure, for 3000 emails per day. When they
 come in batched there will be several minutes of delay. But for most
 people's needs for a single user 3000 emails is somewhat more than is
 to be expected.

 {^_-}   Joanne, who has a bad habit if running numbers. And I note he
 might be able to run two instances to get SOME benefit from
 paralleling the DNS lookups.


ext1:~# cat /proc/cpuinfo
[..trim..]
model name  : Pentium II (Deschutes)
stepping: 2
cpu MHz : 398.982
cache size  : 512 KB
[..trim..]

ext1:~# free -m
             total       used       free     shared    buffers     cached
Mem:           251        247          4          0         16         12
-/+ buffers/cache:         217         33
Swap:          760        118        642

ext1:~/pflogsumm-1.1.0# sh yesterday.stats.sh  | head -n 10
Postfix log summaries for Aug  8

Grand Totals

messages

   9867   received
   9955   delivered

ext1:~# grep -i spamd /var/log/mail.log | grep -i identified | head
Aug  9 06:42:43 ext1 spamd[465]: spamd: identified spam (17.9/5.0) for
nobody:8 in 1.3 seconds, 1390 bytes.
Aug  9 06:43:04 ext1 spamd[466]: spamd: identified spam (24.6/5.0) for
nobody:8 in 1.4 seconds, 26292 bytes.
Aug  9 06:43:39 ext1 spamd[466]: spamd: identified spam (44.9/5.0) for
nobody:8 in 1.6 seconds, 2637 bytes.
Aug  9 06:46:55 ext1 spamd[466]: spamd: identified spam (14.7/5.0) for
nobody:8 in 1.3 seconds, 1415 bytes.
Aug  9 06:52:00 ext1 spamd[466]: spamd: identified spam (23.0/5.0) for
nobody:8 in 1.2 seconds, 2692 bytes.
Aug  9 06:58:33 ext1 spamd[466]: spamd: identified spam (16.6/5.0) for
nobody:8 in 1.4 seconds, 1313 bytes.
Aug  9 07:07:06 ext1 spamd[466]: spamd: identified spam (15.6/5.0) for
nobody:8 in 2.8 seconds, 21911 bytes.
Aug  9 07:07:42 ext1 spamd[466]: spamd: identified spam (12.7/5.0) for
nobody:8 in 7.1 seconds, 12636 bytes.
Aug  9 07:11:10 ext1 spamd[466]: spamd: identified spam (51.2/5.0) for
nobody:8 in 1.6 seconds, 3174 bytes.
Aug  9 07:11:54 ext1 spamd[466]: spamd: identified spam (42.1/5.0) for
nobody:8 in 3.9 seconds, 2034 bytes.

... and I'm running 66 optional tests above and beyond the stock set that
come with SA, so that makes 85 rules tests my machine is running through.
It's running Postfix, Spam Assassin, ClamAV, Courier IMAPD/POPD with a local
replica of MySQL for authentication.  I'm running six spamc clients
concurrently on the machine to keep delays down.

I don't know if that data-point is of use in the discussion, but there it
is.

--Michel

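The two sizing arguments in this thread, the 5M-mail/day arithmetic in the Earthlink reply and the spamd timings above, are the same calculation run in opposite directions: Little's law says the number of scans in flight on a machine is its arrival rate times the time each scan holds a spamc/spamd slot. This added Python example (mine, not from the thread) parses `spamd: identified spam ... in N seconds` log lines to measure that holding time, then turns a daily volume, a machine count and a per-scan memory figure into concurrent scans and RAM. The log lines are constructed copies of the ones quoted above, unwrapped and with one `clean message` line added; the 50 MB per scan and the 8-second handle time are the thread's own numbers.

```python
import re
import statistics
from typing import Dict, Iterable, List

# Matches both verdicts spamd logs; the page shows only "identified spam" lines.
SPAMD_LINE = re.compile(
    r"spamd: (?P<verdict>identified spam|clean message) "
    r"\((?P<score>-?[\d.]+)/(?P<threshold>[\d.]+)\) for (?P<user>\S+) "
    r"in (?P<seconds>[\d.]+) seconds, (?P<bytes>\d+) bytes"
)

# Constructed from the ten lines quoted in the post, plus one ham line for contrast.
SAMPLE_LOG = """\
Aug  9 06:42:43 ext1 spamd[465]: spamd: identified spam (17.9/5.0) for nobody:8 in 1.3 seconds, 1390 bytes.
Aug  9 06:43:04 ext1 spamd[466]: spamd: identified spam (24.6/5.0) for nobody:8 in 1.4 seconds, 26292 bytes.
Aug  9 06:43:39 ext1 spamd[466]: spamd: identified spam (44.9/5.0) for nobody:8 in 1.6 seconds, 2637 bytes.
Aug  9 06:46:55 ext1 spamd[466]: spamd: identified spam (14.7/5.0) for nobody:8 in 1.3 seconds, 1415 bytes.
Aug  9 06:52:00 ext1 spamd[466]: spamd: identified spam (23.0/5.0) for nobody:8 in 1.2 seconds, 2692 bytes.
Aug  9 06:58:33 ext1 spamd[466]: spamd: identified spam (16.6/5.0) for nobody:8 in 1.4 seconds, 1313 bytes.
Aug  9 07:07:06 ext1 spamd[466]: spamd: identified spam (15.6/5.0) for nobody:8 in 2.8 seconds, 21911 bytes.
Aug  9 07:07:42 ext1 spamd[466]: spamd: identified spam (12.7/5.0) for nobody:8 in 7.1 seconds, 12636 bytes.
Aug  9 07:11:10 ext1 spamd[466]: spamd: identified spam (51.2/5.0) for nobody:8 in 1.6 seconds, 3174 bytes.
Aug  9 07:11:54 ext1 spamd[466]: spamd: identified spam (42.1/5.0) for nobody:8 in 3.9 seconds, 2034 bytes.
Aug  9 07:12:30 ext1 spamd[465]: spamd: clean message (0.4/5.0) for nobody:8 in 0.9 seconds, 4120 bytes.
""".splitlines()


def parse_spamd(lines: Iterable[str]) -> List[Dict[str, float]]:
    """Extract verdict, score, scan time and size from spamd result lines; ignore the rest."""
    out = []
    for line in lines:
        m = SPAMD_LINE.search(line)
        if m:
            out.append({"spam": m["verdict"] == "identified spam",
                        "score": float(m["score"]),
                        "seconds": float(m["seconds"]),
                        "bytes": int(m["bytes"])})
    return out


def in_flight(msgs_per_day: float, machines: int, handle_seconds: float) -> float:
    """Little's law: concurrent scans per machine = arrivals per second per machine x scan time."""
    return msgs_per_day / 86400.0 / machines * handle_seconds


def ram_mb(msgs_per_day: float, machines: int, handle_seconds: float, mb_per_scan: float) -> float:
    return in_flight(msgs_per_day, machines, handle_seconds) * mb_per_scan


def summarize(lines: Iterable[str], msgs_per_day: float, machines: int,
              mb_per_scan: float = 50.0) -> Dict[str, float]:
    """Measured scan times from the log, then the capacity those times imply."""
    recs = parse_spamd(lines)
    secs = [r["seconds"] for r in recs]
    med = statistics.median(secs)
    return {
        "scans": len(recs),
        "spam": sum(1 for r in recs if r["spam"]),
        "median_seconds": med,
        "max_seconds": max(secs),            # the tail is what sizes the worst minute, not the median
        "in_flight": in_flight(msgs_per_day, machines, med),
        "ram_mb": ram_mb(msgs_per_day, machines, med, mb_per_scan),
    }


if __name__ == "__main__":
    print("thread's 8-machine case:", round(in_flight(5_000_000, 8, 8.0), 1), "scans in flight,",
          round(ram_mb(5_000_000, 8, 8.0, 50.0)), "MB")
    print("Michel's Pentium II box:", summarize(SAMPLE_LOG, 9867, 1))
```

Two things fall out that the prose alone does not give you: the thread's 57-in-flight figure is reproduced from the stated inputs, and the `max_seconds` column shows why one median is not enough, since the 7.1-second scan in the sample holds a slot five times longer than the typical one and a burst of those is what exhausts a six-slot spamc pool.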



Help With A Custom Rule

2006-08-02 Thread Michel Vaillancourt


Hello to the list!

I'm trying to write a rule to nail the following string:
'Microsoft Word 11 (filtered medium)'

To wit, I've written the following rule:

rawbody WOLFSTAR_MSWORD11_RULE   /Microsoft Word 11 (filtered medium)/
score WOLFSTAR_MSWORD11_RULE 1.0
describe WOLFSTAR_MSWORD11_RULE   Looks Like Another Inline IMG SPAM

... --lint gives me no indication that anything is wrong.  However, the 
rule doesn't seem to fire...  specifically I'm trying to trap:

[meta name=3DGenerator content=3DMicrosoft Word 11 (filtered medium)]

sub [/  ]/ in the line above

Suggestions as to what I am doing wrong?
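The defect is in the pattern itself: SpamAssassin rule bodies are Perl regular expressions, and in a regex unescaped parentheses are grouping metacharacters, so `/Microsoft Word 11 (filtered medium)/` matches the text `Microsoft Word 11 filtered medium` (no brackets) and can never match the literal string with the brackets in it; `--lint` cannot see that because the regex is syntactically fine. This added Python example (mine, not from the thread) demonstrates the difference with Python's `re`, which treats parentheses the same way Perl does, and emits the rule with the literal properly escaped. The sample body line is constructed, with angle brackets restored and the posted `=3D` decoded to `=`; that decoding reflects my understanding that `rawbody` sees the body after transfer-encoding decoding, which the thread itself does not state.

```python
import re

LITERAL = "Microsoft Word 11 (filtered medium)"

# The rule as posted: the parentheses form a capture group, so this matches
# "Microsoft Word 11 filtered medium" and never the bracketed text it was meant to hit.
AS_POSTED = re.compile(r"Microsoft Word 11 (filtered medium)")
# Escaped so the parentheses are matched literally.
ESCAPED = re.compile(r"Microsoft Word 11 \(filtered medium\)")

# Constructed sample of the HTML head as a rawbody rule would see it.
SAMPLE_BODY = ('<html><head><meta name=Generator content="Microsoft Word 11 (filtered medium)">'
               '</head><body><img src="cid:constructed-sample"></body></html>')

# Characters that need a backslash inside a /.../ rule body (the delimiter included).
SA_META = frozenset(r"\.^$|?*+()[]{}/")


def hits(pattern: "re.Pattern", body: str) -> bool:
    return pattern.search(body) is not None


def escape_for_sa(literal: str) -> str:
    """Backslash-escape every regex metacharacter so the literal matches itself."""
    return "".join("\\" + ch if ch in SA_META else ch for ch in literal)


def sa_rule(name: str, literal: str, score: float, describe: str) -> str:
    """Emit a rawbody/score/describe triple for a fixed string, in local.cf syntax."""
    return "\n".join([
        f"rawbody  {name}  /{escape_for_sa(literal)}/",
        f"score    {name}  {score:.1f}",
        f"describe {name}  {describe}",
    ])


if __name__ == "__main__":
    print("rule as posted fires:", hits(AS_POSTED, SAMPLE_BODY))   # False
    print("escaped rule fires:  ", hits(ESCAPED, SAMPLE_BODY))     # True
    print(sa_rule("WOLFSTAR_MSWORD11_RULE", LITERAL, 1.0, "Looks Like Another Inline IMG SPAM"))
```

The emitted rule is the posted one with only the brackets escaped; `escape_for_sa` is there so the next fixed-string rule (anything with a dot, a plus or a question mark in it) gets the same treatment without guessing which characters Perl treats specially.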