TOM_TO_EQ_FR

2012-03-20 Thread Nicolas de Bari Embriz Garcia Rojas
I am receiving too many emails (spam) containing the same FROM EQ TO

Initially tried to use SPF but spfquery returns 'NONE' and I couldn't score it, 
so I ended up with the following rules and so far working fine:

header   __TOM_TO_EQ_FRa ALL =~ m/^From:\s+<?(.+@.+)>?(\s|$)[^\0]*^To:.*\1/m
header   __TOM_TO_EQ_FRb ALL =~ m/^To:\s+<?(.+@.+)>?(\s|$)[^\0]*^From:.*\1/m
meta     TOM_TO_EQ_FR __TOM_TO_EQ_FRa || __TOM_TO_EQ_FRb
score    TOM_TO_EQ_FR 2.5
describe TOM_TO_EQ_FR To and From are the same, could be a cc or a forgery


regards.
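
Added example, not part of the original post: the From-equals-To check done on parsed addresses in Python, next to a Python rendering of the first sub-rule (written with optional angle brackets around the address, which is an assumption). The sample messages and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Python rendering of the first sub-rule's idea (assumed form): capture the
# From address, then look for the same text anywhere on a later To: line.
BACKREF_RULE = re.compile(r"^From:\s+<?(.+@.+)>?(\s|$)[^\0]*^To:.*\1", re.M)


def addresses(msg, header):
    """Lower-cased addr-specs from every occurrence of one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.lower() for _name, addr in pairs if "@" in addr}


def from_equals_to(raw_message):
    """True when a parsed From address is also a parsed To recipient."""
    msg = message_from_string(raw_message)
    return bool(addresses(msg, "From") & addresses(msg, "To"))


def backref_hit(raw_message):
    """True when the backreference pattern matches the raw header block."""
    headers = raw_message.split("\n\n", 1)[0] + "\n"
    return BACKREF_RULE.search(headers) is not None


# Constructed sample messages (not taken from the thread).
FORGED_SELF = (
    'From: "Alice" <alice@example.com>\n'
    "To: ALICE@example.com\n"
    "Subject: invoice\n\nbody\n"
)
LOOKALIKE = (
    "From: bob@example.com\n"
    "To: jbob@example.com\n"
    "Subject: lunch\n\nbody\n"
)
UNRELATED = (
    "From: carol@example.org\n"
    "To: dave@example.net\n"
    "Subject: hello\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("forged-self", FORGED_SELF),
                       ("lookalike", LOOKALIKE),
                       ("unrelated", UNRELATED)):
        print(f"{label:12} parsed={from_equals_to(raw)} backref={backref_hit(raw)}")
```

On these samples the backreference pattern misses the display-name case and fires on the lookalike recipient, while the parsed comparison handles both.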






include conf file to local.cf

2009-05-16 Thread Nicolas Letellier
Hello.

I have a few rules (whitelist_from and blacklist_from). I don't want to put 
them into my local.cf. 
Is it possible to include a file? For example, in my local.cf (Include 
/path/to/my/rules) and in /path/to/my/rules, I put all my rules.

Other question: is it possible to parse a conf file, to detect syntax errors?

Thanks a lot.

Best regards,

-- 
 -Nicolas.


Re: include conf file to local.cf

2009-05-16 Thread Nicolas Letellier
On Sat, 16 May 2009 04:56:48 -0400
Matt Kettler mkettler...@verizon.net wrote:

 Nicolas Letellier wrote:
  Hello.
 
  I have a few rules (whitelist_from and blacklist_from). I don't want to put 
  them into my local.cf. 
  Is it possible to include a file? For example, in my local.cf (Include 
  /path/to/my/rules) and in /path/to/my/rules, I put all my rules.

 Well, you really shouldn't need to do this at the site config level. SA
 will read *.cf  from the site config directory, not just local.cf. So,
 if you need extra config files, just put them there and SA will read
 them (they will be parsed in alphabetical order).
 
 There is an include directive, but this is really intended to be used at
 the user_prefs level, where only one file gets read.
 
 See the preprocessing options section of man Mail::SpamAssassin::Conf
 or online:
 
 http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#preprocessing_options
 
 
  Other question: is it possible to parse a conf file, to detect syntax errors?

 spamassassin --lint
 
 Normally it runs quietly, but if the parse fails, it will complain.
 
 

Thanks a lot for this information.
I will not include my file, I will use a *.cf file and parse it with 
'spamassassin --lint'.


-- 
 -Nicolas.


dcc reports

2009-05-05 Thread Nicolas Letellier
Hello.

I use spamassassin 3.2.5 and Dcc 1.3.103. 
When I execute cat /path/to/spammail | dccproc, I have lines with X-DCC in 
headers.
However, when I execute cat /path/to/spammail | spamc, I do not have lines with 
X-DCC headers.

Why do I not have DCC lines in headers, in this case?

See my local.cf:
use_dcc 1
dcc_path /usr/local/bin/dccproc

And my v310.pre:
loadplugin Mail::SpamAssassin::Plugin::DCC

Do you have any ideas? If you need any information, do not hesitate.

Thanks.

Best regards,

-- 
 -Nicolas.


Re: dcc reports

2009-05-05 Thread Nicolas Letellier
On Tue, 05 May 2009 07:57:37 -0400
Matt Kettler mkettler...@verizon.net wrote:

 Nicolas Letellier wrote:
  Hello.
 
  I use spamassassin 3.2.5 and Dcc 1.3.103. 
  When I execute cat /path/to/spammail | dccproc, I have lines with X-DCC in 
  headers.
  However, when I execute cat /path/to/spammail | spamc, I do not have lines 
  with X-DCC headers.
 
  Why do I not have DCC lines in headers, in this case?

 Um, because you piped it to spamc, not dccproc?
 
 SpamAssassin doesn't add X-DCC headers, it just queries DCC (or uses
 upstream X-DCC-xxx-Metrics headers) and will add score via the DCC_CHECK
 rule if DCC's thresholds exceed dcc_body_max, dcc_fuz1_max or dcc_fuz2_max.
 
 If you want SA to add DCC metrics, it can create an X-Spam-DCC header if
 you add this to your config:
 
 add_header all DCC _DCCB_:_DCCR_
 
 SA cannot add any headers that do not start with X-Spam.

Thanks for your information. I thought that SA would add DCC headers (because it 
uses it). It uses it, but does not write anything. That's what I wanted to know.

Thanks a lot.


-- 
 -Nicolas.


duplicate header don't match header test?

2009-02-24 Thread Nicolas Haller
Hi all,

I have a problem. I have a rule like this
header GM_BLAH X-BLAH ~= /^blah$/

If I receive a mail with one header X-BLAH, all is right, the rule
matches.
But if I receive a mail with two header lines X-BLAH, the rule doesn't
match.

So, is it normal? What can I do so that my rule matches mail with duplicate
header lines?

Regards,

-- 
Nicolas Haller


Re: duplicate header don't match header test?

2009-02-24 Thread Nicolas Haller
On Tue, Feb 24, 2009 at 03:52:02PM +0100, Karsten Bräckelmann wrote:
 On Tue, 2009-02-24 at 14:54 +0100, Nicolas Haller wrote:
  I have a problem. I have a rule like this
  header GM_BLAH X-BLAH ~= /^blah$/
  
  If I receive a mail with one header X-BLAH, all is right, the rule
  matches.
  But if I receive a mail with two header lines X-BLAH, the rule doesn't
  match.

 No real rule, no sample that should be hit. Well, guess I see your
 problem anyway... ;)

 Please do provide useful, stripped-down and carefully crafted examples,
 please. The operator is =~ rather than ~=. See my point?

Oops :-)

  So, is it normal? What can I do so that my rule matches mail with duplicate
  header lines?

 IIRC the values of headers occurring multiple times are stored in a
 single string. Including the newline char.

Ok, I didn't know this.

 With your RE modifiers (or the lack thereof), ^ and $ only match the
 beginning and end respectively of the string. Notably, they don't match
 an embedded newline, as they do with the /m modifier. Also, the '.' does
 not match a newline either, unless you specify the /s modifier. See the
 perlre documentation for details:
   http://perldoc.perl.org/perlre.html#Modifiers

Thank you, you solved my problem :-)

Regards,

-- 
Nicolas Haller
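
Added example, not from the thread: the behaviour described in the reply above, reproduced in Python, whose ^, $ and . follow the same rules as Perl for this case. The helper that joins repeated headers into one newline-separated string and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string


def header_test_string(raw_message, name):
    """Join all occurrences of a header into one string.

    Assumption for this example: each value is followed by a newline,
    matching the reply's description of repeated headers being stored
    in a single string that includes the newline character.
    """
    msg = message_from_string(raw_message)
    return "".join(value + "\n" for value in msg.get_all(name, []))


def rule_matches(pattern, value, flags=0):
    """Evaluate one header-rule regex against the joined value."""
    return re.search(pattern, value, flags) is not None


def modifier_report(raw_message, name="X-BLAH"):
    """Which modifier lets each pattern see past the embedded newline."""
    value = header_test_string(raw_message, name)
    return {
        "anchored": rule_matches(r"^blah$", value),           # /^blah$/
        "anchored_m": rule_matches(r"^blah$", value, re.M),   # /^blah$/m
        "dot": rule_matches(r"blah.blah", value),             # /blah.blah/
        "dot_s": rule_matches(r"blah.blah", value, re.S),     # /blah.blah/s
    }


# Constructed sample messages.
ONE_HEADER = "X-BLAH: blah\nSubject: test\n\nbody\n"
TWO_HEADERS = "X-BLAH: blah\nX-BLAH: blah\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("one header", ONE_HEADER), ("two headers", TWO_HEADERS)):
        joined = header_test_string(raw, "X-BLAH")
        print(label, repr(joined), modifier_report(raw))
```

With one header the unmodified pattern matches because $ is allowed before a final newline; with two, position 4 is before a newline that is not the last one, so only the /m form matches.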


open of auto-whitelist failed: Out of memory

2009-02-01 Thread Nicolas Letellier
Hello.

I use FreeBSD 7.0 and p5-Mail-SpamAssassin-3.2.5. In my logs, sometimes, I see 
this message:

Jan 31 22:36:09 * spamd[17781]: auto-whitelist: open of auto-whitelist file 
failed: Out of memory during ridiculously large request at 
/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DBBasedAddrList.pm line 
169.
Jan 31 22:36:09 ** spamd[17781]: spamd: identified spam (26.8/6.0) for 
spamd:58 in 2.6 seconds, 3377 bytes.
Jan 31 22:36:09 ** spamd[17781]: spamd: result: Y 26 - 
BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB
 
scantime=2.6,size=3377,user=spamd,uid=58,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=53197,mid=20090131213558.40c4a3227...@trinite.amoks-hebergement.com,bayes=1.00,autolearn=spam


Why do I have this message? What does it signify? Is it dangerous to have it?

Thanks for all your advice.

Regards,

-- 
 -Nicolas.


Re: open of auto-whitelist failed: Out of memory

2009-02-01 Thread Nicolas Letellier
On Sun, 01 Feb 2009 12:20:06 +0100
mouss mo...@ml.netoyen.net wrote:

 Nicolas Letellier a écrit :
  Hello.
  
  I use FreeBSD 7.0 and p5-Mail-SpamAssassin-3.2.5. In my logs, sometimes, I 
  see this message:
  
  Jan 31 22:36:09 * spamd[17781]: auto-whitelist: open of auto-whitelist 
  file failed: Out of memory during ridiculously large request at 
  /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DBBasedAddrList.pm 
  line 169.
  Jan 31 22:36:09 ** spamd[17781]: spamd: identified spam (26.8/6.0) for 
  spamd:58 in 2.6 seconds, 3377 bytes.
  Jan 31 22:36:09 ** spamd[17781]: spamd: result: Y 26 - 
  BAYES_99,DCC_CHECK,DIGEST_MULTIPLE,HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB
   
  scantime=2.6,size=3377,user=spamd,uid=58,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=53197,mid=20090131213558.40c4a3227...@trinite.amoks-hebergement.com,bayes=1.00,autolearn=spam
  
  
  Why do I have this message? What does it signify? Is it dangerous to have it?
  
 
 probably that the AWL db is too large.
 
  Thanks for all your advice.
  
 
 consider using sql instead of a file db.
 
 

The sizes:
 8256 -rw---  1 spamd  spamd  10485760  1 fév 15:57 auto-whitelist
2 -rw---  1 spamd  spamd 6  1 fév 15:57 auto-whitelist.mutex
2 -rw---  1 spamd  spamd  1260  1 fév 15:57 bayes.mutex
   56 -rw---  1 spamd  wheel 56496  1 fév 15:57 bayes_journal
 8208 -rw---  1 spamd  spamd  10371072  1 fév 15:57 bayes_seen
 4128 -rw---  1 spamd  wheel   5488640  1 fév 15:57 bayes_toks
2 -rw-r--r--  1 spamd  spamd  1487 10 mar  2008 user_prefs

Is it too big?
If that's the case, why do I have this message 'sometimes'?

Regards,


-- 
 -Nicolas.


problem with MSGID_MULTIPLE_AT

2008-09-02 Thread Nicolas Letellier
Hello.

I have a recurrent problem. Many *true* mails are tagged as SPAM because of a 
too high score.
Indeed, a parameter causes the problem:
MSGID_MULTIPLE_AT is often high

I see http://wiki.apache.org/spamassassin/Rules/MSGID_MULTIPLE_AT

But these mails are sent with Outlook 12.0, and aren't spam.

Do you have a solution to solve this problem?

Thanks for your help,

Regards,

-- 
 -Nicolas.


Re: problem with MSGID_MULTIPLE_AT

2008-09-02 Thread Nicolas Letellier
On Tue, 02 Sep 2008 12:51:58 +0200
Yet Another Ninja [EMAIL PROTECTED] wrote:

 Can you post a sample message on some web server (pastebin.com) so ppl 
 can see what's causing this?
 PLEASE do NOT munge servernames  IPs

See the headers:
http://pastebin.ca/1191372

I don't have the full message, just headers.
(I replaced mails, servernames, etc... by domain.com)

Do you have a solution? A patch?
Is it better to disable MSGID_MULTIPLE_AT check?

Thanks.

-- 
 -Nicolas.


Re: problem with MSGID_MULTIPLE_AT

2008-09-02 Thread Nicolas Letellier
On Tue, 02 Sep 2008 08:47:18 -0400
Matt Kettler [EMAIL PROTECTED] wrote:
 Well, it's obvious what the problem is. There's clearly two @ signs in
 the message-id, which is illegal, but it's what Microsoft is doing anyway.
 
 There's also a bug already open on this.
 
 https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5707
 
 We might need to convert that rule to a meta and ignore it when the MUA
 is outlook 12.0 unless we can figure out that the outlook in question
 has some weird hack that causes it, and normal outlook 12 doesn't cause
 the problem.. Although I personally feel makers (and knowing users) of
 broken tools should suffer, I don't think SpamAssassin is the best spot
 to implement that. :-)

Hello Matt,

But today, I can't leave this option activated (or not patched). It's important 
for my business, and too many clients use Outlook 12.0 (I can't force them to 
use another mail client).

While waiting, is it possible to disable the MSGID_MULTIPLE_AT check? And how?

Thanks.


-- 
 -Nicolas.


Re: problem with MSGID_MULTIPLE_AT

2008-09-02 Thread Nicolas Letellier
On Tue, 02 Sep 2008 14:12:56 +0100
[EMAIL PROTECTED] (Justin Mason) wrote:

 
 Nicolas Letellier writes:
  On Tue, 02 Sep 2008 08:47:18 -0400
  Matt Kettler [EMAIL PROTECTED] wrote:
   Well, it's obvious what the problem is. There's clearly two @ signs in
   the message-id, which is illegal, but it's what Microsoft is doing anyway.
   
   There's also a bug already open on this.
   
   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5707
   
   We might need to convert that rule to a meta and ignore it when the MUA
   is outlook 12.0 unless we can figure out that the outlook in question
   has some weird hack that causes it, and normal outlook 12 doesn't cause
   the problem.. Although I personally feel makers (and knowing users) of
   broken tools should suffer, I don't think SpamAssassin is the best spot
   to implement that. :-)
  
  Hello Matt,
  
  But today, I can't leave this option activated (or not patched). It's 
  important for my business, and too many clients use Outlook 12.0 (I can't 
  force them to use another mail client).
  
  While waiting, is it possible to disable the MSGID_MULTIPLE_AT check? And how?
 
 To get it fixed quickly, the most important thing you could do is attach
 multiple samples of messages from Outlook 12.0 which demo this behaviour,
 with full headers and body, to that bug.  Right now it appears we have
 none, so no changes to rules can be developed.
 
 --j.

No, I think putting a # in a file is quicker than giving you full mails and 
waiting for a patch.
Could you explain to me how to disable this check? It's important to disable 
MSGID_MULTIPLE_AT. 

I can send you mails to debug this problem if you want. But not now, because I 
must ask my users for them.

Thanks !


-- 
 -Nicolas.


Re: problem with MSGID_MULTIPLE_AT

2008-09-02 Thread Nicolas Letellier
On Tue, 02 Sep 2008 15:40:18 +0200
Karsten Bräckelmann [EMAIL PROTECTED] wrote:

 On Tue, 2008-09-02 at 13:00 +0200, Nicolas Letellier wrote:
  On Tue, 02 Sep 2008 12:51:58 +0200 Yet Another Ninja [EMAIL PROTECTED] 
  wrote:
  
   Can you post a sample message on some web server (pastebin.com) so ppl 
   can see what's causing this?
   PLEASE do NOT munge servernames  IPs
  
  See the headers:
  http://pastebin.ca/1191372
  
  I don't have the full message, just headers.
  (I replaced mails, servernames, etc... by domain.com)
 
 It appears you got greater problems than that rule. Have a closer look
 at the Report.
 
 One problem is Bayes, which probably could be trained better. That
 message scored BAYES_50. If you frequently discuss similar topics by
 mail, Bayes should considerably lean towards 00.
 
 The most glaring problem is AWL, though. Without AWL, that message
 already scored 3.1, which is pretty high for a ham, but still no
 problem. Yes, that includes the rule in question.
 
 Now, AWL accounts for another 2.9 points. This means that you previously
 got mail by that sender, and it appeared to score much higher. The way
 AWL works -- if you received, say, more than 2 messages by that user
 before -- setting MSGID_MULTIPLE_AT to 0 will *not* help, since AWL is
 sure to skyrocket the score above your threshold of 5 again.
 
 
 Things to consider:  (a) Train your ham, in particular FPs like this and
 any other important mail.  (b) Drop that user from your AWL database,
 for an immediate fix. And last but not least  (c) figure out why the
 *average* score of all mail sent by that users scores way *above* 6.
 
 The last part is most important. AWL is a score averager. So previous
 messages by that sender scored even higher than the sample you provided.
 That's where you need to look into.


Hi Karsten,

Thanks for your complete message.

I dropped this user from AWL database (with spamassassin 
--remove-addr-from-whitelist).

On the other hand, the mail I've pasted was just an example. I have many mails 
not tagged as spam, but with a big MSGID_MULTIPLE_AT. It could be a problem.

Regards,


-- 
 -Nicolas.
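
Added example, not from the thread: the score averaging described in the reply above, modelled in Python. It assumes SpamAssassin's documented AWL adjustment, final = score + (mean - score) * factor, with the default auto_whitelist_factor of 0.5; the 3.1, 2.9 and threshold 5 figures are the ones quoted above, while the class and function names, the history count of 4 and the 1.0-point rule are constructed for illustration.

```python
AWL_FACTOR = 0.5  # default auto_whitelist_factor (assumed unchanged)


class SenderHistory:
    """Running total and count of pre-AWL scores for one sender."""

    def __init__(self, total=0.0, count=0):
        self.total = total
        self.count = count

    def mean(self):
        return self.total / self.count if self.count else None

    def adjustment(self, score, factor=AWL_FACTOR):
        """Points AWL adds (or removes) for a message scoring `score`."""
        mean = self.mean()
        return 0.0 if mean is None else (mean - score) * factor

    def final_score(self, score, factor=AWL_FACTOR):
        return score + self.adjustment(score, factor)

    def record(self, score):
        """Model assumption: the pre-AWL score is what gets averaged in."""
        self.total += score
        self.count += 1


def implied_mean(score, awl_points, factor=AWL_FACTOR):
    """Recover the sender's stored mean from a report's AWL line."""
    return score + awl_points / factor


def messages_until_below(history, score, threshold):
    """How many more messages at `score` before the final score passes."""
    if score >= threshold:
        raise ValueError("score itself is not below the threshold")
    trial = SenderHistory(history.total, history.count)  # work on a copy
    needed = 0
    while trial.final_score(score) >= threshold:
        trial.record(score)
        needed += 1
    return needed


def walkthrough():
    mean = implied_mean(3.1, 2.9)                 # figures from the report
    history = SenderHistory(total=mean * 4, count=4)  # count is constructed
    return {
        "sender_mean": mean,
        "with_awl": history.final_score(3.1),
        # Zeroing a rule worth 1.0 point (constructed value) only removes
        # half of it from the final score, because AWL pulls toward the mean.
        "rule_zeroed": history.final_score(3.1 - 1.0),
        # After removing the sender from the AWL database there is no history.
        "sender_dropped": SenderHistory().final_score(3.1),
        "hams_needed": messages_until_below(history, 3.1, 5.0),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:15} {value:.2f}")
```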


Re: problem with MSGID_MULTIPLE_AT

2008-09-02 Thread Nicolas Letellier
On Tue, 02 Sep 2008 15:45:35 +0200
Karsten Bräckelmann [EMAIL PROTECTED] wrote:

 On Tue, 2008-09-02 at 15:23 +0200, Nicolas Letellier wrote:
 
  No, I think putting a # in a file is quicker than giving you full
  mails and waiting for a patch.
  Could you explain to me how to disable this check? It's important to disable
  MSGID_MULTIPLE_AT. 
 
 Just as has been mentioned by others already, set the rule's score to 0.
 Do NOT comment out the rule in the stock (update) cf files. That will
 break on your next sa-update run.
 
 Anyway, I believe just disabling this rule won't help much. See my other
 post with details about this.

Thanks for the line (and to the others who gave it too).
Indeed, this line will not help me for the mail I've pasted. Just a little. But 
it's better than now, while waiting for a patch.

Regards,

-- 
 -Nicolas.


user_pref for virtual mails

2008-08-27 Thread Nicolas Letellier
Hello.

I use spamassassin on my Postfix/Dovecot mail server.

Mailboxes are in /var/www/mail/vmail/domain.tld/user

Is there a possibility to have a user_prefs for each mailbox?

I don't see a similar option in
http://wiki.apache.org/spamassassin/WhereDoLocalSettingsGo?highlight=(user_prefs)
or here:
http://svn.apache.org/repos/asf/spamassassin/branches/3.2/README

Thanks for your information.

Regards, 

-- 
 - Nicolas.


Re: user_pref for virtual mails

2008-08-27 Thread Nicolas Letellier
Le Wed, 27 Aug 2008 12:06:31 +0200,
Robert Schetterer [EMAIL PROTECTED] a écrit :

 Nicolas Letellier schrieb:
  Hello.
  
  I use spamassassin on my Postfix/Dovecot mail server.
  
  Mailboxes are in /var/www/mail/vmail/domain.tld/user
  
  Is there a possibility to have a user_prefs for each mailbox?
  
  I don't see a similar option in
  http://wiki.apache.org/spamassassin/WhereDoLocalSettingsGo?highlight=(user_prefs)
  or here:
  http://svn.apache.org/repos/asf/spamassassin/branches/3.2/README
  
  Thanks for your information.
  
  Regards, 
  
 depends if you have real users or not, if using a vmail local user
 for all mailboxes ( i.e postfixadmin setup )
 this works with spamass-milter, i ve included it
 for self user editing via squirrelmail which needs ftp server
 and a special coded spamassplugin ,
 
 but the best way is to use spamass milter ( postfix/sendmail ) with
 spamd in mysql rules can be added by self user out of webmail
 squirrelmail or horde same should be possible with amavis-new
 
 but there are many ways to work with users_prefs, depends what you
 want to goal

Hi Robert.

My spamassassin runs as 'spamd'.
All my mailboxes are virtual, and are
in /var/mail/vmails/domain.tld/user

My spamassassin looks at /usr/local/etc/mail/spamassassin/local.cf to
load rules.

Now, I would like that, when spamc scans an email, for a mail
to [EMAIL PROTECTED], spamassassin
loads /usr/local/etc/mail/spamassassin/local.cf
AND /var/mail/vmails/domain.tld/toto/spamassassin/users_prefs

More precisely, I'm looking for an option to have specific rules (like
whitelist_from, etc...) for each mailbox.

Thanks.

Regards,

-- 
 - Nicolas.


Don't tag selected recipients

2008-08-06 Thread Nicolas Letellier
Hello.

I would like to know if an option is available in spamassassin. I use
3.2.5 with FreeBSD and Postfix.

By default, spamassassin filters ALL emails.

Is it possible to not scan certain mails? Or to have a list (txt,
sql) or an option (like whitelist_from) to not scan (or tag headers)?

I didn't find this information in the spamassassin wiki.

Thanks for your help.

Regards,
-- 
 - Nicolas.


Re: Don't tag selected recipients

2008-08-06 Thread Nicolas Letellier
Hello Evan,

I use Postfix, directly with spamassassin. So, I must write a script,
called in my master.cf for example?

Regards,

Nicolas

Le Wed, 06 Aug 2008 16:25:48 -0700,
Evan Platt [EMAIL PROTECTED] a écrit :

 In short, not in spamassassin. Anything sent to spamassassin is
 scanned. You could use a procmail filter to bypass spamassassin, but
 anything sent to spamassassin is scored. Yes, you can whitelist to
 give it 100 points or more, but it's still scanned and scored.
 
 Nicolas Letellier wrote:
  Hello.
 
  I would like to know if an option is available in spamassassin. I
  use 3.2.5 with FreeBSD and Postfix.
 
  By default, spamassassin filters ALL emails.
 
  Is it possible to not scan certain mails? Or to have a list (txt,
  sql) or an option (like whitelist_from) to not scan (or tag
  headers)?
 
  I didn't find this information in the spamassassin wiki.
 
  Thanks for your help.
 
  Regards,

 


-- 
 - Nicolas.


Re: SA 99,9% CPU and freeze

2006-05-16 Thread Nicolas Aulas
Oops! Sorry, I haven't joined the local.cf


Le 16/05/06 9:36, « Nicolas Aulas » [EMAIL PROTECTED] a écrit :

 Hi list,
 
 I'm running amavisd-new.2.3.3, clamv 0.88.1, SA 3.1.1 with  Perl 5.8.3 on FC1
 2.4.22
 
 Here are the principal options of local.cf

required_hits 4.0
report_safe 1
trusted_networks 10.
trusted_networks 192.168.20.
skip_rbl_checks 0
dns_available yes
fold_headers 1
use_razor2 1
use_bayes 0
#auto_learn 0


 With some mail (don't know why), SA goes up to 99,9% CPU and freezes the mail queue (mails
 are labelled in postfix as  maybe be sent more than once)
 
 With problematic mail, sudo -u amavis -s | spamassassin -t 
 /root/amavis-20060515T124439-32765/email.txt give :
 
 [1353] warn: dns: sendto() failed:  at
 /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 340.
 [1353] warn: dns: sendto() failed:  at
 /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 340.
 [1353] warn: dns: sendto() failed:  at
 /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 340.
 [1353] warn: dns: sendto() failed:  at
 /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 340.
 [1353] warn: dns: sendto() failed:  at
 /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 340.
 [1353] warn: dns: sendto() failed:  at
 /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 340.
 [1353] warn: dns: sendto() failed:  at
 /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 340.
 [1353] warn: dns: sendto() failed:  at
 /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 340.
 [1353] warn: dns: sendto() failed:  at
 /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/DnsResolver.pm line 340.
 
 Any idea what's wrong ? Thanks in advance for your help.
 
 
 Nicolas




Running spamassassin in two-pass

2006-01-16 Thread Nicolas Boullis
Hi,

I think that some part of spamassassin is highly user-specific (such as
BAYES, AWL or UNWANTED_LANGUAGE_BODY). But I receive some e-mails that
are sent to hundreds of our users, and I consider it is some waste of
CPU-time and bandwidth to run the same tests on the same message
hundreds of times.

So I considered running spamassassin in 2-pass:
  - 1 pass on our MX server, that runs most tests, and report in some
header which tests were run and which were triggered;
  - 1 pass on the server that hosts the mailboxes, that read those
headers added by the MX, runs the user-specific tests and computes
the scores, does the AWL and BAYES learning and adds the required
headers.

What do you people think about this idea? Does it sound sane? Would you
expect much improvement over a full single pass on the server that hosts
the mailboxes?

(As far as I am concerned, I used my very limited knowledge of perl to
try to implement this 2-pass idea, but the improvement looks very
limited...)


Nicolas Boullis


RE: SA restarting problems, Address already in use

2005-01-11 Thread nicolas . pouyet
Quoting Michele Neylon :: Blacknight Solutions

  The problem occurred again, and I caught the following from
  spamd output
 
 What is the output of netstat?

Since restarting spamd solves the problem without any visible side-effect,
I wrote a watchdog script to monitor spamd, and to restart it if it is
not running. This watchdog script is run once per hour, so I cannot get
netstat output of the time spamd did not start correctly.

I will add a 'netstat' command to my 'spamassassin' init script, before
the spamd command, in order to see what listens to port 783 at that time.

My problem is that this Address already in use behaviour is not easily
reproducible: when I manually stop/start spamd, I don't get any problem.
This problem only happens around once in a week, during some (not all)
daily stop/start.

I will post the output of netstat when available.

I will probably try to upgrade to 3.0.2 too, as Damien Kemens says, in
order to see if it helps.

Thanks for your answers.


bayes_seen file size becoming large : 160 MB

2004-12-15 Thread nicolas . pouyet
Hi,

The file size of the bayes database on a server is becoming really large :
bayes_seen is 160 MB and bayes_toks is 8 MB. This mail server processes around
3 mails a day, as a relay.

I did not configure any bayes_expiry_max_db_size, so it should be set to default
(15), and the only configuration directives in my local.cf are :

bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam  0.1
bayes_auto_learn_threshold_spam 12.0

I do not understand how these bayes files can be so large, the fine manual says
that with such settings, the file size should stay around 8MB. Or do these 8 MB
represent the normal size of the bayes_toks file, not the bayes_seen one ?

Some more info :
su spam -s /bin/sh -c "sa-learn --dump magic -D"
(...)
debug: bayes: 6765 tie-ing to DB file R/O /home/spam/.spamassassin/bayes_toks
debug: bayes: 6765 tie-ing to DB file R/O /home/spam/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: Score set 2 chosen.
0.000  0  3  0  non-token data: bayes db version
0.000  0 405891  0  non-token data: nspam
0.000  0 948334  0  non-token data: nham
0.000  0 287829  0  non-token data: ntokens
0.000  0 1103037764  0  non-token data: oldest atime
0.000  0 1103107296  0  non-token data: newest atime
0.000  0 1103107219  0  non-token data: last journal sync atime
0.000  0 1103105595  0  non-token data: last expiry atime
0.000  0  43200  0  non-token data: last expire atime delta
0.000  0 161098  0  non-token data: last expire reduction
count
debug: bayes: 6765 untie-ing
debug: bayes: 6765 untie-ing db_toks
debug: bayes: 6765 untie-ing db_seen


Today, spamd stopped working with the following error :

Dec 15 04:25:15 server spamc[18803]: connect(AF_INET) to spamd at 127.0.0.1
failed, retrying (#1 of 3): Connection refused

I did not understand why it died. Manually restarting spamd solved the problem
but I think it could happen again, and it might be related to some lack of
resources due to the bayes file size ?

I am using postfix 1.1.12, SA 3.0.1, MIME-Base64-3.05, DB_File-1.809, and
db4-4.0.14-20 (RedHat 9) on a postfix+SA relay. The bayes database is common to
all users, and located on the spam user's home directory.

SA is invoked with spamd -d -c -u spam and /usr/bin/spamc -t 180 -s 50 -e
/usr/sbin/sendmail -i -f ${sender} -- ${recipient}



Many thanks to whoever has any clue on how I could shrink the bayes files
without losing them. I would particularly be interested on the right
bayes_expiry_max_db_size setting I should configure for a server handling
around 3 mails daily.




Re: Is it not recommanded to learn a message already flaged as spam?

2004-12-03 Thread Nicolas
On Thu, Dec 02, 2004 at 10:04:27AM -0500, Matt Kettler wrote:
 At 10:17 AM 12/2/2004 +0100, Nicolas wrote:
 With mutt, I'd like to define a macro which learns the mail as spam,
 reports it to razor, and deletes it.
 
 I'd like to know if it is not recommended to learn a mail as spam, while
 it's already flagged as spam by SA?
 
 It IS recommended to learn mail that's already been flagged. Even if it's 
 flagged BAYES_99 SA can still learn worthwhile tokens from a message.
 
 sa-learn recognizes SA's own spam tags, and will automatically strip those 
 out before learning it.
 
 The only thing I'd avoid in training messages is I'd not intentionally 
 train the same message twice. But even this is only because it's a minor 
 waste of time.. SA will just ignore them, no harm done, but it's pointless 
 to go out of your way to retrain the same message.
 
 Also, if you use spamassassin -r on the message, it will strip tags, learn 
 as spam, and report it to razor, spamcop and any other hash systems you 
 have installed (ie: dcc or pyzor.)
 
 So all your macro needs to do is call spamassassin -r message.txt and then 
 delete the message.

Thanks for the help, guys!

Nicolas

-- 
--- OxStOnE --  O
- Z750  Linux ---  ._ /\_
--- Powered --  (x) (x)
~~~


Re: reply from sorbs

2004-11-28 Thread Nicolas
On Sat, Nov 27, 2004 at 04:43:37PM -0800, Bob Amen wrote:
I must disagree. Unfortunately the number of responsible people on 
 the other end of cable and DSL modems is vanishingly small compared to 
 the number of zombie machines that are spewing spam and more viruses. On 
 a typical day we get about 340,000 delivery attempts. We block about 
 110,000 thanks to SORBS. That's per day. I have only gotten 4 or 5 false 
 positives due to SORBS listings in the last 6 months. (Of 340,000 
 incoming messages, we pass on 7,400 to our users.)
 
So would you have us accept 110,000 garbage messages per day for 
 less than one a month that are responsible people running their own mail 
 server on a cable or DSL modem? That would be a great cost to us in 
 either processing power to analyze the messages with SA and/or lost 
 productivity for all our users to wade through more junk.
 
I'm sorry but you must send mail through your ISP's mail server or 
 be blocked by an increasing number of mail servers around the Internet. 
 If your ISP doesn't support using their mail server with your domain, 
 find another one. My home ISP does, which is one reason I chose them.
 
 -- 
   Bob Amen
   O'Reilly Media, Inc.
   http://www.ora.com/
 http://www.oreilly.com/

Bob is right. If you want to send mail directly to mail servers without
having a static IP, switch to another ISP. Or use your ISP's mail
server.

We don't want users to receive thousands of spam mails just in order to
allow 1 or 2 guys to send their mail directly from their machine,
without using their ISP's mail server...

Nicolas, Paris.

-- 
--- OxStOnE --  O
- Z750  Linux ---  ._ /\_
--- Powered --  (x) (x)
~~~


Re: reply from sorbs

2004-11-28 Thread Nicolas
On Sun, Nov 28, 2004 at 10:11:12AM -, [EMAIL PROTECTED] wrote:
 Hi,
 
 if I did not miss anything in this thread, the victim HAS a static IP on the 
 cable/dsl link and
 pays more for the access than dynamic ip would cost with the same provider.
 The provider, however, reports a full ip block (which may have a few percent 
 of
 static ip's) as dialup.
 I believe the extra money they get on the fixed ip should allow them to
 - either report correctly or
 - create a mail relay where authenticated users can use their own domain name 
 as sender
 
 Wolfgang Hamann

I think he has a dynamic IP over a DSL line. That's what I understood.
Am I wrong?

Nicolas, Paris.

-- 
--- OxStOnE --  O
- Z750  Linux ---  ._ /\_
--- Powered --  (x) (x)
~~~


Re: My IP listed in dnsbl.sorbs.net

2004-11-27 Thread Nicolas
On Fri, Nov 26, 2004 at 04:18:16PM +, Ron McKeating wrote:
 On Fri, 2004-11-26 at 15:54, Jim Maul wrote:
  Chris wrote:
   I  was messing around with fetchmail yesterday seeing if I could get it 
   to 
   work for the first time.  After playing with it for a few hours and 
   seeing 
   that it was working I happened to notice one of my crontab messages was 
   in 
   the right folder, but marked as spam.  Looking at the headers and spam 
   report I saw this:
   
   X-Spam-Prev-Subject: Cron [EMAIL PROTECTED] 
   /etc/rc.d/init.d/spamassassin 
   restart
   X-Spam-DCC: dcc3mcgill cpollock 1275; Body=17 Fuz1=471
   X-Spam-Flag: YES
   X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on cpollock
   X-Spam-Level: ***
   X-Spam-Status: Yes, score=7.0 required=5.0 tests=BAYES_50,NO_DNS_FOR_FROM,
 PYZOR_CHECK,RCVD_IN_SORBS_DUL autolearn=disabled version=3.0.1
   X-Spam-Pyzor: Reported 0 times.
   X-Spam-Report: 
 *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
 *  [score: 0.4742]
 *  3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
 *  1.6 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
 *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP 
   address
 *  [69.68.226.5 listed in dnsbl.sorbs.net]
   
   I'm using Sprint DSL, not a dial-up connection.  I've contacted sorbs 
   about 
   this and am awaiting an answer.  I've quit using fetchmail for now.  Any 
   ideas on why this happened?
   
  
  Id say its because you have a dynamic ip address.  You might want to 
  send all mail out through your isp's mail servers instead.
  
 
 Hmmm, but I have my own domain, and I want all my email to come from my
 domain, my isp will not route email from my domain (ntl) through their
 mail servers, they want me to use my [EMAIL PROTECTED] account. I want to
 use my [EMAIL PROTECTED] account. I really do disagree with this
 wholesale blacklisting of people who are perfectly responsible internet
 users, who happen to have their own mail-server on their cable lines.
 
 Ron
  -Jim
 -- 
 Ron McKeating
 Senior IT Services Specialist
 Internet Services and Software Solutions
 Loughborough University
 01509 222329

You're complaining about that list. However, if you want to send mail
using your domain name ([EMAIL PROTECTED]), you have to use a
static IP. Can't you understand that? What you're doing is like hosting a
website at home, while using a 56k bandwidth line... If you want to do
something specific, you have to get what's needed.

I think the first thing you have to do is to find a good ISP. The one
you're using is bullshit (it should allow you to send email using the
from address you want). And use a STATIC ip.

Since I use dnsbl.sorbs.net, I receive approximately 15% less spam. I'll
continue to use it, and a lot of other people do so.

Nicolas, Paris.

-- 
--- OxStOnE --  O
- Z750  Linux ---  ._ /\_
--- Powered --  (x) (x)
~~~


Re: OT - How often to reboot?

2004-11-27 Thread Nicolas
On Sat, Nov 27, 2004 at 09:26:19AM -0800, Gary W. Smith wrote:
 My RH6.1 box had about 800 days on it I think until we upgrade it a
 couple months.  My Windows domain controller has almost 9 months on it
 until I did the full set of service packs.  
 
 You only really need to reboot if you have applications that are poorly
 written and leak memory.  
 
 Michele is right...
 
 Gary Smith

800 days... I'm not quite sure there was not any security problem with
the kernel version you run...

Nicolas, Paris.

-- 
--- OxStOnE --  O
- Z750  Linux ---  ._ /\_
--- Powered --  (x) (x)
~~~